Safety and Reliability Engineering, Part 7: IEC 61508
Prof. Dr.-Ing. Stefan Kowalewski
Chair “Informatik XI”, Embedded Software Laboratory, RWTH Aachen University
Summer term 2007
Reminder: Terminology
Safety: The property of a situation in which the risk of operating/using a system does not exceed the limit risk.
Risk: A measure comprising
- the probability of an event leading to damage
- the expected amount of damage, if the event occurs
If quantification is possible: R = P_damage · A_damage
(Safety and Reliability Engineering, Part 6: Safety, Slide 2. © Stefan Kowalewski, 16 June 2005)
Reminder: Possible Events in a MooN (m-out-of-n) System
No critical event (no protection necessary):
- No failure: no failure of overall system
- Active failure: failure of overall system (protection activated although not needed)
Critical event (protection is necessary):
- No failure: protection activated, no failure of overall system
- Passive failure: failure of overall system, no protection activated
Reminder: Availability
1. Safety-related availability A_s: probability that the system will be shut down in case of a dangerous fault
2. Operation-related availability A_o: probability that the system will not be shut down unnecessarily
Reminder: Safety-related Availability / Operation-related Availability of a MooN System

$$A_{s,\mathrm{moon}} = \sum_{k=m}^{n} \binom{n}{k} \, A_s^{k} \, (1 - A_s)^{\,n-k}$$

$$A_{o,\mathrm{moon}} = \sum_{k=n-m+1}^{n} \binom{n}{k} \, A_o^{k} \, (1 - A_o)^{\,n-k}$$

(A_s and A_o are the availabilities of a single channel. The MooN logic shuts the system down when at least m of the n channels demand it, so A_s,moon sums over at least m safety-available channels, while an unnecessary shutdown is avoided as long as at least n − m + 1 channels are operationally available.)
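The two MooN sums above, carried through in code as an added example (not from the lecture slides); the single-channel values 0.9 in the demo are constructed, and the comparison of 1oo1, 1oo2, 2oo2 and 2oo3 shows how redundancy trades safety-related against operation-related availability.

```python
from math import comb


def at_least_m_of_n(a: float, m: int, n: int) -> float:
    """Probability that at least m of n independent channels are 'available'
    when each one is available with probability a:
    sum_{k=m}^{n} C(n, k) * a^k * (1 - a)^(n - k)."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0.0 <= a <= 1.0:
        raise ValueError("availability must be a probability")
    return sum(comb(n, k) * a**k * (1.0 - a) ** (n - k) for k in range(m, n + 1))


def safety_availability_moon(a_s: float, m: int, n: int) -> float:
    """A_s,moon: the MooN logic shuts the EUC down on a dangerous fault if at
    least m channels demand it, so at least m channels must be safety-available
    (summation from k = m)."""
    return at_least_m_of_n(a_s, m, n)


def operational_availability_moon(a_o: float, m: int, n: int) -> float:
    """A_o,moon: a spurious shutdown needs m channels to trip at once, so the
    system keeps running if at least n - m + 1 channels are operationally
    available (summation from k = n - m + 1)."""
    return at_least_m_of_n(a_o, n - m + 1, n)


def compare_architectures(a_s: float, a_o: float) -> dict:
    """Tabulate both availabilities for the usual voting architectures."""
    rows = {}
    for m, n in [(1, 1), (1, 2), (2, 2), (2, 3)]:
        rows[f"{m}oo{n}"] = (safety_availability_moon(a_s, m, n),
                             operational_availability_moon(a_o, m, n))
    return rows


if __name__ == "__main__":
    # Constructed single-channel values, not taken from the lecture slides.
    for name, (a_s_sys, a_o_sys) in compare_architectures(0.9, 0.9).items():
        print(f"{name}: A_s = {a_s_sys:.4f}  A_o = {a_o_sys:.4f}")
```

With A_s = A_o = 0.9 per channel, 1oo2 raises A_s to 0.99 but lowers A_o to 0.81, 2oo2 does the opposite, and 2oo3 raises both to 0.972.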
Agenda
Safety-related systems
IEC 61508
- Safety Analysis
- Safety Integrity Level (SIL)
Markov Chains
Safety-related system / component requirements (1)
Fail-safe: property of a system to remain in or move to a safe state in case of a failure.
Example: train brakes need energy to be released. If the power supply is interrupted, they brake.
Safety-related system / component requirements (2)
Fail-silent: property of a subsystem to remain in or move to a state in which it does not affect the other subsystems in case of a failure.
- “Silence” = safe state of the subsystem
Examples:
- Faulty bus user (counterexample: the “babbling idiot” on a CAN bus)
- Faulty SW process in a sound operating system
Safety-related system / component requirements (3)
Fail-operational: property of a system to keep up its function, or a degraded mode of functionality, in case of a fault.
Example: airplane controller
≈ Fault-tolerant
IEC 61508
International standard. Title: Functional safety of electrical / electronic / programmable electronic (E/E/PE) systems
IEC = International Electrotechnical Commission
In other words: functional safety of embedded systems. Valid since 1998.
IEC 61508
Widely accepted standard for the development, design, documentation and operation of electronically controlled systems with safety-critical functionality in most industries. IEC 61508 is a generic standard (independent of the application domain).
Derivations:
- Process industries: IEC 61511
- Manufacturing: IEC 62061
- Railways: EN 50128
- Automotive: ISO 26262 (draft)
Safety Standards
- prEN 50128 (railway)
- IEC 60601 (medical equipment)
- IEC 61511 (process industry)
- IEC 62061 (machinery)
- ISO WD 26262 (automotive)
- IEC 60880 (nuclear power stations)
- IEC 50156 (furnaces)
- RTCA/DO-178B (aerospace)
- IEC 61508 (meta-standard)
Three key elements of a safety-related system
Equipment under control (EUC): “equipment, machinery, apparatus used for manufacturing, process, transportation, medical or other activities”
EUC control system: “… responds to input signals causing the EUC to operate in the desired manner”
Safety-related system (SRS): “system that … implements the … safety functions necessary to achieve … the necessary integrity for the … safety functions”
Three key elements of a safety-related system
The SRS is an addition to the unprotected (but controlled) EUC to achieve the necessary risk reduction.
[Figure: the EUC with its EUC control system, the safety-related system, the user and the environment]
IEC 61508: Safety-related System Requirements
IEC 61508 requires two complementary forms:
- a description of the functions to be performed by the SRS, and
- the integrity required of each of those functions
IEC 61508 is based on the concept of risk reduction
[Figure: risk R plotted from the tolerable risk up to the uncontrolled risk; a hazard leads to harm with a certain probability of occurrence; the gap between uncontrolled and tolerable risk is the necessary risk reduction ~ SIL]
Two main concepts in IEC 61508
1. Safety Life Cycle: a structured procedure integrating all relevant activities to specify, design, analyze and maintain functional safety
2. Safety Integrity Level: a concept for simplifying and mechanizing the determination of the necessary risk reduction
   2.a Qualitatively, 2.b Quantitatively (following slides)
Qualitatively: Risk Analysis 1/2
1. Consequence
2. Frequency of exposure time in hazardous zone
Qualitatively: Risk Analysis 2/2
3. Possibility of avoiding the hazardous event
4. Probability of the unwanted event
IEC Risk Graph (figure from [1])
[1] Anton A. Frederickson: The IEC 61508 standard: Functional safety of Electrical / Electronic / Programmable Electronic Safety-related Systems, 10 January 2003
SIL Levels (figure from [1])
Life cycle ISO WD 26262
Motivation: Markov Chains
Up to now: “static view”, one failure event: system functional → (failure event) → system failure.
Dynamic view of a redundant system: 4 components operational → (first component failure) → 3 components operational → (second component failure) → 2 components operational → (third component failure) → …, with repair transitions leading back from 3 to 4 and from 2 to 3 components operational.
Considering these “dynamic” properties requires a different model: Markov chains.
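The state chain sketched above, turned into a small continuous-time Markov model as an added example (not from the slides). Assumptions beyond the slide: each component fails independently at a constant rate lam, a single repair crew restores one component at rate mu, and the state with fewer than 2 operational components counts as system failure; the rates in the demo are constructed.

```python
def steady_state_birth_death(down_rates, up_rates):
    """Steady-state distribution of a birth-death chain with states 0..N.
    down_rates[i] is the transition rate from state i to i+1 (one more failed
    component), up_rates[i] the repair rate from i+1 back to i. The balance
    equations pi[i] * down[i] = pi[i+1] * up[i] give a product form, so no
    linear-algebra library is needed."""
    if len(down_rates) != len(up_rates):
        raise ValueError("need one repair rate per failure transition")
    weights = [1.0]
    for d, u in zip(down_rates, up_rates):
        weights.append(weights[-1] * d / u)
    total = sum(weights)
    return [w / total for w in weights]


def operational_component_chain(n_total, lam, mu, n_min):
    """Chain over the number of operational components, from n_total down to
    n_min - 1 (assumed: system failure). Assumptions: independent components
    with constant failure rate lam each (k operational ones fail at rate
    k * lam) and a single repair crew restoring one component at rate mu."""
    states = list(range(n_total, n_min - 2, -1))        # e.g. [4, 3, 2, 1]
    down = [k * lam for k in states[:-1]]               # 4*lam, 3*lam, 2*lam
    up = [mu] * len(down)                               # repair transitions
    return dict(zip(states, steady_state_birth_death(down, up)))


def steady_state_availability(n_total, lam, mu, n_min):
    """Long-run probability that at least n_min components are operational."""
    dist = operational_component_chain(n_total, lam, mu, n_min)
    return sum(p for k, p in dist.items() if k >= n_min)


if __name__ == "__main__":
    # Constructed rates per hour, not taken from the slides: lam = 0.01, mu = 1.
    dist = operational_component_chain(4, 0.01, 1.0, 2)
    for k, p in dist.items():
        print(f"{k} components operational: {p:.6f}")
    print("steady-state availability:", steady_state_availability(4, 0.01, 1.0, 2))
```

The static view only says whether the system has failed; the chain additionally gives how much time it spends in each degraded state and how repair rate trades against failure rate.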
Summary
Different terms:
- Fail-safe
- Fail-silent
- Fail-operational
IEC 61508:
- Meta-norm
- Three key elements: EUC, control system, SRS
- Safety Integrity Level
- Risk graph
- Life cycle
Markov chains:
- Necessary property
- First example of modeling and calculation