safety and reliability engineering part 7: iec 61508 safety and reliability engineering part 7: iec...

Safety and Reliability EngineeringPart 7: IEC 61508

Prof. Dr.-Ing. Stefan Kowalewski

Chair “Informatik XI”, Embedded Software LaboratoryRWTH Aachen University

Summer term 2007

Reminder: Terminology

Safety:The property of a situation, in which the risk of operating/using a system does not exceed the limit risk.

Risk:

A measure comprising

- the probability of an event leading to damage

- the expected amount of damage, if the event occurs

If quantification is possible:

R = Pdamage · Adamage

Safety and Reliability EngineeringPart 6: Safety, Slide 2

© Stefan Kowalewski, 16 June 2005

Reminder: Possible moon Events

No failureno failure of overall system

passive failurebut failure of overall systemno protection

activated

active failurebut failure of overall system

No failure but failure of overall system

protection activated

no critical eventno protection necessary

critical eventprotection is necessary

Reminder: Availability

1. Safety-related availability As: Probability that the systemwill be shut down in case of a dangerous fault

2. Operation-related availability Ao: Probability that thesystem will be not be shut down unnecessarily

Reminder: Safety-related Availability / Operation-related Availability

kns

ks

n

mksmoon AA

kn

A −

=

−⋅⋅⎟⎟⎠

⎞⎜⎜⎝

⎛= ∑ )1(,

kno

ko

n

mnkomoon AA

kn

A −

+−=

−⋅⋅⎟⎟⎠

⎞⎜⎜⎝

⎛= ∑ )1(

1,

Agenda

Safety-related systems

IEC 61508

- Safety Analysis

- Safety Integrity Level (SIL)

Markov Chains

Saftey-related system / component requirements (1)

Fail-safe:- Property of a system to remain in or move to a safe state in

case of a failure

Example:Trainbarkes need energy to be released.If power supply is interrupted, they brake.


Fail-silent:- Property of a subsystem to remain in or move to a state in

which it does not affect the other subsystems in case of a failure

- „Silence“ = safe state of the subsystem

Examples:• Faulty bus user (counterexample: „Babbling Idiot“ in Can Bus)• Faulty SW process in a sound operating system


Fail-operational:- Property of a system to keep up ist function or a degraded

mode of functionality in case of a fault

Example:Air plane controller

≈ Fault-tolerant

Agenda


IEC 61508

- Safety Analysis


Markov Chains

IEC 61508

International standardTitle:Functional safety of electrical / electronic / programmable eletronic (E/E/PE) systems

IEC = InternationalElectronitechnicalCommision

In other words:Functional safety of embedded systemsValid since 1998

IEC 61508

Widely accepted standard for development, design, documentation and operation of electronically controlledsystems with safety-critical functionality in most industies.IEC 61508 is a generic standard (independent fromapplication domain)Derivations:

- Process industries IEC 61511- Manufacturing IEC 62061- Railways EN 50128- Automotive ISO 26262 (Draft)

Safety Standards

prEN 50128(Railway)

IEC 60601(medical equipment)

IEC 61511(process industry)

IEC 62061(Machinery)

ISO WD 26262(Automotive)

IEC 60880(Nucelar power stations)

IEC 50156(Furnaces)

RTCA/DO-178B(Aerospace)

IEC 61508(Meta-Standard)

Three key elements of a safety-related system

Equipment under control (EUC)“equipment, machinery, apparatus used for manufacturing, process, transportation, medical or other acitivities”EUC control system“… responds to input signals causing the ECU to operate in the desired manner”Safety-related system (SRS)“system that … implements the … safety functions necessary to achieve … the necessary integrity for the …safety functions”

Three key elements of a safety-related system

SRS is an addition to the unprotected (but conrolled) EUC to achieve the necessary risk reduction

EUC control system

EUC

Safety-related System

User

Envi

ronm

ent

IEC 61508: Safety-related System Requirements

IEC 61508 requires two, complementary forms:

A description of the function to be performed by the SRS

and

The integrity required of each of those functions

Agenda


IEC 61508

- Safety Analysis


Markov Chains

IEC 61508 is based on the concept of risk reduction

Risk R

uncontrolledRisk

TolerableRisk

Hazard

Harm

Probability of occurrence

Necessary riskreduction ~ SIL

Two main concepts in IEC 61508

1. Safety Life Cycle- A structured procedure integrating all relevant activities to

specify, design,analyze and maintain functional safety2. Safety Integrity Level

- A concept for simplifying and mechanizing thedetermination on the necessary risk reduction

2.a Qualitatively2.b Quantitatively

following slides

Agenda


IEC 61508

- Safety Analysis


Markov Chains

Qualitatively: Risk Analysis 1/2

1. Consequence

2. Frequency of exposure time in hazardous zone

Qualitatively: Risk Analysis 2/2

3. Possibility of avoidingthe hazardous event

4. Probability of theunwanted event

IEC Risk Graph

[1] Anton A. Frederickson, Mr., Dr. The IEC 61508 standard: Functional safety of Electrical /Electronic / Programmable Electronic Safety-related systems 10 Januar, 2003

SIL - Level

[1] Anton A. Frederickson, Mr., Dr. The IEC 61508 standard: Functional safety of Electrical /Electronic / Programmable Electronic Safety-related systems 10 Januar, 2003

Life cycle ISO WD 26262

Agenda


IEC 61508

- Safety Analysis


Markov Chains

Motivation: Markov Chains

up to now “static view” – one failure Event

systemfunctional

systemfailure

failure event

4 componentsoperational



repair

repair

frist component

failure

second component

failure

thirdcomponent

failure

Consider the “dynamic” properties different modelMarkov Chains

Summary

Different Terms:- Fail-safe- Fail-silent- Fail-operational

IEC 61508:- Meta-Norm- Three key elements: EUC, control system, SRS- Safety Integrity Level- Risk Graph- Life cycle

Markov chains- Necessary property- First example of modeling and calculation

safety and reliability engineering part 7: iec 61508 safety and reliability engineering part 7: iec...

Documents