Testing of Safety-related Systems Jürgen Hölzel


  • Testing of Safety-related Systems

    Jürgen Hölzel

  • Motivation

    Standard Examination Bodies and Role of Standards

    Current Safety Standards

    Risk Tolerance

    Development Hardware

    Development Software

    SIL Requirement

    Calculation of PFD value

  • 3

    Motivation

    ▪ HIMA has been developing, producing and distributing modern safety-related systems (PES) for the international market.

    ▪ Safety-related systems have always been used to perform safety-related functions in the process industries. To perform efficiently, these functions shall achieve minimum standards and performance levels.

  • 4

    Motivation

    ▪ To facilitate this approach, IEC 61508, IEC 61511 and IEC 62061 require that:

    – a hazard and risk assessment is carried out to identify the overall safety requirements

    – an allocation of the safety requirements to the safety instrumented system is carried out

    – the specification and realization of the safety-related system occurs within a framework which is applicable to achieve functional safety

    – the functional safety management specifies all methods for achieving functional safety

  • 5

    Standard Examination Bodies and Role of Standards

    ▪ IEC

    – The International Electrotechnical Commission (IEC) develops and drafts standards together with national committees.

    – Special workgroups discuss main topics, e.g. the "Technical Committee 65", which is responsible for "Industrial-Process Measurement and Control".

    – This committee published "IEC 61508: Functional Safety - Safety-related Systems".

    – IEC 61508 classifies systems in four risk and requirement categories, so-called "Safety Integrity Levels" (SIL), according to their hazardous potential.

    – IEC 61508 specifies how to proceed while developing and implementing the systems according to the SIL.

  • 6

    Current Safety Standards

    – IEC 61508 part 1 – 7: Functional safety of electrical/electronic/programmable electronic safety-related systems

    – IEC 61511 part 1 – 3: Functional safety - Safety instrumented systems for the process industry sector

    – IEC 62061: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems

    – EN 50156: Electrical equipment for furnaces and ancillary equipment

    – IEC 61874-3: Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses - General rules and profile definitions

  • 7

    Current Safety Standards (2)

    – ISO 13849 part 1 – 2: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design

    – EN 50126: Railway applications - The specification and demonstration of reliability, availability, maintainability and safety (RAMS)

    – EN 50128: Railway applications - Software for railway control and protection systems

    – EN 50129: Railway applications - Safety-related electronic systems for signalling

  • 8

    Risk Tolerance

    ▪ Techniques for Reducing the Risk

    (Figure: risk scale showing the risk of the system without safety considerations, the necessary risk reduction, the actual risk reduction, the tolerable risk and the residual risk)

  • 9

    Safety system development

    ▪ Safety systems must be developed, tested, validated, operated and maintained according to current national and international directives and standards.

    ▪ The standard IEC/EN 61508 refers to all relevant aspects when using

    – electrical (E),

    – electronic (E) or

    – programmable electronic systems (PES)

    for safety-relevant functions and applications.

    ▪ IEC/EN 61508 may fundamentally be applied to all safety-related E/E/PES, especially if no other special safety standard for an application area exists.

    ▪ This standard offers a systematic, risk-oriented approach to safety-relevant applications.

  • 10

    Safety system development

    ▪ Specifications and Requirements for the different SIL according to IEC 61508

    | Specifications | SIL 4 | SIL 3 | SIL 2 | SIL 1 | Applicability: Hardware (H) / Software (S) |
    |---|---|---|---|---|---|
    | Requirements and design specifications | Formal (mathematical) | Semi-formal (e.g. natural language) | Informal (e.g. natural language) | Informal (e.g. natural language) | H/S |
    | Configuration management | Complete (automatic for development & production) | Complete (automatic for development & production) | Yes | Manual | H/S |
    | Prototyping | Yes | Yes | Optional | Optional | H/S |
    | Structured design techniques (e.g. data flowcharts; relation or transfer charts) | Yes | Yes | Preferably | Optional | H/S |
    | Design reviews | Yes (Project team) | Yes (Project team) | Yes (Project team) | Test (Experts) | H/S |
    | Project management | Yes | Yes | Yes | Preferably | H/S |

  • 11

    Safety system development

    | Specifications | SIL 4 | SIL 3 | SIL 2 | SIL 1 | Applicability: Hardware (H) / Software (S) |
    |---|---|---|---|---|---|
    | Independent technical assessment | Yes | Preferably | Optional | Optional | H/S |
    | Data assessment analysis and corrective actions | Yes | Yes | Yes | Yes | H/S |
    | Statistical analysis | Yes | Yes | Optional | Optional | H/S |
    | Dynamic analysis (e.g. automatic testing) | Yes | Yes | Yes | Yes | S |
    | Independent testing | Yes (performed by an external organization) | Yes (performed by an external office) | Yes (preferred if performed by an external office) | Optional | H/S |
    | Environmental / operational testing (according to Def. Stan 00-35) | Yes | Yes | Preferably | Optional | H |
    | Computer-aided simulations for component tolerance | Yes | Yes | Preferably | Optional | H |
    | Additional product monitoring (e.g. independent audits) | Yes (performed by an external office) | Yes (performed by an external office) | Yes (preferred if performed by an external office) | Optional | H/S |
    | ISO 9001 | Yes | Yes | Yes | Yes | H/S |

  • 12

    Safety system development

    ▪ System Evaluation according to IEC/EN 61508

  • 13

    Safety system development

    Specification of the Safety Requirements

    ▪ The specification for safety functions of E/E/PES shall contain accurate data about how the necessary safety shall be achieved. Each safety function shall be specified:

    – Provide comprehensive, detailed requirements sufficient for the design and development of the E/E/PE safety-related systems

    – List how the E/E/PE safety-related systems are intended to achieve or maintain a safe state for the EUC

    – Specify whether low demand mode, high demand mode or continuous mode of operation is required

    – Using a tool for the specification supports requirement tracking

  • 14

    Safety system development

    Specification of the Safety Requirements

    ▪ All relevant modes of operation of the EUC have to be considered:

    – Preparation for application, including setting and adjustment

    – Start-up, teach, automatic, manual, semi-automatic, steady state of operation

    – Steady state of non-operation, re-setting, shut-down, maintenance

    – Reasonably foreseeable abnormal conditions

    ▪ For specific modes (for example start-up, adjustment or maintenance) special safety functions can be added to make this work safer.

  • 15

    Reliability Figures

    ▪ Safety systems are used in a wide range of technical applications. To guarantee safety and availability, the following values shall be calculated:

    – PFD: probability of failure on demand

    – PFH: probability of failure per hour

    – MTTF (mean time to failure): availability

    ▪ In the machinery standard ISO 13849:

    – MTTFd and DC

    ▪ In railway standards:

    – THR or HR: tolerable hazard rate

  • 16

    Development Hardware

    ▪ Safety Hardware Life Cycle

  • 17

    Development Hardware

    Design and Development of the E/E/PES

    ▪ The overall design of the E/E/PES shall be performed in accordance with the Safety Requirement Specification (SRS).

    ▪ Design and implementation of the safety system must fulfil the requirements for safety functions and integrity previously established.

    ▪ The system design comprises the overall hardware and software architecture, sensors, actuators, programmable electronics, embedded software and user software.

    ▪ All design steps have to be documented.

  • 18

    Development Hardware

    Design and Development of the E/E/PES

    ▪ The design of a safety system shall meet the following requirements:

    – The requirements regarding the hardware safety integrity are:

      – Reductions of the hardware safety integrity due to the architecture

      – Requirements regarding the probability of dangerous random hardware failures

  • 19

    Development Hardware

    ▪ The requirements regarding the systematic safety integrity are:

    – Requirements for avoiding failures and controlling systematic failures

    – Proof that the components are tested during operation

    – Requirements for the system reaction when a fault is detected

  • 20

    Development Hardware

    Planning Safety Validation

    ▪ Functional testing

    ▪ Testing of the functional safety

    ▪ Interoperability testing

    ▪ Design and test for EMC immunity with increased limits for safety systems (the relevant safety and application standards have to be observed)

    ▪ Environmental testing according to the relevant product safety standards

    ▪ Temperature and humidity testing

    ▪ Vibration and shock testing

    ▪ Environmental testing derived from other specified conditions (such as critical atmospheres)

  • 21

    Development Hardware

    Analytical Methods

    ▪ The evaluation of the design should use one or more of the following:

    – Failure Mode and Effects Analysis (FMEA)

    – Reliability block diagram

    – Fault tree analysis

    – Markov analysis

    ▪ These methods serve both as design and as verification methods.

    ▪ The failure reaction of a safety function must be documented.

  • 22

    Development Hardware

    ▪ Hardware design for a safety function is determined by:

    – PFD - Probability of Failure on Demand

    – PFH - Probability of Failure per Hour

    – HFT - Hardware Fault Tolerance

    – SFF - Safe Failure Fraction

    – MTTF - Mean Time To Failure

    – Low demand / high demand mode of operation

    – Component types A or B

    – Architectural constraints

    ▪ This data must be documented for the customer of the safety-related system.

  • 23

    Development Hardware

    ▪ Hardware design for a safety function is determined by:

    – All components in all failure modes (hardware, software, human error, etc.)

    – Diagnostic features

    – Repair and test strategies

    – Proof test complete or incomplete

    – Common cause failures

    – Avoidance of systematic failures
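    The following Python is an added worked example, not part of the slides: it computes, for a constructed single-channel (1oo1) subsystem, the figures slides 15, 22 and 23 name: the SFF from the safe/dangerous-detected/dangerous-undetected failure-rate split, the low-demand PFDavg with the usual λDU·T1/2 simplification of IEC 61508-6, the SIL band that PFD alone would allow, and the Route 1H architectural constraint of IEC 61508-2 by component type, SFF and HFT. All failure rates and the proof test interval are illustrative values, not from any real device.

```python
from dataclasses import dataclass

FIT = 1e-9  # one failure per 10^9 hours; all failure rates below are in failures/hour


@dataclass(frozen=True)
class Channel:
    """Failure-rate split of one channel, as a component FMEDA would report it."""
    lambda_s: float      # safe failures
    lambda_dd: float     # dangerous detected failures (caught by diagnostics)
    lambda_du: float     # dangerous undetected failures (found only by proof test)
    proof_test_h: float  # proof test interval T1 in hours
    component_type: str  # "A" (simple, well-understood parts) or "B" (complex parts)


def sff(ch: Channel) -> float:
    """Safe failure fraction: share of all failures that are safe or detected."""
    return (ch.lambda_s + ch.lambda_dd) / (ch.lambda_s + ch.lambda_dd + ch.lambda_du)


def pfd_avg_1oo1(ch: Channel) -> float:
    """Average PFD of a single channel (HFT 0) in low-demand mode, using the common
    simplification lambda_DU * T1 / 2 (repair time of detected failures ignored)."""
    return ch.lambda_du * ch.proof_test_h / 2


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for an average PFD (0 = below SIL 1; below 1e-5 reported as 4)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


# Architectural constraints (Route 1H, IEC 61508-2): maximum SIL of a subsystem by
# component type, SFF band (<60 %, 60-90 %, 90-99 %, >=99 %) and HFT (0, 1, 2).
ARCH_MAX_SIL = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}


def max_sil_architecture(ch: Channel, hft: int) -> int:
    s = sff(ch)
    band = 0 if s < 0.60 else 1 if s < 0.90 else 2 if s < 0.99 else 3
    return ARCH_MAX_SIL[ch.component_type][band][hft]


def achievable_sil_1oo1(ch: Channel) -> int:
    """Both the random-failure figure (PFD) and the architectural constraint (SFF/HFT)
    must be met, so the hardware SIL of a 1oo1 channel is the lower of the two."""
    return min(sil_from_pfd(pfd_avg_1oo1(ch)), max_sil_architecture(ch, hft=0))


# Constructed sample channel: illustrative figures, not from any real device.
SAMPLE = Channel(500 * FIT, 450 * FIT, 50 * FIT, proof_test_h=8760, component_type="B")
```

    Calling achievable_sil_1oo1(SAMPLE) returns 2: the PFDavg of 2.19e-4 alone would allow SIL 3, but a type B part with 95 % SFF and HFT 0 is capped at SIL 2 by the architectural constraint, which is why slide 22 lists HFT, SFF and component type next to PFD.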

  • 24

    Development Hardware and Software

    Hardware / Software Interactions

    (Figure: scope of IEC 61508-2 versus scope of IEC 61508-3, with the blocks: E/E/PE system design requirements specification; E/E/PE system architecture; hardware safety requirements specification; programmable electronic hardware; non-programmable hardware; software safety requirements; software design and development; programmable electronics design and development; non-programmable hardware design and development; programmable electronics integration (hardware and software); E/E/PE system integration)

  • 25

    Development Software

    Software Life Cycle

  • 26

    Development Software

    The V-Model

    (Figure: V-model with the stages E/E/PE system safety requirements specification, software safety requirements specification, E/E/PE system architecture, software architecture, software system design, module design and coding on the left-hand side, and module testing, integration testing (module), integration testing (components, subsystems and programmable electronics), validation testing and validated software on the right-hand side; further labels: Output, Verification, Validation)

  • 27

    Development Software

    ▪ Testing Software

    – Not every line of code can be tested.

    – The right test procedures and methods shall be used.

    ▪ Safety-related Software

    – Safety systems shall perform the safety function, even under faulty conditions.

    – Both hardware faults and software failures shall be considered.

    – Use of fault avoidance strategies

    – Measures to control faults: assertions, key procedures, …

  • 28

    Development Software

    ▪ Sufficiently Error-Free Software

    – Following the traditions of software development and quality assurance

    – Developing software in accordance with the life cycle, using traditions and methods that have been applied and given by the manufacturer

    – Selecting appropriate measures to avoid failures:

      – Refer to tables A and B of IEC 61508, Part 3

    – Periodical check of fault avoidance

    – Methods' efficiency during software development

  • 29

    Development Software - Tools

    ▪ In the phases of software development, IEC 61508-3 requires the use of tools

    – For the specification, a tool supporting requirements tracking is HR (highly recommended)

    ▪ Tools for the test phase

    – It is necessary to select a suitable set of tools: different tools for different problems

    – Code checker and verification tools (lint, splint)

    – Coding rules checker (code check)

    – Software metric tools (lines of code, lines of comment, complexity, OOP statistics, inheritance tree)

    – The use of development tools should be validated or proven in operation (version history, debugging system)

  • 30

    Development Software

    ▪ Module Testing and Integration Testing:

    ▪ Software module and integration testing are verification activities

    – Probabilistic testing

    – Dynamic analysis and testing

    – Functional and black box testing

    – Performance testing

    – Interface testing

    – Forward traceability between the software design specification and the module and integration test specifications

    – Test management and automation tools

  • 31

    Development Software

    ▪ Hardware Software Integration Testing:

    ▪ Software module and integration testing are verification activities

    – Functional and black box testing

    – Performance testing

    – Testing the system under all relevant operating conditions

    – Forward traceability between the software design specification and the module and integration test specifications

    – Test management and automation tools

  • 32

    Development Software

    ▪ Hardware Software Integration Validation:

    ▪ The validation testing requires an additional set of tests. Software aspects:

    – Probabilistic testing

    – Process simulation

    – Modelling

    ▪ Hardware aspects:

    – Use of realistic devices

    – Testing worst case scenarios

    – Environmental stress testing

  • 33

    Summary

    ▪ Using IEC 61508 for development processes provides good guidance

    ▪ Knowledge of the relevant standards and regulations is required

    ▪ A FSM (functional safety management) has to be established in order to ensure a suitable development process

    ▪ A quality management system (e.g. ISO 9001) has to be in place

    ▪ Skilled teams during all life cycle phases are necessary

    ▪ Testing phases must follow a clear V&V (verification and validation) plan

  • 34

    Thank you for your attention!