-
Testing of Safety-related Systems
Jürgen Hölzel
-
Motivation
Standard Examination Bodies and Role of Standards
Current Safety Standards
Risk Tolerance
Development Hardware
Development Software
SIL Requirement
Calculation of PFD value
-
3
Motivation
• HIMA has been developing, producing and distributing modern safety-related systems (PES) for the international market.
• Safety-related systems have always been used to perform safety-related functions in the process industries. To perform efficiently, these functions shall achieve minimum standards and performance levels.
-
4
Motivation
• To facilitate this approach, IEC 61508, IEC 61511 and IEC 62061 require that:
– a hazard and risk assessment is carried out to identify the overall safety requirements
– an allocation of the safety requirements to the safety instrumented system is carried out
– the specification and realization of the safety-related system take place within a framework that is suitable for achieving functional safety
– the functional safety management specifies all methods for achieving functional safety
-
5
Standard Examination Bodies and Role of Standards
• IEC
– The International Electrotechnical Commission (IEC) develops and drafts standards together with national committees.
– Special workgroups discuss the main topics, e.g. "Technical Committee 65", which is responsible for "Industrial-Process Measurement and Control".
– This committee published "IEC 61508: Functional Safety - Safety-related Systems".
– IEC 61508 classifies systems into four risk and requirement categories, the so-called "Safety Integrity Levels" (SIL), according to their hazardous potential.
– IEC 61508 specifies how to proceed when developing and implementing systems according to their SIL.
-
6
Current Safety Standards
• Current Safety Standards
– IEC 61508 parts 1–7: Functional safety of electrical/electronic/programmable electronic safety-related systems
– IEC 61511 parts 1–3: Functional safety - Safety instrumented systems for the process industry sector
– IEC 62061: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
– EN 50156: Electrical equipment for furnaces and ancillary equipment
– IEC 61874-3: Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses - General rules and profile definitions
-
7
Current Safety Standards
• Current Safety Standards (2)
– ISO 13849 parts 1–2: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design
– EN 50126: Railway applications - The specification and demonstration of reliability, availability, maintainability and safety (RAMS)
– EN 50128: Railway applications - Software for railway control and protection systems
– EN 50129: Railway applications - Safety-related electronic systems for signalling
-
8
Risk Tolerance
[Figure: risk reduction diagram on a "Risk" axis. Elements shown: risk of the system without safety considerations, necessary risk reduction, actual risk reduction, residual risk, tolerable risk.]
• Techniques for Reducing the Risk
-
9
Safety system development
• Safety systems must be developed, tested, validated, operated and maintained according to current national and international directives and standards.
• The standard IEC/EN 61508 covers all relevant aspects of using
– electrical (E),
– electronic (E) or
– programmable electronic systems (PES)
for safety-relevant functions and applications.
• IEC/EN 61508 may fundamentally be applied to all safety-related E/E/PES, especially if no other specific safety standard exists for an application area.
• This standard offers a systematic, risk-oriented approach to safety-relevant applications.
-
10
Safety system development
Specifications | SIL 4 | SIL 3 | SIL 2 | SIL 1 | Applicability: Hardware (H) / Software (S)
Requirements and design specifications | Formal (mathematical) | Semi-formal (e.g. natural language) | Informal (e.g. natural language) | Informal (e.g. natural language) | H/S
Configuration management | Complete (automatic for development & production) | Complete (automatic for development & production) | Yes | Manual | H/S
Prototyping | Yes | Yes | Optional | Optional | H/S
Structured design techniques (e.g. data flowcharts; relation or transfer charts) | Yes | Yes | Preferably | Optional | H/S
Design reviews | Yes (Project team) | Yes (Project team) | Yes (Project team) | Test (Experts) | H/S
Project management | Yes | Yes | Yes | Preferably | H/S
• Specifications and Requirements for the different SIL according to IEC 61508
-
11
Safety system development
Specifications | SIL 4 | SIL 3 | SIL 2 | SIL 1 | Applicability: Hardware (H) / Software (S)
Independent technical assessment | Yes | Preferably | Optional | Optional | H/S
Data assessment analysis and corrective actions | Yes | Yes | Yes | Yes | H/S
Statistical analysis | Yes | Yes | Optional | Optional | H/S
Dynamic analysis (e.g. automatic testing) | Yes | Yes | Yes | Yes | S
Independent testing | Yes (performed by an external organization) | Yes (performed by an external office) | Yes (preferred if performed by an external office) | Optional | H/S
Environmental / operational testing (according to Def. Stan 00-35) | Yes | Yes | Preferably | Optional | H
Computer-aided simulations for component tolerance | Yes | Yes | Preferably | Optional | H
Additional product monitoring (e.g. independent audits) | Yes (performed by an external office) | Yes (performed by an external office) | Yes (preferred if performed by an external office) | Optional | H/S
ISO 9001 | Yes | Yes | Yes | Yes | H/S
-
12
Safety system development
• System Evaluation according to IEC/EN 61508
-
13
Safety system development
Specification of the Safety Requirements
• The specification of the safety functions of an E/E/PES shall contain accurate data about how the necessary safety shall be achieved. For each safety function, the specification shall:
– provide comprehensive, detailed requirements sufficient for the design and development of the E/E/PE safety-related systems
– list how the E/E/PE safety-related systems are intended to achieve or maintain a safe state for the EUC
– state whether low demand mode, high demand mode or continuous mode of operation is required
– Using a tool for the specification supports requirement tracking
-
14
Safety system development
Specification of the Safety Requirements
• All relevant modes of operation of the EUC have to be considered:
– Preparation for application, including setting and adjustment
– Start-up, teach, automatic, manual, semi-automatic, steady state of operation
– Steady state of non-operation, re-setting, shut-down, maintenance
– Reasonably foreseeable abnormal conditions
• For specific modes (for example start-up, adjustment or maintenance), special safety functions may be added to make this work safer.
-
15
Reliability Figures
• Safety systems are used in a wide range of technical applications. To guarantee safety and availability, the following values shall be calculated:
– PFD: probability of failure on demand
– PFH: probability of failure per hour
– MTTF (mean time to failure) / availability
• In the machinery standard ISO 13849:
– MTTFd and DC
• In the railway standards:
– THR (tolerable hazard rate) or HR (hazard rate)
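The figures listed above can be derived from a component's failure rate. The following Python script is an added worked example, not code from the slides or from HIMA: it converts an MTTF into a constant failure rate, computes PFDavg and PFH for a single 1oo1 channel, and maps both onto the IEC 61508-1 SIL target bands. The first-order approximation PFDavg = λ_DU · T_I / 2 (proof-test interval T_I, repair time and common-cause terms neglected) and the sample failure rate of 2e-6 per hour are assumptions of this example.

```python
"""Reliability figures for a single-channel (1oo1) safety function.

Added illustration, not taken from the slides. Assumptions (labelled):
- constant failure rate (exponential model), so lambda = 1 / MTTF;
- low-demand PFDavg of a 1oo1 channel uses the usual first-order
  approximation PFDavg ~= lambda_DU * T_I / 2 (proof-test interval T_I,
  repair time and common-cause terms neglected);
- in high-demand / continuous mode the PFH of a 1oo1 channel is lambda_DU;
- SIL target bands are the IEC 61508-1 values for PFDavg and PFH.
"""
from typing import Dict, Optional

HOURS_PER_YEAR = 8760.0

# IEC 61508-1 target failure measures per SIL: lower bound inclusive, upper bound exclusive.
PFD_BANDS: Dict[int, tuple] = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS: Dict[int, tuple] = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def failure_rate_from_mttf(mttf_hours: float) -> float:
    """Constant failure rate lambda (1/h) from MTTF (h)."""
    if mttf_hours <= 0:
        raise ValueError("MTTF must be positive")
    return 1.0 / mttf_hours


def pfd_avg_1oo1(lambda_du: float, proof_test_interval_hours: float) -> float:
    """Average probability of failure on demand of one channel (first-order approximation)."""
    return lambda_du * proof_test_interval_hours / 2.0


def pfh_1oo1(lambda_du: float) -> float:
    """Probability of dangerous failure per hour of one channel: the dangerous-undetected rate."""
    return lambda_du


def sil_for(value: float, bands: Dict[int, tuple]) -> Optional[int]:
    """Map a PFDavg or PFH figure to the SIL whose band it falls in.

    Values below the SIL 4 lower bound still satisfy SIL 4; values at or above
    the SIL 1 upper bound satisfy no SIL (None).
    """
    if value < bands[4][0]:
        return 4
    for sil in (4, 3, 2, 1):
        low, high = bands[sil]
        if low <= value < high:
            return sil
    return None


def assess_channel(lambda_du: float, proof_test_interval_hours: float) -> Dict[str, object]:
    """Reliability figures and achievable SIL of one 1oo1 channel in both demand modes."""
    pfd = pfd_avg_1oo1(lambda_du, proof_test_interval_hours)
    pfh = pfh_1oo1(lambda_du)
    return {
        "mttf_years": 1.0 / lambda_du / HOURS_PER_YEAR,
        "pfd_avg": pfd,
        "sil_low_demand": sil_for(pfd, PFD_BANDS),
        "pfh": pfh,
        "sil_high_demand": sil_for(pfh, PFH_BANDS),
    }


if __name__ == "__main__":
    # Constructed figure: lambda_DU = 2e-6 per hour (MTTF of roughly 57 years).
    lam = 2e-6
    for years in (1.0, 1.0 / 12.0):
        r = assess_channel(lam, years * HOURS_PER_YEAR)
        print(f"T_I = {years:.3f} a: PFDavg = {r['pfd_avg']:.2e} -> SIL {r['sil_low_demand']} "
              f"(low demand); PFH = {r['pfh']:.1e} -> SIL {r['sil_high_demand']} (high demand)")
```

Running the script shows the point the slide makes about calculating these values: the same channel reaches SIL 2 with a yearly proof test and SIL 3 with a monthly one in low-demand mode, while in high-demand mode its PFH only supports SIL 1, because there the proof-test interval does not help.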
-
16
Development Hardware
• Safety Hardware Life Cycle
-
17
Development Hardware
Design and Development of the E/E/PES
• The overall design of the E/E/PES shall be performed in accordance with the Safety Requirements Specification (SRS).
• The design and implementation of the safety system must fulfil the previously established requirements for the safety functions and their integrity.
• The system design comprises the overall hardware and software architecture, sensors, actuators, programmable electronics, embedded software and user software.
• All design steps have to be documented.
-
18
Development Hardware
Design and Development of the E/E/PES
• The design of a safety system shall meet the following requirements:
– The requirements regarding hardware safety integrity are:
– Reductions of the hardware safety integrity due to the architecture
– Requirements regarding the probability of dangerous random hardware failures
-
19
Development Hardware
• The requirements regarding systematic safety integrity are:
– Requirements for avoiding failures and controlling systematic failures
– Proof that the components are tested during operation
– Requirements for the system reaction when a fault is detected
-
20
Development Hardware
Planning Safety Validation
• Functional Testing
• Testing of the functional safety
• Interoperability Testing
• Design and test for EMC immunity with increased limits for safety systems (the relevant safety and application standards have to be observed)
• Environmental testing according to the relevant product safety standards
• Temperature and humidity testing
• Vibration and shock testing
• Environmental testing derived from other specified conditions (such as critical atmospheres)
-
21
Development Hardware
Analytical Methods
– The evaluation of the design should use one or more of the following:
– Failure Mode and Effects Analysis (FMEA)
– Reliability block diagram
– Fault tree analysis
– Markov analysis
– These methods serve both design and verification
– The failure reaction of a safety function must be documented.
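Of the analytical methods listed above, fault tree analysis is the one most easily shown in code. The following Python script is an added example, not from the slides: it evaluates a small fault tree (AND/OR gates over basic events) to obtain the top-event probability and derives the minimal cut sets, which is what an analyst reads off to see which single failures defeat the safety function. The tree, the event names and all probabilities are constructed sample values; the calculation assumes independent basic events that each occur once in the tree.

```python
"""Fault tree analysis: top-event probability and minimal cut sets.

Added illustration, not from the slides. Assumptions (labelled):
- basic events are statistically independent and each appears once in the
  tree, so AND gates multiply and OR gates combine as 1 - prod(1 - p);
- the event names and probabilities below are constructed sample values,
  not figures from any real product.
"""
import itertools
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Basic:
    name: str
    prob: float          # probability that the basic event is present on demand


@dataclass(frozen=True)
class Gate:
    kind: str            # "AND" or "OR"
    name: str
    inputs: tuple        # Basic or Gate nodes


Node = Union[Basic, Gate]


def probability(node: Node) -> float:
    """Top-event probability under the independence assumption."""
    if isinstance(node, Basic):
        return node.prob
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= (1.0 - p)
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Minimal sets of basic events whose joint occurrence causes the top event."""
    if isinstance(node, Basic):
        return [frozenset({node.name})]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        candidates = [cs for sets in child_sets for cs in sets]
    elif node.kind == "AND":
        candidates = [frozenset().union(*combo) for combo in itertools.product(*child_sets)]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    # Minimise: drop every cut set that contains another cut set.
    minimal = {cs for cs in candidates if not any(other < cs for other in candidates)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def basic_probabilities(node: Node) -> Dict[str, float]:
    if isinstance(node, Basic):
        return {node.name: node.prob}
    merged: Dict[str, float] = {}
    for child in node.inputs:
        merged.update(basic_probabilities(child))
    return merged


def ranked_cut_sets(node: Node) -> List[Tuple[FrozenSet[str], float]]:
    """Cut sets with their probability (product of members), most likely first."""
    probs = basic_probabilities(node)
    ranked = []
    for cs in minimal_cut_sets(node):
        p = 1.0
        for name in cs:
            p *= probs[name]
        ranked.append((cs, p))
    return sorted(ranked, key=lambda item: -item[1])


# Constructed sample tree for a trip function: any sensor fault, both logic
# channels of a 1oo2 solver, or a stuck final element defeats the function.
SAMPLE_TREE = Gate("OR", "safety function fails to trip on demand", (
    Gate("OR", "sensor subsystem fails", (Basic("transmitter_drift", 0.01), Basic("wiring_open", 0.005))),
    Gate("AND", "logic solver fails (1oo2)", (Basic("channel_A_fails", 0.02), Basic("channel_B_fails", 0.02))),
    Basic("valve_stuck", 0.004),
))

if __name__ == "__main__":
    print(f"P(top) = {probability(SAMPLE_TREE):.5f}")
    for cs, p in ranked_cut_sets(SAMPLE_TREE):
        print(f"  {sorted(cs)}  p = {p:.2e}")
```

The ranked cut-set list is the part a designer acts on: here the single sensor events dominate, while the redundant logic solver only contributes a second-order term.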
-
22
Development Hardware
• Hardware design for a safety function is determined by:
– PFD: Probability of Failure on Demand
– PFH: Probability of Failure per Hour
– HFT: Hardware Fault Tolerance
– SFF: Safe Failure Fraction
– MTTF: Mean Time To Failure
– Low demand / high demand mode of operation
– Component types A or B
– Architectural constraints
– This data must be documented for the customer of the safety-related system
-
23
Development Hardware
• Hardware design for a safety function is determined by:
– All components in all failure modes (hardware, software, human error, etc.)
– Diagnostic features
– Repair and test strategies
– Proof test complete or incomplete
– Common cause failures
– Avoidance of systematic failures
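The two slides above list SFF, HFT, component type and architectural constraints as inputs to the hardware design. The following Python script is an added example, not from the slides: it computes the safe failure fraction and the diagnostic coverage from a split of failure rates, and then applies the IEC 61508-2 architectural constraint tables (route 1H) for Type A and Type B subsystems to find the highest SIL a subsystem may claim for a given HFT, or the minimum HFT needed for a target SIL. The failure-rate split used as input (500/400/100 FIT) is a constructed sample value.

```python
"""Safe failure fraction, diagnostic coverage and architectural constraints.

Added illustration, not from the slides. Assumptions (labelled):
- failure rates are split into safe (lambda_S), dangerous detected (lambda_DD)
  and dangerous undetected (lambda_DU), all in the same unit (e.g. FIT);
- SFF and DC follow the IEC 61508 definitions
  SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU),
  DC  = lambda_DD / (lambda_DD + lambda_DU);
- the maximum SIL per (SFF band, HFT) is the IEC 61508-2 route 1H table for
  Type A (simple, fully characterised) and Type B (complex, e.g. microprocessor)
  subsystems; HFT values above 2 are outside that table.
"""
from typing import Dict, List, Optional

# SFF bands: index 0 = < 60 %, 1 = 60 % to < 90 %, 2 = 90 % to < 99 %, 3 = >= 99 %.
SFF_BAND_EDGES = (0.60, 0.90, 0.99)

# Maximum SIL claimable for a subsystem, indexed [sff_band][hft]; 0 means "not allowed".
ARCH_CONSTRAINTS: Dict[str, List[List[int]]] = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}


def safe_failure_fraction(lambda_s: float, lambda_dd: float, lambda_du: float) -> float:
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lambda_s + lambda_dd) / total


def diagnostic_coverage(lambda_dd: float, lambda_du: float) -> float:
    dangerous = lambda_dd + lambda_du
    if dangerous <= 0:
        raise ValueError("no dangerous failures to cover")
    return lambda_dd / dangerous


def sff_band(sff: float) -> int:
    band = 0
    for edge in SFF_BAND_EDGES:
        if sff >= edge:
            band += 1
    return band


def max_sil_by_architecture(component_type: str, sff: float, hft: int) -> int:
    """Highest SIL the architectural constraints allow; 0 if the combination is not allowed."""
    if component_type not in ARCH_CONSTRAINTS:
        raise ValueError("component type must be 'A' or 'B'")
    if not 0 <= hft <= 2:
        raise ValueError("the table covers HFT 0..2 only")
    return ARCH_CONSTRAINTS[component_type][sff_band(sff)][hft]


def min_hft_for_target(component_type: str, sff: float, target_sil: int) -> Optional[int]:
    """Smallest HFT (0..2) at which the target SIL is claimable, or None if unreachable."""
    for hft in range(3):
        if max_sil_by_architecture(component_type, sff, hft) >= target_sil:
            return hft
    return None


def assess_subsystem(component_type: str, lambda_s: float, lambda_dd: float,
                     lambda_du: float, hft: int) -> Dict[str, object]:
    sff = safe_failure_fraction(lambda_s, lambda_dd, lambda_du)
    return {
        "sff": sff,
        "dc": diagnostic_coverage(lambda_dd, lambda_du),
        "max_sil": max_sil_by_architecture(component_type, sff, hft),
    }


if __name__ == "__main__":
    # Constructed sample: a Type B logic subsystem with 500 / 400 / 100 FIT.
    for hft in range(3):
        r = assess_subsystem("B", 500.0, 400.0, 100.0, hft)
        print(f"HFT {hft}: SFF = {r['sff']:.0%}, DC = {r['dc']:.0%}, max SIL {r['max_sil']}")
```

With the sample split, SFF is 90 %, which for a Type B subsystem limits a single channel (HFT 0) to SIL 2; a second channel (HFT 1) is needed before SIL 3 may be claimed, independently of how good the PFD figure is.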
-
24
Development Hardware and Software
Hardware / Software Interactions
[Figure: the E/E/PE system design requirements specification leads to the E/E/PE system architecture, from which two branches start. Scope of IEC 61508-2: hardware safety requirements specification; programmable electronic hardware and non-programmable hardware; programmable electronics design and development; non-programmable hardware design and development. Scope of IEC 61508-3: software safety requirements; software design and development. The branches join in programmable electronics integration (hardware and software) and then E/E/PE system integration.]
-
25
Development Software
Software Life Cycle
-
26
Development Software
The V-Model
[Figure: V-model of IEC 61508-3. Left, descending branch: E/E/PE system safety requirements specification, software safety requirements specification, software architecture (derived from the E/E/PE system architecture), software system design, module design, coding. Right, ascending branch: module testing, integration testing (module), integration testing (components, subsystems and programmable electronics), validation testing, validated software. Arrows labelled "Output", "Verification" and "Validation" link the two branches.]
-
27
Development Software
• Testing Software
– Not every line of code can be tested.
– The right test procedures and methods shall be used.
• Safety-related Software
– Safety systems shall perform the safety function even under faulty conditions.
– Both hardware faults and software failures shall be considered.
– Use of fault avoidance strategies
– Measures to control faults: assertions, key procedures, …
-
28
Development Software
• Sufficiently Error-Free Software
– Following the traditions of software development and quality assurance
– Developing software in accordance with the life cycle, using the traditions and methods that have been applied and specified by the manufacturer
– Selecting appropriate measures to avoid failures:
– Refer to tables A and B of IEC 61508, Part 3
– Periodic checks of fault avoidance
– Efficiency of the methods during software development
-
29
Development Software - Tools
• In the phases of software development, IEC 61508-3 requires the use of tools
– For the specification, a tool supporting requirements tracking is HR (highly recommended)
• Tools for the test phase
– It is necessary to select a suitable set of tools; different tools for different problems
– Code checker and verification tools (lint, splint)
– Coding rules checker (code check)
– Software metric tools (lines of code, lines of comment, complexity, OOP statistics, inheritance tree)
– The use of development tools should be validated or approved by operation (version history, debugging system)
-
30
Development Software
• Module Testing and Integration Testing:
• Software module and integration testing are verification activities
– Probabilistic testing
– Dynamic analysis and testing
– Functional and black box testing
– Performance testing
– Interface testing
– Forward traceability between the software design specification and the module and integration test specifications
– Test management and automation tools
-
31
Development Software
• Hardware / Software Integration Testing:
• Software module and integration testing are verification activities
– Functional and black box testing
– Performance testing
– Testing the system under all relevant operating conditions
– Forward traceability between the software design specification and the module and integration test specifications
– Test management and automation tools
-
32
Development Software
• Hardware / Software Integration Validation:
• Validation testing requires an additional set of tests. Software aspects:
– Probabilistic testing
– Process simulation
– Modeling
• Hardware aspects:
– Use of realistic devices
– Testing worst case scenarios
– Environmental stress testing
-
33
Summary
• Using IEC 61508 for the development process provides good guidance
• Knowledge of the relevant standards and regulations is required
• A FSM (functional safety management) has to be established in order to ensure a suitable development process
• A quality management system (e.g. ISO 9001) has to be in place
• Skilled teams are necessary during all life cycle phases
• Testing phases must follow a clear V&V plan (verification and validation)
-
34
Thank you for your attention!