Safety and Reliability Engineering Part 7: IEC 61508 Safety and Reliability Engineering Part 7: IEC...
-
Upload
duongkhuong -
Category
Documents
-
view
231 -
download
9
Transcript of Safety and Reliability Engineering Part 7: IEC 61508 Safety and Reliability Engineering Part 7: IEC...
Safety and Reliability EngineeringPart 7: IEC 61508
Prof. Dr.-Ing. Stefan Kowalewski
Chair “Informatik XI”, Embedded Software LaboratoryRWTH Aachen University
Summer term 2007
Reminder: Terminology
Safety:The property of a situation, in which the risk of operating/using a system does not exceed the limit risk.
Risk:
A measure comprising
- the probability of an event leading to damage
- the expected amount of damage, if the event occurs
If quantification is possible:
R = Pdamage · Adamage
Safety and Reliability EngineeringPart 6: Safety, Slide 2
© Stefan Kowalewski, 16 June 2005
Reminder: Possible moon Events
No failureno failure of overall system
passive failurebut failure of overall systemno protection
activated
active failurebut failure of overall system
No failure but failure of overall system
protection activated
no critical eventno protection necessary
critical eventprotection is necessary
Reminder: Availability
1. Safety-related availability As: Probability that the systemwill be shut down in case of a dangerous fault
2. Operation-related availability Ao: Probability that thesystem will be not be shut down unnecessarily
Reminder: Safety-related Availability / Operation-related Availability
kns
ks
n
mksmoon AA
kn
A −
=
−⋅⋅⎟⎟⎠
⎞⎜⎜⎝
⎛= ∑ )1(,
kno
ko
n
mnkomoon AA
kn
A −
+−=
−⋅⋅⎟⎟⎠
⎞⎜⎜⎝
⎛= ∑ )1(
1,
Agenda
Safety-related systems
IEC 61508
- Safety Analysis
- Safety Integrity Level (SIL)
Markov Chains
Saftey-related system / component requirements (1)
Fail-safe:- Property of a system to remain in or move to a safe state in
case of a failure
Example:Trainbarkes need energy to be released.If power supply is interrupted, they brake.
Saftey-related system / component requirements (2)
Fail-silent:- Property of a subsystem to remain in or move to a state in
which it does not affect the other subsystems in case of a failure
- „Silence“ = safe state of the subsystem
Examples:• Faulty bus user (counterexample: „Babbling Idiot“ in Can Bus)• Faulty SW process in a sound operating system
Saftey-related system / component requirements (3)
Fail-operational:- Property of a system to keep up ist function or a degraded
mode of functionality in case of a fault
Example:Air plane controller
≈ Fault-tolerant
Agenda
Safety-related systems
IEC 61508
- Safety Analysis
- Safety Integrity Level (SIL)
Markov Chains
IEC 61508
International standardTitle:Functional safety of electrical / electronic / programmable eletronic (E/E/PE) systems
IEC = InternationalElectronitechnicalCommision
In other words:Functional safety of embedded systemsValid since 1998
IEC 61508
Widely accepted standard for development, design, documentation and operation of electronically controlledsystems with safety-critical functionality in most industies.IEC 61508 is a generic standard (independent fromapplication domain)Derivations:
- Process industries IEC 61511- Manufacturing IEC 62061- Railways EN 50128- Automotive ISO 26262 (Draft)
Safety Standards
prEN 50128(Railway)
IEC 60601(medical equipment)
IEC 61511(process industry)
IEC 62061(Machinery)
ISO WD 26262(Automotive)
IEC 60880(Nucelar power stations)
IEC 50156(Furnaces)
RTCA/DO-178B(Aerospace)
IEC 61508(Meta-Standard)
Three key elements of a safety-related system
Equipment under control (EUC)“equipment, machinery, apparatus used for manufacturing, process, transportation, medical or other acitivities”EUC control system“… responds to input signals causing the ECU to operate in the desired manner”Safety-related system (SRS)“system that … implements the … safety functions necessary to achieve … the necessary integrity for the …safety functions”
Three key elements of a safety-related system
SRS is an addition to the unprotected (but conrolled) EUC to achieve the necessary risk reduction
EUC control system
EUC
Safety-related System
User
Envi
ronm
ent
IEC 61508: Safety-related System Requirements
IEC 61508 requires two, complementary forms:
A description of the function to be performed by the SRS
and
The integrity required of each of those functions
Agenda
Safety-related systems
IEC 61508
- Safety Analysis
- Safety Integrity Level (SIL)
Markov Chains
IEC 61508 is based on the concept of risk reduction
Risk R
uncontrolledRisk
TolerableRisk
Hazard
Harm
Probability of occurrence
Necessary riskreduction ~ SIL
Two main concepts in IEC 61508
1. Safety Life Cycle- A structured procedure integrating all relevant activities to
specify, design,analyze and maintain functional safety2. Safety Integrity Level
- A concept for simplifying and mechanizing thedetermination on the necessary risk reduction
2.a Qualitatively2.b Quantitatively
following slides
Agenda
Safety-related systems
IEC 61508
- Safety Analysis
- Safety Integrity Level (SIL)
Markov Chains
Qualitatively: Risk Analysis 1/2
1. Consequence
2. Frequency of exposure time in hazardous zone
Qualitatively: Risk Analysis 2/2
3. Possibility of avoidingthe hazardous event
4. Probability of theunwanted event
IEC Risk Graph
[1] Anton A. Frederickson, Mr., Dr. The IEC 61508 standard: Functional safety of Electrical /Electronic / Programmable Electronic Safety-related systems 10 Januar, 2003
SIL - Level
[1] Anton A. Frederickson, Mr., Dr. The IEC 61508 standard: Functional safety of Electrical /Electronic / Programmable Electronic Safety-related systems 10 Januar, 2003
Life cycle ISO WD 26262
Agenda
Safety-related systems
IEC 61508
- Safety Analysis
- Safety Integrity Level (SIL)
Markov Chains
Motivation: Markov Chains
up to now “static view” – one failure Event
systemfunctional
systemfailure
failure event
4 componentsoperational
3 componentsoperational
2 componentsoperational
repair
repair
frist component
failure
second component
failure
thirdcomponent
failure
Consider the “dynamic” properties different modelMarkov Chains
Summary
Different Terms:- Fail-safe- Fail-silent- Fail-operational
IEC 61508:- Meta-Norm- Three key elements: EUC, control system, SRS- Safety Integrity Level- Risk Graph- Life cycle
Markov chains- Necessary property- First example of modeling and calculation