Functional Safety: Assessment and Certification

Transcription

1 Functional Safety: Assessment and Certification Joachim Iden TÜV Rheinland Japan Ltd. Business Unit Automation, Software and Information Technology (ASI) 1

2 Basic Principles of EN

3 Basic Principles of IEC Risk oriented Principal of Risk Reduction Management of Functional Safety Life-cycle oriented Definition of safety-related Functions Definition of Safety Integrity Level (SIL) Quantitative Requirements to the Probability of Failure 14

4 Management of Functional Safety Activities to achieve and maintain Functional Safety of an application e.g.: Organisation, Resources, Documentation, Qualification of personal Risk Estimation and Risk Management Planning Implementation and Supervision Judgement, Assessment 15

5 Required activities Determination of management- and technical activities during the individual phases of the life cycle Assignment of responsibilities of persons, departments and organisations including their qualification Control of the performance of defined steps Planning of verification and validation of hardware, software and the instrumented system Documentation of the results of the tests according to the V&V plan Assessment of results, introduction of measures regarding negative results 16

6 Simplified Safety Life Cycle Product specification Concept-, architectural design Development Prototype production Zero-production series Series production Faults are mainly systematic, so called design faults. They have to be avoided by the application of suitable Quality Management measures for fault avoidance. Installation Putting into operation Operation Repair, remove of faults Maintenance / modifications Withdrawal from service Disposal Systematic and random faults, fault avoidance and fault control Mainly systematic faults, fault avoidance 17

7 Safety Related Function Consisting of Input, Output, Controller, Communication and power supply Sensor E / E / PES Actuator 35% 15% 50% e.g. Communication network failure rate of all nodes in a network < 1% of the related SIL-level regarding the communication part 18

8 Safety Integrity Level, SIL Average probability to perform designed function on demand Safety integrity level (SIL) Low demand mode of operation (Average probability of failure to perform its design function on demand) to < to < to < to < 10-1 Probability of a dangerous failure per hour Safety integrity level (SIL) High demand or continuous mode of operation (Probability of a dangerous failure per hour) to < to < to < to <

9 IEC Architectural Constraints on Low Complex Subsystems Safe Failure Fraction Hardware Fault Tolerance < 60 % SIL 1 SIL 2 SIL 3 60 % - 90 % SIL 2 SIL 3 SIL 4 90 % - 99 % SIL 3 SIL 4 SIL 4 99 % SIL 3 SIL 4 SIL 4 20

10 IEC Architectural Constraints on Complex Subsystems Safe Failure Fraction < 60 % Hardware Fault Tolerance Not allowed SIL 1 SIL 2 Possible system structures: 1oo2 for safety or 2oo3 for safety and availability 60 % - 90 % SIL 1 SIL 2 SIL 3 90 % - 99 % SIL 2 SIL 3 SIL 4 99 % SIL 3 SIL 4 SIL 4 21

11 Fault Tolerance acc. to IEC Minimum Hardware Fault Tolerance of PE Logic Systems SIL Minimum Hardware Fault Tolerance SFF < 60 % 60 % < SFF < 90 % SFF > 90 % Special requirements apply, see IEC Minimum Hardware Fault Tolerance for Sensors, Actors, non-programmable Systems SIL Minimum Hardware Fault Tolerance Special requirements apply, see IEC

12 Safe Failure Fraction The safe failure fraction of a subsystem is defined as: ( + ) ( + ) λ λ λ λ S DD / S D λ S λ D λ DD Safe failure Dangerous failure Dangerous failure, Detected by the internal diagnostic 23

13 Calculation Probability of Failure Example: 1oo2 Component PFD G = 2 (( 1 β ) λ + ( 1 β) λ ) t t + β λ MTTR+ β λ + MTTR Important factors apart from failure rate, diagnostic, safe failure fraction β MTTR T 1 : common cause effect : mean time to repair : proof test interval T D DD D U CE GE D DD DU 24

14 Summary of Requirements Measures to avoid and control failures especially systematic failures in HW/SW, applied during design and development including functional safety management Architectural constraints (HFT and SFF) including diagnostic Probability of dangerous failure by reliability modelling techniques Measures to avoid and control failures during the design and development of application software Requirements derived from the intended application need to be taken into consideration: e.g. reaction time, safe state 25

15 Safety Networks 26

16 Safe Network Communication Today s demands on Safety networks: Failsafe communication up to safety integrity level 3 (SIL3) according to IEC Selective Switching off operation in case of fault or error condition Integration into entire enterprise network topology Easy and consistent network design and engineering Maximised diagnosis capability of all components High degree of maintainability and remote maintenance capability Easy component replacement. 27

17 Safe Network Communication Simplified Model of Bus Communication Communication System Transmitter Receiver Communication line Receiver Transmitter Coupler 28

18 Safe Network Communication Safety related system encodes and decodes safety related messages detects faults in received data Safety related system encodes and decodes safety related messages detects faults in received data Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer

19 Safe Network Communication Measures against Transmission Faults (Examples) Sequence Time Timeout Handshake CRC Number Stamp Bit Error X Repetition X X Loss X X X X -- Insertion X X Incorrect Order X X Delay -- X X X -- Addres s ing Failures / Mas querade X -- 30

20 Safe Network Communication Node 1 Node 2 Node x e.g. I/O or processing e.g. sensor or actuator specific function communication function Probability of failure of the safety function = = PFD Sensor +PFD Communication +PFD Processing +PFD Actuator If it can be shown that communication contributes less than 1% of the maximum allowed failure rate for a given SIL level, it may be neglected for determining the failure rates of the individual safety functions. 31

21 Safe Network Communication Determination of Residual Error Probability R n ( ) i ( n i) n, d, p A p (1 p = i= d n, i ) where A n, i = n i = n! i!( n i)! n = message length, p = bit error probability, d = hamming distance 32

22 Safe Network Communication To calculate the error over time resulting from R(p), the following formula may be used: Λ =3600R(p) ν(m-1)*100 [transmission errors/hour] where ν = number of safety relevant messages per second, m = number of participants The factor 100 indicates that the transmissions only contributes 1% to the error rate 33

23 Safe Network Communication Relation to SIL Level Category 4 (SIL 3) Λ < Category 3 (SIL 2) Λ < Category 2 (SIL 1) Λ < Example for Category 3 (SIL 2): m=32, R=10-16, ν=100/s => Λ= <

24 Networks: Safe Configuration Data integrity inside engineering station (e.g. PC) Ensuring data integrity during download/upload Configuration verified by user data + e.g. CRC engineering station network module / node user data + e.g. CRC 35

25 Networks: Requirements for Safe Configuration Configuration data inside the engineering station need to be protected: Signature, CRC,... Date and time stamp The programming station should display discrepancies between configuration data stored locally and those stored on the network modules. The user finally needs to intentionally confirm the validity of the configuration data. Network modules themselves perform a plausibility check of their configuration data. They should operate only if the data are found to be valid. Configuration data need to be access protected by password. 36