Safety Analysis based on IEC 61508: Lessons Learned and the Way Forward

Transcription

1 Safety Analysis based on IEC 61508: Lessons Learned and the Way Forward Jens Braband SAFECOMP 2006 Empfohlen Gdansk, September wird auf dem 2006Titel der Einsatz eines vollflächigen Hintergrundbildes (Format: 25,4 x 19,05 cm): Bild auf Master platzieren (JPG, RGB, 144dpi) ebase-nummer, Bild in den ebase-revision, Hintergrund legen ebase-sequenz =OKZ&DCC Schutz-Vermerk / Copyright-Vermerk Siemens AG 2006

2 Overview Introduction (IEC and Railway Applications) Definition of Operation Modes SIL Allocation and SIL Table SIL Capability and Safety Criticality Properties and Rigor Documentation Issues Conclusion Page 2 September 2006 TS RA RD / Jens Braband

3 Introduction IEC is a basic safety publication for programmable electronic systems (PES). It serves either as a basis for the creation of sector-specific standards or is applied as it stands. It therefore needs to be generic. In order to highlight certain problems, we have applied it as it stands to some simple railway examples (although sector-specific standards do exist). Where appropriate, we have also taken account of current proposals for amendments to IEC 61508, even though they are by nature volatile. Page 3 September 2006 TS RA RD / Jens Braband

4 PES: Railway Sector Application Examples Interlocking Automatic train protection system Page 4 September 2006 TS RA RD / Jens Braband

5 System according to IEC In general, a system consists of: equipment under control (EUC): equipment used for manufacturing, process, transportation,...: an EUC control system a safety-related PES Page 5 September 2006 TS RA RD / Jens Braband

6 Mode of Operation Definition The way in which a safety-related system is intended to be used, with respect to the frequency of demands made upon it. Two modes exist: low-demand mode: in which the frequency of demands for operation made on a safety-related system does not exceed once per year or twice the proof-test frequency. high-demand or continuous mode: in which the frequency of demands for operation made on a safety-related system exceeds once per year or twice the proof-test frequency. Note: In the new CD for IEC the reference to the proof-test frequency has been deleted. Page 6 September 2006 TS RA RD / Jens Braband

7 ATP Example Safety-related PES Automatic train protection (ATP) system stops the train if the driver passes a signal at danger (SPAD). 1 Lineside electronic unit (LEU) 2 Transparent-data balise 3 Fixed balise 4 Vehicle antenna 5 Interrogator On-board unit with peripheral equipment System safety depends on both the reliability of the driver and the ATP system. Application example: Eurobalise (ETCS Level 1) Page 7 September 2006 TS RA RD / Jens Braband Example: Hazard rate of 2x10-6 per train per hour

8 Problems with Modes of Operation Problems for railway applications: Proof-test intervals as in the process industry are often not available, although diagnostic self-checks may be performed every few minutes. The demand rate often depends on the reliability of the human operator (with him acting as a control system) and the operation profile, so it may be argued that the ATP system is both a lowdemand system and a continuous mode system. The distinguishing frequency (once a year) is not reasoned and apparently arbitrary. Page 8 September 2006 TS RA RD / Jens Braband

9 The Great Question: How Safe is Safe Enough? Besides general requirements, IEC provides some 30 pages of informative risk analysis examples, including: a typical MIL-STD risk matrix (mixed with ALARP) a very simple probabilistic approach a general risk graph and a kind of three-dimensional risk matrix This guidance is, however, of little use, as the examples cannot be directly applied in any sector. it fails to explain how to adapt and calibrate any of the methods. ALARP MIL-STD SIL as low as reasonably practicable US military standard safety integrity level Page 9 September 2006 TS RA RD / Jens Braband

10 Safety Integrity Level Definition IEC Definition: Unavailability of safety function? (IEC 61703) Instantaneous hazard rate? (IEC 61703) Page 10 September 2006 TS RA RD / Jens Braband

11 SIL Allocation Issues Step 1: Step 2: definition of overall safety target and selection of appropriate quantitative and qualitative figures apportionment to ATP, taking into account other risk reduction factors Hazard Demand ATP fails & SPAD... 1/λ 1/λ S ATP failure Hazard ATP automatic train protection SPAD signal passed at danger 1/λ H PdFH PES PFD T probability of dangerous failures per hour programmable electronic system probability of failure on demand Proof-test interval PdFH λ H = λ λs T 2 PFD Page 11 September 2006 TS RA RD / Jens Braband

12 SIL Definition Problems (1) Ambiguous definition of PdFH in IEC same concept as instantaneous failure rate or hazard rate? Why is the concise terminology of IEC not used? SIL is defined for complete safety functions only, but in practice used mainly for hardware or software components. Strong dependence of the PFD on proof-test intervals This leads to contradictions, e.g. requirement based on PdFH specifies design of ATP according to SIL 1, requirement based on PFD depends on proof-test interval and may yield an arbitrary SIL! Page 12 September 2006 TS RA RD / Jens Braband

13 SIL Definition Problems (2) According to IEC 61508, the SIL 1 requirement applies to the entire ATP system, i.e. sensors, communication, PES and actuators. However, the PdFH or hazard rate for the PES may be much smaller, say 2x10-7 per train per hour (depending on the apportionment, e.g. by FTA). Question: Is SIL 1 still sufficient for the sensors, communication, PES and actuators? Page 13 September 2006 TS RA RD / Jens Braband

14 The Way Forward: Integrated SIL Allocation λ S 10 λ Independently proposed and justified by Sato 00 λ 2/T 1/MTTH μ 01 λ S 11 No definition of modes of operation necessary Unified SIL determination using new metric: mean time to hazard (MTTH) Page 14 September 2006 TS RA RD / Jens Braband

15 Model Evaluation MTTH MTTH MTTH λ = + MTTH λ + λ λ + λ = = S 1 μ + λ S 1 λ + 2 T + + S μ μ + λ S 2 T λ + 2 T MTTH 01 MTTH 00 λs + λ + λ 00 S MTTH 10 Index denotes the initial state Model can be explicitly solved Result is an explicit solution for MTTH Page 15 September 2006 TS RA RD / Jens Braband

16 Proposal for a Harmonised SIL Table SIL MTTH > 10,000 years > 1,000 years > 100 years > 10 years Relates to real-life performance Unambiguous SIL determination Integrates all relevant parameters into SIL determination Page 16 September 2006 TS RA RD / Jens Braband

17 Problems: SIL Capability and Safety Criticality (1) SIL capability: measure of the confidence that an element safety function will not fail due to relevant systematic failure mechanisms when the element is used in accordance with the instructions given in its element safety manual Safety criticality: extent to which a deviation from the specified functionality of an element has the potential to create a hazardous situation Categories: C3: single failure is hazardous C2: second (independent) failure is hazardous C1: interference free Based on the safety criticality category, safety functions may be implemented by elements with a lower SIL capability. Page 17 September 2006 TS RA RD / Jens Braband

18 Problems: SIL Capability and Safety Criticality (2) IEC proposal: A SIL X element safety function may be implemented by two (independent) SIL X-1 elements, provided both elements have SIL criticality C2. ATP example: The PES may be implemented by two independent SIL 0 elements, i.e. two (different) PCs with either two separate SIL 0 voters or one common SIL 1 voter. So far, no easy concept for SIL combinations has been validated, and each individual case must be closely scrutinized (e.g. FMEA/FTA, with a very careful consideration of common-cause failures). Also, the terminology is misleading (criticality has a different meaning in IEC standards) and no reasoning is provided. Page 18 September 2006 TS RA RD / Jens Braband

19 New Concepts: Properties and Rigor IEC has extensive tables for the selection of fault avoidance measures for particular SILs. However, many alternatives are possible: Appropriate techniques/measures shall be selected according to the safety integrity level is a standard note for each table and no rules are imposed on the possible combinations. In maintenance, levels of rigor were introduced to assess the achievement of a property: R1: No, or limited, objective acceptance criteria R2: Objective acceptance criteria R3: Objective, systematic reasoning Page 19 September 2006 TS RA RD / Jens Braband

20 Properties and Rigor: Example However, many factors affect systematic and software safety integrity, and it is not possible to give an algorithm for selecting and combining the techniques in a way that is guaranteed in any given application to achieve the desirable properties.. Page 20 September 2006 TS RA RD / Jens Braband

21 Properties and Rigor: SIL Guidance While the rigor of a great variety of techniques is evaluated in more than 10 tables with respect to many properties, no combination or acceptance rules are given for determining what level of rigor (or combined levels) is (are) appropriate for which SIL. Also, the concept is relatively new and needs further explanation. Page 21 September 2006 TS RA RD / Jens Braband

22 Last, but not Least: Documentation (1) The requirements for documentation are fairly general. For example: The documentation shall contain sufficient information In particular, a more detailed structure for safety documentation would facilitate the cross-acceptance of products in different application sectors. The safety case concept, which has improved cross-acceptance in the railway sector for example, is ignored. Page 22 September 2006 TS RA RD / Jens Braband

23 Last, but not Least: Documentation (2) A standard structure for safety documentation should be introduced. The approach can be supported with structured notations for safety arguments. The Goal Structure Notation (GSN) should be recommended. 6: Safety Qualification Tests 5: Safety-related application conditions 4: Operation with external influences 3: Effects of Faults 2: Assurance of Correct Functional Operation 1: Introduction TECHNICAL SAFETY REPORT Page 23 September 2006 TS RA RD / Jens Braband

24 The Way Forward: Conclusions Use mathematically concise, standard terminology which is consistent (at least) with other IEC standards. Abandon the distinction between different operation modes. Delete sections on risk analysis or give clear guidance for calibration of methods. Make sure that SIL determination is unambiguous, e.g. by a single target metric such as MTTH. Use only validated concepts and explain them fully. Enhance cross-acceptance by using a standard safety case structure. Page 24 September 2006 TS RA RD / Jens Braband

25 References Braband, J.: Risikoanalysen in der Eisenbahn-Automatisierung, Eurailpress, 2005 (Risk analyses in railway automation) Braband, J.: Ein Ansatz zur Vereinheitlichung der Betriebsarten und Sicherheitsziele nach IEC 61508, Proc. EKA 2006 (An approach to the standardisation of operating modes and safety targets in accordance with IEC 61508) IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, 2000 IEC 61703: Mathematical expressions for reliability, availability, maintainability and maintenance support terms, 1999 Yoshimura, I., Sato, Y., Suyanma, K.: Safety Integrity Level Model for Safety-related Systems in Dynamic Demand State, Proceedings of the 2004 Asian International Workshop on Advanced Reliability Modeling (AIWARM 2004), Hiroshima, Page 25 September 2006 TS RA RD / Jens Braband