Safety Related Systems

Transcription

1 Safety Related Systems What are the demands? Seite 1

2 Safety Competence Center Vienna SCCV > Safe systems for a safer world! Seite 2

3 Safety Competence Center Vienna > Vision > Das Safety Competence Center Vienna (SCCV) wird Wissensdrehscheibe für System/Functional Safety mit internationaler Vernetzung. > Mission > Das SCCV versteht sich als Kompetenzträger im Bereich System/Functional Safety mit folgenden Dienstleistungen: > Lehrveranstaltungen und Trainings > Tool- und Methodenentwicklung > Coaching Seite 3

4 ISaP Integrativer Safety Prozess Problemraum Modellierungsraum Lösungsraum Anwendung Projekt- Management & Wartung Projekt- Initialisierung Projektstart Projekt-Controlling Projekt- Abschluss Wartung System Safety Management Preliminary Hazard Identification FHA PSSA System Safety Assessment Operational SSA Engineering & Operation Konzeptionierung Anf. Analyse Entwurf Konstruktion, (Realisierung), Integration & Test Betrieb & Technische Wartung Entsor gung Unterstützende Prozesse Konfigurationsmanagement, Qualitätsmanagement (Verifikation, Validierung) Problemlösungs- Management, Änderungsmanagement SCCV 20/09/10 Seite 4

5 Introduction > What is the motivation for considering safety? > What is safety? > What is a safety related system? > How is software involved? > What are the demands on safety related systems? > What is the role of the OS? Seite 5

6 Motivation > Why does safety become increasingly important? Seite 6

7 Complexity several years ago > Car electrical system 1970 Seite 7

8 Complexity now > Modern premium car source: Seite 8

9 Complexity now > Modern premium car > Six different computer networks > More than different messages > electronic control units (ECUs) > sensors > 100 million lines of code (LoC) source: source Seite 9

10 European union product liability > Product Liability Directive 85/374/EEC > Since 1988 > Applies to products, does not apply to services > The producers shall be liable for damage caused by a defect in their products > Death, personal injury, property damage > Factors taken into account > Presentation of the product > Reasonable use > Time the product was put into circulation > Producers may not limit their liability > Producer of a component is jointly liable with the producer of the product Seite 10

11 Safety regulations, norms and standards MIL STD 882D Def Stan IEC Generic IEC Military IEC Electricdrive Processindustry Safety of machines EN/IEC EN/ISO EN/ISO EN/ISO IEC ISO/DIS CAP 670 EATMP RTCA DO-178B EUROCAE ED-12B (Software) ESARRs Aviation RTCA DO-254 (Hardware) Nuclear power Automotive IEC IEC Medicine CENELEC EN Railway CENELEC EN CENELEC EN CENELEC EN Seite 11

12 Costs of accidents > Enschede fireworks disaster (2000) 23 people killed, 947 injured Damage: 450 million > Elchtest Mercedes A-Class (1997) 150 million > Toyota recall (2010) 35 people killed $1,1 billion > Deepwater Horizon (2010) 11 people killed $0,5 billion + $6 million/day source: Hollnagel 2006, IHSK 2005, RRC AG, Bloomberg BusinessWeek, The Wall Street Journal pictures: Wikipedia, Süddeutsche, dpa Seite 12

13 Society > Absolute safety, zero risk cannot be achieved > Level of safety > In a given context > Reference to an acceptable risk > Based on current values of society > The values of society are reflected in > Laws and directives > Norms and standards > Public opinion > Increasing demand for safety in the society Seite 13

14 What is safety? Seite 14

15 Safety Definition des SCCV Das Ziel von System Safety ist das sichere Funktionieren eines Systems in seinem Umfeld. Grundvoraussetzung für die Erreichung dieses Zieles sind reife Prozesse. Das Risiko von Gefahren muss dabei präventiv auf einem akzeptierbaren Niveau gehalten werden, sodass weder Menschen, andere Lebewesen, die Umwelt noch das System selbst oder andere Systeme zu Schaden kommen. Seite 15

16 Safety and security Security System is protected against attacks Safety System does not cause harm Attack System Health Equipment Environment Seite 16

17 Safety vs. security > A security issue may collaterally become a safety issue Source: > security needs to be considered for safety Seite 17

18 Safety and reliability > Reliability - the system operates as expected System Seite 18

19 Reliability of the safety functions > The safety functions perform as expected > Safety Integrity Level - measure for reliability of safety functions System Seite 19

20 Example Escalator source: source: Seite 20

21 Example Airplane Seite 21

22 Safety Related System Seite 22

23 System and system context System context System Seite 23

24 Failure chain within a system > Fault > Error > Cause of an error > System state, or part of the system state, that may lead to a failure > Failure > Deviation from the correct function > Failure mode is the way something fails > Failure Chain: System Fault Error Failure Seite 24

25 Failure propagation System Sub-System Failure Sub-Sub- System Fault Failure Fault Failure Fault Seite 25

26 Hazard > A situation, state or condition that can lead to an accident > Hazards are described at the system boundary > It s important to identify the system boundary! Hazard > Every dangerous failure is a hazard > Once the hazard has occurred > The system in question cannot stop the accidental sequence > Still mitigation may be possible by other systems or measures Seite 26

27 Causal factor > Factors that may contribute to hazards are called causal factors > Causal > Expressing a cause or reason > Factors > Circumstances, conditions, etc. that produce a result > It s important to distinguish causal factors from hazards Seite 27

28 Two types of hazards Internal caused Hazard > Internally caused hazard > Internal, endogenous > Causal factors in the system > Behavior > Properties System! > Externally caused hazard > External, environmental, exogenous > Causal factors outside the system > e.g. misjudged system environment External caused Hazard System! Seite 28

29 Accident > Unintended event or sequence of events > Results in loss > Death > Injury > Environmental damage > Financial loss > The consequences determine the severity of the accident Seite 29

30 Internally caused hazard to accident System Causal Factors Failure Fault Error! Accident Severity Seite 30

31 Externally caused hazard to accident Causal Factors Fault Error System Failure! Accident Severity Seite 31

32 All possible accidents From causal factor to accident System Hazard 1 Function 1! Causal Factor Failure 1! Causal Factor Failure n All Functions! Hazard m Worst case severity Seite 32

33 Safety related system System Seite 33

34 Safety related system > Properties of a safety related system > Failure can cause an accident > Provides safety functions > Safety related software > Part of a safety related System > Software used for safety related system development > Tools Seite 34

35 Strategies for achieving functional safety > Robust system > System where fault automatically leads to a safe state (safe fault) > Detect fault, change to a safe state and maintain it > Detect fault and warn user > Provide redundancy > Detect multiple point fault for avoiding latent faults Seite 35

36 Safety related software development > Avoid systematic failures > Requirements > Safety Requirements > Interfaces > Software development process > Traceability > Hardware, software, system integration > Verification and validation > Problem tracking, change management > Conformance with respect to safety standards > Safety case > Documented evidence, that the system is safe Seite 36

37 Safety and operating systems > OS manages the timing > Real time behaviour > OS manages resources > RAM > IO > Communication > > May provide separation of safety related and not safety related software > Prevents undesired interference of functions Seite 37

38 Conclusion > Safety has become more important for electronic systems and software > Safety is different from security > Safety needs to be designed into the system > Systematic failures need to be avoided during software development > OS plays a major role in a safety related system Seite 38

39 Thank you for your attention! Seite 39