Reliability of Safety-Critical Systems Chapter 1. Introduction

Size: px

Start display at page:

Download "Reliability of Safety-Critical Systems Chapter 1. Introduction"

Ross Price
6 years ago
Views:

1 Reliability of Safety-Critical Systems Chapter 1. Introduction Mary Ann Lundteigen and Marvin Rausand & RAMS Group Department of Production and Quality Engineering NTNU (Version 1.3 per August 2016) M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 1 / 38

Reliability of Safety-Critical Systems Slides related to the book Reliability of Safety-Critical Systems Theory and Applications Wiley, 2014 Theory and

2 Reliability of Safety-Critical Systems Slides related to the book Reliability of Safety-Critical Systems Theory and Applications Wiley, 2014 Theory and Applications Marvin Rausand Homepage of the book: books/sis M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 2 / 38

3 Learning objectives To understand what a safety-critical system is and what it is used for To become familiar with the main building blocks and technologies To recognize some of the application areas To be aware of some key concepts associated with the way of operating To become aware of the framing conditions for design and operation, with focus on key international standards M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 3 / 38

4 Safety-critical system Safety-critical system: A system whose failure may lead to harm to people, economic loss, and/or environmental damage. Safety-critical systems embrace a wide range of systems: Active systems using electrical, electronic, or programmable electronic technology (our focus!) Active systems using mechanical technology alone (e.g pressure relief valve) Passive systems like mechanical protection, dikes, firewalls etc M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 4 / 38

5 Active safety-critical systems Our focus is on the active safety-critical systems, or more specifically: E/E/PE safety-critical system: A safety-critical system that is based on (at least some) electrical, electronic, or programmable electronic (E/E/PE) technology. The process industry often use the term safety-instrumented system (SIS), and we have adapted this term also for other applications due to its simplicity: Safety-instrumented system (SIS): instrumented system used to implement one or more safety instrumented functions (SIFs). M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 5 / 38

6 Main parts of a SIS: Process industry A SIS is often split into three subsystems: 1. Sensor (S) subsystem: Monitors some process parameter or presence of a command. 2. Logic solver (LS) subsystem: Decides if it is necessary to act upon the monitored signals. 3. Final element (FE) subsystem: Carries out the necessary tasks, if decided to act. Logic solver Sensor systems Final elements M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 6 / 38

7 More than one SIS Safety functions are often organized into separate SISs, according to their main function. At a process plant, we may find the following SISs: PSD: Process shutdown system ESD: Emergency shutdown system HIPPS: High integrity pressure protection system Fire and gas detection (F&G) system M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 7 / 38

8 Safety-critical systems Safety-critical system - examples (Process industry) COMMUNITY EMERGENCY RESPONSE PLANT EMERGENCY RESPONSE FIRE AND GAS SYSTEMS toxic gas detection and alarm PHYSICAL BARRIERS Barricades, dikes MITIGATION Pressure relief valves Rupture discs PREVENTION Safety-critical process alarms Safety instrumented systems CONTROL Basic process control system Process alarms, operator procedures PROCESS DESIGN Inherently safe design M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 8 / 38

9 Main parts of a SIS: Adaptive cruise control M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 9 / 38

10 Safety-instrumented function (SIF) Safety-instrumented function (SIF): A safety function that is performed by a SIS. Some properties or characteristics: The same SIS may perform several SIFs SIFs associated with the same safety barrier are often put into the same SIS PSD functions A process shutdown system (PSD) may carry out the following SIFs Close inlet valve to a separator upon high pressure Close outlet valve (liquid) from a separator upon low level Stop a pump upon high downstream pressure Trip (stop) a compressor upon too low inlet pressure etc M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 10 / 38

11 Realization of a SIS: Process industry A process shutdown function may be used as an example of a SIS. It may be noted that several technologies are involved. +24VDC Comparison & voting logic Switches Logic solver Solenoid valve (Electrical operated DCV) Solenoid Hydraulic return system Hydraulic supply (pilot line system) PT PT Pressure transmitters (PTs) Actuator Gate valve Pilot operated DCV From hydraulic main supply Hydraulic return system Flow M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 11 / 38

12 Realization of a SIS: Railway signaling The example focuses on the control of a green light (drive permit) signal. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 12 / 38

13 Realization of a SIS: Next generation signaling with ERTMS Some facts: Each European country has (until now) developed their own strategy for railway signaling systems, including interlocking system and automatic train protection systems. In 1996 EU decided that the European Rail Traffic Management System (ERTMS) should become standard for all high-speed lines, to ensure interoperability in Europe. Two EU directives introduced for ERTMS: 96/48 (high speed rail system) and 2001/16 (conventional rail system) A European Train Control System (ETCS) has been developed to standardize implementation of ERTMS ERTMS comprises: ETCS system with trackside (alongside tracks) and trainborne (onboard train) subsystems GSM-R (global system for mobile communcation - for railway) for voice and data communication ETCS /ERTMS is implemented as either level 1, level 2, and level 3. Level 1 allows use/interface of conventional (national) signaling system M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 13 / 38

Case example: Railway signaling systems with

14 Case example: Railway signaling systems with ERTMS ERTMS vs signaling systems ERTMS level 1 ERTMS level 2 ERTMS level 3 ETCS: European Train Control System ERTMS = ETCS + GSM-R LEU: Lineside Electronics Unit M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 14 / 38

Case example: Detailed about ERTMS level 1 Source: http://www.mobility.siemens.

15 Case example: Detailed about ERTMS level 1 Source: M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 15 / 38

Case example: Detailed about ERTMS level 2 Source: http://www.mobility.siemens.

16 Case example: Detailed about ERTMS level 2 Source: M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 16 / 38

17 Case example: Detailed about ERTMS level 3 Source: M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 17 / 38

18 Sensors Sensors are used to monitor a certain process or EUC state, such as.: Processing plant: Temperature, pressure, level, flow, status of pushbuttons, etc Railway signaling: Relay position, position of rail switch, train speed and position, electrical current (in cable to light signal) Signal transmission may be: Analog (e.g., 4-20 ma) Voltage (0 V/12V, or 0 V/24 V) Digital/bus (Fieldbus and Profibus 1, Profi-safe) Pressure 1 Fieldbus and Profibus under development for safety-critical applications M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 18 / 38

19 Sensors Communication (digital, analogue) Pressure transmitter Electronics Sensing element Impulse line Pipeline Pressure sensor A pressure sensor comprises Impulse line, which connects the sensing element to the process pressure Sensing element, with diaphragm and a reference pressure (atmospheric or vacuum) Electronics, with electrical signal generation from diaphragm deflection, diagnostics features and (if included) digital communication interface M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 19 / 38

20 Logic solver Logic solvers are used to set output states, based on the processing of input states. This means to: Compare input signals with some set-points defined in the logic solver Power supply Inputs Input modules Logic module CPU Output modules Communication Outputs Railway signaling: Relay position, position of rail switch, train speed and position, electrical current (in cable to light signal) M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 20 / 38

21 Logic solver A programmable logic solver (also called programmable logic controller - PLC) comprises: Input cards/ modules (digital, analogue) Central processing unit - CPU (containing firmware and application program) Output cards/modules (digital with relays) In some cases: distributed input/output (I/O) cards Communication (internal between the input/output cards and the CPU, and between CPU and distributed nodes The PLC requires a power supply and has interfaces to other systems, including human machine interface. Figure: Source: how_plcs_work M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 21 / 38

22 Logic solver Logic solvers may be: Hardwired, meaning that all processing is carried out by the use of relays and contactors. Solid state, meaning that the processing is carried out by a fixed arranged and programmed set of electronic components. Programmable, meaning that the processing is carried out by an application program (software). Figure: Source: plcdev.com/how_plcs_work M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 22 / 38

23 Final elements Final elements are also called actuating devices, and may be: Relay controlled by the logic solver +24VDC Valves Relays Circuit breakers Actuating devices Solenoid valve (Electrical operated valve) Pilot operated valve Solenoid Hydraulic return system Hydraulic supply (pilot line system) capable of stopping flow and isolating electrical equipment. Actuator From hydraulic main supply Hydraulic return system To carry out a function, it may be necessary with an arrangement of several final elements. Flow Gate valve M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 23 / 38

24 Design principles Redundancy: Having more than one item to carry out the same function Hardware fault tolerance: The number of faults tolerated (in a subsystem) before the function is lost Fail-safe: The final element goes to a predefined safe state upon loss of signal or power (electrical or by other utility system): Fail-active Fail-passive Fail-operational Energize-to-trip: Activation of function requires a pulsed or stable electrical signal De-energize-to-trip: Activation of function is achieved by removing a pulsed or stable electrical signal M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 24 / 38

25 Design principles LOWER STEM UPPER STEM LEAK VENT GATE POSITION INDICATOR GATE MECHANICAL OVERRIDE FLOW CLOSE OPEN HYDRAULIC OPERATOR FAIL-SAFE CLOSED Figure: A fail-safe gate valve used for a subsea Xmas tree M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 25 / 38

26 Demands and demand rates Demand: An event or a condition that requires a SIF to be activated (i) to prevent an undesired event from occurring, or (ii) to mitigate the consequences of an undesired event. The frequency of occurrences of demands, the demand rate is often modeled as a homogeneous Poisson process with demand rate λ de λ de λ effect Barrier Risk reduction factor = λ de λ effect Demands Effects Consequences M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 26 / 38

27 Modes of operation Safety-critical functions, such as a SIF, are often categorized according to how often the barrier functions are demanded. It is common to distinguish between three modes of operation (high-demand and continuous demand mode is sometimes merged into one): Low-demand mode: The safety function operates in the low-demand mode if demanded less often than once every year High-demand mode: A safety-critical function operates in the high-demand mode if demanded once a year or more often Continuous mode: This is a special case of a high-demand mode where the safety-critical function operates continuously (always at demand) M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 27 / 38

28 Modes of operation Examples System Low-demand High-demand Continuous Air bag release system (automotives) Emergency shutdown system (process industry) Presence-sensing safeguarding devices around robots (manufacturing) Anti-lock breaking system (ABS) for cars (automotive) Fly-by-wire systems (aviation) Dynamic positioning system (marine/ship systems) Signaling systems (Railway) X X X X X X X a a Depends on how frequent trains pass at the tracks controlled by the system M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 28 / 38

29 Equipment under control Equipment under control (EUC): Equipment, machinery, apparatus, or plant used for manufacturing, process, transportation, medical, or other activities. The EUC may be a boundary of something where hazardous events can occur (and cause damage), or be a boundary of something that can be exposed by hazardous events from the outside. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 29 / 38

30 Equipment under control Examples Industry Examples of EUC Process industry: Production separator Fire area Pipeline section Railway: Block/rail section Station Tunnel Hospital: Patient Critical medicine dosing apparatus Cutting machine: Machine itself Humans (operators or Room where maintenance personnel) machine is located M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 30 / 38

31 Safe state Safe state: A state of the EUC where safety is achieved. [IEC 61508] The objective of a SIF is to bring the EUC to a safe state, or to keep the EUC in a safe state after a demand has occurred. The safe state should also be achieved if the SIS looses critical utility systems (electrical power, hydraulic power, etc). Is the safe state well defined? What would be the safe state in case of an hazardous event occuring while: Running process at a process plant? A train is leaving a station? Driving a car? A plane is climbing after take-off? A lift is moving and is between two floors? M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 31 / 38

32 Functional Safety Functional safety: Part of the overall safety relating to the EUC and the EUC control system that depends on the correct functioning of the E/E/PE safety-related systems and other risk reduction measures. [IEC 61508] Relates to the ability to protect the EUC or vulnerable objects within the EUC from damage Relies on the ability of a SIS (and other safety barriers) to bring the EUC to a safe state, under normal situations and foreseeable fault situations...this means that functional safety is the safety provided by SIS. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 32 / 38

33 Key standards Applicable to design and operation of SIS IEC 61508: A generic standard on functional safety IEC Medical IEC Process industry IEC Machinery IEC Nuclear ISO Automotive EN 50126, 50128,50129 Railway Def stand Millitary M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 33 / 38

34 IEC IEC and the sector-specific standards based on IEC are often referred to as functional safety standards. IEC is named Functional safety of electrical/electronic/programmable electrnoic safety-related systems and comprises 7 parts, of which 4 are mandatory and 3 are informative. The 1st edition came in 1998, and the current edition (2nd edition) is from The purposes of IEC are to: Serve as a guideline for development of sector-specific standards. Serve as a standard where sector-specific standards do not exist or have certain restrictions on application areas. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 34 / 38

35 IEC IEC is the umbrella standard for a collection of functional safety standards that aim to: Frame the safe implementation of electrical/electronic/programmable-electronic technology in safety applications Ensure adaption of best practises in all stages of the safety life cycle, from concept definition and specification of requirements to construction, installation, operation, maintenance, modifications, and eventually, decommissioning M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 35 / 38

36 IEC in parts Part Name Comment Status 2 1 General requirements Cover all life-cycle phases, from concept definition to decommissioning N 2 Requirements for electrical/ electronic/ Concerns hardware design and the in- N programmable electronic tegration hardware and software safety-related systems 3 Software requirements Concerns requirements for software N development, software development tools, and software architectures 4 Definitions and abbreviations Given by the title. N 5 Examples of methods for the determination of safety integrity levels Explains methods like risk matrix, risk graph, and LOPA I 6 Guidelines for the application of Includes formulas for quantifying PFD I IEC and IEC and PFH and checklists for beta 7 Overview of techniques and measures Elaborates on referenced topics I 2 N is normative, I is informative M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 36 / 38

37 IEC for the process idnustry IEC applies to process industry with some exceptions. SIS design process industry sector Hardware Software Developing NEW hardware devices Using PROVEN-IN-USE hardware devices Using hardware developed and assessed in accordance with IEC Developing embedded software systems Developing application software using FVL Developing applicatiion software using LVL or FP IEC ,2 IEC IEC IEC IEC IEC IEC 61508: Manufacturers standard IEC 61511: End users standard FVL: Fixed variable language LVL: Limited variable language FP: Fixed programming M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 37 / 38

38 Functional safety standards Mode of operation in focus Standard IEC 61508: IEC 61511: IEC 62061: EN 50126/,28,29 3 : ISO 26262: Mode of operation in focus All modes of operation Mainly on low-demand Mainly on high/continuous-demand Mainly on high/continuous-demand Mainly high/continous-demand 3 Remark: IEC 62278, IEC 62425, and IEC are identical to EN 50126, EN 50129, and EN 50128, however, the EN version is more often referenced. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 38 / 38

IEC61511 Standard Overview

IEC61511 Standard Overview Andre Kneisel Instrumentation Engineer Chevron C.T. Refinery SAFA Symposium 2011 August 5 th, 2011 Presentation Overview Provide some understanding of the key aspects of Functional