Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309

Similar documents
Deriving safety requirements according to ISO for complex systems: How to avoid getting lost?

Hardware safety integrity (HSI) in IEC 61508/ IEC 61511

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

What functional safety module designers need from IC developers

New developments about PL and SIL. Present harmonised versions, background and changes.

Failure Diagnosis and Prognosis for Automotive Systems. Tom Fuhrman General Motors R&D IFIP Workshop June 25-27, 2010

Hardware Safety Integrity. Hardware Safety Design Life-Cycle

DEPENDABLE PROCESSOR DESIGN

SAFETY MANUAL SIL Switch Amplifier

HART Temperature Transmitter for up to SIL 2 applications

Software architecture in ASPICE and Even-André Karlsson

HART Temperature Transmitter for up to SIL 2 applications

Report. Certificate Z Rev. 00. SIMATIC Safety System

ELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL COMMISSION

Dependability tree 1

Part 2: Basic concepts and terminology

Failure Modes, Effects and Diagnostic Analysis

FUNCTIONAL SAFETY AND THE GPU. Richard Bramley, 5/11/2017

TSW Reliability and Fault Tolerance

FUNCTIONAL SAFETY ASSESSMENT: AN ISSUE FOR TECHNICAL DIAGNOSTICS

BUILDING FUNCTIONAL SAFETY PRODUCTS WITH WIND RIVER VXWORKS RTOS

New ARMv8-R technology for real-time control in safetyrelated

Products Solutions Services. Functional Safety. How to determine a Safety integrity Level (SIL 1,2 or 3)

Applications & Tools. Technology CPU 317TF-2 DP: Example for determining the Safety Integrity Level (SIL) according to IEC

Software Verification and Validation (VIMMD052) Introduction. Istvan Majzik Budapest University of Technology and Economics

MANUAL Functional Safety

Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist

The ApplicATion of SIL. Position Paper of

Vibrating Switches SITRANS LVL 200S, LVL 200E. Relay (DPDT) With SIL qualification. Safety Manual. Siemens Parts

Safety Manual. VEGABAR series ma/hart - two-wire and slave sensors With SIL qualification. Document ID: 48369

Functional Example AS-FE-I-013-V13-EN

MANUAL Functional Safety

Failure Modes, Effects and Diagnostic Analysis. PR electronics A/S

Failure Modes, Effects and Diagnostic Analysis

Type Switching repeater. Safety manual

Safety Manual VEGASWING 61, 63. Relay (DPDT) With SIL qualification. Document ID: 52082

OPTISWITCH 5300C. Safety Manual. Vibrating Level Switch. Relay (2 x SPDT) With SIL qualification

Understanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL

ISO INTERNATIONAL STANDARD. Safety of machinery Safety-related parts of control systems Part 1: General principles for design

Safety Manual. Vibration Control Type 663. Standard Zone-1-21 Zone Edition: English

MANUAL Functional Safety

Failure Modes, Effects and Diagnostic Analysis

Fault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO standard

Functional safety manual RB223

ACT20X-(2)HTI-(2)SAO Temperature/mA converter. Safety Manual

Type 9160 / Transmitter supply unit / Isolating repeater. Safety manual

Soliphant M with electronic insert FEM54

Certified Automotive Software Tester Sample Exam Paper Syllabus Version 2.0

Safety-related controls SIRIUS Safety Integrated

Safety manual. This safety manual is valid for the following product versions: Version No. V1R0

Failure Modes, Effects and Diagnostic Analysis

Functional safety in BATTERY MANAGEMENT SYSTEMS

SIRIUS Safety Integrated. Modular safety system 3RK3

Regulatory Aspects of Digital Healthcare Solutions

IQ Pro SIL option TÜV Certified for use in SIL 2 & 3 applications

Fault-robust microcontrollers for automotive applications

Functional Safety Processes and SIL Requirements

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

Functional Safety for Electronic Control

Original operating instructions Safety relay with relay outputs G1501S / / 2016

Report. Certificate M6A SIMATIC Safety System

Original operating instructions Safety relay with relay outputs with and without delay G1502S / / 2016

The evolution of the cookbook

INTERNATIONAL STANDARD

Proline Prowirl 72, 73

T72 - Process Safety and Safety Instrumented Systems

Mobrey Hydratect 2462

AS-i 3.0 Gateways, PROFIsafe via PROFIBUS or PROFINET

Issues in Programming Language Design for Embedded RT Systems

Study and Design on Self-diagnostic Based Safety Pressure Transmitter

Extension to Chapter 2. Architectural Constraints

AS-i 3.0 Gateways, PROFIsafe via PROFIBUS or PROFINET

FMEDA Report Failure Modes, Effects and Diagnostic Analysis and Proven-in-use -assessment KF**-CRG2-**1.D. Transmitter supply isolator

Report. Certificate Z SIMATIC S7 F/FH Systems

FAULT TOLERANT SYSTEMS

AS-i 3.0 PROFIBUS Gateways with integrated Safety Monitor

AS-i 3.0 Gateways, PROFIsafe via PROFIBUS or PROFINET

FUNCTIONAL SAFETY CERTIFICATE

Report. Certificate M6A SIMATIC S7 Distributed Safety

Point Level Transmitters. Pointek CLS200 (Standard) Functional Safety Manual 02/2015. Milltronics

AURIX After-Lunch-Seminar Performance meets Safety. Safety & Security with professional Software-Components. Björn Assmann (Hitex GmbH)

Executive summary. by Michel Bonnet, Maximilien Laforge, and Jean-Baptiste Samuel

Options for ABB drives. User s manual Prevention of unexpected start-up (option +Q957) for ACS880-07/17/37 drives

Foundation Fieldbus Safety Instrumented System (FF SIS) FF-SIS Meeting. Hannover. April 21, 2004

Functional Safety on Multicore Microcontrollers for Industrial Applications. Thomas Barth (h-da) Prof. Dr.-Ing. Peter Fromm (h-da)

Functional Safety Design Packages for STM32 & STM8 MCUs

Options for ABB drives. User s manual Emergency stop, stop category 0 (option +Q951) for ACS880-07/17/37 drives

Is This What the Future Will Look Like?

MASP Chapter on Safety and Security

Low voltage switchgear and controlgear functional safety aspects

ED17: Architectures for Process Safety Applications

AS-i 3.0 Gateways, PROFIsafe via PROFIBUS or PROFINET

AS-i 3.0 Gateways, PROFIsafe via PROFIBUS or PROFINET

Automotive ECU Design with Functional Safety for Electro-Mechanical Actuator Systems

FMEDA-Based Fault Injection and Data Analysis in Compliance with ISO SPEAKER. Dept. of Electrical Engineering, National Taipei University

Application Note. AC500-S Usage of AC500 Digital Standard I/Os in Functional Safety Applications up to PL c (ISO )

AS-i 3.0 PROFIBUS Gateways with integrated Safety Monitor

FSO Webnair FSO Safety Functions Module. ABB Group February 11, 2015 Slide 1

How Microcontrollers help GPUs in Autonomous Drive

Transcription:

June 25th, 2007 Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309 Christopher Temple Automotive Systems Technology Manager

Overview Functional Safety Basics Functional Safety Standards Functional Safety Measures 186C RGB: 208, 12, 51 2

Functional Safety Basics

Functional Safety Definition Definitions according to IEC61508 risk combination of the probability of occurrence of harm and the severity of that harm harm physical injury or damage to the health of people either directly or indirectly as a result of damage to property or to the environment safety freedom from unacceptable risk functional safety part of the overall safety relating to the equipment under control (EUC) and the EUC control system which depends on the correct functioning of the electrical/electronic/programmable electronic (E/E/PE) safety-related systems, other technology related safety-related systems and external risk reduction facilities 4

Definitions according to IFIP WG10.4 Safety in the Context of Dependability Probability that the system will perform to its specification throughout a period of duration t Reliability Dependability Security Secondary attributes Usability, recoverability, maintainability, extendibility, trustability, etc. Availability Percentage of time for which the system will perform to its specification Safety Probability that the system will not show a specified dangerous behavior throughout a period of duration t 5

Impairments through Faults Phenom. cause Phase of creation System boundary Persistence Example Design faults man-made development internal (HW/SW) permanent temporary architecture, algorithms Manufacturing faults man-made manufacturing internal (HW/SW) permanent temporary compiler bugs, test escapes, SI-faults Physical faults physical operational internal external permanent intermittent permanent transient ageing timing noise, short circuit a-particles, glitches Interaction faults man-made operational external temporary interface formats 6

Fault - Error - Failure Model error latency error detection latency error activation Failure fault dormacy fault activation Error error detection fault occurence Fault fault duration Fault Cause of an error 7

Fault - Error - Failure Model error latency error detection latency error activation Failure fault dormacy fault activation Error error detection fault occurence Fault fault duration Error Manifestation of the fault in a system 8

Fault - Error - Failure Model error latency error detection latency error activation Failure fault dormacy fault activation Error error detection fault occurence Fault fault duration Failure Deviation of the delivered service from compliance with the specification 9

System / Component Hierarchy A system can be viewed as a set of interacting components with each component being a system in itself but on a lower hierarchy level System (top hierarchy) Component Component Component Component is a new system in itself Component is a new system in itself Component Component is a new system Component in itself Component Component Component Component Component Component Component 10

System / Component Hierarchy functional safety develops top down System (top hierarchy) Component Component Component Component Component is a new system Component in itself Component Component Component Component Component Component Component safety measures work towards functional safety objective bottom up 11

Addressing Faults in Systems Means for Addressing Faults Development Lifecycle HW Measures SW Measures Means for Addressing Faults Fault Prevention Fault Tolerance (Error Processing, Fault Treatment) Fault Removal (Verification, Diagnosis, Correction) Fault Forecasting (Qualitative Evaluation, Quantitative Evaluation) 12

Functional Safety Standards

Safety Challenge No established metric and value network to classify safety of measures without top system context How to quantify safety of measures? How to compare different approaches? How to make a good technoeconomical decision? 14

Role of Standards Standards are emerging as a framework to establish metrics IEC61508 (existing) Safety lifecycle defined Top down Recommended & mandatory practices ISO26262 (emerging) Decomposition of safety from system to component level 15

The 7 Parts of IEC 61508 1: General Requirements 2: Requirements for electrical / electronic / programmable electronic safety-related systems (means HW) 3: Software Requirements 4: Definitions and abbreviations 5: Examples of methods for the determination of safety integrity levels 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 7: Overview of techniques and measures 16

IEC61508 Safety Lifecycle Concept Overall scope definition Hazard & risk analysis Overall safety requirements Safety requirements allocation Outside of the scope of IEC61508 Overall operation and maintenance planning Overall planning Overall safety validation planning Overall installation and commissioning planning Safety-related systems: E/E/PES Realization Safety-related systems: other technology Realization External risk reduction facilities Realization Overall installation and commissioning Overall safety validation Back to appropriate overall safety lifecycle phase Overall operation, maintenance and repair Overall modification and retrofit Decomissioning or disposal 17

IEC61508 - Towards Functional Safe Systems Carry out a failure mode and effect analysis to determine the effect of each failure mode of each component or group of components in the subsystem on the behaviour of the E/E/PE safety-related systems Following is required: a detailed block diagram of the E/E/PE safety-related system describing the subsystem together with the interconnections for that part of the E/E/PE safetyrelated system which will affect the safety function(s) under consideration; the hardware schematics of the subsystem describing each component or group of components and the interconnections between components the failure modes and rates of each component or group of components and associated percentages of the total failure probability corresponding to safe and dangerous failures. 18

Interaction between IEC61508 Part 2 and Part 3 Source: IEC61508-3, 7 Software safety lifecycle requirements, figure 7 19

Target Failure Rates According To IEC61508 Source: IEC61508-2, 2 Requirements for electrical / electronic / programmable electronic safety-related systems, table 3 20

Current definition in IEC61508 Diagnostic Coverage & Safe Failure Fraction diagnostic coverage DC = λdd / λd safe failure fraction SFF = ( λs + λdd) / ( λs + λd) = ( λs + DC * λd) / ( λs + λd) with λs=0: SFF = DC λs : safe failure probability λd : dangerous failure probability λdd : detected dangerous failure probability λud : undetected dangerous failure probability λd = λdd + λud 21

Designing a Safe System Hazard Analysis Risk Analysis Safety Integrity Level 1..4 Which unintended situations (hazards) can occur? How likely is a hazard? How dangerous is a hazard? How controllable is the system in case of a hazard? Dangerous failure rate λ du Diagnostic Coverage DC Safe Failure Fraction SFF Safety Functions How to mitigate the hazards? Integrity Requirements Are the safety functions effective enough? Refine the system until the remaining risk is below the highest acceptable risk 22

IEC 61508 versus ISO 26262 IEC 61508 ISO 26262 Target General safety standard for E/E/PE systems Adaption of IEC 61508 for the automotive industry Risk classification SIL1 - SIL4 ASIL A - ASIL D Development Lifecycle Recommended & mandatory HW measures & practices Overall safety lifecycle Automotive safety lifecycle (incl. V model) Recommended & mandatory SW measures & practices 23

IEC 61508 SIL versus ISO 26262 ASIL low Safety Integrity Level SIL 1 ASIL A Automotive SIL IEC61508 [today] ASIL B ISO26262 [future] Ranking by assessing the probability of a dangerous failure per hour SIL 2 SIL 3 SIL 4 ASIL C ASIL D Ranking by assessing severity of injuries, exposure to hazardous situations and the controllability of the driving situation Direct comparison not possible Assessment of recommended & mandatory HW/SW measures & practices high 24

Functional Safety Measures

Impairments through Faults Phenom. cause Phase of creation System boundary Persistence Example Design faults man-made development internal (HW/SW) permanent temporary architecture, algorithms Manufacturing faults man-made manufacturing internal (HW/SW) permanent temporary compiler bugs, test escapes, SI-faults Physical faults physical operational internal external permanent intermittent permanent transient ageing timing noise, short circuit a-particles, glitches Interaction faults man-made operational external temporary interface formats 26

Addressing Faults in Systems Means for Addressing Faults Development Lifecycle HW Measures SW Measures Means for Addressing Faults Fault Prevention Fault Tolerance (Error Processing, Fault Treatment) Fault Removal (Verification, Diagnosis, Correction) Fault Forecasting (Qualitative Evaluation, Quantitative Evaluation) 27

Error Processing versus Fault Treatment Error Processing Error Detection ( detect latent errors to mitigate effect of error) Error Diagnosis Error Recovery Detects error upon activation by normal system operation Duplexing & Comparison, (Redundancy based techniques) Timing & Execution Checks (Reasonableness based techniques) Backward & forward recovery Compensation (Redundancy based techniques) Fault Treatment Testing & Fault Diagnosis ( detect dormant faults before these create errors) Fault Isolation Reconfiguration forces activation of fault within test interval Online BIST (Redundancy based techniques, Reasonableness based techniques) In general error detection online testing! 28

Tradeoffs of Different Redundancy Approaches different chips different die areas HW related approaches Tradeoff: HW Costs main prg & plausibility check different modules different submodules float & integer different FFs Time related approaches Tradeoff : Performance challenge & response different math/flow different clock cycles concurrent threads one after another Algorithm related approaches Tradeoff : SW Complexity 29

Processing Subsystem Philosophies for Safety Master / Slave Approach MCU #1 LVI COP CPU Clock Mon MCU #2 CPU Dual Processor Approach MCU #1 LVI COP CPU Clock Mon MCU #2 CPU Memory Peripherals Peripherals Memory Memory Peripherals Peripherals Memory Safety Relay Safety Relay SPI Complex Hardware Watchdog Output n Drivers (Valves,pump) n Input Modules Safety Relay n n Sensor s SPI Complex Hardware Watchdog Output n Drivers (Valves,pump) n Input Modules Safety Relay n n Senso rs Single Core Self Test Approach Memory MCU #1 LVI COP CPU Clock Mon Peripherals Dual Core Approach Memory MCU #1 Memory Validation CPU s Bus Validation COP LVI Clock Mon Peripherals SPI Complex hardware Watchdog n Safety Relay Output Drivers (Valves,pump) n Input Modules n n Sensors Safety Relay 30

Comparison of different Architectures Key Parameters Architectures Desirable System Properties Low Cost Low Complexity High Availability Safety Properties Transient Fault Detection Early Detection of permanent Faults Detection of systematic SW Faults 31

Low Complexity Metric for Fault Tolerance Mechanisms Detection of transient Faults Availability Desirable System Properties Fault Detection Detection of systematic SW Faults Low Cost early Detection of permanent Faults 32

Low Complexity Single Core - Fault Tolerance Mechanisms Detection of transient Faults single core no self test Availability Detection of systematic SW Faults single core with self test Low Cost early Detection of permanent Faults 33

Low Complexity Dual Core - Fault Tolerance Mechanisms Detection of transient Faults dual core locked no self test Availability Detection of systematic SW Faults dual core tightly coupled with self test Low Cost dual core locked with self test early Detection of permanent Faults 34

Multi Core/Device - Fault Tolerance Mechanisms Low Complexity Detection of transient Faults dual (identical) core loosely coupled Availability Detection of systematic SW Faults core with coprocessor dual device Low Cost early Detection of permanent Faults 35

Summary Functional Safety Basics Functional safety is a system property It is impaired by faults Functional Safety Standards IEC61508 / ISO26262 Top down assessment Safety lifecycle Recommended & mandatory HW/SW measures & practices Functional Safety Measures Error detection versus testing Redundancy Trade-off depending on fault assumptions 186C RGB: 208, 12, 51 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback