Post on 14-Jan-2016
Use of Fieldbus in safety related systems, an evaluation study of WorldFIP according to the proven-in-use concept of IEC 61508
Jean Pierre Froidevaux, WorldFIP
Olivier Nick, ALSTOM Technology
Michel Suzan, Bureau Veritas
PN/IR/01.0003 page 2
THE EFFECTIVE FIELDBUS
©Copyright 2001 WorldFIP
Introduction to the risk approach
Any production operation has inherent risks in case of malfunctions.
These risks may cause damage to operators, the environment and assets.
Operations cannot be run if risks are unacceptable:
– Risks should be evaluated
– If risks are not acceptable, they should be reduced by reliable means such as E/E/PE (electrical/electronic/programmable electronic) systems
IEC 61508 standard: Risk Reduction Concept
IEC 61508 standard: Failures distinction
Random failures:
– Classical RAM studies (RAM: Reliability, Availability & Maintainability)
– Estimated assessment strategy
– Probabilistic calculation
Systematic failures (including software):
– Good engineering practices: strategy to avoid & control failures
– Organisational measures during all the life cycle (safety assurance)
– Technical measures
Objectives of a safety function
To provide a safety related function with a given level of integrity, so as to ensure a certain risk reduction.
Applicable to a function or a system, not to a component.
Assessments are done on an application basis.
A safety related function has to protect persons and the environment from an identified hazard.
Reliable risk reduction system
Mission of a safety function
Keep the process under control within its operating limits.
To achieve this the safety function can either:
– develop counter actions to avoid crossing a constraint (ex: anti-surge)
– stop the process, either gracefully or in emergency
Actions should be defined according to the gravity of the consequences.
What is the role of communication?
Communication is a set of hardware and software allowing information to be transferred between two or more devices.
It should not propagate or create a fault that may induce a dangerous situation for the process under control:
– data corruption should be detected
– time constraints should be enforced for real time data
– delivery should be ordered to avoid out-of-sequence data
Behaviour on faults
Behaviour on faults should be known. Consequences may be either:
– A communication fault triggers a safety action and stops the process
– The communication is robust to faults and permits continued operation even in the presence of faults
The criterion is the criticality analysis of fault consequences and the need to avoid unjustified safety actions (credibility).
Are stopped systems the only safe systems?
Approach for Fieldbus
Fieldbus is a subsystem according to IEC 61508.
[Figure: devices A, B and C, each with its application layer, connected through the fieldbus]
Fieldbus is a set of hardware and software.
Fieldbus approach
Trusted approach
– The Fieldbus subsystem should comply with the provisions of IEC 61508:
  • Proven in use concept
  • Fully designed for safety purpose
Non trusted approach
– The integrity of transmitted information is ensured by external means (additional coding)
Why a trusted approach?
Fieldbus native integrity:
– Conserves the initial properties: real time features, robustness to faults, high throughput
– Permits the use of standard hardware and software
– Facilitates system engineering
– Uses high integrity control across the network for better process safe operation
Open communication is needed
To ensure high integrity of a system over time, efficient diagnostic and maintenance should be implemented.
On-line maintenance needs communication with end devices.
These exchanges (event driven) should be isolated from safe exchanges.
Fieldbus should prove the quality of isolation.
Why WorldFIP? Cyclic traffic
– The bus scheduler contains the list of “variables” to be exchanged on the shared medium
– The variable publisher is the entity containing the variable to be sent over the network
– The variable consumers are the entity (or entities) interested in receiving the variable
[Figure: producer/consumer diagram with five pieces of equipment, one producer and several consumers, driven by the bus scheduler (distributor) and its BA table (scanning table)]
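The three requirements placed on communication earlier (corruption detected, time constraints enforced, ordered delivery), the trip-or-continue choice from the "Behaviour on faults" slide, and the cyclic scan just described, as one added simulation that is not code from the presentation or from WorldFIP. The scanning table, the CRC-32 framing, the per-variable deadline rule and the fault kinds are assumptions for illustration, not WorldFIP's actual frame format or timing.

```python
import zlib

# Constructed scanning table of the bus arbitrator (the "BA table"): the variable
# polled in each slot, its producer, and how many consecutive cycles a consumer
# may go without a valid refresh before the safety function trips.
SCAN_TABLE = [("PT101", "eq1", 0), ("TT205", "eq2", 2)]

def encode(ident, seq, value):
    """Producer side: payload plus CRC-32 so that corruption can be detected."""
    payload = f"{ident}|{seq}|{value}".encode()
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def decode(frame):
    """Consumer side: (ident, seq, value), or None if the CRC does not verify."""
    payload, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    if zlib.crc32(payload) != crc:
        return None
    ident, seq, value = payload.decode().split("|")
    return ident, int(seq), float(value)

def run_bus(cycles, readings, faults):
    """Simulate the arbitrator scanning SCAN_TABLE once per cycle.
    readings[ident] is the value each producer publishes; faults maps
    (cycle, ident) to 'lost' (no reply), 'corrupt' (one bit flipped on the
    medium) or 'duplicate' (the previous frame repeated, i.e. out of sequence).
    Returns the safety trips raised by the consumer as (cycle, ident)."""
    seq = {ident: 0 for ident, _, _ in SCAN_TABLE}      # producer sequence counters
    last_seq = dict(seq)                                 # last sequence accepted
    last_ok = {ident: 0 for ident, _, _ in SCAN_TABLE}   # cycle of last valid refresh
    trips = []
    for cycle in range(1, cycles + 1):
        for ident, _producer, deadline in SCAN_TABLE:
            fault = faults.get((cycle, ident))
            if fault != "lost":                          # producer answers the poll
                if fault != "duplicate":
                    seq[ident] += 1
                frame = bytearray(encode(ident, seq[ident], readings[ident]))
                if fault == "corrupt":
                    frame[3] ^= 0x01                     # single-bit transmission error
                decoded = decode(bytes(frame))
                # accept only frames whose CRC verifies and whose sequence advances
                if decoded and decoded[1] > last_seq[ident]:
                    last_seq[ident], last_ok[ident] = decoded[1], cycle
            # promptness: a refresh overdue beyond the deadline trips the function
            if cycle - last_ok[ident] > deadline:
                trips.append((cycle, ident))
    return trips
```

PT101 (deadline 0) models the "trip on any fault" policy and TT205 (deadline 2) the "robust to faults" policy; which one a variable gets is exactly the criticality decision the slides call for.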
[Chart: residual error rate (10^0 down to 10^-20, logarithmic) versus error rate on binary element (10^-5 to 0.5), showing the WorldFIP curve against integrity classes I1, I2, I3 and I4; reference values marked on the chart: 2^-1, 2^-8, 10^-12, 10^-15]
WorldFIP integrity class («classical approach»)
Generic method issues
– Use of an estimated assessment strategy
– Reliability data can have a high level of non-confidence
– Difficulty to quantify the safe failure fraction
– Difficulty to quantify common cause failure
– A fair method for a complete new design
– Mandatory conditions: a stringent estimated probabilistic calculation strategy from the beginning of the design
Without proven data the calculation must be conservative
Field experience exploitation
Use field experience from different applications to prove that the system will work in safe operation according to the specified risk reduction target.
Avoid the extensive re-validation for each new application (use similar experience).
Mandatory condition: having a rigorous record of experience and a stringent contextual risk analysis.
Proven in use concept
Proven design or Proven in use?
For ‘Proven-in-use’ the operational failure rate will already include systematic failures (for instance common cause and software failures).
For ‘designed to IEC 61508’ a separate assessment of systematic failures will be required.
Each method has its advantage, but, in the context of WorldFIP, the ‘proven in use’ method could be far more reliable and ‘ready to apply’ because of the high number of existing WorldFIP applications.
Essential difference
IEC 61508 standard: How to reach “proven in use”?
“Proven in use”: IEC 61508 part 2 §7.4.2.2, §7.4.5.1, §7.4.7.3 to §7.4.7.12; part 7 §C.2.10, §B.5.4, §C.4.5
The proofs to bring:
– Organised & detailed records from field users
– Sufficient number of systems in use to justify reliable operation
– High level of confidence in the operational figures
IEC 61508 standard: Methodology employed by Alstom
Statistical approach:
1) DATA COLLECTION
2) DATA SELECTION
3) RELIABILITY BLOCK DIAGRAM MODELLING
4) MARKOVIAN MODEL
5) STATISTICAL ESTIMATORS
6) RESULTS
Statistics made on:
• For FullFip2: 90000 devices / 1.96E9 hours of operation
• For MicroFIP: 5003 devices / 6.75E7 hours of operation
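The "statistical estimators" step, as an added example that is not the authors' calculation: a constructed Python routine turns cumulative operating hours and a count of events classified as dangerous failures into a one-sided upper confidence bound on the constant failure rate (the usual chi-square bound, computed here through the Poisson distribution so no statistics library is needed) and locates that bound in the IEC 61508-1 high-demand PFH bands. The operating hours are the slide's figures; the failure counts, the confidence levels and the use of one channel's upper-bound dangerous failure rate as its PFH are assumptions, and the reliability block diagram and Markov steps of the slide are not modelled.

```python
import math

# Cumulative operating hours are the slide's figures; the failure counts are
# constructed (events that the record process classified as dangerous failures).
FIELD_DATA = {"FullFip2": (1.96e9, 3), "MicroFIP": (6.75e7, 0)}

def poisson_cdf(k, m):
    """P(X <= k) for X ~ Poisson(m)."""
    return sum(math.exp(-m) * m ** i / math.factorial(i) for i in range(k + 1))

def upper_expected_events(failures, confidence):
    """Largest expected count m still consistent with observing at most
    `failures` events at the given one-sided confidence, which equals
    chi2(2*failures+2, confidence)/2. Found by bisection on the Poisson CDF."""
    target = 1.0 - confidence
    lo, hi = 0.0, 10.0 * (failures + 1) + 10.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid) > target:
            lo = mid            # m too small: seeing so few events is still likely
        else:
            hi = mid
    return (lo + hi) / 2.0

def upper_failure_rate(failures, hours, confidence=0.90):
    """Conservative (upper-bound) constant failure rate per hour."""
    return upper_expected_events(failures, confidence) / hours

def sil_band_for_pfh(pfh):
    """SIL band for a probability of dangerous failure per hour
    (IEC 61508-1 Table 3, high demand / continuous mode); None if outside."""
    bands = ((4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))
    for sil, low, high in bands:
        if low <= pfh < high:
            return sil
    return None

def assess(name, confidence=0.90):
    """Assumption: the device's upper-bound dangerous failure rate is taken as
    the PFH of a single channel without diagnostics."""
    hours, failures = FIELD_DATA[name]
    rate = upper_failure_rate(failures, hours, confidence)
    return rate, sil_band_for_pfh(rate)

if __name__ == "__main__":
    for name in FIELD_DATA:
        rate, sil = assess(name, 0.99)
        print(f"{name}: lambda_upper = {rate:.2e} /h -> SIL band {sil}")
```

Raising the confidence level raises the bound, which is what "without proven data the calculation must be conservative" means in numbers; reclassifying one more field event as dangerous has the same effect.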
IEC 61508 standard: The solution to reach high SIL
Validation strategy (proof to bring → validation):
– Organised & detailed records from field users → Validation of the ALSTOM internal methodology for recording field experience
– Sufficient number of systems in use to justify reliable operation → Validation of the relevancy and the number of the systems considered in the analysis
– High level of confidence in the operational figures → Validation of the calculation methodology
IEC 61508 standard: Ongoing Independent Assessment
Key elements under inspection by Bureau Veritas:
– How is the information collected?
– How is an event considered as unsafe?
– Who is treating the information?
– Are the calculations compliant with IEC 61508 requirements? ...
– Validation of the ALSTOM internal methodology for recording field experience
– Validation of the relevancy and the number of the systems considered in the analysis
– Validation of the calculation methodology
Partial Results (audit still in progress)
++ The number of samples is sufficient to allow a fair level of confidence in the assessment.
++ The record of field experience is sufficiently rigorous to allow a proven in use IEC 61508 approach.
-- HW random failures shall be taken into account.
-- The process of interpretation of failures shall be more safety oriented.
-- A clear “generic” risk analysis shall be provided in the context of use.
Without proven data the calculation must be conservative
Limits of this approach
– Need of a very large installed base.
– Need of a very stringent risk analysis in compliance with the context of use (how to adapt the risk analysis to the context and be sure the risk is still mitigated: concept of generic risk analysis).
– Need of close access to failure data.
– Need of an efficient data recording process (independent and objective recording and assessment, human factors…).
The total control of the field experience
Achievements
– Bring the evidence that WorldFIP can be used in safety applications
– No specific direct extra cost linked to safety (it was proven in use)
– If necessary, adapt the field experience methodology (only quality improvement)
– If necessary, adapt user maintenance procedures to allow a fair and relevant record of experience
A simple and operational approach to functional safety