concepts iec61508

Upload: jean-john

Post on 04-Jun-2018


8/13/2019 Concepts Iec61508

University of Bielefeld, Faculty of Technology

The Concepts of IEC 61508: An Overview and Analysis

Sommersemester 2001, Prof. Peter B. Ladkin Ph
ladkin@rvs.uni-bielefeld.de

23 March 2005

Motivation: Clear Concepts

- Concepts must be clear in order to enable easy and uniform use in engineering
- If concepts are unclear, then reasoning is not easily seen to be (in)correct; mistakes are harder to detect
- There are various concepts of risk and hazard: which are effective for engineering purposes, and which are not; which are effective in which domains, and which not


Motivation: Effective Methods

- Effective methods have three characteristics:
  - They work: they are applicable to the domain of interest; they enable passable assessments of risk and safety-critical failure; they can be used within an engineering organisation
  - We know why they work: good arguments exist concerning applicability and correctness
  - We have independent means to check the results
- Summary: good engineering means knowing what methods are applicable, where, why and how.


Basic Concepts of System Safety

- Basic ontological concepts: system, environment, boundary, objects, fluents, state, state change, event, behavior, near and far behaviors, necessary causal factor
- plus:
  - Accident: Likelihood, Severity
  - Hazard: Likelihood, Consequences
  - Risk


Basic Concepts in de Moivre, Leveson, IEC 61508


De Moivre

- Abraham de Moivre, De Mensura Sortis, 1711, in the Philosophical Transactions of the Royal Society: "The Risk of losing any sum is the reverse of Expectation"

(Slides 7 to 9 are missing from the transcript; the fragment below continues Leveson's Safeware definitions)

d) Severity (or damage): the worst possible accident that could result from the hazard given the environment in its most unfavorable state
- Likelihood of occurrence
- Hazard level: combination of severity and likelihood of occurrence
- Risk: the hazard level combined with (1) the likelihood of the hazard leading to an accident ... and (2) hazard exposure or duration
- Safety: freedom from accidents or losses


Interpretation of Safeware definitions

- Accident: an unwanted event
- Hazard: a system state, which in combination with the most unfortunate environment state, results inevitably in (is a sufficient causal factor of) an accident
- Severity: level of loss (on a ratio scale)
- Risk = Σ p(H)·p(Cx | H)·S(Cx)
  - Cx: an accident that results from/through H
  - S(Cx): the severity of the accident Cx


Hazard: Variant Definitions

- Leveson: system state. A commercial aircraft encounters thunderstorm turbulence which causes loss of control and breakup. When the environment contains such turbulence, and the aircraft is flying, then an accident is inevitable. It follows that flying states of the aircraft are hazard states
- Environment state: in this example, as in the game of golf or of real tennis, the hazard is more intuitively an environmental state
- Global state (Jackson 1995; Simpson & Stoker 2002)
- IEC 61508: potential source of harm. Seems to allow system+environment state (global state), but then it seems to allow lots of things


Comparison of Safeware and De Moivre Risk

- How do Σ p(H)·p(Cx | H)·S(Cx) and Σ p(Cx)·S(Cx) compare?
- Let H1, H2, ..., Hk be a collection of mutually exclusive hazards such that each accident happens through one of them. Then by a basic calculation in conditional probability p(Cx) = Σ_i p(Hi)·p(Cx | Hi). Thus p(Cx)·S(Cx) = Σ_i p(Hi)·p(Cx | Hi)·S(Cx), and summing over all Cx yields the result
- (Repeat): H1, H2, ..., Hk a collection of mutually exclusive hazards such that each accident happens through one of them
- Without this assumption, the sums may not be the same
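A worked check of this comparison, added here as an example and not taken from the slides: a constructed finite probability space in which hazards and accidents are events, so both sums can be computed exactly, and the side condition (mutually exclusive hazards covering every accident) can be tested directly. The outcome names, probabilities and severities are assumed.

```python
from fractions import Fraction

# Constructed probability space: each outcome carries an exact probability.
# Hazards and accidents are events, i.e. sets of outcomes.
WORLD = {
    "turbulence_breakup": Fraction(1, 100),   # flying in turbulence, aircraft breaks up
    "turbulence_survived": Fraction(9, 100),  # flying in turbulence, no accident
    "icing_hard_landing": Fraction(2, 100),   # icing, hard landing on arrival
    "icing_survived": Fraction(8, 100),       # icing, no accident
    "calm_flight": Fraction(80, 100),         # neither hazard present
}
assert sum(WORLD.values()) == 1

# Accidents Cx with their severities S(Cx) on a ratio scale (slide 10's reading of Safeware).
ACCIDENTS = {
    "breakup": ({"turbulence_breakup"}, 1000),
    "hard_landing": ({"icing_hard_landing"}, 10),
}

# Two hazard models: the first is mutually exclusive and covers every accident outcome;
# the second adds an overlapping "storm" hazard that shares outcomes with "turbulence".
HAZARDS_EXCLUSIVE = {
    "turbulence": {"turbulence_breakup", "turbulence_survived"},
    "icing": {"icing_hard_landing", "icing_survived"},
}
HAZARDS_OVERLAPPING = dict(
    HAZARDS_EXCLUSIVE,
    storm={"turbulence_breakup", "turbulence_survived", "icing_hard_landing"},
)


def prob(event):
    """p(E): exact sum of the probabilities of the outcomes in E."""
    return sum((p for outcome, p in WORLD.items() if outcome in event), Fraction(0))


def cond(event, given):
    """p(E | G); zero when G is impossible, so an impossible hazard contributes nothing."""
    p_given = prob(given)
    return prob(event & given) / p_given if p_given else Fraction(0)


def de_moivre_risk(accidents=ACCIDENTS):
    """Sum over accidents of p(Cx)*S(Cx): the 'sum adventured times probability of loss'."""
    return sum(prob(cx) * sev for cx, sev in accidents.values())


def safeware_risk(hazards, accidents=ACCIDENTS):
    """Sum over hazards and accidents of p(H)*p(Cx | H)*S(Cx): the hazard-based risk."""
    return sum(prob(h) * cond(cx, h) * sev
               for h in hazards.values() for cx, sev in accidents.values())


def hazards_partition_accidents(hazards, accidents=ACCIDENTS):
    """The slide's side condition: hazards mutually exclusive, every accident through one of them."""
    hs = list(hazards.values())
    disjoint = all(not (hs[i] & hs[j])
                   for i in range(len(hs)) for j in range(i + 1, len(hs)))
    covered = all(cx <= set().union(*hs) for cx, _ in accidents.values())
    return disjoint and covered


if __name__ == "__main__":
    for name, hz in (("exclusive", HAZARDS_EXCLUSIVE), ("overlapping", HAZARDS_OVERLAPPING)):
        print(name, "partition:", hazards_partition_accidents(hz),
              "de Moivre:", de_moivre_risk(), "Safeware:", safeware_risk(hz))
```

With the overlapping model the hazard-based sum double-counts the accidents shared by two hazards; dropping the "icing" hazard instead undercounts, because the hard landing no longer happens "through" any listed hazard.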


IEC 61508: Definitions /1

- Harm: physical injury or damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment
- Hazard: potential source of harm
- Hazardous event: hazardous situation which results in harm
- Hazardous situation: circumstance in which a person is exposed to hazard(s)


IEC 61508: Definitions /2

- Risk: combination of the probability of occurrence of harm and the severity of that harm
- Tolerable risk: risk which is acceptable in a given context based on the current values of society
- Safety: freedom from unacceptable risk


Comments on IEC 61508 definitions /1

- There is no definition of accident. Hazardous event comes close, but is a situation
- Harm is limited to personal injury. But US aviation regs (14 CFR 830 §830.2) allow an accident to be significant aircraft damage alone; similarly with USAF Class A mishaps (the severest sort)
- Definition of hazard is unclear. Basic question: is it a state or an event? What is a source? What is a potential source? Potential source of harm? Source of potential harm?


Comments on IEC 61508 definitions /2

- Risk: how does one combine probability of harm with severity of harm? One can combine in an arbitrary number of ways
- If severity is quantitative, does/can combine mean multiply?
- If so, then risk is defined here to be a multiplication. In de Moivre & Leveson, it is a sum


Risk in IEC 61508: Clear?

- It is certain I shall suffer some degree of harm while using my bicycle (from a trivial scratch from a part once a month, to falling off once a decade, to being run over). The probability of harm is 1
- Severity is variable from trivial to catastrophic. Which severity do I use? Call it S. How do I combine S with 1?
- It cannot mean the actual harm that will in fact occur, since that would render the concept unusable for calculation in advance, as IEC 61508 requires during system development (EUC risk, tolerable risk, residual risk)


Comments on IEC 61508 definitions /3

- Good definitions (good programs) define terms (variables) before they use them (def-use test, used a lot in static analysis of programs)
- Usable definitions try to be precise: reduce or eliminate ambiguity; limit the number of undefined concepts; be clear to the intended interpreters
- My opinion: IEC 61508 does not do well on these criteria, similar to many (but by no means all) engineering standards


Fundamental Concepts of IEC 61508

- System Lifecycle
- Functional Safety
- Risk and Risk Reduction
- System Subdivision
- Safety Integrity Level (SIL)
- As Low As Reasonably Practicable (ALARP)


Concepts 1: System Lifecycle

- The System Life Cycle Model: detailed. The safety task list follows the model


The IEC 61508 Safety Lifecycle

(Figure: the overall safety lifecycle; only the box labels survive in the transcript)
1 Concept
2 Overall scope definition
3 Hazard and risk analysis
4 Overall safety requirements
5 Safety requirements allocation
6 Overall operation and maintenance planning
7 Overall safety validation planning
8 Overall installation and commissioning planning
9 Safety-related systems, E/E/PES: Realisation (see E/E/PES safety lifecycle)
10 Safety-related systems, other technology: Realisation
11 External risk reduction facilities: Realisation
12 Overall installation and commissioning
13 Overall safety validation
14 Overall operation, maintenance and repair
15 Overall modification and retrofit
16 Decommissioning or disposal
Back to appropriate overall safety lifecycle phase


The E/E/PES (Sub)system Safety Lifecycle

(Figure: the E/E/PES safety lifecycle; not recoverable from the transcript)


The SW Safety Lifecycle

(Figure: the software safety lifecycle within the E/E/PES safety lifecycle (see figure 3); only the box labels survive in the transcript)
- Software safety requirements specification: safety functions requirements specification; safety integrity requirements specification
- Software safety validation planning
- Software design and development
- PE integration (hardware/software)
- Software operation and modification procedures
- Software safety validation
- To box 12 in figure 2; to box 14 in figure 2


The Lifecycle

- One needs a lifecycle model. The 61508 lifecycle model is as good as any and more detailed than most. However, there is no guidance on how to fit it to a typical system development lifecycle


Comparison of Lifecycle Models

- We need to harmonise the IEC 61508 lifecycle model and the typical system development lifecycle model used in a firm. Presumed to be straightforward, but how do we know? Who has done it?
- There are three sorts of different requirements in IEC 61508 (Fenton/Neil, 1999):
  - For the final product (the SC system)
  - For documentation: specifications at the various levels; analysis and reporting documents, e.g. the Safety Case
  - For resources: checks and sign-offs to be conducted by qualified personnel


Concepts 2: Functional Safety

- Functional Safety: safety prophylaxis restricts itself to safety functions
- Safety functions are actions that are intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event
- Recall that a hazardous event results in harm. If harm is to be avoided by means of the safety function, then the function should inhibit the specific hazardous events which are precursors of the harm
- Remember: not all major safety issues are functional!


Concepts 3: Risk & its Reduction

- Risk Reduction: there is no such thing as zero risk
- The Safety Functions (SF) are concerned with risk reduction
- There is an EUC risk: risk arising from the EUC or its interaction with the EUC control system (EUCCS)
- There is a tolerable risk
- There is a residual risk: risk remaining after protective measures have been taken
- Developers must assess the EUC risk and the tolerable risk (to calculate the required safety integrity level, SIL) as well as the residual risk, which must be as low as reasonably practicable (ALARP)


Concepts 4: System Subdivision

- Three-way classification of (sub)system types: Equipment under control (EUC); EUC control system (EUCCS); Safety-Related System (SRS)
- The EUCCS can be classified as an SRS or not (but the criterion, in clause 7.5.2.4, is a logical tautology!!)
- Safety-Related System: an SRS is a designated sub-system that implements the required safety functions ....... and is intended to achieve, in possible combination with others, the necessary safety integrity for the required safety functions


Risk Reduction

(Figure: the risk reduction diagram; only the labels survive in the transcript)
- Tolerable risk
- EUC risk
- Necessary risk reduction
- Actual risk reduction
- Increasing risk
- Residual risk
- Partial risk covered by E/E/PE safety-related systems


Issues: Risk Reduction

- Risk reduction must be calculated on the basis of particular statistics: risk of EUC/EUCCS without SRSs; risk of EUC/EUCCS + SRSs; acceptable risk (socially derived)
- The statistics don't always exist! How often do they exist? There is some scepticism (Fowler 2000)


Concepts 5: SIL

- Safety Integrity Level (SIL): each SRS is assigned a SIL, which represents the probability that the SRS fulfils its safety function(s)
- That is, the SIL of an SRS represents objectively the reliability of its safety function(s) (a product requirement)
- The SIL is assigned according to the required risk reduction (from EUC risk at least to the tolerable risk)
- A quantitative difference is made between: continuous-operation (high-demand) functions; low-demand functions (known elsewhere as on-demand functions)
- Development of an SRS with a designated SIL requires a certain development process (a process requirement)


SILs, continued

- SIL (cont'd): I shall ignore the difference between low-demand and high-demand modes
- Four levels of increasing reliability (SIL 1 to SIL 4). Implicitly five, with SIL 0, about which nothing is said
- Each level requires a reliability of 10^-(n+1) to 10^-n dangerous failures per hour/per demand
- Highest recognised level is n = 8 (SIL 4, continuous mode)
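An added example, not from the slides, that turns the band rule above into a SIL lookup and derives the SIL from EUC risk and tolerable risk as slides 28 and 30 describe. The assignment of exponents to SIL 1 to 4 in the two modes is taken from IEC 61508-1 Tables 2 and 3 rather than from the slides; the reading of how each mode turns a tolerable rate into an SRS target is an assumption; the rates used are constructed.

```python
from fractions import Fraction

# Slide 33: each level requires 10^-(n+1) to 10^-n dangerous failures per hour (continuous
# mode) or per demand (low-demand mode). Which n belongs to SIL 1 is taken from IEC 61508-1
# Tables 2 and 3 (assumed here, not stated on the slides):
#   low demand  SIL 1..4 -> PFD in [1e-2, 1e-1) .. [1e-5, 1e-4)
#   continuous  SIL 1..4 -> PFH in [1e-6, 1e-5) .. [1e-9, 1e-8)
SIL1_EXPONENT = {"low_demand": 1, "continuous": 5}


def sil_band(sil, mode):
    """[lower, upper) band of the failure measure that SIL `sil` requires in `mode`."""
    n = SIL1_EXPONENT[mode] + sil - 1
    return Fraction(1, 10 ** (n + 1)), Fraction(1, 10 ** n)


def sil_for_measure(measure, mode):
    """SIL claimable for a target PFH (continuous) or PFD (low_demand).

    Returns 0 when the target is looser than SIL 1 (the slide's implicit 'SIL 0') and None
    when it is tighter than SIL 4 can express (slide 38's automotive 10^10 op-hours case)."""
    m = Fraction(str(measure))          # exact arithmetic: band edges are exact powers of ten
    for sil in (4, 3, 2, 1):
        lower, upper = sil_band(sil, mode)
        if lower <= m < upper:
            return sil
    return None if m < sil_band(4, mode)[0] else 0


def required_sil(euc_hazard_rate, tolerable_rate, mode):
    """From EUC risk and tolerable risk (both hazardous-event frequencies per hour) derive the
    SRS target measure and the SIL it implies; returns (sil, target).

    Assumed reading: in low-demand mode every EUC hazardous event is a demand on the SRS, so
    PFD <= tolerable/euc, the reciprocal of the necessary risk reduction factor; in continuous
    mode a dangerous SRS failure is itself the hazardous event, so PFH <= tolerable."""
    euc = Fraction(str(euc_hazard_rate))
    tol = Fraction(str(tolerable_rate))
    if tol >= euc:
        return 0, None                  # EUC risk already tolerable: no safety function needed
    target = tol / euc if mode == "low_demand" else tol
    return sil_for_measure(target, mode), target


if __name__ == "__main__":
    # Constructed figures: a demand once per 1e5 hours, tolerable event rate once per 1e8 hours.
    print(required_sil("1e-5", "1e-8", "low_demand"))   # (2, Fraction(1, 1000))
    print(required_sil("1e-4", "3e-9", "continuous"))   # (4, Fraction(3, 1000000000))
    print(sil_for_measure("1e-10", "continuous"))       # None: beyond SIL 4
```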


SIL Table: High (table figure; not recoverable from the transcript)


Issues with SILs

- The distinction between low-demand and high-demand modes may well disappear in the next release of 61508 (Simon Brown, 2005)
- A SIL is valid for a particular SRS component in a particular system/environment given a (socially-determined) particular tolerable risk
- However, organisations such as the TÜVs are starting to certify components independent of specific application
- There is a real danger that a SIL will be seen as a property of the component, which it is not (Redmill 2000, Hamilton-Rees, 1999)


Issues with SILs (Martyn Thomas)

- SILs are unhelpful to software developers
- SIL 1 target failure rates are already beyond practical verification (Littlewood-Strigini 1993, Butler-Finelli 1993)
- SILs 1-4 subdivide a problem space in which there is no sensible distinction to be made amongst applicable development and assurance methods
- For many recommended methods, there is little or no evidence that they reduce failure rates
- There is increasing evidence that those methods which do reduce failure rates also save money: they should be used at any SIL


Issues with SILs (Martyn Thomas)

- SILs set developers impossible targets, so the focus shifts from providing adequate safety (product) to fulfilling the recommendations of the standard (process)
- But there is little correlation between process properties and safety
- Focus shift from product to process does not help safety
- (Note: there are concepts of SIL in other standards which suffer from only some of these problems. PBL)


Issues with SILs

- Highest SIL requirement: less than one dangerous failure every 10^8 op-hours (but more than one dangerous failure every 10^9 op-hours!! aft.)
- The combinatorics doesn't work out for:
  - Commercial aviation (which requires lower failure rates for certain critical subsystems, and the general history suggests this can be achieved)
  - The automobile industry (which has a real requirement of SRS reliability of up to 10^10 op-hours per failure!!)


Concepts 6: ALARP

- The ALARP Principle: to calculate the required risk reduction, one must use the As Low As Reasonably Practicable (ALARP) principle
- Origins: English law, Lord Asquith, 1949; significantly reinforced: Lord Cullen (1990), Piper Alpha oil platform fire investigation
- Risks are classified into three:
  - Acceptable: so low that it can for all practical purposes be ignored
  - Intolerable: so high as to be unacceptable in all circumstances
  - The ALARP region: the region between acceptable and intolerable, in which the system developer is required to reduce the risk to be as low as reasonably practicable


ALARP

- ALARP (cont'd): in legal cases, the UK HSE regards the ALARP principle as having been fulfilled if a developer is able to establish that a system was developed in accordance with IEC 61508 (Mark Bowell, UK HSE, mailing-list comment, 2004)
- So it seems as if IEC 61508 requires ALARP, but to conform with ALARP one needs only to do everything else
- Logically, this makes ALARP redundant!!
- It would help to resolve this confusion


The ALARP Principle

(Figure: the ALARP "carrot" diagram; the region labels and annotations are as follows)
- Intolerable region: risk cannot be justified except in extraordinary circumstances
- The ALARP or tolerability region (risk is undertaken only if a benefit is desired):
  - Tolerable only if further risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained
  - It is necessary to maintain assurance that risk remains at this level
  - As the risk is reduced, the less, proportionately, it is necessary to spend to reduce it further to satisfy ALARP. The concept of diminishing proportion is shown by the triangle.
- Broadly acceptable region (no need for detailed working to demonstrate ALARP): negligible risk


Tolerable Risk Target: Quantitative
Risk Classification Matrix (RCM) Example

Frequency    | Consequence
             | Catastrophic | Critical | Marginal | Negligible
Frequent     | I            | I        | I        | II
Probable     | I            | I        | II       | III
Occasional   | I            | II       | III      | III
Remote       | II           | III      | III      | IV
Improbable   | III          | III      | IV       | IV
Incredible   | IV           | IV       | IV       | IV


Interpretation of Risk Classes

Risk class | Interpretation
Class I    | Intolerable risk
Class II   | Undesirable risk, and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained
Class III  | Tolerable risk if the cost of risk reduction would exceed the improvement gained
Class IV   | Negligible risk
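An added example, not from the slides, that encodes the RCM and class interpretations above. Beyond the lookup it checks the consistency property any such matrix should have (lowering frequency or consequence never worsens the class) and computes how many frequency bands a hazard must drop before its class counts as tolerable; it assumes the risk reduction acts on frequency only, leaving the consequence column unchanged.

```python
FREQUENCIES = ["Frequent", "Probable", "Occasional", "Remote", "Improbable", "Incredible"]
CONSEQUENCES = ["Catastrophic", "Critical", "Marginal", "Negligible"]
CLASS_ORDER = ["I", "II", "III", "IV"]          # class I is the worst

# Rows follow FREQUENCIES, columns follow CONSEQUENCES, exactly as in the RCM example.
RISK_MATRIX = [
    ["I", "I", "I", "II"],
    ["I", "I", "II", "III"],
    ["I", "II", "III", "III"],
    ["II", "III", "III", "IV"],
    ["III", "III", "IV", "IV"],
    ["IV", "IV", "IV", "IV"],
]

INTERPRETATION = {
    "I": "Intolerable risk",
    "II": ("Undesirable risk, and tolerable only if risk reduction is impracticable "
           "or if the costs are grossly disproportionate to the improvement gained"),
    "III": "Tolerable risk if the cost of risk reduction would exceed the improvement gained",
    "IV": "Negligible risk",
}


def classify(frequency, consequence):
    """Risk class for a (frequency band, consequence band) pair; raises ValueError on unknown names."""
    return RISK_MATRIX[FREQUENCIES.index(frequency)][CONSEQUENCES.index(consequence)]


def matrix_is_monotone(matrix=RISK_MATRIX):
    """True if moving down a row (rarer) or right a column (milder) never gives a worse class."""
    rank = {c: i for i, c in enumerate(CLASS_ORDER)}
    rows = [[rank[c] for c in row] for row in matrix]
    n_rows, n_cols = len(rows), len(rows[0])
    down_ok = all(rows[r][c] <= rows[r + 1][c]
                  for r in range(n_rows - 1) for c in range(n_cols))
    right_ok = all(rows[r][c] <= rows[r][c + 1]
                   for r in range(n_rows) for c in range(n_cols - 1))
    return down_ok and right_ok


def frequency_bands_to_reduce(frequency, consequence, tolerable_classes=("III", "IV")):
    """Number of frequency bands the hazard must be pushed down (consequence unchanged, an
    assumption about what the risk reduction achieves) until its class is in `tolerable_classes`;
    None if no band in the matrix reaches a tolerable class."""
    start = FREQUENCIES.index(frequency)
    for steps, row in enumerate(range(start, len(FREQUENCIES))):
        if classify(FREQUENCIES[row], consequence) in tolerable_classes:
            return steps
    return None


if __name__ == "__main__":
    cls = classify("Probable", "Catastrophic")
    print(cls, "-", INTERPRETATION[cls])
    print("bands to reduce:", frequency_bands_to_reduce("Probable", "Catastrophic"))   # 3
    print("matrix monotone:", matrix_is_monotone())
```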


Issues: ALARP and Risk Classes

- Risk Classes I and IV fit with ALARP. Risk Classes II and III don't obviously fit with ALARP
- In the region in which Risk Classes II and III apply, one is required to use the ALARP risk-reduction principle. ALARP requires in both cases that: risk shall be reduced so far as reasonably practicable
- ALARP does not (obviously) say:
  - Risk reduction may cease when cost is grossly disproportional to benefits. No RCA is implied
  - As risk is reduced, the less it is necessary proportionately to spend to reduce it further
- But both of these claims are in the IEC 61508 explanatory diagram!


Issues: Relation between SIL and ALARP (Redmill, 2000)

- A SIL is an a priori requirement. It is assigned in the Safety-Requirements-Analysis task
- ALARP is a dynamic requirement. It will be assigned and handled in the Design task
- It is thereby possible that in a particular case ALARP would require a further reduction in risk beyond that set by the SIL


Leveson et al: Accident Concepts (figure; not recoverable from the transcript)


IEC 61508 Part 5: How to Have an Accident (figure; not recoverable from the transcript)


IEC 61508: Accident

- IEC 61508 understands Hazardous Event as: something that can come to pass, independently of the severity of its harmful consequences; a situation, which in turn is a circumstance
- It seems similar to the concept of an accident (which however is an event), but in which the severity is abstracted away
- Maybe an accident type? Let's forget the situation/circumstance imprecision
- The concepts appear to be interdefinable, given the basic ontology (Ladkin, 2004)


Advantage of the IEC 61508 Refinement

- The refinement of accidents into hazardous events and explicit severity may well be appropriate for, say, process control. Example:
- A pressure vessel breaches (event type, encompassing many event types from leaks to explosions). Severity: is the breach small or large? Was nearby equipment heavily damaged, lightly damaged, or not at all? Were nearby people injured? Severely injured? Were some killed? And how many of those people were there?


Summary of Major IEC 61508 Concepts

- Lifecycle: helpful but a very particular model. Not clear how it fits with traditional lifecycle models
- Safety Functions/SRSs: a restricted concept
- Risk Reduction: generally a good idea, but application is restricted both in suitability to the application domain and statistically
- 3 system-types: restricted, sometimes misleading concept
- SIL: restricted and misleading
- ALARP: in principle strong, in practice weak. It strains against proven techniques such as Risk Matrix classification. A legal principle whose technical translation is not yet clear.


The End

Thanks for listening!