NCAF_May03.ppt Slide - 1 CSE International Ltd CSE International Ltd Data Integrity: The use of data by safety-related systems Alastair Faulkner CEng CSE International Ltd Tel: +44 (0)1724 862169 email: [email protected]

Upload: douglas-rodgers

Post on 19-Jan-2016


TRANSCRIPT

NCAF_May03.ppt Slide - 1

CSE International Ltd

Data Integrity: The use of data by safety-related systems

Alastair Faulkner CEng, CSE International Ltd

Tel: +44 (0)1724 862169

email: [email protected]

NCAF_May03.ppt Slide - 2

Contents

• Brief introduction
• Introduction to safety
• Data integrity
• Data provision
• Data origination
• Conclusions

NCAF_May03.ppt Slide - 3

Safety-related systems

NCAF_May03.ppt Slide - 4

Brief introduction

• Safety concepts
• Hazard, opportunity, accident
• Risk, risk reduction
• Generalised safety process

NCAF_May03.ppt Slide - 6

Error – Fault – Failure

[Engineering Safety Management: Yellow Book 3]

[Diagram: control system, causal factors, hazard]

Error: "A discrepancy between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition"

Fault: "An abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function"

Failure: "The termination of the ability of a functional unit to perform a required function"

Hazard: "a situation in which there is actual or potential harm to human life or limb, or to the environment"

NCAF_May03.ppt Slide - 7

Hazard, opportunity, accident

[Diagram: Hazard A (System A) AND Hazard B (System B), each with its causal factors, together with an accident trigger and an opportunity arising in the system environment, lead to an accident]

[Engineering Safety Management: Yellow Book 3]

NCAF_May03.ppt Slide - 8

Innovation: First powered flight

NCAF_May03.ppt Slide - 9

Trees: A hazard to navigation

NCAF_May03.ppt Slide - 10

Risk and ALARP

[Diagram: HSE tolerability-of-risk regions, highest risk at the top, with an arrow indicating reducing risk towards the bottom]

Intolerable: high risk of death or serious injury etc
Tolerable: risk to be ALARP and only for benefit
Acceptable: negligible risk of death or serious injury etc

[HSE: Reducing Risks, Protecting People]

NCAF_May03.ppt Slide - 11

Risk reduction

[Diagram: the IEC 61508-5 risk reduction model. The EUC risk is reduced to a residual risk, which is compared with the tolerable risk; the necessary risk reduction is compared with the actual risk reduction, i.e. the risk reduction achieved by all safety-related systems and external risk reduction facilities, made up of:]

• Partial risk covered by other technology safety-related systems
• Partial risk covered by E/E/PE safety-related systems
• Partial risk covered by external risk reduction facilities

[IEC 61508-5]

NCAF_May03.ppt Slide - 12

Example risk classification matrix

[Table: a risk class (I, II, III or IV) assigned to each combination of frequency (rows: Frequent, Probable, Occasional, Remote, Improbable, Incredible) and consequence (columns: Catastrophic, Critical, Marginal, Negligible)]

Risk = function (Severity, Likelihood)

NCAF_May03.ppt Slide - 13

Generalised safety process

• List system functions (operational requirements)
• Find out how they can go wrong
  – Functional Hazard Analysis
• Calculate tolerable failure rates (safety requirements)
  – consequence analysis to assess mitigation
• Design system to meet safety requirements
• Show that system will meet safety requirements
  – provide safety arguments and evidence in safety case
• Maintain safe operation

NCAF_May03.ppt Slide - 14

Data integrity

• Data in air navigation
• Data integrity
• Data provision

NCAF_May03.ppt Slide - 15

Air Navigation

NCAF_May03.ppt Slide - 16

Problem description

• The use of data by safety-related systems is becoming more common.
• In such systems data is often a significant (if not the major) component.
• Data is not commonly treated as a separate system component and hence is largely ignored.
• Safety of the system may rely on the correctness of the data.

NCAF_May03.ppt Slide - 17

Data-driven systems

• The data used by a data-driven system may have extensive influence over both the normal and abnormal behaviour of the system
• Typical examples of large-scale data-driven systems are transportation control systems. These systems use several different types of data:
  – Static configuration data
  – Instantaneous status information
  – Operational information
  – Command schedule
  – Timetable

NCAF_May03.ppt Slide - 18

Data integrity requirements

• Hazard and risk analysis processes are used to establish system integrity requirements
• These requirements are then apportioned between components of the design, including the people, process, hardware, software and data components of the system.
• The integrity requirements apportioned to the data component of the system are termed in this presentation ‘data integrity requirements’.

NCAF_May03.ppt Slide - 19

Apportionment of ‘error budget’

[Pie chart: the system error budget shared roughly equally, about 20% each, between Hardware, Software, Data, Process and People; Data ~20%]

Table 1. Target failure rates for systems of different safety integrity levels from IEC 61508

SIL   High demand or continuous mode                   Low demand mode
      (Probability of a dangerous failure per hour)    (Probability of failure on demand)
4     ≥ 10^-9 to < 10^-8                               ≥ 10^-5 to < 10^-4
3     ≥ 10^-8 to < 10^-7                               ≥ 10^-4 to < 10^-3
2     ≥ 10^-7 to < 10^-6                               ≥ 10^-3 to < 10^-2
1     ≥ 10^-6 to < 10^-5                               ≥ 10^-2 to < 10^-1

[IEC 61508]

NCAF_May03.ppt Slide - 22

A question of scale?

“Things get bigger and bigger, pushing the boundaries, until you’ve had a change of scale”

Peter Elliott, BP, Keynote Speaker, ESAS-02

NCAF_May03.ppt Slide - 23

Layer model

[Diagram: the layers of a control system: Enterprise, Business Unit, Optimising, Supervisory, Reflex, Plant Interface, Plant]

NCAF_May03.ppt Slide - 24

Workstation

[Diagram: a workstation in the layer model, with Supervisory, Reflex and Plant Interface layers above the Plant]

NCAF_May03.ppt Slide - 25

Vertical coupling

[Diagram: vertical coupling through the Supervisory, Reflex and Plant Interface layers down to the Plant]

NCAF_May03.ppt Slide - 26

Horizontal coupling

[Diagram: horizontal coupling between two side-by-side stacks of Supervisory, Reflex and Plant Interface layers, each above its own Plant]

NCAF_May03.ppt Slide - 27

Design – Control System

[Diagram: a control system design built from the layer model (Enterprise, Business Unit, Optimising, Supervisory, Reflex, Plant Interface, Plant), with its elements numbered 1 to 6]

NCAF_May03.ppt Slide - 28

Design – Interface considerations

[Diagram: Layer N+1, Layer N and Layer N-1 connected through DTU and DAP elements]

NCAF_May03.ppt Slide - 29

Data Quality

• DO 200A identifies a number of ‘data quality’ criteria:
  – the accuracy of the data
  – the resolution of the data
  – the confidence that the data is not corrupted while stored or in transit (assurance level)
  – the ability to determine the origin of the data (traceability)
  – the level of confidence that the data is applicable to the period of (its) intended use (timeliness)
  – all of the data needed to support the function is provided (completeness)
  – the format of the data meets the user's requirements

NCAF_May03.ppt Slide - 30

Data development

• In data-driven systems the data is often developed separately from the software
• However, it is clearly an integral part of the system
  – Safety of the overall system will normally depend on the correctness of the data
  – Presumably the SIL of the data will be similar to that of the executable software
  – One would expect similar levels of rigour

NCAF_May03.ppt Slide - 31

Data ownership

• Ownership may itself be a complex issue, as data may originate from within a number of organisational and political bodies and include any consolidations required to produce a higher data abstraction.
• Organisational responsibilities are not only concerned with the supply of data, but also with its ownership and, in some cases, the liabilities associated with data errors.
• Ownership may also be passed across the data supply chain.

NCAF_May03.ppt Slide - 32

Data Provision

• Data provision is dependent upon the integrity of the data source
• Data provision has two main components
  – Data source (either data production or origination)
  – Data supply chain

NCAF_May03.ppt Slide - 33

Integrity of the data source

• Data may be produced by a number of means, from simple data entry to complex and diverse automated toolsets.
• The integrity of the data origin will be a significant influence upon the integrity required from the supply chain.
• Low integrity at the data source may render the source unusable.
• Data of a particular type may not all be provided from a single source

NCAF_May03.ppt Slide - 34

Data production

• Small-scale systems may use data entry to create a validated dataset.
• As the scale and volume of data increases, the nature of the data required changes.
• Data production may require vertical or horizontal datasets (or a combination of both)
• Data production may consider data extracted from enabling products such as middleware, data mining or data warehouses.

NCAF_May03.ppt Slide - 35

Data supply chain

• Properties required from a data supply chain
  – Origination (data of suitable integrity): identifies a point at which the data originates
  – Data then progresses across a series of elements such as transmission, preparation and formatting, and is finally consumed by the data-driven system
  – No element will be perfect; therefore each element in the chain may introduce errors or faults
• Data supply chain errors must be less than the data integrity requirements for the safe operation of the system
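A worked check of the error-budget argument from slides 19 and 35 (the IEC 61508 targets in Table 1, the ~20% share apportioned to data, and a supply chain in which every element adds its own errors), written as an added example for this page rather than material from the presentation or from CSE International Ltd. The chain elements, their per-hour error rates and their detection fractions are constructed assumptions, and the series sum of undetected errors is an approximation that holds for small rates.

```python
from dataclasses import dataclass

# IEC 61508 target failure measures from the slide's Table 1, as [lower, upper) bands:
# "continuous" = probability of a dangerous failure per hour, "low_demand" = PFD.
SIL_TARGETS = {
    4: {"continuous": (1e-9, 1e-8), "low_demand": (1e-5, 1e-4)},
    3: {"continuous": (1e-8, 1e-7), "low_demand": (1e-4, 1e-3)},
    2: {"continuous": (1e-7, 1e-6), "low_demand": (1e-3, 1e-2)},
    1: {"continuous": (1e-6, 1e-5), "low_demand": (1e-2, 1e-1)},
}

def sil_target(sil, mode="continuous"):
    """Upper bound of the SIL band: the system's failure measure must stay below it."""
    return SIL_TARGETS[sil][mode][1]

def sil_for_rate(rate, mode="continuous"):
    """Highest SIL whose target an achieved rate meets; None if it misses even SIL 1."""
    for sil in (4, 3, 2, 1):
        if rate < SIL_TARGETS[sil][mode][1]:
            return sil
    return None

def apportion(system_target, shares):
    """Split the system target across components by fraction (the slide's ~20% each)."""
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("component shares must sum to 1.0")
    return {name: system_target * frac for name, frac in shares.items()}

@dataclass
class ChainElement:
    name: str
    error_rate: float  # erroneous outputs this element produces, per hour of operation
    detection: float   # fraction of those errors caught by verification at this stage

    def residual(self):
        return self.error_rate * (1.0 - self.detection)  # errors passed downstream

def check_chain(elements, data_budget):
    """Undetected errors from each element add in series (rates are small, so the sum
    is a close upper bound). The largest contributor is where extra verification pays."""
    residual = sum(e.residual() for e in elements)
    worst = max(elements, key=lambda e: e.residual())
    return {"residual": residual, "budget": data_budget,
            "ok": residual < data_budget, "worst_element": worst.name}

# Constructed example chains (not from the slides): the same four elements, first with
# little verification, then with a verification step at every stage.
UNVERIFIED = [ChainElement("origination", 1e-5, 0.99), ChainElement("transmission", 1e-6, 0.90),
              ChainElement("preparation", 5e-7, 0.50), ChainElement("formatting", 1e-7, 0.00)]
VERIFIED = [ChainElement("origination", 1e-5, 0.999), ChainElement("transmission", 1e-6, 0.99),
            ChainElement("preparation", 5e-7, 0.95), ChainElement("formatting", 1e-7, 0.90)]
```

With the SIL 2 continuous-mode target apportioned 20% to data (2e-7 per hour), check_chain rejects UNVERIFIED (residual 5.5e-7, with preparation the largest contributor) and accepts VERIFIED (residual 5.5e-8).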

NCAF_May03.ppt Slide - 36

Buildings: A hazard to navigation

NCAF_May03.ppt Slide - 37

Conclusions

• The safe operation of the data-driven system is likely to depend upon the correctness of the data
• However, data and its production, use and maintenance are rarely treated as the subject of integrity requirements
• All too often:
  – data is not subject to any systematic hazard or risk analysis
  – data is poorly structured, making errors more likely to be produced, and more difficult to detect
  – data is not subjected to any form of verification

NCAF_May03.ppt Slide - 38

A final quote

“You would think that before they let people use these systems, they'd ensure they're safe”

Hiram K. Hackenbacker (Brains), International Rescue, Thunderbirds 1966 (1972 in UK)