use of fieldbus in safety related systems, an evaluation study of worldfip according to...

Use of Fieldbus in safety related systems, an evaluation study of

WorldFIP according to proven-in-use concept of IEC 61508

Jean Pierre Froidevaux WorldFIP

Olivier Nick ALSTOM Technology

Michel Suzan Bureau Veritas

Use of Fieldbus in safety related systems, an evaluation study of

WorldFIP according to proven-in-use concept of IEC 61508

Jean Pierre Froidevaux WorldFIP

Olivier Nick ALSTOM Technology

Michel Suzan Bureau Veritas

PN/IR/01.0003page 2

T H E E F F E C T I V E F I E L D B U S

©Copyright 2001 WorldFIP

Introduction to risks approach

Any production operation has inherent risks in case of malfunctions

These risks may cause damages to the operators, environment, assets

Operations cannot be run if risks are unacceptable:– Risks should be evaluated– If risks are not acceptable, they should be

reduced by reliable means such as E/E/PE

PN/IR/01.0003page 3



IEC 61508 standard

Risk Reduction Concept

PN/IR/01.0003page 4



Random Failures

Systematic Failures (including software)Good

engineering practices

strategy to avoid & control

failures

Organisational measures during all

the life cycle (safety assurance)

Technical measures

Classical RAM

studies

Estimated assessment

strategy

Probabilistic Calculation

RAM: Reliability, Availability & Maintainability

IEC 61508 standard

Failures distinction

PN/IR/01.0003page 5



Objectives of a safety function

To provide a safety related function with a given level of integrity to ensure certain risk reduction

Applicable to a function or a system, not to component

Assessments are done on application basis A safety related function has to protect

persons and environment from an identified hazard

Reliable risk reduction system

PN/IR/01.0003page 6



Mission of a safety function

Keep the process under control within its operating limits

To achieve this the safety function can either:– develop counter actions to avoid crossing a

constraint (ex: anti-surge)– stop the process either gracefully or in

emergency Actions should be defined in accordance

to the gravity of consequences

PN/IR/01.0003page 7



What is the role of communication ?

Communication is a set of hardware and software allowing information to be transferred between two or more devices

It should not propagate or create a fault that may induce a dangerous situation for the process under control:– Data corruption should be detected– time constraints should be enforced for real time

data– delivery should be ordered to avoid out of sequence

PN/IR/01.0003page 8



Behaviour on faults

Behaviour on faults should be known Consequences may be either:

– A communication fault triggers a safety action and stop the process

– The communication is robust to faults and permit to continue operation even in presence of faults

the criteria is the criticity analysis of fault consequences and the need to avoid non justified safety actions (credibility)

Are a stopped systems the only safe systems???

PN/IR/01.0003page 9



Approach for Fieldbus

Fieldbus is a subsystem according to IEC 61508

Device A Device B Device C

ap

plicati

on

field

bu

s

Fieldbus is a set of hardware and software

PN/IR/01.0003page 10



Fieldbus approach

Trusted approach– The Fieldbus subsystem should comply with

the provisions of 61508:• Proven in use concept• Fully designed for safety purpose

Non trusted approach– The integrity of a transmitted information is

ensured by external means (additional coding)




Why trusted approach

Fieldbus native integrity

Conserve initial properties– real time features– robustness to faults– high throughput

Permit use of standard hardware and software

facilitate system engineering use high integrity control across network

for better process safe operation




Open communication is needed

To ensure high integrity of a system over time efficient diagnostic and maintenance should implemented

On-line maintenance needs communication

with end devices These exchanges (event driven)

should be isolated from safe exchanges

Fieldbus should prove the quality of isolation




Why WorldFIP? Cyclic traffic

– Bus scheduler contains the list of “variables” to be exchanged on the shared media

– Variable publisher the entity containing the variable to be sent over the network

– Variable consumers the entity (ies) interested in receiving the variable

PRODUCER CONSUMER

CONSUMERCONSUMER

Equipement 1 Equipement 2 Equipement 3

Equipement 5 Equipement 4

BUS SCHEDULER( DISTRIBUTOR )

BA TABLE(scanning table)




Residual errorResidual errorraterate

Residual errorResidual errorraterate

Error rate on binaryError rate on binaryelementelement

Error rate on binaryError rate on binaryelementelement

1010-5-5 1010-4-4 1010-3-3 1010-2-2 1010-1-1 0.50.51010-5-5 1010-4-4 1010-3-3 1010-2-2 1010-1-1 0.50.5

101000

1010-2-2

1010-4-4

1010-6-6

1010-8-8

1010-10-10

1010-12-12

1010-14-14

1010-16-16

1010-18-18

1010-20-20

101000

1010-2-2

1010-4-4

1010-6-6

1010-8-8

1010-10-10

1010-12-12

1010-14-14

1010-16-16

1010-18-18

1010-20-20

Integrity class

I1

Integrity class

I1

Integrityclass

I2

Integrityclass

I2

Integrityclass

I3

Integrityclass

I3

22-1-1

22-8-8

1010-12-12

1010-15-15

22-1-1

22-8-8

1010-12-12

1010-15-15

WordFIP integrity class WordFIP integrity class (« classical approach »)(« classical approach »)

Integrityclass

I4

Integrityclass

I4

WorldFIP




Generic method issues

Use of an estimated strategy assessment Reliability data can have a high level of non

confidence Difficulty to quantify the safe failure fraction Difficulty to quantify common cause failure A fair method for a complete new design Mandatory conditions : stringent

estimated probabilistic calculation strategy from the beginning of the design

Without proven data the calculation must be conservative




Field experience exploitation

Use field experience from different applications to prove that the system will work in safe operation according to the specified risk reduction target.

Avoid the extensive re-validation for each new application (use similar experience).

Mandatory condition : having a rigorous record of experience and a stringent contextual risk analysis

Proven in use concept




Proven design or Proven in use ?

For ‘Proven-in-use’ the operational failure rate will already include systematic (for instance common cause and software) failures.

For ‘designed to IEC61508’ a separate assessment of systematic failure will be required.

Each method has its advantage, but, in the context of WorldFip, the ‘proven in use’ method could be far more reliable and ‘ready to apply’ because of high number of already WorldFip applications

Essential difference




IEC 61508 standardHow to reach “proven in

use” ?

“Proven in use”

The proofs to bring

Organised & detailed records from field

users

Sufficient number of systems in use to justify reliable

operation

High Level of confidence in the

operational figures




IEC 61508 standardHow to reach “proven in

use” ?

“Proven in use”

- part 2 §7.4.2.2, §7.4.5.1 §7.4.7.3 à §7.4.7.12

- part 7 §C.2.10 §B.5.4 §C.4.5

The proofs to bring


users


operation


operational figures




IEC 61508 standardMethodology employed by

Alstom

Statistical approach

1) DATA COLLECTION

2) DATA SELECTION

3) RELIABILITY BLOCK DIAGRAM MODELLING

4) MARKOVIAN MODEL

5) STATISTICAL ESTIMATORS

6) RESULTS

Statistics made on :

• For FullFip2 : 90000 devices / 1.96E9 hours of operation

• For MicroFIP : 5003 devices / 6.75E7 hours of operation




IEC 61508 standardThe solution to reach high

SIL

Validation strategy


users


operation


operational figures

Validation of the ALSTOM internal methodology for

recording field experience

Validation of the relevancy and the number of the

systems considered in the analysis

Validation of the calculation

methodology




IEC 61508 standardOngoing Independent Assessment

Key elements under inspection by Bureau Veritas

Key elements under inspection Key elements under inspection by Bureau Veritasby Bureau Veritas

How the information is collected ?How is considered an event as unsafe ?

Who is treating the information ?Are the calculations compliant with IEC

61508 requirements ?...

Validation of the ALSTOM internal methodology for

recording field experience

Validation of the relevancy and the number of the

systems considered in the analysis

Validation of the calculation

methodology




Partial Results (audit still under process)

++ The number of samples is sufficient to allow a fair level of confidence in the assessment.

+ + The record of field experience is sufficiently rigorous to allow a proven in use IEC 61508 approach.

- - HW Random failures shall be taken into account.

- - The process of interpretation of failures shall be more safety oriented.

- - A clear “generic” risk analysis shall be provide in the context of use.

Without proven data the calculation must be conservative




Limits of this approach

Need of a very large installed base. Need of a very stringent risk analysis in

compliance with the context of use (how to adapt the risk analysis to the context and be sure the risk is still mitigated - concept of genericgeneric risk analysis).

Need of a close access to failure data. Need of an efficient (independence and

objective recording and assessment, human factors…) Data Recording Process.

The total control of the field experience




Achievements

Bring the evidence that WorldFip can be used in safety applications

No specific direct overcost linked to safety (it was proven in use)

If necessary adapt the field experience methodology (only quality improvement)

If necessary adapt user maintenance procedures to allow fair and relevant record of experience

A simple and operational approach of functional safety

use of fieldbus in safety related systems, an evaluation study of worldfip according to...

Documents