Use of Fieldbus in safety related systems, an evaluation study of WorldFIP according to proven-in-use concept of IEC 61508 Jean Pierre Froidevaux WorldFIP.


1 Use of Fieldbus in safety related systems, an evaluation study of WorldFIP according to proven-in-use concept of IEC 61508
Jean Pierre Froidevaux, WorldFIP
Olivier Nick, ALSTOM Technology
Michel Suzan, Bureau Veritas

2 PN/IR/01.0003 page 2 ©Copyright 2001 WorldFIP
Introduction to the risk approach
Any production operation has inherent risks in case of malfunctions
These risks may cause damage to the operators, the environment and assets
Operations cannot be run if risks are unacceptable:
–Risks should be evaluated
–If risks are not acceptable, they should be reduced by reliable means such as E/E/PE systems

3 IEC 61508 standard: Risk Reduction Concept
[Figure only: the risk reduction diagram of IEC 61508]

4 IEC 61508 standard: Failure distinction
Random failures: classical RAM studies, estimated assessment strategy, probabilistic calculation
Systematic failures (including software): good engineering practices, strategy to avoid & control failures, organisational measures during the whole life cycle (safety assurance), technical measures
RAM: Reliability, Availability & Maintainability

5 Objectives of a safety function
To provide a safety related function with a given level of integrity, to ensure a certain risk reduction
Applicable to a function or a system, not to a component
Assessments are done on an application basis
A safety related function has to protect persons and the environment from an identified hazard
Reliable risk reduction system

6 Mission of a safety function
Keep the process under control within its operating limits
To achieve this the safety function can either:
–develop counter actions to avoid crossing a constraint (ex: anti-surge)
–stop the process, either gracefully or in emergency
Actions should be defined in accordance with the gravity of the consequences

7 What is the role of communication?
Communication is a set of hardware and software allowing information to be transferred between two or more devices
It should not propagate or create a fault that may induce a dangerous situation for the process under control:
–Data corruption should be detected
–Time constraints should be enforced for real time data
–Delivery should be ordered to avoid out-of-sequence data

8 Behaviour on faults
Behaviour on faults should be known
Consequences may be either:
–A communication fault triggers a safety action and stops the process
–The communication is robust to faults and permits continued operation even in the presence of faults
The criterion is the criticality analysis of fault consequences and the need to avoid non justified safety actions (credibility)
Are stopped systems the only safe systems???
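The three receiver-side checks of slide 7 (corruption, time constraint, ordering) and the two fault policies of slide 8 (trip on the first fault, or tolerate faults and keep operating) can be shown together in one consumer. The following Python is an added example, not code from WorldFIP or the presenters: the frame layout (16-bit sequence number, 32-bit production time in ms, payload, CRC-16/CCITT), the 20 ms freshness limit and the traffic in `run_scenario` are all constructed for the example.

```python
import struct

# --- producer side ---------------------------------------------------------

def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE over data, bit-serial, MSB first."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def build_frame(seq: int, produced_ms: int, payload: bytes) -> bytes:
    """Constructed layout: seq (16 bit) | production time in ms (32 bit) | payload | CRC-16."""
    body = struct.pack(">HI", seq, produced_ms) + payload
    return body + struct.pack(">H", crc16_ccitt(body))

# --- consumer side ---------------------------------------------------------

def check_frame(frame: bytes, last_seq, now_ms: int, max_age_ms: int):
    """Return (status, seq, payload); status is 'ok' or the first check that failed."""
    if len(frame) < 8:                          # header (6) + CRC (2) at minimum
        return ("too_short", None, None)
    body, rx_crc = frame[:-2], struct.unpack(">H", frame[-2:])[0]
    if crc16_ccitt(body) != rx_crc:             # corruption on the medium (slide 7, first point)
        return ("crc_error", None, None)
    seq, produced_ms = struct.unpack(">HI", body[:6])
    if now_ms - produced_ms > max_age_ms:       # real-time constraint violated (second point)
        return ("stale", seq, None)
    if last_seq is not None:
        delta = (seq - last_seq) & 0xFFFF
        if delta == 0 or delta >= 0x8000:       # duplicate or older than the last accepted value (third point)
            return ("out_of_sequence", seq, None)
    return ("ok", seq, body[6:])

class Consumer:
    """Slide 8 policy: tolerated_faults=0 trips on the first fault; a larger value keeps the
    process running until more than that many consecutive faulty cycles are seen."""

    def __init__(self, max_age_ms: int, tolerated_faults: int):
        self.max_age_ms = max_age_ms
        self.tolerated_faults = tolerated_faults
        self.last_seq = None
        self.last_value = None
        self.consecutive_faults = 0
        self.safe_state = False                 # latched: once tripped it stays tripped

    def receive(self, frame: bytes, now_ms: int) -> str:
        status, seq, payload = check_frame(frame, self.last_seq, now_ms, self.max_age_ms)
        if status == "ok":
            self.consecutive_faults = 0
            self.last_seq, self.last_value = seq, payload
        else:
            self.consecutive_faults += 1
            if self.consecutive_faults > self.tolerated_faults:
                self.safe_state = True          # the safety action of slide 8
        return status

def run_scenario(tolerated_faults: int):
    """Constructed traffic: two good frames, a corrupted one, a replayed one, a late one, a good one."""
    rx = Consumer(max_age_ms=20, tolerated_faults=tolerated_faults)
    frames = [build_frame(i, 10 * i, struct.pack(">f", 0.5 * i)) for i in range(5)]
    corrupted = bytearray(frames[2])
    corrupted[7] ^= 0x01                        # single bit flip inside the payload
    statuses = [
        rx.receive(frames[0], now_ms=5),
        rx.receive(frames[1], now_ms=15),
        rx.receive(bytes(corrupted), now_ms=25),
        rx.receive(frames[1], now_ms=25),       # replay of an already consumed frame
        rx.receive(frames[3], now_ms=60),       # produced at 30 ms, now 30 ms old > 20 ms limit
        rx.receive(frames[4], now_ms=45),
    ]
    return statuses, rx.safe_state

if __name__ == "__main__":
    for tolerated in (0, 2, 3):
        print(tolerated, run_scenario(tolerated))
```

Running the same six frames through the two policies makes the credibility trade-off of slide 8 visible: with `tolerated_faults=0` one corrupted frame already stops the process, with `tolerated_faults=3` the three consecutive faults are ridden through and the next good frame clears the counter. Which setting is right is exactly the criticality analysis the slide asks for, not a property of the bus.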

9 Approach for Fieldbus
Fieldbus is a subsystem according to IEC 61508
[Figure: Device A, Device B, Device C, each with an application layer on top of the fieldbus]
Fieldbus is a set of hardware and software

10 Fieldbus approach
Trusted approach
–The Fieldbus subsystem should comply with the provisions of IEC 61508, either through the proven in use concept or by being fully designed for safety purposes
Non trusted approach
–The integrity of the transmitted information is ensured by external means (additional coding)

11 Why the trusted approach?
Fieldbus native integrity
Conserve initial properties:
–real time features
–robustness to faults
–high throughput
Permit use of standard hardware and software
Facilitate system engineering
Use high integrity control across the network for safer process operation

12 Open communication is needed
To ensure high integrity of a system over time, efficient diagnostic and maintenance should be implemented
On-line maintenance needs communication with end devices
These exchanges (event driven) should be isolated from safe exchanges
Fieldbus should prove the quality of isolation

13 Why WorldFIP? Cyclic traffic
–Bus scheduler contains the list of “variables” to be exchanged on the shared media
–Variable publisher: the entity containing the variable to be sent over the network
–Variable consumers: the entity (or entities) interested in receiving the variable
[Figure: BUS SCHEDULER (DISTRIBUTOR) with its BA TABLE (scanning table); Equipment 1 to 5 on the shared media, one as PRODUCER and the others as CONSUMER]
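To make the producer/consumer model of slide 13 and the isolation requirement of slide 12 concrete, here is a toy bus arbitrator in Python. It is an added example and not the WorldFIP protocol or any real BA implementation: the scanning table, the equipment names (PT1, PLC, XV1, TT1, HMI), the "4 slots per elementary cycle" budget and the aperiodic requests are constructed. The arbitrator polls the producer of every variable that is due in the current elementary cycle, delivers the value to its consumers, and serves event-driven (maintenance) requests only in the slots the cyclic traffic leaves free, so they can never displace a safety variable. It also refuses a scanning table whose worst-case cycle does not fit, which is the check a practitioner wants before relying on the real-time property.

```python
from dataclasses import dataclass
from functools import reduce
from math import gcd

@dataclass(frozen=True)
class Variable:
    name: str
    producer: str
    consumers: tuple        # every piece of equipment that must receive the value
    period: int             # elementary cycles between two exchanges
    slots: int = 1          # bus slots one exchange occupies (identifier poll + reply)

def macrocycle_length(table):
    """Least common multiple of all periods: after this many cycles the pattern repeats."""
    return reduce(lambda a, b: a * b // gcd(a, b), (v.period for v in table), 1)

def due_variables(table, cycle):
    return [v for v in table if cycle % v.period == 0]

def worst_case_load(table):
    """Most bus slots the cyclic traffic needs in any single elementary cycle of the macrocycle."""
    return max(sum(v.slots for v in due_variables(table, c))
               for c in range(macrocycle_length(table)))

class BusArbitrator:
    def __init__(self, table, cycle_slots):
        load = worst_case_load(table)
        if load > cycle_slots:      # the scanning table must fit before the bus is started
            raise ValueError(f"cyclic traffic needs {load} slots in one cycle, only {cycle_slots} available")
        self.table, self.cycle_slots = list(table), cycle_slots
        self.macrocycle = macrocycle_length(table)
        self.produced = {}      # (producer, variable) -> value written by the producing application
        self.consumed = {}      # (consumer, variable) -> last value delivered by the bus
        self.aperiodic = []     # pending event-driven requests, FIFO

    def publish(self, producer, name, value):
        self.produced[(producer, name)] = value

    def request_aperiodic(self, request):
        self.aperiodic.append(request)

    def run(self, n_cycles):
        """Return one (cycle, exchanged variables, aperiodic requests served) tuple per cycle."""
        trace = []
        for c in range(n_cycles):
            due = due_variables(self.table, c)
            exchanged = []
            for v in due:
                value = self.produced.get((v.producer, v.name))   # None if the producer never answered
                for consumer in v.consumers:
                    self.consumed[(consumer, v.name)] = value
                exchanged.append(v.name)
            # Event-driven traffic only gets what the cyclic traffic leaves over (slide 12 isolation).
            free = self.cycle_slots - sum(v.slots for v in due)
            served, self.aperiodic = self.aperiodic[:free], self.aperiodic[free:]
            trace.append((c, exchanged, served))
        return trace

# Constructed scanning table: two 1-cycle variables, one 2-cycle, one 4-cycle.
DEMO_TABLE = (
    Variable("pressure", "PT1", ("PLC",), period=1),
    Variable("valve_cmd", "PLC", ("XV1",), period=1),
    Variable("temp", "TT1", ("PLC", "HMI"), period=2),
    Variable("status", "XV1", ("PLC",), period=4),
)

def demo():
    ba = BusArbitrator(DEMO_TABLE, cycle_slots=4)
    ba.publish("PT1", "pressure", 12.5)
    ba.publish("PLC", "valve_cmd", "OPEN")
    ba.publish("TT1", "temp", 61.0)
    ba.publish("XV1", "status", "OK")
    for req in ("read_diag_TT1", "read_diag_XV1", "fw_version_PT1"):
        ba.request_aperiodic(req)
    return ba, ba.run(4)

if __name__ == "__main__":
    ba, trace = demo()
    print("macrocycle:", ba.macrocycle, "cycles")
    for cycle, exchanged, served in trace:
        print(cycle, exchanged, served)
```

In the demo the first elementary cycle is fully used by cyclic variables, so the three maintenance requests wait and are served in the following cycles without any safety variable being late. Reducing `cycle_slots` to 3 makes the constructor raise, because the table then demands four slots in cycle 0.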

14 Residual error rate
[Figure: residual error rate (10^0 down to 10^-20) plotted against the error rate on binary element (10^-5 to 0.5); integrity classes I1, I2, I3 and I4 with the levels 2^-1, 2^-8, 10^-12 and 10^-15; the WorldFIP integrity class according to the “classical approach” is marked]

15 Generic method issues
Use of an estimated assessment strategy
Reliability data can have a high level of non confidence
Difficulty to quantify the safe failure fraction
Difficulty to quantify common cause failures
A fair method for a completely new design
Mandatory condition: a stringent estimated probabilistic calculation strategy from the beginning of the design
Without proven data the calculation must be conservative

16 Field experience exploitation: the proven in use concept
Use field experience from different applications to prove that the system will work in safe operation according to the specified risk reduction target.
Avoid the extensive re-validation for each new application (use similar experience).
Mandatory condition: having a rigorous record of experience and a stringent contextual risk analysis

17 Proven design or proven in use? The essential difference
For ‘Proven-in-use’ the operational failure rate will already include systematic (for instance common cause and software) failures.
For ‘designed to IEC 61508’ a separate assessment of systematic failures will be required.
Each method has its advantage, but, in the context of WorldFIP, the ‘proven in use’ method could be far more reliable and ‘ready to apply’ because of the high number of existing WorldFIP applications.

18 IEC 61508 standard: How to reach “proven in use”?
The proofs to bring:
Organised & detailed records from field users
Sufficient number of systems in use to justify reliable operation
High level of confidence in the operational figures

19 IEC 61508 standard: How to reach “proven in use”?
“Proven in use” in the standard: part 2 §7.4.2.2, §7.4.5.1, §7.4.7.3 to §7.4.7.12; part 7 §C.2.10, §B.5.4, §C.4.5
The proofs to bring:
Organised & detailed records from field users
Sufficient number of systems in use to justify reliable operation
High level of confidence in the operational figures

20 IEC 61508 standard: Methodology employed by Alstom
Statistical approach:
1) DATA COLLECTION
2) DATA SELECTION
3) RELIABILITY BLOCK DIAGRAM MODELLING
4) MARKOVIAN MODEL
5) STATISTICAL ESTIMATORS
6) RESULTS
Statistics made on:
For FullFIP2: 90000 devices / 1.96E9 hours of operation
For MicroFIP: 5003 devices / 6.75E7 hours of operation

21 IEC 61508 standard: The solution to reach a high SIL, validation strategy
Organised & detailed records from field users → Validation of the ALSTOM internal methodology for recording field experience
Sufficient number of systems in use to justify reliable operation → Validation of the relevancy and the number of the systems considered in the analysis
High level of confidence in the operational figures → Validation of the calculation methodology

22 IEC 61508 standard: Ongoing independent assessment
Key elements under inspection by Bureau Veritas:
How is the information collected?
How is an event judged to be unsafe?
Who is treating the information?
Are the calculations compliant with IEC 61508 requirements? ...
Validation of the ALSTOM internal methodology for recording field experience
Validation of the relevancy and the number of the systems considered in the analysis
Validation of the calculation methodology

23 Partial results (audit still in process)
+ The number of samples is sufficient to allow a fair level of confidence in the assessment.
+ The record of field experience is sufficiently rigorous to allow a proven in use IEC 61508 approach.
- HW random failures shall be taken into account.
- The process of interpretation of failures shall be more safety oriented.
- A clear “generic” risk analysis shall be provided in the context of use.
Without proven data the calculation must be conservative
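The statistical step of slide 20 and the auditor's remarks of slides 22 and 23 (which events count as unsafe, and that the calculation must stay conservative) can be illustrated with a small Python computation. This is an added example, not the Alstom methodology or the Bureau Veritas audit: only the operating hours (1.96E9 h for FullFIP2, 6.75E7 h for MicroFIP) come from slide 20; the event records, the classification rules and the `fail_safe_on_loss` switch are constructed. The script classifies recorded events into dangerous and safe failures (unknown causes are counted as dangerous, the conservative choice), then derives a one-sided upper confidence bound on the dangerous failure rate from the Poisson model, so that zero observed failures still yields a non-zero rate, and finally places that rate in the high-demand/continuous-mode PFH bands of IEC 61508-1 as a first screen. The band is indicative only: a device failure rate is not the PFH of a whole safety function, and the standard's proven-in-use route asks for more than this statistic, as slides 18 and 19 list.

```python
import math

# Operating experience from slide 20 (devices and hours); everything else below is constructed.
FIELD_EXPERIENCE = {
    "FullFIP2": {"devices": 90000, "hours": 1.96e9},
    "MicroFIP": {"devices": 5003, "hours": 6.75e7},
}

# Constructed event records, as an internal field-experience database might hold them.
EVENTS = [
    {"family": "FullFIP2", "kind": "undetected_wrong_value"},
    {"family": "FullFIP2", "kind": "detected_loss_of_comm"},
    {"family": "FullFIP2", "kind": "spurious_trip"},
    {"family": "FullFIP2", "kind": "unknown_cause"},
    {"family": "MicroFIP", "kind": "spurious_trip"},
]

def is_dangerous(event, fail_safe_on_loss):
    """Safety-oriented interpretation of an event (slide 23): does it defeat the safety function?"""
    kind = event["kind"]
    if kind == "undetected_wrong_value":
        return True                     # wrong data acted upon: dangerous
    if kind == "detected_loss_of_comm":
        return not fail_safe_on_loss    # safe only if the consumer trips on loss (slide 8 policy)
    if kind == "spurious_trip":
        return False                    # availability problem, not a dangerous failure
    return True                         # unknown cause: counted against us, conservatively

def count_dangerous(family, fail_safe_on_loss):
    return sum(1 for e in EVENTS if e["family"] == family and is_dangerous(e, fail_safe_on_loss))

def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), summed term by term."""
    term, total = math.exp(-mu), math.exp(-mu)
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total

def upper_bound_rate(failures, hours, confidence):
    """One-sided upper confidence bound on the failure rate per hour: the smallest rate at which
    observing at most `failures` events in `hours` has probability <= 1 - confidence.
    Found by bisection on the expected count mu = rate * hours."""
    target = 1.0 - confidence
    lo, hi = 0.0, 10.0 * (failures + 1) + 20.0   # hi is far beyond any plausible solution
    for _ in range(200):
        mid = (lo + hi) / 2
        if poisson_cdf(failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi / hours

def sil_band(rate_per_hour):
    """Indicative band from the PFH limits of IEC 61508-1 (high demand / continuous mode)."""
    for limit, band in ((1e-8, "SIL 4"), (1e-7, "SIL 3"), (1e-6, "SIL 2"), (1e-5, "SIL 1")):
        if rate_per_hour < limit:
            return band
    return "below SIL 1"

def assess(family, confidence=0.9, fail_safe_on_loss=True):
    k = count_dangerous(family, fail_safe_on_loss)
    hours = FIELD_EXPERIENCE[family]["hours"]
    rate = upper_bound_rate(k, hours, confidence)
    return {"dangerous_failures": k, "hours": hours, "confidence": confidence,
            "upper_rate_per_hour": rate, "band": sil_band(rate)}

if __name__ == "__main__":
    for family in FIELD_EXPERIENCE:
        for fail_safe in (True, False):
            print(family, "fail_safe_on_loss=%s" % fail_safe, assess(family, fail_safe_on_loss=fail_safe))
```

Two things the numbers show: the large FullFIP2 base absorbs a few dangerous events and still bounds the rate in the 1E-9 decade at 90% confidence, whereas the much smaller MicroFIP base, even with zero dangerous failures, can only be bounded one decade higher; and flipping `fail_safe_on_loss` changes the count of dangerous failures, which is precisely why the auditors ask how an event is judged unsafe before accepting the figures.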

24 Limits of this approach
Need of a very large installed base.
Need of a very stringent risk analysis in compliance with the context of use (how to adapt the risk analysis to the context and be sure the risk is still mitigated: concept of generic risk analysis).
Need of close access to failure data.
Need of an efficient data recording process (independent and objective recording and assessment, human factors…).
The total control of the field experience

25 Achievements
Bring the evidence that WorldFIP can be used in safety applications
No specific direct overcost linked to safety (it was proven in use)
If necessary, adapt the field experience methodology (only quality improvement)
If necessary, adapt user maintenance procedures to allow a fair and relevant record of experience
A simple and operational approach to functional safety

