1 / 25

Introduction to risks approach

Use of Fieldbus in safety related systems, an evaluation study of WorldFIP according to proven-in-use concept of IEC 61508 Jean Pierre Froidevaux WorldFIP Olivier Nick ALSTOM Technology Michel Suzan Bureau Veritas. Any production operation has inherent risks in case of malfunctions

jkrista
Télécharger la présentation

Introduction to risks approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Use of Fieldbus in safety related systems, an evaluation study of WorldFIP according to proven-in-use concept of IEC 61508 Jean Pierre Froidevaux WorldFIP Olivier Nick ALSTOM Technology Michel Suzan Bureau Veritas

  2. Any production operation has inherent risks in case of malfunctions These risks may cause damages to the operators, environment, assets Operations cannot be run if risks are unacceptable: Risks should be evaluated If risks are not acceptable, they should be reduced by reliable means such as E/E/PE Introduction to risks approach

  3. IEC 61508 standard Risk Reduction Concept

  4. IEC 61508 standard • Random Failures Classical RAM studies Probabilistic Calculation Estimated assessment strategy • Systematic Failures (including software) Good engineering practices strategy to avoid & control failures Organisational measures during all the life cycle (safety assurance) Technical measures RAM: Reliability, Availability & Maintainability Failures distinction

  5. To provide a safety related function with a given level of integrity to ensure certain risk reduction Applicable to a function or a system, not to component Assessments are done on application basis A safety related function has to protect persons and environment from an identified hazard Objectives of a safety function Reliable risk reduction system

  6. Keep the process under control within its operating limits To achieve this the safety function can either: develop counter actions to avoid crossing a constraint (ex: anti-surge) stop the process either gracefully or in emergency Actions should be defined in accordance to the gravity of consequences Mission of a safety function

  7. Communication is a set of hardware and software allowing information to be transferred between two or more devices It should not propagate or create a fault that may induce a dangerous situation for the process under control: Data corruption should be detected time constraints should be enforced for real time data delivery should be ordered to avoid out of sequence What is the role of communication ?

  8. Behaviour on faults should be known Consequences may be either: A communication fault triggers a safety action and stop the process The communication is robust to faults and permit to continue operation even in presence of faults the criteria is the criticity analysis of fault consequences and the need to avoid non justified safety actions (credibility) Behaviour on faults Are a stopped systems the only safe systems???

  9. Approach for Fieldbus Fieldbus is a set of hardware and software Device A Device B Device C application fieldbus Fieldbus is a subsystem according to IEC 61508

  10. Trusted approach The Fieldbus subsystem should comply with the provisions of 61508: Proven in use concept Fully designed for safety purpose Non trusted approach The integrity of a transmitted information is ensured by external means (additional coding) Fieldbus approach

  11. Why trusted approach • Conserve initial properties • real time features • robustness to faults • high throughput • Permit use of standard hardware and software • facilitate system engineering • use high integrity control across network for better process safe operation Fieldbus native integrity

  12. To ensure high integrity of a system over time efficient diagnostic and maintenance should implemented On-line maintenance needs communication with end devices These exchanges (event driven) should be isolated from safe exchanges Open communication is needed Fieldbus should prove the quality of isolation

  13. Bus scheduler contains the list of “variables” to be exchanged on the shared media Variable publisher the entity containing the variable to be sent over the network Variable consumers the entity (ies) interested in receiving the variable CONSUMER CONSUMER Why WorldFIP? Cyclic traffic Equipement 3 Equipement 2 Equipement 1 CONSUMER PRODUCER BUS SCHEDULER ( DISTRIBUTOR ) Equipement 4 Equipement 5 BA TABLE (scanning table)

  14. WordFIP integrity class (« classical approach ») 100 10-2 10-4 10-6 10-8 10-10 10-12 10-14 10-16 10-18 10-20 2-1 2-8 10-12 10-15 Integrity class I1 Integrity class I2 Residual error rate Integrity class I3 WorldFIP Integrity class I4 Error rate on binary element 10-5 10-4 10-3 10-2 10-1 0.5

  15. Use of an estimated strategy assessment Reliability data can have a high level of non confidence Difficulty to quantify the safe failure fraction Difficulty to quantify common cause failure A fair method for a complete new design Mandatory conditions : stringent estimated probabilistic calculation strategy from the beginning of the design Generic method issues Without proven data the calculation must be conservative

  16. Use field experience from different applications to prove that the system will work in safe operation according to the specified risk reduction target. Avoid the extensive re-validation for each new application (use similar experience). Mandatory condition : having a rigorous record of experience and a stringent contextual risk analysis Field experience exploitation Proven in use concept

  17. For ‘Proven-in-use’ the operational failure rate will already include systematic (for instance common cause and software) failures. For ‘designed to IEC61508’ a separate assessment of systematic failure will be required. Each method has its advantage, but, in the context of WorldFip, the ‘proven in use’ method could be far more reliable and ‘ready to apply’ because of high number of already WorldFip applications Proven design or Proven in use ? Essential difference

  18. “Proven in use” IEC 61508 standardHow to reach “proven in use” ? Organised & detailed records from field users Sufficient number of systems in use to justify reliable operation High Level of confidence in the operational figures The proofs to bring

  19. “Proven in use” - part 2 §7.4.2.2, §7.4.5.1 §7.4.7.3 à §7.4.7.12 - part 7 §C.2.10 §B.5.4 §C.4.5 IEC 61508 standardHow to reach “proven in use” ? Organised & detailed records from field users Sufficient number of systems in use to justify reliable operation High Level of confidence in the operational figures The proofs to bring

  20. IEC 61508 standardMethodology employed by Alstom 1) DATA COLLECTION 2) DATA SELECTION 3) RELIABILITY BLOCK DIAGRAM MODELLING • Statistics made on : • For FullFip2 : 90000 devices / 1.96E9 hours of operation • For MicroFIP : 5003 devices / 6.75E7 hours of operation 4) MARKOVIAN MODEL 5) STATISTICAL ESTIMATORS 6) RESULTS Statistical approach

  21. IEC 61508 standardThe solution to reach high SIL Validation of the ALSTOM internal methodology for recording field experience Organised & detailed records from field users Validation of the relevancy and the number of the systems considered in the analysis Sufficient number of systems in use to justify reliable operation Validation of the calculation methodology High Level of confidence in the operational figures Validation strategy

  22. IEC 61508 standardOngoing Independent Assessment Key elements under inspection by Bureau Veritas Validation of the ALSTOM internal methodology for recording field experience How the information is collected ? How is considered an event as unsafe ? Who is treating the information ? Are the calculations compliant with IEC 61508 requirements ? ... Validation of the relevancy and the number of the systems considered in the analysis Validation of the calculation methodology Key elements under inspection by Bureau Veritas

  23. + The number of samples is sufficient to allow a fair level of confidence in the assessment. + The record of field experience is sufficiently rigorous to allow a proven in use IEC 61508 approach. - HWRandom failures shall be taken into account. - The process of interpretation of failures shall be more safety oriented. - A clear “generic” risk analysis shall be provide in the context of use. Partial Results (audit still under process) Without proven data the calculation must be conservative

  24. Need of a very large installed base. Need of a very stringent risk analysis in compliance with the context of use (how to adapt the risk analysis to the context and be sure the risk is still mitigated - concept of generic risk analysis). Need of a close access to failure data. Need of an efficient (independence and objective recording and assessment, human factors…) Data Recording Process. Limits of this approach The total control of the field experience

  25. Bring the evidence that WorldFip can be used in safety applications No specific direct overcost linked to safety (it was proven in use) If necessary adapt the field experience methodology (only quality improvement) If necessary adapt user maintenance procedures to allow fair and relevant record of experience Achievements A simple and operational approach of functional safety

More Related