Assessment of the safety-related reliability of control systems: development of practical test methods

Project No. BIA 5084


completed 07/2003


Electronic safety equipment for machines, and machine controls with safety-related functions, are increasingly being made subject to assessment of a probability parameter according to IEC 61508, "Functional safety of electrical/electronic/programmable electronic safety-related systems", and in future also according to IEC 62061, "Safety of machinery - Functional safety - Electrical, electronic and programmable electronic control systems" or, respectively, a new version of EN 954-1, "Safety of machinery - Safety-related parts of control systems". This may be the "probability of a dangerous failure per hour" (PFH), a "safety integrity level" (SIL) derived from it, or a specially defined "performance level" (PL). The probability parameter required in each case must be derived from the properties of the components used, the internal structure of the control, the automatic processes, and manual actions. To this end a mathematical model had to be developed which is able to combine a plethora of discrete data, such as failure rates of components, topology of the electrical circuit, diagnostic coverage of automatic tests (online tests), demand mode, etc. In principle, Markov models are highly suited. In the complex systems encountered in practice, however, they exceed a practical size. Conversely, complex systems permit only moderate model approximations if a high level of safety-related reliability (high SIL) is to be validated.

The objective of the project was to develop techniques for modelling and evaluation which also enable the safety-related reliability of complex safety facilities and controls with safety functions to be quantified with sufficient accuracy and within an acceptable period of time. In addition, further experience was to be gained in the effective design and optimization of hardware and software so as to enable the requirements of standards governing the probability of a dangerous failure to be observed by economically viable methods.


Methods for simplification of excessively large Markov models were to be produced on the basis of the Markov modelling techniques for safety systems developed during the EU STSARCES project (BIA project 5076, "Quantitative analysis of complex electronic systems using fault tree analyses and Markov models"). In particular, techniques had to be found which efficiently take account of a number of online tests performed in parallel, and which at the same time computationally validate the increase in safety-related reliability achieved by these tests. The principles applied had to be examined for plausibility and accuracy by means of clearly structured examples. The feasibility of the techniques was to be validated on a particularly sophisticated practical case. Concurrent studies were to be performed into the suitability of generalized stochastic Petri nets (GSPNs) as an alternative method of quantification in the field of machine safety. To this end, modelling methods were to be drawn up for all relevant effects (i.e. effects influencing the probability of a dangerous failure). Meaningful examples had to be employed to demonstrate that the results achieved with all newly developed methods matched, with sufficient accuracy, those of proven Markov techniques.


The results demonstrated that an average diagnostic coverage (DCavg) can be defined for a signal processing channel such as to reflect different localization foci of the failure detection capacity in the chain comprising sensor, processing unit and actuator. A number of different DC distributions can thus be attributed to the same average value. This enables a range of differently constructed systems to be quantified by means of a limited number of precalculated Markov models. Based upon Markov models for a selected number of standard system architectures, a diagram was developed for simple approximation of the probability of a dangerous failure per hour (PFH). Where the system architecture, channel-related mean time to failure (MTTF) and average diagnostic coverage are known, the diagram can be used for estimation of the PFH or PL without the need for further Markov modelling. This procedure has been added to draft standard prEN ISO 13849-1 (the planned replacement for EN 954-1). When read backwards, the diagram simplifies the decision for a certain technical design for a given required PL. As far as the specific problem of multiple combined online tests is concerned, a concept of simplified Markov modelling has been developed which substantially reduces the number of sub-states required within the model. A further finding: although periodic tests are not exponentially distributed transition processes, exponentially distributed transitions are nevertheless suitable for representing them approximately in Markov models. If the reciprocal of the test interval is selected as the transition rate, a conservative estimate is produced. Further results of the project concern the influence of the demand rate and the test rate upon the PFH: a characteristic dependence in relation to the system architecture was established. This in turn gives rise to certain new aspects with regard to definition of the PFH, the modelling technique, and the system design.
On the basis of the simplifications produced by the project, the complex approach of Monte Carlo simulation of Petri nets was considered dispensable for the time being. This issue will be addressed again in a future project.
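The conservative direction of the "reciprocal test interval as transition rate" approximation can be checked numerically. The following is an added illustration, not a model from the project: it assumes a single signal channel with dangerous failure rate lam (1/MTTFd), a fraction dc of those failures detected by an online test, a demand rate, and a mission time over which PFH is taken as the average frequency of a dangerous event (reached when a demand arrives while an undetected dangerous failure is present). The same Markov chain is solved once with the test as an exponential transition of rate 1/T and once with the test applied deterministically every T hours.

```python
"""Constructed single-channel Markov model: exponential vs. periodic online test."""

# State indices of the continuous-time Markov chain (assumed structure).
OK, DD, DU, SAFE, FAIL = range(5)   # DD/DU: dangerous detected/undetected failure


def derivative(p, lam, dc, test_rate, demand_rate):
    """Time derivative of the state probability vector; test_rate=0 disables
    the exponential test transition (used by the periodic-test variant)."""
    to_dd = lam * dc * p[OK]            # dangerous failure the test can detect
    to_du = lam * (1.0 - dc) * p[OK]    # dangerous failure no test detects
    dd_safe = test_rate * p[DD]         # test detects DD, plant brought to safe state
    dd_fail = demand_rate * p[DD]       # demand arrives before the test found DD
    du_fail = demand_rate * p[DU]       # demand arrives on an undetectable failure
    return [-(to_dd + to_du), to_dd - dd_safe - dd_fail, to_du - du_fail,
            dd_safe, dd_fail + du_fail]


def rk4_step(p, dt, *rates):
    """One classical Runge-Kutta step of the Kolmogorov forward equations."""
    k1 = derivative(p, *rates)
    k2 = derivative([x + 0.5 * dt * k for x, k in zip(p, k1)], *rates)
    k3 = derivative([x + 0.5 * dt * k for x, k in zip(p, k2)], *rates)
    k4 = derivative([x + dt * k for x, k in zip(p, k3)], *rates)
    return [x + dt / 6.0 * (a + 2 * b + 2 * c + d)
            for x, a, b, c, d in zip(p, k1, k2, k3, k4)]


def pfh(lam, dc, test_interval, demand_rate, mission_h, periodic, dt=0.1):
    """Average frequency of a dangerous event per hour over the mission.
    periodic=True applies the test as an instantaneous flush of DD every
    test_interval hours; periodic=False uses rate 1/test_interval instead.
    dt must divide test_interval."""
    steps_per_test = round(test_interval / dt)
    test_rate = 0.0 if periodic else 1.0 / test_interval
    p = [1.0, 0.0, 0.0, 0.0, 0.0]
    for i in range(1, round(mission_h / dt) + 1):
        p = rk4_step(p, dt, lam, dc, test_rate, demand_rate)
        if periodic and i % steps_per_test == 0:
            p[SAFE] += p[DD]    # periodic test finds every DD failure present
            p[DD] = 0.0
    return p[FAIL] / mission_h


if __name__ == "__main__":
    # Assumed figures: MTTFd = 1e5 h, DC = 90 %, test every hour, one demand per hour.
    args = (1e-5, 0.9, 1.0, 1.0, 1000.0)
    print("exponential test approximation:", pfh(*args, periodic=False))
    print("exact periodic test:           ", pfh(*args, periodic=True))
```

With these figures the exponential approximation overestimates the PFH by roughly a quarter relative to the deterministic test, so it is conservative, and the two variants coincide when DC = 0 because the test then has nothing to detect.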



Financed by:
  • Hauptverband der gewerblichen Berufsgenossenschaften (HVBG)
Research institution(s):
  • Berufsgenossenschaftliches Institut für Arbeitsschutz - BIA

-cross sectoral-

Type of hazard:

mechanical hazards


machine safety

Description, key words:

Safety of machinery, electronic safety equipment, electronic controls, IEC 61508, IEC 62061, EN 954-1, dangerous failure, probability of failure, safety-related reliability, safety integrity level, Markov models, Petri nets