Academic year: 2021


Safety Related Systems



© VISSE 20/09/10

Safety Competence Center Vienna SCCV


Safety Competence Center Vienna

> Vision

> The Safety Competence Center Vienna (SCCV) is becoming the knowledge hub for system/functional safety, with international networking.

> Mission

> The SCCV sees itself as a competence carrier in the field of system/functional safety, offering the following services:

> Courses and training

> Tool and method development

> Coaching


ISaP – Integrative Safety Process

(process diagram; the labels that survive extraction are grouped by swim lane)

> Project management & maintenance: project initialisation, project start, project controlling, project close-out

> System Safety Management: Preliminary Hazard Identification, FHA, PSSA, System Safety Assessment, Operational SSA

> Engineering & Operation: concept design, requirements analysis, design (problem space, modelling space, solution space, application); construction, (realisation), integration & test; operation & technical maintenance, maintenance, disposal

> Supporting processes: configuration management, quality management (verification, validation), problem resolution management, change management


Introduction

> What is the motivation for considering safety?

> What is safety?

> What is a safety related system?

> How is software involved?

> What are the demands on safety related systems?

> What is the role of the OS?


Motivation


Complexity several years ago


Complexity now

> Modern premium car


> Six different computer networks

> More than 1,000 different messages

> 20-70 electronic control units (ECUs)

> 70-150 sensors

> 100 million lines of code (LoC)

source: www.embedded.com


European union product liability

> Product Liability Directive 85/374/EEC

> Since 1988

> Applies to products, does not apply to services

> The producers shall be liable for damage caused by a defect in their products

> Death, personal injury, property damage

> Factors taken into account

> Presentation of the product

> Reasonable use

> Time the product was put into circulation

> Producers may not limit their liability


Safety regulations, norms and standards

> Generic: IEC 61508

> Electric drives: IEC 61800

> Process industry: IEC 61511

> Nuclear power: IEC 61513

> Automotive: ISO/DIS 26262

> Safety of machines: EN/ISO 13849, EN/IEC 62061, EN/ISO 14121, EN/ISO 12100

> Medicine: IEC 60601, IEC 80001

> Aviation: RTCA DO-178B / EUROCAE ED-12B (software), RTCA DO-254 (hardware), CAP 670, EATMP ESARRs

> Railway: CENELEC EN 50126, CENELEC EN 50128, CENELEC EN 50129, CENELEC EN 50159

> Military: MIL STD 882D, Def Stan 00-56

Costs of accidents

> Enschede fireworks disaster (2000): 23 people killed, 947 injured; damage €450 million

> “Elchtest” Mercedes A-Class (1997): €150 million

> Toyota recall (2010): 35 people killed; $1.1 billion

> Deepwater Horizon (2010): 11 people killed; $0.5 billion + $6 million/day

pictures: Wikipedia, Süddeutsche, dpa

source: Hollnagel 2006, IHSK 2005, RRC AG, Bloomberg, BusinessWeek, The Wall Street Journal


Society

> Absolute safety (zero risk) cannot be achieved

> Level of safety

> In a given context

> With reference to an acceptable risk

> Based on current values of society

> The values of society are reflected in

> Laws and directives

> Norms and standards

> Public opinion


Safety definition of the SCCV

The goal of system safety is the safe functioning of a system in its environment. Mature processes are the basic prerequisite for reaching this goal. The risk of hazards must be kept preventively at an acceptable level, so that neither people, other living beings, the environment, nor the system itself or other systems come to harm.


Safety and security

Safety

> Safety: the system does not cause harm (to health, equipment, the environment)

> Security: the system is protected against attacks directed at it


Safety vs. security

> A security issue may collaterally become a safety issue …

> … security needs to be considered for safety


Safety and reliability

> Reliability - the system operates as expected


Reliability of the safety functions

> The safety functions perform as expected

> Safety Integrity Level - measure for reliability of safety functions


Example Escalator


System and system context


Failure chain within a system

> Fault

> Cause of an error

> Error

> System state, or part of the system state, that may lead to a failure

> Failure

> Deviation from the correct function

> Failure mode is the way something fails

> Failure chain: Fault → Error → Failure


Failure propagation

(diagram: nested System, Sub-System and Sub-Sub-System boxes; the labels show a failure of the sub-sub-system becoming a fault of the sub-system, and a failure of the sub-system becoming a fault of the system)

Hazard

> A situation, state or condition that can lead to an accident

> Hazards are described at the system boundary

> It’s important to identify the system boundary

> Every dangerous failure is a hazard

> Once the hazard has occurred

> The system in question cannot stop the accidental sequence

> Mitigation may still be possible by other systems or measures


Causal factor

> Factors that may contribute to hazards are called causal factors

> Causal: expressing a cause or reason

> Factors: circumstances, conditions, etc. that produce a result

> It’s important to distinguish causal factors from hazards


Two types of hazards

> Internally caused hazard

> Internal, endogenous

> Causal factors in the system

> Behavior

> Properties

> Externally caused hazard

> External, environmental, exogenous

> Causal factors outside the system

> e.g. misjudged system environment

(diagram: two System boxes; for the internally caused hazard the hazard marker sits inside the system boundary, for the externally caused hazard it sits outside)


Accident

> Unintended event or sequence of events

> Results in loss

> Death

> Injury

> Environmental damage

> Financial loss


Internally caused hazard to accident

(diagram: causal factors inside the system lead via fault, error and failure to a hazard at the system boundary and on to an accident of a given severity)


Externally caused hazard to accident

(diagram: the same chain of fault, error and failure inside the system, but with the causal factors and the hazard marker outside the system boundary, again ending in an accident of a given severity)

From causal factor to accident

(diagram: inside the system, causal factors lead to failures 1..n of its functions (Function 1 up to All Functions); at the system boundary these become hazards 1..m; each hazard is mapped onto the set of all possible accidents, and the worst-case severity is assigned)

Safety related system


Safety related system

> Properties of a safety related system

> Failure can cause an accident

> Provides safety functions

> Safety related software

> Part of a safety related system

> Software used for safety related system development

> Tools


Strategies for achieving functional safety

> Robust system

> System where a fault automatically leads to a safe state (safe fault)

> Detect fault, change to a safe state and maintain it

> Detect fault and warn user

> Provide redundancy
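The fault, error and failure chain described under "Failure chain within a system" and the strategies listed above, carried through in code as an added example that is not part of the slides: a hypothetical heater ECU (the name, the thresholds and every sensor value are my own constructions) reads three redundant temperature sensors through a 2-out-of-3 voter. One stuck sensor is a fault that the redundancy masks, so no error reaches the output; when a second sensor disagrees the error can no longer be masked, so the controller detects it, switches the heater off and latches the safe state instead of letting the fault propagate into a failure of the limiting function.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not from the slides: a hypothetical heater ECU whose
 * over-temperature limiter reads three redundant sensors. All sensor
 * values below are constructed for the demonstration. */

#define TOLERANCE_C  2        /* max disagreement between two healthy sensors */
#define LIMIT_C      90       /* heater must be off at or above this reading */
#define INVALID_C    (-1000)  /* sentinel: no two sensors agree */

typedef enum { STATE_RUN, STATE_SAFE } sys_state_t;

typedef struct {
    sys_state_t state;   /* STATE_SAFE is latched until a maintenance reset */
    bool heater_on;      /* actuator command */
} controller_t;

static int abs_diff(int a, int b) { return abs(a - b); }

/* 2-out-of-3 vote (redundancy). A single wrong reading, the fault, is
 * masked because two healthy sensors still agree. If no pair agrees the
 * error cannot be masked and INVALID_C is returned. */
int vote_2oo3(int s0, int s1, int s2)
{
    if (abs_diff(s0, s1) <= TOLERANCE_C) return (s0 + s1) / 2;
    if (abs_diff(s0, s2) <= TOLERANCE_C) return (s0 + s2) / 2;
    if (abs_diff(s1, s2) <= TOLERANCE_C) return (s1 + s2) / 2;
    return INVALID_C;
}

void controller_init(controller_t *c)
{
    c->state = STATE_RUN;
    c->heater_on = false;
}

/* One control cycle: detect the fault, change to the safe state (heater
 * off) and maintain it. Returns the heater command for this cycle. */
bool controller_step(controller_t *c, int s0, int s1, int s2)
{
    if (c->state == STATE_SAFE) {        /* maintain the safe state */
        c->heater_on = false;
        return false;
    }
    int t = vote_2oo3(s0, s1, s2);
    if (t == INVALID_C) {                /* unmaskable error -> go safe */
        c->state = STATE_SAFE;
        c->heater_on = false;
        return false;
    }
    c->heater_on = (t < LIMIT_C);        /* normal limiter function */
    return c->heater_on;
}

/* Constructed sensor trace: sensor 2 sticks at 200 C from cycle 1 on,
 * sensor 1 drifts away from sensor 0 in cycle 3. */
static const int trace[][3] = {
    {60, 61, 60},    /* cycle 0: all healthy, heater on */
    {60, 61, 200},   /* cycle 1: sensor 2 stuck, masked by 2oo3 */
    {95, 94, 200},   /* cycle 2: over limit, heater off, still RUN */
    {60, 75, 200},   /* cycle 3: no pair agrees -> SAFE */
    {60, 60, 60},    /* cycle 4: readings look fine, but SAFE is latched */
};
#define TRACE_LEN ((int)(sizeof trace / sizeof trace[0]))

/* Runs the trace and returns the cycle in which the controller entered
 * the safe state, or -1 if it never did. */
int run_trace(void)
{
    controller_t c;
    controller_init(&c);
    int entered_safe = -1;
    for (int i = 0; i < TRACE_LEN; i++) {
        bool on = controller_step(&c, trace[i][0], trace[i][1], trace[i][2]);
        if (c.state == STATE_SAFE && entered_safe < 0) entered_safe = i;
        printf("cycle %d: sensors %d/%d/%d -> heater %s, state %s\n", i,
               trace[i][0], trace[i][1], trace[i][2], on ? "on" : "off",
               c.state == STATE_SAFE ? "SAFE" : "RUN");
    }
    return entered_safe;
}

int main(void)
{
    return run_trace() == 3 ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall limiter.c` and run it to see the per-cycle trace. Two design points matter for safety: the safe state is latched, so a later plausible-looking reading (cycle 4) must not silently re-enable the heater, and the voter tolerance and the temperature limit are themselves safety requirements that have to come out of the hazard analysis rather than being picked in code.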


Safety related software development

> Avoid systematic failures

> Requirements

> Safety requirements

> Interfaces

> Software development process

> Traceability

> Hardware, software, system integration

> Verification and validation

> Problem tracking, change management

> Conformance with respect to safety standards

> Safety case


Safety and operating systems

> OS manages the timing

> Real time behaviour

> OS manages resources

> RAM

> IO

> Communication

> …

> May provide separation of safety related and not safety related software


Conclusion

> Safety has become more important for electronic systems and software

> Safety is different from security

> Safety needs to be designed into the system

> Systematic failures need to be avoided during software development


Thank you for your attention!
http://images.thetruthaboutcars.com
