Functional safety, Part 3 of 7. IEC 61508: Systematic randomness or random systematicity?

A whole hub on Habr is devoted to security, and perhaps nobody really thinks about what exactly the notion of "security" contains, because everything seems clear: it means information security. However, there is another side to the word, safety, which concerns risks to human life and health and to the environment. Since information technologies are not dangerous in themselves, one usually speaks of the functional component, that is, of safety that depends on the correct functioning of a computer system. If information security became critical with the arrival of the Internet, functional safety was considered long before digital control appeared, because accidents have always happened.
This article continues a series of publications on functional safety.
Describing the rather complicated terminological casuistry took an entire article, and now it is time to understand the structure of the requirements of IEC 61508.
How to understand the structure of the requirements of IEC 61508?
So, let us take another look at the structure of, and the relationships between, all seven parts of IEC 61508 (this repeats the figure from part 2 of the series). What matters to us now is that the requirements proper are contained in the first three parts, while the remaining four parts are informative only.

Figure 1. Overall framework of the IEC 61508 series (IEC 61508, Figure 1)
Let us think about what basis we could use to analyze the requirements and sort them into pigeonholes. We need a classification (taxonomy), but where do we get one? First, we can look at the table of contents of the standard.
Indeed, parts IEC 61508-1, -2 and -3 share a common layout, because in all three:
- Section 5 sets out the documentation requirements;
- Section 6 sets out the requirements for the management of functional safety;
- Section 7 describes the structure of the life cycle;
- Section 8 sets out the requirements for functional safety assessment.
However, simply looking at the table of contents is not enough to systematize the requirements. It must be remembered that functional safety, and with it the safety integrity level that we need to achieve, depends on two types of failures:
1) random hardware failures, for which we can determine the probability of occurrence;
2) systematic failures caused by design errors.
To denote the ability to withstand the first and the second, special terms are introduced: Random Capability and Systematic Capability (resistance to random and to systematic failures). Regarding Random Capability, it is clear that the system must be protected against random failures (for example, by redundancy, by resistance to interference and other extreme influences, etc.). Systematic Capability depends both on how the development processes are implemented and on the failure protection mechanisms, and includes:
- Functional Safety Management;
- implementation of the Functional Safety Life Cycle;
- protection against systematic failures in the design of the system and hardware (Systematic Failures Avoidance);
- protection against systematic failures in the design of the software (Software Failures Avoidance).
In addition, a Functional Safety Assessment must be carried out to determine whether the products (hardware, software and documentation) and the product development processes comply with the above requirements.
This structure of functional safety requirements is shown in the figure below, and it is exactly this structure that is proposed for analyzing the requirements of the individual parts of IEC 61508. In the rest of the article, the contents of each part of IEC 61508 are briefly analyzed in turn, presented in the form of a Mind Map.

Figure 2. Structure of the requirements of IEC 61508
IEC 61508-1, General Requirements
The first part, IEC 61508-1, sets the tone for the entire standard. One difficulty in understanding it is that this part largely describes the level of the controlled object (the plant and its management), which is not very familiar to IT specialists. Here the scope is even wider than the level of the process control system, and much wider than the level of the controller and its software. What to do about it? Select only those requirements that relate directly to the system being developed or assessed.

Figure 3. Content of IEC 61508-1
Hereinafter, on the Mind Maps, sections and annexes are marked with labels that indicate which group of requirements a particular section or annex corresponds to. In addition, an "Important" branch has been created on each Mind Map, emphasizing important tables and figures that otherwise get "lost" in the text of the standard.
The documentation requirements (Section 5) are assigned to the Functional Safety Management group. IEC 61508-1 also contains Annex A on documentation, but in my opinion it is not particularly useful. The recommended documentation structure (based on certification experience) will be considered in subsequent publications. The structure of the documents largely determines the structure of the life cycle, and for us, as for all safety-related applications, it is V-shaped.
IEC 61508-2, System Requirements
The second part, IEC 61508-2, as its name implies, relates to the control system. As defined in the introductory publication on functional safety, we consider three types of control system architecture: Embedded Systems, PLC-based Industrial Control Systems and the Internet of Things Device Layer. It is important to note that, in addition to system requirements, IEC 61508-2 also defines requirements for the hardware component of systems. Sections 5, 6 and 8 contain only references to IEC 61508-1.

Figure 4. Content of IEC 61508-2
In IEC 61508-2 we find a number of important annexes that are normative, i.e. mandatory:
- Annex A proposes an approach to implementing self-diagnostics, as well as protection against systematic failures;
- in Annex B, the measures for protection against systematic failures are supplemented by requirements for applying them at the various stages of the system life cycle;
- Annex C shows how to calculate diagnostic coverage in order to achieve a given safety integrity level (SIL);
- Annex D contains requirements for the contents of the user manual, which, given the safety requirements, is called the Safety Manual;
- Annex E describes approaches to on-chip redundancy when control functions are implemented in integrated circuits;
- Annex F is formally informative, i.e. nominally optional, but de facto it must be taken into account if custom integrated circuits (ASIC) or programmable logic devices (FPGA and CPLD) are used in the system.
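As an added illustration (not code from the article or from the standard itself), here is what the Annex C calculation boils down to: a constructed FMEDA table of failure modes is sorted into safe/dangerous and detected/undetected, and from the four sums one obtains diagnostic coverage and safe failure fraction, the two figures IEC 61508-2 uses in its architectural constraints. The failure modes, their rates and the unit handling are my assumptions.

```python
from dataclasses import dataclass

FIT_PER_HOUR = 1e-9  # 1 FIT = one failure per 1e9 device-hours


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEDA table for a hardware element (constructed here)."""
    name: str
    rate_fit: float   # failure rate of this mode, in FIT
    safe: bool        # True: the mode drives the output to the safe state
    detected: bool    # True: an on-line diagnostic reveals the mode


def classify(modes):
    """Sum the rates into the four Annex C categories: SD, SU, DD, DU (in FIT)."""
    totals = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    for m in modes:
        key = ("S" if m.safe else "D") + ("D" if m.detected else "U")
        totals[key] += m.rate_fit
    return totals


def diagnostic_coverage(t):
    """DC = lambda_DD / (lambda_DD + lambda_DU): share of dangerous failures caught."""
    dangerous = t["DD"] + t["DU"]
    return t["DD"] / dangerous if dangerous else 1.0


def safe_failure_fraction(t):
    """SFF = (lambda_S + lambda_DD) / lambda_total: share of failures not dangerous-undetected."""
    total = sum(t.values())
    return (t["SD"] + t["SU"] + t["DD"]) / total if total else 1.0


def dangerous_undetected_rate(t):
    """lambda_DU in failures per hour: the term that dominates PFH of a single channel."""
    return t["DU"] * FIT_PER_HOUR


# Constructed FMEDA rows for a hypothetical 1oo1 safety output channel
SAMPLE_MODES = [
    FailureMode("driver fails to de-energised state", 40, safe=True, detected=False),
    FailureMode("supply out of range, monitor trips", 10, safe=True, detected=True),
    FailureMode("output stuck energised, seen by read-back", 27, safe=False, detected=True),
    FailureMode("output stuck energised, read-back path dead", 3, safe=False, detected=False),
    FailureMode("corrupted command, rejected by CRC check", 20, safe=False, detected=True),
]

if __name__ == "__main__":
    t = classify(SAMPLE_MODES)
    print(t, f"DC={diagnostic_coverage(t):.2%}", f"SFF={safe_failure_fraction(t):.2%}")
```

The read-back failure mode that no diagnostic can see is the one that stays in lambda_DU, which is why a small undetected rate matters more than a large detected one.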
IEC 61508-3, Software Requirements
The third part, IEC 61508-3, defines the requirements for software, which can be either a component of the system or a separate object of assessment and certification.

Figure 5. Contents of IEC 61508-3
Sections 5, 6 and 8 again refer to IEC 61508-1, but with small additions that take the specifics of software into account.
Of the annexes, A and B are the important ones, containing the requirements for protection against software failures. Annex D contains the requirements for the Safety Manual as regards software.
IEC 61508-4, Terms and definitions
IEC 61508-4 contains a structured list of terms used, which is discussed in detail in part 2 of the publication.

Figure 6. Content of IEC 61508-4
IEC 61508-5, Recommendations on the application of methods for determining safety integrity levels
IEC 61508-5 provides fairly abstract examples of how to determine a safety integrity level (SIL). I would treat this part simply as illustrative material for study, all the more so because when we receive the input data for developing a system or software, the safety integrity level (SIL) is, as a rule, already specified there.

Figure 7. Content of IEC 61508-5
IEC 61508-6, Application Guidelines for IEC 61508-2 and IEC 61508-3
IEC 61508-6 loudly declares that it contains guidance on the application of parts 2 and 3 of IEC 61508, i.e. of the system, hardware and software requirements. In fact, Annex A contains a rather trivial description of the project stages (at the level of "develop requirements", "plan the work", etc.). What is really interesting are the detailed examples of calculating reliability and safety indicators (Annexes B, C and D), as well as an example of applying safety integrity methods to software (Annex E). The latter illustrates the application of Annexes A and B of IEC 61508-3.

Figure 8. Content of IEC 61508-6
IEC 61508-7, Methods and tools
IEC 61508-7 contains a list of methods for protection against random hardware failures and against systematic design errors (in the system, the hardware and the software). It seems the authors of the standard tried to publish everything they had ever heard of in the way of such methods. As a result, it contains many theoretical things that can hardly be applied effectively in practice. Nevertheless, applying the basic approaches to diagnostics, testing, project management organization, etc. is a mandatory normative requirement. Thus, the study of IEC 61508-7 should be based on IEC 61508-2 and IEC 61508-3, where the pragmatic approach to implementing protection against failures and errors is described.

Figure 9. Content of IEC 61508-7
Conclusions
Considering IEC 61508 through a classification and structuring of its requirements has made it possible to get our bearings in this serious document of seven parts and 700 pages.
The classification features of the requirements make it possible to single out the aspects of functional safety that the planned series of articles will need to cover for completeness, namely:
- Functional Safety Management and Functional Safety Assessment;
- implementation of the Functional Safety Life Cycle, including testing;
- assessment of the probability of random failures and protection against them (Random Capability) through the prism of reliability and safety theory;
- methods of protection against systematic failures in system and hardware design (Systematic Failures Avoidance) and in software design (Software Failures Avoidance).
PS. To explain the main aspects of functional safety, the following series of articles is being prepared:
- Introduction to the topic of functional safety;
- The IEC 61508 standard: terminology;
- The IEC 61508 standard: requirements structure;
- The relationship between information security and functional safety of industrial control systems;
- Processes of functional safety management and assessment;
- Life cycle of information security and functional safety;
- Reliability theory and functional safety: basic terms and indicators;
- Methods for ensuring functional safety.
Here you can watch video lectures on the topic of this publication.