
Fundamental Principles of Safety Relevant System Design

Gerhard H. Schildt (Senior Member of IEEE), Daniela Kahn
Institute of Computer-Aided Automation, Vienna University of Technology, Treitlstr. 1/183-1, A-1040 Wien, Austria

www.auto.tuwien.ac.at

( extended abstract )

Keywords. Fail-safe technique, safety relevant electronic system design, quiescent current principle, redundant system design, watch dog function, diversity, tolerance zone management, fail-safe comparator, safety relevant microcomputer system SIMIS.

Abstract. After an introduction to safety terms, fundamental principles for safety relevant system design for electronics are presented. These design principles comprise: fail-safe design, watch dog function, dynamization of signals, quiescent current principle, monitoring system, redundant system design, fail-safe comparator, integrated HW-/SW-systems, diversity, fail-safe tolerance zone management, safety relevant microcomputer system SIMIS. For these principles implemented examples are presented.

Introduction

Safety-critical devices and control systems are employed in many application areas of vital importance, such as guideway transit systems (railroad systems), chemical plants, and nuclear power plants. In the past, safety proofs were often carried out by considering the reaction of a certain device in case of any single failure. Thus, a “failure mode, effects and criticality analysis” (FMECA) was done /1/ (schi93). For better understanding we introduce some terminology of safety engineering:

Safety: property of an item to cause no hazard under given conditions during a given time; i.e., avoidance of undue fail conditions. Undue fail conditions may be caused by technical system failures or malfunctions of electronic devices, e.g. disturbed by electromagnetic noise.

Hazard: state of a system that cannot be controlled by given means, and may lead to damage to human health.

Safe system state: property of a system state to cause no hazards to people or material.

Safety-critical system: control system causing no hazard to people or material in case of environmental influence or system failure.

Fail-safe: technical failures within an item may lead to fail states of a safety-critical system (fail) which, however, have to remain safe.

One has to distinguish between plant equipment items relevant to safety, and components not important to safety. The former comprise:

- Structures, systems, and components whose malfunction or failure could lead to undue exposure of the site personnel or the public.

- Structures, systems, and components, which prevent anticipated operational events from leading to accident conditions and …

- Features, which are provided to mitigate the consequences of malfunctions or failures of structures, systems, or components.

2. System design of safety relevant electronics

Fig. 1 shows a single-channel, fail-safe control system. A state graph demonstrates that, if any safety-critical failure or malfunction occurs, the system changes over to a so-called safe system state. The control system stays in that safe system state with a transition probability of p22 = 1. Thus, the control system can only return to the normal operational state through certain maintenance activities.

Figure 1: One-channel fail-safe control system

Since up to now no fail-safe single-channel computer is available, one has to select a configuration of at least two computers running in parallel. As shown in figure 2, in such a system configuration the results of both channels are fed into a fail-safe comparator, whose output enables a safe gate upon equivalence of the results; the results have the form of command telegrams to be sent to the technical process.

Figure 2: dual-channel control system with fail-safe comparator

(Description of a double-channel control system follows)

3. Implementation of design principles

3.1 Fail-safe comparator

At first we should have a look at the fail-safe principle.

Figure 3: Visualization of fail-safe principle

Figure 4: Functionality of a comparator

Figure 5: Functionality of an antivalence device

Figure 6: Antivalence component processing antivalent signals

3.2 Diversity principle

Figure 7: Diverse system design

There are some typical disadvantages of diverse system design like …

- unplannable waiting times,
- costs of implementation, and
- necessary tolerance zone management as shown in figure 8.

Figure 8: Tolerance zone management. Two results to be compared (a), tolerance zone (b)
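As an added illustration (not code from the paper), the following model combines the dual-channel arrangement of figure 2 with the tolerance zone management of figure 8: two constructed, diverse channel implementations compute the same setpoint, a fail-safe comparator passes the telegram only when both results lie within the tolerance zone, and any discrepancy drives the system into the absorbing safe state (p22 = 1) that only a maintenance action can leave. Numeric telegrams and an absolute tolerance are assumptions of this model.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    NORMAL = "normal"
    SAFE = "safe"  # absorbing state (p22 = 1): left only by maintenance


@dataclass
class FailSafeComparator:
    """Two-channel comparator with tolerance zone and safe gate (assumed model)."""
    tolerance: float = 0.0            # width of the tolerance zone (0 = strict equivalence)
    state: State = State.NORMAL
    log: list = field(default_factory=list)

    def gate(self, telegram_a, telegram_b):
        """Forward the telegram if both channels agree; otherwise shut the gate."""
        if self.state is State.SAFE:
            self.log.append(("blocked", telegram_a, telegram_b))
            return None
        if telegram_a is None or telegram_b is None \
                or abs(telegram_a - telegram_b) > self.tolerance:
            self.state = State.SAFE          # NORMAL -> SAFE on any discrepancy
            self.log.append(("trip", telegram_a, telegram_b))
            return None
        self.log.append(("pass", telegram_a, telegram_b))
        return telegram_a                    # within tolerance of telegram_b

    def maintenance_reset(self):
        """Only an explicit maintenance action returns the system to NORMAL."""
        self.state = State.NORMAL


# Two diverse implementations of the same function (constructed): both compute
# a setpoint as the mean of sensor samples, but in different arithmetic order,
# so their floating-point results may differ by a few ulps. This is why a
# diverse design needs a tolerance zone instead of strict equivalence.
def channel_a(samples):
    return sum(samples) / len(samples)


def channel_b(samples):
    mean = 0.0
    for i, x in enumerate(samples, 1):
        mean += (x - mean) / i               # running mean
    return mean


def run_cycle(comparator, samples):
    """One control cycle: both channels compute, the comparator gates the result."""
    return comparator.gate(channel_a(samples), channel_b(samples))
```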

3.3 Dynamization of signals

For safety-related electronics it is useful to dynamize certain signals according to the quiescent current principle. Figure 9 shows how to encode logical “0” and logical “1”.

Figure 9: Physical representation of log. “0” and log. “1”

Figure 10: A simple inverter (a) and its safety-related implementation (b)

3.4 Watch dog function

3.5 On-line test routine

There are two ways to realize a safe system design: either an inherently safe design of an electronic component, or a safe system reaction obtained by a certain test procedure. Often the task is to acquire the information whether a contact is closed or open. Figure 11 shows a computerized test procedure to confirm proper operation of an input device.

Figure 11: Computerized on-line testing an input device

3.6 Quiescient current principle

The quiescent current principle means that a physical value is kept on a higher energy level than necessary, so that in case of failure the value of the physical variable drops down. Thus, it is possible to detect that a failure has occurred.
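The following added example (not from the paper) ties sections 3.3, 3.5 and 3.6 together: a logical “1” is carried as a pulse train and any static level decodes as “0”, and an on-line test drives that pulse train through a contact so that a stuck input can never be mistaken for a closed contact. The exact encoding of figure 9 and the test procedure of figure 11 are not reproduced on this page, so the pattern, the device model and the verdicts below are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed encoding (Fig. 9 is not reproduced here): a logical "1" is a pulse train
# that toggles within the sampling window; any static level, high or low, is read
# as logical "0". A stuck-at fault therefore never produces a "1", i.e. the failure
# drops to the safe side, as the quiescent current principle requires.
TEST_PATTERN = (1, 0, 1, 0, 1, 0)   # dynamic drive applied to the contact's feed line


def decode_dynamic(samples, min_edges=2):
    """Decode one sampled window: 1 only if the signal toggled, else 0."""
    edges = sum(1 for prev, cur in zip(samples, samples[1:]) if prev != cur)
    return 1 if edges >= min_edges else 0


@dataclass
class ContactInput:
    """Constructed model of an input device: a contact fed from a test line."""
    closed: bool
    stuck_at: Optional[int] = None   # None = healthy; 0 or 1 = input stuck at that level

    def read(self, drive_level):
        if self.stuck_at is not None:
            return self.stuck_at
        return drive_level if self.closed else 0


def online_test(device):
    """Computerized on-line test of an input device (assumed procedure, cf. Fig. 11).

    The computer drives TEST_PATTERN onto the feed line and samples the input.
    Returns "closed", "open" or "fault".
    """
    readings = [device.read(level) for level in TEST_PATTERN]
    if decode_dynamic(readings) == 0:
        # Static input: all-low is the quiescent (safe) reading of an open contact
        # or a broken line; a static high can only be a fault.
        return "open" if not any(readings) else "fault"
    # Dynamic input: it must reproduce the drive exactly to count as "closed".
    return "closed" if readings == list(TEST_PATTERN) else "fault"
```

A healthy closed contact reproduces the drive pattern, an open contact (or a line break) reads as the quiescent all-low level, and an input stuck at high is reported as a fault rather than as a closed contact.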

3.7 Double channel microcomputer system ( SIMIS )

Because up to now no single-channel fail-safe microcomputer is available, a double-channel system design with two microprocessors running in parallel was done. Fundamental safety principles like dynamization of signals, antivalent signal comparison, a safe gate, watch dog function, and clock-driven operation were implemented.

4. Comparison and evaluation of fundamental safety-critical system design principles

( text will follow )

Conclusions

( text will follow )

References:

/1/ Schildt,G. H., Kastner, W.: „Prozessautomatisierung“, published by Springer Wien New York, ISBN 3-211-82999-7

/2/ Fricke

/3/

/4/