
<p>Fundamental Principles of Safety Relevant System Design</p>
<p>Gerhard H. Schildt, Senior Member of IEEE; Daniela Kahn. Institute of Computer-Aided Automation, Vienna University of Technology, Treitlstr. 1/183-1, A-1040 Wien, Austria</p>
<p>www.auto.tuwien.ac.at</p>
<p>( extended abstract )</p>
<p>Keywords. Fail-safe technique, safety relevant electronic system design, quiescent current principle, redundant system design, watchdog function, diversity, tolerance zone management, fail-safe comparator, safety relevant microcomputer system SIMIS.</p>
<p>Abstract. After an introduction to safety terms, fundamental principles for the design of safety relevant electronic systems are presented. These design principles comprise: fail-safe design, watchdog function, dynamization of signals, quiescent current principle, monitoring system, redundant system design, fail-safe comparator, integrated HW/SW systems, diversity, fail-safe tolerance zone management, and the safety relevant microcomputer system SIMIS. Implemented examples are presented for these principles.</p>
<p>Introduction</p>
<p>Safety-critical devices and control systems are employed in many application areas of vital importance, such as guideway transit systems ( railroad systems ), chemical plants, and nuclear power plants. In the past, safety proofs were often carried out by considering the reaction of a certain device in case of any failure, i.e. a “failure mode, effects and criticality analysis” ( FMECA ) was done /1/ ( schi93 ). For better understanding we introduce some terminology of safety engineering:</p>
<p>Safety: property of an item to cause no hazard under given conditions during a given time, i.e. avoidance of undue fail conditions. Undue fail conditions may be caused by technical system failures or by malfunctions of electronic devices, e.g. when disturbed by electromagnetic noise.</p>
<p>Hazard: state of a system that cannot be controlled by given means and may lead to damage to human health.</p>
<p>Safe system state: property of a system state to cause no hazard to people or material.</p>
<p>Safety-critical system: control system causing no hazard to people or material in case of environmental influence or system failure.</p>
<p>Fail-safe: technical failures within an item may lead to fail states of a safety-critical system, which, however, have to remain safe.</p>
<p>One has to distinguish between plant equipment items relevant to safety and components not important to safety. The former comprise:</p>
<ul>
<li>structures, systems, and components whose malfunction or failure could lead to undue exposure of the site personnel or the public;</li>
<li>structures, systems, and components which prevent anticipated operational events from leading to accident conditions; and …</li>
<li>features which are provided to mitigate the consequences of malfunctions or failures of structures, systems, or components.</li>
</ul>
<p>2. System design of safety relevant electronics</p>
<p>Fig. 1 shows a single-channel, fail-safe control system. A state graph demonstrates that, if any safety-critical failure or malfunction occurs, the system changes over to a so-called safe system state. The control system stays in that safe system state with a transition probability of p22 = 1. Thus, the control system can only return to the normal operational state through certain maintenance activities.</p>
<p>Figure 1: One-channel fail-safe control system</p>
<p>Since up to now no fail-safe single-channel computer is available, one has to select a configuration of at least two computers running in parallel. As shown in figure 2, in such a system configuration the results of both channels are fed into a fail-safe comparator, whose output enables a safe gate upon equivalence of the results, which have the form of command telegrams to be sent to the technical process.</p>
<p>Figure 2: Dual-channel control system with fail-safe comparator</p>
<p>(Description of a double-channel control system follows)</p>
<p>3. Implementation of design principles</p>
<p>3.1 Fail-safe comparator</p>
<p>At first we should have a look at the fail-safe principle.</p>
<p>Figure 3: Visualization of the fail-safe principle</p>
<p>Figure 4: Functionality of a comparator</p>
<p>Figure 5: Functionality of an antivalence device</p>
<p>Figure 6: Antivalence component processing antivalent signals</p>
<p>3.2 Diversity principle</p>
<p>Figure 7: Diverse system design</p>
<p>There are some typical disadvantages of diverse system design, such as …</p>
<ul>
<li>unplannable waiting times,</li>
<li>costs of implementation, and</li>
<li>the necessary tolerance zone management, as shown in figure 8.</li>
</ul>
<p>Figure 8: Tolerance zone management. Two results to be compared (a), tolerance zone (b)</p>
<p>3.3 Dynamization of signals</p>
<p>For safety-related electronics it is useful to dynamize certain signals, in accordance with the quiescent current principle. Figure 9 shows how to encode logical “0” and logical “1”.</p>
<p>Figure 9: Physical representation of log. ”0” and log. ”1”</p>
<p>Figure 10: A simple inverter (a) and its safety-related implementation (b)</p>
<p>3.4 Watchdog function</p>
<p>3.5 On-line test routine</p>
<p>There are two ways to realize a safe system design: either an inherently safe design of an electronic component, or realizing a safe system reaction by a certain test procedure. Often the task is to take over the information whether a contact is closed or open. Figure 11 shows a computerized test procedure to confirm proper operation of an input device.</p>
<p>Figure 11: Computerized on-line testing of an input device</p>
<p>3.6 Quiescent current principle</p>
<p>The quiescent current principle means that a physical value is kept on a higher energy level than necessary, so that in case of a failure the value of the physical variable drops. Thus, it is possible to detect that a failure has occurred.</p>
<p>3.7 Double-channel microcomputer system ( SIMIS )</p>
<p>Because up to now no single-channel fail-safe microcomputer is available, a double-channel system design with two microprocessors running in parallel was done. Fundamental safety principles like dynamization of signals, antivalent signal comparison, a safe gate, watchdog function, and clock-driven operation were implemented.</p>
<p>4. Comparison and evaluation of fundamental safety-critical system design principles</p>
<p>( text will follow )</p>
<p>Conclusions</p>
<p>( text will follow )</p>
<p>References:</p>
<p>/1/ Schildt, G. H., Kastner, W.: „Prozessautomatisierung“, Springer, Wien New York, ISBN 3-211-82999-7</p>
<p>/2/ Fricke</p>
<p>/3/</p>
<p>/4/</p>
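<p>The dual-channel arrangement of sections 2, 3.1, 3.2 and 3.3 (Fig. 1, 2 and 8), as an added executable model that is not part of the original abstract or of SIMIS: a comparator with a tolerance zone whose enable output is a dynamized (alternating) signal, a safe gate that treats a stuck-at level as "not enabled", and a safe state that is latched (p22 = 1) until maintenance clears it. The tolerance value, the 0/1 enable levels and all function names are assumptions for illustration.</p>

```c
#include <stdbool.h>
#include <stdint.h>

/* Added model (not SIMIS code) of Fig. 1, 2 and 8: fail-safe comparator with
 * tolerance zone, dynamized enable signal and latched safe state. */

typedef enum { STATE_NORMAL, STATE_SAFE } SysState;

typedef struct {
    SysState state;
    int32_t  tolerance;  /* half-width of the tolerance zone (Fig. 8b); units hypothetical */
    int      phase;      /* alternates 0/1 while both channels agree */
} Comparator;

void comparator_init(Comparator *c, int32_t tolerance) {
    c->state = STATE_NORMAL;
    c->tolerance = tolerance;
    c->phase = 0;
}

/* One comparison cycle over the two channel results. Returns the enable
 * level sent to the safe gate. In the normal state the level toggles every
 * cycle (dynamized signal). A disagreement outside the tolerance zone
 * latches the safe state; from then on the level is frozen at 0 and the
 * comparator never leaves the safe state on its own (p22 = 1). */
int comparator_step(Comparator *c, int32_t result_a, int32_t result_b) {
    if (c->state == STATE_SAFE)
        return 0;
    int64_t diff = (int64_t)result_a - (int64_t)result_b;
    if (diff < 0) diff = -diff;
    if (diff > c->tolerance) {
        c->state = STATE_SAFE;
        return 0;
    }
    c->phase ^= 1;
    return c->phase;
}

/* Safe gate: opens only on an alternating enable signal. Two equal
 * consecutive samples (a line stuck at either level, or the frozen safe
 * state) read as "not enabled", so a static fault cannot hold the gate open. */
bool safe_gate_open(int previous_level, int current_level) {
    return previous_level != current_level;
}

/* Maintenance activity: the only transition out of the safe state (Fig. 1). */
void comparator_maintenance_reset(Comparator *c) {
    c->state = STATE_NORMAL;
    c->phase = 0;
}
```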