[SystemSafety] SIL ratings to be scrapped?

M Mencke menckem at gmail.com
Thu Aug 22 16:31:16 CEST 2013


It may be slightly oversimplified. However, I must admit that after I
read EN 50129 some years ago it was not entirely clear to me that THR is an
umbrella concept for both PFH and PFD; rather, it gave me the impression
that THR is a concept which assumes that all operation modes are continuous
or high demand, and that their safety functions have a PFH (excluding the
notion of PFD). Though this may not be the case for everybody.

So the literature you suggest should be very useful for me, particularly
the explanation of why EN 50129 uses THR rather than PFH. Thanks and
regards, Myriam.


2013/8/22 Braband, Jens <jens.braband at siemens.com>

> This discussion on operation modes has been extensively led in the 90s
> and early 00s. I was chairing the CENELEC WG at that time that rewrote
> annex A of EN 50129. I think the problem is oversimplified here.
>
> I would advise anyone really interested to go into the modeling details,
> e. g. as published by Prof. Sato in
>
> Yoshimura, I., Sato, Y., Suyanma, K.: Safety Integrity Level Model for
> Safety-related Systems in Dynamic Demand State, Proceedings of the 2004
> Asian International Workshop on Advanced Reliability Modeling (AIWARM
> 2004), Hiroshima, 577–584
>
> We had a lot of discussions at this time, basically the same as in the
> 90s, and I also wrote a paper for Safecomp with colleagues from TÜV
>
> Braband, J., vom Hövel, R. and Schäbe, H.: Probability of Failure on
> Demand – the Why and the How, in: Proc. SAFECOMP2009, Hamburg, 2009,
> 46-54
>
> This sums up many discussions we had in the 90s when writing the EN 50129.
> These papers show that from a risk based perspective PFH and PFD are indeed
> two sides of the same coin and not so much different as suggested by IEC
> 61508. It explains also the reason why EN 50129 uses THR and NOT PFH. THR
> is an umbrella concept for both PFH and PFD and that is the main message.
>
> Best regards
>
> Jens Braband
>
> PS I stated my personal technical opinion here, not necessarily that of my
> employer or any other organization.
>
>
> From: systemsafety-bounces at lists.techfak.uni-bielefeld.de [mailto:
> systemsafety-bounces at lists.techfak.uni-bielefeld.de] On behalf of M
> Mencke
> Sent: Thursday, 22 August 2013 15:22
> To: Gerry R Creech
> Cc: System Safety List;
> systemsafety-bounces at lists.techfak.uni-bielefeld.de
> Subject: Re: [SystemSafety] SIL ratings to be scrapped?
>
>
> Yes. They are different. The objective of my previous email was to point
> out that the classification of operation modes for Safety functions into
> different categories (one category containing “High demand” and
> “Continuous” and the other “Low demand”) in some standards and only
> referring to “Continuous” mode in others could lead to confusion. In IEC
> 61508-1, the PFH assigned for each SI level is the same for both “High
> demand” and “Continuous” mode, therefore grouping “High demand” and
> “Continuous” in the same category, at least as far as PFH is concerned.
>
> As you just mentioned, “Continuous” mode and “High demand” mode are not
> the same. However, if you consider the text I extracted from the EN 50129
> standard (it is a direct quote from the standard), the second point states:
>
> “All demand mode systems can be modelled as continuous mode systems”.
>
> This gives the (perhaps incorrect) impression that “High demand” and
> “Continuous” could be considered to be equivalent, that is, according to
> what is suggested by the standard.
>
> Why? Because a logical interpretation of the above sentence is that
> “Continuous” mode and “High demand” mode are in a single category, named by
> the standard as “Continuous”. If you consider the definition of “High
> demand” mode and “Continuous” mode, for “High demand”, the frequency of
> demands is greater than one per year, and for Continuous, the safety
> function retains the EUC in a safe state as part of normal operation. This
> indicates to me that a “High demand” mode is a frequency of demand anywhere
> between greater than one per year and less than normal operation, a
> “Continuous” frequency being the limit of this interval. The frequency of
> “Low demand” can never be placed in this frequency range, as it is less
> than or equal to one per year.
>
> prEN 50126-2:2012 <http://www.cenelec.eu/dyn/www/f?p=104:110:2614904360520594::::FSP_ORG_ID,FSP_LANG_ID,FSP_PROJECT:,25,21753> (page 39, section 10.2) makes reference to “continuous mode models”.
> However, in drafts 1 – 5 of this standard I cannot find any definition of
> “continuous”, “high demand”, or other. It seems that these drafts are now
> in “In hands of WG 14”. It may be a suggestion to include a definition of
> what “continuous mode” includes, or specify that the category “continuous”
> groups modes only in terms of the same PFH.
>
> Regards.
>
>
> 2013/8/22 Gerry R Creech <grcreech at ra.rockwell.com>
>
> Myriam,
>
> Isn't 'high demand' also a demand mode, that happens to use PFH and
> different from continuous mode?
>
> In continuous mode, we can only take credit for diagnostics that can
> detect a failure and carry out the specified action within the process
> safety time.
> In high demand mode, we can take credit for diagnostics where the ratio of
> the test rate to the demand rate equals or exceeds 100.
>
>
>
> Best regards,
>
> Gerry Creech
>
>
>
> From:        M Mencke <menckem at gmail.com>
> To:        Peter Bernard Ladkin <ladkin at rvs.uni-bielefeld.de>
> Cc:        System Safety List <systemsafety at techfak.uni-bielefeld.de>
> Date:        22/08/2013 11:10
>
> Subject:        Re: [SystemSafety] SIL ratings to be scrapped?
>
> Sent by:        systemsafety-bounces at lists.techfak.uni-bielefeld.de
>  ------------------------------
>
>
>
> Regarding the high demand and low demand mode, it makes sense to apply
> these modes for some elements. However, in the railway standards, the
> concept of low demand is already not being considered. In EN 50129, the
> following is stated:
>
> “NOTE: In contrast to other standards the SIL table in this standard has
> only one column for frequencies (formerly called high demand or continuous
> mode) and does not have a column for failure probabilities on demand
> (formerly called demand mode). The reasons to restrict to one mode are
>
> · Less ambiguity in determination of SIL.
>
> · All demand mode systems can be modelled as continuous mode systems.
>
> · Continuous control and command signalling systems are clearly the
> majority in modern railway signalling applications.
>
> The SIL table has been constructed taking into account other relevant
> international standards.”
>
> In my opinion, the existence of two different approaches to the
> application of the SIL concept, where one only considers high demand mode
> and the other considers both, contributes to the reasons why there are
> misunderstandings regarding the use of SIL. This is particularly true for
> engineers new to the industry or potential customers who consult the
> standard relevant to their sector in order to try to gain an understanding
> of the SIL concept.
>
> Imagine a situation where a “newcomer” to the railway industry consults
> the railway standards for an overview of SILs, and their understanding of
> the SIL concept is gained based on the assumption that only one mode of
> operation is considered, the high demand mode. This engineer (or
> technician, manager, etc.) then decides that he would like to extend his
> knowledge and reads, for example, the IEC 61508 where the “high demand” and
> “low demand” modes are introduced. This does not appear to aid the reader
> in providing a clear explanation of the application of the concept. Your
> response may be “well, in that case the reader should read the available
> literature”, to gain an in-depth understanding. However, this may not
> always be possible, due to time constraints, etc., particularly in the case
> of a customer or a manager.
>
> Additionally, even though the standard argues that continuous demand systems
> are the majority in modern railway signalling applications, as Peter just
> mentioned, passenger emergency braking systems on trains are meant to be
> used only occasionally. Given that only high demand mode is considered in
> the railway standards, should the railway standard definition of “high
> demand” then be applied for this type of system, or is it required to refer
> “back” to IEC 61508?...
>
> Note: I write in Hiberno English. For example, words ending in the suffix
> “ing” preceded by “l” are spelled with a double “l” rather than a single
> "l", as in “signalling”, “modelling”.
>
> Regards,
> Myriam.
>
>
> 2013/8/22 Peter Bernard Ladkin <ladkin at rvs.uni-bielefeld.de>
> To back up Martin's caveat with other reasons:
>
> I would not argue for scrapping "low-demand" on the sole basis it is
> inappropriately applied - I think there need to be significantly more
> reasons than that.
>
> Reactor SCRAM systems are only meant to be used occasionally. Similarly,
> passenger-emergency-braking systems on trains.
>
> System functions which are invoked occasionally tend to not work when
> invoked. Emergency slides on commercial transport aircraft exits work as a
> rule-of-thumb about half the time, which is why the emergency-evacuation
> certification test is performed with only half the available exits.
>
> So for such systems and functions there need to be defined proof tests and
> a defined interval for proof tests. And those intervals are dependent upon
> how often you think the demand for the function is likely to arise.
>
> You don't have such things as proof tests or associated intervals for
> continuously-operating safety-relevant functions, such as fly-by-wire
> control systems or ETCS.
>
> Now, I agree that such things as proof tests are not relevant for pure SW
> "elements" (to use the 61508 preferred terminology), but that SW mostly
> sits inside something which executes the function and for which proof tests
> are relevant. How are you going to deal with these differences
> appropriately if the standard scraps the distinction?
>
> PBL
>
>
>
> On 8/22/13 9:30 AM, Jensen, Martin Faurschou Jensen wrote:
> I agree with the arguments below when it comes to systems, but we have to
> keep in mind that 61508 is also used for the development of single
> elements. For a sensor, designed and developed for use in a SIS, the demand
> mode makes sense, as this only needs to detect and report a situation, and
> does not need to contribute in maintaining the safe state afterwards.
>
> -----Original Message-----
> ......On Behalf Of ECHARTE MELLADO JAVIER
>
> Sent: 22. august 2013 09:20
> To: Peter Bernard Ladkin; systemsafety at lists.techfak.uni-bielefeld.de
> Subject: Re: [SystemSafety] SIL ratings to be scrapped?
>
> I have discussed this matter several times. I think that low demand
> criteria should disappear because it is usually a fallacious argument.
>
> PBL
>
>
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of
> Bielefeld, 33594 Bielefeld, Germany
> Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
>
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>
>
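As an added illustration of the points argued in the quoted thread (this code is not from any of the posters or from the standards), the following Python puts a demand-mode figure (PFD) and a continuous-mode figure (PFH) on the single hazard-rate scale that the THR view uses, alongside the mode thresholds Myriam quotes and Gerry Creech's 100:1 diagnostic rule. The SIL bands are the IEC 61508-1 target failure measure tables, which the thread refers to but does not reproduce; the "hazard rate = demand rate × PFD" reading and the 5e-3 / once-per-ten-years case are my own assumptions, constructed for the example.

```python
HOURS_PER_YEAR = 8760.0

# IEC 61508-1 target failure measures, [lower, upper) per SIL 1..4.
# PFH is per hour (high demand / continuous); PFD_avg is dimensionless (low demand).
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_for(value, bands):
    """Return the SIL whose band contains value, or None if it falls outside all bands."""
    for sil, (lo, hi) in bands.items():
        if lo <= value < hi:
            return sil
    return None


def demand_mode(demands_per_year, part_of_normal_operation=False):
    """IEC 61508 mode classification as paraphrased in the thread: continuous when the
    function keeps the EUC safe as part of normal operation, high demand when demands
    exceed one per year, low demand otherwise (one per year or fewer)."""
    if part_of_normal_operation:
        return "continuous"
    return "high demand" if demands_per_year > 1 else "low demand"


def diagnostic_credit_allowed(test_rate_per_hour, demand_rate_per_hour):
    """Gerry Creech's high-demand rule: credit diagnostics only when the test rate is
    at least 100 times the demand rate."""
    return test_rate_per_hour / demand_rate_per_hour >= 100


def hazard_rate_per_hour(pfd_avg, demands_per_year):
    """THR-style reading of a demand-mode function (assumption, not quoted in the thread):
    hazardous-event frequency = demand frequency x probability of failing that demand.
    A continuous-mode function already states its measure as a PFH on the same scale."""
    return pfd_avg * demands_per_year / HOURS_PER_YEAR


if __name__ == "__main__":
    # Constructed case: a trip function with PFD_avg = 5e-3 (SIL 2 band on the PFD
    # table) that is demanded once every ten years (0.1 demands per year).
    pfd, demands = 5e-3, 0.1
    print(demand_mode(demands))              # low demand
    print(sil_for(pfd, PFD_BANDS))           # 2
    hr = hazard_rate_per_hour(pfd, demands)
    # The same function, read as a hazard rate, lands in the SIL 3 PFH band:
    # the two tables are two views of one risk figure, not two different risks.
    print(f"{hr:.2e}/h -> PFH band SIL {sil_for(hr, PFH_BANDS)}")
```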