[SystemSafety] SIL ratings to be scrapped?

Gerry R Creech grcreech at ra.rockwell.com
Thu Aug 22 16:53:07 CEST 2013


Bertrand,

I wasn't discussing it from a tolerable hazard rate point of view.

I was simply (although, I agree, maybe too simply) pointing out that a 
high demand system is a "demand mode" system where the hazard rate based 
on a PFD crosses the hazard rate defined by PFH, therefore PFH gets used, 
provided the system meets the high demand requirements.

The maximum demand rate is defined by the slowest diagnostic test interval 
that has been used in the analysis. On a low & high demand system the 
process safety time is often independent from the diagnostic test 
interval.

In a continuous system the minimum process safety time is defined by the 
maximum diagnostic time plus the time to achieve the safe state.

They both have their place: the demand system can make use of and take 
credit for diagnostics that would be too slow for continuous mode 
applications. Continuous mode systems can be used for applications where 
failure of the SIS will cause a hazard, which a demand system can't.

My personal belief is that it is important to choose the correct system to 
fit the application. 
If we lose the distinction between the different types of operation I 
believe that we are likely to complicate the requirements to make sure all 
aspects have been covered.

(OK, let's not get into the discussion on what happens once in the shutdown 
state just at the moment :-).
 
 
Best regards,
 
Gerry Creech
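The following is an added worked example; it is not text from Gerry Creech, Jens Braband or any other list member, and it is not wording from IEC 61508 or EN 50129. It puts numbers on two points made in this message and in the quoted replies below: that a demand-mode system becomes a "high demand" one where the PFD-based hazard rate (demand rate times PFDavg) crosses the PFH-based one, and that a hazard rate (THR, as Jens describes it) covers both PFD and PFH. The diagnostic-credit checks implement the two rules as stated in the thread (detection plus reaching the safe state within the process safety time for continuous mode; a test-rate to demand-rate ratio of at least 100 for demand modes). The single-channel model, the function names, and the sample failure rate and proof-test interval are my own assumptions, chosen for illustration.

```python
"""Added worked example (mine, not from the thread or from any standard's text).

Model assumptions:
  * one channel with dangerous undetected failure rate lambda_du [1/h];
  * a failure stays hidden until the next proof test, interval T [h],
    after which the channel is as new (repair time neglected);
  * demands form a Poisson process with rate lambda_d [1/h];
  * a hazard occurs when a demand arrives while the channel is failed;
  * lambda_du * T << 1, so PFDavg is taken as lambda_du * T / 2.
"""
import math

HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du, proof_test_interval):
    """Average probability of failure on demand (single channel, no diagnostics)."""
    return lambda_du * proof_test_interval / 2.0


def hazard_rate(lambda_du, lambda_d, proof_test_interval):
    """Rate of hazardous events [1/h] for the model above.

    A failure at a uniformly random point of the proof-test interval leaves
    t ~ U(0, T) hours until it is revealed; a demand meets it with probability
    1 - exp(-lambda_d * t).  Averaging over t gives
        lambda_du * (1 - (1 - exp(-lambda_d * T)) / (lambda_d * T)).
    """
    x = lambda_d * proof_test_interval
    if x == 0.0:
        return 0.0                                  # no demands, no hazard
    return lambda_du * (1.0 + math.expm1(-x) / x)   # expm1 avoids cancellation


def low_demand_estimate(lambda_du, lambda_d, proof_test_interval):
    """PFD-based hazard rate: demand rate times PFDavg (valid while lambda_d*T << 1)."""
    return lambda_d * pfd_avg(lambda_du, proof_test_interval)


def high_demand_estimate(lambda_du):
    """PFH-based hazard rate: every dangerous failure is met by a demand before
    the next proof test, so the hazard rate is the failure rate itself."""
    return lambda_du


def crossover_demand_rate(proof_test_interval):
    """Demand rate [1/h] at which the PFD-based estimate equals the PFH-based
    one: lambda_d * lambda_du * T / 2 == lambda_du, i.e. lambda_d == 2 / T."""
    return 2.0 / proof_test_interval


def operating_mode(demands_per_year, retains_safe_state=False):
    """Mode classification as quoted in the thread: low demand at most once a
    year, high demand above that, continuous when the function keeps the EUC
    in a safe state as part of normal operation."""
    if retains_safe_state:
        return "continuous"
    return "high demand" if demands_per_year > 1.0 else "low demand"


def diagnostic_credit_allowed(mode, diag_interval, time_to_safe_state,
                              process_safety_time, demands_per_year=None):
    """Whether a diagnostic with the given test interval may be credited.

    Continuous mode: detection plus reaching the safe state must fit inside
    the process safety time.  Demand modes: test rate / demand rate >= 100.
    Both rules are as stated in the thread.  All times are in hours.
    """
    if mode == "continuous":
        return diag_interval + time_to_safe_state < process_safety_time
    if demands_per_year is None or demands_per_year <= 0:
        return True   # assumption: with no demands, any test interval is fast enough
    test_rate = 1.0 / diag_interval                      # tests per hour
    demand_rate = demands_per_year / HOURS_PER_YEAR      # demands per hour
    return test_rate / demand_rate >= 100.0


def compare(lambda_du, demands_per_year, proof_test_interval):
    """Return the mode and the three hazard-rate figures [1/h] for one demand rate."""
    lambda_d = demands_per_year / HOURS_PER_YEAR
    return {
        "mode": operating_mode(demands_per_year),
        "exact": hazard_rate(lambda_du, lambda_d, proof_test_interval),
        "pfd_based": low_demand_estimate(lambda_du, lambda_d, proof_test_interval),
        "pfh_based": high_demand_estimate(lambda_du),
    }


if __name__ == "__main__":
    LAMBDA_DU = 1e-6      # constructed: one dangerous undetected failure per 1e6 h
    T = HOURS_PER_YEAR    # constructed: yearly proof test
    for dpy in (0.1, 1.0, 2.0, 10.0, 1000.0):
        r = compare(LAMBDA_DU, dpy, T)
        print(f"{dpy:8.1f}/yr {r['mode']:12s} exact={r['exact']:.3e} "
              f"pfd*demand={r['pfd_based']:.3e} pfh={r['pfh_based']:.3e}")
```

With a yearly proof test, the PFD-based figure tracks the exact hazard rate at 0.1 demands a year (within about 4 %), meets the PFH-based figure at 2 demands a year (the 2/T crossover), and overstates the exact rate by orders of magnitude at 1000 demands a year, where the exact rate has saturated at lambda_du. That saturation is why the same hardware is described by PFH once demands are frequent, and why a single hazard rate can sit above both measures.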




From:   "RICQUE Bertrand (SAGEM DEFENSE SECURITE)" 
<bertrand.ricque at sagem.com>
To:     System Safety List <systemsafety at techfak.uni-bielefeld.de>
Date:   22/08/2013 15:26
Subject:        Re: [SystemSafety] SIL ratings to be scrapped?
Sent by:        systemsafety-bounces at lists.techfak.uni-bielefeld.de



Well said, Jens, and things have not evolved that much. This is normal, as 
there are still industries that fiercely reject any approach to MTTH as 
the consequences might be disturbing in terms of the necessary engineering 
effort and of low results...
 
Bertrand RICQUE
Program Manager, Optronics and Defense Division
 
T +33 (0)1 58 11 96 82
M +33 (0)6 87 47 84 64
23 avenue Carnot 
91300 MASSY - FRANCE 
http://www.sagem-ds.com
 
 
 
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de [
mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of 
Braband, Jens
Sent: Thursday, August 22, 2013 3:55 PM
To: M Mencke; Gerry R Creech
Cc: System Safety List; 
systemsafety-bounces at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] SIL ratings to be scrapped?
 
This discussion on operation modes was led extensively in the 90s 
and early 00s. I was chairing the CENELEC WG at that time that rewrote 
annex A of EN 50129. I think the problem is oversimplified here. 
 
I would advise anyone really interested to go into the modeling details, 
e. g. as published by Prof. Sato in
 
Yoshimura, I., Sato, Y., Suyanma, K.: Safety Integrity Level Model for 
Safety-related Systems in Dynamic Demand State, Proceedings of the 2004 
Asian International Workshop on Advanced Reliability Modeling (AIWARM 
2004), Hiroshima, 577-584
 
We had a lot of discussions at that time, basically the same as in the 
90s, and I also wrote a paper for Safecomp with colleagues from TÜV 
 
Braband, J., vom Hövel, R. and Schäbe, H.: Probability of Failure on 
Demand - the Why and the How, in: Proc. SAFECOMP2009, Hamburg, 2009, 
46-54
 
This sums up many discussions we had in the 90s when writing EN 50129. 
These papers show that from a risk-based perspective PFH and PFD are 
indeed two sides of the same coin and not so different as suggested 
by IEC 61508. It also explains the reason why EN 50129 uses THR and NOT 
PFH. THR is an umbrella concept for both PFH and PFD and that is the main 
message.
 
Best regards
 
Jens Braband
 
PS I stated my personal technical opinion here, not necessarily that of my 
employer or any other organization.
 
Von: systemsafety-bounces at lists.techfak.uni-bielefeld.de [
mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] Im Auftrag von 
M Mencke
Gesendet: Donnerstag, 22. August 2013 15:22
An: Gerry R Creech
Cc: System Safety List; 
systemsafety-bounces at lists.techfak.uni-bielefeld.de
Betreff: Re: [SystemSafety] SIL ratings to be scrapped?
 
 
Yes. They are different. The objective of my previous email was to point 
out that the classification of operation modes for safety functions into 
different categories (one category containing "High demand" and 
"Continuous" and the other "Low demand") in some standards, and only 
referring to "Continuous" mode in others, could lead to confusion. In IEC 
61508-1, the PFH assigned for each SI level is the same for both "High 
demand" and "Continuous" mode, therefore grouping "High demand" and 
"Continuous" in the same category, at least as far as PFH is concerned.
As you just mentioned, "Continuous" mode and "High demand" mode are not 
the same. However, if you consider the text I extracted from the EN 50129 
standard (it is a direct quote from the standard), the second point 
states:
"All demand mode systems can be modelled as continuous mode systems".
This gives the (perhaps incorrect) impression that "High demand" and 
"Continuous" could be considered to be equivalent, that is, according to 
what is suggested by the standard. 
Why? Because a logical interpretation of the above sentence is that 
"Continuous" mode and "High demand" mode are in a single category, named 
by the standard as "Continuous". If you consider the definition of "High 
demand" mode and "Continuous" mode, for "High demand", the frequency of 
demands is greater than one per year, and for "Continuous", the safety 
function retains the EUC in a safe state as part of normal operation. This 
indicates to me that a "High demand" mode is a frequency of demand 
anywhere between greater than one per year and less than normal operation, 
a "Continuous" frequency being the limit of this interval. The frequency 
of "Low demand" can never be placed in this frequency range, as it is less 
than or equal to one per year.
 
prEN 50126-2:2012 (page 39, section 10.2) makes reference to "continuous 
mode models". However, in drafts 1 to 5 of this standard I cannot find any 
definition of "continuous", "high demand", or other. It seems that these 
drafts are now "In hands of WG 14". A suggestion may be to include a 
definition of what "continuous mode" includes, or to specify that the 
category "continuous" groups modes only in terms of the same PFH.
Regards.
 
 
 
2013/8/22 Gerry R Creech <grcreech at ra.rockwell.com>
Myriam, 

Isn't 'high demand' also a demand mode, that happens to use PFH and 
different from continuous mode? 

In continuous mode, we can only take credit for diagnostics that can 
detect a failure and carry out the specified action within the process 
safety time. 
In high demand mode, we can take credit for diagnostics where the ratio of 
the test rate to the demand rate equals or exceeds 100. 

  
  
Best regards, 
  
Gerry Creech 



From:        M Mencke <menckem at gmail.com> 
To:        Peter Bernard Ladkin <ladkin at rvs.uni-bielefeld.de> 
Cc:        System Safety List <systemsafety at techfak.uni-bielefeld.de> 
Date:        22/08/2013 11:10 
Subject:        Re: [SystemSafety] SIL ratings to be scrapped? 
Sent by:        systemsafety-bounces at lists.techfak.uni-bielefeld.de 

 

Regarding the high demand and low demand mode, it makes sense to apply 
these modes for some elements. However, in the railway standards, the 
concept of low demand is already not being considered. In EN 50129, the 
following is stated: 
"NOTE: In contrast to other standards the SIL table in this standard has 
only one column for frequencies (formerly called high demand or continuous 
mode) and does not have a column for failure probabilities on demand 
(formerly called demand mode). The reasons to restrict to one mode are 
  
· Less ambiguity in determination of SIL. 
  
· All demand mode systems can be modelled as continuous mode systems. 
  
· Continuous control and command signalling systems are clearly the 
majority in modern railway signalling applications. 
  
The SIL table has been constructed taking into account other relevant 
international standards." 
In my opinion, the existence of two different approaches to the 
application of the SIL concept, where one only considers high demand mode 
and the other considers both, contributes to the reasons why there are 
misunderstandings regarding the use of SIL. This is particularly true for 
engineers new to the industry or potential customers who consult the 
standard relevant to their sector in order to try to gain an understanding 
of the SIL concept. 
Imagine a situation where a "newcomer" to the railway industry consults 
the railway standards for an overview of SILs, and their understanding of 
the SIL concept is gained based on the assumption that only one mode of 
operation is considered, the high demand mode. This engineer (or 
technician, manager, etc.) then decides that he would like to extend his 
knowledge and reads, for example, IEC 61508, where the "high demand" 
and "low demand" modes are introduced. This does not appear to aid the 
reader in providing a clear explanation of the application of the concept. 
Your response may be "well, in that case the reader should read the 
available literature", to gain an in-depth understanding. However, this 
may not always be possible, due to time constraints, etc., particularly in 
the case of a customer or a manager. 
Additionally, even though the standard argues that continuous demand 
systems are the majority in modern railway signalling applications, as 
Peter just mentioned, passenger emergency braking systems on trains are 
meant to be used only occasionally. Given that only high demand mode is 
considered in the railway standards, should the railway standard 
definition of "high demand" then be applied for this type of system, or is 
it required to refer "back" to IEC 61508?... 
Note: I write in Hiberno English. For example, words ending in the suffix 
"ing" preceded by "l" are spelled with a double "l" rather than a single 
"l", as in "signalling", "modelling". 
Regards, 
Myriam. 


2013/8/22 Peter Bernard Ladkin <ladkin at rvs.uni-bielefeld.de> 
To back up Martin's caveat with other reasons:

I would not argue for scrapping "low-demand" on the sole basis it is 
inappropriately applied - I think there need to be significantly more 
reasons than that.

Reactor SCRAM systems are only meant to be used occasionally. Similarly, 
passenger-emergency-braking systems on trains.

System functions which are invoked occasionally tend to not work when 
invoked. Emergency slides on commercial transport aircraft exits work as a 
rule-of-thumb about half the time, which is why the emergency-evacuation 
certification test is performed with only half the available exits.

So for such systems and functions there need to be defined proof tests and 
a defined interval for proof tests. And those intervals are dependent upon 
how often you think the demand for the function is likely to arise.

You don't have such things as proof tests or associated intervals for 
continuously-operating safety-relevant functions, such as fly-by-wire 
control systems or ETCS.

Now, I agree that such things as proof tests are not relevant for pure SW 
"elements" (to use the 61508 preferred terminology), but that SW mostly 
sits inside something which executes the function and for which proof 
tests are relevant. How are you going to deal with these differences 
appropriately if the standard scraps the distinction?

PBL 



On 8/22/13 9:30 AM, Jensen, Martin Faurschou Jensen wrote: 
I agree with the arguments below when it comes to systems, but we have to 
keep in mind that 61508 is also used for the development of single 
elements. For a sensor, designed and developed for use in a SIS, the 
demand mode makes sense, as this only needs to detect and report a 
situation, and does not need to contribute in maintaining the safe state 
afterwards. 

-----Original Message-----
......On Behalf Of ECHARTE MELLADO JAVIER 

Sent: 22. august 2013 09:20
To: Peter Bernard Ladkin; systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] SIL ratings to be scrapped?

I have discussed this matter several times. I think that low demand 
criteria should disappear because it is usually a fallacious argument. 

PBL 


Prof. Peter Bernard Ladkin, Faculty of Technology, University of 
Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de




_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE 
 
