Safety of Computer Control Systems 1983 (Safecomp '83). Achieving Safe Real Time Computer Systems PDF

259 Pages·1983·28.29 MB·English

SAFETY OF COMPUTER CONTROL SYSTEMS 1983 (SAFECOMP '83)
Achieving Safe Real Time Computer Systems

Proceedings of the Third IFAC/IFIP Workshop, Cambridge, UK, 20-22 September 1983

Edited by J. A. BAYLIS, Technology, Planning & Research Division, Central Electricity Research Laboratories, Leatherhead, UK

Published for the INTERNATIONAL FEDERATION OF AUTOMATIC CONTROL by PERGAMON PRESS, Oxford · New York · Toronto · Sydney · Paris · Frankfurt

U.K.: Pergamon Press Ltd., Headington Hill Hall, Oxford OX3 0BW, England
U.S.A.: Pergamon Press Inc., Maxwell House, Fairview Park, Elmsford, New York 10523, U.S.A.
CANADA: Pergamon Press Canada Ltd., Suite 104, 150 Consumers Road, Willowdale, Ontario M2J 1P9, Canada
AUSTRALIA: Pergamon Press (Aust.) Pty. Ltd., P.O. Box 544, Potts Point, N.S.W. 2011, Australia
FRANCE: Pergamon Press SARL, 24 rue des Ecoles, 75240 Paris Cedex 05, France
FEDERAL REPUBLIC OF GERMANY: Pergamon Press GmbH, Hammerweg 6, D-6242 Kronberg-Taunus, Federal Republic of Germany

Copyright © 1983 IFAC, except where otherwise indicated. All Rights Reserved.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means: electronic, electrostatic, magnetic tape, mechanical, photocopying, recording or otherwise, without permission in writing from the copyright holders.

First edition 1983

British Library Cataloguing in Publication Data
IFAC/IFIP Workshop on Safety of Computer Control Systems (SAFECOMP '83) (3rd: 1983: Cambridge)
Safety of computer control systems 1983.
1. Automatic control — Data processing — Safety measures — Congresses
I. Title II. Baylis, J. A.
629.8'95'0298 TJ213
ISBN 0-08-030563-6
Library of Congress Catalog Card no: 83-13419

These proceedings were reproduced by means of the photo-offset process using the manuscripts supplied by the authors of the different papers. The manuscripts have been typed using different typewriters and typefaces. The lay-out, figures and tables of some papers did not agree completely with the standard requirements; consequently the reproduction does not display complete uniformity. To ensure rapid publication this discrepancy could not be changed; nor could the English be checked completely. Therefore, the readers are asked to excuse any deficiencies of this publication which may be due to the above mentioned reasons.

Printed in Great Britain by A. Wheaton & Co.
Ltd., Exeter

THIRD IFAC/IFIP WORKSHOP ON SAFETY OF COMPUTER CONTROL SYSTEMS (SAFECOMP '83)
Achieving Safe Real Time Computer Systems

Organized by The Institution of Electrical Engineers (IEE)

Sponsored by The International Federation of Automatic Control (IFAC) through
Technical Committee on Computers (COMPUT)
Technical Committee on Systems Engineering (SECOM)
Technical Committee on Applications (APCOM)

Co-sponsored by
The International Federation for Information Processing (IFIP)
European Workshop on Industrial Computer Systems (EWICS)
British Computer Society
National Centre of Systems Reliability (UK)

International Programme Committee
J. A. Baylis (U.K.) (Chairman)
T. Anderson (U.K.)
P. A. Bennett (U.K.)
S. Bologna (Italy)
D. R. Bristol (USA)
G. Dahll (Norway)
B. K. Daniels (U.K.)
W. Ehrenberger (Germany)
H. Frey (Switzerland)
R. Genser (Austria)
E. Johnson (U.K.)
J. M. Rata (France)
H. Ryland (U.K.)
M. G. Singh (U.K.)
B. J. Sterner (Sweden)
U. Voges (Germany)
R. W. Yunker (USA)

National Organizing Committee
B. K. Daniels (NCSR) (Chairman)
S. R. Nunns (BCS)
J. A. Baylis (IEE)
S. Randell (IEE)

PREFACE

Computers are now used very extensively in control and communications systems, and their advantages compared with previous technology are well known. However the versatility and greater capability of computers entails an increase in complexity. This is a source of difficulty when it is necessary to give assurance or prove that a computer system will be reliable. Applications where both reliability and safety are of high importance are the monitoring and control of high energy processes, of transportation systems and information systems. In all of these the malfunction of monitoring or control equipment can be a direct or indirect cause of danger. The aim of SAFECOMP is to report and discuss recent advances in the application of real-time computer systems to such safety related tasks.

The first SAFECOMP took place in Stuttgart, Germany, in 1979 and since then much has been learnt in software engineering, in hardware and in the management of the design process. This progress was reported and summarised in terms of best practices, outstanding problems and the directions for future research at the second SAFECOMP, held at Purdue University, West Lafayette, USA last year. The mainspring for SAFECOMP continues to be Technical Committee No. 7, "Safety and Security", of the European Workshop on Industrial Computer Systems (Purdue Europe), and its sister at Lafayette. TC 7 judged that a SAFECOMP in Europe in 1983 was warranted in order to carry the work forward. The "Call for Papers" confirmed the high level of interest and activity, and the papers selected for the Workshop come from 12 different countries and span applications in aerospace, electric power generation, maritime systems, mining and railways. Control and protection of nuclear reactors continue to be the application receiving most attention.

The papers cover the full range of topics associated with reliability and safety, as indicated in the titles of the sessions. They indicate the continuing difficulty in establishing metrics for software reliability, but on the other hand over half the papers refer to systems already installed. This growing body of practical experience is providing a firm basis for establishing design, development and testing guidance and methodologies. Moreover feedback on the reliability of installed systems is becoming available. Steady progress is being made in the development and application of specification languages, and in the design of fault tolerant systems with self-test and reconfiguration capability. The real-time problems of concurrency, particularly in distributed systems, of recovery time and of repair are also given due attention, and, though most of the papers are concerned with software, the importance of hardware reliability has not been neglected.

The programme committee are grateful for the support of the sponsoring organisations in encouraging interest in the event, and to the organising committee and the Institution of Electrical Engineers, UK, for undertaking the administration. It is hoped that progress in our field will continue to be presented and discussed at future SAFECOMPs.

John A. Baylis

Copyright © UKAEA 1983

SESSION 1 - SAFETY AND RELIABILITY ASSESSMENT

SAFETY INTEGRITY ASSESSMENT OF PROGRAMMABLE ELECTRONIC SYSTEMS

B. K. Daniels*, R. Bell** and R. I. Wright***
* National Centre of Systems Reliability, Wigshaw Lane, Culcheth, Warrington, UK
** Health & Safety Executive, Factory Inspectorate, Chapel Street, London, UK
*** Systems Reliability Service, Wigshaw Lane, Culcheth, Warrington, UK

Abstract. As Programmable Electronic Systems (PES's) are introduced into the industrial environment to control or monitor possibly hazardous processes, the question arises of whether the safety integrity of such systems is adequate for a particular application. The detailed operation of many of these systems is complex and is rarely fully understood by, or even made known to, the user. This leads to a certain amount of disquiet in some applications where a hazard is possible if the PES malfunctions in a particular way, perhaps by a particular failure mode or by aberrant behaviour. A natural reaction of the user is to ask whether a particular system will be as safe as the equivalent conventional control system with which he may be more familiar. Unfortunately there are many difficulties in applying the same safety assessment techniques to PES's as have been applied in the past to conventional systems.
This paper discusses these problems and outlines an assessment methodology which is being developed to enable the user or the Inspectorate to determine whether or not a PES installation is of a suitably high safety integrity for the application.

Keywords. Safety assessment, reliability theory, quality control, digital systems, computer applications, computer selection and evaluation, computer software.

INTRODUCTION

Techniques for the safety assessment of electronic systems in safety related applications are well developed and have been in use for many years. These methods are mainly concerned with how failures of the system hardware affect the safety of the system and with assessment of the hardware reliability. Generally there is an assumption that hardware failures are random, and also occur independently.

But the possibility of random hardware failures is only one consideration in the assessment of PES safety integrity. There is a large element of human activity in the design, operation and maintenance of a PES and these activities are, like all human activities, prone to error. These errors may manifest themselves as faults in the hardware or software design or even as faults in the specification of the PES functions. These faults may cause failure under some conditions of use or environment. Such failures are termed systematic failures and, although they also occur in hardwired systems, there random failures are normally the dominant cause of failure. Systematic failures are particularly important in PES's because of the complexity of the functions to be performed and their ability to be changed.

Reliability and safety integrity assessments are likely to be essential in many areas where the control system is PES based. Where there are safety implications in the event of PES failure, additional safety systems are sometimes incorporated. If these are based on non-PES technology then conventional reliability and safety integrity assessments can determine that the required level of reliability/safety integrity has been achieved. Increasingly in the future there will be economic pressures to use the PES for both production and safety purposes, and consequently there is a need to be able to assess the safety integrity of systems incorporating PES's. Such a design assessment methodology must apply to the PES hardware, PES software and any additional safety systems.

SAFETY INTEGRITY

What do we mean by Safety Integrity? In very general terms this is the continued operation of a system in all its possible states in such a way that the risk to the health, safety and welfare of employees, the system itself, any product being processed, and the environment is kept to an "acceptable level". The legal aspects are further discussed in Bell, Daniels and Wright (1983).

The assessment of Safety Integrity involves a number of important stages, which include:-
• The identification of potential hazards
• The evaluation of event sequences which can lead to a hazard
• Making allowance for any safety equipment which curtails an event sequence prior to the hazard, or mitigates the consequences of the hazardous event
• The recognition of system failure modes which form part of event sequences, or would prevent safety equipment carrying out its function.

In considering the role which a PES may play in any system, the assessor must identify the way in which a malfunction could contribute to an incident causing injury to people or damage to property on or off the site. The seriousness of the consequences of such an incident should also be ascertained in terms of the number of people affected and the likely extent of injury or damage to health, or the likely cost of damage to property.

There are several hazard analysis techniques, each with particular strengths and weaknesses and fields of application. There is no single "correct" approach to a particular problem and often a combination of methods is required. Suffice it to mention very briefly a number of the more widely used techniques.

Hazard and Operability Studies

The HAZOP analyst studies the instrumented flow diagram, sometimes called the Piping & Instrument (P&I) line diagram, of a process plant and considers the effect on the plant of deviations in the normal parameters of the substances contained by every pipe and vessel. As an aid to thoroughness, the analyst uses "guide words" to ensure that every possible deviation is considered. Typical words include:-
• MORE OF · FASTER
• LESS OF · SLOWER
The effect of each of these deviations is considered in each phase of operation including maintenance, commissioning, testing, start up, shutdown and failure of services. The technique is described by Robinson (1978).

HAZOP studies are useful in plants with the potential for a serious accident but which are too complex for possible accident causes to be identified with any degree of certainty by any means other than a systematic search. They can however be time consuming and costly to carry out.

HAZOP studies could be particularly relevant to PES safety integrity assessment since PES's are commonly used for the control of parameters in large and complex chemical plants and many of the parameter deviations considered in the HAZOP study could be a direct result of a PES failure.

Failure Mode and Effect Analysis

FMEA is a systematic examination of the system to determine the effect on the plant of each mode of failure of each part of the system. The reasoning used is "bottom up" or inductive. The analyst asks the question "What happens if this component fails in this particular failure mode?" In general, it can be applied at any level of breakdown of the system, e.g., sub-system, module or component level, according to the level of risk, resources available or the level of detail required. When applied to PES's it is usually convenient to perform an FMEA at the functional block level by considering the effects of each mode of failure of:-
• Plant sensors
• Plant actuators
• Operator interface devices
• I/O modules
• Communications interfaces
• Busses.

It is possible to consider failure modes of an item taking a "hardware" or a "functional" approach. There are some particular problems in the FMEA of PES's, viz:-
• The analyst must have a complete knowledge of the requirements specification and the software of the PES.
• The effects of the failure may be different in different phases or modes of PES operation. A "phased mission" FMEA may be required.
• The effect of the failure may be different depending on the point in the program execution reached when the failure occurs. For instance, a data validity check may be carried out at the start of a control sequence but not during the sequence. Therefore failures occurring before the validity check may be safe but failures occurring after it may be dangerous.

Provided these factors are recognised, FMEA can be applied successfully to the plant sensors, actuators, interfaces etc. This "hardware approach" is difficult to apply to the CPU of the PES, however, and a functional approach should be adopted to identify possible dangerous failure modes. The functions of the PES should be listed at the most appropriate level and the question asked "In what way can this function fail?" The effects of each mode of failure of each function are then assessed in the usual way.

The advantages of FMEA are that it can be used without first identifying the possible accidents and can therefore help in revealing unforeseen hazards. FMEA is good at identifying potentially hazardous single failures, but normally does not consider multiple failures and, since all failures including non-hazardous failures are considered, it can be time consuming and expensive.

Techniques for performing an FMEA are described in Henley and Kumamoto (1981) and MIL-STD-1629A.

Failure Mode, Effect and Criticality Analysis

This is an extension of FMEA which categorises each component failure according to the seriousness of its effect and its probability or frequency of occurrence. It is of use when several levels of hazard are possible, in determining the most critical components and where reliability engineering resources should be allocated to greatest effect.

Event Trees

Event tree analysis is useful in representing and evaluating the possible sequences of events following from a failure in a critical part of the system. It is only practicable to apply the technique to failures which are known to be potentially hazardous. The technique uses the same bottom up reasoning as FMEA in that the assessor asks the question "What happens if this component fails?" However, an event tree can represent multiple and cascade failures and so is useful when there are several lines of defence between the initiating failure and the final accident. It is also possible to introduce a time dimension into an event tree and so to represent the effects of different system response times.

Fault Tree Analysis

FTA can be used when a particular accident or undesirable event has been identified and it is necessary to determine the combinations of failures and operating circumstances which could cause that accident. The method uses top down or deductive reasoning. Starting with the accident or "top event" the analyst asks the question "What failure or event, or combination of failures and events, would cause the top event?"

The completed fault tree is a logical representation of all the combinations of basic events which cause the top event. Each basic event is a Boolean variable and the logic for the top event can be written as a Boolean expression and may be manipulated and perhaps simplified by the laws of Boolean algebra. By such manipulation or by inspection, those combinations of basic events which cause the top event and which include a failure mode of the PES can be identified.

FTA is a well accepted technique. It is good at identifying and representing combinations of events contributing to an accident. Its main disadvantages are that fault trees can become very large and difficult to relate to the plant and its operation, and they can be difficult to quantify. Their accuracy relies on the ability of the analyst to deduce what can cause an event.

Further description of FTA techniques can be found in Henley and Kumamoto (1981) and Fussel (1976).

Failure Logic Diagrams

Failure logic diagrams can be used to show how combinations of events lead to a top event. They may have an identical form to a fault tree but they are not produced by the disciplined top down reasoning of FTA. They are constructed using a combination of top down and bottom up reasoning and are often more compact than the equivalent fault tree since logical simplifications can be made in their construction. They do not however represent an analysis procedure as rigorous as FTA or FMEA.

HAZARD RATE QUANTIFICATION

The most widely used measure of safety integrity is the expected frequency with which a given accident will occur. This is often termed the hazard rate. A hazard arises from some initiating event occurring in a particular set of circumstances and the hazard rate is given by:

Hazard Rate, H = (Rate of initiating event) x (Probability of initiating event causing an accident)   (1)

The role of the PES in this equation varies according to whether it has a control or a protective function.

In some continuous control applications, failure of a PES may directly cause a hazard. An example might be the spurious or unexpected movement of a robot or other machine with unrestricted motion. Depending on the situation, this may be a hazard to plant or structures, a fire risk or a direct hazard to persons. Assuming that a person within the immediate vicinity of the robot either has no time to move, or that he will fail to diagnose robot failure, the hazard rate is given by:

H = (failure rate of PES causing spurious machine movement) x (probability of person being in field of movement)   (2)

PES's are also used in continuous monitoring functions and to initiate some safety function on detection of a potentially hazardous condition. A hazard arises if a demand for the protective action occurs and the PES fails to respond to the demand. In this case the hazard rate is:

H = (demand rate) x (probability of failure of PES on demand) x (probability of resulting event causing an accident)   (3)

As an example, consider the risk to people from an explosion in the reaction vessel of a chemical process which has a PES protective system. The hazard rate is given by:

H = (rate of dangerous plant condition arising) x (probability of failure of PES protection system) x (probability of injury from explosion)   (4)

In general, the probability of failure of a system is an increasing function of time. In order to limit the probability of failure, protective systems are usually given a periodic proof test to ensure that the system is working and to repair it if not. Under these conditions, it is possible to define an average probability of being in the failed state and so to obtain the mean probability of failure to operate on demand. This average is also termed the Fractional Dead Time and is equal to the Steady State Unavailability of the system.

ASSESSMENT METHODOLOGY DIRECTED TOWARDS PES

A PES may fail either because there is a random hardware failure which could have been predicted or because an error has been made in its design or construction. The error may result in failure under a particular combination of inputs, due to a particular environmental condition or due to some operator action. These latter types of failure are termed systematic failures. They occur in both PES's and hardwired systems but are particularly prevalent in PES's because of the large element of complex design unique to the application. By its very nature applications software is non-standard. In redundancy systems, systematic failures may be a cause of common cause failure (CCF) and may dominate the total system reliability.

It is assumed that there are four sources of system failures which could affect safety:-
(A) Errors or omissions in the system safety requirements specification.
(B) Random hardware failures.
(C) Systematic hardware failures.
(D) Software failures.

For a non-redundant system, the overall reliability may be represented by a reliability block diagram as in Fig. 1.

[Fig. 1: blocks A, B, C and D in series.]
Fig. 1 Reliability block diagram representing 4 failure causes for a non-redundant system

Since failure of the system occurs if any one or more of the series blocks fails, it is necessary that adequate reliability is demonstrated for each of these 4 aspects or, where the requirements for safety related applications have not been met, that adequate justification is given.

The reliability block diagram for a system with two identical redundant computers operating under identical conditions is shown in Fig. 2.

In this case, the system fails when both computers fail due to random hardware failure or due to a systematic failure. However, the system may also fail due to a single specification error (A), a single systematic failure affecting both computers (Common Cause Failure, C_CCF) or a single software failure (D). Clearly, as more redundancy is adopted to provide tolerance against random hardware failure, then other failure causes become more important.

[Fig. 2: blocks A, C_CCF and D in series with two parallel branches, one per computer, each containing blocks B and C.]
Fig. 2 Reliability block diagram for a system with dual redundancy

Therefore, it is necessary to assess not only hardware reliability with respect to random failures but also system reliability with respect to design errors. Quantified assessment techniques can be applied to some aspects of hardware but assessment of other aspects of PES reliability is mainly a qualitative process based on a study of the procedures used in specification, design, implementation and operation of the PES. The aim of qualitative assessment is to determine whether all reasonably practicable precautions have been taken in each of these activities to ensure safety. The full assessment methodology will be published later in 1983 to accompany a code of practice to be issued by the Health and Safety Executive. The next sections of the paper illustrate various aspects of the methodology and give examples of the checklists which are provided to assist the assessor to consider whether each item in the list is relevant to the particular PES, whether the item is satisfied and whether any omissions are justified by the user.

IS THE PES SAFETY REQUIREMENTS SPECIFICATION CORRECT AND COMPLETE?

If a system is to perform safety related tasks reliably, it must be designed to take the correct action in any set of circumstances which may arise. The safety related functions must be specified correctly and completely and the system must meet that functional specification. Since the specifications and test schedules for each aspect (hardware and software) and each phase of system design both originate from the system requirements specification, errors in specification may not be revealed until the operations phase. This could be hazardous in itself or may result in system modifications which degrade the overall integrity of the system. While this is true of both PES's and hardwired systems, the problem of specification is particularly severe for a PES since it may be required to perform many complex tasks and each application of a PES tends to have some unique features. Very often, insufficient effort is put into producing a system requirements specification and the result is a specification which is insufficiently detailed and ambiguous.

Although it may not be possible to check the correctness and completeness of the requirements specification against the operating characteristics of the plant, the assessor should ascertain whether certain general aspects have been covered satisfactorily. There are 5 sections to this checklist which cover
* Safety related functions
* Operator interface
* Plant interface
* Physical environment
* Maintenance and Modification.

In an earlier paper Bell, Daniels and Wright (1983) gave examples of the contents of the Safety Related Functions section of the checklist. Here examples are given in Table 1 from the Maintenance and Modification section.

TABLE 1 Section of Requirements Checklist

Maintenance & Modifications
(a) Has provision been made for plant safety during maintenance and modification of the PES?
(b) Has a means been defined for "by-passing" or "defeating" safety functions in a controlled way without the need for ad hoc fixes?
(c) Has a means been defined of ensuring the removal of by-passes after maintenance?
(d) Has provision been made for proof testing of safety functions with a minimum of physical operations?

HARDWARE RELIABILITY ASSESSMENT - RANDOM FAILURES

Techniques were surveyed earlier in the paper for identifying which failure modes of the PES could contribute to hazards. If the PES is used for the control of a hazardous process it may be that any failure of the PES will constitute a danger, whereas if the PES is used for automatic protection of a plant only certain failures ("failures-to-danger") may be of concern. In systems without redundancy, the total system reliability is a function of the reliability of each of the component parts, for which reliability data are often available.

If the reliability of the system with respect to particular system failure modes must be quantified, then, subject to the limitations mentioned earlier, a quantified FMEA may have to be carried out.
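Worked example (added to this page; it is not code from the Daniels, Bell and Wright paper): the Fig. 2 structure written as a fault tree, its minimal cut sets obtained by Boolean expansion and absorption as the Fault Tree Analysis section describes, the cut sets containing a PES failure mode picked out, and the protection-system hazard rate of equation (3) quantified with the Fractional Dead Time of proof-tested channels. The event labels, the extra non-PES actuator event VALVE, the failure rates, the proof-test interval, the demand rate and the accident probability are all constructed for illustration; the first-order (rare-event) cut-set sum is an assumption that holds only while every unavailability is small.

```python
"""Added worked example (not from the Daniels, Bell and Wright paper): minimal
cut sets of a small fault tree built from the paper's Fig. 2 structure, then
hazard-rate quantification with equation (3). All numbers are constructed."""
from __future__ import annotations

import math
from itertools import product

# Basic-event names are hypothetical labels chosen for this example.
# Fig. 2 of the paper: the protective PES fails if the single-point causes
# A (specification error), CCF (systematic failure common to both computers)
# or D (software failure) occur, or if BOTH redundant computers fail, each
# through random (B) or systematic (C) hardware failure.  A non-PES plant
# actuator, VALVE, is added in series so that the PES-related cut sets can be
# picked out of the full set, as the paper describes.
PES_TREE = ("OR", "A", "CCF", "D",
            ("AND", ("OR", "B1", "C1"), ("OR", "B2", "C2")))
PROTECTION_FAILS = ("OR", "VALVE", PES_TREE)
PES_EVENTS = {"A", "CCF", "D", "B1", "B2", "C1", "C2"}


def minimal_cut_sets(node) -> list[frozenset[str]]:
    """Expand a tree of ("OR", ...) / ("AND", ...) / "event" nodes into its
    minimal cut sets: the sum-of-products form of the top-event Boolean
    expression with absorption (X + X.Y = X) applied."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":
        candidates = [cs for sets in child_sets for cs in sets]
    elif gate == "AND":
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate {gate!r}")
    minimal: list[frozenset[str]] = []
    for cs in sorted(set(candidates), key=len):
        if not any(m <= cs for m in minimal):   # absorbed by a smaller cut set
            minimal.append(cs)
    return minimal


def cut_sets_involving(cut_sets, events) -> list[frozenset[str]]:
    """Cut sets that include at least one failure mode of the PES."""
    return [cs for cs in cut_sets if cs & events]


def fractional_dead_time(dangerous_failure_rate: float, proof_test_interval: float) -> float:
    """Mean probability of a proof-tested channel being in the failed state
    (the paper's Fractional Dead Time = steady-state unavailability), for an
    exponential failure law with perfect periodic tests.  Tends to
    lambda*T/2 when lambda*T << 1."""
    x = dangerous_failure_rate * proof_test_interval
    return 1.0 - (1.0 - math.exp(-x)) / x if x > 0 else 0.0


def probability_of_failure_on_demand(cut_sets, q: dict[str, float]) -> float:
    """Rare-event approximation: sum over minimal cut sets of the product of
    the basic-event unavailabilities q.  Valid while every q is small."""
    return sum(math.prod(q[e] for e in cs) for cs in cut_sets)


def hazard_rate(demand_rate: float, pfd: float, p_accident: float) -> float:
    """Equation (3): H = (demand rate) x (PFD) x (P(resulting event causes an accident))."""
    return demand_rate * pfd * p_accident


def fig2_protection_example() -> dict[str, float]:
    """Quantify the constructed protection system.  Rates are per hour for the
    hardware channels (one-year proof test) and per year for demands."""
    lam_d, t_proof = 1e-5, 8760.0          # dangerous failure rate (/h), proof-test interval (h)
    q = {
        "B1": fractional_dead_time(lam_d, t_proof),
        "B2": fractional_dead_time(lam_d, t_proof),
        "C1": 1e-3, "C2": 1e-3,           # systematic hardware failure per channel
        "CCF": 1e-3,                      # systematic failure affecting both channels
        "A": 1e-3, "D": 2e-3,             # specification error, software failure
        "VALVE": 2e-3,                    # plant actuator fails to act on demand
    }
    cut_sets = minimal_cut_sets(PROTECTION_FAILS)
    pfd = probability_of_failure_on_demand(cut_sets, q)
    single_point = sum(q[next(iter(cs))] for cs in cut_sets if len(cs) == 1)
    return {
        "fdt_per_channel": q["B1"],
        "pfd": pfd,
        "pfd_single_point": single_point,        # A, CCF, D, VALVE: untouched by redundancy
        "pfd_dual_channel": pfd - single_point,  # the part that redundancy does reduce
        "hazard_rate_per_year": hazard_rate(0.5, pfd, 0.1),  # 0.5 demands/yr, P(accident)=0.1
    }


if __name__ == "__main__":
    for cs in minimal_cut_sets(PROTECTION_FAILS):
        print(sorted(cs), "PES" if cs & PES_EVENTS else "plant")
    for key, value in fig2_protection_example().items():
        print(f"{key:>22}: {value:.3e}")
```

With the constructed figures the single-point causes (A, CCF, D and the actuator) contribute about three times as much to the probability of failure on demand as the dual-channel hardware cut sets do, which is the paper's point that adding redundancy against random hardware failure makes the specification, common cause and software causes the ones that dominate. Reading the cut-set list also shows the assessor which combinations include a PES failure mode and which are purely plant-side.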
