Category Archives: 61508

Why are you born? The meaning of a safety requirement's existence


If a requirement is regarded as a safety requirement, it means that failing to achieve it leads to a threat to safety.

The rationale should be recorded somewhere. I believe that system FTA or system FMEA are the proper means of showing why they were born.

After they are identified, safety engineers shall propose methods for handling them. Those proposals are called safety mechanisms in the ISO 26262 standard.

Sometimes engineers forget this simple principle, so requirements that are not safety related are mistaken for safety requirements.

Has every safety requirement had its birth registered? An unregistered one has the potential to threaten safety. Don't forget to register them; it is as natural as what happens in our society.


What does it mean to make plans in a project that requires functional safety?


I've seen many projects that were initiated without an in-depth plan. They acted as if they were ready. But they were not.

They almost always run into various kinds of trouble as time passes.

They tend to go out of control and fall behind schedule.

The people involved in the project fight each other over responsibility.

They realize that they should have done some activities several months ago.

They always regret it.

I hope that projects will begin only when the conditions are ready.

Otherwise the outcome is as easy to anticipate as what happens ten seconds after a person jumps forward off a bridge.

That is why I emphasize that process is very important.

To show that our safety engineering is good, compliance with the functional safety process is the baseline. It won't work without it.


ASIL decomposition


I read an interesting discussion about ASIL decomposition. The poster asked why, when ASIL C is decomposed, the pair ASIL B(C) + ASIL B(C) is missing.

ASIL decomposition – what about the "missing" ones?
[Picture 1. ASIL decomposition. Reference 1]

To explain this, let me refer to a paper, “Understanding the Use, Misuse and Abuse of Safety Integrity Levels”.

There is a move from the belief that a system can be either safe or unsafe, i.e. that safety is a binary attribute, to the acceptance that there is a continuum between absolute safety and certain catastrophe and that this continuum is a scale of risk.

In this sense, a SIL is the result of artificially partitioning that continuum between absolute safety and certain catastrophe into discrete bands.

[Picture 3. ALARP diagram. Reference 3]

Many standards adopt the SIL concept, and their SIL decomposition concepts are similar. So I'd like to explain with IEC 61508, the mother standard of functional safety, because it defines each SIL as a range of target failure measures, and that concept is what is needed for the explanation.

Table 1. Safety Integrity Levels specifying what has to be observed to achieve the safety certification of a system according to IEC 61508 or ISO 26262.
[Picture 2. Target level of safety for SILs. reference 2]

For a product at SIL 3, the average probability of dangerous failure on demand (PFDavg) shall be at least 1.0e-4 and below 1.0e-3 in low demand mode. (In high demand or continuous mode the measure is instead the probability of dangerous failure per hour, PFH, and the SIL 3 band is 1.0e-8 to 1.0e-7.)

If we assume that the product has two subsystems with no common cause or dependent failures between them, and that the safety function is lost only when both of them fail, then the failure measure of the whole is the product of the two subsystems' failure measures, and we can decompose the target level of safety into two pieces.

Decomposition

5.0E-4 = 5.0E-1 * 1.0E-3

SIL(5.0E-4) = SIL(5.0E-1) + SIL(1.0E-3)

SIL C = SIL A + SIL B

(The letters on the last line are used loosely, by analogy with ASIL decomposition. Note that 5.0E-1 lies outside every band in Table 1, so that piece carries no SIL claim of its own, while 1.0E-3 sits exactly at the boundary between SIL 3 and SIL 2.)

In this sense, the standards generalize this reasoning into their decomposition rules.

Then why doesn't ISO 26262 have a safety target concept? In fact it does, but not at the system level. Similar rules are defined in the proven-in-use part and the hardware component qualification part (ISO 26262-8) and in the hardware development part (ISO 26262-5), not in the system part or the software part, because there is no reliable reliability model for software, and a system consists of software.

So why is ASIL B(C) + ASIL B(C) missing from the decomposition of ASIL C? Because the composition of those decomposed levels would not equal the original one: under the independence assumption, two ASIL B pieces combine to something stronger than ASIL C requires, so the standard lists only the pairs that add up exactly to the original ASIL, namely ASIL C(C) + QM(C) and ASIL B(C) + ASIL A(C).
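The arithmetic of the decomposition above, and the reason the "missing" pair is missing, as an added Python example that is not part of the original post. It assumes low demand mode (so the measure is PFDavg and the bands are those of IEC 61508-1 Table 2), that the safety function is lost only when both subsystems fail, and, for the last case, a deliberately simplified beta-factor treatment of common cause failure; the function and variable names are the example's own.

```python
"""Added example (not from the original post): composing the target failure
measures of two subsystems and mapping the result back to an IEC 61508 SIL.

Assumptions of this example (not stated by the standard or the post):
  * low demand mode, so the measure is PFDavg and the bands are IEC 61508-1 Table 2;
  * the safety function is lost only when BOTH subsystems fail (1oo2-style);
  * the beta-factor treatment below is a deliberately simplified approximation.
"""
from typing import Optional

# IEC 61508-1 Table 2 (low demand mode): (SIL, lower bound incl., upper bound excl.)
SIL_BANDS_LOW_DEMAND = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def highest_sil_met(pfd: float) -> Optional[int]:
    """Highest SIL whose target this PFDavg satisfies, i.e. pfd < band upper bound.

    Returns None when pfd >= 1e-1: no SIL can be claimed at all.  Values below
    1e-5 still meet the SIL 4 target, so they report 4.
    """
    if pfd <= 0.0:
        raise ValueError("PFD must be a positive probability")
    for sil, _lo, hi in SIL_BANDS_LOW_DEMAND:  # most demanding band first
        if pfd < hi:
            return sil
    return None


def combined_pfd(p1: float, p2: float) -> float:
    """PFD of the function when both independent subsystems must fail.

    This is the post's independence assumption: no common cause and no
    dependent failures, so the probabilities simply multiply.
    """
    return p1 * p2


def combined_pfd_with_ccf(p: float, beta: float) -> float:
    """Simplified beta-factor model for two IDENTICAL subsystems of PFD p.

    A fraction beta of each subsystem's failure probability is attributed to a
    common cause that fails both at once; the remaining (1 - beta) fraction
    fails independently.  (Approximation chosen for this example; IEC 61508-6
    gives the full formulas.)
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    independent_both = ((1.0 - beta) * p) ** 2
    common_cause = beta * p
    return independent_both + common_cause


def decomposition_report(target: float, p1: float, p2: float) -> dict:
    """Check whether splitting `target` into pieces p1 and p2 is a valid
    decomposition under the independence assumption, and show the SIL of each."""
    composed = combined_pfd(p1, p2)
    target_sil = highest_sil_met(target)
    composed_sil = highest_sil_met(composed)
    return {
        "target_sil": target_sil,
        "piece_sils": (highest_sil_met(p1), highest_sil_met(p2)),
        "composed_pfd": composed,
        "composed_sil": composed_sil,
        # the composition must be at least as good as the target
        "meets_target": composed <= target,
        # landing in a higher band than needed is the "B(C) + B(C)" situation
        "overshoots": (target_sil is not None and composed_sil is not None
                       and composed_sil > target_sil),
    }


if __name__ == "__main__":
    # The post's own split of a SIL 3 target: 5.0E-4 = 5.0E-1 * 1.0E-3
    print(decomposition_report(5e-4, 5e-1, 1e-3))
    # The "missing" pair: two pieces at the 1.0E-3 level
    print(decomposition_report(5e-4, 1e-3, 1e-3))
    # The same two pieces once 10 % of their failures share a common cause
    p_ccf = combined_pfd_with_ccf(1e-3, beta=0.1)
    print(f"with beta=0.1: {p_ccf:.3e} -> SIL {highest_sil_met(p_ccf)}")
```

The first report reproduces the post's split: the 5.0E-1 piece meets no SIL band at all, the 1.0E-3 piece meets SIL 2, and their product lands exactly on the SIL 3 target. The second report shows why the B + B pair is absent: two 1.0E-3 pieces multiply to 1.0E-6, a SIL 4 figure, so the composition overshoots the original level. The third case is the practitioner's caveat: once even 10 % of the failures share a common cause, the common-cause term dominates and the same two pieces only reach SIL 3, which is why the independence assumption behind the product rule has to be justified, not assumed.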

Reference 1. LinkedIn community (ISO 26262 Functional Safety)
Reference 2. http://www.dataweek.co.za/43184n
Reference 3. https://www.graphicproducts.com/media/70398/alarp-floating.jpg