IEC 61508 is the general standard on the functional safety of electrical / electronic / programmable electronic (E / E / PE) systems. From this general standard, the sector standards for some of the main application areas, such as the process industry, public transport, machinery and nuclear power plants, have been derived.
HINTSW - T & T Systems can support its customers, for any SIL level, in defining the most suitable hardware architectures to comply with the IEC 61508 requirements on fault tolerance. It can design diagnostic tests that ensure the required diagnostic coverage, define the correct intervals for running those diagnostic tests, and define the frequency of the periodic test needed to detect the failures that the diagnostic tests do not reveal. HINTSW - T & T Systems can also carry out the analyses and calculations needed to determine the probability of failure of the subsystems, the percentage of dangerous failures (detected and undetected), and the susceptibility of the subsystems to common cause failure.
IEC 61508 defines stringent requirements for the fault tolerance of the hardware subsystems that perform safety functions; these requirements are set according to the safety integrity level required for each safety function and according to the type of subsystem.
The standard identifies two different types of subsystem:
- Type A: these are the subsystems where:
- the failure mode of every single component of the subsystem is well defined; and
- it is possible to completely determine the behavior of the subsystem in the event of any fault; and
- taking into account past experience, sufficiently reliable failure data exist to support the declared failure rates for the detected and undetected dangerous failures of the subsystem.
- Type B: these are the subsystems where:
- the failure mode of at least one component of the subsystem is not well defined; or
- it is not possible to completely determine the behavior of the subsystem in the event of any fault; or
- taking into account past experience, there are no sufficiently reliable failure data to support the declared failure rates for the detected and undetected dangerous failures of the subsystem.
The fault tolerance that the standard requires for a given subsystem depends on the SIL level required for that subsystem, on the fraction of dangerous failures (the percentage of dangerous failures among all failures) that characterizes the subsystem, and on the type of subsystem, A or B. For example, a SIL 3 subsystem of type B with a fraction of dangerous failures greater than 40% requires a hardware fault tolerance of 2, i.e., the subsystem must continue to operate correctly even in the presence of two simultaneous failures.
IEC 61508 also sets out the rules for determining the maximum SIL level achieved by an E / E / PE system, taking into account the system architecture (the physical architecture of the subsystems) and the fault tolerance of each subsystem.
Finally, IEC 61508 defines the requirements for the interval between the diagnostic tests that identify detectable faults (the detectable fraction of the dangerous failures), both for subsystems with a hardware fault tolerance greater than zero and for those with a hardware fault tolerance equal to zero.