Professional Documents
Culture Documents
Assuring Separation of Safety and Non-Safety Related Systems
Assuring Separation of Safety and Non-Safety Related Systems
Bruce Hunter
Thales Training & Simulation
Thales Services Division, Building 314, Garden Island, Sydney
Locked Bag 2700, Potts Point, NSW 2011, Australia
bruce.hunter@thalesgroup.com
Common System Hardware including network infrastructure 3.1.1 Key IEC 61508 extracts
IEC 61508 identifies qualitative requirements for
Figure 3 Distributed system acceptable boundaries independence of safety-related functions.
Common-cause failures and dependencies extending over • IEC 61508-2 clause 7.4.2.3 “Where an E/E/PE
the distributed communication networks must also be safety-related system is to implement both safety and
considered and the functional safety boundary set non-safety functions, then all the hardware and
accordingly. These may include: software shall be treated as safety-related unless it
can be shown that the implementation of the safety
• Global variables accessed by network
and non-safety functions is sufficiently independent
• Security attack and security blocking issues (i.e. that the failure of any non-safety-related
functions does not cause a dangerous failure of the
• Affects of network lock-up on functional safety safety-related functions). Wherever practicable, the
The separation requirements over the functional safety safety-related functions should be separated from the
boundary must take these failures into account. non-safety-related functions.”
NOTE 1 Sufficient independence of implementation
2.5 Setting boundaries in the safety lifecycle is established by showing that the probability of a
As part of the safety lifecycle, identification of Functional dependent failure between the non-safety and safety-
Safety Boundaries and Functional Safety Separation related parts is sufficiently low in comparison with
should be included in setting overall safety requirements the highest safety integrity level associated with the
and the allocation of these to systems and their safety functions involved.”
components. The following table identifies the lifecycle • IEC 61508-2 clause 7.4.2.5 “When independence
phases from IEC 61508, Functional safety of electrical/ between safety functions is required (see 7.4.2.3 and
electronic/ programmable electronic safety-related 7.4.2.4) then the following shall be documented
systems, where segmentation and separation of safety during the design:
should be undertaken.
a) the method of achieving independence;
IEC 61508 Safety Functional Safety Separation
Lifecycle Activities b) the justification of the method.”
Phase 4. Overall Safety Determine safety boundaries Although not quantified, this does support the use of
Requirements
safety boundary setting (in Section 2) and for identifying
Phase 5.Overall Safety Determine separation the level of separation (Section 3.2). However this does
Requirement Allocation requirements allow varying levels of rigour in establishing the required
Phase 9. System Safety Specify trans-boundary independence.
Requirements information allowed and
Specification prohibited IEC 61508-3 (Software Requirements) clause 7.4.2.7 has
requirements requiring: “Where the software is to
Phase 10. Safety-related Establishment of separation implement both safety and non-safety functions, then all
Systems Realisation measures
of the software shall be treated as safety-related, unless
Phase 13. Overall Safety Proof of separation of non-safety adequate independence between the functions can be
Validation systems or influences
demonstrated in the design.”
Phase 14. Overall Monitoring for compromised
Operation, Maintenance separation Clause 7.4.2.8 also requires “Where the software is to
and Repair implement safety functions of different safety integrity
levels, then all of the software shall be treated as
Phase 15. Overall Re-evaluating safety boundaries
Modification and Retrofit and separation belonging to the highest safety integrity level, unless
adequate independence between the safety functions of
Table 1: Lifecycle Consideration of Safety Boundaries the different safety integrity levels can be shown in the
and Separation design. The justification for independence shall be
documented.”
The concept of Safety Separation Levels could be the SSL Probability of propagating Probability of propagating
basis for demonstration of this “independence” for these dangerous failure for low dangerous failure for
clauses. demand mode (<1 per year) continuous/high-demand mode
-5 -4 -9 -8
Notes to clause 7.4.2.8, in the new committee draft, 4 =>10 to <10 =>10 to <10
expand the requirements that allow independence to be 3
-4
=>10 to <10
-3 -8
=>10 to <10
-7
Physical Fully integrated (e.g. TBD TBD In separate enclosures Fully separated (e.g.
single MCU) with special or housing, environment,
physical protection. power, access)
Control Many system-wide TBD TBD Few controls and all Few controls and all
controls without verified and verified and
limitation of their authenticated for authenticated for
impact dangerous impact. dangerous impact.
Setting a common process for this assessment would One often-identified risk of training simulators is
require considerable development and agreement before negative training indirectly leading to bad practices on the
inclusion in a standard could be contemplated but Table 4 real platform. To mitigate this risk, full-flight simulators
proposes a possible framework (albeit incomplete in this are accredited to standards prior to being placed into
paper) where assignment to SSL objectives may possible. service and training credits being claimed. Fidelity checks
Further work and substantiation would be required on the are based on many factors, including model checks with
assignment of separation levels, but in my view this real aircraft data and cues associated with key training
would be beneficial to accommodate the complexity of competencies.
emerging systems.
Taking the example of the 747 aircraft tail scrape in this
paper’s introduction, one of the findings of the TSB was:
3.4 Separation in the Maintenance Lifecycle “The first officer's recent simulator training did not
One of the strengths of IEC 61508 is the full life-cycle include an aircraft out-of-trim or out-of-balance take-off”.
approach that it takes in respect of establishing and The safety functional boundary for this scenario could
maintaining functional safety. This is particularly have been extended beyond the operation of the aircraft
important with maintaining independence across to the specific training task and cues on the simulator. If
functional safety boundaries, as changes to maintenance, this was considered then, so long as the simulator
repair and updates could defeat the isolation measures faithfully represented the aircraft and controls under these
taken. conditions, then the simulator has fulfilled its
requirements.
Due to the subtlety and far reaching impact of some
safety separation issues (see Introduction), continuing Flight Data Simulator
independence of these is at threat of being compromised Available Model
Interlocks
and
Shutdowns
From
SIL0
Host SIL 3 Hydraulic
Motion Control
PLC Valves