The Relationship between Diagnostic Coverage and Proof Test Interval for 1oo2
and 1oo2D Architectures
İlker Üstoğlu*, Özgür T. Kaymakçı**,
Josef Börcsök***
*Yıldız Technical University, Davutpaşa Campus, A209, 34220 Esenler, İstanbul,
TURKEY (Tel: +90-535-418-22-64; e-mail: ustoglu@yildiz.edu.tr)
**Yıldız Technical University, Davutpaşa Campus, A210, 34220 Esenler, İstanbul,
TURKEY (e-mail: kaymakci@yildiz.edu.tr)
***University of Kassel, Faculty of Electrical Engineering / Computer Science,
Department of Computer Architecture and System Programming, Wilhelmshöher Allee 71,
34121 Kassel, GERMANY (e-mail: j.boercsoek@uni-kassel.de)
Abstract: There are several design parameters by which the effectiveness of safety protection systems is measured. The diagnostic coverage factor is one of the most important of these parameters, and it influences all architectures. In this short paper the relationship between PFDavg, DC and TI is presented, with the 1oo2 and 1oo2D architectures considered as examples.
Keywords: Functional safety, 1oo2 architecture.
1. INTRODUCTION

According to the standard IEC 61508-4, equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities is defined as equipment under control (EUC). Safety instrumented systems (SIS) are automatic systems used to prevent accidents and to minimize their consequences for humans and the environment. A SIS has to perform one or more safety instrumented functions (SIFs) to achieve and maintain a safe state for the EUC. The safe state is the state in which safety is achieved. Once the safe state is defined, fail-safe operation is considered, where the SIS is responsible for taking the EUC to the safe state. Note that the EUC may have different safe states.

Failures of a SIS are grouped into two main types: dangerous and safe failures. Safe failures are divided into detectable and undetectable failures with failure rates λSD and λSU, respectively; they do not prevent the SIS from performing its functions, whereas dangerous failures prevent the SIS from working properly on demand.

Dangerous failures are also divided into detectable and undetectable failures with failure rates λDD and λDU, respectively. Dangerous detectable failures can be detected by online diagnostics; dangerous undetectable failures remain unobserved until the proof test. In the standard, a proof test is defined as the periodic test performed to detect failures in a safety-related system so that the system can be restored to an "as new" condition, or as close as practical to this condition (Börcsök, 2004). If 100% of all dangerous failures are detected, the proof test is said to be fully effective. The failures that cannot be detected by the diagnostics, or remain undetected because of imperfect diagnosis, are considered to be undetected failures. As mentioned before, these failures can only be found by the proof test at the end of a proof test interval.

The SIF is implemented by an electric/electronic/programmable electronic safety-related system (E/E/PE SRS). The standard IEC 61508 states that a safety integrity level (SIL) should be allocated to each SIF, and defines safety integrity as the probability of a safety-related system (SRS) satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. There are four discrete levels for SILs in the standard, where SIL 4 gives the highest and SIL 1 the lowest requirements. In IEC 61508 SRSs are classified into low and high demand modes of operation. When the demand rate is no greater than once a year and no greater than twice the proof test frequency, the SIS is said to be operating in low demand mode; otherwise a high demand mode of operation is considered. Probability of failure on demand (PFD) is used as the reliability measure for low-demand SISs, and probability of failure per hour (PFH) for high-demand SISs. SIL verification checks whether the average probability of failure on demand (PFDavg) of the underlying SRS meets the required failure measure, where the average is computed over the interval of operation between periodic proof tests. Diagnostic testing is a feature provided for programmable electronic components, and aims at revealing failures without interrupting the EUC.

Diagnostic coverage is defined as the fractional decrease in the probability of dangerous hardware failure resulting from the operation of the automatic diagnostic tests, i.e. DC = λDD / (λDD + λDU). The diagnostic test interval is the interval between online tests to detect faults in a safety-related system that have a specified diagnostic coverage. Note that the diagnostic coverage is seldom 100%. Recall that for a high demand SIS the demand rate and the diagnostic test frequency have to be of the same order of magnitude. For a low demand SIS there is enough time to restore the function before the next demand occurs (Börcsök, 2006).

2. 1oo2 and 1oo2D ARCHITECTURES
CTS 2012
September 12-14, 2012. Sofia, Bulgaria
$$ t_{DE} = \frac{\lambda_{DU}\left(\frac{TI}{2} + MTTR\right) + \left(\lambda_{DD} + \lambda_{SD}\right) MTTR}{\lambda_{DU} + \lambda_{DD} + \lambda_{SD}} \qquad (4) $$

$$ t_{SE} = \frac{\lambda_{DU}\left(\frac{TI}{3} + MTTR\right) + \left(\lambda_{DD} + \lambda_{SD}\right) MTTR}{\lambda_{DU} + \lambda_{DD} + \lambda_{SD}} \qquad (5) $$
PFDavg is given as:

$$ PFD_{avg} = 2(1-\beta)\lambda_{DU}\left((1-\beta_D)\lambda_{DD} + \lambda_{SD} + (1-\beta)\lambda_{DU}\right) t_{DE}\, t_{SE} + \beta_D \lambda_{DD}\, MTTR + \beta \lambda_{DU}\left(\frac{TI}{2} + MTTR\right) \qquad (6) $$

where β and β_D are the common cause failure fractions of the undetected and of the detected dangerous failures, respectively. Note that λSD = DC·λS, and that λS = λD is assumed. Using the same numerical values, the relationship between diagnostic coverage DC, proof test interval TI and average probability of failure on demand PFDavg for the 1oo2 architecture is given in Figure 11.

In the newest version of the standard the PFDavg formula for the 1oo2D architecture is reformulated. Because the channel comparison/switch-over mechanism may not be 100% efficient, a coefficient K is introduced. It is the efficiency of this inter-channel comparison/switch mechanism, i.e. the output may remain on 2oo2 voting even with one channel detected as faulty; the fraction (1 − K) of the detected dangerous failures is therefore not acted upon and contributes to PFDavg. The new PFDavg formula is given as

$$ PFD_{avg} = 2(1-\beta)\lambda_{DU}\left((1-\beta_D)\lambda_{DD} + \lambda_{SD} + (1-\beta)\lambda_{DU}\right) t_{DE}\, t_{SE} + 2(1-K)\lambda_{DD}\, t_{DE} + \beta_D \lambda_{DD}\, MTTR + \beta \lambda_{DU}\left(\frac{TI}{2} + MTTR\right) \qquad (7) $$

with t_DE being the same as introduced in (4) and

$$ t_{SE} = \frac{TI}{3} + MTTR. \qquad (8) $$

Fig. 12. 3D plot of PFDavg with varying DC and TI values for the 1oo2D architecture (K = 0.8).

For K = 0.8 and using the numerical values given in the previous examples, the relationship between diagnostic coverage, proof test interval and average probability of failure on demand for the 1oo2D architecture is presented in Fig. 12.

3. CONCLUSION

In this short paper the relationship between PFDavg, DC and TI has been presented, with the 1oo2 and 1oo2D architectures as the underlying examples. It is observed that the influence of DC on PFDavg is greater than that of TI: increasing DC while keeping the same PFDavg value corresponds to longer TI periods. This paper does not address the way the diagnostics are performed; the influence of diagnostic testing strategies is considered in an upcoming work.

REFERENCES

Börcsök, J. (2004). Electronic Safety Systems. Hüthig.
Börcsök, J. (2006). Functional Safety. Hüthig.
IEC 61508 (2000). Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems. IEC, Geneva, Switzerland.
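Worked example, added here and not part of the paper: equations (4) to (8) implemented as a small Python module, so that the DC/TI trade-off behind Figures 11 and 12 can be reproduced numerically. Everything in the block is an assumption for illustration: the `Channel` data class, the names `t_de`, `t_se_1oo2`, `t_se_1oo2d`, `pfd_avg_1oo2`, `pfd_avg_1oo2d`, `sil_level`, `ti_for_target`, the constructed channel values (λD, λS, DC, β, βD, MTTR) and the grid of DC and TI values are mine, not the numerical values the paper used for its figures, which are not on this page. The code follows the paper's conventions λDD = DC·λD, λDU = (1 − DC)·λD and λSD = DC·λS, and goes one step beyond the text by solving for the longest proof test interval that still meets a fixed PFDavg target once DC is raised.

```python
# Added example (not from the paper): PFDavg for 1oo2 and 1oo2D per
# equations (4)-(8), and the TI that a given DC buys for a fixed PFDavg.
# All numerical values are ASSUMED for illustration, not the paper's.
from dataclasses import dataclass, replace
from typing import Callable, Optional

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Channel:
    """Per-channel failure data. Rates are per hour, times in hours."""
    lam_d: float    # total dangerous failure rate, lambda_D
    lam_s: float    # total safe failure rate, lambda_S (paper: lambda_S = lambda_D)
    dc: float       # diagnostic coverage, 0 <= DC <= 1
    beta: float     # common cause fraction of undetected failures (beta)
    beta_d: float   # common cause fraction of detected failures (beta_D)
    mttr: float     # mean time to restoration

    @property
    def lam_dd(self) -> float:   # dangerous detected = DC * lambda_D
        return self.dc * self.lam_d

    @property
    def lam_du(self) -> float:   # dangerous undetected = (1 - DC) * lambda_D
        return (1.0 - self.dc) * self.lam_d

    @property
    def lam_sd(self) -> float:   # safe detected = DC * lambda_S (as in the paper)
        return self.dc * self.lam_s


def t_de(ch: Channel, ti: float) -> float:
    """Equation (4): channel equivalent mean down time."""
    lam = ch.lam_du + ch.lam_dd + ch.lam_sd
    return (ch.lam_du * (ti / 2 + ch.mttr) + (ch.lam_dd + ch.lam_sd) * ch.mttr) / lam


def t_se_1oo2(ch: Channel, ti: float) -> float:
    """Equation (5): system equivalent mean down time for 1oo2."""
    lam = ch.lam_du + ch.lam_dd + ch.lam_sd
    return (ch.lam_du * (ti / 3 + ch.mttr) + (ch.lam_dd + ch.lam_sd) * ch.mttr) / lam


def t_se_1oo2d(ch: Channel, ti: float) -> float:
    """Equation (8): system equivalent mean down time for 1oo2D."""
    return ti / 3 + ch.mttr


def _independent(ch: Channel, tde: float, tse: float) -> float:
    # First term of (6)/(7): an undetected failure followed by a second one.
    degraded = (1 - ch.beta_d) * ch.lam_dd + ch.lam_sd + (1 - ch.beta) * ch.lam_du
    return 2 * (1 - ch.beta) * ch.lam_du * degraded * tde * tse


def _common_cause(ch: Channel, ti: float) -> float:
    # Last two terms of (6)/(7): common cause detected and undetected failures.
    return ch.beta_d * ch.lam_dd * ch.mttr + ch.beta * ch.lam_du * (ti / 2 + ch.mttr)


def pfd_avg_1oo2(ch: Channel, ti: float) -> float:
    """Equation (6)."""
    return _independent(ch, t_de(ch, ti), t_se_1oo2(ch, ti)) + _common_cause(ch, ti)


def pfd_avg_1oo2d(ch: Channel, ti: float, k: float) -> float:
    """Equation (7); K is the efficiency of the comparison/switch-over mechanism."""
    tde = t_de(ch, ti)
    return (_independent(ch, tde, t_se_1oo2d(ch, ti))
            + 2 * (1 - k) * ch.lam_dd * tde      # detected faults not switched over
            + _common_cause(ch, ti))


def sil_level(pfd: float) -> int:
    """Low demand SIL band of IEC 61508: SIL n requires 10^-(n+1) <= PFDavg < 10^-n.
    Returns 0 for PFDavg >= 1e-1 (no SIL); values below 1e-5 are reported as 4."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def ti_for_target(pfd_fn: Callable[[float], float], target: float,
                  lo: float = 1.0, hi: float = 100 * HOURS_PER_YEAR) -> Optional[float]:
    """Longest proof test interval (hours) whose PFDavg does not exceed target.
    Bisection is valid because (6) and (7) increase monotonically with TI."""
    if pfd_fn(lo) > target:
        return None                    # not reachable even with a 1 h interval
    if pfd_fn(hi) <= target:
        return hi
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if pfd_fn(mid) <= target:
            lo = mid
        else:
            hi = mid
    return lo


# Constructed example channel (assumed values, not the paper's).
EXAMPLE = Channel(lam_d=2e-6, lam_s=2e-6, dc=0.90, beta=0.10, beta_d=0.05, mttr=8.0)


def dc_ti_table(ch: Channel, dcs, tis_years, k: float = 0.8):
    """PFDavg of 1oo2 and 1oo2D (given K) over a DC x TI grid, as in Figs. 11/12."""
    rows = []
    for dc in dcs:
        c = replace(ch, dc=dc)
        for years in tis_years:
            ti = years * HOURS_PER_YEAR
            rows.append((dc, years, pfd_avg_1oo2(c, ti), pfd_avg_1oo2d(c, ti, k)))
    return rows


if __name__ == "__main__":
    print(" DC   TI[y]   PFDavg 1oo2        PFDavg 1oo2D (K=0.8)")
    for dc, yrs, p2, p2d in dc_ti_table(EXAMPLE, (0.60, 0.90, 0.99), (0.5, 1, 2)):
        print(f"{dc:4.2f} {yrs:6.1f}   {p2:.3e} (SIL {sil_level(p2)})"
              f"   {p2d:.3e} (SIL {sil_level(p2d)})")
    target = pfd_avg_1oo2(EXAMPLE, HOURS_PER_YEAR)
    ti = ti_for_target(lambda t: pfd_avg_1oo2(replace(EXAMPLE, dc=0.95), t), target)
    print(f"DC 0.90 -> 0.95 holds PFDavg={target:.3e} up to TI={ti / HOURS_PER_YEAR:.2f} y")
```

With the assumed channel the common cause term β·λDU·(TI/2 + MTTR) dominates (6), which is why raising DC (and thereby cutting λDU) shifts PFDavg about as much as halving TI does; the 1oo2D result with K = 0.8 is noticeably worse than with K = 1 because every detected dangerous failure that the switch-over misses is charged for the full channel down time t_DE. `ti_for_target` returns `None` when the target cannot be met at all, which is the case a practitioner should check before reading a proof test interval off a plot.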