A new safety analysis methodology

After close analysis of the problems arising in SIL quantification, a new component-based methodology emerged.

The use case is a control system of a transmission. The inputs to this control system are (i) a switch to set the gear in forward, neutral or reverse, and (ii) a switch for up and down switching. Two safety functions are defined. In the safety analysis of these safety functions, Dana needs to perform SIL quantification on the control hardware. A simplified system concept for the controller is seen above.

In the design process of a safety related system, three main steps are necessary:

  1. hazard and risk analysis, which results in a number of safety functions that have to be implemented,
  2. conceptual design which specifies a design that will implement the safety functions, and
  3. evaluation of the safety functions, where, for example, the Safety Integrity Level (SIL) needs to be quantified (see the functional safety standard ISO 26262).

The last step requires consideration of the reliability information of the safety-instrumented system.

If one takes a closer look at the approaches that industries currently apply to quantify the SIL, some issues can be observed. First, the additional safety information is not structured in the same way as the design concept. As a consequence, it is difficult to relate the safety information to the different components within the design, and when design iterations are required, it is hard to know which safety information is affected.

A second issue is the lack of re-use. Although some tools, like FTA (Fault Tree Analysis), offer the ability to specify failure propagation patterns, it was found that such patterns were not used in the failure specifications of the different safety functions.

At Flanders Make, these issues have been investigated in the framework of the industrial project Experimental Validation for Safety Integrity Level (VAL4SIL), resulting in the development of a new model-based safety methodology that deals with the aforementioned issues.

The model-based safety analysis methodology was validated on a transmission control system from Dana Belgium NV of the Off-Highway Systems Group - Dana Holding Corp. The inputs to the control system are (i) a switch to set the gear in forward, neutral or reverse, and (ii) a switch for up and down switching. Two safety functions are defined:

  1. A safety function to prevent an inadvertent up or down shift.
  2. A safety function to prevent an inadvertent forward or reverse switch.

In the safety analysis of these safety functions, Dana needed to perform SIL quantification on the control hardware. The analysis showed that the safety information was not structured in the same way as the system concept. This makes it difficult to relate a change in the concept to the corresponding changes that must be made in the safety analysis.
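The two issues raised above, safety information that is not structured like the design and failure-propagation patterns that are not re-used, can be illustrated with a small component-based model of the transmission controller. The following is an added example and not code from Flanders Make, Dana or the VAL4SIL project: component names, dangerous failure rates and the proof-test interval are constructed, the 1oo2 pattern is a simplified approximation (independent channels, no common-cause term), and the SIL bands are the IEC 61508 PFH bands for high-demand mode rather than anything the white paper specifies. Each component carries its own failure data, the two safety functions are assembled from shared patterns, and a change to one component can be traced to the safety functions it affects.

```python
"""Component-based safety model with reusable failure-propagation patterns.

Added example (not the project's own code). Failure rates, proof-test interval
and component names are constructed; SIL bands follow IEC 61508 high-demand PFH.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

PROOF_TEST_INTERVAL_H = 8760.0  # assumed yearly proof test (constructed value)

# --- Reusable failure-propagation patterns ----------------------------------
# A pattern maps the dangerous failure rates (per hour) of its member channels
# to the dangerous failure rate seen at the pattern's output.

def series(rates: Sequence[float]) -> float:
    """Single-channel chain: any member failing is dangerous, so rates add."""
    return sum(rates)

def redundant_1oo2(rates: Sequence[float]) -> float:
    """Two independent channels; dangerous only if both fail within one
    proof-test interval. Simplified as lambda1 * lambda2 * T (no common cause)."""
    if len(rates) != 2:
        raise ValueError("1oo2 pattern needs exactly two channels")
    return rates[0] * rates[1] * PROOF_TEST_INTERVAL_H

PATTERNS: Dict[str, Callable[[Sequence[float]], float]] = {
    "series": series,
    "1oo2": redundant_1oo2,
}

@dataclass(frozen=True)
class Component:
    name: str
    lambda_d: float  # dangerous failure rate per hour, kept with the component

@dataclass(frozen=True)
class Block:
    """A design block: one named pattern applied to a set of components."""
    pattern: str
    members: Tuple[Component, ...]

    def lambda_d(self) -> float:
        return PATTERNS[self.pattern]([c.lambda_d for c in self.members])

@dataclass(frozen=True)
class SafetyFunction:
    name: str
    chain: Tuple[Block, ...]  # blocks in series from sensor to actuator

    def pfh(self) -> float:
        """Average frequency of dangerous failure per hour for the whole chain."""
        return series([b.lambda_d() for b in self.chain])

    def components(self):
        return {c for b in self.chain for c in b.members}

def sil_from_pfh(pfh: float) -> int:
    """IEC 61508 high-demand/continuous mode PFH bands; 0 means below SIL 1."""
    if 1e-9 <= pfh < 1e-8:
        return 4
    if 1e-8 <= pfh < 1e-7:
        return 3
    if 1e-7 <= pfh < 1e-6:
        return 2
    if 1e-6 <= pfh < 1e-5:
        return 1
    return 0

def affected_functions(changed: Component,
                       functions: Sequence[SafetyFunction]) -> List[str]:
    """Trace a design change on one component to the safety functions it touches."""
    return [f.name for f in functions if changed in f.components()]

# --- Constructed transmission-controller model ------------------------------
SHIFT_SWITCH = Component("shift_switch", 2e-7)
DIR_SWITCH_A = Component("direction_switch_A", 2e-7)
DIR_SWITCH_B = Component("direction_switch_B", 2e-7)
ECU = Component("controller", 4e-7)
SHIFT_DRIVER = Component("shift_valve_driver", 3e-7)
DIR_DRIVER = Component("direction_valve_driver", 3e-7)

CONTROL = Block("series", (ECU,))  # shared by both safety functions

SF_SHIFT = SafetyFunction(
    "prevent inadvertent up/down shift",
    (Block("series", (SHIFT_SWITCH,)), CONTROL, Block("series", (SHIFT_DRIVER,))))
SF_DIRECTION = SafetyFunction(
    "prevent inadvertent forward/reverse switch",
    (Block("1oo2", (DIR_SWITCH_A, DIR_SWITCH_B)), CONTROL, Block("series", (DIR_DRIVER,))))
FUNCTIONS = (SF_SHIFT, SF_DIRECTION)

if __name__ == "__main__":
    for f in FUNCTIONS:
        print(f"{f.name}: PFH={f.pfh():.3e}/h -> SIL {sil_from_pfh(f.pfh())}")
    print("changing the controller affects:", affected_functions(ECU, FUNCTIONS))
```

Because the failure data lives on the components and the patterns are shared, swapping the controller for one with a different failure rate changes both safety functions' PFH in one place, and `affected_functions` answers the design-iteration question the text raises: which safety analyses must be revisited after a change.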

To read how Flanders Make was able to address the challenges faced with safety analysis through its case model development of a transmission by Dana Holding Corp., download the full white paper at www.oemoffhighway.com/12059970.
