Safety of Distributed Machine Control Systems


1 Safety Requirements for Machinery

1.1 Safety and Reliability

When we work with the realisation of control systems for safety critical applications, it is very important to distinguish between safety and reliability.

The reliability of a system can be defined as: the probability that a system has full function in a time interval of a specified length, given that the system had full function at the start of the time interval.

The safety of a system can be defined as the probability that the system does not fail in such a way that dangerous personal injuries or large economic losses can occur. In the same way as reliability, it can be defined as the probability that such critical failures do not occur in a time interval of a specified length, given that the system had full function at the start of the time interval.

This means, for example, that a system can be very safe even if it is unreliable. This is true if the system always (with a high probability) fails in a way that is not dangerous. Many systems can be stopped without problems when a safety critical failure is detected. Such systems can be implemented with fail silence. This means that whenever a safety critical failure is detected, the system is automatically stopped. A fail silent system is a special case of the more general class of fail safe (or FS) systems, which are supposed to behave so that no dangerous failures occur at the system level (or occur only with a very low probability, several orders of magnitude lower than the reliability figures).

In order to achieve fail silent behaviour, it is for example required that the system is realised in such a way that it can detect all errors that will lead to failures. For the detection of such errors some sort of redundancy is normally required. It is also required that the system can be forced to enter a silent state. For example, a short circuit might mean that the system works in an uncontrolled way; it is then required that the system can be shut down in another way.

A system which is not developed with fail safe behaviour in mind will achieve only the safety that is given by its failure rate. The problem with this is that the requirements for safety are normally much higher than the requirements for reliability. A typical figure for a hardware component is 1 failure in 10^5 hours, and for a complete system 1 failure in 10^4 hours. Such figures almost never meet safety demands.

Systems which are not allowed to be shut down (to be fail silent) on a fault must be fail operational (or FO), which means that they continue to work as specified despite the fault. In such systems the critical failures have to be detected and then a switch-over to a redundant unit has to be made. Therefore such systems tend to become complicated and expensive. A typical application for such systems is aeroplanes.
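The following worked example, added here and not part of the report, puts numbers on the distinction between reliability and safety made above. It assumes a constant failure rate (exponential model), a fraction of failures that would be dangerous if not stopped, and a detection coverage for the fail silent mechanism; the dangerous fraction, coverage and safety target values are constructed for illustration, while the failure rates are the report's own typical figures.

```python
import math

# The report's typical figures (failures per hour).
COMPONENT_FAILURE_RATE = 1e-5   # 1 failure in 10^5 hours for a hardware component
SYSTEM_FAILURE_RATE = 1e-4      # 1 failure in 10^4 hours for a complete system


def reliability(failure_rate, hours):
    """Probability of full function over `hours`, given full function at the start.

    Assumes a constant failure rate (exponential model). That model is this
    example's assumption, not something the report states.
    """
    return math.exp(-failure_rate * hours)


def dangerous_failure_rate(failure_rate, dangerous_fraction, detection_coverage):
    """Rate at which failures escape into a dangerous state.

    dangerous_fraction:  share of all failures that would be dangerous if not stopped
    detection_coverage:  share of those the fail silent mechanism detects and turns
                         into a safe stop (0.0 = no fail safe design, 1.0 = perfect)
    """
    return failure_rate * dangerous_fraction * (1.0 - detection_coverage)


def safety(failure_rate, dangerous_fraction, detection_coverage, hours):
    """Probability that no dangerous failure occurs over `hours`.

    Same exponential form as reliability, applied only to the failures that
    are both dangerous and undetected; the safe stops do not count against it.
    """
    rate = dangerous_failure_rate(failure_rate, dangerous_fraction, detection_coverage)
    return reliability(rate, hours)


def required_coverage(failure_rate, dangerous_fraction, target_dangerous_rate):
    """Detection coverage the fail silent mechanism needs to meet a dangerous
    failure rate target (the target value is the caller's assumption)."""
    if failure_rate * dangerous_fraction <= target_dangerous_rate:
        return 0.0  # already within target without any detection
    return 1.0 - target_dangerous_rate / (failure_rate * dangerous_fraction)


if __name__ == "__main__":
    hours = 10_000
    print("reliability over 10^4 h:", reliability(SYSTEM_FAILURE_RATE, hours))
    print("safety, no fail safe design:", safety(SYSTEM_FAILURE_RATE, 0.5, 0.0, hours))
    print("safety, 99% detection coverage:", safety(SYSTEM_FAILURE_RATE, 0.5, 0.99, hours))
    print("coverage needed for 1e-8/h target:", required_coverage(SYSTEM_FAILURE_RATE, 0.5, 1e-8))
```

The same system keeps its reliability of about 0.37 over 10^4 hours in both cases; only the detection coverage moves the safety figure, which is the report's point that an unreliable system can still be safe.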

