Functional safety forum
Has a lock-step architecture HFT=1?
Markus Baumeister
Thursday, 08 May 2008 14:01:00
Has a lock-step architecture HFT=1?
I must have read too much 61508 lately because I managed to become confused again over 61508-2 7.4.3.1.1 and Table 3:
According to the definition in part 4 of 61508 "fault tolerance" describes the ability of a functional unit to perform a required function in the presence of faults or errors. So for HFT=1 a unit would have to perform .... in the presence of 1 error.
Now, looking at a lock-step architecture (e.g. two CPUs running in parallel with continuously compared outputs) it does not continue to perform its function in the presence of one fault. It shuts down. So from that: HFT=0. (Basically a 1oo1D architecture)
If one OTOH takes the definition of Part 2 7.4.3.1.1 "hardware fault tolerance of 1 means that 2 faults could cause a loss of the safety function", then the lock-step mentioned above does have HFT=1 because (assuming an overall fail-safe system), "shutdown" is safe. So HFT=1. (I.e. 1oo2 architecture)
Only one of these can be true.
And to make matters even more confusing: Table 3 and the example given in 7.4.3.1.6 (which is normative too) seem to contradict each other concerning the effects of HFT on required SFF. As far as I understand the table, in an HFT=1 system both channels have to have SFF>=90% to reach SIL3. But the example in 7.4.3.1.4.6 combines a SIL2 (90% SFF) and a SIL1 (60% SFF) component into a SIL3 by combining them into a HFT=1 system. So is the table wrong?
Michel Houtermans
Monday, 12 May 2008 17:36:35
Re: Has a lock-step architecture HFT=1?
Hi, it is not so easy to answer this question without fully understanding the design. As this is not possible I can only answer it in general.
You need to go back to the basics. HFT is a concept that deals with dangerous undetected failures. If we have a 1oo2 system then this means that we have 2 systems that can independently carry out the safety function from each other.
In your case you really need to figure out whether the two processors need each other or not. Or is only the voting function shared?
Basically your voter can detect dangerous failures and thus turn them into DD failures. But they are not the worry concerning HFT. The question is what happens if there is a DU failure, will the voter let it go through or not. If so then it still works.
On the other hand if the voter itself has a DU then it means it failed again, but if the voter is hardware you can consider that a 1oo1 system. But I am not sure how that is the case in your system.
Thus, the main point is, HFT is always from a DU failure point of view. Never from a safe failure point of view. That does not mean that you cannot build a fault tolerant system for safe failures. That is why we at Risknowlogy developed the Spurious Trip Level (STL) concept. This concept deals with safe failures, not like the SIL level which basically deals with dangerous failures.
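The two readings argued over in this thread, worked through in code as an added example (not from the forum or from Risknowlogy): the comparator of a lock-step pair turns dangerous failures into DD failures and so raises the channel's SFF, but whether the pair is counted as HFT 0 (1oo1D, it shuts down) or HFT 1 (1oo2) decides which column of IEC 61508-2 Table 3 applies. The failure rates and diagnostic coverage are constructed values; the table entries are the type B architectural constraints of the 2000 edition.

```python
from dataclasses import dataclass

@dataclass
class Channel:
    """One hardware channel; rates in FIT (failures per 1e9 h), constructed values for illustration."""
    lambda_safe: float          # safe failure rate
    lambda_dangerous: float     # total dangerous failure rate (DD + DU)
    diagnostic_coverage: float  # share of dangerous failures the diagnostics (e.g. a lock-step comparator) catch

    def lambda_dd(self) -> float:
        return self.lambda_dangerous * self.diagnostic_coverage

    def sff(self) -> float:
        # IEC 61508-2 safe failure fraction: (lS + lDD) / (lS + lDD + lDU)
        return (self.lambda_safe + self.lambda_dd()) / (self.lambda_safe + self.lambda_dangerous)

# IEC 61508-2 Table 3 (type B subsystems): lower bound of each SFF band -> max SIL at HFT 0, 1, 2
# (None: that SFF/HFT combination is not allowed at all)
TABLE_3_TYPE_B = [
    (0.99, (3, 4, 4)),
    (0.90, (2, 3, 4)),
    (0.60, (1, 2, 3)),
    (0.00, (None, 1, 2)),
]

def max_sil_type_b(sff: float, hft: int):
    """Architectural constraint: the highest SIL a type B subsystem may claim."""
    column = min(hft, 2)
    for lower_bound, sils in TABLE_3_TYPE_B:
        if sff >= lower_bound:
            return sils[column]

def hft_koon(k: int, n: int) -> int:
    """HFT in the Part 2 sense: n-k dangerous undetected channel failures are tolerated."""
    return n - k

def lock_step_vs_1oo2() -> dict:
    """Worked case from the thread: a CPU whose comparator detects 90% of its dangerous failures."""
    bare = Channel(lambda_safe=20, lambda_dangerous=80, diagnostic_coverage=0.0)
    cpu = Channel(lambda_safe=20, lambda_dangerous=80, diagnostic_coverage=0.9)
    return {
        "sff_bare": bare.sff(),                                       # 0.20: below the 60% band
        "sil_bare_hft0": max_sil_type_b(bare.sff(), hft_koon(1, 1)),  # None: not allowed at HFT 0
        "sff": cpu.sff(),                                             # 0.92: comparator turns DU into DD
        "sil_as_1oo1D": max_sil_type_b(cpu.sff(), hft_koon(1, 1)),    # shutdown reading, HFT 0 -> SIL2
        "sil_as_1oo2": max_sil_type_b(cpu.sff(), hft_koon(1, 2)),     # tolerance reading, HFT 1 -> SIL3
        "sil_60pct_channel_hft1": max_sil_type_b(0.60, 1),            # a 60% SFF channel at HFT 1 -> SIL2
    }
```

The last entry is the poster's second channel: with 60% SFF it reaches SIL2 at HFT 1, not SIL3, which is the Table 3 reading the first post describes.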
Jonas Krueger
Sunday, 18 May 2008 21:47:42
Re: Has a lock-step architecture HFT=1?
The examples in 61508 are really bad. Not only the examples of HFT, but also the examples in part 6 about Diagnostic Coverage and the common cause factor. Especially the latter is a disaster to use in real life.