
Separated Safety

In document Functional safety system patterns (pages 57-60)

Functional Safety System Patterns

2 Separated Safety

Context

A control system for a work machine or an industrial process needs to be designed and developed. According to the hazard and risk analyses performed, the system to be controlled is capable of causing physical or financial harm to the environment or to people working in its surroundings.

Because of the possible risks, the functional safety of the system must be ensured with a safety system that is developed according to the appropriate standards and possibly certified by the authorities. The safety-related standards restrict the development process, tools and methods, and in addition require the use of various techniques and measures that are not directly needed to develop a control system.

Problem

Designing the whole system according to safety standards is a costly, bureaucratic and slow process.

Forces

Safety: The functional safety of the system must be assured with a system that complies with the applicable safety regulations.

Standards: Safety-related standards such as IEC 61508 [1] require independence between safety-related and non-safety-related systems.

Cost-efficiency: Development of the whole control system according to safety standards would be difficult and increase the development costs substantially.


Cost-efficiency: Use of certified components in the whole control system would increase the hardware costs substantially.

Suitability: Certified components and processing units with limited instruction sets may not enable the development of all required basic control functionality. For example, floating-point arithmetic is not supported by all safety-certified processing units, which makes it hard to use such units in basic control system development.

Solution

Divide the control functionality into two separate systems: a basic control system and a safety system. The requirements for the whole control system are first divided into safety-critical and non-safety-critical requirements. Typically, the safety-critical requirements concern deviations and potentially hazardous situations, whereas the non-safety-critical requirements concern normal operating conditions and the intended use of the system. The safety-critical functionality is then designed and implemented in a safety system according to the safety standards. The non-safety-critical functionality is designed and implemented in the basic control system. This frees the development of the basic control system from the requirements that apply to the safety system, so any devices, tools, methods, instruction sets, etc. (including ones that are not certified or safety-approved) can be used in basic control system development.

The safety system and the basic control system are separated from each other so that the correct functioning of the safety system does not depend on the correct functioning of the basic control system. If necessary, the safety system may use certified hardware such as sensors, actuators, buses and safety PLCs. The basic control system may use the same components provided that it cannot disturb the correct functioning of the safety system; otherwise, it must use different components. Because the basic control system is separated from the safety system, the requirements of the safety standards do not apply to its development. Separation can also improve the development process: because there are no (or very few) dependencies between the systems, they can be developed separately, in parallel and by different development teams (which is also beneficial from a diversity point of view).
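As an added illustration of the independence requirement described above (example code written for this edit, not from the paper), the following Python simulation models a hypothetical heated vessel. A basic controller holds a temperature setpoint, and a safety system trips the power at its own limit using its own sensor reading and its own actuator. A faulty controller mode (heater switched on, then a crash) shows that the trip still happens when the safety system is separate, and is lost when the same check is implemented inside the basic controller. The process model, the limits and the fault mode are assumptions for the example, not from the paper.

```python
"""Added example of the Separated Safety pattern (not from the paper): a
basic control system and an independent safety system act on the same
process. The process model, limits and fault mode are hypothetical."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Process:
    """Hypothetical heated vessel. Each system owns its own actuator:
    the heater belongs to the basic control system, the trip (power cut)
    belongs to the safety system."""
    temperature: float = 20.0
    heater_on: bool = False
    tripped: bool = False

    def step(self) -> None:
        if self.tripped:          # safety actuator removes power from the heater
            self.heater_on = False
        if self.heater_on:
            self.temperature += 5.0
        else:
            self.temperature = max(20.0, self.temperature - 1.0)


class BasicController:
    """Non-safety-critical controller: holds the temperature near a setpoint.
    faulty=True models a software defect: it switches the heater on and
    then crashes, leaving the heater stuck on."""

    def __init__(self, setpoint: float, faulty: bool = False) -> None:
        self.setpoint = setpoint
        self.faulty = faulty

    def control(self, process: Process) -> None:
        if self.faulty:
            process.heater_on = True
            raise RuntimeError("basic control system crashed")
        process.heater_on = process.temperature < self.setpoint


class IntegratedController(BasicController):
    """Anti-pattern: the trip check is part of the basic controller, so it
    shares the controller's failure modes."""

    def __init__(self, setpoint: float, trip_limit: float, faulty: bool = False) -> None:
        super().__init__(setpoint, faulty)
        self.trip_limit = trip_limit

    def control(self, process: Process) -> None:
        super().control(process)                      # on the faulty path this raises ...
        if process.temperature >= self.trip_limit:    # ... so this check never runs
            process.tripped = True


class SafetySystem:
    """Safety-critical part: its own sensor reading (modelled as reading the
    process directly, never a value computed by the controller), its own
    limit and its own actuator. Nothing here depends on controller state."""

    def __init__(self, trip_limit: float) -> None:
        self.trip_limit = trip_limit

    def monitor(self, process: Process) -> None:
        if process.temperature >= self.trip_limit:
            process.tripped = True


def run(controller: BasicController, safety: Optional[SafetySystem],
        steps: int = 30) -> Tuple[float, bool]:
    """Cycle the process; return (peak temperature reached, tripped?)."""
    proc = Process()
    peak = proc.temperature
    for _ in range(steps):
        try:
            controller.control(proc)
        except RuntimeError:
            pass   # a crash of the basic control system must not stop the safety system
        if safety is not None:
            safety.monitor(proc)
        proc.step()
        peak = max(peak, proc.temperature)
    return peak, proc.tripped


if __name__ == "__main__":
    LIMIT = 90.0
    print("separated, healthy :", run(BasicController(60.0), SafetySystem(LIMIT)))
    print("separated, faulty  :", run(BasicController(60.0, faulty=True), SafetySystem(LIMIT)))
    print("integrated, faulty :", run(IntegratedController(60.0, LIMIT, faulty=True), None))
```

Running the script prints the peak temperature and trip state for each configuration. With the separate safety system the faulty controller is stopped at the trip limit; in the integrated variant the same defect that disables the controller also disables the check that was supposed to stop it, and the temperature runs away. That shared failure mode is exactly the dependency the pattern forbids.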

Fig. 2 illustrates a separated safety system within a process. The process box represents the (sub)process under consideration. The basic control system controls the process, and the safety system is isolated from the basic control system. The safety system and the basic control system each have their own hardware (controllers, actuators, sensors, etc.); that is, both systems act on the same process but operate independently of each other.


[Figure: Safety system and Basic control system shown side by side, each with its own Power management and User interface, both acting on the Process.]

Fig. 2. Illustration of a separated safety system within a process

Consequences

Safety of the system can be achieved with an appropriate safety system.

Basic control system development may utilize the development process, tools and techniques preferred by the company – not the ones required by safety standards.

Full instruction set tools, computing units and components can be used with the basic control system.

As safety is ensured with a separate system, the basic control system does not need certification.

The development costs of the basic control system can be reduced, because the basic control system does not have to be developed according to the requirements that apply to safety systems.

Because the safety system and the basic control system are separated, their development can be outsourced separately, or they can be developed independently of each other by different development teams. This can also have a positive effect on the schedule of the whole project.

- Two separated applications must be developed and they may require different instrumentation.

Resulting Context

The resulting solution consists of two separate systems that can be developed separately, so that the independence of the safety system from the basic control system can be demonstrated to the authorities.

Related Patterns

The PRODUCTIVE SAFETY pattern describes how the responsibilities and complexity of the safety system can be decreased even further, and how activations of the safety system can be reduced to the situations where they are necessary.

The HARDWIRED SAFETY pattern describes a way to avoid need for safety related application software in safety system development.

The SEPARATED OVERRIDE, DE-ENERGIZED OVERRIDE and SAFETY LIMITER patterns provide solutions for overriding the basic control system with the safety system, so that the safety system has the final word in the system's operation.


Known Usage

The solution is widely used in Finnish process industry and also known in the domain of mobile work machines.
