Industrial monitoring system (IEC 61508, SIL 2)
On this page, we explore the design of part of a fire and gas monitoring system for use in an industrial setting.
This system is to be developed in compliance with IEC 61508 (SIL 2).
Our design is based on a ‘Time Triggered‘ (TT) software architecture.
We begin by looking briefly at some of the links between TT systems and IEC 61508.
[This page was last updated: 2018-02-02]
TT software architectures and IEC 61508
IEC 61508 is concerned with functional safety, achieved by means of systems that are implemented primarily in electrical and/or electronic and/or programmable electronic technologies (for example, using microcontrollers – MCUs – and appropriate software).
TT software architectures provide a highly-effective way of meeting IEC 61508 requirements. For example:
- TT architectures are “Highly Recommended” for systems of Safety Integrity Level (SIL) 2 or above. [IEC 61508-3 (2010), Table A.2]
- use of a TT architecture “Greatly reduces the effort required for testing and certifying the system” [IEC 61508-3 (2010), Table C.1]
- static synchronisation of access to shared resources – a key characteristic of all TT designs — is “Recommended” (SIL3) / “Highly Recommended” (SIL4) [IEC 61508-3 (2010), Table A.2]
- limited use of interrupts – a defining characteristic of TT designs – is “Recommended” for SIL1 and SIL2 systems and “Highly Recommended” for SIL3 and SIL4 systems. [IEC 61508-3 (2010), Table B.1].
Design of a sounder unit for an industrial alarm system: Overview
In this example, we will consider the development of a sounder unit (we’ll simply refer to it as the “Sounder”) for use as part of an industrial monitoring system (IMS). The unit is to be used to sound an alarm if a fire, gas leak or another potential hazard is detected by the IMS.
In this study we are concerned only with the Sounder unit.
There are likely to be a number of Sounder units in each IMS. Each Sounder unit will (we assume) be connected to a dedicated CAN bus.
We assume that the system will be required to have an operational life of 20 years.
We assume that the unit will be replaced (or repaired) within 8 hours of a fault being detected.
Hazard and risk analysis
Early in the development cycle for any safety-related embedded system, we need to consider potential threats and hazards. This will include an assessment of the risks posed to users of the system or to those in the vicinity. The role of our system design process is then to include mechanisms in our design that will reduce such risks to an acceptable level.
For the Sounder, the key risk is that the alarm will not activate when it is required to do so. This could result in people being exposed to dangerous gases, fires, chemical leaks or other threats that the IMS has been designed to detect.
A secondary risk is that the alarm will sound when it is not required to do so. This may appear to be a ‘nuisance event’, but this would probably underestimate the risk involved. If, for example, the Sounder is triggered erroneously (even) once a month, this would not simply damage the reputation of the manufacturer of the unit, it would very likely to increase the probability that real alarm events would be ignored.
Selecting a TT platform
Various ‘TT platforms’ are described in the ‘ERES2‘ book: use of one of these platforms can help to simplify the process of achieving compliance with various different safety standards.
A summary of the recommended TT platforms is given in the table below.
As we have noted, this is to be a ‘SIL 2 design’, in compliance with IEC 61508. Two design options from the above table would therefore be DuplicaTTor-A-11 or CorrelaTTor-B-2.
Choices between different platform options may depend on a number of factors. For the purposes of this example, we will assume that the development team opts for ‘CorrelaTTor-B-2’ as their candidate platform, since: [i] they require a simple ‘fail safe’ design; [ii] the CorrelaTTor design is likely to result in lower unit costs than the DuplicaTTor alternative.
The architecture of the chosen platform platform is illustrated schematically in the figure below.
The resulting system architecture will then be as illustrated here:
Read the complete case study in ‘ERES2’
The Second Edition of ‘The Engineering of Reliable Embedded Systems’ (ERES2), documents an industry-proven approach to the development of software for reliable, real-time embedded systems, based on the use of ‘Time Triggered’ (TT) architectures.
What distinguishes TT approaches is that it is possible to model the expected system behaviour precisely. This means that: [i] during the development process, we can demonstrate that all of the requirements have been met; and [ii] at run time, we can detect problems very quickly.
The end result is that we can have a high level of confidence that a TT system will either: [i] operate precisely as required; or [ii] move into an appropriate state if a problem occurs.
The above characteristics mean that appropriately-implemented TT systems provide a particularly effective means of meeting the requirements of various international safety standards.
In order to illustrate how the TT techniques presented in ERES2 can be employed in practical designs, five detailed case studies are included. These studies describe the development of embedded control and monitoring systems for the following products:
- an industrial alarm sounder unit (IEC 61508, SIL 2);
- a domestic washing machine (IEC 60730, Class B);
- a hospital radiotherapy machine (IEC 62304, Class C);
- a steering-column lock for a passenger car (ISO 26262, ASIL D);
- an aircraft jet engine (DO-178C, Level A).