Industrial monitoring system (IEC 61508, SIL 2)


We receive many enquiries from organisations that need to develop products in compliance with international safety standard IEC 61508 (‘SIL 2’).

As an example of the type of design solution that we use in such products, we explore the development of an industrial monitoring system on this page.

Our solution is based on a ‘Time Triggered‘ (TT) software architecture running on a single (low cost) microcontroller.

[This page was last updated: 2018-05-01]

empty_space


empty_space

TT software architectures and IEC 61508

empty_space
IEC 61508 is concerned with functional safety, achieved by means of systems that are implemented primarily in electrical and/or electronic and/or programmable electronic technologies (for example, using microcontrollers – MCUs – and appropriate software).

TT software architectures provide a highly-effective way of meeting IEC 61508 requirements. For example:

  • TT architectures are “Highly Recommended” for systems of Safety Integrity Level (SIL) 2 or above. [IEC 61508-3 (2010), Table A.2]
  • use of a TT architecture “Greatly reduces the effort required for testing and certifying the system” [IEC 61508-3 (2010), Table C.1]
  • static synchronisation of access to shared resources – a key characteristic of all TT designs — is “Recommended” (SIL3) / “Highly Recommended” (SIL4) [IEC 61508-3 (2010), Table A.2]
  • limited use of interrupts – a defining characteristic of TT designs – is “Recommended” for SIL1 and SIL2 systems and “Highly Recommended” for SIL3 and SIL4 systems. [IEC 61508-3 (2010), Table B.1].

empty_space


empty_space

Design of a sounder unit for an industrial alarm system: Overview

empty_space
In this example, we will consider the development of a sounder unit (we’ll simply refer to it as the “Sounder”) for use as part of an industrial monitoring system (IMS). The unit is to be used to sound an alarm if a fire, gas leak or another potential hazard is detected by the IMS.

In this study we are concerned only with the Sounder unit.

sounder_dreamstime_400

There are likely to be a number of Sounder units in each IMS. Each Sounder unit will (we assume) be connected to a dedicated CAN bus.

We assume that the system will be required to have an operational life of 20 years.

We assume that the unit will be replaced (or repaired) within 8 hours of a fault being detected.

empty_space


empty_space

Hazard and risk analysis

empty_space
Early in the development cycle for any safety-related embedded system, we need to consider potential threats and hazards. This will include an assessment of the risks posed to users of the system or to those in the vicinity. The role of our system design process is then to include mechanisms in our design that will reduce such risks to an acceptable level.

For the Sounder, the key risk is that the alarm will not activate when it is required to do so. This could result in people being exposed to dangerous gases, fires, chemical leaks or other threats that the IMS has been designed to detect.

A secondary risk is that the alarm will sound when it is not required to do so. This may appear to be a ‘nuisance event’, but this would probably underestimate the risk involved. If, for example, the Sounder is triggered erroneously (even) once a month, this would not simply damage the reputation of the manufacturer of the unit, it would very likely to increase the probability that real alarm events would be ignored.

empty_space


empty_space

Selecting a TT platform

empty_space
Various ‘TT platforms’ are described in the ‘ERES2‘ book: use of one of these platforms can help to simplify the process of achieving compliance with various different safety standards.

A summary of the recommended TT platforms is given in the table below.

empty_space

empty_space

As we have noted, this is to be a ‘SIL 2 design’, in compliance with IEC 61508. Two design options from the above table would therefore be DuplicaTTor-A-11 or CorrelaTTor-B-2.

Choices between different platform options may depend on a number of factors. For the purposes of this example, we will assume that the development team opts for ‘CorrelaTTor-B-2’ as their candidate platform, since: [i] they require a simple ‘fail safe’ design; [ii] the CorrelaTTor design is likely to result in lower unit costs than the DuplicaTTor alternative.

The architecture of the chosen platform platform is illustrated schematically in the figure below.
empty_space

empty_space
The resulting system architecture will then be as illustrated here:
empty_space

empty_space


empty_space

Video presentation

youtube_logo_100
Video duration: 9 minutes.

A short video related to this design example is available.

[This is Video 22 (out of 28 videos) from the ‘online’ version of our popular TTb course.]

empty_space

empty_space


empty_space

Complete your cost-effective IEC 61508 design successfully using a SafeTTy Solutions™ package

empty_space
The design example presented on this page is based on a SafeTTy Solutions™ Package (SSP-RTL2).

SafeTTy Solutions Packages are designed to help your development team produce a safety-related embedded system quickly and cost-effectively, in compliance with one or more international safety standards (such as IEC 61508).

SafeTTy Solutions Packages are based on TT designs and include carefully-selected combinations of our various products and services.

SafeTTy Solutions Packages include an appropriate ReliabiliTTy® Technology Licence.

Learn more about SafeTTy Solutions Packages …

empty_space


empty_space