Systematic fault

Compared with identical separation, which helps against random failures, diverse separation offers the additional benefit of reducing the probability of systematic faults and of reducing common cause failures. 

The requirements of this part of the standard are targeted at ensuring that architectures have the necessary fault tolerance for random hardware faults and some systematic faults. In deciding the extent of fault tolerance needed there are a number of factors that should be taken into consideration as follows ... 

The complexity of the devices used within the subsystem. A device will be less likely to be subject to systematic faults if the failure modes are well defined, the behaviour under fault conditions can be determined and there is sufficient failure data from field experience ... 

Diagnostics may not be capable of detecting systematic errors (such as software bugs). However, appropriate precautionary measures to detect possible systematic faults may be implemented. 

Many of the requirements of lEC 61508 focus on the elimination of systematic faults. In order to demonstrate compliance with all requirements of lEC 61508, the design and development process used to create an instrument must show extensive use of many techniques for "fault control" and "fault avoidance." The lEC 61508 standard defines a set of practices that represent good software and hardware engineering. Most experts believe that these methods are the best techniques available to provide high design quality. 

The concept of the "well designed system" was also presented in Chapter 3. A simplistic definition of such a system would be one where aU the techniques and measures presented in our functional safety standards to prevent systematic failures are followed. These techniques and measures are planned to significantly reduce the chance of a systematic fault to a tolerable level. Therefore, systematic failure rates caused by human error including failures due to installation errors, failures due to calibration errors and failures due to choosing equipment not suited for purpose are not included in the calculation. 

When details about failure cause are not collected, failures due to maintenance errors, calibration errors and other systematic faults cannot be distinguished from random failures. The result is a number that can be high. 

The 3051S SIS has a 61508 assessment certificate states that the product can be used in SIL 2 applications as a single transmitter and SIL 3 applications if more than one transmitter is used in an identical redundant (hardware fault tolerance > 0) architecture. This helps point out the differences between random and systematic failures. The design process used to create the transmitter and its software met the more rigorous criteria of SIL 3. The chance of a systematic fault is lower. 

In the opinion of committee members on functional safety standards, some of the above factors cannot be practically quantified, e.g., systematic faults like software bugs or procedural errors. Hence functional safety standards provide requirements for protection against systematic faults as well as requirements to do probabilistic calculations to protect against random failures. For the typical SIF solutions being reviewed in this chapter the results of probabilistic SIL verification calculations, including architecture limitations per lEC 61508 (Ref. 1), will be used to demonstrate whether the design satisfies the SIL requirements. 

All equipment used in the SIS must be classified as a safety instrumented system. The design, installation, operation and maintenance process must follow all the rules of ANSl/lSA-84.00.01-2004 (lEC 61511 Mod), put there to prevent systematic faults. If this is not done, the standard clearly states that any safety instrumented function cannot have a risk reduction greater than 10. This is the bottom of SlLl range so, in effect, that design cannot meet SIL 1 requirements. The practical effect of this requirement is that a designer cannot combine control functions and safety functions in the same equipment imless the equipment is classified as a safety instrumented system and follows aU the design rules of the standard. 

Design and implementation errors made by developers (i.e., humans or tools during system specification, design, development or manufacture), or by human error during operation or maintenance are referred to as systematic faults and failures (Weaver, 2003). Such faults are labelled as systematic because they originate from specific instances of a breakdown in the degree to which these activities are methodical. The result of failing to be systanatically methodical is usually that the behaviour of the system under specific contextual circumstances will vary from the behaviour intended... 

B5.6 S/W Fault Tolerance A key factor to providing an acceptably safe system architecture (i.e., robust against both random and systematic faults and failures) is fault tolerance. Fault tolerance is the ability for a system to detect an error, fault... 

To prevent the introduction of faults during the design and development of the SIS hardware and software, requirements for the avoidance and control of systematic faults (i.e. related in a deterministic way to a certain cause) are introduced. Techniques and measures are given in Part 2 Atmexes A and B. 

Locate all equipments that consistently appear to have systematic faults (MTBF clearly worse than the whole of this class of equipment) ... 

Took for subtle systematic faults, as evidenced by incidents and anomcJies. (Claphcun Junction, Minneapolis)... 

Measures and techniques used to prevent systematic faults being introduced during design and implementation of the subsystem. In addition also a design review, simulation or analysis measure shall be applied. 

Design features that make the subsystem tolerant against systematic faults. 

Typically, juniors constitute the greatest number of managers, ttieir responsibilities are operational, and fiieir influence is local. In operation, failure of their control is likely to lead to a single incident - though, in manufacture, it could introduce a systematic fault into many systems. 

Middle managers are fewer and the influence of their decisions and actions extends over the lower level as well as their own. They are charged with ensuring that business objectives are met, so the ways in which they do this can introduce systematic faults into the ways in which junior managers and staff function. 

Is the observed association the result of systematic faults in the way individuals were chosen (bias) or in the way information was acquired from them ... 

Where there is any difference between the operational profiles and physical environments of a component or subsystem as experienced previously, and the operational profile and physical environment of the component or subsystem when used within the safety instrumented system, then any such differences shall be identified and there shall be an assessment based on analysis and testing, as appropriate, to show that the likelihood of systematic faults when used in the safety instrumented system is sufficiently low. 

Procedure for identification and prevention of safety-related systematic faults - S.2.5.3 Recommendations to address identified discrepancies... 

Refer to lEC 61508-1, table 2 (for low demand mode operation) or table 3 (for continuous or high demand mode operation) to determine the safety integrity level (SIL). The SIL then guides the selection of the techniques used for the avoidance of systematic faults in both hardware and software, so that as the risk reduction increases, or the hazard rate decreases, there is a reduction in the likelihood that systematic failures (including those resulting from incorrect specification) will result in a hazard. 

Route 1 s, requirements for the avoidance (prevention) and requirements for the control of systematic faults ... 

Random failure (see Chapter VII) Random failures are project specific in the sense that they depend on the process and its use. From lEC 61508 it is found that a failure occurs at a random time, which results from one or more degradation mechanisms. Random failures are mainly caused by physical damage/changes such as wearout, thermal stress erosion/corrosion, etc. These are applicable for hardwires of E/E/PEs in automation systems. The rate of failure of random failures normally cannot be reduced instead for random failures focus should be on their detection and handling. Statistical data handling and treatments can be applied to random failures, hence risks associated with random failure can be calculated. This is not possible in the case of software with systematic faults. Common cause failure (see Chapter VII) This is a kind of fault that causes multiple devices/systems to fail simultaneously. Common cause failure may be random or systematic. This is discussed in Fig. 1/8.3-1 in Chapter I, Chapter Vll, and in Ref. [9]. 

With the idea about software flaws discussed above, it is time to marry these with FTA. Assuming the correct inputs, there can be erroneous output at the controller that may be due to a flaw in designing the software. All these are design flaws a flaw in software logic is a systematic fault, which can be reproduced every time the conditions that trigger the error in the control logic are present. These conditions are... 

I. B. Santiago, J.M. Faure, Y. Papadopoulos, Including Systematic Fault into Fault Tree Analysis, December 2008. HAL Id hal-00348072, https //hal.archives-ouvertes.fr/hal-00348072. 

Systematic failure normally occurs on account of design failure, including incorrect specifications, using a component not fit for the operation, and or due to error in software. Safety life cycle is adapted for systematic faults. So safety standards meant for E/E/PEs take care of both. SISs (Ref. Chapter VII) are developed to prevent or mitigate hazardous events to protect people or the environment, or prevent damage to process equipment. In this connection another important issue is SIL (Chapter VIII), which is a discrete level for specifying the safety integrity requirements of safety functions, but is not a measure of risk. SIL provides means for risk reduction to a tolerable level. The fundamental question, in case of functionally safe instrumentation, is how frequently failures of function will lead to accidents. The answers can be ... 

Systematic safety integrity issues including avoidance of failures, control of systematic faults, system behavior on fault detection, and proven equipment issue. 

Systematic faults occur due a combination of conditions resulting in a reproducible failure of the system, and are most often attributable to software issues in programmable safety systems. This failure may be a result of some error in design, operation or production process, installation and/or maintenance. Improper implementation of MOC at any stage could be responsible for systematic failure also. Device manufacturing errors can be addressed by diversity this increases the SIF complexity. Diversity can be applied to sensor, I/O technologies, control and software platforms, and even product development teams. Incorrect specification, implementation. 

---