ISE Functional Safety of Drone System

Ricardo Sanz

Universidad Politécnica de Madrid — Autonomous Systems Laboratory

Exercise Ex01 v0.0 — INGENIA Systems Engineering Course

This exercise addresses the need of achieving the necessary safety for the INGENIA SE challenge.

Keywords: SE | Functional Safety | IEC 61508

INGENIA Systems Engineering (ISE) focuses on systems engineering of software-intensive autonomous systems. This requires from the student teams the capability of building complex systems. This exercise (Ex01) focuses on functional safety of those systems.

Functional safety engineering is enabling the system to detect a potentially dangerous condition and activate a protective or corrective subsystem or behaviour to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event.

Parts of this text have been obtained from the public websites of the IEC and Wikipedia:
https://en.wikipedia.org/wiki/IEC_61508
http://www.iec.ch/functionalsafety

Contents
Introduction 1
About risk 1
A dual concept of functional safety 1
IEC 61508 1
Parts of IEC 61508 1
What systems does IEC 61508 cover? 2
Other Specs 2
  IEC 61511 2
  ISO 26262 2
  IEC 62279 2
  IEC 61513 2
  IEC 62061 2
Safety integrity level 2
The task 2
Relevant references 2

Introduction

In ISE we develop an intelligent system where intelligence comes from the execution of sophisticated software for perception, decision-making and control of a physical system. These systems offer behaviours that are not easily predictable. This is a major source of risk, esp. for a flying artefact. Among the tasks of the systems engineer the assurance of safety is one of the critical ones.

Safety is defined as freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment. Notice the keywords damage and unacceptable.

Total elimination of risk is impossible —there is no 100% safe system. A systems engineer sets an acceptable risk target and designs the system to behave under this boundary.

This exercise addresses functional safety. Functional safety is the part of the overall safety that depends on a system operating correctly in response to its inputs. This implies a safe perception–thought–action loop.

About risk

Table 1 – Consequence categories

Category      Definition
Catastrophic  Multiple loss of life
Critical      Loss of a single life
Marginal      Major injuries to one or more persons
Negligible    Minor injuries at worst

A dual concept of functional safety

IEC 61508

IEC 61508 is an international standard published by the International Electrotechnical Commission. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE).

The standard covers the complete safety life cycle, and may need interpretation to develop sector-specific standards. It has its origins in the process control industry but it is intended to be a basic functional safety standard applicable to all kinds of industry.

IEC 61508 defines functional safety as: "part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities."

All IEC International Standards in the IEC 61508 series were developed by IEC SC (Subcommittee) 65A: Industrial-process measurement, control and automation - Systems aspects.

Parts of IEC 61508

The IEC 61508 international standard consists of seven parts; only parts 1 to 4 contain normative requirements¹:

About ISE
INGENIA Systems Engineering is a transversal competences course focused on the application of systems engineering to the construction of an embedded intelligent system with augmented autonomy. Autonomy is a technical property of systems that makes them capable of sustained provision of a particular service even in the presence of major uncertainties in the service demand, the context of service execution and the disturbances that the system may be suffering from outside or inside.

¹ Non-normative parts are provided as informational, contextual or applicative materials. Conformance to these parts is neither expected nor required.
FS for INGENIA SE Drone Challenge ISE January 9, 2018 Ex01 v0.0 1–4
IEC 61508-1 — General requirements;
IEC 61508-2 — Requirements for electrical / electronic / programmable electronic safety-related systems;
IEC 61508-3 — Software requirements;
IEC 61508-4 — Definitions and abbreviations;
IEC 61508-5 — Examples of methods for the determination of safety integrity levels;
IEC 61508-6 — Guidelines on the application of IEC 61508-2 and IEC 61508-3;
IEC 61508-7 — Overview of techniques and measures.

What systems does IEC 61508 cover?

IEC 61508 applies to safety-related systems when one or more of such systems incorporate electrical and/or electronic and/or programmable electronic (E/E/PE) devices. It covers possible hazards caused by failure of the safety functions to be performed by the E/E/PE safety-related systems, as distinct from hazards arising from the E/E/PE equipment itself (for example electric shock etc). It is generically based and applicable to all E/E/PE safety-related systems irrespective of the application. It is recognized that the consequences of failure could also have serious economic implications and in such cases the standard could be used to specify any E/E/PE safety-related system used for the protection of equipment or product.

Other Specs

The IEC 61508 standard is considered a fundamental or "root" standard for functional safety. It is intentionally generic and vague to give room to domain-specific developments. IEC 61508 enables that various industry sectors develop their own specific standards based on established domain practices (e.g. 61513 for the nuclear domain, 62061 for the machine safety domain, and 61511 for the process control domain).

IEC 61511. IEC 61511 is an IEC standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of specific safety instrumentation. Such systems are referred to as Safety Instrumented Systems. The title of the standard is "IEC 61511 Functional safety - Safety instrumented systems for the process industry sector".

ISO 26262. ISO 26262 is an adaptation of IEC 61508 for Automotive Electric/Electronic Systems. It is being widely adopted by the major car manufacturers.

IEC 62279. IEC 62279 provides a specific interpretation of IEC 61508 for railway applications.

IEC 61513. IEC 61513 provides requirements and recommendations for the instrumentation and control for systems important to safety of nuclear power plants.

IEC 62061. IEC 62061 is the machinery-specific implementation of IEC 61508.

Safety integrity level

Safety integrity level (SIL) is defined as a relative level of risk reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a safety instrumented function (SIF).
https://en.wikipedia.org/wiki/Safety_integrity_level

The task

Smith (2016); Smith and Simpson (2004); Ross (2016); IEC (2016c,b,a)
Development Guidelines for Vehicle Based Software. MISRA. 1994. ISBN 0952415607.

Relevant references

The Eclipse Safety Framework (ESF) project provides a set of tools that enable both modelling and analysis of safety concerns in the context of modelling standards such as SysML and MARTE.
https://www.polarsys.org/proposals/eclipse-safety-framework

Glossary

domain-specific it is said of an entity that is tailored to a specific domain of application (in opposition to being general or cross-domain). 1
functional safety is the part of the overall safety that depends on a system operating correctly in response to its inputs. 1
risk is a .... 1
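A worked example for the Safety integrity level section and the acceptable-risk target set in the Introduction, added here and not part of the exercise sheet: it maps the Table 1 consequence categories to tolerable-frequency targets, computes the risk-reduction factor a safety function must provide for a given hazard, and selects the IEC 61508 low-demand SIL band (SIL 1 to SIL 4, RRF 10 to 100,000). The tolerable frequencies, hazard names and demand rates are assumed sample values, not figures from the exercise.

```python
"""Added example, not from the exercise sheet: required risk reduction and
IEC 61508 SIL band for drone hazards classed by the Table 1 categories."""
from dataclasses import dataclass

# IEC 61508 low-demand SIL bands as risk-reduction factor ranges
# (RRF = 1 / PFDavg): (lower, upper, SIL), lower inclusive, upper exclusive
SIL_BANDS = [(10, 100, 1), (100, 1_000, 2), (1_000, 10_000, 3), (10_000, 100_000, 4)]
# Acceptable-risk target per Table 1 consequence category, as a tolerable
# frequency of the hazardous event per year. Assumed sample values.
TOLERABLE_FREQ = {
    "Catastrophic": 1e-6,
    "Critical": 1e-5,
    "Marginal": 1e-4,
    "Negligible": 1e-3,
}

@dataclass
class Hazard:
    name: str
    category: str       # one of the Table 1 categories
    demand_rate: float  # hazardous events per year with no safety function acting

def required_rrf(h: Hazard) -> float:
    """Risk reduction the safety function must provide to reach the target."""
    return h.demand_rate / TOLERABLE_FREQ[h.category]

def sil_for(rrf: float):
    """Map a required RRF to a SIL. None: the EUC alone meets the target.
    'beyond SIL 4': no single E/E/PE safety function can deliver it, so the
    EUC itself must be redesigned to lower the demand rate."""
    if rrf < 10:
        return None
    for lo, hi, sil in SIL_BANDS:
        if lo <= rrf < hi:
            return sil
    return "beyond SIL 4"

def assess(hazards):
    """Return {hazard name: (required RRF, SIL)} for a list of hazards."""
    return {h.name: (required_rrf(h), sil_for(required_rrf(h))) for h in hazards}

if __name__ == "__main__":
    sample = [  # constructed quadrotor hazards; demand rates are illustrative
        Hazard("loss of thrust over people", "Catastrophic", 2e-2),
        Hazard("flyaway into a structure", "Marginal", 5e-3),
        Hazard("hard landing on the pad", "Negligible", 1e-3),
    ]
    for name, (rrf, sil) in assess(sample).items():
        print(f"{name}: required RRF {rrf:.0f} -> SIL {sil}")
```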

[Figure 1 – The 61508 family of standards have general parts and domain-specific parts.]

References

IEC (2016a). IEC 61508-3-1:2016 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3-1: Software requirements - Reuse of pre-existing software elements to implement all or part of a safety function. International Standard IEC TS 61508-3-1:2016, International Electrotechnical Commission.

IEC (2016b). IEC 61508-3:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements. International Standard IEC TS 61508-3:2010, International Electrotechnical Commission.

IEC (2016c). IEC 61511-1:2016 Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and application programming requirements. International Standard IEC 61511-1:2016, International Electrotechnical Commission.

Ross, H.-L. (2016). Functional Safety for Road Vehicles: New Challenges and Solutions for E-mobility and Automated Driving. Springer International Publishing.

Smith, D. J. (2016). The Safety Critical Systems Handbook. A Straightforward Guide to Functional Safety: IEC 61508 (2010 Edition), IEC 61511 (2015 Edition) & Related Guidance. Butterworth-Heinemann, 4th edition.

Smith, D. J. and Simpson, K. G. L. (2004). Functional Safety. A Straightforward Guide to applying IEC 61508 and Related Standards. Elsevier, 2nd edition.

The ISE logo highlights the abstract nature of systems thinking. Abstraction is key to rigorous development of safe systems.