This paper shows how heterogeneous stochastic modelling techniques of increasing modelling power can be applied to assess the safety of a digital control system. First, a Fault-Tree (FT) has been built to model the system, assuming two-state components and independent failures. Then, the FT is automatically converted into a Bayesian Network, allowing to include more modelling details and locali...

Engineers who develop safety-related systems are required to work to remarkably high standards: SIL 1, the lowest classification recognised by the international standard IEC 61508, requires a probability of failure/hour (pfh) of 10-5 or lower; and many systems are required to achieve several orders of magnitude lower failure rates than this. Yet SIL 1 is already so demanding that it is impracti...

This white paper introduces key dependability aspects for industrial and automotive customers who are designing and developing programmable electronic equipment for safety applications using Xilinx® FPGA and SoC devices. The main focus of this white paper is to explain how to create solutions with highly integrated, high-performance certif iable systems that target IEC 61508 / ISO 26262 norms. ...

Safety integrity level (SIL) verification is a critical step in safety lifecycle of safety-related systems (SRS). Introducing redundancy into SRS raises two issues: voting group configuration and common cause failures (CCF). In order to minimize CCF, diverse redundancy is widely adopted by SRS. However, in the past, almost all attention of SIL verification has been paid to identical redundancy,...

The upcoming safety standard ISO/WD 26262 that has been derived from the more general IEC 61508 and adapted for the automotive industry, introduces the concept of a safety case, a scheme that has already been successfully applied in other sectors of industry such as nuclear, defense, aerospace, and railway. A safety case communicates a clear, comprehensive and defensible argument that a system ...

Programmable components (like personal computers or smart devices) can offer considerable benefits in terms of usability and functionality in a safety-related system. However there is a problem in justifying the use of programmable components if the components have not been safety justified to an appropriate integrity (e.g. to SIL 1 of IEC 61508). This paper outlines an approach (called LowSIL)...

The object of this work is the probabilistic performance evaluation of safety instrumented systems (SIS), i.e. the average probability of dangerous failure on demand (PFDavg) and the average frequency of failure (PFH), taking into account the uncertainties related to the different parameters that come into play: failure rate (λ), common cause failure proportion (β), diagnostic coverage (DC)... ...

AUTOSAR is a standard for the development of software for embedded devices, primarily created for the automotive domain. It specifies a software architecture with more than 80 software modules that provide services to one or more software components. With the trend towards integrating safety-relevant systems into embedded devices, conformance with standards such as ISO 26262 [ISO11] or ISO/IEC ...

Formal verification and validation is a fundamental step for the certification of railways critical systems. Many railways safety standards (e.g. the CENELEC EN-50126, EN-50128 and EN-50129 standards implement the mandatory safety requirements of IEC-61508-7 standard for Functional and Safety) currently mandate the use of formal methods in the design to certify correctness. In this paper we des...