Publication


Featured research published by Hendrik Schäbe.


international conference on computer safety reliability and security | 2009

Probability of Failure on Demand --- The Why and the How

Jens Braband; Rüdiger vom Hövel; Hendrik Schäbe

In the paper, we will study the PFD and its connection with the probability of failure per hour and the failure rates of equipment using very simple models. We describe the philosophies behind the PFD and the THR. A comparison shows how the philosophies are connected and which connections between PFH and PFD are implied. Depending on additional parameters, there can be deviations between safety integrity levels that are derived on the basis of the PFD and the PFH. Problems are discussed that can arise when working with the PFD. We describe how PFD and PFH in IEC 61508 are connected with the THR defined in the standard EN 50129. We discuss arguments that show why care is needed when using the PFD. Moreover, we present a reasoning why a probability of failure on demand (PFD) might be misleading.
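The deviation between a SIL derived from the PFD (probability of failure on demand) and one derived from the PFH (probability of failure per hour) can be made concrete with a few lines of arithmetic. The following is an added example, not code from the paper: it assumes a single-channel (1oo1) function with constant dangerous failure rate λ_D, the commonly tabulated IEC 61508 target bands for PFD_avg and PFH, and the textbook approximation PFD_avg ≈ λ_D·T/2 for a proof-test interval T; the failure rate and intervals are constructed values.

```python
"""PFD versus PFH: the same channel can land in different SILs.

Added illustration, not code from the paper.  Assumptions (labelled):
  * a single-channel (1oo1) safety function with constant dangerous
    failure rate lambda_d [1/h], no diagnostics and no repair between
    proof tests, so PFH == lambda_d;
  * the IEC 61508 target bands for PFD_avg (low demand) and PFH
    (high demand / continuous) as commonly tabulated;
  * PFD_avg ~= lambda_d * T / 2 for proof-test interval T [h], with the
    exact 1oo1 time average kept as a check on the linearisation.
"""
import math

# (SIL, upper bound of the band): a value below the bound meets that SIL.
PFD_BANDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]
PFH_BANDS = [(4, 1e-8), (3, 1e-7), (2, 1e-6), (1, 1e-5)]


def sil_met(value, bands):
    """Highest SIL whose band the value satisfies, or None if worse than SIL 1."""
    for sil, upper in bands:
        if value < upper:
            return sil
    return None


def pfd_avg_1oo1(lambda_d, test_interval_h):
    """Linearised average unavailability of a 1oo1 channel: lambda*T/2."""
    return lambda_d * test_interval_h / 2.0


def pfd_avg_1oo1_exact(lambda_d, test_interval_h):
    """Exact time average of 1 - exp(-lambda*t) over one proof-test interval."""
    x = lambda_d * test_interval_h
    return 1.0 - (1.0 - math.exp(-x)) / x


def implied_test_interval_h():
    """Proof-test interval at which the PFD and PFH bands coincide (T/2 = 1e4 h)."""
    return 2.0 * (PFD_BANDS[0][1] / PFH_BANDS[0][1])


def compare_sil(lambda_d, test_interval_h):
    """SIL derived from PFH next to the SIL derived from PFD_avg for one channel."""
    pfd = pfd_avg_1oo1(lambda_d, test_interval_h)
    return {
        "pfh": lambda_d,
        "sil_from_pfh": sil_met(lambda_d, PFH_BANDS),
        "pfd_avg": pfd,
        "sil_from_pfd": sil_met(pfd, PFD_BANDS),
        "linearisation_error": abs(pfd - pfd_avg_1oo1_exact(lambda_d, test_interval_h)),
    }


if __name__ == "__main__":
    # Constructed example: lambda_d = 5e-8/h sits in the middle of the SIL 3 PFH band.
    lam = 5e-8
    print(f"PFD and PFH bands coincide at T = {implied_test_interval_h():.0f} h")
    for years in (0.25, 1.0, 10.0):
        r = compare_sil(lam, years * 8760.0)
        print(f"T = {years:5.2f} y: SIL(PFH) = {r['sil_from_pfh']}, "
              f"PFD_avg = {r['pfd_avg']:.2e} -> SIL(PFD) = {r['sil_from_pfd']}")
```

The four-orders-of-magnitude gap between the two tables corresponds to one proof-test interval of 20 000 h (about 2.3 years). Test quarterly and the same hardware reads as SIL 4 by PFD while remaining SIL 3 by PFH; test every ten years and it drops to SIL 2. That is the "additional parameter" the abstract warns about, and it is why a PFD figure quoted without its test interval is not a property of the equipment.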


international conference on computer safety reliability and security | 2012

Towards an IT security protection profile for safety-related communication in railway automation

Hans-Hermann Bock; Jens Braband; Birgit Milius; Hendrik Schäbe

Some recent incidents have shown that the vulnerability of IT systems in railway automation has possibly been underestimated so far. Fortunately, so far almost only denial-of-service attacks have been successful, but due to several trends, such as the use of commercial IT and communication systems or privatization, the threat potential could increase in the near future. However, up to now no harmonized IT security requirements for railway automation exist. This paper defines a reference communication architecture which aims to separate IT security and safety requirements, as well as certification processes, as far as possible, and discusses the threats and IT security objectives including typical assumptions in the railway domain. Finally, examples of IT security requirements are stated and discussed based on the approach advocated in the Common Criteria, in the form of a protection profile.


Statistical Papers | 1998

Accelerated life testing models for nonhomogeneous Poisson processes

Hendrik Schäbe

In this paper an axiomatic approach is used to construct accelerated life testing (ALT) models for Nonhomogeneous Poisson Processes (NHPPs). First, the models of random lifetime variables and Nonhomogeneous Poisson Processes used for modeling non-repairable and repairable systems are compared. Then, an axiomatic approach for the construction of ALT models for NHPPs is given. Particular models are considered that can be constructed by this method.


Statistical Papers | 1997

Parameter estimation for a special class of Markov chains

Hendrik Schäbe

The following paper is dedicated to a special class of stationary Markov chains. The transition probabilities are constructed from bivariate distribution functions of the Morgenstern type. These Markov chains are defined by their stationary distribution and a parameter a controlling the correlation between succeeding values of the chain. Relevant properties of the Markov chain are discussed. Some estimators of the parameter a are studied. The maximum likelihood estimator is compared with a simple estimator.


Safety and Reliability | 2016

Probability and security – pitfalls and chances

J. Braband; Hendrik Schäbe

Information security for safety-related systems has become a real issue, in any case since attacks on industrial control systems have been reported. So, there is the task to consider information technology (IT) security issues for safety-related systems. For safety-related systems, there are many probabilistic approaches to computing a residual risk or tolerable risk. This is done for almost all areas of systems. The common concept of these standards is: there exists a certain probability that these systems will have a dangerous failure over a certain mission time (or a dangerous failure rate at a given point of time). Dangerous failures can be systematic or random. The probability for random failures can be computed and for systematic failures, there exist commonly agreed counter measures. When it comes to risk analysis, many concepts from safety and IT security seem very similar; only the wording seems different. What’s called a hazard in safety is called a threat in IT security, but the risk analysis processes really look alike. We show why the concept of probability cannot be applied to IT security. The key to solving the problem is to treat IT security in the same way as systematic failures in the safety domain. We have argued that there are similar problems in the application of probabilistic concepts and we could try to transfer the concept. This would mean to introduce levels for IT security similar to the Safety Integrity Levels (SIL).


Proceedings of the Institution of Mechanical Engineers, Part O: Journal of Risk and Reliability | 2013

Assessment of national reference values for railway safety: a statistical treatment

Jens Braband; Hendrik Schäbe

We discuss the decision procedure used in the Commission Decision for national reference values. According to the safety directive, every year seven safety indicators have to be computed for every member state. In the decision, a fixed procedure has been presented for computing the safety indicators and for assessing whether there is a possible deterioration in safety. In the safety assessment, the decision depends on a weighted sum in place of an arithmetic mean. It is then of interest how such a decision procedure would behave and what the advantages and disadvantages of the particular method would be. In this article, we study a slightly simplified version of the procedure by two means. First, we analyze the weighted sum and derive its characteristic as efficiency. Moreover, we compare it via a spread with an ordinary sample mean. We support the theoretical results with the help of a simple simulation study in order to estimate failure probabilities of the first and second kinds. In particular, we construct such alternative distributions that the decision procedure cannot distinguish.


Dependability | 2018

Forming a system with a higher safety integrity level from components with a low safety integrity level

Hendrik Schäbe

Aim. Technical systems are becoming more and more complex. An increasing number of technical systems contains electronic equipment and software, thus their functional safety is of utmost importance. The safety integrity level is defined by a discrete number that characterizes the set of measures against random and systematic failures depending on the specified risk reduction requirements. The concept of safety integrity levels (SIL) was developed as part of various systems of standards. While the safety architecture of a system is considered, the main question arises: how systems with higher SIL are made out of components and subsystems with low SIL. The answer to that question will allow using existing and certified components in the development of systems with specified safety integrity levels, probably with higher SIL than the SIL of the components. Methods. The paper analyzes and compares the existing rules of system combination with safety integrity levels set forth in various functional safety standards, e.g. EN 50126/8/9, ISO 26262, IEC 61508, DEF-STAN-00-56, SIRF and the Yellow Book. Besides the tolerable failure rates, the system design requirements must make provisions for combining low SIL subsystems to make higher SIL systems. The widest set of methods is defined for SIL 4 compliance. However, this set of methods cannot be reworked for all possible systems into a simple rule for the combination of systems with lower SIL into systems with higher SIL. In general, the combination of systems into a serial structure will make a system with the safety integrity level equivalent to the lowest subsystem safety integrity level. Tentatively, we can assume that by combining two subsystems with the same safety integrity level we can create a system with a safety integrity level one step higher. Results. It is shown that the general SIL allocation rule established in the DEF-STAN-00-56, the Yellow Book or the SIRF standards cannot be recommended for all countries and any situations. Failure rate and/or observation intervals must be taken into consideration. It is proven that general rules can only be given for subsystems connected in parallel and some SIL combinations (see e.g. the Yellow Book, SIRF). In each case common failures must be taken into consideration. The general rule may be as follows: in order to achieve system SIL one level higher than the initial level, two component subsystems with the SIL one level lower must be connected in parallel. Other system architectures must be thoroughly studied.
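The series rule, the parallel rule and the common-cause caveat from the Results can be checked numerically. The following is an added example and not the paper's own calculation: it uses the simplified IEC 61508-6 style expressions PFD_avg(1oo1) ≈ λ_D·T/2 and, with a beta-factor model of common-cause failure, PFD_avg(1oo2) ≈ ((1−β)·λ_D·T)²/3 + β·λ_D·T/2; the failure rate, proof-test interval and β values are constructed. Only the random-hardware-failure dimension is modelled; the architectural constraints (hardware fault tolerance, safe failure fraction) and systematic capability that the standards also impose are deliberately left out, so the SILs printed are what PFD arithmetic alone would allow.

```python
"""Combining two low-SIL subsystems: series vs. parallel, with common cause.

Added illustration, not the paper's code.  Assumptions (labelled):
  * each subsystem is a 1oo1 channel with constant dangerous failure
    rate lambda_d [1/h], proof-tested every T hours, no diagnostics;
  * PFD_avg(1oo1) ~= lambda_d*T/2;
  * common-cause failure follows the beta-factor model: a fraction beta
    of each channel's dangerous failures hits both channels at once, so
      PFD_avg(1oo2) ~= ((1-beta)*lambda_d*T)**2 / 3 + beta*lambda_d*T/2;
  * series structure = both subsystems must work (rare-event sum).
Architectural constraints and systematic capability, which also limit
the achievable SIL, are not modelled.
"""

PFD_BANDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]  # (SIL, band upper bound)


def sil_met(pfd_avg):
    """Highest SIL whose PFD band the value satisfies; None if worse than SIL 1."""
    for sil, upper in PFD_BANDS:
        if pfd_avg < upper:
            return sil
    return None


def pfd_avg_1oo1(lambda_d, test_interval_h):
    """Linearised average unavailability of a single proof-tested channel."""
    return lambda_d * test_interval_h / 2.0


def pfd_avg_series(*pfds):
    """Series structure: a dangerous failure of either subsystem is dangerous."""
    return sum(pfds)  # rare-event approximation of 1 - prod(1 - p)


def pfd_avg_1oo2(lambda_d, test_interval_h, beta):
    """Two identical channels in parallel (1oo2) with beta-factor common cause."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    independent = (1.0 - beta) * lambda_d * test_interval_h  # both fail independently
    common = beta * lambda_d * test_interval_h / 2.0          # one event kills both
    return independent ** 2 / 3.0 + common


def sil_gain(lambda_d, test_interval_h, beta):
    """SIL steps a 1oo2 pair gains over one channel; None if either is worse than SIL 1."""
    single = sil_met(pfd_avg_1oo1(lambda_d, test_interval_h))
    pair = sil_met(pfd_avg_1oo2(lambda_d, test_interval_h, beta))
    if single is None or pair is None:
        return None
    return pair - single


if __name__ == "__main__":
    lam, T = 5e-7, 8760.0  # constructed: one channel is SIL 2 by PFD_avg
    single = pfd_avg_1oo1(lam, T)
    print(f"one channel:   PFD_avg = {single:.2e} -> SIL {sil_met(single)}")
    series = pfd_avg_series(single, single)
    print(f"two in series: PFD_avg = {series:.2e} -> SIL {sil_met(series)}")
    for beta in (0.0, 0.02, 0.10):
        pair = pfd_avg_1oo2(lam, T, beta)
        print(f"1oo2, beta={beta:4.2f}: PFD_avg = {pair:.2e} -> SIL {sil_met(pair)}")
```

Two SIL 2 channels in series stay SIL 2, as the abstract states. In parallel, the independent term alone would promise two levels, but the β term is simply β times a single channel's PFD and dominates once β is realistic: at β = 10 % the pair gains exactly one level, at β = 2 % the arithmetic still says two. That gap is why the combination rule is only safe to state as "one level higher" and only after common-cause failures have been quantified, and why the standards' architectural constraints, not PFD arithmetic, usually decide the final answer.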


Safety and Reliability | 2014

A Simple Model of the Software Failure Rate

Hendrik Schäbe

In the paper a very simple model of a software failure rate is derived. This model is not intended to compute the failure rate or failure probability of software under realistic conditions. It is rather used to show the influences of measures for software quality assurance and of measures required by software safety standards on this failure rate, i.e. a tendency. In particular, it is shown that testing is important to reduce the software failure rate and the effect is the larger, the closer testing is to exhaustive testing. Verification is also important and it needs to be done by an independent person or party to give a good effect. Another result is that the software failure rate grows with the size of the software, the frequency with which the software is used, and the fraction of the software that is used per demand cycle. As a result, it is recommended to implement the measures with more consequence and rigidity, the larger the part of the software that is used, the larger the software itself and the more frequently it is used.


Safety and Reliability | 2011

A spot of an upside down bathtub failure rate lifetime distribution in the wild

Hendrik Schäbe

Lifetime distributions are characterised by the behaviour of the coinciding failure rate as increasing (wear), decreasing (early failures) or bathtub (typical behaviour with three phases). Some distributions have upside down bathtub shaped (UBT) failure rates, which is often associated with overload of a component or a subsystem. Many models of UBT distributions can be found, but not many practical examples. Analyzing a large sample of washing machines over a lifetime, a distribution with UBT shaped failure rate has been found. The failures occurred too early and not all machines were subject to this type of failure. A technical investigation has been carried out to reveal the failure process. It turned out that too much grease had been used, causing pollution of the commutators of the electrical motor. This pollution increased as long as oil was bleeding out of the grease. The commutator demonstrated a kind of self-cleaning property if no more oil polluted the commutator. The polluted commutator caused increased electrical discharges at the commutator. These electrical discharges caused instabilities in the controller of the machine leading to failures requiring intervention of a repair technician. The cause was insufficient protection of the controller board against ripple voltage transmitted via the connecting lines. As long as the grease was bleeding out oil, the risk of failure increased. After the quantities of oil decreased, caused by the self-cleaning of the brushes of the motor, electrical discharges and therefore also failures of the machines decreased. A mathematical model has been developed to describe this entire process. As a result, a UBT shaped failure rate has been derived which fitted quite well a large set of data (several tens of thousands of failures). The model allows one to explain the observed failure data in terms of the physical failure process and to better understand the application of lifetime distributions with UBT failure rates. Future work could be dedicated to other, simpler failure type distributions with UBT failure rate and to simplifying the given model, which is still quite close to physical processes.


Archive | 2013

Comparison of compound Poisson processes as a general approach towards efficient evaluation of railway safety

Jens Braband; Hendrik Schäbe

Collaboration

Top Co-Authors

Birgit Milius

Braunschweig University of Technology