350 Chapter 13 Dependability engineering
[Figure 13.3 Protection system architecture. Components shown: system environment, sensors, protection sensors, control system, protection system, actuators, controlled equipment.]
specification is correct and consistent and that the software is correct with respect to its
specification. The aim is to ensure that the reliability of the protection system is such
that it has a very low probability of failure on demand (say, 0.001). Given that demands
on the protection system should be rare, a probability of failure on demand of 1/1,000
means that protection system failures should be very rare indeed.
13.3.2 Self-monitoring architectures
A self-monitoring architecture is a system architecture in which the system is
designed to monitor its own operation and to take some action if a problem is
detected. This is achieved by carrying out computations on separate channels and
comparing the outputs of these computations. If the outputs are identical and are
available at the same time, then it is judged that the system is operating correctly. If
the outputs are different, then a failure is assumed. When this occurs, the system will
normally raise a failure exception on the status output line, which will lead to control
being transferred to another system. This is illustrated in Figure 13.4.
To be effective in detecting both hardware and software faults, self-monitoring
systems have to be designed so that:
1. The hardware used in each channel is diverse. In practice, this might mean that
each channel uses a different processor type to carry out the required computations,
or the chipset making up the system may be sourced from different manufacturers.
This reduces the probability of common processor design faults
affecting the computation.
2. The software used in each channel is diverse. Otherwise, the same software
error could arise at the same time on each channel. I discuss the difficulties of
achieving truly diverse software in Section 13.3.4.
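The two-channel comparison described in this section, as an added example that is not from the book: two deliberately different implementations of one hypothetical protection decision run as separate channels, and a comparator releases the output only when both results are identical and both arrive before a common deadline; otherwise it reports a failure on the status output (the channel functions, inputs and deadline are constructed for illustration).

```python
"""Two-channel self-monitoring comparator (illustrative, not from the book)."""
from concurrent.futures import ThreadPoolExecutor, wait
from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class Status:
    ok: bool        # True only when both channels agreed within the deadline
    reason: str     # what would be reported on the status output line


def run_self_monitored(channel_a: Callable[..., Any], channel_b: Callable[..., Any],
                       deadline_s: float, *inputs: Any) -> tuple[Optional[Any], Status]:
    """Run the same computation on two diverse channels and compare the results.

    Results must be identical AND both available within deadline_s measured from a
    common start; otherwise no output is released and a failure is signalled, so the
    caller can transfer control to another system.
    """
    pool = ThreadPoolExecutor(max_workers=2)
    futures = [pool.submit(channel_a, *inputs), pool.submit(channel_b, *inputs)]
    done, not_done = wait(futures, timeout=deadline_s)   # one shared deadline
    pool.shutdown(wait=False)                             # never block on a stuck channel
    if not_done:
        return None, Status(False, "channel missed deadline")
    results = []
    for fut in futures:
        exc = fut.exception()                             # a crashed channel is a failure too
        if exc is not None:
            return None, Status(False, f"channel raised {type(exc).__name__}")
        results.append(fut.result())
    if results[0] != results[1]:
        return None, Status(False, f"channel disagreement: {results[0]!r} != {results[1]!r}")
    return results[0], Status(True, "channels agree")


# Two diverse implementations of one constructed protection decision:
# "trip if the mean of the pressure readings exceeds the limit".
def trip_channel_a(readings: list[int], limit: int) -> bool:
    return sum(readings) / len(readings) > limit          # floating-point mean

def trip_channel_b(readings: list[int], limit: int) -> bool:
    return sum(readings) > limit * len(readings)          # integer cross-multiply, no division


if __name__ == "__main__":
    print(run_self_monitored(trip_channel_a, trip_channel_b, 0.1, [100, 102, 98], 105))
```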

