Failure mode reasoning in safety-critical programs
In the process industry, a Safety Instrumented System (SIS) is a mechanism that protects against process-related hazards. The failure of an SIS can result in catastrophic failure of the plant and potentially loss of lives. It is therefore crucial that the failure modes of SISs are known and addressed early in the design and realization stage. An SIS comprises hardware components and a software element – the program. The main role of the program is to process real-time readings from the sensors, which monitor the status of the plant, and decide if a safety action should be triggered to save the plant from a hazardous event.
Failure Mode Reasoning (FMR) is a new method for analyzing the transformation of faults through SIS programs. Where the subject of study is the program itself, FMR helps identify potentially incorrect parameters within the program. Where the program is considered “as intended,” the method helps identify the combinations of SIS input failure modes that can result in undesired outputs. FMR uses the program architecture for deductive reasoning. The process begins with a given output failure as the premise and concludes with a list of potential causes of the failure being produced. FMR employs an abstraction technique to derive the program’s failure behavior from its functional behavior. The method is compositional and can be applied to any program architecture, regardless of its complexity.
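As an added illustration that is not part of the original text and does not reproduce the paper's own formalism, the following Python sketch applies the reasoning just described to a constructed 2oo3 high-trip voting block: the sensor failure modes ("stuck_low", "stuck_high"), the setpoint and the abstraction from mode to observed value are all assumptions. Starting from an output failure as the premise, it derives the program's failure behaviour from its functional (voting) behaviour and reports the minimal combinations of input failure modes that produce it; an empty combination points at the program itself, here a mis-set parameter.

```python
from itertools import product

# Constructed example: a 2oo3 high-pressure trip, not taken from the paper.
TRIP_LIMIT = 100.0                          # assumed intended setpoint, arbitrary units
SENSOR_MODES = ("ok", "stuck_low", "stuck_high")

def vote_2oo3(readings, limit):
    """Functional behaviour: trip when at least two of three readings exceed the limit."""
    return sum(r > limit for r in readings) >= 2

def observed(mode, true_value, limit):
    """Abstraction step: map a sensor failure mode to the value the program actually sees."""
    if mode == "ok":
        return true_value
    if mode == "stuck_low":
        return 0.0
    return 2 * limit                        # stuck_high: well above any setpoint

def output_failure(modes, true_value, limit):
    """Failure behaviour derived from functional behaviour for one combination of input modes."""
    hazard = true_value > TRIP_LIMIT        # physical truth is judged against the intended setpoint
    trip = vote_2oo3([observed(m, true_value, limit) for m in modes], limit)
    if hazard and not trip:
        return "fail_to_trip"
    if trip and not hazard:
        return "spurious_trip"
    return None

def fmr(premise, true_value, limit=TRIP_LIMIT):
    """Deductive reasoning: from an output failure (the premise) back to the minimal
    combinations of input failure modes that can produce it.  The program's configured
    'limit' may differ from the intended TRIP_LIMIT; an empty combination in the result
    means no input fault is needed, i.e. the program parameter itself is the cause."""
    causes = set()
    for modes in product(SENSOR_MODES, repeat=3):
        if output_failure(modes, true_value, limit) == premise:
            causes.add(frozenset((i, m) for i, m in enumerate(modes) if m != "ok"))
    # Keep only minimal cut sets: drop any combination that strictly contains another cause.
    minimal = [c for c in causes if not any(o < c for o in causes)]
    return sorted(sorted(c) for c in minimal)

if __name__ == "__main__":
    print(fmr("fail_to_trip", 150.0))             # any two sensors stuck low
    print(fmr("spurious_trip", 50.0))             # any two sensors stuck high
    print(fmr("fail_to_trip", 150.0, limit=200))  # [[]]: mis-set setpoint, no input fault needed
```

With the program "as intended" (default limit) the method yields the dangerous two-sensor combinations; with a wrongly configured setpoint it yields the empty combination, separating the two uses of FMR named in the text.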
Herein, we describe the concepts, formalize the method and demonstrate its application in industrial case studies. We also generalize the method for its use in failure modeling in generic systems, as opposed to its specific application in SIS programs.