Features
Using Simulation to Characterize Common Cause
Fault tolerant systems have been designed for safety critical applications, including the protection of potentially dangerous industrial processes. These systems are typically evaluated and certified to functional safety standards such as IEC 61508 [1] by agencies like exida Certification or one of the TUV companies. Many factors are taken into account during the certification process, including hardware diagnostic capability, level of hardware redundancy, design processes used, software diagnostics and general equipment strength. It is now clearly recognized that common cause failures can have a major negative impact on the safety and availability of a fault tolerant system [2]: a single shared stress that fails all redundant units at once can wipe out the entire value of the redundancy. Common cause is therefore accepted as an important factor, but there is disagreement regarding how to account for it in the quantitative modeling. Part 7 of IEC 61508 at least provides a list of questions with a point scoring system [3].
In previous work [4, 5] it has been proposed that strength against common cause failures is obtained by following three principles:
1. Reduce the chance of a common stress: physical separation and electrical separation of redundant units.
2. Respond differently to a common stress: redundant units should use diverse mechanisms.
3. Increase strength against all failures.

But general guidelines and rules do not help in establishing quantitative measures. While several models exist to conceptually model common cause failures, there is little published guidance on how to establish the quantitative parameters used in these models, and it is hard to assign numbers to real implementations of fault tolerant systems.
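The effect the three principles have on the numbers can be made concrete with a small simulation. The following is an added example, not code from the article or from exida, and it uses a deliberately simple shared-shock model rather than the beta-factor method of IEC 61508. It models a 1oo2 pair (the system fails only when both units fail): each unit may fail on its own during a mission, and a common stress reaches both units with some probability. Without diversity, identical units respond identically to the stress, so one random outcome decides both; with diversity, each unit draws its own outcome. Separation lowers the probability that the stress reaches the units at all, and strength lowers the probability of failing when it does. All probabilities below are invented for illustration, not values from the article or the standard.

```python
"""Shared-shock model of common cause in a 1oo2 redundant pair.

Added example, not from the article. Parameter values are illustrative
assumptions, not data from IEC 61508 or from any certified product.
"""
import random


def p_fail_1oo2(p_independent, p_stress, p_fail_given_stress, diverse):
    """Exact probability that both units of a 1oo2 pair fail in one mission.

    p_independent      probability a unit fails on its own (random hardware fault)
    p_stress           probability the common stress reaches the units (principle 1)
    p_fail_given_stress probability a unit fails when stressed (principle 3)
    diverse            True: units respond independently to the stress (principle 2)
                       False: identical units, one outcome applies to both
    """
    q, s = p_independent, p_fail_given_stress
    if diverse:
        # Each unit fails if its own fault or its own stress response fails it.
        u = 1 - (1 - q) * (1 - s)
        both_fail_when_stressed = u * u
    else:
        # One shared outcome: both fail with prob s, otherwise only independent faults remain.
        both_fail_when_stressed = s + (1 - s) * q * q
    return (1 - p_stress) * q * q + p_stress * both_fail_when_stressed


def p_fail_single(p_independent, p_stress, p_fail_given_stress):
    """Failure probability of one unit on its own (the non-redundant reference)."""
    q, s = p_independent, p_fail_given_stress
    return (1 - p_stress) * q + p_stress * (1 - (1 - q) * (1 - s))


def redundancy_gain(p_independent, p_stress, p_fail_given_stress, diverse):
    """How many times safer the 1oo2 pair is than a single unit (100x if no common cause)."""
    return p_fail_single(p_independent, p_stress, p_fail_given_stress) / p_fail_1oo2(
        p_independent, p_stress, p_fail_given_stress, diverse)


def simulate_1oo2(p_independent, p_stress, p_fail_given_stress, diverse, trials, seed=1):
    """Monte Carlo estimate of p_fail_1oo2 with a fixed seed for reproducibility."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        fail_a = rng.random() < p_independent
        fail_b = rng.random() < p_independent
        if rng.random() < p_stress:  # the common stress reaches both units
            if diverse:
                fail_a |= rng.random() < p_fail_given_stress
                fail_b |= rng.random() < p_fail_given_stress
            elif rng.random() < p_fail_given_stress:
                fail_a = fail_b = True  # identical response: both fail together
        if fail_a and fail_b:
            failures += 1
    return failures / trials


if __name__ == "__main__":
    # Constructed baseline: 1% independent failure, 2% chance of a shared stress,
    # 50% chance a stressed unit fails. Each row applies one principle.
    q, ps, s = 0.01, 0.02, 0.5
    cases = [
        ("no common stress (ideal)",     q, 0.0,      s,       False),
        ("identical units, baseline",    q, ps,       s,       False),
        ("1. separation (stress /10)",   q, ps / 10,  s,       False),
        ("2. diverse response",          q, ps,       s,       True),
        ("3. strength (fail /5)",        q, ps,       s / 5,   False),
        ("all three combined",           q, ps / 10,  s / 5,   True),
    ]
    print(f"{'case':30} {'exact':>10} {'simulated':>10} {'gain':>8}")
    for name, qq, pss, ss, div in cases:
        exact = p_fail_1oo2(qq, pss, ss, div)
        sim = simulate_1oo2(qq, pss, ss, div, trials=200_000)
        gain = redundancy_gain(qq, pss, ss, div)
        print(f"{name:30} {exact:10.6f} {sim:10.6f} {gain:8.1f}")
```

The baseline row shows the point made in the text: a 2% chance of a shared stress turns a pair that would be 100 times safer than a single unit into one that is barely twice as safer, because almost all of the system failures are now common cause. The simulated column tracks the exact column closely, which is the check that the closed-form expressions and the simulation describe the same model; in a real assessment the hard part is not this arithmetic but justifying the stress and response probabilities for actual hardware.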

