MODELLING OF SAFETY CHARACTERISTICS OF REDUNDANT SAFETY – RELATED TRANSMISSION SYSTEM VIA MARKOV’S ANALYSIS MODELLING OF SAFETY CHARACTERISTICS OF REDUNDANT SAFETY – RELATED TRANSMISSION SYSTEM VIA MARKOV’S ANALYSIS

basic assumptions for realising measures not only for failure prevention but also for failure detection and failure consequences negation. It is necessary to know where, when and what failures occur in systems, what are their reasons and consequences on the system. From this point of view the considered failures can be in principle classified in [1]: random failures of the transmission system’s hardware part, failures caused by EMI ( Electromagnetic Interferences ) and systematic failures of the transmission system. Industrial communication systems with a higher safety integrity level often involve compound safety techniques in failure states based on a redundant multichannel structure. Then the execution of a safety-relevant function is realised independently by at least two functional units. The compound safety systems utilise several forms of redundancy for achieving the required safety integrity level [1]. The article presents a model of a 1 out-of 2 (1oo2) system. The paper deals with problems of safety features modelling using a safety-related redundant transmission system as part of a safety –crit-ical control system. The main part of the paper is oriented to the Markov model description which was realised for a 1oo2 redundant transmission system. The results of quantitative safety analyses are valid for the fail safe redundant transmission system – Profibus DP with a ProfiSafe safety profile.


Introduction
In control safety-critical processes in industrial applications safety-relevant industrial communication systems are being used for transmission of safety-relevant data, which are characterised by a high resistibility against hazardous failures. The consequences of failures on a communication system's operation can be examined directly on the original system or by the system's operation simulation using a proper constructed model or by theoretical considerations and calculations. It is necessary to point out that in most cases the strict safety requirements on a safety-relevant industrial communication system cannot be proved only by tests or practical results because the dangerous state percent occurrence of a communication system is very low. Therefore the value of mean time between hazardous failures many times exceeds the operational time of system. During safety analyses it is necessary to provide a proof that the resultant risk is acceptable and the safety requirements are met.
The goal of the analysis of failures consequences on an industrial communication system is to construct a model which enables to identify the system's transition process from a safe state to a hazardous state and allows calculating the probability of hazardous system state occurrence as a result of failures effects on the system's operation. An industrial communication system consists of terminal equipment and a transmission system. In most cases the vendors of safety-relevant devices indicate the resulting SIL (Safety Integrity Level) so only characteristics of the transmission system have to be examined.
The transmission system usually does not operate isolated but is a part of another superior system providing service for it. There-fore, the starting point of building a safety model is an exact definition of the interface between the transmission system and the superior system for the purpose to enable a complete hazard identification which has to be considered during the transmission system safety analysis. It is also necessary to explicitly define the event on the transmission system's output which is considered unwanted (hazardous) in respect to safety properties of the transmission system. An unwanted event usually includes an undetected data transmission corruption and the next data manipulation is considered to be correct.
The knowledge of a transmission system failure and error attributes create basic assumptions for realising measures not only for failure prevention but also for failure detection and failure consequences negation. It is necessary to know where, when and what failures occur in systems, what are their reasons and consequences on the system. From this point of view the considered failures can be in principle classified in [1]: random failures of the transmission system's hardware part, failures caused by EMI (Electromagnetic Interferences) and systematic failures of the transmission system.
Industrial communication systems with a higher safety integrity level often involve compound safety techniques in failure states based on a redundant multichannel structure. Then the execution of a safety-relevant function is realised independently by at least two functional units. The compound safety systems utilise several forms of redundancy for achieving the required safety integrity level [1].
The article presents a model of a 1 out-of 2 (1oo2) system.

The Sense of Safety-Relevant Industrial Communication System Modelling
Usually when modelling a safety-relevant industrial communication system several system parameters are being observed, which are a part of the system's technical quality care. Among these are reliability, safety, operational life, availability, no-failure operation and maintainability [2]. The generic standard IEC 61508 [3] recommends focusing on four parameters within the system lifetime: Reliability, Availability, Maintainability, Safety (RAMS), as illustrated in Fig. 1, which provides a more global view of the system safety. The defined system attributes can be fulfilled only with the use of additional safety measures (so-called Fault prevention, Fault tolerant or Fault forecast system) by which the effects of failures or failure states can be eliminated. In case it is not possible to exclude an unauthorised access to the industrial communication system besides RAMS parameters it is necessary to watch security attributes such as confidentiality, integrity and availability.
In praxis we encounter most frequently the following requirements related with the modelling of safety properties of an industrial communication system: G Improvement of safety properties of an existing product or development of a new product, respectively. It is necessary to modify the safety layer and some algorithms of a communication protocol or to create a new protocol with the aim to increase the strength of safety mechanisms; when solving this type of tasks the Unified Modelling Language (UML) can be successfully utilised; G Demonstration of safety properties of a new product It is necessary to demonstrate that the industrial communication system has a sufficient resistibility to attacks against transmitted messages by calculating the intensity of undetectable corruption of a transmitted message based on theoretical considerations (analysis of protocol safety properties, estimation of communication channel bit-error rate (BER), calculation of residual error rate of used codes, estimation of transmission system hardware failures intensity, …) and also the results of the communication system testing in failure-free and failure operation; in this case we can use suitable combinations of modelling methods (RBD [4], FTA [5], FMEA [6], Markov model [7], Petri networks

Makov Model Creation
A simultaneous influence of several factors on the transmission system safety can be well described by Markov model. Figure  2 shows a block scheme of a redundant channel structure 1 00 2 of a safety-relevant Profibus DP transmission system extended by a special ProfiSafe safety module [14]. A two channel structure is composed of two transmission channels connected in parallel, which perform the safety function of provisioning transmission integrity and eliminating the EMI influence with the use of implemented safety mechanisms in a form of safety code (SC) [15] and transmission-code TC [15] independently in both channels. This means that in case of a failure or system malfunction the hazardous failure had to occur in both channels.
The probability of undetected error pu with using a block linear channel (n, k) code (transmission or safety code) can be approximated by the relation (1) where the symbols represented: n codeword length, k information word length, d min minimal Hamming distance, p b bir error rate of communication channel Note: we assume model of BSC (Binnary Symmetric Channel) Let's assume that any diagnostic testing can detect transmission errors only, not correct them. Furthermore, let's suppose that the individual transmission channels are of different hardware construction and that the safety mechanisms and the transmission mode have a cyclic character which is initialised by a master type transmission device. Figure 3 represents a model of a two-channel redundant structure of a closed safety-relevant Profibus DP transmission system  Table 1.
At the beginning the redundant industrial safety-relevant system is in operating state in both transmission channels OK1 and OK2. On the occurrence and detection of a transmission error the system passes in both channels to the state of defined failure reaction, a so-called Fail Safe state: FSK1 and FSK2 with the intensity λ bd and subsequently requests a repeated message sending, i.e. the system returns to operating states OK1 a OK2 with intensity μ. In case the transmission error remains undetected (Fail Unsafe state) the system passes to FUK1 and FUK2 states with intensity λ bn . If the states FUK1 and FUK2 don't occur at once, the discrepancy between transmission channels is detected based on diagnostic testing and the system switches again to operating states OK1 or OK2 with diagnostic testing recovery intensity μ n . In case that both these states FUK1 and FUK2 occur at the same time the system ends up in a hazardous state of undetected transmission error.

Results
The safety analysis of the model depicted in Fig. 3 [-] were calculated according to relation (1). The calculation was providing that the generation frequency of safety-relevant messages from source 1 and from source 2 is f brs1 ϭ f brs2 ϭ 18 000 messages/h. The resulting safety attributes values of a redundant two-channel structure can be found in Table 2. The graphs of safety function

OK2
Transmission of uncorrupted messages between devices. Channel 2 operational state.

FSK1
Channel 1 safety decoder detected a corrupted message. It is a safe failure state of transmission channel 1.

FSK2
Channel 2 safety decoder detected a corrupted message. It is a safe failure state of transmission channel 2.

FUK1
Channel 1 safety decoder did not detect a corrupted message. It is a hazardous failure state of transmission channel 1.

FUK2
Channel 2 safety decoder did not detect a corrupted message. It is a hazardous failure state of transmission channel 2.
Transition Transition description

OK1→FSK1
The transition occurs in dependence on transmission channel 1 message error, which is consequently detected by channel 1 safety code.

OK1→FUK1
The transition occurs in dependence on transmission channel 1 message error, which is not detected by channel 1 safety code.

FSK1→OK1
The transition occurs in dependence on failure handling mechanism and the repeated transition to transmission channel 1 operational state. In most cases on operator confirmation.

FUK1→OK1
The transition occurs in dependence on diagnostic testing mechanism of both transmission channels and the repeated transition to transmission channel 1 operational state. In most cases on operator confirmation.

OK2→FSK2
The transition occurs in dependence on transmission channel 2 message error, which is consequently detected by channel 2 safety code.

OK2→FUK2
The transition occurs in dependence on transmission channel 2 message error, which is not detected by channel 2 safety code.

FSK2→OK2
The transition occurs in dependence on failure handling mechanism and the repeated transition to transmission channel 2 operational state. In most cases on operator confirmation.

FUK2→OK2
The transition occurs in dependence on diagnostic testing mechanism of both transmission channels and the repeated transition to transmission channel 2 operational state. In most cases on operator confirmation.
States and transitions for the diagram in Figure 3  Table 1 S(t) which represents the time dependence of the system getting into an undetected failure state while using a two-channel redundant structure FUK1 and FUK2 are shown in Fig. 4. The results were obtained using the SHARPE modelling tool [16].
The graphs in Fig. 4 represent results with the recommended type of CRC code used in the ProfiSafe profile in both cases the CRC-16 only with different generating polynomials.
The curve of function S(t) 2 and 3 is a result of CRC codes combination, as stated in Table 2. From the results obtained it is obvious that the scheme with 1 OO 2 redundant structure fulfils the safety integrity level SIL3 requirements where the tolerated intensity of hazardous failures per hour is within the limits from 10 Ϫ8 to 10 Ϫ7 .

Conclusions
Using the presented model it is also possible to realise a safety analysis of a two-channel redundant structure at the level of a two-point connection in case that both transmission channels use different transmission media or their transmission is ensured by different safety mechanisms.
The constructed model represents a suitable tool for quantitative safety analysis of a safety-relevant Profibus DP-type transmission system which has a wide application within the frame of safetycritical processes control in industry. The described method is suitable for modelling of safety properties of dynamic systems where the occurrence of random failures (caused for example by aging, physical corruption of the transmission system's hardware components and unintentional EMI failures) is expected. It is created for the Profibus DP safety profile but with a change of input parameters or after a minor modification of the individual models it is also applicable for quantitative safety analyses of other safety fieldbus systems.

Acknowledgement:
This contribution is the result of the project implementation: Centre of excellence for systems and services of intelligent transport, ITMS 26220120028 supported by the Research & Development Operational Programme funded by the ERDF.