Wilamowski B.M., Irwin J.D. The Industrial Electronics Handbook. Second Edition: Industrial Communication Systems
Подождите немного. Документ загружается.
20-8 Industrial Communication Systems
references
. 1.. Chow,.M.-Y.,.Network-based.control.and.application,.Proceedings of the 2007 IEEE International
Symposium on Industrial Electronics (ISIE07),
.Vig
o,
.Sp
ain,
.Jun
e
.4–7,.2007.
. 2.. Cho
w,
.M.-Y.,.Time.sensi
tive
.netw
ork-based
.cont
rol
.system
s
.and.app
lications,
.IEEE Tr
ansactions on
Industrial Electronics Newsletter,
.52(2),.13–15,.Jun
e
.2005.
. 3.. Lee
,
.K.C
.,
.Lee
,
.S.,.and.Lee
,
.M.H
.,
.QoS
-based
.rem
ote
.con
trol
.of.net
worked
.con
trol
.sys
tems
.via.Pro
bus
.
tok
en
.pas
sing
.pro
tocol,
.IEE
E Transactions on Industrial Informatics,
.1(3
),
.183
–191,
.Aug
ust
.200
5.
. 4.. Lee
,
.K.C
.,
.Lee
,
.S.,.and.Lee
,
.M.H
.,
.Wor
st
.cas
e
.com
munication
.del
ay
.of.rea
l-time
.ind
ustrial
.swi
tched
.
Eth
ernet
. wit
h
. mul
tiple
. lev
els,
. IEE
E Transactions on Industrial Electronics,
. 53(
5),
. 166
9–1676,
.
Oct
ober
.200
6.
. 5.. Daoud
,
.R.M.,.Els
ayed,
.H.M.,.and.Amer
,
.H.H.,.Gigab
it
.Eth
ernet
.for.red
undant
.netw
orked
.cont
rol
.
system
s,
.IEEE In
ternational Conference on Industrial Technology,
.2,.869–873,.De
cember
.2004.
. 6.. Luo,.R.C.,.Su,.K.L.,.Shen,.S.H.,.and.Tsa
i,
.K.H.,.Netw
orked
.inte
lligent
.rob
ots
.thro
ugh
.the.Int
ernet:
.
Iss
ues
.an
d
.op
portunities,
.Pr
oceedings of the IEEE,
.91(3),.371–382,.Ma
rch
.2003.
. 7.. Daoud
,
. R.M.,. Amer
,
. H.H.,. El-Da
kroury,
. M.A.,. El-So
udani,
. M.,. Els
ayed,
. H.M.,. and. Salle
z,
. Y.,.
Wire
less
.vehic
le
.communic
ation
.for.trac.cont
rol
.in.urban.are
as,
.Pro
ceedings of
.IECON
2006,
.Par
is,
.
Fran
ce,
.pp
.748–753,
.No
vember
.2006.
. 8.. Cerv
in,
.A.,.Henri
ksson,
.D.,.Linco
ln,
.B.,.Eker
,
.J.,.and.Arzen.K.E..How.does.cont
rol
.timing.ae
ct
.
perf
ormance?
.IEEE Co
ntrol Systems Magazine,
.23(3),.16–30,.2003.
. 9.. Lozo
ya,
.C.,.Mar
tí,
.P.,.Vel
asco,
.M.,.and.Fuert
es,
.J.M..Ana
lysis
.and.design.of.netw
orked
.cont
rol
.loops.
with.synchronization.at.the.actuation.instants,.Proceedings of the 34th Annual Conference of the IEEE
Industrial Electronics Society (IECON08),
.Orl
ando,
.FL,.No
vember
.2008.
. 10.. Liu
,
.G.P.,.Xia,.Y.,.Chen,.J.,.Rees,.D.,.and.Hu,.W.,.Netw
orked
.pre
dictive
.cont
rol
.of.system
s
.wit
h
.
rando
m
.netw
ork
.dela
ys
.in.bot
h
.for
ward
.and.fee
dback
.cha
nnels,
.IEEE Tr
ansactions on Industrial
Electronics,
.54(3),.1282–1297,.2007.
. 11.. Mar
tí,
.P.,.Vel
asco,
.M.,.and.Bini,.E..e.opt
imal
.boun
dary
.and.regul
ator
.design.pro
blem
.for.even
t-
driven
.cont
rollers,
.Pro
ceedings of the 12th International Conference on Hybrid Systems: Computation
and Control (HSCC09),
.San.Fra
ncisco,
.CA,.Ap
ril
.2009.
. 12.. Zhan
g,
.W.,. Branic
ky,
. M.,. and.Phil
lips,
.S.,. Sta
bility
.of.netw
orked
.cont
rol
.system
s,
.IEEE Co
ntrol
Systems Magazine,
.21(1),.84–99,.Fe
bruary
.2001.
. 13.. Hes
panha,
.J.,.Nag
hshtabrizi,
.P.,.and.Xu,.Y.,.A.sur
vey
.of.rec
ent
.res
ults
.in.net
worked
.con
trol
.sys
tems,
.
Pro
ceedings of IEEE, Special Issue on Technology of Networked Control Systems,
.95(1),. 137–162,.
Jan
uary
.2007.
© 2011 by Taylor and Francis Group, LLC
21-1
21.1 Introduction
Industrial.communication.systems.take.over.more.and.more.critical.tasks..e.criticality.of.the.tasks.can.be.
of.vari
ous
.type
s.
.One.of.the.most.comm
on
.requ
irements
.is.the.achi
evement
.of.a.cert
ain
.leve
l
.of.avai
lability,
.
in.orde
r
.to.redu
ce
.time
s
.when.a.syst
em
.is.not.prod
uctive.
.ere
fore,
.a.cert
ain
.leve
l
.of.avai
lability
.is.econ
omi-
cally
.nece
ssary.
.As.soon.as.such.syst
ems
.take.over.tasks.that.are.crit
ical
.for.the.safe
ty
.of.peop
le
.or.the.envi
-
ronment,
.avai
lability
.alon
e
.is.not.enou
gh,
.but.it.is.also.nece
ssary
.to.achi
eve
.a.cert
ain
.leve
l
.of.safe
ty
.inte
grity.
.
e.foll
owing
.are.the.typi
cal
.safe
ty
.func
tions
.in.the.eld.of.indu
strial
.comm
unication
.syst
ems
.[WRA
07]:
•
. Emer
gency
.stop.of.an.engi
ne:
.In.case.of.an.emer
gency
.(e.g
.,
.an.oper
ator
.can.be.hurt
),
.an.engi
ne
.
has.to.stop.imm
ediately.
•
. Unex
pected
.star
ting
.of.an.engi
ne
.(saf
e
.torqu
e
.o):.In.case.of.main
tenance
.acti
vities,
.it.shal
l
.not.
be.possible.that.the.engine.starts.unexpectedly.
•
. Safe. redu
ced
. velo
city:
. It. shal
l
. be. guar
anteed
. that. the. maxi
mum
. safe. leve
l
. of. velo
city
. is. not.
exce
eded.
.Exc
eeding
.mus
t
.be.det
ected
.and.vel
ocity
.red
uced.
All
.safe
ty
.func
tions
.redu
ce
.the.like
lihood
.of.a.pers
on
.bein
g
.hurt
.
.e.requ
irements
.to.be.met.by.such.
safe
ty
.func
tions
.are.spec
ied
.in.stan
dards
.that.are.eith
er
.gene
ric,
.spec
ic
.for.a.doma
in
.such.as.indu
s-
trial
.comm
unication
.syst
ems,
.or.appl
ication
.depe
ndent.
.All.of.them.have.in.comm
on
.that.they.spec
ify
.
a.life
cycle
.mode
l
.wher
e
.a.haza
rd
.and.risk.anal
ysis,
.a.safe
ty
.requ
irements
.spec
ication,
.a.safe
ty
.anal
ysis,
.
and.saf
ety
.val
idation
.are.the.cru
cial
.act
ivities.
21.2 the Meaning of Safety
Safety.is.a.property.that.is.generally.highly.desired.by.the.public..Safety.consciousness.is.a.property.that.
is.cont
inuously
.incr
easing,
.and.the.dema
nds
.that.socie
ty
.puts.on.techn
ical
.syst
ems
.rega
rding
.thei
r
.safe
ty
.
is.incr
easing
.at.the.same.rate..e.term.safe
ty
.can.be.inte
rpreted
.very.broa
dly.
.Safe
ty
.is.used.in.vario
us
.
21
Functional Safety
21.1. Introduction..................................................................................... 21-1
21.2
. e.Mea
ning
.of.Saf
ety.................................................................... 21-1
21.3
. Safe
ty
.Stan
dards............................................................................... 21-2
Overview.of.Safety.Standards. •. Basics.of.IEC61508
21.4. e.Safety.Lifecycle.and.Safety.Methods.....................................21-4
Generic.Lifecycle. •. HAZOP. •. FMEA. •. Fault.Tree.
Analysis. •. Safety.Cases
21.5. Safety.Approach.for.Industrial.Communication.System..........21-8
Overview.of.Safety-Related.Systems. •. Hazard.and.Risk.
Analysis. •. Failure.Mitigation
Acronyms................................................................................................... 21-15
References................................................................................................... 21-15
Thomas Novak
SWARCO Futurit
Verk
ehrssignalssysteme
GmbH
Andreas Gerstinger
Vienna University
of Tec
hnology
© 2011 by Taylor and Francis Group, LLC
21-2 Industrial Communication Systems
contexts,.such.as.electrical.safety,.personal.safety,.safety.on.the.streets,.system.safety,.or.functional.safety..
In.this.chap
ter,
.we.are.excl
usively
.conc
erned
.with.the.latt
er.
We
.use.the.den
itions
.acco
rding
.to.[IEC
61508].
.Safe
ty
.is.den
ed
.as.“fre
edom
.from.unac
ceptable
.risk.
of.harm
.”
.and.func
tional
.safe
ty
.is.the.part.of.the.over
all
.safe
ty
.that.rela
tes
.to.the.corr
ect
.func
tioning
.
of.some.syst
em
.(e.g
.,
.a.cont
rol
.syst
em
.or.an.indu
strial
.comm
unication
.syst
em)
.to.main
tain
.safe
ty.
.
The.func
tions
.that.need.to.be.perf
ormed
.corr
ectly
.in.orde
r
.to.achi
eve
.safe
ty
.can.henc
e
.be.clas
sied
.as.
safe
ty
.rel
ated.
Generally,
.safe
ty
.is.not.an.abso
lute
.prop
erty.
.To.stat
e
.that.the.risk.rela
ted
.to.a.spec
ic
.syst
em
.has.been.
redu
ced
.to.zero.is.gene
rally
.not.a.real
istic
.stat
ement.
.Risk
—measured
.as.a.combi
nation
.of.prob
ability
.
and.seve
rity
.of.an.unde
sired
.even
t—is
.some
thing
.that.we.are.conf
ronted
.with.cont
inuously.
.e.cruc
ial
.
ques
tion
.is.the.risk.acce
ptability.
.What.leve
l
.of.risk.are.we.will
ing
.to.acce
pt.
.is.comp
lex
.ques
tion
.will.
not.be.delv
ed
.into.here
,
.but.it.shou
ld
.be.said.that.this.depe
nds
.on.soci
ety,
.on.time
,
.and.on.the.doma
in
.
in.ques
tion.
.Luck
ily,
.for.indu
strial
.comm
unication
.and.cont
rol
.syst
ems,
.this.ques
tion
.has.alre
ady
.been.
pose
d
.and.ans
wered
.man
y
.tim
es,
.suc
h
.tha
t
.ref
erence
.can.be.mad
e
.to.the
se
.res
ults.
Safety
. shou
ld
. not. be. conf
used
. with. secu
rity:
. Secu
rity
. is. conc
erned
. with. the. prot
ection
. agai
nst
.
inte
ntional
.atta
cks,
.in.orde
r
.to.safe
guard
.inte
grity,
.con
dentiality,
.and.avai
lability
.of.serv
ices.
.Safe
ty
.
is.conc
erned
.with.the.avoi
dance
.of.unin
tended
.acci
dents
.invo
lving
.harm.to.peop
le
.and.the.envi
ron-
ment.
.A.comm
on
.deno
minator
.is.that.both.disc
iplines—safety
.and.secu
rity—have
.the.goal.of.avoi
ding
.
unwa
nted
.even
ts.
.is.also.make
s
.it.hard.to.dete
rmine
.the.succ
ess
.of.safe
ty
.(and.secu
rity)
.meas
ures,
.
since.they.were.successful.if.something.unwanted.does.not.happen.
A
.basic.conc
ept
.in.safe
ty
.engi
neering
.is.the.conc
ept
.of.a.haza
rd.
.A.haza
rd
.is.den
ed
.as.a.“pot
ential
.
sour
ce
.of.harm
”
.[IEC
61508].
.If.all.haza
rds
.are.iden
tied
.and.corr
ected
.and.adeq
uate
.meas
ures
.are.take
n
.
to.cont
rol
.and.miti
gate
.the.haza
rds,
.safe
ty
.is.achi
eved.
.is.is.the.reas
on
.why.the.iden
tication
.of.haz-
ar
ds
.has.to.be.done.at.the.very.begi
nning
.of.syst
em
.deve
lopment.
.Typi
cal
.haza
rds
.for.indu
strial
.com-
m
unication
.sys
tems
.wou
ld
.be.the.los
s
.or.cor
ruption
.of.a.mes
sage.
e
.impo
rtance
.of.haza
rds
.and.thei
r
.iden
tication
.befo
re
.they.actu
ally
.caus
e
.an.acci
dent
.also.high
-
lights
.the.proa
ctive
.natu
re
.of.safe
ty.
.Safe
ty
.engi
neering
.is.conc
erned
.with.pred
icting
.unwa
nted
.even
ts
.
befo
re
.the
y
.hap
pen,
.not.(on
ly)
.to.lea
rn
.fro
m
.fai
lures.
21.3 Safety Standards
In.order.to.guarantee.the.achievement.of.a.well-dened.goal,.in.our.case.sucient.safety,.standardiza-
tion
.play
s
.an.impo
rtant
.role
.
.Stand
ardization
.help
s
.to.make.syst
ems
.inte
roperable
.and.comp
arable.
.e.
goal.of.safe
ty
.stan
dards
.is.to.devi
se
.gene
rally
.appl
icable
.rule
s
.and.reco
mmendations,
.in.orde
r
.to.be.able.
to.bui
ld,
.ope
rate,
.and.mai
ntain
.a.saf
ety-related
.sys
tem.
21.3.1 Overview of Safety Standards
The.general.problem.with.standards.is.that.they.must.achieve.a.compromise.between.general.appli-
cability
.and.prac
tical
.usef
ulness
.for.spec
ific
.syst
ems
.givi
ng
.conc
rete
.guid
ance.
.A.high
-level
.stan
-
dard
.may.be.appl
icable
.to.a.wide.rang
e
.of.syst
ems,
.but.in.orde
r
.to.be.appl
icable
.to.such.a.larg
e
.grou
p
.
of.syst
ems,
.it.must.make. seve
ral
.gene
ralizations,
.whic
h
.make.the.stan
dard
.less.unde
rstandable
.
for.the.engi
neers
.buil
ding
.a.syst
em
.in.a.spec
ific
.doma
in.
.Stan
dards
.that.cont
ain
.a.lot.of.spec
ific
.
info
rmation
.are.on.the.othe
r
.hand.only.appl
icable
.for.a.smal
l
.numb
er
.of.syst
ems
.and.appl
ications.
.
In.orde
r
.to.hand
le
.this.comp
romise,
.stan
dards
.are.ofte
n
.clas
sified
.as.gene
ric,
.doma
in
.spec
ific,
.and.
appl
ication
.spec
ific.
Standards
.are.abun
dant,
.and.ther
e
.is.no.exce
ption
.in.the.doma
in
.of.safe
ty-critical
.and.safe
ty-related
.
syst
ems.
.A.sele
ction
.of.some.stan
dards
.that.are.all.conc
erned
.with.safe
ty-related
.syst
ems
.can.be.foun
d
.
in.Figu
re
.21.1
.
.Bear.in.mind.that.this.is.sure
ly
.not.a.comp
rehensive
.gur
e,
.but.it.illu
strates
.the.prol
ifera-
tion
.of.saf
ety
.sta
ndards.
© 2011 by Taylor and Francis Group, LLC
Functional Safety 21-3
For.our.purposes,.we.will.consider.only.one.of.the.standards:.IEC61508.[IEC61508]..is.standard.
is.generic,.i.e.,.it.is.not.geared.toward.a.specic.application.domain,.but.still.it.contains.enough.con-
crete
.guidance.to.be.useful..Several.domains.have.derived.domain-specic.versions.of.this.standard,.
as.can.be.seen.in.Figure.21.1..e.principles.of.IEC61508.are.reected.in.all.these.domain-specic.
extensions.
21.3.2 Basics of IEC61508
IEC61508.applies.to.electrical,.electronic,.programmable.electronic.safety-related.systems..e.gen-
eral
.assumption.is.that.there.is.some.equipment.under.control.(EUC),.which.has.an.inherent.risk..In.
order.to.reduce.this.risk,.a.safety-related.system.controls.the.risk.of.the.EUC..For.example,.in.a.fac-
tory,
.some.heavy.machines.may.be.the.EUC..e.uncontrolled.EUC.may.pose.a.risk.to.the.operator,.
and.a.safety-related.industrial.communication.system.can.be.used.to.reduce.the.risk.of.this.EUC..
The.safety-related.system.must.be.functionally.safe,.i.e.,.it.must.function.correctly,.and.shall.not.fail.
in.a.dangerous.way.
Depending
.on.the.necessary.risk.reduction,.the.safety-related.
system.is.classied.as.being.in.one.of.four.so-called.safety.integrity.
levels.(SILs)..e.SILs.are.dened.in.terms.of.accepted.failure.rates.
regarding.dangerous.failures.per.hour.(see.Table.21.1).
In
.a.SIL1.system,.it.is.accepted.that.the.system.fails.in.a.danger-
ous
.way.less.frequently.than.every.10
5
.h,.whereas.in.a.SIL4.system,.
a.dangerous.failure.is.allowed.not.more.oen.than.every.10
8
.h..e.
SIL.that.a.system.must.achieve.is.determined.by.a.risk.analysis,.
which.is.performed.at.the.beginning.of.the.system.lifecycle.
Power drive
systems
Process
industry
Nuclear power
plants
Automotive
Safety of
machinery
IEC 61800
Def Stan 00-54 (UK)
Def Stan 00-56 (UK)
Def Stan 00-55 (UK)
DEF 5679 (AUS)
Military
IEC 61511
IEC 61513
ISO 26262:2011
IEC 62061
EN 13849-1
Railways
CENELEC EN 50126
CENELEC EN 50128
CENELEC EN 50129
CENELEC EN 50159
Yellow Book (UK)
AREMA Standards (USA)
NASA Standards
ACTIVE
CANCELLED
In work
ESA Standards
... and many more ...
Aircraft/air traffic control
ARP4754 (USA)
ESARRs (EU)
EATMP (EU)
CAP 670 (UK)
RTCA DO-178C (USA)
RTCA DO-254 (USA)
RTCA DO-178B (USA)
ED12B (Europe)
RTCA DO-278 (USA)
ED109 (Europe)
EN 954-1
IEC 61508:2009
IEC 61508
Generic
MIL STD 882C (USA)
MIL STD 882D (USA)
FIGURE 21.1 Safety.standards.quagmire.
TABLE 21.1 Safety.Integrity.Levels
SIL Dangerous.Failure.per.Hour
4
≥10
−9
.to.<10
−8
3
≥10
−8
.to.<10
−7
2
≥10
−7
.to.<10
−6
1
≥10
−6
.to.<10
−5
© 2011 by Taylor and Francis Group, LLC
21-4 Industrial Communication Systems
Depending.on.the.required.SIL,.there.are.constraints.regarding.the.system.architecture..For.example,.
the.higher.the.SIL,.the.more.fault.tolerance.is.required,.which.is.reected.in.the.number.of.redundancies.
a.system.must.possess.
Depending
.on.the.SIL,.the.methods.used.for.the.design.and.development.of.the.system.are.also.
dierent..e.higher.the.SIL,.the.more.rigorous.are.the.methods.that.must.be.used..is.is.especially.
crucial.for.the.soware,.since.the.used.methods.play.an.important.role.in.the.achieved.soware.quality..
Soware.developed.with.more.rigorous.methods.are.less.likely.to.contain.undetected.faults.
In
.addition.to.architecture.constraints.and.required.methods,.the.standard.calls.for.adequate.docu-
mentation
.to.be.produced..e.documentation.is.necessary.in.order.to.be.able.to.verify.if.the.system.
has.actually.achieved.the.claimed.SIL..e.“proof.of.safety,”.oen.in.the.form.of.a.so-called.safety.case,.
summarizes.all.this.evidence..e.safety.case.must.then.be.approved.by.some.regulatory.agency.before.
the.system.goes.into.operation.
21.4 the Safety Lifecycle and Safety Methods
is.section.introduces.the.safety.lifecycle.and.then.presents.some.of.the.methods.that.may.be.used.
during.this.lifecycle.
21.4.1 Generic Lifecycle
e.safety.lifecycle.species.what.has.to.be.done.in.the.course.of.the.life.of.a.system.from.the.safety.point.
of.view,.from.initial.conception.until.the.disposal..All.safety.standards.specify.such.a.lifecycle,.with.the.
principles.being.comparable.in.all.of.them..For.this.reason,.we.will.present.here.a.generic.safety.lifecycle.
(Figure.21.2).
e
.rst.step,.the.hazard.and.risk.analysis.starts.with.an.identication.of.the.hazards.the.system.may.
pose..At.this.time,.there.should.already.be.a.rough.requirements.specication.of.the.system,.and.the.
major.functions.should.be.dened..Based.on.this.information,.the.potential.hazards.should.be.identi-
ed.
.is.step.is.crucial:.all.theoretical.hazards.have.to.be.identied,.otherwise.it.is.impossible.to.devise.
the.right.methods.and.countermeasures.for.them..Hazards.that.are.not.identied.at.this.step.will.not.
be.considered.adequately.during.the.remainder.of.the.safety.lifecycle.and.may.later.pose.a.risk.during.
system.operation..Aer.the.identication.of.the.hazards,.the.hazards.must.be.classied.according.to.
their.severity.and.probability,.so.that.the.resulting.risk.can.be.determined.
e
.next.step.in.the.safety.lifecycle.of.Figure.21.2.is.the.safety.requirements.specication..Based.on.
the.results.of.the.risk.analysis,.it.is.generally.necessary.to.dene.requirements.to.ensure.that.the.risks.
are.mitigated.to.a.level.so.that.they.are.acceptable..e.safety.requirements.can.be.of.various.types..ey.
can.either.be.functional.requirements,.which.require.an.additional.implementation.of.some.kind,.or.
they.may.be.nonfunctional.requirements,.such.as.the.requirement.to.perform.a.certain.specic.analysis,.
or.the.requirement.to.use.certain.processes.during.the.development..For.example,.a.functional.safety.
requirement.in.a.communication.system.may.specify.a.checksum.with.certain.failure.detection.and/or.
correction.properties..A.nonfunctional.safety.requirement.may.specify.the.need.to.perform.a.common-
mode
.failure.analysis.on.the.design.of.the.system..e.specied.safety.requirements.should.be.included.
in.the.requirement.specication.of.the.complete.system.
e
.third.step.in.the.safety.lifecycle.consists.of.the.performance.of.all.the.safety.analyses..ese.analy-
ses
.can.be.of.various.types,.and.some.of.them.will.be.described.in.the.following.sections..In.general,.the.
Safety requirements
specification
Safety analyses
Safety validation
Hazard and risk
analysis
FIGURE 21.2 Generic.safety.lifecycle.
© 2011 by Taylor and Francis Group, LLC
Functional Safety 21-5
safety.engineer.looks.at.the.system.in.its.present.stage.(this.may.be.only.the.documented.architecture.
and.desi
gn,
.or.the.ful
ly
.imp
lemented
.sys
tem,
.dep
ending
.on.the.sta
te
.of.the.dev
elopment)
.and.ana
lyses
.
pot
ential
.sce
narios
.tha
t
.lea
d
.to.haz
ards.
.Mos
t
.ana
lyses
.in.thi
s
.sta
ge
.are.con
cerned
.wit
h
.fau
lts
.and.fai
l-
ures
.th
at
.ma
y
.oc
cur.
.e
se
.an
alyses
.pr
esent
.a.co
re
.of.th
e
.wo
rk
.of.a.sa
fety
.en
gineer.
Safety
.val
idation,
.as.the.na
l
.ste
p,
.sum
marizes
.all.the.res
ults
.and.evi
dences.
.Dur
ing
.thi
s
.pha
se,
.it.has.
to.be.sho
wn
.tha
t
.all.haz
ards
.are.mit
igated
.and.tha
t
.all.saf
ety
.req
uirements
.hav
e
.bee
n
.met
.
.is.is.usu
-
ally
.don
e
.in.the.for
m
.of.a.“sa
fety
.cas
e.”
.A.saf
ety
.cas
e
.is.a.sou
nd
.and.rig
orous
.arg
ument,
.whi
ch
.cle
arly
.
dem
onstrates
.su
cient
.saf
ety
.of.a.sys
tem
.in.a.giv
en
.con
text.
.e.saf
ety
.cas
e
.doc
ument
.ref
erences
.and.
use
s
.all.pre
viously
.obt
ained
.res
ults
.in.ord
er
.to.con
struct
.thi
s
.pro
of.
.All.the
se
.bui
lding
.blo
cks,
.whi
ch
.are.
nec
essary
.for.thi
s
.pro
of,
.are.usu
ally
.cal
led
.“ev
idences.”
.A.not
ation
.how.suc
h
.a.saf
ety
.cas
e
.can.be.con
-
structed
.is.pr
esented
.la
ter
.in.th
is
.se
ction.
e
.saf
ety
.lif
ecycle
.gen
erally
.con
tinues
.unt
il
.the.end.of.lif
e
.of.the.sys
tem.
.e.ful
l
.lif
ecycle
.can.be.
fou
nd
.in.[I
EC61508].
.Ho
wever,
.fo
r
.br
evity,
.we.ha
ve
.co
ncentrated
.on.th
e
.ma
jor
.st
ages.
All
.met
hods
.tha
t
.are.sho
wn
.in.the.fol
lowing
.sec
tions
.are.to.be.use
d
.dur
ing
.the.saf
ety
.lif
ecycle.
.Are
f-
erence
.to.the.rel
evant
.sta
ge
.of.the.lif
ecycle
.as.sho
wn
.in.Fig
ure
.21.
2
.wil
l
.be.mad
e.
.Gen
erally,
.the.pro
ject
.
saf
ety
.man
ager
.is.res
ponsible
.for.the.con
duct
.of.the.ana
lyses
.and.exe
cutes
.them.tog
ether
.wit
h
.the.
pro
ject
.saf
ety
.eng
ineer
.and.rel
evant
.tea
m
.memb
ers.
.In.sma
ller
.pro
jects,
.the.rol
e
.of.saf
ety
.man
agement
.
and.saf
ety
.eng
ineering
.can.be.comb
ined.
.In.lar
ger
.pro
jects,
.the
re
.may.be.mor
e
.tha
n
.one.saf
ety
.eng
ineer.
e
.met
hods
.pre
sented
.her
e
.are.onl
y
.a.sel
ection
.of.pos
sible
.met
hods.
.[IE
C61508],
.par
t
.7,.ann
exes
.A,.
B,.and.C.contain.a.comprehensive.list.of.methods.with.brief.descriptions.and.further.references.
21.4.2 HaZOP
Hazard.and.Operability.Study.(HAZOP).is.a.method.to.identify.hazards..It.should.therefore.be.used.
at.the.ver
y
.beg
inning
.of.the.saf
ety
.lif
ecycle,
.dur
ing
.the.haz
ard
.and.ris
k
.ana
lysis
.pha
se.
.Alt
hough
.thi
s
.
met
hod
.ori
ginates
.fro
m
.the.pro
cess
.ind
ustry,
.it.is.ver
y
.gen
eric
.and.can.the
refore
.be.app
lied
.bro
adly.
.
For.ele
ctronic
.sy
stems,
.it.is.st
andardized
.in.[D
S00-58].
e
.int
ention
.of.the.HAZ
OP
.is.to.ana
lyze
.all.pos
sible
.fun
ctions
.of.a.giv
en
.sys
tem
.and.exa
mine
.
all.cre
dible
.mal
functions
.or.dev
iations
.fro
m
.the.cor
rect
.fun
ction.
.In.ord
er
.to.ide
ntify
.all.pot
ential
.
haz
ards,
.thi
s
.met
hod
.sug
gests
.the.use.of.a.giv
en
.set.of.gui
de
.wor
ds
.tha
t
.sha
ll
.be.app
lied
.to.fun
ctions
.
(Ta
ble
.21.
2).
All
.the
se
.gui
de
.wor
ds
.sha
ll
.be.sys
tematically
.app
lied
.to.all.fun
ctions.
.It.rem
ains
.to.be.dec
ided
.wha
t
.
the.“fu
nctions”
.of.a.sys
tem
.are
.
.Basi
cally,
.the.fun
ctions
.sho
uld
.be.de
ned
.in.a.sys
tem
.des
cription
.or.
TABLE 21.2 HAZOP.Guide.Words
No is.is.the.complete.negation.of.the.design.intention..No.part.of.the.intention.is.achieved.
and.nothing.else.happens.
More is
.is.a.qu
antitative
.incr
ease.
Less is
.is.a.qu
antitative
.decr
ease.
As
.we
ll
.as
All
.th
e
.design.int
ention
.is.achie
ved
.tog
ether
.wi
th
.addit
ions.
Part
.of
Only
.so
me
.of.th
e
.design.int
ention
.is.achie
ved.
Reverse e
.logic
al
.op
posite
.of.th
e
.int
ention
.is.achie
ved.
Other
.th
an Complete
.su
bstitution,
.wh
ere
.no.pa
rt
.of.th
e
.or
iginal
.int
ention
.is.achie
ved
.bu
t
.so
mething
.
quit
e
.dier
ent
.ha
ppens.
Early Something
.ha
ppens
.ea
rlier
.th
an
.expe
cted
.re
lative
.to.clo
ck
.tim
e.
Late Something
.ha
ppens
.la
ter
.th
an
.expe
cted
.re
lative
.to.clo
ck
.tim
e.
Before Something
.ha
ppens
.bef
ore
.it.is.expe
cted,
.re
lating
.to.or
der
.or.se
quence.
Aer Something
.ha
ppens
.a
er
.it.is.expe
cted,
.re
lating
.to.or
der
.or.se
quence.
Source:
. Ministry. of. Defence,. HAZOP Studies on Systems Containing Programmable Electronics,. U.K..
Defence.Standard,.Def.Stan.00-58,.Ministry.of.Defence,.Glasgow,.U.K.,.2000,.Part.1,.p..14..With.permission.
© 2011 by Taylor and Francis Group, LLC
21-6 Industrial Communication Systems
a.requirements.document..erefore,.such.documentation.should.be.available..It.also.remains.to.be.
dec
ided
.at.whi
ch
.gra
nularity
.the.ana
lysis
.is.car
ried
.out
.
.A.hig
h-level
.sys
tem
.fun
ction
.can.usu
ally
.be.
div
ided
.into.a.numb
er
.of.sub
-functions,
.whi
ch
.can.in.tur
n
.be.div
ided
.into.mor
e
.sub
-functions.
.e.
low
er
.the.lev
el
.at.whi
ch
.the.ana
lysis
.is.con
ducted,
.the.mor
e
.eo
rt
.is.req
uired,
.but.the.mor
e
.ben
et
.can.
be.gai
ned
.fro
m
.the.ana
lysis.
.e.rig
ht
.lev
el
.of.the.ana
lysis
.sho
uld
.be.dec
ided
.at.the.beg
inning.
.It.wil
l
.
gen
erally
.alw
ays
.be.a.com
promise
.bet
ween
.rig
or
.and.ec
iency.
.A.goo
d
.sta
rting
.poi
nt
.for.the.ana
lysis
.is.
the.hi
ghest-level
.re
quirements
.de
scription
.of.a.sy
stem.
HAZOP
.sho
uld
.als
o
.be.con
ducted
.as.a.tea
m
.act
ivity.
.is.mea
ns
.tha
t
.the.tea
m
.sho
uld
.inc
lude
.not.
onl
y
.saf
ety
.pro
fessionals
.but.als
o
.eng
ineers,
.sys
tem
.desi
gners,
.so
ware
.eng
ineers,
.or.eve
n
.end.use
rs.
.
One.per
son
.sha
ll
.tak
e
.the.lea
d
.and.mod
erate
.the.HAZ
OP
.ses
sions.
.is.lea
d
.wil
l
.gen
erally
.be.tak
en
.ove
r
.
by.the.saf
ety
.man
ager
.or.eng
ineer.
.e.HAZ
OP
.ses
sions
.sho
uld
.be.pla
nned
.wel
l
.in.adv
ance,
.and.it.is.
imp
ortant
.to.kee
p
.the.foc
us
.and.not.to.get.side
tracked
.into.lon
g
.dis
cussions,
.whi
ch
.do.not.con
tribute
.
to.the.goa
l.
.Als
o,
.so.fac
tors
.suc
h
.as.su
cient
.bre
aks
.and.an.ade
quate
.env
ironment
.are.cru
cial
.to.the.
suc
cess
.of.th
e
.se
ssions.
Finally,
.the.res
ults
.are.doc
umented
.in.a.tab
ular
.for
mat.
.e.mai
n
.out
puts
.are.the.haz
ards,
.aga
inst
.
whi
ch
.ade
quate
.saf
ety
.req
uirements
.hav
e
.to.be.spe
cied.
.In.the.cou
rse
.of.the.rem
ainder
.of.the.saf
ety
.
lif
ecycle,
.it.mu
st
.be.sh
own
.th
at
.th
ese
.ha
zards
.ar
e
.un
der
.co
ntrol.
21.4.3 FMEa
e.Failure.Modes.and.Eects.Analysis.(FMEA).is.a.method.that.systematically.analyzes.all.failure.modes.
of.com
ponents
.and.det
ermines
.the.asso
ciated
.ris
k
.and.pot
ential
.mit
igations.
.It.is.a.bot
tom-up
.app
roach,
.
whi
ch
.sta
rts
.on.the.com
ponent
.lev
el
.and.aims.to.det
ermine
.the.eec
t
.of.fai
lure
.mod
es
.on.the.sys
tem
.fun
c-
tions.
.For.a.saf
ety
.eng
ineer,
.it.is.esse
ntial
.to.det
ermine
.the.saf
ety
.imp
act
.of.the.ana
lyzed
.fai
lure
.mod
es.
An
.int
ernational
.sta
ndard,
.whi
ch
.com
prehensively
.des
cribes
.the.met
hod
.as.a.tec
hnique
.for.sys
tem
.
rel
iability,
.is.ava
ilable
.in.[IE
C60812].
.e.met
hod
.con
sists
.of.ana
lyzing
.all.com
ponents
.or.ite
ms
.of.a.
sys
tem
.and.ll
ing
.out.of.all.the.col
umns
.of.a.giv
en
.tab
le.
.It.sta
rts
.fro
m
.the.com
ponent
.lev
el,
.and.hen
ce
.
is.a.typ
ical
.“bo
ttom-up”
.met
hod.
.e.hea
dings
.of.suc
h
.a.pos
sible
.FME
A
.tab
le
.are.giv
en
.in.Tab
le
.21.
3,
.an.
exa
mple
.wi
ll
.be.sh
own
.in.Ta
ble
.21
.6.
Similar
.to.HAZ
OP,
.an.FME
A
.is.bes
t
.per
formed
.as.a.gro
up
.act
ivity,
.sinc
e
.div
erse
.exp
ertise
.is.nee
ded
.
to.re
cord
.al
l
.in
formation
.ne
cessary.
21.4.4 Fault tree analysis
Whereas.FMEA.has.its.origins.in.reliability.engineering,.fault.tree.analysis.[IEC61025].is.a.typical.safety.
eng
ineering
.tec
hnique.
.It.is.in.man
y
.way
s
.com
plementary
.to.an.FME
A,
.and.the
refore
.sho
uld
.not.be.con
-
sidered
.as.an.alt
ernative,
.but.as.ano
ther
.nec
essary
.met
hod
.to.be.use
d
.dur
ing
.the.saf
ety
.ana
lysis
.pha
se.
.
It.is.a.top-
down
.met
hod,
.whi
ch
.sta
rts
.fro
m
.the.und
esired
.eve
nts,
.in.our.cas
e,
.it.sta
rts
.wit
h
.the.haz
ards.
.
It.is.the
n
.ana
lyzed,
.wha
t
.the.con
tributing
.fac
tors
.to.a.haz
ard
.cou
ld
.be,.and.thi
s
.is.the
n
.pre
sented
.in.the.
for
m
.of.log
ic
.gat
es.
.For.exa
mple,
.if.the.com
munication
.sys
tem
.and.the.bac
kup
.com
munication
.sys
tem
.
mus
t
.fai
l
.for.a.haz
ard
.to.occ
ur,
.thi
s
.is.rep
resented
.by.an.“an
d”
.gat
e.
.If.one.wan
ts
.to.say.tha
t
.the.com
-
munication
.sys
tem
.fai
ls
.whe
n
.the.pow
er
.sup
ply
.fai
ls
.or.whe
n
.the.med
ium
.fai
ls,
.thi
s
.is.rep
resented
.by.
an.“or
”
.gat
e.
.is.tre
e
.is.the
n
.con
structed
.unt
il
.one.rea
ches
.the.basi
c
.eve
nts,
.whi
ch
.can
not
.be.spl
it
.up.
fur
ther.
.e.ex
ample
.ju
st
.de
scribed
.is.sh
own
.in.Fi
gure
.21
.3.
TABLE 21.3 FMEA.Table.Header
Item.ID
Description.
and.
Function
Failure.
Mode
Possible.
Causes Eect
Detection.
Method Mitigation Severity Probability
Safety.
Impact
© 2011 by Taylor and Francis Group, LLC
Functional Safety 21-7
Probabilities.can.then.be.assigned.to.the.basic.events..If.this.is.done.completely,.it.is.possible.to.
calculate.the.numerical.probability.for.the.hazard.on.the.top..Several.tools.are.available,.which.aid.in.the.
construction.of.such.fault.trees,.and.which.can.perform.these.calculations.automatically.
21.4.5 Safety Cases
A.safety.case.shall.show.that.the.safety.requirements.and.objectives.are.met..Simply.said,.it.shall.show.
that.“the.system.is.acceptably.safe.for.its.intended.use.”.In.order.to.prove.this.statement,.structured.
textual.arguments.can.be.made.up,.which.show.that.this.claim.is.true..However,.textual.arguments.can.
become.very.long.and.dicult.to.read..Especially,.it.can.become.hard.to.verify.if.the.line.of.argumenta-
tion
.is.sound.and.the.safety.objectives.are.really.met.
For
. this. reason,. [Kel&04]. suggests. a. clearly. dened. notation. for. safety. cases,. called. the. Goal.
Structuring.Notation.(GSN)..GSN.is.already.used.widely.and.is.likely.to.be.standardized.in.the.near.
future..e.basic.elements.of.the.notation.are.goals,.strategies,.and.solutions..e.goals.contain.some.
propositional.statement.that.shall.be.shown.to.be.true..e.strategies.contain.arguments.on.how.this.
proof.can.be.made..e.solutions.are.the.evidences.that.contain.the.necessary.information.to.show.the.
truth.of.the.goal..An.example.is.shown.in.Figure.21.4.
is
.example.contains.a.claim.that.a.system.is.safe..e.argument.is.made.over.the.hazard.mitiga-
tion.
.It.is.suggested.that.if.all.hazards.are.found.and.they.are.mitigated,.the.system.is.safe.by.denition..
Finally,.this.argument.requires.two.subgoals,.namely.that.all.hazards.are.identied.and.that.all.hazards.
TOP 1
GATE 1
Failure of
medium
Failure of
power supply
EVENT 1 EVENT 2
GATE 2
Hazard: total
communication
failure
Main
communication
system failure
Backup
communication
system failure
FIGURE 21.3 Fault.tree.example.
© 2011 by Taylor and Francis Group, LLC
21-8 Industrial Communication Systems
are.mitigated..is.is.shown.by.reference.to.the.hazard-identication.document.(such.as.a.HAZOP.
analysis).and.to.the.hazard.log.(which.contains.a.log.of.all.hazards.and.why.and.how.they.are.mitigated).
e
.GSN.notation.is.likely.to.be.used.in.the.safety.validation.phase..It.shall.enhance.the.readability.
of.the.safety.case.and.shall.ease.the.identication.of.weaknesses.in.the.arguments..Ideally,.the.regulator.
or.certier.of.a.system.can.read.this.notation.and.can.then.decide.if.a.system.may.go.into.operation.
21.5 Safety approach for Industrial Communication System
Safety-related.industrial.communication.systems.are.accomplished.by.enhancing.the.standard.commu-
nication
.protocol.and/or.adapting.the.hardware.of.the.standard.nodes..Such.systems.have.to.be.imple-
mented
.in.a.way.so.that.systematic.failures.(failures.where.the.fault.can.be.clearly.identied.[IEC61508]).
and.stochastic.failures.(failures.that.occur.randomly.and.where.various.faults.can.be.the.reason.for.a.
single.failure.[IEC61508]).are.detected.during.the.operation,.leading.to.hazards.and.resulting.from.node.
or.network.faults.
21.5.1 Overview of Safety-related Systems
What.all.safety-related.industrial.communication.systems.have.in.common.is.that.the.standard.non-safe.
system.is.used.and.safety-related.functions.are.integrated..Most.of.the.communication.systems.adhere.
to.the.requirements.of.SIL3.specied.in.[IEC61508]..Predominantly,.the.communication.systems.use.
a.two-channel.architecture.realized.by.a.one-out-of-two.(1oo2).architecture,.meaning.that.such.archi-
tecture
.consists.of.two.independent.channels.that.execute.a.given.task,.but.have.to.agree.on.the.result.
unanimously..Furthermore,.safety-related.industrial.communication.systems.use.a.safety-related.message.
format.including.a.cyclic.redundancy.check.(CRC),.a.timestamp,.or.sequence.number..at.message.is.
embedded.into.the.payload.eld.of.the.non-safety-related.protocol..Finally,.the.safety-related.rmware.
is.very.oen.placed.above.layer.7.of.the.ISO/OSI.reference.model.to.guarantee.compatibility.between.
Definition of
{System}
{System} is safe in a
given {Environment}
Definition of
“safe”
Argument over
hazard identification
and mitigation
All hazards are
identified
All identified hazards
are mitigated
Hazard log
Goal
Context
Strategy
Justification
Evidence
Hazard
identification
document
If all hazards are found and
their risk is acceptable, the
system is safe by definition
Definition of
{Environment}
C1
G1
C3
S1
G2
G3
Sn2
Sn1
J1
J
C2
J
FIGURE 21.4 Goal.structuring.notation.example.
© 2011 by Taylor and Francis Group, LLC
Functional Safety 21-9
non-safe.and.safe.communication.systems..Another.reason.is.that.the.protocol.stack.of.industrial.com-
munication
.syst
ems
.is.very.oen.stan
dardized
.and.ther
efore
.shou
ld
.not.to.be.alte
red.
.Tabl
e
.21.4.give
s
.an.
over
view
.of.the.safe
ty
.feat
ures
.of.some.safe
ty-related
.comm
unication
.syst
ems.
As
.alre
ady
.ment
ioned,
.the.main.goal.of.safe
ty
.is.to.avoi
d
.syst
ematic
.faul
ts
.and.dete
ct
.stoch
astic
.faul
ts
.
lead
ing
.to.haza
rds
.such.as.a.corr
uption
.of.a.mess
age.
.Safe
ty
.meas
ures
.like.a.CRC.are.requ
ired
.to.miti
-
gate
.the.risk.resu
lting
.from.the.haza
rds.
.Typi
cally,
.stan
dard
.comm
unication
.syst
ems
.alre
ady
.incl
ude
.
some.meas
ures
.to.dete
ct
.faul
ts
.(e.g
.,
.a.CRC.or.cros
s-parity
.mech
anism
.to.ensu
re
.data.inte
grity).
.Duri
ng
.
safe
ty
.consi
deration,
.ther
e
.are.two.appr
oaches
.of.how.to.trea
t
.the.stan
dard
.comm
unication
.syst
em:
.
eith
er
.take.the.avai
lable
.faul
t
.dete
ction
.meas
ures
.into.acco
unt
.and.add.more.meas
ures
.to.nal
ly
.reac
h
.
the.targ
et
.safe
ty
.inte
grity
.leve
l.
.Or.the.stan
dard
.comm
unication
.syst
em
.with.its.faul
t
.dete
ction
.mea-
s
ures
.is.neg
lected
.and.the.sys
tem
.is.tre
ated
.as.a.bla
ck
.box.ref
erred
.to.as.bla
ck-channel
.con
cept.
Safety
.of.cont
rol
.area.netw
ork
.(CAN
)
.reli
es
.on.the.faul
t
.dete
ction
.mech
anism
.of.stan
dard
.CAN..
Addi
tionally,
.to.incr
ease
.inte
grity
.and.redu
ce
.resid
ual
.fail
ure,
.prob
ability
.mess
ages
.are.sent.twic
e
.and.
the.seco
nd
.one.is.inve
rted.
.e.two.stan
dard
.mess
ages
.comp
rise
.a.singl
e
.safe
ty-related
.mess
age.
.To.
dist
inguish
.safe
ty-
.and.non-
safety-related
.mess
ages,
.the.iden
tier
.rang
e
.in.the.stan
dard
.mess
age
.was.
exte
nded.
.Fina
lly,
.watc
hdog
.func
tionality
.is.inte
grated
.to.dete
ct
.if.a.safe
ty-related
.mess
age
.part.or.a.
comp
lete
.safe
ty-related
.mess
age
.was.lost
.
.CANo
pen
.Safe
ty
.meet
s
.safe
ty
.requ
irements
.of.SIL3.give
n
.by.
the.inte
rnational
.stan
dard
.IEC6
1508.
.Sinc
e
.the.proto
col
.enha
ncement
.was.not.suc
ient
.to.meet.the.
desir
ed
.saf
ety
.lev
el,
.in.add
ition,
.a.har
dware
.arc
hitecture
.wit
h
.two.cha
nnels
.was.cho
sen.
ProSafe
.or.SafetyLon.are.based.on.the.black-channel.concept.as.shown.in.Figure.21.5..e.network.
and.the.stan
dard
.proto
col,
.and.the.stan
dard
.hard
ware
.comp
onent
.(non
-safety-related
.part
)
.of.the.node.
are.trea
ted
.as.a.blac
k
.box..Node.A.inse
rts
.a.mess
age
.into.the.blac
k-channel
.and.Node.B.rece
ives
.it..e.
idea.is.that.safe
ty
.meas
ures
.are.requ
ired
.to.dete
ct
.all.faul
ts
.that.are.possi
ble
.in.the.blac
k-channel
.with
out
.
payi
ng
.atte
ntion
.to.exis
ting
.meas
ures.
.Typi
cal
.faul
ts
.are.syst
ematic
.faul
ts
.on.the.netw
ork
.or.faul
ts
.in.the.
stan
dard
.hard
ware
.comp
onent.
.Any.meas
ures
.of.the.stan
dard
.proto
col
.to.dete
ct
.faul
ts
.like.pari
ty
.bits.to.
iden
tify
.mess
age
.corr
uption
.are.not.consi
dered.
.e.stan
dard
.proto
col
.is.just.a.mean
s
.to.tran
sport
.data.
some
how
.fro
m
.Nod
e
.A.to.Nod
e
.B.
e
.gray.part.as.show
n
.in.Figu
re
.21.5.is.the.safe
ty-related
.part
.
.It.comp
rises
.the.safe
ty-related
.hard
-
ware
.and.rmw
are.
.Both.are.used.to.incr
ease
.the.safe
ty
.inte
grity
.and.cons
equently
.redu
ce
.the.leve
l
.of.
risk.to.a.tole
rable
.tar
get
.lev
el.
TABLE 21.4 Safety-Related.Communication.Systems
Compliant.
toStandard Safe.Node.Architecture
Safety-Related.
Message.Format
Safety.
Firmware.in.
the.ISO/OSI.
Model
CANopen
.saf
ety IEC61508,
.SIL.3 Tw
o
.cha
nnel
.(1oo2) NO—s
tandard
.
messa
ge
.sent.twice;.
secon
d
.time.invert
ed
Integrated
.
into.lay
er
.7
Dev
iceNet
.saf
ety IEC61508,
.SIL.3 Tw
o
.cha
nnel
.(2×.1oo1,.1oo2) YES—em
bedded
.into.
stan
dard
.pro
tocol
.
paylo
ad
.eld
Saf
ety
.lay
er
.
abov
e
.lay
er
.7
PRO
FIsafe IEC61508,
.SIL.3 Sin
gle
.cha
nnel YES—embedded
.into.
stan
dard
.pro
tocol
.
paylo
ad
.eld
Saf
ety
.lay
er
.
abov
e
.lay
er
.7
Safet
yBUS
.p EN.954-1,.Cat..4 Tw
o
.cha
nnel
.(1oo2) YES—emb
edded
.into.
stan
dard
.pro
tocol
.
paylo
ad
.eld
Saf
ety
.lay
er
.
abov
e
.lay
er
.7
Safet
yLon IEC61508,
.SIL.3 Tw
o
.cha
nnel
.(1oo2) YES—emb
edded
.into.
stan
dard
.pro
tocol
.
paylo
ad
.eld
Saf
ety
.lay
er
.
abov
e
.lay
er
.7
© 2011 by Taylor and Francis Group, LLC