Functional safety according to IEC / IEC Important user information. Major changes in IEC nd Edition

Size: px

Start display at page:

Download "Functional safety according to IEC / IEC Important user information. Major changes in IEC nd Edition"

Andrew Martin
6 years ago
Views:

1 International Symposium in China Functional Safety in Industrial Applications October 2011, Shanghai - China Functional safety according to IEC / IEC Important user information Major changes in IEC nd Edition 1

2 Contents Some Information about Standards development, History of functional safety standards 2nd Edition of IEC Principle of standards Requirements of standards Important Information for the User 2

3 Group Worldwide Presence As an international service group, we document the safety and quality of new and existing products, systems and services. founded in sites in 62 countries more than 14,500 employees 6 business sectors 38 business areas and more than different services 3

4 Industrie Service International Business Units Industrial Services Mobility Products Life Care Education and Systems Consulting Energy Systems - Automation Energy Systems Automation Functional Safety 4

Energy Systems & Automation Automation / Functional Safety Energy

Plants Power Plants (nuclear) Test and Certification Functional Safety

TÜV FS Program Applications Applications Application Areas: Machinery,

5 Energy Systems & Automation Automation / Functional Safety Energy Systems FS Products FS Systems and Applications FS Qualification Power Plants Power Plants (nuclear) Test and Certification Functional Safety Management Application and System Implementation Trainings Workshops TÜV FS Program Applications Applications Application Areas: Machinery, Process Industry, Oil & Gas, Power Plants, Nuclear Power Plants, automotive etc. 5

6 Competencies in Functional Safety 6

More than 180 certificates for safety-related

7 Product Certificates More than 500 Functional Safety certificates have been issued worldwide. More than 180 certificates for safety-related products in nuclear power plants have been issued worldwide. 7

Functional Safety Management For new developments of safety-related devices and systems as well as for system application, organisational and failure-avoidance measures have to be verified or

8 Functional Safety Management For new developments of safety-related devices and systems as well as for system application, organisational and failure-avoidance measures have to be verified or validated repeatedly. It is advisable to integrate these measures fundamentally in the framework of a Functional Safety Management System within a company. Auditors of check acc. to the following certification procedure if a Functional Safety Management System has been integrated and applied accordingly. Basic Certification Procedure Kick-Off Meeting Kick-Off Meeting Pre-Audit Pre-Audit Certification Certification Audit Audit Certificate Surveillance Surveillance Audit Audit Recertification Recertification Verification of Documents Verification of Documents 8

9 FSM certified companies - worldwide Denmark United Kingdom Netherlands Germany Japan Mexico Italy India Singapore China Brazil Malaysia Argentina Australia 9

10 Functional Safety Program The TÜV Functional Safety Program is a vocational qualification program for engineers, who work in the area of Functional Safety. Trainings are offered in cooperation with more than 12 international course providers. The following topics are offered: Safety Instrumented Systems (IEC 61511) Hardware/Software-Design acc. to IEC Functional Safety of Machinery Automotive System Design acc. to ISO and IEC Participants can obtain the following 2 qualifications acc. to their knowledge and Experience. By today more than TÜV FS Engineers have successfully participated in this program. 10

11 Functional Safety Program Course Provider of the FS Program Safety Instrumented Systems HW / SW Functional Safety of Machinery Automotive 11

12 Experience with IEC in the last 10 years Is excepted worldwide as the Generic (Basic) standard for Functional Safety Has influenced the design development of safety related subsystems (devices) Subsystems are developed to fulfill the requirements of IEC Many Subsystems (Sensor, PLC, Actuator) are assessed / qualified and certified Was the basis for the development of sector / application dependent standards in many application areas 12

13 Relation IEC / Sector Standards IEC Nuclear Sector EN Railway application IEC Electrical drives ISO Machinery ISO Automotive IEC IEC Medical devices IEC Process Sector EN Furnaces IEC Machinery 13

14 IEC nd Edition changes, overview All parts of the standard were updated For all parts Extend the scope from a complete safety function to partial safety functions performed by a subsystem (e.g. sensor, PLC,..) The safety integrity levels are furthermore linked to safety function New terms defined: Overall safety function, element safety function Compliant item, Systematic capability Safety manual for compliant item, Safety justification Mathematical more profound terms Average probability of dangerous failure on demand PFDavg Average frequency of dangerous failure PFH 14

15 IEC part 1, competence IEC : 1998 IEC / 2nd edition 6.2 Requirements acc. to MFS 6.2 Requirements acc. to MFS... h) Competence see Annex B h) Competence see Annex B... Annex B informative! B.1 General deliberation B.2 Appropriateness, relevant factors Normative! General deliberation Appropriateness, relevant factors Documentation of competence The competence of people involved in safety projects is now normative! (previously informative) 15

16 IEC part 1, life cycle IEC : 1998 IEC / 2nd edition 9.1 Specification E/E/PES safety requirements specification 9 E/E/PE system safety requirements specification 9 Safety-related systems: E/E/PES 10 E/E/PE safety-related systems Realization Realization see E/EPE system safety lifecycle) Separation: System safety requirement specification (user and system designer) Design requirements, realization (system designer, product designer) 16

17 IEC part 1, clarification on SIL In cases where the allocation process results in the requirement for an E/E/PE safety-related system implementing a SIL 4 safety function then the following shall apply: a) There shall be a reconsideration of the application to determine if any of the risk parameters can be modified so that the requirement for a SIL 4 safety function is avoided. The review shall consider whether: additional safety-related systems or other risk reduction measures, not based on E/E/PE safety-related systems, could be introduced; the severity of the consequence could be reduced; the likelihood of the specified consequence could be reduced. b) If after further consideration of the application, it is decided to implement the SIL 4 safety function then a further risk assessment shall be carried out using a quantitative method that takes into consideration potential common cause failures between the E/E/PE safety-related system and: any other systems whose failure would place a demand on it; and, any other safety-related systems. 17

18 IEC part 1, security aspects The hazards, hazardous events and hazardous situations of the EUC and the EUC control system shall be determined under all reasonably foreseeable circumstances (including fault conditions, reasonably foreseeable misuse and malevolent or unauthorized action). This shall include all relevant human factor issues, and shall give particular attention to abnormal or infrequent modes of operation of the EUC. If the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out. Until now security was not in the scope of the IEC Now it is! High level requirements, no detailed requirements 18

19 IEC part 2, overview Definition of compliance routes, hardware integrity Definition of existing and new failure modes / clarification on SFF Proven in use Systematic capability Requirements for ASIC, FPGA design Consideration of soft errors for high integrated circuits 19

20 IEC part 2, hardware integrity Chapter 7.4 The design of the E/E/PE safety-related system shall meet the: requirements for hardware safety integrity (HW Compliance routes) special architecture requirements for ICs with on-chip redundancy requirements for systematic safety integrity (systematic capability) requirements for system behavior on detection of a fault requirements for data communication processes 20

21 IEC part 2, definition of new failure modes IEC ; no part failure failure of a component that plays no part in implementing the safety function IEC ; no effect failure failure of an element that plays a part in implementing the safety function but has no direct effect on the safety function. It does not contribute to the failure rate of the safety function. SFF= S S λ + λ + λ DD No-effect and no-part failures shall not play any role in the calculation of the diagnostic coverage or the safe failure fraction. May be 25 % of safety related elements will degrade (no part and no effect failures were counted as safe in some analysis) λ + DD λ DU 21

22 IEC part 2, systematic integrity / capability Chapter IEC ; systematic capability measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL, in respect of the specified element safety function, when the element is applied in accordance with the instructions specified in the compliant item safety manual for the element Increase the understanding: The architecture has the same importance regarding systematic faults (avoidance and control) as regarding the control of random faults 22

23 IEC part 2, systematic integrity / capability - For the determination of the systematic capability the designated safety related E/E/PES system will be partitioned in elements of different systematic capability SC - Case 1: - all elements have the systematic capability of N - systematic fault in one of the elements will cause a failure of the specified safety function designated safety related E/E/PES system has the systematic capability of N - Case 2: - an elements has the systematic capability of N - systematic fault in one element will not cause a failure of the specified safety function - a combination with a second systematic fault of another element of systematic capability of N causes a failure of the specified safety function Systematic capability of both elements in combination is N+1 23

24 IEC part 2, systematic integrity / independence Sufficient independence, in the design between elements and in the application of elements, shall be justified by common cause failure analysis to show that the likelihood of interference between elements and between the elements and the environment is sufficiently low in comparison with the safety integrity level of the safety function under consideration. Possible approaches to the achievement of sufficient independence include: - use of functional diversity - use of diverse technology - no use of common parts/ services - no use of common procedure The independence of elements can be assessed only when the specific application of the elements is known in relation to the defined safety functions. 24

25 IEC part 2, systematic capability compliance routes Chapter Requirements for systematic safety integrity (systematic capability) can be met by achieving one of the following compliance routes: - Route 1S: compliance with the requirements for the avoidance of systematic faults (see and IEC ) and the requirements for the control of systematic faults (see and IEC ), or - Route 2S: compliance with the requirements for evidence that the equipment is proven in use (see ), or - Route 3S (pre-existing software elements only): compliance with the requirements of IEC , ; 25

26 IEC part 3, pre existing software Requirements: failure analysis has to be carried out effective defensive measures to be taken. (see Annex F for techniques) compliance routes safety manual Where a pre-existing software element is reused to implement all or part of a safety function, the element shall meet both requirements a) and b) below for systematic safety integrity: a) meet the requirements of one of the following compliance routes: Route 1 S : compliant development. Compliance with the requirements of this standard for the avoidance and control of systematic faults in software; Route 2 S : proven in use. Provide evidence that the element is proven in use. See of IEC ; Route 3 S : assessment of non-compliant development. Compliance with : b) provide a safety manual that gives sufficiently precise and complete description of the element to make possible an assessment of the integrity 26

27 IEC part 3, Tools Online support tools: a software tool that can directly influence the safety related system during run time. Online support tools shall be treated as software belonging to the safety related system Offline support tools: a software tool that supports a phase of software development life cycle and cannot directly influence the safety related system during its run time T1 generates no outputs which can directly or indirectly contribute to the executable code (including data) of the safety related system; example: a design support tool with no automatic code generation capabilities T2 supports the test or verification of the design or executable code, where errors in the tool can fail to reveal defects but cannot directly create errors in the executable software; examples: a test harness generator; a test coverage measurement tool; a static analysis tool. T3 generates outputs which can directly or indirectly contribute to the executable code of the safety related system. example: a compiler that incorporates an executable run-time package into the executable code. 27

28 IEC part 4 to 7 Part 4, Terms and Definition More, most needed definitions (subsystems, element, compliant item ) Part 5, SIL determination methods New explanation of safety principles Part 6, Guidelines on part 2 and 3, probability calculation More background information regarding the probability calculation More probabilistic modeling techniques are described: Reliability block, Fault tree, Markov, Part 7, Bibliography The complete necessary rework was not done, some modification and outdated literature was removed 28

29 Principle of functional safety standards Risk oriented Principal of Risk Reduction Management of Functional Safety Life-cycle oriented Definition of safety-related Functions Definition of Safety Integrity Level (SIL) Quantitative Requirements to the Probability of Dangerous Failure 29

30 Characteristic of a safe application Qualified safety related components and system Safety Management during the life-cycle the whole life cycle Manufacturer of components and systems System Integrator End user Competence of people 30

31 Safety related function, conventional wiring Example: vibration detection with Transmitter and Safety PLC TRIP Vibration Sensor Transmitter Safety PLC Contactor PFD AV = PFD AV_VS + PFD AV_TR + PFD AV_PLC + PFD AV_contactor PFD AV PFD AV_max (Proof test interval!!!!) All components shall fulfill the target SIL! (HFT / SFF, systematic capability) 31

32 Risk reduction, estimation of SIL S I L 1 2 3???? In many cases the end user did not carry out a complete hazard and risk analysis. 32

33 Functional Safety Management, why do we need it modifications after commissioning 20% specification 44% operation & maintenance 15% installation & commissioning 6% design & implementation 15% Objective: Avoidance of specification-, design-, development-, installation and operation faults Source: Out Of Control, from UK HSE (September 2004) Quelle: Out Of Control, Eine Zusammenstellung von festgestellten Ereignissen an Steuerungssystemen, von UK HSE (September 2004) 33

34 Functional Safety Management What does it mean in practice! Have and use safety related procedures, tools, templates Safety plan and Verification & Validation plan Specify who is responsible for what Document control and configuration management (life cycle documentation, maintainable documentation) Review and testing procedures/checklists (verification) Execute functional safety assessments and validation Educate and employ safety competent staff Assure that safety integrity will be maintained within the SIL target during the life time of the SIS Execute periodical safety audits Do all this and document clearly what you do! 34

35 Functional Safety Management, who is responsible Organisation / Departments Documentation in diagrams Persons documented in tables? Name Role Company / Depart-ment Remarks Pete Smith Project manag er MC & S Experience in similar projects... 35

36 Safety life cycle IEC Core activities of System Integrators Using safety related devices from manufactures Core activities of End Users and/or their Engineering Contractors Core activities of End Users and/or their Engineering Contractors 36

37 Safety life cycle IEC

38 Safety integrity according IEC / IEC Three main aspects that define the max. SIL that can be achieved Hardware safety integrity 1. Hardware Fault Tolerance and SFF of the elements of a Safety Instrumented system SIS (architectural constraints tables in IEC and IEC 61511) 2. PFD AVG (low demand) or PFH (high demand or continuous mode) of a Safety Instrumented Function, SIF Systematic safety integrity / capability 3a. Reduction/avoidance of systematic failures in hard- and software (caused by development, embedded in a SIS) 3b. Reduction/avoidance of systematic failures during specification, realisation, planning, installation, validation, operation, maintenance and modification of a SIS Systematic failures can be avoided / reduced by applying FSM! 38

39 Selection of components Chapter For SIL 1-3: Designed in accordance with IEC Certification for Hard- Software available suitable application programming language and selection of programming environment has been used or: components comply with hardware fault tolerance requirements (chapter 11.4) proven-in use, components used in former applications (chapter ) 39

40 Architectural requirements HW / SW Sensor Input Field Devices E / E / PES HW / SW Programmable Logic Solver HW / SW Actuator Output Field Devices 1oo1 Single S1 Input Module Logic Module Output Module 1oo1 Dual 1oo2 S1 S2 1oo1 1oo1D 1oo2 1oo2D 2oo3 2oo4 Automatic Test Setup Triple S1 2oo3 S2 S3 SIS User Interface BPCS 1oo2 40

41 Necessary information for the user Qualified HW/SW acc. to IEC and sector standards Quantitative Values These information are available in the test report or safety manual ( λ DU,...) HFT, SFF, DC, MTTF, λ DD Probability figures, PFD / PFH / PL /.. including Guidance for Calculation on system level Proof Test Interval, Installation and Maintenance guide Use of the system: (conditions for the application) Safety function (normally energised, de-energised) Low demand, high demand mode of operation This is shown with the Certificate These information are available on the Certificate and in the safety manual 41

42 Necessary information for the user Situation today Calculation of probability values PFD / PFH of Safety Instrumented Functions by system integrator or user is necessary Safety related parameters are available but shown in different ways No common rules to ( calculate ) and demonstrate / document the parameters. Certainty of data is not always given or approved Solution Development of a database to assist system integrator and user: Easy access to the data Validated data ( ) including the source of the data Include experience of the Industry -> Interest Group 42

43 Overview database 43

44 User compliance with IEC / IEC They need to perform Hazard and Risk Analysis - identify the safety instrumented functions SIFs - determine the target SIL for each SIF Develop a Safety Requirement Specifications Execute Safety Assessment and Validation Specify procedures for safety Operation and Maintenance Execute well prepared Modifications (impact analysis) Implement and use a functional safety management system FSM Critical aspects Sensor / Actor configuration ( HFT / SFF, systematic capability ) Complete execution of safety validation ( Installation ) Execution of proof tests at all or on calculated time intervals Up to date life cycle documentation (modification) 44

45 Find more information about our services at our website and further details regarding: Time schedule for all Trainings Lists of all TÜV FS Engineers Lists of certified FS-products Overview of FS products and their safetyrelated parameters Information about FS events etc. 45

46 Worldwide Competence in Functional Safety Contact Global Industrie Service GmbH Heinz Gall Am Grauen Stein Cologne - Germany Fax tuevat-asi@de.tuv.com USA TUV Rheinland of North America, Inc. Joe Lenner 1300 Massachusetts Avenue Boxborough, MA USA Fax hgall@us.tuv.com China (China) Ltd. Bin Zhao Unit 707, AVIC Bldg., No.10B, Central Road, East 3rd Ring Road, Chaoyang District Beijing - China Fax Bin.zhao@bj.chn.tuv.com Taiwan TUV Rheinland Taiwan Ltd. Andrew Kao 7F, No. 2, Min Chuan East Rd., Sec. 3 Taipei Taiwan R.O.C ext Fax aka@twn.tuv.com 46 Japan TUV Rheinland Japan Ltd. Joachim Iden Wakasugi Center Bldg Honkan 16F, Higashi Tenma Kita-ku, Osaka - Japan Fax ji@jpn.tuv.com

Measurement of Safety Integrity of E/E/PES according to IEC61508

Measurement of Safety Integrity of E/E/PES according to IEC61508 Mr. Chen Zhenkang TUV Rheinland Singapore 18. May. 2018 Singapore World Metrology Day 2018 1 Agenda 1. TÜV Rheinland: a Certification Body