TÜV Rheinland InterTraffic GmbH, Safety in Transportation 4
The agri-motive safety performance integrity level, or how do you call it?
Dipl.-Ing. Sebastian Gräfling, TÜV Rheinland InterTraffic GmbH
Contents
I. Insight: SIL
II. Step by step: Various safety standards
III. Focus on: SIL definitions and determinations
IV. Sum up!
Insight: SIL
SIL = Safety Integrity Level
- Measure of reliability of safety functions
- Level of risk reduction
Development of safety-critical systems and applications, lifecycle phases: Planning, Requirements, Risk Analysis, Development, Implementation, Integration, Tests, Verification, Validation, Maintenance.
[Figure: Risk Analysis -> Risk Graph -> SIL -> failure rate λ, split into systematic failures and random HW failures]
Insight: SIL
[Figure: Risk Analysis -> Risk Graph -> SIL -> failure rate λ, split into systematic failures and random HW failures]
Random HW failures (German: Ausfälle): they will appear for sure, but you don't know when.
Systematic failures: caused by humans, e.g. design faults, SW faults, installation faults, etc.
Quantitative analyses regarding the effects of random HW failures are established (e.g. FMEA, FTA), but corresponding analyses for human faults are not.
Effects on project development cycles:
- Random HW failures -> appropriate architecture (e.g. redundancy), choice of appropriate components and definition of fault detection and diagnosis functions (proof, e.g. by FTA)
- Systematic failures -> measures for the development and quality management
II. Step by step: Various safety standards
Safety standards: Overview
The following standards will be shortly presented:
- IEC 61508
- IEC 61511
- EN 50126/28/29
- ISO 26262
- ISO 13849
- IEC 62061
- ISO 25119
- DEF-STAN 00-56-1
- RTCA DO-178B
Safety standards: IEC 61508
IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems
- generic safety standard (German: Sicherheitsgrundnorm)
- defines a generic approach for all safety lifecycle activities
- covers electrical and/or electronic and/or programmable electronic (E/E/PE) elements that are used to perform safety functions
- consists of 7 parts, dedicated to hardware and software (including examples for application)
Safety standards: IEC 61511
IEC 61511: Functional safety - Safety instrumented systems for the process industry sector
- sets out the application of safety instrumented systems for the process industries
- covers sensors, logic solvers and final elements; logic solvers include E/E/PE technology
- IEC 61511 is process-industry specific within the framework of the IEC 61508 series
Safety standards: EN 50126/28/29
EN 50126: Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
EN 50128: Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems
EN 50129: Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling
- EN 50126 defines the management of RAMS for railway applications
- EN 50128 provides methods for software in order to meet the demands for safety integrity resulting from the related standards
- EN 50129 is intended for the functional safety of railway signalling systems and is used for electronics in railway applications
Safety standards: ISO 26262
ISO 26262: Road vehicles - Functional safety
- automobile-specific derivation of IEC 61508
- applies to all activities during the safety lifecycle of safety-related systems
- covers electrical, electronic and software elements that provide safety-related functions
- addresses passenger cars up to an allowed total weight of 3.5 t
- the standard consists of ten parts; parts 2 to 9 contain the requirements for the development process and the product, whereas parts 1 and 10 are informative guides
Safety standards: ISO 13849
ISO 13849: Safety of machinery - Safety-related parts of control systems
- for the design and integration of safety-related parts of control systems (SRP/CS) of machinery
- applies to SRP/CS, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.), for all kinds of machinery
- complies with the Machinery Directive
- use of this standard and/or IEC 62061 can be presumed in order to fulfil the safety-related requirements for SRP/CS of different technologies
Safety standards: IEC 62061
IEC 62061: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
- covers safety-related E/E/PE control systems for machinery
- can be seen as a further supporting standard for ISO 13849
Safety standards: ISO 25119
ISO 25119: Tractors and machinery for agriculture and forestry - Safety-related parts of control systems
- covers E/E/PES components for tractors for agriculture and forestry
- self-propelled ride-on machines and mounted, semi-mounted and trailed machines used in agriculture and municipal equipment
Safety standards: DEF-STAN 00-56-1
Defence Standard 00-56-1: Safety management requirements for defence systems
- British defence standard
- describes the requirements for safety management including hazard analysis and safety assessment
- is applied to Ministry of Defence projects
Safety standards: RTCA DO-178B
RTCA DO-178B: Software Considerations in Airborne Systems and Equipment Certification
- is a software standard for aircraft
- depending on the necessary level of risk reduction, it knows 5 different levels
- for each level, methods are described that have to be implemented in the software process and in the software itself
III. Focus on: SIL definitions and determinations
Focus on: IEC 61508 (overview of the standard as given above)
SIL definition and determination: IEC 61508
- 4 SILs: SIL 1 .. SIL 4
- Each level defines measures against systematic failures and random failures
- Random failures are described by probabilities of dangerous failures on demand or probabilities of dangerous failures per hour
- The safety integrity level determines the target failure measure for dangerous random failures of the safety function according to Table 1 and Table 2, and vice versa
- The target failure measure depends on the type of application (low demand mode or continuous mode of operation)
SIL definition and determination: IEC 61508
Low demand mode of operation (average probability of failure to perform its design function on demand, PFD):
  SIL 4: 10^-5 to < 10^-4
  SIL 3: 10^-4 to < 10^-3
  SIL 2: 10^-3 to < 10^-2
  SIL 1: 10^-2 to < 10^-1
High demand or continuous mode of operation (probability of a dangerous failure per hour, PFH):
  SIL 4: 10^-9 to < 10^-8
  SIL 3: 10^-8 to < 10^-7
  SIL 2: 10^-7 to < 10^-6
  SIL 1: 10^-6 to < 10^-5
Refer to EN 61508-1:2010, Table 2 and Table 3
SIL definition and determination: IEC 61508
IEC 61508-5 presents five methods for determining the SIL:
1. The ALARP method
2. Quantitative method of SIL determination
3. The risk graph method
4. Layer of protection analysis (LOPA)
5. Hazardous event severity matrix
SIL definition and determination: IEC 61508
The ALARP method:
- Quantitative and qualitative risk targets
- Originated in the UK
Source: EN 61508-5:2010, Annex C
SIL definition and determination: IEC 61508
Quantitative method of SIL determination (figure)
Source: EN 61508-5:2010, Annex C and D
SIL definition and determination: IEC 61508
The risk graph method. Parameters:
- Consequence (C)
- Frequency of, and exposure time in, the hazardous zone (F)
- Possibility of avoiding the hazardous event (P)
- Probability of the unwanted occurrence (W)
Source: EN 61508-5:2010, Annex E
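As an added example (not part of the slides and not the standard's own figure) of how a risk graph turns the four parameters above into a SIL: the Python below models the two-step decision procedure, where C, F and P select a starting row and W selects the column. The parameter classes follow the C/F/P/W scheme named on the slide; the calibration itself (which C/F/P combination leads to which row, and the row-by-W outcome table) is constructed for illustration and has to be taken from the applicable standard or sector calibration in real use.

```python
"""Risk graph decision procedure (constructed example calibration, not the standard's).

C, F and P choose a starting row (1..6); W (demand rate without the safety
function) chooses the column. The outcome is SIL 1..4 or one of three special
labels commonly used on risk graphs.
"""
from enum import Enum


class C(Enum):  # Consequence
    A = "minor injury"
    B = "serious permanent injury / single death"
    C = "death of several people"
    D = "very many people killed"


class F(Enum):  # Frequency of, and exposure time in, the hazardous zone
    A = "rare to more often"
    B = "frequent to permanent"


class P(Enum):  # Possibility of avoiding the hazardous event
    A = "possible under certain conditions"
    B = "almost impossible"


class W(Enum):  # Probability of the unwanted occurrence without the safety function
    W1 = "very slight"
    W2 = "slight"
    W3 = "relatively high"


NO_REQUIREMENT = "-"        # no safety requirements
NO_SPECIAL = "a"            # no special safety requirements
BEYOND_SINGLE_SYSTEM = "b"  # a single E/E/PE safety-related system is not sufficient


def starting_row(c: C, f: F, p: P) -> int:
    """Constructed calibration: worse consequence, longer exposure and poorer
    avoidance each move the starting row down; row 6 is the floor."""
    if c is C.A:
        return 1  # minor injury: F and P are not evaluated on this branch
    row = {C.B: 2, C.C: 4, C.D: 5}[c]
    row += 1 if f is F.B else 0
    row += 1 if p is P.B else 0
    return min(row, 6)


# Constructed calibration: (row, W) -> outcome. A lower demand rate (W1) relaxes
# the required SIL by one step per column.
_OUTCOME = {
    1: {W.W3: NO_SPECIAL, W.W2: NO_REQUIREMENT, W.W1: NO_REQUIREMENT},
    2: {W.W3: "SIL 1", W.W2: NO_SPECIAL, W.W1: NO_REQUIREMENT},
    3: {W.W3: "SIL 2", W.W2: "SIL 1", W.W1: NO_SPECIAL},
    4: {W.W3: "SIL 3", W.W2: "SIL 2", W.W1: "SIL 1"},
    5: {W.W3: "SIL 4", W.W2: "SIL 3", W.W1: "SIL 2"},
    6: {W.W3: BEYOND_SINGLE_SYSTEM, W.W2: "SIL 4", W.W1: "SIL 3"},
}


def risk_graph(c: C, f: F, p: P, w: W) -> str:
    """Return 'SIL 1'..'SIL 4', '-', 'a' or 'b' for one hazard assessment."""
    return _OUTCOME[starting_row(c, f, p)][w]


if __name__ == "__main__":
    # Constructed hazard: several deaths possible (C_C), frequent exposure (F_B),
    # avoidance possible under certain conditions (P_A), slight demand rate (W2).
    print(starting_row(C.C, F.B, P.A), risk_graph(C.C, F.B, P.A, W.W2))  # 5 SIL 3
```

The outcome "b" is the case a practitioner must watch for: the graph says a single E/E/PE safety-related system cannot deliver the required risk reduction, so the design has to change (additional protection layers, or a reduced hazard) rather than the SIL simply being raised.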
SIL definition and determination: IEC 61508
Layer of protection analysis (LOPA) (figure)
Source: EN 61508-5:2010, Annex F
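The slides give the IEC 61508-1 SIL tables and name the quantitative and LOPA methods without showing the arithmetic that joins them. The Python below is an added example (not from the slides or the standard) that does so: the initiating event frequency is reduced by each independent protection layer already in place, the remaining gap to the tolerable frequency is the maximum PFD the safety instrumented function may have, and the low demand table from the slides converts that PFD into a SIL. The band boundaries are the ones on the slides; the scenario numbers in the usage section are constructed.

```python
"""LOPA-style quantitative SIL determination using the IEC 61508-1 tables
reproduced on the slides (added example, not the standard's worked example)."""
from typing import Optional, Sequence

# IEC 61508-1:2010 Table 2 (low demand mode): PFD band -> SIL.
# Tuples are (lower bound inclusive, upper bound exclusive, SIL).
PFD_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]
# IEC 61508-1:2010 Table 3 (high demand / continuous mode): PFH band -> SIL.
PFH_BANDS = [(1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1)]


def _sil_from_bands(value: float, bands) -> Optional[int]:
    if value <= 0:
        raise ValueError("failure measure must be positive")
    for lower, upper, sil in bands:
        if lower <= value < upper:
            return sil
    if value >= bands[-1][1]:
        return None  # weaker than SIL 1: the table assigns no SIL
    raise ValueError("stricter than SIL 4: outside the IEC 61508 tables")


def sil_from_pfd(pfd: float) -> Optional[int]:
    """SIL for an average probability of failure on demand (low demand mode)."""
    return _sil_from_bands(pfd, PFD_BANDS)


def sil_from_pfh(pfh: float) -> Optional[int]:
    """SIL for a dangerous failure rate per hour (high demand / continuous mode)."""
    return _sil_from_bands(pfh, PFH_BANDS)


def lopa_required_pfd(initiating_frequency: float,
                      ipl_pfds: Sequence[float],
                      tolerable_frequency: float) -> Optional[float]:
    """Maximum PFD the safety instrumented function (SIF) may have so that the
    residual event frequency meets the tolerable frequency.
    Returns None when the existing protection layers already suffice."""
    mitigated = initiating_frequency
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("an IPL's PFD must lie in (0, 1]")
        mitigated *= pfd  # each IPL is assumed independent of the others
    if mitigated <= tolerable_frequency:
        return None
    return tolerable_frequency / mitigated


def lopa_required_sil(initiating_frequency: float,
                      ipl_pfds: Sequence[float],
                      tolerable_frequency: float) -> Optional[int]:
    """SIL the SIF must achieve; None if no SIL-rated SIF is required."""
    required = lopa_required_pfd(initiating_frequency, ipl_pfds, tolerable_frequency)
    return None if required is None else sil_from_pfd(required)


if __name__ == "__main__":
    # Constructed scenario (all numbers invented for illustration): initiating
    # event 0.5 per year, two IPLs (basic process control PFD 0.1, relief valve
    # PFD 0.01), tolerable frequency 1e-6 per year.
    pfd = lopa_required_pfd(0.5, [0.1, 0.01], 1e-6)
    print(f"required PFD {pfd:.1e}, risk reduction factor {1 / pfd:.0f}, "
          f"SIL {lopa_required_sil(0.5, [0.1, 0.01], 1e-6)}")
    # required PFD 2.0e-03, risk reduction factor 500, SIL 2
```

Two edge cases are deliberately not silent: a required PFD below 10^-5 raises, because the tables stop at SIL 4 and the answer is to add protection layers rather than to demand a stricter SIF, and a required PFD at or above 10^-1 returns None, because the tables assign no SIL to so weak a function. Note that the product over the layers only holds when they are genuinely independent, which is the assumption LOPA rests on.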
SIL definition and determination: IEC 61508
Hazardous event severity matrix (figure)
Source: EN 61508-5:2010, Annex G
Focus on: IEC 61511 (overview of the standard as given above)
SIL definition and determination: IEC 61511
- 4 SILs: SIL 1 .. SIL 4
- The SIL definition is consistent with the definition given in IEC 61508
- For the determination of the safety integrity, all failure causes (hardware and systematic failures) that could lead to an unsafe state must be considered
- The safety integrity also depends on factors that cannot be considered quantitatively, but only qualitatively
- Several methods can be applied, such as risk graphs, risk matrices and LOPA (Layer of Protection Analysis)
Source: IEC 61511
Focus on: EN 50126/28/29 (overview of the standards as given above)
SIL definition and determination: EN 50126
- EN 50126 defines a number of discrete levels for specifying the safety integrity requirements of the safety functions to be allocated to the safety-related systems. It is recommended that no more than 4 levels should be used.
- A SIL shall only be allocated to an "element" (lowest-level equipment), namely a standalone equipment which performs one or more simple functions and which can be replaced by another one performing the same function(s).
- EN 50126 alone does not provide enough information to work consistently with a SIL. Using e.g. the draft EN 50126-2, one can find additional information.
- EN 50126-2 relates the SIL to the tolerable hazard rate (THR):
  10^-9 <= THR < 10^-8 h^-1: SIL 4
  10^-8 <= THR < 10^-7 h^-1: SIL 3
  10^-7 <= THR < 10^-6 h^-1: SIL 2
  10^-6 <= THR < 10^-5 h^-1: SIL 1
Refer to EN 50126-2, Table 5
SIL definition and determination: EN 50128
- Software can only have systematic failures, hence no random failures and no THRs are discussed.
- The SIL definition and determination is based on EN 50129, however with one deviation: EN 50129 uses a SIL 0 to denote that there is no specific safety requirement, whereas EN 50128 uses Software SIL 0 to define a separate Software SIL (SSIL). This is the only difference between the SIL and the SSIL.
- The SSIL is required to be at least the same as the system SIL.
- The Software SIL is largely identical to the SIL for hardware, as derived in EN 50129.
Software safety integrity level and description of software safety integrity:
  4: Very High
  3: High
  2: Medium
  1: Low
  0: Non safety-related
Refer to EN 50128, Section 5.2
SIL definition and determination: EN 50129
- In fact, EN 50129 is the standard that provides detailed information regarding the SIL.
- The safety integrity is specified as one of four discrete levels. Additionally, level 0 is used to indicate that there are no safety requirements.
- SILs are used as a means of matching the qualitative approaches (to avoid systematic failures) with the quantitative approach (to control random failures), as it is not feasible to quantify systematic failures, thus resembling the IEC 61508 approach to SILs.
SIL definition and determination: EN 50129 (figure)
Source: EN 50129, Annex A.5
Focus on: ISO 26262 (overview of the standard as given above)
SIL definition and determination: ISO 26262
- ISO 26262 specifies four levels of automotive SIL (ASIL A..D) for an item's or element's necessary requirements and safety measures for avoiding an unreasonable residual risk.
- The quantitative random hardware failure target values do not differ for ASIL B and C. Therefore, qualitative measures have to be applied in order to obtain higher requirements for ASIL C than for ASIL B.
Random hardware failure targets:
  ASIL D: < 10^-8 h^-1
  ASIL C: < 10^-7 h^-1
  ASIL B: < 10^-7 h^-1
  ASIL A: < 10^-6 h^-1
Refer to: ISO 26262, Part 5, Annex G
- The determination of quantitative targets for the ASILs is different from other safety standards like IEC 61508 or EN 50126/EN 50129.
SIL definition and determination: ISO 26262 (figure)
Source: ISO 26262, Part 3
Focus on: ISO 13849 (overview of the standard as given above)
SIL definition and determination: ISO 13849
- ISO 13849 defines five performance levels (PL), i.e. discrete levels used to specify the ability of SRP/CS to perform a safety function under foreseeable conditions.
- The PL can be set in relation to the SIL classification of IEC 61508.
- PL a has no correspondence on the SIL scale and is mainly used to reduce the risk of slight, normally reversible, injury.
- Since SIL 4 is dedicated to catastrophic events possible in the process industry, this range is not relevant for risks at machines. Thus PL e, corresponding to SIL 3, is defined as the highest level.
Source: ISO 13849
SIL definition and determination: ISO 13849 (figure)
Source: ISO 13849, Annex A
Focus on: IEC 62061 (overview of the standard as given above)
SIL definition and determination: IEC 62061
Three SILs are defined by IEC 62061 for the specification of safety integrity requirements of safety-relevant E/E/PE control functions.
Safety integrity level and probability of dangerous failure per hour (PFH_D):
  SIL 3: 10^-8 to < 10^-7
  SIL 2: 10^-7 to < 10^-6
  SIL 1: 10^-6 to < 10^-5
Source: IEC 62061, Annex A
Focus on: ISO 25119 (overview of the standard as given above)
SIL definition and determination: ISO 25119
- ISO 25119 defines an agricultural performance level (AgPL), which specifies the ability of safety-related parts to perform a safety-related function under foreseeable conditions.
- The AgPL is divided into 5 levels (a to e) (compare ISO 13849).
- The AgPL consists of four aspects:
  - Hardware category
  - Mean time to (dangerous) failure (MTTF)
  - Diagnostic coverage
  - SRL (Software requirement level)
- The selection of appropriate values for these four aspects is necessary to achieve the required performance level.
- The appendices of ISO 25119-2 provide guidelines for estimating the MTTF and determining the diagnostic coverage.
SIL definition and determination: ISO 25119 (figure)
Source: ISO 25119
Focus on: DEF-STAN 00-56-1 (overview of the standard as given above)
SIL definition and determination: DEF-STAN 00-56-1
- Safety integrity has two components: random failure integrity and systematic failure integrity. This is the same approach as that of the other standards.
- Each abstract function shall be allocated a safety integrity level in the early design phases, and this shall be inherited by the components that implement the function.
- Based on the number of independent functions, two SIL matrices are provided by this defence standard.
- The corresponding SIL is matched by the intersection of probability of function failure and accident severity, i.e. this standard utilizes only two parameters for the SIL determination. The approach is semi-quantitative.
SIL definition and determination: DEF-STAN 00-56-1 (figure)
Source: DEF-STAN 00-56-1
Focus on: RTCA DO-178B (overview of the standard as given above)
SIL definition and determination: RTCA DO-178B
Software level and definition:
  A: Software failure leads to catastrophic failure
  B: Software failure leads to hazardous / severe-major failure
  C: Software failure leads to major failure
  D: Software failure leads to minor failure
  E: Software failure leads to failure with no effect on aircraft operational capability or pilot workload
Refer to: RTCA DO-178B
IV. Sum up!
Sum up
Various SIL determination methods...
- No common method broadly used
- Dependent on applications, risks, national policies and social standards, etc.
- Different methods -> different results
- Even SILs dedicated to comparable levels of risk reduction ask for different design rules and measures against systematic failures.
- Safety integrity levels are given different names: safety integrity levels, software safety integrity levels, automotive SIL, agricultural performance levels, performance levels.
- The situation might even become worse when the English terminology is translated into other languages.
Sum up
- Strictly speaking, EN 50126 can hardly be considered a standalone standard for SIL definition and determination, because EN 50129 or a guideline needs to be applied. In particular, EN 50126 refers to Report R009-001:1997 for safety integrity (levels).
- Currently EN 50128 and EN 50129 give precise (HR, R, M, ...) definitions for techniques and measures for each safety integrity level and their use for signalling systems, however leaving many open questions for other railway sub-systems.
- Contrary to other safety standards, e.g. ISO 25119 does not define any quantitative levels in terms of tolerable hazard rates. This makes it cumbersome to compare these standards with others or to convert safety integrity levels into agricultural performance levels.
Sum up
However, all the SILs also have things in common:
- They all describe a necessary amount of risk reduction (methods and techniques, human behaviour), necessary in order to reach an acceptable risk level.
- Mostly all types of SILs consist of a set of measures against random hardware failures and systematic (hardware and software) failures.
- Requirements for design and development processes are given for each SIL, and mostly a tolerable rate of dangerous failures per hour is provided per SIL to reduce random failures.
Nevertheless, it is not easy to understand all these different SILs with different names for different areas of technology.
TÜV Rheinland InterTraffic GmbH, Safety in Transportation 4
Thank you very much for your attention! Questions are welcome!