Functional safety according to IEC 61508 / IEC 61511 ...IEC 61508 part 2, systematic integrity /...

Page 1: Functional safety according to IEC 61508 / IEC 61511 ...IEC 61508 part 2, systematic integrity / capability Chapter 7.4.3 IEC 61508-4; 3.5.9 systematic capability measure (expressed

1 TÜV Rheinland, Heinz Gall, Bin Zhao

Functional safety according to IEC 61508 / IEC 61511

Important user information

Major changes in IEC 61508 2nd Edition

International TÜV Rheinland Symposium in China
Functional Safety in Industrial Applications
18 – 19 October 2011, Shanghai - China

Page 2

Contents

- Some information about TÜV Rheinland
- Standards development, history of functional safety standards
- 2nd Edition of IEC 61508
- Principle of standards
- Requirements of standards
- Important information for the user

Page 3

As an international service group, we document the safety and quality of new and existing products, systems and services.

TÜV Rheinland Group

- founded in 1872
- 360 sites in 62 countries
- more than 14,500 employees
- 6 business sectors, 38 business areas and more than 2,500 different services

Worldwide Presence

Page 4

TÜV Rheinland Industrie Service

TÜV Rheinland – International Business Units (organisation chart): Industrial Services, Mobility, Products, Systems, Education and Consulting, Life Care. Within Industrial Services: Energy Systems - Automation, which covers Functional Safety.

Page 5

Energy Systems & Automation

Energy Systems. Application areas: Machinery, Process Industry, Oil & Gas, Power Plants, Nuclear Power Plants, automotive etc.

Automation / Functional Safety (overview chart): FS Products, FS Systems and Applications, FS Qualification; Power Plants, Power Plants (nuclear); Applications; Test and Certification; Functional Safety Management; Application and System Implementation; Trainings, Workshops; TÜV FS Program.

Page 6

Competencies in Functional Safety

Page 7

Product Certificates

More than 500 TÜV Rheinland "Functional Safety" certificates have been issued worldwide.

More than 180 TÜV Rheinland certificates for safety-related products in nuclear power plants have been issued worldwide.

Page 8

Functional Safety Management

For new developments of safety-related devices and systems as well as for system application, organisational and failure-avoidance measures have to be verified or validated repeatedly. It is advisable to integrate these measures fundamentally in the framework of a Functional Safety Management System within a company.

Auditors of TÜV Rheinland check according to the following certification procedure whether a Functional Safety Management System has been integrated and applied accordingly.

Basic Certification Procedure (flow chart): Kick-Off Meeting -> Pre-Audit -> Certification Audit -> Certificate -> Surveillance Audit -> Recertification; Verification of Documents accompanies the audit steps.

Page 9

FSM certified companies - worldwide (map): Malaysia, India, Germany, Netherlands, Denmark, Australia, Argentina, China, Japan, Singapore, Mexico, Brazil, Italy, United Kingdom

Page 10

Functional Safety Program

The TÜV Functional Safety Program is a vocational qualification program for engineers who work in the area of Functional Safety. Trainings are offered in cooperation with more than 12 international course providers. The following topics are offered:

- Safety Instrumented Systems (IEC 61511)
- Hardware/Software-Design acc. to IEC 61508
- Functional Safety of Machinery
- Automotive – System Design acc. to ISO 26262 and IEC 61508

Participants can obtain the following 2 qualifications acc. to their knowledge and experience. By today more than 4,000 TÜV FS Engineers have successfully participated in this program.

Page 11

Functional Safety Program

Course providers of the TÜV Rheinland FS Program (logos), grouped by topic: Safety Instrumented Systems; HW / SW; Functional Safety of Machinery; Automotive

Page 12

Experience with IEC 61508 in the last 10 years

- Is accepted worldwide as the generic (basic) standard for Functional Safety
- Has influenced the design and development of safety-related subsystems (devices): subsystems are developed to fulfill the requirements of IEC 61508; many subsystems (sensor, PLC, actuator) are assessed / qualified and certified
- Was the basis for the development of sector / application dependent standards in many application areas

Page 13

Relation IEC 61508 / Sector Standards

IEC 61508 (generic standard) and the sector standards derived from it:

- IEC 61511: Process sector
- IEC 61800-5-2: Electrical drives
- IEC 62061: Machinery
- IEC 61513: Nuclear sector
- EN 50156: Furnaces
- IEC 60601: Medical devices
- EN 50128: Railway application
- ISO 13849-1: Machinery
- ISO 26262: Automotive

Page 14

IEC 61508 2nd Edition changes, overview

- All parts of the standard were updated
- For all parts:
  - Extend the scope from a complete safety function to partial safety functions performed by a subsystem (e.g. sensor, PLC, ...). The safety integrity levels are furthermore linked to the safety function.
  - New terms defined: overall safety function, element safety function; compliant item, systematic capability; safety manual for compliant item, safety justification
  - Mathematically more profound terms: average probability of dangerous failure on demand PFDavg; average frequency of dangerous failure PFH

Page 15

IEC 61508 part 1, competence

IEC 61508-1: 1998: 6.2 Requirements acc. to MFS ... h) Competence, see Annex B ... Annex B is informative: B.1 General deliberation, B.2 Appropriateness, relevant factors.

IEC 61508-1 / 2nd edition: 6.2 Requirements acc. to MFS ... h) Competence ... 6.2.13 General deliberation, 6.2.14 Appropriateness, relevant factors, 6.2.15 Documentation of competence, 6.2... Normative!

The competence of people involved in safety projects is now normative (previously informative).

Page 16

IEC 61508 part 1, life cycle

Separation: system safety requirement specification (user and system designer); design requirements, realization (system designer, product designer).

Life cycle figure, IEC 61508-1: 1998: box 9 "Safety-related systems: E/E/PES Realization", containing 9.1 "Specification: E/E/PES safety requirements specification".

Life cycle figure, IEC 61508-1 / 2nd edition: box 9 "E/E/PE system safety requirements specification" and box 10 "E/E/PE safety-related systems: Realization (see E/E/PE system safety lifecycle)".

Page 17

IEC 61508 part 1, clarification on SIL 4

7.6.2.11 In cases where the allocation process results in the requirement for an E/E/PE safety-related system implementing a SIL 4 safety function then the following shall apply:

a) There shall be a reconsideration of the application to determine if any of the risk parameters can be modified so that the requirement for a SIL 4 safety function is avoided. The review shall consider whether:
– additional safety-related systems or other risk reduction measures, not based on E/E/PE safety-related systems, could be introduced;
– the severity of the consequence could be reduced;
– the likelihood of the specified consequence could be reduced.

b) If after further consideration of the application, it is decided to implement the SIL 4 safety function then a further risk assessment shall be carried out using a quantitative method that takes into consideration potential common cause failures between the E/E/PE safety-related system and:
– any other systems whose failure would place a demand on it; and,
– any other safety-related systems.

Page 18

IEC 61508 part 1, security aspects

7.4.2.3 The hazards, hazardous events and hazardous situations of the EUC and the EUC control system shall be determined under all reasonably foreseeable circumstances (including fault conditions, reasonably foreseeable misuse and malevolent or unauthorized action). This shall include all relevant human factor issues, and shall give particular attention to abnormal or infrequent modes of operation of the EUC. If the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out.

Until now security was not in the scope of IEC 61508. Now it is! High-level requirements, no detailed requirements.

Page 19

IEC 61508 part 2, overview

- Definition of compliance routes, hardware integrity
- Definition of existing and new failure modes / clarification on SFF
- Proven in use
- Systematic capability
- Requirements for ASIC, FPGA design
- Consideration of soft errors for highly integrated circuits

Page 20

IEC 61508 part 2, hardware integrity

Chapter 7.4

The design of the E/E/PE safety-related system shall meet the:

- requirements for hardware safety integrity (HW compliance routes)
- special architecture requirements for ICs with on-chip redundancy
- requirements for systematic safety integrity (systematic capability)
- requirements for system behavior on detection of a fault
- requirements for data communication processes

Page 21

IEC 61508 part 2, definition of new failure modes

IEC 61508-4; 3.6.13 no part failure: failure of a component that plays no part in implementing the safety function

IEC 61508-4; 3.6.14 no effect failure: failure of an element that plays a part in implementing the safety function but has no direct effect on the safety function. It does not contribute to the failure rate of the safety function.

No-effect and no-part failures shall not play any role in the calculation of the diagnostic coverage or the safe failure fraction.

Maybe 25 % of safety-related elements will degrade (no-part and no-effect failures were counted as safe in some analyses).

Safe failure fraction:

$$\mathrm{SFF} = \frac{\sum \lambda_{S} + \sum \lambda_{DD}}{\sum \lambda_{S} + \sum \lambda_{DD} + \sum \lambda_{DU}}$$
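The following is an added example, not part of the TÜV Rheinland slides. It computes the SFF from a constructed FMEDA-style failure-mode table twice: once with no-part and no-effect failures wrongly counted as safe (the practice the slide says some analyses used), and once with them excluded as the 2nd edition requires. It then looks up the maximum claimable SIL in the Route 1H architectural-constraint tables of IEC 61508-2 (Table 2 for type A, Table 3 for type B elements), which is also the HFT / SFF constraint the later "Safety integrity" slide refers to, so that the degradation the slide warns about becomes visible. The failure rates, mode names and the element type are constructed sample values, not data for any real product.

```python
# Added example: SFF with and without no-part / no-effect failure modes, then a
# Route 1H (IEC 61508-2) architectural-constraint lookup. FMEDA data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate_fit: float   # failure rate in FIT (1e-9 failures per hour)
    category: str     # "S" safe, "DD" dangerous detected, "DU" dangerous undetected,
                      # "NP" no part (3.6.13), "NE" no effect (3.6.14)


# Constructed FMEDA extract for a hypothetical transmitter element (illustrative only).
SAMPLE_FMEDA = (
    FailureMode("output driven to safe state", 300.0, "S"),
    FailureMode("ADC drift, caught by range check", 400.0, "DD"),
    FailureMode("sensor bridge open, undetected", 100.0, "DU"),
    FailureMode("status LED open", 150.0, "NP"),
    FailureMode("diagnostic log cell fault", 250.0, "NE"),
)


def lambda_sum(modes, category):
    """Sum of the failure rates of all modes in one category (one sigma term of the SFF formula)."""
    return sum(m.rate_fit for m in modes if m.category == category)


def sff(modes, count_no_effect_as_safe=False):
    """SFF = (sum lambda_S + sum lambda_DD) / (sum lambda_S + sum lambda_DD + sum lambda_DU).

    With count_no_effect_as_safe=True the NP and NE rates are added to lambda_S, the
    pre-2nd-edition practice the slide criticises; otherwise they are left out entirely.
    """
    lam_s = lambda_sum(modes, "S")
    lam_dd = lambda_sum(modes, "DD")
    lam_du = lambda_sum(modes, "DU")
    if count_no_effect_as_safe:
        lam_s += lambda_sum(modes, "NP") + lambda_sum(modes, "NE")
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


# IEC 61508-2 Route 1H: maximum SIL per SFF band for hardware fault tolerance 0, 1, 2
# (Table 2 for type A elements, Table 3 for type B); 0 means "not allowed".
ROUTE_1H = {
    "A": {"<60": (1, 2, 3), "60-90": (2, 3, 4), "90-99": (3, 4, 4), ">=99": (3, 4, 4)},
    "B": {"<60": (0, 1, 2), "60-90": (1, 2, 3), "90-99": (2, 3, 4), ">=99": (3, 4, 4)},
}


def sff_band(value):
    """Map an SFF (0..1) onto the band labels used in ROUTE_1H."""
    if value < 0.60:
        return "<60"
    if value < 0.90:
        return "60-90"
    if value < 0.99:
        return "90-99"
    return ">=99"


def max_sil_route_1h(element_type, sff_value, hft):
    """Maximum SIL claimable for the element under Route 1H (0 = not allowed)."""
    return ROUTE_1H[element_type][sff_band(sff_value)][hft]


def degradation_report(modes, element_type="B", hft=0):
    """Claimable SIL before and after NP/NE failures stop being counted as safe."""
    old = sff(modes, count_no_effect_as_safe=True)
    new = sff(modes)
    return {
        "sff_old": old, "max_sil_old": max_sil_route_1h(element_type, old, hft),
        "sff_new": new, "max_sil_new": max_sil_route_1h(element_type, new, hft),
    }


if __name__ == "__main__":
    print(degradation_report(SAMPLE_FMEDA))
    # sff_old ~ 0.917 -> SIL 2; sff_new = 0.875 -> SIL 1 (type B, HFT 0)
```

For the constructed element the SFF falls from about 92 % to 87.5 %, which crosses the 90 % band boundary and, for a type B element without hardware fault tolerance, lowers the claimable SIL from 2 to 1. The same lookup applies unchanged to the HFT / SFF "architectural constraints tables" named on the "Safety integrity according IEC 61508 / IEC 61511" slide.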

Page 22

IEC 61508 part 2, systematic integrity / capability

Chapter 7.4.3

IEC 61508-4; 3.5.9 systematic capability: measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL, in respect of the specified element safety function, when the element is applied in accordance with the instructions specified in the compliant item safety manual for the element

Increase the understanding: the architecture has the same importance regarding systematic faults (avoidance and control) as regarding the control of random faults.

Page 23

IEC 61508 part 2, systematic integrity / capability

- For the determination of the systematic capability, the designated safety-related E/E/PES system is partitioned into elements of different systematic capability SC.
- Case 1:
  - all elements have the systematic capability N
  - a systematic fault in one of the elements will cause a failure of the specified safety function
  => the designated safety-related E/E/PES system has the systematic capability N
- Case 2:
  - an element has the systematic capability N
  - a systematic fault in one element will not cause a failure of the specified safety function
  - a combination with a second systematic fault of another element of systematic capability N causes a failure of the specified safety function
  => the systematic capability of both elements in combination is N+1
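The two cases above can be turned into a small rule set. The code below is an added example, not from the slides: it models a safety function as a list of "cut sets" (groups of elements whose simultaneous systematic faults cause the function to fail) and derives the SC of the function from the SC of the elements. The modelling choices are mine: a single-element cut set limits the function to that element's SC (Case 1); a two-element cut set whose independence has been justified by common cause failure analysis gets min(SC) + 1 (Case 2); a pair without justified independence gets no credit; SC is capped at 4; and a cut set with more than two elements is treated conservatively like a pair. The element names and SC values in the two scenario functions are constructed.

```python
# Added example: systematic capability (SC) of a safety function from the SC of its
# elements, following Case 1 and Case 2 of the slide. Modelling assumptions are mine.
from dataclasses import dataclass

SC_MAX = 4


@dataclass(frozen=True)
class Element:
    name: str
    sc: int  # systematic capability SC 1..4


@dataclass(frozen=True)
class CutSet:
    elements: tuple            # Element objects whose joint systematic faults fail the function
    independent: bool = True   # sufficient independence justified by common cause analysis


def cut_set_sc(cut_set):
    """SC contributed by one cut set."""
    weakest = min(e.sc for e in cut_set.elements)
    if len(cut_set.elements) == 1:
        return weakest                       # Case 1: one systematic fault is enough
    if cut_set.independent:
        return min(weakest + 1, SC_MAX)      # Case 2: two independent faults needed -> N+1
    return weakest                           # no justified independence: no extra credit


def system_sc(cut_sets):
    """The safety function is limited by its weakest cut set."""
    return min(cut_set_sc(cs) for cs in cut_sets)


def case_1():
    """Sensor, PLC and actuator in series: any single systematic fault fails the function."""
    sensor, plc, actuator = Element("sensor", 2), Element("PLC", 3), Element("actuator", 2)
    return system_sc([CutSet((sensor,)), CutSet((plc,)), CutSet((actuator,))])


def case_2(independent=True):
    """Two diverse SC 2 sensors voted 1oo2: both must fail systematically before the function fails."""
    sensor_a, sensor_b = Element("sensor A", 2), Element("sensor B", 2)
    plc, actuator = Element("PLC", 3), Element("actuator", 3)
    return system_sc([
        CutSet((sensor_a, sensor_b), independent=independent),
        CutSet((plc,)),
        CutSet((actuator,)),
    ])


if __name__ == "__main__":
    print("case 1:", case_1())                        # 2
    print("case 2, independent pair:", case_2())       # 3
    print("case 2, no independence:", case_2(False))   # 2
```

The last call shows why the next slide insists on justified independence: the N+1 credit disappears as soon as the two elements share a common cause, and the function drops back to the SC of the weaker element.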

Page 24

IEC 61508 part 2, systematic integrity / independence

"Sufficient independence, in the design between elements and in the application of elements, shall be justified by common cause failure analysis to show that the likelihood of interference between elements and between the elements and the environment is sufficiently low in comparison with the safety integrity level of the safety function under consideration."

The independence of elements can be assessed only when the specific application of the elements is known in relation to the defined safety functions.

Possible approaches to the achievement of sufficient independence include:

- use of functional diversity
- use of diverse technology
- no use of common parts / services
- no use of common procedures

Page 25

IEC 61508 part 2, systematic capability compliance routes

Chapter 7.4.3

Requirements for systematic safety integrity (systematic capability) can be met by achieving one of the following compliance routes:

- Route 1S: compliance with the requirements for the avoidance of systematic faults (see 7.4.6 and IEC 61508-3) and the requirements for the control of systematic faults (see 7.4.7 and IEC 61508-3), or
- Route 2S: compliance with the requirements for evidence that the equipment is proven in use (see 7.4.10), or
- Route 3S (pre-existing software elements only): compliance with the requirements of IEC 61508-3, 7.4.2.12.

Page 26

IEC 61508 part 3, pre existing software

Requirements:

- failure analysis has to be carried out
- effective defensive measures to be taken (see Annex F for techniques)
- compliance routes
- safety manual

Where a pre-existing software element is reused to implement all or part of a safety function, the element shall meet both requirements a) and b) below for systematic safety integrity:

a) meet the requirements of one of the following compliance routes:
- Route 1S: compliant development. Compliance with the requirements of this standard for the avoidance and control of systematic faults in software;
- Route 2S: proven in use. Provide evidence that the element is proven in use. See 7.4.10 of IEC 61508-2;
- Route 3S: assessment of non-compliant development. Compliance with 7.4.2.13.

b) provide a safety manual that gives a sufficiently precise and complete description of the element to make possible an assessment of the integrity

Page 27

IEC 61508 part 3, Tools

- Online support tools: a software tool that can directly influence the safety-related system during run time. Online support tools shall be treated as software belonging to the safety-related system.
- Offline support tools: a software tool that supports a phase of the software development life cycle and cannot directly influence the safety-related system during its run time.
  - T1 generates no outputs which can directly or indirectly contribute to the executable code (including data) of the safety-related system; example: a design support tool with no automatic code generation capabilities
  - T2 supports the test or verification of the design or executable code, where errors in the tool can fail to reveal defects but cannot directly create errors in the executable software; examples: a test harness generator; a test coverage measurement tool; a static analysis tool
  - T3 generates outputs which can directly or indirectly contribute to the executable code of the safety-related system; example: a compiler that incorporates an executable run-time package into the executable code

Page 28

IEC 61508 part 4 to 7

- Part 4, Terms and definitions: more, most needed definitions (subsystem, element, compliant item, ...)
- Part 5, SIL determination methods: new explanation of safety principles
- Part 6, Guidelines on parts 2 and 3, probability calculation: more background information regarding the probability calculation; more probabilistic modeling techniques are described: reliability block diagram, fault tree, Markov, ...
- Part 7, Bibliography: the complete necessary rework was not done; some modification, and outdated literature was removed

Page 29

Principle of functional safety standards

- Risk oriented
- Principle of risk reduction
- Management of Functional Safety
- Life-cycle oriented
- Definition of safety-related functions
- Definition of Safety Integrity Level (SIL)
- Quantitative requirements to the probability of dangerous failure

Page 30

Characteristic of a safe application

- Qualified safety-related components and system
- Safety management during the whole life cycle: manufacturer of components and systems, system integrator, end user
- Competence of people

Page 31

Safety related function, conventional wiring

All components shall fulfill the target SIL! (HFT / SFF, systematic capability)

PFDAV ≤ PFDAV_max

Example: vibration detection with vibration sensor, transmitter, safety PLC and contactor ("TRIP"):

PFDAV = PFDAV_VS + PFDAV_TR + PFDAV_PLC + PFDAV_contactor

(Proof test interval !!!!)
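The sum on the slide, carried through numerically as an added example (not from the slides). Each of the four elements is treated as a single 1oo1 channel using the simplified IEC 61508-6 relation PFDavg ≈ λDU · T1 / 2, where T1 is the proof test interval (MTTR, diagnostic coverage and common cause are ignored to keep the arithmetic visible); the loop PFDavg is then compared with the low-demand SIL bands of IEC 61508-1 Table 2. The λDU values are constructed sample figures, not certified data for any product, and the function `max_proof_test_interval_years` is my addition to show how the proof test interval the slide emphasises decides whether the target is met.

```python
# Added example: PFDavg of the vibration-trip loop (sensor + transmitter + safety PLC +
# contactor), simplified 1oo1 model PFDavg ~ lambda_DU * T1 / 2, checked against SIL bands.
HOURS_PER_YEAR = 8760.0

# IEC 61508-1 Table 2, low demand mode: [lower, upper) PFDavg band per SIL.
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Constructed lambda_DU values in failures per hour, as they would be read from a
# certificate / safety manual. Illustrative only.
LOOP_LAMBDA_DU = {
    "vibration sensor": 2.0e-7,
    "transmitter": 1.0e-7,
    "safety PLC": 1.0e-8,
    "contactor": 3.0e-7,
}


def pfd_avg_1oo1(lambda_du, proof_test_interval_h):
    """Simplified single-channel PFDavg: lambda_DU * T1 / 2."""
    return lambda_du * proof_test_interval_h / 2.0


def loop_pfd_avg(lambda_du_by_element, proof_test_interval_h):
    """PFDAV = PFDAV_VS + PFDAV_TR + PFDAV_PLC + PFDAV_contactor, the slide's sum."""
    return sum(pfd_avg_1oo1(lam, proof_test_interval_h) for lam in lambda_du_by_element.values())


def achieved_sil(pfd):
    """SIL whose low-demand band contains the PFDavg (0 if worse than SIL 1)."""
    for sil in (4, 3, 2, 1):
        lo, hi = SIL_PFD_BANDS[sil]
        if lo <= pfd < hi:
            return sil
    return 0


def meets_target(lambda_du_by_element, proof_test_interval_h, target_sil):
    """PFDAV below PFDAV_max, i.e. the upper limit of the target SIL band."""
    pfd_max = SIL_PFD_BANDS[target_sil][1]
    return loop_pfd_avg(lambda_du_by_element, proof_test_interval_h) < pfd_max


def max_proof_test_interval_years(lambda_du_by_element, target_sil):
    """Largest T1 (years) for which the loop still stays inside the target SIL band
    (solve sum(lambda_DU) * T1 / 2 = PFDAV_max for T1)."""
    pfd_max = SIL_PFD_BANDS[target_sil][1]
    total_lambda_du = sum(lambda_du_by_element.values())
    return 2.0 * pfd_max / total_lambda_du / HOURS_PER_YEAR


if __name__ == "__main__":
    for years in (0.25, 1, 5):
        pfd = loop_pfd_avg(LOOP_LAMBDA_DU, years * HOURS_PER_YEAR)
        print(f"T1 = {years:>4} a: PFDavg = {pfd:.2e} -> SIL {achieved_sil(pfd)}")
    # T1 = 0.25 a -> 6.68e-04 (SIL 3); 1 a -> 2.67e-03 (SIL 2); 5 a -> 1.34e-02 (SIL 1)
    print(f"max T1 for SIL 2: {max_proof_test_interval_years(LOOP_LAMBDA_DU, 2):.2f} years")
```

With the same hardware the loop reaches SIL 3 at a quarterly proof test, SIL 2 at a yearly one and only SIL 1 at five years, which is the point of the "Proof test interval !!!!" remark: the PFDavg figure on a certificate is meaningless without the interval it was calculated for.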

Page 32

Risk reduction, estimation of SIL

In many cases the end user did not carry out a complete hazard and risk analysis.

(Figure: SIL 1 / 2 / 3 ????)

Page 33

Functional Safety Management, why do we need it

Source: "Out Of Control", a compilation of recorded incidents involving control systems, by UK HSE (September 2004)

Objective: avoidance of specification, design, development, installation and operation faults

Distribution of the incident causes by life cycle phase (pie chart):

- specification: 44%
- design & implementation: 15%
- installation & commissioning: 6%
- operation & maintenance: 15%
- modifications after commissioning: 20%

Page 34

Functional Safety Management

- Have and use safety-related procedures, tools, templates
- Safety plan and Verification & Validation plan
- Specify who is responsible for what
- Document control and configuration management (life cycle documentation, maintainable documentation)
- Review and testing procedures/checklists (verification)
- Execute functional safety assessments and validation
- Educate and employ safety-competent staff
- Assure that safety integrity will be maintained within the SIL target during the life time of the SIS
- Execute periodical safety audits
- Do all this and document clearly what you do!

What does it mean in practice!

Page 35

Functional Safety Management, who is responsible

- Organisation / Departments: documentation in diagrams
- Persons: documented in tables with the columns Name, Role, Company / Department, Remarks (example row: Pete Smith, Project manager, MC & S, Experience in similar projects), ...

...?

Page 36

Safety life cycle IEC 61508

(Safety life cycle figure, IEC 61508: core activities of End Users and/or their Engineering Contractors; core activities of System Integrators using safety-related devices from manufacturers; core activities of End Users and/or their Engineering Contractors)

Page 37

Safety life cycle IEC 61511

Page 38

Safety integrity according to IEC 61508 / IEC 61511

- Hardware safety integrity
  1. Hardware fault tolerance and SFF of the elements of a Safety Instrumented System (SIS) (architectural constraints tables in IEC 61508 and IEC 61511)
  2. PFDAVG (low demand) or PFH (high demand or continuous mode) of a Safety Instrumented Function (SIF)
- Systematic safety integrity / capability
  3a. Reduction/avoidance of systematic failures in hard- and software (caused by development, embedded in a SIS)
  3b. Reduction/avoidance of systematic failures during specification, realisation, planning, installation, validation, operation, maintenance and modification of a SIS
- Three main aspects that define the max. SIL that can be achieved
- Systematic failures can be avoided / reduced by applying FSM!

Page 39

Selection of components

Chapter 11.5.2

For SIL 1-3:

- Designed in accordance with IEC 61508: certification for hardware / software available; a suitable application programming language and selection of programming environment has been used

or:

- components comply with hardware fault tolerance requirements (chapter 11.4)
- "proven-in-use", components used in former applications (chapter 11.5.3 – 11.5.6)

Page 40

Architectural requirements

(Figure: SIS architecture with input field devices (sensors S1, S2, S3), programmable logic solver (input module, logic module, output module, with automatic test setup) and output field devices (actuator), each comprising HW / SW, connected to the SIS user interface and the BPCS. Voting architectures shown: 1oo1, 1oo1D, 1oo2, 1oo2D, 2oo3, 2oo4; sensor configurations: single (1oo1), dual (1oo2), triple (2oo3))

Page 41

Necessary information for the user

- Qualified HW/SW acc. to IEC 61508 and sector standards
- Quantitative values: HFT, SFF, DC, MTTF, failure rates (λDD, λDU, ...), probability figures PFD / PFH / PL / ..., including guidance for calculation on system level; proof test interval, installation and maintenance guide
- Use of the system (conditions for the application): safety function (normally energised, de-energised); low demand / high demand mode of operation

Where the user finds this: the qualification is shown with the Certificate; the quantitative values are available in the test report or safety manual; the conditions of use are available on the Certificate and in the safety manual.

Page 42

Necessary information for the user

Situation today:

- Calculation of probability values PFD / PFH of Safety Instrumented Functions by system integrator or user is necessary
- Safety-related parameters are available but shown in different ways
- No common rules to (calculate) and demonstrate / document the parameters
- Certainty of data is not always given or approved

Solution:

- Development of a database to assist system integrator and user:
  - Easy access to the data
  - Validated data (TÜV Rheinland) including the source of the data
  - Include experience of the industry -> Interest Group

Page 43

Overview database

Page 44

User compliance with IEC 61508 / IEC 61511

They need to

- perform hazard and risk analysis: identify the safety instrumented functions (SIFs); determine the target SIL for each SIF
- develop a Safety Requirement Specification
- execute safety assessment and validation
- specify procedures for safe operation and maintenance
- execute well prepared modifications (impact analysis)
- implement and use a functional safety management system (FSM)

Critical aspects:

- Sensor / actuator configuration (HFT / SFF, systematic capability)
- Complete execution of safety validation (installation)
- Execution of proof tests at all, and at the calculated time intervals
- Up-to-date life cycle documentation (modification)

Page 45

Find more information about our services at our website www.tuvasi.com and further details regarding:

- Time schedule for all trainings
- Lists of all TÜV FS Engineers
- Lists of certified FS products
- Overview of FS products and their safety-related parameters
- Information about FS events
- ... etc.

Page 46

Contact: Worldwide Competence in Functional Safety

USA: TUV Rheinland of North America, Inc.
Joe Lenner, 1300 Massachusetts Avenue, Boxborough, MA 01719 - USA
Tel. +1 – 426 0888, Fax +1 – 426 [email protected], www.us.tuv.com

Global: TÜV Rheinland Industrie Service GmbH
Heinz Gall, Am Grauen Stein, 51105 Cologne - Germany
Tel. +49 – 221 – 806 1790, Fax +49 – 221 – 806 [email protected], tuvasi.com

Japan: TUV Rheinland Japan Ltd.
Joachim Iden, Wakasugi Center Bldg Honkan 16F, Higashi Tenma 2-9-1 Kita-ku, Osaka - Japan
Tel. +81 – 66355-5732, Fax +81 – [email protected], www.jpn.tuv.com

China: TÜV Rheinland (China) Ltd.
Bin Zhao, Unit 707, AVIC Bldg., No.10B, Central Road, East 3rd Ring Road, Chaoyang District, Beijing - China
Tel. +86 10 6566 6660-104, Fax +86 10 6566 [email protected], www.chn.tuv.com/en/

Taiwan: TUV Rheinland Taiwan Ltd.
Andrew Kao, 7F, No. 2, Min Chuan East Rd., Sec. 3, Taipei 104 - Taiwan R.O.C.
Tel. +886-2-2516-6040 ext. 1161, Fax [email protected], www.twn.tuv.com/

