TÜV Rheinland, Heinz Gall, Bin Zhao
Functional safety according to IEC 61508 / IEC 61511
Important user information
Major changes in IEC 61508 2nd Edition
International TÜV Rheinland Symposium in China
Functional Safety in Industrial Applications
18 – 19 October 2011, Shanghai - China
Contents
• Some information about TÜV Rheinland
• Standards development, history of functional safety standards
• 2nd Edition of IEC 61508
• Principles of the standards
• Requirements of the standards
• Important information for the user
TÜV Rheinland Group, worldwide presence
As an international service group, we document the safety and quality of new and existing products, systems and services.
• founded in 1872
• 360 sites in 62 countries
• more than 14,500 employees
• 6 business sectors, 38 business areas and more than 2,500 different services
TÜV Rheinland – International Business Units (figure)
Industrial Services, Mobility, Products, Systems, Education and Consulting, Life Care.
TÜV Rheinland Industrie Service: Energy Systems - Automation (Functional Safety).
Energy Systems & Automation (figure)
Application areas: Machinery, Process Industry, Oil & Gas, Power Plants, Nuclear Power Plants, automotive etc.
Automation / Functional Safety: FS Products; FS Systems and Applications; FS Qualification
Power Plants (incl. nuclear): Applications; Test and Certification
Functional Safety Management; Application and System Implementation; Trainings, Workshops (TÜV FS Program)
Competencies in Functional Safety (figure)
Product Certificates
More than 500 TÜV Rheinland "Functional Safety" certificates have been issued worldwide.
More than 180 TÜV Rheinland certificates for safety-related products in nuclear power plants have been issued worldwide.
Functional Safety Management
For new developments of safety-related devices and systems, as well as for system application, organisational and failure-avoidance measures have to be verified or validated repeatedly. It is advisable to integrate these measures fundamentally in the framework of a Functional Safety Management System within a company.
Auditors of TÜV Rheinland check, according to the following certification procedure, whether a Functional Safety Management System has been integrated and applied accordingly.
Basic Certification Procedure (figure): Kick-Off Meeting -> Pre-Audit -> Certification Audit -> Certificate -> Surveillance Audit -> Recertification; verification of documents takes place at two stages of the procedure.
FSM certified companies - worldwide (map): Argentina, Australia, Brazil, China, Denmark, Germany, India, Italy, Japan, Malaysia, Mexico, Netherlands, Singapore, United Kingdom
Functional Safety Program
The TÜV Functional Safety Program is a vocational qualification program for engineers who work in the area of Functional Safety. Trainings are offered in cooperation with more than 12 international course providers. The following topics are offered:
• Safety Instrumented Systems (IEC 61511)
• Hardware/Software Design acc. to IEC 61508
• Functional Safety of Machinery
• Automotive – System Design acc. to ISO 26262 and IEC 61508
Participants can obtain one of two qualifications, according to their knowledge and experience. To date, more than 4,000 TÜV FS Engineers have successfully participated in this program.
Functional Safety Program: Course Providers of the TÜV Rheinland FS Program (logos) for Safety Instrumented Systems, HW / SW, Functional Safety of Machinery, Automotive
Experience with IEC 61508 in the last 10 years
• Is accepted worldwide as the generic (basic) standard for Functional Safety
• Has influenced the design and development of safety-related subsystems (devices): subsystems are developed to fulfil the requirements of IEC 61508; many subsystems (sensors, PLCs, actuators) are assessed / qualified and certified
• Was the basis for the development of sector / application-specific standards in many application areas
Relation IEC 61508 / Sector Standards (figure)
IEC 61508 is the basis for:
• IEC 61511 (Process Sector)
• IEC 61800-5-2 (Electrical drives)
• IEC 62061 (Machinery)
• IEC 61513 (Nuclear Sector)
• EN 50156 (Furnaces)
• IEC 60601 (Medical devices)
• EN 50128 (Railway application)
• ISO 13849-1 (Machinery)
• ISO 26262 (Automotive)
IEC 61508 2nd Edition changes, overview
• All parts of the standard were updated
• For all parts:
  The scope is extended from a complete safety function to partial safety functions performed by a subsystem (e.g. sensor, PLC, ...); the safety integrity levels remain linked to the safety function
  New terms defined: overall safety function, element safety function, compliant item, systematic capability, safety manual for compliant item, safety justification
  Mathematically more precise terms: average probability of dangerous failure on demand (PFDavg), average frequency of a dangerous failure per hour (PFH)
IEC 61508 part 1, competence
IEC 61508-1: 1998: 6.2 Requirements acc. to MFS ... h) Competence, see Annex B ... Annex B is informative: B.1 General deliberation, B.2 Appropriateness, relevant factors.
IEC 61508-1 / 2nd edition: 6.2 Requirements acc. to MFS ... h) Competence: 6.2.13 General deliberation, 6.2.14 Appropriateness, relevant factors, 6.2.15 Documentation of competence, 6.2... These clauses are normative.
The competence of people involved in safety projects is now normative (previously informative)!
IEC 61508 part 1, life cycle (figure)
IEC 61508-1: 1998: box 9 "Safety-related systems: E/E/PES, Realization" (see E/E/PES safety lifecycle), with 9.1 "Specification: E/E/PES safety requirements specification".
IEC 61508-1 / 2nd edition: separation into box 9 "E/E/PE system safety requirements specification" (user and system designer) and box 10 "E/E/PE safety-related systems, Realization" (see E/E/PE system safety lifecycle; design requirements and realization by system designer and product designer).
IEC 61508 part 1, clarification on SIL 4
7.6.2.11 In cases where the allocation process results in the requirement for an E/E/PE safety-related system implementing a SIL 4 safety function then the following shall apply:
a) There shall be a reconsideration of the application to determine if any of the risk parameters can be modified so that the requirement for a SIL 4 safety function is avoided. The review shall consider whether:
– additional safety-related systems or other risk reduction measures, not based on E/E/PE safety-related systems, could be introduced;
– the severity of the consequence could be reduced;
– the likelihood of the specified consequence could be reduced.
b) If after further consideration of the application, it is decided to implement the SIL 4 safety function then a further risk assessment shall be carried out using a quantitative method that takes into consideration potential common cause failures between the E/E/PE safety-related system and:
– any other systems whose failure would place a demand on it; and,
– any other safety-related systems.
IEC 61508 part 1, security aspects
7.4.2.3 The hazards, hazardous events and hazardous situations of the EUC and the EUC control system shall be determined under all reasonably foreseeable circumstances (including fault conditions, reasonably foreseeable misuse and malevolent or unauthorized action). This shall include all relevant human factor issues, and shall give particular attention to abnormal or infrequent modes of operation of the EUC. If the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out.
Until now security was not in the scope of IEC 61508. Now it is! These are high-level requirements only; the standard gives no detailed security requirements, and the threat analysis itself is a "should", not a "shall".
IEC 61508 part 2, overview
• Definition of compliance routes, hardware integrity
• Definition of existing and new failure modes / clarification on SFF
• Proven in use
• Systematic capability
• Requirements for ASIC, FPGA design
• Consideration of soft errors for highly integrated circuits
IEC 61508 part 2, hardware integrity
Chapter 7.4
The design of the E/E/PE safety-related system shall meet the:
• requirements for hardware safety integrity (HW compliance routes)
• special architecture requirements for ICs with on-chip redundancy
• requirements for systematic safety integrity (systematic capability)
• requirements for system behaviour on detection of a fault
• requirements for data communication processes
IEC 61508 part 2, definition of new failure modes
IEC 61508-4, 3.6.13 no part failure: failure of a component that plays no part in implementing the safety function
IEC 61508-4, 3.6.14 no effect failure: failure of an element that plays a part in implementing the safety function but has no direct effect on the safety function. It does not contribute to the failure rate of the safety function.
No-effect and no-part failures shall not play any role in the calculation of the diagnostic coverage or the safe failure fraction:
$$\mathrm{SFF} = \frac{\sum \lambda_{S} + \sum \lambda_{DD}}{\sum \lambda_{S} + \sum \lambda_{DD} + \sum \lambda_{DU}}$$
Perhaps 25 % of safety-related elements will be downgraded, because in some analyses no-part and no-effect failures were counted as safe failures and so inflated the SFF.
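As an added example (not from the slides) of the SFF and DC calculation above, the following Python computes both from a constructed FMEDA extract and shows how booking no-effect failures as safe inflates the SFF. Component names and failure rates are hypothetical.

```python
"""Safe failure fraction (SFF) and diagnostic coverage (DC) per IEC 61508-2 Ed.2.

Added example; not from the slides.  Failure rates are constructed, in FIT
(failures per 1e9 h), and the component names are hypothetical.
"""
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str      # "S"  safe
                   # "DD" dangerous detected (by on-line diagnostics)
                   # "DU" dangerous undetected (revealed by proof test only)
                   # "NE" no effect: part of the element, no direct effect (3.6.14)
                   # "NP" no part: plays no part in the safety function (3.6.13)
    rate_fit: float

    @property
    def rate(self) -> float:
        return self.rate_fit * FIT


def _rate_sum(modes, wanted) -> float:
    return sum(m.rate for m in modes if m.mode in wanted)


def sff(modes, count_no_effect_as_safe: bool = False) -> float:
    """Safe failure fraction.

    Ed.2: SFF = (sum lambda_S + sum lambda_DD) / (sum lambda_S + sum lambda_DD + sum lambda_DU).
    No-effect and no-part failures are excluded from numerator and denominator.
    count_no_effect_as_safe=True reproduces the older practice the slides warn
    about, where no-effect failures were booked as safe failures.
    """
    safe_modes = {"S", "NE"} if count_no_effect_as_safe else {"S"}
    lam_s = _rate_sum(modes, safe_modes)
    lam_dd = _rate_sum(modes, {"DD"})
    lam_du = _rate_sum(modes, {"DU"})
    total = lam_s + lam_dd + lam_du
    return (lam_s + lam_dd) / total if total else 0.0


def dc(modes) -> float:
    """Diagnostic coverage = sum lambda_DD / (sum lambda_DD + sum lambda_DU)."""
    lam_dd = _rate_sum(modes, {"DD"})
    lam_du = _rate_sum(modes, {"DU"})
    return lam_dd / (lam_dd + lam_du) if (lam_dd + lam_du) else 0.0


# Constructed FMEDA extract for a hypothetical transmitter
TRANSMITTER = [
    FailureMode("sensing element", "DU", 100),
    FailureMode("ADC", "DD", 300),
    FailureMode("output stage", "S", 200),
    FailureMode("status LED", "NE", 400),        # part of the element, no effect on the trip
    FailureMode("logging EEPROM", "NP", 150),    # plays no part in the safety function
]

if __name__ == "__main__":
    print(f"SFF (Ed.2, no-effect excluded) = {sff(TRANSMITTER):.1%}")
    print(f"SFF (no-effect booked as safe) = {sff(TRANSMITTER, True):.1%}")
    print(f"DC                             = {dc(TRANSMITTER):.1%}")
```

With the constructed rates the Ed.2 SFF is 83.3 % while the old bookkeeping gives exactly 90.0 %; for a Type B element with HFT 0 that is the difference between the 60 % to 90 % band and the 90 % to 99 % band of the architectural constraints, i.e. one SIL of claimable hardware integrity, which is the downgrade the slide anticipates.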
IEC 61508 part 2, systematic integrity / capability
Chapter 7.4.3
IEC 61508-4, 3.5.9 systematic capability: measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL, in respect of the specified element safety function, when the element is applied in accordance with the instructions specified in the compliant item safety manual for the element
Increased understanding: the architecture has the same importance regarding systematic faults (avoidance and control) as regarding the control of random hardware faults
IEC 61508 part 2, systematic integrity / capability
• For the determination of the systematic capability, the designated safety-related E/E/PE system is partitioned into elements of different systematic capability SC
• Case 1: all elements have systematic capability N, and a systematic fault in one of the elements will cause a failure of the specified safety function => the designated safety-related E/E/PE system has systematic capability N
• Case 2: an element has systematic capability N, a systematic fault in this element alone will not cause a failure of the specified safety function, and only the combination with a second systematic fault in another element of systematic capability N causes a failure of the specified safety function => the systematic capability of both elements in combination is N+1
IEC 61508 part 2, systematic integrity / independence
"Sufficient independence, in the design between elements and in the application of elements, shall be justified by common cause failure analysis to show that the likelihood of interference between elements and between the elements and the environment is sufficiently low in comparison with the safety integrity level of the safety function under consideration."
The independence of elements can be assessed only when the specific application of the elements is known in relation to the defined safety functions.
Possible approaches to the achievement of sufficient independence include:
• use of functional diversity
• use of diverse technology
• no use of common parts / services
• no use of common procedures
IEC 61508 part 2, systematic capability compliance routes
Chapter 7.4.3
Requirements for systematic safety integrity (systematic capability) can be met by achieving one of the following compliance routes:
• Route 1S: compliance with the requirements for the avoidance of systematic faults (see 7.4.6 and IEC 61508-3) and the requirements for the control of systematic faults (see 7.4.7 and IEC 61508-3), or
• Route 2S: compliance with the requirements for evidence that the equipment is proven in use (see 7.4.10), or
• Route 3S (pre-existing software elements only): compliance with the requirements of IEC 61508-3, 7.4.2.12.
IEC 61508 part 3, pre-existing software
Requirements:
• a failure analysis has to be carried out
• effective defensive measures are to be taken (see Annex F for techniques)
• compliance routes
• safety manual
Where a pre-existing software element is reused to implement all or part of a safety function, the element shall meet both requirements a) and b) below for systematic safety integrity:
a) meet the requirements of one of the following compliance routes:
• Route 1S: compliant development. Compliance with the requirements of this standard for the avoidance and control of systematic faults in software;
• Route 2S: proven in use. Provide evidence that the element is proven in use. See 7.4.10 of IEC 61508-2;
• Route 3S: assessment of non-compliant development. Compliance with 7.4.2.13.
b) provide a safety manual that gives a sufficiently precise and complete description of the element to make possible an assessment of the integrity
IEC 61508 part 3, Tools
• Online support tools: a software tool that can directly influence the safety-related system during run time. Online support tools shall be treated as software belonging to the safety-related system.
• Offline support tools: a software tool that supports a phase of the software development life cycle and cannot directly influence the safety-related system during its run time. Offline tools are classified as T1, T2 or T3:
• T1 generates no outputs which can directly or indirectly contribute to the executable code (including data) of the safety-related system; example: a design support tool with no automatic code generation capabilities
• T2 supports the test or verification of the design or executable code, where errors in the tool can fail to reveal defects but cannot directly create errors in the executable software; examples: a test harness generator, a test coverage measurement tool, a static analysis tool
• T3 generates outputs which can directly or indirectly contribute to the executable code of the safety-related system; example: a compiler that incorporates an executable run-time package into the executable code
IEC 61508 parts 4 to 7
• Part 4, Terms and definitions: more of the most needed definitions (subsystem, element, compliant item, ...)
• Part 5, SIL determination methods: new explanation of safety principles
• Part 6, Guidelines on parts 2 and 3, probability calculation: more background information regarding the probability calculation; more probabilistic modelling techniques are described: reliability block diagrams, fault trees, Markov models, ...
• Part 7, Bibliography: the complete necessary rework was not done; some modifications were made and outdated literature was removed
Principles of functional safety standards
• Risk oriented
• Principle of risk reduction
• Management of functional safety
• Life-cycle oriented
• Definition of safety-related functions
• Definition of Safety Integrity Level (SIL)
• Quantitative requirements on the probability of dangerous failure
Characteristics of a safe application
• Qualified safety-related components and systems
• Safety management during the whole life cycle: manufacturer of components and systems, system integrator, end user
• Competence of people
Safety related function, conventional wiring (figure)
Example: vibration detection with vibration sensor, transmitter, safety PLC and contactor ("TRIP").
All components shall fulfil the target SIL! (HFT / SFF, systematic capability)
PFDavg <= PFDavg_max
PFDavg = PFDavg_VS + PFDavg_TR + PFDavg_PLC + PFDavg_contactor
(Proof test interval!!!!)
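Added example, not part of the slides: the series PFDavg sum for the vibration-trip loop above, using the simplified 1oo1 approximation PFDavg ≈ λDU · T1 / 2 from IEC 61508-6 Annex B (MTTR and λDD terms neglected), the low-demand SIL bands of IEC 61508-1 Table 2, and the largest proof test interval that still meets a target SIL. The λDU values are constructed.

```python
"""PFDavg of a low-demand safety function implemented as a series chain.

Added example; not from the slides.  Each element is treated as a 1oo1
channel with the simplified approximation PFDavg ~= lambda_DU * T1 / 2
(IEC 61508-6 Annex B, with the MTTR and lambda_DD terms neglected), and the
loop PFDavg is the sum over the elements.  Failure rates are constructed.
"""
HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # 1 FIT = one failure per 1e9 hours

# IEC 61508-1 Table 2, low demand mode: SIL -> [lower bound, upper bound) of PFDavg
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Constructed lambda_DU values in FIT for the slide's vibration-trip loop
LOOP = [("vibration sensor", 200), ("transmitter", 100), ("safety PLC", 10), ("contactor", 300)]


def pfd_avg_1oo1(lambda_du: float, t1_hours: float) -> float:
    """Average PFD of one 1oo1 element; lambda_du in 1/h, proof-tested every t1_hours."""
    return lambda_du * t1_hours / 2.0


def element_pfds(elements, t1_hours: float) -> dict:
    """PFDavg contribution of every element (VS, TR, PLC, contactor on the slide)."""
    return {name: pfd_avg_1oo1(lam_fit * FIT, t1_hours) for name, lam_fit in elements}


def loop_pfd(elements, t1_hours: float) -> float:
    """PFDavg = PFDavg_VS + PFDavg_TR + PFDavg_PLC + PFDavg_contactor (series chain)."""
    return sum(element_pfds(elements, t1_hours).values())


def sil_from_pfd(pfd: float) -> int:
    """SIL whose PFDavg band contains pfd; 0 if pfd >= 1e-1 (no SIL claim possible)."""
    if pfd < SIL_PFD_BANDS[4][0]:
        return 4  # Table 2 stops at SIL 4; nothing higher can be claimed
    for sil, (lo, hi) in SIL_PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


def max_proof_test_interval(elements, target_sil: int) -> float:
    """T1 (hours) at which the loop PFDavg reaches the upper limit of target_sil.

    Any shorter interval keeps the loop inside the band; at exactly this
    interval the PFDavg sits on the boundary and the next lower SIL applies.
    """
    _, pfd_limit = SIL_PFD_BANDS[target_sil]
    lambda_du_total = sum(lam_fit for _, lam_fit in elements) * FIT
    return 2.0 * pfd_limit / lambda_du_total


if __name__ == "__main__":
    for years in (1, 3, 5):
        pfd = loop_pfd(LOOP, years * HOURS_PER_YEAR)
        print(f"T1 = {years} a: PFDavg = {pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
    for name, pfd in element_pfds(LOOP, HOURS_PER_YEAR).items():
        print(f"  {name:17s} {pfd:.2e}")
    t_max = max_proof_test_interval(LOOP, 2)
    print(f"Largest proof test interval for SIL 2: {t_max / HOURS_PER_YEAR:.2f} years")
```

With these rates the loop is SIL 2 at a one-year proof test interval and drops to SIL 1 at five years without any hardware change, which is the point of the slide's "Proof test interval!!!!". The contactor alone contributes almost half of the total, so the final element deserves the same attention as the sensor when the interval is set.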
Risk reduction, estimation of SIL (figure)
In many cases the end user has not carried out a complete hazard and risk analysis; the required SIL (1, 2 or 3?) then remains an open question.
Functional Safety Management, why do we need it
Objective: avoidance of specification, design, development, installation and operation faults.
Primary causes of control-system failures (figure):
• specification 44 %
• design & implementation 15 %
• installation & commissioning 6 %
• operation & maintenance 15 %
• modifications after commissioning 20 %
Source: "Out Of Control", a compilation of incidents observed on control systems, UK HSE (September 2004)
Functional Safety Management
What does it mean in practice?
• Have and use safety-related procedures, tools, templates
• Safety plan and Verification & Validation plan
• Specify who is responsible for what
• Document control and configuration management (life cycle documentation, maintainable documentation)
• Review and testing procedures / checklists (verification)
• Execute functional safety assessments and validation
• Educate and employ safety-competent staff
• Assure that safety integrity will be maintained within the SIL target during the lifetime of the SIS
• Execute periodical safety audits
• Do all this and document clearly what you do!
Functional Safety Management, who is responsible
• Organisation / departments: documented in diagrams
• Persons: documented in tables, e.g.
Name | Role | Company / Department | Remarks
Pete Smith | Project manager | MC & S | Experience in similar projects
....... | ... | ... | ...?
Safety life cycle IEC 61508 (figure)
Phases of the overall safety lifecycle are assigned either as core activities of end users and/or their engineering contractors, or as core activities of system integrators using safety-related devices from manufacturers.
Safety life cycle IEC 61511 (figure)
Safety integrity according to IEC 61508 / IEC 61511
• Hardware safety integrity
  1. Hardware fault tolerance and SFF of the elements of a Safety Instrumented System (SIS) (architectural constraints tables in IEC 61508 and IEC 61511)
  2. PFDavg (low demand) or PFH (high demand or continuous mode) of a Safety Instrumented Function (SIF)
• Systematic safety integrity / capability
  3a. Reduction / avoidance of systematic failures in hardware and software (caused during development, embedded in a SIS)
  3b. Reduction / avoidance of systematic failures during specification, realisation, planning, installation, validation, operation, maintenance and modification of a SIS
• These three main aspects define the maximum SIL that can be achieved; the lowest of the three limits the SIL of the SIF
• Systematic failures can be avoided / reduced by applying FSM!
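Added example (not from the slides): the achieved SIL of a SIF as the minimum over the three aspects listed above. It uses the Route 1H architectural constraints of IEC 61508-2 Tables 2 (Type A) and 3 (Type B), the systematic capability of each subsystem together with the Case 1 / Case 2 combination rule from the part 2 slides, and the SIL met by the PFDavg/PFH calculation, which is passed in as a number. The subsystem data are constructed; treating two elements of unequal SC conservatively as the lower one is an assumption, not a rule of the standard.

```python
"""Achieved SIL of a safety instrumented function as the minimum of three aspects.

Added example; not from the slides.  The tables are the Route 1H architectural
constraints of IEC 61508-2 Ed.2 (Table 2: Type A, Table 3: Type B).  Subsystem
data are constructed.
"""
from dataclasses import dataclass

# Rows: SFF band (< 60 %, 60..< 90 %, 90..< 99 %, >= 99 %); columns: HFT 0, 1, 2.
# 0 means "not allowed" (Type B, SFF < 60 %, HFT 0).
SFF_BAND_LIMITS = [0.60, 0.90, 0.99]
MAX_SIL_ROUTE_1H = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}


def arch_sil(element_type: str, sff: float, hft: int) -> int:
    """Maximum SIL the architectural constraints allow for a subsystem."""
    row = sum(1 for limit in SFF_BAND_LIMITS if sff >= limit)  # 0..3
    col = min(hft, 2)                                           # HFT above 2 earns no more credit
    return MAX_SIL_ROUTE_1H[element_type][row][col]


def combined_sc(sc_a: int, sc_b: int, single_fault_tolerated: bool,
                independence_justified: bool) -> int:
    """Systematic capability of two elements used together.

    Case 1 (slides): a single systematic fault fails the function -> SC N.
    Case 2: one fault is tolerated and only a second fault in the other element
    fails the function -> SC N+1 (capped at 4), but only when independence has
    been justified by common cause failure analysis.
    Unequal SCs are treated conservatively as the lower one (assumption).
    """
    n = min(sc_a, sc_b)
    if single_fault_tolerated and independence_justified and sc_a == sc_b:
        return min(n + 1, 4)
    return n


@dataclass(frozen=True)
class Subsystem:
    name: str
    element_type: str   # "A" or "B"
    sff: float
    hft: int
    sc: int             # systematic capability of the subsystem as applied


def sil_budget(subsystems, pfd_sil: int) -> dict:
    """Per-subsystem limits plus the overall achieved SIL (lowest of all limits).

    pfd_sil is the SIL met by the PFDavg (low demand) or PFH (high demand)
    calculation of the whole SIF.
    """
    limits = {s.name: {"arch": arch_sil(s.element_type, s.sff, s.hft), "sc": s.sc}
              for s in subsystems}
    achieved = min([pfd_sil] + [min(v.values()) for v in limits.values()])
    return {"subsystems": limits, "pfd_sil": pfd_sil, "achieved": achieved}


# Constructed SIF: 1oo2 Type B transmitters, a Type B logic solver, a Type A contactor
SIF = [
    Subsystem("sensors 1oo2", "B", 0.85, 1, 3),
    Subsystem("safety PLC", "B", 0.995, 0, 3),
    Subsystem("contactor", "A", 0.70, 0, 2),
]

if __name__ == "__main__":
    budget = sil_budget(SIF, pfd_sil=3)
    for name, lim in budget["subsystems"].items():
        print(f"{name:14s} architectural SIL {lim['arch']}  SC {lim['sc']}")
    print(f"PFD calculation meets SIL {budget['pfd_sil']}; achieved SIL {budget['achieved']}")
```

In the constructed case the PFD calculation would support SIL 3, but the sensor subsystem (SFF 85 % at HFT 1) and the contactor (SC 2, SFF 70 % at HFT 0) each cap the SIF at SIL 2; the budget shows which aspect to fix before any more reliability modelling is worth doing.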
Selection of components
IEC 61511-1, chapter 11.5.2
For SIL 1-3, components shall be either:
• designed in accordance with IEC 61508 (certification for hardware and software available; a suitable application programming language and programming environment has been used),
or:
• compliant with the hardware fault tolerance requirements (chapter 11.4), and
• "proven in use", i.e. components used in former applications (chapters 11.5.3 to 11.5.6)
Architectural requirements (figure)
SIS structure: input field devices (sensors S1, S2, S3) -> programmable logic solver (input module, logic module, output module; HW / SW) -> output field devices (actuators), with SIS user interface and BPCS.
Sensor configurations shown: single (1oo1), dual (1oo2), triple (2oo3).
Example E/E/PE architectures shown: 1oo1, 1oo1D, 1oo2, 1oo2D, 2oo3, 2oo4, with automatic test setup.
Necessary information for the user
• Qualified HW/SW acc. to IEC 61508 and sector standards
• Quantitative values: HFT, SFF, DC, MTTF, λDD, λDU, ...; probability figures PFD / PFH / PL / ..., including guidance for calculation on system level; proof test interval, installation and maintenance guide
• Use of the system (conditions for the application): safety function (normally energised / de-energised), low demand / high demand mode of operation
The qualification is shown on the Certificate; the quantitative values are available in the test report or safety manual; the conditions for the application are available on the Certificate and in the safety manual.
Necessary information for the user
Situation today
• Calculation of probability values PFD / PFH of Safety Instrumented Functions by the system integrator or user is necessary
• Safety-related parameters are available but are shown in different ways
• No common rules on how to calculate, demonstrate and document the parameters
• Certainty of data is not always given or approved
Solution
• Development of a database to assist system integrator and user:
  • easy access to the data
  • validated data (TÜV Rheinland) including the source of the data
  • include experience of the industry -> interest group
Overview database (figure)
User compliance with IEC 61508 / IEC 61511
Users need to
• perform a hazard and risk analysis: identify the safety instrumented functions (SIFs) and determine the target SIL for each SIF
• develop a Safety Requirements Specification
• execute safety assessment and validation
• specify procedures for safe operation and maintenance
• execute well-prepared modifications (impact analysis)
• implement and use a functional safety management system (FSM)
Critical aspects
• Sensor / actuator configuration (HFT / SFF, systematic capability)
• Complete execution of safety validation (installation)
• Execution of proof tests at all, and at the calculated time intervals
• Up-to-date life cycle documentation (modifications)
www.tuvasi.com
Find more information about our services at our website www.tuvasi.com and further details regarding:
• Time schedule for all trainings
• Lists of all TÜV FS Engineers
• Lists of certified FS products
• Overview of FS products and their safety-related parameters
• Information about FS events
• ... etc.
Contact: Worldwide Competence in Functional Safety
Global: TÜV Rheinland Industrie Service GmbH, Heinz Gall, Am Grauen Stein, 51105 Cologne - Germany. Tel. +49 – 221 – 806 1790, Fax +49 – 221 – 806 ..., [email protected], http://tuvasi.com
USA: TUV Rheinland of North America, Inc., Joe Lenner, 1300 Massachusetts Avenue, Boxborough, MA 01719 - USA. Tel. +1 – 426 0888, Fax +1 – 426 ..., [email protected], http://www.us.tuv.com
Japan: TUV Rheinland Japan Ltd., Joachim Iden, Wakasugi Center Bldg Honkan 16F, Higashi Tenma 2-9-1 Kita-ku, Osaka - Japan. Tel. +81 – 66355-5732, Fax +81 – ..., [email protected], http://www.jpn.tuv.com
China: TÜV Rheinland (China) Ltd., Bin Zhao, Unit 707, AVIC Bldg., No.10B, Central Road, East 3rd Ring Road, Chaoyang District, Beijing - China. Tel. +86 10 6566 6660-104, Fax +86 10 6566 ..., [email protected], http://www.chn.tuv.com/en/
Taiwan: TUV Rheinland Taiwan Ltd., Andrew Kao, 7F, No. 2, Min Chuan East Rd., Sec. 3, Taipei 104 - Taiwan R.O.C. Tel. +886-2-2516-6040 ext. 1161, Fax ..., [email protected], http://www.twn.tuv.com/