1 | Infinit 1 Oct 2014

InfinIT – SIL Preben Albrecht

PDS(SR))

Power

External signals and control

Diagnostic functions

Communications and I/O

Torque/speed/position control

Modulation and

protection

Power section Motor

Sensors

Control section

IEC 1224/07

2 | Infinit 1 Oct 2014

Agenda - Topics

• Functional Safety, high demand/low demand mode med fokus på de funktioner, som ikke direkte vedr. personsikkerhed

• Certificerings/compliance proces set fra os som applicant og ikke notified body side

First some talk about Safety

3 | Infinit 1 Oct 2014

Safety definition(s)

• EU • IEC Guide 51 – 3.14 • Safety. freedom from risk (3.9) which is not tolerable (“Freedom from unacceptable risk”)

• US • MIL STD 882E - 3.2.30

• Safety. Freedom from conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.

4 | Infinit 1 Oct 2014

IEC Guide 51

• harm • injury or damage to the health of people, or damage to property or

the environment

• Risk • combination of the probability of occurrence of harm and the

severity of that harm

• Safety • freedom from risk which is not tolerable

• tolerable risk

• level of risk that is accepted in a given context based on the current values of society

5 | Infinit 1 Oct 2014

Functional Safety • Functional Safety defines protection against hazards caused by

incorrect functioning of components or systems

• Products incorporating functional safety protect against • injury or death of people • harm to the environment • loss of property

6 | Infinit 1 Oct 2014

One Safe Function

See Video

7 | Infinit 1 Oct 2014

Low – High Demand mode 3.5.16 (IEC 61508-4) mode of operation way in which a safety function operates, which may be either

– low demand mode: where the safety function is only performed on demand, in order to

transfer the EUC into a specified safe state, and where the frequency of demands is no

greater than one per year; or

NOTE The E/E/PE safety-related system that performs the safety function normally has no influence on the EUC

or EUC control system until a demand arises. However, if the E/E/PE safety-related system fails in such a way that

it is unable to carry out the safety function then it may cause the EUC to move to a safe state (see 7.4.6 of

IEC 61508-2).

– high demand mode: where the safety function is only performed on demand, in order to

transfer the EUC into a specified safe state, and where the frequency of demands is greater

than one per year; or

– continuous mode: where the safety function retains the EUC in a safe state as part of

normal operation

9 | Infinit 1 Oct 2014

PDS

PDS(SR))

Power

External signals and control

Diagnostic functions

Communications and I/O

Torque/speed/position control

Modulation and

protection

Power section Motor

Sensors

Control section

IEC 1224/07

10 | Infinit 1 Oct 2014

Drive functions – Soft Ware • Claim

• All software which is involved in any protecting function, needs to be developed and maintained as safety critical, “just” with different safety levels – base could be SIL1 according to IEC 61508

• This gives that all if SW requirements differ trough out the product, there is a high likelihood that we will have mixt criticality

11 | Infinit 1 Oct 2014

Certification & Compliance

12 | Infinit 1 Oct 2014

Safety Strategies: Normal

operation

Failure occurred

Safe State Exists

Fault detected

Fault detected

Fault develops quickly into Failure

Fault develops quickly into Failure

SaStr3

SaStr5 SaStr4

SaStr6

SaStr1,2

No

No

No

No

No

Yes

Yes

Yes

Yes

1: Improve integrity (decrease failure rate) of original design. 2: Schedule periodic repairs/proof tests to prevent wear out. 3: Direct failure mode (by design) to safe state, e.g. De-energized. 4: Alert operator and instruct him/her to stop. 5: Enter safe state. 6: Add redundancy (physical and/or analytical).

Yes

13 | Infinit 1 Oct 2014

44 %Specifications

20 %Changes after commissioning

15%Operations and

maintenance

6%Installations and commissioning

15%Design and

implementations

6

Life Cycle from IEC 61508

Concept

Overall scope definition 2

Overall Installation and commissioning

Overall safety validation

Decommissioning or disposal

Overall operation and maintenance and repair

12

13

16

14 Overall modification and retrofit 15

Safety related systems: E/E/PES

10 Realization (see E/E/PES safety lifecycle)

Other risk reduction measures 11

Specification and Realization

Back to appropriate overall safety life cycle phase

1

Overall operation & maintenance planning

Overall planning

Hazard and risk analysis

Overall safety requirements 4

3

Safety requirements allocation 5

Overall validation planning

7 Overall

installation and commissioning

planning

8

Safety requirements allocation 9

14 | Infinit 1 Oct 2014

IEC 61508 - 1 7.10.2.6 The E/E/PE system safety functions requirements specification shall contain: f) all relevant modes of operation of the EUC, including: – preparation for use including setting and adjustment, – start-up, teach, automatic, manual, semi-automatic, steady state of operation, – steady state of non-operation, re-setting, shut-down, maintenance, – reasonably foreseeable abnormal conditions;

15 | Infinit 1 Oct 2014

Type of certification

16 | Infinit 1 Oct 2014

Overview of certification process

TÜV SÜD certification process requirements

Not required from a component manufacturer

Concept approval

Certificate EMC, Env. and electrical safety tests preferable in accredited labs

User documentation

Fault insertion tests

17 | Infinit 1 Oct 2014

Admin Functional Safety

18 | Infinit 1 Oct 2014

FSM audit focus

19 | Infinit 1 Oct 2014

Every company claim customer focus ?

7.2.3 Customer communication CIG 023: 14. Customer complaint

14.1 Is there a procedure regarding how to handle customer complaints? 14.2 Are the received complaints reviewed on a regular basis regarding whether they are related to single errors or system errors? - Actual case checked - Procedure checked 14.3 Are corrective actions and decisions regarding customer complaints recorded? Actual case checked Procedure checked 14.4 Is the originator of the complaint informed about the handling and the result of the complaint? - Actual case checked - Procedure checked 14.5 Are the records of customer complaints maintained and satisfactory? 14.6 Are records kept at least for the period between two inspection visits?

20 | Infinit 1 Oct 2014

Focus from Factory TO product -> product functions

TS 16949 ISO 9001 – certificated ISO 17025 (UL-DAP /test lab)

Electrical Safety LVD (CE-mark) OSHA (US) …

Functional safety – - IEC 61508 - ISO 13849 - Motivated bye MD 2006/42/EC (machine builder law)

21 | Infinit 1 Oct 2014

Books

Functional Safety – An IEC 61508 SIL 3 Compliant Development Process, 3rd Edition ISBN-13: 978-193497708-8

Effective FMEAs: Achieving Safe, Reliable, and Economical Products and Processes using Failure Mode and Effects Analysis ISBN-13: 978-1118007433