Functional safety Functional safety of Programmable systems, devices & components: Requirements from global & national standards Matthias R. Heinze Vice President Engineering TUV Rheinland of N.A. Email : mheinze@us.tuv.com ASI / 968-1
Overview History of standards Standards overview Comparison of different risk classes and systems Estimation of the requirements from the standards application dependent / independent Example EN 954 Main topics of IEC 61508 Basic documents for the approval Type approval and certification ASI / 968-2
Standards, history In the past: All safety related standards were application dependent result: Different safety philosophies and requirements and mainly oriented to low complex components FMEA of single component failures ASI / 968-3
Standards, history Today: Risk oriented Risk reduction general standards, application independent Technology dependent Life-cycle oriented and application or sector specific dependent ASI / 968-4
Standards to be taken in to account Risk assessment IEC 61508 ANSI B11.TR3 Functional safety of programmable electronic safety-related systems Risk and Risk reduction (Machine tools) Requirements for E/E/PES systems ( application independent / technology specific ) IEC 61508 DIN 19251 DIN V VDE 0801 A1 Application dependent requirements EN 50156 EN 60204 EN 954 EN 692 Functional safety of programmable electronic safety-related systems Control equipment, requirements and measures for safe guarded functions Principles for computers in safety related systems, including Amendment A1 Electrical equipment for furnaces Safety of machinery-electrical equipment of machines Safety of machinery-safety related parts control systems Mechanical presses-safety ANSI B11.1 Mechanical power presses-safety requirements for construction... ASI / 968-5
Current Status of IEC 61508 IEC 61508-1 General requirements final - 2 Requirements for E/E/PES final - 3 Software requirements final - 4 Definitions final - 5 Examples of methods final for the determination of SIL - 6 Guidelines on the application final of part 2 and 3-7 Overview of techniques final and measures ASI / 968-6
Risk Class - Requirement Class Safety Integrity Level - Category of Control NE 31 Risk Class DIN V 19250 Requirement class IEC 61508 Safety Integrity Level EN 954-1 Category of Control 1 - B* I 2 3 1 1 2 4 2 3 II 5 6 3 4 7 8 4 The direction of the arrows must be observed when comparing classification *)B (EN 954-1) corresponds to requirement class 1 (DIN V 19250) and vice versa ASI / 968-7
Comparison IEC 61508 / DIN 19250and VDE 0801 Sensor E / E / PES Actuator 35% 15% 50% IEC DIN / VDE Safety function Components ASI / 968-8
EN 954 Safety category 4 Category Summary of Requirements System Behaviour Principles for the Realisation of Safety The requirements of category B - When the Mainly by the and the use of well tried faults occur structure safety principles apply. the safety function is always performed. 4 Safety related parts have to The faults will be designed, that: detected in time - a single fault in any of its to prevent the parts does not lead to a loss of safety loss of safety function, and function. - the single fault is detected at or before the next demand on the safety function, or, if this detection is not possible then an accumulation of faults shall not lead to a loss of safety function. ASI / 968-9
The IEC 61508 covers for processors, devices, components range and extent of measures and techniques for the avoidance and control of faults ( HW and SW ) applied during the design and development hardware fault tolerance of systems / subsystems ( structure ) in combination with safe failure fraction and diagnostic coverage probability of failure to danger of the subsystem using reliability modelling techniques measures and techniques for avoidance and control of faults during the design and development of the application software ASI / 968-10
Integrity level according IEC 61508 Safety integrity levels: target failure measures for a safety function, allocated to an E/E/PE safety-related system operating in low demand mode of operation Safety integrity level Low demand mode of operation (Average probability of failure to perform its design function on demand) 4 10-5 to < 10-4 3 10-4 to < 10-3 2 10-3 to < 10-2 1 10-2 to < 10-1 Safety integrity levels: target failure measures for a safety function, allocated to an E/E/PE safety-related system operating in high demand or continuous mode of operation Safety integrity level High demand or continuous mode of operation (Probability of a dangerous failure per hour) 4 10-9 to < 10-8 3 10-8 to < 10-7 2 10-7 to < 10-6 1 10-6 to < 10-5 ASI / 968-11
IEC 61508 architectural constraints on low complex subsystems Safe failure fraction Hardware fault tolerance 0 1 2 < 60 % SIL 1 SIL 2 SIL 3 60 % - 90 % SIL 2 SIL 3 SIL 4 90 % - 99 % SIL 3 SIL 4 SIL 4 99 % SIL 3 SIL 4 SIL 4 ASI / 968-12
IEC 61508 architectural constraints on complex subsystems Safe failure fraction Hardware fault tolerance 0 1 2 < 60 % Not allowed SIL 1 SIL 2 60 % - 90 % SIL 1 SIL 2 SIL 3 90 % - 99 % SIL 2 SIL 3 SIL 4 99 % SIL 3 SIL 4 SIL 4 ASI / 968-13
Safe failure fraction The safe failure fraction of a subsystem is defined as (Σλ S + Σλ DD ) / (Σλ S + Σλ D ), λ S λ D λ DD is safe failure is dangerous failure is dangerous failure detected by the internal diagnostic ASI / 968-14
Example PFD calculation SAFETY LOOP Typically pre-certified Sensor Input Module CPU board Output Module Actuator ~30% OF PFH ~50% OF PFH PED 10-20% OF PFH OF SAFETY LOOP ASI / 968-15
Example PFD calculation SAFETY INTEGRITY LEVELS TARGET FAILURE MEASURES FOR A SAFETY FUNCTION TABLE 3 IEC 61508-1 SIL HIGH DEMAND OR CONTINUOUS MODE OF OPERATION (PROBILITY OF A DANGEROUS FAILURE PER HOUR) 4 > 1.00E-09 TO < 1.00E-08 3 > 1.00E-08 TO < 1.00E-07 2 > 1.00E-07 TO < 1.00E-06 1 > 1.00E-06 TO < 1.00E-05 PED IS EQUAL TO 10% OF THE TOTAL SAFETY LOOP 1.00E-07 > λ(sl) > 1.00E-08 1.00E-08 > λ(ped) > 1.00E-09 ASI / 968-16
Example PFD calculation λ(ped) = 2((1-β)λ(DD) + (1-β)λ(DU))^2 x t(de) + βλ(dd) +βλ(du) λ(ped) = 1.77E-09 TERM UNITS DEFINITION λ(t) FAILURES PER HOUR SUM OF AVERAGE PROBABILITY OF FAILURES OF THE SYSTEM COMPONENTS λ(s) FAILURES PER HOUR PROBABILITY OF DETECTED SAFE FAILURE λ(d) FAILURES PER HOUR PROBABILITY OF DANGEROUS FAILURES λ(dd) FAILURES PER HOUR PROBABILITY OF DANGEROUS DETECTED FAILURES λ(du) FAILURES PER HOUR PROBABILITY OF DANGEROUS UNDETECTED FAILURES λ(ped) FAILURES PER HOUR PROBABILITY OF PED FAILURES t(de) HOURS DEVICE EQ. MEAN DOWN TIME MTBF HOURS MEAN TIME BETWEEN FAILURES β PERCENTAGE FRACTION OF FAILURES HAVING A COMMON CAUSE ASI / 968-17
Requirements For all subsystems the following requirements have to be fulfilled: measures to avoid and control failures ( HW/SW ) especially systematic faults architectural requirements ( SFF and HFT ) probability of failure to danger application dependent requirements ASI / 968-18
Development Accompanying Inspection and Certification Phase Phase 1 1 Concept Review Concept Review Validated Validated and and Authorised Authorised Requirement Requirement Specification Specification Phase Phase 2 2 Main Inspection Main Inspection Extensive Extensive Safety Safety Technical Technical Inspection Inspection and and Report Report Phase Phase 3 3 Certification Certification Certification Certification of of the the Inspected Inspected Devices Devices ASI / 968-19
Assessment Overview Functional safety including HW/SW/mechanical Electrical safety Environmental conditions, EMC Quality management during the life-cycle of the equipment FMEA (system level, sub-system, component) Failure detection and reaction (internal self-tests) Estimation / demonstration of proven in use Verification / Calculation of PFD, SFF figures Software approval ASI / 968-20