functional safety overview ul

Functional Safety Overview

Michael Mats

Table of Contents

What is Functional Safety? FS in Standards FS per IEC 61508 FS Lifecycle FS Certification Process Marketing Activities Additional Resources

Table of Contents

Standards

UL 991 (2004), "Tests for Safety-Related Controls Employing Solid-State Devices" ANSI/UL 1998 (1998), "Software in Programmable Components" (used in

conjunction with UL 991 for products that include software) ANSI/UL 61496-1 (2010), "Electro-Sensitive Protective Equipment, Part 1: General

Requirements and Tests" ANSI/ASME A17.1/CSA B44 (2007), "Safety Code for Elevators and Escalators" EN 50271 (2010), "Electrical Apparatus for the Detection and Measurement of

Combustible Gases, Toxic Gases or Oxygen - Requirements and Tests for Apparatus Using Software and/or Digital Technologies"

IEC 60335-1 (2010), "Household and Similar Electrical Appliances - Safety - Part 1: General Requirements"

IEC 60730-1 (2010), "Automatic Electrical Controls for Household and Similar Use - Part 1: General Requirements"

EN/IEC 61508-1 through -7 (2010), "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

Slide 3

Standards

EN/IEC 61511 (2003), "Functional Safety - Safety Instrumented Systems for the Process Industry Sector

EN/IEC 61800-5-2 (2007), "Adjustable Speed Electrical Power Drive Systems - Part 5-2: Safety Requirements - Functional"

EN/IEC 62061 (2005), "Safety of Machinery - Functional Safety of Safety-Related Electrical, Electronic, and Programmable Electronic Control Systems"

EN ISO/ISO 13849-1 (2006), "Safety of Machinery - Safety-Related Parts of Control Systems - Part 1: General Principles for Design"

ANSI/RIA/ISO 10218-1 (2007), "Robots for Industrial Environments - Safety Requirements - Part 1: Robot"

ISO/Draft International Standard 26262 (2009), "Road Vehicles - Functional Safety

Slide 4

Demand Drivers for Functional Safety

Why evaluate your product/system for functional safety? A functional safety assessment determines whether your products meet standards and performance requirements created to protect against potential risks, including injuries and even death Compliance is driven by customer requirements, legislation, regulations, and insurance demands

What is Functional Safety?

What is Functional Safety?

The exact definition according to IEC 61508:

part of the overall safety relating to the EUC and the EUC control system that depends on the correct functioning of the E/E/PE safety-related systems and other risk reduction measures

Slide 6

PresenterPresentation NotesINSTRUCTOR NOTES:

IEC 61508: A standard in seven parts (Parts 1 4 are normative)

1: general requirements that are applicable to all parts.

System safety requirements Documentation and safety assessment

2 and 3: additional and specific requirements for E/E/PE safety-related systems

System design requirements Software design requirements

4: definitions and abbreviations 5: guidelines and examples for part 1 in

determining safety integrity levels, 6: guidelines on the application of parts 2

and 3; Calculations, modeling, analysis

7: techniques and measures to be used To control and avoid faults

Slide 7


Indicate that you want to go around the room and want each person to provide this information. Indicate this will be a way for you to get to know the make up of the class.

FS according to IEC 61508: EUC + EUC Control System

EUC + Control System EUC + Control System

EUC + Control System EUC + Control System

Slide 8


Indicate that you want to go around the room and want each person to provide this information. Indicate this will be a way for you to get to know the make up of the class.

Why is there something called Functional Safety?

Functional safety as a property has always existed

The definitions of Functional safety show that it is not related to a

specific technology

Functional Safety, as a term and as an

engineering discipline, has emerged with the advancement of complex programmable electronics

Slide 9


IEC 61508 mandates an overall safety approach could also be referred to as a:

System safety approach or Holistic approach (accounts also for the whole life cycle of

a system)

Functional safety as per IEC 61508

Slide 10

PresenterPresentation NotesINSTRUCTOR NOTES:EUC: system which responds to input signals from the process and/or from an operator and generates output signals causing the EUC to operate in the desired manner

Overall Safety Lifecycle and E/E/PES life cycle

Slide 11

Concept

Overall Scope Definition

Hazard & Risk Analysis

Overall Safety Requirements

Safety Requirements Allocation

Operation & Maintenance

Safety Validation

Installation & Commissioning

Overall Planning Safety-related systems: E/E/PE Realization:

E/E/PE

Other risk Reduction measures

Overall Modification & Retrofit

Overall Installation & Commissioning

Overall Safety Validation

Overall Operation, Maintenance & Repair

Decommissioning or Disposal

E/E/PES System Safety Requirements Specification


Indicate that this is the overall safety lifecycle process found in IEC 61508. Indicate this is a closed-loop process and can be found in several functional safety standards besides 61508. It is a continuous improvement approach in which the designs are reviewed and changed as needed as the process moves along. State that UL has taken this process and generalized it and simplified it.

Functional Safety Certification Process

Kick-Off Meeting

Most effective during the product design phase Collaborate to ensure that the features required by the specified standard are included in the initial design Understand the consequence of choices being made Guidance from certification body on how to design

product Discuss prototyping

Slide 12


Pre-Audit and IA Increase the probability of success of the certification

audit Management system audit Engineers perform on-site GAP analysis Customer received concept evaluation report with

detailed action items

Slide 13


Certification Audit

Certification body audits the systems compliance with the designated standard and functional safety rating

Evaluation of documentation Product is certified

Slide 14


Follow-up Surveillance

A surveillance to verify that the protective functions of the product match the report are

performed Certification body conducts an audit of the

functional safety management system once every three years

Slide 15

Examples of Function Safety Products

Slide 16

EUC E/E/PE System Subsystems Hazard & Risk Analysis shall be conducted for the EUC and the

EUC control system Hazardous events are identified, and the associated risk (the EUC

risk) determined

If the risk is not acceptable, it must be reduced to a tolerable risk level by at least one of, or a combination of, the following: External risk reduction facilities Safety-related control systems, which can be:

Based on electrical/electronic/programmable electronic (E/E/PE) technology

Other technology

Slide 17


Necessary risk reduction and Safety Integrity Level (SIL) IEC 61508 is a standard for E/E/PE safety related systems

(E/E/PES), or subsystems. Therefore, the following is addressed by this standard: The part of necessary risk reduction allocated to an E/E/PES is

expressed as a failure probability limit (target failure measure), which in turn is used to select the so called Safety Integrity Level (SIL)

This means SIL is an attribute of an E/E/PES ( or subsystem),

i.e. of a system/device/product that provides risk reduction

Slide 18


FS Marks The FS Marks are related to a SIL (or similar other FS ratings)

They can thus only be granted for products or components which provide risk reduction functions (i.e. E/E/PE safety-related systems or subsystems) From a SIL point of view, it doesnt make a difference

whether the E/E/PE safety-related (sub-)system is to be considered a stand alone product or a component

An E/E/PE safety-related system can be:

Either integral part of the EUC control system Or implemented by separate and independent systems

dedicated to safety

Slide 19


E/E/PE safety-related system and risk reduction

EUC risk risk arising from the EUC or its interaction with the EUC control system

Tolerable risk

risk which is accepted in a given context based on the current values of society

Necessary risk reduction

risk reduction to be achieved by the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities in order to ensure that the tolerable risk is not exceeded

Residual risk

risk remaining after protective measures have been taken Must be equal or lower than tolerable risk

Slide 20

E/E/PE safety-related system and risk reduction

EUC (+ EUC control system) poses risk, E/E/PES contributes to reduce risk below a tolerable level

IEC 61508-5, Figure A.1

Slide 21

Target failure measure => SIL

EUC Risk

Slide 22

PresenterPresentation NotesOur generic industrial worker is now wondering, this can have a hardware fault, who knows how it was programmed, and did the system integrator really know how the controls worked when he installed them? And he asks himself the famous question, Do I feel lucky?

So we see that there are ma ny possiblilites that lead to faults in safety related circuit so how do we address this?

We can systematically apply risk reduction principles to bring down the risk to a defined level based on established principles.

E/E/PE System and Subsystems

IEC 61508-4, Figure 3

In most cases the FS products certified by UL will be sub-systems of an E/E/PE safety-related system

Subsystem (sensors)

Subsystem (logic unit)

Subsystem (actuators)

Subsystem (data communication)

Slide 23


Software Drives FS Requirements - IEC 61508-3

Electromechanical systems are rapidly being replaced by (software) programmable electronic systems due to: Lower cost parts Greater redesign flexibility Ease of module reuse Less PCB space required Improved Efficiency Greater functionality

Slide 24

Software is Being Used Increasingly

Software controls motor-driven equipment safety parameters such as:

- PRESSURE generated by a compressor - Motor SPEED of an inline gasoline pump - POSITIONING of Fuel/Air valves in a

combustion control - FORCE applied by a robotic arm - Air FLOW RATE within a combustion

chamber - the possibilities are limitless

Slide 25

Achieving HW safety integrity

IEC 61508-2 requires application of the following principles to achieve the intended HW safety integrity:

Redundancy

Diversity of redundant channels to eliminate common cause failures

Failure detection per IEC 61508, detection implies a reaction to a safe (operating) state

For fail-safe applications, this can mean activation of the fail-safe state

Reliability of components Probability of dangerous failure (on demand - PFD, per hour - PFH) in

accordance with target failure measure of the required SIL

Slide 26


Two routes to demonstrate HW safety integrity: Route 1H and Route 2H Route 1H :

based on hardware fault tolerance and safe failure fraction concepts This means a complete FMEDA on HW component level must be

carried out PFH and SFF calculated on this basis

Route 2H : based on field reliability data and hardware fault tolerance for

specified safety integrity levels, Data must have been recorded in accordance with applicable

standards, >90% statistical confidence stricter HW fault tolerance requirements for the different SILs

Slide 27


Achieving HW safety integrity

The primary measurement is PFDavg or PFHavg These depend on the following system-level parameters:

Proof-test interval Mission time (if proof-test not feasible)

In addition to this, the HW integrity of an E/E/PES is measured by

Degree of redundancy: Hardware Fault Tolerance HFT

Detection capability: Safe Failure Fraction SFF Susceptibility to common cause failure: -factor


Continue to review the modules titles. Indicate that this course is geared to a general introduction. Point out that the course will be spending a lot of time reviewing the functional safety lifecycle with particular emphasis on the first 2 phases of the process: defining system requirements and Planning and designing requirements Indicate that 61508 not only focuses on software but also other areas. IMPORTANT: State that compliance information is not included in 61508 but ideally you would be able to cross reference to other standards you use.

FMEDA Table (Design level)

Slide 29

Component reference

Component function

Failure modes

Effects failure distribution

Criticality DC [FIT]

D S DD DU Detection reqmts

Exclusion reqmts

R100 energetic separation between channels, cross communication for diagnostics

0,9 1 0,9 0,1 0,813 0.087

short circuit no separation between channels

0,2 1 0,6 0,2 0 0,12 0,08 sample test, off line

MELF resistor

open circuit no cross communication

0,7 1 0,99 0,7 0 0,693 0,007 cross comparison between channels

0,5< value

SFF and diagnostic test interval

Looking at SFF formula, it doesnt depend on

the test frequency (low demand vs high demand)

SFF = (S + DD)/(S + D)

Slide 30

PresenterPresentation Notes7.4.4.1.4 When estimating the safe failure fraction of an element, intended to be used in asubsystem having a hardware fault tolerance of 0, and which is implementing a safetyfunction, or part of a safety function, operating in high demand mode or continuous mode ofoperation, credit shall only be taken for the diagnostics if: the sum of the diagnostic test interval and the time to perform the specified action toachieve or maintain a safe state is less than the process safety time; or, when operating in high demand mode of operation, the ratio of the diagnostic test rate tothe demand rate equals or exceeds 100.

7.4.4.1.5 When estimating the safe failure fraction of an element which, has a hardware fault tolerance greater than 0, and which is implementing a safetyfunction, or part of a safety function, operating in high demand mode or continuous modeof operation; or, is implementing a safety function, or part of a safety function, operating in low demandmode of operation,credit shall only be taken for the diagnostics if the sum of the diagnostic test interval and thetime to perform the repair of a detected failure is less than the MTTR used in the calculationto determine the achieved safety integrity for that safety function.

Simplified approaches proposed by other standards

Also ISO 13849-1 and IEC 62061 suggest simplified methods for determining the probability of random HW failure

ISO 13849-1 approach is based on designated architectures for the different Categories

IEC 62061 approach is based on basic subsystem architectures

These simplified approaches claim to err towards the safe direction, and make a number of assumptions

If the assumptions cannot be made, or if just more precise (and less conservative) values are desired, then more detailed reliability modeling may be applied

Slide 31


Additional Information

Websites:

www.ul.com/functionalsafety www.exida.com www.siemens.com http://www.automationworld.com/newsletters_fsn.html

Questions?

Functional Safety OverviewTable of ContentsStandardsStandardsDemand Drivers for Functional SafetyWhat is Functional Safety?IEC 61508: A standard in seven parts(Parts 1 4 are normative)FS according to IEC 61508: EUC + EUC Control SystemWhy is there something called Functional Safety?Slide Number 10Overall Safety Lifecycle and E/E/PES life cycleFunctional Safety Certification ProcessFunctional Safety Certification ProcessFunctional Safety Certification ProcessFunctional Safety Certification ProcessExamples of Function Safety ProductsEUC E/E/PE System SubsystemsNecessary risk reduction and Safety Integrity Level (SIL)FS MarksE/E/PE safety-related system and risk reductionE/E/PE safety-related system and risk reduction Slide Number 22E/E/PE System and Subsystems Software Drives FS Requirements - IEC 61508-3 Software is Being Used IncreasinglyAchieving HW safety integrityTwo routes to demonstrate HW safety integrity:Route 1H and Route 2HAchieving HW safety integrityFMEDA Table (Design level)SFF and diagnostic test intervalSimplified approaches proposed by other standards Additional InformationQuestions?

functional safety overview ul

Documents