DIRC Workshop on Software Quality and the legal system, 13 February 2004: Functional safety of electrical, electronic and programmable electronic safety-related systems


DIRC Workshop on Software Quality and the legal system, 13 February 2004
Functional safety of electrical, electronic and programmable electronic safety-related systems
Ron Bell, Electrical and Control Systems Group, Health and Safety Executive

Objectives
1. To provide an overview of the key principles for the design of complex electrical, electronic or programmable safety-related systems, with particular reference to IEC 61508
2. To comment on the legal issues from a Regulator’s perspective

Contents
Section 1: Examples of systems and subsystems under consideration
Section 2: What’s the problem?
Section 3: Essentials of functional safety
Section 4: Legal considerations
Section 5: Standards and “good practice”
Section 6: Concluding comments

Section 1: Examples of systems and subsystems under consideration

Examples of systems, subsystems and devices under consideration
- electro-mechanical (low complexity)
- solid state electronic (low complexity / complex)
- programmable electronic (complex): programmable controllers (PCs); programmable logic controllers (PLCs); microprocessor-based systems; application specific integrated circuits (ASICs); intelligent sensors/transmitters/actuators etc.; digital communication systems (e.g. bus systems); internet-based technologies

Examples of applications under consideration
The following are examples of safety-related systems:
- an emergency shut-down system in a hazardous chemical process plant;
- railway signalling and train protective systems;
- guard interlocking systems and emergency stopping systems for machinery;
- variable speed motor drives used to control the speed as a necessary means of safety;
- information-based safety-related systems

Section 2: What’s the problem?

Safety issues of complex systems
- Complexity (software/hardware/system integration): many factors involved
- Testing is necessary but not sufficient
- Prediction of system performance (safety integrity) is difficult; only random hardware failures can be quantitatively predicted with confidence
- Demands a systematic approach throughout the safety lifecycle: effective functional safety management
- Demands a high level of competence throughout the safety lifecycle

Section 3: Essentials of functional safety

IEC 61508: Functional safety of electrical, electronic and programmable electronic systems
Electrical, Electronic and Programmable Electronic = E/E/PE. Example usage: E/E/PE device; E/E/PE system

Safety and functional safety: general definition of functional safety
Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly as a result of damage to property or to the environment.
Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.

Safety and functional safety
General definition: functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.
Definition applied to E/E/PE safety-related systems: “part of the overall safety relating to the equipment and its associated control system which depends on the correct functioning of electrical, electronic and programmable electronic safety-related systems …”

Functional safety
Overall safety = A + B, where:
A: safety achieved by measures reliant on passive systems, e.g. insulation on electrical conducting parts (non-functional safety)
B: safety achieved by active systems, e.g. temperature measurement and de-energisation of a contactor (functional safety)

Failures by lifecycle phase
Primary cause (by lifecycle phase) of control system failure [based on 34 incidents]:
- Specification: 44.1%
- Design and implementation: 14.7%
- Installation and commissioning: 5.9%
- Operation and maintenance: 14.7%
- Changes after commissioning: 20.6%

Failures by lifecycle phase (cont’d)
The same breakdown of the 34 incidents shows that all lifecycle phases need to be addressed if functional safety is to be achieved!

Strategy in IEC 61508 to achieve functional safety
- Functional safety management
- Technical requirements
- Competence of persons
These apply to all phases of the safety lifecycle: specification; design and implementation; installation and commissioning; operation and maintenance; changes after commissioning.

Some design measures to achieve functional safety
- Functional safety requirements specification
- Systematic hardware
- Software
- EMI
- Fault tolerance
- Random hardware failures
- Human factors
- etc.
Software is one of many necessary measures!

Section 4: Legal considerations

Criminal law: framework
- Act of Parliament
- Regulations
- EC Directive

Health and Safety at Work etc. Act 1974 (HSW)
- Underpins GB workplace health and safety legislation
- Places duties on: employees / self-employed; employers (to employees); employers / self-employed (to others); manufacturers etc.
- Unlimited fines / imprisonment

Health and Safety at Work: Section 6
- It shall be the duty of any person who designs, manufactures, imports or supplies any article for use at work … to ensure, so far as is reasonably practicable (‘sfairp’), that the article is so designed and constructed that it will be safe and without risks to health at all times …

Health and Safety at Work: Section 6 (cont’d)
- Carry out testing and examination as necessary to ensure safety, ‘sfairp’
- Provide adequate information about the use for which the article is designed and any conditions necessary to ensure it will be safe
- Provide, ‘sfairp’, such revisions of information as are necessary if there is a serious risk to health or safety

So far as is reasonably practicable (SFAIRP)
- ‘SFAIRP’ = ‘ALARP’ (HSE view): risk reduced to the extent that the cost of further risk reduction is ‘grossly disproportionate’ (i.e. As Low As is Reasonably Practicable, ‘ALARP’)

Health and Safety at Work etc. Act 1974 (HSW): Section 3
- It shall be the duty of every employer (and self-employed person) to conduct his undertaking in such a way as to ensure, so far as is reasonably practicable, that other persons who may be affected thereby are not thereby exposed to risks to their health or safety

Health and Safety at Work etc. Act 1974 (HSW) Section 3: example of design assessment
- Port Ramsgate walkway collapse, 14 September: people died and 7 were severely injured
- Design calculations inadequate
- Lloyd’s Register had assessed the design
- Pleaded not guilty, found guilty
- £500,000 fine, £242,500 costs

Example supply chain model (for discussion purposes!)
Parties in the chain: end user, consultant, system integrator, various suppliers. Links between them are labelled S/A/S (specification, agreement and supply) or S/A (specification and agreement).
#1: HSW Act S.6 is applicable for failures in the supply chain … but potential issues arise because: is software an article? Does “safe” in S.6 encompass “functional safety”?
#2: HSW Act S.3 is applicable since the respective employers of the consultant, system integrator and various suppliers have a duty to “other persons who may be affected”.
#3: The end user has duties under HSW Act S.2 and S.3.

Section 5: Standards and “good practice”

Standards and “good practice”
- HSE defines “good practice” as the generic term for those standards for controlling risk which have been judged and recognised by HSE as satisfying the law when applied to a particular relevant case in an appropriate manner
- It can take many forms, for example: HSC Approved Codes of Practice (ACoPs), which have special legal status under HSW Act S.16; HSE guidance

Standards and “good practice” (cont’d)
- Other written sources which may be recognised include: standards produced by standards-making organisations (e.g. BSI, CENELEC, IEC, ISO); guidance agreed by a body representing an industrial/occupational sector (e.g. trade federation, professional institution)
- Examples include: IEE/BCS Competency Guidelines for Safety-related System Practitioners; IEC 61508 “Functional safety of electrical, electronic and programmable electronic safety-related systems”

Concept of good practice: HSE position on IEC 61508
- IEC 61508 “Functional safety of electrical, electronic and programmable electronic safety-related systems” provides a basis for the achievement of functional safety.
- HSE’s position on IEC 61508 is as follows: IEC 61508 will be used by HSE as a reference standard for determining whether a reasonably practicable level of safety has been achieved. The extent to which HSE will use IEC 61508 will depend on individual circumstances, including whether any sector standards based on IEC 61508 have been developed and whether there are existing specific guidelines or standards.

Section 6: Concluding comments

Concluding comments (1)
- To achieve functional safety many factors have to be addressed, including: functional safety management; technical requirements for all safety lifecycle activities; competence of those involved in any activity having a bearing on functional safety
- Safety is the goal
- Functional safety is a subset of safety
- Software is but one factor in the achievement of functional safety, albeit a very important factor, that needs to be addressed

Concluding comments (2)
- The HSW Act covers within its scope the concept of functional safety
- There remains an issue as to whether HSW Act S.6 covers functional safety and whether software is an article within the meaning of S.6
- Any changes to the legal requirements should be aimed at functional safety and not specifically at software