Functional Safety Overview
Michael Mats
Table of Contents
• What is Functional Safety?
• FS in Standards
• FS per IEC 61508
• FS Lifecycle
• FS Certification Process
• Marketing Activities
• Additional Resources
Standards
• UL 991 (2004), "Tests for Safety-Related Controls Employing Solid-State Devices"
• ANSI/UL 1998 (1998), "Software in Programmable Components" (used in conjunction with UL 991 for products that include software)
• ANSI/UL (2010), "Electro-Sensitive Protective Equipment, Part 1: General Requirements and Tests"
• ANSI/ASME A17.1/CSA B44 (2007), "Safety Code for Elevators and Escalators"
• EN (2010), "Electrical Apparatus for the Detection and Measurement of Combustible Gases, Toxic Gases or Oxygen - Requirements and Tests for Apparatus Using Software and/or Digital Technologies"
• IEC (2010), "Household and Similar Electrical Appliances - Safety - Part 1: General Requirements"
• IEC (2010), "Automatic Electrical Controls for Household and Similar Use - Part 1: General Requirements"
• EN/IEC 61508-1 through -7 (2010), "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems"
Standards
• EN/IEC (2003), "Functional Safety - Safety Instrumented Systems for the Process Industry Sector"
• EN/IEC (2007), "Adjustable Speed Electrical Power Drive Systems - Part 5-2: Safety Requirements - Functional"
• EN/IEC (2005), "Safety of Machinery - Functional Safety of Safety-Related Electrical, Electronic, and Programmable Electronic Control Systems"
• EN ISO/ISO (2006), "Safety of Machinery - Safety-Related Parts of Control Systems - Part 1: General Principles for Design"
• ANSI/RIA/ISO (2007), "Robots for Industrial Environments - Safety Requirements - Part 1: Robot"
• ISO/Draft International Standard (2009), "Road Vehicles - Functional Safety"
Demand Drivers for Functional Safety
Why evaluate your product/system for functional safety?
• A functional safety assessment determines whether your products meet the standards and performance requirements created to protect against potential risks, including injury and even death
• Compliance is driven by customer requirements, legislation, regulations, and insurance demands
What is Functional Safety?
The exact definition according to IEC 61508: “part of the overall safety relating to the EUC and the EUC control system that depends on the correct functioning of the E/E/PE safety-related systems and other risk reduction measures”
IEC 61508: A standard in seven parts (Parts 1 – 4 are normative)
• Part 1: general requirements applicable to all parts (system safety requirements, documentation and safety assessment)
• Parts 2 and 3: additional and specific requirements for E/E/PE safety-related systems (system design requirements, software design requirements)
• Part 4: definitions and abbreviations
• Part 5: guidelines and examples for Part 1 in determining safety integrity levels
• Part 6: guidelines on the application of Parts 2 and 3 (calculations, modeling, analysis)
• Part 7: techniques and measures to be used to control and avoid faults
FS according to IEC 61508: EUC + EUC Control System
[Figure: EUC + EUC control system]
Why is there something called Functional Safety?
• Functional safety as a property has always existed
• The definitions of functional safety show that it is not related to a specific technology
• Functional safety, as a term and as an engineering discipline, has emerged with the advancement of complex programmable electronics
Functional safety as per IEC 61508
IEC 61508 mandates an ”overall” safety approach, which could also be referred to as a system safety approach or a holistic approach (one that also accounts for the whole life cycle of a system).
Note: the EUC control system is the system which responds to input signals from the process and/or from an operator and generates output signals causing the EUC to operate in the desired manner.
Overall Safety Lifecycle and E/E/PES life cycle
Phases of the overall safety lifecycle:
• Concept
• Overall scope definition
• Hazard & risk analysis
• Overall safety requirements
• Safety requirements allocation
• Overall planning (operation & maintenance, safety validation, installation & commissioning)
• E/E/PES system safety requirements specification
• Realization of the safety-related systems: E/E/PE systems and other risk reduction measures
• Overall installation & commissioning
• Overall safety validation
• Overall operation, maintenance & repair
• Overall modification & retrofit
• Decommissioning or disposal
Notes: this is the overall safety lifecycle process found in IEC 61508. It is a closed-loop process and can be found in several functional safety standards besides IEC 61508. It is a continuous improvement approach in which the designs are reviewed and changed as needed as the process moves along. UL has taken this process and generalized and simplified it.
Functional Safety Certification Process
Kick-Off Meeting
• Most effective during the product design phase
• Collaborate to ensure that the features required by the specified standard are included in the initial design
• Understand the consequences of the choices being made
• Guidance from the certification body on how to design the product
• Discuss prototyping
Functional Safety Certification Process
Pre-Audit and IA
• Increases the probability of success of the certification audit
• Management system audit
• Engineers perform an on-site GAP analysis
• Customer receives a concept evaluation report with detailed action items
Functional Safety Certification Process
Certification Audit
• Certification body audits the system’s compliance with the designated standard and functional safety rating
• Evaluation of documentation
• Product is certified
Functional Safety Certification Process
Follow-up Surveillance
• Surveillance is performed to verify that the protective functions of the product match the report
• Certification body conducts an audit of the functional safety management system once every three years
Examples of Functional Safety Products
[Figure: product examples]
EUC – E/E/PE System – Subsystems
• Hazard & risk analysis shall be conducted for the EUC and the EUC control system
• Hazardous events are identified, and the associated risk (the “EUC risk”) is determined
• If the risk is not acceptable, it must be reduced to a tolerable risk level by at least one of, or a combination of, the following:
  – External risk reduction facilities
  – Safety-related control systems, which can be based on electrical/electronic/programmable electronic (E/E/PE) technology or on other technology
Necessary risk reduction and Safety Integrity Level (SIL)
IEC 61508 is a standard for E/E/PE safety-related systems (E/E/PES) or subsystems. Therefore, the following is addressed by this standard:
• The part of the necessary risk reduction allocated to an E/E/PES is expressed as a failure probability limit (target failure measure), which in turn is used to select the so-called Safety Integrity Level (SIL)
• This means SIL is an attribute of an E/E/PES (or subsystem), i.e. of a system/device/product that provides risk reduction
FS Marks
• The FS Marks are related to a SIL (or similar other FS ratings)
• They can thus only be granted for products or components which provide risk reduction functions (i.e. E/E/PE safety-related systems or subsystems)
• From a SIL point of view, it doesn’t make a difference whether the E/E/PE safety-related (sub-)system is to be considered a stand-alone product or a component
• An E/E/PE safety-related system can be either an integral part of the EUC control system, or implemented by separate and independent systems dedicated to safety
E/E/PE safety-related system and risk reduction
• EUC risk: risk arising from the EUC or its interaction with the EUC control system
• Tolerable risk: risk which is accepted in a given context based on the current values of society
• Necessary risk reduction: risk reduction to be achieved by the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities in order to ensure that the tolerable risk is not exceeded
• Residual risk: risk remaining after protective measures have been taken; must be equal to or lower than the tolerable risk
E/E/PE safety-related system and risk reduction
The EUC (+ EUC control system) poses a risk; the E/E/PES contributes to reducing that risk below the tolerable level. Target failure measure => SIL. (IEC 61508, Figure A.1)
EUC Risk
Our generic industrial worker is now wondering: this can have a hardware fault, who knows how it was programmed, and did the system integrator really know how the controls worked when he installed them? And he asks himself the famous question, “Do I feel lucky?” So we see that there are many possibilities that lead to faults in a safety-related circuit. How do we address this? We can systematically apply risk reduction principles to bring the risk down to a defined level based on established principles.
E/E/PE System and Subsystems
In most cases the FS products certified by UL will be subsystems of an E/E/PE safety-related system.
[Figure: E/E/PE safety-related system built from subsystems: sensors, logic unit, actuators, data communication (IEC 61508, Figure 3)]
Software Drives FS Requirements - IEC 61508-3
Electromechanical systems are rapidly being replaced by (software) programmable electronic systems due to:
• Lower cost parts
• Greater redesign flexibility
• Ease of module reuse
• Less PCB space required
• Improved efficiency
• Greater functionality
Software is Being Used Increasingly
Software controls motor-driven equipment safety parameters such as:
- PRESSURE generated by a compressor
- Motor SPEED of an inline gasoline pump
- POSITIONING of fuel/air valves in a combustion control
- FORCE applied by a robotic arm
- Air FLOW RATE within a combustion chamber
- …the possibilities are limitless…
Achieving HW safety integrity
IEC 61508 requires application of the following principles to achieve the intended HW safety integrity:
• Redundancy
• Diversity of redundant channels, to eliminate common cause failures
• Failure detection (per IEC 61508, detection implies a reaction to a safe operating state; for fail-safe applications, this can mean activation of the fail-safe state)
• Reliability of components
• Probability of dangerous failure (on demand, PFD; per hour, PFH) in accordance with the target failure measure of the required SIL
Two routes to demonstrate HW safety integrity: Route 1H and Route 2H
• Route 1H: based on the hardware fault tolerance and safe failure fraction concepts. This means a complete FMEDA at HW component level must be carried out, and PFH and SFF are calculated on this basis.
• Route 2H: based on field reliability data and hardware fault tolerance for specified safety integrity levels. Data must have been recorded in accordance with applicable standards, with >90% statistical confidence; there are stricter HW fault tolerance requirements for the different SILs.
Achieving HW safety integrity
The primary measurement is PFDavg or PFHavg. These depend on the following system-level parameters:
• Proof-test interval
• Mission time (if a proof test is not feasible)
In addition to this, the HW integrity of an E/E/PES is measured by:
• Degree of redundancy: Hardware Fault Tolerance (HFT)
• Detection capability: Safe Failure Fraction (SFF)
• Susceptibility to common cause failure: β-factor
FMEDA Table (Design level)
[Figure: design-level FMEDA example for an emergency-stop circuit: Input 1 (IC101) and Input 2 (IC102) from the emergency-stop switch, switch-off paths 1 (T101, R100) and 2 (T102), output diagnostics, and the safety-related output to the safety device]
SFF and diagnostic test interval
Looking at the SFF formula, it doesn’t depend on the test frequency (low demand vs. high demand):
SFF = (ΣλS + ΣλDD) / (ΣλS + ΣλD)
where λS is the safe failure rate, λDD the dangerous detected failure rate and λD the total dangerous failure rate (detected plus undetected).
When estimating the safe failure fraction of an element intended to be used in a subsystem having a hardware fault tolerance of 0, and which is implementing a safety function, or part of a safety function, operating in high demand mode or continuous mode of operation, credit shall only be taken for the diagnostics if:
– the sum of the diagnostic test interval and the time to perform the specified action to achieve or maintain a safe state is less than the process safety time; or,
– when operating in high demand mode of operation, the ratio of the diagnostic test rate to the demand rate equals or exceeds 100.
When estimating the safe failure fraction of an element which
– has a hardware fault tolerance greater than 0, and which is implementing a safety function, or part of a safety function, operating in high demand mode or continuous mode of operation; or,
– is implementing a safety function, or part of a safety function, operating in low demand mode of operation,
credit shall only be taken for the diagnostics if the sum of the diagnostic test interval and the time to perform the repair of a detected failure is less than the MTTR used in the calculation to determine the achieved safety integrity for that safety function.
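As an added example (not part of the original slides), the SFF formula and the diagnostic-credit rule quoted above, applied to a constructed FMEDA table loosely modelled on the emergency-stop circuit of the FMEDA slide; the component names, failure modes and FIT rates are illustrative assumptions, not data from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureMode:
    """One FMEDA row: a component failure mode and its rate in FIT (1e-9/h)."""
    component: str
    mode: str
    rate_fit: float
    dangerous: bool  # False => safe failure (counts toward lambda_S)
    detected: bool   # dangerous and detected by diagnostics => lambda_DD

# Constructed FMEDA rows (component names and rates are illustrative only).
FMEDA = [
    FailureMode("T101", "short", 30.0, dangerous=True, detected=True),
    FailureMode("T101", "open", 20.0, dangerous=False, detected=False),
    FailureMode("R100", "open", 5.0, dangerous=False, detected=False),
    FailureMode("IC101", "stuck output", 25.0, dangerous=True, detected=True),
    FailureMode("IC101", "drift", 10.0, dangerous=True, detected=False),
]

def lambda_sums(rows):
    """Return (sum lambda_S, sum lambda_DD, sum lambda_D) over the FMEDA rows."""
    l_s = sum(r.rate_fit for r in rows if not r.dangerous)
    l_dd = sum(r.rate_fit for r in rows if r.dangerous and r.detected)
    l_d = sum(r.rate_fit for r in rows if r.dangerous)   # = lambda_DD + lambda_DU
    return l_s, l_dd, l_d

def diagnostic_credit_allowed(hft, mode, diag_interval_h, reaction_h,
                              process_safety_time_h, demand_rate_per_h,
                              repair_h, mttr_h):
    """IEC 61508-2 rule quoted on the slide: may lambda_DD be credited in the SFF?
    mode is 'low', 'high' or 'continuous'; all times in hours, rates per hour."""
    if hft == 0 and mode in ("high", "continuous"):
        if diag_interval_h + reaction_h < process_safety_time_h:
            return True
        # the 100:1 test-rate-to-demand-rate alternative applies only in high demand mode
        return mode == "high" and (1.0 / diag_interval_h) / demand_rate_per_h >= 100
    # HFT > 0 in high/continuous mode, or any element in low demand mode
    return diag_interval_h + repair_h < mttr_h

def sff(rows, credit_for_diagnostics):
    """SFF = (sum lambda_S + sum lambda_DD) / (sum lambda_S + sum lambda_D).
    If diagnostics may not be credited, detected dangerous failures count as undetected."""
    l_s, l_dd, l_d = lambda_sums(rows)
    if not credit_for_diagnostics:
        l_dd = 0.0
    return (l_s + l_dd) / (l_s + l_d)
```

With the constructed rows the SFF is about 89% when diagnostic credit is allowed and only about 28% when it is not, which is why the credit conditions matter for the HFT/SFF route.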
Simplified approaches proposed by other standards
• ISO and IEC standards also suggest simplified methods for determining the probability of random HW failure: the ISO approach is based on ”designated architectures” for the different Categories, and the IEC approach is based on ”basic subsystem architectures”
• These simplified approaches claim to err towards the safe direction, and make a number of assumptions
• If the assumptions cannot be made, or if more precise (and less conservative) values are desired, then more detailed reliability modeling may be applied
Additional Information
Websites:
Questions?