New developments about PL and SIL. Present harmonised versions, background and changes.

Transcription

1 Safety evevt 2017 Functional safety New developments about PL and SIL. Present harmonised versions, background and changes. siemens.com

2 ISO/ TC 199 and IEC/ TC 44 joint working group 1 - Merging project Basic intention was Keep backward compatibility One design process integrated within the machine safety assessment process (ISO 12100) Improved relationship between PL and SIL More generic and clarified methods for the safety plan, determination of required PL or SIL : better definition of the elements of risk construction of the safety function using existing pre-evaluated parts (subsystem) software design Integration of verification and validation in the main part (today in ISO ) Page 2

3 ISO/ TC 199 and IEC/ TC 44 joint working group 1 - Merging project Resolution 247 (Mainz 7, ) SUBJECT: ISO/TC 199 Cancellation of work item ISO The ISO/TC 199 "Safety of machinery considering the ISO/IEC Directives, Part 1:2015 regarding the timeframe for standard development, considering that ISO will not be on time for DIS ballot, considering the discussion that took place at ISO/TC 199 plenary meeting in Mainz, decides to cancel the ISO/IEC project before it is cancelled automatically; set the JWG1 dormant and thanks its Convenor, Mr. Juhel (FR) for the work done Page 3

4 ISO/ TC 199 and IEC/ TC 44 joint working group 1 - Merging project And what happens then? Establishment of an ISO/TC IEC/TC 44 Joint Advisory Group Start of revision of IEC and ISO Adhoc groups for Software, Validation and Diagnostics Main goal: Improvements of both standards in order to reflect better the workflow of the user of the standard (machine builder) Page 4

5 - New structure 1 Scope 2 Normative references 3 Terms and definitions 4 Design process of an SCS and management of functional safety 5 Specification of a safety function 6 Design of an SCS to perform a safety function 7 Design and development of subsystem 8 Software 9 Validation 10Documentation Page 5

6 - Design process Risk assessment of the whole machine according to ISO Step 2 of three-step method of ISO Step 1 Can the risk be reduced by inherently safe design measures? YES Risk reduction by inherently safe design measures Is the intended risk reduction achieved? NO If risk reduction measures depend on the control system corresponding safety functions have to be specified NO Can the risk be reduced by guards, Protective devices? YES Step 2 Risk reduction by safeguarding Implementation of complementary protective measures If the selected risk reduction measure depends on the control system then the SCS can be designed by application of IEC (see Figure 2) Is the intended risk reduction achieved? NO NO Page 6

7 - Design process Summary: Safety requirements specification for each selected safety function Information from the risk assessment (see Figure 1) Safety Requirements Specification (5.2.1, 5.2.2) Determine the required safety integrity (5.2.3) Design of an SCS to perform a safety function: Identify the combination of subsystems that implement the safety function (6) Required safety integrity (SIL) Pre-designed subsytem(s)? (6.2.4) No Design of safety-related control system SCS (use of subsystems) Design and development of subsystems (7) architecture, PFH D Yes Combine subsystems to an SCS (6.2), considering their systematic integrity (7.3.2), software (8) No No Yes Validation Validation (9): Are all requirements met including the required safety integrity? Safety plan Yes Have all safety functions been analysed? Yes Information to the risk assessment Page 7

8 - Example of machine design plan including a safety plan SCS design activities documentation Safety plan risk analysis specification safety and verification plan risk analysis specification, handbooks realisation selection of subsystems data sheets, installation parameterization / programmation wiring diagrams software documentation test / verification test and/or verification reports validation Leader Member CA Conformity Assessment documentation Page 8

9 - Specification a safety function Functional requirements specification of the safety function Description: Condition(s): Restart/Reset Priority: Frequency of operation: Response time: Interface(s) to other machine functions: When the guard door will be opened then the electrical motor shall stop Operating mode all Manual human action required where the operator can stay in the hazard zone (according to ISO 12100, ) High priority in comparison to other safety functions; emergency stop function will have the highest priority 10 time per hour; 16 hours per day; 250 days per year Maximum 500 ms from initiation event (opening of the guard door) to deenergizing electrically the motor (stop category 0 acc. to IEC ) Realized by a pre-assessed safety-related device (information for use of the component manufacturer to be referenced) Page 9

10 - Specification a safety function Functional requirements specification of the safety function (continued) Fault reaction function: Defeating: Environment Stopping immediately or detection at restart at least by prohibiting restart Design of guard door and mounting of guard interlocking devices acc. to ISO Temperature, dust, vibration, Safety integrity requirements specification of the safety function Required SIL Architectural constraints SIL 2 with related target PFH D value Use of mechanical guard interlocking devices (position switches) due to vibration No type C standard requirements (e.g. required category) Page 10

11 - Design of an SCS to perform a safety function An SCS (safety-related control system) can include: one or several pre-designed subsystem(s), and/or one or several subsystem(s) developed according to this standard, based on subsystem element(s). D SET Q 0 & 0 L CLR Q 0 Input subsystem (e.g. light curtain) Logic subsystem (e.g. safety controller) Output subsystem (e.g. valves) Page 11

12 - Design of an SCS to perform a safety function Safety Function Virtual view: Functional description decomposition initiation event (cause) sub-function 1 (detection, input) sub-function 2 (evaluation, logic) sub-function 3 (reaction, output) machine actuator (effect) allocation subsystem 1 (e.g. position switches, light curtain) subsystem 2 (e.g. safety relay/ embedded systems) subsystem 3 (e.g. contactors, valves) Safety-related Control System (SCS) Real view: Physical design (architecture) Page 12

13 - Design of an SCS to perform a safety function Use of already pre-designed subsystem and required their safety performance IEC IEC IEC ISO IEC (IEC 61508) (see also NOTE 1) PFH D SIL at least at least at least < 10-5 SIL 1 SIL 1 PL c Type 2 < 10-6 SIL 2 SIL 2 PL d Type 3 < 10-7 SIL 3 SIL 3 PL e Type 4 NOTE 1 This column includes SIL-based standards that fulfil the architectural constraints of the IEC 61508, such as IEC , IEC , and IEC NOTE 2 A relation between IEC and IEC or ISO cannot be given within this table. Pre-designed means this type of subsystem is qualified to be used with a dedicated SIL or PL Page 13

14 - Design of an SCS to perform a safety function Quantifiable characteristics depending on subsystem type and subsystem element Characteristic value Subsystem Pre-designed subsystem Subsystem elements element Safetyrelated Non-safetyrelated SIL X see PL X see Comments PFH D X see 7.6 Category or architectural X see 7.4 constraints 1) MTTF D X λ D MTTF X X see Exactly one of the characteristic values is required. Preferably MTTF D. MTBF X RDF (X) X see ratio of dangerous failure The RDF can be estimated as 50% if no other information is available unless there is reason to assume otherwise. Page 14 B 10D X see Exactly one of the characteristic values is required. B 10 X Preferably the B 10D value. T M = T 1 X X X 1) If relevant or required by a type-c standard (X) Optional information

15 - Design of an SCS to perform a safety function Safety integrity of a safety function based on allocated subsystems Architecture limitation (architectural constraints) Subsystem 1 (detection, input) Subsystem 2 (evaluation, logic) Subsystem 3 (reaction, output) SIL 2 PFH D = 1,5 x 10-8 SIL 3 PFH D = 2 x 10-9 SIL 2 PFH D = 4 x 10-8 PFH D can be better than SIL, but restriction by architectural constraints Safety integrity of the SCS lowest SIL of all subsystems: SIL 2 Probability of dangerous hardware failure: PFH D = 5,7 x 10-8 (see ) SCS achieves SIL 2 Page 15

16 - Design and development of subsystem Functional description Relevant information to be available for each subsystem 1) A functional description of the function(s) and interface(s) of the subsystem. Hardware information 2) The estimated rates of failure (due to random hardware failures and failure modes) for each subsystem element which could cause a dangerous failure of the subsystem (see Annex C); 3) Any test and/or maintenance requirements; Page 16 4) The probability of dangerous transmission errors for digital data communication processes, where applicable. Environmental conditions 5) The environment and operating conditions which should be observed in order to maintain the validity of the estimated rates of failure due to random hardware failures; and 6) The useful lifetime (e.g. mission time T M or T 10D ) of the subsystem which should not be exceeded, in order to maintain the validity of the estimated rates of failure due to random hardware failures; Design information 7) The diagnostic coverage and the diagnostic test interval (see and 7.4.4); 8) Limits on the application of the subsystem which should be observed in order to avoid systematic failures; 9) Information which is required to identify the hardware and software configuration of the subsystem; 10) The highest SIL that can be claimed for a safety function under consideration which uses the subsystem on the basis of: - architectural constraints, - measures and techniques used to prevent systematic faults being introduced during the design and implementation of the hardware and software of the subsystem, and - the design features that make the subsystem tolerant against systematic faults. NOTE One subsystem can implement sub-functions of several safety functions with different SIL.

17 - Design and development of subsystem For each subsystem element qualitative requirements: systematic integrity; fault consideration(s) and fault exclusion(s) Most important issue: Use of the right components for the application quantitative requirements: failure rate and other relevant parameters Estimation of the parameters 1. Use manufacturer s data 2. Use Annex C of this standard 3. Choose a MTTF D of ten years Page 17

18 - Design and development of subsystem In the context of hardware safety integrity, the highest safety integrity level that can be claimed for a SCS is limited by the hardware fault tolerances (HFT) and safe failure fractions of the subsystems that carry out that safety function Safe failure fraction (SFF) Hardware fault tolerance (HFT) (see NOTE 1) < 60 % Not allowed (for exceptions see NOTE 3) SIL 1 SIL 2 Page % < 90 % SIL 1 SIL 2 SIL 3 90 % < 99 % SIL 2 SIL 3 SIL 3 (see NOTE 2) 99 % SIL 3 SIL 3 (see NOTE 2) SIL 3 (see NOTE 2) NOTE 1 A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function. NOTE 2 SIL 4 is not considered in this standard. For SIL 4 see IEC NOTE 3 See , where subsystems which have a safe failure fraction of less than 60 % and zero hardware fault tolerance, that use well-tried components can be considered to achieve SIL 1; or for subsystems where fault exclusions have been applied to faults that could lead to a dangerous failure. NOTE 4 In IEC 62061:2015 the maximum SIL that could be claimed was named SILCL.

19 - Design and development of subsystem Designated architectures: Maximum reachable SIL or PL of a subsystem by using a simplified approach DC avg <60% (none) 1) SIL 1 PL b Maximum reachable SIL (or PL) based on the designated architectures Single channel (HFT = 0) Dual channel (HFT = 1) without diagnostic SIL 1 PL c with diagnostic without diagnostic SIL 1 PL c with diagnostic 60% - <90% (low) PL c SIL 1 PL d SIL 2 90% - < 99% (medium) PL d SIL 2 PL d SIL 2 2) >= 99% (high) PL d SIL 2 PL e SIL 3 Category 3) basic subsystem architecture B A 1 A 2 C B 4) 3 D 4 D Page 19 1) DC avg < 60% is considered to be DC avg = 0%. 2) Reachable SIL (or PL) with Category 3 and DC 90% - < 99% (medium) can be one SIL (or PL) level higher (SIL 3 or PL e) but PFH D is limited to 4, (independent of MTTF D > 100 years, see K.3). 3) The type of subsystems A to D represent a logical view of single or dual channel architecture (with or without diagnostic) and describe a simplified approach to the estimation of PFH D (see K.4, based on IEC 62061). 4) A redundant architecture (double channel) without any diagnostic coverage and where each channel fulfils at least the requirements of Category B allows a maximum reachable SIL 1 or PL c.

20 and ISO (ongoing discussion) - Software SW level A Use of pre-assed software-platform designed for safety applications: Typically a combination of pre-assessed software modules. SW level B Use of a software-platform for designing application software typically running on a programmable controller according to IEC /2, both not designed explicitly for safety application software. SW level C Use of another language than a limited variability language (LVL). Typically in an embedded software application. Page 20

21 and ISO (ongoing discussion) - Software SW level A is of reduced complexity due to the use of pre-assessed safety-related hardware and software modules Software safety requirements Software design Test Software testing Tested Software Software design specification Review Coding Reviewed Software Module requirements Module design Test Module test Tested module Module design specification Review Coding Reviewed Software Page 21

22 and ISO (ongoing discussion) - Software Software levels B and C are of increased complexity due to the use of hardware and software systems or modules which are not pre-assessed by the provider for safety-related applications Software safety requirements Software design Test Software testing Tested Software Software design specification Review Software system design Test Software integration testing Tested integration Software system design specification Review Module design Test Module test Tested modules Page 22 Module design specification Review Coding Reviewed code

23 Guard door 1 (GD1) Revision of IEC and ISO (ongoing discussion) - Software Pre-processing Logic Post-processing Motor 3 (M3) IS_bGD1_1 SF_GUARD #bm3_on SF_FDBACK IS_bGD1_2... to be defined IS_STAT_M3 I_bACK1 #bgd1_ok... QS_M3 INPUT LOGIC OUTPUT Page 23

24 and ISO operating (ongoing modes X discussion) Priority 2 - Software Level 2 operating mode auto Level 1 operating mode all Priority 1 Principal design approach of the logic layer condition 2a condition 2b... AND (&) condition 3a operating mode inching condition 1a condition 1b condition 3b... AND (&) OR ( 1)... AND (&)... Page 24

25 Guard door 1 (GD1) Revision of IEC and ISO (ongoing discussion) - Software Pre-processing Logic Post-processing IS_bGD1_1 SF_GUARD Level 1 operating mode all #bm3_on Motor 3 (M3) SF_FDBACK IS_bGD1_2... I_bACK1 #bgd1_ok AND (&) #bm3_on IS_STAT_M3... QS_M3 INPUT LOGIC OUTPUT Page 25

26 Requirements of the safety function, in particular: a) functional requirements b) SIL or PL 1) architecture / category 2) systematic integrity 3) software c) environmental conditions Revision of IEC Validation Validation principles Start of validation Safety plan Requirements of the safety function, in particular: a) functional requirements b) SIL or PL 1) architecture / category 2) systematic integrity 3) software c) environmental conditions Validation principles Start of validation _contains_ Safety plan _contains in context of_ Design documents Validation plan Criteria for exclusion Fault Lists Design documents Validation plan Criteria for exclusion Fault Lists Analysis _in context of_ Analysis passed Testing Analysis no Testing passed _no_ Diagnostic function used? Analysis passed no Test of safety function under fault condition Testing passed _no_ Modification of design Verification report Testing All safety functions validated? _no_ no Page 26 Validation successful (validation report) Testing passed _no_

27 Requirements of the safety function, in particular: a) functional requirements b) SIL or PL 1) architecture / category 2) systematic integrity 3) software c) environmental conditions Revision of IEC Validation Validation principles Start of validation Safety plan Testing passed Diagnostic function used? _no in context of_ Design documents Validation plan _contains_ Criteria for exclusion Fault Lists Test of safety function under fault condition Analysis no Analysis passed Testing passed _no_ Modification of design Testing no Testing passed _no_ Diagnostic function used? Verification report Test of safety function under fault condition no Testing passed _no_ Modification of design All safety functions validated? _no_ Verification report All safety functions validated? _no_ Page 27 Validation successful (validation report) Validation successful (validation report)

28 Thank you for your attention! Patrick Gehlen IEC/ TC44 Chairman DF TI SR Schuhstr Erlangen, Germany siemens.com Page 28