Functional safety
Standardization activities
Bart Aertgeerts Symposium VIK/TI
13 November 2007 Crowne Plaza Antwerp
Materials/Engineering - Safety 2 Bart Aertgeerts – 2007-11-13
Overall safety
EUC (machinery, process installation, apparatus, …)
Dangers and the corresponding safety discipline:
Electrical installations: Electrical safety
Mechanical movements: Mechanical safety
Use of chemicals: Chemical safety
Arrangement of the workplace: Ergonomic design
Failure of safety-related systems: Functional safety
Functional safety
All aspects regarding the correct functioning of the Safety-Related Systems (SRS), so that the dedicated safety functions are maintained under all given conditions
How safe does the safety-related system itself remain?
All aspects needed to prevent and handle the (dangerous) failures of the safety-related systems, so that the EUC remains in a safe condition or is brought to a safe state
The available literature gives a broad range of descriptions of the definition of "Functional Safety"
Ambitions of the standards organizations
Developing standards which give:
information to prevent and handle failures of the safety-related systems;
objective criteria to evaluate functional safety;
requirements to maintain functional safety over the whole lifecycle of the safety-related system (from concept to decommissioning)
Standards organizations
National: Belgisch Elektrotechnisch Comité (BEC); Bureau voor Normalisatie (NBN)
European: Comité Européen de Normalisation Electrotechnique (CENELEC); Comité Européen de Normalisation (CEN)
International: International Electrotechnical Commission (IEC); International Organization for Standardization (ISO)
The first organization of each pair covers electro-technical standardization, the second "overall" standardization
Importance of the standards
Provide technical information and general and detailed design principles in accordance with the latest state of the art
Are considered rules of good practice
Standards can be used to demonstrate compliance with the relevant legislation
Standards have no legal status unless the legislator explicitly refers to them
Harmonized European standards
Are drawn up by the European standards organizations (CEN & CENELEC) under a mandate from the European Commission, in order to fulfil the requirements of the EU Directives
When harmonized standards are applied, the requirements of the EU Directives are presumed to have been met
They give an "automatic presumption of conformity"
Harmonized standards are published in the Official Journal of the EU
The standards are transferred unchanged into national standards
National standards covering the same subject must then be withdrawn
Standards functional safety
[Timeline 1997 to 2008: generic standards (publication); specific standards for the process industry (publication); specific standards for machinery (automotive industry, …) (publication); latest SIPI meeting]
Generic standard (series) EN (IEC) 61508
The standard is generic and applicable to Electrical, Electronic and Programmable Electronic (E/E/PE) safety-related systems; its principles and framework can also be used for other technologies
Introduces Safety Integrity Levels (SIL) as a measure of functional safety
Adopts a risk-based approach for the determination of the SIL requirements
Sets numerical target failure measures for E/E/PE safety-related systems, which are linked to the SIL
Uses an overall safety lifecycle concept which structurally covers all phases and activities necessary to achieve functional safety
Deals with both the organizational and the technical aspects
Has been conceived with a rapidly developing technology in mind
The framework is sufficiently robust and comprehensive to cater for future developments
Generic standard (series) EN (IEC) 61508
Consists of 7 parts:
Part 1: General requirements
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of safety integrity levels
Part 6: Guidelines on the application of parts 2 and 3
Part 7: Overview of techniques and measures
Parts 1 to 4 of the standard are designed as “basic” publications
Parts 5 to 7 are intended to give more background
Generic standard (series) EN (IEC) 61508
Intended use:
Facilitate the development of other sector- or product-related standards
Support manufacturers of safety-related systems (incl. components)
This (European) standard is not harmonized under a specific EU Directive
The standards are prepared by IEC TC 65/SC 65A (Industrial-process measurement and control)
Generic standard (series) EN (IEC) 61508
[Diagram] International (International Electrotechnical Commission): CDV 61508 (begin 1995, draft) -> FDIS 61508 (final draft) -> IEC 61508 (1998-2000); European (Comité Européen de Normalisation Electrotechnique): EN 61508 (1998-2000); National (Belgisch Elektrotechnisch Comité): NBN EN 61508 (1998-2000)
Generic ↔ sector- or product-related standards
IEC 61508: generic standard
IEC 61511: process industry
IEC 62061: machinery
IEC 61513: nuclear sector
IEC 61800-5-2: power drive systems, safety requirements, functional
Standard (series) EN (IEC) 61511
The standard focuses on Safety Instrumented Systems (SIS) for the process industry
Consists of 3 parts:
Part 1: Framework, definitions, system, hardware and software requirements
Part 2: Guidelines for the application of IEC 61511-1
Part 3: Guidance for the determination of the required safety integrity levels
Intended use:
Support users and integrators of safety instrumented systems for the process industry
This (European) standard is not harmonized under a specific EU Directive
Standard (series) EN (IEC) 61511
[Diagram] International (International Electrotechnical Commission): IEC 61508 (1998-2000) as basis; CDV 61511 (begin 1996, draft) -> FDIS 61511 (2002, final draft) -> IEC 61511 (2003); European (Comité Européen de Normalisation Electrotechnique): EN 61511 (2003); National (Belgisch Elektrotechnisch Comité): NBN EN 61511 (2003)
Standardization activities IEC and ISA
[Diagram] International (International Electrotechnical Commission): CDV 61508 (begin 1995, draft) -> IEC 61508 (1998-2000) -> IEC 61511 (2003); USA / Canada (American National Standards Institute, Instrument Society of America): S84.01 (1996) -> S84.01 (2004)
Standard EN (IEC) 62061
The standard focuses on Safety-Related Electrical Control Systems (SRECS) for machinery
Consists of one single part
Intended use:
Support users and integrators of safety-related electrical control systems for application in machinery
This (European) standard is harmonized under the Machinery Directive (98/37/EC)
Standard is prepared by IEC TC 44 (Safety of machinery – Electrotechnical aspects)
Standard EN (IEC) 62061
[Diagram] International (International Electrotechnical Commission): IEC 61508 (1998-2000) as basis; CDV 62061 (begin 1999, draft) -> FDIS 62061 (2004, final draft) -> IEC 62061 (2005); European (Comité Européen de Normalisation Electrotechnique): EN 62061 (2005); National (Belgisch Elektrotechnisch Comité): NBN EN 62061 (2005)
Difference between 61508 – 61511 – 62061
The content of the standards differs with regard to:
Terminology
Number of safety integrity levels
Determination of the mode of operation
Lay-out of the safety-lifecycle
Use of components
…
Differences : Terminology
                                        61508                          61511                               62061
Name of the safety-related system       E/E/PE safety-related system   SIS                                 SRECS
Involved installation                   EUC                            Process                             Machinery
Function of the safety-related system   Safety function                Safety instrumented function (SIF)  Safety-related control function
Safety integrity level                  SIL                            SIL                                 SIL
Differences : Terminology
62061 - Functional safety: part of the safety of the machine control system which depends on the correct functioning of the SRECS, other technology safety-related systems and external risk reduction facilities
61511 - Functional safety: part of the overall safety relating to the process and the BPCS which depends on the correct functioning of the SIS and other protection layers
61508 - Functional safety: part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities
Differences : Safety integrity levels
                          61508                            61511                            62061
Safety integrity levels   SIL                              SIL                              SIL
Number of levels          4 levels                         4 levels                         3 levels
Modes of operation        Demand mode and continuous mode  Demand mode and continuous mode  Continuous mode
Differences : Mode of operation
62061 - low demand mode: mode of demands in which the frequency of demands on a SRECS is no greater than one per year and no greater than twice the proof-test frequency
61511 - demand mode safety instrumented function: where a specified action (for example, closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the safety instrumented function a potential hazard only occurs in the event of a failure in the process or the BPCS
Note 2: In demand mode applications where the demand rate is more frequent than once per year, the hazard rate will not be higher than the dangerous failure rate of the safety instrumented function. In such a case, it will normally be appropriate to use the continuous mode criteria.
61508 - low demand mode: where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof-test frequency
Differences : Mode of operation
62061 - high demand or continuous mode: mode of demands in which the frequency of demands on a SRECS is greater than one per year or greater than twice the proof-test frequency
61511 - continuous mode safety instrumented function: where in the event of a dangerous failure of the safety instrumented function a potential hazard will occur without further failure unless action is taken to prevent it
61508 - high demand or continuous mode: where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof-check frequency
Lifecycle
Overview giving all necessary phases in the overall lifecycle of a safety-related system, from concept to decommissioning
It systematically covers all the activities necessary to achieve the required safety integrity level for the safety-related system
For each phase the objectives, scope, required inputs and outputs are described
The overview follows the (well-known) rules of a "quality management system"
The lay-out is different for each standard ! (?)
Lifecycle EN (IEC) 61508
[Diagram, translated]
1 Concept
2 Definition of operating limits and conditions of use
3 Safety study (hazard and risk analysis)
4 Determination of the overall safety requirements
5 Allocation of the safety requirements
6 Planning of operation and maintenance
7 Planning of safety validation
8 Planning of installation and commissioning
9 Realisation of the E/E/PES safety-related systems
10 Realisation of safety-related systems with other technologies
11 Realisation of other external risk reduction facilities
12 Installation and commissioning
13 Safety validation
14 Operation, maintenance and repair
15 Modification and re-engineering (back to the corresponding phase of the lifecycle)
16 Decommissioning and removal (demolition)
Across all phases: 17 management of functional safety; 18 functional safety assessment; 19 verification; documentation
Lifecycle EN (IEC) 61511
[Diagram, translated]
1 Risk analysis and design of the "protection layers"
2 Allocation of the safety functions to the "protection layers"
3 Safety requirements specification for the "Safety Instrumented System"
4 Design and engineering of the "Safety Instrumented System"
5 Design and engineering of other risk reduction measures
6 Installation, commissioning and validation
7 Operation and maintenance
8 Modification
9 Decommissioning
Across all phases (stages 1 to 5): management and assessment of functional safety; structure and planning of the safety lifecycle; verification
Lifecycle EN (IEC) 62061
[Diagram, translated; numbers refer to the clauses of the standard]
Risk analysis and determination of the risk reduction measures
Allocation of the safety functions to the "Safety-Related Electrical Control System"
5 Safety requirements specification for the "Safety-Related Control Function"
6 Design and development of the "Safety-Related Electrical Control System"
7 Information for use and maintenance of the machine
8 Validation of the "Safety-Related Electrical Control System"
9 Modifications of the "Safety-Related Electrical Control System"
Decommissioning
Across all phases: 4 management of functional safety; 10 documentation
Standardization activities for machinery
All machines placed on the EU market have to be compliant with the (essential) safety requirements of the EU Machinery Directive
The standards organizations have published many standards which help to fulfil these safety requirements (harmonized standards)
Especially for the design of safety-related control systems, different harmonized standards are available:
EN 62061, EN 954-1, EN ISO 13849
Standard EN 954-1
Applicable to safety-related parts of control systems based on all operating media : electrical, mechanical, pneumatic, hydraulic;
Performance of the safety-related parts described in terms of safety categories (B,1,2,3,4)
Uses a risk-graph methodology (qualitative) to designate the categories
Sets an appropriate system behaviour for each category (deterministic approach)
Behaviour is based on:
Reliability of components: fault avoidance
System structure (architecture) : Fault tolerance (redundancy), fault detection (monitoring) and fault resistance
Standard EN 954-1
Pro:
The standard is easily understood and requires no complex mathematics
Contra:
The coherence between risk level and category does not always appear plausible
No direct connection between risk reduction and category
Emphasis on "meeting category requirements" rather than on reducing risk
Categories are not a comprehensive measure of safety integrity
No probabilistic considerations are included in the safety examinations
Not suitable for programmable systems and complex electronics
No detailed requirements
Standardization activities for machinery
[Diagram] International (International Electrotechnical Commission): EN 61508 (1998-2000) -> EN 62061 (2005); International (International Organization for Standardization): TR ISO 13849-1 (1999), 13849-100 (2000), DIS 13849-1 (2004, draft) -> ISO 13849-1 (2006), ISO 13849-2 (2003); European (Comité Européen de Normalisation / Comité Européen de Normalisation Electrotechnique): EN 954-1 (1996), 954-100 (1999), EN ISO 13849-2 (2003), EN ISO 13849-1 (2006)
Standard (series) EN ISO 13849
The standard focuses on safety-related parts of control systems for machinery
Consists of 2 parts:
Part 1: General principles for design
Part 2: Validation
Intended use:
Support users and integrators of safety-related control systems for application in machinery
This (European) standard is harmonized under the Machinery Directive (98/37/EC)
The standard is prepared by ISO TC 199 (Safety of machinery)
Standard (series) EN ISO 13849
It examines all safety functions, including all the components involved
The performance of safety-related parts is described in terms of Performance Levels (a, b, c, d, e)
The familiar categories remain, but are defined in terms of designated architectures
Provides information to validate the design, in order to check that the requirements are fulfilled
Provides data on the reliability of the components and methods for estimating it
Standard (series) EN ISO 13849
The remaining risk-graph methodology (qualitative approach) no longer results in categories but in required Performance Levels
The standard describes how to calculate (quantitative assessment) the Performance Level achieved by safety-related parts of control systems, based on:
Designated architectures (Category)
MTTFd: Mean Time To dangerous Failure
DC: Diagnostic Coverage
CCF: Common Cause Failure
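The four inputs listed above are enough to run the simplified PL estimation of EN ISO 13849-1 end to end. The following Python is an added worked example, not code from the presentation or from the standards bodies. Everything it hard-codes beyond the four inputs named on the slide is reproduced from the 2006 edition of the standard and is flagged as such in the comments: the parts-count formula for the MTTFd of a channel, the failure-rate-weighted DCavg formula, the MTTFd classes (low 3 to 10 years, medium 10 to 30, high 30 to 100, capped at 100), the DCavg classes (none below 60 %, low 60 to 90 %, medium 90 to 99 %, high from 99 %), the CCF minimum score of 65 points for Categories 2 to 4, and the Category / DCavg / MTTFd to PL table of Figure 5. The part names and the reliability figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Part:
    name: str
    mttfd_years: float  # mean time to dangerous failure of this part (years)
    dc: float           # diagnostic coverage of this part, 0.0 .. 1.0


def channel_mttfd(parts):
    """Parts-count method (EN ISO 13849-1 Annex D, assumption not on the page):
    a channel fails dangerously when any of its parts does, so the dangerous
    failure rates (1/MTTFd) add up."""
    return 1.0 / sum(1.0 / p.mttfd_years for p in parts)


def dc_avg(parts):
    """Average diagnostic coverage (Annex E), weighted by each part's dangerous
    failure rate."""
    rates = [1.0 / p.mttfd_years for p in parts]
    return sum(p.dc * r for p, r in zip(parts, rates)) / sum(rates)


def mttfd_band(mttfd_years):
    """MTTFd classes of the simplified procedure; values above 100 years are
    capped at 100 (2006 edition)."""
    mttfd_years = min(mttfd_years, 100.0)
    if mttfd_years < 3.0:
        return None      # below the lowest class: not acceptable
    if mttfd_years < 10.0:
        return "low"
    if mttfd_years < 30.0:
        return "medium"
    return "high"


def dc_band(dcavg):
    """DCavg classes of the simplified procedure."""
    if dcavg < 0.60:
        return "none"
    if dcavg < 0.90:
        return "low"
    if dcavg < 0.99:
        return "medium"
    return "high"


# Figure 5 of EN ISO 13849-1:2006 (assumption: reproduced from the standard,
# not shown on the page): (Category, DCavg class) -> {MTTFd class: achievable PL}
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    (1,   "none"):   {"high": "c"},
    (2,   "low"):    {"low": "a", "medium": "b", "high": "c"},
    (2,   "medium"): {"low": "b", "medium": "c", "high": "d"},
    (3,   "low"):    {"low": "b", "medium": "c", "high": "d"},
    (3,   "medium"): {"low": "c", "medium": "d", "high": "d"},
    (4,   "high"):   {"high": "e"},
}

CCF_MIN_SCORE = 65   # Annex F: minimum CCF score for Category 2, 3 and 4 (assumption)


def performance_level(category, parts, ccf_score):
    """Achievable PL ('a'..'e') for a channel of the designated architecture, or
    None when the combination is not covered by the simplified table or the
    CCF measures score too low."""
    if category in (2, 3, 4) and ccf_score < CCF_MIN_SCORE:
        return None
    mttfd = mttfd_band(channel_mttfd(parts))
    dc = dc_band(dc_avg(parts))
    row = PL_TABLE.get((category, dc))
    if row is None or mttfd is None:
        return None
    return row.get(mttfd)


# Constructed sample: one channel of a redundant (Category 3) emergency-stop
# circuit. The figures are illustrative, not manufacturer data.
ESTOP_CHANNEL = [
    Part("e-stop contact block", mttfd_years=200.0, dc=0.90),
    Part("safety relay logic", mttfd_years=150.0, dc=0.99),
    Part("contactor (monitored via mirror contact)", mttfd_years=60.0, dc=0.90),
]

if __name__ == "__main__":
    m = channel_mttfd(ESTOP_CHANNEL)
    d = dc_avg(ESTOP_CHANNEL)
    print("MTTFd per channel: %.1f years (%s)" % (m, mttfd_band(m)))
    print("DCavg: %.1f %% (%s)" % (100 * d, dc_band(d)))
    print("Category 3, CCF score 70 -> PL", performance_level(3, ESTOP_CHANNEL, 70))
    print("Category 3, CCF score 50 -> PL", performance_level(3, ESTOP_CHANNEL, 50))
```

Note how the contactor, the least reliable part with the weakest diagnostics, dominates both the channel MTTFd and DCavg: improving the relay logic further would change nothing, whereas dropping the contactor's diagnostic coverage to 60 % pulls DCavg into the "low" class and the whole channel one PL down. A CCF score below 65 returns None rather than a lower PL, because without adequate common-cause measures the two channels cannot be credited as independent at all.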
Implementation of EN 62061 and EN ISO 13849
Relation between SIL and PL (EN ISO 13849-1: Table 2)
PL (Performance Level)   PFH (Probability of a dangerous Failure per Hour, 1/h)   SIL (Safety Integrity Level)
a                        ≥ 10^-5 to < 10^-4                                        No special safety requirements
b                        ≥ 3·10^-6 to < 10^-5                                      1
c                        ≥ 10^-6 to < 3·10^-6                                      1
d                        ≥ 10^-7 to < 10^-6                                        2
e                        ≥ 10^-8 to < 10^-7                                        3
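The mode-of-operation definitions compared earlier (low demand versus high demand or continuous mode) decide which target failure measure applies, and the table above then maps that measure to a SIL or PL. The Python below is an added worked example, not code from the presentation, that carries a safety function through both steps for the simplest single-channel (1oo1) architecture. The PFH bands are the ones in the table above; two things are assumptions not on the page and are marked as such in the code: the IEC 61508-6 simplified 1oo1 formulas (PFDavg ≈ λDU·T1/2 with repair time neglected, PFH ≈ λDU) and the IEC 61508-1 low-demand PFDavg bands (SIL 1: 10^-2 to 10^-1 down to SIL 4: 10^-5 to 10^-4). The three sample functions and their rates are constructed for illustration.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass
class SafetyFunction:
    name: str
    demands_per_year: float       # expected demand rate on the safety-related system
    proof_tests_per_year: float   # proof-test frequency
    lambda_du: float              # dangerous undetected failure rate of the 1oo1 channel, 1/h


def mode_of_operation(sf):
    """IEC 61508-4 rule from the slides: low demand only if the demand rate is no
    greater than one per year AND no greater than twice the proof-test frequency;
    anything else is high demand or continuous mode."""
    if sf.demands_per_year <= 1.0 and sf.demands_per_year <= 2.0 * sf.proof_tests_per_year:
        return "low demand"
    return "high demand or continuous"


def pfd_avg_1oo1(lambda_du, proof_tests_per_year):
    """Average probability of failure on demand of a single channel proof-tested
    every T1 hours (IEC 61508-6 simplified formula, repair time neglected;
    assumption not on the page)."""
    t1 = HOURS_PER_YEAR / proof_tests_per_year
    return lambda_du * t1 / 2.0


def pfh_1oo1(lambda_du):
    """For a single channel the dangerous failure frequency is lambda_DU itself."""
    return lambda_du


# EN ISO 13849-1 Table 2 as shown on the slide: (lower bound, upper bound, PL, SIL)
PFH_BANDS = [
    (1e-8, 1e-7, "e", 3),
    (1e-7, 1e-6, "d", 2),
    (1e-6, 3e-6, "c", 1),
    (3e-6, 1e-5, "b", 1),
    (1e-5, 1e-4, "a", None),   # PL a: no special safety requirements
]

# IEC 61508-1 low-demand PFDavg targets (assumption, not on the page): (lower, upper, SIL)
PFD_BANDS = [
    (1e-5, 1e-4, 4),
    (1e-4, 1e-3, 3),
    (1e-3, 1e-2, 2),
    (1e-2, 1e-1, 1),
]


def sil_pl_from_pfh(pfh):
    """High demand / continuous mode: classify a PFH value into (SIL, PL)."""
    for lo, hi, pl, sil in PFH_BANDS:
        if lo <= pfh < hi:
            return sil, pl
    return None, None   # outside the table: better than PL e or worse than PL a


def sil_from_pfd(pfd):
    """Low demand mode: classify a PFDavg value into a SIL."""
    for lo, hi, sil in PFD_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def assess(sf):
    """Select the measure that matches the mode of operation, then classify it."""
    mode = mode_of_operation(sf)
    if mode == "low demand":
        pfd = pfd_avg_1oo1(sf.lambda_du, sf.proof_tests_per_year)
        return {"mode": mode, "measure": "PFDavg", "value": pfd,
                "SIL": sil_from_pfd(pfd), "PL": None}
    pfh = pfh_1oo1(sf.lambda_du)
    sil, pl = sil_pl_from_pfh(pfh)
    return {"mode": mode, "measure": "PFH", "value": pfh, "SIL": sil, "PL": pl}


# Constructed sample functions; the rates are illustrative, not field data.
EXAMPLES = [
    SafetyFunction("high-level trip on a tank (process)", demands_per_year=0.2,
                   proof_tests_per_year=1.0, lambda_du=1e-6),
    SafetyFunction("light curtain on a press (machinery)", demands_per_year=5000.0,
                   proof_tests_per_year=1.0, lambda_du=5e-7),
    SafetyFunction("trip demanded twice in 4 years, proof-tested every 5 years",
                   demands_per_year=0.5, proof_tests_per_year=0.2, lambda_du=1e-6),
]

if __name__ == "__main__":
    for sf in EXAMPLES:
        r = assess(sf)
        print("%-58s %-26s %s = %.2e  SIL %s  PL %s"
              % (sf.name, r["mode"], r["measure"], r["value"], r["SIL"], r["PL"]))
```

The first and third functions have the same channel and the same failure rate, yet the third is pushed into high demand mode solely by the "twice the proof-test frequency" clause, so it is judged on PFH and lands at PL c / SIL 1, while the first is judged on PFDavg and reaches SIL 2. That is the practical reason the three standards' mode definitions matter: the proof-test interval is a design parameter of the safety function, not just a maintenance detail.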
Explosive atmospheres
Explosive atmosphere: gas, vapour or mist of flammable substances mixed with air
A cloud of combustible dust in air; layers, deposits and heaps of combustible dust (sources which can form an explosive atmosphere)
Regulations are stipulated in the ATEX Directives:
Safety and health protection of workers potentially at risk from explosive atmospheres (1999/92/EC)
Equipment intended for use in potentially explosive atmospheres (94/9/EC)
Classification of hazardous places
Zone 0 /20
A place in which an explosive atmosphere is present continuously or for long periods or frequently.
Zone 1/21
A place in which an explosive atmosphere is likely to occur in normal operation occasionally.
Zone 2/22
A place in which an explosive atmosphere is not likely to occur in normal operation but, if it does occur, will persist for a short period only.
Note: "Normal operation" means the situation in which installations are used within their design parameters.
Equipment categories (Group II)
Category   Level of protection   No active ignition source
1          Very high             even in the event of rare incidents
2          High                  even in the event of disturbances or faults which normally have to be taken into account
3          Normal                during normal operation
Equipment of category 1 must be equipped with means of protection such that:
- in the event of failure of one means of protection, at least an independent second means provides the requisite level of protection,
- or, the requisite level of protection is ensured in the event of two faults occurring independently of each other
Use of equipment in hazardous places
Relation between equipment categories, the occurrence of ignition sources at the equipment and the occurrence of an explosive atmosphere
Occurrence of ignition sources at the equipment                                                   Zone 0 / 20     Zone 1 / 21     Zone 2 / 22
Category 1: never (no sources during normal operation, foreseeable malfunctions and rare malfunctions)   Use accepted    Use accepted    Use accepted
Category 2: no sources during normal operation and foreseeable malfunctions                       Use forbidden   Use accepted    Use accepted
Category 3: no sources during normal operation                                                    Use forbidden   Use forbidden   Use accepted
Standard EN 13463-6
Non-electrical equipment intended for use in potentially explosive atmospheres - Part 6: Protection by control of ignition sources "b"
Stipulates the specifications for sensors and Ignition Prevention Systems (IPS) for:
detecting operating conditions leading to potential ignition sources;
initiating measures before the ignition source becomes effective
Assigns an Ignition Prevention Level (IPL) to the systems, characterized by their reliability
The required IPL is determined from the likelihood of occurrence of the ignition source and the category of the equipment
Required minimum IPL for the system (EN 13463-6: Table 1)
Relationship between the required ignition prevention level (IPL), the occurrence of ignition sources and the equipment category
Occurrence of potential ignition source   Category 1     Category 2     Category 3
During normal operation                   IPL 2          IPL 2          IPL 1
During foreseeable malfunctions           IPL 2          IPL 1          Not relevant
During rare malfunctions                  IPL 1          Not relevant   Not relevant
Requirements for Ignition Prevention Levels
Ignition Prevention Level 1:
Well-tried components with a proven history of reliability
Well-tried safety principles, able to withstand the expected influences
Capable of being checked at suitable intervals to identify loss of safety (incl. periodic maintenance checks)
If the critical value of a control parameter is exceeded, either the ignition source is prevented from becoming effective or a warning is given
Ignition Prevention Level 2: the requirements of IPL 1, plus:
If the critical value of a control parameter is exceeded, the ignition source is prevented from becoming effective
A single fault in the ignition prevention system does not lead to loss of the safety function
Relation between IPL, safety categories and SIL (EN 13463-6: 8.4 and Annex C)
IPL (Ignition Prevention Level, EN 13463-6)   Safety Category (EN 954-1)   SIL (Safety Integrity Level, EN 61508)
1                                             2                            SIL 1 (?)
2                                             3                            SIL 2 (?)
Conclusions
Functional safety: standardization activities
Time always moves on
In 2003:
We had a small number of standards for functional safety
Few people had knowledge of the subject and its problems, or experience with the use of the standards
Present, 2007:
We have a lot of standards for functional safety
There are now many people who already have a broad knowledge and practical experience
More and more people realize that they too will come into contact with the subject in the future
The trees in the (great) forest !
Today: we have access to a lot of documents
The standards organizations have published many standards
Could we say that everyone can find all the necessary information on the internet without any problem? But:
Is the information always transparent enough?
Are the published documents all consistent with each other?