UNDERSTANDING FUNCTIONAL SAFETY


AN OVERVIEW OF THE IEC 61508 STANDARD AND ITS APPLICATION AND BENEFITS

As the integration of automated safety systems expands globally across diverse industries – including process, household and commercial products, medical, nuclear, automotive, railway and avionics – the importance of functional safety evaluation and certification has become recognized internationally. Today functional safety certification is widely considered to be an essential tool to control and mitigate risk, particularly in those cases where a failure could lead to serious injury or death.

Those unfamiliar with the concept of functional safety may find the subject difficult to understand and place within the context of traditional safety and reliability assessments. However, designers who understand and embrace the concept of functional safety – and who demonstrate that products or systems conform to the requirements of recognized functional safety standards – are equipped to better manage risk while also capturing an increased share of the market among the growing ranks of customers who also seek to meet the requirements of functional safety standards.

This paper provides an overview of functional safety concepts, standards requirements and methods of compliance. It is intended to help readers understand the importance of functional safety and the advantages of obtaining formal evaluation and certification services performed by an independent third party.

Why Functional Safety?

IEC 61508 is the international standard for safety related systems associated with electrical, electronic and software-based technologies. The principles of the standard can also be extended to assess mechanical elements if they are used in the safety function.

IEC 61508 is an umbrella (generic) standard, intended to form a basis for sector-specific standards, including:

• IEC 61511 process industry
• IEC 61513 nuclear industry
• IEC 62061 & ISO 13849 machinery industry
• EN 50402 gas detector systems
• EN 50126 rail industry

Evaluation and certification of systems and products to confirm that the functional safety requirements of IEC 61508 have been met is just one of the methods of dealing with hazard control. An appropriate initial hazard analysis must be implemented to define the level of risk and determine if functional safety is necessary to ensure adequate safety protection.

The IEC 61508 standard defines requirements for determining the level of risk and describes the lifecycle process for ensuring that systems are designed, validated, verified, operated and maintained to perform a specific function or functions so that risk is kept at an acceptable level. IEC 61508 defines four SILs according to the risks involved in a safety related system application, with SIL4 used to protect against the highest risks.

Safety function requirements are defined through a hazard analysis, while safety integrity requirements are derived from an assessment of acceptable risk. IEC 61508 may cover both determining the SIL of a product and verifying the manufacturer-specified safety integrity level (SIL). The higher the SIL assigned to the safety system or component, the lower the likelihood of dangerous failure. Instruments covered by these requirements might include sensors, detectors, signal conditioners, logic controllers, monitors, alarms, actuators, valves and motors.

North America Europe Asia www.csagroup.org

Demonstrating Functional Safety

In a highly complex, safety-related system where functional safety is required, equipment suppliers should identify an accredited approval body (third party) that can evaluate and certify compliance with IEC 61508 or the applicable industry-specific standard. Accreditation means that the third-party agency has an internationally recognized approval that qualifies it for functional safety conformity assessment.

The agency should demonstrate its experience and expertise in functional safety with a highly knowledgeable staff capable of carefully performing conformity assessment requirements while providing levels of service that help clients optimize their businesses. Agencies should be independent third parties subject to annual audits by the accrediting body. Qualifying agencies must provide annual compliance evidence to the accreditation agency as proof of full conformance with the requirements of IEC 61508.

The Benefits of Functional Safety

Evaluation of systems and components, and certification that they meet the requirements of the applicable functional safety standards, provides designers, owners, operators and other stakeholders with increased confidence that processes operate safely, products meet regulations and industry requirements, risk has been appropriately managed, and the potential for costly litigation has been minimized.

Equipment suppliers can also leverage their functional safety certifications to gain market advantage, access new markets and achieve sales growth among customers who require products that meet a given SIL for use in their safety related applications or systems. This “product-of-choice” status is reinforced by subsequent positive assessment reports from customers whose products and systems are also certified, further demonstrating full compliance with functional safety requirements.

Organizations that provide a safety related service, or an operation involving safety systems, can be approved for the technical and management processes that govern their functional safety activities (e.g., plant operators, systems integrators, contract designers, product suppliers etc.). This type of approval covers the organization’s generic processes as well as the competency of its staff. This approval can be very useful in earning new business, or in satisfying ongoing contractual or regulatory requirements.

Example of Functional Safety

The following example explains the basic principles of functional safety. The diagram below shows a relatively simple operation from the process industry: filling a bulk storage fuel tank. Questions that must be answered initially include: What hazards are associated with this application? What can go wrong in the process? What are the risks? How safe is the application? How safe does it need to be? Other questions may also apply.

In this illustration, tank overfill is clearly one of the main hazards that must be addressed.

That might sound basic, but consider what can happen if an overflow occurs.

Photo: Oil storage depot, Buncefield, UK, December 2005

Miraculously, no-one was killed in this incident (it was 6:00 am on a Sunday morning), but dozens of surrounding businesses were devastated. Several companies were prosecuted and found guilty in criminal and civil courts – including the owner/operator, the control system supplier and one of the instrument suppliers. The incident could have been prevented if the hazard and risk had been correctly identified and an appropriate target SIL established, resulting in the implementation of an appropriate overfill protection system and an operational functional safety management system.

SIS Implementation

In a scenario like this, specifying a “safety related system,” usually called a “Safety Instrumented System” (SIS) in the process industry, can reduce risk to a target SIL deemed acceptable based on assessment of the hazard. Depending on the target SIL, the risk level can be reduced by at least:

• SIL1 by 10 times
• SIL2 by 100 times
• SIL3 by 1,000 times
• SIL4 by 10,000 times

With the hazard and risks identified, safety requirements can be assessed and an acceptable target SIL established, resulting in the design of a safety related protection system – an SIS loop – implemented as shown below.

The SIS (in red) in this example might be specified as follows:

Safety Function: To close the emergency shut off valve and switch off the pump in the event that the high-high level switch contacts are opened.

Safety Integrity: To perform the safety function to SIL2 (that’s a probability of the independent safety function failing to work of less than 1 in 100 trips).

Basic Steps in Achieving Functional Safety

1) SIL Determination

Once the hazards and risks have been identified, using “HAZOP” analysis, a SIL Determination study can be prepared (normally arranged by the plant/machine operator) to establish the Safety Function(s) and the amount of risk reduction required of the safety system, which then defines its SIL. The IEC 61508 standard shows the requirements for failure data, which are expressed either as a probability of failure on demand (PFD) for a “trip” safety system or as a failure rate (for a safety system that has to respond more frequently or even continuously).

Each SIL has its own range, with an “order of magnitude” between end points. If the demand from the process on the safety function is predicted to be less frequent than once a year, it is classed as a low demand system; if the demand is more frequent than once a year, it is a high demand system. (A continuous mode safety function is where safety is achieved by continuous or linear control of the plant/machine.) It is important to get the distinction between high and low demand right, as the mathematics used to derive the requirements are different. Once the safety instrumented system is in operation, all demands (whether “nuisance” or valid) should be logged, investigated and compared with what was predicted at SIL determination.

2) Safety Requirements Specification

Once the target safety functions and safety integrity have been determined, the Safety Requirements Specification (SRS) should be prepared, as it is one of the most important phases in the lifecycle. Functional safety standards emphasize the importance of capturing functional requirements, deriving more detailed design requirements (right down to low level hardware and software) and tracing these through the design and development stages, integration and testing process, and through to final validation (assessment to the product lifecycle). At the end of every stage of the product lifecycle, a verification process must be followed to capture any details not fully addressed that can affect compliance. This supports avoidance of systematic failures. For complex or high-integrity safety systems, capture of formal requirements and associated testing requires trusted automated tools. The safety system (including all instruments) should then be designed and realized to achieve the numerical SIL requirements identified for the safety function.

3) Random Hardware Failures

Systems fail due to random hardware failures and systematic failures. Random hardware failures typically stem from the components used in assembly and the design architecture. The probability that the safety system will fail to perform its designed safety function must be estimated using numerical and analytical techniques. A quantitative assessment is performed to ensure the specified figure is achieved.

A theoretical model of the equipment’s reliability must be constructed, decomposing the design into functional blocks to form a “Reliability Block Diagram” (RBD). Other methods such as Fault Tree Analysis can also be used. Modelling is particularly required for more complex designs.

Common Functional Safety Terms and Concepts

• Functional Safety is when safety relies on:
– Safety function(s) – what the equipment does, and
– Safety integrity – how reliably the equipment does it
• It is aimed at systems, typically formed from discrete instruments such as:
– Sensors (to detect unsafe process/machine conditions)
– Logic solvers (decision making or controlling devices)
– Output elements (devices that physically interrupt or halt the process/machine to make the situation safe)
• It is concerned with how the systems/instruments can fail: failure modes
• How likely the system/instrument failure mode is to occur: failure data
• The SIS is used to reduce the risk(s) to an “acceptable level” (a figure generally accepted by society and legislators)
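The SIL determination step above, worked through in code. This is an added illustration, not CSA Group's or the standard's own tooling. It takes the two figures a HAZOP and risk assessment produce (the predicted demand rate on the safety function with no SIS in place, and the tolerable frequency of the hazardous event), applies the paper's demand-mode rule (less than once a year is low demand) and its risk-reduction bands (10x, 100x, 1,000x, 10,000x), and for high-demand mode uses the per-hour PFH bands of IEC 61508-1 Table 3 under the simplifying assumption that every dangerous SIS failure leads to the hazardous event. The `demand_rate_review` helper covers the paper's point that demands in operation must be logged and compared with the prediction. All input numbers are constructed.

```python
"""SIL determination from a hazard/risk assessment (added example, not CSA Group's code).

Low-demand mode: required risk reduction factor (RRF) = unprotected demand
rate / tolerable event rate, mapped to the paper's SIL bands; the SIS must
then achieve PFDavg <= 1/RRF.
High-demand mode: the tolerable event rate per hour is taken as the PFH
target (simplification: each dangerous SIS failure causes the event) and
mapped to the PFH bands of IEC 61508-1 Table 3.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Minimum risk reduction for each SIL, as quoted in the paper (low-demand mode).
RRF_LOWER = {1: 10.0, 2: 100.0, 3: 1_000.0, 4: 10_000.0}
RRF_BEYOND_SIL4 = 100_000.0      # above this a single SIS cannot provide the reduction

# Upper bound of the PFH band (dangerous failures per hour) for each SIL (high demand).
PFH_UPPER = {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}
PFH_BELOW_SIL4 = 1e-9


@dataclass
class SilTarget:
    mode: str              # "low demand" or "high demand"
    sil: int               # 0 = no SIL required, otherwise 1..4
    rrf_required: float    # demand rate / tolerable rate
    target_metric: str     # "PFDavg" (low demand) or "PFH" (high demand)
    target_value: float    # the figure the SIS design must then demonstrate


def demand_mode(demands_per_year):
    """Paper: demand less frequent than once a year is low demand, otherwise high demand."""
    return "low demand" if demands_per_year < 1.0 else "high demand"


def determine_sil(demands_per_year, tolerable_events_per_year):
    if demands_per_year <= 0 or tolerable_events_per_year <= 0:
        raise ValueError("frequencies must be positive")
    rrf = demands_per_year / tolerable_events_per_year
    mode = demand_mode(demands_per_year)

    if mode == "low demand":
        if rrf >= RRF_BEYOND_SIL4:
            raise ValueError(f"RRF {rrf:.0f} exceeds SIL4; revisit the process design")
        sil = max((s for s, lower in RRF_LOWER.items() if rrf >= lower), default=0)
        return SilTarget(mode, sil, rrf, "PFDavg", 1.0 / rrf)

    # High demand: the mathematics change, the target is a rate per hour, not a probability.
    pfh_target = tolerable_events_per_year / HOURS_PER_YEAR
    if pfh_target < PFH_BELOW_SIL4:
        raise ValueError(f"PFH target {pfh_target:.1e}/h is beyond SIL4")
    sil = max((s for s, upper in PFH_UPPER.items() if pfh_target < upper), default=0)
    return SilTarget(mode, sil, rrf, "PFH", pfh_target)


def demand_rate_review(predicted_per_year, observed_demands, operating_years):
    """Compare logged demands with the SIL-determination prediction.

    Returns (observed rate, needs_review, observed demand mode).  A higher rate
    than predicted, or a change of demand mode, invalidates the original study.
    """
    observed = observed_demands / operating_years
    needs_review = observed > predicted_per_year or demand_mode(observed) != demand_mode(predicted_per_year)
    return observed, needs_review, demand_mode(observed)


if __name__ == "__main__":
    # Constructed figures for the tank-overfill scenario: an overfill demand once
    # every five years, tolerable overflow frequency once per 1,000 years.
    t = determine_sil(0.2, 1e-3)
    print(f"{t.mode}: RRF {t.rrf_required:.0f} -> SIL{t.sil}, {t.target_metric} <= {t.target_value:.1e}")
    h = determine_sil(50.0, 1e-3)        # e.g. a guard on a machine cycling 50 times a year
    print(f"{h.mode}: SIL{h.sil}, {h.target_metric} <= {h.target_value:.1e} per hour")
    print(demand_rate_review(0.2, observed_demands=2, operating_years=5))
```

The first constructed case reproduces the paper's SIL2 target (a required reduction of 200 times lands in the 100x to 1,000x band, so the SIS must show a PFDavg no worse than 1 in 200). The review helper is where "compare with what was predicted" becomes an operational check: two logged demands in five years against a prediction of one in five flags the study for repetition.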

Each “block” down to component level must be analyzed, using methods such as Failure Modes and Effects Analysis (FMEA). During this analysis, it is necessary to determine how the failure of each component affects the equipment’s safety function. Failures can be a combination of safe and dangerous depending on the definition of the safety function.

The outcome of the FMEA for each block is a sum of the different types of failures (safe and/or dangerous). Using the Reliability Block Diagram, the different failure rates can be grouped into categories, such as safe failures or dangerous (detected or undetected); the probability of failure on demand (PFD) can then be calculated for the equipment.

This analysis can be performed using information from circuit diagrams, mechanical assembly drawings, parts lists, and other sources, and therefore can be undertaken following design. It requires a detailed knowledge of component failure rates, their various failure modes and how these can affect the functionality of the instrument used in the safety function. The analysis is a specialist area and should only be undertaken by analysts with the appropriate tools, competence and access to the appropriate failure rate data in order to yield a statistical prediction of the random hardware failure.

In addition to meeting the PFD requirement, it is necessary for the equipment to meet certain architectural constraints such as the safe failure fraction (SFF) and the hardware fault tolerance (HFT) outlined in the standard.

4) Systematic Failures

The second reason for system failure is weaknesses in the processes used in the specification, design, test, installation, use, modification and repair of the safety system (known as the “lifecycle”). These systematic failures cannot be modelled and determined statistically. Instead they must be avoided by using processes and techniques of sufficient rigor for the SIL involved. These are prescribed in the IEC 61508 standard. The verification of systematic failures (hardware or software) requires a qualitative assessment of the evidence of using the prescribed lifecycle, although the actual processes and work activities used will depend on the technologies in the design and type of safety equipment in question. For equipment developers, evidence of using these methods must be gathered during the design and made available for assessment.

5) Software

Software requires special attention from the developer if it is involved in performing the safety function. Software defects are a specific type of systematic failure and a full discussion is beyond the scope of this paper. However, these points should be noted:

• Ensure requirements are fully captured and traceable through the development lifecycle
• Remember the linkage between hardware and software – FMEA is a rich source of software requirements for achieving hardware diagnostic coverage
• Develop a software review culture (and keep evidence; informal log books are fine)
• Modifications must include an impact analysis and proof of the implementation process
• Configuration management is critical, including versions of test and development tools
• SOUP (software of unknown provenance) and COTS (commercial-off-the-shelf) are best avoided, or extreme care should be taken in their use
• Invest in and maximize the use of automated test tools – anything repetitive or requiring manual effort to generate test cases or log results will lend itself to such tools
• Static analysis tools – some are very affordable and offer great benefit; the deeper and wider the analysis the better
• Coding standards – this is an essential requirement to ensure correct and safe constructs and a safe language sub-set are used
• Use recommended standards and tools (MISRA C and approved development tools) to support the structure and compliance of the safety software
• For systems integrators, achieving compliance to IEC 61511 is relatively straightforward

Common Functional Safety Terms and Concepts (continued)

• The level of risk reduction required from the SIS will define its Safety Integrity Level (“SIL”). The SIL places:
– Limits on the probability of random hardware failure, and
– Requirements on the systematic failure during the development process known as the “lifecycle” used during the product realization phase
• Note that before a SIS is specified, risk is already reduced as much as possible by conventional measures such as good (safe) process/machine design, the basic control system, alarms, trips, relief systems, procedural measures, etc.
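The random hardware failure steps above (FMEA per block, grouping of failure rates into safe/dangerous and detected/undetected, PFD via the Reliability Block Diagram, then the SFF and HFT architectural constraints) applied to the paper's tank-overfill SIS loop. This is an added example, not CSA Group's code, and the FMEA rows are constructed for illustration rather than real device data. It uses the simplified 1oo1 low-demand equation PFDavg ≈ λDU·T/2 from IEC 61508-6, the SFF definition of IEC 61508-2, a series RBD (loop PFDavg is the sum of the block PFDavgs) and the Route 1H architectural constraint tables for Type A and Type B elements from IEC 61508-2.

```python
"""Random hardware failure quantification for a tank-overfill SIS loop.

Added worked example, not CSA Group's code; FMEA data below are constructed.
  lambda_SD/SU/DD/DU  - FMEA rows grouped per IEC 61508 category
  SFF = (lambda_total - lambda_DU) / lambda_total          (IEC 61508-2)
  PFDavg ~= lambda_DU * T / 2   for a 1oo1 block proof-tested every T hours
                                (simplified low-demand equation, IEC 61508-6)
  loop PFDavg = sum of block PFDavg                         (series RBD)
  Route 1H architectural constraints, IEC 61508-2 Tables 2 (Type A) and 3 (Type B)
"""
from dataclasses import dataclass

FIT = 1e-9               # one failure per 10^9 hours
HOURS_PER_YEAR = 8760.0


@dataclass
class FailureMode:
    description: str
    rate_fit: float
    dangerous: bool      # True if this mode defeats the safety function
    detected: bool       # True if on-line diagnostics reveal it before a demand


@dataclass
class Block:
    name: str
    modes: list
    hft: int = 0         # hardware fault tolerance: 0 = single channel (1oo1)
    type_b: bool = False # Type B = complex element (e.g. programmable), Type A = simple

    def rates(self):
        """Sum the FMEA rows into lambda_SD, lambda_SU, lambda_DD, lambda_DU (per hour)."""
        r = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
        for m in self.modes:
            r[("D" if m.dangerous else "S") + ("D" if m.detected else "U")] += m.rate_fit * FIT
        return r

    def sff(self):
        """Safe failure fraction: all failures except dangerous-undetected count as 'safe'."""
        r = self.rates()
        total = sum(r.values())
        return 1.0 if total == 0.0 else (total - r["DU"]) / total

    def pfd_avg(self, proof_test_interval_h):
        """Only dangerous-undetected failures accumulate between proof tests."""
        return self.rates()["DU"] * proof_test_interval_h / 2.0


def sil_from_pfd(pfd):
    """Low-demand SIL band achieved by a PFDavg; 0 means it does not reach SIL1."""
    if pfd < 1e-5:
        raise ValueError("PFDavg below the SIL4 band; check the model inputs")
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def max_sil_architecture(sff, hft, type_b):
    """Highest SIL an element may claim for its SFF and HFT (Route 1H); 0 = not allowed."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    base = band if type_b else min(3, band + 1)   # Type A: 1,2,3,3  Type B: 0,1,2,3
    return min(4, base + min(hft, 2))


def loop_pfd(blocks, proof_test_interval_h):
    return sum(b.pfd_avg(proof_test_interval_h) for b in blocks)


def achieved_sil(blocks, proof_test_interval_h):
    """The loop claims the lower of the PFD-based SIL and the weakest block's architectural limit."""
    by_pfd = sil_from_pfd(loop_pfd(blocks, proof_test_interval_h))
    by_architecture = min(max_sil_architecture(b.sff(), b.hft, b.type_b) for b in blocks)
    return min(by_pfd, by_architecture)


# Constructed FMEA results for the paper's loop (rates in FIT, not real device data).
LEVEL_SWITCH = Block("high-high level switch", [
    FailureMode("contacts stuck closed, no trip", 300, dangerous=True, detected=False),
    FailureMode("contacts open spuriously, nuisance trip", 500, dangerous=False, detected=False)])
LOGIC_SOLVER = Block("logic solver", [
    FailureMode("output stuck energised, diagnosed", 2000, dangerous=True, detected=True),
    FailureMode("output stuck energised, not diagnosed", 100, dangerous=True, detected=False),
    FailureMode("watchdog forces safe state", 300, dangerous=False, detected=True),
    FailureMode("spurious de-energise", 100, dangerous=False, detected=False)], type_b=True)
SHUTOFF_VALVE = Block("emergency shut-off valve", [
    FailureMode("fails to close on demand", 800, dangerous=True, detected=False),
    FailureMode("closes spuriously", 400, dangerous=False, detected=False)])
PUMP_CONTACTOR = Block("pump contactor", [
    FailureMode("contacts welded, pump keeps running", 200, dangerous=True, detected=False),
    FailureMode("drops out spuriously", 350, dangerous=False, detected=False)])
LOOP = [LEVEL_SWITCH, LOGIC_SOLVER, SHUTOFF_VALVE, PUMP_CONTACTOR]

if __name__ == "__main__":
    T = HOURS_PER_YEAR   # annual proof test
    for b in LOOP:
        print(f"{b.name:26s} SFF={b.sff():.2f}  PFDavg={b.pfd_avg(T):.2e}  "
              f"architectural limit SIL{max_sil_architecture(b.sff(), b.hft, b.type_b)}")
    print(f"loop PFDavg={loop_pfd(LOOP, T):.2e}: SIL{sil_from_pfd(loop_pfd(LOOP, T))} by PFD, "
          f"SIL{achieved_sil(LOOP, T)} claimable overall")
```

With these constructed numbers the loop's PFDavg of about 6.1e-3 sits inside the SIL2 band, so the numerical target from the paper's example is met, yet the valve's SFF of 33% with no fault tolerance caps its architectural claim at SIL1, which is what the "in addition to meeting the PFD requirement" sentence above is about. Giving the valve an HFT of 1 lifts the claim to SIL2; note that the example only applies the architectural table for that case and keeps the 1oo1 PFD formula, whereas a real 1oo2 valve arrangement would also be modelled with the corresponding redundant-channel equation. Stretching the proof test interval from one year to ten years drops the same hardware to SIL1 on PFD alone, which is why the interval is part of the safety requirements specification rather than a maintenance afterthought.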

6) Functional Safety Assessment

All safety systems must undergo an independent functional safety assessment (FSA) covering the hardware and software as well as all the related processes used in the realization of the instrument/system. The FSA applies to all activities in the lifecycle of the safety system or instrument. Requirements for the FSA are defined in IEC 61508-1 section 8. The accredited certification process is defined by the international standard for certification ISO/IEC 17065, which was published in September 2012 and replaces EN 45011 and ISO Guide 65. This change dictated the need for changes within Certification Body (CB) management systems and processes in order to maintain UKAS accreditation. ISO 17065 covers many of the requirements with respect to the assessment body. The requirements for the assessment, including the methods and techniques prescribed, increase in rigour with higher SIL. There is a minimum level of independence between the assessment team and the work being assessed, which depends on the SIL and the lifecycle activities being evaluated.

7) Management of Functional Safety

IEC 61508 makes it clear that all organizations that deal with safety instrumented systems should operate a functional safety management (FSM) process. This could be a company-wide process, typically part of the company’s Quality Management System, and should include the additional elements required for functional safety. Alternatively, it could be implemented as an overarching plan that covers a specific project and details how functional safety will be achieved. Either way, FSM is indispensable for avoiding systematic failures and for creating a safety culture. No product, system or operation can claim to conform to the IEC 61508 standard without this critical assessment, which should govern all safety-related work activities from concept to decommissioning.

An important part of the FSM is the development structure, deployment and assessment of the competence of all staff that have any roles or responsibilities associated with safety systems. For companies starting a functional safety project for the first time, FSM is a good place to begin as it establishes the procedural infrastructure in advance.

Conclusion

History (past and recent) shows there is a great need for industry to provide evidence of the reliability of automated safety systems to ensure the safety of people, the environment and corporate assets. IEC 61508 (and related standards) provides the systematic lifecycle approach necessary to achieve functional safety. Around the world, new and existing plants are being measured against the criteria of this standard, and market requirements for instruments that are suitable for SIL-rated systems are now commonplace. This enables instrument suppliers to benefit commercially from functional safety certification, increasing their market advantage by earning “product-of-choice” status among current and future customers.

About CSA Group

CSA Group was the first certification body in the world to be accredited by UKAS to issue functional safety certification to IEC 61508 for both products and companies (FSM). It has undertaken more than 300 functional safety projects for clients worldwide in the past five years. These projects have ranged from simple electromechanical switches, actuators and valves to highly complex programmable protection devices and embedded real-time operating systems, up to SIL3 compliance. CSA Group’s team of functional safety specialists has experience in a wide range of industry sectors and applications, including safety of machinery.

CSA Group offers a wide range of functional safety compliance assessment services – from household equipment, software evaluation, FSM and product certification, to services for wide sectors in the process industries. CSA Group’s functional safety program offers a full-service global solution to manufacturers of equipment used in hazardous locations and in critical applications.

The CSA Certified advantage: helping manufacturers get the market access they need for over 95 years.

Contact CSA Group to obtain more information about our global functional safety evaluation and certification services:

Call 1.866.463.1785 or visit www.csagroup.org or email us at certinfo@csagroup.org

THE FOLLOWING ARE TRADEMARKS OF CSA GROUP: THE CSA LOGO AND CSA CERTIFIED. 2015 CSA GROUP. ALL RIGHTS RESERVED.
