
Functional safety

Standardization activities

Bart Aertgeerts
Symposium VIK/TI
13 November 2007 Crowne Plaza Antwerp

Dangers -> Overall safety

EUC (Machinery, process installation, apparatus, …)

Electrical installations -> Electrical safety
Mechanical movements -> Mechanical safety
Use of chemicals -> Chemical safety
Arrangement of the workplace -> Ergonomic design
Failure of safety-related systems -> Functional safety

Materials/Engineering - Safety

2 Bart Aertgeerts – 2007-11-13

Functional safety
• All aspects regarding the correct functioning of the Safety-Related Systems (SRS), so that the dedicated safety functions are maintained under all given conditions
  How safe does the safety-related system itself stay?
• All aspects to prevent and handle the (dangerous) failures of the safety-related systems, so that the EUC remains in a safe condition or is brought to a safe state

The available literature gives a broad description of the definition of "Functional Safety".

Ambitions of the standards organizations

Development of standards which give:
• information to prevent and handle failures of the safety-related systems;
• objective criteria to evaluate the functional safety;
• requirements to maintain the functional safety over the whole lifecycle of the safety-related system (from concept to decommissioning)

Standards organizations

Level         | "Overall" standardization                        | Electro-technical standardization
International | International Standardization Organization (ISO) | International Electrotechnical Commission (IEC)
European      | Comité Européen de Normalisation (CEN)           | Comité Européen de Normalisation Electrotechnique (CENELEC)
National      | Bureau voor Normalisatie (NBN)                   | Belgisch Elektrotechnisch Comité

Importance of the standards

• Provide technical information and general and detailed principles of design in accordance with the latest state-of-the-art technology
• Are considered as rules of good practice
• Standards can be used to demonstrate compliance with the relevant legislation
• Standards have no legal status unless the legislator has explicitly referred to them

Harmonized European standards
• Are drawn up by the European standards organizations (CEN & CENELEC) under a mandate from the EC Commission, in order to fulfil the requirements of the EU Directives
• When the harmonized standards are used, it is assumed that the requirements of the EU Directives have been met
  They give an "automatic presumption of conformity"
• Harmonized standards are published in the Official Journal of the EU
• The standards are transferred "unchanged" to national standards
  National standards handling the same subject must then be withdrawn

Standards functional safety (publication timeline)

Generic standards: publication
Specific standards for the process industry: publication
Specific standards for machinery (automotive industry, …): publication
Time axis: 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008
Latest SIPI meeting (marked on the time axis)

Generic standard (series) EN (IEC) 61508
• The standard is generic and applicable to the Electrical, Electronic and Programmable Electronic (E/E/PE) safety-related systems
  Principles and framework can also be used for other technologies
• Introduced Safety Integrity Levels (SIL) as a measure for functional safety
  Adopts a risk-based approach for the determination of the SIL requirements
  Sets numerical target failure measures for E/E/PE safety-related systems, which are linked to the SIL
• Uses an overall safety lifecycle concept which systematically covers all necessary phases and activities in order to achieve functional safety
  Deals with both the organizational and technical aspects
• Has been conceived with a rapidly developing technology in mind
  Framework is sufficiently robust and comprehensive to cater for future developments

Generic standard (series) EN (IEC) 61508

• Consists of 7 parts
  • Part 1: General requirements
  • Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
  • Part 3: Software requirements
  • Part 4: Definitions and abbreviations
  • Part 5: Examples of methods for the determination of safety integrity levels
  • Part 6: Guidelines on the application of parts 2 and 3
  • Part 7: Overview of techniques and measures
• Parts 1 to 4 of the standard are designed as "basic" publications
  Parts 5 to 7 are intended to give more background information

Generic standard (series) EN (IEC) 61508
• Intended use:
  • Facilitate the development of other sector or product related standards
  • Supports manufacturers of safety-related systems (incl. components)
• This (European) standard is not harmonized under a specific EU Directive

Standards are prepared by IEC TC 65/SC 65A (Industrial process measurement and control)

Generic standard (series) EN (IEC) 61508: standardization path

International, International Electrotechnical Commission: begin 1995 -> Draft (CDV 61508) -> Final Draft (FDIS 61508) -> IEC 61508 (1998 - 2000)
European, Comité Européen de Normalisation Electrotechnique: EN 61508 (1998 - 2000)
National, Belgisch Elektrotechnisch Comité: NBN EN 61508 (1998 - 2000)

Generic ↔ Sector or product related standards

61508: Generic standard
61511: Process industry
62061: Machinery
61800-5-2: Power drive systems (Safety requirements, functional)
61513: Nuclear sector

Standard (series) EN (IEC) 61511

• Standard focuses on Safety Instrumented Systems (SIS) for the process industry
• Consists of 3 parts
  • Part 1: Framework, definitions, system, hardware and software requirements
  • Part 2: Guidelines in the application of IEC 61511-1
  • Part 3: Guidance for the determination of the required safety integrity levels
• Intended use:
  • Supports users and integrators of safety instrumented systems for the process industry
• This (European) standard is not harmonized under a specific EU Directive

Standards are prepared by IEC TC 65/SC 65A (Industrial process measurement and control)

Standard (series) EN (IEC) 61511: standardization path

International, International Electrotechnical Commission: IEC 61508 (1998 - 2000) as basis -> begin 1996 -> Draft (CDV 61511) -> Final Draft (FDIS 61511) -> IEC 61511 (2003); dates on the time axis: 1996, 2002, 2003
European, Comité Européen de Normalisation Electrotechnique: EN 61511 (2003)
National, Belgisch Elektrotechnisch Comité: NBN EN 61511 (2003)

Standardization activities IEC and ISA

International, International Electrotechnical Commission: begin 1995 -> Draft (CDV 61508) -> IEC 61508 (1998-2000) -> IEC 61511 (2003)
USA / Canada, American National Standardization Institute / Instrument Society of America: S84.01 (1996) -> S84.01 (2004)

Standard EN (IEC) 62061
• Standard focuses on Safety-Related Electrical Control Systems (SRECS) for machinery
• Consists of one single part
• Intended use:
  • Supports users and integrators of safety-related electrical control systems for application in machinery
• This (European) standard is harmonized under the machinery Directive (98/37/EG)

Standard is prepared by IEC TC 44 (Safety of machinery – Electrotechnical aspects)

Standard EN (IEC) 62061: standardization path

International, International Electrotechnical Commission: IEC 61508 (1998 - 2000) as basis -> begin 1999 -> Draft (CDV 62061) -> Final Draft (FDIS 62061) -> IEC 62061 (2005); dates on the time axis: 1999, 2004, 2005
European, Comité Européen de Normalisation Electrotechnique: EN 62061 (2005)
National, Belgisch Elektrotechnisch Comité: NBN EN 62061 (2005)

Difference between 61508 – 61511 – 62061
• The content of the standards shows differences with regard to:
  • Terminology
  • Number of safety integrity levels
  • Determination of the mode of operation
  • Lay-out of the safety lifecycle
  • Use of components
  • …

Differences : Terminology

                                      | 61508                        | 61511                              | 62061
Name of the safety-related system     | E/E/PE safety-related system | SIS                                | SRECS
Involved installation                 | EUC                          | Process                            | Machinery
Function of the safety-related system | Safety function              | Safety instrumented function (SIF) | Safety-related control function
Safety integrity level                | SIL                          | SIL                                | SIL

Differences : Terminology

Functional safety (61508): part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities

Functional safety (61511): part of the overall safety relating to the process and the BPCS which depends on the correct functioning of the SIS and other protection layers

Functional safety (62061): part of the safety of the machine control system which depends on the correct functioning of the SRECS, other technology safety-related systems and external risk reduction facilities

Differences : Safety integrity levels

                        | 61508                           | 61511                           | 62061
Safety integrity levels | SIL, 4 levels                   | SIL, 4 levels                   | SIL, 3 levels
Modes of operation      | Demand mode and continuous mode | Demand mode and continuous mode | Continuous mode

Differences : Mode of operation

61508, low demand mode: where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof-test frequency;

61511, demand mode safety instrumented function: where a specified action (for example, closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the safety instrumented function a potential hazard only occurs in the event of a failure in the process or the BPCS
Note 2 : In demand mode applications where the demand rate is more frequent than once per year, the hazard rate will not be higher than the dangerous failure rate of the safety instrumented function. In such a case, it will normally be appropriate to use the continuous mode criteria.

62061, low demand mode: mode of demands in which the frequency of demands on a SRECS is no greater than one per year and no greater than twice the proof-test frequency;

Differences : Mode of operation

61508, high demand or continuous mode: where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof check frequency

61511, continuous mode safety instrumented function: where in the event of a dangerous failure of the safety instrumented function a potential hazard will occur without further failure unless action is taken to prevent it

62061, high demand or continuous mode: mode of demands in which the frequency of demands on a SRECS is greater than one per year and no greater than twice the proof-test frequency;
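The 61508 low-demand definition quoted above is a two-part test (demand rate against one per year, and against twice the proof-test frequency) whose second part is easy to overlook when proof tests are infrequent. The Python below is an added example, not part of the original slides: it applies that test to constructed sample profiles (names and numbers are assumptions) and also flags when the 61511 Note 2 remark makes the continuous-mode criteria the appropriate ones.

```python
# Added example (not from the original slides): classify the mode of
# operation of a safety function using the EN (IEC) 61508 wording quoted
# on the slides: low demand mode when the demand frequency is no greater
# than one per year AND no greater than twice the proof-test frequency;
# otherwise high demand or continuous mode.
from dataclasses import dataclass

LOW_DEMAND = "low demand mode"
HIGH_DEMAND = "high demand or continuous mode"


@dataclass(frozen=True)
class SafetyFunctionProfile:
    """Operating profile of one safety function (all values are assumptions)."""
    name: str
    demands_per_year: float           # expected demands on the safety function
    proof_test_interval_years: float  # time between two full proof tests


def mode_of_operation(profile: SafetyFunctionProfile) -> str:
    """Apply the 61508 low-demand criteria; both limits must hold."""
    if profile.demands_per_year < 0 or profile.proof_test_interval_years <= 0:
        raise ValueError("demand rate must be >= 0 and proof-test interval > 0")
    proof_tests_per_year = 1.0 / profile.proof_test_interval_years
    within_yearly_limit = profile.demands_per_year <= 1.0
    within_proof_test_limit = profile.demands_per_year <= 2.0 * proof_tests_per_year
    if within_yearly_limit and within_proof_test_limit:
        return LOW_DEMAND
    return HIGH_DEMAND


def continuous_criteria_apply(profile: SafetyFunctionProfile) -> bool:
    """EN (IEC) 61511 Note 2: above one demand per year the hazard rate is
    bounded by the dangerous failure rate of the safety instrumented
    function, so the continuous-mode criteria are normally appropriate."""
    return profile.demands_per_year > 1.0


# Constructed sample profiles (assumptions, not taken from the slides).
SAMPLE_PROFILES = [
    SafetyFunctionProfile("high-level trip, annual proof test", 0.1, 1.0),
    # 0.5 demands/year is below 1/year, but above 2 * (1/5) = 0.4 proof tests/year
    SafetyFunctionProfile("trip with 5-year proof test", 0.5, 5.0),
    SafetyFunctionProfile("light curtain on a press", 2000.0, 1.0),
]


def classify_all(profiles=SAMPLE_PROFILES) -> dict:
    """Return {name: (mode, continuous-mode criteria apply)} per profile."""
    return {p.name: (mode_of_operation(p), continuous_criteria_apply(p))
            for p in profiles}


if __name__ == "__main__":
    for name, (mode, cont) in classify_all().items():
        print(f"{name}: {mode}; continuous criteria apply: {cont}")
```

The second profile shows the edge case: fewer than one demand per year is not enough on its own, because a five-year proof-test interval pushes it into high demand mode.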

Lifecycle
• Overview giving all necessary phases in the overall lifecycle of a safety-related system, from concept to decommissioning
• It handles systematically all the activities necessary to achieve the required safety integrity level for the safety-related system
• For each phase the objectives, scope, required inputs and outputs are described
• The overview follows the (well known) rules of a "quality management system"
• The lay-out is different for each standard ! (?)

Lifecycle EN (IEC) 61508

Activities spanning all phases (diagram columns 17, 18, 19): Management of functional safety; Functional safety assessment; Documentation; Verification

1 Concept
2 Definition of operating limits and conditions of use
3 Safety study (hazards – risk analysis)
4 Determination of the overall safety requirements
5 Allocation of the safety requirements
6 Planning of operation and maintenance
7 Planning of safety validation
8 Planning of installation and commissioning
9 Realisation of E/E/PES safety-related systems
10 Realisation of safety-related systems with other technologies
11 Realisation of other external risk reduction facilities
12 Installation and commissioning
13 Safety validation
14 Operation, maintenance and repair
15 Decommissioning and removal (demolition)
16 Modification and re-engineering
Back to the corresponding phase of the lifecycle

Lifecycle EN (IEC) 61511

Activities spanning all stages (boxes 9 and 10 in the diagram): Management and assessment of functional safety; Structure and planning of the safety lifecycle; Verification

1 Risk analysis and design of the "protection layers"
2 Allocation of the safety functions to the "protection layers"
3 Specification of the safety requirements for the "Safety Instrumented System"
Stage 1
4 Design and construction of the "Safety Instrumented System"; design and construction of other risk reduction measures
Stage 2
5 Installation, commissioning and validation
Stage 3
6 Operation and maintenance
Stage 4
7 Modification
Stage 5
8 Decommissioning

Lifecycle EN (IEC) 62061

Activities spanning all phases (box 10 in the diagram): Management of functional safety; Documentation

4 Risk analysis and determination of the risk-reducing measures
Allocation of the safety functions to the "Safety-Related Electrical Control System"
5 Specification of the safety requirements for the "Safety-Related Control Function"
6 Design and construction of the "Safety-Related Electrical Control System"
7 Information for the use and maintenance of the machine
8 Validation of the "Safety-Related Electrical Control System"
9 Modifications of the "Safety-Related Electrical Control System"
Decommissioning

Standardization activities for machinery
• All machines introduced on the EU market have to be compliant with the (essential) safety requirements of the EU machinery Directive
• The standards organizations have published many standards which are helpful in order to fulfil the safety requirements (harmonized standards)
• Especially for the design of safety-related control systems there are different harmonized standards available:
  • EN 62061
  • EN 954-1
  • EN ISO 13849

Standard EN 954-1
• Applicable to safety-related parts of control systems based on all operating media: electrical, mechanical, pneumatic, hydraulic;
• Performance of the safety-related parts is described in terms of safety categories (B, 1, 2, 3, 4)
• Uses a risk-graph methodology (qualitative) in order to designate the categories
• Sets an appropriate system behavior against a category (deterministic approach)
  Behavior is based on:
  • Reliability of components: fault avoidance
  • System structure (architecture): fault tolerance (redundancy), fault detection (monitoring) and fault resistance

Standard EN 954-1
Pro
• Standard is easily understood and requires no complex mathematics
Contra
• The coherence between risk level and category doesn't always appear plausible
• No direct connection between risk reduction and category
• Emphasis on "meeting category requirements" rather than on reducing risk
• Categories are not a comprehensive measure of safety integrity
  No probabilistic considerations are included in the safety examinations
• Not suitable for programmable systems and complex electronics
  No detailed requirements

Standardization activities for machinery: standardization path

International, International Standardization Organization: ISO 13849-1 (1999) -> Draft (DIS 13849-1, 2004) -> ISO 13849-1 (2006); 13849-100 (2000); ISO 13849-2 (2003)
European, Comité Européen de Normalisation: EN 954-1 (1996) -> EN ISO 13849-1 (2006); TR 954-100 (1999); EN ISO 13849-2 (2003)
European, Comité Européen de Normalisation Electrotechnique: EN 61508 (1998-2000) -> EN 62061 (2005)

Standard (series) EN ISO 13849
• Standard focuses on safety-related parts of control systems for machinery
• Consists of 2 parts
  • Part 1: General principles for design
  • Part 2: Validation
• Intended use:
  • Supports users and integrators of safety-related control systems for application in machinery
• This (European) standard is harmonized under the machinery Directive (98/37/EG)

Standard is prepared by ISO TC 199 (Safety of machinery)

Standard (series) EN ISO 13849

• It examines all safety functions, including all the components involved
• Performance of safety-related parts is described in terms of Performance Levels (a, b, c, d, e)
• The familiar categories remain, but are defined in terms of designated architectures
• Gives information to validate the design, in order to check that the requirements are fulfilled
• Provides data for the reliability of the components and methods for estimations
• Describes the validation process

Standard (series) EN ISO 13849
• The remaining risk-graph methodology (qualitative approach) no longer results in categories but in required Performance Levels
• The standard describes how to calculate (quantitative assessment) the Performance Level for safety-related parts of control systems, based on:
  • Designated architectures (Category)
  • MTTFd: Mean Time To dangerous Failure
  • DC: Diagnostic Coverage
  • CCF: Common Cause Failure

Implementation of EN 62061 and EN ISO 13849
Relation between SIL and PL

PFH: Probability of a dangerous Failure per Hour (1/h) | PL: Performance Level | SIL: Safety Integrity Level
≥ 10^-5 to < 10^-6                                     | a                     | No special safety requirements
≥ 3·10^-6 to < 10^-5                                   | b                     | 1
≥ 10^-6 to < 3·10^-6                                   | c                     | 1
≥ 10^-7 to < 10^-6                                     | d                     | 2
≥ 10^-8 to < 10^-7                                     | e                     | 3

EN 13849-1 : Table 2

Explosive atmospheres
• Explosive atmosphere:
  • Gas, vapor or mist of flammable substances mixed with air
  • A cloud of combustible dust in air; layers, deposits and heaps of combustible dust (source which can form an explosive atmosphere)
• Regulations are stipulated in the ATEX Directives
  • Safety and health protection of workers potentially at risk from explosive atmospheres (1999/92/EG)
  • Equipment intended for use in potentially explosive atmospheres (92/9/EG)
Classification of hazardous places
• Zone 0 / 20
  A place in which an explosive atmosphere is present continuously, for long periods or frequently.
• Zone 1 / 21
  A place in which an explosive atmosphere is likely to occur occasionally in normal operation.
• Zone 2 / 22
  A place in which an explosive atmosphere is not likely to occur in normal operation but, if it does occur, will persist for a short period only.

Note : "Normal operation" means the situation when installations are used within their design parameters.

Equipment categories Group II

Category            | 1                                   | 2                                           | 3
Level of protection | Very high                           | High                                        | Normal
No active ignition source which normally has to be taken into account | even in the event of rare incidents | even in the event of disturbances or faults | during normal operation

Equipment of category 1 must be equipped with means of protection such that:
– in the event of failure of one means of protection, at least an independent second means provides the requisite level of protection,
– or, the requisite level of protection is ensured in the event of two faults occurring independently of each other
Use of equipment in hazardous places
Relation between equipment categories, the occurrence of ignition sources and the occurrence of an explosive atmosphere

Occurrence of ignition sources at the equipment:
  Category 3: no sources during normal operations
  Category 2: no sources during normal operations and foreseeable malfunctions
  Category 1: no sources during normal operations, foreseeable malfunctions and rare malfunctions
  --: never

            | Category 3    | Category 2    | Category 1   | --
Zone 0 / 20 | Use forbidden | Use forbidden | Use accepted | Use accepted
Zone 1 / 21 | Use forbidden | Use accepted  | Use accepted | Use accepted
Zone 2 / 22 | Use accepted  | Use accepted  | Use accepted | Use accepted

Standard EN 13463-6
• Non-electrical equipment intended for use in potentially explosive atmospheres - Part 6: Protection by control of ignition source "b"
• Stipulates the specifications for sensors and Ignition Prevention Systems (IPS) for:
  • Detecting operations leading to potential ignition sources
  • Initiating measures before the ignition source becomes effective
• Assigns an Ignition Prevention Level (IPL) to the systems
  Characterized by its reliability
• The required IPL is determined from the likelihood of occurrence of the ignition source and the category of the equipment
Required minimum IPL for the system
Relationship between the required ignition protection level (IPL), the occurrence of ignition sources and the equipment category

Occurrence of potential ignition source | Category 3   | Category 2   | Category 1
During normal operations                | IPL 1        | IPL 2        |
During foreseeable malfunctions         | Not relevant | IPL 1        | IPL 2
During rare malfunctions                | Not relevant | Not relevant | IPL 1

EN 13463-6 : Table 1

Requirements for Ignition Prevention Levels
• Ignition Prevention Level 1
  • Well-tried components, proven history of reliability
  • Well-tried safety principles, able to withstand expected influences
  • Capable of being checked at suitable intervals to identify loss of safety (incl. periodic maintenance checks)
  • If a control parameter critical value is exceeded, either the ignition source is prevented from becoming effective or a warning is given
• Ignition Prevention Level 2
  • Requirements of IPL 1
  • If a control parameter critical value is exceeded, the ignition source is prevented from becoming effective
  • A single fault in the ignition prevention system does not lead to loss of the safety function
Relation between IPL, safety categories and SIL

EN 13463-6: IPL, Ignition Prevention Level | EN 954-1: Safety Category | EN 61508: SIL, Safety Integrity Level
1                                          | 2                         | SIL 1 (?)
2                                          | 3                         | SIL 2 (?)

EN 13463-6 : 8.4 and Annex C

Conclusions

Functional Safety
Standardization activities

Time always moves on
In 2003:
• We had a small number of standards for functional safety
• Few people had knowledge about the subject, the problems, and experience with the use of the standards

Present, 2007:
• We have a lot of standards for functional safety
• There are now many people who already have a broad knowledge and practical experience
• There are more and more people who realize that in the future they too will come into contact with the subject

The trees in the (great) forest !

Today:
• We have access to a lot of documents
• The standards organizations have published many standards
• Could we say that everyone can find all the necessary information on the internet without any problems?

But:
• Is the information always transparent enough?
• Are the published documents all in accordance with each other?
• Is it clear where to start the search for information?
Functional safety
Standardization activities

Bart Aertgeerts
Symposium VIK
13 November 2007 Crowne Plaza Antwerp
