Professional Documents
Culture Documents
Functional Safety Overview UL
Functional Safety Overview UL
Michael Mats
Table of Contents
Table of Contents
Slide 3
Standards
EN/IEC 61511 (2003), "Functional Safety - Safety Instrumented Systems for the
Process Industry Sector
EN/IEC 61800-5-2 (2007), "Adjustable Speed Electrical Power Drive Systems - Part
5-2: Safety Requirements - Functional"
EN/IEC 62061 (2005), "Safety of Machinery - Functional Safety of Safety-Related
Electrical, Electronic, and Programmable Electronic Control Systems"
EN ISO/ISO 13849-1 (2006), "Safety of Machinery - Safety-Related Parts of Control
Systems - Part 1: General Principles for Design"
ANSI/RIA/ISO 10218-1 (2007), "Robots for Industrial Environments - Safety
Requirements - Part 1: Robot"
ISO/Draft International Standard 26262 (2009), "Road Vehicles - Functional Safety
Slide 4
Demand Drivers for Functional Safety
Slide 6
IEC 61508: A standard in seven parts
(Parts 1 – 4 are normative)
Slide 7
FS according to IEC 61508:
EUC + EUC Control System
Slide 8
Why is there something called Functional
Safety?
Functional safety as a property has always existed
Slide 9
Functional safety as per IEC 61508
Slide 10
Overall Safety Lifecycle and E/E/PES life cycle
Concept
Overall Planning
Safety-related
Other risk
systems: E/E/PE Reduction
Operation & Installation &
Safety Realization: measures
Maintenance Commissioning
Validation E/E/PE
Decommissioning or Disposal
Slide 11
Functional Safety Certification Process
Kick-Off Meeting
Slide 12
Functional Safety Certification Process
Pre-Audit and IA
• Increase the probability of success of the certification
audit
Certification Audit
• Evaluation of documentation
• Product is certified
Slide 14
Functional Safety Certification Process
Follow-up Surveillance
Slide 15
Examples of Function Safety Products
Slide 16
EUC – E/E/PE System – Subsystems
Hazard & Risk Analysis shall be conducted for the EUC and the
EUC control system
Hazardous events are identified, and the associated risk (the “EUC
risk”) determined
Slide 17
Necessary risk reduction and Safety Integrity
Level (SIL)
Slide 18
FS Marks
The FS Marks are related to a SIL (or similar other FS ratings)
– They can thus only be granted for products or components
which provide risk reduction functions (i.e. E/E/PE safety-
related systems or subsystems)
• From a SIL point of view, it doesn’t make a difference
whether the E/E/PE safety-related (sub-)system is to be
considered a stand alone product or a component
Slide 19
E/E/PE safety-related system and risk reduction
EUC risk
– risk arising from the EUC or its interaction with the EUC control system
Tolerable risk
– risk which is accepted in a given context based on the current values of
society
Residual risk
– risk remaining after protective measures have been taken
– Must be equal or lower than tolerable risk
Slide 20
E/E/PE safety-related system and risk reduction
Slide 21
EUC Risk
Slide 22
E/E/PE System and Subsystems
In most cases the FS products certified by UL will be sub-systems
of an E/E/PE safety-related system
Subsystem
(data communication)
Subsystem Subsystem
(sensors) (actuators)
Subsystem
(logic unit)
Slide 23
Software Drives FS Requirements - IEC 61508-3
Slide 24
Software is Being Used Increasingly
Slide 25
Achieving HW safety integrity
IEC 61508-2 requires application of the following
principles to achieve the intended HW safety integrity:
– Redundancy
• Diversity of redundant channels to eliminate common cause failures
– Failure detection
• per IEC 61508, detection implies a reaction to a safe (operating) state
▪ For fail-safe applications, this can mean activation of the fail-safe state
– Reliability of components
• Probability of dangerous failure (on demand - PFD, per hour - PFH) in
accordance with target failure measure of the required SIL
Slide 26
Two routes to demonstrate HW safety integrity:
Route 1H and Route 2H
Route 1H :
– based on hardware fault tolerance and safe failure fraction
concepts
• This means a complete FMEDA on HW component level must be
carried out
• PFH and SFF calculated on this basis
Route 2H :
– based on field reliability data and hardware fault tolerance for
specified safety integrity levels,
• Data must have been recorded in accordance with applicable
standards, >90% statistical confidence
• stricter HW fault tolerance requirements for the different SIL’s
Slide 27
Achieving HW safety integrity
Slide 28
FMEDA Table (Design level)
Input 1
Switch off 1 T101
IC101
R100
Input 2
Switch off 2 T102
IC102
Emergency Output diag Safety-related output
Stop switch Safety device
Component Component Failure Effects failure Criticality DC l lD lS lDD lDU Detection Exclusion
reference function modes distribution [FIT] reqmts reqmts
R100 energetic 0,9 1 0,9 0,1 0,813 0.087
separation
between
channels, cross
communication
for diagnostics
short circuit no 0,2 1 0,6 0,2 0 0,12 0,08 sample test, MELF resistor
separation off line
between
channels
open circuit no cross 0,7 1 0,99 0,7 0 0,693 0,007 cross
communica comparison
tion between
channels
0,5< value <2 no effect 0,1 0 0 0 0,1 0 0 select value
high enough to
ensure
separation
Slide 29
SFF and diagnostic test interval
Slide 30
Simplified approaches proposed by other standards
Also ISO 13849-1 and IEC 62061 suggest simplified methods for
determining the probability of random HW failure
Slide 31
Additional Information
Websites:
www.ul.com/functionalsafety
www.exida.com
www.siemens.com
http://www.automationworld.com/newsletters_fsn.html
Questions?