Mtl Fsm Poster

1
Definitions and abbreviations SIL 1 IEC 61508:2010 SIL 2 IEC 61508:2010 SIL 3 IEC 61508:2010 SIL 4 IEC 61508:2010 For technical advice or further information call: +44 (0) 1582 723633 www.mtl-inst.com [email protected] ZL-P-FSM-EN-1112 South Korea Tel: +82 2 538 3481 Fax: +82 2 538 3505 Japan Tel: +81 (0)3 6430 3128 Fax: +81 (0)3 6430 3129 China Tel: +86 10 5980 0231 Fax: +86 10 8562 5725 Australia Tel: +61 1300 308 374 Fax: +61 1300 308 463 Germany Tel: +49 (0)2131 718930 Fax: +49 (0)2131 7189333 France Tel: +33 (0)4 37 46 16 70 Fax: +33 (0)4 37 46 17 20 India Tel: + 91 (0)44 24501660 Fax: + 91 (0)44 24501463 Italy Tel: +39 (0)2 61802011 Fax: +39 (0)2 61294560 United Arab Emirates Tel: +971 2 446 6840 Fax: +971 2 446 6841 Singapore Tel: +65 6 645 9888 Fax: +65 6 487 7997 UK Tel: +44 (0)1582 723633 Fax: +44 (0)1582 422283 Americas Tel: +1 281 571 8065 Fax: +1 281 571 8069 Netherlands Tel: +31 (0) 76 7505360 Fax: +31 (0) 76 7505370 WHAT IS FUNCTIONAL SAFETY? In the process industries, safety can be defined as being protected from unacceptable risk of injury or damage to people, property or the environment. Functional Safety relates to the part of overall safety that depends upon the correct operation of an electrical/electronic/programmable electronic safety instrumented system, SIS. The requirements for such a SIS are defined in the IEC 61508 group of standards. IEC 61508 & SAFETY LIFECYCLE IEC 61508 Part 1 Installation, commissioning & safety validation of E/E/PE safety- related systems 7.13 - 7.14 Part 1 Operation, maintenance, repair, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems 7.15 - 7.17 Part 1 Development of the overall safety requirements (concept, scope, definition, hazard and risk analysis) 7.1 to 7.5 Part 1 Allocation of the safety requirements to the E/E/PE safety-related systems 7.6 Part 1 Specification of the system safety requirements for the E/E/PE safety-related systems 7.10 Part 2 Realisation phase for E/E/PE safety- related systems Part 3 Realisation phase for safety-related software Part 5 Example of methods for the determination of safety integrity levels Part 6 Guidelines for the application of Parts 2 & 3 Part 7 Overview of techniques and measures Part 4 Definitions & abbreviations Part 1 Documentation Clause 5 & Annex A Part 1 Management of functional safety Clause 6 Part 1 Functional safety assessment Clause 8 Overall framework of the IEC 61508 series Technical Requirements Other Requirements E/E/PE system design requirements specification 10.1 E/E/PE system design & development including ASICs & software 10.3 E/E/PE system integration 10.4 E/E/PE system safety validation 10.6 E/E/PE system safety validation planning 10.2 E/E/PE system safety lifecycle (in realisation phase) E/E/PE system installation, commissioning, operation & maintenance procedures 10.5 E/E/PE safety-related systems 10 Realisation (see E/E/PE system safety lifecycle) One E/E/PE safety lifecycle for each E/E/PE safety- related system Box 10 in ‘Overall Safety Lifecycle’ To Box 12 in ‘Overall Safety Lifecycle’ To Box 14 in ‘Overall Safety Lifecycle’ SAFETY INTEGRITY LEVELS Safety integrity is the ability of the SIS to perform the required safety function as and when required. Four levels of safety integrity are defined, each corresponding to a range of target likelihood of failures of a safety function. Safety integrity level 4 (SIL4) is the highest level of safety integrity and safety integrity level 1 (SIL1) is the lowest level. Note that a safety integrity level is a property of a safety function rather than of a system or any part of a system. Safety integrity is considered to be composed of the following two elements: Hardware safety integrity; that part of safety integrity relating to random hardware failures in a dangerous mode of failure. It may be necessary to use redundant architectures to achieve adequate hardware safety integrity. DEFINITION SIL for High Demand Mode Safety Integrity Level (SIL) Average frequency of a dangerous failure of the safety function [h -1 ] (PFH) 4 ≥ 10 -9 to < 10 -8 3 ≥ 10 -8 to < 10 -7 2 ≥ 10 -7 to < 10 -6 1 ≥ 10 -6 to < 10 -5 SIL for Low Demand Mode Safety Integrity Level (SIL) Average probability of a dangerous failure on demand of the safety function (PFDavg) 4 ≥ 10 -5 to < 10 -4 3 ≥ 10 -4 to < 10 -3 2 ≥ 10 -3 to < 10 -2 1 ≥ 10 -2 to < 10 -1 E/E/PE system design requirements specification E/E/PE system architecture Hardware safety requirements specification Programmable electronic hardware Non-programmable hardware Programmable electronics design & development Non-programmable hardware design & development E/E/PE system integration Software safety requirements Software design & development Programmable electronics integration (hardware & software) Relationship between & scope of IEC 61508-2 & IEC 61508-3 Scope of IEC 61508-3 Scope of IEC 61508-2 Systematic safety integrity; that part of safety integrity relating to systematic failures in a dangerous mode of failure. Techniques such as redundant channels of identical hardware, which are very effective at controlling random hardware failures, are of little use in reducing systematic failures such as software errors. Devices, elements and systems may be Type A or Type B. Type A is when the components required to perform a specified function meet all of the following: a) The failure modes of all components are well defined; and b) The behaviour of the device under fault conditions can be completely determined; and c) There is sufficient dependable failure data to show that the claimed failure rates for detected and undetected dangerous failures are met. Type B is simply when one or more of the components required to perform a specified function is not Type A. CASS SCHEME Accredited Certification for Safety Systems... to IEC 61508 and related standards IEC 61508 The CASS Scheme Ltd Members Governing Body Technical Design Authority Technical Committees RULES Feedback UKAS Certification Bodies EN45011 Test Houses Clients Relationship between CASS assessment types Functional Safety Management (FSM) Component Supplier T5 Component Assessment T1 Sub-system Assessment T2 Integrated System Assessment T2a Safety Requirements Assessment T4 Operations and Maintenance Assessment T3 Sub-system Supplier Engineering Function/System Integrator End user/ Operator TERMINOLOGIES & ABBREVIATIONS Abbreviation Full expression Abbreviation Full expression AC/DC Alternating current/direct current LVL Limited variability language AIChE American institute of chemical engineers MooN M out of N channel architecture (for example 1oo2 is 1 out of 2 architecture, where either of the two channels can perform the safety function) ALARP As Low As Reasonably Practicable MooND M out of N channel architecture with Diagnostics ANSI American National Standards Institute MTBF Mean Time Between Failures ASIC Application Specific Integrated Circuit MTTR Mean Time To Repair BPCS Basic process control system MRT Mean Repair Time CCF Common Cause Failure NP Non-programmable CPLD Complex Programmable Logic Device PAL Programmable Array Logic CCPS Center for chemical process safety PE Programmable Electronic DC Diagnostic Coverage PES Programmable electronic system (E)EPLD (Electrically) Erasable Programmable Logic Device PFD Probability of Dangerous Failure on Demand E/E/PE Electrical/Electronic/Programmable Electronic PFDavg Average Probability of dangerous Failure on Demand E/E/PE (system) Electrical/Electronic/Programmable Electronic System PFH Average frequency of dangerous failure [h -1 ] EEPROM Electrically Erasable Programmable Read- Only Memory PLA Programmable Logic Array EPROM Erasable Programmable Read-Only Memory PLC Programmable logic controller EMC Electro-magnetic compatibility SAT Site acceptance test EUC Equipment Under Control SC Systematic capability FAT Factory acceptance testing SFF Safe failure fraction FPGA Field Programmable Gate Array SIF Safety instrumented function FPL Fixed program language SIL Safety integrity level FSA Functional safety assessment SIS Safety instrumented system FTA Fault tree analysis SRS Safety requirement specification FVL Full variability language UON Unless otherwise noted GAL Generic Array Logic ls or lsafe Failure rate of all safe failures H&RA Hazard & risk assessment ld or ldangerous Failure rate of all dangerous failures HFT Hardware Fault Tolerance ldd Failure rate of all dangerous detected failures IEC International Electrotechnical Commission ldu Failure rate of all dangerous undetected failures IEV International Electrotechnical Vocabulary lsu Failure rate of all safe undetected failures ISA Instrumentation, Systems & Automation Society lsd Failure rate of all safe detected failures ISO International Organization for Standardization While every effort has been made to ensure that the information contained within this document is accurate and up to date, MTL Instruments makes no warranty, representation or undertaking whether expressed or implied, nor does it assume legal liability, whether direct or indirect, or responsibility for the accuracy, completeness, or usefulness of any information. SIL 1 IEC 61508:2010 SIL 2 IEC 61508:2010 SIL 3 IEC 61508:2010 SIL 4 IEC 61508:2010 Concept 1 Overall scope definition 2 Hazard and risk analysis 3 Overall safety requirements 4 Overall safety requirements allocation 5 E/E/PE system safety requirements specification 9 E/E/PE safety-related systems 10 Other risk reduction measures 11 Specification and Realisation Realisation (see E/E/PE system safety lifecycle) Overall planning Overall operation and maintenance planning 6 Overall safety validation planning 7 Overall installation and commissioning planning 8 Overall installation and commissioning 12 Overall safety validation 13 Overall operation, maintenance and repair 14 Decommissioning or disposal 16 Overall modification and retrofit 15 Overall safety lifecycle Back to appropriate overall safety lifecycle phase IEC 61508 aims to: release the potential of E/E/PE technology to improve both safety and economic performance; enable technological developments to take place within an overall safety framework; provide a technically sound, system based approach, with sufficient flexibility for the future; provide a risk-based approach for determining the required performance of safety-related systems; provide requirements based on common underlying principles to facilitate: - improved efficiencies in the supply chain for suppliers of subsystems and components to various sectors - improvements in communication and requirements (i.e. to increase clarity of what needs to be specified), - the development of techniques and measures that could be used across all sectors, increasing available resources, - the development of conformity assessment services if required. Part 0 Functional safety and IEC 61508 Functional Safety Management A basic requirement of the standards is that all aspects of the safety lifecycle activities demonstrate Functional Safety Management. As well as concerns for equipment, this includes management of personnel competency, covering the end-user, contractors, suppliers and sub-contractors. (In the UK see also guidance from HSE’ “Managing competence for safety-related systems”.) A Type A Safety System Safe failure fraction of an element Hardware fault tolerance 0 SIL 1 SIL 2 SIL 3 SIL 3 1 SIL 2 SIL 3 SIL 4 SIL 4 2 SIL 3 SIL 4 SIL 4 SIL 4 < 60 % 60 % - < 90 % 90 % - < 99 % ≥ 99 % Type B Safety System B Hardware fault tolerance < 60 % 60 % - < 90 % 90 % - < 99 % ≥ 99 % 0 Not Allowed SIL 1 SIL 2 SIL 3 1 SIL 1 SIL 2 SIL 3 SIL 4 2 SIL 2 SIL 3 SIL 4 SIL 4 Safe failure fraction of an element CASS is a scheme for assessing the compliance of safety related systems with the requirements of IEC 61508 and associated standards. It provides a systematic approach to be used by certification bodies and others when assessing compliance at all stages from the specification of safety requirements through the design, development and manufacture of system components to integration, commissioning, operation and maintenance. IEC 61508 Functional safety of E/E/PE safety-related systems IEC 61511 Process industry sector IEC 61513 Nuclear power plants IEC 62061 Safety of machinery E/E/PES ISO 13849 Safety of simple machinery IEC 61800-5-2 Power Drives CERTIFICATION SERVICE Functional Safety Approved Company 011 Certificate No. CASS 00015/01 www.61508.org www.iec.ch/functionalsafety www.cass.uk.net www.hse.gov.uk

description

Mtl Fsm Poster

Transcript of Mtl Fsm Poster

Page 1: Mtl Fsm Poster

Definitions and abbreviations

SIL1

IEC 61508:2010

SIL2

IEC 61508:2010

SIL3

IEC 61508:2010

SIL4

IEC 61508:2010

For technical adviceor further information call:

+44 (0) 1582 723633

www.mtl-inst.com [email protected]

ZL-P

-FSM

-EN-

1112

south KoreaTel: +82 2 538 3481 Fax: +82 2 538 3505

JapanTel: +81 (0)3 6430 3128Fax: +81 (0)3 6430 3129

chinaTel: +86 10 5980 0231 Fax: +86 10 8562 5725

australiaTel: +61 1300 308 374Fax: +61 1300 308 463

GermanyTel: +49 (0)2131 718930 Fax: +49 (0)2131 7189333

FranceTel: +33 (0)4 37 46 16 70 Fax: +33 (0)4 37 46 17 20

indiaTel: + 91 (0)44 24501660 Fax: + 91 (0)44 24501463

italyTel: +39 (0)2 61802011 Fax: +39 (0)2 61294560

united arab emiratesTel: +971 2 446 6840 Fax: +971 2 446 6841

singaporeTel: +65 6 645 9888 Fax: +65 6 487 7997

uKTel: +44 (0)1582 723633 Fax: +44 (0)1582 422283

americasTel: +1 281 571 8065 Fax: +1 281 571 8069

netherlandsTel: +31 (0) 76 7505360 Fax: +31 (0) 76 7505370

What is Functional saFety?

In the process industries, safety can be defined as being protected from unacceptable risk of injury or damage to people, property or the environment. Functional safety relates to the part of overall safety that depends upon the correct operation of an electrical/electronic/programmable electronic safety instrumented system, SIS. The requirements for such a SIS are defined in the IEC 61508 group of standards.

iec 61508 & saFety liFecycle

IEC 61508Part 1

Installation, commissioning & safety validation of E/E/PE safety-

related systems7.13 - 7.14

Part 1Operation, maintenance, repair,

modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems

7.15 - 7.17

Part 1Development of the overall safety

requirements (concept, scope, definition, hazard and risk analysis)

7.1 to 7.5

Part 1Allocation of the safety

requirements to the E/E/PE safety-related systems

7.6

Part 1Specification of the system safety

requirements for the E/E/PE safety-related systems

7.10

Part 2Realisation phase for E/E/PE safety-related systems

Part 3Realisation phase for safety-related

software

Part 5Example of methods for

the determination of safety integrity levels

Part 6Guidelines for the

application of Parts 2 & 3

Part 7Overview of

techniques and measures

Part 4Definitions & abbreviations

Part 1Documentation

Clause 5 & Annex A

Part 1Management of functional safety

Clause 6

Part 1Functional safety

assessment Clause 8

overall framework of the iec 61508 series

technical Requirements

other Requirements

E/E/PE system design requirements specification10.1

E/E/PE system design & development including ASICs

& software 10.3

E/E/PE system integration10.4

E/E/PE system safety validation10.6

E/E/PE system safety validation planning10.2

e/e/Pe system safety lifecycle (in realisation phase)

E/E/PE system installation, commissioning, operation &

maintenance procedures10.5

E/E/PE safety-related systems

10 Realisation(see E/E/PE system

safety lifecycle)

One E/E/PE safety lifecycle for each E/E/PE safety-

related system

Box 10 in ‘Overall Safety

Lifecycle’

To Box 12 in ‘Overall Safety

Lifecycle’

To Box 14 in ‘Overall Safety

Lifecycle’

saFety inteGRity leVels

Safety integrity is the ability of the SIS to perform the required safety function as and when required. Four levels of safety integrity are defined, each corresponding to a range of target likelihood of failures of a safety function. Safety integrity level 4 (SIL4) is the highest level of safety integrity and safety integrity level 1 (SIL1) is the lowest level. Note that a safety integrity level is a property of a safety function rather than of a system or any part of a system.

safety integrity is considered to be composed of the following two elements: hardware safety integrity; that part of safety integrity relating to random hardware failures in a dangerous mode of failure. It may be necessary to use redundant architectures to achieve adequate hardware safety integrity.

DeFinition sil for high Demand Modesafety integrity level (sil)

average frequency of a dangerous failure of the safety function [h-1](PFh)

4 ≥ 10-9 to < 10-8

3 ≥ 10-8 to < 10-7

2 ≥ 10-7 to < 10-6

1 ≥ 10-6 to < 10-5

sil for low Demand Modesafety integrity level (sil)

average probability of a dangerous failure on demand of the safety function(PFDavg)

4 ≥ 10-5 to < 10-4

3 ≥ 10-4 to < 10-3

2 ≥ 10-3 to < 10-2

1 ≥ 10-2 to < 10-1

E/E/PE system design requirements specification

E/E/PE system architecture

Hardware safety requirements specification

Programmable electronic hardware

Non-programmable hardware

Programmable electronics design &

development

Non-programmable hardware design &

development

E/E/PE system integration

Software safety requirements

Software design & development

Programmable electronics integration (hardware & software)

Relationship between & scope of iec 61508-2 & iec 61508-3

Scope of IEC 61508-3

Scope of IEC 61508-2

systematic safety integrity; that part of safety integrity relating to systematic failures in a dangerous mode of failure. Techniques such as redundant channels of identical hardware, which are very effective at controlling random hardware failures, are of little use in reducing systematic failures such as software errors.

Devices, elements and systems may be type a or type B. type a is when the components required to perform a specified function meet all of the following: a) The failure modes of all components are well defined; andb) The behaviour of the device under fault conditions can be completely determined; andc) There is sufficient dependable failure data to show that the claimed failure rates for detected and undetected dangerous failures are met.

type B is simply when one or more of the components required to perform a specified function is not Type A.

cass scheMe

accredited certification for safety systems... to iec 61508 and related standards

IEC 61508

The CASS Scheme Ltd

Members

Governing Body Technical Design Authority

Technical Committees

RULES

Feedback UKAS

CertificationBodies

EN45011

Test Houses

Clients

Relationship between cass assessment types

Functional Safety Management (FSM)

ComponentSupplier

T5

ComponentAssessment

T1

Sub-systemAssessment

T2

IntegratedSystem

Assessment

T2a

SafetyRequirementsAssessment

T4

Operations and Maintenance Assessment

T3

Sub-systemSupplier

Engineering Function/System

Integrator

End user/Operator

teRMinoloGies & aBBReViations

abbreviation Full expression abbreviation Full expressionac/Dc Alternating current/direct current lVl Limited variability languageaiche American institute of chemical engineers Moon M out of N channel architecture (for example 1oo2 is 1 out

of 2 architecture, where either of the two channels can perform the safety function)

alaRP As Low As Reasonably Practicable MoonD M out of N channel architecture with Diagnosticsansi American National Standards Institute MtBF Mean Time Between Failuresasic Application Specific Integrated Circuit MttR Mean Time To RepairBPcs Basic process control system MRt Mean Repair TimeccF Common Cause Failure nP Non-programmablecPlD Complex Programmable Logic Device Pal Programmable Array LogicccPs Center for chemical process safety Pe Programmable ElectronicDc Diagnostic Coverage Pes Programmable electronic system(e)ePlD (Electrically) Erasable Programmable Logic

DevicePFD Probability of Dangerous Failure on Demand

e/e/Pe Electrical/Electronic/Programmable Electronic

PFDavg Average Probability of dangerous Failure on Demand

e/e/Pe (system)

Electrical/Electronic/Programmable Electronic System

PFh Average frequency of dangerous failure [h-1]

eePRoM Electrically Erasable Programmable Read-Only Memory

Pla Programmable Logic Array

ePRoM Erasable Programmable Read-Only Memory Plc Programmable logic controllereMc Electro-magnetic compatibility sat Site acceptance testeuc Equipment Under Control sc Systematic capabilityFat Factory acceptance testing sFF Safe failure fractionFPGa Field Programmable Gate Array siF Safety instrumented functionFPl Fixed program language sil Safety integrity levelFsa Functional safety assessment sis Safety instrumented systemFta Fault tree analysis sRs Safety requirement specificationFVl Full variability language uon Unless otherwise notedGal Generic Array Logic ls or lsafe Failure rate of all safe failuresh&Ra Hazard & risk assessment ld or

ldangerousFailure rate of all dangerous failures

hFt Hardware Fault Tolerance ldd Failure rate of all dangerous detected failuresiec International Electrotechnical Commission ldu Failure rate of all dangerous undetected failuresieV International Electrotechnical Vocabulary lsu Failure rate of all safe undetected failuresisa Instrumentation, Systems & Automation Society lsd Failure rate of all safe detected failuresiso International Organization for Standardization

While every effort has been made to ensure that the information contained within this document is accurate and up to date, MTL Instruments makes no warranty, representation or undertaking whether expressed or implied, nor does it assume legal liability, whether direct or indirect, or responsibility for the accuracy, completeness, or usefulness of any information.

SIL1

IEC 61508:2010

SIL2

IEC 61508:2010

SIL3

IEC 61508:2010

SIL4

IEC 61508:2010

Concept1

Overall scope definition2

Hazard and risk analysis3

Overall safety requirements4

Overall safety requirementsallocation5

E/E/PE system safety requirements specification9

E/E/PE safety-related systems10

Other risk reduction measures11

Specification and Realisation

Realisation(see E/E/PE system

safety lifecycle)

Overall planning

Overalloperation andmaintenance

planning

6

Overallsafety

validationplanning

7

Overallinstallation and commissioning

planning

8Overall installation and

commissioning12

Overall safety validation13

Overall operation, maintenance and repair14

Decommissioning or disposal16

Overall modification and retrofit15

overall safety lifecycle

Back to appropriate overall safety

lifecycle phase

iec 61508 aims to:

• release the potential of E/E/PE technology to improve both safety and economic performance;• enable technological developments to take place within an overall safety framework;• provide a technically sound, system based approach, with sufficient flexibility for the future;• provide a risk-based approach for determining the required performance of safety-related systems;• provide requirements based on common underlying principles to facilitate: - improved efficiencies in the supply chain for suppliers of subsystems and components to various sectors - improvements in communication and requirements (i.e. to increase clarity of what needs to be specified), - the development of techniques and measures that could be used across all sectors, increasing available resources, - the development of conformity assessment services if required.

Part 0Functional safety and

IEC 61508

Functional safety Management

A basic requirement of the standards is that all aspects of the safety lifecycle activities demonstrate Functional Safety Management. As well as concerns for equipment, this includes management of personnel competency, covering the end-user, contractors, suppliers and sub-contractors.

(In the UK see also guidance from HSE’ “Managing competence for safety-related systems”.)

Atype a safety system

safe failure fraction of an element hardware fault tolerance

0

SIL 1SIL 2SIL 3SIL 3

1

SIL 2SIL 3SIL 4SIL 4

2

SIL 3SIL 4SIL 4SIL 4

< 60 %60 % - < 90 %90 % - < 99 %≥ 99 %

type B safety system

Bhardware fault tolerance

< 60 %60 % - < 90 %90 % - < 99 %≥ 99 %

0

Not AllowedSIL 1SIL 2SIL 3

1

SIL 1SIL 2SIL 3SIL 4

2

SIL 2SIL 3SIL 4SIL 4

safe failure fraction of an element

cass is a scheme for assessing the compliance of safety related systems with the requirements of IEC 61508 and associated standards. It provides a systematic approach to be used by certification bodies and others when assessing compliance at all stages from the specification of safety requirements through the design, development and manufacture of system components to integration, commissioning, operation and maintenance.

IEC 61508Functional safety of E/E/PE

safety-related systems

IEC 61511Process industry

sector

IEC 61513Nuclear power

plants

IEC 62061Safety of machinery

E/E/PES

ISO 13849Safety of simple

machinery

IEC 61800-5-2PowerDrives

CERTIFICATION SERVICE

Functional Safety

Approved Company011

Certificate No. CASS 00015/01

www.61508.orgwww.iec.ch/functionalsafety www.cass.uk.netwww.hse.gov.uk