7/27/2019 White_paper--What_is_Functional_Safety-Final.pdf
http://slidepdf.com/reader/full/whitepaper-whatisfunctionalsafety-finalpdf 1/6
TÜV SÜD America Inc., 10 Centennial Drive, Peabody, MA 01960. Phone: (978) 573-2500. Fax: (978) 977-0157. E-mail: [email protected]
www.TUVamerica.com
Management Service • Product Service • Industry Service • Automotive
What is Functional Safety?
Frank West, Senior Engineer, TÜV SÜD America
Many engineers are encountering customer demand that their products meet a “SIL” rating. They
are often encountering the new words “functional safety.” This paper aims to explain what these
requirements mean to design engineers seeking to have a product approved within the regulatory
compliance setting.
Traditional safety assessment focused on electrical, mechanical, and similar aspects of a design.
This assessment was concerned with whether or not a product would pose a hazard because of its usage
by a person or persons. The assessment looked at whether or not a product would, for example, create
an electrical safety hazard, or catch on fire, or have sharp edges that might cut the user. The actual
function of the product was not included in the assessment. Take as an example a product everyone is
familiar with: the toaster. A traditional product safety assessment examines the toaster to ensure that it
will not catch on fire, to ensure that the electrical energy used to heat the toast will not cause an
electrocution hazard, and to assess what might happen if the toaster encounters water. The actual
toasting of the bread is not assessed, because whether or not the toaster produces just the right amount
of crunchy toasted goodness is not safety-relevant.
Functional safety is an additional step beyond the traditional product safety assessment.
Functionally safe products DO—to use the above example—consider the function of the toaster as a
safety-relevant factor in the design, and specific steps are carried out to ensure that the function of the
product is performed with a defined degree of reliability. Using the toaster example, the crunchy
goodness of the bread is defined as safety-relevant, and the reliability of the toaster to provide the exact
amount of toasting to the bread requested by the user is assessed. It is important to remember that a
functional safety assessment does not replace the traditional product safety assessment described
above; it is in addition to the traditional product safety assessment. This is because, using the above
example again, the reliability of the toaster to carry out the toasting function is pretty useless if the toaster
electrocutes the user or catches on fire!
Risk Assessment the Key
A risk assessment process, carried out according to accepted principles of risk assessment, is
the key to defining when functional safety is necessary. A risk assessment defines what actions of a
product will be defined as safety-relevant actions, and what actions will not be safety-relevant. In
addition, the risk assessment will define how safety critical the ability to perform particular actions might
be. Consider another, more realistic example: a programmable pressure switch. A risk assessment is
performed, indicating that the target market for the switch is chemical processing applications,
and that the potential users of the switch wish to use the switch to monitor pressure and trigger an
automated pressure relief sequence if the pressure becomes too high. From the risk assessment, the
action of the switch that is safety-relevant is the function to monitor pressure and send a command at a
certain pressure trip point. In addition, it is learnt from the market analysis that the failure of the product
in conditions of use may result in loss of one or more lives in the chemical plant, not to mention the
financial considerations related to the accident. Therefore, the action of the switch must meet a fairly high
degree of reliability—lives are at stake!
The safety-relevant action of the switch is termed a safety function. A particular product may have more than one safety function, but every product that requires a functional safety assessment has at
least one safety function. A safety function always has the form of some type of input, some type of logic
that acts on that input, and some type of output:
Input → Logic → Output
From the risk assessment, the product will be defined as having a list of safety functions, and the
safety consequence of failure will be estimated. This list of safety functions and the criticality of each is
the fundamental engineering input to a functional safety assessment. The goal of the entire functional
safety assessment is to ensure that each function defined as safety-relevant carries out the intended
function with a reliability level that is appropriate to the criticality of the function should it fail to perform.
The SIL of a Safety Function
SIL stands for Safety Integrity Level. The SIL is a measure of risk reduction provided by the
safety function in the product. SIL is defined in four steps, from SIL 1 (the lowest amount of risk
reduction) to SIL 4 (the highest amount of risk reduction). Selection of the SIL is performed to match the
risk reduction to the safety criticality of the safety function. For safety functions with a relatively low
criticality, SIL 1 may be appropriate. Safety functions with a high degree of criticality may require a SIL 3
or even a SIL 4 designation.
Selection of the SIL is a confusing point for many, because the way the marketplace is evolving is
at odds with the technical content of the SIL designation. The SIL designation applies to the overall
safety function that is being assessed for the final product…the SIL for the complete pressure relief
system in the chemical plant, for example. An individual component, the pressure switch from the above
example, is probably the input section to that overall plant level safety function. Therefore, it is technically
incorrect to talk about the switch itself being “SIL” whatever, and it may cause serious problems for the
user of the switch if the switch designer is not aware of this distinction. It is more accurate to say that a
component is suitable for use in a target SIL function, and the designer designs with this in mind.
Internally, all of the requirements for the target SIL are still designed into the switch. However, because
the switch must go into a larger function the switch user is building, the switch designer normally needs to
ensure the switch is an order of magnitude more reliable than it would seem necessary to achieve for a
particular target SIL. This is to allow the designer of the final safety function in the plant or machine to
meet the SIL target for the final function, without consuming all of the allowable failure rate for the function
in the one component—in our example, the pressure switch!
Assessing the Function
Assessment of the functional safety of a product has two primary elements. One important
element is assessment of random failure of the product, and meeting a required rate of failure for the
components and software that make up the safety function. A second important element is assessing the
means employed to avoid systematic failure—that is, failure that is inadvertently designed into the
product.
Assessment of random failure is done by utilizing standard methods of reliability engineering to
ensure the product meets a defined target failure rate. This failure rate is often expressed as a number of
dangerous, random failures per hour. For example, under some conditions, a SIL 1 function must meet a
target failure rate of 1 × 10⁻⁶ random, dangerous failures per hour. The more safety-critical SIL 4 function
under the same conditions must meet at least a target of 1 × 10⁻⁹ random, dangerous failures per hour.
The methods employed for this assessment include, but are not limited to, component reliability
assessment and engineering, fault tree analysis, assessment of the architecture structure via reliability
block diagrams, Markov modeling, and in some cases HALT and environmental testing and assessment.
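As an added illustration of the two points above (the per-hour failure-rate targets, and why a component such as the pressure switch should sit an order of magnitude below the target SIL so it does not consume the whole budget of the plant-level function), the script below is not from the paper. It sums the dangerous failure rates of an Input, Logic and Output subsystem and checks the complete function against its SIL target; the SIL 1 and SIL 4 limits are the ones the text quotes, the SIL 2 and SIL 3 limits and all subsystem figures are assumptions.

```python
import math

# Dangerous random failures per hour a safety function must stay below.
# The paper quotes the SIL 1 (1e-6) and SIL 4 (1e-9) figures; SIL 2 and
# SIL 3 are assumed here to follow the same decade steps.
SIL_PFH_LIMIT = {1: 1e-6, 2: 1e-7, 3: 1e-8, 4: 1e-9}


def loop_pfh(subsystems):
    """Total dangerous failure rate of an Input -> Logic -> Output loop.
    subsystems: list of (name, failures_per_hour) pairs."""
    return sum(pfh for _, pfh in subsystems)


def achieved_sil(total_pfh):
    """Highest SIL whose limit the summed rate stays below (0 if none)."""
    for sil in (4, 3, 2, 1):
        if total_pfh < SIL_PFH_LIMIT[sil]:
            return sil
    return 0


def component_margin_decades(pfh, target_sil):
    """How many decades a single component sits below the target SIL limit.
    The paper recommends a component keep roughly one decade in hand so the
    integrator's complete function can still meet the SIL."""
    return math.log10(SIL_PFH_LIMIT[target_sil] / pfh)


def component_ok_for_sil(pfh, target_sil, min_decades=1.0):
    """True when the component leaves at least min_decades of the budget."""
    return component_margin_decades(pfh, target_sil) >= min_decades


# Constructed example: target SIL 2 for the plant's pressure relief function.
# A pressure switch just under the SIL 2 limit, versus one with a decade in hand.
TIGHT_SWITCH = ("pressure switch", 9e-8)
MARGIN_SWITCH = ("pressure switch", 9e-9)
LOGIC = ("logic solver", 5e-9)          # assumed figure
VALVE = ("relief valve actuator", 3e-8)  # assumed figure

if __name__ == "__main__":
    for switch in (TIGHT_SWITCH, MARGIN_SWITCH):
        total = loop_pfh([switch, LOGIC, VALVE])
        print(f"switch {switch[1]:.0e}/h: loop total {total:.2e}/h -> SIL {achieved_sil(total)}, "
              f"switch margin {component_margin_decades(switch[1], 2):.2f} decades")
```

The first loop lands at SIL 1 even though the switch alone "meets SIL 2"; the second meets SIL 2 because the switch consumed only a tenth of the budget.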
Of course, reliability of software cannot give rise to a defined failure rate as the hardware
assessment does. However, rigorous methods are used in software to achieve a degree of reliability appropriate to the SIL level. Strict separation of safety-related and non-safety-related code must be
ensured, accepted coding standards for safety (like the MISRA C and C++ standards) must be followed,
and static and dynamic testing is performed at both the module and integrated code levels. At higher SIL
levels, formal methods, such as mathematical modeling and proving of algorithms, are required.
By far, the more difficult part of the assessment is the requirement to ensure that systematic
failure is eliminated. Systematic failures, as mentioned, are failures that are designed into the product.
Examples of systematic failure are incorrect specification of the function of the product (one of the most
common and most serious failures), hardware design faults, software bugs, and so on. A life cycle model
must be followed, and documented proof of activities, checks, and controls at each life cycle stage must
be part of the technical documents assessed for the safety function. For higher SIL ratings, ISO quality
registration that includes design and development of functionally safe products is mandatory. Internal
checks, such as rigorous design review with documented results, CASE for software development, and
so forth are required parts of the assessment—unfortunately ones that manufacturers often overlook.
Meeting the Requirements
The requirements for a functionally safe product are outlined in the IEC 61508 series of
standards. The first step in designing a functionally safe product and meeting the requirements is to
purchase the standards. The table below outlines the standards:
IEC 61508-4   Definitions and Abbreviations
IEC 61508-1   General Requirements (life cycle)
IEC 61508-2   Requirements for E/E/PE (hardware)
IEC 61508-3   Requirements for software
IEC 61508-5   Examples of determining SIL
IEC 61508-6   Guidelines for application of parts -2 and -3
IEC 61508-7   Overview of techniques and measures
Often, for a manufacturer new to functional safety, a training program from an industry expert is
very helpful in learning the standards and how to apply them. For example, the organization the author
works for offers 2- and 3-day training programs to industry on the IEC 61508 standards and how to apply
and use them. This training allows the manufacturer to meet one of the requirements of the standard
itself—demonstrating the designers and managers are trained in functional safety principles.
The next step is to initiate a functional safety assessment. A functional safety assessment should
be performed by an assessor that is fully conversant with the functional safety standards and
requirements. While lower level SIL targets allow a company to “self assess,” this should only be done
when the company has internally a certified expert for functional safety. Higher level SIL targets require
an outside third-party assessor.
A functional safety assessment normally is broken down into several checkpoint assessments.
The checkpoints may be repeated iteratively if the requirements for that checkpoint are not met. At each
checkpoint, the life cycle documents up to that checkpoint are assessed—failure to have the required life
cycle activity output documents means the checkpoint must be repeated. The normal set of checkpoints
in an assessment may look something like this:
Review of safety requirements specification, audit of safety design management system
Review of hardware and software requirements specification, verification and validation testing plan
Review of hardware design, software design
Witness testing of hardware and software verification testing
Witness testing of validation testing and results
Review of user documents and instructions
Review of complete technical file and all life cycle documents
Of course, each product may require customization of the checkpoints. The assessor normally produces
a road map to the assessment and gets buy-in from all affected parties as one of the first activities in the
assessment.
How Much, How Long?
Designers contemplating a functional safety assessment normally are very interested in how long
the assessment process will take, and how much it will cost. Cost is of course contingent on the
complexity of the product, the number of safety functions in the product and the SIL targets for each
function, and the degree of experience the designers have with functional safety. In general, it is safe to
say that low complexity, low safety function count, low SIL targets all lead to much lower cost. Of course,
high complexity (including any form of digital communication), high safety function count, and high SIL
targets all lead to much higher assessment costs.
The time for the assessment is almost completely contingent on the experience of the designers
and design management with functional safety principles. Organizations with an existing ISO qualification
for safety design and development may be able to move through an assessment process fairly quickly, whilst organizations with a low institutional knowledge of life cycle management for safety designs will
have a more difficult time, and take longer to move through the design process.
As a general statement, organizations with no prior experience should not expect to have
complex products with high SIL targets (SIL 3 or SIL 4) approved easily, inexpensively, or quickly. There
is simply too large a learning curve to move through. It is often better to start with a lower complexity,
lower SIL target product, learn the process and the unique challenges of designing to meet the functional
safety standard requirements, and then use that new knowledge to tackle the more complex, higher SIL
target products.
Conclusion
Designing a product to meet functional safety requirements introduces new challenges in the
regulatory compliance setting. Designers, management, and assessors must think about what a product
does and how reliably it must do it. Technical standards, like the IEC 61508 series, provide an outline of
how to ensure a product meets the reliability goals for a given safety function. Assessment provides an
independent review of a company’s efforts to meet these goals for a given product.
Additional Information:
The IEC 61508 standards may be ordered as a set from the IEC webstore:
http://webstore.iec.ch/
About the Author:
Frank West
Mr. West is a Senior Engineer with TÜV SÜD America. He is an expert in
industrial and machinery safety, risk assessment methods, and complex system
safety engineering. Mr. West has over ten years' experience evaluating
products for safety.