Functional safety Standardization activities

Functional safety: standardization activities
Bart Aertgeerts, Symposium VIK/TI, 3 November 2007, Crowne Plaza Antwerp

Dangers and overall safety
For an EUC (equipment under control: machinery, process installation, apparatus, ...) each source of danger is matched by a part of the overall safety:
- Electrical installations: electrical safety
- Mechanical movements: mechanical safety
- Use of chemicals: chemical safety
- Arrangement of the workplace: ergonomic design
- Failure of safety-related systems: functional safety

Functional safety
- All aspects regarding the correct functioning of the safety-related systems (SRS), so that the dedicated safety functions are maintained under all given conditions. How safe does the safety-related system stay?
- All aspects of preventing and handling the (dangerous) failures of the safety-related systems, so that the EUC remains in a safe condition or is brought to a safe state.
- The available literature gives a broad description of the definition of functional safety.

Ambitions of the standards organizations
Developing standards which give:
- information to prevent and handle failures of the safety-related systems;
- objective criteria to evaluate the functional safety;
- requirements to maintain the functional safety over the whole lifecycle of the safety-related system (from concept to decommissioning).

Standards organizations
| Level | Overall standardization | Electrotechnical standardization |
| International | ISO (International Standardization Organization) | IEC (International Electrotechnical Commission) |
| European | CEN (Comité Européen de Normalisation) | CENELEC (Comité Européen de Normalisation Electrotechnique) |
| National (Belgium) | NBN (Bureau voor Normalisatie) | BEC (Belgisch Elektrotechnisch Comité) |

Importance of the standards
- Provide technical information and general and detailed principles of design in accordance with the latest state-of-the-art technology.
- Are considered as rules of good practice.
- Can be used to demonstrate compliance with the relevant legislation.
- Have no legal status unless the legislator has explicitly referred to them.

Harmonized European standards
- Are drawn up by the European standards organizations (CEN and CENELEC) under a mandate from the European Commission, in order to fulfil the requirements of the EU Directives.
- When the harmonized standards are used, it is assumed that the requirements of the EU Directives have been met: they give an automatic presumption of conformity.
- Harmonized standards are published in the Official Journal of the EU.
- The standards are transferred unchanged into national standards; national standards dealing with the same subject must then be withdrawn.

Standards for functional safety (timeline figure, 1997 to 2008)
The slide marks on a 1997-2008 axis the publication of the generic standard, the publication of the specific standard for the process industry, the publication of the specific standard for machinery (automotive industry, ...) and the latest SIPI meeting.

Generic standard (series) EN (IEC) 61508
- The standard is generic and applicable to Electrical, Electronic and Programmable Electronic (E/E/PE) safety-related systems; its principles and framework can also be used for other technologies.
- Introduced Safety Integrity Levels (SIL) as a measure of functional safety.
- Adopts a risk-based approach for the determination of the SIL requirements.
- Sets numerical target failure measures for E/E/PE safety-related systems, linked to the SIL.
- Uses an overall safety lifecycle concept which looks in a structured way at all necessary phases and activities in order to achieve functional safety.
- Deals with both the organizational and the technical aspects.
- Has been conceived with rapidly developing technology in mind; the framework is sufficiently robust and comprehensive to cater for future developments.

Generic standard (series) EN (IEC) 61508: consists of 7 parts
- Part 1: General requirements
- Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
- Part 3: Software requirements
- Part 4: Definitions and abbreviations
- Part 5: Examples of methods for the determination of safety integrity levels
- Part 6: Guidelines on the application of parts 2 and 3
- Part 7: Overview of techniques and measures
Parts 1 to 4 of the standard are designed as basic publications; parts 5 to 7 are intended to give more background information.

Generic standard (series) EN (IEC) 61508: intended use
- Facilitates the development of other sector- or product-related standards.
- Supports manufacturers of safety-related systems (including components).
- This (European) standard is not harmonized under a specific EU Directive.
- The standards are prepared by IEC TC 65/SC 65A (Industrial process measurement and control).

Generic standard (series) EN (IEC) 61508: publication path
- IEC (International Electrotechnical Commission): Draft CDV, begin 1995; Final Draft FDIS; IEC 61508, 1998-2000
- European (CENELEC, Comité Européen de Normalisation Electrotechnique): EN 61508, 1998-2000
- National (Belgisch Elektrotechnisch Comité): NBN EN 61508, 1998-2000

Generic and sector- or product-related standards
- Generic standard: IEC 61508
- Process industry: IEC 61511
- Machinery: IEC 62061
- Nuclear sector: IEC 61513
- Power drive systems, safety requirements, functional: IEC 61800-5-2

Standard (series) EN (IEC) 61511
- The standard focuses on Safety Instrumented Systems (SIS) for the process industry.
- Consists of 3 parts:
  - Part 1: Framework, definitions, system, hardware and software requirements
  - Part 2: Guidelines in the application of IEC 61511-1
  - Part 3: Guidance for the determination of the required safety integrity levels
- Intended use: supports users and integrators of safety instrumented systems for the process industry.
- This (European) standard is not harmonized under a specific EU Directive.
- The standards are prepared by IEC TC 65/SC 65A (Industrial process measurement and control).

Standard (series) EN (IEC) 61511: publication path
- IEC (International Electrotechnical Commission): IEC 61508, 1998-2000; Draft CDV 61511, begin 1996; Final Draft FDIS 61511, 2002; IEC 61511, 2003
- European (CENELEC, Comité Européen de Normalisation Electrotechnique): EN 61511, 2003
- National (Belgisch Elektrotechnisch Comité): NBN EN 61511, 2003

Standardization activities IEC and ISA
- IEC (International Electrotechnical Commission): Draft CDV, begin 1995; IEC 61508, 1998-2000; IEC 61511, 2003
- USA / Canada (American National Standardization Institute, Instrument Society of America): S84.01, 1996; S84.01, 2004

Standard EN (IEC) 62061
- The standard focuses on Safety-Related Electrical Control Systems (SRECS) for machinery.
- Consists of one single part.
- Intended use: supports users and integrators of safety-related electrical control systems for application in machinery.
- This (European) standard is harmonized under the Machinery Directive (98/37/EG).
- The standard is prepared by IEC TC 44 (Safety of machinery, electrotechnical aspects).

Standard EN (IEC) 62061: publication path
- IEC (International Electrotechnical Commission): IEC 61508, 1998-2000; Draft CDV 62061, begin 1999; Final Draft FDIS 62061, 2004; IEC 62061, 2005
- European (CENELEC, Comité Européen de Normalisation Electrotechnique): EN 62061, 2005
- National (Belgisch Elektrotechnisch Comité): NBN EN 62061, 2005

Differences between IEC 61511 and IEC 62061
The content of the standards differs with regard to:
- terminology;
- number of safety integrity levels;
- determination of the mode of operation;
- layout of the safety lifecycle;
- use of components.

Differences: terminology
| | IEC 61508 | IEC 61511 | IEC 62061 |
| Name of the safety-related system | E/E/PE safety-related system | SIS | SRECS |
| Involved installation | EUC | Process | Machinery |
| Function of the safety-related system | Safety function | Safety instrumented function (SIF) | Safety-related control function |
| Safety integrity level | SIL | SIL | SIL |

Differences: terminology (definition of functional safety)
- IEC 61508: part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.
- IEC 61511: part of the overall safety relating to the process and the BPCS which depends on the correct functioning of the SIS and other protection layers.
- IEC 62061: part of the safety of the machine control system which depends on the correct functioning of the SRECS, other technology safety-related systems and external risk reduction facilities.

Differences: safety integrity levels
| | IEC 61508 | IEC 61511 | IEC 62061 |
| Safety integrity levels | SIL, 4 levels | SIL, 4 levels | SIL, 3 levels |
| Modes of operation | Demand mode and continuous mode | Demand mode and continuous mode | Continuous mode |

Differences: mode of operation (low demand)
- IEC 61508, low demand mode: where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof-test frequency.
- IEC 61511, demand mode: safety instrumented function where a specified action (for example, closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the safety instrumented function a potential hazard only occurs in the event of a failure in the process or the BPCS. Note 2: in demand mode applications where the demand rate is more frequent than once per year, the hazard rate will not be higher than the dangerous failure rate of the safety instrumented function; in such a case it will normally be appropriate to use the continuous mode criteria.
- IEC 62061, low demand mode: mode of demands in which the frequency of demands on a SRECS is no greater than one per year and no greater than twice the proof-test frequency.

Differences: mode of operation (high demand or continuous)
- IEC 61508, high demand or continuous mode: where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof check frequency.
- IEC 61511, continuous mode: safety instrumented function where, in the event of a dangerous failure of the safety instrumented function, a potential hazard will occur without further failure unless action is taken to prevent it.
- IEC 62061, high demand or continuous mode: mode of demands in which the frequency of demands on a SRECS is greater than one per year and no greater than twice the proof-test frequency.

Lifecycle
- An overview giving all necessary phases in the overall lifecycle of a safety-related system, from concept to decommissioning.
- It handles systematically all the activities necessary to achieve the required safety integrity level for the safety-related system.
- For each phase the objectives, scope, required inputs and outputs are described.
- The overview follows the (well known) rules of a quality management system.
- The layout is different for each standard! (?)

Lifecycle EN (IEC) 61508 (figure; the phase boxes are in Dutch on the slide and are translated here)
1. Concept
2. Definition of the operating limits and conditions of use
3. Safety study (hazard and risk analysis)
4. Determination of the overall safety requirements
5. Allocation of the safety requirements
6. Planning of operation and maintenance
7. Planning of safety validation
8. Planning of installation and commissioning
9. Safety-related systems E/E/PES: realisation
10. Safety-related systems with other technologies: realisation
11. Other external risk reduction facilities: realisation
12. Installation and commissioning
13. Safety validation
14. Operation, maintenance and repair
15. Modification and re-engineering (back to the corresponding phase of the lifecycle)
16. Decommissioning and removal (demolition)
Running alongside all phases: management of functional safety, functional safety assessment, verification, documentation.

Lifecycle EN (IEC) 61511 (figure; translated from the Dutch on the slide)
1. Hazard and risk analysis and design of the protection layers
2. Allocation of the safety functions to the protection layers
3. Specification of the safety requirements for the Safety Instrumented System
4. Design and engineering of the Safety Instrumented System (in parallel: design and engineering of other risk reduction measures)
5. Installation, commissioning and validation
6. Operation and maintenance
7. Modification
8. Decommissioning
Running alongside: 9. structure and planning of the safety lifecycle; 10. management and assessment of functional safety; 11. verification. The functional safety assessment stages 1 to 5 are marked on the figure between the phases.

Lifecycle EN (IEC) 62061 (figure; translated from the Dutch on the slide)
- Risk analysis and determination of the risk-reducing measures
- Allocation of the safety functions to the Safety-Related Electrical Control System
- Specification of the safety requirements for the Safety-Related Control Function
- Design and engineering of the Safety-Related Electrical Control System
- Information for the use and maintenance of the machine
- Validation of the Safety-Related Electrical Control System
- Modification of the Safety-Related Electrical Control System
- Decommissioning
Running alongside: management of functional safety, documentation.

Standardization activities for machinery
- All machines introduced on the EU market have to comply with the (essential) safety requirements of the EU Machinery Directive.
- The standards organizations have published many standards which are helpful in order to fulfil the safety requirements (harmonized standards).
- Especially for the design of safety-related control systems, different harmonized standards are available: EN 62061, EN 954-1, EN ISO 13849.

Standard EN 954-1
- Applicable to safety-related parts of control systems based on all operating media: electrical, mechanical, pneumatic, hydraulic.
- Performance of the safety-related parts is described in terms of safety categories (B, 1, 2, 3, 4).
- Uses a (qualitative) risk-graph methodology in order to designate the categories.
- Sets an appropriate system behaviour against a category (deterministic approach).
- Behaviour is based on:
  - reliability of components: fault avoidance;
  - system structure (architecture): fault tolerance (redundancy), fault detection (monitoring) and fault resistance.

Standard EN 954-1: pro and contra
Pro:
- The standard is easily understood and requires no complex mathematics.
Contra:
- The coherence between risk level and category doesn't always appear plausible.
- No direct connection between risk reduction and category; emphasis on meeting category requirements rather than reducing risk.
- Categories are not a comprehensive measure of safety integrity; no probabilistic considerations are included in the safety examinations.
- Not suitable for programmable systems and complex electronics.
- No detailed requirements.

Standardization activities for machinery (timeline figure)
- ISO (International Standardization Organization): ISO 13849-1, 1999; 13849-100; DIS 13849-1, 2004; ISO 13849-2; ISO 13849-1, 2006 (2000 and 2003 marked on the axis)
- European, CEN (Comité Européen de Normalisation): EN 954-1, 1996; TR 954-100; EN ISO 13849-2; EN ISO 13849-1, 2006 (1999 and 2003 marked on the axis)
- European, CENELEC (Comité Européen de Normalisation Electrotechnique): EN 61508, 1998-2000; EN 62061, 2005

Standard (series) EN ISO 13849
- The standard focuses on safety-related parts of control systems for machinery.
- Consists of 2 parts: Part 1: General principles for design; Part 2: Validation.
- Intended use: supports users and integrators of safety-related control systems for application in machinery.
- This (European) standard is harmonized under the Machinery Directive (98/37/EG).
- The standard is prepared by ISO TC 199 (Safety of machinery).

Standard (series) EN ISO 13849 (continued)
- It examines all safety functions, including all the components involved.
- Performance of safety-related parts is described in terms of Performance Levels (a, b, c, d, e).
- The familiar categories remain, but are defined in terms of designated architectures.
- Provides information to validate the design, in order to check that the requirements are fulfilled.
- Provides data for the reliability of the components and methods for estimating it.
- Describes the validation process.

Standard (series) EN ISO 13849: Performance Level
- The remaining risk-graph methodology (qualitative approach) no longer results in categories but in required Performance Levels.
- The standard describes how to calculate (quantitative assessment) the Performance Level for safety-related parts of control systems, based on:
  - designated architectures (Category);
  - MTTFd: Mean Time To dangerous Failure;
  - DC: Diagnostic Coverage;
  - CCF: Common Cause Failure.

Implementation of EN 62061 and EN ISO 13849 (figure only on the slide)
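The Performance Level calculation the slide lists (Category, MTTFd, DC, CCF) carried through in code, as an added example that is not part of the original presentation. The class limits, the parts-count and symmetrisation formulas and the Category/DC/MTTFd-to-PL table are ISO 13849-1:2006 (Tables 4 to 7, Annex D and E) as recalled by the author of this example, to be checked against the current edition; the PL-to-SIL mapping follows the PFH table on the slide "Relation between SIL and PL". The Part names and values are constructed sample data.

```python
"""Simplified Performance Level (PL) estimation in the manner of EN ISO 13849-1.
Added example, not code from the original presentation.  Class limits, the
parts-count and symmetrisation formulas and the Category x DC x MTTFd -> PL
table are ISO 13849-1:2006 (Tables 4-7, Annex D/E) as recalled by the author
of this example; verify against the current edition before relying on them."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Part:
    name: str
    mttfd_years: float  # mean time to dangerous failure of this part
    dc: float           # diagnostic coverage of this part, 0.0 .. 1.0


def channel_mttfd(parts: List[Part]) -> float:
    """Parts-count method: 1/MTTFd = sum(1/MTTFd_i); one channel is capped
    at 100 years, as the standard requires."""
    return min(1.0 / sum(1.0 / p.mttfd_years for p in parts), 100.0)


def dc_avg(parts: List[Part]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i) over all parts."""
    rates = [1.0 / p.mttfd_years for p in parts]
    return sum(p.dc * r for p, r in zip(parts, rates)) / sum(rates)


def symmetrise_mttfd(c1: float, c2: float) -> float:
    """Two redundant channels with different MTTFd become one equivalent
    value: MTTFd = 2/3 * (C1 + C2 - 1/(1/C1 + 1/C2)), capped at 100 years."""
    return min(2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2)), 100.0)


def mttfd_class(years: float) -> str:
    """Table 4: low 3..10, medium 10..30, high 30..100 years."""
    if years < 3:
        raise ValueError("MTTFd below 3 years is not acceptable for a channel")
    return "low" if years < 10 else "medium" if years < 30 else "high"


def dc_class(dc: float) -> str:
    """Table 5: none < 60 %, low 60..90 %, medium 90..99 %, high >= 99 %."""
    if dc < 0.60:
        return "none"
    return "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


# Table 7 (simplified procedure): (Category, DCavg class) -> {MTTFd class: PL}.
# Combinations absent from the table are not permitted by the standard.
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("4", "high"):   {"high": "e"},
}
# PL -> SIL as given by the PFH table on the slides (PL a has no SIL).
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}


def estimate_pl(category: str, channel1: List[Part],
                channel2: Optional[List[Part]] = None,
                ccf_score: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (PL, SIL).  channel2 is the redundant channel of Categories 3
    and 4; ccf_score is the Annex F score, which must reach 65 for
    Categories 2, 3 and 4."""
    if category in ("2", "3", "4") and (ccf_score is None or ccf_score < 65):
        raise ValueError("CCF score below 65: insufficient for this Category")
    mttfd, parts = channel_mttfd(channel1), list(channel1)
    if channel2 is not None:
        mttfd = symmetrise_mttfd(mttfd, channel_mttfd(channel2))
        parts += channel2
    m_cls, d_cls = mttfd_class(mttfd), dc_class(dc_avg(parts))
    row = PL_TABLE.get((category, d_cls), {})
    if m_cls not in row:
        raise ValueError(f"Category {category}, DC {d_cls}, MTTFd {m_cls}: "
                         "not covered by Table 7")
    return row[m_cls], PL_TO_SIL[row[m_cls]]
```

A two-channel Category 3 structure with an MTTFd of about 28.6 years per channel and 95 % diagnostic coverage lands in PL c, which the slide's table equates to SIL 1; the same architecture only reaches PL d (SIL 2) once the channel MTTFd is in the high class.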

Relation between SIL and PL (EN ISO 13849-1, Table 2)
| PFH, probability of a dangerous failure per hour (1/h) | PL, Performance Level | SIL, Safety Integrity Level |
| ≥ 10^-5 to < 10^-4 | a | No special safety requirements |
| ≥ 3 × 10^-6 to < 10^-5 | b | 1 |
| ≥ 10^-6 to < 3 × 10^-6 | c | 1 |
| ≥ 10^-7 to < 10^-6 | d | 2 |
| ≥ 10^-8 to < 10^-7 | e | 3 |

Explosive atmospheres
- Explosive atmosphere: gas, vapour or mist of flammable substances mixed with air; a cloud of combustible dust in air; layers, deposits and heaps of combustible dust (a source which can form an explosive atmosphere).
- Regulations are stipulated in the ATEX Directives:
  - safety and health protection of workers potentially at risk from explosive atmospheres (1999/92/EG);
  - equipment intended for use in potentially explosive atmospheres (92/9/EG).

Classification of hazardous places
- Zone 0 / 20: a place in which an explosive atmosphere is present continuously, for long periods or frequently.
- Zone 1 / 21: a place in which an explosive atmosphere is likely to occur in normal operation occasionally.
- Zone 2 / 22: a place in which an explosive atmosphere is not likely to occur in normal operation but, if it does occur, will persist for a short period only.
- Note: "normal operation" means the situation when installations are used within their design parameters.

Equipment categories (Group II)
| Category | Level of protection | No active ignition source |
| 1 | Very high | even in the event of rare incidents |
| 2 | High | even in the event of disturbances or faults which normally have to be taken into account |
| 3 | Normal | during normal operation |
Equipment of category 1 must be equipped with means of protection such that: in the event of failure of one means of protection, at least an independent second means provides the requisite level of protection; or the requisite level of protection is ensured in the event of two faults occurring independently of each other.

Use of equipment in hazardous places: relation between equipment categories, the occurrence of ignition sources and the occurrence of an explosive atmosphere
| Category | Occurrence of ignition sources at the equipment | Zone 0 / 20 | Zone 1 / 21 | Zone 2 / 22 |
| 3 | No sources during normal operation | Use forbidden | Use forbidden | Use accepted |
| 2 | No sources during normal operation and foreseeable malfunctions | Use forbidden | Use accepted | Use accepted |
| 1 | No sources during normal operation, foreseeable malfunctions and rare malfunctions | Use accepted | Use accepted | Use accepted |

Standard EN 13463-6: Non-electrical equipment intended for use in potentially explosive atmospheres, Part 6: Protection by control of ignition source "b"
- Stipulates the specifications for sensors and Ignition Prevention Systems (IPS) to detect operations leading to potential ignition sources and to initiate measures before the ignition source becomes effective.
- Assigns an Ignition Prevention Level (IPL) to the systems, characterized by their reliability.
- The required IPL is determined from the likelihood of occurrence of the ignition source and the category of the equipment.

Required minimum IPL for the system: relationship between the required ignition prevention level (IPL), the occurrence of ignition sources and the equipment category (EN 13463-6, Table 1)
| Occurrence of potential ignition source | Category 3 | Category 2 | Category 1 |
| During normal operation | IPL 1 | IPL 2 | (cell not legible in the transcription) |
| During foreseeable malfunctions | Not relevant | IPL 1 | IPL 2 |
| During rare malfunctions | Not relevant | Not relevant | IPL 1 |

Requirements for Ignition Prevention Levels
Ignition Prevention Level 1:
- well-tried components with a proven history of reliability;
- well-tried safety principles, able to withstand the expected influences;
- capable of being checked at suitable intervals to identify loss of safety (including periodic maintenance checks);
- if a control parameter exceeds its critical value, either the ignition source is prevented from becoming effective or a warning is given.
Ignition Prevention Level 2:
- the requirements of IPL 1;
- if a control parameter exceeds its critical value, the ignition source is prevented from becoming effective;
- a single fault in the ignition prevention system does not lead to loss of the safety function.

Relation between IPL, safety categories and SIL (EN 13463-6, 8.4 and Annex C)
| EN 13463-6: IPL, Ignition Prevention Level | EN 954-1: safety category | EN 61508: SIL, Safety Integrity Level |
| IPL 1 | 1 | SIL 1 (?) |
| IPL 2 | 2, 3 | SIL 2 (?) |

Conclusions: functional safety standardization activities

Time always moves on
- In 2003: we had a small number of standards for functional safety; few people had knowledge of the subject and its problems, or experience with the use of the standards.
- Present, 2007: we have a lot of standards for functional safety; there are now many people who already have a broad knowledge and practical experience; and more and more people realize that in the future they too will come into contact with the subject.

The trees in the (great) forest!
Today:
- We have access to a lot of available documents.
- The standards organizations have published many standards.
- Could we say that everyone can find all the necessary information on the internet without any problems?
But:
- Is the information always transparent enough?
- Are the published documents all in accordance with each other?
- Is it clear where to start the search for information?
