
The Safety Critical Systems Handbook. A Straightforward Guide to Functional Safety: IEC 61508 (2010 Edition), IEC 61511 (2015 Edition) & Related Guidance PDF

302 Pages·2016·5.123 MB·English

Preview The Safety Critical Systems Handbook. A Straightforward Guide to Functional Safety: IEC 61508 (2010 Edition), IEC 61511 (2015 Edition) & Related Guidance

The Safety Critical Systems Handbook
A Straightforward Guide To Functional Safety: IEC 61508 (2010 Edition), IEC 61511 (2016 Edition) & Related Guidance
Including Machinery and other industrial sectors
FOURTH EDITION
Dr David J Smith
Kenneth GL Simpson

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD
PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Butterworth-Heinemann is an imprint of Elsevier

The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States

Copyright © 2016 Dr David J Smith and Kenneth GL Simpson. Published by Elsevier Ltd. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

ISBN: 978-0-12-805121-4

For information on all Butterworth-Heinemann publications visit our website at https://www.elsevier.com/

Publisher: Joe Hayton
Acquisition Editor: Fiona Geraghty
Editorial Project Manager: Maria Convey
Production Project Manager: Jason Mitchell
Designer: Matthew Limbert
Typeset by TNQ Books and Journals

[Figure: IEC 61508 at the centre, with the sector standards and guidance derived from it. Process: IEC 61511, ISA S84.01, IGEM SR/15, Guide to the Application of IEC 61511, Energy Institute guidelines. Oil & Gas: OLF 070 (replaces the UKOOA guidelines). Rail: EN 50126, EN 50128, EN 50129, Rail Industry “Yellow Book”. Defence: DEF STAN 00-56 (00-55). Automotive: ISO 26262, MISRA guidelines. Earthmoving: ISO/DIS 25119. Nuclear: IEC 61513. Avionics: DO 178C, DO 254, ARINC 653, ARINC 661. Machinery: ISO 13849, EN 62061, ISO 14121, BS EN 61800-5-2. Medical: IEC 60601. Stage & Electrical: entertainment and power device standards. Miscellaneous.]

A Quick Overview

Functional safety engineering involves identifying specific hazardous failures which lead to serious consequences (e.g., death) and then establishing maximum tolerable frequency targets for each mode of failure. Equipment whose failure contributes to each of these hazards is identified and usually referred to as “safety related.” Examples are industrial process control systems, process shut down systems, rail signaling equipment, automotive controls, medical treatment equipment, etc.
In other words, any equipment (with or without software) whose failure can contribute to a hazard is likely to be safety related. A safety function is thus defined as a function, of a piece of equipment, which maintains it in a safe state, or brings it to a safe state, in respect of some particular hazard.

Since the publication of the first three editions of this book, in 2001, 2004, and 2011, the application of IEC 61508 has spread rapidly through most sectors of industry. Also, the process sector IEC 61511 has been published and now updated. IEC 61508 (BS EN 61508 in the UK) was re-issued in 2010. The opportunity has therefore been taken to update and enhance this book in the light of the authors’ recent experience. There are still three chapters on industry sectors, and Chapters 15 and 16 provide even more examples.

There are both random hardware failures which can be quantified and assessed in terms of failure rates AND systematic failures which cannot be quantified. Therefore it is necessary to have the concept of integrity levels so that the systematic failures can be addressed by levels of rigor in the design techniques and operating activities. The maximum tolerable failure rate that we set, for each hazard, will lead us to an integrity target for each piece of equipment, depending upon its relative contribution to the hazard in question. These integrity targets, as well as providing a numerical target to meet, are also expressed as “safety-integrity levels” according to the severity of the numerical target. This usually involves four discrete bands of “rigor” and is explained in Chapters 1 and 2.
SIL 4: the highest target and most onerous to achieve, requiring state-of-the-art techniques (usually avoided)
SIL 3: less onerous than SIL 4 but still requiring the use of sophisticated design techniques
SIL 2: requiring good design and operating practice to a level such as would be found in an ISO 9001 management system
SIL 1: the minimum level but still implying good design practice
<SIL 1: referred to (in IEC 61508 and other documents) as “not-safety related” in terms of compliance

An assessment of the design, the designer’s organization and management, the operator’s and the maintainer’s competence and training should then be carried out in order to determine if the proposed (or existing) equipment actually meets the target SIL in question. Overall, the steps involve:

Setting the SIL targets: Section 2.1
Capability to design for functional safety: Section 2.2
Quantitative assessment: Chapters 3–6
Qualitative assessment: Chapters 3 and 4
Establishing competency: Section 2.3
As low as reasonably practicable: Sections 2.2 and 2.4
Reviewing the assessment itself: Appendix 2

IEC 61508 is a generic standard which deals with the above. It can be used on its own or as a basis for developing industry-sector-specific standards (Chapters 8–10). In attempting to fill the roles of being both a global template for the development of application-specific standards and a standard in its own right, it necessarily leaves much to the discretion and interpretation of the user. IEC 61511 is a simplified form of IEC 61508 catering for the more consistent equipment architectures found in the process industries.

One should bear in mind that the above documents are, largely, nonprescriptive guidance and a large amount of interpretation is required on the part of the user. There are few absolute right/wrong answers and, as always, the judgment of the professional (i.e., chartered) engineer must always prevail. It is also vital to bear in mind that no amount of assessment will lead to enhanced integrity unless the assessment process is used as a tool during the design cycle. Now read on!
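The targeting step described above, as an added example that is not from the handbook: a maximum tolerable hazard frequency is turned into a required PFDavg and then into a SIL band. It assumes low-demand mode, the IEC 61508 low-demand PFDavg band limits (which this page does not reproduce), and a plain product of risk reduction factors for any independent layers credited ahead of the safety function.

```python
# Added example, not from the handbook. Assumptions not stated on this page:
# low-demand mode, so the measure is PFDavg (average probability of failure
# on demand); band limits are the IEC 61508 low-demand PFDavg ranges; credit
# for independent protection layers is the product of their risk reduction
# factors (RRFs).
from math import prod

# (SIL, lower PFDavg inclusive, upper PFDavg exclusive)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def required_pfd(tolerable_rate, demand_rate, other_layer_rrfs=()):
    """PFDavg the safety function must achieve (both rates per year).

    other_layer_rrfs are RRFs already credited to independent layers acting
    before the safety function; they reduce the demand that reaches it.
    """
    if tolerable_rate <= 0 or demand_rate <= 0:
        raise ValueError("rates must be positive")
    if any(rrf < 1 for rrf in other_layer_rrfs):
        raise ValueError("an RRF below 1 would add risk, not reduce it")
    residual_demand = demand_rate / prod(other_layer_rrfs)  # prod(()) == 1
    return tolerable_rate / residual_demand


def sil_band(pfd):
    """SIL band covering a required PFDavg.

    0 means the target is no stricter than 0.1 (the "<SIL 1", not safety
    related case); None means stricter than SIL 4 allows, so a single
    safety function should not be asked to carry the whole target.
    """
    if pfd >= 1e-1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return None


def sil_target(tolerable_rate, demand_rate, other_layer_rrfs=()):
    """Return (required PFDavg, SIL band) for one hazard."""
    pfd = required_pfd(tolerable_rate, demand_rate, other_layer_rrfs)
    return pfd, sil_band(pfd)


if __name__ == "__main__":
    # Constructed figures: hazard tolerated once per 100,000 years, demand
    # twice per year, one process-control layer credited at RRF 10.
    print(sil_target(1e-5, 0.5, (10,)))  # -> (2e-4, 3)
    print(sil_target(1e-5, 0.5))         # -> (2e-5, 4) without the layer
```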
The 2010 Version of IEC 61508

The following is a brief summary of the main changes which brought about the 2010 version.

Architectural Constraints (Chapter 3)
An alternative route to the “safe failure fraction” (the so-called Route 1H) requirements was introduced (known as Route 2H). Route 2H allows the “safe failure fraction” requirements to lapse providing that the amount of redundancy (so-called hardware fault tolerance) meets a minimum requirement AND there is adequate user-based information providing failure rate data. The meaning of “safe” failures in the formula for safe failure fraction was emphasized as referring only to failures which force a “safe” state (e.g., spurious trip).

Security (Chapter 2)
Malevolent and unauthorized actions, as well as human error and equipment failure, can be involved in causing a hazard. They are to be taken account of, if relevant, in risk assessments.

Safety Specifications (Chapter 3)
There is more emphasis on the distinct safety requirements leading to separately defined design requirements.

Digital Communications (Chapter 3)
More detail in providing design and test requirements for “black box” and “white box” communications links.

ASICs and Integrated Circuits (Chapters 3 and 4)
More detailed techniques and measures are defined and described in Annexes to the Standard.

Safety Manual (Chapters 3 and 4)
Producers are required to provide a safety manual (applies to hardware and to software) with all the relevant safety-related information. Headings are described in Annexes to the Standard.

Synthesis of Elements (Chapter 3)
In respect of systematic failures, the ability to claim an increment of one SIL for parallel elements.

Software Properties of Techniques (Chapter 4)
New guidance on justifying the properties which proposed alternative software techniques should achieve in order to be acceptable.

Element (Appendix 8)
The introduction of a new term (similar to a subsystem).
The 2016 Version of IEC 61511

The following is a brief summary of the main changes which have brought about the 2016 update.

The term “application software” has been changed to “application program.”
The “grandfather clause” in ISA84 has been added.
Procedures for competence are called for.
It is possible to claim up to one risk reduction layer within the process control system for the same hazard event when it is also the initiating event and two risk reduction layers if it is not part of the initiating cause (see Chapter 8).
The Architectures table has been revised and the term “safe failure fraction” deleted (see Chapter 8).
New clause on security vulnerabilities added.
Requirements for “application program” development have been significantly reduced by removing repetition with the wider requirements.
The total risk reduction for both the Basic Process Control System and Safety Instrumented Systems shall not be <10,000:1.
The Safety Manual (IEC 61508 2010) is emphasized.

Acknowledgments

The authors would like to thank all the staff of ESC Ltd for suggestions and support and, in particular, Simon Burwood, Ron Bell, and Mohammed Bhaimia for their detailed contributions.

The authors are very grateful to Mike Dodson, Independent Consultant, of Solihull, for extensive comments and suggestions and for a thorough reading of the earlier manuscripts.

Thanks, also, to:
Dr Tony Foord for constructive comments on Chapters 3 and 4 and for help with the original Chapter 14.
Mr Paul Reeve for comments on Chapter 7.
Mr Stephen Waldron, of JCB, and Mr Peter Stanton, of Railtrack, for help with Chapter 10.

PART A
The Concept of Safety Integrity

In the first chapter we will introduce the concept of functional safety and the need to express targets by means of safety integrity levels. Functional safety will be placed in context, along with risk assessment, likelihood of fatality, and the cost of conformance.
The life-cycle approach, together with the basic outline of IEC 61508 (known as BS EN 61508 in the UK), will be explained.
