24 November 2011, CROWNE PLAZA, Via K. Adenauer 3, 20097 San Donato Milanese (MI)
The 2010 edition of the IEC 61508 standard. Carlo Tarantola, CTAI S.r.l.
mcT Petrolchimico Milano 2011
5. At the same time it modifies, in some cases significantly, the routes to compliance
6. Introduces the concept of Systematic Capability and of element of a Safety System
7. Introduces requirements for ASICs and on-chip redundancy
8. Introduces mandatory requirements for the Safety Manual
9. Introduces methods for the assessment of pre-existing SW
10. Introduces a detailed method for the assessment of SW
11. Introduces more specific requirements for the personnel involved in Functional Safety
SIL
Elimination of systematic HW/SW faults
Architecture (HFT)
Definitions - Software
3.2.10 software on-line support tool: software tool that can directly influence the safety-related system during its run time.
3.2.11 software off-line support tool: software tool that supports a phase of the software development lifecycle and that cannot directly influence the safety-related system during its run time. Software off-line tools may be divided into the following classes:
T1: generates no outputs which can directly or indirectly contribute to the executable code (including data) of the safety-related system;
T2: supports the test or verification of the design or executable code, where errors in the tool can fail to reveal defects but cannot directly create errors in the executable software;
T3: generates outputs which can directly or indirectly contribute to the executable code of the safety-related system.
Definitions - Software
3.2.15 application specific integrated circuit (ASIC): integrated circuit designed and manufactured for a specific function, where its functionality is defined by the product developer. The term ASIC covers all types of the following integrated circuits:
Full custom ASIC
Core based ASIC
Cell based ASIC
Gate array
Field programmable gate array (FPGA)
Programmable logic device (PLD)
Complex programmable logic device (CPLD)
Definitions - System
3.4.2 other risk reduction measure: measure to reduce or mitigate risk that is separate and distinct from, and does not use, E/E/PE safety-related systems.
3.4.5 element: part of a subsystem comprising a single component or any group of components that performs one or more element safety functions.
3.5.2 overall safety function: means of achieving or maintaining a safe state for the EUC, in respect of a specific hazardous event.
3.5.3 element safety function: that part of a safety function (see 3.5.1) which is implemented by an element.
high demand mode: where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is greater than one per year; or
continuous mode: where the safety function retains the EUC in a safe state as part of normal operation.
Definitions - Failures
3.6.7 dangerous failure (previous edition): failure which has the potential to put the safety-related system in a hazardous or fail-to-function state.
NOTE Whether or not the potential is realised may depend on the channel architecture of the system; in systems with multiple channels to improve safety, a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.
3.6.7 dangerous failure (Ed. 2010): failure of an element and/or subsystem and/or system that plays a part in implementing the safety function that: prevents a safety function from operating when required (demand mode) or causes a safety function to fail (continuous mode) such that the EUC is put into a hazardous or potentially hazardous state; or decreases the probability that the safety function operates correctly when required.
Definitions - Failures
3.6.8 safe failure (previous edition): failure which does not have the potential to put the safety-related system in a hazardous or fail-to-function state.
NOTE Whether or not the potential is realised may depend on the channel architecture of the system; in systems with multiple channels to improve safety, a safe hardware failure is less likely to result in an erroneous shut-down.
3.6.8 safe failure (Ed. 2010): failure of an element and/or subsystem and/or system that plays a part in implementing the safety function that: a) results in the spurious operation of the safety function to put the EUC (or part thereof) into a safe state or maintain a safe state; or b) increases the probability of the spurious operation of the safety function to put the EUC (or part thereof) into a safe state or maintain a safe state.
Definitions - Failures
3.6.12 soft-error: erroneous changes to data content but no changes to the physical circuit itself.
3.6.13 no part failure: failure of a component that plays no part in implementing the safety function.
3.6.14 no effect failure: failure of an element that plays a part in implementing the safety function but has no direct effect on the safety function.
Definitions - Failures
3.6.15 safe failure fraction (SFF): property of a safety-related element that is defined by the ratio of the average failure rates of safe plus dangerous detected failures and safe plus dangerous failures. This ratio is represented by the following equation:
SFF = (λS avg + λDD avg) / (λS avg + λDD avg + λDU avg)
When the failure rates are based on constant failure rates the equation can be simplified to:
SFF = (λS + λDD) / (λS + λDD + λDU)
Definitions - Failures
3.6.18 average probability of dangerous failure on demand (PFDavg): mean unavailability (see IEC 60050-191) of an E/E/PE safety-related system to perform the specified safety function when a demand occurs from the EUC or EUC control system.
NOTE 2 Two kinds of failures contribute to PFD and PFDavg: the dangerous undetected failures occurred since the last proof test, and genuine on demand failures caused by the demands (proof tests and safety demands) themselves. The first one is time dependent and characterized by their dangerous failure rate λDU(t), whilst the second one is dependent only on the number of demands and is characterized by a probability of failure per demand.
NOTE 3 As genuine on demand failures cannot be detected by tests, it is necessary to identify them and take them into consideration when calculating the target failure measures.
3.6.19 average frequency of a dangerous failure per hour (PFH): average frequency of a dangerous failure of an E/E/PE safety-related system to perform the specified safety function over a given period of time.
Definitions - Failures
3.6.21 mean time to restoration (MTTR): expected time to achieve restoration.
3.6.22 mean repair time (MRT): expected overall repair time.
Formula for calculating PFDavg(1oo1(D)) according to Ed. 2010:
PFDavg(1oo1(D)) = λDU (TI/2 + MRT) + λDD (TID/2 + MRT)
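A worked calculation of the SFF definition (3.6.15) and of the Ed. 2010 PFDavg(1oo1(D)) formula above, added here as an illustration and not part of the presentation; the failure rates, test intervals and repair time are constructed sample values for a hypothetical element.

```python
# Added worked example (not from the presentation): safe failure fraction and
# PFDavg for a 1oo1D element, using the Ed. 2010 definitions quoted above.
# Failure rates are expressed in FIT (1 FIT = 1e-9 failures per hour); the
# sample rates, intervals and repair time below are constructed for illustration.

FIT = 1e-9  # failures per hour


def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU).

    Constant-failure-rate simplification of 3.6.15; all three rates must
    use the same unit. An element with no failure rate at all has an
    undefined ratio, so that case is rejected instead of returning 0/0.
    """
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lambda_s + lambda_dd) / total


def pfd_avg_1oo1d(lambda_du, lambda_dd, ti_h, tid_h, mrt_h):
    """PFDavg(1oo1D) = lambda_DU*(TI/2 + MRT) + lambda_DD*(TID/2 + MRT).

    TI is the proof-test interval, TID the diagnostic test interval and MRT
    the mean repair time, all in hours; rates are failures per hour. This is
    the Ed. 2010 expression quoted on the slide: undetected failures wait on
    average half a proof-test interval plus the repair, detected ones only
    half a diagnostic interval plus the repair.
    """
    return lambda_du * (ti_h / 2 + mrt_h) + lambda_dd * (tid_h / 2 + mrt_h)


def sample_element():
    """Constructed numbers for a hypothetical transmitter-like element."""
    lambda_s, lambda_dd, lambda_du = 200 * FIT, 600 * FIT, 200 * FIT
    sff = safe_failure_fraction(lambda_s, lambda_dd, lambda_du)
    pfd = pfd_avg_1oo1d(lambda_du, lambda_dd,
                        ti_h=8760.0,   # yearly proof test
                        tid_h=1.0,     # diagnostics run hourly
                        mrt_h=8.0)     # one shift to repair
    return sff, pfd


if __name__ == "__main__":
    sff, pfd = sample_element()
    print(f"SFF = {sff:.1%}, PFDavg(1oo1D) = {pfd:.3e}")
```

With these numbers the undetected dangerous rate dominates the result, which is why shortening the proof-test interval has far more effect than shortening the repair time.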
Design requirements
7.4.2.2 The design of the E/E/PE safety-related system (including the overall hardware and software architecture, sensors, actuators, programmable electronics, ASICs, embedded software, application software, data etc.), see figure 4, shall meet all of the requirements a) to e) (previously a) to c)) as follows:
a) the requirements for hardware safety integrity comprising:
the architectural constraints on hardware safety integrity (see 7.4.4, previously 7.4.3.1), and
the requirements for quantifying the effect of random failures (see 7.4.5; previously worded as "the requirements for the probability of dangerous random hardware failures", see 7.4.3.2);
b) the special architecture requirements for ICs with on-chip redundancy (see Annex E), where relevant, unless justification can be given that the same level of independence between different channels is achieved by applying a different set of measures;
Design requirements
c) (previously b)) the requirements for systematic safety integrity (systematic capability), which can be met by achieving one of the following compliance routes:
Route 1S: compliance with the requirements for the avoidance of systematic faults (see 7.4.6 and IEC 61508-3) and the requirements for the control of systematic faults (see 7.4.7 and IEC 61508-3), or
Route 2S: compliance with the requirements for evidence that the equipment is proven in use (see 7.4.10), or
Route 3S (pre-existing software elements only): compliance with the requirements of IEC 61508-3, 7.4.2.12.
(The previous wording required the requirements for the avoidance of failures (see 7.4.4) and the requirements for the control of systematic faults (see 7.4.5), or evidence that the equipment is "proven in use" (see 7.4.7.6 to 7.4.7.12).)
d) (previously c)) the requirements for system behaviour on detection of a fault (see 7.4.8, previously 7.4.6).
e) the requirements for data communication processes (see 7.4.11).
Design requirements
7.4.3.1 To meet the requirements for systematic safety integrity, the designated safety-related E/E/PE system may, in the circumstances described in this section, be partitioned into elements of different systematic capability.
7.4.3.2 For an element of systematic capability SC N (N = 1, 2, 3), where a systematic fault of that element does not cause a failure of the specified safety function but does so only in combination with a second systematic fault of another element of systematic capability SC N, the systematic capability of the combination of the two elements can be treated as having a systematic capability of SC (N + 1), providing that sufficient independence exists between the two elements (see 7.4.3.4).
7.4.3.3 The systematic capability that can be claimed for a combination of elements each of systematic capability SC N can at most be SC (N + 1). A SC N element may be used in this way only once. It is not permitted to achieve SC (N + 2) and higher by successively building assemblies of SC N elements.
7.4.3.4 Sufficient independence, in the design between elements and in the application of elements, shall be justified by common cause failure analysis to show that the likelihood of interference between elements and between the elements and the environment is sufficiently low in comparison with the safety integrity level of the safety function under consideration.
a) a hardware fault tolerance of 2 for a specified safety function of SIL 4 unless the conditions in 7.4.4.3.2 apply.
b) a hardware fault tolerance of 1 for a specified safety function of SIL 3 unless the conditions in 7.4.4.3.2 apply.
c) a hardware fault tolerance of 1 for a specified safety function of SIL 2, operating in a high demand or continuous mode of operation, unless the conditions in 7.4.4.3.2 apply.
d) a hardware fault tolerance of 0 for a specified safety function of SIL 2 operating in a low demand mode of operation.
e) a hardware fault tolerance of 0 for a specified safety function of SIL 1.
SFF bands (table fragment): < 60%; 60% to < 90%; 90% to < 99%; >= 99%
Fault tolerance N means that fault N+1 can cause a loss of the safety function.
SIL and PFD/PFH
Safety Integrity Level (SIL) | Average Probability of Failure on Demand (PFDavg) | Probability of Failure per Hour (PFH) | Risk Reduction Factor (RRF)
SIL 4: PFDavg 10^-5 to < 10^-4
SIL 3: PFDavg 10^-4 to < 10^-3
SIL 2: PFDavg 10^-3 to < 10^-2
SIL 1: PFDavg 10^-2 to < 10^-1
PFDavg is used for Low Demand Mode systems; PFH is used for High Demand or Continuous Mode systems.
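An added example, not from the presentation, that maps a target failure measure to its SIL band and then reports the minimum hardware fault tolerance the Route 2H clause quoted earlier (7.4.4.3.1 a to e) requires for that SIL and mode; it goes slightly beyond the slide by including the PFH bands and the RRF = 1/PFDavg relation from IEC 61508-1 Table 3, which the slide shows only as column headings.

```python
# Added example (not from the presentation): SIL band lookup plus the minimum
# HFT of 7.4.4.3.1 a) to e), ignoring the relief conditions of 7.4.4.3.2.
# PFDavg bands are those on the slide; the PFH bands and RRF = 1/PFDavg are
# taken from IEC 61508-1 Table 3.

LOW_DEMAND = "low demand"
HIGH_DEMAND = "high demand or continuous"

# (SIL, lower bound inclusive, upper bound exclusive), best level first
PFDAVG_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def sil_from_measure(value, mode):
    """Return the SIL whose band contains value, or None if outside all bands.

    Low demand mode is judged on PFDavg, high demand or continuous mode on
    PFH, as the slide states. A value below the SIL 4 band also returns None:
    the standard defines no level above SIL 4, so the caller must decide.
    """
    bands = PFDAVG_BANDS if mode == LOW_DEMAND else PFH_BANDS
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    return None


def risk_reduction_factor(pfd_avg):
    """RRF = 1 / PFDavg; meaningful for low demand mode only."""
    return 1.0 / pfd_avg


def minimum_hft_route_2h(sil, mode):
    """Minimum HFT per 7.4.4.3.1 a) to e) when 7.4.4.3.2 does not apply.

    Fault tolerance N means that fault N+1 may cause loss of the safety
    function, so HFT 1 is a two-channel (1oo2-like) architecture.
    """
    if sil == 4:
        return 2
    if sil == 3:
        return 1
    if sil == 2:
        return 1 if mode == HIGH_DEMAND else 0   # item c) versus item d)
    if sil == 1:
        return 0
    raise ValueError(f"unknown SIL {sil!r}")


def assess(value, mode):
    """Return (SIL, RRF or None, minimum HFT); all None if out of band."""
    sil = sil_from_measure(value, mode)
    if sil is None:
        return None, None, None
    rrf = risk_reduction_factor(value) if mode == LOW_DEMAND else None
    return sil, rrf, minimum_hft_route_2h(sil, mode)


if __name__ == "__main__":
    print(assess(8.827e-4, LOW_DEMAND))   # a PFDavg in the SIL 3 band
    print(assess(3.0e-8, HIGH_DEMAND))    # a PFH in the SIL 3 band
```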
Example - Techniques and measures to avoid errors in the Safety Requirements Specification
Special architecture requirements for ICs with on-chip redundancy
a) The highest safety integrity level that can be claimed for a safety function using an IC as described above is limited to SIL 3.
b) The systematic capability shall not be increased by combination of elements.
c) To avoid common cause failure(s), the effects of increasing temperature, for example due to random hardware fault(s), shall be considered. At least one of the measures listed in Table E.2, no. 6 shall be applied. In a design where a local fault can cause a safety critical temperature increase, appropriate measures shall be taken.
d) Separate physical blocks on substratum of the IC shall be established for each channel and each monitoring element such as a watchdog. The blocks shall include bond wires and pin-out. Each channel shall have its own separated inputs and outputs which shall not be routed through another channel/block.
e) Appropriate measures shall be taken to avoid dangerous failure caused by faults of the power supply including common cause failures.
f) The minimum distance between boundaries of separate physical blocks shall be sufficient to avoid short circuit and cross talk between these blocks.
Special architecture requirements for ICs with on-chip redundancy
g) Short circuit and/or cross-talk between adjacent lines of separate physical blocks shall not lead to a loss of a safety function or an undetected loss of a monitoring function (Table E.2, no. 5).
h) The substratum shall be connected to ground whatever the IC design process used (n-well or p-well).
i) The susceptibility of an IC with on-chip redundancy to common cause failures shall be estimated by determining a β-factor according to E.3. This β-factor, called βIC, shall be used when estimating the achieved safety integrity of the E/E/PE safety-related system according to 7.4.5.1 and will be used for the IC instead of the β-factor determined for example according to Annex D of IEC 61508-6.
j) The detection of a fault (by diagnostic tests, proof tests or by any other means) in an IC with on-chip redundancy shall result in a specified action to achieve or maintain a safe state.
k) The minimum diagnostic coverage of each channel shall be at least 60 %. Where a monitoring element is implemented only once, the minimum diagnostic coverage for this element shall also be at least 60 %.
Special architecture requirements for ICs with on-chip redundancy
l) If it is necessary to implement a watchdog, for example for program sequence monitoring and/or to guarantee the required diagnostic coverage or safe failure fraction, one channel shall not be used as a watchdog of another channel, except when functionally diverse channels are used.
m) When testing for electromagnetic compatibility without additional safety margin, the function carried out by the IC shall not be interfered (for example performance criterion A as described in EMC immunity standards).
n) When testing for electromagnetic compatibility with additional safety margins, the safety function (including IC) shall comply with the FS criterion in IEC 61326-3-1.
o) Appropriate measures shall be taken to avoid dangerous failure caused by oscillations of digital input ports connected to external asynchronous digital signals, e.g. introduction of respective multiple clock synchronization stages.
p) The common cause potential of common resources such as boundary scan circuitries and arrays of special function registers shall be analyzed.
q) The requirements a) to p) list common cause initiators specific to ICs with on-chip redundancy. Other relevant common cause initiators shall be considered as specified in this Standard.
IEC 61508-2: 2010 - Conclusions
1. Almost all requirements (Safety Function, Systematic Capability, HFT, SFF, Type A and Type B classification) are assigned starting from the Element (apart from the SIL, which is assigned to the Safety Function)
2. The standard provides two distinct routes for demonstrating the conformity of elements:
1. Design according to the standard
2. Proven in use
3. Type A classification no longer requires field experience
4. An FMEDA of the element must be prepared following the new failure classifications (Safe, Dangerous, No Effect, No Part)
5. Specific requirements for ASICs have been added
6. Items compliant with the standard must be accompanied by a Safety Manual with defined content, and by adequate documentation proving conformity
7.2.2.10 The software safety requirements specification shall express the required safety properties of the product, but not of the project as this is covered by safety planning (see Clause 6 of IEC 61508-1). With reference to 7.2.2.1 to 7.2.2.9 (previously 7.2.2.10), the following shall be specified as appropriate:
a) the requirements for the following software safety functions: 1) ... 11) safety-related communications (see 7.4.11 of IEC 61508-2).
b) the requirements for the software systematic capability (previously "software safety integrity"): 1) ... 2) independence requirements between functions.
Rating legend (table fragment): R, --, NR
Appropriate techniques/measures shall be selected according to the safety integrity level. Alternate or equivalent techniques/measures are indicated by a letter following the number. Only one of the alternate or equivalent techniques/measures has to be satisfied. Other measures and techniques may be applied providing that the requirements and objectives have been met. See Annex C for guidance on selecting techniques.
Table A.1 fragment (recovered cells): C.2.11: HR, HR; B.2.4: HR, HR
1) Start from one of the tables in Annex A (for example Table A.1 reported above, for the SW Safety Requirements Specification).
2) Annex C, Table C.1 (Properties for systematic safety integrity: Software safety requirements specification) defines that the software safety requirements specification is characterised by the properties reported above.
Table C.1 fragment (recovered cells): R2, R3
3) A qualitative score is defined for the effectiveness of the technique / measure.
IEC 61508-3: 2010 - Conclusions
1. Systematic Capability is defined for SW as well
2. It is defined how to treat pre-existing SW
3. Requirements are defined for on-line and off-line support tools
4. An annex (Annex C, informative) has been added to guide the choice and the effectiveness of techniques and measures to achieve the desired Systematic Capability
5. Items compliant with the standard must be accompanied by a Safety Manual with defined content, and by adequate documentation proving conformity, also with regard to the SW
IEC 61508-1: 2010 - Management of Functional Safety, Safety Life Cycle: the substantial changes
Safety LifeCycle
Apart from some cosmetic changes and/or changes that follow from the changed definitions (for example the one concerning "other risk reduction measure", which consequently modifies the Safety Life Cycle), the most significant change is the one concerning the minimum level of independence of those who carry out the assessment (see the following slides). Two tables are defined:
1. One for all assessment phases, except those of definition of the Safety System Specifications (phase 9) and realisation of the Safety System (phase 10)
2. A second one for phases 9 and 10
NOTE: other changes are less relevant, as they relate more to the role of the system integrator / end user, for whom the most appropriate standard to use in the process industry is IEC 61511.
IEC 61508-1: 2010 - Conclusions
Management of Functional Safety: greater importance is given to the competence and qualification of the personnel involved.
Safety LifeCycle: the minimum level of independence required for the assessment phase is clarified further (and slightly modified).
IEC 61508-1: 2010 - Conclusions
The following documentation (at least) must be prepared for items compliant with the standard (for details see Annex A of IEC 61508-1):
1. Safety Plan
2. Safety Requirements Specification (integrity and functionality requirements); Design Specifications
3. Verification and Validation Plan (with reference to the integrity and functionality requirements, HW and SW)
4. Design documentation (HW and SW)
5. Analysis of systematic and common cause failures (with reference to the IEC 61508-2/3 tables)
6. Analysis of random failures
7. Reports in accordance with the Verification and Validation Plan
8. Validation document
9. Safety Manual (HW and SW)
4. Correction of a whole series of cut-and-paste errors in the example tables
5. Small changes to the table for estimating the common cause failure β-factor
Questions?