Understanding Key Changes in IEC 61508:2010

Transcription

Understanding Key Changes in IEC 61508:2010
A UL White Paper
Understanding Key Changes in
IEC 61508:2010
Understanding Key Changes in IEC 61508:2010
The Importance of Functional Safety Development
First published in 1998, IEC 61508 is the principal standard of functional safety. The
second edition of the standard — IEC 61508:2010 — has been in effect since April 2010,
and covers those aspects to be considered when electrical/electronic/programmable
electronic (E/E/PE) systems are used to carry out safety functions. This second
edition cancels and replaces the first edition, as it constitutes a technical revision.
A major objective of this standard is to facilitate the development of product
and application sector international standards by the related technical
committees. This will allow all the relevant factors associated with the product
or application to be taken into account fully and thereby meet the specific
needs of users of the product and application sector. A second objective of
this standard is to enable the development of E/E/PE safety-related systems
where product or application sector international standards do not exist.
The significant and basic aspects
This paper addresses key changes
of functional safety development,
in five critical areas of focus:
evaluation, and verification remain in
the second edition, including the overall
1)Traceability
safety lifecycle, use of the V-Model for
2)Elements
implementation of software development
3)On-chip redundancy
in particular, and the assessment of
performance using Failure Mode Effects
Analysis (FMEA) and other probabilistic
4)EMC requirements
5)Clearer definitions of failure types
calculations. However, important changes
have particular impact on component
Traceability
manufacturers, resulting in a higher
The need for traceability is clarified
degree of confidence for manufacturers,
in the new edition. “When we start
integrators, and end users alike.
looking through the whole product
development process, all phases
ultimately trace to one another,” says
Anura Fernando, research engineer,
predictive modeling and risk analysis,
at Underwriters Laboratories (UL).
page 2
Understanding Key Changes in IEC 61508:2010
Viewed from a broader perspective,
components that feed into the supply
rather than as a single component or
chain. Understanding the requirements
device that is being developed with 61508
for components relative to the different
compliance, the concept of traceability
safety integrity levels (SILs) can provide a
can carry through to the overall supply
level of assurance for systems integrators.
chain. When a component is integrated
By having visibility into the component
into a system, the end user can look at
development process, they understand
what has been done at the component
that using the same types of processes to
level to see how all the developmental
build a larger system provides a consistent
activities tie together at that level, as
mechanism for risk management.
well as how they tie together at the
sub-assembly level and the system level.
“Traceability is probably the key element
in building the overall safety case
“When we talk about traceability from
for a safety-related control system
an individual product perspective, we’re
or subsystem,” says Thomas Maier,
looking at everything that goes into the
principal engineer, functional safety, at
development effort, all the way from
UL. “Only if you have full traceability —
the product concept to the validation
from requirements and hazard analysis
of the product,” says Fernando.
through concept design, down through
every single component and every single
All the stages of development are
line of code that goes into the system or
involved in traceability: developing
subsystem (and further traceability to all
requirements for the product,
the test cases and test results) — do you
determining the product design, applying
have a chance to build a really conclusive
proper verification techniques to make
safety case for these complex systems.”
"Only if you have full
traceability — from
requirements and hazard
analysis through concept
design, down through every
single component and every
single line of code that goes
into the system or subsystem
(and further traceability to
all the test cases and test
results) — do you have a
chance to build a really
conclusive safety case for
these complex systems."
—Thomas Maier, principal engineer
sure that the product is being designed
and implemented correctly, implementing
Traceability is also essential if working
the verified product, testing to assure that
change management processes are to
each process has been achieved according
be in place. Whenever a safety-related
to specification, then finally testing
certified product has been released
to ensure that the product’s original
and a “bug” is discovered or some
requirements have been met — that
changes are indicated, it is important
the customer’s need for the product has
to discover what is impacted by
been satisfied. “From a risk management
the proposed change: which parts,
perspective, these kinds of things
elements, or software functions will
help to minimize systematic failures
be affected. “The only way to find
and defects that can be introduced
that out is if you have thorough and
into a product,” explains Fernando.
detailed traceability,” Maier concludes.
From a supply chain perspective, the
Elements
second edition provides additional
“Element” is a newly introduced concept
guidelines about what is required
consisting of inputs, some safety-related
in the second edition of IEC 61508;
from a traceability perspective for
logic, and safety-related output. In IEC
all the development and verification
terms, this is called an E/E/PE system.
page 3
calculations are now performed based
on this concept. An element can be
considered the lowest-level item
from which a safety-related system
is composed; it is at the base of the
functional safety hierarchy. “As the
lowest-level item, elements are where
you begin,” says Maier. For example,
the SIL parameter “safe failure fraction”
is now to be determined for elements,
and no longer for subsystems.
At the top of the hierarchy is the system,
a complete, safety-related control system
Understanding Key Changes in IEC 61508:2010
This safety-related control system can be
being independent of each other), you
It is electromagnetic immunity that
decomposed into subsystems: an input
may achieve a kind of bonus regarding
is of critical importance to functional
subsystem, then the logic subsystem,
the systematic capability these elements
safety. All the immunity phenomena
and then an output subsystem leading
have to fulfill. For example, if the
that are known and specified in the
to the actuators. So subsystems,
overall objective is SIL 2, then each of
standards need to be considered. What
connected in series, are what build a
the two elements would only have to
is important for functional safety —
complete, safety-related control system.
fulfill a systematic capability of SIL 1.
what is required by the second version
These subsystems can be further
On-Chip Redundancy
decomposed into the elements. Elements
The second edition of IEC 61508 defines
of electromagnetic immunity are
implement, for example, redundant
stringent requirements for on-chip
considered to decrease the probability
channels. They can be connected in
redundancy. Special architectural
that electromagnetic phenomena could
series and in parallel, if they belong
requirements for integrated circuits (ICs)
cause loss of the safety function.
to different channels. For example, a
with on-chip redundancy are given in a
microprocessor can be an element in
normative annex of the standard. This
Emissions are also included with
a safety-related logic subsystem.
requirement is being driven by emerging
immunity; but, in the United States,
technologies such as Field Programmable
the Federal Communications
Grid Arrays (FPGAs) and advances in
Commission (FCC) typically deals with
Application Specific Integrated Circuits
electromagnetic emissions. A few
(ASICs) that are helping to drive down
areas of functional safety (e.g., the
costs by incorporating more functionality
elevator industry) are required to look
onto a single chip. A group of techniques
at emissions and immunity because a
and measures essential to preventing
system can itself generate emissions
the introduction of faults during the
that could exceed tested immunity
design and development of these
levels. But this is the exception.
If you develop a programmable safety
relay, you select an architecture — say a
two-channel one. Each of these channels
needs to have a microprocessor — a
microcontroller; in IEC 61508 terms,
each of these microcontrollers would
be an element. So to fulfill a certain
SIL of the subsystem or safety-related
control system, you have to fulfill
hardware requirements and provide
probability calculations concerning
components has been introduced in
the new version of the standard.
of IEC 61508 — is that testing go beyond
the normal levels so that higher levels
“One should be clear in making
a distinction between emission
reliability that address random
EMC Requirements
requirements and immunity
hardware failures. You also have to
The focus on electromagnetic
requirements,” says Maier. “Functional
fulfill requirements concerning the use
compatibility (EMC) has increased
safety is overwhelmingly about immunity
of stringent processes and methods for
significantly in the second edition of
and being protected against any
the development of software. These
IEC 61508. In the old standard, the EMC
electromagnetic emissions that could
requirements address systematic failures.
requirements were not expressed very
be expected in a certain environment.”
Synthesis of Elements
explicitly. They were sometimes forgotten
“The equation, ‘SIL 1 plus SIL 1 equals
SIL 2’ has to do with the synthesis of
elements,” says Maier. This means
that, if you have two elements that
are redundant (two elements that
implement two channels, each channel
page 4
or not as respected as they should have
been. Now this has changed. “You cannot
do a functional safety evaluation without
looking at environmental impacts, and
electromagnetic phenomena are among
the most important environmental
impacts to consider,” notes Maier.
EMC is critical because it is a major
common cause failure. As noted
above, if you design a functionally
safe product, it often has a level of
redundancy: two channels that perform
the safety function. This is how fault
tolerance is achieved. Electromagnetic
impacts could destroy or disturb
Understanding Key Changes in IEC 61508:2010
both channels at exactly the same
it was always a bit doubtful that no
to advisory consultative services that
time, meaning the loss of the safety
part failures could be considered for
can train, coach, and educate your staff.
function. That’s a “common cause.”
calculating the safe failure fraction. The
second edition of IEC 61508 makes it
For more information on how we can help
“If you have a safety-related control
very clear that these two types of failures
you with the second edition of IEC 61508
signal, that signal is supposed to look
must not be considered in doing the
and other functional safety issues, please
a particular way,” says Fernando.
calculation of the safe failure fraction.
contact Kevin Connelly at 1.631.546.2691,
“Electromagnetic interference can
or by e-mail at [email protected],
distort the signal so that it looks very
“Under the first edition, this was not
different, and this distortion (i.e.
clearly stated,” says Maier. Component
change in waveform or waveshape)
manufacturers could, in principle,
has the potential to cause the
embellish their figures. “You could make
system to respond in an unexpected,
them look better by including no part
and possibly unsafe way.”
failures and inventing some additional no
or visit us at ul.com/functionalsafety.
effect failures to improve the percentage
Two IEC standards specifically address
of non-dangerous failures,” notes Maier.
EMC requirements in relation to
functional safety: the technical
Now you are only allowed to consider
specification IEC/TS 61000-1-2 and
real safe failures and real dangerous
IEC 61326-3-1. These are referred to
failures. All other failures that are not
in the second edition of IEC 61508.
part of the safety circuit or have no effect
Clearer Definitions
of Failure Types
on the behavior of the safety circuit
must not be taken into consideration.
same definitions of a safe failure and
Something Else
You Should Know
a dangerous failure; but, it goes on to
Since UL personnel have participated
define a new “no effect failure” and a
in the writing of the second IEC 61508
“no part failure” that are important to
standard, we are ideally positioned to
understand. A no effect failure is the
help you understand its nuances.
The second edition of IEC 61508 has the
failure of a component that is part of the
safety-related circuit, but which has no
Whether you are an experienced
effect on the safety function at all when
manufacturer that currently has products
it fails — it doesn’t make the system fall
certified under the first edition of IEC
to the safe side or the dangerous side. A
61508 and are now looking to convert to
no part failure is a failure of a component
the second edition, or you are new to the
that is somewhere in the system, but is
functional safety space and the second
not related to the safety related circuits.
edition is your first involvement with
functional safety certification, UL is here
The first edition of IEC 61508 allowed
to help. What’s more, UL has people who
the consideration of no effect failures
can assist every step of the way, from our
as being safe failures. Furthermore,
functional safety mark, to certification,
page 5
Copyright © 2011 Underwriters Laboratories Inc. All rights reserved. No part of this document may be copied
or distributed without the prior written consent of Underwriters Laboratories Inc. 4/11 BDI 110420