changes to iec61508 and its impact on implementation


Upload: armitage-communications

Post on 12-Mar-2016


Page 1: Changes to IEC61508 and its impact on implementation

© ABB Inc. April 24, 2023 | Slide 1

WCS-114-1 Changes to IEC61508 and its impact on implementation

ABB Automation & Power World: April 18-21, 2011

Page 2: Changes to IEC61508 and its impact on implementation


Speaker name: Stuart Nunns

Speaker title: Managing Consultant Functional Safety

Company name: ABB

Location: UK

Page 3: Changes to IEC61508 and its impact on implementation

Presentation Topics

Section 1 - New Development of IEC 61508 2nd Edition: overview of key changes

Section 2 - How to manage functional safety: Safety Assured Solutions

Page 4: Changes to IEC61508 and its impact on implementation

Your safety is important to us. Please be aware of these emergency procedures.

In the event of an emergency please dial ext. 55555 from any house phone. Do not dial 9-1-1.

In the event of an alarm, please proceed carefully to the nearest exit. Emergency exits are clearly marked throughout the hotel and convention center.

Use the stairwells to evacuate the building and do not attempt to use the elevators.

Hotel associates will be located throughout the public space to assist in directing guests toward the closest exit.

Any guest requiring assistance during an evacuation should dial "0" from any house phone and notify the operator of their location.

Do not re-enter the building until advised by hotel personnel or an "all clear" announcement is made.

Page 5: Changes to IEC61508 and its impact on implementation

Your safety is important to us. Convention Center exits in case of an emergency.

Know your surroundings: identify the meeting room your workshop is being held in and locate the nearest exit.

Page 6: Changes to IEC61508 and its impact on implementation

Section 1 - Functional Safety Standards

IEC 61508 (Ed 2 released April 2010) and the sector standards shown alongside it:

IEC 62061: Machinery Sector
IEC 60601: Medical Devices
IEC 61513: Nuclear Sector
IEC 61511: Process Sector
IEC 61800: Adjustable Speed Electric Power Drive Systems
EN 50128: Railways
EN 50156: Furnaces

Page 7: Changes to IEC61508 and its impact on implementation

IEC 61508 Introduction: Parts of the Standard

Part 1: General requirements
Part 2: Requirements for electrical, electronic, programmable electronic systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of safety integrity levels
Part 6: Guidelines on the application of Parts 2 & 3
Part 7: Overview of techniques and measures

Compliance must be proven for parts 1-4 only.

'shall' is a normative requirement; 'should' is an informative requirement.

Page 8: Changes to IEC61508 and its impact on implementation

Overview of changes

Safety Lifecycle*
Security*
Functional Safety Assessment*
Management of Functional Safety*
Design fundamentals*
SIF hierarchies*
Pre-existing software*
Communication*
Safety manual*
Traceability*
Software Tools*
ASICs/Multicore on-chip ICs
Techniques & Measures – properties & rigour

*Topics covered during this presentation

Page 9: Changes to IEC61508 and its impact on implementation

Safety Lifecycle – Part 1

The Safety Requirements Specification now has its own lifecycle phase. See Part 1, 7.10.1 for Objectives and 7.10.2 for Requirements.

Objective*: "...is to define the system safety requirements, regarding the safety functions requirements and the integrity requirements, in order to achieve the required functional safety."

Specifies what information the end user is required to supply to the system integrator.

(*taken from IEC61508)

Figure labels: End user/EPC; System Integrator/designer

Page 10: Changes to IEC61508 and its impact on implementation

Security – Part 1

The standard does not specify the requirements needed to meet a security policy that may be required, but security is recognized as being important*:

Part 1, Section 7.4 (Hazard Analysis): "If the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out."

NOTE 3: For guidance on security risks analysis, see the IEC 62443 series.

Part 1, Section 7.5 (Overall Safety Requirements): "If security threats have been identified, then a vulnerability analysis should be undertaken in order to specify security requirements."

(*taken from IEC61508)

Page 11: Changes to IEC61508 and its impact on implementation

Functional Safety Assessment – Part 1

8.2.14*: "Those carrying out a functional safety assessment shall be competent for the activities to be undertaken, according to the requirements."

Part 1 provides a new approach to classify competence.

(*taken from IEC61508)

Page 12: Changes to IEC61508 and its impact on implementation

Management of Functional Safety – Part 1

Significant restructuring: 'shalls' against all sub-clauses.

Organisations shall appoint one or more persons with responsibility for one or more phases.
All persons, departments or organisations shall be identified, and their responsibilities clearly defined and communicated.
Activities related to management of functional safety shall be applied at the relevant phases.
All persons undertaking specific activities shall have the appropriate competence.
The competence shall be documented.

Competency is now normative.

Page 13: Changes to IEC61508 and its impact on implementation

Design fundamentals – Part 2: 7.4.2.2

Design of a safety-related system shall meet:

Hardware safety integrity: architectural constraints (Route 1H and Route 2H); quantification of random hardware failures; on-chip ICs

Systematic capability: avoidance & control of systematic faults (Route 1S), or proven in use (Route 2S), or pre-existing software (Route 3S)

System behaviour on detection of fault

Data communications

Page 14: Changes to IEC61508 and its impact on implementation

Hardware safety integrity – Part 2

Route 1H: architectural constraints based on hardware fault tolerance (HFT) and safe failure fraction (SFF).

Route 2H: based on component reliability data (feedback from end users), increased confidence levels, and HFT for specified safety integrity levels.

Page 15: Changes to IEC61508 and its impact on implementation

Systematic Capability – Part 2

Systematic capability is the concept being developed for systematic safety integrity compliance for elements and sub-systems. It replaces the term "effectiveness against systematic failure".

It is a measure, on a scale of 1-4, that the systematic safety integrity of an element fulfils the given safety function considering the instructions stated in the safety manual.

Three routes are proposed*:

Route 1S: compliance with the techniques and measures tables
Route 2S: proven in use concepts
Route 3S: for software that does not satisfy the first two routes

(*taken from IEC61508)

Page 16: Changes to IEC61508 and its impact on implementation

Simplified Example: Hierarchies

Figure labels: Sensors, Logic Solver, Actuators (elements); Sub-system; Sub-system; system

system: implements the required safety functions necessary to achieve or maintain a safe state for the EUC.

sub-system: entity of the top-level architectural design of a safety-related system where a dangerous failure of the subsystem results in dangerous failure of a safety function.

element: part of a subsystem comprising a single component or any group of components that performs one or more element safety functions.

Page 17: Changes to IEC61508 and its impact on implementation

Requirements for Integration of Pre-existing Software (7.4.2.2 - Part 2 & 7.4.2.12-13 - Part 3)

pre-existing software: software element which already exists and is not developed specifically for the current project or safety-related system.

For Route 3S:

Creation of a precise software safety requirements specification
The properties of software systematic capability shall be fulfilled
Creation of a safety manual
Validation and documentation of the compatibility (HW & SW)
Software shall have been validated and verified (tests, code reviews etc.)
Unused functions of the software shall not have influence on the safety system
Credible failure mechanisms have been identified and countermeasures developed

Page 18: Changes to IEC61508 and its impact on implementation

Data Communication - Part 2

New section 7.4.11 on additional requirements for data communication.

Two possible approaches*:

1. The entire communication channel shall be designed, implemented and validated according to the IEC 61508 series and IEC 61784-3 or IEC 62280 series. This is a so-called 'white channel' (see Figure 7a).

(*taken from IEC61508)

Page 19: Changes to IEC61508 and its impact on implementation

Data Communication - Part 2

2. Parts of the communication channel are not designed or validated according to the IEC 61508 series. This is a so-called 'black channel' (see Figure 7b). But the measures necessary to ensure the failure performance of the communication process shall be implemented, e.g. PROFIsafe on PROFINET.

(*taken from IEC61508)
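To make the black-channel idea concrete, here is an added example (not from the slides, and not PROFIsafe or any other real protocol): a minimal safety layer running over a transport that is assumed untrusted. It attaches a sequence number and a CRC to each safety telegram and runs a receive watchdog, so that corruption, repetition, loss and delay are each detected and latch the receiver into a fail-safe state. The framing, the CRC seed and the watchdog budget are constructed values.

```python
"""Added example: a toy safety layer over an untrusted ('black') channel.
Constructed for illustration; the framing and constants are not PROFIsafe."""
import struct
import zlib
from typing import Dict, List, Optional

CRC_SEED = 0x5AFE0001   # constructed; a real protocol binds this to addressing
MAX_SEQ = 256           # one-byte consecutive number
WATCHDOG_MS = 100       # constructed cycle budget: a silent channel trips the watchdog


def build_frame(seq: int, payload: bytes) -> bytes:
    """Frame = [seq (1 byte)] [payload] [CRC-32 over seq+payload (4 bytes)]."""
    body = struct.pack(">B", seq % MAX_SEQ) + payload
    crc = zlib.crc32(body, CRC_SEED) & 0xFFFFFFFF
    return body + struct.pack(">I", crc)


class SafetyReceiver:
    """Consumer side: any detected fault latches fail_safe until a reset."""

    def __init__(self, start_ms: int = 0):
        self.expected_seq = 0
        self.last_rx_ms = start_ms
        self.fail_safe = False

    def _trip(self, reason: str) -> str:
        self.fail_safe = True
        return reason

    def receive(self, frame: Optional[bytes], now_ms: int) -> str:
        """Called once per cycle with the frame that arrived (or None)."""
        if self.fail_safe:
            return "fail-safe"
        if now_ms - self.last_rx_ms > WATCHDOG_MS:   # delay / loss of channel
            return self._trip("timeout")
        if frame is None:
            return "idle"
        if len(frame) < 5:
            return self._trip("malformed")
        body, (crc,) = frame[:-4], struct.unpack(">I", frame[-4:])
        if zlib.crc32(body, CRC_SEED) & 0xFFFFFFFF != crc:  # corruption
            return self._trip("corrupted")
        if body[0] != self.expected_seq:                      # repeat / loss / reorder
            return self._trip("sequence")
        self.expected_seq = (self.expected_seq + 1) % MAX_SEQ
        self.last_rx_ms = now_ms
        return "ok"


def run_scenarios() -> Dict[str, object]:
    """Drive the receiver through constructed failure modes of the transport."""
    payload = b"\x01\x00"   # constructed command word
    frames = [build_frame(i, payload) for i in range(3)]
    out: Dict[str, object] = {}

    rx = SafetyReceiver()
    out["healthy"] = [rx.receive(frames[i], 10 * (i + 1)) for i in range(3)]

    rx = SafetyReceiver()
    damaged = bytearray(frames[0])
    damaged[1] ^= 0x01                      # single bit flip in the payload
    out["bit_flip"] = rx.receive(bytes(damaged), 10)

    rx = SafetyReceiver()
    out["repeat"] = [rx.receive(frames[0], 10), rx.receive(frames[0], 20)]

    rx = SafetyReceiver()
    out["loss"] = [rx.receive(frames[0], 10), rx.receive(frames[2], 20)]

    rx = SafetyReceiver()
    out["delay"] = [rx.receive(frames[0], 10), rx.receive(None, 50),
                    rx.receive(None, 120), rx.receive(frames[1], 130)]
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:9s} -> {verdict}")
```

The point of the example is the division of responsibility: nothing in the transport below the safety layer is trusted, so every failure mode the standard expects the "measures necessary to ensure the failure performance" to cover has to be detectable from the telegram and its timing alone. A CRC-32 alone is not a real safety code (a qualified protocol sizes and seeds its check against the required residual error rate), which is why the constants here are labelled as constructed.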

Page 20: Changes to IEC61508 and its impact on implementation

Safety Manual - Part 2 – New Annex D

New requirements* in 7.4.9 (Requirements for E/E/PE system implementation):

7.4.9.6: Suppliers shall provide a safety manual for items for which they claim IEC 61508 compliance.

7.4.9.7: Suppliers shall document a justification for all the information that is provided in each safety manual.

(*taken from IEC61508)

Page 21: Changes to IEC61508 and its impact on implementation

Safety Manual – Part 3 – New Annex D: What shall it contain?

Required competence of the user (minimal skills)
Trustworthiness of the element (certificates etc.)
Installation instructions
The reason for release of the element
Compatibility with previous elements or other systems
Configuration of the element (version number, modification)
Modification control (how to update the element?)
Requirements that were not realised
Description of the default configuration
Description of specific user profiles

Page 22: Changes to IEC61508 and its impact on implementation

Traceability - Part 3

More significance is placed on traceability. Extract from the standard:

Forward traceability between the system safety requirements and the software safety requirements
Backward traceability between the safety requirements and the perceived safety needs
Forward traceability between the software safety requirements specification and the software architecture
Forward traceability between the software design specification and the module and integration test specifications
etc.

34 hits on traceability requirements in Part 3 alone!
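Traceability requirements of this kind are only auditable if the links are held as data that can be checked mechanically. The following is an added example (not from the slides or any ABB tool) of such a check over a constructed set of artefacts: each artefact records which items in the preceding lifecycle phase it traces back to, forward coverage is derived by inverting those links, and the check reports the three gaps an assessor looks for: artefacts with no backward link, artefacts nothing later traces to, and links that skip a phase. The phase names and artefact identifiers are hypothetical.

```python
"""Added example: forward/backward traceability check over constructed artefacts."""
from typing import Dict, List, Tuple

# Lifecycle phases in order; each artefact must trace to the phase just before it.
PHASES = ["need", "system_req", "software_req", "architecture", "design", "module_test"]

# Constructed data: artefact id -> (phase, ids in the previous phase it traces to)
ARTEFACTS: Dict[str, Tuple[str, List[str]]] = {
    "NEED-1": ("need", []),
    "NEED-2": ("need", []),
    "SSR-1": ("system_req", ["NEED-1"]),
    "SSR-2": ("system_req", ["NEED-1"]),
    "SSR-3": ("system_req", []),             # no backward link to a safety need
    "SWSR-1": ("software_req", ["SSR-1"]),
    "SWSR-2": ("software_req", ["SSR-2"]),
    "ARCH-1": ("architecture", ["SWSR-1", "SWSR-2"]),
    "DES-1": ("design", ["ARCH-1"]),
    "TEST-1": ("module_test", ["DES-1"]),
    "TEST-2": ("module_test", ["ARCH-1"]),   # skips the design phase
}


def check_traceability(artefacts: Dict[str, Tuple[str, List[str]]],
                       phases: List[str] = PHASES) -> Dict[str, list]:
    """Report backward gaps, forward gaps and links that do not land one phase up."""
    order = {p: i for i, p in enumerate(phases)}
    covered = set()          # ids that some artefact in the next phase traces back to
    dangling = []            # (source, target) links to a missing item or wrong phase
    for aid, (phase, links) in artefacts.items():
        for target in links:
            tphase = artefacts.get(target, (None, []))[0]
            if tphase is None or order.get(tphase, -99) != order[phase] - 1:
                dangling.append((aid, target))
            else:
                covered.add(target)
    no_backward = sorted(a for a, (p, l) in artefacts.items()
                         if p != phases[0] and not l)
    no_forward = sorted(a for a, (p, _) in artefacts.items()
                        if p != phases[-1] and a not in covered)
    return {"no_backward": no_backward, "no_forward": no_forward, "dangling": dangling}


if __name__ == "__main__":
    for kind, items in check_traceability(ARTEFACTS).items():
        print(f"{kind}: {items}")
```

In practice the artefact table would be exported from the requirements tool rather than typed in, but the checks are the same: a forward gap means a need or requirement that nothing implements or tests, and a backward gap means an implementation detail with no justification in the safety requirements.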

Page 23: Changes to IEC61508 and its impact on implementation

Software off-line support tools (quick side-trip) - Part 4

Divided into 3 classes*:

T1: generates no outputs which can directly or indirectly contribute to the executable code of the safety-related system, e.g. a text editor.

T2: supports the test or verification of the design or executable code; errors in the tool can fail to reveal defects but cannot directly create errors in the executable software, e.g. a static analysis tool.

T3: generates outputs which can directly or indirectly contribute to the executable code of the safety-related system, e.g. an automatic code generator.

(*taken from IEC61508)

Page 24: Changes to IEC61508 and its impact on implementation

Software off-line support tools (quick side-trip) - Part 4

Off-line support tools of classes T2 and T3*: configuration management shall ensure that information on the tools is recorded:

Tool identification and version
Configuration baseline identification
Usage of the tool for each configuration baseline item, including the tool parameters, options and scripts selected

(*taken from IEC61508)
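The two slides above (tool classes, and what configuration management must record for T2/T3 tools) are served by one added example, which is not from the slides or any ABB product. It records each tool's identification, version, class, options and the hash of the build script used for a baseline item, folds only the T2/T3 records into a fingerprint of the configuration baseline, and reports which recorded tool changed between two baselines. Tool names, versions and options are constructed.

```python
"""Added example: recording T2/T3 off-line support tools per configuration
baseline item and detecting toolchain drift between baselines. Constructed data."""
import hashlib
import json
from typing import Dict, Iterable, List, Tuple

# Per the slide, information is recorded for class T2 and T3 tools; T1 is exempt.
RECORD_REQUIRED = {"T1": False, "T2": True, "T3": True}


def tool_record(name: str, version: str, tool_class: str,
                options: Iterable[str] = (), script: bytes = b"") -> dict:
    """One usage record; the script is hashed so an edited build script is visible."""
    if tool_class not in RECORD_REQUIRED:
        raise ValueError(f"unknown tool class {tool_class}")
    return {
        "tool": name,
        "version": version,
        "class": tool_class,
        "options": sorted(options),
        "script_sha256": hashlib.sha256(script).hexdigest(),
    }


def baseline_fingerprint(baseline_id: str, items: Dict[str, List[dict]]) -> Tuple[str, dict]:
    """items: baseline item -> tool records used to produce it.
    Returns (fingerprint, recorded) where recorded keeps only T2/T3 usages."""
    recorded = {item: [r for r in recs if RECORD_REQUIRED[r["class"]]]
                for item, recs in items.items()}
    canonical = json.dumps({"baseline": baseline_id, "items": recorded}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest(), recorded


def diff_toolchain(old: dict, new: dict) -> List[tuple]:
    """(item, tool, old_record, new_record) for every recorded tool that differs."""
    findings = []
    for item in sorted(set(old) | set(new)):
        o = {r["tool"]: r for r in old.get(item, [])}
        n = {r["tool"]: r for r in new.get(item, [])}
        for tool in sorted(set(o) | set(n)):
            if o.get(tool) != n.get(tool):
                findings.append((item, tool, o.get(tool), n.get(tool)))
    return findings


def demo() -> Dict[str, object]:
    """Constructed baselines: a T3 compiler option change must show up, a T1 editor upgrade must not."""
    cc = tool_record("constructed-cc", "1.4.0", "T3", ["-O1", "-fstack-protector"], b"build.sh v1")
    lint = tool_record("constructed-lint", "2.0", "T2", ["--misra"])
    editor = tool_record("constructed-editor", "9.9", "T1")
    fp0, rec0 = baseline_fingerprint("BL-1", {"logic_solver.elf": [cc, lint, editor]})

    cc_o2 = tool_record("constructed-cc", "1.4.0", "T3", ["-O2", "-fstack-protector"], b"build.sh v1")
    fp1, rec1 = baseline_fingerprint("BL-1", {"logic_solver.elf": [cc_o2, lint, editor]})

    editor_new = tool_record("constructed-editor", "10.0", "T1")
    fp2, _ = baseline_fingerprint("BL-1", {"logic_solver.elf": [cc, lint, editor_new]})

    return {
        "t3_change_detected": fp0 != fp1,
        "findings": diff_toolchain(rec0, rec1),
        "t1_change_detected": fp0 != fp2,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The fingerprint is what you would store with the baseline identification; re-deriving it from the tools actually invoked on a later build gives a cheap check that the executable was produced with the same recorded toolchain, parameters and scripts.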

Page 25: Changes to IEC61508 and its impact on implementation

Other topics

Code reviews mandatory
Modifications at any phase linked to earlier phases – impact assessment required
100% structural testing

Page 26: Changes to IEC61508 and its impact on implementation

Section 2 - How to manage Functional Safety: Some considerations (1)

Technology driven: methodology, procedures and systems; compliance with standards / good practice; compliance with the overall safety lifecycle

Product safety: fit for purpose; performance guarantees

Competency assurance: people - knowledge, experience, training and qualifications

Page 27: Changes to IEC61508 and its impact on implementation

Functional Safety Management: Some considerations (2)

Role of an instrumented safety system as part of your basis of safety
Compliance to good practice standards, i.e. IEC 61511
Use of certified: safety products (e.g. 800xA HI, SafeGuard, PlantGuard), field instruments, final elements, engineers, organisations
Mapping the complete safety lifecycle

Page 28: Changes to IEC61508 and its impact on implementation

End Users - What to look for? Safety Assured Solutions

Product: SIL 3 (third-party) certified capable products; safety track record; significant global installed base; R&D investment programme

People: competency management systems in place; certified experts and engineers (industry benchmark); hazard & risk practitioners

Organisation & Systems: assured SIL 3 (third-party) certified capable solutions through global execution capability; development of an appropriate basis of safety (ALARP)

Page 29: Changes to IEC61508 and its impact on implementation

Safety Lifecycle Model – Risk Management

Process Safety Management Systems
Behavioural Safety & Culture
Process Hazard Review
Lifecycle Hazard Studies (including HAZOP 1-6)
Pressure Relief
Mechanical Integrity
SIL Determination
Hazardous Area Risk Assessment and Classification

Page 30: Changes to IEC61508 and its impact on implementation

Safety Lifecycle Model – Design & Engineering (1): SIS Delivery

Application specific solution
SIL Achievement
Specification
Detailed design
Realisation (Total Solution)
Certified Engineers
Certified FS management systems
Commissioning
Validation

Page 31: Changes to IEC61508 and its impact on implementation

Safety Lifecycle Model – Design & Engineering (2): Safety Execution Capability

Global footprint
Third-party certified for delivering application specific solutions: comprehensive systems, methodology, documentation
Competency assured
Certified safety platforms, SIL 3 capable

Page 32: Changes to IEC61508 and its impact on implementation

Safety Lifecycle Model – Operations and Maintenance: Full Service

Reliability and Operations Improvement
Modifications, upgrades
24/7 Service Level Agreements
Certified service organisations
Performance assurance
Testing and repairs
Operating and Maintenance Procedures

Page 33: Changes to IEC61508 and its impact on implementation

Safety Lifecycle Model – Operations and Maintenance: Consulting

Organisational Culture / Change
Human Reliability Assessment
Safety Critical Procedure Assessment
Staffing Levels and Workload Assessment
Pre Start-up Safety Review
Legacy Systems Review
Control Room Performance Assessment
Alarm Management Health Check
Safe Systems of Work
Management of Change
Incident Investigation Support

Page 34: Changes to IEC61508 and its impact on implementation

Conclusion – 61508 Ed 2

More routes to demonstrate compliance
Downwards compatibility was followed
Reaction to user requests to get more practical examples
Some updates to consider new technologies

Updates include: systematic capability; management of functional safety; functional safety assessment; safety manual; communication; security; ASICs/multicore.

Page 35: Changes to IEC61508 and its impact on implementation

Reminders: Automation & Power World 2011

Please be sure to complete the workshop evaluation.

Professional Development Hours (PDHs) and Continuing Education Credits (CEUs): you will receive a link via e-mail to print certificates for all the workshops you have attended during Automation & Power World 2011.

BE SURE YOU HAVE YOUR BADGE SCANNED for each workshop you attend. If you do not have your badge scanned you will not be able to obtain PDHs or CEUs.

Page 36: Changes to IEC61508 and its impact on implementation
