the agri-motive safety performance integrity level – or how...

TÜV Rheinland InterTraffic GmbH - Transport Safety Consult

The agri-motive safetyperformance integrity level –Or how do you call it?

TÜV Rheinland InterTraffic GmbH

Safety in Transportation 4

Dipl.-Ing. Sebastian Gräfling, TÜV Rheinland InterTraffic GmbH


TÜV Rheinland InterTraffic GmbHContents

I. Insight: SIL

II. Step by step: Various safety standards

III. Focus on: SIL definitions and determinations

IV. Sum up!


� SIL = Safety Integrity Level- Measure of reliability of safety functions- Level of risk reduction

� Development of safety critical systems, applications:

TÜV Rheinland InterTraffic GmbHInsight: SIL

Planning, Requirements Tests, Verification

Risk Analysis

Verification

Implementation

Risk Analysis Risk Graph SIL λ

Development Tests

Integration

ValidationMaintenance

SIL SIL

Random HWfailures

Systematicfailures


� Random HW failures (Ausfälle): They will appear for sure, but you don‘t knowwhen…

� Systematic failures: Caused by humans

- e.g., design faults, SW faults, installation faults, etc.

� Quantitative analyses regarding the effects of random HW failures areestablished (e.g. FMEA, FTA), but corresponding analyses for human faults not.

Effects on project development cycles:

- Random HW failures -> Appropriate architecture (e.g. redundancy), choice of appropriate components and definition of fault detection and diagnosis functions(Proof, e.g. by FTA)

- Systematic Failures -> Measures for the development and quality management

TÜV Rheinland InterTraffic GmbHInsight: SIL

Risk Analysis Risk Graph SIL λ

Random HWfailures

Systematicfailures



I. Insight: SIL



IV. Sum up!


The following standards will be shortly presented:

� IEC 61508

� IEC 61511

� EN 50126/28/29

� ISO 26262

� ISO 13849

� IEC 62061

� ISO 25119

� DEF-STAN-00-56-1

� RTCA DO-178B

TÜV Rheinland InterTraffic GmbH Safety standards – Overview


IEC 61508: Functional safety of electrical/electronic/programmable

electronic safety-related systems

� Generic safety standard (“Sicherheitsgrundnorm”)

� defines a generic approach for all safety lifecycle activities

� electrical and/or electronic and/or programmable electronic

(E/E/PE) elements that are used to perform safety functions

� consists of 7 parts, dedicated to hardware and software

(including examples for application)

TÜV Rheinland InterTraffic GmbH Safety standards – IEC 61508

IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...


IEC 61511: Functional safety – Safety instrumented systems for the process

industry sector

� sets out the application of safety instrumented systems for the process

industries

� sensors, logic solvers and final elements

� logic solvers include E/E/PE technology

� IEC 61511 is process industry specific within the framework of the IEC 61508

series


IEC 61508IEC 61511

EN 50126/28/29ISO 26262

...


EN 50126: Railway applications – The specification and

demonstration of Reliability, Availability, Maintainability and

Safety (RAMS)

EN 50128: Railway applications - Communications, signalling and

processing systems - Software for railway control and protection

systems

EN 50129: Railway applications – Communication, signalling and

processing systems – Safety related electronic systems for

signalling

� EN 50126 defines the management of RAMS for railway applications

� EN 50128 provides methods for software in order to meet the demands

for safety integrity that are resulting from the related standards

� EN 50129 is intended for the functional safety of railway signalling

systems and used for electronics in railway applications

TÜV Rheinland InterTraffic GmbH Safety standards – EN 50126/28/29

IEC 61511EN 50126/28/29

ISO 26262ISO 13849

…


ISO 26262: Road vehicles — Functional safety

� automobile-specific derivation of the IEC 61508

� applies to all activities during the safety lifecycle of

safety-related systems

� electrical, electronic, and software elements that provide

safety-related functions

� addresses passenger cars up to an allowed total weight

of 3.5 t

� the standard consists of ten parts

� the volumes 2 to 9 contain the requirements for the

development process and the product, whereas volume 1

and 10 are informative guides.

TÜV Rheinland InterTraffic GmbH Safety standards – ISO 26262

EN 50126/28/29ISO 26262

ISO 13849IEC 62061

…


ISO 13849: Safety of machinery — Safety-related parts of control systems

� for the design and integration of safety-related parts of control systems

(SRP/CS) of machinery

� applies to SRP/CS, regardless of the type of technology and energy used

(electrical, hydraulic, pneumatic, mechanical, etc.)

� for all kinds of machinery

� complies with the Machinery Directive

� use of this standard and/or the ISO 62061 can be presumed in order to fulfil

the safety related requirements for SRP/CS of different technologies


ISO 26262ISO 13849

IEC 62061ISO 25119

...


IEC 62061: Safety of machinery – Functional safety of safety-related electrical,

electronic and programmable electronic control systems

� safety-related E/E/PE control systems for machinery

� can be seen as a further supporting standard for ISO 13849


ISO 13849IEC 62061

ISO 25119DEF-STAN 00-56-1

RTCA DO-178B


ISO 25119: Tractors and machinery for agriculture and forestry – Safety-related

parts of control systems

� E/E/PES components for tractors for agriculture and forestry

� self-propelled ride-on machines and mounted, semi-mounted and trailed machines used in agriculture and municipal equipment


ISO 13849IEC 62061ISO 25119

DEF-STAN 00-56-1RTCA DO-178B


Defence Standard 00-56-1: Safety management requirements for defence

systems

� British defence standard

� describes the requirements for safety management including hazard analysis

and safety assessment

� is applied to Ministry of Defence projects

TÜV Rheinland InterTraffic GmbH Safety standards – DEF-STAN 00-56-1

ISO 13849IEC 62061ISO 25119

DEF-STAN 00-56-1

RTCA DO-178B


RTCA DO-178B: Software Considerations in Airborne Systems and Equipment

Certification

� is a software standard for aircrafts

� depending on the necessary level of risk reduction, it knows 5 different levels

� for each level, methods are described that have to be implemented in the

software process and in the software itself

TÜV Rheinland InterTraffic GmbH Safety standards – RTCA DO-178B

ISO 13849IEC 62061ISO 25119




I. Insight: SIL



IV. Sum up!


IEC 61508: Functional safety of electrical/electronic/programmable

electronic safety-related systems

� Generic safety standard (“Sicherheitsgrundnorm”)

� defines a generic approach for all safety lifecycle activities

� electrical and/or electronic and/or programmable electronic

(E/E/PE) elements that are used to perform safety functions

� consists of 7 parts, dedicated to hardware and software

(including examples for application)

TÜV Rheinland InterTraffic GmbH Focus on – IEC 61508

IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...


� 4 SILs: SIL 1 .. SIL 4

� Each level defines measures against

- systematic failures and

- random failures

� Random failures are described by probabilities of dangerous failures on demand or probabilities of dangerous failures per hour.

� The safety integrity level determines the target failure measure for dangerous random failures for the safety function according tables 1 and table 2 and vice versa.

� The target failure measure is dependent on the type of application (low demand mode or for continuous mode of operation).

TÜV Rheinland InterTraffic GmbH SIL definition and determination – IEC 61508

IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...


≥ 10-2 to < 10-11

≥ 10-3 to < 10-22

≥ 10-4 to < 10-33

≥ 10-5 to < 10-44

Low demand mode of operation(Average probability of failure to perform its

design function on demand)

Safetyintegrity

level

≥ 10-6 to < 10-51

≥ 10-7 to < 10-62

≥ 10-8 to < 10-73

≥ 10-9 to < 10-84

High demand or continuous mode of operation (Probability of a dangerous failure per hour)

SafetyIntegrity

level


Refer to EN 61508-1:2010, Table 2 and Table 3

IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...



IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...

IEC 61508-5 presents five methods for determining the SIL:

1. The ALARP method

2. Quantitative method of SIL determination

3. The risk graph method

4. Layer of protection analysis (LOPA)

5. Hazardous event severity matrix



IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...

The ALARP method:

- Quantitative and qualitative risk targets

- Originated in UK

Source: EN 61508-5:2010, Annex C



IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...


1. The ALARP method







IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...

Quantitative method of SIL determination:

Source: EN 61508-5:2010, Annex C and D



IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...


1. The ALARP method







� Parameters:- Consequence (C)- Frequency of, and exposure time in, the hazardous zone (F)- Possibility of avoiding the hazardous event (P)- Probability of the unwanted occurrence (W)

IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...

The risk graph method:

Source: EN 61508-5:2010, Annex E



IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...


1. The ALARP method







IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...

Layer of protection analysis (LOPA):

Source: EN 61508-5:2010, Annex F



IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...


1. The ALARP method







IEC 61508

IEC 61511EN 50126/28/29

ISO 26262...

Hazardous event severity matrix:

Source: EN 61508-5:2010, Annex G


IEC 61511: Functional safety – Safety instrumented systems for the process

industry sector

� sets out the application of safety instrumented systems for the process

industries

� sensors, logic solvers and final elements

� logic solvers include E/E/PE technology

� IEC 61511 is process industry specific within the framework of the IEC 61508

series


IEC 61508IEC 61511

EN 50126/28/29ISO 26262

...


IEC 61511:

� 4 SILs: SIL 1 .. SIL 4

� The SIL definition is consistent with the definition given in the IEC 61508

� For the determination of the safety integrity all failure causes (hardware and systematic failures) that could lead to an unsafe state must be considered

� The safety integrity also depends on factors that cannot be considered quantitatively, but qualitatively.

� Several methods can be applied such as

- risk graphs,

- risk matrices,

- LOPA (Layer of Protection Analysis)


IEC 61508IEC 61511

EN 50126/28/29ISO 26262

...

Source: IEC 61511


EN 50126: Railway applications – The specification and

demonstration of Reliability, Availability, Maintainability and

Safety (RAMS)

EN 50128: Railway applications - Communications, signalling and

processing systems - Software for railway control and protection

systems

EN 50129: Railway applications – Communication, signalling and

processing systems – Safety related electronic systems for

signalling

� EN 50126 defines the management of RAMS for railway applications

� EN 50128 provides methods for software in order to meet the demands

for safety integrity that are resulting from the related standards

� EN 50129 is intended for the functional safety of railway signalling

systems and used for electronics in railway applications

TÜV Rheinland InterTraffic GmbH Focus on – EN 50126/28/29

IEC 61511EN 50126/28/29

ISO 26262ISO 13849

…


EN 50126:

� defines a number of discrete levels for specifying the safety integrity requirements of the safety functions to be allocated to the safety related systems.

� It is recommended that no more than 4 levels should be used

� A SIL shall only be allocated to an "element“ (lowest level equipment), namely a stand-alone equipment which performs one or more simple functions and which can be replaced by another one performing the same function(s)

� EN 50126 alone does not provide enough information to work consistently with a SIL.

� Using e.g. the draft EN 50126-2, one can find additional information.

� EN 50126-2 relates the SIL to the tolerable hazard rate (THR)

110-6≤ THR < 10-5

210-7≤ THR < 10-6

310-8≤ THR < 10-7

410-9≤ THR < 10-8

SILTHR (h-1)

IEC 61511EN 50126/28/29

ISO 26262ISO 13849

…

Refer to EN 50126-2, Table 5

TÜV Rheinland InterTraffic GmbHSIL definition and determination – EN 50126


EN 50128:� software can only have systematic failures, hence no random

failures and no THRs are discussed

� The SIL definition and determination is based on EN 50129 –however with one deviation. EN 50129 used a “SIL0” to denote that there is no specific safety requirement, whereas EN 50128 uses Software SIL0 to define a separate Software SIL (SSIL). This is the only difference between the SIL and the SSIL. The SSIL is required to be at least the same as the system SIL.

� The Software SIL is mainly identical to the SIL for hardware, asderived in EN 50129

Non safety-related0

Low1

Medium2

High3

Very High4

Description of software

safety integrity

Software safety

integrity level

IEC 61511EN 50126/28/29

ISO 26262ISO 13849

…

Refer to EN 50128, Section 5.2



EN 50129:

� In fact, EN 50129 is the standard that provides detailed information regarding the SIL

� The Safety integrity is specified as one of four discrete levels. Additionally, level 0 is used to indicate that there are no safety requirements

� SILs are used as a means of matching the qualitative approaches (to avoid systematic failures) with the quantitative approach (to control random failures), as it is not feasible to quantify systematic failures, thus resembling the IEC 61508 approach to SILs

IEC 61511EN 50126/28/29

ISO 26262ISO 13849

…



IEC 61511EN 50126/28/29

ISO 26262ISO 13849

…

Source: EN 50129, Annex A.5



ISO 26262: Road vehicles — Functional safety

� automobile-specific derivation of the IEC 61508

� applies to all activities during the safety lifecycle of

safety-related systems

� electrical, electronic, and software elements that provide

safety-related functions

� addresses passenger cars up to an allowed total weight

of 3.5 t

� the standard consists of ten parts

� the volumes 2 to 9 contain the requirements for the

development process and the product, whereas volume 1

and 10 are informative guides.

TÜV Rheinland InterTraffic GmbH Focus on – ISO 26262

EN 50126/28/29ISO 26262

ISO 13849IEC 62061

…


� The ISO 26262 specifies four levels of automotive SIL (ASIL A..D) for item's or element's necessary requirements and safety measures for avoiding an unreasonable residual risk

� The quantitative random hardware failure target values do not differ for ASIL B and C. Therefore, qualitative measures have to be applied in order to obtain higher requirements for ASIL C than ASIL B.

� The determination of quantitative targets for the ASILs is different from other safety standards like the IEC 61508 or EN 50126/EN 50129.

< 10-6 h-1A

< 10-7 h-1B

< 10-7 h-1C

< 10-8 h-1D

Random hardware failure targetsASIL

EN 50126/28/29ISO 26262

ISO 13849IEC 62061

…

Refer to: ISO 26262, Part 5, Annex G

TÜV Rheinland InterTraffic GmbHSIL definition and determination – ISO 26262


EN 50126/28/29ISO 26262

ISO 13849IEC 62061

…

Source: ISO 26262, Part 3

TÜV Rheinland InterTraffic GmbHSIL definition and determination – ISO 26262


ISO 13849: Safety of machinery — Safety-related parts of control systems

� for the design and integration of safety-related parts of control systems

(SRP/CS) of machinery

� applies to SRP/CS, regardless of the type of technology and energy used

(electrical, hydraulic, pneumatic, mechanical, etc.)

� for all kinds of machinery

� complies with the Machinery Directive

� use of this standard and/or the ISO 62061 can be presumed in order to fulfil

the safety related requirements for SRP/CS of different technologies


ISO 26262ISO 13849

IEC 62061ISO 25119

...


TÜV Rheinland InterTraffic GmbH SIL definition and determination – ISO 13849

� The ISO 13849 defines five performance levels (PL) that are discrete levels used to specify the ability of SRP/CS to perform a safety function under foreseeable conditions

� The PL can be set in relation to the SIL classification of IEC 61508

� PL ‘a’ has no correspondence on the SIL scale and is mainly used to reduce the risk of slight, normally reversible, injury. Since SIL 4 is dedicated to catastrophic events possible in the process industry, this range is not relevant for risks at machines. Thus PL ‘e’ corresponding to SIL 3 is defined as the highest level.

ISO 26262ISO 13849

IEC 62061ISO 25119

...

Source: ISO 13849



ISO 26262ISO 13849

IEC 62061ISO 25119

...

Source: ISO 13849, Annex A


IEC 62061: Safety of machinery – Functional safety of safety-related electrical,

electronic and programmable electronic control systems

� safety-related E/E/PE control systems for machinery

� can be seen as a further supporting standard for ISO 13849


ISO 13849IEC 62061


RTCA DO-178B



� Three SILs are defined by the IEC 62061 for the specification of safety integrity requirements of safety-relevant E/E/PE control functions

ISO 13849IEC 62061


RTCA DO-178B

Source: IEC 62061, Annex A

≥ 10-6 to < 10-51

≥ 10-7 to < 10-62

≥ 10-8 to < 10-73

Probability of dangerous failure per hour, PFHDSafetyintegrity

level


ISO 25119: Tractors and machinery for agriculture and forestry – Safety-related

parts of control systems

� E/E/PES components for tractors for agriculture and forestry

� self-propelled ride-on machines and mounted, semi-mounted and trailed machines used in agriculture and municipal equipment


ISO 13849IEC 62061ISO 25119




� The ISO 25119 defines an agricultural performance level (AgPL), which specifies the ability of safety related parts to perform a safety related function under foreseeable conditions

� The AgPL is divided into 5 levels (a – e) (compare to ISO 13849)

� The AgPL consists of four aspects:

- Hardware category,

- Mean time to (dangerous) failure,

- Diagnostic coverage,

- SRL (Software requirement level).

� The selection of appropriate values for these four aspects is necessary to achieve the required performance level. The appendices of ISO 25119-2 provide guidelines for estimating the MTTF and determining the diagnostic coverage.

ISO 13849IEC 62061ISO 25119




ISO 13849IEC 62061ISO 25119


Source: ISO 25119


Defence Standard 00-56-1: Safety management requirements for defence

systems

� British defence standard

� describes the requirements for safety management including hazard analysis

and safety assessment

� is applied to Ministry of Defence projects

TÜV Rheinland InterTraffic GmbH Focus on – DEF-STAN 00-56-1

ISO 13849IEC 62061ISO 25119

DEF-STAN 00-56-1

RTCA DO-178B


TÜV Rheinland InterTraffic GmbH SIL definition and determination – DEF-STAN

� Safety integrity has two components: random failure integrity and systematic failure integrity

� This is the same approach as that of the other standards

� Each abstract function shall be allocated a safety integrity level at the early design phases, and this shall be inherited by the components that implement the function.

� Based on the number of independent functions two SIL matrices are provided by this defence standard. The corresponding SIL is matched by the intersection of probability of function failure and accident severity, i.e. this standard utilizes only two parameters for the SIL determination. The approach is semi-quantitative.

ISO 13849IEC 62061ISO 25119

DEF-STAN 00-56-1

RTCA DO-178B


ISO 13849IEC 62061ISO 25119

DEF-STAN 00-56-1

RTCA DO-178B

Source: DEF-STAN 00-56-1

TÜV Rheinland InterTraffic GmbHSIL definition and determination – DEF-STAN


RTCA DO-178B: Software Considerations in Airborne Systems and Equipment

Certification

� is a software standard for aircrafts

� depending on the necessary level of risk reduction, it knows 5 different levels

� for each level, methods are described that have to be implemented in the

software process and in the software itself

TÜV Rheinland InterTraffic GmbH Focus on – RTCA DO-178B

ISO 13849IEC 62061ISO 25119



Software failure leads to failure with no effect on aircraft operational capability or pilot workload

E

Software failure leads to minor failureD

Software failure leads to major failureC

Software failure leads to hazardous / severe-major failureB

Software failure leads to catastrophic failureA

DefinitionSoftware Level

ISO 13849IEC 62061ISO 25119


Refer to: RTCA DO-178B

TÜV Rheinland InterTraffic GmbHSIL definition and determination – DO-178B



I. Insight: SIL



IV. Sum up!


� Various SIL determination methods... No common method broadly used

� Dependent on applications, risks, national politics and social standards etc.

� Different methods -> different results

� Even SILs dedicated to comparable levels of risk reduction ask for different design rules and measures against systematic failures.

� Safety integrity levels are given different names: safety integrity levels, software safety integrity levels, automotive SIL, agricultural performance levels, performance levels. The situation might even become worse, when the English terminology is translated into other language…

TÜV Rheinland InterTraffic GmbH Contents


� Strictly speaking, EN 50126 can hardly be considered as a standalone standard for SIL

definition and determination, because EN 50129 or a guideline needs to be applied. In

particular, EN 50126 refers to Report R009-001:1997 for safety integrity (levels).

� Currently EN 50128 and EN 50129 give precise (HR, R, M,…) definitions for techniques

and measures for each safety integrity levels and their use for signalling systems,

however, leaving many open questions for other railway sub-systems

� Contrary to other safety standards, e.g., the ISO 25119 does not define any quantitative

levels in terms of tolerable hazard rates. This makes it cumbersome to compare these

standards with others or to convert safety integrity levels into agricultural performance

levels.



� However, all the SILs have also things in common:

- They all describe a necessary amount of risk reduction (methods and techniques, human behavior), necessary in order to reach an acceptable risk level.

- Mostly all types of SILs consist of a set of measures against random hardware failures and systematic (hardware and software) failures.

- Requirements for design and development processes are given for each SIL and mostly a tolerable rate of dangerous failures per hour is provided per SIL to reduce random failures.

� Nevertheless, it is not easy to understand all these different SILs with different names for different areas of technology…



Thank you very much foryour attention!

Questions are welcome!

TÜV Rheinland InterTraffic GmbH

Safety in Transportation 4

the agri-motive safety performance integrity level – or how...

Documents