
Safety Critical Systems Handbook.pdf

1.1 Risk and the Need for Safety Targets
1.2 Quantitative and Qualitative Safety Targets
1.3 The Life-cycle Approach
Section 7.1 of Part 1
Concept and scope [Part 1 – 7.2 and 7.3]
Hazard and risk analysis [Part 1 – 7.4]
Safety requirements and allocation [Part 1 – 7.5 and 7.6]
Plan operations and maintenance [Part 1 – 7.7]
Install and commission [Part 1 – 7.13]
Validate that the safety-systems meet the requirements [Part 1 – 7.14]
Operate, maintain, and repair [Part 1 – 7.15]
Control modifications [Part 1 – 7.16]
Disposal [Part 1 – 7.17]
Verification [Part 1 – 7.18]
Functional safety assessments [Part 1 – 8]
1.4 Steps in the Assessment Process
Step 1. Establish Functional Safety Capability (i.e. Management)
Step 2. Establish a Risk Target
Step 3. Identify the Safety Related Function(s)
Step 4. Establish SILs for the Safety-related Elements
Step 5. Quantitative Assessment of the Safety-related System
Step 6. Qualitative Assessment Against the Target SILs
Step 7. Establish ALARP
1.5 Costs
1.5.1 Costs of Applying the Standard
1.5.2 Savings From Implementing the Standard
1.5.3 Penalty Costs From Not Implementing the Standard
1.6 The Seven Parts of IEC 61508
2.1 Establishing Integrity Targets
2.1.1 The Quantitative Approach
(a) Maximum tolerable risk
More complex example
(d) Exercises
2.1.2 LOPA (Levels of Protection Analysis)
2.1.3 The Risk Graph Approach
2.1.4 Safety Functions
2.1.5 “Not Safety-Related”
2.1.6 SIL 4
2.1.7 Environment and Loss of Production
2.1.8 Malevolence and Misuse
Paragraph 7.4.2.3 of part 1 of the standard
2.2 ALARP (‘As Low as Reasonably Practicable’)
2.3 Functional Safety Management and Competence
2.3.1 Functional Safety Capability Assessment
2.3.2 Competency
(a) IET/BCS “Competency guidelines for safety-related systems practitioners”
(b) HSE document 2007 “Managing competence for safety-related systems”
(c) Annex D of “Guide to the application of IEC61511”
IEC 61508 Part 1
3.1 Organizing and Managing the Life-cycle
Sections 7.1 of the Standard: Table ‘1’
3.2 Requirements Involving the Specification
7.2 of the Standard: Table B1 [avoidance]
3.3 Requirements for Design and Development
(a) Claim via SFF (known, in the Standard, as Route 1H)
(b) Claim via field failure data (7.4.4.2 of Part 2) (known, in the Standard, as Route 2H)
3.3.3 Random Hardware Failures
7.4.5
3.4 Integration and Test (Referred to as Verification)
7.5 and 7.9 of the Standard Table B3 [avoidance]
3.5 Operations and Maintenance
7.6 Table B4 [Avoidance]
3.6 Validation (Meaning Overall Acceptance Test and the Close-out of Actions)
7.3 and 7.7: Table B5
3.7 Safety Manuals
7.4.9.3–7 and App D
3.8 Modifications
7.8
3.9 Acquired Sub-systems
3.10 “Proven in Use” (Referred to as Route 2s in the Standard)
3.11 ASICs and CPU Chips
(a) Digital ASICs and User Programmable ICs
7.4.6.7 and Annex F of the Standard
(b) Digital ICs With On-chip Redundancy (up to SIL 3)
3.12 Conformance Demonstration Template
IEC 61508 PART 2
4.1 Organizing and Managing the Software Engineering
4.1.1 Section 7.1 and Annex G of the Standard Table ‘1’
4.2 Requirements Involving the Specification
7.2 of the Standard: Table A1
4.3 Requirements for Design and Development
4.4 Integration and Test (Referred to as Verification)
Paragraphs 7.4.7, 7.4.8, Tables A5, B2, B3, B6, B8
4.4.2 Overall Integration Testing
Paragraph 7.5, Table A6
4.5 Validation (Meaning Overall Acceptance Test and Close Out of Actions)
Paragraphs 7.3, 7.7, 7.9, Table A7
4.6 Safety Manuals
Annex D
4.7 Modifications
Paragraph 7.6, 7.8, Table A 8 and B9
4.8 Alternative Techniques and Procedures
4.9 Data Driven Systems
4.9.1 Limited Variability Configuration, Limited Application Configurability
4.9.2 Limited Variability Configuration, Full Application Configurability
4.9.3 Limited Variability Programming, Limited Application Configurability
4.9.4 Limited Variability Programming, Full Application Configurability
4.10 Some Technical Comments
4.10.1 Static Analysis
4.10.2 Use of “Formal” Methods
4.11 Conformance Demonstration Template
Failure Rate and Unavailability
Creating a Reliability Model
Block Diagram Analysis
Common Cause Failure (CCF)
(a) Categories of factors
(b) Scoring
(c) Taking account of diagnostic coverage
(d) Sub-dividing the checklists according to the effect of diagnostics
(e) Establishing a model
(f) Non-linearity
(g) Equipment type
(h) Calibration
1 out of 6
5 out of 6
Fault Tree Analysis
Taking Account of Auto-test
Human Factors
Addressing Human Factors
Human Error Rates
“HEART” method
“TESEO” method
A Rigorous Approach
Chapter 6 - Failure Rate and Mode Data
Data Accuracy
Sources of Data
Electronic Failure Rates
Other General Data Collections
Some Older Sources
Manufacturer's Data
Anecdotal Data
Data Ranges and Confidence Levels
For a Prediction Using Site Specific Data
For a Prediction Using Industry Specific Data
For a Prediction Using Generic Data
Conclusions
Now try the exercise and the example, which are Chapters 11 and 12.
Chapter 7 - Demonstrating and Certifying Conformance
Demonstrating Conformance
The Current Framework for Certification
Self Certification (Including Some Independent Assessment)
Showing Functional Safety Capability (FSM) as Part of the Quality Management System
Application of IEC 61508 to Projects/Products
Rigor of Assessment
Independence
Preparing for Assessment
Summary
8 - Second-tier Documents – Process, Oil and Gas Industries
8.1 IEC International Standard 61511: Functional Safety – Safety Instrumented Systems for the Process Industry Sector
8.1.1 Organizing and Managing the Life-cycle
8.1.2 Requirements Involving the Specification
8.1.3 Requirements for Design and Development
(a) Selection of components and subsystems
(b) Architecture (i.e. safe failure fraction)
(c) Predict the random hardware failures
(d) Software
(i) Requirements
(ii) Software library modules
(iii) Software design specification
(iv) Code
(v) Programming support tools
8.1.4 Integration and Test (Referred to as Verification)
8.1.5 Validation (Meaning Overall Acceptance Test and Close-out of Actions)
8.1.6 Modifications
8.1.7 Installation and Commissioning
8.1.8 Operations and Maintenance
8.1.9 Conformance Demonstration Template
8.2 Institution of Gas Engineers and Managers IGEM/SR/15: Programmable Equipment in Safety-related Applications – 5th Edition 2010
8.3 Guide to the Application of IEC 61511 to Safety Instrumented Systems in the UK Process Industries
8.4 ANSI/ISA-84.00.01 (2004) – Functional Safety, Instrumented Systems for the Process Sector
8.5 Recommended Guidelines for the Application of IEC 61508 and IEC 61511 in the Petroleum Activities on the Norwegian Continen ...
9 - Machinery Sector
9.1 EN ISO 14121
9.2 EN ISO 13849
The Assessment
9.2.1 Systematic Failures
9.3 BS EN 62061
9.3.1 Targets
9.3.2 Design
Rail
European Standard EN 50126: Railway Applications – The Specification and Demonstration of Dependability, Reliability, Maint ...
EN 50126, EN 50128 and EN 50129
Engineering Safety Management (known as The Yellow Book) – Issue 4.0 2005
Railway safety case
Engineering safety case
UK MOD Documents
Defence Standard 00-56 (Issue 4.0): Hazard Management for Defence Systems
Earth Moving Machinery
EN 474: Earth Moving Machinery – Safety
C Coding Standard (MISRA – Motor Industries Research Association) – Development Guidelines for Vehicle Based Programmable S ...
Automotive
MISRA (Motor Industry Software Reliability Association), 2007: Guidelines for Safety Analysis of Vehicle Based Software
ISO/DIS 25119: Tractors and Machinery for Agriculture
IEC International Standard 61513: Nuclear Power Plants – Instrumentation and Control for Systems Important to Safety – Gene ...
Avionics
RTCA DO-178B/EUROCAE ED-12B: Software Considerations in Airborne Systems and Equipment Certification
RTCA/DO-254: Design Assurance Guidance for Airborne Electronic Hardware
Medical – IEC 60601: Medical Electrical Equipment, General Requirements for Basic Safety and Essential Performance
Stage and Theatrical Equipment
SR CWA 15902-1:2009 Lifting and Load-bearing Equipment for Stages and other Production Areas within the Entertainment Industry
Electrical Power Drives
BS EN 61800-5-2:2007 Adjustable Speed Electrical Power Drive Systems
Documents which are now Withdrawn
UKOOA: Guidelines for Process Control and Safety Systems on Offshore Installations
EEMUA Guidelines, Publication No 160: Safety-related Instrument Systems for the Process Industry (Including Programmable El ...
IEE Publication, SEMSPLC, 1996: Safety-related Application Software for Programmable Logic Controllers
MOD Standard 00-54: Requirements for Safety-related Electronic Hardware in Defense Equipment
MOD Standard 00-55: The Procurement of Safety Critical Software in Defense Equipment
MOD Standard 00-58: A Guideline for HAZOP Studies on Systems which Include Programmable Electronic Systems
Instrumentation Systems and Automation Society S84.01, 1996: Application of Safety Instrumented Systems for the Process Ind ...
Chapter 11 - Pressure Control System Exercise
The Unprotected System
Protection System
Assumptions
Reliability Block Diagram
Failure Rate Data
Quantifying the Model
Proposed Design and Maintenance Modifications
Modeling Common Cause Failure (Pressure Transmitters)
Quantifying the Revised Model
ALARP
Architectural Constraints
Executive Summary and Recommendations
Objectives
Targets
Results
Recommendations
Objectives
Integrity Requirements
Assumptions
Specific
General
Results
Random Hardware Failures
Qualitative Requirements
Requirements
Design and language
Fault tolerance
Documentation and change control
Design review
Test (applies to both hardware and software)
Integrity assessment
Quality, safety and management
Installation and commissioning
ALARP
Failure Rate Data
References
Annex I Fault tree details
Chapter 13 - SIL Targeting – Some Practical Examples
A Problem Involving EUC/SRS Independence
A Hand-held Alarm Intercom, Involving Human Error in the Mitigation
Maximum Tolerable Failure Rate Involving Alternative Propagations to Fatality
Concentration of Gas on Site
Spread of Gas to Nearby Habitation
Hot/cold Water Mixer Integrity
Scenario Involving High Temperature Gas to a Vessel
ALARP
Example using the LOPA Technique
Chapter 14 - Hypothetical Rail Train Braking System Example
The Systems
The SIL Targets
Assumptions
Failure Rate Data
Reliability Models
Primary Braking System (High Demand)
Emergency Braking System (Low Demand)
Overall Safety Integrity
Chapter 15 - Rotorcraft Accidents and Risk Assessment
Helicopter Incidents
Floatation Equipment Risk Assessment
Assessment of the Scenario
ALARP
Chapter 16 - Hydro-electric Dam and Tidal Gates
Flood-gate Control System
Targets
Assessment
Common cause failures (CCFs)
Assumptions
Failure rates of component parts
Results and conclusions
Spurious Opening of Either of Two Tidal Lock Gates Involving a Trapped Vessel
We shall now address ALARP
Safety Critical Systems Handbook
Copyright
IEC 61508
A Quick Overview
Now read on!
The 2010 Version of IEC 61508
Architectural Constraints (Chapter 3)
Security (Chapter 2)
Safety Specifications (Chapter 3)
Digital Communications (Chapter 3)
ASICs and Integrated Circuits (Chapters 3 and 4)
Safety Manual (Chapters 3 and 4)
Synthesis of Elements (Chapter 3)
Software Properties of Techniques (Chapter 4)
Element (Appendix 8)
Acknowledgements
Part A - The Concept of Safety Integrity
Part B - Specific Industry Sectors
Part C Case Studies in the Form of Exercises and Examples
Appendix 1 - Functional Safety Management
Template Procedure
Company Standard xxx Implementation of Functional Safety
Contents
Purpose of document
Scope
Functional safety policy
Quality & safety plan
Competencies
Sample entry in the competency register
Review of requirements and responsibilities
Source of the requirement
Contract or project review
Assigning responsibilities
Functional safety specification
Life-cycle activities
Integrity targeting
Random hardware failures
ALARP (As Low As Reasonably Practicable)
“Architectures”
Life-cycle activities
Functional safety capability
Audit
Changes
Failures
Placing requirements onto suppliers
Functional safety assessment report
Implementation
Validation
Annex A
Notes on the Second-level Work Instructions 001-008
Appendix 2 - Assessment Schedule
Defining the Assessment and the Safety System
Describing the Hazardous Failure Mode and Safety Targets
Assessing the Random Hardware Failure Integrity of the Proposed Safety-related System
Assessing the Qualitative Integrity of the Proposed Safety-related System
Reporting and Recommendations
Assessing Vendors
Addressing Capability and Competence
Appendix 3 - Betaplus CCF Model, Scoring Criteria
Checklist for Equipment Containing Programmable Electronics
Separation/segregation
Diversity
Complexity/design/application/maturity/experience
Assessment/analysis and feedback of data
Procedures/human interface
Competence/training/safety culture
Environmental control
Environmental testing
Checklist and Scoring for Non-programmable Equipment
Separation/segregation
Diversity
Complexity/design/application/maturity/experience
Assessment/analysis and feedback of data
Procedures/human interface
Competence/training/safety culture
Environmental control
Environmental testing
Assessing Safe Failure Fraction and Diagnostic Coverage
1 Failure Mode and Effect Analysis
2 Rigor of the Approach
Appendix 5 - Answers to Examples
Answer to Exercise 1 (Chapter 2.1.1d)
Answer to Exercise 2 (Chapter 2.1.1d)
Answer 2.1
Answer 2.2
Answer to Exercise 3 (Chapter 2.1.1d)
Answer to Exercise 4 (Chapter 2.2)
Answer to Exercises (Chapter 11)
Protection system
Reliability block diagram
Quantifying the model
Revised diagrams
Quantifying the revised model
ALARP
Architectural constraints
Comments on Example (Chapter 12)
Integrity requirements
ALARP
Failure rate data
Other items
Appendix 6 - References
Appendix 7 - Quality and Safety Plan
Responsibilities (by name and must be listed in the company competency register)
Life-cycle Details
Hazard Analysis and Risk Assessment
Items/deliverables to be Called for and Described in Outline
Document Hierarchy
List of Hardware Modules
List of Software Items
Safety Manual
Review Plan
Test Plan
Validation Plan/report
Descriptions of
Appendix 8 - Some Terms and Jargon of IEC 61508
Software packages
FARADIP.THREE £450
TTREE £775
Betaplus £125
Index
CHAPTER 1 The Meaning and Context of Safety Integrity Targets

Chapter Outline
1.1 Risk and the Need for Safety Targets 4
1.2 Quantitative and Qualitative Safety Targets 7
1.3 The Life-cycle Approach 10
Section 7.1 of Part 1 10
Concept and scope [Part 1 – 7.2 and 7.3] 11
Hazard and risk analysis [Part 1 – 7.4] 12
Safety requirements and allocation [Part 1 – 7.5 and 7.6] 12
Plan operations and maintenance [Part 1 – 7.7] 12
Plan the validation [Part 1 – 7.8] 12
Plan installation and commissioning [Part 1 – 7.9] 12
The safety requirements specification [Part 1 – 7.10] 12
Design and build the system [Part 1 – 7.11 and 7.12] 12
Install and commission [Part 1 – 7.13] 12
Validate that the safety-systems meet the requirements [Part 1 – 7.14] 12
Operate, maintain, and repair [Part 1 – 7.15] 13
Control modifications [Part 1 – 7.16] 13
Disposal [Part 1 – 7.17] 13
Verification [Part 1 – 7.18] 13
Functional safety assessments [Part 1 – 8] 13
1.4 Steps in the Assessment Process 13
Step 1. Establish Functional Safety Capability (i.e. Management) 13
Step 2. Establish a Risk Target 13
Step 3. Identify the Safety Related Function(s) 14
Step 4. Establish SILs for the Safety-related Elements 14
Step 5. Quantitative Assessment of the Safety-related System 14
Step 6. Qualitative Assessment Against the Target SILs 14
Step 7. Establish ALARP 14
1.5 Costs 15
1.5.1 Costs of Applying the Standard 15
1.5.2 Savings From Implementing the Standard 16
1.5.3 Penalty Costs from not Implementing the Standard 16
1.6 The Seven Parts of IEC 61508 16

Safety Critical Systems Handbook. DOI: 10.1016/B978-0-08-096781-3.10001-X
Copyright © 2011 Dr David J Smith and Kenneth G L Simpson. Published by Elsevier Ltd. All rights of reproduction in any form reserved.
1.1 Risk and the Need for Safety Targets

There is no such thing as zero risk. This is because no physical item has zero failure rate, no human being makes zero errors and no piece of software design can foresee every operational possibility. Nevertheless public perception of risk, particularly in the aftermath of a major incident, often calls for the zero risk ideal. However, in general most people understand that this is not practicable, as can be seen from the following examples of everyday risk of death from various causes:

All causes (mid-life including medical)    1 × 10^-3 pa
All accidents (per individual)             5 × 10^-4 pa
Accident in the home                       4 × 10^-4 pa
Road traffic accident                      6 × 10^-5 pa
Natural disasters (per individual)         2 × 10^-6 pa

Therefore the concept of defining and accepting a tolerable risk for any particular activity prevails. The actual degree of risk considered to be tolerable will vary according to a number of factors such as the degree of control one has over the circumstances, the voluntary or involuntary nature of the risk, the number of persons at risk in any one incident and so on. This partly explains why the home remains one of the highest areas of risk to the individual in everyday life since it is there that we have control over what we choose to do and are therefore prepared to tolerate the risks involved.

A safety technology has grown up around the need to set target risk levels and to evaluate whether proposed designs meet these targets, be they process plant, transport systems, medical equipment or any other application. In the early 1970s people in the process industries became aware that, with larger plants involving higher inventories of hazardous material, the practice of learning by mistakes (if indeed we do) was no longer acceptable. Methods were developed for identifying hazards and for quantifying the consequences of failures. They were evolved largely to assist in the decision-making process when developing or modifying plant.
External pressures to identify and quantify risk were to come later. By the mid 1970s there was already concern over the lack of formal controls for regulating those activities which could lead to incidents having a major impact on the health and safety of the general public. The Flixborough incident in June 1974, which resulted in 28 deaths, focused UK public and media attention on this area of technology. Many further events, such as that at Seveso (Italy) in 1976 through to the Piper Alpha offshore disaster and more recent Paddington (and other) rail incidents, have kept that interest alive and have given rise to the publication of guidance and also to legislation in the UK.

The techniques for quantifying the predicted frequency of failures are just the same as those previously applied to plant availability, where the cost of equipment failure was the prime concern. The tendency in the last few years has been towards a more rigorous application of these techniques (together with third party verification) in the field of hazard assessment. They include Fault Tree Analysis, Failure Mode & Effect Analysis, Common Cause Failure Assessment and so on. These will be explained in Chapters 5 and 6.

Hazard assessment of process plant, and of other industrial activities, was common in the 1980s but formal guidance and standards were rare and somewhat fragmented. Only Section 6 of the Health and Safety at Work Act 1974 underpinned the need to do all that is reasonably practicable to ensure safety. However, following the Flixborough disaster, a series of moves (including the Seveso directive) led to the CIMAH (Control of Industrial Major Accident Hazards) regulations, 1984, and their revised COMAH form (Control of Major Accident Hazards) in 1999. The adoption of the Machinery Directive by the EU, in 1989, brought the requirement for a documented risk analysis in support of CE marking.

Nevertheless, these laws and requirements do not specify how one should go about establishing a target tolerable risk for an activity, nor do they address the methods of assessment of proposed designs nor provide requirements for specific safety-related features within design. The need for more formal guidance has long been acknowledged.

Until the mid 1980s risk assessment techniques tended to concentrate on quantifying the frequency and magnitude of consequences arising from given risks. These were sometimes compared with loosely defined target values but, being a controversial topic, such targets (usually in the form of fatality rates) were not readily owned up to or published. EN 1050 (Principles of risk assessment), in 1996, covered the processes involved in risk assessment but gave little advice on risk reduction. For machinery control EN 954-1 (see Chapter 10) provided some guidance on how to reduce risks associated with control systems but did not specifically include PLCs (programmable logic controllers) which were separately addressed by other IEC (International Electrotechnical Commission) and CENELEC (European Committee for Standardization) documents.

The proliferation of software during the 1980s, particularly in real time control and safety systems, focused attention on the need to address systematic failures since they could not necessarily be quantified. In other words whilst hardware failure rates were seen as a credibly predictable measure of reliability, software failure rates were generally agreed not to be predictable. It became generally accepted that it was necessary to consider qualitative defenses against systematic failures as an additional, and separate, activity to the task of predicting the probability of so called random hardware failures.
In 1989, the HSE (Health and Safety Executive) published guidance which encouraged this dual approach of assuring functional safety of programmable equipment. This led to IEC work, during the 1990s, which culminated in the international safety Standard IEC 61508 – the main subject of this book.

The IEC Standard is concerned with electrical, electronic and programmable safety-related systems where failure will affect people or the environment. It has a voluntary, rather than legal, status in the UK but it has to be said that to ignore it might now be seen as “not doing all that is reasonably practicable” in the sense of the Health and Safety at Work Act and a failure to show “due diligence”. As use of the Standard becomes more and more widespread it can be argued that it is more and more “practicable” to use it. The Standard was revised and re-issued in 2010.

Figure 1.1 shows how IEC 61508 relates to some of the current legislation. The purpose of this book is to explain, in as concise a way as possible, the requirements of IEC 61508 and the other industry-related documents (some of which are referred to as 2nd tier guidance) which translate the requirements into specific application areas.

[Figure 1.1: How IEC 61508 relates to some of the current legislation. Boxes in the diagram: HEALTH & SAFETY AT WORK ACT 1974; SEVESO DIRECTIVE 1976; CIMAH 1984; COMAH 1999; MACHINERY DIRECTIVE 1989; IEC 61508. Labels on the links: “INVOKES (Indirectly)” and “Provides supporting evidence to Regulators”.]
The Standard, as with most such documents, has considerable overlap, repetition, and some degree of ambiguity, which places the onus on the user to make interpretations of the guidance and, in the end, apply his/her own judgement.

The question frequently arises as to what is to be classified as safety-related equipment. The term ‘safety-related’ applies to any hard-wired or programmable system where a failure, singly or in combination with other failures/errors, could lead to death, injury or environmental damage. The terms “safety-related” and “safety-critical” are often used and the distinction has become blurred. “Safety-critical” has tended to be used where failure alone, of the equipment in question, leads to a fatality or increase in risk to exposed people. “Safety-related” has a wider context in that it includes equipment in which a single failure is not necessarily critical whereas coincident failure of some other item leads to the hazardous consequences.

A piece of equipment, or software, cannot be excluded from this safety-related category merely by identifying that there are alternative means of protection. This would be to pre-judge the issue and a formal safety integrity assessment would still be required to determine whether the overall degree of protection is adequate.

1.2 Quantitative and Qualitative Safety Targets

In an earlier paragraph we introduced the idea of needing to address safety-integrity targets both quantitatively and qualitatively:

Quantitatively: where we predict the frequency of hardware failures and compare them with some tolerable risk target. If the target is not satisfied then the design is adapted (e.g. provision of more redundancy) until the target is met.

Qualitatively: where we attempt to minimize the occurrence of systematic failures (e.g. software errors) by applying a variety of defenses and design disciplines appropriate to the severity of the tolerable risk target.
It is important to understand why this twofold approach is needed. Prior to the 1980s, system failures could usually be identified as specific component failures (e.g. relay open circuit, capacitor short circuit, motor fails to start). However, since then the growth of complexity (including software) has led to system failures of a more subtle nature whose cause may not be attributable to a catastrophic component failure. Hence we talk of:

Random hardware failures: which are attributable to specific component failures and to which we attribute failure rates. The concept of “repeatability” allows us to model proposed systems by means of associating past failure rates of like components together to predict the performance of the design in question.

and

Systematic failures: which are not attributable to specific component failures and are therefore unique to a given system and its environment. They include design tolerance/timing related problems, failures due to inadequately assessed modifications and, of course, software. Failure rates cannot be ascribed to these incidents since they do not enable us to predict the performance of future designs.

Quantified targets can therefore be set for the former (random hardware failures) but not for the latter. Hence the concept emerges of an arbitrary number of levels of rigor/excellence in the control of the design and operations. The ISO 9001 concept of a qualitative set of controls is somewhat similar and is a form of single “SIL”. In the Functional Safety profession the practice has been to establish four such levels of rigor according to the severity of the original risk target.

During the 1990s this concept of safety-integrity levels (known as SILs) evolved and is used in the majority of documents in this area. The concept is to divide the “spectrum” of integrity into four discrete levels and then to lay down requirements for each level. Clearly, the higher the SIL then the more stringent become the requirements. In IEC 61508 (and in most other documents) the four levels are defined as shown in Table 1.1.

Note that had the high demand SIL bands been expressed as “per annum” then the tables would appear numerically similar. However, being different parameters, they are NOT even the same dimensionally. Thus the “per hour” units are used to minimize confusion.

The reason for there being effectively two tables (high and low demand) is that there are two ways in which the integrity target may need to be described. The difference can best be understood by way of examples. Consider the motor car brakes. It is the rate of failure which is of concern because there is a high probability of suffering the hazard immediately each failure occurs. Hence we have the middle column of Table 1.1. On the other hand, consider the motor car air bag.
This is a low demand protection system in the sense that demands on it are infrequent (years or tens of years apart). Failure rate alone is of little use to describe its integrity since the hazard is not incurred immediately each failure occurs and we therefore have to take into consideration the test interval. In other words, since the demand is infrequent, failures may well be dormant and persist during the test interval.

Table 1.1: Safety Integrity Levels (SILs)

Safety integrity level    High demand rate (dangerous failures/hr)    Low demand rate (probability of failure on demand)
4                         ≥ 10^-9 to < 10^-8                           ≥ 10^-5 to < 10^-4
3                         ≥ 10^-8 to < 10^-7                           ≥ 10^-4 to < 10^-3
2                         ≥ 10^-7 to < 10^-6                           ≥ 10^-3 to < 10^-2
1                         ≥ 10^-6 to < 10^-5                           ≥ 10^-2 to < 10^-1

What is of interest is the combination of failure rate and down time and we therefore specify the probability of failure on demand (PFD): hence the right hand column of Table 1.1. In IEC 61508 (clause 3.5.14 of part 4) the high demand definition is called for when the demand on a safety related function is greater than once per annum and the low demand definition when it is less frequent.

In Chapter 2 we will explain the ways of establishing a target SIL and it will be seen that the IEC 61508 Standard then goes on to tackle the two areas of meeting the quantifiable target and addressing the qualitative requirements separately. A frequent misunderstanding is to assume that if the qualitative requirements of a particular SIL are observed the numerical failure targets, given in Table 1.1, will automatically be achieved. This is most certainly not the case since the two issues are quite separate. The quantitative targets refer to random hardware failures and are dealt with in Chapters 5 and 6. The qualitative requirements refer to quite different types of failure whose frequency is NOT quantified and are thus dealt with separately. The assumption, coarse as it is, is that by spreading the rigor of requirements across the range SIL 1 – SIL 4, which in turn covers the credible range of achievable integrity, the achieved integrity is likely to coincide with the measures applied.

A question sometimes asked is: If the quantitative target is met by the predicted random hardware failure probability then what allocation should there be for the systematic (software) failures? The target is to be applied equally to random hardware failures and to systematic failures. In other words the numerical target is not divided between the two but applied to the random hardware failures. The corresponding SIL requirements are then applied to the systematic failures.
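As an added illustration (not code from the handbook), the Table 1.1 bands and the clause 3.5.14 demand-mode rule written out in Python, including the per-annum versus per-hour caveat the text raises: the same figure banded in the wrong units lands far outside the table. The single-channel PFD estimate λ × (T/2 + MTTR) and the sample failure rates are assumptions of this example, not figures stated on this page.

```python
"""IEC 61508 SIL banding per Table 1.1 and the clause 3.5.14 demand-mode rule.

Added example, not code from the handbook. Band limits are those of
Table 1.1. The single-channel PFD estimate lambda * (T/2 + MTTR) used in
pfd_single_channel() is a common approximation and an assumption of this
example, not a formula stated on this page.
"""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0

# Table 1.1, high demand: dangerous failures per HOUR, as [lower, upper) bands.
HIGH_DEMAND_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}
# Table 1.1, low demand: probability of failure on demand, as [lower, upper) bands.
LOW_DEMAND_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def demand_mode(demands_per_year: float) -> str:
    """Clause 3.5.14 of Part 4: more than one demand per annum is high demand."""
    return "high" if demands_per_year > 1.0 else "low"


def _band(value: float, bands: dict) -> Optional[int]:
    """Return the SIL whose band contains value, or None if it lies outside
    Table 1.1 (worse than SIL 1, or better than the SIL 4 band)."""
    for sil, (lower, upper) in bands.items():
        if lower <= value < upper:
            return sil
    return None


def sil_high_demand(dangerous_failures_per_hour: float) -> Optional[int]:
    return _band(dangerous_failures_per_hour, HIGH_DEMAND_BANDS)


def sil_low_demand(pfd: float) -> Optional[int]:
    return _band(pfd, LOW_DEMAND_BANDS)


def per_annum_to_per_hour(rate_pa: float) -> float:
    """Table 1.1 is in failures per hour; a rate quoted 'pa' must be converted
    before banding, otherwise the dimensional mix-up the text warns about occurs."""
    return rate_pa / HOURS_PER_YEAR


def pfd_single_channel(failure_rate_per_hour: float, proof_test_interval_hours: float,
                       mttr_hours: float = 0.0) -> float:
    """Assumed approximation: a dormant dangerous failure persists, on average,
    for half the proof-test interval plus the repair time."""
    return failure_rate_per_hour * (proof_test_interval_hours / 2.0 + mttr_hours)


@dataclass
class SafetyFunction:
    name: str
    demands_per_year: float
    dangerous_failure_rate_per_hour: float
    proof_test_interval_hours: float = HOURS_PER_YEAR  # only used in low demand
    mttr_hours: float = 0.0


def classify(fn: SafetyFunction) -> dict:
    """Pick the Table 1.1 column from the demand mode, then band the metric."""
    mode = demand_mode(fn.demands_per_year)
    if mode == "high":
        # Brakes-type function: the hazard follows each failure, so band the rate.
        metric = fn.dangerous_failure_rate_per_hour
        sil = sil_high_demand(metric)
    else:
        # Air-bag-type function: failures lie dormant until tested, so band the PFD.
        metric = pfd_single_channel(fn.dangerous_failure_rate_per_hour,
                                    fn.proof_test_interval_hours, fn.mttr_hours)
        sil = sil_low_demand(metric)
    return {"name": fn.name, "mode": mode, "metric": metric, "sil": sil}


if __name__ == "__main__":
    # Constructed sample figures, not data from the handbook.
    brakes = SafetyFunction("car brakes", demands_per_year=5000,
                            dangerous_failure_rate_per_hour=3e-7)
    airbag = SafetyFunction("air bag", demands_per_year=0.05,
                            dangerous_failure_rate_per_hour=1e-6)
    for fn in (brakes, airbag):
        print(classify(fn))
    # The same number read as 'per annum' converts to ~3.4e-11/hr, outside Table 1.1.
    print(sil_high_demand(3e-7), sil_high_demand(per_annum_to_per_hour(3e-7)))
```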
In any case, having regard to the accuracy of quantitative predictions (see Chapter 6), the point may not be that important. The 2010 version implies this in 7.4.5.1 of Part 2.

The following should be kept in mind:

SIL 1: is relatively easy to achieve especially if ISO 9001 practices apply throughout the design providing that Functional Safety Capability is demonstrated.

SIL 2: is not dramatically harder than SIL 1 to achieve although clearly involving more review and test and hence more cost. Again, if ISO 9001 practices apply throughout the design, it should not be difficult to achieve. (SILs 1 and 2 are not dramatically different in terms of the life-cycle activities)

SIL 3: involves a significantly more substantial increment of effort and competence than is the case from SIL 1 to SIL 2. Specific examples are the need to revalidate the system following design changes and the increased need for training of operators. Cost and time will be a significant factor and the choice of vendors will be more limited by lack of ability to provide SIL 3 designs.