TÜV Rheinland Industrie Service GmbH
Automation and Functional Safety (AFS)

Programmable Systems

1. General
2. System Structures
3. Standards
4. Conditions and Restrictions
5. Product-independent Conditions and Restrictions
6. Recommended Features of safety-related Engineering Software

General

There are considerable restrictions on the use of the PES, especially the timing restrictions that apply after faults have been detected. These timing restrictions depend on calculations or applications. Refer to the detailed test reports of the respective TÜV test institute.

The reference list represents a common list of the working group "Safety Related PES" of IQSE (TÜV Product Service) and ASI (TÜV Rheinland). It has been compiled to give end users an overview of type-certified PES. The list will be updated periodically. With this reference list both test authorities fulfil the requirement given by their European standard EN 45001 and EN 45011 accreditations to publish a list of type-approved systems.

All of the above mentioned PES assume that the zero signal of binary inputs and outputs represents the defined safe state for the application.

All of the above mentioned PESs with the system structures 1oo1 (1v1) and 1oo2 (2v2) and test reports dated 1989 or later provide fault tolerance for the I/O boards. If independent groups of I/O boards have been defined during configuration or application programming, depending upon the product, a fault localised on an I/O board will lead to a shutdown of the associated safety-related group only. Groups of I/O boards can only be mutually independent if the connected I/O signals belong to independent parts of the application. Independent means that a part of the application has no safety relation with any other part of the application.
Beginning with the publication of DIN V 19250 and DIN V VDE 0801 in January 1990, the classification and certification have been performed according to the safety categories of DIN V 19250 and the safety requirements of DIN V VDE 0801. All executed certifications take into consideration the requirements of a typical application standard, e.g. furnace control. As an alternative, typical application requirements (e.g. fault models, test methods, process reaction time, fault tolerance) are used. The specific application sectors covered by the certification are listed in the test report.

System Structures

The nomenclature for system structures describes the possible degradation behaviour after fault detection and fault localisation for the central processing units. Variations are possible due to different implementation possibilities. This table shall give a first guideline. In the I/O area, different degradation mechanisms are possible and are implemented on the different systems.
Fault-free system | Degradation 1 | Degradation 2 | Degradation 3 | System structure
------------------|---------------|---------------|---------------|------------------------------------------------------------
2oo4              | 1oo2          | 1oo1*         | shutdown      | safety-related and fault tolerant, *with time restriction
2oo4              | 1oo3          | 1oo2          | shutdown      | safety-related and fault tolerant
2oo3              | 1oo2          | 1oo1*         | shutdown      | safety-related and fault tolerant, *with time restriction
2oo3              | 1oo2          | shutdown      |               | safety-related and fault tolerant
1oo2D             | 1oo1D         | shutdown      |               | safety-related and fault tolerant with time restriction
1oo2              | shutdown      |               |               | safety-related
2oo2              | 1oo1          | shutdown      |               | safety-related and fault tolerant
1oo1              | shutdown      |               |               | safety-related

* with time restriction

Part 4 of IEC 61508 gives the definition of:
MooN: M out of N channel architecture (for example 1oo2 is a 1 out of 2 architecture, where either of the two channels can perform the safety function)
MooND: M out of N channel architecture with diagnostics

Standards

The set of standards used for certification and their publishing dates are specified by the report to the certificate. The following list represents a compilation of the most generic standards only.
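How a MooN vote and the stepwise degradation in the table behave in practice, as an added example that is not part of the TÜV document: it assumes the 2oo3 -> 1oo2 -> 1oo1* -> shutdown chain from the table, the page's convention that the zero signal is the safe state, and the AK 5 single-channel limit of 72 hours stated under "Timing restriction after degradation"; class and function names are this example's own.

```python
"""MooN voting with degradation after detected CPU channel faults (added example,
not part of the TÜV document). Encodes the chain 2oo3 -> 1oo2 -> 1oo1* -> shutdown
from the system-structure table and the AK 5 single-channel time limit of 72 h."""

def parse_moon(structure):
    """'2oo3' -> (2, 3); '1oo2D' -> (1, 2). The D (diagnostics) suffix is ignored."""
    m, n = structure.rstrip("D").split("oo")
    return int(m), int(n)

def vote(structure, trip_demands):
    """MooN vote, 0 = safe (de-energised), 1 = energised. trip_demands holds one bool
    per healthy channel; M of N must demand a trip: 1oo2 trips on one, 2oo2 needs both."""
    m, n = parse_moon(structure)
    if len(trip_demands) != n:
        raise ValueError(f"{structure} expects {n} channel results, got {len(trip_demands)}")
    return 0 if sum(trip_demands) >= m else 1

class DegradingSystem:
    """CPU structure that steps down its degradation chain (chain ends in 'shutdown')."""
    def __init__(self, chain, single_channel_limit_s):
        self.chain, self.step, self.limit = chain, 0, single_channel_limit_s
        self.single_since = None  # time at which single-channel (1oo1*) mode began

    @property
    def structure(self):
        return self.chain[self.step]

    def channel_fault(self, now):
        """Fault detected and localised in one channel: degrade one step."""
        if self.structure == "shutdown":
            return
        self.step += 1
        if self.structure != "shutdown" and parse_moon(self.structure)[1] == 1:
            self.single_since = now if self.single_since is None else self.single_since

    def output(self, now, trip_demands):
        """0 (safe) after shutdown or an expired single-channel time limit, else the vote."""
        if self.structure == "shutdown":
            return 0
        if self.single_since is not None and now - self.single_since > self.limit:
            return 0
        return vote(self.structure, trip_demands)

def scenario():
    """Scripted run of a 2oo3 system down its chain; channel data is constructed."""
    s, trace = DegradingSystem(["2oo3", "1oo2", "1oo1", "shutdown"], 72 * 3600), []
    trace.append((s.structure, s.output(0, [False, True, False])))  # one demand: stays 1
    trace.append((s.structure, s.output(1, [True, True, False])))   # two demands: trips
    s.channel_fault(2)
    trace.append((s.structure, s.output(3, [False, True])))         # 1oo2: one demand trips
    s.channel_fault(4)
    trace.append((s.structure, s.output(5, [False])))               # 1oo1*: no demand, runs
    trace.append((s.structure, s.output(5 + 73 * 3600, [False])))   # >72 h: forced safe
    s.channel_fault(6)
    trace.append((s.structure, s.output(7, [])))                    # shutdown: always 0
    return trace
```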
[N1] DIN V 19250 "Fundamental safety aspects for measurements and control equipment"
Safety requirements according to [N1], [N3] and [N4.n]: RC 8 - highest requirements; RC 1 - lowest requirements
[N2] IEC 61508 "Functional safety of electrical / electronic / programmable electronic systems (PES)", part 1 to 7 (2000)
Safety requirements according to [N2]: SIL 4 - highest requirements; SIL 1 - lowest requirements
[N3] DIN 19251 "MC Protection Equipment"
[N4.1] DIN V VDE 0801 "Principles for computers in safety-related systems"
[N4.2] DIN V VDE 0801 Amendment A1
[N5] DIN VDE 0116 "Electrical Equipment for Furnaces"
[N6.1] DIN VDE 0160 "Electronic Equipment used in Electrical Power Installations" (corresponds to prEN 50178)
DIN VDE 0110 "Insulation co-ordination for equipment within low-voltage systems; Fundamental requirements", part 1
[N6.2] EN 61131 "Programmable Controllers", Part 1 "General Information"; Part 2 "Equipment requirements and tests"
[N7.1] prEN 50082-2 "Electromagnetic compatibility (EMC); Generic immunity standard - Part 2: Industrial environment"
[N7.2] EN 50081-2 "Electromagnetic compatibility (EMC); Generic emission standard - Part 2: Industrial environment"
EN 55011 "Limits and methods of measurement for radio disturbance characteristics of ISM radio frequency equipment", severity: limit class A
[N8] DIN IEC 68 / DIN EN 60068 "Basic testing procedures", set of standards: Part 2-1 Cold; Part 2-2-A Dry heat; Part 2-3 Damp heat, steady state; Part 2-6 Vibration, sinusoidal; Part 2-27 Shock

Conditions and Restrictions

General
• When planning a safety instrumented function with a safety-related programmable controller, the safety section of the manufacturer's handbook is to be used.
• The tested and certified components are listed in the test reports of the TÜV test institutes.
• Requirements related to other components of the installation will be specified by the application and have to be determined and assessed during the local inspection.

Planning / Protecting
• The configuration and the operation of the safety-related programmable controller should be based on a hazard analysis.
• The protective targets of the realised application shall be defined.
• Care is to be given to the possibility of a safety shutdown whilst the control process is starting up or closing down.
• The behaviour of the programmable controller in all different operating conditions, error conditions and restarting should be defined.
• The conditions for use specified by the manufacturer are to be observed. Particular attention is to be paid to:
  o Protection from excessive voltage and EMC;
  o Environmental conditions;
  o Ex-protection - if required.
• Care is to be taken that system parameters which may have an effect upon safety are set correctly in safety-critical applications, particularly:
  o Requirement class / Safety integrity level
  o Maximum cycle time
  o System configuration
  o Process safety time, interval for foreground tests and background tests
  o Time limit for monitoring of the communication
  o Access limitations for external communicators (e.g. programming equipment and process control systems)
  o I/O configuration and connections
  o Reaction to I/O errors
  o Reaction to system errors
• Equipment and components which are used must be certified. Only safety-related components may be used in safety-critical operation.
• Either the equipment in the shutdown path must be made of type-approved fail-safe components, or the application must have two separate, independent shutdown paths.
• The safe state of an ESD must be the de-energised state or low (0) state.
• In general, the closed-loop principle is to be maintained for all external safety circuits which are connected to the system. Signals should be dynamic where possible.
• Care must be taken when projecting that non-safety-related functions can never interfere with safety-related functions / components in any operating situation.
• The conditions and restrictions for operation in degraded mode shall be observed. Typically a timing restriction should be planned for the degraded mode of operation.
• The low state of the output components (current and voltage) is to be considered for the appropriate application.
• In systems with components which are to be serviced cyclically (e.g. backup batteries), administrative measures shall ensure that the required work is carried out.
• Regarding cabling, the local or national installation and equipping requirements are to be adhered to.

Programming
• Application programming is to be carried out in accordance with the information in the safety section of the manufacturer's handbook.
• Safety-orientated configuration and application programming must be carried out with safety tools and checked by a competent person who is independent of the application developer.
• Care is to be taken that the details of the planning and engineering (system parameters which may have an effect upon safety) are set correctly in safety-critical applications.
• Programs and data which are relevant to safety must be separated from programs and data which are not relevant to safety.
• Safety paths are to be marked in logic plans and parameter lists.
• Proof of freedom of interaction (interference-free) of non-safety-related program parts must be shown for every modification.
• System reaction times to external requirements are to be tested. System reaction times to internal errors are to be taken into account.
• Discrepancy times are to be specified application-specifically, as far as is necessary.
• Conformity of the programs that are loaded in the safety-related programmable controller with the programs theoretically checked previously must be proved.
  This especially includes proof that the compiled versions of the programs which are to be jointly used provide the specified safety functions.
• The correct operation of the safety-related program should be shown by means of a complete functional test.
• The use of a certified revision comparator during the test of modifications is strongly recommended.

Operation
• Safety-relevant error reactions which only lead to signalling alarms are only permitted under supervised operation.
• On-line modifications reduce safety by their nature and are not supported by TÜV. On-line modifications are under the sole responsibility of the operator.
• Modifications of the system software (operating system, I/O drivers, diagnostics, libraries etc.) are subject to the type certification.
• In addition to the printed documentation of the application program, copies of the program must be stored on a write-protected data carrier.
• PID and other control algorithms must not be used for safety-relevant functions.
• If it is intended to take safety-related functions temporarily out of operation for maintenance (so-called "maintenance override"), then:
  o This factor is to be taken into account at the planning stage.
  o It is to be ensured that the plant operator is clearly informed about this operating condition.
  o It is to be ensured that the plant operator still receives sufficient information about the safety status of the plant.
  o A detailed instruction is to be produced for switching this special condition on or off.
• It is recommended to consider the current version of the document "Maintenance Override" of TÜV Süddeutschland (TÜV Product Service) and TÜV Rheinland.
Product-independent Conditions and Restrictions

Specification of Safety Instrumented Loops
• Specification based on the hazard analysis:
  o Safety functions, immediate safety states, process safety time (PST)
  o Structure of each safety instrumented loop
  o Independent control and protective structure of the plant automation
  o Interaction of plant subsystems
  o Consider a safety shutdown while the process is in start-up or controlled shutdown.
  o Specification of organisational measures (operation, inspection)
  o Hazards to be covered by full / major responsibility of the plant operator
• Suitable Ex-protection; overvoltage, surge and other EMC protection
• Observe the conditions of use specified by the manufacturer. Example: monitored threshold limits and leakage current of the digital I/O modules; electrical insulation provided by the I/O modules; specified environmental stress conditions
• Current loop principle (de-energised to trip, 4-20 mA). Signals should be dynamic, to the extent possible.

Configuration of Safety Instrumented System
• Follow the system documentation incl. safety manual. Follow the conditions and restrictions stated in the TÜV report to the certificate.
• Configuration based on the specification of the safety functions. Check by a competent and independent person (four-eye principle).
• Separate safety-related and non-safety-related programs and data. Highlight the safety-related paths and data in the logic diagrams and parameter lists.
• Configuration with the delivered safety engineering tools only
• Specify the safety-related configuration: I/O configuration, process safety time (PST), SIL, max. cycle time, system reaction to internal failures and failures of the periphery, application-specific processing of the discrepancy of inputs
• Select a system structure suitable for the required availability, SIL and PST (certified systems provide increased availability, but rare software and hardware failures can lead to a complete shutdown). Time limitation of degraded operation.
• Only certified safety-related modules for safety functions. Interference-free modules ("rückwirkungsfrei") for non-safety-related functions.

Communication
• Safety-related communication is currently only supported between systems of the same family; vendor-independent safety bus specifications are currently under certification. Communication with other non-safety-related systems can be made safe only by additional measures in the application program. Access control for external communication partners (examples: engineering workstation and DCS).
• Communication adds to the safety-related reaction time. Specify and configure a time limit for the monitoring of the communication. Unfavourable communication structures and parameters may reduce the plant availability.

Application Programming
• Program based on logic diagrams or cause + effect matrices only
• Program with the delivered safety engineering tools only (if no safety engineering tools exist, each path must be fully tested)
• Avoid instruction lists / mnemonics. Use function block diagrams, cause + effect matrices or sequential function charts.
• Use proven-in-use or pre-tested function blocks. Maintain a library of such blocks.
• Keep the reaction time of the application program constant. Test the maximum system reaction time to all external events. Test the re-start after power failure in all operating modes.
• Check modifications always with the certified revision comparator
• Check during commissioning that the compiled configuration loaded in the safety instrumented system and the configuration theoretically checked previously are equal

Operation and Modifications
• Safety-relevant fault reactions which only lead to signalling are only permitted under supervised operation (the operator must have enough information and time to react).
• Maintenance override requires (operator-specified) guidelines. The plant operator must nevertheless receive sufficient information about the safety status of the plant; see the document "Maintenance Override".
• Hazards associated with on-line modifications: on-line modifications reduce safety by their nature. Full functional testing should be done at simulators or at a similar plant.

Timing restriction after degradation
• The generic standards (IEC 61508, and DIN 19250 in conjunction with DIN 0801) don't give exact figures or guidelines for a system when a fault has been detected in the system and the system structure has been degraded as a result of that fault.
• For ESD applications where the AK system according to DIN 19250 is used, only supervised operation should be possible after reaching a single-channel mode of operation. Online repair is possible. If not repaired, single-channel operation is possible with the following maximum timing:
  - in AK 5: shutdown after a maximum of 72 hours of supervised operation in single-channel mode
  - in AK 6: shutdown after a maximum of 1 hour of supervised operation in single-channel mode

Recommended Features of safety-related Engineering Software

Features to facilitate configuration, programming and tests
• Encapsulation of program units
• Libraries of pre-tested, application-specific function blocks
• Standardised programming languages, e.g. as a subset of IEC 61131-3 (function blocks, sequential function charts, strong data type checking)
• Cause + effect matrix programming
• Use of a simulator

Features to support modifications
• Encapsulation of program units
• Function blocks without global variables
• Safety-related and non-safety-related programs and parameters are secured by individual CRC checksums
• Revision comparator
• Version control system with individual access rights
• Configuration checker (example: is the proposed online modification allowed?)
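As an added illustration, not part of the TÜV document or of any vendor's engineering tool, the following models three of the listed features on a small constructed configuration: individual CRC checksums for safety-related and non-safety-related sections, a revision comparator (also usable for the commissioning check that the loaded and the theoretically checked configuration are equal), and a configuration checker that answers whether a proposed online modification is allowed. Section names, contents and function names are this example's own.

```python
"""Revision comparator and configuration checker for a safety PES configuration.
Added example, not part of the TÜV document: sections are secured by individual
CRC-32 values as in "Features to support modifications"; layout and names are
this example's own."""
import zlib

# Constructed sample: the configuration that was reviewed and theoretically
# checked. Each section is (safety_related, body).
REVIEWED = {
    "ESD_logic": (True, b"IF LAH_101 OR PAH_102 THEN XV_103 := 0; END_IF"),
    "PST_parameters": (True, b"PST=2000ms;MAX_CYCLE=250ms;SIL=3"),
    "operator_display": (False, b"TAG LAH_101 COLOUR RED"),
}


def checksums(config):
    """One CRC-32 per section, so a divergence is attributable to a single section.
    CRC-32 catches accidental change; it is not a cryptographic integrity check."""
    return {name: zlib.crc32(body) for name, (_, body) in config.items()}


def compare_revisions(reviewed, loaded):
    """Revision comparator: names of changed, added and removed sections."""
    a, b = checksums(reviewed), checksums(loaded)
    return {
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
    }


def commissioning_check(reviewed, loaded):
    """Commissioning: the loaded configuration must equal the checked one exactly."""
    return not any(compare_revisions(reviewed, loaded).values())


def online_modification_allowed(reviewed, proposed):
    """Configuration checker: an online modification may only touch sections that
    are non-safety-related in both revisions. Returns (allowed, violating sections)."""
    diff = compare_revisions(reviewed, proposed)
    touched = diff["changed"] + diff["added"] + diff["removed"]
    violations = [n for n in touched
                  if reviewed.get(n, (False,))[0] or proposed.get(n, (False,))[0]]
    return (not violations, violations)


def modified(config, name, body):
    """Return a copy of config with one section body replaced (flag unchanged)."""
    new = dict(config)
    new[name] = (config[name][0], body)
    return new
```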