TÜV Rheinland Industrie Service GmbH

Automation and Functional Safety (AFS)
Programmable Systems
1. General
2. System Structures
3. Standards
4. Conditions and Restrictions
5. Product-independent Conditions and Restrictions
6. Recommended Features of safety-related Engineering Software
General
There are considerable restrictions on the use of the PES, especially timing restrictions that apply after faults have been
detected. These timing restrictions depend on calculations or on the application. Refer to the detailed test reports of the
respective TÜV test institute.
The reference list is a common list of the working group "Safety Related PES" of IQSE (TÜV Product Service) and
ASI (TÜV Rheinland). It has been compiled to give end users an overview of type-certified PES. The list will be updated
periodically. With this reference list both test authorities fulfil the requirement, given by their accreditations to the European
standards EN 45001 and EN 45011, to publish a list of type-approved systems.
All of the above mentioned PES assume that the zero signal of binary inputs and outputs represents the defined safe state
for the application.
All of the above mentioned PESs with the system structures 1oo1 (1v1) and 1oo2 (2v2) and test reports dated 1989 or later,
provide fault tolerance for the I/O-boards. If independent groups of I/O-boards have been defined during configuration or
application programming, depending upon the product, a fault localisation on an I/O-board will lead to a shutdown of the
associated safety related group only. Groups of I/O-boards can only be mutually independent, if the I/O-signals connected
belong to independent parts of the application. Independent means that a part of the application has no safety relation with
any other parts of the application.
Beginning with the publication of DIN V 19250 and DIN V VDE 0801 in January 1990 the classification and certification have
been performed according to the safety categories of DIN V 19250 and the safety requirements of DIN V VDE 0801.
All executed certifications take into consideration requirements of a typical application standard, e.g. furnace control. As an
alternative, typical application requirements (e.g. fault models, test methods, process reaction time, fault tolerance) are used.
The specific application sectors covered by the certification are listed in the test report.
System Structures
The nomenclature for system structures describes the possible degradation behaviour after fault detection and fault
localisation for the central processing units. Variations are possible due to different implementation possibilities. This table
shall give a first guideline.
In the I/O area different degradation mechanisms are possible and implemented on the different systems.
Fault-free system | Degradation 1 | Degradation 2 | Degradation 3 | System structure
2oo4              | 1oo2          | 1oo1*         | shutdown      | safety-related and fault tolerant (*with time restriction)
2oo4              | 1oo3          | 1oo2          | shutdown      | safety-related and fault tolerant
2oo3              | 1oo2          | 1oo1*         | shutdown      | safety-related and fault tolerant (*with time restriction)
2oo3              | 1oo2          | shutdown      |               | safety-related and fault tolerant
1oo2D             | 1oo1D         | shutdown      |               | safety-related and fault tolerant, with time restriction
1oo2              | shutdown      |               |               | safety-related
2oo2              | 1oo1          | shutdown      |               | safety-related and fault tolerant
1oo1              | shutdown      |               |               | safety-related
*with time restriction: operation in this degraded structure is only permitted for a limited time (see "Timing restriction after degradation").
Part 4 of IEC 61508 gives the definitions:
MooN: M out of N channel architecture (for example 1oo2 is a 1 out of 2 architecture, where either of the two channels can
perform the safety function)
MooND: M out of N channel architecture with diagnostics
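The following Python model is an added example and not code from the TÜV document or from any certified product. It shows how an MooN voter decides the output, how an MooND voter uses the diagnostic verdict of each channel to localise a fault and continue in a degraded structure, and how the degradation chain of the table above arises. The channel model, the "drop one channel, keep the trip threshold at least 1" degradation rule and all names are assumptions; the table shows that products implement other variants as well (2oo4 degrading to 1oo2 or to 1oo3).

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not code from the TÜV document: an MooN / MooND voter and the
# degradation chain of the System Structures table. Channel model, the degradation
# rule and all names are assumptions made for this illustration.

SAFE = 0        # de-energised / zero signal: the defined safe state (page convention)
ENERGISED = 1


@dataclass
class Channel:
    output: int            # what this channel wants to drive: SAFE or ENERGISED
    healthy: bool = True   # verdict of the channel's own diagnostics (the "D" in MooND)


def vote_moon(m: int, outputs: list[int]) -> int:
    """Plain MooN voter: the voted output is SAFE as soon as M of the N channels
    demand the safety function. 1oo2: either channel trips; 2oo2: both must trip."""
    n = len(outputs)
    if not 1 <= m <= n:
        raise ValueError(f"invalid structure {m}oo{n}")
    trip_demands = sum(1 for o in outputs if o == SAFE)
    return SAFE if trip_demands >= m else ENERGISED


def degrade(m: int, n: int) -> tuple[int, int]:
    """One localised channel fault: drop the faulty channel and lower the trip
    threshold with it, but never below 1 (2oo3 -> 1oo2 -> 1oo1, 2oo2 -> 1oo1).
    This is one implementation variant; the table also shows others (2oo4 -> 1oo3)."""
    return max(m - 1, 1), n - 1


def vote_moond(m: int, channels: list[Channel]) -> tuple[int, str]:
    """MooND voter: channels flagged by diagnostics are excluded (fault localisation),
    the structure degrades for the rest, and with no healthy channel left the only
    safe reaction is shutdown. Returns (voted output, structure now in force)."""
    healthy = [c.output for c in channels if c.healthy]
    n = len(channels)
    for _ in range(n - len(healthy)):
        m, n = degrade(m, n)
    if n == 0:
        return SAFE, "shutdown"
    return vote_moon(m, healthy), f"{m}oo{n}D"


def degradation_chain(m: int, n: int, diagnostics: bool) -> list[str]:
    """Structures reached after successive single-channel faults. Without diagnostics
    a fault may be detected (e.g. by cross-comparison) but cannot be localised, so the
    first fault already ends in shutdown, as in the table's plain 1oo2 and 1oo1 rows.
    The degraded 1oo1 step is the one the table marks "with time restriction"."""
    chain = [f"{m}oo{n}" + ("D" if diagnostics else "")]
    if diagnostics:
        while n > 1:
            m, n = degrade(m, n)
            chain.append(f"{m}oo{n}D")
    chain.append("shutdown")
    return chain


if __name__ == "__main__":
    print(vote_moon(2, [ENERGISED, SAFE, SAFE]))   # 2oo3 with two trip demands -> 0
    print(vote_moond(2, [Channel(ENERGISED), Channel(SAFE, healthy=False), Channel(ENERGISED)]))
    print(degradation_chain(2, 3, diagnostics=True))
    print(degradation_chain(1, 2, diagnostics=False))
```

Note that in the MooND voter a channel that diagnostics have declared faulty no longer takes part in the vote at all: its trip demand is ignored just as its permissive output would be, because neither can be trusted. That is exactly why the page insists that the time spent in the resulting 1oo1 structure must be limited.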
Standards
The set of standards used for certification and their publication dates are specified in the report to the certificate. The following
list is a compilation of the most generic standards only.

[N1] DIN V 19250 "Fundamental safety aspects for measurement and control equipment"
Safety requirements according to [N1], [N3] and [N4.n]: RC 8 - highest requirements, RC 1 - lowest requirements

[N2] IEC 61508 "Functional safety of electrical / electronic / programmable electronic safety-related systems", parts 1 to 7 (2000)
Safety requirements according to [N2]: SIL 4 - highest requirements, SIL 1 - lowest requirements

[N3] DIN 19251 "MC protection equipment"

[N4.1] DIN V VDE 0801 "Principles for computers in safety-related systems"
[N4.2] DIN V VDE 0801 Amendment A1

[N5] DIN VDE 0116 "Electrical equipment for furnaces"

[N6.1] DIN VDE 0160 "Electronic equipment used in electrical power installations" (corresponds to prEN 50178)
DIN VDE 0110 "Insulation co-ordination for equipment within low-voltage systems; fundamental requirements", part 1
[N6.2] EN 61131 "Programmable controllers"
Part 1: "General information"
Part 2: "Equipment requirements and tests"

[N7.1] prEN 50082-2 "Electromagnetic compatibility (EMC); Generic immunity standard - Part 2: Industrial environment"
[N7.2] EN 50081-2 "Electromagnetic compatibility (EMC); Generic emission standard - Part 2: Industrial environment"
EN 55011 "Limits and methods of measurement of radio disturbance characteristics of industrial, scientific and medical (ISM) radio-frequency equipment", severity: limit class A

[N8] DIN IEC 68 / DIN EN 60068 "Basic testing procedures", set of standards
Part 2-1: Cold
Part 2-2: Dry heat
Part 2-3: Damp heat, steady state
Part 2-6: Vibration, sinusoidal
Part 2-27: Shock
Conditions and Restrictions
General
• When planning a safety instrumented function with a safety-related programmable controller, the safety section of
the manufacturer's handbook is to be used.
• The tested and certified components are listed in the test reports of the TÜV test institutes. Requirements related
to other components of the installation will be specified by the application and have to be determined and assessed
during the local inspection.
Planning / Protecting
• The configuration and the operation of the safety-related programmable controller should be based on a hazard
analysis.
• The protective targets of the realised application shall be defined.
• Care is to be given to the possibility of a safety shutdown whilst the controlled process is starting up or closing down.
• The behaviour of the programmable controller in all operating conditions, error conditions and on restarting
should be defined.
• The conditions for use specified by the manufacturer are to be observed. Particular attention is to be paid to:
  o Protection from excessive voltage and EMC;
  o Environmental conditions;
  o Ex-protection, if required.
• Care is to be taken that system parameters which may have an effect upon safety are set correctly in safety-critical
applications, particularly:
  o Requirement class / safety integrity level
  o Maximum cycle time
  o System configuration
  o Process safety time, interval for foreground tests and background tests
  o Time limit for monitoring of the communication
  o Access limitations for external communication partners (e.g. programming equipment and process control
systems)
  o I/O configuration and connections
  o Reaction to I/O errors
  o Reaction to system errors
• Equipment and components which are used must be certified. Only safety-related components may be used in
safety-critical operation.
• Either the equipment in the shutdown path must be made of type-approved fail-safe components, or the
application must have two separate, independent shutdown paths.
• The safe state of an ESD must be the de-energised (low, 0) state.
• In general, the closed-loop principle is to be maintained for all external safety circuits which are connected to the
system. Signals should be dynamic where possible.
• Care must be taken during engineering that non-safety-related functions can never interfere with safety-related
functions / components in any operating situation.
• The conditions and restrictions for operation in degraded mode shall be observed. Typically a timing restriction should
be planned for the degraded mode of operation.
• The low state of the output components (current and voltage) is to be considered for the appropriate application.
• In systems with components which are to be serviced cyclically (e.g. backup batteries), administrative measures
shall ensure that the required work is carried out.
• Regarding cabling, the local or national installation and equipment requirements are to be adhered to.
Programming
• Application programming is to be carried out in accordance with the information in the safety section of the
manufacturer's handbook.
• Safety-oriented configuration and application programming must be carried out with safety tools and checked by
a competent person who is independent of the application developer.
• Care is to be taken that the details of the planning and engineering (system parameters which may have an effect
upon safety) are set correctly in the safety-critical application.
• Programs and data which are relevant to safety must be separated from programs and data which are not relevant
to safety. Safety paths are to be marked in logic plans and parameter lists. Proof of freedom from interaction
(interference-free operation) of non-safety-related program parts must be shown for every modification.
• System reaction times to external demands are to be tested. System reaction times to internal errors are to be
taken into account.
• Discrepancy times are to be specified application-specifically, as far as is necessary.
• Conformity of the programs that are loaded in the safety-related programmable controller with the programs
theoretically checked previously must be proved. This especially includes proof that the compiled versions of the
programs which are to be used jointly provide the specified safety functions.
• The correct operation of the safety-related program should be shown by means of a complete functional test.
• The use of a certified revision comparator during the test of modifications is strongly recommended.
Operation
• Safety-relevant error reactions which only lead to signalling alarms are only permitted under supervised operation.
• On-line modification reduces safety by its nature and is not supported by TÜV. On-line modifications are
under the sole responsibility of the operator.
• Modifications of the system software (operating system, I/O drivers, diagnostics, libraries etc.) are subject to the
type certification.
• In addition to the printed documentation of the application program, copies of the program must be stored on
write-protected data carriers.
• PID and other control algorithms must not be used for safety-relevant functions.
• If it is intended to take safety-related functions temporarily out of operation for maintenance (so-called
"maintenance override"), then:
  o This factor is to be taken into account at the planning stage.
  o It is to be ensured that the plant operator is clearly informed about this operating condition.
  o It is to be ensured that the plant operator still receives sufficient information about the safety status of the
plant.
  o A detailed instruction is to be produced for switching this special condition on or off.
It is recommended to consider the current version of the document "Maintenance Override" of TÜV Süddeutschland (TÜV
Product Service) and TÜV Rheinland.
Product-independent Conditions and Restrictions
Specification of Safety Instrumented Loops
• Specification based on the hazard analysis
  o Safety functions, immediate safety states, process safety time (PST)
  o Structure of each safety instrumented loop
  o Independent control and protective structure of the plant automation
  o Interaction of plant subsystems
  o Consider a safety shutdown while the process is in start-up or controlled shutdown
  o Specification of organisational measures (operation, inspection)
  o Hazards to be covered by full / major responsibility of the plant operator
• Suitable Ex-protection
• Overvoltage, surge and other EMC protection
• Observe the conditions of use specified by the manufacturer
  o Example: monitored threshold limits and leakage current of the digital I/O modules
  o Electrical insulation provided by the I/O modules
  o Specified environmental stress conditions
• Current loop principle (de-energised to trip, 4-20 mA)
  o Signals should be dynamic, to the extent possible
Configuration of Safety Instrumented System
• Follow the system documentation incl. safety manual
  o Follow the conditions and restrictions stated in the TÜV report to the certificate
• Configuration based on the specification of the safety functions
  o Check by a competent and independent person (four-eye principle)
• Separate safety-related and non-safety-related programs and data
  o Highlight the safety-related paths and data in the logic diagrams and parameter lists
• Configuration with the delivered safety engineering tools only
• Specify the safety-related configuration
  o I/O configuration, process safety time (PST), SIL, max. cycle time
  o System reaction to internal failures and failures of the periphery
  o Application-specific processing of the discrepancy of inputs
• Select a system structure suitable for the required availability, SIL and PST
  (certified systems provide increased availability, but rare software and hardware failures can lead to a complete shutdown)
  o Time limitation of degraded operation
• Only certified safety-related modules for safety functions
  o Interference-free modules ("rückwirkungsfrei") for non-safety-related functions
Communication
• Safety-related communication is currently only supported between systems of the same family; vendor-independent
safety bus specifications are currently under certification
  o Communication with other non-safety-related systems can be made safe only by additional measures in the
application program
  o Access control for external communication partners (examples: engineering workstation and DCS)
• Communication adds to the safety-related reaction time
  o Specify and configure the time limit for the monitoring of the communication
  o Unfavourable communication structures and parameters may reduce the plant availability
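The Python receiver below is an added example, not part of the TÜV document or of any safety bus specification. It models the two application-level measures listed above for a link to another system: a time limit for monitoring the communication, under which silence longer than the limit is treated like a trip demand, and access control for communication partners, plus a running sequence number so that lost, duplicated or replayed telegrams are noticed. The telegram layout (sender, sequence number, one permissive bit), all names, and the terms of the worst-case reaction-time sum are assumptions; a certified safety bus adds further integrity measures not shown here.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not from the TÜV document: receiver-side monitoring of a
# safety-related link to another system. The telegram layout (sender, running
# sequence number, one permissive bit), all names and the reaction-time terms are
# assumptions for this illustration; a certified safety bus adds further measures.

SAFE = 0        # de-energised output
ENERGISED = 1


@dataclass(frozen=True)
class Telegram:
    sender: str      # identity of the communication partner
    seq: int         # running number, +1 per telegram
    permissive: int  # 1 = remote system permits operation, 0 = trip demand


@dataclass
class SafetyLink:
    timeout_s: float                      # configured time limit for communication monitoring
    allowed_senders: frozenset[str]       # access control list for external partners
    last_seq: int = -1                    # -1: no trusted sequence yet
    last_valid_at: float = float("-inf")  # no telegram yet: the link starts timed out (safe)
    permissive: int = SAFE

    def receive(self, t: Telegram, now: float) -> str:
        """Classify one telegram; only an accepted one refreshes the watchdog."""
        if t.sender not in self.allowed_senders:
            return "rejected: sender not authorised"
        if self.last_seq >= 0 and t.seq != self.last_seq + 1:
            # lost, duplicated or replayed telegram: stop trusting the link until a
            # fresh sequence is seen; the next consistent telegram starts it again
            self.last_seq, self.permissive = -1, SAFE
            return "rejected: sequence error"
        self.last_seq, self.last_valid_at, self.permissive = t.seq, now, t.permissive
        return "accepted"

    def voted_output(self, now: float) -> int:
        """Silence longer than timeout_s is treated like a trip demand, so the timeout
        is part of the safety-related reaction time and must fit into the PST."""
        if now - self.last_valid_at > self.timeout_s:
            return SAFE
        return ENERGISED if self.permissive == 1 else SAFE


def worst_case_reaction_ms(sensor_ms: int, remote_cycle_ms: int, comm_timeout_ms: int,
                           local_cycle_ms: int, actuator_ms: int) -> int:
    """Worst case: the telegram carrying the demand is lost and only the timeout
    reveals it. The sum must stay below the process safety time (PST)."""
    return sensor_ms + remote_cycle_ms + comm_timeout_ms + local_cycle_ms + actuator_ms


if __name__ == "__main__":
    # constructed traffic: an authorised ESD partner, an unauthorised DCS, a gap and a trip
    link = SafetyLink(timeout_s=0.5, allowed_senders=frozenset({"ESD-A"}))
    print(link.receive(Telegram("ESD-A", 1, 1), now=0.0), link.voted_output(0.1))
    print(link.receive(Telegram("DCS", 2, 1), now=0.2))
    print(link.receive(Telegram("ESD-A", 2, 1), now=0.3), link.voted_output(0.9))
    print(link.receive(Telegram("ESD-A", 4, 1), now=1.0))
    print(link.receive(Telegram("ESD-A", 5, 0), now=1.1), link.voted_output(1.2))
    print(worst_case_reaction_ms(100, 50, 500, 50, 300), "ms worst-case reaction")
```

The reaction-time sum is the point the page makes in one line: the longer the configured timeout, the more tolerant the link is to transient loss (better availability), but the later a lost trip demand is acted upon, so the timeout has to be chosen against the PST, not just against the network.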
Application Programming
• Program based on logic diagrams or cause + effect matrices only
• Program with the delivered safety engineering tools only
  (if no safety engineering tools exist, each path must be fully tested)
• Avoid instruction lists / mnemonics
  o Use function block diagrams, cause + effect matrices or sequential function charts
• Use proven-in-use or pre-tested function blocks
  o Maintain a library of such blocks
• Keep the reaction time of the application program constant
• Test the maximum system reaction time to all external events
• Test the restart after power failure in all operating modes
• Check modifications always with the certified revision comparator
• Check during commissioning that the compiled configuration loaded in the safety instrumented system and the
configuration theoretically checked previously are equal
Operation and Modifications
• Safety-relevant fault reactions which only lead to signalling are only permitted under supervised operation
  (the operator must have enough information and time to react)
• Maintenance override requires (operator-specified) guidelines. The plant operator must nevertheless receive sufficient
information about the safety status of the plant; see the document "Maintenance Override"
• Hazards associated with on-line modifications: on-line modifications reduce safety by their nature. Full functional testing
should be done on simulators or at a similar plant.
Timing restriction after degradation
• The generic standards (IEC 61508, and DIN V 19250 together with DIN V VDE 0801) give no exact figures or
guidelines for a system in which a fault has been detected and the system structure has been degraded as a result of that fault.
• For ESD applications where the AK (requirement class) scheme of DIN V 19250 is used, only supervised operation should
be possible after reaching single-channel mode of operation. Online repair is possible. If the fault is not repaired, single-channel
operation is possible for at most the following times:
  - in AK 5: shutdown after a maximum of 72 hours of supervised operation in single-channel mode
  - in AK 6: shutdown after a maximum of 1 hour of supervised operation in single-channel mode
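The following Python state machine is an added example, not code from the TÜV document or from any certified PES. It enforces the rule just stated: after a localised fault the system may continue single-channel only under supervision and only for the AK-dependent time, online repair within that time returns it to the redundant structure, and a second fault or expiry of the time ends in shutdown. The 72 h and 1 h figures are the ones quoted above; the state names, the API and the refusal to accept requirement classes for which the page gives no figure are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not from the TÜV document: a timer for supervised single-channel
# operation after a localised fault. The figures are the ones quoted above for ESD
# applications; the state names and the API are assumptions for this illustration.

HOUR = 3600.0
MAX_DEGRADED_S = {5: 72 * HOUR, 6: 1 * HOUR}   # AK 5: 72 h, AK 6: 1 h (from the page)


@dataclass
class DegradedModeMonitor:
    ak: int                          # requirement class according to DIN V 19250
    supervised: bool = True          # operator supervision is a precondition for degraded mode
    state: str = "redundant"         # "redundant" | "degraded" | "shutdown"
    degraded_since: float | None = None

    def __post_init__(self) -> None:
        if self.ak not in MAX_DEGRADED_S:
            # the page quotes limits for AK 5 and AK 6 only; do not guess for other classes
            raise ValueError(f"no single-channel time limit specified for AK {self.ak}")

    def on_fault_localised(self, now: float) -> str:
        """A diagnosed fault in one channel. From the redundant structure the system
        may continue single-channel, but only under supervision and for a limited time;
        a further fault, or a fault without supervision, ends in shutdown."""
        if self.poll(now) == "redundant" and self.supervised:
            self.state, self.degraded_since = "degraded", now
        else:
            self.state, self.degraded_since = "shutdown", None
        return self.state

    def on_repair(self, now: float) -> str:
        """Online repair within the limit restores the redundant structure and cancels the timer."""
        if self.poll(now) == "degraded":
            self.state, self.degraded_since = "redundant", None
        return self.state

    def poll(self, now: float) -> str:
        """Called cyclically: enforce the time limit of the degraded mode."""
        if self.state == "degraded" and now - self.degraded_since >= MAX_DEGRADED_S[self.ak]:
            self.state, self.degraded_since = "shutdown", None
        return self.state

    def remaining_s(self, now: float) -> float:
        """Time left in single-channel mode (0 when not degraded), e.g. for the operator display."""
        if self.poll(now) != "degraded":
            return 0.0
        return MAX_DEGRADED_S[self.ak] - (now - self.degraded_since)


if __name__ == "__main__":
    m = DegradedModeMonitor(ak=6)
    print(m.on_fault_localised(0.0), m.remaining_s(1800.0))   # degraded, 1800 s left
    print(m.poll(3600.0))                                      # shutdown: 1 h expired
```

The point of the `remaining_s` output is the "supervised" part of the rule: an operator can only act in time (repair or planned shutdown) if the remaining single-channel time is visible, which is the same information requirement the page places on maintenance override.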
Recommended Features of safety-related Engineering Software
Features to facilitate configuration, programming and tests
• Encapsulation of program units
• Libraries of pre-tested, application-specific function blocks
• Standardised programming languages, e.g. as a subset of IEC 61131-3
  (function blocks, sequential function charts, strong data type checking)
• Cause + effect matrix programming
• Use of a simulator
Features to support modifications
• Encapsulation of program units
• Function blocks without global variables
• Safety-related and non-safety-related programs and parameters are secured by individual CRC checksums
• Revision comparator
• Version-control system with individual access rights
• Configuration checker (example: is the proposed online modification allowed?)
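As an added example that is not code from the TÜV document or from any engineering tool, the Python below shows how three of the listed features fit together: individual CRC checksums per configuration section, a revision comparator built on them (which also serves the commissioning check, earlier on the page, that the loaded configuration equals the reviewed one), and a configuration checker that admits an online modification only if it leaves every safety-related section unchanged. Section and parameter names, the JSON canonical form, the use of CRC-32 and the sample configuration are all assumptions constructed for this example.

```python
from __future__ import annotations
import json
import zlib

# Added example, not code from the TÜV document or any product: per-section
# CRC-32 checksums over a configuration, a revision comparator built on them and
# a configuration checker for proposed online modifications. Section and parameter
# names, the JSON-based canonical form and CRC-32 as the checksum are assumptions.

SAFETY_SECTIONS = frozenset({"safety_parameters", "safety_logic"})


def canonical_bytes(section: dict) -> bytes:
    """Deterministic serialisation, so the checksum depends only on the content."""
    return json.dumps(section, sort_keys=True, separators=(",", ":")).encode("utf-8")


def section_crcs(config: dict[str, dict]) -> dict[str, int]:
    """One CRC-32 per section: a change in a non-safety section must not alter the
    checksum the reviewer signed off for the safety-related sections."""
    return {name: zlib.crc32(canonical_bytes(sec)) & 0xFFFFFFFF for name, sec in config.items()}


def revision_compare(reviewed: dict[str, dict], loaded: dict[str, dict]) -> list[str]:
    """Revision comparator: sections whose checksum differs between the configuration
    checked by the independent person and the one loaded on the safety system."""
    a, b = section_crcs(reviewed), section_crcs(loaded)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))


def commissioning_check(reviewed: dict[str, dict], loaded: dict[str, dict]) -> bool:
    """Commissioning: the loaded configuration must equal the reviewed one in every section."""
    return revision_compare(reviewed, loaded) == []


def online_modification_allowed(reviewed: dict[str, dict], proposed: dict[str, dict]) -> bool:
    """Configuration checker: an online change is only admissible when it leaves every
    safety-related section exactly as reviewed; anything else needs the full review
    and functional test again."""
    return not any(name in SAFETY_SECTIONS for name in revision_compare(reviewed, proposed))


def with_change(config: dict[str, dict], section: str, key: str, value) -> dict[str, dict]:
    """Return a modified deep copy (JSON round trip) for what-if checks."""
    copy = json.loads(json.dumps(config))
    copy.setdefault(section, {})[key] = value
    return copy


# Constructed sample configuration; not the format of any real product.
REVIEWED = {
    "safety_parameters": {"sil": 3, "pst_ms": 1000, "max_cycle_ms": 100, "comm_timeout_ms": 500},
    "safety_logic": {"ESD_1": "PT_101_HH OR PT_102_HH"},
    "non_safety": {"hmi_tag": "FURNACE_A", "trend_period_ms": 2000},
}

if __name__ == "__main__":
    print({k: f"{v:08x}" for k, v in section_crcs(REVIEWED).items()})
    print(online_modification_allowed(REVIEWED, with_change(REVIEWED, "non_safety", "hmi_tag", "FURNACE_B")))
    print(online_modification_allowed(REVIEWED, with_change(REVIEWED, "safety_parameters", "pst_ms", 2000)))
```

A CRC detects accidental corruption and unintended differences between two revisions; it is not a defence against a deliberate change, since anyone who can edit the section can recompute its checksum. Preventing unauthorised changes is the job of the version-control system with individual access rights listed above.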