Slides from the InfinIT seminar on 1 October 2014: Development of safety-critical software
1 | Infinit 1 Oct 2014
InfinIT – SIL Preben Albrecht
[Figure: PDS(SR) block diagram (IEC 1224/07). Power section: Power, Modulation and protection, Motor, Sensors. Control section: External signals and control, Diagnostic functions, Communications and I/O, Torque/speed/position control.]
2 | Infinit 1 Oct 2014
Agenda - Topics
• Functional Safety, high demand/low demand mode, with focus on the functions that do not directly concern personal safety
• Certification/compliance process seen from our side as applicant, not from the notified body side
First some talk about Safety
3 | Infinit 1 Oct 2014
Safety definition(s)
• EU: IEC Guide 51, 3.14
  • Safety: freedom from risk (3.9) which is not tolerable ("Freedom from unacceptable risk")
• US: MIL-STD-882E, 3.2.30
  • Safety: freedom from conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.
4 | Infinit 1 Oct 2014
IEC Guide 51
• harm: injury or damage to the health of people, or damage to property or the environment
• risk: combination of the probability of occurrence of harm and the severity of that harm
• safety: freedom from risk which is not tolerable
• tolerable risk: level of risk that is accepted in a given context based on the current values of society
5 | Infinit 1 Oct 2014
Functional Safety
• Functional Safety defines protection against hazards caused by incorrect functioning of components or systems
• Products incorporating functional safety protect against
  • injury or death of people
  • harm to the environment
  • loss of property
6 | Infinit 1 Oct 2014
One Safe Function
See Video
7 | Infinit 1 Oct 2014
Low – High Demand mode
3.5.16 (IEC 61508-4) mode of operation: way in which a safety function operates, which may be either
– low demand mode: where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is no greater than one per year; or
NOTE The E/E/PE safety-related system that performs the safety function normally has no influence on the EUC or EUC control system until a demand arises. However, if the E/E/PE safety-related system fails in such a way that it is unable to carry out the safety function then it may cause the EUC to move to a safe state (see 7.4.6 of IEC 61508-2).
– high demand mode: where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is greater than one per year; or
– continuous mode: where the safety function retains the EUC in a safe state as part of normal operation
9 | Infinit 1 Oct 2014
PDS
[Figure: PDS(SR) block diagram (IEC 1224/07). Power section: Power, Modulation and protection, Motor, Sensors. Control section: External signals and control, Diagnostic functions, Communications and I/O, Torque/speed/position control.]
10 | Infinit 1 Oct 2014
Drive functions – Software
• Claim
• All software that is involved in any protecting function needs to be developed and maintained as safety critical, "just" with different safety levels; the base could be SIL 1 according to IEC 61508
• This means that if SW requirements differ throughout the product, there is a high likelihood that we will have mixed criticality
11 | Infinit 1 Oct 2014
Certification & Compliance
12 | Infinit 1 Oct 2014
Safety Strategies
[Flowchart: decision chain Normal operation -> Failure occurred? -> Safe state exists? -> Fault detected? -> Fault develops quickly into failure? with Yes/No branches leading to strategies SaStr1,2, SaStr3, SaStr4, SaStr5 and SaStr6:]
1: Improve integrity (decrease failure rate) of original design.
2: Schedule periodic repairs/proof tests to prevent wear out.
3: Direct failure mode (by design) to safe state, e.g. de-energized.
4: Alert operator and instruct him/her to stop.
5: Enter safe state.
6: Add redundancy (physical and/or analytical).
13 | Infinit 1 Oct 2014
[Chart, percentages by life-cycle phase: 44 % Specifications; 15 % Design and implementation; 6 % Installation and commissioning; 15 % Operations and maintenance; 20 % Changes after commissioning.]
Life Cycle from IEC 61508
[Figure: overall safety life cycle from IEC 61508, 16 phases: Concept; Overall scope definition; Hazard and risk analysis; Overall safety requirements; Safety requirements allocation; Overall planning (overall operation & maintenance planning, overall safety validation planning, overall installation and commissioning planning); Safety related systems: E/E/PES – Realization (see E/E/PES safety lifecycle); Other risk reduction measures – Specification and realization; Overall installation and commissioning; Overall safety validation; Overall operation and maintenance and repair; Overall modification and retrofit; Decommissioning or disposal; Back to appropriate overall safety life cycle phase.]
14 | Infinit 1 Oct 2014
IEC 61508-1, 7.10.2.6: The E/E/PE system safety functions requirements specification shall contain:
f) all relevant modes of operation of the EUC, including:
– preparation for use including setting and adjustment,
– start-up, teach, automatic, manual, semi-automatic, steady state of operation,
– steady state of non-operation, re-setting, shut-down, maintenance,
– reasonably foreseeable abnormal conditions;
15 | Infinit 1 Oct 2014
Type of certification
16 | Infinit 1 Oct 2014
Overview of certification process
TÜV SÜD certification process requirements
• Not required from a component manufacturer
• Concept approval
• Certificate
• EMC, environmental and electrical safety tests, preferably in accredited labs
• User documentation
• Fault insertion tests
17 | Infinit 1 Oct 2014
Admin Functional Safety
18 | Infinit 1 Oct 2014
FSM audit focus
19 | Infinit 1 Oct 2014
Every company claims customer focus?
7.2.3 Customer communication – CIG 023: 14. Customer complaint
14.1 Is there a procedure regarding how to handle customer complaints?
14.2 Are the received complaints reviewed on a regular basis regarding whether they are related to single errors or system errors? (Actual case checked; procedure checked)
14.3 Are corrective actions and decisions regarding customer complaints recorded? (Actual case checked; procedure checked)
14.4 Is the originator of the complaint informed about the handling and the result of the complaint? (Actual case checked; procedure checked)
14.5 Are the records of customer complaints maintained and satisfactory?
14.6 Are records kept at least for the period between two inspection visits?
20 | Infinit 1 Oct 2014
Focus from factory to product -> product functions
• Quality management: TS 16949, ISO 9001 (certified), ISO 17025 (UL-DAP / test lab)
• Electrical safety: LVD (CE mark), OSHA (US), …
• Functional safety: IEC 61508, ISO 13849; motivated by MD 2006/42/EC (machine builder law)
21 | Infinit 1 Oct 2014
Books
Functional Safety – An IEC 61508 SIL 3 Compliant Development Process, 3rd Edition ISBN-13: 978-193497708-8
Effective FMEAs: Achieving Safe, Reliable, and Economical Products and Processes using Failure Mode and Effects Analysis ISBN-13: 978-1118007433