DIRC Workshop on Software Quality and the legal system
13 February 2004

Page 1: Functional safety of electrical, electronic and programmable electronic safety-related systems

Ron Bell
Electrical and Control Systems Group
Health and Safety Executive

Page 2: Objectives

1. To provide an overview of the key principles for the design of complex electrical, electronic or programmable safety-related systems with particular reference to IEC 61508

2. To comment on the legal issues from a Regulator’s perspective

Page 3: Contents

• Section 1: Examples of systems and subsystems under consideration
• Section 2: What’s the problem?
• Section 3: Essentials of functional safety
• Section 4: Legal considerations
• Section 5: Standards and “good practice”
• Section 6: Concluding comments

Page 4: Contents (Section 1: Examples of systems and subsystems under consideration)

Page 5: Examples of systems, subsystems & devices under consideration

• electro-mechanical: low complexity
• solid state electronic: low complexity / complex
• programmable electronic: complex

Programmable electronic devices include: programmable controllers (PCs); programmable logic controllers (PLCs); microprocessor-based systems; application specific integrated circuits (ASICs); intelligent sensors/transmitters/actuators etc; digital communication systems (e.g. bus systems); internet-based technologies

Page 6: Examples of applications under consideration

The following are examples of safety-related systems:

• an emergency shut-down system in a hazardous chemical process plant;
• railway signalling and train protective systems;
• guard interlocking systems and emergency stopping systems for machinery;
• variable speed motor drives used to control the speed as a necessary means of safety;
• information based safety-related systems

Page 7: Contents (Section 2: What’s the problem?)

Page 8: Safety issues of complex systems

• Complexity (software/hardware/system integration) … many factors involved
• Testing necessary but not sufficient
• Prediction of system performance (safety integrity) difficult; only random hardware failures can be quantitatively predicted with confidence
• Demands systematic approach throughout the safety lifecycle … effective Functional Safety Management
• Demands high level of competence throughout the safety lifecycle

Page 9: Contents (Section 3: Essentials of functional safety)

Page 10: IEC 61508: Functional safety of electrical, electronic & programmable electronic systems

E/E/PE = Electrical, Electronic & Programmable Electronic

Example: E/E/PE device; E/E/PE system

Page 11: Safety and functional safety

General definition for functional safety:

Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment

Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs

Page 12: Safety and functional safety

General definition: Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs

Definition applied to E/E/PE safety-related systems: “Part of the overall safety relating to the equipment and its associated control system which depends on the correct functioning of electrical, electronic and programmable electronic safety-related systems……”

Page 13: Functional Safety

A: safety achieved by measures reliant on passive systems, e.g. insulation on electrical conducting parts (non-functional safety)

B: safety achieved by active systems, e.g. temperature measurement and de-energisation of contactor (functional safety)

Overall safety = A + B

Page 14: Primary cause (by lifecycle phase) of control system failure [based on 34 incidents]

Failures by lifecycle phase:
• Specification: 44.1%
• Design & implementation: 14.7%
• Installation & commissioning: 5.9%
• Operation & maintenance: 14.7%
• Changes after commissioning: 20.6%

Page 15: Primary cause (by lifecycle phase) of control system failure [based on 34 incidents]

All lifecycle phases need to be addressed if functional safety is to be achieved!

Page 16: Strategy in IEC 61508 to achieve functional safety

Apply to all phases of the safety lifecycle:
• Functional Safety Management
• Technical Requirements
• Competence of persons

Safety lifecycle phases:
• Specification
• Design & implementation
• Installation & commissioning
• Operation & maintenance
• Changes after commissioning

Page 17: Some design measures to achieve functional safety!

• Functional Safety Requirements spec
• Systematic hardware
• Software
• EMI
• Fault tolerance
• Random hardware failures
• Human Factors
• etc ……

Software is one of many necessary measures!!

Page 18: Contents (Section 4: Legal considerations)

Page 19: Criminal Law - Framework

• Act of Parliament
• Regulations
• EC Directive

Page 20: Health & Safety at Work etc Act, 1974 (HSW)

• Underpins GB workplace health & safety legislation
• Places duties on: employees / self employed; employers (to employees); employers / self employed (to others); manufacturers etc.
• Unlimited fines / imprisonment

Page 21: Health & Safety at Work Section 6

It shall be the duty of any person who designs, manufactures, imports or supplies any article for use at work …. to ensure, so far as is reasonably practicable (‘sfairp’), that the article is so designed and constructed that it will be safe and without risks to health at all times ……

Page 22: Health & Safety at Work Section 6 (cont’d)

• Carry out testing and examination as necessary to ensure safety, ‘sfairp’
• Provide adequate information about the use for which the article is designed and any conditions necessary to ensure it will be safe
• Provide, ‘sfairp’, such revisions of information as are necessary if there is a serious risk to health or safety

Page 23: So Far as is Reasonably Practicable (SFAIRP)

‘SFAIRP’ = ‘ALARP’ (HSE view): risk reduced to the extent that the cost of further risk reduction is ‘grossly disproportionate’ (i.e. As Low As is Reasonably Practicable, ‘ALARP’)

Page 24: Health & Safety at Work etc. Act 1974 (HSW) Section 3

It shall be the duty of every employer (and self-employed person) to conduct his undertaking in such a way as to ensure, so far as is reasonably practicable, that other persons who may be affected thereby are not thereby exposed to risks to their health or safety

Page 25: Health & Safety at Work etc. Act 1974 (HSW) Section 3

Example: Design Assessment

• Port Ramsgate walkway collapse
• 14 September 1998
• 6 people died, 7 severely injured
• Design calculations inadequate
• Lloyd’s Register had assessed design
• Pleaded not guilty, found guilty
• £500,000 fine, £242,500 costs

Page 26: Example supply chain model

Parties in the model: End user; Consultant; System integrator; Various suppliers. The links between them are labelled S/A or S/A/S:
• S/A = specification & agreement
• S/A/S = specification, agreement & supply

# 1: HSW Act S. 6 applicable for failures in the supply chain …. but potential issues arise because: is software an article? Does “safe” in S. 6 encompass “functional safety”?

# 2: HSW Act S. 3 applicable since respective employers of consultant, system integrator and various suppliers have duty to “other persons who may be affected”.

# 3: End User has duties under HSW Act S.2 & S.3

For discussion purposes!

Page 27: Contents (Section 5: Standards and “good practice”)

Page 28: Standards and “Good Practice”

HSE defines “good practice” as the generic term for those standards for controlling risk which have been judged and recognised by HSE as satisfying the law when applied to a particular relevant case in an appropriate manner

Can take many forms, for example:
• HSC Approved Codes of Practice (ACoPs), which have special legal status under HSW Act S.16
• HSE guidance

Page 29: Standards and “Good Practice”

Other written sources which may be recognised include:
• Standards produced by standards-making organisations (e.g. BSI, CENELEC, IEC, ISO)
• Guidance agreed by a body representing an industrial / occupational sector (e.g. trade federation, professional institution)

Examples include:
• IEE/BCS Competency Guidelines for Safety-related System Practitioners
• IEC 61508: “Functional safety of electrical, electronic and programmable electronic safety-related systems”

Page 30: Concept of good practice: HSE position on IEC 61508

IEC 61508 “Functional safety of electrical, electronic and programmable electronic safety-related systems” provides a basis for the achievement of functional safety.

HSE’s position on IEC 61508 is as follows:
• IEC 61508 will be used by HSE as a reference standard for determining whether a reasonably practicable level of safety has been achieved
• The extent to which HSE will use IEC 61508 will depend on individual circumstances, including whether any sector standards based on IEC 61508 have been developed and whether there are existing specific guidelines or standards.

Page 31: Contents (Section 6: Concluding comments)

Page 32: Concluding comments (1)

To achieve functional safety many factors have to be addressed including:
• Functional safety management
• Technical requirements for all safety lifecycle activities
• Competence of those involved in activity having a bearing on functional safety

Safety is the goal; functional safety is a subset of safety

Software is but one factor in the achievement of functional safety, albeit a very important factor, that needs to be addressed

Page 33: Concluding comments (2)

• HSW Act covers within its scope the concept of functional safety
• There remains an issue as to whether HSW Act S.6 covers functional safety and whether software is an article within the meaning of S.6
• Any changes to the legal requirements should be aimed at functional safety and not specifically software