Page 1: Current standards situation and modifications

Olaf Winne, Hans-Jürgen Altendorf
LAMTEC Meß- und Regeltechnik für Feuerungen GmbH & Co. KG

Page 2

Standard structure

Standard task | International status | European status | National status / law
              | ISO standard         | EN ISO standard | DIN EN ISO standard
              | IEC standard         | EN IEC standard | DIN EN IEC standard
              | -                    | EN standard     | DIN EN standard
              | -                    | -               | DIN standard

Page 3

Standard structure

• Experts represent their own professional opinion and, if possible, the national opinion

• Delegates represent the national opinion in technical committees

Mirroring in DIN (NHRS in DIN e.V., committee NHRS 041-03 FB):

• Mirror committee for CEN/TC 58, CEN/TC 58/WG 11, ISO/TC 161

• Mirror committee for CEN/TC 58/WG 13, ISO/TC 161/WG 3, ISO/TC 161/WG 4

• Mirror committee for CEN/TC 47/WG 2, CEN/TC 58/WG 12, CEN/TC 58/WG 14, CEN/TC 247/WG, CLC/TC 72 (control units)

• Committee was integrated into NA 041-03-31 GA

Page 4

Standard structure

• The number of European standards increased steadily during the past years, replacing national standards

• The share of standards with a mandate of the EU Commission increases (for mandated standards, the EU Commission checks the standard's conformity with the directives)

[Chart: European standards, number of standards per year and share of mandated standards; data not reproduced]

Page 5

Relevant standards and terms of reference

Aspects covered:

• Defined safety functions: EN 298 + application

• Avoidance of systematic faults and failures in hardware and software

• Identification and control of random hardware failures during operation

• Architecture (fault tolerance / redundancy)

Standards involved: EN 298, EN 60730-2-5, EN 60730-1 (4th ed.), EN 13611

Page 6

IEC 61508 : 2010 (Ed. 2.0)

Changes & Modifications

Page 7

IEC 61508 : 2010 (Ed. 2.0) – structure of the standard

Technical requirements:

• Part 1: Development of the overall safety requirements (concept, scope definition, hazard and risk analysis) for the complete system [7.1 to 7.5]

• Part 1: Safety requirements for the safety-related E/E/PE system [7.6]

• Part 2 / Part 3: Realisation phase for the safety-related E/E/PE system (Part 2) and for the safety-related software (Part 3)

• Part 1: Installation, commissioning and safety validation of the safety-related E/E/PES [7.13 and 7.14]

• Part 1: Operation and maintenance, modification, decommissioning of the safety-related E/E/PES [7.15 to 7.17]

• Part 5: Risk-based approaches for the development of safety integrity requirements

• Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3

• Part 7: Overview of techniques and measures

Other requirements:

• Part 1: Documentation (Clause 5 and Annex A)

• Part 1: Management of functional safety (FSM) (Clause 6)

• Part 1: Functional safety assessment (Clause 8)

• Part 4: Definitions and abbreviations

Page 8

IEC 61508 : 2010 (Ed. 2.0) – relationship of Parts 2 and 3 in the E/E/PES realisation phase

Specification of the E/E/PES safety requirements
  → E/E/PES architecture
    → Software safety requirements (application range of Part 3)
      → Software design and development (Part 3)
    → Specification of the hardware safety requirements (application range of Part 2)
      → Design and development of the programmable electronics hardware (Part 2)
      → Design and development of non-programmable hardware (Part 2)
    → Integration of the programmable electronics (hardware and software) (Parts 2 and 3)
  → E/E/PES integration (Part 2)

Page 9

IEC 61508-1: 2010 (Ed. 2.0)

General requirements

• More stringent requirements for Functional Safety Management (FSM) and the monitoring of FSM activities (also for subcontractors and suppliers)

• Persons involved in FSM shall have expert knowledge (documentation required: CV, certificates, education level)

• During hazard and risk analysis, security issues shall be handled, too (malevolent or unauthorised behaviour, foreseeable misuse)

• Even if the EUC has "only" SIL 1, the complete set of requirements of this standard has to be fulfilled

Page 10

IEC 61508-2: 2010 (Ed. 2.0)

Requirements for electrical / electronic / programmable electronic safety-related systems

• A system may be split into elements, each with its own level of "systematic capability" (1, 2 or 3)

• Methods to be used to achieve the hardware safety integrity constraints:

  * Existing: based on the hardware fault tolerance and safe failure fraction concepts (Route 1H)

  * Additional: based on component reliability data from field feedback of end users (Route 2H)

  Remark: the definition is vague; according to TÜV it is not simply applicable

Page 11

IEC 61508-2: 2010 (Ed. 2.0)

Requirements for electrical / electronic / programmable electronic safety-related systems

• Avoidance of systematic faults in ASIC design

• "Compliant items" which shall be used for the product need to have a "safety manual"

• New and more stringent requirements for the diagnostics implemented to detect random failures

• The claimed safety performance has to be supported by sufficient evidence

Page 12

IEC 61508-3: 2010 (Ed. 2.0)

Software requirements

• Safety-related communication shall be part of the software safety requirements

• Foreseeable misuse shall be considered during requirements specification and validation planning

• Safety requirements shall contain details about:

  • configuration data
  • operational parameters
  • data exchange

Page 13

IEC 61508-3: 2010 (Ed. 2.0)

Software requirements

• Online support tools (influencing the safety-related system at run-time) shall be treated as an element of the safety function

• Offline support tools (e.g. compiler) shall be selected as a coherent part of the software development activities

• Offline tools have to be classified (class T1 to T3); their selection shall be justified

• Tools classified T3 (e.g. compiler) shall be validated and "proven in use"

• Assessment of code generation tools is required

• Configuration management shall include tool version management (including the tool parameters, options and scripts selected)

Page 14

IEC 61508-3: 2010 (Ed. 2.0)

Software requirements – Annex A

• Forward and backward traceability of safety requirements through the whole software / hardware lifecycle:

  • Safety requirements specification
  • Modification
  • Software architecture
  • Software design
  • Software development
  • Testing
  • Integration (HW/SW)
  • Verification / Validation

Page 15

Security as a term of standards

IEC 61508 : 2010 (Ed. 2.0)
EN 13611 : 2012

Page 16

Security

• Responsibility for the limitation of threats and the avoidance of attacks is shared by operator and manufacturer:

  • Facility operator: closing attack routes

  • ICS manufacturer: blocking attack methods

Page 17

Security

Threat and attack scenarios may lead to attacks on the protection goals, such as:

• Confidentiality (unauthorised information gain)
• Integrity (unauthorised modification)
• Availability (unauthorised limitation of functionality)

Classification of directed attacks:

Attack probability: the higher the effort an attack requires, the lower the attack probability

• Special knowledge needed → attack probability low ("++")
• Special equipment needed → attack probability middle ("+")
• Attack possible as an act of opportunity → attack probability high ("o")

Potential danger: the more critical the attacked function, the higher the potential danger

• Non-safety-related system function affected → potential damage low, no danger
• Monitoring system function affected → potential damage middle
• Safety-related system function affected → potential damage high, direct danger

Page 18

Security

• The security risk (1 to 9) can be split into 3 categories:

  • [0…2] No action required (category 1 following EN 50159:2010-09)
  • [3…5] Optional measures (category 2 following EN 50159:2010-09)
  • [6…9] Urgent action required (category 3 following EN 50159:2010-09)

Page 19

Security

Measures for facility operators

Physical access security to the system

• Locking system

• Alarm system

Technical access security to the system

• No connection of communication to public networks

• Password protection

• Coding / Encryption

• Access keys

Page 20

Security

Measures for manufacturers

• Sequence number

• Time monitoring

• CRC

• Passwords for identification

• Question/answer communication with user confirmation

• Limited gateway

• Counter for the maximum number of occurrences

• Handshake method for end-to-end coverage
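The first three manufacturer measures above, together with the occurrence counter, are the classic EN 50159 defences against corruption, repetition, loss, insertion, re-sequencing and delay of telegrams on a safety-related channel. The following added example (not code from the slides or from LAMTEC) shows how a receiver combines them: the CRC rejects corrupted frames, the sequence number rejects replayed or out-of-order frames, the timestamp rejects delayed or stale frames, and a counter of consecutive faults latches the receiver into a safe state. The telegram layout, the CRC-32 polynomial (zlib's), the 500 ms time window and the limit of 3 faults are assumptions chosen for illustration, not values taken from any standard.

```python
"""Added illustration of sequence number, time monitoring, CRC and an
occurrence counter protecting a safety-related telegram.  Not code from the
slides; the frame layout, window sizes and limits are assumptions."""
import struct
import zlib

# Assumed telegram layout: header (sequence u16, timestamp ms u32, payload
# length u16) + payload + CRC-32 (zlib polynomial) over header and payload.
HDR = struct.Struct(">HIH")
CRC = struct.Struct(">I")
MAX_AGE_MS = 500   # assumed time-monitoring window
MAX_FAULTS = 3     # assumed number of consecutive faults before safe state


def build_telegram(seq: int, timestamp_ms: int, payload: bytes) -> bytes:
    """Sender side: prepend sequence number and timestamp, append CRC."""
    body = HDR.pack(seq & 0xFFFF, timestamp_ms & 0xFFFFFFFF, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


class SafeReceiver:
    """Receiver side: every telegram must pass CRC, sequence and timing checks.

    A rejected telegram increments a fault counter; MAX_FAULTS consecutive
    faults drive the receiver into a latched safe state in which no further
    payloads are delivered.  That is the 'counter for the maximum number of
    occurrences' measure.
    """

    def __init__(self) -> None:
        self.expected_seq = None   # the first accepted telegram fixes the sequence
        self.last_ts = None
        self.faults = 0
        self.safe_state = False

    def _fault(self, reason: str):
        self.faults += 1
        if self.faults >= MAX_FAULTS:
            self.safe_state = True
        return None, reason

    def accept(self, frame: bytes, now_ms: int):
        """Return (payload, 'ok') or (None, reason) for a rejected telegram."""
        if self.safe_state:
            return None, "safe-state"
        if len(frame) < HDR.size + CRC.size:
            return self._fault("truncated")
        body, crc = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])[0]
        # CRC: detects corruption (bit errors, non-safety traffic masquerading)
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return self._fault("crc")
        seq, ts, length = HDR.unpack_from(body)
        payload = body[HDR.size:]
        if len(payload) != length:
            return self._fault("length")
        # Sequence number: detects repetition, loss, insertion and re-sequencing
        if self.expected_seq is not None and seq != self.expected_seq:
            return self._fault("sequence")
        # Time monitoring: detects delayed telegrams and stale timestamps
        if now_ms - ts > MAX_AGE_MS or (self.last_ts is not None and ts < self.last_ts):
            return self._fault("timing")
        self.expected_seq = (seq + 1) & 0xFFFF
        self.last_ts = ts
        self.faults = 0            # the counter tracks consecutive faults only
        return payload, "ok"


def demo():
    """Walk one receiver through a good telegram, a replay, a corrupted
    telegram, a second good telegram and a delayed telegram; returns the
    list of verdicts (constructed sample traffic)."""
    rx = SafeReceiver()
    verdicts = []
    t1 = build_telegram(1, 1000, b"OPEN")
    verdicts.append(rx.accept(t1, 1100)[1])                                  # ok
    verdicts.append(rx.accept(t1, 1200)[1])                                  # replay: sequence
    t2 = bytearray(build_telegram(2, 1200, b"CLOSE"))
    t2[HDR.size] ^= 0x01                                                    # flip one payload bit
    verdicts.append(rx.accept(bytes(t2), 1300)[1])                           # crc
    verdicts.append(rx.accept(build_telegram(2, 1200, b"CLOSE"), 1300)[1])  # ok
    verdicts.append(rx.accept(build_telegram(3, 1300, b"X"), 2000)[1])      # 700 ms old: timing
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the CRC is verified before any header field is trusted, so a corrupted sequence number or timestamp cannot steer the receiver's state. Passwords for identification and the question/answer handshake from the list are not modelled here; they would sit on top of this frame check as an authentication layer.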

Page 21

EN 298 : 2012

Changes & Modifications

Page 22

EN 298 : 2012

EN 298 : 2012 "Automatic burner control systems"

This standard has been published as national edition DIN EN 298:2012-09, replacing EN 298:2003 and EN 230:2005

• Consolidation of the requirements for automatic burner control systems for burners and appliances burning gaseous or liquid fuels

• Adaptation to structure and content of EN 13611:2007 + A2:2011

• References to EN 60730-1:2011 (software) and EN 60730-2-5:2002 + A2:2010

• New requirements for common cause failures of switching elements

• Requirements for independent flame detector devices

Modifications:

For EMC testing, EN 298 requires compliance with EMC class B (EN 60730-2-5:2010).

Page 23

EN 298 : 2012

Modifications:

• Structural alignment to EN 13611

• Integration of EN 230

• Harmonisation of definitions

• Alignment to EN 267 and EN 676 for flame monitoring requirements

• Requirements and tests for independent flame scanners were added

• New requirements for "common cause failures" were added

• Referring to EN 60730-1 (ed. 4), the requirements for software design were extended

Page 24

EN 298 : 2012

Common cause failures:

• Already existing: at least 2 contact elements for safety-relevant output terminals

• NEW: measures to control / avoid the common failure of the 2 contact elements

Further concrete requirements for "common cause failures" are not defined in EN 298 or EN 60730-1 : 2011 (ed. 4)

Page 25

EN 13611 : 2012

Changes & Modifications

Page 26

EN 13611 : 2012

EN 13611 "Safety and control devices for gas burners and gas burning appliances - General requirements"

Annex J – method for determination of the safety integrity level (SIL) based on IEC 61508

• Additional requirements for Functional Safety Management (structured procedure to avoid systematic failures)

• Additional requirements for hardware (includes a calculation of the hazardous failure probability and a determination of a Safety Integrity Level (SIL))

Page 27

EN 13611 : 2012

Annex J - Additional requirements for Functional Safety Management (measures for failure avoidance):

• Safety plan

• Specification of safety requirements

• Design and development

• Integration, hardware and software as a system

• Verification and validation

• Operation and maintenance

• Information for the manufacturer of the application

• Document management

Page 28

EN 13611 : 2012

Annex J - Additional requirements for hardware failure consideration:

• Failures identified and controlled: component failure → identification and control → influence on function and interfaces to the process → evaluation

• Failures without identification and control: component failure → influence on function and process → calculation of the failure probability and other parameters → identification and control → evaluation

Page 29

prEN 16340 : 2011

Changes & Modifications

Page 30

prEN 16340 : 2011

EN 16340 : 2011 "Combustion product sensing devices for gas burners and gas burning appliances"

It applies to all types of stationary sensing devices measuring the flue gas components O2, CO, COe (CO, H2, CxHy, etc.), NOx, SO2

This European standard specifies

• safety,
• construction and
• performance requirements

for combustion product sensing devices (CPSD) intended to be used in combustion control systems.

Page 31

prEN 16340 : 2011

CPSD coupled with combustion control system: (diagram, not reproduced)

Page 32

EN 50156-1: 2005-05-01

Changes & Modifications

Page 33

EN 50156-1: 2005-05-01

prEN 50156 "Electrical equipment for furnaces and ancillary equipment"

Content:

• Part 1: Requirements for application, design and installation (REVISED)

• Part 2: Requirements for design, development and type approval of safety-relevant equipment (NEW)

• Part 3: Requirements for plant-specific tests of safety-relevant equipment (NEW)

Page 34

EN 50156-1: 2005-05-01

Current status:

• Part 1: Enquiry started in July 2012, deadline for comments ended on 5 October 2012

• Part 2: Enquiry started in August 2012, deadline for comments ended on 25 January 2013

• Part 3: Draft is under preparation

Page 35

EN 50156-1: 2005-05-01

Major changes:

In relation to EN 50156-1:2004, prEN 50156 contains the following major changes:

• Terms are adjusted to the terms of the new IEC 61508

• Adjustment to the essential requirements of the Pressure Equipment Directive (PED) 97/23/EC

• Update of normative references

• Elimination of normative references to the EC Machinery Directive

• Creation of Annex ZZ according to the harmonisation with the Pressure Equipment Directive (PED)

• Harmonisation of the requirements for safety-relevant systems with EN 12952 and EN 12953

• Editorial changes in chapter 10

Page 36

Draft prEN 50156-2: 2012-08

Changes & Modifications

Page 37

prEN 50156-2: 2012-08

4.1.2 Requirements for qualification

4.1.2.1 Qualification by product standards

In exception to 4.1.1, safety devices or subsystems shall be used which have been tested in accordance with a product standard from the following list, if they are in the scope of these standards:

• EN 298: Automatic gas burner control systems for gas burners and gas burning appliances

• EN 1643: Valve proving systems for automatic shut-off valves for gas burners and gas appliances

• EN 1854: Pressure sensing devices for gas burners and gas burning appliances

• EN 12952-11: Water-tube boilers and auxiliary installations - Part 11: Requirements for limiting devices of the boiler and accessories

Page 38

prEN 50156-2: 2012-08 (4.1.2.1 continued)

• EN 12067-2: Gas/air ratio controls for gas burners and gas burning appliances – Part 2: Electronic types

• EN 13611: Safety and control devices for gas burners and gas burning appliances - General requirements

• EN 61800-5-2: Adjustable speed electrical power drive systems – Part 5-2: Safety requirements


Page 39

prEN 50156-2: 2012-08

If the applicable product standards do not define safety integrity or safety parameters, safety functions realised with such components have to be built solely from components that comply with such standards.

A SIL calculation is no longer necessary if a safety loop consists only of type-approved devices according to:

Page 40

prEN 50156-2: 2012-08

• EN 161: Automatic shut-off valves for gas burners and gas appliances

• EN 267: Automatic forced draught burners for liquid fuels

• EN 676: Automatic forced draught burners for gaseous fuels

• EN 1854: Pressure sensing devices for gas burners and gas burning appliances

• EN ISO 23553-1: Safety and control devices for oil burners and oil-burning appliances - Particular requirements - Part 1: Shut-off devices for oil burners

• EN 12952-11: Water-tube boilers and auxiliary installations - Part 11: Requirements for limiting devices of the boiler and accessories

• EN 13611: Safety and control devices for gas burners and gas burning appliances - General requirements

• EN 60947-2: Low-voltage switchgear and controlgear – Part 2: Circuit-breakers

4.2 Requirements for safety devices and subsystems of other technologies

Page 41

prEN 50156-2: 2012-08

4.2.2 Qualification

If there is no approval according to the relevant product standards, the following requirements have to be fulfilled:

• Figure 10 of prEN 50156-1 in conjunction with an FMEA according to EN 60812 (Annex B)

• 4.2.3 Quality assurance

• 4.2.4 Quantification

• 4.2.5 Recurring functional testing

• 4.2.6 Operating instructions

Page 42

prEN 50156-2: 2012-08

• Annex A (normative): Proven in operation for subsystems and devices of other technologies

• Annex B (informative): Aspects with influence on functional safety

• Annex C (informative): Summary of the characteristic data for use of a subsystem or device in safety-related applications

• Annex ZZ (informative): Relationship between this European Standard and the Essential Requirements of EU Directive 97/23/EC

Page 43

EN 12067-2 : 2004

Changes & Modifications

Page 44

EN 12067-2 : 2004

EN 12067-2 (electronic fuel/air ratio control) is under revision (the work has just started). New ideas:

• Change the name: no longer only gas appliances. The name changes from GARC (Gas Air Ratio Control) to AFRC (Air Fuel Ratio Control)

• Extend the scope: include also fuel/air monitoring systems, e.g. with flue gas sensors

• Include all influences that can change the lambda value (air ratio) in the safety consideration, not only the deviation of the air/fuel ratio control itself, e.g. gas pressure change, change of calorific value etc.

• Improve the definition of safety times and safety deviation.

Page 45

THANK YOU FOR YOUR ATTENTION