DIRC Workshop on Software Quality and the Legal System, 13 February 2004
Functional safety of electrical, electronic and programmable electronic safety-related systems
Ron Bell, Electrical and Control Systems Group, Health and Safety Executive
Objectives • To provide an overview of the key principles for the design of complex electrical, electronic or programmable safety-related systems with particular reference to IEC 61508 • To comment on the legal issues from a Regulator’s perspective
Contents • Section 1: Examples of systems and subsystems under consideration • Section 2: What's the problem? • Section 3: Essentials of functional safety • Section 4: Legal considerations • Section 5: Standards and "good practice" • Section 6: Concluding comments
Section 1: Examples of systems and subsystems under consideration
Examples of systems, subsystems & devices under consideration • electro-mechanical (low complexity) • solid state electronic (low complexity/complex) • programmable electronic (complex): programmable controllers (PCs); programmable logic controllers (PLCs); microprocessor based systems; application specific integrated circuits (ASICs); intelligent sensors/transmitters/actuators etc.; digital communication systems (e.g. bus systems); internet based technologies
Examples of applications under consideration. The following are examples of safety-related systems: • an emergency shut-down system in a hazardous chemical process plant • railway signalling and train protective systems • guard interlocking systems and emergency stopping systems for machinery • variable speed motor drives used to control the speed as a necessary means of safety • information based safety-related systems
Section 2: What's the problem?
Safety issues of complex systems • Complexity (software/hardware/system integration) …many factors involved • Testing necessary but not sufficient • Prediction of system performance (safety integrity) difficult; • Only random hardware failures can be quantitatively predicted with confidence • Demands systematic approach throughout the safety lifecycle….. effective Functional Safety Management • Demands high level of competence throughout the safety lifecycle
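The slide above says that only random hardware failures can be quantitatively predicted with confidence; that quantification is what IEC 61508's probability-of-failure-on-demand (PFD) targets rest on. What follows is an added worked example, not code from the slides or from HSE. It uses the simplified IEC 61508-6 formulas for single-channel (1oo1) and dual-channel (1oo2) architectures in low-demand mode, ignoring repair time and diagnostic coverage, with constructed input values for the dangerous undetected failure rate, the proof-test interval and the common-cause beta factor. It goes slightly beyond the slide by showing that in the redundant architecture the beta term, an engineering judgement rather than a measured rate, dominates the result.

```python
# Added example (not from Ron Bell's slides): simplified IEC 61508-6 style
# PFDavg estimates for two E/E/PE safety-function architectures in low-demand
# mode. Formulas are the textbook simplifications with no repair time and no
# diagnostics. All numeric inputs below are constructed for illustration.

# Low-demand SIL bands from IEC 61508-1: SIL -> (lower, upper) PFDavg.
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def pfd_1oo1(lambda_du: float, t1_hours: float) -> float:
    """Single channel: dangerous undetected failure rate lambda_du (per hour),
    proof-test interval t1 (hours). PFDavg = lambda_du * T1 / 2."""
    return lambda_du * t1_hours / 2.0


def pfd_1oo2(lambda_du: float, t1_hours: float, beta: float) -> float:
    """Two redundant channels, either of which can perform the safety function.
    Independent failures:  ((1 - beta) * lambda_du * T1) ** 2 / 3
    Common-cause failures: beta * lambda_du * T1 / 2   (beta-factor model)"""
    independent = ((1.0 - beta) * lambda_du * t1_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * t1_hours / 2.0
    return independent + common_cause


def common_cause_share(lambda_du: float, t1_hours: float, beta: float) -> float:
    """Fraction of the 1oo2 PFDavg that comes from the common-cause term."""
    common_cause = beta * lambda_du * t1_hours / 2.0
    return common_cause / pfd_1oo2(lambda_du, t1_hours, beta)


def sil_for_pfd(pfd: float):
    """SIL claim limit for a low-demand PFDavg, or None if worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        lo, hi = SIL_BANDS[sil]
        if lo <= pfd < hi:
            return sil
    return None


if __name__ == "__main__":
    # Constructed inputs: about one dangerous undetected failure per 57 years
    # per channel, annual proof test, 10% common-cause fraction.
    lam, t1, beta = 2e-6, 8760.0, 0.1
    print(f"1oo1 PFDavg = {pfd_1oo1(lam, t1):.2e}  -> SIL {sil_for_pfd(pfd_1oo1(lam, t1))}")
    print(f"1oo2 PFDavg = {pfd_1oo2(lam, t1, beta):.2e}  -> SIL {sil_for_pfd(pfd_1oo2(lam, t1, beta))}")
    print(f"common-cause share of 1oo2 PFDavg = {common_cause_share(lam, t1, beta):.0%}")
```

With these inputs the single channel lands in the SIL 2 band and the redundant pair in SIL 3, but over 90% of the 1oo2 figure is the beta term. The arithmetic is only as good as the beta estimate and the assumption that the hardware failure data apply; none of it says anything about specification or software errors, which the next slides show are the majority of real incidents.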
Section 3: Essentials of functional safety
E/E/PE = electrical, electronic & programmable electronic. IEC 61508: Functional safety of electrical, electronic & programmable electronic safety-related systems. Example usage: E/E/PE device; E/E/PE system.
Safety and functional safety • Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment • General definition: functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs • Definition applied to E/E/PE safety-related systems: "Part of the overall safety relating to the equipment and its associated control system which depends on the correct functioning of electrical, electronic and programmable electronic safety-related systems……"
Functional safety • Overall safety = A + B • A: non-functional safety, achieved by measures reliant on passive systems (e.g. insulation on electrical conducting parts) • B: functional safety, achieved by active systems (e.g. temperature measurement and de-energisation of contactor)
Primary cause (by lifecycle phase) of control system failure [based on 34 incidents]
Lifecycle phase                  Share of incidents
Specification                    44.1%
Design & implementation          14.7%
Installation & commissioning      5.9%
Operation & maintenance          14.7%
Changes after commissioning      20.6%
All lifecycle phases need to be addressed if functional safety is to be achieved!
Strategy in IEC 61508 to achieve functional safety • Three elements apply to all phases of the safety lifecycle: functional safety management; technical requirements; competence of persons • Safety lifecycle phases: specification; design & implementation; installation & commissioning; operation & maintenance; changes after commissioning
Some design measures to achieve functional safety! • Functional safety requirements specification • Systematic hardware • EMI • Human factors • Fault tolerance • Software • Random hardware failures • etc. Software is one of many necessary measures!
Section 4: Legal considerations
Criminal law framework: Act of Parliament; EC Directive; Regulations
Health & Safety at Work etc. Act 1974 (HSW) • Underpins GB workplace health & safety legislation • Places duties on: employees / self-employed; employers (to employees); employers / self-employed (to others); manufacturers etc. • Unlimited fines / imprisonment
Health & Safety at Work etc. Act 1974, Section 6 • It shall be the duty of any person who designs, manufactures, imports or supplies any article for use at work….to ensure, so far as is reasonably practicable ('sfairp'), that the article is so designed and constructed that it will be safe and without risks to health at all times ……
Health & Safety at Work etc. Act 1974, Section 6 (cont'd) • Carry out testing and examination as necessary to ensure safety, 'sfairp' • Provide adequate information about the use for which the article is designed and any conditions necessary to ensure it will be safe • Provide, 'sfairp', such revisions of information as are necessary if there is a serious risk to health or safety
So Far as is Reasonably Practicable (SFAIRP) • 'SFAIRP' = 'ALARP' (HSE view) • risk is reduced to the point where the cost of further risk reduction would be 'grossly disproportionate' to the risk reduction gained, i.e. the risk is As Low As is Reasonably Practicable ('ALARP')
Health & Safety at Work etc. Act 1974 (HSW), Section 3 • It shall be the duty of every employer (and self-employed person) to conduct his undertaking in such a way as to ensure, so far as is reasonably practicable, that other persons who may be affected thereby are not thereby exposed to risks to their health or safety
Health & Safety at Work etc. Act 1974 (HSW), Section 3. Example: design assessment • Port Ramsgate walkway collapse, 14 September 1994 • 6 people died, 7 severely injured • Design calculations inadequate • Lloyd's Register had assessed the design • Pleaded not guilty, found guilty • £500,000 fine, £242,500 costs
Example supply chain model (for discussion purposes!) • Parties: end user; consultant; system integrator; various suppliers • Links between parties are either S/A/S (specification, agreement & supply) or S/A (specification & agreement) • #1: HSW Act S. 6 applicable for failures in the supply chain, but potential issues arise because: is software an article? Does "safe" in S. 6 encompass "functional safety"? • #2: HSW Act S. 3 applicable since the respective employers of the consultant, system integrator and various suppliers have a duty to "other persons who may be affected" • #3: End user has duties under HSW Act S. 2 & S. 3
Section 5: Standards and "good practice"
Standards and "Good Practice" • HSE defines "good practice" as the generic term for those standards for controlling risk which have been judged and recognised by HSE as satisfying the law when applied to a particular relevant case in an appropriate manner • Can take many forms, for example: • HSC Approved Codes of Practice (ACoPs), which have special legal status under HSW Act S.16 • HSE guidance
Standards and “Good Practice” • Other written sources which may be recognised include: • Standards produced by Standards-making organisations (e.g. BSI, CENELEC, IEC, ISO) • Guidance agreed by a body representing an industrial /occupational sector (e.g. trade federation, professional institution) • Examples include: • IEE/BCS Competency Guidelines for Safety-related system Practitioners • IEC 61508: “Functional safety of electrical, electronic and programmable electronic safety-related systems”
Concept of good practice: HSE position on IEC 61508 • IEC 61508 "Functional safety of electrical, electronic and programmable electronic safety-related systems" provides a basis for the achievement of functional safety. • HSE's position on IEC 61508 is as follows: • IEC 61508 will be used by HSE as a reference standard for determining whether a reasonably practicable level of safety has been achieved • The extent to which HSE will use IEC 61508 will depend on individual circumstances, including whether any sector standards based on IEC 61508 have been developed and whether there are existing specific guidelines or standards.
Section 6: Concluding comments
Concluding comments (1) • Safety is the goal • Functional safety is a subset of safety • To achieve functional safety many factors have to be addressed, including: • Functional safety management • Technical requirements for all safety lifecycle activities • Competence of those involved in any activity having a bearing on functional safety • Software is but one factor in the achievement of functional safety, albeit a very important factor, that needs to be addressed
Concluding comments (2) • HSW Act covers within its scope the concept of functional safety • There remains an issue as to whether HSW Act S.6 covers functional safety and whether software is an article within the meaning of S.6 • Any changes to the legal requirements should be aimed at functional safety and not specifically software