Multi-Domain Comparison of Safety Standards Philippe Baufreton, Jean-Paul Blanquart, J


Multi-domain comparison of safety standards

Philippe Baufreton, Jean-Paul Blanquart, J. Boulanger, H Delseny, J. Derrien, J. Gassino, G Ladier, E Ledinot, M Leeman, P Quéré, et al.

To cite this version: Philippe Baufreton, Jean-Paul Blanquart, J. Boulanger, H Delseny, J. Derrien, et al. Multi-domain comparison of safety standards. ERTS2 2010, Embedded Real Time Software & Systems, May 2010, Toulouse, France. hal-02264379

HAL Id: hal-02264379
https://hal.archives-ouvertes.fr/hal-02264379
Submitted on 7 Aug 2019

Multi-domain comparison of safety standards

P. Baufreton (1), JP. Blanquart (2), JL. Boulanger (3), H. Delseny (4), JC. Derrien (1), J. Gassino (5), G. Ladier (4), E. Ledinot (6), M. Leeman (7), P. Quéré (8), B. Ricque (1)

1: Sagem Défense Sécurité, 180 Avenue de Paris, 91300 Massy, France
2: Astrium Satellites, 31 rue des cosmonautes, 31402 Toulouse Cedex 04, France
3: CERTIFER, 1 place de Boussu, 59416 Anzin, France
4: Airbus, 316 route de Bayonne, 31060 Toulouse Cedex 09, France
5: Institut de Radioprotection et de Sûreté Nucléaire (IRSN), BP 17, 92262 Fontenay-Aux-Roses, France
6: Dassault Aviation, 78 quai Marcel Dassault, 92552 Saint-Cloud Cedex, France
7: Valeo, 2 Avenue Fernand Pouillon, 94042 Créteil, France
8: Renault, 1 avenue du Golf, 78288 Guyancourt, France

Abstract: This paper presents an analysis of safety standards and their implementation in certification strategies from different domains such as aeronautics, automation, automotive, nuclear, railway and space. This work, performed in the context of the CG2E ("Club des Grandes Entreprises de l'Embarqué"), aims at identifying the main similarities and dissimilarities, for potential cross-domain harmonization. We strive to find the most comprehensive 'trans-sectorial' approach, within a large number of industrial domains. Exhibiting the 'true goals' of their numerous applicable standards, related to the safety of system and software, is a first important step towards harmonization, sharing common approaches, methods and tools whenever possible.

Keywords: standards, safety, cross-domain comparison, software, certification

1. Introduction, Objectives

CG2E ("Club des Grandes Entreprises de l'Embarqué") is an initiative launched (mid 2007) by major industrial companies involved in the development of critical embedded systems in a wide spectrum of application domains. Today this organization comprises more than twenty large, medium and small innovative companies, covering six important industrial fields that will be referred to in this paper.

Several technical working groups were launched in 2008, one of them addressing "standards & norms", mainly related to the safety of critical embedded systems and software. After a wide state of the art survey performed in 2009, comparing the various standards and practices in many different industrial fields, several areas were identified including "dependability and certification", the object of this paper.

The CG2E objectives are to leverage the domain-specific best practices in the development of software intensive safety critical embedded systems. It elaborates proposals, recommendations, roadmaps etc. based on collaborative work and discussions in dedicated thematic working groups.

A team of about 20 experts and contributors to this activity has been working for one year. They have the opportunity to share their expertise within a transversal approach between the companies involved in this working group.

Our meeting discussions led us to initiate the elaboration of a common terminology to address all these topics.

Dedicated seminars helped us perform deep analyses of the main system and software standards, used in 6 industrial domains (civil aviation, automotive, space, automation and industrial control, nuclear plants, railway).

This constitutes the basis for a comparative analysis and synthesis of the relevant standards for these major industrial domains, taking care of both technological and economic factors, without losing the main focus on safety.

This paper presents a summary of the main topics that are addressed in more detail in a deliverable of our working group, currently under preparation.

2. History and positioning of standards

This section presents a brief overview of the history and positioning of the analysed standards. We first present the generic multi-domain IEC 61508 standard and the more specific standards derived from it, applicable mainly in automation, railway and automotive domains. Then we present the situation in three other domains which for various reasons use standards not directly related to the IEC 61508: nuclear, aeronautics and space.

2.1. IEC 61508, automation, rail, automotive

In September 1985, the International Electrotechnical Commission (IEC) set up a Task Group to assess the viability of developing a generic standard for Programmable Electronic Systems (PESs). The outcome was the setting up of a working group to develop a system-based approach. A working group had previously been set up to deal with safety-related software. Both working groups collaborated on the development of an international standard that was to become IEC 61508.

The original scope of PESs was extended to include all types of electro-technical based technologies (electrical, electronic and programmable electronic (E/E/PE) systems). Parts 1-7 of IEC 61508 were published during the period 1998-2000. In 2005 IEC Technical Report 61508-0 was published. A review process initiated in 2002 to update and improve the standard will be completed with the publication of IEC 61508 Edition 2 targeted by March / April 2010.

The standard came up to meet the demand for moving from a prescriptive approach to a performance-based approach. The intention of the workgroup was to produce a base standard, i.e. according to IEC rules a standard to be used only to write other standards. However, the reality today is that IEC 61508 is directly used by industries. Sector specific standards have been derived from IEC 61508, the closest one being IEC 61511 for process industries as most of the IEC 61508 workgroup were coming from this sector. This resulted also in standard application conflicts between industry sectors having already operational standards with a holistic approach to systems. This is mainly the case with aeronautics. The paternity of IEC 61508 over some standards is subject to controversy as some "sector-specific" standards (e.g. IEC 61513 nuclear sector) were issued earlier and developed a very different safety approach.

Concerning the automotive domain, in the 90's, because of the increasing number and complexity of the safety critical systems embedded in a car, it was felt that a common reference to define the state of the art was needed in order to avoid liability issues. Some carmakers and suppliers started to use the IEC 61508. Although the IEC 61508 framework is considered very useful, many difficulties were experienced using this standard coming from process automation industry. Therefore, it was quickly felt in the community that a strongly adapted variant of IEC 61508 was needed.

[...]

The project is currently in Draft International Standard (DIS) status.

Standards derived from IEC 61508 include standards for process industries, machinery (IEC 61511:2003, 62061:2005), power drive systems, programmable controllers (IEC 61800:1997, 61131-6(CDV)), communication networks (61784-3:2007), explosive atmospheres, detection, measurement, apparatus (EN 60079, 50271, 5042), medical devices (IEC 60601:2005), railway (EN 50126, 50128, 50129) and automotive (ISO/DIS 26262).

2.2. Nuclear domain

The IAEA (International Atomic Energy Agency) was created in 1957 within the United Nations to promote and support the safe use of nuclear technology for peaceful applications, and currently has 151 Member States.

In particular, its Safety Guide [IAEA NS-G-1.3] provides general guidance on "Instrumentation and Control (I&C) Systems Important to Safety in Nuclear Power Plants". This guide addresses the classification, safety requirements, and design of these systems.

[IAEA NS-G-1.3] was published in 2002; it combines and revises earlier guides published in 1980 (50-SG-D3: Protection System and related features) and 1984 (50-SG-D8: Safety-Related Instrumentation and Control Systems).

This chronology shows that the Protection System was regarded as the most important one and was addressed first in 1980, followed by the other systems important to safety in 1984. The revision and combination of these guides into NS-G-1.3 was motivated in particular by the need to take into account the evolution in computer-based systems and to include guidance on the classification of the systems.

According to an agreement with IAEA, the Technical Committee 45 of IEC (International Electrotechnical Commission) developed standards to implement IAEA safety principles in technical details.

The approach of the following IEC-TC45 standards to design and verify computer-based systems has been tailored since the 1980's to meet the needs of