Copyright (\) IFAC Automated Systems Based on Human Skill,

Aachen,GermanY,2000

DESIGN, ORGANISATION, PLANNING ACCORDING TO FUNCTIONAL SAFETY

METHODOLOGY

Tadeusz Missala*

Industrial Research Institute for Automation and Measurements PIAP,

AI. Jerozolimskie 202,
PL 02-486 WARSZAWA, Poland,
Tel.: +(4822) 87 40 402; + (48) 0603 919139
Fax: +(48.22) 87 40 220;
e-mail: tmissala@sg.piap.waw.pl

Abstract: This paper deals with the problems of the planning and the design of safety related control
systems. Such systems are used not only for protection purposes, but first of all for control purposes,
as the many operation functions, e.g. start, stop, emergency stop, restart are considered as safety
related functions. The safety life cycle of the system is presented and its design phase is discussed in
details. The measure of functional safety - integrity level - is defined and the corresponding require-
ments are referenced. On this basis, the organising actions, required by the functional safety method-
ology, are presented. Copyright @2000 IFAC

Keywords: Design planning; functional safety; control systems.

1. INTRODUCTION
A wide use of the automated manufacture and The related requirements are listed in tables 1
service devices and systems, among them and 2.
robots and robot systems, had introduced not
only a new, high level of comfort, but also new
kinds of hazards. Especially the microproces- Safety Low demand mode of opera-
sor based devices and systems have intro- integrity tion
duced the great facilities and great hazards, level (Average probability of failure to
because they are very often used in the safety (SIL) perform its design function on
critical applications. It is evident, the contempo- demand)
rary technology shall propose the respective
4 ~ 10.5 ::; 10. 4
means to obviate these hazards.
3 ~ 10.4 ::; 10.3
One of the proposed ways it is the functional > 10. 3 ::; 10. 2
2
safety philosophy.
1 ~ 10.2 ::; 10. 1
The functional safety, as it is presented in the
IEC 61508-1 to 7 and detailed in the draft IEC
61511-1, it is the organising, methodological
and technical way to the confirmation, the Table 1. Safety integrity levels for low demand
separate device or the system as a whole will mode of operation
fulfil its technical mission during the prescribed
time period and with the prescribed probability.

141
 Safety High demand or continuous The other important ideas are:
integrity mode of operation
• module - discrete units, capable of per-
level (Probability of a dangerous forming distinct functions and which can be
(SIL) failure per hour) easily joined to or arranged with other units;
4 ~ 10-5 ~ 10-4
~ 1O-4~ 10- 3 • element - any physical part, comprising
3 hardware and/or software, that can be indi-
2 ~ 10- -S 10-2
3
vidually considered and tested.
1 ~ 10-2~ 10- 1
On the basis of the above done definitions the
system functionally description is made. To be
useful for the further analysis, the description
Table 2. Safety integrity levels for high demand shall list:
or continuous mode for operation
• all tasks which be realised in the expected
applications;
The basis idea of the functional safety is the
• all realised functions, grouped into: process
"safety lifecycle" of the device or of the system.
interface functions, data processing func-
tions, communication functions, human in-
The overall life cycle contains the steps as
terface functions, interface functions to ex-
follows:
ternal equipment.
a) concept;
b) scope definition; Each individual function may be distributed
c) hazard and risk analysis between distinctly different physical modules.
d) overall operation and maintenance plan-
ning;
e) overall safety validation planning; 3. HAZARD AND RISK ANALYSIS
f) overall installation and commissioning plan-
The goal of the hazard and risk analysis is to
ning;
establish the necessary risk reduction from the
g) system realisation;
process risk to the residual risk, as it is shown
h) overall installation and commissioning;
on the Fig. 1. It is to underline that:
i) overall safety validation;
j) overall operation, maintenance and repair; • hazard is a potential source of harm;
k) overall modification or retrofit;
I) decommissioning or disposal. • harm is a physical injury or damage to the
health of people either directly, or indirectly
Stages a) to h) concern the design phase, the as a result of damage to property or to the
others - the realisation and exploitation phases. environment;
The design phase will be presented only.
• risk is a combination of the probability of
For all stages of the safety lifecycle are pre- occurrence of harm and the severity of the
scribed the specific organising and technical harm.
requirements, which shall be introduce into the
lolerabl fJrocess
practice by the correspondent procedures.

2. CONCEPT AND SCOPE DEFINITION

L;j risk risk

~
risk

... ...
: r-
First of all the technical mission of the equip- increasing
ment or system (below will be used the term 1 risk
"system" only) shall be established. The mis-
sion it is the collective activity assigned to the ;. Necessary risk reduction
system to achieve a defined goal in a defined
period under defined conditions. (IEC 61069-
1). The technical mission contains various Actual risk reduction
tasks and various functions, where:
• task - logically complete operation forming a Fig.1 - Risk reduction; general concepts
part of the system mission;
• function - elementary operation performed
by the system which, combined with other The various risks indicated in Fig. 1 are as
elementary operations (i.e. system func- follows:
tions) enable the system to perform a task.

142
• process risk - the risk existing for the speci-
fied hazardous events for the process, the
process control system and associated hu-
man factor issues - no designated safety
protective features are considered in the
determination of risk;
• tolerable risk - the risk which is accepted in
a given context based on the current values
of society;
• residual risk - risk that remaining for the
specified hazardous events for the process,
the basic process control system, human
factor issues but with the addition of exter-
nal risk reduction facilities, Safety Instru-
mented Systems and other technology
safety related systems.
The first step of the analysis is to establish the
tolerable risk target (IEC 61511-3). As the zero
risk achieve isn't possible, the target value
shall be established as the consensus between
the interested parties, e.g. safety regulatory
authorities, companies governing bodies; the
level of the risk target value may also results
from company strategic policy.
The established value will be the directive by
the design works.
The second activity is to identify hazards, po-
tential process deviations and their causes,
available engineered systems, initiating events
and accidents that may occur, as well as iden-
tification of the: consequences of the hazards,
frequency of the hazards arising and exposure
time to them, possibility of the avoiding of the
hazards, probability of the unwanted occur-
rence.
EN 1050 advises to use the methods:
• Preliminary Hazard Analysis (PHA);
• WHAT-IF Method;
• Failure Mode and Effects Analysis (FMEA);
• Fault Simulation for Control Systems;
• MOSAR Method (Method Organised for a
Systematic Analysis of Risks)
• Fault Tree Analysis (FTA);
• DELPHI-Technique.
But in a case of process control systems the
most often used technique is the Hazard and
Operability Study (HAZOP, see IEC 61511-3).
As initiating events shall be considered all in-
ternal and external factors, that can cause the
malfunctions, faults or failure of the process
control system or of the controlled system,
which effects could be hazards or accidents.
These factors (EN 1050) have the nature: me-
143
chanical (among them vibrations), electrical
(among them all electromagnetic distur-
bances), thermal, acoustic (noise), chemical,
biological, ergonomics, human errors and also
the combined nature.
The HAZOP results are the input to the risk
reduction planning; some of corresponding
techniques are listed in IEC 61511-3 and IEC
61508-5; they are:
• ALARP method (As Low As Reasonably
Practicable) ;
• quantitative method, which is based on the
calibrated accident scenarios graphs;
• quantitative method basing on the cali-
brated risk graphs which input is the de-
termination of SIL;
• Safety Layer Matrix Method;
• Layer of Protection Analysis (LOPA).
4. OVERALL SAFETY REQUIREMENTS
The required probability of the realisation of the
device or system mission is a function of the
results of hazard and risk analysis. Therefore
the objective of this stage is to develop the
specification for the overall safety require-
ments, in term of the safety functions require-
ments and safety integrity requirements. This
means:
• all the safety functions necessary to ensure
the required functional safety for each de-
termined hazard shall be specified;
• the necessary risk reduction shall be deter-
mined for each determined hazardous
event; this risk reduction may be deter-
mined in a quantitative and/or qualitative
manner;
• all reasonably foreseeable dangerous fail-
ure modes of the process control system
shall be determined and taken into account;
• the process control system shall be sepa-
rate and independent from the safety re-
lated systems and external risk reduction
facilities, if these cannot be met, then proc-
ess control system shall be designated as
safety-related system;
• the safety integrity requirements, in terms of
the necessary risk reduction, shall be speci-
fied for each safety function.
 5. SAFETY REQUIREMENTS ALLOCATION
The objectives of this stage are:
• to allocate the safety functions, contained in
the specification for the overall safety re-
quirements (both the safety functions re-
quirements and safety integrity require-
ments), to the designated electric/electronic/
programmable electronic (ElElPE) safety-
related systems, other technology safety-
related systems and external risk reduction
facilities;
• to allocate a safety integrity level to each
safety function.
The requirements for the realisation of the
above done objectives are:
• the designated safety-related systems that
are to be used to achieve the required func-
tional safety shall be specified;
• in allocating safety functions to the desig-
nated safety-related systems, the skills and
resources available during all phases of the
overall safety Iifecycle shall be considered;
• each safety function, with its associated
safety integrity requirements, shall be allo-
cated to the designated ElEIPE safety-
related system, taking into account the risk
reductions achieved by the other technology
safety-related systems and external risk re-
duction facilities, so the necessary risk re-
duction is achieved;
• the above presented allocation is iterative,
i.e. if it is found that the necessary risk re-
duction cannot be met, then the architecture
shall be modified and the allocation re-
peated;
• the allocation indicated above shall be done
in such a way that all safety functions are
allocated and the safety integrity require-
ments are met for each safety function;
• by allocation of safety functions, the great
care shall be done on the electromagnetic
compatibility (EMC) aspects, the book of
Gonshorek and Singer, as well as the paper
of Missala can be useful;
• the safety integrity requirements for each
safety functions shall be qualified according
tables 1 and 2;
• the allocation of the safety integrity require-
ments shall be carried out using appropriate
. techniques for the combination of probabili-
ties and shall take into account the possibil-
ity of common cause failures;
144
• the allocation shall take into account (IEC
61508-2,3,6), the sufficient diagnostic cov-
erage and the proper choosing of the pro-
gramming languages, e.g. language C is
recommended for the SIL 1 only, but ladder
language for all SIL 'so
6. OVERALL OPERATION AND MAINTE-
NANCE PLANNING
The objective of this step is to develop a plan
for operating and maintaining the E/E/PE
safety-related systems, to ensure that the re-
quired functional safety is maintained during
operation and maintenance. The plan shall
specify the following:
• the routine actions which need to be carried
out to maintain the required functional
safety of the E/E/PE safety-related systems;
• the actions and constrains that are neces-
sary to prevent an unsafe state, to reduce
the demands on E/E/PE safety-related sys-
tem, or reduce the consequences of the
hazardous events;
• the documentation which needs to be
maintained showing results of functional
safety audits and tests;
• the documentation which needs to be
maintained on hazardous incidents and all
incidents with the potential to create a haz-
ardous event;
• the scope of the maintenance activities;
• the action to be taken in the event of haz-
ards occurring;
• the contents of the chronological docu-
mentation of operation and maintenance
activities.
The routine maintenance activities which are
carried out to detect unrevealed faults should
be determined by a systematic analysis.
7. OVERALL SAFETY VALIDATION PLAN-
NING
The objective of this step is to develop a plan
to facilitate the overall safety validation of
E/ElPE safety-related systems. Validation it is
confirmation by examination and provision of
objective evidence that the particular require-
ments for a specific intended use are fulfilled.
The plan shall include the following:
• details of when the validation shall take
place;
• details of those who shall carry out the vali-
dation;
• specification of the relevant modes of proc-
ess operation with their relationship to the
 ElEIPE safety-related system, including
where applicable: preparation for use, start
up, teach, automatic, manual, semi-
automatic, steady state of operation, re-
setting, shut down, maintenance, reasona-
bly foreseeable abnormal conditions;
• specification of the ElEIPE safety-related
systems which need to be validated for
each mode of process operation before
commissioning commences;
• the technical strategy for the validation
(analytical methods, statistical tests, etc.);
• the measures, techniques and procedures
that shall be used for confirming that the
allocation of safety functions has been car-
ried out correctly - this shall include confir-
mation that each safety functions conforms
with the specification for the overall safety
functions requirements and to the specifica-
tion for the overall safety integrity require-
ments;
• specific reference to each element con-
tained in the specifications, discussed
above;
• the required environment in which the vali-
dation activities are to take place;
• the pass and fail criteria;
• the policies and procedures for evaluating
the results of the validation, particularly fail-
ures.
The more details about validation are in EN
954-2.
8. OVERALL INSTALLATION AND COM-
MISSIONING PLANNING
The objectives of this step are:
• to develop a planfor the installation of the
ElEIPE safety-related systems in a con-
trolled manner, to ensure that the required
functional safety is achieved;
• to develop a plan for the commissioning of
the ElEIPE safety-related systems in a con-
trolled manner, to ensure the required
functional safety is achieved.
The plan for the installation of the ElEIPE
safety-related systems shall contain:
• the installation schedule;
• persons responsible for different parts of
the installation;
• the procedures for the installation;
145
• the sequence in which the various elements
are integrated;
• the criteria for declaring all or parts of the
ElE.lPE safety-related systems ready for in-
stallation and for declaring installation ac-
tivities complete;
• procedures for the resolution of failures and
incompatibilities.
The plan for the commissioning of the ElEIPE
safety-related systems shall be develop by
specifying:
• the commissioning schedule;
• the persons responsible for different parts
of the commissioning;
• the procedure for the commissioning;
• the relationships to the different steps in the
installation;
• the relationships to the validation.
The overall installation and commissioning
planning shall be documented.
9. CONCLUSIONS
The pursuance according functional safety
methodology give the evidence, the process
control and/or surveillance system will be sat-
isfactory safe as well as its installation and
maintenance will not disturb this safety. Such a
evidence is a great advantage of the project.
REFERENCES
1. Gonschorek K.H, Singer H.: Elektro-
Magnetische Vertriigligkeit. Grundlagen,
Analysen, Maj3nahmen. B.G.Teubner,
Stuttgard, 1992.
2. Missala T.: EMC aspects in Functional
Safety. AUTOMAT10N'99. Industrial Re-
search Institute for automation and Meas-
urements, Warsaw, Poland, 1999 (in Pol-
ish).
3. IEC 1508-1:1998. - Functional safety of
electrical/ electronic/programmable elec-
tronic safety-related systems - Part 1: Gen-
eral requirements.
4. IEC 1508-2:2000. - Functional safety of
electrical! electronic/programmable elec-
tronic safety-related systems - Part 2: Re-
quirements for electrical/electronic/ pro-
grammable electronic safety-related sys-
tems.
5. lEG 1508-3: 1999. - Functional safety of
electrical/ electronic/programmable elec-
tronic safety- related systems - Part 3:
Software requirements.
6. lEG 1508-4: 1998. - Functional safety of
electrical/ electronic/programmable elec-
tronic safety-related systems - Part 4: Defi-
nitions and abbreviations.
7. lEG 1508-5: 1998. - Functional safety of
electrical/ electronic/programmable elec-
tronic safety-related systems - Part 5: Ex-
amples of methods for the determination of
safety integrity levels.
8. lEG 1508-6: 2000. - Functional safety of
electrical/ electronic/programmable elec-
tronic safety-related systems - Part 6:
Guidelines on the application of Parts 2 and
3.
9. lEG 1508-7: 2000. - Functional safety of
electrical/ electronic/programmable elec-
tronic safety related systems - Part 7:
Overview of techniques and measures.
10. EN 954-1: 1996 - Safety of machinery -
Safety-related parts of control systems -
Part 1: General principles for design
11. EN 954-2: 1999 - Safety of machinery -
Safety-related parts of control systems -
Part 2: Validation;
12. 11. EN 1050: 1996 - Safety of machinery -
Principles for risk assessment;
13. lEG 61069-1: 1991 -Industrial-process
measurement and control - Evaluation of
system properties for the purpose of system
assessment. Part 1: General considerations
and methodology.
14. lEG 61511-1 (65A1290/GD.) - Functional
safety instrumented systems for the proc-
ess industry sector - Part 1: General frame-
work, definitions system software and
hardware requirements.
15. lEG 61511-2 (65A1297/GD.) - Functional
safety instrumented systems for the proc-
ess industry sector - Part 2: Guidelines in
the application of Part 1.
16. lEG 61511-3 (65A1291/GD.) - Functional
safety instrumented systems for the proc-
ess industry sector - Part 3: Guidelines in
the application of hazard and risk analysis.

146