TÜV SÜD
Functional safety for a digital world
Smart solutions from chip design to whole system design
White paper

Abstract
As digitalisation and automation progress, electrical, electronic or programmable electronic systems (E/E/PES) are used increasingly in safety applications. Growing complexity and connectivity bring new requirements for the functional safety of systems and power plant technology, with previously separate applications growing closer together. Given this, interdisciplinary expertise is increasingly important to ensure the safety and dependability of systems. As a result, new applications of functional safety are emerging, such as collaborative robots which work hand in hand with humans. These trends are also reflected at standardisation level: current standards provide starting points for implementing the new demands when realising safety requirements. This TÜV SÜD white paper summarises the current trends and challenges and provides an overview of the opportunities offered by functional safety. Third-party audits and testing throughout the design and development phases play a critical role across all applications. This topic will be of interest to manufacturers of systems, components and machines, and to the owners or managers of industrial plants and infrastructure.

Contents
1 Introduction 3
2 Trends and challenges in functional safety 4
  Modern semiconductors with safety features 4
  Stricter requirements: an opportunity for the medical-device industry 5
  Machine industry: A paradigm shift in protection strategy 6
  Lifting devices for highest demands in nuclear engineering 7
  Revised standards for combustion systems 8
  Safety instrumented systems in the process industry 9
  Continuously improved signalling systems for the rail industry 10
  Industrial IT security in plant engineering 11
  Functional safety as a management responsibility 12
3 Conclusion 13

1. Introduction
The tradition of functional safety dates back to the 1970s, when an uncontrolled reaction from overheating caused a major dioxin leak at the Seveso chemical plant in the north of Italy in 1976. This event led to stricter industrial safety regulations that formed the basis for international standards. Functional safety has become a critically important issue across all areas of industry, from transportation, healthcare and medical devices to the design of power plants or amusement parks and rides. As a result, manufacturers and operators place top priority on the quality and safety of products and plants in order to protect people, property and the environment against technology-related risk.

As new applications develop and become increasingly interconnected, the landscape of standardisation is changing. An excellent example of this is the field of collaborative robotics, in which man and machine work hand in hand. This innovative field requires a holistic approach to functional safety, emphasising the need for expertise and years of experience in both application-specific and generic systems. Other projects require expertise in various application fields across all project phases, from design and development to manufacturing and installation, testing, certification, placing into service and decommissioning. Given this, testing and certification organisations need to provide holistic and international services that enable them to offer owners, managers and manufacturers one-stop multi-disciplinary support and comprehensive assistance with international approval services.
2. Trends and challenges in functional safety

Modern semiconductors with safety features
The main requirement for complex semiconductors used in functionally safe embedded systems is a high degree of miniaturisation, with the goal of reducing area and cost. Furthermore, modern design requires compatibility, reusability and embedded safety features. This leads to microcontrollers (µCs), FPGAs and ASICs with safety mechanisms already implemented on-chip, such as lockstep architectures or memory integrity measures. The challenges in this domain are short innovation cycles, a high degree of design complexity and increasing integration density. These aspects have a massive impact on the assessment of the functional safety of such devices. For example, new fault models caused by new technologies have to be considered. Especially for systems-on-chip (SoC), dependent faults have to be evaluated. Already known failure modes such as transient faults take on increased relevance as structures become smaller. In addition, adequate verification approaches showing the effectiveness of safety measures have to be developed. Due to the massively increasing complexity, a high-quality development and lifecycle process is required to ensure a low level of systematic faults. Finally, great care has to be taken when generating the user documentation with respect to completeness for system integration. Therefore, the generic normative requirements have to be interpreted and extended based on the current state of the art and the specific technology. The assessment of design and manufacturing processes is another key factor in avoiding the consequences of systematic faults. In addition, the users of semiconductor components need informative and complete documentation to realise safe and straightforward system design. All these demands require comprehensive expertise.

“Challenges in the field of semiconductors are short innovation cycles and increasing integration density. Ensuring that standards reflect the state of the art is one of these challenges.”
Matthias Ramold, Global Head Functional Safety, TÜV SÜD Rail

Stricter requirements: an opportunity for the medical-device industry
Medical devices are among the most heavily regulated products in the world. Faults can have serious consequences for patients and users. In contrast to most other safety-relevant sectors of industry, there is no explicit definition of functional safety for medical devices. Nevertheless, regulations and standards lay down a number of requirements that can only be fulfilled by applying the principles and methods of functional safety. These can be found in the relevant standards on electrical safety and software, including IEC 60601-1 “Medical electrical equipment, Part 1: General requirements for basic safety and essential performance”, the application-specific particular standards, and the software standard IEC 62304 “Medical device software: Software life cycle processes”. The standards require hazards to be assessed with patients and users in mind. This concerns the function of a medical device or the software that controls the medical device, respectively. For high-risk devices, the regulations and standards require specific safety systems that keep the probability of a fault or the severity of its consequences to a minimum. These systems are protected against faults with the help of functional safety methods. Medical engineering also increasingly relies on systems controlled and monitored by microprocessors and software. Digitalisation and connectivity not only raise the significance of functional safety; they also offer economic opportunities. Safe product design, early avoidance of conformity-related problems, fewer product recalls and shorter time to market are only some examples of the potential offered.

“Functional safety benefits not only patients and users. Manufacturers also avoid conformity-related problems and benefit from shorter time to market.”
Dr Royth von Hahn, TÜV SÜD Product Service
Machine industry: A paradigm shift in protection strategy
In the machine industry, the significance of functional safety has increased continuously. In this sector, the focus of interest has always been the safety of operating and maintenance staff. The other goal has been to minimise the costs of operation and of servicing or maintenance. Consequently, machine manufacturing and operation are subject to a host of regulations and requirements. Machinery manufacturers must show compliance with the European Machinery Directive 2006/42/EC. The harmonised standards EN ISO 13849 (Parts 1 and 2) and EN 62061 can be used to reach this compliance in the field of functional safety. In recent years, the requirements imposed on machines and machine systems have grown more comprehensive and complex, a trend that is again the result of advancing digitalisation and the increased use of electrical, electronic or programmable electronic systems (E/E/PES). These technologies have contributed significantly to greater efficiency and a higher degree of automation, and also to improved operability and profitability. The safety systems must be aligned to these more versatile and more complex applications. In the past, dangerous movements of machines were, for example, reliably stopped when one of the monitored access doors in the safety fence was opened. A paradigm shift is underway, away from prevention of access and the reliable shutdown of machines towards the reliable detection of people and continued operation. Due to this trend, both the possible damage events and the safety-related parts of control systems have become more complex. One example is the collaboration of man and machine, which offers enormous potential for improving efficiency.

“Mechanical engineering is undergoing a paradigm shift: where machines used to be operated behind safety fences in the past, collaboration is now possible.”
Christian Eberle, TÜV SÜD Industrie Service

Lifting devices for highest demands in nuclear engineering
The demands that functional safety makes on lifting and material-handling equipment depend on various factors, including their specific use. In conventional sectors of industry, safety-related requirements follow from the EU Machinery Directive 2006/42/EC. These requirements are complemented by the rules of the German Social Accident Insurance (DGUV), in particular DGUV Regulation 52 “Cranes” (previously BGV D 6). Lifting equipment used for safety-relevant material handling in nuclear power stations is based on nuclear safety standards, such as KTA 3902 “Design of lifting equipment in nuclear power plants”. In principle, the requirements of this standard build on conventional standards, in particular ISO 13849. KTA 3902 includes requirements that go beyond the provisions of this conventional standard, including a list of all necessary safety functions of a lifting device and the required performance level (PL) according to ISO 13849-1. In this context, the PLs established for the individual safety functions depend on the risk involved and the potential extent of radioactive release in case of an assumed functional failure. ISO 13849 thus defines the basic requirements to be applied in nuclear engineering for measures to identify and control random faults. However, the measures to prevent systematic faults or common-cause failures required by ISO 13849 refer only to quality assurance and aim at preventing certain faults in design, development and manufacturing. They do not in all cases satisfy the deterministic design principles of nuclear engineering. There, individual safety functions may have higher safety-related significance, as their failure may result in a violation of nuclear safety targets. According to KTA 3902, these functions require two redundant and dissimilar safety devices to ensure reliable control of systematic faults. In this context, at least one of the two safety devices must comply with PL e (or SIL 3, as applicable); for the second safety device, PL c is sufficient. In practice, this requirement is fulfilled by using two control systems made by different manufacturers. In addition, different principles of measurement are used for determining the conditions of the lifting equipment that are subject to monitoring.

“Deterministic design principles in nuclear engineering require dissimilar redundant systems and various principles of measurement.”
Cornelia Bühler, TÜV SÜD Industrie Service
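As an added worked example for this section (not code from the white paper, nor from KTA 3902 or ISO 13849-1 themselves), the following Python implements the ISO 13849-1 Annex A risk graph that yields the required performance level of a safety function, and a check of the two-device pattern described above: two dissimilar safety devices, one of them PL e and the other at least PL c, from different manufacturers and using different measurement principles. The hazard parameters, vendor names, measurement principles and the 1oo2 overload-trip logic at the end are constructed assumptions for illustration, not values taken from the standards.

```python
"""Added example: ISO 13849-1 risk graph (PLr) and a check of the KTA 3902
dissimilar-redundancy pattern described in the text. Names, vendors,
measurement principles and the trip logic are constructed assumptions."""
from dataclasses import dataclass

# ISO 13849-1 Annex A risk graph.
# S1: slight (normally reversible) injury; S2: serious (irreversible) injury or death.
# F1: seldom to less often and/or short exposure; F2: frequent to continuous and/or long.
# P1: avoiding the hazard is possible under specific conditions; P2: scarcely possible.
_RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}
_PL_ORDER = "abcde"  # PL a is the lowest level, PL e the highest


def required_pl(severity: str, frequency: str, possibility: str) -> str:
    """Return the required performance level PLr ('a'..'e') for one hazard."""
    key = (severity.upper(), frequency.upper(), possibility.upper())
    if key not in _RISK_GRAPH:
        raise ValueError(f"invalid risk-graph parameters {key}")
    return _RISK_GRAPH[key]


def pl_at_least(pl: str, minimum: str) -> bool:
    """True if performance level `pl` is equal to or higher than `minimum`."""
    return _PL_ORDER.index(pl) >= _PL_ORDER.index(minimum)


@dataclass(frozen=True)
class SafetyDevice:
    manufacturer: str           # assumed attribute for the "different manufacturers" rule
    measurement_principle: str  # e.g. "load cell" vs "motor current" (constructed examples)
    pl: str                     # PL achieved by this device, 'a'..'e'


def check_kta3902_redundancy(devices: list[SafetyDevice]) -> tuple[bool, list[str]]:
    """Check the pattern the text describes for safety functions with high
    safety significance. Returns (ok, list of violated rules)."""
    problems = []
    if len(devices) != 2:
        return False, ["exactly two redundant safety devices are required"]
    a, b = devices
    if a.manufacturer == b.manufacturer:
        problems.append("both devices from the same manufacturer (not dissimilar)")
    if a.measurement_principle == b.measurement_principle:
        problems.append("both devices use the same measurement principle")
    lower, higher = sorted((a.pl, b.pl), key=_PL_ORDER.index)
    if higher != "e":
        problems.append("neither device reaches PL e (SIL 3)")
    if not pl_at_least(lower, "c"):
        problems.append("second device is below PL c")
    return not problems, problems


def overload_stop(load_cell_kn: float, motor_current_a: float,
                  rated_load_kn: float, kn_per_ampere: float) -> tuple[bool, dict]:
    """Constructed 1oo2 overload-trip logic: channel A measures the hoist load
    directly (load cell), channel B estimates it from hoist motor current.
    Either channel detecting an overload demands a stop, so a single failed
    channel cannot mask an overload that the other channel sees."""
    channel_a = load_cell_kn > rated_load_kn
    channel_b = motor_current_a * kn_per_ampere > rated_load_kn
    return channel_a or channel_b, {"load_cell": channel_a, "motor_current": channel_b}


if __name__ == "__main__":
    # Constructed hazard: dropping a heavy radioactive load (S2), handled
    # frequently (F2), consequences cannot be avoided (P2) -> PLr e.
    print("PLr:", required_pl("S2", "F2", "P2"))
    good = [SafetyDevice("vendor A", "load cell", "e"),
            SafetyDevice("vendor B", "motor current", "c")]
    bad = [SafetyDevice("vendor A", "load cell", "d"),
           SafetyDevice("vendor A", "load cell", "c")]
    print(check_kta3902_redundancy(good))
    print(check_kta3902_redundancy(bad))
    print(overload_stop(100.0, 30.0, rated_load_kn=120.0, kn_per_ampere=5.0))
```

The two checks are deliberately separate: the risk graph answers how much integrity a single safety function needs, while the redundancy check enforces the deterministic rule the text attributes to KTA 3902 regardless of the PLr that the risk graph would yield.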
Revised standards for combustion systems
Industrial combustion systems, such as thermal process plants, are designed and manufactured to match their specific applications. Functional safety systems are used to monitor combustion processes and prevent critical plant conditions. Decades of experience in the realisation of safety functions by means of hard-wired circuits combined with qualified safety devices and equipment are available, ensuring sufficient control of the fault models defined in the relevant technical standards. There has been a rise in the percentage of combustion systems using sensors and actuators that are approved for SIL- or PL-classified safety functions, with the circuitry implemented in a freely programmable safety controller. The design of these safety systems requires a systematic approach in order to reach and verify the safety integrity level of the specific application. This requires expertise in functional safety, but also familiarity with process-engineering processes and their behaviour, in particular with respect to the existing operating conditions and the fault tolerance time. Current standards pursue the approach of evaluating the application-specific design of a safety function, taking into account the strategy used. Examples include EN 746-2 for combustion and fuel-handling systems and its counterpart, the recently published international standard ISO 13577-2, in conjunction with ISO 13577-4. EN 50156-1 on the electrical equipment for furnaces provides for a similar approach, in which safety devices and subsystems must comply with EN 50156-2. This gives plant manufacturers, owners and managers the possibility to design safety functions with hard-wired safety devices and equipment that are approved and qualified according to technical standards. However, they can also choose to use freely programmable safety instrumented systems with sensors and actuators. Within the framework defined by the relevant specialist standards, these two options allow stakeholders to find the best possible solution for the realisation of safety functions.

“There are various ways of implementing functional safety requirements for manufacturers, owners and managers of industrial combustion systems.”
Johannes Steiglechner, TÜV SÜD Industrie Service

Safety instrumented systems in the process industry
thereby significantly reducing the technical efforts and costs of ensuring safe discharge of vessel contents. In step one of this improvement, the experts define possible damage events an