TÜV Rheinland Industrie Service GmbH
Automation - Software - Information Technology
The Global Centre of Excellence for Functional Safety
Product-independent Conditions and Restrictions


Specification of Safety Instrumented Loops

  • Specification based on the hazard analysis
      Safety functions, immediate safety states, process safety time (PST)
      Structure of each safety instrumented loop
      Independent control and protective structure of the plant automation
      Interaction of plant subsystems
      Consider a safety shutdown while the process is in start-up or in a controlled shutdown
      Specification of organisational measures (operation, inspection)
      Hazards to be covered under the full or major responsibility of the plant operator
  • Suitable Ex-protection
      Overvoltage, surge and other EMC protection
  • Observe the conditions of use specified by the manufacturer
      Example: Monitored threshold limits and leakage current of the digital I/O modules
      Electrical insulation provided by the I/O modules
      Specified environmental stress conditions
  • Current loop principle (de-energized to trip, 4-20mA)
      Signals should be dynamic, to the extent possible
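The following is an added example, not code from the TÜV page or from any certified system, of what "current loop principle, de-energized to trip" means in application logic: a 4-20 mA live-zero input is mapped to an engineering value, currents outside the healthy band are treated as a loop fault, and the final element stays energized only while the loop is healthy and the value is below the trip limit. The fault bands (below 3.6 mA and above 21.0 mA) follow the NAMUR NE 43 convention and are an assumption here, as are the measuring range, trip limit and sample currents.

```python
# Added example (not from the TUV page): evaluating a 4-20 mA live-zero loop
# on a de-energized-to-trip output. The fault bands (below 3.6 mA = wire break
# or transmitter failure, above 21.0 mA = short circuit or transmitter failure)
# follow the NAMUR NE 43 convention and are an assumption here, as are the
# engineering range, trip limit and sample currents used below.
from dataclasses import dataclass
from typing import Optional

I_LOW_FAULT_MA = 3.6    # anything below: loop open / transmitter fault
I_HIGH_FAULT_MA = 21.0  # anything above: loop shorted / transmitter fault
I_ZERO_MA = 4.0         # live zero: 0 % of the measuring range
I_SPAN_MA = 16.0        # 4..20 mA covers the full measuring range


@dataclass(frozen=True)
class LoopReading:
    status: str               # "ok", "underrange" or "overrange"
    value: Optional[float]    # engineering value, None when the loop is faulted


def evaluate_loop(current_ma: float, range_lo: float, range_hi: float) -> LoopReading:
    """Convert a loop current to an engineering value, or flag a loop fault.

    Because a healthy signal never goes below 4 mA, a broken wire (0 mA) or a
    dead transmitter is distinguishable from a genuine 0 % reading."""
    if current_ma < I_LOW_FAULT_MA:
        return LoopReading("underrange", None)
    if current_ma > I_HIGH_FAULT_MA:
        return LoopReading("overrange", None)
    fraction = (current_ma - I_ZERO_MA) / I_SPAN_MA
    return LoopReading("ok", range_lo + fraction * (range_hi - range_lo))


def output_energized(reading: LoopReading, trip_limit: float) -> bool:
    """De-energized to trip: the final element stays energized only while the
    loop is healthy AND the measured value is below the trip limit. Every
    fault, and every value the logic cannot trust, removes the energy."""
    return reading.status == "ok" and reading.value is not None and reading.value < trip_limit


def demo():
    """Constructed sample currents for a 0..100 % level transmitter, trip at 80 %."""
    samples = {"normal": 12.0, "high_level": 19.2, "wire_break": 0.0, "short_circuit": 24.0}
    return {name: output_energized(evaluate_loop(ma, 0.0, 100.0), 80.0)
            for name, ma in samples.items()}
```

Note what this check cannot see: a transmitter frozen at a plausible 12 mA looks healthy forever. That is the reason behind the "signals should be dynamic" requirement above; a static healthy signal needs a periodic proof test or a dynamic test pulse to reveal a stuck channel.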

Configuration of Safety Instrumented System

  • Follow the system documentation incl. safety manual
      Follow the conditions and restrictions stated in the TÜV report to the certificate
  • Configuration based on the specification of the safety functions
      Check by a competent and independent person (four-eyes principle)
  • Separate safety-related and non-safety-related programs and data
      Highlight the safety-related paths and data in the logic diagrams and parameter lists
  • Configuration with the delivered safety engineering tools only
  • Specify the safety-related configuration
      I/O configuration, process safety time (PST), SIL, max. cycle time
      System reaction to internal failures and failures of the periphery
      Application-specific handling of discrepancies between redundant inputs
  • Select a system structure suitable for the required availability, SIL and PST
      (certified systems provide increased availability, but rare software and hardware
       failures can still lead to a complete shutdown)
      Time limitation of degraded operation
  • Only certified safety-related modules for safety functions
      Interference-free modules ("rückwirkungsfrei") for non-safety-related functions
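The "application-specific handling of discrepancies between redundant inputs" item above is usually implemented as a discrepancy time: the two channels of a 1oo2 input may disagree briefly (contact bounce, slightly different switching points) but a disagreement that outlasts the configured time is a channel or wiring fault. The following is an added example of such a monitor, written for this page and not taken from any vendor's certified function block; the 500 ms discrepancy time, the 100 ms cycle and the reset policy are assumptions.

```python
# Added example (not a vendor's certified function block): application-level
# discrepancy monitoring of two redundant digital inputs wired energized-to-run.
# The discrepancy time, cycle time and reset policy are assumptions.


class DiscrepancyMonitor:
    """1oo2 evaluation of two channels that are expected to agree.

    A demand (either channel de-energized) acts immediately, so the discrepancy
    check never delays a trip. If the channels disagree for longer than
    `discrepancy_time_ms`, a channel or wiring fault is assumed and latched;
    the latch is cleared only by an explicit reset while both channels agree."""

    def __init__(self, discrepancy_time_ms: int):
        self.discrepancy_time_ms = discrepancy_time_ms
        self.discrepant_for_ms = 0
        self.fault = False

    def evaluate(self, ch_a: bool, ch_b: bool, cycle_ms: int) -> bool:
        """Run once per application cycle; True means the output may stay energized."""
        if ch_a != ch_b:
            self.discrepant_for_ms += cycle_ms
            if self.discrepant_for_ms > self.discrepancy_time_ms:
                self.fault = True            # latched until reset()
        else:
            self.discrepant_for_ms = 0
        # 1oo2: one de-energized channel is enough to de-energize the output
        return ch_a and ch_b and not self.fault

    def reset(self, ch_a: bool, ch_b: bool) -> bool:
        """Operator reset; accepted only while the channels currently agree."""
        if ch_a == ch_b:
            self.fault = False
            self.discrepant_for_ms = 0
        return not self.fault


def run_scenario(pairs, discrepancy_time_ms=500, cycle_ms=100):
    """Feed constructed (ch_a, ch_b) samples, one per application cycle.
    Returns the per-cycle output and whether a discrepancy fault was latched."""
    mon = DiscrepancyMonitor(discrepancy_time_ms)
    outputs = [mon.evaluate(a, b, cycle_ms) for a, b in pairs]
    return outputs, mon.fault
```

Two design points worth noticing: the demand path does not wait for the discrepancy timer, and the fault is latched rather than clearing itself when the channels happen to agree again, so an intermittent wiring fault stays visible to the operator.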

Communication

  • Safety-related communication is currently only supported between systems of the same
      family; vendor-independent safety bus specifications are currently under certification
      Communication with other non-safety-related systems can be made safe only by
      additional measures in the application program
      Access control for external communication partners (examples: engineering work
      station and DCS)
  • Communication adds to the safety-related reaction time
      Specify and configure time limit for the monitoring of the communication
      Unfavourable communication structures and parameters may reduce the plant
      availability
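The "additional measures in the application program" and the communication time limit above are typically a sequence number, an integrity check and a watchdog on the receiving side: a telegram is accepted only if it is intact, is the one expected next, and arrives before the watchdog expires; otherwise the receiver substitutes safe values. The following is an added example of such a receiver, written for this page; the frame layout (16-bit sequence number, payload, CRC-32), the 300 ms watchdog and the latched safe state are assumptions for illustration and not any certified safety bus profile.

```python
# Added example (not a certified safety bus profile): receiver-side monitoring
# of safety-related telegrams from another system. Frame layout (16-bit
# sequence number + payload + CRC-32), watchdog time and the latched safe
# state are assumptions for illustration.
import struct
import zlib


def build_frame(seq: int, payload: bytes) -> bytes:
    """Sender side: sequence number, payload, CRC-32 over both."""
    body = struct.pack(">H", seq & 0xFFFF) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class SafetyReceiver:
    """Accepts telegrams only if they are intact, in sequence and in time.

    Any violation puts the receiver into the safe state: the last payload is
    discarded and substitute values (here: None) are handed to the logic.
    The safe state is latched until reset() is called, so a transient
    communication problem cannot silently clear itself."""

    def __init__(self, watchdog_ms: int, start_ms: int = 0):
        self.watchdog_ms = watchdog_ms
        self.expected_seq = 0
        self.last_good_ms = start_ms
        self.safe_state = False
        self.payload = None

    def receive(self, frame: bytes, now_ms: int):
        """Validate one incoming frame. Returns the payload, or None (safe state)."""
        if self.safe_state or len(frame) < 6:
            return self._fail()
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return self._fail()                     # corrupted on the way
        seq = struct.unpack(">H", body[:2])[0]
        if seq != self.expected_seq:
            return self._fail()                     # lost, repeated or reordered
        if now_ms - self.last_good_ms > self.watchdog_ms:
            return self._fail()                     # arrived, but too late
        self.expected_seq = (seq + 1) & 0xFFFF
        self.last_good_ms = now_ms
        self.payload = body[2:]
        return self.payload

    def tick(self, now_ms: int) -> bool:
        """Run every application cycle, also when nothing arrives.
        Returns True while communication is considered healthy."""
        if now_ms - self.last_good_ms > self.watchdog_ms:
            self._fail()
        return not self.safe_state

    def reset(self, now_ms: int):
        """Operator reset after the cause has been found. Assumes the sender
        restarts its sequence at 0 as well; a real protocol negotiates this."""
        self.safe_state = False
        self.expected_seq = 0
        self.last_good_ms = now_ms

    def _fail(self):
        self.safe_state = True
        self.payload = None
        return None
```

The watchdog value is where "communication adds to the safety-related reaction time" shows up: in the worst case the receiver only learns of a problem when the watchdog expires, so the sender cycle, the transmission time, the watchdog and the receiver cycle all add up to the reaction time that must fit inside the process safety time. A short watchdog shortens that time but, as the page notes, also makes ordinary network delay trip the plant.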

Application Programming

  • Program based on logic diagrams or cause + effect matrices only
  • Program with the delivered safety engineering tools only
      (if no safety engineering tools exist, each path must be fully tested)
  • Avoid instruction lists / mnemonics
      Use function block diagrams, cause + effect matrix or sequential function charts
  • Use proven-in-use or pre-tested function blocks
      Maintain a library of such blocks
  • Keep the reaction time of the application program constant
      Test the maximum system reaction time for all external events
  • Test the re-start after power failure in all operating modes
  • Check modifications always with the certified revision comparator
  • Check during commissioning that the compiled configuration loaded in the safety
    instrumented system and the configuration theoretically checked previously are equal
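The last two items above (check modifications with the revision comparator; check at commissioning that what is loaded equals what was reviewed) are integrity checks on the safety configuration itself. The following is an added example of how such a check can be done independently of the engineering tool, written for this page and not a vendor's revision comparator: a canonical fingerprint of the reviewed and the read-back configuration decides whether they are identical, and a path-by-path comparison lists the differences, with those on safety-related paths listed separately. The configuration layout, the set of safety-related parameters and the sample values are constructed.

```python
# Added example (not a vendor's revision comparator): checking that the
# configuration loaded in the safety instrumented system is the one that was
# reviewed, and listing what changed if it is not. The configuration layout,
# the set of safety-related parameters and the sample values are constructed.
import hashlib
import json


def flatten(config: dict, prefix: str = "") -> dict:
    """Nested dict -> {"io.DI1.pst_ms": 500, ...} so paths can be compared by name."""
    flat = {}
    for key, value in config.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def fingerprint(config: dict) -> str:
    """SHA-256 over a canonical serialization, so two configurations that are
    equal in content hash equally regardless of key order or whitespace."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def compare_revisions(checked: dict, loaded: dict, safety_related: set) -> dict:
    """Report every differing path, and separately those marked safety-related."""
    a, b = flatten(checked), flatten(loaded)
    changed = {p: (a.get(p), b.get(p))
               for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)}
    return {
        "identical": fingerprint(checked) == fingerprint(loaded),
        "changed": changed,
        "safety_related_changed": [p for p in changed if p in safety_related],
    }


# Constructed sample: the reviewed revision, and what was read back from the PES.
CHECKED = {"sil": 3, "pst_ms": 2000,
           "io": {"DI1": {"pst_ms": 500, "type": "namur"}, "AI1": {"trip_pct": 80.0}},
           "comment": "rev A"}
LOADED = {"sil": 3, "pst_ms": 2000,
          "io": {"DI1": {"pst_ms": 800, "type": "namur"}, "AI1": {"trip_pct": 80.0}},
          "comment": "rev A1"}
SAFETY_RELATED = {"sil", "pst_ms", "io.DI1.pst_ms", "io.AI1.trip_pct"}


def commissioning_check():
    """Returns the comparison of the reviewed against the loaded configuration."""
    return compare_revisions(CHECKED, LOADED, SAFETY_RELATED)
```

The point of the separate list is the "highlight the safety-related paths" item earlier on the page: a changed comment is a documentation issue, a changed input process safety time is a reason not to sign the commissioning record. The fingerprint should be computed from what is read back from the PES, not from the tool's project file, since the question being asked is what actually runs.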

Operation and Modifications

  • Safety-relevant fault reactions that only lead to signalling are permitted only under
      supervised operation (the operator must have enough information and time to react)
  • Maintenance override requires guidelines specified by the plant operator
      The plant operator must nevertheless receive sufficient information about the safety
      status of the plant; see the document "Maintenance Override"
  • Hazards associated with on-line modifications
      On-line modifications reduce safety by their nature. Full functional testing should be
      done on a simulator or at a similar plant.

Timing restriction after degradation

  • The generic standards (IEC 61508, and DIN V 19250 together with DIN V VDE 0801) give no exact figures or guidelines for how long a system may continue to operate once a fault has been detected and the system structure has been degraded as a result of that fault.
  • For ESD applications in which a system classified by requirement class (AK) according to DIN V 19250 is used, only supervised operation should be possible after reaching single-channel mode. On-line repair is possible. If the system is not repaired, single-channel operation is permitted for at most:
    - AK 5: shutdown after a maximum of 72 hours of supervised operation in single-channel mode
    - AK 6: shutdown after a maximum of 1 hour of supervised operation in single-channel mode
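The "time limitation of degraded operation" item in the configuration section and the AK 5 / AK 6 figures above amount to a repair timer that the application or the system itself has to keep. The following is an added example of such a timer, written for this page and not the logic of any certified system: it uses only the two figures the page gives (72 h for AK 5, 1 h for AK 6), treats single-channel running as supervised operation with the timer running, clears the timer on repair, and latches a shutdown once the time is up or no channel is left. The two-channel structure and the latching policy are assumptions.

```python
# Added example (structure is an assumption, not a certified system's logic):
# limiting single-channel operation after a detected channel fault, using the
# AK 5 and AK 6 figures given on this page (72 h and 1 h of supervised
# operation). Only those two classes get a limit; any other class is rejected.

MAX_DEGRADED_S = {5: 72 * 3600, 6: 1 * 3600}


class DegradationTimer:
    """Tracks a two-channel safety system after one channel has failed.

    States: 'normal' (both channels healthy), 'degraded' (one channel left,
    supervised operation only, repair timer running) and 'shutdown' (timer
    expired or no channel left). Shutdown is latched; a later repair does not
    clear it, the plant has to be restarted deliberately."""

    def __init__(self, ak: int):
        if ak not in MAX_DEGRADED_S:
            raise ValueError(f"no degraded-operation limit defined here for AK {ak}")
        self.limit_s = MAX_DEGRADED_S[ak]
        self.degraded_since = None
        self.shutdown = False

    def update(self, healthy_channels: int, now_s: float) -> str:
        """Run every cycle with the number of channels currently diagnosed healthy."""
        if self.shutdown or healthy_channels <= 0:
            self.shutdown = True
            return "shutdown"
        if healthy_channels >= 2:
            self.degraded_since = None          # repaired: timer cleared
            return "normal"
        if self.degraded_since is None:
            self.degraded_since = now_s         # first cycle in single-channel mode
        if now_s - self.degraded_since > self.limit_s:
            self.shutdown = True                # repair time exhausted
            return "shutdown"
        return "degraded"

    def remaining_s(self, now_s: float):
        """Time left for on-line repair; None when not in degraded operation."""
        if self.degraded_since is None or self.shutdown:
            return None
        return max(0.0, self.limit_s - (now_s - self.degraded_since))
```

`remaining_s` is what the operator display should show while the state is "degraded": the page's requirement that degraded running be supervised only makes sense if the operator knows how much repair time is left before the forced shutdown.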
