Olaf Winne, Hans-Jürgen Altendorf
Transcript of a presentation by Olaf Winne and Hans-Jürgen Altendorf
LAMTEC Meß- und Regeltechnik für Feuerungen GmbH & Co. KG 1
Current standards situation and modifications
Olaf Winne, Hans-Jürgen Altendorf
Standard structure
Standard task | International status | European status | National status / law
International standard | ISO standard, IEC standard | EN ISO standard, EN IEC standard | DIN EN ISO standard, DIN EN IEC standard
European standard | - | EN standard | DIN EN standard
National standard | - | - | DIN standard
Standard structure
• Experts represent their own professional opinion and, if possible, the national opinion
• Delegates represent the national opinion in technical committees
Mirroring in DIN: NHRS 041-03 FB (NHRS in DIN e.V.)
• Mirror committee for CEN/TC 58, CEN/TC 58/WG 11, ISO/TC 161
• Mirror committee for CEN/TC 58/WG 13, ISO/TC 161/WG 3, ISO/TC 161/WG 4
• Mirror committee for CEN/TC 47/WG 2, CEN/TC 58/WG 12, CEN/TC 58/WG 14, CEN/TC 247/WG, CLC/TC 72 (control units)
Committee was integrated in NA 041-03-31 GA
Standard structure
• The number of European standards increased steadily during the past years, replacing national standards
[Chart: European standards per year and share of mandated standards; y-axis: number of standards]
• The share of standards with a mandate of the EU Commission increases (for mandated standards, the EU Commission checks the standard's conformity with the directives)
Relevant standards and terms of reference
Safety aspects covered:
• Defined safety functions: EN 298 + application
• Avoidance of systematic faults and failures in hardware and software
• Identification and control of random hardware failures during operation
• Architecture (failure tolerance / redundancy)
Standards: EN 298, EN 60730-1 (4th ed.), EN 60730-2-5, EN 13611
IEC 61508 : 2010 (Ed. 2.0)
Changes & Modifications
Overview of the parts of IEC 61508 (clause references refer to Part 1 unless stated otherwise):
• Part 1: Development of the overall safety requirements (concept, scope, hazard and risk analysis) for the complete system [7.1 to 7.5]
• Part 1: Safety requirements for the safety-related E/E/PE system [7.6]
• Part 1: Installation, commissioning and safety validation of the safety-related E/E/PES [7.13 and 7.14]
• Part 1: Operation and maintenance, modification, decommissioning (shutdown) of the safety-related E/E/PES [7.15 to 7.17]
• Part 1: Documentation (Chapter 5 and Annex A)
• Part 1: Management of functional safety (FSM) (Chapter 6)
• Part 1: Assessment of functional safety (Chapter 8)
• Part 2: Realisation phase for the safety-related E/E/PE system
• Part 3: Realisation phase for the safety-related software
• Part 4: Definitions and abbreviations
• Part 5: Risk-based approaches for the development of safety integrity requirements
• Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
• Part 7: Overview of techniques and measures
Parts 1 to 3 contain the technical requirements; Parts 4 to 7 contain the other requirements.
IEC 61508 : 2010 (Ed. 2.0)
Realisation phase of the E/E/PES and the application ranges of Parts 2 and 3:
Application range of Part 2 (hardware / system):
• Specification of the E/E/PES safety requirements
• E/E/PES architecture
• Specification of the hardware safety requirements
• Design and development of the programmable electronics (hardware of the programmable electronics) and of the non-programmable hardware
• Integration of the programmable electronics (hardware and software)
• E/E/PES integration
Application range of Part 3 (software):
• Software safety requirements
• Software design and development
• Integration of the programmable electronics (hardware and software)
IEC 61508 : 2010 (Ed. 2.0)
General requirements
• More stringent requirements for functional safety management (FSM) and the monitoring of FSM activities (also for subcontractors and suppliers)
• Persons involved in FSM shall have expert knowledge (documentation required: CV, certificates, education level)
• During hazard and risk analyses, security issues shall be handled, too (malevolent or unauthorised behaviour, foreseeable misuse)
• Even if the EUC has "only" SIL 1, the complete set of requirements of this standard has to be fulfilled
IEC 61508-1: 2010 (Ed. 2.0)
Requirements for electrical / electronic / programmable
electronic safety-related systems
• The system may be split into elements, each with its own level of "systematic capability" (1, 2 or 3)
• Methods to be used to achieve the hardware safety integrity constraints:
  * Existing: based on the hardware fault tolerance and safe failure fraction concepts (Route 1H)
  * Additional: based on component reliability data from end-user feedback (Route 2H)
  REMARK: the definition is vague; according to TÜV this is not simply applicable
IEC 61508-2: 2010 (Ed. 2.0)
Requirements for electrical / electronic / programmable electronic safety-related systems (continued)
• Avoidance of systematic faults in ASIC design
• "Compliant items" which shall be used for the product need to have a "safety manual"
• New and more stringent requirements for diagnostics implemented to detect random failures
• The claimed safety performance has to be supported by sufficient evidence
IEC 61508-2: 2010 (Ed. 2.0)
Software requirements
• Safety-related communication shall be part of the software safety requirements
• Foreseeable misuse shall be considered during requirement specification and validation planning
• Safety requirements shall contain details about:
  • configuration data
  • operational parameters
  • data exchange
IEC 61508-3: 2010 (Ed. 2.0)
Software requirements (continued)
• Online support tools (influencing the safety-related system during run-time) shall be treated as an element of the safety function
• Offline support tools (e.g. compiler) shall be selected as a coherent part of the software development activities
• Offline tools have to be classified (class T1 to T3); their selection shall be justified
• T3-classified tools (e.g. compiler) shall be validated and "proven in use"
• Assessment of code generation tools is required
• Configuration management shall include tool version management (including the tool parameters, options and scripts selected)
IEC 61508-3: 2010 (Ed. 2.0)
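The tool requirements above can be enforced mechanically at build time. The following is an added example (not code from the slides or from LAMTEC) of a baseline check in the spirit of IEC 61508-3: every offline tool is recorded with its class, version, options and the hash of each script it used, a T3 tool without validation evidence is flagged, and any drift from the baselined configuration is reported. The tool names, versions, options, script contents and evidence references are constructed sample data.

```python
"""Added example, not from the LAMTEC slides: a baseline check on offline
support tools in the spirit of IEC 61508-3 (tool classes T1-T3, validation
evidence for T3 tools, and configuration management of tool versions,
options and scripts).  All tool names, versions, options, script contents
and evidence references below are constructed sample data."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ToolRecord:
    name: str
    tool_class: str                  # "T1", "T2" or "T3"
    version: str                     # version string as reported by the tool
    options: Tuple[str, ...]         # command-line options used in the build
    script_sha256: Dict[str, str]    # script file name -> SHA-256 of its content
    validation_ref: Optional[str] = None   # validation / proven-in-use evidence


def make_record(name, tool_class, version, options, scripts, validation_ref=None):
    """Build a ToolRecord; script hashes are computed from the script bytes."""
    digests = {fn: hashlib.sha256(body).hexdigest() for fn, body in scripts.items()}
    return ToolRecord(name, tool_class, version, tuple(options), digests, validation_ref)


def check_toolchain(baseline: Dict[str, ToolRecord],
                    build: Dict[str, ToolRecord]) -> List[str]:
    """Compare the tools recorded for a build against the baselined tool set.
    Returns a list of findings; an empty list means the build used exactly the
    baselined versions, options and scripts, and every T3 tool has evidence."""
    findings: List[str] = []
    for name, exp in baseline.items():
        act = build.get(name)
        if act is None:
            findings.append(f"{name}: tool missing from build record")
            continue
        if act.tool_class == "T3" and not act.validation_ref:
            findings.append(f"{name}: T3 tool without validation / proven-in-use reference")
        if act.version != exp.version:
            findings.append(f"{name}: version {act.version} differs from baseline {exp.version}")
        if act.options != exp.options:
            findings.append(f"{name}: options {list(act.options)} differ from baseline {list(exp.options)}")
        for fn, digest in exp.script_sha256.items():
            if act.script_sha256.get(fn) != digest:
                findings.append(f"{name}: script {fn} changed or missing")
        for fn in act.script_sha256.keys() - exp.script_sha256.keys():
            findings.append(f"{name}: unbaselined script {fn} used")
    for name in build.keys() - baseline.keys():
        findings.append(f"{name}: tool not in baseline")
    return findings


# Constructed sample data: a T3 compiler with a linker script and a T2 checker.
LINK_SCRIPT = b"MEMORY { flash : ORIGIN = 0x08000000, LENGTH = 256K }\n"


def sample_baseline() -> Dict[str, ToolRecord]:
    return {
        "cc-safe": make_record("cc-safe", "T3", "4.2.1", ["-O0", "-Wall", "-Werror"],
                               {"link.ld": LINK_SCRIPT}, validation_ref="TVR-2012-07"),
        "misra-check": make_record("misra-check", "T2", "1.9", ["--strict"], {}),
    }


def sample_build_drifted() -> Dict[str, ToolRecord]:
    """A build in which the compiler was updated, its linker script edited and
    no validation evidence was recorded for the new compiler version."""
    return {
        "cc-safe": make_record("cc-safe", "T3", "4.2.3", ["-O0", "-Wall", "-Werror"],
                               {"link.ld": LINK_SCRIPT + b"/* patched */\n"}),
        "misra-check": make_record("misra-check", "T2", "1.9", ["--strict"], {}),
    }


if __name__ == "__main__":
    for line in check_toolchain(sample_baseline(), sample_build_drifted()):
        print(line)
```

Run against the drifted build, the check reports three findings: the compiler version changed, its linker script changed, and the new compiler version carries no validation reference although it is a T3 tool. Hashing the scripts rather than recording their names is what makes the record useful as evidence: a silently edited linker script is exactly the kind of change a version number does not show.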
Software requirements – Annex A
• Forward and backward traceability of safety requirements through the whole software / hardware lifecycle:
  • safety requirement specification
  • modification
  • software architecture
  • software design
  • software development
  • testing
  • integration (HW/SW)
  • validation / verification
IEC 61508-3: 2010 (Ed. 2.0)
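What forward and backward traceability buys in practice is the ability to ask, for any requirement, which tests give evidence for it, and for any test or design element, which requirement justifies it. The following is an added example (not from the slides) that builds both directions of the trace and reports the gaps an assessor would ask about: requirements without a test, design elements that implement no requirement, and tests that trace to nothing. The identifiers and links are constructed sample data.

```python
"""Added example, not from the slides: forward and backward traceability of
safety requirements through design and test, plus the gaps such a trace
exposes (untested requirements, design elements and tests that trace to no
requirement).  The identifiers and links are constructed sample data."""
from typing import Dict, List, Set

# Constructed trace links.  Real projects keep these in the requirements tool.
REQ_TO_DESIGN: Dict[str, List[str]] = {
    "SR-1": ["SW-FLAME-MON", "HW-VALVE-OUT"],   # flame failure -> fuel valves closed
    "SR-2": ["SW-SEQ"],                         # start-up sequence with purge time
    "SR-3": [],                                 # requirement never allocated to design
}
DESIGN_TO_TEST: Dict[str, List[str]] = {
    "SW-FLAME-MON": ["TC-11", "TC-12"],
    "HW-VALVE-OUT": ["TC-20"],
    "SW-SEQ": [],                               # designed, but no test written
    "SW-DEBUG-SHELL": ["TC-99"],                # implemented without any requirement
}


def forward_trace(req: str, req_to_design=REQ_TO_DESIGN,
                  design_to_test=DESIGN_TO_TEST) -> Set[str]:
    """Requirement -> design elements -> tests that give evidence for it.
    The same set is the re-test scope when the requirement is modified."""
    tests: Set[str] = set()
    for element in req_to_design.get(req, ()):
        tests.update(design_to_test.get(element, ()))
    return tests


def backward_trace(test: str, req_to_design=REQ_TO_DESIGN,
                   design_to_test=DESIGN_TO_TEST) -> Set[str]:
    """Test -> design elements it exercises -> requirements they implement."""
    elements = {d for d, tests in design_to_test.items() if test in tests}
    return {r for r, ds in req_to_design.items() if elements.intersection(ds)}


def traceability_gaps(req_to_design=REQ_TO_DESIGN,
                      design_to_test=DESIGN_TO_TEST) -> Dict[str, Set[str]]:
    """Gaps a functional safety assessor would ask about."""
    traced_elements = {d for ds in req_to_design.values() for d in ds}
    all_elements = set(design_to_test) | traced_elements
    all_tests = {t for ts in design_to_test.values() for t in ts}
    return {
        "untested_requirements": {
            r for r in req_to_design
            if not forward_trace(r, req_to_design, design_to_test)},
        "orphan_design_elements": all_elements - traced_elements,
        "orphan_tests": {
            t for t in all_tests
            if not backward_trace(t, req_to_design, design_to_test)},
    }


if __name__ == "__main__":
    for kind, items in traceability_gaps().items():
        print(f"{kind}: {sorted(items)}")
```

On the sample data, SR-2 and SR-3 are untested (one has a design element with no test, the other was never allocated to design), SW-DEBUG-SHELL implements no requirement, and TC-99 tests nothing the specification asked for. The orphan design element is the case worth noting from a security angle: functionality that no requirement covers is also functionality that no hazard or misuse analysis has looked at.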
Security as a term of standards
IEC 61508 : 2010 (Ed. 2.0)
EN 13611 : 2012
Security
• Responsibility for limiting threats and avoiding attacks is shared by the operator and the manufacturer:
  • Facility operator: closing attack routes
  • ICS manufacturer: blocking attack methods
Security
Threat and attack scenarios may lead to attacks on the protection goals, such as:
• Confidentiality (unauthorised gain of information)
• Integrity (unauthorised modification)
• Availability (unauthorised limitation of functionality)
Classification of directed attacks:
Attack probability: the higher the attack effort, the lower the attack probability
• Special knowledge needed → attack probability low ('++')
• Special equipment needed → attack probability middle ('+')
• Attack as an act of opportunity → attack probability high ('o')
Potential danger: the more critical the attacked function, the higher the potential danger
• Non-safety-related system function affected → potential damage low, no danger
• Monitoring system function affected → potential damage middle
• Safety-related system function affected → potential damage high, direct danger
Security
• The security risk 1 to 9 can be split into 3 categories:
  • [0…2] No action required, category 1 following EN 50159:2010-09
  • [3…5] Optional measures, category 2 following EN 50159:2010-09
  • [6…9] Urgent action required, category 3 following EN 50159:2010-09
Security
Measures for facility operators
Physical access security to the system
• Locking system
• Alarm system
Technical access security to the system
• No connection of communication to public networks
• Password protection
• Coding / Encryption
• Access keys
Security
Measures for Manufacturers
• Sequence number
• Time monitoring
• CRC
• Passwords for identification
• Question/Answer communication with user confirmation
• Limited gateway
• Counter for maximum occurrence
• Handshake method for end-to-end coverage
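Most of the manufacturer measures listed above are the classic defences of safety-related communication against corruption, loss, repetition, insertion, wrong sequence and delay. The following is an added example (not LAMTEC's code and not from the slides) of a minimal safety telegram that applies four of them: a sequence number, time monitoring, a CRC and a counter for the maximum number of consecutive faults, after which the receiver goes to its safe state. The frame layout, constants, timeout and message contents are constructed for the illustration; the question/answer and handshake items are not covered.

```python
"""Added example, not from the LAMTEC slides: a minimal safety telegram that
applies four of the manufacturer measures listed above - sequence number,
time monitoring, CRC and a counter for the maximum number of faults - with
the receiver going to a safe state once the counter is exhausted.  Frame
layout, constants and the message contents are constructed for this
illustration; the handshake and question/answer items are not covered."""
import struct

HEADER = struct.Struct(">HI")      # sequence number (uint16), sender time in ms (uint32)
TRAILER = struct.Struct(">H")      # CRC-16 over header + payload


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE, bit-serial; check value for b"123456789" is 0x29B1."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_telegram(seq: int, t_ms: int, payload: bytes) -> bytes:
    """Sender side: header + payload + CRC."""
    body = HEADER.pack(seq & 0xFFFF, t_ms & 0xFFFFFFFF) + payload
    return body + TRAILER.pack(crc16_ccitt(body))


class SafetyReceiver:
    """Receiver side.  Every telegram must carry the next expected sequence
    number (detects loss, repetition and replay), must not be older than
    timeout_ms (detects delay), and must pass the CRC (detects corruption).
    max_faults consecutive rejected telegrams drive the receiver into its
    safe state, from which it does not return without a reset."""

    def __init__(self, timeout_ms: int, max_faults: int):
        self.timeout_ms = timeout_ms
        self.max_faults = max_faults
        self.expected_seq = 0
        self.faults = 0              # consecutive faults ("counter for maximum occurrence")
        self.safe_state = False

    def _check(self, telegram: bytes, now_ms: int):
        if len(telegram) < HEADER.size + TRAILER.size:
            return "short"
        body, (crc,) = telegram[:-TRAILER.size], TRAILER.unpack(telegram[-TRAILER.size:])
        if crc16_ccitt(body) != crc:
            return "crc"
        seq, t_ms = HEADER.unpack_from(body)
        if seq != self.expected_seq:
            return "seq"
        if ((now_ms - t_ms) & 0xFFFFFFFF) > self.timeout_ms:
            return "stale"
        return None

    def receive(self, telegram: bytes, now_ms: int):
        """Returns (status, payload); payload is None unless status == "ok"."""
        if self.safe_state:
            return "safe_state", None
        reason = self._check(telegram, now_ms)
        if reason is None:
            self.faults = 0
            self.expected_seq = (self.expected_seq + 1) & 0xFFFF
            return "ok", telegram[HEADER.size:-TRAILER.size]
        self.faults += 1
        if self.faults >= self.max_faults:
            self.safe_state = True
        return reason, None


def demo_exchange():
    """Both sides of a constructed exchange; returns the list of receiver
    verdicts and whether the receiver ended in its safe state."""
    rx = SafetyReceiver(timeout_ms=200, max_faults=3)
    t0 = 1_000
    verdicts = []
    tg0 = build_telegram(0, t0, b"FLAME_OK")
    verdicts.append(rx.receive(tg0, t0 + 20)[0])             # fresh, in order: ok
    verdicts.append(rx.receive(tg0, t0 + 40)[0])             # replayed: seq fault (1)
    tg1 = build_telegram(1, t0 + 50, b"FLAME_OK")
    damaged = bytearray(tg1)
    damaged[HEADER.size] ^= 0x01                             # flip one payload bit
    verdicts.append(rx.receive(bytes(damaged), t0 + 60)[0])  # crc fault (2)
    verdicts.append(rx.receive(tg1, t0 + 70)[0])             # intact copy: ok, counter reset
    tg2 = build_telegram(2, t0 + 80, b"FLAME_OK")
    verdicts.append(rx.receive(tg2, t0 + 500)[0])            # delivered 420 ms late: stale (1)
    verdicts.append(rx.receive(tg0, t0 + 510)[0])            # replayed again: seq (2)
    verdicts.append(rx.receive(tg2, t0 + 520)[0])            # still late: stale (3), safe state
    verdicts.append(rx.receive(build_telegram(2, t0 + 530, b"FLAME_OK"), t0 + 540)[0])
    return verdicts, rx.safe_state
```

The exchange ends with the receiver in its safe state after three consecutive rejected telegrams, and a later valid telegram is no longer accepted. One caveat a practitioner should keep in mind: a CRC carries no secret, so anyone who can inject on the channel can recompute it. These measures address the unintentional faults of a closed channel; against a deliberate attacker on an open network, the "Coding / Encryption" item on the operator list, in practice a keyed integrity check, is the relevant measure.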
EN 298 : 2012
Changes & Modifications
EN 298 : 2012 "Automatic burner control systems"
This standard has been published as national edition DIN EN 298:2012-09, replacing EN 298:2003 and EN 230:2005
• Consolidation of the requirements for automatic burner control systems for burners and appliances burning gaseous or liquid fuels
• Adaptation to the structure and content of EN 13611:2007 + A2:2011
• References to EN 60730-1:2011 (software) and EN 60730-2-5:2002 + A2:2010
• New requirements for common cause failures of switching elements
• Requirements for independent flame detector devices
EN 298 : 2012 (Modifications)
For EMC testing, EN 298 requires compliance with EMC class B (EN 60730-2-5:2010).
EN 298 : 2012 (Modifications)
• Structural alignment to EN 13611
• Integration of EN 230
• Harmonisation of definitions
• Alignment to EN 267 and EN 676 for flame monitoring requirements
• Requirements and tests for independent flame scanners were added
• New requirements for "common cause failures" were added
• Referring to EN 60730-1 (ed. 4), requirements for software design were extended
EN 298 : 2012
Common cause failures:
• Already existing: at least 2 contact elements for safety-relevant output terminals
• NEW: measures to control / avoid the common failure of the 2 contact elements
Further concrete requirements for "common cause failures" are not defined in EN 298 or EN 60730-1 : 2011 (ed. 4)
EN 13611 : 2012
Changes & Modifications
EN 13611 : 2012
EN 13611 „Safety and control devices for gas burners
and gas burning appliances - General requirements“
Annex J – method for the determination of a safety integrity level (SIL) based on IEC 61508
• Additional requirements for functional safety management (structured procedure to avoid systematic failures)
• Additional requirements for hardware (includes a calculation of the dangerous failure probability and the determination of a safety integrity level (SIL))
EN 13611 : 2012
Annex J – Additional requirements for functional safety management (measures for failure avoidance):
• Safety plan
• Specification of safety requirements
• Design and development
• Integration, hardware and software as a system
• Verification and validation
• Operation and maintenance
• Information for the manufacturer of the application
• Document management
EN 13611 : 2012
Annex J – Additional requirements for hardware failure consideration, two ways to treat a component failure:
• With identification and control: component failure → influence on function and interfaces to the process → evaluation
• Without identification and control: component failure → influence on function and process → calculation of the failure probability and other parameters → identification and control → evaluation
prEN 16340 : 2011
Changes & Modifications
prEN 16340 : 2011
EN 16340 : 2011 "Combustion product sensing devices for gas burners and gas burning appliances"
It applies to all types of stationary sensing devices measuring the flue gas components O2, CO, COe (CO, H2, CxHy, etc.), NOx, SO2
This European standard specifies
• safety,
• construction and
• performance requirements
for combustion product sensing devices (CPSD) intended to be used in combustion control systems.
prEN 16340 : 2011
[Figure: CPSD coupled with a combustion control system]
EN 50156-1: 2005-05-01
Changes & Modifications
EN 50156-1: 2005-05-01
prEN 50156 "Electrical equipment for furnaces and ancillary equipment"
Content:
• Part 1: Requirements for application, design and installation (REVISED)
• Part 2: Requirements for design, development and type approval of safety-relevant equipment (NEW)
• Part 3: Requirements for plant-specific tests of safety-relevant equipment (NEW)
EN 50156-1: 2005-05-01
Current status:
• Part 1: Enquiry started in July 2012; the deadline for comments ended on 5 October 2012
• Part 2: Enquiry started in August 2012; the deadline for comments ended on 25 January 2013
• Part 3: Draft is under preparation
EN 50156-1: 2005-05-01
Major changes:
In relation to EN 50156-1:2004, prEN 50156 contains the following major changes:
• Terms are adjusted to the terms of the new IEC 61508
• Adjustment to the basic requirements of the "Pressure Equipment Directive (PED)" 97/23/EC
• Update of normative references
• Elimination of normative references to the "EC Machinery Directive"
• Creation of Annex ZZ according to the harmonisation with the "Pressure Equipment Directive (PED)"
• Harmonisation of the requirements for safety-relevant systems with EN 12952 and EN 12953
• Editorial changes in chapter 10
Draft prEN 50156-2: 2012-08
Changes & Modifications
prEN 50156-2: 2012-08
4.1.2 Requirements for qualification
4.1.2.1 Qualification by product standards
As an exception to 4.1.1, safety devices or subsystems shall be used which have been tested in accordance with a product standard from the following list, if they are within the scope of these standards:
• EN 298: Automatic gas burner control systems for gas burners & gas burning
appliances
• EN 1643: Valve proving systems for automatic shut-off valves for gas burners
& gas appliances
• EN 1854: Pressure sensing devices for gas burners and gas burning appliances
• EN 12952-11: Water-tube boilers and auxiliary installations - Part 11: Requirements
for limiting devices of the boiler and accessories
prEN 50156-2: 2012-08
• EN 12067-2: Gas/air ratio controls for gas burners and gas burning appliances –
Part 2: Electronic types
• EN 13611: Safety and control devices for gas burners and gas burning appliances -
General requirements
• EN 61800-5-2: Adjustable speed electrical power drive systems –
Part 5-2: Safety requirements
prEN 50156-2: 2012-08
If the applicable product standards do not define the safety integrity or the safety parameters, safety functions realised with such components have to be built exclusively from components complying with these standards.
A SIL calculation is no longer necessary if a safety loop consists only of type-approved devices:
prEN 50156-2: 2012-08
• EN 161: Automatic shut-off valves for gas burners and gas appliances
• EN 267: Automatic forced draught burners for liquid fuels
• EN 676: Automatic forced draught burners for gaseous fuels
• EN 1854: Pressure sensing devices for gas burners and gas burning appliances
• EN ISO 23553-1: Safety and control devices for oil burners and oil-burning appliances - Particular requirements - Part 1: Shut-off devices for oil burners
• EN 12952-11: Water-tube boilers and auxiliary installations - Part 11: Requirements for limiting devices of the boiler and accessories
• EN 13611: Safety and control devices for gas burners and gas burning appliances - General requirements
• EN 60947-2: Low-voltage switchgear and controlgear - Part 2: Circuit-breakers
4.2 Requirements for safety devices and subsystems of other technologies
prEN 50156-2: 2012-08
4.2.2 Qualification
If there is no approval according to the relevant product standards, the following requirements have to be fulfilled:
• Figure 10 of prEN 50156-1 in conjunction with an FMEA according to EN 60812 (Annex B)
• 4.2.3 Quality assurance
• 4.2.4 Quantification
• 4.2.5 Recurring functional testing
• 4.2.6 Operating instructions
prEN 50156-2: 2012-08
• Annex A (normative): Proven in operation for subsystems and devices of other technologies
• Annex B (informative): Aspects with influence on functional safety
• Annex C (informative): Summary of the characteristic data for use of a subsystem or device in safety-related applications
• Annex ZZ (informative): Relationship between this European Standard and the Essential Requirements of EU Directive 97/23/EC
EN 12067-2 : 2004
Changes & Modifications
EN 12067-2 : 2004
EN 12067-2 (electronic fuel/air ratio control) is under revision (the work has just started). New ideas:
• Change the name: no longer only gas appliances; the name changes from GARC (Gas Air Ratio Control) to AFRC (Air Fuel Ratio Control)
• Extend the scope: include also fuel/air monitoring systems, e.g. with flue gas sensors
• Include all influences that can change lambda in the safety consideration, not only the deviation of the air/fuel ratio control itself, e.g. gas pressure change, change of calorific value, etc.
• Improve the definition of safety times and safety deviations.
THANK YOU FOR YOUR ATTENTION