
GB/T 41295.4-2022 PDF in English


GB/T 41295.4-2022 (English): Application guide of functional safety - Part 4: Management and maintenance. Status: Valid.


GB/T 41295.4-2022
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 25.040
CCS N 10

Application guide of functional safety - Part 4: Management and maintenance

Issued on: March 09, 2022
Implemented on: October 01, 2022
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.

Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
6 Documentation
7 Personnel
8 Change management and configuration management
9 Safety management of operation and maintenance process
References

Application guide of functional safety - Part 4: Management and maintenance

1 Scope
This document specifies the safety management and maintenance activities required for a functional safety system to achieve its corresponding safety integrity level, including documentation, personnel, change management, and inspection and testing during the maintenance process.
This document applies to the relevant management and maintenance activities from installation and commissioning through normal operation of functional safety systems.

2 Normative references
The following documents are referenced normatively in this document, in whole or in part, and are indispensable for its application. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies.
GB/T 20438.4-2017, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations

3 Terms and definitions
The terms and definitions given in GB/T 20438.4-2017 and the following apply to this document.
3.1 functional safety system
A system that performs safety-related functions, has functional-safety-related characteristics and satisfies a specified Safety Integrity Level (SIL).
Note: "System" here is a generalized concept covering different levels, such as safety components, safety equipment or safety control systems. In an actual industrial process, the functional safety system may be a transmitter, a relay, a safety programmable controller or a safety instrumented system.
[Source: GB/T 41295.1-2022, 3.6]

3.2 team for functional safety system research and development
The party responsible for the design and development of functional safety systems.
Note: Includes the hardware developers, software developers, verification testers, safety managers, etc. of the functional safety system.
[Source: GB/T 41295.2-2022, 3.2]

3.3 team for functional safety system maintenance
The party responsible for the maintenance of functional safety systems.
Note: Includes the inspection and testing personnel, change management personnel, daily inspection personnel and spare-part replacement personnel for the functional safety system.

3.4 offline test
Testing activities carried out while the controlled equipment is in a safe state.

4 Abbreviations
The following abbreviations apply to this document.
HAZOP: Hazard and Operability
HMI: Human Machine Interface
LOPA: Layer Of Protection Analysis
PFDavg: Average Probability of dangerous Failure on Demand
PFH: Average Frequency of dangerous Failure per Hour
SIL: Safety Integrity Level
SRS: Safety Requirement Specification

5 General
5.1 Organizations engaged in the installation, commissioning and formal operation of functional safety systems need to consider establishing a functional safety management

7.3 Clearly define the scope, responsibilities, required competencies (i.e. training, technical knowledge, experience and qualifications) and limitations of each person engaged in safety activities.
7.4 Consideration should be given to the rules and limitations on the competence of personnel to perform specific functional safety activities, including:
-- all personnel have received functional safety training from professional institutions and are qualified to engage in functional safety activities;
-- the team leader has experience of relevant projects and an in-depth understanding of functional safety standards and technologies;
-- all personnel are trained regularly to keep abreast of the latest functional safety standards and technological advances.
7.5 An appropriate communication mechanism should be established between personnel in different positions.

8 Change management and configuration management
8.1 Appropriate configuration management and change control procedures shall be in place.
8.2 Establish configuration items that meet the requirements of the specific project. The configuration items should cover all software and hardware entities and documents that may affect the safety integrity level.
8.3 It shall be ensured that the required safety integrity continues to be met when a change is made. This includes performing an impact analysis and developing an appropriate test plan for the change.
8.4 It shall be ensured that an appropriate change approval mechanism exists and that unauthorized changes are not implemented.
8.5 The configuration management system shall ensure that the configuration status and version of every configuration item can be identified.
8.6 A standardized system should be used to ensure that every item under configuration control can be individually identified.

9 Safety management of operation and maintenance process
9.1 General
The core goal of functional safety maintenance and management is to ensure that the SIL capability required of the functional safety system is not reduced during field operation.
The reasons for a reduction in SIL capability may include:
a) because of improper installation and commissioning, the functional safety system has latent defects from the start of operation and cannot achieve all of the expected safety functions (systematic capability is not satisfied);
b) fault handling, repair and replacement are not performed as the system requires, because of improper maintenance activities;
c) the system hardware (including data transmission and soft errors) has a higher failure rate than expected because of environmental or human factors (hardware safety integrity is not satisfied);
d) appropriate inspection tests are not performed during maintenance, including the inspection test interval being too long or the inspection test content being insufficient.
Items a) and b) need to be addressed by appropriate functional safety management and pre-operational acceptance testing. To avoid c) and d), the contents of 9.2 to 9.4 need to be considered.

9.2 Online safety analysis of the operation process
9.2.1 Consider carrying out on-site failure analysis and online safety management of the functional safety system during maintenance.
9.2.2 During operation of the functional safety system, on-site operation and maintenance personnel need to record the failures of the functional safety system.
9.2.3 Dedicated recording tools should be used for automatic fault statistics. An automatic recording tool can acquire, aggregate, classify and display the failure information of each component of the functional safety system automatically over the communication network.
9.2.4 Based on the collected faults, qualitative and quantitative analysis of all fault records is required, so as to determine whether the occurrence of these faults exceeds the system's expected operating goals, rules or failure rates.
Equipment failure modes and data collection methods can be found in GB/T 20172-2006, GB 28526-2012 and GB/T 15969.6-2015.
9.2.5 For critical safety function loops, consider using dedicated online analysis tools for safety characteristics. Online analysis tools can be used together with logging tools. Online analysis tools for safety characteristics shall at least have the

9.3.2.1 The most common safety function test used to uncover failures or faults that lead to loss of the safety function is the offline functional test. When this test is performed, the controlled equipment is out of production and all characteristics of the safety function can be confirmed. The main purpose of this test is to detect dangerous undetected failures in safety functions.
9.3.2.2 Identify each safety function in the safety-related system, together with all inputs, outputs and logic associated with each safety function. The test specification needs to define how each safety function will be validated. Identify all equipment required to perform the test and verify its suitability for the test, including calibration equipment with traceable characteristics.
9.3.2.3 Consider the following factors when determining the interval for offline tests:
-- the test interval determined by the performance calculation of the safety function;
-- when the logic changes in a way that affects the safety function;
-- when a process or equipment stops operating for planned maintenance activities;
-- company policy on integrity testing of safety functions;
-- after a prolonged shutdown of the functional safety system.
9.3.2.4 Before making a modification (changing any of the following), perform the corresponding review to ensure that the change does not reduce the level of protection, and perform appropriate testing to confirm that the modified safety functions still function properly.
Changes include:
-- performance of a safety layer relative to the original design intent;
-- materials of construction;
-- operating mode;
-- operating procedures;
-- alarm and interlock settings;
-- response speed;
-- test interval or method;
-- equipment type, unless replaced by the same type;
-- architecture or voting logic;
-- diagnostics.

9.3.3 Offline test of sensor subsystems
9.3.3.1 During normal operation a switch does not change state frequently. To confirm that it functions, periodic offline testing should be considered, with the test period determined in advance.
9.3.3.2 A transmitter can provide over-range high/low diagnostics and out-of-range indication, so the test frequency of a transmitter may be reduced as appropriate according to its diagnostic functions.
9.3.3.3 The calibration stability of an input device may allow it to be tested less frequently than the full safety function. However, because equipment drifts with environmental changes (such as temperature), more frequent testing and calibration may be required to ensure that the correct process variable is input to the safety function. For transmitters with large drift over time or a poor working environment, consider increasing the test frequency.
9.3.3.4 Redundancy of components may affect the test frequency. If redundant transmitters have their outputs monitored and compared with each other, agreement means that frequent testing or calibration of the measured quantities is not required. If the outputs drift apart, all of the redundant components need to be tested and calibrated.
9.3.3.5 Diversity in the detection of hazardous conditions increases the availability of safety functions without adding redundant components. For example, a pressure measurement can be cross-checked against a temperature measurement of the process conditions.
By comparing the temperature and pressure values with predicted thermodynamic data, the validity of the process measurements can be diagnosed and the testing required can be reduced.
9.3.3.6 User experience with specific sensors and services can be used to determine the test frequency of equipment so as to ensure sensor performance.

9.3.4 Offline test of the logic control subsystem
9.3.4.1 After making changes to the logic solver, evaluate the potential impact of those changes to determine how many safety functions need to be tested. If the changes to the program can be clearly isolated to certain areas, and it can be unambiguously shown that the changes will not affect other logic executed in the logic solver, only that area needs full functional testing. This applies to logic solvers of all technologies, including electromechanical relays, solid-state relays, pneumatics and programmable electronics.
9.3.4.2 Diagnostic functions external to the logic solver should be tested at the same frequency as the logic solver.
9.3.4.3 The functional characteristics of the logic solver should be verified according to plan; the test frequency, from one year to several years, should be determined according to the risk associated with the process, the complexity of the logic and the company's experience with the logic solver.

9.3.5 Offline test of final actuating unit subsystems
9.3.5.1 When performing a full system functional test, the final actuating component (such as a valve) needs to be tested. The test frequency should be based on its performance in the safety function calculation. The final actuating component should be tested whenever the process is shut down.
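The "performance calculation of the safety function" that 9.3.2.3 and 9.3.5.1 refer to, and the reason 9.3.3.2 allows a transmitter with diagnostics to be tested less often, can be shown with a short worked calculation. The following is an added example and is not text or code from GB/T 41295.4-2022; it uses the simplified low-demand 1oo1 approximation PFDavg ≈ λDU × TI / 2 from IEC 61508-6 (which ignores repair time and common-cause terms), and every failure rate, diagnostic coverage, tag and PFDavg budget in it is an assumed value chosen for illustration.

```python
"""Added example, not from GB/T 41295.4-2022: how the proof-test interval
follows from the PFDavg budget of a subsystem (9.3.2.3, 9.3.5.1) and how
online diagnostics shrink lambda_DU and so lengthen the allowed interval
(9.3.3.2). Simplified 1oo1 low-demand approximation from IEC 61508-6;
all rates, coverages, tags and budgets are assumed values."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands by PFDavg, IEC 61508-1 / GB/T 20438.1: (SIL, lower, upper).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass(frozen=True)
class Element:
    name: str
    lambda_d: float  # total dangerous failure rate, per hour (assumed)
    dc: float        # diagnostic coverage: fraction of lambda_d revealed online

    @property
    def lambda_du(self) -> float:
        """Dangerous *undetected* rate; only these failures wait for a proof test."""
        return self.lambda_d * (1.0 - self.dc)


def pfd_avg_1oo1(el: Element, ti_hours: float) -> float:
    """Simplified 1oo1 PFDavg over a proof-test interval TI (hours)."""
    return el.lambda_du * ti_hours / 2.0


def max_test_interval(el: Element, pfd_budget: float) -> float:
    """Longest TI (hours) at which the element still meets its PFDavg budget."""
    if el.lambda_du <= 0.0:
        return float("inf")   # every dangerous failure is revealed online
    return 2.0 * pfd_budget / el.lambda_du


def sil_band(pfd: float):
    """SIL whose low-demand band contains this PFDavg, or None outside SIL 1..4."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def safety_function_pfd(elements_with_ti):
    """PFDavg of a whole loop (sensor, logic solver, final element in series):
    subsystem PFDs add in this approximation. Each subsystem may carry its own
    test interval, as 9.3.3 to 9.3.5 allow."""
    return sum(pfd_avg_1oo1(el, ti) for el, ti in elements_with_ti)


def example_loop():
    """Assumed trip loop with every subsystem proof-tested once a year;
    returns (PFDavg, SIL band)."""
    sensor = Element("PT-101", lambda_d=5e-7, dc=0.90)  # transmitter with diagnostics
    solver = Element("PLC-1", lambda_d=1e-7, dc=0.99)   # safety PLC
    valve = Element("XV-201", lambda_d=2e-6, dc=0.0)    # valve, no online diagnostics
    pfd = safety_function_pfd([(sensor, HOURS_PER_YEAR),
                               (solver, HOURS_PER_YEAR),
                               (valve, HOURS_PER_YEAR)])
    return pfd, sil_band(pfd)


if __name__ == "__main__":
    plain = Element("PT-101 (no diagnostics)", lambda_d=5e-7, dc=0.0)
    diag = Element("PT-101 (DC 0.90)", lambda_d=5e-7, dc=0.90)
    budget = 3.5e-4  # assumed PFDavg share allocated to the sensor subsystem
    for el in (plain, diag):
        ti = max_test_interval(el, budget)
        print(f"{el.name}: lambda_DU={el.lambda_du:.2e}/h, "
              f"max TI={ti:.0f} h ({ti / HOURS_PER_YEAR:.2f} yr)")
    pfd, sil = example_loop()
    valve_share = pfd_avg_1oo1(Element("XV-201", 2e-6, 0.0), HOURS_PER_YEAR) / pfd
    print(f"loop PFDavg={pfd:.2e} -> SIL {sil}; valve contributes {valve_share:.0%}")
```

With the assumed numbers the undiagnosed transmitter must be proof-tested every 1400 h to stay inside a 3.5e-4 budget, while 90 % diagnostic coverage stretches that to 14000 h, which is the effect 9.3.3.2 describes. In the loop calculation the valve, which has no online diagnostics, contributes almost all of the PFDavg, which is why 9.3.5.1 ties the final element's test to every process shutdown rather than to the sensor's interval.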
9.3.5.2 The test frequency of the final actuating component depends on many factors:
-- the type of final actuating component;
-- the environmental conditions of the application;
-- whether it is used in normal operation or acts only as a backup component when the safety function is activated;
-- the performance requirements of the final actuating component, such as whether the valve needs to provide isolation with minimal leakage or whether some leakage is tolerable.
9.3.5.3 When testing the final actuating component, accessories such as valve positioners, limit indicators/sensors and pneumatic devices should be tested at the same frequency as the final actuator.

9.3.6 Offline test of the HMI
The Human Machine Interface (HMI) is tested at the same frequency as the safety function. When changes are made to the display of information in the HMI, test the changes to confirm that the display state is correct. If the HMI is used to initiate the safety function logic, all equipment involved in initiation shall be tested, including the HMI, output circuits and final actuating components.

9.3.7 Offline test of safety communication
When the safety function uses a safety communication bus for data exchange, the communication is tested at the same frequency as the safety function. A full functional test of the safety function includes the communication to all other equipment, such as the communication to the basic process control system. When a change is made to a communication connection between the safety function and any other device, confirm that the correct information is passed.

9.4 Online testing
9.4.1 Online testing can maintain continuity of the process, but the risk that it may cause a spurious process shutdown needs to be taken into account.
......
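Returning to the online fault analysis of 9.2.3 and 9.2.4: the automatic recording tool aggregates and classifies the fault reports of each component, and the quantitative analysis then asks whether the observed faults exceed the failure rate the system was designed around. The following is an added example of that check and is not text or code from GB/T 41295.4-2022 or any particular tool. Faults are pooled by component type over the installed population, and the observed count of dangerous detected failures is compared with the count the claimed λD would produce over the same unit-hours, using a Poisson tail probability. Every fault record, tag, population size and failure rate in it is constructed for illustration.

```python
"""Added example, not from GB/T 41295.4-2022: automatic aggregation of
field fault records (9.2.3) and a quantitative check of whether the
observed dangerous-failure count of each component type exceeds the
expected failure rate (9.2.4). All records, tags, populations and rates
below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import exp


@dataclass(frozen=True)
class FaultRecord:
    tag: str          # field tag of the component that reported the fault
    ctype: str        # component type, used to pool records across units
    when: datetime    # time the fault was logged
    category: str     # "dangerous_detected", "safe" or "spurious_trip"


def ts(s: str) -> datetime:
    """Parse an ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed fault log: what the recording tool of 9.2.3 would collect
# from component diagnostics over the communication network.
FAULT_LOG = [
    FaultRecord("PT-101B", "PT-100", ts("2023-02-11T04:12:00"), "dangerous_detected"),
    FaultRecord("PT-103A", "PT-100", ts("2023-05-20T17:45:00"), "spurious_trip"),
    FaultRecord("PT-104B", "PT-100", ts("2023-09-02T09:30:00"), "spurious_trip"),
    FaultRecord("XV-201", "XV-200", ts("2023-03-15T22:05:00"), "dangerous_detected"),
    FaultRecord("XV-201", "XV-200", ts("2023-07-08T06:40:00"), "dangerous_detected"),
    FaultRecord("XV-205", "XV-200", ts("2023-08-19T13:10:00"), "dangerous_detected"),
    FaultRecord("XV-207", "XV-200", ts("2023-11-30T01:55:00"), "dangerous_detected"),
    FaultRecord("XV-203", "XV-200", ts("2023-06-01T10:00:00"), "safe"),
    FaultRecord("LS-301", "LS-300", ts("2023-04-04T15:20:00"), "safe"),
]

# Assumed installed units per type and the dangerous failure rate lambda_D
# (per unit, per hour) claimed in the hypothetical safety manuals.
POPULATION = {"PT-100": 40, "XV-200": 12, "LS-300": 8}
EXPECTED_LAMBDA_D = {"PT-100": 2.0e-6, "XV-200": 5.0e-6, "LS-300": 1.0e-6}


def poisson_sf(k: int, mu: float) -> float:
    """P(X >= k) for X ~ Poisson(mu), summed directly (no SciPy needed)."""
    if k <= 0:
        return 1.0
    term = exp(-mu)         # P(X = 0)
    cdf = term
    for i in range(1, k):   # accumulate P(X = 1) .. P(X = k - 1)
        term *= mu / i
        cdf += term
    return max(0.0, 1.0 - cdf)


def aggregate(records, start, end):
    """Count faults per component type and category inside [start, end)."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        if start <= r.when < end:
            counts[r.ctype][r.category] += 1
    return counts


def evaluate(records, start, end, population, expected, alpha=0.05):
    """Compare each type's observed dangerous-failure count with the count
    its claimed lambda_D predicts over the population-hours of the window.
    A type is flagged when a count at least this large would occur with
    probability below alpha if the claimed rate were true."""
    hours = (end - start).total_seconds() / 3600.0
    counts = aggregate(records, start, end)
    report = {}
    for ctype, lam in expected.items():
        unit_hours = population[ctype] * hours
        cats = dict(counts[ctype])
        k = cats.get("dangerous_detected", 0)
        mu = lam * unit_hours
        p = poisson_sf(k, mu)
        report[ctype] = {
            "unit_hours": unit_hours,
            "by_category": cats,
            "dangerous": k,
            "expected_dangerous": mu,
            "observed_lambda_d": k / unit_hours,
            "p_value": p,
            "exceeds_expected": p < alpha,
        }
    return report


def report_2023():
    """Evaluate the constructed log over calendar year 2023."""
    return evaluate(FAULT_LOG, ts("2023-01-01T00:00:00"), ts("2024-01-01T00:00:00"),
                    POPULATION, EXPECTED_LAMBDA_D)


if __name__ == "__main__":
    for ctype, row in report_2023().items():
        flag = "EXCEEDS" if row["exceeds_expected"] else "ok"
        print(f"{ctype}: {row['dangerous']} dangerous vs {row['expected_dangerous']:.2f} "
              f"expected, p={row['p_value']:.4f} [{flag}] {row['by_category']}")
```

Over 2023 the twelve XV-200 valves logged four dangerous detected failures against about 0.53 expected, which the Poisson tail puts at p ≈ 0.002, so that type is flagged for the failure analysis 9.2.1 calls for; the single PT-100 failure (p ≈ 0.50) is consistent with its claimed rate. Pooling by type matters: with a single unit and a λD of a few 1e-6/h, almost any observed failure looks significant, and the decision should instead rest on the whole installed population. Spurious trips are counted and classified but deliberately not compared with λD, since they bear on availability rather than on the dangerous failure rate.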
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.