GB/T 41295.4-2022 PDF in English
Standard ID | Contents | USD | Name of Chinese Standard | Status
GB/T 41295.4-2022 | English | 170 | Application guide of functional safety - Part 4: Management and maintenance | Valid
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 25.040
CCS N 10
Application guide of functional safety - Part 4: Management and maintenance
ISSUED ON: MARCH 09, 2022
IMPLEMENTED ON: OCTOBER 01, 2022
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
6 Documentation
7 Personnel
8 Change management and configuration management
9 Safety management of operation and maintenance process
References
Application guide of functional safety - Part 4: Management and maintenance
1 Scope
This document specifies the safety management and maintenance activities for the
functional safety system to achieve the corresponding safety integrity level, including
documentation, personnel, change management, inspection and testing of the
maintenance process.
This document applies to relevant management and maintenance activities from the
installation, commissioning to normal operation of functional safety systems.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this
document and are indispensable for its application. For dated references, only the
version corresponding to that date is applicable to this document; for undated references,
the latest version (including all amendments) is applicable to this document.
GB/T 20438.4-2017, Functional safety of electrical/electronic/programmable
electronic safety-related systems - Part 4: Definitions and abbreviations
3 Terms and definitions
The terms and definitions given in GB/T 20438.4-2017 and the following apply to
this document.
3.1
functional safety system
A system that performs safety-related functions, has functional safety-related
characteristics, and satisfies a specific Safety Integrity Level (SIL).
Note: The system here is a generalized concept that includes different levels, such as
safety components, safety equipment or safety control systems. In an actual
industrial process, the functional safety system may be a transmitter, a relay, a
safety programmable controller or a safety instrumented system.
[Source: GB/T 41295.1-2022, 3.6]
3.2
team for functional safety system research and development
The entity responsible for the design and development of functional safety systems.
Note: Including functional safety system hardware developers, software developers,
verification testers, safety managers, etc.
[Source: GB/T 41295.2-2022, 3.2]
3.3
team for functional safety system maintenance
The entity responsible for the maintenance of functional safety systems.
Note: Including inspection and testing personnel, change management personnel, daily
inspection personnel, and accessories replacement personnel for the functional
safety system.
3.4
offline test
Testing activities carried out when the controlled equipment is in a safe state.
4 Abbreviations
The following abbreviations apply to this document.
HAZOP: Hazard and Operability
HMI: Human Machine Interface
LOPA: Layer Of Protection Analysis
PFDavg: Average Probability of Dangerous Failure on Demand
PFH: Average Frequency of Dangerous Failure Per Hour
SIL: Safety Integrity Level
SRS: Safety Requirement Specification
5 General
5.1 Organizations engaged in the installation, commissioning and formal operation of
functional safety systems need to consider establishing a functional safety management
7.3 Clearly define the scope, responsibilities, required competencies (i.e., training,
technical knowledge, experience and qualifications) and limitations of each person
engaged in safety activities.
7.4 Consideration should be given to regulations and limitations on the competence of
personnel to perform specific functional safety activities, including:
-- All personnel have received functional safety training from professional
institutions and are qualified to be engaged in functional safety activities;
-- The team leader has experience in relevant projects and has an in-depth
understanding of functional safety standards and technologies;
-- All personnel are regularly trained to keep abreast of the latest functional safety
standards and technological advances.
7.5 An appropriate communication mechanism should be established between
personnel in different positions.
8 Change management and configuration management
8.1 Appropriate configuration management and change control procedures shall be
ensured.
8.2 Establish configuration items that meet the requirements of the specific project. The
configuration items should cover all software and hardware entities and documents that
may affect the safety integrity level.
8.3 It shall be ensured that the required safety integrity in the event of a change is
continuously met. This includes performing an impact analysis and developing an
appropriate test plan for the change.
8.4 It shall be ensured that an appropriate change approval mechanism exists and that
unauthorized changes are not implemented.
8.5 The configuration management system shall ensure that the configuration status and
version of all configuration items are identified.
8.6 A standardized system should be used to ensure that all items under the
configuration can be individually identified.
9 Safety management of operation and maintenance process
9.1 General
The core goal of functional safety maintenance and management is to ensure that the
SIL capability required by the functional safety system during field operation is not
reduced. The reasons for the reduction of SIL capability may include:
a) Due to improper manual installation and commissioning, the functional safety
system has potential defects from the beginning of operation, and not all the
expected safety functions can be achieved (systematic capabilities are not
satisfied);
b) Failure to perform fault handling, repair and replacement, etc. as required by the
system due to improper maintenance activities;
c) The hardware of the system (including data transmission and soft errors) has a
higher failure rate than expected due to environmental or human factors
(hardware safety integrity is not satisfied);
d) Appropriate inspection tests are not performed during the maintenance process,
including the inspection test cycle being too long or the inspection test content
being insufficient.
Causes a) and b) need to be addressed by appropriate functional safety management and
pre-operational acceptance testing. To avoid causes c) and d), the contents of 9.2 to 9.4
need to be considered.
9.2 Online safety analysis of operation process
9.2.1 Consider carrying out on-site failure analysis and online safety management of
functional safety systems during maintenance.
9.2.2 During the operation of the functional safety system, the on-site operation and
maintenance personnel need to record the failures of the functional safety system.
9.2.3 Special recording tools should be used for automatic fault statistics. The automatic
recording tool can realize the automatic acquisition, aggregation, classification and
display of the failure information of each component of the functional safety system
through the communication network.
9.2.4 Based on the situation of fault collection, qualitative and quantitative analysis is
required for all fault records, so as to determine whether the occurrence of these faults
exceeds the expected operating goals, rules or failure rates of the system. Equipment
failure modes and data collection methods can be found in GB/T 20172-2006, GB
28526-2012, and GB/T 15969.6-2015.
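As an added worked example (not part of the standard's text), the kind of fault-statistics check that 9.2.3 and 9.2.4 describe: aggregate and classify fault records per component, then compare the observed count of dangerous failures over the operating period with the count the expected failure rate predicts. The fault records, the expected rates and the 0.05 significance threshold are all constructed assumptions of this example.

```python
from math import exp, factorial

# Constructed fault records (not from the standard), one recorded failure per line:
# timestamp, component tag, subsystem, failure class (safe / dangerous)
FAULT_RECORDS = """\
2023-01-14T08:12 PT-101 sensor dangerous
2023-02-02T17:40 PT-102 sensor safe
2023-03-21T03:05 PT-101 sensor dangerous
2023-05-09T11:30 XV-201 final_element safe
2023-07-30T22:15 PT-101 sensor dangerous
2023-10-11T06:50 LS-301 logic_solver dangerous
"""

# Expected dangerous failure rate per hour for each component: constructed figures
# standing in for the values the SRS or the manufacturer's data would supply.
EXPECTED_LAMBDA_D = {"PT-101": 2.0e-6, "PT-102": 2.0e-6,
                     "XV-201": 5.0e-6, "LS-301": 1.0e-5}


def aggregate(records: str) -> dict:
    """Aggregate and classify fault lines per component (the 9.2.3 step)."""
    counts = {}
    for line in records.splitlines():
        _ts, comp, subsystem, fclass = line.split()
        entry = counts.setdefault(comp, {"subsystem": subsystem, "safe": 0, "dangerous": 0})
        entry[fclass] += 1
    return counts


def poisson_tail(k: int, mu: float) -> float:
    """P(X >= k) for X ~ Poisson(mu): chance of k or more failures if the expected rate holds."""
    return 1.0 - sum(exp(-mu) * mu ** i / factorial(i) for i in range(k))


def assess(records: str, expected: dict, hours: float, alpha: float = 0.05) -> dict:
    """Compare observed dangerous failures with the expected count over `hours` (the 9.2.4 step).
    A component is flagged when seeing k or more failures would be unlikely (p < alpha) at the
    expected rate; alpha = 0.05 is an assumption of this example, not a value from the standard."""
    result = {}
    for comp, entry in aggregate(records).items():
        if comp not in expected:
            raise KeyError(f"no expected failure rate for {comp}")
        mu = expected[comp] * hours  # expected number of dangerous failures in the period
        k = entry["dangerous"]
        p = poisson_tail(k, mu)      # k == 0 gives p == 1.0, never flagged
        result[comp] = {"subsystem": entry["subsystem"], "observed": k,
                        "expected": round(mu, 4), "p_value": round(p, 4), "exceeds": p < alpha}
    return result


if __name__ == "__main__":
    for comp, r in assess(FAULT_RECORDS, EXPECTED_LAMBDA_D, hours=8760).items():
        print(comp, r)
```

Over one year (8760 h) PT-101 is flagged, while the single LS-301 failure is within what its expected rate allows.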
9.2.5 For critical safety function circuits, it is necessary to consider the use of dedicated
online analysis tools of safety characteristics. Online analysis tools can be used together
with logging tools. Online analysis tools of safety characteristics shall at least have the
9.3.2.1 The most common safety function test used to uncover failures or faults that
lead to the loss of the safety function is the offline functional test. When this test is
performed, the controlled equipment is out of production and all characteristics of the
safety function can be confirmed. The main purpose of this test is to detect dangerous
undetected failures in safety functions.
9.3.2.2 Identify each safety function in the safety related system. All inputs, outputs and
logic associated with each safety function are identified. Test specifications need to
consider defining how each safety function will be validated. Identify all equipment
required for performing the test, and verify its suitability for the test, including
calibration equipment of traceable characteristics.
9.3.2.3 Consider the following factors to determine the time interval for offline test:
-- The test interval is determined by the performance calculation of the safety
function;
-- When the logic changes and affects the safety function;
-- When a process or equipment stops working due to planned maintenance activities;
-- Company policy regarding integrity testing of safety functions;
-- After a prolonged shutdown of the functional safety system.
9.3.2.4 Before performing modifications (changing any of the following), perform
corresponding reviews to ensure that the changes do not reduce the level of protection,
and perform appropriate testing to confirm that the modified safety functions are still
functioning properly. Changes include:
-- performance of a safety layer based on the original design intent;
-- materials of construction;
-- operating mode;
-- operating procedures;
-- warning and interlocking settings;
-- response speed;
-- test interval or method;
-- equipment type, unless replaced by the same type;
-- architecture or voting logic;
-- diagnosis.
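An added example, not from the standard, of the "performance calculation" behind the test interval in 9.3.2.3 and of the review a test-interval or architecture change requires under 9.3.2.4: the simplified PFDavg formulas (IEC 61508-6, Annex B) for 1oo1 and 1oo2 give the longest proof-test interval that keeps a target SIL, and the same calculation shows whether a changed interval still meets it. The failure rate and common-cause factor are constructed values, and repair time and dangerous detected failures are assumed negligible.

```python
HOURS_PER_YEAR = 8760.0
# PFDavg bands for low-demand mode: SIL n means lo <= PFDavg < hi.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg(lambda_du: float, interval_h: float, arch: str = "1oo1", beta: float = 0.0) -> float:
    """Simplified PFDavg over a proof-test interval T (hours).
    Assumes repair time and dangerous detected failures are negligible, so only the
    dangerous undetected rate lambda_du and T matter:
      1oo1: lambda_du*T/2
      1oo2: ((1-beta)*lambda_du*T)^2/3 + beta*lambda_du*T/2   (beta = common-cause factor)
    """
    t = lambda_du * interval_h
    if arch == "1oo1":
        return t / 2.0
    if arch == "1oo2":
        return ((1.0 - beta) * t) ** 2 / 3.0 + beta * t / 2.0
    raise ValueError(f"unsupported architecture: {arch}")


def sil_from_pfd(pfd: float) -> int:
    """SIL achieved by a PFDavg; 0 when above the SIL 1 band, 4 when below the SIL 4 band."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4


def max_test_interval_years(lambda_du, target_sil, arch="1oo1", beta=0.0) -> float:
    """Longest proof-test interval (years, capped at 100) that keeps PFDavg inside the
    target SIL band. Found by bisection, since pfd_avg grows monotonically with T."""
    upper = SIL_BANDS[target_sil][1]
    lo_h, hi_h = 0.0, 100.0 * HOURS_PER_YEAR
    for _ in range(80):
        mid = (lo_h + hi_h) / 2.0
        if pfd_avg(lambda_du, mid, arch, beta) < upper:
            lo_h = mid
        else:
            hi_h = mid
    return lo_h / HOURS_PER_YEAR


def review_interval_change(lambda_du, old_years, new_years, target_sil, arch="1oo1", beta=0.0) -> dict:
    """The 9.3.2.4 review of a test-interval change: does the new interval still meet the SIL?"""
    old = pfd_avg(lambda_du, old_years * HOURS_PER_YEAR, arch, beta)
    new = pfd_avg(lambda_du, new_years * HOURS_PER_YEAR, arch, beta)
    return {"old_sil": sil_from_pfd(old), "new_sil": sil_from_pfd(new),
            "still_meets_target": sil_from_pfd(new) >= target_sil}
```

With a constructed lambda_du of 2e-6/h, a 1oo1 channel tested yearly sits in SIL 2 but drops to SIL 1 if the interval is stretched to three years, whereas a 1oo2 arrangement with beta = 0.02 keeps SIL 2 at three years.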
9.3.3 Offline test of sensor subsystems
9.3.3.1 The state of a switch does not change frequently during normal operation. In
order to confirm the effectiveness of its function, periodic offline tests should be
considered, and the testing period should be determined in advance.
9.3.3.2 The transmitter can provide over-range high/low diagnosis and out-of-control
range display, so the test frequency of the transmitter is reduced as appropriate
according to the diagnostic function of the transmitter.
9.3.3.3 The calibration stability of the input device may allow its test frequency to be
lower than that of the full safety function. However, since equipment drifts with
environmental changes (such as temperature), more frequent testing and calibration may
be required to ensure that the correct process variable is input to the safety function.
For transmitters with large drift over time or a poor working environment, increasing
the test frequency needs to be considered.
9.3.3.4 Redundancy of components may affect the test frequency. If redundant
transmitters have outputs monitored and compared to each other, agreement means that
frequent testing or calibration of the measured quantities is not required. If the outputs
drift apart, it means that all redundant components need to be tested and calibrated.
9.3.3.5 Diverse detection of hazardous conditions increases the availability of safety
functions without adding redundant components. For example, a pressure measurement
can be cross-checked against temperature measurements of the process conditions. By
comparing the temperature and pressure values with predicted thermodynamic data, the
validity of the process measurements can be diagnosed and the required test interval
reduced.
9.3.3.6 User experience with specific sensors and services can be used to determine the
testing frequency of equipment to ensure sensor performance.
9.3.4 Offline test of logic control subsystem
9.3.4.1 After making changes to the logic solver, evaluate the potential impact of these
changes to determine how many safety functions need to be tested. If changes to the
program can be clearly isolated from certain areas, and it can be unambiguously proven
that the changes will not affect other logic executed in the logic solver, only that area
needs to be fully tested (full functional testing). This applies to logic solvers of various
technologies, including electromechanical relays, solid state relays, pneumatics or
programmable electronics.
9.3.4.2 Diagnostic functions that are external to the logic solver should be tested at the
same frequency as the logic solver.
9.3.4.3 The functional characteristics of the logic solver should be verified according
to the plan; the test frequency should be determined from one year to several years
according to the risk situation related to the process, the complexity of the logic and the
company's experience with the logic solver.
9.3.5 Offline test of final actuating unit subsystems
9.3.5.1 When performing a full system functional test, the final actuating component
(such as a valve) needs to be tested. The frequency of testing should be based on the
performance in the calculation of the safety function. The final actuating component
should be tested whenever the process stops working.
9.3.5.2 The testing frequency of the final actuating component depends on many factors:
-- type of final actuating component;
-- environmental condition of the application;
-- use as a normal operation or as a backup component when the safety function is
activated;
-- performance requirements of the final actuating component, such as whether the
valve needs to provide minimal leakage isolation or the leakage is tolerable.
9.3.5.3 When testing the final actuating component, accessories such as valve
positioners, limit indicators/sensors, air pressure devices, etc. should be tested at the
same frequency as the final actuator.
9.3.6 Offline test of HMI
The Human Machine Interface (HMI) is tested at the same frequency as the safety
function. When making changes to the display of information in the HMI, test the
changes to confirm the correct state of the display. If the HMI is used to initialize the
safety function logic, all equipment related to initialization shall be tested, including
the HMI, output circuits and final actuating components.
9.3.7 Offline test of safety communication
When the safety function uses the safety communication bus for data exchange, the
communication is tested at the same frequency as the safety function. When carrying
out a full functional test of the safety function, the test includes communication to all
other equipment, such as communication to the basic process control system. When a
communication connection change occurs between the safety function and any other
device, confirm that the correct information is passed on.
9.4 Online testing
9.4.1 Online test can ensure the continuity of the process, but it needs to take into
account the risk that may cause the process to stop by mistake.
......
Source: The above contents are excerpted from the PDF, translated/reviewed by www.chinesestandard.net / Wayne Zheng et al.