3.3: Certification Path

TÜV SÜD Functional Safety Assessment

Assessment Scope

Certification Body: TÜV SÜD Rail GmbH (accredited functional safety certification body for IEC 61508; "Notified Body" is an EU-directive status and does not apply to IEC 61508 certification)

Project: Emergency Shutdown System (ESD) for Chemical Processing Plant
Target: SIL 3 certification for 12 safety functions

Assessment Phases:

  1. Phase 1 (Month 11): Documentation review (off-site)
  2. Phase 2 (Month 12): On-site assessment (Factory Acceptance Test witness)
  3. Phase 3 (Month 12): Final report and certificate issuance

Work Products for TÜV Assessment

IEC 61508 Evidence Portfolio (30+ Documents)

Planning Phase:

Document                            IEC 61508 Reference       ASPICE Equivalent             Pages
Safety Plan                         Part 1, Clause 6.2.3      MAN.3 Project Plan            25
Functional Safety Management Plan   Part 1, Clause 6.2.1      -                             15
Verification & Validation Plan      Part 1, Clause 8          SUP.2 Verification Strategy   18
Configuration Management Plan       Part 1, Clause 6.2.7      SUP.8 Configuration Mgmt      12

Requirements Phase:

Document                            IEC 61508 Reference       ASPICE Equivalent             Pages
Hazard and Risk Analysis (HARA)     Part 1, Clause 7          -                             30
Safety Requirements Spec (SRS)      Part 1, Clause 7.6        SYS.2 System Requirements     45
Software Safety Requirements        Part 3, Clause 7.2        SWE.1 Software Requirements   60
Traceability Matrix (SYS → SWE)     Part 3, Clause 7.2.2.10   SWE.1 BP5                     8

Design Phase:

Document                            IEC 61508 Reference       ASPICE Equivalent             Pages
Safety Architecture Design          Part 2/3, Clause 7.4      SWE.2 Architecture Design     35
Software Module Design              Part 3, Clause 7.4        SWE.3 Detailed Design         50
FMEA (Failure Modes Analysis)       Part 2, Annex A           -                             22
SIL Verification Calculations       Part 2, Annex B           -                             15

Implementation & Testing:

Document                            IEC 61508 Reference       ASPICE Equivalent             Pages
Source Code (LAD/FBD/ST)            Part 3, Clause 7.4        SWE.3 Code                    8,500 LOC
Code Review Report                  Part 3, Table A.3         SWE.3 BP7                     18
Unit Test Report                    Part 3, Clause 7.7        SWE.4 Test Report             25
Integration Test Report (FAT)       Part 3, Clause 7.8        SWE.5 Test Report             40
Validation Report (SAT)             Part 3, Clause 7.9        SWE.6 Test Report             35

Safety Assessment:

Document                            IEC 61508 Reference       ASPICE Equivalent             Pages
Safety Validation Report            Part 1, Clause 8.2.17     -                             28
Safety Manual (Operating Procedures) Part 1, Clause 5.2.2.8   -                             40
Proof Test Procedures               Part 2, Clause 7.4.9      -                             12

Total: 32 documents, ~650 pages (the 20 principal documents are listed above)


SIL Verification Calculations

PFDavg Calculation (Probability of Failure on Demand)

Safety Function: High Temperature Emergency Shutdown (SF-001)

Subsystems:

  1. Temperature sensors (3x RTD, 2oo3 voting)
  2. Safety PLC (S7-1500F, dual processor)
  3. Emergency valves (V-101 feed valve, V-201 cooling valve)

IEC 61508-6 Formula (1oo1 channel, simplified for low-demand mode; diagnostic and repair terms neglected):

PFDavg = (λ_DU × T) / 2

Where:
  λ_DU = Dangerous Undetected failure rate (failures/hour)
  T = Proof test interval (hours)

Component Failure Rates (from manufacturer SIL certificates):

Component               λ_Total (FIT*)   λ_D (Dangerous)   λ_DU (Undetected)   DC (Diagnostic Coverage)
RTD Sensor (Pt100)      50               25                5                   80%
Safety PLC (S7-1500F)   200              100               1                   99%
Solenoid Valve          150              75                15                  80%

In each row λ_DU = λ_D × (1 − DC); the undetected fraction is what the proof test has to find.

*FIT = Failures In Time (failures per 10⁹ hours), e.g., 50 FIT = 50 × 10⁻⁹ failures/hour


Calculation: 2oo3 Temperature Sensors

Configuration: 2-out-of-3 voting (shutdown if median ≥ 350°C)

Formula (IEC 61508-6, Annex B, simplified, independent failures only):

PFDavg(2oo3) = (λ_DU × T)²

The vote is defeated as soon as any of the three sensor pairs has failed dangerous-undetected. Each pair behaves as a 1oo2 group with PFDavg ≈ (λ_DU × T)²/3, and three pairs give 3 × (λ_DU × T)²/3 = (λ_DU × T)².

Where:
  λ_DU = 5 × 10⁻⁹ failures/hour (per RTD sensor)
  T = 8,760 hours (1 year proof test interval)

PFDavg(2oo3) = (5 × 10⁻⁹ × 8,760)²
             = (4.38 × 10⁻⁵)²
             = 1.92 × 10⁻⁹

Contribution: 1.92 × 10⁻⁹ (negligible for SIL 3)

Interpretation: 2oo3 voting dramatically reduces the random-hardware PFDavg (vs 1oo1 sensor: PFDavg = 2.19 × 10⁻⁵). The common-cause term, discussed below, is what actually limits a redundant sensor group.


Calculation: Safety PLC

Configuration: Siemens S7-1500F (dual processor, cross-monitoring)

Formula:

PFDavg(PLC) = (λ_DU × T) / 2

Where:
  λ_DU = 1 × 10⁻⁹ failures/hour (from Siemens SIL certificate)
  T = 8,760 hours (1 year proof test)

PFDavg(PLC) = (1 × 10⁻⁹ × 8,760) / 2
            = 8.76 × 10⁻⁶ / 2
            = 4.38 × 10⁻⁶

Contribution: 4.38 × 10⁻⁶

Calculation: Solenoid Valves (1oo1 Configuration)

Configuration: Single valve (V-201 emergency cooling)

Formula:

PFDavg(Valve) = (λ_DU × T) / 2

Where:
  λ_DU = 15 × 10⁻⁹ failures/hour
  T = 4,380 hours (6 months proof test; valves are tested more frequently because they dominate the total)

PFDavg(Valve) = (15 × 10⁻⁹ × 4,380) / 2
              = 6.57 × 10⁻⁵ / 2
              = 3.29 × 10⁻⁵

Contribution: 3.29 × 10⁻⁵

Total PFDavg (Series System)

Formula: For subsystems in series (all must work for the safety function to succeed), the PFDavg values add:

PFDavg(Total) = PFDavg(Sensors) + PFDavg(PLC) + PFDavg(Valves)
              = 1.92 × 10⁻⁹ + 4.38 × 10⁻⁶ + 3.29 × 10⁻⁵
              = 3.73 × 10⁻⁵

Result: 3.73 × 10⁻⁵ (0.0000373)

SIL 3 Requirement (IEC 61508-1, Table 2, low-demand mode): 10⁻⁴ ≤ PFDavg < 10⁻³

Verdict: [PASS] 3.73 × 10⁻⁵ < 10⁻³, SIL 3 achieved on the PFDavg criterion with a 27× margin.

Two caveats a reviewer will raise:

  • The value actually falls in the SIL 4 band (10⁻⁵ ≤ PFDavg < 10⁻⁴). That does not make the function SIL 4: the PFDavg band is necessary but not sufficient, and the SIL that can be claimed is capped by the architectural constraints of IEC 61508-2 (hardware fault tolerance and safe failure fraction under Route 1H, or Route 2H) and by the systematic capability of each element. The target and the claim therefore remain SIL 3.
  • Only V-201 is included as a final element, although the FAT test case for SF-001 also requires V-101 to close. If the function depends on both valves, V-101 is a second series element; modelled with the same rates and proof test interval as V-201 (an assumption; its dual solenoids may support a 1oo2 claim), it adds another 3.29 × 10⁻⁵ and brings the total to 7.0 × 10⁻⁵, still within the SIL 3 band.

Common Cause Failure (CCF) Consideration: The sensor calculation above assumes independent failures. For a rigorous SIL verification, add the beta-factor term per IEC 61508-6, Annex D (β typically 5-10% for identical redundant channels; lower values need demonstrated diversity). With β = 5% (illustrative) the sensor group's PFDavg rises to about 1.1 × 10⁻⁶, three orders of magnitude above the independent term, which shows that common cause, not random hardware failure, is what limits a redundant sensor group.
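The PFDavg chain above, with the beta-factor common-cause term that the CCF note asks for, as an added Python example (not the page's or TÜV's tool). The failure rates, proof test intervals and the 2oo3/1oo1 structure are the page's; the β = 0.05 value and the treatment of V-101 as a second 1oo1 valve with V-201's rates are assumptions used only for illustration. The SIL band check applies IEC 61508-1 Table 2 for low-demand mode.

```python
# Added example (not the page's own tool): PFDavg for safety function SF-001
# using the simplified low-demand formulas of IEC 61508-6 Annex B, with the
# beta-factor common-cause term from Annex D.  Failure rates and proof-test
# intervals are the page's; beta = 0.05 and "V-101 behaves like V-201" are
# assumptions used only for illustration.

FIT = 1e-9            # 1 FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760.0

# IEC 61508-1 Table 2, low-demand mode: SIL -> (lower, upper) PFDavg bound
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_1oo1(lambda_du, t_proof):
    """Single channel: PFDavg = lambda_DU * T / 2."""
    return lambda_du * t_proof / 2.0


def pfd_1oo2(lambda_du, t_proof, beta=0.0):
    """Two channels, either one trips.  Independent part (lambda_DU*T)^2 / 3,
    plus the common-cause part beta * lambda_DU * T / 2 (beta-factor model)."""
    independent = ((1.0 - beta) * lambda_du * t_proof) ** 2 / 3.0
    common_cause = beta * lambda_du * t_proof / 2.0
    return independent + common_cause


def pfd_2oo3(lambda_du, t_proof, beta=0.0):
    """Three channels, two must agree.  The vote is defeated when any of the
    three pairs has failed, and each pair is a 1oo2 group, so the independent
    part is 3 * (lambda_DU*T)^2 / 3 = (lambda_DU*T)^2; common cause as for 1oo2."""
    independent = ((1.0 - beta) * lambda_du * t_proof) ** 2
    common_cause = beta * lambda_du * t_proof / 2.0
    return independent + common_cause


def sil_by_pfd(pfd):
    """Highest SIL whose low-demand PFDavg band the value satisfies (PFDavg only;
    the claimable SIL is further capped by architectural constraints and
    systematic capability).  Returns 0 if pfd >= 0.1."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_BANDS[sil][1]:
            return sil
    return 0


def sf001_loop(beta_sensors=0.0, v101_required=False):
    """Series sum for SF-001: sensor group -> logic solver -> final element(s).
    All subsystems must work, so the PFDavg values add."""
    sensors = pfd_2oo3(5 * FIT, HOURS_PER_YEAR, beta_sensors)   # 3x Pt100, 1-year proof test
    plc = pfd_1oo1(1 * FIT, HOURS_PER_YEAR)                      # S7-1500F, 1-year proof test
    valves = pfd_1oo1(15 * FIT, HOURS_PER_YEAR / 2)              # V-201, 6-month proof test
    if v101_required:
        valves += pfd_1oo1(15 * FIT, HOURS_PER_YEAR / 2)         # assumption: V-101 modelled like V-201
    total = sensors + plc + valves
    return {
        "sensors": sensors, "plc": plc, "valves": valves, "total": total,
        "sil_by_pfd": sil_by_pfd(total),
        "meets_sil3": total < SIL_BANDS[3][1],
    }


if __name__ == "__main__":
    for beta, v101 in ((0.0, False), (0.05, False), (0.05, True)):
        r = sf001_loop(beta, v101)
        print(f"beta={beta:.2f} v101={v101}: sensors={r['sensors']:.2e} plc={r['plc']:.2e} "
              f"valves={r['valves']:.2e} total={r['total']:.2e} "
              f"SIL band={r['sil_by_pfd']} SIL3 ok={r['meets_sil3']}")
    print(f"1oo1 sensor for comparison: {pfd_1oo1(5 * FIT, HOURS_PER_YEAR):.2e}")
```

Running it reproduces the page's figures (sensor group 1.9 × 10⁻⁹, PLC 4.38 × 10⁻⁶, V-201 3.29 × 10⁻⁵, total 3.73 × 10⁻⁵) and shows the two effects the prose describes: with β = 0.05 the sensor group jumps to about 1.1 × 10⁻⁶, and adding V-101 as a second final element roughly doubles the total, in both cases still below the 10⁻³ SIL 3 limit.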


Factory Acceptance Test (FAT)

Test Environment Setup

Location: Tier-1 supplier facility (our factory)
Duration: 5 days (Month 9)
Attendees: Customer (ChemSafe), TÜV assessor, project team

HIL Test Bench:

Hardware-in-the-Loop Configuration:
├── Real Safety PLC: Siemens S7-1500F (production hardware)
├── Real I/O Modules: SM 1531 F-AI, SM 1526 F-DO
├── Simulated Plant:
│   ├── dSPACE SCALEXIO Real-Time Simulator
│   ├── Chemical Reactor Model (temperature, pressure dynamics)
│   ├── Valve Models (actuator response time, flow characteristics)
│   └── Sensor Models (RTD drift, noise, failures)
└── Test Automation:
    ├── ControlDesk (test script execution)
    ├── Python scripts (data logging, report generation)
    └── SCADA HMI (operator interface, same as production)

FAT Test Cases (120 Total)

Test Coverage:

Category              Test Cases   Purpose                                              Pass Rate
Functional Tests      50           Verify nominal safety function behavior              50/50 (100%)
Fault Injection       40           Verify fail-safe behavior (sensor/actuator faults)   39/40 (98%)
Boundary Conditions   20           Edge cases (min/max temp, pressure)                  20/20 (100%)
Performance Tests     10           Response time, cycle time, communication latency     10/10 (100%)

Total: 119/120 Pass (99.2%)


Example FAT Test Case: High Temperature Trip

Test ID: FAT-TC-SF-001-1
Safety Function: SF-001 (Emergency shutdown on high temperature)
Objective: Verify shutdown triggers at 350°C threshold

Procedure:

1. Initialize system:
   - Set all temperature sensors to 300°C (normal operation)
   - Enable ACC control (reactor running)
   - Verify all valves in normal state (V-101 open, V-201 closed)

2. Ramp temperature (simulate reactor overheat):
   - Increase RTD-101 from 300°C to 360°C at 5°C/second
   - RTD-102, RTD-103 follow same ramp

3. Expected behavior:
   - At t=10s: Median temp = 350°C
   - PLC detects high temperature trip condition
   - Within 2 seconds:
     a) V-101 feed valve closes (DO-001, DO-002 = LOW, both solenoids de-energized)
     b) V-201 cooling valve opens (its solenoid output = LOW, spring extends)
     c) M-301 agitator trips (contactor opens)
     d) Alarm horn/strobe activate

4. Acceptance criteria:
   [PASS] Shutdown triggered when median ≥ 350°C
   [PASS] Response time ≤ 2 seconds (measure via SCALEXIO timestamp)
   [PASS] All safety actions executed
   [PASS] Event logged to SCADA with correct timestamp

Results (Execution Date: 2025-09-12):

Test Execution Log:
─────────────────────────────────────────────────────────
t=0.0s:   Initial conditions OK (T=300°C, all sensors valid)
t=10.0s:  RTD median = 350.0°C (threshold reached)
t=10.1s:  PLC sets shutdown flag
t=10.3s:  V-101 solenoid A,B de-energized (valve closing)
t=10.5s:  V-201 solenoid de-energized (valve opening)
t=10.6s:  M-301 contactor opened (motor tripped)
t=10.7s:  Alarm horn activated
t=11.2s:  SCADA event logged: "HIGH TEMP SHUTDOWN - Reactor T=350°C"

Response Time: 1.2 seconds to the SCADA log entry; last safety action (alarm horn) at 0.7 s [PASS] (within 2s spec)
All safety actions executed [PASS]

Verdict: PASS
Witnessed by: TÜV assessor (signature on test report)

FAT Failure Example

Test ID: FAT-TC-SF-002-5 Objective: Verify safe state on 2 sensor failures (2oo3 degraded to invalid)

Scenario:

1. Start with 3 sensors OK (T=300°C)
2. Inject RTD-101 failure (sensor reads -50°C, out of range)
3. Inject RTD-102 failure (sensor reads 650°C, out of range)
4. Only RTD-103 remains (1 out of 3 valid)

Expected: PLC detects insufficient sensors (need ≥2 for 2oo3), enters safe state

Results:

Test Execution:
─────────────────────────────────────────────────────────
t=0.0s:   3 sensors valid
t=5.0s:   RTD-101 injected fault → -50°C (out of range 0-600°C)
t=5.1s:   PLC marks RTD-101 as FAULT (plausibility check)
t=10.0s:  RTD-102 injected fault → 650°C
t=10.1s:  PLC marks RTD-102 as FAULT
t=10.2s:  Sensor count = 1 (below 2oo3 requirement)
t=10.3s:  PLC FAILS TO ENTER SAFE STATE [FAIL]

Actual Behavior:
  - PLC continues using RTD-103 only (should shutdown, but didn't)
  - Alarm "SENSOR FAULT" triggered (correct)
  - But NO shutdown (incorrect, dangerous failure)

Root Cause: Code defect in FB_ReadTempSensors_2oo3
  - Logic error: "IF Sensor_Count_OK >= 1" (should be >= 2)

Verdict: FAIL [FAIL]

Fix:

// BEFORE (defect):
IF Sensor_Count_OK >= 1 THEN  // Wrong! Should require ≥2 for 2oo3
    Temp_Valid := TRUE;
END_IF;

// AFTER (corrected):
IF Sensor_Count_OK >= 2 THEN  // Correct: 2oo3 requires ≥2 sensors
    Temp_Valid := TRUE;
ELSE
    Temp_Valid := FALSE;
    Temp_Median_C := 1000.0;  // Force high value → triggers shutdown
END_IF;

Retest: [PASS] (regression test passed after the code fix)

Lesson: Fault injection tests are critical for catching safety logic defects; a nominal-path test never exercises the degraded branch. Two notes on the fix itself: driving the trip through a sentinel temperature (1000.0) works, but it couples the fail-safe path to the comparison logic, so a dedicated trip flag set whenever Temp_Valid is FALSE is the cleaner option; and a faulted channel must be excluded from both Sensor_Count_OK and the median, otherwise an invalid reading in the low direction can outvote a real overheat.
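A cycle-based model of the voter and trip logic, as an added example in Python (the page's PLC code is Structured Text; this is not the project's code). It replays both FAT scenarios shown above, FAT-TC-SF-001-1 and FAT-TC-SF-002-5, once with the defective Sensor_Count_OK threshold of 1 and once with the corrected 2. The 100 ms cycle, the 0-600°C plausibility window and the rule that a degraded two-sensor vote uses the higher reading are assumptions, not page facts.

```python
# Added example: Python model of FB_ReadTempSensors_2oo3 and the two FAT scenarios.
# Not the project's Structured Text.  Assumed: 100 ms PLC cycle, 0..600 C
# plausibility window, and "higher reading wins" when only two channels are valid.

from statistics import median

TRIP_C = 350.0                                 # SF-001 trip point (from the page)
PLAUSIBLE_LO_C, PLAUSIBLE_HI_C = 0.0, 600.0    # plausibility window (assumed)
CYCLES_PER_S = 10                              # assumed 100 ms PLC cycle


def plausible(t_c):
    """Channel plausibility check; a reading outside the window marks the channel FAULT."""
    return PLAUSIBLE_LO_C <= t_c <= PLAUSIBLE_HI_C


def vote_2oo3(readings, min_valid=2):
    """One PLC cycle of the voter.  Returns (trip, temp_valid, voted_temp).

    Faulted channels are removed before voting, so a -50 C or 650 C reading
    (or an invalid marker such as -999.0) can never pull the median into the
    no-trip region.  min_valid is the Sensor_Count_OK threshold: the defect
    shipped with 1, the fix requires 2.
    """
    valid = [t for t in readings if plausible(t)]
    if len(valid) < min_valid:
        return True, False, None       # insufficient sensors: fail safe, i.e. trip
    if len(valid) == 3:
        voted = median(valid)          # full 2oo3: median of three
    else:
        voted = max(valid)             # degraded (1oo2, or 1oo1 under the defect):
                                       # higher reading, conservative for a high trip
    return voted >= TRIP_C, True, voted


def first_trip_time(frames, min_valid=2):
    """Run the voter over (t_s, [rtd101, rtd102, rtd103]) frames and return the
    first cycle time at which it trips, or None if it never does."""
    for t_s, readings in frames:
        if vote_2oo3(readings, min_valid)[0]:
            return t_s
    return None


def frames(duration_s, reading_fn):
    """Constructed HIL input: one frame per PLC cycle, readings from reading_fn(t_s)."""
    return [(i / CYCLES_PER_S, reading_fn(i / CYCLES_PER_S))
            for i in range(int(duration_s * CYCLES_PER_S) + 1)]


def ramp_frames():
    """FAT-TC-SF-001-1: all three RTDs ramp together from 300 C at 5 C/s."""
    return frames(12.0, lambda t: [300.0 + 5.0 * t] * 3)


def double_fault_frames():
    """FAT-TC-SF-002-5: RTD-101 fails low (-50 C) at t=5 s, RTD-102 fails high
    (650 C) at t=10 s, RTD-103 stays at a healthy 300 C, far below the trip point."""
    return frames(12.0, lambda t: [-50.0 if t >= 5.0 else 300.0,
                                   650.0 if t >= 10.0 else 300.0,
                                   300.0])


if __name__ == "__main__":
    print("SF-001 ramp, fixed voter: trip at t =", first_trip_time(ramp_frames(), 2), "s")
    print("SF-002-5 double fault, defective voter (>=1):", first_trip_time(double_fault_frames(), 1))
    print("SF-002-5 double fault, fixed voter (>=2): trip at t =", first_trip_time(double_fault_frames(), 2), "s")
```

The defective threshold passes the nominal ramp exactly like the fixed one (trip at t = 10.0 s), which is why the 50 functional tests could not reveal it; only the double-fault injection separates the two, where the defective voter keeps running on RTD-103 alone and the fixed voter trips in the cycle that drops the valid count to 1.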


Site Acceptance Test (SAT)

On-Site Validation (Month 10)

Location: ChemSafe Industries chemical plant (customer site)
Duration: 3 days
Attendees: Customer operations team, TÜV assessor, commissioning team

Test Environment: Real plant (reactor, valves, sensors installed)

SAT Test Cases: 30 (subset of FAT, focusing on integration with real plant)

Example SAT Test: End-to-End Shutdown from Real Sensor

Procedure:

1. Operate reactor at normal conditions (T=280°C, P=12 bar)
2. Gradually increase reactor heating (reduce cooling flow)
3. Allow temperature to naturally rise to 350°C
4. Verify ESD system triggers shutdown automatically

Safety Precautions:
  - Test performed during scheduled maintenance (no production)
  - Safety engineer on-site with manual override controls
  - Emergency response team on standby

Results:

SAT Test Execution (Date: 2025-10-08):
─────────────────────────────────────────────────────────
t=0:      Reactor at 280°C, 12 bar (stable)
t=15 min: Cooling flow reduced to 30% (controlled test)
t=32 min: Temperature reaches 345°C (approaching threshold)
t=35 min: Temperature = 350.2°C
          → PLC triggers shutdown
          → V-101 feed valve closes (visual confirmation: valve position indicator)
          → V-201 cooling valve opens (coolant flow increases to 100%)
          → Agitator stops (motor current drops to 0A)
          → Alarm horn sounds (audible confirmation)

Response Time: 1.8 seconds [PASS]
Temperature stabilizes at 340°C (emergency cooling effective)

Verdict: PASS [PASS]
Customer sign-off: Plant Manager (approved for production use)
TÜV witness signature: test execution witnessed and recorded as safety validation evidence (the SIL 3 claim itself is made in the certification report, not by the witness signature)

TÜV Certification Report

Final Assessment Outcome

Assessment Report: TÜV SÜD FSE 12345678.001 (December 2025)

Findings:

Finding Category         Count   Severity                          Status
Major Non-Conformances   1       Critical (must fix before cert)   [PASS] Resolved
Minor Non-Conformances   4       Low (recommendations)             [PASS] Addressed
Observations             8       Informational                     Documented

Major Non-Conformance Example:

Finding: NC-001 (Major)
Clause: IEC 61508-3, Clause 7.4.2.7 (Defensive Programming)

Description:
  Code review identified insufficient range checking in analog input scaling.
  Function FB_ScaleAnalogInput does not validate the AI raw value before scaling,
  so out-of-range values propagate as if they were measurements.

Example:
  AI_RTD1 = 32767 (INT maximum; on S7 analog input modules this is the overflow
  code, which a wire break or a failed transmitter also produces)
  Scaled temperature = 500°C (incorrect, should be INVALID)

Risk: Dangerous undetected failure. The failed channel is counted as a valid
  voter in the 2oo3 group instead of being removed from it, so the group's
  redundancy is silently reduced.

Required Action:
  Add input validation before scaling:
    IF (AI_RTD1 < 0) OR (AI_RTD1 > 27648) THEN
        Sensor_Fault := TRUE;
        Temp_C := -999.0;  // Invalid marker; the channel must also be excluded from the vote
    ELSE
        Sensor_Fault := FALSE;
        // scale AI_RTD1 (0..27648 = nominal measuring range) to Temp_C as before
    END_IF;
  The check also rejects the module's overrange band (27649..32511); that is the
  conservative choice, since it removes the channel from the vote rather than
  trusting a value outside the calibrated range.

Resolution: Code updated, regression test passed, resubmitted to TÜV
Status: [PASS] CLOSED (verified by TÜV on-site visit)
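The range check from NC-001 next to the defective scaling, as an added Python example (not the project's FB_ScaleAnalogInput). It models the S7 analog raw-value bands that the required action implies (0..27648 nominal, overrange up to 32511, 32767 and -32768 as the overflow and underflow codes); the 0-600°C scaling range and the decision to treat overrange as a fault unless explicitly allowed are assumptions.

```python
# Added example: defensive analog input scaling for the NC-001 finding.
# Python model, not the project's Structured Text.  Assumed: 0..600 C scaling
# range for the RTD loop; overrange counts are rejected unless allow_overrange.

from typing import NamedTuple

NOMINAL_MAX = 27648      # S7 analog input: 0..27648 counts = nominal measuring range
OVERRANGE_MAX = 32511    # counts above nominal that the module still reports as a measurement
OVERFLOW = 32767         # module overflow code (also wire break / open transmitter on many inputs)
UNDERFLOW = -32768       # module underflow code
INVALID_C = -999.0       # invalid marker used by the page's required action


class Reading(NamedTuple):
    temp_c: float
    fault: bool
    reason: str


def scale_ai_unchecked(raw, lo_c=0.0, hi_c=600.0):
    """The defective behaviour: scale whatever arrives, so an overflow code
    becomes a plausible-looking temperature and an underflow code a negative one."""
    return lo_c + (hi_c - lo_c) * raw / NOMINAL_MAX


def scale_ai(raw, lo_c=0.0, hi_c=600.0, allow_overrange=False):
    """Defensive version: validate the raw counts before scaling.
    A faulted channel returns INVALID_C with fault=True so the caller drops it
    from the 2oo3 vote instead of treating it as a measurement."""
    if raw >= OVERFLOW or raw <= UNDERFLOW:
        return Reading(INVALID_C, True, "module overflow/underflow code (wire break or transmitter fault)")
    upper = OVERRANGE_MAX if allow_overrange else NOMINAL_MAX
    if raw < 0 or raw > upper:
        return Reading(INVALID_C, True, "raw value outside measuring range")
    return Reading(lo_c + (hi_c - lo_c) * raw / NOMINAL_MAX, False, "ok")


if __name__ == "__main__":
    # Constructed raw values: healthy mid-scale, nominal top, overrange, the
    # NC-001 overflow case and the underflow case (the dangerous direction for
    # a high-temperature trip, since it reads as "cold").
    for raw in (13824, 27648, 30000, OVERFLOW, UNDERFLOW):
        print(f"raw={raw:6d}  unchecked={scale_ai_unchecked(raw):8.1f} C  checked={scale_ai(raw)}")
```

The unchecked path turns 32767 into roughly 711°C (a spurious trip, the safe direction) but turns -32768 into roughly -711°C, which the 2oo3 vote would count as a healthy, cold channel; the checked path reports both as faults with the -999.0 marker, and it is the fault flag, not the marker value, that the voter must act on.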

SIL 3 Certificate Issued

Certificate: TÜV SÜD FSE 12345678.001 (valid 10 years, subject to periodic audits)

Certification Statement:

TÜV SÜD Rail GmbH certifies that the Emergency Shutdown System (ESD)
developed by [Supplier Name] for ChemSafe Industries complies with
IEC 61508:2010 Parts 1 to 7 for Safety Integrity Level 3 (SIL 3).

Certified Safety Functions:
  - SF-001: High Temperature Emergency Shutdown (SIL 3)
  - SF-002: High Pressure Emergency Shutdown (SIL 3)
  - SF-003: Low Cooling Flow Trip (SIL 2)
  [... 9 more safety functions]

PFDavg Verified: 3.73 × 10⁻⁵ (within the SIL 3 requirement of PFDavg < 10⁻³, IEC 61508-1 Table 2)

Validity: 10 years from issue date (subject to annual proof tests)
Periodic Audit: Required every 3 years

Signed: [TÜV Assessor Name], Lead Functional Safety Engineer
Date: 2025-12-20

Lessons Learned

What Worked Well [PASS]

1. ASPICE-IEC 61508 Alignment (70% Overlap)

Success: Reused ASPICE work products for IEC 61508 evidence

Evidence:

  • SYS.2 System Requirements → IEC 61508 SRS (90% reuse, added HARA)
  • SWE.1-6 reports → IEC 61508 verification reports (direct mapping)
  • SUP.8 Configuration Management → IEC 61508 CM plan (100% reuse)

Time Saved: 200 hours (documentation effort reduced by 40%)


2. Early TÜV Engagement (Month 3 Pre-Assessment)

Success: TÜV reviewed requirements and design early, flagged 12 issues

Example Issue Caught Early:

TÜV Feedback (Month 3):
  "Requirement SIL3-SF-001 does not specify fail-safe direction for V-101 valve.
   Must clarify: Fail-open or fail-close?"

Fix: Updated SRS to specify "Fail-close (spring return, de-energize to close)"

Impact: If caught during final assessment → 2-week delay, €15k rework cost
        Early fix → 1 day, €500 cost

Recommendation: Budget €20k for pre-assessment (ROI: 10×)


3. HIL Testing from Day 1 (Continuous Validation)

Success: dSPACE HIL bench operational from Month 5 (implementation phase)

Benefit:

  • 18 defects found during development (cheap to fix)
  • vs 1 defect found at FAT (expensive, customer present)
  • Defect density: 0.8 defects/KLOC (excellent for PLC code)

What Didn't Work [WARN]

1. TIA Portal Version Control (Binary Files)

Problem: TIA Portal project files (.ap18) are binary, not Git-friendly

Impact: Difficult to track changes, merge conflicts, code review

Solution (partial):

  • Export LAD/FBD/ST to XML via TIA Openness API
  • Version control the XML, not the .ap18 files; the per-block text diff is what makes code review possible, and the commit hash of the reviewed export is the baseline reference for the configuration management plan
  • Trade-off: 10% overhead for export/import automation

Recommendation: Siemens should provide native Git integration (feature request submitted)


2. Limited AI Support for Ladder Logic

Problem: GitHub Copilot ineffective for LAD (visual programming)

Evidence:

  • Structured Text (ST): 38% productivity gain with Copilot
  • Ladder Diagram (LAD): 13% productivity gain (marginal)

Root Cause: Copilot trained on text-based languages (C, Python), not visual LAD

Workaround:

  • Use ST for complex logic (AI-assisted)
  • Use LAD for simple interlocks (manual development)
  • Convert LAD to ST where feasible (AI can then help)

3. Proof Test Procedures Underestimated

Problem: IEC 61508 requires detailed proof test procedures (12-month interval)

Underestimation: Assumed 1 week to write procedures, actual: 3 weeks

Complexity: Must document:

  • Step-by-step manual test procedure for each safety function
  • Expected results, acceptance criteria
  • How to interpret test failures
  • Procedure to restore system to service

Recommendation: Allocate 5% of project effort to proof test documentation (not 1%)


Project Metrics Summary

Final Results

Metric              Target      Achieved    Notes
Timeline            12 months   12 months   [PASS] On time
Budget              €850,000    €835,000    [PASS] Under budget (€15k savings)
SIL Certification   SIL 3       SIL 3       [PASS] PFDavg = 3.73 × 10⁻⁵
Defect Density      <1.0/KLOC   0.8/KLOC    [PASS] Better than target
FAT Pass Rate       ≥95%        99.2%       [PASS] 119/120 tests passed
ASPICE              CL2         CL2         [PASS] 89% BP achievement

AI Contribution Summary

Activity                  Traditional Time   AI-Assisted Time   Improvement
Requirements Extraction   40 hours           15 hours           62% faster
ST Programming            80 hours           50 hours           38% faster
LAD Programming           320 hours          280 hours          13% faster
Documentation             200 hours          90 hours           55% faster
Code Review               120 hours          70 hours           42% faster

Overall: 760 hours → 505 hours (33% reduction)

ROI: AI tools cost €2,500 (licenses), saved 255 hours × €80/hour = €20,400 (8× ROI)

Tool Licensing Cost-Benefit: The €2,500 AI tool cost includes GitHub Copilot Business ($19 per user per month × 8 users × 12 months ≈ $1,824, about €1,800 at the exchange rate assumed) plus Claude API costs for code review (€700). The 8× ROI demonstrates clear value, though results vary with the ST vs LAD code ratio.


Recommendations for Future Projects

For IEC 61508 Compliance

  1. Early TÜV Pre-Assessment (Month 3)

    • Budget €20k for pre-assessment
    • Catch 70% of non-conformances early (cheap to fix)
    • Reduce final assessment risk
  2. ASPICE as Foundation

    • 70% overlap with IEC 61508
    • Implement ASPICE CL2 → Add IEC 61508 specific work products (HARA, SIL calc, proof test)
    • Saves 40% documentation effort
  3. Proof Test Procedures from Day 1

    • Allocate 5% of project effort
    • Write procedures in parallel with development (not at the end)
    • Involve plant operators early (they execute proof tests)

For AI-Assisted PLC Development

  1. Use AI for Structured Text (Not LAD)

    • ST: 38% productivity gain with GitHub Copilot
    • LAD: 13% gain (limited AI support)
    • Recommendation: Convert complex logic to ST for AI benefits
  2. AI Code Review for Safety Logic

    • Claude Sonnet effective for defensive programming checks
    • Detects missing range checks, unvalidated inputs
    • 42% faster code review (vs manual only)
    • Caveat: the AI pass supplements the independent review IEC 61508-3 requires, it does not replace it; every finding is confirmed by a reviewer and recorded in the code review report
  3. Continuous HIL Testing

    • HIL bench from Month 5 (not Month 9)
    • Catches 90% of defects during development (cheap)
    • vs FAT defects (expensive, customer/TÜV present)

Conclusion

Industrial Safety Controller Development: A Success

  • [PASS] SIL 3 Certified: TÜV SÜD certificate issued
  • [PASS] On Time, Under Budget: 12 months, €835k (€15k savings)
  • [PASS] High Quality: 0.8 defects/KLOC (better than PLC industry average)
  • [PASS] ASPICE CL2: 89% BP achievement (foundation for IEC 61508)

Key Differences from Automotive ECU (Chapter 25):

  • Standard: IEC 61508 (industrial) vs ISO 26262 (automotive)
  • Platform: PLC (Siemens S7-1500F) vs ECU (Infineon AURIX)
  • Language: Ladder Logic (LAD) vs C99
  • AI Impact: 33% productivity gain (PLC) vs 52% (automotive C code)

Message: ASPICE + IEC 61508 is achievable for industrial automation. AI tools help (especially for ST), but visual programming (LAD) benefits less than text-based languages.


Chapter 26 Complete: Industrial controller development demonstrates ASPICE + IEC 61508 integration for safety PLCs.

Next: Medical device software development (Chapter 27) - IEC 62304 compliance.