HMI Considerations in Safety Systems
Follow these precautions and guidelines for HMI devices in SIL-rated safety systems.
Precautions
You must exercise precautions and implement specific techniques on HMI devices. These precautions include, but are not restricted to the following:
- Limited access and security
- Specifications, testing, and validation
- Restrictions on data and access
- Limits on data and parameters
Use sound techniques in the application software within the HMI and controller.
Access to Safety-related Systems
HMI-related functions consist of two primary activities: reading and writing data.
Reading data is unrestricted because reading doesn’t affect the behavior of the safety system. However, the number, frequency, and size of the data being read can affect controller availability. To avoid safety-related spurious trips, use good communication practices to limit the impact of communication processing on the controller. Do not set read rates to the fastest rate possible.
Writing data, or changing parameters, in a safety-related loop via a device that operates outside the safety loop, such as HMI, is allowed only with the following restrictions:
- Only authorized, specially trained operators can write data in safety-related systems via an HMI.
- The operator that writes data in a safety-related system via an HMI is responsible for the effect of those changes in the safety loop.
- You must clearly document the variables that are to be written.
- You must use a clear, comprehensive, and explicit operator procedure to make safety-related changes via an HMI.
- Writing data can be accepted in a safety-related system only if the following sequence of events occurs:
- The new value must be sent twice to two different standard tags. Both values must not be changed with one command.
- The two standard tags that receive the value from the HMI must be mapped into two safety tags.
- Safety-related code that executes in the controller, must check both safety tags for equivalency and make sure that they are within range (boundary checks).
- Both new variables must be read back and displayed on the HMI device. The HMI display reads the safety tags that received the mapped tag values from the standard tags.
- Trained operators must visually check that both variables are the same and are the correct value.
- Trained operators must manually acknowledge that the values are correct on the HMI display that sends a command to the safety logic, which allows the new values to be used in the safety function. In every case, the operator must confirm the validity of the change before they are accepted and applied in the safety loop.
- Test all changes as part of the safety assessment procedure.
- Sufficiently document all safety-related changes that are made via the HMI, including the following:
- Authorization
- Impact analysis
- Execution
- Test information
- Revision information
- Process Safety changes to the safety-related system must comply with IEC 61511 requirements.
- Machine safety changes to the safety-related system must comply with IEC 62061 requirements.
- The developer must follow the same sound development techniques and procedures that are used for other application software development, including the verification and test of the operator interface and its access to other parts of the program. In the controller application software, create a table that is accessible by the HMI and limit access to only required data points.
- Similar to the controller program, the HMI software is secured and maintained for SIL-level compliance after the system has been validated and tested.
Provide Feedback