
Process Automation Siemens

Apr 06, 2018


Anusuya Swamy
  • 8/3/2019 Process Automation Siemens


    Functional Safety (SIL) in Process Instrumentation
    Questions, Examples, Background

    SIEMENS


    Foreword
    Since the introduction of the IEC 61508 safety standard, the topic "Functional Safety" in the process industry has come into focus.
    In this brochure we wish to provide you with an introduction to the topic - with emphasis on instrumentation for process engineering. We wish to provide fundamental understanding without using the language of the standard too much. Therefore some descriptions may appear to experts to be too inexact or superficial.
    This brochure can only be an introduction to the topic. If you require detailed information, you must refer to the corresponding literature and the relevant standards. The calculation examples shown here must therefore only be considered as the basic procedure, and cannot be applied to a "real" calculation.

    The information in this brochure has been produced to the best of our knowledge. However, errors may nevertheless have slipped in. A resulting responsibility will therefore not be accepted.


    Contents
    1 Introduction
    2 Functional safety
    2.1 For whom is IEC 61508 relevant?
    2.2 Safety Instrumented System (SIS)
    3 Safety Integrity Level
    3.1 Determination of required SIL
    3.2 Low demand and high demand modes
    3.3 Comparison between SIL and AK
    3.4 To whom does the SIL classification apply?
    3.5 What devices can be used with which SIL?
    3.6 If two SIL 2 devices are used in redundant mode, is this automatically SIL 3?
    4 Interpretation
    4.1 Types of failures
    4.2 Calculation examples (random failures)
    5 Testing and certification
    5.1 Is the highest possible SIL advantageous?
    5.2 Why is it advantageous for a company to have a process in accordance with IEC 61511?
    5.3 Device ratings by manufacturers
    5.4 What certificates are required - and who can provide them?
    5.5 Possible designs (single-channel/redundant)
    5.6 How is the assessment carried out?
    5.7 New plants - old plants (protection of inventory)
    6 Summary


    1 Introduction

    Dangers and risks
    In everyday life we are permanently exposed to many different dangers. The bandwidth of these dangers extends up to major catastrophes which can have severe detrimental effects on health and the environment. We are not always able to avoid a danger with its associated risks. For example, a high proportion of the world population lives with the dangers of earthquakes or flooding. There are no protective measures against the events themselves; however, protective measures do exist for the threatening effects of such events (e.g. dams or dikes, or buildings resistant to earthquakes).

    Reduction of risks
    Many dangers are therefore assessed in everyday life according to their risk level, and correspondingly accepted or not. If someone plans a long journey, selection of the means of transport can influence the risk of an accident. The traveler can reduce the danger to a residual risk which is acceptable for him. 100% protection does not exist.

    Protective measures
    We can protect ourselves from risk by reducing the likelihood of the risk or trying to lower the severity of its consequences. These protective measures lower the inherent risk to a tolerable level. While there are many different methods for protecting ourselves from risk, our world is being increasingly dominated by electronic systems. We have the possibility for recognizing danger using electronic systems and reducing the risks for mankind and the environment.

    A simple example:
    Various protective measures can be taken in a building in order to reduce the risk of damage through fire.

    Fig. 1 Example of risk reduction (labels: Risk without protective measures; Further measures (fire extinguishers, fireproof materials); Residual risk)

    For example, appropriate emergency exits and escape routes can be provided when planning the building. Smoke detectors can trigger an alarm which signals the danger to persons inside and outside the building. The installation of fire doors and the use of fireproof materials prevents further spreading of a fire.


    Automatic sprinkler systems battle against the flames, and fire extinguishers are also available for fighting the fire. This example shows that there are many possibilities for reducing a risk. The protective measures are matched to the respective requirements, for the risks in a warehouse are different from those in living accommodation.

    Protective measures in industry
    The many reactions in industrial processes are associated with different danger potentials. In order to protect mankind and the environment from danger, as well as the machines and plants from damage, risks are determined and subsequently reduced by applying appropriate protective measures.

    Fig. 2 Representation of risk reduction (labels: Risk without protective measures; Protective measures; Acceptable residual risk)

    The measures required to reduce a risk can sometimes be very simple, but also extremely complex.
    Examples:
    - Structural measures (e.g. build concrete walls around production plants)
    - Distribution of danger
    - Evacuation plans
    - Safety-relevant control and protection equipment
    - ... and many more

    The measures which are finally applied depend on the residual risk that is acceptable - and what overheads (including financial) are necessary to achieve this. Safety-relevant control and protection equipment can make a significant contribution to reducing risks in a process.


    2 Functional safety
    The systems of automation engineering are increasingly handling safety-relevant tasks. For example, processes representing a danger to mankind, equipment and the environment are monitored by safety systems. These safety instrumented systems monitor the process and in the event of a process upset they can reduce the risk of a dangerous state. Functional safety is the correct functioning of such equipment.

    Up to now, national standards have existed for the planning, construction and operation of Safety Instrumented Systems. On the German market, for example, the manufacturers and owners of such plants could refer to the safety standards DIN/VDE 19250, DIN/VDE 19251 and DIN/VDE 801. The design of the safety-relevant equipment could be described using these standards and the requirement categories (AK 1-8).

    Since many countries had different standards for the correct functioning of safety-relevant equipment, a globally applicable IEC basic standard for functional safety was adopted in 1998. A series of standards was derived from this, in which the organizational and technical demands placed on Safety Instrumented Systems and their implementation were defined.

    A uniform standard for plants in the process industry was adopted on 01.08.2004. The following two standards are of significance to process instrumentation:
    - IEC 61508 (basic standard): Globally applicable as the basis for specifications, drafts and operation of Safety Instrumented Systems (SIS).
    - IEC 61511 (application-specific standard for the process industry): Implementation of IEC 61508 for the process industry

    Fig. 3 Standards used for functional safety (labels: IEC 61508, basic standard (applies to all industries); IEC 61511, process industry; IEC 615.., nuclear industry; IEC 615.., xx industry; further standards)


    2.1 For whom is IEC 61508 relevant?
    Based on a hazard and risk analysis, all dangers can be determined which result from a process. This analyzes whether an additional safety instrumented system is necessary to guarantee appropriate protection against possible dangers. If this is the case, the associated concepts must be appropriately incorporated in the development of this plant.
    A safety instrumented system is only one possibility for coping with these dangers. Other methods are also of fundamental importance, e.g. inherent safety through development. IEC 61508 defines appropriate methods for achieving functional safety for associated systems.

    What systems are affected by IEC 61508?
    IEC 61508 must be applied to safety-relevant systems if these contain one or more of the following devices:
    - Electrical equipment
    - Electronic equipment
    - Programmable electronic equipment

    The standard covers possible risks caused by the failure of implemented safety functions. Not covered are dangers resulting from the electrical/electronic devices themselves, e.g. electric shock. The standard is generally applicable to safety-relevant electrical/electronic systems, independent of their respective application.

    2.2 Safety Instrumented System (SIS)
    A Safety Instrumented System (SIS) is used to protect a dangerous process and to reduce the risk of a serious accident.
    Process instruments are components of a Safety Instrumented System which typically includes:
    - Sensors
    - Failsafe processing units
    - Actuators

    Fig. 4 Components of an SIS


    In order to be able to evaluate the functional safety of an SIS, it is therefore necessary to consider the complete processing system (from sensor up to actuator).

    Fig. 5 Representation of an SIS (labels: Controller; "Communications components must also be taken into consideration!")

    Several sensors, actuators or control components can be used within an SIS.
    It may also be the case that safety-relevant and non-safety-relevant components are connected together within a plant. However, only the safety-relevant components are considered for the SIS.

    Fig. 6 Signals to be processed in a plant (labels: Safety-relevant signals (e.g. for emergency shutdown); Non-safety-relevant signals; Actuator)


    3 Safety Integrity Level
    Different risks originate from the reactions in various industrial processes. As the risk increases, the demands made on the reliability (integrity) of the Safety Instrumented System also increase. As the integrity of the system increases so does its ability to protect against the risk it is monitoring. The standards IEC 61508 and IEC 61511 therefore define four different safety levels which describe the measures for ensuring the risk reduction capability of these components. These four safety levels are the so-called Safety Integrity Level (SIL).
    The higher the number of the SIL, the higher the reduction of the risk. The SIL is therefore a measure of the probability that the safety system can correctly provide the required safety functions for a specific period.

    3.1 Determination of required SIL
    There are different approaches for determining the required SIL for the Safety Instrumented System that is monitoring a dangerous process. The standards IEC 61508 and IEC 61511 (application of IEC 61508 for the process industry) include various methods for defining the SIL. Since the topic is extremely complex, only that necessary to obtain basic understanding is presented here.

    A quantitative method
    The risk of a dangerous process is determined by the frequency with which a dangerous event could occur without existing protective measures, multiplied by the effect of the dangerous event. It is necessary to determine how high the risk frequency is which can lead to a dangerous state. This risk frequency can be estimated by applying quantitative risk assessment methods, and defined by a numeric limit.
    The frequency can be determined by:
    - Analysis of failure rates in comparable situations
    - Data from relevant databases
    - Calculation with application of appropriate prediction methods

    The exact methods of calculation cannot be treated further here. If required, details can be found in IEC 61508 Part 5.


    A qualitative method
    The qualitative method is a simplified model which readily shows which SIL is required for which dangers.

    Fig. 7 Determination of SIL according to the "qualitative method" (risk graph; label: Starting point for estimation of risk)

    a: no special safety requirements
    b: a single SIS is insufficient
    1, 2, 3, 4: safety integrity level (SIL)

    Extent of damage
    - Light injury of a person, small environmental damage
    - Severe injury or death of a person
    - Death of several persons
    - Death of very many persons

    Duration of stay of a person in the dangerous area
    - Seldom to frequent
    - Frequent to permanent

    Aversion of danger
    - Hardly possible
    - Possible under certain conditions

    Probability of occurrence
    - W1 Very low
    - W2 Low
    - W3 Relatively high


    3.2 Low demand and high demand modes
    Since applications in the process and production industries vary greatly, different demands are also placed on the SIS. For this reason, each of these industrial sectors has a different system in which the demand rate on the SIS is defined. A differentiation is made between the systems using the probability of failure on demand (PFD).

    Low demand
    Mode with low demand rate on the safety system. The safety system must not be demanded to address a dangerous failure more frequently than once per year.

    SIL: SIL 1, SIL 2, SIL 3, SIL 4

    Table 1

    PFD; : > : 10.2to : 10.3 to : 10.9 to


    3.3 Comparison between SIL and AK
    DIN 19250 is a German national standard that was used as the basis for evaluating safety products before the release of the IEC 61508 international standard. It defined safety levels in terms of requirements categories (AK) instead of Safety Integrity Levels (SIL). The basic principle for application of the requirement categories (AK) is based on the fact that, through the exclusive use of devices of a particular requirement category, the total system also fulfills this requirement category. In addition, only the computer components of a measuring system have been considered.
    The following table shows a comparison between the requirement categories AK and the Safety Integrity Levels.

    DIN 19250 Requirement category: AK 1, AK 2, AK 3, AK 4, AK 5, AK 6, AK 7, AK 8
    IEC 61508 Safety Integrity Level: Not defined, SIL 1, SIL 2, SIL 3, SIL 4

    Table 3 Comparison between AK (DIN 19250) and SIL (IEC 61508) (may not completely agree in a few cases)

    3.4 To whom does the SIL classification apply?
    The SIL classification applies to all sectors which must fulfill the safety directives, e.g.:
    - Companies operating the plant: Place the demands on the suppliers of safety instrumented components. These must provide proof of the remaining risk potential.
    - Plant constructors: Must appropriately design the plant.
    - Suppliers: Confirm the classification of their products.
    - Insurance companies, government departments: Request proof of a sufficient reduction in the residual risk of the plant.


    3.5 What devices can be used with which SIL?
    In order to achieve a level (SIL 1 - 4), the complete measuring system must fulfill the demands for the systematic failures (particularly the software) and the random failures (hardware). The calculated results of the complete measuring system must then correspond to the demanded SIL.
    In practice, this primarily depends on the design of the process or measuring system. The SIL rating of the entire safety system will depend on the combination of the expected failure rates of the various components. The architecture of the system will impact how these values are combined to determine the SIL.
    Typically, a device used in a SIL 2 safety function must be rated for SIL 2 or higher. Redundant voting architectures have the ability to improve the safety rating of the devices (see next section).
    In many cases it is more advantageous to use two sensors since the company operating the plant requests redundancy for availability reasons. A small positive side effect is that the cost of two SIL 2 devices is usually lower than that of one SIL 3 device.
    SIL 4 cannot be implemented using conventional devices.

    3.6 If two SIL 2 devices are used in redundant mode, is this automatically SIL 3?
    No. It is always the case that the calculated failure probability of the complete measuring system must result in SIL 3. Redundant operation of SIL 2 devices permits a reduction in the probability for random failures depending on the voting architecture that is used. Whether this is sufficient for SIL 3 must be determined by considering systematic and random faults.
    This procedure applies analogously to other SIL levels.


    4 Interpretation

    4.1 Types of failures
    A differentiation is made in a Safety Instrumented System between systematic failures and random failures. Both types of failures must be considered individually in order to fulfill a demanded SIL level.

    Random failures
    Random failures do not exist at the time of delivery. They result from failures in the hardware, and occur at random during operation. Examples of random failures include: short-circuit, interruption, drift in component values, .... The failure probability, and the associated magnitude of the failure probability, can be calculated. The individual hardware components of a measuring system are calculated. The results are expressed by the PFD value (average probability of failure on demand), and are the calculation basis for determining the SIL value.

    Systematic failures
    Systematic failures already exist at the time of delivery of every device. These are typically development failures or failures in the design or configuration. Examples include software failures, incorrect dimensioning, incorrect rating of measuring device, .... Failures in the device software make the largest contribution to the systematic failures. The fundamental consideration with systematic software failures is that failures in the programming can also result in failures in the process.
    The device manufacturer must provide data on the SIL rating with respect to systematic failures. These data are usually present in the conformity certificate of the individual devices. Depending on the SIL, the data are also provided in certificates produced by independent organizations such as the TÜV (German Technical Inspectorate) or companies specialized in testing such as Exida.
    These data are not values for further calculations, but only provide information on the SIL rating of the device with respect to systematic failures.
    In order to fulfill the systematic failure demands for a certain SIL (e.g. SIL 3), the complete measuring system must be appropriately designed. The simplest consideration in this case is that all components possess an SIL 3 rating for systematic failures.

    Complete redundancy with systematic failures
    However, it is also possible to use SIL 2 components if measures have been taken which do not allow a systematic failure at the SIL 2 level. For example, if SIL 2 pressure measuring devices are to be used in an SIL 3 measuring system, it must be ensured that different device software is used. This is achieved e.g. by using two different devices, best of all from different manufacturers (complete redundancy, see also Fig. Page 20). Complete redundancy can also apply if different technologies are used instead of different devices (if meaningful), for example with a pressure measuring device and a temperature measuring device.


    4.2 Calculation examples (random failures)
    Important note: The following calculations refer exclusively to random failures! Whether a measuring system actually fulfills the demands of the required SIL must additionally be checked with respect to the systematic failures.
    The following abbreviations are used in the calculation examples:

    Abbreviation    Explanation
    PFD             Mean failure probability of function for the demand
    PFDsys          Failure probability of complete measuring system
    PFDS            Failure probability of sensor
    PFDL            Failure probability of logic components/controller
    PFDA            Failure probability of actuator

    Comment: The examples shown here are presented very simply, and only to provide basic understanding. These examples cannot be applied to a "real" calculation!


    4.2.1 Calculation of a measuring system with an SIL 2 sensor
    Prevailing values:
    PFD sensor A      1.5 * 10^-3    (suitable for SIL 2)
    PFD controller    1.3 * 10^-4    (suitable for SIL 3)
    PFD actuator      7.5 * 10^-4    (suitable for SIL 3)

    Example of a 1oo1 (1-out-of-1 system)
    (1 unit of 1 available unit required for functioning)

    PFDsys = PFDS + PFDL + PFDA
    PFDsys = 1.5 * 10^-3 + 1.3 * 10^-4 + 7.5 * 10^-4
    PFDsys = 2.38 * 10^-3 (SIL 2)

    By using these components, the measuring system achieves the PFD for SIL 2.

    SIL PFDSIL 1 :::::10.2 to


    4.2.2 Calculation of a measuring system exclusively with SIL 3 components
    Prevailing values:
    PFD sensor B      6.09 * 10^-4   (suitable for SIL 3)
    PFD controller    1.3 * 10^-4    (suitable for SIL 3)
    PFD actuator      5.0 * 10^-4    (suitable for SIL 3)

    Example of a 1oo1 (1-out-of-1 system)
    (1 unit of 1 available unit required for functioning)

    PFDsys = PFDS + PFDL + PFDA
    PFDsys = 6.09 * 10^-4 + 1.3 * 10^-4 + 5.0 * 10^-4
    PFDsys = 1.24 * 10^-3 (SIL 2)

    By using these components, the measuring system achieves the PFD for SIL 2.
    This example clearly shows that the measuring system does not achieve the PFD for SIL 3 despite the exclusive use of SIL 3 components.

    SIL PFDSIL 1 :::::10-2 to


    4.2.3 Calculation of a measuring system with redundant sensors
    Prevailing values:
    PFD sensor A      1.5 * 10^-3    (suitable for SIL 2)
    PFD sensor A      1.5 * 10^-3    (suitable for SIL 2)

    PFDS = 1.52 * 10^-4
    Determination of the PFD value for the redundant connection of the two sensors is too complex to be presented here understandably. The value can vary greatly, for example if different technologies, manufacturers or device designs are used.

    PFD sensor AA     1.52 * 10^-4   (suitable for SIL 3)
    PFD controller    1.3 * 10^-4    (suitable for SIL 3)
    PFD actuator      6.8 * 10^-4    (suitable for SIL 3)

    Example of a 1oo2 (1-out-of-2 system)
    (1 unit of 2 available units required for functioning)

    PFDsys = PFDS + PFDL + PFDA
    PFDsys = 1.52 * 10^-4 + 1.3 * 10^-4 + 6.8 * 10^-4
    PFDsys = 9.62 * 10^-4 (SIL 3)

    By using these components, the measuring system achieves the PFD for SIL 3.
    This example clearly shows that the complete measuring system achieves the PFD for SIL 3 despite the use of SIL 2 components.

    SIL PFDSIL 1 :::::10.2 to


    4.2.4 Calculation of a measuring system with redundant sensors (poorer actuator value)
    Prevailing values:
    PFD sensor A      1.5 * 10^-3    (suitable for SIL 2)
    PFD sensor A      1.5 * 10^-3    (suitable for SIL 2)

    PFDS = 1.52 * 10^-4
    Determination of the PFD value for the redundant connection of the two sensors is too complex to be presented here understandably. The value can vary greatly, for example if different technologies, manufacturers or device designs are used.

    PFD sensor AA     1.52 * 10^-4   (suitable for SIL 3)
    PFD controller    1.3 * 10^-4    (suitable for SIL 3)
    PFD actuator      7.5 * 10^-4    (suitable for SIL 3)

    Example of a 1oo2 (1-out-of-2 system)
    (1 unit of 2 available units required for functioning)

    PFDsys = PFDS + PFDL + PFDA
    PFDsys = 1.52 * 10^-4 + 1.3 * 10^-4 + 7.5 * 10^-4
    PFDsys = 1.03 * 10^-3 (SIL 2)

    By using these components, the measuring system achieves the PFD for SIL 2.
    This example clearly shows that the measuring system does not achieve the PFD for SIL 3 despite the use of redundant SIL 2 sensors.

    SIL PFDSIL 1 ::::-:0-2 to
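The four calculations of section 4.2 carried through in code, as an added example that is not part of the brochure: it sums the random-failure PFD values, maps the sum to a low-demand SIL band and shows how much PFD budget remains for the actuator. The `pfd_1oo2` helper goes beyond the brochure, which does not say how its redundant-sensor value was obtained; it uses a common simplified 1oo2 approximation, and the common-cause factor `beta = 0.10` is an assumption chosen because it reproduces the brochure's 1.52 * 10^-4. All function names are hypothetical, and systematic failures are not covered.

```python
# Added example (not from the brochure): random-failure PFD budget for the
# four measuring systems of section 4.2. Systematic failures are out of scope.

# Upper PFD limit of each low-demand SIL band as defined in IEC 61508
# (assumption: taken from the standard, since Table 1 is incomplete here).
# A system reaches a SIL when its average PFD is below that limit.
SIL_UPPER_LIMIT = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}

# Values copied from sections 4.2.1 to 4.2.4: (sensor, controller, actuator).
EXAMPLES = {
    "4.2.1": (1.5e-3, 1.3e-4, 7.5e-4),   # single SIL 2 sensor
    "4.2.2": (6.09e-4, 1.3e-4, 5.0e-4),  # SIL 3 components only
    "4.2.3": (1.52e-4, 1.3e-4, 6.8e-4),  # redundant SIL 2 sensors
    "4.2.4": (1.52e-4, 1.3e-4, 7.5e-4),  # same, poorer actuator
}


def sil_for_pfd(pfd):
    """Return the highest SIL whose PFD limit is met, or None if none is."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_UPPER_LIMIT[sil]:
            return sil
    return None


def evaluate(sensor, controller, actuator):
    """Sum the chain sensor -> controller -> actuator and rate the result."""
    parts = {"sensor": sensor, "controller": controller, "actuator": actuator}
    pfd_sys = sum(parts.values())
    return {
        "pfd_sys": pfd_sys,
        "sil": sil_for_pfd(pfd_sys),
        # The component that consumes most of the PFD budget.
        "dominant": max(parts, key=parts.get),
        "shares": {name: value / pfd_sys for name, value in parts.items()},
    }


def actuator_budget(target_sil, sensor, controller):
    """PFD the actuator must stay below for the chain to reach target_sil."""
    return SIL_UPPER_LIMIT[target_sil] - sensor - controller


def pfd_1oo2(pfd_single, beta):
    """Simplified 1oo2 approximation with common-cause factor beta.

    Assumes PFD(1oo1) = lambda_DU * TI / 2 for one device, so that
    lambda_DU * TI = 2 * pfd_single. The first term covers independent
    failures of both devices, the second the common-cause share.
    """
    lam_ti = 2.0 * pfd_single
    independent = ((1.0 - beta) * lam_ti) ** 2 / 3.0
    common_cause = beta * lam_ti / 2.0
    return independent + common_cause


if __name__ == "__main__":
    for section, values in EXAMPLES.items():
        result = evaluate(*values)
        print(f"{section}: PFDsys = {result['pfd_sys']:.3e}, "
              f"SIL {result['sil']}, dominated by {result['dominant']}")
    # Budget left for the actuator in 4.2.3 / 4.2.4 when SIL 3 is the target.
    print(f"actuator budget for SIL 3: {actuator_budget(3, 1.52e-4, 1.3e-4):.3e}")
    # Sensitivity of the redundant sensor pair to the assumed beta.
    for beta in (0.02, 0.05, 0.10, 0.20):
        print(f"beta = {beta:.2f}: PFD(1oo2) = {pfd_1oo2(1.5e-3, beta):.3e}")
```

The actuator budget of about 7.2 * 10^-4 explains why the 6.8 * 10^-4 actuator of 4.2.3 reaches SIL 3 while the 7.5 * 10^-4 actuator of 4.2.4 does not.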


    5 Testing and certification

    5.1 Is the highest possible SIL advantageous?
    Companies operating plants are responsible for proving the functional safety of their processes. They are frequently unsure whether a high or low SIL should be achieved for their processes. The demand for a certain SIL results from determination of the residual risk exhibited by the processes. Selection of the lowest possible SIL not only results in significant cost advantages, but also permits a far greater selection of devices.
    A high SIL is only striven for if it is unavoidable or if cost advantages then result elsewhere, permitting saving again of the extra costs (e.g. by saving expensive additional construction measures).

    5.2 Why is it advantageous for a company to have a process in accordance with IEC 61511?
    The international safety standards (IEC 61508/IEC 61511) define a safety lifecycle which allows companies to follow a methodical process to ensure safety is designed into their process.
    The standards also provide a common basis for manufacturers and end users to measure safety designed into their process. When companies select safety products to meet their targeted safety levels, they can be sure that these products are rated using the same methodology used to design the process.
    It is then made easier for the company operating the plant to provide the proof for risk reduction required by law. This is required in order to achieve operating approval for the plant. It is not absolutely essential to use SIL-classified products. However, the provision of proof is then greatly simplified since the residual risk is already known (and unambiguous) for these products.

    5.3 Device ratings by manufacturers

    Rating in accordance with IEC 61508
    The definitions of IEC 61508 comprise the complete product lifecycle from idea up to discontinuation of a product. In order to develop a component according to this standard, appropriate procedures and additional technical measures must be taken and checked from development up to production. This is often an additional overhead, and makes the development of a failsafe product more expensive than that of a standard component without SIL certification. However this certification offers companies the assurance that their vendor followed the industry's best safety practices when designing and manufacturing their safety products.
    Devices cannot be classified in accordance with IEC 61508 in retrospect.


    Rating in accordance with IEC 61511 (operational proof)
    At the moment there are only very few devices which have been completely developed in accordance with the IEC 61508 standard. In order to allow a practicable selection of devices, the possibility of operational proof for devices has been permitted in IEC 61511. In practice, the older devices have been used successfully for many years. Therefore a statement on the functional safety can be provided by considering failure statistics under certain conditions. The objective is to determine without doubt whether the required functional safety is also actually provided. Proof must be provided for a sufficient number, and include data on the operating period and conditions of use. The minimum period of use is 1 year and additionally a specified number of operating hours. The operational proof only applies to the version/release of the product for which the proof has been provided. All future modifications of the product must subsequently be carried out in accordance with IEC 61508.

    5.4 What certificates are required - and who can provide them?
    Up to and including SIL 2, manufacturer's declarations in accordance with IEC 61511 are sufficient. Certificates are neither stipulated by law nor required by the standard. They are a purely voluntary service of the suppliers who thereby attempt to underline their credibility. The sense of such certificates is questionable since very high costs are sometimes involved with such certification without significant advantages resulting for the user. Companies frequently accept just the manufacturer's declaration.
    For SIL 3 and above, the assessment must be carried out by an independent organization, and is frequently associated with a certificate. However, this may only be produced if the test has been carried out by an approved organization (e.g. TÜV).
    The higher the safety required for a plant, the more independent the person must be who carries out judgment of the functional safety.

    SIL 1    Independent person
    SIL 2    Independent department
    SIL 3    Independent organization
    SIL 4    Independent organization

    Table 4 Summary of which authority must at least carry out the assessment

    Declaration of conformity (manufacturer's declaration): The manufacturer certifies that a particular SIL level has been achieved according to his tests and calculations or as a result of operational proof. The tests are frequently carried out by another testing authority such as e.g. Exida or TÜV.
    Certificate: Is provided by an independent, certified organization (e.g. TÜV).

    Table 5 Overview of possible certificates


    5.5 Possible designs (single-channel/redundant)
    - Single-channel design: One single device
    - Redundant, two-channel design: Two devices of same type
    - Completely redundant design (measure to ensure that systematic failures cannot occur simultaneously): Two different devices, or two different technologies

    Figure labels: Pressure measuring device A + pressure measuring device B (other device); Pressure + Level

    5.6 How is the assessment carried out?
    The following elements can be assessed:
    - The complete device
    - Random failures (only hardware)
    - Systematic failures (hardware and software)

    5.7 New plants - old plants (protection of inventory)
    Inventory protection applies to existing plants. However, this means that, with plant conversions or expansions, the newly added parts will be assessed according to the new standards.


    6 Summary
    Important statements concerning the topic of Functional Safety are summarized again below:
    - Companies must determine tolerable risk guidelines and apply them to their various processes in their plants.
    - If a Safety Instrumented System is used to reduce the risk in a process, a SIL will be specified to achieve the desired risk reduction. The device supplier has no influence on the SIL rating of the process.
    - In order to assess whether a measuring system observes a required SIL, it is always necessary to calculate the failure probability of the random failures.
    - In the end, the value of the failure probability of the used components is therefore of significance to the company operating the plant. The SIL rating of the device can therefore frequently only be used as an approximate value for the calculation.
    - In addition, the measuring system must satisfy the systematic fault requirements.
    - The statement on the SIL rating of a device only means that it is basically possible to use it in a process with corresponding SIL rating.
    - The standard requires assessment of the functional safety. Certificates are neither required by the standard nor stipulated by law.
    - The application standard IEC 61511 applies to the process industry.


    For further details, visit:
    www.siemens.com/processinstrumentation
    www.siemens.com/processanalytics
    www.siemens.com/safety
    www.siemens.com/SIL

    Siemens AG
    Automation and Drives (A&D)
    Process Instrumentation and Analytics
    76181 KARLSRUHE
    GERMANY

    www.siemens.com/processautomation

    The information provided in this catalog contains descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice. All product designations may be trademarks or product names of Siemens AG or supplier companies whose use by third parties for their own purposes could violate
