Selection of Components: IEC 61508 and IEC 61511 (AUMA)
Dr. Jörg Isenberg, 06.10.2015
Page 1: Selection of Components: IEC 61508 and IEC 61511

• Where to find “SIL”-Certificates
• Criteria for component evaluation & understanding certificates
• General suitability of component
• The 3 main requirements of IEC 61508 / IEC 61511
• Additional criteria
• Conclusion

Page 2: Where to find certificates

Safety Automation Element List (exida): http://www.exida.com/SAEL
• Database of components certified by exida
• Also includes components certified by e.g. TÜV

TÜV Rheinland: http://www.tuvasi.com/en
• Database of components certified by TÜV Rheinland
• List of FS engineers certified by TÜV Rheinland

TÜV Nord: http://www.tuev-nord.de/de/zertifizierungen-fusi/produktzertifizierung-11709.htm
• Database of components certified by TÜV Nord
• List of persons certified by TÜV Nord

• Information only available if company / person agreed
• Most certificates may be downloaded
• Not all certificates include safety parameters

Page 3: Understanding certificates

How to interpret certificate headlines? A headline such as “SIL 3” can mean any of the following:

1. The component may be used in any SIL 3 application
2. The component may be used in SIL 3 applications with HFT=0
3. The component may be used in SIL 3 applications if HFT=1 (if HFT=0, SIL 2 is permissible)
4. The systematic capability is 3, but it has to be checked separately which SIL may be achieved with respect to failure probability (PFD) and architectural constraints

To find out, you need to read & interpret the details of the certificate!

Page 4: Understanding certificates

Criteria for component evaluation:

• General suitability for the application
• Fulfillment of the 3 main criteria of IEC 61508 / IEC 61511
• Additional criteria

Page 5: Criteria for component evaluation

General suitability for the intended application:

• Environmental conditions (pressure, temperature, humidity, expected contamination, corrosivity, …)
• Influence of process media (corrosivity, particles, sensors, …)
• Mechanical requirements (torque, closing time, vibrations, …)
• Functionality (safety function(s) & priority, seating criteria, …)

A “SIL 1 capable” component optimally suited to the general (process) requirements is likely to achieve a higher risk reduction than an unsuitable “SIL 3 capable” component!

Page 6: Criteria for component evaluation

The 3 main criteria of IEC 61508

SIL of a SIF always depends on 3 criteria:

• Systematic capability (avoidance of systematic errors)
• Architectural constraints (robustness of system)
• Probability of failure on demand (PFD)

The SIL reached is the lowest SIL achieved by any of these 3 criteria!

Example:

• Systematic capability ⇒ SIL 3
• Architectural constraints ⇒ SIL 1
• Probability of failure on demand ⇒ SIL 2

i.e. achieved SIL for this SIF ⇒ SIL 1

Page 7: Criteria for component evaluation

The 3 main criteria of IEC 61508: systematic capability

Different routes possible.

Route 1 S:

• Set of organizational measures (Functional Safety Management) in different safety life cycle phases
• Necessary to make systematic (human) errors unlikely
• Different for each SIL ⇒ Systematic capability SC=1…4

Route 2 S: proven in use (IEC 61508) / prior use (IEC 61511)

Page 8: Understanding certificates

Page 9: Criteria for component evaluation

The 3 main criteria of IEC 61508: architectural constraints

According to IEC 61508, 2 different routes are possible:

• Route 1 H: Based on Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT)
• Route 2 H: Based on HFT and field data evaluation with raised confidence levels
• IEC 61511: preferred route is 2H

Page 10: Understanding certificates

Architectural constraints

Excerpt from a certificate (data source: manufacturer homepage):

Safety Function          | λSD     | λSU     | λDD      | λDU     | SFF
OPEN / CLOSE without PST | 404 FIT | 185 FIT | 1920 FIT | 974 FIT | 72%
OPEN / CLOSE with PST    | 461 FIT | 185 FIT | 2510 FIT | 388 FIT | 89%

• Attention if no SFF and no (random) SIL capability with respect to architectural constraints is stated!
• Page two of same certificate: conclusion? Architectural constraints (route 1H): SIL 1 capable (HFT=0) w/wo PST!

Disclaimer:

• Compensation by other parts of same subsystem possible

Page 11: Understanding certificates

Architectural constraints

More explicit certificates do exist:

• SIL capability explicitly given for both systematic and random capability

Page 12: Criteria for SIL classification

The 3 main criteria of IEC 61508: probability of failure on demand

SIL   | Average Probability of Failure on Demand (type of duty: low demand)
SIL 4 | < 10^-4
SIL 3 | < 10^-3
SIL 2 | < 10^-2
SIL 1 | < 10^-1

Page 13: Criteria for SIL classification

What is an acceptable PFD for an actuator in a SIL 2 SIF?

All Safety Instrumented Systems consist of Sensor – Logic – Actor

⇒ Actuator & actuator controls mustn’t consume the whole allowed PFD!

⇒ The following non-normative breakdown is widely accepted:

Actuator for SIL 2 should have PFDavg ≲ 2.5 * 10^-3

Page 14: Understanding certificates

Probability of failure on demand – PFD:

Example from the Safety Handbook of an actuator rated “SIL 2 capable” (data source: manufacturer homepage):

Safety Function: ESD, Product XY

λSD  | Safe detected failure rate              | … FIT
λSU  | Safe undetected failure rate            | … FIT
λDD  | Dangerous detected failure rate         | … FIT
λDU  | Dangerous undetected failure rate       | … FIT
PFD  | Probability of failure on demand (per annum) | 4.1 x 10^-3
SIL  | Safety Integrity Level                  | 2
MTTR | Mean Time to repair*                    | 12 hours
TI   | Proof Test Interval                     | 12 months

Total budget – PFD for SIL 2: share of the actuator (?) against sensor + logic + valve + gearbox (shown as a figure in the original)

Page 15: Understanding certificates

Probability of failure on demand – PFD:

Excerpt from a certificate (data source: manufacturer homepage):

Proof test interval                            | 6 mon.       | 1 year       | 2 years      | 3 years      | 5 years
PFDavg (IEC 61508-6, B.3.2.2, λDU from FMEDA)  | 2.25 * 10^-5 | 4.44 * 10^-5 | 8.82 * 10^-5 | 1.32 * 10^-4 | 2.20 * 10^-4
(1) Quantitative achievable SIL                | SIL 4        | SIL 4        | SIL 4        | SIL 3        | SIL 3
(2) Qualitative achievable SIL                 | SIL 2 (for HFT 0; Type A; 60% ≤ SFF < 90%)
Achievable SIL = Min {(1);(2)}                 | SIL 2        | SIL 2        | SIL 2        | SIL 2        | SIL 2

• PFD depends on the failure rate and on parameters such as proof test interval, MRT, …
• Achievable SIL as minimum of architectural constraints and PFD
• But: no observance of PFD-distribution rules! In this case it doesn’t matter (as the SIL is anyway limited by the architecture)

⇒ Make sure you don’t end up with similar certificates where it does matter!
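The page-12 PFD bands, the page-13 budget share, the proof-test dependence behind the page-15 table and the lowest-of-three rule from page 6, as an added Python example that is not part of the AUMA slides. Function names and the 25 % actuator share are assumptions; the numeric figures are the slides' own.

```python
# Added example, not part of the AUMA slides: the low-demand SIL band for a PFDavg
# (page 12), the "component takes only a share of the PFD budget" check (pages 13/14),
# the simplified 1oo1 estimate PFDavg ~ lambda_DU * TI / 2 behind the proof-test table on
# page 15, and the lowest-of-all-criteria rule (page 6). Function names and the 25 %
# actuator share are assumptions; the numeric figures are the slides' own.

FIT = 1e-9              # 1 FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760.0


def sil_from_pfd(pfd_avg):
    """Low-demand duty: SIL 4 < 1e-4, SIL 3 < 1e-3, SIL 2 < 1e-2, SIL 1 < 1e-1, else None."""
    if pfd_avg <= 0:
        raise ValueError("PFDavg must be positive")
    for upper, sil in ((1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)):
        if pfd_avg < upper:
            return sil
    return None


def pfd_avg_1oo1(lambda_du_fit, proof_test_years):
    """Single-channel estimate lambda_DU * TI / 2 (MTTR neglected). The slide cites the
    fuller IEC 61508-6 B.3.2.2 formula, which is why its figures are not exactly linear."""
    return lambda_du_fit * FIT * proof_test_years * HOURS_PER_YEAR / 2


def within_budget(pfd_component, target_sil, share=0.25):
    """(ok, budget): does the component use at most `share` of the PFD the SIL allows?
    Page 13: an actuator in a SIL 2 loop should stay below about 2.5e-3."""
    budget = 10.0 ** -target_sil * share
    return pfd_component <= budget, budget


def achieved_sil(*criteria_sils):
    """Page 6: the SIL reached is the lowest SIL of systematic capability, architectural
    constraints and PFD; None if any single criterion is not met at all."""
    if any(s is None for s in criteria_sils):
        return None
    return min(criteria_sils)


# PFDavg per proof test interval from the page 15 certificate; its architectural SIL is 2.
PAGE15_PFD = {"6 mon.": 2.25e-5, "1 year": 4.44e-5, "2 years": 8.82e-5,
              "3 years": 1.32e-4, "5 years": 2.20e-4}


def page15_rows(arch_sil=2):
    """Per interval: (quantitative SIL from PFD, min with the architectural SIL)."""
    return {ti: (sil_from_pfd(p), achieved_sil(sil_from_pfd(p), arch_sil))
            for ti, p in PAGE15_PFD.items()}
```

Running `within_budget(4.1e-3, 2)` shows why the page-14 actuator, although "SIL 2 capable" on its own, already exceeds the 2.5e-3 share a SIL 2 loop leaves for it.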

Page 16: Criteria for component evaluation

Additional criteria:

• Edition of IEC 61508
• Demand mode
• Safety function
• …

Edition of IEC 61508:

• Edition 1 (1998) ⇔ Edition 2 (2010)
• Certificates state which edition is applied
• Edition 2 is much more restrictive than edition 1
• Significant difference in calculation of SFF ⇒ influence on architectural constraints

• Example – AM controls with SQ.2, [V2] – Safe OPEN / CLOSE:

                | λS [FIT] | λDD [FIT] | λDU [FIT] | SFF   | SIL architectural constraints
IEC 61508 ed. 2 | 21       | 667       | 104       | 86,8% | SIL 2 capable
IEC 61508 ed. 1 | 608      | 667       | 104       | 92,4% | SIL 3 capable
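The SFF arithmetic behind the page-10 and page-16 tables and the Route 1H look-up it feeds, as an added Python example that is not part of the AUMA slides. The FIT figures are the ones on the slides; function names and the element type (A or B) are assumptions, since neither slide states the type. The slides' "SIL 1 capable (HFT=0)" on page 10 is what the Type B row of Route 1H yields, and the "SIL 2 / SIL 3 capable" on page 16 is what the Type A row yields (the slide truncates 86.87 % to 86,8 %).

```python
# Added example, not part of the AUMA slides: compute the Safe Failure Fraction from
# the FIT figures a certificate prints and look up the SIL that IEC 61508-2 (ed. 2)
# Route 1H allows for that SFF, element type and hardware fault tolerance.
# FIT figures are the ones on pages 10 and 16; function names and element types are assumed.

# Route 1H (IEC 61508-2 ed. 2, Tables 2 and 3): (upper SFF bound, max SIL for HFT 0/1/2).
# None means the configuration is not allowed at all.
ROUTE_1H = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (2.0, (3, 4, 4))],
    "B": [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (2.0, (3, 4, 4))],
}


def sff(lambda_sd, lambda_su, lambda_dd, lambda_du):
    """Safe failure fraction: (safe + dangerous detected) / all failures.
    Rates in FIT (failures per 1e9 h); the unit cancels out."""
    total = lambda_sd + lambda_su + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return (lambda_sd + lambda_su + lambda_dd) / total


def route_1h_sil(sff_value, element_type, hft):
    """Max SIL under architectural constraints via Route 1H, None if not allowed."""
    if element_type not in ROUTE_1H or hft not in (0, 1, 2) or not 0 <= sff_value <= 1:
        raise ValueError("element_type 'A' or 'B', hft 0..2, SFF between 0 and 1")
    for upper, sils in ROUTE_1H[element_type]:
        if sff_value < upper:
            return sils[hft]
    return None


def evaluate(rates, element_type, hft):
    """Per row (lambda_SD, lambda_SU, lambda_DD, lambda_DU) in FIT -> (SFF in %, SIL)."""
    out = {}
    for name, (sd, su, dd, du) in rates.items():
        value = sff(sd, su, dd, du)
        out[name] = (round(100 * value, 1), route_1h_sil(value, element_type, hft))
    return out


# Certificate excerpt from page 10 (values as printed on the slide).
PAGE10 = {"OPEN/CLOSE without PST": (404, 185, 1920, 974),
          "OPEN/CLOSE with PST": (461, 185, 2510, 388)}
# Page 16: same hardware under ed. 2 and ed. 1 counting rules; only the safe rate differs,
# because ed. 2 no longer counts "no effect" failures as safe (safe given as one figure).
PAGE16 = {"IEC 61508 ed. 2": (21, 0, 667, 104), "IEC 61508 ed. 1": (608, 0, 667, 104)}

if __name__ == "__main__":
    print(evaluate(PAGE10, "B", 0))   # SIL 1 capable w/wo PST, as the slide concludes
    print(evaluate(PAGE16, "A", 0))   # SIL 2 capable (ed. 2) vs SIL 3 capable (ed. 1)
```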

Page 17: Conclusion

Criteria for selection of functional safety products

Subject | Important | Where to find
Process and environmental conditions | Always buy components that match all conditions | Technical documentation
Functionality & seating criteria | All requirements concerning functionality have to be fulfilled; seating criteria for SIF match valve/process requirements | Technical documentation or safety manual
Systematic capability | Must fit your SIL requirement | “SIL”-certificate or safety manual
Architectural constraints | Sufficient SFF (according to ed. 2 of IEC 61508) or sufficient evidence for path 2H | “SIL”-certificate or safety manual
PFD | Component shall only consume part of allowed PFD (e.g. ≈ 25% for actuator) | “SIL”-certificate or safety manual
Edition of IEC 61508 | IEC 61508 ed. 2 much stricter than ed. 1 | “SIL”-certificate
Demand mode | Always choose demand mode that fits your application | “SIL”-certificate or safety manual
Safety Instrumented Function (SIF) | Only use safety parameters that fit your SIF; make sure that the priority between different SIFs is correct | “SIL”-certificate or safety manual