SAFETY INTEGRITY LEVEL
IEC 61508/61511
PEPPERL+FUCHS
PROTECTING YOUR PROCESS

With regard to the supply of products, the current issue of the following document is applicable: The General Terms of Delivery for Products and Services of the Electrical Industry, published by the Central Association "Elektrotechnik und Elektroindustrie (ZVEI) e.V.", including the supplementary clause: "Extended reservation of title".
Structure
This manual contains the manuscripts of various contributors, each one complete in itself. The first part presents an overview of IEC/EN 61508. The second part is based on presentations that were given as part of a series of seminars by the author. It is therefore possible that some passages in the text are repeated.
It is not the goal of the authors to reproduce excerpts from standards in their entirety, but rather to give the general meaning. If further clarification is needed, the applicable standard should be consulted.
Authors:
Andy Ingrey (part 1, section 2 to section 5)
Patrick Lerévérend (part 2, section 6 to section 9)
Dr. Andreas Hildebrandt (part 2, section 10 and section 11)
Contents
1 Introduction ... 4
1.1 Safety related systems in accordance with IEC/EN 61508 ... 4
1.2 Introduction of safety related systems
1.3 Symbols used ... 5
1.4 Definition of terms and abbreviations ... 5
2 Safety life cycle ... 7
2.1 Safety life cycle concept ... 7
2.2 Risks and their reduction
3 Safety integrity level (SIL) ... 13
3.1 Probability of failure ... 13
3.2 The system structure ... 14
4 Probability of failure ... 17
4.1 Overview ... 17
4.2 Safety loop example ... 18
5 Summary of the first part of the SIL manual ... 21
6 Verification of the safety integrity level of a safety instrumented function ... 22
6.1 What is SIL? ... 22
6.2 Example input subsystem with 2 components ... 23
6.3 Hardware fault tolerance (IEC/EN 61508, part 2) ... 26
6.4 SIL limitation due to architectural constraints (IEC/EN 61508, part 2) ... 27
7 Other structures
7.1 MooN system (IEC/EN 61508, part 6)
7.2 Two sensor subsystems from our example configured as a two channel input subsystem
Common cause failures
Proven in use (IEC/EN 61508, part 2) ... 32
9 How to read a SIL product report? ... 33
10 Glossary/formulae ... 34
10.1 Failure rate λ(t) ... 34
10.2 Constant failure rate λ
10.3 Failure probability F(t)
10.4 Probability density function f(t)
10.5 Reliability
10.6
10.7 Mean failure probability of the function in the demand case PFD (Probability of Failure on Demand) ... 37
10.8 PFD calculation for multi-channel MooN structures (M out of N) ... 38
11 References and bibliography ... 39
1 Introduction
1.1 Safety related systems in accordance with IEC/EN 61508
The international standard IEC/EN 61508 has been widely accepted as the basis for the specification, design and operation of safety instrumented systems (SIS).
As the basic standard, IEC/EN 61508 uses a formulation based on risk assessment: an assessment of the risk is undertaken and on the basis of this the necessary Safety Integrity Level (SIL) is determined for components and systems with safety functions.
SIL-evaluated components and systems are intended to reduce the risk associated with a device to a justifiable level or "tolerable risk".
1.2 Introduction of safety related systems
This document explores some of the issues arising from the recently published international standards for safety systems, particularly within the process industries, and their impact upon the specifications for signal interface equipment.
When considering safety in the process industries, there are a number of relevant national, industry and company safety standards
• IEC/EN 61511 (user)
• ISA S84.01 (USA) (user)
• IEC/EN 61508 (product manufacturer)
which need to be implemented by the process owners and operators, alongside all the relevant health, energy, waste, machinery and other directives that may apply.
These standards, which include terms and concepts that are well known to the specialists in the safety industry, may be unfamiliar to the general user in the process industries.
In order to interact with others involved in safety assessments and to implement safety systems within the plant it is necessary to grasp the terminology of these documents and become familiar with the concepts involved. Thus the safety life cycle, risk of accident, safe failure fraction, probability of failure on demand, safety integrity level and other terms need to be understood and used in their appropriate context.
It is not the intention of this document to explain all the technicalities or implications of the standards but rather to provide an overview of the issues covered therein to assist the general understanding of those who may be:
• involved in the definition or design of equipment with safety implications,
• supplying equipment for use in a safety application,
• just wondering what IEC/EN 61508 is all about.
For those people who are directly responsible for the specification, design, installation, operation and maintenance of electronic or programmable systems that may have safety implications, reference must be made to part 2 (section 6 to section 10) of this manual and the standards themselves.
1.3 Symbols used
Warning: This symbol warns of a possible fault. Failure to observe the instructions given in this warning may result in the device and any facilities or systems connected to it developing a fault or even failing completely.
Attention: This symbol draws your attention to important information.
Note
1.4 Definition of terms and abbreviations

Term | Description
CDF | Cumulative Distribution Function
E/E/PES | Electrical/electronic/programmable electronic systems: term used to embrace all possible electrical equipment that may be used to carry out a safety function. Thus simple electrical devices and programmable logic controllers (PLCs) of all forms are included.
EUC | Equipment under control: equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities.
ESD | Emergency Shut-Down
ETA | Event Tree Analysis
FME(C)A | Failure Mode Effect (and Criticality) Analysis
FMEDA | Failure Mode Effect and Diagnostics Analysis
FIT | Failures in Time
FTA | Fault Tree Analysis
Hazardous event | Hazardous situation which results in harm
HAZOP | HAZard and OPerability study
HFT | Hardware Fault Tolerance
IEC/EN 61508 | Standard of functional safety of electrical/electronic/programmable electronic safety-related systems
IEC/EN 61511 | Standard of functional safety: safety instrumented systems for the process industry sector
LDM | Low Demand Mode – where the frequency of demands for operation made on a safety related system is no greater than one per year and no greater than twice the proof test frequency.
MooN | M out of N channels
MTBF | Mean Time Between Failures
MTTF | Mean Time To Failure
MTTR | Mean Time To Repair
PDF | Probability Density Function
PFD | Probability of Failure on Demand – mean failure probability in the demand case: the probability that a safety system will not execute its function when it is required to do so.
PFDavg | Average Probability of Failure on Demand
PFH | Probability of dangerous Failure per Hour
Risk | Combination of the probability of occurrence of harm and the severity of that harm. Calculated as the product of incident frequency and incident severity.
SFF | Safe Failure Fraction – proportion of non-dangerous failures: the ratio of the rate of safe faults plus the rate of diagnosed/recognized faults in relation to the total failure rate of the system.
SIF | Safety Instrumented Function
SIS | Safety Instrumented System – a SIS (safety system) comprises one or more safety functions; for each of these safety functions there is a SIL requirement.
SIL | Safety Integrity Level – one of four discrete stages in specifying the requirements for the safety integrity of the safety functions which are assigned to the E/E/PE safety-related system, in which Safety Integrity Level 4 represents the highest stage and Safety Integrity Level 1 represents the lowest stage of safety integrity.
SLC | Safety Life Cycle – covers all aspects of safety, including the initial conception, design, implementation, installation, commissioning, validation, maintenance and decommissioning of the risk-reducing measures.
Safety | The freedom from unacceptable risk of physical injury or of damage to the health of persons, either directly or indirectly, as a result of damage to property or the environment.
Safety function | Function to be implemented by an E/E/PE safety-related system, other technology safety-related system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event.
Tolerable risk | Risk which is accepted in a given context based upon the current values of society.
2 Safety life cycle
2.1 Safety life cycle concept
It is seldom, if ever, that an aspect of safety in any area of activity depends solely on one factor or on one piece of equipment.
Thus the safety standards concerned here, IEC/EN 61511 and IEC/EN 61508, identify an overall approach to the task of determining and applying safety within a process plant. This approach, including the concept of a safety life cycle (SLC), directs the user to consider all of the required phases of the life cycle. In order to claim compliance with the standard it ensures that all issues are taken into account and fully documented for assessment.
Essentially, the standards give the framework and direction for the application of the overall safety life cycle (SLC), covering all aspects of safety including conception, design, implementation, installation, commissioning, validation, maintenance and de-commissioning. The fact that "safety" and "life" are the key elements at the core of the standards should reinforce the purpose and scope of the documents.
For the process industries the standard IEC/EN 61511 provides relevant guidance for the user, including both hardware and software aspects of safety systems, as shown in Figure 2.1.
Please consider the close relationship between the standards IEC/EN 61511 and IEC/EN 61508.
To implement their strategies within these overall safety requirements the plant operators and designers of safety systems, following the directives of IEC/EN 61511 for example, utilise equipment developed and validated according to IEC/EN 61508 to achieve their safety instrumented systems (SIS).
Figure 2.1 Scope of IEC/EN 61508 and IEC/EN 61511 (diagram: the process sector safety system standard IEC/EN 61511 sits above process sector hardware and process sector software; the hardware branch covers developing new hardware devices, using proven-in-use hardware devices and developing embedded software, the software branch covers developing application software in full and limited variability languages; these activities are developed and assessed according to IEC/EN 61508)
The standard IEC/EN 61508 deals specifically with "functional safety of electrical/electronic/programmable electronic safety-related systems" and thus, for a manufacturer of process instrumentation interface equipment such as Pepperl+Fuchs, the task is to develop and validate devices following the demands of IEC/EN 61508 and to provide the relevant information to enable the use of these devices by others within their SIS.
The SLC, as shown in Figure 2.2, includes a series of steps and activities to be considered and implemented.
Figure 2.2 Phases of the safety life cycle (diagram of the overall safety life cycle: concept; overall scope definition; hazard and risk analysis; overall safety requirements; safety requirements allocation; overall planning, comprising overall operation and maintenance planning, overall safety validation planning and overall installation and commissioning planning; realisation of the safety-related systems (E/E/PES), of other technology safety-related systems and of external risk reduction facilities; overall installation and commissioning; overall safety validation; overall operation, maintenance and repair; overall modification and retrofit; decommissioning or disposal; with a return path back to the appropriate overall safety life cycle phase)
Within the SLC the various phases or steps may involve different personnel, groups, or even companies, to carry out the specific tasks. For example, the steps can be grouped together and the various responsibilities understood as identified below.
Analytical measures: The first five steps can be considered as an analytical group of activities:
1. Concept
2. Overall scope definition
3. Hazard and risk analysis
4. Overall safety requirements
5. Safety requirements allocation
– and would be carried out by the plant owner/end user, probably working together with specialist consultants. The resulting outputs of overall definitions and requirements are the inputs to the next stages of activity.
Implementation measures: The second group of implementation comprises the next eight steps:
6. Operation and maintenance planning
7. Validation planning
8. Installation and commissioning planning
9. Safety-related systems: E/E/PES implementation (further detailed in Figure 2.3)
10. Safety-related systems: other technology implementation
11. External risk reduction facilities implementation
12. Overall installation and commissioning
13. Overall safety validation
– and would be conducted by the end user together with chosen contractors and suppliers of equipment. It may be readily appreciated that, whilst each of these steps has a simple title, the work involved in carrying out the tasks can be complex and time-consuming!
Process operation: The third group is essentially one of operating the process with its effective safeguards and involves the final three steps:
14. Overall operation and maintenance
15. Overall modification and retrofit
16. De-commissioning
– these normally being carried out by the plant end-user and his contractors.
Within the overall safety life cycle, we are particularly interested here in considering step 9 in greater detail, which deals with the aspects of any electrical/electronic/programmable electronic systems (E/E/PES).
To return to the standards involved for a moment: following the directives given in IEC/EN 61511 and implementing the steps in the SLC, when the safety assessments are carried out and E/E/PES are used to carry out safety functions, IEC/EN 61508 then identifies the aspects which need to be addressed.
More details of the safety life cycle for an E/E/PES are shown in the following diagram. It can be seen that even at this overview level the integrity as well as the function of the safety systems are included in the specification. We will return to this issue later in the discussion.
Figure 2.3 Safety life cycle of an E/E/PE system (diagram, IEC/EN 61508 part 1, detailing box 9 in Figure 2.2: E/E/PES safety requirements specification, split into safety function requirements specification and safety integrity requirements specification; E/E/PES safety validation planning; E/E/PES design and development; E/E/PES integration; E/E/PES operation and maintenance procedures; E/E/PES safety validation; exits to box 12 and box 14 in Figure 2.2; one E/E/PES safety life cycle for each E/E/PE safety-related system)
There are essentially two groups, or types, of subsystems that are considered within the standard:
• the equipment under control (EUC) carries out the required manufacturing or process activity,
• the control and protection systems implement the safety functions necessary to ensure that the EUC is suitably safe.
Fundamentally, the goal here is the achievement or maintenance of a safe state for the EUC.
You can think of the "control system" causing a desired EUC operation and the "protection system" responding to undesired EUC operation.
Note that, dependent upon the risk-reduction strategies implemented, it may be that some control functions are designated as safety functions.
In other words, do not assume that all safety functions are to be performed by a separate protection system. (If you find it difficult to conceive exactly what is meant by the IEC/EN 61508 reference to EUC, it may be helpful to think in terms of "process", which is the term used in IEC/EN 61511.)
When any possible hazards are analysed and the risks arising from the EUC and its control system cannot be tolerated (see section 2.2), then a way of reducing the risks to tolerable levels must be found.
Perhaps in some cases the EUC or control system can be modified to achieve the requisite risk-reduction, but in other cases protection systems will be needed. These protection systems are designated safety-related systems, whose specific purpose is to mitigate the effects of a hazardous event or to prevent that event from occurring.
2.2 Risks and their reduction
One phase of the SLC is the analysis of hazards and risks arising from the EUC and its control system. In the standards the concept of risk is defined as the probable rate of
• occurrence of a hazard (accident) causing harm and
• the degree of severity of harm.
So risk can be seen as the product of "incident frequency" and "incident severity". Often the consequences of an accident are implicit within the description of an accident, but if not they should be made explicit.
There is a wide range of methods applied to the analysis of hazards and risk around the world and an overview is provided in both IEC/EN 61511 and IEC/EN 61508. These methods include techniques such as
HAZOP | HAZard and OPerability study
FME(C)A | Failure Mode Effect (and Criticality) Analysis
FMEDA | Failure Mode Effect and Diagnostics Analysis
ETA | Event Tree Analysis
FTA | Fault Tree Analysis
and other study, checklist, graph and model methods.
Note: This step of clearly identifying hazards and analysing risk is one of the most difficult to carry out, particularly if the process being studied is new or innovative. When there is a history of plant operating data or industry-specific methods or guidelines, then the analysis may be readily structured, but is still complex.
Note: The standards embody the principle of balancing the risks associated with the EUC (i.e. the consequences and probability of hazardous events) by relevant dependable safety functions. This balance includes the aspect of tolerability of the risk. For example, the probable occurrence of a hazard whose consequence is negligible could be considered tolerable, whereas even the occasional occurrence of a catastrophe would be an intolerable risk.
If, in order to achieve the required level of safety, the risks of the EUC cannot be tolerated according to the criteria established, then safety functions must be implemented to reduce the risk.
Figure 2.4 Relation between residual risk and tolerable risk (diagram: residual risk, tolerable risk and EUC risk on a scale of growing risk; the necessary risk reduction and the actual risk reduction; risk minimisation achieved through all safety systems and organisational measures, with partial risk covered by E/E/PE safety systems and partial risk covered by external facilities)
The goal is to ensure that the residual risk – the probability of a hazardous event occurring even with the safety functions in place – is less than or equal to the tolerable risk.
The diagram shows this effectively, where the risk posed by the EUC is reduced to a tolerable level by a "necessary risk reduction" strategy. The reduction of risk can be achieved by a combination of items rather than depending upon only one safety system and can comprise organisational measures as well.
The effect of these risk reduction measures and systems must be to achieve an "actual risk reduction" that is greater than or equal to the necessary risk reduction.
3 Safety integrity level (SIL)
As we have seen, analysis of hazards and risks gives rise to the need to reduce the risk and within the SLC of the standards this is identified as the derivation of the safety requirements. There may be some overall methods and mechanisms described in the safety requirements but these requirements are then also broken down into specific safety functions to achieve a defined task.
In parallel with this allocation of the overall safety requirements to specific safety functions, a measure of the dependability or integrity of those safety functions is required:
What is the confidence that the safety function will perform when called upon?
This measure is the safety integrity level or SIL. More precisely, the safety integrity of a system can be defined as
"the probability (likelihood) of a safety-related system performing the required safety function under all the stated conditions within a stated period of time."
Thus the specification of the safety function includes both the actions to be taken in response to the existence of particular conditions and also the time for that response to take place. The SIL is a measure of the reliability of the safety function performing to specification.
3.1 Probability of failure
To categorise the safety integrity of a safety function the probability of failure is considered – in effect the inverse of the SIL definition, looking at failure to perform rather than success.
It is easier to identify and quantify possible conditions and causes leading to failure of a safety function than it is to guarantee the desired action of a safety function when called upon.
Two classes of SIL are identified, depending on the service provided by the safety function:
• For safety functions that are activated when required (on demand mode) the probability of failure to perform correctly is given, whilst
• for safety functions that are in place continuously the probability of a dangerous failure is expressed in terms of a given period of time (per hour) (continuous mode).
In summary, IEC/EN 61508 requires that when safety functions are to be performed by E/E/PES the safety integrity is specified in terms of a safety integrity level. The probabilities of failure are related to one of four safety integrity levels, as shown in Table 3.1.
Probability of failure

Safety integrity level (SIL) | Mode of operation – on demand (average probability of failure to perform its design function upon demand) | Mode of operation – continuous (probability of dangerous failure per hour)
4 | ≥ 10^-5 to < 10^-4 | ≥ 10^-9 to < 10^-8
3 | ≥ 10^-4 to < 10^-3 | ≥ 10^-8 to < 10^-7
2 | ≥ 10^-3 to < 10^-2 | ≥ 10^-7 to < 10^-6
1 | ≥ 10^-2 to < 10^-1 | ≥ 10^-6 to < 10^-5
Table 3.1 Probability of failure
Note: We have seen that protection functions, whether performed within the control system or by a separate protection system, are referred to as safety related systems. If, after analysis of possible hazards arising from the EUC and its control system, it is decided that there is no need to designate any safety functions, then one of the requirements of IEC/EN 61508 is that the dangerous failure rate of the EUC control system shall be below the levels given as SIL1. So, even when a process may be considered as benign, with no intolerable risks, the control system must be shown to have a dangerous failure rate below 10^-5 per hour.
3.2 The system structure
3.2.1 Safe failure fraction
The safe failure fraction (SFF) is the fraction of the total failures that are assessed as either safe or diagnosed/detected (see section 6.2.3).
When analysing the various failure states and failure modes of components they can be categorised and grouped according to their effect on the safety of the device.
Failure rate definition: thus we have the terms
λ_safe = failure rate of components leading to a safe state
λ_dangerous = failure rate of components leading to a potentially dangerous state
These terms are further categorised into "detected" or "undetected" to reflect the level of diagnostic ability within the device. For example:
λ_dd = dangerous detected failure rate
λ_du = dangerous undetected failure rate
The sum of all the component failure rates is expressed as
λ_total = λ_safe + λ_dangerous
and the SFF can be calculated as
SFF = 1 − λ_du / λ_total
3.2.2 Hardware fault tolerance
One further complication in associating the SFF with a SIL is that when considering hardware safety integrity two types of subsystems are defined. For type A subsystems it is considered that all possible failure modes can be determined for all elements, while for type B subsystems it is considered that it is not possible to completely determine the behaviour under fault conditions.
Subsystem type A (e.g. a field transmitter):
• failure mode of all components well defined, and
• behaviour of the subsystem under fault conditions can be completely determined, and
• sufficient dependable failure data from field experience show that the claimed rates of failure for detected and undetected dangerous failures are met.

Safe failure fraction (SFF) | HFT 0 | HFT 1 | HFT 2
< 60 % | SIL1 | SIL2 | SIL3
60 % … < 90 % | SIL2 | SIL3 | SIL4
90 % … < 99 % | SIL3 | SIL4 | SIL4
≥ 99 % | SIL3 | SIL4 | SIL4
Table 3.2 Hardware safety integrity: architectural constraints on type A safety-related subsystems (IEC/EN 61508-2)

Subsystem type B (e.g. a logic solver):
• the failure mode of at least one component is not well defined, or
• behaviour of the subsystem under fault conditions cannot be completely determined, or
• insufficient dependable failure data from field experience show that the claimed rates of failure for detected and undetected dangerous failures are met.

Safe failure fraction (SFF) | HFT 0 | HFT 1 | HFT 2
< 60 % | not allowed | SIL1 | SIL2
60 % … < 90 % | SIL1 | SIL2 | SIL3
90 % … < 99 % | SIL2 | SIL3 | SIL4
≥ 99 % | SIL3 | SIL4 | SIL4
Table 3.3 Hardware safety integrity: architectural constraints on type B safety-related subsystems (IEC/EN 61508-2)

Note: These definitions, in combination with the fault tolerance of the hardware, are part of the "architectural constraints" for the hardware safety integrity as shown in Table 3.2 and Table 3.3. Note that although mathematically a higher reliability might be calculated for a subsystem it is this "hardware safety integrity" that defines the maximum SIL that can be claimed.
In the tables above, a hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function. For example, if a subsystem has a hardware fault tolerance of 1 then 2 faults need to occur before the safety function is lost.
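The SFF formula of section 3.2.1 and the architectural-constraint lookup of Table 3.2 and Table 3.3, as an added Python example that is not part of this manual. The failure rates are constructed sample values in FIT for a hypothetical type A isolator; the `FailureRates` class and the function names are the example's own, not anything from the standard or from Pepperl+Fuchs.

```python
"""Safe failure fraction and architectural constraints (sections 3.2.1 and 3.2.2).

Added example, not from the manual.  Failure rates are in FIT
(failures per 10^9 hours); the sample values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Component failure rates split by effect (safe/dangerous) and by
    diagnostic coverage (detected/undetected), all in FIT."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    @property
    def safe(self) -> float:
        return self.safe_detected + self.safe_undetected

    @property
    def dangerous(self) -> float:
        return self.dangerous_detected + self.dangerous_undetected

    @property
    def total(self) -> float:
        # lambda_total = lambda_safe + lambda_dangerous
        return self.safe + self.dangerous


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = 1 - lambda_du / lambda_total: everything that is safe or
    detected counts as non-dangerous; only undetected dangerous failures hurt."""
    if r.total <= 0:
        raise ValueError("total failure rate must be positive")
    return 1.0 - r.dangerous_undetected / r.total


# Rows: SFF bands [< 60 %, 60..< 90 %, 90..< 99 %, >= 99 %]; columns: HFT 0, 1, 2.
# Values are the maximum claimable SIL from Table 3.2 (type A) and Table 3.3
# (type B); 0 encodes "not allowed".
_TYPE_A = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]
_TYPE_B = [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]


def sff_band(sff: float) -> int:
    """Index of the SFF row in the architectural-constraint tables."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def max_sil_architectural(sff: float, hft: int, subsystem_type: str) -> int:
    """Maximum SIL allowed by the architectural constraints (0 = not allowed).

    hft is the hardware fault tolerance: hft + 1 faults lose the function."""
    if hft not in (0, 1, 2):
        raise ValueError("tables cover HFT 0, 1 and 2 only")
    table = {"A": _TYPE_A, "B": _TYPE_B}[subsystem_type.upper()]
    return table[sff_band(sff)][hft]


# Constructed sample: a hypothetical type A isolator whose FMEDA gave these rates.
SAMPLE_ISOLATOR = FailureRates(safe_detected=120.0, safe_undetected=30.0,
                               dangerous_detected=40.0, dangerous_undetected=10.0)

if __name__ == "__main__":
    sff = safe_failure_fraction(SAMPLE_ISOLATOR)
    print(f"SFF = {sff:.1%}")
    for hft in (0, 1, 2):
        print(f"HFT {hft}: type A max SIL {max_sil_architectural(sff, hft, 'A')}, "
              f"type B max SIL {max_sil_architectural(sff, hft, 'B')}")
```

With the constructed rates the SFF is 95 %, which lands in the 90 % to 99 % band: a single-channel (HFT 0) type A subsystem may claim at most SIL3, while the same rates on a type B subsystem would be limited to SIL2 and would need HFT 1 to reach SIL3, which is the point of the note above that the architectural constraint, not the calculated reliability, caps the claimable SIL.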
3.2.3 Connecting risk and safety integrity level
Already we have briefly met the concepts of risk, the need to reduce these risks by safety functions and the requirement for integrity of these safety functions.
One of the problems faced by process owners and users is how to associate the relevant safety integrity level with the safety function that is being applied to balance a particular risk. The risk graph shown in Figure 3.1, based upon IEC/EN 61508, is a way of achieving the linkage between the risk parameters and the SIL for the safety function.
Figure 3.1 Risk graph (diagram of the risk parameters: consequence (severity), from minor injury or damage through serious injury or death up to catastrophic; frequency of exposure, from rare to frequent; possibility of avoidance, possible or not possible; probability of occurrence W1, W2, W3; the path through these parameters leads to the required SIL for the safety function)
For example, with the particular process being studied, the low or rare probability of minor injury is considered a tolerable risk, whilst if it is highly probable that there is frequent risk of serious injury then the safety function to reduce that risk would require an integrity level of three.
There are two further concepts related to the safety functions and safety systems that need to be explained before considering an example. These are the safe failure fraction and the probability of failure.
4 Probability of failure
4.1 Overview
An important consideration for any safety related system or equipment is the level of certainty that the required safe response or action will take place when it is needed. This is normally determined as the likelihood that the safety loop will fail to act as and when it is required to and is expressed as a probability.
The standards apply both to safety systems operating on demand, such as an emergency shut-down (ESD) system, and to systems operating "continuously" or in high demand, such as the process control system. For a safety loop operating in the demand mode of operation the relevant factor is the PFDavg, which is the average probability of failure on demand. For a continuous or high demand mode of operation the probability of a dangerous failure per hour (PFH) is considered rather than PFDavg.
Obviously the aspect of risk that was discussed earlier and the probability of failure on demand of a safety function are closely related.
Using the definitions
F_np = frequency of accident/event in the absence of protection functions
F_t = tolerable frequency of accident/event
then the risk reduction factor (RRF) is defined as
RRF = F_np / F_t
whereas PFDavg is the inverse:
PFDavg = F_t / F_np
Since the concepts are closely linked, similar methods and tools are used to evaluate risk and to assess the PFDavg.
Particular tools used are FMEDA and Markov models. Failure modes and effects analysis (FMEA) is a way to document the system being considered using a systematic approach to identify and evaluate the effects of component failures and to determine what could reduce or eliminate the chance of failure. An FMEDA extends the FMEA techniques to include on-line diagnostic techniques and identify failure modes relevant to safety instrumented system design.
Once the possible failures and their consequences have been evaluated, the various operational states of the subsystem can be associated using the Markov models, for example. One other factor that needs to be applied to the calculation is that of the interval between tests, which is known as the "proof time" or the "proof test interval". This is a variable that may depend not only upon the practical implementation of testing and maintenance within the system, subsystem or component concerned, but also upon the desired end result. By varying the proof time within the model it can result that the subsystem or safety loop may be suitable for use with a different SIL. Practical and operational considerations are often the guide.
Note also that "low demand mode" is defined as one where the frequency of demands for operation made on a safety related system is no greater than one per year and no greater than twice the proof test frequency.
Attention: In the related area of application that most readers may be familiar with one can consider the fire alarm system in a commercial premises. Here, the legal or insurance driven need to frequently test the system must be balanced with the practicality and cost to organise the tests. Maybe the insurance premiums would be lower if the system were to be tested more frequently but the cost and disruption to organise and implement them may not be worth it.
With all the factors taken into consideration the PFDavg can be calculated. Once the
PFDavg for each component part of the system has been calculated, the PFDavg of
the whole system is simply the sum of the component PFDavg values; see also
section 6.2.2 in part 2. To satisfy the requirements of a particular SIL both the
PFDavg and the SFF figures have to meet the specific limits.
Safety loop example
Let us summarise these points in a simple example from the processing industry.
The IEC/EN 61508 standard states that a safety integrity level can be properly
associated only with a specific safety function — as implemented by the related
safety loop — and not with a stand-alone instrument or piece of equipment.
In our context, this means that — strictly speaking — it is only possible to state
compliance with the requirements of a specific SIL after having analysed the
whole safety loop.
It is however possible — and sensible — to analyse a single building block of a typical
safety loop and to provide evidence that this can be used to finally obtain a SIL-
rated safety loop. Since all the elements of a safety loop are interdependent in
achieving the goal, it is relevant to check that each piece is suitable for the purpose.
For our example we will consider a single electronic isolator component.
Within the context of this example, the safety loop is a control system intended to
implement a safety function. In Figure 4.1 a typical safety loop is shown,
including intrinsically safe signal input and output isolators for explosion protection,
and let us assume that the safety integrity level required has been determined as
SIL2. This is for reference only, and doesn't imply that a full safety loop assessment
has been performed.
Figure 4.1 Safety instrumented system, example (extent of the risk reduction equipment)
You can identify in Figure 4.1 the various elements of the process loop:
• Input sensor,
• Input line/input isolator block,
• Logic system (logic solver, required to trigger the safety function),
• Output line/output isolator block (safe out) and finally
• Control valve (required to implement the safety function)
Considering that the typical safety loop as shown is made of many serially
connected blocks, all of which are required to implement the safety function, the
available PFD budget (< 10^-2 for SIL2) has to be shared among all the relevant
blocks.
For example, a reasonable, rather conservative, goal is to assign to the isolator no
more than around 10 % of the available PFD budget, resulting in a PFD limit - at the
isolator level - of around 10^-3, that is to say, 0.1 %. It should be clear, however, that
this figure is only a reasonable guess, and doesn't imply that there is no need to
evaluate the PFD at the safety loop level or that the isolator contribution can be
neglected.
Figure 4.2 Verification of the safety instrumented system: failure distribution in the
control circuit, $PFD = PFD_1 + PFD_2 + PFD_3 + PFD_4 + PFD_5$ (sensor system and
signal path, safety PLC, actuator and signal path)
* Numerical values depend on the application
The PFD value for the complete safety device is calculated from the values of the
individual components. Since sensors and actuators are installed in the field, these
are exposed to chemical and physical loading (process medium, pressure,
temperature, vibration, etc.). Accordingly, the risk of faults is high for these
components. For this reason 25 % of the overall PFD is assigned to the sensors
and 40 % to the actuators. Thus 15 % remains for the fault tolerant control system
and 10 % each for the interface modules (the interface modules and control system
have no contact with the process medium and are housed in the protected control
room).
FMEA assessment
In this example, to demonstrate that the relevant isolators are suitable to be used
within a SIL2 safety loop, a comprehensive FMEA analysis was carried out. The
FMEA covered 100 % of the components and took into account, for each
component, the different applicable failure modes including, when required, also
intermittent and "derating" failures. This is the recommended procedure, according
to IEC/EN 61508, with respect to other non-quantitative or semi-quantitative
approaches.
As a result of the FMEA, the PFDavg can be calculated for each of the relevant
isolators and is shown to be less than 10^-3, thus enabling their possible use within
this specific application.
Pepperl+Fuchs contract the specialist organisation EXIDA to carry out these
assessments for their products.
1. IEC/EN 61508 considers the total instrumentation loop. Much like "a chain is only
as strong as its weakest link" so, too, all the elements in the instrumentation loop
play their part. Duplication of a particular block function may need to be applied
to achieve the objectives.
2. Don't neglect any steps in assessing the life cycle. The instrumentation elements
identified within this document are just one part of an SIS.
3. Unless specifically stated, it is not permitted to use more than one channel of a
multi-channel interface device in the same safety loop. The remaining channels
of the device can however be used in other independent safety loops.
4. It is false to assume that all safety functions are to be implemented in a separate
protection system - some safety functions may be included in the control system.
5. To prove their satisfactory operation, safety functions may need to be exercised
and the frequency of conducting these tests is a factor in calculating the
probability of failure on demand. Thus different PFDavg values for components
such as our isolators are calculated for relevant intervals between tests, for
example T_proof of 1 year, 5 years and 10 years.
5 Summary of the first part of the SIL manual
1. The concept of the safety life cycle introduces a structured statement for risk
analysis, for the implementation of safety systems and for the operation of a safe
process.
2. If safety systems are employed in order to reduce risks to a tolerable level, then
these safety systems must exhibit a specified safety integrity level.
3. The calculation of the safety integrity level for a safety system embraces the
factors "safe failure fraction" and "failure probability of the safety function".
6 Verification of the safety integrity level of a safety instrumented
function
This short introduction covers only the technical aspects related to the
implementation of a safety related function according to the requirements of the
IEC/EN 61508/61511. See also part 1.
6.1 What is SIL?
6.1.1 Basics
SIL means safety integrity level according to IEC/EN 61508 and describes the
integrity of a safety related function. Management and technical measures are
necessary to achieve a given integrity. A SIL is attributed to a safety function, which
includes different function blocks describing systems (such as sensors, logic
systems (logic solvers) and actuators).
A safety instrumented system (SIS) consists of one or more safety related functions,
each of which has a SIL requirement. A component, subsystem and system do not
have SILs in their own right.
Systems have a "SIL limitation effect". For example the following function (Figure 6.1)
can only claim SIL2 because of the limitation of the sensor system:
• Sensor system: max. SIL2
• Logic system (logic solver): max. SIL3
• Output element: max. SIL3
Figure 6.1 System structure: input subsystem (sensor and input module, max. SIL2),
logic solver (max. SIL3) and output subsystem (output isolator and actuating element,
max. SIL3)
Within a system, components or subsystems can be combined (in parallel for
example) in order to modify the SIL limitation.
Figure 6.2 Example configuration for redundant sensor channels: two input
subsystems (sensor and input module, each max. SIL2) in parallel, logic solver
(max. SIL3) and output subsystem (max. SIL3); SIL limitation now max. SIL3
6.1.2 Management requirements
Studies have found that the most important factor in the occurrence of accidents is
management commitment to safety and the basic safety culture in the organisation
or industry. For that reason, the relevant standards (IEC/EN 61508 or
IEC/EN 61511 in the process sector) describe a lifecycle of the safety related
function and its components and require also the implementation of management
measures.
6.1.3 How to achieve the selected safety integrity level?
A SIL assessed product presents some specific parameters. The SIL limitation
created by this product is directly affected by these parameters:
• Hardware fault tolerance
• Safe failure fraction
• Architectural constraints (see section 6.4)
• Probability of failure on demand
  – PFD (probability of failure on demand): low demand mode
  – PFH (probability of dangerous failure per hour): continuous mode
• Maintenance intervals.
All of these parameters are numerical values, which have to be combined with the
corresponding values of the other components of the safety related function and
then checked against the values of the target SIL in the relevant standard
(IEC/EN 61508 or IEC/EN 61511).
In order to combine or verify different systems or subsystems, it is necessary to
know how the different parameters are acting together.
6.2 Example input subsystem with 2 components
Figure 6.3 Input subsystem: sensor and isolated amplifier (sensor - isolated amplifier subsystem)
6.2.1 Failure mode and effect analysis (IEC/EN 61508, part 2)
The different failure rates of the subsystem were calculated using FMEDA. Then the
values of PFDavg and safe failure fraction (SFF) were calculated and are stated in
the manufacturer's documentation.
In our example
Sensor component: NAMUR proximity switch NJ2-12GM-N (SJ2-N*)
T_proof  | PFDavg        | SFF    | failure rates
1 year   | 3.02 × 10^-5  | > 76 % | λ_total = 2.90 × 10^-8 1/h
2 years  | 6.05 × 10^-5  | > 76 % | λ_safe = 1.77 × 10^-8 1/h
5 years  | 1.51 × 10^-4  | > 76 % | λ_dangerous = 6.91 × 10^-9 1/h
         |               |        | λ_don't care = 4.42 × 10^-9 1/h
Isolated amplifier component: isolated switching amplifier KFD2-SOT2-Ex1.N
T_proof  | PFDavg        | SFF    | failure rates
1 year   | 9.21 × 10^-5  | > 89 % | λ_total = 2.07 × 10^-7 1/h
2 years  | 1.84 × 10^-4  | > 89 % | λ_safe = 7.83 × 10^-8 1/h
5 years  | 4.60 × 10^-4  | > 89 % | λ_dangerous = 2.10 × 10^-8 1/h
         |               |        | λ_no effect = 1.08 × 10^-7 1/h
6.2.2 Average probability of failure on demand (PFDavg) of the input subsystem
(IEC/EN 61508, part 2 and part 6, annex B)
Failure rate λ_D is the dangerous (detected and undetected) failure rate of a channel
in a subsystem. For the PFD calculation (low demand mode) it is stated as failures
per year.
Target failure measure PFDavg is the average probability of failure on demand of a
safety function or subsystem. It is time dependent: it is a function of the failure
rate λ and the time t between proof tests.
That means that you cannot find out the maximum SIL of your (sub)system if you
do not know whether a test procedure is implemented by the user and what the test
intervals are!
The maximum SIL according to the failure probability requirements is then read out
from table 3 of IEC/EN 61508 part 1 (low demand mode):
Safety integrity level (SIL) | Low demand mode of operation
                             | (average probability of failure to perform its design function on demand)
4                            | ≥ 10^-5 to < 10^-4
3                            | ≥ 10^-4 to < 10^-3
2                            | ≥ 10^-3 to < 10^-2
1                            | ≥ 10^-2 to < 10^-1
Table 6.1 Safety integrity level: target failure measures for a safety function in the low demand mode
of operation
These values are required for the whole safety function, usually including different
systems or subsystems. The average probability of failure on demand of a safety
function is determined by calculating and combining the average probability of
failure on demand for all the subsystems which together provide the safety
function.
If the probabilities are small, this can be expressed by the following:
$PFD_{sys} = PFD_S + PFD_L + PFD_{FE}$
where
$PFD_{sys}$ is the average probability of failure on demand of
a safety function of a safety-related system;
$PFD_S$ is the average probability of failure on demand for the
sensor subsystem;
$PFD_L$ is the average probability of failure on demand for the
logic subsystem; and
$PFD_{FE}$ is the average probability of failure on demand for the
final element subsystem.
This means that a subsystem or component cannot claim the whole PFD value for
a given SIL. Usually, isolators have a PFD which claims 10 % of the total PFD
value of the required SIL.
In our example: $PFD_{subsys} = PFD_S + PFD_I$
where
$PFD_{subsys}$ is the average probability of failure on demand for
the input subsystem;
$PFD_S$ is the average probability of failure on demand for
the sensor;
$PFD_I$ is the average probability of failure on demand for
the isolated amplifier.
The maximum SIL limit of the input subsystem, according to the target failure
measure for low demand mode (PFD_subsys less than 10 % of PFD_max), will be:
T_proof  | PFD_subsys    | SIL
1 year   | 1.22 × 10^-4  | 2
2 years  | 2.45 × 10^-4  | 2
5 years  | 6.11 × 10^-4  | 2
6.2.3 Safe failure fraction (SFF) (IEC/EN 61508, part 2, annex C)
Fraction of the failure rate which does not have the potential to put the safety
related system in a hazardous state.
$SFF = \dfrac{\sum\lambda_S + \sum\lambda_{DD}}{\sum\lambda_S + \sum\lambda_D} = 1 - \dfrac{\sum\lambda_{DU}}{\sum\lambda_S + \sum\lambda_D}$
where $\sum\lambda_S = \sum\lambda_{SD} + \sum\lambda_{SU}$ and $\sum\lambda_D = \sum\lambda_{DD} + \sum\lambda_{DU}$
Dangerous detected failures are also considered as safe.
Figure 6.4 Safe failure fraction (SFF): the failure rate λ split into safe detected, safe
undetected, dangerous detected and dangerous undetected failures
In our example $SFF = \dfrac{(1.77 + 0.442 + 7.83 + 10.8) \times 10^{-8}}{(1.77 + 0.442 + 7.83 + 10.8 + 0.691 + 2.10) \times 10^{-8}}$
SFF of the input subsystem > 88 %
6.3 Hardware fault tolerance (IEC/EN 61508, part 2)
This is the ability of a functional unit to perform a required function in the presence
of faults. A hardware fault tolerance of N means that N+1 faults could cause a loss
of the safety function.
A one-channel system will not be able to perform its function if it is defective! A two-
channel architecture consists of two channels connected in parallel, such that either
channel can process the safety function. Thus there would have to be a dangerous
failure in both channels before a safety function failed on demand.
In our example: the input subsystem has one channel; the
hardware fault tolerance of the input subsystem = 0.
6.4 SIL limitation due to architectural constraints
(IEC/EN 61508, part 2)
The combination of safe failure fraction and hardware fault tolerance determines the
maximum SIL of our device.
The standard distinguishes between two types of subsystems:
A subsystem can be regarded as type A if, for the components required to achieve
the safety function,
• the failure modes of all constituent components are well defined; and
• the behaviour of the subsystem under fault conditions can be completely
determined; and
• there is sufficient dependable failure data from field experience to show
that the claimed rates of failure for detected and undetected dangerous failures are
met.
Safe failure fraction (SFF) | Hardware fault tolerance (HFT)
                            | 0    | 1    | 2
< 60 %                      | SIL1 | SIL2 | SIL3
60 % ... 90 %               | SIL2 | SIL3 | SIL4
90 % ... 99 %               | SIL3 | SIL4 | SIL4
> 99 %                      | SIL3 | SIL4 | SIL4
Table 6.2 Safety integrity of the hardware: architectural constraints on type A safety-related
subsystems (IEC/EN 61508, part 2)
A subsystem shall be regarded as type B if, for the components required to achieve
the safety function,
• the failure mode of at least one constituent component is not well defined; or
• the behaviour of the subsystem under fault conditions cannot be completely
determined; or
• there is insufficient dependable failure data from field experience to support
claims for rates of failure for detected and undetected dangerous failures.
Simplifying, one can say that as long as programmable or highly integrated
electronic components are used, a subsystem must be considered as type B.
Safe failure fraction (SFF) | Hardware fault tolerance (HFT)
                            | 0           | 1    | 2
< 60 %                      | not allowed | SIL1 | SIL2
60 % ... 90 %               | SIL1        | SIL2 | SIL3
90 % ... 99 %               | SIL2        | SIL3 | SIL4
> 99 %                      | SIL3        | SIL4 | SIL4
Table 6.3 Safety integrity of the hardware: architectural constraints on type B safety-related
subsystems (IEC/EN 61508, part 2)
In our example: both components of the subsystem are type A with a SFF of max. 88 % and a
hardware fault tolerance of 0. The subsystem achieves the requirements for
maximum SIL2.
Results of our example assessment (PFD_subsys less than 10 % of PFD_max):
T_proof  | PFD   | Architectural constraints | SIL of the subsystem
1 year   | SIL2  | SIL2                      | SIL2
2 years  | SIL2  | SIL2                      | SIL2
5 years  | SIL2  | SIL2                      | SIL2
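As an added worked example (not from the manual or from Pepperl+Fuchs), the following Python script carries the assessment of sections 6.2.2 to 6.4 through in code for the sensor/isolated amplifier input subsystem: it sums the tabulated PFDavg values of the two components, applies the 10 % budget rule against the low demand bands of table 6.1, computes the SFF from the FMEDA failure rates, and reads the architectural constraint for a type A subsystem with HFT 0 from table 6.2. The SIL of the subsystem is the lower of the two results. Function and variable names are the example's own; the figures are the ones tabulated in this section (the "no effect"/"don't care" rates are treated as safe, as the manual does in its SFF calculation), and the assessment function is general enough to be reused for type B subsystems and other HFT values.

```python
# Added example (not from the Pepperl+Fuchs manual): SIL assessment of the
# sensor + isolated-amplifier input subsystem of sections 6.2 to 6.4.
# Failure rates and PFDavg values are the ones tabulated in the manual; the
# SIL tables are IEC/EN 61508-1 (low demand, table 6.1) and IEC/EN 61508-2
# (architectural constraints, tables 6.2 and 6.3) as reproduced in the manual.

from dataclasses import dataclass

# Upper PFDavg limit of each SIL band in low demand mode (table 6.1).
PFD_UPPER_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

# Architectural constraints: subsystem type -> per SFF band, max SIL for HFT 0, 1, 2.
# SFF bands: 0: < 60 %, 1: 60 % to < 90 %, 2: 90 % to < 99 %, 3: >= 99 %.
ARCH_CONSTRAINTS = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],   # table 6.2
    "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],   # table 6.3, 0 = not allowed
}


@dataclass(frozen=True)
class FailureRates:
    """Failure rates of one component in 1/h, as an FMEDA reports them."""
    safe: float             # lambda_S (safe detected + safe undetected)
    dangerous_det: float    # lambda_DD
    dangerous_undet: float  # lambda_DU
    no_effect: float = 0.0  # "no effect"/"don't care" failures, counted as safe here


def safe_failure_fraction(components):
    """SFF = (sum lambda_S + sum lambda_DD) / (sum lambda_S + sum lambda_D) over
    all components of the subsystem (IEC/EN 61508-2 annex C). Dangerous detected
    failures count as safe; 'no effect' failures are treated as safe as well."""
    safe = sum(c.safe + c.no_effect + c.dangerous_det for c in components)
    total = safe + sum(c.dangerous_undet for c in components)
    return safe / total


def sff_band(sff):
    """Row index of the SFF in tables 6.2/6.3."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def sil_from_architecture(subsystem_type, sff, hft):
    """Maximum SIL allowed by the architectural constraints; 0 means not allowed."""
    return ARCH_CONSTRAINTS[subsystem_type][sff_band(sff)][min(hft, 2)]


def sil_from_pfd(pfd, budget_fraction=1.0):
    """Highest SIL whose PFDavg band the value satisfies; 0 if none.
    budget_fraction < 1 applies the manual's rule that a single subsystem may
    only claim that fraction (here 10 %) of the SIL's PFD limit."""
    for sil in (4, 3, 2, 1):
        if pfd < PFD_UPPER_LIMIT[sil] * budget_fraction:
            return sil
    return 0


def assess_subsystem(pfds, components, subsystem_type, hft, budget_fraction=0.1):
    """Combine the PFD requirement with the architectural constraint; the
    subsystem SIL is the lower of the two. pfds: PFDavg of each component
    (series elements, so they simply add while they are small)."""
    pfd_sub = sum(pfds)
    sil_pfd = sil_from_pfd(pfd_sub, budget_fraction)
    sil_arch = sil_from_architecture(subsystem_type, safe_failure_fraction(components), hft)
    return pfd_sub, sil_pfd, sil_arch, min(sil_pfd, sil_arch)


# Values from the manual's example (section 6.2.1).
SENSOR = FailureRates(safe=1.77e-8, dangerous_det=0.0, dangerous_undet=6.91e-9, no_effect=4.42e-9)
ISOLATOR = FailureRates(safe=7.83e-8, dangerous_det=0.0, dangerous_undet=2.10e-8, no_effect=1.08e-7)
PFD_SENSOR = {1: 3.02e-5, 2: 6.05e-5, 5: 1.51e-4}     # proof test interval in years -> PFDavg
PFD_ISOLATOR = {1: 9.21e-5, 2: 1.84e-4, 5: 4.60e-4}

if __name__ == "__main__":
    print(f"SFF of the input subsystem = {safe_failure_fraction([SENSOR, ISOLATOR]):.1%}")
    for years in (1, 2, 5):
        pfd, s_pfd, s_arch, sil = assess_subsystem(
            [PFD_SENSOR[years], PFD_ISOLATOR[years]], [SENSOR, ISOLATOR], "A", hft=0)
        print(f"T_proof = {years} y: PFD = {pfd:.2e}, SIL(PFD) = {s_pfd}, "
              f"SIL(arch) = {s_arch} -> SIL{sil}")
```

Running the script reproduces the three SIL2 rows of the results table above; dropping the `budget_fraction` to 1.0 shows that the PFD alone would allow SIL3 while the type A/HFT 0 architectural constraint still caps the subsystem at SIL2.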
7 Other structures
7.1 MooN system (IEC/EN 61508, part 6)
Safety system, or part thereof, made up of N independent channels, which are so
connected that M channel(s) is (are) sufficient to perform the safety function (M out
of N). The architecture of the following example is called 1oo2 (one out of two).
Figure 7.1 Configuration for two sensor subsystems, 1oo2 structure (two parallel
channels, each consisting of sensor and input module)
7.2 Two sensor subsystems from our example configured as a two channel input
subsystem
The calculations use simplified formulae (for example, the time to repair is not
considered here) and may not be suitable for your application.
See IEC/EN 61508, part 6 for more information.
Figure 7.2 Example redundant input subsystem (input subsystem 1 and input
subsystem 2 connected as a 1oo2 structure)
The two outputs of the isolated switching amplifier are connected in series.
SIL assessment of the redundant input subsystem consisting of NJ2-12GM-N and
KFD2-SOT2-Ex1.N.
PFD_channel (see section 6.2.2)
T_proof  | PFD_channel
1 year   | 1.22 × 10^-4
2 years  | 2.45 × 10^-4
5 years  | 6.11 × 10^-4
PFD of the redundant input subsystem
$PFD_{sys} = \frac{4}{3} \times PFD_{channel}^2$
T_proof  | PFD_sys
1 year   | 1.98 × 10^-8
2 years  | 8.00 × 10^-8
5 years  | 4.98 × 10^-7
SFF of the new redundant input subsystem
Both channels are identical, so the safe failure fraction does not change.
SFF of the new redundant input subsystem > 88 %
Hardware fault tolerance
The new input subsystem is now redundant (1oo2).
Hardware fault tolerance = 1
Results of the new redundant input subsystem SIL assessment (PFD_sys less than
10 % of PFD_max):
T_proof  | PFD_sys | Architectural constraints | SIL of the new redundant input subsystem
1 year   | SIL4    | SIL3                      | SIL3
2 years  | SIL4    | SIL3                      | SIL3
5 years  | SIL4    | SIL3                      | SIL3
The calculation does not take account of any faults due to common causes (see
section 7.3).
7.3 Common cause failures
Common cause failures must be taken into consideration in safety instrumented
systems. If, for example, both channels of a 1oo2 structure are powered by the
same power supply, the safety function will not be performed if a failure occurs in
this power supply. This "channel separation" is described by a parameter (β), which
is obtained by checking the quality of the channel diversity or separation with a table
in annex D of part 6 of IEC/EN 61508 (scoring system). Table 7.1 shows an extract
of this annex D table.
Item | Logic subsystem X_LS | Y_LS | Sensors and final elements X_SF | Y_SF
Separation/segregation
Are all signal cables for the channels routed separately at all positions? | 1.5 | 1.5 | 1.0 | 2.0
Are the logic subsystem channels on separate printed-circuit boards? | 3.0 | 1.0 | - | -
Are the logic subsystem channels in separate cabinets? | 2.5 | 0.5 | - | -
If the sensors/final elements have dedicated control electronics, is the electronics for each channel on separate printed-circuit boards? | - | - | 2.5 | 1.5
If the sensors/final elements have dedicated control electronics, is the electronics for each channel indoors and in separate cabinets? | - | - | 2.5 | 0.5
Diversity/redundancy
Do the channels employ different electrical technologies — for example, one electronic or programmable electronic and the other relay? | 7.0 | - | - | -
Do the channels employ different electronic technologies — for example, one electronic, the other programmable electronic? | 5.0 | - | - | -
Do the devices employ different physical principles for the sensing elements — for example, pressure and temperature, vane anemometer and Doppler transducer, etc? | - | - | 7.5 | -
Do the devices employ different electrical principles/designs — for example, digital and analogue, different manufacturer (not re-badged) or different technology? | - | - | 5.5 | -
Do the channels employ enhanced redundancy with MooN architecture, where N > M + 2? | 2.0 | 0.5 | 2.0 | 0.5
Do the channels employ enhanced redundancy with MooN architecture, where N = M + 2? | 1.0 | 0.5 | 1.0 | 0.5
Is low diversity used, for example hardware diagnostic tests using same technology? | 2.0 | 1.0 | - | -
Is medium diversity used, for example hardware diagnostic tests using different technology? | 3.0 | 1.5 | - | -
Were the channels designed by different designers with no communication between them during the design activities? | 1.0 | 1.0 | - | -
Are separate test methods and people used for each channel during commissioning? | 1.0 | 0.5 | 1.0 | 1.0
Is maintenance on each channel carried out by different people at different times? | 2.5 | - | 2.5 | -
Table 7.1 Scoring programmable electronics or sensors/final elements (extract)
The usual values are:
• Field devices together with their cabling: between 5 % and 10 %
• Safety PLC: 1 %
In our example: what is the influence of common cause failures (β)?
Figure 7.3 Assessment of the quality of the channel separation (reliability block diagram)
As a simplification, we consider a β factor of 5 %.
$PFD_{cc} = PFD_{red} + \beta \times PFD_{subsys}$
where
$PFD_{subsys}$ is the PFD of a single input subsystem and
$PFD_{red}$ is the PFD of the redundant input subsystem without the common cause
failures
$PFD_{cc}$ is the PFD of the redundant input subsystem with the common cause
failures
$PFD_{red} = \frac{4}{3} \times PFD_{subsys}^2$
$PFD_{cc} = \frac{4}{3} \times PFD_{subsys}^2 + \beta \times PFD_{subsys}$
T_proof  | PFD_subsys    | PFD_red       | PFD_cc
1 year   | 1.22 × 10^-4  | 1.98 × 10^-8  | 6.11 × 10^-6
2 years  | 2.45 × 10^-4  | 8.00 × 10^-8  | 1.23 × 10^-5
5 years  | 6.11 × 10^-4  | 4.98 × 10^-7  | 3.10 × 10^-5
Results of the new redundant input subsystem SIL assessment with common cause
failures (PFD_cc less than 10 % of PFD_max):
T_proof  | PFD_cc | Architectural constraints | SIL of the new redundant input subsystem
1 year   | SIL4   | SIL3                      | SIL3
2 years  | SIL3   | SIL3                      | SIL3
5 years  | SIL3   | SIL3                      | SIL3
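The 1oo2 calculation of sections 7.2 and 7.3, as an added Python example that is not part of the manual: it computes PFD_red = 4/3 × PFD_subsys² and PFD_cc = PFD_red + β × PFD_subsys for the three proof test intervals, looks up the resulting SIL with the 10 % budget rule of table 6.1, and additionally sweeps β from 0 % to 10 % to show how quickly the common cause term swamps the redundant term (at one year and β = 5 % it is roughly 300 times larger). Function names and the β sweep values are the example's own; the PFD_subsys values are those of section 6.2.2, and repair time is neglected as in the manual's simplified formulae.

```python
# Added example (not from the Pepperl+Fuchs manual): PFDavg of a 1oo2 input
# subsystem built from two identical channels, first without and then with
# common cause failures, using the simplified formulae of sections 7.2 and 7.3
# (repair time neglected). PFD_channel values are those tabulated in the manual.

PFD_UPPER_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}   # table 6.1, low demand


def pfd_1oo2(pfd_channel):
    """Redundant pair without common cause: PFD_red = 4/3 * PFD_channel**2."""
    return 4.0 / 3.0 * pfd_channel ** 2


def pfd_1oo2_cc(pfd_channel, beta):
    """The fraction beta of one channel's failures hits both channels at once and
    is therefore added in series: PFD_cc = 4/3 * PFD**2 + beta * PFD."""
    return pfd_1oo2(pfd_channel) + beta * pfd_channel


def sil_from_pfd(pfd, budget_fraction=0.1):
    """Highest SIL whose (10 %) PFD budget the value stays below; 0 if none."""
    for sil in (4, 3, 2, 1):
        if pfd < PFD_UPPER_LIMIT[sil] * budget_fraction:
            return sil
    return 0


def common_cause_dominance(pfd_channel, beta):
    """Ratio of the common cause term to the redundant term; > 1 means the
    quality of channel separation, not the redundancy, decides the result."""
    return (beta * pfd_channel) / pfd_1oo2(pfd_channel)


def sweep(pfd_channel_by_years, betas):
    """For every proof test interval and beta: (PFD_cc, SIL from PFD)."""
    results = {}
    for years, pfd in pfd_channel_by_years.items():
        for beta in betas:
            pfd_cc = pfd_1oo2_cc(pfd, beta)
            results[(years, beta)] = (pfd_cc, sil_from_pfd(pfd_cc))
    return results


# Single input subsystem (sensor + isolated amplifier) from section 6.2.2.
PFD_CHANNEL = {1: 1.22e-4, 2: 2.45e-4, 5: 6.11e-4}

if __name__ == "__main__":
    for years, pfd in PFD_CHANNEL.items():
        print(f"{years} y: channel {pfd:.2e}, 1oo2 {pfd_1oo2(pfd):.2e}, "
              f"1oo2 with beta = 5 % {pfd_1oo2_cc(pfd, 0.05):.2e}, "
              f"cc/redundant ratio {common_cause_dominance(pfd, 0.05):.0f}")
    for (years, beta), (pfd_cc, sil) in sorted(sweep(PFD_CHANNEL, (0.0, 0.01, 0.05, 0.10)).items()):
        print(f"T_proof = {years} y, beta = {beta:.0%}: PFD_cc = {pfd_cc:.2e} -> SIL{sil}")
```

The sweep shows the effect the manual describes at the end of this section: with β = 0 the redundant pair sits comfortably in the SIL4 band for every interval, while any realistic β for field devices (5 % to 10 %) pulls the two and five year intervals down to SIL3 from the PFD side alone, before the HFT 1 architectural constraint is even considered.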
‘These results show clearly the huge influence of the quality of the separation
between channels on the probability of dangerous
8 Proven in use (IEC/EN 61508, part 2)
A component or subsystem may be considered as proven in use when a
documented assessment has shown that there is appropriate evidence, based on
the previous use of the component, that the component is suitable for use in a
safety instrumented system.
The volume of operating experience shall be sufficient to support the claimed rates
of failure due to random hardware faults on a statistical basis. Only previous
operation where failures of the component have been effectively detected and
reported shall be taken into account in the analysis.
Further information can be found in EN 61511.
9 How to read a SIL product report?
SIL qualified products are useless if the required data for the overall safety function
SIL verification are not supplied. Usually the PFD and SFF are represented in the
form of tables and calculated for different proof intervals. The calculations are based
on a list of assumptions, which represent the common field of application of the
device (which may not correspond with yours). In this case, some of the calculations
are invalid and must be reviewed or other actions must be taken, such as safe shut-
down of the process.
Assumptions
• Failure rates are constant; mechanisms subject to "wear and tear" are not
included
• Propagation of failures is not relevant
• All component failure modes are known
• The repair time after a safe failure is 8 hours
• The average temperature over a long period of time is 40 °C
• The stress levels are average for an industrial environment
• All modules are operated at low demand
Table 9.1 Example of the report of a SMART transmitter isolator (T_proof = 2 years;
line 1: fail low (L), fail high (H); line 2: fail low (L) = dangerous, fail high (H) = dangerous)
Column failure categories
The PFD and SFF of this device depend on the overall safety function and its fault
reaction function. If, for example, a "fail low" failure will bring the system into a safe
state and the "fail high" failure will be detected by the logic solver input circuitry,
then these component faults are considered as safe and line 1 can be used.
If, on the other hand, a "fail low" failure will bring the system into a safe state and the
"fail high" failure will not be detected and could lead to a dangerous state of the
system, then this fault is a dangerous fault and the values of line 2 have to be used.
Column T_proof and SFF
Pepperl+Fuchs have limited the maximum PFD of an isolator to 10 % of the
maximum allowed value for a given SIL (in this case SIL2).
Green means a PFD part smaller than 10 % of the total value of SIL2.
Yellow means a PFD part greater than 10 % of the total value of SIL2.
The red values in the SFF column are not compatible with the architectural
constraints of the given SIL (in this case SIL2). A SFF < 60 % limits a system
with a hardware fault tolerance of 0 to SIL1.
10 Glossary/formulae
10.1 Failure rate λ(t)
The failure rate λ(t) indicates the magnitude of the relative number of failures during
a specified observation period. Therefore for an individual component the failure
rate λ is a direct indication of the failure probability during the above-mentioned
observation period. The following applies:
Formula 1: $\lambda(t) = \dfrac{\text{Number of failures during a specified observation period}}{\text{Number of observed components} \times \text{observation period}}$
Thus, together with the two following definitions it follows that:
Definitions:
Δt = observation period
n(t) = number of functioning components at the point in time t
Formula 2: $\lambda(t) = \dfrac{n(t) - n(t + \Delta t)}{n(t) \times \Delta t}$
The unit for the failure rate λ is 1/time. Here the failure rate of 10^-9 1/h is frequently
abbreviated with the letters FIT (Failures In Time).
Normally components and systems have an increased failure rate at the start of
their lives, which however quickly reduces (so-called early failures). After a short
period of operation the failure rate reaches a value which remains substantially
constant over a long period of time. As a rule, after a very long period of operation
an increase in the failure rate is observed, which is usually due to wear. Because of
this behaviour of the failure rate with time, reference is sometimes made to a
"bathtub curve".
Figure 10.1 Behaviour of the failure rate over a long period of time (failure rate in 1/h
against time in years; bathtub curve)
Example:
10,000 components are subjected to a test. Three components fail within one
week. Thus, for the failure rate:
$\lambda = \dfrac{10000 - 9997}{10000 \times 7 \times 24\ \text{h}} = \dfrac{3}{1680000\ \text{h}} = 1.8 \times 10^{-6}\ \text{1/h} \approx 1800\ \text{FIT}$
10.2 Constant failure rate
In order to simplify calculations, it is normally only the part of the bathtub curve in
which the failure rate is constant that is used. The usual argument for this is that
early failures need not be considered, since these will have already occurred before
or during commissioning (i.e. with the manufacturer or during commissioning).
Another consideration is that all calculated results which have been obtained
under the assumption of a constant failure rate are only applicable so long as no
wear has taken place. In the case of electronic equipment the usual assumption is
that under normal operating conditions signs of wear should not be observed for
between 8 to 12 years from new (EN 61508, part 2, chapter 7.4.7.4, remark 3).
Formula 3: $\lambda(t) = \text{constant} = \lambda$ for $t = 0 \ldots \approx 10$ years
10.3 Failure probability F(t)
Under the assumption that the failure rate λ(t) is constant ("bottom of the bathtub
curve"), the failure probability of a component can be easily determined. The
following applies:
Formula 4: $F(t) = 1 - e^{-\lambda t}$
Since in practice the exponent of the e-function is always significantly less than
1 ($\lambda t \ll 1$), equation (formula 4) can be further simplified. One then obtains for
the failure probability F(t) the simple expression:
Formula 5: $F(t) \approx \lambda \times t$
This approximation loses validity at large values of λ and/or long time intervals.
Example:
The failure rate of a sensor is λ = 30 FIT or λ = 30 × 10^-9 1/h.
The probability that the sensor could fail within its first year of operation can be
easily calculated from Formula 5 (1 year = 8760 h). One obtains:
$F(1\ \text{year}) = 30 \times 10^{-9}\ \text{h}^{-1} \times 8760\ \text{h} = 2.63 \times 10^{-4}$
10.4 Probability density function f(t)
The density function f(t) of the probability is given by the derivative of the distribution
function F(t). The expectation value of a variate can be calculated using the
probability density (here: expectation value of life MTTF, Mean Time To Failure).
The derivative with respect to time of Formula 4 is:
Formula 6: $f(t) = \lambda \times e^{-\lambda t}$
Figure 10.2 Failure probability F(t) and density function f(t) against time in years
It is recognized that at the start of the operating time (here, for example, up to
approx. 8 years) the failure probability increases approximately linearly with time.
10.5 Reliability function R(t)
The reliability function R(t) represents the probability that a component will
successfully carry out its function up to the point in time t.
Since the reliability function R(t) is the complementary parameter to the
failure probability F(t), it can be easily calculated, in that the failure probability F(t)
is subtracted from 1. One obtains:
Formula 7: $R(t) = 1 - F(t) = 1 - (1 - e^{-\lambda t}) = e^{-\lambda t}$
10.6 Mean life MTTF
The expected life can be calculated as follows from the density function of the
failure probability:
Formula 8: $MTTF = \int_0^{\infty} t \cdot f(t)\,dt = \int_0^{\infty} t \cdot \lambda \cdot e^{-\lambda t}\,dt = \dfrac{1}{\lambda}$
Alternatively, the mean life can also be calculated, as follows, using the reliability
function R(t):
Formula 9: $MTTF = \int_0^{\infty} R(t)\,dt = \int_0^{\infty} e^{-\lambda t}\,dt = \dfrac{1}{\lambda}$
The relationship MTTF = 1/λ only applies to systems free from wear. Since
electronic devices and components are subject to wear, it is in general not
permissible to designate the reciprocal of the (constant) failure rate λ as the MTTF.
10.7 Mean failure probability of the function in the demand case PFD (Probability of
Failure on Demand)
For safety functions which are only required in the case of a fault, the Probability of
Failure on Demand, PFD, is of interest. This probability of failure represents an
important criterion in the context of IEC/EN 61508 for the qualitative evaluation of a
safety function.
Fundamentally, the above-mentioned failure probability involves a time-dependent
parameter. That is to say, when the safety function is required, the probability of its
failure is more or less high. In order to obtain the simplest possible statement in
respect of the reliability of a safety function and in order to simplify the
corresponding calculations, in the context of IEC/EN 61508 the mentioned time
dependency is eliminated by the generation of mean values (PFDavg). Therefore,
when in the following "PFD" is mentioned, this always implies its mean value (strictly
speaking, the PFDavg).
Two different types of failure have to be considered in the calculation of the PFD.
On the one hand these are the dangerous unrecognized failures (failure rate λ_DU)
and on the other hand the dangerous recognized failures (failure rate λ_DD). The
latter therefore influence the PFD, since in the case of the occurrence of a failure of
this type the device involved must be repaired. During the repair time (Mean Time
To Repair, MTTR) the safety function is not available, so that in the demand case
this fails. However, if one assumes that a repair can be made within a few hours
(e.g. by replacing the defective device) and the failure rate λ_DD of the dangerous
recognized failure is not unusually high, then this risk can be neglected. The
calculation formulae for the PFD are simplified by this. For a single channel (1oo1),
which is regularly subjected to a complete examination in the time interval T_1, the
simplified formula for the PFD calculation is as follows:
Formula 10: $PFD_{1oo1} = \lambda_{DU} \times \dfrac{T_1}{2}$
10.8 PFD calculation for multi-channel MooN structures (M out of N)
In order to reduce the failure probability of a safety function, systems are often
redundantly constructed. In these cases the PFD of the redundant system can be
calculated from the failure rates of the individual channels. A special case is given in
respect of IEC/EN 61508, in that for a part of the possible failures it is assumed that
these have the same effect on all channels, and thus for this type of failure any
redundancy is ineffective. Account is taken of this circumstance in the PFD
calculation by the introduction of a factor (β). The factor β takes account of the
magnitude of the proportion of failures which has a simultaneous effect on all
channels. For example, if 3 % of the possible failures on a channel also have an
effect on the remaining channels, then β = 0.03.
The determination of the factor β takes place using a tabular evaluation system, in
which the device characteristics as well as the type of installation and the scope of
the quality management system play a part.
In the reliability block diagram the situation is then represented, in which the multi-
channel (redundant) structure is connected in series with a single-channel structure,
whose failure rate is equal to the "failure rate with common cause".
[Figure 10.3 Reliability block diagram: channel 1 (without common cause fault) and
channel 2 (without common cause fault) in parallel, connected in series with a single
block "common cause fault"]
If here again, as in the case of the above-mentioned single-channel structure, the
influence of the repair time is neglected, then one obtains the following simplified
formulae for the calculation of the PFD for various multi-channel structures (see
also VDI/VDE 2180):
Formula 11    $\mathrm{PFD}_{1oo1} = \lambda_{DU} \times \frac{T_1}{2}$
Formula 12    $\mathrm{PFD}_{2oo2} = \lambda_{DU} \times T_1 = 2 \times \mathrm{PFD}_{1oo1}$
Formula 13    $\mathrm{PFD}_{1oo2} = \frac{(\lambda_{DU} \times T_1)^2}{3} + \beta \times \lambda_{DU} \times \frac{T_1}{2} = \frac{4}{3} \times \mathrm{PFD}_{1oo1}^2 + \beta \times \mathrm{PFD}_{1oo1}$
Formula 14    $\mathrm{PFD}_{2oo3} = (\lambda_{DU} \times T_1)^2 + \beta \times \lambda_{DU} \times \frac{T_1}{2} = 4 \times \mathrm{PFD}_{1oo1}^2 + \beta \times \mathrm{PFD}_{1oo1}$
Formula 15    $\mathrm{PFD}_{1oo3} = \frac{(\lambda_{DU} \times T_1)^3}{4} + \beta \times \lambda_{DU} \times \frac{T_1}{2} = 2 \times \mathrm{PFD}_{1oo1}^3 + \beta \times \mathrm{PFD}_{1oo1}$
Formula 16    $\mathrm{PFD}_{2oo4} = (\lambda_{DU} \times T_1)^3 + \beta \times \lambda_{DU} \times \frac{T_1}{2} = 8 \times \mathrm{PFD}_{1oo1}^3 + \beta \times \mathrm{PFD}_{1oo1}$
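As an added example that is not part of the manual, the following Python code implements Formulas 10 to 16 for one set of channel parameters and classifies each result into the low-demand SIL bands of IEC/EN 61508 (SIL 1: 10^-2 ≤ PFD < 10^-1, down to SIL 4: 10^-5 ≤ PFD < 10^-4). The sample values λ_DU = 10^-6 1/h, T_1 = 8760 h and β = 0.03 are constructed for illustration; the guard that rejects a large product λ_DU × T_1 is an addition made here, since the simplified formulae are first-order approximations that need λ_DU × T_1 to be small.

```python
# Low-demand SIL bands of IEC/EN 61508 as (SIL, lower PFD limit, upper PFD limit),
# highest SIL first.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))

ARCHITECTURES = ("1oo1", "2oo2", "1oo2", "2oo3", "1oo3", "2oo4")


def pfd_1oo1(lambda_du: float, t1: float) -> float:
    """Formula 10/11: single channel, proof test interval T_1, repair time neglected."""
    return lambda_du * t1 / 2.0


def pfd_moon(arch: str, lambda_du: float, t1: float, beta: float = 0.0,
             max_lambda_t: float = 0.1) -> float:
    """Simplified PFD of a MooN structure (Formulas 11 to 16), repair time
    neglected, common cause failures weighted with the factor beta.
    lambda_du : dangerous undetected failure rate per channel (1/h)
    t1        : proof test interval T_1 (h)
    beta      : common cause factor, e.g. 0.03 for 3 %
    The limit max_lambda_t on lambda_du * t1 is an assumption added here; the
    simplified formulae are only meaningful for lambda_du * T_1 << 1."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie between 0 and 1")
    x = lambda_du * t1
    if x > max_lambda_t:
        raise ValueError(f"lambda_DU * T_1 = {x:.3g} is too large for the simplified formulae")
    # Series block of Figure 10.3: "failure rate with common cause" = beta * lambda_DU
    common_cause = beta * x / 2.0
    table = {
        "1oo1": x / 2.0,                      # Formula 11
        "2oo2": x,                            # Formula 12 (no redundancy, hence no beta term)
        "1oo2": x ** 2 / 3.0 + common_cause,  # Formula 13
        "2oo3": x ** 2 + common_cause,        # Formula 14
        "1oo3": x ** 3 / 4.0 + common_cause,  # Formula 15
        "2oo4": x ** 3 + common_cause,        # Formula 16
    }
    try:
        return table[arch]
    except KeyError:
        raise ValueError(f"unsupported architecture {arch!r}") from None


def sil_from_pfd(pfd: float):
    """Map a PFD_avg to its SIL band; None if the value lies outside SIL 1 to SIL 4."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


if __name__ == "__main__":
    # Constructed sample: lambda_DU = 1e-6 1/h, proof test once a year (8760 h).
    lambda_du, t1 = 1.0e-6, 8760.0
    for beta in (0.0, 0.03):
        print(f"beta = {beta:.2f}")
        for arch in ARCHITECTURES:
            p = pfd_moon(arch, lambda_du, t1, beta)
            print(f"  {arch}: PFD = {p:.3e}  -> SIL {sil_from_pfd(p)}")
```

Running the sample shows the point of the β factor: with β = 0 the 1oo2 structure lands in the SIL 4 band, while a common cause share of only 3 % dominates the sum in Formula 13 and pulls the same structure back to SIL 3, so the β term, not the squared term, decides the achievable SIL of a redundant arrangement.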
11 References and bibliography
IEC/EN 61508, part 1 to 7
IEC/EN 61511, part 1 to 3
VDI/VDE 2180
Wahrscheinlichkeitstheorie für Ingenieure (Probability theory for engineers)
Lothar Litz
Hüthig
Zuverlässigkeitstechnik (Reliability technology)
Balbir S. Dhillon
VCH
Control system safety evaluation and reliability
William M. Goble
ISA
Reliability Engineering, Theory and Practice
A. Birolini
Springer
For over a half century, Pepperl+Fuchs has been continually providing new concepts for the world of process automation. Our
company sets standards in quality and innovative technology. We develop, produce and distribute electronic interface modules,
Human-Machine Interfaces and hazardous location protection equipment on a global scale, meeting the most demanding
needs of industry. Resulting from our world-wide presence and our production and customer service, we
are able to individually offer complete solutions - wherever and whenever you need us. We are the recognized experts in our
technologies: Pepperl+Fuchs has earned a strong reputation by supplying the world's largest process industry companies
with the broadest line of proven components for a diverse range of applications.
www.pepperl-fuchs.com    PEPPERL+FUCHS
PROTECTING YOUR PROCESS
Subject to reasonable modifications due to technical advances · Copyright PEPPERL+FUCHS · Printed in Germany · Part No. 180663 10/07 01