1 iec 61508 – iec 61511 presentation document last revised october 1st 2005 g.m. international...

1

IEC 61508 – IEC 61511 Presentation

Document last revised October 1st 2005

G.M. International Safety Inc.

P.O. Box 25581

Garfield Heights, OH 44125

USA

www.gmisafety.com

[email protected]

http://www.gmisafety.com/

mailto:[email protected]

2

Standard Definitions

IEC 61508

Title: Standard for Functional Safety of

Electrical / Electronic / Programmable Electronic

Safety-Related System

IEC 61511

Title: Safety Instrumented Systems for the

Process Industryhas been developed as a Process Sector of IEC 61508

3

Standard History

The IEC 61508 was conceived to define and harmonize a method to reduce risks for human beings

and/or reduce valuable loss for all industrial and non industrial environments.

The IEC 61508 integrates and extends American Standard ISA-S84.01 (1996)

and German DIN 19250 (1994).

4

Standard Requirements

5

Other related standards

• DIN 19250 (1994)

Title: “Fundamental Safety aspects to be considered for measuring and control equipment”

Deals with Quantitative Risk Analysis used for Part 5 of IEC 61508, classification in AK classes 1-8 similar to SIL levels

• ISA-S84.01 (1996)

Title: “Application of Safety Instrumented Systems (SIS) for the process industry”

Defines Safety Lifecycles assuming Risk analysis and SIL been carried out.

6

Fundamental Concepts• Risk Reduction and Risk Reduction Factor (RRF)• Safety Integrity Level (SIL)• Independence Levels and consequences• Probability of Failure on Demand (PFD)• Reliability• Availability• Failure Rate (λ)• Proof Test Interval between two proof tests (T[Proof])• Failure In Time (FIT)• Mean Time To Failure (MTTF)• Mean Time Between Failure (MTBF)• Mean Time To Repair (MTTR)• Safe Failure Fraction (SFF)• Safety Lifecycle• Safety Instrumented System (SIS)

7

Risk Reduction

As Low As Reasonably Practicable or Tolerable Risk

(ALARP ZONE)

Fundamental Concepts

8

Risk ReductionFundamental Concepts

9

PFDavg / RRF

Correlation between Probability of Failure on Demand

and Risk Reduction Factor


10

Safety Integrity Level (SIL)

• SIL levels (Safety Integrity Level) • RRF (Risk Reduction Factor) • PFD avg (Average Probability of Failure on Demand)

SIL Table for Demand and Continuous mode of Operation


11

Independence LevelsAssessment Independence Level

as a function of consequences


12

Reliability• Reliability is a function of operating time.• All reliability functions start from reliability one and decrease to reliability

zero. The device must be successful for an entire time interval.• The statement: “Reliability = 0.76 for a time of 100.000 hs” makes perfect

sense.

R(t) = P(T>t)


13

Reliability

Reliability is the probability that a device will perform its intended function when required to do so, if operated within its specified design limits.

– The device “intended function” must be known.– “When the device is required to function” must be judged.– “Satisfactory performance” must be determined.– The “specified design limits” must be known.

Mathematically reliability is the probability that a device will be successful in the time interval from zero to t

in term of a random variable T.


14

Availability• Availability is the probability that a device is successful at

time t. • No time interval is involved. • A device is available if it’s operating.• The measure of success is MTTF (Mean Time To Failure)


15

Failure Rate Categories

λ tot = λ safe + λ dangerous λ s = λ sd + λ su λ d = λ dd + λ du λ tot = λ sd + λ su + λ dd + λ du

Where:

sd = Safe detected su = Safe undetected dd = Dangerous detected du = Dangerous undetected


16

FIT

Failure In Time is the number of failures per one billion devices hours.

1 FIT = 1 Failure in 109 hours =

= 10-9 Failures per hour


17

MTTF

MTTF is an indication of the average successful operating time of a device (system) before a

failure in any mode.

• MTBF (Mean Time Between Failures) • MTBF = MTTF + MTTR• MTTF = MTBF - MTTR• MTTR (Mean Time To Repair)• Since (MTBF >> MTTR) MTBF is very near to MTTF in value.


18

MTBF and Failure Rate

Relation between MTBF and Failure Rate λ

Failure per unit time 1

λ = ----------------------------- = ------------

Quantity Exposed MTBF

1 Quantity Exposed

MTBF = ------ = ----------------------------

λ Failure per unit time


19

MTBF - Example• Instantaneous failure rate is commonly used as measure of

reliability.

• Eg. 300 Isolators have been operating for 10 years. 3 failures have occurred. The average failure rate of the isolators is:

Failure per unit time 3 λ = ------------------------------- = ----------------- =

Quantity Exposed 300*10*8760

= 0.000000038 per hour = = 38 FIT (Failure per billion hours) == 38 probabilities of failure in one billion hours.

• MTBF = 1 / λ = 303 years (for constant failure rate)


20

SFF (Safe Failure Fraction)Fundamental Concepts

SFF summarizes the fraction of failures, which lead to a safe state and the fraction of failure

which will be detected by diagnostic measure and lead to a defined safety action

21

Type A SFF Chart

Type A components are described as simple devices with well-known failure modes and a solid history of operation


22

Type B SFF Chart

Type B: “Complex” component (using micro controllers or programmable logic); according 7.4.3.1.3 of IEC 61508-2


23

HSE Study

Results of system failure cause study done by English “Health and Safety Executive” (HSE)


24

Safety Lifecycle OriginFundamental Concepts

25

Safety Lifecycle 1/5


26


First portion of the overall safety lifecycle

ANALYSIS (End user / Consultant)


27


Realisation activities in the overall safety lifecycle


28


Safety lifecycle for the E/E/PES

(Electrical / Electronic / Programmable Electronic)

Safety - Related System (IEC 61508, Part 2)


29


Last portion of the overall safety lifecycle

OPERATION (End User / Contractor)


30

SIS

SIS (Safety Instrumented System)

according to IEC 61508 and IEC 61511


31

IEC 61511

Safety Instrumented Systems

for Process Industry

• IEC 61511 has been developed as a Process Sector implementation of the IEC 61508.

• The Safety Lifecycle forms the central framework which links together most of the concepts in this standard, and evaluates process risks and SIS performance requirements (availability and risk reduction).

• Layers of protection are designed and analyzed.• A SIS, if needed, is optimally designed to meet particular process

risk.

32

Process sector system standardIEC 61511

33

IEC 61511 Parts

The Standard is divided into three Parts

• Part 1: Framework, Definitions, Systems, Hardware and Software Requirements

• Part 2: Guidelines in the application of IEC 61511-1• Part 3: Guidelines in the application of hazard and risk

analysis

IEC 61511

34

IEC 61511 Part 3

Guidelines in the application of hazard and risk analysis

IEC 61511

35

FMEDA

Failure Modes and Effects Diagnostic Analysis (FMEDA)

Is one of the steps taken to achieve functional safety assessment of a device per IEC 61508 and is considered to be a systematic way to:

• identify and evaluate the effects of each potential component failure mode;

• classify failure severity;• determine what could eliminate or reduce the chance of failure;• document the system (or sub-system) under analysis.

36

FMEDA

The following assumptions are usually made during the FMEDA

• Constant Failure Rates (wear out mechanisms not included)• Propagation of failures is not relevant• Repair Time = 8 hours• Stress levels according IEC 60654-1, Class C (sheltered location),

with temperature limits within the manufacturer’s rating and an average temperature over a long period of time of 40°C

37

FMEDA

38

1oo1 Architecture

PFDPFDavg avg (T1) = (T1) = λλdddd * RT + λ * RT + λdudu * T1/2 * T1/2

because RT (avg. repair time) is << T1

PFDPFDavgavg = = λλdudu * T1/2 * T1/2

λdu = λdu (sensor) + λdu(isolator) + λdu(controller) + λdu(final element)

SIL level is the lowest in the loop.

39

1oo2 Architecture

PFDavg = λduc * (T1/2) + λddc * RT+(λddn* RT)2 + (λddn* RT * λdun* T1)2/2 + (λdun* T1)2 /3

PFDavg = (λdun* T1)2/2 + (λdun* T1)2 /3

40

2oo3 Architecture

PFDavg = λduc * (T1/2) + 3[λddc * RT+(λddn* RT)2 + (λddn* RT * λdun* T1)2/2 + (λdun* T1)2 /3]

41

SIL3 using SIL2 subsystem

SIL3 Control Loop or Safety Function using SIL2 Sub-Systems in 1oo2 Architecture

42

Safety Manual

A Safety Manual is a document provided to users of a product that specifies their responsibilities for installation and operation in order to maintain the design safety level.

The following information shall be available for each safety-related sub-system ..

43

Safety Manual Requirements

1. Functional specification and safety function2. Estimated rate of failure in any mode which would cause both

undetected and detected safety function dangerous failures3. Environment and lifetime limits for the sub-system4. Periodic Proof Tests and/or maintenance requirements5. T proof test time interval

6. Information necessary for PFDavg, MTTR, MTBF, SFF, λdu, λtotal

7. Hardware fault tolerance and failure categories8. Highest SIL that can be claimed (not required for proven in use

sub-systems)9. Documentary evidence for sub-system’s validation (EXIDA)10. Proof Test ProceduresProcedures to reveal dangerous faults which are

undetected by diagnostic tests.

44

Standard referencesRemembering that:

• SIL (Safety Integrity Level) • RRF (Risk Reduction Factor) • PFD avg (Average Probability of Failure on Demand)

SIL Table for operative modes “high” and “low” demand

Using the Safety Manual

45

Standard references

Remembering definitions given for type “A” and “B” components,

sub-systems, and related SFF values


46

Loop PFDavg calculation

1oo1 typical control loop

PFDavg(sys) = PFDavg(tx) + PFDavg(i) + PFDavg(c) + PFDavg(fe)


47


For calculating the entire loop’s reliability (Loop PFDavg), PFDavg values for each sub-systems must first be found and be given a proportional

value (“weight”) compared to the total 100%.

This duty is usually assigned to personnel in charge of plant’s safety, process and maintenance.


48


Equation for 1oo1 loop

Where:

RT = repair time in hours (conventionally 8 hours)

T1 = T proof test, time between circuit functional tests (1-5-10 years)

λdd = failure rate for detected dangerous failures

λdu = failure rate for undetected dangerous failures


49


If T1 = 1 year then

but being λdd * 8 far smaller than λdu * 4380


50

Example 1

PFDavg = λdu * T1/2

For D1014 λdu is equal to 34 FIT (see manual)

Therefore

PFDavg = 34 * 10-9 * 4380 =

= 0,000148920 = 148920 FIT


51

Example 2

“Weights” of each sub-system in the loop must be verified in relation with expected SIL level PFDavg and data from the device’s safety manual.

For example, supposing SIL 2 level to be

achieved by the loop on the right in a low

demand mode:

• PFDavg(sys) is between 10-3 and 10-2 per year• “Weight” of D1014 Isolator is 10%

Therefore PFDavg(i) should be between 10-4 and 10-3 per year.


52

Example 2

Given the table above (in the safety manual) conclusions are:

1. Being D1014 a type A component with SFF = 90%, it can be used both in SIL 2 and SIL 3 applications.

2. PFDavg with T proof = 1yr allows SIL3 applications




53

1oo2 architecture

What happens if the total PFDavg does not reach the wanted SIL 2 level, or the end user requires to reach a

higher SIL 3 level?

The solution is to use a 1oo2 architecture which offers very low PFDavg, thus increasing fail-safe failure probabilities.


54

1oo2 architecture

For D1014S (1oo1):

PFDavg = λdu* T1/2

PFDavg = 148920 FIT

For D1014D (1oo2):

PFDavg = (λdun* T1)2/2 + (λdun* T1)2 /3

PFDavg = 75 FIT

In this case a 1oo2 architecture gives a 2000 times smaller PFDavg for the sub-system


55

Final considerations

• Always check that the Safety Manual contains information necessary for the calculation of SFF and PFDavg values.

• Between alternative suppliers, choose the one that offers:

• highest SIL level,

• highest SFF value,

• longest T[proof] time interval for the same SIL level,

• lowest value of PFDavg for the same T[proof].

• When in presence of units with more than one channel and only one power supply circuit, the safety function allows the use of only one channel. Using both of the channels is allowed only when supply is given by two independent power circuits (like D1014D).

• Check that the Safety Manual provides all proof tests procedures to detect dangerous undetected faults.


56

Credits and Contacts

G.M. International Safety Inc. P.O.BOX 25581

Garfield Heights, OH 44125USA

Toll Free: 800 960 [email protected]

Document last revised October 1st 2005

http://www.gmisafety.com/

mailto:[email protected]

1 iec 61508 – iec 61511 presentation document last revised october 1st 2005 g.m. international...

Documents

failure rate failure

failure fundamental

failure mtbf

failure mttf

fit failure

probabilities of failure

unit time fundamental

average failure rate