
Page 1: APN018 - SIL and Gas Detection Systems

Dräger Safety AG & Co.KGaA APN0018 December 2004

SIL and Gas Detection Systems According to SIL standard EN 61508, the average probability of failure on demand within a defined proof test interval and the proportion of undetectable dangerous failures are the key parameters of protective systems. In order to create gas detection systems that can be classified as, for example, SIL 2, their designers have to give particular consideration when selecting which subsystems to use to certain numerical limits which apply to these reliability parameters, while at the same time complying with measurement performance regulations.

Safety Integrity Level

In this application note we will be looking at a further aspect of EN 61508 (or IEC 61508) which enables system designers, assuming certain conditions are met, to demonstrate the reliability of a safety-oriented system by means of a numerical evaluation. According to EN 61508, a protective system used to avoid damage to persons, the environment and assets must meet certain reliability requirements – depending on the extent of the damage likely to occur – which are defined on the basis of the so-called Safety Integrity Level (SIL).

The concept of reliability is founded on statements of probability such as "How likely is it that a protective system will fail at just the moment it is supposed to be carrying out its safety function?"

Introduction

Dangerous failures

Safety-oriented systems, therefore, need to be designed such that any failures which could have a negative effect on functional safety will be recognized, dealt with and reported by appropriate self-diagnostic facilities and test routines and that the system will be brought into a safe condition. Such detectable dangerous failures must be remedied immediately. This is also in the interest of the operator, as a system in a safe condition, though it is of course safe, may not always be ready for operation at the same time.

However, even diagnostic systems have their limits. To a certain extent, there will always also be undetectable dangerous failures, i.e. failures which remain undetected and result in failure of the safety function, or Safety Integrity Function (SIF). The only chance of uncovering such failures is to conduct routine system checks. This is the reason why the time between two tests of this kind, the proof test interval TP, plays such an important role in safety analyses.

The safe failure rate (i.e. failures which, though they impair the safety function, are detectable, or failures which have no effect on the safety function) as a proportion of the total failure rate is termed the Safe Failure Fraction (SFF). For SIL 2 systems, the SFF must exceed 90%, or, put the other way round: the proportion of undetectable dangerous failures must not be greater than 10%.

This alone, however, is not enough. If such undetectable dangerous failures do exist, then, the probability of their occurring within the proof test interval TP must also be assessed, i.e. determining how likely it is that the protective system will fail at the precise moment the safety function is needed.

Application Note


Probability of Failure on Demand

The statistical parameter which describes the undetectable dangerous failure and the proof test interval is known as the average probability of failure on demand PFDAVG and, depending on the required SIL, must not exceed certain limits. For systems conforming to SIL 2, for example, steps must be taken to ensure that the PFDAVG is less than 0.01, i.e. the protective system is only allowed to fail once every 100 times the safety function is required.

However, the functional safety and, therefore, the average probability of failure on demand PFDAVG, relates to the system as a whole, which can be split into the following subsystems:

- sensor (SE, probability of failure on demand PFDSE),

- logic solver (LS, probability of failure on demand PFDLS) and

- final elements (FE, probability of failure on demand PFDFE).

For the system as a whole, the probability of failure on demand is calculated by adding together these three probabilities, as follows:

PFDAVG = PFDSE + PFDLS + PFDFE

To calculate the PFDSE of a sensor, for example, a very detailed evaluation of every conceivable type of failure and its effects on every level, right down to the component level, needs to be performed (FMEDA, Failure modes, effects and diagnostic analysis), which is virtually impossible without the assistance of experts specialized in such analyses. The outcome of the FMEDA is a list of different failure types and their calculated failure rates λ (in h⁻¹), on the basis of which in particular the failure rate λDU of the undetectable dangerous failure can be calculated (DU stands for dangerous undetected). Such a failure would occur, for example, if due to an internal failure a 4-20-mA-transmitter for gas detection showed a measurement signal of 4 mA ("no gas") despite the presence of dangerously high gas concentrations. If this type of rare failure condition occurs, it will remain undetected until the next routine test is conducted (proof test interval TP), at which point it will of course be discovered immediately and remedied within a very short time (MTTR, Mean time to restore). Statistically speaking, this failure remains undetected for half of the proof test interval TP. During this same period, plus the time needed for repair, the system will of course also not be able to perform its safety function. Correspondingly, in this case the average probability of failure on demand can be calculated as follows:

$\mathrm{PFD}_{AVG} = \lambda_{DU} \cdot \left(\tfrac{1}{2}\,T_P + \mathrm{MTTR}\right) \approx \tfrac{1}{2}\,\lambda_{DU}\,T_P$

The approximation is permissible since repairs generally take only a few hours, while the proof test interval covers a period of several months.

Example: The failure rate of an undetectable dangerous failure is λDU = 10⁻⁶ h⁻¹ (i.e. one failure in 10⁶ hours, or 114 years). If the system is tested annually (every 8,760 hours), the following applies:

$\mathrm{PFD}_{AVG} = \tfrac{1}{2}\,\lambda_{DU}\,T_P = \tfrac{1}{2} \cdot 10^{-6}\,\mathrm{h^{-1}} \cdot 8760\,\mathrm{h} = 4.38 \cdot 10^{-3}$

Dangerous failures detected by diagnostic facilities (failure rate λDD, DD stands for dangerous detected), of course, also have an effect – even if a lesser one – on the PFD, since the safety function is not available during the repair time MTTR. The MTTR is generally calculated as being 8 hours, though this naturally assumes sufficient stocks of spare parts and a repair service that is initiated without delay. Here too, the safety engineer is responsible, as for compliance with the required proof test intervals TP.


If system parts are of redundant design or subjected to voting (e.g. a two-out-of-three decision), the rules which apply differ from the formula above; for a two-fold redundancy, for example, the probability of failure on demand is

$\mathrm{PFD}_{AVG} = \tfrac{1}{3}\,(\lambda_{DU}\,T_P)^2$

Although the figures which result are very small (on the basis of the above givens, PFDAVG = 2.6·10⁻⁵), consideration must realistically also be given to failures which influence both subsystems simultaneously, thereby removing the redundancy again; these are known as common cause failures. The proportion of these is stated by a β-factor which is usually assumed to be 0.05 or 0.1.

$\mathrm{PFD}_{AVG} = \tfrac{1}{3}\,(\lambda_{DU}\,T_P)^2 + \beta\,\lambda_{DU}\,T_P$

In practice, the second term is usually the larger even in the case of a small β-factor.
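The single-channel formula with MTTR, the annual-test example and the two-fold redundancy formula with β-factor, worked through in Python as an added example (not code from the Dräger note). Function names are this example's own; the figures are the note's λDU = 10⁻⁶ h⁻¹, TP = 8760 h and MTTR = 8 h.

```python
# Added example (not from the Dräger application note): the PFD_AVG formulas
# of the note, worked through with its own figures.
# Symbols follow the note: lambda_du = undetected dangerous failure rate (1/h),
# t_p = proof test interval (h), mttr = mean time to restore (h),
# beta = common cause share of a redundant pair.

def pfd_avg_1oo1(lambda_du, t_p, mttr=0.0):
    """Single-channel (linear, HFT = 0) architecture.

    The undetected failure sits dormant for half the proof test interval on
    average, plus the repair time once it is found:
        PFD_AVG = lambda_DU * (T_P / 2 + MTTR)
    With mttr=0 this is the note's approximation 1/2 * lambda_DU * T_P.
    """
    return lambda_du * (t_p / 2.0 + mttr)


def pfd_avg_1oo2(lambda_du, t_p, beta=0.0):
    """Two-fold redundancy with a common cause share beta.

        PFD_AVG = 1/3 * (lambda_DU * T_P)^2 + beta * lambda_DU * T_P
    The first term is the independent double failure; the second term is the
    common cause failure that removes both channels at once.
    """
    independent = (lambda_du * t_p) ** 2 / 3.0
    common_cause = beta * lambda_du * t_p
    return independent + common_cause


def common_cause_dominates(lambda_du, t_p, beta):
    """True when the beta term exceeds the independent term, which the note
    says is the usual case in practice even for a small beta."""
    return beta * lambda_du * t_p > (lambda_du * t_p) ** 2 / 3.0


if __name__ == "__main__":
    LAMBDA_DU, T_P, MTTR = 1e-6, 8760.0, 8.0   # the note's sample figures
    print(f"1oo1 approx      : {pfd_avg_1oo1(LAMBDA_DU, T_P):.3e}")        # 4.380e-03
    print(f"1oo1 with MTTR   : {pfd_avg_1oo1(LAMBDA_DU, T_P, MTTR):.3e}")  # 4.388e-03
    print(f"1oo2 without CCF : {pfd_avg_1oo2(LAMBDA_DU, T_P):.2e}")        # 2.56e-05
    for beta in (0.05, 0.1):
        print(f"1oo2 beta={beta:<4}: {pfd_avg_1oo2(LAMBDA_DU, T_P, beta):.2e}",
              "(common cause dominates)" if common_cause_dominates(LAMBDA_DU, T_P, beta) else "")
```

The MTTR term changes the single-channel result by less than 0.2 %, which is why the note drops it; the β term, by contrast, is more than ten times the independent double-failure term.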

System design

The PFDAVG of the system as a whole, therefore, is determined by

- the failure rate of the undetectable dangerous failure λDU

- the choice of proof test intervals TP

- the architecture (linear, redundant, voting).

In the case of the subsystem, the failure rate λDU is determined by conducting an FMEDA and is usually certified by independent testing institutes and ensured by quality assurance measures. The system designer, therefore, is able to define the proof test interval and the architecture of the system as a whole. There are, however, practical limits: companies are not keen for testing intervals to be too short, as this can result in more frequent downtime, and redundancies and voting incur considerable costs.

It is therefore the system designer's goal to use subsystems which, if subjected to testing just once every year and provided with no redundancies whatsoever, will fall as far below the maximum permissible PFD as possible.

For a system classified as SIL 2, for example, the designer will achieve the aforementioned goal by using a sensor with PFDSE = 0.002 and a logic solver with PFDLS = 0.001, each based on annual proof testing. To ensure the PFDAVG < 0.01 that is required for SIL 2, the final elements still to be procured must have a PFDFE of less than 0.007 if they are also to be tested only once a year.

HFT and redundancies

The hardware failure tolerance HFT describes the behaviour of a complex system or subsystem in a failure condition. In the case of linear architecture, i.e. a system without redundancies, the safety function is no longer guaranteed if just one failure (HFT = 0) occurs, while a redundant architecture continues to remain operational even when a failure occurs (HFT = 1 or higher).

Safe Failure Fraction (SFF) versus hardware failure tolerance (HFT):

HFT | SFF < 60 %              | SFF 60 % … < 90 %        | SFF 90 % … < 99 %
----|-------------------------|--------------------------|------------------------------
 0  | ---                     | SIL 1 if PFDAVG < 0.1    | SIL 2 if PFDAVG < 0.01
 1  | SIL 1 if PFDAVG < 0.1   | SIL 2 if PFDAVG < 0.01   | SIL 3 if PFDAVG < 0.001
 2  | SIL 2 if PFDAVG < 0.01  | SIL 3 if PFDAVG < 0.001  | SIL 4 if PFDAVG < 0.00001


As can be seen from the above table (see EN 61508, Section 7.4.3.1.4), SIL 2 classification can only be achieved for linear architecture (HFT = 0) if the SFF is greater than 90%, i.e. the proportion of undetectable dangerous failures must be below 10%. If, on the other hand, the SFF is only 80%, SIL 2 can only be achieved by means of redundancy (HFT = 1).
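The SFF definition from the first page and the HFT/SFF table above, turned into a lookup that returns the highest SIL a subsystem may claim, as an added example in Python (not code from the Dräger note). Function names and the constructed failure rates are this example's own; the table cells and PFD bounds are the note's.

```python
# Added example (not from the Dräger application note): SFF from the three
# failure-rate classes, and the HFT/SFF table (EN 61508, Section 7.4.3.1.4,
# as the note cites it) as a lookup. The SIL 4 bound 0.00001 is the value
# printed in the note's table.

def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF = (safe + dangerous detected) / total failure rate.

    lambda_s:  safe failures (no effect on the safety function),
    lambda_dd: dangerous but detected by the diagnostics,
    lambda_du: dangerous undetected, only found at the proof test.
    """
    total = lambda_s + lambda_dd + lambda_du
    return (lambda_s + lambda_dd) / total


def sil_from_pfd(pfd_avg):
    """SIL permitted by PFD_AVG alone, using the bounds quoted in the table."""
    for sil, limit in ((4, 0.00001), (3, 0.001), (2, 0.01), (1, 0.1)):
        if pfd_avg < limit:
            return sil
    return 0


# Architectural cap per the note's table: rows HFT 0/1/2, columns
# SFF < 60 %, 60 % ... < 90 %, 90 % ... < 99 %. 0 stands for "---".
ARCH_CAP = {0: (0, 1, 2), 1: (1, 2, 3), 2: (2, 3, 4)}


def achievable_sil(hft, sff, pfd_avg):
    """Highest SIL claimable: the smaller of the architectural cap and the
    PFD-derived SIL. SFF >= 99 % lies outside the note's table."""
    if sff >= 0.99:
        raise ValueError("SFF >= 99 % is not covered by the note's table")
    column = 0 if sff < 0.60 else 1 if sff < 0.90 else 2
    return min(ARCH_CAP[hft][column], sil_from_pfd(pfd_avg))


if __name__ == "__main__":
    # Constructed rates (1/h): safe 8e-7, dangerous detected 1e-7, undetected 1e-7
    print(f"SFF = {safe_failure_fraction(8e-7, 1e-7, 1e-7):.1%}")        # 90.0%
    # The note's point: SFF 80 % needs HFT = 1 for SIL 2, SFF > 90 % does not
    print("SFF 80 %, HFT 0:", achievable_sil(0, 0.80, 0.005))             # 1
    print("SFF 80 %, HFT 1:", achievable_sil(1, 0.80, 0.005))             # 2
    print("Polytron 2 IR, HFT 0:", achievable_sil(0, 0.965, 1.28e-4))     # 2
    print("SFF 96.5 %, PFD 0.05:", achievable_sil(0, 0.965, 0.05))        # 1
```

The last line shows the other direction of the constraint: a good SFF and HFT do not help if the PFDAVG for the chosen proof test interval is too large.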

The functional safety of a subsystem (e.g. of a sensor), therefore, can only be fully specified if the PFD with the respective proof test interval TP, the SFF and the HFT are stated.

Sensor for SIL 2

As 4-20-mA transmitters for gas detection, Dräger Safety presents three instruments assessed by an independent institute (Exida):

Transmitter     | Principle of measurement                          | λDU           | SFF    | PFDSE if TP = 1 year *)
----------------|---------------------------------------------------|---------------|--------|------------------------
Polytron 2 IR   | Infrared, combustible gases and vapours           | 2.92·10⁻⁸ h⁻¹ | 96.5 % | 1.28·10⁻⁴
Polytron Pulsar | Open path infrared, combustible gases and vapours | 1.09·10⁻⁷ h⁻¹ | 91.9 % | 4.75·10⁻⁴
Polytron 7000   | Electrochemical, toxic gases and oxygen           | 3.56·10⁻⁷ h⁻¹ | 90.8 % | 1.56·10⁻³

*) for SIL-2 systems, the PFDSE for the sensor should not exceed 3.5·10⁻³.

As can be seen from the relevant figures given in the table for the Polytron transmitters, these sensors are ideally suited for creating a gas detection system classified as SIL 2.

In the interests of clarity and ease of comprehension, the fact that EN 61508 requires the complete life cycle of a protective system to be taken into consideration, especially aspects of operation and maintenance, has been ignored in this article. Instead, the focus was on familiarizing the reader with the relevant terms and definitions contained in this standard relating to protective systems.

Market Segments and Development

The market segment is commonly the chemical and petrochemical industries, where large amounts of dangerous goods are handled and pose a hazardous risk to workers and the environment.

Gas detection systems in these applications mostly have to be SIL-2-rated.

There is clearly a trend towards SIL-2-rated systems being required more and more in future, in order to reduce the risk of danger arising from chemicals.

Description of the Challenge

Dräger develops and produces high-value products with the target of high reliability. This is also audited by safety quality management and external authorities.

In this way the functional safety data are obtained and controlled.

The challenge is to support customers with the necessary safety-relevant data so that they can combine assessed components into a complete SIL-rated gas detection system.


Solution from Dräger

Besides the functional safety data of the SIL-assessed transmitters Polytron 2 IR, Polytron 7000 and Pulsar, there is a further report (Vectra) showing how to combine the Dräger transmitters Polytron IR Ex, Polytron Ex or Polytron 2 with Regard controllers to achieve a SIL-2-rated system.

This has been done for

• a single channel system with Polytron Ex or Polytron IR Ex and single channel 4-20-mA-card

• a 2-out-of-3 system with Polytron Ex or Polytron IR Ex and single channel 4-20-mA-card

• a single channel system with Polytron Ex or Polytron IR Ex and a Regard system with power supply

• a 2-out-of-3-system with Polytron Ex or Polytron IR Ex and a Regard system with one power supply

• a single channel system with Polytron 2 and a Regard system with power supply and sampling unit

• a single channel open-path-system Pulsar and a Regard system with power supply

Example (single channel system, proof test interval TP = 1 year):

[Figure: signal chain of the single channel system] P2 IR (PFD = 1.28·10⁻⁴) → 4-20-mA input card (PFD = 4.6·10⁻³) → FINAL ELEMENT

SIL-2 is achieved if the final element has a PFD of lower than 5.272·10⁻³.

Prepared by: Dr. Wolfgang Jessel
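The additive PFD budget from the "System design" section and this single channel example, plus the two levers the note leaves to the designer (proof test interval and subsystem choice), as an added example in Python (not code from the Dräger note). Function names and the final element rate of 2·10⁻⁶ h⁻¹ are this example's own assumptions; the other figures are the note's.

```python
# Added example (not from the Dräger application note): PFD_AVG = PFD_SE +
# PFD_LS + PFD_FE as a budget, and what the proof test interval T_P can do
# when the subsystem still to be procured does not fit into it.

SIL_PFD_LIMIT = {1: 0.1, 2: 0.01, 3: 0.001}   # upper PFD_AVG bounds from the note
HOURS_PER_YEAR = 8760.0


def remaining_pfd_budget(sil, known_pfds):
    """PFD left for the subsystems still to be procured.

    The note adds the subsystem PFDs, so the budget for the rest is the SIL
    limit minus what is already committed. A negative value means the chosen
    subsystems exceed the limit on their own.
    """
    return SIL_PFD_LIMIT[sil] - sum(known_pfds)


def pfd_at_interval(pfd_ref, t_ref_hours, t_new_hours):
    """Rescale a 1oo1 subsystem PFD quoted for one proof test interval.

    PFD_AVG ~ 1/2 * lambda_DU * T_P is proportional to T_P, so halving the
    interval halves the PFD. Not valid for redundant (1oo2) subsystems.
    """
    return pfd_ref * t_new_hours / t_ref_hours


def max_proof_test_interval(lambda_du, pfd_budget):
    """Longest T_P (hours) a 1oo1 subsystem with rate lambda_DU may have and
    still stay within pfd_budget: T_P = 2 * PFD / lambda_DU."""
    return 2.0 * pfd_budget / lambda_du


if __name__ == "__main__":
    # System design section: sensor 0.002 + logic solver 0.001 -> 0.007 left
    print(f"budget for final elements: {remaining_pfd_budget(2, [0.002, 0.001]):.3f}")
    # Page 5 example: Polytron 2 IR + 4-20 mA input card -> 5.272e-3 left
    budget = remaining_pfd_budget(2, [1.28e-4, 4.6e-3])
    print(f"budget for final element : {budget:.3e}")
    # Constructed final element: lambda_DU = 2e-6 /h. Annual testing would give
    # 8.76e-3, above the budget, so the proof test interval has to shrink.
    annual = pfd_at_interval(max_proof_test_interval(2e-6, budget), 1.0, 1.0)  # placeholder line not used
    t_max = max_proof_test_interval(2e-6, budget)
    print(f"final element must be proof tested at least every {t_max / HOURS_PER_YEAR:.2f} years")
```

With λDU = 2·10⁻⁶ h⁻¹ the final element alone would use 8.76·10⁻³ of the 5.272·10⁻³ budget at annual testing, so it has to be proof tested about every 0.6 years or replaced by a better one.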
