Selection of Components: IEC 61508 and IEC 61511
AUMA, Dr. Jörg Isenberg, 06.10.2015
• Where to find “SIL” certificates
• Criteria for component evaluation & understanding certificates
• General suitability of component
• The 3 main requirements of IEC 61508 / IEC 61511
• Additional criteria
• Conclusion
Where to find certificates
Safety Automation Element List (exida): http://www.exida.com/SAEL
• Database of components certified by exida
• Also includes components certified by e.g. TÜV
TÜV Rheinland: http://www.tuvasi.com/en
• Database of components certified by TÜV Rheinland
• List of FS engineers certified by TÜV Rheinland
TÜV Nord: http://www.tuev-nord.de/de/zertifizierungen-fusi/produktzertifizierung-11709.htm
• Database of components certified by TÜV Nord
• List of persons certified by TÜV Nord
• Information only available if company / person agreed
• Most certificates may be downloaded
• Not all certificates include safety parameters
Understanding certificates
How to interpret certificate headlines?
1. The component may be used in any SIL 3 application
2. The component may be used in SIL 3 applications with HFT=0
3. The component may be used in SIL 3 applications if HFT=1 (if HFT=0, SIL 2 is permissible)
4. The systematic capability is 3, but it has to be checked separately which SIL may be achieved due to failure probability (PFD) and architectural constraints
To find out, you need to read & interpret the details of the certificate!
Criteria for component evaluation
• General suitability for the application
• Fulfillment of the 3 main criteria of IEC 61508 / IEC 61511
• Additional criteria
Criteria for component evaluation
General suitability for the intended application
• Environmental conditions (pressure, temperature, humidity, expected contamination, corrosivity, …)
• Influence of process media (corrosivity, particles, sensors, …)
• Mechanical requirements (torque, closing time, vibrations, …)
• Functionality (safety function(s) & priority, seating criteria, …)
A “SIL 1 capable” component optimally suited to the general (process) requirements is likely to achieve a higher risk reduction than an unsuitable “SIL 3 capable” component!
Criteria for component evaluation
The 3 main criteria of IEC 61508
SIL of a SIF always depends on 3 criteria:
• Systematic capability (avoidance of systematic errors)
• Architectural constraints (robustness of system)
• Probability of failure on demand (PFD)
The SIL reached is the lowest SIL achieved by any of these 3 criteria!
Example:
• Systematic capability ⇒ SIL 3
• Architectural constraints ⇒ SIL 1
• Probability of failure on demand ⇒ SIL 2
i.e. achieved SIL for this SIF ⇒ SIL 1
Criteria for component evaluation
The 3 main criteria of IEC 61508: systematic capability
Different routes possible:
Route 1 S:
• Set of organizational measures (Functional Safety Management) in different safety life cycle phases
• Necessary to make systematic (human) errors unlikely
• Different for each SIL ⇒ Systematic capability SC=1…4
Route 2 S: proven in use (IEC 61508) / prior use (IEC 61511)
Criteria for component evaluation
The 3 main criteria of IEC 61508: architectural constraints
According to IEC 61508, 2 different routes are possible:
• Route 1 H: Based on Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT)
• Route 2 H: Based on HFT and field data evaluation with raised confidence levels
• IEC 61511: preferred route is 2H
Failure rates stated on a certificate, per safety function:
Safety function | λSD | λSU | λDD | λDU | SFF
OPEN / CLOSE without PST | 404 FIT | 185 FIT | 1920 FIT | 974 FIT | –
OPEN / CLOSE with PST | 461 FIT | 185 FIT | 2510 FIT | 388 FIT | –
Understanding certificates
Architectural constraints
• Attention if no SFF and no (random) SIL capability with respect to architectural constraints is stated!
• Page two of same certificate (the failure-rate table above)
Conclusion?
SFF computed from the stated failure rates: 89% with PST, 72% without PST
Architectural constraints (route 1H): SIL 1 capable (HFT=0) with/without PST!
Disclaimer:
• Compensation by other parts of same subsystem possible
Data source: Manufacturer homepage
Understanding certificates
Architectural constraints
More explicit certificates do exist:
• SIL capability explicitly given for both systematic and random capability
Criteria for SIL classification
The 3 main criteria of IEC 61508: probability of failure on demand
SIL | Average probability of failure on demand (type of duty: low demand)
SIL 4 | < 10^-4
SIL 3 | < 10^-3
SIL 2 | < 10^-2
SIL 1 | < 10^-1
Criteria for SIL classification
What is an acceptable PFD for an actuator in a SIL 2 SIF?
All Safety Instrumented Systems consist of Sensor – Logic – Actor
⇒ Actuator & actuator controls mustn’t consume the whole allowed PFD!
⇒ The following non-normative breakdown is widely accepted (shown as a chart on the slide, not reproduced in this transcript):
Actuator for SIL 2 should have PFDavg ≲ 2.5·10^-3
Understanding certificates
Probability of failure on demand – PFD:
Example from the Safety Handbook of an actuator rated “SIL 2 capable”:
Safety function: ESD | Product XY
λSD | Safe detected failure rate | … FIT
λSU | Safe undetected failure rate | … FIT
λDD | Dangerous detected failure rate | … FIT
λDU | Dangerous undetected failure rate | … FIT
PFD | Probability of failure on demand (per annum) | 4.1 x 10^-3
SIL | Safety Integrity Level | 2
MTTR | Mean Time to repair* | 12 hours
TI | Proof Test Interval | 12 months
Total budget – PFD for SIL 2: actuator (?) vs. sensor + logic + valve + gearbox (chart not reproduced in this transcript)
Data source: Manufacturer homepage
Proof test interval | 6 mon. | 1 year | 2 years | 3 years | 5 years
PFDavg (IEC 61508-6, B3.2.2, λDU from FMEDA) | 2.25·10^-5 | 4.44·10^-5 | 8.82·10^-5 | 1.32·10^-4 | 2.20·10^-4
(1) Quantitative achievable SIL | SIL 4 | SIL 4 | SIL 4 | SIL 3 | SIL 3
(2) Qualitative achievable SIL | SIL 2 for all intervals (for HFT 0; Type A; 60% ≤ SFF < 90%)
Achievable SIL = Min {(1);(2)} | SIL 2 | SIL 2 | SIL 2 | SIL 2 | SIL 2
Understanding certificates
Probability of failure on demand – PFD:
• PFD depends on failure rate and parameters such as proof test interval, MRT, …
• Achievable SIL as minimum of architectural constraints and PFD
• But: no observance of PFD distribution rules! In this case it doesn’t matter (as anyway limited by architecture)
⇒ Make sure you don’t end up with similar certificates where it does matter!
Data source: Manufacturer homepage
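The PFD checks described on the preceding slides, as an added worked example that is not part of the presentation or of any manufacturer's safety handbook: PFDavg of a single-channel (1oo1) element per the IEC 61508-6 B.3.2.2 formula the table cites, the low-demand SIL bands, the non-normative ≈ 25% actuator budget, and the Min{(1);(2)} rule. λDU = 10 FIT, λDD = 0 and MRT = MTTR = 8 h are assumed values chosen only to land near the table's figures; the slides do not give the FMEDA rate, and `proof_test_sweep` and `actuator_budget` are names chosen here.

```python
# Added example, not from the presentation. Average PFD of a single-channel
# (1oo1) element per IEC 61508-6 B.3.2.2, the low-demand SIL bands, the
# non-normative actuator budget share, and achieved SIL = Min{(1);(2)}.

FIT = 1e-9               # 1 FIT = one failure per 1e9 operating hours
HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lam_du_fit, lam_dd_fit=0.0, t1_hours=HOURS_PER_YEAR,
                 mrt_hours=8.0, mttr_hours=8.0):
    """PFDavg of a 1oo1 channel (IEC 61508-6 B.3.2.2):
       PFD = (λDU + λDD) * tCE
       tCE = λDU/λD * (T1/2 + MRT) + λDD/λD * MTTR
    Rates in FIT; T1 = proof test interval in hours; MRT/MTTR in hours."""
    lam_du = lam_du_fit * FIT
    lam_dd = lam_dd_fit * FIT
    lam_d = lam_du + lam_dd
    if lam_d <= 0:
        return 0.0
    t_ce = (lam_du / lam_d) * (t1_hours / 2 + mrt_hours) \
        + (lam_dd / lam_d) * mttr_hours
    return lam_d * t_ce


def sil_from_pfd(pfd):
    """Low-demand bands from the slide: SIL n requires PFDavg < 10^-n.
    Returns the highest SIL the PFD alone supports; 0 if PFD >= 0.1."""
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** (-sil):
            return sil
    return 0


def actuator_budget(pfd, target_sil, share=0.25):
    """Non-normative rule from the slides: the actuator (incl. controls)
    should consume only about `share` of the SIF's PFD budget, i.e.
    share * 10^-target_sil (2.5e-3 for a SIL 2 SIF).
    Returns (within_budget, budget, fraction_of_total_consumed)."""
    total = 10.0 ** (-target_sil)   # upper limit of the SIL band
    budget = share * total
    return pfd <= budget, budget, pfd / total


def proof_test_sweep(lam_du_fit=10.0, lam_dd_fit=0.0,
                     years=(0.5, 1, 2, 3, 5), arch_sil=2):
    """Shape of the slide's proof-test table: per interval return
    (years, PFDavg, quantitative SIL, achieved SIL = min(quant., arch.)).
    The 10 FIT dangerous-undetected rate is an assumption, not a slide value."""
    rows = []
    for y in years:
        pfd = pfd_avg_1oo1(lam_du_fit, lam_dd_fit, y * HOURS_PER_YEAR)
        quant = sil_from_pfd(pfd)
        rows.append((y, pfd, quant, min(quant, arch_sil)))
    return rows


if __name__ == "__main__":
    # Safety-handbook row from the slide: PFD 4.1e-3 at TI = 12 months, "SIL 2".
    ok, budget, frac = actuator_budget(4.1e-3, target_sil=2)
    print(f"SIL from PFD alone: {sil_from_pfd(4.1e-3)}; within 25% budget "
          f"({budget:.1e})? {ok}; consumes {frac:.0%} of the SIL 2 total")
    for y, pfd, quant, ach in proof_test_sweep():
        print(f"TI {y:>3} y: PFDavg {pfd:.2e}  quant. SIL {quant}  achieved SIL {ach}")
```

The handbook row illustrates the point of the budget rule: a PFD of 4.1·10^-3 does satisfy the SIL 2 band (< 10^-2), but it already consumes 41% of the whole SIF's budget, well above the ≈ 25% share an actuator should take, leaving too little for sensor, logic solver and valve. The sweep shows why the achievable SIL in the proof-test table stays at SIL 2 regardless of interval: the architectural constraint, not the PFD, is the binding criterion.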
Criteria for component evaluation
Additional criteria
• Edition of IEC 61508
• Demand mode
• Safety function
• …
Edition of IEC 61508:
• Edition 1 (1998) ⇔ Edition 2 (2010)
• Certificates state which edition is applied
• Edition 2 is much more restrictive than edition 1
• Significant difference in calculation of SFF ⇒ influence on architectural constraints
• Example – AM controls with SQ.2:
[V2] – Safe OPEN / CLOSE | λS [FIT] | λDD [FIT] | λDU [FIT] | SFF | SIL architectural constraints
IEC 61508 ed. 2 | 21 | 667 | 104 | 86.8% | SIL 2 capable
IEC 61508 ed. 1 | 608 | 667 | 104 | 92.4% | SIL 3 capable
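The SFF arithmetic and the Route 1H lookup behind the architectural-constraints slides and the edition comparison above, as an added worked example that is not part of the presentation or of AUMA's material. It recomputes the 89% / 72% figures from the certificate's failure rates and the 86.8% / 92.4% figures from the edition table, then maps each through the IEC 61508-2 ed. 2 Route 1H bands. Two assumptions are made here because the slides state neither type nor HFT: the certified actuator is treated as Type B with HFT = 0 (the combination that yields the slide's "SIL 1 capable"), and the SQ.2 controls as Type A with HFT = 0 (which yields the slide's "SIL 2" and "SIL 3 capable"); the function and constant names are chosen here.

```python
# Added example, not from the presentation. Safe Failure Fraction (SFF) and
# the IEC 61508-2 Route 1H architectural-constraint lookup, applied to the
# failure-rate figures quoted on the slides.


def sff(lam_s, lam_dd, lam_du):
    """Safe Failure Fraction in percent:
       SFF = (λS + λDD) / (λS + λDD + λDU), with λS = λSD + λSU.
    All rates in the same unit (FIT here), so units cancel."""
    total = lam_s + lam_dd + lam_du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return 100.0 * (lam_s + lam_dd) / total


# Route 1H (IEC 61508-2 ed. 2, Tables 2 and 3): maximum SIL claimable for a
# subsystem from its type, hardware fault tolerance (HFT) and SFF band.
# Each tuple: (exclusive upper SFF bound in %, max SIL for HFT 0, 1, 2).
# Type A = simple, fully characterised hardware; Type B = complex (e.g. with
# microprocessors). 0 means the configuration is not allowed at all.
_ROUTE_1H = {
    "A": ((60, 1, 2, 3), (90, 2, 3, 4), (99, 3, 4, 4), (101, 3, 4, 4)),
    "B": ((60, 0, 1, 2), (90, 1, 2, 3), (99, 2, 3, 4), (101, 3, 4, 4)),
}


def route_1h_sil(sff_percent, element_type, hft):
    """Maximum SIL allowed by the architectural constraints (Route 1H)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for upper, *max_sil in _ROUTE_1H[element_type.upper()]:
        if sff_percent < upper:
            return max_sil[hft]
    raise ValueError("SFF must be a percentage in [0, 100]")


def achieved_sil(systematic_sil, architectural_sil, pfd_sil):
    """The SIL reached is the lowest SIL achieved by any of the 3 criteria."""
    return min(systematic_sil, architectural_sil, pfd_sil)


# Failure rates (FIT) quoted on the certificate slide for an actuator's
# OPEN/CLOSE safety function, without and with partial stroke test (PST).
CERTIFICATE_ROWS = {
    "OPEN/CLOSE without PST": dict(lam_sd=404, lam_su=185, lam_dd=1920, lam_du=974),
    "OPEN/CLOSE with PST":    dict(lam_sd=461, lam_su=185, lam_dd=2510, lam_du=388),
}

# Edition comparison from the slide (AM controls with SQ.2, OPEN/CLOSE): same
# λDD and λDU, but ed. 2 counts far fewer failures as "safe" than ed. 1 did.
EDITION_ROWS = {
    "IEC 61508 ed. 2": dict(lam_s=21, lam_dd=667, lam_du=104),
    "IEC 61508 ed. 1": dict(lam_s=608, lam_dd=667, lam_du=104),
}


def evaluate_certificate(rows=CERTIFICATE_ROWS, element_type="B", hft=0):
    """{name: (SFF %, Route 1H SIL)} per safety function. Type B / HFT 0 is an
    assumption here; it is the combination that yields the slide's 'SIL 1'."""
    result = {}
    for name, r in rows.items():
        s = sff(r["lam_sd"] + r["lam_su"], r["lam_dd"], r["lam_du"])
        result[name] = (round(s, 1), route_1h_sil(s, element_type, hft))
    return result


def compare_editions(rows=EDITION_ROWS, element_type="A", hft=0):
    """{edition: (SFF %, Route 1H SIL)}. Type A / HFT 0 is an assumption; the
    slide states only the resulting 'SIL 2 capable' / 'SIL 3 capable'."""
    return {name: (round(sff(**r), 1), route_1h_sil(sff(**r), element_type, hft))
            for name, r in rows.items()}


if __name__ == "__main__":
    for name, (s, sil) in evaluate_certificate().items():
        print(f"{name:<24} SFF {s:5.1f}%  Route 1H: SIL {sil} capable (HFT 0)")
    for name, (s, sil) in compare_editions().items():
        print(f"{name:<24} SFF {s:5.1f}%  Route 1H: SIL {sil} capable")
    print("Slide example SC 3 / AC 1 / PFD 2 -> achieved SIL", achieved_sil(3, 1, 2))
```

Note how the partial stroke test raises the SFF from 72% to 89% by moving failures from λDU into λDD, yet for a Type B element with HFT = 0 both values fall in the same 60%–90% band, so the architectural constraint still caps the element at SIL 1; only crossing the 90% boundary would change the outcome. The edition rows show the opposite effect: identical dangerous rates, but the ed. 1 count of safe failures pushes the SFF over 90% and the claim from SIL 2 to SIL 3, which is exactly why the slide advises checking which edition a certificate applies.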
Conclusion
Criteria for selection of functional safety products
Subject | Important | Where to find
Process and environmental conditions | Always buy components that match all conditions | Technical documentation
Functionality & seating criteria | All requirements concerning functionality have to be fulfilled; seating criteria for SIF match valve/process requirements | Technical documentation or safety manual
Systematic capability | Must fit your SIL requirement | “SIL” certificate or safety manual
Architectural constraints | Sufficient SFF (according to ed. 2 of IEC 61508) or sufficient evidence for route 2H | “SIL” certificate or safety manual
PFD | Component shall only consume part of allowed PFD (e.g. ≈ 25% for actuator) | “SIL” certificate or safety manual
Edition of IEC 61508 | IEC 61508 ed. 2 much stricter than ed. 1 | “SIL” certificate
Demand mode | Always choose demand mode that fits your application | “SIL” certificate or safety manual
Safety Instrumented Function (SIF) | Only use safety parameters that fit your SIF; make sure that the priority between different SIFs is correct | “SIL” certificate or safety manual