IEC 61508 – IEC 61511 Presentation G.M. International s.r.l


IEC 61508 – IEC 61511 Presentation. G.M. International s.r.l. Document last revised 20 May 2005. G.M. International s.r.l, Via San Fiorano 70, 20058 Villasanta (Milano), ITALY. www.gmintsrl.com, info@gmintsrl.com

Standard Definitions. IEC 61508, title: Standard for Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems. IEC 61511 has been developed as the process-sector implementation of IEC 61508; title: Safety Instrumented Systems for the Process Industry.

Standard History. IEC 61508 was conceived to define and harmonize a method for reducing the risk of harm to people and/or to valuable assets in all environments. IEC 61508 integrates and extends the American standard ISA-S84.01 (1996) and the German standard DIN 19250 (1994).

Standard Requirements

Other related standards.
DIN 19250 (1994). Title: “Fundamental safety aspects to be considered for measuring and control equipment”. Deals with the quantitative risk analysis used in Part 5 of IEC 61508; its classification into AK classes 1-8 is similar to the SIL levels.
ISA-S84.01 (1996). Title: “Application of Safety Instrumented Systems (SIS) for the process industry”. Defines safety lifecycles, assuming that risk analysis and SIL determination have already been carried out.

Fundamental Concepts.
Risk Reduction and Risk Reduction Factor (RRF)
Safety Integrity Level (SIL)
Independence levels and consequences
Probability of Failure on Demand (PFD)
Reliability
Availability
Failure Rate (λ)
Proof Test, interval between two proof tests (T[Proof])
Failure In Time (FIT)
Mean Time To Failure (MTTF)
Mean Time Between Failures (MTBF)
Mean Time To Repair (MTTR)
Safe Failure Fraction (SFF)
Safety Lifecycle
Safety Instrumented System (SIS)

Fundamental Concepts: Risk Reduction. As Low As Reasonably Practicable, or Tolerable Risk (ALARP zone).

Fundamental Concepts Risk Reduction

Fundamental Concepts: Safety Integrity Level (SIL). SIL (Safety Integrity Level), RRF (Risk Reduction Factor), PFDavg (Average Probability of Failure on Demand). SIL table for demand and continuous modes of operation.

Fundamental Concepts: Independence Levels. Assessment independence level as a function of consequences.

Fundamental Concepts: Probability of Failure on Demand. PFDavg / RRF: correlation between Probability of Failure on Demand and Risk Reduction Factor.

Fundamental Concepts: Reliability. Reliability is a function of operating time. All reliability functions start from reliability one and decrease to reliability zero. The device must be successful for an entire time interval. The statement “Reliability = 0.76 for a time of 100,000 hours” makes perfect sense. R(t) = P(T > t).

Fundamental Concepts: Reliability. Reliability is the probability that a device will perform its intended function when required to do so, if operated within its specified design limits. The device's “intended function” must be known. “When the device is required to function” must be judged. “Satisfactory performance” must be determined. The “specified design limits” must be known. Mathematically, reliability is the probability that a device will be successful in the time interval from zero to t, in terms of the random variable T.

Fundamental Concepts: Availability. Availability is the probability that a device is successful at time t. No time interval is involved. A device is available if it is operating. The measure of success is MTTF (Mean Time To Failure).

Fundamental Concepts: MTTF. MTTF is an indication of the average successful operating time of a device (system) before a failure in any mode. MTBF (Mean Time Between Failures): MTBF = MTTF + MTTR, hence MTTF = MTBF - MTTR, where MTTR is the Mean Time To Repair. Since MTBF >> MTTR, MTBF is very close to MTTF in value.

Fundamental Concepts: MTBF and Failure Rate. Relation between MTBF and failure rate λ:
λ = (failures per unit time) / (quantity exposed) = 1 / MTBF
MTBF = 1 / λ = (quantity exposed) / (failures per unit time)

Fundamental Concepts: MTBF - Example. The instantaneous failure rate is commonly used as a measure of reliability. E.g. 300 isolators have been operating for 10 years and 3 failures have occurred. The average failure rate of the isolators is:
λ = (failures per unit time) / (quantity exposed) = 3 / (300 * 10 * 8760) = 0.000000038 per hour = 38 FIT (failures per billion hours) = 38 probabilities of failure in one billion hours.
MTBF = 1 / λ = 303 years (for constant failure rate).
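The failure-rate, FIT and MTBF relations of the last three slides, as an added worked example in Python (not code from the G.M. International slides). It takes the slide's own field data (300 isolators, 10 years, 3 failures); note that for those inputs the arithmetic gives 3 / 26,280,000 = 1.14e-7 per hour (114 FIT) and MTBF = 1000 years, so the example doubles as a check of the figures printed on the slide. The 8-hour MTTR is the conventional repair time quoted later in the presentation.

```python
"""Failure rate, FIT and MTBF arithmetic for constant-failure-rate devices.

Added example, not from the G.M. International slides. The sample inputs are
the slide's field data: 300 isolators, 10 years of operation, 3 failures.
"""

HOURS_PER_YEAR = 8760
FIT_PER_FAILURE_PER_HOUR = 1e9   # 1 FIT = 1 failure per 1e9 device-hours


def failure_rate_per_hour(failures, quantity_exposed, years_in_service):
    """Average failure rate: λ = failures / (quantity exposed * operating hours)."""
    device_hours = quantity_exposed * years_in_service * HOURS_PER_YEAR
    return failures / device_hours


def to_fit(lam_per_hour):
    """Failures per hour -> FIT (failures per 1e9 hours)."""
    return lam_per_hour * FIT_PER_FAILURE_PER_HOUR


def from_fit(fit):
    """FIT -> failures per hour."""
    return fit / FIT_PER_FAILURE_PER_HOUR


def mtbf_hours(lam_per_hour):
    """MTBF = 1/λ, valid only for a constant failure rate (no wear-out)."""
    return 1.0 / lam_per_hour


def mttf_hours(mtbf, mttr):
    """MTBF = MTTF + MTTR, so MTTF = MTBF - MTTR."""
    return mtbf - mttr


def field_summary(failures, quantity_exposed, years_in_service, mttr_hours=8.0):
    """Summarise field data as λ, FIT, MTBF and MTTF (MTTR conventionally 8 h)."""
    lam = failure_rate_per_hour(failures, quantity_exposed, years_in_service)
    mtbf = mtbf_hours(lam)
    return {
        "lambda_per_hour": lam,
        "fit": to_fit(lam),
        "mtbf_years": mtbf / HOURS_PER_YEAR,
        "mttf_years": mttf_hours(mtbf, mttr_hours) / HOURS_PER_YEAR,
    }


if __name__ == "__main__":
    s = field_summary(failures=3, quantity_exposed=300, years_in_service=10)
    print(f"lambda = {s['lambda_per_hour']:.3e} /h = {s['fit']:.0f} FIT")
    print(f"MTBF = {s['mtbf_years']:.0f} years, MTTF = {s['mttf_years']:.3f} years")
```

Because MTTR (hours) is tiny next to MTBF (years), MTTF and MTBF differ only in the fourth decimal place for this device population, which is the point the MTTF slide makes.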

Fundamental Concepts: Failure Rate Categories.
λtot = λsafe + λdangerous
λs = λsd + λsu
λd = λdd + λdu
λtot = λsd + λsu + λdd + λdu
where sd = safe detected, su = safe undetected, dd = dangerous detected, du = dangerous undetected.

Fundamental Concepts: FIT. Failure In Time is the number of failures per one billion device-hours. 1 FIT = 1 failure in 10^9 hours = 10^-9 failures per hour.

Fundamental Concepts: SFF (Safe Failure Fraction). SFF summarizes the fraction of failures which lead to a safe state plus the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
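The failure-rate categories and the SFF definition of the two slides above, as an added Python example (not the presentation's own code). The FIT values in the sample are constructed; the SIL-by-SFF lookup encodes the architectural-constraint tables of IEC 61508-2 (Tables 2 and 3, type A and type B sub-systems against hardware fault tolerance 0, 1 and 2), which is what the type A / type B SFF charts on the following slides depict.

```python
"""Failure-rate categories, Safe Failure Fraction and the IEC 61508-2
architectural-constraint tables (type A / type B, HFT 0-2).

Added example, not code from the G.M. International slides. The FIT values
used in __main__ are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """All rates in FIT (failures per 1e9 hours)."""
    sd: float  # safe detected
    su: float  # safe undetected
    dd: float  # dangerous detected
    du: float  # dangerous undetected

    @property
    def safe(self):
        return self.sd + self.su          # λs = λsd + λsu

    @property
    def dangerous(self):
        return self.dd + self.du          # λd = λdd + λdu

    @property
    def total(self):
        return self.safe + self.dangerous # λtot = λsd + λsu + λdd + λdu


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (λs + λdd) / λtot: safe failures plus dangerous failures that
    diagnostics detect, as a fraction of all failures."""
    return (r.safe + r.dd) / r.total


# Highest SIL claimable for a sub-system (IEC 61508-2 Tables 2 and 3).
# Rows: SFF bands [<60%, 60-<90%, 90-<99%, >=99%]; columns: HFT 0, 1, 2.
# None means the combination is not allowed.
_TYPE_A = [
    (1, 2, 3),
    (2, 3, 4),
    (3, 4, 4),
    (3, 4, 4),
]
_TYPE_B = [
    (None, 1, 2),
    (1, 2, 3),
    (2, 3, 4),
    (3, 4, 4),
]


def _sff_band(sff: float) -> int:
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def max_sil(sff: float, device_type: str, hft: int):
    """Architectural constraint: highest SIL a sub-system may claim from its
    SFF, its type (A: simple, B: complex) and its hardware fault tolerance."""
    table = _TYPE_A if device_type.upper() == "A" else _TYPE_B
    return table[_sff_band(sff)][hft]


if __name__ == "__main__":
    rates = FailureRates(sd=200, su=100, dd=300, du=40)   # constructed values
    sff = safe_failure_fraction(rates)
    print(f"λtot = {rates.total} FIT, λdu = {rates.du} FIT, SFF = {sff:.1%}")
    for t in ("A", "B"):
        print(f"type {t}: max SIL at HFT 0/1/2 =",
              [max_sil(sff, t, hft) for hft in (0, 1, 2)])
```

The same SFF buys one SIL less for a type B (microcontroller-based) device than for a type A device, and a 1oo2 arrangement of the same sub-system (HFT 1) moves the claim one column to the right; the table is a ceiling, not a PFDavg claim, so the PFDavg budget still has to be met separately.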

Fundamental Concepts: Type A SFF Chart. Type A components are described as simple devices with well-known failure modes and a solid history of operation.

Fundamental Concepts: Type B SFF Chart. Type B: “complex” components (using microcontrollers or programmable logic), according to 7.4.3.1.3 of IEC 61508-2.

Fundamental Concepts: HSE Study. Results of a system-failure-cause study done by the English “Health and Safety Executive” (HSE).

Fundamental Concepts: Safety Lifecycle Origin.

Fundamental Concepts: Safety Lifecycle 1/5.

Fundamental Concepts: Safety Lifecycle 2/5. First portion of the overall safety lifecycle: ANALYSIS (end user / consultant).

Fundamental Concepts: Safety Lifecycle 3/5. Realisation activities in the overall safety lifecycle.

Fundamental Concepts: Safety Lifecycle 4/5. Safety lifecycle for the E/E/PES (Electrical / Electronic / Programmable Electronic) safety-related system (IEC 61508, Part 2).

Fundamental Concepts: Safety Lifecycle 5/5. Last portion of the overall safety lifecycle: OPERATION (end user / contractor).

Fundamental Concepts: SIS. SIS (Safety Instrumented System) according to IEC 61508 and IEC 61511.

Safety Instrumented Systems. IEC 61511: Safety Instrumented Systems for the Process Industry. IEC 61511 has been developed as the process-sector implementation of IEC 61508. The safety lifecycle forms the central framework which links together most of the concepts in this standard; it evaluates process risks and SIS performance requirements (availability and risk reduction). Layers of protection are designed and analysed. A SIS, if needed, is optimally designed to meet the particular process risk.

IEC 61511: process sector system standard.

IEC 61511 Parts. The standard is divided into three parts:
Part 1: Framework, definitions, system, hardware and software requirements.
Part 2: Guidelines for the application of IEC 61511-1.
Part 3: Guidelines for the application of hazard and risk analysis.

IEC 61511 Part 3: Guidelines for the application of hazard and risk analysis.

Failure Modes and Effects Diagnostic Analysis (FMEDA). FMEDA is one of the steps taken to achieve the functional safety assessment of a device per IEC 61508, and is considered a systematic way to: identify and evaluate the effects of each potential component failure mode; classify failure severity; determine what could eliminate or reduce the chance of failure; document the system (or sub-system) under analysis.

FMEDA. The following assumptions are usually made during the FMEDA:
Constant failure rates (wear-out mechanisms not included).
Propagation of failures is not relevant.
Repair time = 8 hours.
Stress levels according to IEC 60654-1, Class C (sheltered location), with temperature limits within the manufacturer's rating and an average temperature over a long period of time of 40°C.

FMEDA

1oo1 Architecture. PFDavg(T1) = λdd * RT + λdu * T1/2. Because RT (average repair time) is << T1: PFDavg = λdu * T1/2. For the loop, λdu = λdu(sensor) + λdu(isolator) + λdu(controller) + λdu(final element). The SIL of the loop is the lowest SIL among its elements.

1oo2 Architecture. PFDavg = λduc * (T1/2) + λddc * RT + (λddn * RT)^2 + (λddn * RT * λdun * T1)^2/2 + (λdun * T1)^2/3. Simplified form: PFDavg = (λdun * T1)^2/2 + (λdun * T1)^2/3.

2oo3 Architecture. PFDavg = λduc * (T1/2) + 3 * [λddc * RT + (λddn * RT)^2 + (λddn * RT * λdun * T1)^2/2 + (λdun * T1)^2/3].
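The 1oo1, 1oo2 and 2oo3 expressions of the three slides above, as an added Python example (not the presentation's own code). The functions implement the formulas exactly as transcribed on the slides, subscripts c and n included; the sample run uses the D1014 isolator's λdu = 34 FIT and T1 = 1 year quoted later in the presentation, so the 1oo1 and simplified 1oo2 results can be compared with the 148920 FIT and 75 FIT figures there.

```python
"""PFDavg for 1oo1, 1oo2 and 2oo3 voting architectures, using the
expressions as written on the slides.

Added example, not code from the G.M. International slides. Rates are in
failures per hour (fit() converts from FIT), T1 is the proof-test interval
in hours, RT the repair time in hours (8 h by convention).
"""
HOURS_PER_YEAR = 8760


def fit(n):
    """Convert a rate in FIT to failures per hour."""
    return n * 1e-9


def pfd_1oo1(ldu, T1, ldd=0.0, RT=8.0):
    """PFDavg = λdd*RT + λdu*T1/2; with RT << T1 the λdd term is negligible."""
    return ldd * RT + ldu * T1 / 2


def pfd_1oo2(ldun, T1, lduc=0.0, lddn=0.0, lddc=0.0, RT=8.0):
    """Full 1oo2 expression from the slide (subscripts c and n as on the slide)."""
    return (lduc * T1 / 2
            + lddc * RT
            + (lddn * RT) ** 2
            + (lddn * RT * ldun * T1) ** 2 / 2
            + (ldun * T1) ** 2 / 3)


def pfd_1oo2_simplified(ldun, T1):
    """Simplified 1oo2 form the slides use for the D1014D figure."""
    return (ldun * T1) ** 2 / 2 + (ldun * T1) ** 2 / 3


def pfd_2oo3(ldun, T1, lduc=0.0, lddn=0.0, lddc=0.0, RT=8.0):
    """2oo3 from the slide: the bracketed 1oo2 terms (everything except the
    λduc term) are counted three times."""
    bracket = pfd_1oo2(ldun, T1, 0.0, lddn, lddc, RT)
    return lduc * T1 / 2 + 3 * bracket


def improvement_factor(ldu, T1):
    """How many times smaller the simplified 1oo2 PFDavg is than 1oo1."""
    return pfd_1oo1(ldu, T1) / pfd_1oo2_simplified(ldu, T1)


if __name__ == "__main__":
    T1 = 1 * HOURS_PER_YEAR
    ldu = fit(34)   # λdu of the D1014 isolator stated on the later slides
    print(f"1oo1 : {pfd_1oo1(ldu, T1):.4e}  ({pfd_1oo1(ldu, T1) * 1e9:.0f} 'FIT')")
    print(f"1oo2 : {pfd_1oo2_simplified(ldu, T1):.4e}  "
          f"({pfd_1oo2_simplified(ldu, T1) * 1e9:.1f} 'FIT')")
    print(f"2oo3 : {pfd_2oo3(ldu, T1):.4e}")
    print(f"1oo2 is {improvement_factor(ldu, T1):.0f} times smaller than 1oo1")
```

With these inputs the 1oo1 result is 1.4892e-4 and the simplified 1oo2 result 7.39e-8, roughly 2000 times smaller, which reproduces the comparison drawn on the D1014S / D1014D slide. Note that the 1oo2 formula is quadratic in λdu * T1, so lengthening the proof-test interval hurts a 1oo2 sub-system much less than a 1oo1 one.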

SIL3 using SIL2 sub-systems. SIL3 control loop or safety function using SIL2 sub-systems in 1oo2 architecture.

Safety Manual. A safety manual is a document provided to users of a product that specifies their responsibilities for installation and operation in order to maintain the design safety level. The following information shall be available for each safety-related sub-system:

Safety Manual Requirements.
Functional specification and safety function.
Estimated rate of failure in any mode which would cause both undetected and detected dangerous failures of the safety function.
Environmental and lifetime limits for the sub-system.
Periodic proof tests and/or maintenance requirements; T proof test time interval.
Information necessary for PFDavg, MTTR, MTBF, SFF, λdu, λtotal.
Hardware fault tolerance and failure categories.
Highest SIL that can be claimed (not required for proven-in-use sub-systems).
Documentary evidence for the sub-system's validation (EXIDA).
Proof test procedures to reveal dangerous faults which are undetected by diagnostic tests.

Using the Safety Manual: Standard references. Remembering that: SIL (Safety Integrity Level), RRF (Risk Reduction Factor), PFDavg (Average Probability of Failure on Demand). SIL table for “high” and “low” demand modes of operation.

Using the Safety Manual: Standard references. Remembering the definitions given for type “A” and “B” components, sub-systems, and the related SFF values.

Using the Safety Manual: Loop PFDavg calculation. 1oo1 typical control loop: PFDavg(sys) = PFDavg(tx) + PFDavg(i) + PFDavg(c) + PFDavg(fe) (transmitter, isolator, controller, final element).

Using the Safety Manual: Loop PFDavg calculation. For calculating the entire loop's reliability (loop PFDavg), the PFDavg value of each sub-system must first be found and be given a proportional value (“weight”) relative to the total of 100%. This duty is usually assigned to the personnel in charge of the plant's safety, process and maintenance.

Using the Safety Manual: Loop PFDavg calculation. Equation for a 1oo1 loop, where:
RT = repair time in hours (conventionally 8 hours)
T1 = T proof, time between circuit functional tests (1, 5 or 10 years)
λdd = failure rate for detected dangerous failures
λdu = failure rate for undetected dangerous failures

Using the Safety Manual: Loop PFDavg calculation. If T1 = 1 year, the λdd term becomes λdd * 8 and the λdu term becomes λdu * 4380; but λdd * 8 is far smaller than λdu * 4380.

Using the Safety Manual: Example 1. PFDavg = λdu * T1/2. For D1014, λdu is equal to 34 FIT (see manual). Therefore PFDavg = 34 * 10^-9 * 4380 = 0.000148920 = 148920 FIT.

Using the Safety Manual: Example 2. The “weights” of each sub-system in the loop must be verified against the PFDavg of the expected SIL level and the data from the device's safety manual. For example, supposing SIL 2 is to be achieved by the loop on the right in low demand mode: PFDavg(sys) is between 10^-3 and 10^-2 per year; the “weight” of the D1014 isolator is 10%; therefore PFDavg(i) should be between 10^-4 and 10^-3 per year.

Using the Safety Manual: Example 2. Given the table above (in the safety manual), the conclusions are: since D1014 is a type A component with SFF = 90%, it can be used in both SIL 2 and SIL 3 applications. PFDavg with T proof = 1 yr allows SIL 3 applications; with T proof = 5 yr, SIL 2 applications; with T proof = 10 yr, SIL 1 applications.
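The loop PFDavg summation, the sub-system "weight" budget of Example 2 and the SIL lookup of the standard-references slide, as one added Python example (not the presentation's own code). The SIL bands are the low-demand PFDavg bands of IEC 61508-1 Table 2 only; the D1014's λdu = 34 FIT and the 10% weight come from the slides, while the λdu values of the transmitter, controller and final element are constructed. The safety manual's own SIL-versus-T-proof table is not reproduced on the page, so the proof-interval sweep at the end shows what the standard's PFDavg bands alone give, and a manufacturer's table may be more restrictive.

```python
"""Low-demand SIL lookup and 1oo1 loop PFDavg budgeting with sub-system
"weights".

Added example, not code from the G.M. International slides. Only the D1014
isolator's λdu (34 FIT) and the 10% weight are taken from the slides; the
other λdu values below are constructed.
"""
HOURS_PER_YEAR = 8760

# Low demand mode (IEC 61508-1 Table 2): SIL -> PFDavg band, upper bound exclusive.
LOW_DEMAND_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def sil_from_pfd(pfd):
    """Highest SIL whose PFDavg band contains pfd; None if pfd >= 1e-1."""
    for sil, (lo, hi) in LOW_DEMAND_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def pfd_1oo1(ldu_per_hour, T1_hours):
    """1oo1 sub-system with RT << T1: PFDavg = λdu * T1/2."""
    return ldu_per_hour * T1_hours / 2


def loop_pfd(sub_pfds):
    """1oo1 loop: PFDavg(sys) = PFDavg(tx) + PFDavg(i) + PFDavg(c) + PFDavg(fe)."""
    return sum(sub_pfds.values())


def weight_budget(target_sil, weight):
    """PFDavg band a sub-system may use when given `weight` of the loop's
    target-SIL band (Example 2: SIL 2 and 10% -> 1e-4 .. 1e-3)."""
    lo, hi = LOW_DEMAND_BANDS[target_sil]
    return lo * weight, hi * weight


def within_budget(pfd, budget):
    """True when the sub-system's PFDavg falls inside its weighted band."""
    lo, hi = budget
    return lo <= pfd < hi


def pfd_by_proof_interval(ldu_per_hour, years=(1, 5, 10)):
    """PFDavg of a 1oo1 sub-system for the proof-test intervals quoted on the slides."""
    return {y: pfd_1oo1(ldu_per_hour, y * HOURS_PER_YEAR) for y in years}


if __name__ == "__main__":
    T1 = HOURS_PER_YEAR
    ldu_fit = {"tx": 500, "i": 34, "c": 200, "fe": 800}   # constructed except "i"
    subs = {k: pfd_1oo1(v * 1e-9, T1) for k, v in ldu_fit.items()}
    total = loop_pfd(subs)
    print(f"loop PFDavg = {total:.3e} -> SIL {sil_from_pfd(total)}")
    budget = weight_budget(2, 0.10)
    print(f"isolator PFDavg {subs['i']:.3e} within 10% budget "
          f"[{budget[0]:.0e}, {budget[1]:.0e}): {within_budget(subs['i'], budget)}")
    for y, p in pfd_by_proof_interval(34e-9).items():
        print(f"T proof = {y:2d} yr: PFDavg = {p:.3e} -> SIL {sil_from_pfd(p)}")
```

The weighting step matters because a single sub-system that consumes most of the loop's PFDavg band leaves the others no room: checking each element against its weighted band, rather than only the total, is what the "weights" on the slide are for.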

Using the Safety Manual: 1oo2 architecture. What happens if the total PFDavg does not reach the wanted SIL 2 level, or the end user requires the higher SIL 3 level? The solution is to use a 1oo2 architecture, which offers a very low PFDavg, thus increasing the probability of fail-safe failures.

Using the Safety Manual: 1oo2 architecture. For D1014S (1oo1): PFDavg = λdu * T1/2 = 148920 FIT. For D1014D (1oo2): PFDavg = (λdun * T1)^2/2 + (λdun * T1)^2/3 = 75 FIT. In this case a 1oo2 architecture gives a PFDavg 2000 times smaller for the sub-system.

Using the Safety Manual: Final considerations.
Always check that the safety manual contains the information necessary for the calculation of the SFF and PFDavg values.
Between alternative suppliers, choose the one that offers: the highest SIL level, the highest SFF value, the longest T[proof] interval for the same SIL level, the lowest PFDavg for the same T[proof].
For units with more than one channel and only one power supply circuit, the safety function allows the use of only one channel; using both channels is allowed only when supply is provided by two independent power circuits (as in the D1014D).
Check that the safety manual provides all the proof test procedures needed to detect dangerous undetected faults.

Credits and Contacts. G.M. International s.r.l, Via San Fiorano 70, 20058 Villasanta (Milan), ITALY. www.gmintsrl.com, info@gmintsrl.com. TR Automatyka Sp. z o.o., ul. Lechicka 14, 02-156 Warszawa, POLAND. www.trautomatyka.pl, biuro@trautomatyka.pl. Document last revised 20 May 2005.