Product & Technology: Quality. Excellence. Support.
SIL Explanation
27.JAN 2006
Automation & Safety
MAC - A.Wenigenrath - 26.JAN 06 - English
Machine Control Industrial Presence Sensors / Control and Signaling / Machine Safety
Functional Safety and Safety Integrity Level (SIL)

New Technologies for the Safety of Machinery

Machine safety is a fast-growing segment of industrial automation, driven by new technologies such as safety field buses and safety integrated in drives, along with the development of international safety standards. New safety technologies such as safety PLCs or safety field buses require the use of highly complex electronic components such as microcontrollers and, of course, the use of firmware and software. The revision of the existing ISO standard (equivalent to EN 954-1) and the new standards within the IEC/EN framework take the use of these new technologies in safety products and solutions into account and provide guidelines for calculating the probability of failures. With these new technologies and standards, worker safety and cost savings can be realised through an intelligent safety strategy.
New Standards for the Safety of Machinery

Today, more and more devices and products dedicated to the safety of machinery incorporate complex and programmable electronic systems. Because of the complexity of programmable electronic systems, it is in practice difficult to determine the behaviour of such a safety device in the case of a fault. The standard IEC/EN with the title "Functional safety of electrical/electronic/programmable electronic safety-related systems" therefore provides a new approach by considering the reliability of safety functions. It is a basic safety standard for industry and for the process sectors. IEC/EN is the machine-sector-specific standard within the IEC/EN framework; EN is harmonised under the European Machinery Directive. The Safety Integrity Level (SIL) is the new measure defined in IEC for the probability of failures in a safety function or a safety-related system.

Note: IEC = International Electrotechnical Committee, EN = European Norm
Sector-specific standards for the Process Industry and Machinery

IEC/EN: Functional safety of electrical / electronic / programmable electronic safety-related systems
– Process: IEC/EN
– Machines: prEN ISO *, IEC/EN
– Software: IEC/EN
– Safety of systems and equipment: EN 954-1*, Safety-related parts of control systems

* Covering the non-electrical technologies, e.g. hydraulics...
Definition of Functional Safety according to IEC/EN

Safety is freedom from unacceptable risk (from ISO/IEC Guide 51).

Functional safety is the part of the overall safety that relates to the EUC and the EUC control system. It depends on the correct functioning of the E/E/PE safety-related systems, other-technology safety-related systems and external risk reduction facilities.

Note: EUC = equipment under control; E/E/PE = electrical / electronic / programmable electronic

Safety Integrity Level (SIL): the scale of the achieved functional safety is divided into 4 levels*. It depends on the probability of dangerous failures together with the fault tolerance, and on the quality with which freedom from systematic faults is ensured.

* Note: Safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 the lowest.
Risk reduction according to IEC/EN

Safety is achieved by risk reduction (for those hazards that cannot be designed out). Residual risk is the risk remaining after protective measures have been taken. Protective measures realised by E/E/PE safety-related systems contribute to risk reduction.

Note: EUC = equipment under control; E/E/PE = electrical / electronic / programmable electronic

[Figure: risk scale from residual risk through tolerable risk to EUC risk, with increasing risk to the right. The necessary risk reduction spans from the EUC risk down to the tolerable risk; the actual risk reduction, achieved by all safety-related systems and external risk reduction facilities, is made up of the practical risk covered by other-technology safety-related systems, by E/E/PE safety-related systems and by external risk reduction facilities.]
The safety integrity levels consider the probability of failures

For machinery, the probability of dangerous failures per hour of a control system is denoted in IEC/EN as the PFHd.

IEC considers two modes of operation:
– high demand or continuous mode, where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof-check frequency; or
– low demand mode, where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof-test frequency.

The low demand mode is not considered in IEC/EN to be relevant for safety applications on machinery!

SIL 4 is not considered in IEC/EN 62061, as it is not relevant to the risk reduction requirements normally associated with machinery.
The safety integrity levels are identified by the probability of failures

The rate of failures can be expressed as follows:
λ = λs + λdd + λdu
(λs = rate of safe failures, λdd = rate of detected dangerous failures, λdu = rate of undetected dangerous failures)

In practice, detected dangerous failures are dealt with by fault reaction functions.

The calculation of the PFHd for a system or subsystem depends on several parameters:
– the dangerous failure rate (λd) of the subsystem elements
– the fault tolerance (e.g. redundancy) of the system
– the diagnostic test interval (T2)
– the proof test interval (T1) or the lifetime, whichever is smaller
– the susceptibility to common cause failures (β)

For each of the four different logical architectures A to D there is a different formula to calculate the PFHd. (The principal relationship is: PFHd = λd × 1 h)
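The failure-rate bookkeeping of this slide, worked through in code as an added example (not code from the deck or from the standards): the split λ = λs + λdd + λdu, the single-channel relationship PFHd = λd × 1 h, and the placement of a PFHd value into the high/continuous-demand SIL bands of IEC 61508. The rule that a safety function made of subsystems in series (sensor, logic, actuator) has a PFHd equal to the sum of the subsystem values is taken from IEC 62061 as the author of this example knows it; the FIT values are constructed.

```python
"""Failure rates, PFHd and SIL bands (added illustration, not from the deck)."""
from dataclasses import dataclass

FIT = 1e-9  # one FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class FailureRates:
    """Per-hour failure rates of one element: lambda = lambda_s + lambda_dd + lambda_du."""
    safe: float                  # lambda_s
    dangerous_detected: float    # lambda_dd, handled by a fault reaction function
    dangerous_undetected: float  # lambda_du, the part that actually threatens the function

    @classmethod
    def from_fit(cls, safe, dangerous_detected, dangerous_undetected):
        return cls(safe * FIT, dangerous_detected * FIT, dangerous_undetected * FIT)

    @property
    def total(self):
        return self.safe + self.dangerous_detected + self.dangerous_undetected

    @property
    def dangerous(self):
        # lambda_d: every dangerous failure, detected or not
        return self.dangerous_detected + self.dangerous_undetected


def pfhd_single_channel(rates):
    """Principal relationship from the slide: PFHd = lambda_d x 1 h (no redundancy credit)."""
    return rates.dangerous * 1.0


def pfhd_safety_function(subsystem_pfhd):
    """PFHd of a safety function whose subsystems are in series: the sum (IEC 62061 rule)."""
    return sum(subsystem_pfhd)


# High/continuous demand bands of IEC 61508 (lower bound inclusive, upper exclusive).
# SIL 4 is listed for completeness; IEC 62061 does not use it for machinery.
SIL_BANDS = (
    ("SIL4", 1e-9, 1e-8),
    ("SIL3", 1e-8, 1e-7),
    ("SIL2", 1e-7, 1e-6),
    ("SIL1", 1e-6, 1e-5),
)


def sil_high_demand(pfhd):
    """SIL whose PFHd band contains the value; None if PFHd >= 1e-5 /h (no SIL claim)."""
    if pfhd < 1e-9:
        return "SIL4"  # below the lowest boundary the claim is still capped at SIL 4
    for name, low, high in SIL_BANDS:
        if low <= pfhd < high:
            return name
    return None


def sil_machinery(pfhd):
    """Same bands with SIL 4 excluded as in IEC 62061: better than SIL 3 is reported as SIL 3."""
    sil = sil_high_demand(pfhd)
    return "SIL3" if sil == "SIL4" else sil


if __name__ == "__main__":
    # Constructed example: three subsystems of one safety function, rates in FIT
    sensor = FailureRates.from_fit(safe=100, dangerous_detected=40, dangerous_undetected=10)
    logic = FailureRates.from_fit(safe=300, dangerous_detected=9, dangerous_undetected=1)
    actuator = FailureRates.from_fit(safe=200, dangerous_detected=0, dangerous_undetected=20)
    parts = [pfhd_single_channel(x) for x in (sensor, logic, actuator)]
    total = pfhd_safety_function(parts)
    print(f"PFHd per subsystem: {parts}")
    print(f"PFHd of the safety function: {total:.2e} /h -> {sil_machinery(total)}")
```

The single-channel function deliberately ignores redundancy, diagnostic intervals and β: those are exactly the parameters the slide says the architecture-specific formulas A to D add on top of the principal relationship.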
Risk graph of IEC/EN (given as an example in an informative Annex)

a, b, c, d, e, f, g, h represent the necessary minimum risk reduction. The link between the necessary minimum risk reduction and the safety integrity level is shown in the table.

[Figure: risk graph. Starting point for risk reduction estimation; branches by C1 to C4, then F1/F2, then P1/P2; the columns W3, W2 and W1 give the required risk reduction a to h, or "-".]

C = Consequence risk parameter
F = Frequency and exposure time risk parameter
P = Probability of avoiding hazard risk parameter
W = Probability of unwanted occurrence
a, b, c, ... h = Estimates of the required risk reduction for the SRSs
Risk parameters given as an example in IEC/EN 61508
Safety of Machinery and Functional Safety

Machinery: Risk estimation and SIL assignment of IEC/EN (given as an example in an informative Annex)

[Figure: the risk related to the identified hazard is a function of the severity of the possible harm (Se) and the probability of occurrence of that harm; the latter is made up of the frequency and duration of exposure (Fr), the probability of occurrence of a hazardous event (Pr) and the probability of avoiding or limiting harm (Av).]
Machinery: Risk parameter examples of IEC/EN

List all the possible hazards of the machine, determine the parameters according to the tables and fill in the values. The class Cl is the sum: Cl = Fr + Pr + Av
Machinery: Determination of the required SIL. Example according to IEC/EN
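The two previous slides describe the machinery risk estimation: score Fr, Pr and Av for each hazard, add them to the class Cl, then read the required SIL from a matrix of severity Se against Cl. As an added example (not the deck's or the standard's own code), the procedure is implemented below for a list of hazards. The slides' tables were lost in extraction, so the point values and the Se/Cl matrix are reproduced from IEC 62061 Annex A as the author of this example knows them and should be checked against the edition you work to; the hazards at the bottom are constructed.

```python
"""Required-SIL determination: Cl = Fr + Pr + Av, then Se x Cl matrix (added example)."""
from dataclasses import dataclass

# Frequency and duration of exposure -> Fr
FR = {"<=1h": 5, ">1h to <=1day": 5, ">1day to <=2weeks": 4, ">2weeks to <=1year": 3, ">1year": 2}
# Probability of occurrence of a hazardous event -> Pr
PR = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
# Probability of avoiding or limiting harm -> Av
AV = {"impossible": 5, "rarely": 3, "probable": 1}
# Severity Se: 4 = irreversible (death, loss of eye or arm), 3 = irreversible (broken limb),
# 2 = reversible (medical attention), 1 = reversible (first aid)

CL_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))
# One row per Se, one column per Cl band. "OM" = other measures recommended;
# None = no SIL requirement results from this matrix.
SIL_MATRIX = {
    4: ("SIL2", "SIL2", "SIL2", "SIL3", "SIL3"),
    3: ("OM",   "SIL1", "SIL2", "SIL3", "SIL3"),
    2: (None,   "OM",   "SIL1", "SIL2", "SIL3"),
    1: (None,   None,   "OM",   "SIL1", "SIL2"),
}


@dataclass(frozen=True)
class Hazard:
    name: str
    se: int
    fr: str
    pr: str
    av: str


def risk_class(fr, pr, av):
    """Cl = Fr + Pr + Av, as on the slide."""
    return FR[fr] + PR[pr] + AV[av]


def required_sil(se, cl):
    """Look up the Se row and the Cl band column of the SIL assignment matrix."""
    if se not in SIL_MATRIX:
        raise ValueError(f"Se must be 1..4, got {se}")
    for column, (low, high) in enumerate(CL_BANDS):
        if low <= cl <= high:
            return SIL_MATRIX[se][column]
    raise ValueError(f"Cl out of range 3..15: {cl}")


def assess(hazards):
    """Fill in the risk assessment form: one (name, Cl, required SIL) row per hazard."""
    rows = []
    for h in hazards:
        cl = risk_class(h.fr, h.pr, h.av)
        rows.append((h.name, cl, required_sil(h.se, cl)))
    return rows


if __name__ == "__main__":
    # Constructed hazards for a hypothetical press; values are illustrative only.
    hazards = [
        Hazard("crushing between tool and die", se=4, fr=">1h to <=1day", pr="possible", av="rarely"),
        Hazard("pinching at the feed roller", se=2, fr="<=1h", pr="likely", av="probable"),
        Hazard("contact with a hot surface", se=1, fr=">1year", pr="rarely", av="probable"),
    ]
    for name, cl, sil in assess(hazards):
        print(f"{name:32s} Cl={cl:2d} -> {sil}")
```

Note how the same Cl can lead to different SILs depending on Se: the class only captures the probability side of the risk, the severity row supplies the consequence side.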
Machinery: Risk assessment form given as an example in IEC/EN 62061
Safety of Machinery: prEN ISO, definition of MTTFd

Instead of a failure rate per hour (λ), prEN ISO uses the mean time to failure (MTTF) as the parameter for the probability of failures.

MTTF = mean time to failure [years]
– The mean time after installation of devices to any first failure.
– The relation between λ and MTTF is: MTTF = 1/λ

MTBF = mean time between failures
– Not relevant for devices which are not repaired.

MTTFd = mean time to dangerous failure
– The MTTFd is defined in prEN ISO as the expectation of the mean time to dangerous failure of a safety-related part of a control system.
Safety of Machinery: new parameters of prEN ISO

prEN ISO adds three new parameters to the requirements of the categories of EN in order to determine the Performance Level (PL):

MTTFd = mean time to dangerous failure
– Three levels of MTTFd are defined in this standard in order to classify the requirements of the categories and the performance levels (PL).

DC = diagnostic coverage
– DC = λdd / λd total

CCF = common cause failure
– This parameter describes the failure of different items resulting from a single event. (The CCF can be estimated with the help of table I.1 in annex I of prEN ISO.)
Safety of Machinery: prEN ISO risk graph and parameters

[Figure: risk graph. Starting point for the evaluation of the contribution to the risk reduction of a safety function; branches by S1/S2, then F1/F2, then P1/P2, leading to the required performance level (PLr) a to e, from a low contribution to risk reduction (a) to a high contribution (e).]

S = Severity of injury
– S1 = Slight (normally reversible) injury
– S2 = Serious (normally irreversible) injury, including death
F = Frequency and/or exposure time to the hazard
– F1 = Seldom to less often and/or the exposure time is short
– F2 = Frequent to continuous and/or the exposure time is long
P = Possibility of avoiding the hazard or limiting the harm
– P1 = Possible under specific conditions
– P2 = Scarcely possible
Safety of Machinery: prEN ISO, probability of dangerous failure and performance level (PL)

Unlike the pure categories, the performance levels now also refer to failure rates per hour required for the safety-related parts of the control system. The relation between the categories, the PL and the SIL is the following:

[Table: relation between the categories, the PL and the SIL]
Safety of Machinery: prEN ISO relationship between categories, DC, MTTFd and PL

[Figure: bar chart of the PL achievable for each category and DC, with one bar each for MTTFd of each channel = low, medium and high.]

* In several applications the realisation of performance level c by category 1 may not be sufficient. In this case a higher category, e.g. 2 or 3, should be chosen.
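The last five slides sketch the prEN ISO route from failure data to a Performance Level: MTTFd = 1/λ, DC = λdd/λd, the classification of MTTFd and DC into levels, the combination of category, DC and MTTFd into an achieved PL, the required PL from the risk graph, and the relation of PL to failure rate and SIL. The added example below (not code from the deck or from the standard) carries one channel through that route and checks the achieved PL against the required one. Because the slides' figures and tables were lost, the band boundaries, the category/DC/MTTFd lookup, the PFHd range per PL, the PL to SIL relation and the risk graph are reproduced from the published EN ISO 13849-1 as the author of this example knows them; treat them as assumptions to verify. The rates are constructed.

```python
"""MTTFd, DC, achieved PL vs required PL (added example, not from the deck)."""
HOURS_PER_YEAR = 8760.0


def mttfd_years(lambda_d_per_hour):
    """MTTFd = 1 / lambda_d, converted from hours to the years the standard works in."""
    return 1.0 / lambda_d_per_hour / HOURS_PER_YEAR


def diagnostic_coverage(lambda_dd, lambda_du):
    """DC = lambda_dd / lambda_d total; any common unit (e.g. FIT) cancels out."""
    return lambda_dd / (lambda_dd + lambda_du)


def mttfd_band(years):
    """Three MTTFd levels per channel; below 3 years is not acceptable, above 100 is capped."""
    if years < 3:
        return None
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(dc):
    """DC levels: none < 60 %, low 60..90 %, medium 90..99 %, high >= 99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Simplified procedure: (category, DC band) -> MTTFd band -> PL; None = not achievable.
PL_TABLE = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": "b"},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

# PFHd range per PL in 1/h (lower inclusive, upper exclusive) and the PL -> SIL relation.
PL_PFHD = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6), "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}
PL_TO_SIL = {"a": None, "b": "SIL1", "c": "SIL1", "d": "SIL2", "e": "SIL3"}

# Risk graph: (S, F, P) -> required PL (PLr); a = low, e = high contribution to risk reduction.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}


def required_pl(s, f, p):
    return RISK_GRAPH[(s, f, p)]


def achieved_pl(category, dc, mttfd_per_channel_years):
    """Category + DC band + MTTFd band -> PL, or None if the combination is not allowed."""
    row = PL_TABLE.get((category, dc_band(dc)))
    band = mttfd_band(mttfd_per_channel_years)
    if row is None or band is None:
        return None
    return row[band]


def pl_sufficient(achieved, required):
    """PL letters are ordered a < b < c < d < e, so string comparison is enough."""
    return achieved is not None and achieved >= required


if __name__ == "__main__":
    # Constructed channel data in FIT: 1800 FIT detected, 200 FIT undetected dangerous failures
    lambda_dd, lambda_du = 1800, 200
    lambda_d = (lambda_dd + lambda_du) * 1e-9  # per hour
    years = mttfd_years(lambda_d)
    dc = diagnostic_coverage(lambda_dd, lambda_du)
    pl = achieved_pl("3", dc, years)
    plr = required_pl(2, 1, 2)
    print(f"MTTFd = {years:.1f} years ({mttfd_band(years)}), DC = {dc:.2f} ({dc_band(dc)})")
    print(f"Category 3 achieves PL {pl} ({PL_TO_SIL[pl]}); PLr = {plr}; sufficient: {pl_sufficient(pl, plr)}")
```

The lookup reproduces the footnote of the slide: category 1 reaches PL c only with a high MTTFd, and the table offers nothing at all for category 1 with a low or medium MTTFd, which is why a higher category is the usual way out.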