IEC 61508 IEC 61511 Presentation

1
IEC 61508 IEC 61511Presentation
Document last revised 20 May 2005
G.M. International s.r.l Via San Fiorano,
70 20058 Villasanta (Milano) ITALY www.gmintsrl.co
m info_at_gmintsrl.com
2
Standard Definitions

• Title Standard for Functional Safety of
• Electrical / Electronic / Programmable Electronic
• Safety-Related System
• IEC 61511 has been developed as a
• Process Sector of IEC 61508
• Title Safety Instrumented Systems for the
• Process Industry

3
Standard History

• The IEC 61508 was conceived to define and
  harmonize a method to reduce risks of human
  and/or valuable harms in all environments.
• The IEC 61508 integrates and extends
• American Standard ISA-S84.01 (1996)
• and German DIN 19250 (1994).

4
Standard Requirements
5
Other related standards

• DIN 19250 (1994)
• Title Fundamental Safety aspects to be
  considered for measuring and control equipment
• Deals with Quantitative Risk Analysis used for
  Part 5 of IEC 61508, classification in AK classes
  1-8 similar to SIL levels
• ISA-S84.01 (1996)
• Title Application of Safety Instrumented
  Systems (SIS) for the process industry
• Defines Safety Lifecycles assuming Risk analysis
  and SIL been carried out.

6
Fundamental Concepts

• Risk Reduction and Risk Reduction Factor (RRF)
• Safety Integrity Level (SIL)
• Independence Levels and consequences
• Probability of Failure on Demand (PFD)
• Reliability
• Availability
• Failure Rate (?)
• Proof Test Interval between two proof tests
  (TProof)
• Failure In Time (FIT)
• Mean Time To Failure (MTTF)
• Mean Time Between Failure (MTBF)
• Mean Time To Repair (MTTR)
• Safe Failure Fraction (SFF)
• Safety Lifecycle
• Safety Instrumented System (SIS)

7
Risk Reduction
Fundamental Concepts
As Low As Reasonably Practicable or Tollerable
Risk (ALARP ZONE)
8
Risk Reduction
Fundamental Concepts
9
Safety Integrity Level (SIL)
Fundamental Concepts

• SIL levels (Safety Integrity Level)
• RRF (Risk Reduction Factor)
• PFD avg (Average Probability of Failure on
  Demand)
• SIL Table for Demand and Continuous mode of
  Operation

10
Independence Levels
Fundamental Concepts

• Assessement Independence Level
• as a function of consequences

11
PFDavg / RRF
Fundamental Concepts
Correlation between Probability of Failure on
Demand and Risk Reduction Factor
12
Reliability
Fundamental Concepts

• Reliability is a function of operating time.
• All reliability functions start from reliability
  one and decrease to reliability zero. The device
  must be successful for an entire time interval.
• The statement Reliability 0.76 for a time of
  100.000 hs makes perfect sense.
• R(t) P(Tgtt)

13
Reliability
Fundamental Concepts

• Reliability is the probability that a device will
  perform its intended function when required to do
  so,
• if operated within its specified design limits.
• The device intended function must be known.
• When the device is required to function must be
  judged.
• Satisfactory performance must be determined.
• The specified design limits must be known.
• Mathematically reliability is the probability
  that a device
• will be successful in the time interval from zero
  to t
• in term of a random variable T.

14
Availability
Fundamental Concepts

• Availability is the probability that a device is
  successful at
• time t.
• No time interval is involved.
• A device is available if its operating.
• The measure of success is MTTF (Mean Time To
  Failure)

15
MTTF
Fundamental Concepts

• MTTF is an indication of the average successful
  operating time of a device (system) before a
  failure in any mode.
• MTBF (Mean Time Between Failures)
• MTBF MTTF MTTR
• MTTF MTBF - MTTR
• MTTR (Mean Time To Repair)
• Since (MTBF gtgt MTTR) MTBF is very near to
  MTTF in value.

16
MTBF and Failure Rate
Fundamental Concepts

• Relation between MTBF and Failure Rate ?
• Failure per unit time 1
• ? ----------------------------- ------------
• Quantity Exposed MTBF
• 1 Quantity Exposed
• MTBF ------ ----------------------------
• ? Failure per unit time

17
MTBF - Example
Fundamental Concepts

• Instantaneous failure rate is commonly used as
  measure of reliability.
• Eg. 300 Isolators have been operating for 10
  years. 3 failures have occurred. The average
  failure rate of the isolators is
• Failure per unit time 3
• ? -------------------------------
  -----------------
• Quantity Exposed 300108760
• 0.000000038 per hour
• 38 FIT (Failure per billion hours)
• 38 probabilities of failure in one billion
  hours.
• MTBF 1 / ? 303 years (for constant failure
  rate)

18
Failure Rate Categories
Fundamental Concepts

• ? tot ? safe ? dangerous
• ? s ? sd ? su
• ? d ? dd ? du
• ? tot ? sd ? su ? dd ? du
• Where
• sd Safe detected
• su Safe undetected
• dd Dangerous detected
• du Dangerous undetected

19
FIT
Fundamental Concepts

• Failure In Time is the number of failures per one
  billion devices hours.
• 1 FIT 1 Failure in 109 hours
• 10-9 Failures per hour

20
SFF (Safe Failure Fraction)
Fundamental Concepts
SFF summarizes the fraction of failures, which
lead to a safe state and the fraction of failure
which will be detected by diagnostic measure
and lead to a defined safety action
21
Type A SFF Chart
Fundamental Concepts

• Type A components are described as simple devices
  with well-known failure modes and a solid history
  of operation

22
Type B SFF Chart
Fundamental Concepts

• Type B Complex component (using micro
  controllers or programmable logic) according
  7.4.3.1.3 of IEC 61508-2

23
HSE Study
Fundamental Concepts

• Results of system failure cause study done by
  English Health and Safety Executive (HSE)

24
Safety Lifecycle Origin
Fundamental Concepts
25
Safety Lifecycle 1/5
Fundamental Concepts
26
Safety Lifecycle 2/5
Fundamental Concepts

• First portion of the overall safety lifecycle
• ANALYSIS (End user / Consultant)

27
Safety Lifecycle 3/5
Fundamental Concepts

• Realisation activities in the overall safety
  lifecycle

28
Safety Lifecycle 4/5
Fundamental Concepts

• Safety lifecycle for the E/E/PES
• (Electrical / Electronic / Programmable
  Electronic)
• Safety - Related System (IEC 61508, Part 2)

29
Safety Lifecycle 5/5
Fundamental Concepts

• Last portion of the overall safety lifecycle
• OPERATION (End User / Contractor)

30
SIS
Fundamental Concepts

• SIS (Safety Instrumented System)
• according to IEC 61508 and IEC 61511

31
IEC 61511

• Safety Instrumented Systems
• for Process Industry
• IEC 61511 has been developed as a Process Sector
  implementation of the IEC 61508.
• The Safety Lifecycle forms the central framework
  which links together most of the concepts in this
  standard, and evaluates process risks and SIS
  performance requirements (availability and risk
  reduction).
• Layers of protection are designed and analysed.
• A SIS, if needed, is optimally designed to meet
  particular process risk.

32
Process sector system standard
IEC 61511
33
IEC 61511 Parts
IEC 61511

• The Standard is divided into three Parts
• Part 1 Framework, Definitions, Systems, Hardware
  and Software Requirements
• Part 2 Guidelines in the application of IEC
  61511-1
• Part 3 Guidelines in the application of hazard
  and risk analysis

34
IEC 61511 Part 3
IEC 61511
Guidelines in the application of hazard and risk
analysis
35
FMEDA

• Failure Modes and Effects Diagnostic Analysis
  (FMEDA)
• Is one of the steps taken to achieve functional
  safety assessement of a device per IEC 61508 and
  is considered to be a systematic way to
• identify and evaluate the effects of each
  potential component failure mode
• classify failure severity
• determine what could eliminate or reduce the
  chance of failure
• document the system (or sub-system) under
  analysis.

36
FMEDA

• The following assumptions are usually made during
  the FMEDA
• Constant Failure Rates (wear out mechanisms not
  included)
• Propagation of failures is not relevant
• Repair Time 8 hours
• Stress levels according IEC 60654-1, Class C
  (sheltered location), with temperature limits
  within the manufacturers rating and an average
  temperature over a long period of time of 40C

37
FMEDA
38
1oo1 Architecture

• PFDavg (T1) ?dd RT ?du T1/2
• because RT (avg. repair time) is ltlt T1
• PFDavg ?du T1/2
• ?du ?du (sensor) ?du(isolator)
  ?du(controller) ?du(final element)
• SIL level is the lowest in the loop.

39
1oo2 Architecture

• PFDavg ?duc (T1/2) ?ddc RT(?ddn RT)2
  (?ddn RT ?dun T1)2/2 (?dun T1)2 /3
• PFDavg (?dun T1)2/2 (?dun T1)2 /3

40
2oo3 Architecture
PFDavg ?duc (T1/2) 3?ddc RT(?ddn RT)2
(?ddn RT ?dun T1)2/2 (?dun T1)2 /3
41
SIL3 using SIL2 subsystem

• SIL3 Control Loop or Safety Function using SIL2
  SubSystems in 1oo2 Architecture

42
Safety Manual

• A Safety Manual is a document provided to users
  of a product that specifies their
  responsabilities for installation and operation
  in order to maintain the design safety level.
• The following information shall be available for
  each safety-related sub-system ..

43
Safety Manual Requirements

• Functional specification and safety function
• Estimated rate of failure in any mode which would
  cause both undetected and detected safety
  function dangerous failures
• Environment and lifetime limits for the
  sub-system
• Periodic Proof Tests and/or maintainance
  requirements
• T proof test time interval
• Information necessary for PFDavg, MTTR, MTBF,
  SFF, ?du, ?total
• Hardware fault tolerance and failure categories
• Highest SIL that can be claimed (not required for
  proven in use sub-systems)
• Documentary evidence for sub-systems validation
  (EXIDA)
• Proof Test Procedures to reveal dangerous faults
  which are undetected by diagnostic tests.

44
Standard references
Using the Safety Manual

• Remembering that
• SIL (Safety Integrity Level)
• RRF (Risk Reduction Factor)
• PFD avg (Average Probability of Failure on
  Demand)
• SIL Table for operative modes high and low
  demand

45
Standard references
Using the Safety Manual

• Remembring definitions given for type A and B
  components,
• sub-systems, and related SFF values

46
Loop PFDavg calculation
Using the Safety Manual

• 1oo1 typical control loop
• PFDavg(sys) PFDavg(tx) PFDavg(i) PFDavg(c)
  PFDavg(fe)

47
Loop PFDavg calculation
Using the Safety Manual

• For calculating the entire loops reliability
  (Loop PFDavg), PFDavg values for each sub-systems
  must first be found and be given a proportional
  value (weight) compared to the total 100.
• This duty is usually assigned to personnel in
  charge of plants safety, process and
  maintainance.

48
Loop PFDavg calculation
Using the Safety Manual

• Equation for 1oo1 loop
• Where
• RT repair time in hours (conventionally 8
  hours)
• T1 T proof test, time between circuit
  functional tests (1-5-10 years)
• ?dd failure rate for detected dangerous
  failures
• ?du failure rate for undetected dangerous
  failures

49
Loop PFDavg calculation
Using the Safety Manual

• If T1 1 year then
• but being ?dd 8 far smaller than ?du 4380

50
Example 1
Using the Safety Manual

• PFDavg ?du T1/2
• For D1014 ?du is equal to 34 FIT (see manual)
• Therefore
• PFDavg 34 10-9 4380
• 0,000148920 148920 FIT

51
Example 2
Using the Safety Manual

• Weights of each sub-system in the loop must be
  verified in relation with expected SIL level
  PFDavg and data from the devices safety manual.
• For example, supposing SIL 2 level to be
• achieved by the loop on the right in a low
• demand mode
• PFDavg(sys) is between 10-3 and 10-2 per year
• Weight of D1014 Isolator is 10
• Therefore PFDavg(i) should be between 10-4 and
  10-3 per year.

52
Example 2
Using the Safety Manual

• Given the table above (in the safety manual)
  conclusions are
• Being D1014 a type A component with SFF 90, it
  can be used both in SIL 2 and SIL 3 applications.
• PFDavg with T proof 1yr allows SIL3
  applications
• PFDavg with T proof 5yr allows SIL2
  applications
• PFDavg with T proof 10yr allows SIL1
  applications

53
1oo2 architecture
Using the Safety Manual

• What happens if the total PFDavg does not reach
  the wanted SIL 2 level, or the end user requires
  to reach a higher SIL 3 level?
• The solution is to use a 1oo2 architecture which
  offers very low PFDavg, thus increasing fail-safe
  failure probabilites.

54
1oo2 architecture
Using the Safety Manual
For D1014S (1oo1) PFDavg ?du T1/2
PFDavg 148920 FIT For D1014D (1oo2)
PFDavg (?dun T1)2/2 (?dun T1)2 /3
PFDavg 75 FIT In this case a 1oo2 architecture
gives a 2000 times smaller PFDavg for the
sub-system
55
Final considerations
Using the Safety Manual

• Always check that the Safety Manual contains
  information necessary for the calculation of SFF
  and PFDavg values.
• Between alternative suppliers, choose the one
  that offers
• highest SIL level,
• highest SFF value,
• longest Tproof time interval for the same SIL
  level,
• lowest value of PFDavg for the same Tproof.
• When in presence of units with more than one
  channel and only one power supply circuit, the
  safety function allows the use of only one
  channel. Using both of the channels is allowed
  only when supply is given by two independent
  power circuits (like D1014D).
• Check that the Safety Manual provides all proof
  tests procedures to detect dangerous undetected
  faults.

56
Credits and Contacts

• G.M. International s.r.l
• Via San Fiorano, 70
• 20058 Villasanta (Milan)
• ITALY
• www.gmintsrl.com
• info_at_gmintsrl.com
• Document last revised 20 May 2005

TR Automatyka Sp. z o.o. ul. Lechicka 14 02-156
Warszawa POLAND www.trautomatyka.pl biuro_at_trautoma
tyka.pl