
IEC 61508

SILence
HIMA

Baradits György Sr.


TÜV Functional Safety Engineer
Safety Instrumented System
TÜV id: 0118/05
http://www.tuvasi.com

SIL 4S Presentation BGS®


All rights reserved TÜV FS Engineer
IEC/EN 61508: SIL selection - Safety Life Cycle (SLC)

[Figure: the IEC 61508 overall safety life cycle, phases #1 to #16, with the responsible parties noted on the slide]

Analysis (End User / Licensor / Consultant):
#1 Concept
#2 Overall scope definition
#3 Hazard & Risk analysis
#4 Overall safety requirements
#5 Safety requirements allocation

Overall planning…
#6 Operation & maintenance (planning)
#7 Safety validation (planning)
#8 Installation & commissioning (planning)

Realization… (Vendor / Contractor / End User):
#9 E/E/PES
#10 Other (out of the scope of this standard)
#11 External (out of the scope of this standard)

Operation (End User / Contractor):
#12 Installation & Commissioning
#13 Overall safety validation
#14 Operation & maintenance
#15 Modification & Retrofit (back to the appropriate SLC phase)
#16 Decommissioning

June 2005 SIL 4S Presentation BGS®


SIL4S WEB TÜV FS Engineer 2
All rights reserved
IEC/EN 61508: SIL selection - Phase 3: Hazard and risk analysis

[Same safety life cycle figure as the previous slide, with phase #3 highlighted]
IEC/EN 61508: SIL selection - Phase 4: Overall safety requirements

[Same safety life cycle figure as the previous slide, with phase #4 highlighted]
IEC/EN 61508: SIL selection - Phase 5: Safety requirement allocation

[Same safety life cycle figure as the previous slide, with phase #5 highlighted]
IEC/EN 61508: SIL selection - Phase 13: Overall safety validation

[Same safety life cycle figure as the previous slide, with phase #13 highlighted]
IEC/EN 61508: SIL selection - Phase 4: Overall safety requirements

Safety Integrity Level (SIL) versus target failure measure

                          Low Demand Mode             Continuous / High Demand Mode
Safety Integrity Level    Operation: PFD              Operation: PFH
SIL 4                     >= 10^-5 to < 10^-4         >= 10^-9 to < 10^-8 h^-1
SIL 3                     >= 10^-4 to < 10^-3         >= 10^-8 to < 10^-7 h^-1
SIL 2                     >= 10^-3 to < 10^-2         >= 10^-7 to < 10^-6 h^-1
SIL 1                     >= 10^-2 to < 10^-1         >= 10^-6 to < 10^-5 h^-1

Test intervals considered on the slide: Ti = 1 month, 3 months, 6 months or 12 months, or Ti = 2 years or 10 years.

PFD: average probability of failure to perform the design function on demand
Low demand mode: see PFD
Continuous / high demand mode: PFH, probability of dangerous failure per hour
Ti: Test Interval
IEC/EN 61508: SIL selection - Definitions

1. SIF: Safety Instrumented Function
2. A SIF is one logic loop: Sensors -> Logic Solver (E/E/PES) -> Actuators
3. One Logic Solver may have several SIFs

[Figure: PHA -> SIL -> Realization -> Validation flow around the SIS]

PHA: Process Hazard Analysis
SIS: Safety Instrumented System
IEC/EN 61508: SIL selection - PHA and SIL classification

[Figure: PHA methods (ALARP, LOPA, HAZOP, Fault tree, Risk matrix, Risk Graph) applied to the PROCESS lead to SIF selection, then SIF & SIL, then Realisation of the SIS, with checking and repair loops, ending in VALIDATION]

HAZOP: Hazard and Operability Analysis
LOPA: Layer of Protection Analysis
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
IEC/EN 61508: SIL selection - Definitions

PFDavg: average probability of failure on demand of the E/E/PES
PFDse: probability of failure on demand of the sensors
PFDls: probability of failure on demand of the Logic Solver
PFDfe: probability of failure on demand of the actuators (final elements)
IEC/EN 61508: SIL selection - Failure rates

Failure rate    Failure type
λS              Safe failure
λSD             Safe detected failure
λSU             Safe undetected failure
λD              Dangerous failure
λDD             Dangerous detected failure
λDU             Dangerous undetected failure

λS = λSD + λSU
λD = λDD + λDU
λ = λS + λD
IEC/EN 61508: SIL selection - Safe Failure Fraction and Diagnostic Coverage

Safe Failure Fraction:

$$\mathrm{SFF} = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$$

Diagnostic Coverage:

$$\mathrm{DC} = \frac{\lambda_{DD}}{\lambda_{DD} + \lambda_{DU}}$$
IEC/EN 61508: SIL selection - Example of SIF

Field                  Control Room                Field
SENSORS                LOGIC SOLVER                ACTUATORS
Pressure Transmitter   F6217 / H51q / F3331        Valve
35% of PFDavg,Tr       15% of PFDavg,LS            50% of PFDavg,A

PFDavg = ΣPFDSE + ΣPFDLS + ΣPFDFE
IEC/EN 61508: SIL selection - Components classification

Criteria               „A” type components            „B” type components
Failure modes          Well defined                   Not well defined
Test under operation   Fully tested                   Not completely tested
Experience             Good failure rates data *      No good failure rates data *
Example                Simple components              Microprocessor
                       (Resistors, diodes)

* Good failure rate with field experience:
• Minimum 100.000 operating hours within two years
• 10 systems in different applications
IEC/EN 61508: SIL selection - Hardware safety integrity

Safe Failure Fraction (SFF) versus Hardware Fault Tolerance (HFT)

                   „A” type subsystem           „B” type subsystem
SFF                HFT 0   HFT 1   HFT 2        HFT 0         HFT 1   HFT 2
< 60%              SIL 1   SIL 2   SIL 3        Not allowed   SIL 1   SIL 2
60% to < 90%       SIL 2   SIL 3   SIL 4        SIL 1         SIL 2   SIL 3
90% to < 99%       SIL 3   SIL 4   SIL 4        SIL 2         SIL 3   SIL 4
> 99%              SIL 3   SIL 4   SIL 4        SIL 3         SIL 4   SIL 4

A hardware fault tolerance of „N” means that „N+1” faults could cause a loss of the safety function.
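The two formulas from the "Safe Failure Fraction and Diagnostic Coverage" slide and the SFF/HFT table above, worked through in code. This is an added example, not code from the HIMA/TÜV presentation; the failure rates are constructed sample values in FIT, and the fourth row of the table (written "> 99%" on the slide) is applied as "at or above 99%", which is how IEC 61508-2 states it. The second call shows what the slides' 2oo3 example says in words: the same hardware with no diagnostics drops the SFF, and therefore the achievable SIL, even though the total failure rate is unchanged.

```python
# Added example (not from the slides): Safe Failure Fraction, Diagnostic
# Coverage and the architectural-constraint (SFF x HFT) table for type A
# and type B subsystems. Failure rates are constructed sample values in FIT
# (failures per 1e9 h); only the ratios matter for SFF and DC.

# Achievable SIL per [SFF band][hardware fault tolerance], as on the slide.
# Band 0: SFF < 60 %, band 1: 60 % to < 90 %, band 2: 90 % to < 99 %,
# band 3: >= 99 % (the slide writes the last row as "> 99%").
TYPE_A = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]
TYPE_B = [[None, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]  # None = not allowed


def sff(lam_sd, lam_su, lam_dd, lam_du):
    """Safe Failure Fraction: every failure that is safe or detected counts."""
    total = lam_sd + lam_su + lam_dd + lam_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lam_sd + lam_su + lam_dd) / total


def dc(lam_dd, lam_du):
    """Diagnostic Coverage: share of dangerous failures the diagnostics detect."""
    dangerous = lam_dd + lam_du
    return lam_dd / dangerous if dangerous else 0.0


def sff_band(value):
    """Row index of the hardware safety integrity table for a given SFF."""
    if value < 0.60:
        return 0
    if value < 0.90:
        return 1
    if value < 0.99:
        return 2
    return 3


def max_sil(value, hft, subsystem_type):
    """Highest SIL the table allows for this SFF, HFT and subsystem type.

    hft is the hardware fault tolerance 0, 1 or 2 (HFT = N means N+1 faults
    can cause loss of the safety function). Returns None where the slide
    says 'Not allowed'.
    """
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    table = {"A": TYPE_A, "B": TYPE_B}[subsystem_type]
    return table[sff_band(value)][hft]


def assess(lam_sd, lam_su, lam_dd, lam_du, hft, subsystem_type):
    """Return (SFF, DC, maximum SIL) for one subsystem."""
    value = sff(lam_sd, lam_su, lam_dd, lam_du)
    return value, dc(lam_dd, lam_du), max_sil(value, hft, subsystem_type)


if __name__ == "__main__":
    # Constructed type-B transmitter: 1000 FIT in total, 500 FIT of it dangerous,
    # 450 FIT of the dangerous part caught by diagnostics, used in a 2oo3 group (HFT 1).
    with_diag = assess(400, 100, 450, 50, hft=1, subsystem_type="B")
    # Same part with no diagnostics: all 500 FIT dangerous failures are undetected.
    no_diag = assess(400, 100, 0, 500, hft=1, subsystem_type="B")
    print("with diagnostics:    SFF=%.3f DC=%.2f -> SIL %s" % with_diag)
    print("without diagnostics: SFF=%.3f DC=%.2f -> SIL %s" % no_diag)
```

With diagnostics the constructed transmitter has SFF 0.95 and DC 0.90, so a type-B subsystem with HFT 1 is limited to SIL 3; without diagnostics the SFF falls to 0.50 and the same HFT 1 arrangement is limited to SIL 1, and at HFT 0 it is not allowed at all.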
IEC/EN 61508: SIL selection - Example: Safe Failure Fraction of 2oo3

„A” transmitter   „B” transmitter   „C” transmitter   Result      Probability 1   Probability 2
Operate           Operate           Operate           Safe        0.512           0.729
Failed            Operate           Operate           Safe        0.128           0.081
Operate           Failed            Operate           Safe        0.128           0.081
Operate           Operate           Failed            Safe        0.128           0.081
Failed            Failed            Operate           Dangerous   0.032           0.009
Operate           Failed            Failed            Dangerous   0.032           0.009
Failed            Operate           Failed            Dangerous   0.032           0.009
Failed            Failed            Failed            Dangerous   0.032           0.001
Total                                                             1               1

Case 1, Probabilities 1                          Case 2, Probabilities 2
Probability of failure is: 2*E-1 = 0.2           Probability of failure is: E-1 = 0.1
Probability of success is: 1 - 2*E-1 = 0.8       Probability of success is: 1 - E-1 = 0.9
Safe Failure Fraction: 0.896                     Safe Failure Fraction: 0.972
IEC/EN 61508: SIL selection - Example: Safe Failure Fraction of 2oo3

(Same 2oo3 outcome table as on the previous slide.)

The transmitter is a „B” type subsystem.

Case 1: With no diagnostics, the worst-case Safe Failure Fraction is 0.896 and 2oo3 = SIL 2.
Case 2: If I have information about which of them has failed, using a MARKOV model, the Safe Failure Fraction will be more than 60% and 2oo3 = SIL 3 depending on the Diagnostic Coverage factor. The Safe Failure Fraction is between 90% and 99% and again 2oo3 = SIL 3.
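The 2oo3 outcome table on the two slides above, regenerated by enumerating the eight operate/failed combinations of three independent transmitters. This is an added example, not the presentation's own material; it takes the per-transmitter failure probability as input (0.2 for Case 1, 0.1 for Case 2) and labels a row "Safe" while at least two transmitters operate, as the slide does. It also carries the check a reviewer would want: every column must sum to 1, and with that check the all-failed row of Case 1 comes out as 0.2³ = 0.008 (the slide shows 0.032 there, which is the value of the two-failed rows).

```python
# Added example (not from the slides): enumerate the outcome table of a 2oo3
# transmitter group and derive the Safe Failure Fraction the slide quotes.
# p_fail is the per-transmitter failure probability (0.2 in Case 1, 0.1 in Case 2).
from itertools import product


def outcome_table(p_fail):
    """Rows of (states, result, probability) for three independent transmitters.

    2oo3 voting still performs its function while at least two of the three
    transmitters operate, so those rows are 'Safe'; with two or three failed
    the vote can no longer be trusted and the slide labels the row 'Dangerous'.
    """
    if not 0.0 <= p_fail <= 1.0:
        raise ValueError("p_fail must be a probability between 0 and 1")
    p_ok = 1.0 - p_fail
    rows = []
    for states in product(("Operate", "Failed"), repeat=3):
        operating = states.count("Operate")
        prob = p_ok ** operating * p_fail ** (3 - operating)
        result = "Safe" if operating >= 2 else "Dangerous"
        rows.append((states, result, prob))
    return rows


def sff_2oo3(p_fail):
    """Safe Failure Fraction as the slide defines it: total probability of 'Safe' rows."""
    return sum(prob for _, result, prob in outcome_table(p_fail) if result == "Safe")


def total_probability(p_fail):
    """Consistency check: the eight rows of one column must sum to 1."""
    return sum(prob for _, _, prob in outcome_table(p_fail))


if __name__ == "__main__":
    for case, p in (("Case 1", 0.2), ("Case 2", 0.1)):
        print("%s, p_fail = %.1f" % (case, p))
        for states, result, prob in outcome_table(p):
            print("  %-8s %-8s %-8s %-9s %.3f" % (*states, result, prob))
        print("  SFF = %.3f   column total = %.3f" % (sff_2oo3(p), total_probability(p)))
```

Run as a script it prints both columns of the slide; the SFF of 0.896 (Case 1) and 0.972 (Case 2) is simply the sum of the four "Safe" rows.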
IEC/EN 61508: SIL selection - Probability equations

$$P(t) = 1 - e^{-\lambda t}$$

If $t \ll 1/\lambda$ (with $\lambda$ constant):

$$P(t) \approx \lambda\, t$$

P = Probability [ ]
λ = Failure rate [FIT]
[FIT] = [Failure / 10^9 h]
FIT: Failure in Time
IEC/EN 61508: SIL selection - PHA and SIL classification

λSD = safe detected failure rate
λSU = safe undetected failure rate
λDD = dangerous detected failure rate
λDU = dangerous undetected failure rate

$$\mathrm{PFD}(t) = \lambda_{DU}\, t$$
IEC/EN 61508: SIL selection - Time dependence of PFD average

$$\mathrm{PFD}_{avg} = \frac{\lambda_{DU}\, T_I}{2}$$

[Figure: PFD(t) as a sawtooth over time t, rising linearly between proof tests and reset at each TI; PFDavg is the horizontal average line; an imperfect test leaves a residual PFD after the reset]

TI = Test Interval: the time between manual function tests of components
IEC/EN 61508: SIL selection - β-factor (Common Cause)

• The β-factor quantifies common cause: a single failure that makes more than one channel faulty, in other words a systematic failure.
• Factors in the calculation of β:
  • Separation
  • Diversity / Redundancy
  • Complexity / Design / Application / Experience
  • Evaluation / analysis and data feedback
  • Procedures / human interface
  • Competence / training / safety culture
  • Environmental control
  • Environmental test
• The β-factor is 2% in a HIMA system
IEC/EN 61508: SIL selection - Simplified Voting equations

1oo1:

$$\mathrm{PFD}_{avg} = \lambda_{DU} \cdot \frac{T_I}{2}$$

1oo2:

$$\mathrm{PFD}_{avg} = \frac{\lambda_{DU}^2\, T_I^2}{3} + \frac{\beta\, \lambda_{DU}\, T_I}{2}$$

1oo3:

$$\mathrm{PFD}_{avg} = \frac{\lambda_{DU}^3\, T_I^3}{4} + \frac{\beta\, \lambda_{DU}\, T_I}{2}$$

2oo3:

$$\mathrm{PFD}_{avg} = \lambda_{DU}^2\, T_I^2 + \frac{\beta\, \lambda_{DU}\, T_I}{2}$$

TI: Test Interval
λDU: Dangerous undetected failure rate
β: Common cause factor
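The four simplified voting equations above, the low-demand SIL bands from the "Overall safety requirements" slide, and the λt approximation from the "Probability equations" slide, put together so the numbers can be compared. This is an added example, not the presentation's own calculation; λDU = 5·10⁻⁷ /h, TI = 8760 h (one year) and β = 10% are constructed sample inputs. What it makes visible is that for every redundant architecture the β·λDU·TI/2 common-cause term is far larger than the independent-failure term, so the achievable PFDavg (and SIL) of a 1oo2, 1oo3 or 2oo3 group is set by β rather than by adding channels.

```python
# Added example (not from the slides): the simplified PFDavg voting equations,
# the low-demand SIL bands, and the linear approximation of P(t) = 1 - exp(-lambda t).
# All input values below are constructed sample numbers.
import math


def pfd_avg(architecture, lam_du, ti, beta=0.0):
    """Average PFD of one voted group from the simplified equations.

    lam_du: dangerous undetected failure rate [1/h]
    ti:     proof test interval [h]
    beta:   common-cause (beta) factor as a fraction (0.02 for 2 %)
    """
    x = lam_du * ti                          # expected dangerous undetected failures per TI
    common_cause = beta * lam_du * ti / 2.0  # same beta term in every redundant architecture
    if architecture == "1oo1":
        return x / 2.0
    if architecture == "1oo2":
        return x ** 2 / 3.0 + common_cause
    if architecture == "1oo3":
        return x ** 3 / 4.0 + common_cause
    if architecture == "2oo3":
        return x ** 2 + common_cause
    raise ValueError("unknown architecture: %s" % architecture)


def sil_from_pfd(pfd):
    """Low-demand SIL band for a PFDavg, or None when outside SIL 1..4."""
    bands = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
    for sil, low, high in bands:
        if low <= pfd < high:
            return sil
    return None


def p_exact(lam, t):
    """Probability of failure by time t for a constant failure rate lam."""
    return 1.0 - math.exp(-lam * t)


def p_linear(lam, t):
    """The lambda*t approximation, valid while t << 1/lambda."""
    return lam * t


if __name__ == "__main__":
    # Constructed group: lam_du = 500 FIT = 5e-7 /h, one-year proof test, beta = 10 %.
    lam_du, ti, beta = 5e-7, 8760.0, 0.10
    for arch in ("1oo1", "1oo2", "1oo3", "2oo3"):
        value = pfd_avg(arch, lam_du, ti, beta)
        print("%s: PFDavg = %.3e -> SIL %s" % (arch, value, sil_from_pfd(value)))
    # The linear approximation always overstates P(t); the gap grows with lambda*t.
    for t in (8760.0, 87600.0, 876000.0):
        print("t = %8.0f h: exact %.4e, linear %.4e" % (t, p_exact(lam_du, t), p_linear(lam_du, t)))
```

With these inputs 1oo1 gives 2.19·10⁻³ (SIL 2), while 1oo2, 1oo3 and 2oo3 all land near 2.2·10⁻⁴ to 2.4·10⁻⁴ (SIL 3): the common-cause term alone is 2.19·10⁻⁴, so lowering β or shortening TI moves the result, adding a third channel barely does.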
IEC/EN 61508: SIL selection - Voting system

[Figure: three sensors (S) with electronic interfaces voted 2oo3, feeding a 1oo2D logic solver with voting logic, driving one actuator (Act) through an electronic interface]

           Sensor components   Logic Solver components   Actuator components
λ          5*10^-6 h^-1        10*10^-6 h^-1             5*10^-6 h^-1
β          10%                 1%                        (not given)
DC         90%                 99%                       0%
Voting     2oo3                1oo2D                     1oo1