Professional Documents
Culture Documents
Functional Safety Sil BR 9046256 en
Functional Safety Sil BR 9046256 en
Depending on the acceptable risk the So, during development and design of risk by identifying the so-called dangerous
required reliability of protection systems devices and subsystems of safety relevant probability of failure as a measure of the
can be ensured by employing the effective systems the main target is to keep the protection system’s reliability.
measures of probability of failure as low as possible
– failure avoidance, (failure avoidance), or to detect failures by Failures
– failure detection, and diagnostic functions (failure detection) Considering the entire operational time no
– failure tolerance and – in case of a detected failure – E/E/PES is absolutely free of failures.
to force the safety system to go into a safe Always there might be systematic or
This to a degree depends on the actual state (failure tolerance). accidental failures, and wear-out parts
risk, the so-called Safety Integrity Level. need to be considered. However, consum-
Risk analysis able components are not subject to the
For gas detection systems, which have to Depending on the extent of threat to per- SIL-consideration – they have to be
activate safety relevant countermeasures in sons, property and environment there are replaced ensuring failures caused by
case of pre-defined gas concentrations, an four different classes of risk. Generally a consumption shall not occur.
important question comes up: What is the risk is a combination of the consequence
probability of failing to perform the required to be expected and the probability of Systematic failures
countermeasure (safety function) in case occurrence of such an unwanted hazard. … are design- or development-failures,
of a demand from the process (means which already exist at the time of delivery
when pre-defined gas concentrations have To classify the actual risk structured and which are reproducible (e.g. software
been exceeded) if an undetectable danger- methods are used, e.g. the risk graph. The failures, incorrect rating or the operation
ous failure has occurred? risk graph is based on four different of electronic components outside of
consequence categories, and the probability their specification). By organizational
Risk
Risk without aspect is implemented by the criteria measures and safety-orientated develop-
risk reduction “frequency of exposure of persons” and the ment procedures, systematic failures,
“possibility of avoiding the hazardous especially software failures, can be mini-
event”. mized.
is a mere statistical value which however The average value of the resulting zigzag- W3 W2 W1
C1
enables engineers to calculate the proba- curve can be expressed as a number: a – –
bility that a failure will occur. Multiplying half the proof test interval TP P1
SIL 1 a –
with the failure rate leads to the average F1
Probability of failure Probability of Failure On Demand or PFD: P2
SIL 1 SIL 1 a
C2
And statistics predict even more: If for PFDavg = 0.5··TP
P1
example 340 of 1000 equivalent devices F2
SIL 2 SIL 1 SIL 1
with operational time, and at the time of Mode is typical for safety systems in the C4
b SIL 4 SIL 3
MTTF for a considered device this proba- process industry. If a demand is expected
bility is 63 percent. to be more often the plant design a no special safety requirements
engineers should think about the b a single safety system is not sufficient
Needless to say that this can also be trans- implementation of further protection
ferred to the safety function: Considering systems for risk reduction or to keep the Risik graph acc. to IEC 61508 / 61511.
a system which in case of danger needs to process less dangerous by other means. Assumed that in case of the unwanted event, and
because persons are frequently exposed to the hazar-
perform the safety function, then the prob- dous area (F2), the consequence might be the death
ability not to perform the safety function is of one person (C2) and avoidance of the hazardous
zero at the time of function test (time 0), event is only possible under certain conditions (P1)
and the probability of the unwanted occurrence is
and the device is absolutely reliable. But relatively high (W3), then the protection system
the probability of failure rises continuously, should be at least SIL2-rated.
and so does the probability that the safety
function will not be performed. However, Consequence (C)
C1 minor injury or damage
after having tested the safety function C2 serious permanent injury to one or more per-
again, e.g. after reconditioning, and the test sons; death to one person; temporary serious
proved to be successful, then again the damage
C3 death to several people, serious or permanent
probability of failure is zero. So one can environmental damage
reset the probability of failure at regular C4 very many people killed
intervals, because at least at the time of
Frequency of, and exposure time in,
successful proof test of the safety function the hazardous zone (F)
the system is 100 % reliable! F1 rare to more often
F2 frequent to permanent
MTTR*
failure remedied by
exceed the alarm thresholds. If – in case of DD-Failure instant repair
failure – the system cannot trigger gas unsafe state time
safe state failure occurs without notice failure detected
alarms it must go into the safe state.
MTTR*
Danger failure detected during
The safe state of a gas detection system is DU-Failure proof test and remedied
system remains in unsafe state
defined as an action which is equivalent to unsafe state time
Proof test interval TP
gas alarm. At least the same measures as * MTTR = Mean Time To Repair (mostly 8 h)
for gas alarm are activated, and additionally
a fault signal is generated e.g. to ensure
maintenance and repair promptly being
performed. is not dangerous at all because the safety The DU-failure is in focus
function can be performed even if this kind In the statistical mean the DU-failures
But to achieve a safe state at all, failures of failure occurs. As a system can always occur at half of the interval between two
need to be reliably detectable. This is achieve a safe state as long as a failure tests (proof test interval):
why the failure analysis (Failure Modes, is detectable, any detectable failure (SD PFDavg = 0.5·D U·TP
Effects and Diagnostic Analysis FMEDA) and DD), independent of the fact whether
concerning the effects differentiates it impacts the performance of the safety The proof test interval TP implies the
between detectable and undetectable and function or not, is tolerable. periodical test of the safety function per-
between safe and dangerous failures. However, dangerous failures (DU), which formed by the customer. Not only the
cannot be revealed by any diagnostic PFDavg must not exceed certain values for
Safety-related failures measure, can derogate the entire safety a given SIL, but also the Safe Failure
Surely there is no problem with a failure of system’s concept. They may occur at any Fraction SFF, a measure for the share of
type SD which signals itself, and moreover time and can only be discovered by regular tolerable failures, needs to be regarded
inspection and proof test. Performing when designing a safety relevant system
periodical proof tests is the one and only with SIL-requirement.
system or subsystem method to discover failures which cannot
fails once of
PFDavg … demands SIL be revealed by diagnostics, at a stage so
≥ 0.01 … < 0.1 11 … 100 1
early that severe consequences can be
avoided with sufficiently high probability.
≥ 0.001 … < 0.01 101 … 1000 2
– logic controllers, which detect the failures, mostly only estimated as a share
Simple subsystems (type A).
electrical signal exceeding a given of e.g. = 1, 2, 5, or 10 % of the DU-failure. These are e.g. relays, simple sensors, devices
threshold, and with analogue – and to a certain level – also digital
electronic circuits.
– actuators to perform the safety function. True redundancy without common-cause-
failures can only be obtained by diversity,
In the simplest case a SIS is a single chan- meaning the use of different products, and
nel or linear system, e.g. a gas detection even of different manufacturers, if possible. SFF (Share of HFT for complex
system consisting of gas detection trans- tolerable failures) subsystems (type B)
0 1 2
mitter, central controller unit, and relay. Single channel system (HFT = 0)
< 60 % – SIL 1 SIL 2
Depending on the subsystem’s type (com- By means of a FMEDA each subsystem 60 … < 90 % SIL 1 SIL 2 SIL 3
plex or not) the subsystem must feature a needs to be assessed concerning its safety- 90 … < 99 % SIL 2 SIL 3 SIL 4
certain minimum SFF. If there is no high- relevant parameters, and when combining ≥ 99 % SIL 3 SIL 4 SIL 4
complex or programmable electronics the three subsystems to an entire system their
subsystem is mostly considered to be individual PFDavg have to be added to Complex subsystems (type B).
simple or type A. obtain the PFDsys of the system: These are e.g. software-based programmable
logic-controllers, microprocessor-controlled devices,
PFDsys = PFDSE + PFDLS + PFDFE
ASICs, etc.
The HFT (hardware fault tolerance) can be where the individual PFDs are the product
increased by means of the system’s archi- of half the proof test interval and the DU-
tecture. If two sensing elements are oper- failure rate. E.g. to obtain SIL 2 it is neces-
ated redundantly, one may fail without sary to have PFDsys < 0.01 and (because
affecting the performance of the safety the HFT is 0) the individual SFF for com-
function. As one failure does not impact plex subsystems must be higher than 90,
safety the HFT is 1 in case of redundancy for simple subsystems higher than 60 %.
or a 2-out-of-3-voting (“2oo3”). A triple
redundancy (“1oo3”) will result in an HFT
of even 2.
Lifecycle of a SIS sary. Further on the periodically performed also Dräger system engineers can design
Commonly a SIS is planned, designed, proof test of the safety function must be complete safety related gas detection
installed and commissioned by experi- conducted in the compulsory intervals TP, systems including documentation, SIL-
enced system engineers. Just this process and organizational measures must be met evidence, installation, commissioning, and
requires a high degree of diligence, docu- to ensure prompt repair and spare part maintenance.
mentation depth and verification. delivery in case of need.
Our system engineers will competently
During operation a SIS must be serviced Safety Integrity from Dräger give advice if safety integrity needs to be
according to the manufacturer’s guidelines Not only is Dräger the manufacturer of sub- implemented in a system’s safety concept.
given in the safety operating manual and to systems such as sensors, gas detection
be put into quasi-new-condition if neces- transmitters and central controllers, but
www.draeger.com
SYSTEM CENTERS 90 46 256 | 04.10-2 | Marketing Communications | PR | LE | Printed in Germany | Chlorfrei – umweltfreundlich | Änderungen vorbehalten | © 2010 Dräger Safety AG & Co. KGaA