
IEC61508 & Functional Safety

System Selection

MOST Process Control and SafetyNet Systems


Objectives

• Discuss IEC 61508
• Use a typical application to bring it alive
Introduction to the standards

• The umbrella ...
  "IEC 61508:2002. Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems"

• The industry-specific standard beneath the umbrella ...
  "IEC 61511:2003. Functional Safety - Safety Instrumented Systems for the Process Sector"
It's all in the title

Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems

• "Functional Safety" - operate in some way to protect
• "Electrical/Electronic/Programmable Electronic" - PLCs, DCS etc. can have high software content
• "Safety-related Systems" - related to safety, but not entirely responsible for it
What sorts of hazards?

• All hazards that might lead to risk of:
  - injury
  - death

• Doesn't cover risk to:
  - the environment
  - plant and production capacity
  - but you could use it if you wanted to
It's all about risk reduction

[Figure: risk-reduction bar. From left to right along an axis of increasing risk: Residual risk, Tolerable risk, EUC risk. The gap from EUC risk down to tolerable risk is the "Necessary risk reduction"; what the safety system actually delivers is the "Actual risk reduction".]

If you've tried everything else to reduce the risk (re-design, bunds, de-manning), then you need to use an E/E/PE Safety-Related System.

EUC is "Equipment Under Control", which is controlled by the "Basic Process Control System" or BPCS.

The bigger the necessary risk reduction, the more excellent the safety system needs to be - it has to have more "integrity".
What is SIL?

• Safety Integrity Level - safety excellence
• In bands - SIL4 highest integrity, SIL1 lowest
• Standard talks about "safety function" - think of this as a "safety loop"
• Like a control loop, it's made up of:
  • a sensor (like a transmitter)
  • a logic solver (like a safety PLC)
  • a final element (like a valve)

[Overlay note on the slide: "The LOOP has to meet the SIL requirements - not just the PLC"]
How "good" is each Safety Integrity Level?

Probability of failure to protect on demand

Safety Integrity Level   Low demand mode of operation (prob. of failure on demand)
4                        >= 10^-5 to 10^-4
3                        >= 10^-4 to 10^-3
2                        >= 10^-3 to 10^-2
1                        >= 10^-2 to 10^-1

SIL4 - better than 1 in 10,000 demands (= years)
SIL3 - better than 1 in 1000 demands
SIL2 - better than 1 in 100 demands
SIL1 - better than 1 in 10 demands
What determines the SIL?

The SIL you can claim is constrained by:

• the design processes used
• the design techniques and measures
• the tolerance of the system to hardware faults
• the probability of failure to provide protection
• the proportion of faults that lead to safe failure
What do you need from a functional safety system?

Identify the level of risk reduction required

Express this as a safety integrity level for each safety function

You need a safety system that meets the required SIL
3 Basic Questions

• Are all the components suitable?
• How often must the safety function operate?
  - and when it does, can it act quickly enough?
• Is the probability of failure low enough?
Suitable Components

Safe Failure      Hardware Fault Tolerance
Fraction          0             1        2
< 60%             Not allowed   SIL 1    SIL 2
60% to < 90%      SIL 1         SIL 2    SIL 3
90% to < 99%      SIL 2         SIL 3    SIL 4
>= 99%            SIL 3         SIL 4    SIL 4
What makes the products suitable?

• Hardware Fault Tolerance
• Safe Failure Fraction

Safe failures = good failures
Dangerous = bad failures
Dangerous detected = good failures
Suitable Components

Safe Failure      Hardware Fault Tolerance
Fraction          0             1        2
< 60%             Not allowed   SIL 1    SIL 2
60% to < 90%      SIL 1         SIL 2    SIL 3
90% to < 99%      SIL 2         SIL 3    SIL 4
>= 99%            SIL 3         SIL 4    SIL 4
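As an added worked example (not from the slides or any vendor tool), this derives the Safe Failure Fraction from an element's failure-rate split (safe, dangerous detected, dangerous undetected) and applies the SFF / HFT table above. The failure rates used are constructed, in FIT (failures per 10^9 hours); the diagnostic-coverage sweep shows why "dangerous detected = good failures".

```python
# Added example, not the page's or any vendor's code. Applies the SFF / HFT
# table shown on the slide; all failure rates below are constructed (FIT).

# Rows of the slide's table: (lower SFF bound, max SIL for HFT 0, 1, 2).
# None means "Not allowed".
SFF_HFT_TABLE = [
    (0.99, (3, 4, 4)),
    (0.90, (2, 3, 4)),
    (0.60, (1, 2, 3)),
    (0.00, (None, 1, 2)),
]


def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF = (safe + dangerous detected) / all failures.
    Only the dangerous-undetected share counts against the element."""
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return (lambda_s + lambda_dd) / total


def max_sil_from_table(sff, hft):
    """Highest SIL the table allows; bands are '>= lower bound', top row first."""
    if hft not in (0, 1, 2):
        raise ValueError("table covers HFT 0, 1 and 2 only")
    for lower_bound, sil_by_hft in SFF_HFT_TABLE:
        if sff >= lower_bound:
            return sil_by_hft[hft]
    raise ValueError("SFF must lie between 0 and 1")


def claimable_sil(lambda_s, lambda_dd, lambda_du, hft):
    """Architectural-constraint SIL for one element with this rate split."""
    return max_sil_from_table(safe_failure_fraction(lambda_s, lambda_dd, lambda_du), hft)


def diagnostics_effect(lambda_s, lambda_d, coverage, hft):
    """Same hardware, different diagnostic coverage (fraction of dangerous
    failures detected): returns (SFF, max SIL) to show the row change."""
    lambda_dd = lambda_d * coverage
    lambda_du = lambda_d - lambda_dd
    sff = safe_failure_fraction(lambda_s, lambda_dd, lambda_du)
    return sff, max_sil_from_table(sff, hft)


if __name__ == "__main__":
    # Constructed 1oo1 element (HFT = 0): 300 FIT safe, 700 FIT dangerous.
    for coverage in (0.0, 0.9, 0.99):
        sff, sil = diagnostics_effect(300, 700, coverage, hft=0)
        print(f"coverage {coverage:.2f}: SFF {sff:.3f} -> max SIL {sil}")
```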
How often will it operate?
Low Demand

• Think automotive "ABS" and ESD
• Integrity failure rate is "to protect on demand"
  Integrity measure is "will it fail, when needed?"
  Typically a back-up to an operation system
• Demands will be once a year or less
  (and no more often than twice the proof test interval)
• Proof testing required
How often will it operate?
High Demand

• Think automotive steering and machine guarding
• Integrity failure rate is "failure rate per hour"
  Integrity measure is "how often might it fail?"
  Often the sole guardian of safety
• Demands will be more than once per year
  - but perhaps better to think "continuous"
• Proof testing won't improve the integrity measure
Is the safety function fast enough?

Definition: "... the period of time between a failure in the EUC ... and the occurrence of the hazardous event if the safety function is not performed"

The clock is ticking ... can it be defused in time?
Is the probability of failure low enough?

Safety Integrity Level   Low demand mode of operation (prob. of failure on demand)
4                        >= 10^-5 to 10^-4
3                        >= 10^-4 to 10^-3
2                        >= 10^-3 to 10^-2
1                        >= 10^-2 to 10^-1

• Manufacturer's calculation (FMEDA)
• Amount of field failure data
3 Basic Questions

• Are all the components suitable?
• How often must the safety function operate?
  - and when it does, can it act quickly enough?
• Is the probability of failure low enough?
Emergency Shut Down Application

[Diagram: Input devices (e.g. temperature or pressure transmitters) -> MOST SafetyNet Controller -> Actuators (e.g. shut-off valves, dump valves etc.); the Control room connects to the controller]

Basic requirement - normally energised outputs must de-energise on detection of emergency or internal fault
Our safety function

• SIL2
• Low demand
• Process safety time > 10s

Loop: Pressure Transmitter -> 8810 SafetyNet AI -> 8851 SafetyNet Controller -> 8811 SafetyNet DI/DO -> Valve
Some convenient assumptions!

• Everything is certified to SIL2
• 1oo1 - to simplify failure probability calculations
• MTTR = 0 (i.e. if it fails, shut down)
• PFDavg = 1/2 × T1 × λDU (T1 = proof test interval, λDU = dangerous undetected failure rate)

3 Basic Questions

• Are all the components suitable?
• How often must the safety function operate?
  - and when it does, can it act quickly enough?
• Is the probability of failure low enough?
Are all the components suitable?

• Certificate confirms
  - design processes, techniques & measures
  - calculation of safety parameters

• Hardware fault tolerance and safe failure fraction
  - Type A: HFT = 1
  - Type A: HFT = 0 + SFF > 60%
  - Type B: HFT = 1 + SFF > 60%
  - Type B: HFT = 0 + SFF > 90%
Is the safety function fast enough?

[Flowchart: Process Safety Time > Response Time? No -> not acceptable; Yes -> continue]

Loop: Pressure Transmitter -> 8810 SafetyNet AI -> 8851 SafetyNet Controller -> 8811 SafetyNet DI/DO -> Pilot & Control Valve

2 x 50ms + 2 x 30ms + 2 x 100ms + 10ms + 4s

Worst case response time = 4.37 seconds < 10 second PST
How often must the safety function operate?

[Flowchart: What is the Demand Rate? Once a year or less -> Low Demand Mode; Demand rate > once a year & twice proof test frequency -> Continuous]

Low Demand Mode - calculate PFDavg of the safety loop
The mathematics for PFDavg = 1/2 × T1 × λDU

• Dangerous undetected failures
  - only revealed on demand
• Failure probability grows with time from last test

[Figure: Probability of Failure on Demand against Time. The PFD climbs from the last proof test and is reset at each Proof Test Interval; PFDavg is the average level over that interval.]
Is the probability of failure low enough?

[Flowchart: PFDavg < limit for target SIL? No -> not acceptable; Yes -> repeat for next safety function!]

Loop: Pressure Transmitter -> 8810 SafetyNet AI -> 8851 SafetyNet Controller -> 8811 SafetyNet DI/DO -> Pilot & Control Valve

Element                     λDU (per hour)    T1 (hours)    PFDavg
Pressure Transmitter        100 x 10^-9       8760          5 x 10^-4
8810 SafetyNet AI           20 x 10^-9        8760          1 x 10^-4
8851 SafetyNet Controller   100 x 10^-9       8760          5 x 10^-4
8811 SafetyNet DI/DO        50 x 10^-9        8760          3 x 10^-4
Pilot & Control Valve       1400 x 10^-9      8760          6.1 x 10^-3

Pressure Tx: 1/2 × (8760 × 100 × 10^-9) = 4.38 × 10^-4 ≈ 5 × 10^-4

Loop PFDavg = 7.5 × 10^-3
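As an added worked example (not the vendor's or the standard's tool), the loop check above in code: the element λDU values, T1 = 8760 h, the 1oo1 / MTTR = 0 formula PFDavg = 1/2 × T1 × λDU and the response-time terms are the ones on these slides. It also inverts the formula to give the longest proof test interval that keeps the loop in the SIL 2 band, which the slides do not show.

```python
# Added example, not the page's or the vendor's code. Reproduces the slide's
# SIL2 low-demand loop check with the slide's own rates and assumptions.

# (element, dangerous-undetected failure rate per hour) as listed on the slide
LOOP = [
    ("Pressure Transmitter", 100e-9),
    ("8810 SafetyNet AI", 20e-9),
    ("8851 SafetyNet Controller", 100e-9),
    ("8811 SafetyNet DI/DO", 50e-9),
    ("Pilot & Control Valve", 1400e-9),
]
T1_HOURS = 8760                     # proof test interval: one year
RESPONSE_TERMS_S = [2 * 0.050, 2 * 0.030, 2 * 0.100, 0.010, 4.0]
PST_S = 10.0                        # process safety time from the slide

# Low-demand bands from the SIL table: SIL -> (lower, upper) PFDavg
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg(lambda_du, t1_hours):
    """1oo1 element, MTTR = 0: PFDavg = 1/2 * T1 * lambda_DU."""
    return 0.5 * lambda_du * t1_hours


def loop_pfd_avg(loop, t1_hours):
    """Series loop: a dangerous failure of any element defeats the function,
    so the element PFDavg values add (unrounded here; the slide rounds up)."""
    return sum(pfd_avg(rate, t1_hours) for _, rate in loop)


def sil_band(pfd):
    """SIL whose low-demand band contains this PFDavg, or None if outside all."""
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= pfd < upper:
            return sil
    return None


def max_proof_test_interval_hours(loop, target_sil):
    """Longest T1 that keeps the loop PFDavg below the target SIL's upper limit."""
    upper = SIL_BANDS[target_sil][1]
    return 2 * upper / sum(rate for _, rate in loop)


def worst_case_response_s(terms=RESPONSE_TERMS_S):
    return sum(terms)


def meets_pst(response_s, pst_s=PST_S):
    return response_s < pst_s


if __name__ == "__main__":
    pfd = loop_pfd_avg(LOOP, T1_HOURS)
    print(f"loop PFDavg {pfd:.2e} -> SIL {sil_band(pfd)} band")
    print(f"longest T1 for SIL 2: {max_proof_test_interval_hours(LOOP, 2):.0f} h")
    print(f"response {worst_case_response_s():.2f} s, within PST: {meets_pst(worst_case_response_s())}")
```

Doubling T1 to two years pushes the same loop to about 1.46 × 10^-2, which is a SIL 1 result, so the proof test interval is as much a part of the claim as the hardware.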


Does it meet SIL 2?

Safety Integrity Level   Low demand mode of operation (prob. of failure on demand)
4                        >= 10^-5 to 10^-4
3                        >= 10^-4 to 10^-3
2                        >= 10^-3 to 10^-2      <- PFDavg 7.5 x 10^-3
1                        >= 10^-2 to 10^-1

3 Basic Questions

• Are all the components suitable? ✓
• How often must the safety function operate? ✓
  - and when it does, can it act quickly enough?
• Is the probability of failure low enough?
Why use 61508/61511?

• It's the gold standard
• It's the basis for new standards
• Mathematics is always right
• You can explain what you did and why