IEC 61508 Safety Integrity Level


Transcript of IEC 61508 Safety Integrity Level

Page 1: IEC 61508 Safety Integrity Level

7/27/2019 IEC 61508 Safety Integrity Level

http://slidepdf.com/reader/full/iec-61508-safety-integrity-level 1/8

IEC 61508 / 61511

PROCESS AUTOMATION

IEC 61508/61511 SAFETY INTEGRITY LEVEL

Page 2: IEC 61508 Safety Integrity Level


Process technology systems incorporate risks. These risks are determined by the type of processes involved and the materials used, along with the systems' surroundings. Automated systems can reduce these risks. Functional safety of field instrumentation and control and monitoring systems must be ensured in this respect through the implementation of adequate measures for the prevention, identification and control of faults.

REDUCING SAFETY RISKS

ANALYSIS

The risk potential relating to a process technology system is determined in accordance with IEC 61511. A risk reduction should be implemented to address the particular risk involved. The components used must meet the requirements of IEC 61508 or IEC 61511 if this risk reduction is achieved through the application of electric/electronic automation technology. Both standards divide systems and risk reducing measures into safety levels, ranging from SIL 1 (indicating a low risk) to SIL 4 (indicating an extreme risk) based on IEC 61508. IEC 61511 (the process technology sector standard) is limited to SIL 3.

SIL 1 TO SIL 4

All organisational and technical risk reduction measures act as a counterweight to the risk potential. The values SIL 1 to SIL 4 (SIL = Safety Integrity Level) are derived from the risk analysis. The greater the risk, the more reliable the risk reduction measures must be and, consequently, the greater the reliability the components used must exhibit.

RISK GRAPH (CONFORMING WITH IEC 61508)

Presence in hazardous area (A)
  A1 Seldom to often
  A2 Frequently to continuously

Avoidance of danger (G)
  G1 Possible under certain circumstances
  G2 Practically impossible

Probability of an undesired situation arising (W)
  W1 Very slight
  W2 Slight
  W3 Relatively high

Extent of damage (S)
  S1 Injury of a person, insignificant environmental damage
  S2 Severe, irreversible injury of one or more persons, death of a person, severe or temporary environmental damage
  S3 Death of several persons, severe, permanent environmental damage
  S4 Death of a large number of persons

[Figure: critical section of the safety loop, annotated with the characteristic values]
  HFT = hardware fault tolerance (loop structure)
  PFD = failure probability in the event of a request occurring
  SFF = proportion of safe faults or safe failures
  Tproof = test interval for the entire safety system

Page 3: IEC 61508 Safety Integrity Level


Hardware fault tolerance stands for the maximum number of hardware faults which will not lead to a dangerous failure. A hardware fault tolerance of zero means that a single fault can cause loss of the safety function.

Failure categories:
  Safe Detected "SD"
  Dangerous Detected "DD"
  Safe Undetected "SU"
  Dangerous Undetected "DU"

IEC 61508 requires a minimum degree of Hardware Fault Tolerance (HFT) relative to the Safe Failure Fraction (SFF). This is shown in the table below. The SFF of Pepperl+Fuchs devices lies in the range 60 % ... 90 %, with solenoid drivers reaching up to 100 %. This is why solenoid drivers also achieve SIL 3 in the case of a 1oo1 loop structure.

Maximum permissible SIL relative to the fault tolerance and the proportion of "safe" failures (in compliance with IEC 61508-2) for Type A sub-systems (non-complex sub-systems):

Proportion of "safe"      Hardware Fault Tolerance (HFT)
failures (SFF)            0         1         2
< 60 %                    SIL 1     SIL 2     SIL 3
60 % ... < 90 %           SIL 2     SIL 3     SIL 4
90 % ... < 99 %           SIL 3     SIL 4     SIL 4
≥ 99 %                    SIL 3     SIL 4     SIL 4


The SFF (Safe Failure Fraction) is the proportion of "safe" failures which will not endanger the safety function (consisting of "SD" and "SU"). In addition to this, "dangerous" failures must be considered, but these are identified by the system and thus taken into account ("DD"). The factors detrimental to the safety function are merely the dangerous failures which are not detected by the system ("DU").


Page 4: IEC 61508 Safety Integrity Level


LOOP STRUCTURE AND ORGANISATIONAL MEASURES

The PFD value for the complete safety related function is derived from the values of the individual components. Sensor and actuator are fitted in the field, exposing them to physical stress factors (process medium, pressure, temperature, vibration, etc.). The risk of failure associated with these components is thus relatively high. 25 % of the entire PFD should therefore be reserved for the sensor and 40 % for the actuator. 15 % remains for the fail-safe control, and 10 % for each of the interface modules (interface modules and the control system have no contact with the process medium and are located in protected switch rooms).

FAILURE DISTRIBUTION IN CONTROL CIRCUIT: The PFD value (Probability of Failure on Demand) is the probability of failure of a unit as a component part of a complete safety system in the low demand mode.

[Figure: failure distribution in the control circuit; labels: 35 % sensor system and signal path, 10 % signal path, 10 % signal path, 50 % actuator and signal path, 15 % Safety PLC]

ORGANISATIONAL MEASURES: A safety system is usually in low demand mode in the field of process automation. This is equivalent to one demand per year. The most important organisational measure is therefore a regular function test conducted on the complete safety system. This test verifies the function of the entire safety system, including its mechanical components. The shorter the interval between tests, the greater the probability that the safety system will function in a correct manner.

Page 5: IEC 61508 Safety Integrity Level


All SIL assessments from Pepperl+Fuchs are available free of charge on the Internet. Please go to: www.pepperl-fuchs.com

KEY FEATURES AT A GLANCE:
  - Safe signals from the standard program
  - No extra charge
  - Well-proven engineering
  - Simple planning

ALL IMPORTANT CHARACTERISTIC VALUES AT A GLANCE

Name                                   PFD (Tproof = 1 year)   PFD (Tproof = 2 years)   PFD (Tproof = 5 years)   SFF
Isolated switch amplifier (extract)
  KFD2-SR2-Ex2.W                       3.21E-04                6.42E-04                 1.60E-03                 > 74 %
  KFD2-SR2-Ex1.W                       3.21E-04                6.42E-04                 1.60E-03                 > 74 %
Solenoid driver (extract)
  KFD2-SD-Ex1.17                       0.00E+00                0.00E+00                 0.00E+00                 100 %
Sensors (extract)
  SJ 2-N                               3.02E-05                6.05E-05                 1.51E-04                 > 76 %
  SJ 3,5-N                             4.82E-05                9.64E-05                 2.41E-04                 > 68 %
Transmitter power supply (extract)
  KFD2-STC4-Ex1                        1.6E-04                 3.2E-04                  8.0E-03                  > 91 %

Failure categories: Fail Low (L) = Safe, Fail High (H) = Safe

Name                                   PFD (Tproof = 1 year)   PFD (Tproof = 5 years)   PFD (Tproof = 10 years)  SFF
HART™ multiplexer (extract)
  KFD2-HMM-16                          6.13E-08                3.07E-07                 6.13E-07                 ≥ 60 %
  HiD 2700                             2.50E-07                1.25E-06                 2.50E-06                 ≥ 60 %

Page 6: IEC 61508 Safety Integrity Level


SIL Function Type

2 AI SMART transmitter power supply ED2-STC4-**2

2 DO Solenoid driver ED2-VM-Ex*.3**

2 DI Switch amplifier EG*-***

2 AI SMART transmitter power supply HiC2025

2 AO Current driver HiC2031

2 DI Switch amplifier HiC2821

2 DI Switch amplifier HiC2822

3 DO Solenoid driver HiC2871

2 AI SMART transmitter power supply HiD2025/2026(SK)

2 AI SMART transmitter power supply HiD2029/2030(SK)

2 AO Current driver HiD2033/2034

2 AO SMART current driver HiD2037/2038

2 DI Switch amplifier HiD2821/2822/2824

2 DI Switch amplifier HiD2842/2844

2 DO Solenoid driver HiD2871/2872

2 DO Solenoid driver HiD2875/2876

2 DO Solenoid driver HiD2881

3 DI Safety switch amplifier K***-SH-Ex1

3 DO Solenoid driver KCD0-SD-Ex1.1245

2 AO SMART current driver KCD2-SCD-Ex1

2 DI Switch amplifier KCD2-SR-***.**

2 AI SMART transmitter power supply KCD2-STC-Ex1

2 AI Transmitter power supply KF**-CRG-***.*

2 DI Speed monitor KF**-DWB-***.*

2 AI Temperature converter with trip value KF**-GUT-***.*

2 DI Switch amplifier KF**-SOT2-***.**

2 DI Switch amplifier KF**-SR2-***.**.**

2 DI Frequency converter with trip value KF**-UFC-***.*

2 AO Current driver KFD0-CS-***.***

3 HART HART multiplexer slave KFD0-HMS-16

3 DO Relay module KFD0-RSH-1

2 AO SMART current driver KFD0-SCS-***.**

2 AO Current driver KFD2-CD*-***.**-**

3 HART HART multiplexer master KFD2-HMM-16

2 AO SMART current driver KFD2-SCD*-***.**

3 DO Solenoid driver KFD2-SD-***.****

3 DO Solenoid driver KFD2-SL-***.**

2 DO Solenoid driver KFD2-SL2-***.**

2 DO Solenoid driver KFD2-SL-4

2 DI Standstill monitor KFD2-SR2-**2.W.SM

2 DI Switch amplifier KFD2-ST2-***.**

2 AI SMART transmitter power supply KFD2-STC4-***.**

2 AI SMART transmitter power supply KFD2-STV4-***.**

3 HART HART multiplexer master Mux2700

3 SURGE Surge suppressor P-LB-***

SIL Function Type

2 A Hydrostatic pressure sensor LHC-M20/M40

2 A Guided microwave LTC***

2 D Vibration limit switch LVL-M* with FEL51 ... FEL58

2 D Inductive initiator NCB2-12GM35-N0

2 D Inductive initiator NCB2-V3-N0

2 D Inductive initiator NCB5-18GM40-N0

3 D Inductive safety initiator NCN3-F25*-SN4***

2 D Inductive initiator NCN4-12GM35-N0

2 D Inductive initiator NCN4-V3-N0

2 D Inductive initiator NCN8-18GM40-N0

3 D Inductive safety initiator NJ10-30GK-SN***

3 D Inductive safety initiator NJ15-30GK-SN***

3 D Inductive safety initiator NJ15S+U*+N***

3 D Inductive safety initiator NJ20S+U*+N***

3 D Inductive safety initiator NJ2-11-SN***

3 D Inductive safety initiator NJ2-11-SN-G***

3 D Inductive safety initiator NJ2-12GK-SN***

3 D Inductive safety initiator NJ3-18GK-S1N***

3 D Inductive safety initiator NJ40-FP-SN***

3 D Inductive safety initiator NJ4-12GK-SN***

3 D Inductive safety initiator NJ5-18GK-SN***

3 D Inductive safety initiator NJ5-30GK-S1N***

3 D Inductive safety initiator NJ6-22-SN***

3 D Inductive safety initiator NJ6-22-SN-G***

3 D Inductive safety initiator NJ6S1+U*+N1***

3 D Inductive safety initiator NJ8-18GK-SN***

2 A Process pressure transmitter PPC-M10/M20

2 D Inductive initiator SC3,5-N0

2 D Inductive initiator SJ2-N

3 D Inductive safety initiator SJ2-S1N***

3 D Inductive safety initiator SJ2-SN***

2 D Inductive initiator SJ3,5-N

3 D Inductive safety initiator SJ3,5-S1N***

3 D Inductive safety initiator SJ3,5-SN***

POINT TO POINT INTERFACE MODULES (first table above); A = Sensor analog, D = Sensor digital (second table above)

Pepperl+Fuchs supply SIL levels for numerous standard units. This ensures that our customers enjoy the following advantages:
  - Units which have proven themselves in operation
  - No altered approval values
  - Standardised certification of intrinsic safety
  - Standardised unit documentation
  - Standardised warehouse and spare part storage
  - Extensive international supply capacity
  - No extra charge for the user
  - Simple planning and commissioning

Page 7: IEC 61508 Safety Integrity Level


LOOP STRUCTURE, DEVICE SELECTION, ORGANISATIONAL MEASURES

Device selection, loop structure and organisational measures together determine the signal circuit SIL which can be achieved.

TYPICAL SIGNAL CIRCUIT:
  - Signal input (transmitter or sensor)
  - Input isolator (transmitter supply unit)
  - Safety-PLC
  - Output isolator (valve control module)
  - Actuator (valve or position control)

[Figure: 1oo1 structure, typical for SIL 2: transmitter, analogue input, signal processing. 1oo2 structure, typical for SIL 3: two transmitters, two analogue inputs, signal processing]

LOOP STRUCTURE: The signal circuit with a simple 1oo1 evaluation structure has no hardware fault tolerance (HFT = 0). Failure of a unit can lead to a loss of the safety function.

SIL 2 AND SIL 3 WITH THE SAME UNITS: The signal circuit with a redundant 1oo2 loop structure has a hardware fault tolerance of 1 (HFT = 1). Failure of a unit does not lead to a loss of the safety function.

HARDWARE SOLUTIONS WITHOUT SAFETY-PLC: Isolating contact amplifiers trigger their output level relative to the sensor input involved. A Safety-PLC is therefore unnecessary for simple isolating contact amplifier applications.
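As an added worked example (not Pepperl+Fuchs code), the following Python ties together three passages of the brochure: the Type A HFT/SFF table on page 3, the PFD values at different Tproof intervals on page 5, and the 1oo1 versus 1oo2 loop structures on page 7. It assumes the simplified IEC 61508 1oo1 low-demand relation PFDavg = λDU · Tproof / 2 (which reproduces the linear Tproof scaling in the page 5 table) and the low-demand SIL bands from IEC 61508-1 (SIL 1: 10^-2 ... 10^-1, SIL 2: 10^-3 ... 10^-2, SIL 3: 10^-4 ... 10^-3, SIL 4: 10^-5 ... 10^-4), neither of which is printed on the page; device values are taken from the page 5 table.

```python
"""Added worked example (not Pepperl+Fuchs code): SIL check for 1oo1 loop elements."""

# Low-demand PFDavg bands from IEC 61508-1: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Type A architectural constraint (page 3 table): (minimum SFF, max SIL for HFT 0 / 1 / 2)
TYPE_A_MAX_SIL = [(0.99, (3, 4, 4)), (0.90, (3, 4, 4)), (0.60, (2, 3, 4)), (0.0, (1, 2, 3))]

def pfd_1oo1(lambda_du_per_year, t_proof_years):
    """Simplified 1oo1 low-demand model: PFDavg = lambda_DU * Tproof / 2 (linear in Tproof)."""
    return lambda_du_per_year * t_proof_years / 2

def lambda_du_from_pfd(pfd, t_proof_years):
    """Invert pfd_1oo1 to recover the dangerous undetected failure rate per year."""
    return 2 * pfd / t_proof_years

def sil_from_pfd(pfd):
    """SIL band of a low-demand PFDavg; 4 if below the SIL 4 band, 0 if worse than SIL 1."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0

def sil_from_architecture(sff, hft):
    """Maximum SIL the SFF/HFT table allows for a Type A sub-system (sff as a fraction)."""
    for min_sff, by_hft in TYPE_A_MAX_SIL:
        if sff >= min_sff:
            return by_hft[min(hft, 2)]

def achievable_sil(pfd, sff, hft):
    """A loop element may claim the lower of its PFD band and its architectural limit."""
    return min(sil_from_pfd(pfd), sil_from_architecture(sff, hft))

def loop_sil(component_pfds):
    """Page 4: the loop PFD is the sum of the component PFDs. Returns (total, SIL band)."""
    total = sum(component_pfds)
    return total, sil_from_pfd(total)

if __name__ == "__main__":
    # KFD2-SR2-Ex2.W (page 5 table): PFD 3.21E-04 at Tproof = 1 year, SFF > 74 %
    lam = lambda_du_from_pfd(3.21e-4, 1)
    for years in (1, 2, 5):  # the page 5 table lists 3.21E-04, 6.42E-04 and 1.60E-03
        print(f"Tproof = {years} y: PFDavg = {pfd_1oo1(lam, years):.2E}")
    # 1oo1 (HFT 0): SFF 74 % caps it at SIL 2 although the PFD is in the SIL 3 band.
    # 1oo2 (HFT 1): the cap rises to SIL 3; the single-channel PFD is used as a conservative value.
    print(achievable_sil(3.21e-4, 0.74, 0), achievable_sil(3.21e-4, 0.74, 1))
    # Solenoid driver KFD2-SD-Ex1.17: PFD 0, SFF 100 % -> SIL 3 in 1oo1, as the brochure states
    print(achievable_sil(0.0, 1.0, 0))
    # Loop of sensor SJ 2-N, switch amplifier and solenoid driver (Tproof = 1 year)
    print(loop_sil([3.02e-5, 3.21e-4, 0.0]))
```

The 1oo2 figure is deliberately conservative: a redundant pair has a lower PFD than a single channel, so in practice the architectural cap, not the PFD band, is what the 1oo2 structure relaxes.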

Page 8: IEC 61508 Safety Integrity Level


For over half a century, Pepperl+Fuchs has been continually providing new concepts for the world of process automation. Our company sets standards in quality and innovative technology. We develop, produce and distribute electronic interface modules, Human-Machine Interfaces and hazardous location protection equipment on a global scale, meeting the most demanding needs of industry. Resulting from our world-wide presence and our high flexibility in production and customer service, we are able to individually offer complete solutions – wherever and whenever you need us. We are the recognized experts in our technologies – Pepperl+Fuchs has earned a strong reputation by supplying the world's largest process industry companies with the broadest line of proven components for a diverse range of applications.

www.pepperl-fuchs.com

PROCESS AUTOMATION – PROTECTING YOUR PROCESS

Southern/Eastern Europe Headquarters

Pepperl+Fuchs Elcon srl

Sulbiate · Italy

Tel. +39 039 62921

E-Mail: [email protected]

Northern Europe Headquarters

Pepperl+Fuchs GB Ltd.

Oldham · England

Tel. +44 161 6336431

E-Mail: [email protected]

Southern America Headquarters

Pepperl+Fuchs Ltda.

São Bernardo do Campo · SP · Brazil

Tel. +55 11 4341 8448

E-Mail: [email protected]

Worldwide/German Headquarters

Pepperl+Fuchs GmbH

Mannheim · Germany

Tel. +49 621 776 2222

E-Mail: [email protected]

North/Central America Headquarters

Pepperl+Fuchs Inc.

Twinsburg · Ohio · USA

Tel. +1 330 486 0002

E-Mail: [email protected]

Western Europe & Africa Headquarters

Pepperl+Fuchs N.V.

Schoten/Antwerp · Belgium

Tel. +32 3 6442500

E-Mail: [email protected]

 Asia Pacific Headquarters

Pepperl+Fuchs PTE Ltd.

Singapore

Company Registration No. 199003130E

Tel. +65 6779 9091

E-Mail: [email protected]

Middle East/India Headquarters

Pepperl+Fuchs M.E (FZE)

Dubai · UAE

Tel. +971 4 883 8378

E-mail: [email protected]
