IEC 61508/61511 SAFETY INTEGRITY LEVEL


description

Process technology systems incorporate risks. These risks are determined by the type of processes involved and the materials used, along with the systems’ surroundings. Automated systems can reduce these risks. Functional safety of field instrumentation and control and monitoring systems must be ensured in this respect through the implementation of adequate measures for the prevention, identification and control of faults.

Transcript of IEC 61508/61511 SAFETY INTEGRITY LEVEL

Page 1: IEC 61508/61511 SAFETY INTEGRITY LEVEL


Page 2: IEC 61508/61511 SAFETY INTEGRITY LEVEL


REDUCING SAFETY RISKS

ANALYSIS: The risk potential relating to a process technology system is determined in accordance with IEC 61511. A risk reduction should be implemented to address the particular risk involved. If this risk reduction is achieved through the application of electric/electronic automation technology, the components used must meet the requirements of IEC 61508 or IEC 61511. Both standards divide systems and risk-reducing measures into safety integrity levels, which under IEC 61508 range from SIL 1 (low risk) to SIL 4 (extreme risk). IEC 61511, the standard for the process technology sector, is limited to SIL 3.

SIL 1 TO SIL 4: All organisational and technical risk reduction measures act as a counterweight to the risk potential. The values SIL 1 to SIL 4 (SIL = Safety Integrity Level) are derived from the risk analysis. The greater the risk, the more reliable the risk reduction measures must be and, consequently, the greater the reliability the components used must exhibit.

Risk graph parameters:

Presence in hazardous area (A)
  A1 Seldom to often
  A2 Frequently to continuously

Avoidance of danger (G)
  G1 Possible under certain circumstances
  G2 Practically impossible

Probability of an undesired situation arising (W)
  W1 Very slight
  W2 Slight
  W3 Relatively high

Extent of damage (S)
  S1 Injury of a person, insignificant environmental damage
  S2 Severe, irreversible injury of one or more persons, death of a person, severe or temporary environmental damage
  S3 Death of several persons, severe, permanent environmental damage
  S4 Death of a large number of persons

RISK GRAPH (CONFORMING WITH IEC 61508)

Critical section (figure): the four characteristic values of a safety loop

HFT = hardware fault tolerance (loop structure)
PFD = failure probability in the event of a request occurring
SFF = proportion of safe faults or safe failures
Tproof = test interval for the entire safety system

Page 3: IEC 61508/61511 SAFETY INTEGRITY LEVEL

Hardware fault tolerance stands for the maximum number of hardware faults which will not lead to a dangerous failure. A hardware fault tolerance of zero means that a single fault can cause loss of the safety function.

Failure categories:

Safe Detected “SD”
Dangerous Detected “DD”
Safe Undetected “SU”
Dangerous Undetected “DU”

IEC 61508 requires a minimum degree of Hardware Fault Tolerance (HFT) relative to the Safe Failure Fraction (SFF). This is shown in the table below.

The SFF of Pepperl+Fuchs devices lies in the range 60 % ... 90 %; for solenoid drivers it reaches 100 %. This is why solenoid drivers achieve SIL 3 even in a 1oo1 loop structure.


Maximum permissible SIL relative to the fault tolerance and the proportion of “safe” failures (in compliance with IEC 61508-2) for Type A sub-systems (non-complex sub-systems).

Proportion of “safe” failures (SFF)   Hardware Fault Tolerance 0   HFT 1   HFT 2
< 60 %                                SIL 1                        SIL 2   SIL 3
60 % ... < 90 %                       SIL 2                        SIL 3   SIL 4
90 % ... < 99 %                       SIL 3                        SIL 4   SIL 4
≥ 99 %                                SIL 3                        SIL 4   SIL 4


The SFF (Safe Failure Fraction) is the proportion of “safe” failures which will not endanger the safety function (consisting of “SD” and “SU”).

In addition, “dangerous” failures must be considered, but those identified by the system's diagnostics are already taken into account (“DD”). The only failures detrimental to the safety function are the dangerous failures which are not detected by the system (“DU”).
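As an added worked example, not part of the brochure: the SFF as defined above computed from the SD, SU, DD and DU failure rates, then the Type A table applied together with the SIL 3 limit of IEC 61511. All failure rates are constructed sample values, and the function names are this example's own.

```python
# Added example, not from the Pepperl+Fuchs brochure: derive the safe
# failure fraction from the four failure categories and look up the
# maximum SIL a Type A sub-system may claim per the IEC 61508-2 table
# above. All failure rates are constructed sample values in 1/h.

def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF = (SD + SU + DD) / (SD + SU + DD + DU).

    Only dangerous undetected (DU) failures count against the safety
    function; dangerous detected (DD) failures are caught by diagnostics.
    """
    total = lam_sd + lam_su + lam_dd + lam_du
    if total <= 0:
        raise ValueError("at least one failure rate must be positive")
    return (lam_sd + lam_su + lam_dd) / total

# IEC 61508-2 table for Type A sub-systems: (SFF lower bound, SIL for
# HFT 0, 1, 2). Searched top-down, so the first matching band wins.
_TYPE_A_SIL = (
    (0.99, (3, 4, 4)),
    (0.90, (3, 4, 4)),
    (0.60, (2, 3, 4)),
    (0.00, (1, 2, 3)),
)

def max_sil_type_a(sff, hft):
    """Maximum SIL permitted by SFF (0.0 .. 1.0) and HFT (0, 1 or 2)."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for lower, sil_by_hft in _TYPE_A_SIL:
        if sff >= lower:
            return sil_by_hft[hft]
    raise AssertionError("unreachable: the 0.00 band matches any SFF")

def assess(lam_sd, lam_su, lam_dd, lam_du, hft, sector_cap=3):
    """Return (SFF, claimable SIL); sector_cap models IEC 61511's SIL 3 limit."""
    sff = safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du)
    return sff, min(max_sil_type_a(sff, hft), sector_cap)

if __name__ == "__main__":
    # Solenoid driver with no DU failures: SFF 100 %, SIL 3 even at 1oo1.
    print(assess(4e-7, 1e-7, 2e-7, 0.0, hft=0))
    # Switch amplifier with SFF 74 %: SIL 2 at 1oo1, SIL 3 at 1oo2.
    print(assess(3e-7, 2e-7, 2.4e-7, 2.6e-7, hft=0))
    print(assess(3e-7, 2e-7, 2.4e-7, 2.6e-7, hft=1))
```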

Page 4: IEC 61508/61511 SAFETY INTEGRITY LEVEL

Failure distribution in control circuit (figure): 35 % sensor system and signal path (of which 10 % signal path), 50 % actuator and signal path (of which 10 % signal path), 15 % Safety PLC.

LOOP STRUCTURE AND ORGANISATIONAL MEASURES

The PFD value for the complete safety-related function is derived from the values of the individual components. Sensor and actuator are fitted in the field and are exposed to physical stress factors (process medium, pressure, temperature, vibration, etc.). The risk of failure associated with these components is thus relatively high. 25 % of the entire PFD should therefore be reserved for the sensor and 40 % for the actuator. 15 % remains for the fail-safe control and 10 % for each of the interface modules (interface modules and the control system have no contact with the process medium and are located in protected switch rooms).

FAILURE DISTRIBUTION IN CONTROL CIRCUIT: The PFD value (Probability of Failure on Demand) is the probability of failure of a unit as a component part of a complete safety system in low demand mode.

ORGANISATIONAL MEASURES: A safety system is usually in low demand mode in the field of process automation. This is equivalent to one demand per year. The most important organisational measure is therefore a regular function test conducted on the complete safety system. This test verifies the function of the entire safety system, including its mechanical components. The shorter the interval between tests, the greater the probability that the safety system will function correctly.
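As an added example, not part of the brochure: the PFD budget above (25 % sensor, 40 % actuator, 15 % safety PLC, 10 % per interface module) checked for a 1oo1 loop, together with the linear dependence of PFD on Tproof that the brochure's device tables show. The low-demand PFD bands are those of IEC 61508-1, which this page does not reproduce; the PLC and actuator PFDs and all function names are this example's own assumptions.

```python
# Added example, not from the brochure: check a 1oo1 loop against the PFD
# budget recommended above (25 % sensor, 40 % actuator, 15 % safety PLC,
# 10 % per interface module) and relate PFD to the proof-test interval.
# The low-demand PFDavg bands come from IEC 61508-1 (not reproduced on
# this page); the PLC and actuator PFDs are constructed sample values.

HOURS_PER_YEAR = 8760.0

# Upper PFDavg limit of each SIL band in low demand mode (IEC 61508-1).
SIL_PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

# Share of the loop PFD budget per element, as recommended above.
BUDGET_SHARE = {"sensor": 0.25, "input_isolator": 0.10, "safety_plc": 0.15,
                "output_isolator": 0.10, "actuator": 0.40}

def pfd_1oo1(lambda_du_per_hour, t_proof_years):
    """Simplified PFDavg of a single-channel element: lambda_DU * Tproof / 2."""
    return lambda_du_per_hour * t_proof_years * HOURS_PER_YEAR / 2.0

def rescale_pfd(pfd, from_years, to_years):
    """PFD at another Tproof: invert pfd_1oo1 for lambda_DU, then re-apply."""
    lambda_du = 2.0 * pfd / (from_years * HOURS_PER_YEAR)
    return pfd_1oo1(lambda_du, to_years)

def sil_from_pfd(pfd):
    """SIL band (1..4) containing a low-demand PFDavg; 0 if worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_PFD_UPPER[sil]:
            return sil
    return 0

def check_loop(element_pfd, target_sil):
    """Return (total PFD, target met, elements exceeding their budget share)."""
    limit = SIL_PFD_UPPER[target_sil]
    total = sum(element_pfd.values())
    over = [n for n, p in element_pfd.items() if p > BUDGET_SHARE[n] * limit]
    return total, total < limit, over

# Constructed loop at Tproof = 1 year. Sensor SJ 2-N, input isolator
# KFD2-SR2-Ex2.W and solenoid driver KFD2-SD-Ex1.17 use the brochure's
# figures; safety_plc and actuator are assumed values.
LOOP_1YEAR = {"sensor": 3.02e-05, "input_isolator": 3.21e-04,
              "safety_plc": 1.0e-04, "output_isolator": 0.0,
              "actuator": 2.0e-03}

if __name__ == "__main__":
    print(check_loop(LOOP_1YEAR, target_sil=2))  # meets SIL 2, nothing over
    print(check_loop(LOOP_1YEAR, target_sil=3))  # isolator and actuator over
    print(rescale_pfd(3.21e-04, 1, 5))           # brochure lists 1.60E-03
```

Rescaling the brochure's 1-year figure for the KFD2-SR2-Ex2.W to 2 and 5 years reproduces its 6.42E-04 and 1.60E-03 entries, which is the check a reviewer would run before trusting a published PFD at a different proof-test interval.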

Page 5: IEC 61508/61511 SAFETY INTEGRITY LEVEL

All SIL assessments from Pepperl+Fuchs are available free of charge on the Internet. Please go to: www.pepperl-fuchs.com

KEY FEATURES AT A GLANCE:

Safe signals from the standard program

No extra charge

Well-proven engineering

Simple planning

Name              Tproof = 1 year    Tproof = 2 years   Tproof = 5 years   SFF

Isolated switch amplifier (extract)
KFD2-SR2-Ex2.W    PFD = 3.21E-04     PFD = 6.42E-04     PFD = 1.60E-03     > 74 %
KFD2-SR2-Ex1.W    PFD = 3.21E-04     PFD = 6.42E-04     PFD = 1.60E-03     > 74 %

Solenoid driver (extract)
KFD2-SD-Ex1.17    PFD = 0.00E+00     PFD = 0.00E+00     PFD = 0.00E+00     100 %

Sensors (extract)
SJ 2-N            PFD = 3.02E-05     PFD = 6.05E-05     PFD = 1.51E-04     > 76 %
SJ 3,5-N          PFD = 4.82E-05     PFD = 9.64E-05     PFD = 2.41E-04     > 68 %

Transmitter power supply (extract)
KFD2-STC4-Ex1     PFD = 1.6E-04      PFD = 3.2E-04      PFD = 8.0E-03      > 91 %

Failure categories: Fail Low (L) = Safe, Fail High (H) = Safe

Name              Tproof = 1 year    Tproof = 5 years   Tproof = 10 years  SFF

HART™ multiplexer (extract)
KFD2-HMM-16       PFD = 6.13E-08     PFD = 3.07E-07     PFD = 6.13E-07     ≥ 60 %
HiD 2700          PFD = 2.50E-07     PFD = 1.25E-06     PFD = 2.50E-06     ≥ 60 %

ALL IMPORTANT CHARACTERISTIC VALUES AT A GLANCE

Page 6: IEC 61508/61511 SAFETY INTEGRITY LEVEL

SIL Function Type

2 AI SMART transmitter power supply ED2-STC4-**2

2 DO Solenoid driver ED2-VM-Ex*.3**

2 DI Switch amplifier EG*-***

2 AI SMART transmitter power supply HiC2025

2 AO Current driver HiC2031

2 DI Switch amplifier HiC2821

2 DI Switch amplifier HiC2822

3 DO Solenoid driver HiC2871

2 AI SMART transmitter power supply HiD2025/2026(SK)

2 AI SMART transmitter power supply HiD2029/2030(SK)

2 AO Current driver HiD2033/2034

2 AO SMART current driver HiD2037/2038

2 DI Switch amplifier HiD2821/2822/2824

2 DI Switch amplifier HiD2842/2844

2 DO Solenoid driver HiD2871/2872

2 DO Solenoid driver HiD2875/2876

2 DO Solenoid driver HiD2881

3 DI Safety switch amplifier K***-SH-Ex1

3 DO Solenoid driver KCD0-SD-Ex1.1245

2 AO SMART current driver KCD2-SCD-Ex1

2 DI Switch amplifier KCD2-SR-***.**

2 AI SMART transmitter power supply KCD2-STC-Ex1

2 AI Transmitter power supply KF**-CRG-***.*

2 DI Speed monitor KF**-DWB-***.*

2 AI Temperature converter with trip value KF**-GUT-***.*

2 DI Switch amplifier KF**-SOT2-***.**

2 DI Switch amplifier KF**-SR2-***.**.**

2 DI Frequency converter with trip value KF**-UFC-***.*

2 AO Current driver KFD0-CS-***.***

3 HART HART multiplexer slave KFD0-HMS-16

3 DO Relay module KFD0-RSH-1

2 AO SMART current driver KFD0-SCS-***.**

2 AO Current driver KFD2-CD*-***.**-**

3 HART HART multiplexer master KFD2-HMM-16

2 AO SMART current driver KFD2-SCD*-***.**

3 DO Solenoid driver KFD2-SD-***.****

3 DO Solenoid driver KFD2-SL-***.**

2 DO Solenoid driver KFD2-SL2-***.**

2 DO Solenoid driver KFD2-SL-4

2 DI Standstill monitor KFD2-SR2-**2.W.SM

2 DI Switch amplifier KFD2-ST2-***.**

2 AI SMART transmitter power supply KFD2-STC4-***.**

2 AI SMART transmitter power supply KFD2-STV4-***.**

3 HART HART multiplexer master Mux2700

3 SURGE Surge suppressor P-LB-***

SIL Function Type

2 A Hydrostatic pressure sensor LHC-M20/M40

2 A Guided microwave LTC***

2 D Vibration limit switch LVL-M* with FEL51 ... FEL58

2 D Inductive initiator NCB2-12GM35-N0

2 D Inductive initiator NCB2-V3-N0

2 D Inductive initiator NCB5-18GM40-N0

3 D Inductive safety initiator NCN3-F25*-SN4***

2 D Inductive initiator NCN4-12GM35-N0

2 D Inductive initiator NCN4-V3-N0

2 D Inductive initiator NCN8-18GM40-N0

3 D Inductive safety initiator NJ10-30GK-SN***

3 D Inductive safety initiator NJ15-30GK-SN***

3 D Inductive safety initiator NJ15S+U*+N***

3 D Inductive safety initiator NJ20S+U*+N***

3 D Inductive safety initiator NJ2-11-SN***

3 D Inductive safety initiator NJ2-11-SN-G***

3 D Inductive safety initiator NJ2-12GK-SN***

3 D Inductive safety initiator NJ3-18GK-S1N***

3 D Inductive safety initiator NJ40-FP-SN***

3 D Inductive safety initiator NJ4-12GK-SN***

3 D Inductive safety initiator NJ5-18GK-SN***

3 D Inductive safety initiator NJ5-30GK-S1N***

3 D Inductive safety initiator NJ6-22-SN***

3 D Inductive safety initiator NJ6-22-SN-G***

3 D Inductive safety initiator NJ6S1+U*+N1***

3 D Inductive safety initiator NJ8-18GK-SN***

2 A Process pressure transmitter PPC-M10/M20

2 D Inductive initiator SC3,5-N0

2 D Inductive initiator SJ2-N

3 D Inductive safety initiator SJ2-S1N***

3 D Inductive safety initiator SJ2-SN***

2 D Inductive initiator SJ3,5-N

3 D Inductive safety initiator SJ3,5-S1N***

3 D Inductive safety initiator SJ3,5-SN***

Pepperl+Fuchs supply SIL levels for numerous standard units. This ensures that our customers enjoy the following advantages:

Units which have proven themselves in operation
No altered approval values
Standardised certification of intrinsic safety
Standardised unit documentation
Standardised warehouse and spare part storage
Extensive international supply capacity
No extra charge for the user
Simple planning and commissioning

POINT TO POINT INTERFACE MODULES

A = Sensor analog, D = Sensor digital

Page 7: IEC 61508/61511 SAFETY INTEGRITY LEVEL

Device selection, Loop structure and organisational measures together determine the signal circuit SIL which can be achieved.

TYPICAL SIGNAL CIRCUIT:
Signal input (transmitter or sensor)
Input isolator (transmitter supply unit)
Safety-PLC
Output isolator (valve control module)
Actuator (valve or position control)

LOOP STRUCTURE: The signal circuit with a simple 1oo1 evaluation structure has no hardware fault tolerance (HFT = 0). Failure of a unit can lead to a loss of the safety function.

1oo1 structure, typical for SIL 2 (figure): Transmitter, Analogue In, Signal processing

SIL 2 AND SIL 3 WITH THE SAME UNITS: The signal circuit with a redundant 1oo2 loop structure has a hardware fault tolerance of 1 (HFT = 1). Failure of a unit does not lead to a loss of the safety function.

1oo2 structure, typical for SIL 3 (figure): two Transmitters, each with its own Analogue In, feeding the Signal processing

HARDWARE SOLUTIONS WITHOUT SAFETY-PLC: Isolating contact amplifiers trigger their output level relative to the sensor input involved. A Safety-PLC is therefore unnecessary for simple isolating contact amplifier applications.

LOOP STRUCTURE, DEVICE SELECTION, ORGANISATIONAL MEASURES

Page 8: IEC 61508/61511 SAFETY INTEGRITY LEVEL


Subject to modifications • Copyright PEPPERL+FUCHS • Printed in Germany • Part. No. 126933 /08 0

For over half a century, Pepperl+Fuchs has been continually providing new concepts for the world of process automation. Our company sets standards in quality and innovative technology. We develop, produce and distribute electronic interface modules, Human-Machine Interfaces and hazardous location protection equipment on a global scale, meeting the most demanding needs of industry. Resulting from our world-wide presence and our high flexibility in production and customer service, we are able to individually offer complete solutions – wherever and whenever you need us. We are the recognized experts in our technologies – Pepperl+Fuchs has earned a strong reputation by supplying the world’s largest process industry companies with the broadest line of proven components for a diverse range of applications.

www.pepperl-fuchs.com

PROCESS AUTOMATION – PROTECTING YOUR PROCESS

Southern/Eastern Europe Headquarters: Pepperl+Fuchs Elcon srl, Sulbiate · Italy, Tel. +39 039 62921, E-Mail: [email protected]

Northern Europe Headquarters: Pepperl+Fuchs GB Ltd., Oldham · England, Tel. +44 161 6336431, E-Mail: [email protected]

Southern America Headquarters: Pepperl+Fuchs Ltda., São Bernardo do Campo · SP · Brazil, Tel. +55 11 4341 8448, E-Mail: [email protected]

Worldwide/German Headquarters: Pepperl+Fuchs GmbH, Mannheim · Germany, Tel. +49 621 776 2222, E-Mail: [email protected]

North/Central America Headquarters: Pepperl+Fuchs Inc., Twinsburg · Ohio · USA, Tel. +1 330 486 0002, E-Mail: [email protected]

Western Europe & Africa Headquarters: Pepperl+Fuchs N.V., Schoten/Antwerp · Belgium, Tel. +32 3 6442500, E-Mail: [email protected]

Asia Pacific Headquarters: Pepperl+Fuchs PTE Ltd., Singapore, Company Registration No. 199003130E, Tel. +65 6779 9091, E-Mail: [email protected]

Middle East/India Headquarters: Pepperl+Fuchs M.E (FZE), Dubai · UAE, Tel. +971 4 883 8378, E-mail: [email protected]
