S01 IEC61508 and Functional Safety System Selection v1 4

8/8/2019 S01 IEC61508 and Functional Safety System Selection v1 4

1/34

IEC61508 & Functional Safety

System Selection

MOST Process Control and SafetyNet Systems


2/34

Discuss IEC 61508

Use a typical application to bring it alive

Objectives


3/34

Introduction to the standards

The umbrella .

IEC 61508:2002. Functional Safety of

Electrical/Electronic/Programmable ElectronicSafety-related Systems.

The industry specific beneath the umbrella ...IEC 61511:2003. Functional Safety - Safety

Instrumented Systems for the Process

Sector.


4/34

Its all in the title

Functional Safety of

Electrical/Electronic/Programmable Electronic

Safety-related Systems

Operate in some way to protect

Related to safety, but not entirely

responsible forit

PLCs, DCS etc. can have

high software content


5/34

What sorts of hazards?

All hazards that might lead to risk of:

- injury

- death

Doesnt cover risk to:

- the environment- plant and production capacity

- but you could use it if you wanted to


6/34


7/34

What is SIL?

Safety Integrity Level - safety excellence In bands - SIL4 highest integrity, SIL1 lowest Standard talks about a safety function

- think of this as a safety loop

Like a control loop, its made up of: a sensor (like a transmitter) a logic solver (like a safety PLC) a final element (like a valve)


8/34

How good is each Safety

Integrity Level?

Probability of failure to protect on demand

afety

nte r ity

evel

1

2

3

4

Lo w d e ma nd

M o de o f O pe ra tio n

(prob. of Failure on Demand)

>= 10-5

to 10-4

>= 10-4

to 10-3

>= 10-3

to 10-2

>= 10-2 to 10-1

SIL4- better than 1 in 10,000 demands (= years)

SIL3- better than 1 in 1000 demands




9/34


10/34

What do you need from a

functional safety system?

You s f t

s st m th t m ts

th r quir SIL

I tif th l v l of

risk r uction r quir

xpr ss this s

s f t int grit

l v l f or ch

s f t f unction


11/34

3 Basic Questions

Are all the components suitable?

How often must the safety function operate?- and when it does, can it act quickly enough?

Is the probability of failure low enough?


12/34

Suitable Components

Hardware Fault ToleranceSafe Failure

Fraction 0 1 2< 60% Not llow SIL 1 SIL 2

60% to < 90% SIL 1 SIL 2 SIL 3

90% to < 99% SIL 2 SIL 3 SIL 4

u 99% SIL 3 SIL 4 SIL 4


13/34

What makes the products

suitable?

Hardware Fault Tolerance

Safe Failure Fraction

S f f ilur s = good f ilur s

D ng rous = d f ilur sD ng rous detected = good f ilures


14/34

Suitable Components

Hardware Fault ToleranceSafe Failure

Fraction 0 1 2< 60% Not llowed SIL 1 SIL 2

60% to < 90% SIL 1 SIL 2 SIL 3

90% to < 99% SIL 2 SIL 3 SIL 4

u 99% SIL 3 SIL 4 SIL 4


15/34

How often will it operate?

Low Demand

Think automotive ABS and ESD

Integrity failure rate is to protect on demandIntegrity measure is will it fail, when needed?Typically a back-up to an operation system

Demands will be once a year or less(and no more often than twice the proof test interval)

Proof testing required


16/34

Think automotive steering and machine guarding

Integrity failure rate is failure rate per hourIntegrity measure is how often might it fail?Often the sole guardian of safety

Demands will be more than once per year- but perhaps better to think continuous

Proof testing wont improve the integrity measure

How often will it operate?

High Demand


17/34

Is the safety function fast

enough?

Definition: the period of time between a

failure in the EUC .. and the occurrence of

the hazardous event if the safety function is

not performed

The clock is

ticking

.. can it bedefused in time?


18/34

Is the probability of failure low

enough?

Manufacturers calculation (FMEAD) Amount of field failure data

afet

nte r it

Level

1

2

3

4

Low demand

M ode of Operation

(prob. of Failure o n Demand)

>= 10-5 to 10-4

>= 10-4

to 10-3

>= 10-3

to 10-2

>= 10-2 to 10-1


19/34

3 Basic Questions





20/34

Emergency Shut Down

Application

Control room

MOSTS fet Net

Controller

Input devices

e.g. temper tureor

pressure

tr nsmitters

ctuators

e.g. shut-off valves,

dump valves etc.

Basic requirement - normall

energisedoutputs must de-energiseondetectionofemergenc or internal

fault


21/34

Our safety function

Pressure

Transmitter

8810

Safet NetI

8851

Safet NetController

8811

Safet NetDI/DO

Valve

SIL2 Low demand Process safety time > 10s


22/34

Some convenient assumptions!

Everything is certified to SIL2

1oo1 - to simplify failure probability calculations

MTTR = 0 (ie ifit fails, shut down)

PFDavg = 1/2 T1 Pdu


23/34

3 Basic Questions





24/34


Certificate confirms- design processes, techniques & measures

- calculation of safety parameters

Hardware fault tolerance and safe failure fraction- Type A: HFT = 1

- Type A: HFT = 0 + SFF > 60%

- Type B: HFT = 1 + SFF > 60%

- Type B: HFT = 0 + SFF > 90%


25/34

Is the safety function fast

enough?

Process Safet Time >esponse Time? YesNo

Pressure

Transmitter

8810

Safet Net

I

8851

Safet Net

Controller

8811

Safet Net

DI/DO

Pilot &

Control Valve

50ms + 30ms + 100ms + 10ms + 4s2 x 2 x 2 x

Worst case response time = 4.37 seconds < 10 second PST


26/34

How often must the safety

function operate?

What is the

Demand

ate?

Low Demand Mode -

calculate

PFDavgof the safet loop

ContinuousOncea

earor less&

Demand rate >

twice proof

test frequenc


27/34

The mathematics for

PFDavg = 1/2 T1 Pdu

Dangerous undetected failures- only revealed on demand

Failure probability grows with time from last test

o

b

a

b

iliy

o

a

ilu

e

o

n

e

a

n

d

i e

A

G

oo e n e al


28/34

Is the probability of failure

low enough?

PFDavg < limit

for target SIL?No

Yes

epeat fornext

safet function!

Pressure

Transmitter

8810

Safet Net

I

8851

Safet Net

Controller

8811

Safet Net

DI/DO

Pilot &

Control Valve

PDU = 100 x10-9

T1 = 8760 hours

PFDavg = 5x10 -4

PDU = 20 x10-9

T1 = 8760 hours

PFDavg = 1x10 -4

PDU = 100 x10-9

T1 = 8760 hours

PFDavg = 5x10 -4

PDU = 50 x10-9

T1 = 8760 hours

PFDavg = 3 x10 -4

PDU = 1400 x10-9

T1 = 8760 hours

PFDavg = 6.1 x10 -3

PFDavg = 7.5 x10 -3

Pressure Tx: 1/2 (8760 x 100 x 10-9) = 4.38 x 10-4 } 5 x 10-4


29/34

Does it meet SIL 2?

Safety

Integr ty

Lev el

1

2

3

4

Low de mand

Mode of Ope ration

(prob. of Failure on Demand)

>= 10 -5 to

10-4

>= 10-4

to 10-3

>= 10-3

to 10-2

>= 10 -2 to 10-1

PFDavg 7.5 x 10-3


30/34

3 Basic Questions





31/34

Why use 61508/61511?

Its the gold standard Its the basis for new standards Mathematics is always rightYou can explain what you did and why


32/34


33/34

IEC61508 & Functional Safety

System Selection

MOST Process Control and SafetyNet Systems


34/34

S01 IEC61508 and Functional Safety System Selection v1 4

Documents

Transcript of S01 IEC61508 and Functional Safety System Selection v1 4