SIL - Safety Classification

Description: SIL (Safety Integrity Level), Safety Classification

Transcript of SIL - Safety Classification

Page 1: SIL - Safety Classification

SIL – Safety Classification

Page 2: SIL - Safety Classification

1. Functional Safety
2. SIL Classification

Page 3: SIL - Safety Classification

Functional Safety is about reducing the risk for this

Functional Safety

Page 4: SIL - Safety Classification

Context

Functional Safety is improved by implementing a so-called SIS (Safety Instrumented System), including the necessary number of SIFs (Safety Instrumented Functions).

A Risk Assessment of the plant defines the SIL (Safety Integrity Level) of each SIF.

Page 5: SIL - Safety Classification

Functional Safety Standards

Applicable safety standard:
  Device manufacturers:         IEC 61508
  System designers and users:   IEC 61511

IEC 61508 and IEC 61511 provide an adequate basis for:
- Risk assessment of an industrial process
- SIS design
- Product design
- SIL classification of SIFs and products

Page 6: SIL - Safety Classification

What is SIL (Safety Integrity Level)

SIL is a classification of a product's or a safety function's (SIF's) ability to reduce the risk of accidents in an industrial process.

The standards define four Safety Integrity Levels, SIL 1 to SIL 4, where SIL 4 is the highest level (the largest required risk reduction).

Page 7: SIL - Safety Classification

Example of a SIF (Safety Instrumented Function): temperature control of a storage tank with steam heating

[Figure: storage tank with steam entry and steam exit; temperature measurement by a Pt100 sensor with an IPAQ C520 transmitter; valve]

Page 8: SIL - Safety Classification

Example of a SIF (cont.)

The safety function of a sensor has two major parts:
1. To ensure a correct measured value (self-check)
2. In case of a sensor error, to transmit error information to the safety system, e.g. the logic solver

A SIF has three major parts: Sensor + Logic solver (e.g. PLC or DCS) + Final element (valve)

Page 9: SIL - Safety Classification

Risk Assessment

Prior to designing and calculating the safety function (SIF), the so-called SIL assessment has to be performed, i.e. the safety level (e.g. SIL 2) with which the safety function (SIF) must comply has to be determined.

In IEC 61508 the following risk graph is used for this purpose:

[Figure: IEC 61508 risk graph. From the starting point of the risk assessment, the branches for extent of damage (S1 to S4), presence of persons (A1/A2) and risk avoidance (G1/G2) lead to rows which, combined with the probability of occurrence (W1, W2, W3), give the required level for each combination: "-", SIL 1 to SIL 4, or "-*" (* = a safety function on its own is insufficient). The individual cell values are not reproduced in this transcript.]

Extent of damage
S1: Minor injuries of a person; minor harmful influences on the environment
S2: Serious, irreversible injuries of one or more persons or death of a person; temporary major harmful influences on the environment
S3: Death of several persons; lasting major harmful influences on the environment
S4: Catastrophic effects, many dead persons

How often / how long persons stay in the hazardous area
A1: Seldom to once in a while
A2: Frequently to permanently

Risk avoidance
G1: Possible under special conditions
G2: Hardly possible

Probability of occurrence
W1: Very low
W2: Low
W3: Relatively high

Page 10: SIL - Safety Classification

1. Functional Safety

2. SIL Classification


Page 11: SIL - Safety Classification

FMEDA (Failure Modes, Effects and Diagnostic Analysis)

A given hardware design is analyzed to evaluate its suitability for a specific application. Together with the investigation of the mechanical / electromechanical components, this allows the device's failure rates needed for the SIL determination to be defined.

Basically, three parameters resulting from the FMEDA are used for the SIL classification of the device:
- HFT (Hardware Fault Tolerance)
- SFF (Safe Failure Fraction)
- PFDavg (average Probability of Failure on Demand)

SIL Classification

Page 12: SIL - Safety Classification

HFT (Hardware Fault Tolerance)

The HFT of a device indicates how many hardware faults the device can tolerate before its safety function is lost:

HFT = 0: Single-channel use. A single fault may cause loss of the safety function.
HFT = 1: Redundant version. At least two hardware faults must occur at the same time to cause loss of the safety function.

According to IEC 61511, a device with proven (prior-use) operation that also meets the other safety requirements may be credited with an HFT one higher than its physical architecture (the "0(1)" column of the SFF/HFT table).

Page 13: SIL - Safety Classification

SFF (Safe Failure Fraction)

This value represents the fraction of device failures that do not lead to loss of the safety function, i.e. safe failures plus dangerous failures that the device's own diagnostics detect. An SFF of 85 % means that 85 out of 100 device failures do not affect the safety function of the device.

The SFF is used together with the HFT to determine the safety level in which the device may be used:

                      HFT
SFF          0          1 or 0(1) (1)    2
< 60 %       -          SIL 1            SIL 2
60-90 %      SIL 1      SIL 2            SIL 3
90-99 %      SIL 2      SIL 3            SIL 4
> 99 %       SIL 3      SIL 4            SIL 4

(1) HFT 0(1): single-channel device with proven (prior-use) operation according to IEC 61511.

Page 14: SIL - Safety Classification

PFDavg (average Probability of Failure on Demand)

The PFDavg is the probability, averaged over the proof test interval T[Proof], that a safety function (SIF) or a device is unable to perform its safety function when a demand occurs. Because it is an average over T[Proof], a PFDavg value is only meaningful together with the proof test interval it was calculated for.

E.g.: PFDavg = 3.35 x 10^-4 with T[Proof] = 1 year means that, averaged over the year between two proof tests, the safety function or the device is in a failed state when demanded with a probability of 0.000335.

The following table shows which PFDavg band is assigned to which SIL for a complete SIF (low demand mode, IEC 61508-1):

PFDavg                     SIL
≥ 10^-2 … < 10^-1          SIL 1
≥ 10^-3 … < 10^-2          SIL 2
≥ 10^-4 … < 10^-3          SIL 3
≥ 10^-5 … < 10^-4          SIL 4

Page 15: SIL - Safety Classification

PFDavg for the sensor part

A generally accepted distribution of the PFDavg of a SIF assumes that 35 % of the total PFDavg is caused by the sensor part; the remaining 65 % is attributed to the logic solver and the final element.

For a SIL 2 application the PFDavg of the total SIF has to be smaller than 10^-2, hence the maximum allowable PFDavg for the sensor part is 3.5 x 10^-3.

Sensor (35 % of total PFDavg) + Logic solver + Final element (together 65 % of total PFDavg)

Page 16: SIL - Safety Classification

SIL classification of a SIF (Safety Instrumented Function) acc. to IEC 61508 / 61511

Result of the FMEDA per part:
  Sensor part:         HFT = 0, SFF = 92.1 %  ► SIL 2
  Logic solver part:   HFT = 0, SFF = 99.2 %  ► SIL 3
  Final element part:  HFT = 0, SFF = 91 %    ► SIL 2

For the SIL classification based on the SFF value, the weakest part counts! In order to achieve SIL 2 for the SIF, the SFF values of all SIF parts have to comply with at least SIL 2.

PFDavg of the SIF:
  PFDavg,SIF = PFDavg,Sensor + PFDavg,Logic solver + PFDavg,Final element
  Generally accepted distribution: PFDavg,Sensor = 35 % of PFDavg,SIF
  For the SIF, the PFDavg has to be less than 0.01 for SIL 2.
  For the sensor, the PFDavg has to be less than 0.0035 (35 % of 0.01) for SIL 2.

PFDavg,SIF                 SIL
≥ 10^-2 … < 10^-1          SIL 1
≥ 10^-3 … < 10^-2          SIL 2
≥ 10^-4 … < 10^-3          SIL 3
≥ 10^-5 … < 10^-4          SIL 4

Example: PFDavg,SIF = 0.0049 (proof test interval = 1 year) ► SIL 2 classified SIF

Page 17: SIL - Safety Classification

SIL classification of a 3-wire RTD sensor with IPAQ C520S acc. to IEC 61508 / 61511

Result of FMEDA:
  HFT (Hardware Fault Tolerance) = 0
  SFF (Safe Failure Fraction) = 92.1 %
  PFDavg = 2.44 x 10^-4

SIL classification based on SFF (HFT 0, SFF in the 90-99 % band):

                 HFT
SFF        0        1        2
< 60 %     -        SIL 1    SIL 2
60-90 %    SIL 1    SIL 2    SIL 3
90-99 %    SIL 2    SIL 3    SIL 4
> 99 %     SIL 3    SIL 4    SIL 4

► SIL 2

SIL classification based on PFDavg:
  PFDavg = 2.44 x 10^-4 < 3.5 x 10^-3 (35 % of the PFDavg allowed for a SIL 2 classified SIF)  ► SIL 2

Common requirements:
- CE Declaration of Conformity
- Safety Manual
- Product documentation
- FMEDA test

Result: Declaration of conformity SIL 2
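The classification procedure of pages 13 to 17 (architectural constraint from the SFF/HFT table, weakest part counts, summed PFDavg band, 35 % sensor budget) carried through in code. This is an added example, not code from the slides or from the IPAQ product documentation. The sensor figures (HFT 0, SFF 92.1 %, PFDavg 2.44 x 10^-4) are the ones on page 17; the PFDavg values of the logic solver and the final element are constructed so that the sum is close to the 0.0049 on page 16. The helper pfd_avg_1oo1 uses the simplified single-channel approximation PFDavg ≈ λ_DU · T_proof / 2 from IEC 61508-6, which the slides do not state; it is included to show why every PFDavg is tied to a proof test interval.

```python
# Added example (not from the slides or the IPAQ documentation): SIL classification
# of a SIF from per-part FMEDA figures, following the SFF/HFT table, the PFDavg
# bands and the 35 % sensor budget of pages 13 to 17.
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# PFDavg bands for a complete SIF in low-demand mode (IEC 61508-1, Table 2):
# (lower bound inclusive, upper bound exclusive, SIL)
PFD_BANDS = ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1))

# Architectural constraint table from the slides: (SFF upper bound exclusive,
# claimable SIL for HFT 0, 1, 2).  0 means no SIL may be claimed.
SFF_TABLE = (
    (0.60, (0, 1, 2)),          # SFF < 60 %
    (0.90, (1, 2, 3)),          # 60 % <= SFF < 90 %
    (0.99, (2, 3, 4)),          # 90 % <= SFF < 99 %
    (float("inf"), (3, 4, 4)),  # SFF >= 99 %
)

SENSOR_SHARE = 0.35  # "generally accepted" share of the SIF PFDavg budget for the sensor


def safe_failure_fraction(lambda_sd, lambda_su, lambda_dd, lambda_du):
    """SFF as defined in IEC 61508: every failure except the dangerous
    undetected ones, divided by the total failure rate (same units for all)."""
    total = lambda_sd + lambda_su + lambda_dd + lambda_du
    return (total - lambda_du) / total


def pfd_avg_1oo1(lambda_du_per_hour, t_proof_hours):
    """Simplified single-channel (HFT 0) approximation PFDavg ~= lambda_DU * T / 2
    (IEC 61508-6, repair time and common cause neglected).  Not on the slides;
    it shows why PFDavg is always quoted for a stated proof test interval."""
    return lambda_du_per_hour * t_proof_hours / 2.0


def sil_from_sff(sff, hft, prior_use=False):
    """Architectural constraint from the SFF/HFT table.  The IEC 61511 prior-use
    credit lets a single-channel device be read in the HFT 1 column ('0(1)')."""
    column = min(hft + (1 if prior_use else 0), 2)
    for upper, sils in SFF_TABLE:
        if sff < upper:
            return sils[column]
    raise ValueError("SFF out of range")


def sil_from_pfd(pfd_avg):
    """SIL band of a complete SIF's PFDavg; 0 if it does not even reach SIL 1."""
    if pfd_avg < PFD_BANDS[0][0]:
        return 4  # below the SIL 4 band: SIL 4 is the highest level defined
    for lower, upper, sil in PFD_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return 0


def sensor_pfd_budget(target_sil):
    """Maximum sensor PFDavg under the 35 % rule: 35 % of the upper bound of
    the target SIL's band (3.5e-3 for SIL 2)."""
    upper = {sil: upper for _, upper, sil in PFD_BANDS}[target_sil]
    return SENSOR_SHARE * upper


@dataclass(frozen=True)
class Part:
    name: str
    hft: int
    sff: float       # from the FMEDA report
    pfd_avg: float   # from the FMEDA report, for its stated proof test interval
    prior_use: bool = False


def classify_sif(sensor, logic_solver, final_element):
    """SIL of the whole SIF: both the weakest part's architectural constraint
    and the band of the summed PFDavg limit it.  Returns (sil, details)."""
    parts = (sensor, logic_solver, final_element)
    sff_sils = {p.name: sil_from_sff(p.sff, p.hft, p.prior_use) for p in parts}
    pfd_total = sum(p.pfd_avg for p in parts)
    pfd_sil = sil_from_pfd(pfd_total)
    sil = min(min(sff_sils.values()), pfd_sil)
    return sil, {"sff_sils": sff_sils, "pfd_total": pfd_total, "pfd_sil": pfd_sil}


# Sensor figures from page 17 (IPAQ C520S with 3-wire RTD).  The PFDavg values of
# the other two parts are constructed so the sum is close to the 0.0049 of page 16.
SENSOR = Part("sensor", hft=0, sff=0.921, pfd_avg=2.44e-4)
LOGIC_SOLVER = Part("logic solver", hft=0, sff=0.992, pfd_avg=5.0e-4)
FINAL_ELEMENT = Part("final element", hft=0, sff=0.91, pfd_avg=4.16e-3)

if __name__ == "__main__":
    sil, details = classify_sif(SENSOR, LOGIC_SOLVER, FINAL_ELEMENT)
    print(f"SIF: SIL {sil}  {details}")
    budget = sensor_pfd_budget(2)
    print(f"sensor budget for SIL 2: {budget:.2e}, sensor PFDavg {SENSOR.pfd_avg:.2e} "
          f"-> {'ok' if SENSOR.pfd_avg < budget else 'too high'}")
    # Assumption for illustration: the sensor figure was computed for a 1-year
    # proof test interval (as the page 16 SIF figure was).  Back out lambda_DU
    # and see what a 3-year interval would do to the same device.
    lambda_du = 2 * SENSOR.pfd_avg / HOURS_PER_YEAR
    print(f"PFDavg at T_proof = 3 years: {pfd_avg_1oo1(lambda_du, 3 * HOURS_PER_YEAR):.2e}")
```

The 0(1) prior-use column and the PFDavg band are deliberately kept as two independent limits, because a part can pass one and fail the other: a device with SFF 99.2 % but a long proof test interval still drags the SIF down through the summed PFDavg.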

Page 18: SIL - Safety Classification

Safety relevant characteristics of the transmitters

IPAQ R520S & C520S temperature transmitters:
- SIL 2 approved design acc. to IEC 61508
- Redundant input circuit with sensor backup
- Sensor drift detection
- Maximum long-term drift: 0.05 % of span within 5 years
- Shock resistant up to 10 g

[Figure: IPAQ R520S and IPAQ C520S]