SIL - Safety Classification by wanghonghx


SIL – Safety Classification

1. Functional Safety
2. SIL Classification

Functional Safety

Functional Safety is about reducing the risk for this: [illustration not reproduced]

Functional Safety is improved by implementing a so called SIS (Safety Instrumented System) including the necessary number of SIF's (Safety Instrumented Functions).

The Risk Assessment of the plant defines the SIL (Safety Integrity Level) of each SIF.

Functional Safety Standards

IEC 61508 and IEC 61511 provide an adequate basis for:
- Risk Assessment of an industrial process
- SIS Design
- Product design
- SIL classification of SIF's and products

  Safety Standard    Applies to
  IEC 61508          Device Manufacturers
  IEC 61511          System Designers and Users

What is SIL (Safety Integrity Level)?

SIL is a classification of a product's or a Safety Function's (SIF's) ability to reduce the risk for accidents in an industrial process.

The standards define four Safety Integrity Levels, SIL 1 to SIL 4, where SIL 4 is the highest safety level.

Example of a SIF (Safety Instrumented Function):

Temperature control of a storage tank with steam heating

[Figure: storage tank with steam entry and steam exit; temperature measurement by a Pt100 sensor with IPAQ C520]

Example of a SIF (cont.)

SIF with three major parts: Sensor, Logic solver and Final element:

  Sensor  ->  Logic solver (e.g. PLC or DCS)  ->  Final element (Valve)

The safety function of a sensor has two major parts:
1. To ensure a correct measured value (self-check)
2. In case of a sensor error, the transmission of error information to the safety system, e.g. the Logic solver

Risk Assessment

Prior to designing and calculating the safety function (SIF), the so-called SIL assessment has to be performed, i.e. the safety level (e.g. SIL 2) with which the safety function (SIF) must comply has to be determined.

In IEC 61508 the following risk graph is used for this purpose. Starting from the extent of damage (S1 to S4), the path continues through the A1/A2 and G1/G2 branches; the row reached is then read against the probability of occurrence (W1 to W3):

                    W1          W2          W3
                 very low      low    relatively high
  (from S1)        -           -            -
                   -          SIL1         SIL1
                  SIL1        SIL1         SIL2
                  SIL1        SIL2         SIL2
                  SIL2        SIL2         SIL3
                  SIL2        SIL3         SIL3
                  SIL3        SIL3         SIL4
  (from S4)       SIL3        SIL4          -*

  * Safety function on its own insufficient

Extent of damages
  S1: Minor injuries of a person; minor harmful influences on the environment
  S2: Serious, irreversible injuries of one or more persons or death of a person; temporary major harmful influences on the environment
  S3: Death of several persons; lasting major harmful influences on the environment
  S4: Catastrophic effects, many dead persons

How often/long do persons stay
  A1: Seldom to once in a while
  A2: Frequently to permanently

Risk avoidance
  G1: Possible under special conditions
  G2: Hardly possible

Probability of occurrence
  W1: very low
  W2: low
  W3: relatively high

SIL Classification

FMEDA (Failure Mode, Effect and Diagnostics Analysis)

A given hardware is analyzed to evaluate its suitability for a specific application. Together with the investigation of the mechanical / electromechanical components this allows the device's failure rates needed for SIL determination to be defined.

Basically, three parameters resulting from FMEDA are used for SIL classification of the device:
- HFT (Hardware Fault Tolerance)
- SFF (Safe Failure Fraction)
- PFDAVG (Probability of Failure on Demand)

HFT (Hardware Fault Tolerance)

The HFT of a device indicates the quality of a safety function:

  HFT = 0  Single-channel use. A single fault may cause a safety loss.
  HFT = 1  Redundant version. At least two hardware faults must occur at the same time to cause a safety loss.

Through proved operation as well as different safety requirements the value of the HFT can be increased by '1' according to IEC 61511.

SFF (Safe Failure Fraction)

This value represents the fraction of safe device failures. An SFF of 85 % means that 85 out of 100 device failures do not affect the safety function of the device.

The SFF is used together with the HFT to determine the safety level in which the device may be used, under consideration of these two values:

                            HFT
  SFF          0        1 or 0(1) 1)       2
  < 60 %       -           SIL1          SIL2
  60-90 %     SIL1         SIL2          SIL3
  90-99 %     SIL2         SIL3          SIL4
  > 99 %      SIL3         SIL4          SIL4

  1) HFT 0(1): single channel device with proved operation according to IEC 61511.

PFDAVG (Probability of Failure on Demand)

The PFDAVG indicates the probability of failure of a safety function (SIF) or a device, referred to a certain time interval called Proof Test Interval, T[Proof].
E.g.: PFDAVG = 3.35 x 10^-4 with T[Proof] = 1 year means that the safety function or the device fails with a probability of 0.000335 within one year.

The following table shows which PFDAVG is assigned to which SIL for a complete SIF:

  PFDAVG                    SIL
  ≥ 10^-2 … < 10^-1         SIL1
  ≥ 10^-3 … < 10^-2         SIL2
  ≥ 10^-4 … < 10^-3         SIL3
  ≥ 10^-6 … < 10^-4         SIL4

PFDAVG for the sensor part

A generally accepted distribution of the PFDAVG values of a SIF assumes that 35 % of the total PFDAVG is caused by the sensor part.
For a SIL 2 application the PFDAVG value for the total SIF should be smaller than 10^-2, hence the maximum allowable PFDAVG for the sensor part is 3.5 x 10^-3.

  Sensor: 35 % of total PFDAVG    |    Logic solver + Final element: 65 % of total PFDAVG

SIL classification of a SIF (Safety Instrumented Function)

  Part              Sensor part    Logic solver part    Final element part
  HFT               0              0                    0
  SFF               92.1 %         99.2 %               91 %
  SIL (from SFF)    SIL 2          SIL 3                SIL 2

For the SIL classification based on the SFF value, the weakest part will
In order to achieve SIL 2 for the SIF, all SFF values of the SIF parts have to comply with at least SIL 2!

  PFDAVG, SIF = PFDAVG, Sensor + PFDAVG, Logic solver + PFDAVG, Final element

Generally accepted distribution: PFDAVG, Sensor = 35 % of PFDAVG, SIF
For the SIF, the PFDAVG has to be less than 0.01 for SIL 2.
For the Sensor, the PFDAVG has to be less than 0.0035 (35 % of 0.01) for SIL 2.

Result: SIL 2 classified SIF, PFDAVG = 0.0049* acc. to IEC 61508 / 61511
* Proof test interval = 1 year
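The three lookups used above (SIL from SFF and HFT including the HFT 0(1) proved-operation column, SIL from the PFDAVG bands, and the SIF composition rule with the 35 % sensor share) can be carried out in a few lines. The Python below is an added example, not code from the slides or from any IPAQ product documentation. The SFF/HFT cells and the PFDAVG band edges are copied from the tables above exactly as printed; the three part PFDAVG values in the demo are constructed so that they add up to the slide's SIF total of 0.0049.

```python
"""SIL classification helpers (added example encoding the tables on the slides)."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

# Columns: SIL claimable at HFT 0, HFT 1 (or 0(1)), HFT 2. None = not usable.
_SFF_ROWS: Tuple[Tuple[Optional[int], int, int], ...] = (
    (None, 1, 2),  # SFF < 60 %
    (1, 2, 3),     # 60 % <= SFF < 90 %
    (2, 3, 4),     # 90 % <= SFF <= 99 %
    (3, 4, 4),     # SFF > 99 %
)

# (lower bound inclusive, upper bound exclusive, SIL) for a complete SIF,
# band edges taken as printed on the PFDAVG slide.
_PFD_BANDS: Tuple[Tuple[float, float, int], ...] = (
    (1e-2, 1e-1, 1),
    (1e-3, 1e-2, 2),
    (1e-4, 1e-3, 3),
    (1e-6, 1e-4, 4),
)

SENSOR_SHARE = 0.35  # generally accepted share of a SIF's PFDAVG taken by the sensor


def _sff_row(sff_percent: float) -> int:
    """Row index of the SFF table; edges follow the '< 60', '60-90', '90-99', '> 99' labels."""
    if not 0.0 <= sff_percent <= 100.0:
        raise ValueError("SFF is a percentage between 0 and 100")
    if sff_percent < 60.0:
        return 0
    if sff_percent < 90.0:
        return 1
    if sff_percent <= 99.0:
        return 2
    return 3


def sil_from_sff_hft(sff_percent: float, hft: int, proved_operation: bool = False) -> Optional[int]:
    """Architectural SIL limit of one device from its SFF and HFT.

    proved_operation=True applies the IEC 61511 rule quoted on the slides: a
    single-channel device with proved operation counts as HFT 0(1), i.e. the
    next column to the right (capped at the HFT 2 column).
    """
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    column = min(hft + (1 if proved_operation else 0), 2)
    return _SFF_ROWS[_sff_row(sff_percent)][column]


def sil_from_pfd(pfd_avg: float) -> Optional[int]:
    """SIL band for a complete SIF's PFDAVG; None when the value lies outside the table."""
    for lower, upper, sil in _PFD_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return None


def sensor_pfd_budget(target_sil: int) -> float:
    """Largest PFDAVG the sensor part may take: 35 % of the SIF band's upper bound."""
    for _lower, upper, sil in _PFD_BANDS:
        if sil == target_sil:
            return SENSOR_SHARE * upper
    raise ValueError("target SIL must be 1..4")


@dataclass(frozen=True)
class SifPart:
    name: str
    hft: int
    sff_percent: float
    pfd_avg: float


def classify_sif(parts: Sequence[SifPart]) -> Tuple[Optional[int], Dict[str, object]]:
    """SIL of a whole SIF: the weakest part by SFF/HFT, and the band of the summed PFDAVG.

    The achieved SIL is the lower of the two results; None means a check failed
    (a part with no usable SFF/HFT cell, or a PFDAVG outside the table).
    """
    per_part = {p.name: sil_from_sff_hft(p.sff_percent, p.hft) for p in parts}
    sff_sil = None if any(s is None for s in per_part.values()) else min(per_part.values())
    total_pfd = sum(p.pfd_avg for p in parts)
    pfd_sil = sil_from_pfd(total_pfd)
    achieved = None if sff_sil is None or pfd_sil is None else min(sff_sil, pfd_sil)
    return achieved, {"per_part": per_part, "sff_sil": sff_sil, "total_pfd": total_pfd, "pfd_sil": pfd_sil}


# Constructed demo: HFT and SFF values from the slide; the part PFDAVG values are
# invented so that they sum to the slide's SIF total of 0.0049 (proof test interval 1 year).
DEMO_SIF = (
    SifPart("Sensor", hft=0, sff_percent=92.1, pfd_avg=1.5e-3),
    SifPart("Logic solver", hft=0, sff_percent=99.2, pfd_avg=4.0e-4),
    SifPart("Final element", hft=0, sff_percent=91.0, pfd_avg=3.0e-3),
)

if __name__ == "__main__":
    sil, info = classify_sif(DEMO_SIF)
    print(f"achieved SIL {sil}: {info}")
    budget = sensor_pfd_budget(2)
    print(f"sensor budget for SIL 2: {budget:.4f}; sensor within budget: {DEMO_SIF[0].pfd_avg < budget}")
```

Note that both checks have to pass: the final element's SFF of 91 % already limits the SIF to SIL 2 regardless of how good the logic solver is, and a summed PFDAVG of 0.0049 lands in the SIL 2 band, so the example reproduces the slide's SIL 2 result.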
SIL classification of 3-wire RTD sensor with IPAQ C520S

Result of FMEDA:
  HFT (Hardware Fault Tolerance) = 0
  SFF (Safe Failure Fraction) = 92.1 %
  PFDAVG = 2.44 x 10^-4

SIL classification based on SFF: HFT = 0 and SFF = 92.1 % (90-99 % band) give SIL 2.

SIL classification based on PFD: PFDAVG < 3.5 x 10^-3 (35 % of the PFDAVG for a SIL 2 classified SIF) gives SIL 2.

Common requirements:
  CE Declaration of Conformity
  Safety Manual
  Product documentation
  FMEDA test

Declaration of conformity SIL 2 acc. to IEC 61508 / 61511
Safety relevant characteristics of the transmitters

IPAQ R520S & C520S temperature transmitters:
- SIL2 approved design acc. to IEC 61508
- Redundant input circuit with sensor backup
- Sensor drift detection
- Maximum long-term drift: 0.05 % of span within 5 years
- Shock resistant up to 10 g

[Figures: IPAQ R520S and IPAQ C520S]

