SIL - Safety Classification by wanghonghx


SIL – Safety Classification

1.   Functional Safety

2.   SIL Classification
Functional Safety

[Figure] Functional Safety is about reducing the risk for this.
Context

Functional Safety is improved by implementing a so-called SIS (Safety Instrumented System) including the necessary number of SIFs (Safety Instrumented Functions).

The Risk Assessment of the plant defines the SIL (Safety Integrity Level) of each SIF.
Functional Safety Standards

IEC 61508 and IEC 61511 provide an adequate basis for:
- Risk Assessment of an industrial process
- SIS Design
- Product design
- SIL classification of SIFs and products

Applicable Safety Standard:
- Device Manufacturers: IEC 61508
- System Designers and Users: IEC 61511
What is SIL (Safety Integrity Level)?

SIL is a classification of a product’s or a Safety Function’s (SIF’s) ability to reduce the risk of accidents in an industrial process.

The standards define four Safety Integrity Levels, SIL 1 to SIL 4, where SIL 4 is the highest safety level.
Example of a SIF (Safety Instrumented Function):

Temperature control of a storage tank with steam heating

[Figure: storage tank; labelled elements: Valve, Steam entry, Steam exit, Temperature measurement (Pt100 sensor with IPAQ C520)]
Example of a SIF (cont.)

SIF with three major parts: Sensor, Logic solver and Final element:

Sensor  →  Logic solver (e.g. PLC or DCS)  →  Final element (Valve)

The safety function of a sensor has two major parts:
1. To ensure a correct measured value (self-check)
2. In case of a sensor error, the transmission of error information to the safety system, e.g. the Logic solver
Risk Assessment

Prior to designing and calculating the safety function (SIF), the so-called SIL assessment has to be performed, i.e. the safety level (e.g. SIL 2) with which the safety function (SIF) must comply has to be determined.

In IEC 61508 the following risk graph is used for this purpose. The starting point of the risk assessment is the extent of damage S; the graph then branches on the exposure of persons A and the possibility of risk avoidance G, and the probability of occurrence W selects the column:

  Extent of   Exposure   Risk         W1         W2     W3
  damage                 avoidance    very low   low    relatively high
  S1          -          -            -          -      -
  S2          A1         G1           -          SIL1   SIL1
  S2          A1         G2           SIL1       SIL1   SIL2
  S2          A2         G1           SIL1       SIL2   SIL2
  S2          A2         G2           SIL2       SIL2   SIL3
  S3          A1         -            SIL2       SIL3   SIL3
  S3          A2         -            SIL3       SIL3   SIL4
  S4          -          -            SIL3       SIL4   -*

Extent of damages
S1: Minor injuries of a person; minor harmful influences on the environment
S2: Serious, irreversible injuries of one or more persons or death of a person; temporary major harmful influences on the environment
S3: Death of several persons; lasting major harmful influences on the environment
S4: Catastrophic effects, many dead persons

How often/long do persons stay
A1: Seldom to once in a while
A2: Frequently to permanently

Risk avoidance
G1: Possible under special conditions
G2: Hardly possible

Probability of occurrence (W1, W2, W3)
W1: very low; W2: low; W3: relatively high

* Safety function on its own insufficient
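The risk graph above is a lookup table, and a transcription of it is easy to get subtly wrong. The following Python module (an added example, not code from the original slides) encodes the slide's graph as data, walks it with the same S → A → G → W path the slide describes, and adds a consistency check that a higher probability of occurrence never lowers the required SIL. The function names required_sil and table_is_monotone, the dictionary RISK_GRAPH and the parameter names s, a, g, w are my own; the SIL entries are copied from the slide.

```python
"""Lookup of the IEC 61508 risk graph as reproduced on the slide above.

Added example, not code from the original slides. The SIL entries are copied
from the slide's risk graph; the function and parameter names are my own.
"""
from typing import Optional, Dict, Tuple

# One row per path through the graph: (S, A, G) -> entries for (W1, W2, W3).
# S1 and S4 have no A/G branch and S3 has no G branch, so those keys use None.
# "-" is the slide's empty cell; "-*" is its "safety function on its own
# insufficient" cell.
RISK_GRAPH: Dict[Tuple[str, Optional[str], Optional[str]], Tuple[str, str, str]] = {
    ("S1", None, None): ("-",    "-",    "-"),
    ("S2", "A1", "G1"): ("-",    "SIL1", "SIL1"),
    ("S2", "A1", "G2"): ("SIL1", "SIL1", "SIL2"),
    ("S2", "A2", "G1"): ("SIL1", "SIL2", "SIL2"),
    ("S2", "A2", "G2"): ("SIL2", "SIL2", "SIL3"),
    ("S3", "A1", None): ("SIL2", "SIL3", "SIL3"),
    ("S3", "A2", None): ("SIL3", "SIL3", "SIL4"),
    ("S4", None, None): ("SIL3", "SIL4", "-*"),
}
W_COLUMNS = ("W1", "W2", "W3")  # very low, low, relatively high

# Ordering of the cells for comparisons: no requirement < SIL1..SIL4 <
# "a safety function alone is not enough".
RANK = {"-": 0, "SIL1": 1, "SIL2": 2, "SIL3": 3, "SIL4": 4, "-*": 5}


def required_sil(s: str, w: str, a: Optional[str] = None,
                 g: Optional[str] = None) -> str:
    """Walk the graph: S selects the branch, A and G (where the graph has
    them) select the row, W selects the column.

    Returns the slide's cell text ("-", "SIL1".."SIL4" or "-*") and raises
    ValueError for a parameter that is missing or not on the graph.
    """
    if w not in W_COLUMNS:
        raise ValueError(f"W must be one of {W_COLUMNS}, got {w!r}")
    needs_a = s in ("S2", "S3")
    needs_g = s == "S2"
    if needs_a and a is None:
        raise ValueError(f"{s} requires an exposure class A1/A2")
    if needs_g and g is None:
        raise ValueError(f"{s} requires a risk-avoidance class G1/G2")
    # Branches the graph does not have for this S are ignored on purpose.
    key = (s, a if needs_a else None, g if needs_g else None)
    if key not in RISK_GRAPH:
        raise ValueError(f"no row in the risk graph for {key}")
    return RISK_GRAPH[key][W_COLUMNS.index(w)]


def table_is_monotone() -> bool:
    """Sanity check of the transcription: within every row the requirement
    must not decrease from W1 to W3, because W3 is the higher probability."""
    for row in RISK_GRAPH.values():
        ranks = [RANK[cell] for cell in row]
        if any(later < earlier for earlier, later in zip(ranks, ranks[1:])):
            return False
    return True


if __name__ == "__main__":
    # The S2/A2/G2 path at relatively high probability lands on SIL3, while
    # the same consequence at very low probability needs only SIL2.
    print(required_sil("S2", "W3", "A2", "G2"))   # SIL3
    print(required_sil("S2", "W1", "A2", "G2"))   # SIL2
    print(required_sil("S4", "W3"))               # -*
    print(table_is_monotone())                    # True
```

Keeping the graph as data rather than as nested if/else makes the transcription reviewable against the slide cell by cell, and the monotonicity check catches the typical copy error of swapping two cells in a row.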
SIL Classification

FMEDA (Failure Mode, Effect and Diagnostics Analysis)

A given hardware is analyzed to evaluate its suitability for a specific application. Together with the investigation of the mechanical / electromechanical components, this allows the device’s failure rates needed for SIL determination to be defined.

Basically, three parameters resulting from FMEDA are used for SIL classification of the device:
- HFT (Hardware Fault Tolerance)
- SFF (Safe Failure Fraction)
- PFDavg (average Probability of Failure on Demand)
HFT (Hardware Fault Tolerance)

The HFT of a device indicates the quality of a safety function:

HFT = 0: Single-channel use. A single fault may cause a safety loss.
HFT = 1: Redundant version. At least two hardware faults must occur at the same time to cause a safety loss.

Through proven operation as well as different safety requirements, the value of the HFT can be increased by 1 according to IEC 61511.
SFF (Safe Failure Fraction)

This value represents the fraction of safe device failures. An SFF of 85 % means that 85 out of 100 device failures do not affect the safety function of the device.
The SFF is used together with the HFT to determine the safety level in which the device may be used, under consideration of these two values:

                      HFT
  SFF        0        1 or 0(1) 1)     2
  < 60 %     -        SIL1             SIL2
  60-90 %    SIL1     SIL2             SIL3
  90-99 %    SIL2     SIL3             SIL4
  > 99 %     SIL3     SIL4             SIL4

1) HFT 0(1): Single channel device with proven operation according to IEC 61511.
PFDavg (average Probability of Failure on Demand)

The PFDavg indicates the probability of failure of a safety function (SIF) or a device, referred to a certain time interval called the Proof Test Interval, T[Proof].
E.g.: PFDavg = 3.35 x 10^-4 with T[Proof] = 1 year means that the safety function or the device fails with a probability of 0.000335 within one year.
The following table shows which PFDavg is assigned to which SIL for a complete SIF:

  PFDavg                   SIL
  ≥ 10^-2 … < 10^-1        SIL1
  ≥ 10^-3 … < 10^-2        SIL2
  ≥ 10^-4 … < 10^-3        SIL3
  ≥ 10^-6 … < 10^-4        SIL4
PFDavg for the sensor part

A generally accepted distribution of the PFDavg values of a SIF assumes that 35 % of the total PFDavg is caused by the sensor part.
For a SIL 2 application the PFDavg value for the total SIF should be smaller than 10^-2, hence the maximum allowable PFDavg for the sensor part is 3.5 x 10^-3.

Sensor (35 % of total PFDavg)  →  Logic solver + Final element (65 % of total PFDavg)
SIL classification of a SIF (Safety Instrumented Function)

                  Sensor part     Logic solver part     Final element part
  HFT             0               0                     0
  SFF             92.1 %          99.2 %                91 %
  SIL (by SFF)    ► SIL 2         ► SIL 3               ► SIL 2

For the SIL classification based on the SFF value, the weakest part will count! In order to achieve SIL 2 for the SIF, the SFF values of all SIF parts have to comply with at least SIL 2!

PFDavg, SIF = PFDavg, Sensor + PFDavg, Logic solver + PFDavg, Final element
Generally accepted distribution: PFDavg, Sensor = 35 % of PFDavg, SIF
For the SIF, the PFDavg has to be less than 0.01 for SIL 2.
For the Sensor, the PFDavg has to be less than 0.0035 (35 % of 0.01) for SIL 2.

  PFDavg, SIF              SIL
  ≥ 10^-2 … < 10^-1        SIL 1
  ≥ 10^-3 … < 10^-2        SIL 2
  ≥ 10^-4 … < 10^-3        SIL 3
  ≥ 10^-6 … < 10^-4        SIL 4

SIL 2 classified SIF, PFDavg = 0.0049*, acc. to IEC 61508 / 61511
* Proof test interval = 1 year
SIL classification of 3-wire RTD sensor with IPAQ C520S

Result of FMEDA:
  HFT (Hardware Fault Tolerance) = 0
  SFF (Safe Failure Fraction) = 92.1 %
  PFDavg = 2.44 x 10^-4

SIL classification based on SFF:

                      HFT
  SFF        0        1        2
  < 60 %     -        SIL1     SIL2
  60-90 %    SIL1     SIL2     SIL3
  90-99 %    SIL2     SIL3     SIL4
  > 99 %     SIL3     SIL4     SIL4

SIL classification based on PFD:

  PFDavg                                                          SIL
  < 3.5 x 10^-3 (35 % of the PFDavg for a SIL 2 classified SIF)   SIL2

Common requirements:
- CE Declaration of Conformity
- Safety Manual
- Product documentation
- FMEDA test

Declaration of conformity SIL 2 acc. to IEC 61508 / 61511
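The two worked classifications above (the three-part SIF and the IPAQ C520S sensor) apply the same rules: look the SIL up from SFF and HFT, take the weakest part, add up the PFDavg contributions, and check the sensor against its 35 % share of the SIF budget. The Python module below is an added example that carries both through in code; it is not code from the original slides or from the transmitter maker. The SFF/HFT table, the PFDavg bands and the 35 % sensor share are copied from the slides; the names Part, SifResult, sil_from_sff, sil_from_pfd, sensor_pfd_limit, classify_sif and sensor_qualifies are my own, and the per-part PFDavg figures in the demo are constructed so that they add up to the slide's SIF total of 0.0049 (only the sensor value, 2.44 x 10^-4, is from the slides). Band edges are treated as lower-bound inclusive, the IEC 61508 convention, which the slides do not spell out.

```python
"""SIL classification of a SIF and of its sensor part from FMEDA figures.

Added example, not code from the original slides. Tables are copied from the
slides; class and function names and the demo's per-part PFDavg values are
my own constructions.
"""
from dataclasses import dataclass
from typing import List, Optional

# SFF/HFT table from the slide: (low %, high %) -> SIL for HFT 0, 1, 2.
# 0 stands for the slide's "-" (no SIL). Band edges follow the IEC 61508
# convention (assumption): 60 % <= SFF < 90 %, 90 % <= SFF < 99 %, SFF >= 99 %.
SFF_ROWS = [
    (0.0, 60.0, (0, 1, 2)),
    (60.0, 90.0, (1, 2, 3)),
    (90.0, 99.0, (2, 3, 4)),
    (99.0, float("inf"), (3, 4, 4)),
]

# PFDavg bands for a complete SIF from the slide: (low, high, SIL), low inclusive.
PFD_BANDS = [(1e-2, 1e-1, 1), (1e-3, 1e-2, 2), (1e-4, 1e-3, 3), (1e-6, 1e-4, 4)]

SENSOR_SHARE = 0.35  # generally accepted share of the SIF PFDavg for the sensor


def sil_from_sff(sff_percent: float, hft: int, proven_in_use: bool = False) -> int:
    """SIL a device may be used in, from its SFF and HFT (0 = no SIL).

    proven_in_use applies the IEC 61511 credit from the slides: the HFT
    counts one higher (the "HFT 0(1)" column), capped at the table's last column.
    """
    if not 0.0 <= sff_percent <= 100.0:
        raise ValueError("SFF must be a percentage between 0 and 100")
    if hft not in (0, 1, 2):
        raise ValueError("the table covers HFT 0, 1 and 2 only")
    column = min(hft + (1 if proven_in_use else 0), 2)
    for low, high, sils in SFF_ROWS:
        if low <= sff_percent < high:
            return sils[column]
    raise AssertionError("unreachable: the bands cover 0..100 %")


def sil_from_pfd(pfd_avg: float) -> Optional[int]:
    """SIL band of a complete SIF from its PFDavg: 0 if worse than SIL 1,
    None if the value lies below the slide's table (< 1e-6)."""
    if pfd_avg < 0.0:
        raise ValueError("PFDavg is a probability")
    if pfd_avg >= 1e-1:
        return 0
    for low, high, sil in PFD_BANDS:
        if low <= pfd_avg < high:
            return sil
    return None


def sensor_pfd_limit(target_sil: int) -> float:
    """Maximum PFDavg for the sensor part: 35 % of the upper bound of the
    SIF band (0.35 * 1e-2 = 3.5e-3 for SIL 2, as on the slide)."""
    for _, high, sil in PFD_BANDS:
        if sil == target_sil:
            return SENSOR_SHARE * high
    raise ValueError("target SIL must be 1..4")


@dataclass
class Part:
    name: str
    sff_percent: float
    hft: int
    pfd_avg: float
    proven_in_use: bool = False


@dataclass
class SifResult:
    sff_based_sil: int          # the weakest part counts
    pfd_total: float            # sum of the parts' PFDavg
    pfd_based_sil: Optional[int]
    achieved_sil: int           # the lower of the two classifications


def classify_sif(parts: List[Part]) -> SifResult:
    """Weakest SFF-based SIL across the parts and the band of the summed
    PFDavg; the SIF achieves whichever of the two is lower."""
    if not parts:
        raise ValueError("a SIF needs at least one part")
    sff_sil = min(sil_from_sff(p.sff_percent, p.hft, p.proven_in_use) for p in parts)
    total = sum(p.pfd_avg for p in parts)
    pfd_sil = sil_from_pfd(total)
    achieved = min(sff_sil, 4 if pfd_sil is None else pfd_sil)
    return SifResult(sff_sil, total, pfd_sil, achieved)


def sensor_qualifies(sensor: Part, target_sil: int) -> bool:
    """Device check as on the IPAQ C520S slide: SFF-based SIL at least the
    target and PFDavg below the sensor's 35 % share of the target band."""
    sff_ok = sil_from_sff(sensor.sff_percent, sensor.hft, sensor.proven_in_use) >= target_sil
    return sff_ok and sensor.pfd_avg < sensor_pfd_limit(target_sil)


if __name__ == "__main__":
    # SFF/HFT figures from the SIF slide; logic solver and final element
    # PFDavg values are constructed so the total equals the slide's 0.0049.
    sif = [Part("Sensor (IPAQ C520S)", 92.1, 0, 2.44e-4),
           Part("Logic solver", 99.2, 0, 1.56e-4),     # constructed
           Part("Final element", 91.0, 0, 4.5e-3)]     # constructed
    print(classify_sif(sif))            # sff 2, pfd 2 -> achieved SIL 2
    print(sensor_qualifies(sif[0], 2))  # True
```

The weakest-link rule is the security-relevant lesson here: the logic solver's SIL 3 buys nothing while either field device sits at SIL 2, and a sensor that passes the SFF table can still fail the PFDavg budget, so both checks have to be run, not one.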
Safety relevant characteristics of the transmitters

IPAQ R520S & C520S temperature transmitters:
- SIL2 approved design acc. to IEC 61508
- Redundant input circuit with sensor backup
- Sensor drift detection
- Maximum long-term drift: 0.05% of span within 5 years
- Shock resistant up to 10g

[Figures: IPAQ R520S, IPAQ C520S]