
Selection of Components For Functional Safety Systems

This document discusses selecting components for functional safety systems. It outlines three main criteria for component evaluation: 1) systematic capability to avoid faults, 2) architectural constraints regarding robustness, and 3) probability of failure on demand. The achieved safety integrity level depends on the lowest level achieved across these criteria. The document provides examples of interpreting component certificates and evaluating if criteria like failure rates are suitable for the target safety integrity level application. General guidelines are given for interpreting certificates and ensuring components meet technical, functional and safety requirements.


Selection of components for functional safety systems
requirements, certificates and typical pitfalls

Dr. Jörg Isenberg, AUMA Riester GmbH
14-15 May 2018
Choosing components for SIS
How to interpret certificate headlines?

1. The component may be used in any SIL 3 application
2. The component may be used in SIL 3 applications if HFT=1 (if HFT=0, SIL 2 is permissible)
3. The systematic capability is 3, but it has to be checked separately which SIL may be achieved due to failure probability (PFD) and architectural constraints

To find out, you need to read & interpret the details of the certificate!
Choosing components for SIS
Criteria for component evaluation
- General suitability for the application
- Fulfillment of the 3 main criteria of IEC 61508
- Additional criteria
General suitability for the application
General suitability for the intended application:
- Environmental conditions (temperature, humidity, …)
- Influence of process media (corrosivity, particles, …)
- Mechanical requirements (torque, closing time, vibrations, …)
- Functionality (safety function(s), priority, …)

A “SIL 1 capable” component optimally suited to the general (process) requirements → higher risk reduction than an unsuitable “SIL 3 capable” component!
The 3 main criteria of IEC 61508

SIL of a SIF always depends on 3 criteria:
- Systematic capability (avoidance of systematic faults)
- Architectural constraints (robustness of system)
- Probability of failure on demand (PFD)
The SIL achieved is the lowest SIL achieved by any of these 3 criteria!

Example:
- Systematic capability → SIL 3
- Architectural constraints → SIL 1
- Probability of failure on demand (PFD) → SIL 2
i.e. achieved SIL for this SIF → SIL 1
The 3 main criteria – systematic capability


Route 1S:
- Set of requirements (Functional Safety Management) to be obeyed in the different safety life cycle phases
- Necessary to make systematic failures unlikely
- Different for each SIL → Systematic capability SC=1…4
Route 2S: proven in use (IEC 61508) / prior use (IEC 61511)
The 3 main criteria – systematic capability

(certificate excerpt shown as an image on the slide; Data Source: Manufacturer homepage)

The 3 main criteria – system architecture


IEC 61508:
Route 1H: Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT)
Route 2H: HFT & field data evaluation with raised confidence levels
The 3 main criteria – system architecture
Architectural constraints:

Maximum allowed SIL due to architectural constraints (route 1H):

Type A device:
SFF          | HFT=0 | HFT=1 | HFT=2
< 60%        | SIL 1 | SIL 2 | SIL 3
60% … < 90%  | SIL 2 | SIL 3 | SIL 4
90% … < 99%  | SIL 3 | SIL 4 | SIL 4
≥ 99%        | SIL 3 | SIL 4 | SIL 4

Type B device:
SFF          | HFT=0 | HFT=1 | HFT=2
< 60%        | --    | SIL 1 | SIL 2
60% … < 90%  | SIL 1 | SIL 2 | SIL 3
90% … < 99%  | SIL 2 | SIL 3 | SIL 4
≥ 99%        | SIL 3 | SIL 4 | SIL 4
The 3 main criteria – system architecture
Architectural constraints:
- Attention, if no SFF and no (random) integrity is stated!
Page 2 of same certificate:

Safety Function | λSD     | λSU     | λDD      | λDU     | SFF
ESD w/o PST     | 404 FIT | 185 FIT | 1920 FIT | 974 FIT | 72%
ESD with PST    | 461 FIT | 185 FIT | 2510 FIT | 388 FIT | 89%

Data Source: Manufacturer homepage


→ Architectural constraints: SIL 1 capable (HFT=0) with/without PST!
Data Source: Manufacturer homepage

Disclaimer: Compensation by other parts of the same element (if any) possible
The 3 main criteria – system architecture

More explicit certificates do exist: SIL capability explicitly given for both systematic and random capability.

(certificate excerpt shown as an image on the slide; Data Source: Manufacturer homepage)

The 3 main criteria – failure rates (PFD)


SIL   | Average Probability of Failure on Demand (Type of duty: Low demand)
SIL 4 | < 10^-4
SIL 3 | < 10^-3
SIL 2 | < 10^-2
SIL 1 | < 10^-1

The 3 main criteria – failure rates (PFD)
Acceptable PFD for an actuator in a SIL 2 safety function?
All Safety Instrumented Systems consist of Sensor – Logic – Actuator
→ A single component mustn’t consume the whole allowed PFD!
Non-normative but widely accepted breakdown:
- 25 %-rule should roughly be obeyed
→ Actuator for SIL 2 should have PFD < 2.5 × 10^-3
The 3 main criteria – failure rates (PFD)
Example from safety manual of an actuator:
- According to certificate, actuator is “SIL 2 capable”

Product
Safety Function: ESD
λSD  Safe detected failure rate        … FIT
λSU  Safe undetected failure rate      … FIT
λDD  Dangerous detected failure rate   … FIT
λDU  Dangerous undetected failure rate … FIT
PFDavg @ PTI = 1 yr, MTTR = 24 hrs, no PVST            1.1 × 10^-2
PFDavg @ TPVST = 6 months, MTTR = 24 hrs, with PVST    5.8 × 10^-3
Safe Failure Fraction (SFF)  …
Diagnostic coverage (DC)     …

Total budget – PFD for SIL 2: XY  ?  sensor + logic + valve + gearbox + actuator
Additional criteria
Additional criteria:
- Demand mode
- Safety function
- …
Conclusion

Subject | Important | Where to find
Process & environmental conditions | Always buy components that match all conditions | Technical documentation
Functionality | All functionality requirements fulfilled; differences safety function ↔ standard operation? | Technical documentation or safety manual
Systematic capability | Must fit your SIL requirement | “SIL” certificate or safety manual
Architectural constraints | Sufficient SFF (ed. 2 of IEC 61508) or sufficient evidence for route 2H | “SIL” certificate or safety manual
Failure rate (PFD) | Component shall only consume part of the allowed PFD (e.g. ≤ 25% for actuator) | “SIL” certificate or safety manual
AUMA Endüstri Kontrol Sistemleri
TEL: +90 312 217 32 88
WEB: www.auma.com.tr
E-MAIL: [email protected]
