SIL Explanation
Product & Technology Quality . Excellence . Support
Automation & Safety
27 JAN 2006
MAC - A.Wenigenrath - 26.JAN 06 - English 2
Machine Control – Industrial Presence Sensors / Control and Signaling / Machine Safety
Functional Safety and Safety Integrity Level (SIL)
New Technologies for the Safety of Machinery

Machine safety is a fast growing segment of industrial automation, driven by new technologies like safety field buses and integrated safety in drives, along with the development of international safety standards.
The new safety technologies like safety PLCs or safety field buses require the use of highly complex electronic components like microcontrollers and, of course, the use of firmware and software.
The revision of the existing ISO 13849-1 (equivalent to EN 954-1) and new standards within the framework of IEC/EN 61508, like IEC/EN 62061, take into account the use of these new technologies in safety products and solutions and provide guidelines to calculate the probability of failures.
With these new technologies and standards, worker safety and cost savings can be realised through an intelligent safety strategy.
Functional Safety and Safety Integrity Level (SIL)
New Standards for the Safety of Machinery

Today more and more of the devices and products dedicated to the safety of machinery incorporate complex and programmable electronic systems. Due to the complexity of programmable electronic systems it is in practice difficult to determine the behaviour of such a safety device in the case of a fault. Therefore the standard IEC/EN 61508, with the title "Functional safety of electrical/electronic/programmable electronic safety-related systems", provides a new approach by considering the reliability of safety functions.
It is a basic safety standard for industry and for the process sectors. IEC/EN 62061 is the machine-sector-specific standard within the framework of IEC/EN 61508. EN 62061 is harmonised under the European Machinery Directive. The Safety Integrity Level (SIL) is the new measure defined in IEC 61508 for the probability of failures in a safety function or a safety-related system.
Note: IEC = International Electrotechnical Committee; EN = European Norm
Functional Safety and Safety Integrity Level (SIL)
Sector specific standards for the Process Industry and Machinery

Basic standard: IEC/EN 61508, Functional safety of electrical / electronic / programmable electronic safety-related systems
– Software: IEC/EN 61508-3
– Process: IEC/EN 61511
– Machines: IEC/EN 62061 and prEN ISO 13849-1*
Safety of systems and equipment: EN 954-1*, Safety related parts of control systems
* Covering the non-electrical technologies, e.g. hydraulics ...
Functional Safety and Safety Integrity Level (SIL)
Definition of Functional Safety according to IEC/EN 61508

Safety is freedom from unacceptable risk (from ISO/IEC Guide 51).
Functional safety is the part of the overall safety that relates to the EUC and the EUC control system. It depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.
Note: EUC = equipment under control; E/E/PE = electrical / electronic / programmable electronic
Safety Integrity Level (SIL): the achieved functional safety is graded on a scale of 4 levels*. The level depends on the probability of dangerous failures together with the fault tolerance and the quality by which freedom from systematic faults is ensured.
* Note: Safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 the lowest.
Functional Safety and Safety Integrity Level (SIL)
Risk reduction according to IEC/EN 61508

Safety is achieved by risk reduction (for those hazards that cannot be designed out). Residual risk is the risk remaining after protective measures have been taken. Protective measures realised by E/E/PE safety-related systems contribute to risk reduction.
Note: EUC = equipment under control; E/E/PE = electrical / electronic / programmable electronic

[Figure: risk reduction scale with increasing risk from left to right: residual risk – tolerable risk – EUC risk. The necessary risk reduction spans from the EUC risk down to the tolerable risk; the actual risk reduction, achieved by all safety-related systems and external risk reduction facilities, spans from the EUC risk down to the residual risk. It is made up of the practical risk covered by other technology safety-related systems, the practical risk covered by E/E/PE safety-related systems and the practical risk covered by external risk reduction facilities.]
Functional Safety and Safety Integrity Level (SIL)
The safety integrity levels consider the probability of failures

For machinery, the probability of dangerous failures per hour of a control system is denoted in IEC/EN 62061 as the PFHd.
IEC 61508 considers two modes of operation:
– high demand or continuous mode, where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof check frequency; or
– low demand mode, where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency.
The low demand mode is not considered in IEC/EN 62061 to be relevant for safety applications at machinery!
SIL 4 is not considered in IEC/EN 62061, as it is not relevant to the risk reduction requirements normally associated with machinery.

Safety integrity level (SIL)   PFHd: high demand or continuous mode of operation (probability of a dangerous failure per hour)   PFDaverage: low demand mode of operation (average probability of failure to perform its design function on demand)
4   >= 10^-9 to < 10^-8   >= 10^-5 to < 10^-4
3   >= 10^-8 to < 10^-7   >= 10^-4 to < 10^-3
2   >= 10^-7 to < 10^-6   >= 10^-3 to < 10^-2
1   >= 10^-6 to < 10^-5   >= 10^-2 to < 10^-1
Functional Safety and Safety Integrity Level (SIL)
The safety integrity levels are identified by the probability of failures

The rate of failures can be expressed as follows: λ = λs + λdd + λdu
(λs = rate of safe failures, λdd = rate of detected dangerous failures, λdu = rate of undetected dangerous failures.) In practice, detected dangerous failures are dealt with by fault reaction functions.
The calculation of the PFHd for a system or subsystem depends on several parameters:
– the dangerous failure rate (λd) of the subsystem elements
– the fault tolerance (e.g. redundancy) of the system
– the diagnostic test interval (T2)
– the proof test interval (T1) or the lifetime, whichever is smaller
– the susceptibility to common cause failures (β)
For each of the four different logical architectures A to D there is a different formula to calculate the PFHd. (The principal relationship is: PFHd = λd x 1 h)
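The failure-rate split and the SIL table of the two slides above, worked through in Python as an added example (my code, not from the slide deck or its author). A single-channel element's per-hour rates are combined into λd, the PFHd is taken as λd x 1 h as the slide states, and the result is placed into the IEC 61508 SIL bands for both modes of operation, with the IEC/EN 62061 exclusion of SIL 4 applied on top. The sample rates, the 8760 h/year figure and the fault_reaction switch are my assumptions: counting only λdu as dangerous once detected failures are handled by the fault reaction function is a simplification I introduce, not a formula from the slides.

```python
"""Failure-rate bookkeeping, PFHd and SIL classification for a single-channel subsystem.

Added example, not from the slide deck. The failure-rate split, the SIL table and the
mode-of-operation rule are the ones stated on the slides; the sample rates are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FailureRates:
    """Per-hour failure rates of one element: lambda = lambda_s + lambda_dd + lambda_du."""
    safe: float                  # lambda_s: failures that leave the system in a safe state
    dangerous_detected: float    # lambda_dd: dangerous failures revealed by diagnostics
    dangerous_undetected: float  # lambda_du: dangerous failures no diagnostic reveals

    @property
    def total(self) -> float:
        return self.safe + self.dangerous_detected + self.dangerous_undetected

    @property
    def dangerous(self) -> float:
        """lambda_d, the rate that enters the PFHd calculation."""
        return self.dangerous_detected + self.dangerous_undetected


def pfhd_single_channel(rates: FailureRates, fault_reaction: bool = False) -> float:
    """PFHd = lambda_d x 1 h for a single channel without redundancy.

    With fault_reaction=True the (constructed) assumption is that every detected dangerous
    failure is brought to a safe state by the fault reaction function before it can cause
    harm, so only lambda_du remains dangerous. This is my simplification, not a slide formula.
    """
    rate = rates.dangerous_undetected if fault_reaction else rates.dangerous
    return rate * 1.0  # x 1 h


# SIL bands from the slide: (SIL, lower bound inclusive, upper bound exclusive)
SIL_HIGH_DEMAND_PFHD = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]
SIL_LOW_DEMAND_PFD = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def _lookup(value: float, bands) -> Optional[int]:
    for sil, low, high in bands:
        if low <= value < high:
            return sil
    return None  # outside the table: either better than SIL 4 or no SIL at all


def sil_from_pfhd(pfhd: float) -> Optional[int]:
    """SIL for high demand / continuous mode (IEC 61508 table on the slide)."""
    return _lookup(pfhd, SIL_HIGH_DEMAND_PFHD)


def sil_from_pfd(pfd_avg: float) -> Optional[int]:
    """SIL for low demand mode (IEC 61508 table on the slide)."""
    return _lookup(pfd_avg, SIL_LOW_DEMAND_PFD)


def machinery_sil_from_pfhd(pfhd: float) -> Optional[int]:
    """Same lookup, restricted as IEC/EN 62061 does: SIL 4 is not considered for machinery."""
    sil = sil_from_pfhd(pfhd)
    if sil == 4:
        raise ValueError("SIL 4 is not considered in IEC/EN 62061")
    return sil


def mode_of_operation(demands_per_year: float, proof_tests_per_year: float) -> str:
    """Classify the mode of operation by the IEC 61508 rule quoted on the slide."""
    if demands_per_year > 1 or demands_per_year > 2 * proof_tests_per_year:
        return "high demand or continuous"
    return "low demand"


if __name__ == "__main__":
    # Constructed sample element: 2e-7/h safe, 1.8e-7/h dangerous detected, 2e-8/h undetected
    element = FailureRates(safe=2e-7, dangerous_detected=1.8e-7, dangerous_undetected=2e-8)
    pfhd = pfhd_single_channel(element)
    print(f"lambda_d = {element.dangerous:.2e}/h, PFHd = {pfhd:.2e} -> SIL {machinery_sil_from_pfhd(pfhd)}")
    pfhd_fr = pfhd_single_channel(element, fault_reaction=True)
    print(f"only lambda_du dangerous: PFHd = {pfhd_fr:.2e} -> SIL {machinery_sil_from_pfhd(pfhd_fr)}")
    # A press cycling 20 times per hour (8760 h/year assumed) with a yearly proof test
    print("press, 20 demands/h, yearly proof test:", mode_of_operation(20 * 8760, 1))
```

The constructed element lands in SIL 2 on λd alone and in SIL 3 once only λdu is counted, which is the practical reason the slide singles out detected dangerous failures: diagnostics plus a fault reaction move rate from λdu to λdd, and only λdu stays dangerous.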
Functional Safety and Safety Integrity Level (SIL)
Risk graph of IEC/EN 61508-5 (given as an example in an informative Annex)

a, b, c, d, e, f, g, h represent the necessary minimum risk reduction. The link between the necessary minimum risk reduction and the safety integrity level is shown in the table.

[Figure: risk graph. From the starting point for risk reduction estimation the graph branches on the consequence (C1 to C4), the frequency and exposure time (F1, F2) and the possibility of avoiding the hazard (P1, P2); the result is then read in the column for the probability of the unwanted occurrence, W3, W2 or W1. The eight outcome rows of the graph, from top to bottom:
W3   W2   W1
a    -    -
b    a    -
c    b    a
d    c    b
e    d    c
f    e    d
g    f    e
h    g    f]

C = Consequence risk parameter
F = Frequency and exposure time risk parameter
P = Probability of avoiding hazard risk parameter
W = Probability of unwanted occurrence
a, b, c ... h = Estimates of the required risk reduction for the SRSs

Necessary minimum risk reduction   Safety integrity level
-      No safety requirements
a      No special safety requirements
b, c   1
d      2
e, f   3
g      4
h      An E/E/PE SRS is not sufficient
Functional Safety and Safety Integrity Level (SIL)
Risk parameters given as an example in IEC/EN 61508
Safety of Machinery and Functional Safety
Machinery: Risk estimation and SIL assignment of IEC/EN 62061 (given as an example in an informative Annex)

[Figure: the risk related to the identified hazard is a function of the severity of the possible harm (Se) and of the probability of occurrence of that harm, which in turn is made up of the frequency and duration of exposure (Fr), the probability of occurrence of a hazardous event (Pr) and the probability of avoiding or limiting harm (Av).]
Safety of Machinery and Functional Safety
Machinery: Risk parameter examples of IEC/EN 62061

Consequences, severity (Se):
Irreversible: death, losing an eye or arm   4
Irreversible: broken limb(s), losing finger(s)   3
Reversible: requiring attention from a medical practitioner   2
Reversible: requiring first aid   1

Frequency and duration of exposure (Fr), for a duration > 10 min:
<= 1 h   5
> 1 h to <= 1 day   5
> 1 day to <= 2 weeks   4
> 2 weeks to <= 1 year   3
> 1 year   2

Probability of occurrence of a hazardous event (Pr):
Very high   5
Likely   4
Possible   3
Rarely   2
Negligible   1

Probability of avoiding or limiting harm (Av):
Impossible   5
Rarely   3
Probable   1

List all the possible hazards of the machine, determine the parameters according to the tables and fill in the values. The class Cl is the sum: Fr + Pr + Av = Cl
Serial no.   Hazard   Se   Fr   Pr   Av   Cl
1
2
3
4
Safety of Machinery and Functional Safety
Machinery: Determination of the required SIL. Example according to IEC/EN 62061

(The Se, Fr, Pr and Av parameter tables are the same as on the previous slide.)
Serial no.   Hazard     Se   Fr   Pr   Av   Cl
1            hazard x   4    5    4    3    12    (Fr + Pr + Av = 5 + 4 + 3 = 12)
Safety of Machinery and Functional Safety
Machinery: Risk assessment form given as an example in IEC/EN 62061

Risk assessment and safety measures
Product:   Issued by:   Date:
Black area = safety measures required; grey area = safety measures recommended

Class Cl:          3 - 4    5 - 7    8 - 10   11 - 13   14 - 15
Severity (Se) 4    SIL 2    SIL 2    SIL 2    SIL 3     SIL 3
Severity (Se) 3             OM       SIL 1    SIL 2     SIL 3
Severity (Se) 2                      OM       SIL 1     SIL 2
Severity (Se) 1                               OM        SIL 1

Consequences, severity (Se): death, losing an eye or arm 4; permanent, losing fingers 3; reversible, medical attention 2; reversible, first aid 1
Frequency and duration (Fr): <= 1 hour 5; > 1 h to <= 1 day 5; > 1 day to <= 2 wks 4; > 2 wks to <= 1 year 3; > 1 year 2
Probability of hazardous event (Pr): common 5; likely 4; possible 3; rarely 2; negligible 1
Avoidance (Av): impossible 5; possible 3; likely 1

No.   Hazard   Se   Fr   Pr   Av   Cl   Safety measure   Safe   Comments
Safety of Machinery: prEN ISO 13849-1, definition of MTTFd

Instead of a failure rate per hour (λ), prEN ISO 13849-1 uses the mean time to failure (MTTF) as the parameter for the probability of failures.
MTTF = mean time to failure [years]
– The mean time after installation of devices to any first failure.
– The relation between λ and MTTF is: MTTF = 1/λ
MTBF = mean time between failures
– Not relevant for devices which are not repaired.
MTTFd = mean time to dangerous failure
– The MTTFd is defined in prEN ISO 13849-1 as the expectation of the mean time to dangerous failure of a safety related part of a control system.
Safety of Machinery: new parameters of prEN ISO 13849-1

prEN ISO 13849-1 adds three new parameters to the requirements of the categories of EN 954-1 in order to determine the Performance Level (PL):

MTTFd = mean time to dangerous failure
– Three levels of MTTFd are defined in this standard in order to classify the requirements of the categories and the performance levels (PL):
Denotation of mean time to dangerous failure   Range of MTTFd
low      3 years <= MTTFd < 10 years
medium   10 years <= MTTFd < 30 years
high     30 years <= MTTFd < 100 years

DC = diagnostic coverage, DC = λdd / λd total
Denotation of diagnostic coverage   Range of DC
none     DC < 60%
low      60% <= DC < 90%
medium   90% <= DC < 99%
high     99% <= DC

CCF = common cause failure (β)
– This parameter describes the failure of different items resulting from a single event. (The CCF can be estimated with the help of table I.1 in annex I of prEN ISO 13849-1.)
Safety of Machinery: prEN ISO 13849-1
Risk graph and parameters

[Figure: risk graph. From the starting point for the evaluation of the contribution to the risk reduction of a safety function, the graph branches on S1/S2, then F1/F2, then P1/P2, and leads to the required performance level (PLr) a, b, c, d or e, from low contribution to risk reduction (a) to high contribution to risk reduction (e).]

S = Severity of injury
S1 = Slight (normally reversible) injury
S2 = Serious (normally irreversible) injury, including death
F = Frequency and/or exposure time to the hazard
F1 = Seldom to less often and/or the exposure time is short
F2 = Frequent to continuous and/or the exposure time is long
P = Possibility of avoiding the hazard or limiting the harm
P1 = Possible under specific conditions
P2 = Scarcely possible
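The IEC/EN 62061 class method of the three preceding slides (Se, Fr, Pr, Av, Cl = Fr + Pr + Av, then the SIL assignment matrix of the risk assessment form) and the prEN ISO 13849-1 risk graph of this slide, side by side as an added Python example (my code, not from the slides or their author). The parameter scores, the Cl rule and the SIL matrix are transcribed from the slides; the path-to-PLr mapping of the 13849-1 graph is the one in the standard's risk graph (Figure A.1) as I know it, because the extracted slide preserves only the labels; the register entries other than the slide's own "hazard x" are constructed.

```python
"""Risk estimation for a machine hazard, two ways: the IEC/EN 62061 class/matrix method
(Se, Fr, Pr, Av -> Cl -> SIL) and the prEN ISO 13849-1 risk graph (S, F, P -> PLr).

Added example, not from the slide deck. The 62061 tables come from the slides; the
13849-1 path mapping is from the standard's Figure A.1 (labels only on the slide).
"""
from typing import Dict, List, Optional, Tuple

# IEC/EN 62061 parameter tables as tabulated on the "Risk parameter examples" slide
SE = {"irreversible: death, losing an eye or arm": 4,
      "irreversible: broken limb(s), losing finger(s)": 3,
      "reversible: requiring attention from a medical practitioner": 2,
      "reversible: requiring first aid": 1}
FR = {"<= 1 h": 5, "> 1 h to <= 1 day": 5, "> 1 day to <= 2 weeks": 4,
      "> 2 weeks to <= 1 year": 3, "> 1 year": 2}   # exposure duration > 10 min
PR = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
AV = {"impossible": 5, "rarely": 3, "probable": 1}

# Columns of the SIL assignment matrix on the risk assessment form: Cl bands, both bounds inclusive
CL_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
# Rows by severity. None = white cell, "OM" = grey cell (safety measures recommended),
# "SIL n" = black cell (safety measures required).
SIL_MATRIX: Dict[int, List[Optional[str]]] = {
    4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: [None, "OM", "SIL 1", "SIL 2", "SIL 3"],
    2: [None, None, "OM", "SIL 1", "SIL 2"],
    1: [None, None, None, "OM", "SIL 1"],
}


def risk_class(fr: int, pr: int, av: int) -> int:
    """Cl = Fr + Pr + Av, after checking each score is one the tables actually define."""
    for name, value, table in (("Fr", fr, FR), ("Pr", pr, PR), ("Av", av, AV)):
        if value not in table.values():
            raise ValueError(f"{name}={value} is not a score from the {name} table")
    return fr + pr + av


def required_sil(se: int, cl: int) -> Optional[str]:
    """Read the SIL assignment matrix; None means the cell is empty (no safety requirement)."""
    for column, (low, high) in enumerate(CL_BANDS):
        if low <= cl <= high:
            return SIL_MATRIX[se][column]
    raise ValueError(f"class {cl} lies outside 3..15")


def assess(hazards: List[Tuple[str, int, int, int, int]]) -> List[dict]:
    """Fill in the register rows (Serial no., Hazard, Se, Fr, Pr, Av, Cl) plus the matrix result."""
    rows = []
    for serial, (name, se, fr, pr, av) in enumerate(hazards, start=1):
        cl = risk_class(fr, pr, av)
        rows.append({"no": serial, "hazard": name, "Se": se, "Fr": fr, "Pr": pr, "Av": av,
                     "Cl": cl, "required": required_sil(se, cl)})
    return rows


# prEN ISO 13849-1 risk graph: (S, F, P) -> PLr. Mapping from the standard's Figure A.1,
# not from the extracted slide, which keeps only the S/F/P labels and the letters a..e.
PLR_GRAPH = {("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b", ("S1", "F2", "P1"): "b",
             ("S1", "F2", "P2"): "c", ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
             ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e"}


def required_pl(s: str, f: str, p: str) -> str:
    """Walk the 13849-1 risk graph for one S/F/P path."""
    try:
        return PLR_GRAPH[(s, f, p)]
    except KeyError:
        raise ValueError(f"no such path in the risk graph: {s} {f} {p}") from None


if __name__ == "__main__":
    register = [  # constructed entries; the first is the slide's worked "hazard x"
        ("hazard x", 4, 5, 4, 3),
        ("hand caught in guard during setup", SE["reversible: requiring first aid"],
         FR["> 1 day to <= 2 weeks"], PR["possible"], AV["probable"]),
    ]
    for row in assess(register):
        print(row)
    print("13849-1 risk graph, S2 F2 P1 ->", required_pl("S2", "F2", "P1"))
```

The slide's "hazard x" (Se 4, Cl 12) falls into the 11-13 column of the Se 4 row, a black SIL 3 cell; the second, constructed entry (Se 1, Cl 8) lands in a white cell, which is the form's way of saying the matrix assigns no safety requirement for it.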
Safety of Machinery: prEN ISO 13849-1
Probability of dangerous failure and performance level (PL)

In contrast to the pure categories, the performance levels now also refer to failure rates per hour required for the safety related parts of the control system:
Performance level (PL), prEN ISO 13849-1   Average probability of a dangerous failure per hour [1/h]
a   >= 10^-5 to < 10^-4
b   >= 3 x 10^-6 to < 10^-5
c   >= 10^-6 to < 3 x 10^-6
d   >= 10^-7 to < 10^-6
e   >= 10^-8 to < 10^-7

The relation between the categories, the PL and the SIL is the following:
Category (EN 954-1, prEN 13849-1)   Performance level (PL), prEN ISO 13849-1   SIL (IEC 61508, EN 62061)
B   a   no special safety requirements
1   b   1
2   c   1
3   d   2
4   e   3
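MTTF = 1/λ, the MTTFd and DC bands, the PL ranges and the PL-to-SIL correspondence of the last four slides, combined in one added Python example (my code, not the slides' or their author's). The band limits are the slides' own; the 8760 h/year conversion, the sample MTTFd of 50 years and the share of λd that diagnostics detect are my assumptions. The PL is read from the PFH range alone; the limits that the category and DCavg chart of the next slide imposes on top of that are not modelled here.

```python
"""Converting between failure rate and MTTFd, classifying DC and MTTFd, and mapping a
dangerous-failure rate to a prEN ISO 13849-1 performance level and its SIL counterpart.

Added example, not from the slide deck. Band limits are those tabulated on the slides;
the 8760 h/year conversion and the sample values are assumptions.
"""
from typing import Optional

HOURS_PER_YEAR = 8760.0  # assumption: 365 d x 24 h; MTTFd is given in years, lambda per hour


def mttf_from_lambda(lambda_per_hour: float) -> float:
    """MTTF = 1/lambda, converted from hours to years."""
    if lambda_per_hour <= 0:
        raise ValueError("failure rate must be positive")
    return 1.0 / lambda_per_hour / HOURS_PER_YEAR


def lambda_from_mttf(mttf_years: float) -> float:
    """Inverse: lambda [1/h] = 1 / (MTTF [years] x 8760 h/year)."""
    if mttf_years <= 0:
        raise ValueError("MTTF must be positive")
    return 1.0 / (mttf_years * HOURS_PER_YEAR)


def mttfd_band(mttfd_years: float) -> Optional[str]:
    """low / medium / high per the slide's table; None outside the 3..100 year range it covers."""
    if 3 <= mttfd_years < 10:
        return "low"
    if 10 <= mttfd_years < 30:
        return "medium"
    if 30 <= mttfd_years < 100:
        return "high"
    return None


def diagnostic_coverage(lambda_dd: float, lambda_d_total: float) -> float:
    """DC = lambda_dd / lambda_d total, returned as a fraction 0..1."""
    if lambda_d_total <= 0 or not 0 <= lambda_dd <= lambda_d_total:
        raise ValueError("lambda_dd must lie between 0 and lambda_d total")
    return lambda_dd / lambda_d_total


def dc_band(dc: float) -> str:
    """none / low / medium / high per the slide's DC table."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# (PL, lower bound inclusive, upper bound exclusive) of the average probability of a
# dangerous failure per hour, from the PL table on the slide
PL_BANDS = [("a", 1e-5, 1e-4), ("b", 3e-6, 1e-5), ("c", 1e-6, 3e-6),
            ("d", 1e-7, 1e-6), ("e", 1e-8, 1e-7)]
# PL -> SIL and category -> PL from the slide's correspondence table;
# PL a carries no SIL ("no special safety requirements")
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}
CATEGORY_TO_PL = {"B": "a", "1": "b", "2": "c", "3": "d", "4": "e"}


def pl_from_pfh(pfh: float) -> Optional[str]:
    for pl, low, high in PL_BANDS:
        if low <= pfh < high:
            return pl
    return None  # outside the table: worse than PL a or better than PL e


def pl_summary(mttfd_years: float, detected_share: float) -> dict:
    """Everything the slides derive from one channel's MTTFd and its diagnostics.

    detected_share is the assumed fraction of lambda_d that diagnostics reveal (lambda_dd).
    The PL is read from the PFH range only; the category/DC limits are not applied.
    """
    lam_d = lambda_from_mttf(mttfd_years)
    dc = diagnostic_coverage(detected_share * lam_d, lam_d)
    pl = pl_from_pfh(lam_d)
    return {"lambda_d_per_h": lam_d, "mttfd_band": mttfd_band(mttfd_years),
            "dc": dc, "dc_band": dc_band(dc), "pl": pl, "sil": PL_TO_SIL.get(pl)}


if __name__ == "__main__":
    # Constructed channel: MTTFd 50 years, diagnostics detect 95 % of dangerous failures
    print(pl_summary(50, 0.95))
```

With a constructed MTTFd of 50 years, λd comes out near 2.3 x 10^-6 /h, which the PL table places in PL c and the correspondence table maps to SIL 1; the MTTFd band is "high" and 95 % DC is "medium", the two inputs the next slide's chart combines with the category.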
Safety of Machinery: prEN ISO 13849-1
Relationship between categories, DC, MTTFd and PL

[Figure: bar chart of the performance level (PL a to e) reached by each architecture, Cat. B (DCavg = 0), Cat. 1 (DCavg = 0), Cat. 2 (DCavg = low), Cat. 2 (DCavg = medium), Cat. 3 (DCavg = low), Cat. 3 (DCavg = medium) and Cat. 4 (DCavg = high), for an MTTFd of each channel of low, medium or high.]
Performance level   Safety integrity level
a   *
b   1
c   1
d   2
e   3
* In several applications the realisation of performance level c by category 1 may not be sufficient. In this case a higher category, e.g. 2 or 3, should be chosen.