SIL – Safety Classification
DESCRIPTION
SIL (Safety Integrity Level), Safety Classification
TRANSCRIPT
1. Functional Safety
2. SIL Classification
Functional Safety is about reducing the risk for this
Functional Safety
Context
Functional Safety is improved by implementing a so-called SIS (Safety Instrumented System), including the necessary number of SIFs (Safety Instrumented Functions).
The Risk Assessment of the plant defines the SIL (Safety Integrity Level) of each SIF.
Functional Safety
Functional Safety Standards
Applicable Safety Standard:
Device Manufacturers: IEC 61508
System Designers and Users: IEC 61511
Functional Safety
IEC 61508 and IEC 61511 provide an adequate basis for:
Risk Assessment of an industrial process
SIS Design
Product design
SIL classification of SIFs and products
Functional Safety
What is SIL (Safety Integrity Level)?
SIL is a classification of a product's or a Safety Function's (SIF's) ability to reduce the risk of accidents in an industrial process
The standards define four Safety Integrity Levels, SIL 1 to SIL 4, where SIL 4 is the highest safety level
Example of a SIF (Safety Instrumented Function):
Temperature control of a storage tank with steam heating
[Figure: storage tank with steam entry and steam exit, a valve, and temperature measurement by a Pt100 sensor with an IPAQ C520 transmitter]
Functional Safety
Example of a SIF (cont.)
The safety function of a sensor has two major parts:
1. To ensure a correct measured value (self-check)
2. In case of a sensor error, to transmit the error information to the safety system, e.g. the Logic solver
A SIF has three major parts: Sensor, Logic solver and Final element:
Sensor + Logic solver (e.g. PLC or DCS) + Final element (Valve)
Functional Safety
Risk Assessment
Prior to designing and calculating the safety function (SIF), the so-called SIL assessment has to be performed, i.e. the safety level (e.g. SIL 2) with which the safety function (SIF) must comply has to be determined.
In IEC 61508 the following risk graph is used for this purpose:
[Risk graph figure: from the starting point of the risk assessment, the path through the parameters S (extent of damage), A (exposure of persons), G (risk avoidance) and W (probability of occurrence, columns W1, W2, W3) leads to the required SIL. Cell entries are SIL1 to SIL4; "-" = no SIL assigned; "-*" = safety function on its own insufficient]
Extent of damage
S1: Minor injuries of a person; minor harmful influences on the environment
S2: Serious, irreversible injuries of one or more persons or death of a person; temporary major harmful influences on the environment
S3: Death of several persons; lasting major harmful influences on the environment
S4: Catastrophic effects, many dead persons
How often / how long do persons stay
A1: Seldom to once in a while
A2: Frequently to permanently
Risk avoidance
G1: Possible under special conditions
G2: Hardly possible
Probability of occurrence
W1: very low
W2: low
W3: relatively high
1. Functional Safety
2. SIL Classification
FMEDA (Failure Mode, Effect and Diagnostics Analysis)
The hardware of a given device is analyzed to evaluate its suitability for a specific application. Together with the investigation of the mechanical / electromechanical components, this allows the device's failure rates needed for SIL determination to be defined.
Basically, three parameters resulting from the FMEDA are used for SIL classification of the device:
HFT (Hardware Fault Tolerance)
SFF (Safe Failure Fraction)
PFDavg (average Probability of Failure on Demand)
SIL Classification
HFT (Hardware Fault Tolerance)
The HFT of a device indicates how many hardware faults it can tolerate before the safety function is lost:
HFT = 0: Single-channel use. A single fault may cause loss of the safety function.
HFT = 1: Redundant version. At least two hardware faults must occur at the same time to cause loss of the safety function.
For devices with proven operation (prior use) that meet further requirements, IEC 61511 allows the HFT to be credited as one higher; such a single-channel device is listed as HFT 0(1) in the SFF table.
SIL Classification
SFF (Safe Failure Fraction)
This value represents the fraction of safe device failures. An SFF of 85 % means that 85 out of 100 device failures are either safe, or dangerous but detected by the diagnostics, and therefore do not lead to loss of the safety function. The SFF is used together with the HFT to determine the safety level in which the device may be used:
SFF        HFT = 0    HFT = 1 or 0(1) ¹    HFT = 2
< 60 %     -          SIL1                 SIL2
60-90 %    SIL1       SIL2                 SIL3
90-99 %    SIL2       SIL3                 SIL4
> 99 %     SIL3       SIL4                 SIL4
¹ HFT 0(1): Single-channel device with proven operation according to IEC 61511.
SIL Classification
PFDavg (average Probability of Failure on Demand)
The PFDavg indicates the probability that a safety function (SIF) or a device fails to act on demand, averaged over a certain time interval called the Proof Test Interval, T_Proof.
E.g.: PFDavg = 3.35 x 10^-4 with T_Proof = 1 year means that, averaged over the year between two proof tests, the probability that the safety function or the device is in a failed state when a demand occurs is 0.000335.
The following table shows which PFDavg is assigned to which SIL for a complete SIF (low demand mode of operation):
PFDavg                  SIL
≥ 10^-2 … < 10^-1       SIL1
≥ 10^-3 … < 10^-2       SIL2
≥ 10^-4 … < 10^-3       SIL3
≥ 10^-5 … < 10^-4       SIL4
SIL Classification
PFDavg for the sensor part
A generally accepted distribution of the PFDavg values of a SIF assumes that 35 % of the total PFDavg is caused by the sensor part.
For a SIL 2 application the PFDavg value for the total SIF must be smaller than 10^-2, hence the maximum allowable PFDavg for the sensor part is 0.35 x 10^-2 = 3.5 x 10^-3.
Sensor (35 % of total PFDavg) + Logic solver + Final element (together 65 % of total PFDavg)
SIL Classification
SIL classification of a SIF (Safety Instrumented Function)
Sensor part: HFT = 0, SFF = 92.1 % ► SIL 2
Logic solver part: HFT = 0, SFF = 99.2 % ► SIL 3
Final element part: HFT = 0, SFF = 91 % ► SIL 2
For the SIL classification based on the SFF value, the weakest part counts!
In order to achieve SIL 2 for the SIF, the SFF values of all SIF parts have to comply with at least SIL 2.
PFDavg, SIF = PFDavg, Sensor + PFDavg, Logic solver + PFDavg, Final element
Generally accepted distribution: PFDavg, Sensor = 35 % of PFDavg, SIF
For the SIF, the PFDavg has to be less than 0.01 for SIL 2.
For the Sensor, the PFDavg has to be less than 0.0035 (35 % of 0.01) for SIL 2.
PFDavg, SIF             SIL
≥ 10^-2 … < 10^-1       SIL 1
≥ 10^-3 … < 10^-2       SIL 2
≥ 10^-4 … < 10^-3       SIL 3
≥ 10^-5 … < 10^-4       SIL 4
Result: SIL 2 classified SIF acc. to IEC 61508 / 61511, with PFDavg = 0.0049*
* Proof test interval = 1 year
SIL Classification
SIL classification of a 3-wire RTD sensor with IPAQ C520S
Result of FMEDA:
HFT (Hardware Fault Tolerance) = 0
SFF (Safe Failure Fraction) = 92.1 %
PFDavg = 2.44 x 10^-4
SIL classification based on SFF:
SFF        HFT = 0    HFT = 1    HFT = 2
< 60 %     -          SIL1       SIL2
60-90 %    SIL1       SIL2       SIL3
90-99 %    SIL2       SIL3       SIL4
> 99 %     SIL3       SIL4       SIL4
SFF = 92.1 % with HFT = 0 ► SIL 2
SIL classification based on PFD:
PFDavg = 2.44 x 10^-4 < 3.5 x 10^-3 (35 % of the PFDavg limit for a SIL 2 classified SIF) ► SIL 2
Common requirements:
CE Declaration of Conformity
Safety Manual
Product documentation
FMEDA test
Result: Declaration of conformity SIL 2 acc. to IEC 61508 / 61511
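The classification procedure of the last two slides (weakest part by SFF/HFT, summed PFDavg against the SIL table, and the 35 % sensor budget) carried out in code, as an added example: it is not from the slides and not the transmitter manufacturer's tool. The look-up tables are the ones printed on the slides. The SFF definition and the single-channel PFDavg approximation (λ_DU · T_Proof / 2) are taken from IEC 61508-2 and 61508-6, not from the slides; the PFDavg values for the logic solver and final element (4.56 x 10^-4 and 4.2 x 10^-3) are constructed so that the three parts sum to the slides' 0.0049; all function and parameter names are my own.

```python
"""SIL classification from FMEDA figures, following the procedure on the slides."""
from dataclasses import dataclass

# Architectural constraints (SFF band x HFT), as printed on the slides.
# Bands are read with an inclusive lower bound: "90-99 %" is 90 % <= SFF < 99 %.
# Tuple columns are HFT 0, 1, 2; 0 stands for the "-" cell (no SIL).
_ARCH_TABLE = (
    (0.99, (3, 4, 4)),  # > 99 %
    (0.90, (2, 3, 4)),  # 90-99 %
    (0.60, (1, 2, 3)),  # 60-90 %
    (0.00, (0, 1, 2)),  # < 60 %
)

# Low-demand PFDavg bands: a SIF with PFDavg < upper reaches at least `level`.
_PFD_BANDS = ((1e-1, 1), (1e-2, 2), (1e-3, 3), (1e-4, 4))


def sff_from_fmeda(lam_sd, lam_su, lam_dd, lam_du):
    """SFF per IEC 61508-2: (safe + dangerous-detected) / all failures.
    Rates may be in any unit (e.g. FIT); only the ratio matters.
    Assumed here; the slides quote the SFF as a finished FMEDA result."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / total


def pfd_avg_1oo1(lam_du_per_hour, t_proof_hours):
    """Simplified single-channel PFDavg from IEC 61508-6: lambda_DU * T_proof / 2
    (repair-time terms neglected). Assumed here, not given on the slides."""
    return lam_du_per_hour * t_proof_hours / 2


def sil_from_architecture(hft, sff, prior_use=False):
    """SIL allowed by HFT and SFF. prior_use=True applies the IEC 61511 credit
    from the slides (HFT 0 treated as HFT 0(1), i.e. the HFT 1 column)."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be given as a fraction between 0 and 1")
    effective_hft = min(hft + (1 if prior_use else 0), 2)
    for lower, sils in _ARCH_TABLE:
        if sff >= lower:
            return sils[effective_hft]
    return 0


def sil_from_pfd(pfd_avg):
    """SIL band for a whole SIF's PFDavg (0 = no SIL, i.e. PFDavg >= 1e-1).
    Values below 1e-5 are outside the table; they are reported as SIL 4."""
    if pfd_avg <= 0:
        raise ValueError("PFDavg must be positive")
    sil = 0
    for upper, level in _PFD_BANDS:
        if pfd_avg < upper:
            sil = level
    return sil


def sensor_pfd_budget(target_sil, share=0.35):
    """Largest PFDavg the sensor may contribute to a SIF of `target_sil`,
    given the sensor's assumed share of the SIF's PFDavg limit."""
    return share * 10.0 ** (-target_sil)


@dataclass
class Subsystem:
    name: str
    hft: int
    sff: float          # fraction: 0.921 for 92.1 %
    pfd_avg: float
    prior_use: bool = False


def classify_sif(parts):
    """SIF SIL = min(weakest architectural SIL, SIL from the summed PFDavg)."""
    arch = {p.name: sil_from_architecture(p.hft, p.sff, p.prior_use) for p in parts}
    pfd_total = sum(p.pfd_avg for p in parts)
    pfd_sil = sil_from_pfd(pfd_total)
    weakest = min(arch.values())
    return {"arch_sil": arch, "arch_sil_weakest": weakest,
            "pfd_total": pfd_total, "pfd_sil": pfd_sil,
            "sif_sil": min(weakest, pfd_sil)}


def device_suitable_for(hft, sff, pfd_avg, target_sil, share=0.35, prior_use=False):
    """Sensor check from the slides: the SFF/HFT table must allow target_sil
    and the device PFDavg must fit the sensor's share of the SIF budget."""
    return (sil_from_architecture(hft, sff, prior_use) >= target_sil
            and pfd_avg < sensor_pfd_budget(target_sil, share))


# The slides' SIF example. Only the sensor PFDavg (the C520S value, 2.44e-4)
# is given; the other two values are constructed so that the sum is 0.0049.
EXAMPLE_SIF = [
    Subsystem("sensor", hft=0, sff=0.921, pfd_avg=2.44e-4),
    Subsystem("logic solver", hft=0, sff=0.992, pfd_avg=4.56e-4),
    Subsystem("final element", hft=0, sff=0.91, pfd_avg=4.2e-3),
]

if __name__ == "__main__":
    print(classify_sif(EXAMPLE_SIF))                               # sif_sil 2
    print(device_suitable_for(0, 0.921, 2.44e-4, target_sil=2))  # True
    print(device_suitable_for(0, 0.921, 2.44e-4, target_sil=3))  # False: SFF caps it at SIL 2
```

Running it reproduces the slides' result (SIL 2 for the SIF: the sensor and final element are limited to SIL 2 by their SFF, and 0.0049 falls in the SIL 2 band). It also makes a point the slides leave implicit: the C520S's PFDavg of 2.44 x 10^-4 would fit even the sensor share of a SIL 3 budget (3.5 x 10^-4), but at HFT = 0 an SFF of 92.1 % caps the device at SIL 2; only with the IEC 61511 prior-use credit (HFT 0(1)) does the same SFF allow SIL 3.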
SIL Classification
Safety relevant characteristics of the transmitters
IPAQ R520S & C520S Temperature transmitters:
SIL 2 approved design acc. to IEC 61508
Redundant input circuit with sensor backup
Sensor drift detection
Maximum long-term drift: 0.05 % of span within 5 years
Shock resistant up to 10 g