IEC 61508 – IEC 61511

Presentation

Document last revised 20 May 2005

G.M. International s.r.l

Via San Fiorano, 70
20058 Villasanta (Milano)
ITALY
www.gmintsrl.com
[email protected]
 Standard Definitions
Title: Standard for Functional Safety of
Electrical / Electronic / Programmable Electronic
Safety-Related System

IEC 61511 has been developed as a

Process Sector of IEC 61508
Title: Safety Instrumented Systems for the
Process Industry
 Standard History

The IEC 61508 was conceived to define and harmonize a

method to reduce risks of human and/or valuable harms in
all environments.

The IEC 61508 integrates and extends

American Standard ISA-S84.01 (1996)
and German DIN 19250 (1994).
Standard Requirements
 Other related standards
• DIN 19250 (1994)
Title: “Fundamental Safety aspects to be considered for measuring
and control equipment”
Deals with Quantitative Risk Analysis used for Part 5 of IEC 61508,
classification in AK classes 1-8 similar to SIL levels

• ISA-S84.01 (1996)
Title: “Application of Safety Instrumented Systems (SIS) for the
process industry”
Defines Safety Lifecycles assuming Risk analysis and SIL been
carried out.
 Fundamental Concepts
• Risk Reduction and Risk Reduction Factor (RRF)
• Safety Integrity Level (SIL)
• Independence Levels and consequences
• Probability of Failure on Demand (PFD)
• Reliability
• Availability
• Failure Rate (λ)
• Proof Test Interval between two proof tests (T[Proof])
• Failure In Time (FIT)
• Mean Time To Failure (MTTF)
• Mean Time Between Failure (MTBF)
• Mean Time To Repair (MTTR)
• Safe Failure Fraction (SFF)
• Safety Lifecycle
• Safety Instrumented System (SIS)
 Fundamental Concepts

Risk Reduction
As Low As Reasonably Practicable or Tollerable Risk
(ALARP ZONE)
 Fundamental Concepts

Risk Reduction
 Fundamental Concepts

Safety Integrity Level (SIL)

• SIL levels (Safety Integrity Level)
• RRF (Risk Reduction Factor)
• PFD avg (Average Probability of Failure on Demand)

SIL Table for Demand and Continuous mode of Operation

 Fundamental Concepts

Independence Levels
Assessement Independence Level
as a function of consequences
 Fundamental Concepts

PFDavg / RRF
Correlation between
Probability of Failure on Demand
and
Risk Reduction Factor
 Fundamental Concepts

Reliability
• Reliability is a function of operating time.
• All reliability functions start from reliability one and decrease to reliability
zero. The device must be successful for an entire time interval.
• The statement: “Reliability = 0.76 for a time of 100.000 hs” makes perfect
sense.

R(t) = P(T>t)
 Fundamental Concepts

Reliability
Reliability is the probability that a device will perform its
intended function when required to do so,
if operated within its specified design limits.

– The device “intended function” must be known.

– “When the device is required to function” must be judged.
– “Satisfactory performance” must be determined.
– The “specified design limits” must be known.

Mathematically reliability is the probability that a device

will be successful in the time interval from zero to t
in term of a random variable T.
 Fundamental Concepts

Availability
• Availability is the probability that a device is successful at
time t.
• No time interval is involved.
• A device is available if it’s operating.
• The measure of success is MTTF (Mean Time To Failure)
 Fundamental Concepts

MTTF
MTTF is an indication of the average successful
operating time of a device (system) before a
failure in any mode.

• MTBF (Mean Time Between Failures)

• MTBF = MTTF + MTTR
• MTTF = MTBF - MTTR
• MTTR (Mean Time To Repair)
• Since (MTBF >> MTTR) MTBF is very near to
MTTF in value.
 Fundamental Concepts

MTBF and Failure Rate

Relation between MTBF and Failure Rate λ

Failure per unit time 1

λ = ----------------------------- = ------------
Quantity Exposed MTBF

1 Quantity Exposed
MTBF = ------ = ----------------------------
λ Failure per unit time
 Fundamental Concepts

MTBF - Example
• Instantaneous failure rate is commonly used as measure of
reliability.

• Eg. 300 Isolators have been operating for 10 years. 3 failures have
occurred. The average failure rate of the isolators is:

Failure per unit time 3

λ = ------------------------------- = ----------------- =
Quantity Exposed 300*10*8760

= 0.000000038 per hour =

= 38 FIT (Failure per billion hours) =
= 38 probabilities of failure in one billion hours.

• MTBF = 1 / λ = 303 years (for constant failure rate)

 Fundamental Concepts

Failure Rate Categories

λ tot = λ safe + λ dangerous
λ s = λ sd + λ su
λ d = λ dd + λ du
λ tot = λ sd + λ su + λ dd + λ du

Where:
sd = Safe detected
su = Safe undetected
dd = Dangerous detected
du = Dangerous undetected
 Fundamental Concepts

FIT
Failure In Time is the number of failures per
one billion devices hours.

1 FIT = 1 Failure in 109 hours =

= 10-9 Failures per hour
 Fundamental Concepts

SFF (Safe Failure Fraction)

SFF summarizes the fraction of failures,
which lead to a safe state and the fraction of failure
which will be detected by diagnostic measure
and lead to a defined safety action
 Fundamental Concepts

Type A SFF Chart

Type A components are described as simple devices with
well-known failure modes and a solid history of operation
 Fundamental Concepts

Type B SFF Chart

Type B: “Complex” component (using micro controllers or
programmable logic); according 7.4.3.1.3 of IEC 61508-2
 Fundamental Concepts

HSE Study
Results of system failure cause study done by English
“Health and Safety Executive” (HSE)
 Fundamental Concepts

Safety Lifecycle Origin

 Fundamental Concepts

Safety Lifecycle 1/5

 Fundamental Concepts

Safety Lifecycle 2/5

First portion of the overall safety lifecycle
ANALYSIS (End user / Consultant)
 Fundamental Concepts

Safety Lifecycle 3/5

Realisation activities in the overall safety lifecycle
 Fundamental Concepts

Safety Lifecycle 4/5

Safety lifecycle for the E/E/PES
(Electrical / Electronic / Programmable Electronic)
Safety - Related System (IEC 61508, Part 2)
 Fundamental Concepts

Safety Lifecycle 5/5

Last portion of the overall safety lifecycle
OPERATION (End User / Contractor)
 Fundamental Concepts

SIS
SIS (Safety Instrumented System)
according to IEC 61508 and IEC 61511
 IEC 61511
Safety Instrumented Systems
for Process Industry
• IEC 61511 has been developed as a Process Sector implementation
of the IEC 61508.
• The Safety Lifecycle forms the central framework which links together
most of the concepts in this standard, and evaluates process risks
and SIS performance requirements (availability and risk reduction).
• Layers of protection are designed and analysed.
• A SIS, if needed, is optimally designed to meet particular process
risk.
 IEC 61511

Process sector system standard

 IEC 61511

IEC 61511 Parts

The Standard is divided into three Parts

• Part 1: Framework, Definitions, Systems, Hardware and

Software Requirements
• Part 2: Guidelines in the application of IEC 61511-1
• Part 3: Guidelines in the application of hazard and risk
analysis
 IEC 61511

IEC 61511 Part 3

Guidelines in the application of hazard and risk analysis

 FMEDA
Failure Modes and Effects Diagnostic Analysis (FMEDA)
Is one of the steps taken to achieve functional safety assessement of a
device per IEC 61508 and is considered to be a systematic way to:

• identify and evaluate the effects of each potential component failure

mode;
• classify failure severity;
• determine what could eliminate or reduce the chance of failure;
• document the system (or sub-system) under analysis.
 FMEDA
The following assumptions are usually made during the FMEDA

• Constant Failure Rates (wear out mechanisms not included)

• Propagation of failures is not relevant
• Repair Time = 8 hours
• Stress levels according IEC 60654-1, Class C (sheltered location),
with temperature limits within the manufacturer’s rating and an
average temperature over a long period of time of 40°C
FMEDA
 1oo1 Architecture

PFDavg (T1) = λdd * RT + λdu * T1/2

because RT (avg. repair time) is << T1

PFDavg = λdu * T1/2

λdu = λdu (sensor) + λdu(isolator) + λdu(controller) + λdu(final element)

SIL level is the lowest in the loop.

 1oo2 Architecture

PFDavg = λduc * (T1/2) + λddc * RT+(λddn* RT)2 + (λddn* RT * λdun* T1)2/2 + (λdun* T1)2 /3

PFDavg = (λdun* T1)2/2 + (λdun* T1)2 /3

 2oo3 Architecture

PFDavg = λduc * (T1/2) + 3[λddc * RT+(λddn* RT)2 + (λddn* RT * λdun* T1)2/2 + (λdun* T1)2 /3]
 SIL3 using SIL2 subsystem
SIL3 Control Loop or Safety Function using
SIL2 SubSystems in 1oo2 Architecture
 Safety Manual
A Safety Manual is a document provided to users of a
product that specifies their responsabilities for installation
and operation in order to maintain the design safety level.

The following information shall be available for each safety-

related sub-system ..
 Safety Manual Requirements
• Functional specification and safety function
• Estimated rate of failure in any mode which would cause both
undetected and detected safety function dangerous failures
• Environment and lifetime limits for the sub-system
• Periodic Proof Tests and/or maintainance requirements
• T proof test time interval
• Information necessary for PFDavg, MTTR, MTBF, SFF, λdu, λtotal
• Hardware fault tolerance and failure categories
• Highest SIL that can be claimed (not required for proven in use
sub-systems)
• Documentary evidence for sub-system’s validation (EXIDA)
• Proof Test Procedures to reveal dangerous faults which are
undetected by diagnostic tests.
 Using the Safety Manual

Standard references
Remembering that:

• SIL (Safety Integrity Level)

• RRF (Risk Reduction Factor)
• PFD avg (Average Probability of Failure on Demand)

SIL Table for operative modes “high” and “low” demand

 Using the Safety Manual

Standard references
Remembring definitions given for type “A” and “B” components,
sub-systems, and related SFF values
 Using the Safety Manual

Loop PFDavg calculation

1oo1 typical control loop

PFDavg(sys) = PFDavg(tx) + PFDavg(i) + PFDavg(c) + PFDavg(fe)

 Using the Safety Manual

Loop PFDavg calculation

For calculating the entire loop’s reliability (Loop PFDavg), PFDavg values
for each sub-systems must first be found and be given a proportional
value (“weight”) compared to the total 100%.
This duty is usually assigned to personnel in charge of plant’s safety,
process and maintainance.
 Using the Safety Manual

Loop PFDavg calculation

Equation for 1oo1 loop

Where:

RT = repair time in hours (conventionally 8 hours)

T1 = T proof test, time between circuit functional tests (1-5-10 years)

λdd = failure rate for detected dangerous failures

λdu = failure rate for undetected dangerous failures
 Using the Safety Manual

Loop PFDavg calculation

If T1 = 1 year then

but being λdd * 8 far smaller than λdu * 4380

 Using the Safety Manual

Example 1
PFDavg = λdu * T1/2

For D1014 λdu is equal to 34 FIT (see manual)

Therefore

PFDavg = 34 * 10-9 * 4380 =

= 0,000148920 = 148920 FIT
 Using the Safety Manual

Example 2
“Weights” of each sub-system in the loop must be verified in relation
with expected SIL level PFDavg and data from the device’s safety
manual.
For example, supposing SIL 2 level to be
achieved by the loop on the right in a low
demand mode:

• PFDavg(sys) is between 10-3 and 10-2 per year

• “Weight” of D1014 Isolator is 10%

Therefore PFDavg(i) should be between 10-4 and 10-3 per year.

 Using the Safety Manual

Example 2

Given the table above (in the safety manual) conclusions are:

8. Being D1014 a type A component with SFF = 90%, it can be used

both in SIL 2 and SIL 3 applications.
9. PFDavg with T proof = 1yr allows SIL3 applications
10.PFDavg with T proof = 5yr allows SIL2 applications
11.PFDavg with T proof = 10yr allows SIL1 applications
 Using the Safety Manual

1oo2 architecture

What happens if the total PFDavg does not reach the

wanted SIL 2 level, or the end user requires to reach a
higher SIL 3 level?

The solution is to use a 1oo2 architecture which offers very

low PFDavg, thus increasing fail-safe failure probabilites.
 Using the Safety Manual

1oo2 architecture
For D1014S (1oo1):

PFDavg = λdu* T1/2

PFDavg = 148920 FIT

For D1014D (1oo2):

PFDavg = (λdun* T1)2/2 + (λdun* T1)2 /3

PFDavg = 75 FIT

In this case a 1oo2 architecture gives a 2000

times smaller PFDavg for the sub-system
 Using the Safety Manual

Final considerations
• Always check that the Safety Manual contains information necessary for the
calculation of SFF and PFDavg values.
• Between alternative suppliers, choose the one that offers:
• highest SIL level,
• highest SFF value,
• longest T[proof] time interval for the same SIL level,
• lowest value of PFDavg for the same T[proof].
• When in presence of units with more than one channel and only one power
supply circuit, the safety function allows the use of only one channel. Using
both of the channels is allowed only when supply is given by two
independent power circuits (like D1014D).
• Check that the Safety Manual provides all proof tests procedures to detect
dangerous undetected faults.
 Credits and Contacts

G.M. International s.r.l TR Automatyka Sp. z o.o.

Via San Fiorano, 70 ul. Lechicka 14
20058 Villasanta (Milan) 02-156 Warszawa
ITALY POLAND
www.gmintsrl.com www.trautomatyka.pl
[email protected] [email protected]

Document last revised 20 May 2005