Introduction To IEC61508 and Functional Safety ABB

The document discusses IEC61508, an international functional safety standard. It covers the standard's key aspects like safety lifecycles, risk assessment, safety integrity levels, and requirements for electrical, electronic and programmable electronic safety systems.

Uploaded by motasem omoush
© All Rights Reserved

ABB Consulting

Introduction to IEC61508 and Functional Safety

© ABB Group
July 31, 2014 | Slide 1
Why have Functional Safety Systems?

To prevent risk to people, environment and business.

HOW?
- By good safety and quality management systems
- Design to standards / best practices
- Using competent resources to deliver

WHAT HAPPENS IF THESE GO WRONG?


Have You Been Asked This?

‘Regulator’: “How can you demonstrate that you are safe?”


Safety Issues for End User / Operators

- How do you demonstrate that your operations are ‘safe’?
- How do you demonstrate that your equipment is ‘safe’?
- How do you demonstrate that your safety and protective systems protect against your hazards?

You can answer these questions by demonstrating compliance with Industry Safety Standards.

IEC61508 - Functional safety of electrical / electronic / programmable electronic safety-related systems
What is IEC61508?

- An international standard relating to the Functional Safety of electrical / electronic / programmable electronic safety-related systems
- Mainly concerned with E/E/PE safety-related systems whose failure could have an impact on the safety of persons and/or the environment
- Could also be used to specify any E/E/PE system used for the protection of equipment or product
- It is an industry best practice standard to enable you to reduce the risk of a hazardous event to a tolerable level
Features of IEC61508

- Generic standard which may be applied by all sector variants (machinery, process plant, medical, rail)
- International standard - end users and suppliers operate internationally
- Guidance on use of Electrical, Electronic and Programmable Electronic Systems which perform safety functions
- Comprehensive approach involving concepts of the Safety Lifecycle and all elements of the protective system
- Risk-based approach leading to determination of Safety Integrity Levels (SILs) - measures proportionate to the risk reduction required
- Considers the entire Safety Critical Loop
- Aims to facilitate improvements in both safety and economic performance through effective use of PES technology
Overall Safety Lifecycle in IEC 61508

1 Concept
2 Overall Scope Definition
3 Hazard Risk Analysis
4 Overall Safety Requirements
5 Safety Requirements Allocation

Overall Planning:
  6 Overall Operational and Maintenance Planning
  7 Overall Validation Planning
  8 Overall Installation and Commissioning Planning

Realisation:
  9 Safety Related Systems: E/E/PES Realisation
  10 Safety Related Systems: Other Technology Realisation
  11 External Risk Reduction Facilities Realisation

12 Overall Installation and Commissioning
13 Overall Safety Validation
14 Overall Operation and Maintenance
15 Overall Modification and Retrofit (back to the appropriate overall safety lifecycle phase)
16 Decommissioning
Why this lifecycle?

- Maps directly to the normal work pattern of the project in a ‘cradle-to-grave’ process
- Maps directly to the asset life cycle
- Seen by the Regulatory Authorities as industry best practice
- Can be used in any business, any sector
- Applies to all aspects of the end user supply chain relationship
- Will be used to demonstrate regulatory compliance
- Generates efficiencies in ‘cost of safety’
- Common terminology
- Defined document / responsibility interfaces throughout the supply chain
- Common practices
Summary of the Key Messages in IEC 61508

Safety Management System
- Life cycle
- Planning
- Assessing compliance
- Supply chain

Technical Requirements
- Choice of technologies
- Assessment of risk
- Specifications of function & integrity level

Competencies
- Roles & responsibilities
- Skills & training
Benefits of a Safety Management System

- A defensible method of managing risks
- Coherent approach to the whole subject
- Facilitates specification, design and purchase
- Allows self regulation

What is Risk?

- The probable rate of occurrence of a hazard causing harm
  AND
- the degree of severity of the harm

- Qualitatively - words
- Quantitatively - figures
Risk and Determination of Safety Integrity Levels

[Chart: risk matrix with axes Increasing Likelihood and Increasing Severity; regions labelled No Protection, Basic Design and Unacceptable.]
Levels of Risk and ALARP

Unacceptable Risk: risk cannot be justified except in extraordinary circumstances.

The ALARP or Tolerability Region (risk is undertaken only if a benefit is desired): tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained. As risk is reduced, there is a proportional decrease in the cost of further reduction; this concept of diminishing proportion is represented by the triangle.

Broadly acceptable risk: necessary to maintain assurance that risk remains at this level (no need for detailed working to demonstrate ALARP).

Negligible risk.
Risk reduction: General concepts

Along the axis of increasing risk: actual risk remaining < risk to meet level of safety < plant under control risk.

- Necessary minimum risk reduction: from the plant under control risk down to the risk to meet the level of safety
- Actual risk reduction: from the plant under control risk down to the actual risk remaining

The actual risk reduction is made up of:
- partial risk covered by other technology safety-related systems
- partial risk covered by E/E/PES safety-related systems
- partial risk covered by External Risk Reduction Facilities

Risk reduction achieved by all protective systems and external risk reduction facilities.
Technologies Under Consideration

- Electrical
  - Electro-mechanical / relays / interlocks
- Electronic
  - Solid state electronics
- Programmable Electronic Systems
  - Programmable Logic Controllers (PLCs)
  - Microprocessor based systems
  - Distributed Control Systems
  - Other computer based devices (“smart” sensors / transmitters / actuators)
Extent of an E/E/PE safety-related system

[Diagram: Equipment Under Control, with the safety-related loop SENSOR -> PE -> ACTUATOR; PE = Programmable Element]
Example method of calculating a Target Safety Integrity Level

- Hazard studies and HAZOPs
- Evaluate possible consequences
- Establish tolerable frequencies vs ALARP
- Build event chain
- Estimate demand rates
- Define protection required
- Specify required Safety Integrity Level


Risk Reduction Requirements

Safety Integrity Level   Risk Reduction
SIL 1                    10 - 100
SIL 2                    100 - 1,000
SIL 3                    1,000 - 10,000
SIL 4                    10,000 - 100,000
Reliability, Failure Rate and Availability at each level

Level   Reliability        Probability of failure on demand   Trip Unavailable (per year)
SIL 1   90% - 99%          0.1 to 0.01                        876 to 87.6 hrs
SIL 2   99% - 99.9%        0.01 to 0.001                      87.6 to 8.76 hrs
SIL 3   99.9% - 99.99%     0.001 to 0.0001                    8.76 hrs to 52.6 mins
SIL 4   99.99% - 99.999%   0.0001 to 0.00001                  52.6 mins to 5.3 mins
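The following is an added worked example, not part of ABB's slides, that carries the "Example method of calculating a Target Safety Integrity Level" steps through in code using the two tables above and the layered risk-reduction picture from "Risk reduction: General concepts". It assumes the protective layers fail independently (so their probabilities of failure on demand multiply) and that the risk reduction factor (RRF) is the reciprocal of the probability of failure on demand; the demand rate, tolerable frequency and layer PFDs are constructed values chosen for illustration.

```python
"""Added example: Target SIL for the E/E/PES layer from a demand rate, a tolerable
frequency and the credit taken for other protective layers. The SIL bands are the
ones tabulated in the slides; the scenario numbers are constructed."""

HOURS_PER_YEAR = 8760  # 365 days x 24 h, the basis of the "Trip Unavailable" column

# Risk reduction factor bands per SIL, as in the "Risk Reduction Requirements" table.
# RRF = 1 / PFDavg, so SIL 1 is PFD 0.1..0.01, SIL 2 is 0.01..0.001, and so on.
SIL_RRF_BANDS = [
    (1, 10, 100),
    (2, 100, 1_000),
    (3, 1_000, 10_000),
    (4, 10_000, 100_000),
]


def required_rrf(demand_rate_per_year, tolerable_frequency_per_year):
    """Total risk reduction needed so the hazardous event occurs no more often than
    the tolerable frequency: unprotected demand rate / tolerable frequency."""
    if demand_rate_per_year <= 0 or tolerable_frequency_per_year <= 0:
        raise ValueError("rates must be positive")
    return demand_rate_per_year / tolerable_frequency_per_year


def sil_for_rrf(rrf):
    """Map a risk reduction factor to a SIL using the slides' table.
    Returns 0 when less than a factor of 10 is needed (no SIL-rated function).
    Raises when the need exceeds the SIL 4 band: the slides say SIL 4 should never
    be required in the process industry, so the design concept itself should change."""
    if rrf < 10:
        return 0
    for sil, low, high in SIL_RRF_BANDS:
        if low <= rrf < high:
            return sil
    raise ValueError(f"RRF {rrf:.0f} exceeds the SIL 4 band; reconsider the design concept")


def pes_rrf_after_other_layers(total_rrf, other_layer_pfds):
    """Risk reduction the E/E/PES must still deliver once the other layers (other
    technology safety-related systems, external risk reduction facilities) are credited.
    Assumption: layers fail independently, so PFDs multiply:
        total_pfd = pes_pfd * prod(other_pfds)  =>  pes_rrf = total_rrf * prod(other_pfds)"""
    remaining = total_rrf
    for pfd in other_layer_pfds:
        if not 0 < pfd <= 1:
            raise ValueError("a PFD must be a probability in (0, 1]")
        remaining *= pfd
    return remaining


def unavailable_hours_per_year(pfd):
    """The slides' 'Trip Unavailable (per year)' column: PFDavg x 8760 h."""
    return pfd * HOURS_PER_YEAR


def target_sil_worked_example():
    """Constructed scenario: a hazard with a demand once per 10 years, a tolerable
    frequency of harm of 2e-5 per year, and two credited non-PES layers, a relief
    valve (PFD 0.1) and operator response to an alarm (PFD 0.1)."""
    total = required_rrf(0.1, 2e-5)                       # 5000 overall
    pes = pes_rrf_after_other_layers(total, [0.1, 0.1])   # 5000 * 0.01 = 50
    sil = sil_for_rrf(pes)                                # SIL 1
    pfd_target = 1 / pes                                  # 0.02
    return {
        "total_rrf": total,
        "pes_rrf": pes,
        "target_sil": sil,
        "pes_pfd_target": pfd_target,
        "max_unavailable_hours": unavailable_hours_per_year(pfd_target),
    }


if __name__ == "__main__":
    for key, value in target_sil_worked_example().items():
        print(f"{key:>22}: {value}")
```

The point worth noticing is how much the credited layers move the answer: a total requirement of 5000 would put a single layer in SIL 3, yet with two independent layers each taken at PFD 0.1, the E/E/PES contribution needed is only 50, i.e. SIL 1. That credit is only valid if the independence assumption holds, which is exactly why the slides stress common-cause failures at SIL 2 and above.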


Protective System Technology

SIL 1: Standard components, single channel or twin non-diverse channels.
SIL 2: Standard components, 1 out of 2 or 2 out of 3, possible need for some diversity. Allowance for common-cause failures needed.
SIL 3: Multiple channels with diversity on sensing and actuation. Common-cause failures a major consideration. Should rarely be required in the process industry.
SIL 4: Specialist design. Should never be required in the Process Industry.


Protective System Design, Test and Maintenance Requirements

SIL 1: Relatively inexpensive to design, build and maintain. Test interval unlikely to be less than 3 months.
SIL 2: Moderately expensive to design, build and maintain. Test interval unlikely to be more than 3 months.
SIL 3: Expensive to design, build and maintain. Test interval likely to be 1 month.
SIL 4: Extremely expensive to design, build and maintain. Test interval as for SIL 3 (diminishing returns below 1 month).
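The two tables above tie the achievable SIL to the voting architecture, the common-cause allowance and the proof-test interval. The following added example (not from ABB's slides) shows that interaction numerically, using the simplified closed-form PFDavg approximations for 1oo1, 1oo2 and 2oo3 voting with a beta-factor common-cause model. Those formulas, the dangerous-undetected failure rate lambda_DU, the beta value and the 730 h/month rounding are assumptions of this example, not figures from the slides; they hold only while lambda_DU x T is small and the repair time is negligible.

```python
"""Added example: PFDavg of 1oo1, 1oo2 and 2oo3 channel groups versus proof-test
interval, mapped to the slides' SIL bands. Simplified approximations with a
beta-factor common-cause term; all numeric inputs are constructed."""

HOURS_PER_MONTH = 730.0  # 8760 h / 12, constructed rounding used for the table


def pfd_avg(architecture, lambda_du_per_hour, test_interval_hours, beta=0.0):
    """Average probability of failure on demand for one channel group.

    x = lambda_DU * T is the expected number of dangerous undetected failures per
    proof-test interval. Simplified closed forms (valid while x << 1, repair ignored):
      1oo1: x/2
      1oo2: x^2/3 + beta*x/2   (beta = fraction of failures that are common cause)
      2oo3: x^2   + beta*x/2
    The beta term is identical for both redundant schemes: redundancy cannot remove a
    failure that hits every channel at once, which is why the slides require an
    allowance for common-cause failures from SIL 2 upward."""
    if lambda_du_per_hour <= 0 or test_interval_hours <= 0:
        raise ValueError("failure rate and test interval must be positive")
    if not 0.0 <= beta < 1.0:
        raise ValueError("beta is a fraction in [0, 1)")
    x = lambda_du_per_hour * test_interval_hours
    if x >= 0.1:
        raise ValueError("lambda_DU * T too large for the simplified formulas")
    if architecture == "1oo1":
        return x / 2
    if architecture == "1oo2":
        return x * x / 3 + beta * x / 2
    if architecture == "2oo3":
        return x * x + beta * x / 2
    raise ValueError(f"unsupported architecture {architecture!r}")


def sil_for_pfd(pfd):
    """SIL band for a PFDavg per the slides' table (0 = below SIL 1)."""
    if pfd >= 0.1:
        return 0
    if pfd >= 0.01:
        return 1
    if pfd >= 0.001:
        return 2
    if pfd >= 0.0001:
        return 3
    return 4  # SIL 4 is the highest band the standard defines


def sil_by_test_interval(architecture, lambda_du_per_hour, beta, interval_months):
    """For each proof-test interval (months) return (PFDavg, SIL), so the
    cost-versus-test-interval trade-off in the slides can be read off for a design."""
    table = {}
    for months in interval_months:
        pfd = pfd_avg(architecture, lambda_du_per_hour, months * HOURS_PER_MONTH, beta)
        table[months] = (pfd, sil_for_pfd(pfd))
    return table


if __name__ == "__main__":
    # Constructed: one dangerous undetected failure per ~114 years per channel,
    # and 10% of failures common cause for the redundant architectures.
    LAMBDA_DU = 1e-6
    for arch, beta in (("1oo1", 0.0), ("1oo2", 0.1), ("2oo3", 0.1)):
        print(f"{arch} (beta={beta:.2f})")
        for months, (pfd, sil) in sil_by_test_interval(arch, LAMBDA_DU, beta, (12, 3, 1)).items():
            print(f"  test every {months:2d} months: PFDavg={pfd:.2e} -> SIL {sil}")
```

With these constructed inputs a single channel tested yearly sits in SIL 2 and needs roughly monthly testing to reach SIL 3, while 1oo2 reaches SIL 3 at a yearly test only because the common-cause term, not the random-failure term, dominates its PFDavg; setting beta to zero would wrongly put the same 1oo2 group in SIL 4. Redundancy can never take the PFDavg below beta x/2, which is the quantitative reason the SIL 3 row asks for diversity on sensing and actuation rather than just more channels.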
IEC 61508 - ownership of phases

PRE-DESIGN (Phases 1 to 5): End user / operator
DESIGN AND INSTALLATION (Phases 6 to 13): Engineering Contractors / Equipment Supplier
OPERATION (Phases 14 to 16): End user / operator
Pre-Design: Phases 1 - 5

1 Concept
2 Overall Scope Definition
3 Hazard Risk Analysis
  -> Can you demonstrate that you have identified all your hazards?
4 Overall Safety Requirements
5 Safety Requirements Allocation
  -> Can you demonstrate that you are using adequate and correct methods of hazard protection?
Design & Implementation : Phases 6 - 13

How do you ensure competencies for all these activities?

Overall Planning:
  6 Overall Operational and Maintenance Planning
  7 Overall Validation Planning
  8 Overall Installation and Commissioning Planning
  -> Can you demonstrate that you pass the necessary information into these activities?

Realisation:
  9 Safety Related Systems: E/E/PES Realisation
  10 Safety Related Systems: Other Technology Realisation
  11 External Risk Reduction Facilities Realisation

12 Overall Installation and Commissioning
13 Overall Safety Validation
  -> Can you demonstrate that all necessary information has been passed to you from these activities?
Operation : Phases 14 - 16

14 Overall Operation and Maintenance
  -> Can you demonstrate that you maintain / test / analyse your protective systems correctly?
15 Overall Modification and Retrofit
  -> Can you demonstrate that you are in control of your modification process?
16 Decommissioning
IEC 61508 - Three Phases for Protective Functions

PRE-DESIGN (Phases 1 to 5), End user / operator: Set the Target SIL
DESIGN AND INSTALLATION (Phases 6 to 13), Engineering Contractors / Equipment Supplier: Designed SIL
OPERATION (Phases 14 to 16), End user / operator: Demonstrate Achieved = Design = Target
IEC 61508 Responsibilities: End Users / Operators

- Functional Safety Specification Requirements
  - Contribution from all Safety Function Technologies and Risk Reduction Methods
  - Target SIL for the E/E/PES contribution
- Overall Responsibility for the Management of Functional Safety
- Functional Safety Plan at the outset of the work - identification of Functional Safety Assessments for the project duration
- Overall Validation and Verification
- Commissioning and acceptance
- Operations and Maintenance
- Modification and Retrofit
