
Functional Safety in Process Automation

Risk Reduction Through SIL Classification

IEC 61508 / 61511 International safety engineering standards


Integrated checking and functional safety of electronic control systems
Fail-safe components, plant risk reduction

Instrumentation

Conclusions from Damage in the Past


Historical Background of Effective Safety Thinking

On July 10, 1976, a chemical accident happened in the small town of Seveso, North
Italy. Highly toxic dioxin (TCDD) was released into the air, causing tremendous
damage to man and nature. The accident was caused by uncontrolled overheating,
resulting in overpressure that destroyed a safety device. The reactor had no automatic
cooling system. When the incident occurred, no skilled chemical staff was on site.
It was pure chance that the escaped quantity of toxic gas was not even higher.

Legislative measures
As a consequence of the Seveso accident, the acts, directives and regulations for the protection of man, nature and environment were tightened. In the mid-1980s the European Community adopted the so-called Seveso I Directive, which was later replaced with the Seveso II Directive (Council Directive 96/82/EC). This was a fundamental change to the legal basis regarding the control of plants with major accident hazards.

In Germany, the Act for the Protection Against Immissions (12. BImSchV), supplemented with an Incident Regulation, was adopted on April 26, 2000. The Incident Regulation refers to DIN 19250 and DIN 19251, which define requirement classes AK 0-8 for the realization of the requested measures. DIN 19250 and DIN 19251 will expire on July 31, 2004. IEC 61508 and IEC 61511 provide an adequate basis for risk assessment and certification of assessed systems to ensure compliance with the Incident Regulation in the future.

IEC 61508 / IEC 61511
Protection of man/nature
Protection of the environment
These standards define four safety integrity levels (SIL1 to SIL4) stipulating measures for the risk management of plant parts.

Parameters for Device Classification


Safety Evaluation of Process Instruments

ABB field instruments are subject to various extensive analyses and tests performed in close
co-operation with an independent body and recorded in detail. This is required to allow for
conformity assessment and determine whether or not a device complies with the SIL requirements
in accordance with IEC 61508 or IEC 61511 for a specific safety chain.

FMEDA (Failure Mode, Effect and Diagnostics Analysis)
A given hardware design is analyzed to evaluate its suitability for a specific application, e.g. by examining the hardware structure of the electronics. Together with the investigation of the mechanical / electromechanical components, this allows the device failure rates needed for SIL determination to be defined. Basically, three parameters resulting from the FMEDA are used for the SIL classification of the device:

HFT (Hardware Fault Tolerance)
The HFT of a device indicates the quality of a safety function:
HFT = 0  Single-channel use. A single fault may cause a safety loss.
HFT = 1  Redundant version. At least two hardware faults must occur at the same time to cause a safety loss.
HFT = 2  Dual redundancy version. At least three hardware faults must occur at the same time to cause a safety loss.

SFF (Safe Failure Fraction)
This value represents the fraction of safe device failures. An SFF of 79 % means e.g. that 79 out of 100 device failures do not affect the safety function of the device.
The SFF is used together with the HFT to determine the risk area in which the device may be used under consideration of these two values:

SFF        HFT = 0   HFT = 1   HFT = 2
< 60 %     -         SIL1      SIL2
60-90 %    SIL1      SIL2      SIL3
90-99 %    SIL2      SIL3      SIL4
> 99 %     SIL3      SIL4      SIL4

[Figure: the FMEDA yields the three classification parameters HFT, SFF and PFD.]


PFD (Probability of Failure on Demand)
The probability of failure on demand (PFD) is another measure for evaluating to what extent a device is suitable for use in safety-relevant plant parts. This value indicates the probability of failure referred to a given time interval.

The following table shows which probability of failure on demand is assigned to which SIL.

PFDaverage                  SIL
10^-2 <= PFDavg < 10^-1     SIL1
10^-3 <= PFDavg < 10^-2     SIL2
10^-4 <= PFDavg < 10^-3     SIL3
10^-6 <= PFDavg < 10^-4     SIL4


General Safety Evaluations
Besides the evaluations regarding the above-listed parameters, other, more general analyses of the field instruments are performed.
GAP Analysis
Verification of the development process for compliance with the requirements of IEC 61508. Especially the firmware, the product documentation and the test procedures are investigated thoroughly.
Immunity
The device is tested for immunity to external influences like EMI, environmental disturbances or RFI.

SIL Certification of a Positioner as an Example
From the Parameters to the Classified Device

SIL Device Classification (Example: ABB Positioners TZIDC/TZIDC-200)
The electronically programmable positioner TZIDC for attachment to pneumatic actuators supports various communication options.
An SFF of 85 % results from the FMEDA. As a single-channel device, the positioner TZIDC has an HFT of 0 in accordance with IEC 61508.

As the positioner TZIDC is a proven-in-field device and meets various other safety-relevant requirements, the calculable SIL value in accordance with IEC 61511 can be increased by 1 (HFT = 0). When the SFF and HFT values are entered in the relevant table, the SIL value reachable for these two values can be seen: the positioner TZIDC is suitable for use in SIL2 safety loops, as far as the HFT and SFF values are concerned.

SFF        HFT = 0
60-90 %    SIL1

In order to assist the user in selecting the appropriate devices for his safety loops, the respective Declarations of SIL Conformity are provided by ABB. The specified SIL classification always refers to the lowest SIL device, i.e. the weakest link in the chain. In the case of the positioner TZIDC this value depends on the SFF and HFT, i.e. it is SIL2. As a rule, all general safety requirements for a Declaration of SIL Conformity must be met.

[Figure: classification steps for the positioner TZIDC. 1: SFF and HFT give SIL2. 2: PFDavg gives SIL3. Result: Declaration of SIL Conformity.]

The PFDavg value of the positioner TZIDC was calculated with the FMEDA on the basis of a one-year test interval and resulted in 7.52 x 10^-4. This lies in the range 10^-4 <= PFDavg < 10^-3, i.e. SIL3.

With regard to the most important value in the safety chain, the positioner is thus suitable for use in SIL3.

Temperature sensors in conjunction with temperature transmitters are appropriate for SIL2.

Classification Overview

Process Instrument                        Type                              SIL Level
2600T-Series
Transmitter for absolute pressure*        268Nx Safety, 268Vx Safety        SIL3
Transmitter for gauge pressure*           268Hx Safety, 268Px Safety        SIL3
Transmitter for differential pressure*    268Dx Safety                      SIL3
Transmitter for absolute pressure         264Nx, 264Vx, 265Ax               SIL2
Transmitter for gauge pressure            264Hx, 264Px, 265Gx               SIL2
Transmitter for differential pressure     264Bx, 264Dx, 265Dx, 265Jx        SIL2
Multivariable transmitter                 267Cx, 269Cx                      SIL2
2000T-Series
Transmitter for absolute pressure         2010TA, 2020TA                    SIL2
Transmitter for gauge pressure            2020TG                            SIL2
Transmitter for differential pressure     2010TD                            SIL2
Multivariable transmitter                 2010TC                            SIL2
Positioner                                TZIDC                             SIL2
Positioner, ExD                           TZIDC-200                         SIL2
Option board for TZIDC                    Shutdown-Modul                    SIL2
Temperature transmitter
Head-mounted                              TH02, TH02-Ex                     SIL2
Rail-mounted                              TH102, TH102-Ex                   SIL2
Field-mounted                             TH202, TH202-Ex                   SIL2
Coriolis Mass Flowmeter                   FCM2000-MC2                       i. p.
Flowmeter (multi-variable)                267Cx, 269Cx                      SIL2

x defines different variants
* Full redundancy version for hardware and software

Plant Certification
From Certified Devices to a Safe Plant

Assessment of the Entire Safety Loop
In order to ensure safe operation of a plant, the entire safety loops have to be examined and assessed to comply with IEC 61508 or 61511, respectively. A single safety loop comprises:
Sensor/Transmitter
Control system
Actuator

Risk Assessment

Risk graph
Prior to designing and calculating the safety loop, the so-called SIL assessment has to be performed, i.e. the safety standard (e.g. SIL2) with which the safety loop must comply has to be determined. In IEC 61508 the risk graph is used for this purpose:

[Figure: risk graph. From the starting point of the risk assessment, the branches for the extent of damage (S1 to S4), the exposure of persons (A1, A2) and the possibility of risk avoidance (G1, G2) lead to a result column, which is read against the probability of occurrence (W1, W2, W3).]

Risk parameters
Extent of damages
S1: minor injuries of a person; minor harmful influences on the environment
S2: serious, irreversible injuries of one or more persons or death of a person; temporary major harmful influences on the environment
S3: death of several persons; lasting major harmful influences on the environment
S4: catastrophic effects, many dead persons
How often/long do persons stay
A1: seldom to once in a while
A2: frequently to permanently
Risk avoidance
G1: possible under special conditions
G2: hardly possible
Probability of occurrence
W1: very low
W2: low
W3: relatively high

Resulting SIL per result column of the graph, as printed:
W3 (relatively high): SIL1 SIL1 SIL2 SIL3 SIL3 SIL4 SIL4
W2 (low):             SIL1 SIL1 SIL2 SIL3 SIL3 SIL4
W1 (very low):        SIL1 SIL1 SIL2 SIL3 SIL3

The SIL assessment, i.e. the evaluation of the risk parameters, thus yields the specific SIL rating with which the respective safety loop must comply.

Plant Control during Operation
TRAC and TRAMS Documentation Software at its Finest

Safety Loop Design
Upon SIL assessment a safety loop can be designed in accordance with the calculating formulas specified in IEC 61508 / 61511. Another way to certify and design safety loops is described in the NAMUR recommendation regarding statistic evaluations. The user should agree with the local authorities which method, NAMUR recommendation or IEC 61508 / 61511, should be used.

It is important to be aware of the fact that even when exclusively SIL-classified components are used, this does not necessarily mean that the entire safety chain of the plant complies with the respective SIL rating. The PFDavg values of all components, for example, must be added up and then assessed again.

Operation of a Safety-Assessed Plant
During permanent operation of a safety-assessed plant the safety function of all safety loops must be tested on a regular basis. For this purpose, individual test routines have to be defined, executed, and logged. ABB offers special tools for this purpose:
TRAMS (TRip and Alarm Management System)
TRAC (Trip Requirement and Availability Calculator)

The TRAC Software from ABB is a special program providing a powerful MS Access database for organizing all safety loops of the plant. This tool covers all plant certification aspects from SIL assessment to safety loop design and calculation in accordance with IEC 61508. All decisions and calculating bases are recorded and archived.

The TRAMS Software from ABB is the user's assistant for the operation of a safety-assessed plant. It provides for efficient management of all test routines and the test results of all safety loops in accordance with IEC 61508. Monthly reports and statistics of the test results, relevant alarms and messages can be generated. The primary goal is to match the calculated processes with the actual plant conditions and achieve an optimum balance between the required test frequency for the safety loops and an economical and efficient production process.
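The two device look-ups (SFF/HFT table, PFDavg table) and the rule that the PFDavg values of a whole loop must be added up and assessed again, written out as an added Python example that is not part of the ABB brochure or its tools. The TZIDC figures (SFF 85 %, HFT 0, PFDavg 7.52 x 10^-4) are the ones quoted above; the transmitter and logic-solver values in the sample loop are assumptions.

```python
# Added example, not from the ABB brochure: the SFF/HFT and PFDavg look-ups
# printed above plus the "add up the PFDavg of the whole loop" rule, applied
# to the TZIDC figures and to a constructed three-device loop.

# SIL per (SFF band, HFT) from the table above; None = not usable at that HFT.
SFF_BAND_LOWER = (0.0, 60.0, 90.0, 99.0)          # < 60, 60-90, 90-99, > 99 %
SIL_FROM_SFF_HFT = ((None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))
# (SIL, lower, upper) PFDavg bands; values below the table's SIL4 limit stay SIL4.
PFD_BANDS = ((1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 0.0, 1e-4))

def sil_from_sff_hft(sff_percent, hft, proven_in_use=False):
    """SIL from SFF and HFT; proven_in_use adds the IEC 61511 prior-use credit of 1."""
    if not 0.0 <= sff_percent <= 100.0 or hft not in (0, 1, 2):
        raise ValueError("SFF must be 0-100 % and HFT 0, 1 or 2")
    band = max(i for i, lower in enumerate(SFF_BAND_LOWER) if sff_percent >= lower)
    sil = SIL_FROM_SFF_HFT[band][hft]
    if sil is None:
        return None
    return min(sil + 1, 4) if proven_in_use else sil

def sil_from_pfd(pfd_avg):
    """SIL band of a PFDavg value per the table above; None if worse than SIL1."""
    for sil, lower, upper in PFD_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return None

def loop_sil(devices):
    """devices: (name, device SIL, PFDavg). Returns (loop SIL, summed PFDavg).
    The loop is limited by its weakest device and by the summed PFDavg."""
    weakest = min(sil for _, sil, _ in devices)
    total_pfd = sum(pfd for _, _, pfd in devices)
    pfd_sil = sil_from_pfd(total_pfd)
    return (None if pfd_sil is None else min(weakest, pfd_sil)), total_pfd

# Constructed loop: transmitter and logic-solver figures are assumptions; the
# TZIDC values (SIL2, PFDavg 7.52 x 10^-4) are the ones quoted in the brochure.
EXAMPLE_LOOP = [
    ("pressure transmitter (assumed)", 2, 5.0e-4),
    ("logic solver (assumed)", 3, 1.0e-4),
    ("positioner TZIDC", 2, 7.52e-4),
]

if __name__ == "__main__":
    print("TZIDC SFF 85 %, HFT 0 -> SIL", sil_from_sff_hft(85, 0),
          "; with prior-use credit -> SIL", sil_from_sff_hft(85, 0, proven_in_use=True))
    print("TZIDC PFDavg 7.52e-4 -> SIL", sil_from_pfd(7.52e-4))
    print("loop SIL, summed PFDavg:", loop_sil(EXAMPLE_LOOP))
```

Each device in the sample loop sits in the SIL3 PFD band on its own, but the summed PFDavg of 1.352 x 10^-3 falls into the SIL2 band, which is exactly why the brochure insists on re-assessing the sum.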

ABB has Sales & Customer Support expertise in over 100 countries worldwide.

The Company's policy is one of continuous product improvement and the right is reserved to modify the information contained herein without notice.
Printed in the Fed. Rep. of Germany (03.2004)
ABB 2004

www.abb.com/instrumentation

ABB Automation Products GmbH
Borsigstrasse 2
63755 Alzenau
GERMANY
E-Mail Customer Care Center:
CCC-support.deapr@de.abb.com

3KDE010001R5001 Rev. A

The IndustrialIT wordmark and all mentioned product names in the form XXXXXXIT are registered or pending trademarks of ABB.
