
PROCESS AUTOMATION

IEC 61508/61511 SAFETY INTEGRITY LEVEL

REDUCING SAFETY RISKS

Process technology systems incorporate risks. These risks are determined by the type of processes involved and the materials used, along with the system's surroundings. Automated systems can reduce these risks. Functional safety of field instrumentation and of control and monitoring systems must be ensured through adequate measures for the prevention, identification and control of faults.
ANALYSIS
The risk potential relating to a process technology system is determined in accordance with IEC 61511. A risk reduction must be implemented that is appropriate to the particular risk involved. If this risk reduction is achieved through electric/electronic automation technology, the components used must meet the requirements of IEC 61508 or IEC 61511. Both standards divide systems and risk-reducing measures into safety levels ranging from SIL 1 (low risk) to SIL 4 (extreme risk) according to IEC 61508. IEC 61511 (the process technology sector standard) is limited to SIL 3.
RISK GRAPH (CONFORMING WITH IEC 61508)

[Figure: risk graph leading from the four parameters S, A, G and W to the required SIL]

Extent of damage (S):
S1 Injury of a person, insignificant environmental damage
S2 Severe, irreversible injury of one or more persons, death of a person, severe or temporary environmental damage
S3 Death of several persons, severe, permanent environmental damage
S4 Death of a large number of persons

Presence in hazardous area (A):
A1 Seldom to often
A2 Frequently to continuously

Avoidance of danger (G):
G1 Possible under certain circumstances
G2 Practically impossible

Probability of an undesired situation arising (W):
W1 Very slight
W2 Slight
W3 Relatively high

SIL 1 TO SIL 4
All organisational and technical risk reduction measures act as a counterweight to the risk potential. The values SIL 1 to SIL 4 (SIL = Safety Integrity Level) are derived from the risk analysis. The greater the risk, the more reliable the risk reduction measures must be and, consequently, the greater the reliability the components used must exhibit.

Characteristic values used throughout this document:

HFT = hardware fault tolerance (loop structure)
SFF = proportion of safe faults or safe failures (safe failure fraction)
PFD = failure probability in the event of a request occurring (probability of failure on demand)
Tproof = test interval for the entire safety system


Hardware fault tolerance stands for the maximum number of hardware faults which will not lead to a dangerous failure. A hardware fault tolerance of zero means that a single fault can cause loss of the safety function.

IEC 61508 requires a minimum degree of hardware fault tolerance (HFT) relative to the safe failure fraction (SFF); see the table below. The SFF of Pepperl+Fuchs devices achieves the range 60 % ... 90 %, with solenoid drivers reaching up to 100 %. This is why solenoid drivers also achieve SIL 3 in a 1oo1 loop structure.

Maximum permissible SIL relative to the fault tolerance and the proportion of safe failures (in compliance with IEC 61508-2) for Type A sub-systems (non-complex sub-systems):

HFT (hardware fault tolerance)   SFF < 60 %   SFF 60 % ... < 90 %   SFF 90 % ... < 99 %   SFF > 99 %
0                                SIL 1        SIL 2                 SIL 3                 SIL 3
1                                SIL 2        SIL 3                 SIL 4                 SIL 4
2                                SIL 3        SIL 4                 SIL 4                 SIL 4

The SFF (Safe Failure Fraction) is the proportion of failures which do not endanger the safety function (consisting of SD and SU). Dangerous failures must also be considered; those which are detected by the system's diagnostics (DD) are identified and thus taken into account. The only failures detrimental to the safety function are the dangerous failures which are not detected by the system (DU).

Failure categories:
SD = Safe Detected
SU = Safe Undetected
DD = Dangerous Detected
DU = Dangerous Undetected
LOOP STRUCTURE AND ORGANISATIONAL MEASURES

FAILURE DISTRIBUTION IN CONTROL CIRCUIT:

The PFD value (Probability of Failure on Demand) is the probability of failure of a unit as a component part of a complete safety system in low demand mode.

[Figure: failure distribution in the control circuit: 35 % sensor system and signal path (of which 10 % signal path), 15 % Safety PLC, 50 % actuator and signal path (of which 10 % signal path)]

The PFD value for the complete safety-related function is derived from the values of the individual components. Sensor and actuator are fitted in the field, exposing them to physical stress factors (process medium, pressure, temperature, vibration, etc.). The risk of failure associated with these components is thus relatively high. 25 % of the entire PFD should therefore be reserved for the sensor and 40 % for the actuator. 15 % remains for the fail-safe control and 10 % for each of the interface modules (interface modules and the control system have no contact with the process medium and are located in protected switch rooms).

ORGANISATIONAL MEASURES:
In the field of process automation a safety system is usually in low demand mode. This corresponds to one demand per year. The most important organisational measure is therefore a regular function test conducted on the complete safety system. This test verifies the function of the entire safety system, including its mechanical components. The shorter the interval between tests, the greater the probability that the safety system will function correctly when a demand occurs.
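The following script is an added worked example, not code from the Pepperl+Fuchs brochure, showing how the characteristic values introduced above (HFT, SFF, PFD, Tproof) combine into a SIL claim for a 1oo1 loop in low demand mode. The Type A architectural-constraint table and the PFD budget (25 % sensor, 40 % actuator, 15 % safety PLC, 10 % per interface module) are taken from this page; the PFD formula is the simplified IEC 61508-6 expression PFDavg = λDU × Tproof / 2; all failure rates and component PFDs are constructed illustrative numbers, and function names are the example's own.

```python
# Added example (not from the brochure): SFF, architectural constraint,
# PFD versus Tproof and the loop PFD budget for a 1oo1 low-demand loop.
# Failure rates and component PFDs below are constructed, not device data.

HOURS_PER_YEAR = 8760.0

# Maximum SIL for Type A sub-systems (IEC 61508-2), as tabulated on the page.
# Row = HFT (0, 1, 2); column = SFF band (<60, 60-<90, 90-<99, >=99 %).
TYPE_A_MAX_SIL = {
    0: (1, 2, 3, 3),
    1: (2, 3, 4, 4),
    2: (3, 4, 4, 4),
}

# Share of the loop's total PFD each component may consume (from the page).
PFD_BUDGET = {
    "sensor": 0.25,
    "input_interface": 0.10,
    "safety_plc": 0.15,
    "output_interface": 0.10,
    "actuator": 0.40,
}


def sff(lam_sd, lam_su, lam_dd, lam_du):
    """Safe failure fraction: every failure except dangerous undetected (DU)
    counts, because SD, SU and DD do not defeat the safety function unnoticed."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / total


def sff_band(sff_value):
    """Column index of the architectural-constraint table."""
    if sff_value < 0.60:
        return 0
    if sff_value < 0.90:
        return 1
    if sff_value < 0.99:
        return 2
    return 3


def max_sil_type_a(hft, sff_value):
    """Highest SIL the hardware structure alone permits (architectural constraint)."""
    return TYPE_A_MAX_SIL[hft][sff_band(sff_value)]


def pfd_avg_1oo1(lam_du, t_proof_years):
    """Average PFD of a single channel, simplified IEC 61508-6 formula:
    PFDavg = lambda_DU * Tproof / 2. Only DU failures contribute, since they
    stay hidden until the next proof test."""
    return lam_du * t_proof_years * HOURS_PER_YEAR / 2.0


def sil_from_pfd(pfd_avg):
    """Low-demand SIL band (IEC 61508-1): SIL n means 10^-(n+1) <= PFDavg < 10^-n."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0  # PFDavg >= 0.1: no SIL can be claimed


def loop_sil(component_pfds, hft, component_sffs):
    """SIL of the complete loop: the PFD sum sets one ceiling, the architectural
    constraint of the weakest component (lowest SFF) sets another."""
    total = sum(component_pfds.values())
    return min(sil_from_pfd(total), max_sil_type_a(hft, min(component_sffs.values())))


def budget_violations(component_pfds, target_sil):
    """Components that exceed their share of the target SIL's upper PFD limit."""
    limit = 10.0 ** -target_sil  # e.g. a SIL 3 loop must stay below 1e-3
    return sorted(n for n, p in component_pfds.items() if p > PFD_BUDGET[n] * limit)


def lam_du_from_table(pfd_at_one_year):
    """Invert the 1oo1 formula: lambda_DU implied by a published PFD at Tproof = 1 year."""
    return 2.0 * pfd_at_one_year / HOURS_PER_YEAR


if __name__ == "__main__":
    # Constructed failure rates (per hour) for a hypothetical Type A sensor.
    s = sff(lam_sd=2e-7, lam_su=1e-7, lam_dd=5e-8, lam_du=5e-8)
    print(f"SFF = {s:.1%}, max SIL at HFT 0 = {max_sil_type_a(0, s)}")

    # The brochure lists SJ 2-N at PFD = 3.02E-05 for Tproof = 1 year;
    # a 1oo1 PFD scales linearly with Tproof, so 5 years gives 5x that value.
    lam = lam_du_from_table(3.02e-5)
    print(f"SJ 2-N at Tproof = 5 years: PFD = {pfd_avg_1oo1(lam, 5):.2E}")

    # Constructed 1oo1 loop, Tproof = 1 year; the Type A table is applied
    # to every component purely for illustration.
    pfds = {"sensor": 3.0e-5, "input_interface": 3.2e-4, "safety_plc": 1.0e-4,
            "output_interface": 0.0, "actuator": 2.0e-3}
    sffs = {"sensor": 0.76, "input_interface": 0.74, "safety_plc": 0.95,
            "output_interface": 1.0, "actuator": 0.62}
    print("loop SIL:", loop_sil(pfds, 0, sffs))
    print("over budget for a SIL 3 target:", budget_violations(pfds, 3))
```

Two points the numbers make visible: the actuator, which the page already assigns the largest budget share, is what pushes the constructed loop out of SIL 3, and the brochure's own table rows (for example SJ 2-N at 3.02E-05, 6.05E-05 and 1.51E-04) follow exactly the linear Tproof scaling the 1oo1 formula predicts, which is why shortening the proof-test interval is the most effective organisational measure.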

ALL IMPORTANT CHARACTERISTIC VALUES AT A GLANCE

Name                                  Type              PFD (Tproof = 1 year)   PFD (Tproof = 2 years)   PFD (Tproof = 5 years)   SFF
Isolated switch amplifier (extract)   KFD2-SR2-Ex2.W    3.21E-04                6.42E-04                 1.60E-03                 > 74 %
                                      KFD2-SR2-Ex1.W    3.21E-04                6.42E-04                 1.60E-03                 > 74 %
Solenoid driver (extract)             KFD2-SD-Ex1.17    0.00E+00                0.00E+00                 0.00E+00                 100 %
Sensors (extract)                     SJ 2-N            3.02E-05                6.05E-05                 1.51E-04                 > 76 %
                                      SJ 3,5-N          4.82E-05                9.64E-05                 2.41E-04                 > 68 %
Transmitter power supply (extract)    KFD2-STC4-Ex1     1.6E-04                 3.2E-04                  8.0E-03                  > 91 %

Failure categories: Fail Low (L) = Safe, Fail High (H) = Safe

Name                                  Type              PFD (Tproof = 1 year)   PFD (Tproof = 5 years)   PFD (Tproof = 10 years)   SFF
HART multiplexer (extract)            KFD2-HMM-16       6.13E-08                3.07E-07                 6.13E-07                  > 60 %
                                      HiD 2700          2.50E-07                1.25E-06                 2.50E-06                  > 60 %

All SIL assessments from Pepperl+Fuchs are available free of charge on the Internet at www.pepperl-fuchs.com

KEY FEATURES AT A GLANCE:

- Safe signals from the standard program
- No extra charge
- Well-proven engineering
- Simple planning

POINT TO POINT INTERFACE MODULES

Pepperl+Fuchs supplies SIL levels for numerous standard units. This ensures that our customers enjoy the following advantages:

- Units which have proven themselves in operation
- No altered approval values
- Standardised certification of intrinsic safety
- Standardised unit documentation
- Standardised warehouse and spare part storage
- Extensive international supply capacity
- No extra charge for the user
- Simple planning and commissioning

Interface modules:

SIL   Signal   Function                                Type
2     AI       SMART transmitter power supply          ED2-STC4-**2
2     DO       Solenoid driver                         ED2-VM-Ex*.3**
2     DI       Switch amplifier                        EG*-***
2     AI       SMART transmitter power supply          HiC2025
2     AO       Current driver                          HiC2031
2     DI       Switch amplifier                        HiC2821
2     DI       Switch amplifier                        HiC2822
3     DO       Solenoid driver                         HiC2871
2     AI       SMART transmitter power supply          HiD2025/2026(SK)
2     AI       SMART transmitter power supply          HiD2029/2030(SK)
2     AO       Current driver                          HiD2033/2034
2     AO       SMART current driver                    HiD2037/2038
2     DI       Switch amplifier                        HiD2821/2822/2824
2     DI       Switch amplifier                        HiD2842/2844
2     DO       Solenoid driver                         HiD2871/2872
2     DO       Solenoid driver                         HiD2875/2876
2     DO       Solenoid driver                         HiD2881
3     DI       Safety switch amplifier                 K***-SH-Ex1
3     DO       Solenoid driver                         KCD0-SD-Ex1.1245
2     AO       SMART current driver                    KCD2-SCD-Ex1
2     DI       Switch amplifier                        KCD2-SR-***.**
2     AI       SMART transmitter power supply          KCD2-STC-Ex1
2     AI       Transmitter power supply                KF**-CRG-***.*
2     DI       Speed monitor                           KF**-DWB-***.*
2     AI       Temperature converter with trip value   KF**-GUT-***.*
2     DI       Switch amplifier                        KF**-SOT2-***.**
2     DI       Switch amplifier                        KF**-SR2-***.**.**
2     DI       Frequency converter with trip value     KF**-UFC-***.*
2     AO       Current driver                          KFD0-CS-***.***
3     HART     HART multiplexer slave                  KFD0-HMS-16
3     DO       Relay module                            KFD0-RSH-1
2     AO       SMART current driver                    KFD0-SCS-***.**
2     AO       Current driver                          KFD2-CD*-***.**-**
3     HART     HART multiplexer master                 KFD2-HMM-16
2     AO       SMART current driver                    KFD2-SCD*-***.**
3     DO       Solenoid driver                         KFD2-SD-***.****
3     DO       Solenoid driver                         KFD2-SL-***.**
2     DO       Solenoid driver                         KFD2-SL2-***.**
2     DO       Solenoid driver                         KFD2-SL-4
2     DI       Standstill monitor                      KFD2-SR2-**2.W.SM
2     DI       Switch amplifier                        KFD2-ST2-***.**
2     AI       SMART transmitter power supply          KFD2-STC4-***.**
2     AI       SMART transmitter power supply          KFD2-STV4-***.**
3     HART     HART multiplexer master                 Mux2700
3     SURGE    Surge suppressor                        P-LB-***

Sensors:

SIL   Signal   Function                       Type
2     A        Hydrostatic pressure sensor    LHC-M20/M40
2     A        Guided microwave               LTC***
2     D        Vibration limit switch         LVL-M* with FEL51 ... FEL58
2     D        Inductive initiator            NCB2-12GM35-N0
2     D        Inductive initiator            NCB2-V3-N0
2     D        Inductive initiator            NCB5-18GM40-N0
3     D        Inductive safety initiator     NCN3-F25*-SN4***
2     D        Inductive initiator            NCN4-12GM35-N0
2     D        Inductive initiator            NCN4-V3-N0
2     D        Inductive initiator            NCN8-18GM40-N0
3     D        Inductive safety initiator     NJ10-30GK-SN***
3     D        Inductive safety initiator     NJ15-30GK-SN***
3     D        Inductive safety initiator     NJ15S+U*+N***
3     D        Inductive safety initiator     NJ20S+U*+N***
3     D        Inductive safety initiator     NJ2-11-SN***
3     D        Inductive safety initiator     NJ2-11-SN-G***
3     D        Inductive safety initiator     NJ2-12GK-SN***
3     D        Inductive safety initiator     NJ3-18GK-S1N***
3     D        Inductive safety initiator     NJ40-FP-SN***
3     D        Inductive safety initiator     NJ4-12GK-SN***
3     D        Inductive safety initiator     NJ5-18GK-SN***
3     D        Inductive safety initiator     NJ5-30GK-S1N***
3     D        Inductive safety initiator     NJ6-22-SN***
3     D        Inductive safety initiator     NJ6-22-SN-G***
3     D        Inductive safety initiator     NJ6S1+U*+N1***
3     D        Inductive safety initiator     NJ8-18GK-SN***
2     A        Process pressure transmitter   PPC-M10/M20
2     D        Inductive initiator            SC3,5-N0
2     D        Inductive initiator            SJ2-N
3     D        Inductive safety initiator     SJ2-S1N***
3     D        Inductive safety initiator     SJ2-SN***
2     D        Inductive initiator            SJ3,5-N
3     D        Inductive safety initiator     SJ3,5-S1N***
3     D        Inductive safety initiator     SJ3,5-SN***

A = Sensor analog, D = Sensor digital

LOOP STRUCTURE, DEVICE SELECTION, ORGANISATIONAL MEASURES

Device selection, loop structure and organisational measures together determine the signal circuit SIL which can be achieved.

TYPICAL SIGNAL CIRCUIT:
Signal input (transmitter or sensor) -> Input isolator (transmitter supply unit) -> Safety-PLC -> Output isolator (valve control module) -> Actuator (valve or position control)

LOOP STRUCTURE:
The signal circuit with a simple 1oo1 evaluation structure has no hardware fault tolerance (HFT = 0). Failure of a unit can lead to a loss of the safety function.

[Figure: 1oo1 loop: one analogue transmitter -> one input -> 1oo1 signal processing; 1oo1 structure typical for SIL 2]

SIL 2 AND SIL 3 WITH THE SAME UNITS:
The signal circuit with a redundant 1oo2 loop structure has a hardware fault tolerance of 1 (HFT = 1). Failure of a single unit does not lead to a loss of the safety function.

[Figure: 1oo2 loop: two analogue transmitters -> two inputs -> 1oo2 signal processing; 1oo2 structure typical for SIL 3]

HARDWARE SOLUTIONS WITHOUT SAFETY-PLC
Isolating contact amplifiers switch their output level relative to the sensor input involved. A Safety-PLC is therefore unnecessary for simple isolating contact amplifier applications.
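To show why the same units reach SIL 2 in a 1oo1 structure but SIL 3 in 1oo2, here is an added example that is not part of the brochure. It uses the simplified low-demand formulas from IEC 61508-6 (PFDavg = λDU·T/2 for 1oo1 and ((1-β)λDU·T)²/3 + β·λDU·T/2 for 1oo2, with dangerous detected failures and repair times neglected). The failure rate λDU = 5e-7 /h and the common-cause factor β = 5 % are constructed assumptions, and the function names are the example's own.

```python
# Added example (not from the brochure): PFD and HFT of the 1oo1 and 1oo2
# loop structures built from the same unit. Simplified IEC 61508-6 formulas;
# lambda_DU and beta below are constructed assumptions, not device data.

HOURS_PER_YEAR = 8760.0


def pfd_1oo1(lam_du, t_proof_years):
    """Single channel, HFT = 0: one undetected dangerous failure defeats the function."""
    t = t_proof_years * HOURS_PER_YEAR
    return lam_du * t / 2.0


def pfd_1oo2(lam_du, t_proof_years, beta):
    """Two channels, either may trip, HFT = 1: the function is lost only if
    both channels fail independently (quadratic term) or a common cause
    takes both out at once (beta term, which usually dominates)."""
    t = t_proof_years * HOURS_PER_YEAR
    independent = ((1.0 - beta) * lam_du * t) ** 2 / 3.0
    common_cause = beta * lam_du * t / 2.0
    return independent + common_cause


def sil_band(pfd_avg):
    """Low-demand SIL band (IEC 61508-1): 10^-(n+1) <= PFDavg < 10^-n gives SIL n."""
    return next((s for s, up in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)) if pfd_avg < up), 0)


def compare_structures(lam_du, t_proof_years, beta):
    """HFT, PFDavg and SIL band of both loop structures for the same unit."""
    p1 = pfd_1oo1(lam_du, t_proof_years)
    p2 = pfd_1oo2(lam_du, t_proof_years, beta)
    return {
        "1oo1": {"hft": 0, "pfd": p1, "sil": sil_band(p1)},
        "1oo2": {"hft": 1, "pfd": p2, "sil": sil_band(p2)},
    }


def max_tproof_years(lam_du, target_sil, beta, structure="1oo1"):
    """Longest proof-test interval (whole years) that keeps the structure inside
    the target SIL band, i.e. the organisational measure the page recommends."""
    pfd = pfd_1oo1 if structure == "1oo1" else (lambda l, t: pfd_1oo2(l, t, beta))
    years = 0
    while years < 50 and sil_band(pfd(lam_du, years + 1)) >= target_sil:
        years += 1
    return years


if __name__ == "__main__":
    LAM_DU, BETA = 5e-7, 0.05   # constructed: 5e-7 DU failures per hour, 5 % common cause
    for name, r in compare_structures(LAM_DU, 1, BETA).items():
        print(f"{name}: HFT = {r['hft']}, PFDavg = {r['pfd']:.2E}, SIL {r['sil']}")
    print("max Tproof for SIL 2 with 1oo1:", max_tproof_years(LAM_DU, 2, BETA, "1oo1"), "years")
    print("max Tproof for SIL 3 with 1oo2:", max_tproof_years(LAM_DU, 3, BETA, "1oo2"), "years")
```

With these assumptions the 1oo1 loop sits in SIL 2 and the 1oo2 loop in SIL 3, matching the page's rule of thumb; note that almost all of the 1oo2 PFD comes from the common-cause term, so the redundancy gain depends on how well the two channels are separated, not only on the second unit.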

PROCESS AUTOMATION: PROTECTING YOUR PROCESS

For over half a century, Pepperl+Fuchs has been continually providing new concepts for the world of process automation. Our company sets standards in quality and innovative technology. We develop, produce and distribute electronic interface modules, Human-Machine Interfaces and hazardous location protection equipment on a global scale, meeting the most demanding needs of industry. Thanks to our worldwide presence and our high flexibility in production and customer service, we are able to offer complete, individual solutions wherever and whenever you need us. We are the recognized experts in our technologies. Pepperl+Fuchs has earned a strong reputation by supplying the world's largest process industry companies with the broadest line of proven components for a diverse range of applications.


Worldwide/German Headquarters: Pepperl+Fuchs GmbH, Mannheim, Germany, Tel. +49 621 776 2222, E-Mail: pa-info@de.pepperl-fuchs.com
Asia Pacific Headquarters: Pepperl+Fuchs PTE Ltd., Singapore, Company Registration No. 199003130E, Tel. +65 6779 9091, E-Mail: pa-info@sg.pepperl-fuchs.com
Western Europe & Africa Headquarters: Pepperl+Fuchs N.V., Schoten/Antwerp, Belgium, Tel. +32 3 6442500, E-Mail: pa-info@be.pepperl-fuchs.com
Middle East/India Headquarters: Pepperl+Fuchs M.E (FZE), Dubai, UAE, Tel. +971 4 883 8378, E-Mail: pa-info@ae.pepperl-fuchs.com
North/Central America Headquarters: Pepperl+Fuchs Inc., Twinsburg, Ohio, USA, Tel. +1 330 486 0002, E-Mail: pa-info@us.pepperl-fuchs.com
Northern Europe Headquarters: Pepperl+Fuchs GB Ltd., Oldham, England, Tel. +44 161 6336431, E-Mail: pa-info@gb.pepperl-fuchs.com
Southern/Eastern Europe Headquarters: Pepperl+Fuchs Elcon srl, Sulbiate, Italy, Tel. +39 039 62921, E-Mail: pa-info@it.pepperl-fuchs.com
Southern America Headquarters: Pepperl+Fuchs Ltda., São Bernardo do Campo, SP, Brazil, Tel. +55 11 4341 8448, E-Mail: pa-info@br.pepperl-fuchs.com

www.pepperl-fuchs.com
Subject to modifications Copyright PEPPERL+FUCHS Printed in Germany Part. No. 126933 10 /08 02
