
An independent professional Community with a unique focus: SAFETY INSTRUMENTATION

IEC 61508 & 61511

Introduction
Concepts for defining Safety Integrity Level (SIL) and
choosing equipment

Sponsored by


IEC 61508 & 61511 UPDATE

Introduction
Concepts for defining Safety Integrity Level (SIL) &
choosing equipment

Program

1. Introduction to the IEC 61508 & 61511 standards
2. Key concepts
3. Safety Integrity Level - SIL
4. Choosing equipment
5. FAQ / Conclusion


1. Introduction to the IEC 61508 & 61511 standard

1.1 General - Standard

IEC - International Electrotechnical Commission

• In the past, national standards were in place for safety-related equipment
• 1998: the IEC standard for Functional Safety (IEC 61508) was adopted
• IEC standards are international standards
• 2004: IEC 61511 was adopted for the process industry

Information resources
www.iec.ch
www.iec.ch/zone/fsafety
www.iec.ch/zone/fsafety/questions.htm
www.safetyusersgroup.com


1. Introduction to the IEC 61508 & 61511 standard

1.1 General - Standard

IEC 61508
Functional safety of Electrical/Electronic/Programmable Electronic (E/E/PE) safety-related systems

▼ Basic standard: applies to ALL industries
▼ Applicable to the specification, design and operation of Safety Instrumented Systems - SIS
▼ Manufacturers
  ► Safety equipment: electrical equipment, electronic equipment, programmable electronic equipment

1. Introduction to the IEC 61508 & 61511 standard

1.1 General – Standard: process sector

Which standard applies to each element of a process-sector Safety Instrumented System (relationship between IEC 61511 and IEC 61508):

Process sector hardware
- Developing new hardware devices: follow IEC 61508
- Using proven-in-use hardware devices: follow IEC 61511
- Using hardware developed and assessed according to IEC 61508: follow IEC 61511

Process sector software
- Developing embedded (system) software: follow IEC 61508-3
- Developing application software using full variability languages: follow IEC 61508-3
- Developing application software using limited variability languages or fixed programs: follow IEC 61511

1. Introduction to the IEC 61508 & 61511 standard

1.1 General - Standard

IEC 61508 content

Part 1 – General requirements
Part 2 – Requirements for electrical/electronic/programmable electronic safety-related systems
Part 3 – Software requirements
Part 4 – Definitions & abbreviations
Part 5 – Examples of methods for the determination of safety integrity levels
Part 6 – Guidelines on the application of IEC 61508-2 and IEC 61508-3
Part 7 – Overview of techniques and measures

1. Introduction to the IEC 61508 & 61511 standard

1.1 General - Standard

IEC 61511 content

Part 1 - Framework, definitions, system, hardware and software requirements
Part 2 - Guidelines for the application of IEC 61511-1
Part 3 - Guidance for the determination of the required safety integrity levels

IEC 61511 structure: technical requirements and supporting requirements

Technical requirements (Part 1)
- Development of the overall safety requirements (concept, scope definition, hazard and risk assessment): Clause 8
- Allocation of the safety requirements to the safety instrumented functions and development of the safety requirements specification: Clauses 9 and 10
- Design phase for safety instrumented systems: Clause 11
- Design phase for safety instrumented system software: Clause 12
- Factory acceptance testing, installation and commissioning, and safety validation of safety instrumented systems: Clauses 13, 14 and 15
- Operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems: Clauses 16, 17 and 18

Supporting requirements (Part 1)
- References: Clause 2
- Definitions and abbreviations: Clause 3
- Conformance: Clause 4
- Management of functional safety: Clause 5
- Safety life-cycle requirements: Clause 6
- Verification: Clause 7
- Information requirements: Clause 19
- Differences: Annex A

Supporting parts
- Guideline for the application of Part 1: Part 2
- Guidance for the determination of the required safety integrity levels: Part 3

1. Introduction to the IEC 61508 & 61511 standard

1.2 General - Concepts

Danger / Hazard

• In everyday life: earthquakes, floods, avalanches, traffic, …
• In the process industry: explosion, fire, leaks, overflow, etc.
• Definition: potential source of harm. Note: the term includes danger to persons arising within a short time scale (for example, fire and explosion) and also danger with a long-term effect on a person's health (for example, release of a toxic substance).

Risk

Risk = frequency x magnitude (of the consequence)

Tolerable risk

Risk which is accepted in a given context based on the current values of society

1. Introduction to the IEC 61508 & 61511 standard

1.2 General - Concepts

Safety

Freedom from unacceptable risk

Risk reduction

Hazards are assessed according to their risk level

Which risks are acceptable and which are not?
What risk level is acceptable?

Risk "ZERO" does not exist!

1. Introduction to the IEC 61508 & 61511 standard

1.2 General - Concepts

ALARP – As Low As Reasonably Practicable


1. Introduction to the IEC 61508 & 61511 standard

1.2 General - Concepts

Protective measures

Risk = frequency x magnitude

• Reduce the frequency or likelihood of the hazardous event
• Reduce the severity of the magnitude or consequences

The objective of the protective measures is to lower the inherent (inbuilt) risk to a tolerable (acceptable) level

1. Introduction to the IEC 61508 & 61511 standard

1.2 General - Concepts

Risk protection: protection layers on a site, from the innermost layer outwards

1. Process
2. Process control
3. Prevention: instrumented safety (the SIS)
4. Protection: physical safety
5. Emergency means

1. Introduction to the IEC 61508 & 61511 standard

1.2 General - Concepts

Example

The risk without protective measures is reduced layer by layer:
- Sensor, detector, etc.
- Valve, motor, sprinkler, detector, etc.
- Water wall, emergency escape, etc.
- Further measures: fire extinguishers, fire-proof materials, etc.
down to the acceptable risk level.

Residual risk ≠ 0

1. Introduction to the IEC 61508 & 61511 standard

1.3 General - Concepts

Functional Safety

• Part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities

Electrical/Electronic/Programmable Electronic System (E/E/PES)

• System for control, protection or monitoring based on one or more electrical/electronic/programmable electronic (E/E/PE) devices, including all elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices

1. Introduction to the IEC 61508 & 61511 standard

1.3 General - Safety Loop

Safety Instrumented System – SIS

Instrumented system used to implement one or more safety instrumented functions. An SIS is composed of any combination of sensor(s), logic solver(s) and final element(s).

1. Introduction to the IEC 61508 & 61511 standard

1.3 General - Safety Loop

Safety Instrumented System – SIS: the safety loop

Sensors / transmitters
- Measurements: flow, temperature, pressure, etc.
- Detections: gas detection, smoke, etc.

Safety system (logic solver)
- Relays, electrical, electronic, programmable electronic, other equipment

Actuators (final elements)
- Valves, motors, pumps, etc.

E/E/PES (Electrical/Electronic/Programmable Electronic System) = sensors + logic solver + actuators, plus power supplies, monitoring and communication

1. Introduction to the IEC 61508 & 61511 standard

1.3 General - Safety related system

• A safety-related system is the designated system that both:
  – implements the required safety functions necessary to achieve or maintain a safe state for the EUC; and
  – is intended to achieve, on its own or with other E/E/PE safety-related systems, other technology safety-related systems or external risk reduction facilities, the necessary safety integrity for the required safety functions

1. Introduction to the IEC 61508 & 61511 standard

1.3 General - What is to be protected?

Equipment Under Control - EUC

• Equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities.
NOTE – The EUC control system is separate and distinct from the EUC.

EUC control system

• System which responds to input signals from the process and/or from an operator and generates output signals causing the EUC to operate in the desired manner.
NOTE – The EUC control system includes input devices and final elements.

1. Introduction to the IEC 61508 & 61511 standard

1.3 General - What is at risk?

EUC risk

• Risk arising from the EUC or its interaction with the EUC control
system
NOTE 1 – The risk in this context is that associated with the specific hazardous event in which
E/E/PE safety-related systems, other technology safety-related systems and external risk reduction
facilities are to be used to provide the necessary risk reduction, (i.e. the risk associated with
functional safety).

NOTE 2 – The EUC risk is indicated in figure A.1 of IEC 61508-5. The main purpose of determining
the EUC risk is to establish a reference point for the risk without taking into account E/E/PE safety-
related systems, other technology safety-related systems and external risk reduction facilities.

NOTE 3 – Assessment of this risk will include associated human factor issues.


1. Introduction to the IEC 61508 & 61511 standard

1.3 General - Risk reduction

Risk and Safety Integrity

• Distinction between Risk, Tolerable Risk and Safety Integrity

► Actual risk: risk is a measure of the probability and consequence of the occurrence of a specified hazardous event
► EUC risk: risk arising from the EUC or its interaction with the EUC control system
► Tolerable risk is determined on a societal basis and involves consideration of societal and political factors

Once the tolerable risk has been set, and the necessary risk reduction estimated, the safety integrity requirements for the SIS can be allocated.


1. Introduction to the IEC 61508 & 61511 standard

1.3 General - Risk reduction

Risk and Safety Integrity

• Distinction between Risk, Tolerable Risk and Safety Integrity

► Safety integrity applies solely to
  - E/E/PE safety-related systems
  - other technology safety-related systems
  - external risk reduction facilities
► Safety integrity is a measure of the likelihood of those systems/facilities satisfactorily achieving the necessary risk reduction in respect of the specified safety functions.
► Safety integrity requirements for the safety-related systems can be allocated once the tolerable risk and the risk reduction estimations have been defined (see 7.4, 7.5 and 7.6 of IEC 61508-1).

1. Introduction to the IEC 61508 & 61511 standard

1.3 Safety Function >> Safety Instrumented Function (SIF)

• Safety functions can be allocated to non-SIS and SIS
• A safety function in a SIS includes as a minimum
  - Sensors
  - Logic solver
  - Actuators
  - SIL, in terms of reliability (how reliable must it be?)
  - Timing (how fast must it act?)

Clearly each SF in a SIS has a SIL!

1. Introduction to the IEC 61508 & 61511 standard

1.3 General - Risk reduction

Three important steps for managing the risk

• Identify the hazards or hazardous events
• Analyze the hazards or hazardous events
• Reduce risk where necessary
  - Tolerable risk
  - Risk reduction through existing protection layers
  - Risk reduction through additional safety layers

Three categories of techniques

• Qualitative: description with words
• Quantitative: description with numbers
• Semi-quantitative: a mix of words and numbers

2. Key concepts

2.1 Safety Life Cycle

The IEC 61508 standard introduces the concept of an Overall Safety Lifecycle to ensure that all activities necessary to achieve the required Safety Integrity Level are performed.

► A systematic method covering all the activities
► Considered as a technical framework

For the Overall Safety Lifecycle, and for each phase of the lifecycle, the standard specifies:
- The objectives to be achieved
- The requirements to meet the objectives
- The scope of each phase
- The required inputs to the phase
- The deliverables required for each phase

2. Key concepts

2.1 Safety Life Cycle: the 16 phases of the IEC 61508 overall safety lifecycle

01 Concept
02 Overall scope and definition
03 Hazard and risk analysis
04 Overall safety requirements
05 Safety requirements allocation

Overall planning
06 Overall operation and maintenance planning
07 Overall safety validation planning
08 Overall installation and commissioning planning

Realisation
09 Safety-related systems: E/E/PES
10 Safety-related systems: other technology
11 External risk reduction facilities

12 Overall installation and commissioning
13 Overall safety validation
14 Overall operation and maintenance
15 Overall modification and retrofit (back to the appropriate overall safety lifecycle phase)
16 Decommissioning or disposal


2. Key concepts

2.2 Reasons for Failures

► Random hardware failures
  - Internal degradation, wear-out, …
  - Permanent: disappear only when repaired
  - Dynamic: appear only when specific conditions are present (e.g. temperature)
  - Quantified by failure rates; this is what the PFD calculation covers

► Common cause failures
  - The result of one or more events causing failures of 2 or more separate channels, up to total failure
  - Countered by diversity

► Systematic failures
  - Failure related in a deterministic way to a cause
  - Relate to the design and manufacturing process, operational procedures, …
  - Found only if a specific test can find them!
  - Not quantified in the failure-rate (PFD) analysis; the standard addresses them through lifecycle measures and techniques, not through probabilities

2. Key concepts

2.2 From Hazard & Risk Analysis to Specification & Design

► The Safety Requirements Specification (SRS) of a safety system
  - must be based on the Hazard & Risk Analysis (see slide 30)
  - Hazard identification
  - Hazard analysis (consequences)
  - Risk analysis
  - Risk management (tolerable risk, risk reduction, …)

► Hazard identification techniques
  - Checklists
  - "What if" study
  - Failure mode and effect analysis (FMEA)
  - Hazard and operability analysis (HAZOP)
  - Dynamic flowgraph methodology (DFM)

2. Key concepts

2.2 From Hazard & Risk Analysis to Specification & Design

► Hazard analysis techniques
  - Event Tree Analysis (ETA)
  - Fault Tree Analysis (FTA)
  - Cause-consequence analysis

► Risk reduction techniques
  - Event Tree Analysis (ETA)
  - Layer Of Protection Analysis (LOPA, a variation on the ETA)
  There are more techniques available. It is important to select the adequate technique for your situation.

► SRS
  - The results of the hazard and risk analysis give the SRS of each safety function needed to protect the process
  - As a minimum the SRS defines 5 elements for each safety function

2. Key concepts

2.2 From Hazard & Risk Analysis to Specification & Design

► 5 elements for each Safety Function
  - Sensing
  - Logic solving
  - Actuating
  - Safety integrity in terms of reliability
  - Timing (process safety time)

► Safety function specification (example: HIPPS)
  - "The main safety function of the HIPPS is to protect the separation vessels against overpressure and to protect the low pressure equipment against high pressure."
  - "Measure the pressure at two distinct points in vessel "A". If the pressure exceeds the HH pressure limit, open the drain valve within 4 seconds. Execute this function with a safety integrity of SIL 3."

3. Safety Integrity Level - SIL

3.1 Determination of required SIL

See IEC 61508-5, examples of methods for the determination of safety integrity levels

3.1.1 To whom does the SIL classification apply?

• Suppliers: prove the classification of their products.
• Plant builders / engineering: obligation to design and engineer the plant appropriately.
• End users / operators: request compliant safety instrumented devices; they must prove that the remaining risk is within the tolerable risk.
• Insurance companies, government departments: request proof of sufficient risk reduction and of what risk limit is achieved.

3. Safety Integrity Level - SIL

3.1 Determination of required SIL

See IEC 61508-5, examples of methods for the determination of safety integrity levels

There are quantitative & qualitative methods

3.1.2 Quantitative method

When is the quantitative method to be used?
- when the tolerable risk is specified numerically, for example "a consequence should not occur with a greater frequency than one in 10^5 years (100 000 years)"
- when numerical targets have been specified for the safety integrity levels of the safety-related systems

3. Safety Integrity Level - SIL

3.1 Determination of required SIL

See IEC 61508-5, examples of methods for the determination of safety integrity levels

3.1.2 Quantitative method

Risk of a dangerous process = frequency of the dangerous event occurring without the existing protective measures x effect of the dangerous event

The risk frequency can be estimated with quantitative risk assessment methods and defined by a numeric value:
• Analysis of failure rates in comparable situations
• Data from relevant databases
• Calculation using appropriate predictive methods

3. Safety Integrity Level - SIL

3.1 Determination of required SIL

See IEC 61508-5, examples of methods for the determination of safety integrity levels

How these targets are defined

Low demand mode of operation: average probability of failure to perform the design function on demand (PFDavg)

SIL 4: ≥10^-5 to <10^-4
SIL 3: ≥10^-4 to <10^-3
SIL 2: ≥10^-3 to <10^-2
SIL 1: ≥10^-2 to <10^-1

Low demand mode: where the frequency of demands for operation made on the safety-related system is NO greater than one per year and NO greater than twice the proof-test frequency

3. Safety Integrity Level - SIL

3.1 Determination of required SIL

See IEC 61508-5, examples of methods for the determination of safety integrity levels

How these targets are defined

High demand or continuous mode of operation: probability of a dangerous failure per hour (PFH)

SIL 4: ≥10^-9 to <10^-8
SIL 3: ≥10^-8 to <10^-7
SIL 2: ≥10^-7 to <10^-6
SIL 1: ≥10^-6 to <10^-5

High demand or continuous mode: where the frequency of demands for operation made on the safety-related system is greater than one per year or greater than twice the proof-test frequency
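The quantitative method carried through in code, as an added example that is not part of the original slides: the demand frequency of the hazardous event is reduced by the independent protection layers already in place (the LOPA view of the risk reduction techniques), compared with the tolerable frequency, and the remaining risk reduction is turned into a PFDavg target and a SIL from the low-demand table above. The scenarios (demand rate, layer PFDs, tolerable frequency) are constructed around the HIPPS example of the slides and are assumptions, not plant data.

```python
"""Quantitative SIL determination for a low-demand safety instrumented function (SIF).

Added example, not from the original slides. The unmitigated demand frequency is
reduced by the independent protection layers already in place, compared with the
tolerable frequency, and the remaining risk reduction is turned into a PFDavg target
and a SIL using the low-demand table of IEC 61508-1. All frequencies are per year.
Demand rates, layer PFDs and the tolerable frequency are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# IEC 61508-1 Table 2, low demand mode: PFDavg band per SIL, lower bound inclusive.
LOW_DEMAND_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL band holding a required PFDavg.

    0 means no SIL-rated SIF is needed (required RRF below 10); None means the
    target is below 1e-5, which a single SIF cannot claim (the risk graph's "b").
    """
    if pfd >= 1e-1:
        return 0
    for sil, (low, high) in LOW_DEMAND_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


def mode_of_operation(demand_frequency: float, proof_test_interval_years: float) -> str:
    """Low demand (definition above): no more than one demand per year AND no more
    than twice the proof-test frequency; otherwise high demand / continuous."""
    proof_test_frequency = 1.0 / proof_test_interval_years
    if demand_frequency <= 1.0 and demand_frequency <= 2.0 * proof_test_frequency:
        return "low demand"
    return "high demand / continuous"


@dataclass
class Scenario:
    name: str
    demand_frequency: float                 # initiating events per year, no protection
    tolerable_frequency: float              # target frequency of the consequence, per year
    existing_layers: Dict[str, float] = field(default_factory=dict)  # layer -> PFD

    def mitigated_frequency(self) -> float:
        """Frequency left after every independent layer already in place has failed."""
        f = self.demand_frequency
        for pfd in self.existing_layers.values():
            f *= pfd
        return f

    def required_rrf(self) -> float:
        """Risk reduction factor the new SIF must supply (1.0 when none is needed)."""
        return max(1.0, self.mitigated_frequency() / self.tolerable_frequency)

    def required_pfd(self) -> float:
        return 1.0 / self.required_rrf()

    def required_sil(self) -> Optional[int]:
        return sil_for_pfd(self.required_pfd())


# Constructed scenarios around the slides' HIPPS example (vessel overpressure).
# Tolerable: the consequence no more than once in 10^5 years.
HIPPS_WITH_PSV = Scenario(
    "vessel overpressure, relief valve credited",
    demand_frequency=0.5,                   # assumed BPCS pressure loop failures per year
    tolerable_frequency=1e-5,
    existing_layers={"operator response to alarm": 0.1, "pressure relief valve": 0.01},
)
HIPPS_WITHOUT_PSV = Scenario(
    "vessel overpressure, no relief valve credit",
    demand_frequency=0.5,
    tolerable_frequency=1e-5,
    existing_layers={"operator response to alarm": 0.1},
)

if __name__ == "__main__":
    for s in (HIPPS_WITH_PSV, HIPPS_WITHOUT_PSV):
        print(f"{s.name}: mitigated {s.mitigated_frequency():.2e}/yr, "
              f"RRF {s.required_rrf():.0f}, PFD target {s.required_pfd():.2e}, "
              f"SIL {s.required_sil()}, {mode_of_operation(s.demand_frequency, 1.0)}")
```

With the relief valve credited the SIF only has to supply a risk reduction factor of 50 (SIL 1); without that credit the same hazard needs a factor of 5000, which lands the HIPPS in the SIL 3 band. Whether a layer may be credited at all is a LOPA question (independence, effectiveness, auditability), which the code does not decide.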

3. Safety Integrity Level - SIL

3.1.3 Qualitative method: risk graph (IEC 61508-5, Annex D)

Follow the path consequence (C) → exposure (F) → avoidance (G), then read the result in the column for the demand rate (W):

Path                                        W3   W2   W1
Ca (any F, any G)                           a    -    -
Cb, Fa, Ga                                  1    a    -
Cb, Fa, Gb  /  Cb, Fb, Ga                   2    1    a
Cb, Fb, Gb  /  Cc, Fa, Ga                   3    2    1
Cc, Fa, Gb  /  Cc, Fb, Ga  /  Cd, Fa, Ga    4    3    2
Cc, Fb, Gb  /  Cd, Fa, Gb  /  Cd, Fb        b    4    3

a - no special safety requirements
b - a single SIS is insufficient
1, 2, 3, 4 - SIL

3. Safety Integrity Level - SIL

Extent of damage or consequence of the failure (C)
Ca  Light injury of a person, small environmental damage
Cb  Severe injury or death of a person
Cc  Death of several persons
Cd  Death of very many persons

Duration of stay of a person in the dangerous area, or frequency & exposure time (F)
Fa  Seldom to frequent
Fb  Frequent to permanent

Aversion of danger, or possibility of avoiding the hazardous event (G)
Ga  Possible under certain conditions
Gb  Hardly possible

Probability of occurrence without safety systems in place (W)
W1  Very low
W2  Low
W3  Relatively high

3. Safety Integrity Level - SIL

3.1.3 Qualitative method: worked example

Consequence Cb (severe injury or death of a person), exposure Fa (seldom to frequent), avoidance Gb (hardly possible). On the risk graph the path Cb → Fa → Gb lands on the row "2 / 1 / a": with a relatively high demand rate (W3) the safety function needs SIL 2, with a low demand rate (W2) SIL 1, and with a very low demand rate (W1) there is no special safety requirement.

3. Safety Integrity Level - SIL

3.2 Calculation examples – BASICS!

Consideration: in the process industry we deal with low-demand systems only (the common case; high demand or continuous mode has its own targets, see 3.1.2)

Random failures only (short circuit, drifting, interruption, etc.)

Probability of failure: the probability can be calculated from the failure rates
Magnitude of the failure: the consequence, from the hazard analysis

The calculated result is called the PFD value – Probability of Failure on Demand

3. Safety Integrity Level - SIL

3.2 Calculation examples

PFD     Probability of Failure on Demand – mean probability of the function failing on demand
PFDsys  Failure probability of the complete measuring system (the loop)
PFDs    Failure probability of the sensor
PFDL    Failure probability of the logic solver
PFDA    Failure probability of the actuator

Sensors / transmitters → Logic solver → Actuators

3. Safety Integrity Level - SIL

3.2 Calculation examples

3.2.1 A safety loop SIL calculation with SIL 2 sensors

PFD sensor α       1.4×10^-3 (suitable for SIL 2)
PFD logic solver   1.3×10^-4 (suitable for SIL 3)
PFD actuator       6.4×10^-4 (suitable for SIL 3)

System 1oo1 (1 out of 1 system): 1 unit out of 1 available unit required for functioning

3. Safety Integrity Level - SIL

3.2 Calculation examples

3.2.1 A safety loop SIL calculation with SIL 2 sensors

PFD sensor α       1.4×10^-3 (suitable for SIL 2)
PFD logic solver   1.3×10^-4 (suitable for SIL 3)
PFD actuator       6.4×10^-4 (suitable for SIL 3)

PFDsys = PFDs + PFDL + PFDA
PFDsys = 1.4×10^-3 + 1.3×10^-4 + 6.4×10^-4
PFDsys = 2.17×10^-3 → SIL 2

Low demand mode of operation: average probability of failure to perform the design function on demand
SIL 4: ≥10^-5 to <10^-4
SIL 3: ≥10^-4 to <10^-3
SIL 2: ≥10^-3 to <10^-2
SIL 1: ≥10^-2 to <10^-1

3. Safety Integrity Level - SIL

3.2 Calculation examples

3.2.2 A safety loop SIL calculation with SIL 3 components

PFD sensor β       5.89×10^-4 (suitable for SIL 3)
PFD logic solver   1.3×10^-4 (suitable for SIL 3)
PFD actuator       5.4×10^-4 (suitable for SIL 3)

System 1oo1 (1 out of 1 system): 1 unit out of 1 available unit required for functioning

3. Safety Integrity Level - SIL

3.2 Calculation examples

3.2.2 A safety loop SIL calculation with SIL 3 components

PFD sensor β       5.89×10^-4 (suitable for SIL 3)
PFD logic solver   1.3×10^-4 (suitable for SIL 3)
PFD actuator       5.4×10^-4 (suitable for SIL 3)

PFDsys = PFDs + PFDL + PFDA
PFDsys = 5.89×10^-4 + 1.3×10^-4 + 5.4×10^-4
PFDsys = 1.259×10^-3 → SIL 2 !!!

Three subsystems that are each "suitable for SIL 3" still give a SIL 2 loop: the PFD budget of a safety function is shared by its sensor, logic solver and final element, so each part must take only a fraction of the band.

Low demand mode of operation: average probability of failure to perform the design function on demand
SIL 4: ≥10^-5 to <10^-4
SIL 3: ≥10^-4 to <10^-3
SIL 2: ≥10^-3 to <10^-2
SIL 1: ≥10^-2 to <10^-1
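The two loop calculations above in code, as an added example that is not part of the original slides. It reproduces PFDsys = PFDs + PFDL + PFDA with the slides' figures and then goes one step beyond them: the sensor subsystem's PFDavg is derived from a dangerous undetected failure rate and a proof-test interval, for a single transmitter (1oo1) and a redundant pair (1oo2), using the simplified IEC 61508-6 formulas that neglect repair time and the dangerous-detected contribution. The failure rate (λDU = 2×10^-7 per hour) and the common-cause beta factor (5 %) are assumed values, not vendor data.

```python
"""Safety-loop PFD budget: sensor + logic solver + final element.

Added example, not from the original slides. Reproduces the two 1oo1 loop
calculations (PFDsys = PFDs + PFDL + PFDA, then the low-demand SIL band) and
derives a sensor PFDavg from lambda_DU and the proof-test interval for 1oo1 and
1oo2, with the simplified IEC 61508-6 formulas (no repair time, no DD term).
lambda_DU and beta below are assumed illustration values.
"""
from typing import Dict, List, Optional, Tuple

HOURS_PER_YEAR = 8760.0

# IEC 61508-1 Table 2, low demand mode (lower bound inclusive).
LOW_DEMAND_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL band of an achieved PFDavg; None when worse than SIL 1, 4 when better
    than 1e-5 (the standard defines no level above SIL 4)."""
    if pfd >= 1e-1:
        return None
    if pfd < 1e-5:
        return 4
    for sil, (low, high) in LOW_DEMAND_BANDS.items():
        if low <= pfd < high:
            return sil


def loop_pfd(subsystems: List[Tuple[str, float]]) -> float:
    """PFDsys of a series loop: every subsystem must work, so the (small) PFDs add."""
    return sum(pfd for _, pfd in subsystems)


def pfd_1oo1(lambda_du: float, proof_test_hours: float) -> float:
    """Single channel: on average a dangerous undetected fault has been present for
    half the proof-test interval when the demand arrives (PFDavg = lambda_DU * T / 2)."""
    return lambda_du * proof_test_hours / 2.0


def pfd_1oo2(lambda_du: float, proof_test_hours: float, beta: float) -> float:
    """Two channels, one sufficient: independent double failure plus the
    common-cause share beta of the single-channel term."""
    x = lambda_du * proof_test_hours
    return (1.0 - beta) ** 2 * x ** 2 / 3.0 + beta * x / 2.0


def classify_loop(subsystems: List[Tuple[str, float]]) -> Tuple[float, Optional[int]]:
    total = loop_pfd(subsystems)
    return total, sil_for_pfd(total)


# The slides' figures (PFD per subsystem, all 1oo1).
LOOP_SIL2_SENSOR = [("sensor alpha", 1.4e-3), ("logic solver", 1.3e-4), ("actuator", 6.4e-4)]
LOOP_SIL3_PARTS = [("sensor beta", 5.89e-4), ("logic solver", 1.3e-4), ("actuator", 5.4e-4)]

# Assumed transmitter data for the extension (not from the slides).
LAMBDA_DU = 2e-7      # dangerous undetected failures per hour
BETA = 0.05           # common-cause fraction for the redundant pair


def sensor_options(proof_test_hours: float = HOURS_PER_YEAR) -> Dict[str, Tuple[float, Optional[int]]]:
    """Loop PFD and SIL when the beta sensor is replaced by the assumed transmitter
    as a single unit, as a 1oo2 pair, and as a single unit proof-tested twice as often."""
    logic_and_actuator = LOOP_SIL3_PARTS[1:]
    return {
        "1oo1": classify_loop([("tx 1oo1", pfd_1oo1(LAMBDA_DU, proof_test_hours))] + logic_and_actuator),
        "1oo2": classify_loop([("tx 1oo2", pfd_1oo2(LAMBDA_DU, proof_test_hours, BETA))] + logic_and_actuator),
        "1oo1, half interval": classify_loop([("tx 1oo1", pfd_1oo1(LAMBDA_DU, proof_test_hours / 2))] + logic_and_actuator),
    }


if __name__ == "__main__":
    for name, loop in (("SIL 2 sensor loop", LOOP_SIL2_SENSOR), ("SIL 3 parts loop", LOOP_SIL3_PARTS)):
        pfd, sil = classify_loop(loop)
        print(f"{name}: PFDsys = {pfd:.3e} -> SIL {sil}")
    for arch, (pfd, sil) in sensor_options().items():
        print(f"sensor {arch}: PFDsys = {pfd:.3e} -> SIL {sil}")
```

With the assumed transmitter, a single unit tested yearly (PFDavg 8.76×10^-4) leaves the loop in SIL 2, halving the proof-test interval still leaves it in SIL 2, and only the 1oo2 pair (PFDavg about 4.5×10^-5) brings the loop into the SIL 3 band: the logic solver and the actuator already consume two thirds of the 10^-3 budget.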

4. Choosing equipment

4.1 Architectural constraints


Sensors / transmitters → Logic solver (input – CPU – output) → Actuators

Safety function to implement: measure the pressure at two distinct points in vessel "A". If the pressure exceeds the HH pressure limit, open the drain valve within 4 s. Execute this function with a safety integrity of SIL 3.

4. Choosing equipment

4.1 Architectural constraints

IEC 61508 & 61511 standards define limitations on the hardware architectures, based on:

• SIL (of the safety function)
• Type A or B
• Hardware fault tolerance
• SFF Safe Failure Fraction

• SIL >> each safety function
• Type A >> "non-complex" equipment: interposing safety relays, valves, actuators
• Type B >> "complex" equipment: equipment with integrated circuits (IC), programmable devices; logic solvers, smart transmitters, smart valve positioners, etc.

4. Choosing equipment

4.1 Architectural constraints

IEC 61508 & 61511 standards define limitations on the hardware


architectures

• Hardware Fault Tolerance (HFT)
  number of faults tolerated before the safety function is "lost"
  >> a "measure" of redundancy
  >> the voting matters: in an MooN architecture M of the N channels must work, so HFT = N - M

Architecture  Redundancy      HFT
1oo1          no redundancy   0
1oo2          dual            1
2oo2          no redundancy   0
1oo3          triple          2
2oo3          triple          1

4. Choosing equipment

4.1 Architectural constraints

IEC 61508 & 61511 standards define limitations on the hardware


architectures

• SFF – Safe Failure Fraction
  A measure of the "fail-safe design" & "built-in diagnostics"
  Different ways to fail:
  > Safe detected (SD)
  > Safe undetected (SU)
  > Dangerous detected (DD)
  > Dangerous undetected (DU)

  SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)

  Fail-safe design ↑ & diagnostics (DD) ↑ → failures DU ↓ & SFF ↑

4. Choosing equipment

4.1 Architectural constraints (IEC 61508)

Architectural constraints, type A subsystems (IEC 61508-2 Table 2): highest SIL claimable

SFF           HFT 0   HFT 1   HFT 2
<60%          SIL1    SIL2    SIL3
60% - <90%    SIL2    SIL3    SIL4
90% - <99%    SIL3    SIL4    SIL4
≥99%          SIL3    SIL4    SIL4

Architectural constraints, type B subsystems (IEC 61508-2 Table 3): highest SIL claimable

SFF           HFT 0         HFT 1   HFT 2
<60%          Not allowed   SIL1    SIL2
60% - <90%    SIL1          SIL2    SIL3
90% - <99%    SIL2          SIL3    SIL4
≥99%          SIL3          SIL4    SIL4

4. Choosing equipment

4.1 Architectural constraints

Options available for choosing, for example, a subsystem for measuring a pressure in a SIL 3 safety function:

• Type "A": 1 sensor (1oo1) with SFF ≥ 90%
• Type "A" sensors, 1oo2 or 2oo3, with 60% ≤ SFF < 90%
• Type "A" sensors, 1oo3, with no diagnostics (SFF < 60%)

• Type "B": 1 sensor (1oo1) with SFF ≥ 99%
• Type "B" sensors, 1oo2 or 2oo3, with 90% ≤ SFF < 99%
• Type "B" sensors, 1oo3, with 60% ≤ SFF < 90%
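The IEC 61508 architectural-constraint check in code, as an added example that is not part of the original slides: it computes the SFF from the four failure-rate classes, derives the HFT of an MooN voting group, looks up the type A / type B tables above and lists the architectures that satisfy a target SIL, which reproduces the SIL 3 pressure-measurement options just listed. The two example devices (a type B smart transmitter and a type A mechanical switch) and their failure rates are constructed, not vendor data.

```python
"""Architectural constraints under IEC 61508-2: SFF, HFT and the highest SIL a
subsystem may claim for a safety function.

Added example, not from the original slides. Failure rates of the two example
devices are constructed for illustration, not vendor data.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Highest claimable SIL by SFF band (rows: <60 %, 60-<90 %, 90-<99 %, >=99 %) and
# HFT (columns 0, 1, 2); 0 stands for "not allowed". IEC 61508-2 Tables 2 and 3.
TYPE_A = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]
TYPE_B = [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]

CANDIDATE_ARCHITECTURES: Tuple[Tuple[int, int], ...] = ((1, 1), (2, 2), (1, 2), (2, 3), (1, 3))


@dataclass(frozen=True)
class FailureRates:
    """Failure rates per hour, split by safe/dangerous and detected/undetected."""
    sd: float
    su: float
    dd: float
    du: float

    def sff(self) -> float:
        """Safe failure fraction: everything except dangerous undetected, over the total."""
        total = self.sd + self.su + self.dd + self.du
        return (self.sd + self.su + self.dd) / total

    def with_diagnostics(self, coverage: float) -> "FailureRates":
        """Same device with diagnostics revealing `coverage` of the dangerous failures,
        which moves that share from DU to DD (the only thing that raises the SFF)."""
        dangerous = self.dd + self.du
        return FailureRates(self.sd, self.su, dangerous * coverage, dangerous * (1.0 - coverage))


def sff_band(sff: float) -> int:
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def hft_of(m: int, n: int) -> int:
    """An MooN group still works with N - M channels failed: HFT = N - M."""
    return n - m


def max_sil(device_type: str, sff: float, hft: int) -> int:
    """Highest SIL the subsystem may claim; 0 means the combination is not allowed."""
    table = TYPE_A if device_type == "A" else TYPE_B
    return table[sff_band(sff)][min(hft, 2)]


def architectures_for(target_sil: int, device_type: str, sff: float) -> List[str]:
    """Voting arrangements of one device model that satisfy the architectural constraint."""
    return [f"{m}oo{n}" for m, n in CANDIDATE_ARCHITECTURES
            if max_sil(device_type, sff, hft_of(m, n)) >= target_sil]


# Constructed example devices (assumed failure rates).
SMART_TRANSMITTER = FailureRates(sd=2e-7, su=1e-7, dd=5e-7, du=5e-8)   # type B, SFF ~94 %
MECHANICAL_SWITCH = FailureRates(sd=3e-7, su=2e-7, dd=0.0, du=4e-7)    # type A, no diagnostics, SFF ~56 %

if __name__ == "__main__":
    for name, dev, dtype in (("smart transmitter", SMART_TRANSMITTER, "B"),
                             ("mechanical switch", MECHANICAL_SWITCH, "A")):
        print(f"{name}: SFF = {dev.sff():.1%}, SIL 3 architectures: "
              f"{architectures_for(3, dtype, dev.sff())}")
    improved = MECHANICAL_SWITCH.with_diagnostics(0.75)
    print(f"switch with 75 % diagnostic coverage: SFF = {improved.sff():.1%}, "
          f"SIL 3 architectures: {architectures_for(3, 'A', improved.sff())}")
```

The smart transmitter (SFF about 94 %, type B) needs 1oo2, 2oo3 or 1oo3 for SIL 3, as in the list above; the switch without diagnostics (SFF about 56 %, type A) is allowed only as 1oo3, and giving it 75 % diagnostic coverage lifts the SFF to about 89 %, where a dual arrangement becomes acceptable. The SFF is a design property of the device plus its diagnostics, which is why a vendor's certificate states it alongside the type.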

4. Choosing equipment

4.1 Architectural constraints (IEC 61511)

Minimum hardware fault tolerance of PE logic solvers (IEC 61511-1, 2003 edition, Table 5)

SIL   SFF < 60%   60% ≤ SFF < 90%   SFF ≥ 90%
1     1           0                 0
2     2           1                 0
3     3           2                 1
4     Special requirements apply (see IEC 61508)

Minimum hardware fault tolerance of sensors, final elements and non-PE logic solvers (IEC 61511-1, 2003 edition, Table 6)

SIL   Minimum HFT
1     0
2     1
3     2
4     Special requirements apply (see IEC 61508)

4. Choosing equipment

4.1 Architectural constraints (IEC 61511)

The principles are the same in IEC 61508 and IEC 61511, BUT simpler in IEC 61511.

Also, for ALL equipment except PE logic solvers, it is possible to DECREASE the minimum HFT by 1 when the following conditions are met (IEC 61511-1, 11.4.4):

• The hardware is "proven in use" (prior use)
• Only process-related parameters can be adjusted
• Adjustment of the process parameters is protected (e.g. by jumper or password)
• The SIL of the safety function is < 4

The minimum HFT must be increased by 1 if the dominant failure mode is not to the safe state and dangerous failures are not detected (IEC 61511-1, 11.4.3)!
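The IEC 61511 route in code, as an added example that is not part of the original slides: the minimum HFT from the two tables above, the prior-use reduction with its conditions, the increase for devices that neither fail safe nor reveal dangerous failures, and a check of whether a chosen MooN arrangement meets the result. The slides state the "+1" rule in general terms; IEC 61511-1 (2003), 11.4.3, attaches it to the Table 6 devices (sensors, final elements, non-PE logic solvers), and the code follows the standard. The devices in the usage section (two transmitters, one logic solver, one valve for the slides' SIL 3 HIPPS) and their properties are assumptions.

```python
"""Minimum hardware fault tolerance under IEC 61511-1 (2003), Tables 5 and 6, with the
clause 11.4 adjustments: -1 for prior-use field devices meeting the listed conditions,
+1 when the dominant failure mode is not to the safe state and dangerous failures are
not detected. Added example, not from the original slides; device data are assumed.
"""
from typing import Optional

# Table 5: PE logic solvers, minimum HFT by SIL and SFF column (<60 %, 60-90 %, >90 %).
TABLE5_PE_LOGIC_SOLVER = {1: (1, 0, 0), 2: (2, 1, 0), 3: (3, 2, 1)}
# Table 6: sensors, final elements and non-PE logic solvers.
TABLE6_FIELD_DEVICES = {1: 0, 2: 1, 3: 2}


def sff_column(sff: float) -> int:
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    return 2


def min_hft(sil: int, element: str, sff: Optional[float] = None, *,
            prior_use: bool = False, only_process_params: bool = False,
            params_protected: bool = False, dominant_failure_safe: bool = True,
            dangerous_detected: bool = True) -> int:
    """Minimum HFT for one subsystem of a SIL 1-3 safety function.

    element is "pe_logic_solver" or "field_device" (sensor, final element,
    non-PE logic solver). SIL 4 raises: special requirements, see IEC 61508.
    """
    if sil not in (1, 2, 3):
        raise ValueError("SIL 4 has special requirements (see IEC 61508)")
    if element == "pe_logic_solver":
        if sff is None:
            raise ValueError("Table 5 needs the SFF of the logic solver")
        return TABLE5_PE_LOGIC_SOLVER[sil][sff_column(sff)]
    hft = TABLE6_FIELD_DEVICES[sil]
    # 11.4.4: prior-use reduction only with all three conditions (SIL < 4 already holds).
    if prior_use and only_process_params and params_protected:
        hft = max(0, hft - 1)
    # 11.4.3: no credit for a device that neither fails safe nor reveals dangerous faults.
    if not dominant_failure_safe and not dangerous_detected:
        hft += 1
    return hft


def architecture_meets(moon: str, required_hft: int) -> bool:
    """True when an MooN arrangement (e.g. "2oo3") has HFT = N - M >= required."""
    m, n = (int(part) for part in moon.lower().split("oo"))
    return n - m >= required_hft


if __name__ == "__main__":
    # Assumed SIL 3 HIPPS: prior-use transmitters, a PE logic solver with SFF 95 %,
    # a valve that fails in place, with and without partial-stroke diagnostics.
    tx = min_hft(3, "field_device", prior_use=True, only_process_params=True, params_protected=True)
    ls = min_hft(3, "pe_logic_solver", sff=0.95)
    valve = min_hft(3, "field_device", dominant_failure_safe=False, dangerous_detected=False)
    valve_pst = min_hft(3, "field_device", dominant_failure_safe=False, dangerous_detected=True)
    print(f"transmitters: min HFT {tx}, 1oo2 ok: {architecture_meets('1oo2', tx)}")
    print(f"logic solver: min HFT {ls}, 1oo1 ok: {architecture_meets('1oo1', ls)}")
    print(f"valve, no diagnostics: min HFT {valve}; with partial-stroke test: min HFT {valve_pst}")
```

For the assumed HIPPS the prior-use transmitters may be 1oo2 (minimum HFT 1), the logic solver with 95 % SFF needs HFT 1 so a single unit is not enough, and a valve that fails in place with no dangerous-failure detection needs HFT 3, which partial-stroke testing brings back to the Table 6 value of 2.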

4. Choosing equipment

4.1 Architectural constraints

What does mean “proven is use”

See IEC 61508-2 clause 7.4.7.6:

A previously developed subsystem shall only be regarded as proven in use when it has a clearly restricted functionality and when there is adequate documentary evidence which is based on the previous use of a specific configuration of the subsystem (during which time all failures have been formally recorded, see 7.4.7.10), and which takes into account any additional analysis or testing, as required (see 7.4.7.8). The documentary evidence shall demonstrate that the likelihood of any failure of the subsystem (due to random hardware and systematic faults) in the E/E/PE safety-related system is low enough so that the required safety integrity level(s) of the safety function(s) which use the subsystem is achieved.

4. Choosing equipment

4.1 Architectural constraints

What does “proven in use” mean?

See IEC 61511-1 clause 3.2.60:

proven-in-use
when a documented assessment has shown that there is appropriate evidence, based on the previous use of the component, that the component is suitable for use in a safety instrumented system (see “prior use” in 11.5)


4. Choosing equipment

4.1 Architectural constraints

Evidence to be delivered to “prove” “proven in use”

• Manufacturer's quality, management and configuration management systems
• Restricted functionality
• Identification and specification of the components or subsystems
• Performance of the components or subsystems in similar operating profiles and physical environments
• Volume of the operating experience
• Statistical evidence that the claimed failure rate is sufficiently low

Difficulty of getting access to statistical records!


4. Choosing equipment

4.2 Equipment selection (PROCESS SECTOR)

Which standard to follow for a Safety Instrumented System in the process sector:

Process sector hardware
• Developing new hardware devices: follow IEC 61508
• Using proven-in-use hardware devices: follow IEC 61511
• Using hardware developed and assessed according to IEC 61508: follow IEC 61511

Process sector software
• Developing embedded (system) software: follow IEC 61508-3
• Developing application software using full variability languages: follow IEC 61508-3
• Developing application software using limited variability languages or fixed programs: follow IEC 61511

4. Choosing equipment

4.2 Equipment selection

4.2.1 Certification and third party reports

Certification (according to IEC 61508)

> Every single requirement of the standards is verified
> Hardware
> Software

A good certified safety product addresses not only functional safety according to IEC 61508 but also:

> Electrical safety
> Environmental safety
> EMC/EMI
> User documentation
> Reliability analysis

4. Choosing equipment

4.2 Equipment selection

4.2.2 Hardware functional safety information

For your safety devices and equipment, ask for the following information:

• Applicable standard
• Type
• Hardware fault tolerance
• Safe failure fraction
• Safe undetected failure rate
• Dangerous detected failure rate
• Dangerous undetected failure rate
• SIL of the product
• Recommended periodic proof test interval!

The above information will help you to determine how to comply with the architectural constraints.
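The following is an added worked example, not code from the slides or from the IEC standards, that ties the information list above to the architectural-constraint rules of section 4.1: it encodes the two minimum-HFT tables reproduced on the IEC 61511 slide, the "decrease HFT by 1 when proven in use" relief and the "increase HFT by 1 when the dominant failure mode is not safe and dangerous failures are undetected" penalty, derives the safe failure fraction from the failure rates a manufacturer supplies (the SFF definition is the one in IEC 61508-2), and checks whether an MooN voting architecture provides enough fault tolerance. Assumptions of the example: "dangerous failures not detected" is modelled as a device claiming no dangerous-detected failure rate, and the three devices with their failure rates are constructed sample data, not real products.

```python
"""Added example: checking a subsystem against the IEC 61511 architectural
constraints. Tables, relief and penalty follow the slides; the SFF formula
is the IEC 61508-2 definition; the device data at the bottom is constructed.
"""
from dataclasses import dataclass

# IEC 61511-1 table for PE logic solvers (as reproduced on the slides):
# minimum HFT per SIL, indexed by SFF band 0: < 60 %, 1: 60..90 %, 2: > 90 %
_PE_LOGIC_SOLVER_HFT = {1: (1, 0, 0), 2: (2, 1, 0), 3: (3, 2, 1)}

# IEC 61511-1 table for sensors, final elements and non-PE logic solvers
_FIELD_DEVICE_HFT = {1: 0, 2: 1, 3: 2}


@dataclass
class Subsystem:
    """Functional-safety data for one device, as listed on the slide
    'Hardware functional safety information'. Rates in FIT (1e-9 / h)."""
    name: str
    pe_logic_solver: bool
    lambda_sd: float          # safe detected failure rate
    lambda_su: float          # safe undetected failure rate
    lambda_dd: float          # dangerous detected failure rate
    lambda_du: float          # dangerous undetected failure rate
    proven_in_use: bool = False
    only_process_params_adjustable: bool = False
    adjustment_protected: bool = False
    dominant_failure_mode_safe: bool = True


def safe_failure_fraction(sd, su, dd, du):
    """SFF = (safe + dangerous detected) / (all failures), per IEC 61508-2."""
    total = sd + su + dd + du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (sd + su + dd) / total


def _sff_band(sff):
    return 0 if sff < 0.60 else 1 if sff < 0.90 else 2


def minimum_hft(sil, sff, pe_logic_solver):
    """Table lookup. SIL 4 is refused: the tables defer it to IEC 61508."""
    if sil not in (1, 2, 3):
        raise ValueError("SIL 4: special requirements apply (see IEC 61508)")
    if pe_logic_solver:
        return _PE_LOGIC_SOLVER_HFT[sil][_sff_band(sff)]
    return _FIELD_DEVICE_HFT[sil]


def required_hft(sub, sil):
    """Table value plus the two adjustments from the slides."""
    sff = safe_failure_fraction(sub.lambda_sd, sub.lambda_su,
                                sub.lambda_dd, sub.lambda_du)
    hft = minimum_hft(sil, sff, sub.pe_logic_solver)
    # Relief: everything except PE logic solvers may reduce HFT by 1 when all
    # four conditions hold (proven in use, only process parameters adjustable,
    # adjustment protected, SIL < 4).
    if (not sub.pe_logic_solver and sub.proven_in_use
            and sub.only_process_params_adjustable
            and sub.adjustment_protected and sil < 4):
        hft = max(hft - 1, 0)
    # Penalty: dominant failure mode not safe AND dangerous failures not
    # detected (assumption: modelled as no dangerous-detected rate claimed).
    if not sub.dominant_failure_mode_safe and sub.lambda_dd == 0:
        hft += 1
    return hft


def architecture_hft(voting):
    """HFT of an MooN voting group: N - M failed channels are tolerated."""
    m, n = voting.lower().split("oo")
    return int(n) - int(m)


def meets_architectural_constraint(sub, sil, voting):
    return architecture_hft(voting) >= required_hft(sub, sil)


# Constructed sample devices (figures invented for this example)
PT = Subsystem("pressure transmitter (constructed)", False, 0, 200, 500, 100,
               proven_in_use=True, only_process_params_adjustable=True,
               adjustment_protected=True)
LS = Subsystem("PE logic solver (constructed)", True, 100, 50, 800, 50)
SOV = Subsystem("solenoid valve, no diagnostics (constructed)", False,
                0, 100, 0, 300, dominant_failure_mode_safe=False)

if __name__ == "__main__":
    for sub, sil, voting in [(PT, 3, "1oo1"), (PT, 3, "2oo3"),
                             (LS, 3, "1oo1"), (LS, 3, "1oo2"),
                             (SOV, 2, "1oo2"), (SOV, 2, "1oo3")]:
        verdict = "OK" if meets_architectural_constraint(sub, sil, voting) else "FAILS"
        print(f"SIL {sil} {voting} {sub.name}: needs HFT {required_hft(sub, sil)}, "
              f"has {architecture_hft(voting)} -> {verdict}")
```

Running it shows the point of the slides: the constructed transmitter (SFF 87.5 %) needs HFT 2 for SIL 3 from the field-device table, which the proven-in-use relief reduces to 1, so 2oo3 passes while a single transmitter does not; the PE logic solver (SFF 95 %) needs HFT 1 and gets no relief; the valve with no diagnostics and an unsafe dominant failure mode is pushed from HFT 1 to HFT 2 at SIL 2, so only 1oo3 satisfies the constraint.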

4. Choosing equipment

4.2 Equipment selection

4.2.3 Safety Manual

READ THE SAFETY MANUAL!


4. Choosing equipment

4.3 FAQ

• Is a higher SIL always better?
• Why is it advantageous to have equipment and process in compliance with IEC standards?
• Are the IEC standards mandatory by law?
• Should there be a difference between new and old plants? Revamping?
• Is certification required by standards or by law?
• Are the IEC 61508/61511 standards prescriptive?
• What are the possible designs (single-channel/redundant)?
• Does proof testing influence the probability of failing dangerously?
• The higher the SIL, the higher the SFF?
