
Selection of components for functional safety systems

requirements, certificates and typical pitfalls


Dr. Jörg Isenberg, AUMA Riester GmbH
14-15 May 2018
Choosing components for SIS
How to interpret certificate headlines?

A "SIL 3" headline on a certificate can mean one of three different things:
1. The component may be used in any SIL 3 application.
2. The component may be used in SIL 3 applications if HFT = 1 (if HFT = 0, SIL 2 is permissible).
3. The systematic capability is 3, but it has to be checked separately which SIL may be achieved due to failure probability (PFD) and architectural constraints.

To find out, you need to read & interpret the details of the certificate!
Choosing components for SIS
Criteria for component evaluation:
- General suitability for the application
- Fulfillment of the 3 main criteria of IEC 61508
- Additional criteria
General suitability for the application
General suitability for the intended application:
- Environmental conditions (temperature, humidity, …)
- Influence of process media (corrosivity, particles, …)
- Mechanical requirements (torque, closing time, vibrations, …)
- Functionality (safety function(s), priority, …)

A "SIL 1 capable" component that is optimally suited to the general (process) requirements gives a higher risk reduction than an unsuitable "SIL 3 capable" component!
The 3 main criteria of IEC 61508

The SIL of a SIF always depends on 3 criteria:
- Systematic capability (avoidance of systematic faults)
- Architectural constraints (robustness of system)
- Probability of failure on demand (PFD)
The SIL achieved is the lowest SIL achieved by any of these 3 criteria!

Example:
- Systematic capability → SIL 3
- Architectural constraints → SIL 1
- Probability of failure on demand (PFD) → SIL 2
i.e. achieved SIL for this SIF → SIL 1
The 3 main criteria – systematic capability


Route 1S:
- Set of requirements (Functional Safety Management) to be obeyed in the different safety life cycle phases
- Necessary to make systematic failures unlikely
- Different for each SIL → systematic capability SC = 1…4
Route 2S: proven in use (IEC 61508) / prior use (IEC 61511)
The 3 main criteria – systematic capability

[Certificate excerpt showing the systematic capability statement; data source: manufacturer homepage]
The 3 main criteria – system architecture


IEC 61508:
Route 1H: Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT)
Route 2H: HFT & field data evaluation with raised confidence levels
The 3 main criteria – system architecture
Architectural constraints:

Maximum allowed SIL due to architectural constraints (route 1H):

Type A device:
SFF            HFT = 0   HFT = 1   HFT = 2
< 60 %         SIL 1     SIL 2     SIL 3
60 % … < 90 %  SIL 2     SIL 3     SIL 4
90 % … < 99 %  SIL 3     SIL 4     SIL 4
≥ 99 %         SIL 3     SIL 4     SIL 4

Type B device:
SFF            HFT = 0   HFT = 1   HFT = 2
< 60 %         --        SIL 1     SIL 2
60 % … < 90 %  SIL 1     SIL 2     SIL 3
90 % … < 99 %  SIL 2     SIL 3     SIL 4
≥ 99 %         SIL 3     SIL 4     SIL 4
The 3 main criteria – system architecture
Architectural constraints:
- Attention, if no SFF and no (random) integrity is stated!

Page 2 of the same certificate:

Safety function   λSD       λSU       λDD        λDU       SFF
ESD w/o PST       404 FIT   185 FIT   1920 FIT   974 FIT   72 %
ESD with PST      461 FIT   185 FIT   2510 FIT   388 FIT   89 %

Data source: manufacturer homepage
→ Architectural constraints: SIL 1 capable (HFT = 0) with/without PST!
Data source: manufacturer homepage

Disclaimer: compensation by other parts of the same element (if any) possible
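As an added example (not from the slides), the SFF calculation and route 1H lookup applied to the two ESD rows of the certificate above. The device type is not stated on the slide; type B is assumed here because that is the reading under which "SIL 1 capable (HFT = 0)" follows from the table for both rows.

```python
# Added example, not from the slides: route 1H architectural-constraint check.
# Maximum SIL per SFF band and HFT as tabulated on the slide (IEC 61508 ed. 2,
# route 1H). Bands: < 60 %, 60…< 90 %, 90…< 99 %, >= 99 %; 0 means "not allowed".
ROUTE_1H = {
    "A": ((0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (None, (3, 4, 4))),
    "B": ((0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (None, (3, 4, 4))),
}


def sff(lam_sd, lam_su, lam_dd, lam_du):
    """Safe failure fraction: safe plus dangerous-detected share of all failures.
    Rates are in FIT (failures per 1e9 h); the unit cancels in the ratio."""
    total = lam_sd + lam_su + lam_dd + lam_du
    if total <= 0:
        raise ValueError("no failure rates given; SFF cannot be derived")
    return (lam_sd + lam_su + lam_dd) / total


def max_sil_route_1h(device_type, sff_value, hft):
    """Highest SIL the architectural constraints permit under route 1H."""
    if device_type not in ROUTE_1H or hft not in (0, 1, 2):
        raise ValueError("device type must be 'A' or 'B', HFT 0..2")
    for upper, sils in ROUTE_1H[device_type]:
        if upper is None or sff_value < upper:  # first band the SFF falls into
            return sils[hft]


def evaluate(device_type, hft, lam_sd, lam_su, lam_dd, lam_du):
    """SFF and resulting architectural SIL for one certificate row."""
    s = sff(lam_sd, lam_su, lam_dd, lam_du)
    return s, max_sil_route_1h(device_type, s, hft)


# FIT values quoted from page 2 of the certificate shown on the slide.
# The type B assumption is mine; the slide does not state the device type.
CERT_ROWS = {
    "ESD w/o PST": (404, 185, 1920, 974),
    "ESD with PST": (461, 185, 2510, 388),
}

if __name__ == "__main__":
    for name, rates in CERT_ROWS.items():
        for hft in (0, 1):
            s, sil = evaluate("B", hft, *rates)
            print(f"{name:13s} HFT={hft}: SFF={s:.1%} -> max SIL {sil}")
```

Note that the "with PST" row lands at 89 %, just below the 90 % band boundary, so partial-stroke testing does not change the architectural result here.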
The 3 main criteria – system architecture

More explicit certificates do exist: the SIL capability is explicitly given for both systematic and random capability.

[Certificate excerpt; data source: manufacturer homepage]
The 3 main criteria – failure rates (PFD)


SIL     Average probability of failure on demand (type of duty: low demand)
SIL 4   < 10^-4
SIL 3   < 10^-3
SIL 2   < 10^-2
SIL 1   < 10^-1


The 3 main criteria – failure rates (PFD)
Acceptable PFD for an actuator in a SIL 2 safety function?
All Safety Instrumented Systems consist of Sensor – Logic – Actor.
→ Components mustn't consume the whole allowed PFD!
Non-normative but widely accepted breakdown:
- 25 %-rule should roughly be obeyed
→ Actuator for SIL 2 should have PFD < 2.5 × 10^-3
The 3 main criteria – failure rates (PFD)
Example from the safety manual of an actuator:
- According to the certificate, the actuator is "SIL 2 capable"

Total budget – PFD for SIL 2: XY = sensor + logic + actuator (?) + gearbox + valve

Product safety function: ESD
λSD   Safe detected failure rate                          … FIT
λSU   Safe undetected failure rate                        … FIT
λDD   Dangerous detected failure rate                     … FIT
λDU   Dangerous undetected failure rate                   … FIT
PFDavg @ PTI = 1 yr, MTTR = 24 hrs, no PVST               1.1 × 10^-2
PFDavg @ TPVST = 6 months, MTTR = 24 hrs, with PVST       5.8 × 10^-3
Safe Failure Fraction (SFF)                               …
Diagnostic coverage (DC)                                  …
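An added example (not from the slides) that puts the PFD table, the 25 %-rule and the "lowest of three criteria" rule together and runs them over the two PFDavg values quoted from the actuator safety manual above. The 25 % share and the low-demand bands are taken from the slides; the function names are mine.

```python
# Added example, not from the slides: PFD budget check for a low-demand SIF.
# Low-demand PFDavg bands as listed on the slide: SIL n <=> PFDavg < 10^-n.
def sil_from_pfd(pfd):
    """SIL supported by the PFDavg alone (0 = worse than SIL 1)."""
    if pfd <= 0:
        raise ValueError("PFDavg must be positive")
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** -sil:
            return sil
    return 0


def component_budget(target_sil, share=0.25):
    """Allowed PFD for one subsystem under the non-normative 25 %-rule."""
    return share * 10.0 ** -target_sil


def check_component(pfd, target_sil, share=0.25):
    """Compare a component's PFDavg with its share of the SIF's PFD budget."""
    budget = component_budget(target_sil, share)
    return {
        "pfd_sil": sil_from_pfd(pfd),          # SIL the PFD alone would support
        "budget": budget,                       # e.g. 2.5e-3 for SIL 2
        "fraction_of_budget": pfd / budget,     # > 1.0 means the budget is blown
        "ok": pfd < budget,
    }


def achieved_sil(systematic_capability, architectural_sil, pfd_sil):
    """The SIL of the SIF is the lowest SIL reached by any of the 3 criteria."""
    return min(systematic_capability, architectural_sil, pfd_sil)


# PFDavg values quoted from the actuator safety manual on the slide.
ACTUATOR_PFD = {"no PVST, PTI 1 yr": 1.1e-2, "with PVST, TPVST 6 months": 5.8e-3}

if __name__ == "__main__":
    for name, pfd in ACTUATOR_PFD.items():
        r = check_component(pfd, target_sil=2)
        print(f"{name}: PFD {pfd:.1e} -> PFD-only SIL {r['pfd_sil']}, "
              f"{r['fraction_of_budget']:.0%} of the actuator budget, ok={r['ok']}")
    # The slide's worked example: SC 3, architecture SIL 1, PFD SIL 2 -> SIF SIL 1
    print("achieved SIL:", achieved_sil(3, 1, 2))
```

Both quoted values fail the SIL 2 actuator budget of 2.5 × 10^-3, and the no-PVST figure does not even stay below the 10^-2 bound of the whole SIL 2 band, which is exactly the pitfall the "SIL 2 capable" headline hides.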
Additional criteria
Additional criteria:
- Demand mode
- Safety function
- …
Conclusion

Subject                            | Important                                                                        | Where to find
Process & environmental conditions | Always buy components that match all conditions                                  | Technical documentation
Functionality                      | All functionality requirements fulfilled; differences safety function vs. standard operation? | Technical documentation or safety manual
Systematic capability              | Must fit your SIL requirement                                                    | "SIL" certificate or safety manual
Architectural constraints          | Sufficient SFF (ed. 2 of IEC 61508) or sufficient evidence for path 2H           | "SIL" certificate or safety manual
Failure rate (PFD)                 | Component shall only consume part of the allowed PFD (e.g. ≤ 25 % for actuator)  | "SIL" certificate or safety manual
AUMA Endüstri Kontrol Sistemleri
TEL: +90 312 217 32 88
WEB: www.auma.com.tr
E-MAIL: info@auma.com.tr