
SIS Implementation Practice

Changes in the Chemical Industry according to IEC 61511


Helmut Bezecny, Dow Deutschland GmbH & Co. OHG

Abstract
IEC 61511 will change the way safety related functions are implemented according to DIN and VDE in Germany today. This paper mainly addresses differences in the selection of instrumentation, in particular the aspects of redundancy, mean time to fail, diagnostics and proof test interval in relation to the SIL. Starting with the basic PFD requirements of the SIL table, the relationship between these characteristics is shown on a typical PFD calculation formula. Differences resulting from variation of the characteristics are explained with examples. Another new aspect is the fault tolerance requirement, which is explained on the basis of IEC 61511-1 table 5b. Finally a SIS example shows how a SIL 2 protection function is realized.

Introduction
In the past years DIN V 19250 and DIN V 19251 as well as VDI/VDE 2180 were the main guides for safety applications in the Chemical Industry. New principles and more detailed requirements were introduced with the development of IEC 61508 as the generic standard for functional safety of electrical/electronic/programmable electronic safety-related systems. IEC 61508 covers a very wide range of applications and is mainly intended for equipment manufacturers. The chemical industry does not develop its own instrumentation or control systems, but buys them on the market and, due to its many applications, has extensive operating experience. In order to suit the needs of the Chemical Industry, IEC 61511 is under development and nearing completion. This standard is still based on the principles of IEC 61511, but addresses only the items required for typical applications, in a more practical approach.

SIL and AK
One of the first differences you will find is the requirement classes for safety instrumented systems. IEC defines 4 classes, called Safety Integrity Levels (SIL). DIN uses Anwenderklassen (AK) with 8 levels, and VDI talks about risk areas. The relationship between them is shown in figure 1 below.

Figure 1: Relationship IEC 61511, DIN 19250 and VDI/VDE 2180 (figure not reproduced; the classes shown are):
IEC 61511:     SIL 1, SIL 2, SIL 3, SIL 4
DIN V 19250:   AK1, AK2, AK3, AK4, AK5, AK6, AK7, AK8
VDI/VDE 2180:  Risk Area I (low risk), Risk Area II (high risk); the figure also marks an upper region that cannot be covered by SIS only

SIL and PFD


Each Safety Integrity Level has an assigned target risk reduction or Probability of Failure on Demand (PFD) as shown in table 1 below.

DEMAND MODE OF OPERATION

Safety Integrity   Target average probability   Target risk
Level (SIL)        of failure on demand         reduction
------------------------------------------------------------------
4                  10^-5 to <10^-4              >10,000 to 100,000
3                  10^-4 to <10^-3              >1000 to 10,000
2                  10^-3 to <10^-2              >100 to 1000
1                  10^-2 to <10^-1              >10 to 100

Table 1: Safety integrity levels: probability of failure on demand

It has to be noted that there is also a continuous mode of operation table available, which needs to be used depending on the application. Since most of the applications in the process industry fall under the demand mode, I will not discuss the other table here.

PFD Calculation
The PFD calculation of a SIS always contains the three basic elements: sensor, logic solver and final elements. These elements may consist of several components. Each of them has its own PFD, and their sum is the PFD of the SIS. In the following I will concentrate only on instrumentation, since logic solvers will usually be bought with a certificate and come with adequate safety related information.

To start with I will introduce all the variables used in the PFD calculation in table 2 below.

Abbreviation: Term (units). Parameter ranges in tables B.2 to B.5 and B.10 to B.13.

T1:    Proof test period (hour). Ranges: 1-3 months (for high demand or continuous mode only), 6 months, 1 year, 2-10 years (for low demand mode only).
MTTR:  Mean time to restoration (hour). Range: 8 hours.
DC:    Diagnostic coverage (percentage). Ranges: 0%, 60%, 90%, 99%.
β:     Fraction of failures having a common cause. Ranges: 1%, 5%, 10% (it is assumed β = 2 x βD).
λ:     Average probability of failure (per demand or per hour). Range: 0.1 x 10^-6 to 50 x 10^-6.
λD:    Probability of dangerous failure (per demand or per hour). 0.5 x λ (assumes 50% dangerous failures and 50% safe failures).
λDD:   Probability of detected dangerous failure (per demand or per hour). This is the sum of all the probabilities of detected dangerous failure within the channel.
λDU:   Probability of undetected dangerous failure (per demand or per hour). This is the sum of all the probabilities of undetected dangerous failure within the channel.
tDE:   Device equivalent mean down time (hour). This is the combined down time for all the components in a channel.

Table 2: Variables used in the PFD calculation

Now to the Basic PFD Calculation:

PFD = λD x tDE

tDE = (λDU / λD) x (T1 / 2 + MTTR)  +  (λDD / λD) x MTTR
      [% undetected x test interval]   [% detected x repair time]

This formula shows that the PFD is directly proportional to the failure rate of the instrument and the device equivalent mean down time. The mean down time mainly depends on the ability to diagnose dangerous failures and the proof test period.

The first part of the equation contains the percentage of undetected failures and is almost proportional to the proof test period, since the restoration time is usually a negligible fraction of it. The second part of the equation contains the percentage of detected failures and is directly proportional to the restoration time. Assuming that none of the dangerous failures are diagnosed, the down time is half the proof test period plus the restoration time. Example: the proof test period is one year and the MTTR is 8 hours; the resulting down time is 4388 hours. Assuming that all of the dangerous failures are diagnosed, the down time is 8 hours. In practice the achievable dangerous failure diagnostic will be somewhere in between, depending on how smart the instrument is. This is a completely new aspect, since it is now possible to considerably extend the proof test period of a given instrument the more failures can be diagnosed. However, it must be understood that any diagnosed dangerous fault has to be repaired within the mean time to restoration.

Minimum Hardware Fault tolerance


Another known aspect is the fault tolerance. IEC 61511 has introduced some simple rules, and one may always go back to the more complex requirements of IEC 61508. The starting point is table 3 below, which already assumes that the dominant failure mode is to the safe state or that dangerous failures are detected; otherwise the fault tolerance shall be increased by one. To establish whether the dominant failure mode is to the safe state it is necessary to consider each of the following:
- the process connection of the device;
- use of diagnostic information of the device to validate the process signal;
- use of inherent fail safe behavior of the device (e.g. live zero signal, loss of power results in a safe state).

SIL   Minimum Hardware Fault Tolerance (see 11.4.3 and 11.4.4)
1     0
2     1
3     2
4     Special requirements apply - see IEC 61508

Table 3: Minimum hardware fault tolerance of sensors and final elements and non-PE logic solvers

Furthermore, for all subsystems (e.g., sensor, final elements and non-PE logic solvers) except PE logic solvers, the minimum fault tolerance specified in table 3 may be reduced by one if the devices used comply with all of the following:
- the hardware of the device is selected on the basis of successful prior use;
- the device allows adjustment of process-related parameters only, e.g., measuring range, upscale or downscale failure direction, etc.;
- the adjustment of the process-related parameters of the device is protected, e.g., jumper, password;
- the function has a SIL requirement less than 4.

The fault tolerance is defined as the ability of a functional unit to continue to perform a required function in the presence of faults or errors. Usually this is achieved by identical or diverse redundancy.


So this table and the rules provide a clear requirement when redundancy is needed.

SIL 2 example
Hazardous scenario: Temperature control of a steam heated batch reactor fails and opens the steam control valve fully.

Safety Requirements Specification for SIS: If the batch reactor pressure exceeds 10 bar, close off the feed of reactant A to the reactor within 20 seconds to avoid an exothermic reaction. No operator action is necessary.

Safety Integrity Level: SIL 2

System architecture: Pressure sensor, logic solver, final element. Proven-in-use smart sensors are directly connected to inputs of the logic system. The emergency block valve has an integrated solenoid valve and is directly connected to outputs of the logic system. All MTTF data are actual operating experience.

Available instrumentation:
- Pressure sensors: MTTF 10^5 hrs, DC = 70%, SFF = 90%, proof test interval every year, MTTR = 8 hrs.
- Emergency block valve: MTTF 2.5 x 10^4 hrs, DC = 0%, SFF = 60%, proof test every week (168 hrs), MTTR = 8 hrs.

Single sensor PFD: PFD for 1oo1 sensor architecture = 2.2 x 10^-3, acceptable (see table 1). Check minimum fault tolerance: for SIL 2 = 1 according to table 3, reduced by 1 for the additional measures = 0; actual fault tolerance = 0, acceptable.

Logic solver (redundant): PFD = 1.3 x 10^-4 including I/O interface (from certificate), acceptable.

Single final element PFD: PFD = λD x tDE, with λD = 1 / (25 000 x 2) = 2 x 10^-5 per hour and tDE = 168 / 2 + 8 = 92 hrs, giving PFD = 1.84 x 10^-3. Check minimum fault tolerance: for SIL 2 = 1 according to table 3, reduced by 1 for the additional measures = 0; actual fault tolerance = 0, acceptable.

Check total loop: sensor + logic solver + final element = (2.2 + 0.1 + 1.8) x 10^-3 = 4.1 x 10^-3 < 10^-2, acceptable.

Additional architecture related safety software: Final element configuration software: the steam valve output is de-energized when a safe output action is commanded by the safety program. Additionally, monitoring software is written which proves that the safe state of the valve is reached each time the valve is operated (once per batch, typically every 8 hours). In case of a test failure, or if more than 168 hours have elapsed since the last test, the logic solver output stays in the safe state (emergency block valve closed) and the condition is alarmed. This automatic test allows setting the proof test interval in the PFD calculation to 168 hours.
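The PFD formula from the PFD Calculation section and its use in the SIL 2 example, worked through as an added Python example (not from the paper or the standard; the helper names, the clamping of the reduced fault tolerance at zero, and the sample inputs are assumptions):

```python
# Added example (not from the paper): the 1oo1 PFD formula from the text,
# PFD = λD x tDE with tDE = (λDU/λD)(T1/2 + MTTR) + (λDD/λD) x MTTR, plus the
# table 1 SIL lookup and the table 3 fault tolerance rule, applied to inputs
# constructed to mirror the paper's SIL 2 emergency block valve.

def device_down_time(dc: float, t1_hours: float, mttr_hours: float) -> float:
    """Device equivalent mean down time tDE (hours). dc = λDD/λD, the fraction
    of dangerous failures found by diagnostics; undetected ones hide for half
    a proof test period on average, detected ones only for the repair time."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must be a fraction 0..1")
    undetected_part = (1.0 - dc) * (t1_hours / 2.0 + mttr_hours)
    detected_part = dc * mttr_hours
    return undetected_part + detected_part

def pfd_1oo1(mttf_hours: float, dc: float, t1_hours: float,
             mttr_hours: float, dangerous_fraction: float = 0.5) -> float:
    """PFD of a single device: λD x tDE, λD = dangerous share of 1/MTTF
    (table 2 assumes 50 % dangerous and 50 % safe failures)."""
    lambda_d = dangerous_fraction / mttf_hours
    return lambda_d * device_down_time(dc, t1_hours, mttr_hours)

# Table 1, demand mode: (SIL, lower PFD bound, upper PFD bound).
SIL_PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

def sil_from_pfd(pfd: float):
    """SIL reached by a loop PFD per table 1; None if outside the table."""
    for sil, lower, upper in SIL_PFD_BANDS:
        if lower <= pfd < upper:
            return sil
    return None

# Table 3: minimum hardware fault tolerance (sensors, final elements, non-PE
# logic solvers) assuming the dominant failure mode is safe or detected.
MIN_HFT = {1: 0, 2: 1, 3: 2}

def min_hardware_fault_tolerance(sil: int, safe_or_detected_dominant: bool,
                                 prior_use_criteria_met: bool) -> int:
    """Table 3 value, +1 if the dominant failure mode is not safe/detected,
    -1 (clamped at 0, an assumption) if all four prior-use conditions hold."""
    if sil not in MIN_HFT:
        raise ValueError("SIL 4: special requirements apply, see IEC 61508")
    hft = MIN_HFT[sil] + (0 if safe_or_detected_dominant else 1)
    return max(hft - 1, 0) if prior_use_criteria_met else hft

# Paper's block valve: MTTF 2.5e4 h, DC 0 %, weekly test (168 h), MTTR 8 h.
VALVE_PFD = pfd_1oo1(2.5e4, 0.0, 168, 8)              # 1.84e-3
# Sensor and certified logic solver PFDs are taken as given in the paper.
LOOP_PFD = VALVE_PFD + 2.2e-3 + 1.3e-4                # about 4.2e-3, SIL 2
```

Running the same functions with DC = 0 and DC = 1 for a yearly test reproduces the 4388 h and 8 h down times quoted in the text.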

Summary
This new standard requires a much more differentiated approach to SIS design and implementation, but it is a more candid approach based on mathematics. It also favors the emerging generation of smart instrumentation and allows credit for this investment. A new challenge is the need for failure statistics of the instruments under operating conditions.

References
IEC 61511, Safety Instrumented Systems for the process industry sector, FDIS 2002
IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, 1998