SIL - Safety Classification


1
1. Functional Safety

2. SIL Classification

2
Functional Safety

Functional Safety is about reducing the risk for this (slide picture not reproduced)

3
Functional Safety

Context

Functional Safety is improved by implementing a so-called SIS (Safety Instrumented System), including the necessary number of SIFs (Safety Instrumented Functions).

A Risk Assessment of the plant defines the SIL (Safety Integrity Level) of each SIF.

4
Functional Safety

Functional Safety Standards

IEC 61508 and IEC 61511 provide an adequate basis for:

- Risk assessment of an industrial process
- SIS design
- Product design
- SIL classification of SIFs and products

Applicable safety standard:

Device manufacturers           IEC 61508
System designers and users     IEC 61511

5
Functional Safety

What is SIL (Safety Integrity Level)

- SIL is a classification of a product's or a Safety Function's (SIF's) ability to reduce the risk of accidents in an industrial process
- The standards define four Safety Integrity Levels, SIL 1 to SIL 4, where SIL 4 is the highest safety level

6
Functional Safety

Example of a SIF (Safety Instrumented Function):

Temperature control of a storage tank with steam heating

(Figure not reproduced; labels: Valve, Steam entry, Steam exit, Temperature measurement with Pt100 sensor and IPAQ C520)

7
Functional Safety

Example of a SIF (cont.)

A SIF has three major parts: Sensor, Logic solver and Final element:

Sensor → Logic solver (e.g. PLC or DCS) → Final element (valve)

The safety function of a sensor has two major parts:

1. To ensure a correct measured value (self-check)
2. In case of a sensor error, the transmission of error information to the safety system, e.g. the Logic solver
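The second part of the sensor's safety function only pays off if the logic solver actually turns the transmitted error into the safe state. The following is an added example, not code from the presentation or from the transmitter manufacturer: it assumes the transmitter drives a 4-20 mA loop and signals a detected fault with a NAMUR NE43 failure current (3.6 mA or less, 21 mA or more; the valid signal band is 3.8 to 20.5 mA), which the slides do not state. `LoopInput`, the function names, the 0-200 °C span and the 150 °C trip limit are constructed for the example.

```python
# Added example: logic-solver handling of a transmitter's fault signal (slide 8, part 2 of the
# sensor safety function). Assumes a 4-20 mA loop with NAMUR NE43 fault currents.
from dataclasses import dataclass
from typing import Tuple

NE43_FAULT_LOW_MA = 3.6    # at or below: transmitter signals a detected fault (also wire break)
NE43_SIGNAL_MIN_MA = 3.8   # 3.8 ... 20.5 mA is the valid signal band, including over/under-range
NE43_SIGNAL_MAX_MA = 20.5
NE43_FAULT_HIGH_MA = 21.0  # at or above: transmitter signals a detected fault


@dataclass(frozen=True)
class LoopInput:
    """One analogue input channel: measured loop current and the configured 4-20 mA span."""
    current_ma: float
    span_low_c: float   # temperature represented by 4 mA
    span_high_c: float  # temperature represented by 20 mA


def loop_status(current_ma: float) -> str:
    """Classify the loop current. The gaps 3.6-3.8 mA and 20.5-21 mA are not defined by
    NE43; a fail-safe logic solver treats them as faults rather than as readings."""
    if current_ma <= NE43_FAULT_LOW_MA:
        return "fault_low"
    if current_ma >= NE43_FAULT_HIGH_MA:
        return "fault_high"
    if NE43_SIGNAL_MIN_MA <= current_ma <= NE43_SIGNAL_MAX_MA:
        return "ok"
    return "undefined"


def temperature_c(inp: LoopInput) -> float:
    """Linear 4-20 mA scaling; slight extrapolation covers the NE43 over/under-range band."""
    fraction = (inp.current_ma - 4.0) / 16.0
    return inp.span_low_c + fraction * (inp.span_high_c - inp.span_low_c)


def evaluate_trip(inp: LoopInput, trip_c: float) -> Tuple[bool, str]:
    """Return (trip, reason). Any status other than 'ok' trips the final element: a sensor
    fault must not be read as a plausible temperature, it must drive the safe state."""
    status = loop_status(inp.current_ma)
    if status != "ok":
        return True, f"sensor fault signalled: {status} at {inp.current_ma:.2f} mA"
    temp = temperature_c(inp)
    if temp >= trip_c:
        return True, f"high temperature: {temp:.1f} C >= {trip_c:.1f} C"
    return False, f"temperature {temp:.1f} C within limit"


if __name__ == "__main__":
    # Constructed readings for a 0-200 C span and a 150 C high-temperature trip.
    for ma in (12.0, 17.5, 3.5, 0.0, 22.0, 20.8):
        print(f"{ma:5.1f} mA -> {evaluate_trip(LoopInput(ma, 0.0, 200.0), trip_c=150.0)}")
```

The design point is the order of the checks: the current is classified before it is scaled, so a wire break (0 mA) or a transmitter-signalled fault can never be converted into a temperature that happens to look acceptable. The undefined bands are deliberately treated as faults as well; accepting them would let a drifting output sit between "valid" and "fault" without tripping.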

8
Functional Safety

Risk Assessment
Prior to designing and calculating the safety function (SIF), the so-called SIL assessment has to be performed, i.e. the safety level (e.g. SIL 2) with which the safety function (SIF) must comply has to be determined.

In IEC 61508 the following risk graph is used for this purpose. Starting from the extent of damage (S), the path branches on how long persons are exposed (A) and on the possibility of risk avoidance (G); the column is given by the probability of occurrence (W).

Risk parameters:

Extent of damage
- S1: Minor injuries of a person; minor harmful influences on the environment
- S2: Serious, irreversible injuries of one or more persons or death of a person; temporary major harmful influences on the environment
- S3: Death of several persons; lasting major harmful influences on the environment
- S4: Catastrophic effects, many dead persons

How often / how long persons stay in the hazardous area
- A1: Seldom to once in a while
- A2: Frequently to permanently

Risk avoidance
- G1: Possible under special conditions
- G2: Hardly possible

Probability of occurrence
- W1: very low
- W2: low
- W3: relatively high

Risk graph (resulting SIL):

Path              W1      W2      W3
S1                -       -       -
S2 / A1 / G1      -       SIL1    SIL1
S2 / A1 / G2      SIL1    SIL1    SIL2
S2 / A2 / G1      SIL1    SIL2    SIL2
S2 / A2 / G2      SIL2    SIL2    SIL3
S3 / A1           SIL2    SIL3    SIL3
S3 / A2           SIL3    SIL3    SIL4
S4                SIL3    SIL4    -*

-: no SIL requirement results from the graph
*Safety function on its own insufficient


9
1. Functional Safety

2. SIL Classification

10
SIL Classification

FMEDA (Failure Mode, Effect and Diagnostics Analysis)

A given piece of hardware is analyzed to evaluate its suitability for a specific application. Together with the investigation of the mechanical / electromechanical components, this allows the device's failure rates needed for SIL determination to be defined.

Basically, three parameters resulting from the FMEDA are used for SIL classification of the device:

HFT (Hardware Fault Tolerance)

SFF (Safe Failure Fraction)

PFDavg (Average Probability of Failure on Demand)

11
SIL Classification

HFT (Hardware Fault Tolerance)

The HFT of a device states how many hardware faults the safety function tolerates before it is lost:

HFT = 0: Single-channel use. A single fault may cause loss of the safety function.

HFT = 1: Redundant version. At least two hardware faults must be present at the same time to cause loss of the safety function.

According to IEC 61511, the HFT credited to a device can be increased by 1 on the basis of proven operation (prior use) together with further safety requirements.

12
SIL Classification

SFF (Safe Failure Fraction)

This value represents the fraction of safe device failures. An SFF of 85 % means that 85 out of 100 device failures do not affect the safety function of the device.
The SFF is used together with the HFT to determine the highest safety level in which the device may be used:

SFF        HFT 0    HFT 1 or 0(1)    HFT 2
< 60 %     -        SIL1             SIL2
60-90 %    SIL1     SIL2             SIL3
90-99 %    SIL2     SIL3             SIL4
> 99 %     SIL3     SIL4             SIL4

HFT 0(1): single-channel device with proven operation according to IEC 61511.

13
SIL Classification

PFDAVG (Probability of Failure on Demand)

The PFDavg indicates the probability that a safety function (SIF) or a device fails to perform on demand, averaged over a certain time interval called the Proof Test Interval, T[Proof].
E.g.: PFDavg = 3.35 × 10^-4 with T[Proof] = 1 year means that, averaged over the one-year proof test interval, the safety function or the device fails on demand with a probability of 0.000335.
The following table shows which PFDavg is assigned to which SIL for a complete SIF:

PFDavg                SIL
≥ 10^-2 … < 10^-1     SIL1
≥ 10^-3 … < 10^-2     SIL2
≥ 10^-4 … < 10^-3     SIL3
≥ 10^-5 … < 10^-4     SIL4

14
SIL Classification

PFDAVG for the sensor part

A generally accepted distribution of the PFDavg values of a SIF assumes that 35 % of the total PFDavg is caused by the sensor part.
For a SIL 2 application the PFDavg value for the total SIF should be smaller than 10^-2, hence the maximum allowable PFDavg for the sensor part is 3.5 × 10^-3.

Sensor: 35 % of total PFDavg        Logic solver + Final element: 65 % of total PFDavg

15
SIL Classification

SIL classification of a SIF (Safety Instrumented Function)

Sensor part          Logic solver part     Final element part
HFT = 0              HFT = 0               HFT = 0
SFF = 92.1 %         SFF = 99.2 %          SFF = 91 %
► SIL 2              ► SIL 3               ► SIL 2

For the SIL classification based on the SFF value, the weakest part counts! In order to achieve SIL 2 for the SIF, the SFF values of all SIF parts have to comply with at least SIL 2.

PFDavg, SIF = PFDavg, Sensor + PFDavg, Logic solver + PFDavg, Final element
Generally accepted distribution: PFDavg, Sensor = 35 % of PFDavg, SIF
For the SIF, the PFDavg has to be less than 0.01 for SIL 2.
For the sensor, the PFDavg has to be less than 0.0035 (35 % of 0.01) for SIL 2.

PFDavg, SIF           SIL
≥ 10^-2 … < 10^-1     SIL 1
≥ 10^-3 … < 10^-2     SIL 2
≥ 10^-4 … < 10^-3     SIL 3
≥ 10^-5 … < 10^-4     SIL 4

Result: SIL 2 classified SIF acc. to IEC 61508 / 61511, PFDavg = 0.0049*
* Proof test interval = 1 year
16
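The procedure of slides 11 to 16 carried through in code, as an added example that is not part of the presentation or of the transmitter manufacturer's material: SFF from FMEDA failure rates, SIL by the SFF/HFT table (including the IEC 61511 proven-in-use credit), PFDavg of a single-channel device by the simplified IEC 61508-6 formula λDU × T[Proof] / 2 (the slides quote PFDavg results but not this formula; repair time is neglected), the PFDavg band, the 35 % sensor budget, and the weakest-part rule. The failure rates, part names and all function and class names are constructed for the example; they are not the IPAQ C520S FMEDA figures.

```python
# Added example: SIL classification of a SIF from FMEDA data. Failure rates are constructed.
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FmedaRates:
    """FMEDA failure rates of one device in FIT (failures per 1e9 h):
    safe detected, safe undetected, dangerous detected, dangerous undetected."""
    lambda_sd: float
    lambda_su: float
    lambda_dd: float
    lambda_du: float

    def sff(self) -> float:
        """Safe Failure Fraction: share of all failures that are not dangerous-undetected."""
        total = self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du
        return 1.0 - self.lambda_du / total

    def pfd_avg_1oo1(self, t_proof_hours: float) -> float:
        """Single-channel (1oo1, HFT = 0) PFDavg, simplified IEC 61508-6 formula
        lambda_DU * T_proof / 2; assumption: repair time is neglected."""
        return self.lambda_du * 1e-9 * t_proof_hours / 2.0


def sil_from_sff(sff: float, hft: int, proven_in_use: bool = False) -> Optional[int]:
    """Architectural route: the SFF/HFT table of slide 13 (type B device). proven_in_use
    applies the IEC 61511 credit shown as HFT 0(1). None = '-' (not allowed for any SIL)."""
    column = min(hft + (1 if proven_in_use else 0), 2)
    if sff < 0.60:
        row = (None, 1, 2)
    elif sff < 0.90:
        row = (1, 2, 3)
    elif sff <= 0.99:
        row = (2, 3, 4)
    else:
        row = (3, 4, 4)
    return row[column]


# Upper PFDavg bound of each SIL band (IEC 61508-1, low demand mode).
PFD_UPPER_BOUND = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def sil_from_pfd(pfd_avg: float) -> Optional[int]:
    """PFDavg route: highest SIL whose band holds the value; None if even SIL 1 is missed.
    Values below 1e-5 lie outside the standard's table and are credited as SIL 4 here."""
    for sil in (4, 3, 2, 1):
        if pfd_avg < PFD_UPPER_BOUND[sil]:
            return sil
    return None


def sensor_pfd_budget(target_sil: int, sensor_share: float = 0.35) -> float:
    """Slide 15 rule of thumb: the sensor may use 35 % of the SIF's PFDavg limit."""
    return sensor_share * PFD_UPPER_BOUND[target_sil]


@dataclass(frozen=True)
class SifPart:
    name: str
    rates: FmedaRates
    hft: int = 0
    proven_in_use: bool = False


def classify_sif(parts, target_sil: int, t_proof_hours: float = HOURS_PER_YEAR) -> dict:
    """Both routes of slide 16: weakest part by SFF/HFT, and SIL of the summed PFDavg.
    The SIF gets the lower of the two. parts[0] must be the sensor (budget check)."""
    if any(p.hft != 0 for p in parts):
        raise NotImplementedError("only the 1oo1 PFDavg formula is implemented here")
    sff_sils = {p.name: sil_from_sff(p.rates.sff(), p.hft, p.proven_in_use) for p in parts}
    pfds = {p.name: p.rates.pfd_avg_1oo1(t_proof_hours) for p in parts}
    pfd_sif = sum(pfds.values())
    sff_sil = None if None in sff_sils.values() else min(sff_sils.values())
    pfd_sil = sil_from_pfd(pfd_sif)
    sif_sil = None if sff_sil is None or pfd_sil is None else min(sff_sil, pfd_sil)
    return {
        "sff_sil_per_part": sff_sils, "pfd_per_part": pfds, "pfd_sif": pfd_sif,
        "sff_sil": sff_sil, "pfd_sil": pfd_sil, "sif_sil": sif_sil,
        "sensor_within_budget": pfds[parts[0].name] < sensor_pfd_budget(target_sil),
        "meets_target": sif_sil is not None and sif_sil >= target_sil,
    }


# Constructed FMEDA data; SFF values chosen to reproduce the 92.1 % / 99.2 % / 91 % of slide 16.
EXAMPLE_SIF = (
    SifPart("sensor", FmedaRates(500, 200, 221, 79)),           # SFF 92.1 %
    SifPart("logic solver", FmedaRates(1200, 300, 484, 16)),    # SFF 99.2 %
    SifPart("final element", FmedaRates(1500, 600, 630, 270)),  # SFF 91.0 %
)

if __name__ == "__main__":
    r = classify_sif(EXAMPLE_SIF, target_sil=2)
    for name, sil in r["sff_sil_per_part"].items():
        print(f"{name:14s} SFF route -> SIL {sil}, PFDavg = {r['pfd_per_part'][name]:.2e}")
    print(f"SIF PFDavg = {r['pfd_sif']:.2e} -> SIL {r['pfd_sil']}; weakest part -> SIL "
          f"{r['sff_sil']}; SIF = SIL {r['sif_sil']}; sensor in budget: {r['sensor_within_budget']}")
```

With the constructed rates the three parts come out SIL 2 / SIL 3 / SIL 2 by the SFF route, the summed PFDavg is about 1.6 × 10^-3 (the SIL 2 band) and the sensor's share is well under the 3.5 × 10^-3 budget, so the SIF is SIL 2, the same weakest-part outcome as slide 16. Setting `proven_in_use=True` on the final element lifts its SFF-route result to SIL 3, which shows that here the architectural constraint, not the PFDavg, is what caps the SIF; the check on `hft` is there because the 1oo1 formula must not be applied to a redundant part.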
SIL Classification

SIL classification of 3-wire RTD sensor with IPAQ C520S

Result of FMEDA:
HFT (Hardware Fault Tolerance) = 0
SFF (Safe Failure Fraction) = 92.1 %
PFDavg = 2.44 × 10^-4

SIL classification based on SFF (HFT = 0, SFF in the 90-99 % band): SIL 2

SFF        HFT 0    HFT 1    HFT 2
< 60 %     -        SIL1     SIL2
60-90 %    SIL1     SIL2     SIL3
90-99 %    SIL2     SIL3     SIL4
> 99 %     SIL3     SIL4     SIL4

SIL classification based on PFD: PFDavg < 3.5 × 10^-3 (35 % of the PFDavg for a SIL 2 classified SIF): SIL 2

Common requirements:
- CE Declaration of Conformity
- Safety Manual
- Product documentation
- FMEDA test

Declaration of conformity SIL 2 acc. to IEC 61508 / 61511
17
SIL Classification

Safety relevant characteristics of the transmitters IPAQ R520S & C520S

Temperature transmitters
- SIL 2 approved design acc. to IEC 61508
- Redundant input circuit with sensor backup
- Sensor drift detection
- Maximum long-term drift: 0.05 % of span within 5 years
- Shock resistant up to 10 g

(Product pictures not reproduced: IPAQ R520S, IPAQ C520S)
18
