Understanding the How, Why, and What of a Safety Integrity Level (SIL) Audio is provided via internet. Please enable your speaker (in all places) and mute your microphone.
Understanding the How, Why, and What of a Safety Integrity Level (SIL) Audio is provided via internet. Please enable your speaker (in all places) and mute your microphone. There is a Q&A tab on the side of your screen. Please use this mechanism to type any questions you may have at any time. Questions will be read and answered. A recording of this session and a copy of the slides will be posted on the exida website and made available for you.
Abstract The certification process is thorough and provides instant recognition of product reliability, safety, and security that many end users are requesting certifications for products they buy to reduce liability and risk. Manufacturers, if they haven t already, are staying ahead of the requests by certifying their products. During the certification process a manufacturer may have a requirement to certify their product to a certain Safety Integrity Level (SIL) rating. This webinar will cover: What happens in an exida certification? How to find a safety integrity level How is SIL used? What this means for the manufacturer? What is SIL Capability? How to calculate SIL How to reach a certain rating Is there a way to improve a SIL rating?
Loren Stewart, CFSP Loren Stewart graduated from Virginia Tech with a BSME. She has 8 years of professional experience originating in custom design and manufacturing. She currently works for exida consulting as a safety engineer, focusing on the mechanical aspects of their customers. Along with assessing the safety of products and certifications, she continually researches and published reports on stiction and is creating a database for the 2H initiative according to IEC 61508.
exida Worldwide Locations 5
exida Industry Focus Automation Automotive Process Industry Nuclear 6
Main Product / Service Categories Consulting Process Safety (IEC 61511, IEC 62061, ISO 26262) Alarm Management Control System Security (ISA S99) Engineering Tools exsilentia (PHAx, SIL Selection LOPAx SRS SIL Verification) Safety Case FMEDA SILAlarm SILStat Product Certification Functional Safety (IEC 61508) Control System Cyber- Security Network Robustness (Achilles) Training Process Safety Control System Security Onsite Offsite Security Development Alarm Management Reference Materials Databases Tutorials Textbooks Reference Books Market Studies Professional Certification CFSE CFSP Includes: -Automotive -CACE/CACS -Hardware -Machinery -Process -Software CyberPHAx Processes - Products - People 7
exida Certification exida has established schemes for functional safety and cybersecurity certification of Systems, Products, Components, and Personnel. Functional Safety Certification involves a detailed analysis of both the engineering process and design margins resulting in random failure rate in all failure modes. Cybersecurity Certification involves a detailed analysis of the engineering process, cyber defense mechanisms, and network robustness. 8
Reference Materials exida authored most industry references for automation safety and reliability exida authored industry data handbook on equipment failure data exida authored the most comprehensive book on functional safety in the market 9
exsilentia PHAx (HAZOP) LOPAx Engineering Tools Layer of Protection database built-in SIL Selection Risk Matrix or Risk Graph Tolerable Frequency Basis Safety Requirements Specification SIL Verification Instrumentation failure database built-in Variables include reality test coverage, service Proof Test Generator Life Cycle Cost Analysis SILAlarm (Alarm Rationalization) SILStat (Field Failure Data Collection and Analysis) Proof Test & Maintenance Activity scheduling Process demand recording Failure recording CyberPHAx (Cyber Risk Assessment) 10
Topics What happens in an exida certification? How to find a safety integrity level How is SIL used? What this means for the manufacturer? What is SIL Capability? How to calculate SIL How to reach a certain rating Is there a way to improve a SIL rating?
WHAT HAPPENS IN AN EXIDA CERTIFICATION? 12
Certification Process 1. Kickoff Meeting 2. Perform FMEDA Analysis on Product 3. Creation of the Proven-In-Use Analysis 4. Process Analysis 5. Onsite audit 6. Certification Audit
IEC 61508 Full Certification The end result of the certification process is a certificate listing the SIL level for which a product is qualified and the standards that were used for the certification. However, we must understand that some products are certified with restrictions. The restrictions essentially indicate when a product does not meet some requirements of IEC 61508. The restrictions are listed in the safety manual and must be followed if safe operation is required. 14
HOW TO FIND A SAFETY INTEGRITY LEVEL 15
The SIL level of a product is determined by three things: 1. The Systematic Capability Rating 2. The Architectural Constraints for the element 3. The PFDavg calculation for the product. 16
Compliance Requirements SIL Capability Compliance Architectural Constraints Probability of Failure February 19, 2016 17
THE SYSTEMATIC CAPABILITY 18
The Systematic Capability Systematic Capability is established by having your quality management system audited per IEC 61508. If the QMS meets the requirements of 61508 a SIL Capability rating is issued. The rating achieved depends on the effectiveness of your QMS. The certificate is for the systematic capability of a product. 19
THE ARCHITECTURAL CONSTRAINTS 20
The Architectural Constraints Architectural constraints are established by following Route 1H or Route 2H. Route 1H involves calculating the Safe Failure Fraction for the element. A valve is typically one component of the final element of a safety instrumented function (SIF). 21
Architectural Constraints from FMEDA Results Route 1 H - Safe Failure Fraction (SFF) according to 7.4.4.2 of IEC 61508. Safe Failures Safe + Dangerous Failures Route 2 H - Assessment of the reliability data for the entire element according to 7.4.4.3.3 of IEC 61508. 22
Route 1 H TYPE A Safe Failure Fraction Hardware Fault Tolerance 0 1 2 < 60% SIL1 SIL2 SIL3 60% < 90% SIL2 SIL3 SIL4 90% < 99% SIL3 SIL4 SIL4 > 99% SIL3 SIL4 SIL4 Hardware Fault Tolerance = 1 (61508) The quantity of failures that can be tolerated while maintaining the safety function. 23
Route 2 H Table Type A Low Demand Applications Hardware Fault Tolerance 0 1 2 SIL2 SIL3 SIL4 Type B elements using Route 2 H shall have a diagnostic coverage not less than 60%. 24
THE PFDAVG CALCULATION 25
The PFDavg calculation The PFDavg is based on the dangerous failure rate, system diagnostics, proof test coverage and test intervals. Typically, a final element assembly will have a PFDavg the only meets SIL 1. However, there are things that can be done with the diagnostics and proof test that would improve the PFDavg to SIL 2. 26
HOW IS SIL USED? 27
Safety Integrity Level Used FOUR ways: Safety Integrity Level SIL 4 SIL 3 SIL 2 SIL 1 1. To establish risk reduction requirements 2. Probabilistic limits for hardware random failure 3. Architectural constraints 4. To establish systematic capability 28
TO ESTABLISH RISK REDUCTION 29
Example of Risk Reduction PHA Determines that a specific hazard can occur every 10 years causing a major release of toxic fumes into the atmosphere. Determine the RRF for the hazard to occur once in 500 years. RRF = 500/10 = 50 30
Safety Integrity Level Safety Integrity Level Risk Reduction Factor SIL 4 SIL 3 SIL 2 SIL 1 100000 to 10000 10000 to 1000 1000 to 100 100 to 10 1. Each safety function has a requirement to reduce risk. SIL level - Order of magnitude level of risk reduction required 31
TO SET PROBABILISTIC LIMITS FOR HARDWARE RANDOM FAILURE 32
Safety Integrity Levels Random Failure Probability Safety Integrity Level Probability of failure on demand (Demand mode of operation) SIL 4 SIL 3 SIL 2 SIL 1 >=10-5 to <10-4 >=10-4 to <10-3 >=10-3 to <10-2 >=10-2 to <10-1 2. To set probabilistic limits for hardware random failure 33
Random Failure Probability Factors 1. Dangerous Undetected Failure Rate (FMEDA) 2. Proof Test Coverage 3. Proof Test Interval 4. Mission Time PFDavg = (PTC)*DU*TI/2 + (1-PTC)*DU*MT/2 Where PTC = Proof Test Coverage DU = Dangerous Undetected Failures TI = Proof Test Interval MT= Mission Time 34
Random vs. Systematic Faults Random Failures A failure occurring at a random time, which results from one or more of degradation mechanisms. Systematic Failures A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors.
Random vs. Systematic Faults Specification of requirements, design, implementation Well Designed System, the system is correct Random Failure The system is not correct Systematic Fault Improperly Designed System, the system is not correct The system has a failure
Stress Strength: Failures All failures occur when stress exceeds the associated level of strength. Stress is usually a combination of "stressors." Heat Humidity Shock Vibration Electrical Surge Electro-Static Discharge Radio Frequency Interference Mis-calibration Maintenance Errors Operational Errors
Stress - Strength: Failures 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 Stress Strength 0.1 0 Strength varies with time and with other stress. Stress also varies with time. However they can be represented by probability distributions.
Stress - Strength: Failures 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0 At some point in time, Strength decreases and the failure rate increases rapidly this causes wear-out.
Stress - Strength: Failures 0.025 0.02 Failure rate 0.015 0.01 0.005 0 1 101 201 301 401 501 601 Time Stress-strength explains how failure rates vary with time. 701 801 Weak units from a production population fail early. This portion of the curve is known as infant mortality. When weak units are eliminated from the population stress-strength indicates a steady but declining failure rate. When strength declines, the failure rate increases significantly.
Stress - Strength: Failures Failure rate 0.025 0.02 0.015 0.01 0.005 Area where IEC 61508 is applied Useful Life in listed in Safety Manuals End of Useful Life 0 1 101 201 301 401 501 601 701 801 Time Note: Constant Failure Rate during Useful Life
Terms Low Demand Mode Where the frequency of demands for operation made on a safetyrelated system is no greater than one per year and no greater than twice the proof test frequency; Part 4, 3.5.12 If the ratio of diagnostic test rate to demand rate exceeds 100, then the subsystem can be treated... As low demand mode..., Part 2, 7.4.3.2.5 Note 2..the diagnostic test interval will need to be considered directly in the reliability model if it is not at least an order of magnitude less than the expected demand rate, Part 2, 7.4.3.2.2, Note 3 exida definition: A dangerous condition (a demand) occurs infrequently and at least 2X less often than manual proof testing. [Therefore proof testing can be given credit for risk reduction.]
Safety Integrity Levels Low Demand Random Failure Probability Safety Integrity Level Probability of failure on demand (Demand mode of operation) SIL 4 SIL 3 SIL 2 SIL 1 >=10-5 to <10-4 >=10-4 to <10-3 >=10-3 to <10-2 >=10-2 to <10-1
Safety Integrity Levels High Demand Random Failure Probability Safety Integrity Level Probability of dangerous failure per hour (Continuous mode of operation) SIL 4 SIL 3 SIL 2 SIL 1 >=10-9 to <10-8 >=10-8 to <10-7 >=10-7 to <10-6 >=10-6 to <10-5 High Demand Mode Where the frequency of demands for operation made on a safety-related system is greater than twice the proof check frequency;
ARCHITECTURAL CONSTRAINTS 45
SFF Product Types TYPE A A subsystem can be regarded as type A if, for the components required to achieve the safety function a) the failure modes of all constituent components are well defined; and b) the behavior of the subsystem under fault conditions can be completely determined; and c) there is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met. TYPE B everything else! IEC 61508, Part 2, Section 7.4.3.1.2
IEC Safe Failure Fraction TYPE A Low Demand Applications Safe Failure Fraction Hardware Fault Tolerance 0 1 2 < 60% SIL1 SIL2 SIL3 60% < 90% SIL2 SIL3 SIL4 90% < 99% SIL3 SIL4 SIL4 > 99% SIL3 SIL4 SIL4 Hardware Fault Tolerance = 1 (61508) The quantity of failures that can be tolerated while maintaining the safety function.
Route 2 H Table Type A Low Demand Applications Hardware Fault Tolerance 0 1 2 SIL2 SIL3 SIL4 Type B elements using Route 2 H shall have a diagnostic coverage not less than 60%. 48
IEC Safe Failure Fraction TYPE B Safe Failure Fraction Hardware Fault Tolerance 0 1 2 < 60% Not Allowed SIL1 SIL2 60% < 90% SIL1 SIL2 SIL3 90% < 99% SIL2 SIL3 SIL4 > 99% SIL3 SIL4 SIL4 Hardware Fault Tolerance = 1 (61508) The quantity of failures that can be tolerated while maintaining the safety function.
TO ESTABLISH SYSTEMATIC CAPABILITY 50
Safety Integrity Level Safety Integrity Level SIL 4 SIL 3 SIL 2 SIL 1 3) To establish systematic capability The equipment used to implement any safety function must be designed using procedures intended to prevent systematic design errors. The rigor of the required procedure is a function of SIL level.
Safety Integrity Levels Safety Integrity Level Probability of failure on demand (Demand mode of operation) Risk Reduction Factor SIL 4 SIL 3 SIL 2 SIL 1 >=10-5 to <10-4 >=10-4 to <10-3 >=10-3 to <10-2 >=10-2 to <10-1 100000 to 10000 10000 to 1000 1000 to 100 100 to 10
Safety Integrity Levels Safety Integrity Level SIL 4 SIL 3 SIL 2 SIL 1 Probability of dangerous failure per hour (Continuous mode of operation) >=10-9 to <10-8 >=10-8 to <10-7 >=10-7 to <10-6 >=10-6 to <10-5
61508 Annexes: Tables All Numbered Measures Are Required (No Pick and Choose) All Sub-alphabetized Measures are substitutable and partly combinable Technical / Measure SIL2 SIL3 1 Fault detection and diagnosis R HR 2 Error detecting and correcting codes R R 3a Failure assertion programming R R 3b Safety bag techniques R R 3c Diverse programming R R R - Recommended (Not using the measure requires a Ra4onale) HR - Highly Recommended (MUST)
COMPLETE COMPLIANCE 55
IEC 61508 Full Certification 56
Compliance Requirements SIL Capability Compliance Architectural Constraints Probability of Failure February 19, 2016 57
EXAMPLE 58
exsilentia Example 59
exsilentia Example 60
HOW CAN I IMPROVE MY SIL? 61
How can I improve my SIL? SIL Capability Compliance Architectural Constraints Probability of Failure 1. Improve SIL Capability 2. Improve Architectural Constraints 3. Improve PFDavg 62
How can I improve my SIL? 1. Improve SIL Capability Improve effectiveness of internal quality management 2. Improve Architectural Constraints 1oo2 2oo3 Change your Hardware Fault Tolerance 3. Improve PFDavg Decrease Proof test interval Decrease Mission time Change the architecture Revise Proof test coverage 63
excellence in dependable automation Further questions? Email me: lstewart@exida.com February 19, 2016 64