Understanding the How, Why, and What of a Safety Integrity ......Training Process Safety Control System Security Onsite Oﬀsite Security Development Alarm Management Engineering Tools

Understanding the How, Why, and What of a Safety Integrity Level (SIL)

Copyright © exida.com LLC 2000-2016

Audio is provided via internet. Please enable your speaker (in all places) and

mute your microphone.

Understanding the How, Why, and What of a Safety Integrity Level (SIL)

•  Audio is provided via internet. Please enable your speaker (in all places) and mute your microphone.

•  There is a Q&A tab on the side of your screen. Please use this mechanism to type any questions you may have at any time. Questions will be read and answered.

•  A recording of this session and a copy of the slides will be posted on the exida website and made available for you.


Abstract The certification process is thorough and provides instant recognition of product

reliability, safety, and security that many end users are requesting certifications for

products they buy to reduce liability and risk. Manufacturers, if they haven’t already,

are staying ahead of the requests by certifying their products. During the certification

process a manufacturer may have a requirement to certify their product to a certain

Safety Integrity Level (SIL) rating. This webinar will cover: –  What happens in an exida certification? –  How to find a safety integrity level –  How is SIL used? –  What this means for the manufacturer? –  What is SIL Capability? –  How to calculate SIL –  How to reach a certain rating –  Is there a way to improve a SIL rating?


Loren Stewart, CFSP Loren Stewart graduated from Virginia Tech with a BSME. She has 8 years of professional experience originating in custom design and manufacturing. She currently works for exida consulting as a safety engineer, focusing on the mechanical aspects of their customers. Along with assessing the safety of products and certifications, she continually researches and published reports on stiction and is creating a database for the 2H initiative according to IEC 61508.


exida Worldwide Locations

Copyright © exida.com LLC 2000-2016 5

exida Industry Focus


Automotive Nuclear

Automation Process Industry

Main Product / Service Categories

Consulting Process Safety (IEC 61511, IEC

62061, ISO 26262) Alarm

Management

Control System

Security (ISA S99)

Product Certification Functional Safety (IEC

61508) Control

System Cyber- Security Network

Robustness (Achilles)

Training Process Safety

Control System Security Onsite Offsite

Security Development

Alarm Management

Engineering Tools

exSILentia (PHAx,

SIL Selection LOPAx

SRS SIL Verification) Safety Case

FMEDA SILAlarm SILStat

CyberPHAx

Reference Materials

Databases Tutorials

Textbooks Reference

Books Market Studies

Professional Certification

CFSE CFSP

Includes: -Automotive -CACE/CACS -Hardware -Machinery

-Process -Software


Processes - Products - People

•  exida has established schemes for functional safety and cybersecurity certification of Systems, Products, Components, and Personnel.

•  Functional Safety Certification involves a detailed analysis of both the engineering process and design margins resulting in random failure rate in all failure modes.

•  Cybersecurity Certification involves a detailed analysis of the engineering process, cyber defense mechanisms, and network robustness.

exida Certification


Reference Materials

•  exida authored most industry references for automation safety and reliability

•  exida authored industry data handbook on equipment failure data

•  exida authored the most comprehensive book on functional safety in the market


Engineering Tools


•  exSILentia® –  PHAx™ (HAZOP) –  LOPAx™

•  Layer of Protection database built-in –  SIL Selection

•  Risk Matrix or Risk Graph •  Tolerable Frequency Basis

–  Safety Requirements Specification –  SIL Verification

•  Instrumentation failure database built-in •  Variables include reality – test coverage, service

–  Proof Test Generator –  Life Cycle Cost Analysis

•  SILAlarm™ (Alarm Rationalization)

•  SILStat™ (Field Failure Data Collection and Analysis) –  Proof Test & Maintenance Activity scheduling –  Process demand recording –  Failure recording

•  CyberPHAx™ (Cyber Risk Assessment)

Topics

•  What happens in an exida certification?

•  How to find a safety integrity level

•  How is SIL used?

•  What this means for the manufacturer?

•  What is SIL Capability?

•  How to calculate SIL

•  How to reach a certain rating

•  Is there a way to improve a SIL rating?


WHAT HAPPENS IN AN EXIDA CERTIFICATION?

12 Copyright © exida.com LLC 2000-2016

1. Kickoff Meeting 2. Perform FMEDA Analysis on Product 3. Creation of the Proven-In-Use Analysis 4. Process Analysis 5. Onsite audit 6. Certification Audit

Certification Process


IEC 61508 Full Certification •  The end result of the

certification process is a certificate listing the SIL level for which a product is qualified and the standards that were used for the certification.

•  However, we must understand that some products are certified with “restrictions.”

•  The restrictions essentially indicate when a product does not meet some requirements of IEC 61508.

•  The restrictions are listed in the safety manual and must be followed if safe operation is required.


HOW TO FIND A SAFETY INTEGRITY LEVEL


16

1. The Systematic Capability Rating 2. The Architectural Constraints for the

element 3. The PFDavg calculation for the product.

The SIL level of a product is determined by three things:


Compliance Requirements

February 19, 2016 17

SIL Capability

Probability of Failure Architectural Constraints

Compliance


THE SYSTEMATIC CAPABILITY


19

Systematic Capability is established by having your quality management system audited per IEC 61508. If the QMS meets the requirements of 61508 a SIL Capability rating is issued. The rating achieved depends on the effectiveness of your QMS. The certificate is for the systematic capability of a product.

The Systematic Capability


THE ARCHITECTURAL CONSTRAINTS


21

Architectural constraints are established by following Route 1H or Route 2H. Route 1H involves calculating the Safe Failure Fraction for the element. A valve is typically one component of the final element of a safety instrumented function (SIF).

The Architectural Constraints


Architectural Constraints from FMEDA Results

22

Route 1H - Safe Failure Fraction (SFF) according to 7.4.4.2 of IEC 61508.

Safe Failures Safe + Dangerous Failures Route 2H - Assessment of the reliability data for the entire element according to 7.4.4.3.3 of IEC 61508.


Route 1H

23

TYPE A SafeFailureFraction

0 1 2<60% SIL1 SIL2 SIL3

60%<90% SIL2 SIL3 SIL490%<99% SIL3 SIL4 SIL4>99% SIL3 SIL4 SIL4

HardwareFaultTolerance

Hardware Fault Tolerance = 1 (61508) The quantity of failures that can be tolerated while maintaining the safety function.


Route 2H Table

24

Hardware Fault Tolerance

0 1 2

SIL2 SIL3 SIL4

Type A Low Demand Applications

Type B elements using Route 2H shall have a diagnostic coverage not less than 60%.


THE PFDAVG CALCULATION


26

The PFDavg is based on the dangerous failure rate, system diagnostics, proof test coverage and test intervals. Typically, a final element assembly will have a PFDavg the only meets SIL 1. However, there are things that can be done with the diagnostics and proof test that would improve the PFDavg to SIL 2.

The PFDavg calculation


HOW IS SIL USED?


Safety Integrity Level

28


SIL 4

SIL 3

SIL 2

SIL 1

Used FOUR ways:

1.  To establish risk reduction requirements

2.  Probabilistic limits for hardware random failure

3.  Architectural constraints

4.  To establish systematic capability


TO ESTABLISH RISK REDUCTION


Example of Risk Reduction

30

PHA Determines that a specific hazard can occur every 10 years causing a major release of toxic fumes into the atmosphere. Determine the RRF for the hazard to occur once in 500 years. RRF = 500/10 = 50



31


SIL 4

SIL 3

SIL 2

SIL 1

Risk Reduction Factor

100000 to 10000

10000 to 1000

1000 to 100

100 to 10

1. Each safety function has a requirement to reduce risk. SIL level - Order of magnitude level of risk reduction required


TO SET PROBABILISTIC LIMITS FOR HARDWARE RANDOM FAILURE


Safety Integrity Levels

33


SIL 4

SIL 3

SIL 2

SIL 1

Probability of failure on demand (Demand mode of operation)

>=10-5 to <10-4

>=10-4 to <10-3

>=10-3 to <10-2

>=10-2 to <10-1

Random Failure Probability

2.  To set probabilistic limits for hardware random failure Copyright © exida.com LLC 2000-2016

Random Failure Probability Factors

34

1. Dangerous Undetected Failure Rate (FMEDA) 2. Proof Test Coverage 3. Proof Test Interval 4. Mission Time

PFDavg = (PTC)*DU*TI/2 + (1-PTC)*DU*MT/2 Where PTC = Proof Test Coverage DU = Dangerous Undetected Failures TI = Proof Test Interval MT= Mission Time


Random vs. Systematic Faults

•  Random Failures –  A failure occurring at a random time, which results from one or more

of degradation mechanisms. •  Systematic Failures

–  A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors.


Random vs. Systematic Faults Specification of requirements,

design, implementation

Systematic Fault

Random Failure

The system has a failure

Well Designed System, the system is correct

The system is not correct

Improperly Designed System, the system is not correct


Stress – Strength: Failures

•  All failures occur when stress exceeds the associated level of strength.

Stress is usually a combination of "stressors."

Heat Humidity

Shock

Vibration Electrical Surge

Electro-Static Discharge Radio Frequency Interference

Mis-calibration

Maintenance Errors Operational Errors


0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Stress Strength

Strength varies with time and with other stress. Stress also varies with time. However they can be represented by probability distributions.

Stress - Strength: Failures


At some point in time, Strength decreases and the failure rate increases rapidly – this causes wear-out.

1

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9



0

0.005

0.01

0.015

0.02

0.025

1

101

201

301

401

501

601

701

801

Time

Failu

re ra

te

Stress-strength explains how failure rates vary with time.

Weak units from a production population fail early. This portion of the curve is known as “infant mortality.”

When weak units are eliminated from the population stress-strength indicates a steady but declining failure rate.

When strength declines, the failure rate increases significantly.



0

0.005

0.01

0.015

0.02

0.025

1

101

201

301

401

501

601

701

801

Time

Failu

re ra

teStress - Strength: Failures

Area where IEC 61508 is applied “Useful Life” in listed in Safety Manuals

End of “Useful Life”

Note: Constant Failure Rate during “Useful Life”


Terms

•  Low Demand Mode –  Where the frequency of demands for operation made on a safety-

related system is no greater than one per year and no greater than twice the proof test frequency; Part 4, 3.5.12

–  If the ratio of diagnostic test rate to demand rate exceeds 100, then the subsystem can be treated ... As low demand mode..., Part 2, 7.4.3.2.5 Note 2

–  ..the diagnostic test interval will need to be considered directly in the reliability model if it is not at least an order of magnitude less than the expected demand rate, Part 2, 7.4.3.2.2, Note 3

exida definition: A dangerous condition (a demand) occurs infrequently and at least 2X less often than manual proof testing. [Therefore proof testing can be given credit for risk reduction.]



SIL 4

SIL 3

SIL 2

SIL 1


>=10-5 to <10-4

>=10-4 to <10-3

>=10-3 to <10-2

>=10-2 to <10-1

Safety Integrity Levels – Low Demand

Random Failure Probability



SIL 4

SIL 3

SIL 2

SIL 1

Probability of dangerous failure per hour (Continuous mode of operation)

>=10-9 to <10-8

>=10-8 to <10-7

>=10-7 to <10-6

>=10-6 to <10-5

Safety Integrity Levels – High Demand Random Failure Probability

High Demand Mode Where the frequency of demands for operation made on a safety-related system is greater than twice the proof check frequency;


ARCHITECTURAL CONSTRAINTS


SFF Product Types

TYPE A – “A subsystem can be regarded as type A if, for the components required to achieve the safety function

•  a) the failure modes of all constituent components are well defined; and

•  b) the behavior of the subsystem under fault conditions can be completely determined; and

•  c) there is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met.”

TYPE B – everything else! IEC 61508, Part 2, Section 7.4.3.1.2


TYPE A Low Demand Applications

IEC Safe Failure Fraction

SafeFailureFraction

0 1 2<60% SIL1 SIL2 SIL3





Route 2H Table

48

Hardware Fault Tolerance

0 1 2

SIL2 SIL3 SIL4

Type A Low Demand Applications

Type B elements using Route 2H shall have a diagnostic coverage not less than 60%.


TYPE B

IEC Safe Failure Fraction

SafeFailureFraction

0 1 2<60% NotAllowed SIL1 SIL2





TO ESTABLISH SYSTEMATIC CAPABILITY



SIL 4

SIL 3

SIL 2

SIL 1


3) To establish systematic capability

The equipment used to implement any safety function must be designed using procedures intended to prevent systematic design errors. The rigor of the required procedure is a function of SIL level.



SIL 4

SIL 3

SIL 2

SIL 1


Risk Reduction Factor

>=10-5 to <10-4

>=10-4 to <10-3

>=10-3 to <10-2

>=10-2 to <10-1

100000 to 10000

10000 to 1000

1000 to 100

100 to 10




SIL 4

SIL 3

SIL 2

SIL 1

Probability of dangerous failure per hour (Continuous mode of operation)

>=10-9 to <10-8

>=10-8 to <10-7

>=10-7 to <10-6

>=10-6 to <10-5



61508 Annexes: Tables •  All Numbered Measures Are Required

(No Pick and Choose)

•  All Sub-alphabetized Measures are substitutable and partly combinable

Technical / Measure SIL2 SIL3

1 Fault detection and diagnosis R HR

2 Error detecting and correcting codes R R

3a Failure assertion programming R R3b Safety bag techniques R R3c Diverse programming R R

R-Recommended(NotusingthemeasurerequiresaRa4onale)HR-HighlyRecommended(MUST)


COMPLETE COMPLIANCE


IEC 61508 Full Certification


Compliance Requirements


SIL Capability


Compliance


EXAMPLE


59

exSILentia Example


60

exSILentia Example


HOW CAN I IMPROVE MY SIL?


How can I improve my SIL?

62

SIL Capability


Compliance

1.  Improve SIL Capability 2.  Improve Architectural Constraints 3.  Improve PFDavg


How can I improve my SIL?

1.  Improve SIL Capability •  Improve effectiveness of internal quality management

2.  Improve Architectural Constraints •  1oo2 •  2oo3 •  Change your Hardware Fault Tolerance

3.  Improve PFDavg •  Decrease Proof test interval •  Decrease Mission time •  Change the architecture •  Revise Proof test coverage


excellence in dependable automation


Further questions? Email me: [email protected]


Documents

Understanding the How, Why, and What of a Safety Integrity ......Training Process Safety Control System Security Onsite Oﬀsite Security Development Alarm Management Engineering Tools