IEC 61511 introduction

DESCRIPTION

A very brief introduction to IEC 61511.


Page 1: IEC 61511 introduction

Copyright exida Asia Pacific © 2013

Singapore +65 6222 5160
Shanghai +86 21 5171 7250
Hong Kong +852 2633 7727
Germany +49 89 4900 0547
USA +1 215 453 1720
Switzerland +41 22 364 14 34
Canada +1 403 475 1943
United Kingdom +44 2476 456 195
Netherlands +31 318 414 505
Australia / NZL +64 3 472 7707
Mexico +52 55 5611 9858
South Africa +27 31 267 1564

Exida Contacts

Functional Safety - IEC 61511 Introduction
New Plymouth, 11 April 2013

Koen Leekens
+65 977 9547

Page 2: IEC 61511 introduction

What is…?

Today’s Objective

Introduce the Concept and Basic Principles of IEC 61511

Page 3: IEC 61511 introduction

Safety is Only as Strong as its Weakest Link

exida

Page 4: IEC 61511 introduction

exida History

Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services

“Independent provider of Tools, Services and Training supporting Customers with Compliance and Certification to any Standards for Functional Safety, Cyber Security and Alarm Management”

Rainer Faller
• Former Head of TÜV Product Services
• Chairman German IEC 61508
• Global Intervener ISO 26262 / IEC 61508
• Author of several Safety Books
• Author of IEC 61508 parts

Dr. William Goble
• Former Director Moore Industries
• Developed FMEDA Technique (PhD)
• Author of several Safety Books
• Author of several Reliability Books

Page 5: IEC 61511 introduction

What we do

EXPERTISE
• Functional Safety
• Alarm Management
• Cyber Security
• Reliability

SCOPE
• Tools
• Training
• Consultancy
• Certification

INDUSTRIES
• Process
• Energy
• Machine
• Automotive

CUSTOMERS
• End Users
• Manufacturer
• Engineering
• Integrators

Page 6: IEC 61511 introduction

exida Tools – Process Industry

Page 7: IEC 61511 introduction

exida Services and Training – Process Industry

• Functional Safety Management Set-up
• Functional Safety Assessment
• PHA
• SIL Determination
• SRS Development
• SIL Verification
• Alarm Philosophy – Rationalization
• Cyber Security Assessments
• Training Programs

Page 8: IEC 61511 introduction

exida Industry Contributions

• Global Functional Safety Certification Consultant
• 3rd Party Accredited Certification Body
• Developer of the FMEDA Technique
• Mechanical Failure Database
• Electrical & Electronic Failure Database
• Instrument & Equipment Failure Database
• Development of the Field Failure Database Methodology
• Global Active Participation in IEC – ISO Workgroups
• Functional Safety Engineering Tools

Page 9: IEC 61511 introduction

exida Library

exida publishes analysis techniques for functional safety; exida authors ISA best-sellers for automation safety and reliability; exida authors the industry data handbook on equipment failure data.

www.exida.com

Page 10: IEC 61511 introduction

exida Customers (extract from 2000+)

Page 11: IEC 61511 introduction

What is…?

Functional Safety:

Page 12: IEC 61511 introduction

What do accidents teach us?

Buncefield 2005

Bhopal 1984 Flixborough 1974

Seveso 1976

Page 14: IEC 61511 introduction

Primary Cause of Failures?

• Specification
• Design and Implementation
• Installation and Commissioning
• Operation and Maintenance
• Changes after Commissioning

Source: UK Health and Safety Executive (HSE)

The majority of accidents are preventable if a systematic, risk-based approach is adopted.

More than 80% of failures are introduced before startup.

Page 15: IEC 61511 introduction

Which Standard?

IEC 61508 – Functional Safety for E/E/PES Safety Related Systems (the basic standard; used by Device Manufacturers, for whom no sector-specific standard is available)

Sector-specific standards for End Users and Systems Integrators:
• IEC 61511 – Process Industry
• IEC 61513 – Nuclear
• ISO 26262 – Road Vehicles
• IEC 62061 – Machinery

Page 16: IEC 61511 introduction

Relationship IEC 61508 – IEC 61511

• Manufacturers and Suppliers of Devices: IEC 61508
• Safety Instrumented System designers, Integrators and users: IEC 61511 (Process Sector Safety Instrumented System Standard)

Page 17: IEC 61511 introduction

IEC 61511 – Protection Against:
• Random Failures
• Systematic Failures

What are Random Failures? What are Systematic Failures?

Page 18: IEC 61511 introduction

What are…?

Random Failures: “Usually a permanent failure due to a system component loss of functionality – hardware related”

Page 19: IEC 61511 introduction

What are…?

Systematic Failures: “Usually due to a design fault, wrong specification, not fit for purpose, error in software program, ...”

Page 20: IEC 61511 introduction

Question?

Is Redundancy sufficient protection against SYSTEMATIC FAILURES?

Page 23: IEC 61511 introduction

PROBABILISTIC BASED DESIGN

Page 25: IEC 61511 introduction

IEC 61508 – Protect Against:
• Random Failures – HOW? Probabilistic, performance-based design
• Systematic Failures – HOW? Detailed engineering process

Page 26: IEC 61511 introduction

Key Aspects of IEC 61508/61511

• Safety Integrity Levels (SIL) – Reliable hardware with predictable failure rates to protect against Random Failures (physical)
• Safety Lifecycle – Safety management with controlled and systematic processes to protect against Systematic Failures (design)

Page 27: IEC 61511 introduction

The IEC 61511 Safety Lifecycle

Page 28: IEC 61511 introduction

The IEC 61511 Safety Lifecycle

• Management and Planning
• Analysis Phase
• Realization Phase
• Operate and Maintain

Page 29: IEC 61511 introduction

The IEC 61511 Safety Lifecycle

Management and Planning

Page 30: IEC 61511 introduction

Industry Competency Program

www.cfse.org

Page 31: IEC 61511 introduction

The IEC 61511 Safety Lifecycle

Analysis Phase

Page 32: IEC 61511 introduction

SRS Always Required?

Do I Need A SIS in My Plant?

Page 33: IEC 61511 introduction

IEC 61511/61508 are Risk Based

“Is it worth going for the Cheese?”

Page 34: IEC 61511 introduction

What is…?

Risk: Consequence × Likelihood.

The definition accounts for both the consequence and the likelihood portions of the risk.

Page 36: IEC 61511 introduction

Analyze Process Risk (Inherent Risk)

Risk analysis figure: risk scale from High to Low; the process risk is compared with the Tolerable Level of Risk, which is defined by the Customer per application.

Step: Define Tolerable Risk

Page 37: IEC 61511 introduction

What is…?

Tolerable Risk: The level of risk that society will accept
• Who is being exposed to risk? Individuals, Society, Environment
• What is the nature of the risk? Fatality / Injury, Permanent / Temporary Damage, Financial Loss

Drivers: Moral, Legal, Financial

Page 38: IEC 61511 introduction

What is…?

ALARP: As Low As Reasonably Practicable

Page 39: IEC 61511 introduction

Tolerable Risk Sample – Statistics UK

Activity                 Probability per person per year   FAR per 10^8 exposure hours
Travel
  Air                    2 x 10^-6
  Train                  3 x 10^-6                         3-5
  Bus                    2 x 10^-4                         4
  Car                    2 x 10^-4                         50-60
  Motorcycle             2 x 10^-2                         500-1000
Occupation
  Chemical industry      5 x 10^-5                         4
  Manufacturing                                            8
  Shipping               9 x 10^-4                         8
  Coal mining            2 x 10^-4                         10
  Agriculture                                              10
  Boxing                                                   20 000
Voluntary
  Rock climbing          1.4 x 10^-4                       4 000
  Smoking                5 x 10^-3

Page 40: IEC 61511 introduction

Analyze Process Risk (Inherent Risk)

Risk analysis figure: risk scale from High to Low; Tolerable Level of Risk defined by the Customer per application.

Step: Analyze Actual Risk

Page 41: IEC 61511 introduction

Calculated Process Risk (Inherent Risk)

Risk analysis figure: risk scale from High to Low; Tolerable Level of Risk defined by the Customer per application.

Step: Design Changes (reduce the calculated process risk)

Page 42: IEC 61511 introduction

Calculated Process Risk (Inherent Risk)

Risk analysis figure: risk scale from High to Low; Tolerable Level of Risk defined by the Customer per application; Design Changes already applied.

Step: Analyze other Layers of Protection (Other Risk Reduction)

Page 43: IEC 61511 introduction

Calculated Process Risk (Inherent Risk)

Risk analysis figure: risk scale from High to Low; Tolerable Level of Risk defined by the Customer per application; Design Changes and Other Risk Reduction applied.

Step: Bring Risk below Tolerable

Page 44: IEC 61511 introduction

Calculated Process Risk (Inherent Risk)

Risk analysis figure: risk scale from High to Low; Tolerable Level of Risk defined by the Customer per application. After Design Changes and Other Risk Reduction, the remaining gap down to the tolerable level is what the SIF has to close.

SIL is the measure for that Risk Reduction.

Page 45: IEC 61511 introduction

Risk Reduction Factor (RRF) and SIL

Figure: risk scale from High Risk to Low Risk; the RRF is the factor by which the SIF brings the risk down.

1/RRF = PFD, i.e. RRF = 1/PFDavg
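The risk reduction chain on the preceding slides (inherent risk, tolerable risk, credit for other layers, RRF for the SIF, PFD = 1/RRF, SIL) carried through as an added worked example in Python. This is editor-added code, not exida's and not from the slides; the tolerable-frequency table, the scenario frequency and the layer PFDs are constructed assumptions, and the SIL band limits are those of IEC 61511-1 Table 4 for low demand mode.

```python
# Added worked example (not exida's code): from the risk picture on the slides to a SIL
# target. Frequencies are events per year. The tolerable-frequency table is a constructed,
# company-style example: IEC 61511 leaves the tolerable level of risk to the user
# ("defined by Customer per application"). Other protection layers are credited with
# their own PFD, LOPA-style.

# IEC 61511-1 Table 4 (low demand mode): (SIL, PFDavg lower bound, PFDavg upper bound).
# RRF = 1 / PFDavg, so SIL 1 spans RRF 10..100, SIL 2 spans 100..1000, and so on.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))

# Constructed tolerable frequency per consequence category. Risk = Consequence x Likelihood:
# the worse the consequence, the lower the frequency the site accepts.
TOLERABLE_FREQ_PER_YEAR = {
    "minor injury": 1e-2,
    "serious injury": 1e-3,
    "single fatality": 1e-5,
    "multiple fatalities": 1e-6,
}


def sil_from_pfd(pfd_avg):
    """SIL band containing pfd_avg; 0 when pfd_avg >= 0.1 (no SIL credit);
    None when pfd_avg lies below the SIL 4 band."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 0 if pfd_avg >= 0.1 else None


def required_rrf(unmitigated_freq, tolerable_freq, other_layer_pfds=()):
    """Risk reduction the SIF must still provide after the other, independent layers of
    protection have been credited: f_unmitigated * prod(PFD_i) / f_tolerable."""
    if unmitigated_freq <= 0 or tolerable_freq <= 0:
        raise ValueError("frequencies must be positive")
    mitigated = unmitigated_freq
    for pfd in other_layer_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("a layer's PFD must lie in (0, 1]")
        mitigated *= pfd
    return mitigated / tolerable_freq


def sil_target(unmitigated_freq, consequence, other_layer_pfds=()):
    """Return the RRF the SIF must deliver, the matching PFD target (1/RRF) and the SIL."""
    rrf = required_rrf(unmitigated_freq, TOLERABLE_FREQ_PER_YEAR[consequence], other_layer_pfds)
    if rrf <= 1.0:
        return {"rrf": rrf, "pfd_target": None, "sil": 0, "verdict": "already tolerable: no SIF required"}
    pfd_target = 1.0 / rrf            # 1/RRF = PFD
    sil = sil_from_pfd(pfd_target)
    if sil is None:
        verdict = "beyond SIL 4: reduce the inherent risk by design or add independent layers"
    elif sil == 0:
        verdict = "RRF below 10: under the SIL 1 band, a non-SIS layer may suffice"
    else:
        verdict = f"SIL {sil}"
    return {"rrf": rrf, "pfd_target": pfd_target, "sil": sil, "verdict": verdict}


# Constructed scenario: a PHA finds a pressure excursion that, unmitigated, leads to a
# single fatality about once in two years. Credited layers: BPCS alarm with operator
# response (PFD 0.1) and a relief valve (PFD 0.01).
SCENARIO = {"unmitigated_freq": 0.5, "consequence": "single fatality"}
LAYERS_ALL = (0.1, 0.01)
LAYERS_NO_PSV = (0.1,)   # relief valve not creditable, e.g. it shares the plugging cause with the initiating event

if __name__ == "__main__":
    for layers in (LAYERS_ALL, LAYERS_NO_PSV):
        print(layers, sil_target(SCENARIO["unmitigated_freq"], SCENARIO["consequence"], layers))
```

With both layers credited the SIF only needs RRF 50 (PFD 0.02, SIL 1); drop the relief valve credit and the same scenario needs RRF 5000 (PFD 2 x 10^-4, SIL 3). The independence of the layers you credit, not the SIF hardware, is what moves the target by two SILs.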

Page 48: IEC 61511 introduction

Safety Requirements Specification

• Target SIL
• Functional Description of Each SIF
• Response Time
• Bypass Requirement
• ...

(IEC 61511-1 clause 10)

Page 49: IEC 61511 introduction

The IEC 61511 Safety Lifecycle

Realization Phase

Page 50: IEC 61511 introduction

SIF Design

The SIL achieved is the minimum of:
1. SIL_PFD: Probability of Failure on Demand, average (PFDavg) for low demand or per hour (PFH) for high demand / continuous mode
2. SIL_AC: Architectural Constraints – Hardware Fault Tolerance (with Safe Failure Fraction)
3. SIL_CAP: Systematic Capability – capability to prevent Systematic Failures

Page 51: IEC 61511 introduction

Probability of Failure on Demand


PFD_SIF = PFD_sensor + PFD_mux + PFD_input + PFD_mp + PFD_output + PFD_relay + PFD_fe + PFD_process-connection

(mux: multiplexer; mp: main processor; fe: final element)

Page 52: IEC 61511 introduction

IEC 61508-6 Method: divide each failure rate into specific failure modes

• Safe: λS = λSD (Safe Detected) + λSU (Safe Undetected)
• Dangerous: λD = λDD (Dangerous Detected) + λDU (Dangerous Undetected)

(figure: example split of 60% / 40%)

Page 53: IEC 61511 introduction

What is…?

Fail Danger: A failure that prevents the safety function from performing.

Fail Safe: Anything that is not Fail Danger.

NOTE: Definitions refer to single channel architectures.

Page 54: IEC 61511 introduction

SIF Design


Page 55: IEC 61511 introduction

What is…?

Hardware Fault Tolerance: The number of failures that can be tolerated while the safety function is still maintained

Architecture   Hardware Fault Tolerance
1oo1           0
1oo1D          0
1oo2           1
2oo2           0
2oo3           1
2oo2D          0
1oo2D          1
1oo3           2

Page 57: IEC 61511 introduction

What is…?

Safe Failure Fraction: The fraction of a device's total failure rate that is either safe or dangerous but detected by automatic self-diagnostics; equivalently, one minus the share of dangerous failures that the diagnostics do NOT detect.

NOTE: Definitions refer to single channel architectures.

Page 58: IEC 61511 introduction

IEC 61508 Safe Failure Fraction

SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU) = 1 − λDU / λTotal

Page 59: IEC 61511 introduction

Example FMEDA 3051S SILac

Page 60: IEC 61511 introduction

Example 3051S


Page 61: IEC 61511 introduction

SIF Design


Page 62: IEC 61511 introduction

Certified versus Proven in Use

• Certified: certificate by an Independent Assessor
• Proven in Use: justification by the User

Page 63: IEC 61511 introduction

Product Certification

Functional safety certification for devices is accomplished per IEC 61508. Products are certified to a Safety Integrity Level (SIL). The result is typically a certificate and a certification report.

SIL Certification: the vendor has shown sufficient protection against Random and Systematic Failures.

Page 65: IEC 61511 introduction

Example

The SIL achieved is the minimum of:
1. SIL_PFD: SIL 2
2. SIL_AC: SIL 1
3. SIL_CAP: SIL 3

The SIL for this Safety Instrumented Function (SIF) is: SIL 1

Page 67: IEC 61511 introduction

The IEC 61511 Safety Lifecycle

Operate and Maintain

Page 68: IEC 61511 introduction

What is…?

Proof Testing: A manually initiated test designed to detect failures of any part of a safety instrumented function (SIF). Different proof test procedures can have different levels of effectiveness.

No practical proof test will detect all failures.
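The three-way check from the SIF Design slides (SIL achieved = minimum of SIL_PFD, SIL_AC and SIL_CAP, with the subsystem PFDs summed and the SFF and hardware fault tolerance driving the architectural constraint) together with this slide's point about imperfect proof testing, as one added worked example in Python. This is editor-added code, not exida's and not from the slides; the device failure rates, test interval, proof-test coverage and certificate values are constructed, the HFT table is the one on the slides, and the architectural-constraint table is IEC 61508-2:2010 Route 1H (Tables 2 and 3).

```python
# Added worked example (not exida's code): SIL achieved = min(SIL_PFD, SIL_AC, SIL_CAP),
# including the proof-test coverage effect from the Proof Testing slide. Failure rates are
# in FIT (1e-9 per hour), times in hours. All device numbers are constructed, not taken
# from any real FMEDA report.

HOURS_PER_YEAR = 8760.0

# Hardware fault tolerance per architecture, as tabulated on the slides.
HFT = {"1oo1": 0, "1oo1D": 0, "1oo2": 1, "2oo2": 0, "2oo3": 1,
       "2oo2D": 0, "1oo2D": 1, "1oo3": 2}

# IEC 61508-2:2010 Route 1H architectural constraints: highest SIL allowed for a subsystem
# by (SFF band upper limit, SIL for HFT 0/1/2). Bands: <60%, 60-<90%, 90-<99%, >=99%.
# 0 means "not allowed".
ARCH_TYPE_A = ((0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (2.0, (3, 4, 4)))
ARCH_TYPE_B = ((0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (2.0, (3, 4, 4)))

# IEC 61511-1 Table 4, low demand: (SIL, PFDavg lower bound, upper bound).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF = (λSD + λSU + λDD) / λtotal = 1 - λDU / λtotal."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return 1.0 - lam_du / total


def sil_ac(sff, hft, device_type):
    """Architectural-constraint SIL for one subsystem. Type A: simple, fully understood
    devices such as valves; Type B: complex devices such as transmitters and logic solvers."""
    table = ARCH_TYPE_A if device_type == "A" else ARCH_TYPE_B
    for band_upper, sils in table:
        if sff < band_upper:
            return sils[min(hft, 2)]


def pfd_avg_1oo1(lam_du_fit, test_interval_h, coverage=1.0, mission_time_h=20 * HOURS_PER_YEAR):
    """Simplified IEC 61508-6 single-channel expression PFDavg ≈ λDU·TI/2, split by proof-test
    coverage: the fraction the proof test finds is renewed every TI, the rest stays latent
    until the end of the mission time (no practical proof test detects all failures)."""
    lam = lam_du_fit * 1e-9
    return coverage * lam * test_interval_h / 2 + (1.0 - coverage) * lam * mission_time_h / 2


def sil_from_pfd(pfd_avg):
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 0 if pfd_avg >= 0.1 else 4   # below the SIL 4 band: cap at SIL 4


def sif_sil(subsystems, sil_cap):
    """Sum the subsystem PFDs (sensor + logic solver + final element), take the worst
    architectural constraint, and return min(SIL_PFD, SIL_AC, SIL_CAP) with the details."""
    total_pfd, worst_ac = 0.0, 4
    for s in subsystems:
        if "pfd" in s:           # logic solver: PFD and SFF taken from its certificate
            pfd, sff = s["pfd"], s["sff"]
        else:                    # field device: from FMEDA rates and the test plan
            pfd = pfd_avg_1oo1(s["lam_du"], s["ti_h"], s.get("coverage", 1.0))
            sff = safe_failure_fraction(s["lam_sd"], s["lam_su"], s["lam_dd"], s["lam_du"])
        total_pfd += pfd
        worst_ac = min(worst_ac, sil_ac(sff, HFT[s["arch"]], s["type"]))
    sil_pfd = sil_from_pfd(total_pfd)
    achieved = min(sil_pfd, worst_ac, sil_cap)
    return achieved, {"pfd_avg": total_pfd, "sil_pfd": sil_pfd, "sil_ac": worst_ac, "sil_cap": sil_cap}


# Constructed SIF: 1oo1 pressure transmitter (Type B), 1oo2D safety PLC, 1oo1 shutdown valve (Type A).
EXAMPLE_SIF = [
    {"name": "pressure transmitter", "arch": "1oo1", "type": "B",
     "lam_sd": 0, "lam_su": 300, "lam_dd": 400, "lam_du": 60, "ti_h": HOURS_PER_YEAR, "coverage": 0.9},
    {"name": "safety PLC", "arch": "1oo2D", "type": "B", "sff": 0.995, "pfd": 1e-5},
    {"name": "shutdown valve", "arch": "1oo1", "type": "A",
     "lam_sd": 0, "lam_su": 500, "lam_dd": 0, "lam_du": 500, "ti_h": HOURS_PER_YEAR},
]

if __name__ == "__main__":
    print(sif_sil(EXAMPLE_SIF, sil_cap=3))
```

Run as a script it reports SIL 1 with SIL_PFD 2, SIL_AC 1 and SIL_CAP 3, the same outcome as the example on the SIF Design slides. The valve is the weakest link: a Type A device with SFF 50% and no fault tolerance is capped at SIL 1 by the architectural constraints, and a second valve in 1oo2 (HFT 1) would lift that cap to SIL 2. The transmitter shows the proof-test point: the 10% of its dangerous undetected failures that the annual test cannot find contribute more PFDavg over a 20-year mission than the 90% it does find.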

Page 71: IEC 61511 introduction

“Disabled” Safety is not SAFE!

The Repository of Industrial Security Incidents – www.securityincidents.org

Anti-Virus Software Prevents Safety Shutdown

Date: May 2001

Company: Confidential

Location: Confidential

Industry: Petroleum

Incident Type: Accidental – Inappropriate Control

Impact: Confidential

© 2009 Security Incidents Organization

Description:A TÜV approved boiler safety protection system used Microsoft Excel on a PC workstation for programming. This workstation also had Norton anti-virus software running. The anti-virus software prevented the proper communications between the PC and the protection system. A safety shutdown that should have occurred did not.

Explosion of “Certified” Boiler: Anti-Virus Software Prevents Safety Shutdown
Source: www.securityincidents.org

Advanced technology introduces new threats: a safety function whose operation depends on a general-purpose PC inherits that PC's software failure modes, which are systematic failures that no amount of hardware redundancy removes.

Page 72: IEC 61511 introduction

exida Functional Integrity Certification™

Functional Integrity Certification™ = Functional Safety Certification™ + Functional Security Certification™

“Integrity is doing the right thing, even if nobody is watching.”

(Anonymous)

Page 74: IEC 61511 introduction

Thank You