
Gaswarn Dr. Wenker
Functional Safety SIL Sensitron 23.10.2007 page 1 of 9




Functional Safety

Safety Integrity Levels SIL

SIL-Capability


Dr. Dieter Wenker

Gaswarn Dr. Wenker
Schulstr. 32
D-44289 Dortmund
Tel.: xx49/2304/45655
e-mail: wenker@gaswarn-dr-wenker.de
Internet: www.gaswarn-dr-wenker.de



What are we talking about ?

SIL = Safety Integrity Level
SIL describes the different levels of "Functional Safety" of a safety device.
The values are defined from SIL-1 (lowest) up to SIL-4 (highest).
This does not imply that SIL-1 is generally a (too) low level of safety.
ATEX as example: a typical gas detection device (system) with ATEX certificate, including the
functional approval according to IEC 61779 and with regular maintenance, is equivalent to SIL-1.

Functional Safety
Functional Safety describes the behaviour of a safety device, that means hardware and
software, in the case of an internal failure occurring.
The target is "reaching a safe state", that means internal faults in the safety device shall
be detected by the device itself and shall be indicated and signalled.
The only requirement of the standards is safety, not availability !


Safety and Availability - Fault Tolerance

A safety device which shuts down the monitored production line, or better the whole plant, at
the smallest probability of a potential failure is safe and will comply with the standards,
reaching a high SIL. But will the customer be happy with it ?

The standards require safety, the customer requests availability as main target.
Safety and availability must not be a contradiction ! But the solution by systems with fault
tolerance is typically related to a higher SIL (e.g. SIL-3).
Fault tolerance means the safety device is still in operation and in measuring mode although
an internal fault occurred and was detected, possibly with reduced functionality.
The SIL standard in gas detection (EN 50402) explicitly permits an "emergency mode" (for a
specified period of time) for redundant systems. After detection of an internal fault the system
is no longer redundant but still fully operational. This allows time to repair the safety
device without the need to shut down the monitored production line.



Typical Examples for SIL-Levels

SIL-1: A typical gas detection device (system) with ATEX certificate, including the functional
approval according to IEC 61779 and with regular maintenance, is equivalent to SIL-1.
SIL-2: The step from SIL-1 to SIL-2 will typically be reached by self-testing facilities for hardware
components. Also reduced maintenance intervals for the sensors may be required.
For software it means a tremendous amount of documentation and requirements to comply
with during development.
SIL-3: The main requirement is: one failure shall not cause an unsafe state (fail-safe system).
The step from SIL-2 to SIL-3 will typically be reached by redundancy. For detectors
and microprocessors this is the only choice. If nearly all possible failures are
detected, a single unit is able to reach SIL-3 (e.g. bus connections).
For software the amount of documentation and requirements to comply with during
development will increase, but not as dramatically as from SIL-1 to SIL-2.
SIL-4: Requires redundancy (sometimes triple redundancy) and extensive self-testing and
comparison between the redundant lines. Software is typically diverse.
SIL-4 will never be required in gas detection.


Different Classes of Faults

The difference between the four types of faults
safe detected ; safe undetected ; dangerous detected and dangerous undetected
is important for the development to establish the "safe failure fraction", but not for this lecture.
Important is to distinguish between random faults and systematic faults.
Random faults may occur occasionally at any time, e.g. an electronic circuit fails
suddenly, without warning.
Systematic faults occur under specific conditions and will occur reproducibly if the same
conditions apply again, e.g. a sensor will be poisoned by silicones.

Redundancy will dramatically reduce the probability of random faults but will not reduce the
probability of systematic faults.
Hardware has random faults and systematic faults - software has only systematic faults.
This has strong consequences for the design of redundant systems !


SIL-Capability of modules

A module may be simple or complex depending on function and hardware.
Modules with processor are always complex ; examples for simple: relays or sensor element.

SIL-capability is the combination of HFT and SFF (see tables for SIL-capability).

In general there are four different classes of faults, each with its failure rate $\lambda$:

$\lambda_{SD}$   safe detected faults
$\lambda_{SU}$   safe undetected faults
$\lambda_{DD}$   dangerous detected faults
$\lambda_{DU}$   dangerous undetected faults

SFF is the share of the safe faults and the dangerous detected faults in the total
failure rate $\lambda_{ges}$; only the dangerous undetected faults reduce it:

$\lambda_{ges} = \lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}$

$SFF = (\lambda_{SD} + \lambda_{SU} + \lambda_{DD}) \cdot 100\,\% / \lambda_{ges}$

Determination of failure rates by existing statistical data (proven in use) or by
failure analysis, e.g. by FMEDA (Failure Mode, Effects, and Diagnostic Analysis).



SIL-Capability of modules

For each unit (module) the SIL-capability has to be determined according to the standard as
combination of SFF (safe failure fraction) and HFT (hardware fault tolerance).

SFF is the percentage of safe failures plus dangerous detected failures in relation to the sum
of all failures; a high SFF therefore means a small share of dangerous undetected failures.

HFT is the stage of redundancy (HFT=0 is a single line ; HFT=1 is redundancy).


Combination of modules

If different modules are combined, e.g. detector + control unit or two detectors in redundancy,
the SIL-capability will be determined for the combination of modules again.

For this combination hardware and software are evaluated in a different way.



SIL-Capability of a Safety Function

The combination of modules from gas inlet to the system to the output function (e.g. relays) is
the safety function of a gas detection system. Different options in the combinations of modules
will lead to different safety functions.

Modules one after the other in a chain: the weakest module specifies the SIL-capability.
Parallel modules (redundancy): the SIL-capability may be increased by one.

Two identical modules with SIL-capability 2 used in redundancy will reach SIL-capability 3
only if the software of this module already fulfils SIL-capability 3.

   SIL-2 in combination                 SIL-3 in combination
   ---------------------------------    ---------------------------------
   Hardware SIL-2   Software SIL-2      Hardware SIL-2   Software SIL-3
   Hardware SIL-2   Software SIL-2      Hardware SIL-2   Software SIL-3
   (two identical modules in            (two identical modules in
    redundancy)                          redundancy)
   ---------------------------------    ---------------------------------
   Hardware SIL-3   Software SIL-2      Hardware SIL-3   Software SIL-3
   = SIL-2 in combination               = SIL-3 in combination


Logical consequences for a new System

To increase the availability, redundancy should be implemented in data processing
independent from SIL: double processor system.
If the two processors detect deviations between them or one processor is faulty, the
system will indicate "emergency mode" but is still fully operational.
Typical applications expected are SIL-capabilities equivalent to SIL-1 and SIL-2.
The software is developed according to SIL-3.
With redundant detectors and redundant relays the system will comply with SIL-3.

It may be neither a random nor a systematic fault that the items above
describe the Galileo Multisystem.
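The double-processor behaviour described above, as an added example written for this page and not taken from the Galileo Multisystem or any other product: each of the two channels delivers a reading and a self-test verdict per cycle. While both channels are healthy and agree, the system runs normally; a deviation between them or the loss of one channel degrades it to the emergency mode of EN 50402, in which the measurement and the alarm evaluation continue on the readings still trusted; loss of both channels, or expiry of the permitted emergency period, forces the safe state. The 72 h repair window, the 2 % LEL tolerance, the 20 % LEL alarm threshold and the sample cycles are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Mode(Enum):
    NORMAL = "normal"            # both channels healthy and in agreement
    EMERGENCY = "emergency"      # EN 50402 emergency mode: no longer redundant, still measuring
    SAFE_STATE = "safe state"    # no trustworthy measurement left, or time to repair expired


@dataclass(frozen=True)
class Channel:
    """One processor's result for a cycle: its gas reading and its self-test verdict."""
    value: float          # reading in % LEL (constructed values below)
    self_test_ok: bool


@dataclass
class DualProcessorSystem:
    alarm_threshold: float      # % LEL at which the output is driven to its safe position
    tolerance: float            # largest accepted deviation between the two channels, % LEL
    emergency_limit_h: float    # assumed repair window; EN 50402 leaves the period to be specified
    emergency_since_h: Optional[float] = None   # start of the current emergency mode

    def evaluate(self, a: Channel, b: Channel, now_h: float) -> Tuple[Mode, bool]:
        """One evaluation cycle. Returns (mode, safe_output): safe_output is True when the
        output relay must be driven to its de-energised, i.e. safe, position."""
        healthy = [c for c in (a, b) if c.self_test_ok]
        if not healthy:
            # Fail-safe: with no trusted channel the device can only signal a fault and go safe.
            return Mode.SAFE_STATE, True

        degraded = len(healthy) < 2 or abs(a.value - b.value) > self.tolerance
        if not degraded:
            self.emergency_since_h = None     # redundancy restored, e.g. after repair
            mode = Mode.NORMAL
        else:
            if self.emergency_since_h is None:
                self.emergency_since_h = now_h
            if now_h - self.emergency_since_h > self.emergency_limit_h:
                # Time to repair has run out: availability yields to safety.
                return Mode.SAFE_STATE, True
            mode = Mode.EMERGENCY             # indicated to the operator, measurement continues

        # Alarm decision on the highest reading still trusted: with disagreeing channels
        # the higher value is the conservative (safe) choice.
        alarm = max(c.value for c in healthy) >= self.alarm_threshold
        return mode, alarm


def run_cycles(system: DualProcessorSystem, cycles) -> List[Tuple[Mode, bool]]:
    """Feed (time in h, channel A, channel B) samples through the system in order."""
    return [system.evaluate(a, b, t) for t, a, b in cycles]


# Constructed sample cycles, not recorded data: normal operation, a channel deviation,
# a channel self-test failure that outlasts the repair window, and a double failure.
SAMPLE_CYCLES = [
    (0.0,  Channel(10.0, True),  Channel(10.5, True)),
    (1.0,  Channel(30.0, True),  Channel(10.0, True)),
    (2.0,  Channel(10.0, True),  Channel(0.0, False)),
    (80.0, Channel(10.0, True),  Channel(0.0, False)),
    (81.0, Channel(10.0, False), Channel(10.0, False)),
]

if __name__ == "__main__":
    system = DualProcessorSystem(alarm_threshold=20.0, tolerance=2.0, emergency_limit_h=72.0)
    for (t, _, _), (mode, safe_output) in zip(SAMPLE_CYCLES, run_cycles(system, SAMPLE_CYCLES)):
        print(f"t={t:5.1f} h  {mode.value:10s}  output in safe position: {safe_output}")
```

The point of the state machine is the one the slides make about availability: a single internal fault does not stop the measurement, it only removes the redundancy and is signalled, while the two conditions under which the device must stop trusting itself (no healthy channel, or the repair window exceeded) lead to the safe state unconditionally.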
