Functional Safety - IEC 61511 Introduction

New Plymouth, 11 April 2013

Koen Leekens
+65 977 9547

Exida Contacts
Singapore +65 6222 5160 Canada +1 403 475 1943
Shanghai +86 21 5171 7250 United Kingdom +44 2476 456 195
Hong Kong +852 2633 7727 Netherlands +31 318 414 505
Germany +49 89 4900 0547 Australia / NZL +64 3 472 7707
USA +1 215 453 1720 Mexico +52 55 5611 9858
Switzerland +41 22 364 14 34 South Africa +27 31 267 1564

Copyright exida Asia Pacific © 2013

What is…?

Today’s Objective

Introduce the Concept and Basic Principles of IEC 61511

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Safety is Only as Strong as its Weakest Link

exida
Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com
exida History

Founded in 1999 by experts from Manufacturers, End Users,

Engineering Companies and TÜV Product Services

“Independent provider of Tools, Services and Training

supporting Customers with Compliance and Certification to
any Standards for Functional Safety, Cyber Security and Alarm
Management”

Rainer Faller Dr. William Goble

Former Head of TÜV Product Services
Chairman German IEC 61508
Global Intervener ISO 26262 / IEC 61508
Author of several Safety Books
Author of IEC 61508 parts
Former Director Moore Industries
Developed FMEDA Technique (PhD)
Author of several Safety Books
Author of several Reliability Books

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

What we do

EXPERTISE SCOPE INDUSTRIES CUSTOMERS

Functional Tools Process End Users

Safety

Alarm Training Energy Manufacturer

Management

Cyber Consultancy Machine Engineering

Security

Reliability Certification Automotive Integrators

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

exida Tools – Process Industry

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

exida Services and Training – Process Industry

Functional Safety Management Set-up

Functional Safety Assessment
PHA
SIL Determination
SRS Development
SIL Verification
Alarm Philosophy – Rationalization
Cyber Security Assessments
Training Programs

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

exida Industry Contributions

Global Functional Safety Certification Consultant

3rd Party Accredited Certification Body
Developer FMEDA Technique
Mechanical Failure Database
Electrical & Electronic Failure Database
Instrument & Equipment Failure Database
Development Field Failure Database Methodology
Global Active Participation in IEC – ISO Workgroups
Functional Safety Engineering Tools

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

exida Library

exida publishes analysis

techniques for functional
safety
exida authors ISA
best- sellers for automation
safety and reliability
exida authors
industry data
handbook on
equipment failure
data

www.exida.com

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

exida Customers (extract from 2000+)

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

What is…?

Functional Safety:

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

What do accidents teach us?

Seveso 1976 Buncefield 2005

Bhopal 1984 Flixborough 1974

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com
Primary Cause of Failures?

Installation and
Commission
Design and
Implementation
Specification
Operation and
Maintenance

Changes after
Commission

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Primary Cause of Failures?

Installation and
Commission
Design and
Implementation

Specification
Operation and
Maintenance

More than Changes after

80% of Failures Commission
Source Health, Safety & Environmental Agency
Before Startup

The majority of accidents are:

… Preventable if a systematic
Risk-Based Approach is adopted…

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Which Standard?

Device Manufacturers - Sector Specific Not Available

IEC 61508
Functional Safety for E/E/PES Safety Related Systems

IEC 61513 IEC 62061 IEC 61511 ISO 26262

Nuclear Machinery Process Industry Road Vehicles

End Users - Systems Integrators

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Relationship IEC 61508 – IEC 61511

Process Sector Safety Instrumented System Standards

Manufacturers and Suppliers of Safety Instrumented System

Devices designers, Integrators and users
IEC 61508 IEC 61511

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

IEC 61511 – Protection Against:

RANDOM SYSTEMATIC
Failures Failures

Random Failures? Systematic Failures?

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

What are…?

Random Failures: “Usually a permanent failure due to a

system component loss of functionality – hardware related

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

What are…?

Systematic Failures: “Usually due to a design fault, wrong

specification,not fit for purpose , error in software program,
...

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Question?

Is Redundancy sufficient protection against SYSTEMATIC

FAILURES?

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

IEC 61508 – Protect Against:

RANDOM SYSTEMATIC
Failures Failures

HOW? HOW?

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

IEC 61508 – Protect Against:

RANDOM SYSTEMATIC
Failures Failures

Probabilistic
Performance Based HOW?
Design

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

PROBABILISTIC BASED DESIGN

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

IEC 61508 – Protect Against:

RANDOM SYSTEMATIC
Failures Failures

Probabilistic
Performance Based HOW?
Design

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

IEC 61508 – Protect Against:

RANDOM SYSTEMATIC
Failures Failures

Probabilistic
Detailed Engineering
Performance Based
Process
Design

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Key Aspects of IEC 61508/61511

Safety Integrity Levels (SIL)

– Reliable Hardware with predictable failure rates to
protect against Random Failures (Physical)

Safety Lifecycle
– Safety Management with controlled and systematic
processes to protect against Systematic Failures (Design)

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

The IEC 61511 Safety Lifecycle

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

The IEC 61511 Safety Lifecycle

Management and
Analysis Phase
Planning

Realization Phase

Operate and Maintain

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

The IEC 61511 Safety Lifecycle

Management and
Planning

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Industry Competency Program

www.cfse.org

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

The IEC 61511 Safety Lifecycle

Analysis Phase

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

SRS Always Required?

Do I Need
A SIS in
My Plant?

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

IEC 61511/61508 are Risk Based

“Is it worth going for the Cheese?”

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

What is…?

Risk: Consequence x Likelihood.

Accounts for both the consequense and the likelihood portion

of the risk

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Risk Analysis

Analyze Process Risk

High
(Inherent Risk)
Risk

Tolerable Level of Risk

(defined by Customer per application)

Low

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Risk Analysis

Analyze Process Risk

High
(Inherent Risk)
Define Tolerable
Risk
Risk

Tolerable Level of Risk

(defined by Customer per application)

Low

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

What is…?

Tolerable Risk: The level of risk that society will accept

– Who is being exposed to risk?

 Individuals
 Society
 Environment

– What is the nature of the risk? Legal Moral

 Fatality / Injury
 Permanent / Temporary Damage
 Financial Loss Financial

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

What is…?

ALARP: As Low As Reasonably Practicable

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Tolerable Risk Sample – Statistics UK

A ctivity P ro b a b ility p er
p erso n p er y ea r

T ra vel
-6
A ir 2 x 10
–6
T ra in 3 x 10
-4
Bus 2 x 10
–4
C ar 2 x 10
-2
M o to rcy cle 2 x 10
O ccu p a tio n
–5
C h em ica l In d u stry 5 x 10
M a n u fa ctu rin g
–4
S h ip p in g 9 x 10
–4
C o a l M in in g 2 x 10
A g ricu ltu re
B o xin g
V o lu n ta ry
Copyright exida Asia Pacific © 2013 R o ck clim b in g 1 .4 x 1 0 – 4
AsiaPacific@exida.com
–3
Risk Analysis

Analyze Process Risk

High
(Inherent Risk)
Analyze Actual
RISK
Risk

Tolerable Level of Risk

(defined by Customer per application)

Low

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Risk Analysis

Calculated Process Risk

High
(Inherent Risk)
Design Changes
Risk

Tolerable Level of Risk

(defined by Customer per application)

Low

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Risk Analysis

Calculated Process Risk

High
(Inherent Risk)
Design Changes
Other Risk Reduction
Risk

Analyze other Layers of

Protection

Tolerable Level of Risk

(defined by Customer per application)

Low

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Risk Analysis

Calculated Process Risk

High
(Inherent Risk)
Design Changes
Other Risk Reduction
Risk

Bring Risk below

Tolerable
Tolerable Level of Risk
(defined by Customer per application)

Low

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Risk Analysis

Calculated Process Risk

High
(Inherent Risk)
Design Changes
Other Risk Reduction
Risk

SIL is measure for

Risk Reduction
Tolerable Level of Risk
(defined by Customer per application)

Low

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Risk Reduction Factor (RRF) and SIL

1/RRF =
PFD

High Risk

Low Risk

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Risk Reduction Factor (RRF) and SIL

1/RRF =
PFD

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Risk Reduction Factor (RRF) and SIL

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Safety Requirements Specification

• Target SIL
• Functional Description of Each SIF
• Response Time
• Bypass Requirement
...

( IEC 61511-1 clause 10)

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

The IEC 61511 Safety Lifecycle

Realization Phase

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

SIF Design

The SIL achieved is the minimum of:

1. SILPFD:Probability of Failure on Demand Average/per hour (PFDAVG /PFH)
2. SILAC : Hardware Fault Tolerance
3. SILCAP:Capability to prevent Systematic Failures (SILCAP)

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Probability of Failure on Demand

The SIL achieved is the minimum of:

1. SILPFD:Probability of Failure on Demand Average/per hour (PFDAVG /PFH)
2. SILAC : Hardware Fault Tolerance
3. SILCAP:Capability to prevent Systematic Failures (SILCAP)

PFDsensor + PFDmux + PFDinput + PFDmp + PFDOutput + PFDrelay + PFDfe + PDFprocess-connection

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

IEC 61508-6 Method

Divide each failure rate into specific failure modes

SAFE DETECTED
SAFE UNDETECTED
60%

DANGEROUS
UNDETECTED
S SD SU

D DD DU 40%

DANGEROUS
DETECTED

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

 What is…?

Fail Danger: A failure that prevents the safety function from

performing

Fail Safe: Anything that is not Fail Danger

NOTE: Definitions refer to single channel architectures.

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

SIF Design

The SIL achieved is the minimum of:

1. SILPFD:Probability of Failure on Demand Average/per hour (PFDAVG /PFH)
2. SILAC : Hardware Fault Tolerance
3. SILCAP:Capability to prevent Systematic Failures (SILCAP)

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

What is…?

Hardware Fault Tolerance: The quantity of failures that can

be tolerated while maintaining the safety function
Hardware
Architecture Fault
Tolerance
1oo1 0
1oo1D 0
1oo2 1
2oo2 0
2oo3 1
2oo2D 0
1oo2D 1
1oo3 2

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

What is…?

Hardware Fault Tolerance: The quantity of failures that can

be tolerated while maintaining the safety function
Hardware
Architecture Fault
Tolerance
1oo1 0
1oo1D 0
1oo2 1
2oo2 0
2oo3 1
2oo2D 0
1oo2D 1
1oo3 2

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

 What is…?

Safe Failure Fraction: A measurement of the likelihood of

getting a dangerous failure that is NOT detected by
automatic self diagnositcs

NOTE: Definitions refer to single channel architectures.

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

IEC 61508 Safe Failure Fraction

SD + SU + DD
SFF =
SD + SU + DD + DU

DU
=1-
Total

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Example FMEDA 3051S

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Example 3051S

Hardware Fault Tolerance: The quantity of failures that can

be tolerated while maintaining the safety function
Hardware
Architecture Fault
Tolerance
1oo1 0
1oo1D 0
1oo2 1
2oo2 0
2oo3 1
2oo2D 0
1oo2D 1
1oo3 2

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

SIF Design

The SIL achieved is the minimum of:

1. SILPFD:Probability of Failure on Demand Average/per hour (PFDAVG /PFH)
2. SILAC : Hardware Fault Tolerance
3. SILCAP:Capability to prevent Systematic Failures (SILCAP)

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Certified versus Proven in Use

Justification
by User

Certificate
by
Independent
Assessor

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Product Certification

Functional safety certification for devices is accomplished

per IEC 61508
Products are certified to a Safety Integrity Level (SIL)
The result is typically a certificate and a certification report

SIL Certification
Vendor showed
sufficient protection
against Random and
Systematic Failures

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Example…

The SIL achieved is the minimum of:

1. SILPFD: SIL2
2. SILAC : SIL1
3. SILCAP: SIL3
The SIL level for this
Safety Instrumented
Function (SIF) is:
???

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Example

The SIL achieved is the minimum of:

1. SILPFD: SIL2
2. SILAC : SIL1
3. SILCAP: SIL3
The SIL level for this
Safety Instrumented
Function (SIF) is:
SIL1

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

The IEC 61511 Safety Lifecycle

Realization Phase

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

The IEC 61511 Safety Lifecycle

Operate and Maintain

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

What is…?

Proof Testing: A manually initiated test designed to detect

failure of any part of a SF. Different proof test procedures can
have different levels of effectiveness.

No practical proof
test will detect all
failures

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

The IEC 61511 Safety Lifecycle

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

 www.securityincidents.org

“Disabled” Safety is not SAFE!

revents Safety Shutdown

opriate Control

Incident with “Certified” Boiler

Anti-Virus Software
on system used Microsoft PreventsExcel
Safetyon Shutdown
a PC
orkstation also had Norton anti-virus Source www.securityincidents.org

are prevented the proper communications

stem. A exida
Copyright safety shutdown
Asia Pacific © 2013 that should have AsiaPacific@exida.com
 www.securityincidents.org

“Disabled” Safety is not SAFE!

revents Safety Shutdown
Advanced Technology
introduces
new THREATS?

opriate Control

Explosion of “Certified” Boiler

Anti-Virus Software
on system used Microsoft PreventsExcel
Safetyon Shutdown
a PC
orkstation also had Norton anti-virus Source www.securityincidents.org

are prevented the proper communications

stem. A exida
Copyright safety shutdown
Asia Pacific © 2013 that should have AsiaPacific@exida.com
exida Functional Integrity Certification™

Functional Integrity Certification™

Functional Safety Certification ™

+
Functional Security Certification ™

“Integrity is doing the right thing,

even if nobody is watching.”
(Anonymous)

Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com

Safety is Only as Strong as its Weakest Link

exida
Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com
Thank You
Copyright exida Asia Pacific © 2013 AsiaPacific@exida.com