
Functional Safety - IEC 61511 Introduction

New Plymouth, 11 April 2013


Koen Leekens
+65 977 9547

Exida Contacts
Singapore +65 6222 5160 Canada +1 403 475 1943
Shanghai +86 21 5171 7250 United Kingdom +44 2476 456 195
Hong Kong +852 2633 7727 Netherlands +31 318 414 505
Germany +49 89 4900 0547 Australia / NZL +64 3 472 7707
USA +1 215 453 1720 Mexico +52 55 5611 9858
Switzerland +41 22 364 14 34 South Africa +27 31 267 1564

Copyright exida Asia Pacific © 2013


What is…?

Today’s Objective

Introduce the Concept and Basic Principles of IEC 61511



Safety is Only as Strong as its Weakest Link

exida History

Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services

“Independent provider of Tools, Services and Training supporting Customers with Compliance and Certification to any Standards for Functional Safety, Cyber Security and Alarm Management”

Rainer Faller
– Former Head of TÜV Product Services
– Chairman German IEC 61508
– Global Intervener ISO 26262 / IEC 61508
– Author of several Safety Books
– Author of IEC 61508 parts

Dr. William Goble
– Former Director Moore Industries
– Developed FMEDA Technique (PhD)
– Author of several Safety Books
– Author of several Reliability Books


What we do

EXPERTISE            SCOPE           INDUSTRIES    CUSTOMERS
Functional Safety    Tools           Process       End Users
Alarm Management     Training        Energy        Manufacturer
Cyber Security       Consultancy     Machine       Engineering
Reliability          Certification   Automotive    Integrators


exida Tools – Process Industry



exida Services and Training – Process Industry

Functional Safety Management Set-up
Functional Safety Assessment
PHA
SIL Determination
SRS Development
SIL Verification
Alarm Philosophy – Rationalization
Cyber Security Assessments
Training Programs


exida Industry Contributions

Global Functional Safety Certification Consultant
3rd Party Accredited Certification Body
Developer FMEDA Technique
Mechanical Failure Database
Electrical & Electronic Failure Database
Instrument & Equipment Failure Database
Development Field Failure Database Methodology
Global Active Participation in IEC – ISO Workgroups
Functional Safety Engineering Tools


exida Library

exida publishes analysis techniques for functional safety
exida authors ISA best-sellers for automation safety and reliability
exida authors the industry data handbook on equipment failure data

www.exida.com


exida Customers (extract from 2000+)



What is…?

Functional Safety:



What do accidents teach us?

Seveso 1976 Buncefield 2005

Bhopal 1984 Flixborough 1974


Primary Cause of Failures?

Specification
Design and Implementation
Installation and Commissioning
Operation and Maintenance
Changes after Commissioning

More than 80% of Failures occur Before Startup
Source: Health, Safety & Environmental Agency

The majority of accidents are … Preventable if a systematic Risk-Based Approach is adopted…


Which Standard?

IEC 61508
Functional Safety for E/E/PES Safety Related Systems
Applies to Device Manufacturers, and where a Sector Specific standard is Not Available

Sector specific standards (End Users – Systems Integrators):
IEC 61513    Nuclear
IEC 62061    Machinery
IEC 61511    Process Industry
ISO 26262    Road Vehicles


Relationship IEC 61508 – IEC 61511

Process Sector Safety Instrumented System Standards

IEC 61508: Manufacturers and Suppliers of Safety Instrumented System Devices
IEC 61511: Safety Instrumented System designers, Integrators and users


IEC 61511 – Protection Against:

RANDOM Failures          SYSTEMATIC Failures

Random Failures?         Systematic Failures?


What are…?

Random Failures: “Usually a permanent failure due to a system component loss of functionality – hardware related”


What are…?

Systematic Failures: “Usually due to a design fault, wrong specification, not fit for purpose, error in software program, ...”


Question?

Is Redundancy sufficient protection against SYSTEMATIC FAILURES?


IEC 61508 – Protect Against:

RANDOM Failures        HOW?   Probabilistic Performance Based Design
SYSTEMATIC Failures    HOW?   Detailed Engineering Process


PROBABILISTIC BASED DESIGN


Key Aspects of IEC 61508/61511

Safety Integrity Levels (SIL)
– Reliable Hardware with predictable failure rates to protect against Random Failures (Physical)

Safety Lifecycle
– Safety Management with controlled and systematic processes to protect against Systematic Failures (Design)


The IEC 61511 Safety Lifecycle



The IEC 61511 Safety Lifecycle

Management and Planning
Analysis Phase
Realization Phase
Operate and Maintain


The IEC 61511 Safety Lifecycle

Management and Planning


Industry Competency Program

www.cfse.org



The IEC 61511 Safety Lifecycle

Analysis Phase



SRS Always Required?

Do I Need A SIS in My Plant?


IEC 61511/61508 are Risk Based

“Is it worth going for the Cheese?”



What is…?

Risk: Consequence x Likelihood.

Accounts for both the consequence and the likelihood portion of the risk


Risk Analysis

(Figure: Risk scale from High to Low; the Tolerable Level of Risk is defined by Customer per application)

Analyze Process Risk (Inherent Risk)
Define Tolerable Risk


What is…?

Tolerable Risk: The level of risk that society will accept

– Who is being exposed to risk?
   Individuals
   Society
   Environment

– What is the nature of the risk?
   Fatality / Injury
   Permanent / Temporary Damage
   Financial Loss

Legal – Moral – Financial


What is…?

ALARP: As Low As Reasonably Practicable



Tolerable Risk Sample – Statistics UK

Activity                   Probability per person per year

Travel
  Air                      2 x 10^-6
  Train                    3 x 10^-6
  Bus                      2 x 10^-4
  Car                      2 x 10^-4
  Motorcycle               2 x 10^-2

Occupation
  Chemical Industry        5 x 10^-5
  Manufacturing            (value not legible in source)
  Shipping                 9 x 10^-4
  Coal Mining              2 x 10^-4
  Agriculture              (value not legible in source)

Voluntary
  Boxing                   (value not legible in source)
  Rock climbing            1.4 x 10^-4


Risk Analysis

(Figure: Risk scale from High to Low; the Tolerable Level of Risk is defined by Customer per application)

Analyze Actual Risk (Calculated Process Risk)
Design Changes
Other Risk Reduction – Analyze other Layers of Protection
Bring Risk below Tolerable
SIL is a measure for Risk Reduction


Risk Reduction Factor (RRF) and SIL

1/RRF = PFD

(Figure: scale from High Risk to Low Risk)


Safety Requirements Specification

• Target SIL
• Functional Description of Each SIF
• Response Time
• Bypass Requirement
...

( IEC 61511-1 clause 10)



The IEC 61511 Safety Lifecycle

Realization Phase



SIF Design

The SIL achieved is the minimum of:

1. SILPFD: Probability of Failure on Demand Average / per hour (PFDavg / PFH)
2. SILAC: Hardware Fault Tolerance
3. SILCAP: Capability to prevent Systematic Failures


Probability of Failure on Demand

The SIL achieved is the minimum of SILPFD, SILAC and SILCAP. The PFD of the loop is the sum of the element PFDs:

PFDsensor + PFDmux + PFDinput + PFDmp + PFDoutput + PFDrelay + PFDfe + PFDprocess-connection


IEC 61508-6 Method

Divide each failure rate into specific failure modes

Safe (S):        Safe Detected (SD), Safe Undetected (SU)
Dangerous (D):   Dangerous Detected (DD), Dangerous Undetected (DU)

(Chart: illustrative split of 60% safe and 40% dangerous failures)


What is…?

Fail Danger: A failure that prevents the safety function from performing

Fail Safe: Anything that is not Fail Danger

NOTE: Definitions refer to single channel architectures.




What is…?

Hardware Fault Tolerance: The quantity of failures that can be tolerated while maintaining the safety function

Architecture    Hardware Fault Tolerance
1oo1            0
1oo1D           0
1oo2            1
2oo2            0
2oo3            1
2oo2D           0
1oo2D           1
1oo3            2




What is…?

Safe Failure Fraction: A measurement of the likelihood of getting a dangerous failure that is NOT detected by automatic self diagnostics

NOTE: Definitions refer to single channel architectures.


IEC 61508 Safe Failure Fraction

SFF = (SD + SU + DD) / (SD + SU + DD + DU)

    = 1 - DU / Total


Example FMEDA 3051S



Example 3051S





Certified versus Proven in Use

Proven in Use: Justification by User
Certified: Certificate by Independent Assessor


Product Certification

Functional safety certification for devices is accomplished per IEC 61508
Products are certified to a Safety Integrity Level (SIL)
The result is typically a certificate and a certification report

SIL Certification: Vendor showed sufficient protection against Random and Systematic Failures


Example

The SIL achieved is the minimum of:

1. SILPFD: SIL2
2. SILAC: SIL1
3. SILCAP: SIL3

The SIL level for this Safety Instrumented Function (SIF) is: SIL1
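A worked SIL verification helper, added here as an example and not code from the exida deck: it strings together the relations on the preceding slides (loop PFD as the sum of element PFDs, SFF = 1 - DU/Total, 1/RRF = PFD, achieved SIL as the minimum of SILPFD, SILAC and SILCAP). The IEC 61508 low-demand PFDavg bands, the simplified 1oo1 formula PFDavg = λDU·TI/2, the sample failure rates and the SILAC / SILCAP inputs are assumptions not taken from the slides.

```python
# Added example, not from the exida slides: loop PFD sum, SFF, RRF and the
# "SIL achieved = minimum of SILPFD, SILAC, SILCAP" rule, with assumed inputs.
from dataclasses import dataclass

# (SIL, lower bound, upper bound) of PFDavg for IEC 61508-1 low-demand mode.
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

def sil_from_pfd(pfd_avg: float) -> int:
    """SIL band for a PFDavg; 0 means no SIL credit (PFDavg >= 0.1)."""
    for sil, lo, hi in PFD_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 4 if pfd_avg < 1e-5 else 0  # the standard defines nothing above SIL 4

def rrf_from_pfd(pfd_avg: float) -> float:
    """Risk Reduction Factor from the slide relation 1/RRF = PFD."""
    return 1.0 / pfd_avg

@dataclass
class Element:
    name: str   # one SIF element; rates below are failures per hour (constructed)
    sd: float   # safe detected
    su: float   # safe undetected
    dd: float   # dangerous detected
    du: float   # dangerous undetected

    def sff(self) -> float:
        """Safe Failure Fraction = (SD+SU+DD)/(SD+SU+DD+DU) = 1 - DU/Total."""
        return 1.0 - self.du / (self.sd + self.su + self.dd + self.du)

    def pfd_avg(self, ti_hours: float) -> float:
        """Simplified 1oo1 low-demand PFDavg = lambda_DU * TI / 2 (assumption)."""
        return self.du * ti_hours / 2.0

# Constructed sample loop (sensor + logic solver + final element), not real data.
SAMPLE_LOOP = [
    Element("pressure transmitter", sd=1e-7, su=5e-8, dd=2e-7, du=5e-8),
    Element("logic solver", sd=2e-7, su=1e-8, dd=3e-7, du=5e-9),
    Element("shutdown valve", sd=1e-7, su=1e-7, dd=1e-7, du=3e-7),
]

def sif_pfd_avg(loop, ti_hours: float) -> float:
    """Loop PFDavg is the sum of the element PFDs, as on the PFD slide."""
    return sum(e.pfd_avg(ti_hours) for e in loop)

def achieved_sil(sil_pfd: int, sil_ac: int, sil_cap: int) -> int:
    """The SIL achieved is the minimum of the three SIL figures (slide rule)."""
    return min(sil_pfd, sil_ac, sil_cap)
```

With a one-year proof test interval (8760 h) the sample loop lands in the SIL 2 PFD band, but an assumed SILAC of 1 pulls the achieved SIL down to SIL 1, the same outcome as the slide example.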




The IEC 61511 Safety Lifecycle

Operate and Maintain



What is…?

Proof Testing: A manually initiated test designed to detect failure of any part of a safety function (SF). Different proof test procedures can have different levels of effectiveness.

No practical proof test will detect all failures


The IEC 61511 Safety Lifecycle



www.securityincidents.org

“Disabled” Safety is not SAFE!

Advanced Technology introduces new THREATS?

Incident with “Certified” Boiler – Explosion of “Certified” Boiler
Anti-Virus Software Prevents Safety Shutdown

… system used Microsoft Excel on a PC
… workstation also had Norton anti-virus
… ware prevented the proper communications … stem. A safety shutdown that should have …
… opriate Control

Source www.securityincidents.org
exida Functional Integrity Certification™

Functional Integrity Certification™ = Functional Safety Certification™ + Functional Security Certification™

“Integrity is doing the right thing, even if nobody is watching.”
(Anonymous)


Safety is Only as Strong as its Weakest Link

Thank You