PROCESS AUTOMATION
IEC 61508/61511 SAFETY INTEGRITY LEVEL
REDUCING SAFETY RISKS
Process technology systems incorporate risks. These risks are determined by the type of process involved and the materials used, together with the system's surroundings. Automated systems can reduce these risks. For this purpose the functional safety of the field instrumentation and of the control and monitoring systems must be ensured by adequate measures for the prevention, detection and control of faults.

ANALYSIS
The risk potential of a process technology system is determined in accordance with IEC 61511, and a risk reduction matched to the particular risk is implemented. If this risk reduction is achieved with electric/electronic automation technology, the components used must meet the requirements of IEC 61508 or IEC 61511. Both standards classify systems and risk-reducing measures into safety integrity levels; under IEC 61508 these range from SIL 1 (low risk) to SIL 4 (extreme risk). IEC 61511, the process-sector standard, covers SIL 1 to SIL 3 only.
RISK GRAPH (CONFORMING WITH IEC 61508)

Extent of damage (S):
S1 Injury of a person, insignificant environmental damage
S2 Severe, irreversible injury of one or more persons, death of a person, severe or temporary environmental damage
S3 Death of several persons, severe, permanent environmental damage
S4 Death of a large number of persons

Presence in hazardous area (A):
A1 Seldom to often
A2 Frequently to continuously

Avoidance of danger (G):
G1 Possible under certain circumstances
G2 Practically impossible

Probability of an undesired situation arising (W):
W1 Very slight
W2 Slight
W3 Relatively high
SIL 1 TO SIL 4
All organisational and technical risk reduction measures act as a counterweight to the risk potential. The values SIL 1 to SIL 4 (SIL = Safety Integrity Level) are derived from the risk analysis. The greater the risk, the more reliable the risk reduction measures must be and, consequently, the more reliable the components used must be.
HFT = hardware fault tolerance (loop structure)
SFF = safe failure fraction, the proportion of safe failures
PFD = probability of failure on demand
Tproof = proof test interval for the entire safety system
HFT: Hardware fault tolerance is the maximum number of hardware faults that will not lead to a loss of the safety function. A hardware fault tolerance of zero means that a single fault can cause loss of the safety function.

SFF: IEC 61508 requires a minimum hardware fault tolerance (HFT) depending on the safe failure fraction (SFF), as shown in the table below. The SFF of Pepperl+Fuchs devices lies in the range 60 % to 90 %, with solenoid drivers reaching up to 100 %. This is why solenoid drivers achieve SIL 3 even in a 1oo1 loop structure.
Maximum permissible SIL for Type A sub-systems (non-complex sub-systems) relative to hardware fault tolerance and the proportion of "safe" failures, in compliance with IEC 61508-2:

SFF (proportion of "safe" failures)   HFT = 0   HFT = 1   HFT = 2
< 60 %                                SIL 1     SIL 2     SIL 3
60 % to < 90 %                        SIL 2     SIL 3     SIL 4
90 % to < 99 %                        SIL 3     SIL 4     SIL 4
≥ 99 %                                SIL 3     SIL 4     SIL 4
FAILURE CATEGORIES
Dangerous Undetected "DU", Dangerous Detected "DD", Safe Detected "SD", Safe Undetected "SU"

The SFF (Safe Failure Fraction) is the proportion of failures that do not endanger the safety function. It consists of the safe failures ("SD" and "SU") plus the dangerous failures that the system itself detects and can therefore act upon ("DD"). Only the dangerous failures that the system does not detect ("DU") degrade the safety function.
LOOP STRUCTURE AND ORGANISATIONAL MEASURES
FAILURE DISTRIBUTION IN THE CONTROL CIRCUIT: The PFD value (Probability of Failure on Demand) is the probability that a unit, as one component of a complete safety system operating in low demand mode, fails to perform its safety function when a demand occurs.
(Figure: distribution of the loop PFD. Sensor system and signal path 35 %, actuator and signal path 50 %, safety PLC 15 %; each signal path, i.e. each interface module, accounts for 10 %.)
The PFD value for the complete safety-related function is derived from the values of the individual components. Sensor and actuator are installed in the field and are exposed to physical stress (process medium, pressure, temperature, vibration, etc.), so their failure risk is relatively high. 25 % of the entire PFD budget should therefore be reserved for the sensor and 40 % for the actuator; 15 % remains for the fail-safe controller and 10 % for each of the two interface modules (interface modules and the control system have no contact with the process medium and are located in protected switch rooms).
ORGANISATIONAL MEASURES: In process automation a safety system is usually in low demand mode, i.e. it is called upon no more than about once per year. The most important organisational measure is therefore a regular proof test of the complete safety system.
This test verifies the function of the entire safety system, including its mechanical components. The shorter the interval between tests (Tproof), the greater the probability that the safety system will function correctly when a demand occurs.
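An added worked example (not Pepperl+Fuchs code) for the PFD budget and proof test interval described above. It takes the brochure's 1-year PFD figures for the SJ 2-N sensor, the KFD2-SR2-Ex2.W switch amplifier and the KFD2-SD-Ex1.17 solenoid driver, adds assumed placeholder PFDs for the safety PLC and the actuator, scales every 1oo1 element linearly with Tproof (PFDavg = lambda_DU * Tproof / 2, the simplified IEC 61508-6 relation), and checks the loop total and the per-element budget against the low demand SIL bands of IEC 61508-1. The PLC and actuator values and the function names are assumptions made for the example.

```python
"""PFD budget of a low demand SIL loop versus the proof test interval.

Added example for the PFD / Tproof sections of the brochure; not Pepperl+Fuchs code.
The PLC and actuator PFDs are constructed placeholders (assumption), not catalogue data.
"""
HOURS_PER_YEAR = 8760

# Share of the loop's permissible PFD allocated to each element (brochure budget).
PFD_BUDGET = {
    "sensor": 0.25,
    "input isolator": 0.10,
    "safety PLC": 0.15,
    "output isolator": 0.10,
    "actuator": 0.40,
}

# (role, type, PFDavg at Tproof = 1 year). P+F values are taken from the brochure's
# table; "assumed" entries are constructed placeholder values.
LOOP_AT_1_YEAR = [
    ("sensor",          "SJ 2-N",         3.02e-05),
    ("input isolator",  "KFD2-SR2-Ex2.W", 3.21e-04),
    ("safety PLC",      "assumed PLC",    1.00e-04),  # assumption
    ("output isolator", "KFD2-SD-Ex1.17", 0.0),       # SFF 100 %: no DU failures counted
    ("actuator",        "assumed valve",  3.50e-04),  # assumption
]


def pfd_1oo1(lambda_du, tproof_hours):
    """PFDavg of a single-channel (1oo1) element in low demand mode:
    lambda_DU * Tproof / 2 (simplified IEC 61508-6 relation, lambda_DU per hour)."""
    return lambda_du * tproof_hours / 2.0


def lambda_du_from_pfd(pfd, tproof_hours):
    """Recover lambda_DU from a published 1oo1 PFDavg at the stated Tproof."""
    return 2.0 * pfd / tproof_hours


def sil_from_pfd(pfd):
    """Low demand SIL band per IEC 61508-1: SIL n requires 1e-(n+1) <= PFDavg < 1e-n.
    Returns 0 for PFDavg >= 1e-1 (no SIL); values below 1e-5 are reported as 4."""
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** -sil:
            return sil
    return 0


def loop_at(tproof_years):
    """Scale each 1oo1 element's PFD linearly with Tproof (PFDavg = lambda_DU*T/2)
    and return (elements, loop PFD) for that proof test interval."""
    elems = [(role, name, pfd * tproof_years) for role, name, pfd in LOOP_AT_1_YEAR]
    return elems, sum(p for _, _, p in elems)


def loop_sil(tproof_years):
    """SIL band the whole loop reaches at the given proof test interval."""
    return sil_from_pfd(loop_at(tproof_years)[1])


def budget_violations(tproof_years, target_sil):
    """Elements whose PFD exceeds their budget share of the target SIL's upper PFD
    limit (10**-target_sil). Returns [(role, type, pfd, allowed), ...]."""
    limit = 10.0 ** -target_sil
    elems, _ = loop_at(tproof_years)
    return [(role, name, pfd, PFD_BUDGET[role] * limit)
            for role, name, pfd in elems if pfd > PFD_BUDGET[role] * limit]


if __name__ == "__main__":
    # Check the linear Tproof scaling against the brochure's KFD2-SR2-Ex2.W row.
    l_du = lambda_du_from_pfd(3.21e-04, HOURS_PER_YEAR)
    print(f"KFD2-SR2-Ex2.W lambda_DU = {l_du:.2e}/h, PFD at 5 a = "
          f"{pfd_1oo1(l_du, 5 * HOURS_PER_YEAR):.2e}")
    for years in (1, 2, 5):
        _, total = loop_at(years)
        print(f"Tproof = {years} a: loop PFD {total:.2e} -> SIL {loop_sil(years)}")
        for role, name, pfd, allowed in budget_violations(years, target_sil=3):
            print(f"  over budget: {name} ({role}) {pfd:.2e} > {allowed:.2e}")
```

With these figures the loop total sits in the SIL 3 band at a 1-year proof test interval and drops to SIL 2 at 2 years, and the switch amplifier already exceeds its 10 % share of the SIL 3 budget at 1 year even though the loop total still passes. Both checks have to hold: the budget per element is what keeps one field-exposed device from consuming the margin of the whole loop.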
ALL IMPORTANT CHARACTERISTIC VALUES AT A GLANCE

Isolated switch amplifier (extract)
Name              PFD, Tproof = 1 year   Tproof = 2 years   Tproof = 5 years    SFF
KFD2-SR2-Ex2.W    3.21E-04               6.42E-04           1.60E-03            > 74 %
KFD2-SR2-Ex1.W    3.21E-04               6.42E-04           1.60E-03            > 74 %

Solenoid driver (extract)
KFD2-SD-Ex1.17    0.00E+00               0.00E+00           0.00E+00            100 %

Sensors (extract)
SJ 2-N            3.02E-05               6.05E-05           1.51E-04            > 76 %
SJ 3,5-N          4.82E-05               9.64E-05           2.41E-04            > 68 %

Transmitter power supply (extract)
KFD2-STC4-Ex1     1.6E-04                3.2E-04            8.0E-03             > 91 %
Failure categories: Fail Low (L) = Safe, Fail High (H) = Safe

HART multiplexer (extract)
Name              PFD, Tproof = 1 year   Tproof = 5 years   Tproof = 10 years   SFF
KFD2-HMM-16       6.13E-08               3.07E-07           6.13E-07            ≥ 60 %
HiD 2700          2.50E-07               1.25E-06           2.50E-06            ≥ 60 %
All SIL assessments from Pepperl+Fuchs are available free of charge on the Internet at www.pepperl-fuchs.com
KEY FEATURES AT A GLANCE:
- Safe signals from the standard programme
- No extra charge
- Well-proven engineering
- Simple planning

POINT TO POINT INTERFACE MODULES
Pepperl+Fuchs supplies SIL ratings for numerous standard units (tables below); the advantages this brings our customers are listed after the tables.
SIL | Function | Description | Type
2 | AI | SMART transmitter power supply | ED2-STC4-**2
2 | DO | Solenoid driver | ED2-VM-Ex*.3**
2 | DI | Switch amplifier | EG*-***
2 | AI | SMART transmitter power supply | HiC2025
2 | AO | Current driver | HiC2031
2 | DI | Switch amplifier | HiC2821
2 | DI | Switch amplifier | HiC2822
3 | DO | Solenoid driver | HiC2871
2 | AI | SMART transmitter power supply | HiD2025/2026(SK)
2 | AI | SMART transmitter power supply | HiD2029/2030(SK)
2 | AO | Current driver | HiD2033/2034
2 | AO | SMART current driver | HiD2037/2038
2 | DI | Switch amplifier | HiD2821/2822/2824
2 | DI | Switch amplifier | HiD2842/2844
2 | DO | Solenoid driver | HiD2871/2872
2 | DO | Solenoid driver | HiD2875/2876
2 | DO | Solenoid driver | HiD2881
3 | DI | Safety switch amplifier | K***-SH-Ex1
3 | DO | Solenoid driver | KCD0-SD-Ex1.1245
2 | AO | SMART current driver | KCD2-SCD-Ex1
2 | DI | Switch amplifier | KCD2-SR-***.**
2 | AI | SMART transmitter power supply | KCD2-STC-Ex1
2 | AI | Transmitter power supply | KF**-CRG-***.*
2 | DI | Speed monitor | KF**-DWB-***.*
2 | AI | Temperature converter with trip value | KF**-GUT-***.*
2 | DI | Switch amplifier | KF**-SOT2-***.**
2 | DI | Switch amplifier | KF**-SR2-***.**.**
Advantages of SIL-rated standard units:
- Units which have proven themselves in operation
- No altered approval values
- Standardised certification of intrinsic safety
- Standardised unit documentation
- Standardised warehouse and spare part storage
- Extensive international supply capacity
- No extra charge for the user
- Simple planning and commissioning
POINT TO POINT INTERFACE MODULES (continued)
SIL | Function | Description | Type
2 | DI | Frequency converter with trip value | KF**-UFC-***.*
2 | AO | Current driver | KFD0-CS-***.***
3 | HART | HART multiplexer slave | KFD0-HMS-16
3 | DO | Relay module | KFD0-RSH-1
2 | AO | SMART current driver | KFD0-SCS-***.**
2 | AO | Current driver | KFD2-CD*-***.**-**
3 | HART | HART multiplexer master | KFD2-HMM-16
2 | AO | SMART current driver | KFD2-SCD*-***.**
3 | DO | Solenoid driver | KFD2-SD-***.****
3 | DO | Solenoid driver | KFD2-SL-***.**
2 | DO | Solenoid driver | KFD2-SL2-***.**
2 | DO | Solenoid driver | KFD2-SL-4
2 | DI | Standstill monitor | KFD2-SR2-**2.W.SM
2 | DI | Switch amplifier | KFD2-ST2-***.**
2 | AI | SMART transmitter power supply | KFD2-STC4-***.**
2 | AI | SMART transmitter power supply | KFD2-STV4-***.**
3 | HART | HART multiplexer master | Mux2700
3 | SURGE | Surge suppressor | P-LB-***

SENSORS
SIL | Function | Description | Type
2 | A | Hydrostatic pressure sensor | LHC-M20/M40
2 | A | Guided microwave | LTC***
2 | D | Vibration limit switch | LVL-M* with FEL51 ... FEL58
2 | D | Inductive initiator | NCB2-12GM35-N0
2 | D | Inductive initiator | NCB2-V3-N0
2 | D | Inductive initiator | NCB5-18GM40-N0
3 | D | Inductive safety initiator | NCN3-F25*-SN4***
2 | D | Inductive initiator | NCN4-12GM35-N0
2 | D | Inductive initiator | NCN4-V3-N0
2 | D | Inductive initiator | NCN8-18GM40-N0
3 | D | Inductive safety initiator | NJ10-30GK-SN***
3 | D | Inductive safety initiator | NJ15-30GK-SN***
3 | D | Inductive safety initiator | NJ15S+U*+N***
3 | D | Inductive safety initiator | NJ20S+U*+N***
3 | D | Inductive safety initiator | NJ2-11-SN***
3 | D | Inductive safety initiator | NJ2-11-SN-G***
3 | D | Inductive safety initiator | NJ2-12GK-SN***
3 | D | Inductive safety initiator | NJ3-18GK-S1N***
3 | D | Inductive safety initiator | NJ40-FP-SN***
3 | D | Inductive safety initiator | NJ4-12GK-SN***
3 | D | Inductive safety initiator | NJ5-18GK-SN***
3 | D | Inductive safety initiator | NJ5-30GK-S1N***
3 | D | Inductive safety initiator | NJ6-22-SN***
3 | D | Inductive safety initiator | NJ6-22-SN-G***
3 | D | Inductive safety initiator | NJ6S1+U*+N1***
3 | D | Inductive safety initiator | NJ8-18GK-SN***
2 | A | Process pressure transmitter | PPC-M10/M20
2 | D | Inductive initiator | SC3,5-N0
2 | D | Inductive initiator | SJ2-N
3 | D | Inductive safety initiator | SJ2-S1N***
3 | D | Inductive safety initiator | SJ2-SN***
2 | D | Inductive initiator | SJ3,5-N
3 | D | Inductive safety initiator | SJ3,5-S1N***
3 | D | Inductive safety initiator | SJ3,5-SN***
A = Sensor analog, D = Sensor digital
LOOP STRUCTURE, DEVICE SELECTION, ORGANISATIONAL MEASURES
Device selection, loop structure and organisational measures together determine the SIL a signal circuit can achieve.

TYPICAL SIGNAL CIRCUIT:
- Signal input (transmitter or sensor)
- Input isolator (transmitter supply unit)
- Safety PLC
- Output isolator (valve control module)
- Actuator (valve or position control)

LOOP STRUCTURE: A signal circuit with a simple 1oo1 evaluation structure has no hardware fault tolerance (HFT = 0); failure of a single unit can lead to a loss of the safety function. A 1oo1 structure is typical for SIL 2.

SIL 2 AND SIL 3 WITH THE SAME UNITS: A signal circuit with a redundant 1oo2 loop structure has a hardware fault tolerance of 1 (HFT = 1); failure of a single unit does not lead to a loss of the safety function. A 1oo2 structure is typical for SIL 3.

(Figure: 1oo1 loop with one transmitter, one analogue input and signal processing; 1oo2 loop with two transmitters, two analogue inputs and common signal processing.)

HARDWARE SOLUTIONS WITHOUT SAFETY PLC: Isolated switch amplifiers set their output level directly according to the sensor input. For simple isolated switch amplifier applications a safety PLC is therefore unnecessary.
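An added worked example (not Pepperl+Fuchs code) that serves both the HFT/SFF table in the "REDUCING SAFETY RISKS" part and the 1oo1 versus 1oo2 comparison in this section. It computes the safe failure fraction from the four failure categories (DU, DD, SD, SU) and looks up the maximum SIL the Type A architectural constraints of IEC 61508-2 allow for a given voting structure. The failure rates in the demonstration are constructed values, not catalogue data; the MooN-to-HFT mapping (HFT = N minus M) is a general IEC 61508 relation that the brochure does not state itself, and all function names are assumptions made for the example.

```python
"""Safe failure fraction and IEC 61508-2 architectural constraints (Type A sub-systems).

Added example for the HFT/SFF table and the 1oo1 / 1oo2 loop-structure comparison;
not Pepperl+Fuchs code. Failure rates in the demo are constructed values (assumption).
"""


def safe_failure_fraction(l_sd, l_su, l_dd, l_du):
    """SFF = (lambda_SD + lambda_SU + lambda_DD) / (sum of all four categories).
    Safe failures (SD, SU) and detected dangerous failures (DD) count as "safe";
    only dangerous undetected failures (DU) count against the safety function."""
    total = l_sd + l_su + l_dd + l_du
    if total <= 0:
        raise ValueError("at least one non-zero failure rate is required")
    return (l_sd + l_su + l_dd) / total


# Maximum SIL for Type A sub-systems: (upper SFF bound, (SIL at HFT 0, 1, 2)),
# transcribed from the IEC 61508-2 table reproduced in the brochure.
_TYPE_A_ROWS = [
    (0.60, (1, 2, 3)),   # SFF < 60 %
    (0.90, (2, 3, 4)),   # 60 % <= SFF < 90 %
    (0.99, (3, 4, 4)),   # 90 % <= SFF < 99 %
    (1.01, (3, 4, 4)),   # SFF >= 99 %
]


def max_sil_type_a(sff, hft):
    """Highest SIL the architectural constraints allow for a Type A sub-system."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    if hft not in (0, 1, 2):
        raise ValueError("table covers HFT 0, 1 and 2 only")
    for upper, sils in _TYPE_A_ROWS:
        if sff < upper:
            return sils[hft]
    raise AssertionError("unreachable: sff <= 1.0 < 1.01")


def hft_of(structure):
    """HFT of an MooN voting structure: N - M faults can occur before the safety
    function is lost (1oo1 -> 0, 1oo2 -> 1, 2oo3 -> 1). General IEC 61508 relation."""
    m, n = structure.lower().split("oo")
    m, n = int(m), int(n)
    if not 1 <= m <= n:
        raise ValueError(f"invalid voting structure {structure!r}")
    return n - m


def loop_max_sil(sff, structure):
    """Architectural-constraint SIL of a loop built from identical Type A elements."""
    return max_sil_type_a(sff, hft_of(structure))


if __name__ == "__main__":
    # Solenoid driver with SFF 100 %: SIL 3 already in 1oo1 (brochure's KFD2-SD-Ex1.17).
    print("solenoid driver, 1oo1:", loop_max_sil(1.0, "1oo1"))
    # Switch amplifier with SFF > 74 %: SIL 2 in 1oo1, SIL 3 with the same unit in 1oo2.
    print("switch amplifier, 1oo1:", loop_max_sil(0.74, "1oo1"),
          " 1oo2:", loop_max_sil(0.74, "1oo2"))
    # Constructed failure rates per hour (assumption), e.g. from an FMEDA.
    sff = safe_failure_fraction(l_sd=2.0e-7, l_su=1.0e-7, l_dd=5.0e-8, l_du=7.3e-8)
    print(f"FMEDA example: SFF = {sff:.1%}, 1oo1 -> SIL {loop_max_sil(sff, '1oo1')}, "
          f"1oo2 -> SIL {loop_max_sil(sff, '1oo2')}")
```

The lookup is only the architectural constraint. A loop that passes it still has to meet the PFD band for the target SIL at the chosen proof test interval, and the systematic capability of each element must also cover the target SIL; the table bounds the SIL from above, it does not grant it.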
PROCESS AUTOMATION – PROTECTING YOUR PROCESS
For over half a century, Pepperl+Fuchs has continually provided new concepts for the world of process automation. Our company sets standards in quality and innovative technology. We develop, produce and distribute electronic interface modules, human-machine interfaces and hazardous location protection equipment on a global scale, meeting the most demanding needs of industry. Thanks to our worldwide presence and our high flexibility in production and customer service, we are able to offer individual complete solutions, wherever and whenever you need us. We are the recognised experts in our technologies: Pepperl+Fuchs has earned a strong reputation by supplying the world's largest process industry companies with the broadest line of proven components for a diverse range of applications.
Worldwide/German Headquarters: Pepperl+Fuchs GmbH, Mannheim, Germany, Tel. +49 621 776 2222, E-Mail: pa-info@de.pepperl-fuchs.com
Asia Pacific Headquarters: Pepperl+Fuchs PTE Ltd., Singapore, Company Registration No. 199003130E, Tel. +65 6779 9091, E-Mail: pa-info@sg.pepperl-fuchs.com
Western Europe & Africa Headquarters: Pepperl+Fuchs N.V., Schoten/Antwerp, Belgium, Tel. +32 3 6442500, E-Mail: pa-info@be.pepperl-fuchs.com
Northern Europe Headquarters: Pepperl+Fuchs GB Ltd., Oldham, England, Tel. +44 161 6336431, E-Mail: pa-info@gb.pepperl-fuchs.com
Middle East/India Headquarters: Pepperl+Fuchs M.E (FZE), Dubai, UAE, Tel. +971 4 883 8378, E-Mail: pa-info@ae.pepperl-fuchs.com
Southern/Eastern Europe Headquarters: Pepperl+Fuchs Elcon srl, Sulbiate, Italy, Tel. +39 039 62921, E-Mail: pa-info@it.pepperl-fuchs.com
North/Central America Headquarters: Pepperl+Fuchs Inc., Twinsburg, Ohio, USA, Tel. +1 330 486 0002, E-Mail: pa-info@us.pepperl-fuchs.com
Southern America Headquarters: Pepperl+Fuchs Ltda., São Bernardo do Campo, SP, Brazil, Tel. +55 11 4341 8448, E-Mail: pa-info@br.pepperl-fuchs.com
www.pepperl-fuchs.com · Subject to modifications · Copyright PEPPERL+FUCHS · Printed in Germany · Part No. 126933 · 10/08 · 02