
Functional Safety in Process Automation

Risk Reduction Through SIL Classification

IEC 61508 / 61511: international safety engineering standards
Integrated checking and functional safety of electronic control systems
Fail-safe components for plant risk reduction

Instrumentation

Conclusions from Damage in the Past


Historical Background of Effective Safety Thinking

On July 10, 1976, a chemical accident happened in the small town of Seveso in northern Italy. Highly toxic dioxin (TCDD) was released into the air, causing tremendous damage to people and nature. The accident was caused by uncontrolled overheating, resulting in an overpressure that destroyed a safety device. The reactor had no automatic cooling system. When the incident occurred, no skilled chemical staff were on site. It was pure chance that the quantity of toxic gas that escaped was not even higher.

Legislative measures
As a consequence of the Seveso accident, the acts, directives and regulations for the protection of people, nature and the environment were tightened. In the mid-1980s the European Community adopted the so-called Seveso I Directive, which was later replaced by the Seveso II Directive (Council Directive 96/82/EC). This was a fundamental change to the legal basis for the control of plants with major accident hazards.

In Germany, the Hazardous Incident Ordinance (12. BImSchV), issued under the Federal Immission Control Act, was adopted on April 26, 2000. The Ordinance refers to DIN 19250 and DIN 19251, which define the requirement classes AK 1 to AK 8 for the realization of the requested measures. DIN 19250 and DIN 19251 expire on July 31, 2004. IEC 61508 and IEC 61511 provide an adequate basis for risk assessment and for the certification of assessed systems, ensuring compliance with the Ordinance in the future.

IEC 61508 / IEC 61511

Protection of people, nature and the environment: these standards define four safety integrity levels (SIL1 to SIL4), each stipulating the measures required for the risk management of a plant part.

Parameters for Device Classification


Safety Evaluation of Process Instruments

ABB field instruments undergo extensive analyses and tests, performed in close co-operation with an independent body and documented in detail. This is required for the conformity assessment that determines whether or not a device complies with the SIL requirements of IEC 61508 or IEC 61511 for a specific safety chain.

FMEDA (Failure Mode, Effect and Diagnostics Analysis)

The hardware of a device is analyzed to evaluate its suitability for a specific application, e.g. by examining the structure of the electronics. Together with the investigation of the mechanical and electromechanical components, this yields the failure rates of the device that are needed for the SIL determination. Three parameters resulting from the FMEDA are used for the SIL classification of the device: the SFF, the HFT and the PFD.

SFF (Safe Failure Fraction)

This value represents the fraction of device failures that are safe. An SFF of 79 % means, for example, that 79 out of 100 device failures do not affect the safety function of the device. The SFF is used together with the HFT to determine the highest SIL for which the device may be used.

HFT (Hardware Fault Tolerance)

The HFT of a device indicates how many hardware faults the safety function tolerates:

HFT = 0: single-channel use. A single fault may cause loss of the safety function.
HFT = 1: redundant version. At least two hardware faults must occur at the same time to cause loss of the safety function.
HFT = 2: dual-redundant version. At least three hardware faults must occur at the same time to cause loss of the safety function.

Highest SIL permitted as a function of SFF and HFT (this is the IEC 61508-2 table for type B subsystems, i.e. complex devices such as microprocessor-based instruments; the combination HFT = 0 with SFF < 60 % is not permitted):

HFT     SFF < 60 %       60 to 90 %     90 to 99 %     > 99 %
0       not permitted    SIL1           SIL2           SIL3
1       SIL1             SIL2           SIL3           SIL4
2       SIL2             SIL3           SIL4           SIL4


PFD (Probability of Failure on Demand)

The probability of failure on demand (PFD) is a further measure of how far a device is suitable for use in safety-relevant plant parts. It is the probability that the device fails to perform its safety function when a demand occurs, averaged over the proof-test interval (PFDavg); the value is therefore only meaningful together with the test interval on which it is based.

SIL as a function of PFDavg (low-demand mode, IEC 61508-1):

SIL1   10^-2 <= PFDavg < 10^-1
SIL2   10^-3 <= PFDavg < 10^-2
SIL3   10^-4 <= PFDavg < 10^-3
SIL4   10^-5 <= PFDavg < 10^-4

General Safety Evaluations

Besides the evaluations of the parameters listed above, other, more general analyses of the field instruments are performed:

GAP analysis: verification of the development process for compliance with the requirements of IEC 61508. The firmware, the product documentation and the test procedures in particular are investigated thoroughly.

Immunity: the device is tested for immunity to external influences such as EMI, RFI and environmental disturbances.

SIL Certification of a Positioner as an Example


From the Parameters to the Classified Device

SIL Device Classification (Example: ABB Positioners TZIDC / TZIDC-200)


The electronically programmable positioner TZIDC for attachment to pneumatic actuators is available in various communication variants. The FMEDA yields an SFF of 85 %. As a single-channel device, the positioner TZIDC has an HFT of 0 in accordance with IEC 61508.

When the SFF and HFT values are entered in the relevant table, the SIL reachable for these two values can be read off (column SFF 60 to 90 %):

HFT = 0: SIL1
HFT = 1: SIL2
HFT = 2: SIL3

With HFT = 0 the table alone gives SIL1. As the positioner TZIDC is a proven-in-use device and meets the further safety-relevant requirements, the SIL value obtained from the table can be increased by one in accordance with IEC 61511 (HFT = 0). The positioner TZIDC is therefore suitable for use in SIL2 safety loops as far as the HFT and SFF values are concerned.

The PFDavg value of the positioner TZIDC was calculated with the FMEDA on the basis of a one-year proof-test interval and resulted in 7.52 x 10^-4. This lies in the band 10^-4 <= PFDavg < 10^-3, so with regard to this value, the most important one in the safety chain, the positioner is suitable for use in SIL3.

Declaration of SIL Conformity

In order to assist the user in selecting the appropriate devices for his safety loops, ABB provides a Declaration of SIL Conformity for each device. The specified SIL classification always refers to the weakest link, i.e. the lowest of the individual results: in the case of the positioner TZIDC it is limited by the SFF and HFT result to SIL2, even though the PFDavg alone would allow SIL3. As a rule, all general safety requirements for a Declaration of SIL Conformity must be met.

Classification Overview

Process instrument                          Type                            SIL level
2600T-Series
Transmitter for absolute pressure*          268Nx Safety, 268Vx Safety      SIL3
Transmitter for gauge pressure*             268Hx Safety, 268Px Safety      SIL3
Transmitter for differential pressure*      268Dx Safety                    SIL3
Transmitter for absolute pressure           264Nx, 264Vx, 265Ax             SIL2
Transmitter for gauge pressure              264Hx, 264Px, 265Gx             SIL2
Transmitter for differential pressure       264Bx, 264Dx, 265Dx, 265Jx      SIL2
Multivariable transmitter                   267Cx, 269Cx                    SIL2
2000T-Series
Transmitter for absolute pressure           2010TA, 2020TA                  SIL2
Transmitter for gauge pressure              2020TG                          SIL2
Transmitter for differential pressure       2010TD                          SIL2
Multivariable transmitter                   2010TC                          SIL2
Positioner                                  TZIDC                           SIL2
Positioner, ExD                             TZIDC-200                       SIL2
Option board for TZIDC                      Shutdown-Modul                  SIL2
Temperature transmitter, head-mounted       TH02, TH02-Ex                   SIL2
Temperature transmitter, rail-mounted       TH102, TH102-Ex                 SIL2
Temperature transmitter, field-mounted      TH202, TH202-Ex                 SIL2
Coriolis Mass Flowmeter                     FCM2000-MC2                     i. p.
Flowmeter (multi-variable)                  267Cx, 269Cx                    SIL2

x defines different variants
* Full redundancy version for hardware and software

Temperature sensors in conjunction with temperature transmitters are appropriate for SIL2.

Plant Certification
From Certified Devices to a Safe Plant

Assessment of the Entire Safety Loop

In order to ensure safe operation of a plant, the entire safety loops have to be examined and assessed for compliance with IEC 61508 or IEC 61511, respectively. A single safety loop comprises:

Sensor/Transmitter
Control system (logic solver)
Actuator (final element)

Risk Assessment

Prior to designing and calculating the safety loop, the so-called SIL assessment has to be performed, i.e. the safety integrity level (e.g. SIL2) with which the safety loop must comply has to be determined. IEC 61508 uses the risk graph for this purpose. From the starting point, the value of each risk parameter is chosen in turn (S, then A, then G) to select a branch, and the required SIL is read off in the column of the probability of occurrence (W).

Risk graph: risk parameters

Extent of damage (S)
S1: minor injuries of a person; minor harmful effects on the environment
S2: serious, irreversible injuries of one or more persons or death of a person; temporary major harmful effects on the environment
S3: death of several persons; lasting major harmful effects on the environment
S4: catastrophic effects, many fatalities

Frequency and duration of exposure of persons (A)
A1: seldom to once in a while
A2: frequently to permanently

Risk avoidance (G)
G1: possible under special conditions
G2: hardly possible

Probability of occurrence (W)
W1: very low
W2: low
W3: relatively high

Risk graph: resulting SIL as printed in the figure, one row per probability of occurrence and one entry per branch from the lowest-risk branch to the highest (the rows for W2 and W1 have fewer entries because the lowest-risk branches have no SIL requirement at those demand rates):

W3 (relatively high): SIL1, SIL1, SIL2, SIL3, SIL3, SIL4, SIL4
W2 (low): SIL1, SIL1, SIL2, SIL3, SIL3, SIL4
W1 (very low): SIL1, SIL1, SIL2, SIL3, SIL3

The SIL assessment thus yields, from the evaluation of the risk parameters, the SIL with which the respective safety loop must comply.

Plant Control during Operation
TRAC and TRAMS: Documentation Software at its Finest

Safety Loop Design

Upon SIL assessment, a safety loop can be designed in accordance with the calculation formulas specified in IEC 61508 / 61511. It is important to be aware that even when exclusively SIL-classified components are used, this does not necessarily mean that the entire safety chain of the plant complies with the respective SIL rating: the PFDavg values of all components, for example, must be added up, and the sum must be assessed against the SIL table again. The result also depends on the proof-test interval on which each PFDavg value is based; the TZIDC value of 7.52 x 10^-4 given above, for instance, applies to a one-year interval.

Another way to certify and design safety loops is described in the NAMUR recommendation on statistical evaluations. The user should agree with the local authorities which method, the NAMUR recommendation or IEC 61508 / 61511, is to be used.

ABB offers a special tool for this purpose: TRAC (Trip Requirement and Availability Calculator). The TRAC Software from ABB is a special program providing a powerful MS Access database for organizing all safety loops of the plant. This tool covers all plant certification aspects from SIL assessment to safety loop design and calculation in accordance with IEC 61508. All decisions and calculation bases are recorded and archived.

Operation of a Safety-Assessed Plant

During permanent operation of a safety-assessed plant, the safety function of all safety loops must be tested on a regular basis. For this purpose, individual test routines have to be defined, executed and logged. ABB also offers a special tool for this application: TRAMS (Trip and Alarm Management System). The TRAMS Software from ABB is the user's assistant for the operation of a safety-assessed plant. It provides for efficient management of all test routines and the test results of all safety loops in accordance with IEC 61508. Monthly reports and statistics of the test results, relevant alarms and messages can be generated. The primary goal is to match the calculated processes with the actual plant conditions and to achieve an optimum balance between the required test frequency for the safety loops and an economical and efficient production process.
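The arithmetic behind the two procedures described in this brochure, the classification of a single device from its SFF, HFT and PFDavg (the TZIDC example above) and the summation of PFDavg values over a whole safety loop (Safety Loop Design), as an added Python example. This is not ABB code and not part of the brochure. The SFF/HFT and PFDavg tables are the ones printed on this page; the TZIDC figures (SFF 85 %, HFT 0, PFDavg 7.52 x 10^-4 at a one-year proof-test interval) are taken from the example above; the transmitter and logic-solver failure rates, the simplified 1oo1 formula PFDavg ~= lambda_DU x TI / 2 from IEC 61508-6, and the cap of the prior-use credit at SIL3 are this example's own assumptions.

```python
"""SIL arithmetic for one device and for a whole safety loop (added example)."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# SFF columns as printed on the page: < 60 %, 60-90 %, 90-99 %, >= 99 %
SFF_EDGES = (0.60, 0.90, 0.99)

# The page's SFF/HFT table (IEC 61508-2 architectural constraints, type B
# subsystem): rows HFT 0/1/2, columns the four SFF bands, 0 = not permitted.
ARCH_SIL = {0: (0, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)}


def sff_band(sff: float) -> int:
    """Column index 0..3 of the SFF table for a fraction such as 0.85."""
    return sum(sff >= edge for edge in SFF_EDGES)


def sil_from_architecture(sff: float, hft: int, prior_use: bool = False) -> int:
    """Highest SIL the HFT/SFF table permits; 0 = not usable in a safety loop.

    prior_use applies the IEC 61511 credit the page invokes for the TZIDC: a
    proven-in-use device gains one level on this table. Capping the credited
    result at SIL3 is an assumption of this example, not a statement of the page.
    """
    sil = ARCH_SIL[hft][sff_band(sff)]
    if prior_use and sil:
        sil = min(sil + 1, 3)
    return sil


def sil_from_pfd(pfd_avg: float) -> int:
    """Band from the page's PFDavg table: SIL n <=> 10^-(n+1) <= PFDavg < 10^-n.

    Returns 0 for PFDavg >= 1e-1 (no SIL); values below 1e-5 are capped at SIL4.
    """
    if pfd_avg <= 0:
        raise ValueError("PFDavg must be positive")
    for sil in (4, 3, 2, 1):
        if pfd_avg < 10.0 ** -sil:
            return sil
    return 0


def classify_device(sff: float, hft: int, pfd_avg: float, prior_use: bool = False) -> dict:
    """A device's SIL is the weaker of its architectural and its PFDavg result."""
    arch = sil_from_architecture(sff, hft, prior_use)
    pfd = sil_from_pfd(pfd_avg)
    return {"sil_architecture": arch, "sil_pfd": pfd, "sil": min(arch, pfd)}


@dataclass
class Element:
    """One 1oo1 element of a safety loop: sensor, logic solver or final element."""
    name: str
    lambda_du: float         # dangerous undetected failure rate, per hour
    proof_test_years: float  # proof-test interval TI

    def pfd_avg(self) -> float:
        """Simplified 1oo1 formula of IEC 61508-6, PFDavg ~= lambda_DU * TI / 2
        (no repair time, no diagnostic credit); usable while lambda_DU * TI << 1."""
        return self.lambda_du * self.proof_test_years * HOURS_PER_YEAR / 2


def lambda_du_from_pfd(pfd_avg: float, proof_test_years: float) -> float:
    """Invert the same formula to recover lambda_DU from a published PFDavg."""
    return 2 * pfd_avg / (proof_test_years * HOURS_PER_YEAR)


def assess_loop(elements, target_sil: int) -> dict:
    """Loop PFDavg is the sum over the elements; the loop SIL is the band of
    that sum, which can be lower than the SIL of every single element."""
    total = sum(e.pfd_avg() for e in elements)
    achieved = sil_from_pfd(total)
    return {
        "pfd_avg": total,
        "sil": achieved,
        "meets_target": achieved >= target_sil,
        "element_sils": {e.name: sil_from_pfd(e.pfd_avg()) for e in elements},
    }


if __name__ == "__main__":
    # Page data: TZIDC with SFF 85 %, HFT 0, PFDavg 7.52e-4 at TI = 1 year.
    print("TZIDC:", classify_device(0.85, 0, 7.52e-4, prior_use=True))

    # The same positioner at a two-year proof-test interval lands in the SIL2 band.
    lam = lambda_du_from_pfd(7.52e-4, 1.0)
    print("TZIDC PFDavg at 2 years:", Element("TZIDC", lam, 2.0).pfd_avg())

    # Constructed loop; the transmitter and logic-solver rates are assumed values.
    loop = [
        Element("pressure transmitter (assumed)", 3.0e-7, 1.0),
        Element("logic solver (assumed)", 5.0e-8, 1.0),
        Element("TZIDC positioner", lam, 1.0),
    ]
    print("loop:", assess_loop(loop, target_sil=2))

    # Three elements that each sit in the SIL2 PFD band add up to a SIL1 loop.
    weak = [Element(f"SIL2 element {i} (assumed)", 1.0e-6, 1.0) for i in range(3)]
    print("weak loop:", assess_loop(weak, target_sil=2))
```

Running the file reproduces the brochure's result for the TZIDC (SIL1 from the table, SIL2 with the prior-use credit, SIL3 from the PFDavg band, overall SIL2) and then shows the two points the loop design section makes: three elements that each sit in the SIL2 PFDavg band sum to a SIL1 loop, and stretching the positioner's proof-test interval from one to two years moves its PFDavg from the SIL3 band into the SIL2 band, which is why the interval has to be recorded together with the PFDavg value.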

The IndustrialIT wordmark and all mentioned product names in the form XXXXXXIT are registered or pending trademarks of ABB. ABB has Sales & Customer Support expertise in over 100 countries worldwide. www.abb.com/instrumentation

The Company's policy is one of continuous product improvement and the right is reserved to modify the information contained herein without notice. Printed in the Fed. Rep. of Germany (03.2004). ABB 2004. 3KDE010001R5001 Rev. A

ABB Automation Products GmbH Borsigstrasse 2 63755 Alzenau GERMANY E-Mail Customer Care Center: CCC-support.deapr@de.abb.com
