Functional Safety: Component selection according to IEC 61511
Presentation
Michaël GROSSI: Ex / SIL Product manager @
- Degree in Instrumentation & Measurement
- More than 10 years' experience in the Functional Safety environment (IEC 61511); CFSE by French notified body INERIS; IEC 61508 experience
- More than 15 years' experience in hazardous area environments; certified ATEX trainer, ISM-ATEX level 3, by French notified body INERIS
: Danish manufacturer of signal conditioning equipment, 40 years of expertise. Among the first suppliers to provide FSM and full assessment for equipment.
Content
Functional Safety (SIL) component selection according to IEC 61511 and full assessment to IEC 61508. IEC 61511 offers end users two different routes for selecting components to be used in Safety Functions. These two routes have a different impact on requirements and cost. How does this affect end users, and what do manufacturers need to supply their customers to meet the requirements?
Statement of the IEC 61511
Requirement when selecting the component according to IEC 61511
SIS Safety life cycle phases
Within all phases, one is dedicated to the selection of components to be used in SIFs: Clause 11.5, Requirements for selection of components and subsystems.
SIS Design and Engineering
An end-user has two possibilities when selecting components or sub-systems to be implemented in Safety Instrumented Functions: either the end-user can show that the device has a prior-use history in accordance with the requirements of IEC 61511, or the device was developed and assessed according to IEC 61508 (this corresponds to an IEC 61508 full assessment). It is very important to notice that the first route is to be fulfilled by the end-user only.
Requirements for Prior use evidence
The Prior-Use clause of IEC 61511 states the following:
IEC 61511-1, Section 11.5.3.1: Appropriate evidence shall be available that the components and sub-systems are suitable for use in the safety instrumented system.
IEC 61511, Section 11.5.3.2: The appropriate evidence for devices must be a documented case that includes:
- Consideration of the manufacturer's quality, management and configuration management systems
- Adequate identification and specification of the components or subsystems
- Demonstration of the performance of the components or sub-systems in similar operating profiles and physical environments
- The volume of operating experience
Requirements for Prior use evidence
Consideration of the manufacturer's quality, management and configuration management systems?
- ISO 9000 is a minimum at the manufacturer.
- The design process must be documented.
- A safety manual shall be available.
- A detailed FMEDA report should be supplied to provide failure rates.
- More attention should be paid at higher SIL levels (2 or 3).
Adequate identification and specification of the components or subsystems? (Description of the components, including design revision information?)
- Hardware and software version control is to be known from the manufacturer.
- Audit of the return data and field failure experience feedback system for SIL 3.
Requirements for Prior use evidence
Demonstration of the performance of the components or sub-systems in similar operating profiles and physical environments, on the plant, within the company?
- Do you manage all operating profiles at your plant? Type of device, environmental conditions, ...
- The performance of similar non-safety applications should also be deemed to satisfy the requirement.
The volume of operating experience? Do you have the necessary recorded experience?
- User list of approved equipment, based on an extensive history of successful performance.
- The list of field devices must be updated and monitored; sufficient experience only.
- The operating environment must be included.
Prior-use justification for component selection requires high resources and cost.
Requirements for Hardware Fault Tolerance
Sensors, final elements and non-PE logic solvers

SIL | Minimum Hardware Fault Tolerance
    | Proven-in-use component | Sensors and final elements
 1  | 0                       | 0
 2  | 0                       | 1
 3  | 1                       | 2
 4  | Special requirements apply (see IEC 61508)

Alternative fault tolerance requirements may be used, providing an assessment is made in accordance with the requirements of IEC 61508-2, Tables 2 and 3 (Type A & Type B components).
Assessment of component according to IEC 61508
Component certification to IEC 61508: Compliance
The IEC 61508 standard states: "To conform to this standard it shall be demonstrated that the requirements have been satisfied to the required criteria specified (for example safety integrity level) and therefore, for each clause or sub-clause, all the objectives have been met."
In practice, demonstration of compliance often involves listing all of the IEC 61508 requirements with an explanation of how each has been met. This applies both to products developed to meet IEC 61508 and to specific application projects wishing to claim compliance. The FSM system has to be assessed.
Component certification to IEC 61508
For a manufacturer, being IEC 61508 compliant means being fully compliant with the standard, not just a part of it.
- Part 1: General requirements
- Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems (required for compliance)
- Part 3: Software requirements (required for compliance)
- Parts 4 to 7 are supporting information
A Type A component shall be Part 2 compliant; a Type B component shall be Part 2 and Part 3 compliant.
Component certification to IEC 61508
- A Functional Safety Management system (FSM) must be created and assessed at the manufacturer: competent and trained persons, independence, safety management plan, safety life cycle.
- A hardware assessment is to be performed for Type A devices: safety life cycle, failure rates (FMEDA, failure rates λ, SFF, HFT, ...).
- A software assessment is performed for each Type B device: software functional safety plan, SW safety life cycle, fault injection, ..., validation planning, SW safety validation, operation and modification, verification.
SIL capability is the result of all assessments.
Functional Assessment
Safety Integrity Level evaluation (IEC 61508-2, Tables 2 and 3)

Sub-system Type A | SFF < 60% | 60% - 90% | 90% - 99% | > 99%
HFT 0             | SIL 1     | SIL 2     | SIL 3     | SIL 3
HFT 1             | SIL 2     | SIL 3     | SIL 4     | SIL 4
HFT 2             | SIL 3     | SIL 4     | SIL 4     | SIL 4

Sub-system Type B | SFF < 60% | 60% - 90% | 90% - 99% | > 99%
HFT 0             | -         | SIL 1     | SIL 2     | SIL 3
HFT 1             | SIL 1     | SIL 2     | SIL 3     | SIL 4
HFT 2             | SIL 2     | SIL 3     | SIL 4     | SIL 4

The evaluation is made in relation to the HFT and SFF of each device; the FMEDA report rates the device to the reachable SIL level.
Functional Assessment
Being IEC 61508 compliant means being fully compliant with the standard, not only part of it. The manufacturer should provide:
- Functional Safety Management System certificate
- Software and/or Hardware Assessment Report
- FMEDA report
- Safety Manual
- SIL Capable Certificate
Covering all IEC 61508 requirements, the product can thus be selected according to the IEC 61511 clause.
Safety Manual (both routes)
Requirements on the safety manual to be supplied by the manufacturer in any case:
- Functional specification and safety function; identification of HW and SW version
- Estimated rate of failure in any mode which would cause undetected and detected dangerous failures of the safety function (with assumptions)
- Environment and lifetime limits for the sub-system
- Periodic proof tests and/or maintenance requirements: test coverage, Tproof interval, procedures
- Information necessary for PFDavg: MTTR, MTBF, SFF, λdu, λtotal, hardware fault tolerance and failure categories
- Highest SIL that can be claimed (attention to the PFDavg %)
- Documentary evidence for the sub-system's validation
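As an added worked example (not part of the presentation), the following Python shows how the FMEDA figures a safety manual must list (λsd, λsu, λdd, λdu, HFT, Tproof) turn into the "highest SIL that can be claimed": the architectural constraint from the SFF/HFT tables of the Functional Assessment slide, and the PFDavg band from the simplified 1oo1 low-demand formula PFDavg ≈ λdu × Tproof / 2 (the IEC 61508-6 simplification, ignoring MTTR and common-cause terms). The failure rates and proof-test intervals are constructed sample values.

```python
from dataclasses import dataclass
# Architectural constraints (IEC 61508-2 Tables 2 and 3): TABLE[hft][sff_band] -> max SIL, 0 = none
SFF_BANDS = ((0.0, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.01))  # <60%, 60-90%, 90-99%, >99%
TYPE_A = ((1, 2, 3, 3), (2, 3, 4, 4), (3, 4, 4, 4))
TYPE_B = ((0, 1, 2, 3), (1, 2, 3, 4), (2, 3, 4, 4))
# Low-demand PFDavg bands (IEC 61508-1): PFDavg strictly below the upper bound -> SIL
PFD_BANDS = ((1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1))

@dataclass(frozen=True)
class Fmeda:
    """Failure rates in failures per hour, as listed in an FMEDA report (constructed sample values)."""
    lam_sd: float  # safe detected
    lam_su: float  # safe undetected
    lam_dd: float  # dangerous detected
    lam_du: float  # dangerous undetected

    def sff(self) -> float:
        """Safe failure fraction: share of all failures that are not dangerous undetected."""
        total = self.lam_sd + self.lam_su + self.lam_dd + self.lam_du
        if total <= 0:
            raise ValueError("FMEDA total failure rate must be positive")
        return 1.0 - self.lam_du / total

def sil_from_architecture(sff: float, hft: int, type_b: bool) -> int:
    """Max SIL allowed by the architectural constraint table for this SFF band and HFT."""
    table = TYPE_B if type_b else TYPE_A
    band = next(i for i, (lo, hi) in enumerate(SFF_BANDS) if lo <= sff < hi)
    return table[min(hft, 2)][band]

def pfd_avg_1oo1(lam_du: float, t_proof_h: float) -> float:
    """Simplified 1oo1 low-demand PFDavg: dangerous undetected rate times half the proof-test interval."""
    return lam_du * t_proof_h / 2.0

def sil_from_pfd(pfd: float) -> int:
    """SIL band reached by PFDavg; 0 if PFDavg is too high even for SIL 1."""
    for upper, sil in PFD_BANDS:
        if pfd < upper:
            return sil
    return 0

def claimable_sil(f: Fmeda, hft: int, type_b: bool, t_proof_h: float) -> int:
    """Highest SIL claimable in the application: the lower of the two constraints."""
    return min(sil_from_architecture(f.sff(), hft, type_b),
               sil_from_pfd(pfd_avg_1oo1(f.lam_du, t_proof_h)))

if __name__ == "__main__":
    dev = Fmeda(lam_sd=100e-9, lam_su=50e-9, lam_dd=200e-9, lam_du=20e-9)  # constructed sample
    print(f"SFF = {dev.sff():.1%}, Type B HFT 0 -> SIL {sil_from_architecture(dev.sff(), 0, True)}")
    for years in (1, 5, 15):  # a longer proof-test interval raises PFDavg and can lower the claimable SIL
        print(f"Type A, HFT 0, {years}-year proof test: SIL {claimable_sil(dev, 0, False, years * 8760)}")
```

The same SIL-capable device therefore ends up at a different SIL depending on the end user's proof-test interval, which is why the safety manual has to state Tproof and λdu and not just the certificate's SIL.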
Conclusion
Selection according to Prior Use:
- Many years of documented experience with no dangerous failure.
- No equipment certified to IEC 61508 available.
- HFT can be reduced for final elements.
- Several requirements must be documented for evidence.
- Safety and non-safety applications could be used for evidence if similar.
- For SIL 3 applications, a formal assessment must be carried out for smart devices.
- An FMEDA report helps end users; a safety manual is to be provided.
Assessed to IEC 61508:
- More and more products available.
- Many assessment projects at manufacturers.
- All standard requirements must be fulfilled.
- Equipment to be suitable for the application.
- Systematic and random failures covered.
- SIL capable certificate, FSM assessment, FMEDA reports and Safety Manual.
- The manufacturer enables the end user to select without prior-use evidence.