SIL Explanation

Product & Technology Quality . Excellence . Support SIL Explanation 27.JAN 2006 Automation & Safety

Transcript of SIL Explanation

Page 1: SIL Explanation

Product & Technology Quality . Excellence . Support

SIL Explanation 27.JAN 2006

Automation & Safety

Page 2: SIL Explanation

MAC - A.Wenigenrath - 26.JAN 06 - English 2

Machine Control - Industrial Presence Sensors / Control and Signaling / Machine Safety

Functional Safety and Safety Integrity Level (SIL) - New Technologies for the Safety of Machinery

Machine safety is a fast growing segment of industrial automation, driven by new technologies like safety field buses and integrated safety in drives, along with the development of international safety standards.

The new safety technologies like safety PLCs or safety field buses require the use of highly complex electronic components like microcontrollers and, of course, the use of firmware and software.

The revision of the existing ISO 13849-1 (equivalent to EN 954-1) and new standards within the framework of IEC/EN 61508 like IEC/EN 62061 take into account the use of these new technologies in safety products and solutions and provide guidelines to calculate the probability of failures.

With these new technologies and standards, an intelligent safety strategy can deliver both worker safety and cost savings.

Page 3: SIL Explanation

Functional Safety and Safety Integrity Level (SIL) - New Standards for the Safety of Machinery

Today more and more of the devices and products dedicated to the safety of machinery incorporate complex and programmable electronic systems. Due to the complexity of programmable electronic systems it is in practice difficult to determine the behaviour of such a safety device in the case of a fault. Therefore the standard IEC/EN 61508, with the title "Functional safety of electrical/electronic/programmable electronic safety-related systems", provides a new approach by considering the reliability of safety functions.

It is a basic safety standard for industry and the process sectors. IEC/EN 62061 is the machine sector specific standard within the framework of IEC/EN 61508. EN 62061 is harmonised under the European Machinery Directive. The Safety Integrity Level (SIL) is the new measure defined in IEC 61508 regarding the probability of failures in a safety function or a safety related system.

Note: IEC = International Electrotechnical Committee EN = European Norm

Page 4: SIL Explanation

Functional Safety and Safety Integrity Level (SIL) - Sector specific standards for the Process Industry and Machinery

IEC/EN 61508 - Functional safety of electrical / electronic / programmable electronic safety-related systems
– Process: IEC/EN 61511
– Machines: prEN ISO 13849-1*, IEC/EN 62061
– Software: IEC/EN 61508-3

Safety of Systems and Equipment: EN 954-1* - Safety related parts of control systems

* Covering the non-electrical technologies, e.g. hydraulics...

Page 5: SIL Explanation

Functional Safety and Safety Integrity Level (SIL) - Definition of Functional Safety according to IEC/EN 61508

Safety is freedom from unacceptable risk (from ISO/IEC Guide 51).

Functional safety is a part of the overall safety related to the EUC and the EUC control system. It depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.

Note: EUC = equipment under control; E/E/PE = electrical / electronic / programmable electronic

Safety Integrity Level (SIL): The scale of the achieved functional safety is divided into 4 levels*. It depends on the probability of dangerous failures together with the fault tolerance and the quality by which freedom from systematic faults is ensured.

Note: Safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest.

Page 6: SIL Explanation

Functional Safety and Safety Integrity Level (SIL) - Risk reduction according to IEC/EN 61508

Safety is achieved by risk reduction (for those hazards that cannot be designed out). Residual risk is the risk remaining after protective measures have been taken. Protective measures realised by E/E/PE safety related systems contribute to risk reduction.

Note: EUC = equipment under control; E/E/PE = electrical / electronic / programmable electronic

[Figure: risk reduction diagram of IEC/EN 61508. An axis of increasing risk runs from the residual risk past the tolerable risk to the EUC risk. Against it are drawn the necessary risk reduction and the actual risk reduction, the latter being the risk reduction achieved by all safety-related systems and external risk reduction facilities, made up of the practical risk covered by other technology safety-related systems, the practical risk covered by E/E/PE safety-related systems and the practical risk covered by external risk reduction facilities.]

Page 7: SIL Explanation

Functional Safety and Safety Integrity Level (SIL) - The safety integrity levels consider the probability of failures

For machinery, the probability of dangerous failures per hour of a control system is denoted in IEC/EN 62061 as the PFHd.

IEC 61508 considers two modes of operation:
– high demand or continuous mode, where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof check frequency; or
– low demand mode, where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency.

The low demand mode is not considered in IEC/EN 62061 to be relevant for safety applications at machinery!

SIL 4 is not considered in IEC/EN 62061, as it is not relevant to the risk reduction requirements normally associated with machinery.

Safety integrity level   High demand or continuous mode of operation      Low demand mode of operation
SIL                      (probability of a dangerous failure per hour)    (average probability of failure to perform its design function on demand)
                         PFHd [1/h]                                       PFDaverage
4                        >= 10^-9 to < 10^-8                              >= 10^-5 to < 10^-4
3                        >= 10^-8 to < 10^-7                              >= 10^-4 to < 10^-3
2                        >= 10^-7 to < 10^-6                              >= 10^-3 to < 10^-2
1                        >= 10^-6 to < 10^-5                              >= 10^-2 to < 10^-1

Page 8: SIL Explanation

Functional Safety and Safety Integrity Level (SIL) - The safety integrity levels are identified by the probability of failures

The rate of failures can be expressed as follows: λ = λs + λdd + λdu
(λs = rate of safe failures, λdd = rate of detected dangerous failures, λdu = rate of undetected dangerous failures). In practice, detected dangerous failures are dealt with by fault reaction functions.

The calculation of the PFHd for a system or subsystem depends on several parameters:
– the dangerous failure rate (λd) of the subsystem elements
– the fault tolerance (e.g. redundancy) of the system
– the diagnostic test interval (T2)
– the proof test interval (T1) or lifetime, whichever is smaller
– the susceptibility to common cause failures

For each of the four different logical architectures A to D there is a different formula to calculate the PFHd. (The principal relationship is: PFHd = λd x 1h)

Page 9: SIL Explanation

Functional Safety and Safety Integrity Level (SIL) - Risk graph of IEC/EN 61508-5 (given as an example in an informative Annex)

a, b, c, d, e, f, g, h represent the necessary minimum risk reduction. The link between the necessary minimum risk reduction and the safety integrity level is shown in the table.

[Figure: risk graph. From the starting point for risk reduction estimation the graph branches on C1, C2, C3, C4, then on F1/F2, then on P1/P2; the resulting rows are read against the columns W3, W2, W1. Column W3 holds the entries a to h, column W2 holds a to g and one "-", column W1 holds a to f and two "-".]

C = Consequence risk parameter
F = Frequency and exposure time risk parameter
P = Probability of avoiding hazard risk parameter
W = Probability of unwanted occurrence
a, b, c ... h = Estimates of the required risk reduction for the SRSs

Necessary minimum risk reduction   Safety integrity level
-                                  No safety requirements
a                                  No special safety requirements
b, c                               1
d                                  2
e, f                               3
g                                  4
h                                  An E/E/PE SRS is not sufficient

Page 10: SIL Explanation

Functional Safety and Safety Integrity Level (SIL) - Risk parameters given as an example in IEC/EN 61508

Page 11: SIL Explanation

Safety of Machinery and Functional Safety - Machinery: Risk estimation and SIL assignment of IEC/EN 62061 (given as an example in an informative Annex)

Risk related to the identified hazard = Severity of the possible harm (Se) and Probability of occurrence of that harm, where the probability of occurrence of that harm is made up of:
– Frequency and duration of exposure (Fr)
– Probability of occurrence of a hazardous event (Pr)
– Probability of avoiding or limiting harm (Av)

Page 12: SIL Explanation

Safety of Machinery and Functional Safety - Machinery: Risk parameter examples of IEC/EN 62061

Consequences                                                  Severity (Se)
Irreversible: death, losing an eye or arm                     4
Irreversible: broken limb(s), losing a finger(s)              3
Reversible: requiring attention from a medical practitioner   2
Reversible: requiring first aid                               1

Frequency of exposure (duration > 10 min)                     Frequency and duration of exposure (Fr)
<= 1 h                                                        5
> 1 h to <= 1 day                                             5
> 1 day to <= 2 weeks                                         4
> 2 weeks to <= 1 year                                        3
> 1 year                                                      2

Probability of occurrence                                     Probability (Pr)
Very high                                                     5
Likely                                                        4
Possible                                                      3
Rarely                                                        2
Negligible                                                    1

Probability of avoiding or limiting harm                      Av
Impossible                                                    5
Rarely                                                        3
Probable                                                      1

List all the possible hazards of the machine, determine the parameters according to the tables and fill in the values. The Class Cl is the sum: Fr + Pr + Av = Cl

Serial no.   Hazard   Se   Fr   Pr   Av   Cl
1
2
3
4

Page 13: SIL Explanation

Safety of Machinery and Functional Safety - Machinery: Determination of the required SIL. Example according to IEC/EN 62061

(The parameter tables for Se, Fr, Pr and Av are the same as on page 12.)

Serial no.   Hazard     Se   Fr   Pr   Av   Cl
1            hazard x   4    5    4    3    12

Cl = Fr + Pr + Av = 5 + 4 + 3 = 12

Page 14: SIL Explanation

Safety of Machinery and Functional Safety - Machinery: Risk assessment form given as an example in IEC/EN 62061

Risk assessment and safety measures
Product:          Issued by:          Date:

Black area = Safety measures required
Grey area = Safety measures recommended

SIL assignment (rows: Consequences / Severity Se; columns: Class Cl)

Se                                Cl 3-4   Cl 5-7   Cl 8-10   Cl 11-13   Cl 14-15
4  Death, losing an eye or arm    SIL 2    SIL 2    SIL 2     SIL 3      SIL 3
3  Permanent, losing fingers               OM       SIL 1     SIL 2      SIL 3
2  Reversible, medical attention                    OM        SIL 1      SIL 2
1  Reversible, first aid                                      OM         SIL 1

Frequency and duration (Fr): <= 1 hour 5; > 1 h to <= 1 day 5; > 1 day to <= 2 wks 4; > 2 wks to <= 1 year 3; > 1 year 2
Probability of hzd. event (Pr): Common 5; Likely 4; Possible 3; Rarely 2; Negligible 1
Avoidance (Av): Impossible 5; Possible 3; Likely 1

No.   Hazard   Se   Fr   Pr   Av   Cl   Safety Measure   Safe   Comments
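The SIL assignment procedure of pages 12 to 14 (score Se, Fr, Pr and Av, form Cl = Fr + Pr + Av, read the Se-by-Cl matrix), as an added Python example that is not part of the slides or of the standard itself; the matrix cells and the allowed scores are taken from the tables above, and "OM" is carried over as it appears on the form.

```python
"""Added example: IEC/EN 62061 SIL assignment as shown on pages 12 to 14."""

# Column bands of the Se-by-Cl matrix on page 14: Cl 3-4, 5-7, 8-10, 11-13, 14-15
CL_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))

# Rows indexed by severity Se. "SIL n" = black area (safety measures required),
# "OM" = grey area (safety measures recommended), None = no entry in the matrix.
SIL_MATRIX = {
    4: ("SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"),
    3: (None, "OM", "SIL 1", "SIL 2", "SIL 3"),
    2: (None, None, "OM", "SIL 1", "SIL 2"),
    1: (None, None, None, "OM", "SIL 1"),
}

# Values each parameter may take according to the tables on page 12
ALLOWED = {"Se": {1, 2, 3, 4}, "Fr": {2, 3, 4, 5}, "Pr": {1, 2, 3, 4, 5}, "Av": {1, 3, 5}}

def check(name: str, value: int) -> int:
    """Reject scores that do not appear in the corresponding table."""
    if value not in ALLOWED[name]:
        raise ValueError(f"{name}={value} is not a value from the page 12 tables")
    return value

def risk_class(fr: int, pr: int, av: int) -> int:
    """Cl = Fr + Pr + Av (page 12)."""
    return check("Fr", fr) + check("Pr", pr) + check("Av", av)

def required_sil(se: int, cl: int):
    """Matrix cell for severity Se and class Cl: 'SIL n', 'OM' or None."""
    check("Se", se)
    for column, (low, high) in enumerate(CL_BANDS):
        if low <= cl <= high:
            return SIL_MATRIX[se][column]
    raise ValueError(f"Cl={cl} is outside the matrix range 3..15")

def assess(serial_no: int, hazard: str, se: int, fr: int, pr: int, av: int) -> dict:
    """One filled-in row of the risk assessment form on page 14."""
    cl = risk_class(fr, pr, av)
    return {"No.": serial_no, "Hazard": hazard, "Se": se, "Fr": fr, "Pr": pr,
            "Av": av, "Cl": cl, "Required": required_sil(se, cl)}

if __name__ == "__main__":
    # The worked row of page 13: hazard x, Se 4, Fr 5, Pr 4, Av 3 -> Cl 12 -> SIL 3
    print(assess(1, "hazard x", se=4, fr=5, pr=4, av=3))
```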

Page 15: SIL Explanation

Safety of Machinery: prEN ISO 13849-1, definition of MTTFd

Instead of a failure rate per hour (λ), prEN ISO 13849-1 uses the mean time to failure (MTTF) as the parameter for the probability of failures.

MTTF = mean time to failure [years]
– The mean time after installation of devices to any first failure.
– The relation between λ and MTTF is: MTTF = 1/λ

MTBF = mean time between failures
– Not relevant for devices which are not repaired.

MTTFd = mean time to dangerous failure
– The MTTFd is defined in prEN ISO 13849-1 as the expectation of the mean time to dangerous failure of a safety related part of a control system.

Page 16: SIL Explanation

Safety of Machinery: new parameters of prEN ISO 13849-1

prEN ISO 13849-1 adds three new parameters to the requirements of the categories of EN 954-1 in order to determine the Performance Level (PL):

MTTFd = mean time to dangerous failure
– Three levels of MTTFd are defined in this standard in order to classify the requirements of the categories and the performance levels (PL):

Denotation of mean time to dangerous failure   Range of MTTFd
low                                            3 years <= MTTFd < 10 years
medium                                         10 years <= MTTFd < 30 years
high                                           30 years <= MTTFd < 100 years

DC = diagnostic coverage
– DC = λdd / λd total (rate of detected dangerous failures divided by the total rate of dangerous failures)

Denotation of diagnostic coverage   Range of DC
none                                DC < 60%
low                                 60% <= DC < 90%
medium                              90% <= DC < 99%
high                                99% <= DC

CCF = common cause failure
– This parameter describes the failure of different items resulting from a single event. (The CCF can be estimated with the help of table I.1 in annex I of prEN ISO 13849-1.)

Page 17: SIL Explanation

Safety of Machinery: prEN ISO 13849-1 - Risk graph and parameters

[Figure: risk graph. From the starting point for the evaluation of the contribution to the risk reduction of a safety function, the graph branches on S1/S2, then on F1/F2, then on P1/P2, and ends at the required performance level (PLr) a, b, c, d or e, ordered from low contribution to risk reduction to high contribution to risk reduction.]

S = Severity of injury
S1 = Slight (normally reversible injury)
S2 = Serious (normally irreversible) injury including death

F = Frequency and/or exposure time to the hazard
F1 = Seldom to less often and/or the exposure time is short
F2 = Frequent to continuous and/or the exposure time is long

P = Possibility of avoiding the hazard or limiting the harm
P1 = Possible under specific conditions
P2 = Scarcely possible

Page 18: SIL Explanation

Safety of Machinery: prEN ISO 13849-1 - Probability of dangerous failure and performance level (PL)

In contrast to the pure categories, the performance levels now also refer to the failure rates per hour required for the safety related parts of the control system:

Performance level (PL) prEN ISO 13849-1   Average probability of a dangerous failure per hour [1/h]
a                                         >= 10^-5 to < 10^-4
b                                         >= 3 x 10^-6 to < 10^-5
c                                         >= 10^-6 to < 3 x 10^-6
d                                         >= 10^-7 to < 10^-6
e                                         >= 10^-8 to < 10^-7

The relation between the categories, the PL and the SIL is the following:

Category (EN 954-1, prEN 13849-1)   Performance level (PL) prEN ISO 13849-1   SIL (IEC 61508, EN 62061)
B                                   a                                         no special safety requirements
1                                   b                                         1
2                                   c                                         1
3                                   d                                         2
4                                   e                                         3
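To show how the quantities of pages 7, 8, 15, 16 and 18 fit together (λ = λs + λdd + λdu, DC = λdd / λd, MTTFd = 1/λd, the SIL bands for PFHd and the PL bands), here is an added Python example that is not from the slides or from any standard's own tooling. It assumes 8760 hours per year for the conversion to years and uses only the principal single-channel relationship PFHd = λd x 1h, not the architecture-specific formulas A to D, which the slides do not give.

```python
"""Added example: failure-rate quantities of pages 7, 8, 15, 16 and 18 in one place."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0  # assumption, used to express MTTFd in years
# Page 7, high demand / continuous mode: SIL n if lo <= PFHd < hi  [1/h]
SIL_BANDS = ((4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))
# Page 18: PL x if lo <= average probability of a dangerous failure per hour < hi
PL_BANDS = (("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
            ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4))
# Page 16: denotation of MTTFd [years] and of DC (upper bound 1.01 so DC = 100% is "high")
MTTFD_BANDS = (("low", 3, 10), ("medium", 10, 30), ("high", 30, 100))
DC_BANDS = (("none", 0.0, 0.60), ("low", 0.60, 0.90),
            ("medium", 0.90, 0.99), ("high", 0.99, 1.01))

def band(value, bands):
    """Label of the half-open range [lo, hi) containing value; None if outside all."""
    return next((label for label, lo, hi in bands if lo <= value < hi), None)

@dataclass
class FailureRates:
    """Per-hour rates, so that lambda = lambda_s + lambda_dd + lambda_du (page 8)."""
    lambda_s: float   # safe failures
    lambda_dd: float  # dangerous failures detected by diagnostics
    lambda_du: float  # dangerous failures left undetected

    @property
    def lambda_d(self) -> float:  # dangerous failure rate
        return self.lambda_dd + self.lambda_du

    def diagnostic_coverage(self) -> float:  # DC = lambda_dd / lambda_d (page 16)
        return self.lambda_dd / self.lambda_d

    def mttfd_years(self) -> float:  # MTTFd = 1 / lambda_d (page 15), converted to years
        return 1.0 / (self.lambda_d * HOURS_PER_YEAR)

    def pfhd(self) -> float:
        # Principal relationship PFHd = lambda_d x 1 h (page 8): one channel, no fault tolerance
        return self.lambda_d * 1.0

def classify(rates: FailureRates) -> dict:
    """Denotations and bands for the rates; None means outside the tables."""
    pfhd = rates.pfhd()
    return {"DC": band(rates.diagnostic_coverage(), DC_BANDS),
            "MTTFd": band(rates.mttfd_years(), MTTFD_BANDS),
            "SIL": band(pfhd, SIL_BANDS), "PL": band(pfhd, PL_BANDS)}

if __name__ == "__main__":
    # Constructed rates (not from the slides): lambda_d = 5e-6 /h
    print(classify(FailureRates(lambda_s=2e-6, lambda_dd=4e-6, lambda_du=1e-6)))
```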

Page 19: SIL Explanation

Safety of Machinery: prEN ISO 13849-1 - Relationship between categories, DC, MTTFd and PL

[Figure: bar chart. Vertical axis: Performance level a to e, with the corresponding Safety Integrity Level (a: *, b: 1, c: 1, d: 2, e: 3). Horizontal axis: Cat. B (DCavg = 0), Cat. 1 (DCavg = 0), Cat. 2 (DCavg = low), Cat. 2 (DCavg = medium), Cat. 3 (DCavg = low), Cat. 3 (DCavg = medium), Cat. 4 (DCavg = high). Within each column the bars are drawn for MTTFd of each channel = low, medium and high.]

* In several applications the realisation of performance level c by category 1 may not be sufficient. In this case a higher category, e.g. 2 or 3, should be chosen.