05 - SIS Design & Development

Functional Safety Engineering
Safety Instrumented System!
Design and Development!

!
Slide 5 - 1

Achieving the target SIL
• Selection of Components and Sub Systems

• Design to achieve the target PFD average
• Design for safe behaviour on detection of a fault
• Ensure functional independence from BPCS
• Comply with fault tolerance requirements
• Design to reduce common cause failures
• Provide secure interfaces between components
ProSalus Limited Slide 5 - 2
Copyright ProSalus Limited 2011

1
Selection of Components and Subsystems
Two paths to Functional Safety Compliance:

1. All components and subsystems in the SIF loop are
designed and tested in accordance with IEC 61508-2/3
OR
2. Evidence based on IEC 61511 “Prior Use” to demonstrate
suitability of the SIF for a maximum target SIL2

For a SIF to qualify for a SIL target
or
Prior Use (11.5.3)

Build to IEC 61508-2 & 3 HW & SW
Smart Device (FPL) Non PE

Certify to IEC 61508
SIL 1 or 2
SIL 3 requires formal

assessment and a safety
Manual (11.5.4.4)
Apply IEC 61511

Limitations (11.5.4)
PFD must satisfy SIL target

2
Requirements for Device to be IEC 61511 “Proven–in-use”
§ Evidence that the instrument is suitable for SIF Collect the records of
every fault, failure,
§ Consider manufacturer’s QA systems Inspection, proof test,
partial test and
§ PES devices need formal validation – maintenance event per
IEC 61508-3 Annex A Table A.7 as starting point instrument.
§ Performance record in a similar profile
§ Adequate documentation
§ Volume of experience, > 1 yr exposure per case.
The approved safety instrument list
Managed by
§ Each instrument that is suitable for SIF maintenance team
and data fed to
§ Update and monitor the list regularly procurement
§ Add instruments only when the data is adequate
§ Remove instruments from the list when they let you down
§ Adequate details: Include the process application

3

• IEC 61508 General requirements _
§ Component developed to relevant IEC 61508 Part 2 & 3 requirements
§ Safety Manual provided for specific component IEC 61508-2 Annex D
§ Functional Specification, Hardware / software configuration
§ Constraints and limitations on use identified during analysis (FMEDA)
§ Failure Modes for device and device diagnostics (Specifically those
device failure modes not detected by diagnostics)
§ Failure Rates and Hardware Fault Tolerance
§ Type classification A or B, Systematic capability
§ Proof test, operating and maintenance requirements.
§ Calibration and set up features identified.
Slide 5 - 7

• Field Devices
§ ‘An initiator or final element used as part of a SIS shall not be used for
control purposes where failure of the control system would cause a
demand on the protection system except when an analysis has been
carried out to confirm that the risk is acceptable’
§ De-energize to trip is the preferred action.
§ Energize to trip shall apply a continuous end-of-line monitor such as
pilot current to ensure continuity.
§ Smart sensors shall have write protection enabled.
§ Must be suitable for the installed environment
o i.e. Corrosion, temperature, humidity etc.

4
Sharing of Sensors with BPCS
When possible do not share sensors because it:
§ Violates the principles of independence
§ Potential for a high level of common mode failure

§ Cannot not be considered a separate layer of protection
§ Creates maintenance and change control issues
Separation Rules: Field Sensors IEC 61511 Part 1 : 11.2.4


• Field sensors
§ If a sensor is used for both BPCS and SIS then common mode failure
considerations must be assessed
§ Sensor diagnostics must be capable of placing the process in a safe
state if a CMF occurs
§ The Hardware Fault Tolerance requirements are met
§ Separate sensors with identical or diverse redundancy will normally be
required for SIL 3 & SIL 4 depending on the SFF.
§ If SIS sensors are connected to a BPCS suitable isolator / splitters
must be used and meet the target SIL requirements.

5
Separate Sensors for Control and Trip FTA Example

Boiler
SIS Logic Solver Trip
LSL Logic
LT LT LIC
2 1 1
Boiler Steam
Drum
Feed water
supply

FTA Example for Boiler Low Level Trip
Shared Sensor Separate Sensor
Boiler Damage Boiler Damage
0.105 / yr. 0.0075 / yr.

Low level and NO TRIP Low level and NO TRIP
OR
AND
Low level
LT-1 Fails 0.3 / yr.
FW Fails and
No Trip high-No Trip
LIC causes low OR LT-2 Fails high
Trip fails on
0.005 / yr. level
demand
0.1 / yr.
AND PFD = 0.1/2 X 0.5
= 0.025
FW Fails LT-1 Fails
high, LIC-1
FW Fails Trip fails on demand from 0.2 / yr. causes low
FW failure level
0.2 / yr.
PFD = 0.1/2 X 0.5
= 0.025 0.1 / yr.

6
Shared Sensor for Control and Trip
Boiler
SIS Logic Solver Trip
Boiler Steam
Drum LSL Logic
LT LIC
1 1
Feed water
Failure of the BPCS supply
must not cause a failure
in the SIS consider
Splitter unit that is
functionally safe

• Control and shutdown valves
§ A single valve may be used for both BPCS and SIS
provided that:
o A failure of the valve cannot cause a demand on the SIF
o Diagnostic coverage on the valve and SIF will ensure safe
reaction to a dangerous failure and common mode failure
requirements are met.
o Hardware Fault Tolerance requirements are met
§ SIL 3 and SIL 4 will normally require separate identical

or diverse valves

7

Arrangement for Tripping of Shared Control Valve SIL 1
SIS
BPCS
Solenoid valve
direct acting,
direct mounted. FY
De-energise to
vent actuator.
FV Positioner
A/S
Check hazard demands due to valve

Diverse Separation of Control and Shutdown Valves SIL 2 & 3
SIS BPCS
A/S
FY
Check hazard demands due to valve

8
• SIS Logic solver
§ Functional separation between BPCS and SIS

§ Will have internal diagnostics to detect dangerous faults
§ Can be PES, Solid State or Relay
§ When there are a large number of outputs then it shall
be necessary to determine if any foreseeable failures or
combination of failures can lead to an hazardous event
Design Considerations
Types of Failure
• The Integrity of a SIF is dependent on how often it fails

dangerously.
• There are two main types of failure which need to be
addressed:
§ Systematic failures;
§ Random hardware failures

9

Design Considerations to meet the target Safety Integrity Level
Design needs to evaluate the potential for random hardware failures
and for systematic errors in design or in software
Random hardware failures. Systematic failures
Adequate measures to avoid

Each subsystem must satisfy SIL systematic errors during design.
tables for HW fault tolerance • project procedures
• safety lifecycle methods
• verifications
Each subsystem must satisfy
SIL tables for PFD or PFH
Software engineering design must
incorporate safety techniques and
Overall system must satisfy SIL measures appropriate to required SIL
tables for PFD or PFH
SIL rating of the safety function defined by the lowest SIL of the above

Systematic Failures
• A failure related in a deterministic way to a certain cause,
which can only be eliminated by a modification of the
design or the manufacturing process, operational
procedures, documentation or other relevant factors:
§ Safety requirements specification;
§ Design;
§ Manufacture;
§ Installation;
§ Operation;
§ Maintenance
• Usually due to a human error, design fault-wrong
component, incorrect specification error in software
program, error in testing.

10

Systematic failures
§ A single systematic fault can cause failure in multiple
channels of a redundant system.
§ Systematic failures, by their very nature, cannot be
accurately predicted because the events leading to them
cannot be easily predicted.
§ Functional safety standards protect against systematic
faults providing rules, methods and guidelines to prevent
design errors.
§ A system implemented using such methods should be
relatively free of systematic errors.
Random Failures
• A failure occurring at a random time, which results
from one or more of the possible component
degradation mechanisms.
§ Random failures rates can be predicted with reasonable
accuracy depending on the quality of the data
o E.g. Generic, Industrial or Site failure rate data
• Safe failures
• Dangerous failures

11

Random Failures
• Failure Rate data:
§ Number of failures per unit / component as either:
o A constant failure rate;
o An average failure rate over a period / mission time
• Dangerous failures are those that prevent success when
there is a demand:
o Fails to operate when required i.e. valve fails to close
o Worse are dormant failures – undetected dangerous failures
o Potential consequences due to failure to prevent hazard occurring
• Safe failures are spurious or nuisance failures:
o Spurious or nuisance shutdown no demand from process to trip
o Downtime due to fault detection and restart
o Loss of production / profits
IEC 61508 / 61511 Modes of Operation
• Three modes to consider:

§ Low
§ High
§ Continuous
• Most process plant SIFs are ‘low demand mode’

12

Demand Modes
• Low demand mode:
§ An infrequent demand rate on a protective system;
§ No greater than once per year
§ Use Probability of Failure of Demand average (PFDavg)
• High demand:
§ The demand rate is greater than once per year
§ Use average frequency of dangerous failure (PFH)
• Continuous demand
§ Dangerous failure will lead to a potential hazard without any further
failure
§ Use average frequency of dangerous failure (PFH).

Demand modes
Demand mode-61511 Continuous mode - 61511
Low demand - 61508 High demand - 61508 Continuous - 61508
Use PFDavg Use probability of Use probability of

failure per hour failure per hour
Take credit for proof No credit for proof No credit for proof
testing testing testing
Take credit for Take credit for No credit for automatic

automatic diagnostics automatic diagnostics diagnostics

13

Average Probability of Failure on Demand
• A statistical probability or chance that a system will not perform
its intended function when demanded.
• Valid for low demand mode operation only
Average frequency of dangerous failure

• The average frequency of a dangerous failure of system to
perform the specified safety function over a given period (PFH).
• Valid for high demand and continuous mode operation only
• When the system is the ultimate layer PFH is calculated from
unreliability F(t) = 1-R(t) approximates to F(t)/T & 1/MTTF
• When the system is not the ultimate layer PFH is calculated from
unavailability U(t) and approximates to 1/MTBF
Slide 5 - 27
Understanding Types of Failures

For a low Demand System SIFs can fail in two ways:
• Dangerous failure (hidden, covert or un-revealed)
§ Loss of protective function, but not aware until demand
§ Failure rate can be reduced by hardware fault tolerance (e.g. 1oo2 or 1oo3
§ Diagnostics can also be used.
• Safe failure (revealed, evident – mostly economic)

§ Spurious or nuisance trip or alarm
§ No loss of protection
§ Spurious failures can be reduced by “revealed failure robustness” (e.g.
2oo2 or 2oo3)

14
Which type of failures have impact on the SIF?
Many failures do not influence the safety function at all, and so they are not
considered anymore. Example: Display, Keypad, HART communication).
In safety engineering we need to differentiate between safe and dangerous
failures,
and, if they are detectable or not (undetectable).
Safe failures impact on the SIF‘s availability, but not on the safety
function.
Dangerous failures are split into detected and undetected.
Dangerous detected failures are detectable by diagnostic and will raise a
diagnostic alarm or trip system into a safe state.
Slide 5 - 29

Understanding Types of Failure
(Detectable (Undetectable
) )
(Safe) λSD λSU
(Dangerous) λDD λDU
Depending on the kind of evaluation safe and detectable
failures can force a system to go into the safe state.
Signal cable to transmitter cut, Output transistor becomes defective,
λSD Signal is 0 mA, central controller
detects it:
λSU signal ≥ 20 mA, central controller
triggers (maintaining) gas alarm:
Safe! Safe!
Dangerous RAM-failure, being
Loss of measuring function
λDD detected during automatic cyclic
RAM-test, controller detects failure:
λDU without indication: Unsafe –
dangerous!
Safe!
The Dangerous Undetectable failure (λDU) is in the main focus of the SIL-
consideration.
Slide 5 - 30

15

Design Considerations
• Improving reliability and integrity

§ Hardware fault tolerance;
§ Multiple devices:
o 1oo2, 1oo3 etc.
• Avoidance of nuisance or spurious trips:

§ Voted multiple devices
o 2oo2, 2oo3 etc.
Diagnostic Capability
§ Ability of a sub system to automatically detect dangerous
failures and take a action by:
§ Bringing the process to a safe state
§ Alerting the operator to take action – the diagnostic alarm should be
included in the SIS in this case
§ Thus when considering dangerous failures:

§ λdd = those dangerous failures that are detected by
diagnostics:
§ λdu = those dangerous failures that remain undetected by
diagnostics and are only detected during Proof Testing

16
Diagnostic Coverage
§ The Diagnostic Coverage (DC) of a component or sub system is

defined as the ratio of the average rate of dangerous detected
failures of the component or sub system to the total average
dangerous failure rate of the the component or sub system
§ DC normally determined by FMEDA
§ For pre certified or pre approved equipment the DC is included on the
certificate of conformance
Diagnostic Coverage = ∑λDD
∑λDD + ∑λDU

Design Considerations - Sensor Diagnostics
§ Do not confuse with proof testing

§ Integral to the device, designed in after OEM FMEDA has been
completed to determine potential diagnostic mechanisms
§ Must ensure diagnostic output is used and either trips the SIF or
operator is trained to understand requirements of diagnostic alarms
or NO credit for diagnostics should be taken in calculations
§ Could compare trip transmitter value with related variables when
practicable but not a secure method and puts more pressure on
operator
§ Diagnostic alarm test must be included in proof test to ensure
operator awareness stays high

17
Valve Diagnostics
Failure Mode % Contribution %Detection by % Of Dangerous
to dangerous partial closure test Faults Detected
failures
Actuator spring breakage 20 70 14
or jamming
Solenoid fails to vent 5 50 2.5
Positioner fails to trip 5 100 5
Hoses kinked or blocked 10 100 10
Valve stem or rotary shaft 40 70 28
stuck
Actuator linkage fault 5 70 3.5
Seating failures of valve 10 0 0
causing high leakage. Due
to erosion or corrosion
Foreign bodies or sludge 5 0 0
preventing full closure
Total 100% 63%
Methods for Valve Diagnostics
§ On–line functional testing
§ Limit switch discrepancy / mismatch alarm
§ Position feedback
§ Partial closure testing – manual or automatic
§ Smart Positioner – certified safety Positioner

18
Architectural Constraints
Subsystem Safety Integrity
Architectural Constraints and Hardware Fault Tolerance
Hardware Fault tolerance:

Hardware fault tolerance is the ability of a system to continue to be able
to undertake the required safety function in the presence of one or more
dangerous faults in hardware. Hence a fault tolerance level of 1 means
that a single dangerous fault in the equipment will not prevent the system
from performing its safety functions.
From the above it follows that a fault tolerance level of zero implies that
the system cannot protect the process if a single dangerous fault occurs
in the equipment.

19
SIL of the overall SIS is defined by the lowest SIL of the subsystems
Sensor Logic Actuator
SIL 1 SIL 2 SIL 1

Subsystem Subsystem Subsystem
Overall SIS
SIL 1
Safe Failure Fraction
§ The Safe Failure Fraction (SFF) of a sub system is defined as the

ratio of the average rate of safe plus dangerous detected failures of
the sub system to the total average failure rate of the sub system
§ SFF normally determined by FMEDA
§ For pre certified or pre approved equipment the SFF is included on
the certificate of conformance
Safe Failure Fraction = ∑ λS + ∑λDD
∑ λS + ∑λDD + ∑λDU

20
Architectural Constraints
§ IEC 61508 places an upper limit on the SIL that can be

claimed for any SIF on the basis of the HFT of the
subsystems that it uses.
§ Limit is a function of
§ Device Type A or B
§ The degree of confidence in the behaviour under fault
conditions
§ Safe Failure Fraction

§ Hardware fault tolerance
IEC 61508 Classification of Equipment
IEC 61508 defines two types of equipment for use in SIS:
§ Type A: Simple Devices: Non PES – where failure modes

and fault behaviour are well defined and there is
dependable failure data
§ Type B: Complex Devices: Including PES - where failure

modes and fault behaviour are not well defined and there is
insufficient dependable failure data
§ Fault tolerance rating of B is less than A for equivalent SFF


21

IEC 61508 Table 2
Minimum hardware fault tolerance of type A sub systems
Minimum HW Fault Tolerance

SIL
SFF<60% SFF 60% to 90% SFF>90% SFF>99%
1 0 0 0 0
2 1 0 0 0
3 2 1 0 0
4 2 1 1
For devices with well defined failure modes,

predicable behaviour and field experience.
Normally excludes PES
IEC 61508 Table 3

Minimum hardware fault tolerance of type B sub systems
SIL
SFF<60% SFF 60% to 90% SFF>90% SFF>99%
1 1 0 0 0
2 2 1 0 0
3 2 1 0
4 2 1
For devices with some none defined failure modes

OR unpredictable behaviour
OR insufficient field experience

22

IEC 61511-1 Table 6
Minimum hardware fault tolerance of sensors, final elements & non PES logic
SIL Minimum HW Fault Tolerance
1 0
2 1
3 2
4 Special requirements: See IEC 61508
The following summarized conditions apply for SIL 1,2 and 3 :

Increase FT by 1 if instrument does not have fail safe characteristics
Decrease FT by 1 if instrument if the device complies with the following.
• The hardware is selected on the basis of prior use (IEC 61511 11.5.3)
• The device allows adjustment of process related parameters only, for example, measuring range, upscale or
downscale failure detection.
• The adjustment of the process related parameters of the device is protected, for example jumper, password.
• The function has a SIL requirement of less than 4.
Alternatively tables 2 and 3 of IEC 61508 may be applied if the SFF can be calculated

Architecture rules for PES logic solvers
IEC 61511-1 Table 5
Minimum hardware fault tolerance of PE logic solvers

SIL
SFF<60% SFF 60% to 90% SFF>90%
1 1 0 0
2 2 1 0
3 3 2 1
4 Special requirements: See IEC 61508
Alternatively tables 2 and 3 of IEC 61508 may be applied with

an assessment

23
Example Minimum Architectures for Fault Tolerance of

Type A and B Sub-Systems for 60% to 90% SFF
Simple Devices (Non PES) Complex Devices
Type A Type B
Safety Integrity. Min. Fault Minimum Min. Fault Minimum
tolerance. Architecture tolerance. Architecture
SIL 1 0 1oo1 0 1oo1
SIL 2 0 1oo1 1 1oo2 or 2oo3
SIL 3 1 1oo2 or 2oo3 2 1oo3
SIL 4 2 1oo3 Special requirements apply,

see IEC 61508

Architectures for Safety Systems - 1oo1 Single channel
1oo1D has a higher safe failure fraction than 1oo1 but is still not able to
protect the plant if a fault remains hidden
1oo1 Fault Tolerance: ?
Channel
1oo1 D Fault Tolerance: ?
Channel
1oo1 D
Diagnostics

24
Architectures for Safety Systems - 1oo2 v 2oo2

Channel 1oo2
Fault Tolerance: ?
Diagnostics 1oo2
Channel
Channel 2oo2
Fault Tolerance: ?
Diagnostics 2oo2
Channel

Performance attributes of sub-system architectures
Sub system Fault Selection Guide
structure tolerance
1oo1 0 Use if both PFD and nuisance trip targets are met.
1oo2 1 2 Sensors installed, 1 required to trip. PFD value
improved, nuisance trip rate doubled. Often suitable for
SIL 2
2oo3 1 3 Sensors installed, 2 required to trip. PFD improved over
1oo1, nuisance trip rate dramatically reduced.
1oo1D 0 Internal and external diagnostics used to improve safe
failure fraction. Alternative to 1oo2 for SIL2
1oo2D 1 As for 1oo1D but able to tolerate 1 fault and revert to
1oo1D during repair.
Meets SIL 3 if safe failure fraction exceeds 90%. Does
not satisfy diversity for SIL3 if sensors are identical.
Reduces spurious trip rate, good alternative to 2oo3
1oo3 2 3 Sensors installed, 1 required to trip. PFD improved over
1oo2 but not by much unless diverse instruments are
used. Nuisance trip rate may be a problem. Likely to be
used for SIL 2 or 3.
2oo4 2 Configured as two voting pairs of 1oo2D. Very high
performance when used in logic solvers. Achieves SIL 3
performance with 1 pair off line for repair.

25
Safe Failure Fraction - Issues
§ Optimistic claims for dangerous failures that can be detected by

diagnostics
§ FMEDA is considered best practice for assessing dangerous

failures that can be detected by diagnostics
§ If the detected failure claim is to optimistic then the safety integrity

will be compromised due to the reduction in Hardware fault
tolerance
Common Cause & Common Mode Failures
• A CCF occurs when a single fault results in the

corresponding failure of multiple components.
• Common mode failures are a subset of common
cause failures’
§ “A common-mode failure (CMF) is the result of an event (s)
which because of dependencies, causes a coincidence of
failure states of components in two or more separate channels
of a redundancy system, leading to the defined system failing to
perform its intended function”.

26
Common Cause Failures in Sensors

§ Wrong specification
§ Hardware design errors
§ Software design errors
§ Environmental stress
§ Shared process connections
§ Wrong maintenance procedures
§ Incorrect calibration

Design Issues:
Redundancy in Sensors SIS
PT PT
1A 1B
Be careful to analyze for

common cause faults
eg. Try to avoid this

27
Common Cause Failures (IEC 61508)

• IEC 61508 Part 6 Annex D –Method for quantifying CCF
• 2010 version updated and based on PDS methodology
• Based on the following factors from IEC 61508-6 Table D.1 to D5:
• Separation/segregation;
• Diversity/redundancy;
• Complexity/design/application/experience;
• Assessment/analysis & feedback of data;
• Procedures/human interface;
• Competence/training/safety culture;
• Environmental Control;
• Environmental Testing.
Slide 5 - 56

28
Slide 5 - 57
Slide 5 - 58

29
Slide 5 - 59

Common Cause Failures (IEC 61508)
• Using the IEC 61508 Part 6 Annex D β-factor model
• Common Cause failure rate is λDβ
• Where diagnostics are available overall CCF rate is
λDUβ + λDDβD
• Using Table D1, D2, D3 and D4

• β - S = X + Y = βint for a 1oo2 System
• βD - SD = X (Z+1) + Y = βD int for a 1oo2 System

30
Common Cause Failures
• Apply Table D5 for systems with levels of redundancy

greater than 1oo2 , table based on PDS Method
• IEC 61508-3, Annex D, Table D.4 for 1oo2

• 0.01 –0.1 for field equipment;
• 0.005 –0.05 for programmable electronic systems

Common Cause Failures – Systems Diagram 1oo2
 Consider a simple 1oo2 redundant subsystem
λd
λcc
λd
Common cause
failures
λd = total dangerous failure rate

λcc = total common cause failure rate
λcc = βλd
Where β = the common cause failure factor

31
Common Cause Failure Calculation - Example
λcc = λcommon cause

λcc = βλd
Where:
λd =0.05 failures / year
β = 0.1
Therefore
λcc= 0.1 * 0.05 = 0.005 failures / year
Common Cause Failures – Systems Diagram 1oo2
λd
λcc
λd Common cause
failures
PFDavg = (λd)2 x T2 + λcc x T

3 2
Common Cause failure should be shown as an additional 1oo1 block in
the RBD or as an input to an OR gate in an FTA and then summed with
the 1oo2 block to calculate overall sub system PFDavg

32

Design Considerations - Field Devices Summary
• Safety Related Instruments must well proven
• Smart instrumentation treated as PES – Type B
• Separation, Redundancy, Diversity design issues
• Increased Diagnostic Coverage for improved SFF to reduce HFT
requirements
• For SIL 1 and SIL 2 - justifification of suitability on “prior use”.
• Requires evidence of previous usage in safety.
• SIL 3 requires formal assessment (IEC 61511 11.5.4.4)
• “ Prior use” does not help if the instrument is new to your
company unless the vendor can assist with Client data
Safety Component Selection

§ Use Safety Certified / approved components to IEC 61508 wherever
possible as this aids in the verification in terms of failure data, component
type, safe failure fraction, available diagnostics
§ Make sure Safety Manual is supplied with device / component.
§ Ensure application and usage complies with vendor’s safety manual.
§ If you have records of the same instrument being used for an extensive
period in safety applications you can document your own “Prior use”
justification up to SIL 2 only.
§ Insist on verifiable data from Vendor / system supplier for the device /
component either based on FMEDA, returns data or acelerated testing.

33
IEC 61511 Application Software
Slide 5 - 67
Software Safety Topics
§ Software for Safety

§ Software Verification & Systematic Errors
§ Software Management & Quality Assurance
§ Software Safety life cycle
§ Software Safety Requirements
§ Certification and compliance

34
Software for Safety

§ SIS software must have a proven QA/C (Testing) and FSM record
§ Software comes in two parts: Embedded and Application
§ Both parts require software QA/C & FS management procedures
§ Embedded software including development tools QA/C & FS
management procedures and software construct should to be 3rd
party certified to IEC 61508-3 with a report of limitations of use
§ Application tools should be certified for use with the OEM software
package
§ Development of Application software to follow IEC 61511-1 figures
12 Software development lifecycle table 7 and comply with IEC
61131 software language requirements.

Software Verification & Systematic Errors
• IEC 61508-3 safety approved embedded / operating system and
check versions are certified for use with hardware and application
package
• IEC 61508-3 precertified software modules (Function Blocks)
• OEM approved application package matched to system hardware and
software versions.
• IEC 61511 Clause 12 for QA and FSM procedures for application
software when using IEC 61508 compliant systems
• IEC 61511 Software Validation by Testing against Requirement
Specification and cause and effects
• Software verification complicated – 61508 requires formal analysis &
traceability ( 61508-7 Annex D)

35

Software Management and Quality Assurance
§ Management of Software Quality & Testing replaces reliability
analysis
§ Software Quality Assurance practices are well established.
§ IEC 61508-6 Annex E Safety Manual requirements for Software
Elements
§ Software Safety Life Cycle in IEC 61508-3 Annex G for detailed
guidance on software lifecycles and IEC 61511 clause 12
§ IEC 61508-6 Annex E for example guidance on the application
of the IEC 61508-3 software safety integrity tables

Software Safety Lifecycle: V model
Validation Validation Validated
SIS SRS
Testing 14.3 SIS
Application Software SRS - Application software

12.2 Integration test
12.5
Application Software
Architecture design 12.4.3 & 4
Application Software Application Software

development 12.4.5 Testing - 12.4.7
Application Module Application Module

Development -12.4.5 Testing - 12.4.6
Output Coding – 12.4.2.1 Code development and test –

FVL only (see IEC 61508-3)
Verification

36

Application Software Life Cycle Requirements
§ Application Software Safety Requirements Specification
§ Features and facilities required of the application language
§ Features to facilitate safe modification of the application
§ Architecture of the application software
§ Requirements for support tools, user manual and application languages
§ Software development methods
§ Software module testing
§ Software integration testing
§ Integration testing with the SIS subsystem
Continues through to Validation, Operation, Proof testing and Inspection.

37

38
IEC 61508 Part 3 Overview
Slide 5 - 78

39
IEC 61508 Safety Certified PES Logic Solvers
• TUV Publish a list of type certified systems on website

• Ensure hardware and software versions are as per certificate
• Check Test report for any limitations on use
• Software representation complies with IEC 61131 requirements
• Within the use of LVL software there is the possibility to create user
defined function blocks, however they must be constructed and
tested as FVL software modules to avoid human or specification
errors
• Certification can be directed at specific applications e.g. furnace
control, HIPPS or for other typical process applications
IEC 61508 Software Verification
§ Software verification complicated – 61508 requires formal analysis

& traceability ( 61508-7 Annex D)
§ Difficult and costly to test all foreseeable combinations of logic not
normally considered in process applications reliance on SRS and
C&E testing
§ The failure modes are unpredicatable in presence of hardware
faults.
§ Re-use of old software in new applications (also known as
SOUP…software of uncertain pedigree - Refer HSE guidance RR
336/2001 & 337/2001

40

Table A.1 – Software safety requirements specification (see 7.2)
TECHNIQUE/MEASURE * REF SIL1 SIL2 SIL3 SIL4

Computer-aided specification tools B.2.4 R R HR HR
Semi-formal methods Table B.7 R R HR HR
Formal methods B.2.2, C. - R R HR

2.4
Note 1 – The software safety requirements specification will always require a description of the problem in natural language and
any necessary mathematical notation that reflects the application.
Note 2 – The table reflects additional requirements for specifying the software safety requirements clearly and precisely.
* Appropriate techniques/measures shall be selected according to the safety integrity level. Alternate or equivalent techniques/
measures are indicated by a letter following the number. Only one of the alternate or equivalent techniques/measure has to be
satisfied.

Table A.3 – Software design and development: (see7.4.4)

1 Suitable programming language C.4.5 HR HR HR HR
2 Strongly typed programming language C.4.1 HR HR HR HR
3 Language subset C.4.2 - - HR HR
4a Certified tools and Certificated translators C.4.3 R HR HR HR
4b Tools and translators: increased confidence from use C.4.4 HR HR HR HR
* Appropriate techniques/measures shall be selected according to the safety integrity level. Alternate or equivalent techniques/
measures are indicated by a letter following the number. Only one of the alternate or equivalent techniques/measure has to be
satisfied.

41

Table A.4 – Software design and development: detailed design (see 7.4.5 and 7.4.6
1a Structured methods C.2.1 HR HR HR HR
1b Semi-formal methods Table B.7 R HR HR HR
1c Formal design and refinement methods B2.2.2, C.2.4 - R R HR
2 Computer-aided design tools B.3.5 R R HR HR
3 Defensive programming C.2.5 - R HR HR
4 Modular approach Table B.9 HR HR HR HR
5 Design and coding standards C.2.6, Table B.1 R HR HR HR
6 Structured programming C.2.7 HR HR HR HR
7 Use of trusted/verified software elements (if available) C.2.10 R HR HR HR
* Appropriate techniques/measures shall be selected according to the safety integrity level. Alternate or equivalent techniques/measures are indicated by a
letter following the number. Only one of the alternate or equivalent techniques/measure has to be satisfied.
Scope of compliance required for logic solver software

products
• SIS Logic Solver and I/O certified for use at the relevant SIL
• All of the programming languages supported by the logic solver with

any special safety functions and function blocks to be certified for
compliance at the relevant SIL.
• All restrictions and operating procedures required by the certifying

organization to be stated in the user documentation.
• Methodology for on-line testing using overrides to be approved by the

certifying organization.

42

Software Proven in Use - IEC61508-7 B.5.4 Field experience
For field experience to apply (very difficult in reality – different firmware
versions and missing FSM of the software)
– unchanged specification;
– 10 systems in different applications;
– 100000 operating hours and at least one year of service history.
This documentation must contain at least

– the exact designation of the system and its components, including
version control for hardware;
– the users and time of application;
– the operating hours;
– the procedures for the selection of the systems and applications
procured to the proof;
– the procedures for fault detection and fault registration as well as fault
removal.

Summary
§ Software safety integrity is achieved through IEC 61511-12 software life

cycle and company software quality assurance procedures
§ IEC 61508-3 is targeted at new PES devices but can be applied as

necessary for end user support, but requires detailed knowledge
§ Certified software packages provide a secure platform for the end user
to execute an application.
§ Vendor’s training and safety manual requirements must be applied
§ IEC 61511-2 Clause 12 provides additional support but is informative

only

43
End

44

05 - SIS Design & Development

Uploaded by

Copyright:

Available Formats

05 - SIS Design & Development

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

05 - SIS Design & Development

Uploaded by

Copyright:

Available Formats

Functional Safety Engineering

Functional Safety Engineering

Safety Instrumented System!

Design and Development!

Functional Safety Engineering

• Selection of Components and Sub Systems

ProSalus Limited Slide 5 - 2

Copyright ProSalus Limited 2011

Functional Safety Engineering

Selection of Components and Subsystems

Two paths to Functional Safety Compliance:

ProSalus Limited Slide 5 - 3

Functional Safety Engineering

Prior Use (11.5.3)

Smart Device (FPL) Non PE

SIL 3 requires formal

Apply IEC 61511

PFD must satisfy SIL target

ProSalus Limited Slide 5 - 4

Copyright ProSalus Limited 2011

Functional Safety Engineering

Requirements for Device to be IEC 61511 “Proven–in-use”

§ Performance record in a similar profile

§ Volume of experience, > 1 yr exposure per case.

ProSalus Limited Slide 5 - 5

Functional Safety Engineering

The approved safety instrument list

§ Add instruments only when the data is adequate

§ Adequate details: Include the process application

ProSalus Limited Slide 5 - 6

Copyright ProSalus Limited 2011

Functional Safety Engineering

Functional Safety Engineering

ProSalus Limited Slide 5 - 8

Copyright ProSalus Limited 2011

Functional Safety Engineering

Sharing of Sensors with BPCS

When possible do not share sensors because it:

§ Violates the principles of independence

§ Potential for a high level of common mode failure

§ Creates maintenance and change control issues

Separation Rules: Field Sensors IEC 61511 Part 1 : 11.2.4

Functional Safety Engineering

ProSalus Limited Slide 5 - 10

Copyright ProSalus Limited 2011

Functional Safety Engineering

Separate Sensors for Control and Trip FTA Example

ProSalus Limited Slide 5 - 11

Functional Safety Engineering

Boiler Damage Boiler Damage

0.105 / yr. 0.0075 / yr.

ProSalus Limited Slide 5 - 12

Copyright ProSalus Limited 2011

Functional Safety Engineering

Shared Sensor for Control and Trip

Functional Safety Engineering

Selection of Components and Subsystems

§ SIL 3 and SIL 4 will normally require separate identical

ProSalus Limited Slide 5 - 14

Copyright ProSalus Limited 2011