I did my homework, purchased certified devices, and specified physical redundancy. I expected an uneventful SIL Verification but the assessor is telling me that I have functions failing Architectural Constraints in the sensor and final element groups. How can that be? 

Low demand mode Safety Instrumented Function (SIF) design is verified against three criteria:

  • Probability of Failure on Demand
  • Architectural Constraints
  • Systematic Capability

Probability of Failure on Demand (PFDavg) is a statistical evaluation, based on random failure data, of the likelihood that a SIF will fail to perform properly when a process demand occurs. Systematic Capability is an evaluation of the potential that a SIF will fail due to systematic factors introduced in the design, manufacture, installation and operation of the SIF hardware, and in the design or implementation of its software. Architectural Constraints is a physical redundancy requirement for sensors, logic solvers, and final elements. Verification surprises frequently occur when the design process focused more heavily on one criterion than the others (usually PFDavg), or when the SIF was assembled like building blocks using rules of thumb. A few simple checks in preliminary design will help avoid being blindsided by Architectural Constraints.

Architectural Constraint is the sum of the number of devices required for voting and the number required for Hardware Fault Tolerance (HFT). HFT requirements differ under IEC 61511/ISA 84 and IEC 61508. IEC 61511/ISA 84 Table 6 defines minimum HFT:

Table 6 - Minimum hardware fault tolerance of sensors, final elements and non-PE logic solvers

| SIL | Minimum hardware fault tolerance |
|-----|----------------------------------|
| 1   | 0 |
| 2   | 1 |
| 3   | 2 |
| 4   | Special requirements apply (see IEC 61508) |

Using the table, one might design the sensor group in a SIL 2 SIF with 2 elements for voting plus 1 for HFT, for a total of 3 elements in a 2oo3 voting arrangement. Seems pretty straightforward, right? Wrong. Clause 11.4.3 requires that the HFT be increased by 1 if the dominant failure mode is not to the safe state or dangerous failures are not detected. If the designer selected a sensor that lacks diagnostic capability, or has a Safe Failure Fraction (SFF) of less than 60%, the HFT must be increased, requiring 4 elements in a 2oo4 voting arrangement or 3 elements in a 1oo3 voting arrangement.

IEC 61511 also allows for alternative fault tolerance requirements set according to IEC 61508-2. There are two routes, 1H and 2H. Route 1H is based on Safe Failure Fraction (SFF) and Tables 2 and 3.

Table 2 – Maximum allowable safety integrity level for a safety function carried out by a type A safety-related element or subsystem

| Safe Failure Fraction of an element | Hardware fault tolerance 0 | Hardware fault tolerance 1 | Hardware fault tolerance 2 |
|-------------------------------------|----------------------------|----------------------------|----------------------------|
| SFF < 60%                           | SIL 1 | SIL 2 | SIL 3 |
| 60% ≤ SFF < 90%                     | SIL 2 | SIL 3 | SIL 4 |
| 90% ≤ SFF < 99%                     | SIL 3 | SIL 4 | SIL 4 |
| SFF ≥ 99%                           | SIL 3 | SIL 4 | SIL 4 |

See IEC 61508-2 section 7.4.4.2.2, Table 2 for notes.

Table 3 – Maximum allowable safety integrity level for a safety function carried out by a type B safety-related element or subsystem

| Safe Failure Fraction of an element | Hardware fault tolerance 0 | Hardware fault tolerance 1 | Hardware fault tolerance 2 |
|-------------------------------------|----------------------------|----------------------------|----------------------------|
| SFF < 60%                           | Not allowed | SIL 1 | SIL 2 |
| 60% ≤ SFF < 90%                     | SIL 1 | SIL 2 | SIL 3 |
| 90% ≤ SFF < 99%                     | SIL 2 | SIL 3 | SIL 4 |
| SFF ≥ 99%                           | SIL 3 | SIL 4 | SIL 4 |

See IEC 61508-2 section 7.4.4.2.2, Table 3 for notes.

Safe Failure Fraction (SFF) is the percentage of “safe” failures for an element:

The term   reflects the effect of diagnostics. No-effect failures are not considered in the calculation. SFF must be considered when designing a SIF under the IEC 61508 criteria and can greatly impact the design plan. For example, a generic transmitter (type B) will often have an SFF of 60% or less, while a certified device may have an SFF between 60% and 90%. With the use of diagnostics, SFF can reach the 90% to 99% range. For a sensor group in a SIL 2 application with two elements required to trip (2ooX voting), generic devices will require 4 transmitters, while certified devices with diagnostics may require only 3. If the selected transmitters have an SFF between 90% and 99%, then as few as 2 devices are required in 2oo2 voting.

So how do we avoid getting blindsided by architectural constraints? Be aware that voting, diagnostic capability, and SFF have a direct impact on HFT. Recognize that a last-minute voting change from 1ooX to 2ooX could require an additional device to maintain HFT. Include a comparison of SFF, including the effect of diagnostics, in the technical analysis of competitive bids, and consider the HFT impact in device selection.
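The preliminary-design check recommended above can be written down so it is run every time the voting, the device type or the SFF changes. The following Python is an added example, not code from the original post: it encodes Table 6 with the clause 11.4.3 increment, Route 1H Tables 2 and 3, and the post's "devices = M for voting + HFT" rule, then compares a planned MooN arrangement against what each route requires. The names (`SubsystemDesign`, `check_design`, and so on) are this example's own, and the two boolean fields are how it represents the 11.4.3 condition as the post describes it; the sample design is a constructed case from the post's SIL 2 transmitter discussion.

```python
"""Preliminary-design check for Architectural Constraints of a SIF sensor or
final-element subsystem.  Added example: table contents, the clause 11.4.3
increment and the "devices = M + HFT" rule come from the post above; the
function and field names are this example's own assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IEC 61511 / ISA 84 Table 6: SIL -> minimum HFT.  SIL 4 is excluded because
# the table defers it to the special requirements of IEC 61508.
TABLE_6_MIN_HFT: Dict[int, int] = {1: 0, 2: 1, 3: 2}

# IEC 61508-2 Route 1H, Tables 2 (type A) and 3 (type B).
# Rows: SFF band (<60%, 60-90%, 90-99%, >=99%); columns: HFT 0, 1, 2.
# Entries are the maximum allowable SIL; None means "not allowed".
ROUTE_1H_MAX_SIL: Dict[str, List[List[Optional[int]]]] = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[None, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}


def sff_band(sff: float) -> int:
    """Map an SFF given as a fraction (0.0..1.0) to its table row index."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def min_hft_61511(sil: int, dominant_failure_to_safe_state: bool,
                  dangerous_failures_detected: bool) -> int:
    """Minimum HFT from Table 6, plus the clause 11.4.3 increment."""
    if sil not in TABLE_6_MIN_HFT:
        raise ValueError("SIL must be 1..3; SIL 4 has special requirements (IEC 61508)")
    hft = TABLE_6_MIN_HFT[sil]
    # 11.4.3 as the post states it: HFT + 1 if the dominant failure mode is not
    # to the safe state, or if dangerous failures are not detected.
    if not dominant_failure_to_safe_state or not dangerous_failures_detected:
        hft += 1
    return hft


def min_hft_route_1h(sil: int, device_type: str, sff: float) -> Optional[int]:
    """Smallest HFT (0..2) at which Route 1H allows the target SIL, else None."""
    row = ROUTE_1H_MAX_SIL[device_type.upper()][sff_band(sff)]
    for hft, max_sil in enumerate(row):
        if max_sil is not None and max_sil >= sil:
            return hft
    return None


def required_devices(m_to_trip: int, hft: int) -> Tuple[int, str]:
    """Architectural Constraint: N = M (devices that must vote to trip) + HFT."""
    n = m_to_trip + hft
    return n, f"{m_to_trip}oo{n}"


@dataclass(frozen=True)
class SubsystemDesign:
    sil: int
    m_to_trip: int                  # the M in MooN
    planned_devices: int            # the N the designer has specified
    device_type: str                # "A" or "B" per IEC 61508-2
    sff: float                      # safe failure fraction incl. diagnostics, 0..1
    dominant_failure_to_safe_state: bool
    dangerous_failures_detected: bool


def check_design(d: SubsystemDesign) -> Dict[str, Dict[str, object]]:
    """Compare the planned N against the N each route requires."""
    routes = {
        "IEC 61511 Table 6": min_hft_61511(d.sil, d.dominant_failure_to_safe_state,
                                           d.dangerous_failures_detected),
        "IEC 61508-2 Route 1H": min_hft_route_1h(d.sil, d.device_type, d.sff),
    }
    report: Dict[str, Dict[str, object]] = {}
    for route, hft in routes.items():
        if hft is None:  # no HFT in the table allows this SIL for this SFF band
            report[route] = {"hft": None, "required": None, "voting": None, "passes": False}
            continue
        n, voting = required_devices(d.m_to_trip, hft)
        report[route] = {"hft": hft, "required": n, "voting": voting,
                         "passes": d.planned_devices >= n}
    return report


if __name__ == "__main__":
    # Constructed case from the post: SIL 2, 2oo3 planned, generic type B
    # transmitter with SFF below 60% and no diagnostics.
    design = SubsystemDesign(sil=2, m_to_trip=2, planned_devices=3, device_type="B",
                             sff=0.55, dominant_failure_to_safe_state=True,
                             dangerous_failures_detected=False)
    for route, r in check_design(design).items():
        print(f"{route}: HFT {r['hft']}, needs {r['voting']}, passes={r['passes']}")
```

Running the constructed case reports that the planned 2oo3 fails both routes, each of which requires 2oo4; raising the SFF into the 60% to 90% band with diagnostics brings Route 1H down to HFT 1 and the 2oo3 passes, which is the sequence of results described in the post.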


Tagged as: SIL Verification, SIF, Safety Instrumented Function, Safe Failure Fraction, PFDavg, IEC 61511, IEC 61508, Hardware Fault Tolerance, Denise Chastain-Knight