The release of IEC 61508 2010 has led to several discussions on how certain new, updated, and unmodified definitions need to be interpreted. The controversy concerns how the required minimum hardware fault tolerance (architectural constraints) is to be determined.
This position paper explains the position that exida has taken with regard to this issue. The paper is structured in two parts: the position, and the rationale for the position, including the counter-arguments received over the last couple of months. The exida position is also implemented in the exida exSILentia safety lifecycle tool.
1.1 Use of standard
End-users / owners / operators in the Process Industries should seek compliance with IEC 61511 (2003) or ANSI/ISA 84.00.01-2004 (IEC 61511 Mod). The minimum hardware fault tolerance / architectural constraints are addressed in section 11.4. exida suggests that users follow clause 11.4.5, which allows users to deviate from the concepts defined in IEC 61511 as long as they comply with the concepts defined in IEC 61508-2, Tables 2 and 3 [Rationale 1]. This reference is to the 2000 edition of IEC 61508 and should not be interpreted as a forward reference to IEC 61508 2010.
IEC 61508 2010 introduces the element concept in part 4 Clause 3.4.5. The minimum hardware fault tolerance requirements (SFF and Type definition) are applied on a per element basis. An element is defined as:
part of a subsystem comprising a single component or any group of components that performs one or more element safety functions. NOTE 1 An element may comprise hardware and/or software. NOTE 2 A typical element is a sensor, programmable controller or final element.
It is exida’s position that an element should contain all equipment/devices that are needed to perform a safety function [Rationale 2].
1.3 Failure Mode Definitions
Though IEC 61508 2010 acknowledges that there are more failure modes than simply dangerous and safe, the definitions lack clarity. It is exida’s position that the following base definitions should be used [Rationale 3].
1.3.1 Fail Dangerous
A dangerous failure is defined as a failure that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state).
1.3.2 Fail Safe
A safe failure is defined as a failure that results in the presentation of the selected fail-safe input or output condition without a demand from the process.
1.3.3 Fail Annunciation
An annunciation failure is defined as a failure that has no effect on the safety function but does affect the ability to detect future faults, for example a failure of an internal diagnostic circuit of an equipment item.
1.3.4 Fail No Effect / Residual
The No Effect / Residual failure category represents failures of components that are part of the safety function but that have no effect on the correct functioning of the safety function. Note that equipment item components that are not part of the safety function (but may be part of the product design) and that cannot affect the safety function are not included in this category.
In relation to hardware, detected by automatic diagnostic tests, internal or by a connected safety logic solver
In relation to hardware, undetected (not diagnosed) by automatic diagnostic tests, internal or by a connected safety logic solver
In relation to hardware, detected by proof tests, operator intervention (for example physical inspection and manual tests), or through normal operation
In relation to hardware, undetected (not diagnosed) by proof tests, operator intervention (for example physical inspection and manual tests), or through normal operation
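As an added illustration of how the failure-mode categories above feed into a safe failure fraction, the Python below (example code, not exida's or the exSILentia tool's) takes a constructed FMEDA-style breakdown of one element and computes SFF two ways: with the IEC 61508 (2010) ratio of safe plus dangerous-detected failures over all safe and dangerous failures, leaving no-effect failures out as the standard does and annunciation failures out as an assumption, and with the naive approach of counting no-effect and annunciation failures as safe, which inflates the figure. All component names and FIT values are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class FailureMode(Enum):
    """Base failure-mode categories, with the detected/undetected split for safe and dangerous."""
    SAFE_DETECTED = "SD"
    SAFE_UNDETECTED = "SU"
    DANGEROUS_DETECTED = "DD"
    DANGEROUS_UNDETECTED = "DU"
    ANNUNCIATION = "AU"   # diagnostics degraded, safety function unaffected
    NO_EFFECT = "NE"      # part of the safety function, but no effect on it


@dataclass(frozen=True)
class FailureRate:
    component: str
    mode: FailureMode
    fit: float  # failures per 1e9 hours (FIT)


# Constructed FMEDA-style breakdown for a hypothetical transmitter element.
EXAMPLE_FMEDA = [
    FailureRate("sensing bridge", FailureMode.DANGEROUS_UNDETECTED, 80.0),
    FailureRate("ADC", FailureMode.DANGEROUS_DETECTED, 120.0),
    FailureRate("output stage", FailureMode.SAFE_DETECTED, 100.0),
    FailureRate("power supply", FailureMode.SAFE_UNDETECTED, 60.0),
    FailureRate("watchdog", FailureMode.ANNUNCIATION, 40.0),
    FailureRate("status LED", FailureMode.NO_EFFECT, 500.0),
]

SAFE = {FailureMode.SAFE_DETECTED, FailureMode.SAFE_UNDETECTED}
DD = {FailureMode.DANGEROUS_DETECTED}
DU = {FailureMode.DANGEROUS_UNDETECTED}
OTHER = {FailureMode.ANNUNCIATION, FailureMode.NO_EFFECT}


def sum_fit(rates, modes):
    """Total failure rate (FIT) of all entries whose mode is in `modes`."""
    return sum(r.fit for r in rates if r.mode in modes)


def sff_iec61508(rates):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU); AU and NE are not considered."""
    safe, dd, du = sum_fit(rates, SAFE), sum_fit(rates, DD), sum_fit(rates, DU)
    total = safe + dd + du
    if total == 0:
        raise ValueError("no safe or dangerous failure rates: SFF is undefined")
    return (safe + dd) / total


def sff_counting_other_as_safe(rates):
    """Inflated SFF obtained when annunciation and no-effect failures are lumped in as safe."""
    numerator = sum_fit(rates, SAFE | DD | OTHER)
    return numerator / (numerator + sum_fit(rates, DU))
```

With the constructed data the standard ratio gives 280/360 (about 77.8%), while lumping the other categories in as safe gives 820/900 (about 91.1%).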
1.4 Safe Failure Fraction (SFF)
It is exida’s position that the SFF should be calculated as follows [Rationale 4].