Safety Instrumented Systems (SIS), Safety Integrity Levels (SIL), IEC 61508, and Honeywell Field Instruments

Honeywell Field Instruments are ready for the new safety standards for the process industries

Background

Safety Instrumented Systems

In 1996, the Instrument Society of America published standard ANSI/ISA S84.01-1996, "Application of safety instrumented systems for the process industries." This standard was accepted by the American National Standards Institute (ANSI) in March of 1997, and thus became enforceable under OSHA's process safety management (PSM) and the EPA's risk management program (RMP).

During 1998 through 2000, the International Electrotechnical Commission (IEC) published the IEC 61508 and IEC 61511 standards. The IEC 61508 standard, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems," is for suppliers of microprocessor-based instrumentation to the process, medical, and avionics industries. The IEC 61511 standard, "Functional Safety: Safety Instrumented Systems for the Process Industry Sector," is for end users and engineering firms, detailing the requirements for design and implementation of safety instrumented systems (SIS) for the process industries. IEC and ISA are working together to standardize on IEC 61511 as the global SIS standard, which would make IEC 61508 the global standard for manufacturers.

End users (e.g., petrochemical plants) are increasingly using safety instrumented systems (SIS) to complement their process control systems. A SIS is utilized when the risk of an accident needs to be reduced.
SIS is defined by ISA S84.01 and IEC 61508 as:

SIS loop: "An SIS is a distinct, reliable system used to safeguard a process to prevent a catastrophic release of toxic, flammable, or explosive chemicals."

SIS loop scope: "System composed of sensors, logic solvers, and final control elements for the purpose of taking a process to a safe state, when predetermined conditions are violated."

Every element in the loop is part of the SIS, and needs to be considered when doing an analysis of the SIS. This could include pressure and temperature transmitters, a control system or stand-alone controller, control valves or other final control devices, electrical wiring, process piping, power supplies, software, etc. The function of the SIS is to monitor the process for potentially dangerous conditions (process demands), and to take action when needed to protect the process.

Safety Integrity Level

The Safety Integrity Level (SIL) is a statistical representation of the integrity of the SIS when a process demand occurs. The purpose of the SIS is to reduce risk, so SIL levels can be defined in terms of the risk reduction factor (RRF). The inverse of the RRF is the probability of failure on demand (PFD), so RRF = 1/PFD. IEC 61508 defines SIL levels 1 through 4, with SIL 1 representing the lowest level of risk reduction (the highest tolerable PFD) and SIL 4 representing the highest.

  SIL   Availability Required   Probability to Fail on Demand   1/PFD (RRF)
  4     >99.99%                 1E-05 to 1E-04                  100,000 to 10,000
  3     99.90% to 99.99%        1E-04 to 1E-03                  10,000 to 1,000
  2     99.00% to 99.90%        1E-03 to 1E-02                  1,000 to 100
  1     90.00% to 99.00%        1E-02 to 1E-01                  100 to 10

For example, the end user can define a process as a SIL 1 SIS, accepting the risk that the SIS will be available 90% of the time (for a 10% chance of failure). For instance, a low water level on a storage tank will normally (90% of the time) be expected to trip a sensor, which in turn will control a valve to refill the tank. 10% of the time, the SIS is expected to fail, and the tank will not be refilled.

IEC 61508 and Honeywell

One of the steps required to achieve functional safety certification per IEC 61508 is a Failure Modes, Effects, and Diagnostic Analysis (FMEDA). Companies like TUV and Exida offer their services to perform the FMEDA. The result is a certificate, which contains the information that the end user needs to complete a statistical analysis of the SIS. Honeywell used Exida to perform the FMEDA for the ST 3000® pressure transmitters, and model STT25H HART* temperature transmitter. Attached to this note is a copy of the certificate for the pressure transmitters. The certificates are also available online at http://field-measurement.com/.

The following definitions will be useful when reading the FMEDA:

Diagnostic Coverage: The fraction of the failure rate detected by the operation of internal diagnostic tests. This fraction is expressed as the ratio of the failure rates that are associated with the detected failures to the total failure rate in any mode.

Fail Dangerous: Failure that deviates the measured input state or the actual output by more than 2% of span and that leaves the output within active scale.

Fail Dangerous Detected: Failure that is potentially dangerous but that is detected by internal diagnostics and converted to the selected fail-safe state.

Fail Dangerous Undetected: Failure that is dangerous and that is not detected by internal diagnostics.

Fail High: Failure that will result in an output current that is higher than 20 mA.

Fail Low: Failure that will result in an output current that is lower than 4 mA.

Fail Safe: Failure that results in the presentation of the selected fail-safe input or output condition independent of the actual input state.

Fail Safe Detected: Failure that leads to a safe state and that is detected by internal diagnostics.

Fail Safe Undetected: Failure that leads to a safe state and that is not detected by internal diagnostics.

Safe Failure Fraction: The fraction of the overall failure rate of a device that results in either a safe fault or a diagnosed unsafe fault.

Note: For this device, it is assumed that options are set so that detected failures cause the unit to go to under-range.

ST 3000 Pressure Transmitter FMEDA Certificate

Date: ______________________________
Honeywell Model: ______________________________
Serial Number: ______________________________
Tag Number: ______________________________
Customer PO Number: ______________________________

A Failure Modes, Effects and Diagnostics Analysis is one of the steps taken to achieve functional safety certification per IEC 61508 of a device. From the FMEDA, failure rates and safe failure fraction are determined for the analog operating modes with either the HART or DE Protocol. The failure rates for the ST Integral Meter were also evaluated. This FMEDA includes all hardware, electronic and mechanical. For full certification purposes all requirements of IEC 61508 must be considered, including the software of the transmitter.

The ST 3000 transmitter is an isolated two-wire 4 to 20 mA smart device classified as Type B according to IEC 61508. It contains self-diagnostics and is programmed to send its output to a specified failure state, either high or low, upon internal detection of a failure.
The failure rates, safe failure fraction and PFDavg calculation for the ST 3000 pressure transmitter with HART Protocol operating in a clean service are as follows*:

  λH     = 47.88 × 10^-9 failures per hour
  λL     = 296.70 × 10^-9 failures per hour
  λDU    = 145.84 × 10^-9 failures per hour
  SFF    = 70.26%
  PFDavg = 6.41E-4 for a one year time interval

The failure rates, safe failure fraction and PFDavg calculation for the ST 3000 pressure transmitter with DE Protocol operating in a clean service are as follows*:

  λH     = 47.88 × 10^-9 failures per hour
  λL     = 292.60 × 10^-9 failures per hour
  λDU    = 139.74 × 10^-9 failures per hour
  SFF    = 70.90%
  PFDavg = 6.14E-4 for a one year time interval

Based on a 35% PFDavg budget for the sensor subsystem, both transmitters would meet the PFDavg requirements of SIL 2 in a single configuration. Both transmitters would meet the architectural constraint requirements in IEC 61508 at a level of SIL 1 for a single configuration.

Summary

As the process industry moves toward adopting the newer safety standards, Honeywell Field Instruments are poised to meet the challenge. The FMEDA certificates, available for the ST 3000 pressure transmitters and the HART temperature transmitter (STT25H), are only a part of what Honeywell has to offer. Honeywell's TPS system is the industry leader in building plant safety, with the Fail Safe Control (FSC®) safety system. In addition, the FSC SafeCalc is a software tool that was specially developed by Honeywell Safety Management System to perform SIL validation calculations in accordance with the international IEC 61508 standard. It helps users carry out a quantitative analysis of the reliability (safety integrity) of the designed safety-instrumented functions. It can carry out complicated reliability calculations fast and accurately. Further information about the TPS system can be found at http://www.acs.honeywell.com/ichome/

ST 3000® and FSC® are registered trademarks of Honeywell International Inc.
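As an added worked example (not Honeywell's code, nor the FMEDA or FSC SafeCalc tool), the Python below applies the certificate figures from the ST 3000 section above: it recomputes the safe failure fraction from λH, λL and λDU, derives a PFDavg for a one-year proof-test interval, checks that PFDavg against the 35% sensor-subsystem budget using the SIL table earlier in this note, and applies the architectural constraint for a single Type B device. Assumptions: λH and λL are treated as safe or detected failures (this reproduces the certificate's 70.26% and 70.90%), PFDavg uses the textbook single-channel approximation λDU·T/2 since the certificate's own method is not stated, and the Type B, HFT 0 thresholds (SFF 60%, 90%, 99% for SIL 1, 2, 3) are taken from IEC 61508-2, not from this page.

```python
HOURS_PER_YEAR = 8760.0

# SIL bands from the table in this note: (SIL, lower PFD, upper PFD)
SIL_PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# IEC 61508-2 architectural constraints for a Type B device with HFT = 0
# (one transmitter): minimum SFF per SIL claim. From the standard, not this page.
TYPE_B_HFT0 = [(0.99, 3), (0.90, 2), (0.60, 1)]

def safe_failure_fraction(lam_h, lam_l, lam_du):
    """SFF = (safe + dangerous-detected) / total failure rate.
    Fail-high and fail-low outputs leave the 4-20 mA active scale and are
    caught by the logic solver, so only lambda_DU counts as dangerous undetected."""
    return (lam_h + lam_l) / (lam_h + lam_l + lam_du)

def pfd_avg(lam_du, test_interval_h):
    """Single-channel approximation PFDavg ~= lambda_DU * T / 2 (assumption;
    the certificate's own calculation method is not given in the note)."""
    return lam_du * test_interval_h / 2.0

def sil_from_budget(pfd, budget_fraction):
    """Highest SIL whose PFD upper bound, scaled by the subsystem's share of
    the loop budget (35% for the sensor here), still covers this PFDavg."""
    for sil, _low, high in SIL_PFD_BANDS:
        if pfd <= budget_fraction * high:
            return sil
    return 0  # worse than SIL 1 even with the whole loop budget

def architectural_sil(sff):
    """Type B, HFT 0: highest SIL the safe failure fraction permits (0 = none)."""
    for min_sff, sil in TYPE_B_HFT0:
        if sff >= min_sff:
            return sil
    return 0

def assess(lam_h, lam_l, lam_du, budget_fraction=0.35, test_interval_h=HOURS_PER_YEAR):
    """Run both checks; a single-unit claim is capped by the lower of the two."""
    sff = safe_failure_fraction(lam_h, lam_l, lam_du)
    pfd = pfd_avg(lam_du, test_interval_h)
    by_pfd, by_arch = sil_from_budget(pfd, budget_fraction), architectural_sil(sff)
    return {"sff": sff, "pfd_avg": pfd, "sil_pfd_budget": by_pfd,
            "sil_architectural": by_arch, "sil_single_unit": min(by_pfd, by_arch)}

# ST 3000 with HART protocol, failure rates per hour as quoted in the certificate
ST3000_HART = assess(47.88e-9, 296.70e-9, 145.84e-9)
```

The approximation lands at 6.39E-4 against the certificate's 6.41E-4, and the two checks return SIL 2 (PFD budget) and SIL 1 (architectural constraint), matching the certificate's conclusions.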
*HART is a trademark of the HART Communications Foundation.

Industrial Measurement and Control, http://www.honeywell.com/imc
5006 7/2002 © Honeywell International Inc.