Safety Instrumented Systems (SIS), Safety Integrity Levels
(SIL), IEC61508, and Honeywell Field Instruments
Honeywell Field Instruments are ready for the new safety standards for the process industries
Background
Safety Instrumented Systems
In 1996, the Instrument Society of
America published standard ANSI/ISA S84.011996 “Application of safety instrumented
systems for the process industries.” This
standard was accepted by the American
National Standards Institute (ANSI) in March
of 1997, and thus became enforceable under
OSHA’s process safety management (PSM)
and the EPA’s risk management program
(RMP).
During 1998 through 2000, the
International Electrotechnical Commission
(IEC) published the IEC 61508 and IEC 61511
standards.
The IEC 61508 standard, “Functional
Safety of Electrical/Electronic/Programmable
Electronic Safety-related Systems,” is for
suppliers of microprocessor-based
instrumentation to the process, medical, and
avionics industries.
The IEC 61511 standard, “Functional
Safety: Safety Instrumented Systems for the
Process Industry Sector,” is for end users and
engineering firms detailing the requirements
for design and implementation of safety
instrumented systems (SIS) for the process
industries.
IEC and ISA are working together to
standardize on IEC 61511 as the global SIS
standard, which would make IEC 61508 the
global standard for manufacturers.
End users (e.g., petrochemical plants)
are increasingly using safety instrumented
systems (SIS) to complement their process
control systems. A SIS is utilized when the risk
of an accident needs to be reduced. SIS is
defined by ISA S84.01 and IEC 61508 as:
SIS loop: “An SIS is a distinct, reliable
system used to safeguard a process to prevent a
catastrophic release of toxic, flammable, or
explosive chemicals.”
SIS loop scope: “System composed of
sensors, logic solvers, and final control
elements for the purpose of taking a process to
a safe state, when predetermined conditions are
violated.”
Every element in the loop is part of the
SIS, and needs to be considered when doing an
analysis of the SIS. This could include pressure
and temperature transmitters, a control system
or stand-alone controller, control valves or
other final control devices, electrical wiring,
process piping, power supplies, software, etc.
The function of the SIS is to monitor
the process for potentially dangerous
conditions (process demands), and to take
action when needed to protect the process.
Safety Integrity Level
The Safety Integrity Level (SIL) is a
statistical representation of the integrity of the
SIS when a process demand occurs. The
purpose of the SIS is to reduce risk, so SIL
levels can be defined in terms of the risk
reduction factor (RRF). The inverse of the RRF
is the probability of failure on demand (PFD),
so RRF = 1/PFD. IEC 61508 defines SIL levels
1 through 4, with SIL level 1 representing the
lowest acceptable risk level, and SIL level 4
representing the highest acceptable risk level.
Safety
Integrity
Level
4
Availability
Required
3
99.9099.99%
99.00 99.90%
90.00 99.00%
2
1
>99.99%
Probability to
Fail on
Demand
E-005 to
E-004
E-004 to
E-003
E-003 to
E-002
E-002 to
E-001
1/PFD
(RRF)
100,000 to
10,000
10,000 to
1,000
1,000 to
100
100 to 10
Diagnostic Coverage: The fraction of the
failure rate detected by the operation of
internal diagnostic tests. This fraction is
expressed as the ratio of the failure rates
that are associated with the detected
failures to the total failure rate in any
mode. For this device, it is assumed that
options are set so that detected failures
cause the unit to go to under-range.
Fail Dangerous Detected: Failure that is
potentially dangerous but that is
detected by internal diagnostics and
converted to the selected fail-safe state.
For example, the end user can define a process
as a SIL 1 SIS, accepting the risk that the SIS
will be available 90% of the time (for a 10%
chance of failure). For instance, a low water
level on a storage tank will normally (90% of
the time) be expected to trip a sensor, which in
turn will control a valve to refill the tank. 10%
of the time, the SIS is expected to fail, and the
tank will not be refilled.
Fail Dangerous Undetected: Failure that is
dangerous and that is not being
diagnosed by internal diagnostics.
IEC 61508 and Honeywell
Fail High: Failure that will result in an output
current that is higher than 20 mA.
One of the steps required to achieve
functional safety certification per IEC 61508 is
a Failure Modes, Effects, and Diagnostic
Analysis (FMEDA). Companies like TUV and
Exida offer their services to perform the
FMEDA. The result is a certificate, which
contains the information that the end user needs
to complete a statistical analysis of the SIS.
Honeywell used Exida to perform the
FMEDA for the ST 3000® pressure
transmitters, and model STT25H HART*
temperature transmitter. Attached to this note is
a copy of the certificate for the pressure
transmitters. The certificates are also available
online at http://field-measurement.com/.
The following definitions will be useful
when reading the FMEDA:
Fail Dangerous: Failure that deviates the
measured input state or the actual
output by more than 2% of span and
that leaves the output within active
scale.
Fail Low: Failure that will result in an output
current that is lower than 4 mA.
Fail Safe Detected: Failure that leads to a safe
state and that is detected by internal
diagnostics.
Fail Safe Undetected: Failure that leads to a
safe state and that is not detected by
internal diagnostics.
Fail Safe: Failure that results in the
presentation of the selected fail-safe
input or output condition independent
of the actual input state.
Safe Failure Fraction: The fraction of the
overall failure rate of a device that
results in either a safe fault or a
diagnosed unsafe fault.
ST 3000 Pressure Transmitter FMEDA
Certificate
Date: ______________________________
Honeywell ______________________________
Model:
Serial ______________________________
Number:
Tag ______________________________
Number:
Customer ______________________________
PO
Number:
A Failure Modes, Effects and Diagnostics Analysis is one of the steps taken to achieve functional safety certification
per IEC61508 of a device. From the FMEDA, failure rates and safe failure fraction are determined for the analog
operating modes with either the HART or DE Protocol. The failure rates for the ST Integral Meter were also
evaluated. This FMEDA includes all hardware, electronic and mechanical. For full certification purposes all
requirements of IEC61508 must be considered including the software of the transmitter.
The ST 3000 transmitter is an isolated two-wire 4 to 20mA smart device classified as Type B according to IEC61508.
It contains self-diagnostics and is programmed to send its output to a specified failure state, either high or low, upon
internal detection of a failure.
The failure rates, safe failure fraction and PFDavg calculation for the ST 3000 pressure transmitter with HART
Protocol operating in a clean service are as follows*:
λH
λL
DU
λ
SFF
PFDavg
=
=
=
=
=
47.88 * 10-9 failures per hour
296.70 * 10-9 failures per hour
145.84 * 10-9 failures per hour
70.26%
6.41E-4 for a one year time interval
The failure rates, safe failure fraction and PFDavg calculation for the ST 3000 pressure transmitter with DE Protocol
operating in a clean service are as follows*:
λH
λL
DU
λ
SFF
PFDavg
=
=
=
=
=
47.88 * 10-9 failures per hour
292.60 * 10-9 failures per hour
139.74 * 10-9 failures per hour
70.90%
6.14E-4 for a one year time interval.
Based on a 35% PFDavg budget for the sensor subsystem, both transmitters would meet the PFDavg requirements
of SIL2 in a single configuration. Both transmitters would meet the architectural constraint requirements in IEC61508
at a level of SIL1 for a single configuration.
Summary
As the process industry moves toward adopting
the newer safety standards, Honeywell Field
Instruments are poised to meet the challenge.
The FMEDA certificate, available for the
ST 3000 pressure transmitters and the HART
temperature transmitter (STT25H), are only a
part of what Honeywell has to offer.
Honeywell’s TPS system is the industry leader
in building plant safety, with the Fail Safe
Control (FSC®) safety system. In addition, the
FSC SafeCalc is a software tool that was
specially developed by Honeywell Safety
Management System to perform SIL validation
calculations in accordance with the
international IEC 61508 standard. It helps users
carry out a quantitative analysis of the
reliability (safety integrity) of the designed
safety-instrumented functions. It can carry out
complicated reliability calculations fast and
accurately.
Further information about the TPS system can
be found at
http://www.acs.honeywell.com/ichome/
ST 3000® and FSC® are registered trademarks of Honeywell International Inc.
*HART is a trademark of the HART Communications Foundation.
U.S.A.: Honeywell Industrial Measurement and Control, 16404 North Black Canyon Hwy., Phoenix, AZ 85053 Canada: The Honeywell Centre, 155 Gordon
Baker Rd., North York, Ontario M2H 3N7 Latin America: Honeywell Inc., 480 Sawgrass Corporate Parkway, Suite 200, Sunrise, Florida 33325 Japan:
Honeywell K.K. 14-6 Shibaura 1-chome, Minato-ku, Tokyo, Japan 105-0023 Asia: Honeywell Pte. Ltd., Honeywell Building, 17 Changi Business Park Central
1, Singapore 486073 Pacific Division: Honeywell Pty Ltd., 5 Thomas Holt Drive, North Ryde NSW Australia 2113 Europe and Africa: Honeywell S.A.,
Avenue du Bourget 3, 1140 Brussels, Belgium Eastern Europe: Honeywell Praha,s.r.o. Budejovicka 1, 140 21 Prague 4, Czech Republic Middle East:
Honeywell Middle East Ltd., Technology Park, Cert Complex, Block Q, Murror Rd., Abu Dhabi, U.A.E.
Industrial Measurement and Control
http://www.honeywell.com/imc
w.pdf 5006 7/2002 © Honeywell International Inc.