
Microelectronics Reliability 51 (2011) 1503–1507


A simplified procedure for the analysis of Safety Instrumented Systems in the process industry application
M. Catelani, L. Ciani , V. Luongo
Department of Electronics and Telecommunications, University of Florence, Via S. Marta 3, 50139 Florence, Italy

Abstract
International Standards and Guidelines propose qualitative and quantitative methodologies for the safety assessment of the Safety Instrumented System (SIS). However, some of these methodologies are often complex and not very easy to apply. In fact, technicians devoted to functional safety run into several critical points, such as the study of SIS with complex architectures, the calculation of safety parameters, difficulties in the identification of the SIS subsystems during the design review to guarantee the safety requirements, and so on. The aim of this paper is to propose a simplified and more efficient methodology for the safety assessment of electromechanical SIS in compliance with the Standards IEC 61508 and IEC 61511. The proposed technique is based on an alternative implementation of the Reliability Block Diagram (RBD) approach for the performance analysis of the Safety Instrumented System. In order to demonstrate the advantages of the proposal, a case study of some safety functions is considered. With respect to other methodologies normally used for safety analysis, the results proved the proposed approach to be both easier to apply and time-saving. In addition, such results are comparatively close to those obtained by using the Standard methods.
© 2011 Published by Elsevier Ltd.

Article history:
Received 27 May 2011
Received in revised form 12 July 2011
Accepted 13 July 2011
Available online 11 August 2011

1. Introduction

The increase of both reliability and safety requirements in the context of the process industry pushes designers continuously to face technical specification challenges in order to meet tighter reliability, maintainability and availability constraints. A way to approach such issues, especially those concerning safety aspects, is suggested by IEC 61508 [1] and, in particular, by IEC 61511 [2]. These international Standards are related to safety systems for Electric, Electronic and Programmable Electronic systems (E/E/PEs). In particular, such Standards establish criteria and guidelines which enable the management of a device from the very first phases of the project up to the decommissioning or disposal of the product from the market. Unfortunately, the application of these Standards is often complex [3,4] and, therefore, can lead to an increase of time in the safety assessment phase. Other techniques are proposed in the literature, such as Fault Tree Analysis (FTA) [5], Markov analysis [6], and a mathematical method based on the MacLaurin series [7], but such techniques are often too complex or too expensive in terms of cost and time. For these reasons, an alternative application of the RBD methodology is proposed in this paper in order to provide a faster, clearer and feasible approach to verify the SIS performance.

After a brief recall of the Standard approach in Section 2, a new procedure for the safety performance analysis of SIS, based on the RBD methodology, is presented in Section 3 with the aim of obtaining an easier and faster analysis compared with the Standards methodologies. The case study for the SIL verification addressed in this Section, concerning three complex safety functions, demonstrates the validity of the proposed approach.

* Corresponding author. Tel./fax: +39 055 4796393. E-mail address: lorenzo.ciani@unifi.it (L. Ciani).
0026-2714/$ - see front matter © 2011 Published by Elsevier Ltd. doi:10.1016/j.microrel.2011.07.044

2. Standard approach

The role of a SIS is to provide a safety-related function in order to monitor and maintain the safety of any equipment under its control in response to hazardous events. Each SIS can implement one or more Safety Instrumented Functions (SIF), each characterized by a Safety Integrity Level (SIL). The safety function is performed by bringing the process in a pre-determined way into a stable and safe state. To this aim IEC Standards 61508 and 61511 define four safety integrity levels, from SIL 1 to SIL 4. For each SIL level many design requirements can be defined. In particular, the operational demand modes of the safety system are distinguished by two different dependability parameters: average PFD (Probability of Failure on Demand) and PFH (Probability of dangerous Failure per Hour), as shown in Table 1. Operation in low-demand mode means that the safety function is not required more than once per year and not more than twice within the proof-test interval. This test interval represents the time after which a subsystem must be either totally checked or replaced to ensure that it is in an as-new condition. In high-demand mode, instead, the frequency of the operational demand must be more than once a year or more than twice the proof-test interval.

Table 1. Quantitative SIL requirements.
SIL | Low-demand mode of operation: Average Probability of Failure on Demand (PFDavg) | High-demand mode of operation: Probability of dangerous Failure per Hour (PFH)
SIL 4 | 10^−5 ≤ PFDavg < 10^−4 | 10^−9 ≤ PFH < 10^−8
SIL 3 | 10^−4 ≤ PFDavg < 10^−3 | 10^−8 ≤ PFH < 10^−7
SIL 2 | 10^−3 ≤ PFDavg < 10^−2 | 10^−7 ≤ PFH < 10^−6
SIL 1 | 10^−2 ≤ PFDavg < 10^−1 | 10^−6 ≤ PFH < 10^−5

The IEC Standards provide a guideline for validation and verification of safety systems. In particular, part 6 of IEC 61508 suggests a procedure for evaluating PFD, or PFH values, and the equivalent SIL level, on the basis of the following assumptions:
1. the sensor subsystem comprises the actual sensors and any other components and wiring, up to but not including the components where the signals are first combined by voting or other processing;
2. the logic subsystem (or logic solver) comprises the components where the signals are first combined, and all other components up to and including where the final signals are presented to the final elements subsystem;
3. the final element subsystem comprises all the components and wiring which process the final signals from the logic subsystem, including the final actuating components.
Considering the assumptions above, the Probability of Failure on Demand of a safety function carried out by a Safety Instrumented System (PFD_SYS) is determined by the sum of the PFD of all the subsystems (S, sensor; L, logic; FE, final elements) which provide the safety function as:

$PFD_{SYS} = PFD_{S} + PFD_{L} + PFD_{FE}$   (1)

At this point, the Standard suggests drawing the block diagram showing the sensor subsystem components, logic subsystem components and final element subsystem components, representing each subsystem as one or more voted groups 1oo1, 1oo2, 2oo2, and so on (see Fig. 1). The procedure suggested by the Standard is based on a SIS decomposition into three subsystems, each with a specific architecture, representing the SIS as shown in Fig. 1. In the presence of complex architectures, this approach becomes tricky and is not always well understood by the technicians responsible for the safety integrity verification and validation of the SIS. In fact, because IEC 61508-6 does not explain the definitions and PFD calculations for its examples in detail, it is difficult to use the Standard as guidance in practice. This is an important issue because the end-users are typically not involved in the actual design of the SIS, since this design phase is often outsourced to a system engineer. In addition, it is important to consider that the Standard assumes only the simple architectures 1oo1, 1oo2, 2oo2 and 2oo3. So there are no indications that can help technicians in the PFD calculation for different architectures.

Fig. 1. SIS subsystem structure.

3. Proposed approach

With the aim to eliminate the ambiguities and minimize the difficulties in the use of the Standards methodologies, a new approach based on an alternative implementation of the RBD technique is proposed. The technique developed in this paper is based on the following assumptions:
• The component failure rates are evaluated by means of a reliability prediction handbook and are then optimized by using field return data. In particular, for electronic parts the MIL-HDBK-217 [8] and IEC 62830 [9] are taken into consideration. For electromechanical and mechanical elements the handbook of reliability prediction procedures for mechanical equipment [10] and the OREDA Offshore Reliability Data Handbook [11] have been used.
• The proof test interval is at least one order of magnitude greater than the diagnostic test interval.
• All channels in a voted group have the same failure rate and diagnostic coverage rate.
• The failure rate classification into safe and dangerous failures, requested by [1], is estimated by using the classification obtained with the FMEDA (Failure Modes, Effects and Diagnostic Analysis) technique instead of the Standard method, in order to perform an accurate classification between safe and dangerous failures.
A simplified division of failures into 50% safe and 50% dangerous, as suggested in IEC 61508, could lead to an erroneous value of both PFD and PFH and, consequently, to an inaccurate SIL assessment. The FMEDA approach, therefore, allows the design to be optimized in terms of costs and complexity [12]. In detail, the failure rate classification is defined as follows:
λ_DU: dangerous undetected failure rate
λ_DD: dangerous detected failure rate
λ_SD: safe detected failure rate
λ_SU: safe undetected failure rate
λ_S = λ_SU + λ_SD: safe failure rate
λ_D = λ_DU + λ_DD: dangerous failure rate
where all failure rates are in hours^−1.

The simplified procedure proposed in this work concerns the introduction of an immediate and efficient reliability model for the PFD calculation, in order to clarify the safety aspects even for end-users or other technicians not strictly involved in safety issues. The approach is based on the Reliability Block Diagram (RBD) methodology but is characterized by a different application procedure compared to the well known guideline. For a given system, the RBD is a graphic representation of the required functionality; it shows, in fact, the logical connection among the components needed to fulfil a specific system function or a mission. For this reason the safety function RBD resembles the physical structure of the SIS, and the sequence of blocks may be similar to the sequence of component activation. The procedure proposed in this paper considers, first of all, the logic architecture of a safety function. The first step is to identify each component involved in the safety function taken into account, in order to draw the relevant RBD. Each block has to be considered as an element as described in [1,2]: an element must contain all equipment/devices that are needed to perform a safety function; so the definition of the block typology and complexity is made at the element level, and not at the safety function level.


Once the block diagram is created, it is possible to calculate the Probability of Failure on Demand of each safety function present in the SIS (PFD_SYS). Assuming PFD_i is the unreliability of a generic i-th element, simple probability theory applies to the series, parallel and KooN functional configurations, as shown in the following equations [13]:

$PFD_{SYS} = 1 - \prod_{i=1}^{N} \left(1 - PFD_i\right)$, for series functional configuration   (2)

$PFD_{SYS} = \prod_{i=1}^{M} PFD_i$, for parallel functional configuration   (3)

$PFD_{SYS} = 1 - \sum_{r=K}^{N} \binom{N}{r} \left(1 - PFD_i\right)^{r} PFD_i^{\,N-r}$, for KooN functional configuration   (4)

in the hypothesis of independent events. In each formula, PFD_i represents the value of Probability of Failure on Demand of the i-th block of the system. It can be calculated with the relevant Standard formulas for architecture 1oo1, 1oo2, 2oo2 and so on, in order to consider the effect of common cause failures too. The proposed procedure can be summarized in the following steps:
• determine the logic architecture of the safety function;
• classify whether the system works in low-demand mode or high-demand mode;
• identify each element in the safety function;
• calculate the PFD or PFH value at element level, considering the relevant architecture, with the Standard formula;
• calculate PFD_SYS (or PFH_SYS) considering the logic relations among the elements by means of Eqs. (2)–(4), respectively for series, parallel and KooN functional configurations;
• verify the achievable SIL considering the Standards parameters shown in Table 1.
This methodology allows every complex system to be analyzed, with a simple decomposition of the SIS into elements that reflect the reliability structure of the system concerned. The Standards consider only a few typologies of architectures, so for particular customized configurations it is not clear how the system safety assessment can be approached: the proposed approach intends to solve this critical limitation.

3.1. Case studies

Three different cases of safety functions, denoted as SF1, SF2 and SF3, were taken into account. The RBDs of the analyzed safety functions are shown in Figs. 2–4, respectively. SF1, SF2 and SF3 represent the safety functions present in a complex system designed for process industry application. Nevertheless, the proposed methodology can be applied to every type of system. As has already been said, first of all, for each safety function it is necessary to determine the logic architecture, in which each block of the RBD has to represent an element of the SIS. For example, if a transmitter is used to perform a measurement and communicate it to the logic solver, then the element or block is made up of the connections, the sensor and the transmitter. If an isolation barrier is present with the transmitter, then the block has to also include the barrier. Each element is studied and a value of PFD is computed. To better understand the methodology, let us consider the first case study, with the safety function SF1. The element/block named T1 is a sensor element with architecture 1oo1. So, the PFD of T1 is obtained as:

$PFD_{T1} = \lambda_{D} \, t_{CE}$   (5)

where t_CE is the channel equivalent mean down time (in hours) evaluated as:

$t_{CE} = \frac{\lambda_{DU}}{\lambda_{D}} \left(\frac{T_1}{2} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_{D}} \, MTTR$   (6)

and MTTR denotes the mean time to restoration (in hours), while T_1 represents the proof test interval (in hours). The same formula is applied for all the elements/blocks with architecture 1oo1 (BR1, BR2, CC, CPU, SL, TV, TR1, TR2). Another, more complex typology of element is represented by the blocks named STA and STB, which are the valve elements. Each of these is constituted by solenoids, actuators and valves. The architecture of these blocks is 1oo2, and the PFD can be evaluated as follows:

$PFD_{STA/B} = 2\left[(1 - \beta_D)\lambda_{DD} + (1 - \beta)\lambda_{DU}\right]^2 t_{CE} \, t_{GE} + \beta_D \lambda_{DD} \, MTTR + \beta \lambda_{DU} \left(\frac{T_1}{2} + MTTR\right)$   (7)

where the value of t_CE is given according to Eq. (6) and t_GE is the equivalent mean down time (in hours) of the voted group:

$t_{GE} = \frac{\lambda_{DU}}{\lambda_{D}} \left(\frac{T_1}{3} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_{D}} \, MTTR$   (8)

The parameters β and β_D of Eq. (7) denote, respectively, the fraction of undetected and detected failures that have a common cause. Once every block has been completely studied, and the PFD value has been calculated by Eqs. (3)–(5), the PFD of the safety function can be easily obtained (see Fig. 5). The PFD of SF1 is given by the unreliability of the system. So, considering the Reliability Block Diagram obtained by the PFD decomposition of SF1, probability theory is applicable. In particular, PFD_S1, PFD_S2 and PFD_S5 are given by:

$PFD_{S1} = 1 - (1 - PFD_{T1})(1 - PFD_{BR1})(1 - PFD_{CC})(1 - PFD_{CPU})$   (9)

$PFD_{S2} = 1 - (1 - PFD_{T2})(1 - PFD_{BR2})(1 - PFD_{CC})(1 - PFD_{CPU})$   (10)

$PFD_{S5} = 1 - (1 - PFD_{TV})(1 - PFD_{TR1})(1 - PFD_{TR2})$   (11)

Considering that S1 and S2 are identical (PFD_S1 is equal to PFD_S2) and are combined in a KooN functional configuration with K = 1 and N = 2, PFD_S6 is calculated by:

$PFD_{S6} = 1 - \sum_{r=1}^{2} \binom{2}{r} \left(1 - PFD_{S1}\right)^{r} PFD_{S1}^{\,2-r}$   (12)

The same considerations can be made for the subsystem S4, where the items STA and STB are identical. Thus the calculation of PFD_S4 is carried out by:

$PFD_{S4} = 1 - \sum_{r=1}^{2} \binom{2}{r} \left(1 - PFD_{STA}\right)^{r} PFD_{STA}^{\,2-r}$   (13)

Finally, PFD_SYS is obtained considering the series of the macro-blocks S6, S3, S4 and S5 as:

$PFD_{SYS} = 1 - (1 - PFD_{S6})(1 - PFD_{S3})(1 - PFD_{S4})(1 - PFD_{S5})$   (14)

This decomposition permits a faster and more efficient identification of those parts of a SIS that do not satisfy the safety requirements, and therefore the proposed methodology leads to an optimization of the SIS design phase as well.
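As an added worked example, not the paper's own code or data, the procedure of Section 3 applied to SF1 in Python: the element formulas of Eqs. (5)–(8), the RBD composition of Eqs. (9)–(14) and the SIL classification of Table 1. All failure rates, T1, MTTR, β and β_D values are constructed, and since the paper does not state how macro-block S3 is formed, it is assumed here to be the element SL.

```python
# Added example, not the paper's code or data: the element formulas of
# Eqs. (5)-(8), the RBD composition of Eqs. (9)-(14) for SF1 and the SIL
# bands of Table 1. Rates, T1, MTTR and beta values are constructed.
from math import comb, prod

# Table 1, low-demand mode: (lower bound, upper bound, SIL)
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]

def sil_from_pfd(pfd_avg):  # SIL met by a PFDavg, 0 if no SIL 1-4 band applies
    for low, high, sil in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0

def t_ce(l_du, l_dd, t1, mttr):
    """Channel equivalent mean down time, Eq. (6)."""
    l_d = l_du + l_dd
    return (l_du / l_d) * (t1 / 2 + mttr) + (l_dd / l_d) * mttr

def t_ge(l_du, l_dd, t1, mttr):
    """Voted-group equivalent mean down time for 1oo2, Eq. (8)."""
    l_d = l_du + l_dd
    return (l_du / l_d) * (t1 / 3 + mttr) + (l_dd / l_d) * mttr

def pfd_1oo1(l_du, l_dd, t1, mttr):  # Eq. (5): PFD = lambda_D * t_CE
    return (l_du + l_dd) * t_ce(l_du, l_dd, t1, mttr)

def pfd_1oo2(l_du, l_dd, t1, mttr, beta, beta_d):
    """Eq. (7): independent-failure term plus beta-model common-cause term."""
    tce, tge = t_ce(l_du, l_dd, t1, mttr), t_ge(l_du, l_dd, t1, mttr)
    independent = 2 * ((1 - beta_d) * l_dd + (1 - beta) * l_du) ** 2 * tce * tge
    common_cause = beta_d * l_dd * mttr + beta * l_du * (t1 / 2 + mttr)
    return independent + common_cause

def series(pfds):  # Eq. (2): every block must work, PFD = 1 - prod(1 - PFD_i)
    return 1 - prod(1 - p for p in pfds)

def koon(k, n, pfd_i):  # Eq. (4): N identical blocks, at least K must work
    return 1 - sum(comb(n, r) * (1 - pfd_i) ** r * pfd_i ** (n - r)
                   for r in range(k, n + 1))

def sf1_pfd_sys(e):
    """Eqs. (9)-(14) over a dict of element PFDs keyed by RBD block name."""
    pfd_s1 = series([e["T1"], e["BR1"], e["CC"], e["CPU"]])  # Eq. (9); S2 identical
    pfd_s5 = series([e["TV"], e["TR1"], e["TR2"]])           # Eq. (11)
    pfd_s6 = koon(1, 2, pfd_s1)                              # Eq. (12)
    pfd_s4 = koon(1, 2, e["STA"])                            # Eq. (13); STB identical
    pfd_s3 = e["SL"]  # assumption: the paper does not say how S3 is built
    return series([pfd_s6, pfd_s3, pfd_s4, pfd_s5])          # Eq. (14)

def run_case(t1=8760.0, mttr=8.0):
    """Constructed SF1 input: yearly proof test, 8 h MTTR, rates in 1/h."""
    one = lambda l_du, l_dd: pfd_1oo1(l_du, l_dd, t1, mttr)
    e = {"T1": one(1e-6, 4e-6), "BR1": one(2e-7, 2e-7), "CC": one(1e-7, 9e-7),
         "CPU": one(1e-7, 1.9e-6), "SL": one(5e-7, 5e-7), "TV": one(3e-7, 0.0),
         "TR1": one(5e-7, 5e-7), "TR2": one(5e-7, 5e-7),
         "STA": pfd_1oo2(1e-6, 4e-6, t1, mttr, beta=0.1, beta_d=0.05)}
    pfd_sys = sf1_pfd_sys(e)
    return pfd_sys, sil_from_pfd(pfd_sys)

if __name__ == "__main__":
    pfd_sys, sil = run_case()
    print(f"PFD_SYS(SF1) = {pfd_sys:.2e} -> SIL {sil}")
```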


Fig. 2. Reliability Block Diagram of the safety function SF1.

Fig. 3. Reliability Block Diagram of the safety function SF2.

Fig. 4. Reliability Block Diagram of the safety function SF3.


Fig. 5. PFD decomposition RBD of safety function SF1.

Table 2. PFD (Probability of Failure on Demand) of the analyzed SIS safety functions.
Safety function | PFD_SYS (STD) | PFD_SYS (RBD) | SIL
SF1 | 3.03 × 10^−3 | 3.14 × 10^−3 | SIL 2
SF2 | 3.05 × 10^−4 | 4.24 × 10^−4 | SIL 2
SF3 | 4.12 × 10^−4 | 5.02 × 10^−4 | SIL 2

In Table 2, the PFD_SYS values calculated with the Standard method (STD) and with the new procedure proposed in this paper (RBD) are summarized. It can be observed that the results are very close to the Standard ones and therefore show the validity of the proposed approach. The main difference between the two methods lies in the division of the system. For the example related to SF3, for instance, the Standard approach does not seem very clear, because the division into three subsystems is not simple, considering the sensor and logic system architecture. The proposed approach, instead, shows a system decomposition into blocks that are easy to study, following well known probability theory.

4. Conclusion

The Standards IEC 61508 [1] and IEC 61511 [2] have created an international platform for the design and development of safety-related components, sub-systems and Safety Instrumented Systems. The Standards give detailed planning to evaluate the safety performances, but these procedures are very often too complex to apply and therefore do not allow the safety design to be optimized. For these reasons a new procedure, based on an alternative application of the well known Reliability Block Diagram (RBD) methodology, is proposed in this paper for the analysis of the Safety Instrumented System. In order to demonstrate the validity of the proposal, a case study of several safety functions is presented. The results show agreement with the corresponding results obtained by means of the Standard. In addition, the proposed approach is easier in application, faster and can lead to an optimization of the safety design costs compared to the traditional methods. Technicians, especially in the presence of complex systems, can be helped by the use of RBD models, as suggested in this paper. Moreover, the use of the proposed approach and the consequent decomposition of the safety functions under examination allow both to identify and to correct the subpart of the SIS which does not respect the safety requirements. Finally, the new procedure which has been proposed is general purpose and can also be used in other types of safety assessment, i.e. in the machinery, transportation, biomedical and automotive [14] fields, in which safety aspects represent key issues.

References

[1] IEC 61508. Electric/Electronic/Programmable Electronic safety-related systems, parts 1–7. Technical report, International Electrotechnical Commission; May 2010.
[2] IEC 61511. Functional safety: safety instrumented systems for the process industry sector, parts 1–3. Geneva: International Electrotechnical Commission; 2003.
[3] Gall H. Functional safety IEC 61508/IEC 61511: the impact to certification and the user. In: Proceedings of IEEE/ACS international conference on computer systems and applications; 2008. p. 1027–31.
[4] Schrrs B. Functional safety: IEC 61511 and the industrial implementation. In: Proceedings of seventh international conference on networked sensing systems (INSS); June 2010. p. 458, 158.
[5] Dutuit Y, Innal F, Rauzy A, Signoret J-P. Probabilistic assessments in relationship with safety integrity levels by using Fault Trees. Reliab Eng Syst Safety 2008;93(12):1867–76.
[6] Zhang Tieling, Long Wei, Sato Yoshinobu. Availability of systems with self-diagnostic components: applying Markov model to IEC 61508-6. Reliab Eng Syst Safety 2003;80(2):133–41.
[7] Burcsuk J. Development of safety related systems. IEEE Int Forum Strat Technol 2007:564–9. 3–6 October.
[8] USA Department of Defence. MIL-HDBK-217F military handbook: reliability prediction of electronic equipment; 1991 (and later versions).
[9] IEC TR 62380. Reliability data handbook: universal model for reliability prediction of electronics components, PCBs and equipment (emerged from UTEC 80-810 or RDF 2000); 2004.
[10] NSWC, Naval Surface Warfare Center. Handbook of reliability prediction procedures for mechanical equipment, Carderock Division, Logistics Engineering Technology Branch, NSWC-10; January 2010.
[11] SINTEF Industrial Management. OREDA Offshore Reliability Data Handbook. 4th ed.; 2002.
[12] Catelani M, Ciani L, Luongo V. The FMEDA approach to improve the safety assessment according to the IEC61508. Microelectron Reliab 2010;50(9–11):1230–5.
[13] Rausand M, Høyland A. System reliability theory. 2nd ed. Hoboken, New Jersey: J. Wiley & Sons, Inc.; 2004.
[14] Bellotti M, Mariani R. How future automotive functional safety requirements will impact microprocessors design. Microelectron Reliab 2010;50(9–11):1320–6.
