SIL Part 2: Architectural Constraints

SIL achievement requires that the design of a safety function meets three specific criteria as outlined in the standard. This section will concentrate on number 2 – Architectural constraints.

What is functional safety?

Functional safety is the active detection of potentially dangerous conditions, resulting in a demand on a protective mechanism or function to prevent or reduce the impact of hazardous events that might otherwise occur.

Forming part of the overall safety of the equipment under control (EUC), functional safety focuses on electronics and related software.

IEC 61508 is an international standard for “Functional safety of electrical/electronic/programmable electronic safety-related systems”. As the umbrella standard for functional safety, it forms the foundation of many industry-specific derivatives, such as IEC 61511 for the process industry.

Following a safety lifecycle model, the standards formalize the management of functional safety and provide measures and techniques for the design of Safety Instrumented Systems (SIS) and associated Safety Instrumented Functions (SIF).

IEC 61511 Safety lifecycle

A key element of the safety lifecycle is the creation of the Safety Requirement Specification (SRS). Based on inputs from the hazard and risk assessment stages of the lifecycle, this document is the blueprint for the functionality, integrity and validation of the safety system design.

What is SIL?

The Safety Requirement Specification documents the level of residual risk reduction required of the safety system design and assigns a corresponding target SIL.

SIL, or Safety Integrity Level, is a relative level of risk reduction provided by a safety function. Four SILs, from 1 to 4, are defined, with SIL 4 offering the highest level of safety integrity and the largest corresponding risk reduction factor.

SIL   Risk Reduction Factor (RRF)
 4    > 10,000 to ≤ 100,000
 3    > 1,000 to ≤ 10,000
 2    > 100 to ≤ 1,000
 1    > 10 to ≤ 100

How is a specific SIL achieved?

SIL achievement requires that the design of a safety function meets three specific criteria as outlined in the standard.

These strict criteria are: Random hardware integrity, Architectural constraints and Systematic capability.

This section will concentrate on number 2 – Architectural Constraints. For information on Random Hardware Integrity and Systematic Capability please click on the relevant links.

PR electronics offers a range of SIL certified devices to cover a wide selection of SIL applications.

What are architectural constraints?

Historically, obtaining accurate and reliable failure rate data for electrical/electronic and programmable electronic devices was very difficult. Inconsistent measuring and reporting of field failures together with overly optimistic failure rate data from manufacturers meant that designs based on these assumptions could often be unsuitable and unsafe.

To compensate for this, functional safety standards imposed architectural constraints depending on the SIL required. This meant that a minimum hardware fault tolerance (HFT) was required to complement claimed failure rates, adding more integrity to the safety system design.

Hardware fault tolerance is the addition of redundant elements so that the safety function can still be performed after a given number of dangerous failures, e.g. a 1oo1 architecture has HFT 0 and a 1oo2 architecture has HFT 1.

The latest release of IEC 61511 offers 3 routes to satisfying the architectural constraints of a safety function:

  • IEC 61508 route 1H
  • IEC 61508 route 2H
  • IEC 61511 clause 11, 11.4.5 to 11.4.9 (derived from IEC 61508 route 2H)

IEC 61508 route 1H

This route is primarily for new devices that have no historical data. The hardware fault tolerance required is based on the device type and a safe failure fraction calculation.

There are two defined device types, Type A and Type B. Type A devices are simple devices with well understood failure modes, while Type B devices are complex devices, often containing microprocessors or software.

Safe Failure Fraction (SFF) is the proportion of a device's total failure rate that is made up of safe failures and dangerous detected failures, expressed as a percentage.

Tables provided in the standards show minimum hardware fault tolerances based on target SIL.
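
As an added worked example (not code from the article or from PR electronics), the route 1H check described above in Python: it computes SFF from the safe, dangerous-detected and dangerous-undetected failure rates, derives HFT from an MooN voting architecture, and looks the result up in IEC 61508-2:2010 Tables 2 and 3, whose cell values are reproduced here; the failure rates used in the demonstration are constructed values.

```python
# Added example, not from the article: an IEC 61508 route 1H check.
# Cell values are from IEC 61508-2:2010 Table 2 (Type A) and Table 3 (Type B);
# rows are SFF bands (<60%, 60-<90%, 90-<99%, >=99%), columns HFT 0, 1, 2.
# None means the configuration is not allowed at any SIL.
ROUTE_1H = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}


def safe_failure_fraction(lam_s, lam_dd, lam_du):
    """SFF in percent: (safe + dangerous detected) over total failure rate."""
    return 100.0 * (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def hft_of(architecture):
    """HFT of an MooN voting architecture: N - M, e.g. '1oo2' -> 1, '2oo3' -> 1."""
    m, n = (int(x) for x in architecture.lower().split("oo"))
    return n - m


def sff_band(sff):
    """Row index of the route 1H tables for an SFF given in percent."""
    return 0 if sff < 60 else 1 if sff < 90 else 2 if sff < 99 else 3


def max_sil_route_1h(device_type, sff, hft):
    """Highest SIL claimable under route 1H, or None if not allowed.
    The tables stop at HFT 2, so a higher HFT is treated as 2 (assumption)."""
    return ROUTE_1H[device_type][sff_band(sff)][min(hft, 2)]


def meets_target(device_type, rates, architecture, target_sil):
    """True if the architecture satisfies the architectural constraints for target_sil."""
    sff = safe_failure_fraction(*rates)
    allowed = max_sil_route_1h(device_type, sff, hft_of(architecture))
    return allowed is not None and allowed >= target_sil


if __name__ == "__main__":
    # Constructed failure rates in FIT (failures per 1e9 h) for a Type B device:
    # lambda_S, lambda_DD, lambda_DU -> SFF = 800 / 900 = 88.9 % (60-<90 % band)
    rates = (500.0, 300.0, 100.0)
    for arch in ("1oo1", "1oo2", "2oo3"):
        print(f"Type B {arch}: meets SIL 2? {meets_target('B', rates, arch, 2)}")
```

With the constructed rates a single Type B device only reaches SIL 1, while either redundant architecture (HFT 1) satisfies the SIL 2 constraint.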

IEC 61508 route 1H table

IEC 61511 v IEC 61508 route 2H

The table of IEC 61511 for architectural constraints is based on the IEC 61508 route 2H approach.

IEC 61511 – HFT requirements according to SIL

Added in the second edition of IEC 61508 (2010), route 2H determines hardware fault tolerance based on the quality of historical field reliability data.

IEC 61508 states that the data used should be based on field feedback for equipment in use in a similar application and environment, should have been collected in accordance with published standards (e.g. IEC 60300-3-2 or ISO 14224), and should be evaluated according to:

  • the amount of field feedback; and
  • the exercise of expert judgement; and, when needed,
  • the undertaking of specific tests.

There also needs to be a high confidence level (90%) in the data used to satisfy IEC 61508:2010 route 2H.

IEC 61511 clause 11.4.9 states "reliability data used in the calculation of the failure measure should be determined by an upper bound statistical confidence limit of no less than 70%."
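
To make the confidence-limit requirement concrete, here is an added example (not from the article or the standards) that computes a one-sided upper confidence bound on a failure rate from a constructed field record, assuming the usual constant-rate (Poisson) model for time-truncated field observation; it shows how the 90% bound of route 2H is more conservative than the 70% bound of IEC 61511 11.4.9.

```python
# Added example, not from the article: one-sided upper confidence bound on a
# failure rate estimated from field data.  Assumes the usual constant-rate
# (Poisson) model for time-truncated observation: the bound at confidence C is
# the largest rate at which seeing r or fewer failures in T device-hours is
# still at least (1 - C) probable.  Rates are per hour; to_fit converts to FIT.
import math


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), summed term by term (k is small here)."""
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def upper_bound_failure_rate(failures, hours, confidence):
    """Upper confidence limit on lambda, found by bisection on the Poisson CDF."""
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi * hours) > target:   # make sure hi brackets the root
        hi *= 2.0
    for _ in range(200):                                 # the CDF decreases as lambda grows
        mid = 0.5 * (lo + hi)
        if poisson_cdf(failures, mid * hours) > target:
            lo = mid
        else:
            hi = mid
    return hi


def to_fit(rate_per_hour):
    """Failures per 1e9 hours, the unit most reliability databases report."""
    return rate_per_hour * 1e9


if __name__ == "__main__":
    # Constructed field record: 3 dangerous failures in 2e7 device-hours
    r, t = 3, 2.0e7
    print(f"point estimate: {to_fit(r / t):.0f} FIT")
    for c in (0.70, 0.90):
        print(f"{c:.0%} upper bound: {to_fit(upper_bound_failure_rate(r, t, c)):.0f} FIT")
```

For the constructed record the point estimate is 150 FIT, the 70% upper bound about 238 FIT and the 90% upper bound about 334 FIT, which is the figure a route 2H claim would have to carry into the PFD calculation.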

Although both IEC 61508 route 2H and IEC 61511 can be used, it is important to fully understand, document and validate the evidence used to justify these approaches.

Achieving the Architectural Constraints for a safety function does not in itself prove target SIL achievement. Consideration must also be given to Random Hardware Integrity and Systematic Capability.