SIL and Gas Detection Systems – Draeger

According to the SIL standard EN 61508, a key parameter of a protective system is its average probability of failure on demand within a defined proof test interval. To create gas detection systems that can be classified as, for example, SIL 2, designers must take care when selecting subsystems to stay within certain numerical limits that apply to the reliability parameters, and also to comply with the measurement performance regulations.

Safety Integrity Level

In this application note we look at EN 61508 (or IEC 61508) which enables system designers, assuming certain conditions are met, to demonstrate the reliability of a safety-oriented system by means of numerical evaluation. According to EN 61508, a protective system used to avoid damage to persons, the environment and assets must meet certain reliability requirements – depending on the extent of the damage likely to occur – which are defined on the basis of what is called Safety Integrity Level (SIL).

“Reliability” in this context is based on probability, such as “How likely is it that a protective system will fail at just the moment it is supposed to be carrying out its safety function?”

Introduction: Dangerous Failures

Safety-oriented systems need to be designed so that failures with a negative effect on functional safety are recognized, dealt with and reported by appropriate self-diagnostic facilities and test routines, and the system is returned to a safe condition; detectable dangerous failures must be remedied immediately. Note that a system in a safe condition, while safe, is not necessarily available for operation at that time.

Even diagnostic systems have their limits, however: to some degree there will always be undetectable dangerous failures, i.e. failures which remain undetected and cause the safety function, or Safety Integrity Function (SIF), to fail; the only way to uncover such failures is to conduct routine system checks. This is why the time between two such tests, the proof test interval TP, plays such an important role in safety analyses.

The proportion of the total failure rate made up of safe failures (i.e. failures which impair the safety function but are detectable, or failures which have no effect on the safety function) is termed the Safe Failure Fraction (SFF). For SIL 2 systems the SFF must exceed 90%; in other words, the proportion of undetectable dangerous failures must not be greater than 10%.

This, however, is not enough: if such undetectable dangerous failures do exist, the probability of their occurring within the proof test interval TP must also be assessed, to determine how likely it is that the protective system will fail at precisely the moment the safety function is needed.

Probability of Failure on Demand

The statistical parameter describing the undetectable dangerous failure together with the proof test interval is known as the average probability of failure on demand, PFDAVG, and, depending on the required SIL, must not exceed certain limits. For systems conforming to SIL 2, steps must be taken to ensure that PFDAVG is less than 0.01, i.e. that the protective system fails no more than once in every 100 times the safety function is required.

Functional safety and the average probability of failure on demand PFDAVG, however, relate to the system as a whole, which can be divided into the following subsystems:

  • sensor (SE, probability of failure on demand PFDSE),
  • logic solver (LS, probability of failure on demand PFDLS) and
  • final elements (FE, probability of failure on demand PFDFE).

For the system as a whole, the probability of failure on demand is calculated by adding together these three probabilities, as follows:

PFDAVG = PFDSE + PFDLS + PFDFE

To calculate the PFDSE of a sensor, a very detailed evaluation of every conceivable type of failure and its effects at every level, right down to the component level, has to be performed (FMEDA: Failure Modes, Effects and Diagnostic Analysis); this requires the assistance of experts specialized in such analyses. The outcome of the FMEDA is a list of the different failure types and their calculated failure rates λ (in h⁻¹), from which in particular the failure rate λDU of undetectable dangerous failures can be derived (DU stands for dangerous undetected). Such a failure would occur, for example, if due to an internal fault a 4-20 mA transmitter for gas detection showed a measurement signal of 4 mA (“no gas”) despite the presence of dangerously high gas concentrations. If this type of rare failure occurs, it remains undetected until the next routine test is conducted (proof test interval TP), at which point it is discovered immediately and remedied within a very short time (MTTR, mean time to restore). Statistically speaking, such a failure remains undetected for half of the proof test interval TP. During this period, plus the time needed for repair, the system is unable to perform its safety function. Correspondingly, in this case the average probability of failure on demand can be calculated as follows:

PFDAVG = ½ · λDU · (TP + MTTR) ≈ ½ · λDU · TP

Since repairs generally take only a few hours while the proof test interval covers a period of several months, this approximation is permissible.

Example:

The failure rate of an undetectable dangerous failure is λDU = 10⁻⁶ h⁻¹ (i.e. one failure in 10⁶ hours, or 114 years). If the system is tested annually (every 8,760 hours), the following applies:

PFDAVG = ½ · λDU · TP = ½ · 10⁻⁶ · 8760 = 4.38·10⁻³

Dangerous failures detected by diagnostic facilities (failure rate λDD, DD stands for dangerous detected) also have an effect on the PFD, even if a lesser one, since the safety function is not available during the repair time MTTR. The MTTR is generally taken to be 8 hours, though this naturally assumes sufficient stocks of spare parts and a repair service that is initiated without delay. Here too, as with compliance with the required proof test intervals TP, the safety engineer is responsible.

If system parts are of redundant design or subject to voting (e.g. a two-out-of-three decision), different rules apply from those in the above formula; for two-fold redundancy, for example, the probability of failure on demand is

PFDAVG = ⅓ · (λDU · TP)²

Although the resulting figures are very small (with the above values, PFDAVG = 2.6·10⁻⁵), realistically consideration must also be given to failures which affect both subsystems simultaneously and thereby remove the redundancy again; these are known as common cause failures. Their proportion is expressed by a β-factor, which is usually assumed to be 0.05 or 0.1.

In practice, this common cause (second) term is usually the larger of the two, even for a small β-factor.

System design

The PFDAVG of the system as a whole, therefore, is determined by

  • the failure rate of undetectable dangerous failure λDU
  • the choice of proof test intervals TP
  • the architecture (linear, redundant, voting).

For a subsystem, the failure rate λDU is determined by conducting an FMEDA, is usually certified by independent testing institutes, and is then safeguarded by quality assurance measures. The system designer is therefore free to define the proof test interval and the architecture of the system as a whole. There are practical limits, however: companies do not want testing intervals to be too short, since that results in more frequent downtime, and redundancy and voting incur considerable costs.

The system designer’s goal, therefore, is to use subsystems which, when tested just once a year and provided with no redundancy whatsoever, fall as far below the maximum permissible PFD as possible.

For a system classified as SIL 2, for example, the designer will achieve the aforementioned goal by using a sensor with PFDSE = 0.002 and a logic solver with PFDLS = 0.001, each based on annual proof testing. To ensure the PFDAVG < 0.01 that is required for SIL 2, the final elements still to be procured must have a PFDFE of less than 0.007 if they are also to be tested only once a year.

HFT and redundancies

The hardware failure tolerance HFT describes the behavior of a complex system or subsystem in a failure condition. In the case of a linear architecture (a system without redundancies), the safety function is no longer guaranteed if just one failure occurs (HFT = 0), while a redundant architecture remains operational even when a failure occurs (HFT = 1 or higher).

Hardware failure    Safe Failure Fraction (SFF)
tolerance (HFT)     < 60 %                   60 % … < 90 %             90 % … < 99 %
0                   –                        SIL 1 if PFDAVG < 0.1     SIL 2 if PFDAVG < 0.01
1                   SIL 1 if PFDAVG < 0.1    SIL 2 if PFDAVG < 0.01    SIL 3 if PFDAVG < 0.001
2                   SIL 2 if PFDAVG < 0.01   SIL 3 if PFDAVG < 0.001   SIL 4 if PFDAVG < 0.00001

As can be seen from the above table (see EN 61508, Section 7.4.3.1.4), SIL 2 classification can only be achieved for linear architecture (HFT = 0) if the SFF is greater than 90%, i.e. the proportion of undetectable dangerous failures must be below 10%. If, on the other hand, the SFF is only 80%, SIL 2 can only be achieved by means of redundancy (HFT = 1).

The functional safety of a subsystem (of a sensor), therefore, can only be fully specified if the PFD with the respective proof test interval TP, the SFF and the HFT are stated. 

Sensor for SIL 2

As 4-20 mA transmitters for gas detection, Dräger Safety offers three instruments assessed by an independent institute (Exida):

Transmitter       Principle of measurement                            λDU              SFF      PFDSE if TP = 1 year *)
Polytron 2 IR     Infrared, combustible gases and vapors              2.92·10⁻⁸ h⁻¹    96.5 %   1.28·10⁻⁴
Polytron Pulsar   Open path infrared, combustible gases and vapors    1.09·10⁻⁷ h⁻¹    91.9 %   4.75·10⁻⁴
Polytron 7000     Electrochemical, toxic gases and oxygen             3.56·10⁻⁷ h⁻¹    90.8 %   1.56·10⁻³

*) For SIL 2 systems, the PFDSE of the sensor should not exceed 3.5·10⁻³.

As can be seen from the relevant figures given in the table for the Polytron transmitters, these sensors are ideally suited for creating a gas detection system classified as SIL 2.

In the interests of clarity and ease of comprehension, the fact that EN 61508 requires the complete life cycle of a protective system to be taken into consideration, especially aspects of operation and maintenance, has been ignored in this article. Instead, the focus was on familiarizing the reader with the relevant terms and definitions contained in this standard relating to protective systems.

Solution from Dräger

Besides the functional safety data for the SIL-assessed transmitters Polytron 2 IR, Polytron 7000 and Pulsar, there is a further report (Vectra) showing how to combine the Dräger transmitters Polytron IR Ex, Polytron Ex or Polytron 2 with Regard controllers to achieve a SIL-2-rated system. This has been done for

  • a single channel system with Polytron Ex or Polytron IR Ex and a single channel 4-20 mA card
  • a 2-out-of-3 system with Polytron Ex or Polytron IR Ex and a single channel 4-20 mA card
  • a single channel system with Polytron Ex or Polytron IR Ex and a Regard system with power supply
  • a 2-out-of-3 system with Polytron Ex or Polytron IR Ex and a Regard system with one power supply
  • a single channel system with Polytron 2 and a Regard system with power supply and sampling unit
  • a single channel open-path system with Pulsar and a Regard system with power supply

Example (single channel system, proof test interval TP = 1 year):

Polytron 2 IR (PFD = 1.28·10⁻⁴) → 4-20 mA input card (PFD = 4.6·10⁻³) → final element

SIL-2 is achieved if the final element has a PFD lower than 5.272·10⁻³.
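The PFD arithmetic of this note (the 1oo1 and two-fold redundancy formulas, the sum over sensor, logic solver and final element, the SIL 2 budget for a final element, and the HFT/SFF table) gathered into one script. This is an added example, not Dräger's or Exida's code; it assumes the IEC 61508-6 simplified form β · ½ · λDU · TP for the common cause term the page only calls "the second term", and it rejects SFF values of 99 % and above because the page's table stops there.

```python
# Added example (not from the original page): SIL/PFD helpers for the note's formulas.
# Assumptions: common-cause term beta * 1/2 * lambda_DU * TP (IEC 61508-6 simplified form);
# the SFF band ">= 99 %" is not on the page, so such values raise an error.

HOURS_PER_YEAR = 8760.0
SIL2_PFD_LIMIT = 0.01  # SIL 2: PFDavg must be < 0.01

def sff(lambda_safe, lambda_dd, lambda_du):
    """Safe Failure Fraction: share of the total failure rate that is safe or dangerous-detected."""
    return (lambda_safe + lambda_dd) / (lambda_safe + lambda_dd + lambda_du)

def pfd_1oo1(lambda_du, tp_hours, mttr_hours=0.0):
    """Linear (HFT = 0) architecture: PFDavg = 1/2 * lambda_DU * (TP + MTTR).
    With mttr_hours = 0 this is the page's approximation 1/2 * lambda_DU * TP."""
    return 0.5 * lambda_du * (tp_hours + mttr_hours)

def pfd_1oo2(lambda_du, tp_hours, beta=0.0):
    """Two-fold redundancy. Returns (independent_term, common_cause_term):
    1/3 * (lambda_DU * TP)^2 from the page, plus beta * 1/2 * lambda_DU * TP (assumed form)."""
    independent = (lambda_du * tp_hours) ** 2 / 3.0
    common_cause = beta * 0.5 * lambda_du * tp_hours
    return independent, common_cause

def system_pfd(pfd_se, pfd_ls, pfd_fe):
    """PFDavg of the whole loop is the sum over sensor, logic solver and final element."""
    return pfd_se + pfd_ls + pfd_fe

def final_element_budget(pfd_se, pfd_ls, limit=SIL2_PFD_LIMIT):
    """Largest PFD a still-to-be-procured final element may have to stay under the limit."""
    return limit - pfd_se - pfd_ls

# Architectural constraints from the page's table (EN 61508, 7.4.3.1.4):
# rows HFT 0/1/2, columns SFF < 60 %, 60..<90 %, 90..<99 %; None = no SIL claimable.
_ARCH_TABLE = {0: (None, 1, 2), 1: (1, 2, 3), 2: (2, 3, 4)}

def architectural_sil(hft, sff_value):
    """Highest SIL the HFT/SFF combination permits, independent of the PFD."""
    if not 0.0 <= sff_value < 0.99:
        raise ValueError("SFF outside the range covered by the page's table")
    band = 0 if sff_value < 0.60 else 1 if sff_value < 0.90 else 2
    return _ARCH_TABLE[hft][band]

def sil2_achievable(hft, sff_value, pfd_avg):
    """SIL 2 needs both the architectural constraint and PFDavg < 0.01."""
    arch = architectural_sil(hft, sff_value)
    return arch is not None and arch >= 2 and pfd_avg < SIL2_PFD_LIMIT
```

Feeding in the page's numbers reproduces its results: λDU = 10⁻⁶ h⁻¹ with annual testing gives PFDAVG = 4.38·10⁻³ for 1oo1, the final element budget behind a Polytron 2 IR and the 4-20 mA input card is 5.272·10⁻³, and the β term dominates the 1oo2 figure even at β = 0.05.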
