
Research Report 029 - Health and Safety Executive

HSE Health & Safety Executive

Proposal for requirements for low complexity safety related systems

Prepared by RM Consultants Limited for the Health and Safety Executive, 2002

RESEARCH REPORT 029

RM Consultants Limited
Genesis Centre
Birchwood Science Park
Risley
Warrington
Cheshire WA3 7BH
United Kingdom

A framework is proposed for the application of IEC 61508 to low complexity systems such as simple relay based interlock arrangements commonly found in machinery safeguarding applications. A scheme for architectural constraints is proposed which limits the Safety Integrity Levels (SILs) which can be claimed for low complexity systems of various degrees of hardware fault tolerance. The scheme is consistent with the principles of IEC 61508 while simplifying the requirements.




Comparisons of the numerically and qualitatively assessed SILs on the basis of annual proof testing, annual functional testing only, and taking into account CCF are included for 18 example circuits. The proposed scheme has been shown to be consistent with the achievement of the target failure rate and PFD of the relevant SIL for low complexity systems. In order to simplify the process of reliability analysis to satisfy the requirements for hardware reliability, conservative values based on generic reliability data are proposed for particular components. Requirements for action on failure detection and for the avoidance of systematic failures are also proposed based on IEC 61508 but tailored for low complexity systems. The examples in this report are taken from the machinery sector but the principles described will also be applicable in other sectors. This report and the work it describes were funded by the Health and Safety Executive (HSE).

Its contents, including any opinions and/or conclusions expressed, are those of the author alone and do not necessarily reflect HSE policy.

HSE BOOKS

Crown copyright 2002
First published 2002
ISBN 0 7176 2576 1

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written permission of the copyright owner. Applications for reproduction should be made in writing to: Licensing Division, Her Majesty's Stationery Office, St Clements House, 2-16 Colegate, Norwich NR3 1BQ or by e-mail to [address not reproduced in this transcription].

GLOSSARY OF SYMBOLS, ACRONYMS AND ABBREVIATIONS

CCF      Common Cause Failure
E/E/PE   Electrical/Electronic/Programmable Electronic
EMI      Electromagnetic Interference
FMEA     Failure Modes and Effects Analysis
IEC      International Electrotechnical Commission
I/P      Input
MTTF     Mean Time to Failure
MTTR     Mean Time to Repair
O/P      Output
PFD      Probability of Failure on Demand
SFF      Safe Failure Fraction
SIL      Safety Integrity Level (as defined in IEC 61508)
SPST     Single Pole Single Throw (switch)

Symbols used in calculations

PFDS      Probability of Failure on Demand of the Sensor element of a channel of protection
PFDLS     Probability of Failure on Demand of the Logic Solver element of a channel of protection
PFDFE     Probability of Failure on Demand of the Final Element of a channel of protection
PFDSC     Probability of Failure on Demand of a Single Channel of protection
PFD1oo2   Probability of Failure on Demand of a 1 out of 2 redundancy protection system
PFD1oo3   Probability of Failure on Demand of a 1 out of 3 redundancy protection system
T         Interval between proof tests
β         Common Cause Failure Beta Factor
λ         Failure rate
λdu       Rate of dangerous, undetected failures

FOREWORD

HSE recently commissioned research into how low complexity systems based upon electromechanical devices may be designed in a way that complies with the IEC 61508 standard.

The low complexity systems considered are used in interlocking schemes similar to those commonly found in machinery safeguarding applications. This report resulted from this work and it presents a methodology for the design, integration and validation of low complexity electrical/electronic/programmable electronic safety-related systems. Whilst the report is the opinion of the author and does not necessarily reflect HSE policy, HSE offers this work as an illustration of a principled approach for the design, integration and validation of low complexity E/E/PE safety-related systems in terms of:

- Probability of dangerous random hardware failures;
- Measures to prevent (or control) systematic failures; and
- Architectural constraints on hardware integrity.

The methodology presented is supported by a series of model systems where the safety integrity level (SIL) and other requirements (proof test interval, safe failure fraction, etc.) have been pre-determined by applying the methodology to typical machinery guard interlocking schemes. HSE invites comments on the practicality and effectiveness of the recommended approach to achieving the above goals, and on any other significant aspect of the safety integrity of low complexity safety-related systems that is not addressed by this work. Please send your comments by 30 April 2003 to:

Eur Ing S Frost
Technology Division
Electrical and Control Systems Unit
Magdalen House
Stanley Precinct
Bootle
Merseyside L20 3QZ

CONTENTS

INTRODUCTION
PROPOSED FRAMEWORK FOR ARCHITECTURAL CONSTRAINTS
  Data Requirements
  Fault Exclusions
VALIDATION OF PROPOSED ARCHITECTURAL CONSTRAINTS
  Validation Using Generic Data
  Application to Actual Architectures
PROPOSED REQUIREMENTS FOR HARDWARE RELIABILITY
  Generic Failure Rates
PROPOSED REQUIREMENTS FOR ACTION ON FAILURE DETECTION
PROPOSED REQUIREMENTS FOR DEFENCES AGAINST SYSTEMATIC FAILURE
REQUIREMENTS FOR PROVEN-IN-USE
REFERENCES
APPENDIX A: DERIVATION OF COMPONENT FAILURE RATES
APPENDIX B: PFD OF A REDUNDANT SYSTEM SUBJECT TO ONLY FUNCTIONAL TESTING
APPENDIX C: CALCULATION OF FAILURE MEASURES AND COMPARISON WITH ARCHITECTURAL CONSTRAINTS FOR MACHINERY GUARDING CIRCUITS
APPENDIX D: FAILURE MODES OF ELECTRICAL / ELECTRONIC COMPONENTS FOR LOW COMPLEXITY E/E/PES AND CONSERVATIVE VALUES OF FAILURE RATE

INTRODUCTION

IEC 61508 [Reference 1] defines requirements for systems to achieve various Safety Integrity Levels (SILs). SILs are defined in terms of Frequency of Dangerous Failure (for continuously operating control systems or protection systems subjected to a high demand rate) or Probability of Failure on Demand (PFD) (for protection systems subjected to a low demand rate). The numerical definitions of the SILs are as follows:

Safety       Demand mode of operation               Continuous / high demand mode of operation
integrity    (probability of failure to perform     (probability of a dangerous failure per year)
level        its design function on demand)
4            10^-5 to < 10^-4                       10^-5 to < 10^-4
3            10^-4 to < 10^-3                       10^-4 to < 10^-3
2            10^-3 to < 10^-2                       10^-3 to < 10^-2
1            10^-2 to < 10^-1                       10^-2 to < 10^-1

TABLE 1: DEFINITION OF SAFETY INTEGRITY LEVELS (SILs)

Reference 1 gives guidance on the achievement of the above SILs based on:

- Requirements for hardware safety integrity comprising:
  o the architectural constraints on hardware safety integrity, and
  o the requirements for the probability of dangerous random hardware failures.
- Requirements for systematic safety integrity comprising:
  o the requirements for the avoidance of failures and the requirements for the control of systematic faults, or
  o evidence that the equipment is proven in use.
- The requirements for system behaviour on detection of a fault.

The architectural constraints impose limits on the SILs which can be claimed for particular architectures. These limits may result in lower SILs than are indicated by hardware reliability calculations. The limits are intended to allow for:

- Uncertainties in the data.
- Systematic failures.

The detailed requirements under each of the above general categories are applicable to all Electrical/Electronic/Programmable Electronic (E/E/PE) safety related systems and are therefore sufficiently detailed and comprehensive to cover complex programmable systems. The guidance could therefore be considered overly complex and overly restrictive for simple, generally non-programmable low complexity systems, which are defined in IEC 61508 as follows:

E/E/PE safety-related systems in which:
- the failure modes of each individual component are well defined; and
- the behaviour of the system under fault conditions can be completely determined.

These requirements will often be satisfied by systems based on relay logic as are commonly used in machinery safeguarding applications. This report proposes a simplified scheme for the application of the IEC 61508 requirements to low complexity systems.

PROPOSED FRAMEWORK FOR ARCHITECTURAL CONSTRAINTS

Consider a typical low complexity safeguarding system:

[Figure 1. Schematic Block Diagram of Simple Safeguarding System: blocks I/P Device 1, I/P Device 2, Logic and Output Device]

In IEC 61508, each of the above blocks is considered to be a subsystem and the system SIL requirement is met by utilising subsystems of an adequate (equivalent or higher) SIL. The subsystems must meet the Reliability, Architectural Constraints, Systematic Failure and Behaviour on Fault Detection requirements for that SIL. The architectural constraints on the SIL which can be claimed for subsystems performing a safety function are specified by Tables 2 and 3 in Part 2 of IEC 61508, which are reproduced below:

Safe failure fraction    Hardware fault tolerance (see Note 2)
                         0            1            2
< 60 %                   SIL1         SIL2         SIL3
60 % - < 90 %            SIL2         SIL3         SIL4
90 % - < 99 %            SIL3         SIL4         SIL4
> 99 %                   SIL3         SIL4         SIL4

NOTE 1 See IEC 61508-2 for details on interpreting this table.
NOTE 2 A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.
NOTE 3 See IEC 61508-2 annex C for details of how to calculate safe failure fraction.

TABLE 2: IEC 61508 ARCHITECTURAL CONSTRAINTS FOR TYPE A SAFETY RELATED SUBSYSTEMS

Safe failure fraction    Hardware fault tolerance (see Note 2)
                         0            1            2
< 60 %                   Not allowed  SIL1         SIL2
60 % - < 90 %            SIL1         SIL2         SIL3
90 % - < 99 %            SIL2         SIL3         SIL4
> 99 %                   SIL3         SIL4         SIL4

NOTE 1 See IEC 61508-2 for details on interpreting this table.
NOTE 2 A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.
NOTE 3 See IEC 61508-2 annex C for details of how to calculate safe failure fraction.

TABLE 3: IEC 61508 ARCHITECTURAL CONSTRAINTS FOR TYPE B SAFETY RELATED SUBSYSTEMS

The requirements for subsystems of Type A are, in accordance with IEC 61508:

A subsystem.
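As an added example (not part of the report), the following Python combines Table 1 with Tables 2 and 3 to show how the architectural constraint can cap a SIL that the PFD calculation alone would support, which is the point made in the Introduction. The SFF definition (IEC 61508-2 Annex C) and the single-channel PFD approximation λdu·T/2 (IEC 61508-6) are assumed from the standard rather than taken from this page, and every failure rate is constructed.

```python
# Added example, not from the report: claimable SIL = min(numerical SIL from
# Table 1, architectural limit from Table 2 or 3).  SFF follows IEC 61508-2
# Annex C and single-channel PFD uses the λdu*T/2 approximation of IEC 61508-6
# (neither formula is on this page); all failure rates are constructed.

# Table 1, low demand mode: SIL -> [lower, upper) PFD band.
TABLE1_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Tables 2 and 3: per SFF band (<60 %, 60-<90 %, 90-<99 %, 99 % and above), the
# maximum SIL for hardware fault tolerance 0, 1 and 2.  0 means "Not allowed".
ARCH_LIMITS = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}

def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF = (safe + dangerous detected) / all failures (rates per hour)."""
    return (lam_sd + lam_su + lam_dd) / (lam_sd + lam_su + lam_dd + lam_du)

def single_channel_pfd(lam_du, proof_test_interval_h):
    """Average PFD of one channel proof tested every T hours: λdu * T / 2."""
    return lam_du * proof_test_interval_h / 2

def sil_from_pfd(pfd):
    """Numerical SIL from Table 1; 0 if the PFD is too high even for SIL 1."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in TABLE1_PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    raise ValueError("PFD below the SIL 4 band; outside Table 1")

def architectural_limit(sff, hft, subsystem_type):
    """Maximum SIL allowed by Table 2 (type A) or Table 3 (type B)."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return ARCH_LIMITS[subsystem_type][band][min(hft, 2)]  # tables stop at HFT 2

def claimable_sil(pfd, sff, hft, subsystem_type):
    """The lower of the numerical SIL and the architectural constraint."""
    return min(sil_from_pfd(pfd), architectural_limit(sff, hft, subsystem_type))

def relay_interlock_example():
    """Constructed single-channel (HFT 0) type A relay interlock, annual proof test:
    PFD 4.38e-4 supports SIL 3 numerically, but an SFF of 50 % caps it at SIL 1."""
    lam_su, lam_du = 1e-7, 1e-7          # constructed rates, failures per hour
    pfd = single_channel_pfd(lam_du, 8760)
    sff = safe_failure_fraction(0.0, lam_su, 0.0, lam_du)
    return claimable_sil(pfd, sff, 0, "A")
```

The same interlock with HFT 1 (two independent channels) would be limited to SIL 2 by Table 2 instead, which is why the report's scheme ties claimable SIL to hardware fault tolerance.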

