Products Solutions Services

Functional Safety in practice

Whitepaper
Whitepaper
Functional Safety in practice

Register

1 Introduction ..................................................................................................................... 3
2 End user project management ........................................................................................ 3
2.1 Risk assessment and risk reduction ........................................................................................... 3
2.2 From potential hazards to safety ............................................................................................... 4
2.3 Types of errors in safety systems ............................................................................................... 5
2.4 Functional Safety Management ................................................................................................. 6
2.5 Limitation of figures – probabilistic vs. systematic .................................................................. 7
2.6 Technical requirements ............................................................................................................... 8
2.7 Qualification of personnel ........................................................................................................... 8
2.8 Requirements for a legally sound implementation .................................................................. 8
3 Design and planning of safety instrumented systems .................................................. 9
3.1 General Requirements ................................................................................................................. 9
3.2 Component selection ................................................................................................................... 9
3.2.1 Operability .................................................................................................................................... 9
3.2.2 Proof of suitability ........................................................................................................................ 9
3.2.3 Required information ................................................................................................................10
3.3 The Functional Safety Manual ..................................................................................................10
4 Safety loop calculation .................................................................................................. 11
4.1 Preliminary remarks ..................................................................................................................11
4.2 Calulation formulas....................................................................................................................12
4.3 Sample calculations ...................................................................................................................13
4.3.1 Single-channel protective system ............................................................................................13
4.3.2 Multichannel protective system ...............................................................................................14
5 Life cycle of Safety Instrumented Systems ................................................................... 20
5.1 Commissioning ...........................................................................................................................20
5.2 Safe parameterization ...............................................................................................................20
5.3 Device behavior during normal operation and during failures .............................................21
5.4 Proof test .....................................................................................................................................22
5.4.1 General ........................................................................................................................................22
5.4.2 Effect of the proof test interval on PFDavg ...............................................................................22
5.4.3 Ideal proof test............................................................................................................................23
5.4.4 Proof Test Coverage ...................................................................................................................24
5.5 Repair ..........................................................................................................................................27
5.6 Modification................................................................................................................................27
5.7 Useful lifetime ............................................................................................................................27
6 Appendix ........................................................................................................................ 28
6.1 References ...................................................................................................................................28
6.1.1 Standards ....................................................................................................................................28
6.1.2 Relevant NAMUR recommendations .......................................................................................28
6.1.3 Selected Internet Resources ......................................................................................................29
6.2 Calculations according to IEC 61508:2010 .............................................................................29
6.3 Overview calculation tools ........................................................................................................31
7 Glossary .......................................................................................................................... 32

2 / 34
Whitepaper
Functional Safety in practice

1 Introduction
Functional safety is still an intensively discussed topic in the process industry.
This document is a supplement to the Endress+Hauser publication CP01008Z "Functional safety - SIL"
and presumes the knowledge about Functional Safety gained there. It provides additional information
for more advanced practitioners without using the standard language too much. For more detailed
information, a study of relevant literature and the relevant standards is recommended.
The information in this publication is provided to the best of our knowledge. However we cannot accept
any liability from misunderstanding that may occur.

2 End user project management

2.1 Risk assessment and risk reduction

To assess the risk reduction in functional safety the relevant safety figures are a useful tool. The target
safety integrity level (SIL) characterizes the measure of the achievable risk reduction. The assessment of
risk and risk reduction are tasks of the system operator.
Based on best practice (e.g. risk graph, HAZOP, LOPA), the operator determines the risk of a plant and
the required risk reduction. For this purpose, he defines the safe state and uses appropriate measures to
ensure that the required safety functions can be performed.
Note that despite all safety measures, a residual risk remains. Failures, that are not recognized and
therefore do not lead to a safe state, remain a residual risk in the system. The operator must ensure that
the residual risk is less than the tolerable risk.

Figure 1: Risk reduction measures in facilities

There are various risk reduction measures (see Figure 1). In this document, only the risk-minimizing
measures by safety instrumented systems (SIS) are described.

3 / 34
Whitepaper
Functional Safety in practice

2.2 From potential hazards to safety

The operators of safety systems must take appropriate measures for risk assessment and risk reduction
during the entire lifecycle.
For this purpose, IEC 61508 defines certain steps:
• Risk definition and assessment according to detailed failure probabilities for the entire safety loop
from the sensor to the controller to the actuator over the entire safety lifecycle.
• Definition and implementation of measures (Functional Safety Management).
• Use of suitable (qualified) devices.

IEC 61511 defines this for safety systems as follows:

Figure 2: From potential hazards to safety

4 / 34
Whitepaper
Functional Safety in practice

2.3 Types of errors in safety systems

In safety systems, the following types of errors can occur:

• Systematic faults
• Random faults (random failures)

According to VDI / VDE 2180 Part 5, faults in the use of devices in safety systems can be controlled as
follows:

Figure 3: Measures to be taken when using devices in safety systems (Source: VDI/VDE 2180 Part 5)

5 / 34
Whitepaper
Functional Safety in practice

2.4 Functional Safety Management

Every operator of a safety-related system should implement a functional safety management system.
Below, an example of a Functional Safety Management System at an operator’s facility is given (table of
contents).

Table of contents
1 Objective / purpose
Terms and abbreviations
3 Scope
4 Organization in the safety lifecycle
4.1 Safety plan
4.2 Delegation of responsibility
4.2.1 Planning team
4.2.2 Assessment team
4.3 Risk consideration
4.3.1 Consideration of the risks within the HAZOP
4.3.2 Allocation of the scope of the relevant standard
4.3.3 Classification of the safety systems (SIS)
4.4 Preparation of system specification
4.5 Preparation of requirement specifications
4.6 Software Implementation
4.7 Verification of software
4.8 Installation and commissioning
4.9 Validation
4.10 Operation and maintenance
4.11 Decommissioning
5 Change management
6 Tests in safety lifecycle
6.1 Purpose
6.2 Tests to be carried out
6.2.1 Test of system specifications
6.2.2 Test of requirement specifications
6.2.3 Verification of software
6.2.4 Verification of correct application of assembly and
commissioning
6.2.5 Validation
7 Audit (check of operational quality features)
7.1 Purpose
7.2 Planning and execution (minimum requirements)
7.2.1 Delegation of responsibility
7.2.2 Definition of scope
7.2.3 Specification of frequency
7.2.4 Execution of the audit
7.2.5 Documentation and evaluation of results
8 Applicable Documents
9 Modification service
10 Requirement index

Figure 4: Example of the structure of a Functional Safety Management System

6 / 34
Whitepaper
Functional Safety in practice

2.5 Limitation of figures – probabilistic vs. systematic

For the assessment of the residual risk not only the results from the random hardware failures are
relevant, but also systematic faults have an impact. These are caused by non-compliance with boundary
conditions in the application area. Operators and system designers must consider the conditions and
restrictions published by the device manufacturer in the safety documentation. Non-compliance can
have impact on proper execution of the safety function. For example, exceeding the permissible ambient
temperature can downgrade the measurement accuracy.
To reduce systematic faults, functional safety management systems of both the manufacturer and the
operator are important for safe and reliable operation.
Random failures are evaluated using probabilistic methods. These failures are detected by device-
internal diagnostic measures which set the device to a safe state.
For the assessment of the residual risk in a plant, the consideration of both safety-related figures and
the avoidance of systematic faults are absolutely necessary.

Systematic faults Random failures

Plants Incorrect design None
Incorrect assembly
Incorrect commissioning
Incorrect operation
Incorrect maintenance
Process influences
Program errors in application soft-
ware
Force majeure (lightning flash,
overvoltage, …)
Test errors

Devices Specification errors Component failures

Incorrect sizing Soft errors
Incorrect design of components
Design errors
Programming errors in firmware
and system software
Test errors

Table 1: Incomplete listing of systematic errors and random failures in systems and devices

7 / 34
Whitepaper
Functional Safety in practice

2.6 Technical requirements

To assess suitability of equipment for safety instrumented systems (sensors, controllers, actuators,
interface blocks) the following methods can be used.
• Proof by certification
o Which data base was used for classification?
o How were the data collected?
o Which conditions are associated with the application?

• Verification by proven-in-use
o Evidence by manufacturer
o Evidence by end user

• Proof by type examination (up to SIL 2)

The limits of these considerations are:

• No evaluation of process connections and interfaces (like tubing)
• No failure rates for mechanical components
• Critical time considerations (response times)

Generally a standardization of hardware and software is beneficial.

2.7 Qualification of personnel

Personnel responsible for safety-related systems should be qualified as follows:
• Use of professionals
• Continuous training
• Regular exchange of experience
• Use of the same team for the same requirements

For effective functional safety management of safety-related systems, a planning team and an
assessment team should be established and the four eye principle.

Requirements for the planning team:

• Technical knowledge related to process engineering, technologies and techniques used.
• Safety knowledge based on knowledge of laws, standards and guidelines as well as technological
safety standards.

Requirements for the assessment team:

• Define which other safety professionals should be involved in the assessment.
• Define which resources are necessary to carry out the assessment.
• Independence from the planning team

2.8 Requirements for a legally sound implementation

In summary, it can be concluded that a legally sound and cost-effective implementation of safety
instrumented systems can be achieved amongst other things by the following measures:
• Creation of a Functional Safety Management System
• Standardization of hardware and software (e.g. by using certified or proven-in-use components)
• Documentation of requirements and activities / evidence
• Use of professionals

8 / 34
Whitepaper
Functional Safety in practice

3 Design and planning of safety instrumented systems

Once the plant risk is identified, the design and planning of appropriate safety systems can be started.
The reading of VDI / VDE 2180 is recommended (in particular Part 3).

3.1 General Requirements

The following general requirements should be considered amongst others in safety instrumented
systems:
• The installation of a safety instrumented system should be simple and clear.
• The critical process variable has to be measured as directly as possible.
• A safety instrumented system should not be changed during operation.
• A strict separation of process control equipment and safety instrumented systems is beneficial and
highly recommended.

3.2 Component selection

3.2.1 Operability
Amongst others, the following variables can affect the functional safety of components. This should be
considered doing component selection.
Environmental influences:
• Mechanical influences (e.g. vibration, shock, impact, static forces)
• Corrosion and other chemical attack
• Pollution
• Temperature
• Moisture
• Power supply (overvoltage, undervoltage)
• Electromagnetic influences
• Radioactivity
Influences of process media:
• Mechanical influences (e.g. pulsation, turbulence, cavitation)
• Physical influences
• Chemical influences
• Thermal influences

3.2.2 Proof of suitability

All components of safety instrumented systems must have a proof of suitability. For this, there are the
following options:
1. Components with proof of functional safety by the manufacturer: The proof is provided by a
certificate of an external Notified Body.
2. Proven-in-use components (assessment of proven-in-use with support of the manufacturer): The
proven-in-use evaluation of a device for a particular application can be determined by the end user,
including a manufacturer's declaration.
3. Proven-in-use components (assessment of proven-in-use by the end user): For devices without SIL
certificate the end user can self-declare proven-in-use in his plant.
Components assessed according to options 2 and 3 have been proven in comparable applications. How-
ever, their area of application is limited.
Components assessed according to option 1 can be used in all safety-related applications. The proof of
suitability at the end user is carried out by a shortened procedure in various applications (see, e.g.
NAMUR recommendation NE 130).

9 / 34
Whitepaper
Functional Safety in practice

3.2.3 Required information

For planning and design of safety instrumented systems the following information must be available to
the end user in advance:
• Device name and permitted versions
• Safety function of the device
• Safety-related output signal of the device
• Device type (A or B)
• Mode of operation (low demand mode, high demand mode)
• Valid hardware version
• Valid software version
• Type of assessment of the device (full assessment according to IEC 61508, proven-in-use
assessment, evaluation of field data (prior use according to IEC 61511), FMEDA)
• Availability of a functional safety manual
• Systematic safety integrity
• Hardware safety integrity
• Failure rates (λSD, λSU, λDD, λDU)
• Assessment by external Notified Body?
• Availability of a Functional Safety Management at the manufacturer?
• Availability of a manufacturer quality management system: How does a manufacturer track safety-
related systematic faults?
Notes on failure rates:
It can be assumed that various device manufacturers use different methods and tools in the
determination of failure rates of their devices. The used data base and the considered working
temperatures may differ. In addition, manufacturers may use different scopes of device evaluation
(e.g. failures of mechanical components considered or not).
Therefore, the failure rates of different device manufacturers cannot be directly compared. Thus, they
provide no statement about the quality of the device.
It is recommended to end users to define maximum values for the acceptable failure rates. All devices
with ratings below these maximum values can be used when technically suitable.

3.3 The Functional Safety Manual

The Functional Safety Manual (Safety Manual) is an important part of a safety-related device, according
to IEC 61508:2010, Annex D. It is even a mandatory requirement.
It must contain all the information to enable the integration of a device to a safety-related system.
These are basically:
• Design of the measuring system
• Safety function
• Permitted device types (e.g. permissible hardware and software version)
• Instructions for installation, commissioning, operation, maintenance, repair, modification and
decommissioning (safety lifecycle)
• Restrictions for use in safety-related systems
• Failure rates (λSD, λSU, λDD, λDU)
• Device type (A or B)
• Hardware fault tolerance
• Systematic capability
• Device behavior during operation
• Proof test (instructions and recommendations)

10 / 34
Whitepaper
Functional Safety in practice

4 Safety loop calculation

4.1 Preliminary remarks

A safety instrumented system consists of three subsystems (see Figure 5):
• Sensor subsystem
• Logic subsystem
• Actuator subsystem
Sensor and actuator subsystems can consist of several sensor and actuator groups. In addition, interface
components like power supply units have to be considered.
Each of these groups MooN consists of N channels, where M channels are sufficient to fulfill the safety
function.

Figure 5: Structure overview of a safety instrumented system

A mathematical proof for safety instrumented systems is required in IEC 61511-1: 2016, Clause 11.9.1.

11 / 34
Whitepaper
Functional Safety in practice

4.2 Calculation formulas

References for PFDavg and PFH calculation formulas:

Reference Contents
VDI/VDE 2180 Part 4, Approximation formulas for PFDavg for different architectures
Clause 6.1 MooN. Attention must be paid to the specified conditions for
the applicability of the formulas.
IEC 61508-6:2000, Annex B Formulas for PFDavg and PFH (excluding Proof Test Coverage
(PTC) and duration of use).
IEC 61508-6:2010, Annex B Formulas for PFDavg and PFH (including Proof Test Coverage
(PTC) and duration of use). Only the formula for the
architecture 1oo2 is referred to explicitly.

For the consideration in this chapter, the approximation formulas from VDI/VDE 2180 Part 4 are used.
The approximation formulas are:

Meaning of symbols:
PFD Average probability of failure on demand of the safety instrumented systems, later
referred to as PFDavg
ɉୈ୙ Failure rate of dangerous undetected failures
ଵ Proof test interval (specified in hours)
ߚ Proportion of undetected common cause failures (Common Cause Factor). A method for
determining β is specified in IEC 61508-6 Annex D. In practice, the value of β is usually in
the range 5% to 10%.

The exact calculation formulas based on IEC 61508-6: 2010 are given in chapter 6.2.

12 / 34
Whitepaper
Functional Safety in practice

4.3 Sample calculations

In this section, sample calculations are performed based on the approximation formulas. It is assumed
that the individual components are suitable for achieving the required SIL levels. The parameters used
in the calculations are examples.
Important note:
The calculations shown refer exclusively to random failures. In addition, a safety instrumented system
must always be checked for systematic integrity.
Note:
The considered examples are very simplified and serve for basic understanding only. These examples
cannot be used for an exact calculation!

4.3.1 Single-channel protective system

Example: Single channel pressure monitoring

Block diagram:

Used approximation formula:

13 / 34
Whitepaper
Functional Safety in practice

Parameters (example values) and individual results:

Safety PLC
Component Sensor Interface Interface Actuator
AI CPU DO
-8 -8 -9 -9 -9 -8 -8
λDU [1/h] 6.5×10 6.3×10 3.2×10 3.0×10 2.8×10 6.6×10 6.0×10
T1 [h] 8760 8760 87600 87600 87600 8760 8760
Hardware Safety
2 2 3 2 2
Integrity
Systematic
Safety 3 3 3 3 3
Integrity
-4 -4 -4 -4 -4 -4 -4
PFDavg (1oo1) 2.9×10 2.8×10 1.4×10 1.3×10 1.2×10 2.9×10 2.6×10

Overall result:
-4 -4 -4 -4 -4 -4 -4 -3
PFDavg = 2.9×10 + 2.8×10 + 1.4×10 + 1.3×10 + 1.2×10 + 2.9×10 + 2.6×10 = 1.5×10
-2
This protective system is mathematically suitable for safety functions up to SIL 2 (PFD avg <1×10 ). The
review of the systematic suitability gives SIL 3 (see table).
Note: As some components have a hardware safety integrity of SIL 2, the entire protective system can
only be used for safety functions up to SIL 2.

4.3.2 Multichannel protective system

Parameters used for calculation in this section (example values):

Safety PLC
Component Sensor Interface AI CPU DO Interface Actuator

-8 -8 -9 -9 -9 -8 -8
λDU [1/h) 6.5×10 6.3×10 3.2×10 3.0×10 2.8×10 6.6×10 6.0×10
T1 [h] 8760 8760 87600 87600 87600 8760 8760
Hardware
Safety 2 2 3 2 2
Integrity
Systematic
Safety 3 3 3 3 3
Integrity

14 / 34
Whitepaper
Functional Safety in practice

[Link] Homogeneous redundant sensor subsystem

Example: Pressure monitoring with homogeneous redundant sensor subsystem in voting 1oo2

Block diagram:

Used approximation formulas:

15 / 34
Whitepaper
Functional Safety in practice

Procedure for calculation:

Performing the calculation:

Overall result:
-4
PFDavg = 8.3×10
-3
This protective system is mathematically suitable for safety functions up to SIL 3 (PFDavg < 1×10 ).
Note that the actuator interface and the actuator are configured only in single channel architecture and
have hardware safety integrity of SIL 2. Hence, the entire protective system can only be used for safety
functions up to SIL 2.

16 / 34
Whitepaper
Functional Safety in practice

[Link] Homogeneous redundant sensor and actuator subsystems

Example: Pressure monitoring with homogeneous redundant sensor subsystem in voting 2oo3 and
homogeneous redundant actuator subsystem in voting 1oo2.
Note:
For reasons of availability, the voting 2oo3 is frequently preferred to 1oo2 system architecture.

Block diagramm:

Used approximation formulas:

17 / 34
Whitepaper
Functional Safety in practice

Procedure for the calculation:

18 / 34
Whitepaper
Functional Safety in practice

Performing the calculation:

Overall result:
-4
PFDavg = 1.9×10
-3
This protective system is suitable for safety functions up to SIL 3 (PFDavg <1×10 ).

19 / 34
Whitepaper
Functional Safety in practice

5 Life cycle of Safety Instrumented Systems

In the operation of safety instrumented systems, additional aspects need to be considered compared to
standard installations. These are summarized in the following sections.

5.1 Commissioning
Before commissioning of safety-related devices, the following documentation must be available:
• Operating Manual
• Functional Safety Manual
• Operator requirements (e.g. end user documentation)

The procedure for commissioning is as follows:

• Standard installation according to operating manual
• Device parameterization and lock for safety-related use, if required in the Functional Safety Manual
Commissioning may be carried out by any expert of the operator or the manufacturer or a contractor.
The Operating Manual and the Functional Safety Manual must be observed in its entirety.
Commissioning should be documented as follows:
• Create commissioning protocol (e.g. according to customer specifications or proposal in Functional
Safety Manual)
• Filing and managing the commissioning documentation by the operator

5.2 Safe parameterization

Goal of safe parameterization is to configure all parameters necessary for the safety function and to
check them for correctness. Moreover, the parameters are protected by a lock to prevent manipulation
during the execution of the safety function.
To activate the safety function (SIL mode) a sequence of operations has to be performed. Operation can
be carried out via local display (if available) or by an operator tool (e.g. FieldCare).
During the commissioning sequence, critical parameters are either automatically set to factory defaults
by the device or transferred to local display/operator tool to the settings and confirm the correctness
when passing through the startup sequence. After parameterization the SIL mode of the device must be
activated with a SIL-lock code.
The device-specific parameterization can be found in the corresponding Functional Safety Manual.

20 / 34
Whitepaper
Functional Safety in practice

5.3 Device behavior during normal operation and during failures

The safety-related output signal of the device shows a different behavior depending on the device
status. This is shown in the table below using the example of an output signal 4…20 mA (see Figure 6).

Device state Explanation Device behavior

Normal operation No device failures 1 The device behaves within specification.
Failure λSD Safe detected failure 3 The device shows a failure signal.
Failure λSU Safe undetected failure 2 The output signal is within the specified
tolerance band.
Failure λDD Dangerous detected failure 3 The device shows a failure signal.
Failure λDU Dangerous undetected failure 4 The output signal can be outside the
specified tolerance band.

A High Alarm (≥ 21.0 mA)

B Tolerance band (e.g. ± 2 %)
C Low Alarm (≤ 3.6 mA)

Figure 6: Device behavior during normal operation and during failures

21 / 34
Whitepaper
Functional Safety in practice

5.4 Proof test

5.4.1 General
Safety-related devices must be inspected for functionality at appropriate intervals. The relevant
parameter is the time interval for periodic testing (proof test interval T1). This value is to be included in
the calculation of PFDavg. It should be chosen so that PFDavg stays within the required SIL range.
du) in a safety-
related system. It is the goal to bring a safety system to an “as new” condition or as close as practical to
this condition.
Responsibility of the end user is to choose the proof test procedure and the time intervals (T1). The test
shall be carried out such that the proper function of the safety system is proven observing the inter-
action of all components. The proof test intervals for different subsystems may be of different lengths.
The proof tests must be carried out, documented and managed by the end user. For this purpose, a proof
test protocol should be created. The proof test is based on the proposal in Functional Safety Manual or
operator requirement.
To ensure a controlled process a proof test protocol with control of timing is recommended. In the
test instruction, the test procedure should be described in detail. The test documentation should be
transparent and permanently available.
IEC 61511 allows both the proof test of the entire safety system as well as the test of subsystems only.

5.4.2 Effect of the proof test interval on PFDavg

Failures are subject to an exponential distribution. The failure rate λ is constant with respect to time t
and the following equation applies to the reliability function R(t).

ሺ–ሻ ൌ ‡ି஛ή୲

The reliability indicates the degree of probability that a component will meet the requirements for a
certain period of time.
The probability of failure P(t), by definition, indicates the probability that a component has failed before
reaching a certain point in time. The failure probability function P(t) = PFD(t) is described as follows.

 ሺ–ሻ ൌ ሺ–ሻ ൌ ͳ െ ሺ–ሻ ൌ ͳ െ ‡ି஛ή୲

Simplification:
Assuming š ‫ͳ ا‬it follows: ͳ െ ‡ି୶ ൎ š
From this it follows for PFD(t) under the conditions λ = const. and ɉ ή – ‫ͳ ا‬

 ሺ–ሻ ൌ ɉ ή –

The failure rate λ is composed as follows: ɉ ൌ  ɉୈ୙ ൅ ɉୈୈ

For ɉୈୈ , the mean time to restoration (MTTR) must be taken into account and for ɉୈ୙ the total time
including MTTR for ɉୈ୙ must be considered. From this follows:

 ሺ–ሻ ൌ ɉୈ୙ ή ሺ– ൅ ሻ ൅ ɉୈୈ ή 

In practice, the fractions caused by MTTR are neglected for the calculation of PFD(t). Assuming that
MTTR = 8h << the operating time t, it follows:

 ሺ–ሻ ൌ ɉୈ୙ ή –

22 / 34
Whitepaper
Functional Safety in practice

Since the probability of failure is a linear curve, the mean value can be calculated simply by the integral
of PFD(t).

ଵ ்
 ୟ୴୥ ൌ  ή  ‫׬‬଴ భ  ሺ–ሻ†–
୲

ࢀ૚
‫۾‬۴۲‫ ܏ܞ܉‬ൌ ૃ۲‫ ܃‬ή ൬ ൅ ‫܀܂܂ۻ‬൰ ൅ ૃ۲۲ ή ‫܀܂܂ۻ‬
૛

Again, the approximation from practice can be used and the proportions of MTTR neglected, since
MTTR << t. From this follows:

૚
‫۾‬۴۲‫ ܏ܞ܉‬ൌ ήૃ ήࢀ
૛ ۲‫ ܃‬૚

5.4.3 Ideal proof test

In Figure 7 an ideal proof test is shown, using the above derived formulas. However, this case does not
occur in practice, because there is no perfect proof test. In a real proof test the Proof Test Coverage is to
be considered.

Figure 7: Ideal proof test

23 / 34
Whitepaper
Functional Safety in practice

5.4.4 Proof Test Coverage

The effectiveness of a proof test is expressed by the "Proof Test Coverage" (PTC). This describes how
close a safety system can be brought to the "as new state". A proof test includes testing all safety
functions. In multiple channel safety instrumented systems, each channel has to be tested separately.
The Proof Test Coverage has a great influence on the test result, and consequently, the value of PFD avg
and the achievable SIL. PTC depends on the test sequence and is specified in the functional safety
manuals. If PTC decreases, the untested proportion of the SIS increases over time. This is shown in the
following figures for different values of the PTC (99% - complex test procedure, 90%, 50% - simple test
procedure) and a proof test interval of T1 = 1 year.

To calculate the average probability of failure, the approximation is used from the following formula:
ܶଵ ܶ
ܲ‫ܦܨ‬௔௩௚ ൌ ɉ஽௎ ή ൬ ൅ ൰ ή  ൅ ɉ஽௎ ή ൬ ൅ ൰ ή ሺͳ െ ሻ ൅ ɉ஽஽ ή ‫ܴܶܶܯ‬
ʹ ʹ

૚ ૚
ࡼࡲࡰࢇ࢜ࢍ ൌ ૃࡰࢁ ή ࢀ૚ ή ‫܂۾‬۱ ൅ ή ૃࡰࢁ ή ‫ ܂‬ή ሺ૚ െ ‫܂۾‬۱ሻ
૛ ૛

(T total operating time of the system, here 12 years)

Figure 8: Proof test with PTC = 99%

24 / 34
Whitepaper
Functional Safety in practice

T1

Figure 9: Proof test with PTC = 90%

T1

Figure 10: Proof test with PTC = 50%

25 / 34
Whitepaper
Functional Safety in practice

In the case of a simple proof test (PTC = 50%) it may be useful at regular intervals (e.g. every 4 years) to
introduce a more complex proof test. The result then looks as shown in Figure 11.
It is derived from the following formula for the average probability of failure with two Proof Test
Coverages and different proof test intervals.

૚ ૚ ૚
ࡼࡲࡰࢇ࢜ࢍ ൌ ή ૃࡰࢁ ή ࢀ૚ ή ‫܂۾‬۱૚ ൅ ή ૃࡰࢁ ή ࢀ૛ ή ሺ૚ െ ‫܂۾‬۱૚ ሻ ൅ ή ૃࡰࢁ ή ‫ ܂‬ή ሺ૚ െ ‫܂۾‬۱૛ ሻ
૛ ૛ ૛

T1 T2 T

Figure 11: Proof test with PTC 50% (annually) and 99% (every 4 years)

This leads to an improvement of PFDavg with reasonable overhead.

26 / 34
Whitepaper
Functional Safety in practice

5.5 Repair
Repair means a 1:1 replacement of components. It brings a device in an "as new" condition or as close
as practical to this condition (source: IEC 61508-4:2010, Section 3.8.5).
A repair of safety-related components can be carried out by qualified personnel of the end user or a
service technician of the manufacturer. Repair of defined components may be done following the
manufacturer’s repair instructions. Only original spare parts must be used.
If a device was operated in a safety-related application and a device error cannot be excluded, the
replaced component must be sent to the device manufacturer for fault analysis.
For repairs to safety-related devices the following cases and procedures can be distinguished (see
VDI/VDE 2180, Part 3, Section 2.2.3.):
1. Repair of a single-channel safety instrumented system:
• One fault leads to failure of the safety instrumented system.
• The repair must be done immediately after detection of the fault.
• During repair, the plant must be shut down or appropriate actions taken to achieve or maintain
the safe state.
2. Repair of a single fault tolerant, multichannel safety instrumented system:
• After detection of a fault the process can be operated safely, while repairing the defective part.
The designated repair time must be respected.
• Otherwise, alternative measures must be taken.

5.6 Modification
Modifications are changes desired by the end user to already delivered and installed devices.
Usually modifications on safety-related components are performed in the manufacturer’s factory.
Modifications to safety-related components at the end user's location are possible only after
approval by the manufacturer. In this case, the modifications should be performed and documented
by a qualified manufacturers’ service engineer.

5.7 Useful lifetime

How long can a device be operated as part of a safety instrumented system? The useful lifetime depends
on various factors.
During the useful lifetime, i.e. the time after early failures (burn-in) and before late failures (wear-out),
the failure rate of a device can be regarded as constant (IEC 61508-4: 2010, section 3.6.16, Note 2).
Most probabilistic assessments for failure behavior are based on this assumption.
Useful lifetime depends strongly on the device itself and its operating conditions (particularly
temperature). Experience has shown that useful lifetime is often in the range of 8 to 12 years.
However, it may be significantly less if devices are operated near their specification limits.
Longer useful lifetimes can be achieved by appropriate measures of the manufacturer and the operator
(see DIN EN 61508-2:2011, Clause [Link], Note 3, N3).
Measures taken by manufacturer:
• Appropriate equipment design (e.g. avoid aging critical components)
• Active fault behavior, i.e. errors should be detectable or devices should fail safety-related
• Device-specific maintenance guidelines

Measures taken by end user:

• Application-specific maintenance measures
• Reduction of critical application conditions (e.g. protection against environmental influences)
• Design of safety function so that equipment failures lead to a safe plant condition
• Verification by failure data recording
27 / 34
Whitepaper
Functional Safety in practice

6 Appendix

6.1 References

6.1.1 Standards
Designation Title
IEC 61508:1998 Functional safety of electrical/electronic/programmable
electronic safety-related systems, Edition 1
IEC 61508:2010 Functional safety of electrical/electronic/programmable
electronic safety-related systems, Edition 2
IEC 61511-1:2016 Functional safety – Safety instrumented systems for the
process industry sector
VDI/VDE 2180, Part 1 bis 6 Safeguarding of industrial process plants by means of process
control engineering (PCE)

6.1.2 Relevant NAMUR recommendations

The following NAMUR recommendations are of relevance to practical implementation of functional
safety. The list does not claim to be complete.

NAMUR recommendation Title

NE 073 Phases accompanying documentation of safety-related
process control equipment
NE 093 Verification of the Safety-Related Reliability of SIS based on
Field Experience
NE 106 Test Intervals of Safety Instrumented Systems
NE 126 Provisions to Safeguard Existing Standards for Process Control
System Safety Equipment
NE 130 “Prior use”-Devices for Safety Instrumented Systems and
simplified SIL Calculation
NE 142 Functional Safety of Electrotechnical Elements
NE 154 Functional Safety in Batch Processes

28 / 34
Whitepaper
Functional Safety in practice

6.1.3 Selected Internet Resources

The following table lists some information on functional safety with no claim to completeness.

Source Contents
[Link]/SIL Overview of SIL evaluated Endress+Hauser products with
certificates and Functional Safety Manual for download
[Link]/functionalsafety/ Web site of the International Electrotechnical Commission
(IEC) for functional safety
[Link]/ Functional Safety website of VDE
funktionale-sicherheit
[Link] Homepage of “61508 Association“

6.2 Calculations according to IEC 61508:2010

In the following the formulas for PFDavg and PFH for different architectures of subsystems based on IEC
61508-6:2010 are specified.

Input values:
ɉୈ஽ Detected dangerous failure rate
ɉୈ୙ Undetected dangerous failure rate
MRT Mean repair time (hour)
MTTR Mean time to restoration (hour)
ଵ Proof test interval (hour)
ଶ Interval between demands (hour)
Ⱦ The fraction of undetected failures that have a common cause. A method for
determining β is specified in IEC 61508-6 Annex D. In practice, the value of β is
usually in the range 5% to 10%.
ߚୈ The fraction of detected failures that have a common cause.
PTC Proof Test Coverage

29 / 34
Whitepaper
Functional Safety in practice

Terms:

Meaning of terms:

tCE Channel equivalent mean down time (hour) for 1oo1, 1oo2, 2oo2 and 2oo3
architectures
tGE Voted group equivalent mean down time (hour) for 1oo2 and 2oo3 architectures
tG2E Voted group equivalent mean down time (hour) for 1oo3 architecture
CCF Common Cause Factor

Calculation formulas for PFDavg:

30 / 34
Whitepaper
Functional Safety in practice

Calculation formulas for PFH:

6.3 Overview calculation tools

The following table lists some software tools for calculation of safety instrumented functions. These
tools are liable to costs. The tool manufacturer is liable for the correctness of calculations carried out.

Tool name Provider

exSILentia / SILver [Link]
([Link]/exSILentia/)
SILCaS ProSolTech (Distributor)
([Link]/) ([Link]/)
SILence HIMA
([Link]/Produkte/silence/[Link])
TRAC ABB Engineering Services
([Link]/trac/)

31 / 34
Whitepaper
Functional Safety in practice

7 Glossary

Term Explanation

Device type A Devices where the failure rates and failure modes of all
components are clearly known in all cases.
Device type B Devices where the device behavior in case of error is not fully
determinable (e.g. programmable or configurable devices).
Failure rate λ Probability of failure of a component (e.g. resistor, μC). The
-9
failure rate unit is FIT (Failure In Time, 1 FIT = 10 / h).
FMEDA (Failure Modes, Effects Analytical method for electronic circuits and mechanics for
and Diagnostic Analysis) the quantitative determination of failure modes and failure
rates.
Failure rates:
• λSD: Total failure rate for safe detected failures
• λSU: Total failure rate for safe undetected failures
• λDD: Total failure rate for dangerous detected failures
• λDU: Total failure rate for dangerous undetected failures
Functional Safety Part of the overall system safety which depends on the
correct functioning of safety-related systems to reduce risk.
Functional safety is achieved when each safety function is
performed as specified.
Hardware Fault Tolerance A hardware fault tolerance of N means that N+1 is the
(HFT) minimum number of faults that could cause a loss of the
safety function.
Hardware Safety Integrity Part of the safety integrity of a safety-related system relating
to random hardware failures in a dangerous mode of failure.
High demand mode Mode of operation where the safety function is frequently
performed on demand, in order to transfer an equipment
under control into a specified safe state, and where the
frequency of demands is greater than once a year.
Low demand mode Mode of operation where the safety function is only
performed on demand, in order to transfer an equipment
under control into a specified safe state, and where the
frequency of demands is no greater than once a year.
Measurement error of a stand- Specified device accuracy without consideration of safety
ard device concerns.
MTBF Mean Time Between Failures
MTTR Mean Time To Repair
PFDavg Average probability of dangerous failure of a safety function
at low demand mode of operation.
PFH (probability of failure per Failure probability of a safety function at high or continuous
hour) mode of operation.

32 / 34
Whitepaper
Functional Safety in practice

Term Explanation

Proof test interval (T1) Time interval between periodic tests performed to detect
dangerous hidden failures in a safety-related system.
Random failure Error with not reproducible cause. Its occurrence is not
predictable.
Redundancy Using multiple elements or systems to perform the same
function. Redundancy can be implemented by identical
elements (homogeneous redundancy) or with different
elements (diverse redundancy).
Residual risk Remaining risk despite protective measures.
Risk Combination of the probability of occurrence of harm and the
severity of that harm.
Safe Failure Fraction (SFF) Ratio of the average failure rates of safe plus dangerous
detected failures and safe plus dangerous failures.
Safe state Status of a system when safety is achieved.
Safety function Function which is intended to achieve or maintain a safe state
for the process, with respect to a specific hazardous event.
Safety Instrumented System Instrumented system used to implement one or more safety
(SIS) (instrumented) functions.
Safety Integrity Level (SIL) Four discrete levels (SIL 1 to SIL 4). The higher the SIL of a
safety-related system, the lower the probability that the
system does not perform the required safety function.
Safety Life Cycle Description of all necessary activities in the implementation
of safety-related systems from the concept phase to the
decommissioning.
Safety measuring error Changed measurement accuracy for safety-related functions
compared to the specification for standard operating accuracy.
Safety-related system System which performs safety functions in order to reach or
maintain a safe state for equipment under control.
Software Safety Integrity Part of the safety integrity of a safety-related system relating
to systematic failures in a dangerous mode of software related
failures
Systematic fault Error with generally identifiable and reproducible cause.
Systematic Safety Integrity Part of the safety integrity of a safety-related system relating
to random hardware failures in a dangerous mode of failure.
Useful lifetime Time between early failures (burn-in) and before late failures
(wear-out) where the failure rates of components can be
considered constant.

33 / 34
Whitepaper
Functional Safety in practice

Term Explanation

Voting MooN Typical channel architectures:

• 1oo1: Single-channel system. A failure of the device
leads to loss of the safety function.
• 1oo2: Dual-channel system. A failure of both devices
leads to loss of the safety function.
• 2oo2: Dual-channel system. A failure of one devices
leads to loss of the safety function.
• 2oo3: Three-channel system. A failure of two devices
leads to loss of the safety function.

34 / 34
Contact
WP01032F/00/EN/01.16

Endress+Hauser GmbH+Co. KG
Hauptstraße 1
79689 Maulburg
Germany

Tel +49 7622 28 0

Fax +49 7622 28 1438
info@[Link]
[Link]