Selecting Sensors for Safety Instrumented

Systems per IEC 61511 (ISA 84.00.01 2004)

Timothy J. Layer
Director
Global Quality, Reliability & Safety
Emerson Process Management Rosemount Division
Chanhassen, MN 55317 USA

Key Words:

Safety, Sensors, Designed per IEC 61508, Prior-Use, Lifecycle Costs (CaPEX,
OpEX, MAINTEX)

Abstract:

The international standard for safety instrumented systems for the process
control sector IEC 61511 was published in 2003 and details the lifecycle
requirements for Safety Instrumented Systems (SIS). The ISA Standard 84.01-
1996 will migrate to the IEC 61511 standard under the name ISA 84.00.01
2004. New technologies are now available that will allow designers to select
sensors that meet safety requirements in compliance with these new standards
while reducing overall lifecycle costs. This paper will outline a Best Practice
approach to the selection of sensors for SIS applications that meet the
requirements of IEC 61511 / ISA 84.00.01-2004 while minimizing lifecycle costs.

Introduction:

This paper will discuss a best practice approach to the selection of sensors for
SIS applications that meet IEC 61511 (ISA 84.00.01-2004) requirements while
minimizing life cycle costs. Lifecycle costs include Capital Expenditures
(CaPEX), Operating Expenditures (OpEX), and Maintenance Expenditures
(MAINTEX). New safety certified instrument technologies have been
developed for SIS applications that in many cases will ensure adequate safety
but add significant capital, operating and/or maintenance expenditures. Second,
in many cases safety engineers inadvertently over-design the SIS architecture
that increases capital costs. Third, many companies will use sensors specified
for basic process control on SIS that will require costly proven-in-use
documentation programs increasing maintenance costs. A best practice
approach is to select sensors that meet the safety requirements without the need
for prior-use programs while delivering reliable field performance resulting in
decreased lifecycle costs.
Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
New International Standards add value for process sector
operating plants

In 2003, a new SIS standard was published under the title IEC 61511. This
standard was developed by end-users representing an international consortium
from over 20 countries including the United States. The purpose of this standard
was to develop a single set of requirements that would address the entire SIS
lifecycle (identification, design, installation, operating & maintenance and
decommissioning) specific for the process sector while meeting the requirements
of the global process industry. The standard is organized into three parts:

IEC 61511-1 Requirements
IEC 61511-2 Informative guidance on meeting the requirements
IEC 61511-3 Informative examples of different methodologies to assist in
the determination of the Safety Integrated Levels

This standard offers significant value to operators and integrators in the process
industry. Since most global standard committees and/or authorities are expected
to adopt this standard for their specific countries, companies can now develop
standardized processes for safety instrumented systems that will meet most all
global requirements. Second, the standard follows the life-cycle approach that
assists users in ensuring SIS are designed to meet the operating plants safety
instrumented function (SIF) requirements and complete the intended safety
function from conception through decommissioning.

IEC 61511 was developed under the framework of IEC 61508. While IEC 61508
was developed for any industry sector, and also address the requirements for
manufacturers of safety components used on SIS. IEC 61511 was developed
specifically for the process sector and outlines the requirements for end-users
and integrators only.















IEC61513
Nuclear
Sector
IEC61511
Process
Sector
IEC62061
Machinery
Sector
Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
IEC 61511 lists the requirements for end-users and integrators. This standard
requires manufacturers and suppliers of equipment used in SIS applications to
follow the requirements outlined in IEC 61508 Section 2 (Hardware/System) and
Section 3 (Software). This is a very important distinction. IEC 61511 states;

IEC 61511-1, Scope (b): (This Standard) applies when equipment meets the
requirements of IEC 61508, or of Section 11.5 of IEC 61511 (Prior-Use or Proven
in Use) is integrated into an overall system that is to be used for process sector
applications but does not apply to manufacturers wishing to claim that
devices are suitable for use in SIS for the process sector.

IEC 61511-1, Scope (d): (This Standard) applies when application software is
developed . but does not apply to manufacturers, SIS designers,
integrators, and users that develop embedded software.

IEC 61511 clearly states that manufacturers of equipment used on SIS must
follow the requirements of IEC 61508 Section 2 and 3 unless the end-user has
met the requirements of Section 11.5 Prior-Use. Note, manufacturers cannot
make a claim to meet Prior-Use per this standard, this is the responsibility of
the end-user. Manufacturers would need to follow the Prior-Use requirements
of IEC 61508.

Figure 1















Requirements for Sensors used in Safety Instrumented Systems

IEC 61511 documents specific requirements for sensors used in SIS. In
summary, there are two options end-users have for the selection of Sensors
and Final Control Elements for SIS:

Select devices designed per the requirements of IEC 61508 Section 2 and 3
Select devices based upon Prior-Use (also referred to as Proven-in-Use)
IEC 61511
Process Sector
Safety Instrumented
Systems
Manufacturers &
Suppliers of Devices
IEC61508
Sections 2&3
Safety Instrumented
Systems Designers,
Integrators & Users
IEC61511
Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
These requirements apply regardless of the sensor technology preferred. The
standard recognizes the advantages to increased safety by requiring the use of
Safety Designed Instruments and IEC 61508 Section 2 (Hardware) and Section
3 (Software) is an excellent standard to apply. The standard also recognized
potential issues with using Safety Designed Instruments including;

Lack of manufacturers offering devices designed per IEC 61508
Lack of known reliability of new designs leading to the potential increase
spurious trip rates
Operating plants may have many years experience using existing
instrumentation in SIS

To address these issues, the standard allows end-users a second option. The
option is to establish Prior-Use (also referred to as Proven-in-Use).

Figure 2















Sensors Selected Designed per IEC 61508 Sections 2 and 3

Sensors that are designed per IEC 61508 define a field instrument design that
meets the hardware, system and software requirements detailed in IEC 61508
Sections 2 and 3. The standard uses the Safety Integrated Level (SIL) table and
applies it to the instrument system design as a measure of the device safety
level. The typical approach manufacturers use to comply with IEC 61508 is as
follows:

Develops safety requirements and safety requirements specification
Design instrument architecture and hardware per the rules of Section 2
Design, verify, validate and control software and systems per the rules of
Section 3 to the desired SIL level (level of device safety)
Complete fault insertion testing to verify diagnostics
Implements design control processes for management of change
Requirements for the
Selection of
Sensors
per IEC 61511
Select Sensors based on
Prior Use
IEC 61511
Section 11.5
Select Sensors based on
Designed per IEC 61508
IEC 61508
Sections 2 and 3
Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
Implements manufacturing controls to ensure safety of device is not degraded
Completes a Failure Mode Effect Diagnostic Analysis (FMEDA) to determine
the failure rates, safe failure fraction (SFF) and probability of failure on
demand (PFD)
Detail the device proof-test requirement for the specified PFD
Contracts with a Notified Body for a third party review of the design
requirements, hardware, software, system and design controls
Notified Body issues a third party certification and report
Manufacturer supplies a Safety Manual documenting for the end-user
proper use of the product in SIS.

Notified Bodies include TUVit-Augsburg, Germany; TUV Automotive-Munich
Germany, Factory Mutual, USA; and many others. In certain cases,
manufacturers will use industry experts to assist in meeting the requirements.
These experts, such as EXIDA or Risknowledgy, are not notified bodies but have
expertise in meeting IEC 61508 requirements and will complete specific activities
such as completing FMEDA and developing the safety requirements. There is
significant value to end-users in specifying designed per IEC 61508 sensors for
SIS.

Allows simple compliance to IEC 61511, supplier is responsible for
documenting the safety level of the device
Assurance that the failure rate data and PFD values are valid and correct
Assurance that the instrument design meets good engineering practice for
SIS applications defined in international standard IEC 61508 (especially
important for minimizing systemic software failures)
Assurance that the manufacturer has processes for management of change
over the product life-cycle
A Safety Manual and Certification Reports are available for proper
implementation into an SIS

Although Design per IEC 61508 add value for SIS designers, extreme caution
must be used before specifying these sensors. Specific issues important to
selecting sensors include:

Safety review and certification does not mean a Reliability review was
completed safe does not mean reliable. Therefore a thorough review of
the failure rates should be completed to ensure the potential for spurious trips
is reduced
Designs per IEC 61508 are reviewed as white paper analysis with no
requirements for operating experience. Using untested, unproven devices in
SIS application carries very high risk. Users should gain experience with the
devices before installing on SIS applications
Failure rate data supplied by manufacturers DOES NOT INCLUDE the failure
rates of the process interface. This is very important when selecting sensors.
A high Safe Failure Fraction (means a low % of potential dangerous failures
Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
from the sensor) will not include dangerous failures such as line plugging,
line freezing, slugs in lines, or gas permeation
Read the certification statements and the safety manual carefully many
designs require significant proof testing or have severe limitations on their
use for the safety certification to be valid

Sensors Selected Based Upon Prior-Use

The international committees that developed IEC 61508 and IEC 61511
recognized that users could develop other criteria for certifying SIS loop
components. Therefore, a Prior-Use (also referred to as Proven-in-Use) clause
was included. The Prior-Use clause allows users a methodology to accept
Sensors and Control Elements that were not designed per IEC 61508 Section 2
and 3 for SIS applications.

The Prior-Use clause of IEC 61511 states the following:
IEC 61511-1, Section 11.5.3.1: Appropriate evidence shall be available that
the components and sub-systems are suitable for use in the safety instrumented
system.

The appropriate evidence for Sensors must be a documented case that
includes (Reference IEC 61511-1, Section 11.5.3.2):

Consideration of the manufacturers quality, management and
configuration management systems
Adequate identification and specification of the components or sub-
systems
Demonstration of the performance of the components or sub-systems in
similar operating profiles and physical environments;

To meet these requirements, the standard allows users to document
operating experience from Basic Process Control applications as well as
SIS applications. However, the standard does require that the operating
experience be the same conditions as the planned use in SIS and that the
data collected have statistical significance. In addition, only the end-user
can establish prior-use per IEC 61511 suppliers cannot make this claim.

Establishing Prior-Use for sensors has many advantages for the end-user.
First, this ensures that the Sensors selected have a known reliability. This will
reduce the potential for spurious trips and the cost for failed sensor
replacements. Second, the selected sensors are already well understood by the
designers and maintenance technicians. Installation practices for SIS
applications can be the same as those for Basic Process Control applications, no
training is required for maintenance personnel and spare part inventory can be
Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
leveraged. Third, the failure history of the sensors typically will also include
failures of the process interface. This is why IEC 61511 only allows the End-
User to establish prior-use, not manufacturers or suppliers.

Although Prior-Use offers some advantages for end users, there are many
hidden costs and risks.

End user must maintain documentation on sensor operating hours,
environments and failure rates (MAINTEX)
Increased risk of systemic failures due to software since manufacturer
software development will likely not meet IEC 61508 Section 3 levels of
quality (OpEX)
Management of change affect on Prior-Use. Manufacturers continue to
make changes on Sensors due to part obsolescence, added features or
cost reductions. These changes impact the Prior-use documentation and
may need to start the clock over in terms of operating experience
(CaPEX, MAINTEX)

In summary, IEC 61511 allows end-users to select Sensors for SIS based on
Designed per IEC 61508 or Prior-Use. There are advantages and
disadvantages to either approach. Either approach alone will meet the safety
requirements but in each case lifecycle costs can be negatively affected. The
Best Practice approach is one that combines both Designed per IEC 61508
with the elements of Prior-Use.

Best Practice Approach to the Selection of Sensors for SIS

The best practice approach for the selection of sensors for SIS is to select
sensors designed per IEC 61508 Section 2 and 3 AND require the same sensor
and reliability as specified and used in Basic Process Control.

This approach adds significant value for end-users:

Ensures compliance with IEC 61511 with all required documentation
supplied by manufacturer
Minimizes the potential systemic software failures since the software will
be designed and certified to IEC 61508 Section 3 requirements
Minimizes the potential for spurious trips since the reliability will be similar
to the devices used in BPCS
Safety is enhanced and costs reduced by Leveraging all training of
personnel (Design and Maintenance)
Costs are reduced by leverage inventory costs for spare/replacements
Allows use of standardized installation practices for both Basic Process
Control and SIS installations improving safety and costs

Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
In terms of lifecycle costs, here are the end user benefits for implementing this
practice:

CaPEX Savings:

IEC 61511-1 has specific requirements for SIS for minimum fault tolerance
based upon the SIS Safety Integrated Level (SIL). Fault Tolerance is
defined as the ability of a functional unit to continue to perform a required
safety function in the presence of a fault. Designers typically meet this
fault tolerance requirement through the use of redundant sensors inputting
into a logic solver combined with voting logic. The standard sets a
minimum fault tolerance and then allows the designer to adjust the final
fault tolerance based upon the sensors selected and the process
conditions.

Table 1 represents the minimum required fault tolerance based upon the SIS SIL
referenced in IEC 61511. IEC 61511 requires a minimum fault tolerance but
allows the user to reduce the fault tolerance by 1 if;

Sensor was justified under Prior-Use
Senor was designed per IEC 61508 Section 2/3 (by using the fault
tolerance tables of IEC 61508 Section 2)
And - If SMART sensors are used, sensor must allow device parameter
changes only (no changes to firmware) and have write protection (either
via hardware or software)

The standard next requires the designer to review any process interface affects
that could lead to a dangerous failure condition. For sensors, these would
include line plugging, freezing, gas permeation, etc. If any dangerous failure
potentials exist, the fault tolerance must again be increased by 1. Table 1
summarizes the fault tolerance decision tree. Adjustment 1 refers to the
reduction in fault tolerance allowed by using sensors based on Prior-Use of IEC
61508 certified. Adjustment 2 refers to the increase in fault tolerance required if
any dangerous failure modes exist in the process interface.

Table 1
SIL Fault
Tolerance
Adjustment
1
Adjustment
2
1 0 0 1
2 1 0 1
3 2 1 2
4 3 2 3

Adjustment 1 reduce FT by 1 if End-user has Prior-Use or supplier has designed per IEC 61508
Adjustment 2 increase the FT by 1 if dangerous failure modes are possible in the process
interface (e.g. process line plugging)

Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
By using IEC 61508 devices with proven use, the user can take advantage of
decreased fault tolerance if no dangerous failures exist in the process interface.
The result is CaPEX savings for the user since one less sensor is required to
meet the fault tolerance.

Minimum Fault Tolerance for SIL 3 IEC 61508/Prior Use for SIL 3
(Use three sensors) (Reduce to two sensors)









OpEX Savings:

Using IEC 61508 designed sensor platforms with proven use on the basic
process control delivers OpEX savings in two ways. First, these sensors will
have proven reliability that can lower potential spurious trip rates that will improve
plant availability. Second, by requiring IEC 61508 designed devices the end-user
is not required to establish a Prior-Use program saving significant overhead
costs. Poor reliable sensors used in SIS can negatively impact plant availability.
Spurious trips are typically caused by faulty signals received from the sensor.
Many designers will attempt to reduce the spurious trip rate by increasing
redundancy. However, this approach will increase CaPEX. The best approach
is to maintain minimum redundancy with reduction in potential spurious trip rates.
This can best be achieved by using the same reliable sensor platforms on Basic
Process Control and SIS.

MAINTEX Savings:

There are numerous MAINTEX savings users can take advantage of by requiring
the same sensor platforms for both Basic Process Control and SIS when the
platform can be design per IEC 61508.

Elimination of Prior-Use Operating Experience Tracking and
Documentation:

Prior-Use requires the user to document the operating experience of the SIS
sensors through the entire sensor lifecycle. This can be very expensive and time
consuming. By using sensors designed per IEC 61508, none of this work is
required. The largest risk for the end-user when using Prior-Use sensors is the
management of change. Manufacturers continually change product designs in
response to part obsolescence, design enhancements or cost reductions. These
Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
changes will impact the Prior-Use data and in many cases will require the user
to start the clock over in documenting operating experience. IEC 61508
designs require maintenance throughout the product lifecycle and thus
manufacturers are responsible for the documentation and certifications.

Reduced Proof Tests:

Users are required to determine and document SIS loop proof tests. As part of
these tests, the loop components also must be verified. For sensors, this is
typically completed by a field calibration once every 12 months. New SMART
transmitters typically extend required calibration intervals to up to 10 years. By
leveraging the same devices, sensor proof test intervals can be extended saving
field calibration costs.

Leverage Inventory and Technician Training Costs:

Using the same platform for basic process control and SIS allows the users to
take advantage of the inventory already on hand. If a new sensor is specified for
SIS, the user must carry the inventory costs of the new sensors as well as the
basic process control sensor. Using the same sensor platforms not only saves
costs for the design and maintenance team training but also increases safety by
reducing the likelihood of systematic failures caused by technician errors


Other Considerations for Selecting Sensors for SIS

There are other considerations a designer of SIS should review when making a
selection of a specific Sensor type and manufacturer. There are other papers
written on this topic so it will be covered in only a high level. (See Reference 4).
The main considerations when selecting Sensors for any process application but
of special importance in SIS:

Use of Process Industry Grade SMART Transmitters over Other
Technologies

Process sector grade Pressure and Temperature Transmitters are the best
sensor type for SIS applications. These devices are designed for high reliability
in process grade applications and environments, have good installed
performance and response times, and have a short Mean-Time-to-Restoration
(MTTR). SMART transmitters also deliver a continuous electronic signal and
therefore can be detected by SIS logic solvers if no signal is received or if
internal transmitter alarms are initiated.
Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
Common Cause Design Strength:

When selecting a supplier for SIS sensors the designer should consider common
cause design strength. Similar to reliability, common cause design strength
requires the supplier to design a sensor that will deliver a high quality and
accurate signal for the sensors entire installed life. Some designs are simply
better than others. Selecting a device that meets the requirements based upon a
white paper analysis or from testing in laboratory conditions does not ensure
high performance in field conditions.

Installed Performance and Response Time

All sensors will be supplied with manufacturers claim of performance and
response time to initiate a signal. These are important specifications for the SIS
designer. Many sensors may have performance impacts in harsh environments
that impact the devices ability to initiate a safe signal. The response time of the
sensor must also be known such that the SIS designer can ensure the entire SIS
can complete the safety function in the allotted safety time.

Installation Practices:

Proper design and installation of the sensor is critical to ensure safety. For
example, process related affects on the sensor, such as process line plugging,
corrosion or gas permeation, can all lead to a dangerous failure condition of the
sensor. Proper installation practices can reduce or eliminate these systematic
affects.

Summary and Conclusions:

New international standards for SIS are now available. These standards require
users to select sensors either based on Designed per IEC 61508 or based upon
Prior-Use. Although either method will meet the safety requirements, both can
lead to increased lifecycle costs. A Best Practice approach is to use a
combination of these options. Specify SIS sensors that meet IEC 61508 Section
2 and 3 while requiring proven reliability. To ensure your SIS sensor supplier can
meet this practice, the following lists the requirements users should impose on
your suppliers:

Specify IEC 61508 certification with evidence of reliability either through
demonstrated testing or field experience
Require third party certification of IEC 61508 compliance
Supplier should impose no additional installation, commissioning, or
testing requirements for using the sensor on SIS than required for basic
process control
Supply Failure Rate, PFD with required proof test intervals and spurious
trip rate derived from a Failure Modes Effect Diagnostic Analysis (FMEDA)
Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org
Supply reliability test data and operating performance data
Ensure management of change practices are in place such that any
changes to the sensor will not affect the IEC 61508 design through the
sensor lifetime

Suppliers meeting these requirements will allow you to implement the Best
Practice for selecting sensors for SIS. A practice that ensures the safety
requirements are met while minimizing lifecycle costs.

References:

1. IEC 61511 (2003) Functional safety: Safety Instrumented Systems for
the process industry sector Part 1
2. dISA 84.00.01 (2004) Functional safety: Safety Instrumented Systems
for the process industry sector Part 1(USA version of IEC 61511)
3. IEC 61508 (1997-2000) Functional safety of electrical/electronic/
programmable electronic safety-related systems
4. Measurement Best Practices for Safety Instrumented Systems, May
2003, Menezes and Brown
5. Guidelines for Safe Automation of Chemical Processes, published by
the Center for Chemical Process Safety of the AICHE


Copyright 2004 by ISA The Instrumentation, Systems and Automation Society.
Presented at ISA AUTOMATION WEST; www.isa.org