ファクトリーオートメーション(FA)
プロセスオートメーション(PA)

2. Implementing the Risk Reduction

The impending risk is normally reduced by installing other PLT circuits that serve as a safety function alongside PLT equipment required for operational reasons, i.e. the circuits are only called into action in the event of a malfunction in operational equipment. The kind of equipment used exclusively for risk reduction is referred to as protective equipment or Z functions.

The degree of risk reduction attained through the use of protective equipment depends on the equipment functioning correctly. If a failure was impossible, complete elimination of the relevant risk could be achieved. The residual risk would then be zero. Because this is unrealistic in practice, a finite degree of risk reduction can only be achieved with de facto protective equipment. Although a residual risk always remains, it is so small that it can be tolerated. The aim of the design process is to implement the protective equipment so that the degree of risk reduction achieved corresponds as closely as possible to the required SIL.

An insufficient risk reduction (the SIL of the protective equipment is lower than the required SIL) would result in an intolerable residual risk. While an excessive risk reduction (the SIL of the protective equipment is greater than the required SIL) would result in an unnecessarily high workload that would not be justifiable.

Information on how protective equipment must be designed in order to attain a specific degree of risk reduction (i.e. a specific SIL) can be found in EN 61511 and VDI/VDE 2180. It is vitally important to ask why protective equipment fails because design requirements for the protective equipment can be derived from the relevant answers. Closer investigation reveals that in principle there are two different fault types that can cause protective equipment to fail:

  • Systematic fault
  • Random fault


Systematic and random failures

While a specific degree of probability can be expected for the occurrence of a random fault, this does not apply to a systematic fault.

But unlike random faults, systematic faults can be prevented altogether, in principle. However, experience shows that this is only partly true (especially when it comes to software). This knowledge leads to the following requirements relating to protective equipment design:

  • Preventing failures by introducing a special quality management system (keywords: “Functional Safety Management System” or “FSM system” for short)
  • Avoiding failures through redundancy and/or fail-safe behavior and fault detection (keywords: Hardware fault tolerance, sum of safe faults, diagnostic coverage)
  • Making calculations to quantify the probability of failure based on random faults (keywords: PFD/PFH calculation)

The practical implementation of the three points mentioned above determines the extent of the risk reduction for protective equipment. Generally speaking, the workload involved in planning, implementing, and operating protective equipment depends on which SIL the equipment must reach. Standards EN 61508, EN 61511 and VDI/VDE 2180 describe the exact correlation between the protective equipment design and the SIL that can be achieved.

When protective equipment is designed, fault prevention, fault control, and the probability of failure must all be considered appropriately in order to achieve a specific degree of risk reduction. Taking into account the probability of failure alone is not sufficient to fulfill a SIL requirement. In reality, protective equipment can only reach a specific SIL when both the structure (redundancy, diagnostics, fail-safe design) and the probability of failure (PFD/PFH) meet the requirements stipulated in the standard for the relevant SIL. Furthermore, a FSM system must be used for the implementation. Only then can it be assumed that systematic faults will be prevented to the necessary extent.


Functional Safety Hub from Pepperl+Fuchs

数百の製品、SIL/PL評価、無料ツール、パンフレットを1か所にまとめた:「機能安全ハブサイト」は、機能安全を構築するための出発点です。