November 2017
SIL Safety Manual
SM-025-GVO Rev. 0
Section 11: Architectural Constraints
For the evaluation of conformity to the hardware safety integrity architectural constraints
of IEC 61508, both Route 1H and Route 2H are used.
Route 1H
• The device has a single channel configuration, HFT = 0.
• According to the IEC 61508 definitions (in particular definitions 3.6.8 and 3.6.13
of IEC 61508-4), no Safe Failures are possible in a Single Acting actuator: each
failure mode of the actuator itself shall be classified as “Dangerous” or “No Effect”
(failures which can generate the spurious operation of the safety function are only
external to the actuator itself, or are related to components that “plays no part in
implementing the safety function”, e.g. components of the pneumatic cylinder,
and so, according to definition 3.6.13 of IEC 61508-4, they cannot be used for the
calculation of the SFF): hence λ_S = 0 for each type of Single Acting actuator.
For this reason, according to definition 3.6.15 of IEC 61508-4, we have:
• SFF = 0 without external diagnostic tests;
• SFF > 0 with external diagnostic tests, carried out according to definition 3.8.7 of
IEC 61508-4 and according to what is written in Paragraph 8 above (see the same
paragraph for the SFF / DC reachable).
* The diagnostic test shall be performed considerably more often (at least 10 times) than
the demand of the safety function.
Route 2H
The application of Route 2H (“proven in use” approach) is evaluated according to paragraphs
7.4.10.1 to 7.4.10.7 of IEC 61508-2. Evidence was identified for each specific point.
As the device is classified as “Type A”, no SFF requirements are given for Route 2H.
In conclusion:
The device can be used in single channel configuration up to:
• SIL 2 without external diagnostic tests
• SIL 3 considering external diagnostic tests
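The reasoning above, as an added worked example that is not part of this manual: with λ_S = 0 the SFF of definition 3.6.15 collapses to the diagnostic coverage of the external test, the test must run at least 10 times more often than demands to count, and the two routes are then combined. The Route 1H thresholds (IEC 61508-2 Table 2, Type A, HFT = 0) and the Route 2H allowance of HFT = 0 up to SIL 2 in low demand mode (IEC 61508-2, 7.4.4.3.1) are taken from the standard; the failure rates and intervals are constructed values, not data from this manual or from Paragraph 8.

```python
"""SFF and SIL-capability check for a single-acting, Type A, HFT = 0 actuator."""

# Route 1H, IEC 61508-2 Table 2, Type A, HFT = 0: (minimum SFF, maximum SIL).
ROUTE_1H_TYPE_A_HFT0 = [(0.99, 3), (0.90, 3), (0.60, 2), (0.0, 1)]

# Route 2H (proven in use): no SFF requirement for Type A; IEC 61508-2
# 7.4.4.3.1 allows HFT = 0 up to SIL 2 in low demand mode.
ROUTE_2H_HFT0_LOW_DEMAND_MAX_SIL = 2


def sff(lambda_s: float, lambda_dd: float, lambda_du: float) -> float:
    """Safe failure fraction per IEC 61508-4 definition 3.6.15."""
    total = lambda_s + lambda_dd + lambda_du
    return (lambda_s + lambda_dd) / total if total else 0.0


def sff_single_acting(lambda_d: float, dc: float) -> float:
    """Single-acting actuator: λ_S = 0, so the SFF reduces to the diagnostic
    coverage dc of the external test (λ_DD = dc * λ_D, λ_DU = λ_D - λ_DD)."""
    lambda_dd = dc * lambda_d
    return sff(0.0, lambda_dd, lambda_d - lambda_dd)


def diagnostic_rate_ok(test_interval_h: float, demand_interval_h: float) -> bool:
    """The diagnostic test must run at least 10 times more often than demands."""
    return test_interval_h > 0 and demand_interval_h / test_interval_h >= 10.0


def route_1h_max_sil(sff_value: float) -> int:
    """Look up the Route 1H limit for Type A, HFT = 0."""
    for min_sff, sil in ROUTE_1H_TYPE_A_HFT0:
        if sff_value >= min_sff:
            return sil
    return 0


def max_sil(lambda_d: float, dc: float, test_interval_h: float,
            demand_interval_h: float) -> int:
    """Highest SIL claimable via either route. Diagnostic coverage is credited
    only when the test frequency satisfies the 10x rule; otherwise SFF = 0."""
    effective_dc = dc if diagnostic_rate_ok(test_interval_h, demand_interval_h) else 0.0
    r1h = route_1h_max_sil(sff_single_acting(lambda_d, effective_dc))
    return max(r1h, ROUTE_2H_HFT0_LOW_DEMAND_MAX_SIL)


if __name__ == "__main__":
    # Constructed values: λ_D = 1e-6 /h, yearly demand, daily external test, DC = 90 %.
    print("no diagnostics  -> SIL", max_sil(1e-6, 0.0, 8760.0, 87600.0))
    print("daily test, 90% -> SIL", max_sil(1e-6, 0.9, 24.0, 8760.0))
```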