What is SIL and why do we need it?

SIL stands for "Safety Integrity Level". It is a system that indicates the severity of the risks of product failure as well as the complexity of the actions taken to mitigate those risks. SIL has four levels, of which level four is the highest. EKTOS found that SIL 2 was the relevant rating in the case of the Geopal gas detector, based both on customer requirements and on the FMEDA method, "Failure Modes, Effects and Diagnostics Analysis". FMEDA is a method for analyzing the different failure modes and the diagnostic capability of a device. Combining FMEDA with the analysis of potential hazards and damage allowed for a precise assessment of the relevant SIL level. The simple approach to assessing the relevant SIL level for your product is to use the mind-map below (SIL 4 is rarely used). Besides the well-known SIL (Safety Integrity Level), there are two more functional safety metrics to assess: RRF (Risk Reduction Factor) and PFDavg (Average Probability of Failure on Demand). They are described in the international functional safety standards IEC 61508/61511, which provide measures and a framework for safety lifecycle activities with the purpose of reducing the risk to humans to a tolerable level when safety functions fail. The terms mentioned above are the result of an assessment process that requires an overarching product and process approach to arrive at the required metrics and measures, as shown below. This approach normally results in an assessment table, like the one shown below, from which the SIL level can be determined:
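The three metrics named above are linked by simple relations: RRF is the reciprocal of PFDavg, and for low-demand safety functions IEC 61508-1 assigns the SIL from bands of PFDavg. The following C program is an added example, not EKTOS' or Geopal's code: it takes an FMEDA-style dangerous-undetected failure rate (λDU) and a proof-test interval, computes PFDavg with the textbook simplified formulas for a 1oo1 and a 1oo2 architecture, then derives RRF and the SIL band. The failure rate, proof-test interval and β-factor are constructed inputs; the band thresholds are the low-demand-mode values from IEC 61508-1, and the formulas neglect repair time.

```c
#include <stdio.h>

/* Low-demand SIL bands (IEC 61508-1): a safety function achieves
 *   SIL 1 when 1e-2 <= PFDavg < 1e-1
 *   SIL 2 when 1e-3 <= PFDavg < 1e-2
 *   SIL 3 when 1e-4 <= PFDavg < 1e-3
 *   SIL 4 when 1e-5 <= PFDavg < 1e-4
 * Returns 0 when PFDavg lies outside every band (no SIL claim possible). */
int sil_from_pfd_avg(double pfd_avg) {
    if (pfd_avg < 1e-5 || pfd_avg >= 1e-1) return 0;
    if (pfd_avg < 1e-4) return 4;
    if (pfd_avg < 1e-3) return 3;
    if (pfd_avg < 1e-2) return 2;
    return 1;
}

/* Risk Reduction Factor is the reciprocal of PFDavg. */
double rrf_from_pfd_avg(double pfd_avg) {
    return 1.0 / pfd_avg;
}

/* Simplified 1oo1 PFDavg: an element that fails dangerously and undetected
 * stays failed for, on average, half the proof-test interval.
 * lambda_du is in failures per hour, proof_test_hours in hours. */
double pfd_avg_1oo1(double lambda_du, double proof_test_hours) {
    return lambda_du * proof_test_hours / 2.0;
}

/* Simplified 1oo2 PFDavg with a beta-factor common-cause term:
 *   ((1-beta)*lambda_du*T)^2 / 3  +  beta*lambda_du*T / 2
 * The first term is the chance that both independent channels fail before
 * the proof test; the second is the shared (common-cause) fraction, which
 * behaves like a single 1oo1 element. */
double pfd_avg_1oo2(double lambda_du, double proof_test_hours, double beta) {
    double x_ind = (1.0 - beta) * lambda_du * proof_test_hours;
    double x_ccf = beta * lambda_du * proof_test_hours;
    return x_ind * x_ind / 3.0 + x_ccf / 2.0;
}

static void report(const char *arch, double pfd) {
    printf("%-5s PFDavg = %.3e  RRF = %8.1f  -> SIL %d\n",
           arch, pfd, rrf_from_pfd_avg(pfd), sil_from_pfd_avg(pfd));
}

int main(void) {
    /* Constructed inputs for illustration, not Geopal FMEDA results:
     * lambda_du = 5e-7 /h (500 FIT dangerous undetected),
     * annual proof test, 5 % common-cause beta factor. */
    const double lambda_du = 5e-7;
    const double proof_test_hours = 8760.0;
    const double beta = 0.05;

    report("1oo1", pfd_avg_1oo1(lambda_du, proof_test_hours));
    report("1oo2", pfd_avg_1oo2(lambda_du, proof_test_hours, beta));
    return 0;
}
```

With these constructed inputs the single-channel element lands in the SIL 2 band (PFDavg about 2.2e-3, RRF about 457) while the 1oo2 arrangement reaches the SIL 3 band (PFDavg about 1.2e-4); the common-cause term dominates the 1oo2 result, which is why β-factor reduction matters as much as channel redundancy.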
The technical requirements

When designing the gas detector, EKTOS' team decided to use a processor and software packages that were pre-compliant with IEC 61508. EKTOS chose an ARM Cortex-R MCU from the Texas Instruments Hercules line, which is based on the ARM architecture. The Hercules family is designed to comply with IEC 61508. The chosen platform, the ARM Cortex-R, is optimized for real-time and safety-critical applications. It consists of two processors that cross-check every message. Working with pre-compliant controllers and their corresponding BSP and HAL software packages significantly reduced the number of engineering hours. The effort spent on making sophisticated start-time diagnostics as well as run-time diagnostics was reduced to a minimum. Choosing the Cortex-R architecture made it possible to adopt the 1oo2 (one out of two) design approach, where the computation core compares the calculated control action for the controlled object BEFORE it is sent out. If the data is corrupted by EMI or simply by a hardware malfunction, the system skips that control cycle rather than issuing a wrong control action that might end in a critical failure.
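The compare-before-output behaviour described above can be made concrete in a small voter. The C program below is an added example, not EKTOS', Geopal's or Texas Instruments' code, and it makes two assumptions beyond the article: each channel emits its command together with its bitwise complement so that a single corrupted bit is caught even before the cross-channel compare, and after three consecutive disagreements the output is latched to the safe (alarm) state. The gas reading, threshold and injected bit flip are constructed test inputs.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Command word produced by each channel. The inverse copy is an assumed
 * design choice, not from the article: a single bit flip in either copy
 * breaks the cmd == ~cmd_inv relation and is rejected by the voter. */
typedef struct {
    uint8_t cmd;      /* CMD_NORMAL = relay energised, CMD_ALARM = de-energise/alarm */
    uint8_t cmd_inv;  /* bitwise complement of cmd */
} channel_word_t;

#define CMD_NORMAL 0x00u
#define CMD_ALARM  0xFFu   /* 0x00 and 0xFF are complements, so both are valid words */

/* Both channels run the same decision: alarm when the reading reaches the threshold. */
channel_word_t channel_compute(uint16_t ppm, uint16_t threshold_ppm) {
    channel_word_t w;
    w.cmd = (ppm >= threshold_ppm) ? CMD_ALARM : CMD_NORMAL;
    w.cmd_inv = (uint8_t)~w.cmd;
    return w;
}

/* Assumed fail-safe policy: after MAX_SKIPS consecutive disagreements the
 * output is latched to the safe state until a restart. */
#define MAX_SKIPS 3u
typedef struct {
    uint8_t  output;             /* command actually driven to the relay */
    uint32_t skipped_cycles;     /* cycles dropped because the channels disagreed */
    uint32_t consecutive_skips;
    bool     latched_safe;
} voter_t;

void voter_init(voter_t *v) {
    v->output = CMD_ALARM;       /* safe state until the first agreed cycle */
    v->skipped_cycles = 0;
    v->consecutive_skips = 0;
    v->latched_safe = false;
}

static bool word_consistent(const channel_word_t *w) {
    return (uint8_t)~w->cmd == w->cmd_inv &&
           (w->cmd == CMD_NORMAL || w->cmd == CMD_ALARM);
}

/* 1oo2 compare-before-output. Returns true when the output was updated this
 * cycle, false when the cycle was skipped (the output holds its previous value
 * or, once latched, the safe state). */
bool voter_cycle(voter_t *v, channel_word_t a, channel_word_t b) {
    if (v->latched_safe) {
        v->output = CMD_ALARM;
        return false;
    }
    bool agree = word_consistent(&a) && word_consistent(&b) && a.cmd == b.cmd;
    if (!agree) {
        v->skipped_cycles++;
        if (++v->consecutive_skips >= MAX_SKIPS) {
            v->latched_safe = true;
            v->output = CMD_ALARM;
        }
        return false;
    }
    v->consecutive_skips = 0;
    v->output = a.cmd;
    return true;
}

/* Constructed fault for the demo: flip one bit of a channel's command word,
 * as an EMI glitch on the channel's memory or bus might. */
channel_word_t inject_bit_flip(channel_word_t w, unsigned bit) {
    w.cmd ^= (uint8_t)(1u << (bit & 7u));
    return w;
}

int main(void) {
    voter_t v;
    voter_init(&v);
    const uint16_t threshold = 100;        /* constructed alarm threshold, ppm */

    channel_word_t a = channel_compute(40, threshold);
    channel_word_t b = channel_compute(40, threshold);
    printf("agreed cycle: updated=%d output=0x%02X\n", voter_cycle(&v, a, b), v.output);

    channel_word_t bad = inject_bit_flip(b, 3);
    for (unsigned i = 0; i < MAX_SKIPS; i++) {
        printf("corrupted cycle %u: updated=%d output=0x%02X latched=%d\n",
               i + 1, voter_cycle(&v, a, bad), v.output, v.latched_safe);
    }
    return 0;
}
```

The point to notice is what the voter does not do: on a disagreement it neither picks a channel nor retries with the corrupted word; it leaves the relay where it was, counts the miss, and only escalates to the safe state when the disagreement persists.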
Traceability is the key to proving that standards are met

Planning and carrying out the development process according to IEC 61508 requires clearly defined processes and procedures. The principle of dual control and traceability applies to every step of the process: the development and design team shall properly document all the evidence relevant to the reliability, redundancy, and robustness of the platform. Although EKTOS already had a proven and qualified development model for the regular electronics design process, the team adjusted that model to comply with the requirements of the SIL rating. As can be seen in the figure below, the process must comply with the classical V-model. It is important to mention that, besides the hard development deliverables (mandatory in order to qualify for the SIL rating), there is always a "surprising" amount of user documentation that shall be in place in order to pass the third-party audit mandatory for SIL 2 compliant products.
EKTOS and Geopal worked with the leading American Notified Body assessor called Exida. It was an advantage that two of EKTOS’ technical experts had previously been certified by Exida. We quickly established effective collaboration with Exida.