Energy Industries

Products

Systems

Services

Events

Offshore Wind

Functional Safety Management

Your first step to functional safety compliance

To help you achieve functional safety lifecycle compliance in accordance with the relevant IEC safety standards, we provide Greenfield & Brownfield safety project execution, operation, and maintenance service support for installed Safety Instrumented Systems (SIS). This is engineered and supported using our Safety Integrity Level 3 (SIL) capable TUV certificated functional safety management system and underpinned by an independent center of excellence technical authority.

We can provide Asset Owner and EPC organizations with an industry leading SIS solution in alignment with IEC 61511 functional safety lifecycle compliance requirements.

Share this page

Are you confident that your SIS is cyber secure?

Safety related systems and today's digital business needs

Prior to recent times, most Industrial Automation and Control System (IACS) networks were air-gapped from the business network and the Internet.

Broadly speaking, they ‘operated independently’ from such non-process plant operational systems. But as technology has rapidly developed, demand for greater business insight, requirements for remote network access, and the spreading of hardware and software from traditional IT (e.g. TCP/ IP networking, Windows-based platforms) to meet emerging client requirements, has caused many Process Industry companies to seek the benefits of intelligent technologies and to further integrate control systems and their enterprise IT systems.

The following are some of the most commonly asked questions when it comes to ensuring the security of safety instrumented systems (SIS):

1. Do I need my SIS to be cyber secure?

Clearly the answer is “yes”. This is because in today’s world, we appreciate that neither functional safety nor information technology are independent of each another. So, a cyber-attack may lead to significant effects that in a worst case scenario could lead to staff injury or fatalities. Even where the IACS is non-programmable, or is physically separated from other networks, threats from unauthorised physical access should also be considered e.g. during maintenance activities, software upgrades etc. Note that current statistics indicate that some 60% of all attackers to IACS are from inside the organisation (e.g. disgruntled or dismissed employees).

2. Is cyber security required by the IEC functional safety standards?

The safety standards IEC 61508 from 2010, and the recently issued IEC 61511 edition 2, both have requirements for SIS cyber security. These standards require:

1. The risk assessment of security & cyber-attack on SIS; and

2. The design of the SIS shall be such that it provides the necessary resilience against the identified security risks.

3. Which standards provide detailed guidelines on cyber security for SIS?

The IEC, ISA, HSE organisations have all appreciated the importance of cyber security and have provided relevant standards and guidelines. The most significant are the IEC 62443 series of standards that consists of 13 parts. ISA developed TR84.00.09 “Cybersecurity Related to the Functional Safety Lifecycle”. National Cyber Security Centre provided “Security for Industrial Control Systems” and NIST published Special Publication 800-82 Revision 2 “Guide to Industrial Control Systems (ICS) Security”. It should be noted that these standards continue to be ‘work in progress’.

4. How can I make the SIS cyber secure?

This is not a single task assignment. Properly aimed and controlled activities need to be provided at all stages of the security life cycle. Functional safety and cyber security have similar and co-dependent thought processes. There are specific roles and responsibilities required from manufacturers, certifying bodies and system operators. This forms a lifecycle process for cyber security akin to the safety lifecycle process for functional safety. The most effective and efficient means to achieve cyber security is to adopt a lifecycle approach which is fully integrated with process safety procedures.

5. How can ABB FSM TA help?

ABB provides an extensive range of cyber security risk assessment, benchmarking and service care offerings for IACS as part of our Industry leading capabilities. We also offer SIS cyber security training courses to provide an End User/EPC perspective of the key management, design, operations & maintenance of cyber security requirements in the context of Safety Instrumented Systems (SIS) projects according to IEC 61511 and IEC 62443 requirements.

Can I use wireless technology within Safety Instrumented Systems?

Wireless technology benefits

Wireless devices can serve process applications where copper wire is not readily available, is expensive to install, or for applications which are not feasible to be engineering using conventional wiring. In doing so, wireless technology systems may lead to installation cost reduction, increased flexibility in operation and improved asset management.

1. Wireless or wired?

Currently accepted signals for safety applications include binary voltage on-off signals, 4-20mA and digital fieldbus, which is receiving growing acceptance. So why not accept wireless digital fieldbus into an SIS application? Are there any differences which make such a big difference? Here are some considerations for what such differences may be and how they may impact on functional safety:

Communication channels via wiring is clearly different to transmission over the atmosphere and so is open to greater outside influences impact on the ability to perform as intended e.g. electromagnetic interfaces, radio frequency interfaces, weather conditions, etc.

Wireless technology by its very nature increases the transmission path complexities and additional hardware sophistication thereby demanding a greater degree of understanding and competencies to support successful operation and maintenance.

Wireless field devices are most often powered by battery which requires essential battery management and energy management which can limit the measured value refresh rate regarding performance requirements for safety applications.

Such wireless technology has a higher vulnerability to cyber threats. Usually all industrial scientific and medical wireless networks use the same 2.4 GHz bandwidth and many are based on the same IEC 802.15.4 standard. There are obvious concerns about coexistence and interference leading to reliability and latency problems.

Higher vulnerabilities to outside influences may also lead to higher rates of system fail safe action which yields to an unacceptable level of spurious trips where loss of communication with the instrument (even for a short while) may lead to process unit or whole plant shutdown and increasing costs of loss production.

The level of sophistication to design, maintenance and testing to sustain a wireless system that is both reliable and available is an order of magnitude over the equivalent hard-wired system and therefore places a greater emphasis on support by vendors, manufacturers and third parties.

Wireless links may be easier to install, however the maintenance and management support is more requiring and the lifecycle costs may be higher than hard-wired system.

2. Where can I use wireless devices?

The successful use of Wireless devices in non-safety related monitoring application has led to the desire to expand into control and even safety applications. Wireless can be successfully used in application functions where they are not considered Independent Protection Functions i.e. where the risk reduction claimed is less than or equal to 10. Examples of this are safety systems such as combustible or toxic gas detection, fire detection, leak detection and emergency shutdown switches. Wireless has the potential to increase overall plant safety where wired systems are impractical. They can provide additional information to the operator that may not be readily available otherwise.

3. Can I use wireless devices in my SIS?

The implementation of safety instrumented functions has been specifically excluded by IEC committees and ISA committees from consideration due to the additional uncertainties of measurement and communication timing inherent in the application of this technology. Currently there is a lack of standard methods for determining contribution of a mesh style network to PFD/PFH calculations. It is undefined yet how to evaluate the common cause failure contribution of a shared Wireless network. There is insufficient guidance for systematic errors that can occur as a result of introducing obstructions or additional sources of interference in the signal transmission paths.

4. Which standards provide detailed guidelines for wireless industrial networks?

ISA technical report ISA-TR84.00.08-2017 “Guidance for Application of Wireless Sensor Technology to Non-SIS Independent Protection Layers” provides good guidance. ISA 100.11a offers the scope to cover everything from the field devices to the control room and covers a variety of protocols including FOUNDATION Fieldbus, Profibus, Modbus and others. IEC 62591 provides a detailed set of guidelines on WirelessHART. Both ISA and IEC aims to provide secure and reliable wireless communication for non-critical monitoring and control applications.

5. How can ABB FSM TA help?

ABB provides reliable and resilient, high capacity Wireless networks that operate over large areas under extreme environmental conditions. Our communication networks deliver a scalable foundation to securely support multiple applications that increase operational efficiency and safety on one cost-effective physical infrastructure. We also offer training courses to provide an End User/EPC perspective of the key management, design, operations & maintenance of Wireless devices used in safety related applications.

What are the key requirements for ensuring successful SIS design?

What do we mean by a risk-based design approach?

It is recognized that Safety Instrumented Systems (SIS) are used to provide protection of hazardous industrial processes. SIS failure could have an impact on the safety of the persons and/or the environment and/or serious economic implications. The basic functional safety standard IEC 61508 provides a framework where the required safety performance of the SIS is dependent on the required risk reduction calculated on a basis of the risk posed by the process conditions and the tolerable risk level which needs to be achieved.

1. What input is needed for the SIS design?

To start any SIS design, we first need to have functional and safety performance (safety integrity) requirements for the design available. A document which serves for this purpose is the ‘Safety Requirements Specification’ (SRS). The SRS provides functional requirements for Safety Instrumented Functions (SIF) and their associated safety integrity levels. The document describes all SIF’s, indicates the required response time for each SIF, required proof test interval, resetting requirements, requirements for bypassing, the required response on SIF failure and much more.

We also need to have requirements and documentation available for the Application Program to be implemented in the SIS. Application Program safety requirements are derived from the SRS and chosen SIS architecture. This documentation specifies the requirements for real time performance parameters of the logic solver, program sequencing and time delays, equipment and operator interfaces, action to be taken on bad process variable, functions enabling proof testing and diagnostic testing of external devices and other software requirements.

2. What are the basic requirements for the design?

The most important requirement for the design is that the SIS constituting parts shall correctly perform their functions. So, for example the selected sensor measurement method shall be proven for the application. Wetted parts shall be selected on positive experience with the medium they contact. The same applies for the SIF final element subsystem. The designer shall consider which type of valve shall be selected for the specific application e.g. ball valve instead of a gate valve, soft seal versus metal seal etc. In other words, a SIS designer should consider if the selected devices and intended functionality are inherently safe.

The SIS designer should consider if the proposed system is safe in use i.e. how it behaves in case of operator or maintenance error or lack of high competency or experience i.e. we should avoid a situation where a device is safe only when it is operated by a highly competent person. Human Factor implications need to be widely considered.

The SIS designer shall also account for the fact that integration, manufacturing, commissioning, operation & maintenance might not be perfect or that process dynamics, medium composition or equipment/device characteristics might not be fully compliant with the requirements specification. For example, the omission or misinterpretation of requirements in service documentation for a detected fault may not be followed by timely repair. In some cases, device life time due to imperfect maintenance or process medium composition might be shortened considerably.

All of the above might be summarized as competency requirements however it goes beyond the functional safety scope.

3. What are the basic safety integrity requirements for the design phase?

There are three basic safety integrity requirements for the design phase, all aimed at ensuring that the system shall be sufficiently robust to hardware random failures and systematic/human faults. The safety standards require SIS designers to consider:

Target random hardware failure measure PFD/PFH meets the required value specified in the SRS. Safety related devices and systems shall be selected in accordance with the relevant requirements specified in IEC 61508 and/or IEC 61511.

The SIS complies with the minimum hardware fault tolerance requirements specified in the standards.

The SIS is sufficiently robust to systematic faults i.e. human faults which can be made during the device manufacturing process and safety system design & integration phase. Techniques and measures for avoidance and control of systematic faults are particularly important for programmable devices and application programs development processes.

4. What are the other essential requirements for the SIS design?

Apart from the above three basic categories of SIL engineering compliance, there are other ‘process’ requirements to be met with some of them being as follows:

The organisation responsible for the design shall possess a quality system which is aligned with a compliant functional safety management system as defined in the safety standards.

A functional safety management system (FSM) allows for ensuring:
a. Staff competency assessment
b. Assignment of persons to the role
c. Proper management of changes
d. Proper planning and monitoring of all safety lifecycle activities.

Design work verification shall be planned and verification activities shall be carried out at defined project stages (including design document and code reviews).

Functional safety audit and assessment shall be carried out.

The required response of the SIS and system operator on detection of a fault shall be defined so that design and relevant procedures are prepared to meet the requirements as specified in the safety standards.

5. Why do operation and maintenance requirements and constraints need to be addressed in the design phase?

The SIS designer will need to consider if the system is to be designed with full consideration for the existing Asset Owner operation and maintenance (O&M) regime and that the requirements specified during the design phase for O&M are feasible and practicable. For example, we may find that a SIS designer has assumed an ESD valve will be tested at one year intervals; however, this requirement has not been agreed with the plant operator in advance on how often the valve can be tested, as practicably this will require a plant shut down. Similarly, sometimes 100% valve proof test effectiveness is assumed by the SIS designer. However, in reality, there is very limited access to the device location for such maintenance work and so this is not possible or difficult to achieve and the only test which can be performed is a full stroke test once every 4 years. So, achieving less than 60 % effectiveness for this device.

Overly optimistic assumptions result in the system being under designed which yields to unsafe process application.

6.How can ABB FSA help?

ABB is the global leader for in-country TUV certified FSM processes for the design, engineering and service of SIS in accordance with IEC 61508/IEC 61511. We assist our customers with FSM development & gap assessment, SRS development, safety device selection and SIL Verification services. We also provide independent FS Audits and Assessments for any safety lifecycle stage. We provide a range of functional safety training courses covering all aspects of the Safety Lifecyle from initial hazard and risk assessment to asset decommissioning.

How do you know if your SIS will perform successfully for 20 years or more?

What does 'device useful lifetime' mean?

A device hardware failure rate changes as the operating time increases. The simplified methodology is that the rate of failures in time can be approximated by a ‘Bathtub’ shaped curve. As such, three regions can be distinguished in such a pictorial representation.

In the earliest part of device ‘life’, the failure rates are high (weaker units in the population usually during or shortly after completion of the manufacturing process). Then the failure rate remains flat as a function of operating time and so finally, the strength of the product declines and the failure rate increases rapidly (this is called the “end of life” or “wear-out” phase of the Bathtub). To simplify hardware random failure reliability calculations, it is usually assumed that a device failure rate will be constant. What this requires is that a device shall be removed from service before the end of its useful life to make the SIL verification calculations valid.

It should be noted that useful life applies for hardware only and we usually do not consider end of useful life terminology for the software.

1. Where can I find the necessary information about useful life of a product?

Usually, the useful life of a product is specified in the respective device safety manual. It can be part of a device FMEDA report, or can be assessed based on Prior-use experience. We however should note that the useful life is strongly dependent on many operational factors (such as environmental, application operation and maintenance conditions) so the data as specified within the safety manual should be treated as an initial value which should be adjusted accordingly by the safety device operator. Often manufacturers will specify a time range for the useful life e.g. 10-15 years.

2. What is the difference between a device and a component?

A device is composed of many components and each of the components has its own useful life. There is no one common useful life value for all components e.g. for a given ESD valve set and the given application, the vendor information/reports show that the valve body packing and bonnet gaskets shall be replaced every 4 years, the seat ring and plug can be functioning for a maximum of 7 years and then must be renewed and the valve body and actuator piston can work for some 15 years without main overhaul, and so on.

If we take a further example for the sensor-transmitter devices, wetted parts of the sensor can have 10 years of useful life and in contrast, the electronic part can have some 50 years. So useful life is very component and application dependent.

Therefore considering the above impact, it may be difficult to define the time period after which the whole device should be renewed. Based on the above, it can be observed that device life time should be then applied at the device component level and not at the whole device level.

3. How do you detect the end of life status of a device?

Usually, analysis of maintenance records including inspection reports and proof test reports will indicate when we start to reach the end of useful life. Operators need to apply good old fashioned common engineering sense. There are always two options here. One option is to replace the component which reaches the end of its useful time and leave the other components operational until their specific end of life is reached. This option allows the operator to use a device until additional spare parts are available for the perishable components of the device. The second option is to replace the whole device early regardless if some of the components are still functioning/valid. However this may seem costly at first, but this option supports the reduction in unscheduled cost of shut down or maintenance work should the ‘maintained’ device fail in the interim. So, good engineering and a whole host of operational parameters with overall cost analysis should be applied to define the useful life of each device and the optimised point of replacement.

The failure rates of some devices may not exhibit typical Bathtub curve expectations and their failure rate does do not just fall of a cliff after a precisely defined time period of operation, but rather they are steadily rising with predictable increases. For such types of devices, it should be defined at which point of time the device shall be renewed or overhaul to ‘as new condition’ or alternatively (where possible) the device can be inspected or tested more frequently. The results of increased inspection and testing will need be recorded and an ongoing analysis carried out to detect trend direction and speed to failure.

Sometimes, useful life is not directly equivalent to operating time and should also reflect how long the device has spent on the shelf before being installed e.g. devices with ‘soft’ gasket materials, gas detector catalytic sensor poisoning in storage, etc. so we should rather set the clock to look on the manufacturing date than rather than operational start-up date.

4. Can I really use my safety devices for 20 years?

It seems that nowadays there are no manufacturing limitations or contra-indications to reach over 20 years of useful life for modern electronic devices if they are properly designed and use the selection of robust electronic components. In the past, electrolytic capacitors used to lose their storage capacity in just a few years within the power supply circuits, so 10 years was a common value utilised to express the useful life time. Nowadays tantalum capacitors can easily achieve greater than 20 years. Some manufacturers even declare 50 years of useful life for the electronic components of safety related devices. So, device selection and useful life appreciation at the component level is key to establishing the overall useful life of safety related devices to ensure the SIS mission time can be successfully achieved from the use of robust devices in combination with correct operation, inspection, testing and maintenance practices.

5. How can ABB FSM TA help?

ABB can assist our customers with safety device selection and SIL verification requirements for successful design, engineering, operation and maintenance of SIS. We have engineering software tools and services that can monitor device performance to assist with useful life management and optimisation for ensuring both functional safety performance whilst providing leading indicators for the avoidance of spurious trips. We also provide several functional safety training courses regarding IEC 61508 / IEC 61511 compliance and in particular for the design and engineering of SIS using appropriate SIL capable safety devices.

Are you confident that SIL verification for your SIS complies with IEC61511 requirements?

What do we mean by SIL verification?

Commonly, the ‘SIL Verification’ term is used for describing the reliability calculation of the Safety Instrumented System (SIS) hardware random failure measure. This means either calculating the average probability of dangerous failure on demand (PFD), or the average frequency of dangerous failures (PFH), which is then compared against the target value as derived from the Hazard and Risk Assessment.

For overall compliance to the safety standards, the SIL Verification process also includes two further requirements:

Evaluation of the Safety Instrumented Function (SIF) safety devices Hardware Fault Tolerance (HFT) requirements for a given SIL.

Assessment of the SIS capability of the safety devices within the SIF to withstand systematic faults (SC) made during the manufacturing design and engineering process.

The SIL verification process should also include an assessment for whether the SIS devices have been properly selected. Devices shall either be manufactured to comply with IEC 61508 requirements or provide substantiated evidence of successful device performance (in safety and non-safety applications) in the targeted operating environment (prior-use evidence).

1. What mistakes are commonly made when it comes to SIL verification of an SIS?

The SIL Verification process is not as easy as it may be seen at first glance and many engineers do not include all necessary aspects in full, so often many mistakes and shortcomings are made. They include amongst others:

The Achieved SIL of the SIF is considered to be only related to the safety device(s) dangerous undetected failure rate. HFT requirements and system resilience to Systematic faults are not considered.

Using overly optimistic failure rates. This is mainly due to the fact that the unjustified failure rates from vendors are used directly in the calculation without taking into account the impact of modes of operation, duty factors and requirements for operation and maintenance.

Failure rates used in calculations are not based on field feedback from similar devices used in a similar operating environment to support Prior-use claims.

The reliability data ‘uncertainties’ and credibility for the specific SIF application are not assessed by the SIS designer.

Applying the assumption in the SIL calculations that all dangerous detectable failures specified by the device ‘Failure Mode Effect Analysis’ are detected failures in a given SIS. This is assumed without any further consideration to confirm if the SIS is properly designed and configured to detect this type of failure and in doing so, provides timely compensating measures to maintain a safe state for the operating plant.

A false dawn that simplified equations always lead to conservative results.

Negligence of the assumption used to derive the simplified PFDavg equations. For example that the Proof Test Interval (PTI) shall be at least an order of magnitude greater than the Mean Time To Restore, or that the expected interval between demands shall be at least an order of magnitude greater than the PTI;

The assumption that ‘Proof Test Coverage’(PTC) of 100% will be applied for all devices regardless, without the relevant justification/feasibility study being undertaken to determine what the maximum PTC can be applied for each device.

The Independent SIL Verifier adjusting/shortening the intended PTI to such an extent that the Target SIL is achieved to meet contractual obligations without any respect to the expected SIS operator PTI practices or scheduled plant overhaul frequencies.

Misinterpreting that some SIF device ‘components’ are not classified as safety related which provides over optimistic failure measure calculations. For example, transmitter sensor component or sensor process connection failure rates are not considered in the calculations.

The inclusion of non-safety related devices incorporated into the SIL calculation. For example, shutdown valve position limit switches used for indication of the valve status.

Improper SIF subsystem architecture assumed to impact on failure measure calculation, HFT and SC claims for the SIF. A common error is to use the Cause and Effect Diagram as a source of SIF subsystem architecture.

1The belief that the reliance on gathering safety device SIL certificates making ‘claims’ to meet the Target SIL for all connected devices, guarantees operating plant functional safety alone.

2. How can ABB FSM TA help?

ABB FSM TA offers various functional safety related services including SIL Verification. Our focus is to encompass all aspects of the SIS design that has an impact on the Achieved SIL of SIF. We also offer a one day SIL Verification training course for engineers who will be involved in executing safety system application projects.

Which do you need – a Functional Safety Audit, a Functional Safety Assessment or both?

Why is it necessary to have a Functional Safety Audit and / or a Functional Safety Assessment?

Following the technical requirements for SIS design from the functional safety standards is not enough to guarantee that process risk will remain adequately managed. We need a functional safety management system (FSM) which would provide a framework for all lifecycle activities. All safety related activities need to be properly planned, competent persons assigned, work as it progresses reviewed and the whole process documented. However, it is common that some of the assumptions or requirements made during the early safety lifecycle phases are not followed through in full during the subsequent safety lifecycle phases.

For sustainability of risk management, any program must be subjected to a well-defined audit and assessment process, otherwise it will lose its effectiveness. Experience highlights that degradation or omissions of various safety management practises is a common theme in several industry incident reports.

These reports frequently include recommendations for implementation or improvement of the auditability of the overall development and operational lifecycle regarding such automated systems. In addition, detecting management system gaps or technical mistakes early in any of the safety lifecycle stages allows the Asset Owner to implement effective remediation recommendations and reduce the impact on cost, schedule and lost production.

1. What do we mean by Functional Safety Audit and Functional Safety Assessment?

For practitioners who are new to functional safety management, Functional Safety Audit and Functional Safety Assessment are synonymous terms. However as indicated by the IEC 61511 definition below, they have different intentions and impact on functional safety assurance:

Functional Safety Assessment (FSA) - investigation, based on evidence, to judge the functional safety achieved by one or more SIS and/or other protection layers

Functional Safety Audit - systematic and independent examination to determine whether the procedures specific to the functional safety requirements comply with the planned arrangements, are implemented effectively and are suitable to achieve the specified objectives

The Functional Safety Assessor is looking at the specific details relating to ensuring that functional safety requirements are being met e.g. if the assumptions made are adequate, if the safety standard technical requirements are implemented properly, if all personnel are competent as needed, if the content of procedures is adequate and so on.

The Functional Safety Auditor is looking for evidence that the procedures are being followed and whether the overall FS program is working effectively in a manner consistent with the planned arrangements.

In summary, the Functional Safety Auditor checks if the document is available; in contrast, the Functional Safety Assessor checks if the content of the document is satisfactory.

2. When do we need to undertake an FS Audit and an FS Assessment?

Functional Safety Audit and Functional Safety Assessment are both mandatory activities identified within IEC 61511. The standard establishes the recommended safety lifecycle stages for Functional Safety Assessment.

Stage 1 - After the hazard and risk assessment has been carried out, the required protection layers have been identified and the safety requirement specification has been developed.

Stage 2 - After the safety instrumented system has been designed.

Stage 3 - After the installation, pre-commissioning and final validation of the safety instrumented system has been completed and operation and maintenance procedures have been developed.

Stage 4 - After gaining experience in operating and maintenance.

Stage 5 - After modification and prior to decommissioning of a safety instrumented system.

The standard does not specify the timing of the FS Audit, however considering the intended purpose of the FS Audit such activities may take place at any of the completion of any stage of the safety lifecycle, as well as being performed at a fixed multi-year interval during the SIS operational phase.

In addition, planning will need to include consideration that any of the findings & recommendations identified from either audit or assessment can only practicably be incorporated into the system if they are detected early e.g. If an assessment requires to revise a system design, but the plant is already commissioned, it will be very difficult to implement this recommendation due to the timing and cost constraints.

So the project manager and project planner should always seek to consider that the benefits of the audit and assessment process for identifying faults in the system are scheduled and resourced as early as possible and that FS Audits and Assessments are valued as an essential tool for managing the risk impact on project technology non-compliance, cost elevation and schedule delays.

3. How can ABB FSM TA help?

ABB supports customers by undertaking the role of Independent Functional Safety Authority for both new and brownfield projects. We provide independent functional safety audits and assessments for new projects or periodic FSA’s for operational facilities. We also undertake end user and supply chain functional safety management gap assessments and gap closure development against the compliance requirements of the safety standards.

Highlights

Training

Blogs

Who we are

T245 - TÜV Rheinland Functional Safety Engineer
View the latest functional safety related courses on the ABB University page

Do purchasing teams really need to worry about Functional Safety & SIL?

Is it safe? Advice on assessing the suitability of electrical devices for use in a safety instrumented function

What is the target failure measure for your SIF?

Calculating the proof test effectiveness for a Partial Valve Stroke Test application

Do you need to use third party certified software tools when configuring a safety instrumented system (SIS) or SIS devices?

Globally recognised expertise in functional safety

We are a globally focused organisation for functional safety management and safety project execution & service excellence for our customers.

Our global network of Safety Execution Centres (SEC) are located within every geographical region for supporting the process industries. These Centers provide ABB customers with in-country dedicated and competent functional safety resources for safety instrumented system (SIS) project execution, design, engineering, modification, operation and maintenance. The Centres also provide access to local safety standard experts and ABB technology and application experts.

To support this global network of SECs, ABB has a dedicated FSM technical authority (FSM TA) comprising resources that have TÜV FS Expert and TÜV FS Engineer certification and are represented on a number of Industry Safety Bodies/Institutions combined with many years Asset Owner and systems integration experience on a number of technology platforms. Our combined safety lifecycle management solutions are proven to deliver technical robustness, operational excellence and sustainable business improvement. We prefer to work in partnership with our customers where we deliver benefits together and we transfer relevant skills for ongoing improvement.

In terms of functional safety assurance, ABB has more Safety Centers than any other supplier in the industry, providing independent third party (TÜV) certificated SIL 3 systematic capabilities for functional safety management (FSM) with SIL 3 capable system solutions, delivery, implementation, operations and maintenance. ABB lead the world in process and functional safety by harnessing the capabilities of our safety products, services, people and safety management system know how for the benefit of our customers.

Related offerings

Projects and design for safety instrumented systems

Safety-related field devices and controllers

Safety lifecycle managment

Safety systems operation and maintenance

Maximizing safety through intelligent engineering and execution

ABB has over 40 years of experience in the design, manufacture and implementation of process safety systems. With operations on all continents and dedicated safety system teams around the world, we can provide highly-qualified technical resources during project delivery with the added reassurance of competent local support and service at the operational stage.

Products and expertise for functional safety compliance

ABB recognises the importance of individual product certification to allow appropriate SIL verification of SIF designs to be shown to be valid against the safety requirements specification. Our diverse range of SIL capable field elements and controllers provides the necessary hardware safety integrity and systematic safety integrity information / data to allow users and systems integrators to complete the appropriate reliability calculations, architectural and systematic constraints in accordance with the IEC safety standards requirements. The documentation provided allows for ABB safety elements and controllers to be successfully integrated in any given Target SIL application.

Full IEC 61508 certification can apply to a manufacturer's processes. Full certification implies that a manufacturer's product development process meets the standards set down in the appropriate parts of sections 2 to 3 of IEC 61508 (including hardware / system and software). Receiving full certification from an accredited notifying body gives the end user confidence that the manufacturer's engineering process has been reviewed and its products' hardware content, firmware and logic have been assessed and conform to the guidelines in the standard.

Safety Logic Solvers

Safety Field Devices

Loading documents

Select region / language

Europe
Americas
Middle East and Africa
Asia and Oceania

Global - English
Austria - German
Belgium - Dutch | French
Bulgaria - Bulgarian
Croatia - Croatian
Czech Republic - Czech
Denmark - Danish
Estonia - Estonian
Finland - Finnish
France - French
Germany - German
Greece - Greek
Hungary - Hungarian
Ireland - English
Italy - Italian
Latvia - Latvian
Lithuania - Lithuanian
Luxembourg - French
Netherlands - Dutch
Norway - Norwegian
Poland - Polish
Portugal - Portuguese
Romania - Romanian
Russia - Russian
Serbia - Serbian
Slovakia - Slovakian
Slovenia - Slovenian
Spain - Spanish
Sweden - Swedish
Switzerland - French | German | Italian
Turkiye - Turkish
United Kingdom - English

Global - English
Argentina - Spanish
Aruba - Spanish
Bolivia - Spanish
Brazil - Portuguese
Canada - English | French
Chile - Spanish
Colombia - Spanish
Costa Rica - Spanish
Dominican Republic - Spanish
Ecuador - Spanish
El Salvador - Spanish
Guatemala - Spanish
Honduras - Spanish
Mexico - Spanish
Panama - Spanish
Peru - Spanish
Puerto Rico - Spanish
United States of America - English
Uruguay - Spanish

Global - English
Algeria - English | French
Angola - English | French
Bahrain - English | French
Botswana - English | French
Cameroon - English | French
Côte d'Ivoire - English | French
Egypt - English | French
Ghana - English | French
Israel - Hebrew
Jordan - English
Kenya - English | French
Kuwait - English
Lebanon - English
Madagascar - English | French
Mali - English | French
Mauritius - English | French
Morocco - English | French
Namibia - English | French
Nigeria - English | French
Oman - English
Pakistan - English
Palestine - English
Qatar - English
Saudi Arabia - English
Senegal - English | French
South Africa - English
Tanzania - English | French
Tunisia - English | French
Uganda - English | French
United Arab Emirates - English
Zambia - English | French
Zimbabwe - English | French

Global - English
Australia - English
Bangladesh - English
China - Chinese | English
India - English
Indonesia - English
Japan - Japanese
Kazakhstan - Russian
Malaysia - English
Mongolia - Mongolian | English
New Zealand - English
Philippines - English
Singapore - English
South Korea - Korean
Sri Lanka - English
Taiwan (Chinese Taipei) - Chinese - Traditional
Thailand - English
Vietnam - English

abb.com privacy settings

Our website uses cookies which are necessary for running the website and for providing the services you request. We would also like to set the following optional cookies on your device. You can change these settings any time later by clicking "Change cookie settings" at the bottom of any page. For more information, please read our privacy notice.

Analytics

We collect statistics to understand how many visitors we have, how our visitors interact with the site and how we can improve it. The collected data does not directly identify anyone.

Preferences

We store choices you have made so that they are remembered across visits in order to provide you a more personalized experience.

Advertising and tracking

Your browsing behavior is tracked across websites by advertising and social network service providers. You may see tailored advertising and content on other websites based on your browsing profile.

Show details

Hide details

privacy notice.

Accept selected

Refuse all

Accept all