CFSE - Certified Functional Safety Engineering I - Participant's Notebook - Exida 2007

Functional Safety Engineering I 

\ 

\_; 

Functional Safety Engineering I- (Version 3.51) 

Participant's Notebook 

·e:·xccc.·;·:·~/~~- Jil.·~·. ·61; . ;:;-® 

- ·. Cf> (' 

.,_ 

; / 

J ·:. i I 

~- 

.· .:~, 

..... ./ 

Copyright© 2000-2007 exida.com, L.LC., All Rights Reserved 

exida.com, L.L.C. 

64 North Main Street 

Sellersville, PA 18960

0 

0

Table of Contents 

SECTION 1 

SECTION 2 

SECTION 3 

COURSE PRESENTATION SLIDES 

EXERCISES 

ADDITIONAL RESOURCES 

IEC 61508 Overview Report- E. Scharpf and W. Goble 

Failure Rate Data 

Safety Terms and Abbreviations 

(.j 

Copyright© 2000-2007 exida.com, L.L.C., All Rights Reserved 




(r--., 

' ) 

(J

SECTION 1 

,·_ 

Co"rse Presentation 

u 





() 

0

Functional Safety Engineering 1: 

Risk Analysis and Safety Integrity Level Selection 

~\ 

L __ J 

~. 

,.,.,:,.· '7 •'' 

Sellersville, PA., USA 

Munich, Germany 

Westville, KZN, South Africa 

www.exida.com 

Version 3.7 

ID

.J ~l

exida Certification S.A. in Switzerland, Geneva 

• Exida founded an independent certification company in 

Geneva Switzerland, the home of IEC. 

• Certification are issued by independent assessors and 

auditors 

• Swiss Quality reputation 

Copyright exida.com LLC 2001-2008 

5 

0 

4 

4 

4 

4 

4 

4 

[ Course Logistics 

Course materials & location 

V' Handouts and course binder 

V' Exercises, Reference Material and Course Review 

Course attendance & participation 

V' Certificate of course completion 

Breaks 

V'Lunch 

V' Stretch, refreshment, etc. 

Personal belongings 

Fire Alarms and Evacuation Procedure 

Calls & e-mails 

~¥~{41:~ 

,. ' .. Copyright exida.com LLC 2001-2008 

J 

6

4 Instructor 

-Name 

Introduction of Course 

Participants 

-Background/experience 

4 Classmates 

- Name, company, position 

- Background/experience you bring to the course 

-What would you like to get from this course? 

Copyright exida.com LLC 2001-2008 7 

[ General Course Objectives 

• 

• 

Review the principles and purposes of Risk -a: 

• 

Review the purpose behind and the concepts of the 

Safety Lifecycle 

Review of the tasks included in the safety lifecycle 

(IEC 61511 based with references to IEC 61508) ...---?- 3" 

J 

Management 

r f 

i Review the rules of probability and fundamental fault - 

tree analysis 

~ Review the purpose and available methods for 

process hazards analysis . 

,.fl., U.{e 

'cR. 

~,CL""""" 

lri 

. ' 

'r~~lr~ 

~ ~\lw'

Section 1: Introduction to Safety 

Instrumented Systems 

4 Why SIS exist 

4 SIS Evolution 

4 The Standards 

4> SIS Definitions 

4 Safety Instrumented Functions 

4> SIS Equipment 

0 


1l 

Minimum Risk Reduction 

n 

Optimal Risk Reduction (ALARP) 

SIS Relief j Alarms j BPCS i Design Process 


12

• 1960's 

SIS Evolution 

Hardwired relays, install where need is 

recognized. 


13 

SIS Evolution 

0 

• 1970's 

Hardwired relays, Solid State logic - 

Install where 

need is 

recognized 


14

SIS Evolution 

• 1980's 

Started using PLCs 

HAZOP, Risk 

Analysis 

Procedures 

developed 

Studies showed 

no decrease in 

accidents. 

Continued 

financial and 

personal loss 

~~xlcta'~ 

Changes after 

Commissioning 

21% 

Operation & 

Maintenance 

15% 


Design & 

Implementation 

15% 

Installation & Commissioning 

6% 

~ 

f2.-oo-r Cut ~5 

~ fZ

"S0/90's Safety Design Process" ] 

Potential Hazards 

Hazard 

SIS Design 

0 


[ S0/90's Company Design Rules 

l 

• If "CLASS 3" (any serious injury or fatality) 

0 

- Design with three transmitters voted 2oo3 

- Design with AK6 safety PLC: Triconex or Honeywell FSC 

- Output will remove air supply from control valve positioner 

via 3 way solenoid 

G~ 

G- 

AK6 

@/ 

rated PLC -~olenoid Control Valve 

~~lcc~;r Copyright exida.com LLC 2001-2008 

18

SIS Evolution 

• 2000's 

Safety Field Equipment- Transmitters, Valves 

PLC's - Improved Diagnostics 

•IEC61511 

• Better Diagnostics 

• Safety Lifecycle Process 

0 


19 

International Performance 

Based Standard For All 

Industries 

(Applies to suppliers) 

The Standards 

IEC61513: 

Nuclear Sector 

0 

Copyright exida.com LLC 

IEC61511: Process 

Industry Sector 

(US uses essentially 

identical/SA 84.00.01-2004) 

20

u 

IEC 61508 Standard 

4 Targets Suppliers 

- Requirements for 

suppliers of process 

·control and 

instrumentation for 

component I subsystem 

safety 

- End Users seek 

suppliers with products 

certified to this 

standard by reputable 

certifying agency 

1 


21 

IEC 61511 Standard 

4, Targets End sers, Contractors and 

Integra ors in process industries 

4 Covers the entire SIS Life Cycle 

- Risk Analysis 

- Performance based design 

- Operations and Maintenance 

4 Performance NOT Prescription 

4 End user applications 

- Not typically certified 

- Independent Functional Safety 

Assessments 

4 3 sections 

- Requirements 

- Guidelines 

4t!lleXf.d?1 Copyright exida.com LLC 2001-2008 

..4.• 

.. ....· 

·.·.·.· .... ··.· ..• 

-... .~.· .... IL Selection 

22

Safety Instrumented System Definition 1 

IEC 61511 defines a Safety Instrumented System (SIS) as 

"instrumented system used to implement one or more safety 

instrumented functions. A SIS is composed of any combination of 

sensor(s), logic solver(s), and final element(s)." IEC 61511 Part 1 3.2.72 


23 

[_________ 

IE_C __ 6_1s_o_a_o_e_f_in_i_ti_o_n ______ ~ 

jg"~"'--~"''~ 

:~~- 

' 

IEC 61508 does not use the term Safety Instrumented 

System (SIS) and instead uses Safety Related System 

to mean the same thing 

(SRS is Safety Requirements Specification in IEC 61511) 


24

Safety Instrumented System 

Functional Definition 

0 

Practitioners often prefer a more 

functional definition of SIS such as: 

"A SIS is defined as a system 

composed of sensors, logic 

solvers and final elements 

designed for the purpose of: 

1. Automatically taking an industrial 

process to a safe state when 

specified conditions are violated; 

2. Permit a process to move forward 

in a safe manner when specified 

conditions allow (permissive 

functions); 

3. Taking action to mitigate the 

consequences of an industrial 

hazard.'' 

L.._ __________ __j 

BPCS 


0 

[___________ 

s_af_e_ty __ F_u_n_ct_i_o_n ________ ~] 

Logic 

Solver 

0 Sensors 

0 Final elements 

"Function to be 

implemented by an SIS, 

other technology safety 

related system, or 

external risk reduction 

~-=_....,:acilities, which is 

intended to achieve or 

maintain a safe state for 

the process, with respect 

to a specific hazardous 

event." 

lEG 61511 Part 1 (3.2.68) 

Copyright exida.com llC 2001-2008 26

[~_s_a_f_et_y_l_n_st_r_u_m_e_n_te_d_Fu_n_c_t_io_n_(_S_IF_)~J 

0 Sensors 


"Safety function with a 

specified SIL which is 

necessary to achieve 

functional safety and 

w "eil;-ca:rrtJ;e-eiftAe:tJ 

safety instrumented 

protection function or 

a safety instrumented 

control function." 

IEC 61511 Part 1 (3.2.71) 

0 

Copyright exida.com LL 

1-2008 

27 

Instrumented Function Types 

No 

0 

Ye• 

Relevant 

Basic Process Control 

andfor 

Asset Protection 

Function 

Safety 

Instrumented 

Prevention 

Function 


Instrumented 

Mitigation 

Function 


28

[ 

Safety Integrity Level 

J 

0 

Safety Integrity 

Level 

SIL4 

SIL3 

SIL2 

SIL 1 

"Discrete level (one out of 

four) for specifying the safety 

integrity requirements of the 

safety instrumented functions 

to be allocated to the safety 

instrumented systems. SIL 4 

has the highest safety integrity 

and SIL 1 the lowest." 

IEC 61511 Part 1 (3.2.74) 

~e .. ·..·.·.·.•.·.'J6.'6ta.·.··.·~ 

~ / -;> ~:, 

Copyright exida.com LLC·2001-2008 29 

Safety Instrumented System ] 

0 

0 Sensors 


Copyright exida.com LLC 2001-2008 30

[~___ 

s_a_fe_t_y_l_n_st_r_u_m_e_n_te_d __ F_u_n_c_ti_o_n_s _____] 

[ SIF Sensors 

J 

Logic Solver 

0 

Like a control system, a safety system has sensors. In the 

process industries sensors measure process parameters 

including pressure, temperature, flow, level, gas 

concentrations and other measurements. In the machine 

industries sensors measure human proximity, operator 

intrusion into a dangerous zone and other protective 

parameters. 


33 

[ SIF Logic Solver 

J 

0 

Sensors I 

Logic Solver 

Final 

Elements] 

A safety system also has a logic solver, typically 

a controller, that reads signals from the sensors 

and executes preprogrammed actions to prevent 

or mitigate a process hazard. The controller 

does this by sending signals to final elements. 

~~(4a_,~ Copyright exida.com LLC 2001-2008 

34

~-------=S=IF~F=in=a=I~E=Ie=m~e~n=ts~ _______ ] 

Final ) 

Elements 

The final element in a SIF is what acts to bring about the 

safe stale. This is often a remote actuated valve in the 

process industries while in machine safety it could likely be 

a clutch/brake assembly. 


35 

Safety Instrumented Function (SIF) 

Implementation 

Logic Solver 

Circuit Utilities 

I.e. Electrical Power, 

Instrument Air etc. 

Interconnections 

The actual implementation of any single safety instrumented 

function may include multiple sensors, signal conditioning 

modules, multiple final elements and dedicated circuit utilities 

like electrical power or instrument air. 

~~~{£:lU';® Copyright exlda.com LLC 2001-2008 

3 6

[~___ 

s_e_c_t_io_n_1_:_s_u_m_m_a_r_v ___] 

0 

4 Why SIS exist 

4 SIS Evolution 

4: The Standards 

4 SIS Definitions 

,, Safety Instrumented Functions 

4 SIS Equipment 


37 

Section 2: Safety Lifecycle 

4 Accident Causes 

4 Safety Lifecycle Objectives 

4·1EC 61508 and IEC 61511 (ISA 

84.01) versions of the Safety 

Lifecycle 

4 Analysis Phases 

4 Realization Phases 

4 Operation Phases 

4 Personnel Competency 


38

Industrial Accident Primary Causes - HSE 

HSE study of accident causes 

involving control systems: 

Changes after 

Commissioning 

20% 

~~··· 

Specification 44% 

Om••--• 

15% 

Operation & Installation & Commissioning 

Maintenance 6% 

15% 

"Out of Control: Why Control Systems go Wrong and How to Prevent Fai/ur~ 

U.K.: Sheffield, Heath and Safety Executive, 1995 (Ed 2, 2003) 

""""' 


39 

~-----------__/ 

[~____ 

s_a_fe_t_y_L_if_e_cy_c_l_e_o_b_je_c_t_iv_e_s __ ~] 

4 Build safer systems that do not experience 

as many of the problems of the past 

4 Build more cost effective systems that match 

design with risk 

4 Eliminate "weak link" designs that cost much 

but provide little 

4 Provide a global framework for consistent 

designs 

(] 

\ .. I 


Practical results of Implementing SLC 

Refinery: Hydrogen Manufacturing Unit 

Source 

49% 

0 

~ 49%: Safety Functions were over-engineered 

~ 4%: Safety Functions were under-engineered (unsafe) 

~ 47%: No change 


41 

Practical results of Implementing SLC 

0 

Total of 5319 loops are considered. 

At 7 different plants 

So~NAM 

37% 

~ 37%: Safety Functions were over-engineered 

~ 6%: Safety Functions were under-engineered (unsafe) 

~ 57%: No change 


42

[ IEC 61508 Safety Lifecycle 

"ANALYSIS" 

Phase 

hi Concept I 

(End User I Consultant) [3f Ha~ 111 &s 1 ~isk l 

1

0 

[ Safety Lifecycle "Analysis" Phases ] 

r 1. Process Design- Scope I 

Definition c> 

Process Saf~.:J 

Information 

I Event Hlsto!:l I 

~r 

2. lndentify Potential 

l c> 

Potential Haza~ 

I Application Standards I 

Hazards 

c:::> I 3. Consequence Analysis -~ 

c> 

4. Identify Protection 

I Layers l c> 

5. Ukelfhood Analysis 

c>r l c> 

( ~ Designofother 

c::> 1 risk reduction 

I Hazard Characteristics I 

I Consequence Database I 

I Failure Probabilities 

I (LOPA) 

I Tolerable Risk Guidelines I 

lT 

y 

Hazard:~ 

c> Consequence 

facilities 

Layers of Prete~ 

Hazard Frequenci~ 

')~6. Select RRF, Target SIL I c> 

RRF, TargetS~ 

for each SIF 

I 7. Develop Process Safety I 

H

[~__ L_a_y_e_r_o_f_P_r_o_te_c_t_io_n_A_na_l_y_s_is __] 

Event Historv 

Application Standards 

Hazard Characteristics 

Conse uence Database 

Failure Probabilities 

2. !ndentlfy Potential 

Hazards 

Q 

q 


Layers of Prole~ 

Hazard FrequeniJ 

•Objective 

Assess likelihood based on all 

protection layers. 

•Tasks 

Identify Layers of Protection 

Use qualitative or quantitative methods 

lntiiltlnQ Pn>tectk>n IPrnteotbn Prntectlon 

Event Loyer 1 I !aver 2 Layer 3 OutJ;ome 

PUFais 

Pl3 Fa"' 

Aeoldentocc..s 

-..-.-..---!'!-2_Sucr:e5 I ARF, Target s!i] 

4 Objective 

Specify the required risk reduction, or 

difference between existing and 

tolerable risk levels- in terms of SIL 

4 Tasks 

Compare process risk against 

tolerable nsk 

Use decision guidelines to select 

required risk reduction 

Document selection process 


48

Safety Requirements 

Specification 

0 

• Objective 

7. Develop Process Safety 

Specification 


Requirements 

Specification 

- Specify all requirements of SIS needed for detailed engineering 

and process safety information purposes 

• Tasks 

Identify and describe safety instrumented functions 

Document SIL 

Document action taken- Logic, Cause and Effect Diagram, etc. 

Document associated parameters -timing, maintenance/bypass 

requirements, etc. 

Copyright exida.com LLC 2001M2008 

49 

SIS Project V-Model 

0 

·''~,::·- -·- -·- -0·-···-·········-·········-·- 

\ 


l 

Safety Lifecycle "Realization" Phases 

)I 8. SIF Conceptual Design I q I Equipmen!~ 

I Manufacturer Safety Manual I q I Select Technology Justification Re 

I Application Standards 

1 q I 9. SIF Conceptual Design I 

Select Architecture 

110. SIF Conceptual Design I 

Determine Test Plan 

I Manufacturer Safety Manuarl ~ 111. SIFConceptual Design I 

I Failure Rate Database I O ReUabUJty I Safety Calc. H/W & SIW Design l 

NO 

[Manufacturer Safety Manual) ~ I 


~ 

. 

s 

Requirements 

Detailed Design 

I 

q I FAT Test Rep~ 

L Application Standards J q 

12. Detailed Design Documentation 

~~x[tta.;® 

I 

13. Factoj'~~ceptance I 

I I 

IEC61511 Stage 2 FSA 

Copyright exida.com LLC 2001 ~2008 

J 

]J 

51 

() 

Select Technology 

0 

• Objective 

- Choose the right equipment for the purpose. All criteria 

used for process control still applies. 

• Tasks 

Choose equipment 

Obtain reliability and safety data for the equipment 

Obtain Safety Manual for any safety certified equipment 

Jl ·. ··•..'.. ·............. ~r equipment making a SIL capability claim 

~e.X~ de(,. Copyright exida.com LLC 2001-2008 

52

u 

[ Select Architecture 

• Objective 

- Choose type of redundancy 

if needed 

• Tasks 

- Choose architecture 

- Obtain reliability and safety 

data for the architecture 

J 

I D~ag I 

H 1------r--' I 

HI 

I ofag I 

1oo1 

1oo2D 


53 

0 

Establish Proof Test Frequency - 

Options 

In general the testing can include: 

(, Automatic testing which is built into the SIS 

4 Off-line testing, which is done manually 

while the process is not in operation 

4 On-line testing, which is done manually 

while the process is in operation 

.. ~ 

.. ..'.. •.· ...•.•. '. '.•.•.·.4...,a~" 

~ " 


54

SIF Verification Task 


Specification: 


including SIL target 

I Manufacturer Safety Manual I I Failure Rate Database I q Reliability I Safety Calc. 

j 

11. SIF Conceptual Design 

PFDavg, 

RRF 

MTTFS, 

SIL achieved 

/} 

0 

Copyright exida.com LLC 2001~2008 

55 

[ SIF Design Options l 

If the SIF verification shows that the SIL 

level has not been achieved by the 

proposed design a number of options 

are available to the designer: 

1' Re-evaluate the SIL requirement by 

adding other layers of protection, etc. 

2. Reduce the proof test interval -this 

may involve provisions for on-line 

testing. 

3. Choose equipment with better safety 

ratings- lower dangerous failure rate 

or better diagnostics. 

4. Change the architecture by adding 

more redundancy. 

4t~>

Safety Lifecycle "Operation" Phases ] 

Event History 



I Consequence Database I 


0 

19. SIS Decommissioning 

Copyright exida.com LLC 2001~2008 57 

0 

~_v_a_l_id_a_t_io_n __ ] 

FAT 

INSTALLATION 1\ V 

~==s=A=T=,=s=IT===~..;\ ~ 

15. SIS Safety Validation COMMISSIONING 

Functional Safety Assessment 

4 Objectives sTART uP 

- Verify that the SIS functions according to design 

requ1rements. 

4 Tasks 

- Verify operation of field instruments 

- Validate logic and operation 

- Verify SIL of installed equipment 

- Produce required documentation - Certifications if 

required 

~~Jt&t'l.':~ Copyright exida.com LLC 2001-2008 58 

·~I 

D 

A 

T 

I 

0 

N

Periodic Proof Testing 

17. SIS Operation and 

Maintenance 

4, Objectives 

- Verify that the SIS continues to function 

according to design requirements and detect 

otherwise hidden lailures 

4 Tasks 

- Verify operation of field instruments 

- Validate logic and operation 

- Document results of all periodic testing 

0 

~~~diJl~ Copyright e~da.com LLC 2001-2008 

59 

Modification and De-Commissioning 

4 Objectives 

- Periodically review hazards and take corrective 

action if deemed necessary 

4 Tasks 

- Periodically review hazards 

o Review incidents 

o Review Facility Change Notices or Management of 

Change (MOC) documents 

- Update SIS as required according to the 

appropriate safety lifecycle step 

0 


60

Competency 

• IEC 61508 Personnel Competency 

" ... ensuring that applicable parties involved in any of the 

overall E/E/PE or software safety lifecycle activities are 

competent to carry out activities for which they are 

accountable." 

-IEC 61508, Part 1, Paragraph 6.2.1 (h) 

0 

"Persons, departments, or organizations involved in 

safety lifecycle activities shall be competent to carry out 

the activities for which they are accountable." 

-IEC 61511, Part 1, Paragraph 5.2.2.2 

~~~(4&1:" Copyright exida.com LLC 2001-2008 61 

u 

Certified Functional Safety Expert/Professional 

(CFSE/CFSP) Programs 

• Operated by the CFSE Governing Board 

-To improve the skills and formally establish the competency of 

those engaged in the practice of safety system application in the 

process and manufacturing industries. 

• Certification audited by exida Certification 

,4: 

4 

~··· ·:~~I!VAJ 


62

Certified Functional Safety ExperUProfessional 

(CFSEICFSP) Programs 

• CFSE: 1 0 yrs of related experience (reduced with 

education level) plus Case Study 

• CFSE: 2 hour Multiple Choice+ 3 hour Short 

Answer/Case Study Exams 

• CFSP: 3 yrs of related experience (reduced with 

education level) 

• CFSP: 3 hour Multiple Choice/Short 

Answer Exam 

• Renewable each 9 years 

CFSE 

GOVERNANCE BOARD 

0 

~ID

Certified Functional Safety Expert/Professional 

(CFSE/CFSP) Programs 

Resources Available: 

Certified Functional Safety Expert 

Application Engineering~ Process 

Study Guide 

2nd Edition 

•On-line Training 

•Study Guide 

•Reference Books 

0 


0 

[ 

~i:iX:ltta.· 

Section 2: Summary 

4 Accident Causes 

4 Safety Lifecycle Objectives 

4 IEC 61508 and IEC 61511 (ISA 

84.01) versions of the Safety 

Lifecycle 

4. Analysis Phases 

4 Realization Phases 

4 Operation Phases 

4 Personnel Competency 


l 

66

Section 3: Principles of Risk 

Management 

~ Risk Definition 

4 Measuring Risk 

4 Risk Tolerance 

4 Risk Reduction 

4 Safety Lifecycle and Risk 

0 


67 

Risk is a measure of 

the likelihood and 

consequence 

of an adverse effect. 

(i.e., How often can it 

happen and 

what will be the 

effects if it does?) 

What is risk? ] 

Risk receptors: 

4, Personnel 

4 Environment 

4 Financial 

• Equipment/Property Damage 

• Business Interruption 

• Business Liability 

• Company Image 

• Lost Market Share 

0 


[ Why do companies manage risk? ] 

• Companies have a legal, moral, and financial obligation 

to limit risk posed by their operation 

• Understanding the way this is expressed in a company 

helps to develop safety policy consistent with the way 

that company already works 

0 

Comply with regulations 

as written, regardless of 

cost or actual level of risk 

Make plant as safe as 

possible, disregard costs 

Build the lowest cost 

plant, keep operating 

budget as small as 

possible 


69 

Basis for Risk Tolerance ] 

0 

4 Risky activities are tolerated because 

they provide benefits and are always 

traded against other risks 

-There is no such thing as zero risk in the 

real world 

-Understanding the various risk and benefit 

options is critical to understanding what kind 

of risk can be tolerated in trade for what kind 

of benefit 


70

[ Measuring Risk and Benefit ] 

• Both risk and benefit must be measured to intelligently 

determine what to do in any situation 

4 Risk measurement must address both consequence 

and likelihood 

The consequences usually involve several forms of 

harm 

• Harm is effectively defined as "loss of benefits" and 

thus brings benefits directly into the equation 

''All significant forms of harm must be considered to 

properly measure risk 

0 


71 

Expressions of 

Consequence 

• Measure of risk depends on two factors: 

- Who is being exposed to risk? 

• Individuals 

• Society 

• Environment 

- What is the nature of the risk? 

• Fatality /Injury 

• Permanent I Temporary n.,,.,.,,n., 

• Financial Loss 

0 


72

[~_____ 

ln_d_iv_i_d_u_a_I_R_is_k ____ ~] 

0 

Individual risk: frequency an individual may 

receive a given level of harm (usually death) 

from the outcome of specified hazards. 

The UK HSE Tolerability of Risk framework sets 

individual risk of fatality limits of: 

Boundary between "broadly acceptable" and "tolerable" 

regions for risks entailing fatalities 

1 x 1 o·• per year (1 in a million per year) 

Boundary between "tolerable" and "unacceptable" regions 

for risks entailing fatalities 

1 X 10-3 per year (1 in a thousand per year) 

The ALARP region (As Low As Reasonably 

Practicable) typically falls in between these bounds 

4~~it{ffl;~ Copyright exida.com LLC 2001-2008 73 

[Individual Risk and ALARP] 

0 

Noway 

High Risk 

If it's worth it 

ALARP or Tolerable 

Region 

We accept it Broadly Acceptable 

Region 

le Risk 


74

[ Defining Tolerable Risk ] 

f. Need both rigor and flexibility 

4 Need to consider all relevant 

forms of harm 

4}. Needs to be consistent with both 

company and society practice 

0 


75 

Tolerable Risk Level 

Example 

All potential hazards must have less than 

- 0.0005 fatal accidents per person per year 

- 0.005 injuries per person per year 

-0.01 significant environmental release 

per plant per year 

-$500,000 in business loss 

per plant per year, etc. 

0 

4 What is good and bad about this tolerable 

risk statement? 


76

Tolerable Risk Level 

Example 

< Matrix form with guiding statement: 

All extreme risk will be reduced and all moderate 

risks will be reduced where practical. 

Recordable Lost Time Permanent Many 

Injury Injury Injury/Death Deaths 

1 per 100 Acceptable Moderate Extreme Extreme 

years 

0 

1 per 1000 Acceptable Acceptable Moderate Extreme 

years 

1 per 10,000 Acceptable Acceptable Moderate Moderate 

years 

1 per 1 oo,ooo Acceptable Acceptable Acceptable Moderate 

years 

4 What is good and bad about this tolerable risk statement? 

~~e{~~t · Copyright eldda.com LLC 2001-2008 77 

0 

[~__ 

A_P_P_Ii_ca_t_io_n_E_xe_r_c_is_e_1_~] 

ti Tolerable Risk 

-Apply the concept of ALARP and tolerable 

risk to developing a tolerable risk guideline 

for a company 


[ Start with Inherent Process Risk ] 

Risk: A combination of the probability of occurrence of 

harm and the severity of that harm (per IEC/180 Guide 

51 :1990) 

A measure of the likelihood and consequence of 

adverse effects. 

Inherent Risk: The risk from a completed process 

design that contains a given amount of process 

materials at given process parameters (i.e. 

temperature, pressure, etc.) 

0 


79 

Risk Reduction 

L 

i 

k 

e 

I 

i 

h 

0 

0 

d 

Acceptable Risk 

Region 

Increasing Ris 

0 

Consequence 


80

[ Risk Reduction using Inherent Risk 

Inherent risk measures the fundamental 

magnitude of a consequence 

0 

4 Manage inherent risk by reducing toxic, 

flammable or explosive inventories 

4~> Good process engineering support is vital 


Risk Reduction using Geographic Risk 

0 

Geographic risk measures the probability an 

event will occur in a specific geographic location 

Manage personnel risk by controlling where the 

people are: control room, work areas and pathways 

~8~4'~,~~ Copyright exida.com LLC 2001-2008 8 2

Non-SIS Risk Reduction 

Non SIS Risk 

Reduction, e.g. 

Pressure Relief 

Valves 

e 

I 

i 

h 

0 

0 

d 


Region 

Consequence 

Reduction, e.g., 

material reduction, 

containment dikes, 

physical protection 

Inherent 

Risk of the 

Process 

Consequence 

Increasing Risk 

Unacceptable 

Risk Region 

0 


83 

SIS Risk Reduction 

What is wrong 

with this slide? 

Non SIS Risk 

Reduction, e.g. 

Pressure Relief 

Valves 

i 

k~l__ 

Consequence 

Reduction, e.g., 

material reduction, 

~~~ containment dikes, 

physical protection 

Inherent 

Risk of the 

Process 

Increasing Risk 

0 

e~C::::: 

I 

i 

h t...=::;:...:_J 

0 

0 

d 

~e 

..·.·.·.Jtlaa ..• 

~ ;? > 


Region 

Consequence 


Unacceptable 

Risk Region 

84

S [ Risk Management Standards ] 

0 

• IEC 61508 

- International standard for electronic risk reduction 

and safety systems ~ 

•IEC60300-3-9 ~ 

~ - International standard containing guidelines for 

~ risk analysis techniques of technological systems 

• ISO 14001 

- International standard to guide environmental 

risk management · 

• 29 CFR 1910 

- US OSHA regulation guiding process safety 

management 


85 

0 

[ 

l 

Risk Management Methods 

,- l _i 

Establish context 

(') 

0 Identify risks 

;: 

3 I 0 

~ 

~ 

;;· 

I Analyze risks I 

~ 

Q 

~ 

(Likelihood & Consequence) 

n < 

0 

~· 

~ 

I 

0 

~ 

~ Accept or treat risks 

;; 

• Identify treatment options 

• Evaluate treatment options 

'-- 

• Select treatment options 

• Prepare treatment plan 

• Implement treatment plan 

~ 

~ 


I 

86

[~__ 

s_a_f_e_ty_L_i_fe_c_y_c_le_o_b_ie_c_ti_v_e_~J 

Analysis 

Hazard Analysis I 

Risk Assessment: 

Define Design 

Targets 

f--+1 

Reduce Risk to 

Document 1 the tolerable 

level! 

Modify 

Design Execute HW 

I and SW Design 

Verify 

"' 

Document I 

Evaluate Design: 

Reliability Analysis of -1 Document 1 

Safety Integrity & 

Availability 

I 

Operate and 

Maintain 

Document I 


0 

[ Section 3: Summary 

l 

4 Risk Definition 

4 Measuring Risk 

4 Risk Tolerance 

4 Risk Reduction 

4 Safety Lifecycle and Risk 

0 


[~ ____ s_e_c_t_io_n_4_:_P_r_o_b_a_b_il_it_Y ____ ~] 

(J 

4, Rules of Probability 

4 Types of events 

4 Probability multiplication 

4 Probability addition 

4, Fault Trees 


89 

0 

[~__ 

P_ro_b_a_b_i_li_ty_A_ss_i_g_n_m_e_n_t_~] 

4 Probability assigned by two methods: 

- Physical property determination 

• Geometry, physical shape 

Ololro;;lfOolro;?llggl 

u ~ L:EJ ~ ~ lQ__2) 

- Experimental outcome determination 

• Number of occurrences I Number of Trials 

4 Probability is a number: ( 0 

~e1tl£4a,~ Copyright exida.com LLC 2001-2008

[ Rules of Probability- Venn Diagrams ] 

Rectangle 

where entire 

event space is 

shown 

0 

~ 

ex./ u.cr·. 

y ::·. 0 

... '-

( Rules of Probability- Venn Diagrams J 

0 

Software 

Failure 

Hardware Failure 

Operational 

Failure 


93 

0 

Probability Assignment 

Venn Diagrams 

P(Gold) = 0.8 

P(Marble) = 0.75 


94

[ Event Types 

4 INDEPENDENT - Events that do not affect 

each other: 

-Coin Tosses 

- Dice Throws 

4 COMPLEMENTARY- When one outcome 

does not occur, the other will always occur 

4: MUTUALLY EXCLUSIVE - When one event 

occurs the other cannot happen 

[ Complementary Events 

0 

4 Complementary Events 

- When one event does not occur, the other will occur 

~ Tossing one coin 

- Two events possible - heads and tails 

4 Success I Failure? 

4; Probability of Complementary Events 

P(A*) = 1 - P(A) 

- Probability of successful operation for the next year is 

0.8. What is the probability of failure in the next year? 


97 

[ Mutually Exclusive Events J 

0 

4" Mutually Exclusive Events 

-When one event occurs the other cannot 

happen 

4 Toss of One Di~ 

-Outcomes (1 ,2,3,4,5,6) are mutually 

exclusive 

t Complementary? 

{ Complementary Events Mutually Exclusive? 


98

[ Correlated Events J 

~ Positively correlated events 

-When one event occurs, the other is 

more likely to happen than for 

independent events 

4 One event does not have to cause the 

other to be positively correlated 

f It is very dangerous to assume correlated 

failure events are independent 

0 


[ Probability Multiplication ] 

Independent: 

P(A AND B)= P(A) * P(B) 

0 

Mutually Exclusive: 

P(AAND B)= 0 

Positively Correlated: 

P(A AND B) >> P(A) * P(B) 


100

[ Probability Multiplication 

l 

4 For independent events 

P(A and B )= P(A)*P(B) 

LIMIT 

- SWITCH 

1- 

SOLENOID 

VALVE - 

0 

In the next year, the probability of successful operation for a 

limit switch is 0.9 and the probability of successful operation for 

a solenoid valve is 0.98. What is the probability of success for 

the system consisting of both elements? 

~?Meta• Copyright exida.com LLC 2001-2008 101 

0 

P (A and B ) = P (A ) * P ( B ) 

P(Limit Switch Success) = 0.9 

P(System Success) 

= 0.882 ) 

P(Solenoid 

Success)= 0.98 

L---------------~~ 

The probability of systems success requires the limit switch is 

successful AND the solenoid valve is successful, thus using 

probability multiplication: 

Psystem = 0.9 * 0.98 = 0.882 


102

Probability Addition 

Mutuallv Exclusive Events 

P(A OR B) = P(A) + P(B) 

0® 

0 


103 


Mutuallv Exclusive Events 

P(A or B) = P(A) + P(B) 

0 

One die is rolled. What is the probability of getting a 4 or a 6? 


104


Mutually Exclusive Events 

P(A or B) = P(A} + P(B} 

One die is rolled. What is the probability of getting a 4 or a 6? 

0 

It is the probability of rolling 4 of rolling 6. The 

probability of rolling 4 is 1/6, the probability of 

rolling 6 is 1/6, thus the probability of rolling 4 or 6 

is 1/6 + 1/6 or 2/6 


105 

0 

., 


Mutually Exclusive Events 

Pair of Dice Roll - Mutually 

Exclusive 

- What is the probability of 

rolling a 7 OR a 9? 

P(A OR B) = P(A) + P(B) 

2 4 

10 1 

12 

~exfttii. Copyright exida.com LLC 2001-2008 

106


Independent Events 

P(A or B) = P(A) + P(B) - P(A and B) 

Not 

Mutually 

Exclusive 

0 

Copyri!jlt exida.com LLC 2001~2008 

107 

[ 


_____ l_n_d_ep~e_n_d_e_n_t_E_v_e_n_ts ______ ~ 

P(A or B) = P(A) + P(B)- P(A and B) 

oO) 

A sack contains 1 00 objects. All are either 

round marbles or square blocks. All are 

either red or gold. 75 % of the objects are 

marbles. 80% of the objects are gold. If an 

object is randomly selected, what is the 

probability that it will be either a marble OR 

gold? 

DO 

0 

~e. 51/Citi ...' 

...•. 

~. y, 


108



A sack contains 100 objects. All are either round marbles 

or square blocks. All are either red or gold. 75 % of the 

objects are marbles. 80% of the objects are gold. If an 

object is randomly selected, what is the probability that it 

will be either a marble or gold? 

The events MARBLE and GOLD are not mutually exclusive because 

it is possible to withdraw an object that is both a marble AND gold. 

Thus, the non-mutually exclusive form of probability addition is used. 

P(M or G)= 0.75 + 0.8- (0.75 * 0.8) = 0.95 

~~{'qti;~ 

4111/'•' ' 


109 

0 



The probability of getting a gold 

object or marble object can 

also be calculated by using the 

rule of complimentary events. 

The only way to NOT get the 

desired result is to get a red 

block. That probability equals 

0.2 * 0.25 = 0.05. 

Therefore: 1 - 0.05 = 0.95 


llO


Three Independent Events 

What about three 

events? 

P(A or B or C) = P(A) + P(B) + P(C) 

P(A * B) - P(A * C) - P(B * C) + 

P(A * B *C) 

() 


111 



0 


events? 

P(A or B or C) = P(A) + P(B) + P(C) - 

P(A * B) - P(A * C) - P(B • C) + 

P(A * B *C) 

c 


112 

/




events? 

0 


-P(A * B) -P(A * C) -P(B * C) 

+P(A * B *C) 

c 


113 




events? 


-P(A * B) - P(A * C) - P(B * C) + 

P(A * B *C) 


114




events? 


-P(A • B) -P(A * C) -P(B * C) + 

P(A * B *C) 

0 

Copyright e>dda.com LLC 2001-2008 

115 



0 


events? 


-P(A * B) -P(A * C) -P(B * C) 

+P(A * B *C) 


116 

/




events? 

P(A or B or C)= P(A) + P(B) + P(C) 

-P(A * B) -P(A * C) -P(B * C) 

+P(A * B *C) 


117 

0 



General Solution: 

P(A OR B OR ... OR N) = 

1- (1-PA)* (1-P 8 )* ... *(1-PN) 


118

\I lo ~ 

+ 

\\ 

~ ~~ 

Rules of Probability 

Exercises 

4 On the throw of a pair of fair dice, what is the 

Rules of Probability 

Exercises 

0 

• What is the probability of an incident over an interval of three 

years? 

- One approach is the calculate the probability of not having an 

incident in one year. This is a complimentary event which 

equals 5/6. An incident does not occur in three years only if 

there is no incident in year one AND year two AND year three. 

That probability of no incident is 5/6 * 5/6 * 5/6 = 0.579 

- The probability of an incident is therefore 1 - 0.579 = 0.421 

1 What is the probability of an incident in ten years? 

- Following a similar approach for a period of ten years, the 

probability equals 1 - (5/6) 10 = 0.839 


121 

0 

l~ __ A_P_P_I_ic_a_t_io_n_E_x_e_rc_i_se_2 __ ] 

~i Probability 

-Apply the rules of probability 


122

[~____ 

F_a_u_lt_T_r_e_e_A_n_a_l_y_si_s ____ ~J 

Fault Tree- Grafhical ''Top Down" method to show the logical 

relationship o failure probabilities and frequencies 


[~__ F_a_u_l_t _T_re_e_M __ a_in_s __ vm __ 

Commonly Used Symbols 

W ORGate 

0 ANDGate 

D Event or Resulting Fault 

Q Basic Event 

b_o_ls--~J 

Occasionally Used Symbols 

 

0 

0 

Incomplete Event 

Inhibit Gate 

House Event 

(Trigger eventguaranteed 

to occur under 

model conditions) 

0 


124

Fault Tree 'AND' Gates 


0 

Battery 

system failure 

Quantitative Analysis of Fault 

Trees - combine probabilities 

using probability multiplication 

What is the probability of 

battery system failure? 

AND gates are solved using 

probability multiplication: 

p = 0.2 p = 0.01 Plop = 0.2 * 0.01 = 0.002 

• 


125 

0 

[~_F_a_u_l_t _T_re_e_·_o_R_' _G_a_te_s~J 

Shutoff valve 

Fails to close 

Quantitative Analysis of Fault 

Trees - combine probabilities 

using probability addition 

What is the probability the 

valve fails to close? 

Solenoid 

fails to vent 

actuator 

p = 0.001 

~~*~421" 

sticks, 

preventing 

closure 

p = 0.001 


OR gates are solved using 

probability addition (non-mutually 

exclusive in this case): 

Plop~ 0.001 + 0.001 - (0.001 • 

0.001) ~ 0.001999 

126

[~__ 

M_u_It_ip_Ie_In_p_u_t_G_a_t_es __] 

• 

I EVENT A ~,.--~~ 

I EVENT B Pb OR 

P=Pa+ Pb+ Pc-(PaxPb) 

-(PaxPc)-(PbxPc)+(PaxPbxPc) 

,---,~ D- n p = Probability 

I EVENTC ~ L 

IF events A, B, and C are mutually exclusive then 

P(A or B or C) = P(A) + P(B) + P(C). 

I 

EVENT A 

I 

EVENTS 

I 

EVENTC 

Pa 

Pb 

Pc 

\ 

AND 

__/ 

P=PaxPbxPc 


127 

[~__ 

F_r_e_q_ue_n_c_y_a_n_d_P_ro_b_a_b_ii_it_Y __] 

EVENT A 

EVENT B 

OR 

Not possible 

0 

Frequency/Probability Logic 

EVENT A 

F=Fa"Pb 

EVENT B 


128

[~_F_re_q_u_e_n_c_y_L_o_g_i_c__] 

EVENT A 

EVENT 8 

0 

EVENTC 

EVENT A 

EVENT 8 

Frequency Logic 

Not possible 

Convert one frequency to a 

probability using a specified time 

base e.g. Failure rate (A) converts to 

PF using 1-e·" (more in FSE II) 


129 

0 

[~__ 

A_P_P_I_ic_a_t_io_n_E_x_e_rc_i_se_a_~] 

4 Fault Trees 

-Solve fault tree models 


130

Section 4: Probability Review 

.f Rules of Probability 

4 Types of events 

4 Probability multiplication 

4 Probability addition 

4 Fault Trees 

0 


131 

Section 5: Process Hazard Analysis 

~···Hazard and Other Term Definitions 

4 Process Hazard Analysis 

4HAZOP 

f. Consequence Analysis 

4> Likelihood Analysis 

4> Fault Propagation 

4 Event Tree Analysis 

4• Risk Integrals 

~@.X:?~a __ ,® Copyright exida.com LLC 2001-2008 132 

0

Definition of Hazard 

0 

~> A potential source of harm 

- IEC 61508-4, Sub clause 3.1.2 

4, A chemical or physical condition that 

has the potential for causing damage 

to people, property, or the environment 

(e.g., a pressurized tank containing 

500 tons of ammonia) 

- CCPS, Guidelines for CPQRA 


!33 

0 

['---__ T_e_r_m_: _ln_it_ia_t_in_g_E_v_e_n_t_) 

Initiating Event: The 

first event in an 

event sequence 

(e.g., the stress 

corrosion resulting 

in leak/rupture of the 

connecting pipeline 

to the ammonia 

tank) 


134

[ Term: Intermediate Event 

J 

Intermediate Event: An event 

that propagates or mitigates 

the initiating event during an 

event sequence (e.g., 

improper operator action 

fails to stop the initial 

ammonia leak and causes 

propagation of the 

intermediate event to an 

incident; in this case the 

intermediate event outcome 

is a toxic release) 

0 


135 

Je.· ...•..... x ... ','dir~ 

[~____ 

T_e_rm __:_ln_c_i_d_e_nt 

____ ~] 

Incident: The loss of 

containment of material 

of material or energy 

(e.g., leak of 10 Ibis of 

ammonia from a 

connecting pipeline to 

the ammonia tank, 

producing a toxic vapor 

cloud); not all events 

propagate into 

incidents. 

~ J' ::· ·:> 


0

[~___ 

T_e_rm __:_ln_c_id_e_n_t_o 

__ u_tc_o_m __ e __ ~] 

0 

Incident Outcome: The 

physical manifestation of the 

incident; for toxic materials, 

the incident outcome is a 

toxic release, while for 

flammable materials, the 

incident outcome could be a 

Boiling Liquid Expanding 

Vapor Cloud Explosion 

(BLEVE), flash fire, 

unconfined vapor cloud 

explosion, toxic release, etc. 

(e.g., for a 10 Ibis leak of 

ammonia, the incident 

outcome is a toxic release) 


137 

0 

[ 

Term: Consequence 

Consequence: A 

measure of the 

expected effects of an 

incident outcome case 

(e.g., an ammonia cloud 

from a 10 Ibis leak 

under stability class D 

weather conditions, and 

a 1.4-mph wind 

traveling in a northerly 

direction will injure 50 

people). 

J 


138

From Potential to Reality ] 

Given that a Hazard exists with potential for Ha':'Jl, an 

Initiating Event- is often followed by an =-= 

Intermediate Event- w~hich may create another=:::, 

• 

Intermediate Event- which may result in an 

Incident- where the result is called an----:::, 

Incident Outcome :.. which, depending 

on circumstances results in') 'r \ 

CONSEQUENCES.....---- 

() 


139 

I 

I 

I 

r 

SLC"Analysis" Phase- Hazard Identification l 

j 1. Process Design- Scopel q 

Process Saf~~ 

Definition Information 

Event Histo!X I 2. lndentify Potential 

A~elication Standards I ~I 

Hazards I 

Hazard Characteristics I c:> I 3. Consequence Analysis I 

I Consequence Database ) q 

I 


(LOPA) 

I 4. Identify Protection Layers I 

Jql 5. Ukelihood Analysis I 

q Potential Haza~ 

q 

Hazard~~ 

Consequence 

q Layers of Protec~ 

q Hazard Frequenci~ 

·~, Deslgnofother 

( R . d? Q risk reduction 

eqwre · 

facilities 

r Tolerable Risk GuidelineSl YES 

4~x(aa.• 

I I , ! 6. Select RRF, Target Sll I q RRF, TargetS~ 

-v for each SIF 

I 7. Develop Process Safetyl 

Specification 



0000~ 

1--- 

Safety ;.ffil 

Requirements 

140 

Specification 

0

What Is Process Hazards Analysis? 

0 

4 IEC61508-1 specifies 3 objectives: 

- Determine the hazards and hazardous events 

of the equipment under control (EUC) and the 

EUC control system (in all modes of operation), for 

all reasonably foreseeable circumstances 

including fault conditions and misuse 

- Determine the event sequences leading to the 

hazardous events determined above 

- Determine the EUC risks associated with the 

hazardous events determined above 


141 

0 

What Is Process Hazards Analysis? 

4 Identifying Hazards 

- Hazards are often identified during PHA 

4 Estimating Consequences 

4 Estimating Likelihood (Frequency) 


142

[ Common PHA Methods J 

4 Checklist 

4; What if? 

4 What if? I Checklist 

4> HAZOP (Hazards and Operability Study) 

4, FMEA (Failure Modes and Effects Analysis) 

{; Fault Tree Analysis 

4 Appropriate Equivalent Methods 


143 

Typical PHA 

Requirements 

4 Hazards of the process 

4' Previous incidents with catastrophic potential 

4 Engineering and administrative controls 

4 Consequences of engineering and 

administrative control failures 

4 Facility siting (layout, access, exposures, etc.) 

4 Human factors (errors, ergonomics, etc.) 

4 Qualitative evaluation of effects of failures 

0 


144

Recommendations for 

Effective PHAs 

0 

~···. Conducted by team with members expert in: 

- Engineering and process operations 

- Specific equipment or process under consideration 

- Specific hazards analysis process being used 

4 Document process 

4 Insure recommendations are acted upon 

4 Revisit analysis every five years 

(RMP in the US, MHF in Australia, COMAH in UK) 

i

PHA- HAZOP 

Function to prevent 

brittle fracture of 

carbon steel field piping 

lfl 

I 

RECOMPRESSION 

INLET 

GAS 

"---------{>PROPANE 

0 

~' 

NATIJRALGAS 

·.•.· ... ·.·.,·":- ,. ·.',,•,. UQUIDS 

eJ(fdti" 

f'' )" :;.; 


147 

PHA- HAZOP 

Identifying SIF 

Node: Warm End Cryogenic Heat Exchanger 

Parameter: Temperature 

0 

Deviation Cause Consequence SafellUards Recommendation 

Too low Aow imbalance Potential brittle Alarms, Process 

Should Indep. PLC 

between streams fracture of shut off, lndep. 

low T shut off be 

PLC Low T shut 

downstream 

piping and fire 

off 

an SIS? 

Weather extreme Potential brittle PLCLowT Same as above and 

fracture of shut off verify likelihood of 

downstream 

weather extreme 


Too high Row imbalance Potential Row alarms Verify if 

between streams compressor and Process compressor will be 

damage shut off damaged 

Action 

J. Jones 

J. Jones 

S. Smith 

-4f~(qti,," Copyright exida.com LLC 2001-2008 

148

[~__ 

s_IF __ D_es_c_r_ip_t_io_n ____] 

4 Recommended SIF found in 

R d . C I Recommended 

ecommen at1ons o umn saregnard 

1 ~ 

4 Existing SIF found in Safeguards Column) 

0 

Deviation Cause Conseuuence Safeeuards Recommendation fction 

Too low F1ow imbalance Potential brittle Alarms, Process 

Should Indep. Pi£'111 

between streams 

fracture of shut off, lndep. J. Jones 

downstream PLC Low T shut ~Tshutoffbe 

SIS? 

piping and fire off 

Weather extreme Potential brittle PLCLowT Same as above and 


downstream 



Too high Flow imbalance Potential Flow alarms Verify if 



J. Jones 

S. Smith 

~~~~~;· Copyright exida.com LLC 2001-2008 

149 

0 

[ Hazard and Consequences J 

4 The hazard that is being prevented, and its 

consequence can be found in a Consequences 

or Description of Hazard column 

Deviation Cause ce Safeguards Recommendation Action 

Too low Flow imbalances t Potential brittle"' Alarms, Process Should Indep. PLC 

between streams 

fracture of shut off, lndep. 


downstream PLCLowT shut 

an SIS? 

\wping and fire off 

Weather extreme Potenuru onttlo PLCLowT Same as above and 


downstream 



Too high F1ow imbalance Potential F1ow alarms Verify if 



J. Jones 

J. Jones 

S. Smith 

1 ~~>

[~__ 

ln_i_ti_a~ti_n_g_E_v_e_n_t~s--~J 

4 In HAZOP, Initiating events in causes column 

4 What-If and Checklist questions 

4 Potential for multiple initiating events per hazard 

Bot~lnitiating Events cause the same consequence 

Deviation ~use Conse(l ence Safeguards Recommendation Action 

Too low 

~ 

Flow imbalance Potential "ttle Alarms, Process 

~tween streams 

shut off, Indep. 

PLC Low T shut 

dfire off 

~run 



an SIS? 

Weather extreme ~~tential brittle PLCLowT Same as above and 


downstream 



~ ~ 

Too high Flow imbalance Potential Flow alanns Verify if 



J, Jones 

J. Jones 

S. Smith 

0 

~~~' 


151 

[ Safeguards 

J 

4 Find both non-SIS and SIS Safeguards, other 

than SIS under study 

• 

Safeguards apply to initiating events, multiple 

safeguards per initiating event may exist 

Too low 

~ ~. 

Ro~alooce 

~;:de~ 

Potential brittle 

fracture of 

between streams downstream PLC Low T shut 

oioinc ood fire "'" 

l'""""ru ~rittle 


lowTshutoffbe 

an SIS? 

Action 

J. Jones 

Same as above and PLC L_?W l "" J. Jones 

~ fracture of verify likelihood of 

downstream 


Too high Flow imbalance Potential Flow alarms Verify if 



S. Smith 

0 

"~! .. · ..... 


152

['-_ld_e_n_ti_fy_in_g_S_I_F_f_ro_m_P_&_ID_s_~] 

0 

4 PHA Studies not always 1 00% effective 

4 Past experience of Licensors and Detailed Design 

Contractors is incorporated into the design 

SIF in the design package are not typically 

differentiated from other control loops 

j,. Identification of SIF based on P&ID representation 

requires control engineering expertise 

4> Hazard, consequence, and safeguards related to SIF 

require process and risk assessment expertise 


!53 

I 

I 

[ PHA Step 2 - Consequence Analysis l 

Event Histo!:X 


]1. Process De~!gn- Scope-~ q 

Defin1t1on 


1~1 Hazards 

Process Saf~~ 

Information 

lc::> 



~ j 3. Consequence Analysis ] Hazard~~ 

c::> 

c::> Consequence 

I 4. Identify Protection I c::> 

layers of Protec~ 

Layers 

Consequence Database 

5. Likelihood Analysis 


(LOPA) I 

~ Deslgnofother 

( q risk reduction 

facilities 

Tolerable Risk Guidelines s 

~?~{eta.® 

I c::> I 

c::> 

Hazard Frequencl~ 

ll "· I 6. Select RRF, Target SIL ] 

for each SIF c::> 

RRF, TargetS~ 

r 7. Develop Process Safetyl 

Specification 



0'-?

What is included in 

Consequence Analysis? 

4 Should consider: 

- Fatality and injury 

-Property damage 

-Business interruption 

- Environmental damage 

-Third-party liability 

- Corporate image 

n 

"-·-· 


!55 

[~__ 

T_o_x_i_c_H_a_z_a_r_d_s __ ~] 

~ Toxic effect zones 

are a function of: 

- Release quantity 

- Release duration 

- Source Geometry 

- Elevation/Orientation 

- Initial Chemical Density 

- Atmospheric Conditions 

- Surrounding Terrain 

- Limiting Concentration 


!56

[ Consequence Analysis Methods J 

f Estimate and Categorize 

4• Statistical 

~' Consequence Modeling 

u 


157 

[ Consequence Categorization J 

0 

Severity Rating lmoact 

Minor 

Impact initially limited to local area of the event with potential for 

broader consequence if corrective action is not taken. 

Serious 

Extensive 

One that could cause any serious injury or fatality on-site or off-site, or 

property damage of $1 MM on-site, or $5 MM off-site. 

One that is five or more times worse than a SERIOUS accident. 

Based on information found in Guidelines for 

the Safe Automation of Chemical Processes, 

AIChE 

~ex{~:ta.• Copyright exida.com LLC 2001-2008 

158

[ Statistical Consequence Analysis ] 

Use accident statistics to calculate average consequence. 

Advantage: Well defined number 

Problems: 

1. Applicability of data, is the new situation 

similar enough? 

2. Is there enough data to be statistically 

significant? 

0 

Copyright exida.com LLC 2001-2008 !59 

[ Statistical Consequence Analysis ] 

Use accident statistics to calculate average consequence. 

Example: 

In a five year period there were 235 explosions of industrial 

boilers. 

As a result of those explosions, 17 people were killed and 

84 people were injured. 

Probable Loss of Life (PLL) = 17 I 235 = 0.073 per incident 

Probable Injury (PI) = 84 I 235 = 0.358 per incident 

0 

Copyright exida.com LLC 2001-2008 !60

---'==[ ===C=o=n=s=e=q=u=e=n=;c_e_M_o_d_e_l_in_g __ ~] 

D Injury Zone 

D Fatality Zone 

23 meters 

9 meters 

Probable Loss of Life: 0.27 

Probable Injuries: 2.56 

Typical Consequence Modeling 

Results for a toxic chemical release 

4 Calculates 

"Effect Zones" 

and "Effect 

Distances" 

4> Typically uses 

mathematical 

models 


0 

[~____ 

c_o_n_s_e_q_u_e_nc_e_M_o_d_e_li_n_g ___ ~] 

4 Consequence is a function of effect 

zone, occupancy, and vulnerability 

- Occupancy is the average number of people (or 

other receptors) in the effect zone- random and 

normally occupied buildings 

- Vulnerability is the probability of fatality (or other 

harm level) given a person is in the effect zone 

Consequence = Occupancy • Vulnerability 


162

[ Term: Effect Zone 

J 

Effect Zone: For an incident 

outcome of toxic release, the 

area over which the airborne 

11? mete.r< 

concentration exceeds some 

87 meters 

level of concern. [e.g., given 

an IDLH for ammonia of 500 

-----~ 

ppm (v), an effect zone of 

E~ 

~ 

4. 6 square miles is 

estimated for a 10 Ibis leak]. 

D Injury Zone 

Zones for thermal effects 

23 meters 

and explosion overpressure D Fatality Zone 

9 meters 

are described in a similar 

fashion. 

0 

~~ltta® Copyright exida.com LLC 2001-2008 163 

[Consequence Modeling Tools] 

Model Public/ Model Strengths Limitations 

Proprietary Capability 

ARCHIE 

Cost 

Public; developed by • gas or liquid • openly available • gives very conservative 

EPA, FEMA, and • buoyant or • credit for some results for tox!cs 0 

(e.g., dikes, etc) 

• No chemical database 

Free 

• mixtures 

• DOS User Interface 

• explosions 

DOT dense gas 

modeling 

passive mitigation • limited flexibility 

DEGADIS Public; co-funded by • gas or liquid •Windows ·easy to use • need expert support 

DOT, EPA, and DOE • dens~ gas • chemicals can be •limited chemical 

modelling preloaded database, can be 

variable • portions of model Supplemented 

incorporated Into 

ALOHA 

PHAST Proprietary; • gas or liquid DIPPA chemical • Dispersion may exceed 

developed by Del • buoyant or database EPAOCA 

Norske Veritas dense • can do aerosols • Need expert support 

gas modelling • Previous releases 

High Cost • chemical widely accepted within 

database 

industry 

• mixtures 

• e)(J)Ioslons 

• good graphic ability 

extaa Copynght e ~ da.com LLC 2001 . 2008 

164

l~ __ A __ P_P_Iic_a_t_io_n __ Ex_e_r_c_is_e_4 _____] 

4, Consequence Analysis 

- Estimate consequences 

0 


0 

I 

I 

[ PHA Step 3- Likelihood Analysis l 

11. Process Design- Scope I 

Definition 

Event HiSIO!J: I ~I 

2. Jndentify Potential 

~elication Standards I 

Hazards 

I Hazard Characteristics I ~ I 3. Consequence Analysis I 

Consequence Database I c:::::> 

I 


(LOPA) 

I 

I c::> I 

c::> 

I c::> 

c::> 

Process Saf~~ 

Information 


Hazard:.;::] 

Consequence 

c::> Layers of Protec~ 


Layers I 

5. Ukelihood Analysis 

I c::> Hazard Frequenci:J 

~ Deslgnofother 

( q risk reduction 

I Tolerable Risk Guidelines I s 

facilities 

~~Jll~~,· 

ll ._I 6.SelectRRF,TargetSIL I c::> 

RRF, TargetS~ 

for each SIF 

I 7. Develop Process Safety I 

~ 

Specification 



Saf~JH 

Requirements 

Specification 

166

[~____ 

L_ik_e_li_h_o_o_d_I_F_re_q_u_e_n_c_y __ ~] 

4 Hazard Likelihood according to 

IEC 61511 Part 3 

- Refers to a frequency such as the number 

of events per year or per million hours 

-Note this is different from the common 

English definition equating it to probability 

0 

~~{t{tJ:::. 181 Copyright exida.com LLC 2001-2008 167 

[ Likelihood Analysis Methods J 

4 Estimate and Categorize 

4 Statistical 

4, Likelihood Modeling 

0 


168

[ Likelihood Categorization J 

Likelihood 

Type of Events Frequency Near Qualitative Ranking 

0 

A failure or series of failures with a very 

low probability of occurrence within the 

1

Likelihood Analysis via 

Fault Propagation Modeling 

4> Analyze the chain of events that leads 

to an accident 

Decompose the specific problem into generic events 

for which statistical data is likely to be available. 


171 

Fault Propagation 

Modeling 

4> Analyze the chain of events that leads 


4 Use event rate data of individual 

components not entire system 

- Component failure event data is easier to find 

4 Calculate overall likelihood using 

probability logic 


172

[L ___ 

E_v_e_nt_T __ re_e_A_n_a_l_y_si_s __ ~] 

4 Good fault propagation model for 

process risk estimation 

~' Event chains connect single initiating 

event to multiple outcomes through 

intermediate branch points 

Branch 

_jl 1: g=:; 

Outcome3 

Initiating Event Outcome 4 

Outcome 5 

Outcome 6 

~~C:ta;~ Copyright e~da.co~,~~c2~o1-2ooa 173 

0 

[~___ 

A_T_Y_P_i_ca_I_E_v_e_n_t_T_r_ee __ ~] 


174

Likelihood Analysis using a Fault Tree 

INITIALIZING I 

F,l,- \ 

I EVENT I 

PROTECTION I !',. 

I LAYER 1 I 

LJ 

I PROTECTION I P, Frequency (f I yr) 

AND 

LAYER 2 I 

PROTECTION I Pc 

~F, ·p, .P, .Po ·p" 

I LAYERS I 

PROTECTION I Pr, 

LAYER 4 I 

I 

The frequency (F) at which a hazardous event will occur will be: 

F =F, xP, xP. xPc xP" 


175 

Example: 

Drawing an Event Tree 

~ Draw an event tree for fire resulting 

from a brittle piping fracture 

-Assume the initiating event is the pipe 

fracturing 

-The primary event branches are: 

o Is the break a minor or catastrophic? 

o Does the vapor cloud find a source of ignition? 

o Are other areas ignited as well? 

0 


Event Tree Drawing 

Example Result 

I············· 

. ·~ ; ... 

.......... 

0 

. ... . ....... . 


177 

[ Outcome Probability Example J 

0 

~Data: 

- Pipe fracture, 1/20 year 

- Probability of small leak 

after fracture, 1/3 

- Probability of ignition, 

10% in small leak, 30% 

in catastrophic leak 

- Probability of explosive 

propagation to full 

plant, 

20% in large fire, 4% in 

small fire 

• Calculate likelihood of: 

-Plant explosion 

-Small fire plant intact 

~~(4a:~ Copyright exida.com LLC 2001-2008 

178

Event Tree 

Calculation Example 

··.~ .. ·.· .. 

~~···· 

......................................................................... h: .. 

Full plant explosion is in two places so the ~''encies add 

to give a total frequency of 0.00201 + 0.00006 = 0.00208 per~ 

, ...... ,, or once per -480 years 

~g~.C{Z7.,~ Copyright exida.com LLC 2001-2008 179 

0 

[ Risk Integral Definition 

4 Risk integrals are a measure of the total 

J 

0 

-A summation of likelihood and 

-.__:~~~~n~c:e for all potential loss events 

.,rc •• 


180

Considering All the Impacts with 

Risk Integrals 

0 

f. Outcomes must be expressed in the 

same terms as the tolerable risk limits 

- For the single variable method, this 

involves "Multi-Attribute Utility" 

4') Risk integral approach 

- Risk integral approach can also be applied 

to the personnel and financial components 

of risk independently of each other 


0 

[ 

Risk Integral Equation 

4 The nominal equation for the risk integral is: 

n 

RI = LCiFi 

i=l 

Rl 

N 

C 

F 

= risk integral 

= number of hazardous events 

= consequence of the event 

(in terms of fatalities for loss of life calculation) 

=frequency of the event 


182

Event Tree 

Risk Integral Example 

' . c 

i~··· 

...... ~ 

.•. 

···. 

.................. 

· .. ··.·. 

.......... ~;;0,2 

. . .. ...................... . 

.... ~;,._ 

o.oo..· 

0.001 

..................... 

: 

··.· ... 

1'1.1.=0.1 

0.000 

(J!-!!'14 ·.····.·. ·.. ~D 

0 


183 

[_A~p~p~l~ic~a~ti~o~n~E~x~e~r~c~is~e~s-~J 

4 Event Tree Analysis 


184

[~ ~] 

______ s_e_c_ti_o_n_s_:_s_u_m __ m_a_r_Y ____ 

4 Hazard and Other Term Definitions 

4 Process Hazard Analysis 

4 HAZOP 

4, Consequence Analysis 

4 Likelihood Analysis 

f. Fault Propagation 

(. Event Tree Analysis 

4 Risk Integrals 


185 

0 

Section 6: 

Layer of Protection Analysis 

{. Fault Propagation Context 

4 Event Tree Methods 

4> Laye'rs of Protection Definition 

4. LOPA Event Tree 

4,, Initiating Events and Failure Rates 

4 Example Protection Layers 


186

Fault Propagation Modeling 

4 Analyze the chain of events that leads 


Initiating Event 

Control 

Operator does 

Mechanical ~Overpressure 

System ...... not respond t-o relief failed Event 

Fails properly 

0 

~~'fl:izY" 


187 

[ Layer of Protection Analysis 

l 

4 A variation of Event Tree Analysis 

-More "rules" in LOPA 

- Like event tree analysis, the initiating event 

starts the chain of events 

-Branches are layers of protection 

-Consider only two outcomes: 

• accident 

• no event 

-For SIL determination, the potential SIF is 

not included 


188

0 

' 

VJ 

t 

T 

M 

I 

I 

G 

A 

T 

I 

0 

N p 

R 

E 

v 

E 

N 

T 

I 

0 

N 

4111 Jex~.··.·.··············.:tt£1.· .•...•. 

X ~- 

Plant and 

Emergency 

Response 

Dike 

Relief valve, 

Rupture disk 


System 

Operator 

Intervention 

Basic 

Process 

Control 

System 

Copyright sxida.com LLC 2001-2008 

Emergency response layer 

Passive protection layer 

0 

Active protection layer 

- 

L 

I 

K 

E 

L 

I 

H 

0 

0 

D 

189 

c 

0 

N 

s 

E 

Q 

u 

E 

N 

c 

E 

LOPA Version of the 

Event Tree 

Quantify using probability multiplication; all logical ANDs 

~~ltti!i" Copyright exida.com LLC 2001-2008 

190

Example Part 1 - 

Pipe Rupture LOPA 

4\ Draw the Layer of Protection Analysis 

Diagram for: 

- A release and fire from a brittle fracture of a 

hydrocarbon line has a root cause of a process 

flow imbalance or weather extreme 

- These layers of protection are proposed for the flow 

imbalance: 

• The operator responds to DCS flow alarms and stops the 

process 

• Other sensors will detect the imbalance and automatically 

close control valves through the DCS to prevent the accident 

• The system has a separate, independent PLC shutoff 

(Potential SIF) 

• The pipe may not rupture even if exposed to low temperatures 

• Source of ignition are controlled in the process area 

~~xtt{a;~ CopiOight e~da.com LLC 2001-2008 

1 9 

1 

0 


Pipe Rupture LOPA 

These layers of protection are proposed for the 

weather extreme: 

• The operator responds to weather conditions and 

stops the process 

• The system has a separate, independent PLC shutoff 

(Potential SIF) 

• The pipe may not rupture even if exposed to low 

temperatures 

• Source of ignition are controlled in the process area 


192


Pipe Rupture LOPA Solution 

............ ._ ... ; 

i 

0 

~e 

Note that the Potential SIF is not included in the LOPA since the purpose 

for SIL selection is to determine the risk without the potential SIF 

.. ','.'.·. %ii{;[fX.'.· 

411 ¥'} ,, .•.•. 


193 

0 


Pipe Rupture LOPA Solution 

'··················································'··················· '························ •............. ' ' : 

Note that the Potential SIF is not included in the LOPA since the purpose 

for SIL selection is to determine the risk without the potential SIF 

~eJl~,:·.® Copyright exida.com LLC 2001-2008 194

[~ __ L_O_P_A_a_ua_n_t_if_ic_a_t_io_n_~] 

4 Proceed as with Event Tree but only 

need to calculate the frequency of 

accident 

4 Resulting accident frequency is initiating 

event frequency multiplied by PFD of all 

independent protection layers 

0 


195 

Example- 

[ 

~-~P~ip~e~R~urp~tu~r~e~L~O~P~A~--- 

4 Quantify the accident frequency of the 

prior example 

Process flow imbalance = 2.5 per year 

Protection Layer PFD are: 

Operator/DCS combined failure- PFD = 0.05 

Pipe may not rupture failure- PFD = 0.33 

Ignition source contacted - PFD = 0.23 

J 

0 

Weather Extreme= once every 5 years 

Protection Layer PFD are: 

Operator failure- PFD = 0.1 0 

Pipe may not rupture failure- PFD = 0.33 

Ignition source contacted- PFD = 0.23 


196

Example- 

Pipe Rupture LOPA Solution 2 

First part of the solution 

0 

F 1 = 2.5 /yr * 0.05 * 0.33 * 0.23 = 9.49 x 1 o- 3 per year 


197 

Example- 

Pipe Rupture LOPA Solution 2 

0 

Second part of the solution 

H&Etil;\iit®T~M,_,i!(J0D7fltttff27i(:Nl~}@l~1~'%'\~U!fJ3l~Wii 

!Weather ext"""' !Operator I Pipe may lr-t> I I Rre . 

---···········-·---·-----------······················:······················----~-------·-·······················r························:··· ................. ! 

. ····~~···· -~~~~~J!~~~Iiq) i niiiis21 

....).... " " 0 . " ·I-· _0.=23=;-' +rc.=:"==: 

. --~~~· +~o:,; 0.33 .. ···~~~ 

0.2 

F 2 = 0.2 /yr * 0.10 * 0.33 * 0.23 = 1.52 x 10·3 per year 

FTOTAL = 1.52 X 10·3 + 9.49 X 10·3 = 1.1 X 10" 2 per year 

Note this is for the accident without the SIF 

~~X{4U:,® Copyright exida.com LLC 2001-2008 

198

[ Application Exercise 6 J 

4 Layer of Protection Analysis 

0 


199 

Failure Rate Quantification 

4 Historical reliability data specific to your 

installation is best, but often unavailable 

4 Plant maintenance and SIS function test 

data by equipment type 

4 Industry average data grouped by 

equipment type 

4 Some expert judgment is still inevitable 

0 


200

Using Maintenance and 

Function Test Data 

0 

4> Companies usually keep maintenance logs 

4> IEC 61511 requires function testing and 

documentation of results 

4 Function test data used to approximate 

failure rate 

Simple Equation for point estimate of failure rate: 

A (Failure Rate) = 

# Failures I Total Unit Hours of Operation 

~ ex/uti 

.. · ·.·0·.~"'"'."".'" 

,,,,_.-- t ,., «- Copyright exida.com LLC 2001-2008 

201 

0 

[ PFD from Failure Rate 

4·• PFD depends of failure rate, failure mode and test interval 

4> Failure rate is divided into failures that cause a false trip 

versus those that cause failure on demand 

4• Most databases list the failure rates and some failure 

modes for an equipment item 

4 An untested device's PFD gets larger as the operational 

time interval increases 

4• For devices subject to periodic inspection and test, an 

average PFD can be used 

PFDavg - (A.t)/2 

J 

More about this in 

Functional Safety 

Engineering II 


202


4 Quantifying Protection Layers and 

Initiating Events 


203 

Protection Layer Attributes 

4 Specific 

- must be specifically designed to be capable of preventing the 

consequences of the potentially hazardous event 

4: Independent 

- must be completely independent from all other protection layers 

4 Dependable . n \Z,obw.k ..st !..ow r-r-.D, 

- must be capable of act1ng dependably to prevent the 

consequence from occurring (systematic and random faults) 

4 Auditable 

- must be tested and maintained to ensure risk reduction is 

continually achieved 

0 

~~X':J~a::,® Copyright exida.com LLC 2001-2008 204

Typical Protection Layers - 

Basic Process Control System (BPCS) 

0 

CONDITIONS 

4 The BPCS and SIS are physically separate 

devices, including sensors, logic solver and 

final elements 

4> Failure of the BPCS is not responsible for 

initiating the unwanted accident 

4 The BPCS has the proper sensors and 

actuators available to perform a function 

similar to the one performed by the SIS 

PFD > 0.1 (by definition) 

205 

.I' .PC..~ f9 t 

~ ~ ~"''--h'c ~~. 

0 

CONDITIONS 

Typical Protection Layers 

Operator Response 

4> Operator Always Present 

4: Operator Has Indication of Problem 

4 Operator Has Time to Act 

4 Operator is Trained in the Proper Response 

PFD - 0.1 , if all conditions met 

PFD = 1.0 , if conditions not met 

. PFD lower than 0.1 possible with HRA 

~~J'fti;'~,!lD Copyright exida.com LLC 2001-2008 J,. 206


Use Factor (Time at Risk) 

CONDITIONS 

• Hazard is not always present 

P= 

Time at Risk 

Total Time 

0 


207 

~' 


Mechanical Integrity of Vessel 

Is vessel designed to withstand the pressure 

and temperature generated as a result of the 

initiating event? 

In some organizations, 

PFD = 0.0 if vessel designed to withstand pressure 

0 

In other more conservative organizations, 

PFD = one year of "random" failure 

Example: 

OR EDA says 1.0 x 1 o·7 /hr rate for "significant leakage" 

PFD = (1.0 x 1 0·7*8760) * 1 = 0.0009 



Mechanical Relief Devices 

~··· Relief Valves 

~> Rupture Disks 

4 Fusible Plugs 

0 

PFD calculated based on failure 

rate data found in databases 

Copyright exlda.com LLC 2001-2008 

209 

0 


External Risk Reduction 

4 Water Spray Curtains 

4 Dual Walled Piping 

4> Enclosures with Scrubbing 

LOPA MUST INCLUDE BOTH the SMALL CONSEQUENCE 

when the system works AND the LARGE CONSEQUENCE 

when it fails since BOTH CASES ARE RISKS! 

PFD calculated based on failure rates of system components 

~~x{C{rK~ Copyright exida.com LLC 2001-2008 

210


Ignition Probability 

4 Most plants are designed to limit sources of 

ignition 

4 Function of release size and released 

materials 

P - 0.3 for flammable gases 

P - 0.1 -> 0.3 for volatile liquids 

P < 0.1 for heavy liquids 

4 Can be lower with detailed supporting 

arguments and Hazardous Area Classification 

0 


2ll 


Explosion Probability 

4 Probability that explosion will occur 

given ignition has already occurred 

4> Not typically used because flash fire will 

occur if explosion does not, so 

consequence not prevented 

4 Use with CAUTION! In most cases 

explosion probability should be ignored 

0 


212

[~_______ 

o_c_c_u_p_a_n_c_v ______ ~] 

4 Fraction of time that effect zone of incident 

outcome in question is occupied 

4, Not typically used because occupancy is 

accounted for in the consequence analysis 

0 

p 

Time of Occupancy 

Total Time 

NOTE: It is only appropriate to use an occupancy probability where it can be shown that the 

demand rate is random and not related to when occupancy could be higher than normal. 

The latter is usually the case with demands that occur at equipment start-up and demands 

that occur during maintenance and test. 

~:~~t{lf:':~ Copyright exida.com LLC 2001-2008 213 

SLC Engineering Tools- LOPA Analysis 

0 

"'""'"""' 

"!~!:'!~~.~ ... 

,.,..,.,. __ ~.2006 ;" 

'"'""""'''"'""'"""' .. 

[""""'"""' 

I S«Tdtt""'""' I

[~_______ 

s_e_c_t_io_n_s __ =s __ u_m_m __ a_rv _______] 

4; Fault Propagation Context 

t Event Tree Methods 

4 Layers of Protection Definition 

4 LOPA Event Tree 

'" Initiating Events and Failure Rates 

4> Example Protection Layers 

0 


[~_____ 

s_e_c_t_io_n __ 7_:S __ IL_s __ el_e_c_ti_o_n _____] 

4 Safety Integrity Levels 

4 Hazard Matrix 

4 Risk Graph 

4. Quantitative Methods 

4' Cost-benefit Analysis 

0 


0 

[ SLC - SIL Selection l 

Process Saf~~ 

c:> Information 

I Event Histor~ I 


~I I c:> 



Hazards 

I Hazard Characteristics I Hazard ::;] 

c::::> I 3. Consequence Analysis [ 

I 

c:> Consequence 

Consequence Database I c:> 

I 


I c:> 

Layers of Protec~ 

Layers 


I c:>l I c:> Hazard Frequenci~ 

I Failure Probabilities 

(LOPA) 

[1. Process Design- Scope I 

Definition 

~ Designofother 

( . ? c:;> risk reduction 

Tolerable Risk Guidelines I 

~~l:{i:~ 

YES 

Requ•red · 

facilities 

ll f)l 6.SelectRRF,TargetSIL I 

v for each SIF c:> 

RRF, TargetS~ 

j 7. Develop Process Safety I 

~ 

Specification 




Requirements 

Specification 

1-- 

I 

L 

Safety Integrity Levels ] 

0 

DEMAND MODE 

Safety Integrity Target Average 

Probability of Failure on Target risk reduction 

Level Demand (RRF) 

SIL4 0!:1 o-s to 10000 to S 100000 

SIL3 i!: 1o-• to 1000 to S 10000 

SIL2 i!: 10- 3 to 100 to S 1000 

SIL 1 i!: 10- 2 to 10 to s 100 


218

[ Safety Integrity Levels J 

CONTINUOUS MODE 


Level 

SIL4 

Target Frequency of 

Darlgerous Failures to 

Perform the SIF 

(per hour) 

02:1 o-• to

[___ 

H_o_w_to_A_s_s_ig_n_a_S_IL_~] 

0 

4, Identify how much risk reduction is needed to 

attain a tolerable risk 

~> Quantitative methods give specific numerical 

targets for risk (e.g. RRF) 

•· Qualitative methods group numerical targets into 

more broad categories of risk reduction (e.g. 

SIL band only) 

4: A consistent method or set of methods must 

be used 

.4.'.'." ... , ..... w~ 

4111!~/"fU Copyright exida.com LLC 2001-2008 

221 

0 

Hazard Matrix 

Procedure 1 

.d 

4 Categorize consequence :if 

"' 

,;! 

J; Categorize likelihood 

" 

~ 

15 " 

~ 

1 2 3b 

4 Select SIL from matrix " > '0 

"' • :E 

corresponding to 

5 

~ 

J 1 3b 

identified consequence 3 Notec 

and likelihood categories Minor Serious Extensive 

Hazardous Event Severity Rating 

• 3 X 3, 4 X 4, 5 X 5, ... 

'0 

0 

.d 

2 3b 3a 

a) One Level3 Safety Instrumented Function does not provide sufficient risk reduction at this risk level. 

Additional modifications are required in order to reduce risk (see note d); 

b) One Level3 Safety Instrumented Function may not provide sufficient risk reduction at this risk level. 

Additional review is required (see note d); 

c) SIS independent protection layer Is probably not needed; 

d) This approach is not considered suitable for SIL 4. 

222 

~~~tta~ Copyright exida.com LLC 2001-2008

Consequence Part 

of the Hazard Matrix 

Severity Ratina 

Minor 

Serious 

lmnact 

Minor damage to equipment. No shutdown of the process. Temporary 

injury to personnel and damage to the environment. 

Damage to equipment. Short shutdown of the process. Serious injury 

to personnel and the environment. 

Extensive 

Large scale damage of equipment. Shutdown of a process for a long 

time. Catastrophic consequence to personnel and the environment. 

I 

Based on IEC 61511~3 Annex c 

I 

0 

~~~·~ / 6 


223 

Hazard Matrix 

Consequence Considerations 

f Clearly identify basis of categories 

4 Can include considerations of: 

-Injury 

-Loss of I ife 

-Property damage 

-Lost production 

-Environmental release 

Assignment of 

Consequence 

category 

requires 

judgment 

0 


224

Likelihood Part 

of the Hazard Matrix 

Likelihood 

Type of Events Freauencv Near Qualitative Rankina 

Events like multiple failures of diverse 

instruments or valves, multiple human errors in f < 1Q-4 Low 

a stress free environment, or spontaneous 

failures of orocess vessels. 

Events like dual instrument, valve failures, or 1 Q-4

[ Hazard Matrix Example 

l 

4 Example 1 

-A SIF was identified 

during a HAZOP study 

- The HAZOP team 

determined: 

. 

g ::iii 

• the consequence is Serious "0 

• the likelihood is High ~ 

• 3 

• Notec 

:I: 

-What is the SIL? 

"0 

"' ,... 

0 iii "" 

, "0 

3b 

Ul 0 

" 

1 3b 

Minor Serious Extensive 

Hazardous Event Severity Rating 

a) One Level 3 Safety Instrumented Function does not provide sufficient risk reduction at this risk level. 0 

Additional modifications are required in order to reduce risk (see note d); 

b) One Level3 Safety Instrumented Function may not provide sufficient risk reduction at this risk level. 

Additional review is required (see note d); 

c) SIS independent protection layer is probably not needed; 

d) This approach is not considered suitable for SIL 4. 

~',,,,,"',',, . 

~t(a Copyright exida.com LLC 2001-2008 

227 

[ Hazard Matrix Procedure 2] 

4 Start with a matrix expression of tolerable risk 


Injury Injury Injury/Death Deaths 0 


years 

lperlOOO Acceptable Acceptable Moderate Extreme 

years 

I per 10,000 Acceptable Acceptable Moderate Moderate 

years 

1 per 100,000 Acceptable Acceptable Acceptable Moderate 

years 

All extreme risk will be reduced and all moderate risks will be 

reduced where practical. 



0 

41dentify consequence and likelihood with the 

layers of protection but without the proposed 

SIF 




years 

1 per 1000 Acceptable Acceptable Moderate Extreme 

years 

1 per 10,000 Acceptable Acceptable Moderate Moderate 

years 

I per 100,000 Acceptable Acceptable Acceptable Moderate 

years 



Copyright eldda.com LLC 2001-2008 

229 

0 


4 Select the SIL to meet the tolerable risk requirement 

based on event frequency reduction 

< Note there are options based on what is practical 



xtreml, 1 

1 per 100 Acceptable Moderate Extreme 

years 

SIL 1 (RRF>10) I 

1 per 1000 Acceptable Acceptable od ate 

years 

lr I SIL 2 (RRF> 100) I 

1 per 10,000 Acceptable Acceptable oderate o era e 

years 

'I SIL 3 (RRF>!OOO) 

1 per 100,000 Acceptable Acceptable Acceptau1e 1mouera~e 

years 



w 


230

[~-~R~is~k_G~ra~p~h-~] 

~' Select categories for Based on IEC61511-3AnnexD 

risk graph parameters 

including one consequence 

parameter: 

- Consequence w, 

~· 

4 And three likelihood '· x ~· 

r=- -=r-2-- 

-= 

parameters: ~ ~ : ·:, : ± 

- Occupancy l F- ,'· ., f-"- 

4 _2_ 1 r-e1 _2_ .·.······• 

4 3 • 

- Probability of avoiding ~. :_, rf"--:-- 

the hazard 

c_';, 

o:,:':,iil'l:~~tly_""ll!l~ 

- D eman d ra t e or f requency t:~~~~~;;t .. 

I 

a 

'-'- --!- 

A:~:~~llluf

Risk Graph 

Parameters 

Parameters 

Consequence 

c 

Description 

Average number of fatalities likely to result from the hazard. Determined by 

calculating the average numbers In the exposed area when the area Is 

occupied, taking into account the wlnerablllty to the hazardous event. 

Occupancy F Probablllty that the B)CjJOSed area Is occupied. Oetennined by calculating the 

fraction of time the area is occupied. 

Probability of p The probab!Uty that exposed persons are able to avoid the hazard 11 the 

protection system faiTs on demand. This depends on there being Independent 

avoiding the hazard 

methods of alerting the exposed persons to the hazard and manual methods of 

preventing the hazard or methods of escape. 

0 Demand Rate w 

The number of times per year that the hazardous event would occur if no SIS 

was fitted. This can be detarnlned by considering all the failures that can lead 

to one hazard and estimating the overall rate of occurrence. 

I Based on IEC 61511-3 Annex D 

I 

~~fttiW" Copyright exida.com LLC 2001-2008 233 

Consequence Part 

of the Risk Graph 

0 

Parameters Classification Comments 

Consequence (C) c, Minor Injury 1. The classif!catlon system has been 

Average number of fatalities. 

de1A91oped to deal with Injury and 

c, 

death to people. 

This can be calculated by determining the 

PLL Range 0.01 to 0.1 

2. For the Interpretation of CA, CB, CC, 

average number of people present when the 

and CD, the consequences of the 

area exposed to the hazard is occupied and c, PLL Range> 0.1 to 1 accident and normal healing shall be 

multiplying by the wlnerab!Uty to the Identified 

taken Into account. 

hazard. 

The vulnerability is determined by the natura of 

c, PLL Range> 1 

the hazard being protected against. The 

follOWing factors can be used: 

V=0.01 Small release of flammable ortoxic 

V"' 0.1 Large release of flammable or toxic 

v"' 0.5 As above, but highly toxic or flammable 

V"' 1 Rupture or explosion 

~~(~a· Copyright exida.com LLC 2001-2008 

I 

Based on !EC 61511-3 Annex D 

I 

234

Occupancy Part of 

the Risk Graph 


Occupancy (F) 

F, Rare to more often 

This Is calculated by determining the length of 

exposure In the 

time the area exposed to the hazard is 

hazardous zone. 

occupied during a normal working period. 

Occupancy less than 

NOTE- If the time In the hazardous area Is 

0.1. 

different depencfng on the shirt being operated 

then the maximum should be selected. F, Frequency to 

permanent exposure In 

NOTE-It is only appropriate to use FA where 

the hazardous zone. 

It can be shown that the demand rate Is 

random and not related to when occupancy 

could be higher than normal. The latter is 

usually the case with demands that occur at 

equiprilent start-up. 

3. See comment 1 above. 

Occupancy- a likelihood measurement for personnel based on probability of exposure 

n 

I Based on IEC 61511-3 Annex D 

I 

~~dB'~ Copyright eJti~a,~ Copyright exida.com LLC 2001-2008 

236

Demand Rate (Likelihood) 


Demand Rate (W) without protection w, Demand rate less than The purpose of theW factor Is to 

system. 

0.03 per year. estimate the frequency of the hazard 

taking place without the addition of 

To determine the demand rate, it is w, Demand rate between the SIS. 

necessary to consider all sources of failure 

0.3 and 0.03 per year. 

that can lead to one hazardous event. In 

H the demand rata Is very high (e.g., 10 

determining the demand rate, limited credit w, Demand rate between per year) the SIL has to be 

can be allowed for control system 3 and 0.3 per year. determined by another method or 

performance and Intervention. The 

the risk graph must be recalibrated. 

performance that can be claimed if the control 

For demand rates Then the operation mode Is high 

system Is not to be designed and maintained 

higher than 3 per year demand or continuous (IEC61511-1, 

according to IEC61511 is limited to below the higher Integrity shall be Clause 3.1.48.2). 

performance ranges associated with SIL 1. 

needed. 

I 

Based on lEG 61511-3 Annex D 

I 

~~X'l6la'· Copyright exida.com LLC 2001-2008 

;'"j-7 J" "' 

237 

Demand Rate (Likelihood) - 

Qualitative 

0 


Demand Rate {W) without protection w, 

system. 

w, 

Very Slight 

Possibility 

Slight 

Possibility 

w, High 

Probability 

The purpose of theW factor Is to 

estimate the frequency of the hazard 

taking place without the addition of 

the SIS. 

I Based on Information foundJ 

in 1EC61508, part 5 

~~~fiia:,• Copyright exida.com LLC 2001-2008 

238

Assigning the SIL with a Risk 

Graph 

w, w2 wt 

c, x, r---- .----=- ,------:- 

--- 

Starting point for risk X 

'• ~ 1-- 1- 

reduction estimation c, •• c-1- 

--- 

_r. X ~ 1- 

F 

c, 

I 

Ap 

X ~ ~ 

F, 

C =Consequence parameter 

F Exposure lime parameter 

P Possibility of tailing to a\.Uid hazard 

W = Demand rate assuming no protection 

c, 

tr 

F FA 

PAp 

X 

•• 

c-1- c-l 

~X e-i- c-1- ~ 

P, 

~ 

4 3 

'----- '----- 

-- "' No safely r&qulremanls 

A = No special safety requlremants 

8 = A single EJEIPS i> llOI sufficient 

1,2,3,4 =safety Integrity Level 

0 

~"-·'a;·® 

~?

Risk Graph 

Example Solution 

() 

4,, A SIF was identified 

during a HAZOP study 

{; The Safety Department 

also determined that: c, 

xJ'~ 

a --- 

- PLL=0.9 

F, '• x, - 

lr 

;:'''''''''-''''' 

1 a 

- The area is normally c, 

F x, - 

F, 

occupied ·., 

2 I 

~ 

X. 

- There is no possibility of '• 3 ~ 

avoiding the hazard + 

.. 

F, 

c, 

4 3 1,,,,,,,, 

- The demand rate is 0.05 . 

F, X. 

per year 

;.-,_ 

'· 

•• ,,,~ ;;tf _3_1··''··,,,_ 

4 What is the SIL? 

+~+•No•81•tYreq!irorn•nf&. -- _-.-_,_, ___ 

A ·tl~~~~~~allll;>~ul~emanta 

a .. A

Frequency Based Targets 

Selecting the Target 

4c The frequency that is allowable for a 

hazardous event depends on the consequence 

Severity Rating 

Impact 

Target Freq. 

Minor 

Minor damage to equipment. No shutdown of the process. 

Temporary injury to personnel or minor damage to the 

1.0 xt0·3 

Serious 

Extensive 

Damage to equipment. Short shutdown of the process. Serious 

injury of personnel (or single fatality) or serious environmental 

damage. 

large scale damage of equipment. Shutdown of a process for a 

long time. Catastrophic consequence to personnel (e.g. multiple 

fatalities) or major permanent environmental damage. 

t.o x to·4 

l.Ox 10·6 

0 

Example only 

p er y ear 


243 

~' 


Calculate Risk Reduction 

Required risk reduction is a function of 

unmitigated accident frequency and the 

frequency target 

RRFsiF = 

Funmitigated event 

FTarget 

k~ 


244


Assign SIL 

4 Select SIL based on 

required RRF 

4 RRF target converted to SIL RRF 

SIL based on table 

specified in ISA S84 and 4 

10 4

Another target frequency method: 

Individual Risk Targets 

4 Take likelihood and consequence or 

existing risk integral and convert into 

frequency target 

4 Calculate required risk reduction to 

achieve the target 

4 Assign SIL based on required risk 

reduction 

0 


247 

Individual Risk Targets Method 1: 

Calculating Frequency Target 

4 Calculate frequency target - a function of 

tolerable individual risk and probable loss of 

life 

() 

Ftarget = 

Findividual risk 

PLL 

• 

Calculate required risk reduction and assign 

SIL with the same method as the general 

frequency based method 

~~(Cia.® Copyright exida.com LLC 2001-2008 

248

Example 1: 

Individual Risk Based Target 

An accident scenario yielded a consequence of 0.21 

Probable Loss of Life (PLL) and a likelihood of 11576 

inci nts er :-toe · 1v1 ua risk of fatality a 

this facility is 1 x1 o- 4 hat SIL should be se 

eQ 1 - Determme the tolerable frequency of this event: 

. "'\ 

F(tol) = 1x10-4 I 0.21 = 4.76x10·4 

Step 2 -Applying the target RRF equation yields: 

RRF = (11576) I 4.76x10-4 I= 3.64 

Step 3- Select SIL based on RRF: 

For, RRF = 3.64 -7 SIL = 1 

(or no SIL required with documentation of RRF achieved) 

~.~ttta,;~ Copyright exida.com LLC 2001-2008 249 

Example 2: 


() 

A risk integral yielded an existing risk of 0.044 deaths per 

year without any SIF (brittle pipe fracture case). The 

tolerable individual risk of fatality at this facility is 1 x1 0-4 

What SIL should be selected? 

Step 1 - Determine the RRF from the ratio of existing to 

desired risk: 

RRF = 0.044 I 1.0x1 0-4 I= 440 

Step 2- Select SIL based on RRF: 

For, RRF = 440 -7 SIL = 3 or 

(SIL 2 with a RRF of greater than 440 as part of the spec) 

~@xial~ Copyright exida.com LLC 2001-2008 

250


4 SIL Selection 

0 


251 

Risk Integral Application to 

Cost Benefit Analysis 

4 Risk integrals require a single loss variable 

4 Can be across all receptors converted to 

financial terms 

4 Can be across financial receptors only in 

monetary cost terms 

4 Can also be across personnel receptors 

only in equivalent or probable loss of life 

(PLL) terms 

- PLL can take on fractional values 


252

[ Risk Integral Advantages 

[ Cost Benefit Analysis 

4 A SIF is being considered to prevent the brittle pipe 

fracture and plant explosion event described earlier 

- Risk without the SIF costs 1.27 M$/year 

- A low-cost, low-performance SIL 1 SIF can provide a risk 

reduction factor of 10 for $20,000 per year net cost 

- A higher-cost, higher-performance SIL 2 SIF can provide a 

risk reduction factor of 200 for $80,000 per year net cost 

- A top end SIL 3 SIF can provide a risk reduction factor of 

2500 for $200,000 per year net cost 

4 Which system should be selected? 

J 

() 

1 

J'exJ.·· ·.. 

'4IIJJ y 

cl 

... ,a.''''.'.'.". 


[~_______ 

c_o_s_t_-B_e_n_e_f_it_A_n_a_ly_s_i_s ______ ~J 

4 This example can be solved by calculating the annual 

cost associated with the risk of each option. 

4 For the case with no safety system, the cost of the 

hazard is $1,270,000 per year 

4 With the first case low-cost safety system: 

- The RRF of 1 0 reduces the hazard cost to 

$1,270,000/10 = $127,000 per year, 

- While the system itself adds $20,000 per year 

- This gives a total $147,000 overall annual cost or a net 

savings of $1,123,000 per year relative to no safety system 

0 


0 

Cost Benefit Analysis 

4 Considering the SIL 2 option in the same way 

- The hazard cost is $1,270,000/200 = $6350/year, 

- The system itself adds $80, 000/year 

- This gives a total $86,350 overall annual cost 

or a net savings of $1,163,650 relative to no safety system 

4c 

For the SIL 3 system 

- The hazard cost is $1 ,270,000/2500 = $508/year, 

- The system itself adds $200,000 per year 

- This gives a total $200,508 overall annual cost 

or a net savings of $1,069,492 relative to no safety system 

< The SIL 2 SIF is the best option, with the greatest 

savings of -$1,163,650 per year relative to doing 

257 

0 

[~_____ M __ ul_ti_p_le_R __ ec_e_p_t_o_rs_p_e_r_S_I_F ____ ~ 

~; Occasionally a set of tolerable risk levels and risk 

estimates g1ves different integrity level requirements 

depending on the personnel, environmental, or 

financial receptors considered: 

Safety IL = 2 

Environmental IL = 3 

Financialll = 1 

4 Choose highest IL = 3 for specifying 

the system 


258

SLC Engineering Tools- 

SIL Selection and Documentation 

ProJ«t!dor

Section 8: 

Safetv Requirements Specification 

4 SRS Definition 

4) SRS Requirements 

4, SRS Format 

4: SRS Problems and Solutions 

0 

~e~l;fct· 

W-'/ ~::· . , ,

[ SLC -Requirements Specification ) 

11. Process Design -Scope I 

Process Safety 

q j 

Definition Information r-:: 

I Event Histo~ 

I ~I 



Hazards 

I q 

I Hazard Characteristics I ~ I 3. Consequence Analysis I q 

I Conseguence Database I 

c::>l 



I Failure Probabilities I (LOPA) 

I q 

~I Deslgnofother 

( c::> risk reduction 

I Tolerable Risk Guidelines I 

~~~~~· 

y 


Hazard~ 

Consequence 

q Layers of Prete~ 

facilities 

Hazard Frequencie;.J 

[I ~~ 6. Select RRF, Target SIL I q RRF, TargetS~ 

for each SIF 

l7. Develop Process Safety I 

~ 

Specification 

JEC61511 Stage 1 FSA 



Requirements 

Specification 

J6 63 

0 

[ SRS - The Source of Knowledge] 

Process~ 

I lnfom>atioK Hardware & ~ 

Functionality Software Sy:Jiem 

I Hazard 

lnfonnatio~ 

I Hazard 

Freq-uencies / 

I Hamd~ 

Con"'"'"'K 

I T"getSIX 

I Regulatory 

ReqUiremenV 


Requirement 

Specification 

Conceptual & 

Detailed 

Design 

Integrity & Procedures 

v Validation v 

lnlonnatlon & Revision 

Operations, 

Maintenance 

& 

Modifications 

I Analysis I ·I Implementation I ·I 

Operation 

I 


264 

0

Specification Communication ] 

How the 

Customer 

explained it 

Howltwas 

Sold 

How it was 

Designed 

How it was 

Built 

How it was 

Tested 

0 

How it was 

Documented 

How it was 

Installed 

How it was 

Billed 

How it was 

Maintained 

What the 

Customer 

really 

needed 


265 

[ The SRS as a Living Document ] 

0 

' The SRS is the 'backbone' not just of the project 

Implementation & Testing but also a key point of 

reference during the Operation phase 

< The SRS should be constructed in a way that is: 

-Clear 

• Jargon-free so everybody can read it 

-Concise 

• To-the-point with minimal repetition 

-Complete 

• All functional. integrity and non-functional requirements covered 

- Consistent 

• Avoid contradicting statements or requirements 

' All modifications should be evaluated against the SRS, 

the better the background information provided, the 

better informed the change impact assessment 


266

[ SRS Requirements J 

4 The SRS should contain these functional 

requirements 

- Definition of the safe state 

- Process Inputs and their trip points 

- Process parameter normal operating range 

- Process outputs and their actions 

- Relationship between inputs and outputs 

-Selection of energize-to-trip or 

deenergize-to-trip 

0 


267 

[ More SRS Requirements 

J 

4> Consideration for manual shutdown 

4 Consideration for bypass 

4 Actions on loss of power to the SIS 

4>>•· 

Response time requirements for the SIS to 

bring the process to a safe state 

4> Response actions for overt fault 

4 Operator Interface requirements 

4 Reset functions 

0 


268

[ More SRS Requirements J 

0 

4; The SRS should contain these integrity 

requirements 

-The required SIL for each SIF 

- Requirements for diagnostics to achieve 

the required SIL 

- Requirements for maintenance and testing 

to achieve the required SIL 

- Reliability requirements if spurious trips 

may be hazardous 


269 

[___ 

S_R_S_F_o_rm_at_--"'] 

0 

1. General Requirements EXAMPLE ONLY 

- Requirements common to all SIF 

2. SIF Requirements 

- Functional Requirements 

- Integrity Requirements 


270

SRS Format: 

General Requirements Section 

General Requirements 

EXAMPLE ONLY 

1. All safety instrumented functions (except fire and gas and 

special cases) shall be designed such that movement of the final 

element to the safe position will be performed by removing power 

from the element (i.e., de-energize-to-trip). 

2. SIFs that are not de-energize-to-trip will be clearly described 

as such in that individual SIF's specification. For safety 

instrumented functions where energize-to-trip is selected, 

positive means for continuously monitoring circuit integrity shall 

be employed. 

0 


271 

. 

SRS Format: 



EXAMPLE ONLY 

3. All safety instrumented functions shall be designed in accordance with 

the requirements set forth in the following statutes, regulations, and 

standards. If individual safety functions are to be designed in accordance 

with other standards than the ones listed below, they shall be clearly 

described in that safety instrumented function's individual safety 

requirements specifications. 

0 

Statutes, Regulations, and Standards 

lEG 61511 

29CFR 1910.119 

40CFR 68 

Application of Safety Instrumented Systems 

for the Process Industries 

Process Safety Management 

Risk Management Planning 

~et

SRS Format: 



EXAMPLE ONLY 

4. Unless specified otherwise in an individual SIF's logic diagram, the 

MTIF' of a SIF shall not be less than 25 years. 

5. Unless specified otherwise for an individual SIF, the response time of 

a SIF shall not exceed 2 seconds. The maximum response time for each 

sub-system, operating asynchronously, shall be as shown below. 

System Resgonse Time 

0 

Sensor Sub-system t 00 milliseconds 

Logic Solver Sub-system 

900 milliseconds 

Final Element Sub-system 

1 second 

~~(citii';• Copyright exida.com LLC 2001-2008 

273 

u 

SRS Format: 

SIF Requirements Section 

ID: SIF-001 Service: 

EXAMPLE ONLY 

Reference: PID-012 Low Recycle Gas Flow Closes Fuel 

Required SIL: 1 

Gas to Reforming Heaters Dropout 

Valve 

OffLIIJa"est Interval: 3years 

Response Time: See General Requirement 5 

Activation Method: Deenergize-to-Trip (See G.R. 1) 

Manual Reset: Required (See G. R. 7) Safe State: 

Nuisance Trip Req's: See General Requirement 4 Fuel Gas to Reforming Heaters RH- 

Diagnostics: None Additional (See G.R. 2) 

01 and RH-02 is stopped by closing 

the fuel gas shutoff valve. 

Manual Shutdown: HS-001 (See G. R. B) 

Regulatory Req's: See General Requirement 3 

Notes: 1 

~~l4a'; Copyright exida.com LLC 2001-2008 

274

Cause-and-Effect Diagram: 

SRS Format: 

SIF Requirements Section 

T•g 

SFT-960 

5HS·001 

EXAMPLE ONLY 

g a; 

E. ~ 

Description 

EU LO EU HI Act 

Rec Ia Gas Flow 0 162 < 48.7 MMSCFD X 

Heater Fuel Gas Oro out Switch 

X 

8 ~ 

~ 13 

1-;\lm+-+-+-J 

~ 

~ ... 

Trip Pt. Units .. j ~-,,,:,:,:.:-:.,: . ·;r4 t' }{I 

0 

( 


275 

[ Logic Description Methods J 

4 Plain Text 

- Strengths- Extremely flexible, No special knowledge req'd 

- Weaknesses- Time-consuming, transposition to program 

code difficult and error prone 

< Cause-and-Effect Diagrams 

- Strengths- Low level of effort, clear visual representation 

- Weaknesses- Rigid format (some functions can not be 

represented w/ C-E diagrams), can oversimplify 

; Binary Logic Diagrams (I SA 5.2) 

- Strengths- More flexible than C-E diagrams, direct 

transposition to a function block diagram program 

- Weaknesses- Time consuming, knowledge of standard 

logic representation required 

0 


276

Example: 

Plain Text Logic Description 

0 

Describe the logic for an SIF, where a low pressure condition can 

cause flame out in a fired heater. In this case, the inputs are a 

burner rnonitor switch BS-01, and a pressure switch PSL-02. The 

output is a double-block and bleed assembly whose valves are XV- 

03A and XV-03B for the up and downstream blocks, respectively, 

and XV-03C for the bleed valve. The valves can be moved to their 

safe position by deenergizing solenoid XY-03. The system is 

deenergize to trip. 

Write the logic description in plain text. 


Example: 

Plain Text Logic Description 

0 

If one of the following conditions occur. 

1. Switch BS-01 is deenergized, indicating loss of flame 

2. Switch PSL -02 is deenergized, indicating low fuel gas pressure 

Then the main fuel gas flow to the heater is stopped by performing 

the following. 

1. closing valves, XV-03A, and XV-03B 

2. Opening valve XV-03C. 

The respective valves will be opened and closed by 

deenergizing the solenoid valve XY-03. 


Example: 

Cause-and-Effect Diagram 

Create a Cause-and-Effect diagram that describes the same 

shutdown. 

0 


[ C&E Auto-Generated from exSILentia J 

''"'"&!ff

Example: 

Logic Diagram 

Create a Logic diagram that describes that same shutdown. 

Field Input 

Logic Solver 

Field Output 

0 

8 

lln

~:~-"""~ 

~'\h>i"""""'ol::il)' 

r; 

0 


283 

[~___ P_o_t_e_n_ti_a_IS __ R_S_P_r_o_b_le_m __ s ____] 

< Hazard and Risk Analysis was done poorly, providing 

bad input for the SRS 

- Mis-identification of Sl F 

- Incorrect selection of SIL 

4 Not defining all failure modes and protection 

requirements 

- Actions of function do not actually achieve safe state. 

- Measurement too slow to pick-up and prevent accident 

4 Not defining all operating regimes, start-up, shut-down 

4 Not defining all environmental conditions 

4 SRS not maintained (poor revision control) 

< Conflicting or missing requirements 

- Safety & Non-Safety actions 

0 


284

[~___ A_v_o_i_d_in_g_S_R __ S_P_r_o_b_le_m_s ____] 

4 IEC-61508-2 (Table B.1 -see also clause 7.2) 

- Recommendations to avoid mistakes during 

specification of SIS requirements 

4 SRS addresses WHAT is required and Design will 

address HOW it is achieved 


285 

0 

[~_______ s_R_s __ a_u_a_li_tv ______ ~] 

The measure of quality for 

any document, including a 

SRS, is not the number of 

pages or the document 

weight but rather how 

precisely, quickly, and 

clearly all required 

information is passed to 

the reader. 

~l!>tiCia• Copyright exida.com LLC 2001-2008 

286

[~_______ 

s_e_c_ti_o_n_a_:_s ___ um_m_a_r_v _______] 

4 SRS Definition 

f SRS Requirements 

4 SRS Format 

4 SRS Problems and 

Solutions 

0 


287 

Functional Safety Engineering I 

Summary 

4 SIS Introduction 

•I' Safety Lifecycle 

4 Risk Management 

4 Probability 

4> Consequence and Likelihood Analysis 

4 LOPA 

4 SIL Selection 

4 Safety Requirements Specifications 


288

0 

[ Safety Lifecycle" Analysis" Phases l 

I Event Histo~ I 

~I 

2. lndentJty Potential 

11. Process Design- Scope [ 

Process Safety~ 

q 

Definition Information ,c;; 

I I q 

Aeerrcation Standards Hazards 

I 

I Hazard Characteristics I ~ I 3. Consequence Analysis [ q 

I Conseguence Database I q 


5. Ukelihood Analysis 

c:>l 

I Failure Probabilities I (LOPA) 

I q 

>~t Oesignofother 


Hazard:~ 

Consequence 

q Layers of Prote~!!J 

Hazard Frequencie;J 

( : >. q risk reduction 

facilities 

s 

ll r.... I 6. Select RRF, Target SIL I c::> 

RAF, TargetS~~ 

for each SIF 

l Tolerable Risk Guidelines J 

~~~Ill~~ 

~ .- 

j 7. Develop Process Safety j 

Specification 



0 

0

SECTION 2 

Exercises 

0 

0 





FSE I - Pre-Class Exercise 

Name: ____________________________________ ___ 

Date: _:JJI>-r-,/!_r_o (.

0 

7. 

8. 

9. 

What measure is used in LOPA to demonstrate the effectiveness of a safeguard, and how is 

it calculated? 

~~~ PR> CfVD

FSE I - Application Exercise 1 

Nrune: ______________________________________ ___ 

Date: -----'--------------- 

Title: 

Duration: 

Objective: 

Tolerable Risk 

20 Minutes 

At the end of this exercise, participants will be able to apply concept of 

ALARP to developing a tolerable risk statement for a company. 

0 

PROCEDURE: 

Each participant should individually attempt to do the exercises. When they are finished, the 

entire class will review the problems and the answers. 

1. Develop a tolerable risk guideline and risk matrix for environmental risks ranging from 1 per 

100 years to 1 per 100,000 year events and ranging from release inside the plant with small 

consequences up to a release outside the plant with large permanent consequences? Assume 

all extreme risks will be reduced and all moderate risks will be reduced where practical. 

0 

2. Compare your tolerance with that of the exrunple matrix in the slides and identify the 

equality points. (Where does the tolerable frequency match for different consequences?) 

3. Are there any significant points where the risk tolerance is inconsistent? For example does 

the tolerance for external releases with large temporary consequences match that for many 

human fatalities? 

Copyright © 2000-2008, exida.com, LLC 3


Name: ______________________________________ ___ 

Date: _______ _ 

Title: 

Duration: 

Objective: 

Probability 

15 Minutes 

At the end of this exercise, participants will be able to apply the rules of 

probability. 

0 

PROCEDURE: 



1. An insurance company studied 32400 persons for six months. There were 1800 accidents. 

If this dangerous condition is equally likely at any moment, what is the probability of an 

average person having an accident in any given year? ·(l>oo .).. 

~~()'f. r(z_~ ~ 

0 

2. We toss three fair coins. What is the probability of getting three heads? 

~)C~'f-i 

'"'" .. ... 

3. A system will fail if a power suppl; fail~ a controller fails. The probability of a power 

supply failure during the next year is 0.05. The probability of a controller failure in the next 

year is 0.01. What is the probability of system failure? 

f( ,. o. o .> P. '~- , p 1 +-l'z. 

r .... ~ o.or 

4. A check valve has a probability of not stopping reverse flow of0.015 in a one-year interval. 

The probability of getting a dangerous condition in the next year is 0.004. What is the 

probability of dangerous condition AND having the check valve not stop reverse flow? 



Name: __________________________________ ___ 

Date: ______________ _ 

Title: 

Duration: 

Objective: 

Fault Trees 

10 minutes 

At the end of this exercise, participants will be able to solve simple fault 

trees. 

0 

PROCEDURE: 



1. A fault tree is shown below. What is outcome frequency? 

Freq. = 1 0 I year 

p = 0.05 

Fa 

Pb 

AND 

ro .~.or)- ( o .t) :::- 

p = 0.1 

Pc 

_ __/ 

0 

2. A fault tree is shown below. What is the output probability? 

p = 0.001 

P=0.002 

OR 

P=0.005 

Copyright© 2000-2008, exida.com, LLC 5


p = 0.004 

~ V ,0'2- ~ f (; .oODP1 ~ o. oooo


Name: ______________________________________ ___ 

Date: ________ _ 

Title: 

Duration: 

Objective: 

Consequence Analysis Overview 

20 minutes 

At the end of this exercise, participants will be able to use statistical 

analysis to estimate average consequences. 

0 PROCEDURE: 



1. 

Your company is estimating the risk posed by the failure of a new railroad track switching 

system. Estimate the average consequence, in terms of injuries and fatalities, of a train 

accident using the following data. 

In 1996, 

t~w/I.U."'" 

550 Fatalities 

10,948 Injuries ~~M.,. 

tO.~'t~ 

2..44-> 

::: 

lf,4~ p NYU~ 

2,443 Accidents t...,-i•'f' r,... ~ ,. 0. 2. 2-S" \'M'" ~~ 

Pro~ Lvs


Name: ______________________________________ ___ 

Date: ________ ___ 

0 

Title: 

Duration: 

Objective: 

PROCEDURE: 

Event Tree Analysis 

20 minutes 

At the end of this exercise, participants will be able to build and quantify an 

event tree. 



1. Draw an event tree that describes that following situation: (Use the back of this sheet) 

• A toxic release can be initiated by a delivery driver pumping more material into a storage 

tank than the available capacity. 

• The delivery driver may or may not realize there is not enough capacity for the material 

that he is delivering, and then not attempt to transfer the material. 

• The driver may carefully monitor the level in the storage tank and stop the material 

transfer before a release occurs. 

0 

2. Using the following data, quantify the frequency at which toxic releases occur. 

• Based on historical data, delivery drivers are requested to deliver to storage tanks that do 

not have the required capacity approximately 3 times per year. 

• Due to a training initiative educating the drivers on the hazards of overfilling the tank the 

probability that the driver will try to fill a tank that does not have sufficient capacity is 

estimated at 0. 01. 

• The probability that the driver will not detect a high level condition after he has begun 

transfer is estimated at 0 .1. 



1. Draw a LOP A diagram that describes that following situation 

Reactant A 

(through manhole) 

0 

Cooling Water 

Supply 

Torain 

L--j~ Product 

Solution 

0 

PROCESS: A pharmaceutical company has developed a new process to produce one of its drugs. 

The process creates an aqueous solution that is withdrawn from the bottom of the pressurized, 

water cooling jacketed, continuously stirred tank reactor. Charging is done by filling the vessel 

with 250 kg of water and manually dumping 125 kg (or 5 bags) of reactant A into the vessel. 

After the vessel is charged and closed, the stirring mechanism is started and the vessel's jacket is 

flooded with cooling water. After the stirring and cooling have been established a small metered 

rate of 0.5 kg/min of reactant B is continuously added to the solution. Reactants A and B 

combine to form the desired product. Each batch operates for three weeks, and 12 batches are 

operated per year. 

HAZARDS: 

The reaction of A and B is nearly instantaneous and highly exothermic. Safe operation of this 

process requires that an excess amount of reactant B never be allowed into the reactor, and that 

cooling water continuously be flowing through the jacket. Hazard analysis determined tbat the 

following events could cause a "runaway" reaction and physical explosion of the vessel. 

1. Failure of controller FIC-01 causing uncontrolled reactant B entry into the reaction vessel. 

2. Failure of cooling water supply causing heat and pressure to build up in the vessel. 

The following layers of protection were identified as a safeguard against explosion of the vessel 

due to runaway reaction. 


1. A rupture disk set to relieve the pressure well below the design pressure of the vessel 

2. Operator intervention to high vessel temperature, high vessel pressure and low cooling 

water flow alarms. The alarm system is independent from the control system with no 

common components. 

It was also noted in the hazard assessment that the rupture disk pressure relief would not be 

effective in the situation where controller FIC-01 failed, because pressure can not be vented as 

fast as it is generated. 

2. Quantify the LOPA Diagrams 

0 

The following frequencies and failure probabilities were determined by a process engineer after 

reviewing the history of the plant. 

Flow control fails open: 

Cooling Water Pump Fails: 

1/25/year 

1/75/year 

Rupture Disk PFD: 

Operator Fails to respond to Cooling Water Loss: 

Operator Fails to response to Control Failure: 

0.0956 

0.1 

0.1 

0 



Name: ____________________________________ ___ 

Date: ______________ _ 

0 

Title: 

Duration: 

Objective: 

PROCEDURE: 

Quantifying Initiating Events and Layers of Protection 

20 minutes 

At the end of this exercise, participants will be able to use statistical 

average data to quantify initiating events and protection layer effectiveness. 



Use the excerpts from "Guidelines for Process Equipment Reliability Data" to quantify the rates 

and I or probabilities of the following situations. 

1. A motor driven fan fails to provide cooling air, initiating an accident. 

2. A flexible hose ruptures, initiating an accident 

0 

3. A non-operated check valve, with a periodic inspection and test interval of four years, 

fails to prevent an accident. 

j .0 ':) · I o- Ji~vz.. · 1,J{, D 

o. oJwt k o .0~ ~Q..-.e/~- 

O.f~ -l~rP(~ 

. '6{-ba 

o • oo ~ ti ~ tt. to) ~o...,.f ~· 



Nmne: ____________________________________ ___ 

Date: ______________ ___ 

0 

Title: 

Duration: 

Objective: 

PROCEDURE: 

Assigning Safety Integrity Levels 

20 minutes 

At the end of this exercise, participants will be able to assign safety 

integrity levels given the consequence and likelihood of the hazard. The 

assignment will be performed using several tolerable risk representations. 



An accident can occur that will cause the release of 2,000-pounds of highly toxic phosgene from a 

reactor that makes polycarbonate resin. Risk analysis has shown that the probable loss of life due 

to this release is 75.6 fatalities per event. The analysis also showed that the accident has an 

unmitigated frequency of once per 892 years. Use the risk graph, risk matrix 1, frequency based 

target, and individual risk target methods described in this section to select safety integrity levels. 

* Individual risk target for the fac · ty is 1. 0 x 10 4 /year. 

() ~-- ~[0~;~_.-. 

1 ~o-'Y~ /1~.c -;. 1 s. tv"' 



Name: ______________________________________ ___ 

Date: ________________ _ 

0 

Title: 

Duration: 

Objective: 

Comprehensive SIL Selection Exercise 

40 minutes 

The purpose of this exercise is to allow the participant to practice and 

demonstrate all of the skills learned in this training course through one 

comprehensive exercise. This exercise should be done in small groups of 

approximately four participants. 

PROCEDURE: 



A chemical processor has just performed an upgrade of a process heater. The upgrade was 

complex enough for the Management of Change procedures to be used. During the process a 

new HAZOP was performed on the process section. 

0 

Review the HAZOP study to determine if there are any new SIS requirements. If so, select a 

safety integrity level. The process plant's tolerable risk target is based on the risk integral with a 

target individual risk of 1.0 x 10 4 • 


Process Diagram: 

Vent to Safe 

Location 

fPSV\ 

To Users 

\V 

/ ,---L--J:;'I

FSE I - Pre-Class Exercise Solutions 

1. What does the Safety Integrity Level (SIL) measure? 

The safety integrity level is a measure of risk reduction. The SIL that is selected during the 

requirements portion of the safety life cycle is a measure of the risk reduction required to 

make the process risk tolerable. During the verification stage of the safety life cycle the 

amount of risk reduction that an SIS can provide is quantitatively determined. 

0 

2. The probability of: 

P(A and B) = P A * PB 

(Probability Multiplication) 

P(A or B) = P A+ PB- (P A * PB), or 1 - (1 - P A)*(1 - PB) (Probability Addition) 

(where A and B are not mutually exclusive) 

If A and B are mutually exclusive 

P(A or B)= PA + PB 

3. Name three different consequences that can occur as the result of a flammable material 

release. 

Looking at the kinds of events there are flash fires, jet fires, pool fires, vapor cloud 

explosions, and toxic releases with no fire. 

Looking at forms of harm there could be deaths, injuries, environmental damage and 

financial items such as lost production, damaged equipment, lost sales, legal penalties, and 

corporate image problems. 

0 

4. What are the three parts of an event tree? 

1. Initiating Events 

2. Branches or propagation steps or escalating events 

3. Outcomes 

5. How are the initiating events and layers of protection logically related to the outcome 

probability in a layer of protection analysis? What type of probability math is used to 

relate them? 

The probability of an outcome is the probability that an initiating event occurs AND all of 

the protection layers fail. Probability multiplication is used to determine the outcome 

probability. 

6. Where can information on what initiating events and layers of protection are involved with a 

hazard be found? 

The process hazards analysis (PHA) often using the HAZOP method is a systematic study of 

a process that is designed to identify hazards that exist. The PHA will identify all hazards 

that already have an SIS in place and all locations where an SIS is recommended. In 

addition, the causes, consequences, and safeguards are listed. 


7. What measure is used in LOPA to demonstrate the effectiveness of a safeguard, and how is 

it calculated? 

The effectiveness of safeguards is demonstrated as Probability of Failure on Demand 

(PFDovg). PFD,vg is a function of an items failure (A.) and test interval (TI). These quantities 

are related by the following equation: 

PFDavg = (A.* t) I 2 

8. Name two methods that can be used to assign SIL given that a consequence and likelihood 

have been determined. 

Risk Matrix 

Risk Graph 

Frequency Based Target 


0 

9. What standards are available to assist in design of burner management systems in your 

plant's location? 

NFP A 85 and NFP A 86 in the US 

AS 3814 I AG 501 and AS 1375 in Australia 

0 



Title: 

Tolerable Risk 

1. Develop a tolerable risk guideline and risk matrix for environmental risks ranging from 1 per 

I 00 years to 1 per 100,000 year events and ranging from release inside the plant with small 

consequences up to a release outside the plant with large permanent consequences? Assume 

all extreme risks will be reduced and all moderate risks will be reduced where practical. 

0 

0 

Internal release with Internal release with External release with External release with 

small consequences large consequences or large temporary or large permanent 

External release with small permanent consequences 

small temporary consequences 

consequences 

1/100 

_yrs 

Acceptable Moderate Extreme Extreme 

111000 

vrs 

Acceptable Acceptable Moderate Extreme 

1110,000 

yrs 

Acceptable Acceptable Moderate Moderate 

1/100,000 

yrs 

Acceptable Acceptable Acceptable Moderate 

2. Compare your tolerance with that of the example matrix in the slides and identifY the 

equality points. (Where does the tolerable frequency match for different consequences?) 

In the proposed answer, 

Recordable injury roughly matches internal release with small consequences 

Lost time injury roughly matches internal release with large consequences or external release with 

small temporary consequences 

Permanent injury roughly matches external release with large temporary or small permanent 

consequences 

Many deaths roughly matches external release with large permanent consequences 

3. Are there any significant points where the risk tolerance is inconsistent? For example does 

the tolerance for external releases with large temporary consequences match that for many 

human fatalities? 

In the proposed answer, most items are generally consistent depending on the view of one death 

vs external release with small permanent consequences. Better definition on the large and small 

consequences is probably needed to make this a more useful working guide. Note that with the 

same number of categories and the same risk tolerances, the matrix can be combined with the one 

from the slides relatively easily by incorporating a definitions table for the four different 

consequence magnitudes. 



Title: 

Probability 

1. An insurance company studied 32400 persons for six months. There were 1800 accidents. 

If this dangerous condition is equally likely at any moment, what is the probability of an 

average person having an accident in any given year? 

The probability of an event is the number of outcomes divided by the number of chances and 

can be approximated by the accident rate in this case. There are 32,400 people x V2 year 

person-years of exposure and 1800 accidents. This converts to one accident for every nine 

person-years of exposure. So, 

0 

p = outcomes "' 1800accidents 

chances 16200 person_ years 

1 = 0.11 

9 

2. We toss three fair coins. What is the probability of getting three heads? 

The probability of getting three heads is the ANDing of the probabilities of getting a head on 

each of three individual tosses. For each individual toss the probability of heads is V2. 

P, = P2 = P3 = 0.5 

Povornll = P, * P2 * P3 = 0.5 * 0.5 * 0.5 = 0.125 

3. 

A system will fail if a power supply fails or a controller fails. The probability of a power 

supply failure during the next year is 0.05. The probability of a controller failure in the next 

year is 0.01. What is the probability of system failure? 

The probability of system failure is given if the power supply OR the controller fails. 

The events are logically OR' d so use probability addition. Also, the events are not mutually 

exclusive (i.e., both the sight glass and transmitter can fail at the same time), so use the 

form: 

P (A or B)= PA + PB- PA * PB 

Psystem failure= 0.05 + 0.01-0.05 * 0.01 = 0.0595 

4. A check valve has a probability of not stopping reverse flow of 0.015 in a one-year interval. 

The probability of getting a dangerous condition in the next year is 0.004. What is the 

probability of dangerous condition AND not having the check valve operate? 

The occurrence of the described situation is the logical ANDing of two probabilities. Use 

probability multiplication. 

Povomll = 0.015 * 0.004 = 0.00006 



1. A fault tree is shown below. What is outcome frequency? 

0 

Freq. = 1 0 I year 

p = 0.05 

p = 0.1 

Fa 

Pb 

Pc 

\ 

AND 

__/ 

Outcome Frequency= Fa* Pb * Pc = 10 * 0.05 * 0.1 = 0.05 /year 


p = 0.001 

p = 0.002 

P= 0.005 

0 

Probability= 0.001 + 0.002 + 0.005-0.001 *0.002- 0.001 *0.005- 0.002*0.005 + 

0.001 *0.002*0.005 = 0.007983 . • . 

OR 

Approx. Probability= 0.001 + 0.002 + 0.005 = 0.008 



p = 0.004 

Pa 

p = 0.010 

Ph 

OR 

p = 0.01988 

p = 0.006 

AND 

p = 0.000159 

p = 0.080 

P=0.100 

AND 

p = 0.008 

0 

P for the top OR gate= 1- (1 - 0.004)*(1- 0.010)*(1 - 0.006) = 0.01988 

or 

Approximate P for the top OR gate= 0.004 + 0.010 + 0.006 = 0.020 

P for the bottom AND gate = 0.080*0.100 = 0.008 

Total Probabilty = 0.01988*0.008 = 0.000159 

Approximate Total Probabilty = 0.020*0.008 = 0.00016 

0 



Title: 

1. 

Consequence Analysis Overview 

Your company is estimating the risk posed by the failure of a new railroad track switching 

system. Estimate the average consequence, in terms of injuries and fatalities, of a train 

accident using the following data. 

u 

In 1996, 

550 Fatalities 

I 0,948 Injuries 

2,443 Accidents 

Data from Transportation Statistics Annual Report 1998, Bureau of Transportation 

Statistics, US Department of Transportation, BTS98-S-Ol. 

The average consequence is calculated by dividing the total consequence by the number of 

opportunities. 

Average Consequence=(# consequences) I(# opportunities) 

Average Fatalities= 550 I 2,443 = 0.225 

Average Injuries= 10,948 I 2,443 = 4.48 

2. 

Explain why average industry loss data may not be a valid way to estimate the consequence 

for chemical accidents? 

0 

For industry average data to be valid two conditions must be satisfied. 1) There must be a 

large amount of incidents from which to draw data. 2) Each of the incidents must occur 

under roughly similar circumstances. Neither of these two conditions are true for chemical 

accidents. Luckily, the amount of chemical accidents is fairly small. Additionally, all 

chemical plants are very different. It is very unlikely that potential consequences of different 

plants will be similar enough to allow statistical analysis. 

3. 

A high-pressure vessel containing flammable gas that is liquefied under pressure undergoes 

an incident where it is expected to instantaneously rupture. What type of incident outcome 

can be expected if there is a source of ignition? If there is no source of ignition? 

If there is a source of ignition, a fireball will occur. If there is no source of ignition, possible 

consequences include equipment damage and other economic losses. 



Title: 

Event Tree Analysis 

PROCEDURE: 

I. Draw an event tree that describes that following situation: (Use the back of this sheet) 

• A toxic release can be initiated by a delivery driver pumping more material into a storage 

tank than the available capacity. 

• The delivery driver may or may not realize there is not enough capacity for the material Q 

that he is delivering, and then not attempt to transfer the material. 

• The driver may carefully monitor the level in the storage tank and stop the material 

transfer before a release occurs. 

lmJJ!iQIID!PR!lDIB~~~~lll:l!ll!!!!!i!l!l11111111111lill!il&mlllllilllllJmtllllllillllll~1liF~II 

More material than Driver does not Driver does not detect 

available space notice lack of high level in tank 

available Space after starting pump 

TRUE 

FALSE 

TRUE 

FALSE 

Spill 

No Event 

No Event 

0 


2. Using the following data, quantify the frequency at which toxic releases occur. 

• Based on historical data, delivery drivers are requested to deliver to storage tanks that do 

not have the required capacity approximately 3 times per year. 

• Due to a training initiative educating the drivers on the hazards of overfilling the tank the 

probability that the driver will try to fill a tank that does not have sufficient capacity is 

estimated at 0. 01 . 

• The probability that the driver will not detect a high level condition after he has begun 

transfer is estimated at 0 .I. 

IJJfillliiiiiiiiRI._IIIIIIIIJJllll'cmlll'llf!IIIIIIIIIU~EIJBJiil!fLillllliiWJIIIIIIIIIIIBIIIIIIIIilmil!I~ 

More material than Driver does not Driver does not detect 

available space notice lack of high level in tank 

available Space after starting pump 

TRUE 

s ill 

TRUE 0. j 0.003 /year 

3/ ear 0.01 FALSE No Event 

0.9 0.027 /year 

FALSE 

No Event 

0.99 2.97 /year 

0 



Title: 

Layer of Protection Analysis 

PROCEDURE: 

1. Draw a LOP A diagram that describes that following situation 

Reactant A 

(through manhole) 

Ci 

J 

Cooling Water 

Supply 

Torain 

'--l~ Product 

Solution 

PROCESS: 

A pharmaceutical company has developed a new process to produce one of its drugs. The 

process creates an aqueous solution that is withdrawn from the bottom of the pressurized, water 

cooling jacketed, continuously stirred tank reactor. The vessel is charged by filling it with 250 kg 

of water and manually dumping 125 kg, or 5 bags of reactant A into the vessel. After the vessel is 

charged and closed, the stirring mechanism is started and the vessel's jacket is flooded with 

cooling water. After the stirring and cooling have been established a small metered rate of 0.005 

kg/min of reactant B is continuously added to the solution. Reactants A and B combine to form 

the desired product. Each batch operates for three weeks, and 12 batches are operated per year. 

0 


HAZARDS: 

The reaction of A and B is nearly instantaneous and highly exothermic. Safe operation of this 

process requires that an excess amount of reactant B never be allowed into the reactor, and that 

cooling water continuously be flowing through the jacket. Hazard analysis determined that the 

following events could cause a "runaway" reaction and physical explosion of the vessel. 

I. Failure of controller FIC-01 causing uncontrolled reactant B entry into the reaction vessel. 

2. Failure of cooling water supply causing heat and pressure to build up in the vessel. 

0 

The following layers of protection were identified as a safeguard against explosion of the vessel 

due to runaway reaction. 

1. A rupture disk set to relieve the pressure well below the design pressure of the vessel 

2. Operator intervention to high vessel temperature, high vessel pressure and low cooling 

water flow alarms. The alarm system is independent from the control system with no 

common components. 

It was also noted in the hazard assessment that the rupture disk pressure relief would not be 

effective in the situation where controller FIC-01 failed, because pressure can not be vented as 

fast as it is generated. 

2. Quantify the LOPA Diagrams 

The following frequencies and failure probabilities were determined by a process engineer after 

reviewing the history of the plant. 

0 

Flow control fails open: 

Cooling Water Pump Fails: 

1125/year 

1/75/year 

Rupture Disk PFD: 

Operator Response to Cooling Water Loss: 

Operator Response to Control Failure: 

0.0956 

0.1 

0.1 

In this case, use fraction is a layer of protection. An accident can only occur when the hazard is 

present. 

3 weeks/batch * 7 days/week * 12 batches/year= 252 days/year of operation 

Use fraction is 252 days /365 days= 0.69 = 69% 


1. 

No Event 

0 

2. 

No Event 

FIC-01 Failure Operator Failure Use Fraction Explosion 

0.69 2.76E-03 

1/25 /vr 

0.1 

No Event C) 

0.0956 

- 

1/75 /vr 

0.1 

No Event 



Title: 

Quantifying Initiating Events and Layers of Protection 

PROCEDURE: 

Use the excerpts from "Guidelines for Process Equipment Reliability Data" to quantify the rates 

and I or probabilities of the following situations. 

0 

1. A motor driven fan fails to provide cooling air, initiating an accident. 

Use data from "Guidelines for Process Equipment Reliability Data" table 3.3.4, use the mean 

failure rate. Failure mode of interest is "Fails while running". 

9.09 failures I 10 6 hours 

converting to failures per year, 

9.09 failures* 8760hours 

= 0 . OSfi az . 1 ures 1 year 

10 6 hours !year 

* Initiating events described in frequency 

2. A flexible hose ruptures, initiating an accident 

Use data from "Guidelines for Process Equipment Reliability Data" table 3.2.5, use the mean 

failure rate. Failure mode of interest is "Rupture". 

0 

0.570 failures /10 6 hours 

converting to failures per year, 

0.570failures * 8760hours 

10 6 hours 1 year 

= 0 . OOSfi m . 1 ures 1 year 


3. A non-operated check valve, with a periodic inspection and test interval of four years, 

fails to prevent an accident. 

Use data from "Guidelines for Process Equipment Reliability Data" table 3.5.1.2, use the 

mean failure rate. Use catastrophic, which are given per unit time, not failures per attempt. 

3.18 failures /10 6 hours 

PFDavg = (A. * t) /2 

PFDavg = (0.00000318 * 4 * 8760) /2 = 0.055 

* Protection layers must be described by a probability. In the case of periodic inspection 

and test, average probability of failure on demand, which is a function of failure rate 

and test interval, is the best probability to use. 

CJ 

/ 



Title: 

Assigning Safety Integrity Levels 

PROCEDURE: 

0 

An accident can occur that will cause the release of 2,000-pounds of highly toxic phosgene from a 

reactor that olycarbonate resin. Risk analysis has shown that the probable loss of life due 

to this release i 75.6 fatalities per event. The analysis also showed that the accident has an 

unmitigated frequency of once per years. Use the risk graph, risk matrix 1, frequency based 

'target, and rnd!Vldual nsk target methods described in this section to select safety integrity levels. 

* Individual risk target for the facility is 1.0 x 10 4 /year. 

SOLUTIONS: 

a. Risk Matrix 

Consequence -7 Extensive 

Likelihood -7 11892 year = 1.2 X 10" 3 -7 Moderate 

0 

High 

Moderate 

Low 

2 

1 

NR 

3b 

2 

1 

3a 

~ 

t 

SIL=3 

Note b: One Level3 Safety Instrumented Function may not provide sufficient risk 

reduction aJ-tliis risk level. Additlonaf reviewisreqnired (see notea) . 

Noted: This approach is not considered suitable for SIL 4. , 


. Risk Graph 

Consequence ~ Co 

Occupancy ~ FB 

* No credit taken for lack of occupancy this factor is consolidated in the PLL = 75.6 

estimate 

Probability of Avoidance ~ PB 

* No credit taken for lack of occupancy this factor is consolidated in the PLL = 75.6 

estimate 

Demand Rate~ W 1 

Following Risk Graph Path yields SIL = 3 

c. Frequency Based Target 

Select target based on consequence 

~Extensive, 1.0 X 10' 6 

RRF = (1/892) /1.0 x 10- 6 = 1121 

*Selected SIFRRF must be greater than 1121, so an SIP w/ SIL = 4 

d. Individual Risk Target 

Select target based on consequence 

Fu.cgot = 1.0 X w-• /75.6 = 1.32 X 10' 6 

RRF = (1/892) /1.32 x w- 6 1 = 849 

CJ 

* Selected SIFRRF must be gi-eater than 849, so an SI w/ SIL = 3 



Title: 

Comprehensive SIL Selection Exercise 

PROCEDURE: 

A chemical processor has just performed an upgrade of a process heater. The upgrade was 

complex enough for the Management of Change procedures to be used. During the process a 

new HAZOP was performed on the process section. 

Review the HAZOP study to determine if there are any new SIS requirements. If so, select a 

safety integrity level. The process plant's tolerable risk target is based on the risk integral with a 

target individual risk of 1.0 x 10- 4 • 

Process Diagram: 

To Users 

Wet Gas from 

Reciprocating ------1 

Compressor 

_ _L_-1>.

Process Description: 

A "wet" hydrocarbon gas is compressed by a reciprocating compressor into a flash drum. In the 

flash drum liquid and vapor separate. The liquid is withdrawn from the bottom of the flash drum 

under level control and vapor is withdrawn from the top of the vessel and either compressed and 

sent to downstream users or sent to flare under pressure control. The flare line has not been sized 

to pass the full discharge of the wet gas compressor to flare. 

HAZOP Report Output 

SIF: 

Consequence: 

Initiating event: 

Protection Layers: 

Open vent valve upon high pressure in vessel 

Overpressure and rupture of vessel 

Outlet vapor compressor fails 

Operator intervention 

Relief Valve 

• Relief valve is pilot operated, tested annually. 

• "Wet gas" compressor is a motor driven reciprocating compressor 

• "Vapor withdrawal" compressor is a motor driven reciprocating compressor 

• Operator is well trained, but only has 15 seconds to perform a shutdown before an 

accident occurs. 

• Consequence analysis has determined a PLL=0.15 for the overpressure and explosion of 

the flash drum. 

SOLUTION 

Step I - The LOP A diagram for the overpressure consequence is as follows. 

No Event 

Step 2- Quantify the LOPA diagram. 

21.6 /year 

, I 

0.00415 

No Event 


Vapor withdrawal compressor failure- Table 3.3.2.1 

2470.0 failures I 10 6 hours ~ 21.6 failures per year 

Operator Failure- Simplified Method 

Conditions for PFD=0.1 are not met- use PFD = 1.0 

Relief valve fails- Table 4.3.3.1 

4.15 failures I 10 3 demands 

PFD = 0.00415 

0 

Step 3 - Select SIL (Individual Risk I Risk Integral) 

Ftarget = 1.0 x 10- 4 I 0.15 = 6.67 x 10 4 

PFD = 6.67 X 10- 4 I 0.0896 = 7.44 X 10- 3 

RRF= 134 

SIL = 3 (or SIL 2 with a RRF suitably greater than 134) 


SECTION 3 

Additional Resources 

0 

0 





0 

0

0 

IEC 61508 Overview Report 

0 

An exida Summary 

of the 

IEC61508 Standard for Functional Safety of 

Electrical/Electronic/Programmable Electronic 

Safety-Related Systems 

exida.com 

Sellersville, PA 18960, USA 

+1-215453-1720 

©exida.com 

IEC61508 Overview Report, Version 1.1, September 25, 2002 

Page 1 of 27

1 Overall Document Summary 

IEC61508 is an international standard for the "functional safety" of electrical, electronic, and 

programmable electronic equipment. This standard started in the mid-1980s when the 

International Electrotechnical Committee Advisory Committee of Safety (lEG ACOS) set up 

a task force to consider standardization issues raised by the use of programmable electronic 

systems (PES). At that time, many regulatory bodies forbade the use of any software-based 

equipment in safety critical applications. Work began within IEC SC65A/Working Group 10 on a 

standard for PES used in safety-related systems. This group merged with Working Group 9 

where a standard on software safety was in progress. The combined group treated safety as a 

system issue. 

The totaiiEC61508 standard is divided into seven parts. 

Part 1: General requirements (required for compliance); 

Part 2: Requirements for electricaVelectroniclprogrammable electronic safety-related systems 

(required for compliance); 

Part 3: Software requirements (required for compliance); 

Part 4: Definitions and abbreviations (required for compliance) 

Part 5: Examples of methods for the determination of safety integrity levels (supporting 

information) 

Part 6: Guidelines on the application of parts 2 and 3 (supporting informatim) 

Part 7: Overview of techniques and measures (supporting information). 

Parts 1, 3, 4, and 5 were approved in 1998. Parts 2, 6, and 7 were approved in February 2000. 

The relationship between the technical requirements presented in parts 1, 2, and 3 and the 

supporting information in parts 4 through 7 is shown in Figure 1. 

PART 1 

Development of the overall safety requirements I 

{scope, hazard and risk analysis) 

PART 3 

~L-------~~P~A~R~T~S~J-----------~ 

Risk based approachesto the development 

of the safety Integrity requirements 

0 

Realisation phase for 

E/E/PE safety-related 

PART 1 

Installation and commissioning and safety~valldationof 

E/E/PE safety-related systems 

Guidelines for the 

application of part2 and 3 

Overview of techniques 

and measures 

PART 1 

Operation and maintenanc~ modification and retrofi~ 

decommissioning or disposalof 

E/E/PE safet related s stems 

Figure 1: Technical requirements of IEC61508. 

©exida.com IEC61508 Overview Report, Version 1.1, September 25, 2002 

Page 2 of 27

Although the standard has been criticized for its "extensive" documentation requirements and 

use of unproven "statistical" techniques, in rrany industries it represents a great step forward. 

The standard focuses attention on risk-based safety-related system design, which should result 

in far more cost-effective implementation. This cost saving has been verified in a study by the 

AIChE. The standard also requires the attention to detail that is vital to any safe system design. 

Because of these features and the large degree of international acceptance for a single set of 

documents, many consider the standard to be a major advance for the technica wortd. 

0 

OBJECTIVES OF THE STANDARD 

IEC61508 is a basic safety publication of the International Electrotechnical Commission (IEC). 

As such, it is an "umbrella" document covering multiple industries and applications. A primary 

objective of the standard is to help individual industries develop supplemental standards, 

tailored specifically to those industries based on the original 61508 standard. A secondary goal 

of the standard is to enable the development of E/EIPE safety-related systems where specific 

application sector standards do not already exist. 

As of January 2001, work has already begun on two such industry specific standards: IEC61511 

for the process industries and IEC62061 for machinery safety. Both of these standards, which 

are still in draft form, build directly on IEC61508 and reference it accordingly. 

SCOPE 

The 61508 standard covers safety-related systems when one or more of such systems 

incorporates electrical/electronic/programmable electronic devices. These devices can include 

anything from electrical relays and switches through to Programmable Logic Controllers 

(PLCs) and all the way up to complicated computer-driven overall safety systems. The 

standard specifically covers possible hazards created when failures of the safety functions 

performed by E/EIPE safety-related systems occur. The overall program to insure that the 

safety-related EIEIPE system brings about a safe state when called upon to do so is defined 

as "functional safety." 

0 

IEC61508 does not cover safety issues like electric shock, hazardous falls, long-tenn exposure 

to a toxic substance, etc.; these issues are covered by other standards. IEC61508 also does not 

cover low safety EIEIPE systems where a single E/EIPE system is capable of providing the 

necessary risk reduction and the required safety integrity of the E/EIPE system is less than 

safety integrity level 1, i.e., the E/E/PE system is only reliable 90 percent of the time or less. 

IEC61508 is concerned with the EIE/PE safety-related systems whose failure could affect the 

safety of persons and/or the environment. However, it is recognized that the methods of 

IEC61508 also may be applied to business loss and asset protection cases. 

FUNDAMENTAL CONCEPTS 

The standard is based on two fundamental concepts: the safety life cycle and safety integrity 

levels. The safety life cycle is defined as an engineering process that includes all of the steps 

necessary to achieve required functional safety. The safety life cycle from IEC61508 is shown in 

Figure 2. 

© exida.com IEC61508 Overview Report, Version 1.1, September25, 2002 

Page 3 of 27

"ANALYSIS" 

(End User I Consultant) 

Safety-related 

systems: other 

Technology 

Realisation 

_____ .! ___________ ~ 

External Risk 

Reduction 

Facilities 

Realisation 

: 

"REALISATION" 

(Vendor I Contractor I 

End User) 

0 

Figure 2: Safety life cycle from IEC61508. 

"OPERATION" 

(End User I Contractor) 

It should be noted that the safety life cycle as drawn in the ISA84.01 standard (Figure 3) looks 

different from that in IEC61508. However, they convey the.same intent and both should be 

viewed as similarly acceptable processes. 

The basic philosophy behind the safety life cycle is to develop and document a safety plan, 

execute that plan and document its execution (to show that the plan has been met), and 

continue to follow that safety plan through to decommissioning with further appropriate 

documentation throughout the life of the system. Changes along the way must similarly follow 

the pattern of planning, execution, validation, and documentation. 

Figure 3: Safety life cycle from ISA84.01. 

() 

Conceptual 

REALISATION 

©exida.com 


Page 4of 27

Safety integrity levels (Sils) are order of magnitude levels of risk reduction. There are four Slls 

defined in IEC61508. SIL 1 has the lowest level of risk reduction. SIL4 has the highest level of 

risk reduction. The SIL table for "demand mode" is shown in Figure 4. The SIL table for the 

continuous mode is shown in Figure 5. 


Level 

Probability of failure 

on demand per year 

(Demand mode of operation} 


Factor 

0 

Figure 4: Safety integrity levels- demand mode. 

0 

Figure 5: Safety integrity levels - continuous mode 

The mode differences (defined in Part 4 of the standard) are: 

Low demand mode - where the frequency of demands for operation made on a safety-related 

system is no greater than one per year and no greater than twice the proof test frequency; 

High demand or continuous mode - where the frequency of demands for operation made on a 

safety-related system is greater than one per year or greater than twice the proof check 

frequency. 

Note that the proof test frequency refers to how often the safety system is completely tested and 

insured to be fully operational. 


Page 5of 27

While the continuous mode appears to be far more stringent than the demand mode, it should 

be remembered that the units for the continuous mode are per hour. The demand mode units 

assume a time interval of roughly one year per the definition. Considering the fact that there are 

about 10,000 hours in a year (actual 8, 760), the modes are approximately the same in terms of 

safety metrics. 

Basically speaking, functional safety is achieved by property designing a Safety Instrumented 

System (SIS) to carry out a Safety Instrumented Function (SIF) at a reliability indicated by the 

Safety Integrity Level (SIL). The concepts of risk and safety integrity are further discussed in 

Part 5 of the standard. 

COMPLIANCE 

The IEC61508 standard states: "To conform to this standard it shall be demonstrated that the 

requirements have been satisfied to the required criteria specified (for example safety integrity 

level) and therefore, for each clause or sub-clause, all the objectives have been met." 

Q 

In practice, demonstration of compliance often involves listing all of the IEC61508 requirements 

with an explanation of how each requirement has been met. This applies to both products 

developed to meet IEC61508 and specific application projects wishing to claim compliance. 

Because IEC61508 is technically only a standard and not a law, compliance is not always 

legally required. However, in many instances, compliance is identified as best practice and 

thus can be cited in liability cases. Also, many countries have incorporated IEC61508 or large 

parts of the standard directly into their safety codes, so in those instances it is indeed law. 

Finally, many industry and government contracts for safety equipment, systems, and services 

specifically require compliance with IEC61508. So although IEC61508 originated as a standard, 

its wide acceptance has led to legally required compliance in nearly all relevant cases. 

PARTS OF THE STANDARD 

Part 1 covers the basic requirements of the standard and provides a detailed presentation of the 

safety life cycle. This section is considered to be the most important, as it prm.ides overall 

requirements for documentation, compliance, management of functional safety, and functional 

safety assessment. Three annexes provide examples of documentation structure (Annex A), a 

personnel competency evaluation (Annex B), and a bibliography (Annex C). 

Q 

' 

Part 2 covers the hardware requirements for safety-related systems. Many consider this part, 

along with part 3, to be the key area for those developing products for the safety market. Part 2 

is written with respect to the entire system, but many of the requirements are directly applicable 

to safety-related hardware product development. Part 2 covers a detailed safety life cycle for 

hardware as well as specific aspects of assessing functional safety for the hardware. Part 2 

also has detailed requirements for techniques to deal with "control of failures during operation" 

in Annex A (required for compliance). This annex covers hardware fault tolerance, diagnostic 

capability requirements and limitations, and systematic safety integrity issues for hardware. 

Annex B of Part 2 (required for compliance) contains listings of "techniques and measures" for 

"avoidance of systematic failures during different phases of the life cycle." This covers design, 

analysis, and review procedures required by the standard. Annex C of Part 2 (required for 

compliance) discusses the calculation of diagnostic coverage factor (what fraction of failures are 

identified by the hardware) and safe failure fraction (what fraction of failures lead to a safe 

rather than a hazardous state). (Note: see exida.com technical papers for more detailed 

information on these topics.) 


Page 6 of 27

Part 3 covers the software requirements for IEC61508. It applies to any software used in a 

safety-related system or software used to develop a safety-related f!,~Stem. This software is 

specifically referred to as safety-related software. This part provides details of the software 

safety life cycle, a process to be used when developing software. Annex A (required for 

compliance) provides a listing of "techniques and measures" used for software development 

where different development techniques are chosen depending on the SIL level of the software. 

Annex 8 (required for compliance) has nine detailed tables of design and coding standards and 

analysis and testing techriques that are to be used in the safety-related software development, 

depending on SIL level of the software and in some cases the choice of the development team. 

0 

0 

Part 4 contains the definitions and abbreviations used throughout all parts of the standard. This 

section is extremely useful both to those new to the standard and to those already familiar with 

it as a reference to the precise meanings of terms in the standard. 

Part 5 includes informative Annexes A through E which contain discussion and example 

methods for risk, safety integrity, tolerable risk, and SIL selection. It presents several techniques 

of SIL selection including both quantitative and qualitative methods. The quantitative method in 

Annex C is based on calculating the frequency of the hazardous event from failure rate data or 

appropriate predictive methods combined with an assessment of the magnitude of the 

consequence compared to the level of risk that can be tolerated in the given situation. The 

qualitative risk graph and severity matrixes essentially address the same frequency and 

magnitude components, only with general categories rather than numbers before comparing the 

situation with the tolerable risk level.. 

Part 6 provides guidelines on the application of Parts 2 and 3 via informative Annexes A through 

E. Annex A gives a brief overview of Parts 2 and 3 as well as example flowcharts of detailed 

procedures to help with implementation. Annex 8 provides example techniques for calculating 

probabilities of failure for the safety-related system with tables of calculation results. Equations 

that approximate various example architectures are presented, although reliability block 

diagrams are used and these can be confusing in multiple failure mode situations. Annex C 

shows detailed calculation of diagnostic coverage factor based on FMEDA techniques. (Note: 

more information on the FMEDA technique (Failure Modes, Effects, and Diagnostics Analysis) is 

available in exida.com courses and papers.) Annex D shows a method for estimating the effect 

of common cause modes of failure (beta factors) in a redundant hardware architecture. This 

method lists relevant parameters and provides a method of calculation. Annex E shows 

examples applying the software integrity level tables of Part 3 for two different safety 

software cases. 

Part 7 contains important information for those doing product development work on equipment 

to be certified per IEC61508. Annex A addresses control of random hardware failures. It 

contains a reasonable level of detail on various methods and techniques useful for preventing or 

maintaining safety in the presence of component failures. Annex 8 covers the avoidance of 

systematic failures through the different phases of the safety life cycle. Annex C provides a 

reasonably detailed overview of techniques for achieving high software safety integrity. Annex D 

covers a probabilities-based approach for SIL determination of already proven software. 


Page 7 of 27

2 Part 1: General Requirements 

SCOPE 

The IEC61508 standard covers safety-related systems when me or more of such systems 

incorporates electrical/electronic/programmable electronic devices. This includes relay -based 

systems, inherently safe solid-state logic based systems, and, perhaps most importantly, 

programmable systems based on microcomputer te;hnology. The standard specifically covers 

possible hazards created when failures of the safety functions performed by E/E/PE safetyrelated 

systems occur: "functional safety." Functional safety is the overall program to insure that 

a safety-related E/E/PE system brings about a safe state when it is called upon to do so and is 

different from other safety issues. For example, IEC61508 does not cover safety issues like 

electric shock, long-term exposure to toxic substances, etc. These safety issues are covered by 

other standards. 

IEC61508 also does not cover low safety EIE/PE systems where a single E/E/PE system is 0 

capable of providing the necessary risk reduction and the required safety integrity of the E/E/PE 

system is less than safety integrity level 1, i.e., the E/E/PE system is only reliable 90 percent of 

the time or less. IEC61508 is concerned with the E/EIPE safety-related systems whose failure 

could affect the safety of persons and/or the environment. However, it is recognized that the 

methods of IEC61508 may apply to business loss and asset protection as well. Human beings 

may be considered part of a safety-related system, although specific human factor requirements 

are not considered in detail in the standard. The standard also specifically avoids the concept of 

"fail safe" because of the high level of complexity involved with the EIE/PE systems considered. 

CONFORMANCE 

Part 1 of the standard contains the general conformance requirements. It states, "To conform to 

this standard it shall be demonstrated that the requirements have been satisfied to the required 

criteria specified (for example: safety integrity level) and therefore, for each clause or subclause, 

all the objectives have been met." There is a statement that acknowledges that the 

"degree of rigor'' (which determines if a requirement has been met) depends on a number of 

factors, including the nature of the potential hazard, degree of risk, etc. 

Often, demonstrating compliance involves listing all IEC61508 requirements with an explanation 

of how the requirement has been met. This applies to products developed to meet IEC61508 

and specific application projects wishing to claim compliance. The high level of documentation 

for compliance is consistent with the importance of keeping detailed records stressed 

throughout the standard. (Note: exida.com has a suite of products, including a full IEC61508 

requirements database, and documentation templates that can used to form a system of 

compliance meeting IEC61508.) 

O 

The language of conformance in the standard is quite precise. If an item is listed as "shall be ... " 

or "must. .. " it is required for compliance. If an item is listed as "may be ... " it is not specifically 

required for compliance but clear reasoning must be shown to justify its omission. 

DOCUMENTATION (Clause 5) 

The documentation used in safety-related systems must specify the necessary information such 

that safety life cycle activities can be performed. The documentation must also provide enough 

information so that the management of functional safety verification and assessment activities 

can effectively be accomplished. The overall reasoning is to provide proper support for the plan, 

do, and verify theme present throughout the safety life cycle. 


Page 8 of 27

0 

0 

This translates into specific requirements for the documentation. 

It must: 

1 . have sufficient information to effectively perform each phase of the safety life cycle as well as 

the associated verification activities; 

2. have sufficient information to properly manage functional safety and support functional safety 

assessment; 

3. be accurate and precise; 

4. be easy to understand; 

5. suit the purpose for which it was intended; 

6. be accessible and maintainable; 

7. have titles or names indicating the scope of the contents; 

8. have a good table of contents and index; 

9. have a good version control system sufficient to identify different versions of each document 

and indicate revisions, amendments, reviews, and approvals. 

MANAGEMENT OF FUNCTIONAL SAFETY (Clause 6) 

Managing functional safety includes taking on various activities and responsibilities to insure 

that the functional safety objectives are achieved and maintained. These activities must be 

documented, typically in a document called the functional safety management (FSM) plan. The 

FSM plan should consider: 

1. the overall strategy and methods for achieving functional safety, including evaluation 

methods and the way in which the process is communicated within the organization; 

2. the identification of the people, departments, and organizations that are responsible for 

carrying out and reviewing the applicable overall, E/EIPES, or software safety life cycle phases 

(including, where relevant, licensing authorities or safety regulatory bodies); 

3. the safety life cycle phases to be used; 

4. the documentation structure; 

5. the measures and techniques used to meet requirements; 

6. the functional safety assessment activities to be performed and the safety life cycle phases 

where they will be performed; 

7. the procedures for follow-up and resolution of recommendations arising from hazard and risk 

analysis, functional safety assessment, verification and validation activities, etc.; 

8. the procedures for ensuring that personnel are competent; 

9. the procedures for ensuring that hazardous incidents (or near misses) are analyzed, and that 

actions are taken to avoid repetition; 

10. the procedures for analyzing operations and maintenance performance, including periodic 

functional safety inspections and audits; the inspection frequency and level of independence of 

personnel to perform the inspection/audit should be documented; 

11. the procedures for management of change. 

All those responsible for managing functional safety activities must be informed and aware of 

their responsibilities. Suppliers providing products or services in support of any safety life cycle 

phase, shall deliver products or services as specified by those responsible for that phase. 

These suppliers also shall have an appropriate quality management system. 


Page 9of 27

SAFE1Y LIFE CYCLE REQUIREMENTS (Clause 7) 

The &~fety life cycle can be viewed as a logical "identify -assess-design-verify" closed loop 

(Figure 6). The intended result is the optimum design where the risk reduction provided by the 

safety-related system matches the risk reduction needed by the process. 

Figure 6: Closed loop view of the safety life cycle. 

0 

The safety life cycle concept came from studies done by the Health Safety Executive (HSE) in 

the United Kingdom. The HSE studied accidents involving industrial control systems and 

classified accident causes as shown in Figure 7. 

Figure 7: Results of system failure cause study: HSE "Out of Control.'" 

0 

The basic aspects of the safety life cycle (shown in Figure 8) were created to address all of the 

causes identified in the HSE study. 

1 satil!Y 

/' Management: 

• Technical 

Req\lir!\ments 

'-..... 

Competence 

of Persons 

t 

Figure 8: Origin of the safety life cycle. 

© exida.com 


Page 1 Oof 27

0 

The first part of the safety life cycle, known as the analysis portion, covers: 

-Concept and scope of the system or equipment under control (EUC); 

-Hazard and Risk Analysis to identify both hazards and the events that can lead to them, 

including 

Preliminary Hazards and Operability (HAZOP) study, 

Layers of Protection Analysis (LOPA), 

Criticality Analysis; 

-Creation of overall safety requirements and identification of specific safety functions to prevent 

the identified hazards; 

..Safety requirements allocation, i.e., assigning the safety function to an E/EIPE safety-related 

system, an external risk reduction facility, or a safety-related system of different technology. 

This also includes assigning a safety integrity level (SIL) or risk reduction factor required for 

each safety function. 

These first phases are shown in Figure 9. 

Hazard & Risk 

Analysis 

Overall Safety 

Requirements 

- ------------.-------------~ 

0 

Figure 9: First portion of the overall safety life cycle. 

The safety life cycle continues with the realization activities as shown in Figure 10. 

I 

I 

---~-----------~ 

External Risk 

Reduction 

Facilities 

R9alizcition 

Figure 10: Realization activities in the overall safety life cycle. 

© exida.com 


Page 11 of 27

The safety systems must be designed to meet the target safety integrity levels as defined in the 

risk analysis phase. This requires that a probabilistic calculation be done to verify 1hat the 

design can meet the SIL (either in demand mode or continuous mode). The system must also 

meet detailed hardware and software implementation requirements given in Parts 2 and 3. One 

of the most significant is the "safe failure fraction" restriction (see Part 2). There is a more 

detailed subsection of the overall life cycle called the EIE/PE life cycle, which details the 

activities in box 9 above. This EIE/PE lifecycle is shown in Figure 11. These activities are 

detailed in Part 2 of the standard. 

v 

E/E/PES safety requirements 

specification 

I EIE/PES safety I I E/E/PES design validation planning 

and development I 

I 

I 

I 

'V 

v 

I 

v 

E/EIPES integration I I 

E/E/PES operation and I 

maintenance procedures 

I 

.. ". "' .. 

"•' ' • • ' • r "' 

, 

Figure 11: EIEIPES safety life cycle (IEC61508, Part 2). 

I 

0 

The final operation phases of the overall safety life cycle are shown in Figure 12. 

0 

Figure 12: Operation and Maintenance phases of the overall safety life cycle. 

In summary, the safety life cycle g;>nerally lays out the different activities required to achieve 

functional safety and compliance with the standard. II also should be noted that if all of the "shall 

be ... " and "must..." conditions are met, other safety life cycle variations also are fully compliant 

with the standard. 

FUNCTIONAL SAFETY ASSESSMENT (Clause 8) 

Part 1 also describes the functional safety assessment activities required by IEC61508. The 

objective of the assessment is to investigate and arrive at a conclusion regarding the level of 


Page 12of27

safety achieved by the safety-related system. The process requires that one or more competent 

persons be appointed to carry out a functional safety assessment. These individuals must be 

suitably independent of those responsible for the functional safety beirg assessed, depending 

on the SIL and consequences involved. These requirements are shown in Tables 1 and 2. 

0 

Minimum level of 

Consequence 

lndenendence A B c D 

Independent person HR HR NR NR 

Independent department - HR HR NR 

Independent organization - - HR" HR 

(see note 2 of 8.2.12) 

Typical consequences could be: 

Consequence A - minor injury (for example temporary Joss of function); 

Consequence B - serious permanent injury to one or more persons, death 

to one person; Consequence C - death to several people; 

Consequence D - very many people killed. 

Abbreviations- HR - highly recommended, NR - not recommended 

Table 1: Assessment independence level as a function of consequence. 

Minimum level of 

Safety integrity level 

Independence 1 2 3 4 

lndeoendent oerson HR HR NR NR 

Jndeoendent deoartment - HR' HR NR 

lndep en dent organization - - HR' HR 

,---. 

u 

Table 2: Assessment independence level for E/E/PE and software life cycle activities. 

The functional safety assessment shall include all phases of the safety life cycles. The 

assessment must consider the life cycle activities carried out and the outputs obtained. The 

assessment may be done in parts after each activity or group of activities. The main 

requirement is that the assessment be done before the safety-related system is needed to 

protect against a hazard. 

The functional safety assessment must consider. 

1. All work done since the previous functional safety assessment; 

2. The plans for implementing further functional safety assessments; 

3. The recommendations of the previous assessments including a check to verify that the 

changes have been made. 

The functional safety assessment activities shall be consistent and planned. The plan must 

specify the personnel who will perform the assessment, their level of independence, and the 

competency required. The assessment plan must also state the scope of the assessment, 


Page 13of27

outputs of the assessment, any safety bodies involved, and the resources required. At the 

conclusion of the functional safety assessment, recommendations shall indicate acceptance, 

qualified acceptance, or rejection. 

Sample Documentation Structure (Annex A) 

The documentation has to contain enough information to effectively perform each phase of the 

safety life cycle (Clause 7), manage functional safety (Clause 6), and allow functional safety 

assessments (Clause 8). However, IEC61508 does not specify a particular documentation 

structure. Users have flexibility in choosing their own documentation structure as long as it 

meets the criteria described earlier. An example set of documents for a safety life cycle project 

is shown in Table 3. 

Table 3· Documentation examples 

Safety Lifecycle phase 

Information 

Safety requirements Safety Requirements Specification (safety 

functions and safety integrity) 

E/E/PES validation planninr:~ 

Validation Plan 

E/E/PES design and development 

E/E/PES architecture Architecture Design Description (hardware 

and software); 

Specification (integration tests) 

Hardware architecture 

Hardware Architecture Design Description; 

Hardware module design 

Detail Design Specification(s) 

Component construction and/or Hardware modules; 

I orocurement 

Report (hardware modules test) 

Programmable electronic integration Integration Report 

E/E/PES operation and maintenance Operation and Maintenance Instructions 

procedures 

E/E/PES safety validation 

Validation Report 

E/E/PES modification 

E/E/PES modification procedures; 

Modification Request; 

Modification Report; 

Modification Loa 

Concerning all phases 

Safety Plan; 

Verification Plan and Report; 

Functional Safety Assessment Plan and 

Report 

0 

0 

Personnel Competency (Annex B) 

IEC61508 specifically states, "All persons involved in any overall, E/EIPES or software safety 

life cycle activity, including management activities, should have the appropriate training, 

technical knowledge, experience and qualifications relevant to the specific duties they have to 

perform." It is suggested that a number of things be considered in the evaluation of personnel. 

These are: 

1. engineerirg knowledge in the application; 

2. engineering knowledge appropriate to the technology; 

3. safety engineering knowledge appropriate to the technology; 

4. knowledge of the legal and safety regulatory framework; 

5. the consequences of safety-related system failure; 

© exida.com IEC61508 Overview Report, Version 1.1, September 25, 2002 

Page 14of 27

6. the assigned safety integrity levels of safety functions in a project; 

7. experience and its relevance to the job. 

The training, experience, and qualifications of all persons should be documented. The TOV 

Certified Functional Safety Expert (CFSE) program was designed to help companies show 

personnel competency in several different safety specialties. 

Bibliography (Annex C) 

A list of many related lEG standards, ISO standards, and other relevant references is provided. 

0 

3 Part 2: Hardware Requirements 

IEC61508 Part 2 covers specific requirements for safety-related hardware. As in other parts of 

the standard, a safety life cycle is to be used as the basis of requirement compliance. (Figure g 

shows the general safety life cycle model.) The hardware safety life cycle is an expanded plan 

for Phase 9 of the overall safety life cycle from Part 1 that is focused on the design of the control 

hardware for safety systems. As for the overall safety life cycle, there are requirements for a 

functional safety management plan and safety requirements specification including all 

verification and assessment activities. 

EIE/PES safety lifecycle 

() 

One E/E/PES safety 

llfecycle for each 

E/EIPE safety-related 

system 

To box 14 

in figure 2 

of part 1 

NOTE See also lEC 61508·6, A.2(b) 

To box 12 in figure 2 of part 1 

Figure 13: Hardware safety life cycle. 

©exida.com 


Page 15of 27

The safety requirements specification (described in Clause 7.2) shall include details on both the 

safety function and the safety integrity level of that function. Some of these safety function 

details are: 

-how safe state is achieved -response time 

-operator interfaces 

-required E/E/PES behavior modes -start -up requirements 

-operating modes of equipment under control 

Some of the safety integrity level details are: 

-SIL for each funclion 

-high or low demand class for each function 

-environmental extremes 

-electromagnetic immunity limits 

One particular aspect of the hardware design and development requirements (Clause 7.4) is the 

limit on the safety integrity level achievable by any particular level of fault tolerant safety 

redundancy. These are shown in Tables 4 and 5 for various fractions of failures leading to a n 

safe state. · ',__.) 

Table 4: Type A safe failure fraction chart. 

Safe failure Hardware fault tolerance (see note 1) 

fraction 

0 l 2 

Type A components are described as simple devices with well-known failure modes and a solid 

history of operation. Type B devices are complex components with potentially unknown failure 

modes, i.e., microprocessors, ASICs, etc. 

Tables 4 and 5 represent limits on the use of single or even dual architectures in higher SIL 

levels. This is appropriate based on the level of uncertainty present in the failure data as well as 

in the SIL calculations themselves. 

Note the separate phase specifically devoted to integrating the software and hardware before 

validating the safety of the combined system (described in Clause 7.5). Operation and 

maintenance procedures and documentation are described in Clause 7.6 while validation, 

modification, and verification phase details are provided in the remaining parts of Clause 7. 

0 

Control of Failures during Operation (Annex A) 

This annex limits claims that can be made for self diagnostic capatilities and also recommends 

methods of failure control. Numerous types of failures are addressed including random, 

systematic, environmental, and operational failures. It should be noted that following these 

methods does not guarantee that a given system lllill meet a specific SIL. 

Avoidance of Systematic Failures during Different Phases of the Life Cycle (Annex B) 

Here, numerous tables present recommended techniques for different life cycle phases to 

achieve different Slls. Again, simply using these techniques does not guarantee a system will 

achieve a specific SIL. 

Diagnostic Coverage and Safe Failure Fraction (Annex C) 

Here, a basic procedure is described for calculating the fraction of failures that can be sel~ 

diagnosed and the fraction that result in a safe state. 

0 

4 Part 3: Software Requirements 

IEC61508 Part 3 covers specific requirements for safety-related software. As in other parts of 

the standard, a safety life cycle is to be used as the basis of requirement compliance. (Figure 9 

shows the general safety life cycle model.) The software safety life cycle is an expanded plan 

for Phase 9 of the overall safety life cycle from Part 1 and is closely linked with the hardware life 

cycle. As for the overall safety life cycle, there are requirements for a functional safety 

management plan and safety requirements specification, including all verification and 

assessment activities. 

Here the functional safety is addressed in the context of a software quality management system 

(QMS) in Clause 6. A detailed functional safety plan is presented as part of this QMS. As in 

other parts of the standard, the same key features of change management, demonstration, and 

documentation are present. 

SOF1WARE FUNCTIONAL SAFETY PLAN (Clause 6) 

A software functional safety plan (either as a part of other documentation or as a separate 

document) shall define the strategy for the software procurement, development, integration, 

@exida.com IEC61508 Overview Report, Version 1.1, September 25, 2002 

Page 17of 27

verification, validation, and modification as required for the SIL level of the safety-related 

system. The plan must specifY a configuration management system. 

This software configuration management system must: 

1. manage software changes to ensure that the specified requirements for software safety are 

satisfied; 

2. guarantee that all necessary activities have been carried out to demonstrate that the required 

software safety integrity has been achieved; 

3. accurately maintain all documentation and source code including the safety analysis and 

requirements; software specification and design documents; software source code modules; 

test plans and results; commercial off the shelf (COTS) and pre-existing software components 

which are to be incorporated into the E/E/PE safety-related system; all tools and development 

environments which are used to create or test, cr carry out any action on, the software of the 

E/E/PE safety-related system; 

4. prevent unauthorized modifications; 

5. document modification/change requests; 

6. analyze the impact of a proposed modification; 

7. approve or reject the modification request; 

a establish baseline software and document the (partial) integration testing that justifies the 

baseline; 

9. formally document the release of safety-related software. 

0 

Master copies of the software and all documentation should be maintained throughout the 

operational lifetime of the released software. 

SOF1WARE SAFETY LIFE CYCLE (Clause 7) 

IEC61508 has a considerable but appropriate number of requirements for safety critical 

software put forth in the details of the software safety life cycle framework. The major phases of 

the software safety life cycle are shown in Figure 14. 

© ex;da.com 

EIE/PES 

safety 

lifecycle 

I 

f 

l I I 

validation Softwam planning 

safety 1 

Software safety requirements 

specification 

.. 

··· ······· · II ............... 

............ . ........... 

............. .. ......... 

I 

'V 

Softwaredeslgn J 

and development 

'J 

PE Integration 

I 

(hardware/software) 

I 

'J 

.......... 

I ..... .. ''"" 

J 

~ 

I I 

'J 

Software operation and I 

modification procedures 1 

Figure 14: Software safely life cycle. 


Page 18of27 

I 

0

Part 3 requires that a process (such as the safety life cycle) for the development of software 

shall be selected and specified during safety planning. Note that the exact process is not 

specified, it may be customized according to company preference. Appropriate quality and 

safety assurance procedures must be included. Each step of the software safety life cycle 

must be divided into elementary activities with the functions, inputs, and outputs specified for 

each phase. 

The standard has complete details of an example software safety life cycle. Many practitioners 

use a version of the V-model. The exida.com iterative V -model is shown in Figure 15. 

7 

0 

~!@l#llti!lhN!t!ll:T!!Gi(Jiji$1ffli!!H!!!!1-aRMFR&ijijJilill!llilliillffi!!MNMMI!let@t$tjibklt!Wl§6fllliD1fill!:m$Mjtjiit!rutfOOtl!!!!li' 

Figure 15: exida.com iterative V-model for software development. 

0 

During each step of process, appropriate "techniques and measures" must be used. Part 3, 

Annexes A and B give recommendations from a list of software techniques. 

The standard says, "If a any stage of the software safety life cycle, a change is required 

pertaining to an earlier life cycle phase, then that earlier safety life cycle phase and the following 

phases shall be repeated". This natural iterative process is best done in two major bops per 

Figure 15. 

SOFTWARE SAFETY REQUIREMENTS SPECIFICATION (Clause 7.2) 

The functional safety requirements for software must be specified. This can be done in a 

separate document or as part of another document. The specification of the requirements for 

software safety shall be derived from the specified safety requirements of the safety-related 

system and any requirements of safety planning. 

The requirements for software safety shall be sufficiently detailed to allow design and 

implementation and to alow a functional safety assessment. The software developers should 

review the document to verify that it contains sufficient detail. It should be noted that this is often 

another iterative process. 


Page 19of27

The requirements must be clear, precise, verifiable, testable, maintainable, and feasible. The 

requirements must also be appropriate for the safety integrity level. and traceable back to the 

specification of the safety requirements of the safety-related system. Terminology must be clear 

and understandable by those using the document. All modes of operation for the safety-related 

system must be listed. The requirements must detail any relevant constraints between the 

hardware and the sofiware. 

Since the sofiware is often called upon to perform much of the online diagnostics, the 

requirements must detail all sofiware sel~monitoring, any diagnostic tests performed on the 

hardware, periodic testing of critical functions, and means for online testing of safety functions. If 

the sofiware also performs non-safety functions, means to insure that the sofiware safety is not 

compromised (non-interfering) must also be specified. 

SOFTWARE SAFETY VALIDATION PLANNING (Clause 7.3) 

A plan must be set up to demonstrate that the sofiware satisfies the safety requirements set out 

in the specification. A combination of analysis and testing techniques is allowed and the chosen 

techniques must be specified in the plan. The plan must consider: 

1. required equipment; 

2. when validation will be done; 

3. who will do the validation; 

4. the modes of operation to be validated including start up, teach, automatic, manual, semiautomatic, 

steady state of operation, re-set, shut down, and maintenance; 

5. reasonably foreseeable abnormal conditions; 

6. identification of the safety-related sofiware that needs to be validated; 

7. specific reference to the specified requirements for sofiware safety; 

8. expected results and pass/fail criteria. 

O 

• 

The plan must show how assessment will be done, who will review the plan, and the assessor's 

level of independence. 

SOFTWARE DESIGN AND DEVELOPMENT (Clause 7.4) 

Design methods shall be chosen that support abstraction, modularity, information hiding, and 

other good sofiware engineering practices. The design method shall allow clear and ~ 

unambiguous expression of iJnctionality, data flow, sequencing, and time-dependent data, 

timing constraints, concurrency, data structures, design assumptions, and their dependencies. 

During design, the overall complexity of the design, its testability, and the ability to make safe 

modifications shall be considered. The entire design is considered safety-related even if nonsafety 

functions are included unless sufficient independence between safety and non-safety can 

be demonstrated. If different safety integrity levels are part of the design, the overall design is 

only valid for the least stringent SIL of the component parts. 

The design must include sofiware functions to execute proof tests and all online diagnostic tests 

as specified in the requirements. Sofiware diagnostics shall include monitoring of control flow 

and data flow. 

O 

The architectural design defines the major components and subsystems of the sofiware. The 

architectural design description must include: 

1. interconnections of these components; 


Page 20 of 27

2 the "techniques and measures" necessary during the software safety life cycle phases to 

satisfy requirements for software safety at the required safely integrity level including software 

design strategies for fault tolerance and/or fault avoidance (redundancy/diversity); 

3. the software safely integrity level of the subsystem/component; 

4. all software/hardware interactions and their significance; 

5. the design features for maintaining the safely integrity of all data; 

6. software architecture integration tests to ensure that the software architecture satisfies the 

requirements for software. 

It is assumed and permitted that iteration occurs between the design and the requirements 

phases. Any resulting changes in requirements must be documented and approved. 

0 

Support tools and programming languages must meet the safely integrity needs of the software. 

A set of integrated tools, including languages, compilers, configuration management tools, and, 

when applicable, automatic testing tools, shall be selected for the required safety integrity level. 

Detailed design and coding shall follow the software safely life cycle. Coding standards shall be 

employed and must specify good programming practice, prohibit unsafe language features, and 

specify procedures for source code documentation including: 

1 . legal entity; 

2. description; 

3. inputs and outputs; 

4. configuration management history. 

The software code must be : 

1. readable, understandable, and testable; 

2. able to satisfy the specified requirements; 

3. reviewed; 

4. tested as specified during software design. 

0 

INTEGRATION AND TESTING (Clause 7.5) 

Tests of the integration between the hardware and software are created during the design and 

development phases and specify the following: 

1. test cases and test data in manageable integration sets; 

2. test environment, tools, and configuration; 

3. test criteria; 

4. procedures for corrective action on failure of test. 

The integration testing results shall state each test and the pass/fail results. 

SOFTWARE SAFETY VALIDATION (Clause 7.7) 

Software validation is done as an overall check to insure that the software design meets the 

software safely requirements and must include the appropriate documentation. The validation 

may be done as part of overall system validation or it may be done separatEly for the software. 

Testing must be the primary method of validation with analysis used only to supplement. All 

tools used in the validation must be calibrated and an approved quality system must be in place. 

If validation is done separately for the software, the validation must follow the software safety 

validation plan. For each safety function, the validation effort shall document: 


Page 21 of 27

1. a record of the validation activities; 

2. the version of the software safety validation plan; 

3. the safety function being validated with reference to planned test; 

4. test environment (tools and equipment); 

5. the results of the validation activity with discrepancies, if any. 

If discrepancies occur, a change request must be created and an analysis must be done to 

determine if the validation may continue. 

OPERATION AND MODIFICATION (Clauses 7.6 and 7.8) 

Software modification requires authorization under the procedures specified during safety 

planning and must insure that the required safety integrity level is maintained. This authorization 

must address: 

1. the hazards that may be affected; Q 

2. the proposed change; 

3. the reasons for change. 

The modification process starts with an analysis on the impact of the proposed software 

modification on functional safety. The analysis will determine how much of the safety life cycle 

must be repeated. 

SOFTWARE VERIFICATION (Clause 7.9) 

The software verification process tests and evaluates the results of the software safety life cycle 

phases to insure they are correct and consistent with the input information to those phases. 

Verification of the steps used in the software safety life cycle must be performed according to 

the plan and must be done concurrently with design and development. The verification plan 

must indicate the activities performed and the items to be verified (documents, reviews, etc.). A 

verification report must include an explanation of all activities and results. Verification must be 

performed on: 

1. software safety requirements; 

2. software architecture design; 

3. software system design; 

4. software module design; 

5. software source code; 

6. data; 

7. software module testing; 

8. software integration testing; 

9. hardware integration testing; 

10. software safety requirements testing (software validation). 

0 

SOFTWARE FUNCTIONAL SAFETY ASSESSMENT (Clause 9) 

The software assessment process is similar to the other assessment processes in the standard. 

Techniques and measures relevant to this assessment are listed in Annexes A and B as well as 

in Part 1 of the standard. 

GUIDE TO THE SELECTION OF TECHNIQUES AND MEASURES (Annex A) 

Annex A provides ten tables of different techniques relevant to the software safety 

requirements, software design and development, architecture design, support tools and 


Page 22 of 27

programming languages, detailed design, software module testing, integration testing, safety 

validation, modification and functional safety assessment. Different techniques are 

"recommended" or "highly recommended" as a function of safety integrity level required. Some 

techniques are used alone or in combination with other techniques to show compliance with 

the standard. 

DETAILED TABLES (Annex B 

Annex B provides nine tables of detailed techniques for design and coding standards, dynamic 

analysis and testing, functional and black box testing, failure analysis, modeling, performance 

testing, semi-formal methods, static analysis, and modular approaches. These tables are also 

referenced in the tables from Annex A. 

0 

0 

5 Part 4: Abbreviations and Definitions 

Part 4 of the standard contains the abbreviations and definitions used throughout the entire 

document. Some selected key definitions are: 

diversity - different means of performing a required function 

equipment under control (EUC) - equipment, machinery, apparatus, or plant used for 

manufacturirg, process, transportation, medical, or other activities 

functional safety - part of the overall safety relating to the EUC and the EUC control system 

which depends on the correct functioning of the E/EJPE safety-related systems, other 

technology safety-related systems, and external risk reduction facilities 

harm - physical injury or damage to the health of people either directly or indirectly as a result of 

damage to property or to the environment 

hazard - potential source of harm 

limited variability language - software programming language, either textual or graphical, for 

commercial and industrial programmable electronic controllers with a range of capabilities 

limited to their application 

redundancy - means, in addition to the means which would be sufficient, for a functional unit to 

perform a required function or for data to represent information 

risk - combination of the probability of occurrence of harm and the severity of that harm 

safety - freedom from unacceptable risk 

safety function - function to be implemented by an E/E/PE safety-related system, other 

technology safety-related system, or external risk reduction facilities which is intended to 

achieve or maintain a safe state for the EUC, with respect to a specific hazardous event 

safety integrity - probability of a safety-related system satisfactorily performing the required 

safety functions under all the stated conditions within a stated period of time 

safety integrity level (SIL} - discrete level (one out of a possible four) for specifying the safety 

integrity requirements of the safety functions to be allocated to the E/E/PE safety-related 

systems, where safety integrity level 4 has the highest level of safety integrity and safety 

integrity level 1 has the lowest 

safety life cycle - necessary activities involved in the implementation of safety -related systems, 

occurring during a period of time that starts at the concept phase of a project and finishes when 

all of the E/E/PE safety-related systems, other technology safety-related systems, and extemal 

risk reduction facilities are no longer available for use 

safety-related system - designated system that both: 


Page 23 of 27

~mplements the required safety functions necessary to achieve or maintain a safe state 

for the EUC; and 

~s intended to achieve, on its own or with other E/E/PE safety-related systems, other 

technology safety-related systems or external risk reduction facilities, the necessary 

safety integrity for the required safety functions 

systematic failure - failure related in a deterministic way to a certain cause, which can only be 

eliminated by a modification of the design or of the manufacturing process, operational 

procedures, documentation, or other relevant factors 

tolerable risk - risk which is accepted in a given context based on the current values of society 

6 Part 5: Examples of Methods for the Determination of Safety 

Integrity Levels (Informative) 

Part 5 is primarily composed of Annexes A through E which describe key concepts as well as 

various methods of SIL selection and verification. 

0 

RISK AND SAFETY INTEGRITY - GENERAL CONCEPTS (Annex A) 

This annex describes the required safety actions to bridge the gap between the current level of 

risk present in the system and the level that can be tolerated in the given situation. This 

necessary risk reduction is noted to include contributions from E/EIPE safety-related systems, 

other safety-related systems, and external risk reduction methods. Elements of safety integrity 

relating to both the hardware and the overall systematic safety integrity are sometimes difficult 

to assess. This is part of the basis for SIL only referring to the order of magnitude of risk 

reduction for a safety-related system. 

ALARP AND TOLERABLE RISK CONCEPTS (Annex B) 

Annex B describes the concept of a finite level of tolerable risk based on the benefits derived 

from undertaking that risk in the context of the norms of society. It further describes the 

reduction of existing risk to a level "As Low As Reasonably Practicable" or ALARP. This level 

again takes into account the benefits derived from the risk as well as the costs to reduce the risk 

even further. 

0 

DETERMINATION OF SAFETY INTEGRITY LEVELS- A QUANTITATIVE METHOD (Annex C) 

This quantitative method presented is based on calculating a frequency of a hazard and the 

magnitude of its consequences to determine the difference between the existing risk and the 

tolerable risk. First the frequency of the initialing event is determined based on either local 

operating experience, failure rate database references for similar equipment in similar 

environments, or detailed analytical estimation. Then the probabilities that the initiating event 

will actually lead to the hazard are determined and combined with the initiating event to 

determine a hazard frequency. In parallel, the consequence d the hazard is calculated. Finally, 

the frequency and consequence of the hazard are assessed relative to the tolerable risk and a 

SIL is selected to bridge any gap. 

Exida provides training, software, and services in support of this vital safety process. Training 

includes hazards analysis to identify hazards and Layer of Protection Analysis (LOPA) quantify 

the risk. Software includes PROBETM to quantify the hazard probability and FurnEX and 

PhysEX to quantify the consequences. In addition to providing structure and computational 


Page 24of 27

support for the analyses, the software also provides easy standardized documentation of the 

process and results to support compliance with the standards. 

DETERMINATION OF SAFETY INTEGRITY LEVELS- A QUALITATIVE METHOD: RISK 

GRAPH (Annex D) 

This method assigns a category to both the frequency and severity of a hazard to assess the 

risk relative to the tolerable level. Some allowance is made for the likelihood that a given 

initialing event will not always lead to the potential hazard. 

0 

DETERMINATION OF SAFETY INTEGRITY LEVELS - A QUALITATIVE METHOD: 

HAZARDOUS EVENT SEVERITY MATRIX (Annex E) 

This method is similar to the risk graph except that the form follows a matrix rather than a 

sequential graph. 

7 Part 6: Guidelines in the Application of Parts 2 and 3 (Informative) 

Part 6 provides more detailed explanations and examples on how to comply with Parts 2 and 3 

and also is made up almost entirely of Annexes. 

APPLICATION OF PARTS 2 AND 3 (Annex A} 

This annex shows flow charts of the expected implementation of both Part 2 (Hardware) and 

Part 3 (Software) and provides an overview of the requirements. 

0 

EXAMPLE TECHNIQUE FOR EVALUATING PROBABILITIES OF FAILURE (Annex B) 

This annex provides an example of evaluating probabilities of failure with many tables showing 

results for particular architectures for selected values of diagnostic coverage and common 

cause beta factors (factors assessing the likelihood of a common cause failure). The methods 

used for these calculations are approximation formulas based on reliability block diagrams. 

These methods consider the hardware train of field sensor, logic box, and final control element 

and address various architecture configurations. 

CALCULATION OF DIAGNOSTIC COVERAGE: WORKED EXAMPLE (Annex C) 

This annex covers the Failure Modes, Effects, and Diagnostics Analysis (FMEDA) technique for 

calculating diagnostic coverage factor. This method is similar to the method in ISA TR84.02 and 

the exida.com FMEDA template tool. All methods use identical techniques. 

A METHODOLOGY FOR QUANTIFYING THE EFFECT OF HARDWARE-RELATED COMMON 

CAUSE FAILURES IN MULTI-CHANNEL PROGRAMMABLE ELECTRONIC SYSTEMS 

(Annex D) 

This annex explains the important phenomenon of common cause failures in redundant 

systems. A chart is provided along with a method of estimating the beta factor (factor assessing 

the likelihood of a common cause failure) to be used in subsequent calculations. 

EXAMPLE APPLICATION OF SOFTWARE SAFETY INTEGRITY TABLES OF PART 3 

(Annex E) 


Page 25of 27

This annex provides an example of how to use the software safety integrity level tables of Part 

3. Twenty tables are provided with detailed examples of a SIL2 ladder logic program with PLC 

hardware and a SIL3 full pre-coded complex plant system. 

8 Part 7: Overview of Techniques and Measures (Informative) 

Part 7 provides descriptions and an explanation of the many engineering techniques presented 

earlier in the standard. 

OVERVIEW OF TECHNIQUES AND MEASURES FOR E/E/PES: CONTROL OF RANDOM 

HARDWARE FAILURES (Annex A) 

This annex addresses andom hardware failures. It contains methods and techniques useful to 0 

prevent or maintain safety in the presence of component failures. The explanations provided 

here support many of the recommended techniques listed in the hardware tables in Part 2. 

OVERVIEW OF TECHNIQUES AND MEASURES FOR E/E/PES: AVOIDANCE OF 

SYSTEMATIC FAILURES(Annex B) 

This annex covers the avoidance of systematic failures in both hardware and software systems 

and is referenced by Parts 2 and 3. It is structured according to the safety life cycle and 

addresses numerous points relevant to the key phases as noted in the annex. 

OVERVIEW OF TECHNIQUES AND MEASURES FOR ACHIEVING SOFTWARE SAFETY 

INTEGRITY (Annex C) 

This annex provides an overview of techniques for achieving high software safety integrity. 

Many of these techniques fall into the detailed design phase of the life cycle. Architectural 

design issues are also addressed as well as development tools and programming languages. 

The annex also addresses the verification, modification, and functional safety assessment 

phase of the life cycle. 

PROBABILISTIC APPROACH TO DETERMINING SCFTWARE SAFETY INTEGRITY FOR 

PRE-DEVELOPED SOFTWARE (Annex D) 

The annex covers a probabilistic approach for SIL determination of proven software. With many 

systems seeking to employ previously written software, this annex can be valuable. It lists 

several tests to determine the integrity level of the software based on statistical analysis. 

0 

9 AdditionaiiEC615081nformation 

exida.com offers a two-day course that provides an "Introduction to IEC61508." This course 

covers the IEC61508 standard from the perspective of a user (project orientation) or a product 

manufacturer (product orientation). All of the basic principles are covered with exercises to 

reinforce the rrnterial. The training manual is available separately from the exida.com online 

store for those wishing to investigate this further. 


Page 26 of 27

There is of course no substitute to the purchase and study of the actual standard for those 

wanting more in-

0 

0

I 

DATA ON SELECTED PROCESS SYSTEMS AND EQUIPMENT 

( 

TuooomJ No. 2.1.4.1.3 I F,q•fpmtlill DncrlpUon SWITCHES • ELEcrn.IC • 

PRESSURE 

Operatln& MO!k 

f'rO(:ess Snnltr 

3 

Taxonomr 

' 

Openlln1 

• 

Pop•laUora 

Stuaples 

Failure modt! 

Agf'fllltd time In ttrri« ( IO' hrs) 

Calendar Uane 

I 

Falhrrts {per to' lwt) 

Opentlnaume 

No. ol Demands 

Fllllurtl (per to' dem11nd~} 

t.o,.-tr ~ban Upper Lower Mun Upptr 

Population 

f•ll 

0 

CATASTROPHIC O.S25 49.6 192.0 

a. Function~d without Signal 0.00122 0.07 0.271 

b. Failed !0 Function when 0.00809 0.4{1 l.:SS 

Signaled 

DEGRADED 

a. Functioned at Improper 

Signa1 l.cYcl 

b. lntcrmillent Operation 

INCIPIENT 

a. ln-servie~ Problems 

CAT ASH 

1. FunctiCl 

b. Failed t 

Signal, 

DEGRAD 

a. Functio1 

Signall 

b. lmermi· 

INCIPIE!' 

a. ln-scrvi 

0 

F...qulpment Boundu7 

PDW£R IN 

r-t--, 

I I I I 

I s•ttCH I r 

I I 

I I 

I I 

I I 

PROCESS LitE/TANK I I I I 

I I 

I I 

OUlPUT 

I I • - - - B(ll.H)ARY 

SENSING 

I 

I ____ EL!:HENT ..J 

F,.qulpmcnc 

Comment: Process Severity 3 applies only to Catastrophic rate. 

Dall Rtl'e.uu No. (Table 5.1): 4, 8.2 Data lhrf 

166

I 

DATA ON SF.LRCTF.D PROCESS SYSTRMS ANIJ EQUIPMENT 

Tunnomy No. 3.2.5 I Equipment De:tcrlpllon HOSES 

Opcnllnlt Modr 

PriKtu Stnrllr 

UNKNOWN 

f>npulatlon 

F•&lurc mod~ 

Samplt! 

t\g~regat~ time In stnlce ( 10' hrs) 

Ctltndar time 

I 

Fallur~~ (p~r to' hrs) 

Op~ratlnr: lime 

No. of Dnund! 

FallutM (pu tol demands) 

Lower Mun Upper Lower Mun Upper 

0 

CATASTROPHIC 

•· 0 - IO% Flow Area 

b. >10% Flow Area 

c. Rupturt! 0.0099 0.570 2.20 

d. Plugged 

DEGRADED 

a. Rcstricled F1ow 

INCIPIENT 

a. Wall Thinning 

b. Embriulemenl 

c. Cracl:.cd or Flawed 

d. Erratic Flow 

0 

F.qPipmcnl Rnundarr 

r-L?(""" 

~~~:J 

COIN::crOR L ___ I 

~.J.! ... .!\l,,,, 

•-- -SOI.JIIOARY 

J 

I 

I 

I 

Data Rdt'rence No. (Table !. 1): 6 

,; 

187

I 


[ ] 

TuonomJ No. 

3.3.2 I Equlpmenr DHcrlpllon ROTATING EQUIPMENT. 

COMPRESSORS 

Op~!ultng Mlldt Ptoct!>!ll Stvrrll)' 

UNKNOWN 

I 

T011xonomy 

No. 

OpenUng Mod 

Population 

Samplu 

Failure mude 

Aure1•tl!d lime. In service ( 10 1 hu) 

Calmdu Ume 

I 

Op~rallnK time 

No. of Dc:mands 

Populalfon 

J.'allurn (per 10' hn) Fallure5 (~r 10~ d

DATA ON SF.LF.CTF.D PROCESS SYSTEMS AND EQUIPMENT 

I 

Tn:onomy No. 3.).2.1 I Eqolpm .. r o.mlpllo• Rm"ATING EQUIPMENT-COMPRESSORS-I 

ELECilUC MOTOR DRIVEN 

Operallng Mode Proc:Ht Se,erltr UNKNOWN 

Populallon Samples 

lrtdJ;) 

Failure mnde 

Aggrq:•tcd Umt In Knlu (JOt hn) 

Call'fldn lime 

I 

1-'allures (ptr ro' hrs) 

Openllnr Umt 

No. of Dmundt 

Fallur~ (per 10, demands) 

Upper Lo~·n Mun Upper Lower Mun Upper 

CATASTRO•HIC 27.9 2470.0 9690.0 

a. Fails While Running 

b. Ruprure 

- 

e. Spurious Srart/Comm:md 

Faull 

d. Fails to Start on Demand 

t, Fails 10 Slop on Demand 

DEGRADED 

a. E:w:temallealcage 

Equipment Boundary 

0 

OARY 

POWER SUPPLY 

PROCESS IN 

,----------- ---, 

I 

I 

I 

I 

I I D 

""'"" 

GEAR I I 

I 

I I J 

I 

CCH'RESSOR 

I 

I 

I 

I 

I 

I 

INCLUOEO: 

SEAL Drl SI'STEH 

PlPIP«i 

1NlERSTAGE COOLING 

LUBE OIL COOLIOO 

CONTROL ll'/IT 

________________ BASEPLATE 

J 

I 

I 

I 

I 

I 

PROCESS OUT 

• - - - BOI.Jt«)ARY 

Dala S!:der~nct No. (Table 5.1): 8.4

I 

DATA ON SELECTED PROCESS SYSTF.MS AND EQUIPMENT 

Tuooomy No 

3.3.4 I Equipment DtScrlpUon ROTATING EQUIPMENT- 

MOTOR-DRIVEN FANS 

Op~utlng J\.1fldc: ProcH!II Sevc:rl11 

UNKNOWN 

( AgRrtzaledllmt Itt suvitc: ( 10' hrs) No. or Demands 

P{)pulallfln 

Samplt~ 

Caltndar lime Op:cratln1 llmt 

Fallur~s (pu 10' hr') 

Failures (pu I o' demands) 

F•llurt! mode 

pptr LowC"r Mran Uppcor Lower M!!an Upper 

I 

.0 

CATASTROPiiTC 

a. Fails while Running 1.75 9.09 24.7 

b. Spurious Slart/Comml'lnd Fault 

c. Fails to St:ut on DcmMd 0.00944 0.208 0.769 

d. Fails: to Stop on D~mand 

f.qtJipmcnl JJound:~rr 

- 

POWER SlFPl. Y 

PftCICf:SS IN 

r--+-------1 

I 

I 

I 

I 

lC~TROL~ 

6 

POWER stPPLY 

I _I I I PNJCESS OOT 

I 

I 

I 

I 

; 

L '"' j I • - - - BCl.HJARY 

L----------.J 

Dab Rdercn('e No. (Tah&e !.1): 8.2. 8.4, 8.5, 8.15

UMI'S 

[ 


!:-CENTRIFUGAl 

f Tnonomy No 3.3.7.2.1.1 I F,q,lpmonl Domlplloo ROT MlNG EQIJII'Mf,NJ".PUMPS· 1 

Optralln~~: Mode RUNNING Proem s~verUy UNKNOWN 

MOTOR ORIVEN-PRESSURE.CENTlUFUGA 

c 

mand.~) 

( 

Populatlnn 

rallurt mode 

Samplu 

AggrC'RitOO !lmt '"' ttnlce ( 10~ hrs) 

Cal~du 

lime 

I 

Falluru (pC'r to' hrs) 

Oprrallnll' time 

No. of Dmlands 

FallutH (per to' dcm111&!:) 

Upptt Lowu Mun Upper Lower Mun Upper 

CATASTROPHIC 

450.0 n 

a. Fails while Running 0.&12 104.0 ·-:,. ., 

b. Rupture 

c. Spurinus Start 

43.0 

d. Fails to St:ut on Demand 

e. Fails to Slop on Dcmtllld 

DEGRAOED 

a. Fail~ In Run at Rated Speed 

b. External U:ak 

INCIPIENT 

a. High Vibnticm 

b. Ovc-r-tempcr:lturc 

c. Over-cuncnt 

0.417 24.0 92.8 

Equipment noundarjr 

0 

I~RY 

POVER SUPPLY 

PROCESS IN 

,----------- ---, 

I 

I 

I 

I 

.-.L 

I 

1 RANSMISSlON 

I ""'"" 

I 

P\JMP 

I I 

I 

I 

INCUJOEO: 

I 

I 

SE~ SYSTEM 

CONTROL UNIT 

I 

I 

BASEPLATE 

I 

I 

________________ J I 

I PROCESS 00 T 

I · - - - Bru.tiARY 

nab R~r~rtiiCf No. {T•bl~r 5.1): 5. 8.1. 8.4

I 

DATA ON SEI.ECTED rROCF.SS SYSTEMS AND EQUIPMENT 

l 

Tuooom1 No. 3.5.1.2 I F..qlllpment D«c:rlpllon VALVES-NON-OPERA TED- 

CHECK 

Opl.'ntlnJI: Mode 

f'npuhttlon 

Sumrle~ 

F•llurt mode 

I 

A~grrRatt'd Urn~ In Rt"kt ( 10 1 hrs) 

Calendar llmt 

Falluru (per 10' hu) 

Procts!t Sl!vtrll1 

OpeN:tfnc Umt 

UNKNOWN 

No. of Dnn•ndt 

F•llure:!l (pcr 10 1 demand$) 

Lo,ver Mun Vpptr Lower MtJin Upper 

CATASTROPIIIC 0.0552 3.18 12.3 

a. Fail~ lo Cht:ck 0.285 2.2 6.73 

b. Fails tr1 Optn 0.0347 0.145 0.364 

c. Fails lo Re-npcn 

DEGRADED 

a. Signincant Back-lc:tkAge 

" ' 

) I 

l 

I 

I 

I 

c= 

Tuonnmy 

Opera tin& 

ropulatlor 

CAT ASa. 

Lcua 1 

b. Lt:ah, 

('!;Upt>r 

\..._ _)mm 

e:-Norm 

f. Norm: 

g. Norm 

DEGR/ 

INCIPI. 

a. Wall 

b.Emb: 

c. Ctad 

~ 

Equlpmr:nt Doundny 

F'.qulpm 

i~-, 

Pf'OC:ESS JH I : ~OCE"SS DliT 

I 

I 

'---------' 

I 

I 

• - - - BOI..tf:lARY 

0 

I 

lht• Rertrtnu No. (l'•hlt 5.1): 

7, 8,8.3,8.5,8.7,8.11,8.12,8.15 

I 

198

DATA ON 

SELECTED PROCESS SYSTEMS AND EQUIPMENT 

d~mand.~) 

Uppn 

~ 18.6 

u 

( 

Tnonnmy N~ 3.5.3.3 Equipment Dncrlpllon VALVES-OPERA1ED- 

PNEUMATIC 

Operating Mode 

Pllplllallan 

Samples 

Failure mode 

I 

Au;rtgat~ tlmt In service ( 10~ hrs) 

Calendar UrM 

Falluru (per 10 4 hrs) 

I'roctS! Sevul17 

Opert.llnlt time 

UNKNOWN 

No. of Oetnandt 

Fallurto~ (ptr tol dtmands) 

Lowu Mean Upper Lower Mean Upper 

CATASTROPillC 

a. External Leakage 

b. lntcma 1 Uak:'ICC >I% 

c. Spurious Operation 0.274 3.59 12.3 

d. No Ch:tngc of )losition on 

Demand 

0.306 2.2 6.62 

DEGRADED 

a. Delayed Actuation 

INCIPIENT 

a. Wall Thinning 

b. Embriltlcmctll 

c. Cracked or Flawed 

d. Internal Leakage 

I 

F.qulpment Boundary 

r------1 

I I ACTUATOR I l AIR 

I 

I 

I 

I 

I 

I 

I POSI::J I 

0 

PROCESS IN :~/: ~OC£SS 

SlJ'PlT 

SIGNAL 

OUT 

~ 

....,.., 

1/~, 

·---B(l..IOii!RY 

I 

L------~ 

I 

Data Rertrtnce No. (Table 5.1): 8. R.I. 8.2. 8.3. 8.4. R. 7. 8.10, 8.12, 8.14, 8.15

l!b) 

I 

[ 

DATA ON SELECTED PROCF.SS I SYSTF.MS AND EQUIPMENT 

I 

TmoornY No. 4.3.3.1 F.qulpmenl DucrlpUon PRESSURE · SAFETY RELIEF 

VALVES-PILOT OPERA TED 

Opnatlna: Modt 

Populallon 

Flllurt mode 

Stmplcs- 

AIU~rcBIIOO lime In service (to' hrs) 

C:~lcmd:u 

lime 

I 

FallurH (per to' hn) 

Process Senrlly 

Opcrallnll: time 

UNKNOWN 

No. of Demtrds 

Ftllures (per to' drmtnds) 

Upper Lower Mun Upper Lower Me•n Upper 

CAT ASTROPIHC 

a. Seat Lcak11ge 

143.0 h. Fails In Open 

c. Spurious Operation 

c.l Opens Prcm:aturdy 

c.2 Failure to Recluse once open 

O.IR8 5.0 18.8 

d. Fails to Open on 

Demand 0.00932 .t.IS 18.2 0 

DEGRADED 

a. lnterstagc Leakage 

INCIPIENT 

11.. Pilotl...cak.agc 

I 

F..qulpmcnl Rounduy 

OOTLET 

,--------1 

I 

I 

I 

I 

I 

I 

I 

I 

I 

I 

PILOT I 

"''-VE 

I 

I 

~ I 

~----'----1 0 

·---BOI..t(JIIRY 

INLFT 

Datt Rcrcrenct No. ffablt $.1)t B. 8.12 

211

I Tnooom1 No. 4.3.3.2 -r Equipment DncrJpuon PRESSURE- SAFETY RELIEF 

Optn•llng Mnde 

rnpuhllnlt 

S:unrl~~ 

Fallurt mode 


l'rO«ss Sevtrlty 

VALVES ·SPRING-LOADED 

UNKNOWN 

J\f;jlftl~lcd lltnt In service ( 10' Ius} No. ot Otomands 

Ca1mdar tim~ 

I 

Operatln~ time 

l;allurrs (pu to' hrs) 

Falluru (~r 10 1 demand5) 

lO\ttt Mun Upper Lower Mean Upper 

] 

l 

Cc 

0 

0 

CAT hSTROI"H IC 

a. Scat Lenkl:lge 

b. fails to Op:!n 

c. SpuriouJ:; ()pc-t,11ion 

c.l Opens Prern.:~t111c:ly 0.275 1.68 4.80 

c.2 Failure to Redo~ Once Open 0.127 5.18 22.7 

d. Fails tn Open on 0.0019 0.212 0.7~8 

DcmHnd 

DEOR"DED 

a. Tntcrst~ge Lcnbgc 

INCIPIENT 

F.q_ulpnltnt noundarr 

CXJTLET 

,-------~ 

I 

I 

I 

I 

I 

I 

' 

I 

I 

I 

I 

I 

I 

L---- 1---- I 

• - - - BOIMJAR'f 

··tn most c 

Seldom o 

reliability 

other rcle 

specific s 

thought p 

available 

to add to 

reliability 

keeping s: 

yield bem 

It sl 

company 

intracomr 

r.tw data. 

training: { 

tion (fron 

finished d 

they can 

erly, valu 

tion can 1 

6.1 Data 

INLET 

Dah Rctrrcnce No. (Tablt S.l): R.I. 8.3, 8.5, 8.10 

.. 

Rates of 

equipmer 

follow in! 

rate data· 

• popula 

numbe 

• equipn 

212

0 

0

Functional Safety Terms and Acronyms 

Glossary 

0 

This list of functional safety terms and acronyms has been compiled from a number of sources listed 

at the end including the IEC 61508, IEC 61511 (ISA84.01) standards. It is meant to provide a general 

reference for engineers practicing safety lifecycle engineering in the process industry. As such it 

provides both safety and related non-safety term definitions in a clear useable form. It specifically 

highlights the most important terms and acronyms from the safety lifecycle standards with working 

level definitions. The reader is encouraged to pursue IEC 61508 or IEC 61511 for additional 

definitions and for additional information on applying the safety lifecycle to the process industry. 

Comments and feedback on this document are welcome and can be sent to info@exida.com noting 

the title and version of the document. 

The definitions appearing in this glossary are provided solely for general informational purposes. 

They are not intended to be complete descriptions of all terms, conditions and exclusions applicable 

to the practice of safety engineering. Also, in the case of any inconsistency between the definitions in 

this glossary and the definitions appearing in the applicable codes and standards, the definitions 

contained in the those codes and standards shall govern. 

Issued for general distribution: Version 1.0 on 24 November 2006 by Dr. Eric W. Scharpf, CFSE. 

u 

2oo3 

IEC 61508 

IEC 61511 

Two out of three logic circuit (213 logic circuit) A logic circuit with three 

independent inputs. The output of the logic circuit is the same state as any two 

matching input states. For example a safety circuit where three sensors are 

present and a signal from any two of those sensors is required to call for a shut 

down. This 2oo3 system is said to be single fault tolerant (HFT = 1) in that one 

of the sensors can fail dangerously and the system can still safely shut down. 

Other voting systems include 1oo1, 1oo2, 2oo2, 1oo3 and 2oo4. 

The IEC standard covering Functional Safety of electrical I electronic I 

programmable electronic safety-related systems The main objective of 

IEC61508 is to use safety instrumented systems reduce risk to a tolerable level 

by following the overall, hardware and software safety lifecycle procedures and 

by maintaining the associated documentation. Issued in 1998 and 2000, it has 

since come to be used mainly by safety equipment suppliers to show that their 

equipment is suitable for use in safety integrity level rated systems. 

The IEC standard for use of electrical I electronic I programmable electronic 

safety-related systems in the process industry. Like IEC 61508 it focuses on a 

set of safety lifecycle processes to manage process risk. It was originally 

published by the IEC in 2003 and taken up by the US in 2004 as ISA 84.00.01- 

2004. Unlike IEC 61508, this standard is targeted toward the process industry 

users of safety instrumented systems.

Functional Safety and Reliability 

Terms and Acronyms Issue 1.0 November 2006 

Actuator 

ALARP 

Algorithm 

Analogue 1/0 

Annunciator 

Architecture 

A device responsible for putting a mechanical device into action such as a 

valve. Single acting actuators act in only one direction such as in a spring 

and diaphragm actuator where the spring acts in a direction opposite to the 

diaphragm thrust. Double acting actuators have a power supply that acts to 

move the actuator in two normally opposite directions. Pneumatic actuators 

converts the energy of a compressible fluid, usually air, into motion. Vane 

actuators are typically fluid-powered devices where the fluid acts upon a 

movable pivoted member (the vane) to provide rotary motion to the actuator 

stem. 

As low as reasonably practicable. The philosophy of dealing with risks that 

fall between an upper and lower extreme. The upper extreme is where the 

risk is so great that it is rejected completely while the lower extreme is 

where the risk is, or has been made to be, insignificant. This philosophy 

considers both the costs and benefits of risk reduction to make the risk "as 

low as reasonably practicable". 

A prescribed set of well defined rules or processes for the solution of a 

problem in a finite number of steps 

Input or output signals to or from the filed that vary continuously over a 

range of values. Typically voltage, electric current, temperature, or pressure 

signals are analogue. 

A device or group of devices that call attention to changes in process 

conditions that have occurred. Usually included are sequence logic circuits, 

labeled visual displays, audible devices, and manually operated 

acknowledge and reset push buttons. 

The voting structure of different elements in a safety instrumented function. 

See Architectural Constraints, Fault Tolerance and 2oo3. 

Architectural constraints or AC 

Limitations that are imposed on the hardware selected to implement a 

safety-instrumented function, regardless of the performance calculated for a 

subsystem. Architectural constraints are specified (in IEC 61508-2-Table 2 

and IEC 61511-Table 5) according to the required SIL of the subsystem, 

type of components used, and SFF of the subsystem's components. Type A 

components are simple devices not incorporating microprocessors, and 

Type 8 devices are complex devices such as those incorporating 

microprocessors. See Fault Tolerance. 

As-built 

Asynchronous communication 

A document revision that includes all modifications performed as a result of 

actual fabrication or installation. Note for safety systems, that where the 

actual installation does not conform to the design information, then the 

difference shall be evaluated and the likely impact on safety determined. If 

the difference has no impact on safety, then the design information shall be 

updated to "as built" status. If the difference has a negative impact on 

safety, then the installation shall be modified to meet the design 

requirements. 

Circuitry or operation without common clock or timing signals. Often called 

start/stop transmission; a way of transmitting data in which each character 

is preceded by a start bit and followed by a stop bit. 

0 

0 

Page 2 of33



0 

0 

Auto-tuning 

Availability 

Basic process control system 

Batch process 

~-factor 

BLEVE 

BMS 

BPCS 

Controller feature that calculates proportional, integral and derivative (PID) 

output settings based on calculations using measured process dynamics 

and combining those with the parameters of a PID controller. Calculations 

may be based on transient responses, frequency responses or parametric 

models. 

The probability that a device is operating successfully at a given moment in 

time. This is a measure of the "uptime" and is defined in units of percent. 

For most tested and repaired safety system components, the availability 

varies as a saw tooth with time as governed by the proof test and repair 

cycles. Thus the integrated average availability is used to calculate the 

average probability of failure on demand. See PFDavg. 

System which responds to input signals from the process, associated 

equipment, and/or an operator and generates output signals causing the 

process and its associated equipment to operate in the desired way. The 

BPCS can not perform any safety instrumented functions rated with a safety 

integrity level of 1 or better unless it meets proven in use requirements. See 

proven in use. 

A process that manufactures a fixed quantity of material by subjecting 

measured quantities of raw materials to a time sequential order of 

processing actions using one or more pieces of equipment. Typically used 

for small volume production of high value materials. 

Beta factor, indicating common cause susceptibility. The fraction of total 

failure rate that is attributed to a single cause in common with other units in 

the group. A common cause failure will result in all units with the group 

failing simultaneously. 

Boiling liquid expanding vapor explosion. A specific type of fireball that can 

occur as the result of the situation where a vessel containing a pressurized 

liquid comes in direct contact with external flame. As the liquid inside the 

vessel absorbs the heat of the external fire, the liquid begins to boil, 

increasing the pressure inside the vessel to the set pressure of the relief 

valve(s). The heat of the external fire will also be directed to portions of the 

vessel where the interior wall is not "wet" with the process liquid. Since the 

process liquid is not present to carry heat away from the vessel wall, the 

temperature in this region (usually near the interface of the boiling liquid), 

will rise dramatically causing the vessel wall to overheat and become weak. 

A short time after the vessel wall begins to overheat, the vessel can lose its 

structural integrity and a rupture will occur. After vessel rupture, a fireball 

will usually result with the external fire available as the ignition source. 

Burner management system. The control system designed to improve 

combustion safety and assist the operator in starting and stopping the 

burners. It also should prevent mis-operation and damage to the fuel 

preparation and burning equipment. The BMS can include: interlock system, 

fuel trip system, master fuel trip system, master fuel trip relay, flame 

monitoring and tripping systems, ignition subsystem, main burner 

subsystem, warm-up burner subsystem, bed temperature subsystem, and 

duct burner system. 

See Basic Process Control System. 

Page 3 of33



Burn-in 

Bus 

Butterfly valve 

Calibration curve 

Capacitance 

Cause and effect diagram 

Cavitation 

CFSE/CFSP 

Check valve 

CPT or PTC 

CPQRA 

Device operation, usually under accelerated environmental conditions that 

simulate life in the devices' intended application, used to detect early-life 

(infant mortality) failures. Such testing helps to ensure that constant failure 

rate assumptions for equipment are valid and do not lead to accidents 

during plant start up. 

A group of wires or conductors, considered as a single entity, which 

interconnects part of a system. 

A valve consisting of a disc inside a valve body which operates by rotating 

about an axis in the plane of the disc to shut off or regulate flow. 

A plot of indicated value versus true value used to adjust instrument 

readings for inherent error; a calibration curve is usually determined for 

each calibrated instrument in a standard procedure and its validity 

confirmed or a new calibration curve determined by periodically repeating 

the procedure. 

The ability of a capacitor to store a charge. The greater the capacitance, the 

greater the charge that can be stored. Also applied to tanks in process fluid 

flow systems. 

One method commonly used to show the relationship between the sensor 

inputs to a safety function and the required outputs. Often used as part of a 

safely requirements specification. The method's strengths are a low level of 

effort and clear visual representation while its weaknesses are a rigid format 

(some functions can not be represented w/ C-E diagrams) and the fact that 

it can oversimplify the function. 

A two stage phenomenon of liquid flow. The first stage is the formation of 

voids or cavities within the liquid system; the second stage is the collapse or 

implosion of these cavities back into an all liquid state. Cavitation can cause 

excessive wear and damage to devices in regions where the voids are 

present. 

Certified Functional Safety Expert/Professional Qualifications for safety 

engineers in either process applications, machine applications, hardware, or 

software that demonstrates competence in safety lifecycle activities. These 

qualifications are administered by the non-profit CFSE Governance 

managed by a global consortium of vendor, user, integrator and consultant 

companies. 

A flow control device that permits flow in one direction and prevents flow in 

the opposite direction 

Proof test coverage - The percentage failures that are detected during the 

servicing of equipment. In general it is assumed that when a proof test is 

performed any errors in the system are detected and corrected (1 00% proof 

test coverage). 

(Guidelines for) Chemical Process Quantitative Risk Analysis 

0 

0 

Page4 of33



0 

0 

CPU 

Common mode failure 

Consequence 

Coriolis flow meter 

Coverage 

Cross talk 

D Diagnostics 

Dangerous failure 

Dead time 

Decision table 

Derivative control 

Design pressure 

Diaphragm 

Diaphragm valve 

central processing unit: The part of a computing system that contains the 

arithmetic and logical units, instruction control unit, timing generators, and 

memory and 1/0 interfaces. This is typically a very complex element which 

requires Type B classification for SIL hardware fault tolerance requirements 

according to lEG 61508. 

A random stress that causes two or more components to fail at the same 

time for the same reason. It is different from a systematic failure in that it is 

random and probabilistic but does not proceed in a fixed, predictable, cause 

and effect fashion. See systematic failure. 

The magnitude of harm or measure of the resulting outcome of a harmful 

event. One of the two components used to define a risk. 

A mass flow meter which measures mass flow of a fluid by determining the 

torque resulting from radial acceleration of the fluid. The name comes from 

the Coriolis effect that describes the accelerating force acting on any body 

moving freely above the earth's surface, which is caused by the rotation of 

the earth about its axis. 

See Cpr 

The unwanted energy transferred from one circuit, the disturbing circuit, to 

another circuit, the disturbed circuit. Typically signals electrically coupled 

from another circuit. 

Some safety rated logic solvers are designated as having capital D 

diagnostics. These are different from regular diagnostics in that the unit is 

able to reconfigure its architecture after a diagnostic has detected a failure. 

The greatest effect is for 1 oo2D systems which can reconfigure to 1 oo1 

operation upon detecting a safe failure. Thus the spurious trip rate for such 

a system is dramatically reduced. 

A failure of a component in a safety instrumented function that prevents that 

function from achieving a safe state when it is required to do so. See failure 

mode. 

The interval of time between initiation of an input change or stimulus and 

the start ofthe resulting response. 

A table of all contingencies that are to be considered in the description of a 

problem, together with the actions to be taken. Decision tables can be used 

in place of flow charts for problem description and documentation. 

Change in the output that is proportional to the rate of change of the input. 

Also called "rate control." 

The maximum allowable working pressure permitted under the rules of the 

relevant construction code. See also pressure, design. 

A sensing element consisting of a thin, usually circular, plate which is 

deformed by pressure differential applied across the plate. 

A valve with a flexible linear motion closure piece that is forced into the 

internal flow passageway of the valve body by the actuator. 

Page 5 of33



Diagnostic coverage A measure of a system's ability to detect failures. This is a ratio between the 

failure rates for detected failures to the failure rate for all failures in the 

system. 

Differential gap 

DP (Differential pressure) transmitter 

Digital/Discrete 1/0: 

DCS 

Digital valve 

DIN 

The smallest increment of change in a controlled variable required to cause 

the final control element in a two position control system to move from one 

position to its alternative position. 

A transducer designed to measure the pressure difference between two 

points in a process and transmit a signal proportional to this difference, 

without regard to the absolute pressure at either point. Often used to 

measure flow by the pressure difference across a restriction in the flow line 

or to measure level by measuring the pressure difference between the head 

pressure produced by the height of a liquid in a vessel or tank and a 

reference pressure. 

Input or output that senses or sends either "on" or "otr' (1 or 0) signals to 

the field. For example a discrete input would sense the position of a switch 

as energized or de-energized. A discrete output would turn a pump or light 

on or off. 

Digital or Distributed Control System. DCSs historically refers to larger 

analog control systems traditionally used for PID control in the process 

industries, whereas PLCs were used for discrete or logic processing. 

However, PLCs are gaining capability and acceptance in doing PID control 

while the DCS has come to mean the system of input/output devices, 

control devices and operator interface devices which execute the stated 

control functions and permit transmission· of control, measurement, and 

operating infonmation to and from multiple locations, connected by a 

communication link. The DCS is specifically separate from the safety 

instrumented system (SIS) in that there are no meaningful random common 

mode failures between the two systems. 

A single valve casing containing multiple solenoid valves whose flow 

capacities vary in binary sequence (1, 2, 4, 8, 16, ...);to regulate flow, the 

control device sends operating signals to various combinations of the 

solenoids; applications are limited to very clean fluids at moderate 

temperatures and pressures. 

Abbreviation for the standards institution of the Federal Republic of 

Germany. 

Displacement level meter 

A device that measures liquid level by means of a float and balance beam 

connected to a position sensor. 

Diversity 

applying different ways to performing a required function. Diversity may be 

achieved by different physical methods or different design approaches. 

Division 1-2 See Hazardous Area 

Doppler effect flowmeter 

Q 

Q 

Page 6 of33



0 

0 

Double block and bleed 

Dual-sealing valve 

Duplex 

Dust, combustible 

Dynamic pressure 

Eddy current 

A device that uses ultrasonic techniques to determine flow rate; a 

continuous ultrasonic beam is projected across fluid flowing through the 

pipe, and the difference between incident beam and transmitted beam 

frequencies is a measure of fiuid flow rate. 

A three valve configuration common in shut off applications. Two main shut 

off valves (block valves) operate on the main process line to stop flow. Then 

a third bleed valve to a vent can be opened to relieve pressure of remove 

the process fluid from the region between the two block valves. Typically 

considered as a 1 oo2 voting shut off system provided the bleed valve 

opening is not critical to achieving the safe state. 

A valve which uses a resilient seating material for the primary seal and a 

metal to metal seat for a secondary seal. 

Half duplex is where there is communications in both directions (transmit 

and receive), but in only one direction at a given instant in time. Full duplex 

is where there is communication that appear to have information transfer in 

both directions (transmit and receive) at the same time. 

Dust that (when mixed with air in certain proportions) can be ignited and will 

propagate a flame. 

The increase in pressure above the static pressure that results from 

complete transformation of the kinetic energy of the fluid into potential 

energy in units of pressure. 

A circulating current induced in a conductive material by a changing 

electromagnetic field. 

E/E/PE Electrical/ Electronic I Programmable Electronic See 61508 and 61511. 

Effect Zone 

EIA 

EMI 

Elevation error 

The physical area in which a harmful effect is felt by a receptor. For a toxic 

release, the area over which the airborne concentration exceeds some level 

of concern. For a physical energy release, the area over which a specified 

overpressure criterion is exceeded. For thermal radiation effects, the area 

over which an effect based on a specified damage criterion [e.g., a circular 

effect zone surrounding a pool fire resulting from a flammable liquid spill, 

whose boundary is defined by the radial distance at which the radiative flux 

from the pool fire has decreased by 5 kW/m2 (approximately 1600 BTU/hrft2)]. 

Electronics Industry Association who provide standards for such things as 

interchangeability between manufacturers. 

Electromagnetic Interference: Any spurious effect produced in the circuits or 

elements of a device by external electromagnetic fields. NOTE: A special 

case of interference from radio transmitters is known as "radio frequency 

interference (RFI)" 

A type of error in temperature or pressure sensors that incorporate capillary 

lubes partly filled with liquid; the error is introduced when the liquid filled 

portion of the system is at a different level than the instrument case, the 

amount of error varying with distance of elevation or depression. 

Page 7 of33



Event {Independent) Events that do not affect each other (can be series or parallel). Tossing two 

coins (parallel)or one coin twice (series) are generally considered to be 

independent events. 

Event {Initiating) 

The first event in an event sequence (e.g., the stress corrosion resulting in 

leak/rupture of the connecting pipeline to the ammonia tank) 

Event {Intermediate) An event that propagates or mitigates the initiating event during an event 

sequence (e.g., improper operator action fails to stop the initial ammonia 

leak and causes propagation of the intermediate event to an incident; in this 

case the intermediate event outcome is a toxic release) 

Event tree analysis 

Exception reporting 

Explosion 

A method of fault propagation modeling. The analysis constructs a treeshaped 

picture of the chains of events leading from an initiating event to 

various potential outcomes. The tree expands from the initiating event in 

branches of intermediate propagating events. Each branch represents a 

situation where a different outcome is possible. After including all of the 

appropriate branches, the event tree ends with multiple possible outcomes. 

An information system which reports on situations only when actual results 

differ from planned results. When results occur within a normal range they 

are not reported. 

Combustion which proceeds so rapidly that a high pressure is generated 

suddenly. This high pressure or shock wave is the result of a turbulent flame 

boundary and is very difficult to predict relative to a flash fire which 

propagates through laminar boundary flow. 

Explosion (Physical) The result of sudden catastrophic rupture of a high-pressure vessel. The 

blast wave is caused when the potential energy stored in the high-pressure 

vessel is transferred to kinetic energy when that material is released. The 

effect zone is determined by the quantity of energy released and the blast 

shock wave overpressure resulting from the explosion. 

Explosion (Vapor Cloud) 

Explosion door 

Explosion proof enclosure 

Fail close 

Fail in place/last 

The result of ignition of a cloud of flammable vapor, when the flame velocity 

is high enough (turbulent and supersonic) to produce an explosive shock 

wave. The effect zone is determined by the quantity of energy released and 

the blast shock wave overpressure resulting from the explosion. 

A door in a furnace or boiler setting designed to be opened by a 

predetermined gas pressure. 

An enclosure that is 1) capable of withstanding an explosion of a gas or 

vapor within it, 2) able to prevent the ignition of an explosive gas or vapor 

that may surround it and 3) that operates with an external temperature that 

a surrounding explosive gas or vapor will not be ignited from conditions 

within the enclosure. 

A condition wherein the valve closing component moves to a closed position 

when the actuating energy source fails. 

A condition wherein the valve closing component stays in its last position 

when the actuating energy source fails 

0 

0 

Page 8 of33



0 

Fail open 

Fail safe 

Failure rate 

Failure modes 

FAT 

Fault propagation modeling 

Fault tolerance 

Fault tree diagram 

Field bus 

Final element 

A condition wherein the valve closing component moves to an open position 

when the actuating energy source fails. 

(or preferably de-energize to trip) A characteristic of a particular device 

which causes that device to move to a safe state when it loses electrical or 

pneumatic energy. 

The number of failures per unit time for a piece of equipment. Usually 

assumed to be a constant value. It can be broken down into several 

categories such as safe and dangerous, detected and undetected, and 

independent/normal and common cause. Care must be taken to ensure that 

burn in and wearout are properly addressed so that the constant failure rate 

assumption is valid. 

The way that a device fails. These ways are generally grouped into one of 

four failure modes: Safe Detected (SD), Dangerous Detected (DD), Safe 

Undetected (SU), and Dangerous Undetected (DU) per !SA TR84.0.02. 

Factory acceptance test. A test performed before shipment to site, usually 

at the vendor or integrator premises, often witnessed by the end user. Not a 

mandatory step in IEC61511, but very common to avoid problems during 

site acceptance testing (SAT) and site integration testing (SIT). 

The analysis of the chain of events that leads to an accident. By analyzing 

what events initiate that chain, which events contribute to, or allow the 

accident to propagate, and establishing how they are logically related, the 

event frequency can be determined. Fault propagation modeling techniques 

use the failure rates of individual components to determine the failure rate of 

the overall system. 

Ability of a functional unit to continue to perform a required function in the 

presence of random faults or errors. For example a 1 oo2 voting system can 

tolerate one random component failure and still perform its function. Fault 

tolerance is one of the specific requirements for safety integrity level (SIL) 

and is described in more detail in IEC 61508 Part 2 Tables 2 and 3 and in 

IEC 61511 (ISA84.01 2004) in Clause 11.4 

Probability combination method for estimating complex probabilities. Since it 

generally takes the failure view of a system, it is useful in multiple failure 

mode modeling. Care must be taken when using it to calculate integrated 

average probabilities. 

A Fieldbus is a digital, two-way, multi-drop communication link between 

intelligent measurement and control devices. It serves as a Local Area 

Network (LAN) for advanced process control, remote input/output and high 

speed factory automation applications. 

Component of a safety function (such as a valve) which directly prevents 

the harmful event and brings the process to a safe state. 

Page 9 of33



Fire (Flash) 

Fire (Jet) 

Fire (Pool) 

Fireball 

Fixed program language (FPL) 

Flammability 

Flash point 

The result of ignition of a cloud of flammable vapor, when the flame velocity 

is too slow {laminar and subsonic) to produce an explosive shock wave. 

When a gas phase mixture of fuel an air is ignited, a flame front travels from 

the point of ignition in all directions where the fuel/air concentration is within 

flammable limits. The velocity of the flame front will determine the type of 

damage that will be caused by this event. 

Results when high-pressure flammable material is ignited as it is being 

released from containment. The effect zone of a jet fire is proportional to the 

size of the flame generated. As a high-pressure material is released from a 

hole, the material will exit with a velocity that is mainly a function of system 

pressure and hole size. As distance away from the hole increases, the 

amount of oxygen in the mixture increases as air is entrained in the jet. As 

the upper flammability limit threshold is crossed, the fuel and air react, 

releasing the energy of combustion. As the combustion continues, entrained 

air, unburned fuel and combustion products continue to move in the 

direction of the release due to the momentum generated by the release. 

Results when spilled flammable liquids are ignited. The magnitude of the 

effect zone created by a pool fire will depend on the size of the flame that is 

generated, which in turn depends on the size of the spill surface and the 

properties of the spilled fluid. The flame's footprint is determined by the 

containment of the liquid spill, which is often controlled by any dikes or 

curbs present. If a spill is unconfined, the liquid will spread over an area 

determined by the fluid's viscosity and the characteristics of the surface on 

which the material is spilled, such as its porosity. 

Result of a sudden and widespread release of a flammable gas or volatile 

liquid that is stored under pressure, coupled with immediate ignition. This is 

distinguished from a jet fire by the shorter duration of the event and the 

difference in the geometry and shape of the flame. When a pressure vessel 

containing a flammable gas or volatile liquid ruptures, the first result is the 

quick dispersion of the flammable material as the high-pressure material 

rapidly expands to atmospheric pressure. During this expansion, the release 

will entrain large quantities of air as a result of the process. If the material in 

the vessel is a volatile liquid, this process will also cause formation of an 

aerosol with the dispersion of liquid droplets away from the release as a Q 

result of the vapor expansion. . .. 

This type of language limits the user to adjusting a few parameters (for 

example, range of the pressure transmitter, alarm levels, network 

addresses). Typical examples of devices with FPL are: smart sensors {for 

example, pressure transmitter), smart valves, sequence of events 

controllers, dedicated smart alarm boxes, and small data logging systems. 

Susceptibility to combustion. flammable (explosive) limits The flammable 

(explosive) limits of a gas or vapor are the lower (LFL or LEL) and the upper 

(UFL or UEL) percentages by volume of concentration of gas in a gas-air 

mixture that will form an ignitable mixture 

The minimum temperature where a liquid emits vapor in a concentration 

sufficient to form an ignitable mixture with air near the surface of the liquid 

but not sufficient to sustain combustion. 

0 

Page10of33



0 

0 

Floating ball 

Flow straightener 

FMEDA 

A full ball positioned within the ball valve that contacts either of two seat 

rings and is free to move toward the seat ring opposite the pressure source 

when in the closed position to effect tight shutoff 

A supplementary length of straight pipe or tube, containing straightening 

vanes or the equivalent, which is installed directly upstream of a flow meter 

for the purpose of eliminating swirl from the fluid entering the flow meter 

Failure Modes Effects and Diagnostics Analysis- This is a detailed analysis 

of the different failure modes and diagnostic capability for a piece of 

equipment. This is an effective method for determining failure modes and 

failure rates, a requirement for certification against IEC 61508 in most 

certification agencies. 

Four-wire transmitter Electronic transmitter that has separate pairs of wires for signal and power. 

Full variability language (FVL) 

Functional safety 

Functional safety assessment 

Fusible plug 

Gain 

Gasket 

This type of language is designed for computer programmers and provides 

the capability to implement a wide variety of functions and applications 

Typical example of systems using FVL are general purpose computers. In 

the process sector, FVL is found in embedded software and rarely in 

application software. FVL examples include: Ada, C, Pascal, Instruction List, 

assembler languages, C++, Java, and SQL. 

Freedom from unacceptable risk achieved through the safety lifecycle. See 

IEC 61508, IEC 65111, safety lifecycle, and tolerable risk. 

Activity performed by a competent senior engineer to determine if the safety 

system does meet the specification and actually achieve functional safety 

(freedom from unacceptable risk). This assessment is an important part of 

reducing systematic failures. It must be performed at least after 

commissioning and validation but before the hazard is present. 

A hollowed threaded plug having the hollowed portion filled with a low 

melting point material. This element is often used to provide a mechanical 

relief device triggered by temperature causing the process fluid to vent 

when the plug material melts. 

1. Ratio of output signal magnitude to input signal magnitude; when less 

than one this is usually called attenuation. 2. The relative degree of 

amplification in an electronic circuit. 3. The ratio of the change in output to 

the change in input which caused the change. 4. In a controller, the 

reciprocal of proportional band Proportional band can be expressed as a 

dimensionless number (gain) or as a percent. 

A sealing member, usually made by stamping from a sheet of cork, rubber, 

metal or impregnated synthetic material and clamped between two 

essentially flat surfaces to prevent pressurized fluid from leaking through the 

crevice; typical applications include flanged joints in piping, head seals in a 

reciprocating engine or compressor, casing seals in a pump, or virtually 

anywhere a pressure tight joint is needed between stationary members. 

Also known as "static seal." 

Page 11 of33



Gate valve 

Gland 

Globe valve 

Go/no go test 

Grab sampling 

Ground loop 

HART 

Hazard 

Hazard Matrix 

Hazardous area 

A valve with a closing piece in the form of a flat or wedge shaped gate 

which may be moved linearly in or out of the flow stream. It has a straight 

through flow path. 

A device for preventing a pressurized fluid from leaking out of a casing at a 

machine joint, such as at a shaft penetration for a valve or pump. Also 

known as "gland seal." 

1. A valve with a closure piece that moves in a straight line, one or more 

ports, and a body distinguished by a globular shaped cavity around the port 

region. 2. A type of flow regulating valve consisting of a movable disc and a 

stationary ring seat in a generally spherical body. In the general design, the 

fluid enters below the valve seat and leaves from the cavity above the seat. 

A test in which one or more parameters are determined, but which can 

result only in acceptance or rejection of the test object, depending on the 

value(s) measured. 

A method of sampling bulk materials for analysis, which consists of taking 

one or more small portions (usually only imprecisely measured) at random 

from a pile, tank, hopper, railcar, truck or other point of accumulation. 

Circulating current between two or more connections to electrical ground. 

This signal can be detected and displayed by electronic instruments. These 

signals are generally not associated with the variable to be measured and 

represent noise in the measuring system. They are typically broken 

(removed) by adding optical coupling devices to the circuit. 

Highway Addressable Remote Transducer. The HART protocol was 

originated by Rosemount in the late 1980:s. The protocol was "open" for 

other companies to use and a User Group formed in 1990. 

The potential for harm. 

A category based method for assigning a safety integrity level (SIL). The 

user must create a matrix that assigns defined categories to the 

consequence (one axis dimension) and likelihood (other axis dimension) 

components of the risk with a SIL assignment associated for each entry in 

the matrix. In some cases, quantitative tools, such as LOPA, are used to 

assist the analyst in determining which category to use, but often the 

assignment is done qualitatively, using engineering judgment. 

A US classification for an area in which explosive gas/air mixtures are, or 

may be expected to be, present in quantities such as to require special 

precautions for the construction and use of electrical apparatus. 

Division 1 (hazardous). Where concentrations of flammable gases or vapors 

exist a) continuously or periodically during normal operations; b) frequently 

during repair or maintenance or because of leakage; or c) due to equipment 

breakdown or faulty operation which could cause simultaneous failure of 

electrical equipment. (See the US "National Electrical Code, Paragraph 500 

4(a)" for detailed definition.) 

0 

-.- 

0 

Page12of33



0 

0 

Hazardous material 

HAZOP 

HFT 

H&MB 

Heuristic 

HMI/MMI 

HSE 

Hydrogen damage 

IDLH 

Division 2 (normally nonhazardous). Locations in which the atmosphere is 

normally nonhazardous and may become hazardous only through the 

failure of the ventilating system, opening of pipe lines, or other unusual 

situations. (See the US "National Electrical Code, Paragraph 500 4(b)" for 

detailed definition.) 

Nonhazardous. Areas not classified as Division 1 or Division 2 are 

considered nonhazardous. NOTE: It is safe to have open fiames or other 

continuous sources of ignition in nonhazardous areas [S12.4]. 

Any substance that requires special handling to avoid endangering human 

life, health or well being. Such substances include poisons, corrosives, and 

flammable, explosive or radioactive chemicals. 

Hazards and operability study. A process hazards analysis procedure 

originally developed by ICI in the 1970s. The method is highly structured 

and divides the process into different operationally-based nodes and 

investigates the behavior of the different parts of each node based on an 

array of possible deviation conditions or guidewords. 

Hardware fault tolerance (see fault tolerance) 

Heat and Material Balance. An accounting of the distribution of the heat and 

material input and output for a process. Usually prepared as part of the 

process fiow sheet or diagram (PFD) development early in an engineering 

project. Usually part of the input to a HAZOP or other hazard identification 

process. 

Pertaining to a method of problem solving in which solutions are discovered 

by evaluation of the progress made toward the final solution, such as a 

controlled trial and error method. An exploratory method of tackling a 

problem, or sequencing of investigation, experimentation, and trial solution 

in closed loops, gradually closing in on the solution. A heuristic approach 

usually implies or encourages further investigation, and makes use of 

intuitive decisions and inductive logic in the absence of direct proof known 

to the user. Thus, heuristic methods lead to solutions of problems or 

inventions through continuous analysis of results obtained thus far, 

permitting a determination of the next step. A stochastic method assumes a 

solution on the basis of intuitive conjecture or speculation and testing the 

solution against known evidence, observations, or measurements. The 

stochastic approach tends to omit intervening or intermediate steps toward 

a solution. Contrast with stochastic and algorithmic. 

Human or Man Machine Interface. Refers to the software that the process 

operator "sees" the process with. An example HMI/MMI screen may show a 

tank with levels and temperatures displayed with bar graphs and values. 

Valves and pumps are often shown and the operator can "click" on a device 

to turn it on, off or make a set point change. 

(UK) Health and Safety Executive 

Any of several forms of metal failure caused by dissolved hydrogen, 

including blistering, internal void formation, and hydrogen induced delayed 

cracking. 

Immediately Dangerous to Life and Health. Use in consequence analysis to 

estimate toxic effects on people. 

Page 13of33



IEC 

International Electrotechnical Commission. A worldwide organization for 

standardization. The object of the IEC is to promote international 

cooperation on all questions concerning standardization in the electrical and 

electronic fields. To this end and in addition to other activities, the IEC 

publishes international standards. See 61508 and 61511. 

Impact analysis activity of determining the effect that a change to a function or component 

will have to other functions or components in that system as well as to other 

systems 

Impedance The complex ratio of a force-like parameter to a related velocity-like 

parameter - for instance, force to velocity, pressure to volume, electric 

voltage to current, temperature to heat flow, or electric field strength to 

magnetic field strength. 

Incident 

The result of an initialing event that is not stopped from propagating. The 

incident is most basic description of an unwanted accident, and provides the 

least information. The term incident is simply used to convey the fact that 

the process has lost containment of the chemical, or other potential energy 

source. Thus the potential for causing damage has been released but its 

harmful result has not has not taken specific form. 

Inductance 1. In an electrical circuit, the property that tends to oppose changes in 

current magnitude or direction. 2. In electromagnetic devices, generating 

electromotive force in a conductor by means of relative motion between the 

conductor and a magnetic field such that the conductor cuts magnetic lines 

afforce. 

Infrared 

Any electromagnetic wave whose wavelength is 0. 78 to 300 microns. 

Typically used to detect moisture or heal/temperature. 

Integral control A type of controller function where the output (control) signal or action is a 

time integral of the input (sensor) signal. 

Interference, common mode 

A form of interference which appears between measuring circuit terminals 

and ground. See also EM I. 

Interference, electromagnetic 

Any spurious effect produced in the circuits or elements of a device by 

external electromagnetic fields. NOTE: A special case of interference from 

radio transmitters is known as "radio frequency interference (RFI)" See also 

EM I. 

Interference, normal-mode 

A form of interference which appears between measuring circuit terminals. 

See also EM I. 

Interlock 

1. Instrument which will not allow one part of a process to function unless 

another part is functioning. 2. A device such as a switch that prevents a 

piece of equipment from operating when a hazard exists. 3. To arrange the 

control of machines or devices so that their operation is interdependent in 

order to assure their proper coordination. 

0 

0 

Page 14 of33



0 

Intrinsic safety 

1/0 

1. A type of protection in which a portion of the electrical system contains 

only intrinsically safe equipment (apparatus, circuits, and wiring) that is 

incapable of causing ignition in the surrounding atmosphere. No single 

device or wiring is intrinsically safe by itself (except for battery-operated 

self-contained apparatus such as portable pagers, transceivers, gas 

detectors, etc., which are specifically designed as intrinsically safe selfcontained 

devices) but is intrinsically safe only when employed in a properly 

designed intrinsically safe system. This type of protection is referred to by 

IEC as "Ex 1.". 2. Design methodology for a circuit or an assembly of circuits 

in which any spark or thermal effect produced under normal operating and 

specified fault conditions is not capable under prescribed test conditions of 

causing ignition of a given explosive atmosphere. 3. A method to provide 

safe operation of electric process control instrumentation where hazardous 

atmospheres exist. The method keeps the available electrical energy so low 

that ignition of the hazardous atmosphere cannot occur. 4. A protection 

technique based upon the restriction of electrical energy within apparatus 

and of interconnecting wiring, exposed to a potentially explosive 

atmosphere, to a level below that which can cause ignition by either 

sparking or heating effects. Because of the method by which intrinsic safely 

is achieved, it is necessary to ensure that not only the electrical apparatus 

exposed to the potentially explosive atmosphere but also other electrical 

apparatus with which it is interconnected is suitably constructed. 

Input/Output. Refers to the electronic hardware where the field devices are 

wired. Discrete 1/0 would have switches for inputs and send signals to 

solenoid valves and pumps for outputs. Analog 1/0 would have continuously 

variable process values inputs, and controller outputs. 

1/S barrier 

IPL 

ISA 

Jacketed valve 

Intrinsic safely barrier. Physical element that limits current and voltage into 

a hazardous area in order to satisfy Intrinsic Safety requirements. 

Independent protection layer or layers. This refers to various other methods 

of risk reduction possible for a process. Examples include items such as 

rupture disks and relief valves which will independently reduce the likelihood 

of the hazard escalating into a full accident with a harmful outcome. In order 

to be effective, each layer must specifically prevent the hazard in question 

from causing harm, act independently of other layers, have a reasonable 

probability of working, and be able to be audited once the plant is operation 

relative to its original expected performance. 

Instrumentation, Systems and Automation Society See IEC 61511. 

A valve body cast with a double wall or provided with a second wall by 

welding material around the body so as to form a passage for a heating or 

cooling medium. Also refers to valves which are enclosed in split metal 

jackets having internal heat passageways or electric heaters. Also referred 

to as "steam jacketed" or "vacuum jacketed. " In a vacuum jacketed valve, a 

vacuum is created in the space between the body and secondary outer wall 

to reduce the transfer of heat by convection from the atmosphere to the 

internal process fluid, usually cryogenic. 

Page 15 of33



Ladder diagram 

Lambda 

Laser Doppler flowmeter 

Latent fault 

LEL/LFL 

Likelihood 

Limited variability language (LVL) 

Symbolic representation of a control scheme. The power lines form the two 

sides of a ladder like structure, with the program elements arranged to form 

the rungs. The basic program elements are contacts and coils as in 

electromechanical logic systems. Typically programs of this form fall into the 

limited variability language (LVL) category. 

Failure rate for a system. See failure rate. 

An apparatus for determining flow velocity and velocity profile by measuring 

the Doppler shift in laser radiation scattered from particles in the moving 

fluid stream 

A fault that is present but hidden from regular means of detection. Typically 

these faults can only be identified as part of an accident or a detailed proof 

test. 

Lower explosive (or flammable) limit. See flammability. 

The frequency of a harmful event often expressed in events per year or 

events per million hours. One of the two components used to define a risk. 

Note that this is different from the traditional English definition that means 

probability. 

This type of language is designed for process sector users, and provides 

the capability to combine predefined, application specific, library functions to 

implement the safety requirements specifications. An LVL provides a close 

functional correspondence with the functions required to achieve the 

application. Typical examples of LVL are ladder diagram, function block 

diagram and sequential function chart 

Linear variable differential transformer (L VDT) 

A position sensor consisting of a central primary coil and two secondary 

coils wound on the same core; a moving iron element linked to a 

mechanical member induces changes in self induction that are directly 

proportional to movement of the member. 

Linear variable reluctance transducer (LVRT) 

Load cell 

Loop 

Longitudinal redundancy check (LRC) 

A position sensor consisting of a centre tapped coil and an opposing moving 

coil attached to a linear probe; the winding is continuous over the length of 

the core, instead of being segmented as in an LVDT. 

A transducer for the measurement of force or weight. Action is based on 

strain gauges mounted within the cell on a force beam. 

A combination of two or more instruments or control or safety functions 

arranged so that signals pass from one to another for the purpose of 

measurement and/or control of a process variable or executing a safety 

function. 

Error detection scheme that consists of a byte where each bit is calculated 

on the basis of the parity of all the bits in the block that have the same 

power of two. 

0 

CT 

Page 16of33



0 

0 

LOPA 

Markov analysis 

Mode (Continuous) 

Layer of Protection Analysis. A method of analyzing the likelihood 

(frequency) of a harmful outcome event based on an initiating event 

frequency and on the probability of failure of a series of independent layers 

of protection capable of preventing the harmful outcome. 

A fault propagation method used to analyze failure rate or probability for 

safety instrumented functions. A diagram is constructed to represent the 

system under consideration including the logical relationships between its 

components. In Markov analysis there are a group of circles, each of which 

represents a system state. The different states are connected with 

transitions, which are shown as arrows and indicate paths to move from one 

state to another. The transitions are quantified using either failure rates 

when the transition is from an OK state to a failed state or repair rates when 

the transition is from a failed state back to an OK state. As with other 

models, there are several solution methods to obtain results. For safety 

instrumented system applications, the method using steady state equations 

is not appropriate. Numeric discrete time solutions are excellent. 

When demands to activate a safety function (SIF) are frequent compared to 

the test interval of the SIF. Note that other sectors define a separate high 

demand mode, based on whether diagnostics can reduce the accident rate. 

In either case, the continuous mode is where the frequency of an unwanted 

accident is essentially determined by the frequency of a dangerous SIF 

failure. When the SIF fails, the demand for its action will occur in a much 

shorter time frame than the function test, so speaking of its failure 

probability is not meaningful. Essentially all of the dangerous faults of a SIF 

in continuous mode service will be revealed by a process demand instead 

of a function test. See low demand mode, high demand mode, and SIL. 

Mode (High Demand) (also continuous mode per IEC 61511) Similar to continuous mode only 

there is specific credit taken for automatic diagnostics. The split between 

high demand and continuous mode is whether the automatic diagnostics 

are run many times faster than the demand rate on the safety function. If the 

diagnostics are slower than this there is no credit for them and the 

continuous mode applies. 

Mode (Low Demand) (also demand mode per IEC 61511) when demands to activate the safety 

instrumented function (SIF) are infrequent compared to the test interval of 

the SIF. The process industry defines this mode when the demands to 

activate the SIF are less than once every two proof test intervals. The low 

demand mode of operation is the most common mode in the process 

industries. When defining safety integrity level for the low demand mode, a 

SIF's performance is measured in terms of average Probability of Failure on 

Demand (PFDavg). In this demand mode, the frequency of the initiating 

event, modified by the SIF's probability of failure on demand times the 

demand rate and any other downstream layers of protection determine the 

frequency of unwanted accidents. 

Modulation 

1. The process or the result of the process by which some characteristic of 

one wave is varied in accordance with some characteristic of another wave 

(AM, amplitude modulation; PM, phase modulation; FM, frequency 

modulation). 2. The action of a control valve to regulate fluid flow by varying 

the position of the closure component. 

Page 17of33



MTTF 

MTTR 

MTTFS 

Multiplexing 

MWP 

NAK 

Needle valve 

NEMA standard 

NC I (NO) 

NIOSH 

Noise 

Nozzle 

Nuisance trip 

Mean Time to Failure - The average amount of time until a system fails or 

its "expected" failure time. Please note that the MTTF can be assumed to be 

the inverse of failure rate (lambda) for a series of components, all of which 

have a constant failure rate for the useful life period of the components. 

Mean Time to Repair - The average time between the occurrence of a 

failure and the completion of the repair of that failure. This includes the time 

needed to detect the failure, initiate the repair and fully complete the repair. 

Mean Time to Fail Spurious - The mean time until a failure of the system 

causes a spurious process trip. 

The transmission of a number of different messages simultaneously over a 

single circuit. 

maximum working pressure. See Pressure, maximum working 

Negative acknowledgment. This code indicates that the last block 

transmitted was in error and that the receiver is expecting a re-transmission. 

Its essential design feature is a slender tapered rodlike control element 

which fits into a circular or conoidal seat. Operating the valve causes the 

rod to move into or out of the seat, gradually changing the effective cross 

sectional area of the gap between the rod and its seat. Typically used for 

precise low flow applications. 

Consensus standards for electrical equipment approved by the majority of 

the members of the US National Electrical Manufacturers Association. 

Normally Closed (Normally Open) 1. A switch position where the usual 

arrangement of contacts permits (prevents) the flow of electricity in the 

circuit. 2. In a solenoid valve, an arrangement whereby the disk or plug is 

seated (open) when the solenoid is de-energized. 3. A field contact that is 

closed (open) for a normal process condition and open (closed) when the 

process condition is abnormal. 4. A valve with means provided to move to 

and/or hold in its closed (open) position without actuator energy supply. 5. 

Relay contacts that are closed (open) when the coil is not energized. 

(US) National Institute of Occupational Safety and Health 

1. In process instrumentation, an unwanted component of signal or. See 

"interference, electromagnetic". 2. Any spurious variation in the electrical 

output not present in the input. 3. An unwanted component of a signal or 

variable which obscures the information content. 4. Random variations of 

one or more characteristics of any entity, such as voltage, current, or data. 

5. A random signal of known statistical properties of amplitude, distribution, 

and spectral density. 6. Loosely, any disturbance tending to interfere with 

the normal operation of a device or system 

1. A short flanged or welded neck connection on a drum or shell for the 

outlet or inlet of fluids; also a projecting spout through which a fluid flows. 2. 

A streamlined device for accelerating and directing fluid flow into a region of 

lower fluid pressure. 3. A particular type of restriction used in flow system to 

facilitate flow measurement by pressure drop across a restriction 

See safe failure 

0 

0 

Page 18 of33



0 

0 

Occupancy 

Offset 

On-off control 

Orifice meter 

OSHA 

OSI 

Overrange 

Overrange limit 

Override control 

A measure of the probability that the effect zone of an accident will contain 

one or more personnel receptors of the effect. This probability should be 

determined using plant-specific staffing philosophy and practice. See effect 

zone. 

1. A sustained deviation of the controlled variable from set point. This 

characteristic is inherent in proportional controllers that do not incorporate 

reset action. 2. Offset is caused by load changes. 3. The steady state 

deviation when the set point is fixed. NOTE: The offset resulting from a no 

load to a full load change (or other specified limits) is often called "droop" of 

load regulation." 4. A constant and steady state of deviation of the 

measured variable from the set point. 

A simple form of control whereby the control variable is switched fully on or 

fully off in response to the process variable rising above the set point or 

falling below the set point respectively. Cycling always occurs with this form 

of control. 

A plate with a calibrated sharp edged hole in it. The plate is positioned 

across the flow stream in a pipe for measuring fluid flow rates. It typically 

has differential pressure taps positioned near the orifice and a calibrated 

calculation element to convert the measured pressure difference into a flow 

rate value. 

Occupational Safety and Health Administration 

Open system interconnection. A seven layered model of communications 

networks defined by ISO. The seven layers are: 

Layer 7 Application: provides the interface for application to access the OSI 

environment. 

Layer 6 Presentation: provides for data conversion to preserve the meaning 

of the data. 

Layer 5 Session: provides user to user connections. 

Layer 4 Transport: provides end to end reliability. 

Layer 3 Network: provides routing of data through the network. 

Layer 2 Data Link: provides link access control and reliability. 

Layer 1 Physical: provides an interface to the physical medium. 

In process instrumentation, of a system or element, any excess value of the 

input signal above its upper range value or below its lower range value 

The maximum input that can be applied to a device without causing damage 

or permanent change in performance. 

1. Generally, two control loops connected to a common final control 

element-one control loop being nominally in control with the second being 

switched in by some logic element when an abnormal condition occurs so 

that constant control is maintained. 2. A technique in which more than one 

controller manipulates a final control element. The technique is used when 

constraint control is important. 

Page 19of33



Overshoot 

Pareto chart 

Parity 

PFDavg 

pH meter 

PHA 

Physical relief device 

PID control 

Pigtail 

1. The amount of output measured beyond the final steady output value, in 

response to a step change in the input. NOTE: Expressed in percent of the 

equivalent step change in output. 2. A transient response to a step change 

in an input signal which exceeds the normal or expected steady state 

response. 3. The maximum difference between the transient response and 

the steady state response. 

A display of the number of failures of components by part number in 

descending order of failure rate or number of failures observed. Data may 

also be shown taking into account the total cost of each failure. 

A check that tests whether the number of ones or zeroes in an array of 

binary digits is odd or even used to verify data storage and transmission. 

This is usually done by calculating the sum of the " 1 " bits in a data unit and 

determining if it is either an odd or even number. A binary digit (parity bit) is 

then added to a group of bits to make the sum of all the bits always odd 

(odd parity) or always even (even parity). 

Probability of Failure on Demand average- This is the probability that a 

system will fail dangerously, and not be able to perform its safety function 

when required. PFD can be determined as an average probability or 

maximum probability over a time period. lEG 61508/61511 and ISA 84.01 

use PFD, 9 as the system metric upon which the SIL is defined. 

Also Process Flow Diagram. A diagram of the basic process equipment 

usually accompanied by a heat and material balance. Typically prepared 

early in an engineering project, it is usually part of the input to a HAZOP or 

other hazard identification process. 

An instrument for electronically measuring electrode potential of an aqueous 

chemical solution and directly converting the reading to pH value. pH is the 

symbol for the measurement of acidity or alkalinity. Solutions with a pH 

reading of less than 7 are acid; solutions with a pH reading of more than 7 

are alkaline on the pH scale of 0 to 14, where the midpoint of 7 is neutral. 

Process hazards analysis. Required by both PSM and the safety lifecycle. 

Identifying the hazards of a process for all reasonably foreseeable 

circumstances, determining the sequence of events leading to harm, and 

estimating the likelihood {frequency) and consequence magnitude of the 

potential harm. Various hazard identification methods include Checklist, 

What if?, What if? I Checklist, HAZOP (Hazards and Operability Study), 

FMEA (Failure Modes and Effects Analysis), and Fault Tree Analysis. 

Mechanical equipment that performs an action to relieve pressure when the 

normal operating range of temperature or pressure has been exceeded. 

Physical relief devices include pressure relief valves, thermal relief valves, 

rupture disks, rupture pins, and high temperature fusible plugs. 

Proportional-plus-integral-plus-derivative control, used in processes where 

the controlled variable is affected by long lag times. 

A 270' or 360' loop in pipe or tubing to form a trap for vapor condensate. 

Used to prevent high temperature vapors from reaching the instrument. 

Used almost exclusively in static pressure measurement. 

0 

0 

Page 20 of33



0 

0 

P&ID 

Pilot tube 

PLL 

Plug valve 

Positioner 

PLC 

Predictive control 

Pressure, design 

Pressure, maximum working 

Piping and instrumentation drawing. Shows the interconnection of process 

equipment and the instrumentation used to control the process. In the 

process industry, a standard set of symbols is used to prepare drawings of 

processes. The instrument symbols used in these drawings are generally 

based on Instrument Society of America (!SA) Standard S5. 1. 2. The 

primary schematic drawing used for laying out a process control installation. 

1. An instrument for measuring stagnation pressure of a flowing liquid; it 

consists of an open tube pointing upstream, into the flow of fluid, and 

connected to a pressure indicator or recorder. 2. An instrument which will 

register total pressure and static pressure in a gas stream, used to 

determine its velocity. 

Probable loss of life. A numerical expression for the magnitude of a 

consequence in terms of the most likely number of lives that will be lost in a 

given event or over a given time interval. The value need not be a whole 

number. 

1. A valve with a closing element that may be cylindrical, conical or a 

spherical segment in shape that is opened or closed with rotary motion. 2. A 

type of shutoff valve consisting of a tapered rod with a lateral hole through 

it. As the rod is rotated 90° about its longitudinal axis, the hole is first 

aligned with the direction of flow through the valve and then aligned 

crosswise, interrupting the flow. 

A position controller, which is mechanically connected to a moving part of a 

final control element or its actuator, and automatically adjusts its output 

pressure to the actuator in order to maintain a desired position that bears a 

predetermined relationship to the input signal. The positioner can be used to 

modify the action of the valve (reversing positioner), extend the 

stroke/controller signal (split range positioner), increase the pressure to the 

valve actuator (amplifying positioner) or modify the control valve flow 

characteristic (characterised positioner). 

Programmable Logic Controller. These computers replace relay logic and 

often have PID (proportional integral and derivative) controllers built into 

them. PLCs are very fast at processing discrete signals (like a switch 

condition). They can be designed for either regular or SIL rated applications. 

1. A type of automatic control in which the current state of a process is 

evaluated in terms of a model of the process and controller actions modified 

to anticipate and avoid undesired excursions. 2. Self tuning. 3. Artificial 

intelligence. 

The pressure used in the design of a vessel or device for the purpose of 

determining the minimum permissible thickness or physical characteristics 

of the parts for a given maximum working pressure (MWP) at a given 

temperature. 

Page 21 of33



Pressure relief device 

Prior use 

Proof test 

Protection layer 

Proven in use 

Proportional control 

PSM 

PTC or GeT 

PTI orTI 

Purging 

The maximum total pressure permissible in a device under any 

circumstances during operation, at a specified temperature. It is the highest 

pressure to which it will be subjected in the process. It is a designed safe 

limit for regular use. NOTE: MWP can be arrived at by two methods: a) 

designed-by adequate design analysis, with a safety factor; b) tested-by 

rupture testing of typical samples. 

A mechanism that vents fluid from an internally pressurized system to 

counteract system overpressure; the mechanism may release all pressure 

and shut the system down (as does a rupture disc) or it may merely reduce 

the pressure in a controlled manner to return the system to a safe operating 

pressure (as does a spring loaded safety valve). 

See Proven in use 

Testing of safety system components to detect any failures not detected by 

automatic on-line diagnostics i.e. dangerous failures, diagnostic failures, 

parametric failures followed by repair of those failures to an equivalent asnew 

state. Proof testing is a vital part of the safety lifecycle and is critical to 

ensuring that a system achieves its required safety integrity level throughout 

the safety lifecycle. 

See IPL. 

Basis for use of a component or system as part of a safety integrity level 

(SIL) rated safety instrumented system (SIS) that has not been designed in 

accordance with IEC 61508. It requires sufficient product operational hours, 

revision history, fault reporting systems, and field failure data to determine if 

the is evidence of systematic design faults in a product. IEC 61508 provides 

levels of operational history required for each SIL. 

A control mode in which there is a continual linear relationship between the 

deviation computer in the controller, the signal of the controller, and the 

position of the final control element. 

Process safety management. Part of the US requirement under the 

Occupational Safety and Health Administration (OSHA) guidelines for 

managing risk when dealing with large quantities of certain materials. The 

regulation (29 CFR 1910.119) was published in 1992 to help prevent or 

minimize the consequences of catastrophic releases of toxic, reactive, 

flammable, or explosive chemicals. 

Proof Test Coverage -The percentage failures that are detected during the 

servicing of equipment. In general it is assumed that when a proof test is 

performed any errors in the system are detected and corrected (100% proof 

test coverage). 

Proof Test Interval - The time interval between servicing of the equipment. 

1. The addition of air or inert gas (such as nitrogen) into the enclosure 

around the electrical equipment at sufficient flow to remove any hazardous 

vapors present and sufficient pressure to prevent their re entry. 2. 

Elimination of an undesirable gas or material from an enclosure by means 

of displacing the undesirable material with an acceptable gas or material. 

0 

0 

Page 22 of33



0 

0 

Pyrometer 

Any of a broad class of temperature measuring instruments or devices. 

Some typical pyrometers include thermocouples, radiation pyrometers, 

resistance pyrometers and thermistors, but usually not thermometers. It is a 

temperature transducer that measures temperatures by the EM radiation 

emitted by an object, which is a function of the temperature. 

Quick-opening valve Control valve with trim characteristic designed to produce large flow 

capacity with small amount of valve opening. 

Random failure 

Rated capacity 

Ratio controller 

Receptor 

Redundancy 

Reliability 

Reliability block diagram 

Relief valve 

Repeatability 

A failure occurring at a random time, which results from one or more 

degradation mechanisms. Random failures can be effectively predicted with 

statistics and are the basis for the probability of failure on demand based 

calculations requirements for safety integrity level. See systematic failure. 

The manufacturers stated capacity rating for mechanical equipment, for 

instance, the maximum continuous capacity in pounds of steam per hour for 

which a boiler is designed. 

1. A controller that maintains a predetermined ratio between two or more 

variables. 2. Maintains the magnitude of a controlled variable at a fixed ratio 

to another variable. 

The object or persons on the receiving end of the harm in an unwanted 

event. Common receptors include personnel, plant equipment, plant 

production, the environment, and the general public. 

Use of multiple elements or systems to perform the same function. 

Redundancy can be implemented by identical elements (identical 

redundancy) or by diverse elements (diverse redundancy). Redundancy of 

primarily used to improve reliability or availability. 

1. The probability that a device will perform its objective adequately, for the 

period of time specified, under the operating conditions specified. 2. The 

probability that a component, piece of equipment or system will perform its 

intended function for a specified period of time, usually operating hours, 

without requiring corrective maintenance. 

Probability combination method for estimating complex probabilities. Since it 

generally takes the "success" view of a system, it can be confusing when 

used in multiple failure mode modeling. 

An automatic pressure relieving device actuated by the pressure upstream 

of the valve and characterized by opening pop action with further increase 

in lift with an increase in pressure over popping pressure. See pressure 

relief device. 

The ability of a transducer to reproduce output readings when the same 

input value is applied to it consecutively under the same conditions, and in 

the same direction. NOTE(S): Repeatability is expressed as the maximum 

difference between output readings; it is expressed as "within percent of fullscale 

output." Two calibration cycles are used to determine repeatability 

unless otherwise specified. 

Page 23 of33



Repeater 

Resealing pressure 

1. Device used to extend the range over which signals can be correctly 

transmitted and received for a given medium. 2. A device that amplifies or 

regenerates data signals in order to extend the distance between data 

stations. 

The inlet pressure at which fluid no longer leaks past a relief valve after it is 

closed. 

Response 1. The change in output of a device in relation to a change of input. 2. 

Defined output for a given input under explicitly stated conditions. 

Risk 

Risk (Inherent) 

Risk (Unmitigated) 

Risk graph 

Risk integral 

RMP 

RRF 

RTD 

Rupture disc 

Safe area 

Risk is a measure of the likelihood (frequency) and consequence (severity) 

of an adverse effect. (i.e., How often can harm happen and what will be the 

effects if it does?) 

The risk from a completed process design that contains a given amount of 

process materials at given process parameters (i.e. temperature, pressure, 

etc.) Can usually be managed by good process engineering. 

The level of risk that is present in a process before any safety instrumented 

systems are considered. This level helps identify how much risk reduction is 

required to be provided by any safety instrumented system installed as part 

of a process. This unmitigated risk level must be defined in terms ofboth 

consequence and likelihood. 

A qualitative and category-based method of safety integrity level (SIL) 

assignment. Risk graph analysis uses four parameters to make a SIL 

selection: consequence, occupancy, probability of avoiding the hazard, and 

demand rate. Each of these parameters is assigned a category and a SIL is 

associated with each combination of categories. In some C



0 

0 

Safe failure 

Safe failure fraction 

Safe state 

Safety ground 

Safety lifecycle 

Safety manual 

Failure that does not have the potential to put the safety instrumented 

system in a dangerous or fail-to-function state. The situation when a safety 

related system or component fails to perform properly in such a way that it 

calls for the system to be shut down or the safety instrumented function to 

activate when there is no hazard present. 

See SFF. 

Safety requirements specification 

Sample interval 

Sampling rate 

SAT 

Saturation 

The state of the process after acting to remove the hazard resulting in no 

significant harm. 

1. A connection between metal structures, cabinets, cases, etc. which is 

required to prevent electrical shock hazard to personnel. 2. Safety ground is 

not a signal reference point. 

The procedures to first analyze the situation and document the safety 

requirements (Analysis Phases). Then, translate these requirements into a 

documented safety system design, using appropriate software and 

hardware subsystems and design methodology (Realization Phases). Next, 

evaluate the system against the required integrity and reliability 

specifications and modify it as needed. Finally, operate and maintain the 

system according to accepted procedures (Operation Phases), and 

document the results to insure that performance standards are maintained 

throughout the system's life. See 61508 and 61511. 

Document required for equipment certified in accordance with IEC 61508 

that describes the conditions of use for that equipment in safety 

applications. It typically includes usage requirements/restrictions, 

environmental limits, optional settings, failure rate data, useful life data, 

common cause beta estimate, inspection and test procedures. The "safety 

manual" may be part of another document. 

Specification containing all the requirements of the safety functions that 

have to be performed by the safety-related system. It includes both what the 

functions must do and also how well they must do it. It is often a contractual 

document between companies and is one of the most important documents 

in the safety lifecycle process. 

The rate at which a controller samples the process variable, and calculates 

a new output. Ideally, the sample interval should be set between 4 and 10 

times faster than the process dead time. 

For a given measurement, the number of times that it is sampled per 

second in a time division multiplexed system. Typically, it is at least five 

times the highest data frequency of the measurement. 

Site acceptance test. Involves shipment of the system(s) to site, installation 

and start-up activities. Tests then validate that the installed safety 

instrumented system and its associated safety instrumented functions 

achieve the requirements as stated in the Safety Requirement Specification. 

Note: Full loop checking may come at a later stage. 

A situation when a further change in the input signal produces no significant 

additional change in the output. 

Page 25 of33



SCADA 

Seal chambers 

Seal leg 

Seat 

Segmented ball 

Sensor 

Sensor group 

Set point 

Set pressure 

SFF 

SIF 

Sight glass 

Signal common 

Signal isolation 

Supervisory control and data acquisition: Operator interface and monitoring 

of (usually remote) control devices by computer. 

Enlarged pipe sections in measurement impulse lines to provide a) a high 

area to volume displacement ratio to minimize error from hydrostatic head 

difference when using large volume displacement measuring elements, and 

b) to prevent loss of seal fluid by displacement into the process. Also known 

as Seal Pots 

The piping from the instrument to the top elevation of the seal fluid in the 

impulse line. seal on disk A seal ring located in a groove in the disk 

circumference. The body is unlined in this case [S75.05]. 

The fixed area of a valve into which the moving part of a valve rests when 

the valve is closed to retain pressure and prevent flow. 

A closure piece in a valve that is a segment of a spherical surface which 

may have one edge contoured to yield a desired flow characteristic. 

device or combination of devices that measure the process condition (e.g., 

transmitters, transducers, process switches, position switches, etc.) 

For complex safety functions, there may be more than one property which is 

measured to determine if a shut down is required. 

1. An input variable which sets the desired value of the controlled variable It 

is expressed in the same units as the controlled variable. 

The inlet pressure at which a safety relief valve opens; usually a pressure 

established by specification or code. 

Safe Failure Fraction -The fraction of the overall failure rate of a device that 

results in either a safe fault or a diagnosed (detected) unsafe fault. The safe 

failure fraction includes the detectable dangerous failures when those 

failures are annunciated and procedures for repair or shutdown are in place. 

Safety Instrumented Function - A set of equipment intended to reduce the 

risk due to a specific hazard (a safety loop). Its purpose is to 1. 

Automatically taking an industrial process to a safe state when specified 

conditions are violated; 2. Permit a process to move forward in a safe 

manner when specified conditions allow (permissive functions); or 3. Taking 

action to mitigate the consequences of an industrial hazard. It includes 

elements that detect an accident is imminent, decide to take action, and 

then carry out the action needed to bring the process to a safe state. Its 

ability to detect, decide and act is designated by the safety integrity level 

(SIL) of the function. See SIL. 

A glass tube, or a glass faced section of a process line, used for sighting 

liquid levels or taking manometer readings. 

1. The signal common shall refer to a point in the signal loop which may be 

connected to the corresponding points of other signal loops. It may or may 

not be connected to earth ground [S50.1]. 2. The reference point for all 

voltage signals in a system. Current flow into signal common is minimized to 

prevent IR drops which induce inaccuracy in the signal common reference. 

Signal isolation refers to the absence of a connection between the signal 

loop and all other terminals and earth ground. 

0 

0 

Page 26 of33



SIL 

Safety Integrity Level - A quantitative target for measuring the level of 

performance needed for safety function to achieve a tolerable risk for a 

process hazard. Defining a target SIL level for the process should be based 

on the assessment of the likelihood that an incident will occur and the 

'consequences of the mc1dent. The following table describes SIL for different 

'modes of operation. 

0 

SIL 

0 

SIL selection 

SIL verification 

SIS 

SIT 

Snubber 

The process of defining tolerable risk, confirming existing risk (both 

likelihood and consequence) and assigning a SIL rated safety function as 

needed to achieve a tolerable level of risk. 

The process of calculating the average probability of failure on demand (or 

the probability of failure per hour) and architectural constraints for a safety 

function design to see if it meets the required SIL. 

Safety Instrumented System - Implementation of one or more Safety 

Instrumented Functions. A SIS is composed of any combination of 

sensor(s), logic solver(s), and final element(s). A SIS is usually has a 

number of safety functions with different safety integrity levels (SIL) so it is 

best avoid describing it by a single SIL. See SIF. 

Site integration test. Once site acceptance testing is completed, the basic 

process control system and the safety instrumented system (SIS) 

communications and any hard-wired links are integrated and tested as a 

complete system to ensure that the system as a whole functions correctly. 

SIS signals, diagnostics, bypasses and alarms displayed on shared basic 

process control system human machine interface (HMI) screens will be 

tested during this stage. 

1. A device which is used to damp the motion of the valve stem. This is 

usually accomplished by an oil filled cylinder/piston assembly. The valve 

stem is attached to the piston and the flow of hydraulic fluid from one side of 

the piston to the other is restricted. 2. A mechanical or hydraulic device for 

restraining motion. 3. A device installed between an instrument and the 

process used to protect the instrument from rapid pressure fiuctuations. 

Page27 of33



Solenoid 

Solenoid valve 

Span 

Spurious trip 

Standard condition 

Standpipe 

Static head liquid level meter 

Static pressure 

Stochastic 

Stress corrosion cracking 

Supervisory control 

Suppressed range 

A type of electromechanical operator in which back and forth axial motion of 

a ferromagnetic core within an electromagnetic coil performs some 

mechanical function; common applications include opening or closing 

valves or electrical contacts. 

A shutoff valve whose position is determined by whether or not electric 

current is flowing through a coil surrounding a moving iron valve stem. 

The difference between the upper and lower range values. 

See Safe failure 

1. A temperature of O'C and a pressure of 1 atmospheres (760 torr). Also 

known as "normal temperature and pressure (NTP)"; "standard temperature 

and pressure {STP)." 2. According to the American Gas Association (AGA), 

a temperature of 60'F (1 5-5/9'C) and a pressure of 30 inches of mercury 

(762 mm). 3. According to the Compressed Gas Institute (CGI), a 

temperature of 20' C (68'F) and a pressure of 1 atmosphere. 

A vertical tube filled with a liquid such as water. 

A pressure sensing device, such as a gauge, connected in the piping 

system so that any dynamic pressures in the system cancel each other and 

only the pressure difference due to liquid head above the gauge position is 

registered. 

1. The pressure of a fluid that is independent of the kinetic energy of the 

fluid. 2. Pressure exerted by a gas at rest, or pressure measured when the 

relative velocity between a moving stream and a pressure measuring device 

is zero. 

Pertaining to direct solution by trial and error, usually without a step by step 

approach, and involving analysis and evaluation of progress made, as in a 

heuristic approach to trial and error methods. In a stochastic approach to a 

problem solution, intuitive conjecture or speculation is used to select a 

possible solution, which is then tested against known evidence, 

observations or measurements. Intervening or intermediate steps toward a 

solution are omitted. Contrast with "algorithmic" and "heuristic. " 

Deep cracking in a metal part due to the combination of tensile stress and a 

corrosive environment, causing failure in less time than could be predicted 

by simply adding the separate effects of stress and the corrosive 

environment. 

A term used to imply that a controller output or computer program output is 

used as an input to other controllers. See SCADA. 

A suppressed range is an instrument range which does not include zero. 

The degree of suppression is expressed by the ratio of the value at the 

lower end of the scale to the span. 

0 

0 

Page 28 of33



0 

0 

Systematic failure 

Target flow meter 

Thermal type flow meter 

Thermistor 

Thermocouple 

Tl 

Thermojunction 

Thermowell 

Time constant 

Torque tube flow meter 

A failure that happens in a deterministic (non random) predictable fashion from 

a certain cause, which can only be eliminated by a modification of the 

design or of the manufacturing process, operational procedures, 

documentation, or other relevant factors. Since these are not 

mathematically predictable, the safety lifecycle includes a large number of 

procedures to prevent them from occurring. The procedures are more 

rigorous for higher safety integrity level systems and components. Such 

failures cannot be prevented with simple redundancy. 

A device for measuring fluid flow rates through the drag force exerted on a 

sharp edged disk centered in a circular flow path due to differential pressure 

created by fluid flowing through the annulus. Usually, the disk is mounted on 

a bar whose axis coincides with the tube axis, and drag force is measured 

by a secondary device attached to the bar. 

An apparatus where heat is injected into a flowing fluid stream and flow rate 

is determined from the rate of heat dissipation; either the rise in temperature 

or some point downstream of the heater or the amount of thermal or 

electrical energy required to maintain the heater at a constant temperature 

is measured. 

A temperature transducer constructed from semiconductor material and for 

which the temperature is converted into a resistance, usually with negative 

slope and highly nonlinear. 

Two dissimilar wires joined together that generate a voltage proportional to 

temperature when their junction is heated relative to a reference junction. 

See thermojunction. 

Test Interval This acronym is typically used in risk analysis equations to 

represent the proof test interval described above. 

Temperature Indicator This acronym is used in piping and Instrumentation 

Diagrams (P&IDs) to designate a device with measures and displays the 

temperature. 

Either of the two locations where the conductors of a thermocouple are in 

electrical contact; one, the measuring junction, is in thermal contact with the 

body whose temperature is being determined, and the other, the reference 

junction, is generally held at some known or controlled temperature. 

A thermowell is a pressure tight receptacle adapted to receive a 

temperature sensing element and provided with external threads, flanges or 

other means for pressure tight attachment to a vessel. 

1. The value t in an exponential response term. For the output of a first 

order system forced by a step or an impulse, t is the time required to 

complete 63.2% of the total rise or decay. In higher order systems, there is 

a time constant for each of the first order components of the process. 2. The 

length of time required for the output of a transducer to rise to 63% of its 

final value as a result of a step change of input. 

Page 29 of33



Transient response 

Trim 

Turbine flow meter 

Turndown 

TOV 

A device for measuring liquid flow through a pipe in which differential 

pressure due to the flow operates a bellows, whose motion is transmitted to 

a recorder arm by means of a flexible torque tube. 

The response of a transducer to a step change of input. NOTE: Transient 

response, as such, is not shown in a specification except as a general 

heading, but is defined by such characteristics as time constant, response 

time, ringing period, etc 

The internal parts of a valve which are in flowing contact with the controlled 

fluid. Can be designed to any of the following requirements: 

Anti cavitation: reduces the tendency of the controlled liquid to cavitate. 

Anti noise: reduces the noise generated by fluid flowing through the valve. 

Balanced: minimizes the net static and dynamic fluid flow forces acting on 

the trim. 

Restricted or Reduced: has a flow area less than the full flow area for that 

valve. 

Soft-seated: with an elastomeric, plastic or other readily deformable material 

used either in the closure component or seat ring to provide shutoff with 

minimal actuator forces. 

A volumetric flow measuring device using the rotation of a turbine type 

element to determine flow rate. 

The ratio of the maximum plant design flow rate to the minimum plant 

design flow rate. 

Technische Oberwachungsverein (technical inspection association) Any one 

of a number of different private German companies which provide 

assessment services to various industries including process safety 

engineering. 

Two-wire transmitter Electronic transmitter which uses the power wires (typcally 24vdc) for signal 

transmission, usually by manipulating the current flow (typically 4-20mA) to 

represent the desired signal. 

U tube manometer 

UEL/UFL 

A device for measuring gauge pressure or differential pressure by means of 

a U shaped transparent tube partly filled with a liquid, commonly water; a 

small pressure above or below atmospheric is measured by connecting one 

leg of the U to the pressurized space and observing the height of liquid 

while the other leg is open to the atmosphere; a small differential pressure 

may be measured by connecting both legs to pressurized space for 

example, high and low pressure regions across an orifice or venturi. 

Upper explosive (or flammable) limit. See flammability. 

Ultrasonic flow meter A device for measuring flow rates across fluid streams by either Doppler 

effect measurements or time of transit determination; in both types of flow 

measurement, displacement of the portion of the flowing stream carrying the 

sound waves is determined and flow rate calculated from the effect on 

sound wave characteristics. 

UL 

Underwriters Laboratories An independent US testing and certifying 

organization. 

0 

0 

Page 30 of33



0 

0 

Useful life 

VModel 

V orifice 

Validation 

Valve body 

See wearout 

The basic project execution model that starts with high level design and 

goes down to detailed design followed by testing of the detailed design and 

then testing of the higher level design elements. 

"V"-shaped flow control orifice which allows a characterized flow control as 

the gate moves in relation to the fixed Vee opening. 

the activity of demonstrating that the safety instrumented function(s) and 

safety instrumented system(s) under consideration after installation meets 

in all respects the safety requirements specification. 

The part of the valve which is the main pressure boundary relative to the 

ambient. The body also provides the pipe connecting ends, the fluid flow 

passageway, and may support the seating surfaces and the valve closure 

member. 

Valve body assembly An assembly of a body, bonnet assembly, bottom flange and trim elements. 

The trim includes a valve plug which opens, shuts or partially obstructs one 

or more ports. 

Valve bonnet 

An assembly including the part through which a valve plug stem moves and 

a means for sealing against leakage along the stem. It usually provides a 

means for mounting the actuator. Sealing against leakage may be 

accomplished by packing or a bellows. A bonnet assembly may include a 

packing lubricator assembly with or without isolating valve. Radiation fins or 

an extension bonnet may be used to maintain a temperature differential 

between the valve body and sealing means. 

Valve flow coefficient (Cv) The number of US gallons (3.785 liters) per minute of 60°F (15.6°C) 

water that will flow through a valve with a one pound per square inch (6.89 

kPa) pressure drop. 

Vapor pressure 

Venturi meter 

Verification 

1. The pressure of a vapor corresponding to a given temperature where the 

liquid and vapor are in equilibrium. Vapor pressure increases with 

temperature. 2. The pressure (for a given temperature) at which a liquid is in 

equilibrium with its vapor. As a liquid is heated, its vapor pressure will 

increase until it equals the total pressure of the gas above the liquid; at this 

point the liquid will begin to boil. 

A type of flow meter that measures flow rate by determining the pressure 

drop through a venturi constriction. A venturi is a constriction in a pipe, tube 

or flume consisting of a tapered inlet, a short straight constricted throat and 

a gradually tapered outlet; fluid velocity is greater and pressure is lower in 

the throat area than in the main conduit upstream or downstream of the 

venturi; it can be used to measure flow rate, or to draw another fluid from a 

branch into the main fluid stream. 

Activity of demonstrating for each phase of the safety lifecycle by analysis 

and/or tests that, for the specific inputs, the deliverables meet the objectives 

and requirements set for the specific phase. 

Page 31 of33



Vortex flow meter 

Wearout 

Windup 

Zero shift 

Zone 

A device that measures flow by sensing the movement of vortices in a pipe 

or conduit. The instrument usually is constructed with a partial barrier 

(vortex shedder) inserted perpendicular to the flow to allow formation of 

vortices, and sensor(s) to detect the passing vortices. The vortices are shed 

from one side of the shedder and then the other side as the fluid flows 

around the shedder. The sensor counts the number of vortices generated 

per unit of time and the velocity of the fluid can then be calculated. 

The point where a piece of equipment has accumulated enough stress and 

weakened to the point where its failure rate increases significantly. Note that 

since essentially all safety systems assume a constant failure rate, theye 

must be replaced before they reach this wearout point. 

Saturation of the integral mode of a controller developing during times when 

control cannot be achieved, which causes the controlled variable to 

overshoot its set point when the obstacle to control is removed. 

A change in the output in response to a zero input over a specified period of 

time and at room conditions .. NOTE: This error is characterized by a parallel 

displacement of the entire calibration curve [S37. 1]. 2. A shift in the 

instrument calibrated span evidenced by a change in the zero value. 

Usually caused by temperature changes, overrange, or vibration of the 

instrument. 

The international method of specifying the probability that a location is made 

hazardous by the presence, or potential presence, of flammable 

concentrations of gases and vapors. NOTE: Zone classification has not yet 

been defined for dust. 

Zone 0: Classification of a location in which an explosive concentration of a 

flammable gas or vapor mixture is continuously present or is present for 

long periods. 


flammable or explosive gas or vapor mixture is likely to occur in normal 

operation. 


flammable or explosive gas or vapor mixture is unlikely to occur in normal 

operation and, if it does occur, will exist only for a short time 

0 

n 

References: 

Cross Instrumentation; "Control Valve and Actuator Definitions" downloaded from 

http://www.crossinstrumentation.com/tn/Presentation/Presentations%20Literature/ 

Common%20terms/Giossary.xls on 17 November 2006 

Gerry, John; "Glossary of Process Control Terms" downloaded from 

http://www.expertune.com/glossary.html on 15 November 2006. 

Goble, W. M, "Control Systems Safety Evaluation & Reliability." ISA 1998 

Guidelines for Chemical Process Quantitative Risk Analysis; (New York: American Institute of 

Chemical Engineers Center for Chemical Process Safety) 2000. 

IICA; "Dictionary of Technical Terms" downloaded from http://www.iica.org.au/info/terms/ on 15 

November 2006 

Page 32of33



IEC 61508; Functional Safety of electrical/ electronic I programmable electronic safety-related 

systems, IEC, 1998, 2000. 

IEC 61511 /I SA 84.00.01-2004; Functional safety- Safety instrumented systems for the process 

industry sector IEC 2003; ISA 2004. 

Marszal, E., and Scharpf, E.; "Safety Integrity Level Selection Systematic Methods Including Layer 

of Protection Analysis" ISA 2002. 

PAControl.com; "Foundation Fieldbus Glossary" downloaded from 

http://www.pacontrol.com/ffglossary.html on 15 November 2006. 

0 

Page 33 of33

n

Functional Safety Engineering II 

0 

Functional Safety Engineering II (Version 3.31) 

Participant's Notebook 

0 





0 

0

Table of Contents 

SECTION 1 

SECTION 2 

SECTION 3 

COURSE PRESENTATION 

EXERCISES 

ADDITIONAL RESOURCES 

0 

Extending IEC61508 Reliability Evaluation Techniques- W. Goble and J. Bukowski 

Getting Failure Rate Data- W. Goble 

Techniques for Achieving Reliability in Safety PLC Embedded Software- W. Goble 

0 

Copyright© 2000·2007 exida.com, L.L.C., All Rights Reserved 




0 

0

SECTION 1 

0 

Course Presentation 

0 





0 

0


SIS Design- SIL Verification 

lngenierfa de Seguridad Funcionalll 

Disefio del SIS- Verificaci6n del SIL 

0 

Sellersville, PA., USA 

Munich, Germany 

Westville, KZN, South Africa 

SERVICE CENTERS 

Australia: 

Canada: 

Netherlands: 

New Zealand: 

UK: 

USA (Houston): 

+61--3-9734-3886 

+1-403-475-1943 

+31-318-414-505 

+64-3-472-7707 

+44-24-7679-6480 

+ 1-832-439-3793 

+ 1-215-453-1720 

+49-89-4900-0547 

+27-31-267-1564 

Version 4.0b 

Copyright 102000-2008exida.com L.L.C. 

1 

Network of Excellence in Dependable 

Automation 

0 

Copyright© 2000-2008 exida.com L.L.C. 

2

exida Industry Focus 

• Management 

support 

• Development 

support 

• Certification 

·Tools 

• FSM setup 

• SIL verification 

·Tools 

• Competence 

development 

•CFSE 

• Tools 

0 

Copyright© 20oo-2oos exida.com L.L.C. 

Highest Technical Competency 

4:~ exida has developed 

many analysis techniques 

for functional safety and 

published books on these 

methods 

4> exida authored aiiiSA 

best sellers for automation 

safety and reliability 

~· exida authored industry 

data handbook on 

equipment failure data 

0 

4

- 

4 ~~;;:'', 

c) 

exida Certification S.A. in Switzerland, Geneva 

• Exida founded an independent certification company in 

Geneva Switzerland, the home of IEC. 

• Certification are issued by independent assessors and 

auditors 

• Swiss Quality reputation 

Copyright ro 200(1..2008 exlda.com L.L.C. 

5 

Course Logistics 

Curso Logfstica 

0 

~~ Fire and emergency evacuation procedures 

t> Course materials & location 

- Handouts and course binder 

- Exercises, Reference Material and Course Review 

4> Course attendance & participation 

- Certificate of course completion 

4' Breaks 

- Lunch 

- Stretch, refreshment, etc. 

4> Personal belongings 

Copyrfsht © 200Q-2008exida.com L.L.C. 

6

Introduction of Course Participants 

Presentaci6n de los Participantes en el Curso 

4? Instructor 

• Name 

• Background/experience 

i> Classmates 

• Name, company, position 

• Background/experience 

• Course objectives? 

0 

Copyright© 2000..2008exlda.com L.L.C. 

7 

Course Objectives 

Objetivos del Curso 

•~ 

Review the fundamental concepts of Statistics, 

Reliability Engineering 

• Data Samples 

• Constant Failure Rates 

• Bathtub Curve 

• Terms 

4! Understand Safety Instrumented System (SIS) 

failure modes 

0 

Copyright© 200Q-2008exlda.com L.L.C. 

8

Course Objectives 

Objetivos del Curso 

0 

'' Develop an understanding of the Safety Lifecycle 

(SLC) Design Phase 

~ Review how to implement SIS from requirements 

specifications 

'' What is an FMEDA (Failure Mode Effects and 

Diagnostics Analysis) 

~ Safety Integrity Level (SIL) verification calculations 

,,, Develop an understanding of the Safety Lifecycle 

(SLC) Operation and Maintenance Phase 

Copyright© 20fl0..2008exlda.com L.L.C 

9 

Section 1 : Basic Statistics 

Secci6n 1: Estadfsticas Basicas 

0 

•r~ 

Sample Data 

4~ Histograms 

~J' 

~~' 

Probability Density Functions 

Cumulative Density Functions 

4~ Mean-Median 

Copyright ltl2000-200Sexida.com L.L.C. 

10

Sample Data 

[ 

~-----------D_a_to_s 

J 

__ d_e_M_u_e_s_t_rn __________ ~ 

Statistical Variable: 

Time To Failure, 

Hours - 30 Systems 

0 

Copyright Cl 200D-2008exida.com L.L.C. 

11 

[ 

Data is 

often 

grouped 

into "bins." 

Hours 

Censored Data 

Datos Clasificados 

Units 

0-1000 7 

1001-2000 4 

2001-3000 3 

3001-4000 3 

4001-5000 2 

5001-6000 1 

6001-7000 1 

7001-8000 1 

8001-9000 1 

9001-10000 

10001-11000 1 

11001-12000 1 

12001-13000 1 

13001-14000 3 

Cum. 

7 

11 

14 

17 

19 

20 

21 

22 

23 

24 

25 

26 

27 

30 

l 

0 

Copyright© 200D-2008exida.com L.L.C. 

12

[ 

Histogram 

Histograma 

~-___:::_-~ 

l 

0 

Censored Data 

Hours 

Units 

0-1000 7 

8 

1001-2000 4 

2001-3000 3 

7 

3001-4000 3 

l!l 6 

4001-5000 2 '2 5 

5001-6000 1 ::J 

4 

6001-7000 1 " ~ 

3 

7001-8000 1 

:f 

8001-9000 1 2 

9001-10000 1 1 

10001-11000 1 0 

11001-12000 1 

2 3 4 5 6 7 8 9 10 11 12 13 14 

12001-13000 1 

13001-14000 3 Operational Hours- 1000 

COpyright© 2000-2008 exida.com L.L.C. 13 

Discrete Distributions - pdf 

Distribuci6n Discreta - fdp 

0 

' 

' 

Number of failures (x) per thousand hours - probability of occurrence p(x) 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 

0.233 0.133 0.100 0.100 0.067 0.033 0.033 0.033 0.033 0.033 0.033 0.033 0.033 0.100 

Probability Density Function 

0.25 

0.2 

10.15 

0.1 

0.05 

0 

2 3 4 5 6 7 8 9 10 11 12 13 14 

' 

Copyright ftl 2000-2008 exida.com L.L.C. 14

Discrete Distributions - pdf 

Distribuci6n Discreta - fdp 

Number of failures (x) for thousand hour intervals- probability of 

occurrence x 

Cumulative Distribution Function 

1.2 

:"§' 1 

:;; 

.l'l e o.a 

Q. 

~ 0.6 

i 

:; 0.4 

E 

8 0.2 

Cumulative 

probability of 

failure, e.g. 

probability of 

failure 

between a 

and 14000 

hours is one. 

0 

0 

2 3 4 5 6 7 8 9 10 11 12 13 14 

x ~ Thousands of Hours 

Copyright© 200D-200B exida.com L.L.C. 

15 

Mean 

Promedio 

Time To Failure, Hours- 30 Systems 

Failure# Hours Failure# Hours 

1 33 16 

3471 

2 96 17 3886 

3 196 18 4348 

4 240 19 4882 

5 409 20 5431 

6 614 21 6056 

7 831 22 

7499 

8 1045 23 8339 

9 1282 24 

9270 

10 1540 25 10305 

11 1815 26 11460 

12 2108 27 12751 

13 2414 28 13351 

14 2740 29 13853 

15 3091 30 13990 

Copyright© 200Q-2008 eXJda.com L.L.C. 

Median= (3091+3471)/2 

= 3281 Hours 

Mean = 4910.8 Hours 

1 

if- .Je...t- ~ {Lw:;Q v-o4.e- 

-bW.> 0Q.Q k kTT 

16 

0

Failure Statistics 

Estadfsticas de Fallas 

Cumulative Distribution Function 

0 

'·' 

'·' 

'·' 

'·' 

• 

• 

0 ' 

'i 3 

. ,• 

Statistics are the basis 

of the failure metrics 

used in reliability 

engineering and safety 

analysis 

•Uncertainty of data 

•Applicability of data 

1 2 3 4 5 6 1 6 9 10 11 12 13 14 

Op..ratlonal Hours -1000 

Copyright© 2000.2008 exida.r:om L.L.C. 

17 

Section 1 : Basic Statistics Summary 

Secci6n 1: Repaso de Estadfstica Basica 

0 

•r~ 

Sample Data 

41> Histograms 

~1, Probability Density Functions 

4~ Cumulative Density Functions 

4'; 

Mean-Median 

Copyright ID 200o-2oos exida.com L.L.C. 

18

Section 2: Basic Reliability Engineering 

Secci6n 2: lngenierfa de Confiabilidad Basica 

t. Terms 

'" Systematic vs Random Failure 

'" Low, High and Continuous Demand 

'' Stress-Strength 

'' Wear out I Bathtub Curve 

'' Failure rate 

'' Reliability I Unreliability 

'' Repairable Systems - Availability I 

Unavailability 

'' PFavg 

'' PFH 

0 


19 

[ 

Terms 

Terminos 

Random Failures 

A failure occurring at a random time, which results 

from one or more degradation mechanisms. 

Systematic Failures 

A failure related in a deterministic way to a certain 

cause, which can only be eliminated by a modification 

of the design or of the manufacturing process, 

Eperational procedures, documentation~ 

or-other relevant factors. 

0 

Copyright© 2000-2008 eXida.com L.L.C. 20

Terms 

[ 

Terminos 

~---~ 

l 

0 

Random Failures 

Usually a permanent failure due to a system 

component loss of functionality- hardware related 

Systematic Failures 

Usually due to a design fault- wrong component, 

error in software program, etc. 'u.l'..:to. fl. $ 

~ :;;:;:: ~""' ~·ver-. ~11\11'-- 

r~ o\9_ 

Copyright CI2000-2008 exida.com L.L.C. 

.e-r~ ~~~- 

" 

Systematic Faults 

Defectos sistematicos 

0 

A single systematic fault can cause failure in multiple 

channels of an identical redundant system. 

REDUNDANCY IS NOT A PROTECTION AGAINST 

SYSTEMATIC FAILURES! 

Early example: A bad command was sent into a redundant 

DCS through a "Foreign Computer Interface." The 

command caused a controller to lock up trying to interpret 

the command. The diagnostics detected the failure and 

forced switchover to a redundant unit. The bad command 

was sent to the redundant unit which promptly locked up as 

well. 

Copyright© 2000-2008exida.com L.L.C. 

22

Random vs. Systematic Faults 

Aleatoric Defectos vs. Defectos Sistematicos 

Real functional needs 

• 

Specification of requirements, 

design, implementation 

• • 

Correct Designlncorrect ~ 

1 

Well De:igned System~ 

'-C 

\ 

syst:m is correct 

Random failure::::> 

The system is not correct 

Function required 

or execution trajectory hits 

incorrectness 

0 

The system has a failure 

Copyright© 2000..2008exida.com L.L.C. 

23 

Modes of Operation 

Modos de Operaci6n 

Continuous Demand 

High Demand 

Low Demand 

} Continuous Mode 

} Demand Mode 

IEC 61508 

IEC61511 

Copyright© 200Q-2008 exida.com L.L.C. 

24

[ 

Terms 

Terminos 

~--~ 

Low Demand Mode - 61508 

Where the frequency of demands for operation made on a safety-related system is 

no greater than one per year and no greater than twice the proof test frequency; 

Part 4, 3.5.12 

If the ratio of diagnostic test rate to demand rate exceeds 100, then the subsystem 

can be treated ... As low demand mode ... , Part 2, 7.4.3.2.5 Note 2 

.. the diagnostic test interval will need to be considered directly in the reliability 

model if it is not at least an order of magnitude less than the expected demand 

rate, Part 2, 7.4.3.2.2, Note 3 

0 

Many find this confusing - in addition, the one year mark is arbitrary and 

misleading. Technically the wording in Part 4, 3.5.12 is incomplete as the 

above Notes in other portions of IEC 61508 give examples that express 

the true intent. The diagnostic test rate (proof test included) must be 

greater than the demand rate . 

Copyright© 200o-2008 exida.com L.L.C. 

25 

Terms 

Terminos 

l 

0 

Low Demand Mode- exida definition 

The average interval between a dangerous 

condition (a demand interval) occurs infrequently 

(example- once per year), the automatic 

diagnostic testing interval is an order of magnitude 

lower and the demand interval is greater than 2X 

the manual proof test interval. 

[Therefore automatic diagnostics and proof testing 

can be given credit for risk reduction.] 

Copyright© 2000.2008 exida.com L.L.C. 26

Terms 

Terminos 

High Demand Mode- exida definition 

Where the demand interval is less than twice 

the proof test interval 

L 

wa... ~ r -t-- 

~ f:A) ~$..P- 

vJL(WI.'k---\4-- ~f.- f ~f 

0 


27 

[ 

Terms -IEC 61511 

Terminos -IEC 61511 

61511 uses the terms demand mode and continuous mode 

demand mode safety instrumented function: where a 

specified action (e.g., closing of a valve) is taken in 

response to process conditions or other demands. In the 

event of a dangerous failure of the safety instrumented 

function a potential hazard only occurs in the event of a 

failure in the process or the BPCS 

continuous mode safety instrumented function: where in 

the event of a dangerous failure of the safety instrumented 

function a potential hazard will occur without further failure 

unless action is taken to prevent it 

0 

Copyright© 2000-2008 exida.com L.L.C. 28

Why do you care about modes? 

Demand 

Mode-61511 

Low Demand- 

61508 

Use PFDavg table 

Modes of Operation 

Modos de Ia Operaci6n 

Continuous 

Mode- 61511 

High Demand - Continuous - 

61508 61508 

Use PFH table 

Use PFH table 

0 

Take credit for 

proof testing 


automatic 

diagnostics 

Copyright (ti2000-2008exida.com L.L.C. 

No credit for proof No credit for proof 

testing 

testing 


automatic 

diagnostics 

No credit for 

automatic 

diagnostics 

29 

Stress- Strength: Failures 

Esfuerzo - Fortaleza: Fallas 

0 

All failures occur when stress exceeds the associated level of 

strength. 

Stress is usually a combination of "stressors" 

Heat 

Humidity 

Shock 

Vibration 

Electrical Surge 

Electro-Static Discharge 

Radio Frequency Interference 

Mis-calibration 

Maintenance Errors 

Operational Errors 


"



0.9 

9.8 

9.7 

0.6 

0.5 

OA 

0.3 

0.8 

0.1 

0 ··' 

Strength varies- with time, with other stress, etc. 

\''" 

0 

Stress also varies with time. 

However they can be represented by probability distributions. 

Copyright (l 2000-2008exida.com L.L.C. 

" 



9.8 

9.8 

9.7 

0 .. 

9.6 

0.5 

0.4 

9.3 

98 

0.1 

9 

At some point in time, Strength decreases and the failure 

rate increases rapidly- this causes wear-out. 


"



o.o2s rr----------------,---, 

0.02 

0.015 

0,01 

0.005 ' 

v 

0 

, Tlmo 

Stress-strength explams how failure rates vary with time. 

Weak units from a production population fail early. This portion of the curvd 

is known as "infant mortality." 

I 

When weak units are eliminated from the population stress-strength 

indicates a steady but declining failure rate. 

When strength declines, the failure rate increases significantly. 

Copyright CI200CI-2008 exida.cam L.L.C. 



0 

Constant Failure Rate during "Useful Life" 

0.025,.----------------------, 

0.02 

~ 

'! 0.015 

~ 

~ 

i 0.01 

... 

~ 

Time 

0 

"' 

Copyright© 2000-200Sexida.com L.L.C. 

34

IEC 61508 Key Variables: 

1. Constant Failure Rate 

2. Useful Life 



0 

§ g 

Time 

CQpyright © 2000-2008 exida.com L.L.C. 35 

Failure Rate 

[ ~----------T_a_sa __ d_e_F_r_a_ca_s_o _____________ 

J 

Failure Rate- number of failures per unit operating hours. 

Failure rate that varies with time 

Constant failure rate 

Average failure rate over a long period of time 

0 

Example: One hundred solenoids are placed into operation. 

During the first year seven units failed. 

What is the average failure rate during the year? 

!.. = 7 I (1 00 units * 8760 hrs/year) ? 


Failure Rate 

[ 

Tasa de Fracaso 

~--~ 

Example: One hundred solenoids are placed into operation. 

During the first year seven units failed. 

0 

What is the average failure rate during the year? 

Least conservative: 

lc = 7 I (1 00 units • 8760 hrslyear) ? 

= 7.99E-06 Failures I Hour 

Most conservati : 

/ lc = 7 I 93 nits • 8760 hrslyear) ? 

= 8.6E-06 ailures I Hour 

V 

Copyright ltl200G-2008 exlda.com L.L.C. 

37 

Failure Rate Equation 

Tasa de Fracaso Ecuaci6n 

0 

A- = ~Nf I (Ns * ~t) 

Ns = number of successful units at end of time period 

Nf = number of failed units at end of time period 

~Nf = number of failed units during a time period 

~t =time period (Tn- Tn+ 1 ) 

copyright (12000.2008 exida.com L.L.C. 

38

System Op.Hours 

12 33 

1 96 

14 196 

13 240 

30 409 

6 614 

11 831 

15 1045 

16 1282 

10 1540 

7 1815 

19 2106 

25 2414 

21 2740 

2 3091 

24 3471 

27 

26 

3 

Failure Rate Calculation 

Calculo de Ia Tasa de Fracaso 

System Op.Hours 

f.. 

12 33 =1i((33-0)Hrs.'29 Units) 0.001045 

1 96 =1i((96-33)Hrs.'28 Untts) 0.000567 

14 196 =1i((196-96)Hrs.'27 Units) 0.00037 

13 240 =1i((240-196)Hrs.'26 Units) 0.000874 

30 409 =1i((409-240)Hrs.'25 Units) 0.000237 

6 614 =1i((614-409)Hrs.'24 Units) 0.000203 

11 831 =11((831-614)Hrs.'23 Units) 0.0002 

3886 Failure Rate 

4348 

4862 

20 5431 

23 6056 

9 7499 

5 8339 

28 9270 

8 10305 

22 11460 

18 12751 

29 13351 200 400 600 600 1000 

4 13853 

17 13990 

Copyrisht © 200(1..2008 exida.com L.L.C. 

Oparatng Time Interval (Hrs.) 

Time To Failure, 

Hours - 30 Systems 

" 

0 

System Op.HourS A 

12 33 0.001045 

1 96 0.000567 


14 196 0.00037 

13 240 0.000874 

Calculo de Ia Tasa de Fracaso 

30 409 0.000237 

6 614 0.000203 

11 831 0.0002 

15 1045 0.000212 

16 1282 0.000201 

10 1540 0.000194 

7 1815 0.000191 

19 2106 0.000191 

25 2414 0.000191 

21 2740 0.000192 

~ 

! 

2 3091 0.00019 

24 3471 0.000188 

27 3886 0.000185 

26 4348 0.00018 

3 4862 0.000177 

20 5431 0.000176 

23 6056 0.000178 

9 7499 8.66E·05 

5 8339 0.00017 

28 9270 0.000179 

8 10305 0.000193 

Total Average = 0.00035 fail/hr. 

22 11460 0.000216 

18 12751 0.000258 

29 13351 0.000833 Average Middle = 0.0002 fail/hr. 

4 13853 0.001992 

17 13990 In!. 

Copyright© 200(1..2008 exida.com L.L.C. 

40 

0

Reliability I Safety Terminology 

Terminologfa de Seguridad/Confiabilidad 

0 

Defined so far: 

~' 

~' 

Failure Rate- number of failures per unit of time 

- Failure rate that varies with time 

-Constant failure rate 

- Average failure rate over a long period of 

time 

Probability of Success - the chance that a system will 

perform its intended function when operated within its 

specified limits. 

Copyright ta 2000-2008exida.com L.L.C. 

41 

0 



i' RELIABILITY - the probability of success during 

an interval of time 

it R(t) = P(T>I) where T =Failure Time for an 

interval 0 to I 

For example: if the probability of successful 

operation for 1 hour= 0.999, what is the 

probability of successful operation for one day? 

PS(24 hours) = PS(1 hour) * PS (1 hour) * .... 

PS(24 hours) = PS (1 hour) 24 

PS (24 hours) = 0.976 

1 0.999 

2 0.998001 

3 0.997003 

4 0.996006 

5 0.99501 

6 0.994015 

7 0.993021 

8 0.9920279 

9 0.9910359 

10 0.9900449 

11 0.9890548 

12 0.9880658 

13 0.9870777 

14 0.9860906 

15 0.9851045 

16 0.9841194 

17 0.9831353 

18 0.9821522 

19 0.98117 

20 0.9801889 

21 0.9792087 

22 0.9782295 

23 o.sms12 

Copyright© 2000-2008 ex/da.com L.L.C. 24 0.976274 42



j' 

RELIABILITY - the probability of success during an interval of 

time 

j; If the example is continued for 2000 hours: 

:; "' 

""' 

(.) 

(.) 

:J

~;, R(t) = Ns/N 

Ns = number of successful units 

at the end of each time period 

N = number of units total 



0 

0.9 

O.B 

O.< 

o.o 

0.5 

0.4 

0.0 

0.2 

0.' 

0 

0 2000 4000 6000 8000 10000 12000 14000 16000 

COpyright 1t1 20oo-zoos exida.com L.L.C. 

45 



0 

i> RELIABILITY R(t) -the probability of success during an 

interval of time 

'' UNRELIABILITY F(t) -the probability of failure during an 

interval of time 

;, PF(t) = Probability of Failure, another name for unreliability 

'' R(t) = 1 - F(t) (complementary events, one failure mode) 

o.o 

0.0 

'·' 

... 

.., 

... ... 

2000 4000 6000 6000 10000 12000 14000 16000 

Copyright© 200Q-2008exida.com L.L.C. 46


Terminologia de Seguridad/Confiabilidad 

'' Failure Rate - Failures per unit time per 

device 

•!\ Mean Time To Failure (MTTF} -The 

average successful operating time 

interval of a system 

0 

Copyright CI200G-2008 exida.com L.L.C. 

47 

Constant Failure Rate 

Constante de Ia Tasa de Fracaso 

R(t) =e-At 

Common Assumptions - 

reasonable for the middle of the 

failure rate curve. Even if the 

F(t) = 1-e-At failure rate is decreasing (more 

MTTF =_!_ 

A, 

realistic), these assumptions are 

conservative 



Constanta de Ia Tasa de Fracaso 

R(t) = e-A! 

F(t) = 1-e-A! 

0 

CQpyright !0 2000-2oosexida.com L.L.C. 

Time Interval - Mission Time 

49 


Constanta de Ia Tasa de Fracaso 

0 

A Useful Approximation: 

2 3 x4 

X 1 X X 

e = +x+-+-+-+ .... 

2! 3! 4! 

F(t) = 1-e-A! 


Alternate Notation: 

F(t) ~At 

PF = A.t 

50

j 

""

Repairable Systems 

Sistemas Reparables 

What about repairable systems? 

0 

The measurement "reliability" requires that a system be 

successful for an interval of time. What is needed for a 

repairable system is a measure that gives us the probability 

that it will work successfully in the situation where repair can 

be done. 


53 

Mean Time to Restore 

Tiempo Media para Reposici6n 

0 

~~ Mean Time To Failure (MTTF)- The average successful operating 

time interval of a system 

~~ Mean Time To Restore (MTTR)- The average failure time interval 

of a system. Applies only to repairable systems! 

~~ Restore Rate (f.l)- Number of restores per time period 

An average over a large number of systems 

and a large number of failure/restore cycles. 

1 1 

MTTR= f.l= 

MTTR 


54

Mean Time to Restore 

Tiempo Medio para Reposici6n 

'' Mean Time To Restore (MTTR)- The average failure time interval 

of a system 

'' MTTR= 

- Average Time to detect failure has occurred plus 

- Average Time to actually make the repair 

Example: If failures are only detected by a periodic inspection and test: 

Tl = Test Interval 

RT = Repair Time 

MTTR approx. = Tl/2 + RT 

0 

Copy11ght tO 2000-2008 eXida.com L.L.C. 

55 

Mean Time Between Failures (MTBF) 

Tiempo Medio entre Fallas (TMEF) 

The average time interval of one failure/restore cycle of a system. 

Applies only to repairable systems. 

MTBF=MTTF + MTTR 

0 

TTF 

TBF 

t 

TTF 

TBF 

TT 

,.--- 

An average over a large number of systems and a large number of 

failure/restore cycles. 


56

Availability I Unavailability 

Disponibilidad /lndisponibilidad 

'' Probability of Success - the chance that a system will perform its 

intended function when operated within its specified limits 

'' AVAILABILITY- the probability of success at a moment in time 

(allows for past failures, i.e. repairable systems} 

'' Steady State Availability- steady state/average value 

0 

Availability. Single Failure Mode 

Disponibilidad. Modo de Falla Simple 

Steady-State Availability Modeling 

'A 

Fail 

MTTF = 11'A 

MTTR = 1lfl 

Constant Restore Rate 

Availability is often defined in reliability texts using a simple single component 

Markov model with the assumption that a constant restore rate is valid. While 

this assumption is not realistic it allows useful analysis for some problem 

domains. The "steady-state'' solution for availability and unavailability for this 

model is: 

Copyright ltl 200G-2008exida.com L.L.C. 

A = MTTF I (MTTF+MTTR) 

U = MTTR I (MTTF+MTTR) 

59 

0 

Steady State Availability. Single Failure Mode 

Disponibilidad a Largo Plazo. Modo de Falla Simple 

If the model is solved for probability of success as a function of operating 

time interval, eventually the availability model reaches a "steady state" or 

average value. This represents many failure I restore cycles. 

0 

o.9 +-'-=-------Mtt--------1 

0.8~~--............ ~ ................ ~ 

0.7 t------' ... ------.====------1 

!! 0.6 -1--_.,.--__ ___:_:_:_:==:.:L------1 

:c 

~ o.s-J----".;:,-------------1 

D. 0.4 -1----.3,.-----.,=,.---------1 

0.3 -1-------'""'c"-'L---------1 

0.2-l--------"" ......,----------1 

0.1 o L------·--·--------------- 

+=====~~~~~~::~:::~~;] 

Operating Time Interval 

Constant Restore Rate 

Copyright© 200G-2008exida.com LLC. 

60

Steady State Unavailability. Single Failure Mode 

Plazo. Modo de Falla Rirr~niA 

If the model is solved for probability of failure as a function of operating 

time interval, eventually the unavailability model reaches a "steady state" 

or average value. This represents many failure I restore cycles. 

0 

0.3 t--/i"L.jblffi:walila!*Hty----{::tffi,------j 

0.2 t-7~==-"--..... ~-~~;..:.~~---1 

0.1 +-..?'c.._---------------1 

0~---------------~ 

Operating Time Interval 

Copyright C 200(}..2008exlda.com L.L.C. 61 

Availability. Periodic Test and Inspection 

Disponibilidad. lnspecci6n y Prueba Peri6dica 

0 

fl equals zero between 

inspections f1 equals one 

right after an inspection 

When Periodic Inspection 

and Test is done, a 

different situation exists 

which requires different 

modeling techniques. 

Steady-state availability 

will not work. 

Copyright© 2000.2008 exida.com L.L.C. 

"



~ equals zero between 

inspections ~ equals one 

right after an inspection 

For LOW DEMAND 

situations, an average §" 

technique has been defined :g 

in lEG 61508. The average of 1) 

the time dependent values o.. 

must be calculated. 

0 

Copyright© 2000.2008 exida.com L.L.C. 63 



Unavailability never reaches steady state in periodic inspection 

0 

Constant Resto!& Rate 

The average unavailability in a periodic tesVinspect 

situation is not the same as the steady state 

unavailability! It is a different Markov model with 

different solution results. 

ll equals zero 

between inspections 

J..l equals one right 

after an inspection 


64



(J 

Copyright© 2000..2008exida.com L.L.C. 

1 T 

PFavg =- fPF(t)dt 

To 

Approx PF =A, *Tl 

Approx PFavg =A, * TI /2 

Assuming 

perfect 

PROOF 

TESTINGall 

failures 

are detected 

and repaired. 

65 

Simplified Equation PFAVG 

Ecuaci6n Simplificada para PFPROM 

0 

PF{I) 

PFAVG =A Tl/ 2 

Assuming 

perfect 

PROOF 

TESTINGall 

failures 

are detected 

and repaired. 

The approximation for PFavg is pessimistic by a slight amounttherefore 

conservative for safety analysis. 

Copyright© 200G-2008exida.com L.L.C. 66

The Effects of Incomplete Testing 

Efectos de Pruebas lncompletas 

Because of incomplete testing the PF never returns to its original 

value and the risk reduction can be significantly lower. 

IIEC61511 I 

PF(t) 

SIL 1 

SIL2 

SIL3 

SIL4 

Operating Time 

-++--flo' - - - - - - 

test 

period 

PFavg 

Copyright tO 200Q-2008exida.com L.L.C. 

67 

Simplified Equation PFAvG with ncomplete Testing 

Ecuaci6n Simplificada para PFPROM c n Prueba lncompleta 

PFavg =CPT A. Til 2 + (1-CPT) A. LT /2 

CPT = Effectiveness (Coverage) of proof test, 0% to 100% 

L T = Operational Lifetime of plant 

0 

COpyright© 200(}-2008 exida.com L.L.C. 

68

Safety Integrity Levels (SILs) 

Nivel de lntegridad de Seguridad 


Level 

Target average 

probability of failure on 

demand 

Target risk reduction 

(RRF) 

SIL4 >=1 o-s to =1 o-4 to =10-3 to =1 o-2 to

Safety Integrity Levels - PFH 

Nivel de lntegridad de Seguridad - PFH 

Random Failure Probability 


Level 

SIL4 

SIL3 

SIL2 

SIL 1 

Probability of 

dangerous failure per 

hour 

(Continuous mxl11 of operation) 

>=10" 9 to =10·8 to =1 o- 7 to =1 o-• to

Application Exercise Set 2 

Ejercicios de Aplicaci6n. Grupo 2 

Reliability and Availability- Complete the Problems 

15 minutes 

0 

Copyright© 200G-2008exida.com L.L.C. 73 

Section 2: Basic Reliability Engineering Summary 

Secci6n 2: lngenierfa de Confiabilidad Basica 

''Terms 

;, Systematic vs Random Failure 

,, Low, High and Continuous Demand 

'' Stress-Strength 

;, Wear out I Bathtub Curve 

" Failure rate 

~ Reliability I Unreliability 

(c Repairable Systems -Availability I Unavailability 

'' PFavg 

,, PFH 


Section 3: System Reliability Engineering 

Secci6n 3: lngenierfa de Confiabilidad de Sistemas 

4!\ 

·~' 

4" 

~. 

(:, 

Reliability Block Diagrams 

Fault Trees 

Markov Models 

Equipment Failure Modes 

Common Cause 

0 

Copyright© 2000-2008 exida.com L.L.C. 75 

Quantitative System Analysis Techniques 

Tecnicas Cuantitativas para Analisis de Sistemas 

System Modeling- We know the 

Reliability (failure rates) of the 

components, what is the Reliability of 

the system? 




0 

~n Define "what is a failure?" 

~rr 

-Effectively stating, what is included in the 

model. 

Obtain failure rate on each component failure 

mode, create a checklist 

4> Understand how the system works? 

-SYSTEM FMEA 

-HAZOP 

~' 

Build the model 

Copyright© 2000-2008exida.com L.L.C. 77 



0 

~' 


4> Simplified Equations 

4> Fault Tree Diagrams 

4, Markov Models 




Simplified Equations - Equations derived form one of the 

techniques listed below. Most are "too simple" and should not 

be used for anything except SIL 1. 

Reliability Block Diagram - Best for Reliability /Availability 

Analysis. Probability combination method. Takes the 

"success" view. Confusing when used in multiple failure 

mode modeling. 

Fault Tree Diagram- Takes the "failure" view. Probability 

combination method. Multiple drawings can be used for (J 

multiple failure modes. Easy to understand the drawing. 

Markov Model- Looks at success and failure on one 

drawing. Flexible, solved for probabilities as a function of 

time interval. Few educated in method. 



Diagrama de Bloques de Confiabilidad 

System successful when a path is formed across the drawing 

Series System 

A 

B 

0 

- AC POWER - MOTOR J-- 

System operates only if all components operate 

Availability 


Success 



Failure 

Copyright© 2000.2008exida.com L.L.C. 80


Diagrama de Sloques de Confiabilidad 

Parallel System 

POWER 

- SUPPLY 

A 

1- 

POWER 

- SUPPLY 

1- 

8 

System operates if any component operates 

0 

Availability 

Probability of Ap = AA + As - (AA * As ) 

Success 


Probabilityof 

Failure 

Up= UA *Us 

Copyright li:l200G-2008 exida.com L.L.C. 81 


Diagrama de Sloques de Confiabilidad 

0 

r- 

Series/Parallel 

POWER 

SUPPLY - 

A 

CONTROLLER 

A 

r--- 

Example: 

Aps = 0.6 

Ac = 0.8 

- 

POWER 

SUPPLY 

8 

1- 

CONTROLLER 

B 

r--- 

(for a one year interval) 

Asyst.em? = (Aps * Acl + (Aps * Ac)- (Aps * Ac) 2 

= (0.6*0.8) + (0.6*0.8)- (0.6*0.8) 2 

= 0.7296 

Copyright© 200()-2008 exida.com L.L.C. 

"

[ 

Fault Trees 

Arboles de Falla 

l 

AC POWER 

- A 1-- 

MOTOR 

B - 

ACPOWER 

Fails 

System operates only if all components operate 

MOTOR 

Falls 

OR 

SYSTEM 

Fails 

0 

Cupyrlght CO 2000.2008 e.xida.com L.L.C. 

" 

[ 

Fault Trees 


l 

- 

POWER 

SUPPLY 

A 

- 

- 

POWER 

SUPPLY 

B 

I-- 

System operates 1f any component operates 

I POWER SUPPLY A lf-_P_a_ Fails 1 

1 

Pb 

POWER SUPPLY B I 

Fails . 

AND 

I SYSTEM I 

Fails 

I 


84

Fault Trees 

[ 

~------------A_ro_o_le_s_d_e_F_a_lla ________ ~ 

l 

POWER 

SUPPLY 

A 

POWER 

SUPPLY 

B 

0 

POWER ~UPPLY A I ~ 

I . Fa!IS ~ 

CONTROLLER A 

Fails 

POWER SUPPLY B 

Fails 

CONTROLLER B 

Fails 

SUBSYSTEM 

X Fails 

SUBSYSTEM 

Y Fails 

AND 

Copyright© 2000..2008 exida.com L.L.C. 

85 

0 

[ 

I POWER SUPPLY A f--! 

/ Fa11s 

A 

CONTROLLER A 

Falls 

POWER SUPPLY A 

Fails 

CONTROLLER B 

Fails 

OR 

Ux 

SUBSYSTEM 

X Fails 

Uy r--:S::-Uc:Bc::Sc-Yc:-ST'"'E-:-M---, 

YFails 

Fault Trees 


SYSTEM 

Fails 

In any probability combination method be careful to check for "identical 

events." In an AND gate with identical events as the input, if Ux and Uy 

share the same event (for example, failure of power supply A) then the 

probability of Us is not Ux * Uv. 

In an OR gate with two identical events as the input, the output = Ux not 

Ux + Ux - Ux * Ux. 

Note: setting up a model this way appears to make no sense, but it does happen. Do not simply 

use GATE SOLUTION techniques without checking for this problem. 

Copyright© 200()..2008 exida.com L.L.C. 86

Fault Tree Model - PFavg 

Modele de Arbol de Falla 

Solenoid 

subsystem 

failure 

Problem with some Fault Tree 

Tools when calculating 

average probability: 

Therefore taking the average 

after any AND logic is the 

proper sequence for PFavg 

calculations 

Q 

Copyright r&1200Q-200S~da.corn L.L.C. 87 




0 

Remember that: 

PFavg 

1 T 

- fPF(t)dt 

To 


Fault Trees- PFDavg 


0 

To get a correct answer in any probability combination method of system 

modeling (RBD and Fault Trees) one must perform the logic before taking 

the average. 

E ~~~P~FD~a 

Subsystem A 

PFDb 

Subsystem B 

PFa= A* Tl 

PFb =A* Tl 

Therefore: 

PFsys = A2 * T(2 

Continuing: 


.------... AND 

SYSTEM 

1 ti 

PFavg,sys =- JA, 2 TJ'dti 

TI 0 

1 A 2 Tt 

PFavg,sys = 

TI 3 

A 2 2 

Tl 

PFavg,sys =--- 

3 

89 

[ 

Fault Trees- PFDavg 


0 

If one calculates PFDavg of each component before the logic: 

Subsystem A 

Subsystem B 

PFDa= Ad* Tl 

PFDavga = Ad * Tl/2 

PFDavgb = Ad * Tl/2 

Therefore: 

PFDavg,sys = Ai * Tl 2 

4 

The results are 

optimistic and 

may result in 

insufficient safety! 

Rather than the correct: A2 2 

P FDavg, sys = d '{I 

Copyright© 2000.2008 e.xida.com L.L.C. 

90

Markov Models 

[__________ M~od~e~l~os~d~e~M~a_r_ko_v ___________ 

J 

Accounts for Multiple Failure 

Modes on one drawing. 

Models different repair rates for 

different kinds of failures. 

Qualitatively shows the operation 

of a fault tolerant system. 

CIRCLES represent combinations 

of failed and successful 

components. 

ARCS show the effect of failures 

and repairs. 

0 

Copyright CO 2000-2008 exida.com L.L.C. 91 

Markov Models 

[ 

~--------~M~o~d~e~l~os~d~e~M~a_r_k_o_v ___________ 

l 

Redundancy 

Multiple Failure Modes 

0 

A.= failure rate 

~=system repair rate (replacement) 

Copyright 10 2000-2008 exida.com L.L.C. 92

Markov Models - PFDavg 

Modelos de Markov 

For PFDavg 

calculations, a Markov 

model must be solved 

for time-dependent 

PFD and averaged 

A. 1 to A.7 = Failure Rates 

0 

~ 1 = Repair Rate after a 

shutdown 

~2 =on-line repair of equipment 

~3 =periodic Inspection I test 

J.l3 


J..t3 equals zero between 

inspections and one after a 100% 

successful inspection 

93 

[ 

Failure Modes 

Modos de Falla 

0 

Electro-mechanical Systems have multiple failure modes! 

Typically Categorized as 

[ SAFE ] 

[DANGEROUS] 



Multiples Modos de Falla 

( NORMAL 

l I[ 

( SAFE 

(DANGEROUS) 

~ 

) / 

J 

-Failed Open Circuit 

[ 

Failed Short Circuit 

0 

copyright ID 2000-2008 exida.com L.L.C. 

95 

[ 

The functional failure modes of 

each product must be translated 

to the modes of the SIF. This 

often depends on the application. 

- Failure Modes 

Output Saturated Hi 

Output Saturated Lo 

Frozen Output 

D {:. Indication Error Hi 

Indication Error Lo 

• Diagnostic Failure 

SID{: 

Define Modes 

Transmitters 

Transmisores 

l 

0 


96

Normally Energized Systems- FAIL SAFE 

Sistemas Normalmente Energizados- FALLA SEGURA 

System causes false trip! 

Dlsclllte lnplll 

PLC 

0 

Input circuit fails - 

PLC thinks the 

sense switch is 

open even when 

it is closed. 

Logic Solver fails to 

read logic 1 inputs, 

fails to solve logic, 

or fails to generate 

logic 1 output. 

Output Circuit 

fails open 

circuit. 

copyright (120oo-200B exida.com L.L.C. 

97 

0 

Normally Energized Systems- FAIL 

DANGER 

Sistemas Normalmente Energizados- FALLA PELIGROSA 

If there is a demand - system cannot respond. 

+ + 

Discrete Input 

PLC 

Input circuit fails - 

PLC thinks the 

sense switch is 

closed even 

when it is open. 

Copyright 1t120oo-2oos exida.com L.L.C. 

Logic Solver fails to 

read logic 0 inputs 

that indicate danger, 

fails to solve logic, 

or fails to generate 

logic 0 output. 

Output Circuit 

fails short 

circuit. 

98

Final Element Failure Modes 

Modos de Falla de un Actuador 

Instrument Failure Mode 

Solenoid plunger stuck 

Solenoid coil burnout 

Actuator shaft failure 

Actuator seal failure 

Actuator spring failure 

Actuator structure failure - air 

Actuator structure failure - binding 

Valve shaft failure 

Valve external seal failure 

Valve internal seal damage 

Valve ball stuck in position 

* unpredictable - assume worst case 

De-energize to Trip Application 

SIF Failure mode 

Fail-Danger 

Fail-Safe 

Fail-Danger* 

Fail-Safe 

Fail-Danger 

Fail-Safe 

Fail-Danger* 

Fail-Danger* 

No Effect 

Fail-Danger 

Fail-Danger 

0 

Copyright© 200Q-2008 exlda.com L.L.C. 

99 

Reliability I Safety Terms 


So far we have defined: 

'' RELIABILITY - the probability of success during an interval of 

time 

,, R(t) = P(T>t) where T = Failure Time for an interval 0 - t. 

'' UNRELIABILITY- the probability of failure during an interval of 

time 

'' F(t) = P(T

Reliability I Safety Terms 


0 

'' PFS - Probability of SAFE failure in a system 

'' PFD- Probability of Failure on Demand (Probability of 

Dangerous failure) 

4$ PFDavg - Average Probability of Failure on Demand 

4J, RRF - Risk Reduction Factor 

- RRF = 1/PFDavg 

4; MTTFS- Mean Time To Failure Spurious, SAFE failure 

4> STR- Spurious Trip Rate= 1/MTTFS 

~, MTTFD- Mean Time To Dangerous Failure 

Copyright© 2000.2008 exido.com L.L.C. 

101 

0 

PFS I PFD I PFDavg. Periodic Test and Inspection 

PFS I PFD I PFDPROM, Intervale de Pruebas Peri6dicas 

If we apply the concept of PFavg approximation to a single failure mode, then: 

1 T 

PFavg =- JPF(t)dt 

To 

~ 

Approx PFS = A- 8 * Tl 

Approx PFD = A- 0 * Tl 

Approx PFDavg = A- 0 * Tl /2 

f., I(. 

I 

- 

- T 

'2- 

- 

~J p 

2-- 

Copyright© 2001}.2008 exido.com L.L.C. 

"' 

.//// 

/ 

I

Availability- Failure Modes 

Disponibilidad- Modos de Falla 

!AVAILABILITY 

PFS 

Nuisance Trip 

PFD 

SUCCESSFUL OPERATION 

PFS - Probability of Safe Failure 

UNSUCCESSFUL 

OPERATION 

PFD - Probability of Failure on Demand (Dangerous Failure) 

0 


103 

Definition: Common Cause 

CausaComun 

Controller 

+ 

0 

Expected system trip rate : 0.0001 /year 

Actual system trip rate : 0.0006/year !!!!! 

In many actual installations, reliability performance did not meet 

calculated predictions. Why? 

Common Stress failed both units in a redundant system! 

Stress- combinations of temperature, humidity, corrosion, shock, 

vibration, electrical surge, RFI and more 


104

Common Cause 

[ 

CausaComun 

~------' 

0.9 

0.8 

0., 

0.0 

0.5 

0.4 

Strength\ 

trength 2\\ 

Stress 

0 

0.3 

0.2 

0.1 

0 

'' 

' : ' 

Stress - Strength View of Common Cause 

Copyrlsht © 2000.2008 exida.com L.L.C. 105 

Common Cause - Beta Model 

Causa Comun - Modelo Beta 

0 

~= 

Beta - the fraction of the 

failure rate where two or 

more failures will occur 

due to the same 

common stress. 

Note: this particular graphical representation of beta was derived for a redundant system 

with two components. The beta model may be used on systems with more than two 

components but care must be taken when choosing the beta number as it will vary 

depending on the number of components exposed to the common stress. 

Copyright© 200G-2008 exida.com L.L.C. 106



A = A-independent + Acommon cause 

~= 

Acommon cause 

Beta represents the fraction of the failure rate where two or 

more failures will occur due to a common stress 

0 


Common Cause - Beta Model. Example 

Causa Comun - Modelo Beta. Ejemplo 

A= ).,independent + Acommon cause 

A, = 0.02 failures I year 

0 

~ = 0.05 

Ace = 0.05 * 0.02 = 0.001 failures I year 

J.. 1 = (1-0.05) * 0.02 = 0.019 failures I year 


Getting the Beta Number 

Obteniendo el Valor de Beta 

NASA Space Shuttle Study 

f3 = 0.11 

IEC 61508, Part 6 Annex 0.6 

0 

= 0.005- 0.05 for programmable electronic 

equipment 

f3 = 0.01 - 0.10 for field equipment 


109 

Reducing Common Cause 

Disminuyendo las Causas Comunes 

0 

1. Physical Separation - redundant units are less 

likely to see a common stress 

2. Diverse Technology- redundant units respond 

differently to a common stress 

Copyright tO 2000.2008 exida.com L.L.C. 110

exSILentia Beta Estimator 

exSILentia Version Beta Estimador 

Copyright© 200G-2008 exida.com L.L.C. 

111 

Common Cause Modeling 

Modelaje de Causa Comun 

Example- Model a Redundant Power Supply 

POWER SUPPLY 

- 

A 

1- 

Power Supply 

System Failure 

0 

- 

rOWER SDPPJ:I:I 

B 

- 

20K 

2')., 

Power 

Supply A 

Fails 

Power 

Supply B 

Fails 

Copyright© 200G-2008 exida.com L.L.C. 

112

Including Common Cause in a Fault Tree Model 

lncluyendo Causa Comun en un Arbol de Fallas 

Fault Tree without 

Common Cause 

Fault Tree with 

Common Cause 

Power Supply 


Power Supply 


0 

Power 

Supply B 

Fails 

Common 

Cause 

Failure 

Copyright CI200G-2008 exido.com L.L.C. 

Difference due to Common Cause 

lncluyendo Causa Comun en un Arbol de Fallas 

0 

p=a.os 

PFDavg = 

3 

PFDavg = 0.000133 

Copyright C 200G-2008 exida.com L.L.C. 

PFDavg = 

(Ad;)2 * T2 

3 

PFDavg = 0.000620 

:\.d = 0.02 failures I year 

Tl = 1 year 

Beta= o.os 

((•mm>n 

Cause 

Oar>Jer•:



Example - Model a Redundant Power Supply with COMMON CAUSE 

Markov Model 

0 

COpyright© 2000-2008 exida.com L.L.C. 

115 



Multiple Failure Modes, Common Cause- Complete the 

Problems 0 

Copyright© 2000-2008exida.com L.L.C. 116

Section 3: System Reliability Engineering Summary 

Secci6n 3: Repaso de lngenieria de Confiabilidad de 

1s emas 

0 

4!, Reliability Block Diagrams 

~;, Fault Trees 

~~ Markov Models 

4tr 

Equipment Failure Modes 

4~ Common Cause 

Copyright 10 200Q-2008 exida.com L.L.C. 

Section 4: FMEA I FMEDA 

Secci6n 4: AMFE I AMFED 

0 

~), FMEA 

~~ FMEA Format 

~!~ Diagnostics 

4~ FMEDA 

4c Coverage Factor 

4+ Safe Failure Fraction 

Copyright 10 200Q-2008 exida.com L.L.C. 118

Failure Modes and Effects Analysis (FMEA) 

Analisis de Modos de Fallas y Efectos (AMFE) 

4> Systematic procedure designed to find design issues 

""Bottom- Up" Technique (as opposed to FTA which is 

"top-down") 

4> Entire system analyzed one component/sub-system at 

a time 

(> FMEA Standards - 

• MIL STD 1629A, 1984 

• IEC 60812,2006 2nd edition 

• New SAE Standard in development to replace 

1629A 


U9 


Anal isis de Modos de Fallas y Efectos (AMFE) 

Procedure: 

1. List all components and each failure mode. 

0 

2. For each component I failure mode, list the effect of 

that failure on the higher level sub-system/system. 

3. List the criticality I severity of the effect. 



Amilisis de Modos de Fallas y Efectos (AMFE) 

EXAMPLE - Cooling System 

0 

COOLING 

WATER 

VAL VEl 

/ 

FO ~ 

POWER SUPPLY _y 

PSl -- 

REACTOR 

COOLING 

JACKET 

COOLING 

"1---------Jfr--i> WATER 

DRAIN 

From ISA Book: Control Systems Safety Evaluation and Reliability, W .M. Goble, 1998. 

Copyright It! 2000.2008 exida.com L.L.C. 121 


Analisis de Modos de Fallas y Efectos (AMFE) 

0 

Sample FMEA- Tabular Format 

·r I 

Copyright© 200(}-2008 exido.com L.L.C. 122


Amilisis de Modos de Fallas y Efectos (AMFE) 

Pointers: 

1. Be careful about listing all parts 

2. Be careful about listing all known failure modes, refer 

to failure mode references. 

3. Identify each part uniquely 

4. Do not worry about "causes" unless the failure mode 

turns out to be critical - then list the cause so that it 

perhaps can be eliminated or reduced in magnitude 

5. FMEAs should be done in groups or reviewed by 

groups 

0 

Copyright© 200Q-2.008 exida.com L.L.C. 

123 

Failure Modes, Effects and Diagnostic Analysis (FMEDA) 

Analisis de Modos de Fallas, Efectos y Diagn6stico (AMFED) 

4> Extension of FMEA Technique 

4> Add diagnostic capability column and modes 

0 

(1 When component I failure mode is detectable, 

indicate detection mechanism (and error code) 

J1 Method invented and first published by exida 

people in 1992* 

41 Fault Injection results documented in chart 


"'

0 

~> 



COMPONENT ... 

DATABASE 

Component 

I 

H 

ProductA 

H Product 

Modes 

).' s ,:r Failure 

~ ~ME.DA. 

I·· .·.·., 

.• ; H 

Failure Mode 

Distribution :. :.•. 

I ; .:: 

Diagnostic 

Coverage 

Using a component database, failure rates and failure modes 

for a product (transmitter, 1/0 module, solenoid, actuator, 

valve) can be determined far more accurately than with only 

field warranty failure data 

Copyright CI200Q-2008 e;dda.com L.L.C. 

125 



0 

COpyright© 2000..2008 exida.com L.L.C. 126



4> An FMEDA will identify and quantify failure rates into 

applicable categories of failure modes 

SAFE -failures that cause the SIF to falsely trip in a single channel 

configuration 

DANGEROUS- failures that prevent the SIF from performing its safety 

function in a single channel configuration 

ANNUNCIATION -failures that prevent a diagnostic function from 

performing (per IEC 61508 these are classified as "safe") 

Others?? 

0 

Copyright 10 2000-2008 exida.com L.L.C. 

127 



%Safe= 

AS 

A +A 

8 0 

A 8 = %Safe* A 

A 0 = (1-%Safe) *A 

0 

Copyright 10 2000-2008 exida.com L.L.C. 

128

[ 

Diagnostics 

Diagn6sticos 

Automatic diagnostics allow: 

Quick repair of failed units - reduces time operating in 

degraded condition 

Conversion of dangerous failures to safe failures with 

series wired diagnostic cutoff switches 

0 

Diagnostic capability measured by "C = Coverage 

Factor," the percentage of failures that will be detected 

cs = Coverage Factor for Safe Failures 

C 0 = Coverage Factor for Dangerous Failures 


[ 

Diagnostics 

Diagn6sticos 

0 

41 An FMEDA will analyze the capability of any 

automatic diagnostic or manual proof test 

4!, Diagnostic coverage of automatic diagnostics can 

be accurately estimated, for example: 

-C 5 = 82.4% 

-C 0 = 93.2% 

4 1 Proof test effectiveness can be accurately 

estimated 

Copyright© 2000-2008 exida.com L.L.C. 13{)

Four Categories of Failure Rates 

Cuatro Categorfas de Ratas de Fallas 

A_SD 

A_SU 

A_DD 

A_DU 

CS*A_S 

(1-CS)*A_S 

CD*A_D 

(1-CD)*A_D 

0 

Copyright© 2000.2008exida.com LLC. 


Analisis de Modos de Fallas, Efectos y Diagn6stico (AM FED) 

Conventional PLC Diagnostics 

.. 

" 

1K 

ac Input ~£in \N 1'1'~ V2 

~·oV>W. 

2 

Mll]D F::: 

~ 10

0 



FMEDA for Conventional PES Input Circuit 

Failure Modes end Eftoots Annlysls FallurM/blllion houre ,.. Oang 

... OU$ 

"' Sale .Del. OIE!!Jnostic covere Covered 

'"" 

Comp011ant Mooo Effect Crttlcallty 

AI ·IK short loose filter 1 Sale 0.13 0.125 0 0 0 0 

oooo read toglo o 1 Sale O.o ... 0 1 read O!put cpen O.o 0 

C!-0.18 short read logic 0 1 Sale 

0 0 0 0 

loose filter t Sale O.o ' O.o ' 0 0 0 0 

R2 ·200K "" 

cve!Votlage 0 Dang, 0.13 0 0.13 0 0 0 

'"~ 

rell



I r 

ill 

' 

0 

Copyright© 2000-2008 exkio.com L.L.C. 

135 

Diagnostic Coverage 

Cobertura por Diagn6stico 

~' 

Conventional Input Circuit 

- cs = 0.0257 

-CD = 0.0000 

() 

j,. Safety Rated Input Circuit 

- cs = 0.9789 

-CD = 1 

(No known dangerous undetected) 


l 


Amilisis de Modos de Fallas, Efectos y Diagn6stico (AMFED) 

PROVIDES: 

• IEC 61508 Safe Failure Fraction 

• Coverage Factors: co, cs 

0 

• Failure Rates· f..S f..D f..SD f..SU f..DD f..DU 

. ' ' ' ' ' 

Needed for SIL Verification 

Copyright© 2000.2008 exido.com L.L.C. 

137 

IEC61508/IEC61511 Safe Failure Fraction 

Fracci6n de Falla Segura segun IEC61508/IEC61511 

0 

DEMAND MODE /) -tr;p cM~fA-OS ~ . 

A SD + A su + ADD - 

SFF=--------------- 

Aso + Asu + Aoo + Aou 

SFF is defined as the ratio of the average rate 

of safe failures plus dangerous detected failures 

of the subsystem to the total average failure 

rate of the subsystem. 

Copyrlsht © 2000..2008 exida.com L.L.C. 138


Fracci6n de Falla Segura segun IEC61508/IEC61511 

DEMAND MODE 

A,SD + A,SU + A,DD 

SFF= 

A,SD + A,SU + A,DD + A,DU 

SFF is a fraction not 

dependent on failure rate 

AS 

%Safe= 

AS+ AD SFF = 1- 

A 0 = (1-%Safe) *A 

ADD= CD*AD 

')...DU ~ 

_/ 

SFF =%Safe+ (1-%Safe) * C 0 

Copyright 10 2000-2008exida.com L.L.C. 

A 

"' 

0 

Safe Failure Fraction - Product Types 

Fracci6n de Falla Segura segun IEC61508 

TYPE A- "A subsystem can be regarded as type A if, for the 

components required to achieve the safety function 

a) the failure modes of all constituent components are well 

defined; and 

b) the behavior of the subsystem under fault conditions can be 

completely determined; and 

c) there is sufficient dependable failure data from field 

experience to show that the claimed rates of failure for 

detected and undetected dangerous failures are met." 

TYPE B - everything else! 

IEC 61508, Part 2, Section 7.4.3.1.2 


"' 

I

IEC61508 Safe Failure Fraction 

IEC61508 Fracci6n de Falla Segura 

DEMAND MODE 

TYPE A Subsystem 

Sale Failure 

Fraction 

Hardware Fault Tolerance 

u 

exida Failure Rates 

ex ida Ratas de Fallas 

v' 

v' 

v' 

v' 

v' 

v' 

Calculate IEC 62380 (Reliability data handbook for 

electronic components) failure rate for each component 

type and subtype and temperature profile 

Gather data from independent sources of failure rate data 

Make conservative best engineering judgment with strong 

preference to IEC predicted values 

Override IEC 62380 base failure rate numbers if outside the 

range of the other reference sources (particularly when on 

the low side) 

Combine/group component sub-types based on "significant 

differences" 

Make adjustments for identified weakness in IEC 62380 that 

lead to under estimating failure rates 

Copyright© 200D-200Sexida.com L.L.C. 

"' 

0 

Useful Life 

Vida Util 

v' Failure rates are only valid within the useful life. Infant 

mortality and wear-out are not part of the useful life 

period 

'"'~---------- 

0 

• • § iii 

Tm• • • 

v' lEG 61508-2 7.4.7.4 (note 3) requires publishing the 

useful life of the components 

)i 

! 

Copyright© 200G-2008exida.com L.L.C.

Component Reliability Handbook 

Componente Fiabilidad Manual 

0 

v' Only component reliability reference 

created specifically for IEC 61508 

analysis 

v' Provides reliability data for hundreds of 

electrical and mechanical components 

v' Failure rates 

v' Failure Modes and mode distribution 

v' Useful life limitations 


145 

Database Feedback I Update 

Base de datos Comentarios I Actualizaci6n 

0 

Field 

FMEDA 

ELEC./MECH. 

Failure 1---' Product A 1---' Compare ~ Product A 

~ COMPONENT 

Data 

DATABASE 

1 

Industry 

Database YES Update 

Significant 

ifference? 

Component 

Database 

,__ 

NO 

(Finish) 

Copyright© 2000..2008exida.com L.L.C. 146



Safe Failure Fraction I Failure Rates I Coverage Factors 

Complete the Problems 

15 minutes 

0 

copyright &I 2000-2008 exida.com L.L.C. 

147 

Section 4: FMEA I FMEDA Summary 

Secci6n 4: Repaso de AMFE I AM FED 

49 

jh 

FMEA 

FMEA Format 

See additional 

exida.com course: 

0 

j[, 

{\ 

Diagnostics 

FMEDA 

FMEA/FMEDA 

Analysis 

4 

i• 

Coverage Factor 

Safe Failure Fraction 

www.exida.com 


148

Section 5: Functional Safety Management 

Secci6n 5: Gerencia de Seguridad Funcional 

0 

4J, Management of Functional Safety 

4~· Quality System 

•~ 

Planning, people and paperwork 

~~ Benefits 


"' 

What is Functional Safety Management? 

i,Oue es Ia Gerencia de Seguridad Funcional? 

0 

IEC61508 defines functional safety as: 

"part of the overall safety relating to the equipment under control 

(EUC) and the EUC control system which depends on the correct 

functioning of the E/E/PE safety-related systems, other technology 

safety-related systems and external risk reduction facilities." 

In more approachable terms: 

Functional safety management governs equipment and process 

safety activities involving safety systems. 

THE PURPOSE IS TO REDUCE THE POSSIBILITY OF A 

SYSTEMATIC FAULT! 


"'

Functional Safety and the Safety Lifecycle 

""'m u·•n••n Funcional el Cicio de Vida de Seguridad 

Define the 

steps required 

Define the 

documentation 

required 

Audit the 

process to 

make sure it is 

being followed 

"Stage 3" 

before the 

process 

hazards are 

introduced 

0 

Functional Safety Management Objectives 

Objetivos de Ia Gerencia Funcional de Seguridad 

4& Specify management and technical activities 

during the Safety Lifecycle to achieve and 

maintain Functional Safety 

n 

4o Specify responsibilities of persons and 

organizations 

(> Extend an existing and monitored quality system 

-Plan, execute, measure and improve 

Copyright© 2000..2008 exida.com L.L.C. 152

61508 and 61511 Versions of FSM 

61508 y 61511 Versiones de FSM 

0 

'' Since FSM focuses on procedures, the standards provide 

a good reference 

'' 61508 covers everything including safety system 

hardware and software development 

-Part 1 Clause 6 lays out details of FSM 

-Broad coverage can make application challenging 

61511 focuses on the process owners and safety 

system users 

-Part 1 Clause 5 lays out details of FSM 

-Narrower coverage makes application more manageable 


153 

[ 

Key Issues 

Puntas Claves 

0 

Functional Safety Management 

Safety Planning -create a FSM Plan 

Roles and Responsibilities 

Personnel Competency 

Documentation, Documentation Control 

Functional Safety Verification and Assessment 

Documented Processes 


154

A FSM Plan describes the Safety Lifecycle 

El Plan de Ia GFS describe el Cicio de Vida de 

Analyze 

Hazard Analysis I 

Risk Assessment: 

Define Design Targets 

H Document l 

Modify 

Design I Execute HW 

and SW Design 

Verify 

" 

Document 

Evaluate Design: 

Reliability Analysis of Safety 

f-1 Document 

Integrity & Availabil~y 

I 

I Operate and Document I 

Maintain 

~ 

Copyright Cl2000-2008 exido.com L.L.C. 155 

I 

0 

Components of a FSM Plan 

Componentes del Plan de Ia GFS 

Steps and sequence of work activities 

-Roles and responsibilities 

-Personnel competency 

-Documentation structure 

-Verification tasks for each step 

- Safety Requirements Specification development plan 

- Design guidelines and methods 

- Verification and Validation plans 

- Operation and maintenance guidelines 

- Management of Change procedures 

- Functional safety assessment plan 

n 

----' 

Copyright CI2000-200Sexida.com L.L.C. 156

Roles and Responsibilities 

Roles y Responsabilidades 

• Must be clearly delineated and communicated 

~~Each phase of SLC and its associated activities 

0 

~ One of the specifically noted primary objectives 

of functional safety management 


157 

Personnel Competency 

Competencia del Personal 

0 

4' Ensure that staff "involved in any of the overall or 

software SLC activities are competent" 

~'Addressed specifically in Annex A, IEC61508 

Training, experience, and qualifications should all be 

assessed and documented 

- System engineering knowledge 

- Safety engineering knowledge 

- Legal and regulatory requirements knowledge 

- More critical for novel systems or high SIL 

requirements 

Copyright© 200Q-2008 e.xida.com L.L.C. 

158

~ Operated by the CFSE Governing Board 

-To improve the skills and formally establish the competency of 

those engaged in the practice of safety system application in the 

process and manufacturing industries. 

4, Certification audited by ex ida Certification S.A. 

CFSE 

GOVERNANCE BOARD 

() 

Copyright© 2000-2008 exida.r:om L.L.C. 159 

4 Types of Exams 

-Application- Process Industries 

-Application - Machine Industries 

-Developer- Software 

-Developer- Hardware 

0 


'"'

Certified Functional Safety Expert 

Application Engineering~ Process 

Study Guide 

2"d Edition 

Resources Available: 

110n-line Training 

Reference Books 

0 


Documentation Objectives 

Objetivos de Documentaci6n 

0 

What needs to be documented? 

Any information to effectively perform: 

41· Each phase of the safety lifecycle 

4/ Management of functional safety 

4>Verification and Validation 

~f Functional Safety Assessment 

Copyright !02000-2008 exida.com L.L.C. 162

IEC 61511 Functional Safety Assessment 

IEC 61511 Evaluaci6n de Ia seguridad 

/~ 

I 

i> Does the safety system meet spec and actually achieve 

functional safety (freedom from unacceptable risk) 

4, Independent team; one competent senior person not 

involved in the desi n as a minimum 

4> Should b performe fter the stages below and MUST 

ea sage3 

- Stage 1 - After hazard and risk assessment and 

safety requirements specification 

- Stage 2 -After SIS design 

- Stage 3 -After commissioning and validation 

(before the hazard is present) 

- Stage 4 -After experience in operation and 

maintenance 

- Stage 5 - After modification 


"' 

0 



Functional Safety Management - Complete the Problems 

15 minutes 

0 


"'

Section 5: Functional Safety Management Summary 

Secci6n 5: Repaso de Ia Gerencia Funcional de Seguridad 

4:, Management of Functional Safety 

4~ Quality System 

~} Planning, people and paperwork 

~P· 

Benefits 

0 

Copyright (0 2000-2008 exida.com L.L.C. 165 

Section 6: Redundant Architectures 

Secci6n 6: Arquitecturas Redundantes 

0 

4:· Basic Architectures 

~h Comparison 

~· Advanced Architectures 

4J; Diagnostics 


Basic Architectures 

Arquitecturas Basicas 

How much? 

What kind of redundancy? 


Determine Test 

Philosophy 

1oo1 

1oo2 

2oo3 

1oo1D 

1oo2D 

0 

Copyright ltl200rJ.2008 exida.com L.L.C. 

167 

Simplified Equations 

Ecuaciones Simplificadas 

Voting Average probability ot "punous.np 

failure on demand · rate 

(PFD ""') 

(STR) 

1oo1 A-ct* T/2 A-. 

(A-ct)2 * T2 

1oo2 

n. 

3 

2A- 2 

A-ct* T 

2oo2 

s 

3A-. + 2/T 

2oo3 (A-ct)2 * F 6A,s 2 

5A-. + 2/T 

0 

Note: These "simplified equations are too simple and ignore critical variables that may impact results 

optimistically by multiple SIL levels. Do not use these equations for any real analysis. They are 

presented only to amplify the differences between architecture. 


Safety System Design: Select Architecture Redundancy 

Diseno Sist. Seguridad: Selec. Arquitec. de Redundancia 

f.,= 0.01 failures I year 

}. 0 = 0.02 failures I year 

Tl = 1 year 


1oo1 

0 


Philosophy 

As 

STR 

Controller 

Ad* T/2 

PFDAvG (Dangerous) 

1oo1 

0.01 /year 

0.01 

COpyright© 200IJ.200B eXida.com L.L.C. 

Using the simple approximation 

equations. No diagnostics 

169 

1 oo2 Architecture - Redundancy for Safety 

Arquitectura 1 oo2- Redundancia para Seguridad 

c 


Philosophy 


2A 8 

STR 

1oo1 0.01/year 0.01 

(Ad)2 * F 

3 

1oo2 0.02/year 0.00013 


Using Simple Approximation Formulas 

No Common Cause, No Diagnostics 

170

2oo2 Architecture - Redundancy to reduce false trips 

Arquitectura 2oo2- Redundancia para reducir Paros Falsos 



Philosophy 

Copyright 10 2000.2008exida.com L.L.C. 

2oo2 

8 Controller U 

~=======: 

S·rL_ ______ 

1oo1 

31..,+ 2/T 

STR 

0.01 /year 

1 oo2 0.02 /year 

2oo2 

0.0001 /year 

+ 

c_an_'_'a_u_e'-----~~~1--o 

-9""'" 


0.01 

0.00013 

0.02 

Using Simple Approximation Formulas 

No Common Cause, No Diagnostics m 

0 

2oo3- Redundancy to reduce both failure modes 

2oo3 - Redundancia para reducir ambos modos de lalla 

2oo3 

& 

& 

& 

Input Circuit 

Input Circuit 

Input Circuit 

STR 

+ 

,.,.......,,.,.. ~ 

PFD AVG (Dangerous) 

eoom..cm.~ry 

1oo1 0.01 /year 0.01 

1oo2 0.02 /year 0.00013 

2oo2 0.0001 /year 0.02 

2oo3 0.0003 /year 0.0004 

I VOilngOn:ril 

... 

""- 

Using Simple Approximation Formulas - No Common Cause, No Diagnostics 


m 

0

[ 

Diagnostics 

Diagn6sticos 

~________...__-~ 

J 

Enables On-line Repair 

Enables Automatic Shutdown 

Credit for diagnostics can only be taken if the system has good 

annunciation I repair or automatic shutdown 

This can have a strong positive impact on PFDavg, STR and controller 

availability- in all architectures but especially in redundant architectures. 

0 

Diagnostic capability measured by 

"C =Coverage Factor'', 

the percentage of failures that will be detected. 

c, = Coverage Factor for Safe Failures 

Cd = Coverage Factor for Dangerous Failures 

Copyright Cl2000-2008exida.com L.L.C. 

173 

0 

A,= 0.05 failures I year 

:\.d = 0.02 failures I year 

T=1year 

c,, cd = o to 0.6 

1 oo1 Architecture - Diagnostics 

Arquitectura 1 oo1 - Diagn6sticos 

1oo1 

Controller 

This architecture will not automatically shutdown on a detected 

failure. Therefore repair time is a variable in the PFDavg equation. 

PFDavg = (:\.dd * RT) + (:\.du * T/2) 

STR 

1 oo1 0.05 /year 

1 oo1 0.05 /year 


0.01 no diagnostics 

0.004 with Cd = 0.6 

Using fault trees: average repair time equals 48 hours, inspection period equals 

1 year, diagnostic coverage factors = 0.6, no common cause. 

Copyright© 2000-2008 exida.com L.L.C.

New Generation Architectures 

Arquitecturas de Nueva Generaci6n 

Automatic diagnostics, made effective 

via microprocessor power starting in the 

late 1980's, led to new architectures 

based on reconfiguration of the system 

alter a diagnostic has detected a failure. 

0 

newer designs have proven effective in 

providing low PFDavg and low STR. 

Copyright !ti2000-2008exido.com L.L.C. 175 

New Generation Architectures - 1 oo1 D 

Arquitecturas de Nueva Generaci6n -1oo1 D 

I 

J Input Circuit 

Diagnostic Circuit(s) 

0 

STR 


1oo1 0.05 /year 0.00406 Cd = 0.6 

1oo1D 0.062 /year 0.004 Cd =0.6 

1oo1 0.05 /year 0.0006 Cd = 0.95 

1oo1D 0.069 /year 0.0005 Cd =0.95 

Using fault trees: average repair time equals 48 hours, inspection period 

equals 1 year, no common cause. 


New Generation Architectures - 2oo2D 

Arquitecturas de Nueva Generaci6n- 2oo2D 

u 

~ 

1oo1 

2oo3 

1oo1D 

2oo2D 

STR 

0.05 /year 0.0006 


0.00043 /year 0.00000094 

0.069 /year 0.0005 

0.00021 /year 0.001 

DIAGNOSTIC 

COVERAGE 

=95% 

Using fault trees: average repair time equals 48 hours, inspection period 

equals 1 year, diagnostic coverage factors = 0.95, no common cause. 

Copyright© 2000..2008 exida.com L.L.C. 177 

New Generation Architectures - 1 oo2D 

Arquitecturas de Nueva Generaci6n - 1 oo2D 

0 

1oo1 

2oo3 

STR 

0.05 /year 

0.00043 /year 


0.0006 

0.00000094 

DiajjoosticCirl:uit(s) 

+ 

1oo1D 

0.069 /year 

0.0005 

2oo2D 

0.00021 /year 

0.001 

1oo2D 

0.00021 /year 

0.0000004 

The 1oo2D depends highly 

on good diagnostics. 

Copyright ltl 2000-2008 exida.com L.L.C. 

178

Hybrid Diagnostic Based Architectures 

Closest Notation: 

2oo(1oo2D) 

1 oo2D provides high 

safety in a single module 

but redundant modules 

provide higher 

availability. 

If diagnostics are better 

reach 98%+, this 

architecture achieves 

superior safety and 

availability. 

Example: DeltaV SLS1508 Redundant 

Others: Yokogawa RS, Siemens 87, etc. 

0 


179 

1 oo2 Architecture for field equipment 

Arquitectura 1oo2 para Equipos de Campo 

SENSOR 

FINAL ELEMENT 

0 

Trip if 

either 

transmitter 

indicates a 

trip 

condition 


PLC 


2oo2 Architecture for field equipment 

Arquitectura 2oo2 para Equipos de Campo 

SENSOR 

FINAL ELEMENT 

0 

Trip only if 

both 

transmitters 

indicate a 

trip condition 

L 

Valve closes to trip 

Copyright© 2000.2008exida.com L.L.C. :-h. -ty._~ 181 

[ 

Architectures 

Arquitecturas 

0 

;;:: 

.Q 

Otoo2 

Ol 

~· 

iii 

0 

"- o._ 

.

~~~~~~: 

Hardware 

Architecture Fault 

Tolerance 

toot 0 

1oo1D 0 

mlb2 ~ 

2oo2 0 

2oo3 1 

2oo2D 0 

1oo2D 1 

too3 2 


Tolerancia a Falla en Hardware 

TYPE B 

Safe Failure 

Fraction 


0 1 2 

IEC 61511 PE logic solvers 

IEC 61511 PE L6gica resolutores 

SIL 

1 

2 

3 

Minimum Hardware Fault Tolerance 

SFF 90% 

1 0 0 

2 1 0 

3 2 1 

0 

4 

Special requirements apply (see IEC 61508) 

Almost identical to IEC 61508 Type B table 

- IEC 61508 specifies 4 levels of SFF 

- IEC 61511 does not specify SIL 4 

COpyright ltl2000-2008exida.com L.L.C. 

185 

IEC 61511 field equipment 

IEC 61511 Sortee el Equipo 

0 

SIL 

1 

2 

3 

4 

Minimum 


0 

1 

2 

Special requirements apply (see JEC 61500) 

4i 

No Type A vs. Type B 

~~ No SFF 

~~ Identical to IEC 61508 Type B table for SFF 

60-90% and Type A table for SFF 0-60% 

Copyright !02000-2008 exida.com L.L.C. 

186



•" 

Increase minimum HFT by one if the dominant failure 

mode is not to the safe state or dangerous failures are 

not detected 

~> Reduce minimum HFT by one if 

- The hardware of the device is selected on the basis of 

c---'· prior use; and 

- The device allows adjustment of process-related 

parameters only, for example, measuring range, upscale 

or downscale failure direction; and 

- The adjustment of the process-related parameters of the 

device is protected, for example, jumper, password; and 

- The function has a SIL requirement of less than 4. 

0 

Copyright© 2000-200Sexida.com LLC. 

187 



• I EC 61508 H FT charts may be 

used instead of 61511 chartsrecommended 

• They are clear and more 

flexible 

0 




Redundant Architectures - Complete the Problems 

10 minutes 

0 


189 

Section 6: Redundant Architectures Summary 

Secci6n 6: Repaso de Arquitecturas Redundantes 

0 

~> Basic Architectures 

4" ' 

Comparison 

t Advanced Architectures 

40 Diagnostics 


190

l 

Section 7: Safety Instrumented System Design 

Secci6n 7: Diseno de Sistemas lnstrumentados de Seguridad 

~\ Safety Requirements Specification 

~" Conceptual Design 

4ii 

Technologies 

~;. Architectures 

4~ Design Verification 

~L ? 

Detail Design 

~> Tools 

0 

Copyright Cl 2000-2008 exida.com L.L.C. 

"' 

Detailed Safety Lifecycle 

Cicio Vida Seg. Detallado 

SIS Design in the context of the SLC 

0 

Copyright tO 2000.2008 exida.com L.L.C. 

"'

SIS Design 

Diseiio del SIS 

i 

i 

0 

Copyright e 2000-2008exida.com L.L.C. 

193 

SRS - Design Requirements 

ERS - Requerimientos de Diseiio 

0 

'' The SRS should contain two types of requirements 

- Functional Requirements 

- Integrity Requirements 

'' The SRS should contain these functional requirements 

Definition of the safe state 

Process Inputs and their trip points 

Process parameter normal operating range 

Process outputs and their actions 

Relationship between inputs and outputs 

'" The SRS should contain these integrity requirements 

- The required SIL for each SIF 

Reliability requirements if spurious trips may be hazardous 

Requirements for diagnostics to achieve the required SIL 

Requirements for maintenance and testing 


194

Equipment Selection 

Selecci6n de Equipo 

IEC 61511, Functional Safety for the Process 

Industries, requires that equipment used in safety 

instrumented systems be chosen based on either 

IEC 61508 assessment to the appropriate SIL 

level or justification based on "prior use" 

criteria (IEC 61511 , Part 1, Section 11.5.3) 

0 


"' 

Prior Use ??? 

[ 

Uso de Prioridad ??? 

~--~ 

l 

~: Unfortunately the I EC 61511 standard does not give 

specific details as to what the criteria for "prior use" really 

means 

'" Most agree however that if a user company has many 

years of documented successful experience (no 

dangerous failures) with a particular version of a 

particular instrument this can provide justification for 

using that instrument even if it is not safety certified. 

Operating conditions must be recorded and must be 

similar to the proposed safety application 

0 


exida Recommended Prior Use Criteria 

Recomendado Antes de Utiliza los Criterios 

Time in Use 

• The equipment item must be shipping for one year 

without any revisions or changes; or 

• The equipment item must be shipping for two years 

without any significant revisions or changes 

0 

• IEC 61508 

- Equipment item in service for at least one year with unchanged 

specification [IEC 61508-7 8.5.4] 

• IEC61511 

- No Time In Use requirements 

COpyright© 200G-2008 exidu.com L.L.C. 

"' 



0 

Operating Experience 

• IEC 61508 Techniques and Measures to avoid 

systematic failures [IEC 61508-2 Table 8.6] 

• Low effectiveness 

- 1 0,000 hours of operation time, at least one year of experience 

with at least 1 0 devices in different applications 

- Statistical accuracy claimed should be 95% 

- No safety critical failures may have occurred 

• High effectiveness 

- 10,000,000 hours of operation time, at least two years of 

experience with at least 1 0 devices in different applications 

- Statistical accuracy claimed should be 99.9 % 

- Detailed documentation of all changes (including minor) during 

past operation 

Copyright ©200G-200Sexlda.com L.L.C. 

"'



Operating Conditions 

• The stress conditions of the considered prior use 

applications should be equal to or above average 

conditions of the application 

• Including an assessment of the functionality and the 

application environmental limits 

• IEC61508 

- Similar conditions of use, i.e. functionality and environment 

• IEC 61511 

- Consider operating profile of equipment itefi11s. specific points 

relate to functionality and environment (IEC 61511-2 11.5.3] 

0 


"' 



Operating Conditions 

• IEC 61511 allows for field devices (for example, sensors and 

final elements) that non-safety function experience is 

considered in the safety function proven in use argument 

0 

• This is based on the assumption that the function is usually 

identical in safety and non-safety [IEC 61511-1 11.5.3.2] 

• This may be the case for sensing devices like transmitters, it 

is definitely not the case for valves. A control valve is usually 

a dynamic valve, a safety valve is usually a static valve 




Safety Manual/Quality System 

0 

• A IEC 61508 compliant safety manual needs to be 

available 

• The manufacturer's quality, management, and 

configuration management systems should be 

considered 

- ISO 9000 (or better) certified quality system that covers all 

manufacturing operations and field failure returns 

- Field failure return procedures must require that statistics be 

maintained on all field returns 

- Detailed version control system that identifies all changes and 

revisions. Modification procedures must meet IEC 61508 

requirements 

- IEC 61508 gap analysis should determine maturity of Quality 

System 

copyrlsht © 2000-2008exida.com L.L.C. 201 



0 

Process Parameter Adjustment Only 

• Equipment item allows adjustment of process-related parameters only 

and that the adjustment of the process-related parameters of the device 

is protected [IEC 61511] 

• The equipment item should be assessed as being not programmable 

- This generally excludes products capable of running 

function blocks or configurable calculations (most Fieldbus 

products) 

- The equipment item must have means to protect parameter 

changes, i.e. jumper and/or a password 





• Based on documented hours in use in similar application 

• Account for Proof Test Coverage in calculation of proof 

test failures 

• Make certain that ALL failures are reported OR account 

for estimated % not reported in calculation 

• A single-sided upper confidence limit of at least 70 % 

shall be considered (based on IEC 61508-2 7.4.7.9) 

Compare results to FMEDA results. Choose most conservative numbers or fully 

justify other decision. 

0 

Copyright fi:I200Q-2008 exida.com L.L.C. 203 

Prior Use ??? 

[ 

Usa de Prioridad ??? 

~---~ 

l 

~2 To help end users with their Prior Use justification 

document, many manufacturer's are providing 

third party assessments including: 

~n FMEDA Report- manufacturer provides failure 

rate and failure mode data 

•'· Proven In Use Report- manufacturer provides 

modification history, field performance warranty 

data 

0 

Copyright© 200Q-2008 exida.com L.L.C. 204

Safety Assessment for Products 

Evaluaci6n de Ia seguridad de los productos 

0 

4* FMEDA- manufacturer provides failure rate and 

failure mode data 

t4 Proven In Use- manufacturer provides 

modification history, field performance data 

~n IEC 61508 Certification- manufacturer has third 

party assessors certify that a product meets all 

requirements of 61508 


Safety Assessment Limitations 

Evaluaci6n de Ia seguridad de las limitaciones 

0 

~> FMEDA- manufacturer provides failure rate and failure 

mode data 

-DOES NOT INCLUDE PROCESS 

CONNECTIONS! 

.t' Proven In Use- manufacturer provides modification 

history, field performance data 

- MANFACTURER P.I.U. INFO IS JUST A 

START, THEY DO NOT USE THE 

EQUIPMENT. 


IEC 61508 Certified Product 

Pressure Transmitters 

Temp. Transmitters 

Trend toward 61508 Certified Products 

Tendencia a 61508 Productos Certificados 

SAFETY AUTOMATION EQUIPMENT LIST 

Flow Transmitters 

Level Transmitters 

PLCs 

Trip Amps, modules 

Actuators 

Solenoids 

Valves 

Ta mai{rr.~

0 

Certificate I Ce 

Zertifikat I 

Copyright (Q 2000.2008 exida.com L.L.C. 

IEC 61508 Full Certification 

IEC 61508 Plena Certificaci6n 

., The end result of the 

certification process is a 

certificate listing the SIL level 

for which a product is qualified 

and the standards that were 

used for the certification 

'' However, we must understand 

that some products are certified 

with "restrictions" 

{; The restrictions essentially 

indicate when a product does 

not meet some requirements of 

IEC 61508 

(} The restrictions are listed in the 

safety manual and must be 

followed if safe operation is 

required 

209 

IEC 61508 Pressure Transmitter Certification 

0 

''" 

"" 

2000T/2~1 

~15'.$ 

Ccm!le~ 

~1506 

CerMiod 

#}AI(' 

rovsuo 

..... 

-· 

~1506 

Hone)Well 83iXJl Fressure ~arc~moaer 

Ccmliod 

OWimSys 

51>;00 

~AS•n•s Prosmo

~,,_,, 

,...,, 

;i;l'!EC€1151!8 CERTIFIE!l 

''"'""" 

""'"'''"'"'' 

IEC 61508 

·~ 

PLC 

'"''"- - ~· 

c,,~_. 

"'""'n"'~ h·•'r"l.C Ill ;If 

"'"~"'""' 

~ ,,,., "-" Ill Iii 

T~RI• 

!'H. ,,.,~!1loUF'I.C 

"''~"- 

:;.~ ~.4 

~..,...._"0•ooid~nM 

~;5lla 

C•tllftoo 

6\S!IS 

CeCil~·~ 

p;c, ¢~Nilo13 \\'Of 'l ~10(1$ 

Pos~ttrr16 SW""OI~'h!>O 

.{q.>-)rW_" 

!:[

~ ~ ~ 

"""""""""" 

IEC 61508 Ball Valve Certification 

IEC 61508 Valvula Esferica de Certificaci6n 

Ba!!Va!Vi'dda.com L.L.C. 

213 

IEC 61508 Full Certification Enough? 

IEC 61508 Plena Certificaci6n Suficiente 

0 

~okog.,.oEiunl'8 ......., 

.,L.O@H"T•t!UO~HFT•O 

~' NO! A control system designer cannot 

simply specify 61508 certified 

equipment and expect a safe design! 

Equipment "restrictions" must be 

followed 

., Process connections must be included 

Copyright© 2000..2008 exido.com L.L.C. 

214

[ 

Safety Manual 

Manual de Seguridad 

l 

Certificate i 

Zertifikat 1 

~:;,~.~:::=.~==~~., 

""'''"'""'"lhU: 

~' 

~' 

~j, 

4l 

4\ 

Usage Requirements-Restrictions 

Environmental Limits 

Optional Settings 

Failure Rate Data 

Useful Life Data 

Common Cause Beta Estimate 

Inspection and Test Procedures 

0 

Copyright (I 2000.2008 exida .com L.L.C. 

215 


Selecci6n de Arquitectura 

I 1 

ool ~ 

loof A 

-1Hr-v 

il2oo2 ~ 

I HI-; 

1Hr-i2oo3 

H f--L----i\ 

- Objective 

• Determine type of 

redundancy needed to meet 

required Safety Integrity Level 

• Choose architecture 

• Obtain reliability and safety 

data for the architecture 

0 

Copyright© 200G-2008exida.com L.L.C. 

216

Test Philosophy 

Filosoffa de Pruebas 

0 



Philosophy 

How will the sensors, controller and 

final elements be tested? 

How frequently? 

PERIODIC INSPECTION 

Time Interval: 5 Years, 1 Year, 6 Mas, 3 Mos. 

Procedure: Shutdown Plant? 

Bypass SIS? 

Transmitter Testing? 

Valve I Actuator Testing? 

Copyright

Failure Rate Data Models 

Modelos de Datos para Ratas de Falla 

1. Industry Databases- NOT Application Specific, 

NOT Product Specific 

2. Manufacturer FMEDA, Field Failure Study 

Product Specific 

NOT Application Specific 

3. Detail Field Failure Study- Application model. 0 

Product Specific 

Application Specific 

Copyright© 2000..2008 exkla.com L.L.C. 219 

Failure Rate Data Handbook 

Manual de Datos de Ratas de Falla 

1. Industry Databases - 

NOT Application Specific, NOT Product Specific 

2. Manufacturer FMEDA, Field Failure Study 

Product Specific, NOT Application Specific 

0 

Copyright 10 200Q-2008 exida.com L.L.C. 220

Safety Integrity Levels 

Niveles de lntegridad en Seguridad 

DEMAND MODE 


Level 

Target Average 

Probability of Failure on 

Demand 

Target risk reduction 

(RRF) 

0 

SIL4 

SIL3 

SIL2 

SIL 1 

~1 o-s to 1 oooo to ,; 100000 

~ 10-4 to 1000 to,; 10000 

~ 10 .. to

[ 

Markov Analysis 

Analisis de Markov 

l 

;, Can be more precise with 

less work 

., Generally well accepted 

''Well known Solution 

Techniques 

''One model for multiple 

failure modes 

''Provides clear picture of 

system operation under 

failure conditions 

0 

Copyright CO 2000-2008 exida.com L.L.C. 

223 

Three Requirements for 

SIL Design Verification 

• Low Demand Mode - PFDavg 

- Manages risk from random failures 

• Hardware Fault Tolerance 

- Meets standard requirements 

• Systematic Integrity 

- Proven in use I 61508 compliant equipment 

- Manages risk from systematic failures 

0 

Copyrlsht © 2000-2008 exida.com L.L.C.

Putting the Function Together 

• Overall function PFDavg ~ 

PFDavg Inputs + 

PFDavg Outputs + 

PFDavg Logic Solver 

0 

• Overall function Spurious Trip Rate (STR) = 

STR Inputs+ 

STR Outputs + 

STR Logic Solver 


Ex 1 : High Pres. Prot. Loop. Pressure Switch+Solenoid 

Ej 1: Lazo Prot. Alta Presion. Interrupter Presi6n+Solenoide 

0 

Solenoid ????? 

Pressure switch ????? 

Lambda D (AP) 

No Diagnostics, Test lnterval-1 year, SIL2 required 

:------e-------/' ----- 

sov 

I 

Vessel 


"'

SIF Verification Example 

Ejemplo de Verificaci6n de Ia FIS 

EooPr&>



Example 1: High Pressure Protection Loop. Pressure Switch+Solenoid 

Demand Mode 

Lambda DU (A DU) 

Solenoid 

Pressure switch 

0.585 X 1 Q·B failures per hour 

3.6 x 10·6 failures per hour 

No Diagnostics, Test Interval - 1 year, SIL2 requirement 

0 

PFDavg = ).,DU Tl/2 

PFDavg = (0.000004185* 8760) /2 

PFDavg = 0.01833 

RRF = 1/PFDavg = 54.5 - SIL 1 


Use simplified 

equation for first 

pass. Assuming 

perfect proof testing 

- very optimistic! 

"' 



0 


Proof Test: Operations has said that it is not practical to change the 

process pressure or isolate the pressure switch. Therefore the proof 

test will open the pressure switch wire once a year and check to see 

if the solenoid will de-energize. The pressure switch will be 

inspected for corrosion and dirt and cleaned if necessary. 

How good is this? What coverage? 

Estimate of Test Effectiveness: 

Pressure Switch - 20% 

Solenoid - 95% 

Copyright CI2000-2008 exida.com L.L.C. 230 

I 

I 

/




PFDavg = CpTAD Tl I 2 + (1-CPT) AD LT I 2 

CPT = Effectiveness of proof test, 0 - 1 00% 

L T = Operational Lifetime of plant 

The process unit will be operated for 6 years then shutdown for 

complete overhaul. During the overhaul, solenoid and pressure 

switch will be replaced with new units. 

Therefore L T = 6 years 

0 

Note: This "simplified equation" is not as simple as before but gives reasonable results. 





PFDavg = CpTAo Tl I 2 + (1-CPT) A.o LT I 2 

= 0.2 * 0.0000036 * 876012 + (1 - 0.2) * 

0.0000036 * 6 * 876012 

0 

+ 0.95 * 0.000000585 * 876012 + (1 - 0.95) * 

0.000000585 * 6 * 876012 

= 0.082 

RRF = 12 LOW SIL 1 

Copyright© 2000-2008 e.xida.com L.L.C.


IEC61508/IEC61511 Fracci6n de Falla Segura 

A_SD + A_SU + A_DD 

SFF=-------------- 

A_SD + A_SU + A_DD + A_DU 

SFF is defined as the ratio of the average rate of safe 

failures plus dangerous detected failures of the subsystem 

to the total average failure rate of the subsystem. 

0 

A_DU 

SFF=l- 'A 

Copyright() 200o-2008exida.com L.L.C. 

233 



0 

Example: High Pressure Protection Loop 

1. Pressure Switch • Solenoid 

Lambda D (;IP) 

Lambda S (I..S) 

Solenoid 0.585 x 1 o-s f/hr 1.010 x 10"" f/hr 

Pressure switch 3.6 x 10""1/hr 2.4 x 1 o-s f/hr 

0 

Limiting sub-system is sensor- pressure swttch. 

SFF 

72.1% 




TYPE A Subsystem 

Demand Mode 

Safe Failure 

Fraction 


0 1 2 

Example 2: High Pressure Protection Loop Transmitter - DCS - Solenoi 

Ejemplo 2: Alta Presion Proteccion bucle transmisor- SCD- Solenoids 

EQ\o"'~v.rtrru 

!«~~mount 30S1C 

GENERAl INFORMATION 

0 

M.!M->'K

Trip Setting: Alarm Setting Diagnostic Filtering 

Viaje Ambiente: Alanna de Diagn6stico de Filtrado 

Configure DCS to detect out of range current signals as a "Detected" 

failure without a trip. 

20mA 

Alarm Setting: 

Detected Faults end up here with over range setting 

--- High Trip 

Normal process signal 

4mA~--------~~~~--- 

Aiarm Setting: 

Detected Faults end up here with under range setting 

Diagnostic Filtering: 

• Detection of over range I under range (invalid) signals 

• Detection of rate of change (indication of internal transmitter error) 

also called input filtering 

0 

Copyright© 200o-2oosexida.com L.L.C. 239 

Example 2: High Pressure Protection Loop Transmitter- DCS- Solenoid) 

Ejemplo 2: Alta Presi6n Protecci6n bucle transmisor- SCD - Solenoide 

If we assume "clean service" on the pressure transmitter- no plugged impulse 

line problem then: 

Lambda DU transmitter= 98 FITS (1 failure per 10' hours) 

0 

The SIF in the DCS Logic Solver has one analog input, all common circuitry and 

one digital output. 

Lambda DU DCS = 

(1 • 38) One Analog Input Channel 

+ 250 Analog Module Common 

+ 1500 Main Processor 

+ 13 Power Supply 

+ 125 Digital Output Module Common 

+ (1 '150)0ne Digital Output High Current Channel 

= 2076 FITS 

Copyright© 200CI-2008 exida.com L.L.C. 240



Example 2: High Pressure Protection Loop. Transmitter-DeS-Solenoid 

Lambda DU (1.P") 

Transmitter 

Logic Solver 

Solenoid 

98 X 1 0·9 failures per hour 

2076 x 10·9 failures per hour 

585 x 10·• failures per hour 

0 

PFDavg = jpu Tl/2 

PFDavg = (0.000002759* 8760) /2 

PFDavg = 0.012 

RRF = 1/PFDavg = 83 - SIL 1 

Use simplified 

equation for first 

pass. Assuming 

perfect proof testing 

- very optimistic! 


241 



0 

Transmitter SFF 

is 82%, smart 

device therefore 

Type B. Still 

limited to SIL 1. 

TYPE B Subsystem 

Demand Mode 

Safe Failure 

Fraction 


0 1 2 

Ex 3: Safety Transmitter+Safety PLC+ 1 oo2 Solenoid 

Ej 3: Transm.Seguridad+PLC Seguridad+Arreglo 1oo2 Sol. 


Pressure 

Transmitter 

I s~~ty ~-----@-- / 

I I 

.---- --- ... 

' 1002 : 

sov [j Voting 

-lXJ- 

0 sov 

--[X}- 

'- 

Vessel 

--.._ 

----- 

0 


243 

Ex 3: Safety Transmitter+Safety PLC+ 1 oo2 Solenoid 

Ej 3: Transm.Seguridad+PLC Seguridad+Arreglo 1 oo2 Sol. 

0 

via JEC 61508 Certification 

Copyright© 2000-2008 e.xida.com L.L.C. 

244

Ex 3: Safety Transmitter+Safety PLC+1oo2 Solenoid 


0 

'I 

Justification via lEG 61508 Certification 

Copyright a:J 2000-2008 exida.com L.L.C. 

245 

Ex 3: Safety Transmitter+Safety PLC+1 oo2 Solenoid 


0 

PFDavg? 

SFF? 


Pressure 

Transmitter 

SIL? 

I sf~~~ ~-----G-- / 

---.. 

I 

I 

:---1002---: Vessel 

SOV [j Voting [j sov 

-{X} 

-!X} 

'--- 

_./ 


246

SIL Verification Tool 

Verificaci6n del NIS 

0 


0


Herramienta para Verificaci6n del NIS 

0 

Copyright ID 2000-2008exida.com L.L.C. 

249 



0 

Copyright CO 2000-200Sexida.com L.L.C. 

250



0 

Copyright ttl 2000-2008 exida.com L.L.C. 

251 



SIS Design - Design a SIL3 High Pressure Protection SIF 

Complete the Problems - 30 minutes 

0 

Copyright© 2000-2008 e.xida.com L.L.C.

Section 7: Safety Instrumented System Design Summary 

Secci6n 7: Repaso Disefio Sis!. lnstrumentados de Seguridad 

0 

~' Safety Requirements Specification 

~l) 

Conceptual Design 

4> Technologies 

i& Architectures 

i? Design Verification 

i~ Detail Design 

i} Tools 

Copyright ltl 2000-2008 exida.com L.L.C. 

"' 

Section 8: Installation, Commissioning and Validation 

Secci6n 8: lnstalaci6n, Pruebas de Arranque y Validaci6n 

4'' ' Installation and Commissioning 

0 • Objectives 

• Activities 

• Documentation Required 

4& Validation 

• Objectives 






0 

Copyright© 200Q-2008 exida .com L.L.C. 

Terms 

[ 

Terminos 

~---~ 

J 

~'Validation 

the activity of demonstrating that the safety 

instrumented function(s) and safety instrumented 

system(s) under consideration after installation 

meets in all respects the safety requirements 

specification. 

4Nerification 

Activity of demonstrating for each phase of the 

safety lifecycle by analysis and/or tests that, for the 

specific inputs, the deliverables meet the objectives 

and requirements set for the specific phase. 

0 

Copyright© 200o-2oos e.xida.com L.L.C. 256

[ 

Terms 

Terminos 

BPCS & SIS completion 

Vendor Factory 

Process Plant 

0 

E E E 

2 ltJ 

SIS 

FAT SAT SIT 

Copyright© 200G-200Sexida.com L.L.C. 257 

[ 

Terms 

Terminos 

~-----' 

0 

Commissioning 

Process Plant 

E&l 

Loop Check 

Cold 

commissioning 

Hot 

commissioning 

Pre-commissioning 

VALIDATION & FSA 

prior to start-up 

Production 

Copyright CO 200()..2008 exida.com L.L.C. 258

Terms 

[ 

Terminos 

~---- 

(r, Factory Acceptance Test (FAT) 

-A test performed before shipment to site, 

usually at the vendor or integrator premises, 

often witnessed by the end user 

-Not a mandatory step in IEC61511, but very 

common to avoid problems during SAT and 

SIT 

•~ Site Acceptance Test (SAT) 

-Involves shipment of the system(s) to site, 

installation and start-up activities 

0 

Copyright CO 2000-2008 exida.cam LJ..C. 

259 

[ 

Terms 

Terminos 

': Site Integration Test (SIT) 

-Once SAT is completed, the BPCS and SIS 

communications and any hard-wired links are 

integrated and tested as a complete system to 

ensure that the system as a whole functions 

correctly. SIS signals, diagnostics, bypasses 

and alarms displayed on shared BPCS HMI 

screens will be tested during this stage. 

0 

Copyright© 2000-2008 exida.cam L.L.C. 

260

[ 

IEC 61511 

0 

REALIZATION 

Design and Development of 

Safety Instrumented System, 

Factory Acceptance Test 

OPERATION 

FAT 

INSTALLATION 

SAT/SIT 

COMMISSIONING 

Functional Safety Assessment 

Modification Decommissioning 

STARTUP 

v 

A 

L 

I 

D 

A 

T 

I 

0 

N 

Copyright CO 2000.2008 exida.com L.L.C. 

"' 

Installation Objective and Activities 

lnstalaci6n: Objetivos y Actividades 

0 

'' Objective 

• Install equipment to specifications and drawings 

'' Activities 

• Mount equipment per manufacturers instructions 

• Install all equipment components in proper position 

• Install all jumpers, keying mechanisms and protection 

components 

• Connect grounding 

• Connect energy sources 

• Calibrate instruments 

• Connect interfaces and all communications links 

• Connect field devices 

• Verify environmental stress conditions against specifications 

Copyright ltl2000-2008 exida.com L.L.C. 

'"

Installation Activities: Environmental Stress 

Actividades de lnstalaci6n: Estres Ambiental 

4:, Heat- avoid heat sources, verify operation within 

ratings 

4> Electric- avoid surge conditions, avoid secondary 

effects of lightning, verify operation within rating 

Mechanical- avoid severe shock and vibration, check 

for mechanical resonances, verify operation within 

ratings 

~> Application mismatch - avoid operation under 

conditions not allowed by manufacturer, check for 

incompatible materials 

n 

Copyright 1!!1 2000-2008 exida .com L.L .C. 

263 

Commissioning Objectives 

Pruebas de Arranque: Objetivos 

~> Check for correct installation and functionality of equipment 

• Note any "as-built" changes from previous designs 

'Where it has been established that the actual installation 

does not conform to the design information then the difference 

shall be evaluated by a competent person and the likely 

impact on safety determined. If it is established that the 

difference has no impact on safety, then the design 

information shall be updated to "as built" status. If the 

difference has a negative impact on safety, then the 

installation shall be modified to meet the design 

requirements." IEC 61511 Clause 14.2.5 

• Check for installation per equipment Safety Manual 

0 

~,, Ready for Validation tests 

COpyright© 2000-2008 exida.com L.L.C. 264

Commissioning Activities 

Pruebas de Arranque: Actividades 

0 

'' All packing material removed 

(, All jumpers, keying mechanisms and protection components 

are properly installed 

~~ Grounding has been properly connected 

~' 

~' 

Energy sources connected and operational 

No physical damage present 

(> All instruments calibrated and ranges set 

(> Interfaces operational, including interfaces to other systems 

I> All field devices are operational 

1' Logic solver and inpuVoutputs are operational 

Copyright IC 200o-200Sexida.com L.L.C. 

265 

Validation Objectives 

Validaci6n: Objetivos 

0 

'' Ensure that the safety instrumented system (SIS) as 

installed and commissioned meets all of the safety 

requirement specifications (SRS) 

'' Validation is done using a combination of testing and 

inspection 

FAT 

I} 

INSTALLATION I v 

t 

SAT/SIT 

COMMISSIONING I ~ 

FSA I ; 

START UP I ~ 

lEG 61511 Clause 15 

Copyright() 2000-2008 exida.com LLC. 

266

Validation Activities 

Validaci6n: Actividades 

~' 

I• 

I• 

Full FUNCTIONAL test to verify that all requirements in the SRS 

have been successfully implemented. 

All equipment installed per manufacturer's instructions. 

All equipment implemented per the Safety Manual. 

1' Periodic Test plan complete with procedure for testing and 

documenting tests. 

'' 

I 

Validation Test Detail Activities 

Actividades Detalladas en Pruebas de Validaci6n 

0 

;, Ensure sensors, logic solvers, and final elements perform 

according to the SRS under normal/ abnormal conditions 

I> Confirm proper SIS operation on bad process variable values 

,, Make certain SIS provides the proper annunciation (trips and 

faults), displays, and external communications 

'' Ensure computations by the SIS are correct 

Function Safety Assessment 

Funci6n de evaluaci6n de Ia seguridad 

(, An independent judgment on the functional safety achieved 

by the SIS 

- Define an assessment procedure "appropriate" to the SIL 

and novelty of design 

- Appoint an experienced team leader and team of 

reviewers 

- Define the scope of assessment 

- Create a plan for review activities and expected results 

- Identify any safety bodies and certifications 

- Conduct assessment 

0 

Copyright© 2000-200Sexida.com L.L.C. 271 

Validation Safety Review Activities 

Actividades de Ia Revision de Validaci6n de 

egun a 

Pre ~·l·fli

Section 8: Installation, Commissioning and Validation Summary 

Secci6n 8: Repaso de lnstalaci6n, Pruebas Arranque y Validaci6n 

0 

4+ Installation and Commissioning 


I FAT I 

• Activities I 

INSTALLATION 

I 

• Documentation Required I SAT/SIT 

}1 

4). Validation I COMMISSIONING I ~ 

I 

FSA I ~ 


I STARTUP I 



' 

Copyright© 200G-2008exida.com L.L.C. 

"' 

[ 

Section 9: Operational Requirements 

Secci6n 9: Requerimientos Operacionales 

0 

4~ Maintenance Planning 

~,)1 Manufacturer's Maintenance Data 

~' 

Periodic Inspection Testing I Records 

Copyright© 200Q-2008 exida.com L.L.C. 274



0 

Copyright tO 2000.2008 exida.com L.L.C. 

275 

Maintenance Planning 

Planificaci6n del Mantenimiento 

~' 

All tests required to verify proper operation of 

Safety Instrumented Function must be planned 

4> Proper periodic test interval that was calculated 

during SIF verification must be documented as 

part of the plan 

~' 

Online? Offline? Bypass Procedures? 

Proof test procedures must be at least as effective 

as planned during the SIF verification 

0 

Copyright© 2000-2008 exido.com L.L.C. 

276

0 

Proof Test 

[_______________ 

P_ru_e_b_a ____________ ~ 

The purpose of the Proof test is to verify 

that safety instrumented works properly. 

It is often assumed that if it works 

properly it has not failed. 

Procedure: 

1. Block valve from closing. 

2. Move input signal above trip point. 

3. Verify that valve attempted to close. 

4. Move input signal back to normal 

below trip point. 

5. Remove valve block. 

CQpyright 10 2000-2008 exida.com L.L.C. 

Assume 100% 

Diagnostic coverage ?? 

277 

l 

0 

[ 

1 00% Coverage 

100% Cobertura? 

100% coverage is not likely due to intermittent 

faults and not exercising all functionality. 

Transmitter failures 

Logic Solver Failures 

Final Elements Failures 

What are the DUs? What are the 

dangerous failures not detected by 

any automatic diagnostics? 

Assume 100% 

Diagnostic coverage ?? 

l 

Copyright 10 2000-2008 e:dda.com L.L.C. 278

Proof Test 

Prueba 

'\lt-me Proof test is 

safety instrume 

erly. 

· · works properly it has not fal,.,o.,.___ 

The purpose of the Proof test is to 

detect any failures not detected by 

automatic on-line diagnostics - 

dangerous failures, diagnostic 

failures, parametric failures 

0 

Copyright© 2000-2008 exida.com L.L.C. 279 


Manual de Seguridad 

~---"----- 

l 

'' Products intended for SIF applications are supplied with a 

"Safety Manual" 

- The "safety manual" may be part of another document 

0 

•· The Safety Manual contains important restrictions on how the 

product must be used in order to maintain safety 

- Environmental restrictions 

- Design restrictions 

- Periodic Inspection I Test requirements 

- Failure rate I failure mode data 

Copyright It! 2000-2008 e.xida.com L.L.C. 280

0 


Test Content 

From Rosemount 

3051S, Safety: 

Proof Test 1 -65% 

Proof Test 2-98% 

Why bother with 

proof test 1 ? 

Copyright l!:l200G-2008exida.com LLC. 

Operation and Maintenance 

Proof Test and Inspection 

The following proof tests are recommended. Proof test results 

and corrective actions taken must be documented at 

www.rosemount.com/safety ln the event that an error is found 

in the safety functionality. 

Use "Table 1: HART Fast Key Sequence" to perform a loop Test, 

Analog Output Trim. or Sensor Trim. See the 30155 reference manual 

for additional information. 

Five· Yea,(1J Proof- TGS/ 

Coi'ldw::Ung an analog output loop Test satisfies the proof test 

requirements and will detect more than 65% of DU failures not 

detected by the 30518 SIS automatic diagnostics. 

1. Enter the milliampere value representing a high alarm state 

2. Check the reference meter to verify the mA output corresponds 

to the entered value. 

3. Enter the milliampere value representing a low alarm state 

4. Ch~k the reference meter to verify the mA output corresponds 

to "lhil l)ntered value. 

5. Execute the Master Reset command to initiate stari:-up 

diagnostics. 

Ten-Year Pioof-Test 

This proof test, wheli combiood with the Five-year Proof-Test. wiU 

detect over 96% of DU failures not detected by the 3051S SIS 

automatic diagnostics. 

1. Perform a minimum twa point calibration check using the 4-20mA. 

range points as the calibration points. 

2. Cheek the reference mA meter to verify the mA output 

corresponds to the pressure input value. 

3. If necessal)', use one of the 'Trim" procedures available in the 

30518 refererrce manual to calibrate. 

4. Execute U)e Master Reset oommand to initiate start-up 

diagnostics. 

(f) May be 11 icnger prqol ~5f interVal cs;'us/Jflfld by PFD-3V{J.UiciJ/atJOn. 

'" 

Safety Manual Test Content 

Manual de seguridad de contenido de prueba 

0 

From Rosemount 3051S, Safety: 

Proof Test 1 -65% 

Proof Test 2-98% 

Why bother with proof test 1? 

Because the time interval between the more expensive 

PROOF TEST 2 can extended several years!! 

Copyright© 200o-2oos exida.com L.L.C. 

'"

Strategic Proof Test 

Estrategico de Prueba 

The purpose of the Proof test is to detect any 

failures not detected by automatic on-line 

diagnostics. 

1. We can design proof test procedures that are easier to 

perform, cost less and are more likely to actually get 

done. 

2. By understanding the actual DU/AU failures in our 

instruments we can significantly improve our test 

coverage as well as lower cost. 

0 

Copyright© 2000-2008extda.com LL.C. 

283 

Effective Testing Techniques 

Tecnicas de Pruebas Efectivas 

Analog Sensors : Force process variable between 

-10% and 110% of scale. This tests transmitter, 

power supplies and wiring resistance. Inspect for 

corrosion on terminal strips and loose wiring. 

Inspect (or perform cleanout) for plugged impulse 

lines. 

Discrete Sensors : Force process variable over full 

scale and inspect for proper movement of 

mechanisms as well as switch closure at the proper 

point. Inspect for corrosion on terminal strips or 

switch mechanical components. 

0 


"'

Effective Testing Techniques 

Tecnicas de Pruebas Efectivas 

Solenoids : Check for speed of response and 

sound level during a full cycle of air pressure. 

Inspect for corrosion and clogged air inlets. 

0 

Pneumatic Actuators : Inspect for air consumption 

rates and clogged air inlets. During a partial stroke 

check for speed of response and pressure curve. 

During a full stroke check for speed of response, 

pressure curve and abnormal response when seating. 

When valve is closed, check for leakage. 

Copyright© 200G-2008exido.com LLC. 285 

Safety Manual Mechanical Integrity 

Manual de Seguridad: lntegridad Mecanica 

0 

The safety manual will often include specific tests and 

inspections that must be done on a periodic basis. For 

example: 

"The window of the flame detector must be inspected to 

ensure that it is clean and clear. The maintenance 

schedule must be established based on plant 

conditions". 

The designer must estimate plant conditions and add 

periodic inspection to the mechanical integrity 

procedures. 

Copyright (1200G-2008exido.com LLC. 286

Periodic Inspection Testing I Records 

Registros de Pruebas Peri6dicas de lnspecci6n 

Actual Testing must be documented: 

~r, 

Test details 

~' 

Personnel, date 

'' Bypass authorization 

., Tests performed 

., Results 

4> System restored 

0 

Copyright rfl 2000..2008 exida.com L.L.C. 287 

Management of Change Before the Request 

Gesti6n del cambia Antes de Ia Solicitud 

Malntenaru;e 

reports 

Operations 

reports 

Failure and 

demand rate 

database 

0 

Systematic 

failures 

Copyright tO 200o-2oos exida.com L.L.C. 

~ Modification request 

'"

Management of Change After the Request 

Gesti6n del cambio Despues de Ia petici6n 

Safety perforrtl

Section 9: Operational Requirements Summary 

ISElcci6n 9: Resumen de Requerimientos Operctcic>nale~ 

4> Maintenance Planning 

4, Manufacturer's Maintenance Data 

~" Periodic Inspection Testing I Records 

n 

Copyright (12000-2008 exida.com L.L.C. 291 

PostTest 

Prueba Final 

~~~~ 

J 

Post Test 

[ 

~-------------P_r_ue_b_a __ F_in_a_l ____________ ~ 

Review - Complete the Problems 

J 

0 

copyright IC 2000..2008 exida.com L.L.C. 

293 

Final Course Evaluation 

Evaluaci6n Final del Curso 

0 

~~ Course Evaluations are tools that help us maintain 

the quality of our training programs 

~" Please complete the form and return it to your 

instructor upon completion of the course 


References 

[ 

~-------------R_e_f_e_re_n_c_ia_s ____________ ~ 

l 

• IEC61508 Functional Safety of Electric I Electronic I Programmable 

Electronic Safety Related Systems, International Electrotechnical 

Commission, 199812000 

• IEC61511 Functional safety- Safety instrumented systems for the process 

sector, International Electrotechnical Commission, 2003 

• Out of control - Why control systems go wrong and how to prevent failure - 

HSE Books- 2nd edttion 2003-ISBN 0-717621928 

• Safety Equipment Reliability Handbook, exida.com, 2005- ISBN13-978-0- 

9727234-1-1 

• Control Systems Safety Evaluation and Reliability, 2nd edition, William M. 

Goble, 1998- ISBN 1-55617-636-8 

• Safety Instrumented Systems Verification, practical probabilistic 

calculations,. William M.Goble and Harry Cheddie- ISA- ISBN 1-55617- 

909-X, 2005 

Many other papers, books and resources are available on-line: 

www.exida.com 

Copyright !0 2000-2008 exida.com L.L.C. 

295 

0 

www.exida.com 

Copyright !0 2000-2008 exida.com L.L.C. 

'"

SECTION 2 

0 

Exercises 

0 





Revision 4.0, September 2008 


exida.com LLC 

Application Exercise Set 1 - Constant Failure Rate 

1. A system has a probability of failure (all modes) for each one-year mission 

time of 0.1. What is the probability of a failure for a ten-year mission time? 

(No wear out, etc.) f'f



exida.com LLC 

Application Exercise Set 2 - Reliability and Availability 

1. A PLC has a failure rate of 0.01 failures per year. What is the unreliability for 

a five year mission? 

2. A PLC has a failure rate of 0.01 failures per year. All failures are 

immediately detectable. The repair time average is 24 hours. What is the 

steady state unavailability? 

0 

3. A PLC has a failure rate of 0.01 failures per year. Failures are detected only 

when a periodic inspection is done once per year. Assuming that the 

periodic inspection is perfect and detects all failures, what is the PFavg? 

4. A valve has a failure rate of 0.01 failures per year. A periodic inspection 

done once a year can detect 60% of the failures. The valve is operated for 

ten years before it is removed from service and overhauled. What is PFavg 

for the ten year operational interval? 

5. A PLC is programmed to protect against a dangerous condition that occurs 

once every ten years on average. The PLC is tested and inspected every 

year. Should this situation be modeled as LOW DEMAND MODE, HIGH 

DEMAND MODE or CONTINUOUS DEMAND MODE? 

6. A PLC is programmed to protect against a dangerous condition that occurs 

once every month on average. Automatic diagnostics inside the PLC run to 

completion every 60 seconds. The PLC is tested and inspected every year. 

Should this situation be modeled as LOW DEMAND MODE, HIGH 


0 

CD- ;A~ ~or/~ ;c 1-4-tD~'i~uz 

F-- 1- 

_f\·>· 

e 

·::.- (.- 6-~ 

::::.o- 0 4'bg. 

Copyright© 2000-2008, exida.com LLC Functional Safety Eng. II Supplemental Material Page 2



exida.com LLC 

Application Exercise Set 3 - Multiple Failure Modes and Common Cause 

1. A valve stem is stuck when "cold-welding" occurs between the 0-Rings and 

the stem. If the valve must close to provide the automatic protection function, 

what is the failure mode, fail-safe or fail-dangerous? 

2. A solenoid valve has a failure rate of 0.00003 failures per hour in the 

dangerous mode. What is the approximate PFD for a mission time of 2000 

hours? What is the PFDavg for a mission time of 2000 hours? 

0 

3. A solenoid valve has a failure rate of 0.000013 failures per hour in the 

dangerous mode and 0.0005 failures per hour in the safe mode. What is the 

approximate PFDavg for a mission time of 8000 hours? 

4. A temperature transmitter is used to sense an abnormal process condition. 

Two transmitters are arranged in a one-out-of-two voting arrangement. The 

transmitter has a failure rate of A. = 0.05 failures per year, and a beta factor of 

10%. What is the PFDavg of this subsystem if a periodic inspection is done 

once a year that detects 90% of the failures. The transmitter subsystem is 

operated for ten years between major overhauls. 

0 

0 .,_ :> < 10-s- ~ lw~e-/ fv. (; -t ~ l.,.__ I 'i-P"'"' 1-v.-s 

0- 0~ - 0 'l""'-_ f.,v 

k 

(11' 11 :;. 0. OfPOIPl) ~~~ . 

-£ =go oo ~+-:-'-· _· --~....., 

~;;~~ ooo) 

~ - 21 ~ o.os ~\JMLf(\" 

b ~ {6 "],. 

'Tft'A- ~~ 

f'f:VMt 7 

T{ ;;..lO \~, 




exida.com LLC 

Application Exercise Set 4 - Safe Failure Fraction, Failure Rates, Coverage 

Factors 

1. A transmitter has a failure rate of 500 * E-9 failures per hour. 62% of 

the failures are fail-safe. What is Lambda S? What is Lambda D? 


the failures are fail-safe. The coverage factor for safe failures is 74%. 

The coverage factor for dangerous failures is 96%. What is Lambda 

SD? What is Lambda SU? What is Lambda DD? What is Lambda 

DU? 

0 


the failures are fail-safe. The coverage factor for safe failures is 74%. 

The coverage factor for dangerous failures is 96%. What is the Safe 

Failure Fraction for this transmitter? 

4. A smart transmitter has a failure rate of 500 * E-9 failures per hour. 

62% of the failures are fail-safe. The coverage factor for safe failures 

is 74%. The coverage factor for dangerous failures is 96%. With a 

hardware fault tolerance of 0, this transmitter is qualified for use in 

what SIL level? 

0 

::;: 0 .ct ~4~ 

:::o--Cf~xl. 

_:



exida.com LLC 

Application Exercise Set 5 - Functional Safety Management 

1. Based on IEC61508, which of the following statements about the required 

competency of individuals performing safety lifecycle tasks is correct: 

1. Must have a degree in engineering from an accredited university 

2. Must be certified by an independent third party organization 

3. The manager of the project must ascertain that the person is 

competent in all phases of the safety lifecycle 

0 

a) 1 and 2 are true, 3 is false 

b) 1 and 3 are true, 2 is false 

c) 2 and 3 are true, 1 is false 

d) 1, 2 and 3 are true 

@None of the above statements are true 

2. Which of the following information items is NOT required to be maintained 

throughout the lifecycle of an SIS: 

1. The results of the hazard and risk analysis and related assumptions 

0 

2. Information regarding the equipment items used for safety 

instrumented functions together with the function's safety requirements 

3. The procedures necessary to maintain functional safety 

a) 1 and 2 are required, 3 is not 

b) 1 and 3 are required, 2 is not 

c) 2 and 3 are required, 1 is not 

@. 2 and 3 are required 

e) None of the information items listed above are required 



3. Which of the following statements about the documentation required for 

safety planning are true: 

1. Safety Planning documentation can be included as a section in the 

quality plan entitled "safety plan". 

r~ Safety Planning must be documented in a separate document entitled 

""safety plan". 

3. Safety Planning can be documented in a series of documents that may 

include other company procedures or working practices, such as 

corporate standards. 


0 (5 1 and 3 are true, 2 is false 

c) 2 is true, 1 and 3 are false 


e) None of the above statements are true 

4. Which of the following statements about safety planning are true: 

1. Safety planning does not need to consider activities done by outside 

vendors or suppliers. 

2. Safety planning must designate how and when functional safety will be 

assessed. 

0 

3. Safety planning does not need to specifically designate the level of 

independence of any functional safety assessment team. 



@J 2 is true, 1 and 3 are false 





5. When is functional safety assessed according to 61511? 

Usually before the hazard is present but always after a safety function 

trips. 

lways following system commissioning and validation but often after the 

safety requirements specification is complete as well. 

c) It can be assessed at any time as long as it is assessed at least once. 

d) It must be assessed after all system modifications. 


0 

6. Which safety lifecycle roles and responsibilities must be designated? 

a) Those required for each phase of the safety lifecycle and its associated 

activities. 

b) Functional safety assessment activities 

c) Functional safety management activities 

8 

d) Decommissioning activities. 

of the above statements are correct 

0 

Copyright© 2000-2008, exida.com LLC Functional Safety Eng. II Supplemental Material! Page 7



Application Exercise Set 6 - Redundant Architectures 

1. Rank the following redundancy schemes from highest probability of failure on 

demand to lowest probability of failure on demand. 

Highest ---------Lowest 

0 

a) 2oo2- 1 oo2- 2oo3 

b) 2oo3- 1oo2- 2oo2 

2oo3 - 2oo2 - 1 oo2 

2oo2 - 2oo3 - 1 oo2 

1 oo2 - 2oo3 - 2oo2 

2. A 1 oo2 architecture has a hardware fault tolerance per IEC 61508 (IEC 61511) 

of: 

a) 0 

®) 

c) 2 

0 

3. A 2oo3 architecture has a hardware fault tolerance per IEC 61508 (IEC 61511) 

of: 

a) 0 

@1 

c) 2 

d) 3 




Application Exercise Set 7 - SIL 3 Pressure Protection Loop 

Group Exercise - do a SIL3 design and verify with PFDavg 

calculations, SFF calculations and a MTTFS calculation. 

Design the SIL3 loop using SILver to calculate PFDavg and AC SIL. 

Target 5 year test interval and MTTFS > 10 years. 

0 

0 




Application Exercise Set 8- Periodic Inspection and Test Plans 

1. Name effective inspection and test techniques that should be 

considered for a pressure transmitter. 

2. Name effective inspection and test techniques that should be 

considered for a solenoid. 

0 

0 




Post Test 

1. Two power supplies are used in a redundant configuration. Assume one 

failure mode, lost power. Each power supply has a failure rate of 0.0005 

failures per year. Based on close physical mounting and identical power 

supplies, a beta factor of 0.1 is assigned. What is the system unreliability for 

a two-year mission time? Draw a fault tree for the system including common 

cause. 

0 

2. Which of the following best describes the difference between verification and 

validation, as defined in IEC 61508 and IEC 61511. 

a) There are no differences. Verification and validation have the same 

meaning. 

b) Verification describes review tasks that are performed by independent 

assessment teams. Validation describes review tasks that are performed 

by the design team. 

c) Validation is the activity of demonstrating that the SIS meets the safety 

requirements specifications. Verification is the activity of demonstrating 

that for each safety lifecycle phase the requirements of the safety lifecycle 

model have been met. 

d) Validation is the process of creating a "V"-diagram of the tasks that are 

required to complete that safety lifecycle. Verification is the process of 

ensuring that competent individuals have completed those tasks. 

e) None of the above answers are correct. 

0 3. If the user of a product that was designed under the IEC 61508 standard is 

required to perform manual tests at a periodic interval to achieve the SIL that 

is listed in the product certification, the information regarding the necessity of 

the test, and the frequency the test is required to be performed must be 

provided in: 

a) Product safety manual 

b) Product Specification sheets 

c) Sales and marketing literature 

d) Equipment installation guides 

e) None of the above, the vendor is not required to share this information 

with the customer 



Post-Test Safety Engineering II exida.com, LLC 

4. A control valve is used in an SIS. The valve has a constant safe failure rate of 

0.02 failures per year and a constant dangerous failure rate of 0.05 failures 

per year. The valve is tested on a one-year interval where 85% of the failures 

are detected by the periodic inspection and test. The valve is operated for 

fifteen years until it is removed from service and overhauled. What is the 

average probability of failure on demand? 

0 

5. Two different types of solenoid valves are used to block fuel flow to a burner in 

a SIS. The valves are piped in series. Both valves are energized and open in 

normal operation of the system. Both valves should close when a dangerous 

condition is detected. Both valves have one failure mode, fail-danger, with a 

failure rate of 0.0009 failures per year. Both valves are tested once every 

year and all failures are found during that test. Based on the differences 

between the valves, a common cause beta factor of 0.001 is assigned. What 

is the PFDavg of the valve subsystem including common cause? 

6. Draw a Markov model for the situation in problem 5. 

7. A "smart" transmitter has a failure rate of 0.05 failures/year. The safe failures 

ratio is 70%, and the diagnostic coverage of dangerous failures is 60%. The 

diagnostic coverage for safe failures is 70%. What is the Safe Failure 

Fraction? With hardware fault tolerance of 0, what SIL is allowed? 

0 

I 

Copyright© 2000-2008, exida.com LLC Functional Safety Eng. II Supplemental Materiaf Page 12

FSE II, 4.0 -Solutions to Exercises 

Application Exercise Set 1 -Constant Failure Rate 

Question 1 

A system has a probability of failure (all modes) for each one-year mission time of 0.1. What is the probability 

of a failure for a ten-year mission time? (No wear out, etc.) 

Solution 1 

This type of problem contains a trap for the unwary - 

If this problem is approached as a discrete independent event each year, the probability of failure would be 

the sum of the probability of failure for each one-year mission {fails in year 1 OR fails in year 2 OR ... fails in 

year 10). The solution for a 10 year period would be 

0 

PF(10 year mission) = A, + A2 + A3 + A., + As + As + A1 + As + Ag + A, 0 

=0.1 +0.1 +0.1 +0.1 +0.1 +0.1 +0.1 +0.1 +0.1 +0.1 

= 1 

And for an 11 year mission? 

PF(11 year mission) 

= 1.1 (not a valid probability) 

Clearly this is NOT the approach to use. 

This type of problem is best approached from the probability of success (PS) for each one year mission, 

finding the probability of success for the 10 year mission, and then using the one's complement of success to 

determine failure. 

PS(1 year mission) 

= 1 - PF(1 year mission) 

= 1 -0.1 

= 0.9 

The probability of success for a 10 year mission is the probability of success in the first year AND the 

probability of success in the second year AND probability of success in the third year AND ... probability of 

success in the tenth year. 

0 

PS(1 0 year mission) 

= 0.9 * 0.9 * ... * 0.9 (ten times) 

= (0.9)10 

= 0.3487 

PF(1 0 year mission) 

= 1- PS(10 year mission) 

= 1-0.3487 

= 0.6513 

The probability of a failure for a ten-year mission time= 0.6513 

FSE II -Solutions to Exercises Page 1 of 23

FSE II, 4.0 - Solutions to Exercises 

Question 2 

Unreliability for a system with one failure mode is given as 0.001. What is the reliability? 

Solution 2 

Reliability is the one's complement of Unreliability. 

Reliability 

= 1 -Unreliability 

= 1-0.001 

= 0.999 

The Reliability of the system is 0.999 

Question 3 

A module has an MTTF of 80 years for all failure modes. Assuming a constant failure rate, what is the total 

failure rate for all failure modes? 

Solution 3 

0 

MTTF = 11 A 

A = 1 I MTTF failures per year 

= 1 I 80 failures per year 

= 0.0125 failures per year 

= 0.012518760 failures per hour 

= 1.427 E-06 failures per hour 

The total failure rate for all failure modes = 1.427 E-06 failures per hour 

Question 4 

A module has an MTTF of 80 years. What is the reliability of this module for a time period of six months? 

Solution 4 

0 

Reliability= e·A.TI 

A 

Tl 

= 1 I MTTF failures per year 

= 1 I 80 failures per year 


= 0.5 years 

Reliability 

= e·(O.o12s • o.s) 

= e-o.ooszs 

= 0.9938 

The Reliability of this module over a six month period = 0.9938 



Question 5 

A transmitter has a total failure rate of 0.005 failures per year. What is the MTTF? 

Solution 5 

A 

MTTF =1/A 


MTTF = 1 I 0.005 failures per year 

= 200 years 

The MTTF = 200 years 

0 

0 

FSE II - Solutions to Exercises 

Page 3 of23


Application Exercise Set 2- Reliability and Availability 

Question 1 

A PLC has a failure rate of 0.01 failures per year. What is the unreliability for a five year mission? 

Solution 1 

Unreliability is the probability of failure (PF) 

1\ = 0.01 failures per year 

Tl = 5 years 

PF 

= 1 - e·(O.o1. •> 

= 1 - e.o.os 

= 1 -0.95123 

= 0.0488 

0 

The unreliability for a five year mission = 0.0488 

Question 2 

A PLC has a failure rate of 0.01 failures per year. All failures are immediately delectable. The repair lime 

average is 24 hours. What is the steady state unavailability? 

Solution 2 

Unavailability = MTTR I (MTTF + MTTR) 

MTTF =111\ 


MTTF = 1 I 0.01 failures per year 

= 100 years 

= 876,000 hours 

0 

MTTR = 24 hours 

Unavail = 241 (876,000 + 24) 

= 27.4 E-06 

The steady state Unavailability= 27.4 E-06 


Page 4 of23


Question 3 

A PLC has a failure rate of 0.01 failures per year. Failures are detected only when a periodic inspection is done 

once per year. Assuming the periodic inspection is perfect, what is the PFavg? 

Solution 3 

PFavg = 1\ * (TI/ 2) 


Tl = 1 year 

PFavg = 0.01 • 0.5 

= 0.005 

The PFavg = 0.005 (assumes a perfect test with all failures repaired to original condition) 

0 

Question 4 

A valve has a failure rate of 0.01 failures per year. A periodic inspection done once a year can detect 60% of the 

failures. The valve is operated for ten years before it is removed from service and overhauled. What is PFavg 

for the ten year operational interval? 

Solution 4 

PFavg = [Cpr * 1\ * (TI/2)] + [(1-Cpr) * 1\ * (LT/2)] 

Cpr = 0.6 (60%) 


Tl 

LT 

= 1 years 

= 10years 

0 

PFavg = [0.6 • 0.01 • 0.5] + [0.4 * 0.01 * 5] 

= 0.003 + 0.02 

= 0.023 

The PFavg for the ten year operational interval = 0.023 

This translates into a Risk Reduction Factor (RRF) of 43.5 

Lets see what happens if all faults are found and repaired each time (perfect test) ... 

PFavg = 1\ * (TI/ 2) 

0.01. 0.5 

= 0.005 

This translates into a Risk Reduction Factor (RRF) of 200 

Lets see what happens if there is no testing during the 10 year period ... 

PFavg = 1\ * (L T/2) 

0.01 • 5 

= 0.05 

This translates into a Risk Reduction Factor (RRF) of 20 

FSE II -Solutions to Exercises 

Page 5 of23


Question 5 

A PLC is programmed to protect against a dangerous condition that occurs once every ten years on average. 

The PLC is tested and inspected every year. Should this situation be modeled as LOW DEMAND MODE, HIGH 


Solution 5 

The demand rate is once every ten years on average. The periodic test and inspection is done once a year, 

clearly several times more rapidly than the demand condition. Therefore credit can be taken in the PF modelling 

and this is classified as low demand. 

Question 6 

A PLC is programmed to protect against a dangerous condition that occurs once every month on average. The 

PLC is tested and inspected every year. Should this situation be modeled as LOW DEMAND MODE, HIGH 


Solution 5 

The demand rate is once every month on average. The periodic test and inspection is done once a year so it is 

unlikely that this testing would detect a failure in lime to prevent an accident. The automatic diagnostics run fast 

therefore this is classified as high demand. 

0 

0 

• 

FSE II- Solutions to Exercises Page 6 of 23


Application Exercise Set 3- Multiple Failure Modes and Common Cause 

Question 1 

A valve stem is stuck when "cold-welding" occurs between the 0-Rings and the stem. If the valve must close 

to provide the automatic protection function, what is the failure mode, fail-safe or fail-dangerous?? 

Solution 1 

The valve will not perform the protection function if it cannot close. Therefore this is classified as fail-danger. 

Question 2 

A solenoid valve has a failure rate of 0.00003 failures per hour in the dangerous mode. What is the 

approximate PFD for a mission lime of 2000 hours? What is the PFDavg for a mission time of 2000 hours? 

Solution 2 

Q Using the complete equation: Using the approximation: 

PF 

= 1- e·ATI 

= 1 

_ e -{o.oo003 • zooo) 

= 1 

_ e·o.oo 

PF 

=A *TI 

= 0.00003 • 2000 

= 0.06 

= 1-0.9418 

= 0.0582 

PFavg = 1-(1/A*TI)*(1- e·''T'l 

= 1 - (1/0.00003*2000)*(1-e·o.oooo3'2ooo) 

= 1 - (1/0.06)*(1-e-a.oo) 

= 1-0.9706 

= 0.0294 

PFavg =A* (TI/2) 

= 0.00003 * (2000 I 2) 

= 0.03 

0 


Page 7 of 23


Question 3 

A solenoid valve has a failure rate of 0.000013 failures per hour in the dangerous mode and 0.0005 failures 

per hour in the safe mode. What is the approximate PFDavg for a mission time of 8000 hours? 

Solution 3 

Using the complete equation: 

PFavg = 1-(1/II*TI)*(1- e·A"TI) 

= 1-(1/0.000013*8000)*(1-e.,·000013 " 6000 ) 

= 1-(1/0.104)*(1-e.,·104 ) 

= 1-0.9498 

= 0.0502 

Using the approximation: 

PFavg = II * (TI/ 2) 

= 0.000013. (8000 /2) 

= 0.000013.4000 

= 0.052 

0 

0 


Page 8 of 23


Question 4 

A temperature transmitter is used to sense an abnormal process condition. Two transmitters are arranged in 

a one-out-of-two voting arrangement. The transmitter has a failure rate of A. = 0.05 failures per year, and a 

beta factor of 1 0%. What is the PFDavg of this subsystem if a periodic inspection is done once a year that 

detects 90% of the failures? The transmitter subsystem is operated for ten years between major overhauls. 

Solution 4 

This problem is complicated and it is best to break it down into parts to solve it. To consider the partial 

coverage testing it is worth remembering that the overall system can fail because of a fault that is covered by 

the annual test, OR a fault that is not found until the major overhaul after 10 years. These two contributions 

to the PDFavg are added together because the two different kinds of faults are mutually exclusive 

0 

'-total 


1!, =0.1 (10%) 

Tl 

CPT 

LT 

= 1 year 

= 0.9 (90%) fraction of failures covered by the one year test 

= 10 years 

Contribution to PFDavg from faults covered by 1 year test interval 

In considering the contribution of the faults corrected in the annual test, we need to make sure we use the 

proper part of the overall failure rate. Since the coverage factor for the test CPT= 90%, we can look at the 

effective rate of failures of interest as 

'-total (1 yr) = 0.9 X 0.05 = 0.045 

Then because there is a second level of complexity with the common cause failures, we need to split this 1 

year lambda total into a hcc(1 yr) and a hN(1 yr) by use of the beta factor. 

'-total ( 1 yr) 

hcc (1 yr) 

hN (1 yr) 

= Atotal * CPT 

= Atotal (1 yr) • B 

='-total (1 yr) • (1-B) 

= 0.05. 0.9 

= 0.045. 0.1 

= 0.045. 0.9 

= 0.045 

= 0.0045 

= 0.0405 

Now, because the normal independent failure mode is a 1oo2 voting system, we use the integrated formula 

for PFDavg due to normal mode failure. Then we add this to the common mode failure component for the 1 

year part since the system either fails in normal independent mode OR by common mode. 

(J PFDavg N (1 yr) 

PFDavg CC (1 yr) 

PFDavg SYS (1 yr) 

= [hN (1 yr) 2 X Tl 2 ]/3 = [0.0405 2 X f]/ 3 

= [hcc(1 yr) x Tl]/2 = [0.0045 x 1]/2 

= PFDavg N (1 yr) + PFDavg CC (1 yr) 

= 0.00055 

= 0.00225 

= 0.00055 + 0.00225 = 0.0028 

Contribution to PFDavg from faults covered by 10 year overhaul 

We now do the same thing for the 10 year overall faults contribution. Again we need to make sure we use 

the proper part of the overall failure rate. Since the coverage factor for the test CPT = 90%, we can look at the 

effective rate of failures of interest as: 

'-total (1 0 yr) = Atotal * (1-CpT) = 0.05. (1-0.9) = 0.005 

Then because there is a second level of complexity with the common cause failures, we again need to split 

this 10 year lambda total into a hcc (1 0 yr) and a hN (1 0 yr) by use of the beta factor. 

'-total (1 0 yr) 

hcc(10 yr) 

hN(10yr) 

= Atotal * (1-CpT) 

= Atotal (1 0 yr) • B 

='-total (10 yr) • (1-B) 

= 0.05. (1-0.9) = 0.005 

= o.oo5 • 0.1 = ·o.ooo5 

= 0.005 • 0.9 = 0.0045 

FSE II- Solutions to Exercises 

Page 9 of 23


As before, because the normal independent failure mode is a 1 oo2 voting system, we use the integrated 

formula for PFDavg due to normal mode failure. Then we add this to the common mode failure component 

for the 10 year part since the system either fails in normal independent mode OR by common mode. 

PFDavg N (1 0 yr) 

PFDavg CC (1 0 yr) 

PFDavg SYS (10 yr) 

= [AN (1 0 yrf X Tl 2 ]/3 = [0.0045 2 X 10 2 ]/ 3 

= [Acc(10 yr) x Tl]/2 = [0.0005 X 10]/2 

= PFDavg N (1 0 yr) + PFDavg CC (1 0 yr) 

= 0.00068 

= 0.00250 

= 0.00068 + 0.00250 = 0.00318 

Summing up the overall PFDavg 

Finally, we add the 1 year tested failure contribution to the 10 year overall corrected failure contribution to get 

the total PFDavg for the system considering all of the pathways. 

Total PFDavg = PFDavg SYS (1 year) + PFDavg SYS (1 0 year) = 0.00280 + 0.00318 = 0.00598 

Total RRF = 1 I Total PFDavg = 167.2 

0 


Page 10 of23

e 

1]-


Application Exercise Set 4- Safe Failure Fraction, Failure Rates, Coverage Factors 

Question 1 

A transmitter has a failure rate of 500 * E-09 failures per hour. 62% of the failures are fail-safe. What is A,;? 

What is J.. 0 ? 

Solution 1 

Atotat = 500 E-09 failures per hour (FIT) 

%Safe = 0.62 (62%) 

= Atotal * %Safe = 500 E-09 * 0.62 

= Atotat * (1-%Safe) = 500 E-09 * 0.38 

= 310 E-09 failures per hour (FIT) 


Question 2 

0 

A transmitter has a failure rate of 500 * E-09 failures per hour. 62% of the failures are fail-safe. The 

coverage factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. What is J.. 50 ? 

What is Asu? What is J.. 00 ? What is J.. 0 u? 

Solution 2 

The approach to this problem is to split the failure rate into safe and dangerous failures, then split safe 

failures into safe (detected) and safe (undetected), and split dangerous failures into dangerous (detected) 

and dangerous (undetected). 

A total 

%Safe 

Cs 

Co 


= 0.62 (62%) 

=74% 

=96% 

= Atotal * %Safe 

= Atotal * (1-%Safe) 

= 500 E-09 * 0.62 

= 500 E-09 * 0.38 



0 

A so 

Asu 

Aoo 

Aou 

=J..s*Cs = 310 E-09 * 0.74 = 229.4 FIT 

= J..s * (1-Cs) = 310 E-09 * 0.26 = 80.6 FIT 

= Ao *Co = 190 E-09 * 0.96 = 182.4 FIT 

= Ao * (1-Co) = 190 E-09 * 0.04 = 7.6 FIT 

Question 3 

A transmitter has a failure rate of 500 • E-9 failures per hour. 62% of the failures are fail-safe. The coverage 

factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. What is the Safe Failure 

Fraction for this transmitter? 

Solution 3 

Use the results from Question 2 

SFF = [Aso + Asu + Aoo]/ Atotal = [229.4 + 80.6 + 182.4]/ 500 = 0.9848 = 98.48% 


Page 11 of23

FSE II, 4.0 -Solutions to Exercises 

Question 4 

A transmitter has a failure rate of 500 • E-9 failures per hour. 62% of the failures are fail-safe. The coverage 

factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. With a hardware fault 

tolerance of 0, this transmitter is qualified for use in what SIL level? 

Solution 4 

TYPE A - "A subsystem can be regarded as type A if, for 

the components required to achieve the safety function 

a) the failure modes of all constituent components are well 

defined; and 

Safe Failure 

Fraction 

Type A 

Hardware Fault 

Tolerance 

b) the behavior of the subsystem under fault conditions can 

be completely determined; and 

c) there is sufficient dependable failure data from field 

experience to show that the claimed rates of failure for 

detected and undetected dangerous failures are met." 

TYPE B- everything else! 

99% 

TypeB 

0 

IEC 61508, Part2, Section 7.4.3.1.2 

Safe Failure 

Fraction 

Hardware Fault 

Tolerance 

As we can't determine whether the transmitter can satisfy 

the requirements of Type A, we choose Type B. 


Application Exercise Set 5- Functional Safety Management 

Question 1 

Based on IEC61508, which of the following statements about the required competency of individuals 

performing safety lifecycle tasks is correct: 

1. Must have a degree in engineering from an accredited university 

2. Must be certified by an independent third party organization 

3. The manager of the project must ascertain that the person is competent in all phases of the 

safety lifecycle 

0 



c) 2 and 3 are true, 1 is false 



Solution 1 

Addressed specifically in Annex A, IEC61508 

' 

Ensure that staff "involved in any of the overall or software SLC activities are competent" 

Training, experience, and qualifications should all be assessed and documented 

+ System engineering knowledge 

+ Safety engineering knowledge 

+ Legal and regulatory requirements knowledge 

+ More critical for novel systems or high SIL requirements 

From the above - 

A person does not need to have a degree, or be certified by an independent third party. 

A person must be competent in the part of the Safety Lifecycle they are involved with. 

0 

Therefore the correct answer is e) 



Question 2 

Which of the following information items is NOT required to be maintained throughout the lifecycle of an SIS: 

1. The results of the hazard and risk analysis and related assumptions 

2. Information regarding the equipment items used for safety instrumented functions together with 

the function's safety requirements 

3. The procedures necessary to maintain functional safety 

a) 1 and 2 are required, 3 is not 

b) 1 and 3 are required, 2 is not 

c) 2 and 3 are required, 1 is not 

d) 1, 2 and 3 are required 

e) None of the information items listed above are required 

Solution 2 

All of the documents mentioned are required to be maintained throughout the lifecycle of an SIS. 

0 

Therefore the correct answer is d) 

Question 3 

Which of the following statements about the documentation required for safety planning are true: 

1. Safety planning documentation can be included as a section in the quality plan entitled "safety 

plan". 

2. Safety planning must be documented in a separate document entitled "safety plan". 

3. Safety planning can be documented in a series of documents that may include other company 

procedures or working practices, such as corporate standards. 






0 

Solution 3 

Safety planning must be documented, but there is no specific requirement to create a separate document 

entitled 'Safety plan'. 

Therefore statement 2 is not correct, and the correct choice is b) 

FSE II - Solutions to Exercises Page 14 of 23


Question 4 

Which of the following statements about safety planning are true: 

1. Safety planning does not need to consider activities done by outside vendors or suppliers. 

2. Safety planning must designate how and when functional safety will be assessed. 

3. Safety planning does not need to specifically designate the level of independence of any 

functional safety assessment team. 






0 

Solution 4 

Safety planning does need to consider activities done by outside vendors or suppliers. 

Safety planning does need to specifically designate the level of independence of any functional safety 

assessment team. 

Therefore statements 1 and 3 are not true, and the correct answer is (f} 

Question 5 

When is functional safety assessed according to 61511? 

a) Usually before the hazard is present but always after a safety function trips. 

b) Always following system commissioning and validation but often after the safety requirements 

specification is complete as well. 

c) It can be assessed at any time as long as it is assessed at least once. 

d) It must be assessed after all system modifications. 

0 


Solution 5 

Functional safety is always assessed following system commissioning and validation, but often after the 

safety requirements specification is complete as well. 

Therefore the correct answer is b) 



Question 6 

Which safety lifecycle roles and responsibilities must be designated? 

a) Those required for each phase of the safety lifecycle and its associated activities. 

b) Functional safety assessment activities 

c) Functional safety management activities 

d) Decommissioning activities. 

e) All of the above statements are correct 

Solution 6 

All of the statements above are true. 

Therefore the correct answer is e) 

0 

0 


Page 16 of23


Application Exercise Set 6- Redundant Architectures 

Question 1 

Rank the following redundancy schemes from highest probability of failure on demand to lowest probability of 

failure on demand. 

Lowest ---------Highest 

a) 2oo2 - 1 oo2 - 2oo3 

b) 2oo3 -1oo2- 2oo2 

c) 2oo3- 2oo2- 1oo2 

d) 2oo2 - 2oo3 - 1 oo2 

e) 1oo2- 2oo3- 2oo2 

Solution 1 

0 

The lowest probability of failure on demand is achieved by a 1oo2 configuration. 

The next lowest probability of failure on demand is achieved by a 2oo3 configuration. 

The highest probability of failure on demand of the three configurations is found in the 2oo2 configuration. 

Therefore the redundancy schemes PFDavg are ranked 2oo2 > 2oo3 > 1 oo2, and the answer is d) 

Question 2 

A 1oo2 architecture has a hardware fault tolerance per IEC 61508 (lEG 61511) of: 

a) 0 

b) 1 

c) 2 

Solution 2 

A 1 oo2 architecture has a hardware fault tolerance of 1. 

O Therefore the correct answer is b) 

Question 3 

A 2oo3 architecture has a hardware fault tolerance per IEC 61508 {lEG 61511) of: 

a) 0 

b) 1 

c) 2 

d) 3 

Solution 3 

A 2oo3 architecture has a hardware fault tolerance of 1. 

Therefore the correct answer is b) 



Application Exercise Set 7 - SIL 3 Pressure Protection Loop 

Question 1 

Group Exercise - 

D.esign a SIL3 loop and verify with PFDavg calculations, SFF calculations and a MTTFS calculation. 

Design the SIL3 loop using SILver to calculate PFDavg and AC SIL. 

Target 5 year test interval and MTTFS > 10 years. 

Solution 1 

This is a class exercise and will be answered during the class. 

0 

0 



Application Exercise Set 8- Periodic Inspection and Test Plans 

Question 1 

Name effective inspection and test techniques that should be considered for a pressure transmitter. 

Solution 1 

a. Full-scale analog signal shift -10% to +110% 

b. Check (and clean) impulse lines 

c. Visually inspect for corrosion 

d. Consider interface aspects with controller open/short 

Question 2 

Name effective inspection and test techniques that should be considered for a solenoid. 

Q Solution2 

a. Check speed of response when cycling 

b. Listen for abnormal sounds when cycling 

c. Check air quality 

d. Check voltage losses due to resistance 

e. Check fully closed and fully open 

f. Clean vent ports 

g. Check for force variations 

0 

FSE II- Solutions to Exercises Page 19 of 23


FSE II- Post-Test 

Question 1 

Two power supplies are used in a redundant configuration. Assume one failure mode, lost power. Each 

power supply has a failure rate of 0.0005 failures per year. Based on close physical mounting and identical 

power supplies, a beta factor of 0.1 is assigned. What is the system unreliability for a two-year mission time? 

Draw a fault tree for the system including common cause. 

Solution 1 

Unreliability is the probability of failure (PF) 


T = 2 years (mission time) 

B = 0.1 

(TxA * TxB) + GG 

I 

Ace =J..*I), = 0.0005. 0.1 = 0.00005 failures per year 

=". (1-ll.) = 0.0005. 0.9 = 0.00045 failures per year 

"' 

Ucc =J..cc*T = 0.00005.2 = 0.0001 

u, = J.., • T = 0.00045.2 = 0.0009 

Urx 

U total = UTX + Ucc = 0.0001 + 0.81 E-06 = 0.00010081 

TxA TxB 

- u2 

- I = 0.0009. 0.0009 = 0.81 E-06 (TxA fails AND TxB fails) 

GG 

0 

The unreliability for a two year mission = 0.00010081 

Question 2 

Which of the following best describes the difference between verification and validation, as defined in lEG 

61508 and lEG 61511 

a) There are no differences. Verification and validation have the same meaning. 

b) Verification describes review tasks that are performed by independent assessment teams. Validation 

describes review tasks that are performed by the design team. 

c) Validation is the activity of demonstrating that the SIS meets the safety requirements specifications. 

Verification is the activity of demonstrating that for each safety lifecycle phase the requirements of 

the safety lifecycle model have been met. 

d) Validation is the process of creating a "V''-diagram of the tasks that are required to complete that 

safety lifecycle. Verification is the process of ensuring that competent individuals have completed 

those tasks. 

e) None of the above answers are correct. 

0 

Solution 2 

Validation is the activity of demonstrating that the SIS meets the safety requirements specifications. 

Verification is the activity of demonstrating that for each safety lifecycle phase the requirements of the safety 

lifecycle model have been met. 

Therefore the correct answer is c) 


Page 20 of23


Question 3 

If the user of a product that was designed under the IEC 61508 standard is required to perform manual tests 

at a periodic interval to achieve the SIL that is listed in the product certification, the information regarding the 

necessity of the test, and the frequency the test is required to be performed must be provided in: 

a) Product safety manual 

b) Product Specification sheets 

c) Sales and marketing literature 

d) Equipment installation guides 

e) None of the above, the vendor is not required to share this information with the customer 

Solution 3 

The information regarding the necessity of the test, and the frequency the test is required to be performed 

must be provided in the product safety manual. 

Therefore the correct answer is a) 

Question 4 

A control valve is used in an SIS. The valve has a constant safe failure rate of 0.02 failures per year and a 

constant dangerous failure rate of 0.05 failures per year. The valve is tested on a one-year interval where 

85% of the failures are detected by the periodic inspection and test. The valve is operated for fifteen years 

until it is removed from service and overhauled. What is the average probability of failure on demand? 

Solution 4 

As = 0.02 failures per year (note that this is not used in the solution) 

Ao = 0.05 failures per year 

Tl = 1 year 

Cpr = 0.85 (85%) 

LT = 15 years 

PFDavg =[Cpr*ho*TI]/2 + [(1-Cpr)*h 0 *LT]/2 

= [0.85. 0.05. 1]/2 + [0.15. 0.05. 15]/2 

·~ = 0.02125 + 0.05625 

= 0.0775 


Question 4: A temperature transmitter is used to sense an abnormal process condition. 

Two transmitters are arranged in a one-out-of-two voting arrangement. The transmitter 

has a failure rate of Lambda= 0.05 failures per year, and a beta factor of 10%. 

What is the PFDavg of this subsystem if a periodic inspection is done once a year 

that detects 90% of the failures. The transmitter subsystem is operated for 

ten years between major overhauls. 

Detailed solution to Question 4 of 

Exercise Set 3 

Functional Safety Engineering 2 

exida August 2003 

Initial data and calculation of specific relevant failure rates: 

Total Lambda 0.05 failures/year 

Beta 0.1 

Tl 

1 year partial coverage test interval 

CPT 0.9 Fraction of failures covered by 1 year test 

L T 

1 o year total mission time 

This problem is complicated and is best considered in several parts. 

To consider the partial coverage testing and the total coverage testing, it is worth 

remebering that the overall system can fail because of a fault that is covered by the annual 

test OR by a fault that is only fixed during the major ovemaul at the end of 1 o years. These 

two contributions to the PFDavg are added together because the two different kinds of faults 

are mutually exclusive. With this in mind,we can calculate each contribution separately. 

0 

1 year test interval faults' contribution to the overall PFDavg 

In considering the contribution of the faults corrected in the annual test, we need to make 

sure we use the proper part of the overall failure rate. Since the coverage factor for the test 

Cpt=90%, we can look at the effective rate of failures of interest as 

Cpt x Total Lambda= 0.9 x 0.05 = 0.045 =Lambda Total (1 year). 

Then because there is a second level of complexity with the common cause failures, we 

need to split this 1 year lambda total into a LambdaCC(1 year) and a 

LambdaN(1 year) by use of the beta factor. 

Lambda Total (1 year) 

Lambda Common Gause (1 year) 

Lambda Normal (1 year) 

0.045 =(Lambda total) x Cpt = 0.05 x 0.9 

0.0045 =(Lambda total (1 Year)) x Beta= 0.045 x 0.1 

0.0405 =(Lambda total (1 Year)) x (1-Beta) = 0.045 x (1-0.1) 

Now, because the normal independent failure mode is a 1oo2 voting system, we use the 

integrated formula for PFDavg due to normal mode failure. Then we add this to the common 

mode failure component for the 1 year part since the system either fails in normal 

independent mode OR by common mode. 

PFDavg N, (1 year) 0.00055 = (LambdaN(1 year)A2 x TIA2)/3 = (0.0405'2 x 1A2)/3 20% 

PFDavg CC (1 year) 0.00225 = (LambdaCC(1 year) x Tl)/2 = (0.0045 x 1)/2 80% 

PFDavg SYS (1 year) 0.00280 = PFDavg N, (1 year) + PFDavg CC, (1 year) 

0 

10 year test interval faults' contribution to the overall PFDavg 

We then do the same thing for the 10 year overall faults contribution. Again we need to 

make sure we use the proper part of the overall failure rate. Since the coverage factor for the 

test Cpt=90%, we can look at the effective rate of failures of interest as (1-Cpt) x Total 

Lambda= 0.1 x 0.05 = 0.005 =Lambda Total (10 year). 

Then because there is a second level of complexity with the common cause failures, we 

again need to split this 10 year lambda total into a LambdaCC(10 year) and a LambdaN(10 

year) by use of the beta factor. 

Lambda Total (10 year) 

Lambda Common Cause (10 year) 

Lambda Normal (1 0 year) 

0.005 =(Lambda total) x (1-Cpt) = 0.05 x (1-0.9) 

0.0005 =(Lambda total (10 Year)) x Beta= 0.005 x 0.1 

0.0045 = (Lambda total (1 0 Year)) x (1-Beta) = 0.005 x (1-0.1) 

As before, because the normal independent failure mode is a 1 oo2 voting system, we use 

the integrated fonnula for PFDavg due to normal mode failure. Then we add this to the 

common mode failure component for the 10 year part since the system either fails in normal 

independent mode OR by common mode. 

PFDavg N, (10 year) 

PFDavg CC (1 0 year) 

PFDavg SYS (1 0 year) 

0.00068 = (LambdaN(1 0 year)A2 x TIA2)/3 = (0.0045'2 x 1 QA2)/3 

0.00250 = (LambdaCC(10 year) xTI)/2 = (0.0005 x 10)/2 

0.00318 = PFDavg N, (10 year)+ PFDavg CC, (10 year) 

Summing up the overall PFDavg 

Finally, we add the 1 year tested failure contribution to the 10 year overall corrected failure 

contribution to get the total PFDavg for the system considering all of the pathways. 

Total PFDavg 

Total RRF 

0.00597 = PFDavg SYS (1 year)+ PFDavg SYS (10 year)= 0.00280 + 0.00318 

167

0 

0

SECTION 3 

0 

Additional Resources 

0 





0 

0

Extending IEC61508 Reliability Evaluation Techniques to Include 

Common Circuit Designs Used in Industrial Safety Systems 

William M. Goble • exida.com • Perkasie 

Julia V. Bukowski • Villanova Universi1y • Villanova 

Key Words: Safety system, Diagnostics, Markov model, Standard-international, Failure mode, Failure-on demand, Fail safe, Self 

test 

0 

0 

SUMMARY & CONCLUSIONS 

Recent international standards such as IEC 61508 

and ANSIIISA84.01 cover the design and application of 

safety instmmented systems (SIS). These standards are 

"performance based" and involve establishing risk 

reduction targets followed by a reliability and safety 

evaluation to verify that the targets have been met by the 

design. The standards provide guidelines on how to do 

these reliability and safety calculations that are quite useful 

and provide a common evaluation framework for products 

used in safety instrumented systems. 

However, the reliability and safety evaluation 

methods require extension when SIS products include 

independent diagnostic circuitry or analog circuitry. An 

additional failure mode, diagnostic annunciation, must be 

considered. A definition of "fail-safe" versus "failure-ondemand" 

must be added for analog circuits. Markov models 

must include additional states. With extension, comparable 

results useful for standards-based product certification can 

be obtained. 

1. INTRODUCTION 

The function of an industrial safety instrumented 

system (SIS) is to automatically shutdown an industrial 

process if a dangerous condition is detected. Although 

different kinds of equipment are used, there is a strong trend 

toward the use of programmable electronic equipment 

(microcomputer based logic). For these systems to be 

certified for use in certain types of safety applications, they 

must meet the new standards IEC 61508, (Ref. 1) and 

ANSI!ISA84.01 (Ref. 2) for functional safety. 

These standards are performance-based, and 

require that the systems be designed and implemented using 

an engineering process called the "safety life cycle." The 

following steps are included in this process: 

1. Prior to beginning design, a risk analysis is performed and 

reliability and safety goals are established for the system 

based on risk reduction according to a safety integrity level 

(SIL) as shown in Figure 1; and, 

2.Before implementation, a reliability and safety analysis 

must be performed to verify that the failure probabilities of 

the proposed design meet the targets established during the 

Probability of Failure 

Safety Integrity on Demand 

Level (PFDavg.) 


Factor (ll.R) 

4 HJ' > PFDavg ~ 10- 5 10000$ll.R < 100000 

3 

10- 3 > PFDavg ;::10-'~ 1000 $LVI < 10000 

2 

10- 2 > PFDavg ~ 10- 3 IOO$LIR < 1000 

1 

10- 1 > PFDavg ~ 10- 2 10 $LIR < 100 

risk analysis. The primary measure of safety integrity is 

PFDavg, probability offailure on demand. 

Table I: Safety Integrity Levels. 

Guidance in how to perform the reliability and safety 

analysis is given in an informative section of the standard 

(IEC 61508 - part 6) (Ref. 1) and the technical report (!SA 

TR84.02) (Ref. 3). It is assumed that the systems will operate 

for a period of time and then be shut down and completely 

tested. It is also assumed that the systems have that are 

normally energized outputs and that the safety action is 

accomplished by de-energizing an output. 

1.1 Nomenclature from IEC61508, ISA84.01 

risk- combination of the probability of occurrence of harm 

and the severity ofthat harm 

safety- freedom from unacceptable risk 

functional safety - part of the overall safety relating to the 

equipment under control and the control system which 

RF 2001RM-104: page 1 RF

depends on the correct functioning of the safety 

instrumented systems, other technology safety systems and 

external risk reduction facilities 

safety integrity- probability of a safety instrumented system 

satisfactorily performing the required safety functions under 

all the stated conditions within a stated period of time 

safety integrity level (SIL) - discrete level (one out of a 

possible four) for specifying the safety integrity 

requirements of the safety functions to be allocated to tbe 

safety instrumented systems, where safety integrity level4 

has the highest level of safety integrity and safety integrity 

level 1 has tbe lowest 

dangerous failure - failure which has the potential to put the 

safety instrumented system in a hazardous or fail-tofunction 

state 

diagnostic coverage - tbe probability that a failure will be 

detected by internal self-diagnostics given that a failure 

occurs 

diagnostic annunciation- the ability of a system to detect 

and annunciate a failure 

1.2 Notation 

C- coverage 

FMEDA- failure modes, effects and diagnostic analysis 

IEC- International Electrotechnical Commission 

!SA- Instrument Society of America 

PFDavg- probability of failure on demand, average 

SIL- safety integrity level 

SIS -safety instrumented system 

SD- safe,detected failure 

SU- safe, undetected failure 

DD- dangerous, detected failure 

DU- dangerous, undetected failure 

TOv- Technischer Uberwachungs Verein e.V. (Technical 

Inspection Association of Germany) 

2. ANALYSIS METHODS 

The analysis methods described in the standards 

assume two failure modes, fail-safe and failure-on-demand 

(also called fail-danger, dangerous failure). Failure rates for 

system components are divided into these two modes. The 

total failure rate is partitioned into: 

where the superscript S represents a "safe" failure and the 

superscript D represents a 11 dangerous 11 failure. Safe failures 

are defined as those that would cause an output to falsely 

de-energize. Dangerous failures are those that would 

prevent an output from being de-energized. 

The ability of the system to diagnose its own 

internal failures is taken into account. Each of the failure 

(1) 

mode categories is further partitioned into failures detected 

by the on-line diagnostics versus those undetected where: 

and 

where the superscript SD represents a "safe, detected " 

failure, the superscript SU represents a "safe, undetected" 

failure, the superscript DD represents a "dangerous, 

detected" failure and the superscript DU represents a 

"dangerous, undetected" failure. 

"Coverage 11 

is the measure of the built-in-test 

capability of a system. It is defined in Reference 4 as the 

probability that a failure will be detected given !bat it occurs. 

Coverage is denoted by the letter C. A coverage factor must 

be obtained for each component in the system in order to 

separate the detected failures from the undetected failures. 

The four failure rate categories are calculated as follows: 

For each functional portion of the system, a 

calculation is made of the average probability of failure-ondemand 

(PFDavg.). This calculation may be done in a variety 

of different ways including simple approximation equations 

or detailed Markov models. As input data, the calculation 

requires failure rates and mission times (called periodic 

inspection intervals) and may also require repair times and 

common cause factors for on-line repairable redundant 

components. Several additional assumptions are made in the 

standard guidelines. These include constant failure rates, 

constant repair times and automatic shutdown where internal 

faults are detected. 

Three subsystems are specifically identified: 

sensors, logic solvers and final elements (Fig. 2). Sensors 

may be limit switches, pressure switches, temperature 

sensors, etc. Logic solvers are typically a microcomputer 

based controller. Final elements may be solenoid valves, ball 

valves with actuators, etc. 

(2) 

(3) 

0 


0 

0 

Programmable Electronic Controller 

Logic Solver 

Inputs Outpu s 

Process 

Figure 2: Components of a Safety Function 

Final Elements, 

Valves 

As an example of the simplest function, a pressure 

switch is used as a sensor. This is directly wired to a 

solenoid valve. There is no logic solver. Given failure rates, 

failure modes and a mission time, a PFDavg calculation 

could be made for each subsystem. The standards 

guidelines suggest that the PFDavg for each subsystem be 

added (an approximation) to obtain PFDavg for the system. 

Based on the chart in Figure I, a safety integrity level could 

be assigned. Often, the problem has been getting valid 

failure rate and failure mode data. 

When products are designed by a manufacturer to 

meet these international standards, a detailed reliability and 

safety analysis should be done for that product. A failure 

modes, effects and diagnostic analysis (FMEDA) is 

typically done to provide the coverage factors and failure 

rates (Ref. 5-6). The FMEDA analysis is typically inspected 

and verified by third parties as part of the "safety 

certification" process (Ref. 7). Manufacturers are expected 

to publish this data and to do subsystem PFDavg 

calculations to be used as part of a system analysis. 

Overall, the guidelines and methods published in 

the international standards greatly help in providing a more 

consistent and understandable safety analysis. However, 

the methods assume that all components are operating in a 

digital "on/off' mode. Only two failure modes are defined, 

fail-safe and failure-on demand. These are not sufficient in 

practice when on-line diagnostic circuitry and analog 

circuitry is considered. 

3. DIAGNOSTICS I ANALOG CIRCUITRY 

In many products designed for industrial safety 

applications, extra circuitry is added to detect internal 

component failures. Often when this circuitry fails, the 

product continues to function, though it can no longer 

detect the same internal failures. The diagnostic coverage 

factor goes down. These component failures are neither failsafe 

nor failure-on-demand. In some analyses these failures 

are simply ignored. But this is optimistic and will result in 

PFDavg calculations that are lower than they should be. An 

additional failure mode is required. 

There is also a problem when analog circuits are 

considered. Are the failures fail-safe or failure-on-demand? 

Fortunately, this problem can be solved with a definition. In 

consultation with certification engineers, the following was 

derived: "If a failure causes the analog circuit to be 

inaccurate outside the "safety accuracy" specification then 

it is failure-on-demand. Otherwise it is not conside;ed a 

failure." While this is pessimistic in that not all accuracy 

failures will cause a potentially dangerous failure of the 

system, the calculation results will be conservative. It is also 

important to note that when a component failure within an 

analog circuit does not cause an accuracy error greater than 

the safety accuracy specification, that failure is called "safe." 

That can be misleading as the component failure actually has 

no effect on the circuit functionality from a safety 

perspective. 

4. ANALOG PRESSURE SENSOR EXAMPLE 

An analog pressure sensor was analyzed with a 

FMEDA. A Markov model was developed for a single, nonredundant 

sensor. These were reviewed with TOV the 

industry recognized approvals agency, as part of the s;nsor 

safety certification process. The sensor is designed to 

accurately measure a pressure and modulate a 4 - 20 rnA 

electrical current to indicate the pressure range of the sensor. 

If a failure is detected within the sensor, it sets the current to 

3.7 rnA based on the German NAMUR NE43 standard. A 

block diagram of the design can be seen in Figure 3. 

I Sensor Electronics f.. Prime 

Output 

4-20mA 

Current Output 

Diagnostic .... Secondary f- 

Circuitry 

Output 

Figure 3: Block Diagram of Pressure Sensor. 

f-- 


Five failure modes were obtained when the FMEDA was 

done. These are: 

I. Dangerous Detected (DD) - In this case, a fault has been 

detected by the diagnostic circuit in the sensor that 

otherwise would have caused the sensor to produce an 

output outside the 2% safety tolerance. 

2. Dangerous Undetected (DU)- This is the most critical failure 

mode because theoretically the diagnostic circuitry does not 

detect a failure which causes the output to be more than 2% 

different from the actual measured pressure. 

3. Safe Detected (SD) - A SD failure is one where the 

diagnostic circuit detects a failure which normally would not 

effect the output of the sensor. The sensor places its 

output at 3.7rnA to notify operating personnel that there is a 

problem with the device. 

4. Safe Undetected (SU) - In this case, there is a problem with 

the transmitter not detected by the diagnostic circuitry, but 

the output is operating successfully within the 2% safety 

tolerance. If the safety tolerance (2%) was used as a design 

parameter, for safety and reliability analysis purposes these 

failures can be ignored. These failures cannot be ignored for 

process control applications where the required accuracy is 

the normal published 0.05%. 

5. Diagnostic Annunciation Failure (AU) - A failure in the 

diagnostic circuitry does not have an immediate impact 

upon the proper operation of a sensor. The sensor will 

continue to operate normally. However, since a fault in the 

diagnostic circuitry of the sensor can create a potentially 

dangerous situation upon occurrence of a second fault, the 

diagnostic annunciation failure rate must be included in the 

PFDavg analysis. 

The failure rate data was based on the Bellcore 

failure rate database (Ref. 8) and data from semiconductor 

manufacturers. The average ambient temperature was 

assumed to be 40 'C. The failure rates are reported in terms 

of number of failures per 10 9 hours (FIT). The results of the 

FMEDA can be seen in Table 1, taken from Reference 9. 

Tne OaJp ut Response ArOTAL 

I (FITs) 

DD- Failsafe Reoction 475.6 

Dangerous (FO, FU, or 3.7 n!A) 

Det.ded 

Short!F ail Over 17.5 

nnge(FO) 

Output'""' 21 mA 

Open/Fail Und

0 

0 

The sensor is operating successfully i1 states 0 

and 1. State I represents the condition where there is a 

diagnostic annunciation failure. Figure 4 shows the fail-safe 

state (2) as well as the failure-danger state (3). The Markov 

model shows the effect of diagnostic circuitry failure as a 

failure rate marked DD from state I transitions to state 3 

because the diagnostic annunciation function no longer 

operates. Normally, aDD failure takes the model to the failsafe 

state. 

Note that Markov model does not include the SU 

failures. It assumes that the safety accuracy is used as a 

design parameter and that these failures are therefore 

ignored. The Markov model can be solved numerically for a 

number of parameters including PFDavg and availability. 

Substituting the failure rate numbers for the sensor: 

PFDavg (I year)= 1.7 X 10' 4 

PFDavg (2 year)= 3.4 x 10- 4 

PFDavg (3 year)= 5.2 x 10- 4 

PFDavg (4 year)= 6.9 X to·4 

PFDavg (5 year)= 8.7 x 10- 4 

The Markov solutions were done with matrix multiplication 

using a I hour time increment (Ref. 10, Chapter 8). The 

model was solved for a particular mission time (the time 

between periodic inspections of the equipment). 

This data and the corresponding PFDavg subsystem 

solutions will give SIS designers reasonable input to the 

system level PFDavg calculations required to verity 

functional designs per IEC 61508 or ANSIIISA S84.01 

standards. The additional failure mode and the analog failure 

definition were needed to provide conservative comparable 

information for this sensor application. 

REFERENCES: 

I. IEC 61508, Functional Safety of electrical I electronic I 

programmable electronic safety-related systems, 

Switzerland: Geneva, International Electrotechnical 

Commission, 2000. 

2. !SA S84.01, Application of Safety Instrumented Systems 

for the Process Industries, USA, NC: Research Triangle 

Park, !SA, 1996. 

3. TR84.0.02, draft Technical Report, Safety Instrumented 

System (SIS) - Safety Integrity Level (SIL) Evaluation 

Techniques, NC: Research Triangle Park, Instrument Society 

of America, 1998. 

4. Bouricius, W. G., Carter, W. C.; and Schneider, P. R., 

"Reliability Modeling Techniques for Self-Repairing 

Systems," Proceedings of ACM Annual Conference, 1969; 

Reprinted in Tutorial--Fault-Tolerant Computing, Nelson, 

V. P., and Carroll, B. N., eds., USA, DC: Washington, IEEE 

Computer Society Press, 1987. 

5. Collett, R. E. and Bachant, P. W., "Integration of BIT 

Effectiveness with FMECA," 1984 Proceedings of the 

Annual Reliability and Maintainability Symposium, NY: 

New York, IEEE, 1984. 

6. Goble, W.M. and Brombacher, A.C., "Using a failure 

modes, effects and diagnostic analysis (FMEDA} to measure 

diagnostic coverage in programmable electronic systems," 

Reliability Engineering & System Safety, Vol. 66, No. 2, 

Netherlands, Amsterdam, Elsevier, 1999. 

7. Factory Mutual Research, Technical Report, Hardware 

Assessment of Moore Products Co. QUADLOGIProSafe PLC 

System According to IEC 61508, PA: Spring House, Siemens 

Moore Process Automation Solutions, 1998. 

8. Reliability Prediction Procedure for Electronic 

Equipment, Bellcore Technical Advisory TA-{)()()-23620-84- 

01, NJ: Redbank, Bell Communications Research, 1984. 

9. ADQL-6: Safety Integrity Level Verification- Failure Rate 

Data for the 345 Critical Transmitter, PA: Spring House, 

Siemens Moore Process Automation Solutions, 2000. 

10. Goble, W.M., Control Systems Safety Evaluation and 

Reliability, second edition, NC: Research Triangle Park: !SA, 

1998. 

William M. Goble, PhD 

42 Short Rd. 

Perkasie, PA 18944 

USA 

Email: 

wgob!e@exida.com 

BIOGRAPHIES: 

William M. Goble is currently Principal Partner, exida.com, a 

company that provides consulting, training and support for 

safety critical and high availability automation. He has over 

25 years of experience in research and development of 

control systems including analog and digital circuit design, 

software development, engineering management, and 

marketing. 

He has a BSEE from Penn State, an MSEE from Villanova and 

a PhD from Eindhoven University of Technology in 

Eindhoven, Netherlands. He is also an adjunct professor at 

the University of Pennsylvania. He teaches ISA's course 

ES35, "Evaluating System Reliability and Safety" and is 

author of the JSA book "Control Systems Safety Evaluation 

RF · 2001RM-104: page 5 RF

and Reliability.,. He is a fellow member ofiSA and a member 

ofiSA's SP84 committee on safety systems. 

0 

0 

RF 2001RM-104: page 6 

RF

Julia V. Bukowski. PhD 

Dept of Electrical & Computer Engineering 

Villanova University 

Villanova, PA 19085 

USA 

Email: 

bukowski@ece. vill.edu 

Julia V. Bukowski, (8'70, M '79, SM '85) is an associate 

professor of Electrical and Computer Engineering at 

Villanova University. Her research interests include 

hardware, software, and network reliability. She has 

published numerous technical articles and has been guest 

editor of a special issue of the IEEE Transactions on 

Reliability. She has been a Visiting Associate Professor and 

Fulbright Senior Scholar at the Technion Israel Institute of 

Technology. She has been elected to the Eta Kappa Nu and 

Sigma Xi honor societies, and received the IEEE Centennial 

Young Engineers Award for the Reliability Society. 

0 

0 


0 

0

Getting Failure Rate Data 

Dr. W.M. Goble, Principal Partner, exida 

wgoble@exida.com 

www.exida.com 

0 

0 

INTRODUCTION 

Safety verification calculations for each safety instrumented function are a key 

concept in functional safety standards like ISA 84.01 and IEC 61511. These 

calculations are done to insure a balanced and optimal design. However, the 

calculations require failure rate and failure mode information for all the 

instruments used -sensor to final element. When ISA84.01 was first released in 

1996, one comment was made repeatedly, "No one has good failure rate data." 

This led some to believe that the whole idea behind probabilistic failure 

calculations is impractical. Some are still making the comment. 

The fact is that there has been failure rate data available and the data is getting 

much better as manufacturers understand safety instrumentation users needs. 

Even in the early years of the standard, industry failure databases could provide 

information. While this failure data was not product specific or application 

specific, it helped designers recognize problems in their designs. One such 

problem was the "weak link" design. These designs included expensive SIL3 

safety PLCs that were connected to a switch and a solenoid. Many of these 

engineers thought they had a SIL3 design until they did the safety verification 

calculations. Such a design will not even meet SIL 1! Another common problem 

was the final element, typically a remote actuated on-off valve. Some designs 

had triplicated sensors and a SIL3 rated safety PLC with a set of pneumatic 

controls mounted on a single ball valve. The design target was SIL3 but the 

safety verification calculations showed that the design only met SIL 1. [See 

Appendix 1: "A sample SIF calculation"] 

The safety verification calculations required by the new functional safety 

standards have shown designers how to design much more balanced designs 

that optimize cost and safety. The calculations have shown many how to do a 

better job. But, failure rate and failure mode data on the chosen equipment is a 

must. 

Industry Failure Databases 

One of the most popular failure rate databases is the OREDA database. OREDA 

stands for "Offshore Reliability Data." The information is printed in a book that 

may be ordered from DNV in Norway (oreda@dnv.com). The third edition dated 

1997 has been printed with a new version planned. This book presents detailed 

statistical analysis on many types of process equipment. Many engineers use it 

as a source of failure rate data to perform safety verification calculations. It 

remains an excellent reference for all who do data analysis. 

Copyright 2002, exida.com LLC Page 1 of 1

Other data sources include: 

1. FMD-97, Failure mode I Mechanism Distributions, 1997, Reliability 

Analysis Center, Rome, NY 

2. Guidelines for Process Equipment Reliability Data, with Data Tables, 

1989, Center for Chemical Process Safety of AIChE, New York, NY 

3. NPRD-95, Nonelectronic Parts Reliability Data, 1995, Reliability Analysis 

Center, Rome, NY 

4. IEEE Std. 500, IEEE Guide To The Collection and Presentation Of 

Electrical, Electronic, Sensing Component, And Mechanical Equipment 

Reliability Data For Nuclear-Power Generating Stations, 1984, IEEE, New 

York, NY 

5. Reliability Data for Control and Safety Systems, 1998, SINTEF Industrial 

Management, Trondheim, Norway 

And several other sources somewhat more specialized. 

Many companies have an internal expert who has studied these sources as well 

as their own internal failure records and maintains the company failure rate 

database. Some use failure data compilations found on the internet. While the 

data in industry databases is not product specific or application specific, it does 

provide useful failure rate information for specific industries (nuclear, offshore, 

etc.) and a comparison of the data provides information about failure rates versus 

stress factors. 

There is a problem with the industry databases though. A probability of faildanger 

calculation for safety verification purposes does require more than just 

failure rate data. For each piece of equipment, one must know the failure modes 

(safe versus dangerous) and the effectiveness of any automatic diagnostics (the 

diagnostics coverage factor). This information is included only in rough form if at 

all in industry databases. So many engineers doing safety verification 

calculations provide an educated and conservative estimate. For most electronic 

equipment, the safe percentage is set to 50%. Relays have a higher percentage 

of safe failures with many picking a value of 70% or 80%. Mechanical 

components like solenoids might be more like 40% safe with many failure modes 

causing stuck in place failures that end up being dangerous in a safety protection 

application. 

0 

Diagnostic coverage can also be estimated. If "normal' diagnostics are available 

in a microprocessor based product, diagnostic coverage can be conservatively 

credited to 50%. Diagnostics for mechanical devices is usually given no credit, 

0% detected failures, unless there is some special testing like automatic partial 

valve stroke testing due to a smart valve positioner. 

So, the data is there. Using a combination of industry databases, company data 

and experience, the calculation methods required in functional safety standards 

like ISA 84.01 and lEG 61511 are being performed. 


Product Specific Failure Data 

It is clear that some are uncomfortable with the level of accuracy in the data. 

Questions about failure rate versus stress conditions in particular applications 

come up. Questions about specific products are constantly being asked 

especially when one must attempt to pick a better product to achieve higher 

safety. 

0 

Fortunately, several instrumentation manufacturers are doing detailed analysis of 

their products to determine a more accurate set of numbers useful for safety 

verification purposes. A Failure Modes Effects and Diagnostic Analysis (FMEDA) 

provides specific failure rates for each failure mode of an instrumentation 

product. The percentage of failures that are safe versus dangerous is clear and 

relatively precise for each specific product. The diagnostic ability of the 

instrument is precisely measured. Overall, the numbers from such an analysis 

are indeed product specific and provide a much higher level of accuracy when 

compared to industry database numbers and experience based estimates. 

A FMEDA is done by examining each component in a product. For each failure 

mode of each component, the effect on the product is recorded. Will this resistor 

failure cause the product to fail safety, fail dangerously, lose calibration? If the 

serial communication line from the AID to the microprocessor gets shorted, how 

does the product respond? If this spring fractures does that cause a dangerous 

or a safe failure? The failure rate of each component is entered according to 

component failure mode and the various categories are added. The end result is 

a product specific set of failure data that includes failure rates for each failure 

mode, failure rates that are detected and undetected by diagnostics, safe failure 

fraction calculations and often an explanation on how to use the numbers to do 

safety verification calculations. 

0 

FMEDA is sometimes done by the manufacturer but typically done by third party 

experts including TOV, FM, BASEEFA and exida. Often the work is done as part 

of a IEC61508 functional safety certification effort by the product manufacturer. 

Many manufacturers have recently issued FMEDA reports as shown in Table 1, a 

listing of field instrumentation reports. The FMEDA failure rate and failure mode 

is product specific and generally shows lower failure rates than industry database 

generic data. A comparison is done in Appendix 2. 


Table 1: Field ~·•~na ports I 

I 

i 

I 

~ ~ ·~ 

II ;00 

lTI250 

I 

Moore I i I TRY I 

I Site , Alarm exida I None 

130511 !Pressure· FM I None 

13051' exir lone 

~ 

I 

WIKA T32 i ex ida 

a ... 

I None 

Elcon IHC I Smart isolator I None 

I None 

10 exida 

I Smart isolator 

exida 

'-Ex' I Isolated Barrier exlda lone 

I 

I 

. 50 12 

ex~ 

~ 

1705 

I 

~ 

!Fisher Controls 

iMetso i IVGBOO I I uv 

I IG None 

o Valve actuator 

lexida 

IMokveld IRXD series Valve AEA uv 

uv 

0 

The future of failure data 

Although product specific FMEDA reports offer superior data sources when 

compared to industry databases, they still do not account for application specific 

stress conditions that may affect actual failure rates. Ideally in the future 

manufacturers will be able to provide not only point estimates of failure rates but 

perhaps even equations with application specific variables to more precisely 

calculate the needed numbers. That will happen if there is demand and the 

needed data is collected. 

0 

One effort in the right direction is the PERD (Process Equipment Reliability 

Database) initiative from the Center for Chemical Process Safety (CCPS) of the 

AIChE (www.aiche.org/ccps/perd/). That group has defined failure taxonomies 

for various types of process equipment. The important data that must be 

collected for a failure event has been defined. Operating companies from 

chemical, petrochemical, industrial gases and other industries become members 

and are working to set up inspection and failure reporting. They have created 

data collection software that members use to report field failures to a central 

database. There is potential that this information could someday become the 

best possible source of product specific and application specific failure rate and 

failure mode data. We look forward to better data with more accuracy as we 

move forward. 

Copyright 2002, exida.com LLC 

Page 4 of4

Appendix 1: A sample SIF calculation. 

A safety instrumented function has been defined where high pressure in a process 

vessel must stop "sour gas" fuel flow to a burner. The risk reduction requirement results 

in a SIL2 target for the SIF. The proposed safety instrumented function design is shown 

in figure 1. 

0 

Rosemount 3051C 

pressure transmitter 

Generic SIL2 

Logic Solver 

Actuator 

Figure 1 Conceptual design SIL2 Safety Instrumented Function 

0 

The conceptual design of this safety instrumented function consists of the following 

equipment. Two pressure transmitters in a 1 oo2 voting arrangement are used as the 

sensor devices. A PLC certified for SIL2 is used as the logic solver. Finally two 3-way 

solenoids each operating an pneumatic actuator with ball valve in a 1-out-of-2 voting 

arrangement are used as the final element devices. 

A proof test interval of 12 months and a Mean Time To Repair of 8 hours are specified. 

The results of the SIL verification using the exida software tool SILver, shown in figure 2, 

indicate that the conceptual design of the safety instrumented function meets the SIL2 

requirements based on the average Probability of Failure on Demand value. 

Furthermore the conceptual design of the SIF also meets the SIL2 requirements based 

on the architectural constraints requirement of IEC 61511. 


Sfflnsnr Port !nforrnath:m 

0 

0 

Figure 2 SIL verification results for conceptual design SIL2 SIF 


Appendix 2: A comparison of failure rates. 

Failure rates may be obtained from industry databases, manufacturer FMEDA 

analysis, manufacturer field failure studies, company failure records or other 

sources. Most reliability engineers consider application specific and product 

specific data to be the most accurate. Generally, less specific data turns out to 

be more conservative and that is appropriate for safety verification purposes 

following the rule that "the less one knows, the more conservative one must be." 

Table 2 shows a comparison of data for a pressure transmitter. The failure rate 

numbers from the database sources are significantly higher than the FMEDA 

reports. 

0 

Table 2 failure rate data for a f.l', ''"' transmitter 

I 

Source Component Total r:;~;;e Rate lifo Safe 

Failures 

I 

I 

~ 

I •"""' c%> 

IT• '- 

I - - 

IT• - - - 

IF~~DA, 3051T Pressure Transmitter, 

lexida 

4

0 

0

Techniques for achieving reliability 

in safety PLC embedded software 

Dr. William M. Goble 

www.exida.com 

0 

0 

ABSTRACT 

There is a strong trend toward the use of programmable electronics in safety 

instrumented systems. Yet some users still avoid software-based systems. They cite 

the unpredictability of software and case histories of software failure. However, a 

special class of PLC called a "safety PLC" does meet the need for safety and high 

availability in critical automation. 

A safety PLC must meet the requirements of a set of rigorous international 

standards that cover the design, the design methods and testing of software and 

hardware. Third party experts (typically TOV in GERMANY) enforce the rigor when 

the products go through the certification process. Some of the methods used to 

build "high integrity software" for safety PLCs are described in this paper. 

INTRODUCTION 

The quantity of software in equipment used for critical process control and safety 

instrumented systems is growing. This is due to a strong trend toward using flexible 

safety PLCs instead of relays or DCSs in safety instrumented systems. Safety PLCs 

are microcomputer-based controllers that are designed for high safety and high 

availability applications. Safety PLCs offer application flexibility, self-diagnostics, 

communication interfaces to other plant automation systems, automated application 

tools that help prevent human error [1] and a level of reliability and safety not 

available in conventional PLC/DCS equipment. 

A PLC qualifies to be called a safety PLC when it passes a series of tests given by 

third party certification agencies (TOV, Germany or FMRC, US). Safety PLCs are 

certified per international standards, primarily IEC61508 [2] and VDE0801/A 1 [3]. 

These standards require extensive safety analysis of both hardware and software. A 

key part of the analysis covers the diagnostic ability of the PLC. In the VDE0801/A1 

standard, the qualitative rule "no known dangerous undetected failures" applies. In 

the IEC61508 standard, detailed quantitative analysis [4,5] of hardware failures 

must be performed. That analysis determines the "diagnostic coverage factor," a 

number between 0% and 100%. Levels of 90%+ are expected, depending on target 

safety integrity level and amount of safety redundancy. The safety PLCs are also 

evaluated to insure electrical safety, user manual integrity, fault tolerant architecture 

Copyright exida.com L.L.C. 2000 Page 1 of 8



and software integrity. The software integrity is another of the key differences 

between conventional PLC/DCS equipment and safety PLCs. 

HIGH INTEGRITY SOFTWARE 

While some regulatory bodies in certain geographic areas still do not allow 

software-based equipment to be used in critical process control or safety protection 

applications, most have recognized the value of the intensive diagnostics available 

in safety-certified software-based controllers. Those regulators who do not allow 

software cite the unpredictability of complex software and the history of software 

failures [6]. 

There may be reason to doubt the reliability and safety of some types of consumer 

grade software, but the international standards used by designers of safety PLCs 

have rigorous requirements to increase software integrity. The standards 

emphasize the process: product development according to a lifecycle model. While 

several models are available, the ''V-model" is the recommended choice because of 

the link between the design and test specifications during product development. 

(see Figure 1) Software techniques for complying with these requirements will be 

discussed later. 


Validation Test 

Design 

Integration Test 

-~ 

Implementation ~ Unit Test 

Figure 1: V-Model, Software Development Process 

The standards cover the entire development process from functional requirements 

of the product to final testing, not just software implementation. International 

standards require a whole set of development activities designed to insure the 

highest software quality for avoidance and control of faults. These activities include 

program execution diagnostics, data verification testing, data storage integrity, 

complexity reduction, and a wide set of software development process 

requirements. Following these guidelines closely with the certification agency's help 

will result in "high integrity software." 




Overall, the safety standards require a quality and robustness not found in many 

types of products, with or without software. Whether the VDE0801/A 1 rules or the 

IEC61508 rules are being applied, they both dictate a more stringent product 

development effort. The software development of these products must include 

many techniques that might be cost prohibitive (in both time and money) to average 

software suppliers. 

0 

CRITICAL SOFTWARE PROCESS 

Quality principles developed by Juran and Deming are well known throughout the 

world for factory operations. These quality principles require that a process be 

established and followed. While following a process may seem obvious, it is easy 

to take software quality for granted and shortcut the process after the initial design 

is completed. This seems to be part of the "software culture" at times, especially 

when a project gets behind schedule. 

The safety critical software development process emphasizes a V-model that starts 

with product requirements. Requirements reviews determine that all safety relevant 

requirements are documented. As the V-model indicates, product validation tests 

are developed along with product requirements. Test planning can and should be 

done while requirements are being finalized. A test plan review provides a good 

crosscheck of the testability of any given requirement, a test of requirement 

reasonability. The test plan review may also uncover missing requirements before 

too much design has occurred. 

(! 

The requirements are considered the foundation of the whole project and as such 

should be treated quite seriously. Each requirement must state the safety function in 

quantifiable terms ("The analog channel shall detect any faults that cause a value 

greater than +/- 2% of span within one second"). An important aspect of the 

process is the traceability of requirements to tests. While this step makes auditing 

easier, it also aids the developers to identify missing and duplicated requirements. 

The test effort must show correctness and completeness of fulfilling the product 

requirements. Correctness means that the software operation performs exactly as it 

is intended, fulfills the matched requirement, and takes appropriate action for fault 

detections. Completeness means that all requirements have been met. 

MANAGE THE CHANGES 

It is essential for the development team to maintain control over changing 

requirements. Documents should be properly identified and include revision history. 

Formal reviews should be held with meeting minutes that include issue resolution 

and agreed action items. If decisions are made the affect requirements, the team 

must go back through the process and judge impact to other parts of the product. 

The project manager must review and assure completion of all action items. More 




importantly, the team must translate informal resolutions of design issues to the 

design documents. Not every design decision is made by a formal review; many 

decisions can and should be made at the level appropriate for implementing the 

decision. When decisions are made in this manner, the appropriate design 

documents should be updated. The document trail serves to inform all project 

stakeholders of the changes. 

SAFETY PLC SOFTWARE TECHNIQUES 

Failures in software do not occur randomly nor does software "wear out"; all 

software failures are designed into the system. When that certain combination of 

inputs, timing or data presents the right conditions to the system, it will fail every 

time. For this reason, failures in software systems are known as "systematic" 

failures. To make certain the software is performing as intended therefore, the 

software must check itself to make sure it has what it thinks must be done. Software 

diagnostics are programmed into embedded code. One of the most effective 

software diagnostics is "flow control." Program flow checking makes sure essential 

functions execute in the correct sequence. At key points in the program, a "flag" is 

set, preferably with a time stamp (Figure 2). At the end of each program scan the 

flags are checked. All flags must be set in the correct sequence. If time stamps are 

also used, the time difference between flag settings can be compared with 

reference values for further error detection. 

I Program Segment 1 

~I Set Flag I -Time Stamp Tl 

I 

I Program Segment2 

Set Flag 2 -Time Stamp T2 

I 

I 

-, 

Program 

Segment 3 

Set Flag 3 -Time Stamp T3 -I 

I Program 

Segment4 1 

. 

Program .I 

Segmentn 

I 

Set Flag 4 -Time Stamp T4 

Set Flag n - Time Stamp Tn 

I 

n 

-, -·- 

Check Program Flow: Tn>T4>T3>T2>Tl 

T2-TJ~Atl, T3-T2~t2, T4-T3~At3, Tn-T4~t4 

Check Timing: ATI



Another software diagnostic is called "reasonableness checking." When the results 

of computations should always be within known limits, the computed outputs can be 

tested to see if they exceed those known limits. In this way systematic faults can be 

detected before an erroneous system action occurs. Aside from computational 

results, many states and values are derived and stored within software control. 

When values are mutually exclusive, additional reasonableness checks on this data 

can flag faults before erroneous states occur. The same mechanism can be used 

for message schemes between software-based systems. 

0 

The data used in a safety PLC must be protected from corruption. Critical data is 

identified by analyzing the execution flow of critical software functions. Often done 

with dataflow diagrams, this analysis identifies the software processes that perform 

critical functions found in the safety requirements. These functions include both the 

diagnostics and the execution of the user safety program. The data associated with 

these software processes is termed critical data. Critical data must be stored in a 

manner that cannot become corrupted in an undetected manner by systematic 

software fault or by hardware failure. 

Figure 3 shows a dataflow diagram with a chain of processes and a reverse 

calculation check on critical data. Process #8 provides a crosscheck on processes 

#1 through #3 to detect an error in the normal process chain. While processes #1- 

#3 may provide a high accuracy result based on product specifications, process #8 

provides a comparison of that result within the product safety accuracy, which is 

usually less accurate but will detect an erroneous software condition. 

7 

4 5 

6 

8 

background 

compare 

9 

report 

error 

Figure 3: Dataflow Diagram With Reverse Calculation Comparison 

Copyright exida.com L.L.C. 2000 

Page 5 of8



FIREWALLS AROUND CRITICAL FUNCTIONS 

When safety critical functions must be combined with non-safety critical functions, 

the design must include sufficient safeguards for non-interference. This means that 

any non-safety operations, like data acquisition from a safety system to a plant 

manager console screen, cannot hamper or inhibit in any way the safe operation or 

fault detection mechanisms of the safety system. If any non-safety functions have 

the possibility of writing data to a safety system, the writes must be under controlled 

circumstances in an allowed configuration mode. The system design must reject any 

unexpected changes to the system. 

SOFTWARE COMPLEXITY 

Safety PLC standards demand special techniques to reduce software complexity. 

Operating systems are carefully examined for task interaction. Real-time interaction, 

such as multitasking and interrupts, are avoided. This is because many of the most 

insidious software faults have been traced to unanticipated interaction between 

software programs and common resources used by multiple software tasks. When 

multi-tasking is used, real time interaction of tasks requires extensive review and 

testing. It is especially important to avoid the use of common resources, such as 1/0 

registers and memory, by asynchronous tasks in a multi-tasking environment. 

TESTING 

Extra software testing techniques are required for safety PLCs during software 

development. The findings and assumptions of the criticality analysis must be 

proven. A series of "software fault injection" tests must be run to verify data integrity 

checking. The programs are deliberately corrupted during testing to insure 

predictable, safe response of the software. Hardware emulators, specific for the 

microprocessor, are often used to set break points and alter program data, then the 

program is allowed to continue to see if the fault was detected. An alternative test 

method uses custom software built into the program. This requires a monitor 

program to accept user input about special test codes. These test codes invoke 

fault injection functions that are time dependent and not easily performed by an 

emulator. The testing must be fully documented such that third-party inspectors can 

understand the operation. While this activity is not justified in most software 

development, this is exactly how the most harmful and covert software design faults 

are uncovered. 

Q 

FAULT AND CHANGE TRACKING 

When suspected problems are found in the software design or code, they must be 

recorded and reviewed using a formal system [8]. Not every reported problem is a 

real defect, and these should be discarded with rationale for the determination. Not 

every problem found is reliability or safety related. When a problem is investi,gated 

Copyright exida.com L.L.C. 2000 Page 6 bf 8



and deemed important enough to fix, the development team should perform an 

impact analysis of the suspected defect. The analysis should include: 

• Accurate problem description 

• Effect of the problem on critical functions 

• Description of the proposed solution 

• Effect of the proposed solution on safety functions 

0 

A database should contain all necessary details of activity related to problem 

identification and tracking. Items to clearly identify in this database are: 

• Author, date, and product/version where problem was found 

• Problem description, with any particular test setup details or circumstances 

• Implementer log that includes change notes and files affected 

• Authorization notes for accepting the change 

• Time estimates and actual time used 

• Test data to see that the fix was correct 

SOFnNAREPROCESSIMPROVEMENT 

Problems discovered in the software development process that involve safety 

critical functions must be treated with great scrutiny. The step in the development 

process where the problem occurred should be identified [9]. Some problems can 

be traced to design or implementation, but the greater number of problems is often 

traced to missing or inadequately defined requirements. When the latter case 

occurs, the lifecycle model loop must be reviewed to determine where to start 

implementation of the fix and any related documents that need to change. 

It is also useful to identify what error detection step in the development process 

should have found the problem. If the problem was discovered at a later step in the 

process, improve the process for future developments [9]. While it sometimes 

seems like a problem is isolated to a specific area of software, it is often the case 

that the problem is more far-reaching. The design documentation referenced by the 

problem area must be reviewed for non-obvious interface effects. For example, 

there can be subtle timing elements that could affect message schemes that are 

safety critical, or an uncommon but likely mode of operation may inhibit a critical 

diagnostic under specific conditions. 

Any quality control effort's goal is to find the root cause and fix the process in an 

irreversible way. An effective problem tracking system will aid in closing the loop on 

problem solving that includes both internal process improvement and field failure 

analysis. The system can serve as the repository of all investigative findings and 

include resolution details. 


Page 7 of8



CONCLUSION 

International standards for safety PLC software design require an excellent software 

development process and special software design and test techniques. These 

techniques will produce more reliable software according to the group of 

international experts on these standards committees. A PLC that meets these 

standards provides value through high safety and high availability in fault tolerant 

programmable systems. A PLC that meets these standards should be approved by 

regulators for the appropriate safety level to which it was approved. 

REFERENCES 

1. Goble, W. M. "Meeting Safety Standards with Matrix Programming," Proceedings of the 

Automation Exhibition, ISA Cincinnati, OH: Cincinnati, 1999. 

,---.. 

' ) 

2. IEC61508, Functional Safety of electrical/ electronic I programmable electronic safety-related 

systems, International Electrotechnical Commission, Switzerland: Geneva, 1998. 

3. DIN V VDE 0801 A1, Grundsatze fOr Rechner in Systemen mit Sicherheitsaufgaben, Anderung 

A1, 1994. 

4. Goble, W. M., Bukowski, J. V. and Brombacher. A. C., "How diagnostic coverage improves 

safety in programmable electronic systems," ," /SA Transactions, Vol. 36, No. 4, The 

Netherlands: Amsterdam, Elsevier Science B. V. , 1998. 

5. Goble, W.M., Control System Safety Evaluation and Reliability, I SA, Raleigh, N.C., 1998. 

6. Leveson, N. G., Safeware- System Safety and Computers, Addison-Wesley, MA: Reading, 

1995. 

7. Lawrence, J.D., and Preckshot, G.G. "Design Factors for Safety-Critical Software." (Report# 

NUREG/CR-6294) Lawrence Livermore National Laboratory, 1994. 

8. Mavis, S. A., "An Organized Way of Tracking Faults in the Development Process," Proceedings 

of the International Symposium of Engineered Software Systems (ISESS) Symposium, Malvern, 

PA, USA, May 1993, UK: London, World Scientific, 1993. 

9. Bukowski, J. V., and Goble, W. M., "Software- reliability feedback: A physics of failure 

approach," 1992 Proceedings of the Annual Reliability and Maintainabiltiy Symposium, NY: New 

York, IEEE, 1992. 

• 


Page 8 of8

CFSE - Certified Functional Safety Engineering I - Participant&#039;s Notebook - Exida 2007

Create successful ePaper yourself

Delete template?

Save as template?

CFSE - Certified Functional Safety Engineering I - Participant's Notebook - Exida 2007