CFSE - Certified Functional Safety Engineering I - Participant's Notebook - Exida 2007
Functional Safety Engineering I (Version 3.51)
Participant's Notebook
Copyright © 2000-2007 exida.com, L.L.C., All Rights Reserved
exida.com, L.L.C.
64 North Main Street
Sellersville, PA 18960
Table of Contents
SECTION 1: COURSE PRESENTATION SLIDES
SECTION 2: EXERCISES
SECTION 3: ADDITIONAL RESOURCES
- IEC 61508 Overview Report - E. Scharpf and W. Goble
- Failure Rate Data
- Safety Terms and Abbreviations

SECTION 1
Course Presentation
Functional Safety Engineering I:
Risk Analysis and Safety Integrity Level Selection
Sellersville, PA, USA
Munich, Germany
Westville, KZN, South Africa
www.exida.com
Version 3.7

exida Certification S.A. in Switzerland, Geneva
• Exida founded an independent certification company in Geneva, Switzerland, the home of IEC.
• Certifications are issued by independent assessors and auditors
• Swiss Quality reputation
Copyright exida.com LLC 2001-2008
Course Logistics
• Course materials & location
- Handouts and course binder
- Exercises, Reference Material and Course Review
• Course attendance & participation
- Certificate of course completion
• Breaks
- Lunch
- Stretch, refreshment, etc.
• Personal belongings
• Fire Alarms and Evacuation Procedure
• Calls & e-mails

Introduction of Course Participants
• Instructor
- Name
- Background/experience
• Classmates
- Name, company, position
- Background/experience you bring to the course
- What would you like to get from this course?
General Course Objectives
• Review the principles and purposes of Risk Management
• Review the purpose behind and the concepts of the Safety Lifecycle
• Review of the tasks included in the safety lifecycle (IEC 61511 based with references to IEC 61508)
• Review the rules of probability and fundamental fault tree analysis
• Review the purpose and available methods for process hazards analysis
Section 1: Introduction to Safety Instrumented Systems
• Why SIS exist
• SIS Evolution
• The Standards
• SIS Definitions
• Safety Instrumented Functions
• SIS Equipment

[Figure: risk reduction from "Minimum Risk Reduction" to "Optimal Risk Reduction (ALARP)" across the layers SIS, Relief, Alarms, BPCS and Design Process]
SIS Evolution
• 1960's
- Hardwired relays, installed where need is recognized.
• 1970's
- Hardwired relays, solid state logic - installed where need is recognized
• 1980's
- Started using PLCs
- HAZOP, Risk Analysis procedures developed
- Studies showed no decrease in accidents. Continued financial and personal loss
[Figure: pie chart of accident causes - Changes after Commissioning 21%, Operation & Maintenance 15%, Design & Implementation 15%, Installation & Commissioning 6%]
80/90's Safety Design Process
[Figure: Potential Hazards -> Hazard -> SIS Design]

80/90's Company Design Rules
• If "CLASS 3" (any serious injury or fatality)
- Design with three transmitters voted 2oo3
- Design with AK6 safety PLC: Triconex or Honeywell FSC
- Output will remove air supply from control valve positioner via 3-way solenoid
[Figure: three transmitters -> AK6 rated PLC -> solenoid -> control valve]
SIS Evolution
• 2000's
- Safety Field Equipment - Transmitters, Valves
- PLC's - Improved Diagnostics
- IEC 61511
- Better Diagnostics
- Safety Lifecycle Process

The Standards
• IEC 61508: International performance-based standard for all industries (applies to suppliers)
• IEC 61513: Nuclear sector
• IEC 61511: Process industry sector (US uses essentially identical ISA 84.00.01-2004)
IEC 61508 Standard
• Targets Suppliers
- Requirements for suppliers of process control and instrumentation for component / subsystem safety
- End Users seek suppliers with products certified to this standard by a reputable certifying agency

IEC 61511 Standard
• Targets End Users, Contractors and Integrators in process industries
• Covers the entire SIS Life Cycle
- Risk Analysis
- Performance based design
- Operations and Maintenance
• Performance NOT Prescription
• End user applications
- Not typically certified
- Independent Functional Safety Assessments
• 3 sections
- Requirements
- Guidelines
- SIL Selection
Safety Instrumented System Definition
IEC 61511 defines a Safety Instrumented System (SIS) as "instrumented system used to implement one or more safety instrumented functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s)." IEC 61511 Part 1 3.2.72

IEC 61508 Definition
IEC 61508 does not use the term Safety Instrumented System (SIS) and instead uses Safety Related System to mean the same thing.
(SRS is Safety Requirements Specification in IEC 61511)
Safety Instrumented System Functional Definition
Practitioners often prefer a more functional definition of SIS such as:
"A SIS is defined as a system composed of sensors, logic solvers and final elements designed for the purpose of:
1. Automatically taking an industrial process to a safe state when specified conditions are violated;
2. Permit a process to move forward in a safe manner when specified conditions allow (permissive functions);
3. Taking action to mitigate the consequences of an industrial hazard."
[Figure: SIS shown alongside the BPCS]

Safety Function
[Figure: Sensors -> Logic Solver -> Final elements]
"Function to be implemented by an SIS, other technology safety related system, or external risk reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event."
IEC 61511 Part 1 (3.2.68)
Safety Instrumented Function (SIF)
[Figure: Sensors -> Logic Solver -> Final elements]
"Safety function with a specified SIL which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function."
IEC 61511 Part 1 (3.2.71)

Instrumented Function Types
[Figure: decision diagram - is the function safety relevant? No: Basic Process Control and/or Asset Protection Function. Yes: Safety Instrumented Prevention Function or Safety Instrumented Mitigation Function]
Safety Integrity Level
[Figure: Safety Integrity Level scale - SIL 4, SIL 3, SIL 2, SIL 1]
"Discrete level (one out of four) for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented systems. SIL 4 has the highest safety integrity and SIL 1 the lowest."
IEC 61511 Part 1 (3.2.74)

Safety Instrumented System
[Figure: Sensors -> Logic Solver -> Final elements]
Safety Instrumented Functions

SIF Sensors
Like a control system, a safety system has sensors. In the process industries sensors measure process parameters including pressure, temperature, flow, level, gas concentrations and other measurements. In the machine industries sensors measure human proximity, operator intrusion into a dangerous zone and other protective parameters.

SIF Logic Solver
A safety system also has a logic solver, typically a controller, that reads signals from the sensors and executes preprogrammed actions to prevent or mitigate a process hazard. The controller does this by sending signals to final elements.

SIF Final Elements
The final element in a SIF is what acts to bring about the safe state. This is often a remote actuated valve in the process industries, while in machine safety it could likely be a clutch/brake assembly.

Safety Instrumented Function (SIF) Implementation
[Figure: Sensors, Logic Solver, Final Elements, Interconnections, and Circuit Utilities (i.e. Electrical Power, Instrument Air etc.)]
The actual implementation of any single safety instrumented function may include multiple sensors, signal conditioning modules, multiple final elements and dedicated circuit utilities like electrical power or instrument air.
Section 1: Summary
• Why SIS exist
• SIS Evolution
• The Standards
• SIS Definitions
• Safety Instrumented Functions
• SIS Equipment

Section 2: Safety Lifecycle
• Accident Causes
• Safety Lifecycle Objectives
• IEC 61508 and IEC 61511 (ISA 84.01) versions of the Safety Lifecycle
• Analysis Phases
• Realization Phases
• Operation Phases
• Personnel Competency
Industrial Accident Primary Causes - HSE
HSE study of accident causes involving control systems:
[Figure: pie chart - Specification 44%, Changes after Commissioning 20%, Design & Implementation 15%, Operation & Maintenance 15%, Installation & Commissioning 6%]
"Out of Control: Why Control Systems Go Wrong and How to Prevent Failure", U.K.: Sheffield, Health and Safety Executive, 1995 (Ed 2, 2003)

Safety Lifecycle Objectives
• Build safer systems that do not experience as many of the problems of the past
• Build more cost effective systems that match design with risk
• Eliminate "weak link" designs that cost much but provide little
• Provide a global framework for consistent designs
Practical results of Implementing SLC
Refinery: Hydrogen Manufacturing Unit
• 49%: Safety Functions were over-engineered
• 4%: Safety Functions were under-engineered (unsafe)
• 47%: No change

Practical results of Implementing SLC
Total of 5319 loops are considered, at 7 different plants.
• 37%: Safety Functions were over-engineered
• 6%: Safety Functions were under-engineered (unsafe)
• 57%: No change
IEC 61508 Safety Lifecycle
[Figure: IEC 61508 Safety Lifecycle, "ANALYSIS" phase - Concept (End User / Consultant), Hazard & Risk Analysis, ...]

Safety Lifecycle "Analysis" Phases
[Figure: flowchart of the analysis phases. Inputs: Process Safety Information, Event History, Application Standards, Hazard Characteristics, Consequence Database, Failure Probabilities, Tolerable Risk Guidelines.]
1. Process Design - Scope Definition
2. Identify Potential Hazards -> Potential Hazards
3. Consequence Analysis -> Hazard Consequence
4. Identify Protection Layers -> Layers of Protection
5. Likelihood Analysis (LOPA) -> Hazard Frequencies; design of other risk reduction facilities
6. Select RRF, Target SIL -> RRF, Target SIL for each SIF
7. Develop Process Safety Specification
Layer of Protection Analysis
[Figure: steps 2 (Identify Potential Hazards) through 5, with inputs Event History, Application Standards, Hazard Characteristics, Consequence Database, Failure Probabilities and outputs Potential Hazards, Layers of Protection, Hazard Frequencies]
• Objective
- Assess likelihood based on all protection layers.
• Tasks
- Identify Layers of Protection
- Use qualitative or quantitative methods
[Figure: event tree - Initiating Event, Protection Layer 1, Protection Layer 2, Protection Layer 3, Outcome; if PL1 fails and PL2 fails ... the accident occurs; if PL2 succeeds ... the outcome is safe]

Select RRF, Target SIL
• Objective
- Specify the required risk reduction, or difference between existing and tolerable risk levels - in terms of SIL
• Tasks
- Compare process risk against tolerable risk
- Use decision guidelines to select required risk reduction
- Document selection process
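The LOPA event tree and the RRF / target SIL selection described above, as an added worked example that is not from the exida notebook: the initiating event frequency, the layer PFDs and the tolerable frequency are constructed, and the SIL bands are the IEC 61508 / IEC 61511 low-demand PFDavg ranges.

```python
from dataclasses import dataclass

# IEC 61508 / IEC 61511 low-demand SIL bands: (SIL, lower PFDavg bound, upper bound).
# A PFDavg in [1e-3, 1e-2) is SIL 2, and so on; RRF = 1 / PFDavg.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


@dataclass(frozen=True)
class Layer:
    """One independent protection layer (IPL) in the LOPA event tree."""
    name: str
    pfd: float  # probability the layer fails when demanded, 0 < pfd <= 1


def mitigated_frequency(initiating_freq, layers):
    """Frequency (per year) of the accident outcome: the initiating event
    occurs and every protection layer in the chain fails on demand."""
    if initiating_freq <= 0:
        raise ValueError("initiating event frequency must be positive")
    freq = initiating_freq
    for layer in layers:
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"{layer.name}: PFD must be in (0, 1]")
        freq *= layer.pfd
    return freq


def required_rrf(mitigated_freq, tolerable_freq):
    """Risk reduction factor the SIF must still provide so the mitigated
    frequency falls to the tolerable frequency; 1.0 means the existing
    layers already meet tolerable risk and no SIF is needed."""
    if tolerable_freq <= 0:
        raise ValueError("tolerable frequency must be positive")
    return max(1.0, mitigated_freq / tolerable_freq)


def target_sil(rrf):
    """Map the required RRF to a target SIL.
    0 means the required PFD is above the SIL 1 band (RRF <= 10): the gap
    is below SIL 1 and a non-SIS layer may suffice.  An RRF beyond the
    SIL 4 band is rejected: a single SIF cannot credibly deliver it, so the
    designer has to revisit the other layers or the inherent risk instead."""
    pfd = 1.0 / rrf
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    if pfd >= 1e-1:
        return 0
    raise ValueError(f"RRF {rrf:.3g} exceeds SIL 4; re-evaluate the layers of protection")


def select_sif_target(initiating_freq, layers, tolerable_freq):
    """Run the LOPA chain end to end and return the values to document."""
    mitigated = mitigated_frequency(initiating_freq, layers)
    rrf = required_rrf(mitigated, tolerable_freq)
    return {
        "mitigated_frequency_per_year": mitigated,
        "required_rrf": rrf,
        "target_sil": target_sil(rrf),
    }


# Constructed scenario (not from the notebook): a BPCS loop failure leads to
# vessel overpressure; operator response to the high alarm and a relief valve
# are the existing protection layers.
INITIATING_EVENT_PER_YEAR = 0.5
EXISTING_LAYERS = (
    Layer("Operator response to high-pressure alarm", pfd=0.1),
    Layer("Pressure relief valve", pfd=0.1),
)
TOLERABLE_PER_YEAR = 1e-5  # constructed tolerable frequency for this consequence


if __name__ == "__main__":
    result = select_sif_target(INITIATING_EVENT_PER_YEAR, EXISTING_LAYERS, TOLERABLE_PER_YEAR)
    for key, value in result.items():
        print(f"{key}: {value:.3g}" if isinstance(value, float) else f"{key}: {value}")
```

Adding a further layer (design option 1 on the SIF Design Options slide, e.g. a containment dike) lowers the required RRF and therefore the target SIL.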
Safety Requirements Specification
7. Develop Process Safety Specification -> Safety Requirements Specification
• Objective
- Specify all requirements of SIS needed for detailed engineering and process safety information purposes
• Tasks
- Identify and describe safety instrumented functions
- Document SIL
- Document action taken - Logic, Cause and Effect Diagram, etc.
- Document associated parameters - timing, maintenance/bypass requirements, etc.

SIS Project V-Model
[Figure: V-model of the SIS project]
Safety Lifecycle "Realization" Phases
[Figure: flowchart of the realization phases, with inputs Equipment Data, Manufacturer Safety Manual, Application Standards, Failure Rate Database and the Safety Requirements Specification]
8. SIF Conceptual Design - Select Technology -> Technology Justification Report
9. SIF Conceptual Design - Select Architecture
10. SIF Conceptual Design - Determine Test Plan
11. SIF Conceptual Design - Reliability / Safety Calc. (inputs: Manufacturer Safety Manual, Failure Rate Database)
12. Detailed Design Documentation - H/W & S/W Design, Detailed Design
13. Factory Acceptance Test -> FAT Test Report
IEC 61511 Stage 2 FSA

Select Technology
• Objective
- Choose the right equipment for the purpose. All criteria used for process control still apply.
• Tasks
- Choose equipment
- Obtain reliability and safety data for the equipment
- Obtain Safety Manual for any safety certified equipment or equipment making a SIL capability claim
Select Architecture
• Objective
- Choose type of redundancy if needed
• Tasks
- Choose architecture
- Obtain reliability and safety data for the architecture
[Figure: 1oo1 architecture and 1oo2D architecture with diagnostics]

Establish Proof Test Frequency - Options
In general the testing can include:
• Automatic testing which is built into the SIS
• Off-line testing, which is done manually while the process is not in operation
• On-line testing, which is done manually while the process is in operation
SIF Verification Task
[Figure: the Safety Requirements Specification (Safety Requirements including SIL target), the Manufacturer Safety Manual and the Failure Rate Database feed step 11, SIF Conceptual Design - Reliability / Safety Calc., which yields PFDavg, RRF, MTTFS and SIL achieved]

SIF Design Options
If the SIF verification shows that the SIL level has not been achieved by the proposed design, a number of options are available to the designer:
1. Re-evaluate the SIL requirement by adding other layers of protection, etc.
2. Reduce the proof test interval - this may involve provisions for on-line testing.
3. Choose equipment with better safety ratings - lower dangerous failure rate or better diagnostics.
4. Change the architecture by adding more redundancy.
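Step 11 (Reliability / Safety Calc.) and design options 2 to 4, as an added worked example that is not from the exida notebook: the PFDavg equations are the standard simplified 1oo1 and 1oo2 approximations, and the failure rates, test intervals, common-cause factor and SIL 2 target are all constructed.

```python
from dataclasses import dataclass, replace

# IEC 61508 / IEC 61511 low-demand SIL bands: (SIL, lower PFDavg bound, upper bound).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
HOURS_PER_YEAR = 8760.0


def sil_achieved(pfd_avg):
    """SIL band a PFDavg falls into; 0 when it is worse than SIL 1."""
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return 4 if pfd_avg < 1e-5 else 0


def pfd_avg_1oo1(lambda_du, test_interval_h):
    """Simplified PFDavg of a single channel: dangerous undetected failures
    accumulate between proof tests, so the channel is failed for half the
    interval on average.  Valid while lambda_du * TI << 1."""
    return lambda_du * test_interval_h / 2.0


def pfd_avg_1oo2(lambda_du, test_interval_h, beta):
    """Simplified PFDavg of two channels voted 1oo2: both independent
    channels must fail, plus a common-cause share beta that fails both at
    once and therefore behaves like a single channel."""
    independent = (1.0 - beta) * lambda_du
    return (independent * test_interval_h) ** 2 / 3.0 + beta * lambda_du * test_interval_h / 2.0


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du: float         # dangerous undetected failure rate, per hour
    test_interval_h: float   # proof test interval in hours
    voting: str = "1oo1"     # "1oo1" or "1oo2"
    beta: float = 0.0        # common-cause fraction, used by 1oo2 only

    def pfd_avg(self):
        if self.voting == "1oo1":
            return pfd_avg_1oo1(self.lambda_du, self.test_interval_h)
        if self.voting == "1oo2":
            return pfd_avg_1oo2(self.lambda_du, self.test_interval_h, self.beta)
        raise ValueError(f"{self.name}: unsupported voting {self.voting!r}")


def verify_sif(subsystems, target_sil):
    """Step 11: the SIF PFDavg is the sum over sensor, logic solver and
    final element; derive RRF and SIL achieved and compare with the target."""
    pfd_total = sum(s.pfd_avg() for s in subsystems)
    achieved = sil_achieved(pfd_total)
    return {"pfd_avg": pfd_total, "rrf": 1.0 / pfd_total,
            "sil_achieved": achieved, "meets_target": achieved >= target_sil}


def design_options(baseline, target_sil):
    """Re-run the verification under the slide's design options, each on its
    own: option 2 (shorter proof test interval) applied to every subsystem,
    options 3 and 4 applied to the weakest subsystem (largest PFDavg)."""
    weakest = max(baseline, key=lambda s: s.pfd_avg())

    def swap(modified):
        return tuple(modified if s is weakest else s for s in baseline)

    variants = {
        "baseline": baseline,
        "halve_test_interval": tuple(replace(s, test_interval_h=s.test_interval_h / 2) for s in baseline),
        "better_equipment": swap(replace(weakest, lambda_du=weakest.lambda_du / 2)),
        "add_redundancy_1oo2": swap(replace(weakest, voting="1oo2", beta=0.1)),
    }
    return {name: verify_sif(subs, target_sil) for name, subs in variants.items()}


# Constructed SIF (not from the notebook): one transmitter, a safety PLC and
# one shutdown valve, all proof tested yearly, against a SIL 2 target.
TARGET_SIL = 2
BASELINE = (
    Subsystem("Pressure transmitter", lambda_du=5e-7, test_interval_h=HOURS_PER_YEAR),
    Subsystem("Safety PLC", lambda_du=1e-8, test_interval_h=HOURS_PER_YEAR),
    Subsystem("Shutdown valve", lambda_du=2e-6, test_interval_h=HOURS_PER_YEAR),
)

if __name__ == "__main__":
    for name, r in design_options(BASELINE, TARGET_SIL).items():
        print(f"{name:20s} PFDavg={r['pfd_avg']:.2e} RRF={r['rrf']:.0f} "
              f"SIL {r['sil_achieved']} {'OK' if r['meets_target'] else 'FAIL'}")
```

The baseline lands just above the SIL 2 band (the valve dominates the PFDavg), and each of the three options brings it back inside the band on its own.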
Safety Lifecycle "Operation" Phases
[Figure: flowchart of the operation phases with inputs Event History, Application Standards, Hazard Characteristics, Consequence Database, Failure Probabilities, ending in 19. SIS Decommissioning]

Validation
[Figure: FAT -> Installation -> SAT / SIT -> Commissioning -> Start Up, with 15. SIS Safety Validation and Functional Safety Assessment]
• Objectives
- Verify that the SIS functions according to design requirements.
• Tasks
- Verify operation of field instruments
- Validate logic and operation
- Verify SIL of installed equipment
- Produce required documentation - Certifications if required
Periodic Proof Testing
17. SIS Operation and Maintenance
• Objectives
- Verify that the SIS continues to function according to design requirements and detect otherwise hidden failures
• Tasks
- Verify operation of field instruments
- Validate logic and operation
- Document results of all periodic testing

Modification and De-Commissioning
• Objectives
- Periodically review hazards and take corrective action if deemed necessary
• Tasks
- Periodically review hazards
  o Review incidents
  o Review Facility Change Notices or Management of Change (MOC) documents
- Update SIS as required according to the appropriate safety lifecycle step
Competency
• IEC 61508 Personnel Competency
"... ensuring that applicable parties involved in any of the overall E/E/PE or software safety lifecycle activities are competent to carry out activities for which they are accountable."
- IEC 61508, Part 1, Paragraph 6.2.1 (h)
"Persons, departments, or organizations involved in safety lifecycle activities shall be competent to carry out the activities for which they are accountable."
- IEC 61511, Part 1, Paragraph 5.2.2.2

Certified Functional Safety Expert/Professional (CFSE/CFSP) Programs
• Operated by the CFSE Governing Board
- To improve the skills and formally establish the competency of those engaged in the practice of safety system application in the process and manufacturing industries.
• Certification audited by exida Certification

Certified Functional Safety Expert/Professional (CFSE/CFSP) Programs
• CFSE: 10 yrs of related experience (reduced with education level) plus Case Study
• CFSE: 2 hour Multiple Choice + 3 hour Short Answer/Case Study Exams
• CFSP: 3 yrs of related experience (reduced with education level)
• CFSP: 3 hour Multiple Choice/Short Answer Exam
• Renewable each 9 years
Certified Functional Safety Expert/Professional (CFSE/CFSP) Programs
Resources Available:
• On-line Training
• Study Guide (Certified Functional Safety Expert Application Engineering - Process Study Guide, 2nd Edition)
• Reference Books

Section 2: Summary
• Accident Causes
• Safety Lifecycle Objectives
• IEC 61508 and IEC 61511 (ISA 84.01) versions of the Safety Lifecycle
• Analysis Phases
• Realization Phases
• Operation Phases
• Personnel Competency
Section 3: Principles of Risk Management
• Risk Definition
• Measuring Risk
• Risk Tolerance
• Risk Reduction
• Safety Lifecycle and Risk

What is risk?
Risk is a measure of the likelihood and consequence of an adverse effect. (i.e., How often can it happen and what will be the effects if it does?)
Risk receptors:
• Personnel
• Environment
• Financial
- Equipment/Property Damage
- Business Interruption
- Business Liability
- Company Image
- Lost Market Share
Why do companies manage risk?
• Companies have a legal, moral, and financial obligation to limit risk posed by their operation
• Understanding the way this is expressed in a company helps to develop safety policy consistent with the way that company already works
[Figure: three company attitudes - comply with regulations as written, regardless of cost or actual level of risk; make plant as safe as possible, disregard costs; build the lowest cost plant, keep operating budget as small as possible]

Basis for Risk Tolerance
• Risky activities are tolerated because they provide benefits and are always traded against other risks
- There is no such thing as zero risk in the real world
- Understanding the various risk and benefit options is critical to understanding what kind of risk can be tolerated in trade for what kind of benefit
Measuring Risk and Benefit
• Both risk and benefit must be measured to intelligently determine what to do in any situation
• Risk measurement must address both consequence and likelihood
• The consequences usually involve several forms of harm
• Harm is effectively defined as "loss of benefits" and thus brings benefits directly into the equation
• All significant forms of harm must be considered to properly measure risk

Expressions of Consequence
• Measure of risk depends on two factors:
- Who is being exposed to risk?
  • Individuals
  • Society
  • Environment
- What is the nature of the risk?
  • Fatality / Injury
  • Permanent / Temporary
  • Financial Loss
Individual Risk
Individual risk: frequency an individual may receive a given level of harm (usually death) from the outcome of specified hazards.
The UK HSE Tolerability of Risk framework sets individual risk of fatality limits of:
• Boundary between "broadly acceptable" and "tolerable" regions for risks entailing fatalities: 1 x 10^-6 per year (1 in a million per year)
• Boundary between "tolerable" and "unacceptable" regions for risks entailing fatalities: 1 x 10^-3 per year (1 in a thousand per year)
The ALARP region (As Low As Reasonably Practicable) typically falls in between these bounds.

Individual Risk and ALARP
[Figure: risk scale from High Risk down to Negligible Risk - "No way" (top region), "If it's worth it" (ALARP or Tolerable Region), "We accept it" (Broadly Acceptable Region)]
Defining Tolerable Risk
• Need both rigor and flexibility
• Need to consider all relevant forms of harm
• Needs to be consistent with both company and society practice

Tolerable Risk Level Example
All potential hazards must have less than
- 0.0005 fatal accidents per person per year
- 0.005 injuries per person per year
- 0.01 significant environmental release per plant per year
- $500,000 in business loss per plant per year, etc.
• What is good and bad about this tolerable risk statement?
Tolerable Risk Level Example
• Matrix form with guiding statement:
All extreme risk will be reduced and all moderate risks will be reduced where practical.

Frequency            | Recordable Injury | Lost Time Injury | Permanent Injury/Death | Many Deaths
1 per 100 years      | Acceptable        | Moderate         | Extreme                | Extreme
1 per 1,000 years    | Acceptable        | Acceptable       | Moderate               | Extreme
1 per 10,000 years   | Acceptable        | Acceptable       | Moderate               | Moderate
1 per 100,000 years  | Acceptable        | Acceptable       | Acceptable             | Moderate

• What is good and bad about this tolerable risk statement?

Application Exercise 1
• Tolerable Risk
- Apply the concept of ALARP and tolerable risk to developing a tolerable risk guideline for a company
Start with Inherent Process Risk
Risk: A combination of the probability of occurrence of harm and the severity of that harm (per IEC/ISO Guide 51:1990). A measure of the likelihood and consequence of adverse effects.
Inherent Risk: The risk from a completed process design that contains a given amount of process materials at given process parameters (i.e. temperature, pressure, etc.)

Risk Reduction
[Figure: Likelihood vs. Consequence plot showing the Acceptable Risk Region and the direction of Increasing Risk]
Risk Reduction using Inherent Risk
• Inherent risk measures the fundamental magnitude of a consequence
• Manage inherent risk by reducing toxic, flammable or explosive inventories
• Good process engineering support is vital

Risk Reduction using Geographic Risk
• Geographic risk measures the probability an event will occur in a specific geographic location
• Manage personnel risk by controlling where the people are: control room, work areas and pathways
Non-SIS Risk Reduction<br />
(Diagram: Likelihood vs. Consequence plot. The Inherent Risk of the Process sits in the Unacceptable Risk Region; Non SIS Risk Reduction, e.g. Pressure Relief Valves, is shown along the likelihood axis; Consequence Reduction, e.g., material reduction, containment dikes, physical protection, is shown along the consequence axis; the Acceptable Risk Region is in the lower-left corner and risk increases toward the upper right)<br />
83<br />
SIS Risk Reduction<br />
What is wrong<br />
with this slide?<br />
(Diagram: the same Likelihood vs. Consequence plot as slide 83, with the SIS risk reduction step added: Non SIS Risk Reduction, e.g. Pressure Relief Valves, along the likelihood axis; Consequence Reduction, e.g., material reduction, containment dikes, physical protection, along the consequence axis; the Inherent Risk of the Process in the Unacceptable Risk Region and the Acceptable Risk Region in the lower-left corner)<br />
84
Risk Management Standards<br />
• IEC 61508<br />
- International standard for electronic risk reduction<br />
and safety systems<br />
• IEC 60300-3-9<br />
- International standard containing guidelines for<br />
risk analysis techniques of technological systems<br />
• ISO 14001<br />
- International standard to guide environmental<br />
risk management<br />
• 29 CFR 1910<br />
- US OSHA regulation guiding process safety<br />
management<br />
85<br />
Risk Management Methods<br />
(Flowchart, top to bottom:)<br />
Establish context<br />
Identify risks<br />
Analyze risks (Likelihood & Consequence)<br />
Accept or treat risks<br />
• Identify treatment options<br />
• Evaluate treatment options<br />
• Select treatment options<br />
• Prepare treatment plan<br />
• Implement treatment plan<br />
86
Safety Lifecycle Objective<br />
(Flowchart: Analysis - Hazard Analysis / Risk Assessment: Define Design Targets - Document; Design - Execute HW and SW Design - Document; Verify - Evaluate Design: Reliability Analysis of Safety Integrity & Availability - Document, with a Modify loop back to Design; Operate and Maintain - Document. Objective: Reduce Risk to the tolerable level!)<br />
87<br />
Section 3: Summary<br />
• Risk Definition<br />
• Measuring Risk<br />
• Risk Tolerance<br />
• Risk Reduction<br />
• Safety Lifecycle and Risk<br />
88
Section 4: Probability<br />
• Rules of Probability<br />
• Types of events<br />
• Probability multiplication<br />
• Probability addition<br />
• Fault Trees<br />
89<br />
Probability Assignment<br />
• Probability assigned by two methods:<br />
- Physical property determination<br />
• Geometry, physical shape<br />
(pictures of dice faces)<br />
- Experimental outcome determination<br />
• Number of occurrences / Number of Trials<br />
• Probability is a number: 0 ≤ P ≤ 1<br />
Rules of Probability - Venn Diagrams<br />
(Venn diagram: rectangle where the entire event space is shown)<br />
Rules of Probability - Venn Diagrams<br />
(Venn diagram with three overlapping sets: Software Failure, Hardware Failure, Operational Failure)<br />
93<br />
Probability Assignment<br />
Venn Diagrams<br />
P(Gold) = 0.8<br />
P(Marble) = 0.75<br />
94
Event Types<br />
• INDEPENDENT - Events that do not affect<br />
each other:<br />
- Coin Tosses<br />
- Dice Throws<br />
• COMPLEMENTARY - When one outcome<br />
does not occur, the other will always occur<br />
• MUTUALLY EXCLUSIVE - When one event<br />
occurs the other cannot happen<br />
Complementary Events<br />
• Complementary Events<br />
- When one event does not occur, the other will occur<br />
• Tossing one coin<br />
- Two events possible - heads and tails<br />
• Success / Failure?<br />
• Probability of Complementary Events<br />
P(A*) = 1 - P(A)<br />
- Probability of successful operation for the next year is<br />
0.8. What is the probability of failure in the next year?<br />
97<br />
Mutually Exclusive Events<br />
• Mutually Exclusive Events<br />
- When one event occurs the other cannot<br />
happen<br />
• Toss of One Die<br />
- Outcomes (1,2,3,4,5,6) are mutually<br />
exclusive<br />
• Complementary?<br />
• Complementary Events Mutually Exclusive?<br />
98
Correlated Events<br />
• Positively correlated events<br />
- When one event occurs, the other is<br />
more likely to happen than for<br />
independent events<br />
• One event does not have to cause the<br />
other to be positively correlated<br />
• It is very dangerous to assume correlated<br />
failure events are independent<br />
99<br />
Probability Multiplication<br />
Independent:<br />
P(A AND B) = P(A) * P(B)<br />
Mutually Exclusive:<br />
P(A AND B) = 0<br />
Positively Correlated:<br />
P(A AND B) >> P(A) * P(B)<br />
100
Probability Multiplication<br />
• For independent events<br />
P(A and B) = P(A)*P(B)<br />
(Diagram: LIMIT SWITCH in series with SOLENOID VALVE)<br />
In the next year, the probability of successful operation for a<br />
limit switch is 0.9 and the probability of successful operation for<br />
a solenoid valve is 0.98. What is the probability of success for<br />
the system consisting of both elements?<br />
101<br />
P(A and B) = P(A) * P(B)<br />
P(Limit Switch Success) = 0.9<br />
P(Solenoid Success) = 0.98<br />
P(System Success) = 0.882<br />
The probability of system success requires the limit switch is<br />
successful AND the solenoid valve is successful, thus using<br />
probability multiplication:<br />
Psystem = 0.9 * 0.98 = 0.882<br />
102
Probability Addition<br />
Mutually Exclusive Events<br />
P(A OR B) = P(A) + P(B)<br />
103<br />
Probability Addition<br />
Mutually Exclusive Events<br />
P(A or B) = P(A) + P(B)<br />
One die is rolled. What is the probability of getting a 4 or a 6?<br />
104<br />
Probability Addition<br />
Mutually Exclusive Events<br />
P(A or B) = P(A) + P(B)<br />
One die is rolled. What is the probability of getting a 4 or a 6?<br />
It is the probability of rolling 4 OR of rolling 6. The<br />
probability of rolling 4 is 1/6, the probability of<br />
rolling 6 is 1/6, thus the probability of rolling 4 or 6<br />
is 1/6 + 1/6 or 2/6<br />
105<br />
Probability Addition<br />
Mutually Exclusive Events<br />
Pair of Dice Roll - Mutually<br />
Exclusive<br />
- What is the probability of<br />
rolling a 7 OR a 9?<br />
P(A OR B) = P(A) + P(B)<br />
(Table of the possible pair-of-dice sums, 2 through 12)<br />
106
Probability Addition<br />
Independent Events<br />
P(A or B) = P(A) + P(B) - P(A and B)<br />
Not Mutually Exclusive<br />
107<br />
Probability Addition<br />
Independent Events<br />
P(A or B) = P(A) + P(B) - P(A and B)<br />
A sack contains 100 objects. All are either<br />
round marbles or square blocks. All are<br />
either red or gold. 75% of the objects are<br />
marbles. 80% of the objects are gold. If an<br />
object is randomly selected, what is the<br />
probability that it will be either a marble OR<br />
gold?<br />
108<br />
Probability Addition<br />
Independent Events<br />
A sack contains 100 objects. All are either round marbles<br />
or square blocks. All are either red or gold. 75% of the<br />
objects are marbles. 80% of the objects are gold. If an<br />
object is randomly selected, what is the probability that it<br />
will be either a marble or gold?<br />
The events MARBLE and GOLD are not mutually exclusive because<br />
it is possible to withdraw an object that is both a marble AND gold.<br />
Thus, the non-mutually exclusive form of probability addition is used.<br />
P(M or G) = 0.75 + 0.8 - (0.75 * 0.8) = 0.95<br />
109<br />
Probability Addition<br />
Independent Events<br />
The probability of getting a gold<br />
object or marble object can<br />
also be calculated by using the<br />
rule of complementary events.<br />
The only way to NOT get the<br />
desired result is to get a red<br />
block. That probability equals<br />
0.2 * 0.25 = 0.05.<br />
Therefore: 1 - 0.05 = 0.95<br />
110
Probability Addition<br />
Three Independent Events<br />
What about three<br />
events?<br />
P(A or B or C) = P(A) + P(B) + P(C)<br />
- P(A * B) - P(A * C) - P(B * C)<br />
+ P(A * B * C)<br />
111<br />
(Slides 112 through 117 repeat the same three-event formula.)<br />
Probability Addition<br />
Three Independent Events<br />
General Solution:<br />
P(A OR B OR ... OR N) =<br />
1 - (1 - P_A) * (1 - P_B) * ... * (1 - P_N)<br />
118
Rules of Probability<br />
Exercises<br />
• On the throw of a pair of fair dice, what is the<br />
Rules of Probability<br />
Exercises<br />
• What is the probability of an incident over an interval of three<br />
years?<br />
- One approach is to calculate the probability of not having an<br />
incident in one year. This is a complementary event which<br />
equals 5/6. An incident does not occur in three years only if<br />
there is no incident in year one AND year two AND year three.<br />
That probability of no incident is 5/6 * 5/6 * 5/6 = 0.579<br />
- The probability of an incident is therefore 1 - 0.579 = 0.421<br />
• What is the probability of an incident in ten years?<br />
- Following a similar approach for a period of ten years, the<br />
probability equals 1 - (5/6)^10 = 0.839<br />
121<br />
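The probability rules of slides 100 through 121, carried through as an added Python example (this is illustrative code, not part of the exida notebook): multiplication for independent events, addition for mutually exclusive and for independent events, the three-event inclusion-exclusion formula written for any number of events, and the general complement form of slide 118. The numeric cases are the slides' own (limit switch and solenoid, one die showing 4 or 6, marble-or-gold, an incident over several years); the pair-of-dice function counts the 36 outcomes for the 7-or-9 question that the slides leave as an exercise. All function names are mine.

```python
"""Rules of probability from the slides, carried through as code.

Added example, not part of the exida notebook. The numeric cases are the
slides' own: limit switch and solenoid (slide 102), one die showing 4 or 6
(slide 105), marble-or-gold (slide 109), an incident over several years
(slide 121). The function names are mine.
"""
from itertools import combinations
from math import prod


def p_and_independent(*probs: float) -> float:
    """Probability multiplication for independent events: P(A and B) = P(A) * P(B)."""
    return prod(probs)


def p_or_mutually_exclusive(*probs: float) -> float:
    """Probability addition for mutually exclusive events: P(A or B) = P(A) + P(B).
    Rejects inputs whose sum exceeds 1: such events cannot be mutually
    exclusive, so the general (inclusion-exclusion) form is needed instead."""
    total = sum(probs)
    if total > 1.0:
        raise ValueError("events cannot be mutually exclusive: probabilities sum above 1")
    return total


def p_pair_of_dice_sum(*targets: int) -> float:
    """Probability that two fair dice sum to any of `targets` (slide 106).
    Distinct sums are mutually exclusive, so the outcome counts simply add."""
    outcomes = [(a, b) for a in range(1, 7) for b in range(1, 7)]
    hits = sum(1 for a, b in outcomes if a + b in targets)
    return hits / len(outcomes)


def p_or_inclusion_exclusion(probs) -> float:
    """P(A or B or ...) for independent events by inclusion-exclusion:
    sum of singles, minus pairs, plus triples, ... This is the three-event
    formula of slide 111 written for any number of events."""
    total = 0.0
    for k in range(1, len(probs) + 1):
        sign = 1.0 if k % 2 else -1.0
        total += sign * sum(prod(c) for c in combinations(probs, k))
    return total


def p_or_complement(probs) -> float:
    """General solution of slide 118: 1 - (1 - P_A)(1 - P_B)...(1 - P_N).
    The OR fails only when every event fails to occur, and for independent
    events those complements multiply."""
    return 1.0 - prod(1.0 - p for p in probs)


def p_incident_over_years(p_per_year: float, years: int) -> float:
    """At least one incident in `years` independent years (slide 121)."""
    return p_or_complement([p_per_year] * years)
```

The inclusion-exclusion and complement functions give the same answer for any set of independent events; the complement form is the one to use in practice because its cost grows linearly with the number of events rather than with the number of subsets.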
Application Exercise 2<br />
• Probability<br />
- Apply the rules of probability<br />
122
Fault Tree Analysis<br />
Fault Tree - Graphical "Top Down" method to show the logical<br />
relationship of failure probabilities and frequencies<br />
123<br />
Fault Tree Main Symbols<br />
Commonly Used Symbols<br />
- OR Gate<br />
- AND Gate<br />
- Event or Resulting Fault<br />
- Basic Event<br />
Occasionally Used Symbols<br />
- Incomplete Event<br />
- Inhibit Gate<br />
- House Event<br />
(Trigger event guaranteed<br />
to occur under<br />
model conditions)<br />
124
Fault Tree 'AND' Gates<br />
Independent Events<br />
(Fault tree: top event "Battery system failure" under an AND gate with two basic events, p = 0.2 and p = 0.01)<br />
Quantitative Analysis of Fault<br />
Trees - combine probabilities<br />
using probability multiplication<br />
What is the probability of<br />
battery system failure?<br />
AND gates are solved using<br />
probability multiplication:<br />
Ptop = 0.2 * 0.01 = 0.002<br />
125<br />
Fault Tree 'OR' Gates<br />
(Fault tree: top event "Shutoff valve fails to close" under an OR gate with two basic events, "Solenoid fails to vent actuator", p = 0.001, and "Valve sticks, preventing closure", p = 0.001)<br />
Quantitative Analysis of Fault<br />
Trees - combine probabilities<br />
using probability addition<br />
What is the probability the<br />
valve fails to close?<br />
OR gates are solved using<br />
probability addition (non-mutually<br />
exclusive in this case):<br />
Ptop = 0.001 + 0.001 - (0.001 *<br />
0.001) = 0.001999<br />
126
Multiple Input Gates<br />
(Fault tree: EVENT A (Pa), EVENT B (Pb), EVENT C (Pc) into an OR gate; P = Probability)<br />
P = Pa + Pb + Pc - (Pa x Pb)<br />
- (Pa x Pc) - (Pb x Pc) + (Pa x Pb x Pc)<br />
IF events A, B, and C are mutually exclusive then<br />
P(A or B or C) = P(A) + P(B) + P(C).<br />
(Fault tree: EVENT A (Pa), EVENT B (Pb), EVENT C (Pc) into an AND gate)<br />
P = Pa x Pb x Pc<br />
127<br />
Frequency and Probability<br />
(Fault tree: EVENT A and EVENT B, one a frequency and one a probability, into an OR gate: Not possible)<br />
Frequency/Probability Logic<br />
(Fault tree: EVENT A (frequency Fa) and EVENT B (probability Pb) into an AND gate)<br />
F = Fa x Pb<br />
128
Frequency Logic<br />
(Fault tree: EVENT A, EVENT B, EVENT C, all frequencies, into one gate; EVENT A and EVENT B, both frequencies, into a second gate marked Not possible)<br />
Convert one frequency to a<br />
probability using a specified time<br />
base e.g. Failure rate (λ) converts to<br />
PF using 1 - e^(-λt) (more in FSE II)<br />
129<br />
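The gate rules of slides 125 through 129 collected into one small fault-tree evaluator, as an added Python example (illustrative code, not the exida tool). Each basic event carries a value and a kind, probability or frequency, so the evaluator can apply the right combination rule at each gate and refuse the combinations the slides mark "Not possible" (OR mixing a frequency with a probability, AND of two frequencies). The battery and shutoff-valve trees are the slides' own numbers; the frequency-times-probability tree uses constructed values, and the class and function names are mine.

```python
"""Fault-tree gate rules from slides 125 to 129, as an added example.

Illustrative code, not exida's tool. Each basic event carries a value and a
kind: "p" for a probability (dimensionless) or "f" for a frequency (events
per year). The gate rules encoded here:
  AND of probabilities                 -> product              (slide 125)
  OR of probabilities                  -> 1 - prod(1 - p), the non-mutually
                                          exclusive addition   (slide 126)
  OR of mutually exclusive events      -> plain sum            (slide 127)
  AND of one frequency and probabilities -> F x P1 x P2 ...    (slide 128)
  OR of frequencies                    -> sum
  OR mixing frequency and probability, or AND of two frequencies
                                       -> rejected; slides 128-129 mark
                                          these "Not possible"
"""
from dataclasses import dataclass, field
from math import exp, prod


@dataclass
class Event:
    name: str
    value: float
    kind: str = "p"   # "p" = probability, "f" = frequency per year


@dataclass
class Gate:
    name: str
    op: str           # "AND" or "OR"
    inputs: list = field(default_factory=list)   # Events or nested Gates
    exclusive: bool = False   # OR inputs known to be mutually exclusive


def rate_to_probability(lam: float, t_years: float) -> float:
    """Failure rate λ to probability of failure over t, 1 - e^(-λt) (slide 129)."""
    return 1.0 - exp(-lam * t_years)


def evaluate(node):
    """Return (value, kind) for an Event or Gate, applying the rules above."""
    if isinstance(node, Event):
        if node.kind == "p" and not 0.0 <= node.value <= 1.0:
            raise ValueError(f"{node.name}: a probability must lie in [0, 1]")
        return node.value, node.kind
    results = [evaluate(child) for child in node.inputs]
    values = [v for v, _ in results]
    kinds = {k for _, k in results}
    if node.op == "AND":
        n_freq = sum(1 for _, k in results if k == "f")
        if n_freq > 1:
            raise ValueError(f"{node.name}: AND of two frequencies is not defined; "
                             "convert one to a probability over a time base first")
        return prod(values), ("f" if n_freq == 1 else "p")
    if node.op == "OR":
        if len(kinds) > 1:
            raise ValueError(f"{node.name}: OR cannot mix a frequency with a probability")
        if kinds == {"f"}:
            return sum(values), "f"          # frequencies of separate causes add
        if node.exclusive:
            return sum(values), "p"          # mutually exclusive: plain addition
        return 1.0 - prod(1.0 - p for p in values), "p"   # general OR
    raise ValueError(f"{node.name}: unknown gate type {node.op!r}")


# Slide 125: battery system failure, AND of two basic events p = 0.2 and p = 0.01.
BATTERY = Gate("Battery system failure", "AND",
               [Event("basic event 1", 0.2), Event("basic event 2", 0.01)])

# Slide 126: shutoff valve fails to close, OR of two p = 0.001 events.
VALVE = Gate("Shutoff valve fails to close", "OR",
             [Event("Solenoid fails to vent actuator", 0.001),
              Event("Valve sticks, preventing closure", 0.001)])

# Slide 128 logic, F = Fa x Pb, with constructed numbers (not from the slides).
DEMAND = Gate("Hazardous event", "AND",
              [Event("Initiating event", 0.1, "f"),     # constructed: 0.1 per year
               Event("Protection layer fails", 0.01)])  # constructed PFD


def battery_ptop() -> float:
    return evaluate(BATTERY)[0]       # 0.002


def valve_ptop() -> float:
    return evaluate(VALVE)[0]         # 0.001999


def demand_frequency():
    return evaluate(DEMAND)           # (0.001, "f")
```

Carrying the kind through the tree is what makes the unit error detectable: a tree that ANDs two frequencies, or ORs a frequency with a probability, yields a number with no meaning, and the evaluator raises instead of silently producing one.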
Application Exercise 3<br />
• Fault Trees<br />
- Solve fault tree models<br />
130
Section 4: Probability Review<br />
• Rules of Probability<br />
• Types of events<br />
• Probability multiplication<br />
• Probability addition<br />
• Fault Trees<br />
131<br />
Section 5: Process Hazard Analysis<br />
• Hazard and Other Term Definitions<br />
• Process Hazard Analysis<br />
• HAZOP<br />
• Consequence Analysis<br />
• Likelihood Analysis<br />
• Fault Propagation<br />
• Event Tree Analysis<br />
• Risk Integrals<br />
132
Definition of Hazard<br />
• A potential source of harm<br />
- IEC 61508-4, Sub clause 3.1.2<br />
• A chemical or physical condition that<br />
has the potential for causing damage<br />
to people, property, or the environment<br />
(e.g., a pressurized tank containing<br />
500 tons of ammonia)<br />
- CCPS, Guidelines for CPQRA<br />
133<br />
Term: Initiating Event<br />
Initiating Event: The<br />
first event in an<br />
event sequence<br />
(e.g., the stress<br />
corrosion resulting<br />
in leak/rupture of the<br />
connecting pipeline<br />
to the ammonia<br />
tank)<br />
134
Term: Intermediate Event<br />
Intermediate Event: An event<br />
that propagates or mitigates<br />
the initiating event during an<br />
event sequence (e.g.,<br />
improper operator action<br />
fails to stop the initial<br />
ammonia leak and causes<br />
propagation of the<br />
intermediate event to an<br />
incident; in this case the<br />
intermediate event outcome<br />
is a toxic release)<br />
135<br />
Term: Incident<br />
Incident: The loss of<br />
containment of material<br />
or energy<br />
(e.g., leak of 10 lb/s of<br />
ammonia from a<br />
connecting pipeline to<br />
the ammonia tank,<br />
producing a toxic vapor<br />
cloud); not all events<br />
propagate into<br />
incidents.<br />
136
Term: Incident Outcome<br />
Incident Outcome: The<br />
physical manifestation of the<br />
incident; for toxic materials,<br />
the incident outcome is a<br />
toxic release, while for<br />
flammable materials, the<br />
incident outcome could be a<br />
Boiling Liquid Expanding<br />
Vapor Cloud Explosion<br />
(BLEVE), flash fire,<br />
unconfined vapor cloud<br />
explosion, toxic release, etc.<br />
(e.g., for a 10 lb/s leak of<br />
ammonia, the incident<br />
outcome is a toxic release)<br />
137<br />
Term: Consequence<br />
Consequence: A<br />
measure of the<br />
expected effects of an<br />
incident outcome case<br />
(e.g., an ammonia cloud<br />
from a 10 lb/s leak<br />
under stability class D<br />
weather conditions, and<br />
a 1.4-mph wind<br />
traveling in a northerly<br />
direction will injure 50<br />
people).<br />
138
From Potential to Reality<br />
Given that a Hazard exists with potential for Harm, an<br />
Initiating Event - is often followed by an<br />
Intermediate Event - which may create another<br />
Intermediate Event - which may result in an<br />
Incident - where the result is called an<br />
Incident Outcome - which, depending<br />
on circumstances results in<br />
CONSEQUENCES<br />
139<br />
SLC "Analysis" Phase - Hazard Identification<br />
(Flowchart; inputs on the left, steps in the middle, outputs on the right:)<br />
Process Safety Information, Event History, Application Standards -> 1. Process Design - Scope Definition<br />
2. Identify Potential Hazards -> Potential Hazards<br />
Hazard Characteristics, Consequence Database -> 3. Consequence Analysis -> Hazard Consequence<br />
4. Identify Protection Layers -> Layers of Protection<br />
Failure Probabilities (LOPA) -> 5. Likelihood Analysis -> Hazard Frequencies<br />
Required? YES -> Design of other risk reduction facilities<br />
Tolerable Risk Guidelines -> 6. Select RRF, Target SIL for each SIF -> RRF, Target SIL<br />
7. Develop Process Safety Specification -> Safety Requirements Specification<br />
IEC 61511 Stage 1 FSA<br />
140<br />
What Is Process Hazards Analysis?<br />
• IEC 61508-1 specifies 3 objectives:<br />
- Determine the hazards and hazardous events<br />
of the equipment under control (EUC) and the<br />
EUC control system (in all modes of operation), for<br />
all reasonably foreseeable circumstances<br />
including fault conditions and misuse<br />
- Determine the event sequences leading to the<br />
hazardous events determined above<br />
- Determine the EUC risks associated with the<br />
hazardous events determined above<br />
141<br />
What Is Process Hazards Analysis?<br />
• Identifying Hazards<br />
- Hazards are often identified during PHA<br />
• Estimating Consequences<br />
• Estimating Likelihood (Frequency)<br />
142
Common PHA Methods<br />
• Checklist<br />
• What if?<br />
• What if? / Checklist<br />
• HAZOP (Hazards and Operability Study)<br />
• FMEA (Failure Modes and Effects Analysis)<br />
• Fault Tree Analysis<br />
• Appropriate Equivalent Methods<br />
143<br />
Typical PHA<br />
Requirements<br />
• Hazards of the process<br />
• Previous incidents with catastrophic potential<br />
• Engineering and administrative controls<br />
• Consequences of engineering and<br />
administrative control failures<br />
• Facility siting (layout, access, exposures, etc.)<br />
• Human factors (errors, ergonomics, etc.)<br />
• Qualitative evaluation of effects of failures<br />
144<br />
Recommendations for<br />
Effective PHAs<br />
• Conducted by team with members expert in:<br />
- Engineering and process operations<br />
- Specific equipment or process under consideration<br />
- Specific hazards analysis process being used<br />
• Document process<br />
• Ensure recommendations are acted upon<br />
• Revisit analysis every five years<br />
(RMP in the US, MHF in Australia, COMAH in UK)
PHA - HAZOP<br />
Function to prevent<br />
brittle fracture of<br />
carbon steel field piping<br />
(P&ID sketch: RECOMPRESSION, INLET GAS, PROPANE and NATURAL GAS LIQUIDS streams through the heat exchanger)<br />
147<br />
PHA - HAZOP<br />
Identifying SIF<br />
Node: Warm End Cryogenic Heat Exchanger<br />
Parameter: Temperature<br />
Deviation | Cause | Consequence | Safeguards | Recommendation | Action<br />
Too low | Flow imbalance between streams | Potential brittle fracture of downstream piping and fire | Alarms, Process shut off, Indep. PLC Low T shut off | Should Indep. PLC low T shut off be an SIS? | J. Jones<br />
Too low | Weather extreme | Potential brittle fracture of downstream piping and fire | PLC Low T shut off | Same as above and verify likelihood of weather extreme | J. Jones<br />
Too high | Flow imbalance between streams | Potential compressor damage | Flow alarms and Process shut off | Verify if compressor will be damaged | S. Smith<br />
148
SIF Description<br />
• Recommended SIF found in<br />
Recommendations Column (Recommended safeguard)<br />
• Existing SIF found in Safeguards Column<br />
Deviation | Cause | Consequence | Safeguards | Recommendation | Action<br />
Too low | Flow imbalance between streams | Potential brittle fracture of downstream piping and fire | Alarms, Process shut off, Indep. PLC Low T shut off | Should Indep. PLC low T shut off be an SIS? | J. Jones<br />
Too low | Weather extreme | Potential brittle fracture of downstream piping and fire | PLC Low T shut off | Same as above and verify likelihood of weather extreme | J. Jones<br />
Too high | Flow imbalance between streams | Potential compressor damage | Flow alarms and Process shut off | Verify if compressor will be damaged | S. Smith<br />
149<br />
Hazard and Consequences<br />
• The hazard that is being prevented, and its<br />
consequence can be found in a Consequences<br />
or Description of Hazard column<br />
Deviation | Cause | Consequence | Safeguards | Recommendation | Action<br />
Too low | Flow imbalance between streams | Potential brittle fracture of downstream piping and fire | Alarms, Process shut off, Indep. PLC Low T shut off | Should Indep. PLC low T shut off be an SIS? | J. Jones<br />
Too low | Weather extreme | Potential brittle fracture of downstream piping and fire | PLC Low T shut off | Same as above and verify likelihood of weather extreme | J. Jones<br />
Too high | Flow imbalance between streams | Potential compressor damage | Flow alarms and Process shut off | Verify if compressor will be damaged | S. Smith<br />
Initiating Events<br />
• In HAZOP, Initiating events in causes column<br />
• What-If and Checklist questions<br />
• Potential for multiple initiating events per hazard<br />
Both Initiating Events cause the same consequence<br />
Deviation | Cause | Consequence | Safeguards | Recommendation | Action<br />
Too low | Flow imbalance between streams | Potential brittle fracture of downstream piping and fire | Alarms, Process shut off, Indep. PLC Low T shut off | Should Indep. PLC low T shut off be an SIS? | J. Jones<br />
Too low | Weather extreme | Potential brittle fracture of downstream piping and fire | PLC Low T shut off | Same as above and verify likelihood of weather extreme | J. Jones<br />
Too high | Flow imbalance between streams | Potential compressor damage | Flow alarms and Process shut off | Verify if compressor will be damaged | S. Smith<br />
151<br />
Safeguards<br />
• Find both non-SIS and SIS Safeguards, other<br />
than SIS under study<br />
• Safeguards apply to initiating events, multiple<br />
safeguards per initiating event may exist<br />
Deviation | Cause | Consequence | Safeguards | Recommendation | Action<br />
Too low | Flow imbalance between streams | Potential brittle fracture of downstream piping and fire | Alarms, Process shut off, Indep. PLC Low T shut off | Should Indep. PLC low T shut off be an SIS? | J. Jones<br />
Too low | Weather extreme | Potential brittle fracture of downstream piping and fire | PLC Low T shut off | Same as above and verify likelihood of weather extreme | J. Jones<br />
Too high | Flow imbalance between streams | Potential compressor damage | Flow alarms and Process shut off | Verify if compressor will be damaged | S. Smith<br />
152
Identifying SIF from P&IDs<br />
• PHA Studies not always 100% effective<br />
• Past experience of Licensors and Detailed Design<br />
Contractors is incorporated into the design<br />
• SIF in the design package are not typically<br />
differentiated from other control loops<br />
• Identification of SIF based on P&ID representation<br />
requires control engineering expertise<br />
• Hazard, consequence, and safeguards related to SIF<br />
require process and risk assessment expertise<br />
153<br />
PHA Step 2 - Consequence Analysis<br />
(Same hazard identification flowchart as slide 140; inputs on the left, steps in the middle, outputs on the right:)<br />
Process Safety Information, Event History, Application Standards -> 1. Process Design - Scope Definition<br />
2. Identify Potential Hazards -> Potential Hazards<br />
Hazard Characteristics, Consequence Database -> 3. Consequence Analysis -> Hazard Consequence<br />
4. Identify Protection Layers -> Layers of Protection<br />
Failure Probabilities (LOPA) -> 5. Likelihood Analysis -> Hazard Frequencies<br />
Design of other risk reduction facilities<br />
Tolerable Risk Guidelines -> 6. Select RRF, Target SIL for each SIF -> RRF, Target SIL<br />
7. Develop Process Safety Specification<br />
IEC 61511 Stage 1 FSA<br />
What is included in<br />
Consequence Analysis?<br />
• Should consider:<br />
- Fatality and injury<br />
- Property damage<br />
- Business interruption<br />
- Environmental damage<br />
- Third-party liability<br />
- Corporate image<br />
155<br />
Toxic Hazards<br />
• Toxic effect zones<br />
are a function of:<br />
- Release quantity<br />
- Release duration<br />
- Source Geometry<br />
- Elevation/Orientation<br />
- Initial Chemical Density<br />
- Atmospheric Conditions<br />
- Surrounding Terrain<br />
- Limiting Concentration<br />
156
Consequence Analysis Methods<br />
• Estimate and Categorize<br />
• Statistical<br />
• Consequence Modeling<br />
157<br />
Consequence Categorization<br />
Severity Rating | Impact<br />
Minor | Impact initially limited to local area of the event with potential for broader consequence if corrective action is not taken.<br />
Serious | One that could cause any serious injury or fatality on-site or off-site, or property damage of $1 MM on-site, or $5 MM off-site.<br />
Extensive | One that is five or more times worse than a SERIOUS accident.<br />
Based on information found in Guidelines for<br />
the Safe Automation of Chemical Processes,<br />
AIChE<br />
158
Statistical Consequence Analysis<br />
Use accident statistics to calculate average consequence.<br />
Advantage: Well defined number<br />
Problems:<br />
1. Applicability of data, is the new situation<br />
similar enough?<br />
2. Is there enough data to be statistically<br />
significant?<br />
159<br />
Statistical Consequence Analysis<br />
Use accident statistics to calculate average consequence.<br />
Example:<br />
In a five year period there were 235 explosions of industrial<br />
boilers.<br />
As a result of those explosions, 17 people were killed and<br />
84 people were injured.<br />
Probable Loss of Life (PLL) = 17 / 235 = 0.073 per incident<br />
Probable Injury (PI) = 84 / 235 = 0.358 per incident<br />
160
[ Consequence Modeling ]<br />
• Calculates "Effect Zones" and "Effect Distances"<br />
• Typically uses mathematical models<br />
[Figure: typical consequence modeling results for a toxic chemical release - injury zone 23 meters, fatality zone 9 meters; Probable Loss of Life: 0.27; Probable Injuries: 2.56]<br />
[ Consequence Modeling ]<br />
• Consequence is a function of effect zone, occupancy, and vulnerability<br />
- Occupancy is the average number of people (or other receptors) in the effect zone - random and normally occupied buildings<br />
- Vulnerability is the probability of fatality (or other harm level) given a person is in the effect zone<br />
Consequence = Occupancy × Vulnerability<br />
[ Term: Effect Zone ]<br />
Effect Zone: For an incident outcome of toxic release, the area over which the airborne concentration exceeds some level of concern. [e.g., given an IDLH for ammonia of 500 ppm (v), an effect zone of 4.6 square miles is estimated for a 10 lb/s leak].<br />
Zones for thermal effects and explosion overpressure are described in a similar fashion.<br />
[Figure: effect-zone diagram - 87 meters; injury zone 23 meters; fatality zone 9 meters]<br />
[ Consequence Modeling Tools ]<br />
ARCHIE<br />
- Public/Proprietary, Cost: Public; developed by EPA, FEMA, and DOT; Free<br />
- Model Capability: gas or liquid; buoyant or dense gas modeling; mixtures; explosions<br />
- Strengths: openly available; credit for some passive mitigation (e.g., dikes, etc.)<br />
- Limitations: gives very conservative results for toxics; no chemical database; DOS user interface; limited flexibility<br />
DEGADIS<br />
- Public/Proprietary, Cost: Public; co-funded by DOT, EPA, and DOE<br />
- Model Capability: gas or liquid; dense gas modelling; variable<br />
- Strengths: Windows, easy to use; chemicals can be preloaded; portions of model incorporated into ALOHA<br />
- Limitations: need expert support; limited chemical database, can be supplemented<br />
PHAST<br />
- Public/Proprietary, Cost: Proprietary; developed by Det Norske Veritas; High Cost<br />
- Model Capability: gas or liquid; buoyant or dense gas modelling; chemical database; mixtures; explosions<br />
- Strengths: DIPPR chemical database; can do aerosols; previous releases widely accepted within industry; good graphic ability<br />
- Limitations: dispersion may exceed EPA OCA; need expert support<br />
[ Application Exercise 4 ]<br />
• Consequence Analysis<br />
- Estimate consequences<br />
[ PHA Step 3 - Likelihood Analysis ]<br />
[Figure: safety lifecycle flowchart; each step is shown with its inputs (left) and its output (right)]<br />
1. Process Design - Scope Definition → Process Safety Information<br />
2. Identify Potential Hazards (inputs: Event History, Application Standards) → Potential Hazards<br />
3. Consequence Analysis (inputs: Hazard Characteristics, Consequence Database) → Hazard Consequence<br />
4. Identify Protection Layers → Layers of Protection<br />
5. Likelihood Analysis (input: Failure Probabilities (LOPA)) → Hazard Frequencies<br />
6. Select RRF, Target SIL for each SIF (input: Tolerable Risk Guidelines; decision branch to design of other risk reduction facilities) → RRF, Target SIL<br />
7. Develop Process <strong>Safety</strong> Requirements Specification → <strong>Safety</strong> Requirements Specification<br />
IEC 61511 Stage 1 FSA<br />
[ Likelihood / Frequency ]<br />
• Hazard Likelihood according to IEC 61511 Part 3<br />
- Refers to a frequency such as the number of events per year or per million hours<br />
- Note this is different from the common English definition equating it to probability<br />
[ Likelihood Analysis Methods ]<br />
• Estimate and Categorize<br />
• Statistical<br />
• Likelihood Modeling<br />
[ Likelihood Categorization ]<br />
Type of Events | Likelihood (Frequency Near) | Qualitative Ranking<br />
A failure or series of failures with a very low probability of occurrence within the<br />
1
Likelihood Analysis via Fault Propagation Modeling<br />
• Analyze the chain of events that leads to an accident<br />
Decompose the specific problem into generic events for which statistical data is likely to be available.<br />
Fault Propagation Modeling<br />
• Analyze the chain of events that leads to an accident<br />
• Use event rate data of individual components, not the entire system<br />
- Component failure event data is easier to find<br />
• Calculate overall likelihood using probability logic<br />
[ Event Tree Analysis ]<br />
• Good fault propagation model for process risk estimation<br />
• Event chains connect single initiating event to multiple outcomes through intermediate branch points<br />
[Figure: event tree - Initiating Event, branch points, Outcomes 3 to 6]<br />
[ A Typical Event Tree ]<br />
[Figure: a typical event tree]<br />
Likelihood Analysis using a Fault Tree<br />
[Figure: fault tree - Initiating Event (F_I) and Protection Layer 1 (P_A), Protection Layer 2 (P_B), Protection Layer 3 (P_C), Protection Layer 4 (P_D) combined through an AND gate, giving Frequency (F / yr) = F_I · P_A · P_B · P_C · P_D]<br />
The frequency (F) at which a hazardous event will occur will be:<br />
F = F_I × P_A × P_B × P_C × P_D<br />
Example: Drawing an Event Tree<br />
• Draw an event tree for fire resulting from a brittle piping fracture<br />
- Assume the initiating event is the pipe fracturing<br />
- The primary event branches are:<br />
o Is the break minor or catastrophic?<br />
o Does the vapor cloud find a source of ignition?<br />
o Are other areas ignited as well?<br />
Event Tree Drawing Example Result<br />
[Figure: event tree drawn for the pipe fracture example]<br />
[ Outcome Probability Example ]<br />
• Data:<br />
- Pipe fracture, 1/20 year<br />
- Probability of small leak after fracture, 1/3<br />
- Probability of ignition, 10% in small leak, 30% in catastrophic leak<br />
- Probability of explosive propagation to full plant, 20% in large fire, 4% in small fire<br />
• Calculate likelihood of:<br />
- Plant explosion<br />
- Small fire, plant intact<br />
Event Tree Calculation Example<br />
[Figure: event tree for the pipe fracture example with branch probabilities and outcome frequencies]<br />
Full plant explosion is in two places so the frequencies add to give a total frequency of 0.00201 + 0.00006 = 0.00208 per year, or once per ~480 years<br />
[ Risk Integral Definition ]<br />
• Risk integrals are a measure of the total risk<br />
- A summation of likelihood and consequence for all potential loss events<br />
Considering All the Impacts with Risk Integrals<br />
• Outcomes must be expressed in the same terms as the tolerable risk limits<br />
- For the single variable method, this involves "Multi-Attribute Utility"<br />
• Risk integral approach<br />
- Risk integral approach can also be applied to the personnel and financial components of risk independently of each other<br />
[ Risk Integral Equation ]<br />
• The nominal equation for the risk integral is:<br />
RI = Σ (i = 1 to n) C_i F_i<br />
RI = risk integral<br />
n = number of hazardous events<br />
C = consequence of the event (in terms of fatalities for loss of life calculation)<br />
F = frequency of the event<br />
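The pipe fracture event tree from the Outcome Probability Example and the risk integral defined just above, worked through as an added Python example (not part of the course material): the initiating frequency and branch probabilities are the slide's, while the fatalities-per-outcome values used for RI are constructed for illustration.

```python
"""Event tree evaluation and risk integral for the pipe-fracture example.

Added example, not from the course material. Branch probabilities and the
initiating frequency are those on the 'Outcome Probability Example' slide;
the fatalities-per-outcome figures used for the risk integral are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass
class Branch:
    """A yes/no branch point. Each side is either another Branch or the
    name (str) of the outcome reached when the path ends there."""
    question: str
    p_yes: float
    yes: Union["Branch", str]
    no: Union["Branch", str]


def enumerate_paths(node: Union[Branch, str], freq: float) -> List[Tuple[str, float]]:
    """Walk the tree from an initiating event of frequency `freq` (per year),
    multiplying by each branch probability along the path, and return every
    (outcome, frequency) leaf."""
    if isinstance(node, str):
        return [(node, freq)]
    if not 0.0 <= node.p_yes <= 1.0:
        raise ValueError(f"branch probability out of range at: {node.question}")
    return (enumerate_paths(node.yes, freq * node.p_yes)
            + enumerate_paths(node.no, freq * (1.0 - node.p_yes)))


def outcome_frequencies(paths: List[Tuple[str, float]]) -> Dict[str, float]:
    """Paths ending in the same outcome add (the slide's 'full plant explosion
    is in two places so the frequencies add')."""
    totals: Dict[str, float] = {}
    for outcome, f in paths:
        totals[outcome] = totals.get(outcome, 0.0) + f
    return totals


def risk_integral(freqs: Dict[str, float], consequences: Dict[str, float]) -> float:
    """RI = sum over outcomes i of C_i * F_i. Outcomes with no consequence
    entry (e.g. a leak that does not ignite) contribute zero."""
    return sum(f * consequences.get(outcome, 0.0) for outcome, f in freqs.items())


# Pipe fracture example from the slides: initiating event 1/20 per year
PIPE_FRACTURE_FREQ = 1.0 / 20.0

PIPE_FRACTURE_TREE = Branch(
    "Is the break a small leak?", 1.0 / 3.0,
    yes=Branch("Does the vapor cloud ignite?", 0.10,
               yes=Branch("Does the fire propagate to the full plant?", 0.04,
                          yes="Full plant explosion",
                          no="Small fire, plant intact"),
               no="Small leak, no ignition"),
    no=Branch("Does the vapor cloud ignite?", 0.30,
              yes=Branch("Does the fire propagate to the full plant?", 0.20,
                         yes="Full plant explosion",
                         no="Large fire, plant intact"),
              no="Catastrophic leak, no ignition"),
)

# Constructed consequence values (fatalities per event) for the risk integral
CONSEQUENCES = {
    "Full plant explosion": 5.0,
    "Large fire, plant intact": 0.5,
    "Small fire, plant intact": 0.05,
}


def pipe_fracture_results() -> Tuple[Dict[str, float], float]:
    """Outcome frequencies (per year) and the risk integral (fatalities/year)."""
    freqs = outcome_frequencies(enumerate_paths(PIPE_FRACTURE_TREE, PIPE_FRACTURE_FREQ))
    return freqs, risk_integral(freqs, CONSEQUENCES)


if __name__ == "__main__":
    freqs, ri = pipe_fracture_results()
    for outcome, f in sorted(freqs.items(), key=lambda kv: kv[1], reverse=True):
        print(f"{outcome:32s} {f:.5f} /yr   (once per {1.0 / f:,.0f} years)")
    print(f"Risk integral: {ri:.4f} fatalities/yr")
```

The two explosion paths sum to about 0.00207 per year (once per roughly 480 years, as the slide states), and the leaf frequencies always add back up to the initiating frequency, which is a useful sanity check on any hand-drawn tree.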
Event Tree Risk Integral Example<br />
[Figure: event tree with outcome frequencies and PLL values used to build the risk integral]<br />
[ Application Exercise 5 ]<br />
• Event Tree Analysis<br />
[ Section 5: Summary ]<br />
• Hazard and Other Term Definitions<br />
• Process Hazard Analysis<br />
• HAZOP<br />
• Consequence Analysis<br />
• Likelihood Analysis<br />
• Fault Propagation<br />
• Event Tree Analysis<br />
• Risk Integrals<br />
Section 6: Layer of Protection Analysis<br />
• Fault Propagation Context<br />
• Event Tree Methods<br />
• Layers of Protection Definition<br />
• LOPA Event Tree<br />
• Initiating Events and Failure Rates<br />
• Example Protection Layers<br />
Fault Propagation Modeling<br />
• Analyze the chain of events that leads to an accident<br />
[Figure: event chain - Initiating Event: Control System Fails → Operator does not respond properly → Mechanical relief failed → Overpressure Event]<br />
[ Layer of Protection Analysis ]<br />
• A variation of Event Tree Analysis<br />
- More "rules" in LOPA<br />
- Like event tree analysis, the initiating event starts the chain of events<br />
- Branches are layers of protection<br />
- Consider only two outcomes:<br />
• accident<br />
• no event<br />
- For SIL determination, the potential SIF is not included<br />
LOPA Version of the Event Tree<br />
[Figure: LOPA event tree - the initiating event (LIKELIHOOD) passes through the protection layers, PREVENTION layers first and MITIGATION layers after, to the CONSEQUENCE]<br />
Protection layers shown, from the outermost inward: Plant and Emergency Response; Dike; Relief valve, Rupture disk; <strong>Safety</strong> System; Operator Intervention; Basic Process Control System<br />
Legend: emergency response layer; passive protection layer; active protection layer<br />
Quantify using probability multiplication; all logical ANDs<br />
Example Part 1 - Pipe Rupture LOPA<br />
• Draw the Layer of Protection Analysis Diagram for:<br />
- A release and fire from a brittle fracture of a hydrocarbon line has a root cause of a process flow imbalance or weather extreme<br />
- These layers of protection are proposed for the flow imbalance:<br />
• The operator responds to DCS flow alarms and stops the process<br />
• Other sensors will detect the imbalance and automatically close control valves through the DCS to prevent the accident<br />
• The system has a separate, independent PLC shutoff (Potential SIF)<br />
• The pipe may not rupture even if exposed to low temperatures<br />
• Sources of ignition are controlled in the process area<br />
Example Part 2 - Pipe Rupture LOPA<br />
These layers of protection are proposed for the weather extreme:<br />
• The operator responds to weather conditions and stops the process<br />
• The system has a separate, independent PLC shutoff (Potential SIF)<br />
• The pipe may not rupture even if exposed to low temperatures<br />
• Sources of ignition are controlled in the process area<br />
Example Part 1 - Pipe Rupture LOPA Solution<br />
[Figure: LOPA diagram for the process flow imbalance initiating event]<br />
Note that the Potential SIF is not included in the LOPA since the purpose for SIL selection is to determine the risk without the potential SIF<br />
Example Part 2 - Pipe Rupture LOPA Solution<br />
[Figure: LOPA diagram for the weather extreme initiating event]<br />
Note that the Potential SIF is not included in the LOPA since the purpose for SIL selection is to determine the risk without the potential SIF<br />
[ LOPA Quantification ]<br />
• Proceed as with Event Tree but only need to calculate the frequency of accident<br />
• Resulting accident frequency is initiating event frequency multiplied by PFD of all independent protection layers<br />
[ Example - Pipe Rupture LOPA ]<br />
• Quantify the accident frequency of the prior example<br />
Process flow imbalance = 2.5 per year<br />
Protection Layer PFDs are:<br />
- Operator/DCS combined failure - PFD = 0.05<br />
- Pipe may not rupture failure - PFD = 0.33<br />
- Ignition source contacted - PFD = 0.23<br />
Weather Extreme = once every 5 years<br />
Protection Layer PFDs are:<br />
- Operator failure - PFD = 0.10<br />
- Pipe may not rupture failure - PFD = 0.33<br />
- Ignition source contacted - PFD = 0.23<br />
Example - Pipe Rupture LOPA Solution 2<br />
First part of the solution<br />
F1 = 2.5 /yr × 0.05 × 0.33 × 0.23 = 9.49 × 10^-3 per year<br />
Example - Pipe Rupture LOPA Solution 2<br />
Second part of the solution<br />
[Figure: LOPA diagram for the weather extreme initiating event - Weather extreme (0.2 /yr), Operator (0.10), Pipe may rupture (0.33), Ignition (0.23), Fire]<br />
F2 = 0.2 /yr × 0.10 × 0.33 × 0.23 = 1.52 × 10^-3 per year<br />
FTOTAL = 1.52 × 10^-3 + 9.49 × 10^-3 = 1.1 × 10^-2 per year<br />
Note this is for the accident without the SIF<br />
[ Application Exercise 6 ]<br />
• Layer of Protection Analysis<br />
Failure Rate Quantification<br />
• Historical reliability data specific to your installation is best, but often unavailable<br />
• Plant maintenance and SIS function test data by equipment type<br />
• Industry average data grouped by equipment type<br />
• Some expert judgment is still inevitable<br />
Using Maintenance and Function Test Data<br />
• Companies usually keep maintenance logs<br />
• IEC 61511 requires function testing and documentation of results<br />
• Function test data used to approximate failure rate<br />
Simple Equation for point estimate of failure rate:<br />
λ (Failure Rate) = # Failures / Total Unit Hours of Operation<br />
[ PFD from Failure Rate ]<br />
• PFD depends on failure rate, failure mode and test interval<br />
• Failure rate is divided into failures that cause a false trip versus those that cause failure on demand<br />
• Most databases list the failure rates and some failure modes for an equipment item<br />
• An untested device's PFD gets larger as the operational time interval increases<br />
• For devices subject to periodic inspection and test, an average PFD can be used<br />
PFDavg ≈ (λt)/2<br />
More about this in <strong>Functional</strong> <strong>Safety</strong> <strong>Engineering</strong> II<br />
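The failure-rate and PFD relations on the two slides above, applied to function-test records as an added Python example (not from the course material): the valve groups, service years and failure counts are constructed sample data, and the split into dangerous and safe failures follows the slide's distinction between fail-on-demand and false-trip failures.

```python
"""Failure rate from function-test records and PFD from failure rate.

Added example, not from the course material. It implements the two
relations on the slides: lambda = # failures / total unit-hours of
operation, and PFDavg ~ (lambda * TI) / 2 for a proof-tested device,
plus the untested-device case used in the vessel example. The test
records are constructed sample data, not real plant history.
"""
import math
from dataclasses import dataclass
from typing import Dict, List

HOURS_PER_YEAR = 8760.0


@dataclass
class TestRecord:
    """Function-test history for a group of identical devices."""
    group: str
    units: int                 # number of identical devices in the group
    years_in_service: float    # service time covered by the record, per device
    dangerous_failures: int    # found failures that would cause failure on demand
    safe_failures: int         # failures that caused a false (spurious) trip

    def unit_hours(self) -> float:
        return self.units * self.years_in_service * HOURS_PER_YEAR


def failure_rate(records: List[TestRecord], mode: str = "dangerous") -> float:
    """Point estimate lambda = # failures / total unit hours (per hour).
    PFD uses the dangerous (fail-on-demand) rate only; safe failures are
    the false-trip rate and must not be mixed in."""
    total_hours = sum(r.unit_hours() for r in records)
    if total_hours <= 0:
        raise ValueError("records contain no operating hours")
    if mode == "dangerous":
        failures = sum(r.dangerous_failures for r in records)
    elif mode == "safe":
        failures = sum(r.safe_failures for r in records)
    else:
        raise ValueError(f"unknown failure mode: {mode}")
    return failures / total_hours


def pfd_untested(lam: float, hours: float) -> float:
    """PFD of a device that is never tested: 1 - e^(-lambda*t), which grows
    with time and is ~lambda*t while lambda*t is small (the slide's
    1.0e-7/h x 8760 h ~ 0.0009 vessel example)."""
    return 1.0 - math.exp(-lam * hours)


def pfd_avg(lam: float, test_interval_h: float) -> float:
    """Average PFD over a proof-test interval TI: PFDavg ~ lambda*TI/2.
    The linear form is only valid while lambda*TI is small; above 0.1 the
    exact average of 1 - e^(-lambda*t) over [0, TI] is returned instead."""
    x = lam * test_interval_h
    if x <= 0:
        raise ValueError("lambda and test interval must be positive")
    if x > 0.1:
        return 1.0 - (1.0 - math.exp(-x)) / x
    return x / 2.0


# Constructed function-test records for two groups of identical shutoff valves
RECORDS = [
    TestRecord("XV group A", units=40, years_in_service=5, dangerous_failures=3, safe_failures=6),
    TestRecord("XV group B", units=20, years_in_service=4, dangerous_failures=1, safe_failures=2),
]


def fleet_summary(records: List[TestRecord], test_interval_years: float) -> Dict[str, float]:
    """Dangerous and safe failure rates and the resulting PFDavg for the
    given proof-test interval."""
    lam_d = failure_rate(records, "dangerous")
    return {
        "lambda_d_per_h": lam_d,
        "lambda_s_per_h": failure_rate(records, "safe"),
        "pfd_avg": pfd_avg(lam_d, test_interval_years * HOURS_PER_YEAR),
    }


if __name__ == "__main__":
    for ti in (0.5, 1.0, 2.0):
        s = fleet_summary(RECORDS, ti)
        print(f"TI = {ti} yr: lambda_d = {s['lambda_d_per_h']:.2e}/h, "
              f"PFDavg = {s['pfd_avg']:.4f} (RRF ~ {1 / s['pfd_avg']:.0f})")
```

Doubling the proof-test interval doubles PFDavg under the linear approximation, which is why the test interval is a design parameter and not just a maintenance detail.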
[ Application Exercise 7 ]<br />
• Quantifying Protection Layers and Initiating Events<br />
Protection Layer Attributes<br />
• Specific<br />
- must be specifically designed to be capable of preventing the consequences of the potentially hazardous event<br />
• Independent<br />
- must be completely independent from all other protection layers<br />
• Dependable<br />
- must be capable of acting dependably to prevent the consequence from occurring (systematic and random faults)<br />
• Auditable<br />
- must be tested and maintained to ensure risk reduction is continually achieved<br />
Typical Protection Layers - Basic Process Control System (BPCS)<br />
CONDITIONS<br />
• The BPCS and SIS are physically separate devices, including sensors, logic solver and final elements<br />
• Failure of the BPCS is not responsible for initiating the unwanted accident<br />
• The BPCS has the proper sensors and actuators available to perform a function similar to the one performed by the SIS<br />
PFD > 0.1 (by definition)<br />
Typical Protection Layers - Operator Response<br />
CONDITIONS<br />
• Operator Always Present<br />
• Operator Has Indication of Problem<br />
• Operator Has Time to Act<br />
• Operator is Trained in the Proper Response<br />
PFD ~ 0.1, if all conditions met<br />
PFD = 1.0, if conditions not met<br />
PFD lower than 0.1 possible with HRA<br />
Typical Protection Layers - Use Factor (Time at Risk)<br />
CONDITIONS<br />
• Hazard is not always present<br />
P = Time at Risk / Total Time<br />
Typical Protection Layers - Mechanical Integrity of Vessel<br />
Is vessel designed to withstand the pressure and temperature generated as a result of the initiating event?<br />
In some organizations,<br />
PFD = 0.0 if vessel designed to withstand pressure<br />
In other more conservative organizations,<br />
PFD = one year of "random" failure<br />
Example:<br />
OREDA says 1.0 × 10^-7 /hr rate for "significant leakage"<br />
PFD = (1.0 × 10^-7 × 8760) × 1 = 0.0009<br />
Typical Protection Layers - Mechanical Relief Devices<br />
• Relief Valves<br />
• Rupture Disks<br />
• Fusible Plugs<br />
PFD calculated based on failure rate data found in databases<br />
Typical Protection Layers - External Risk Reduction<br />
• Water Spray Curtains<br />
• Dual Walled Piping<br />
• Enclosures with Scrubbing<br />
LOPA MUST INCLUDE BOTH the SMALL CONSEQUENCE when the system works AND the LARGE CONSEQUENCE when it fails since BOTH CASES ARE RISKS!<br />
PFD calculated based on failure rates of system components<br />
Typical Protection Layers - Ignition Probability<br />
• Most plants are designed to limit sources of ignition<br />
• Function of release size and released materials<br />
P ~ 0.3 for flammable gases<br />
P ~ 0.1 to 0.3 for volatile liquids<br />
P < 0.1 for heavy liquids<br />
• Can be lower with detailed supporting arguments and Hazardous Area Classification<br />
Typical Protection Layers - Explosion Probability<br />
• Probability that explosion will occur given ignition has already occurred<br />
• Not typically used because flash fire will occur if explosion does not, so consequence not prevented<br />
• Use with CAUTION! In most cases explosion probability should be ignored<br />
[ Occupancy ]<br />
• Fraction of time that effect zone of incident outcome in question is occupied<br />
• Not typically used because occupancy is accounted for in the consequence analysis<br />
P = Time of Occupancy / Total Time<br />
NOTE: It is only appropriate to use an occupancy probability where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is usually the case with demands that occur at equipment start-up and demands that occur during maintenance and test.<br />
SLC <strong>Engineering</strong> Tools - LOPA Analysis<br />
[Figure: screenshot of the LOPA analysis tool]<br />
[ Section 6: Summary ]<br />
• Fault Propagation Context<br />
• Event Tree Methods<br />
• Layers of Protection Definition<br />
• LOPA Event Tree<br />
• Initiating Events and Failure Rates<br />
• Example Protection Layers<br />
[ Section 7: SIL Selection ]<br />
• <strong>Safety</strong> Integrity Levels<br />
• Hazard Matrix<br />
• Risk Graph<br />
• Quantitative Methods<br />
• Cost-benefit Analysis<br />
[ SLC - SIL Selection ]<br />
[Figure: safety lifecycle flowchart; each step is shown with its inputs (left) and its output (right)]<br />
1. Process Design - Scope Definition → Process Safety Information<br />
2. Identify Potential Hazards (inputs: Event History, Application Standards) → Potential Hazards<br />
3. Consequence Analysis (inputs: Hazard Characteristics, Consequence Database) → Hazard Consequence<br />
4. Identify Protection Layers → Layers of Protection<br />
5. Likelihood Analysis (input: Failure Probabilities (LOPA)) → Hazard Frequencies<br />
6. Select RRF, Target SIL for each SIF (input: Tolerable Risk Guidelines; decision branch: if required, design of other risk reduction facilities) → RRF, Target SIL<br />
7. Develop Process <strong>Safety</strong> Requirements Specification → <strong>Safety</strong> Requirements Specification<br />
IEC 61511 Stage 1 FSA<br />
[ <strong>Safety</strong> Integrity Levels ]<br />
DEMAND MODE<br />
Safety Integrity Level | Target Average Probability of Failure on Demand | Target risk reduction (RRF)<br />
SIL 4 | ≥ 10^-5 to < 10^-4 | > 10000 to ≤ 100000<br />
SIL 3 | ≥ 10^-4 to < 10^-3 | > 1000 to ≤ 10000<br />
SIL 2 | ≥ 10^-3 to < 10^-2 | > 100 to ≤ 1000<br />
SIL 1 | ≥ 10^-2 to < 10^-1 | > 10 to ≤ 100<br />
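The pipe rupture LOPA quantified in Section 6 (F1 + F2 without the SIF) carried through to a target SIL using the demand-mode RRF bands above, as an added Python example (not the course's or Exida's own tool): the initiating frequencies and layer PFDs are the slide's, the tolerable accident frequency of 1 × 10^-4 per year is a constructed placeholder.

```python
"""LOPA quantification and SIL selection from the required RRF.

Added example, not the course's or Exida's own tool. It uses the pipe
rupture LOPA numbers from the slides (potential SIF excluded) and the
demand-mode SIL bands from the table above. The tolerable event
frequency is a constructed placeholder, not a value from the course.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Scenario:
    """One initiating event with the PFDs of its independent protection layers."""
    initiating_event: str
    frequency_per_year: float
    ipl_pfds: List[float] = field(default_factory=list)

    def mitigated_frequency(self) -> float:
        """F = F_I x PFD_1 x PFD_2 x ... : every layer must fail (logical AND).
        The potential SIF is deliberately not among the layers."""
        f = self.frequency_per_year
        for pfd in self.ipl_pfds:
            if not 0.0 < pfd <= 1.0:
                raise ValueError(f"PFD must be in (0, 1], got {pfd}")
            f *= pfd
        return f


def total_accident_frequency(scenarios: List[Scenario]) -> float:
    """Independent initiating events leading to the same accident add."""
    return sum(s.mitigated_frequency() for s in scenarios)


def required_rrf(unmitigated: float, tolerable: float) -> float:
    """Risk reduction factor the SIF must supply to reach the tolerable frequency."""
    if tolerable <= 0:
        raise ValueError("tolerable frequency must be positive")
    return unmitigated / tolerable


# Demand-mode SIL bands: (SIL, RRF > lower, RRF <= upper)
SIL_BANDS = [(1, 10, 100), (2, 100, 1000), (3, 1000, 10000), (4, 10000, 100000)]


def sil_for_rrf(rrf: float) -> Optional[int]:
    """Map a required RRF onto the demand-mode SIL table.
    0 means no SIF is needed (RRF <= 10); None means the requirement exceeds
    SIL 4 and cannot be met by a single SIF."""
    if rrf <= 10:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower < rrf <= upper:
            return sil
    return None


# Pipe rupture LOPA from the slides
PIPE_RUPTURE = [
    Scenario("Process flow imbalance", 2.5, [0.05, 0.33, 0.23]),
    Scenario("Weather extreme", 1.0 / 5.0, [0.10, 0.33, 0.23]),
]
TOLERABLE_FREQ = 1.0e-4  # per year; constructed placeholder


def pipe_rupture_sil(tolerable: float = TOLERABLE_FREQ) -> Tuple[float, float, Optional[int]]:
    """Total accident frequency without the SIF, the RRF it must provide,
    and the resulting target SIL."""
    f_total = total_accident_frequency(PIPE_RUPTURE)
    rrf = required_rrf(f_total, tolerable)
    return f_total, rrf, sil_for_rrf(rrf)


if __name__ == "__main__":
    f_total, rrf, sil = pipe_rupture_sil()
    for s in PIPE_RUPTURE:
        print(f"{s.initiating_event:24s} {s.mitigated_frequency():.2e} /yr")
    print(f"Total without SIF: {f_total:.2e} /yr; required RRF {rrf:.0f} -> SIL {sil}")
```

With the placeholder tolerable frequency the unmitigated 1.1 × 10^-2 per year demands an RRF of about 110, which falls in the SIL 2 band; a tolerable frequency one decade tighter would push the same scenario to SIL 3.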
[ <strong>Safety</strong> Integrity Levels ]<br />
CONTINUOUS MODE<br />
Safety Integrity Level | Target Frequency of Dangerous Failures to Perform the SIF (per hour)<br />
SIL 4 | ≥ 10^-9 to
[ How to Assign a SIL ]<br />
• Identify how much risk reduction is needed to attain a tolerable risk<br />
• Quantitative methods give specific numerical targets for risk (e.g. RRF)<br />
• Qualitative methods group numerical targets into more broad categories of risk reduction (e.g. SIL band only)<br />
• A consistent method or set of methods must be used<br />
Hazard Matrix - Procedure 1<br />
• Categorize consequence<br />
• Categorize likelihood<br />
• Select SIL from matrix corresponding to identified consequence and likelihood categories<br />
• 3 x 3, 4 x 4, 5 x 5, ...<br />
[Figure: 3 x 3 hazard matrix - Hazardous Event Likelihood (rows) versus Hazardous Event Severity Rating (Minor, Serious, Extensive); cells give the SIL: 1, 2, 3a, 3b or Note c]<br />
a) One Level 3 <strong>Safety</strong> Instrumented Function does not provide sufficient risk reduction at this risk level. Additional modifications are required in order to reduce risk (see note d);<br />
b) One Level 3 <strong>Safety</strong> Instrumented Function may not provide sufficient risk reduction at this risk level. Additional review is required (see note d);<br />
c) SIS independent protection layer is probably not needed;<br />
d) This approach is not considered suitable for SIL 4.<br />
Consequence Part of the Hazard Matrix<br />
Severity Rating / Impact:<br />
- Minor: Minor damage to equipment. No shutdown of the process. Temporary injury to personnel and damage to the environment.<br />
- Serious: Damage to equipment. Short shutdown of the process. Serious injury to personnel and the environment.<br />
- Extensive: Large scale damage of equipment. Shutdown of a process for a long time. Catastrophic consequence to personnel and the environment.<br />
Based on IEC 61511-3 Annex C<br />
Hazard Matrix - Consequence Considerations<br />
• Clearly identify basis of categories<br />
• Can include considerations of:<br />
- Injury<br />
- Loss of life<br />
- Property damage<br />
- Lost production<br />
- Environmental release<br />
Assignment of consequence category requires judgment<br />
Likelihood Part of the Hazard Matrix<br />
Type of Events | Likelihood (Frequency Near) | Qualitative Ranking<br />
Events like multiple failures of diverse instruments or valves, multiple human errors in a stress free environment, or spontaneous failures of process vessels. | f < 10^-4 | Low<br />
Events like dual instrument, valve failures, or | 10^-4
[ Hazard Matrix Example ]<br />
• Example 1<br />
- A SIF was identified during a HAZOP study<br />
- The HAZOP team determined:<br />
• the consequence is Serious<br />
• the likelihood is High<br />
- What is the SIL?<br />
[Figure: the 3 x 3 hazard matrix of Procedure 1 - Hazardous Event Likelihood versus Hazardous Event Severity Rating (Minor, Serious, Extensive); cells give the SIL: 1, 2, 3a, 3b or Note c]<br />
a) One Level 3 <strong>Safety</strong> Instrumented Function does not provide sufficient risk reduction at this risk level. Additional modifications are required in order to reduce risk (see note d);<br />
b) One Level 3 <strong>Safety</strong> Instrumented Function may not provide sufficient risk reduction at this risk level. Additional review is required (see note d);<br />
c) SIS independent protection layer is probably not needed;<br />
d) This approach is not considered suitable for SIL 4.<br />
[ Hazard Matrix Procedure 2 ]<br />
• Start with a matrix expression of tolerable risk<br />
Frequency | Recordable Injury | Lost Time Injury | Permanent Injury/Death | Many Deaths<br />
1 per 100 years | Acceptable | Moderate | Extreme | Extreme<br />
1 per 1000 years | Acceptable | Acceptable | Moderate | Extreme<br />
1 per 10,000 years | Acceptable | Acceptable | Moderate | Moderate<br />
1 per 100,000 years | Acceptable | Acceptable | Acceptable | Moderate<br />
All extreme risk will be reduced and all moderate risks will be reduced where practical.<br />
[ Hazard Matrix Procedure 2 ]<br />
• Identify consequence and likelihood with the layers of protection but without the proposed SIF<br />
Frequency | Recordable Injury | Lost Time Injury | Permanent Injury/Death | Many Deaths<br />
1 per 100 years | Acceptable | Moderate | Extreme | Extreme<br />
1 per 1000 years | Acceptable | Acceptable | Moderate | Extreme<br />
1 per 10,000 years | Acceptable | Acceptable | Moderate | Moderate<br />
1 per 100,000 years | Acceptable | Acceptable | Acceptable | Moderate<br />
All extreme risk will be reduced and all moderate risks will be reduced where practical.<br />
[ Hazard Matrix Procedure 2 ]<br />
• Select the SIL to meet the tolerable risk requirement based on event frequency reduction<br />
• Note there are options based on what is practical<br />
Frequency | Recordable Injury | Lost Time Injury | Permanent Injury/Death | Many Deaths<br />
1 per 100 years | Acceptable | Moderate | Extreme | Extreme<br />
1 per 1000 years | Acceptable | Acceptable | Moderate | Extreme<br />
1 per 10,000 years | Acceptable | Acceptable | Moderate | Moderate<br />
1 per 100,000 years | Acceptable | Acceptable | Acceptable | Moderate<br />
Annotated on the matrix: SIL 1 (RRF > 10), SIL 2 (RRF > 100), SIL 3 (RRF > 1000) - each SIL moves the event down one row, i.e. a factor of 10 in frequency<br />
All extreme risk will be reduced and all moderate risks will be reduced where practical.<br />
[ Risk Graph ]<br />
Based on IEC 61511-3 Annex D<br />
• Select categories for risk graph parameters including one consequence parameter:<br />
- Consequence<br />
• And three likelihood parameters:<br />
- Occupancy<br />
- Probability of avoiding the hazard<br />
- Demand rate or frequency<br />
[Figure: risk graph per IEC 61511-3 Annex D]<br />
Risk Graph Parameters<br />
Parameter | Symbol | Description<br />
Consequence | C | Average number of fatalities likely to result from the hazard. Determined by calculating the average numbers in the exposed area when the area is occupied, taking into account the vulnerability to the hazardous event.<br />
Occupancy | F | Probability that the exposed area is occupied. Determined by calculating the fraction of time the area is occupied.<br />
Probability of avoiding the hazard | P | The probability that exposed persons are able to avoid the hazard if the protection system fails on demand. This depends on there being independent methods of alerting the exposed persons to the hazard and manual methods of preventing the hazard or methods of escape.<br />
Demand Rate | W | The number of times per year that the hazardous event would occur if no SIS was fitted. This can be determined by considering all the failures that can lead to one hazard and estimating the overall rate of occurrence.<br />
Based on IEC 61511-3 Annex D<br />
Consequence Part of the Risk Graph<br />
Parameter: Consequence (C) - Average number of fatalities. This can be calculated by determining the average number of people present when the area exposed to the hazard is occupied and multiplying by the vulnerability to the identified hazard.<br />
Classification:<br />
- CA: Minor injury<br />
- CB: PLL range 0.01 to 0.1<br />
- CC: PLL range > 0.1 to 1<br />
- CD: PLL range > 1<br />
Comments:<br />
1. The classification system has been developed to deal with injury and death to people.<br />
2. For the interpretation of CA, CB, CC, and CD, the consequences of the accident and normal healing shall be taken into account.<br />
The vulnerability is determined by the nature of the hazard being protected against. The following factors can be used:<br />
- V = 0.01 Small release of flammable or toxic<br />
- V = 0.1 Large release of flammable or toxic<br />
- V = 0.5 As above, but highly toxic or flammable<br />
- V = 1 Rupture or explosion<br />
Based on IEC 61511-3 Annex D<br />
Occupancy Part of the Risk Graph<br />
Parameter: Occupancy (F) - This is calculated by determining the length of time the area exposed to the hazard is occupied during a normal working period.<br />
NOTE - If the time in the hazardous area is different depending on the shift being operated then the maximum should be selected.<br />
NOTE - It is only appropriate to use FA where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is usually the case with demands that occur at equipment start-up.<br />
Classification:<br />
- FA: Rare to more often exposure in the hazardous zone. Occupancy less than 0.1.<br />
- FB: Frequent to permanent exposure in the hazardous zone.<br />
Comments:<br />
3. See comment 1 above.<br />
Occupancy - a likelihood measurement for personnel based on probability of exposure<br />
Based on IEC 61511-3 Annex D<br />
Demand Rate (Likelihood)<br />
Parameter: Demand Rate (W) without protection system. To determine the demand rate, it is necessary to consider all sources of failure that can lead to one hazardous event. In determining the demand rate, limited credit can be allowed for control system performance and intervention. The performance that can be claimed if the control system is not to be designed and maintained according to IEC 61511 is limited to below the performance ranges associated with SIL 1.<br />
Classification:<br />
- W1: Demand rate less than 0.03 per year.<br />
- W2: Demand rate between 0.03 and 0.3 per year.<br />
- W3: Demand rate between 0.3 and 3 per year.<br />
- For demand rates higher than 3 per year, higher integrity shall be needed.<br />
Comments: The purpose of the W factor is to estimate the frequency of the hazard taking place without the addition of the SIS. If the demand rate is very high (e.g., 10 per year) the SIL has to be determined by another method or the risk graph must be recalibrated. Then the operation mode is high demand or continuous (IEC 61511-1, Clause 3.1.48.2).<br />
Based on IEC 61511-3 Annex D<br />
Demand Rate (Likelihood) - Qualitative<br />
Parameter: Demand Rate (W) without protection system.<br />
Classification:<br />
- W1: Very slight possibility<br />
- W2: Slight possibility<br />
- W3: High probability<br />
Comments: The purpose of the W factor is to estimate the frequency of the hazard taking place without the addition of the SIS.<br />
Based on information found in IEC 61508, part 5<br />
Assigning the SIL with a Risk Graph<br />
[Risk graph figure: from the starting point for risk reduction estimation, branches by consequence (CA to CD), exposure (FA, FB) and avoidance (PA, PB) lead to rows that are read against the demand rate columns W1, W2 and W3 to give the entry]<br />
C = Consequence parameter<br />
F = Exposure time parameter<br />
P = Possibility of failing to avoid hazard<br />
W = Demand rate assuming no protection<br />
--- = No safety requirements<br />
a = No special safety requirements<br />
b = A single E/E/PES is not sufficient<br />
1, 2, 3, 4 = Safety Integrity Level<br />
Risk Graph Example Solution<br />
• A SIF was identified during a HAZOP study<br />
• The Safety Department also determined that:<br />
- PLL = 0.9<br />
- The area is normally occupied<br />
- There is no possibility of avoiding the hazard<br />
- The demand rate is 0.05 per year<br />
• What is the SIL?<br />
[Risk graph figure with the example path marked: not recoverable from scan]<br />
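The risk graph of the preceding slides, worked through in Python as an added example (not exida's code). The PLL, occupancy and demand-rate thresholds are those of the parameter slides; the X1 to X6 rows and W3/W2/W1 columns are the calibrated graph of IEC 61508-5 / IEC 61511-3 Annex D that the slides reproduce, and the function returns the classification path so the reasoning can be recorded in the SRS.<br />

```python
"""Risk graph SIL selection as laid out in the course's Annex D slides.

Added example for these notes, not exida's code. The C/F/P/W thresholds come
from the parameter tables on the preceding slides; the X1..X6 rows and the
W1..W3 columns are the calibrated risk graph of IEC 61508-5 / IEC 61511-3
Annex D that the slides reproduce.
"""


def consequence_class(pll: float) -> str:
    """CA minor injury (below the CB range), CB 0.01-0.1, CC >0.1-1, CD >1 PLL."""
    if pll < 0.01:
        return "CA"
    if pll <= 0.1:
        return "CB"
    if pll <= 1.0:
        return "CC"
    return "CD"


def occupancy_class(fraction_of_time_occupied: float) -> str:
    """FA: occupancy less than 0.1 (rare exposure); FB: frequent to permanent."""
    return "FA" if fraction_of_time_occupied < 0.1 else "FB"


def avoidance_class(can_avoid: bool) -> str:
    """PA only when independent alerting and a manual means of escape exist."""
    return "PA" if can_avoid else "PB"


def demand_class(demands_per_year: float) -> str:
    """W1 < 0.03/yr, W2 0.03-0.3/yr, W3 0.3-3/yr. Above 3/yr the graph is not
    calibrated: another method or a recalibrated graph is required."""
    if demands_per_year > 3:
        raise ValueError("demand rate above 3 per year: risk graph not applicable")
    if demands_per_year < 0.03:
        return "W1"
    if demands_per_year <= 0.3:
        return "W2"
    return "W3"


# (C, F, P) -> row X2..X6. CA goes straight to X1 with no F or P branch.
_ROW = {
    ("CB", "FA", "PA"): 2, ("CB", "FA", "PB"): 3, ("CB", "FB", "PA"): 3, ("CB", "FB", "PB"): 4,
    ("CC", "FA", "PA"): 3, ("CC", "FA", "PB"): 4, ("CC", "FB", "PA"): 4, ("CC", "FB", "PB"): 5,
    ("CD", "FA", "PA"): 4, ("CD", "FA", "PB"): 5, ("CD", "FB", "PA"): 5, ("CD", "FB", "PB"): 6,
}

# Row X1..X6 read against columns (W3, W2, W1). "---" no safety requirements,
# "a" no special safety requirements, "b" a single E/E/PES is not sufficient.
_GRAPH = {
    1: ("a", "---", "---"),
    2: ("1", "a", "---"),
    3: ("2", "1", "a"),
    4: ("3", "2", "1"),
    5: ("4", "3", "2"),
    6: ("b", "4", "3"),
}
_COL = {"W3": 0, "W2": 1, "W1": 2}


def risk_graph_entry(c: str, f: str, p: str, w: str) -> str:
    """Read one cell of the graph for an already classified path."""
    row = 1 if c == "CA" else _ROW[(c, f, p)]
    return _GRAPH[row][_COL[w]]


def select_sil(pll, fraction_of_time_occupied, can_avoid, demands_per_year):
    """Classify the four parameters and read the graph; the path is returned
    alongside the entry so the SRS can record why the SIL was assigned."""
    c = consequence_class(pll)
    f = occupancy_class(fraction_of_time_occupied)
    p = avoidance_class(can_avoid)
    w = demand_class(demands_per_year)
    return {"C": c, "F": f, "P": p, "W": w, "SIL": risk_graph_entry(c, f, p, w)}


if __name__ == "__main__":
    # Example Solution slide: PLL 0.9, normally occupied, no avoidance, 0.05/yr.
    print(select_sil(0.9, 1.0, False, 0.05))
```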
Frequency Based Targets - Selecting the Target<br />
• The frequency that is allowable for a hazardous event depends on the consequence<br />
Severity Rating / Impact / Target Frequency per year (example only):<br />
- Minor: Minor damage to equipment. No shutdown of the process. Temporary injury to personnel or minor damage to the<br />
Target frequency: 1.0 x 10^-3<br />
- Serious: Damage to equipment. Short shutdown of the process. Serious injury of personnel (or single fatality) or serious environmental damage.<br />
Target frequency: 1.0 x 10^-4<br />
- Extensive: Large scale damage of equipment. Shutdown of a process for a long time. Catastrophic consequence to personnel (e.g. multiple fatalities) or major permanent environmental damage.<br />
Target frequency: 1.0 x 10^-6<br />
Frequency Based Targets - Calculate Risk Reduction<br />
Required risk reduction is a function of unmitigated accident frequency and the frequency target:<br />
RRF_SIF = F_unmitigated event / F_target<br />
Frequency Based Targets - Assign SIL<br />
• Select SIL based on required RRF<br />
• RRF target converted to SIL based on table specified in ISA S84 and<br />
[RRF to SIL table figure: not recoverable from scan]<br />
Another target frequency method: Individual Risk Targets<br />
• Take likelihood and consequence or existing risk integral and convert into frequency target<br />
• Calculate required risk reduction to achieve the target<br />
• Assign SIL based on required risk reduction<br />
Individual Risk Targets Method 1: Calculating Frequency Target<br />
• Calculate frequency target - a function of tolerable individual risk and probable loss of life:<br />
F_target = F_individual risk / PLL<br />
• Calculate required risk reduction and assign SIL with the same method as the general frequency based method<br />
Example 1: Individual Risk Based Target<br />
An accident scenario yielded a consequence of 0.21 Probable Loss of Life (PLL) and a likelihood of 1/576 incidents per year. The tolerable individual risk of fatality at this facility is 1 x 10^-4. What SIL should be selected?<br />
Step 1 - Determine the tolerable frequency of this event:<br />
F(tol) = 1 x 10^-4 / 0.21 = 4.76 x 10^-4<br />
Step 2 - Applying the target RRF equation yields:<br />
RRF = (1/576) / 4.76 x 10^-4 = 3.64<br />
Step 3 - Select SIL based on RRF:<br />
For RRF = 3.64 → SIL = 1<br />
(or no SIL required with documentation of RRF achieved)<br />
Example 2: Individual Risk Based Target<br />
A risk integral yielded an existing risk of 0.044 deaths per year without any SIF (brittle pipe fracture case). The tolerable individual risk of fatality at this facility is 1 x 10^-4. What SIL should be selected?<br />
Step 1 - Determine the RRF from the ratio of existing to desired risk:<br />
RRF = 0.044 / 1.0 x 10^-4 = 440<br />
Step 2 - Select SIL based on RRF:<br />
For RRF = 440 → SIL = 3 or<br />
(SIL 2 with a RRF of greater than 440 as part of the spec)<br />
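The frequency-based method, Individual Risk Targets Method 1 and the risk-integral route of Examples 1 and 2, carried through in Python as an added example (not exida's code). Because the slide's RRF-to-SIL table did not survive the scan, the standard low-demand bands are assumed here (SIL 1: RRF 10 to 100, SIL 2: 100 to 1,000, SIL 3: 1,000 to 10,000, SIL 4: 10,000 to 100,000); the code returns both the band that contains the required RRF and the smallest SIL whose whole range covers it, which is how the slides arrive at SIL 1 for RRF 3.64 and SIL 3 for RRF 440.<br />

```python
"""Frequency-based SIL targets: Individual Risk Targets Method 1 and the
risk-integral route of Examples 1 and 2, plus the severity table route.

Added example for these notes, not exida's code. The RRF bands are the
standard low-demand table assumed in place of the slide's unreadable figure:
SIL 1 covers RRF 10 to 100, SIL 2 100 to 1,000, SIL 3 1,000 to 10,000 and
SIL 4 10,000 to 100,000.
"""

# Lower RRF bound of each SIL band (the upper bound is the next band's lower).
SIL_MIN_RRF = {1: 10, 2: 100, 3: 1_000, 4: 10_000}

# Severity -> target frequency per year, from the "Selecting the Target" slide
# (marked "Example only" there; a site would calibrate its own values).
TARGET_FREQUENCY = {"Minor": 1.0e-3, "Serious": 1.0e-4, "Extensive": 1.0e-6}


def frequency_target(tolerable_individual_risk: float, pll: float) -> float:
    """Method 1: F_target = F_individual risk / PLL."""
    if pll <= 0:
        raise ValueError("PLL must be positive")
    return tolerable_individual_risk / pll


def required_rrf(unmitigated_frequency: float, target_frequency: float) -> float:
    """RRF_SIF = F_unmitigated event / F_target."""
    if target_frequency <= 0:
        raise ValueError("target frequency must be positive")
    return unmitigated_frequency / target_frequency


def sil_band(rrf: float) -> int:
    """SIL whose RRF range contains the requirement; 0 when RRF < 10, meaning
    no SIL is required and the RRF achieved is simply documented."""
    if rrf >= 100_000:
        raise ValueError("RRF beyond SIL 4: change the process or add layers")
    return max((sil for sil, lo in SIL_MIN_RRF.items() if rrf >= lo), default=0)


def sil_guaranteeing_rrf(rrf: float) -> int:
    """Smallest SIL whose minimum RRF already meets the requirement; this is the
    conservative reading the slides give (RRF 3.64 -> SIL 1, RRF 440 -> SIL 3)."""
    for sil, lo in SIL_MIN_RRF.items():
        if lo >= rrf:
            return sil
    raise ValueError("RRF beyond SIL 4: change the process or add layers")


def individual_risk_target(pll, unmitigated_frequency, tolerable_individual_risk):
    """Example 1: consequence and likelihood -> frequency target -> RRF -> SIL."""
    f_target = frequency_target(tolerable_individual_risk, pll)
    rrf = required_rrf(unmitigated_frequency, f_target)
    return {"F_target": f_target, "RRF": rrf,
            "SIL": sil_guaranteeing_rrf(rrf), "SIL_band": sil_band(rrf)}


def risk_integral_target(existing_risk_per_year, tolerable_individual_risk):
    """Example 2: RRF straight from the ratio of existing to desired risk."""
    rrf = required_rrf(existing_risk_per_year, tolerable_individual_risk)
    return {"RRF": rrf, "SIL": sil_guaranteeing_rrf(rrf), "SIL_band": sil_band(rrf)}


def severity_based_target(severity: str, unmitigated_frequency: float):
    """General frequency-based method using the severity table above."""
    rrf = required_rrf(unmitigated_frequency, TARGET_FREQUENCY[severity])
    return {"RRF": rrf, "SIL": sil_guaranteeing_rrf(rrf), "SIL_band": sil_band(rrf)}


if __name__ == "__main__":
    print(individual_risk_target(0.21, 1 / 576, 1e-4))   # Example 1
    print(risk_integral_target(0.044, 1e-4))              # Example 2
    print(severity_based_target("Serious", 0.05))
```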
Application Exercise 8<br />
• SIL Selection<br />
Risk Integral Application to Cost Benefit Analysis<br />
• Risk integrals require a single loss variable<br />
• Can be across all receptors converted to financial terms<br />
• Can be across financial receptors only in monetary cost terms<br />
• Can also be across personnel receptors only in equivalent or probable loss of life (PLL) terms<br />
- PLL can take on fractional values<br />
Risk Integral Advantages - Cost Benefit Analysis<br />
• A SIF is being considered to prevent the brittle pipe fracture and plant explosion event described earlier<br />
- Risk without the SIF costs 1.27 M$/year<br />
- A low-cost, low-performance SIL 1 SIF can provide a risk reduction factor of 10 for $20,000 per year net cost<br />
- A higher-cost, higher-performance SIL 2 SIF can provide a risk reduction factor of 200 for $80,000 per year net cost<br />
- A top end SIL 3 SIF can provide a risk reduction factor of 2500 for $200,000 per year net cost<br />
• Which system should be selected?<br />
Cost-Benefit Analysis<br />
• This example can be solved by calculating the annual cost associated with the risk of each option.<br />
• For the case with no safety system, the cost of the hazard is $1,270,000 per year<br />
• With the first case low-cost safety system:<br />
- The RRF of 10 reduces the hazard cost to $1,270,000/10 = $127,000 per year,<br />
- While the system itself adds $20,000 per year<br />
- This gives a total $147,000 overall annual cost or a net savings of $1,123,000 per year relative to no safety system<br />
Cost Benefit Analysis<br />
• Considering the SIL 2 option in the same way<br />
- The hazard cost is $1,270,000/200 = $6,350/year,<br />
- The system itself adds $80,000/year<br />
- This gives a total $86,350 overall annual cost or a net savings of $1,163,650 relative to no safety system<br />
• For the SIL 3 system<br />
- The hazard cost is $1,270,000/2500 = $508/year,<br />
- The system itself adds $200,000 per year<br />
- This gives a total $200,508 overall annual cost or a net savings of $1,069,492 relative to no safety system<br />
• The SIL 2 SIF is the best option, with the greatest savings of ~$1,163,650 per year relative to doing<br />
Multiple Receptors per SIF<br />
• Occasionally a set of tolerable risk levels and risk estimates gives different integrity level requirements depending on the personnel, environmental, or financial receptors considered:<br />
- Safety IL = 2<br />
- Environmental IL = 3<br />
- Financial IL = 1<br />
• Choose highest IL = 3 for specifying the system<br />
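The cost-benefit comparison of the three SIF options and the multiple-receptor rule of the last two slides, in Python as an added example (not exida's code); the option figures are the slides' own, the `Option` dataclass and function names are this example's.<br />

```python
"""Cost-benefit comparison of SIF options and multi-receptor IL selection,
following the Cost Benefit Analysis and Multiple Receptors per SIF slides.

Added example for these notes, not exida's code. The figures are the slides'
own: 1.27 M$/year unmitigated risk; SIL 1/2/3 options with RRF 10/200/2500 at
$20,000/$80,000/$200,000 per year net cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    name: str
    rrf: float          # risk reduction factor the SIF provides
    annual_cost: float  # net cost of owning the SIF, $/year


def residual_hazard_cost(unmitigated_cost: float, rrf: float) -> float:
    """Risk integral in $/year divided by the RRF the option delivers."""
    if rrf < 1:
        raise ValueError("an RRF below 1 would increase risk")
    return unmitigated_cost / rrf


def evaluate(unmitigated_cost: float, options):
    """Total annual cost and net savings relative to no safety system, per option."""
    rows = []
    for opt in options:
        hazard = residual_hazard_cost(unmitigated_cost, opt.rrf)
        total = hazard + opt.annual_cost
        rows.append({"option": opt.name, "hazard_cost": hazard,
                     "total_cost": total, "net_savings": unmitigated_cost - total})
    return rows


def best_option(unmitigated_cost: float, options) -> str:
    """Option with the lowest total annual cost (equivalently the greatest savings)."""
    return min(evaluate(unmitigated_cost, options), key=lambda r: r["total_cost"])["option"]


def integrity_level_to_specify(receptor_ils: dict) -> int:
    """Multiple receptors per SIF: specify the highest IL any receptor demands."""
    return max(receptor_ils.values())


SLIDE_OPTIONS = (
    Option("SIL 1", 10, 20_000),
    Option("SIL 2", 200, 80_000),
    Option("SIL 3", 2500, 200_000),
)

if __name__ == "__main__":
    for row in evaluate(1_270_000, SLIDE_OPTIONS):
        print(row)
    print(best_option(1_270_000, SLIDE_OPTIONS))
    print(integrity_level_to_specify({"Safety": 2, "Environmental": 3, "Financial": 1}))
```

Carried through from the slide's inputs, the SIL 2 option's net saving is $1,270,000 - $86,350 = $1,183,650 (the slide prints $1,163,650); the ranking and the choice of SIL 2 are unaffected.<br />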
SLC Engineering Tools - SIL Selection and Documentation<br />
[Tool screenshot: not recoverable from scan]<br />
Section 8: Safety Requirements Specification<br />
• SRS Definition<br />
• SRS Requirements<br />
• SRS Format<br />
• SRS Problems and Solutions<br />
SLC - Requirements Specification<br />
[Safety lifecycle analysis-phase flowchart (IEC 61511 Stage 1 FSA): 1. Process Design - Scope Definition; 2. Identify Potential Hazards; 3. Consequence Analysis; 4. Identify Protection Layers; 5. Likelihood Analysis (LOPA); 6. Select RRF, Target SIL for each SIF; 7. Develop Process Safety Specification. Inputs: Process Safety Information, Event History, Application Standards, Hazard Characteristics, Consequence Database, Failure Probabilities, Tolerable Risk Guidelines. Outputs: Potential Hazards, Hazard Consequences, Layers of Protection, Hazard Frequencies, RRF and Target SIL, Safety Requirements Specification; design of other risk reduction facilities branches from step 5]<br />
SRS - The Source of Knowledge<br />
[Figure: inputs to the Safety Requirement Specification (Process Information and Functionality, Hazard Information, Hazard Frequencies, Hazard Consequences, Target SIL, Regulatory Requirements) feed Conceptual and Detailed Design, Hardware and Software System Integrity and Procedures, Validation, Information and Revision, and Operations, Maintenance and Modifications, across the Analysis, Implementation and Operation phases]<br />
Specification Communication<br />
[Cartoon panels: How the Customer explained it; How it was Sold; How it was Designed; How it was Built; How it was Tested; How it was Documented; How it was Installed; How it was Billed; How it was Maintained; What the Customer really needed]<br />
The SRS as a Living Document<br />
• The SRS is the 'backbone' not just of the project Implementation & Testing but also a key point of reference during the Operation phase<br />
• The SRS should be constructed in a way that is:<br />
- Clear: jargon-free so everybody can read it<br />
- Concise: to-the-point with minimal repetition<br />
- Complete: all functional, integrity and non-functional requirements covered<br />
- Consistent: avoid contradicting statements or requirements<br />
• All modifications should be evaluated against the SRS; the better the background information provided, the better informed the change impact assessment<br />
SRS Requirements<br />
• The SRS should contain these functional requirements<br />
- Definition of the safe state<br />
- Process inputs and their trip points<br />
- Process parameter normal operating range<br />
- Process outputs and their actions<br />
- Relationship between inputs and outputs<br />
- Selection of energize-to-trip or deenergize-to-trip<br />
More SRS Requirements<br />
• Consideration for manual shutdown<br />
• Consideration for bypass<br />
• Actions on loss of power to the SIS<br />
• Response time requirements for the SIS to bring the process to a safe state<br />
• Response actions for overt fault<br />
• Operator interface requirements<br />
• Reset functions<br />
More SRS Requirements<br />
• The SRS should contain these integrity requirements<br />
- The required SIL for each SIF<br />
- Requirements for diagnostics to achieve the required SIL<br />
- Requirements for maintenance and testing to achieve the required SIL<br />
- Reliability requirements if spurious trips may be hazardous<br />
SRS Format (EXAMPLE ONLY)<br />
1. General Requirements<br />
- Requirements common to all SIF<br />
2. SIF Requirements<br />
- Functional Requirements<br />
- Integrity Requirements<br />
SRS Format: General Requirements Section<br />
General Requirements (EXAMPLE ONLY)<br />
1. All safety instrumented functions (except fire and gas and special cases) shall be designed such that movement of the final element to the safe position will be performed by removing power from the element (i.e., de-energize-to-trip).<br />
2. SIFs that are not de-energize-to-trip will be clearly described as such in that individual SIF's specification. For safety instrumented functions where energize-to-trip is selected, positive means for continuously monitoring circuit integrity shall be employed.<br />
SRS Format: General Requirements Section<br />
General Requirements (EXAMPLE ONLY)<br />
3. All safety instrumented functions shall be designed in accordance with the requirements set forth in the following statutes, regulations, and standards. If individual safety functions are to be designed in accordance with other standards than the ones listed below, they shall be clearly described in that safety instrumented function's individual safety requirements specifications.<br />
Statutes, Regulations, and Standards:<br />
- IEC 61511: Application of Safety Instrumented Systems for the Process Industries<br />
- 29 CFR 1910.119: Process Safety Management<br />
- 40 CFR 68: Risk Management Planning<br />
SRS Format: General Requirements Section<br />
General Requirements (EXAMPLE ONLY)<br />
4. Unless specified otherwise in an individual SIF's logic diagram, the MTTF of a SIF shall not be less than 25 years.<br />
5. Unless specified otherwise for an individual SIF, the response time of a SIF shall not exceed 2 seconds. The maximum response time for each sub-system, operating asynchronously, shall be as shown below.<br />
System - Response Time<br />
- Sensor Sub-system: 100 milliseconds<br />
- Logic Solver Sub-system: 900 milliseconds<br />
- Final Element Sub-system: 1 second<br />
SRS Format: SIF Requirements Section (EXAMPLE ONLY)<br />
ID: SIF-001<br />
Service: Low Recycle Gas Flow Closes Fuel Gas to Reforming Heaters Dropout Valve<br />
Reference: PID-012<br />
Required SIL: 1<br />
Offline Test Interval: 3 years<br />
Response Time: See General Requirement 5<br />
Activation Method: Deenergize-to-Trip (See G.R. 1)<br />
Manual Reset: Required (See G.R. 7)<br />
Nuisance Trip Req's: See General Requirement 4<br />
Diagnostics: None Additional (See G.R. 2)<br />
Manual Shutdown: HS-001 (See G.R. 8)<br />
Regulatory Req's: See General Requirement 3<br />
Safe State: Fuel Gas to Reforming Heaters RH-01 and RH-02 is stopped by closing the fuel gas shutoff valve.<br />
Notes: 1<br />
SRS Format: SIF Requirements Section - Cause-and-Effect Diagram (EXAMPLE ONLY)<br />
[Cause-and-effect matrix figure: causes SFT-960 Recycle Gas Flow (EU LO 0, EU HI 162, trip point < 48.7 MMSCFD) and HS-001 Heater Fuel Gas Dropout Switch, each marked X against the SIF's effect column; the remaining column headings are not recoverable from the scan]<br />
Logic Description Methods<br />
• Plain Text<br />
- Strengths - Extremely flexible, no special knowledge required<br />
- Weaknesses - Time-consuming, transposition to program code difficult and error prone<br />
• Cause-and-Effect Diagrams<br />
- Strengths - Low level of effort, clear visual representation<br />
- Weaknesses - Rigid format (some functions can not be represented with C-E diagrams), can oversimplify<br />
• Binary Logic Diagrams (ISA 5.2)<br />
- Strengths - More flexible than C-E diagrams, direct transposition to a function block diagram program<br />
- Weaknesses - Time consuming, knowledge of standard logic representation required<br />
Example: Plain Text Logic Description<br />
Describe the logic for an SIF, where a low pressure condition can cause flame out in a fired heater. In this case, the inputs are a burner monitor switch BS-01, and a pressure switch PSL-02. The output is a double-block and bleed assembly whose valves are XV-03A and XV-03B for the up and downstream blocks, respectively, and XV-03C for the bleed valve. The valves can be moved to their safe position by deenergizing solenoid XY-03. The system is deenergize to trip.<br />
Write the logic description in plain text.<br />
Example: Plain Text Logic Description<br />
If one of the following conditions occurs:<br />
1. Switch BS-01 is deenergized, indicating loss of flame<br />
2. Switch PSL-02 is deenergized, indicating low fuel gas pressure<br />
Then the main fuel gas flow to the heater is stopped by performing the following:<br />
1. Closing valves XV-03A and XV-03B<br />
2. Opening valve XV-03C<br />
The respective valves will be opened and closed by deenergizing the solenoid valve XY-03.<br />
Example: Cause-and-Effect Diagram<br />
Create a Cause-and-Effect diagram that describes the same shutdown.<br />
[C&E Auto-Generated from exSILentia: screenshot not recoverable from scan]<br />
Example: Logic Diagram<br />
Create a Logic diagram that describes that same shutdown.<br />
[Logic diagram template: Field Input | Logic Solver | Field Output]<br />
Potential SRS Problems<br />
• Hazard and Risk Analysis was done poorly, providing bad input for the SRS<br />
- Mis-identification of SIF<br />
- Incorrect selection of SIL<br />
• Not defining all failure modes and protection requirements<br />
- Actions of function do not actually achieve safe state<br />
- Measurement too slow to pick up and prevent accident<br />
• Not defining all operating regimes, start-up, shut-down<br />
• Not defining all environmental conditions<br />
• SRS not maintained (poor revision control)<br />
• Conflicting or missing requirements<br />
- Safety & Non-Safety actions<br />
Avoiding SRS Problems<br />
• IEC 61508-2 (Table B.1 - see also clause 7.2)<br />
- Recommendations to avoid mistakes during specification of SIS requirements<br />
• SRS addresses WHAT is required and Design will address HOW it is achieved<br />
SRS Quality<br />
The measure of quality for any document, including a SRS, is not the number of pages or the document weight but rather how precisely, quickly, and clearly all required information is passed to the reader.<br />
Section 8: Summary<br />
• SRS Definition<br />
• SRS Requirements<br />
• SRS Format<br />
• SRS Problems and Solutions<br />
Functional Safety Engineering I - Summary<br />
• SIS Introduction<br />
• Safety Lifecycle<br />
• Risk Management<br />
• Probability<br />
• Consequence and Likelihood Analysis<br />
• LOPA<br />
• SIL Selection<br />
• Safety Requirements Specifications<br />
Safety Lifecycle "Analysis" Phases<br />
[Analysis-phase flowchart (IEC 61511 Stage 1 FSA): 1. Process Design - Scope Definition; 2. Identify Potential Hazards; 3. Consequence Analysis; 4. Identify Protection Layers; 5. Likelihood Analysis (LOPA); 6. Select RRF, Target SIL for each SIF; 7. Develop Process Safety Specification. Inputs: Process Safety Information, Event History, Application Standards, Hazard Characteristics, Consequence Database, Failure Probabilities, Tolerable Risk Guidelines. Outputs: Potential Hazards, Hazard Consequences, Layers of Protection, Hazard Frequencies, RRF and Target SIL; design of other risk reduction facilities branches from step 5]<br />
SECTION 2<br />
Exercises<br />
FSE I - Pre-Class Exercise<br />
Name: ____________________<br />
Date: ____________________<br />
7.<br />
8.<br />
9. What measure is used in LOPA to demonstrate the effectiveness of a safeguard, and how is it calculated?<br />
FSE I - Application Exercise 1<br />
Name: ____________________<br />
Date: ____________________<br />
Title: Tolerable Risk<br />
Duration: 20 Minutes<br />
Objective: At the end of this exercise, participants will be able to apply the concept of ALARP to developing a tolerable risk statement for a company.<br />
PROCEDURE:<br />
Each participant should individually attempt to do the exercises. When they are finished, the entire class will review the problems and the answers.<br />
1. Develop a tolerable risk guideline and risk matrix for environmental risks ranging from 1 per 100 years to 1 per 100,000 year events and ranging from release inside the plant with small consequences up to a release outside the plant with large permanent consequences. Assume all extreme risks will be reduced and all moderate risks will be reduced where practical.<br />
2. Compare your tolerance with that of the example matrix in the slides and identify the equality points. (Where does the tolerable frequency match for different consequences?)<br />
3. Are there any significant points where the risk tolerance is inconsistent? For example, does the tolerance for external releases with large temporary consequences match that for many human fatalities?<br />
Copyright © 2000-2008, exida.com, LLC 3
FSE I - Application Exercise 2<br />
Name: ____________________<br />
Date: ____________________<br />
Title: Probability<br />
Duration: 15 Minutes<br />
Objective: At the end of this exercise, participants will be able to apply the rules of probability.<br />
PROCEDURE:<br />
Each participant should individually attempt to do the exercises. When they are finished, the entire class will review the problems and the answers.<br />
1. An insurance company studied 32400 persons for six months. There were 1800 accidents. If this dangerous condition is equally likely at any moment, what is the probability of an average person having an accident in any given year?<br />
2. We toss three fair coins. What is the probability of getting three heads?<br />
3. A system will fail if a power supply fails or a controller fails. The probability of a power supply failure during the next year is 0.05. The probability of a controller failure in the next year is 0.01. What is the probability of system failure?<br />
4. A check valve has a probability of not stopping reverse flow of 0.015 in a one-year interval. The probability of getting a dangerous condition in the next year is 0.004. What is the probability of dangerous condition AND having the check valve not stop reverse flow?<br />
FSE I - Application Exercise 3<br />
Name: ____________________<br />
Date: ____________________<br />
Title: Fault Trees<br />
Duration: 10 minutes<br />
Objective: At the end of this exercise, participants will be able to solve simple fault trees.<br />
PROCEDURE:<br />
Each participant should individually attempt to do the exercises. When they are finished, the entire class will review the problems and the answers.<br />
1. A fault tree is shown below. What is the outcome frequency?<br />
[Fault tree figure: inputs Fa (Freq. = 10/year), Pb (P = 0.05) and Pc (P = 0.1) into an AND gate]<br />
2. A fault tree is shown below. What is the output probability?<br />
[Fault tree figure: inputs P = 0.001, P = 0.002 and P = 0.005 into an OR gate]<br />
3. A fault tree is shown below. What is the output probability?<br />
[Fault tree figure: input P = 0.004; the remaining inputs and gate are not recoverable from the scan]<br />
FSE I - Application Exercise 4<br />
Name: ____________________<br />
Date: ____________________<br />
Title: Consequence Analysis Overview<br />
Duration: 20 minutes<br />
Objective: At the end of this exercise, participants will be able to use statistical analysis to estimate average consequences.<br />
PROCEDURE:<br />
Each participant should individually attempt to do the exercises. When they are finished, the entire class will review the problems and the answers.<br />
1. Your company is estimating the risk posed by the failure of a new railroad track switching system. Estimate the average consequence, in terms of injuries and fatalities, of a train accident using the following data.<br />
In 1996,<br />
550 Fatalities<br />
10,948 Injuries<br />
2,443 Accidents<br />
FSE I - Application Exercise 5<br />
Name: ______________________________________ ___<br />
Date: ________ ___<br />
Title: Event Tree Analysis<br />
Duration: 20 minutes<br />
Objective: At the end of this exercise, participants will be able to build and quantify an<br />
event tree.<br />
PROCEDURE:<br />
Each participant should individually attempt to do the exercises. When they are finished, the<br />
entire class will review the problems and the answers.<br />
1. Draw an event tree that describes the following situation: (Use the back of this sheet)<br />
• A toxic release can be initiated by a delivery driver pumping more material into a storage<br />
tank than the available capacity.<br />
• The delivery driver may or may not realize there is not enough capacity for the material<br />
that he is delivering, and then not attempt to transfer the material.<br />
• The driver may carefully monitor the level in the storage tank and stop the material<br />
transfer before a release occurs.<br />
2. Using the following data, quantify the frequency at which toxic releases occur.<br />
• Based on historical data, delivery drivers are requested to deliver to storage tanks that do<br />
not have the required capacity approximately 3 times per year.<br />
• Due to a training initiative educating the drivers on the hazards of overfilling the tank, the<br />
probability that the driver will try to fill a tank that does not have sufficient capacity is<br />
estimated at 0.01.<br />
• The probability that the driver will not detect a high level condition after he has begun<br />
transfer is estimated at 0.1.<br />
FSE I - Application Exercise 6<br />
1. Draw a LOPA diagram that describes the following situation<br />
[Process sketch: stirred reactor charged with Reactant A through the manhole; cooling water supply to the jacket and return to drain; product solution withdrawn from the bottom]<br />
PROCESS: A pharmaceutical company has developed a new process to produce one of its drugs.<br />
The process creates an aqueous solution that is withdrawn from the bottom of the pressurized,<br />
water cooling jacketed, continuously stirred tank reactor. Charging is done by filling the vessel<br />
with 250 kg of water and manually dumping 125 kg (or 5 bags) of reactant A into the vessel.<br />
After the vessel is charged and closed, the stirring mechanism is started and the vessel's jacket is<br />
flooded with cooling water. After the stirring and cooling have been established a small metered<br />
rate of 0.5 kg/min of reactant B is continuously added to the solution. Reactants A and B<br />
combine to form the desired product. Each batch operates for three weeks, and 12 batches are<br />
operated per year.<br />
HAZARDS:<br />
The reaction of A and B is nearly instantaneous and highly exothermic. Safe operation of this<br />
process requires that an excess amount of reactant B never be allowed into the reactor, and that<br />
cooling water continuously be flowing through the jacket. Hazard analysis determined that the<br />
following events could cause a "runaway" reaction and physical explosion of the vessel.<br />
1. Failure of controller FIC-01 causing uncontrolled reactant B entry into the reaction vessel.<br />
2. Failure of cooling water supply causing heat and pressure to build up in the vessel.<br />
The following layers of protection were identified as a safeguard against explosion of the vessel<br />
due to runaway reaction.<br />
1. A rupture disk set to relieve the pressure well below the design pressure of the vessel<br />
2. Operator intervention to high vessel temperature, high vessel pressure and low cooling<br />
water flow alarms. The alarm system is independent from the control system with no<br />
common components.<br />
It was also noted in the hazard assessment that the rupture disk pressure relief would not be<br />
effective in the situation where controller FIC-01 failed, because pressure can not be vented as<br />
fast as it is generated.<br />
2. Quantify the LOPA Diagrams<br />
The following frequencies and failure probabilities were determined by a process engineer after<br />
reviewing the history of the plant.<br />
Flow control fails open: 1/25/year<br />
Cooling Water Pump Fails: 1/75/year<br />
Rupture Disk PFD: 0.0956<br />
Operator Fails to respond to Cooling Water Loss: 0.1<br />
Operator Fails to respond to Control Failure: 0.1<br />
FSE I - Application Exercise 7<br />
Name: ____________________________________ ___<br />
Date: ______________ _<br />
Title: Quantifying Initiating Events and Layers of Protection<br />
Duration: 20 minutes<br />
Objective: At the end of this exercise, participants will be able to use statistical<br />
average data to quantify initiating events and protection layer effectiveness.<br />
PROCEDURE:<br />
Each participant should individually attempt to do the exercises. When they are finished, the<br />
entire class will review the problems and the answers.<br />
Use the excerpts from "Guidelines for Process Equipment Reliability Data" to quantify the rates<br />
and/or probabilities of the following situations.<br />
1. A motor driven fan fails to provide cooling air, initiating an accident.<br />
2. A flexible hose ruptures, initiating an accident.<br />
3. A non-operated check valve, with a periodic inspection and test interval of four years,<br />
fails to prevent an accident.<br />
FSE I - Application Exercise 8<br />
Name: ____________________________________ ___<br />
Date: ______________ ___<br />
Title: Assigning <strong>Safety</strong> Integrity Levels<br />
Duration: 20 minutes<br />
Objective: At the end of this exercise, participants will be able to assign safety<br />
integrity levels given the consequence and likelihood of the hazard. The<br />
assignment will be performed using several tolerable risk representations.<br />
PROCEDURE:<br />
Each participant should individually attempt to do the exercises. When they are finished, the<br />
entire class will review the problems and the answers.<br />
An accident can occur that will cause the release of 2,000-pounds of highly toxic phosgene from a<br />
reactor that makes polycarbonate resin. Risk analysis has shown that the probable loss of life due<br />
to this release is 75.6 fatalities per event. The analysis also showed that the accident has an<br />
unmitigated frequency of once per 892 years. Use the risk graph, risk matrix 1, frequency based<br />
target, and individual risk target methods described in this section to select safety integrity levels.<br />
* Individual risk target for the facility is 1.0 x 10^-4 /year.<br />
FSE I - Application Exercise 9<br />
Name: ______________________________________ ___<br />
Date: ________________ _<br />
Title: Comprehensive SIL Selection Exercise<br />
Duration: 40 minutes<br />
Objective: The purpose of this exercise is to allow the participant to practice and<br />
demonstrate all of the skills learned in this training course through one<br />
comprehensive exercise. This exercise should be done in small groups of<br />
approximately four participants.<br />
PROCEDURE:<br />
Each participant should individually attempt to do the exercises. When they are finished, the<br />
entire class will review the problems and the answers.<br />
A chemical processor has just performed an upgrade of a process heater. The upgrade was<br />
complex enough for the Management of Change procedures to be used. During the process a<br />
new HAZOP was performed on the process section.<br />
Review the HAZOP study to determine if there are any new SIS requirements. If so, select a<br />
safety integrity level. The process plant's tolerable risk target is based on the risk integral with a<br />
target individual risk of 1.0 x 10^-4.<br />
Process Diagram:<br />
[Figure: flash drum with a pressure safety valve (PSV) venting to a safe location; vapor line to users]<br />
FSE I - Pre-Class Exercise Solutions<br />
1. What does the <strong>Safety</strong> Integrity Level (SIL) measure?<br />
The safety integrity level is a measure of risk reduction. The SIL that is selected during the<br />
requirements portion of the safety life cycle is a measure of the risk reduction required to<br />
make the process risk tolerable. During the verification stage of the safety life cycle the<br />
amount of risk reduction that an SIS can provide is quantitatively determined.<br />
2. The probability of:<br />
P(A and B) = PA * PB (Probability Multiplication)<br />
P(A or B) = PA + PB - (PA * PB), or 1 - (1 - PA)*(1 - PB) (Probability Addition)<br />
(where A and B are not mutually exclusive)<br />
If A and B are mutually exclusive:<br />
P(A or B) = PA + PB<br />
3. Name three different consequences that can occur as the result of a flammable material<br />
release.<br />
Looking at the kinds of events there are flash fires, jet fires, pool fires, vapor cloud<br />
explosions, and toxic releases with no fire.<br />
Looking at forms of harm there could be deaths, injuries, environmental damage and<br />
financial items such as lost production, damaged equipment, lost sales, legal penalties, and<br />
corporate image problems.<br />
4. What are the three parts of an event tree?<br />
1. Initiating Events<br />
2. Branches or propagation steps or escalating events<br />
3. Outcomes<br />
5. How are the initiating events and layers of protection logically related to the outcome<br />
probability in a layer of protection analysis? What type of probability math is used to<br />
relate them?<br />
The probability of an outcome is the probability that an initiating event occurs AND all of<br />
the protection layers fail. Probability multiplication is used to determine the outcome<br />
probability.<br />
6. Where can information on what initiating events and layers of protection are involved with a<br />
hazard be found?<br />
The process hazards analysis (PHA) often using the HAZOP method is a systematic study of<br />
a process that is designed to identify hazards that exist. The PHA will identify all hazards<br />
that already have an SIS in place and all locations where an SIS is recommended. In<br />
addition, the causes, consequences, and safeguards are listed.<br />
7. What measure is used in LOPA to demonstrate the effectiveness of a safeguard, and how is<br />
it calculated?<br />
The effectiveness of safeguards is demonstrated as Probability of Failure on Demand<br />
(PFDavg). PFDavg is a function of an item's failure rate (λ) and test interval (TI). These quantities<br />
are related by the following equation:<br />
PFDavg = (λ * TI) / 2<br />
8. Name two methods that can be used to assign SIL given that a consequence and likelihood<br />
have been determined.<br />
Risk Matrix<br />
Risk Graph<br />
Frequency Based Target<br />
Individual Risk Based Target<br />
9. What standards are available to assist in design of burner management systems in your<br />
plant's location?<br />
NFPA 85 and NFPA 86 in the US<br />
AS 3814 / AG 501 and AS 1375 in Australia<br />
FSE I - Application Exercise 1<br />
Title:<br />
Tolerable Risk<br />
1. Develop a tolerable risk guideline and risk matrix for environmental risks ranging from 1 per<br />
100 years to 1 per 100,000 year events and ranging from a release inside the plant with small<br />
consequences up to a release outside the plant with large permanent consequences. Assume<br />
all extreme risks will be reduced and all moderate risks will be reduced where practical.<br />
Frequency | Internal release with small consequences | Internal release with large consequences, or external release with small temporary consequences | External release with large temporary or small permanent consequences | External release with large permanent consequences<br />
1/100 yrs | Acceptable | Moderate | Extreme | Extreme<br />
1/1,000 yrs | Acceptable | Acceptable | Moderate | Extreme<br />
1/10,000 yrs | Acceptable | Acceptable | Moderate | Moderate<br />
1/100,000 yrs | Acceptable | Acceptable | Acceptable | Moderate<br />
2. Compare your tolerance with that of the example matrix in the slides and identify the<br />
equality points. (Where does the tolerable frequency match for different consequences?)<br />
In the proposed answer,<br />
Recordable injury roughly matches internal release with small consequences<br />
Lost time injury roughly matches internal release with large consequences or external release with<br />
small temporary consequences<br />
Permanent injury roughly matches external release with large temporary or small permanent<br />
consequences<br />
Many deaths roughly matches external release with large permanent consequences<br />
3. Are there any significant points where the risk tolerance is inconsistent? For example does<br />
the tolerance for external releases with large temporary consequences match that for many<br />
human fatalities?<br />
In the proposed answer, most items are generally consistent depending on the view of one death<br />
vs external release with small permanent consequences. Better definition on the large and small<br />
consequences is probably needed to make this a more useful working guide. Note that with the<br />
same number of categories and the same risk tolerances, the matrix can be combined with the one<br />
from the slides relatively easily by incorporating a definitions table for the four different<br />
consequence magnitudes.<br />
FSE I - Application Exercise 2<br />
Title:<br />
Probability<br />
1. An insurance company studied 32400 persons for six months. There were 1800 accidents.<br />
If this dangerous condition is equally likely at any moment, what is the probability of an<br />
average person having an accident in any given year?<br />
The probability of an event is the number of outcomes divided by the number of chances and<br />
can be approximated by the accident rate in this case. There are 32,400 people x 1/2 year = 16,200<br />
person-years of exposure and 1800 accidents. This converts to one accident for every nine<br />
person-years of exposure. So,<br />
P = outcomes / chances ≈ 1800 accidents / 16200 person-years = 1/9 = 0.11<br />
2. We toss three fair coins. What is the probability of getting three heads?<br />
The probability of getting three heads is the ANDing of the probabilities of getting a head on<br />
each of three individual tosses. For each individual toss the probability of heads is 1/2.<br />
P1 = P2 = P3 = 0.5<br />
Poverall = P1 * P2 * P3 = 0.5 * 0.5 * 0.5 = 0.125<br />
3. A system will fail if a power supply fails or a controller fails. The probability of a power<br />
supply failure during the next year is 0.05. The probability of a controller failure in the next<br />
year is 0.01. What is the probability of system failure?<br />
The probability of system failure is given if the power supply OR the controller fails.<br />
The events are logically OR'd so use probability addition. Also, the events are not mutually<br />
exclusive (i.e., both the sight glass and transmitter can fail at the same time), so use the<br />
form:<br />
P(A or B) = PA + PB - PA * PB<br />
Psystem failure = 0.05 + 0.01 - 0.05 * 0.01 = 0.0595<br />
4. A check valve has a probability of not stopping reverse flow of 0.015 in a one-year interval.<br />
The probability of getting a dangerous condition in the next year is 0.004. What is the<br />
probability of dangerous condition AND not having the check valve operate?<br />
The occurrence of the described situation is the logical ANDing of two probabilities. Use<br />
probability multiplication.<br />
Poverall = 0.015 * 0.004 = 0.00006<br />
FSE I - Application Exercise 3<br />
1. A fault tree is shown below. What is the outcome frequency?<br />
[Fault tree figure: Fa (Freq. = 10 / year), Pb (P = 0.05) and Pc (P = 0.1) feed a single AND gate]<br />
Outcome Frequency = Fa * Pb * Pc = 10 * 0.05 * 0.1 = 0.05 /year<br />
2. A fault tree is shown below. What is the output probability?<br />
[Fault tree figure: P = 0.001, P = 0.002 and P = 0.005 feed a single OR gate]<br />
Probability = 0.001 + 0.002 + 0.005 - 0.001*0.002 - 0.001*0.005 - 0.002*0.005 +<br />
0.001*0.002*0.005 = 0.007983<br />
OR<br />
Approx. Probability = 0.001 + 0.002 + 0.005 = 0.008<br />
3. A fault tree is shown below. What is the output probability?<br />
[Fault tree figure: Pa = 0.004, Pb = 0.010 and P = 0.006 feed an OR gate (P = 0.01988); P = 0.080 and P = 0.100 feed an AND gate (P = 0.008); the two gate outputs feed the top AND gate (P = 0.000159)]<br />
P for the top OR gate = 1 - (1 - 0.004)*(1 - 0.010)*(1 - 0.006) = 0.01988<br />
or<br />
Approximate P for the top OR gate = 0.004 + 0.010 + 0.006 = 0.020<br />
P for the bottom AND gate = 0.080*0.100 = 0.008<br />
Total Probability = 0.01988*0.008 = 0.000159<br />
Approximate Total Probability = 0.020*0.008 = 0.00016<br />
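The gate rules behind the three fault-tree solutions above (and the pre-class probability answers), as an added worked example that is not part of the exida notebook; Event, Gate and evaluate are names assumed here, and all basic events are assumed independent.<br />

```python
"""Fault tree gate evaluation, exact and rare-event approximation.

Added example (not exida's own code) reproducing Application Exercise 3:
an AND gate fed by one frequency and two probabilities, an OR gate of
three probabilities, and a nested tree. Basic events are assumed independent.
"""
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Event:
    """Basic event. unit is 'prob' (dimensionless) or 'freq' (per year)."""
    value: float
    unit: str = "prob"


@dataclass
class Gate:
    kind: str                                            # "AND" or "OR"
    inputs: List[Union["Gate", Event]] = field(default_factory=list)


def evaluate(node, approx: bool = False) -> Event:
    """Return the Event at a node. approx=True uses the rare-event sum for OR gates."""
    if isinstance(node, Event):
        return node
    vals = [evaluate(n, approx) for n in node.inputs]
    freqs = [v for v in vals if v.unit == "freq"]
    probs = [v for v in vals if v.unit == "prob"]
    if node.kind == "AND":
        # At most one frequency may enter an AND gate; the other inputs must
        # be probabilities, and the output then carries the frequency's unit.
        if len(freqs) > 1:
            raise ValueError("AND gate with more than one frequency input")
        out = 1.0
        for p in probs:
            out *= p.value
        if freqs:
            return Event(freqs[0].value * out, "freq")
        return Event(out, "prob")
    if node.kind == "OR":
        if freqs and probs:
            raise ValueError("OR gate mixing frequencies and probabilities")
        if freqs:
            # Frequencies of independent initiating events simply add.
            return Event(sum(f.value for f in freqs), "freq")
        if approx:
            # Rare-event approximation: plain sum, slightly conservative.
            return Event(sum(p.value for p in probs), "prob")
        # Exact form for independent inputs: 1 - product of (1 - p).
        out = 1.0
        for p in probs:
            out *= 1.0 - p.value
        return Event(1.0 - out, "prob")
    raise ValueError(f"unknown gate {node.kind!r}")


# Exercise 3, problem 1: Fa = 10 /year, Pb = 0.05, Pc = 0.1 into an AND gate.
problem1 = Gate("AND", [Event(10.0, "freq"), Event(0.05), Event(0.1)])

# Exercise 3, problem 2: OR gate of 0.001, 0.002, 0.005.
problem2 = Gate("OR", [Event(0.001), Event(0.002), Event(0.005)])

# Exercise 3, problem 3: top AND gate fed by an OR gate (0.004, 0.010, 0.006)
# and a second AND gate (0.080, 0.100).
problem3 = Gate("AND", [
    Gate("OR", [Event(0.004), Event(0.010), Event(0.006)]),
    Gate("AND", [Event(0.080), Event(0.100)]),
])

if __name__ == "__main__":
    print("Problem 1 outcome frequency:", evaluate(problem1).value, "/year")
    print("Problem 2 exact / approx:", evaluate(problem2).value,
          evaluate(problem2, approx=True).value)
    print("Problem 3 exact / approx:", evaluate(problem3).value,
          evaluate(problem3, approx=True).value)
```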
FSE I - Application Exercise 4<br />
Title: Consequence Analysis Overview<br />
1. Your company is estimating the risk posed by the failure of a new railroad track switching<br />
system. Estimate the average consequence, in terms of injuries and fatalities, of a train<br />
accident using the following data.<br />
In 1996,<br />
550 Fatalities<br />
10,948 Injuries<br />
2,443 Accidents<br />
Data from Transportation Statistics Annual Report 1998, Bureau of Transportation<br />
Statistics, US Department of Transportation, BTS98-S-01.<br />
The average consequence is calculated by dividing the total consequence by the number of<br />
opportunities.<br />
Average Consequence = (# consequences) / (# opportunities)<br />
Average Fatalities = 550 / 2,443 = 0.225<br />
Average Injuries = 10,948 / 2,443 = 4.48<br />
2. Explain why average industry loss data may not be a valid way to estimate the consequence<br />
for chemical accidents.<br />
For industry average data to be valid two conditions must be satisfied. 1) There must be a<br />
large number of incidents from which to draw data. 2) Each of the incidents must occur<br />
under roughly similar circumstances. Neither of these two conditions is true for chemical<br />
accidents. Luckily, the number of chemical accidents is fairly small. Additionally, all<br />
chemical plants are very different. It is very unlikely that potential consequences of different<br />
plants will be similar enough to allow statistical analysis.<br />
3. A high-pressure vessel containing flammable gas that is liquefied under pressure undergoes<br />
an incident where it is expected to instantaneously rupture. What type of incident outcome<br />
can be expected if there is a source of ignition? If there is no source of ignition?<br />
If there is a source of ignition, a fireball will occur. If there is no source of ignition, possible<br />
consequences include equipment damage and other economic losses.<br />
FSE I - Application Exercise 5<br />
Title:<br />
Event Tree Analysis<br />
PROCEDURE:<br />
1. Draw an event tree that describes the following situation: (Use the back of this sheet)<br />
• A toxic release can be initiated by a delivery driver pumping more material into a storage<br />
tank than the available capacity.<br />
• The delivery driver may or may not realize there is not enough capacity for the material<br />
that he is delivering, and then not attempt to transfer the material.<br />
• The driver may carefully monitor the level in the storage tank and stop the material<br />
transfer before a release occurs.<br />
Event tree (headings: More material than available space; Driver does not notice lack of available space; Driver does not detect high level in tank after starting pump):<br />
TRUE, TRUE, TRUE: Spill<br />
TRUE, TRUE, FALSE: No Event<br />
TRUE, FALSE: No Event<br />
2. Using the following data, quantify the frequency at which toxic releases occur.<br />
• Based on historical data, delivery drivers are requested to deliver to storage tanks that do<br />
not have the required capacity approximately 3 times per year.<br />
• Due to a training initiative educating the drivers on the hazards of overfilling the tank, the<br />
probability that the driver will try to fill a tank that does not have sufficient capacity is<br />
estimated at 0.01.<br />
• The probability that the driver will not detect a high level condition after he has begun<br />
transfer is estimated at 0.1.<br />
Quantified event tree (headings: More material than available space; Driver does not notice lack of available space; Driver does not detect high level in tank after starting pump):<br />
3/year, TRUE (0.01), TRUE (0.1): Spill, 0.003 /year<br />
3/year, TRUE (0.01), FALSE (0.9): No Event, 0.027 /year<br />
3/year, FALSE (0.99): No Event, 2.97 /year<br />
FSE I - Application Exercise 6<br />
Title:<br />
Layer of Protection Analysis<br />
PROCEDURE:<br />
1. Draw a LOPA diagram that describes the following situation<br />
[Process sketch: stirred reactor charged with Reactant A through the manhole; cooling water supply to the jacket and return to drain; product solution withdrawn from the bottom]<br />
PROCESS:<br />
A pharmaceutical company has developed a new process to produce one of its drugs. The<br />
process creates an aqueous solution that is withdrawn from the bottom of the pressurized, water<br />
cooling jacketed, continuously stirred tank reactor. The vessel is charged by filling it with 250 kg<br />
of water and manually dumping 125 kg, or 5 bags of reactant A into the vessel. After the vessel is<br />
charged and closed, the stirring mechanism is started and the vessel's jacket is flooded with<br />
cooling water. After the stirring and cooling have been established a small metered rate of 0.005<br />
kg/min of reactant B is continuously added to the solution. Reactants A and B combine to form<br />
the desired product. Each batch operates for three weeks, and 12 batches are operated per year.<br />
HAZARDS:<br />
The reaction of A and B is nearly instantaneous and highly exothermic. Safe operation of this<br />
process requires that an excess amount of reactant B never be allowed into the reactor, and that<br />
cooling water continuously be flowing through the jacket. Hazard analysis determined that the<br />
following events could cause a "runaway" reaction and physical explosion of the vessel.<br />
1. Failure of controller FIC-01 causing uncontrolled reactant B entry into the reaction vessel.<br />
2. Failure of cooling water supply causing heat and pressure to build up in the vessel.<br />
The following layers of protection were identified as a safeguard against explosion of the vessel<br />
due to runaway reaction.<br />
1. A rupture disk set to relieve the pressure well below the design pressure of the vessel<br />
2. Operator intervention to high vessel temperature, high vessel pressure and low cooling<br />
water flow alarms. The alarm system is independent from the control system with no<br />
common components.<br />
It was also noted in the hazard assessment that the rupture disk pressure relief would not be<br />
effective in the situation where controller FIC-01 failed, because pressure can not be vented as<br />
fast as it is generated.<br />
2. Quantify the LOPA Diagrams<br />
The following frequencies and failure probabilities were determined by a process engineer after<br />
reviewing the history of the plant.<br />
Flow control fails open: 1/25/year<br />
Cooling Water Pump Fails: 1/75/year<br />
Rupture Disk PFD: 0.0956<br />
Operator Response to Cooling Water Loss: 0.1<br />
Operator Response to Control Failure: 0.1<br />
In this case, the use fraction is treated as a layer of protection. An accident can only occur when<br />
the hazard is present.<br />
3 weeks/batch * 7 days/week * 12 batches/year= 252 days/year of operation<br />
Use fraction is 252 days /365 days= 0.69 = 69%<br />
1. FIC-01 Failure (1/25 /yr) → Operator Failure (0.1) → Use Fraction (0.69) → Explosion, 2.76E-03 /yr; any layer that works leads to No Event<br />
2. Cooling Water Pump Failure (1/75 /yr) → Rupture Disk (0.0956) → Operator Failure (0.1) → Use Fraction (0.69) → Explosion; any layer that works leads to No Event<br />
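The Exercise 5 event tree and the two Exercise 6 LOPA diagrams, quantified by an added example that is not exida's own code; event_tree and lopa are names assumed here, every branch and layer is assumed independent, and the use fraction is rounded to 0.69 as in the solution.<br />

```python
"""Event tree and LOPA quantification.

Added example (not exida's own code) reproducing Application Exercise 5
(tank overfill event tree) and Application Exercise 6 (runaway reaction
LOPA with a use fraction). Branches and layers are assumed independent.
"""
from typing import Dict, List, Tuple

Leaf = Tuple[List[str], str, float]      # (path labels, outcome, frequency /year)


def event_tree(initiating_freq: float,
               branches: List[Tuple[str, float]],
               outcome_if_all_fail: str = "Spill",
               outcome_otherwise: str = "No Event") -> List[Leaf]:
    """Enumerate every leaf of a linear event tree.

    Each branch is (description, probability that the safeguard FAILS, i.e.
    the TRUE leg). The hazardous outcome occurs only when every branch takes
    its TRUE leg; any FALSE leg ends the sequence as a non-event. The leaf
    frequencies always sum back to the initiating frequency.
    """
    leaves: List[Leaf] = []
    freq = initiating_freq
    path: List[str] = []
    for desc, p_fail in branches:
        # FALSE leg: this safeguard works, so the sequence ends here.
        leaves.append((path + [f"{desc}: FALSE"], outcome_otherwise,
                       freq * (1.0 - p_fail)))
        # TRUE leg: the safeguard fails; carry the residual frequency on.
        freq *= p_fail
        path = path + [f"{desc}: TRUE"]
    leaves.append((path, outcome_if_all_fail, freq))
    return leaves


def lopa(initiating_freq: float, layers: Dict[str, float]) -> float:
    """Mitigated frequency = initiating frequency x product of the layer PFDs.

    A use fraction (share of the year the hazard exists) is passed as just
    another multiplicative layer, exactly as the exercise solution does.
    """
    freq = initiating_freq
    for name, pfd in layers.items():
        if not 0.0 <= pfd <= 1.0:
            raise ValueError(f"PFD of {name!r} must be a probability")
        freq *= pfd
    return freq


# Exercise 5: 3 overfill requests/year; driver does not notice (0.01);
# driver does not detect the high level after starting the pump (0.1).
overfill = event_tree(3.0, [
    ("Driver does not notice lack of space", 0.01),
    ("Driver does not detect high level", 0.1),
])

# 3 weeks/batch * 7 days/week * 12 batches/year = 252 days -> 0.69 (rounded as
# in the solution).
USE_FRACTION = round(3 * 7 * 12 / 365, 2)

# Exercise 6, scenario 1: FIC-01 fails open. No credit for the rupture disk,
# because pressure cannot be vented as fast as it is generated.
fic01_explosion = lopa(1 / 25, {"Operator fails to respond": 0.1,
                                "Use fraction": USE_FRACTION})

# Exercise 6, scenario 2: cooling water pump fails; rupture disk, operator
# and use fraction all apply.
cooling_explosion = lopa(1 / 75, {"Rupture disk": 0.0956,
                                  "Operator fails to respond": 0.1,
                                  "Use fraction": USE_FRACTION})

if __name__ == "__main__":
    for path, outcome, f in overfill:
        print(f"{outcome:9s} {f:.4g} /year  via {' -> '.join(path)}")
    print(f"FIC-01 explosion frequency: {fic01_explosion:.3g} /year")
    print(f"Cooling water explosion frequency: {cooling_explosion:.3g} /year")
```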
FSE I - Application Exercise 7<br />
Title:<br />
Quantifying Initiating Events and Layers of Protection<br />
PROCEDURE:<br />
Use the excerpts from "Guidelines for Process Equipment Reliability Data" to quantify the rates<br />
and/or probabilities of the following situations.<br />
1. A motor driven fan fails to provide cooling air, initiating an accident.<br />
Use data from "Guidelines for Process Equipment Reliability Data" table 3.3.4, use the mean<br />
failure rate. Failure mode of interest is "Fails while running".<br />
9.09 failures / 10^6 hours<br />
converting to failures per year,<br />
9.09 failures x 8760 hours/year / 10^6 hours = 0.08 failures / year<br />
* Initiating events are described by a frequency.<br />
2. A flexible hose ruptures, initiating an accident.<br />
Use data from "Guidelines for Process Equipment Reliability Data" table 3.2.5, use the mean<br />
failure rate. Failure mode of interest is "Rupture".<br />
0.570 failures / 10^6 hours<br />
converting to failures per year,<br />
0.570 failures x 8760 hours/year / 10^6 hours = 0.005 failures / year<br />
3. A non-operated check valve, with a periodic inspection and test interval of four years,<br />
fails to prevent an accident.<br />
Use data from "Guidelines for Process Equipment Reliability Data" table 3.5.1.2, use the<br />
mean failure rate. Use catastrophic, which are given per unit time, not failures per attempt.<br />
3.18 failures / 10^6 hours<br />
PFDavg = (λ * TI) / 2<br />
PFDavg = (0.00000318 * 4 * 8760) / 2 = 0.055<br />
* Protection layers must be described by a probability. In the case of periodic inspection<br />
and test, average probability of failure on demand, which is a function of failure rate<br />
and test interval, is the best probability to use.<br />
FSE I - Application Exercise 8<br />
Title:<br />
Assigning <strong>Safety</strong> Integrity Levels<br />
PROCEDURE:<br />
An accident can occur that will cause the release of 2,000 pounds of highly toxic phosgene from a<br />
reactor that makes polycarbonate resin. Risk analysis has shown that the probable loss of life due<br />
to this release is 75.6 fatalities per event. The analysis also showed that the accident has an<br />
unmitigated frequency of once per 892 years. Use the risk graph, risk matrix 1, frequency based<br />
target, and individual risk target methods described in this section to select safety integrity levels.<br />
* Individual risk target for the facility is 1.0 x 10^-4 /year.<br />
SOLUTIONS:<br />
a. Risk Matrix<br />
Consequence → Extensive<br />
Likelihood → 1/892 per year = 1.2 x 10^-3 → Moderate<br />
[Risk matrix 1 figure: likelihood rows High / Moderate / Low against the consequence columns; the Moderate likelihood, Extensive consequence cell gives SIL 3]<br />
SIL = 3<br />
Note b: One Level 3 <strong>Safety</strong> Instrumented Function may not provide sufficient risk<br />
reduction at this risk level. Additional review is required (see note a).<br />
Note a: This approach is not considered suitable for SIL 4.<br />
b. Risk Graph<br />
Consequence → CD<br />
Occupancy → FB<br />
* No credit taken for lack of occupancy; this factor is consolidated in the PLL = 75.6<br />
estimate<br />
Probability of Avoidance → PB<br />
* No credit taken for lack of occupancy; this factor is consolidated in the PLL = 75.6<br />
estimate<br />
Demand Rate → W1<br />
Following the Risk Graph path yields SIL = 3<br />
c. Frequency Based Target<br />
Select target based on consequence<br />
→ Extensive, 1.0 x 10^-6<br />
RRF = (1/892) / 1.0 x 10^-6 = 1121<br />
* Selected SIF RRF must be greater than 1121, so an SIF w/ SIL = 4<br />
d. Individual Risk Target<br />
Select target based on consequence<br />
Ftarget = 1.0 x 10^-4 / 75.6 = 1.32 x 10^-6<br />
RRF = (1/892) / 1.32 x 10^-6 = 849<br />
* Selected SIF RRF must be greater than 849, so an SIF w/ SIL = 3<br />
FSE I - Application Exercise 9<br />
Title:<br />
Comprehensive SIL Selection Exercise<br />
PROCEDURE:<br />
A chemical processor has just performed an upgrade of a process heater. The upgrade was<br />
complex enough for the Management of Change procedures to be used. During the process a<br />
new HAZOP was performed on the process section.<br />
Review the HAZOP study to determine if there are any new SIS requirements. If so, select a<br />
safety integrity level. The process plant's tolerable risk target is based on the risk integral with a<br />
target individual risk of 1.0 x 10^-4.<br />
Process Diagram:<br />
[Figure: wet gas from a reciprocating compressor into a flash drum; vapor line to users]<br />
Process Description:<br />
A "wet" hydrocarbon gas is compressed by a reciprocating compressor into a flash drum. In the<br />
flash drum liquid and vapor separate. The liquid is withdrawn from the bottom of the flash drum<br />
under level control and vapor is withdrawn from the top of the vessel and either compressed and<br />
sent to downstream users or sent to flare under pressure control. The flare line has not been sized<br />
to pass the full discharge of the wet gas compressor to flare.<br />
HAZOP Report Output<br />
SIF: Open vent valve upon high pressure in vessel<br />
Consequence: Overpressure and rupture of vessel<br />
Initiating event: Outlet vapor compressor fails<br />
Protection Layers: Operator intervention; Relief Valve<br />
• Relief valve is pilot operated, tested annually.<br />
• "Wet gas" compressor is a motor driven reciprocating compressor<br />
• "Vapor withdrawal" compressor is a motor driven reciprocating compressor<br />
• Operator is well trained, but only has 15 seconds to perform a shutdown before an<br />
accident occurs.<br />
• Consequence analysis has determined a PLL=0.15 for the overpressure and explosion of<br />
the flash drum.<br />
SOLUTION<br />
Step 1 - The LOPA diagram for the overpressure consequence is as follows.<br />
[LOPA diagram: Vapor withdrawal compressor failure → Operator intervention → Relief valve → Overpressure; any layer that works leads to No Event]<br />
Step 2 - Quantify the LOPA diagram.<br />
[Quantified LOPA diagram: 21.6 /year → operator PFD 1.0 → relief valve PFD 0.00415 → Overpressure; any layer that works leads to No Event]<br />
Vapor withdrawal compressor failure - Table 3.3.2.1<br />
2470.0 failures / 10^6 hours → 21.6 failures per year<br />
Operator Failure - Simplified Method<br />
Conditions for PFD = 0.1 are not met - use PFD = 1.0<br />
Relief valve fails - Table 4.3.3.1<br />
4.15 failures / 10^3 demands<br />
PFD = 0.00415<br />
Step 3 - Select SIL (Individual Risk / Risk Integral)<br />
Mitigated event frequency from Step 2: 21.6 /year × 1.0 × 0.00415 = 0.0896 /year<br />
F_target = 1.0 × 10^-4 / 0.15 = 6.67 × 10^-4<br />
PFD = 6.67 × 10^-4 / 0.0896 = 7.44 × 10^-3<br />
RRF = 134<br />
SIL = 3 (or SIL 2 with a RRF suitably greater than 134)<br />
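The arithmetic of Steps 2 and 3, as an added Python example that is not part of the exida notebook: it takes a failure rate per 10^6 hours, a list of independent protection layers, the PLL and the individual risk target of 1.0 × 10^-4 per year (read off the Step 3 formula), and returns the required PFD, RRF and the IEC 61508 demand-mode SIL band for any such case, not just the flash drum. The band returned is the one the required PFD falls in; the worksheet's answer additionally offers SIL 3 as the conservative choice because a SIL 2 design must still be shown to reach RRF 134 rather than only the band's lower edge.<br />

```python
"""LOPA quantification and SIL selection (added example, not exida's code)."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760  # the notebook converts rates with 8,760 h/year

# IEC 61508 demand-mode bands as (SIL, PFDavg lower bound, upper bound).
SIL_BANDS = (
    (1, 1e-2, 1e-1),
    (2, 1e-3, 1e-2),
    (3, 1e-4, 1e-3),
    (4, 1e-5, 1e-4),
)


@dataclass(frozen=True)
class ProtectionLayer:
    """One independent protection layer; pfd = 1.0 means no credit taken."""
    name: str
    pfd: float


def failures_per_year(failures_per_1e6_hours: float) -> float:
    """Convert a failure rate quoted per 10^6 hours into events per year."""
    return failures_per_1e6_hours * 1e-6 * HOURS_PER_YEAR


def mitigated_frequency(initiating_freq: float, layers) -> float:
    """Frequency at which the initiating event reaches the consequence.

    Layers are assumed independent, so their PFDs multiply.
    """
    freq = initiating_freq
    for layer in layers:
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"{layer.name}: PFD must be in (0, 1]")
        freq *= layer.pfd
    return freq


def target_frequency(individual_risk_target: float, pll: float) -> float:
    """Tolerable event frequency from the individual risk target and the PLL."""
    return individual_risk_target / pll


def required_pfd(target_freq: float, mitigated_freq: float) -> float:
    """PFD the new SIF must achieve; >= 1.0 means existing layers suffice."""
    return target_freq / mitigated_freq


def sil_for_pfd(pfd: float) -> int:
    """Map a required PFD to its IEC 61508 demand-mode band.

    Returns 0 when no SIL is needed (PFD >= 0.1, i.e. below SIL 1) and
    raises when the requirement is beyond SIL 4.
    """
    if pfd >= 0.1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    raise ValueError("required PFD below 1e-5 exceeds SIL 4; revisit the design")


def flash_drum_case() -> dict:
    """The notebook's numbers: Tables 3.3.2.1 and 4.3.3.1, PLL = 0.15,
    individual risk target 1.0e-4 /year; operator gets no credit (15 s)."""
    initiating = round(failures_per_year(2470.0), 1)        # 21.6 /year
    layers = [
        ProtectionLayer("operator intervention (15 s, no credit)", 1.0),
        ProtectionLayer("pilot-operated relief valve", 4.15 / 1e3),
    ]
    mitigated = mitigated_frequency(initiating, layers)      # 0.0896 /year
    f_target = target_frequency(1.0e-4, 0.15)                # 6.67e-4 /year
    pfd = required_pfd(f_target, mitigated)                  # 7.44e-3
    return {
        "initiating_per_year": initiating,
        "mitigated_per_year": mitigated,
        "target_per_year": f_target,
        "required_pfd": pfd,
        "rrf": 1.0 / pfd,
        "sil_band": sil_for_pfd(pfd),
    }


if __name__ == "__main__":
    for key, value in flash_drum_case().items():
        print(f"{key:>20}: {value:.4g}")
```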
SECTION 3<br />
Additional Resources<br />
IEC 61508 Overview Report<br />
An exida Summary<br />
of the<br />
IEC61508 Standard for <strong>Functional</strong> <strong>Safety</strong> of<br />
Electrical/Electronic/Programmable Electronic<br />
<strong>Safety</strong>-Related Systems<br />
exida.com<br />
Sellersville, PA 18960, USA<br />
+1-215453-1720<br />
©exida.com<br />
IEC61508 Overview Report, Version 1.1, September 25, 2002<br />
Page 1 of 27
1 Overall Document Summary<br />
IEC61508 is an international standard for the "functional safety" of electrical, electronic, and<br />
programmable electronic equipment. This standard started in the mid-1980s when the<br />
International Electrotechnical Committee Advisory Committee of Safety (IEC ACOS) set up<br />
a task force to consider standardization issues raised by the use of programmable electronic<br />
systems (PES). At that time, many regulatory bodies forbade the use of any software-based<br />
equipment in safety critical applications. Work began within IEC SC65A/Working Group 10 on a<br />
standard for PES used in safety-related systems. This group merged with Working Group 9<br />
where a standard on software safety was in progress. The combined group treated safety as a<br />
system issue.<br />
The total IEC61508 standard is divided into seven parts.<br />
Part 1: General requirements (required for compliance);<br />
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems<br />
(required for compliance);<br />
Part 3: Software requirements (required for compliance);<br />
Part 4: Definitions and abbreviations (required for compliance);<br />
Part 5: Examples of methods for the determination of safety integrity levels (supporting<br />
information);<br />
Part 6: Guidelines on the application of parts 2 and 3 (supporting information);<br />
Part 7: Overview of techniques and measures (supporting information).<br />
Parts 1, 3, 4, and 5 were approved in 1998. Parts 2, 6, and 7 were approved in February 2000.<br />
The relationship between the technical requirements presented in parts 1, 2, and 3 and the<br />
supporting information in parts 4 through 7 is shown in Figure 1.<br />
Figure 1: Technical requirements of IEC61508. (Figure residue; recovered panel titles: Part 1: development of the overall safety requirements (scope, hazard and risk analysis); Part 5: risk-based approaches to the development of the safety integrity requirements; Parts 2 and 3: realisation phase for E/E/PE safety-related systems; Part 1: installation and commissioning and safety validation of E/E/PE safety-related systems; Part 6: guidelines for the application of parts 2 and 3; Part 7: overview of techniques and measures; Part 1: operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems.)<br />
Although the standard has been criticized for its "extensive" documentation requirements and<br />
use of unproven "statistical" techniques, in many industries it represents a great step forward.<br />
The standard focuses attention on risk-based safety-related system design, which should result<br />
in far more cost-effective implementation. This cost saving has been verified in a study by the<br />
AIChE. The standard also requires the attention to detail that is vital to any safe system design.<br />
Because of these features and the large degree of international acceptance for a single set of<br />
documents, many consider the standard to be a major advance for the technical world.<br />
OBJECTIVES OF THE STANDARD<br />
IEC61508 is a basic safety publication of the International Electrotechnical Commission (IEC).<br />
As such, it is an "umbrella" document covering multiple industries and applications. A primary<br />
objective of the standard is to help individual industries develop supplemental standards,<br />
tailored specifically to those industries based on the original 61508 standard. A secondary goal<br />
of the standard is to enable the development of E/E/PE safety-related systems where specific<br />
application sector standards do not already exist.<br />
As of January 2001, work has already begun on two such industry specific standards: IEC61511<br />
for the process industries and IEC62061 for machinery safety. Both of these standards, which<br />
are still in draft form, build directly on IEC61508 and reference it accordingly.<br />
SCOPE<br />
The 61508 standard covers safety-related systems when one or more of such systems<br />
incorporates electrical/electronic/programmable electronic devices. These devices can include<br />
anything from electrical relays and switches through to Programmable Logic Controllers<br />
(PLCs) and all the way up to complicated computer-driven overall safety systems. The<br />
standard specifically covers possible hazards created when failures of the safety functions<br />
performed by E/E/PE safety-related systems occur. The overall program to insure that the<br />
safety-related E/E/PE system brings about a safe state when called upon to do so is defined<br />
as "functional safety."<br />
IEC61508 does not cover safety issues like electric shock, hazardous falls, long-term exposure<br />
to a toxic substance, etc.; these issues are covered by other standards. IEC61508 also does not<br />
cover low safety E/E/PE systems where a single E/E/PE system is capable of providing the<br />
necessary risk reduction and the required safety integrity of the E/E/PE system is less than<br />
safety integrity level 1, i.e., the E/E/PE system is only reliable 90 percent of the time or less.<br />
IEC61508 is concerned with the E/E/PE safety-related systems whose failure could affect the<br />
safety of persons and/or the environment. However, it is recognized that the methods of<br />
IEC61508 also may be applied to business loss and asset protection cases.<br />
FUNDAMENTAL CONCEPTS<br />
The standard is based on two fundamental concepts: the safety life cycle and safety integrity<br />
levels. The safety life cycle is defined as an engineering process that includes all of the steps<br />
necessary to achieve required functional safety. The safety life cycle from IEC61508 is shown in<br />
Figure 2.<br />
Figure 2: Safety life cycle from IEC61508. (Figure residue; recovered labels: "Analysis" (end user / consultant); "Realisation" (vendor / contractor / end user), with "Safety-related systems: other technology realisation" and "External risk reduction facilities realisation"; "Operation" (end user / contractor).)<br />
It should be noted that the safety life cycle as drawn in the ISA84.01 standard (Figure 3) looks<br />
different from that in IEC61508. However, they convey the same intent and both should be<br />
viewed as similarly acceptable processes.<br />
The basic philosophy behind the safety life cycle is to develop and document a safety plan,<br />
execute that plan and document its execution (to show that the plan has been met), and<br />
continue to follow that safety plan through to decommissioning with further appropriate<br />
documentation throughout the life of the system. Changes along the way must similarly follow<br />
the pattern of planning, execution, validation, and documentation.<br />
Figure 3: Safety life cycle from ISA84.01. (Figure residue; recovered labels: Conceptual; Realisation.)<br />
Safety integrity levels (SILs) are order of magnitude levels of risk reduction. There are four SILs<br />
defined in IEC61508. SIL 1 has the lowest level of risk reduction. SIL 4 has the highest level of<br />
risk reduction. The SIL table for "demand mode" is shown in Figure 4. The SIL table for the<br />
continuous mode is shown in Figure 5.<br />
Figure 4: Safety integrity levels - demand mode. (Table residue; only the column headers survive: Safety Integrity Level; Probability of failure on demand per year (demand mode of operation); Risk Reduction Factor.)<br />
Figure 5: Safety integrity levels - continuous mode. (Table residue; no values survive.)<br />
The mode differences (defined in Part 4 of the standard) are:<br />
Low demand mode - where the frequency of demands for operation made on a safety-related<br />
system is no greater than one per year and no greater than twice the proof test frequency;<br />
High demand or continuous mode - where the frequency of demands for operation made on a<br />
safety-related system is greater than one per year or greater than twice the proof check<br />
frequency.<br />
Note that the proof test frequency refers to how often the safety system is completely tested and<br />
insured to be fully operational.<br />
While the continuous mode appears to be far more stringent than the demand mode, it should<br />
be remembered that the units for the continuous mode are per hour. The demand mode units<br />
assume a time interval of roughly one year per the definition. Considering the fact that there are<br />
about 10,000 hours in a year (actual 8,760), the modes are approximately the same in terms of<br />
safety metrics.<br />
Basically speaking, functional safety is achieved by properly designing a Safety Instrumented<br />
System (SIS) to carry out a <strong>Safety</strong> Instrumented Function (SIF) at a reliability indicated by the<br />
<strong>Safety</strong> Integrity Level (SIL). The concepts of risk and safety integrity are further discussed in<br />
Part 5 of the standard.<br />
COMPLIANCE<br />
The IEC61508 standard states: "To conform to this standard it shall be demonstrated that the<br />
requirements have been satisfied to the required criteria specified (for example safety integrity<br />
level) and therefore, for each clause or sub-clause, all the objectives have been met."<br />
In practice, demonstration of compliance often involves listing all of the IEC61508 requirements<br />
with an explanation of how each requirement has been met. This applies to both products<br />
developed to meet IEC61508 and specific application projects wishing to claim compliance.<br />
Because IEC61508 is technically only a standard and not a law, compliance is not always<br />
legally required. However, in many instances, compliance is identified as best practice and<br />
thus can be cited in liability cases. Also, many countries have incorporated IEC61508 or large<br />
parts of the standard directly into their safety codes, so in those instances it is indeed law.<br />
Finally, many industry and government contracts for safety equipment, systems, and services<br />
specifically require compliance with IEC61508. So although IEC61508 originated as a standard,<br />
its wide acceptance has led to legally required compliance in nearly all relevant cases.<br />
PARTS OF THE STANDARD<br />
Part 1 covers the basic requirements of the standard and provides a detailed presentation of the<br />
safety life cycle. This section is considered to be the most important, as it provides overall<br />
requirements for documentation, compliance, management of functional safety, and functional<br />
safety assessment. Three annexes provide examples of documentation structure (Annex A), a<br />
personnel competency evaluation (Annex B), and a bibliography (Annex C).<br />
Part 2 covers the hardware requirements for safety-related systems. Many consider this part,<br />
along with part 3, to be the key area for those developing products for the safety market. Part 2<br />
is written with respect to the entire system, but many of the requirements are directly applicable<br />
to safety-related hardware product development. Part 2 covers a detailed safety life cycle for<br />
hardware as well as specific aspects of assessing functional safety for the hardware. Part 2<br />
also has detailed requirements for techniques to deal with "control of failures during operation"<br />
in Annex A (required for compliance). This annex covers hardware fault tolerance, diagnostic<br />
capability requirements and limitations, and systematic safety integrity issues for hardware.<br />
Annex B of Part 2 (required for compliance) contains listings of "techniques and measures" for<br />
"avoidance of systematic failures during different phases of the life cycle." This covers design,<br />
analysis, and review procedures required by the standard. Annex C of Part 2 (required for<br />
compliance) discusses the calculation of diagnostic coverage factor (what fraction of failures are<br />
identified by the hardware) and safe failure fraction (what fraction of failures lead to a safe<br />
rather than a hazardous state). (Note: see exida.com technical papers for more detailed<br />
information on these topics.)<br />
Part 3 covers the software requirements for IEC61508. It applies to any software used in a<br />
safety-related system or software used to develop a safety-related system. This software is<br />
specifically referred to as safety-related software. This part provides details of the software<br />
safety life cycle, a process to be used when developing software. Annex A (required for<br />
compliance) provides a listing of "techniques and measures" used for software development<br />
where different development techniques are chosen depending on the SIL level of the software.<br />
Annex B (required for compliance) has nine detailed tables of design and coding standards and<br />
analysis and testing techniques that are to be used in the safety-related software development,<br />
depending on SIL level of the software and in some cases the choice of the development team.<br />
Part 4 contains the definitions and abbreviations used throughout all parts of the standard. This<br />
section is extremely useful both to those new to the standard and to those already familiar with<br />
it as a reference to the precise meanings of terms in the standard.<br />
Part 5 includes informative Annexes A through E which contain discussion and example<br />
methods for risk, safety integrity, tolerable risk, and SIL selection. It presents several techniques<br />
of SIL selection including both quantitative and qualitative methods. The quantitative method in<br />
Annex C is based on calculating the frequency of the hazardous event from failure rate data or<br />
appropriate predictive methods combined with an assessment of the magnitude of the<br />
consequence compared to the level of risk that can be tolerated in the given situation. The<br />
qualitative risk graph and severity matrixes essentially address the same frequency and<br />
magnitude components, only with general categories rather than numbers before comparing the<br />
situation with the tolerable risk level.<br />
Part 6 provides guidelines on the application of Parts 2 and 3 via informative Annexes A through<br />
E. Annex A gives a brief overview of Parts 2 and 3 as well as example flowcharts of detailed<br />
procedures to help with implementation. Annex B provides example techniques for calculating<br />
probabilities of failure for the safety-related system with tables of calculation results. Equations<br />
that approximate various example architectures are presented, although reliability block<br />
diagrams are used and these can be confusing in multiple failure mode situations. Annex C<br />
shows detailed calculation of diagnostic coverage factor based on FMEDA techniques. (Note:<br />
more information on the FMEDA technique (Failure Modes, Effects, and Diagnostics Analysis) is<br />
available in exida.com courses and papers.) Annex D shows a method for estimating the effect<br />
of common cause modes of failure (beta factors) in a redundant hardware architecture. This<br />
method lists relevant parameters and provides a method of calculation. Annex E shows<br />
examples applying the software integrity level tables of Part 3 for two different safety<br />
software cases.<br />
Part 7 contains important information for those doing product development work on equipment<br />
to be certified per IEC61508. Annex A addresses control of random hardware failures. It<br />
contains a reasonable level of detail on various methods and techniques useful for preventing or<br />
maintaining safety in the presence of component failures. Annex B covers the avoidance of<br />
systematic failures through the different phases of the safety life cycle. Annex C provides a<br />
reasonably detailed overview of techniques for achieving high software safety integrity. Annex D<br />
covers a probabilities-based approach for SIL determination of already proven software.<br />
2 Part 1: General Requirements<br />
SCOPE<br />
The IEC61508 standard covers safety-related systems when one or more of such systems<br />
incorporates electrical/electronic/programmable electronic devices. This includes relay-based<br />
systems, inherently safe solid-state logic based systems, and, perhaps most importantly,<br />
programmable systems based on microcomputer technology. The standard specifically covers<br />
possible hazards created when failures of the safety functions performed by E/E/PE safety-related<br />
systems occur: "functional safety." Functional safety is the overall program to insure that<br />
a safety-related E/E/PE system brings about a safe state when it is called upon to do so and is<br />
different from other safety issues. For example, IEC61508 does not cover safety issues like<br />
electric shock, long-term exposure to toxic substances, etc. These safety issues are covered by<br />
other standards.<br />
IEC61508 also does not cover low safety E/E/PE systems where a single E/E/PE system is<br />
capable of providing the necessary risk reduction and the required safety integrity of the E/E/PE<br />
system is less than safety integrity level 1, i.e., the E/E/PE system is only reliable 90 percent of<br />
the time or less. IEC61508 is concerned with the E/E/PE safety-related systems whose failure<br />
could affect the safety of persons and/or the environment. However, it is recognized that the<br />
methods of IEC61508 may apply to business loss and asset protection as well. Human beings<br />
may be considered part of a safety-related system, although specific human factor requirements<br />
are not considered in detail in the standard. The standard also specifically avoids the concept of<br />
"fail safe" because of the high level of complexity involved with the E/E/PE systems considered.<br />
CONFORMANCE<br />
Part 1 of the standard contains the general conformance requirements. It states, "To conform to<br />
this standard it shall be demonstrated that the requirements have been satisfied to the required<br />
criteria specified (for example: safety integrity level) and therefore, for each clause or sub-clause,<br />
all the objectives have been met." There is a statement that acknowledges that the<br />
"degree of rigor" (which determines if a requirement has been met) depends on a number of<br />
factors, including the nature of the potential hazard, degree of risk, etc.<br />
Often, demonstrating compliance involves listing all IEC61508 requirements with an explanation<br />
of how the requirement has been met. This applies to products developed to meet IEC61508<br />
and specific application projects wishing to claim compliance. The high level of documentation<br />
for compliance is consistent with the importance of keeping detailed records stressed<br />
throughout the standard. (Note: exida.com has a suite of products, including a full IEC61508<br />
requirements database, and documentation templates that can be used to form a system of<br />
compliance meeting IEC61508.)<br />
The language of conformance in the standard is quite precise. If an item is listed as "shall be ... "<br />
or "must. .. " it is required for compliance. If an item is listed as "may be ... " it is not specifically<br />
required for compliance but clear reasoning must be shown to justify its omission.<br />
DOCUMENTATION (Clause 5)<br />
The documentation used in safety-related systems must specify the necessary information such<br />
that safety life cycle activities can be performed. The documentation must also provide enough<br />
information so that the management of functional safety verification and assessment activities<br />
can effectively be accomplished. The overall reasoning is to provide proper support for the plan,<br />
do, and verify theme present throughout the safety life cycle.<br />
This translates into specific requirements for the documentation.<br />
It must:<br />
1. have sufficient information to effectively perform each phase of the safety life cycle as well as<br />
the associated verification activities;<br />
2. have sufficient information to properly manage functional safety and support functional safety<br />
assessment;<br />
3. be accurate and precise;<br />
4. be easy to understand;<br />
5. suit the purpose for which it was intended;<br />
6. be accessible and maintainable;<br />
7. have titles or names indicating the scope of the contents;<br />
8. have a good table of contents and index;<br />
9. have a good version control system sufficient to identify different versions of each document<br />
and indicate revisions, amendments, reviews, and approvals.<br />
MANAGEMENT OF FUNCTIONAL SAFETY (Clause 6)<br />
Managing functional safety includes taking on various activities and responsibilities to insure<br />
that the functional safety objectives are achieved and maintained. These activities must be<br />
documented, typically in a document called the functional safety management (FSM) plan. The<br />
FSM plan should consider:<br />
1. the overall strategy and methods for achieving functional safety, including evaluation<br />
methods and the way in which the process is communicated within the organization;<br />
2. the identification of the people, departments, and organizations that are responsible for<br />
carrying out and reviewing the applicable overall, E/E/PES, or software safety life cycle phases<br />
(including, where relevant, licensing authorities or safety regulatory bodies);<br />
3. the safety life cycle phases to be used;<br />
4. the documentation structure;<br />
5. the measures and techniques used to meet requirements;<br />
6. the functional safety assessment activities to be performed and the safety life cycle phases<br />
where they will be performed;<br />
7. the procedures for follow-up and resolution of recommendations arising from hazard and risk<br />
analysis, functional safety assessment, verification and validation activities, etc.;<br />
8. the procedures for ensuring that personnel are competent;<br />
9. the procedures for ensuring that hazardous incidents (or near misses) are analyzed, and that<br />
actions are taken to avoid repetition;<br />
10. the procedures for analyzing operations and maintenance performance, including periodic<br />
functional safety inspections and audits; the inspection frequency and level of independence of<br />
personnel to perform the inspection/audit should be documented;<br />
11. the procedures for management of change.<br />
All those responsible for managing functional safety activities must be informed and aware of<br />
their responsibilities. Suppliers providing products or services in support of any safety life cycle<br />
phase, shall deliver products or services as specified by those responsible for that phase.<br />
These suppliers also shall have an appropriate quality management system.<br />
SAFETY LIFE CYCLE REQUIREMENTS (Clause 7)<br />
The safety life cycle can be viewed as a logical "identify-assess-design-verify" closed loop<br />
(Figure 6). The intended result is the optimum design where the risk reduction provided by the<br />
safety-related system matches the risk reduction needed by the process.<br />
Figure 6: Closed loop view of the safety life cycle.<br />
The safety life cycle concept came from studies done by the Health <strong>Safety</strong> Executive (HSE) in<br />
the United Kingdom. The HSE studied accidents involving industrial control systems and<br />
classified accident causes as shown in Figure 7.<br />
Figure 7: Results of system failure cause study: HSE "Out of Control."<br />
The basic aspects of the safety life cycle (shown in Figure 8) were created to address all of the<br />
causes identified in the HSE study.<br />
Figure 8: Origin of the safety life cycle. (Figure residue; recovered labels: Safety Management; Technical Requirements; Competence of Persons.)<br />
The first part of the safety life cycle, known as the analysis portion, covers:<br />
- Concept and scope of the system or equipment under control (EUC);<br />
- Hazard and Risk Analysis to identify both hazards and the events that can lead to them,<br />
including<br />
Preliminary Hazards and Operability (HAZOP) study,<br />
Layers of Protection Analysis (LOPA),<br />
Criticality Analysis;<br />
- Creation of overall safety requirements and identification of specific safety functions to prevent<br />
the identified hazards;<br />
- Safety requirements allocation, i.e., assigning the safety function to an E/E/PE safety-related<br />
system, an external risk reduction facility, or a safety-related system of different technology.<br />
This also includes assigning a safety integrity level (SIL) or risk reduction factor required for<br />
each safety function.<br />
These first phases are shown in Figure 9.<br />
Figure 9: First portion of the overall safety life cycle. (Figure residue; recovered boxes: Hazard & Risk Analysis; Overall Safety Requirements.)<br />
The safety life cycle continues with the realization activities as shown in Figure 10.<br />
Figure 10: Realization activities in the overall safety life cycle. (Figure residue; recovered box: External Risk Reduction Facilities Realization.)<br />
The safety systems must be designed to meet the target safety integrity levels as defined in the<br />
risk analysis phase. This requires that a probabilistic calculation be done to verify that the<br />
design can meet the SIL (either in demand mode or continuous mode). The system must also<br />
meet detailed hardware and software implementation requirements given in Parts 2 and 3. One<br />
of the most significant is the "safe failure fraction" restriction (see Part 2). There is a more<br />
detailed subsection of the overall life cycle called the E/E/PE life cycle, which details the<br />
activities in box 9 above. This E/E/PE lifecycle is shown in Figure 11. These activities are<br />
detailed in Part 2 of the standard.<br />
Figure 11: E/E/PES safety life cycle (IEC61508, Part 2). (Figure residue; recovered boxes: E/E/PES safety requirements specification; E/E/PES safety validation planning; E/E/PES design and development; E/E/PES integration; E/E/PES operation and maintenance procedures.)<br />
The final operation phases of the overall safety life cycle are shown in Figure 12.<br />
Figure 12: Operation and Maintenance phases of the overall safety life cycle.<br />
In summary, the safety life cycle generally lays out the different activities required to achieve<br />
functional safety and compliance with the standard. It also should be noted that if all of the "shall<br />
be ..." and "must ..." conditions are met, other safety life cycle variations also are fully compliant<br />
with the standard.<br />
FUNCTIONAL SAFETY ASSESSMENT (Clause 8)<br />
Part 1 also describes the functional safety assessment activities required by IEC61508. The<br />
objective of the assessment is to investigate and arrive at a conclusion regarding the level of<br />
safety achieved by the safety-related system. The process requires that one or more competent<br />
persons be appointed to carry out a functional safety assessment. These individuals must be<br />
suitably independent of those responsible for the functional safety being assessed, depending<br />
on the SIL and consequences involved. These requirements are shown in Tables 1 and 2.<br />
Minimum level of independence    Consequence<br />
                                 A      B      C      D<br />
Independent person               HR     HR     NR     NR<br />
Independent department           -      HR     HR     NR<br />
Independent organization         -      -      HR*    HR<br />
* see note 2 of 8.2.12<br />
Typical consequences could be:<br />
Consequence A - minor injury (for example temporary loss of function);<br />
Consequence B - serious permanent injury to one or more persons, death to one person;<br />
Consequence C - death to several people;<br />
Consequence D - very many people killed.<br />
Abbreviations - HR - highly recommended, NR - not recommended<br />
Table 1: Assessment independence level as a function of consequence.<br />
Minimum level of independence    Safety integrity level<br />
                                 1      2      3      4<br />
Independent person               HR     HR     NR     NR<br />
Independent department           -      HR*    HR     NR<br />
Independent organization         -      -      HR*    HR<br />
* see the corresponding note in the standard<br />
Table 2: Assessment independence level for E/E/PE and software life cycle activities.<br />
The functional safety assessment shall include all phases of the safety life cycles. The<br />
assessment must consider the life cycle activities carried out and the outputs obtained. The<br />
assessment may be done in parts after each activity or group of activities. The main<br />
requirement is that the assessment be done before the safety-related system is needed to<br />
protect against a hazard.<br />
The functional safety assessment must consider:<br />
1. All work done since the previous functional safety assessment;<br />
2. The plans for implementing further functional safety assessments;<br />
3. The recommendations of the previous assessments including a check to verify that the<br />
changes have been made.<br />
The functional safety assessment activities shall be consistent and planned. The plan must<br />
specify the personnel who will perform the assessment, their level of independence, and the<br />
competency required. The assessment plan must also state the scope of the assessment,<br />
©exida.com IEC61508 Overview Report, Version 1.1, September 25, 2002<br />
Page 13of27
outputs of the assessment, any safety bodies involved, and the resources required. At the<br />
conclusion of the functional safety assessment, recommendations shall indicate acceptance,<br />
qualified acceptance, or rejection.<br />
Sample Documentation Structure (Annex A)<br />
The documentation has to contain enough information to effectively perform each phase of the<br />
safety life cycle (Clause 7), manage functional safety (Clause 6), and allow functional safety<br />
assessments (Clause 8). However, IEC61508 does not specify a particular documentation<br />
structure. Users have flexibility in choosing their own documentation structure as long as it<br />
meets the criteria described earlier. An example set of documents for a safety life cycle project<br />
is shown in Table 3.<br />
Table 3: Documentation examples<br />
Safety life cycle phase | Information<br />
Safety requirements | Safety Requirements Specification (safety functions and safety integrity)<br />
E/E/PES validation planning | Validation Plan<br />
E/E/PES design and development: E/E/PES architecture | Architecture Design Description (hardware and software); Specification (integration tests)<br />
E/E/PES design and development: hardware architecture | Hardware Architecture Design Description<br />
E/E/PES design and development: hardware module design | Detail Design Specification(s)<br />
E/E/PES design and development: component construction and/or procurement | Hardware modules; Report (hardware modules test)<br />
Programmable electronic integration | Integration Report<br />
E/E/PES operation and maintenance procedures | Operation and Maintenance Instructions<br />
E/E/PES safety validation | Validation Report<br />
E/E/PES modification | E/E/PES modification procedures; Modification Request; Modification Report; Modification Log<br />
Concerning all phases | Safety Plan; Verification Plan and Report; Functional Safety Assessment Plan and Report<br />
Personnel Competency (Annex B)<br />
IEC61508 specifically states, "All persons involved in any overall, E/E/PES or software safety<br />
life cycle activity, including management activities, should have the appropriate training,<br />
technical knowledge, experience and qualifications relevant to the specific duties they have to<br />
perform." It is suggested that a number of things be considered in the evaluation of personnel.<br />
These are:<br />
1. engineering knowledge in the application;<br />
2. engineering knowledge appropriate to the technology;<br />
3. safety engineering knowledge appropriate to the technology;<br />
4. knowledge of the legal and safety regulatory framework;<br />
5. the consequences of safety-related system failure;<br />
6. the assigned safety integrity levels of safety functions in a project;<br />
7. experience and its relevance to the job.<br />
The training, experience, and qualifications of all persons should be documented. The TÜV<br />
<strong>Certified</strong> <strong>Functional</strong> <strong>Safety</strong> Expert (<strong>CFSE</strong>) program was designed to help companies show<br />
personnel competency in several different safety specialties.<br />
Bibliography (Annex C)<br />
A list of many related IEC standards, ISO standards, and other relevant references is provided.<br />
3 Part 2: Hardware Requirements<br />
IEC61508 Part 2 covers specific requirements for safety-related hardware. As in other parts of<br />
the standard, a safety life cycle is to be used as the basis of requirement compliance. (Figure 9<br />
shows the general safety life cycle model.) The hardware safety life cycle is an expanded plan<br />
for Phase 9 of the overall safety life cycle from Part 1 that is focused on the design of the control<br />
hardware for safety systems. As for the overall safety life cycle, there are requirements for a<br />
functional safety management plan and safety requirements specification including all<br />
verification and assessment activities.<br />
Figure 13: Hardware safety life cycle (the E/E/PES safety life cycle; one E/E/PES safety life cycle for each E/E/PE safety-related system; linked to boxes 12 and 14 of Figure 2 in Part 1; see also IEC 61508-6, A.2(b)).<br />
The safety requirements specification (described in Clause 7.2) shall include details on both the<br />
safety function and the safety integrity level of that function. Some of these safety function<br />
details are:<br />
- how the safe state is achieved;<br />
- response time;<br />
- operator interfaces;<br />
- required E/E/PES behavior modes;<br />
- start-up requirements;<br />
- operating modes of the equipment under control.<br />
Some of the safety integrity level details are:<br />
- SIL for each function;<br />
- high or low demand class for each function;<br />
- environmental extremes;<br />
- electromagnetic immunity limits.<br />
One particular aspect of the hardware design and development requirements (Clause 7.4) is the<br />
limit on the safety integrity level achievable by any particular level of fault-tolerant safety<br />
redundancy. These limits are shown in Tables 4 and 5 for various fractions of failures leading to a<br />
safe state.<br />
Table 4: Type A safe failure fraction chart (rows: safe failure fraction bands; columns: hardware fault tolerance 0, 1 and 2, see note 1; entries: the maximum SIL that may be claimed).<br />
Type A components are described as simple devices with well-known failure modes and a solid<br />
history of operation. Type B devices are complex components with potentially unknown failure<br />
modes, i.e., microprocessors, ASICs, etc.<br />
Tables 4 and 5 represent limits on the use of single or even dual architectures in higher SIL<br />
levels. This is appropriate based on the level of uncertainty present in the failure data as well as<br />
in the SIL calculations themselves.<br />
Note the separate phase specifically devoted to integrating the software and hardware before<br />
validating the safety of the combined system (described in Clause 7.5). Operation and<br />
maintenance procedures and documentation are described in Clause 7.6 while validation,<br />
modification, and verification phase details are provided in the remaining parts of Clause 7.<br />
Control of Failures during Operation (Annex A)<br />
This annex limits the claims that can be made for self-diagnostic capabilities and also recommends<br />
methods of failure control. Numerous types of failures are addressed including random,<br />
systematic, environmental, and operational failures. It should be noted that following these<br />
methods does not guarantee that a given system will meet a specific SIL.<br />
Avoidance of Systematic Failures during Different Phases of the Life Cycle (Annex B)<br />
Here, numerous tables present recommended techniques for different life cycle phases to<br />
achieve different SILs. Again, simply using these techniques does not guarantee a system will<br />
achieve a specific SIL.<br />
Diagnostic Coverage and Safe Failure Fraction (Annex C)<br />
Here, a basic procedure is described for calculating the fraction of failures that can be self-diagnosed<br />
(diagnostic coverage) and the fraction that do not result in a dangerous undetected state (safe failure fraction).<br />
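As an added worked example (not part of this report and not the exida.com FMEDA template tool), the following Python carries the Annex C procedure through on a small FMEDA table and then applies the architectural constraint of Tables 4 and 5. The transmitter, its failure modes and the FIT rates are constructed for illustration; the DC and SFF formulas are those of IEC 61508-2 (2000) Annex C, and the SFF/fault-tolerance limits are reproduced from IEC 61508-2 (2000) Tables 2 and 3 (the Type A and Type B tables this report calls Tables 4 and 5) and should be checked against the edition in use. The same split of failure rates underlies the FMEDA worked example summarised under Part 6 Annex C later in this report.<br />

```python
"""Diagnostic coverage (DC) and safe failure fraction (SFF) from an FMEDA table,
then the architectural constraint (maximum SIL for a given hardware fault tolerance).

Added example for this overview; not code from the report or from exida's tools.
Failure modes and FIT rates are constructed, not measured data. Formulas follow
IEC 61508-2 (2000) Annex C; the SFF/HFT limits are from IEC 61508-2 (2000)
Tables 2 and 3 (verify against the edition in use).
"""
from dataclasses import dataclass

FIT = 1e-9  # one failure in 10^9 hours


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate: float      # failures per hour
    safe: bool       # failure drives the function to its safe state
    detected: bool   # an online diagnostic reveals the failure


# Constructed FMEDA rows for a hypothetical 4-20 mA pressure transmitter (Type B device).
TRANSMITTER_FMEDA = [
    FailureMode("output saturates high (trip direction)", 120 * FIT, safe=True,  detected=False),
    FailureMode("output drifts toward trip, flagged",      40 * FIT, safe=True,  detected=True),
    FailureMode("output frozen in range, flagged",         90 * FIT, safe=False, detected=True),
    FailureMode("sensor element open, NAMUR low current",  60 * FIT, safe=False, detected=True),
    FailureMode("output low but in range, not flagged",    30 * FIT, safe=False, detected=False),
    FailureMode("CPU fault caught by watchdog",            20 * FIT, safe=False, detected=True),
]


def lambda_split(fmeda):
    """Return (lambda_SD, lambda_SU, lambda_DD, lambda_DU) in failures per hour."""
    sd = sum(m.rate for m in fmeda if m.safe and m.detected)
    su = sum(m.rate for m in fmeda if m.safe and not m.detected)
    dd = sum(m.rate for m in fmeda if not m.safe and m.detected)
    du = sum(m.rate for m in fmeda if not m.safe and not m.detected)
    return sd, su, dd, du


def diagnostic_coverage(fmeda):
    """DC = lambda_DD / (lambda_DD + lambda_DU): share of dangerous failures the diagnostics catch."""
    _, _, dd, du = lambda_split(fmeda)
    return dd / (dd + du)


def safe_failure_fraction(fmeda):
    """SFF = (lambda_S + lambda_DD) / lambda_total: every failure except the dangerous undetected ones."""
    sd, su, dd, du = lambda_split(fmeda)
    return (sd + su + dd) / (sd + su + dd + du)


# Maximum SIL by SFF band (upper bound exclusive) and hardware fault tolerance 0/1/2.
# 0 means the architecture is not allowed at any SIL.
_SFF_LIMITS = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))],
    "B": [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))],
}


def max_sil_architectural(sff, hft, device_type):
    """Highest SIL the hardware architecture may claim for this SFF, fault tolerance and device type."""
    if hft not in (0, 1, 2) or device_type not in _SFF_LIMITS or not 0.0 <= sff <= 1.0:
        raise ValueError("hft must be 0..2, device_type 'A' or 'B', sff in [0, 1]")
    for upper, sils in _SFF_LIMITS[device_type]:
        if sff < upper:
            return sils[hft]
    raise AssertionError("unreachable: sff <= 1.0 < 1.01")


if __name__ == "__main__":
    dc = diagnostic_coverage(TRANSMITTER_FMEDA)
    sff = safe_failure_fraction(TRANSMITTER_FMEDA)
    print(f"DC = {dc:.1%}, SFF = {sff:.1%}")
    for hft in (0, 1, 2):
        print(f"HFT {hft}: Type B architectural limit is SIL {max_sil_architectural(sff, hft, 'B')}")
```

With the constructed rates the transmitter has DC of 85% and SFF of 91.7%, so a single device (HFT 0) is capped at SIL 2 by the architectural constraint alone and a 1oo2 pair (HFT 1) at SIL 3. This cap applies in addition to, not instead of, the PFD calculation for the function.<br />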
4 Part 3: Software Requirements<br />
IEC61508 Part 3 covers specific requirements for safety-related software. As in other parts of<br />
the standard, a safety life cycle is to be used as the basis of requirement compliance. (Figure 9<br />
shows the general safety life cycle model.) The software safety life cycle is an expanded plan<br />
for Phase 9 of the overall safety life cycle from Part 1 and is closely linked with the hardware life<br />
cycle. As for the overall safety life cycle, there are requirements for a functional safety<br />
management plan and safety requirements specification, including all verification and<br />
assessment activities.<br />
Here the functional safety is addressed in the context of a software quality management system<br />
(QMS) in Clause 6. A detailed functional safety plan is presented as part of this QMS. As in<br />
other parts of the standard, the same key features of change management, demonstration, and<br />
documentation are present.<br />
SOFTWARE FUNCTIONAL SAFETY PLAN (Clause 6)<br />
A software functional safety plan (either as a part of other documentation or as a separate<br />
document) shall define the strategy for the software procurement, development, integration,<br />
verification, validation, and modification as required for the SIL of the safety-related<br />
system. The plan must specify a configuration management system.<br />
This software configuration management system must:<br />
1. manage software changes to ensure that the specified requirements for software safety are<br />
satisfied;<br />
2. guarantee that all necessary activities have been carried out to demonstrate that the required<br />
software safety integrity has been achieved;<br />
3. accurately maintain all documentation and source code including the safety analysis and<br />
requirements; software specification and design documents; software source code modules;<br />
test plans and results; commercial off the shelf (COTS) and pre-existing software components<br />
which are to be incorporated into the E/E/PE safety-related system; all tools and development<br />
environments which are used to create or test, or carry out any action on, the software of the<br />
E/E/PE safety-related system;<br />
4. prevent unauthorized modifications;<br />
5. document modification/change requests;<br />
6. analyze the impact of a proposed modification;<br />
7. approve or reject the modification request;<br />
8. establish a baseline of the software and document the (partial) integration testing that justifies the<br />
baseline;<br />
9. formally document the release of safety-related software.<br />
Master copies of the software and all documentation should be maintained throughout the<br />
operational lifetime of the released software.<br />
SOFTWARE SAFETY LIFE CYCLE (Clause 7)<br />
IEC61508 has a considerable but appropriate number of requirements for safety critical<br />
software put forth in the details of the software safety life cycle framework. The major phases of<br />
the software safety life cycle are shown in Figure 14.<br />
Figure 14: Software safety life cycle (within the E/E/PES safety life cycle: software safety requirements specification; software safety validation planning; software design and development; programmable electronics integration (hardware/software); software operation and modification procedures).<br />
Part 3 requires that a process (such as the safety life cycle) for the development of software<br />
shall be selected and specified during safety planning. Note that the exact process is not<br />
specified, it may be customized according to company preference. Appropriate quality and<br />
safety assurance procedures must be included. Each step of the software safety life cycle<br />
must be divided into elementary activities with the functions, inputs, and outputs specified for<br />
each phase.<br />
The standard has complete details of an example software safety life cycle. Many practitioners<br />
use a version of the V-model. The exida.com iterative V -model is shown in Figure 15.<br />
Figure 15: exida.com iterative V-model for software development.<br />
During each step of process, appropriate "techniques and measures" must be used. Part 3,<br />
Annexes A and B give recommendations from a list of software techniques.<br />
The standard says, "If at any stage of the software safety life cycle, a change is required<br />
pertaining to an earlier life cycle phase, then that earlier safety life cycle phase and the following<br />
phases shall be repeated". This natural iterative process is best done in two major loops per<br />
Figure 15.<br />
SOFTWARE SAFETY REQUIREMENTS SPECIFICATION (Clause 7.2)<br />
The functional safety requirements for software must be specified. This can be done in a<br />
separate document or as part of another document. The specification of the requirements for<br />
software safety shall be derived from the specified safety requirements of the safety-related<br />
system and any requirements of safety planning.<br />
The requirements for software safety shall be sufficiently detailed to allow design and<br />
implementation and to allow a functional safety assessment. The software developers should<br />
review the document to verify that it contains sufficient detail. It should be noted that this is often<br />
another iterative process.<br />
The requirements must be clear, precise, verifiable, testable, maintainable, and feasible. The<br />
requirements must also be appropriate for the safety integrity level. and traceable back to the<br />
specification of the safety requirements of the safety-related system. Terminology must be clear<br />
and understandable by those using the document. All modes of operation for the safety-related<br />
system must be listed. The requirements must detail any relevant constraints between the<br />
hardware and the software.<br />
Since the software is often called upon to perform much of the online diagnostics, the<br />
requirements must detail all software self-monitoring, any diagnostic tests performed on the<br />
hardware, periodic testing of critical functions, and means for online testing of safety functions. If<br />
the software also performs non-safety functions, means to ensure that the software safety is not<br />
compromised (non-interference) must also be specified.<br />
SOFTWARE SAFETY VALIDATION PLANNING (Clause 7.3)<br />
A plan must be set up to demonstrate that the software satisfies the safety requirements set out<br />
in the specification. A combination of analysis and testing techniques is allowed and the chosen<br />
techniques must be specified in the plan. The plan must consider:<br />
1. required equipment;<br />
2. when validation will be done;<br />
3. who will do the validation;<br />
4. the modes of operation to be validated including start-up, teach, automatic, manual, semi-automatic,<br />
steady state of operation, reset, shut-down, and maintenance;<br />
5. reasonably foreseeable abnormal conditions;<br />
6. identification of the safety-related software that needs to be validated;<br />
7. specific reference to the specified requirements for software safety;<br />
8. expected results and pass/fail criteria.<br />
The plan must show how assessment will be done, who will review the plan, and the assessor's<br />
level of independence.<br />
SOFTWARE DESIGN AND DEVELOPMENT (Clause 7.4)<br />
Design methods shall be chosen that support abstraction, modularity, information hiding, and<br />
other good software engineering practices. The design method shall allow clear and<br />
unambiguous expression of functionality, data flow, sequencing, and time-dependent data,<br />
timing constraints, concurrency, data structures, design assumptions, and their dependencies.<br />
During design, the overall complexity of the design, its testability, and the ability to make safe<br />
modifications shall be considered. The entire design is considered safety-related even if non-safety<br />
functions are included, unless sufficient independence between safety and non-safety functions can<br />
be demonstrated. Likewise, if functions of different safety integrity levels are part of the design, the<br />
whole design must be treated as belonging to the most stringent SIL of its component parts unless<br />
independence between them can be demonstrated.<br />
The design must include software functions to execute proof tests and all online diagnostic tests<br />
as specified in the requirements. Software diagnostics shall include monitoring of control flow<br />
and data flow.<br />
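Two of the diagnostics this clause asks for, program-sequence (control flow) monitoring and protection of critical data against corruption, can be sketched in a few dozen lines. The following is an added illustration in Python, not code from this report or from any certified safety PLC; the trip logic, the checkpoint tokens and the complement-storage scheme are constructed for the example, and a real implementation would live in the logic solver firmware rather than in Python. The point it shows is that a skipped step or a corrupted parameter is converted into a trip plus a diagnostic flag rather than into a silently wrong decision.<br />

```python
"""Control flow and data flow monitoring around a simple high-pressure trip function.

Added example; not from the report or from a certified safety PLC. The trip logic,
checkpoint tokens and complement-storage scheme are constructed for illustration.
Any diagnostic failure forces the function to its safe state (trip).
"""


class FlowMonitor:
    """Program sequence monitor: records the checkpoints a function passes and verifies,
    at the end of the scan, that they match the expected path exactly (no skipped,
    repeated or out-of-order steps)."""

    def __init__(self, expected_path):
        self._expected = tuple(expected_path)
        self._seen = []

    def checkpoint(self, token):
        self._seen.append(token)

    def verify(self):
        return tuple(self._seen) == self._expected


class ProtectedValue:
    """A 16-bit parameter stored together with its bitwise complement; a read that finds the
    pair inconsistent reports data corruption instead of returning a plausible wrong value."""

    MASK = 0xFFFF

    def __init__(self, value):
        self._value = value & self.MASK
        self._complement = ~value & self.MASK

    def read(self):
        if (self._value ^ self._complement) != self.MASK:
            raise RuntimeError("protected value corrupted")
        return self._value

    def corrupt(self, bit_mask):
        """Fault injection hook (test only): flip bits in the stored value, not the complement."""
        self._value ^= bit_mask


EXPECTED_PATH = ("read", "validate", "compare", "act")
ADC_MAX = 0xFFF  # 12-bit raw pressure reading (constructed)


def high_pressure_trip(raw_pressure, monitor, threshold):
    """Intended logic: trip when the validated reading reaches the threshold, or when the
    reading itself is outside the sensor's range (a detected fault is treated as a demand)."""
    monitor.checkpoint("read")
    in_range = 0 <= raw_pressure <= ADC_MAX
    monitor.checkpoint("validate")
    limit = threshold.read()             # raises RuntimeError on data corruption
    monitor.checkpoint("compare")
    demand = (not in_range) or raw_pressure >= limit
    monitor.checkpoint("act")
    return demand


def skips_compare(raw_pressure, monitor, threshold):
    """Constructed faulty variant modelling a corrupted jump that bypasses the comparison."""
    monitor.checkpoint("read")
    monitor.checkpoint("validate")
    monitor.checkpoint("act")
    return False


def safe_cycle(raw_pressure, logic=high_pressure_trip, threshold=None):
    """One scan of the safety function under diagnostics.
    Returns (trip, diagnostics_ok); a control-flow or data-flow fault yields (True, False)."""
    if threshold is None:
        threshold = ProtectedValue(800)
    monitor = FlowMonitor(EXPECTED_PATH)
    try:
        demand = logic(raw_pressure, monitor, threshold)
    except RuntimeError:
        return True, False               # data-flow diagnostic fired: go to safe state
    if not monitor.verify():
        return True, False               # control-flow diagnostic fired: go to safe state
    return bool(demand), True


if __name__ == "__main__":
    print(safe_cycle(500))                          # (False, True)
    print(safe_cycle(900))                          # (True, True)
    print(safe_cycle(500, logic=skips_compare))     # (True, False)
    bad = ProtectedValue(800)
    bad.corrupt(0x0010)
    print(safe_cycle(500, threshold=bad))           # (True, False)
```

The monitor checks the path only at the end of the scan; a production design would also bound the scan with a hardware watchdog so that a loop that never reaches the verification step is caught as well.<br />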
The architectural design defines the major components and subsystems of the software. The<br />
architectural design description must include:<br />
1. interconnections of these components;<br />
2. the "techniques and measures" necessary during the software safety life cycle phases to<br />
satisfy requirements for software safety at the required safety integrity level, including software<br />
design strategies for fault tolerance and/or fault avoidance (redundancy/diversity);<br />
3. the software safety integrity level of the subsystem/component;<br />
4. all software/hardware interactions and their significance;<br />
5. the design features for maintaining the safety integrity of all data;<br />
6. software architecture integration tests to ensure that the software architecture satisfies the<br />
requirements for software.<br />
It is assumed and permitted that iteration occurs between the design and the requirements<br />
phases. Any resulting changes in requirements must be documented and approved.<br />
Support tools and programming languages must meet the safety integrity needs of the software.<br />
A set of integrated tools, including languages, compilers, configuration management tools, and,<br />
when applicable, automatic testing tools, shall be selected for the required safety integrity level.<br />
Detailed design and coding shall follow the software safety life cycle. Coding standards shall be<br />
employed and must specify good programming practice, prohibit unsafe language features, and<br />
specify procedures for source code documentation including:<br />
1. legal entity;<br />
2. description;<br />
3. inputs and outputs;<br />
4. configuration management history.<br />
The software code must be :<br />
1. readable, understandable, and testable;<br />
2. able to satisfy the specified requirements;<br />
3. reviewed;<br />
4. tested as specified during software design.<br />
INTEGRATION AND TESTING (Clause 7.5)<br />
Tests of the integration between the hardware and software are created during the design and<br />
development phases and specify the following:<br />
1. test cases and test data in manageable integration sets;<br />
2. test environment, tools, and configuration;<br />
3. test criteria;<br />
4. procedures for corrective action on failure of test.<br />
The integration testing results shall state each test and the pass/fail results.<br />
SOFTWARE SAFETY VALIDATION (Clause 7.7)<br />
Software validation is done as an overall check to ensure that the software design meets the<br />
software safety requirements and must include the appropriate documentation. The validation<br />
may be done as part of overall system validation or it may be done separately for the software.<br />
Testing must be the primary method of validation, with analysis used only to supplement it. All<br />
tools used in the validation must be calibrated and an approved quality system must be in place.<br />
If validation is done separately for the software, the validation must follow the software safety<br />
validation plan. For each safety function, the validation effort shall document:<br />
1. a record of the validation activities;<br />
2. the version of the software safety validation plan;<br />
3. the safety function being validated with reference to planned test;<br />
4. test environment (tools and equipment);<br />
5. the results of the validation activity with discrepancies, if any.<br />
If discrepancies occur, a change request must be created and an analysis must be done to<br />
determine if the validation may continue.<br />
OPERATION AND MODIFICATION (Clauses 7.6 and 7.8)<br />
Software modification requires authorization under the procedures specified during safety<br />
planning and must ensure that the required safety integrity level is maintained. This authorization<br />
must address:<br />
1. the hazards that may be affected;<br />
2. the proposed change;<br />
3. the reasons for change.<br />
The modification process starts with an analysis on the impact of the proposed software<br />
modification on functional safety. The analysis will determine how much of the safety life cycle<br />
must be repeated.<br />
SOFTWARE VERIFICATION (Clause 7.9)<br />
The software verification process tests and evaluates the results of the software safety life cycle<br />
phases to ensure they are correct and consistent with the input information to those phases.<br />
Verification of the steps used in the software safety life cycle must be performed according to<br />
the plan and must be done concurrently with design and development. The verification plan<br />
must indicate the activities performed and the items to be verified (documents, reviews, etc.). A<br />
verification report must include an explanation of all activities and results. Verification must be<br />
performed on:<br />
1. software safety requirements;<br />
2. software architecture design;<br />
3. software system design;<br />
4. software module design;<br />
5. software source code;<br />
6. data;<br />
7. software module testing;<br />
8. software integration testing;<br />
9. hardware integration testing;<br />
10. software safety requirements testing (software validation).<br />
SOFTWARE FUNCTIONAL SAFETY ASSESSMENT (Clause 9)<br />
The software assessment process is similar to the other assessment processes in the standard.<br />
Techniques and measures relevant to this assessment are listed in Annexes A and B as well as<br />
in Part 1 of the standard.<br />
GUIDE TO THE SELECTION OF TECHNIQUES AND MEASURES (Annex A)<br />
Annex A provides ten tables of different techniques relevant to the software safety<br />
requirements, software design and development, architecture design, support tools and<br />
programming languages, detailed design, software module testing, integration testing, safety<br />
validation, modification and functional safety assessment. Different techniques are<br />
"recommended" or "highly recommended" as a function of safety integrity level required. Some<br />
techniques are used alone or in combination with other techniques to show compliance with<br />
the standard.<br />
DETAILED TABLES (Annex B)<br />
Annex B provides nine tables of detailed techniques for design and coding standards, dynamic<br />
analysis and testing, functional and black box testing, failure analysis, modeling, performance<br />
testing, semi-formal methods, static analysis, and modular approaches. These tables are also<br />
referenced in the tables from Annex A.<br />
5 Part 4: Abbreviations and Definitions<br />
Part 4 of the standard contains the abbreviations and definitions used throughout the entire<br />
document. Some selected key definitions are:<br />
diversity - different means of performing a required function<br />
equipment under control (EUC) - equipment, machinery, apparatus, or plant used for<br />
manufacturing, process, transportation, medical, or other activities<br />
functional safety - part of the overall safety relating to the EUC and the EUC control system<br />
which depends on the correct functioning of the E/E/PE safety-related systems, other<br />
technology safety-related systems, and external risk reduction facilities<br />
harm - physical injury or damage to the health of people either directly or indirectly as a result of<br />
damage to property or to the environment<br />
hazard - potential source of harm<br />
limited variability language - software programming language, either textual or graphical, for<br />
commercial and industrial programmable electronic controllers with a range of capabilities<br />
limited to their application<br />
redundancy - means, in addition to the means which would be sufficient, for a functional unit to<br />
perform a required function or for data to represent information<br />
risk - combination of the probability of occurrence of harm and the severity of that harm<br />
safety - freedom from unacceptable risk<br />
safety function - function to be implemented by an E/E/PE safety-related system, other<br />
technology safety-related system, or external risk reduction facilities which is intended to<br />
achieve or maintain a safe state for the EUC, with respect to a specific hazardous event<br />
safety integrity - probability of a safety-related system satisfactorily performing the required<br />
safety functions under all the stated conditions within a stated period of time<br />
safety integrity level (SIL) - discrete level (one out of a possible four) for specifying the safety<br />
integrity requirements of the safety functions to be allocated to the E/E/PE safety-related<br />
systems, where safety integrity level 4 has the highest level of safety integrity and safety<br />
integrity level 1 has the lowest<br />
safety life cycle - necessary activities involved in the implementation of safety-related systems,<br />
occurring during a period of time that starts at the concept phase of a project and finishes when<br />
all of the E/E/PE safety-related systems, other technology safety-related systems, and external<br />
risk reduction facilities are no longer available for use<br />
safety-related system - designated system that both:<br />
- implements the required safety functions necessary to achieve or maintain a safe state<br />
for the EUC; and<br />
- is intended to achieve, on its own or with other E/E/PE safety-related systems, other<br />
technology safety-related systems or external risk reduction facilities, the necessary<br />
safety integrity for the required safety functions<br />
systematic failure - failure related in a deterministic way to a certain cause, which can only be<br />
eliminated by a modification of the design or of the manufacturing process, operational<br />
procedures, documentation, or other relevant factors<br />
tolerable risk - risk which is accepted in a given context based on the current values of society<br />
6 Part 5: Examples of Methods for the Determination of <strong>Safety</strong><br />
Integrity Levels (Informative)<br />
Part 5 is primarily composed of Annexes A through E which describe key concepts as well as<br />
various methods of SIL selection and verification.<br />
RISK AND SAFETY INTEGRITY - GENERAL CONCEPTS (Annex A)<br />
This annex describes the required safety actions to bridge the gap between the current level of<br />
risk present in the system and the level that can be tolerated in the given situation. This<br />
necessary risk reduction is noted to include contributions from E/E/PE safety-related systems,<br />
other safety-related systems, and external risk reduction methods. Elements of safety integrity<br />
relating to both the hardware and the overall systematic safety integrity are sometimes difficult<br />
to assess. This is part of the basis for SIL only referring to the order of magnitude of risk<br />
reduction for a safety-related system.<br />
ALARP AND TOLERABLE RISK CONCEPTS (Annex B)<br />
Annex B describes the concept of a finite level of tolerable risk based on the benefits derived<br />
from undertaking that risk in the context of the norms of society. It further describes the<br />
reduction of existing risk to a level "As Low As Reasonably Practicable" or ALARP. This level<br />
again takes into account the benefits derived from the risk as well as the costs to reduce the risk<br />
even further.<br />
DETERMINATION OF SAFETY INTEGRITY LEVELS- A QUANTITATIVE METHOD (Annex C)<br />
The quantitative method presented is based on calculating the frequency of a hazard and the<br />
magnitude of its consequences to determine the difference between the existing risk and the<br />
tolerable risk. First the frequency of the initiating event is determined based on either local<br />
operating experience, failure rate database references for similar equipment in similar<br />
environments, or detailed analytical estimation. Then the probabilities that the initiating event<br />
will actually lead to the hazard are determined and combined with the initiating event frequency to<br />
determine a hazard frequency. In parallel, the consequence of the hazard is calculated. Finally,<br />
the frequency and consequence of the hazard are assessed relative to the tolerable risk and a<br />
SIL is selected to bridge any gap.<br />
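The arithmetic behind that last step is small enough to show in full. The following Python is an added example for this overview, not code from the report or from exida's PROBE software: the initiating event rate, the conditional probabilities and the tolerable frequency are constructed values, and the SIL bands are the low-demand PFDavg bands of IEC 61508-1 (SIL 1 covers 1e-2 to 1e-1, down to SIL 4 covering 1e-5 to 1e-4). The example goes one step beyond the text by also flagging a required risk reduction that exceeds what any single SIL 4 function may claim.<br />

```python
"""Quantitative SIL selection in the style of IEC 61508-5 Annex C.

Added example; not from the report or from exida's PROBE software. The initiating
event rate, conditional probabilities and tolerable frequency are constructed.
SIL bands are the low-demand PFDavg bands of IEC 61508-1.
"""


def hazard_frequency(initiating_events_per_year, conditional_probabilities):
    """Frequency of the hazardous event (per year): initiating event rate multiplied by the
    probability of every condition that must also hold (ignition, occupancy, failure of an
    existing independent protection layer, ...). The conditions are assumed independent."""
    freq = initiating_events_per_year
    for p in conditional_probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError("conditional probabilities must lie in [0, 1]")
        freq *= p
    return freq


def required_risk_reduction(hazard_freq, tolerable_freq):
    """Risk reduction factor (RRF) the new safety function must supply: hazard frequency over
    tolerable frequency, or 1.0 when the hazard is already tolerable."""
    if tolerable_freq <= 0:
        raise ValueError("tolerable frequency must be positive")
    return max(1.0, hazard_freq / tolerable_freq)


def select_sil(rrf):
    """SIL whose PFDavg band contains 1/RRF.
    Returns 0 when RRF < 10 (no SIL-rated function needed) and None when RRF >= 1e5, which is
    beyond SIL 4 and calls for a different design (more layers or a less hazardous process).
    A target sitting exactly on a band boundary is assigned the more stringent SIL."""
    if rrf >= 1e5:
        return None
    sil = 0
    for lower_bound in (10.0, 100.0, 1000.0, 10000.0):
        if rrf >= lower_bound:
            sil += 1
    return sil


def select_sil_for_scenario(initiating_events_per_year, conditional_probabilities, tolerable_freq):
    """End to end: hazard frequency -> required RRF -> SIL. Returns (hazard_freq, rrf, sil)."""
    freq = hazard_frequency(initiating_events_per_year, conditional_probabilities)
    rrf = required_risk_reduction(freq, tolerable_freq)
    return freq, rrf, select_sil(rrf)


if __name__ == "__main__":
    # Constructed scenario: a control loop fails in the overpressure direction 0.1 times/year;
    # the area is occupied half the time; the existing relief valve fails 1 time in 10 when needed.
    freq, rrf, sil = select_sil_for_scenario(0.1, [0.5, 0.1], tolerable_freq=1e-5)
    print(f"hazard frequency {freq:.1e}/yr, required RRF {rrf:.0f}, select SIL {sil}")
```

The constructed scenario yields a hazard frequency of 5e-3 per year against a tolerable 1e-5 per year, a required RRF of 500, and therefore a SIL 2 safety function. Note that the tolerable frequency is an input to this calculation, not an output: it comes from the ALARP and tolerable-risk considerations of Annex B.<br />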
Exida provides training, software, and services in support of this vital safety process. Training<br />
includes hazards analysis to identify hazards and Layer of Protection Analysis (LOPA) to quantify<br />
the risk. Software includes PROBE™ to quantify the hazard probability and FurnEX and<br />
PhysEX to quantify the consequences. In addition to providing structure and computational<br />
support for the analyses, the software also provides easy standardized documentation of the<br />
process and results to support compliance with the standards.<br />
DETERMINATION OF SAFETY INTEGRITY LEVELS- A QUALITATIVE METHOD: RISK<br />
GRAPH (Annex D)<br />
This method assigns a category to both the frequency and severity of a hazard to assess the<br />
risk relative to the tolerable level. Some allowance is made for the likelihood that a given<br />
initiating event will not always lead to the potential hazard.<br />
DETERMINATION OF SAFETY INTEGRITY LEVELS - A QUALITATIVE METHOD:<br />
HAZARDOUS EVENT SEVERITY MATRIX (Annex E)<br />
This method is similar to the risk graph except that the form follows a matrix rather than a<br />
sequential graph.<br />
7 Part 6: Guidelines in the Application of Parts 2 and 3 (Informative)<br />
Part 6 provides more detailed explanations and examples on how to comply with Parts 2 and 3<br />
and also is made up almost entirely of Annexes.<br />
APPLICATION OF PARTS 2 AND 3 (Annex A)<br />
This annex shows flow charts of the expected implementation of both Part 2 (Hardware) and<br />
Part 3 (Software) and provides an overview of the requirements.<br />
EXAMPLE TECHNIQUE FOR EVALUATING PROBABILITIES OF FAILURE (Annex B)<br />
This annex provides an example of evaluating probabilities of failure with many tables showing<br />
results for particular architectures for selected values of diagnostic coverage and common<br />
cause beta factors (factors assessing the likelihood of a common cause failure). The methods<br />
used for these calculations are approximation formulas based on reliability block diagrams.<br />
These methods consider the hardware train of field sensor, logic box, and final control element<br />
and address various architecture configurations.<br />
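The simplified PFDavg expressions that the annex tables are built from, as an added worked example; this is not exida's software and not the annex's own tables. The formulas are the Annex B reliability-block-diagram approximations as recalled by the author of this example (a single MTTR for detected and undetected failures, as in the 2000 edition) and should be checked against the standard before use in a real assessment; the channel figures are constructed.<br />

```python
"""PFDavg approximations for 1oo1, 2oo2, 1oo2 and 2oo3 architectures in the
reliability-block-diagram style of IEC 61508-6 Annex B.  Added worked
example: not exida's software and not the standard's tables.  Formulas as
recalled by the author of this example; check against the standard before
real use.  Rates are per hour, times in hours."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    lambda_d: float   # total dangerous failure rate per hour
    dc: float         # diagnostic coverage of dangerous failures, 0..1
    beta: float       # common cause fraction, undetected dangerous failures
    beta_d: float     # common cause fraction, detected dangerous failures
    t1: float         # proof test interval, hours
    mttr: float       # mean time to restoration, hours

    @property
    def lambda_dd(self) -> float:
        return self.lambda_d * self.dc

    @property
    def lambda_du(self) -> float:
        return self.lambda_d * (1.0 - self.dc)

    def t_ce(self) -> float:
        """Channel equivalent mean down time: an undetected fault waits on
        average half a proof-test interval, a detected one only the MTTR."""
        return (self.lambda_du / self.lambda_d) * (self.t1 / 2 + self.mttr) \
            + (self.lambda_dd / self.lambda_d) * self.mttr

    def t_ge(self) -> float:
        """Voted-group equivalent down time used by the 1oo2 / 2oo3 terms."""
        return (self.lambda_du / self.lambda_d) * (self.t1 / 3 + self.mttr) \
            + (self.lambda_dd / self.lambda_d) * self.mttr


def pfd_1oo1(ch: Channel) -> float:
    return ch.lambda_d * ch.t_ce()


def pfd_2oo2(ch: Channel) -> float:
    # both channels must be healthy for the function to act, so the
    # dangerous rate doubles
    return 2.0 * ch.lambda_d * ch.t_ce()


def _common_cause(ch: Channel) -> float:
    # beta-factor term shared by the redundant architectures
    return ch.beta_d * ch.lambda_dd * ch.mttr \
        + ch.beta * ch.lambda_du * (ch.t1 / 2 + ch.mttr)


def _independent_rate(ch: Channel) -> float:
    return (1.0 - ch.beta_d) * ch.lambda_dd + (1.0 - ch.beta) * ch.lambda_du


def pfd_1oo2(ch: Channel) -> float:
    return 2.0 * _independent_rate(ch) ** 2 * ch.t_ce() * ch.t_ge() + _common_cause(ch)


def pfd_2oo3(ch: Channel) -> float:
    return 6.0 * _independent_rate(ch) ** 2 * ch.t_ce() * ch.t_ge() + _common_cause(ch)


def sil_band(pfd: float) -> int:
    """Low-demand PFDavg band of IEC 61508-1 (0 = below SIL 1)."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


# Constructed sensor-subsystem channel: 5e-6/h dangerous, 60 % DC, annual
# proof test, 8 h restoration, beta 10 % (undetected) and 5 % (detected).
EXAMPLE = Channel(lambda_d=5e-6, dc=0.60, beta=0.10, beta_d=0.05, t1=8760.0, mttr=8.0)

ARCHITECTURES = (("1oo1", pfd_1oo1), ("2oo2", pfd_2oo2), ("1oo2", pfd_1oo2), ("2oo3", pfd_2oo3))


def summary(ch: Channel):
    return {name: (fn(ch), sil_band(fn(ch))) for name, fn in ARCHITECTURES}


if __name__ == "__main__":
    for arch, (pfd, sil) in summary(EXAMPLE).items():
        print(f"{arch}: PFDavg = {pfd:.2e}  (SIL {sil})")
```

With the constructed channel the ordering 1oo2 < 2oo3 < 1oo1 < 2oo2 comes out, and the common-cause term dominates the 1oo2 result by an order of magnitude over the independent-failure term, which is why the beta factor, not the single-channel rate, decides whether a redundant subsystem reaches SIL 3.<br />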
CALCULATION OF DIAGNOSTIC COVERAGE: WORKED EXAMPLE (Annex C)<br />
This annex covers the Failure Modes, Effects, and Diagnostics Analysis (FMEDA) technique for<br />
calculating the diagnostic coverage factor. This method is similar to the method in ISA TR84.02 and<br />
the exida.com FMEDA template tool. All methods use identical techniques.<br />
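An FMEDA roll-up of the kind the annex walks through, as an added worked example with a constructed component table; it is not the exida.com template tool and not the annex's own numbers. The input is each component's base failure rate split across its failure modes, each mode classified as safe or dangerous and as detected or not; the output is the four rates, the diagnostic coverage and the safe failure fraction.<br />

```python
"""FMEDA roll-up from a component failure-mode table to lambda_SD, lambda_SU,
lambda_DD, lambda_DU, diagnostic coverage and safe failure fraction.  Added
worked example with a constructed component list; not exida's FMEDA
template tool and not the Annex C worked example itself."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str
    base_rate_fit: float   # component failure rate in FIT (failures per 1e9 h)
    share: float           # fraction of the component's failures in this mode
    dangerous: bool        # effect on the safety function
    detected: bool         # revealed by on-line diagnostics

    @property
    def rate_fit(self) -> float:
        return self.base_rate_fit * self.share


@dataclass(frozen=True)
class FmedaResult:
    lambda_sd: float
    lambda_su: float
    lambda_dd: float
    lambda_du: float

    @property
    def lambda_total(self) -> float:
        return self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du

    @property
    def diagnostic_coverage(self) -> float:
        """Dangerous DC: detected dangerous rate over all dangerous rate."""
        return self.lambda_dd / (self.lambda_dd + self.lambda_du)

    @property
    def safe_failure_fraction(self) -> float:
        """SFF: everything except undetected dangerous, over the total."""
        return (self.lambda_sd + self.lambda_su + self.lambda_dd) / self.lambda_total


def check_mode_shares(modes: Iterable[FailureMode], tol: float = 1e-6) -> None:
    """Each component's mode shares must sum to 1; a table that forgets a
    mode silently understates the undetected dangerous rate."""
    totals = defaultdict(float)
    for m in modes:
        totals[m.component] += m.share
    bad = {c: s for c, s in totals.items() if abs(s - 1.0) > tol}
    if bad:
        raise ValueError(f"mode shares do not sum to 1: {bad}")


def fmeda(modes: List[FailureMode]) -> FmedaResult:
    check_mode_shares(modes)
    sd = su = dd = du = 0.0
    for m in modes:
        if m.dangerous and m.detected:
            dd += m.rate_fit
        elif m.dangerous:
            du += m.rate_fit
        elif m.detected:
            sd += m.rate_fit
        else:
            su += m.rate_fit
    return FmedaResult(sd, su, dd, du)


# Constructed table for a small de-energize-to-trip output circuit
# (illustrative rates and shares only).
SAMPLE_TABLE = [
    FailureMode("U1 ADC", "stuck output", 20.0, 0.5, dangerous=True, detected=True),
    FailureMode("U1 ADC", "gain drift", 20.0, 0.5, dangerous=True, detected=False),
    FailureMode("R1 sense", "open", 4.0, 0.6, dangerous=True, detected=True),
    FailureMode("R1 sense", "value drift", 4.0, 0.4, dangerous=True, detected=False),
    FailureMode("C1 decoupling", "short", 5.0, 0.8, dangerous=False, detected=True),
    FailureMode("C1 decoupling", "open", 5.0, 0.2, dangerous=False, detected=False),
    FailureMode("K1 output relay", "fails to close", 30.0, 0.3, dangerous=False, detected=False),
    FailureMode("K1 output relay", "contacts welded", 30.0, 0.7, dangerous=True, detected=False),
]

if __name__ == "__main__":
    r = fmeda(SAMPLE_TABLE)
    print(f"lambda_SD={r.lambda_sd:.1f} lambda_SU={r.lambda_su:.1f} "
          f"lambda_DD={r.lambda_dd:.1f} lambda_DU={r.lambda_du:.1f} FIT")
    print(f"DC={r.diagnostic_coverage:.3f}  SFF={r.safe_failure_fraction:.3f}")
```

The share check is the part worth keeping when adapting this: in practice the largest undetected-dangerous contributor in a table like this is a mechanical mode (here the welded relay contacts) that no electronic self-test reaches, and it is exactly that kind of row that gets left out when mode shares are not forced to add up.<br />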
A METHODOLOGY FOR QUANTIFYING THE EFFECT OF HARDWARE-RELATED COMMON<br />
CAUSE FAILURES IN MULTI-CHANNEL PROGRAMMABLE ELECTRONIC SYSTEMS<br />
(Annex D)<br />
This annex explains the important phenomenon of common cause failures in redundant<br />
systems. A chart is provided along with a method of estimating the beta factor (factor assessing<br />
the likelihood of a common cause failure) to be used in subsequent calculations.<br />
EXAMPLE APPLICATION OF SOFTWARE SAFETY INTEGRITY TABLES OF PART 3<br />
(Annex E)<br />
This annex provides an example of how to use the software safety integrity level tables of Part<br />
3. Twenty tables are provided with detailed examples of a SIL2 ladder logic program with PLC<br />
hardware and a SIL3 full pre-coded complex plant system.<br />
8 Part 7: Overview of Techniques and Measures (Informative)<br />
Part 7 provides descriptions and an explanation of the many engineering techniques presented<br />
earlier in the standard.<br />
OVERVIEW OF TECHNIQUES AND MEASURES FOR E/E/PES: CONTROL OF RANDOM<br />
HARDWARE FAILURES (Annex A)<br />
This annex addresses random hardware failures. It contains methods and techniques useful to<br />
prevent or maintain safety in the presence of component failures. The explanations provided<br />
here support many of the recommended techniques listed in the hardware tables in Part 2.<br />
OVERVIEW OF TECHNIQUES AND MEASURES FOR E/E/PES: AVOIDANCE OF<br />
SYSTEMATIC FAILURES (Annex B)<br />
This annex covers the avoidance of systematic failures in both hardware and software systems<br />
and is referenced by Parts 2 and 3. It is structured according to the safety life cycle and<br />
addresses numerous points relevant to the key phases as noted in the annex.<br />
OVERVIEW OF TECHNIQUES AND MEASURES FOR ACHIEVING SOFTWARE SAFETY<br />
INTEGRITY (Annex C)<br />
This annex provides an overview of techniques for achieving high software safety integrity.<br />
Many of these techniques fall into the detailed design phase of the life cycle. Architectural<br />
design issues are also addressed as well as development tools and programming languages.<br />
The annex also addresses the verification, modification, and functional safety assessment<br />
phase of the life cycle.<br />
PROBABILISTIC APPROACH TO DETERMINING SOFTWARE SAFETY INTEGRITY FOR<br />
PRE-DEVELOPED SOFTWARE (Annex D)<br />
The annex covers a probabilistic approach for SIL determination of proven software. With many<br />
systems seeking to employ previously written software, this annex can be valuable. It lists<br />
several tests to determine the integrity level of the software based on statistical analysis.<br />
9 Additional IEC61508 Information<br />
exida.com offers a two-day course that provides an "Introduction to IEC61508." This course<br />
covers the IEC61508 standard from the perspective of a user (project orientation) or a product<br />
manufacturer (product orientation). All of the basic principles are covered with exercises to<br />
reinforce the material. The training manual is available separately from the exida.com online<br />
store for those wishing to investigate this further.<br />
There is of course no substitute for the purchase and study of the actual standard for those<br />
wanting more in-
DATA ON SELECTED PROCESS SYSTEMS AND EQUIPMENT<br />
[Data sheet: Taxonomy No. 2.1.4.1.3, Equipment Description SWITCHES - ELECTRIC - PRESSURE, Process Severity 3. The sheet's table (population, samples, aggregated time in service in 10^6 hrs by calendar time and operating time, number of demands, failures per 10^6 hrs and failures per 10^3 demands, each as lower / mean / upper) and the equipment-boundary diagram (power in, switch, sensing element, process line/tank, output) did not survive the scan. Figures legible on the failure-mode lines are given below as lower / mean / upper; their column units are not recoverable, and "?" marks an illegible digit.]<br />
CATASTROPHIC: 0.525 / 49.6 / 192.0<br />
a. Functioned without Signal: 0.00122 / 0.07 / 0.271<br />
b. Failed to Function when Signaled: 0.00809 / 0.4? / 1.5?<br />
DEGRADED: a. Functioned at Improper Signal Level; b. Intermittent Operation<br />
INCIPIENT: a. In-service Problems<br />
Comment: Process Severity 3 applies only to Catastrophic rate.<br />
Data Reference No. (Table 5.1): 4, 8.2<br />
[Data sheet: Taxonomy No. 3.2.5, Equipment Description HOSES, Process Severity UNKNOWN. Table columns as on the preceding sheet; the equipment-boundary diagram (connector, hose, boundary) is not recoverable from the scan. Legible figures are lower / mean / upper with column units unknown.]<br />
CATASTROPHIC: a. 0-10% Flow Area; b. >10% Flow Area; c. Rupture: 0.0099 / 0.570 / 2.20; d. Plugged<br />
DEGRADED: a. Restricted Flow<br />
INCIPIENT: a. Wall Thinning; b. Embrittlement; c. Cracked or Flawed; d. Erratic Flow<br />
Data Reference No. (Table 5.1): 6<br />
[Data sheet: Taxonomy No. 3.3.2, Equipment Description ROTATING EQUIPMENT - COMPRESSORS, Process Severity UNKNOWN. Only the column headings (population, samples, aggregated time in service, calendar and operating time, number of demands, failures per 10^6 hrs and per 10^3 demands) survive the scan; no failure-mode rows are legible.]<br />
[Data sheet: Taxonomy No. 3.3.2.1, Equipment Description ROTATING EQUIPMENT - COMPRESSORS - ELECTRIC MOTOR DRIVEN, Process Severity UNKNOWN. Table columns as on the preceding sheets. The equipment-boundary diagram shows power supply and process in, motor, gear and compressor, and process out, with seal oil system, piping, interstage cooling, lube oil cooling, control unit and baseplate included inside the boundary. Figures are lower / mean / upper, column units unknown.]<br />
CATASTROPHIC: 27.9 / 2470.0 / 9690.0<br />
a. Fails While Running; b. Rupture; c. Spurious Start/Command Fault; d. Fails to Start on Demand; e. Fails to Stop on Demand<br />
DEGRADED: a. External Leakage<br />
Data Reference No. (Table 5.1): 8.4<br />
[Data sheet: Taxonomy No. 3.3.4, Equipment Description ROTATING EQUIPMENT - MOTOR-DRIVEN FANS, Process Severity UNKNOWN. Table columns as on the preceding sheets. The boundary diagram shows power supply, process in, control unit and process out; the remaining labels are illegible. Figures are lower / mean / upper, column units unknown.]<br />
CATASTROPHIC: a. Fails while Running: 1.75 / 9.09 / 24.7; b. Spurious Start/Command Fault; c. Fails to Start on Demand: 0.00944 / 0.208 / 0.769; d. Fails to Stop on Demand<br />
Data Reference No. (Table 5.1): 8.2, 8.4, 8.5, 8.15<br />
[Data sheet: Taxonomy No. 3.3.7.2.1.1, Equipment Description ROTATING EQUIPMENT - PUMPS - CENTRIFUGAL - MOTOR DRIVEN (remaining qualifier illegible), Operating Mode RUNNING, Process Severity UNKNOWN. Table columns as on the preceding sheets. The boundary diagram shows power supply, process in, motor, transmission, pump and process out, with seal system, control unit and baseplate included. Figures are lower / mean / upper, column units unknown; "?" marks an illegible digit.]<br />
CATASTROPHIC: a. Fails while Running: 0.?12 / 104.0 / 450.0 (the 450.0 is displaced in the scan and its row assignment is a best reading); b. Rupture; c. Spurious Start (a lone figure 43.0 appears near this row); d. Fails to Start on Demand; e. Fails to Stop on Demand<br />
DEGRADED: a. Fails to Run at Rated Speed; b. External Leak<br />
INCIPIENT: a. High Vibration; b. Over-temperature; c. Over-current; a further row reading 0.417 / 24.0 / 92.8 has no legible label<br />
Data Reference No. (Table 5.1): 5, 8.1, 8.4<br />
[Data sheet: Taxonomy No. 3.5.1.2, Equipment Description VALVES - NON-OPERATED - CHECK, Process Severity UNKNOWN. Table columns as on the preceding sheets; the boundary diagram shows process in, valve and process out. Figures are lower / mean / upper, column units unknown. A strip of an adjacent sheet (failure modes including leakage, several "normal" rows, wall thinning, embrittlement and cracked) is also caught in the scan but is too fragmentary to attribute.]<br />
CATASTROPHIC: 0.0552 / 3.18 / 12.3<br />
a. Fails to Check: 0.285 / 2.2 / 6.73<br />
b. Fails to Open: 0.0347 / 0.145 / 0.364<br />
c. Fails to Re-open<br />
DEGRADED: a. Significant Back-leakage<br />
Data Reference No. (Table 5.1): 7, 8, 8.3, 8.5, 8.7, 8.11, 8.12, 8.15<br />
[Data sheet: Taxonomy No. 3.5.3.3, Equipment Description VALVES - OPERATED - PNEUMATIC, Process Severity UNKNOWN. Table columns as on the preceding sheets; the boundary diagram shows an actuator with air supply and signal, positioner, valve body, process in and process out. Figures are lower / mean / upper, column units unknown; a lone upper-column figure 18.6 at the top of the sheet cannot be assigned to a row.]<br />
CATASTROPHIC: a. External Leakage; b. Internal Leakage >1%; c. Spurious Operation: 0.274 / 3.59 / 12.3; d. No Change of Position on Demand: 0.306 / 2.2 / 6.62<br />
DEGRADED: a. Delayed Actuation<br />
INCIPIENT: a. Wall Thinning; b. Embrittlement; c. Cracked or Flawed; d. Internal Leakage<br />
Data Reference No. (Table 5.1): 8, 8.1, 8.2, 8.3, 8.4, 8.7, 8.10, 8.12, 8.14, 8.15<br />
[Data sheet: Taxonomy No. 4.3.3.1, Equipment Description PRESSURE - SAFETY RELIEF VALVES - PILOT OPERATED, Process Severity UNKNOWN. Table columns as on the preceding sheets; the boundary diagram shows inlet, pilot valve, main valve and outlet. Figures are lower / mean / upper, column units unknown; "?" marks an illegible digit, and a lone figure 143.0 beside "b. Fails to Open" cannot be placed in a column.]<br />
CATASTROPHIC: a. Seat Leakage; b. Fails to Open; c. Spurious Operation; c.1 Opens Prematurely; c.2 Failure to Reclose once open: 0.188 / 5.0 / 18.8; d. Fails to Open on Demand: 0.00932 / 4.15? / 18.2<br />
DEGRADED: a. Interstage Leakage<br />
INCIPIENT: a. Pilot Leakage<br />
Data Reference No. (Table 5.1): 8, 8.12<br />
[Data sheet: Taxonomy No. 4.3.3.2, Equipment Description PRESSURE - SAFETY RELIEF VALVES - SPRING-LOADED, Process Severity UNKNOWN. Table columns as on the preceding sheets; the boundary diagram shows inlet, valve and outlet. Figures are lower / mean / upper, column units unknown; "?" marks an illegible digit. The scan also caught a column of an adjacent narrative page (a section numbered 6.1 on data sources, with bullet fragments on population and equipment) that is too fragmentary to reproduce.]<br />
CATASTROPHIC: a. Seat Leakage; b. Fails to Open; c. Spurious Operation; c.1 Opens Prematurely: 0.275 / 1.68 / 4.80; c.2 Failure to Reclose Once Open: 0.127 / 5.18 / 22.7; d. Fails to Open on Demand: 0.0019 / 0.212 / 0.7?8<br />
DEGRADED: a. Interstage Leakage<br />
INCIPIENT: (no rows legible)<br />
Data Reference No. (Table 5.1): 8.1, 8.3, 8.5, 8.10<br />
Functional Safety Terms and Acronyms<br />
Glossary<br />
This list of functional safety terms and acronyms has been compiled from a number of sources listed<br />
at the end, including the IEC 61508 and IEC 61511 (ISA84.01) standards. It is meant to provide a general<br />
reference for engineers practicing safety lifecycle engineering in the process industry. As such it<br />
provides both safety and related non-safety term definitions in a clear, usable form. It specifically<br />
highlights the most important terms and acronyms from the safety lifecycle standards with working<br />
level definitions. The reader is encouraged to pursue IEC 61508 or IEC 61511 for additional<br />
definitions and for additional information on applying the safety lifecycle to the process industry.<br />
Comments and feedback on this document are welcome and can be sent to info@exida.com, noting<br />
the title and version of the document.<br />
The definitions appearing in this glossary are provided solely for general informational purposes.<br />
They are not intended to be complete descriptions of all terms, conditions and exclusions applicable<br />
to the practice of safety engineering. Also, in the case of any inconsistency between the definitions in<br />
this glossary and the definitions appearing in the applicable codes and standards, the definitions<br />
contained in those codes and standards shall govern.<br />
Issued for general distribution: Version 1.0 on 24 November 2006 by Dr. Eric W. Scharpf, CFSE.<br />
2oo3<br />
Two out of three logic circuit (2/3 logic circuit). A logic circuit with three<br />
independent inputs. The output of the logic circuit is the same state as any two<br />
matching input states. For example, a safety circuit where three sensors are<br />
present and a signal from any two of those sensors is required to call for a shut<br />
down. This 2oo3 system is said to be single fault tolerant (HFT = 1) in that one<br />
of the sensors can fail dangerously and the system can still safely shut down.<br />
Other voting systems include 1oo1, 1oo2, 2oo2, 1oo3 and 2oo4.<br />
IEC 61508<br />
The IEC standard covering Functional Safety of electrical / electronic /<br />
programmable electronic safety-related systems. The main objective of<br />
IEC 61508 is to use safety instrumented systems to reduce risk to a tolerable level<br />
by following the overall, hardware and software safety lifecycle procedures and<br />
by maintaining the associated documentation. Issued in 1998 and 2000, it has<br />
since come to be used mainly by safety equipment suppliers to show that their<br />
equipment is suitable for use in safety integrity level rated systems.<br />
IEC 61511<br />
The IEC standard for use of electrical / electronic / programmable electronic<br />
safety-related systems in the process industry. Like IEC 61508 it focuses on a<br />
set of safety lifecycle processes to manage process risk. It was originally<br />
published by the IEC in 2003 and taken up by the US in 2004 as ISA 84.00.01-<br />
2004. Unlike IEC 61508, this standard is targeted toward the process industry<br />
users of safety instrumented systems.<br />
Functional Safety and Reliability Terms and Acronyms, Issue 1.0, November 2006<br />
Actuator<br />
A device responsible for putting a mechanical device into action such as a<br />
valve. Single acting actuators act in only one direction, such as in a spring<br />
and diaphragm actuator where the spring acts in a direction opposite to the<br />
diaphragm thrust. Double acting actuators have a power supply that acts to<br />
move the actuator in two normally opposite directions. Pneumatic actuators<br />
convert the energy of a compressible fluid, usually air, into motion. Vane<br />
actuators are typically fluid-powered devices where the fluid acts upon a<br />
movable pivoted member (the vane) to provide rotary motion to the actuator<br />
stem.<br />
ALARP<br />
As low as reasonably practicable. The philosophy of dealing with risks that<br />
fall between an upper and lower extreme. The upper extreme is where the<br />
risk is so great that it is rejected completely, while the lower extreme is<br />
where the risk is, or has been made to be, insignificant. This philosophy<br />
considers both the costs and benefits of risk reduction to make the risk "as<br />
low as reasonably practicable".<br />
Algorithm<br />
A prescribed set of well defined rules or processes for the solution of a<br />
problem in a finite number of steps.<br />
Analogue I/O<br />
Input or output signals to or from the field that vary continuously over a<br />
range of values. Typically voltage, electric current, temperature, or pressure<br />
signals are analogue.<br />
Annunciator<br />
A device or group of devices that call attention to changes in process<br />
conditions that have occurred. Usually included are sequence logic circuits,<br />
labeled visual displays, audible devices, and manually operated<br />
acknowledge and reset push buttons.<br />
Architecture<br />
The voting structure of different elements in a safety instrumented function.<br />
See Architectural Constraints, Fault Tolerance and 2oo3.<br />
Architectural constraints or AC<br />
Limitations that are imposed on the hardware selected to implement a<br />
safety-instrumented function, regardless of the performance calculated for a<br />
subsystem. Architectural constraints are specified (in IEC 61508-2 Table 2<br />
and IEC 61511 Table 5) according to the required SIL of the subsystem,<br />
type of components used, and SFF of the subsystem's components. Type A<br />
components are simple devices not incorporating microprocessors, and<br />
Type B devices are complex devices such as those incorporating<br />
microprocessors. See Fault Tolerance.<br />
As-built<br />
A document revision that includes all modifications performed as a result of<br />
actual fabrication or installation. Note for safety systems that, where the<br />
actual installation does not conform to the design information, the<br />
difference shall be evaluated and the likely impact on safety determined. If<br />
the difference has no impact on safety, then the design information shall be<br />
updated to "as built" status. If the difference has a negative impact on<br />
safety, then the installation shall be modified to meet the design<br />
requirements.<br />
Asynchronous communication<br />
Circuitry or operation without common clock or timing signals. Often called<br />
start/stop transmission; a way of transmitting data in which each character<br />
is preceded by a start bit and followed by a stop bit.<br />
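The 2oo3 and Architectural constraints entries above, as one added worked example (not exida's code): the hardware fault tolerance of a MooN group is found by trying stuck channels against the vote, and the SFF/HFT tables then give the SIL ceiling. The tables are the author's reading of IEC 61508-2 Tables 2 (Type A) and 3 (Type B) of the 1998/2000 edition and should be checked against the standard before use; the SFF values in the demonstration are constructed.<br />

```python
"""MooN voting, hardware fault tolerance and the architectural-constraint
lookup.  Added worked example for the 2oo3 and 'Architectural constraints'
glossary entries; not exida's code.  The SIL tables are the author's reading
of IEC 61508-2 Tables 2 (Type A) and 3 (Type B); check against the standard
before use."""

from typing import Sequence


def vote(m: int, n: int, calls: Sequence[bool]) -> bool:
    """MooN: the function trips when at least m of the n channels call for it."""
    if len(calls) != n or not 1 <= m <= n:
        raise ValueError("bad MooN arguments")
    return sum(calls) >= m


def dangerous_hft(m: int, n: int) -> int:
    """How many channels may be stuck at 'no trip' while a real demand
    (every healthy channel calling for a trip) still trips the function."""
    tolerated = 0
    for stuck in range(1, n + 1):
        if vote(m, n, [False] * stuck + [True] * (n - stuck)):
            tolerated = stuck
        else:
            break
    return tolerated


def safe_hft(m: int, n: int) -> int:
    """How many channels may be stuck at 'trip' with no demand present
    before the function trips spuriously."""
    tolerated = 0
    for stuck in range(1, n + 1):
        if not vote(m, n, [True] * stuck + [False] * (n - stuck)):
            tolerated = stuck
        else:
            break
    return tolerated


# Maximum SIL by safe failure fraction band (rows: <60 %, 60-90 %, 90-99 %,
# >=99 %) and hardware fault tolerance 0, 1, 2 (columns).  0 = not allowed.
SFF_BANDS = (0.60, 0.90, 0.99)
TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))   # simple devices
TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))   # complex, e.g. microprocessor based


def sff_band(sff: float) -> int:
    return sum(1 for edge in SFF_BANDS if sff >= edge)


def max_sil(sff: float, hft: int, component_type: str) -> int:
    table = {"A": TYPE_A, "B": TYPE_B}[component_type]
    return table[sff_band(sff)][min(hft, 2)]


def architecture_max_sil(m: int, n: int, sff: float, component_type: str) -> int:
    """Architectural-constraint SIL ceiling for a MooN group of one component type.
    Only the dangerous-side HFT counts here; the safe-side figure is what
    decides the spurious trip behaviour."""
    return max_sil(sff, dangerous_hft(m, n), component_type)


if __name__ == "__main__":
    for m, n in ((1, 1), (1, 2), (2, 2), (2, 3), (1, 3)):
        print(f"{m}oo{n}: HFT dangerous={dangerous_hft(m, n)} safe={safe_hft(m, n)} "
              f"max SIL (Type B, SFF 75 %) = {architecture_max_sil(m, n, 0.75, 'B')}")
```

The table shows why 2oo3 is the usual compromise: it carries one dangerous fault and one safe fault, whereas 1oo2 buys the same SIL ceiling at the cost of zero tolerance to a safe (spurious-trip) failure and 2oo2 gives none on the dangerous side at all.<br />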
Auto-tuning<br />
Controller feature that calculates proportional, integral and derivative (PID)<br />
output settings based on calculations using measured process dynamics<br />
and combining those with the parameters of a PID controller. Calculations<br />
may be based on transient responses, frequency responses or parametric<br />
models.<br />
Availability<br />
The probability that a device is operating successfully at a given moment in<br />
time. This is a measure of the "uptime" and is defined in units of percent.<br />
For most tested and repaired safety system components, the availability<br />
varies as a saw tooth with time as governed by the proof test and repair<br />
cycles. Thus the integrated average availability is used to calculate the<br />
average probability of failure on demand. See PFDavg.<br />
Basic process control system<br />
System which responds to input signals from the process, associated<br />
equipment, and/or an operator and generates output signals causing the<br />
process and its associated equipment to operate in the desired way. The<br />
BPCS cannot perform any safety instrumented functions rated with a safety<br />
integrity level of 1 or better unless it meets proven in use requirements. See<br />
proven in use.<br />
Batch process<br />
A process that manufactures a fixed quantity of material by subjecting<br />
measured quantities of raw materials to a time sequential order of<br />
processing actions using one or more pieces of equipment. Typically used<br />
for small volume production of high value materials.<br />
β-factor<br />
Beta factor, indicating common cause susceptibility. The fraction of total<br />
failure rate that is attributed to a single cause in common with other units in<br />
the group. A common cause failure will result in all units within the group<br />
failing simultaneously.<br />
BLEVE<br />
Boiling liquid expanding vapor explosion. A specific type of fireball that can<br />
occur as the result of the situation where a vessel containing a pressurized<br />
liquid comes in direct contact with external flame. As the liquid inside the<br />
vessel absorbs the heat of the external fire, the liquid begins to boil,<br />
increasing the pressure inside the vessel to the set pressure of the relief<br />
valve(s). The heat of the external fire will also be directed to portions of the<br />
vessel where the interior wall is not "wet" with the process liquid. Since the<br />
process liquid is not present to carry heat away from the vessel wall, the<br />
temperature in this region (usually near the interface of the boiling liquid)<br />
will rise dramatically, causing the vessel wall to overheat and become weak.<br />
A short time after the vessel wall begins to overheat, the vessel can lose its<br />
structural integrity and a rupture will occur. After vessel rupture, a fireball<br />
will usually result with the external fire available as the ignition source.<br />
BMS<br />
Burner management system. The control system designed to improve<br />
combustion safety and assist the operator in starting and stopping the<br />
burners. It also should prevent mis-operation and damage to the fuel<br />
preparation and burning equipment. The BMS can include: interlock system,<br />
fuel trip system, master fuel trip system, master fuel trip relay, flame<br />
monitoring and tripping systems, ignition subsystem, main burner<br />
subsystem, warm-up burner subsystem, bed temperature subsystem, and<br />
duct burner system.<br />
BPCS<br />
See Basic Process Control System.<br />
Burn-in<br />
Device operation, usually under accelerated environmental conditions that<br />
simulate life in the device's intended application, used to detect early-life<br />
(infant mortality) failures. Such testing helps to ensure that constant failure<br />
rate assumptions for equipment are valid and do not lead to accidents<br />
during plant start up.<br />
Bus<br />
A group of wires or conductors, considered as a single entity, which<br />
interconnects part of a system.<br />
Butterfly valve<br />
A valve consisting of a disc inside a valve body which operates by rotating<br />
about an axis in the plane of the disc to shut off or regulate flow.<br />
Calibration curve<br />
A plot of indicated value versus true value used to adjust instrument<br />
readings for inherent error; a calibration curve is usually determined for<br />
each calibrated instrument in a standard procedure and its validity<br />
confirmed or a new calibration curve determined by periodically repeating<br />
the procedure.<br />
Capacitance<br />
The ability of a capacitor to store a charge. The greater the capacitance, the<br />
greater the charge that can be stored. Also applied to tanks in process fluid<br />
flow systems.<br />
Cause and effect diagram<br />
One method commonly used to show the relationship between the sensor<br />
inputs to a safety function and the required outputs. Often used as part of a<br />
safety requirements specification. The method's strengths are a low level of<br />
effort and clear visual representation, while its weaknesses are a rigid format<br />
(some functions cannot be represented with C-E diagrams) and the fact that<br />
it can oversimplify the function.<br />
Cavitation<br />
A two stage phenomenon of liquid flow. The first stage is the formation of<br />
voids or cavities within the liquid system; the second stage is the collapse or<br />
implosion of these cavities back into an all liquid state. Cavitation can cause<br />
excessive wear and damage to devices in regions where the voids are<br />
present.<br />
CFSE/CFSP<br />
Certified Functional Safety Expert/Professional. Qualifications for safety<br />
engineers in either process applications, machine applications, hardware, or<br />
software that demonstrate competence in safety lifecycle activities. These<br />
qualifications are administered by the non-profit CFSE Governance,<br />
managed by a global consortium of vendor, user, integrator and consultant<br />
companies.<br />
Check valve<br />
A flow control device that permits flow in one direction and prevents flow in<br />
the opposite direction.<br />
CPT or PTC<br />
Proof test coverage. The percentage of failures that are detected during the<br />
servicing of equipment. In general it is assumed that when a proof test is<br />
performed any errors in the system are detected and corrected (100% proof<br />
test coverage).<br />
CPQRA<br />
(Guidelines for) Chemical Process Quantitative Risk Analysis.<br />
<strong>Functional</strong> <strong>Safety</strong> and Reliability<br />
Terms and Acronyms Issue 1.0 November 2006<br />
0<br />
0<br />
CPU<br />
Common mode failure<br />
Consequence<br />
Coriolis flow meter<br />
Coverage<br />
Cross talk<br />
D Diagnostics<br />
Dangerous failure<br />
central processing unit: The part of a computing system that contains the<br />
arithmetic and logical units, instruction control unit, timing generators, and<br />
memory and I/O interfaces. This is typically a very complex element which<br />
requires Type B classification for SIL hardware fault tolerance requirements<br />
according to IEC 61508.<br />
A random stress that causes two or more components to fail at the same<br />
time for the same reason. It is different from a systematic failure in that it is<br />
random and probabilistic but does not proceed in a fixed, predictable, cause<br />
and effect fashion. See systematic failure.<br />
The magnitude of harm or measure of the resulting outcome of a harmful<br />
event. One of the two components used to define a risk.<br />
A mass flow meter which measures mass flow of a fluid by determining the<br />
torque resulting from radial acceleration of the fluid. The name comes from<br />
the Coriolis effect that describes the accelerating force acting on any body<br />
moving freely above the earth's surface, which is caused by the rotation of<br />
the earth about its axis.<br />
See Cpr<br />
The unwanted energy transferred from one circuit, the disturbing circuit, to<br />
another circuit, the disturbed circuit. Typically signals electrically coupled<br />
from another circuit.<br />
Some safety rated logic solvers are designated as having capital D<br />
diagnostics. These are different from regular diagnostics in that the unit is<br />
able to reconfigure its architecture after a diagnostic has detected a failure.<br />
The greatest effect is for 1oo2D systems which can reconfigure to 1oo1<br />
operation upon detecting a safe failure. Thus the spurious trip rate for such<br />
a system is dramatically reduced.<br />
A failure of a component in a safety instrumented function that prevents that<br />
function from achieving a safe state when it is required to do so. See failure<br />
mode.<br />
Dead time The interval of time between initiation of an input change or stimulus and<br />
the start of the resulting response.<br />
Decision table A table of all contingencies that are to be considered in the description of a<br />
problem, together with the actions to be taken. Decision tables can be used<br />
in place of flow charts for problem description and documentation.<br />
Derivative control Change in the output that is proportional to the rate of change of the input.<br />
Also called "rate control."<br />
Design pressure The maximum allowable working pressure permitted under the rules of the<br />
relevant construction code. See also pressure, design.<br />
Diaphragm A sensing element consisting of a thin, usually circular, plate which is<br />
deformed by pressure differential applied across the plate.<br />
Diaphragm valve A valve with a flexible linear motion closure piece that is forced into the<br />
internal flow passageway of the valve body by the actuator.<br />
Page 5 of 33
<strong>Functional</strong> <strong>Safety</strong> and Reliability<br />
Terms and Acronyms Issue 1.0 November 2006<br />
Diagnostic coverage A measure of a system's ability to detect failures. This is a ratio between the<br />
failure rates for detected failures to the failure rate for all failures in the<br />
system.<br />
Differential gap The smallest increment of change in a controlled variable required to cause<br />
the final control element in a two position control system to move from one<br />
position to its alternative position.<br />
DP (Differential pressure) transmitter A transducer designed to measure the pressure difference between two<br />
points in a process and transmit a signal proportional to this difference,<br />
without regard to the absolute pressure at either point. Often used to<br />
measure flow by the pressure difference across a restriction in the flow line<br />
or to measure level by measuring the pressure difference between the head<br />
pressure produced by the height of a liquid in a vessel or tank and a<br />
reference pressure.<br />
Digital/Discrete I/O: Input or output that senses or sends either "on" or "off" (1 or 0) signals to<br />
the field. For example a discrete input would sense the position of a switch<br />
as energized or de-energized. A discrete output would turn a pump or light<br />
on or off.<br />
DCS Digital or Distributed Control System. DCS historically refers to larger<br />
analog control systems traditionally used for PID control in the process<br />
industries, whereas PLCs were used for discrete or logic processing.<br />
However, PLCs are gaining capability and acceptance in doing PID control<br />
while the DCS has come to mean the system of input/output devices,<br />
control devices and operator interface devices which execute the stated<br />
control functions and permit transmission of control, measurement, and<br />
operating information to and from multiple locations, connected by a<br />
communication link. The DCS is specifically separate from the safety<br />
instrumented system (SIS) in that there are no meaningful random common<br />
mode failures between the two systems.<br />
Digital valve A single valve casing containing multiple solenoid valves whose flow<br />
capacities vary in binary sequence (1, 2, 4, 8, 16, ...); to regulate flow, the<br />
control device sends operating signals to various combinations of the<br />
solenoids; applications are limited to very clean fluids at moderate<br />
temperatures and pressures.<br />
DIN Abbreviation for the standards institution of the Federal Republic of<br />
Germany.<br />
Displacement level meter A device that measures liquid level by means of a float and balance beam<br />
connected to a position sensor.<br />
Diversity Applying different ways of performing a required function. Diversity may be<br />
achieved by different physical methods or different design approaches.<br />
Division 1-2 See Hazardous Area<br />
Doppler effect flowmeter A device that uses ultrasonic techniques to determine flow rate; a<br />
continuous ultrasonic beam is projected across fluid flowing through the<br />
pipe, and the difference between incident beam and transmitted beam<br />
frequencies is a measure of fluid flow rate.<br />
Double block and bleed A three valve configuration common in shut off applications. Two main shut<br />
off valves (block valves) operate on the main process line to stop flow. Then<br />
a third bleed valve to a vent can be opened to relieve pressure or remove<br />
the process fluid from the region between the two block valves. Typically<br />
considered as a 1oo2 voting shut off system provided the bleed valve<br />
opening is not critical to achieving the safe state.<br />
Dual-sealing valve A valve which uses a resilient seating material for the primary seal and a<br />
metal to metal seat for a secondary seal.<br />
Duplex Half duplex is where there is communication in both directions (transmit<br />
and receive), but in only one direction at a given instant in time. Full duplex<br />
is where there is communication that appears to have information transfer in<br />
both directions (transmit and receive) at the same time.<br />
Dust, combustible Dust that (when mixed with air in certain proportions) can be ignited and will<br />
propagate a flame.<br />
Dynamic pressure The increase in pressure above the static pressure that results from<br />
complete transformation of the kinetic energy of the fluid into potential<br />
energy in units of pressure.<br />
Eddy current A circulating current induced in a conductive material by a changing<br />
electromagnetic field.<br />
E/E/PE Electrical/Electronic/Programmable Electronic. See 61508 and 61511.<br />
Effect Zone The physical area in which a harmful effect is felt by a receptor. For a toxic<br />
release, the area over which the airborne concentration exceeds some level<br />
of concern. For a physical energy release, the area over which a specified<br />
overpressure criterion is exceeded. For thermal radiation effects, the area<br />
over which an effect based on a specified damage criterion is exceeded [e.g., a circular<br />
effect zone surrounding a pool fire resulting from a flammable liquid spill,<br />
whose boundary is defined by the radial distance at which the radiative flux<br />
from the pool fire has decreased by 5 kW/m2 (approximately 1600 BTU/hr ft2)].<br />
EIA Electronics Industry Association who provide standards for such things as<br />
interchangeability between manufacturers.<br />
EMI Electromagnetic Interference: Any spurious effect produced in the circuits or<br />
elements of a device by external electromagnetic fields. NOTE: A special<br />
case of interference from radio transmitters is known as "radio frequency<br />
interference (RFI)".<br />
Elevation error A type of error in temperature or pressure sensors that incorporate capillary<br />
tubes partly filled with liquid; the error is introduced when the liquid filled<br />
portion of the system is at a different level than the instrument case, the<br />
amount of error varying with distance of elevation or depression.<br />
Page 7 of33
<strong>Functional</strong> <strong>Safety</strong> and Reliability<br />
Terms and Acronyms Issue 1.0 November 2006<br />
Event (Independent) Events that do not affect each other (can be series or parallel). Tossing two<br />
coins (parallel) or one coin twice (series) are generally considered to be<br />
independent events.<br />
Event (Initiating) The first event in an event sequence (e.g., the stress corrosion resulting in<br />
leak/rupture of the connecting pipeline to the ammonia tank).<br />
Event (Intermediate) An event that propagates or mitigates the initiating event during an event<br />
sequence (e.g., improper operator action fails to stop the initial ammonia<br />
leak and causes propagation of the intermediate event to an incident; in this<br />
case the intermediate event outcome is a toxic release).<br />
Event tree analysis A method of fault propagation modeling. The analysis constructs a tree-shaped<br />
picture of the chains of events leading from an initiating event to<br />
various potential outcomes. The tree expands from the initiating event in<br />
branches of intermediate propagating events. Each branch represents a<br />
situation where a different outcome is possible. After including all of the<br />
appropriate branches, the event tree ends with multiple possible outcomes.<br />
Exception reporting An information system which reports on situations only when actual results<br />
differ from planned results. When results occur within a normal range they<br />
are not reported.<br />
Explosion Combustion which proceeds so rapidly that a high pressure is generated<br />
suddenly. This high pressure or shock wave is the result of a turbulent flame<br />
boundary and is very difficult to predict relative to a flash fire which<br />
propagates through laminar boundary flow.<br />
Explosion (Physical) The result of sudden catastrophic rupture of a high-pressure vessel. The<br />
blast wave is caused when the potential energy stored in the high-pressure<br />
vessel is transferred to kinetic energy when that material is released. The<br />
effect zone is determined by the quantity of energy released and the blast<br />
shock wave overpressure resulting from the explosion.<br />
Explosion (Vapor Cloud) The result of ignition of a cloud of flammable vapor, when the flame velocity<br />
is high enough (turbulent and supersonic) to produce an explosive shock<br />
wave. The effect zone is determined by the quantity of energy released and<br />
the blast shock wave overpressure resulting from the explosion.<br />
Explosion door A door in a furnace or boiler setting designed to be opened by a<br />
predetermined gas pressure.<br />
Explosion proof enclosure An enclosure that is 1) capable of withstanding an explosion of a gas or<br />
vapor within it, 2) able to prevent the ignition of an explosive gas or vapor<br />
that may surround it and 3) operates at an external temperature such that<br />
a surrounding explosive gas or vapor will not be ignited by conditions<br />
within the enclosure.<br />
Fail close A condition wherein the valve closing component moves to a closed position<br />
when the actuating energy source fails.<br />
Fail in place/last A condition wherein the valve closing component stays in its last position<br />
when the actuating energy source fails.<br />
Fail open A condition wherein the valve closing component moves to an open position<br />
when the actuating energy source fails.<br />
Fail safe (or preferably de-energize to trip) A characteristic of a particular device<br />
which causes that device to move to a safe state when it loses electrical or<br />
pneumatic energy.<br />
Failure rate The number of failures per unit time for a piece of equipment. Usually<br />
assumed to be a constant value. It can be broken down into several<br />
categories such as safe and dangerous, detected and undetected, and<br />
independent/normal and common cause. Care must be taken to ensure that<br />
burn in and wearout are properly addressed so that the constant failure rate<br />
assumption is valid.<br />
Failure modes The way that a device fails. These ways are generally grouped into one of<br />
four failure modes: Safe Detected (SD), Dangerous Detected (DD), Safe<br />
Undetected (SU), and Dangerous Undetected (DU) per ISA TR84.0.02.<br />
FAT Factory acceptance test. A test performed before shipment to site, usually<br />
at the vendor or integrator premises, often witnessed by the end user. Not a<br />
mandatory step in IEC 61511, but very common to avoid problems during<br />
site acceptance testing (SAT) and site integration testing (SIT).<br />
Fault propagation modeling The analysis of the chain of events that leads to an accident. By analyzing<br />
what events initiate that chain, which events contribute to, or allow the<br />
accident to propagate, and establishing how they are logically related, the<br />
event frequency can be determined. Fault propagation modeling techniques<br />
use the failure rates of individual components to determine the failure rate of<br />
the overall system.<br />
Fault tolerance Ability of a functional unit to continue to perform a required function in the<br />
presence of random faults or errors. For example a 1oo2 voting system can<br />
tolerate one random component failure and still perform its function. Fault<br />
tolerance is one of the specific requirements for safety integrity level (SIL)<br />
and is described in more detail in IEC 61508 Part 2 Tables 2 and 3 and in<br />
IEC 61511 (ISA84.01 2004) in Clause 11.4.<br />
Fault tree diagram Probability combination method for estimating complex probabilities. Since it<br />
generally takes the failure view of a system, it is useful in multiple failure<br />
mode modeling. Care must be taken when using it to calculate integrated<br />
average probabilities.<br />
Field bus A Fieldbus is a digital, two-way, multi-drop communication link between<br />
intelligent measurement and control devices. It serves as a Local Area<br />
Network (LAN) for advanced process control, remote input/output and high<br />
speed factory automation applications.<br />
Final element Component of a safety function (such as a valve) which directly prevents<br />
the harmful event and brings the process to a safe state.<br />
Fire (Flash) The result of ignition of a cloud of flammable vapor, when the flame velocity<br />
is too slow (laminar and subsonic) to produce an explosive shock wave.<br />
When a gas phase mixture of fuel and air is ignited, a flame front travels from<br />
the point of ignition in all directions where the fuel/air concentration is within<br />
flammable limits. The velocity of the flame front will determine the type of<br />
damage that will be caused by this event.<br />
Fire (Jet) Results when high-pressure flammable material is ignited as it is being<br />
released from containment. The effect zone of a jet fire is proportional to the<br />
size of the flame generated. As a high-pressure material is released from a<br />
hole, the material will exit with a velocity that is mainly a function of system<br />
pressure and hole size. As distance away from the hole increases, the<br />
amount of oxygen in the mixture increases as air is entrained in the jet. As<br />
the upper flammability limit threshold is crossed, the fuel and air react,<br />
releasing the energy of combustion. As the combustion continues, entrained<br />
air, unburned fuel and combustion products continue to move in the<br />
direction of the release due to the momentum generated by the release.<br />
Fire (Pool) Results when spilled flammable liquids are ignited. The magnitude of the<br />
effect zone created by a pool fire will depend on the size of the flame that is<br />
generated, which in turn depends on the size of the spill surface and the<br />
properties of the spilled fluid. The flame's footprint is determined by the<br />
containment of the liquid spill, which is often controlled by any dikes or<br />
curbs present. If a spill is unconfined, the liquid will spread over an area<br />
determined by the fluid's viscosity and the characteristics of the surface on<br />
which the material is spilled, such as its porosity.<br />
Fireball Result of a sudden and widespread release of a flammable gas or volatile<br />
liquid that is stored under pressure, coupled with immediate ignition. This is<br />
distinguished from a jet fire by the shorter duration of the event and the<br />
difference in the geometry and shape of the flame. When a pressure vessel<br />
containing a flammable gas or volatile liquid ruptures, the first result is the<br />
quick dispersion of the flammable material as the high-pressure material<br />
rapidly expands to atmospheric pressure. During this expansion, the release<br />
will entrain large quantities of air as a result of the process. If the material in<br />
the vessel is a volatile liquid, this process will also cause formation of an<br />
aerosol with the dispersion of liquid droplets away from the release as a<br />
result of the vapor expansion.<br />
Fixed program language (FPL) This type of language limits the user to adjusting a few parameters (for<br />
example, range of the pressure transmitter, alarm levels, network<br />
addresses). Typical examples of devices with FPL are: smart sensors (for<br />
example, pressure transmitter), smart valves, sequence of events<br />
controllers, dedicated smart alarm boxes, and small data logging systems.<br />
Flammability Susceptibility to combustion.<br />
Flammable (explosive) limits The flammable (explosive) limits of a gas or vapor are the lower (LFL or LEL) and the upper<br />
(UFL or UEL) percentages by volume of concentration of gas in a gas-air<br />
mixture that will form an ignitable mixture.<br />
Flash point The minimum temperature where a liquid emits vapor in a concentration<br />
sufficient to form an ignitable mixture with air near the surface of the liquid<br />
but not sufficient to sustain combustion.<br />
Floating ball A full ball positioned within the ball valve that contacts either of two seat<br />
rings and is free to move toward the seat ring opposite the pressure source<br />
when in the closed position to effect tight shutoff.<br />
Flow straightener A supplementary length of straight pipe or tube, containing straightening<br />
vanes or the equivalent, which is installed directly upstream of a flow meter<br />
for the purpose of eliminating swirl from the fluid entering the flow meter.<br />
FMEDA Failure Modes, Effects and Diagnostics Analysis. This is a detailed analysis<br />
of the different failure modes and diagnostic capability for a piece of<br />
equipment. This is an effective method for determining failure modes and<br />
failure rates, a requirement for certification against IEC 61508 in most<br />
certification agencies.<br />
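As an added worked example that is not part of the original glossary, the following Python script takes a constructed FMEDA-style failure-mode table for a hypothetical transmitter, sorts each mode into the SD/DD/SU/DU categories named under Failure modes, and computes the Diagnostic coverage ratio defined earlier (detected failure rate over total failure rate) next to the dangerous-failures-only form that IEC 61508 uses; the device, its failure modes and their FIT values are all invented for illustration.<br />

```python
"""Added worked example (not from the glossary): FMEDA-style failure-mode
bookkeeping for a hypothetical, invented transmitter.

Each failure mode is sorted into one of the four categories from the
"Failure modes" entry (SD, DD, SU, DU) and the diagnostic coverage ratio from
the "Diagnostic coverage" entry is computed from the category totals.
"""
from dataclasses import dataclass
from typing import Dict, List

FIT_PER_HOUR = 1e-9  # one FIT is one failure per 10^9 operating hours


@dataclass(frozen=True)
class FailureMode:
    description: str
    dangerous: bool  # True: the mode stops the SIF reaching its safe state on demand
    detected: bool   # True: the device's own diagnostics reveal the mode
    rate_fit: float  # constant failure rate for this mode, in FIT

    @property
    def category(self) -> str:
        """Combine the two flags into the ISA TR84.0.02 label: SD, DD, SU or DU."""
        return ("D" if self.dangerous else "S") + ("D" if self.detected else "U")


# Constructed sample table; the device, modes and rates are invented.
SAMPLE_MODES: List[FailureMode] = [
    FailureMode("Output drifts out of range high", dangerous=False, detected=True, rate_fit=250),
    FailureMode("Power supply loss, output goes to fail-low", dangerous=False, detected=True, rate_fit=200),
    FailureMode("A/D converter fault, output forced out of range", dangerous=False, detected=True, rate_fit=150),
    FailureMode("Sensor element open circuit, caught by range check", dangerous=True, detected=True, rate_fit=400),
    FailureMode("Spurious output jump, not flagged by diagnostics", dangerous=False, detected=False, rate_fit=100),
    FailureMode("Output frozen at last value", dangerous=True, detected=False, rate_fit=120),
    FailureMode("Output drifts slowly but stays in range", dangerous=True, detected=False, rate_fit=80),
]


def summarise(modes: List[FailureMode]) -> Dict[str, float]:
    """Sum the failure rate (FIT) of each category: the FMEDA result table."""
    totals = {"SD": 0.0, "DD": 0.0, "SU": 0.0, "DU": 0.0}
    for mode in modes:
        if mode.rate_fit < 0:
            raise ValueError(f"negative failure rate for {mode.description!r}")
        totals[mode.category] += mode.rate_fit
    return totals


def total_failure_rate_per_hour(totals: Dict[str, float]) -> float:
    """Overall constant failure rate in failures per hour; the four categories
    partition the total, as the "Failure rate" entry describes."""
    return sum(totals.values()) * FIT_PER_HOUR


def diagnostic_coverage(totals: Dict[str, float]) -> float:
    """Diagnostic coverage as defined in this glossary: the failure rate of all
    detected failures divided by the failure rate of all failures."""
    all_failures = sum(totals.values())
    if all_failures == 0:
        raise ValueError("no failure rate data: coverage is undefined")
    return (totals["SD"] + totals["DD"]) / all_failures


def dangerous_diagnostic_coverage(totals: Dict[str, float]) -> float:
    """The form used by IEC 61508 for SIL calculations: only dangerous
    failures count, DD / (DD + DU)."""
    dangerous = totals["DD"] + totals["DU"]
    if dangerous == 0:
        raise ValueError("no dangerous failure modes: dangerous coverage is undefined")
    return totals["DD"] / dangerous


if __name__ == "__main__":
    totals = summarise(SAMPLE_MODES)
    for label in ("SD", "DD", "SU", "DU"):
        print(f"lambda_{label}: {totals[label]:6.0f} FIT")
    print(f"lambda_total: {total_failure_rate_per_hour(totals):.3e} per hour")
    print(f"diagnostic coverage (all failures):   {diagnostic_coverage(totals):.1%}")
    print(f"diagnostic coverage (dangerous only): {dangerous_diagnostic_coverage(totals):.1%}")
```

The two ratios differ noticeably for this invented device (about 77% against about 67%) because nearly all of its safe failures are detected; the dangerous-only figure is the one that matters for the safety integrity level, so a high overall coverage should not be read as a high dangerous coverage.<br />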
Four-wire transmitter Electronic transmitter that has separate pairs of wires for signal and power.<br />
Full variability language (FVL) This type of language is designed for computer programmers and provides<br />
the capability to implement a wide variety of functions and applications.<br />
Typical examples of systems using FVL are general purpose computers. In<br />
the process sector, FVL is found in embedded software and rarely in<br />
application software. FVL examples include: Ada, C, Pascal, Instruction List,<br />
assembler languages, C++, Java, and SQL.<br />
Functional safety Freedom from unacceptable risk achieved through the safety lifecycle. See<br />
IEC 61508, IEC 61511, safety lifecycle, and tolerable risk.<br />
Functional safety assessment Activity performed by a competent senior engineer to determine if the safety<br />
system does meet the specification and actually achieve functional safety<br />
(freedom from unacceptable risk). This assessment is an important part of<br />
reducing systematic failures. It must be performed at least after<br />
commissioning and validation but before the hazard is present.<br />
Fusible plug A hollowed threaded plug having the hollowed portion filled with a low<br />
melting point material. This element is often used to provide a mechanical<br />
relief device triggered by temperature causing the process fluid to vent<br />
when the plug material melts.<br />
Gain 1. Ratio of output signal magnitude to input signal magnitude; when less<br />
than one this is usually called attenuation. 2. The relative degree of<br />
amplification in an electronic circuit. 3. The ratio of the change in output to<br />
the change in input which caused the change. 4. In a controller, the<br />
reciprocal of proportional band. Proportional band can be expressed as a<br />
dimensionless number (gain) or as a percent.<br />
Gasket A sealing member, usually made by stamping from a sheet of cork, rubber,<br />
metal or impregnated synthetic material and clamped between two<br />
essentially flat surfaces to prevent pressurized fluid from leaking through the<br />
crevice; typical applications include flanged joints in piping, head seals in a<br />
reciprocating engine or compressor, casing seals in a pump, or virtually<br />
anywhere a pressure tight joint is needed between stationary members.<br />
Also known as "static seal."<br />
Gate valve A valve with a closing piece in the form of a flat or wedge shaped gate<br />
which may be moved linearly in or out of the flow stream. It has a straight<br />
through flow path.<br />
Gland A device for preventing a pressurized fluid from leaking out of a casing at a<br />
machine joint, such as at a shaft penetration for a valve or pump. Also<br />
known as "gland seal."<br />
Globe valve 1. A valve with a closure piece that moves in a straight line, one or more<br />
ports, and a body distinguished by a globular shaped cavity around the port<br />
region. 2. A type of flow regulating valve consisting of a movable disc and a<br />
stationary ring seat in a generally spherical body. In the general design, the<br />
fluid enters below the valve seat and leaves from the cavity above the seat.<br />
Go/no go test A test in which one or more parameters are determined, but which can<br />
result only in acceptance or rejection of the test object, depending on the<br />
value(s) measured.<br />
Grab sampling A method of sampling bulk materials for analysis, which consists of taking<br />
one or more small portions (usually only imprecisely measured) at random<br />
from a pile, tank, hopper, railcar, truck or other point of accumulation.<br />
Ground loop Circulating current between two or more connections to electrical ground.<br />
This signal can be detected and displayed by electronic instruments. These<br />
signals are generally not associated with the variable to be measured and<br />
represent noise in the measuring system. They are typically broken<br />
(removed) by adding optical coupling devices to the circuit.<br />
HART Highway Addressable Remote Transducer. The HART protocol was<br />
originated by Rosemount in the late 1980s. The protocol was "open" for<br />
other companies to use and a User Group formed in 1990.<br />
Hazard The potential for harm.<br />
Hazard Matrix A category based method for assigning a safety integrity level (SIL). The<br />
user must create a matrix that assigns defined categories to the<br />
consequence (one axis dimension) and likelihood (other axis dimension)<br />
components of the risk with a SIL assignment associated for each entry in<br />
the matrix. In some cases, quantitative tools, such as LOPA, are used to<br />
assist the analyst in determining which category to use, but often the<br />
assignment is done qualitatively, using engineering judgment.<br />
Hazardous area A US classification for an area in which explosive gas/air mixtures are, or<br />
may be expected to be, present in quantities such as to require special<br />
precautions for the construction and use of electrical apparatus.<br />
Division 1 (hazardous). Where concentrations of flammable gases or vapors<br />
exist a) continuously or periodically during normal operations; b) frequently<br />
during repair or maintenance or because of leakage; or c) due to equipment<br />
breakdown or faulty operation which could cause simultaneous failure of<br />
electrical equipment. (See the US "National Electrical Code, Paragraph 500<br />
4(a)" for detailed definition.)<br />
Division 2 (normally nonhazardous). Locations in which the atmosphere is<br />
normally nonhazardous and may become hazardous only through the<br />
failure of the ventilating system, opening of pipe lines, or other unusual<br />
situations. (See the US "National Electrical Code, Paragraph 500 4(b)" for<br />
detailed definition.)<br />
Nonhazardous. Areas not classified as Division 1 or Division 2 are<br />
considered nonhazardous. NOTE: It is safe to have open flames or other<br />
continuous sources of ignition in nonhazardous areas [S12.4].<br />
Hazardous material Any substance that requires special handling to avoid endangering human<br />
life, health or well being. Such substances include poisons, corrosives, and<br />
flammable, explosive or radioactive chemicals.<br />
HAZOP Hazards and operability study. A process hazards analysis procedure<br />
originally developed by ICI in the 1970s. The method is highly structured<br />
and divides the process into different operationally-based nodes and<br />
investigates the behavior of the different parts of each node based on an<br />
array of possible deviation conditions or guidewords.<br />
HFT Hardware fault tolerance (see fault tolerance).<br />
H&MB Heat and Material Balance. An accounting of the distribution of the heat and<br />
material input and output for a process. Usually prepared as part of the<br />
process flow sheet or diagram (PFD) development early in an engineering<br />
project. Usually part of the input to a HAZOP or other hazard identification<br />
process.<br />
Heuristic Pertaining to a method of problem solving in which solutions are discovered<br />
by evaluation of the progress made toward the final solution, such as a<br />
controlled trial and error method. An exploratory method of tackling a<br />
problem, or sequencing of investigation, experimentation, and trial solution<br />
in closed loops, gradually closing in on the solution. A heuristic approach<br />
usually implies or encourages further investigation, and makes use of<br />
intuitive decisions and inductive logic in the absence of direct proof known<br />
to the user. Thus, heuristic methods lead to solutions of problems or<br />
inventions through continuous analysis of results obtained thus far,<br />
permitting a determination of the next step. A stochastic method assumes a<br />
solution on the basis of intuitive conjecture or speculation and testing the<br />
solution against known evidence, observations, or measurements. The<br />
stochastic approach tends to omit intervening or intermediate steps toward<br />
a solution. Contrast with stochastic and algorithmic.<br />
HMI/MMI Human or Man Machine Interface. Refers to the software that the process<br />
operator "sees" the process with. An example HMI/MMI screen may show a<br />
tank with levels and temperatures displayed with bar graphs and values.<br />
Valves and pumps are often shown and the operator can "click" on a device<br />
to turn it on, off or make a set point change.<br />
HSE (UK) Health and Safety Executive<br />
Hydrogen damage Any of several forms of metal failure caused by dissolved hydrogen,<br />
including blistering, internal void formation, and hydrogen induced delayed<br />
cracking.<br />
IDLH Immediately Dangerous to Life and Health. Used in consequence analysis to<br />
estimate toxic effects on people.<br />
IEC International Electrotechnical Commission. A worldwide organization for<br />
standardization. The object of the IEC is to promote international<br />
cooperation on all questions concerning standardization in the electrical and<br />
electronic fields. To this end and in addition to other activities, the IEC<br />
publishes international standards. See 61508 and 61511.<br />
Impact analysis Activity of determining the effect that a change to a function or component<br />
will have to other functions or components in that system as well as to other<br />
systems.<br />
Impedance The complex ratio of a force-like parameter to a related velocity-like<br />
parameter - for instance, force to velocity, pressure to volume, electric<br />
voltage to current, temperature to heat flow, or electric field strength to<br />
magnetic field strength.<br />
Incident The result of an initiating event that is not stopped from propagating. The<br />
incident is the most basic description of an unwanted accident, and provides the<br />
least information. The term incident is simply used to convey the fact that<br />
the process has lost containment of the chemical, or other potential energy<br />
source. Thus the potential for causing damage has been released but its<br />
harmful result has not taken specific form.<br />
Inductance 1. In an electrical circuit, the property that tends to oppose changes in<br />
current magnitude or direction. 2. In electromagnetic devices, generating<br />
electromotive force in a conductor by means of relative motion between the<br />
conductor and a magnetic field such that the conductor cuts magnetic lines<br />
of force.<br />
Infrared Any electromagnetic wave whose wavelength is 0.78 to 300 microns.<br />
Typically used to detect moisture or heat/temperature.<br />
Integral control A type of controller function where the output (control) signal or action is a<br />
time integral of the input (sensor) signal.<br />
Interference, common mode A form of interference which appears between measuring circuit terminals<br />
and ground. See also EMI.<br />
Interference, electromagnetic Any spurious effect produced in the circuits or elements of a device by<br />
external electromagnetic fields. NOTE: A special case of interference from<br />
radio transmitters is known as "radio frequency interference (RFI)". See also<br />
EMI.<br />
Interference, normal-mode A form of interference which appears between measuring circuit terminals.<br />
See also EMI.<br />
Interlock 1. Instrument which will not allow one part of a process to function unless<br />
another part is functioning. 2. A device such as a switch that prevents a<br />
piece of equipment from operating when a hazard exists. 3. To arrange the<br />
control of machines or devices so that their operation is interdependent in<br />
order to assure their proper coordination.<br />
Intrinsic safety<br />
1. A type of protection in which a portion of the electrical system contains<br />
only intrinsically safe equipment (apparatus, circuits, and wiring) that is<br />
incapable of causing ignition in the surrounding atmosphere. No single<br />
device or wiring is intrinsically safe by itself (except for battery-operated<br />
self-contained apparatus such as portable pagers, transceivers, gas<br />
detectors, etc., which are specifically designed as intrinsically safe<br />
self-contained devices) but is intrinsically safe only when employed in a properly<br />
designed intrinsically safe system. This type of protection is referred to by<br />
IEC as "Ex i". 2. Design methodology for a circuit or an assembly of circuits<br />
in which any spark or thermal effect produced under normal operating and<br />
specified fault conditions is not capable under prescribed test conditions of<br />
causing ignition of a given explosive atmosphere. 3. A method to provide<br />
safe operation of electric process control instrumentation where hazardous<br />
atmospheres exist. The method keeps the available electrical energy so low<br />
that ignition of the hazardous atmosphere cannot occur. 4. A protection<br />
technique based upon the restriction of electrical energy within apparatus<br />
and of interconnecting wiring, exposed to a potentially explosive<br />
atmosphere, to a level below that which can cause ignition by either<br />
sparking or heating effects. Because of the method by which intrinsic safety<br />
is achieved, it is necessary to ensure that not only the electrical apparatus<br />
exposed to the potentially explosive atmosphere but also other electrical<br />
apparatus with which it is interconnected is suitably constructed.<br />
I/O<br />
Input/Output. Refers to the electronic hardware where the field devices are<br />
wired. Discrete I/O would have switches for inputs and send signals to<br />
solenoid valves and pumps for outputs. Analog I/O would have continuously<br />
variable process value inputs, and controller outputs.<br />
I/S barrier<br />
Intrinsic safety barrier. Physical element that limits current and voltage into<br />
a hazardous area in order to satisfy Intrinsic <strong>Safety</strong> requirements.<br />
IPL<br />
Independent protection layer or layers. This refers to various other methods<br />
of risk reduction possible for a process. Examples include items such as<br />
rupture disks and relief valves which will independently reduce the likelihood<br />
of the hazard escalating into a full accident with a harmful outcome. In order<br />
to be effective, each layer must specifically prevent the hazard in question<br />
from causing harm, act independently of other layers, have a reasonable<br />
probability of working, and be able to be audited once the plant is in operation<br />
relative to its original expected performance.<br />
ISA<br />
Instrumentation, Systems and Automation Society. See IEC 61511.<br />
Jacketed valve<br />
A valve body cast with a double wall or provided with a second wall by<br />
welding material around the body so as to form a passage for a heating or<br />
cooling medium. Also refers to valves which are enclosed in split metal<br />
jackets having internal heat passageways or electric heaters. Also referred<br />
to as "steam jacketed" or "vacuum jacketed." In a vacuum jacketed valve, a<br />
vacuum is created in the space between the body and secondary outer wall<br />
to reduce the transfer of heat by convection from the atmosphere to the<br />
internal process fluid, usually cryogenic.<br />
Ladder diagram<br />
Symbolic representation of a control scheme. The power lines form the two<br />
sides of a ladder like structure, with the program elements arranged to form<br />
the rungs. The basic program elements are contacts and coils as in<br />
electromechanical logic systems. Typically programs of this form fall into the<br />
limited variability language (LVL) category.<br />
Lambda<br />
Failure rate for a system. See failure rate.<br />
Laser Doppler flowmeter<br />
An apparatus for determining flow velocity and velocity profile by measuring<br />
the Doppler shift in laser radiation scattered from particles in the moving<br />
fluid stream.<br />
Latent fault<br />
A fault that is present but hidden from regular means of detection. Typically<br />
these faults can only be identified as part of an accident or a detailed proof<br />
test.<br />
LEL/LFL<br />
Lower explosive (or flammable) limit. See flammability.<br />
Likelihood<br />
The frequency of a harmful event, often expressed in events per year or<br />
events per million hours. One of the two components used to define a risk.<br />
Note that this is different from the traditional English definition that means<br />
probability.<br />
Limited variability language (LVL)<br />
This type of language is designed for process sector users, and provides<br />
the capability to combine predefined, application specific, library functions to<br />
implement the safety requirements specifications. An LVL provides a close<br />
functional correspondence with the functions required to achieve the<br />
application. Typical examples of LVL are ladder diagram, function block<br />
diagram and sequential function chart.<br />
Linear variable differential transformer (LVDT)<br />
A position sensor consisting of a central primary coil and two secondary<br />
coils wound on the same core; a moving iron element linked to a<br />
mechanical member induces changes in self induction that are directly<br />
proportional to movement of the member.<br />
Linear variable reluctance transducer (LVRT)<br />
A position sensor consisting of a centre tapped coil and an opposing moving<br />
coil attached to a linear probe; the winding is continuous over the length of<br />
the core, instead of being segmented as in an LVDT.<br />
Load cell<br />
A transducer for the measurement of force or weight. Action is based on<br />
strain gauges mounted within the cell on a force beam.<br />
Loop<br />
A combination of two or more instruments or control or safety functions<br />
arranged so that signals pass from one to another for the purpose of<br />
measurement and/or control of a process variable or executing a safety<br />
function.<br />
Longitudinal redundancy check (LRC)<br />
Error detection scheme that consists of a byte where each bit is calculated<br />
on the basis of the parity of all the bits in the block that have the same<br />
power of two.<br />
LOPA<br />
Layer of Protection Analysis. A method of analyzing the likelihood<br />
(frequency) of a harmful outcome event based on an initiating event<br />
frequency and on the probability of failure of a series of independent layers<br />
of protection capable of preventing the harmful outcome.<br />
Markov analysis<br />
A fault propagation method used to analyze failure rate or probability for<br />
safety instrumented functions. A diagram is constructed to represent the<br />
system under consideration including the logical relationships between its<br />
components. In Markov analysis there are a group of circles, each of which<br />
represents a system state. The different states are connected with<br />
transitions, which are shown as arrows and indicate paths to move from one<br />
state to another. The transitions are quantified using either failure rates<br />
when the transition is from an OK state to a failed state or repair rates when<br />
the transition is from a failed state back to an OK state. As with other<br />
models, there are several solution methods to obtain results. For safety<br />
instrumented system applications, the method using steady state equations<br />
is not appropriate. Numeric discrete time solutions are excellent.<br />
Mode (Continuous)<br />
When demands to activate a safety function (SIF) are frequent compared to<br />
the test interval of the SIF. Note that other sectors define a separate high<br />
demand mode, based on whether diagnostics can reduce the accident rate.<br />
In either case, the continuous mode is where the frequency of an unwanted<br />
accident is essentially determined by the frequency of a dangerous SIF<br />
failure. When the SIF fails, the demand for its action will occur in a much<br />
shorter time frame than the function test, so speaking of its failure<br />
probability is not meaningful. Essentially all of the dangerous faults of a SIF<br />
in continuous mode service will be revealed by a process demand instead<br />
of a function test. See low demand mode, high demand mode, and SIL.<br />
Mode (High Demand) (also continuous mode per IEC 61511) Similar to continuous mode only<br />
there is specific credit taken for automatic diagnostics. The split between<br />
high demand and continuous mode is whether the automatic diagnostics<br />
are run many times faster than the demand rate on the safety function. If the<br />
diagnostics are slower than this there is no credit for them and the<br />
continuous mode applies.<br />
Mode (Low Demand) (also demand mode per IEC 61511) when demands to activate the safety<br />
instrumented function (SIF) are infrequent compared to the test interval of<br />
the SIF. The process industry defines this mode when the demands to<br />
activate the SIF are less than once every two proof test intervals. The low<br />
demand mode of operation is the most common mode in the process<br />
industries. When defining safety integrity level for the low demand mode, a<br />
SIF's performance is measured in terms of average Probability of Failure on<br />
Demand (PFDavg). In this demand mode, the frequency of the initiating<br />
event, modified by the SIF's probability of failure on demand times the<br />
demand rate and any other downstream layers of protection determine the<br />
frequency of unwanted accidents.<br />
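Worked example of the calculation the LOPA and Mode (Low Demand) entries describe. This is an added example, not material from the exida notebook: the initiating-event frequency, the layer PFDs and the target frequency are constructed sample values, the SIL bands are the IEC 61508 low-demand PFDavg bands, and the low-demand test applies the "less than once every two proof test intervals" rule stated above, assuming the SIF sees every initiating event as a demand.<br />

```python
"""LOPA-style frequency calculation for a low-demand safety function.

Added example (not from the notebook). It implements the arithmetic the
glossary describes: the frequency of the harmful outcome equals the
initiating-event frequency multiplied by the probability of failure on
demand (PFD) of each independent protection layer (IPL) in series, and
the PFDavg a safety instrumented function (SIF) must reach to bring that
frequency down to a tolerable target.
"""

# IEC 61508 low-demand PFDavg bands: (SIL, upper bound exclusive, lower bound inclusive).
SIL_BANDS = [
    (1, 1e-1, 1e-2),
    (2, 1e-2, 1e-3),
    (3, 1e-3, 1e-4),
    (4, 1e-4, 1e-5),
]


def mitigated_frequency(initiating_freq, ipl_pfds):
    """Outcome frequency (per year) after every IPL has had its chance to stop the event.

    All IPLs must fail for the harm to occur, so the initiating frequency is
    multiplied by each layer's PFD.
    """
    if initiating_freq < 0:
        raise ValueError("initiating frequency must be non-negative")
    freq = initiating_freq
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("a PFD is a probability in (0, 1]")
        freq *= pfd
    return freq


def required_sif_pfd(initiating_freq, ipl_pfds, target_freq):
    """PFDavg a SIF must achieve so the outcome frequency does not exceed target_freq.

    Returns None when the non-SIF layers already meet the target (no SIF credit needed).
    """
    freq = mitigated_frequency(initiating_freq, ipl_pfds)
    if freq <= target_freq:
        return None
    return target_freq / freq


def sil_for_pfd(pfd):
    """Map a required PFDavg onto the IEC 61508 low-demand SIL bands.

    Returns 0 when the requirement is looser than SIL 1 and None when it is
    tighter than SIL 4 (not achievable with a single SIF).
    """
    if pfd >= 1e-1:
        return 0
    for sil, upper, lower in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return None


def is_low_demand(demand_rate_per_year, proof_test_interval_years):
    """The notebook's criterion: demands less often than once per two proof test intervals."""
    return demand_rate_per_year < 1.0 / (2.0 * proof_test_interval_years)


# Constructed sample scenario (not from the page): a control loop failure initiates
# the event 0.1 times per year; a relief valve (PFD 0.01) and an operator response
# (PFD 0.1) are credited as IPLs.
SAMPLE_INITIATING_FREQ = 0.1
SAMPLE_IPL_PFDS = [0.01, 0.1]


def demo(target_freq=3e-6):
    """Run the sample scenario and return the intermediate results."""
    freq = mitigated_frequency(SAMPLE_INITIATING_FREQ, SAMPLE_IPL_PFDS)
    need = required_sif_pfd(SAMPLE_INITIATING_FREQ, SAMPLE_IPL_PFDS, target_freq)
    return {
        "mitigated_freq": freq,                                  # 1e-4 per year
        "required_sif_pfd": need,                                # 0.03
        "sil": None if need is None else sil_for_pfd(need),      # SIL 1
        # yearly proof test, SIF demanded by every initiating event
        "low_demand": is_low_demand(SAMPLE_INITIATING_FREQ, 1.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The band mapping shows why the target frequency matters more than the raw PFD arithmetic: tightening the target by one decade moves the requirement one SIL up, which is the step that usually decides architecture and proof-test interval.<br />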
Modulation<br />
1. The process or the result of the process by which some characteristic of<br />
one wave is varied in accordance with some characteristic of another wave<br />
(AM, amplitude modulation; PM, phase modulation; FM, frequency<br />
modulation). 2. The action of a control valve to regulate fluid flow by varying<br />
the position of the closure component.<br />
MTTF<br />
Mean Time to Failure - The average amount of time until a system fails or<br />
its "expected" failure time. Please note that the MTTF can be assumed to be<br />
the inverse of failure rate (lambda) for a series of components, all of which<br />
have a constant failure rate for the useful life period of the components.<br />
MTTR<br />
Mean Time to Repair - The average time between the occurrence of a<br />
failure and the completion of the repair of that failure. This includes the time<br />
needed to detect the failure, initiate the repair and fully complete the repair.<br />
MTTFS<br />
Mean Time to Fail Spurious - The mean time until a failure of the system<br />
causes a spurious process trip.<br />
Multiplexing<br />
The transmission of a number of different messages simultaneously over a<br />
single circuit.<br />
MWP<br />
Maximum working pressure. See Pressure, maximum working.<br />
NAK<br />
Negative acknowledgment. This code indicates that the last block<br />
transmitted was in error and that the receiver is expecting a re-transmission.<br />
Needle valve<br />
Its essential design feature is a slender tapered rodlike control element<br />
which fits into a circular or conoidal seat. Operating the valve causes the<br />
rod to move into or out of the seat, gradually changing the effective cross<br />
sectional area of the gap between the rod and its seat. Typically used for<br />
precise low flow applications.<br />
NEMA standard<br />
Consensus standards for electrical equipment approved by the majority of<br />
the members of the US National Electrical Manufacturers Association.<br />
NC (NO)<br />
Normally Closed (Normally Open) 1. A switch position where the usual<br />
arrangement of contacts permits (prevents) the flow of electricity in the<br />
circuit. 2. In a solenoid valve, an arrangement whereby the disk or plug is<br />
seated (open) when the solenoid is de-energized. 3. A field contact that is<br />
closed (open) for a normal process condition and open (closed) when the<br />
process condition is abnormal. 4. A valve with means provided to move to<br />
and/or hold in its closed (open) position without actuator energy supply. 5.<br />
Relay contacts that are closed (open) when the coil is not energized.<br />
NIOSH<br />
(US) National Institute of Occupational <strong>Safety</strong> and Health<br />
Noise<br />
1. In process instrumentation, an unwanted component of a signal or variable. See<br />
"interference, electromagnetic". 2. Any spurious variation in the electrical<br />
output not present in the input. 3. An unwanted component of a signal or<br />
variable which obscures the information content. 4. Random variations of<br />
one or more characteristics of any entity, such as voltage, current, or data.<br />
5. A random signal of known statistical properties of amplitude, distribution,<br />
and spectral density. 6. Loosely, any disturbance tending to interfere with<br />
the normal operation of a device or system.<br />
Nozzle<br />
1. A short flanged or welded neck connection on a drum or shell for the<br />
outlet or inlet of fluids; also a projecting spout through which a fluid flows. 2.<br />
A streamlined device for accelerating and directing fluid flow into a region of<br />
lower fluid pressure. 3. A particular type of restriction used in a flow system to<br />
facilitate flow measurement by pressure drop across a restriction.<br />
Nuisance trip<br />
See safe failure.<br />
Occupancy<br />
A measure of the probability that the effect zone of an accident will contain<br />
one or more personnel receptors of the effect. This probability should be<br />
determined using plant-specific staffing philosophy and practice. See effect<br />
zone.<br />
Offset<br />
1. A sustained deviation of the controlled variable from set point. This<br />
characteristic is inherent in proportional controllers that do not incorporate<br />
reset action. 2. Offset is caused by load changes. 3. The steady state<br />
deviation when the set point is fixed. NOTE: The offset resulting from a no<br />
load to a full load change (or other specified limits) is often called "droop" or<br />
"load regulation." 4. A constant and steady state of deviation of the<br />
measured variable from the set point.<br />
On-off control<br />
A simple form of control whereby the control variable is switched fully on or<br />
fully off in response to the process variable rising above the set point or<br />
falling below the set point respectively. Cycling always occurs with this form<br />
of control.<br />
Orifice meter<br />
A plate with a calibrated sharp edged hole in it. The plate is positioned<br />
across the flow stream in a pipe for measuring fluid flow rates. It typically<br />
has differential pressure taps positioned near the orifice and a calibrated<br />
calculation element to convert the measured pressure difference into a flow<br />
rate value.<br />
OSHA<br />
Occupational <strong>Safety</strong> and Health Administration<br />
OSI<br />
Open system interconnection. A seven layered model of communications<br />
networks defined by ISO. The seven layers are:<br />
Layer 7 Application: provides the interface for application to access the OSI<br />
environment.<br />
Layer 6 Presentation: provides for data conversion to preserve the meaning<br />
of the data.<br />
Layer 5 Session: provides user to user connections.<br />
Layer 4 Transport: provides end to end reliability.<br />
Layer 3 Network: provides routing of data through the network.<br />
Layer 2 Data Link: provides link access control and reliability.<br />
Layer 1 Physical: provides an interface to the physical medium.<br />
Overrange<br />
In process instrumentation, of a system or element, any excess value of the<br />
input signal above its upper range value or below its lower range value.<br />
Overrange limit<br />
The maximum input that can be applied to a device without causing damage<br />
or permanent change in performance.<br />
Override control<br />
1. Generally, two control loops connected to a common final control<br />
element, one control loop being nominally in control with the second being<br />
switched in by some logic element when an abnormal condition occurs so<br />
that constant control is maintained. 2. A technique in which more than one<br />
controller manipulates a final control element. The technique is used when<br />
constraint control is important.<br />
Overshoot<br />
1. The amount of output measured beyond the final steady output value, in<br />
response to a step change in the input. NOTE: Expressed in percent of the<br />
equivalent step change in output. 2. A transient response to a step change<br />
in an input signal which exceeds the normal or expected steady state<br />
response. 3. The maximum difference between the transient response and<br />
the steady state response.<br />
Pareto chart<br />
A display of the number of failures of components by part number in<br />
descending order of failure rate or number of failures observed. Data may<br />
also be shown taking into account the total cost of each failure.<br />
Parity<br />
A check that tests whether the number of ones or zeroes in an array of<br />
binary digits is odd or even, used to verify data storage and transmission.<br />
This is usually done by calculating the sum of the "1" bits in a data unit and<br />
determining if it is either an odd or even number. A binary digit (parity bit) is<br />
then added to a group of bits to make the sum of all the bits always odd<br />
(odd parity) or always even (even parity).<br />
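Added example (not code from the notebook) for the two error-detection schemes defined under Longitudinal redundancy check (LRC) earlier and Parity here: per-byte parity bits and an LRC byte are computed over a constructed data block, and deliberately injected bit flips then show which corruption each check catches and which it misses. The sample block and the corruption patterns are constructed for the example.<br />

```python
"""Parity bits and a longitudinal redundancy check (LRC) over a data block.

Added example, not code from the notebook. Per-byte parity (a transverse
check over the bits of one byte) and the LRC byte (a per-column check: bit i
of the LRC is the even-parity bit over bit i of every byte, i.e. the XOR of
all bytes) are computed, then verified against corrupted copies of the block.
"""


def parity_bit(byte, even=True):
    """Parity bit for one byte.

    Even parity: 1 when the byte already holds an odd number of 1 bits, so
    that byte plus parity bit always has an even count. Odd parity inverts it.
    """
    ones = bin(byte & 0xFF).count("1")
    bit = ones % 2
    return bit if even else 1 - bit


def lrc(block):
    """LRC byte: even parity over each bit position (each power of two) of the
    block, which is the XOR of all the bytes."""
    out = 0
    for b in block:
        out ^= b
    return out


def encode(block):
    """Return (list of per-byte parity bits, LRC byte) for a block."""
    return [parity_bit(b) for b in block], lrc(block)


def verify(block, parities, lrc_byte):
    """Return (parity_ok, lrc_ok) for a received block and its transmitted checks."""
    parity_ok = len(parities) == len(block) and all(
        parity_bit(b) == p for b, p in zip(block, parities)
    )
    return parity_ok, lrc(block) == lrc_byte


def flip_bits(block, positions):
    """Corrupt a copy of block; positions are (byte_index, bit_number) pairs."""
    data = bytearray(block)
    for byte_index, bit in positions:
        data[byte_index] ^= 1 << bit
    return bytes(data)


SAMPLE = b"SAFE"   # constructed sample block; its LRC byte is 0x11


def demo(block=SAMPLE):
    """Check the clean block and three corruption patterns.

    Returns {case: (parity_ok, lrc_ok)} so the blind spot of each scheme is visible.
    """
    parities, check = encode(block)
    cases = {
        "clean": block,
        "one_bit": flip_bits(block, [(0, 0)]),              # both checks catch it
        "same_column": flip_bits(block, [(0, 0), (1, 0)]),  # LRC misses: column XOR cancels
        "same_byte": flip_bits(block, [(0, 0), (0, 1)]),    # byte parity misses: count parity unchanged
    }
    return {name: verify(data, parities, check) for name, data in cases.items()}


if __name__ == "__main__":
    for name, (p_ok, l_ok) in demo().items():
        print(f"{name:12s} parity_ok={p_ok} lrc_ok={l_ok}")
```

The two checks are complementary: an even number of flips within one byte slips past that byte's parity but changes the LRC, and the same bit flipped in two bytes slips past the LRC but changes both bytes' parity. Running both is what lets a link detect every one- and two-bit error; either alone leaves a blind spot.<br />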
PFDavg<br />
Probability of Failure on Demand average - This is the probability that a<br />
system will fail dangerously, and not be able to perform its safety function<br />
when required. PFD can be determined as an average probability or<br />
maximum probability over a time period. IEC 61508/61511 and ISA 84.01<br />
use PFDavg as the system metric upon which the SIL is defined.<br />
Also Process Flow Diagram. A diagram of the basic process equipment<br />
usually accompanied by a heat and material balance. Typically prepared<br />
early in an engineering project, it is usually part of the input to a HAZOP or<br />
other hazard identification process.<br />
pH meter<br />
An instrument for electronically measuring electrode potential of an aqueous<br />
chemical solution and directly converting the reading to pH value. pH is the<br />
symbol for the measurement of acidity or alkalinity. Solutions with a pH<br />
reading of less than 7 are acid; solutions with a pH reading of more than 7<br />
are alkaline on the pH scale of 0 to 14, where the midpoint of 7 is neutral.<br />
PHA<br />
Process hazards analysis. Required by both PSM and the safety lifecycle.<br />
Identifying the hazards of a process for all reasonably foreseeable<br />
circumstances, determining the sequence of events leading to harm, and<br />
estimating the likelihood (frequency) and consequence magnitude of the<br />
potential harm. Various hazard identification methods include Checklist,<br />
What if?, What if?/Checklist, HAZOP (Hazards and Operability Study),<br />
FMEA (Failure Modes and Effects Analysis), and Fault Tree Analysis.<br />
Physical relief device<br />
Mechanical equipment that performs an action to relieve pressure when the<br />
normal operating range of temperature or pressure has been exceeded.<br />
Physical relief devices include pressure relief valves, thermal relief valves,<br />
rupture disks, rupture pins, and high temperature fusible plugs.<br />
PID control<br />
Proportional-plus-integral-plus-derivative control, used in processes where<br />
the controlled variable is affected by long lag times.<br />
Pigtail<br />
A 270° or 360° loop in pipe or tubing to form a trap for vapor condensate.<br />
Used to prevent high temperature vapors from reaching the instrument.<br />
Used almost exclusively in static pressure measurement.<br />
P&ID<br />
Piping and instrumentation drawing. Shows the interconnection of process<br />
equipment and the instrumentation used to control the process. In the<br />
process industry, a standard set of symbols is used to prepare drawings of<br />
processes. The instrument symbols used in these drawings are generally<br />
based on Instrument Society of America (ISA) Standard S5.1. 2. The<br />
primary schematic drawing used for laying out a process control installation.<br />
Pitot tube<br />
1. An instrument for measuring stagnation pressure of a flowing liquid; it<br />
consists of an open tube pointing upstream, into the flow of fluid, and<br />
connected to a pressure indicator or recorder. 2. An instrument which will<br />
register total pressure and static pressure in a gas stream, used to<br />
determine its velocity.<br />
PLL<br />
Probable loss of life. A numerical expression for the magnitude of a<br />
consequence in terms of the most likely number of lives that will be lost in a<br />
given event or over a given time interval. The value need not be a whole<br />
number.<br />
Plug valve<br />
1. A valve with a closing element that may be cylindrical, conical or a<br />
spherical segment in shape that is opened or closed with rotary motion. 2. A<br />
type of shutoff valve consisting of a tapered rod with a lateral hole through<br />
it. As the rod is rotated 90° about its longitudinal axis, the hole is first<br />
aligned with the direction of flow through the valve and then aligned<br />
crosswise, interrupting the flow.<br />
Positioner<br />
A position controller, which is mechanically connected to a moving part of a<br />
final control element or its actuator, and automatically adjusts its output<br />
pressure to the actuator in order to maintain a desired position that bears a<br />
predetermined relationship to the input signal. The positioner can be used to<br />
modify the action of the valve (reversing positioner), extend the<br />
stroke/controller signal (split range positioner), increase the pressure to the<br />
valve actuator (amplifying positioner) or modify the control valve flow<br />
characteristic (characterised positioner).<br />
PLC<br />
Programmable Logic Controller. These computers replace relay logic and<br />
often have PID (proportional integral and derivative) controllers built into<br />
them. PLCs are very fast at processing discrete signals (like a switch<br />
condition). They can be designed for either regular or SIL rated applications.<br />
Predictive control<br />
1. A type of automatic control in which the current state of a process is<br />
evaluated in terms of a model of the process and controller actions modified<br />
to anticipate and avoid undesired excursions. 2. Self tuning. 3. Artificial<br />
intelligence.<br />
Pressure, design<br />
The pressure used in the design of a vessel or device for the purpose of<br />
determining the minimum permissible thickness or physical characteristics<br />
of the parts for a given maximum working pressure (MWP) at a given<br />
temperature.<br />
Pressure, maximum working<br />
The maximum total pressure permissible in a device under any<br />
circumstances during operation, at a specified temperature. It is the highest<br />
pressure to which it will be subjected in the process. It is a designed safe<br />
limit for regular use. NOTE: MWP can be arrived at by two methods: a)<br />
designed: by adequate design analysis, with a safety factor; b) tested: by<br />
rupture testing of typical samples.<br />
Pressure relief device<br />
A mechanism that vents fluid from an internally pressurized system to<br />
counteract system overpressure; the mechanism may release all pressure<br />
and shut the system down (as does a rupture disc) or it may merely reduce<br />
the pressure in a controlled manner to return the system to a safe operating<br />
pressure (as does a spring loaded safety valve).<br />
Prior use<br />
See Proven in use.<br />
Proof test<br />
Testing of safety system components to detect any failures not detected by<br />
automatic on-line diagnostics, i.e. dangerous failures, diagnostic failures,<br />
parametric failures, followed by repair of those failures to an equivalent<br />
as-new state. Proof testing is a vital part of the safety lifecycle and is critical to<br />
ensuring that a system achieves its required safety integrity level throughout<br />
the safety lifecycle.<br />
Protection layer<br />
See IPL.<br />
Proven in use<br />
Basis for use of a component or system as part of a safety integrity level<br />
(SIL) rated safety instrumented system (SIS) that has not been designed in<br />
accordance with IEC 61508. It requires sufficient product operational hours,<br />
revision history, fault reporting systems, and field failure data to determine if<br />
there is evidence of systematic design faults in a product. IEC 61508 provides<br />
levels of operational history required for each SIL.<br />
Proportional control<br />
A control mode in which there is a continual linear relationship between the<br />
deviation computed in the controller, the signal of the controller, and the<br />
position of the final control element.<br />
PSM<br />
Process safety management. Part of the US requirement under the<br />
Occupational <strong>Safety</strong> and Health Administration (OSHA) guidelines for<br />
managing risk when dealing with large quantities of certain materials. The<br />
regulation (29 CFR 1910.119) was published in 1992 to help prevent or<br />
minimize the consequences of catastrophic releases of toxic, reactive,<br />
flammable, or explosive chemicals.<br />
PTC or GeT<br />
Proof Test Coverage - The percentage of failures that are detected during the<br />
servicing of equipment. In general it is assumed that when a proof test is<br />
performed any errors in the system are detected and corrected (100% proof<br />
test coverage).<br />
PTI or TI<br />
Proof Test Interval - The time interval between servicing of the equipment.<br />
Purging<br />
1. The addition of air or inert gas (such as nitrogen) into the enclosure<br />
around the electrical equipment at sufficient flow to remove any hazardous<br />
vapors present and sufficient pressure to prevent their re-entry. 2.<br />
Elimination of an undesirable gas or material from an enclosure by means<br />
of displacing the undesirable material with an acceptable gas or material.<br />
Pyrometer<br />
Any of a broad class of temperature measuring instruments or devices.<br />
Some typical pyrometers include thermocouples, radiation pyrometers,<br />
resistance pyrometers and thermistors, but usually not thermometers. It is a<br />
temperature transducer that measures temperatures by the EM radiation<br />
emitted by an object, which is a function of the temperature.<br />
Quick-opening valve Control valve with trim characteristic designed to produce large flow<br />
capacity with small amount of valve opening.<br />
Random failure<br />
A failure occurring at a random time, which results from one or more<br />
degradation mechanisms. Random failures can be effectively predicted with<br />
statistics and are the basis for the probability of failure on demand based<br />
calculations requirements for safety integrity level. See systematic failure.<br />
Rated capacity<br />
The manufacturer's stated capacity rating for mechanical equipment, for<br />
instance, the maximum continuous capacity in pounds of steam per hour for<br />
which a boiler is designed.<br />
Ratio controller<br />
1. A controller that maintains a predetermined ratio between two or more<br />
variables. 2. Maintains the magnitude of a controlled variable at a fixed ratio<br />
to another variable.<br />
Receptor<br />
The object or persons on the receiving end of the harm in an unwanted<br />
event. Common receptors include personnel, plant equipment, plant<br />
production, the environment, and the general public.<br />
Redundancy<br />
Use of multiple elements or systems to perform the same function.<br />
Redundancy can be implemented by identical elements (identical<br />
redundancy) or by diverse elements (diverse redundancy). Redundancy is<br />
primarily used to improve reliability or availability.<br />
Reliability<br />
1. The probability that a device will perform its objective adequately, for the<br />
period of time specified, under the operating conditions specified. 2. The<br />
probability that a component, piece of equipment or system will perform its<br />
intended function for a specified period of time, usually operating hours,<br />
without requiring corrective maintenance.<br />
Reliability block diagram<br />
Probability combination method for estimating complex probabilities. Since it<br />
generally takes the "success" view of a system, it can be confusing when<br />
used in multiple failure mode modeling.<br />
Relief valve<br />
An automatic pressure relieving device actuated by the pressure upstream<br />
of the valve and characterized by opening pop action with further increase<br />
in lift with an increase in pressure over popping pressure. See pressure<br />
relief device.<br />
Repeatability<br />
The ability of a transducer to reproduce output readings when the same<br />
input value is applied to it consecutively under the same conditions, and in<br />
the same direction. NOTE(S): Repeatability is expressed as the maximum<br />
difference between output readings; it is expressed as "within percent of<br />
full-scale output." Two calibration cycles are used to determine repeatability<br />
unless otherwise specified.<br />
Repeater<br />
1. Device used to extend the range over which signals can be correctly<br />
transmitted and received for a given medium. 2. A device that amplifies or<br />
regenerates data signals in order to extend the distance between data<br />
stations.<br />
Resealing pressure<br />
The inlet pressure at which fluid no longer leaks past a relief valve after it is<br />
closed.<br />
Response 1. The change in output of a device in relation to a change of input. 2.<br />
Defined output for a given input under explicitly stated conditions.<br />
Risk<br />
Risk is a measure of the likelihood (frequency) and consequence (severity)<br />
of an adverse effect. (i.e., How often can harm happen and what will be the<br />
effects if it does?)<br />
Risk (Inherent)<br />
The risk from a completed process design that contains a given amount of<br />
process materials at given process parameters (i.e. temperature, pressure,<br />
etc.) Can usually be managed by good process engineering.<br />
Risk (Unmitigated)<br />
The level of risk that is present in a process before any safety instrumented<br />
systems are considered. This level helps identify how much risk reduction is<br />
required to be provided by any safety instrumented system installed as part<br />
of a process. This unmitigated risk level must be defined in terms of both<br />
consequence and likelihood.<br />
Risk graph<br />
A qualitative and category-based method of safety integrity level (SIL)<br />
assignment. Risk graph analysis uses four parameters to make a SIL<br />
selection: consequence, occupancy, probability of avoiding the hazard, and<br />
demand rate. Each of these parameters is assigned a category and a SIL is<br />
associated with each combination of categories. In some C<br />
Risk integral<br />
RMP<br />
RRF<br />
RTD<br />
Rupture disc<br />
Safe area<br />
Safe failure: Failure that does not have the potential to put the safety instrumented system in a dangerous or fail-to-function state. The situation when a safety related system or component fails to perform properly in such a way that it calls for the system to be shut down or the safety instrumented function to activate when there is no hazard present.<br />
Safe failure fraction: See SFF.<br />
Safe state: The state of the process after acting to remove the hazard, resulting in no significant harm.<br />
<strong>Safety</strong> ground: 1. A connection between metal structures, cabinets, cases, etc. which is required to prevent electrical shock hazard to personnel. 2. <strong>Safety</strong> ground is not a signal reference point.<br />
<strong>Safety</strong> lifecycle: The procedures to first analyze the situation and document the safety requirements (Analysis Phases). Then, translate these requirements into a documented safety system design, using appropriate software and hardware subsystems and design methodology (Realization Phases). Next, evaluate the system against the required integrity and reliability specifications and modify it as needed. Finally, operate and maintain the system according to accepted procedures (Operation Phases), and document the results to ensure that performance standards are maintained throughout the system's life. See IEC 61508 and IEC 61511.<br />
<strong>Safety</strong> manual: Document required for equipment certified in accordance with IEC 61508 that describes the conditions of use for that equipment in safety applications. It typically includes usage requirements/restrictions, environmental limits, optional settings, failure rate data, useful life data, common cause beta estimate, inspection and test procedures. The "safety manual" may be part of another document.<br />
<strong>Safety</strong> requirements specification: Specification containing all the requirements of the safety functions that have to be performed by the safety-related system. It includes both what the functions must do and also how well they must do it. It is often a contractual document between companies and is one of the most important documents in the safety lifecycle process.<br />
Sample interval: The rate at which a controller samples the process variable and calculates a new output. Ideally, the sample interval should be set between 4 and 10 times faster than the process dead time.<br />
Sampling rate: For a given measurement, the number of times that it is sampled per second in a time division multiplexed system. Typically, it is at least five times the highest data frequency of the measurement.<br />
SAT: Site acceptance test. Involves shipment of the system(s) to site, installation and start-up activities. Tests then validate that the installed safety instrumented system and its associated safety instrumented functions achieve the requirements as stated in the <strong>Safety</strong> Requirements Specification. Note: Full loop checking may come at a later stage.<br />
Saturation: A situation when a further change in the input signal produces no significant additional change in the output.<br />
SCADA: Supervisory control and data acquisition. Operator interface and monitoring of (usually remote) control devices by computer.<br />
Seal chambers: Enlarged pipe sections in measurement impulse lines to provide a) a high area to volume displacement ratio to minimize error from hydrostatic head difference when using large volume displacement measuring elements, and b) to prevent loss of seal fluid by displacement into the process. Also known as Seal Pots.<br />
Seal leg: The piping from the instrument to the top elevation of the seal fluid in the impulse line.<br />
Seal on disk: A seal ring located in a groove in the disk circumference. The body is unlined in this case [S75.05].<br />
Seat: The fixed area of a valve into which the moving part of a valve rests when the valve is closed to retain pressure and prevent flow.<br />
Segmented ball: A closure piece in a valve that is a segment of a spherical surface which may have one edge contoured to yield a desired flow characteristic.<br />
Sensor: Device or combination of devices that measure the process condition (e.g., transmitters, transducers, process switches, position switches, etc.).<br />
Sensor group: For complex safety functions, there may be more than one property which is measured to determine if a shut down is required.<br />
Set point: 1. An input variable which sets the desired value of the controlled variable. It is expressed in the same units as the controlled variable.<br />
Set pressure: The inlet pressure at which a safety relief valve opens; usually a pressure established by specification or code.<br />
SFF: Safe Failure Fraction - The fraction of the overall failure rate of a device that results in either a safe fault or a diagnosed (detected) unsafe fault. The safe failure fraction includes the detectable dangerous failures when those failures are annunciated and procedures for repair or shutdown are in place.<br />
SIF: <strong>Safety</strong> Instrumented Function - A set of equipment intended to reduce the risk due to a specific hazard (a safety loop). Its purpose is to 1. automatically take an industrial process to a safe state when specified conditions are violated; 2. permit a process to move forward in a safe manner when specified conditions allow (permissive functions); or 3. take action to mitigate the consequences of an industrial hazard. It includes elements that detect that an accident is imminent, decide to take action, and then carry out the action needed to bring the process to a safe state. Its ability to detect, decide and act is designated by the safety integrity level (SIL) of the function. See SIL.<br />
Sight glass: A glass tube, or a glass faced section of a process line, used for sighting liquid levels or taking manometer readings.<br />
Signal common: 1. The signal common shall refer to a point in the signal loop which may be connected to the corresponding points of other signal loops. It may or may not be connected to earth ground [S50.1]. 2. The reference point for all voltage signals in a system. Current flow into signal common is minimized to prevent IR drops which induce inaccuracy in the signal common reference.<br />
Signal isolation: Signal isolation refers to the absence of a connection between the signal loop and all other terminals and earth ground.<br />
SIL: <strong>Safety</strong> Integrity Level - A quantitative target for measuring the level of performance needed for a safety function to achieve a tolerable risk for a process hazard. Defining a target SIL level for the process should be based on the assessment of the likelihood that an incident will occur and the consequences of the incident. The following table describes SIL for different modes of operation.<br />
SIL selection: The process of defining tolerable risk, confirming existing risk (both likelihood and consequence) and assigning a SIL rated safety function as needed to achieve a tolerable level of risk.<br />
SIL verification: The process of calculating the average probability of failure on demand (or the probability of failure per hour) and architectural constraints for a safety function design to see if it meets the required SIL.<br />
SIS: <strong>Safety</strong> Instrumented System - Implementation of one or more <strong>Safety</strong> Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s). A SIS usually has a number of safety functions with different safety integrity levels (SIL), so it is best to avoid describing it by a single SIL. See SIF.<br />
SIT: Site integration test. Once site acceptance testing is completed, the basic process control system and the safety instrumented system (SIS) communications and any hard-wired links are integrated and tested as a complete system to ensure that the system as a whole functions correctly. SIS signals, diagnostics, bypasses and alarms displayed on shared basic process control system human machine interface (HMI) screens will be tested during this stage.<br />
Snubber: 1. A device which is used to damp the motion of the valve stem. This is usually accomplished by an oil filled cylinder/piston assembly. The valve stem is attached to the piston and the flow of hydraulic fluid from one side of the piston to the other is restricted. 2. A mechanical or hydraulic device for restraining motion. 3. A device installed between an instrument and the process used to protect the instrument from rapid pressure fluctuations.<br />
Solenoid: A type of electromechanical operator in which back and forth axial motion of a ferromagnetic core within an electromagnetic coil performs some mechanical function; common applications include opening or closing valves or electrical contacts.<br />
Solenoid valve: A shutoff valve whose position is determined by whether or not electric current is flowing through a coil surrounding a moving iron valve stem.<br />
Span: The difference between the upper and lower range values.<br />
Spurious trip: See Safe failure.<br />
Standard condition: 1. A temperature of 0 °C and a pressure of 1 atmosphere (760 torr). Also known as "normal temperature and pressure (NTP)"; "standard temperature and pressure (STP)." 2. According to the American Gas Association (AGA), a temperature of 60 °F (15 5/9 °C) and a pressure of 30 inches of mercury (762 mm). 3. According to the Compressed Gas Institute (CGI), a temperature of 20 °C (68 °F) and a pressure of 1 atmosphere.<br />
Standpipe: A vertical tube filled with a liquid such as water.<br />
Static head liquid level meter: A pressure sensing device, such as a gauge, connected in the piping system so that any dynamic pressures in the system cancel each other and only the pressure difference due to liquid head above the gauge position is registered.<br />
Static pressure: 1. The pressure of a fluid that is independent of the kinetic energy of the fluid. 2. Pressure exerted by a gas at rest, or pressure measured when the relative velocity between a moving stream and a pressure measuring device is zero.<br />
Stochastic: Pertaining to direct solution by trial and error, usually without a step by step approach, and involving analysis and evaluation of progress made, as in a heuristic approach to trial and error methods. In a stochastic approach to a problem solution, intuitive conjecture or speculation is used to select a possible solution, which is then tested against known evidence, observations or measurements. Intervening or intermediate steps toward a solution are omitted. Contrast with "algorithmic" and "heuristic."<br />
Stress corrosion cracking: Deep cracking in a metal part due to the combination of tensile stress and a corrosive environment, causing failure in less time than could be predicted by simply adding the separate effects of stress and the corrosive environment.<br />
Supervisory control: A term used to imply that a controller output or computer program output is used as an input to other controllers. See SCADA.<br />
Suppressed range: A suppressed range is an instrument range which does not include zero. The degree of suppression is expressed by the ratio of the value at the lower end of the scale to the span.<br />
Systematic failure: A failure that happens in a deterministic (non random) predictable fashion from a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors. Since these are not mathematically predictable, the safety lifecycle includes a large number of procedures to prevent them from occurring. The procedures are more rigorous for higher safety integrity level systems and components. Such failures cannot be prevented with simple redundancy.<br />
Target flow meter: A device for measuring fluid flow rates through the drag force exerted on a sharp edged disk centered in a circular flow path due to differential pressure created by fluid flowing through the annulus. Usually, the disk is mounted on a bar whose axis coincides with the tube axis, and drag force is measured by a secondary device attached to the bar.<br />
Thermal type flow meter: An apparatus where heat is injected into a flowing fluid stream and flow rate is determined from the rate of heat dissipation; either the rise in temperature at some point downstream of the heater or the amount of thermal or electrical energy required to maintain the heater at a constant temperature is measured.<br />
Thermistor: A temperature transducer constructed from semiconductor material and for which the temperature is converted into a resistance, usually with negative slope and highly nonlinear.<br />
Thermocouple: Two dissimilar wires joined together that generate a voltage proportional to temperature when their junction is heated relative to a reference junction. See thermojunction.<br />
TI: 1. Test Interval. This acronym is typically used in risk analysis equations to represent the proof test interval described above. 2. Temperature Indicator. This acronym is used in Piping and Instrumentation Diagrams (P&IDs) to designate a device which measures and displays the temperature.<br />
Thermojunction: Either of the two locations where the conductors of a thermocouple are in electrical contact; one, the measuring junction, is in thermal contact with the body whose temperature is being determined, and the other, the reference junction, is generally held at some known or controlled temperature.<br />
Thermowell: A thermowell is a pressure tight receptacle adapted to receive a temperature sensing element and provided with external threads, flanges or other means for pressure tight attachment to a vessel.<br />
Time constant: 1. The value t in an exponential response term. For the output of a first order system forced by a step or an impulse, t is the time required to complete 63.2% of the total rise or decay. In higher order systems, there is a time constant for each of the first order components of the process. 2. The length of time required for the output of a transducer to rise to 63% of its final value as a result of a step change of input.<br />
Torque tube flow meter: A device for measuring liquid flow through a pipe in which differential pressure due to the flow operates a bellows, whose motion is transmitted to a recorder arm by means of a flexible torque tube.<br />
Transient response: The response of a transducer to a step change of input. NOTE: Transient response, as such, is not shown in a specification except as a general heading, but is defined by such characteristics as time constant, response time, ringing period, etc.<br />
Trim: The internal parts of a valve which are in flowing contact with the controlled fluid. Can be designed to any of the following requirements:<br />
Anti cavitation: reduces the tendency of the controlled liquid to cavitate.<br />
Anti noise: reduces the noise generated by fluid flowing through the valve.<br />
Balanced: minimizes the net static and dynamic fluid flow forces acting on the trim.<br />
Restricted or Reduced: has a flow area less than the full flow area for that valve.<br />
Soft-seated: with an elastomeric, plastic or other readily deformable material used either in the closure component or seat ring to provide shutoff with minimal actuator forces.<br />
Turbine flow meter: A volumetric flow measuring device using the rotation of a turbine type element to determine flow rate.<br />
Turndown: The ratio of the maximum plant design flow rate to the minimum plant design flow rate.<br />
TÜV: Technischer Überwachungsverein (technical inspection association). Any one of a number of different private German companies which provide assessment services to various industries including process safety engineering.<br />
Two-wire transmitter: Electronic transmitter which uses the power wires (typically 24 VDC) for signal transmission, usually by manipulating the current flow (typically 4-20 mA) to represent the desired signal.<br />
U tube manometer: A device for measuring gauge pressure or differential pressure by means of a U shaped transparent tube partly filled with a liquid, commonly water; a small pressure above or below atmospheric is measured by connecting one leg of the U to the pressurized space and observing the height of liquid while the other leg is open to the atmosphere; a small differential pressure may be measured by connecting both legs to pressurized space, for example, high and low pressure regions across an orifice or venturi.<br />
UEL/UFL: Upper explosive (or flammable) limit. See flammability.<br />
Ultrasonic flow meter: A device for measuring flow rates across fluid streams by either Doppler effect measurements or time of transit determination; in both types of flow measurement, displacement of the portion of the flowing stream carrying the sound waves is determined and flow rate calculated from the effect on sound wave characteristics.<br />
UL: Underwriters Laboratories. An independent US testing and certifying organization.<br />
Useful life: See wearout.<br />
V Model: The basic project execution model that starts with high level design and goes down to detailed design, followed by testing of the detailed design and then testing of the higher level design elements.<br />
V orifice: "V"-shaped flow control orifice which allows a characterized flow control as the gate moves in relation to the fixed Vee opening.<br />
Validation: The activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration, after installation, meet in all respects the safety requirements specification.<br />
Valve body: The part of the valve which is the main pressure boundary relative to the ambient. The body also provides the pipe connecting ends, the fluid flow passageway, and may support the seating surfaces and the valve closure member.<br />
Valve body assembly: An assembly of a body, bonnet assembly, bottom flange and trim elements. The trim includes a valve plug which opens, shuts or partially obstructs one or more ports.<br />
Valve bonnet: An assembly including the part through which a valve plug stem moves and a means for sealing against leakage along the stem. It usually provides a means for mounting the actuator. Sealing against leakage may be accomplished by packing or a bellows. A bonnet assembly may include a packing lubricator assembly with or without isolating valve. Radiation fins or an extension bonnet may be used to maintain a temperature differential between the valve body and sealing means.<br />
Valve flow coefficient (Cv): The number of US gallons (3.785 liters) per minute of 60°F (15.6°C) water that will flow through a valve with a one pound per square inch (6.89 kPa) pressure drop.<br />
Vapor pressure: 1. The pressure of a vapor corresponding to a given temperature where the liquid and vapor are in equilibrium. Vapor pressure increases with temperature. 2. The pressure (for a given temperature) at which a liquid is in equilibrium with its vapor. As a liquid is heated, its vapor pressure will increase until it equals the total pressure of the gas above the liquid; at this point the liquid will begin to boil.<br />
Venturi meter: A type of flow meter that measures flow rate by determining the pressure drop through a venturi constriction. A venturi is a constriction in a pipe, tube or flume consisting of a tapered inlet, a short straight constricted throat and a gradually tapered outlet; fluid velocity is greater and pressure is lower in the throat area than in the main conduit upstream or downstream of the venturi; it can be used to measure flow rate, or to draw another fluid from a branch into the main fluid stream.<br />
Verification: Activity of demonstrating for each phase of the safety lifecycle by analysis and/or tests that, for the specific inputs, the deliverables meet the objectives and requirements set for the specific phase.<br />
Vortex flow meter: A device that measures flow by sensing the movement of vortices in a pipe or conduit. The instrument usually is constructed with a partial barrier (vortex shedder) inserted perpendicular to the flow to allow formation of vortices, and sensor(s) to detect the passing vortices. The vortices are shed from one side of the shedder and then the other side as the fluid flows around the shedder. The sensor counts the number of vortices generated per unit of time and the velocity of the fluid can then be calculated.<br />
Wearout: The point where a piece of equipment has accumulated enough stress and weakened to the point where its failure rate increases significantly. Note that since essentially all safety systems assume a constant failure rate, they must be replaced before they reach this wearout point.<br />
Windup: Saturation of the integral mode of a controller developing during times when control cannot be achieved, which causes the controlled variable to overshoot its set point when the obstacle to control is removed.<br />
Zero shift: 1. A change in the output in response to a zero input over a specified period of time and at room conditions. NOTE: This error is characterized by a parallel displacement of the entire calibration curve [S37.1]. 2. A shift in the instrument calibrated span evidenced by a change in the zero value. Usually caused by temperature changes, overrange, or vibration of the instrument.<br />
Zone: The international method of specifying the probability that a location is made hazardous by the presence, or potential presence, of flammable concentrations of gases and vapors. NOTE: Zone classification has not yet been defined for dust.<br />
Zone 0: Classification of a location in which an explosive concentration of a flammable gas or vapor mixture is continuously present or is present for long periods.<br />
Zone 1: Classification of a location in which an explosive concentration of a flammable or explosive gas or vapor mixture is likely to occur in normal operation.<br />
Zone 2: Classification of a location in which an explosive concentration of a flammable or explosive gas or vapor mixture is unlikely to occur in normal operation and, if it does occur, will exist only for a short time.<br />
References:<br />
Cross Instrumentation; "Control Valve and Actuator Definitions" downloaded from http://www.crossinstrumentation.com/tn/Presentation/Presentations%20Literature/Common%20terms/Glossary.xls on 17 November 2006.<br />
Gerry, John; "Glossary of Process Control Terms" downloaded from http://www.expertune.com/glossary.html on 15 November 2006.<br />
Goble, W. M.; "Control Systems <strong>Safety</strong> Evaluation & Reliability." ISA 1998.<br />
Guidelines for Chemical Process Quantitative Risk Analysis; (New York: American Institute of Chemical Engineers Center for Chemical Process <strong>Safety</strong>) 2000.<br />
IICA; "Dictionary of Technical Terms" downloaded from http://www.iica.org.au/info/terms/ on 15 November 2006.<br />
IEC 61508; <strong>Functional</strong> <strong>Safety</strong> of electrical/electronic/programmable electronic safety-related systems, IEC, 1998, 2000.<br />
IEC 61511 / ISA 84.00.01-2004; <strong>Functional</strong> safety - <strong>Safety</strong> instrumented systems for the process industry sector, IEC 2003; ISA 2004.<br />
Marszal, E., and Scharpf, E.; "<strong>Safety</strong> Integrity Level Selection: Systematic Methods Including Layer of Protection Analysis" ISA 2002.<br />
PAControl.com; "Foundation Fieldbus Glossary" downloaded from http://www.pacontrol.com/ffglossary.html on 15 November 2006.
<strong>Functional</strong> <strong>Safety</strong> <strong>Engineering</strong> II<br />
<strong>Functional</strong> <strong>Safety</strong> <strong>Engineering</strong> II (Version 3.31)<br />
Participant's <strong>Notebook</strong><br />
Copyright© 2000-<strong>2007</strong> exida.com, L.L.C., All Rights Reserved<br />
exida.com, L.L.C.<br />
64 North Main Street<br />
Sellersville, PA 18960
Table of Contents<br />
SECTION 1: COURSE PRESENTATION<br />
SECTION 2: EXERCISES<br />
SECTION 3: ADDITIONAL RESOURCES<br />
Extending IEC61508 Reliability Evaluation Techniques - W. Goble and J. Bukowski<br />
Getting Failure Rate Data - W. Goble<br />
Techniques for Achieving Reliability in <strong>Safety</strong> PLC Embedded Software - W. Goble<br />
SECTION 1<br />
Course Presentation
<strong>Functional</strong> <strong>Safety</strong> <strong>Engineering</strong> II<br />
SIS Design - SIL Verification<br />
Sellersville, PA, USA: +1-215-453-1720<br />
Munich, Germany: +49-89-4900-0547<br />
Westville, KZN, South Africa: +27-31-267-1564<br />
SERVICE CENTERS<br />
Australia: +61-3-9734-3886<br />
Canada: +1-403-475-1943<br />
Netherlands: +31-318-414-505<br />
New Zealand: +64-3-472-7707<br />
UK: +44-24-7679-6480<br />
USA (Houston): +1-832-439-3793<br />
Version 4.0b<br />
Copyright © 2000-2008 exida.com L.L.C.<br />
1<br />
Network of Excellence in Dependable Automation<br />
2
exida Industry Focus<br />
• Management support<br />
• Development support<br />
• Certification<br />
• Tools<br />
• FSM setup<br />
• SIL verification<br />
• Tools<br />
• Competence development<br />
• <strong>CFSE</strong><br />
• Tools<br />
Highest Technical Competency<br />
• exida has developed many analysis techniques for functional safety and published books on these methods<br />
• exida authored all ISA best sellers for automation safety and reliability<br />
• exida authored industry data handbook on equipment failure data<br />
4
exida Certification S.A. in Switzerland, Geneva<br />
• <strong>Exida</strong> founded an independent certification company in Geneva, Switzerland, the home of IEC.<br />
• Certifications are issued by independent assessors and auditors<br />
• Swiss Quality reputation<br />
5<br />
Course Logistics<br />
• Fire and emergency evacuation procedures<br />
• Course materials & location<br />
- Handouts and course binder<br />
- Exercises, Reference Material and Course Review<br />
• Course attendance & participation<br />
- Certificate of course completion<br />
• Breaks<br />
- Lunch<br />
- Stretch, refreshment, etc.<br />
• Personal belongings<br />
6
Introduction of Course Participants<br />
• Instructor<br />
- Name<br />
- Background/experience<br />
• Classmates<br />
- Name, company, position<br />
- Background/experience<br />
- Course objectives?<br />
7<br />
Course Objectives<br />
• Review the fundamental concepts of Statistics and Reliability <strong>Engineering</strong><br />
- Data Samples<br />
- Constant Failure Rates<br />
- Bathtub Curve<br />
- Terms<br />
• Understand <strong>Safety</strong> Instrumented System (SIS) failure modes<br />
Course Objectives<br />
• Develop an understanding of the <strong>Safety</strong> Lifecycle (SLC) Design Phase<br />
• Review how to implement an SIS from requirements specifications<br />
• What is an FMEDA (Failure Modes, Effects and Diagnostics Analysis)?<br />
• <strong>Safety</strong> Integrity Level (SIL) verification calculations<br />
• Develop an understanding of the <strong>Safety</strong> Lifecycle (SLC) Operation and Maintenance Phase<br />
Section 1: Basic Statistics<br />
• Sample Data<br />
• Histograms<br />
• Probability Density Functions<br />
• Cumulative Distribution Functions<br />
• Mean-Median<br />
Sample Data<br />
Statistical Variable: Time To Failure, Hours - 30 Systems<br />
Censored Data<br />
Data is often grouped into "bins."<br />
Hours          Units   Cum.<br />
0-1000         7       7<br />
1001-2000      4       11<br />
2001-3000      3       14<br />
3001-4000      3       17<br />
4001-5000      2       19<br />
5001-6000      1       20<br />
6001-7000      1       21<br />
7001-8000      1       22<br />
8001-9000      1       23<br />
9001-10000     1       24<br />
10001-11000    1       25<br />
11001-12000    1       26<br />
12001-13000    1       27<br />
13001-14000    3       30<br />
Histogram<br />
[Histogram of the Censored Data table: Units (0 to 8) failed per bin against Operational Hours / 1000 (1 to 14); the bar heights are the Units column of the table.]<br />
Discrete Distributions - pdf<br />
Number of failures (x) per thousand hours - probability of occurrence p(x):<br />
x      1      2      3      4      5      6      7      8      9      10     11     12     13     14<br />
p(x)   0.233  0.133  0.100  0.100  0.067  0.033  0.033  0.033  0.033  0.033  0.033  0.033  0.033  0.100<br />
[Bar chart: Probability Density Function, p(x) (0 to 0.25) against x = 1 to 14 thousand hours.]<br />
Discrete Distributions - cdf<br />
Number of failures (x) for thousand-hour intervals - cumulative probability of occurrence F(x)<br />
[Plot: Cumulative Distribution Function, cumulative probability (0 to 1) against x = thousands of hours, 1 to 14.]<br />
Cumulative probability of failure, e.g. the probability of failure between 0 and 14000 hours is one.<br />
Mean<br />
Time To Failure, Hours - 30 Systems<br />
Failure #   Hours     Failure #   Hours<br />
1           33        16          3471<br />
2           96        17          3886<br />
3           196       18          4348<br />
4           240       19          4862<br />
5           409       20          5431<br />
6           614       21          6056<br />
7           831       22          7499<br />
8           1045      23          8339<br />
9           1282      24          9270<br />
10          1540      25          10305<br />
11          1815      26          11460<br />
12          2106      27          12751<br />
13          2414      28          13351<br />
14          2740      29          13853<br />
15          3091      30          13990<br />
Median = (3091 + 3471) / 2 = 3281 Hours<br />
Mean = 4910.8 Hours<br />
Failure Statistics<br />
[Plot: Cumulative Distribution Function of the sample, cumulative probability against Operational Hours / 1000, 1 to 14.]<br />
Statistics are the basis of the failure metrics used in reliability engineering and safety analysis:<br />
• Uncertainty of data<br />
• Applicability of data<br />
Section 1: Basic Statistics Summary<br />
• Sample Data<br />
• Histograms<br />
• Probability Density Functions<br />
• Cumulative Distribution Functions<br />
• Mean-Median<br />
Section 2: Basic Reliability <strong>Engineering</strong><br />
• Terms<br />
• Systematic vs Random Failure<br />
• Low, High and Continuous Demand<br />
• Stress-Strength<br />
• Wear out / Bathtub Curve<br />
• Failure rate<br />
• Reliability / Unreliability<br />
• Repairable Systems - Availability / Unavailability<br />
• PFavg<br />
• PFH<br />
Terms<br />
Random Failures<br />
A failure occurring at a random time, which results from one or more degradation mechanisms.<br />
Systematic Failures<br />
A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.<br />
Terms<br />
Random Failures<br />
Usually a permanent failure due to a system component's loss of functionality - hardware related.<br />
Systematic Failures<br />
Usually due to a design fault - wrong component, error in a software program, etc.<br />
Systematic Faults<br />
A single systematic fault can cause failure in multiple channels of an identical redundant system.<br />
REDUNDANCY IS NOT A PROTECTION AGAINST SYSTEMATIC FAILURES!<br />
Early example: A bad command was sent into a redundant DCS through a "Foreign Computer Interface." The command caused a controller to lock up trying to interpret the command. The diagnostics detected the failure and forced switchover to a redundant unit. The bad command was sent to the redundant unit, which promptly locked up as well.<br />
Random vs. Systematic Faults<br />
[Diagram, given here as the sequence of its labels:]<br />
Real functional needs -> Specification of requirements, design, implementation<br />
Correct design -> Well designed system -> the system is correct -> Random failure -> The system has a failure<br />
Incorrect design -> The system is not correct -> Function required or execution trajectory hits incorrectness -> The system has a failure<br />
Modes of Operation<br />
IEC 61508            IEC 61511<br />
Continuous Demand  } Continuous Mode<br />
High Demand        }<br />
Low Demand         } Demand Mode<br />
Terms<br />
Low Demand Mode - 61508<br />
Where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency; Part 4, 3.5.12<br />
If the ratio of diagnostic test rate to demand rate exceeds 100, then the subsystem can be treated ... as low demand mode ..., Part 2, 7.4.3.2.5 Note 2<br />
... the diagnostic test interval will need to be considered directly in the reliability model if it is not at least an order of magnitude less than the expected demand rate, Part 2, 7.4.3.2.2, Note 3<br />
Many find this confusing; in addition, the one-year mark is arbitrary and misleading. Technically the wording in Part 4, 3.5.12 is incomplete, as the above Notes in other portions of IEC 61508 give examples that express the true intent: the diagnostic test rate (proof test included) must be greater than the demand rate.<br />
Terms<br />
Low Demand Mode - exida definition<br />
The average interval between dangerous conditions (the demand interval) is long (example: once per year), the automatic diagnostic testing interval is an order of magnitude shorter, and the demand interval is greater than 2X the manual proof test interval.<br />
[Therefore automatic diagnostics and proof testing can be given credit for risk reduction.]<br />
Terms<br />
High Demand Mode - exida definition<br />
Where the demand interval is less than twice the proof test interval.<br />
Terms - IEC 61511<br />
61511 uses the terms demand mode and continuous mode.<br />
Demand mode safety instrumented function: where a specified action (e.g., closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the safety instrumented function a potential hazard only occurs in the event of a failure in the process or the BPCS.<br />
Continuous mode safety instrumented function: where in the event of a dangerous failure of the safety instrumented function a potential hazard will occur without further failure unless action is taken to prevent it.<br />
Modes of Operation<br />
Why do you care about modes?<br />
                         Demand Mode - 61511      Continuous Mode - 61511<br />
                         Low Demand - 61508       High Demand - 61508      Continuous - 61508<br />
Target measure           Use PFDavg table         Use PFH table            Use PFH table<br />
Proof testing            Take credit              No credit                No credit<br />
Automatic diagnostics    Take credit              Take credit              No credit<br />
Stress-Strength: Failures<br />
All failures occur when stress exceeds the associated level of strength.<br />
Stress is usually a combination of "stressors":<br />
• Heat<br />
• Humidity<br />
• Shock<br />
• Vibration<br />
• Electrical Surge<br />
• Electro-Static Discharge<br />
• Radio Frequency Interference<br />
• Mis-calibration<br />
• Maintenance Errors<br />
• Operational Errors<br />
Stress-Strength: Failures<br />
[Plot: stress and strength each drawn as a probability distribution, probability density 0 to 0.9 on the y-axis.]<br />
Strength varies - with time, with other stress, etc.<br />
Stress also varies with time.<br />
However, they can be represented by probability distributions.<br />
Stress-Strength: Failures<br />
[Plot: the stress and strength distributions again, after strength has decreased with time.]<br />
At some point in time, strength decreases and the failure rate increases rapidly - this causes wear-out.<br />
Stress-Strength: Failures<br />
[Plot: failure rate (0 to 0.025) against time, showing the three regions described below.]<br />
Stress-strength explains how failure rates vary with time.<br />
Weak units from a production population fail early. This portion of the curve is known as "infant mortality."<br />
When weak units are eliminated from the population, stress-strength indicates a steady but declining failure rate.<br />
When strength declines, the failure rate increases significantly.<br />
Stress-Strength: Failures<br />
Constant Failure Rate during "Useful Life"<br />
[Plot: failure rate (0 to 0.025) against time, with the useful-life region approximated by a constant failure rate.]<br />
Stress-Strength: Failures<br />
IEC 61508 Key Variables:<br />
1. Constant Failure Rate<br />
2. Useful Life<br />
[Plot: failure rate against time, marking the useful-life region.]<br />
Failure Rate<br />
Failure Rate - number of failures per unit operating hours.<br />
• Failure rate that varies with time<br />
• Constant failure rate<br />
• Average failure rate over a long period of time<br />
Example: One hundred solenoids are placed into operation. During the first year seven units failed.<br />
What is the average failure rate during the year?<br />
λ = 7 / (100 units × 8760 hrs/year) ?<br />
Failure Rate<br />
Example: One hundred solenoids are placed into operation. During the first year seven units failed.<br />
What is the average failure rate during the year?<br />
Least conservative (all 100 units counted as exposed for the full year):<br />
λ = 7 / (100 units × 8760 hrs/year) = 7.99E-06 failures / hour<br />
Most conservative (only the 93 survivors counted for the full year):<br />
λ = 7 / (93 units × 8760 hrs/year) = 8.6E-06 failures / hour<br />
Failure Rate Equation<br />
$\lambda = \Delta N_f / (N_s \cdot \Delta t)$<br />
$N_s$ = number of successful units at end of time period<br />
$N_f$ = number of failed units at end of time period<br />
$\Delta N_f$ = number of failed units during a time period<br />
$\Delta t$ = time period $(T_{n+1} - T_n)$<br />
Failure Rate Calculation<br />
Time To Failure, Hours - 30 Systems<br />
Each row applies $\lambda = \Delta N_f / (N_s \cdot \Delta t)$ with $\Delta N_f = 1$, $\Delta t$ = operating hours since the previous failure, and $N_s$ = units still running after this failure.<br />
System   Op. Hours   Calculation                            λ (failures/hr)<br />
12       33          1 / ((33 - 0) hrs × 29 units)           0.001045<br />
1        96          1 / ((96 - 33) hrs × 28 units)          0.000567<br />
14       196         1 / ((196 - 96) hrs × 27 units)         0.00037<br />
13       240         1 / ((240 - 196) hrs × 26 units)        0.000874<br />
30       409         1 / ((409 - 240) hrs × 25 units)        0.000237<br />
6        614         1 / ((614 - 409) hrs × 24 units)        0.000203<br />
11       831         1 / ((831 - 614) hrs × 23 units)        0.0002<br />
15       1045        1 / ((1045 - 831) hrs × 22 units)       0.000212<br />
16       1282        1 / ((1282 - 1045) hrs × 21 units)      0.000201<br />
10       1540        1 / ((1540 - 1282) hrs × 20 units)      0.000194<br />
7        1815        1 / ((1815 - 1540) hrs × 19 units)      0.000191<br />
19       2106        1 / ((2106 - 1815) hrs × 18 units)      0.000191<br />
25       2414        1 / ((2414 - 2106) hrs × 17 units)      0.000191<br />
21       2740        1 / ((2740 - 2414) hrs × 16 units)      0.000192<br />
2        3091        1 / ((3091 - 2740) hrs × 15 units)      0.00019<br />
24       3471        1 / ((3471 - 3091) hrs × 14 units)      0.000188<br />
27       3886        1 / ((3886 - 3471) hrs × 13 units)      0.000185<br />
26       4348        1 / ((4348 - 3886) hrs × 12 units)      0.00018<br />
3        4862        1 / ((4862 - 4348) hrs × 11 units)      0.000177<br />
20       5431        1 / ((5431 - 4862) hrs × 10 units)      0.000176<br />
23       6056        1 / ((6056 - 5431) hrs × 9 units)       0.000178<br />
9        7499        1 / ((7499 - 6056) hrs × 8 units)       8.66E-05<br />
5        8339        1 / ((8339 - 7499) hrs × 7 units)       0.00017<br />
28       9270        1 / ((9270 - 8339) hrs × 6 units)       0.000179<br />
8        10305       1 / ((10305 - 9270) hrs × 5 units)      0.000193<br />
22       11460       1 / ((11460 - 10305) hrs × 4 units)     0.000216<br />
18       12751       1 / ((12751 - 11460) hrs × 3 units)     0.000258<br />
29       13351       1 / ((13351 - 12751) hrs × 2 units)     0.000833<br />
4        13853       1 / ((13853 - 13351) hrs × 1 unit)      0.001992<br />
17       13990       1 / ((13990 - 13853) hrs × 0 units)     Inf.<br />
[Plot: failure rate against operating time interval, 200 to 1000 hrs.]<br />
Total Average = 0.00035 fail/hr.<br />
Average Middle = 0.0002 fail/hr.<br />
Reliability / <strong>Safety</strong> Terminology<br />
Defined so far:<br />
• Failure Rate - number of failures per unit of time<br />
- Failure rate that varies with time<br />
- Constant failure rate<br />
- Average failure rate over a long period of time<br />
• Probability of Success - the chance that a system will perform its intended function when operated within its specified limits.<br />
Reliability / <strong>Safety</strong> Terminology<br />
• RELIABILITY - the probability of success during an interval of time<br />
• R(t) = P(T > t), where T = failure time, for an interval 0 to t<br />
For example: if the probability of successful operation for 1 hour = 0.999, what is the probability of successful operation for one day?<br />
PS(24 hours) = PS(1 hour) × PS(1 hour) × ... (24 factors)<br />
PS(24 hours) = PS(1 hour)^24<br />
PS(24 hours) = 0.976<br />
Hours   PS<br />
1       0.999<br />
2       0.998001<br />
3       0.997003<br />
4       0.996006<br />
5       0.99501<br />
6       0.994015<br />
7       0.993021<br />
8       0.9920279<br />
9       0.9910359<br />
10      0.9900449<br />
11      0.9890548<br />
12      0.9880658<br />
13      0.9870777<br />
14      0.9860906<br />
15      0.9851045<br />
16      0.9841194<br />
17      0.9831353<br />
18      0.9821522<br />
19      0.98117<br />
20      0.9801889<br />
21      0.9792087<br />
22      0.9782295<br />
23      0.9772513<br />
24      0.976274<br />
Reliability / <strong>Safety</strong> Terminology<br />
• RELIABILITY - the probability of success during an interval of time<br />
• If the example is continued for 2000 hours:<br />
[Plot: PS against hours, 0 to 2000, decaying from 1.]<br />
• R(t) = Ns / N<br />
Ns = number of successful units at the end of each time period<br />
N = number of units total<br />
[Plot: R(t) for the 30-system sample, 0 to 1 on the y-axis, 0 to 16000 hours on the x-axis.]<br />
Reliability / <strong>Safety</strong> Terminology<br />
• RELIABILITY R(t) - the probability of success during an interval of time<br />
• UNRELIABILITY F(t) - the probability of failure during an interval of time<br />
• PF(t) = Probability of Failure, another name for unreliability<br />
• R(t) = 1 - F(t) (complementary events, one failure mode)<br />
[Plot: R(t) and F(t) for the 30-system sample against hours, 0 to 16000.]<br />
Reliability / <strong>Safety</strong> Terminology<br />
• Failure Rate - failures per unit time per device<br />
• Mean Time To Failure (MTTF) - the average successful operating time interval of a system<br />
Constant Failure Rate<br />
$R(t) = e^{-\lambda t}$<br />
$F(t) = 1 - e^{-\lambda t}$<br />
$\mathrm{MTTF} = \dfrac{1}{\lambda}$<br />
Common assumptions - reasonable for the middle of the failure rate curve. Even if the failure rate is decreasing (more realistic), these assumptions are conservative.<br />
Constant Failure Rate<br />
$R(t) = e^{-\lambda t}$<br />
$F(t) = 1 - e^{-\lambda t}$<br />
[Plot: R(t) and F(t) against the time interval (mission time).]<br />
Constant Failure Rate<br />
A Useful Approximation:<br />
$e^{x} = 1 + x + \dfrac{x^{2}}{2!} + \dfrac{x^{3}}{3!} + \dfrac{x^{4}}{4!} + \cdots$<br />
$F(t) = 1 - e^{-\lambda t}$<br />
Substituting $x = -\lambda t$ and dropping the terms of second order and higher (valid when $\lambda t$ is small) gives:<br />
Alternate Notation:<br />
$F(t) \approx \lambda t$<br />
$\mathrm{PF} = \lambda t$<br />
Repairable Systems<br />
What about repairable systems?<br />
The measurement "reliability" requires that a system be successful for an interval of time. What is needed for a repairable system is a measure that gives us the probability that it will work successfully in the situation where repair can be done.<br />
Mean Time to Restore<br />
• Mean Time To Failure (MTTF) - The average successful operating time interval of a system<br />
• Mean Time To Restore (MTTR) - The average failure time interval of a system. Applies only to repairable systems!<br />
• Restore Rate (μ) - Number of restores per time period<br />
An average over a large number of systems and a large number of failure/restore cycles.<br />
$\mathrm{MTTR} = \dfrac{1}{\mu} \qquad \mu = \dfrac{1}{\mathrm{MTTR}}$<br />
Mean Time to Restore<br />
• Mean Time To Restore (MTTR) - The average failure time interval of a system<br />
• MTTR =<br />
- Average time to detect that a failure has occurred, plus<br />
- Average time to actually make the repair<br />
Example: If failures are only detected by a periodic inspection and test:<br />
TI = Test Interval<br />
RT = Repair Time<br />
$\mathrm{MTTR} \approx \mathrm{TI}/2 + \mathrm{RT}$<br />
Mean Time Between Failures (MTBF)<br />
The average time interval of one failure/restore cycle of a system. Applies only to repairable systems.<br />
$\mathrm{MTBF} = \mathrm{MTTF} + \mathrm{MTTR}$<br />
[Timeline: each cycle is a time to failure (TTF) followed by a time to restore; the time between failures (TBF) spans both.]<br />
An average over a large number of systems and a large number of failure/restore cycles.<br />
Availability / Unavailability<br />
• Probability of Success - the chance that a system will perform its intended function when operated within its specified limits<br />
• AVAILABILITY - the probability of success at a moment in time (allows for past failures, i.e. repairable systems)<br />
• Steady State Availability - steady state/average value<br />
Availability. Single Failure Mode<br />
Steady-State Availability Modeling<br />
[Markov diagram: two states, Success and Fail; Success -> Fail at rate λ, Fail -> Success at rate μ.]<br />
$\mathrm{MTTF} = 1/\lambda$<br />
$\mathrm{MTTR} = 1/\mu$<br />
Constant Restore Rate<br />
Availability is often defined in reliability texts using a simple single-component Markov model with the assumption that a constant restore rate is valid. While this assumption is not realistic, it allows useful analysis for some problem domains. The "steady-state" solution for availability and unavailability for this model is:<br />
$A = \mathrm{MTTF} / (\mathrm{MTTF} + \mathrm{MTTR})$<br />
$U = \mathrm{MTTR} / (\mathrm{MTTF} + \mathrm{MTTR})$<br />
Steady State Availability. Single Failure Mode<br />
If the model is solved for probability of success as a function of operating time interval, eventually the availability model reaches a "steady state" or average value. This represents many failure / restore cycles.<br />
[Plot: availability (0 to 1) against operating time interval for a constant restore rate; the curve falls from 1 and levels off at the steady-state value.]<br />
Steady State Unavailability. Single Failure Mode<br />
If the model is solved for probability of failure as a function of operating time interval, eventually the unavailability model reaches a "steady state" or average value. This represents many failure / restore cycles.<br />
[Plot: unavailability (0 to 0.3) against operating time interval; the curve rises from 0 and levels off at the steady-state value.]<br />
Availability. Periodic Test and Inspection<br />
μ equals zero between inspections; μ equals one right after an inspection.<br />
When Periodic Inspection and Test is done, a different situation exists which requires different modeling techniques. Steady-state availability will not work.<br />
Availability. Periodic Test and Inspection<br />
μ equals zero between inspections; μ equals one right after an inspection.<br />
For LOW DEMAND situations, an average technique has been defined in IEC 61508. The average of the time-dependent values must be calculated.<br />
[Plot: probability against time, a saw-tooth that is reset at each inspection.]<br />
Availability. Periodic Test and Inspection<br />
Unavailability never reaches steady state in periodic inspection.<br />
[Plot: unavailability against time for a constant restore rate (levels off) compared with periodic test and inspection (saw-tooth: μ equals zero between inspections, μ equals one right after an inspection).]<br />
The average unavailability in a periodic test/inspect situation is not the same as the steady-state unavailability! It is a different Markov model with different solution results.<br />
Availability. Periodic Test and Inspection<br />
$\mathrm{PF}_{avg} = \dfrac{1}{T} \int_{0}^{T} \mathrm{PF}(t)\, dt$<br />
Approx. $\mathrm{PF} = \lambda \cdot \mathrm{TI}$<br />
Approx. $\mathrm{PF}_{avg} = \lambda \cdot \mathrm{TI} / 2$<br />
Assuming perfect PROOF TESTING: all failures are detected and repaired.<br />
Simplified Equation PFAVG<br />
[Plot: PF(t) against time, a saw-tooth reset at each proof test.]<br />
$\mathrm{PF}_{AVG} = \lambda \cdot \mathrm{TI} / 2$<br />
Assuming perfect PROOF TESTING: all failures are detected and repaired.<br />
The approximation for PFavg is pessimistic by a slight amount, therefore conservative for safety analysis.<br />
The Effects of Incomplete Testing<br />
Because of incomplete testing the PF never returns to its original value and the risk reduction can be significantly lower.<br />
[Plot: PF(t) against operating time with the IEC 61511 SIL 1 to SIL 4 bands marked; each test period resets PF only partly, and PFavg is drawn as the average of the resulting curve.]<br />
Simplified Equation PFAVG with Incomplete Testing<br />
$\mathrm{PF}_{avg} = \mathrm{CPT} \cdot \lambda \cdot \mathrm{TI} / 2 + (1 - \mathrm{CPT}) \cdot \lambda \cdot \mathrm{LT} / 2$<br />
CPT = Effectiveness (Coverage) of proof test, 0% to 100%<br />
LT = Operational Lifetime of plant<br />
<strong>Safety</strong> Integrity Levels (SILs)<br />
<strong>Safety</strong> Integrity Level   Target average probability of failure on demand   Target risk reduction (RRF)<br />
SIL 4                     >= 10^-5 to < 10^-4                                 > 10000 to <= 100000<br />
SIL 3                     >= 10^-4 to < 10^-3                                 > 1000 to <= 10000<br />
SIL 2                     >= 10^-3 to < 10^-2                                 > 100 to <= 1000<br />
SIL 1                     >= 10^-2 to < 10^-1                                 > 10 to <= 100<br />
<strong>Safety</strong> Integrity Levels - PFH<br />
Random Failure Probability<br />
<strong>Safety</strong> Integrity Level   Probability of dangerous failure per hour (continuous mode of operation)<br />
SIL 4                     >= 10^-9 to < 10^-8<br />
SIL 3                     >= 10^-8 to < 10^-7<br />
SIL 2                     >= 10^-7 to < 10^-6<br />
SIL 1                     >= 10^-6 to < 10^-5<br />
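An added Python example (not from the course material) that evaluates the PFavg relations of the preceding slides against the exact average of PF(t) over a proof test interval, applies the incomplete-testing form, and looks up the SIL band from the two tables above. The failure rate, test interval, proof test coverage and plant lifetime in it are constructed values, and the function names are this example's own.

```python
# Added example (not part of the course notes): the PFavg relations of the
# preceding slides (exact average of PF(t) = 1 - e^(-lambda t) over a proof
# test interval, the lambda*TI/2 simplification, and the incomplete-testing
# form with proof test coverage CPT) together with the SIL lookup of the
# tables above.  The failure rate, test interval, coverage and plant
# lifetime used at the bottom are constructed illustration values.
import math


def pf_avg_exact(lam, ti):
    """(1/TI) * integral_0^TI (1 - e^(-lambda t)) dt, in closed form."""
    x = lam * ti
    return 1.0 - (1.0 - math.exp(-x)) / x


def pf_avg_simplified(lam, ti):
    """PFavg ~ lambda * TI / 2 (perfect proof test)."""
    return lam * ti / 2.0


def pf_avg_incomplete_test(lam, ti, cpt, lifetime):
    """PFavg = CPT*lambda*TI/2 + (1-CPT)*lambda*LT/2.

    The fraction CPT of dangerous failures is found at each proof test; the
    rest accumulate until the end of the plant lifetime LT.
    """
    return cpt * lam * ti / 2.0 + (1.0 - cpt) * lam * lifetime / 2.0


# Low-demand SIL bands: (SIL, PFDavg lower bound inclusive, upper bound exclusive)
SIL_PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
# High-demand / continuous-mode bands: probability of dangerous failure per hour
SIL_PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def sil_from_pfd_avg(pfd):
    """SIL achieved by a low-demand PFDavg, or None if outside SIL 1 to 4."""
    for sil, lo, hi in SIL_PFD_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def sil_from_pfh(pfh):
    """SIL achieved by a continuous-mode PFH, or None if outside SIL 1 to 4."""
    for sil, lo, hi in SIL_PFH_BANDS:
        if lo <= pfh < hi:
            return sil
    return None


def risk_reduction_factor(pfd):
    """RRF = 1 / PFDavg."""
    return 1.0 / pfd


def is_pessimistic(lam, ti):
    """True when the simplified PFavg is at least the exact average."""
    return pf_avg_simplified(lam, ti) >= pf_avg_exact(lam, ti)


if __name__ == "__main__":
    LAM, TI, LT = 1e-6, 8760.0, 87600.0   # constructed values
    print(f"exact {pf_avg_exact(LAM, TI):.6f} vs simplified {pf_avg_simplified(LAM, TI):.6f}")
    for cpt in (1.0, 0.9, 0.6):
        pfd = pf_avg_incomplete_test(LAM, TI, cpt, LT)
        print(f"CPT={cpt:.0%}: PFavg={pfd:.5f}  RRF={risk_reduction_factor(pfd):.0f}  "
              f"SIL={sil_from_pfd_avg(pfd)}")
```

The run shows the point of the incomplete-testing slide directly: with the constructed values a perfectly tested function sits in the SIL 2 band, and the same hardware with 60 % proof test coverage over a ten-year lifetime drops into the SIL 1 band.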
Application Exercise Set 2<br />
Reliability and Availability - complete the problems<br />
15 minutes<br />
Section 2: Basic Reliability <strong>Engineering</strong> Summary<br />
• Terms<br />
• Systematic vs Random Failure<br />
• Low, High and Continuous Demand<br />
• Stress-Strength<br />
• Wear out / Bathtub Curve<br />
• Failure rate<br />
• Reliability / Unreliability<br />
• Repairable Systems - Availability / Unavailability<br />
• PFavg<br />
• PFH<br />
Section 3: System Reliability <strong>Engineering</strong><br />
• Reliability Block Diagrams<br />
• Fault Trees<br />
• Markov Models<br />
• Equipment Failure Modes<br />
• Common Cause<br />
Quantitative System Analysis Techniques<br />
System Modeling - we know the reliability (failure rates) of the components; what is the reliability of the system?<br />
Quantitative System Analysis Techniques<br />
• Define "what is a failure?"<br />
- Effectively stating what is included in the model.<br />
• Obtain a failure rate for each component failure mode; create a checklist<br />
• Understand how the system works<br />
- SYSTEM FMEA<br />
- HAZOP<br />
• Build the model<br />
Quantitative System Analysis Techniques<br />
• Reliability Block Diagrams<br />
• Simplified Equations<br />
• Fault Tree Diagrams<br />
• Markov Models<br />
Quantitative System Analysis Techniques<br />
Simplified Equations - Equations derived from one of the techniques listed below. Most are "too simple" and should not be used for anything except SIL 1.<br />
Reliability Block Diagram - Best for reliability/availability analysis. Probability combination method. Takes the "success" view. Confusing when used in multiple failure mode modeling.<br />
Fault Tree Diagram - Takes the "failure" view. Probability combination method. Multiple drawings can be used for multiple failure modes. Easy to understand the drawing.<br />
Markov Model - Looks at success and failure on one drawing. Flexible, solved for probabilities as a function of time interval. Few are educated in the method.<br />
Reliability Block Diagrams<br />
System successful when a path is formed across the drawing.<br />
Series System<br />
[Block diagram: AC POWER (A) and MOTOR (B) in series.]<br />
System operates only if all components operate.<br />
Availability / Probability of Success: $A_S = A_A \cdot A_B$<br />
Unavailability / Probability of Failure: $U_S = 1 - (1 - U_A)(1 - U_B)$<br />
Reliability Block Diagrams<br />
Parallel System<br />
[Diagram: POWER SUPPLY A in parallel with POWER SUPPLY B]<br />
The system operates if any component operates.<br />
Availability (probability of success): Ap = AA + AB - (AA * AB)<br />
Unavailability (probability of failure): Up = UA * UB<br />
Reliability Block Diagrams<br />
Series/Parallel<br />
[Diagram: two paths in parallel, each a series pair: POWER SUPPLY A with CONTROLLER A, and POWER SUPPLY B with CONTROLLER B]<br />
Example (for a one year interval):<br />
Aps = 0.6<br />
Ac = 0.8<br />
Asystem = (Aps * Ac) + (Aps * Ac) - (Aps * Ac)^2<br />
= (0.6 * 0.8) + (0.6 * 0.8) - (0.6 * 0.8)^2<br />
= 0.7296<br />
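The series, parallel and series/parallel combinations above, worked in code as an added example (not exida course material). The two-element parallel relations are the slide's own; the series relations (As = AA * AB, Us = 1 - As) are the standard complement and are assumed here rather than taken from the slides, and independent block failures are assumed throughout, as in any probability combination method.<br />

```python
"""Reliability block diagram (RBD) availability arithmetic.

Added example for the series, parallel and series/parallel RBD slides; it is
not exida course code. The parallel relations on the slide, Ap = AA + AB - AA*AB
and Up = UA*UB, are implemented for any number of blocks by multiplying the
unavailabilities. The series relations, As = AA*AB and Us = 1 - As, are the
standard complement and are an assumption of this example, not a slide formula.
"""
from functools import reduce


def series_availability(*availabilities: float) -> float:
    """Series blocks: a path across the drawing exists only if every block
    operates, so the availabilities multiply (independent failures assumed)."""
    return reduce(lambda acc, a: acc * a, availabilities, 1.0)


def parallel_availability(*availabilities: float) -> float:
    """Parallel blocks: the system fails only if every block fails, so the
    unavailabilities multiply (Up = UA * UB * ...) and Ap = 1 - Up.
    For two blocks this equals AA + AB - AA*AB, the slide's formula."""
    unavailability = reduce(lambda acc, a: acc * (1.0 - a), availabilities, 1.0)
    return 1.0 - unavailability


def two_path_system_availability(a_ps: float, a_c: float) -> float:
    """The slide's series/parallel example: two identical paths, each a power
    supply in series with a controller, and the two paths in parallel."""
    a_path = series_availability(a_ps, a_c)
    return parallel_availability(a_path, a_path)


def slide_formula(a_ps: float, a_c: float) -> float:
    """The expression exactly as written on the slide, for comparison:
    Asystem = (Aps*Ac) + (Aps*Ac) - (Aps*Ac)^2."""
    a_path = a_ps * a_c
    return a_path + a_path - a_path ** 2


if __name__ == "__main__":
    a_sys = two_path_system_availability(0.6, 0.8)   # slide values
    print(f"system availability = {a_sys:.4f}, unavailability = {1 - a_sys:.4f}")
```

Both `two_path_system_availability` and `slide_formula` give 0.7296 for the slide's inputs; the first form scales to any number of paths and blocks, which is why it is the one worth keeping in a tool.<br />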
Fault Trees<br />
[Diagram: series RBD of AC POWER (A) and MOTOR (B), beside the equivalent fault tree]<br />
The system operates only if all components operate, so the fault tree is an OR gate:<br />
AC POWER Fails OR MOTOR Fails -> SYSTEM Fails<br />
Fault Trees<br />
[Diagram: parallel RBD of POWER SUPPLY A and POWER SUPPLY B, beside the equivalent fault tree]<br />
The system operates if any component operates, so the fault tree is an AND gate:<br />
POWER SUPPLY A Fails (Pa) AND POWER SUPPLY B Fails (Pb) -> SYSTEM Fails<br />
Fault Trees<br />
[Diagram: series/parallel RBD of POWER SUPPLY A, CONTROLLER A, POWER SUPPLY B and CONTROLLER B, beside the equivalent fault tree]<br />
POWER SUPPLY A Fails OR CONTROLLER A Fails -> SUBSYSTEM X Fails<br />
POWER SUPPLY B Fails OR CONTROLLER B Fails -> SUBSYSTEM Y Fails<br />
SUBSYSTEM X Fails AND SUBSYSTEM Y Fails -> SYSTEM Fails<br />
Fault Trees<br />
[Diagram: the same tree, but POWER SUPPLY A Fails now appears under both OR gates]<br />
POWER SUPPLY A Fails OR CONTROLLER A Fails -> SUBSYSTEM X Fails (Ux)<br />
POWER SUPPLY A Fails OR CONTROLLER B Fails -> SUBSYSTEM Y Fails (Uy)<br />
SUBSYSTEM X Fails AND SUBSYSTEM Y Fails -> SYSTEM Fails<br />
In any probability combination method be careful to check for "identical events." In an AND gate with identical events as the input, if Ux and Uy share the same event (for example, failure of power supply A) then the probability of Us (the system unavailability) is not Ux * Uy.<br />
In an OR gate with two identical events as the input, the output = Ux, not Ux + Ux - Ux * Ux.<br />
Note: setting up a model this way appears to make no sense, but it does happen. Do not simply use GATE SOLUTION techniques without checking for this problem.<br />
Fault Tree Model - PFavg<br />
[Diagram: solenoid subsystem failure fault tree]<br />
Problem with some fault tree tools when calculating average probability:<br />
Therefore, taking the average after any AND logic is the proper sequence for PFavg calculations.<br />
Availability, Periodic Test and Inspection<br />
[Plot: unavailability versus time]<br />
Remember that:<br />
PFavg = (1/T) ∫[0,T] PF(t) dt<br />
Fault Trees - PFDavg<br />
To get a correct answer in any probability combination method of system modeling (RBD and fault trees) one must perform the logic before taking the average.<br />
[Diagram: Subsystem A (PFDa) AND Subsystem B (PFDb) -> SYSTEM]<br />
PFa = λ * TI<br />
PFb = λ * TI<br />
Therefore:<br />
PFsys = λ^2 * TI^2<br />
Continuing:<br />
PFavg,sys = (1/TI) ∫[0,TI] λ^2 t^2 dt<br />
PFavg,sys = (1/TI) * λ^2 * TI^3 / 3<br />
PFavg,sys = λ^2 * TI^2 / 3<br />
Fault Trees - PFDavg<br />
If one calculates PFDavg of each component before the logic:<br />
[Diagram: Subsystem A AND Subsystem B]<br />
PFDa = λd * TI<br />
PFDavga = λd * TI / 2<br />
PFDavgb = λd * TI / 2<br />
Therefore:<br />
PFDavg,sys = λd^2 * TI^2 / 4<br />
rather than the correct:<br />
PFDavg,sys = λd^2 * TI^2 / 3<br />
The results are optimistic and may result in insufficient safety!<br />
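The two orders of operation from the last two slides, carried out numerically as an added example (not exida code). It uses the slides' model of a dangerous undetected failure, PF(t) = λd * t over a proof-test interval TI, and also generalizes from the slides' 1oo2 case to N identical subsystems under one AND gate; that generalization, and the midpoint-rule integration, are this example's assumptions.<br />

```python
"""PFDavg of an AND (1ooN) fault tree: average after the logic, not before.

Added example for the two PFDavg slides; it is not exida code. It takes the
slides' model of a dangerous undetected failure, PF(t) = lambda_d * t over a
proof-test interval TI, and compares the two orders of operation for N identical
subsystems under one AND gate (the slides show N = 2; the generalization to N is
an assumption of this example).
"""


def pfd_avg_logic_then_average(lambda_d: float, ti: float, n: int = 2,
                               steps: int = 20000) -> float:
    """Correct order: form PF_sys(t) = PF_1(t) * ... * PF_N(t) at each instant,
    then average over the interval (composite midpoint rule)."""
    dt = ti / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * dt
        pf_sys = (lambda_d * t) ** n      # AND gate on the instantaneous PFDs
        total += pf_sys * dt
    return total / ti


def pfd_avg_logic_then_average_closed(lambda_d: float, ti: float, n: int = 2) -> float:
    """Closed form of the same integral: lambda_d^N * TI^N / (N + 1);
    the slide's lambda^2 * TI^2 / 3 is the N = 2 case."""
    return lambda_d ** n * ti ** n / (n + 1)


def pfd_avg_average_then_logic(lambda_d: float, ti: float, n: int = 2) -> float:
    """The optimistic order some tools use: average each subsystem first
    (lambda_d * TI / 2) and then AND the averages: (lambda_d * TI / 2)^N."""
    return (lambda_d * ti / 2) ** n


def optimism_ratio(n: int = 2) -> float:
    """How far the wrong order under-states PFDavg, independent of lambda and TI:
    (1 / 2^N) / (1 / (N + 1)) = (N + 1) / 2^N, i.e. 0.75 for the 1oo2 case."""
    return (n + 1) / 2 ** n


if __name__ == "__main__":
    lam, ti = 0.02, 1.0   # failures/year and a one-year interval (slide values)
    print("logic then average :", pfd_avg_logic_then_average_closed(lam, ti))
    print("average then logic :", pfd_avg_average_then_logic(lam, ti))
    print("optimism ratio     :", optimism_ratio())
```

The ratio does not depend on the failure rate or the interval, so the 25% optimism for 1oo2 is structural; for three channels under one AND gate the wrong order reports only half the true PFDavg.<br />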
Markov Models<br />
• Accounts for multiple failure modes on one drawing.<br />
• Models different repair rates for different kinds of failures.<br />
• Qualitatively shows the operation of a fault tolerant system.<br />
• CIRCLES represent combinations of failed and successful components.<br />
• ARCS show the effect of failures and repairs.<br />
Markov Models<br />
[Diagram: Markov model of a redundant system with multiple failure modes]<br />
λ = failure rate<br />
μ = system repair rate (replacement)<br />
Markov Models - PFDavg<br />
For PFDavg calculations, a Markov model must be solved for time-dependent PFD and averaged.<br />
[Diagram: Markov model with transitions λ1 to λ7 and μ1, μ2, μ3]<br />
λ1 to λ7 = failure rates<br />
μ1 = repair rate after a shutdown<br />
μ2 = on-line repair of equipment<br />
μ3 = periodic inspection / test<br />
μ3 equals zero between inspections and one after a 100% successful inspection.<br />
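A small Markov model solved the way the slide describes, as an added example (not exida's model or an exSILentia output): the state probabilities are stepped hour by hour, the failed-state probability gives PFD(t), and its time average gives PFDavg. The slides name the rate classes but not a state structure, so the four states below, the absence of repair after a shutdown (μ1), and the per-hour Euler step are assumptions of this example.<br />

```python
"""Markov model of a 1oo2 subsystem, solved for time-dependent PFD and averaged.

Added example for the Markov PFDavg slide; it is not exida's model. The slides
list the rate classes (lambda, mu1 repair after shutdown, mu2 on-line repair,
mu3 proof test) but not this state structure, so the following is assumed:
  state 0: both channels OK
  state 1: one channel failed dangerous detected (DD), repaired on line at mu_online (mu2)
  state 2: one channel failed dangerous undetected (DU), no repair until the proof test
  state 3: both channels failed dangerous; the subsystem cannot respond to a demand
mu3 follows the slide: zero between inspections, one at a 100% effective proof
test, modelled as moving all probability back to state 0 every ti_hours.
Repair after a shutdown (mu1) is not modelled, so state 3 is absorbing between
proof tests. Rates are per hour and the chain is stepped one hour at a time.
"""

HOURS_PER_YEAR = 8760.0
FAILED = 3          # index of the "both channels failed dangerous" state
N_STATES = 4


def transition_matrix(lam_dd, lam_du, mu_online, dt=1.0):
    """One-step matrix P = I + Q*dt for rates in 1/h (every rate*dt must be << 1)."""
    lam = lam_dd + lam_du
    q = [[0.0] * N_STATES for _ in range(N_STATES)]
    q[0][1] = 2.0 * lam_dd    # either of the two good channels fails DD
    q[0][2] = 2.0 * lam_du    # either of the two good channels fails DU
    q[1][0] = mu_online       # the DD failure is repaired on line (mu2)
    q[1][3] = lam             # the remaining channel fails, DD or DU
    q[2][3] = lam
    for i in range(N_STATES):
        q[i][i] = -sum(q[i])  # rows of Q sum to zero, so rows of P sum to one
    return [[(1.0 if i == j else 0.0) + q[i][j] * dt for j in range(N_STATES)]
            for i in range(N_STATES)]


def pfd_time_series(lam_dd, lam_du, mu_online, ti_hours, intervals=1):
    """P(failed state) after every hour across `intervals` proof-test intervals."""
    p_step = transition_matrix(lam_dd, lam_du, mu_online)
    series = []
    for _ in range(intervals):
        p = [1.0, 0.0, 0.0, 0.0]      # proof test (mu3 = 1): everything back to state 0
        for _ in range(int(ti_hours)):
            p = [sum(p[i] * p_step[i][j] for i in range(N_STATES)) for j in range(N_STATES)]
            series.append(p[FAILED])
    return series


def pfd_avg(lam_dd, lam_du, mu_online, ti_hours, intervals=1):
    """Time average of the PFD curve, the quantity compared against a SIL target."""
    series = pfd_time_series(lam_dd, lam_du, mu_online, ti_hours, intervals)
    return sum(series) / len(series)


def pfd_avg_closed_form_1oo2_du(lam_du, ti_hours):
    """The slides' fault-tree approximation for two DU channels: lambda^2 * TI^2 / 3."""
    return lam_du ** 2 * ti_hours ** 2 / 3.0


if __name__ == "__main__":
    lam = 0.02 / HOURS_PER_YEAR   # 0.02 dangerous failures/year per channel (slide value)
    print("all DU, no on-line repair  :", pfd_avg(0.0, lam, 0.0, HOURS_PER_YEAR))
    print("fault-tree closed form     :", pfd_avg_closed_form_1oo2_du(lam, HOURS_PER_YEAR))
    print("half DD, 8 h on-line repair:", pfd_avg(lam / 2, lam / 2, 1.0 / 8, HOURS_PER_YEAR))
```

With every failure undetected and no on-line repair the Markov result sits just below λ^2 TI^2 / 3, because the exact failed-state probability (1 - e^(-λt))^2 grows slightly slower than (λt)^2; splitting the same rate into detected failures repaired in 8 hours lowers PFDavg markedly, which is the effect of diagnostics that a fault tree with a single λ cannot show.<br />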
Failure Modes<br />
Electro-mechanical systems have multiple failure modes!<br />
Typically categorized as SAFE or DANGEROUS.<br />
Multiple Failure Modes<br />
[Diagram: NORMAL state with transitions to SAFE and to DANGEROUS]<br />
- Failed open circuit<br />
- Failed short circuit<br />
Transmitters<br />
The functional failure modes of each product must be translated to the modes of the SIF. This often depends on the application.<br />
Failure modes:<br />
- Output saturated hi<br />
- Output saturated lo<br />
- Frozen output<br />
- Indication error hi<br />
- Indication error lo<br />
- Diagnostic failure<br />
Define the modes (S/D) for the application.<br />
Normally Energized Systems - FAIL SAFE<br />
System causes a false trip!<br />
[Diagram: discrete input, PLC, output circuit]<br />
Input circuit fails: the PLC thinks the sense switch is open even when it is closed.<br />
Logic solver fails to read logic 1 inputs, fails to solve the logic, or fails to generate a logic 1 output.<br />
Output circuit fails open circuit.<br />
Normally Energized Systems - FAIL DANGER<br />
If there is a demand, the system cannot respond.<br />
[Diagram: discrete input, PLC, output circuit]<br />
Input circuit fails: the PLC thinks the sense switch is closed even when it is open.<br />
Logic solver fails to read logic 0 inputs that indicate danger, fails to solve the logic, or fails to generate a logic 0 output.<br />
Output circuit fails short circuit.<br />
Final Element Failure Modes<br />
De-energize to trip application: instrument failure mode -> SIF failure mode<br />
Solenoid plunger stuck: Fail-Danger<br />
Solenoid coil burnout: Fail-Safe<br />
Actuator shaft failure: Fail-Danger*<br />
Actuator seal failure: Fail-Safe<br />
Actuator spring failure: Fail-Danger<br />
Actuator structure failure - air: Fail-Safe<br />
Actuator structure failure - binding: Fail-Danger*<br />
Valve shaft failure: Fail-Danger*<br />
Valve external seal failure: No Effect<br />
Valve internal seal damage: Fail-Danger<br />
Valve ball stuck in position: Fail-Danger<br />
* unpredictable - assume worst case<br />
Reliability / <strong>Safety</strong> Terms<br />
So far we have defined:<br />
• RELIABILITY: the probability of success during an interval of time<br />
R(t) = P(T > t), where T = failure time, for an interval 0 to t.<br />
• UNRELIABILITY: the probability of failure during an interval of time<br />
F(t) = P(T ≤ t)<br />
Reliability / <strong>Safety</strong> Terms<br />
• PFS: Probability of SAFE failure in a system<br />
• PFD: Probability of Failure on Demand (probability of dangerous failure)<br />
• PFDavg: Average Probability of Failure on Demand<br />
• RRF: Risk Reduction Factor<br />
- RRF = 1 / PFDavg<br />
• MTTFS: Mean Time To Failure Spurious (SAFE failure)<br />
• STR: Spurious Trip Rate = 1 / MTTFS<br />
• MTTFD: Mean Time To Dangerous Failure<br />
PFS / PFD / PFDavg, Periodic Test and Inspection<br />
If we apply the concept of the PFavg approximation to a single failure mode, then:<br />
PFavg = (1/T) ∫[0,T] PF(t) dt<br />
Approx. PFS = λS * TI<br />
Approx. PFD = λD * TI<br />
Approx. PFDavg = λD * TI / 2<br />
Availability - Failure Modes<br />
[Diagram: AVAILABILITY (successful operation) beside PFS (nuisance trip) and PFD (unsuccessful operation)]<br />
PFS: Probability of Safe Failure<br />
PFD: Probability of Failure on Demand (dangerous failure)<br />
Definition: Common Cause<br />
[Diagram: redundant controllers]<br />
Expected system trip rate: 0.0001 / year<br />
Actual system trip rate: 0.0006 / year!<br />
In many actual installations, reliability performance did not meet calculated predictions. Why?<br />
A common stress failed both units in a redundant system!<br />
Stress: combinations of temperature, humidity, corrosion, shock, vibration, electrical surge, RFI and more.<br />
Common Cause<br />
[Plot: Stress - Strength View of Common Cause; probability density (axis 0 to 0.9) of Strength 1 and Strength 2 distributions against the applied Stress]<br />
Common Cause - Beta Model<br />
β = Beta, the fraction of the failure rate where two or more failures will occur due to the same common stress.<br />
Note: this particular graphical representation of beta was derived for a redundant system with two components. The beta model may be used on systems with more than two components, but care must be taken when choosing the beta number as it will vary depending on the number of components exposed to the common stress.<br />
Common Cause - Beta Model<br />
λ = λindependent + λcommon cause<br />
β = λcommon cause / λ<br />
Beta represents the fraction of the failure rate where two or more failures will occur due to a common stress.<br />
Common Cause - Beta Model. Example<br />
λ = λindependent + λcommon cause<br />
λ = 0.02 failures / year<br />
β = 0.05<br />
λcc = 0.05 * 0.02 = 0.001 failures / year<br />
λi = (1 - 0.05) * 0.02 = 0.019 failures / year<br />
Getting the Beta Number<br />
NASA Space Shuttle Study: β = 0.11<br />
IEC 61508, Part 6, Annex D.6:<br />
β = 0.005 - 0.05 for programmable electronic equipment<br />
β = 0.01 - 0.10 for field equipment<br />
Reducing Common Cause<br />
1. Physical separation: redundant units are less likely to see a common stress.<br />
2. Diverse technology: redundant units respond differently to a common stress.<br />
exSILentia Beta Estimator<br />
Common Cause Modeling<br />
Example: model a redundant power supply<br />
[Diagram: RBD of POWER SUPPLY A in parallel with POWER SUPPLY B, and the fault tree: Power Supply A Fails AND Power Supply B Fails -> Power Supply System Failure]<br />
Including Common Cause in a Fault Tree Model<br />
Fault tree without common cause: Power Supply A Fails AND Power Supply B Fails -> Power Supply System Failure<br />
Fault tree with common cause: (Power Supply A Fails AND Power Supply B Fails) OR Common Cause Failure -> Power Supply System Failure<br />
Difference due to Common Cause<br />
λd = 0.02 failures / year<br />
TI = 1 year<br />
β = 0.05<br />
Fault tree without common cause:<br />
PFDavg = λd^2 * TI^2 / 3 = 0.000133<br />
Fault tree with common cause (independent branch (λdi)^2 * TI^2 / 3 under the AND gate, OR-ed with the common cause failure):<br />
PFDavg = 0.000620<br />
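The beta-model arithmetic of the last few slides, reproduced as an added example (not exida or exSILentia code) with the slide's values λd = 0.02 failures/year, TI = 1 year and β = 0.05. It uses the slides' approximations, PFDavg = λ * TI / 2 for one dangerous undetected failure and λ^2 * TI^2 / 3 for two independent channels under an AND gate; combining the AND branch and the common cause branch as independent events in the OR gate is this example's assumption.<br />

```python
"""Beta-factor common cause in the 1oo2 power-supply fault tree.

Added example reproducing the "Difference due to Common Cause" slide
(lambda_d = 0.02 failures/year, TI = 1 year, beta = 0.05); not exida code.
As on the slides, PFDavg of a single dangerous undetected failure is
lambda*TI/2 and of two independent channels under an AND gate is
lambda^2 * TI^2 / 3. The common cause branch is OR-ed with the AND of the
independent branches, as in the "with common cause" fault tree; treating
those two branches as independent events in the OR gate is an assumption.
"""
from __future__ import annotations


def split_beta(lam: float, beta: float) -> tuple[float, float]:
    """lambda = lambda_independent + lambda_common_cause, with lambda_cc = beta * lambda."""
    lam_cc = beta * lam
    return lam - lam_cc, lam_cc


def pfdavg_single(lam: float, ti: float) -> float:
    """Slide approximation for one undetected failure mode: lambda * TI / 2."""
    return lam * ti / 2


def pfdavg_1oo2_independent(lam_ind: float, ti: float) -> float:
    """Two independent channels under an AND gate, averaged after the logic."""
    return lam_ind ** 2 * ti ** 2 / 3


def pfdavg_1oo2_with_common_cause(lam: float, beta: float, ti: float) -> float:
    """(A fails AND B fails) OR common cause failure, with the beta split applied."""
    lam_ind, lam_cc = split_beta(lam, beta)
    p_and = pfdavg_1oo2_independent(lam_ind, ti)
    p_cc = pfdavg_single(lam_cc, ti)
    return p_and + p_cc - p_and * p_cc      # OR gate of two independent events


def risk_reduction_factor(pfdavg: float) -> float:
    """RRF = 1 / PFDavg."""
    return 1.0 / pfdavg


def beta_sweep(lam: float, ti: float, betas=(0.0, 0.01, 0.05, 0.10)) -> dict[float, float]:
    """PFDavg of the redundant pair for several beta values, to see how quickly
    the common cause branch comes to dominate the independent branch."""
    return {b: pfdavg_1oo2_with_common_cause(lam, b, ti) for b in betas}


if __name__ == "__main__":
    for beta, pfd in beta_sweep(0.02, 1.0).items():
        print(f"beta = {beta:.2f}: PFDavg = {pfd:.6f}, RRF = {risk_reduction_factor(pfd):.0f}")
```

Even a beta of 0.01 on this pair already contributes more PFDavg than the whole independent 1oo2 branch, which is why the beta value matters more to the result than the redundancy itself once common stresses are present.<br />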
Common Cause - Beta Model<br />
Example: model a redundant power supply with COMMON CAUSE<br />
[Diagram: Markov model]<br />
Application Exercise Set 3<br />
Multiple Failure Modes, Common Cause: complete the problems.<br />
Section 3: System Reliability <strong>Engineering</strong> Summary<br />
• Reliability Block Diagrams<br />
• Fault Trees<br />
• Markov Models<br />
• Equipment Failure Modes<br />
• Common Cause<br />
Section 4: FMEA / FMEDA<br />
• FMEA<br />
• FMEA Format<br />
• Diagnostics<br />
• FMEDA<br />
• Coverage Factor<br />
• Safe Failure Fraction<br />
Failure Modes and Effects Analysis (FMEA)<br />
• Systematic procedure designed to find design issues<br />
• "Bottom-up" technique (as opposed to FTA, which is "top-down")<br />
• Entire system analyzed one component/sub-system at a time<br />
• FMEA standards:<br />
- MIL STD 1629A, 1984<br />
- IEC 60812, 2006, 2nd edition<br />
- New SAE standard in development to replace 1629A<br />
Failure Modes and Effects Analysis (FMEA)<br />
Procedure:<br />
1. List all components and each failure mode.<br />
2. For each component / failure mode, list the effect of that failure on the higher level sub-system/system.<br />
3. List the criticality / severity of the effect.<br />
Failure Modes and Effects Analysis (FMEA)<br />
EXAMPLE - Cooling System<br />
[Diagram: cooling water supply through VALVE1 (FO), powered by POWER SUPPLY PS1, into the REACTOR COOLING JACKET and out to the COOLING WATER DRAIN]<br />
From the ISA book: Control Systems <strong>Safety</strong> Evaluation and Reliability, W. M. Goble, 1998.<br />
Failure Modes and Effects Analysis (FMEA)<br />
Sample FMEA - Tabular Format<br />
[Table: sample FMEA in tabular format]<br />
Failure Modes and Effects Analysis (FMEA)<br />
Pointers:<br />
1. Be careful to list all parts.<br />
2. Be careful to list all known failure modes; refer to failure mode references.<br />
3. Identify each part uniquely.<br />
4. Do not worry about "causes" unless the failure mode turns out to be critical; then list the cause so that it can perhaps be eliminated or reduced in magnitude.<br />
5. FMEAs should be done in groups or reviewed by groups.<br />
Failure Modes, Effects and Diagnostic Analysis (FMEDA)<br />
• Extension of the FMEA technique<br />
• Adds a diagnostic capability column and modes<br />
• When a component / failure mode is detectable, indicate the detection mechanism (and error code)<br />
• Method invented and first published by exida people in 1992*<br />
• Fault injection results documented in the chart<br />
Failure Modes, Effects and Diagnostic Analysis (FMEDA)<br />
[Diagram: COMPONENT DATABASE (component failure rates, failure modes and failure mode distribution) -> FMEDA of Product A -> product failure modes and diagnostic coverage]<br />
Using a component database, failure rates and failure modes for a product (transmitter, I/O module, solenoid, actuator, valve) can be determined far more accurately than with only field warranty failure data.<br />
Failure Modes, Effects and Diagnostic Analysis (FMEDA)<br />
Multiple Failure Modes<br />
• An FMEDA will identify and quantify failure rates into the applicable categories of failure modes:<br />
SAFE: failures that cause the SIF to falsely trip in a single channel configuration<br />
DANGEROUS: failures that prevent the SIF from performing its safety function in a single channel configuration<br />
ANNUNCIATION: failures that prevent a diagnostic function from performing (per IEC 61508 these are classified as "safe")<br />
Others??<br />
Multiple Failure Modes<br />
%Safe = λS / (λS + λD)<br />
λS = %Safe * λ<br />
λD = (1 - %Safe) * λ<br />
Diagnostics<br />
Automatic diagnostics allow:<br />
• Quick repair of failed units, reducing the time spent operating in a degraded condition<br />
• Conversion of dangerous failures to safe failures with series-wired diagnostic cutoff switches<br />
Diagnostic capability is measured by "C = Coverage Factor," the percentage of failures that will be detected.<br />
CS = coverage factor for safe failures<br />
CD = coverage factor for dangerous failures<br />
Diagnostics<br />
• An FMEDA will analyze the capability of any automatic diagnostic or manual proof test<br />
• Diagnostic coverage of automatic diagnostics can be accurately estimated, for example:<br />
- CS = 82.4%<br />
- CD = 93.2%<br />
• Proof test effectiveness can be accurately estimated<br />
Four Categories of Failure Rates<br />
λSD = CS * λS<br />
λSU = (1 - CS) * λS<br />
λDD = CD * λD<br />
λDU = (1 - CD) * λD<br />
Failure Modes, Effects and Diagnostic Analysis (FMEDA)<br />
Conventional PLC Diagnostics<br />
[Diagram: conventional PLC input circuit schematic]<br />
Failure Modes, Effects and Diagnostic Analysis (FMEDA)<br />
FMEDA for Conventional PES Input Circuit<br />
[Table: columns Component, Mode, Effect, Criticality, failure rates in failures/billion hours split into Safe, Dangerous and Detected, and Diagnostic Coverage; one row per input circuit component and failure mode]<br />
Failure Modes, Effects and Diagnostic Analysis (FMEDA)<br />
Diagnostic Coverage<br />
• Conventional input circuit<br />
- CS = 0.0257<br />
- CD = 0.0000<br />
• <strong>Safety</strong> rated input circuit<br />
- CS = 0.9789<br />
- CD = 1<br />
(No known dangerous undetected)<br />
Failure Modes, Effects and Diagnostic Analysis (FMEDA)<br />
PROVIDES:<br />
• IEC 61508 Safe Failure Fraction<br />
• Coverage factors: CD, CS<br />
• Failure rates: λS, λD, λSD, λSU, λDD, λDU<br />
Needed for SIL verification<br />
IEC 61508 / IEC 61511 Safe Failure Fraction<br />
DEMAND MODE<br />
SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)<br />
SFF is defined as the ratio of the average rate of safe failures plus dangerous detected failures of the subsystem to the total average failure rate of the subsystem.<br />
IEC 61508 / IEC 61511 Safe Failure Fraction<br />
DEMAND MODE<br />
SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)<br />
SFF is a fraction not dependent on the failure rate:<br />
%Safe = λS / (λS + λD)<br />
λD = (1 - %Safe) * λ<br />
λDD = CD * λD<br />
SFF = 1 - λDU / λ<br />
SFF = %Safe + (1 - %Safe) * CD<br />
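The %Safe, four-category and SFF relations of the last few slides, checked against each other in code as an added example (not exida code). The coverage values are the slide's own illustrative CS = 82.4% and CD = 93.2%; the failure rates (200 FIT safe, 100 FIT dangerous) are constructed for the example and come from no FMEDA.<br />

```python
"""Failure-rate categories, %Safe, coverage factors and Safe Failure Fraction.

Added example for the %Safe, four-category and SFF slides; it is not exida code
and the sample rates are constructed, not taken from any FMEDA. The coverage
values are the slides' own examples (CS = 82.4%, CD = 93.2%). It checks that the
three SFF expressions on the slides agree,
  SFF = (lambda_SD + lambda_SU + lambda_DD) / (lambda_SD + lambda_SU + lambda_DD + lambda_DU)
  SFF = 1 - lambda_DU / lambda
  SFF = %Safe + (1 - %Safe) * CD,
and that SFF depends only on the split of the rate, not on its magnitude.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """The four IEC 61508 categories, in any one consistent unit (FIT below)."""
    sd: float   # safe detected
    su: float   # safe undetected
    dd: float   # dangerous detected
    du: float   # dangerous undetected

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du


def split_by_coverage(lam_s: float, lam_d: float, c_s: float, c_d: float) -> FailureRates:
    """lambda_SD = CS*lambda_S, lambda_SU = (1-CS)*lambda_S,
    lambda_DD = CD*lambda_D, lambda_DU = (1-CD)*lambda_D."""
    return FailureRates(c_s * lam_s, (1 - c_s) * lam_s, c_d * lam_d, (1 - c_d) * lam_d)


def percent_safe(lam_s: float, lam_d: float) -> float:
    """%Safe = lambda_S / (lambda_S + lambda_D), as a fraction."""
    return lam_s / (lam_s + lam_d)


def sff_from_categories(r: FailureRates) -> float:
    """The IEC 61508 definition: safe plus dangerous detected over total."""
    return (r.sd + r.su + r.dd) / r.total


def sff_from_du(r: FailureRates) -> float:
    """Equivalent form: only dangerous undetected failures count against SFF."""
    return 1.0 - r.du / r.total


def sff_from_percent_safe(pct_safe: float, c_d: float) -> float:
    """Equivalent form in terms of the safe fraction and dangerous coverage."""
    return pct_safe + (1.0 - pct_safe) * c_d


def pfdavg_single_channel_fit(r: FailureRates, ti_hours: float) -> float:
    """Slide approximation PFDavg = lambda_DU * TI / 2, with lambda_DU in FIT
    (1 FIT = 1e-9 failures per hour) and TI in hours."""
    return r.du * 1e-9 * ti_hours / 2.0


if __name__ == "__main__":
    rates = split_by_coverage(200.0, 100.0, 0.824, 0.932)   # constructed sample, FIT
    print("categories:", rates)
    print("SFF (definition)  :", sff_from_categories(rates))
    print("SFF (1 - DU/total):", sff_from_du(rates))
    print("SFF (%Safe, CD)   :", sff_from_percent_safe(percent_safe(200.0, 100.0), 0.932))
    print("PFDavg, 1 year    :", pfdavg_single_channel_fit(rates, 8760.0))
```

Scaling both rates by ten leaves SFF unchanged, and with the conventional input circuit's CD = 0 the SFF collapses to %Safe, which is exactly what the "SFF is a fraction not dependent on failure rate" slide is saying.<br />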
Safe Failure Fraction - Product Types<br />
TYPE A: "A subsystem can be regarded as type A if, for the components required to achieve the safety function<br />
a) the failure modes of all constituent components are well defined; and<br />
b) the behavior of the subsystem under fault conditions can be completely determined; and<br />
c) there is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met."<br />
TYPE B: everything else!<br />
IEC 61508, Part 2, Section 7.4.3.1.2<br />
IEC 61508 Safe Failure Fraction<br />
DEMAND MODE, TYPE A subsystem<br />
[Table: Safe Failure Fraction versus Hardware Fault Tolerance]<br />
exida Failure Rates<br />
✓ Calculate the IEC 62380 (Reliability data handbook for electronic components) failure rate for each component type and subtype and temperature profile<br />
✓ Gather data from independent sources of failure rate data<br />
✓ Make a conservative best engineering judgment with a strong preference for the IEC predicted values<br />
✓ Override IEC 62380 base failure rate numbers if outside the range of the other reference sources (particularly when on the low side)<br />
✓ Combine/group component sub-types based on "significant differences"<br />
✓ Make adjustments for identified weaknesses in IEC 62380 that lead to underestimating failure rates<br />
Useful Life<br />
✓ Failure rates are only valid within the useful life. Infant mortality and wear-out are not part of the useful life period.<br />
[Plot: failure rate versus time]<br />
✓ IEC 61508-2 7.4.7.4 (note 3) requires publishing the useful life of the components.<br />
Component Reliability Handbook<br />
✓ The only component reliability reference created specifically for IEC 61508 analysis<br />
✓ Provides reliability data for hundreds of electrical and mechanical components<br />
✓ Failure rates<br />
✓ Failure modes and mode distribution<br />
✓ Useful life limitations<br />
Database Feedback / Update<br />
[Flow: Field Failure Data for Product A -> Compare with the FMEDA of Product A (built from the ELEC./MECH. COMPONENT DATABASE, which also draws on the Industry Database) -> Significant difference? YES: update the Component Database; NO: finish]<br />
Application Exercise Set 4<br />
Safe Failure Fraction / Failure Rates / Coverage Factors: complete the problems.<br />
15 minutes<br />
Section 4: FMEA / FMEDA Summary<br />
• FMEA<br />
• FMEA Format<br />
• Diagnostics<br />
• FMEDA<br />
• Coverage Factor<br />
• Safe Failure Fraction<br />
See the additional exida.com course: FMEA/FMEDA Analysis, www.exida.com<br />
Section 5: <strong>Functional</strong> <strong>Safety</strong> Management<br />
• Management of <strong>Functional</strong> <strong>Safety</strong><br />
• Quality System<br />
• Planning, people and paperwork<br />
• Benefits<br />
What is <strong>Functional</strong> <strong>Safety</strong> Management?<br />
IEC 61508 defines functional safety as:<br />
"part of the overall safety relating to the equipment under control (EUC) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities."<br />
In more approachable terms:<br />
<strong>Functional</strong> safety management governs equipment and process safety activities involving safety systems.<br />
THE PURPOSE IS TO REDUCE THE POSSIBILITY OF A SYSTEMATIC FAULT!<br />
<strong>Functional</strong> <strong>Safety</strong> and the <strong>Safety</strong> Lifecycle<br />
• Define the steps required<br />
• Define the documentation required<br />
• Audit the process to make sure it is being followed ("Stage 3") before the process hazards are introduced<br />
<strong>Functional</strong> <strong>Safety</strong> Management Objectives<br />
• Specify management and technical activities during the <strong>Safety</strong> Lifecycle to achieve and maintain <strong>Functional</strong> <strong>Safety</strong><br />
• Specify responsibilities of persons and organizations<br />
• Extend an existing and monitored quality system<br />
- Plan, execute, measure and improve<br />
61508 and 61511 Versions of FSM<br />
• Since FSM focuses on procedures, the standards provide a good reference<br />
• 61508 covers everything, including safety system hardware and software development<br />
- Part 1 Clause 6 lays out the details of FSM<br />
- Broad coverage can make application challenging<br />
• 61511 focuses on the process owners and safety system users<br />
- Part 1 Clause 5 lays out the details of FSM<br />
- Narrower coverage makes application more manageable<br />
Key Issues<br />
<strong>Functional</strong> <strong>Safety</strong> Management<br />
• <strong>Safety</strong> Planning: create an FSM Plan<br />
• Roles and Responsibilities<br />
• Personnel Competency<br />
• Documentation, Documentation Control<br />
• <strong>Functional</strong> <strong>Safety</strong> Verification and Assessment<br />
• Documented Processes<br />
An FSM Plan describes the <strong>Safety</strong> Lifecycle<br />
[Flow: Analyze (Hazard Analysis / Risk Assessment: Define Design Targets; Document) -> Design (Execute HW and SW Design; Document) -> Verify (Evaluate Design: Reliability Analysis of <strong>Safety</strong> Integrity and Availability; Document; Modify the design if needed) -> Operate and Maintain (Document)]<br />
Components of an FSM Plan<br />
Steps and sequence of work activities:<br />
- Roles and responsibilities<br />
- Personnel competency<br />
- Documentation structure<br />
- Verification tasks for each step<br />
- <strong>Safety</strong> Requirements Specification development plan<br />
- Design guidelines and methods<br />
- Verification and Validation plans<br />
- Operation and maintenance guidelines<br />
- Management of Change procedures<br />
- <strong>Functional</strong> safety assessment plan<br />
Roles and Responsibilities<br />
• Must be clearly delineated and communicated<br />
• Each phase of the SLC and its associated activities<br />
• One of the specifically noted primary objectives of functional safety management<br />
Personnel Competency<br />
• Ensure that staff "involved in any of the overall or software SLC activities are competent"<br />
• Addressed specifically in Annex A, IEC 61508<br />
• Training, experience, and qualifications should all be assessed and documented<br />
- System engineering knowledge<br />
- Safety engineering knowledge<br />
- Legal and regulatory requirements knowledge<br />
- More critical for novel systems or high SIL requirements<br />
• Operated by the CFSE Governing Board<br />
- To improve the skills and formally establish the competency of those engaged in the practice of safety system application in the process and manufacturing industries.<br />
• Certification audited by exida Certification S.A.<br />
CFSE Governance Board<br />
4 Types of Exams<br />
- Application - Process Industries<br />
- Application - Machine Industries<br />
- Developer - Software<br />
- Developer - Hardware<br />
[Book cover: Certified Functional Safety Expert - Application Engineering - Process, Study Guide, 2nd Edition]<br />
Resources Available:<br />
• On-line Training<br />
• Reference Books<br />
Documentation Objectives<br />
What needs to be documented?<br />
Any information needed to effectively perform:<br />
• Each phase of the safety lifecycle<br />
• Management of functional safety<br />
• Verification and Validation<br />
• Functional Safety Assessment<br />
IEC 61511 Functional Safety Assessment<br />
• Does the safety system meet spec and actually achieve functional safety (freedom from unacceptable risk)?<br />
• Independent team; one competent senior person not involved in the design as a minimum<br />
• Should be performed after the stages below and MUST be performed at Stage 3<br />
- Stage 1 - After hazard and risk assessment and safety requirements specification<br />
- Stage 2 - After SIS design<br />
- Stage 3 - After commissioning and validation (before the hazard is present)<br />
- Stage 4 - After experience in operation and maintenance<br />
- Stage 5 - After modification<br />
Application Exercise Set 5<br />
Functional Safety Management - Complete the Problems<br />
15 minutes<br />
Section 5: Functional Safety Management Summary<br />
• Management of Functional Safety<br />
• Quality System<br />
• Planning, people and paperwork<br />
• Benefits<br />
Section 6: Redundant Architectures<br />
• Basic Architectures<br />
• Comparison<br />
• Advanced Architectures<br />
• Diagnostics<br />
Basic Architectures<br />
How much? What kind of redundancy?<br />
[Figure: Select Architecture, then Determine Test Philosophy]<br />
1oo1<br />
1oo2<br />
2oo3<br />
1oo1D<br />
1oo2D<br />
Simplified Equations<br />
Voting | Average probability of failure on demand (PFDavg) | Spurious trip rate (STR)<br />
1oo1 | λd · T / 2 | λs<br />
1oo2 | (λd)² · T² / 3 | 2 · λs<br />
2oo2 | λd · T | (λs)² · T<br />
2oo3 | (λd)² · T² | 3 · (λs)² · T<br />
Note: These "simplified equations" are too simple and ignore critical variables that may impact results optimistically by multiple SIL levels. Do not use these equations for any real analysis. They are presented only to amplify the differences between architectures.<br />
Safety System Design: Select Architecture Redundancy<br />
λs = 0.01 failures / year<br />
λd = 0.02 failures / year<br />
TI = 1 year<br />
[Figure: Select Architecture, then Determine Test Philosophy; 1oo1 Controller]<br />
Architecture | STR | PFDavg (Dangerous)<br />
1oo1 | λs = 0.01 /year | λd · T / 2 = 0.01<br />
Using the simple approximation equations. No diagnostics.<br />
1oo2 Architecture - Redundancy for Safety<br />
[Figure: 1oo2 Controller; Determine Test Philosophy]<br />
Architecture | STR | PFDavg (Dangerous)<br />
1oo1 | 0.01 /year | 0.01<br />
1oo2 | 2 · λs = 0.02 /year | (λd)² · T² / 3 = 0.00013<br />
Using Simple Approximation Formulas. No Common Cause, No Diagnostics.<br />
2oo2 Architecture - Redundancy to reduce false trips<br />
[Figure: Select Architecture, then Determine Test Philosophy; 2oo2 Controller]<br />
Architecture | STR | PFDavg (Dangerous)<br />
1oo1 | 0.01 /year | 0.01<br />
1oo2 | 0.02 /year | 0.00013<br />
2oo2 | (λs)² · T = 0.0001 /year | λd · T = 0.02<br />
Using Simple Approximation Formulas. No Common Cause, No Diagnostics.<br />
2oo3 - Redundancy to reduce both failure modes<br />
[Figure: 2oo3 with three Input Circuits and a voting circuit]<br />
Architecture | STR | PFDavg (Dangerous)<br />
1oo1 | 0.01 /year | 0.01<br />
1oo2 | 0.02 /year | 0.00013<br />
2oo2 | 0.0001 /year | 0.02<br />
2oo3 | 0.0003 /year | 0.0004<br />
Using Simple Approximation Formulas - No Common Cause, No Diagnostics<br />
Diagnostics<br />
• Enables On-line Repair<br />
• Enables Automatic Shutdown<br />
Credit for diagnostics can only be taken if the system has good annunciation / repair or automatic shutdown.<br />
This can have a strong positive impact on PFDavg, STR and controller availability - in all architectures, but especially in redundant architectures.<br />
Diagnostic capability is measured by "C = Coverage Factor", the percentage of failures that will be detected.<br />
Cs = Coverage Factor for Safe Failures<br />
Cd = Coverage Factor for Dangerous Failures<br />
1oo1 Architecture - Diagnostics<br />
λs = 0.05 failures / year<br />
λd = 0.02 failures / year<br />
T = 1 year<br />
Cs, Cd = 0 to 0.6<br />
[Figure: 1oo1 Controller]<br />
This architecture will not automatically shut down on a detected failure. Therefore repair time is a variable in the PFDavg equation.<br />
PFDavg = (λdd · RT) + (λdu · T / 2)<br />
Architecture | STR | PFDavg (Dangerous)<br />
1oo1 | 0.05 /year | 0.01 no diagnostics<br />
1oo1 | 0.05 /year | 0.004 with Cd = 0.6<br />
Using fault trees: average repair time equals 48 hours, inspection period equals 1 year, diagnostic coverage factors = 0.6, no common cause.<br />
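The four simplified formulas from the Simplified Equations table and the 1oo1 with-diagnostics formula (PFDavg = λdd · RT + λdu · T / 2), worked in Python as an added example that is not part of the course notebook. The inputs λs = 0.01, λd = 0.02 per year, T = 1 year, Cd = 0.6 and RT = 48 hours are the slides' values; the function and class names are mine.

```python
"""Simplified PFDavg / STR comparison of voting architectures, plus the 1oo1
with-diagnostics variant. Added example reproducing the slide figures; not
exida course material. Rates are per year, intervals in years."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class ArchResult:
    voting: str
    pfd_avg: float   # average probability of failure on demand (dimensionless)
    str_rate: float  # spurious trip rate, trips per year


def simplified(voting: str, lam_s: float, lam_d: float, t_years: float) -> ArchResult:
    """Slide-table approximations: no diagnostics, no common cause, no repair.

    The slide's own warning applies: these ignore variables that can shift
    results by several SIL levels, so they are for comparing architectures only.
    """
    if voting == "1oo1":
        pfd, strr = lam_d * t_years / 2, lam_s
    elif voting == "1oo2":
        pfd, strr = (lam_d * t_years) ** 2 / 3, 2 * lam_s
    elif voting == "2oo2":
        pfd, strr = lam_d * t_years, lam_s ** 2 * t_years
    elif voting == "2oo3":
        pfd, strr = (lam_d * t_years) ** 2, 3 * lam_s ** 2 * t_years
    else:
        raise ValueError(f"no simplified equation for {voting}")
    return ArchResult(voting, pfd, strr)


def pfd_1oo1_with_diagnostics(lam_d: float, cov_d: float, t_years: float,
                              repair_hours: float) -> float:
    """1oo1 with diagnostics but no automatic shutdown (slide formula):
    PFDavg = lam_dd * RT + lam_du * T/2. Detected dangerous failures are
    exposed only for the repair time; undetected ones until the proof test."""
    if not 0.0 <= cov_d <= 1.0:
        raise ValueError("coverage factor must be in [0, 1]")
    lam_dd = cov_d * lam_d          # dangerous detected
    lam_du = (1 - cov_d) * lam_d    # dangerous undetected
    return lam_dd * repair_hours / HOURS_PER_YEAR + lam_du * t_years / 2


def compare_table(lam_s: float, lam_d: float, t_years: float) -> dict:
    """PFDavg and STR for the four architectures of the slide table."""
    return {v: simplified(v, lam_s, lam_d, t_years)
            for v in ("1oo1", "1oo2", "2oo2", "2oo3")}


if __name__ == "__main__":
    table = compare_table(lam_s=0.01, lam_d=0.02, t_years=1.0)
    print(f"{'voting':6} {'STR /yr':>10} {'PFDavg':>10}")
    for r in table.values():
        print(f"{r.voting:6} {r.str_rate:10.4g} {r.pfd_avg:10.4g}")
    # Slide: lam_d = 0.02/yr, Cd = 0.6, RT = 48 h, T = 1 yr -> about 0.00406
    print("1oo1 with Cd = 0.6:", round(pfd_1oo1_with_diagnostics(0.02, 0.6, 1.0, 48), 5))
```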
New Generation Architectures<br />
Automatic diagnostics, made effective via microprocessor power starting in the late 1980's, led to new architectures based on reconfiguration of the system after a diagnostic has detected a failure.<br />
These newer designs have proven effective in providing low PFDavg and low STR.<br />
New Generation Architectures - 1oo1D<br />
[Figure: 1oo1D - Input Circuit with Diagnostic Circuit(s)]<br />
Architecture | STR | PFDavg (Dangerous) | Coverage<br />
1oo1 | 0.05 /year | 0.00406 | Cd = 0.6<br />
1oo1D | 0.062 /year | 0.004 | Cd = 0.6<br />
1oo1 | 0.05 /year | 0.0006 | Cd = 0.95<br />
1oo1D | 0.069 /year | 0.0005 | Cd = 0.95<br />
Using fault trees: average repair time equals 48 hours, inspection period equals 1 year, no common cause.<br />
New Generation Architectures - 2oo2D<br />
[Figure: 2oo2D]<br />
Architecture | STR | PFDavg (Dangerous)<br />
1oo1 | 0.05 /year | 0.0006<br />
2oo3 | 0.00043 /year | 0.00000094<br />
1oo1D | 0.069 /year | 0.0005<br />
2oo2D | 0.00021 /year | 0.001<br />
Diagnostic coverage = 95%<br />
Using fault trees: average repair time equals 48 hours, inspection period equals 1 year, diagnostic coverage factors = 0.95, no common cause.<br />
New Generation Architectures - 1oo2D<br />
[Figure: 1oo2D with Diagnostic Circuit(s)]<br />
Architecture | STR | PFDavg (Dangerous)<br />
1oo1 | 0.05 /year | 0.0006<br />
2oo3 | 0.00043 /year | 0.00000094<br />
1oo1D | 0.069 /year | 0.0005<br />
2oo2D | 0.00021 /year | 0.001<br />
1oo2D | 0.00021 /year | 0.0000004<br />
The 1oo2D depends highly on good diagnostics.<br />
Hybrid Diagnostic Based Architectures<br />
Closest Notation: 2oo(1oo2D)<br />
1oo2D provides high safety in a single module, but redundant modules provide higher availability.<br />
If diagnostics are better, reaching 98%+, this architecture achieves superior safety and availability.<br />
Example: DeltaV SLS1508 Redundant<br />
Others: Yokogawa RS, Siemens S7, etc.<br />
1oo2 Architecture for field equipment<br />
[Figure: SENSOR (two transmitters) - Safety PLC - FINAL ELEMENT]<br />
Trip if either transmitter indicates a trip condition<br />
2oo2 Architecture for field equipment<br />
[Figure: SENSOR (two transmitters) - Safety PLC - FINAL ELEMENT]<br />
Trip only if both transmitters indicate a trip condition<br />
Valve closes to trip<br />
Architectures<br />
[Figure: comparison plot of the architectures, including 1oo2]<br />
Hardware Fault Tolerance<br />
Architecture | Hardware Fault Tolerance<br />
1oo1 | 0<br />
1oo1D | 0<br />
1oo2 | 1<br />
2oo2 | 0<br />
2oo3 | 1<br />
2oo2D | 0<br />
1oo2D | 1<br />
1oo3 | 2<br />
[Figure: IEC 61508 TYPE B table - Safe Failure Fraction vs. Hardware Fault Tolerance 0, 1, 2]<br />
IEC 61511 PE logic solvers<br />
Minimum Hardware Fault Tolerance<br />
SIL | SFF < 60% | SFF 60% to 90% | SFF > 90%<br />
1 | 1 | 0 | 0<br />
2 | 2 | 1 | 0<br />
3 | 3 | 2 | 1<br />
4 | Special requirements apply (see IEC 61508)<br />
• Almost identical to IEC 61508 Type B table<br />
- IEC 61508 specifies 4 levels of SFF<br />
- IEC 61511 does not specify SIL 4<br />
IEC 61511 field equipment<br />
SIL | Minimum Hardware Fault Tolerance<br />
1 | 0<br />
2 | 1<br />
3 | 2<br />
4 | Special requirements apply (see IEC 61508)<br />
• No Type A vs. Type B<br />
• No SFF<br />
• Identical to IEC 61508 Type B table for SFF 60-90% and Type A table for SFF 0-60%<br />
IEC 61511 field equipment<br />
• Increase minimum HFT by one if the dominant failure mode is not to the safe state or dangerous failures are not detected<br />
• Reduce minimum HFT by one if<br />
- The hardware of the device is selected on the basis of prior use; and<br />
- The device allows adjustment of process-related parameters only, for example, measuring range, upscale or downscale failure direction; and<br />
- The adjustment of the process-related parameters of the device is protected, for example, jumper, password; and<br />
- The function has a SIL requirement of less than 4.<br />
IEC 61511 field equipment<br />
• IEC 61508 HFT charts may be used instead of 61511 charts - recommended<br />
• They are clear and more flexible<br />
Application Exercise Set 6<br />
Redundant Architectures - Complete the Problems<br />
10 minutes<br />
Section 6: Redundant Architectures Summary<br />
• Basic Architectures<br />
• Comparison<br />
• Advanced Architectures<br />
• Diagnostics<br />
Section 7: Safety Instrumented System Design<br />
• Safety Requirements Specification<br />
• Conceptual Design<br />
• Technologies<br />
• Architectures<br />
• Design Verification<br />
• Detail Design<br />
• Tools<br />
Detailed Safety Lifecycle<br />
SIS Design in the context of the SLC<br />
[Figure: detailed safety lifecycle with SIS Design highlighted]<br />
SIS Design<br />
[Figure: SIS design steps]<br />
SRS - Design Requirements<br />
• The SRS should contain two types of requirements<br />
- Functional Requirements<br />
- Integrity Requirements<br />
• The SRS should contain these functional requirements<br />
- Definition of the safe state<br />
- Process inputs and their trip points<br />
- Process parameter normal operating range<br />
- Process outputs and their actions<br />
- Relationship between inputs and outputs<br />
• The SRS should contain these integrity requirements<br />
- The required SIL for each SIF<br />
- Reliability requirements if spurious trips may be hazardous<br />
- Requirements for diagnostics to achieve the required SIL<br />
- Requirements for maintenance and testing<br />
Equipment Selection<br />
IEC 61511, Functional Safety for the Process Industries, requires that equipment used in safety instrumented systems be chosen based on either IEC 61508 assessment to the appropriate SIL or justification based on "prior use" criteria (IEC 61511, Part 1, Section 11.5.3).<br />
Prior Use ???<br />
• Unfortunately the IEC 61511 standard does not give specific details as to what the criteria for "prior use" really mean<br />
• Most agree, however, that if a user company has many years of documented successful experience (no dangerous failures) with a particular version of a particular instrument, this can provide justification for using that instrument even if it is not safety certified. Operating conditions must be recorded and must be similar to the proposed safety application.<br />
exida Recommended Prior Use Criteria<br />
Time in Use<br />
• The equipment item must be shipping for one year without any revisions or changes; or<br />
• The equipment item must be shipping for two years without any significant revisions or changes<br />
• IEC 61508<br />
- Equipment item in service for at least one year with unchanged specification [IEC 61508-7 B.5.4]<br />
• IEC 61511<br />
- No Time In Use requirements<br />
exida Recommended Prior Use Criteria<br />
Operating Experience<br />
• IEC 61508 Techniques and Measures to avoid systematic failures [IEC 61508-2 Table B.6]<br />
• Low effectiveness<br />
- 10,000 hours of operation time, at least one year of experience with at least 10 devices in different applications<br />
- Statistical accuracy claimed should be 95%<br />
- No safety critical failures may have occurred<br />
• High effectiveness<br />
- 10,000,000 hours of operation time, at least two years of experience with at least 10 devices in different applications<br />
- Statistical accuracy claimed should be 99.9%<br />
- Detailed documentation of all changes (including minor) during past operation<br />
exida Recommended Prior Use Criteria<br />
Operating Conditions<br />
• The stress conditions of the considered prior use applications should be equal to or above the average conditions of the application<br />
• Including an assessment of the functionality and the application environmental limits<br />
• IEC 61508<br />
- Similar conditions of use, i.e. functionality and environment<br />
• IEC 61511<br />
- Consider the operating profile of equipment items; specific points relate to functionality and environment [IEC 61511-2 11.5.3]<br />
exida Recommended Prior Use Criteria<br />
Operating Conditions<br />
• IEC 61511 allows, for field devices (for example, sensors and final elements), that non-safety function experience is considered in the safety function proven in use argument<br />
• This is based on the assumption that the function is usually identical in safety and non-safety use [IEC 61511-1 11.5.3.2]<br />
• This may be the case for sensing devices like transmitters; it is definitely not the case for valves. A control valve is usually a dynamic valve, a safety valve is usually a static valve<br />
exida Recommended Prior Use Criteria<br />
Safety Manual / Quality System<br />
• An IEC 61508 compliant safety manual needs to be available<br />
• The manufacturer's quality, management, and configuration management systems should be considered<br />
- ISO 9000 (or better) certified quality system that covers all manufacturing operations and field failure returns<br />
- Field failure return procedures must require that statistics be maintained on all field returns<br />
- Detailed version control system that identifies all changes and revisions. Modification procedures must meet IEC 61508 requirements<br />
- IEC 61508 gap analysis should determine maturity of the Quality System<br />
exida Recommended Prior Use Criteria<br />
Process Parameter Adjustment Only<br />
• Equipment item allows adjustment of process-related parameters only, and the adjustment of the process-related parameters of the device is protected [IEC 61511]<br />
• The equipment item should be assessed as being not programmable<br />
- This generally excludes products capable of running function blocks or configurable calculations (most Fieldbus products)<br />
- The equipment item must have means to protect parameter changes, i.e. a jumper and/or a password<br />
exida Recommended Prior Use Criteria<br />
Failure Rate Calculation<br />
• Based on documented hours in use in a similar application<br />
• Account for Proof Test Coverage in calculation of proof test failures<br />
• Make certain that ALL failures are reported OR account for the estimated % not reported in the calculation<br />
• A single-sided upper confidence limit of at least 70% shall be considered (based on IEC 61508-2 7.4.7.9)<br />
Compare results to FMEDA results. Choose the most conservative numbers or fully justify the other decision.<br />
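An added example (not exida's own method) of the 70% single-sided upper confidence limit on a failure rate from documented field hours, using the standard Poisson / chi-square bound, plus a classifier for the low / high effectiveness criteria from the Operating Experience slide. The Poisson failure model and applying the zero-safety-critical-failure condition to both effectiveness tiers are my assumptions; all function names are mine.

```python
"""Upper confidence limit on a field failure rate and prior-use operating
experience classification. Added example, not exida course material.
Assumes failures arrive as a Poisson process (standard for constant-rate
random hardware failures); pure standard library."""
import math


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu), each term computed in log space."""
    if mu <= 0:
        return 1.0
    return sum(math.exp(-mu + i * math.log(mu) - math.lgamma(i + 1))
               for i in range(k + 1))


def upper_failure_rate(failures: int, hours: float, confidence: float = 0.70) -> float:
    """Single-sided upper confidence limit on the failure rate (per hour).

    Finds the rate lam at which observing <= `failures` in `hours` would
    happen with probability 1 - confidence: P(X <= r | lam*hours) = 1 - C.
    This equals chi2.ppf(C, 2*(r+1)) / (2*hours); solved here by bisection
    on mu = lam*hours so no scipy is needed. Zero failures still give a
    positive bound, which is the point of using it for prior-use data.
    """
    if failures < 0 or hours <= 0 or not 0 < confidence < 1:
        raise ValueError("need failures >= 0, hours > 0, 0 < confidence < 1")
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi) > target:   # widen bracket until it holds
        hi *= 2
    for _ in range(200):                         # cdf is decreasing in mu
        mid = (lo + hi) / 2
        if poisson_cdf(failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi / hours


def prior_use_effectiveness(hours: float, devices: int, years: float,
                            safety_critical_failures: int, change_docs: bool):
    """Classify operating experience against the slide's IEC 61508 criteria.

    Low: >= 10,000 h, >= 1 year, >= 10 devices, no safety critical failures.
    High: >= 10,000,000 h, >= 2 years, >= 10 devices, detailed change
    documentation. The zero-failure condition is applied to both tiers here
    (conservative reading; the slide lists it under low effectiveness).
    Returns "high", "low" or None.
    """
    if devices < 10 or safety_critical_failures > 0:
        return None
    if hours >= 10_000_000 and years >= 2 and change_docs:
        return "high"
    if hours >= 10_000 and years >= 1:
        return "low"
    return None


if __name__ == "__main__":
    # Constructed fleet: 120 transmitters, 5 years, one dangerous failure reported.
    fleet_hours = 120 * 5 * 8760
    lam_70 = upper_failure_rate(1, fleet_hours, 0.70)
    point = 1 / fleet_hours
    print(f"point estimate {point:.3e}/h, 70 % upper limit {lam_70:.3e}/h "
          f"(x{lam_70 / point:.2f})")
    print("effectiveness:", prior_use_effectiveness(fleet_hours, 120, 5, 0, True))
```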
Prior Use ???<br />
• To help end users with their Prior Use justification document, many manufacturers are providing third party assessments including:<br />
• FMEDA Report - manufacturer provides failure rate and failure mode data<br />
• Proven In Use Report - manufacturer provides modification history, field performance warranty data<br />
Safety Assessment for Products<br />
• FMEDA - manufacturer provides failure rate and failure mode data<br />
• Proven In Use - manufacturer provides modification history, field performance data<br />
• IEC 61508 Certification - manufacturer has third party assessors certify that a product meets all requirements of 61508<br />
Safety Assessment Limitations<br />
• FMEDA - manufacturer provides failure rate and failure mode data<br />
- DOES NOT INCLUDE PROCESS CONNECTIONS!<br />
• Proven In Use - manufacturer provides modification history, field performance data<br />
- MANUFACTURER P.I.U. INFO IS JUST A START, THEY DO NOT USE THE EQUIPMENT.<br />
Trend toward 61508 Certified Products<br />
IEC 61508 Certified Product - SAFETY AUTOMATION EQUIPMENT LIST:<br />
Pressure Transmitters, Temp. Transmitters, Flow Transmitters, Level Transmitters, PLCs, Trip Amps, modules, Actuators, Solenoids, Valves<br />
[Figure: sample certificate (Certificate / Zertifikat)]<br />
IEC 61508 Full Certification<br />
• The end result of the certification process is a certificate listing the SIL for which a product is qualified and the standards that were used for the certification<br />
• However, we must understand that some products are certified with "restrictions"<br />
• The restrictions essentially indicate when a product does not meet some requirements of IEC 61508<br />
• The restrictions are listed in the safety manual and must be followed if safe operation is required<br />
IEC 61508 Pressure Transmitter Certification<br />
[Figure: excerpt of the IEC 61508 certified pressure transmitter list]<br />
IEC 61508 PLC Certification<br />
[Figure: excerpt of the IEC 61508 certified PLC list]<br />
IEC 61508 Ball Valve Certification<br />
[Figure: excerpt of the IEC 61508 certified ball valve list]<br />
IEC 61508 Full Certification Enough?<br />
[Figure: certificate excerpt with HFT entries]<br />
• NO! A control system designer cannot simply specify 61508 certified equipment and expect a safe design!<br />
• Equipment "restrictions" must be followed<br />
• Process connections must be included<br />
Safety Manual<br />
[Figure: certificate (Certificate / Zertifikat)]<br />
• Usage Requirements - Restrictions<br />
• Environmental Limits<br />
• Optional Settings<br />
• Failure Rate Data<br />
• Useful Life Data<br />
• Common Cause Beta Estimate<br />
• Inspection and Test Procedures<br />
Select Architecture<br />
[Figure: 1oo1, 1oo2, 2oo2 and 2oo3 block diagrams]<br />
• Objective<br />
- Determine type of redundancy needed to meet the required Safety Integrity Level<br />
- Choose architecture<br />
- Obtain reliability and safety data for the architecture<br />
Test Philosophy<br />
[Figure: Select Architecture, then Determine Test Philosophy]<br />
How will the sensors, controller and final elements be tested? How frequently?<br />
PERIODIC INSPECTION<br />
Time Interval: 5 Years, 1 Year, 6 Mos., 3 Mos.<br />
Procedure: Shutdown Plant? Bypass SIS? Transmitter Testing? Valve / Actuator Testing?<br />
Failure Rate Data Models<br />
1. Industry Databases - NOT Application Specific, NOT Product Specific<br />
2. Manufacturer FMEDA, Field Failure Study - Product Specific, NOT Application Specific<br />
3. Detail Field Failure Study - Application model. Product Specific, Application Specific<br />
Failure Rate Data Handbook<br />
1. Industry Databases - NOT Application Specific, NOT Product Specific<br />
2. Manufacturer FMEDA, Field Failure Study - Product Specific, NOT Application Specific<br />
Safety Integrity Levels<br />
DEMAND MODE<br />
Safety Integrity Level | Target Average Probability of Failure on Demand | Target risk reduction (RRF)<br />
SIL 4 | ≥ 10⁻⁵ to < 10⁻⁴ | > 10000 to ≤ 100000<br />
SIL 3 | ≥ 10⁻⁴ to < 10⁻³ | > 1000 to ≤ 10000<br />
SIL 2 | ≥ 10⁻³ to … | …<br />
SIL 1 | … | …<br />
Markov Analysis<br />
• Can be more precise with less work<br />
• Generally well accepted<br />
• Well known Solution Techniques<br />
• One model for multiple failure modes<br />
• Provides a clear picture of system operation under failure conditions<br />
Three Requirements for SIL Design Verification<br />
• Low Demand Mode - PFDavg<br />
- Manages risk from random failures<br />
• Hardware Fault Tolerance<br />
- Meets standard requirements<br />
• Systematic Integrity<br />
- Proven in use / 61508 compliant equipment<br />
- Manages risk from systematic failures<br />
Putting the Function Together<br />
• Overall function PFDavg ≈ PFDavg Inputs + PFDavg Outputs + PFDavg Logic Solver<br />
• Overall function Spurious Trip Rate (STR) = STR Inputs + STR Outputs + STR Logic Solver<br />
Ex 1: High Pres. Prot. Loop. Pressure Switch + Solenoid<br />
[Figure: Vessel with pressure switch and SOV]<br />
Lambda D (λD): Solenoid ?????, Pressure switch ?????<br />
No Diagnostics, Test Interval - 1 year, SIL2 required<br />
SIF Verification Example<br />
[Figure: failure rate data excerpt]<br />
SIF Verification Example<br />
Example 1: High Pressure Protection Loop. Pressure Switch + Solenoid<br />
Demand Mode<br />
Lambda DU (λDU): Solenoid 0.585 × 10⁻⁶ failures per hour; Pressure switch 3.6 × 10⁻⁶ failures per hour<br />
No Diagnostics, Test Interval - 1 year, SIL2 requirement<br />
PFDavg = λDU · TI / 2<br />
PFDavg = (0.000004185 * 8760) / 2<br />
PFDavg = 0.01833<br />
RRF = 1 / PFDavg = 54.5 - SIL 1<br />
Use simplified equation for first pass. Assuming perfect proof testing - very optimistic!<br />
SIF Verification Example<br />
Example 1: High Pressure Protection Loop. Pressure Switch + Solenoid<br />
Proof Test: Operations has said that it is not practical to change the process pressure or isolate the pressure switch. Therefore the proof test will open the pressure switch wire once a year and check to see if the solenoid will de-energize. The pressure switch will be inspected for corrosion and dirt and cleaned if necessary.<br />
How good is this? What coverage?<br />
Estimate of Test Effectiveness:<br />
Pressure Switch - 20%<br />
Solenoid - 95%<br />
SIF Verification Example<br />
Example 1: High Pressure Protection Loop. Pressure Switch + Solenoid<br />
PFDavg = CPT · λD · TI / 2 + (1 - CPT) · λD · LT / 2<br />
CPT = Effectiveness of proof test, 0 - 100%<br />
LT = Operational Lifetime of plant<br />
The process unit will be operated for 6 years, then shut down for a complete overhaul. During the overhaul, the solenoid and pressure switch will be replaced with new units.<br />
Therefore LT = 6 years<br />
Note: This "simplified equation" is not as simple as before but gives reasonable results.<br />
SIF Verification Example<br />
Example 1: High Pressure Protection Loop, Pressure Switch + Solenoid<br />
PFDavg = C_PT * λDU * TI / 2 + (1 - C_PT) * λDU * LT / 2, summed over both devices<br />
Pressure switch: 0.2 * 0.0000036 * 8760 / 2 + (1 - 0.2) * 0.0000036 * 6 * 8760 / 2 = 0.0032 + 0.0757<br />
Solenoid: 0.95 * 0.000000585 * 8760 / 2 + (1 - 0.95) * 0.000000585 * 6 * 8760 / 2 = 0.0024 + 0.0008<br />
PFDavg = 0.082<br />
RRF = 1 / PFDavg = 12, low SIL 1<br />
Most of the PFDavg comes from the 80% of pressure switch failures the proof test cannot find; they accumulate over the full 6 year lifetime.<br />
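The Example 1 arithmetic above, written as a reusable function. This is an added example, not part of the exida course material: the per-device model is the course's simplified equation (the fraction of λDU the proof test finds averages over TI, the rest over LT), the loop value is the sum of the device values, and the SIL bands are the low-demand PFDavg ranges of IEC 61508-1.

```python
"""Added worked example: PFDavg with imperfect proof testing (Example 1).

Each dangerous undetected failure rate (lambda DU) is split into the fraction
the proof test finds (coverage C_PT, tested every TI hours) and the fraction
that is only removed when the device is replaced after LT hours of service.
"""

HOURS_PER_YEAR = 8760

# Low-demand SIL bands from IEC 61508-1: (SIL, lower PFDavg, upper PFDavg).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def pfd_avg_device(lambda_du, ti_hours, coverage=1.0, lt_hours=None):
    """PFDavg of one device.

    lambda_du : dangerous undetected failure rate, failures per hour
    ti_hours  : proof test interval in hours
    coverage  : proof test effectiveness C_PT (0..1); 1.0 is the optimistic
                'perfect proof test' first-pass assumption
    lt_hours  : operational lifetime before replacement; required when
                coverage < 1, because the missed failures persist until then
    """
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be between 0 and 1")
    detected = coverage * lambda_du * ti_hours / 2
    if coverage == 1.0:
        return detected
    if lt_hours is None:
        raise ValueError("lt_hours is required when coverage < 1")
    missed = (1.0 - coverage) * lambda_du * lt_hours / 2
    return detected + missed


def pfd_avg_loop(devices, ti_hours, lt_hours=None):
    """Series loop: a dangerous failure of any device defeats the SIF, so the
    per-device PFDavg values add (valid while each value is much less than 1)."""
    return sum(pfd_avg_device(lam, ti_hours, cov, lt_hours) for lam, cov in devices)


def sil_from_pfd(pfd_avg):
    """Low-demand SIL achieved by a PFDavg value, or 0 if worse than SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0


# Example 1 figures from the slides: (lambda DU per hour, proof test coverage).
EXAMPLE_1_FIRST_PASS = [(3.6e-6, 1.0), (0.585e-6, 1.0)]    # switch, solenoid
EXAMPLE_1_REALISTIC = [(3.6e-6, 0.20), (0.585e-6, 0.95)]


def example_1():
    """Returns (first-pass PFDavg, PFDavg with the estimated coverages)."""
    first = pfd_avg_loop(EXAMPLE_1_FIRST_PASS, HOURS_PER_YEAR)
    real = pfd_avg_loop(EXAMPLE_1_REALISTIC, HOURS_PER_YEAR,
                        lt_hours=6 * HOURS_PER_YEAR)
    return first, real


if __name__ == "__main__":
    for label, pfd in zip(("perfect proof test", "estimated coverage"), example_1()):
        print(f"{label}: PFDavg = {pfd:.4f}, RRF = {1 / pfd:.1f}, SIL {sil_from_pfd(pfd)}")
```

Running it reproduces the two slide results (0.0183 and 0.082, both SIL 1). Changing the coverage of the pressure switch alone shows where the risk reduction is lost: the solenoid's 5% uncovered share contributes less than a tenth of the total.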
IEC 61508 / IEC 61511 Safe Failure Fraction<br />
SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)<br />
SFF is defined as the ratio of the average rate of safe failures plus dangerous detected failures of the subsystem to the total average failure rate of the subsystem.<br />
Equivalently, with λ = λSD + λSU + λDD + λDU the total failure rate: SFF = 1 - λDU / λ<br />
SIF Verification Example<br />
Example 1: High Pressure Protection Loop, Pressure Switch + Solenoid<br />
Lambda D (λD) and Lambda S (λS):<br />
Solenoid: λD = 0.585 x 10^-6 f/hr, λS = 1.010 x 10^-6 f/hr<br />
Pressure switch: λD = 3.6 x 10^-6 f/hr, λS = 2.4 x 10^-6 f/hr<br />
Limiting sub-system is the sensor: pressure switch.<br />
SFF: 72.1%<br />
IEC 61508 Safe Failure Fraction<br />
[Table from IEC 61508-2: maximum SIL allowed for a Type A subsystem in demand mode, by Safe Failure Fraction band (rows) and Hardware Fault Tolerance 0, 1, 2 (columns)]<br />
Example 2: High Pressure Protection Loop, Transmitter - DCS - Solenoid<br />
[Figure: excerpt of the Rosemount 3051 pressure transmitter data sheet, General Information]<br />
Trip Setting, Alarm Setting and Diagnostic Filtering<br />
Configure the DCS to detect out-of-range current signals as a "Detected" failure without a trip.<br />
[Figure: the 4-20 mA signal range. Above 20 mA, the over-range alarm setting: detected faults end up here. Below it the high trip, then the normal process signal. Below 4 mA, the under-range alarm setting: detected faults end up here.]<br />
Diagnostic Filtering:<br />
• Detection of over-range / under-range (invalid) signals<br />
• Detection of rate of change (indication of internal transmitter error), also called input filtering<br />
A detected failure raises a maintenance alarm and moves that failure from λDU to λDD; it does not cause a spurious trip.<br />
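The input filtering described above, run over constructed 4-20 mA scan values. This is an added example, not part of the exida course material or any DCS vendor's logic. The thresholds are assumptions chosen in the spirit of NAMUR NE 43 (under-range below 3.6 mA, over-range above 21.0 mA), the 18.0 mA trip point, the 4.0 mA/s slew limit and the 0.5 s scan period are likewise assumptions, and the three traces are constructed to show each signature.

```python
"""Added example: range and rate-of-change diagnostics on a 4-20 mA input.

Range checks run first: an out-of-range signal is classified as a detected
transmitter failure, not as a process excursion, so it does not trip.
"""

UNDER_RANGE_MA = 3.6      # assumption (NE 43 style): below this the loop is failed
OVER_RANGE_MA = 21.0      # assumption (NE 43 style): above this the loop is failed
HIGH_TRIP_MA = 18.0       # assumption: high-pressure trip point (87.5 % of span)
MAX_SLEW_MA_PER_S = 4.0   # assumption: faster than the process can physically move
SCAN_S = 0.5              # assumption: logic solver scan period in seconds


def classify(sample_ma, previous_ma=None):
    """Classify one scan of the analog input. Returns one of
    'DETECTED_UNDER', 'DETECTED_OVER', 'DETECTED_SLEW', 'TRIP', 'NORMAL'."""
    if sample_ma < UNDER_RANGE_MA:
        return "DETECTED_UNDER"          # open wire, loss of power, fail-low alarm
    if sample_ma > OVER_RANGE_MA:
        return "DETECTED_OVER"           # saturated output, fail-high alarm
    if previous_ma is not None:
        slew = abs(sample_ma - previous_ma) / SCAN_S
        if slew > MAX_SLEW_MA_PER_S:
            return "DETECTED_SLEW"       # jump the process cannot produce
    if sample_ma >= HIGH_TRIP_MA:
        return "TRIP"
    return "NORMAL"


def run_filter(samples_ma):
    """Classify a sequence of scans; the rate check uses the previous scan."""
    out = []
    prev = None
    for s in samples_ma:
        out.append(classify(s, prev))
        prev = s
    return out


# Constructed traces (mA per scan).
TRACE_PROCESS_HIGH = [8.0, 9.5, 11.0, 12.5, 14.0, 15.5, 17.0, 18.5]   # real rise, trip
TRACE_OPEN_LOOP = [12.0, 12.0, 0.0]       # wire opened: detected fault, no trip
TRACE_SATURATED = [12.0, 12.0, 22.5]      # output pinned high: detected fault, no trip
TRACE_JUMP = [12.0, 12.0, 16.5]           # 4.5 mA step in one scan: internal error


if __name__ == "__main__":
    for name, trace in (("process high", TRACE_PROCESS_HIGH), ("open loop", TRACE_OPEN_LOOP),
                        ("saturated", TRACE_SATURATED), ("jump", TRACE_JUMP)):
        print(f"{name:13s}: {run_filter(trace)}")
```

The caveat that matters in practice: the slew limit must sit above any rate the real process can produce, otherwise a genuine fast excursion is reported as a transmitter fault instead of tripping. The limit is a claim about the process, and it belongs in the SRS with the trip setting.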
Example 2: High Pressure Protection Loop, Transmitter - DCS - Solenoid<br />
If we assume "clean service" on the pressure transmitter (no plugged impulse line problem) then:<br />
Lambda DU transmitter = 98 FITs (1 FIT = 1 failure per 10^9 hours)<br />
The SIF in the DCS logic solver has one analog input, all common circuitry and one digital output.<br />
Lambda DU DCS =<br />
(1 x 38) one analog input channel<br />
+ 250 analog module common<br />
+ 1500 main processor<br />
+ 13 power supply<br />
+ 125 digital output module common<br />
+ (1 x 150) one digital output high current channel<br />
= 2076 FITs<br />
SIF Verification Example<br />
Example 2: High Pressure Protection Loop, Transmitter - DCS - Solenoid<br />
Lambda DU (λDU):<br />
Transmitter: 98 x 10^-9 failures per hour<br />
Logic solver: 2076 x 10^-9 failures per hour<br />
Solenoid: 585 x 10^-9 failures per hour<br />
PFDavg = λDU * TI / 2<br />
PFDavg = (0.000002759 * 8760) / 2<br />
PFDavg = 0.012<br />
RRF = 1 / PFDavg = 83, which is SIL 1<br />
Note: Use the simplified equation for a first pass. It assumes perfect proof testing, which is very optimistic!<br />
IEC 61508 Safe Failure Fraction<br />
Transmitter SFF is 82%. It is a smart device, therefore Type B. With hardware fault tolerance 0 it is still limited to SIL 1.<br />
[Table from IEC 61508-2: maximum SIL allowed for a Type B subsystem in demand mode, by Safe Failure Fraction band (rows) and Hardware Fault Tolerance 0, 1, 2 (columns)]<br />
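The SFF definition and the architectural constraint tables of the two slides above, as an added example that is not part of the exida course material. The tables are IEC 61508-2 (first edition) Tables 2 and 3; the transmitter figures (500 FIT total, 62% safe, 74% safe and 96% dangerous diagnostic coverage) are constructed for the illustration.

```python
"""Added worked example: Safe Failure Fraction and the IEC 61508-2
architectural constraints (Type A / Type B, hardware fault tolerance 0..2).
"""

# Allowed SIL by SFF band and hardware fault tolerance (HFT 0, 1, 2).
# IEC 61508-2 Table 2 (Type A) and Table 3 (Type B).
# SFF bands: < 60 %, 60 % to < 90 %, 90 % to < 99 %, >= 99 %.
_BANDS = (0.60, 0.90, 0.99)
_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))   # 0 = not allowed


def split_failure_rates(lambda_total, safe_fraction, cov_safe, cov_dangerous):
    """Return (lambda SD, SU, DD, DU) from a total rate and the coverage factors."""
    lam_s = lambda_total * safe_fraction
    lam_d = lambda_total - lam_s
    return (lam_s * cov_safe, lam_s * (1 - cov_safe),
            lam_d * cov_dangerous, lam_d * (1 - cov_dangerous))


def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF = (SD + SU + DD) / (SD + SU + DD + DU) = 1 - DU / total."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return 1.0 - lam_du / total


def sil_allowed_by_architecture(sff, hft, smart=False):
    """Maximum SIL claimable for one subsystem from its SFF and HFT.

    smart=True selects Type B (complex devices whose failure modes are not
    all well defined, e.g. a microprocessor-based transmitter); otherwise
    Type A. Returns 0 when the combination is not allowed at all.
    """
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    band = sum(1 for edge in _BANDS if sff >= edge)
    table = _TYPE_B if smart else _TYPE_A
    return table[band][hft]


def constructed_transmitter():
    """Constructed case: 500 FIT total, 62 % safe, 74 % / 96 % coverage.
    Returns (SFF, lambda DU in FIT, SIL allowed at HFT 0 as a Type B device)."""
    rates = split_failure_rates(500e-9, 0.62, 0.74, 0.96)
    sff = safe_failure_fraction(*rates)
    return sff, rates[3] * 1e9, sil_allowed_by_architecture(sff, hft=0, smart=True)


if __name__ == "__main__":
    sff, lam_du_fit, sil = constructed_transmitter()
    print(f"SFF = {sff:.2%}, lambda DU = {lam_du_fit:.1f} FIT, Type B at HFT 0 -> SIL {sil}")
    print("Example 2 transmitter, SFF 82 %, Type B, HFT 0 -> SIL",
          sil_allowed_by_architecture(0.82, 0, smart=True))
```

Note that the constructed transmitter reaches SFF 98.5% and is still capped at SIL 2 on its own: under these tables a single Type B device cannot claim SIL 3 below 99% SFF, which is why the Example 3 architecture adds hardware fault tolerance on the final element rather than looking for a better solenoid.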
Ex 3: Safety Transmitter + Safety PLC + 1oo2 Solenoid<br />
[Figure: safety pressure transmitter on the vessel, wired to a safety PLC, which drives two solenoid valves (SOV) in a 1oo2 voting arrangement]<br />
Ex 3: Safety Transmitter + Safety PLC + 1oo2 Solenoid<br />
Justification via IEC 61508 Certification<br />
[Figures: IEC 61508 certification documents for the devices]<br />
Ex 3: Safety Transmitter + Safety PLC + 1oo2 Solenoid<br />
PFDavg? SFF? SIL?<br />
[Figure: the same loop: safety pressure transmitter on the vessel, safety PLC, two SOVs in 1oo2 voting]<br />
SIL Verification Tool<br />
[Figures: SIL verification tool screenshots]<br />
Application Exercise Set 7<br />
SIS Design - Design a SIL 3 High Pressure Protection SIF<br />
Complete the Problems - 30 minutes<br />
Section 7: Safety Instrumented System Design Summary<br />
• Safety Requirements Specification<br />
• Conceptual Design<br />
• Technologies<br />
• Architectures<br />
• Design Verification<br />
• Detail Design<br />
• Tools<br />
Section 8: Installation, Commissioning and Validation<br />
• Installation and Commissioning<br />
- Objectives<br />
- Activities<br />
- Documentation Required<br />
• Validation<br />
- Objectives<br />
- Activities<br />
- Documentation Required<br />
Detailed Safety Lifecycle<br />
[Figure: detailed safety lifecycle diagram]<br />
Terms<br />
• Validation: the activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration after installation meet in all respects the safety requirements specification.<br />
• Verification: activity of demonstrating for each phase of the safety lifecycle by analysis and/or tests that, for the specific inputs, the deliverables meet the objectives and requirements set for the specific phase.<br />
Terms<br />
[Figure: BPCS & SIS completion timeline. FAT at the vendor factory; SAT, then SIT, at the process plant.]<br />
Terms<br />
[Figure: commissioning sequence at the process plant: E&I loop check, pre-commissioning, cold commissioning, hot commissioning, then validation and FSA prior to start-up, then production.]<br />
Terms<br />
• Factory Acceptance Test (FAT)<br />
- A test performed before shipment to site, usually at the vendor or integrator premises, often witnessed by the end user<br />
- Not a mandatory step in IEC 61511, but very common to avoid problems during SAT and SIT<br />
• Site Acceptance Test (SAT)<br />
- Involves shipment of the system(s) to site, installation and start-up activities<br />
Terms<br />
• Site Integration Test (SIT)<br />
- Once SAT is completed, the BPCS and SIS communications and any hard-wired links are integrated and tested as a complete system to ensure that the system as a whole functions correctly. SIS signals, diagnostics, bypasses and alarms displayed on shared BPCS HMI screens will be tested during this stage.<br />
IEC 61511<br />
[Figure: lifecycle phases in sequence: Realization (design and development of the safety instrumented system, factory acceptance test), FAT, Installation, SAT/SIT, Commissioning, Functional Safety Assessment, Startup, Operation, Modification, Decommissioning. Validation spans the phases from FAT through Startup.]<br />
Installation Objective and Activities<br />
• Objective<br />
- Install equipment to specifications and drawings<br />
• Activities<br />
- Mount equipment per manufacturer's instructions<br />
- Install all equipment components in proper position<br />
- Install all jumpers, keying mechanisms and protection components<br />
- Connect grounding<br />
- Connect energy sources<br />
- Calibrate instruments<br />
- Connect interfaces and all communications links<br />
- Connect field devices<br />
- Verify environmental stress conditions against specifications<br />
Installation Activities: Environmental Stress<br />
• Heat: avoid heat sources, verify operation within ratings<br />
• Electric: avoid surge conditions, avoid secondary effects of lightning, verify operation within rating<br />
• Mechanical: avoid severe shock and vibration, check for mechanical resonances, verify operation within ratings<br />
• Application mismatch: avoid operation under conditions not allowed by the manufacturer, check for incompatible materials<br />
Commissioning Objectives<br />
• Check for correct installation and functionality of equipment<br />
- Note any "as-built" changes from previous designs<br />
"Where it has been established that the actual installation does not conform to the design information then the difference shall be evaluated by a competent person and the likely impact on safety determined. If it is established that the difference has no impact on safety, then the design information shall be updated to "as built" status. If the difference has a negative impact on safety, then the installation shall be modified to meet the design requirements." IEC 61511 Clause 14.2.5<br />
- Check for installation per equipment Safety Manual<br />
• Ready for Validation tests<br />
Commissioning Activities<br />
• All packing material removed<br />
• All jumpers, keying mechanisms and protection components are properly installed<br />
• Grounding has been properly connected<br />
• Energy sources connected and operational<br />
• No physical damage present<br />
• All instruments calibrated and ranges set<br />
• Interfaces operational, including interfaces to other systems<br />
• All field devices are operational<br />
• Logic solver and inputs/outputs are operational<br />
Validation Objectives<br />
• Ensure that the safety instrumented system (SIS) as installed and commissioned meets all of the safety requirements specification (SRS)<br />
• Validation is done using a combination of testing and inspection<br />
[Figure: FAT, Installation, SAT/SIT, Commissioning, FSA, Start up, with Validation spanning these phases]<br />
IEC 61511 Clause 15<br />
Validation Activities<br />
• Full FUNCTIONAL test to verify that all requirements in the SRS have been successfully implemented.<br />
• All equipment installed per manufacturer's instructions.<br />
• All equipment implemented per the Safety Manual.<br />
• Periodic test plan complete with procedure for testing and documenting tests.<br />
Validation Test Detail Activities<br />
• Ensure sensors, logic solvers, and final elements perform according to the SRS under normal / abnormal conditions<br />
• Confirm proper SIS operation on bad process variable values<br />
• Make certain the SIS provides the proper annunciation (trips and faults), displays, and external communications<br />
• Ensure computations by the SIS are correct<br />
Functional Safety Assessment<br />
• An independent judgment on the functional safety achieved by the SIS<br />
- Define an assessment procedure "appropriate" to the SIL and novelty of design<br />
- Appoint an experienced team leader and team of reviewers<br />
- Define the scope of assessment<br />
- Create a plan for review activities and expected results<br />
- Identify any safety bodies and certifications<br />
- Conduct assessment<br />
Validation Safety Review Activities<br />
[Figure: validation safety review activities]<br />
Section 8: Installation, Commissioning and Validation Summary<br />
• Installation and Commissioning<br />
- Objectives<br />
- Activities<br />
- Documentation Required<br />
• Validation<br />
- Objectives<br />
- Activities<br />
- Documentation Required<br />
[Figure: FAT, Installation, SAT/SIT, Commissioning, FSA, Startup, with Validation spanning these phases]<br />
Section 9: Operational Requirements<br />
• Maintenance Planning<br />
• Manufacturer's Maintenance Data<br />
• Periodic Inspection Testing / Records<br />
Detailed Safety Lifecycle<br />
[Figure: detailed safety lifecycle diagram]<br />
Maintenance Planning<br />
• All tests required to verify proper operation of the Safety Instrumented Function must be planned<br />
• The periodic test interval that was calculated during SIF verification must be documented as part of the plan<br />
• Online? Offline? Bypass procedures?<br />
• Proof test procedures must be at least as effective as planned during the SIF verification<br />
Proof Test<br />
The purpose of the proof test is to verify that the safety instrumented function works properly. It is often assumed that if it works properly it has not failed.<br />
Procedure:<br />
1. Block valve from closing.<br />
2. Move input signal above trip point.<br />
3. Verify that valve attempted to close.<br />
4. Move input signal back to normal, below trip point.<br />
5. Remove valve block.<br />
Assume 100% diagnostic coverage??<br />
100% Coverage?<br />
100% coverage is not likely due to intermittent faults and not exercising all functionality.<br />
Transmitter failures, logic solver failures, final element failures: what are the DUs? What are the dangerous failures not detected by any automatic diagnostics?<br />
Assume 100% diagnostic coverage??<br />
Proof Test<br />
(Earlier definition, struck through on the slide: the purpose of the proof test is to verify that the safety instrumented function works properly; if it works properly it is assumed not to have failed.)<br />
The purpose of the proof test is to detect any failures not detected by automatic on-line diagnostics: dangerous failures, diagnostic failures, parametric failures.<br />
Safety Manual<br />
• Products intended for SIF applications are supplied with a "Safety Manual"<br />
- The "safety manual" may be part of another document<br />
• The Safety Manual contains important restrictions on how the product must be used in order to maintain safety<br />
- Environmental restrictions<br />
- Design restrictions<br />
- Periodic inspection / test requirements<br />
- Failure rate / failure mode data<br />
Safety Manual Test Content<br />
From Rosemount 3051S, Safety:<br />
Proof Test 1 - 65%<br />
Proof Test 2 - 98%<br />
Why bother with proof test 1?<br />
[Excerpt from the Rosemount 3051S safety manual:]<br />
Operation and Maintenance<br />
Proof Test and Inspection<br />
The following proof tests are recommended. Proof test results and corrective actions taken must be documented at www.rosemount.com/safety in the event that an error is found in the safety functionality.<br />
Use "Table 1: HART Fast Key Sequence" to perform a Loop Test, Analog Output Trim, or Sensor Trim. See the 3051S reference manual for additional information.<br />
Five-Year(1) Proof Test<br />
Conducting an analog output loop test satisfies the proof test requirements and will detect more than 65% of DU failures not detected by the 3051S SIS automatic diagnostics.<br />
1. Enter the milliampere value representing a high alarm state<br />
2. Check the reference meter to verify the mA output corresponds to the entered value.<br />
3. Enter the milliampere value representing a low alarm state<br />
4. Check the reference meter to verify the mA output corresponds to the entered value.<br />
5. Execute the Master Reset command to initiate start-up diagnostics.<br />
Ten-Year Proof Test<br />
This proof test, when combined with the Five-Year Proof Test, will detect over 98% of DU failures not detected by the 3051S SIS automatic diagnostics.<br />
1. Perform a minimum two point calibration check using the 4-20 mA range points as the calibration points.<br />
2. Check the reference mA meter to verify the mA output corresponds to the pressure input value.<br />
3. If necessary, use one of the "Trim" procedures available in the 3051S reference manual to calibrate.<br />
4. Execute the Master Reset command to initiate start-up diagnostics.<br />
(1) May be a longer proof test interval as justified by PFDavg calculation.<br />
Safety Manual Test Content<br />
From Rosemount 3051S, Safety:<br />
Proof Test 1 - 65%<br />
Proof Test 2 - 98%<br />
Why bother with proof test 1?<br />
Because the time interval between the more expensive PROOF TEST 2 can be extended by several years! The failures the cheap loop test finds every five years stop accumulating over the full ten-year interval, so the PFDavg calculation can justify the longer interval for the full calibration check.<br />
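The argument above, carried through numerically. This is an added example, not part of the exida course material or of Rosemount's documentation: it extends the course's simplified PFDavg model to several proof tests by partitioning λDU according to which test first finds each failure. The 65% five-year and 98% ten-year coverages are the figures from the safety manual excerpt, the 98 FIT transmitter λDU is the Example 2 value, and the 20 year operating life is an assumption.

```python
"""Added example: PFDavg with tiered proof tests of different coverage.

    PFDavg = sum over tests of (incremental coverage * lambda DU * TI / 2)
             + (1 - total coverage) * lambda DU * LT / 2

Each test is given with its cumulative coverage; the increment over the
previous (more frequent) test is the share of lambda DU it is the first to find.
"""

HOURS_PER_YEAR = 8760


def pfd_avg_tiered(lambda_du, tests, lifetime_years):
    """tests: list of (interval_years, cumulative_coverage), ordered from the
    most frequent test to the least frequent, cumulative coverage non-decreasing.
    Failures no test finds persist until replacement at lifetime_years."""
    pfd = 0.0
    covered = 0.0
    for interval_years, cumulative in tests:
        if cumulative < covered or cumulative > 1.0:
            raise ValueError("cumulative coverage must be non-decreasing and <= 1")
        increment = cumulative - covered
        pfd += increment * lambda_du * interval_years * HOURS_PER_YEAR / 2
        covered = cumulative
    pfd += (1.0 - covered) * lambda_du * lifetime_years * HOURS_PER_YEAR / 2
    return pfd


LAMBDA_DU_TRANSMITTER = 98e-9   # failures per hour (98 FIT, Example 2 value)
LIFETIME_YEARS = 20             # assumption: time until the transmitter is replaced


def compare_strategies():
    """Returns (PFDavg with only the 10-year test, PFDavg with both tests)."""
    only_full = pfd_avg_tiered(LAMBDA_DU_TRANSMITTER, [(10, 0.98)], LIFETIME_YEARS)
    both = pfd_avg_tiered(LAMBDA_DU_TRANSMITTER, [(5, 0.65), (10, 0.98)], LIFETIME_YEARS)
    return only_full, both


if __name__ == "__main__":
    only_full, both = compare_strategies()
    print(f"10-year test only : PFDavg = {only_full:.2e}")
    print(f"5-year + 10-year  : PFDavg = {both:.2e}")
    print(f"improvement       : {100 * (1 - both / only_full):.0f} %")
```

With these figures the cheap loop test cuts the transmitter's PFDavg by about a third without changing the ten-year interval of the full calibration check. The same function evaluates the Example 1 single-test cases: `pfd_avg_tiered(4.185e-6, [(1, 1.0)], 6)` gives the first-pass 0.0183.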
Strategic Proof Test<br />
The purpose of the proof test is to detect any failures not detected by automatic on-line diagnostics.<br />
1. We can design proof test procedures that are easier to perform, cost less and are more likely to actually get done.<br />
2. By understanding the actual DU (dangerous undetected) failures in our instruments we can significantly improve our test coverage as well as lower cost.<br />
Effective Testing Techniques<br />
Analog Sensors: Force the process variable between -10% and 110% of scale. This tests the transmitter, power supplies and wiring resistance. Inspect for corrosion on terminal strips and loose wiring. Inspect (or perform cleanout) for plugged impulse lines.<br />
Discrete Sensors: Force the process variable over full scale and inspect for proper movement of mechanisms as well as switch closure at the proper point. Inspect for corrosion on terminal strips or switch mechanical components.<br />
Effective Testing Techniques<br />
Solenoids: Check for speed of response and sound level during a full cycle of air pressure. Inspect for corrosion and clogged air inlets.<br />
Pneumatic Actuators: Inspect for air consumption rates and clogged air inlets. During a partial stroke check for speed of response and pressure curve. During a full stroke check for speed of response, pressure curve and abnormal response when seating. When the valve is closed, check for leakage.<br />
Safety Manual Mechanical Integrity<br />
The safety manual will often include specific tests and inspections that must be done on a periodic basis. For example:<br />
"The window of the flame detector must be inspected to ensure that it is clean and clear. The maintenance schedule must be established based on plant conditions."<br />
The designer must estimate plant conditions and add periodic inspection to the mechanical integrity procedures.<br />
Periodic Inspection Testing / Records<br />
Actual testing must be documented:<br />
• Test details<br />
• Personnel, date<br />
• Bypass authorization<br />
• Tests performed<br />
• Results<br />
• System restored<br />
Management of Change Before the Request<br />
[Figure: inputs feeding a modification request: maintenance reports, operations reports, the failure and demand rate database, and systematic failures]<br />
Management of Change After the Request<br />
[Figure: management of change flow after the modification request]<br />
Section 9: Operational Requirements Summary<br />
• Maintenance Planning<br />
• Manufacturer's Maintenance Data<br />
• Periodic Inspection Testing / Records<br />
Post Test<br />
Review - Complete the Problems<br />
Final Course Evaluation<br />
• Course evaluations are tools that help us maintain the quality of our training programs<br />
• Please complete the form and return it to your instructor upon completion of the course<br />
References<br />
• IEC 61508, Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems, International Electrotechnical Commission, 1998/2000<br />
• IEC 61511, Functional Safety - Safety Instrumented Systems for the Process Sector, International Electrotechnical Commission, 2003<br />
• Out of Control - Why Control Systems Go Wrong and How to Prevent Failure, HSE Books, 2nd edition, 2003, ISBN 0-7176-2192-8<br />
• Safety Equipment Reliability Handbook, exida.com, 2005, ISBN13 978-0-9727234-1-1<br />
• Control Systems Safety Evaluation and Reliability, 2nd edition, William M. Goble, 1998, ISBN 1-55617-636-8<br />
• Safety Instrumented Systems Verification: Practical Probabilistic Calculations, William M. Goble and Harry Cheddie, ISA, 2005, ISBN 1-55617-909-X<br />
Many other papers, books and resources are available on-line: www.exida.com<br />
SECTION 2<br />
Exercises<br />
Copyright© 2000-2007 exida.com, L.L.C., All Rights Reserved<br />
exida.com, L.L.C.<br />
64 North Main Street<br />
Sellersville, PA 18960
Revision 4.0, September 2008<br />
Functional Safety Engineering II<br />
exida.com LLC<br />
Application Exercise Set 1 - Constant Failure Rate<br />
1. A system has a probability of failure (all modes) for each one-year mission time of 0.1. What is the probability of a failure for a ten-year mission time? (No wear out, etc.)
Application Exercise Set 2 - Reliability and Availability<br />
1. A PLC has a failure rate of 0.01 failures per year. What is the unreliability for a five year mission?<br />
2. A PLC has a failure rate of 0.01 failures per year. All failures are immediately detectable. The repair time average is 24 hours. What is the steady state unavailability?<br />
3. A PLC has a failure rate of 0.01 failures per year. Failures are detected only when a periodic inspection is done once per year. Assuming that the periodic inspection is perfect and detects all failures, what is the PFavg?<br />
4. A valve has a failure rate of 0.01 failures per year. A periodic inspection done once a year can detect 60% of the failures. The valve is operated for ten years before it is removed from service and overhauled. What is PFavg for the ten year operational interval?<br />
5. A PLC is programmed to protect against a dangerous condition that occurs once every ten years on average. The PLC is tested and inspected every year. Should this situation be modeled as LOW DEMAND MODE, HIGH DEMAND MODE or CONTINUOUS DEMAND MODE?<br />
6. A PLC is programmed to protect against a dangerous condition that occurs once every month on average. Automatic diagnostics inside the PLC run to completion every 60 seconds. The PLC is tested and inspected every year. Should this situation be modeled as LOW DEMAND MODE, HIGH DEMAND MODE or CONTINUOUS DEMAND MODE?<br />
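The constant-failure-rate relations behind Exercise Sets 1 and 2, applied to the figures those exercises state. This is an added worked example, not part of the exida exercise material and not its answer key: the relations are the standard exponential model (unreliability 1 - e^(-λt), steady-state unavailability λ·MTTR / (1 + λ·MTTR) for immediately detected and repaired failures, PFavg = λ·TI / 2 for a perfect periodic inspection) and the IEC 61508 (1998) demand-mode rule (low demand when demands occur no more than once per year and no more than twice the proof-test frequency).

```python
"""Added worked example: constant failure rate arithmetic for Exercise Sets 1 and 2."""
import math

HOURS_PER_YEAR = 8760


def rate_from_mission_probability(p_fail, mission_years):
    """Constant failure rate (per year) from P(fail within mission) = 1 - e^(-lambda t)."""
    return -math.log(1.0 - p_fail) / mission_years


def unreliability(lambda_per_year, mission_years):
    """F(t) = 1 - e^(-lambda t): probability of at least one failure in the mission."""
    return 1.0 - math.exp(-lambda_per_year * mission_years)


def steady_state_unavailability(lambda_per_year, mttr_hours):
    """All failures detected immediately and repaired: U = lambda*MTTR / (1 + lambda*MTTR)."""
    lam_h = lambda_per_year / HOURS_PER_YEAR
    return lam_h * mttr_hours / (1.0 + lam_h * mttr_hours)


def pf_avg(lambda_per_year, ti_years, coverage=1.0, lifetime_years=None):
    """Average probability of failure with periodic inspection: the fraction the
    inspection finds averages over TI, the rest over the operating life."""
    pf = coverage * lambda_per_year * ti_years / 2
    if coverage < 1.0:
        if lifetime_years is None:
            raise ValueError("lifetime_years is required when coverage < 1")
        pf += (1.0 - coverage) * lambda_per_year * lifetime_years / 2
    return pf


def demand_mode(demands_per_year, proof_tests_per_year):
    """IEC 61508 (1998) classification: low demand when demands are no more
    frequent than once per year and no more than twice the proof-test
    frequency; otherwise high demand or continuous mode."""
    if demands_per_year <= 1.0 and demands_per_year <= 2.0 * proof_tests_per_year:
        return "LOW DEMAND"
    return "HIGH DEMAND / CONTINUOUS"


def worked_answers():
    """Figures from Exercise Set 1 Q1 and Exercise Set 2 Q1-Q6."""
    lam1 = rate_from_mission_probability(0.1, 1)
    return {
        "set1_q1_p_fail_10y": unreliability(lam1, 10),
        "set2_q1_unreliability_5y": unreliability(0.01, 5),
        "set2_q2_unavailability": steady_state_unavailability(0.01, 24),
        "set2_q3_pf_avg": pf_avg(0.01, 1),
        "set2_q4_pf_avg": pf_avg(0.01, 1, coverage=0.6, lifetime_years=10),
        "set2_q5_mode": demand_mode(1 / 10, 1),
        "set2_q6_mode": demand_mode(12, 1),
    }


if __name__ == "__main__":
    for key, value in worked_answers().items():
        print(f"{key}: {value}")
```

Two points worth noticing in the output: the ten-year probability in Set 1 is not 10 x 0.1 but 1 - 0.9^10, and in Set 2 Q4 the 40% of failures the inspection cannot find dominate PFavg even though the inspection is annual, the same effect as in the pressure switch example of the course slides.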
Copyright© 2000-2008, exida.com LLC <strong>Functional</strong> <strong>Safety</strong> Eng. II Supplemental Material Page 2
Application Exercise Set 3 - Multiple Failure Modes and Common Cause<br />
1. A valve stem is stuck when "cold-welding" occurs between the O-rings and the stem. If the valve must close to provide the automatic protection function, what is the failure mode, fail-safe or fail-dangerous?<br />
2. A solenoid valve has a failure rate of 0.00003 failures per hour in the dangerous mode. What is the approximate PFD for a mission time of 2000 hours? What is the PFDavg for a mission time of 2000 hours?<br />
3. A solenoid valve has a failure rate of 0.000013 failures per hour in the dangerous mode and 0.0005 failures per hour in the safe mode. What is the approximate PFDavg for a mission time of 8000 hours?<br />
4. A temperature transmitter is used to sense an abnormal process condition. Two transmitters are arranged in a one-out-of-two voting arrangement. The transmitter has a failure rate of λ = 0.05 failures per year, and a beta factor of 10%. What is the PFDavg of this subsystem if a periodic inspection is done once a year that detects 90% of the failures? The transmitter subsystem is operated for ten years between major overhauls.<br />
Application Exercise Set 4 - Safe Failure Fraction, Failure Rates, Coverage Factors<br />
1. A transmitter has a failure rate of 500 * E-9 failures per hour. 62% of the failures are fail-safe. What is Lambda S? What is Lambda D?<br />
2. A transmitter has a failure rate of 500 * E-9 failures per hour. 62% of the failures are fail-safe. The coverage factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. What is Lambda SD? What is Lambda SU? What is Lambda DD? What is Lambda DU?<br />
3. A transmitter has a failure rate of 500 * E-9 failures per hour. 62% of the failures are fail-safe. The coverage factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. What is the Safe Failure Fraction for this transmitter?<br />
4. A smart transmitter has a failure rate of 500 * E-9 failures per hour. 62% of the failures are fail-safe. The coverage factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. With a hardware fault tolerance of 0, this transmitter is qualified for use in what SIL level?<br />
Revision 4.0, September 2008<br />
<strong>Functional</strong> <strong>Safety</strong> <strong>Engineering</strong> II<br />
exida.com LLC<br />
Application Exercise Set 5 - <strong>Functional</strong> <strong>Safety</strong> Management<br />
1. Based on IEC61508, which of the following statements about the required<br />
competency of individuals performing safety lifecycle tasks is correct:<br />
1. Must have a degree in engineering from an accredited university<br />
2. Must be certified by an independent third party organization<br />
3. The manager of the project must ascertain that the person is<br />
competent in all phases of the safety lifecycle<br />
a) 1 and 2 are true, 3 is false<br />
b) 1 and 3 are true, 2 is false<br />
c) 2 and 3 are true, 1 is false<br />
d) 1, 2 and 3 are true<br />
e) None of the above statements are true<br />
2. Which of the following information items is NOT required to be maintained<br />
throughout the lifecycle of an SIS:<br />
1. The results of the hazard and risk analysis and related assumptions<br />
2. Information regarding the equipment items used for safety<br />
instrumented functions together with the function's safety requirements<br />
3. The procedures necessary to maintain functional safety<br />
a) 1 and 2 are required, 3 is not<br />
b) 1 and 3 are required, 2 is not<br />
c) 2 and 3 are required, 1 is not<br />
d) 1, 2 and 3 are required<br />
e) None of the information items listed above are required<br />
3. Which of the following statements about the documentation required for<br />
safety planning are true:<br />
1. <strong>Safety</strong> Planning documentation can be included as a section in the<br />
quality plan entitled "safety plan".<br />
2. <strong>Safety</strong> Planning must be documented in a separate document entitled<br />
"safety plan".<br />
3. <strong>Safety</strong> Planning can be documented in a series of documents that may<br />
include other company procedures or working practices, such as<br />
corporate standards.<br />
a) 1 and 2 are true, 3 is false<br />
b) 1 and 3 are true, 2 is false<br />
c) 2 is true, 1 and 3 are false<br />
d) 1, 2 and 3 are true<br />
e) None of the above statements are true<br />
4. Which of the following statements about safety planning are true:<br />
1. <strong>Safety</strong> planning does not need to consider activities done by outside<br />
vendors or suppliers.<br />
2. <strong>Safety</strong> planning must designate how and when functional safety will be<br />
assessed.<br />
3. <strong>Safety</strong> planning does not need to specifically designate the level of<br />
independence of any functional safety assessment team.<br />
a) 1 and 2 are true, 3 is false<br />
b) 2 and 3 are true, 1 is false<br />
c) 2 is true, 1 and 3 are false<br />
d) 1, 2 and 3 are true<br />
e) None of the above statements are true<br />
5. When is functional safety assessed according to 61511?<br />
a) Usually before the hazard is present but always after a safety function<br />
trips.<br />
b) Always following system commissioning and validation but often after the<br />
safety requirements specification is complete as well.<br />
c) It can be assessed at any time as long as it is assessed at least once.<br />
d) It must be assessed after all system modifications.<br />
e) None of the above statements are true<br />
6. Which safety lifecycle roles and responsibilities must be designated?<br />
a) Those required for each phase of the safety lifecycle and its associated<br />
activities.<br />
b) <strong>Functional</strong> safety assessment activities<br />
c) <strong>Functional</strong> safety management activities<br />
d) Decommissioning activities.<br />
e) All of the above statements are correct<br />
Application Exercise Set 6 - Redundant Architectures<br />
1. Rank the following redundancy schemes from highest probability of failure on<br />
demand to lowest probability of failure on demand.<br />
Highest ---------Lowest<br />
a) 2oo2 - 1oo2 - 2oo3<br />
b) 2oo3 - 1oo2 - 2oo2<br />
c) 2oo3 - 2oo2 - 1oo2<br />
d) 2oo2 - 2oo3 - 1oo2<br />
e) 1oo2 - 2oo3 - 2oo2<br />
2. A 1oo2 architecture has a hardware fault tolerance per IEC 61508 (IEC 61511)<br />
of:<br />
a) 0<br />
b) 1<br />
c) 2<br />
3. A 2oo3 architecture has a hardware fault tolerance per IEC 61508 (IEC 61511)<br />
of:<br />
a) 0<br />
b) 1<br />
c) 2<br />
d) 3<br />
Application Exercise Set 7 - SIL 3 Pressure Protection Loop<br />
Group Exercise - do a SIL3 design and verify with PFDavg<br />
calculations, SFF calculations and a MTTFS calculation.<br />
Design the SIL3 loop using SILver to calculate PFDavg and AC SIL.<br />
Target 5 year test interval and MTTFS > 10 years.<br />
Application Exercise Set 8 - Periodic Inspection and Test Plans<br />
1. Name effective inspection and test techniques that should be<br />
considered for a pressure transmitter.<br />
2. Name effective inspection and test techniques that should be<br />
considered for a solenoid.<br />
Post Test<br />
1. Two power supplies are used in a redundant configuration. Assume one<br />
failure mode, lost power. Each power supply has a failure rate of 0.0005<br />
failures per year. Based on close physical mounting and identical power<br />
supplies, a beta factor of 0.1 is assigned. What is the system unreliability for<br />
a two-year mission time? Draw a fault tree for the system including common<br />
cause.<br />
2. Which of the following best describes the difference between verification and<br />
validation, as defined in IEC 61508 and IEC 61511.<br />
a) There are no differences. Verification and validation have the same<br />
meaning.<br />
b) Verification describes review tasks that are performed by independent<br />
assessment teams. Validation describes review tasks that are performed<br />
by the design team.<br />
c) Validation is the activity of demonstrating that the SIS meets the safety<br />
requirements specifications. Verification is the activity of demonstrating<br />
that for each safety lifecycle phase the requirements of the safety lifecycle<br />
model have been met.<br />
d) Validation is the process of creating a "V"-diagram of the tasks that are<br />
required to complete that safety lifecycle. Verification is the process of<br />
ensuring that competent individuals have completed those tasks.<br />
e) None of the above answers are correct.<br />
3. If the user of a product that was designed under the IEC 61508 standard is<br />
required to perform manual tests at a periodic interval to achieve the SIL that<br />
is listed in the product certification, the information regarding the necessity of<br />
the test, and the frequency the test is required to be performed must be<br />
provided in:<br />
a) Product safety manual<br />
b) Product Specification sheets<br />
c) Sales and marketing literature<br />
d) Equipment installation guides<br />
e) None of the above, the vendor is not required to share this information<br />
with the customer<br />
Post-Test <strong>Safety</strong> <strong>Engineering</strong> II exida.com, LLC<br />
4. A control valve is used in an SIS. The valve has a constant safe failure rate of<br />
0.02 failures per year and a constant dangerous failure rate of 0.05 failures<br />
per year. The valve is tested on a one-year interval where 85% of the failures<br />
are detected by the periodic inspection and test. The valve is operated for<br />
fifteen years until it is removed from service and overhauled. What is the<br />
average probability of failure on demand?<br />
5. Two different types of solenoid valves are used to block fuel flow to a burner in<br />
a SIS. The valves are piped in series. Both valves are energized and open in<br />
normal operation of the system. Both valves should close when a dangerous<br />
condition is detected. Both valves have one failure mode, fail-danger, with a<br />
failure rate of 0.0009 failures per year. Both valves are tested once every<br />
year and all failures are found during that test. Based on the differences<br />
between the valves, a common cause beta factor of 0.001 is assigned. What<br />
is the PFDavg of the valve subsystem including common cause?<br />
6. Draw a Markov model for the situation in problem 5.<br />
7. A "smart" transmitter has a failure rate of 0.05 failures/year. The safe failures<br />
ratio is 70%, and the diagnostic coverage of dangerous failures is 60%. The<br />
diagnostic coverage for safe failures is 70%. What is the Safe Failure<br />
Fraction? With hardware fault tolerance of 0, what SIL is allowed?<br />
FSE II, 4.0 - Solutions to Exercises<br />
Application Exercise Set 1 - Constant Failure Rate<br />
Question 1<br />
A system has a probability of failure (all modes) for each one-year mission time of 0.1. What is the probability<br />
of a failure for a ten-year mission time? (No wear out, etc.)<br />
Solution 1<br />
This type of problem contains a trap for the unwary -<br />
If this problem is approached as a discrete independent event each year, the probability of failure would be<br />
the sum of the probability of failure for each one-year mission (fails in year 1 OR fails in year 2 OR ... fails in<br />
year 10). The solution for a 10 year period would be<br />
PF(10 year mission) = A1 + A2 + A3 + A4 + A5 + A6 + A7 + A8 + A9 + A10<br />
= 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1<br />
= 1<br />
And for an 11 year mission?<br />
PF(11 year mission)<br />
= 1.1 (not a valid probability)<br />
Clearly this is NOT the approach to use.<br />
This type of problem is best approached from the probability of success (PS) for each one year mission,<br />
finding the probability of success for the 10 year mission, and then using the one's complement of success to<br />
determine failure.<br />
PS(1 year mission)<br />
= 1 - PF(1 year mission)<br />
= 1 -0.1<br />
= 0.9<br />
The probability of success for a 10 year mission is the probability of success in the first year AND the<br />
probability of success in the second year AND probability of success in the third year AND ... probability of<br />
success in the tenth year.<br />
PS(10 year mission)<br />
= 0.9 * 0.9 * ... * 0.9 (ten times)<br />
= (0.9)^10<br />
= 0.3487<br />
PF(10 year mission)<br />
= 1 - PS(10 year mission)<br />
= 1 - 0.3487<br />
= 0.6513<br />
The probability of a failure for a ten-year mission time = 0.6513<br />
FSE II - Solutions to Exercises Page 1 of 23
Question 2<br />
Unreliability for a system with one failure mode is given as 0.001. What is the reliability?<br />
Solution 2<br />
Reliability is the one's complement of Unreliability.<br />
Reliability<br />
= 1 - Unreliability<br />
= 1 - 0.001<br />
= 0.999<br />
The Reliability of the system is 0.999<br />
Question 3<br />
A module has an MTTF of 80 years for all failure modes. Assuming a constant failure rate, what is the total<br />
failure rate for all failure modes?<br />
Solution 3<br />
MTTF = 1 / λ<br />
λ = 1 / MTTF failures per year<br />
= 1 / 80 failures per year<br />
= 0.0125 failures per year<br />
= 0.0125 / 8760 failures per hour<br />
= 1.427 E-06 failures per hour<br />
The total failure rate for all failure modes = 1.427 E-06 failures per hour<br />
Question 4<br />
A module has an MTTF of 80 years. What is the reliability of this module for a time period of six months?<br />
Solution 4<br />
Reliability = e^(-λ * TI)<br />
λ = 1 / MTTF failures per year<br />
= 1 / 80 failures per year<br />
= 0.0125 failures per year<br />
TI = 0.5 years<br />
Reliability = e^(-(0.0125 * 0.5))<br />
= e^(-0.00625)<br />
= 0.9938<br />
The Reliability of this module over a six month period = 0.9938<br />
Question 5<br />
A transmitter has a total failure rate of 0.005 failures per year. What is the MTTF?<br />
Solution 5<br />
MTTF = 1 / λ<br />
λ = 0.005 failures per year<br />
MTTF = 1 / 0.005 failures per year<br />
= 200 years<br />
The MTTF = 200 years<br />
Application Exercise Set 2 - Reliability and Availability<br />
Question 1<br />
A PLC has a failure rate of 0.01 failures per year. What is the unreliability for a five year mission?<br />
Solution 1<br />
Unreliability is the probability of failure (PF)<br />
λ = 0.01 failures per year<br />
TI = 5 years<br />
PF = 1 - e^(-(0.01 * 5))<br />
= 1 - e^(-0.05)<br />
= 1 - 0.95123<br />
= 0.0488<br />
The unreliability for a five year mission = 0.0488<br />
Question 2<br />
A PLC has a failure rate of 0.01 failures per year. All failures are immediately detectable. The repair time<br />
average is 24 hours. What is the steady state unavailability?<br />
Solution 2<br />
Unavailability = MTTR / (MTTF + MTTR)<br />
MTTF = 1 / λ<br />
λ = 0.01 failures per year<br />
MTTF = 1 / 0.01 failures per year<br />
= 100 years<br />
= 876,000 hours<br />
MTTR = 24 hours<br />
Unavail = 24 / (876,000 + 24)<br />
= 27.4 E-06<br />
The steady state Unavailability = 27.4 E-06<br />
Question 3<br />
A PLC has a failure rate of 0.01 failures per year. Failures are detected only when a periodic inspection is done<br />
once per year. Assuming the periodic inspection is perfect, what is the PFavg?<br />
Solution 3<br />
PFavg = λ * (TI / 2)<br />
λ = 0.01 failures per year<br />
TI = 1 year<br />
PFavg = 0.01 * 0.5<br />
= 0.005<br />
The PFavg = 0.005 (assumes a perfect test with all failures repaired to original condition)<br />
Question 4<br />
A valve has a failure rate of 0.01 failures per year. A periodic inspection done once a year can detect 60% of the<br />
failures. The valve is operated for ten years before it is removed from service and overhauled. What is PFavg<br />
for the ten year operational interval?<br />
Solution 4<br />
PFavg = [Cpr * λ * (TI / 2)] + [(1 - Cpr) * λ * (LT / 2)]<br />
Cpr = 0.6 (60%)<br />
λ = 0.01 failures per year<br />
TI = 1 year<br />
LT = 10 years<br />
PFavg = [0.6 * 0.01 * 0.5] + [0.4 * 0.01 * 5]<br />
= 0.003 + 0.02<br />
= 0.023<br />
The PFavg for the ten year operational interval = 0.023<br />
This translates into a Risk Reduction Factor (RRF) of 43.5<br />
Let's see what happens if all faults are found and repaired each time (perfect test) ...<br />
PFavg = λ * (TI / 2)<br />
= 0.01 * 0.5<br />
= 0.005<br />
This translates into a Risk Reduction Factor (RRF) of 200<br />
Let's see what happens if there is no testing during the 10 year period ...<br />
PFavg = λ * (LT / 2)<br />
= 0.01 * 5<br />
= 0.05<br />
This translates into a Risk Reduction Factor (RRF) of 20<br />
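The constant-failure-rate formulas from Exercise Sets 1 and 2 (mission unreliability, MTTF to failure rate, reliability, steady-state unavailability, and PFavg with perfect, partial and no proof testing), collected into one Python module as an added example. This is my own code, not exida's; the function names and the 8760 hours-per-year constant are my choices, and the inputs in `main` are the exercise values.<br />

```python
import math

# The notebook converts 80 years to hours with 8760 h/year (Set 1, Solution 3).
HOURS_PER_YEAR = 8760


def mission_unreliability_from_annual(pf_one_year, years):
    """Probability of at least one failure over `years`, given the probability
    of failure in any single year (Set 1, Question 1).
    The yearly successes are ANDed (multiplied) and then complemented; summing
    the yearly failure probabilities instead exceeds 1 for an 11-year mission."""
    ps_one_year = 1.0 - pf_one_year
    return 1.0 - ps_one_year ** years


def failure_rate_from_mttf(mttf_years):
    """Constant failure rate lambda = 1 / MTTF, in failures per year."""
    return 1.0 / mttf_years


def per_hour(rate_per_year):
    """Convert a per-year rate to a per-hour rate."""
    return rate_per_year / HOURS_PER_YEAR


def reliability(lam_per_year, mission_years):
    """R(t) = exp(-lambda * t) for a constant failure rate."""
    return math.exp(-lam_per_year * mission_years)


def unreliability(lam_per_year, mission_years):
    """PF(t) = 1 - R(t)."""
    return 1.0 - reliability(lam_per_year, mission_years)


def steady_state_unavailability(mttf_hours, mttr_hours):
    """Unavailability for failures that are detected immediately and then
    repaired: MTTR / (MTTF + MTTR)."""
    return mttr_hours / (mttf_hours + mttr_hours)


def pfavg_perfect_test(lam_per_year, ti_years):
    """Average probability of failure when a perfect periodic test at interval
    TI finds and repairs every failure: lambda * TI / 2."""
    return lam_per_year * ti_years / 2.0


def pfavg_partial_test(lam_per_year, cpr, ti_years, lt_years):
    """Set 2, Question 4: the periodic test only finds the fraction Cpr of the
    failures every TI; the remainder persists until the overhaul at LT.
    The two classes of failure are mutually exclusive, so the contributions add.
    Cpr = 1.0 reduces to the perfect test, Cpr = 0.0 to no testing at all."""
    covered = cpr * lam_per_year * ti_years / 2.0
    uncovered = (1.0 - cpr) * lam_per_year * lt_years / 2.0
    return covered + uncovered


def risk_reduction_factor(pfavg):
    """RRF = 1 / PFavg."""
    return 1.0 / pfavg


if __name__ == "__main__":
    # Inputs below are the notebook's exercise values.
    print(f"10-year PF from 0.1/year: {mission_unreliability_from_annual(0.1, 10):.4f}")
    lam = failure_rate_from_mttf(80)
    print(f"MTTF 80 y -> {per_hour(lam):.3e} failures/hour, R(0.5 y) = {reliability(lam, 0.5):.4f}")
    print(f"PLC 0.01/y, 5-year PF = {unreliability(0.01, 5):.4f}")
    print(f"Unavailability, MTTR 24 h: {steady_state_unavailability(100 * HOURS_PER_YEAR, 24):.3e}")
    for cpr, label in ((1.0, "perfect test"), (0.6, "60% coverage"), (0.0, "no test")):
        pf = pfavg_partial_test(0.01, cpr, 1, 10)
        print(f"{label:13s}: PFavg = {pf:.4f}, RRF = {risk_reduction_factor(pf):.1f}")
```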
Question 5<br />
A PLC is programmed to protect against a dangerous condition that occurs once every ten years on average.<br />
The PLC is tested and inspected every year. Should this situation be modeled as LOW DEMAND MODE, HIGH<br />
DEMAND MODE or CONTINUOUS DEMAND MODE?<br />
Solution 5<br />
The demand rate is once every ten years on average. The periodic test and inspection is done once a year,<br />
clearly several times more rapidly than the demand condition. Therefore credit can be taken in the PF modelling<br />
and this is classified as low demand.<br />
Question 6<br />
A PLC is programmed to protect against a dangerous condition that occurs once every month on average. The<br />
PLC is tested and inspected every year. Should this situation be modeled as LOW DEMAND MODE, HIGH<br />
DEMAND MODE or CONTINUOUS DEMAND MODE?<br />
Solution 6<br />
The demand rate is once every month on average. The periodic test and inspection is done once a year so it is<br />
unlikely that this testing would detect a failure in time to prevent an accident. The automatic diagnostics run fast,<br />
therefore this is classified as high demand.<br />
Application Exercise Set 3 - Multiple Failure Modes and Common Cause<br />
Question 1<br />
A valve stem is stuck when "cold-welding" occurs between the O-rings and the stem. If the valve must close<br />
to provide the automatic protection function, what is the failure mode, fail-safe or fail-dangerous?<br />
Solution 1<br />
The valve will not perform the protection function if it cannot close. Therefore this is classified as fail-danger.<br />
Question 2<br />
A solenoid valve has a failure rate of 0.00003 failures per hour in the dangerous mode. What is the<br />
approximate PFD for a mission time of 2000 hours? What is the PFDavg for a mission time of 2000 hours?<br />
Solution 2<br />
Using the complete equation:<br />
PF = 1 - e^(-λ * TI)<br />
= 1 - e^(-(0.00003 * 2000))<br />
= 1 - e^(-0.06)<br />
= 1 - 0.9418<br />
= 0.0582<br />
PFavg = 1 - (1 / (λ * TI)) * (1 - e^(-λ * TI))<br />
= 1 - (1 / (0.00003 * 2000)) * (1 - e^(-(0.00003 * 2000)))<br />
= 1 - (1 / 0.06) * (1 - e^(-0.06))<br />
= 1 - 0.9706<br />
= 0.0294<br />
Using the approximation:<br />
PF = λ * TI<br />
= 0.00003 * 2000<br />
= 0.06<br />
PFavg = λ * (TI / 2)<br />
= 0.00003 * (2000 / 2)<br />
= 0.03<br />
Question 3<br />
A solenoid valve has a failure rate of 0.000013 failures per hour in the dangerous mode and 0.0005 failures<br />
per hour in the safe mode. What is the approximate PFDavg for a mission time of 8000 hours?<br />
Solution 3<br />
Using the complete equation:<br />
PFavg = 1 - (1 / (λ * TI)) * (1 - e^(-λ * TI))<br />
= 1 - (1 / (0.000013 * 8000)) * (1 - e^(-(0.000013 * 8000)))<br />
= 1 - (1 / 0.104) * (1 - e^(-0.104))<br />
= 1 - 0.9498<br />
= 0.0502<br />
Using the approximation:<br />
PFavg = λ * (TI / 2)<br />
= 0.000013 * (8000 / 2)<br />
= 0.000013 * 4000<br />
= 0.052<br />
Question 4<br />
A temperature transmitter is used to sense an abnormal process condition. Two transmitters are arranged in<br />
a one-out-of-two voting arrangement. The transmitter has a failure rate of λ = 0.05 failures per year, and a<br />
beta factor of 10%. What is the PFDavg of this subsystem if a periodic inspection is done once a year that<br />
detects 90% of the failures? The transmitter subsystem is operated for ten years between major overhauls.<br />
Solution 4<br />
This problem is complicated and it is best to break it down into parts to solve it. To consider the partial<br />
coverage testing it is worth remembering that the overall system can fail because of a fault that is covered by<br />
the annual test, OR a fault that is not found until the major overhaul after 10 years. These two contributions<br />
to the PFDavg are added together because the two different kinds of faults are mutually exclusive.<br />
λtotal = 0.05 failures per year<br />
β = 0.1 (10%)<br />
TI = 1 year<br />
CPT = 0.9 (90%) fraction of failures covered by the one year test<br />
LT = 10 years<br />
Contribution to PFDavg from faults covered by 1 year test interval<br />
In considering the contribution of the faults corrected in the annual test, we need to make sure we use the<br />
proper part of the overall failure rate. Since the coverage factor for the test CPT = 90%, we can look at the<br />
effective rate of failures of interest as<br />
λtotal (1 yr) = 0.9 * 0.05 = 0.045<br />
Then because there is a second level of complexity with the common cause failures, we need to split this 1<br />
year lambda total into a λCC (1 yr) and a λN (1 yr) by use of the beta factor.<br />
λtotal (1 yr) = λtotal * CPT = 0.05 * 0.9 = 0.045<br />
λCC (1 yr) = λtotal (1 yr) * β = 0.045 * 0.1 = 0.0045<br />
λN (1 yr) = λtotal (1 yr) * (1 - β) = 0.045 * 0.9 = 0.0405<br />
Now, because the normal independent failure mode is a 1oo2 voting system, we use the integrated formula<br />
for PFDavg due to normal mode failure. Then we add this to the common mode failure component for the 1<br />
year part since the system either fails in normal independent mode OR by common mode.<br />
PFDavg N (1 yr) = [λN (1 yr)^2 * TI^2] / 3 = [0.0405^2 * 1^2] / 3 = 0.00055<br />
PFDavg CC (1 yr) = [λCC (1 yr) * TI] / 2 = [0.0045 * 1] / 2 = 0.00225<br />
PFDavg SYS (1 yr) = PFDavg N (1 yr) + PFDavg CC (1 yr) = 0.00055 + 0.00225 = 0.0028<br />
Contribution to PFDavg from faults covered by 10 year overhaul<br />
We now do the same thing for the 10 year overall faults contribution. Again we need to make sure we use<br />
the proper part of the overall failure rate. Since the coverage factor for the test CPT = 90%, we can look at the<br />
effective rate of failures of interest as:<br />
λtotal (10 yr) = λtotal * (1 - CPT) = 0.05 * (1 - 0.9) = 0.005<br />
Then because there is a second level of complexity with the common cause failures, we again need to split<br />
this 10 year lambda total into a λCC (10 yr) and a λN (10 yr) by use of the beta factor.<br />
λtotal (10 yr) = λtotal * (1 - CPT) = 0.05 * (1 - 0.9) = 0.005<br />
λCC (10 yr) = λtotal (10 yr) * β = 0.005 * 0.1 = 0.0005<br />
λN (10 yr) = λtotal (10 yr) * (1 - β) = 0.005 * 0.9 = 0.0045<br />
As before, because the normal independent failure mode is a 1oo2 voting system, we use the integrated<br />
formula for PFDavg due to normal mode failure. Then we add this to the common mode failure component<br />
for the 10 year part since the system either fails in normal independent mode OR by common mode.<br />
PFDavg N (10 yr) = [λN (10 yr)^2 * TI^2] / 3 = [0.0045^2 * 10^2] / 3 = 0.00068<br />
PFDavg CC (10 yr) = [λCC (10 yr) * TI] / 2 = [0.0005 * 10] / 2 = 0.00250<br />
PFDavg SYS (10 yr) = PFDavg N (10 yr) + PFDavg CC (10 yr) = 0.00068 + 0.00250 = 0.00318<br />
Summing up the overall PFDavg<br />
Finally, we add the 1 year tested failure contribution to the 10 year overall corrected failure contribution to get<br />
the total PFDavg for the system considering all of the pathways.<br />
Total PFDavg = PFDavg SYS (1 year) + PFDavg SYS (10 year) = 0.00280 + 0.00318 = 0.00598<br />
Total RRF = 1 / Total PFDavg = 167.2<br />
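The Set 3 calculations in code, as an added example that is my own and not exida's: the exact versus approximate single-channel PFDavg from Questions 2 and 3, and the Question 4 procedure of splitting the 1oo2 failure rate first by proof-test coverage and then by the beta factor. Function names and the slice labels "tested" and "overhaul" are my own; the `main` inputs are the exercise values.<br />

```python
import math


def pfavg_single_exact(lam, ti):
    """Average PFD of a single channel over proof-test interval TI, obtained by
    integrating 1 - exp(-lambda t):
    PFavg = 1 - (1 / (lambda * TI)) * (1 - exp(-lambda * TI))."""
    x = lam * ti
    return 1.0 - (1.0 - math.exp(-x)) / x


def pfavg_single_approx(lam, ti):
    """Approximation used throughout the notebook, adequate when lambda * TI is
    small: PFavg = lambda * TI / 2."""
    return lam * ti / 2.0


def pfavg_1oo2_independent(lam_n, ti):
    """Integrated 1oo2 formula for independent (normal-mode) failures:
    [(lambda_N)^2 * TI^2] / 3."""
    return (lam_n * ti) ** 2 / 3.0


def pfavg_common_cause(lam_cc, ti):
    """A common-cause failure takes both channels out together, so that slice
    behaves like a single channel: lambda_CC * TI / 2."""
    return lam_cc * ti / 2.0


def pfdavg_1oo2_partial_test(lam_total, beta, cpt, ti, lt):
    """Set 3, Question 4.

    The failure rate is split twice: by proof-test coverage CPT (found at the
    test interval TI versus found only at the overhaul LT), then by the beta
    factor (common cause versus independent). Each of the four slices gets its
    own PFDavg over its own interval; the slices are mutually exclusive failure
    pathways, so their contributions add.

    Returns (total, breakdown) where breakdown maps a slice label to its PFDavg.
    """
    breakdown = {}
    for label, fraction, interval in (("tested", cpt, ti), ("overhaul", 1.0 - cpt, lt)):
        lam_slice = lam_total * fraction          # part of lambda found in this interval
        lam_cc = lam_slice * beta                 # common-cause part of that slice
        lam_n = lam_slice * (1.0 - beta)          # independent part of that slice
        breakdown[f"N {label}"] = pfavg_1oo2_independent(lam_n, interval)
        breakdown[f"CC {label}"] = pfavg_common_cause(lam_cc, interval)
    return sum(breakdown.values()), breakdown


if __name__ == "__main__":
    # Question 2: lambda_D = 0.00003 /h, TI = 2000 h
    print(f"Q2 exact {pfavg_single_exact(0.00003, 2000):.4f}, approx {pfavg_single_approx(0.00003, 2000):.4f}")
    # Question 3: lambda_D = 0.000013 /h, TI = 8000 h
    print(f"Q3 exact {pfavg_single_exact(0.000013, 8000):.4f}, approx {pfavg_single_approx(0.000013, 8000):.4f}")
    # Question 4: lambda = 0.05 /yr, beta = 10%, CPT = 90%, TI = 1 yr, LT = 10 yr
    total, parts = pfdavg_1oo2_partial_test(0.05, 0.1, 0.9, 1, 10)
    for name, value in parts.items():
        print(f"  PFDavg {name:12s} = {value:.5f}")
    print(f"Total PFDavg = {total:.5f}, RRF = {1 / total:.1f}")
```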
Application Exercise Set 4 - Safe Failure Fraction, Failure Rates, Coverage Factors<br />
Question 1<br />
A transmitter has a failure rate of 500 * E-09 failures per hour. 62% of the failures are fail-safe. What is λS?<br />
What is λD?<br />
Solution 1<br />
λtotal = 500 E-09 failures per hour (FIT)<br />
%Safe = 0.62 (62%)<br />
λS = λtotal * %Safe = 500 E-09 * 0.62 = 310 E-09 failures per hour (FIT)<br />
λD = λtotal * (1 - %Safe) = 500 E-09 * 0.38 = 190 E-09 failures per hour (FIT)<br />
Question 2<br />
A transmitter has a failure rate of 500 * E-09 failures per hour. 62% of the failures are fail-safe. The<br />
coverage factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. What is λSD?<br />
What is λSU? What is λDD? What is λDU?<br />
Solution 2<br />
The approach to this problem is to split the failure rate into safe and dangerous failures, then split safe<br />
failures into safe (detected) and safe (undetected), and split dangerous failures into dangerous (detected)<br />
and dangerous (undetected).<br />
λtotal = 500 E-09 failures per hour (FIT)<br />
%Safe = 0.62 (62%)<br />
CS = 74%<br />
CD = 96%<br />
λS = λtotal * %Safe = 500 E-09 * 0.62 = 310 E-09 failures per hour (FIT)<br />
λD = λtotal * (1 - %Safe) = 500 E-09 * 0.38 = 190 E-09 failures per hour (FIT)<br />
λSD = λS * CS = 310 E-09 * 0.74 = 229.4 FIT<br />
λSU = λS * (1 - CS) = 310 E-09 * 0.26 = 80.6 FIT<br />
λDD = λD * CD = 190 E-09 * 0.96 = 182.4 FIT<br />
λDU = λD * (1 - CD) = 190 E-09 * 0.04 = 7.6 FIT<br />
Question 3<br />
A transmitter has a failure rate of 500 • E-9 failures per hour. 62% of the failures are fail-safe. The coverage<br />
factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. What is the Safe Failure<br />
Fraction for this transmitter?<br />
Solution 3<br />
Use the results from Question 2<br />
SFF = [λSD + λSU + λDD] / λtotal = [229.4 + 80.6 + 182.4] / 500 = 0.9848 = 98.48%<br />
Question 4<br />
A transmitter has a failure rate of 500 • E-9 failures per hour. 62% of the failures are fail-safe. The coverage<br />
factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. With a hardware fault<br />
tolerance of 0, this transmitter is qualified for use in what SIL level?<br />
Solution 4<br />
TYPE A - "A subsystem can be regarded as type A if, for the components required to achieve the safety function<br />
a) the failure modes of all constituent components are well defined; and<br />
b) the behavior of the subsystem under fault conditions can be completely determined; and<br />
c) there is sufficient dependable failure data from field experience to show that the claimed rates of failure for<br />
detected and undetected dangerous failures are met."<br />
TYPE B - everything else!<br />
IEC 61508, Part 2, Section 7.4.3.1.2<br />
[Table: Safe Failure Fraction vs. Hardware Fault Tolerance, Type A]<br />
[Table: Safe Failure Fraction vs. Hardware Fault Tolerance, Type B]<br />
As we can't determine whether the transmitter can satisfy<br />
the requirements of Type A, we choose Type B.<br />
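The Set 4 procedure in code, as an added example that is my own and not exida's: split the failure rate into λSD, λSU, λDD and λDU (Questions 1 and 2), compute the SFF (Question 3), and look up the architectural constraint for a given hardware fault tolerance (Question 4). The `MAX_SIL` table is transcribed from my reading of IEC 61508-2 Tables 2 and 3 (Type A and Type B), not from this notebook, and should be checked against the standard before use; the class and function names are my own.<br />

```python
from dataclasses import dataclass

# Architectural constraints as transcribed here from IEC 61508-2 Tables 2 (Type A)
# and 3 (Type B): for each SFF band, the maximum SIL at hardware fault tolerance
# 0, 1 and 2. None means the configuration is not allowed. Verify against the
# standard; this is my transcription, not the notebook's.
SFF_BANDS = ((0.0, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.01))
MAX_SIL = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}


@dataclass
class FailureRates:
    """Failure rates in FIT (1 FIT = 1 E-09 failures per hour)."""
    sd: float  # safe, detected by diagnostics
    su: float  # safe, undetected
    dd: float  # dangerous, detected by diagnostics
    du: float  # dangerous, undetected

    @property
    def total(self):
        return self.sd + self.su + self.dd + self.du

    @property
    def sff(self):
        """Safe Failure Fraction: every failure except dangerous undetected."""
        return (self.sd + self.su + self.dd) / self.total


def split_failure_rate(lam_total_fit, safe_fraction, c_s, c_d):
    """Set 4, Questions 1 and 2: split lambda into safe and dangerous by the
    safe-failure ratio, then split each by its diagnostic coverage."""
    lam_s = lam_total_fit * safe_fraction
    lam_d = lam_total_fit * (1.0 - safe_fraction)
    return FailureRates(
        sd=lam_s * c_s,
        su=lam_s * (1.0 - c_s),
        dd=lam_d * c_d,
        du=lam_d * (1.0 - c_d),
    )


def sff_band_index(sff):
    """Index of the SFF band (<60%, 60-<90%, 90-<99%, >=99%) that contains sff."""
    for i, (lo, hi) in enumerate(SFF_BANDS):
        if lo <= sff < hi:
            return i
    raise ValueError(f"SFF out of range: {sff}")


def max_sil(sff, hft, subsystem_type="B"):
    """Highest SIL the subsystem may claim for its SFF and hardware fault
    tolerance (0, 1 or 2). Type B is the default, as in the notebook's
    Solution 4, when Type A cannot be demonstrated."""
    if hft not in (0, 1, 2):
        raise ValueError("hardware fault tolerance must be 0, 1 or 2")
    return MAX_SIL[subsystem_type][sff_band_index(sff)][hft]


if __name__ == "__main__":
    # Exercise values: 500 FIT, 62% safe, CS = 74%, CD = 96%
    rates = split_failure_rate(500.0, 0.62, 0.74, 0.96)
    print(f"SD={rates.sd:.1f} SU={rates.su:.1f} DD={rates.dd:.1f} DU={rates.du:.1f} FIT")
    print(f"SFF = {rates.sff:.2%}")
    for hft in (0, 1, 2):
        print(f"Type B, HFT {hft}: max SIL {max_sil(rates.sff, hft)}")
```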
Application Exercise Set 5 - <strong>Functional</strong> <strong>Safety</strong> Management<br />
Question 1<br />
Based on IEC61508, which of the following statements about the required competency of individuals<br />
performing safety lifecycle tasks is correct:<br />
1. Must have a degree in engineering from an accredited university<br />
2. Must be certified by an independent third party organization<br />
3. The manager of the project must ascertain that the person is competent in all phases of the<br />
safety lifecycle<br />
a) 1 and 2 are true, 3 is false<br />
b) 1 and 3 are true, 2 is false<br />
c) 2 and 3 are true, 1 is false<br />
d) 1, 2 and 3 are true<br />
e) None of the above statements are true<br />
Solution 1<br />
Addressed specifically in Annex A, IEC61508<br />
Ensure that staff "involved in any of the overall or software SLC activities are competent"<br />
Training, experience, and qualifications should all be assessed and documented<br />
+ System engineering knowledge<br />
+ <strong>Safety</strong> engineering knowledge<br />
+ Legal and regulatory requirements knowledge<br />
+ More critical for novel systems or high SIL requirements<br />
From the above -<br />
A person does not need to have a degree, or be certified by an independent third party.<br />
A person must be competent in the part of the <strong>Safety</strong> Lifecycle they are involved with.<br />
Therefore the correct answer is e)<br />
Question 2<br />
Which of the following information items is NOT required to be maintained throughout the lifecycle of an SIS:<br />
1. The results of the hazard and risk analysis and related assumptions<br />
2. Information regarding the equipment items used for safety instrumented functions together with<br />
the function's safety requirements<br />
3. The procedures necessary to maintain functional safety<br />
a) 1 and 2 are required, 3 is not<br />
b) 1 and 3 are required, 2 is not<br />
c) 2 and 3 are required, 1 is not<br />
d) 1, 2 and 3 are required<br />
e) None of the information items listed above are required<br />
Solution 2<br />
All of the documents mentioned are required to be maintained throughout the lifecycle of an SIS.<br />
Therefore the correct answer is d)<br />
Question 3<br />
Which of the following statements about the documentation required for safety planning are true:<br />
1. <strong>Safety</strong> planning documentation can be included as a section in the quality plan entitled "safety<br />
plan".<br />
2. <strong>Safety</strong> planning must be documented in a separate document entitled "safety plan".<br />
3. <strong>Safety</strong> planning can be documented in a series of documents that may include other company<br />
procedures or working practices, such as corporate standards.<br />
a) 1 and 2 are true, 3 is false<br />
b) 1 and 3 are true, 2 is false<br />
c) 2 is true, 1 and 3 are false<br />
d) 1, 2 and 3 are true<br />
e) None of the above statements are true<br />
Solution 3<br />
<strong>Safety</strong> planning must be documented, but there is no specific requirement to create a separate document<br />
entitled '<strong>Safety</strong> plan'.<br />
Therefore statement 2 is not correct, and the correct choice is b)<br />
Question 4<br />
Which of the following statements about safety planning are true:<br />
1. <strong>Safety</strong> planning does not need to consider activities done by outside vendors or suppliers.<br />
2. <strong>Safety</strong> planning must designate how and when functional safety will be assessed.<br />
3. <strong>Safety</strong> planning does not need to specifically designate the level of independence of any<br />
functional safety assessment team.<br />
a) 1 and 2 are true, 3 is false<br />
b) 2 and 3 are true, 1 is false<br />
c) 2 is true, 1 and 3 are false<br />
d) 1, 2 and 3 are true<br />
e) None of the above statements are true<br />
Solution 4<br />
Safety planning does need to consider activities done by outside vendors or suppliers.<br />
Safety planning does need to specifically designate the level of independence of any functional safety<br />
assessment team.<br />
Therefore statements 1 and 3 are not true, statement 2 is true, and the correct answer is c)<br />
Question 5<br />
When is functional safety assessed according to IEC 61511?<br />
a) Usually before the hazard is present but always after a safety function trips.<br />
b) Always following system commissioning and validation but often after the safety requirements<br />
specification is complete as well.<br />
c) It can be assessed at any time as long as it is assessed at least once.<br />
d) It must be assessed after all system modifications.<br />
e) None of the above statements are true<br />
Solution 5<br />
Functional safety is always assessed following system commissioning and validation, but often after the<br />
safety requirements specification is complete as well.<br />
Therefore the correct answer is b)<br />
Question 6<br />
Which safety lifecycle roles and responsibilities must be designated?<br />
a) Those required for each phase of the safety lifecycle and its associated activities.<br />
b) Functional safety assessment activities<br />
c) Functional safety management activities<br />
d) Decommissioning activities.<br />
e) All of the above statements are correct<br />
Solution 6<br />
All of the statements above are true.<br />
Therefore the correct answer is e)<br />
Application Exercise Set 6 - Redundant Architectures<br />
Question 1<br />
Rank the following redundancy schemes from highest probability of failure on demand to lowest probability of<br />
failure on demand.<br />
Highest ---------- Lowest<br />
a) 2oo2 - 1oo2 - 2oo3<br />
b) 2oo3 - 1oo2 - 2oo2<br />
c) 2oo3 - 2oo2 - 1oo2<br />
d) 2oo2 - 2oo3 - 1oo2<br />
e) 1oo2 - 2oo3 - 2oo2<br />
Solution 1<br />
The lowest probability of failure on demand is achieved by a 1oo2 configuration.<br />
The next lowest probability of failure on demand is achieved by a 2oo3 configuration.<br />
The highest probability of failure on demand of the three configurations is found in the 2oo2 configuration.<br />
Therefore, ranked by PFDavg from highest to lowest, 2oo2 > 2oo3 > 1oo2, and the answer is d)<br />
Question 2<br />
A 1oo2 architecture has a hardware fault tolerance per IEC 61508 (IEC 61511) of:<br />
a) 0<br />
b) 1<br />
c) 2<br />
Solution 2<br />
A 1oo2 architecture has a hardware fault tolerance of 1.<br />
Therefore the correct answer is b)<br />
Question 3<br />
A 2oo3 architecture has a hardware fault tolerance per IEC 61508 (IEC 61511) of:<br />
a) 0<br />
b) 1<br />
c) 2<br />
d) 3<br />
Solution 3<br />
A 2oo3 architecture has a hardware fault tolerance of 1.<br />
Therefore the correct answer is b)<br />
Application Exercise Set 7 - SIL 3 Pressure Protection Loop<br />
Question 1<br />
Group Exercise -<br />
Design a SIL 3 loop and verify it with PFDavg calculations, SFF calculations and an MTTFS calculation.<br />
Design the SIL3 loop using SILver to calculate PFDavg and AC SIL.<br />
Target 5 year test interval and MTTFS > 10 years.<br />
Solution 1<br />
This is a class exercise and will be answered during the class.<br />
Application Exercise Set 8 - Periodic Inspection and Test Plans<br />
Question 1<br />
Name effective inspection and test techniques that should be considered for a pressure transmitter.<br />
Solution 1<br />
a. Full-scale analog signal shift -10% to +110%<br />
b. Check (and clean) impulse lines<br />
c. Visually inspect for corrosion<br />
d. Consider interface aspects with controller open/short<br />
Question 2<br />
Name effective inspection and test techniques that should be considered for a solenoid.<br />
Solution 2<br />
a. Check speed of response when cycling<br />
b. Listen for abnormal sounds when cycling<br />
c. Check air quality<br />
d. Check voltage losses due to resistance<br />
e. Check fully closed and fully open<br />
f. Clean vent ports<br />
g. Check for force variations<br />
FSE II - Post-Test<br />
Question 1<br />
Two power supplies are used in a redundant configuration. Assume one failure mode, lost power. Each<br />
power supply has a failure rate of 0.0005 failures per year. Based on close physical mounting and identical<br />
power supplies, a beta factor of 0.1 is assigned. What is the system unreliability for a two-year mission time?<br />
Draw a fault tree for the system including common cause.<br />
Solution 1<br />
Unreliability is the probability of failure, PF = U(T), taken here as U ≈ λ × T (valid while λ × T << 1).<br />
λ = 0.0005 failures per year<br />
T = 2 years (mission time)<br />
β = 0.1<br />
Split the failure rate with the beta factor into a common-cause part and an independent part:<br />
λ_CC = λ × β = 0.0005 × 0.1 = 0.00005 failures per year<br />
λ_N = λ × (1 - β) = 0.0005 × 0.9 = 0.00045 failures per year<br />
U_CC = λ_CC × T = 0.00005 × 2 = 0.0001<br />
U_TX = λ_N × T = 0.00045 × 2 = 0.0009 (independent failure of one supply; TxA and TxB are the two power supplies)<br />
Fault tree: lost power = (TxA fails AND TxB fails) OR common-cause failure<br />
        Lost power (top event)<br />
                |<br />
               OR<br />
          /          \<br />
        AND          CC (λ_CC)<br />
       /   \<br />
     TxA   TxB<br />
    (λ_N) (λ_N)<br />
U_TXA AND TXB = U_TX² = 0.0009 × 0.0009 = 0.81E-06 (TxA fails AND TxB fails)<br />
U_total = U_TX² + U_CC = 0.81E-06 + 0.0001 = 0.00010081 (the OR gate is taken as a sum, the rare-event approximation)<br />
The unreliability for a two year mission = 0.00010081<br />
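The fault tree above evaluated in code, as an added example that is not part of the notebook: the beta factor splits the rate into a common-cause branch and two independent branches, the AND gate multiplies the branch unreliabilities and the OR gate combines them. All numeric inputs are the question's own; the `exact` switch, which swaps the notebook's linear λ × T approximation for 1 - e^(-λT), is an addition for comparison.<br />

```python
import math

# Added example (not from the course notebook): evaluate the redundant
# power-supply fault tree of Post-Test Question 1 with a beta-factor
# common-cause split.  Rates are in failures per year, times in years;
# the numeric inputs in main() are the question's own values.


def beta_split(lam, beta):
    """Split a failure rate into its common-cause and independent parts."""
    return lam * beta, lam * (1.0 - beta)


def unreliability(lam, t, exact=False):
    """Probability that a constant-rate item has failed by time t.

    The notebook uses the linear approximation lam*t, which is fine while
    lam*t << 1; exact=True evaluates 1 - exp(-lam*t) instead.
    """
    return 1.0 - math.exp(-lam * t) if exact else lam * t


def and_gate(*p):
    """AND gate: every input event must occur (inputs independent)."""
    return math.prod(p)


def or_gate(*p):
    """OR gate: at least one input event occurs.  1 - prod(1 - p) is used
    rather than sum(p) so the result is still a probability when the inputs
    are not rare; for the values here both agree to better than 1e-10."""
    return 1.0 - math.prod(1.0 - x for x in p)


def redundant_pair_unreliability(lam, beta, t, exact=False):
    """Top event: (A fails AND B fails) OR common-cause failure of both.

    The independent branch of each unit carries lam*(1-beta); the common
    cause branch carries lam*beta and defeats the redundancy on its own.
    """
    lam_cc, lam_n = beta_split(lam, beta)
    u_a = u_b = unreliability(lam_n, t, exact)
    u_cc = unreliability(lam_cc, t, exact)
    return or_gate(and_gate(u_a, u_b), u_cc)


if __name__ == "__main__":
    for beta in (0.0, 0.1):
        u = redundant_pair_unreliability(0.0005, beta, 2.0)
        print(f"beta = {beta:.1f}: U(2 years) = {u:.4e}")
```

Running it with β = 0 gives 1.0 × 10^-6 for the pair and with β = 0.1 gives 1.008 × 10^-4, so the common-cause branch, not the coincident independent failures, sets the result by two orders of magnitude; this is why the beta factor matters more than the redundancy arithmetic for closely mounted identical units.<br />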
Question 2<br />
Which of the following best describes the difference between verification and validation, as defined in IEC<br />
61508 and IEC 61511?<br />
a) There are no differences. Verification and validation have the same meaning.<br />
b) Verification describes review tasks that are performed by independent assessment teams. Validation<br />
describes review tasks that are performed by the design team.<br />
c) Validation is the activity of demonstrating that the SIS meets the safety requirements specifications.<br />
Verification is the activity of demonstrating that for each safety lifecycle phase the requirements of<br />
the safety lifecycle model have been met.<br />
d) Validation is the process of creating a "V"-diagram of the tasks that are required to complete that<br />
safety lifecycle. Verification is the process of ensuring that competent individuals have completed<br />
those tasks.<br />
e) None of the above answers are correct.<br />
Solution 2<br />
Validation is the activity of demonstrating that the SIS meets the safety requirements specifications.<br />
Verification is the activity of demonstrating that for each safety lifecycle phase the requirements of the safety<br />
lifecycle model have been met.<br />
Therefore the correct answer is c)<br />
Question 3<br />
If the user of a product that was designed under the IEC 61508 standard is required to perform manual tests<br />
at a periodic interval to achieve the SIL that is listed in the product certification, the information regarding the<br />
necessity of the test, and the frequency the test is required to be performed must be provided in:<br />
a) Product safety manual<br />
b) Product Specification sheets<br />
c) Sales and marketing literature<br />
d) Equipment installation guides<br />
e) None of the above, the vendor is not required to share this information with the customer<br />
Solution 3<br />
The information regarding the necessity of the test, and the frequency the test is required to be performed<br />
must be provided in the product safety manual.<br />
Therefore the correct answer is a)<br />
Question 4<br />
A control valve is used in an SIS. The valve has a constant safe failure rate of 0.02 failures per year and a<br />
constant dangerous failure rate of 0.05 failures per year. The valve is tested on a one-year interval where<br />
85% of the failures are detected by the periodic inspection and test. The valve is operated for fifteen years<br />
until it is removed from service and overhauled. What is the average probability of failure on demand?<br />
Solution 4<br />
λ_S = 0.02 failures per year (note that the safe failure rate is not used in the solution)<br />
λ_D = 0.05 failures per year<br />
TI = 1 year<br />
C_PT = 0.85 (85%)<br />
LT = 15 years<br />
PFDavg = [C_PT × λ_D × TI]/2 + [(1 - C_PT) × λ_D × LT]/2<br />
= [0.85 × 0.05 × 1]/2 + [0.15 × 0.05 × 15]/2<br />
= 0.02125 + 0.05625<br />
= 0.0775<br />
Detailed solution to Question 4 of Exercise Set 3<br />
Functional Safety Engineering 2, exida, August 2003<br />
Question 4: A temperature transmitter is used to sense an abnormal process condition.<br />
Two transmitters are arranged in a one-out-of-two voting arrangement. The transmitter<br />
has a failure rate of λ = 0.05 failures per year, and a beta factor of 10%.<br />
What is the PFDavg of this subsystem if a periodic inspection is done once a year<br />
that detects 90% of the failures? The transmitter subsystem is operated for<br />
ten years between major overhauls.<br />
Initial data and calculation of the relevant failure rates:<br />
Total λ = 0.05 failures/year<br />
β = 0.1<br />
TI = 1 year (partial coverage test interval)<br />
C_PT = 0.9 (fraction of failures covered by the 1 year test)<br />
LT = 10 years (total mission time between overhauls)<br />
This problem is complicated and is best considered in several parts.<br />
To handle the partial coverage testing and the total coverage testing, it is worth<br />
remembering that the overall system can fail because of a fault that is covered by the annual<br />
test OR by a fault that is only fixed during the major overhaul at the end of 10 years. These<br />
two contributions to the PFDavg are added together because the two kinds of faults<br />
are mutually exclusive. With this in mind, we can calculate each contribution separately.<br />
1 year test interval faults' contribution to the overall PFDavg<br />
In considering the contribution of the faults corrected in the annual test, we need to make<br />
sure we use the proper part of the overall failure rate. Since the coverage factor for the test<br />
is C_PT = 90%, the effective rate of the failures of interest is<br />
C_PT × Total λ = 0.9 × 0.05 = 0.045 = λ_Total (1 year).<br />
Then, because there is a second level of complexity with the common cause failures, we<br />
need to split this 1 year λ_Total into a λ_CC (1 year) and a λ_N (1 year) by use of the beta factor.<br />
λ_Total (1 year) = λ_Total × C_PT = 0.05 × 0.9 = 0.045<br />
λ_CC (1 year) = λ_Total (1 year) × β = 0.045 × 0.1 = 0.0045<br />
λ_N (1 year) = λ_Total (1 year) × (1 - β) = 0.045 × (1 - 0.1) = 0.0405<br />
Now, because the normal independent failure mode is a 1oo2 voting system, we use the<br />
integrated formula for PFDavg due to normal mode failure. Then we add this to the common<br />
mode failure component for the 1 year part, since the system either fails in normal<br />
independent mode OR by common mode.<br />
PFDavg_N (1 year) = (λ_N (1 year)² × TI²)/3 = (0.0405² × 1²)/3 = 0.00055 (about 20% of this part)<br />
PFDavg_CC (1 year) = (λ_CC (1 year) × TI)/2 = (0.0045 × 1)/2 = 0.00225 (about 80%)<br />
PFDavg_SYS (1 year) = PFDavg_N (1 year) + PFDavg_CC (1 year) = 0.00280<br />
10 year test interval faults' contribution to the overall PFDavg<br />
We then do the same thing for the contribution of the faults that are only corrected at the 10 year<br />
overhaul. Again we need to make sure we use the proper part of the overall failure rate. Since the<br />
coverage factor for the test is C_PT = 90%, the effective rate of the failures of interest is<br />
(1 - C_PT) × Total λ = 0.1 × 0.05 = 0.005 = λ_Total (10 year).<br />
Then, because there is a second level of complexity with the common cause failures, we<br />
again need to split this 10 year λ_Total into a λ_CC (10 year) and a λ_N (10 year) by use of the beta factor.<br />
λ_Total (10 year) = λ_Total × (1 - C_PT) = 0.05 × (1 - 0.9) = 0.005<br />
λ_CC (10 year) = λ_Total (10 year) × β = 0.005 × 0.1 = 0.0005<br />
λ_N (10 year) = λ_Total (10 year) × (1 - β) = 0.005 × (1 - 0.1) = 0.0045<br />
As before, because the normal independent failure mode is a 1oo2 voting system, we use<br />
the integrated formula for PFDavg due to normal mode failure, now with the 10 year interval LT<br />
in place of TI. Then we add this to the common mode failure component for the 10 year part,<br />
since the system either fails in normal independent mode OR by common mode.<br />
PFDavg_N (10 year) = (λ_N (10 year)² × LT²)/3 = (0.0045² × 10²)/3 = 0.00068<br />
PFDavg_CC (10 year) = (λ_CC (10 year) × LT)/2 = (0.0005 × 10)/2 = 0.00250<br />
PFDavg_SYS (10 year) = PFDavg_N (10 year) + PFDavg_CC (10 year) = 0.00318<br />
Summing up the overall PFDavg<br />
Finally, we add the 1 year tested failure contribution to the 10 year overhaul corrected failure<br />
contribution to get the total PFDavg for the system considering all of the pathways.<br />
Total PFDavg = PFDavg_SYS (1 year) + PFDavg_SYS (10 year) = 0.00280 + 0.00318 = 0.00597<br />
Total RRF = 1/PFDavg = 167
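The procedure above in code, as an added example that is not part of the notebook (and is not exida's SILver tool): the dangerous failure rate is split by test coverage into a population reset every TI and one reset every LT, each population is split by the beta factor into common-cause and independent parts, and the architecture formulas are the simplified ones the notebook uses (no MTTR term). It reproduces the valve of Post-Test Question 4, the 1oo2 transmitters of this solution and the ranking of Exercise Set 6. The 2oo3 formula λ²TI² is the companion simplified equation and is an assumption, since it is not written out on these pages.<br />

```python
# Added example (not from the notebook): PFDavg of a low-demand subsystem when
# a partial proof test (coverage C_PT, interval TI) reveals some dangerous
# faults and the rest wait for the overhaul at LT.  Rates in failures per
# year, times in years.  The architecture formulas are the simplified
# IEC 61508-6 style equations the notebook uses, without MTTR terms.

ARCH_PFD = {
    # PFDavg of the independent (non common cause) failures for each vote
    "1oo1": lambda lam, t: lam * t / 2.0,
    "2oo2": lambda lam, t: lam * t,            # either channel failing is enough
    "1oo2": lambda lam, t: (lam * t) ** 2 / 3.0,
    "2oo3": lambda lam, t: (lam * t) ** 2,     # three 1oo2-like pairs (assumed form)
}


def beta_split(lam, beta):
    """Common-cause part lam*beta and independent part lam*(1-beta)."""
    return lam * beta, lam * (1.0 - beta)


def pfd_avg(arch, lam_du, t, beta=0.0):
    """PFDavg of one fault population reset every t years.

    Independent failures are voted per `arch`; the common-cause part defeats
    the redundancy and is added as a single channel (lam_cc * t / 2).
    """
    lam_cc, lam_n = beta_split(lam_du, beta)
    return ARCH_PFD[arch](lam_n, t) + ARCH_PFD["1oo1"](lam_cc, t)


def pfd_avg_partial_coverage(arch, lam_du, cpt, ti, lt, beta=0.0):
    """Faults the partial test covers (fraction cpt) are cleared every ti;
    the remainder (1 - cpt) only at the overhaul every lt.  The two fault
    populations are disjoint, so their PFDavg contributions add."""
    covered = pfd_avg(arch, cpt * lam_du, ti, beta)
    uncovered = pfd_avg(arch, (1.0 - cpt) * lam_du, lt, beta)
    return covered + uncovered


def risk_reduction_factor(pfd):
    return 1.0 / pfd


def rank_by_pfd(lam_du, t, archs=("2oo2", "1oo2", "2oo3")):
    """Architectures ordered from highest PFDavg to lowest (Exercise Set 6)."""
    return sorted(archs, key=lambda a: pfd_avg(a, lam_du, t), reverse=True)


if __name__ == "__main__":
    # Post-Test Question 4: single valve, 85% test coverage, 1 year / 15 years
    valve = pfd_avg_partial_coverage("1oo1", 0.05, 0.85, 1.0, 15.0)
    # Exercise Set 3 Question 4: 1oo2 transmitters, beta 10%, 90% coverage
    tx = pfd_avg_partial_coverage("1oo2", 0.05, 0.90, 1.0, 10.0, beta=0.1)
    print(f"valve 1oo1:        PFDavg = {valve:.4f}")
    print(f"transmitters 1oo2: PFDavg = {tx:.5f}, RRF = {risk_reduction_factor(tx):.0f}")
    print("highest to lowest PFDavg:", rank_by_pfd(0.05, 1.0))
```

The uncovered 10% of faults contribute more than the covered 90% in the transmitter case (0.00318 against 0.00280) because they accumulate over ten years; raising test coverage is therefore worth more than shortening the test interval once the interval is already short.<br />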
SECTION 3<br />
Additional Resources<br />
Extending IEC 61508 Reliability Evaluation Techniques to Include<br />
Common Circuit Designs Used in Industrial Safety Systems<br />
William M. Goble, exida.com, Perkasie<br />
Julia V. Bukowski, Villanova University, Villanova<br />
Key Words: Safety system, Diagnostics, Markov model, Standard-international, Failure mode, Failure-on-demand, Fail safe, Self<br />
test<br />
SUMMARY & CONCLUSIONS<br />
Recent international standards such as IEC 61508<br />
and ANSI/ISA 84.01 cover the design and application of<br />
safety instrumented systems (SIS). These standards are<br />
"performance based" and involve establishing risk<br />
reduction targets followed by a reliability and safety<br />
evaluation to verify that the targets have been met by the<br />
design. The standards provide guidelines on how to do<br />
these reliability and safety calculations that are quite useful<br />
and provide a common evaluation framework for products<br />
used in safety instrumented systems.<br />
However, the reliability and safety evaluation<br />
methods require extension when SIS products include<br />
independent diagnostic circuitry or analog circuitry. An<br />
additional failure mode, diagnostic annunciation, must be<br />
considered. A definition of "fail-safe" versus "failure-on-demand"<br />
must be added for analog circuits. Markov models<br />
must include additional states. With extension, comparable<br />
results useful for standards-based product certification can<br />
be obtained.<br />
1. INTRODUCTION<br />
The function of an industrial safety instrumented<br />
system (SIS) is to automatically shutdown an industrial<br />
process if a dangerous condition is detected. Although<br />
different kinds of equipment are used, there is a strong trend<br />
toward the use of programmable electronic equipment<br />
(microcomputer based logic). For these systems to be<br />
certified for use in certain types of safety applications, they<br />
must meet the new standards IEC 61508 (Ref. 1) and<br />
ANSI/ISA 84.01 (Ref. 2) for functional safety.<br />
These standards are performance-based, and<br />
require that the systems be designed and implemented using<br />
an engineering process called the "safety life cycle." The<br />
following steps are included in this process:<br />
1. Prior to beginning design, a risk analysis is performed and<br />
reliability and safety goals are established for the system<br />
based on risk reduction according to a safety integrity level<br />
(SIL) as shown in Figure 1; and,<br />
2. Before implementation, a reliability and safety analysis<br />
must be performed to verify that the failure probabilities of<br />
the proposed design meet the targets established during the<br />
risk analysis. The primary measure of safety integrity is<br />
PFDavg, the average probability of failure on demand.<br />
Table I (referred to as Figure 1 in the text): Safety Integrity Levels.<br />
SIL | Average probability of failure on demand (PFDavg) | Risk reduction factor (RRF)<br />
4 | 10^-5 ≤ PFDavg < 10^-4 | 10000 ≤ RRF < 100000<br />
3 | 10^-4 ≤ PFDavg < 10^-3 | 1000 ≤ RRF < 10000<br />
2 | 10^-3 ≤ PFDavg < 10^-2 | 100 ≤ RRF < 1000<br />
1 | 10^-2 ≤ PFDavg < 10^-1 | 10 ≤ RRF < 100<br />
Guidance on how to perform the reliability and safety<br />
analysis is given in an informative section of the standard<br />
(IEC 61508 - part 6) (Ref. 1) and the technical report (ISA<br />
TR84.02) (Ref. 3). It is assumed that the systems will operate<br />
for a period of time and then be shut down and completely<br />
tested. It is also assumed that the systems have<br />
normally energized outputs and that the safety action is<br />
accomplished by de-energizing an output.<br />
1.1 Nomenclature from IEC61508, ISA84.01<br />
risk - combination of the probability of occurrence of harm<br />
and the severity of that harm<br />
safety - freedom from unacceptable risk<br />
functional safety - part of the overall safety relating to the<br />
equipment under control and the control system which<br />
RF 2001RM-104: page 1 RF
depends on the correct functioning of the safety<br />
instrumented systems, other technology safety systems and<br />
external risk reduction facilities<br />
safety integrity- probability of a safety instrumented system<br />
satisfactorily performing the required safety functions under<br />
all the stated conditions within a stated period of time<br />
safety integrity level (SIL) - discrete level (one out of a<br />
possible four) for specifying the safety integrity<br />
requirements of the safety functions to be allocated to the<br />
safety instrumented systems, where safety integrity level 4<br />
has the highest level of safety integrity and safety integrity<br />
level 1 has the lowest<br />
dangerous failure - failure which has the potential to put the<br />
safety instrumented system in a hazardous or fail-to-function<br />
state<br />
diagnostic coverage - the probability that a failure will be<br />
detected by internal self-diagnostics given that a failure<br />
occurs<br />
diagnostic annunciation- the ability of a system to detect<br />
and annunciate a failure<br />
1.2 Notation<br />
C- coverage<br />
FMEDA- failure modes, effects and diagnostic analysis<br />
IEC- International Electrotechnical Commission<br />
ISA - Instrument Society of America<br />
PFDavg- probability of failure on demand, average<br />
SIL- safety integrity level<br />
SIS -safety instrumented system<br />
SD- safe,detected failure<br />
SU- safe, undetected failure<br />
DD- dangerous, detected failure<br />
DU- dangerous, undetected failure<br />
TÜV - Technischer Überwachungs-Verein e.V. (Technical<br />
Inspection Association of Germany)<br />
2. ANALYSIS METHODS<br />
The analysis methods described in the standards<br />
assume two failure modes, fail-safe and failure-on-demand<br />
(also called fail-danger, dangerous failure). Failure rates for<br />
system components are divided into these two modes. The<br />
total failure rate is partitioned into:<br />
where the superscript S represents a "safe" failure and the<br />
superscript D represents a "dangerous" failure. Safe failures<br />
are defined as those that would cause an output to falsely<br />
de-energize. Dangerous failures are those that would<br />
prevent an output from being de-energized.<br />
The ability of the system to diagnose its own<br />
internal failures is taken into account. Each of the failure<br />
(1)<br />
mode categories is further partitioned into failures detected<br />
by the on-line diagnostics versus those undetected where:<br />
and<br />
where the superscript SD represents a "safe, detected "<br />
failure, the superscript SU represents a "safe, undetected"<br />
failure, the superscript DD represents a "dangerous,<br />
detected" failure and the superscript DU represents a<br />
"dangerous, undetected" failure.<br />
"Coverage" is the measure of the built-in-test<br />
capability of a system. It is defined in Reference 4 as the<br />
probability that a failure will be detected given that it occurs.<br />
Coverage is denoted by the letter C. A coverage factor must<br />
be obtained for each component in the system in order to<br />
separate the detected failures from the undetected failures.<br />
The four failure rate categories are calculated as follows:<br />
For each functional portion of the system, a<br />
calculation is made of the average probability of failure-on-demand<br />
(PFDavg). This calculation may be done in a variety<br />
of different ways including simple approximation equations<br />
or detailed Markov models. As input data, the calculation<br />
requires failure rates and mission times (called periodic<br />
inspection intervals) and may also require repair times and<br />
common cause factors for on-line repairable redundant<br />
components. Several additional assumptions are made in the<br />
standard guidelines. These include constant failure rates,<br />
constant repair times and automatic shutdown where internal<br />
faults are detected.<br />
Three subsystems are specifically identified:<br />
sensors, logic solvers and final elements (Fig. 2). Sensors<br />
may be limit switches, pressure switches, temperature<br />
sensors, etc. Logic solvers are typically a microcomputer<br />
based controller. Final elements may be solenoid valves, ball<br />
valves with actuators, etc.<br />
(2)<br />
(3)<br />
Figure 2: Components of a Safety Function. [Diagram not recovered: inputs from the sensors feed a programmable electronic controller (the logic solver), whose outputs drive the final elements (valves) acting on the process.]<br />
As an example of the simplest function, a pressure<br />
switch is used as a sensor. This is directly wired to a<br />
solenoid valve. There is no logic solver. Given failure rates,<br />
failure modes and a mission time, a PFDavg calculation<br />
could be made for each subsystem. The standards<br />
guidelines suggest that the PFDavg for each subsystem be<br />
added (an approximation) to obtain PFDavg for the system.<br />
Based on the chart in Figure I, a safety integrity level could<br />
be assigned. Often, the problem has been getting valid<br />
failure rate and failure mode data.<br />
When products are designed by a manufacturer to<br />
meet these international standards, a detailed reliability and<br />
safety analysis should be done for that product. A failure<br />
modes, effects and diagnostic analysis (FMEDA) is<br />
typically done to provide the coverage factors and failure<br />
rates (Ref. 5-6). The FMEDA analysis is typically inspected<br />
and verified by third parties as part of the "safety<br />
certification" process (Ref. 7). Manufacturers are expected<br />
to publish this data and to do subsystem PFDavg<br />
calculations to be used as part of a system analysis.<br />
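Section 2 carried through in code, as an added example rather than the paper's own calculation: component failure rates are partitioned into SD/SU/DD/DU with a coverage factor per component, summed per subsystem, turned into a single-channel PFDavg with λ_DU × T / 2, and added across sensor, logic solver and final element to place the loop in a SIL band from Table I. The component rates, safe fractions and coverage values are constructed for illustration and are not FMEDA results; the safe failure fraction helper (SFF, which the course's SIL 3 loop exercise asks for) is an addition alongside the paper's quantities.<br />

```python
# Added example (not from the paper): the failure-rate bookkeeping of
# Section 2 carried through to a loop SIL.  Each component gets a total
# rate in FIT (failures per 1e9 h), a safe fraction and a diagnostic
# coverage; the SD/SU/DD/DU categories are summed per subsystem, each
# single-channel subsystem gets PFDavg = lam_DU * T / 2, and the subsystem
# values are added (the standards' approximation) to place the loop in a
# SIL band from Table I.  The component figures below are constructed for
# illustration only; they are not FMEDA data.
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # failures per hour per FIT


@dataclass
class Component:
    name: str
    lam_fit: float          # total failure rate, FIT
    safe_fraction: float    # share of failures that falsely de-energize the output
    cov_safe: float         # diagnostic coverage C for safe failures
    cov_dangerous: float    # diagnostic coverage C for dangerous failures

    def categories(self):
        """Partition lam into SD, SU, DD, DU using the coverage factors."""
        lam_s = self.lam_fit * self.safe_fraction
        lam_d = self.lam_fit - lam_s
        return {
            "SD": self.cov_safe * lam_s,
            "SU": (1.0 - self.cov_safe) * lam_s,
            "DD": self.cov_dangerous * lam_d,
            "DU": (1.0 - self.cov_dangerous) * lam_d,
        }


def subsystem_rates(components):
    """Sum the four categories over the components of one subsystem."""
    totals = dict.fromkeys(("SD", "SU", "DD", "DU"), 0.0)
    for c in components:
        for k, v in c.categories().items():
            totals[k] += v
    return totals


def safe_failure_fraction(components):
    """SFF = (SD + SU + DD) / total: everything except dangerous undetected."""
    r = subsystem_rates(components)
    return (r["SD"] + r["SU"] + r["DD"]) / sum(r.values())


def pfd_avg_1oo1(lam_du_fit, mission_years):
    """Single channel; DU faults sit until the periodic inspection."""
    return lam_du_fit * FIT * mission_years * HOURS_PER_YEAR / 2.0


def loop_pfd_avg(subsystems, mission_years):
    """Loop PFDavg as the sum of the subsystem values."""
    return sum(pfd_avg_1oo1(subsystem_rates(parts)["DU"], mission_years)
               for parts in subsystems.values())


SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd):
    """Table I: SIL n when 10^-(n+1) <= PFDavg < 10^-n; None outside SIL 1-4."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


# Constructed loop: transmitter, logic solver, solenoid plus valve, all 1oo1.
LOOP = {
    "sensor": [Component("pressure transmitter", 600.0, 0.5, 0.9, 0.9)],
    "logic solver": [Component("safety PLC", 2000.0, 0.6, 0.99, 0.98)],
    "final element": [Component("solenoid", 800.0, 0.5, 0.0, 0.0),
                      Component("valve and actuator", 1500.0, 0.3, 0.0, 0.0)],
}

if __name__ == "__main__":
    for name, parts in LOOP.items():
        r = subsystem_rates(parts)
        print(f"{name:14s} DU = {r['DU']:7.1f} FIT  SFF = {safe_failure_fraction(parts):.3f}")
    pfd = loop_pfd_avg(LOOP, 1.0)
    print(f"loop PFDavg (1 year inspection) = {pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
```

With these constructed figures the final element, which has no diagnostics, carries almost all of the loop's DU rate and pins the loop at SIL 2 despite a well-diagnosed transmitter and logic solver; that is the usual shape of a real loop budget and the reason final-element testing gets the attention it does.<br />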
Overall, the guidelines and methods published in<br />
the international standards greatly help in providing a more<br />
consistent and understandable safety analysis. However,<br />
the methods assume that all components are operating in a<br />
digital "on/off" mode. Only two failure modes are defined,<br />
fail-safe and failure-on-demand. These are not sufficient in<br />
practice when on-line diagnostic circuitry and analog<br />
circuitry is considered.<br />
3. DIAGNOSTICS / ANALOG CIRCUITRY<br />
In many products designed for industrial safety<br />
applications, extra circuitry is added to detect internal<br />
component failures. Often when this circuitry fails, the<br />
product continues to function, though it can no longer<br />
detect the same internal failures. The diagnostic coverage<br />
factor goes down. These component failures are neither failsafe<br />
nor failure-on-demand. In some analyses these failures<br />
are simply ignored. But this is optimistic and will result in<br />
PFDavg calculations that are lower than they should be. An<br />
additional failure mode is required.<br />
There is also a problem when analog circuits are<br />
considered. Are the failures fail-safe or failure-on-demand?<br />
Fortunately, this problem can be solved with a definition. In<br />
consultation with certification engineers, the following was<br />
derived: "If a failure causes the analog circuit to be<br />
inaccurate outside the "safety accuracy" specification then<br />
it is failure-on-demand. Otherwise it is not considered a<br />
failure." While this is pessimistic in that not all accuracy<br />
failures will cause a potentially dangerous failure of the<br />
system, the calculation results will be conservative. It is also<br />
important to note that when a component failure within an<br />
analog circuit does not cause an accuracy error greater than<br />
the safety accuracy specification, that failure is called "safe."<br />
That can be misleading as the component failure actually has<br />
no effect on the circuit functionality from a safety<br />
perspective.<br />
4. ANALOG PRESSURE SENSOR EXAMPLE<br />
An analog pressure sensor was analyzed with a<br />
FMEDA. A Markov model was developed for a single, nonredundant<br />
sensor. These were reviewed with TÜV, the<br />
industry-recognized approvals agency, as part of the sensor<br />
safety certification process. The sensor is designed to<br />
accurately measure a pressure and modulate a 4 - 20 mA<br />
electrical current to indicate the pressure range of the sensor.<br />
If a failure is detected within the sensor, it sets the current to<br />
3.7 mA based on the German NAMUR NE43 standard. A<br />
block diagram of the design can be seen in Figure 3.<br />
Figure 3: Block Diagram of Pressure Sensor. [Diagram not recovered: the sensor electronics drive the prime output (the 4-20 mA current output); separate diagnostic circuitry drives a secondary output.]<br />
Five failure modes were obtained when the FMEDA was<br />
done. These are:<br />
1. Dangerous Detected (DD) - In this case, a fault has been<br />
detected by the diagnostic circuit in the sensor that<br />
otherwise would have caused the sensor to produce an<br />
output outside the 2% safety tolerance.<br />
2. Dangerous Undetected (DU) - This is the most critical failure<br />
mode because theoretically the diagnostic circuitry does not<br />
detect a failure which causes the output to be more than 2%<br />
different from the actual measured pressure.<br />
3. Safe Detected (SD) - A SD failure is one where the<br />
diagnostic circuit detects a failure which normally would not<br />
affect the output of the sensor. The sensor places its<br />
output at 3.7 mA to notify operating personnel that there is a<br />
problem with the device.<br />
4. Safe Undetected (SU) - In this case, there is a problem with<br />
the transmitter not detected by the diagnostic circuitry, but<br />
the output is operating successfully within the 2% safety<br />
tolerance. If the safety tolerance (2%) was used as a design<br />
parameter, for safety and reliability analysis purposes these<br />
failures can be ignored. These failures cannot be ignored for<br />
process control applications where the required accuracy is<br />
the normal published 0.05%.<br />
5. Diagnostic Annunciation Failure (AU) - A failure in the<br />
diagnostic circuitry does not have an immediate impact<br />
upon the proper operation of a sensor. The sensor will<br />
continue to operate normally. However, since a fault in the<br />
diagnostic circuitry of the sensor can create a potentially<br />
dangerous situation upon occurrence of a second fault, the<br />
diagnostic annunciation failure rate must be included in the<br />
PFDavg analysis.<br />
The failure rate data was based on the Bellcore<br />
failure rate database (Ref. 8) and data from semiconductor<br />
manufacturers. The average ambient temperature was<br />
assumed to be 40 °C. The failure rates are reported in terms<br />
of number of failures per 10^9 hours (FIT). The results of the<br />
FMEDA can be seen in Table 1, taken from Reference 9.<br />
Table 1: FMEDA results for the sensor (type, output response, λTOTAL in FITs). Only the first rows survive extraction in this copy:<br />
Dangerous Detected (DD), output response: failsafe reaction (FO, FU, or 3.7 mA), 475.6 FITs;<br />
Short/fail over-range (FO), output > 21 mA, 17.5 FITs;<br />
Open/fail under-range: [value and remaining rows not recovered].<br />
The rest of Table 1 and Figure 4 (the Markov model) are missing from this copy.<br />
The sensor is operating successfully in states 0<br />
and 1. State 1 represents the condition where there is a<br />
diagnostic annunciation failure. Figure 4 shows the fail-safe<br />
state (2) as well as the failure-danger state (3). The Markov<br />
model shows the effect of diagnostic circuitry failure: the<br />
failure rate marked DD takes the model from state 1 to state 3,<br />
because the diagnostic annunciation function no longer<br />
operates. Normally, a DD failure takes the model to the fail-safe<br />
state.<br />
Note that the Markov model does not include the SU<br />
failures. It assumes that the safety accuracy is used as a<br />
design parameter and that these failures are therefore<br />
ignored. The Markov model can be solved numerically for a<br />
number of parameters including PFDavg and availability.<br />
Substituting the failure rate numbers for the sensor:<br />
PFDavg (1 year) = 1.7 × 10^-4<br />
PFDavg (2 year) = 3.4 × 10^-4<br />
PFDavg (3 year) = 5.2 × 10^-4<br />
PFDavg (4 year) = 6.9 × 10^-4<br />
PFDavg (5 year) = 8.7 × 10^-4<br />
The Markov solutions were done with matrix multiplication<br />
using a 1 hour time increment (Ref. 10, Chapter 8). The<br />
model was solved for a particular mission time (the time<br />
between periodic inspections of the equipment).<br />
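The Markov model of this section rebuilt as an added example, not the paper's model or its FMEDA data: four states as described (OK, diagnostics failed, fail-safe, fail-danger), a DD transition from the diagnostics-failed state that lands in fail-danger, and a 1 h discrete-time solution by repeated vector-matrix multiplication with PFDavg taken as the time average of the fail-danger probability. The FIT values, the absence of repair within the mission, and the treatment of SD failures after the diagnostics have died are assumptions and are marked as such in the comments.<br />

```python
# Added example (not the paper's model or its FMEDA data): a four-state
# discrete-time Markov model of one analog transmitter with a diagnostic
# annunciation (AU) failure mode, solved by repeated multiplication with a
# 1 h step as the paper describes.  States: 0 = OK, 1 = diagnostics failed
# but output still correct, 2 = fail-safe (detected fault, output driven to
# 3.7 mA), 3 = fail-danger.  From state 1 a DD failure can no longer be
# annunciated, so it goes to state 3.  Assumptions beyond the paper: no
# repair within the mission (states 2 and 3 absorb), an SD failure after
# the diagnostics have died changes nothing (like SU it is ignored), and
# the FIT values in main() are made up for illustration.

HOURS_PER_YEAR = 8760
FIT = 1e-9  # failures per hour per FIT


def transition_matrix(lam_sd, lam_dd, lam_du, lam_au, dt_h=1.0):
    """Row-stochastic one-step matrix; rates in FIT, step in hours."""
    f = FIT * dt_h
    m = [[0.0] * 4 for _ in range(4)]
    m[0][1] = lam_au * f                 # diagnostics die silently
    m[0][2] = (lam_sd + lam_dd) * f      # detected faults: annunciated, fail-safe
    m[0][3] = lam_du * f                 # undetected dangerous fault
    m[1][3] = (lam_dd + lam_du) * f      # diagnostics dead: DD now acts as DU
    for i in (0, 1):
        m[i][i] = 1.0 - sum(m[i])        # stay put with the remaining mass
    m[2][2] = m[3][3] = 1.0              # absorbing until the proof test
    return m


def step(p, m):
    """One time step: p' = p . M."""
    return [sum(p[i] * m[i][j] for i in range(4)) for j in range(4)]


def state_probabilities(lam_sd, lam_dd, lam_du, lam_au, mission_years, dt_h=1.0):
    """State vector at the end of the mission and the PFDavg over it.

    PFDavg is the time average of the fail-danger probability P3, which is
    what a demand arriving at a random moment of the mission would see.
    """
    m = transition_matrix(lam_sd, lam_dd, lam_du, lam_au, dt_h)
    steps = int(round(mission_years * HOURS_PER_YEAR / dt_h))
    p = [1.0, 0.0, 0.0, 0.0]
    acc = 0.0
    for _ in range(steps):
        p = step(p, m)
        acc += p[3]
    return p, acc / steps


def pfd_avg(lam_sd, lam_dd, lam_du, lam_au, mission_years, dt_h=1.0):
    return state_probabilities(lam_sd, lam_dd, lam_du, lam_au, mission_years, dt_h)[1]


if __name__ == "__main__":
    rates = dict(lam_sd=200.0, lam_dd=400.0, lam_du=50.0)   # assumed FIT values
    for years in (1, 2, 3):
        without_au = pfd_avg(**rates, lam_au=0.0, mission_years=years)
        with_au = pfd_avg(**rates, lam_au=100.0, mission_years=years)
        print(f"{years} year: PFDavg = {without_au:.3e} (AU ignored), "
              f"{with_au:.3e} (AU = 100 FIT)")
```

With the AU rate set to zero the numerical result lands within a fraction of a percent of the closed form λ_DU × T / 2, which is a useful sanity check on the matrix; switching the AU rate on raises PFDavg by a term that grows with T² (the diagnostics must die first, then a DD fault must follow), so the penalty for ignoring it is small at one year and grows with longer proof-test intervals.<br />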
This data and the corresponding PFDavg subsystem<br />
solutions will give SIS designers reasonable input to the<br />
system level PFDavg calculations required to verify<br />
functional designs per IEC 61508 or ANSI/ISA S84.01<br />
standards. The additional failure mode and the analog failure<br />
definition were needed to provide conservative comparable<br />
information for this sensor application.<br />
REFERENCES:<br />
1. IEC 61508, Functional Safety of electrical / electronic / programmable electronic safety-related systems, Geneva, Switzerland: International Electrotechnical Commission, 2000.<br />
2. ISA S84.01, Application of Safety Instrumented Systems for the Process Industries, Research Triangle Park, NC, USA: ISA, 1996.<br />
3. TR84.0.02, draft Technical Report, Safety Instrumented System (SIS) - Safety Integrity Level (SIL) Evaluation Techniques, Research Triangle Park, NC: Instrument Society of America, 1998.<br />
4. Bouricius, W. G., Carter, W. C. and Schneider, P. R., "Reliability Modeling Techniques for Self-Repairing Systems," Proceedings of the ACM Annual Conference, 1969; reprinted in Tutorial: Fault-Tolerant Computing, Nelson, V. P. and Carroll, B. N., eds., Washington, DC, USA: IEEE Computer Society Press, 1987.<br />
5. Collett, R. E. and Bachant, P. W., "Integration of BIT Effectiveness with FMECA," 1984 Proceedings of the Annual Reliability and Maintainability Symposium, New York, NY: IEEE, 1984.<br />
6. Goble, W. M. and Brombacher, A. C., "Using a failure modes, effects and diagnostic analysis (FMEDA) to measure diagnostic coverage in programmable electronic systems," Reliability Engineering & System Safety, Vol. 66, No. 2, Amsterdam, Netherlands: Elsevier, 1999.<br />
7. Factory Mutual Research, Technical Report, Hardware Assessment of Moore Products Co. QUADLOG/ProSafe PLC System According to IEC 61508, Spring House, PA: Siemens Moore Process Automation Solutions, 1998.<br />
8. Reliability Prediction Procedure for Electronic Equipment, Bellcore Technical Advisory TA-000-23620-84-01, Red Bank, NJ: Bell Communications Research, 1984.<br />
9. ADQL-6: Safety Integrity Level Verification - Failure Rate Data for the 345 Critical Transmitter, Spring House, PA: Siemens Moore Process Automation Solutions, 2000.<br />
10. Goble, W. M., Control Systems Safety Evaluation and Reliability, second edition, Research Triangle Park, NC: ISA, 1998.<br />
William M. Goble, PhD<br />
42 Short Rd.<br />
Perkasie, PA 18944<br />
USA<br />
Email:<br />
wgoble@exida.com<br />
BIOGRAPHIES:<br />
William M. Goble is currently Principal Partner, exida.com, a<br />
company that provides consulting, training and support for<br />
safety critical and high availability automation. He has over<br />
25 years of experience in research and development of<br />
control systems including analog and digital circuit design,<br />
software development, engineering management, and<br />
marketing.<br />
He has a BSEE from Penn State, an MSEE from Villanova and<br />
a PhD from Eindhoven University of Technology in<br />
Eindhoven, Netherlands. He is also an adjunct professor at<br />
the University of Pennsylvania. He teaches ISA's course<br />
ES35, "Evaluating System Reliability and <strong>Safety</strong>" and is<br />
author of the ISA book "Control Systems <strong>Safety</strong> Evaluation<br />
and Reliability." He is a fellow member of ISA and a member<br />
of ISA's SP84 committee on safety systems.<br />
RF 2001RM-104: page 5 RF
Julia V. Bukowski, PhD<br />
Dept of Electrical & Computer <strong>Engineering</strong><br />
Villanova University<br />
Villanova, PA 19085<br />
USA<br />
Email:<br />
bukowski@ece.vill.edu<br />
Julia V. Bukowski (S'70, M'79, SM'85) is an associate<br />
professor of Electrical and Computer <strong>Engineering</strong> at<br />
Villanova University. Her research interests include<br />
hardware, software, and network reliability. She has<br />
published numerous technical articles and has been guest<br />
editor of a special issue of the IEEE Transactions on<br />
Reliability. She has been a Visiting Associate Professor and<br />
Fulbright Senior Scholar at the Technion Israel Institute of<br />
Technology. She has been elected to the Eta Kappa Nu and<br />
Sigma Xi honor societies, and received the IEEE Centennial<br />
Young Engineers Award for the Reliability Society.<br />
Getting Failure Rate Data<br />
Dr. W.M. Goble, Principal Partner, exida<br />
wgoble@exida.com<br />
www.exida.com<br />
INTRODUCTION<br />
<strong>Safety</strong> verification calculations for each safety instrumented function are a key<br />
concept in functional safety standards like ISA 84.01 and IEC 61511. These<br />
calculations are done to ensure a balanced and optimal design. However, the<br />
calculations require failure rate and failure mode information for all the<br />
instruments used, from sensor to final element. When ISA 84.01 was first released in<br />
1996, one comment was made repeatedly: "No one has good failure rate data."<br />
This led some to believe that the whole idea behind probabilistic failure<br />
calculations is impractical. Some are still making the comment.<br />
The fact is that failure rate data has been available, and the data is getting<br />
much better as manufacturers understand safety instrumentation users' needs.<br />
Even in the early years of the standard, industry failure databases could provide<br />
information. While this failure data was not product specific or application<br />
specific, it helped designers recognize problems in their designs. One such<br />
problem was the "weak link" design. These designs included expensive SIL3<br />
safety PLCs that were connected to a switch and a solenoid. Many of these<br />
engineers thought they had a SIL3 design until they did the safety verification<br />
calculations. Such a design will not even meet SIL1! Another common problem<br />
was the final element, typically a remote actuated on-off valve. Some designs<br />
had triplicated sensors and a SIL3 rated safety PLC with a set of pneumatic<br />
controls mounted on a single ball valve. The design target was SIL3, but the<br />
safety verification calculations showed that the design only met SIL1. [See<br />
Appendix 1: "A sample SIF calculation"]<br />
The safety verification calculations required by the new functional safety<br />
standards have shown designers how to produce much more balanced designs<br />
that optimize cost and safety. The calculations have shown many how to do a<br />
better job. But failure rate and failure mode data on the chosen equipment is a<br />
must.<br />
Industry Failure Databases<br />
One of the most popular failure rate databases is the OREDA database. OREDA<br />
stands for "Offshore Reliability Data." The information is printed in a book that<br />
may be ordered from DNV in Norway (oreda@dnv.com). The third edition dated<br />
1997 has been printed with a new version planned. This book presents detailed<br />
statistical analysis on many types of process equipment. Many engineers use it<br />
as a source of failure rate data to perform safety verification calculations. It<br />
remains an excellent reference for all who do data analysis.<br />
Copyright 2002, exida.com LLC Page 1 of 1
Other data sources include:<br />
1. FMD-97, Failure Mode / Mechanism Distributions, 1997, Reliability<br />
Analysis Center, Rome, NY<br />
2. Guidelines for Process Equipment Reliability Data, with Data Tables,<br />
1989, Center for Chemical Process <strong>Safety</strong> of AIChE, New York, NY<br />
3. NPRD-95, Nonelectronic Parts Reliability Data, 1995, Reliability Analysis<br />
Center, Rome, NY<br />
4. IEEE Std. 500, IEEE Guide To The Collection and Presentation Of<br />
Electrical, Electronic, Sensing Component, And Mechanical Equipment<br />
Reliability Data For Nuclear-Power Generating Stations, 1984, IEEE, New<br />
York, NY<br />
5. Reliability Data for Control and <strong>Safety</strong> Systems, 1998, SINTEF Industrial<br />
Management, Trondheim, Norway<br />
And several other sources somewhat more specialized.<br />
Many companies have an internal expert who has studied these sources as well<br />
as their own internal failure records and maintains the company failure rate<br />
database. Some use failure data compilations found on the internet. While the<br />
data in industry databases is not product specific or application specific, it does<br />
provide useful failure rate information for specific industries (nuclear, offshore,<br />
etc.) and a comparison of the data provides information about failure rates versus<br />
stress factors.<br />
There is a problem with the industry databases though. A probability of fail-danger<br />
calculation for safety verification purposes requires more than just<br />
failure rate data. For each piece of equipment, one must know the failure modes<br />
(safe versus dangerous) and the effectiveness of any automatic diagnostics (the<br />
diagnostic coverage factor). This information is included only in rough form, if at<br />
all, in industry databases. So many engineers doing safety verification<br />
calculations provide an educated and conservative estimate. For most electronic<br />
equipment, the safe percentage is set to 50%. Relays have a higher percentage<br />
of safe failures, with many picking a value of 70% or 80%. Mechanical<br />
components like solenoids might be more like 40% safe, with many failure modes<br />
causing stuck-in-place failures that end up being dangerous in a safety protection<br />
application.<br />
Diagnostic coverage can also be estimated. If "normal" diagnostics are available<br />
in a microprocessor based product, diagnostic coverage can be conservatively<br />
credited at 50%. Diagnostics for mechanical devices are usually given no credit,<br />
0% detected failures, unless there is some special testing like automatic partial<br />
valve stroke testing provided by a smart valve positioner.<br />
So, the data is there. Using a combination of industry databases, company data<br />
and experience, the calculation methods required in functional safety standards<br />
like ISA 84.01 and IEC 61511 are being performed.<br />
Product Specific Failure Data<br />
It is clear that some are uncomfortable with the level of accuracy in the data.<br />
Questions about failure rate versus stress conditions in particular applications<br />
come up. Questions about specific products are constantly being asked<br />
especially when one must attempt to pick a better product to achieve higher<br />
safety.<br />
Fortunately, several instrumentation manufacturers are doing detailed analysis of<br />
their products to determine a more accurate set of numbers useful for safety<br />
verification purposes. A Failure Modes Effects and Diagnostic Analysis (FMEDA)<br />
provides specific failure rates for each failure mode of an instrumentation<br />
product. The percentage of failures that are safe versus dangerous is clear and<br />
relatively precise for each specific product. The diagnostic ability of the<br />
instrument is precisely measured. Overall, the numbers from such an analysis<br />
are indeed product specific and provide a much higher level of accuracy when<br />
compared to industry database numbers and experience based estimates.<br />
A FMEDA is done by examining each component in a product. For each failure<br />
mode of each component, the effect on the product is recorded. Will this resistor<br />
failure cause the product to fail safely, fail dangerously, or lose calibration? If the<br />
serial communication line from the A/D converter to the microprocessor gets shorted, how<br />
does the product respond? If this spring fractures, does that cause a dangerous<br />
or a safe failure? The failure rate of each component is entered according to<br />
component failure mode and the various categories are added. The end result is<br />
a product specific set of failure data that includes failure rates for each failure<br />
mode, failure rates that are detected and undetected by diagnostics, safe failure<br />
fraction calculations and often an explanation of how to use the numbers to do<br />
safety verification calculations.<br />
FMEDA is sometimes done by the manufacturer but typically done by third party<br />
experts including TÜV, FM, BASEEFA and exida. Often the work is done as part<br />
of an IEC 61508 functional safety certification effort by the product manufacturer.<br />
Many manufacturers have recently issued FMEDA reports, as shown in Table 1, a<br />
listing of field instrumentation reports. The FMEDA failure rate and failure mode<br />
data are product specific and generally show lower failure rates than industry database<br />
generic data. A comparison is done in Appendix 2.<br />
Table 1: Field instrumentation FMEDA reports (the table is not legible in this copy; legible entries include Moore, a 3051 pressure transmitter, WIKA T32, Elcon smart isolators and isolated barriers, Fisher Controls, Metso and Mokveld RXD series valves, assessed by exida, FM, AEA or TÜV)<br />
The future of failure data<br />
Although product specific FMEDA reports offer superior data sources when<br />
compared to industry databases, they still do not account for application specific<br />
stress conditions that may affect actual failure rates. Ideally in the future<br />
manufacturers will be able to provide not only point estimates of failure rates but<br />
perhaps even equations with application specific variables to more precisely<br />
calculate the needed numbers. That will happen if there is demand and the<br />
needed data is collected.<br />
One effort in the right direction is the PERD (Process Equipment Reliability<br />
Database) initiative from the Center for Chemical Process <strong>Safety</strong> (CCPS) of the<br />
AIChE (www.aiche.org/ccps/perd/). That group has defined failure taxonomies<br />
for various types of process equipment. The important data that must be<br />
collected for a failure event has been defined. Operating companies from<br />
chemical, petrochemical, industrial gases and other industries become members<br />
and are working to set up inspection and failure reporting. They have created<br />
data collection software that members use to report field failures to a central<br />
database. There is potential that this information could someday become the<br />
best possible source of product specific and application specific failure rate and<br />
failure mode data. We look forward to better data with more accuracy as we<br />
move forward.<br />
Appendix 1: A sample SIF calculation.<br />
A safety instrumented function has been defined where high pressure in a process<br />
vessel must stop "sour gas" fuel flow to a burner. The risk reduction requirement results<br />
in a SIL2 target for the SIF. The proposed safety instrumented function design is shown<br />
in figure 1.<br />
Rosemount 3051C pressure transmitter, Generic SIL2 Logic Solver, Actuator (figure not reproduced)<br />
Figure 1 Conceptual design SIL2 <strong>Safety</strong> Instrumented Function<br />
The conceptual design of this safety instrumented function consists of the following<br />
equipment. Two pressure transmitters in a 1oo2 voting arrangement are used as the<br />
sensor devices. A PLC certified for SIL2 is used as the logic solver. Finally, two 3-way<br />
solenoids, each operating a pneumatic actuator with ball valve, in a 1-out-of-2 voting<br />
arrangement are used as the final element devices.<br />
A proof test interval of 12 months and a Mean Time To Repair of 8 hours are specified.<br />
The results of the SIL verification using the exida software tool SILver, shown in figure 2,<br />
indicate that the conceptual design of the safety instrumented function meets the SIL2<br />
requirements based on the average Probability of Failure on Demand value.<br />
Furthermore the conceptual design of the SIF also meets the SIL2 requirements based<br />
on the architectural constraints requirement of IEC 61511.<br />
Figure 2 SIL verification results for conceptual design SIL2 SIF (screenshot not reproduced)<br />
Appendix 2: A comparison of failure rates.<br />
Failure rates may be obtained from industry databases, manufacturer FMEDA<br />
analysis, manufacturer field failure studies, company failure records or other<br />
sources. Most reliability engineers consider application specific and product<br />
specific data to be the most accurate. Generally, less specific data turns out to<br />
be more conservative and that is appropriate for safety verification purposes<br />
following the rule that "the less one knows, the more conservative one must be."<br />
Table 2 shows a comparison of data for a pressure transmitter. The failure rate<br />
numbers from the database sources are significantly higher than the FMEDA<br />
reports.<br />
Table 2: Failure rate data for a pressure transmitter (columns: Source, Component, Total Failure Rate, % Safe Failures; the rows are not legible in this copy apart from the final entry, "FMEDA, 3051T Pressure Transmitter, exida")<br />
Techniques for achieving reliability<br />
in safety PLC embedded software<br />
Dr. William M. Goble<br />
www.exida.com<br />
ABSTRACT<br />
There is a strong trend toward the use of programmable electronics in safety<br />
instrumented systems. Yet some users still avoid software-based systems. They cite<br />
the unpredictability of software and case histories of software failure. However, a<br />
special class of PLC called a "safety PLC" does meet the need for safety and high<br />
availability in critical automation.<br />
A safety PLC must meet the requirements of a set of rigorous international<br />
standards that cover the design, the design methods and testing of software and<br />
hardware. Third party experts (typically TÜV in Germany) enforce the rigor when<br />
the products go through the certification process. Some of the methods used to<br />
build "high integrity software" for safety PLCs are described in this paper.<br />
INTRODUCTION<br />
The quantity of software in equipment used for critical process control and safety<br />
instrumented systems is growing. This is due to a strong trend toward using flexible<br />
safety PLCs instead of relays or DCSs in safety instrumented systems. <strong>Safety</strong> PLCs<br />
are microcomputer-based controllers that are designed for high safety and high<br />
availability applications. <strong>Safety</strong> PLCs offer application flexibility, self-diagnostics,<br />
communication interfaces to other plant automation systems, automated application<br />
tools that help prevent human error [1] and a level of reliability and safety not<br />
available in conventional PLC/DCS equipment.<br />
A PLC qualifies to be called a safety PLC when it passes a series of tests given by<br />
third party certification agencies (TÜV, Germany or FMRC, US). <strong>Safety</strong> PLCs are<br />
certified per international standards, primarily IEC 61508 [2] and VDE 0801/A1 [3].<br />
These standards require extensive safety analysis of both hardware and software. A<br />
key part of the analysis covers the diagnostic ability of the PLC. In the VDE 0801/A1<br />
standard, the qualitative rule "no known dangerous undetected failures" applies. In<br />
the IEC 61508 standard, detailed quantitative analysis [4,5] of hardware failures<br />
must be performed. That analysis determines the "diagnostic coverage factor," a<br />
number between 0% and 100%. Levels of 90%+ are expected, depending on target<br />
safety integrity level and amount of safety redundancy. The safety PLCs are also<br />
evaluated to ensure electrical safety, user manual integrity, fault tolerant architecture<br />
Copyright exida.com L.L.C. 2000 Page 1 of 8
and software integrity. The software integrity is another of the key differences<br />
between conventional PLC/DCS equipment and safety PLCs.<br />
HIGH INTEGRITY SOFTWARE<br />
While some regulatory bodies in certain geographic areas still do not allow<br />
software-based equipment to be used in critical process control or safety protection<br />
applications, most have recognized the value of the intensive diagnostics available<br />
in safety-certified software-based controllers. Those regulators who do not allow<br />
software cite the unpredictability of complex software and the history of software<br />
failures [6].<br />
There may be reason to doubt the reliability and safety of some types of consumer<br />
grade software, but the international standards used by designers of safety PLCs<br />
have rigorous requirements to increase software integrity. The standards<br />
emphasize the process: product development according to a lifecycle model. While<br />
several models are available, the "V-model" (see Figure 1) is the recommended choice because of<br />
the link between the design and test specifications during product development.<br />
Software techniques for complying with these requirements will be<br />
discussed later.<br />
<strong>Safety</strong> Requirements paired with Validation Test; Design paired with Integration Test; Implementation paired with Unit Test (diagram not reproduced)<br />
Figure 1: V-Model, Software Development Process<br />
The standards cover the entire development process from functional requirements<br />
of the product to final testing, not just software implementation. International<br />
standards require a whole set of development activities designed to ensure the<br />
highest software quality for avoidance and control of faults. These activities include<br />
program execution diagnostics, data verification testing, data storage integrity,<br />
complexity reduction, and a wide set of software development process<br />
requirements. Following these guidelines closely with the certification agency's help<br />
will result in "high integrity software."<br />
Overall, the safety standards require a quality and robustness not found in many<br />
types of products, with or without software. Whether the VDE 0801/A1 rules or the<br />
IEC 61508 rules are being applied, they both dictate a more stringent product<br />
development effort. The software development of these products must include<br />
many techniques that might be cost prohibitive (in both time and money) for average<br />
software suppliers.<br />
CRITICAL SOFTWARE PROCESS<br />
Quality principles developed by Juran and Deming are well known throughout the<br />
world for factory operations. These quality principles require that a process be<br />
established and followed. While following a process may seem obvious, it is easy<br />
to take software quality for granted and shortcut the process after the initial design<br />
is completed. This seems to be part of the "software culture" at times, especially<br />
when a project gets behind schedule.<br />
The safety critical software development process emphasizes a V-model that starts<br />
with product requirements. Requirements reviews determine that all safety relevant<br />
requirements are documented. As the V-model indicates, product validation tests<br />
are developed along with product requirements. Test planning can and should be<br />
done while requirements are being finalized. A test plan review provides a good<br />
crosscheck of the testability of any given requirement, a test of requirement<br />
reasonability. The test plan review may also uncover missing requirements before<br />
too much design has occurred.<br />
The requirements are considered the foundation of the whole project and as such<br />
should be treated quite seriously. Each requirement must state the safety function in<br />
quantifiable terms ("The analog channel shall detect any faults that cause a value<br />
greater than +/- 2% of span within one second"). An important aspect of the<br />
process is the traceability of requirements to tests. While this step makes auditing<br />
easier, it also helps the developers identify missing and duplicated requirements.<br />
The test effort must show correctness and completeness in fulfilling the product<br />
requirements. Correctness means that the software operation performs exactly as it<br />
is intended, fulfills the matched requirement, and takes appropriate action for fault<br />
detections. Completeness means that all requirements have been met.<br />
MANAGE THE CHANGES<br />
It is essential for the development team to maintain control over changing<br />
requirements. Documents should be properly identified and include revision history.<br />
Formal reviews should be held with meeting minutes that include issue resolution<br />
and agreed action items. If decisions are made that affect requirements, the team<br />
must go back through the process and judge the impact on other parts of the product.<br />
The project manager must review and assure completion of all action items. More<br />
importantly, the team must translate informal resolutions of design issues to the<br />
design documents. Not every design decision is made by a formal review; many<br />
decisions can and should be made at the level appropriate for implementing the<br />
decision. When decisions are made in this manner, the appropriate design<br />
documents should be updated. The document trail serves to inform all project<br />
stakeholders of the changes.<br />
SAFETY PLC SOFTWARE TECHNIQUES<br />
Failures in software do not occur randomly, nor does software "wear out"; all<br />
software failures are designed into the system. When a certain combination of<br />
inputs, timing or data presents the right conditions to the system, it will fail every<br />
time. For this reason, failures in software systems are known as "systematic"<br />
failures. To make certain the software is performing as intended, therefore, the<br />
software must check itself to make sure it has done what it was intended to do. Software<br />
diagnostics are programmed into embedded code. One of the most effective<br />
software diagnostics is "flow control." Program flow checking makes sure essential<br />
functions execute in the correct sequence. At key points in the program, a "flag" is<br />
set, preferably with a time stamp (Figure 2). At the end of each program scan the<br />
flags are checked. All flags must be set in the correct sequence. If time stamps are<br />
also used, the time difference between flag settings can be compared with<br />
reference values for further error detection.<br />
Figure 2 (diagram not reproduced): Program Segment 1 sets Flag 1 with Time Stamp T1, Program Segment 2 sets Flag 2 with Time Stamp T2, Program Segment 3 sets Flag 3 with Time Stamp T3, Program Segment 4 sets Flag 4 with Time Stamp T4, ..., Program Segment n sets Flag n with Time Stamp Tn.<br />
Check Program Flow: Tn > T4 > T3 > T2 > T1<br />
T2 - T1 = Δt1, T3 - T2 = Δt2, T4 - T3 = Δt3, Tn - T4 = Δt4<br />
Check Timing: ΔT1 ... (remainder of the figure is cut off in this copy)<br />
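The end-of-scan flow and timing check described above, as an added example in Python rather than code from the paper or from any PLC vendor: each segment records its flag with a time stamp, and the check verifies the sequence 1..n and compares each segment's duration with assumed reference limits.

```python
"""Program flow checking with sequence flags and time stamps.

Constructed example, not the paper's code: each program segment sets its flag
with a time stamp; at the end of the scan the flags are checked for the correct
sequence and the time differences are compared with reference limits.
"""


def check_program_flow(flags, n_segments, limits_ms):
    """End-of-scan check.

    flags      : list of (segment_number, time_stamp_ms) recorded during the scan
    n_segments : number of segments that must have run, in order 1..n
    limits_ms  : {segment: (min_ms, max_ms)} reference duration of a segment,
                 measured as the time from its flag to the next segment's flag
                 (the last segment has no following flag and is not timed here)
    Returns a list of fault descriptions; an empty list means the scan passed.
    """
    faults = []
    sequence = [seg for seg, _ in flags]
    expected = list(range(1, n_segments + 1))
    if sequence != expected:
        missing = sorted(set(expected) - set(sequence))
        repeated = sorted({s for s in sequence if sequence.count(s) > 1})
        faults.append(f"flow error: expected {expected}, got {sequence}, "
                      f"missing {missing}, repeated {repeated}")
        return faults          # sequence is broken, so timing is meaningless
    for (seg_prev, t_prev), (seg, t) in zip(flags, flags[1:]):
        if t <= t_prev:        # time stamps must be strictly increasing
            faults.append(f"flow error: T{seg}={t} is not after T{seg_prev}={t_prev}")
            continue
        lo, hi = limits_ms[seg_prev]
        delta = t - t_prev
        if not lo <= delta <= hi:
            faults.append(f"timing error: segment {seg_prev} took {delta} ms, "
                          f"reference {lo}..{hi} ms")
    return faults


def run_scan(durations_ms, start_ms=0, skip=None):
    """Simulate one scan and return its flag list (constructed test driver).

    durations_ms : execution time of segments 1..n
    skip         : segment number whose flag is not set (injected flow fault)
    """
    flags, now = [], start_ms
    for seg, duration in enumerate(durations_ms, start=1):
        if seg != skip:
            flags.append((seg, now))   # flag set at the start of the segment
        now += duration
    return flags


if __name__ == "__main__":
    limits = {1: (1, 5), 2: (2, 10), 3: (1, 5)}   # assumed reference values
    print("good scan   :", check_program_flow(run_scan([3, 7, 3, 4]), 4, limits))
    print("skipped seg :", check_program_flow(run_scan([3, 7, 3, 4], skip=3), 4, limits))
    print("slow segment:", check_program_flow(run_scan([3, 17, 3, 4]), 4, limits))
```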
Another software diagnostic is called "reasonableness checking." When the results<br />
of computations should always be within known limits, the computed outputs can be<br />
tested to see if they exceed those known limits. In this way systematic faults can be<br />
detected before an erroneous system action occurs. Aside from computational<br />
results, many states and values are derived and stored within software control.<br />
When values are mutually exclusive, additional reasonableness checks on this data<br />
can flag faults before erroneous states occur. The same mechanism can be used<br />
for message schemes between software-based systems.<br />
The data used in a safety PLC must be protected from corruption. Critical data is<br />
identified by analyzing the execution flow of critical software functions. Often done<br />
with dataflow diagrams, this analysis identifies the software processes that perform<br />
critical functions found in the safety requirements. These functions include both the<br />
diagnostics and the execution of the user safety program. The data associated with<br />
these software processes is termed critical data. Critical data must be stored in a<br />
manner that cannot become corrupted in an undetected manner by systematic<br />
software fault or by hardware failure.<br />
Figure 3 shows a dataflow diagram with a chain of processes and a reverse<br />
calculation check on critical data. Process #8 provides a crosscheck on processes<br />
#1 through #3 to detect an error in the normal process chain. While processes #1-<br />
#3 may provide a high accuracy result based on product specifications, process #8<br />
provides a comparison of that result within the product safety accuracy, which is<br />
usually less accurate but will detect an erroneous software condition.<br />
Figure 3: Dataflow Diagram With Reverse Calculation Comparison (diagram not reproduced: processes #1 to #9, with process #8 "background compare" and process #9 "report error")<br />
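The reasonableness check and the reverse-calculation crosscheck of Figure 3, as an added example that is not the paper's code: a constructed three-process forward chain converts ADC counts to engineering units, a simpler independent process #8 recomputes the expected counts from the result, and a mismatch larger than the assumed safety accuracy (2% of span) is reported; the forward chain can be swapped for a deliberately corrupted one to show the check catching an injected fault.

```python
"""Reasonableness check and reverse-calculation crosscheck on critical data.

Constructed example, not the paper's code.  Processes #1-#3 form the
high-accuracy forward chain (ADC counts -> mV -> temperature-compensated mV ->
engineering units).  Process #8 recomputes the expected ADC counts from the
result with a simpler, independent model, and process #9 reports an error when
the two disagree by more than the product safety accuracy.  All ranges and
coefficients below are assumed values.
"""

SPAN_LO, SPAN_HI = 0.0, 1000.0            # engineering range of the channel (kPa)
MV_LO, MV_HI = 1000.0, 5000.0             # live-zero input: 1 V .. 5 V covers the span
ADC_FULL_SCALE_MV, ADC_COUNTS = 5000.0, 65535   # 16-bit ADC over 0 .. 5 V
SAFETY_ACCURACY = 0.02 * (SPAN_HI - SPAN_LO)    # 2 % of span, as in the requirement example
COUNTS_PER_UNIT = (MV_HI - MV_LO) / (SPAN_HI - SPAN_LO) * ADC_COUNTS / ADC_FULL_SCALE_MV
TOLERANCE_COUNTS = SAFETY_ACCURACY * COUNTS_PER_UNIT


# Processes #1-#3: high-accuracy forward chain
def process_1_counts_to_mv(counts):
    return counts * ADC_FULL_SCALE_MV / ADC_COUNTS


def process_2_temperature_compensation(mv, temp_c):
    return mv * (1.0 + 0.0002 * (temp_c - 25.0))   # assumed gain drift, 0.02 % per degree C


def process_3_scale_to_engineering(mv):
    return SPAN_LO + (SPAN_HI - SPAN_LO) * (mv - MV_LO) / (MV_HI - MV_LO)


def forward_chain(counts, temp_c):
    mv = process_1_counts_to_mv(counts)
    return process_3_scale_to_engineering(process_2_temperature_compensation(mv, temp_c))


# Process #8: reverse calculation with an independent, deliberately simpler model
def process_8_reverse_counts(value):
    mv = MV_LO + (MV_HI - MV_LO) * (value - SPAN_LO) / (SPAN_HI - SPAN_LO)
    return mv * ADC_COUNTS / ADC_FULL_SCALE_MV


def reasonableness_faults(value):
    """A computed value can never lie outside the span by more than the safety accuracy."""
    if (SPAN_LO - SAFETY_ACCURACY) <= value <= (SPAN_HI + SAFETY_ACCURACY):
        return []
    return [f"reasonableness: {value:.1f} outside span {SPAN_LO:.0f}..{SPAN_HI:.0f}"]


def evaluate_channel(counts, temp_c, forward=forward_chain):
    """Run the forward chain, then the background compare (processes #8 and #9).

    `forward` may be replaced by a deliberately corrupted chain in a software
    fault injection test; the crosscheck must then report the error.
    """
    value = forward(counts, temp_c)
    faults = reasonableness_faults(value)
    expected_counts = process_8_reverse_counts(value)
    if abs(expected_counts - counts) > TOLERANCE_COUNTS:
        faults.append(f"reverse calculation: value {value:.1f} implies {expected_counts:.0f} "
                      f"counts, measured {counts}, tolerance {TOLERANCE_COUNTS:.0f}")
    return {"value": value, "faults": faults}


if __name__ == "__main__":
    print("normal    :", evaluate_channel(39321, 25.0))
    print("warm      :", evaluate_channel(39321, 60.0))
    # injected systematic fault: a corrupted scale factor in the forward chain
    print("corrupted :", evaluate_channel(39321, 25.0,
                                          forward=lambda c, t: forward_chain(c, t) * 1.1))
    print("open loop :", evaluate_channel(0, 25.0))
```

The compensation term keeps the two models from being identical, so the crosscheck only flags differences beyond the safety accuracy, as the text describes.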
FIREWALLS AROUND CRITICAL FUNCTIONS<br />
When safety critical functions must be combined with non-safety critical functions,<br />
the design must include sufficient safeguards for non-interference. This means that<br />
any non-safety operations, like data acquisition from a safety system to a plant<br />
manager console screen, cannot hamper or inhibit in any way the safe operation or<br />
fault detection mechanisms of the safety system. If any non-safety functions have<br />
the possibility of writing data to a safety system, the writes must be under controlled<br />
circumstances in an allowed configuration mode. The system design must reject any<br />
unexpected changes to the system.<br />
SOFTWARE COMPLEXITY<br />
<strong>Safety</strong> PLC standards demand special techniques to reduce software complexity.<br />
Operating systems are carefully examined for task interaction. Real-time interaction,<br />
such as multitasking and interrupts, is avoided. This is because many of the most<br />
insidious software faults have been traced to unanticipated interaction between<br />
software programs and common resources used by multiple software tasks. When<br />
multi-tasking is used, real time interaction of tasks requires extensive review and<br />
testing. It is especially important to avoid the use of common resources, such as I/O<br />
registers and memory, by asynchronous tasks in a multi-tasking environment.<br />
TESTING<br />
Extra software testing techniques are required for safety PLCs during software<br />
development. The findings and assumptions of the criticality analysis must be<br />
proven. A series of "software fault injection" tests must be run to verify data integrity<br />
checking. The programs are deliberately corrupted during testing to ensure a<br />
predictable, safe response of the software. Hardware emulators, specific to the<br />
microprocessor, are often used to set break points and alter program data; the<br />
program is then allowed to continue to see if the fault was detected. An alternative test<br />
method uses custom software built into the program. This requires a monitor<br />
program to accept user input about special test codes. These test codes invoke<br />
fault injection functions that are time dependent and not easily performed by an<br />
emulator. The testing must be fully documented such that third-party inspectors can<br />
understand the operation. While this activity is not justified in most software<br />
development, this is exactly how the most harmful and covert software design faults<br />
are uncovered.<br />
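As an added illustration of the fault injection testing described above (not code from the paper or from any exida product), the following constructed example stores a safety-critical 16-bit value redundantly (value, one's complement, CRC-8) and then runs two injection campaigns against it: every single-bit flip in the stored record, and a "compensating" flip that alters the value and its shadow copy together. The record layout, CRC parameters and function names are assumptions made for the example; the second campaign shows the kind of covert weakness that only deliberate corruption exposes, because the complement check alone passes it.<br />

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example: a safety-critical 16-bit setpoint stored as
 * raw[0..1] = value (little-endian), raw[2..3] = ~value, raw[4] = CRC-8.
 * Layout, polynomial and names are hypothetical. */
enum { PROT_LEN = 5 };
typedef struct { uint8_t raw[PROT_LEN]; } protected_u16_t;

/* CRC-8, polynomial 0x31 (x^8 + x^5 + x^4 + 1), MSB-first, init 0xFF. */
static uint8_t crc8(const uint8_t *data, size_t len) {
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x31 : crc << 1);
    }
    return crc;
}

/* Write the value together with its complement and CRC. */
void protected_store(protected_u16_t *p, uint16_t v) {
    uint16_t inv = (uint16_t)~v;
    p->raw[0] = (uint8_t)(v & 0xFF);   p->raw[1] = (uint8_t)(v >> 8);
    p->raw[2] = (uint8_t)(inv & 0xFF); p->raw[3] = (uint8_t)(inv >> 8);
    p->raw[4] = crc8(p->raw, 4);
}

/* Weaker scheme: only the complement relation is verified. */
bool complement_check(const protected_u16_t *p) {
    uint16_t v   = (uint16_t)(p->raw[0] | (p->raw[1] << 8));
    uint16_t inv = (uint16_t)(p->raw[2] | (p->raw[3] << 8));
    return v == (uint16_t)~inv;
}

/* Full check run before the value is used: complement and CRC must hold. */
bool protected_check(const protected_u16_t *p) {
    return complement_check(p) && p->raw[4] == crc8(p->raw, 4);
}

/* Fault injection primitive: XOR a mask into one stored byte. */
static void inject(protected_u16_t *p, size_t byte, uint8_t mask) {
    p->raw[byte] ^= mask;
}

/* Campaign 1: every single-bit flip in the record. Returns how many of the
 * injected faults the full check failed to detect (expected: none). */
unsigned undetected_single_flips(uint16_t v) {
    unsigned undetected = 0;
    for (size_t byte = 0; byte < PROT_LEN; byte++) {
        for (int bit = 0; bit < 8; bit++) {
            protected_u16_t p;
            protected_store(&p, v);
            inject(&p, byte, (uint8_t)(1u << bit));
            if (protected_check(&p)) undetected++;
        }
    }
    return undetected;
}

/* Campaign 2: flip the same bit in the value and in its shadow copy, which
 * leaves the complement relation intact. Returns true if the supplied check
 * still reports the corruption. */
bool compensating_flip_detected(uint16_t v, int bit,
                                bool (*check)(const protected_u16_t *)) {
    protected_u16_t p;
    protected_store(&p, v);
    inject(&p, 0, (uint8_t)(1u << bit));   /* low byte of value  */
    inject(&p, 2, (uint8_t)(1u << bit));   /* low byte of ~value */
    return !check(&p);
}
```

Every single-bit flip is caught by the full check. The compensating flip passes complement_check() but is still caught by protected_check(), because the two flipped bits sit 16 positions apart in the CRC input and x^16 + 1 is not a multiple of the CRC polynomial. On real hardware the same campaigns would be driven through an emulator break point or a monitor test code rather than a function call, but the pass criterion is identical: the corruption must be detected and the safe response taken.<br />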
FAULT AND CHANGE TRACKING<br />
When suspected problems are found in the software design or code, they must be<br />
recorded and reviewed using a formal system [8]. Not every reported problem is a<br />
real defect, and these should be discarded with rationale for the determination. Not<br />
every problem found is reliability or safety related. When a problem is investigated<br />
Copyright exida.com L.L.C. 2000 Page 6 of 8
Techniques for achieving reliability<br />
in safety PLC embedded software<br />
and deemed important enough to fix, the development team should perform an<br />
impact analysis of the suspected defect. The analysis should include:<br />
• Accurate problem description<br />
• Effect of the problem on critical functions<br />
• Description of the proposed solution<br />
• Effect of the proposed solution on safety functions<br />
A database should contain all necessary details of activity related to problem<br />
identification and tracking. Items to clearly identify in this database are:<br />
• Author, date, and product/version where problem was found<br />
• Problem description, with any particular test setup details or circumstances<br />
• Implementer log that includes change notes and files affected<br />
• Authorization notes for accepting the change<br />
• Time estimates and actual time used<br />
• Test data to see that the fix was correct<br />
SOFTWARE PROCESS IMPROVEMENT<br />
Problems discovered in the software development process that involve safety<br />
critical functions must be treated with great scrutiny. The step in the development<br />
process where the problem occurred should be identified [9]. Some problems can<br />
be traced to design or implementation, but the greater number of problems is often<br />
traced to missing or inadequately defined requirements. When the latter case<br />
occurs, the lifecycle model loop must be reviewed to determine where to start<br />
implementation of the fix and any related documents that need to change.<br />
It is also useful to identify what error detection step in the development process<br />
should have found the problem. If the problem was discovered at a later step in the<br />
process, improve the process for future developments [9]. While it sometimes<br />
seems like a problem is isolated to a specific area of software, it is often the case<br />
that the problem is more far-reaching. The design documentation referenced by the<br />
problem area must be reviewed for non-obvious interface effects. For example,<br />
there can be subtle timing elements that could affect message schemes that are<br />
safety critical, or an uncommon but plausible mode of operation may inhibit a critical<br />
diagnostic under specific conditions.<br />
Any quality control effort's goal is to find the root cause and fix the process in an<br />
irreversible way. An effective problem tracking system will aid in closing the loop on<br />
problem solving that includes both internal process improvement and field failure<br />
analysis. The system can serve as the repository of all investigative findings and<br />
include resolution details.<br />
CONCLUSION<br />
International standards for safety PLC software design require an excellent software<br />
development process and special software design and test techniques. According to<br />
the group of international experts on these standards committees, these techniques<br />
will produce more reliable software. A PLC that meets these standards provides value<br />
through high safety and high availability in fault tolerant programmable systems. A<br />
PLC that meets these standards should be accepted by regulators for the safety level<br />
to which it was approved.<br />
REFERENCES<br />
1. Goble, W. M., "Meeting <strong>Safety</strong> Standards with Matrix Programming," Proceedings of the<br />
Automation Exhibition, ISA, Cincinnati, OH, 1999.<br />
2. IEC 61508, <strong>Functional</strong> <strong>Safety</strong> of electrical/electronic/programmable electronic safety-related<br />
systems, International Electrotechnical Commission, Geneva, Switzerland, 1998.<br />
3. DIN V VDE 0801 A1, Grundsätze für Rechner in Systemen mit Sicherheitsaufgaben, Änderung<br />
A1, 1994.<br />
4. Goble, W. M., Bukowski, J. V. and Brombacher, A. C., "How diagnostic coverage improves<br />
safety in programmable electronic systems," ISA Transactions, Vol. 36, No. 4, Elsevier Science B. V.,<br />
Amsterdam, The Netherlands, 1998.<br />
5. Goble, W. M., Control System <strong>Safety</strong> Evaluation and Reliability, ISA, Raleigh, N.C., 1998.<br />
6. Leveson, N. G., Safeware: System <strong>Safety</strong> and Computers, Addison-Wesley, Reading, MA,<br />
1995.<br />
7. Lawrence, J. D., and Preckshot, G. G., "Design Factors for <strong>Safety</strong>-Critical Software," Report<br />
NUREG/CR-6294, Lawrence Livermore National Laboratory, 1994.<br />
8. Mavis, S. A., "An Organized Way of Tracking Faults in the Development Process," Proceedings<br />
of the International Symposium of Engineered Software Systems (ISESS), Malvern, PA, USA,<br />
May 1993, World Scientific, London, UK, 1993.<br />
9. Bukowski, J. V., and Goble, W. M., "Software-reliability feedback: A physics of failure<br />
approach," 1992 Proceedings of the Annual Reliability and Maintainability Symposium, IEEE,<br />
New York, NY, 1992.<br />