21/07/2017
1
Functional Safety Demystified
Bob Weiss - Functional Safety Consultant
IICA Technical Evening – 19th July 2017
21 July, 2017 – IICA - FUNCTIONAL SAFETY DEMYSTIFIED – 1
Purpose
TOPICS
What is Functional Safety?
◦ SIS, SIF and SIL
Standards IEC 61508 and IEC 61511
An example to demonstrate compliance
4.5 day TÜV FSEng course in 45 minutes!
◦ One day course also available
Explains how to comply with AS IEC 61511-2004 using a case study
What is Functional Safety?
New term in IEC 61508 (introduced in 1999)
Part of Overall Safety
◦ freedom from unacceptable risk
Achieved by a Safety Instrumented System (SIS)
◦ E/E/PE Safety System in IEC 61508
◦ Examples:
◦ Trip System
◦ Emergency Shutdown System
◦ Burner Management System
◦ Includes field devices as well as logic solver
A SIS places or maintains a process in a safe state
◦ Process = Equipment Under Control (EUC) in IEC 61508
◦ Implements Safety Instrumented Functions (SIFs)
◦ Each SIF achieves a Safety Integrity Level (SIL)
Acronyms to remember: SIS, SIF and SIL!
IEC 61508 or IEC 61511
Integrators & users in the process industries can use either IEC 61508 or IEC 61511
IEC 61511 is generally simpler to apply
[Diagram of scope: IEC 61508 covers SIS device manufacturers, SIS integrators & users at SIL 1-3 and SIS integrators & users at SIL 4; IEC 61511 covers SIS integrators & users at SIL 1-3 for the process industries]
Why Functional Safety?
Buncefield, England 11 Dec 2005
Storage tank level gauge showed constant reading
High level switch left in test mode
Gasoline tank overflowed
Mist exploded
◦ largest peacetime explosion in Europe
◦ 20 tanks on fire
◦ burned for three days
◦ significant environmental impact
◦ hundreds of millions of pounds damage
Should have complied with IEC 61511.
Basic Terminology
[Diagram: a Safety Instrumented System (SIS) built around a logic solver (e.g. safety PLC). It implements two Safety Instrumented Functions (SIFs), SIF 1: TZH1234 and SIF 2: PZHH1234, each with its own Safety Integrity Level (SIL 2 and SIL 1 are shown). The components are grouped into subsystems: the sensing subsystem (two temperature transmitters, a pressure transmitter, a flow transmitter), the logic subsystem (the logic solver) and the final element subsystem (a shut-off valve with solenoid, a globe valve with solenoid, a relay in the MCC).]
Safety Integrity Level vs. Risk Reduction
For Demand Mode SIFs only

SIL   | Probability of Failure on Demand (PFDavg) | Risk Reduction Factor (RRF) | Safety Availability
      | = 1 / RRF                                 | = 1 / PFDavg                | = 100 (1 – PFDavg) %
4     | ≥ 10^-5 and < 10^-4                       | > 10,000                    | > 99.99%
3     | ≥ 10^-4 and < 10^-3                       | > 1,000 and ≤ 10,000        | > 99.9 and ≤ 99.99%
2     | ≥ 10^-3 and < 10^-2                       | > 100 and ≤ 1,000           | > 99 and ≤ 99.9%
1     | ≥ 10^-2 and < 10^-1                       | > 10 and ≤ 100              | > 90 and ≤ 99%
BPCS* | ≥ 10^-1                                   | ≤ 10                        | ≤ 90%

PFDavg is used to specify the SIL achieved; the Risk Reduction Factor is used to specify the SIL required.
* Basic Process Control System
Safety Lifecycle – IEC 61511
[Diagram: the IEC 61511 safety life-cycle, with the phases numbered as in the standard's figure]
1 Hazard and risk assessment
2 Allocation of safety functions to protection layers
3 Safety requirements specification for the safety instrumented system
4 Design and engineering of safety instrumented system
5 Installation, commissioning and validation
6 Operation and maintenance
7 Modification
8 Decommissioning
9 Design and development of other means of risk reduction
10 Management of functional safety and functional safety assessment and auditing
11 Safety life-cycle structure and planning
Verification (alongside every phase)
Roles shown against the phases: Engineering Contractor, SIS Vendor, End User
Complying with IEC 61511
Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Random failure rate (PFDavg)
◦ Architectural constraints (hardware fault tolerance)
◦ Systematic capability for each component
◦ Field devices, logic solver, shutdown valves etc.
Not just TÜV certification
◦ Though it helps !
Not just meeting PFDavg target.
Comply Throughout Lifecycle
For the rest of the presentation we’ll follow the SIS lifecycle
What do we need to do to comply at each stage?
See the following example…
◦ Only the main elements of compliance are covered.
1 Hazard and Risk Assessment
[IEC 61511 safety life-cycle diagram, as on the Safety Lifecycle slide, with this phase highlighted]
Output is a list of hazardous events with their process risk and acceptable risk.
A hazard
A “potential source of harm”
300t of Liquefied Petroleum Gas can potentially cause harm
Hazardous Event Example – BLEVE (video)
[P&ID: 300t LPG tank with feed (P-1), product (P-2), pressure safety valve PSV-1 and level controller LIC-1]
Identify Hazardous Events: HAZOP
[P&ID as before, with a high level alarm (H) added]
Node: LPG Tank
Guideword: HIGH LEVEL
Consequence: High Pressure, possible tank rupture & major fire
Existing Controls: Pressure Safety Valve (PSV-1)
New Controls: Add High Level Alarm
Risk
The product of severity and likelihood
“The expected value of loss”
[Risk matrix: consequence severity (Minor, Medium, Major) against likelihood of occurrence, with cells rated LOW, MEDIUM or HIGH]
Risk reduction concept
[Risk reduction diagram: along an axis of increasing risk the diagram places residual risk, acceptable risk and process risk. The necessary risk reduction is the gap between process risk and acceptable risk; the actual risk reduction is the overall risk reduction achieved by all means, made up of partial risk reduction by the SIS and partial risk reduction by “other means of risk reduction”.]
Is risk acceptable ?
[Event sequence diagram for the hazard - 300t of LPG]
Process under control: Level stable
Process deviation or disturbance: Control valve sticks
Process out of control: Level Increasing
Hazardous situation: High Pressure
Hazardous event: Vessel fails
Impact / Consequence: 300t of boiling LPG released - likely major fire and fatalities
Protection layers shown against the sequence: LAH Alarm, PSV
What is risk? Is it tolerable?
Risk Analysis - Layers of Protection
[Layers of protection diagram: the hazardous situation occurs 1 per y; the target is 1 per 10,000 y, so the required risk reduction is x 10,000. Layers between the process and the hazardous event: Process Control System (BPCS), Alarm LAH, Mechanical PSV. Credits shown: x 100 and x 1 – only x 100 available in total!]
2 Allocation of Safety Functions
Often called SIL Assessment, SIL Analysis or SIL Determination
[IEC 61511 safety life-cycle diagram, as on the Safety Lifecycle slide, with this phase highlighted]
Output is a list of Safety Instrumented Functions together with their required Safety Integrity Level.
Risk is unacceptable - reduce further
[Event sequence diagram for the hazard - 300t of LPG, as before]
Process under control: Level stable
Process deviation or disturbance: Control valve sticks
Process out of control: Level Increasing
Hazardous situation: High Pressure
Hazardous event: Vessel fails
Impact / Consequence: 300t of boiling LPG released - likely major fire and fatalities
Protection layers shown against the sequence: LAH Alarm, LZHH Trip, PSV
How do we reduce risk further?
Add a high level trip
[P&ID: 300t LPG tank, feed (P-1), product (P-2), PSV-1, LIC-1 with high level alarm (H), plus the new high level trip LZHH-2 with level transmitter LZT-2]
High Level Trip LZHH2 added
◦ Shuts off flow when High High level reached
Layers of Protection – SIL assessment
[Layers of protection diagram as before, with SIF LZHH added as a further layer. Hazardous situation: 1 per y; target: 1 per 10,000 y; required: x 10,000. Process Control System (BPCS), Alarm LAH and Mechanical PSV give x 100 and x 1; SIF LZHH: x 100, SIL 2.]
SIF must reduce risk by 10,000/100 = 100
Safety Integrity Level vs. Risk Reduction
For Demand Mode SIFs only
[Table of SIL against PFDavg, Risk Reduction Factor and Safety Availability, repeated from the earlier slide of the same title]
Phase 1 & 2 Compliance Achieved !
Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ random failure rate (PFDavg)
◦ Systematic Capability of each component
3 Safety Requirements Specification - SRS
Defines functional and integrity requirements of SIS
[IEC 61511 safety life-cycle diagram, as on the Safety Lifecycle slide, with this phase highlighted]
Output is a set of documents ready for detail design.
Safety Requirements Specification
Functional Requirements
◦ desired behaviour of each SIF
◦ behaviour in response to faults
◦ timing requirements
◦ human machine interface
◦ normal and abnormal modes of operation
◦ bypass requirements
◦ etc.
Safety Integrity Requirements
◦ Safety Integrity Level for each SIF
◦ basis for SIL
◦ testing requirements
◦ special requirements to maintain SIL
◦ etc.
Cause-and-Effect Diagram
SIFs commonly documented by Cause and Effect diagrams
Should include required SIL somewhere – examples:

Columns: Tag# | Description | SIF | Instrument Range | Trip Point | Units | Close valve LZV-02 | Close valve UV-03A | Close valve UV-03B | Opens valve UV-03C | Set LIC1 to MAN, OP=0
Rows (cells as extracted from the slide):
BS-01 | Burner Loss of Flame | 12 | ~ | ~ | X X X
PSL-01 | Fuel Gas Pressure Low | ~ | 7 | X X X
LZHH-02 | LPG Tank High High Level | 13 | 0-3500 | 3200 | mm | 2 | 0
4 Design and Engineering
SIS vendor or contractor for logic solver
EPC contractor or end-user for field hardware
[IEC 61511 safety life-cycle diagram, as on the Safety Lifecycle slide, with this phase highlighted]
Standards Compliance
Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ Random failure rate (PFDavg)
◦ Systematic Capability of each component
Types of failures
Random failures – components (“elements”) wear out
◦ use high reliability components
◦ use redundant components
◦ test frequently
◦ automated and/or manual
Systematic failures – human error
◦ redundant components provide no protection!
◦ “techniques and measures” to
◦ avoid faults
◦ detect faults to avoid failures
◦ Functional Safety Management System
◦ quality system for functional safety
Control of systematic failures
For integration of components into a system (SIS):
◦ Functional Safety Management System (FSMS)
◦ for all phases of lifecycle including operation
◦ quality system for SIS
◦ verification, validation, audit and assessment
◦ can comply with either IEC 61511 or IEC 61508
Within each component:
◦ ensure quality design in accordance with IEC 61508
◦ ensure appropriate techniques and measures from IEC 61508 used for the SIL of the target SIF
◦ measured by the term “systematic capability”
◦ SC 1 to 4 corresponding to SIL 1 to 4
◦ Formerly called “SIL x Capability”
◦ independent certification or “prior use”
Measures to avoid or control failures
Systematic techniques to specify hardware and software requirements
Design requirements
Requirements management techniques
Revision control
Testing techniques
Documentation control
Project management
. . .
Functional Safety Management System
Quality system with safety aspects
Safety management system that includes:
◦ policy and strategy to achieve safety
◦ responsible persons, departments, organizations
◦ relationship between those responsible and allocation to safety lifecycle phases
◦ selected “techniques and measures”
◦ references to the deliverables
◦ the functional safety assessment process (Functional Safety Assessment Plan)
◦ procedures for ensuring prompt follow-up of actions from hazard and risk analysis, verification, validation etc.
◦ configuration and change management
◦ . . .
Competence must be managed
Competence of all involved, including management, shall be managed
◦ engineering knowledge, training and experience appropriate to the
◦ process technology
◦ SIS technology
◦ field devices used
◦ hazard & risk analysis
◦ knowledge of the legal and regulatory requirements
◦ relevant management and leadership skills
Appropriate to the
◦ potential consequence of the event
◦ SIL of the SIF
◦ novelty and complexity of the application and technology
Manage using a procedure and regular assessments
◦ e.g. competency matrix updated at annual performance reviews
SIL Verification
[P&ID as before, with SIF LZHH-2 (transmitter LZT-2) marked SIL 2]
Does the design of SIF LZHH2 meet SIL 2?
Standards Compliance
Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ Random failure rate (PFDavg)
◦ Systematic Capability of each component
Hardware Fault Tolerance
“Architectural constraints” in IEC 61508
Aim is to avoid unrealistic reliability claims from single components
◦ Use IEC 61508-2 (Route 1H): constrains SIF architecture based on:
◦ Safe Failure Fraction
◦ complexity of device (“Type A” or “Type B”)
◦ target SIL
OR use Table 6 in IEC 61511-1 2016 Ed. 2
◦ simplified, relaxes previous unrealistic restrictions
◦ based on IEC 61508 Route 2H
◦ see next slide
Outcome is required minimum Hardware Fault Tolerance (HFT)
◦ no. of voted devices minus no. required to perform safety function
◦ For MooN architecture, HFT = N - M
Case Study: Hardware Fault Tolerance
HFT IEC 61511 Ed. 2 Table 6
Radar gauge, smart device assumptions
◦ Diagnostic Coverage > 60%
◦ We know λDU with confidence limit > 70%
◦ SIF operates in Low Demand mode
For SIL 2 min HFT = 0 (see below)
◦ Only one device required

SIL | Mode                      | Minimum required HFT
1   | Any                       | 0
2   | Low demand                | 0
2   | High demand or continuous | 1
3   | Any                       | 1
4   | Any                       | 2
Safe Failure Fraction
Block valve, normally open & normally energized
In case of an out of control process, the valve has to close
[Failure classification diagram: SAFE failures – the valve closes spontaneously due to loss of energy, either detected by voltage control or undetected; DANGEROUS failures – the valve is stuck at open, either detected by diagnostics or undetected. The Safe Failure Fraction (SFF) is the proportion of all failures that are safe or dangerous-but-detected.]
Architectural Constraints – IEC 61508-2

Table 2 – Type A Subsystems, e.g. pressure switches
Safe Failure Fraction | HFT 0  | HFT 1  | HFT 2
< 60%                 | SIL 1* | SIL 2* | SIL 3*
≥ 60 < 90%            | SIL 2  | SIL 3  | SIL 4
≥ 90 < 99%            | SIL 3  | SIL 4  | SIL 4
≥ 99%                 | SIL 3  | SIL 4  | SIL 4

Table 3 – Type B Subsystems, e.g. logic solver, smart transmitters
Safe Failure Fraction | HFT 0       | HFT 1  | HFT 2
< 60%                 | Not allowed | SIL 1  | SIL 2
≥ 60 < 90%            | SIL 1*      | SIL 2* | SIL 3*
≥ 90 < 99%            | SIL 2       | SIL 3  | SIL 4
≥ 99%                 | SIL 3       | SIL 4  | SIL 4

* IEC 61511-2003 HFT for field devices
For MooN, N - M = HFT
Case Study: Architectural Constraints
[P&ID as before, with SIF LZHH-2 and transmitter LZT 2]
Transmitter LZT 2 is a smart radar gauge
Can we use single transmitter to satisfy SIL 2?
Must also check for logic solver and valve
Case Study: Architectural Constraints
Smart Transmitter = Type B device
◦ use Table 3 in IEC 61508-2 (Type B subsystems table above)
Safe Failure Fraction = 91%
◦ from certificate
For SIL 2, required Hardware Fault Tolerance = 0
Therefore one transmitter is ok for SIL 2
LZT 2
Standards Compliance
Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ Random failure rate (PFDavg)
◦ Systematic Capability of each component
SIL Verification
[P&ID as before, with SIF LZHH-2 marked SIL 2]
What is calculated “PFDavg” for SIF LZHH-2?
Safety Integrity Level vs. Risk Reduction
For Demand Mode SIFs only
[Table of SIL against PFDavg, Risk Reduction Factor and Safety Availability, repeated from the earlier slide of the same title]
Case Study: PFD Calculation
Test interval = 1 y
Reliability data:
◦ Valve: λDU = 1/20y (= 0.05 y^-1)
◦ Logic solver: λDU = 1/1000y (= 0.001 y^-1)
◦ Sensor: λDU = 1/100y (= 0.01 y^-1)
PFDavg = λDU x TI / 2
= 0.05 x 1 / 2 = 0.025 for valve
= 0.001 x 1 / 2 = 0.0005 for logic solver
= 0.01 x 1 / 2 = 0.005 for transmitter
Total PFDavg = 0.025 + 0.0005 + 0.005 = 0.0305
Calculated SIL = 1 (PFDavg range 0.01 – 0.1)
Required SIL = 2 Not OK!
How can this be fixed?
[Diagram: SIF LZHH 2 – transmitter LZT 2, logic solver, valve LZV 2]
Case Study: Adjust Test Interval
Test interval = 1 month
Reliability data:
◦ Valve: λDU = 1/20y (= 0.05 y^-1)
◦ Logic solver: λDU = 1/1000y (= 0.001 y^-1)
◦ Sensor: λDU = 1/100y (= 0.01 y^-1)
PFDavg = λDU x TI / 2
= 0.05 / 12 / 2 = 0.002 for valve
= 0.001 / 12 / 2 = 0.00004 for logic solver
= 0.01 / 12 / 2 = 0.0004 for transmitter
Total PFDavg = 0.002 + 0.00004 + 0.0004 = 0.00244
Calculated SIL = 2 (PFDavg range 0.001 – 0.01)
Required SIL = 2 OK
BUT operations object to monthly testing !
[Diagram: SIF LZHH 2 – transmitter LZT 2, logic solver, valve LZV 2]
Case Study: Duplicate Block Valves
Test interval = 1 year
Reliability data:
◦ Valve: λDU = 1/20y (= 0.05 y^-1)
◦ Logic solver: λDU = 1/1000y (= 0.001 y^-1)
◦ Sensor: λDU = 1/100y (= 0.01 y^-1)
For 2 valves 1oo2 voting: PFDavg = 0.0020 (was 0.025)
PFDavg = 0.0020 + 0.0005 + 0.005 = 0.0075
Calculated SIL = 2 (PFDavg range 0.001 – 0.01)
Required SIL = 2 OK
[Diagram: SIF LZHH 2 – transmitter LZT 2, logic solver, valves LZV 2A and LZV 2B]
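The three case-study calculations above, and the SIL banding from the "Safety Integrity Level vs. Risk Reduction" table, worked through in code. This is an added example, not material from the presentation: the 1oo1 formula PFDavg = λDU x TI / 2, the failure rates and the SIL bands are the slides' own; the 1oo2 formula with a common-cause factor β is the simplified IEC 61508-6 form, and β = 5% is an assumption (the slides state only the result, 0.0020 for the duplicated valves).

```python
"""SIL verification for a low-demand SIF with the simplified PFDavg formulas."""

# PFDavg bands for demand-mode SIFs (lower bound inclusive, upper bound exclusive),
# as in the presentation's "Safety Integrity Level vs. Risk Reduction" table.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Case-study dangerous undetected failure rates (lambda_DU, per year) from the slides.
CASE_STUDY = {
    "LZT-2 transmitter": 0.01,  # 1 per 100 y
    "logic solver": 0.001,      # 1 per 1000 y
    "LZV-2 valve": 0.05,        # 1 per 20 y
}


def sil_from_pfd(pfd_avg):
    """SIL achieved for a given PFDavg; 0 means BPCS-level performance (PFDavg >= 0.1)."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd_avg < hi:
            return sil
    return 4  # below 1e-5: the standards define no level above SIL 4


def rrf(pfd_avg):
    """Risk Reduction Factor = 1 / PFDavg."""
    return 1.0 / pfd_avg


def safety_availability(pfd_avg):
    """Safety availability in percent = 100 (1 - PFDavg)."""
    return 100.0 * (1.0 - pfd_avg)


def pfd_1oo1(lambda_du, ti_years):
    """Single device proof-tested every TI years: PFDavg = lambda_DU x TI / 2 (slide formula)."""
    return lambda_du * ti_years / 2.0


def pfd_1oo2(lambda_du, ti_years, beta=0.05):
    """Two identical devices, 1oo2 voting (either one can act), no diagnostics credited.

    Simplified IEC 61508-6 form: independent term ((1 - beta) lambda_DU TI)^2 / 3
    plus common-cause term beta lambda_DU TI / 2. beta = 5% is an assumption;
    the slides give only the result (0.0020 for the case-study valves).
    """
    independent = ((1.0 - beta) * lambda_du * ti_years) ** 2 / 3.0
    common_cause = beta * lambda_du * ti_years / 2.0
    return independent + common_cause


def verify_sif(lambda_du, ti_years, target_sil, voting=None, beta=0.05):
    """Sum the subsystem PFDavg values and compare the achieved SIL with the target.

    voting maps a subsystem name to "1oo1" (default) or "1oo2".
    """
    voting = voting or {}
    pfds = {}
    for name, rate in lambda_du.items():
        arch = voting.get(name, "1oo1")
        if arch == "1oo1":
            pfds[name] = pfd_1oo1(rate, ti_years)
        elif arch == "1oo2":
            pfds[name] = pfd_1oo2(rate, ti_years, beta)
        else:
            raise ValueError("unsupported architecture: " + arch)
    total = sum(pfds.values())  # series combination: any subsystem failing fails the SIF
    achieved = sil_from_pfd(total)
    return {
        "pfd": pfds,
        "total": total,
        "rrf": rrf(total),
        "sil": achieved,
        "meets_target": achieved >= target_sil,
    }


if __name__ == "__main__":
    scenarios = [
        ("annual test, single valve", dict(ti_years=1.0)),
        ("monthly test, single valve", dict(ti_years=1.0 / 12)),
        ("annual test, 1oo2 valves", dict(ti_years=1.0, voting={"LZV-2 valve": "1oo2"})),
    ]
    for label, kwargs in scenarios:
        r = verify_sif(CASE_STUDY, target_sil=2, **kwargs)
        verdict = "OK" if r["meets_target"] else "NOT OK"
        print(f"{label}: PFDavg = {r['total']:.5f}, RRF = {r['rrf']:.0f}, "
              f"SIL {r['sil']} -> {verdict}")
```

The monthly-test total comes out as 0.00254 rather than the slide's 0.00244 because the slide rounds each term before summing; both land in the SIL 2 band.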
Standards Compliance
Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ random failure rate (PFDavg)
◦ Systematic Capability of each component.
How likely is it that each component is free from systematic faults (“bugs”) ?
Control of systematic failures
For integration of components into a system (SIS):
◦ functional safety management system
◦ for all phases of lifecycle including operation
◦ verification, validation, audit and assessment
◦ can comply with either IEC 61511 or IEC 61508
Within each component:
◦ ensure quality design in accordance with IEC 61508
◦ ensure appropriate techniques and measures from IEC 61508 used for the SIL of the target SIF
◦ measured by the term “systematic capability”
◦ SC 1 to 4 corresponding to SIL 1 to 4
◦ formerly called “SIL Capability”
◦ independent certification or “prior use”
Case Study: Transmitter Selection
Must control systematic faults
Transmitter selected must comply with IEC 61508 and IEC 61511
Must either:
be designed and manufactured in accordance with IEC 61508
◦ confirmed by independent certificate (e.g. by a “TÜV” or exida)
◦ Systematic Capability from 1 to 4
◦ i.e. techniques and measures are suitable for SIL 1 to 4
OR
meet requirements for Prior Use (or “proven in use”):
◦ sufficient experience gained in a comparable application
Best practice: require BOTH prior use and certification
Component Certification
An independent organisation certifies that the component meets the requirements of IEC 61508 for a particular SIL
◦ not only “TÜV” !!!
Parts 2 and 3 contain numerous “techniques and measures” required to avoid and control faults
◦ the rigour required increases with SIL
The aim is to reduce the likelihood of systematic faults to an acceptably low level relative to the SIL
The result is expressed as “Systematic Capability” or SC from 1 to 4
◦ corresponding to SIL 1 to 4
◦ was previously called “SIL Capability”
The certificate also usually includes failure data and whether the component is “Type A” or “Type B”
◦ details are in a companion report
Transmitter TÜV Certificate
[certificate image]
Transmitter TÜV Certification
[certificate image, continued]
Prior Use (IEC 61511)
Requires that appropriate evidence is available that the component is suitable based on consideration of:
◦ the manufacturer’s quality systems
◦ adequate identification of the devices
◦ demonstration of performance in similar operating environments
◦ the volume of operating experience
Focus is on demonstrating freedom from systematic faults
IEC 61508 term is “Proven in Use”
◦ more rigorous requirements
Standards Compliance
Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ random failure rate (PFDavg)
◦ Systematic Capability of each component
Design now complies
5 Installation, Commissioning, Validation
Logic Solver installed with field equipment
Includes loop checking, validation and final functional safety assessment.
[IEC 61511 safety life-cycle diagram, as on the Safety Lifecycle slide, with this phase highlighted]
Standards Compliance
Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ random failure rate (PFDavg)
◦ Systematic Capability of each component
Verification, Validation, Functional Safety Assessment
Case Study: Verification and Validation
Project Verification and Validation Plan required
◦ Consider level of independence required (i.e. independent engineer)
◦ Define responsibilities
Verify each phase, e.g.
◦ Verify Safety Requirements Specification
◦ Verify hardware design documents
◦ Verify functional specifications etc
◦ Implement code walkthrough
Logic Solver Factory Acceptance Test
◦ Complete integration test validates application software on target hardware
Logic Solver Site Acceptance Test
◦ Power up test on site
Safety Function Testing
◦ SIS validation
Functional Safety Assessment
Note that terminology is from the ISO9000 discipline
◦ Some disciplines swap the meanings of “verification” and “validation”!
Verification ... build the product right
“activity of demonstrating for EACH PHASE of the relevant safety life cycle by analysis and/or tests, that, for specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase” (IEC 61511 3.2.92)
Performed progressively throughout the lifecycle
Validation ... build the right product
“activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration after installation meets in all respects the SAFETY REQUIREMENTS SPECIFICATION” (IEC 61511 3.2.91)
Performed prior to introducing the hazards to the process
Can take credit for software validation in Factory Acceptance Test CDV
Functional Safety Audit
“A systematic and independent examination to determine whether the PROCEDURES specific to the functional safety requirements to comply with the planned arrangements, are implemented effectively and are suitable to achieve the specified objectives”. (IEC 61508-4 Ed.2 3.8.4 and IEC 61511-2003 3.2.27)
For either an organisation or a project
Functional Safety Assessment
“investigation, based on evidence, to JUDGE the functional safety achieved by one or more protection layers” (IEC 61511 3.2.26)
Judgement based on evidence
At least one required prior to hazard introduction, but may be progressive
Independence required
◦ Increases with SIL (IEC 61508)
6 Operations, Maintenance and Modification
The Cinderella Phases !
User must follow a Functional Safety Management System for the life of the SIS.
[IEC 61511 safety life-cycle diagram, as on the Safety Lifecycle slide, with these phases highlighted]
Ops and Maintenance Obligations
Train operators & maintainers
Proof test each SIF at specified interval
Monitor design assumptions
◦ demand rates
◦ component reliability
Adjust test interval to suit
Control modifications
Ensure Maintenance and Operational Overrides are used as designed
Monitor and promptly follow-up diagnostics
Case Study: Operation and Maintenance
[P&ID as before, with SIF LZHH-2 and transmitter LZT-2]
Risk analysis assumed:
◦ demand on SIF once per year
◦ what happens in practice?
SIL verification assumed:
◦ transmitter failure rate 0.01 y^-1
◦ what happens in practice?
Etc etc . . .
Must verify actual performance against assumptions and adjust testing as required
Documentation of assumptions is critical
[Layers of protection diagram as before: hazardous situation 1 per y, target 1 per 10,000 y, required x 10,000; Process Control System (BPCS), Alarm LAH and Mechanical PSV give x 100; SIF LZHH x 100, SIL 2]
Summary 1 – The SIS Lifecycle
[IEC 61511 safety life-cycle diagram, as on the Safety Lifecycle slide, with the roles Engineering Contractor, SIS Vendor and End User shown against the phases]
Summary 2 – Requirements
Target SIL must be specified for each SIF based on hazard and risk assessment
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ random failure rate (PFDavg)
◦ Systematic Capability of each component.
Not just TÜV certification
◦ though it helps !
Not just meeting PFDavg target
Don’t forget spurious trip rate!
Need more?
IICA runs the following courses:
TÜV Rheinland Functional Safety Engineer course
◦ For those with 3+ years experience in functional safety
◦ Leads to Functional Safety Engineer (TÜV Rheinland) qualification
◦ Sydney 16-20 October 2017
◦ Melbourne June 2018 (exact date set Dec 2017)
ISA One-day Introduction to SIS
◦ runs on request
If interested please email [email protected]