TRANSCRIPT
©ABB Group, 21-Mar-07
Safety Integrity Level
SIL
Paul Lucas ABB Engineering Services
13 March 2007
Agenda
Why do we need SIL systems?
Where does the SIL concept come from?
What is a SIL?
The Three Steps of SIL:
Set the target SIL (SIL Determination)
Design to meet the target SIL
Operate and Maintain to keep hitting the target SIL
Why do we need SIL systems?
BP Texas City, USA 2005
Why do we need SIL systems?
Buncefield, UK 2006
Safety Issues
How do you demonstrate that your operations are ‘safe’?
How do you demonstrate that your equipment is ‘safe’?
How do you demonstrate that your safety and protective systems protect against your hazards?
You can answer these questions by demonstrating compliance with Industry Safety Standards
Functional Safety Standard - IEC61508
Generic Standard supported by Sector variants (IEC61511 for Process Sector)
Guidance on use of Electrical, Electronic and Programmable Electronic Systems which perform safety functions
Considers the entire Safety Critical Loop
Comprehensive approach involving concepts of Safety Lifecycle and all elements of protective system
Risk-based approach leading to determination of Safety Integrity Levels - SIL
Generic and Application Sector Standards
IEC61508 (generic)
IEC61511 : Process Sector
IEC61513 : Nuclear Sector
IEC62061 : Machinery Sector
Medical Sector
IEC61511 Safety Lifecycle
(Lifecycle figure, phases as numbered in the standard)
1 Hazard and Risk Assessment
2 Allocation of safety functions to protection layers
3 Safety Requirements specification for the safety instrumented system
4 Design & Engineering of Safety Instrumented System (in parallel: Design & Development of other means of risk reduction)
5 Installation, Commissioning and Validation
6 Operation and Maintenance
7 Modification
8 Decommissioning
Running across all phases:
9 Verification
10 Management of functional safety and functional safety assessment and auditing
11 Safety Life-Cycle structure and planning
Step 1 – Set the Target SIL
(IEC61511 Safety Lifecycle figure repeated, phases 1 to 11 as listed above)
Hazard and Risk Assessment
Trevor Kletz (safety guru) sums it up as: How big? How often? So what?
What are the hazardous events – the consequence
How often may they occur – the frequency
Risk = Consequence × Frequency
Is this unacceptable to the company / regulator / society? What risk is tolerated?
Tolerable Risk and ALARP
(Risk bands figure, from High Risk at the top to Low Risk at the bottom)
Intolerable – Risk cannot be justified on any grounds
ALARP or Tolerability Band – May be "Tolerable" if risk level is As Low As Reasonably Practicable (ALARP)
Broadly Acceptable – No need for detailed working to demonstrate ALARP
ALARP = As Low As Reasonably Practicable
Risk Reduction to meet tolerable risk
(Figure: risk on a horizontal axis, increasing to the right)
Process Risk (unprotected) → Target Risk → Residual Risk, with the Residual Risk at or below the Target Risk
Necessary risk reduction = from Process Risk down to Target Risk
Actual risk reduction = from Process Risk down to Residual Risk, made up of:
  Risk reduction from all Non-Instrumented Prevention / Mitigation Measures
  Risk reduction from the Safety Instrumented Function (SIF) – this share is what the SIL expresses
Expressing SIL
(low demand mode)
SIL     Probability of failure on demand (PFDavg)   Risk Reduction (factor)
SIL 1   0.1 to 0.01                                  10 – 100
SIL 2   0.01 to 0.001                                100 – 1000
SIL 3   0.001 to 0.0001                              1000 – 10000
SIL 4   0.0001 to 0.00001                            10000 – 100000
Methods for SIL Determination
Safety Layer Matrix – IEC 61511-3 Annex C
Risk Graphs – IEC 61511-3 Annex D
Layer of Protection Analysis (LOPA) – IEC 61511-3 Annex F
Fault Tree Analysis – IEC 61511-3 Annex B
Risk Graph
(Figure: the graph is walked from the consequence C through exposure F and avoidance P to a row, and the demand-rate column W1 / W2 / W3 then gives the target SIL 1, SIL 2, SIL 3 or SIL 4. The figure itself is not reproduced; its parameter definitions are:)
C = Extent of Damage
  Ca = Minor Injury
  Cb = Lost time injury
  Cc = Major Injury
  Cd = On-site fatality
  Ce = Multiple on-site fatalities or one off-site fatality
F = Proportion of Time of Exposure to Hazard
  Fa = Low (< 0.1)
  Fb = High (> 0.1)
P = Mitigating Factors (chance of avoiding the consequences)
  Pa = Good chance of avoiding consequences (> 90%)
  Pb = Poor chance of avoiding consequences (< 10%)
W = Probability or Frequency of the Hazardous Event (demand rate without the SIF)
  W1 = Very Low (F < 0.01 /yr)
  W2 = Low (F > 0.01 /yr, up to 0.1 /yr)
  W3 = Relatively High (F > 0.1 /yr)
LOPA (Layer of Protection Analysis) worked example
Columns 1 to 6 are the Independent Protection Layers (IPLs); a layer that does not protect against a cause is entered as 1. IPL columns 5 and 6 and causes D, E and F are blank on the slide.
Initiating Cause   Frequency (/yr)   IPL 1   IPL 2   IPL 3   IPL 4   Intermediate Event Frequency (/yr)
A                  0.1               1       0.01    1       0.1     0.0001
B                  0.1               0.1     0.01    1       0.1     0.00001
C                  0.5               0.1     0.01    1       1       0.0005
For each initiating cause, identify which layers provide protection
Multiply the initiating frequency by the PFD of each protecting layer to get the intermediate event frequency
Add for the Total Event Frequency, Fe = 0.00061 /yr
Maximum PFDavg for the Safety Instrumented Function = Ft / Fe, where Ft is the target (tolerable) event frequency:
PFD = Target (0.00003) / Total Event (0.00061) = 0.0492
Target Safety Integrity Level: SIL 1
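The arithmetic of the LOPA slide, as an added Python example (not code from the ABB presentation): each initiating cause's frequency is multiplied by the PFD of every independent protection layer that protects against it, the intermediate frequencies are summed, and the tolerable frequency divided by that total gives the largest PFDavg the SIF may have, which the IEC 61508 low-demand bands turn into a target SIL. The cause frequencies, IPL PFDs and the target of 0.00003 /yr are the slide's figures; the column labels "IPL1" to "IPL4", the SIL_BANDS table and the two guard cases (no SIF needed, required PFD below SIL 4) are assumptions made for this example.

```python
"""Layer of Protection Analysis (LOPA) as on the ABB slide.

Added illustration, not code from the presentation.  A layer that does not
protect against a cause is given a PFD of 1.0, exactly as the slide does.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IEC 61508 low-demand bands: (lower PFDavg bound inclusive, upper bound exclusive, SIL).
SIL_BANDS: List[Tuple[float, float, int]] = [
    (1e-2, 1e-1, 1),
    (1e-3, 1e-2, 2),
    (1e-4, 1e-3, 3),
    (1e-5, 1e-4, 4),
]


def sil_for_pfd(pfd: float) -> int:
    """Return the SIL whose PFDavg band contains `pfd`; 0 if no SIL claim is needed (pfd >= 0.1)."""
    if pfd >= 0.1:
        return 0
    for low, high, sil in SIL_BANDS:
        if low <= pfd < high:
            return sil
    # Below 1e-5 there is no SIL band: a single SIF should not carry this burden.
    raise ValueError(f"required PFDavg {pfd:.2e} is below the SIL 4 band; add other risk reduction")


@dataclass
class InitiatingCause:
    name: str
    frequency_per_year: float
    ipl_pfd: Dict[str, float]  # PFD of each independent protection layer; 1.0 = no protection

    def intermediate_event_frequency(self) -> float:
        """Frequency of the hazardous event: the cause occurs AND every listed IPL fails."""
        freq = self.frequency_per_year
        for layer, pfd in self.ipl_pfd.items():
            if not 0.0 < pfd <= 1.0:
                raise ValueError(f"{self.name}/{layer}: PFD {pfd} must be in (0, 1]")
            freq *= pfd
        return freq


def lopa(causes: List[InitiatingCause], tolerable_frequency: float) -> Tuple[float, float, int]:
    """Return (total event frequency, maximum PFDavg the SIF may have, target SIL).

    If the existing layers already bring the total below the tolerable
    frequency, no SIF is required: the PFD limit is reported as 1.0 and SIL 0.
    """
    total = sum(c.intermediate_event_frequency() for c in causes)
    if total <= tolerable_frequency:
        return total, 1.0, 0
    max_pfd = tolerable_frequency / total
    return total, max_pfd, sil_for_pfd(max_pfd)


# Constructed from the slide's table (causes D, E and F are blank there).
SLIDE_CAUSES = [
    InitiatingCause("A", 0.1, {"IPL1": 1.0, "IPL2": 0.01, "IPL3": 1.0, "IPL4": 0.1}),
    InitiatingCause("B", 0.1, {"IPL1": 0.1, "IPL2": 0.01, "IPL3": 1.0, "IPL4": 0.1}),
    InitiatingCause("C", 0.5, {"IPL1": 0.1, "IPL2": 0.01, "IPL3": 1.0, "IPL4": 1.0}),
]
TOLERABLE_FREQUENCY = 3e-5  # target event frequency, /yr, from the slide


def slide_example() -> Tuple[float, float, int]:
    """Run the slide's numbers: expect total 0.00061 /yr, max PFDavg 0.0492, SIL 1."""
    return lopa(SLIDE_CAUSES, TOLERABLE_FREQUENCY)


if __name__ == "__main__":
    total, max_pfd, sil = slide_example()
    for cause in SLIDE_CAUSES:
        print(f"cause {cause.name}: {cause.intermediate_event_frequency():.6f} /yr")
    print(f"total event frequency {total:.5f} /yr; SIF PFDavg must be <= {max_pfd:.4f} -> SIL {sil}")
```

The two guard cases are where LOPA reviews most often go wrong: a cause set whose existing non-instrumented layers already meet the target needs no SIF at all, and a required PFDavg that falls below the SIL 4 band is a signal to add other risk reduction rather than to specify a SIL 4 function.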
Comparison of Methods
                                            Safety Layer Matrix   Risk Graph   LOPA     Fault Tree Analysis
Initial Screening                           R                     R            R        NR
Detailed Analysis                           NR                    NR           R        R
Multiple Causes with Different Protection   NR                    NR           R        R
Potential Dependency                        NR                    NR           NR       R
Output (SIL or PFDavg)                      SIL                   SIL          PFDavg   PFDavg
Need to include specific Human Factors      NR                    NR           R        R
Suitable for SIL                            1                     1            1 & 2    >1
NR = Not recommended; R = Recommended
Summary of Step 1
Get the Target SIL correct – save time, money, equipment, maintenance
Calibrate any method for YOUR tolerability
Use method suitable for the consequences
Step 2 – Design to meet the target SIL
(IEC61511 Safety Lifecycle figure repeated, phases 1 to 11 as listed above)
Random Hardware Failures
Any item of equipment in a protective system can fail.
There are broadly two types of system failure:
Fail Safe – component failure to an open circuit condition, loose connections, loss of power (air or electrical)
These will cause the system to shut down the plant unnecessarily, but they are self-revealing and 'fail safe'.
Fail to Danger – contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked
These are 'fail to danger' because, when a demand occurs, the system cannot respond, i.e. un-revealed failures
These are the failures that enter the PFD calculation
Example
High Pressure Trip loop: Pressure Transmitter → Trip Amp → Relay → Solenoid Valve → Trip Valve
A Single Channel System – 6 month testing
Overall dangerous failure rate for the channel is the sum of the rates for the components (a series channel: any one dangerous failure disables the trip). The five terms are the five loop components: pressure transmitter, trip amplifier, relay, solenoid valve and trip valve.
λd = 0.05 + 0.067 + 0.0033 + 0.033 + 0.033 = 0.1863 per year
For a single channel proof-tested at interval T: PFDavg = ½ T λd
If this is tested every 6 months (T = 0.5 year) then,
PFDavg = ½ × 0.5 × 0.1863 = 0.047
which is near the middle of SIL 1
Achieved PFDavg on the SIL scale (figure)
SIL 4: 10^-5 to 10^-4 | SIL 3: 10^-4 to 10^-3 | SIL 2: 10^-3 to 10^-2 | SIL 1: 10^-2 to 10^-1
Marked on the scale: PFDavg = 0.047 (6 month test interval), near the middle of SIL 1; PFDavg = 0.05 and PFDavg = 0.005 are marked for comparison.
The Need For Testing
Fail to Danger – contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked
These are 'fail to danger' because, when a demand occurs, the system cannot respond, i.e. un-revealed failures
Only exposed by testing
(Figure: channel state, Healthy or Faulty, against Time (years). Proof tests occur once per Test Interval; an un-revealed fault arising between tests leaves the channel Faulty for the Dead Time until the next test, and a Demand arriving in that dead time is not protected.)
Testing can expose un-revealed failures
Multiple Channels And Common Cause Failure (β)
More complicated – but same principles. β is the fraction of dangerous failures that take out all channels at once, so the β term is a floor that extra channels cannot remove.
For One Channel (1 out of 1):
PFDav1 = ½ λd T
For Two Channels (1 out of 2):
PFDav2 = 4/3 [PFDav1]² + β [PFDav1]    or    PFDav2 = 1/3 (λd)² T² + β [PFDav1]
For Three Channels (1 out of 3):
PFDav3 = 2 [PFDav1]³ + β [PFDav1]    or    PFDav3 = 1/4 (λd)³ T³ + β [PFDav1]
For Three Channels (2 out of 3):
PFDav(2oo3) = 4 [PFDav1]² + β [PFDav1]    or    PFDav(2oo3) = (λd)² T² + β [PFDav1]
Taken From Practical Industrial Safety, Risk Assessment & Shutdown Systems, Dave MacDonald.
Sources of Data
Manufacturer's data – based on either returned goods or predictions using either FMEA (failure mode effects analysis) or FMEDA (failure mode effects and diagnostic analysis). These should not be confused with real field failure rates based on actual use of the units.
Field data (61511 uses the term 'prior use') – based on similar operating conditions and environment. Should be collected using a methodical / auditable process and allow for errors (misreporting / non-reporting) in the collection of the data.
Generic data – from an extensive history of similar industries found to be appropriate.
‘Checking’ the numbers
IEC 61511 architectural constraints: Hardware Fault Tolerance (HFT)
Designed to verify that the 'numbers' make sense
No mathematical basis for the figures – based on experience
For a specified SIL, the required fault tolerance can be reduced with operational experience (prior use) and analysis
(Figure: two example loops – Analyser → Trip Amp → Relay Logic → Solenoid → Trip Valve, and Analyser → Trip Amp → Solenoid → Trip Valve)
Constraint - Hardware Fault Tolerance (1)
Used for sensor, final elements and non PE Logic Solver
Table 6 in IEC61511 Part 1
Increased fault tolerance can enable easier maintenance and testing
Constraint - Hardware Fault Tolerance (2)
Applies to PE Logic Solvers: Table 5 in IEC 61511 Part 1
The ‘cleverer’ the PES, the less fault tolerance required for the target SIL
More complex tables in IEC61508 – used for certified instruments to reduce HFT
Manufacturer’s Data – Example 2
Non-Hardware faults - Systematic
Because of the findings from 'Out of Control' and other work…
Large number of faults are not caused by hardware
We need appropriate processes, procedures, methods – 'systems' in place to control these faults
Where the faults are introduced (pie chart): Specification 43%; Changes after commissioning 21%; Design & implementation 15%; Operation & maintenance 15%; Installation & commissioning 6%
Problems with software – systematic faults
How do you make software 10 times better?
How do you measure software?
What is the probability of Fail to Danger (pfd) of a lump of code?
You cannot measure software the way you measure hardware – quantitative methods do not apply
You have to use more rigorous techniques for software required for a higher SIL – qualitative methods
Example of Software Techniques
IEC 61508-3 Table A.4 – Software design and development: detailed design
Technique/Measure                                                               Ref             SIL 1   SIL 2   SIL 3   SIL 4
1a Structured methods including for example JSD, MASCOT, SADT and Yourdon       C.2.1           HR      HR      HR      HR
1b Semi-formal methods                                                          Table B.7       R       HR      HR      HR
1c Formal methods including for example CCS, CSP, HOL, LOTOS, OBJ,
   temporal logic, VDM and Z                                                    C.2.4           --      R       R       HR
2  Computer-aided design tools                                                  B.3.5           R       R       HR      HR
3  Defensive programming                                                        C.2.5           --      R       HR      HR
4  Modular approach                                                             Table B.9       HR      HR      HR      HR
5  Design and coding standards                                                  Table B.1       R       HR      HR      HR
6  Structured programming                                                       C.2.7           HR      HR      HR      HR
7  Use of trusted/verified software modules and components (if available)       C.2.10, C.4.5   R       HR      HR      HR
HR = highly recommended; R = recommended; -- = no recommendation for or against
Summary of Step 2
80% - 90% of safety functions should be SIL 1: single channel, reasonable test intervals, no HFT to consider
High SIL, complex architecture: use a specialist; shorter test intervals (simple SIL calculations may not apply); additional hardware (including final elements); common cause faults, hardware fault tolerance, SFF (safe failure fraction), DC (diagnostic coverage); systematic controls
Take care with instrument data: field data is best; manufacturer's data is a prediction and will need to be adjusted for plant conditions
Step 3 – Operate and Maintain to meet the SIL
(IEC61511 Safety Lifecycle figure repeated, phases 1 to 11 as listed above)
Operation and Maintenance
What activities are required to ensure the Safety Instrumented System keeps meeting the target SIL?
What operations and test data needs to be kept and recorded to verify SIL determination and Design assumptions?
Proof Tests – 61511 states…
Periodic proof tests shall be conducted using a written procedure
The entire SIS shall be tested including the sensor(s), the logic solver and the final element(s)
Different parts of the SIS may require different test intervals
The frequency of the proof tests shall be decided using the PFDavg calculation
At some periodic interval the frequency of the testing shall be re-evaluated.
Why record Demands?
To demonstrate the design demand rate is not being exceeded
To demonstrate that the causes of demand are as expected
To check causes and rates of failsafe demands
To be able to carry out periodic reviews
Why record Proof Test Records/Results?
To demonstrate that testing is being carried out at specified interval
As an auditable trail to the recorded results
To indicate who carried out the tests
To demonstrate that faults found have been rectified
To be able to carry out periodic reviews
Need to record results in a manner which enables the results to be extracted/ presented in a format which makes reviews possible
Summary of the 3 steps
Get the Target SIL correct – save time, money, equipment, maintenance
Design to meet the SIL – more than failure rates: where do you get failure data from? Hardware Fault Tolerance and systematic controls
Operate and Maintain to keep the SIL – testing, recording, analysing and improving