sis slides v1

8/10/2019 Sis Slides v1

1/100

EIT: E-Cert SS: Unit 7 Instrument Selection

www.eit.edu.au

Slide 1Slide 1

SAFETY INSTRUMENTED SYSTEMS &

EMERGENCY SHUTDOWN SYSTEMS

for Process Industriesusing IEC 61511 and IEC 61508

Unit 7: SIL Instrument Selection

Version for EQO26: 7 November 2012

Presented by Dave Macdonald,

EIT Cape Town South Africa

Contact E-mail: [email protected]

EIT Safety Instrumentation E-Learning


2/100


www.eit.edu.au

Slide 2

Introduction to Chapter 7: Practical selection ofsensors and actuators for safety duties

Impact on SIS Reliability,

Types of Sensors and Actuators

Failure modes and causes

Separation, redundancy, diversity, diagnostics

Device Selection Issues: What IEC 61511 requires + Common sense

Technologies: Safety certified instruments and fieldbus


3/100


www.eit.edu.au

Slide 3

Sensors and Actuators remain the most critical reliability items in an SIS

Separation, diversity and redundancy are critical issues.

Safety related instruments must have a proven record of performance.

IEC 61508 / 61511 have specific requirements

Logic solver intelligence and communications power will help to provide

diagnostic capabilities to assist field device reliability

Failure modes and common cause issues are potential problems for

intelligent instruments


4/100


www.eit.edu.au

Slide 4

Instrument practice for safety systems : well established

ISA S 84.01 Appendix B.obsolete standard but still relevant.

IEC 61511 specifics defined in clause 11.5 and 11.6 of part 1. Gruhn & Cheddie ISA Textbook; chapter 9

IEC 61511-1 Paragraph 11.5:

Requirements for selection of components and subsystems 11.5.2.1 Components and subsystems selected for use as part of a safety

instrumented system for SIL 1 to SIL 3 applications shall either be inaccordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else theyshall be in accordance with 11.4 and 11.5.3 to 11.5.6, as appropriate

Certifiedcompliant toIEC 61508

Faulttolerance

Prior use

justification


5/100


www.eit.edu.au

Slide 5

Typical Reliability Table

Item Fail to

Danger Rate/ yr.

PFD avg(3 month proof test)

PFD avg

% of total

Input sensor loop 0.05 0.006 32

SIL 3 Logic Solver PLC 0.0005 3

Output Actuator loop

(Solenoid + valve)

0.1 0.0125 65

Totals 0.019 (SIL 1) 100

The field devices taken together contribute 97% of the PFD for this example.

The PFD figures for the field devices are affected by environmental conditions

and maintenance factors.

PES logic solvers benefit from auto-diagnostics.

Table 7.1


6/100


www.eit.edu.au

Slide 6

Bus connected safety certified instrumentsFoundation Field Bus

Profi-safe

ASI-Safety Bus

See Session 5


7/100


www.eit.edu.au

Slide 7

! " #

Good reliability and accuracy

Signal present at all timesimproved SFF Potential for diagnostics, easier to detect faults

Possible to compare signal with other parameters

Trending and alarming available Multiple set points

Competitive pricing

Rationalized spares


8/100


www.eit.edu.au

Slide 8

$

Components of the instrument

Process connection

Fouling /corrosion/process fluids/clogging

Wiring

Environmental: Process/Climate/Electrical

Specification/range/resolution.

Response time

Power supplies

Intrinsic safety barriers

Calibration/testing/ left on test/isolated.


9/100


www.eit.edu.au

Slide 9

$

SIS

Logic

Electrical Drive Trip

Interlocks

M

Process Valve Trip

380 v ac

power

SIS

Logic

Figure 7.4


10/100


www.eit.edu.au

Slide 10

Safety

Relay

K1

Relay

K1 Time

Delayed

Reset

Drive

controller

Stop Category 1

Safety Control Category 2

E-Stop

command

Power

%& & # '(


11/100


www.eit.edu.au

Slide 11

Components of the actuator, positioner, mechanical

failures of springs

Process connection/leaks. Mechanical distortion of

pipes causing stress in valve

Valve internal faults due to : Fouling or corrosion by

process fluids/jamming/sticking/leaking Wiring to solenoids

Pneumatics/ venting failures

Environmental. Physical impacts/fire/freezing oricing up.

Solenoid valves sticking or blocking

Potential Causes of Failures in Final Elements


12/100


www.eit.edu.au

Slide 12

) * $% "&

Sensor contacts closed during normal operation

Tx signals go to trip state upon failure (Normally < 4mA)

Broken wire = trip

Output contacts closed and energized for normal operation

Final trip valves go to trip (safe) position on air failure

Drives go to stop on trip or SIS signal failure


13/100


www.eit.edu.au

Slide 13

For an instrument to qualify for SIL target

Prior Use Build to IEC 61508 HW & SW

Smart tx

SIL 3 requires

assessement and a safety

manual

And PFD must satisfy SIL target

Certify to IEC 61508Analog or switch

or

Apply IEC 61511

limitations

SIL 1 or 2


14/100


www.eit.edu.au

Slide 14

# +

Do not share sensors because it:

Violates the principles of independence

Creates a high level of common cause failure

Does not create a separate layer of protection

Does not provide secure maintenance


15/100


www.eit.edu.au

Slide 15

Boiler Steam

Drum

LT1

Feed watersupply

LSL

SIS Logic Solver

Logic

Boiler

Trip

LIC

1

Figure 7.5Snap question: What is wrong with this safety tripdesign?

Snap question: Draw a better arrangement


16/100


www.eit.edu.au

Slide 16

Boiler Steam

Drum

Separate Sensors for Control and Trip: Acceptable

LT1

Feed watersupply

LIC

1

SIS Logic Solver

Logic

Boiler

Trip

LT2

LSL

Figure 7.5 cont.


17/100


www.eit.edu.au

Slide 17

Boiler Damage

AND

OR

FW Fails

LT-1 Fails

high-No TripLIC causes

low level

Boiler Damage

AND

OR

FW Fails LT-1 Fails

high, LIC-1

causes low

level

0.2 / yr.

0.1 / yr.

LT-2 Fails high

Trip fails on

demand

PFD = 0.1/2 X 0.5

= 0.025

0.0075 / yr.

Low level and NO TRIP

Low level

0.3 / yr.

Trip fails on demand from

FW failure

FW Fails and

No Trip

0.105 / yr.

Low level and NO TRIP

PFD = 0.1/2 X 0.5

= 0.025

0.2 / yr.

0.005 / yr.

0.1 / yr.

Separate Sensor

Fault Tree Analysis for Boiler Low Level TripShared Sensor

Figure 7.6


18/100


www.eit.edu.au

Slide 18

& , $ & - , .-./

Sharing of sensor between SIS and BPCS only allowed

if safety integrity targets can be met. This would requiresensor diagnostics and is only likely to be possible for

SIL 1

Separate sensor is allowed to be copied to BPCS viaisolator

SIL 2, 3 and 4 normally require separate sensors with

redundancy

SIL 3 and 4 normally require separation and diverse

redundancy


19/100


www.eit.edu.au

Slide 19

& , $ & - , .-./

A single valve may be used for both BPCS and SIS but

is not recommended if valve failure places a demand onthe SIS.

Normally shared valve can only be used if: Diagnostic

coverage and reaction time are sufficient to meetsafety integrity requirements

Recommendations for a single valve application

SIL 2 and SIL 3 normally require identical or diverse

separation. Diversity not always desireble


20/100


www.eit.edu.au

Slide 20

!&& ', 0

SIS

BPCS

FY

FV

A/S

Check hazard demands due to valve

Positioner

Solenoid valve

direct acting,

direct mounted.

De-energise to

vent actuator.

Figure 7.7


21/100


www.eit.edu.au

Slide 21

& # '

0 - 0 1

Check hazard demands due to valve

SIS BPCS

A/S

FY

Figure 7.8


22/100


www.eit.edu.au

Slide 22

Do not confuse with proof testing

Compare trip transmitter value with relatedvariables. Not often practicable

Use safety transmitters if available

Use Smart transmitters with diagnostic alarm

but see next


23/100


www.eit.edu.au

Slide 23

Valve Diagnostics

Assurance that a trip valve will respond correctly when needed

Freedom of movement, full travel

Correct venting of actuator

Correct rate of response

Absence of sticking

Trip signals and solenoid all working


24/100


www.eit.edu.au

Slide 24

Methods for Valve Diagnostics

Online trip testing

Discrepancy alarm

Position feedback response testing

Partial closure testing manual or automatic

Smart positioners certified safety positioner


25/100


www.eit.edu.au

Slide 25

& 23

IEC 61508 places an upper limit on the SIL that can beclaimed for any safety function on the basis of the fault

tolerance of the subsystems that it uses.

Limit is a function ofthe hw fault tolerancethe safe failure fractionthe degree of confidence in the behaviour under fault

conditions

Details in IEC 61508 part 2


26/100


www.eit.edu.au

Slide 26

23 *&

IEC Defines two types of equipment for use in SafetySystems:

Type A: Simple Devices: Non PES. E.g Limit switch, levelfloat switch, analogue circuits.

Type B: Complex Devices: Including PES. E.G Smarttransmitters. Digital communications, processor based systems.

Fault tolerance rating of B is less than A except under certainconditions


27/100


www.eit.edu.au

Slide 27

IEC 61511-1 Table 6: Minimum hardware fault tolerance of

sensors, final elements and non PES logic

SIL Minimum HW Fault Tolerance

1 0

2 1

3 2

4 Special requirements: See IEC 61508

Alternatively tables 2 and 3 of IEC 61508 may be applied with an assessment

The following summarized conditions apply for SIL 1,2 and 3 :

Increase FT by 1 if instrument does not have fail safe characteristics

Decrease FT by 1 if instrument meets 4 conditions.

Predominately fail safe

Prior Use ( Proven in use)Limited device adjustment (process parameters only)

Password protected


28/100


www.eit.edu.au

Slide 28

4& 0 #, 4 5


29/100


www.eit.edu.au

Slide 29

4& 0 #, 4


30/100


www.eit.edu.au

Slide 30

4&

0#,4


31/100


www.eit.edu.au

Slide 31

Redundancy Options

Sensor or Actuator

Configuration.

Selection

1oo1 Use if both PFD and FT and nuisance triptargets are met.

1oo2 2 Sensors installed, 1 required to trip. PFD

value improved, nuisance trip rate doubled.

2oo3 3 Sensors installed, 2 required to trip. PFDimproved over 1oo1, nuisance trip ratedramatically reduced.

Table 7.4


32/100


www.eit.edu.au

Slide 32

Common Cause Failures in Sensors

Wrong specification

Hardware or circuit design errors

Environmental stress

Shared process connections

Wrong maintenance procedures

Incorrect calibrators


33/100


www.eit.edu.au

Slide 33

Be careful to analyze

for common causefaults

e.g Try to avoid this

PT

1B

PT

1A

SIS

Figure 7.10


34/100


www.eit.edu.au

Slide 34

Where measurement is

the problem use diverse

redundancy.

e.g. Steam or Ammoniaoverpressure protection

TT

01

PT

01

SIS

Figure 7.11


35/100


www.eit.edu.au

Slide 35

Requirements for Device to be Provenin-use

Evidence that the instrument is suitable for SIS

Consider manufacturers QA systems

PES devices need extra validation

Performance record in a similar profile

Adequate documentation

Volume of experience, > 1 yr exposure per case.


36/100


www.eit.edu.au

Slide 36

The approved safety instrument list

Each instrument that is suitable for SIS

Update and monitor the list regularly

Add instruments only when the data is adequate

Remove instruments from the list when they let you down

Adequate details: Include the process application

EIT E C SS U i 7 I S l i


37/100


www.eit.edu.au

Slide 37

Additional requirements for smart transmitters

and actuators:

Details in IEC 61511 11.5.4 for devices with

Fixed Programming Languages (FPLs)Extra for SIL 3

Formal assessmentlow probability of failure in planned

application.

Appropriate standards used in build

Consider manufacturers QA systems

Must have a safety manual

EIT E C t SS U it 7 I t t S l ti


38/100


www.eit.edu.au

Slide 38

6 ! 7 &

Smart

Transmitter

4-20 mA + FSK Data

Hart

Interface

DI

SIS Logic Solver

AI

Status Alarm

Hand Held

Programmer

Figure 7.12

FSK = Frequency Shift Keyed

EIT E C t SS U it 7 I t t S l ti


39/100


www.eit.edu.au

Slide 39

4& !

Figure 7.1

EIT: E Cert SS: Unit 7 Instrument Selection


40/100


www.eit.edu.au

Slide 40

+ !,

Internal diagnostics with high coverage factor

Very low PFDavg values. Saves on proof testing etc.

Certified for single use in SIL 2 (instead of dual channel)

Certified for dual redundant use in SIL 3 (instead of 1oo3)

End user verification is simplified



41/100


www.eit.edu.au

Slide 41

& 8The safety manual presents all the essential information and set

up conditions that must be followed to allow the instrument to

be validated for any given application.

The manual also supplies the failure rates summary and

expected PFDavg

Compliance to safety manual requirements must be

demonstrated in the validation phase.

See examples of safety manuals and FMEDA reports



42/100


www.eit.edu.au

Slide 42

& The safety certificate is issued by the testing body to clearly define what

products have been tested and what standards and limitations have been

applied in the evaluation.

The safety certificate is an essential document for the validation phase.

See examples of Safety Certificates: 3051C and Rex Radar

Testing Authorities include :TUV Rheinland

Exida.com

Any recognized testing body that can show competency in the SIS field.

Note : Exida specializes in certifying instruments claiming prior usequalification. Reports supply SFF and failure rate data with declaration of fault

tolerance requirements relevant to IEC 61511. See examples.



43/100


www.eit.edu.au

Slide 43

$

Instruments must be well proven for safety with an assessment

report or Certified SIL capable to IEC 61508.

Intelligent instruments treated as PES

Separation, Redundancy, Diversity, Diagnostics

Diagnostic Coverage via Smarts or Logic Solver

Bus technology established and growing.

EIT EQO26: Unit 8 Reliability Analysis


44/100


www.eit.edu.au Slide 44

Slide 44

SAFETY INSTRUMENTED SYSTEMS &

EMERGENCY SHUTDOWN SYSTEMS

for Process Industriesusing IEC 61511 and IEC 61508

Unit 8: Reliability Analysis

Version for EQO26: 7 November 2012

Presented by Dave Macdonald,

EIT Cape Town South Africa

Contact E-mail: [email protected]

EIT Safety Instrumentation E-Learning



45/100

Q y y


The task of measuring or evaluating the SIS design

for its overall safety integrity

Reasons and objectives

Resolving the SIS into reliability block diagrams

Identification of formulae

Trial calculation examples

Calculation software tools

Introduction to Chapter 8:

Reliability Analysis of the SIS



46/100

Q y y


IEC 61511 requires reliability analysis be done for each SIF to

show that SIL target and RRF can be achieved. Why?

Because it tells everyone what RRF can be expected from each

individual safety function. It confirms the basis of the design and the chosen proof test

interval

Compares the calculated RRF for your design with the target toshow you can achieve the target.

To predict the accident rate: H events/yr = Demand Rate (D) x

PFDavg or H = D/ RRF



47/100

y y


Terminology

RRF Risk Reduction Factor ( e.g. 200)

SIL Safety Integrity Level ( depends on RRF)

(SIL Tables)D Demand rate on Safety Function. ( How often the SIF is

demanded to respond to a hazard condition)

HHazardous event rate ( also called accident rate )

( e.g. 0.1/yr = 1 in 10 years)

PFDavg Average probability of failure on demand of the SIF



48/100


Terminology

MTTFd Mean time to fail dangerously ( = 1/d)

MTTFs Mean time to fail safe (or spurious) ( = 1/s)

MTTRd Mean time to detect and repair a dangerous fault

Ti Time interval between proof tests

dd Failure rate for dangerous detectable faults

du Failure rate for dangerous undetectable faults (requiresproof testing)

sd Safe revealed failure rate ( causes spurious trip or loss ofaffected safety channel)



49/100


Risk Reduction Factor and PFDavg

(PFDavg = average probability of failure on demand,)

PFDavg is a function of:

1. Failure rate per hour for undetected faults : du

2. Test interval: Ti

3. Redundancy (1oo1, 1oo2, 2oo3, etc)

Compare PFDavg with the target PFDavg for the SIL range we need.

RRF =1

PFDavg


50/100


F il i f U t t d SIF


51/100


Mission time

State of Process

Operating

safely

Operating but

not protected

Hazardous condition

occurs (Demand)

Reportable

accidentoccurs

1 yr 2 yr

Unrevealed Dangerous fault

occurs

Failure scenario for an Untested SIF



52/100


Mission time

StateofProcess

Operating

safely

Operating but not

protected

Hazardous condition

Occurs (Demand)

Accident

prevented

0.5 yr 1 yr

Proof test reveals

fault

Fault

repaired

Low Demand Mode: Proof Tested SIF repaired before demand

Unrevealed Dangerous

fault occurs

Proof test



53/100


Mission time

Stateo

fProcess

Operating

safely

Operating but not

protected

0.5 yr 1 yr

Demand occursbefore next proof

test

Failure (to respond)

on Demand

Low Demand Mode: Proof tested SIF but failure on demand

Unrevealed Dangerous

fault occurs

Reportable

accident

occurs

Proof test


Di ti + P f T t d SIF


54/100


Mission time

State of Process

Detectable Dangerous

fault occurs

Operating safely

1 yr 2 yr

Diagnostic test

reveals fault

Proof test forundetected

faults

Diagnostic + Proof Tested SIF

Accident

prevented

Diagnostic test

typically100

times/day

PFDavg = MTTD&R x Fail danger rate

Fault

detected &

repaired


0 8 6 8


55/100


0# 8 6 8

Low demand mode applies when the demand on the SIS is equal toor less than once per year. ( IEC 61511) . Alternatively no more thantwo demands per proof test interval.

Low demand calculations use PFDavg. Hazard event rate H = D x PFDavg

High demand mode applies when the demand on the SIS is morethan once per year. ( IEC 61511) . Alternatively more than twodemands per proof test interval.

High demand mode calculations use PFH probability of dangerousfailure per hour.

Hazard event rate H = PFH

96 :# ;



56/100


Low Demand Mode Application

Pressure relief

trip (SIS)

Pressure surge

once per year(D)

Accident occurs if

dangerous fault

undetected before the

surge occurs

Accident rate H = D x PFDavg

Provided Test interval is shorter than 1 year or

diagnostics detect faults quickly

Example: If PFDavg = 0.05 and D= 1 : H = 0.05/yr


Hi h d d M d A li i


57/100


High demand Mode Application

Electronic

Braking Controls

(SIS)

Brake applied

100 times per

day

Accident occurs as

soon as brake circuit

fails

Accident rate = Probability of failure/hr of the EBC

= Failure rate per hour of the SIS

Example: If PFH = 0.0001/hr H = 0.0001/hr of service

If machine used for 5000 hrs /yr accident rate = 0.5/yr.


D i I i f T PFD i L D d M d


58/100


Design Iteration for Target PFD in Low Demand Mode

Set Target PFD

Evaluate Solution PFD

Revise Design

No

Yes

Proceed to Detail Design

Acceptable

SRS defines the Risk Reduction Factor

PFD = 1/RRF

Calculated PFD < Target PFD?


El t d t i th SIS d l


59/100


Elements and terms in the SIS model

(SIS)Hazard

Demand Rate D

Protective System

H HazardEvent Rate

PFD avg. = H/D = 1/(Risk Reduction Factor)

SIL3

SIL2

SIL1

Sensor Logic ActuatorD H

PFD1 PFD2 PFD3

Overall PFD = PFD1 + PFD2 + PFD3



60/100


Single Channel Basic calculation of PFD

If the fail to danger rate is d and proof test interval is Ti

PFDavg = du x Ti/2 (failure rate/yr x mean time to detect )

Example Fail to danger rate = 0.05 per year, Ti = 1 year

PFDavg = 0.05 x = 0.025. ( SIL 1)

How is this formula obtained ?

du


6


61/100


6


62/100

www.eit.edu.auSlide 62

8 ! =. &

,

Time t

p(t)

Probability of

being failed when

demand occurs.

1

0

=

Ti 2Ti

Proof test action

Average

value



63/100


$ 8

Overt Failures

Spurious Trip Rate

S = 1/MTBFsp

Loss of Production

Detectable

by Self

Diagnostics

Undetectable

except by manual

proof testing

Trips plant unless

2oo3 or 2oo2 voting

Covert Failures

Dangerous Failure Rate

D = 1/MTTFD

D

DUDD

DU = (1 C) DDD = C D

S + DD

C= Coverage


Example: Find the Safe and Dangerous Failure Modes

SIS Hi h L l T i


64/100


LTLT

11

PSVPSVPSVPSV

LCLC

11

I/PI/PI/PI/P

FCFC

FluidFluid

FeedFeedFCFC

Logic SolverLogic Solver

LTLT

22

ASAS

SIS High Level TripSIS High Level Trip

Fail Modes/yr Device sp du dd

Bottom Blocked : 0.1 . Top leaks 0.2 LE connection

Runs low: 0.05. Runs high : 0.02 LT electronics

Breaks: 0.01 Shorts across LT: 0.1 Cable

Lost power: 0.02 Power

Totals for sensor sub system:

Assume out of range detection provided (forcing a trip)


1oo1 SIS Formulae


65/100


Single Channel SIS Fail Rates

Overt Failures

Spurious Trip Rate

S = 1/MTBFsp

Loss of Production

Detectable by

Self

Diagnostics

Detectable by

manual proof

testing

Trips plant unless

2oo3 or 2oo2 voting

Covert Failures


D = 1/MTTFD

D

DU = (1 C) DS + DD

C= Coverage

DD = C D

PFD1 = DD x (MTTR) PFD2 = DU x (Ti/2)SP Trip Rate = s + DD


1oo2 SIS Formulae


66/100



Overt Failures

Spurious Trip Rate

S = 1/MTBFsp

Loss of Production

Detectable by

Self

Diagnostics

Detectable by

manual proof

testing

Trips plant unless

2oo3 or 2oo2 voting

Covert Failures


D = 1/MTTFD

D

DU = (1 C) D

C= Coverage

DD = C D

SP Trip Rate = 2 ( s + DD) PFD2 =((D U .Ti)2)/3PFD1 =2(DD)

2( MTTR)2


Formula sets


67/100



Overt Failures

Spurious Trip Rate

S = 1/MTBFsp

Loss of Production

Detectable by

Self

Diagnostics

Detectable by

manual proof

testing

Trips plant unless

2oo3 or 2oo2 voting

Covert Failures


D = 1/MTTFDD

DU = (1 C) DS + DD

C= Coverage

DD = C D

Formula set 2

in Fig 8.6

Formula set 3

in Fig 8.6

Formula set 1

in Fig 8.6


Multi-channel Formula Sets for PFD and s (excludingd f il )

Figure 8.6


68/100


Overt Failures

Spurious Trip Rate

s = 1/MTBFsp

By SelfDiagnostics

By ManualProof testing

s1oo1

2s1oo2

2(s)2(MTTR)2oo2

D U (Ti/2)D D (MTTR)

((D U .Ti)2)/32(DD)

2( MTTR)2

D U .Ti2 D D (MTTR)

6(D D)2 (MTTR)22oo3 6(s)2(MTTR)

Detectable

Spurious trip rate PFD due to diagnostics

(if detected but not tripped)

common mode failures )

Covert Failures


d = 1/MTTF

PFD due to proof test

Detectable

Formula set 1 Formula set 2 Formula set 3

D D = DC. D D U = (1-DC) DVoting

((D U .Ti)2)


Sources of Reliability Data


69/100


Sintef: http://www.sintefbok.no/Product.aspx?sectionId=65&productId=559&categoryId=10

http://www.sintef.no/Projectweb/PDS-Main-Page/PDS-Handbooks/

Also see:

1. exida.com Reliability Handbook

2. Manufacturers Safety manuals for

specific SIL certified instruments

3. Faradip 3 Database4. exida.com: Safety Automation

Equipment List ..Functional Safety

Assessment Reports

http://www.exida.com/index.php/resour

ces/sael/


Dual Channel Basic calculation of PFD


70/100


If the fail to danger rate is du and proof test interval is Ti.

PFDavg = (du xTi)2/3

Example: If fail to danger rate = 0.05 per year, Ti = 1 year

PFDavg = (0.05 x 1)2/ 3 = 0.00083 ( SIL 3)

But this ignores common cause and is unrealistic

du

du

Note: dd omitted for clarity


Beta Factor: Common Cause Failures in redundant SISchannels


71/100


channels

(1-) d

(1-) d

(1-) d

d

Unit Failures Common CauseFailures

Example:2oo3 sensor withcommon causefailures


Formulae Sets with Common Cause Factor included


72/100



Dual Channel Basic calculation of PFD inc Common Cause 5%

N t dd itt d f l it


73/100


If the fail to danger rate is d and proof test interval is Ti.

PFDavg = ((1-) du xTi)2/3 + du xTi/2

Example Fail to danger rate = 0.05 per year, Ti = 1 year Beta = 5%

PFDavg = (0.95 x 0.05 x 1)2/ 3 + (0.05 x 0.05 x ) = 0.002 ( SIL 2)

du(1-) du

(1-) du

Note: dd omitted for clarity


2oo3 Channel Basic calculation of PFD inc Common Cause 5%


74/100


If the fail to danger rate is d and proof test interval is Ti.

PFDavg = ((1-) du xTi)2 + du xTi/2

Example Fail to danger rate = 0.05 per year, Ti = 1 year Beta = 5%

PFDavg = (0.95 x 0.05 x 1)2 + (0.05 x 0.05 x ) = 0.0035 ( SIL 2)

d(1-) d

(1-) d

(1-) d


Formulae Sets with Common Cause Factor included


75/100



! $


76/100


7: 4&

Formula for calculating PFDavg for 1oo1

PFDavg = (DU xTi/2) + (DD x MTTR)

Failures per year

Parameter Value Notes

DU 0.0500 Dangerous undetected failure rate for one channel

DD 0.1000 Dangerous detected failure rate for one channel

Ti in yrs 1.0000 Proof test interval

MTTR in yrs 0.0027 Mean time to detect and repair a detectable fault

(DU xTi/2) 2.50E-02 Undetected portion

(DD x MTTR) 2.74E-04 Detected portion

PFD for 1oo1 subsystem 2.53E-02 SIL Table: SIL 1


! $


77/100


7: 4&


PFDavg = (DU xTi/2) + (DD x MTTR)

Failures per hour


DU 5.71E-06 Dangerous undetected failure rate for one channel

DD 1.14 E-05 Dangerous detected failure rate for one channel

Ti in hrs 8760 Proof test interval

MTTR in hrs 24 Mean time to detect and repair a detectable fault

(DU xTi/2) 2.50E-02 Undetected portion

(DD x MTTR) 2.74E-04 Detected portion

PFD for 1oo1 subsystem 2.53E-02 SIL Table: SIL 1


$ ! $

(1(1 )) dd


78/100


7: 4& -Formula for calculating PFDavg for 1oo2

PFDavg = (1/3)*((1-)DU xTi)2 + 2((1-)DD x MTTR)2 +(DU xTi/2)+(DD)x MTTR

Failures per year




0.1000 Common cause factor for dangerous and safe failuresTi in hrs 8760 Proof test interval


(1/3)*((1-)DU xTi)2 6.75E-04 Undetected Voting portion

2((1-)DD2 x MTTR2) 1.18E-07 Detected voting portion

(DU xTi/2) 2.50E-03 Undetected Common portion

(DD)x MTTR 2.70E-05 Detected common portion

PFD for 1oo2 subsystem 3.20E-03

dd

(1(1--)) dd

(1(1--)) dd

Safecalc: D = 1.71% safe =0 C=66%


$ ! $

dd(1(1--)) dd


79/100


7: 4& -1


PFDavg = ((1-)DU xTi)2 + 6((1-)DD x MTTR)2 +(DU xTi/2)+(DD)x MTTR

Failures per yearParameter Value Notes



0.1000 Common cause factor for dangerous and safe failures

Ti in hrs 8760 Proof test interval


(1-)DU xTi)2 2.03E-03 Undetected Voting portion

6((1-)DD x MTTR)2 3.54E-07 Detected voting portion

(DU xTi/2) 2.50E-03 Undetected Common portion

(DD)x MTTR 2.70E-05 Detected common portion

PFD for 2oo3 subsystem 4.55E-03

dd

(( ))

(1(1--)) dd

(1(1--)) dd


SIS Analysis Model Example


80/100


Proof

Testing

Auto

Diagnostics

Proof

Testing


d1=0.2 d2=0.02 d3=0.1Failure Rates:

5yrs 50yrs 10yrs

0.01 0.005 0.01

Overall PFD avg. = 0.025

Qualifies for SIL 1 (E-1 to E-2)

= 2.5 E-2

Apply

Testing or

Diagnostics

or MTTF

PFD averages:

Apply

calculation

+ +


SIS Analysis: Step 1


81/100


(SIS)Hazard

Demand Rate D

Protective System

H HazardEvent Rate


SIL 2 SIL 1 SIL 1

SIL 1


SIS Analysis: Step 2, identify channels in each stage


82/100



Sensor

Logic

ActuatorD H

Sensor ActuatorD H

Example:Dual channel sensors and actuators, single channel logic

1oo2D

1oo1D

1oo2


SIS Analysis: Step 3, expand details for each single channel


83/100


Sensor

Logic

Sensor

1oo2D

1oo1D

Process

ConnectionTransmitter

Cable and

Power

Expand detail of sensor sub system and apply fail rates for each item


SIS Analysis:Step 4: Decide du, dd and s for the elements


84/100


Step 5: Enter the values to table and totalize

Process

ConnectionTransmitter

Cable and

Power

DU1 DU2 DU3DD1 DD2 DD3

SD1 SD2 SD3

SubsystemElement Device SD/hr SU/hr DD/hr DU/hr

1 Process connection 1.14E-05 0.00E+00 5.71E-06 3.42E-06

2 Transmitter 1.14E-05 0.00E+00 5.71E-06 5.71E-07

3 Cable and Power 1.14E-05 0.00E+00 5.71E-06 3.42E-06

4

5

Subsystem totals 3.42E-05 0.00E+00 1.71E-05 7.42E-06


SIS Analysis: Step 6, find the PFDavg for the 1oo2 subsystem


85/100


= common cause failure fraction

1oo2 Failures common toCh1 and Ch2 sensors

Logic

1oo1 d

Redundant section:

PFDavg =

2((1-).dd)2 . (MTTR)2

+ ((1-) .du .Ti)2)/3

Common cause section

PFDavg =

.dd (MTTR)+ .du . Ti/2)

+

(1-) d

(1-) d

=PFDavg

Break out the common cause failure fraction for the redundant channels and calculatePFD for each portion and add them together


SIS Analysis: Step 7, repeat steps 3 to 6 for each stage


86/100


Sensor

Logic

Actuator

Sensor Actuator

Example: Dual channel sensors and actuators, single channel logic

1oo2

1oo1

1oo2

PFDavgfor sensors

+ PFDavg forlogic solver

+ PFDavgfor actuators


SIS Analysis: Example

E l D l h l d i l h l l i 1


87/100


Example: Dual channel sensors and actuators, single channel logic. 1yr test

.045

0.05

.09

.045 .09

1oo2

1oo1D

1oo2

Dual Sensors PFD

= .00075 +.00125

= .002

Logic solver PFD

= .00013 +.00125

= .00138

Dual Actuators PFD

= .005 + .0027

= .0077

.0025 .01

SIS PFD = .002 + .0014 +.0077

= . 0111 or 1.11 E-2 = SIL 1

= 5% = 10%C = 95%

DU = 0.05 DU = 0.0025

DD = 0.0475

DU = 0.1


SIS Analysis: Example using the EIT Calculator

Data Input Table for Sensor Subsystem Fil EIT GP SIL C l l t l


88/100


Data Input Table for Sensor SubsystemProof Test Interval in Hrs (Ti) 8760

Common cause factor (B)% 5%

Mean Time To Test & Repair (Hrs) (MTTR) 24

Subsystem

ElementDevice SD/hr SU/hr DD/hr DU/hr

1 Sensor all components 1.14E-05 0.00E+00 0.00E+00 5.71E-06

2

3

4

5

Subsystem totals 1.14E-05 0.00E+00 0.00E+00 5.71E-06

Calculation results for Sensing

Safe Failure Fraction 66.7%

Diagnostic coverage 0.0%

PFDavg for 1001 2.50E-02

PFDavg for 1002 2.00E-03

PFDavg for 20033.51E-03

File name: EIT GP SIL Calculator .xls


IEC Table of PFDs relevant to Figure 8.16


89/100



90/100


SIS Analysis: Example Calculation for Spurious Trip

E l D l h l d t t i l h l l i


91/100


Example:Dual channel sensors and actuators, single channel logic

Sensor MTTF = 5 years, 75% safe failure fraction. C=0%, = 10%, Ti = 0.5 yrs, MTTR = 8hrsLogic MTTF = 10 years, 50% safe failure fraction. C= 95%, = 10%, Ti = 1 yrauto diagnostics test interval = 2 secs, MTTR = 24hrs

Actuator MTTF = 2 years, 80 % safe failure fraction. C= 0%, = 10%, Ti = 0.25 yrs, MTTR =24hrs

Sensor: single channel s = 1/5 x .75 = .15/yrLogic: single channel s = 1/10 x .5 = .05 dd = (C xd ) =95% x 0.05 = .0475/yrActuator: single channel s = 1/2 x .8 = .4/yr


SIS Analysis: Example Calculation for Spurious TripExample :Dual channel sensors and actuators, single channel logic

Spurious Trip for 1oo1


92/100



ST = S + DD Logic solver 1oo1

Parameter Sensor Logic Actuator Notes

S 0.05 Fail safe rate

DD 0.0475 DD rate added due to 95 coveragTotal for 1oo1 subsystem 0.0975 Spurious trip rate per yr


ST = 2x(1-B) (S + DD) +B(S + DD) Actuators: 1oo2

Parameter Sensor Logic Actuator Notes

S 0.15 0 0.4 Fail safe rate

DD 0 0 0 DD rate added due to S

Beta 0.1 0 0.1

2x(1-B) (S + DD) 0.27 0 0.72

B(S + DD) 0.015 0 0.04 Common portion

Total for 1oo2 subsystem 0.285 0 0.76 Spurious trip rate per yr

Overall Spurious Trip Rate

1.1425 per yr


SIS Analysis: Example, Spurious Trip Rate

E l D l h l d i l h l l i


93/100


Example: Dual channel sensors and actuators, single channel logic

.05

.36

.0135.36

1oo2

1oo1

1oo2

Dual Sensors Spurious

= .28 trips per yr

Logic solver

.097 trips per

yr

Dual Actuators PFD

= (2x .36) + (1x.04)

= .76 trips per yr

.04

Spurious trip rate = ..28 + .097 +.76

= 1.14 trips per year

..0135

.015


Reducing Spurious Trip RateDesign Version B


94/100


.135

.135

.015

.135

2oo3

2oo3 Sensors Spurious

= 6x s2 (MTTR)+ s= (6 x .1352x 8/8760) + .015

= .0001 + .015. 015 trips per yr

.15

1oo2

Dual Sensors Spurious

= 2 x .15= .30 trips per yr

.15

From 0.3 per year to 0.015/yr

If 1 trip costs AUD 50 000 the annual saving is

What? .

Design Version A


Outcomes of a Reliability Study


95/100


Show whether or not the SIS will satisfy the SIL target

Overall SIS Probability of Failure on Demand (PFDavg)

PFDavgs for each section of the SIS

Show benefits of redundancy or voting schemes

Decide the proof testing intervals

Predict the accident rate


Conclusions on Analysis Models


96/100


Models help to visualise SIS performance

Software speeds up analysis

IEC 61508 part 6 - methods and tables

Fault tree analysis for detailed systems


&& 0# 8 6 8

9 :# ;


97/100


9 :# ; Low demand mode applies when the demand on the SIS is equal to

or less than once per year. ( IEC 61511) . Alternatively no more thantwo demands per proof test interval.

Low demand calculations use PFDavg. Hazard event rate H = D x PFDavg

High demand mode applies when the demand on the SIS is more

than once per year. ( IEC 61511) . Alternatively more than twodemands per proof test interval.

High demand mode calculations use PFH ( same as failure to dangerrate)

Hazard event rate H = PFH


PSHPump


98/100


6 0#

PFDavg = 0.05 x = 0.025. and

PFH = 0.05 /8760 = 5.7E-06/hr

Suppose the demand rate D is once per year and the overpressure event rate= H/yr

In low demand mode calculation H = D x PFDavg so H = 1 x 0.025 = 0.025/yr

In high demand mode calculation H = PFH so H = 5.7E-06/hr = 0.05/yr

SISPower

pd = 0.05 and Ti = 1/yr:

Hp safety Trip


6 0#PSHPump


99/100


6 0#

PFDavg = 0.05 x = 0.025. and

PFH = 0.05 /8760 = 5.7E-06/hr

Suppose the demand rate D is once per day ( 365/yr)

And the overpressure event rate = H/yr

In low demand mode: H = D x PFDavg so H = 365 x 0.025 = 9.1/yr

In high demand mode :H = PFH so H = 5.7E-06/hr = 0.05/yr

SIS

Power

pd = 0.05 and Ti = 1/yr:


#


100/100


SIS has failures at

PFD = 0.01

PFH = 0.02/yr (2.28 E-06/hr)

Demand on SIS H = hazardous event

D = 0.1/yr ..H = /yr ?

D = 1.0/yr ..H = /yr ?

D = 10.0/yr ..H = /yr ?

D = 100 /yr ..H = /yr ?

sis slides v1

Documents