© ABB Group - 21-Mar-07

Page 1

Safety Integrity Level SIL

Paul Lucas, ABB Engineering Services

13 March 2007

Page 2

Agenda

Why do we need SIL systems?

Where does the SIL concept come from?

What is a SIL?

The Three Steps of SIL:
1. Set the target SIL (SIL Determination)
2. Design to meet the target SIL
3. Operate and Maintain to keep hitting the target SIL

Page 3

Why do we need SIL systems?

BP Texas City, USA 2005

Page 4

Why do we need SIL systems?

Buncefield, UK 2006

Page 5

Safety Issues

How do you demonstrate that your operations are ‘safe’?

How do you demonstrate that your equipment is ‘safe’?

How do you demonstrate that your safety and protective systems protect against your hazards?

You can answer these questions by demonstrating compliance with Industry Safety Standards

Page 6

Functional Safety Standard - IEC61508

Generic Standard supported by Sector variants (IEC61511 for Process Sector)

Guidance on use of Electrical, Electronic and Programmable Electronic Systems which perform safety functions

Considers the entire Safety Critical Loop

Comprehensive approach involving concepts of Safety Lifecycle and all elements of protective system

Risk-based approach leading to determination of Safety Integrity Levels - SIL

Page 7

Generic and Application Sector Standards

IEC61508 (generic standard)

IEC61511: Process Sector

Medical Sector

IEC61513: Nuclear Sector

IEC62061: Machinery Sector

Page 8

IEC61511 Safety Lifecycle

1. Hazard and Risk Assessment
2. Allocation of safety functions to protection layers
3. Safety Requirements specification for the safety instrumented system
4. Design & Engineering of Safety Instrumented System
5. Installation, Commissioning and Validation
6. Operation and Maintenance
7. Modification
8. Decommissioning
9. Verification
10. Management of functional safety and functional safety assessment and auditing
11. Safety Life-Cycle structure and planning

Also shown (unnumbered box in the diagram): Design & Development of other means of risk reduction

Page 9

Step 1 – Set the Target SIL

IEC61511 Safety Lifecycle (diagram as on Page 8)

Page 10

Hazard and Risk Assessment

Trevor Kletz (safety guru) sums it up as: How big? How often? So what?

What are the hazardous events – the consequence

How often may they occur – the frequency

Risk = Consequence * Frequency

Is this unacceptable to the company / regulator / society? What risk is tolerated?

Page 11

Tolerable Risk and ALARP

ALARP = As Low As Reasonably Practicable

Three risk bands, from High Risk down to Low Risk:

Intolerable – risk cannot be justified on any grounds

ALARP or Tolerability Band – may be “Tolerable” if risk level is As Low As Reasonably Practicable (ALARP)

Broadly Acceptable – no need for detailed working to demonstrate ALARP

Page 12

Risk Reduction to meet tolerable risk

Diagram along an axis of increasing risk, from Residual risk (lowest) through Target risk to Process risk (highest):

Necessary risk reduction – from Process risk down to Target risk

Actual risk reduction – from Process risk down to Residual risk, made up of:

Risk reduction from all Non-Instrumented Prevention / Mitigation Measures

Risk reduction from Safety Instrumented Function (SIF) – this is what the SIL expresses

Page 13

Expressing SIL

Safety Integrity Level | Probability of failure on demand (PFD) | Risk Reduction
SIL 1 | 0.1 to 0.01 | 10 – 100
SIL 2 | 0.01 to 0.001 | 100 – 1000
SIL 3 | 0.001 to 0.0001 | 1000 – 10000
SIL 4 | 0.0001 to 0.00001 | 10000 – 100000

Page 14

Methods for SIL Determination

Safety Layer Matrix – IEC 61511-3 Annex C

Risk Graphs – IEC 61511-3 Annex D

Layer of Protection Analysis (LOPA) – IEC 61511-3 Annex F

Fault Tree Analysis – IEC 61511-3 Annex B

Page 15

Risk Graph

The graph itself (a path through the C, F, P and W parameters ending in SIL 1 to SIL 4) is a figure; its parameters are:

C = Extent of Damage
Ca = Minor Injury
Cb = Lost time injury
Cc = Major Injury
Cd = On-site fatality
Ce = Multiple on-site fatalities or one off-site fatality

F = Proportion of Time of Exposure to Hazard
Fa = Low (< 0.1)
Fb = High (> 0.1)

P = Mitigating Factors
Pa = Good Chance of Avoiding Consequences (> 90%)
Pb = Poor Chance of Avoiding Consequences (< 10%)

W = Prob or Freq of Hazardous Event
W1 = Very Low (F < 0.01 / YR)
W2 = Low (F > 0.01 / YR)
W3 = Relatively High (F > 0.1 / YR)

Page 16

LOPA

Independent Layer of Protection

For each initiating cause, calculate which layers provide protection

Multiply for Event Frequency

Add for Total Event Freq

Initiating Cause | Frequency (/yr) | PFD of each Independent Layer of Protection (layers 1 to 6; blank where no credit is taken) | Intermediate Event Frequency (/yr)
A | 0.1 | 1, 0.01, 1, 0.1 | 0.0001
B | 0.1 | 0.1, 0.01, 1, 0.1 | 0.00001
C | 0.5 | 0.1, 0.01, 1, 1 | 0.0005
D, E, F | – | – | –

Total Event Frequency, Fe/yr: 0.00061

Maximum PFDavg for Safety Instrumented Function, Ft/Fe: 0.0492

Target Safety Integrity Level: SIL 1

PFDavg Calculation: PFD = Target (0.00003) / Total Event (0.00061) = 0.0492
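The LOPA arithmetic above, carried through in code as an added example (not part of the original ABB slides): the causes, initiating frequencies, IPL PFDs and the tolerable frequency Ft = 0.00003/yr are copied from the slide's table, the SIL bands come from the “Expressing SIL” slide, and the class and function names are the example's own. It also covers the edge case the slide does not show: when the non-instrumented layers already meet the target, no SIF credit is needed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# SIL bands from the "Expressing SIL" slide: SIL n covers 10^-(n+1) <= PFDavg < 10^-n
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


@dataclass
class InitiatingCause:
    """One row of the LOPA table."""
    name: str
    frequency_per_yr: float
    # PFD of each independent protection layer that acts on this cause
    # (1 = the layer takes no credit for this cause)
    ipl_pfds: List[float] = field(default_factory=list)

    def intermediate_event_frequency(self) -> float:
        """Multiply the initiating frequency by every IPL PFD (the 'Multiply' step)."""
        f = self.frequency_per_yr
        for pfd in self.ipl_pfds:
            if not 0.0 < pfd <= 1.0:
                raise ValueError(f"cause {self.name}: IPL PFD {pfd} must lie in (0, 1]")
            f *= pfd
        return f


def total_event_frequency(causes: Sequence[InitiatingCause]) -> float:
    """Sum the intermediate frequencies of all causes (the 'Add' step): Fe."""
    return sum(c.intermediate_event_frequency() for c in causes)


def sif_pfd_target(tolerable_freq_per_yr: float, causes: Sequence[InitiatingCause]) -> float:
    """Maximum PFDavg the SIF may have, Ft / Fe.

    Returns 1.0 when the other layers already meet the target, i.e. no SIF credit is needed.
    """
    fe = total_event_frequency(causes)
    if fe <= tolerable_freq_per_yr:
        return 1.0
    return tolerable_freq_per_yr / fe


def sil_for_pfd(pfd: float) -> Optional[int]:
    """Map a PFDavg to its SIL band; None when >= 0.1 (no SIL) or < 1e-5 (beyond SIL 4)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


# Constructed from the slide's LOPA table: causes A, B and C with their IPL PFDs
SLIDE_CAUSES = [
    InitiatingCause("A", 0.1, [1, 0.01, 1, 0.1]),
    InitiatingCause("B", 0.1, [0.1, 0.01, 1, 0.1]),
    InitiatingCause("C", 0.5, [0.1, 0.01, 1, 1]),
]
TOLERABLE_FREQUENCY = 0.00003  # Ft from the slide, /yr


def slide_example() -> Tuple[float, float, Optional[int]]:
    """Return (Fe, maximum PFDavg for the SIF, target SIL) for the slide's numbers."""
    fe = total_event_frequency(SLIDE_CAUSES)
    pfd = sif_pfd_target(TOLERABLE_FREQUENCY, SLIDE_CAUSES)
    return fe, pfd, sil_for_pfd(pfd)


if __name__ == "__main__":
    fe, pfd, sil = slide_example()
    for cause in SLIDE_CAUSES:
        print(f"cause {cause.name}: {cause.intermediate_event_frequency():.6f} /yr")
    print(f"Total event frequency Fe = {fe:.5f} /yr")
    print(f"Maximum PFDavg for the SIF = Ft/Fe = {pfd:.4f} -> SIL {sil}")
```

Running it reproduces the slide: Fe = 0.00061/yr, maximum PFDavg = 0.0492, target SIL 1. Changing Ft to a stricter tolerable frequency, or adding a cause with fewer protecting layers, moves the result into SIL 2 or beyond, which is the sense in which the slides say the target must be calibrated to your own tolerability.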

Page 17

Comparison of Methods

Criterion | Safety Layer Matrix | Risk Graph | LOPA | Fault Tree Analysis
Initial Screening | R | R | R | NR
Detailed Analysis | NR | NR | R | R
Multiple Causes with Different Protection | NR | NR | R | R
Potential Dependency | NR | NR | NR | R
Output (SIL or PFDavg) | SIL | SIL | PFDavg | PFDavg
Need to include specific Human Factors | NR | NR | R | R
Suitable for SIL | 1 | 1 | 1 & 2 | >1

NR = Not recommended; R = Recommended

Page 18

Summary of Step 1

Get the Target SIL correct – save time, money, equipment, maintenance

Calibrate any method for YOUR tolerability

Use a method suitable for the consequences

Page 19

Step 2 – Design to meet the target SIL

IEC61511 Safety Lifecycle (diagram as on Page 8)

Page 20

Random Hardware Failures

Any item of equipment in a protective system can fail.

There are broadly two types of system failure:

Fail Safe – component failure to an open circuit condition, loose connections, loss of power (air or electrical). These will cause the system to shut down the plant unnecessarily but are self revealing and ‘fail safe’.

Fail to Danger – contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked. These are ‘fail to danger’ because, when a demand occurs, the system cannot respond, i.e. un-revealed failures.

These are the failures we need for the PFD calculation.

Page 21

Example – High Pressure Trip

Loop components (as labelled on the slide): Pressure Transmitter, Relay, Trip Valve, Solenoid Valve, Trip Amp

Page 22

A Single Channel System – 6 month testing

Overall dangerous failure rate for the channel is the sum of the rates for the components (pressure transmitter, trip amplifier, relay, solenoid valve and trip valve):

λd = 0.05 + 0.067 + 0.0033 + 0.033 + 0.033 = 0.1863 per year

PFDavg = ½ T × λd

If this is tested every 6 months (T = 0.5 year) then

PFDavg = ½ × 0.5 × 0.1863 = 0.047

which is near the middle of SIL 1

Page 23

Achieved PFDavg against Safety Integrity Level

Safety Integrity Level | SIL 1 | SIL 2 | SIL 3 | SIL 4
PFDavg band | 10^-1 to 10^-2 | 10^-2 to 10^-3 | 10^-3 to 10^-4 | 10^-4 to 10^-5
(i.e. 0.1 to 0.01 | 0.01 to 0.001 | 0.001 to 0.0001 | 0.0001 to 0.00001)

Points marked on the scale: PFDavg = 0.047 (6 Month test interval), PFDavg = 0.05, PFDavg = 0.005

Page 24

The Need For Testing

Fail to Danger – contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked

These are ‘fail to danger’ because, when a demand occurs, the system cannot respond, i.e. un-revealed failures

Only exposed by testing

Diagram: system state (Healthy / Faulty) against Time (years), with Tests repeated at a fixed Test Interval. An unrevealed fault (marked x) leaves the system Faulty for the Dead Time until the next Test; a Demand arriving in that Dead Time finds the system unable to respond.

Testing can expose un-revealed failures

Page 25

Multiple Channels And Common Cause Failure (β) – more complicated, but the same principles

For One Channel (1 out of 1)

PFDav1 = 1/2 λd ∗ T

For Two Channels (1 out of 2)

PFDav2 = 4/3 [PFDav1]^2 + β [PFDav1]   or   PFDav2 = 1/3 [(λd)^2 ∗ T^2] + β [PFDav1]

For Three Channels (1 out of 3)

PFDav3 = 2 [PFDav1]^3 + β [PFDav1]   or   PFDav3 = 1/4 [(λd)^3 ∗ T^3] + β [PFDav1]

For Three Channels (2 out of 3 voting)

PFDav(2oo3) = 4 [PFDav1]^2 + β [PFDav1]   or   PFDav(2oo3) = (λd)^2 ∗ T^2 + β [PFDav1]

Taken From Practical Industrial Safety, Risk Assessment & Shutdown Systems, Dave MacDonald.
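To show how the single-channel figure from Page 22, the SIL band chart from Page 23 and the redundancy formulas quoted above fit together, here is an added example (not code from the slides, from ABB or from MacDonald's book). The five dangerous failure rates and the 6-month test interval are the slide's; which rate belongs to which component is not stated on the slide and is not assumed here. The value β = 0.1 is an assumption for illustration, and the function names are the example's own. It goes slightly beyond the slides by evaluating the same channel at several test intervals, which is the "shorter test intervals" point of the Step 2 summary.

```python
from typing import Dict, Optional, Sequence, Tuple

# SIL bands from the "Expressing SIL" slide: SIL n covers 10^-(n+1) <= PFDavg < 10^-n
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]

# Dangerous (un-revealed) failure rates per year of the five loop components on Page 22
SLIDE_RATES = [0.05, 0.067, 0.0033, 0.033, 0.033]
SLIDE_TEST_INTERVAL_YR = 0.5  # 6-month proof test
ASSUMED_BETA = 0.1            # common-cause fraction; assumed for illustration, not from the slide


def channel_lambda_d(rates: Sequence[float]) -> float:
    """A series channel fails to danger if any component does, so the rates add."""
    if any(r < 0 for r in rates):
        raise ValueError("failure rates must be non-negative")
    return sum(rates)


def pfd_1oo1(lambda_d: float, test_interval_yr: float) -> float:
    """PFDavg = ½ T λd, the simple approximation used on the slides (valid when λd T << 1)."""
    return 0.5 * lambda_d * test_interval_yr


def pfd_architecture(lambda_d: float, test_interval_yr: float, beta: float, arch: str) -> float:
    """MacDonald's formulas in the [PFDav1] form; β[PFDav1] is the common-cause term."""
    p1 = pfd_1oo1(lambda_d, test_interval_yr)
    independent = {
        "1oo1": p1,
        "1oo2": (4.0 / 3.0) * p1 ** 2,
        "1oo3": 2.0 * p1 ** 3,
        "2oo3": 4.0 * p1 ** 2,
    }
    if arch not in independent:
        raise ValueError(f"unknown architecture {arch}")
    common_cause = 0.0 if arch == "1oo1" else beta * p1
    return independent[arch] + common_cause


def pfd_architecture_lambda_form(lambda_d: float, test_interval_yr: float, beta: float, arch: str) -> float:
    """The same formulas written in λd and T, used here to confirm the two forms agree."""
    x = lambda_d * test_interval_yr
    p1 = 0.5 * x
    independent = {"1oo1": p1, "1oo2": x ** 2 / 3.0, "1oo3": x ** 3 / 4.0, "2oo3": x ** 2}
    if arch not in independent:
        raise ValueError(f"unknown architecture {arch}")
    common_cause = 0.0 if arch == "1oo1" else beta * p1
    return independent[arch] + common_cause


def sil_for_pfd(pfd: float) -> Optional[int]:
    """Map a PFDavg to its SIL band; None when >= 0.1 (no SIL) or < 1e-5 (beyond SIL 4)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def slide_single_channel() -> Tuple[float, float, Optional[int]]:
    """The Page 22 calculation: (λd, PFDavg at a 6-month test interval, SIL band)."""
    lam = channel_lambda_d(SLIDE_RATES)
    pfd = pfd_1oo1(lam, SLIDE_TEST_INTERVAL_YR)
    return lam, pfd, sil_for_pfd(pfd)


def pfd_by_test_interval(intervals_yr: Sequence[float]) -> Dict[float, float]:
    """PFDavg of the slide's channel for each proof-test interval in years."""
    lam = channel_lambda_d(SLIDE_RATES)
    return {T: pfd_1oo1(lam, T) for T in intervals_yr}


if __name__ == "__main__":
    lam, pfd, sil = slide_single_channel()
    print(f"lambda_d = {lam:.4f} /yr, PFDavg = {pfd:.4f} -> SIL {sil}")
    for T, p in pfd_by_test_interval([0.25, 0.5, 1.0, 2.0]).items():
        print(f"  test interval {T:4.2f} yr: PFDavg = {p:.4f} -> SIL {sil_for_pfd(p)}")
    for arch in ("1oo1", "1oo2", "1oo3", "2oo3"):
        p = pfd_architecture(lam, SLIDE_TEST_INTERVAL_YR, ASSUMED_BETA, arch)
        print(f"  {arch}: PFDavg = {p:.5f} -> SIL {sil_for_pfd(p)} (beta = {ASSUMED_BETA})")
```

With the slide's numbers the single channel gives PFDavg = 0.046575 (SIL 1); stretching the test interval to two years pushes it to 0.1863, outside any SIL band. Adding a second channel in 1oo2 brings the independent term down to about 0.0029, but with β = 0.1 the common-cause term β[PFDav1] is about 0.0047 and dominates, so the pair lands in SIL 2 rather than SIL 3; this is why the Step 2 summary lists common cause faults alongside additional hardware.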

Page 26

Sources of Data

Manufacturer’s data – based on either returned goods or predictions using either FMEA (failure mode effects analysis) or FMEDA (failure mode effects and diagnostic analysis). These should not be confused with real field failure rates based on actual use of the units.

Field data (61511 uses the term prior use) – based on similar operating conditions and environment. Should be collected using a methodical / auditable process and allow for errors (misreporting / non reporting) in the collection of the data.

Generic data – from an extensive history of similar industries found to be appropriate.

Page 27

‘Checking’ the numbers

IEC 61511 architectural constraints – Hardware Fault Tolerance

Designed to verify that the ‘numbers’ make sense

No mathematical basis for the figures

Based on experience

Specified SIL can be reduced with operational experience and analysis

Diagram labels: Analyser, Trip Amp, Relay Logic, Solenoid, Trip Valve (a second Analyser – Trip Amp – Solenoid – Trip Valve set is also shown)

Page 28

Constraint - Hardware Fault Tolerance (1)

Used for sensor, final elements and non PE Logic Solver

Table 6 in IEC61511 Part 1

Increased fault tolerance can enable easier maintenance and testing

Page 29

Constraint - Hardware Fault Tolerance (2)

Applies to PE Logic Solvers – Table 5 in IEC 61511 Part 1

The ‘cleverer’ the PES, the less fault tolerance required for the target SIL

More complex tables in IEC61508 – used for certified instruments to reduce HFT

Page 30

Manufacturer’s Data – Example 2

Page 31

Non-Hardware faults - Systematic

Because of the findings from ‘Out of Control’ and other work…

Large number of faults are not caused by hardware

We need appropriate processes, procedures, methods – ‘systems’ in place to control these faults

Breakdown of faults by lifecycle phase (pie chart):
Specification: 43%
Design & implementation: 15%
Installation & commissioning: 6%
Operation & maintenance: 15%
Changes after commissioning: 21%

Page 32

Problems with software – systematic faults

How do you make software 10 times better?

How do you measure software?

What is the probability of Fail to Danger (pfd) of a lump of code?

You cannot measure software like hardware – quantitative methods

You have to use more rigorous techniques for software required for higher level SIL – qualitative methods

Page 33

Example of Software Techniques

Table A.4 - Software design and development: detailed design (HR = highly recommended, R = recommended, -- = no recommendation for or against)

Technique/Measure | Ref | SIL 1 | SIL 2 | SIL 3 | SIL 4
1a Structured methods including for example, JSD, MASCOT, SADT and Yourdon | C.2.1 | HR | HR | HR | HR
1b Semi-formal methods | Table B.7 | R | HR | HR | HR
1c Formal methods including for example, CCS, CSP, HOL, LOTOS, OBJ, temporal logic, VDM and Z | C.2.4 | -- | R | R | HR
2 Computer-aided design tools | B.3.5 | R | R | HR | HR
3 Defensive programming | C.2.5 | -- | R | HR | HR
4 Modular approach | Table B.9 | HR | HR | HR | HR
5 Design and coding standards | Table B.1 | R | HR | HR | HR
6 Structured programming | C.2.7 | HR | HR | HR | HR
7 Use of trusted/verified software modules and components (if available) | C.2.10, C.4.5 | R | HR | HR | HR

Page 34

Summary of Step 2

80% - 90% of safety functions should be SIL 1 – single channel, reasonable test intervals, no HFT to consider

High SIL, complex architecture – use a specialist:
shorter test intervals (simple SIL calculations may not apply)
additional hardware (including final elements)
common cause faults, hardware fault tolerance, SFF, DC
systematic controls

Take care with instrument data – field data is best; manufacturer's data is a prediction and will need to be adjusted for plant conditions

Page 35

Step 3 – Operate and Maintain to meet the SIL

IEC61511 Safety Lifecycle (diagram as on Page 8)

Page 36

Operation and Maintenance

What activities are required to ensure the Safety Instrumented System keeps meeting the target SIL?

What operations and test data need to be kept and recorded to verify the SIL determination and design assumptions?

Page 37

Proof Tests – 61511 states…

Periodic proof tests shall be conducted using a written procedure

The entire SIS shall be tested including the sensor(s), the logic solver and the final element(s)

Different parts of the SIS may require different test intervals

The frequency of the proof tests shall be decided using the PFDavg calculation

At some periodic interval the frequency of the testing shall be re-evaluated.

Page 38

Why record Demands?

To demonstrate the design demand rate is not being exceeded

To demonstrate that the causes of demand are as expected

To check causes and rates of failsafe demands

To be able to carry out periodic reviews

Page 39

Why record Proof Test Records/Results?

To demonstrate that testing is being carried out at specified interval

As an auditable trail to the recorded results

To indicate who carried out the tests

To demonstrate that faults found have been rectified

To be able to carry out periodic reviews

Need to record results in a manner which enables the results to be extracted/ presented in a format which makes reviews possible
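The demand and proof-test records described on Pages 36 to 39 are only useful if something periodically reviews them against the assumptions behind the SIL determination and the PFDavg calculation. The following is an added example (not code from the slides or from ABB) of such a review: the record layout, the field names, the sample records and the design figures (a 183-day test interval matching the 6-month calculation on Page 22, an assumed design demand rate of 0.5/yr, and "high pressure" as the expected cause) are all constructed for illustration.

```python
from datetime import date
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample records for one SIF (not real plant data)
PROOF_TESTS: List[Dict] = [
    {"date": date(2006, 1, 10), "tester": "J. Smith", "result": "pass", "fault_rectified": None},
    {"date": date(2006, 7, 5), "tester": "J. Smith", "result": "fail", "fault_rectified": date(2006, 7, 6)},
    # late test whose fault has no rectification recorded
    {"date": date(2007, 2, 20), "tester": "A. Jones", "result": "fail", "fault_rectified": None},
]
DEMANDS: List[Dict] = [
    {"date": date(2006, 3, 2), "cause": "high pressure", "kind": "genuine"},
    {"date": date(2006, 9, 14), "cause": "loss of air supply", "kind": "spurious"},
    {"date": date(2007, 1, 30), "cause": "high pressure", "kind": "genuine"},
]
# Design assumptions behind the SIL determination and the PFDavg calculation (constructed)
DESIGN = {
    "test_interval_days": 183,          # 6-month proof test, as in the Page 22 calculation
    "design_demand_rate_per_yr": 0.5,   # assumed demand rate used in the SIL determination
    "expected_causes": {"high pressure"},
}


def review_proof_tests(tests: Sequence[Dict], design: Dict, as_of: date) -> List[str]:
    """Check that tests happen at the specified interval, name a tester and close out faults."""
    findings = []
    ordered = sorted(tests, key=lambda t: t["date"])
    for prev, cur in zip(ordered, ordered[1:]):
        gap = (cur["date"] - prev["date"]).days
        if gap > design["test_interval_days"]:
            findings.append(f"interval of {gap} d between tests on {prev['date']} and {cur['date']} "
                            f"exceeds the {design['test_interval_days']} d design interval")
    if ordered and (as_of - ordered[-1]["date"]).days > design["test_interval_days"]:
        findings.append(f"proof test overdue as of {as_of}")
    for t in ordered:
        if not t.get("tester"):
            findings.append(f"test on {t['date']} has no tester recorded")
        if t["result"] == "fail" and t["fault_rectified"] is None:
            findings.append(f"fault found on {t['date']} not recorded as rectified")
    return findings


def review_demands(demands: Sequence[Dict], design: Dict, years: float) -> Tuple[float, List[str], int]:
    """Compare observed genuine demands with the design demand rate and expected causes.

    Returns (observed genuine demand rate per year, findings, number of fail-safe/spurious trips).
    """
    genuine = [d for d in demands if d["kind"] == "genuine"]
    rate = len(genuine) / years
    findings = []
    if rate > design["design_demand_rate_per_yr"]:
        findings.append(f"observed demand rate {rate:.2f}/yr exceeds the design rate "
                        f"{design['design_demand_rate_per_yr']}/yr")
    for cause in sorted({d["cause"] for d in genuine} - design["expected_causes"]):
        findings.append(f"unexpected demand cause: {cause}")
    spurious = sum(1 for d in demands if d["kind"] == "spurious")
    return rate, findings, spurious


if __name__ == "__main__":
    for line in review_proof_tests(PROOF_TESTS, DESIGN, as_of=date(2007, 3, 13)):
        print("proof tests:", line)
    rate, lines, spurious = review_demands(DEMANDS, DESIGN, years=2.0)
    print(f"genuine demand rate {rate:.2f}/yr, {spurious} spurious trip(s)")
    for line in lines:
        print("demands:", line)
```

On the constructed records the review reports a 230-day gap between the second and third proof tests and an unrectified fault from the third, and a genuine demand rate of 1.0/yr against a design figure of 0.5/yr. A demand rate above the design value matters because the LOPA target was derived from the initiating frequencies, so a higher observed rate means the SIL determination itself needs revisiting, not just the test schedule.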

Page 40

Summary of the 3 steps

Get the Target SIL correct – save time, money, equipment, maintenance

Design to meet the SIL – more than failure rates; where do you get failure data from? Hardware Fault Tolerance and systematic controls

Operate and Maintain to keep the SIL – testing, recording, analysing and improving
