TRANSCRIPT
exida.com
excellence in dependable-automation
Copyright exida LLC 2001-2011
Functional Safety According to IEC61511 & IEC62061
SAFA, July 2011
Owen Tavener-Smith Pr. Eng CFSE
The Functional Safety Standards
International Performance Based Standard For All Industries
IEC61511 : Process Industry Sector
IEC62061 : Machinery Sector
IEC61513 : Nuclear Sector
IEC 61508 Standard
• Released 2000, Ed2: 2010
• Umbrella FS standard
• Risk based
• Performance based
• Targets suppliers
– Requirements for suppliers of control and instrumentation for component / sub-system safety
– End users seek suppliers with products certified to this standard by a reputable certifying agency
Industry Sector Standards
Targets End Users, Contractors and Integrators
Performance NOT Prescription
IEC61511 for Process Industry
IEC62061 for Machinery Safety
Apply Functional Safety concepts to industry sectors
• Establish safety requirements
• Design to safety targets
• Maintain safety targets throughout system lifetime
IEC61511: Process Industry
• Hazards with large consequences but low frequency of occurrence
• Demand rate on SIF < once per year but typically much lower.
• Structure: 3 parts
– Part 1: Technical requirements
– Part 2: Guideline for application of part 1
– Part 3: Guidelines for the determination of required SIL.
• IEC technical committee 65
IEC62061: Machinery Safety
• Hazards with smaller consequences but high inherent frequency of occurrence
• Demand rate on SIF > once per year.
• Structure:
– Management of Functional Safety
– Requirements for specifying SRCFs
– Design & Integration of SRECSs
– Validation
– Modification.
• IEC technical committee 44
Functional Safety to Manage Risk
[Figure: risk reduction diagram. A scale of increasing risk runs from Acceptable Risk up to Process Risk; the gap between them is the Minimum Risk Reduction, with Optimal Risk Reduction (ALARP) going further. The Layers Of Protection that close the gap are Design, BPCS, Alarms, Relief and Safety Function.]
[Figure: reactor with temperature transmitters TT 1, TT 2, TT 3 and pressure transmitters PT 1, PT 2, PT 3 wired to a logic solver (Power Supply, CPU, Input Module, Output Module).]
IEC61511 Terms
SIF: Safety Instrumented Function
SIS: Safety Instrumented System
IEC62061 Terms
SRCF: Safety Related Control Function
SRECS: Safety Related Electrical Control System
Safety System Definitions
Safety Instrumented Function (SIF): An instrument loop that protects against a single hazard by:
1. Automatically taking an industrial process to a safe state when specified conditions are violated;
2. Permitting a process to move forward in a safe manner when specified conditions allow (permissive functions); or
3. Taking action to mitigate the consequences of an industrial hazard.
Failure Categories
Random Failures, (hardware): A failure occurring at a random time, which results from one or more degradation mechanisms.
Systematic Failures, (includes software): A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors.
Industrial Accident Causes - HSE
HSE study of accident causes involving control systems:
Specification                  44%
Design & Implementation        15%
Installation & Commissioning    6%
Operation & Maintenance        15%
Changes after Commissioning    21%
“Out of Control: Why Control Systems go Wrong and How to Prevent Failure,” U.K.: Sheffield, Health and Safety Executive, 1995
Safety Lifecycle Summary
ANALYSIS: How much safety do I need? [Determine SIL]
• Conceptual Process Design
• Identify Potential Hazards
• Consequence Analysis
• Layer of Protection Analysis
• Develop Non-SIS Layers
• Determine SIF Target SIL
• Document Requirements
IMPLEMENTATION: How do I get the safety I need? [Achieve SIL]
• Select SIS Technology
• Select SIS Architecture
• Determine Test Frequency
• SIS Detailed Design
• SIS Hardware Build
• SIS Software Configuration
• SIS Testing
• SIS Installation
• SIS Commissioning
• SIS Initial Validation
OPERATION: How do I keep the safety I need? [Maintain SIL]
• Startup
• Operation
• Maintenance
• Periodic Proof Tests
• Modifications
• Decommissioning
Modification = Change Requirements
Modification = Change Design
Safety Lifecycle – IEC 61511
[Figure: IEC 61511 safety lifecycle. Management of Functional Safety and Functional Safety Assessment (Clause 5), Safety Lifecycle Structure and Planning (Clause 6.2) and Verification (Clause 7 & Clause 12.7) span all three phases.]
Analysis:
– Process Hazard & Risk Analysis [Clause 8]
– Allocate Safety Function to Protection Layers [Clause 9]
– SIS Safety Requirements Specification [Clauses 10 & 12]
Realisation:
– SIS Design and Engineering [Clauses 11 & 12]
– SIS FAT [Clause 13]
– SIS Installation & Commissioning [Clause 14]
– SIS Safety Validation [Clause 15]
Operation:
– SIS Operation & Maintenance [Clause 16]
– SIS Modification [Clause 17]
– SIS Decommissioning [Clause 18]
Project stages shown alongside: FEED / Concept, Design & Build, Test, Install, Manage, Validate, Proof Test.
Safety Lifecycle “Analysis” Phases
[Figure: analysis-phase flowchart, steps 1 to 6]
1. Conceptual Process Design
2. Identify Potential Hazards
3. Consequence Analysis (Assess Consequences)
4. Layer of Protection Analysis (Assess Likelihood; Develop Non-SIS Layers)
SIS Required? No: Stop. Yes: continue.
5. Select Target SIL for SIS & SIF
6. Document SIS / SIF Requirements, then To Realization
Inputs shown: Process Safety Information, Event History, Hazard Characteristics, Layers of Protection, Failure Probabilities, Tolerable Risk Guidelines.
Outputs shown: Potential Hazards, Hazard Consequences, Hazard Frequencies, Target SILs, and the Safety Requirements Specification - Functional Description of each Safety Instrumented Function, Target SIL, Mitigated Hazards, Process parameters, Logic, Bypass/Maintenance requirements, Response time, etc.
Safety Integrity Level, (SIL)
• The Safety Integrity Level is an expression of risk reduction.
• A Safety Instrumented Function protects against a specific hazard.
• Analyse the hazard scenario in terms of risk.
SIL   Risk Reduction Factor
4     10,000 to 100,000
3     1,000 to 10,000
2     100 to 1,000
1     10 to 100
What is risk?
Risk is a measure of the likelihood and consequence of a hazard (i.e., how often can it happen and what will be the severity of the effects if it does?).
We want to protect:
• Personnel
• Environment
• Financial
– Equipment/Property Damage
– Business Interruption
These categories are called Risk Receptors.
Measuring Risk
Severity / Frequency   1/100,000yr  1/10,000yr  1/1,000yr  1/100yr   1/10yr   > once/yr
                       to 1/10,000  to 1/1,000  to 1/100   to 1/10   to 1/yr
Multiple fatalities    ALARP        1           2          3         4        b
One fatality           NR           ALARP       1          2         3        4
Disabling injury       NR           NR          ALARP      1         2        3
Reversible injury      NR           NR          NR         ALARP     1        2
First aid              NR           NR          NR         NR        ALARP    1
Consequence Analysis
Incident Outcome: Uncontrolled spillage of unleaded petrol from storage tank into bunded area. Potential for vapour cloud formation which if ignited could result in VCE and subsequent tank fire.
Consequences:
Personnel Safety: Fatalities within effect zone
Environment: Serious national environmental impact
Financial: Damage repair cost and lost production: >USD100M
Likelihood Analysis
• Hazard can only occur when an unwanted event occurs, (typically a control system failure or human error)
• In most cases the hazard will not occur immediately since there may be other conditions that have to be satisfied.
• Example: Uncontrolled tank spillage resulting in VCE
– Unwanted event: Tank level control failure
– Condition #1: High level alarm did not work or operator ignored alarm
– Condition #2: High high level safety function did not work
– Condition #3: Spillage was not detected by CCTV or other operator surveillance
– Condition #4: Weather conditions suitable for vapour cloud formation
– Condition #5: Presence of ignition source
Likelihood Analysis
Uncontrolled tank spillage resulting in VCE
– Tank level control failure AND
– Condition #1: High level alarm did not work or operator ignored alarm AND
– Condition #2: High high level safety function did not work AND
– Condition #3: Spillage was not detected by CCTV or other operator surveillance AND
– Condition #4: Weather conditions suitable for vapour cloud formation AND
– Condition #5: Presence of ignition source.
FIE * PC#1 * PC#2 * PC#3 * PC#4 * PC#5 = Hazard Frequency
FIE: Frequency of initiating event, (events per year)
PC#n: Probability of condition, (0-1)
LOPA: Likelihood Analysis
Layer Of Protection Analysis
[Figure: event tree for the tank overfill scenario; branch probabilities and end-state frequencies as listed]
Initiating event: Level control failure, 1 event per year.
IPL #1: Independent alarm + operator intervention. Fails: 0.1.
LOC: Spillage of flammable fuel at 500 m3 per hour. Yes: 1; No: 0 (No LOC).
IPL #2: Routine field operator surveillance. Fails: 0.3; works: 0.7 (LOC but mitigated by post release intervention, 0.07 per year).
Outcome Modifier: Stable weather conditions. Yes: 0.1; No: 0.9 (No significant vapour cloud formation, 0.0270 per year).
Outcome Modifier: Probability of ignition. Yes: 0.9 (VCE followed by tank fire, 0.0027 per year); No: 0.1 (Vapour cloud forms but no ignition source found, 0.0003 per year).
Measuring Risk: SIL Determination
Severity / Frequency   1/100,000yr  1/10,000yr  1/1,000yr  1/100yr   1/10yr   > once/yr
                       to 1/10,000  to 1/1,000  to 1/100   to 1/10   to 1/yr
Multiple fatalities    ALARP        1           2          3         4        b
One fatality           NR           ALARP       1          2         3        4
Disabling injury       NR           NR          ALARP      1         2        3
Reversible injury      NR           NR          NR         ALARP     1        2
First aid              NR           NR          NR         NR        ALARP    1
Numbered cells are the required SIL. Plotting the tank overfill scenario on this matrix gives the SIL 2 Target.
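The event tree and the risk-matrix lookup above, carried through as an added example that is not part of the exida slides: the branch probabilities are constructed inputs read off the event tree, the severity row used for the target SIL (multiple fatalities, following the consequence analysis slide) is an assumption, and all function names are mine.

```python
import bisect

# Constructed inputs read off the slide's event tree
IE_FREQ = 1.0            # initiating event: level control failure, events per year
PFD_ALARM = 0.1          # IPL #1: independent high level alarm + operator intervention
PFD_SURVEILLANCE = 0.3   # IPL #2: routine field operator surveillance
P_STABLE_WEATHER = 0.1   # outcome modifier: weather suitable for a vapour cloud
P_IGNITION = 0.9         # outcome modifier: ignition source present


def hazard_frequency(f_ie, *conditions):
    """Slide formula FIE * PC#1 * ... * PC#n; every PC#n must lie in [0, 1]."""
    freq = f_ie
    for p in conditions:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability of condition out of range: {p}")
        freq *= p
    return freq


def lopa_event_tree(f_ie=IE_FREQ, pfd_alarm=PFD_ALARM, pfd_surv=PFD_SURVEILLANCE,
                    p_weather=P_STABLE_WEATHER, p_ignition=P_IGNITION):
    """Frequency (events per year) of each end state of the slide's event tree.

    At every node the incoming frequency splits: an IPL fails with probability
    PFD (the branch continues) or works with 1 - PFD (the branch ends in a
    mitigated outcome); outcome modifiers split the remainder the same way.
    """
    loc = hazard_frequency(f_ie, pfd_alarm)            # IPL #1 failed: spillage
    unmitigated = hazard_frequency(loc, pfd_surv)      # IPL #2 failed as well
    cloud = hazard_frequency(unmitigated, p_weather)   # vapour cloud formed
    return {
        "LOC but mitigated by post release intervention": loc - unmitigated,
        "No significant vapour cloud formation": unmitigated - cloud,
        "Vapour cloud forms but no ignition source found":
            hazard_frequency(cloud, 1.0 - p_ignition),
        "VCE followed by tank fire": hazard_frequency(cloud, p_ignition),
    }


# Risk matrix from the "Measuring Risk" slide: rows are severity, columns are
# hazard-frequency bands from rarest (once/100,000yr to once/10,000yr) to most
# frequent (> once/yr).  "NR", "ALARP" and "b" are the slide's own cell labels;
# a digit is the SIL required of the safety function.
RISK_MATRIX = {
    "Multiple fatalities": ["ALARP", "1", "2", "3", "4", "b"],
    "One fatality":        ["NR", "ALARP", "1", "2", "3", "4"],
    "Disabling injury":    ["NR", "NR", "ALARP", "1", "2", "3"],
    "Reversible injury":   ["NR", "NR", "NR", "ALARP", "1", "2"],
    "First aid":           ["NR", "NR", "NR", "NR", "ALARP", "1"],
}
BAND_LOWER_EDGES = [1e-5, 1e-4, 1e-3, 1e-2, 1e-1, 1.0]   # events per year


def frequency_band(freq_per_year):
    """Column index for a hazard frequency; None if rarer than the slide covers."""
    if freq_per_year < BAND_LOWER_EDGES[0]:
        return None
    return bisect.bisect_right(BAND_LOWER_EDGES, freq_per_year) - 1


def required_sil(freq_per_year, severity):
    """Risk-matrix cell for an unmitigated hazard frequency and its severity."""
    band = frequency_band(freq_per_year)
    return None if band is None else RISK_MATRIX[severity][band]


def target_sil_for_scenario(severity="Multiple fatalities"):
    """Target SIL of the high-high level SIF: the VCE frequency from the event
    tree (which does not credit the SIF) looked up against the consequence
    severity.  The severity row is an assumption taken from the consequence
    analysis slide, not a value the slides state."""
    vce = lopa_event_tree()["VCE followed by tank fire"]
    return required_sil(vce, severity)


if __name__ == "__main__":
    for outcome, freq in lopa_event_tree().items():
        print(f"{freq:.4f} per year  {outcome}")
    print("Target SIL:", target_sil_for_scenario())
```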
SIL Determination Example
[LOPA worksheet; the recoverable fields follow]
Project Description: Buncefield Fuel Depot Tank Overfill LOPA example
SIL Review Date: 05/12/2005
Area: Tank farm zone 1
SIF No: 1
Initiator Tagname: 30-LSHH-001
SIF Definition: On detection of high high level, (30-LSHH-001) at storage tank 001, close tank inlet valve 30-XV-010.
Description of hazard [include initiating event and incident outcome]: Continued filling of storage tank will lead to spillage of unleaded fuel into the bunded area. Formation of vapour cloud is possible, (aggravated by aerosol formation). Build-up of vapour cloud beyond bund wall could be ignited leading to potential for VCE with flash back and tank fire.
Consequence:
– Personnel Safety: 1-2 fatalities
– Community Safety: Hospitalisation or multiple press articles regarding complaints
– Financial: 100 - 1000 Million
– Environment: Serious national environmental impact
Initiating Event Cause(s) [events per year]:
– CAUSE 1: Tank gauge failure, cause frequency 1
– CAUSE 2, CAUSE 3, CAUSE 4: cause frequency 0
IPL #1 [PFD]: High level alarm + operator intervention, 0.1
IPL #2 [PFD]: Operator notices level reading is not changing, 0.3
Outcome Modifier #1 [Probability]: Weather conditions favourable for vapour cloud build-up, 0.1
Outcome Modifier #2 [Probability]: Ignition source found, 0.9
IPL #5 (Personnel occupancy): At least one worker will normally be within effect zone
IPL #5 (Community occupancy): Probable that public will be within effect zone
Total Intermediate Frequency: 2.70E-03 per year (Personnel Safety, Community Safety, Financial, Environment)
Target SIL: Community Safety 2
Safety Lifecycle “Realization” Phases
How to achieve the safety target? SIF Design
[Figure: realization-phase flowchart, steps 7 to 10]
Input: Safety Requirements Specification - Functional Description of each Safety Instrumented Function, Target SIL, Mitigated Hazards, Process parameters, Logic, Bypass/Maintenance requirements, Response time, etc.
7. SIS Conceptual Design
– 7a. Select Technology: choose sensor, logic solver and final element technology
– 7b. Select Architecture: Redundancy: 1oo1, 1oo2, 2oo3, 1oo2D
– 7c. Determine Test Philosophy
– 7d. Reliability, Safety Evaluation: SILs Achieved
SIL Achieved? No / Yes
8. SIS Detailed Design: Detailed Design Documentation - Loop Diagrams, Wiring Diagrams, Logic Diagrams, Panel Layout, PLC Programming, Installation Requirements, Commissioning Requirements, etc.
9. Installation & Commission Planning
10. SIS Installation, Commissioning and Pre-startup Acceptance Test
Supporting references shown: Manufacturer’s Safety Manual, Manufacturer’s Failure Data, Failure Data Database, SILver Tool, DD DOCUMENT Template, Manufacturer’s Installation Instructions.
Eliminate Weak Link Designs
• Design solution:
– Three transmitters voted 2oo3
– Certified Safety PLC: Triconex or Honeywell FSC
– Single solenoid and actuator/valve
[Figure: three TTs feeding a Safety PLC, which drives a single Solenoid and Control Valve.]
Safety Integrity Level, (SIL)
• The Safety Integrity Level is an expression of:
– Risk reduction,
– Probability of failure of the Safety Function.
• To achieve the target SIL, the probability of failure of the Safety Function must be calculated.
SIL   Risk Reduction Factor   PFDavg
4     10,000 to 100,000       10^-4 to 10^-5
3     1,000 to 10,000         10^-3 to 10^-4
2     100 to 1,000            10^-2 to 10^-3
1     10 to 100               10^-1 to 10^-2
SIF Design
On high high tank level, close inlet valve:
– Level transmitter
– Portion of Safety PLC
– Actuator/valve + solenoid
Probability of Failure = λTI/2
λ, (lambda): Device failure rate, (dangerous)
TI: Time interval between proof test
The lower the failure rate, the lower the failure probability.
The shorter the time interval between proof tests, the lower the failure probability.
PFDavg = λTI/2 valid for low demand mode
SIF Design: Transmitter
• Device type 1: λ = 2E-06 failures per hour
– TI = 2 years
– PFDavg = λTI/2 = 1.75E-02 (SIL 1)
• Device type 2: 90% diagnostic coverage
– λ = 2E-07
– PFDavg = λTI/2 = 1.75E-03 (SIL 2)
• Device type 1: 2 devices voted 1oo2
– PFDavg = λ²TI²/3 = 4.1E-04 (SIL 3)
– With common cause: PFDavg = 1.25E-03 (SIL 2)
SIF Design: Select Technology
• Objective
– Choose the right equipment for the purpose. All criteria used for process control still apply.
• Tasks
– Choose equipment
– Obtain reliability and safety data for the equipment
– Obtain Safety Manual for any safety certified equipment
SIF Design: Select Architecture
• Objective
– Choose type of redundancy if needed.
• Tasks
– Choose architecture
  – 1oo1 no redundancy
  – 1oo2 two devices single fault tolerant
  – 2oo3 three devices single fault tolerant
– Obtain reliability and safety data for the architecture
SIF Design: Establish Proof Test Philosophy
In general the testing can include:
• Automatic testing which is built into the SIS, (called diagnostics)
• Off-line testing, which is done manually while the process is not in operation.
• On-line testing, which is done manually while the process is in operation.
• Frequency of tests?
• Effectiveness of tests?
Proof testing is the responsibility of the maintenance team: the design team should always think about facilitating the maintenance tasks.
SIF Design and Verification
• The SIL is based on the complete SIF:
– Sensor(s): PFDavg (S)
– Logic Solver(s): PFDavg (LS)
– Final Element(s): PFDavg (FE)
[Figure: Sensor, Logic Solver and Final Element in series]
PFDavg (SIF) = PFDavg (S) + PFDavg (LS) + PFDavg (FE)
PFDavg = λ.TI/2
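The PFDavg arithmetic from the transmitter slide and the SIF sum above, as an added example that is not from the exida slides: the 8760 h/year conversion, the 5% common-cause beta, and the logic solver and final element PFDavg figures in the sample call are assumptions, as are all function names.

```python
HOURS_PER_YEAR = 8760   # assumption: the slide's TI of 2 years is taken as 17,520 h

# SIL bands by PFDavg from the slide's table: (SIL, lower bound, upper bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_1oo1(lam, ti_hours):
    """Single device, low demand mode: PFDavg = lambda * TI / 2 (slide formula)."""
    return lam * ti_hours / 2.0


def pfd_1oo2(lam, ti_hours, beta=0.0):
    """Two identical devices voted 1oo2.  Independent failures follow the slide's
    lambda^2 * TI^2 / 3; beta is the common-cause fraction of lambda, added with
    the beta-factor model.  The slide states no beta; 5 % is the assumption that
    reproduces its 1.25E-03."""
    independent = ((1.0 - beta) * lam * ti_hours) ** 2 / 3.0
    common_cause = beta * lam * ti_hours / 2.0
    return independent + common_cause


def sil_from_pfd(pfd):
    """SIL achieved for a PFDavg, or None when outside the SIL 1 to SIL 4 bands."""
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return None


def pfd_sif(pfd_sensor, pfd_logic_solver, pfd_final_element):
    """PFDavg (SIF) = PFDavg (S) + PFDavg (LS) + PFDavg (FE): the SIL is based on
    the complete loop, so the worst subsystem dominates the sum."""
    return pfd_sensor + pfd_logic_solver + pfd_final_element


def transmitter_options(ti_years=2.0):
    """The four sensor options on the slide as {name: (PFDavg, SIL achieved)}."""
    ti = ti_years * HOURS_PER_YEAR
    lam_type1 = 2e-6    # dangerous failures per hour
    lam_type2 = 2e-7    # type 1 with 90 % diagnostic coverage
    pfds = {
        "type 1, 1oo1": pfd_1oo1(lam_type1, ti),
        "type 2, 1oo1": pfd_1oo1(lam_type2, ti),
        "type 1, 1oo2": pfd_1oo2(lam_type1, ti),
        "type 1, 1oo2 with common cause": pfd_1oo2(lam_type1, ti, beta=0.05),
    }
    return {name: (pfd, sil_from_pfd(pfd)) for name, pfd in pfds.items()}


def verify_sif(pfd_sensor, pfd_logic_solver, pfd_final_element, target_sil):
    """Return (PFDavg of the SIF, SIL achieved, target met?).  A PFDavg outside
    the SIL bands (achieved None) never meets the target."""
    total = pfd_sif(pfd_sensor, pfd_logic_solver, pfd_final_element)
    achieved = sil_from_pfd(total)
    return total, achieved, achieved is not None and achieved >= target_sil


if __name__ == "__main__":
    options = transmitter_options()
    for name, (pfd, sil) in options.items():
        print(f"{name:32s} PFDavg = {pfd:.2E}  SIL {sil}")
    # Constructed loop: 1oo2 transmitters with common cause, a logic solver at
    # 2E-05 and a single valve at 1.5E-03 (assumed figures), against SIL 2.
    sensor_pfd = options["type 1, 1oo2 with common cause"][0]
    total, sil, ok = verify_sif(sensor_pfd, 2e-5, 1.5e-3, target_sil=2)
    print(f"SIF PFDavg = {total:.2E}, SIL {sil} achieved, target met: {ok}")
```

The valve figure is deliberately the largest term: even with SIL 3 sensors the loop stays SIL 2, which is the weak-link point of the design slides.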
Systematic Capability
• Hardware failures
– Stress/strength model
– Wear out mechanisms
– Useful life
• Systematic failures
– Software errors
– Specification error
– Manufacturing defect
Systematic Capability addresses systematic failures
Trend toward 61508 certified products
• IEC 61508 Certification addresses both Hardware Integrity requirements and Systematic Integrity requirements.
• More and more products are getting IEC 61508 Certification:
[Chart: Number of IEC 61508 Certified Sensors per year, 1996 to 2007, on a scale of 0 to 30. From exida Process Measurement Instrument Market report.]
Safety Lifecycle “Operation” Phases
[Figure: operation-phase flowchart, steps 11 to 16]
11. Validation Planning
12. Validation: Pre-startup Safety Review
13. Operating and Maintenance Planning
14. SIS startup, operation, maintenance, Periodic Functional Tests
15. Modify, Decommission? (Modify / Decommission)
16. SIS Decommissioning
Verify all documentation against hazards, design, installation testing, maintenance procedures, management of change, emergency plans, etc.
Maintenance of SIS
• Planning the proof tests
• Writing the proof test procedures
• How to perform the tests?
– On-line vs off-line
• What is the coverage of the tests?
– How to test impulse lines?
• Document the proof test results – why?
– Company/site device database.
Management Of Change
• 21% of incident causes due to changes after commissioning!
• Must be a formal process
• Is the change necessary?
• Impact assessment, (mini risk evaluation)
• Document the process
• Execute the change, (within the safety lifecycle).
Management of Functional Safety
• Addresses the impact of failures due to human actions
• Define safety lifecycle activities
• Define roles and responsibilities
• Communicate
• Ensure competence of persons
• Verify and validate activity deliverables
HSE accident causes (as before): Specification 44%, Design & Implementation 15%, Installation & Commissioning 6%, Operation & Maintenance 15%, Changes after Commissioning 21%
Adoption of the FS Standards
• IEC 61508 has been adopted in the UK as BS EN 61508, with the “EN” indicating adoption also by the European electrotechnical standardisation organisation CENELEC.
• COMAH Assessment: The report should state which standard these systems have been designed to. If the standard claimed is not a currently recognised relevant standard such as BS IEC 61511 or BS EN 61508, then a justification for this should be included in the report.
• COAL MINE HEALTH AND SAFETY REGULATION 2006 NSW Govt. Interpretation: “electrical and mechanical control systems [and safeguards] are designed in accordance with established functional safety and machinery safeguarding concepts. Refer: AS 61508, AS 62061 and AS 4024”.
• Buncefield Recommendation 1: The Competent Authority and operators of Buncefield type site should develop and agree a common methodology to determine safety integrity level (SIL) requirements for overfill prevention systems in line with the principles set out in Part 3 of BS EN 61511.
• HSE recognises BS IEC 61511 as relevant good practice for safety functions implemented by safety instrumented systems in the Process Industry sector in the context of assessing compliance with the law in individual cases and the use of good practice.
Functional Safety Summary
• It's not rocket science.
• It's good engineering common sense:
– Establish what safety performance you need,
– Design to achieve the performance targets,
– Maintain the systems so that the performance levels are ensured throughout the system life.
• Risk is managed without over-engineered solutions
• Cuts out weak-link designs
• Addresses human error.
Thank-you
Any questions?
Backup Slides
Case Study – Deepwater Horizon
• BP owned oil production platform suffers explosion and sinks
– 11 persons dead
– Asset loss >USD 500 million
– Environmental: catastrophic
– Reputation: ???
• Process fluids in seabed well head cause overpressure.
• Blowout Preventers failed or not activated?
• Questions to be answered:
– How good were the Blowout Preventers?
– How good did they need to be?
– Were procedures followed?
API-14C is a prescriptive standard. Safety performance targets are not specified.
Systematic Faults
A single systematic fault can cause failure in multiple channels of an identical redundant system.
REDUNDANCY IS NOT A PROTECTION AGAINST SYSTEMATIC FAILURES!
Early example: A bad command was sent into a redundant DCS through a “Foreign Computer Interface.” The command caused a controller to lock up trying to interpret the command. The diagnostics detected the failure and forced switchover to a redundant unit. The bad command was sent to the redundant unit which promptly locked up as well.
Competency Requirements in the Standards
• “…ensuring that applicable parties involved in any of the overall E/E/PE or software safety lifecycle activities are competent to carry out activities for which they are accountable.”
-IEC 61508, Part 1, Paragraph 6.2.1 (h)
• “Persons, departments, or organizations involved in safety lifecycle activities shall be competent to carry out the activities for which they are accountable.”
-IEC 61511, Part 1, Paragraph 5.2.2.2
• SIL Determination tool; supports:
– Risk Graph
– Risk Matrix
– Frequency Based Target, (quantitative)
• Safety Requirements Specification
– Template
• SIL Verification
– Built-in equipment reliability database
• Extensive reporting
[Figure: the lifecycle phases Analyse, Realise and Operate, all under Management of Functional Safety.]
Safety Requirements Specification
• Objective
– Specify all requirements of SIS needed for detailed engineering and process safety information purposes
• Tasks
– Identify and describe safety instrumented functions
– Document SIL
– Document action taken – Logic, Cause and Effect Diagram, etc.
– Document associated parameters – timing, maintenance/bypass requirements, etc.
[Figure: step 6, Document SIS / SIF Requirements, producing the Safety Requirements Specification - Functional Description of each Safety Instrumented Function, Target SIL, Mitigated Hazards, Process parameters, Logic, Bypass/Maintenance requirements, Response time, etc. To Realization.]
SIF Verification Task
[Figure: 7d. Reliability and Safety Evaluation takes the Safety Requirements Specification (Safety Function Requirements including target SIL), Manufacturer’s Failure Data and the Failure Data Database as inputs and produces PFDavg, RRF, MTTFS and SIL achieved.]
SIF Design Options
[Figure: 7d. Reliability and Safety Evaluation compares PFDavg, RRF, MTTFS and SIL achieved against the Safety Requirements Specification (Safety Function Requirements including target SIL).]
If the SIF verification shows that the SIL level has not been achieved by the proposed design, a number of options are available to the designer:
1. Re-evaluate the SIL requirement by adding other layers of protection, etc.
2. Reduce the proof test interval – this may involve provisions for on-line testing.
3. Choose equipment with better safety ratings – lower dangerous failure rate or better diagnostics.
4. Change the architecture by adding more redundancy.
Validation
• Objectives
– Verify that the SIS functions according to design requirements.
• Tasks
– Verify operation of field instruments
– Validate logic and operation
– Verify SIL of installed equipment
– Produce required documentation – Certifications if required
[Figure: 12. Validation: Pre-startup Safety Review. VALIDATION spans INSTALLATION, FAT, SAT / SIT, COMMISSIONING, Functional Safety Assessment and START UP.]
Periodic Proof Testing
• Objectives
– Verify that the SIS continues to function according to design requirements and detect otherwise hidden failures
• Tasks
– Verify operation of field instruments
– Validate logic and operation
– Document results of all periodic testing
[Figure: 14. SIS startup, operation, maintenance, Periodic Functional Tests]
exida Certification S.A. in Switzerland, Geneva
Exida founded an independent certification company in Geneva, Switzerland, the home of IEC.
Certifications are issued by independent assessors and auditors.
Swiss Quality reputation.