SIS / ESD Systems for Process Industries using IEC 61508: Unit 7 SIL Selection
Post on 20-Jan-2016
Slide 1
EIT: E-Cert SS: Unit 7 Instrument Selection
EIT Safety Instrumentation E-Learning
SAFETY INSTRUMENTED SYSTEMS &
EMERGENCY SHUTDOWN SYSTEMS
for Process Industries
using IEC 61511 and IEC 61508
Unit 7: SIL Instrument Selection
www.eit.edu.au
Version for EQO26: 7 November 2012
Presented by Dave Macdonald,
EIT Cape Town South Africa
Contact E-mail: [email protected]
Slide 2
Introduction to Chapter 7: Practical selection of sensors and actuators for safety duties
■ Impact on SIS Reliability
■ Types of Sensors and Actuators
■ Failure modes and causes
■ Separation, redundancy, diversity, diagnostics
■ Device Selection Issues: What IEC 61511 requires + Common sense
■ Technologies: Safety certified instruments and fieldbus
Knowledge of the rules + Experience... if you can get it!
Slide 3
Key Points about Sensors and Actuators
◆ Sensors and Actuators remain the most critical reliability items in an SIS
◆ Separation, diversity and redundancy are critical issues.
◆ Safety related instruments must have a proven record of performance. IEC 61508 / 61511 have specific requirements
◆ Logic solver intelligence and communications power will help to provide diagnostic capabilities to assist field device reliability
◆ Failure modes and common cause issues are potential problems for intelligent instruments
Slide 4
IEC 61511 and other guidance sources
■ Instrument practice for safety systems: well established
■ ISA S84.01 Appendix B: obsolete standard but still relevant.
■ IEC 61511 specifics defined in clause 11.5 and 11.6 of part 1.
■ Gruhn & Cheddie ISA Textbook; chapter 9
IEC 61511-1 Paragraph 11.5: Requirements for selection of components and subsystems
■ 11.5.2.1 Components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with 11.4 and 11.5.3 to 11.5.6, as appropriate
(Callouts on the slide: "Certified compliant to IEC 61508" against the first route; "Fault tolerance" and "Prior use justification" against the second route)
Slide 5
Sensors and Actuators Dominate Reliability Issues
• PES logic solvers benefit from auto-diagnostics.
• The field devices taken together contribute 97% of the PFD for this example.
• The PFD figures for the field devices are affected by environmental conditions and maintenance factors.
Table 7.1 Typical Reliability Table
Item | Fail to Danger Rate / yr | PFD avg (3 month proof test) | PFD avg % of total
Input sensor loop | 0.05 | 0.006 | 32
SIL 3 Logic Solver PLC | – | 0.0005 | 3
Output Actuator loop (Solenoid + valve) | 0.1 | 0.0125 | 65
Totals | | 0.019 (SIL 1) | 100
Slide 6
Bus connected safety certified instruments
Foundation Fieldbus
Profi-safe
ASI-Safety Bus
See Session 5
Slide 7
Advantages of Analog Transmitters Over Switches
• Good reliability and accuracy
• Signal present at all times…improved SFF
• Potential for diagnostics, easier to detect faults
• Possible to compare signal with other parameters
• Trending and alarming available
• Multiple set points
• Competitive pricing
• Rationalized spares
Slide 8
Potential Causes of Failures in Sensors
• Components of the instrument
• Process connection
• Fouling/corrosion/process fluids/clogging
• Wiring
• Environmental: Process/Climate/Electrical
• Specification/range/resolution
• Response time
• Power supplies
• Intrinsic safety barriers
• Calibration/testing/left on test/isolated
Slide 9
Final Control Elements or Actuators
Figure 7.4 (diagram): SIS logic driving two kinds of final element: an electrical drive trip (motor M on 380 V ac power, acting through the drive interlocks) and a process valve trip.
Slide 10
E-Stop operation with VSD/Inverter Drive
(Diagram labels): E-Stop command; Safety Relay K1; Relay K1 time delayed reset; Drive controller; Power; Motor M; Stop Category 1; Safety Control Category 2.
Slide 11
Potential Causes of Failures in Final Elements
· Components of the actuator, positioner, mechanical failures of springs
· Process connection/leaks. Mechanical distortion of pipes causing stress in valve
· Valve internal faults due to: fouling or corrosion by process fluids/jamming/sticking/leaking
· Wiring to solenoids
· Pneumatics/venting failures
· Environmental: physical impacts/fire/freezing or icing up.
· Solenoid valves sticking or blocking
Slide 12
General Requirements for Fail-safe Operation
◆ Sensor contacts closed during normal operation
◆ Tx signals go to trip state upon failure (normally < 4 mA)
◆ Broken wire = trip
◆ Output contacts closed and energized for normal operation
◆ Final trip valves go to trip (safe) position on air failure
◆ Drives go to stop on trip or SIS signal failure
Slide 13
For an instrument to qualify for SIL target
(Flowchart labels): Analog or switch → Prior Use (SIL 1 or 2; SIL 3 requires assessment and a safety manual) or Build to IEC 61508 HW & SW; Smart tx → Certify to IEC 61508; Apply IEC 61511 limitations; and PFD must satisfy SIL target.
Slide 14
Sharing of Sensors with BPCS
Do not share sensors because it:
◆ Violates the principles of independence
◆ Creates a high level of common cause failure
◆ Does not create a separate layer of protection
◆ Does not provide secure maintenance
Slide 15
Figure 7.5 (diagram): boiler steam drum with one level transmitter LT 1 feeding both the level controller LIC 1 on the feed water supply and the low level switch LSL in the SIS logic solver that gives the boiler trip.
Snap question: What is wrong with this safety trip design?
Snap question: Draw a better arrangement
Slide 16
Figure 7.5 cont. Separate Sensors for Control and Trip: Acceptable
(Diagram): LT 1 feeds LIC 1 on the feed water supply; a separate LT 2 feeds the LSL in the SIS logic solver for the boiler trip.
Slide 17
Fault Tree Analysis for Boiler Low Level Trip (Figure 7.6)
Trip fails on demand: PFD = 0.1/2 × 0.5 = 0.025 (level transmitter fail-to-danger rate 0.1/yr, proof test interval 0.5 yr)
Shared Sensor:
  Boiler Damage = Low level and NO TRIP: 0.105/yr
    = OR of: LT-1 fails high, no trip, LIC causes low level: 0.1/yr
             FW fails and no trip: 0.005/yr = AND of: FW fails 0.2/yr, trip fails on demand 0.025
Separate Sensor:
  Boiler Damage = Low level and NO TRIP: 0.0075/yr
    = AND of: Low level 0.3/yr, LT-2 fails high / trip fails on demand 0.025
      Low level 0.3/yr = OR of: FW fails 0.2/yr, LT-1 fails high, LIC-1 causes low level 0.1/yr
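The two trees of Figure 7.6 worked through in code, as an added example that is not part of the EIT slides; the rates are the ones printed on the slide and the function names are my own.

```python
"""Figure 7.6 fault trees for the boiler low level trip: shared vs separate sensor.

Added example, not course material. Rates are per year as printed on the slide:
feed water (FW) failure 0.2/yr, a level transmitter failing high 0.1/yr,
proof test interval 0.5 yr. A 1oo1 trip channel has PFDavg = rate x Ti / 2.
"""

FW_FAILS_PER_YR = 0.2        # feed water supply fails: a demand on the trip
LT_FAILS_HIGH_PER_YR = 0.1   # any one level transmitter fails reading high
PROOF_TEST_INTERVAL_YR = 0.5


def pfd_1oo1(fail_danger_rate: float, ti: float) -> float:
    """Single channel PFDavg (Slide 60 formula): rate x Ti / 2."""
    return fail_danger_rate * ti / 2


def shared_sensor_hazard_rate(fw: float = FW_FAILS_PER_YR,
                              lt_high: float = LT_FAILS_HIGH_PER_YR,
                              ti: float = PROOF_TEST_INTERVAL_YR) -> float:
    """Shared LT-1 (Figure 7.5): one instrument feeds both the LIC and the trip.

    Branch 1 (OR): LT-1 fails high. The LIC sees a high reading and drives the
    level low, and the trip sees the same wrong reading so it can never act:
    every such failure becomes a boiler damage event, rate lt_high.
    Branch 2 (AND): FW fails (a demand) while the single LT-1 trip channel is
    sitting in a dangerous failed state (its PFD).
    """
    trip_pfd = pfd_1oo1(lt_high, ti)       # 0.1/2 x 0.5 = 0.025
    return lt_high + fw * trip_pfd         # 0.1 + 0.2 x 0.025 = 0.105 /yr


def separate_sensor_hazard_rate(fw: float = FW_FAILS_PER_YR,
                                lt_high: float = LT_FAILS_HIGH_PER_YR,
                                ti: float = PROOF_TEST_INTERVAL_YR) -> float:
    """Separate LT-2 for the trip (Figure 7.5 cont.).

    Demand rate (OR): FW fails, or LT-1 fails high and the LIC causes low level.
    Hazard (AND): a demand coincides with LT-2 being dangerously failed.
    """
    demand_rate = fw + lt_high             # 0.2 + 0.1 = 0.3 /yr
    trip_pfd = pfd_1oo1(lt_high, ti)       # LT-2 fails high: 0.025
    return demand_rate * trip_pfd          # 0.3 x 0.025 = 0.0075 /yr


def risk_reduction_factor(hazard_rate: float, demand_rate: float) -> float:
    """RRF = D / H, the effective risk reduction the trip delivers."""
    return demand_rate / hazard_rate


if __name__ == "__main__":
    demand = FW_FAILS_PER_YR + LT_FAILS_HIGH_PER_YR
    for name, h in (("shared sensor", shared_sensor_hazard_rate()),
                    ("separate sensor", separate_sensor_hazard_rate())):
        print(f"{name:16s} H = {h:.4f}/yr  RRF = {risk_reduction_factor(h, demand):.1f}")
```

The same demand set gives an RRF of about 3 with the shared transmitter and 40 with a separate one, which is the point of the two snap questions on Slide 15.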
Slide 18
Separation Rules: Field Sensors IEC 61511 part 2: 11.2.4
• Sharing of sensor between SIS and BPCS only allowed if safety integrity targets can be met. This would require sensor diagnostics and is only likely to be possible for SIL 1
• Separate sensor is allowed to be copied to BPCS via isolator
• SIL 2, 3 and 4 normally require separate sensors with redundancy
• SIL 3 and 4 normally require separation and diverse redundancy
Slide 19
Separation Rules: Final Elements IEC 61511 part 2: 11.2.4
• A single valve may be used for both BPCS and SIS but is not recommended if valve failure places a demand on the SIS.
• Normally a shared valve can only be used if diagnostic coverage and reaction time are sufficient to meet safety integrity requirements
• Recommendations for a single valve application
• SIL 2 and SIL 3 normally require identical or diverse separation. Diversity not always desirable
Slide 20
Arrangement for Tripping of Shared Control Valve: SIL 1
Figure 7.7 (diagram): the BPCS drives control valve FV through positioner FY; the SIS trips the same valve through a solenoid valve on the air supply (A/S), direct acting, direct mounted, de-energise to vent actuator. Check hazard demands due to valve.
Slide 21
Diverse Separation of Control and Shutdown Valves SIL 2 and SIL 3
Figure 7.8 (diagram): BPCS control valve (positioner FY, air supply A/S) separate from the SIS shutdown valve. Check hazard demands due to valve.
Slide 22
Sensor Diagnostics
♦ Do not confuse with proof testing
♦ Compare trip transmitter value with related variables. Not often practicable
♦ Use safety transmitters... if available
♦ Use smart transmitters with diagnostic alarm... but see next
Slide 23
Valve Diagnostics
Assurance that a trip valve will respond correctly when needed
• Freedom of movement, full travel
• Correct venting of actuator
• Correct rate of response
• Absence of sticking
• Trip signals and solenoid all working
Slide 24
Methods for Valve Diagnostics
• On–line trip testing
• Discrepancy alarm
• Position feedback – response testing
• Partial closure testing – manual or automatic
• Smart positioners – certified safety positioner
Slide 25
IEC Architectural Constraints as per IEC 61508
◆ IEC 61508 places an upper limit on the SIL that can be claimed for any safety function on the basis of the fault tolerance of the subsystems that it uses.
♦ Limit is a function of
  ♦ the HW fault tolerance
  ♦ the safe failure fraction
  ♦ the degree of confidence in the behaviour under fault conditions
Details in IEC 61508 part 2
Slide 26
IEC 61508 Classification of Equipment
◆ IEC defines two types of equipment for use in safety systems:
  ♦ Type A: Simple devices: non-PES, e.g. limit switch, level float switch, analogue circuits.
  ♦ Type B: Complex devices: including PES, e.g. smart transmitters, digital communications, processor based systems.
Fault tolerance rating of B is less than A except under certain conditions
Slide 27
IEC 61511-1 Table 6: Minimum hardware fault tolerance of sensors, final elements and non-PES logic
SIL | Minimum HW Fault Tolerance
1 | 0
2 | 1
3 | 2
4 | Special requirements: See IEC 61508
The following summarized conditions apply for SIL 1, 2 and 3:
Increase FT by 1 if instrument does not have fail safe characteristics
Decrease FT by 1 if instrument meets 4 conditions:
• Predominantly fail safe
• Prior Use (Proven in use)
• Limited device adjustment (process parameters only)
• Password protected
Alternatively tables 2 and 3 of IEC 61508 may be applied with an assessment
Slide 28
Example for Level Switch: Extract from device's safety manual
Slide 29
Example for Level Switch: Extract from safety manual
Slide 30
Example for Level Switch: Extract from safety manual
Slide 31
Redundancy Options
Table 7.4
Sensor or Actuator Configuration | Selection
1oo1 | Use if both PFD and FT and nuisance trip targets are met.
1oo2 | 2 sensors installed, 1 required to trip. PFD value improved, nuisance trip rate doubled.
2oo3 | 3 sensors installed, 2 required to trip. PFD improved over 1oo1, nuisance trip rate dramatically reduced.
Slide 32
Common Cause Failures in Sensors
♦ Wrong specification
♦ Hardware or circuit design errors
♦ Environmental stress
♦ Shared process connections
♦ Wrong maintenance procedures
♦ Incorrect calibrators
Slide 33
Comments on Redundancy in Sensors
Be careful to analyze for common cause faults, e.g. try to avoid this:
Figure 7.10 (diagram): redundant pressure transmitters PT 1A and PT 1B feeding the SIS, shown as the arrangement to avoid.
Slide 34
Comments on Diverse Redundancy in Sensors
Where measurement is the problem use diverse redundancy, e.g. steam or ammonia overpressure protection.
Figure 7.11 (diagram): temperature transmitter TT 01 and pressure transmitter PT 01 both feeding the SIS.
Slide 35
Requirements for Device to be "Proven-in-use"
• Evidence that the instrument is suitable for SIS
• Consider manufacturer's QA systems
• PES devices need extra validation
• Performance record in a similar profile
• Adequate documentation
• Volume of experience, > 1 yr exposure per case.
Collect the records of every maintenance event per instrument.
Slide 36
The approved safety instrument list
• Each instrument that is suitable for SIS
• Update and monitor the list regularly
• Add instruments only when the data is adequate
• Remove instruments from the list when they let you down
• Adequate details: Include the process application
Key job for maintenance team
Slide 37
Additional requirements for smart transmitters and actuators:
Details in IEC 61511 11.5.4 for devices with "Fixed Programming Languages" (FPLs)
Extra for SIL 3
• Formal assessment... low probability of failure in planned application.
• Appropriate standards used in build
• Consider manufacturer's QA systems
• Must have a safety manual
Slide 38
HART Transmitter With Diagnostic Input
Figure 7.12 (diagram): smart transmitter → 4-20 mA + FSK data → AI of the SIS logic solver; HART interface → status alarm → DI of the SIS logic solver; hand held programmer connected to the loop. FSK = Frequency Shift Keyed
Slide 39
Example of a Safety Critical Transmitter (Figure 7.14)
Slide 40
Benefits of a Safety Certified Transmitter:
• Internal diagnostics with high coverage factor
• Very low PFDavg values. Saves on proof testing etc.
• Certified for single use in SIL 2 (instead of dual channel)
• Certified for dual redundant use in SIL 3 (instead of 1oo3)
• End user verification is simplified
Slide 41
Importance of the Safety Manual
The safety manual presents all the essential information and set-up conditions that must be followed to allow the instrument to be validated for any given application.
The manual also supplies the failure rates summary and expected PFDavg.
Compliance with safety manual requirements must be demonstrated in the validation phase.
See examples of safety manuals and FMEDA reports
Slide 42
Importance of the Safety Certificate
The safety certificate is issued by the testing body to clearly define what products have been tested and what standards and limitations have been applied in the evaluation.
The safety certificate is an essential document for the validation phase.
See examples of Safety Certificates: 3051C and Rex Radar
Testing Authorities include:
TUV Rheinland
Exida.com
Any recognized testing body that can show competency in the SIS field.
Note: Exida specializes in certifying instruments claiming "prior use" qualification. Reports supply SFF and failure rate data with a declaration of the fault tolerance requirements relevant to IEC 61511. See examples.
Slide 43
Field Devices Summary
Instruments must be well proven for safety with an assessment report or certified SIL capable to IEC 61508.
• Intelligent instruments treated as PES
• Separation, Redundancy, Diversity, Diagnostics
• Diagnostic Coverage via Smarts or Logic Solver
• Bus technology established and growing.
Slide 44
EIT EQO26: Unit 8 Reliability Analysis
EIT Safety Instrumentation E-Learning
SAFETY INSTRUMENTED SYSTEMS & EMERGENCY SHUTDOWN SYSTEMS for Process Industries using IEC 61511 and IEC 61508
Unit 8: Reliability Analysis
Version for EQO26: 7 November 2012
Presented by Dave Macdonald, EIT Cape Town South Africa
Contact E-mail: [email protected]
Slide 45
Introduction to Chapter 8: Reliability Analysis of the SIS
The task of measuring or evaluating the SIS design for its overall safety integrity
• Reasons and objectives
• Resolving the SIS into reliability block diagrams
• Identification of formulae
• Trial calculation examples
• Calculation software tools
IEC 61511 requires reliability analysis be done for each SIF to show that SIL target and RRF can be achieved. Why?
www.eit.edu.au Slide 46
• Because it tells everyone what RRF can be expected from each
individual safety function.
• It confirms the basis of the design and the chosen proof test
interval
• Compares the calculated RRF for your design with the target to
show you can achieve the target.
• To predict the accident rate: H events/yr = Demand Rate (D) x
PFDavg or H = D/ RRF
Slide 47
Terminology
RRF: Risk Reduction Factor (e.g. 200)
SIL: Safety Integrity Level (depends on RRF; see SIL Tables)
D: Demand rate on Safety Function (how often the SIF is demanded to respond to a hazard condition)
H: Hazardous event rate (also called accident rate) (e.g. 0.1/yr = 1 in 10 years)
PFDavg: Average probability of failure on demand of the SIF
Slide 48
Terminology
MTTFd: Mean time to fail dangerously (= 1/λd)
MTTFs: Mean time to fail safe (or spurious) (= 1/λs)
MTTRd: Mean time to detect and repair a dangerous fault
Ti: Time interval between proof tests
λdd: Failure rate for dangerous detectable faults
λdu: Failure rate for dangerous undetectable faults (requires proof testing)
λsd: Safe revealed failure rate (causes spurious trip or loss of affected safety channel)
Slide 49
Risk Reduction Factor and PFDavg
(PFDavg = average probability of failure on demand)
PFDavg is a function of:
1. Failure rate per hour for undetected faults: λdu
2. Test interval: Ti
3. Redundancy (1oo1, 1oo2, 2oo3, etc)
Compare PFDavg with the target PFDavg for the SIL range we need.
RRF = 1/PFDavg
Slide 50
Snap Question: Why is PFD so useful to know?
1. Because it can tell you the accident event rate: H = Demand Rate × PFDavg
2. Because it helps you decide the SIL of your design: PFDavg defines the SIL range for the design (in terms of resistance to random hardware failures)
Slide 51
Failure scenario for an Untested SIF
(Timeline of the state of the process over a mission time marked 1 yr, 2 yr): operating safely → unrevealed dangerous fault occurs → operating but not protected → hazardous condition occurs (demand) → reportable accident.
Slide 52
Low Demand Mode: Proof Tested SIF repaired before demand
(Timeline of the state of the process, proof tests at 0.5 yr and 1 yr): operating safely → unrevealed dangerous fault occurs → operating but not protected → proof test reveals fault → fault repaired → hazardous condition occurs (demand) → accident prevented.
Slide 53
Low Demand Mode: Proof tested SIF but failure on demand
(Timeline of the state of the process, proof tests at 0.5 yr and 1 yr): operating safely → unrevealed dangerous fault occurs → operating but not protected → demand occurs before next proof test → failure (to respond) on demand → reportable accident occurs.
Slide 54
Diagnostic + Proof Tested SIF
(Timeline of the state of the process, mission time marked 1 yr, 2 yr; diagnostic test typically 100 times/day; proof test for undetected faults): operating safely → detectable dangerous fault occurs → diagnostic test reveals fault → fault detected & repaired → accident prevented.
PFDavg = MTTD&R × fail danger rate
Slide 55
Low Demand Mode versus High Demand Mode
• Low demand mode applies when the demand on the SIS is equal to or less than once per year (IEC 61511). Alternatively no more than two demands per proof test interval.
• Low demand calculations use PFDavg.
• Hazard event rate H = D × PFDavg
• High demand mode applies when the demand on the SIS is more than once per year (IEC 61511). Alternatively more than two demands per proof test interval.
• High demand mode calculations use PFH, probability of dangerous failure per hour.
• Hazard event rate H = PFH
(High demand also known as continuous mode)
Slide 56
Low Demand Mode Application
(Diagram): pressure surge once per year (D) → pressure relief trip (SIS); accident occurs if a dangerous fault is undetected before the surge occurs.
Accident rate H = D × PFDavg, provided the test interval is shorter than 1 year or diagnostics detect faults quickly.
Example: If PFDavg = 0.05 and D = 1: H = 0.05/yr
Slide 57
High Demand Mode Application
(Diagram): brake applied 100 times per day → electronic braking controls (SIS); accident occurs as soon as the brake circuit fails.
Accident rate = probability of failure/hr of the EBC = failure rate per hour of the SIS
Example: If PFH = 0.0001/hr, H = 0.0001/hr of service. If the machine is used for 5000 hrs/yr, accident rate = 0.5/yr.
Slide 58
Design Iteration for Target PFD in Low Demand Mode
(Flowchart): Set Target PFD (SRS defines the Risk Reduction Factor; PFD = 1/RRF) → Evaluate Solution PFD → Calculated PFD < Target PFD? No: Revise Design and evaluate again. Yes: Acceptable, Proceed to Detail Design.
Slide 59
Elements and terms in the SIS model
(Diagram): Demand Rate D → Protective System (SIS) → Hazard Event Rate H
PFD avg. = H/D = 1/(Risk Reduction Factor), with the SIL1, SIL2 and SIL3 bands marked
Sensor (PFD1) → Logic (PFD2) → Actuator (PFD3), D in, H out
Overall PFD = PFD1 + PFD2 + PFD3
Slide 60
Single Channel Basic calculation of PFD
(Diagram): one channel with fail to danger rate λdu
If the fail to danger rate is λdu and the proof test interval is Ti:
PFDavg = λdu × Ti/2 (failure rate/yr × mean time to detect)
Example: Fail to danger rate = 0.05 per year, Ti = 1 year
PFDavg = 0.05 × ½ = 0.025 (SIL 1)
How is this formula obtained?
Slide 61
Hazard Rate v Demand Rate showing low and high demand modes
(Graph of hazard event rate H against demand rate D): H = λd (1 − e^(−D·Ti/2))
Demand mode, D × Ti << 1: Accident Rate H = Demand Rate (D) × PFDavg of SIS
Continuous mode, D × Ti > 1: Accident Rate H = fail rate λd = PFH of SIS
Slide 62
Effect of Manual Proof Testing... leading to average probability of failure on demand:
(Graph): p(t), the probability of being failed when a demand occurs, rises from 0 as p(t) = λd·t and is reset to 0 by each proof test action at Ti, 2Ti, ...; its average value over an interval gives
PFDavg = λd·Ti/2
Slide 63
SIS Failure Modes
Overt Failures: Spurious Trip Rate λS = 1/MTBFsp. Loss of production; trips plant unless 2oo3 or 2oo2 voting. Spurious trips arise from λS + λDD (where detected dangerous faults are tripped).
Covert Failures: Dangerous Failure Rate λD = 1/MTTFD, split by diagnostic coverage C:
  λDD = C·λD, detectable by self diagnostics
  λDU = (1 − C)·λD, undetectable except by manual proof testing
Slide 64
Example: Find the Safe and Dangerous Failure Modes
(Diagram): SIS high level trip with logic solver; level transmitters LT 1 and LT 2, level controller LC 1 with I/P converter and control valve FC on the fluid feed, relief valve PSV, air supply AS.
Assume out of range detection provided (forcing a trip)
Device | Fail modes/yr | λsp | λdu | λdd
LE connection | Bottom blocked: 0.1; Top leaks: 0.2 | | |
LT electronics | Runs low: 0.05; Runs high: 0.02 | | |
Cable | Breaks: 0.01; Shorts across LT: 0.1 | | |
Power | Lost power: 0.02 | | |
Totals for sensor sub system | | | |
(λsp, λdu, λdd columns to be filled in)
Slide 65
1oo1 SIS Formulae: Single Channel SIS Fail Rates
Overt Failures: Spurious Trip Rate λS = 1/MTBFsp (loss of production; trips plant unless 2oo3 or 2oo2 voting)
Covert Failures: Dangerous Failure Rate λD = 1/MTTFD; λDD = C·λD detectable by self diagnostics; λDU = (1 − C)·λD detectable by manual proof testing; C = coverage
PFD1 = λDD × MTTR
PFD2 = λDU × Ti/2
SP Trip Rate = λS + λDD
Slide 66
1oo2 SIS Formulae: Dual Channel SIS Fail Rates
(Same failure mode split as Slide 65: λDD = C·λD by self diagnostics, λDU = (1 − C)·λD by manual proof testing, C = coverage)
PFD1 = 2(λDD)²(MTTR)²
PFD2 = (λDU·Ti)²/3
SP Trip Rate = 2(λS + λDD)
Slide 67
Formula sets
(The failure mode split of Slide 65 annotated with where each term is evaluated in Fig 8.6): Formula set 1 in Fig 8.6 for the spurious trip rate λS (overt failures); Formula set 2 in Fig 8.6 for λDD = C·λD (PFD due to diagnostics); Formula set 3 in Fig 8.6 for λDU = (1 − C)·λD (PFD due to proof test).
Slide 68
Figure 8.6: Multi-channel Formula Sets for PFD and λs (excluding common mode failures)
Overt failures: spurious trip rate λs = 1/MTBFsp. Covert failures: dangerous failure rate λd = 1/MTTF, with λDD = DC·λD (detectable by self diagnostics) and λDU = (1 − DC)·λD (detectable by manual proof testing).
Voting | Formula set 1: spurious trip rate | Formula set 2: PFD due to diagnostics (if detected but not tripped) | Formula set 3: PFD due to proof test
1oo1 | λs | λDD·(MTTR) | λDU·(Ti/2)
1oo2 | 2λs | 2(λDD)²(MTTR)² | (λDU·Ti)²/3
2oo2 | 2(λs)²(MTTR) | 2λDD·(MTTR) | λDU·Ti
2oo3 | 6(λs)²(MTTR) | 6(λDD)²(MTTR)² | (λDU·Ti)²
Slide 69
Sources of Reliability Data
Reliability Handbook (Sintef PDS): http://www.sintef.no/Projectweb/PDS-Main-Page/PDS-Handbooks/
Sintef: http://www.sintefbok.no/Product.aspx?sectionId=65&productId=559&categoryId=10
Also see:
1. exida.com
2. Manufacturers' Safety manuals for specific SIL certified instruments
3. Faradip 3 Database
4. exida.com: Safety Automation Equipment List.. Functional Safety Assessment Reports http://www.exida.com/index.php/resources/sael/
Slide 70
Dual Channel Basic calculation of PFD (Note: λdd omitted for clarity)
(Diagram): two channels, each with fail to danger rate λdu
If the fail to danger rate is λdu and the proof test interval is Ti:
PFDavg = (λdu × Ti)²/3
Example: If fail to danger rate = 0.05 per year, Ti = 1 year
PFDavg = (0.05 × 1)²/3 = 0.00083 (SIL 3)
But this ignores common cause and is unrealistic
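Where the single channel formula of Slide 60 and the dual channel formula of Slide 70 come from, as an added derivation that is not on the slides. It assumes a constant λdu, channels restored to as-new at each proof test, and λdu·Ti ≪ 1 so that 1 − e^(−λdu·t) ≈ λdu·t.

$$
p(t) = 1 - e^{-\lambda_{du} t} \approx \lambda_{du}\, t, \qquad 0 \le t < T_i
$$

$$
\text{1oo1:}\quad PFD_{avg} = \frac{1}{T_i}\int_0^{T_i} \lambda_{du}\, t \, dt = \frac{\lambda_{du} T_i}{2}
$$

$$
\text{1oo2 (both independent channels failed, } p^2\text{):}\quad PFD_{avg} = \frac{1}{T_i}\int_0^{T_i} (\lambda_{du} t)^2 \, dt = \frac{(\lambda_{du} T_i)^2}{3}
$$

$$
\text{2oo3 (any two of three failed, } \approx 3p^2\text{):}\quad PFD_{avg} = \frac{1}{T_i}\int_0^{T_i} 3(\lambda_{du} t)^2 \, dt = (\lambda_{du} T_i)^2
$$

With λdu = 0.05/yr and Ti = 1 yr these give 0.025, 0.00083 and 0.0025, which are the proof-test column (formula set 3) of Fig 8.6; the β-factor versions on Slides 73 and 74 apply the same expressions to (1 − β)λdu and add the common cause part as a 1oo1 term, β·λdu·Ti/2.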
Slide 71
Beta Factor: Common Cause Failures in redundant SIS channels
(Diagram) Example: 2oo3 sensor with common cause failures. Unit failures: (1 − β)λd in each of the three channels; common cause failures: βλd.
Slide 72
Formulae Sets with Common Cause Factor included
Slide 73
Dual Channel Basic calculation of PFD inc Common Cause 5% (Note: λdd omitted for clarity)
(Diagram): two channels, each with (1 − β)λdu, plus a common cause block βλdu
If the fail to danger rate is λdu and the proof test interval is Ti:
PFDavg = ((1 − β)λdu × Ti)²/3 + βλdu × Ti/2
Example: Fail to danger rate = 0.05 per year, Ti = 1 year, β = 5%
PFDavg = (0.95 × 0.05 × 1)²/3 + (0.05 × 0.05 × ½) = 0.002 (SIL 2)
Slide 74
2oo3 Channel Basic calculation of PFD inc Common Cause 5%
(Diagram): three channels, each with (1 − β)λd, plus a common cause block βλd
If the fail to danger rate is λdu and the proof test interval is Ti:
PFDavg = ((1 − β)λdu × Ti)² + βλdu × Ti/2
Example: Fail to danger rate = 0.05 per year, Ti = 1 year, β = 5%
PFDavg = (0.95 × 0.05 × 1)² + (0.05 × 0.05 × ½) = 0.0035 (SIL 2)
Slide 75
Formulae Sets with Common Cause Factor included
Sl
ide 76
Calculation Table for PFDavg: Worked example for 1oo1 (failures per year)
Formula for calculating PFDavg for 1oo1: PFDavg = (λDU × Ti/2) + (λDD × MTTR)
Parameter | Value | Notes
λDU | 0.0500 | Dangerous undetected failure rate for one channel
λDD | 0.1000 | Dangerous detected failure rate for one channel
Ti in yrs | 1.0000 | Proof test interval
MTTR in yrs | 0.0027 | Mean time to detect and repair a detectable fault
(λDU × Ti/2) | 2.50E-02 | Undetected portion
(λDD × MTTR) | 2.74E-04 | Detected portion
PFD for 1oo1 subsystem | 2.53E-02 | SIL Table: SIL 1
Slide 77
Calculation Table for PFDavg: Worked example for 1oo1 (failures per hour)
Formula for calculating PFDavg for 1oo1: PFDavg = (λDU × Ti/2) + (λDD × MTTR)
Parameter | Value | Notes
λDU | 5.71E-06 | Dangerous undetected failure rate for one channel
λDD | 1.14E-05 | Dangerous detected failure rate for one channel
Ti in hrs | 8760 | Proof test interval
MTTR in hrs | 24 | Mean time to detect and repair a detectable fault
(λDU × Ti/2) | 2.50E-02 | Undetected portion
(λDD × MTTR) | 2.74E-04 | Detected portion
PFD for 1oo1 subsystem | 2.53E-02 | SIL Table: SIL 1
Slide 78
Formatted Calculation Table for PFDavg: Worked example for 1oo2
(Diagram): two channels, each with (1 − β)λd, plus a common cause block βλd
Formula for calculating PFDavg for 1oo2:
PFDavg = (1/3)((1 − β)λDU × Ti)² + 2((1 − β)λDD × MTTR)² + β(λDU × Ti/2) + β(λDD) × MTTR
Safecalc: λD = 1.71, % safe = 0, C = 66%
Parameter | Value | Notes
λDU | 5.71E-06 | Dangerous undetected failure rate for one channel
λDD | 1.14E-05 | Dangerous detected failure rate for one channel
β | 0.1000 | Common cause factor for dangerous and safe failures
Ti in hrs | 8760 | Proof test interval
MTTR in hrs | 24 | Mean time to detect and repair a detectable fault
(1/3)((1 − β)λDU × Ti)² | 6.75E-04 | Undetected voting portion
2((1 − β)λDD × MTTR)² | 1.18E-07 | Detected voting portion
β(λDU × Ti/2) | 2.50E-03 | Undetected common portion
β(λDD) × MTTR | 2.70E-05 | Detected common portion
PFD for 1oo2 subsystem | 3.20E-03 |
Slide 79
Formatted Calculation Tables for PFDavg: Worked example for 2oo3
(Diagram): three channels, each with (1 − β)λd, plus a common cause block βλd
Formula for calculating PFDavg for 2oo3:
PFDavg = ((1 − β)λDU × Ti)² + 6((1 − β)λDD × MTTR)² + β(λDU × Ti/2) + β(λDD) × MTTR
Parameter | Value | Notes
λDU | 5.71E-06 | Dangerous undetected failure rate for one channel
λDD | 1.14E-05 | Dangerous detected failure rate for one channel
β | 0.1000 | Common cause factor for dangerous and safe failures
Ti in hrs | 8760 | Proof test interval
MTTR in hrs | 24 | Mean time to detect and repair a detectable fault
((1 − β)λDU × Ti)² | 2.03E-03 | Undetected voting portion
6((1 − β)λDD × MTTR)² | 3.54E-07 | Detected voting portion
β(λDU × Ti/2) | 2.50E-03 | Undetected common portion
β(λDD) × MTTR | 2.70E-05 | Detected common portion
PFD for 2oo3 subsystem | 4.55E-03 |
Slide 80
SIS Analysis Model Example
(Block diagram): Sensor → Logic → Actuator, demand D in, hazard H out
Failure rates λd or MTTF: sensor λd1 = 0.2 (5 yrs), logic λd2 = 0.02 (50 yrs), actuator λd3 = 0.1 (10 yrs)
Apply testing or diagnostics: proof testing (sensor), auto diagnostics (logic), proof testing (actuator)
Apply calculation. PFD averages: 0.01 + 0.005 + 0.01
Overall PFD avg. = 0.025 = 2.5E-2. Qualifies for SIL 1 (E-1 to E-2)
Slide 81
SIS Analysis: Step 1
(Diagram): Demand Rate D → Protective System (SIS) → Hazard Event Rate H; Sensor → Logic → Actuator with SIL labels SIL 2, SIL 1, SIL 1 shown beneath the three stages and SIL 1 for the function as a whole.
Slide 82
SIS Analysis: Step 2, identify channels in each stage
Example: Dual channel sensors and actuators, single channel logic
(Diagram): Sensor 1oo2D → Logic 1oo1D → Actuator 1oo2, D in, H out
Slide 83
SIS Analysis: Step 3, expand details for each single channel
Expand detail of sensor sub system and apply fail rates for each item
(Diagram): Sensor 1oo2D, Logic 1oo1D; one sensor channel expanded into Process Connection → Transmitter → Cable and Power
SIS Analysis: Step 4: Decide λDU, λDD and λS for the elements. Step 5: Enter the values in the table and totalize
[Diagram: each element of the sensor channel carries its own rates: Process Connection λDU1, λDD1, λSD1; Transmitter λDU2, λDD2, λSD2; Cable and Power λDU3, λDD3, λSD3]
Subsystem element table (all rates per hour):
Element Device λSD/hr λSU/hr λDD/hr λDU/hr
1 Process connection 1.14E-05 0.00E+00 5.71E-06 3.42E-06
2 Transmitter 1.14E-05 0.00E+00 5.71E-06 5.71E-07
3 Cable and Power 1.14E-05 0.00E+00 5.71E-06 3.42E-06
(rows 4 and 5 unused)
Subsystem totals 3.42E-05 0.00E+00 1.71E-05 7.42E-06
SIS Analysis: Step 6, find the PFDavg for the 1oo2 subsystem
β = common cause failure fraction
[Diagram: 1oo2 sensor pair feeding the 1oo1 logic. Each channel carries the independent rate (1-β)λd; the pair shares a common cause path β λd for failures common to Ch1 and Ch2 sensors.]
Redundant section:
PFDavg = 2((1-β)λDD)²(MTTR)² + ((1-β)λDU Ti)²/3
Common cause section:
PFDavg = β λDD MTTR + β λDU Ti/2
Subsystem PFDavg = redundant section + common cause section
Break out the common cause failure fraction for the redundant channels, calculate the PFD for each portion and add them together
SIS Analysis: Step 7, repeat steps 3 to 6 for each stage
Example: Dual channel sensors and actuators, single channel logic
[Diagram: Sensor 1oo2 → Logic 1oo1 → Actuator 1oo2]
SIS PFDavg = PFDavg for sensors + PFDavg for logic solver + PFDavg for actuators
SIS Analysis: Example
Example: Dual channel sensors and actuators, single channel logic. 1 yr test (Ti = 1 yr), all rates per year. The 0.00013 term below implies MTTR = 24 hrs for the logic solver, as in the earlier tables.
Sensors (1oo2): λDU = 0.05, β = 5%; per channel (1-β)λDU = 0.0475, common cause β λDU = 0.0025
Logic solver (1oo1D): λDU = 0.0025, λDD = 0.0475, C = 95%
Actuators (1oo2): λDU = 0.1, β = 10%; per channel (1-β)λDU = 0.09, common cause β λDU = 0.01
Dual Sensors PFD = 0.0475²/3 + 0.0025/2 = 0.00075 + 0.00125 = 0.002
Logic solver PFD = 0.0475 × 24/8760 + 0.0025/2 = 0.00013 + 0.00125 = 0.00138
Dual Actuators PFD = 0.01/2 + 0.09²/3 = 0.005 + 0.0027 = 0.0077
SIS PFD = 0.002 + 0.0014 + 0.0077 = 0.0111 or 1.11E-2 = SIL 1
SIS Analysis: Example using the EIT Calculator
File name: EIT GP SIL Calculator.xls. Data Input Table for Sensor Subsystem
Proof Test Interval in hrs (Ti) 8760
Common cause factor (β) 5%
Mean Time To Test & Repair in hrs (MTTR) 24
Element Device λSD/hr λSU/hr λDD/hr λDU/hr
1 Sensor all components 1.14E-05 0.00E+00 0.00E+00 5.71E-06
(rows 2 to 5 unused)
Subsystem totals 1.14E-05 0.00E+00 0.00E+00 5.71E-06
Calculation results for Sensing
Safe Failure Fraction 66.7%
Diagnostic coverage 0.0%
PFDavg for 1oo1 2.50E-02
PFDavg for 1oo2 2.00E-03
PFDavg for 2oo3 3.51E-03
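The worked tables for 1oo2 and 2oo3 (slide 79) and the EIT Calculator results above all come from the same handful of formulas, so a small calculator is the natural way to check them and to see which portion dominates. The following is an added example written for these notes; it is not the EIT GP SIL Calculator spreadsheet or any other course material. It implements the slide formulas exactly: the independent portion with (1-β) applied to each channel, the common cause portion with β, and the steps 4 to 6 totalizing of element rates. The class and function names (Channel, sum_elements, pfd_1oo1, pfd_voted, sil_for_pfd) are this example's own choices, and the element rates are copied from the slide 84 table.

```python
"""PFDavg of 1oo1, 1oo2 and 2oo3 subsystems with the beta-factor split used
on the slides (simplified IEC 61508-6 style formulas). Added worked example,
not the EIT GP SIL Calculator itself. Rates per hour, Ti and MTTR in hours,
beta as a fraction (0.05 means 5%)."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Channel:
    """Failure rates (per hour) of one complete channel or one element."""
    l_sd: float = 0.0  # safe detected
    l_su: float = 0.0  # safe undetected
    l_dd: float = 0.0  # dangerous detected
    l_du: float = 0.0  # dangerous undetected

    def total(self) -> float:
        return self.l_sd + self.l_su + self.l_dd + self.l_du

    def safe_failure_fraction(self) -> float:
        # SFF = (safe + dangerous detected) / all failures
        return (self.l_sd + self.l_su + self.l_dd) / self.total()

    def diagnostic_coverage(self) -> float:
        # DC = dangerous detected / all dangerous failures
        l_d = self.l_dd + self.l_du
        return self.l_dd / l_d if l_d else 0.0


def sum_elements(elements) -> Channel:
    """Step 5: series elements of one channel add rate by rate."""
    return Channel(
        l_sd=sum(e.l_sd for e in elements), l_su=sum(e.l_su for e in elements),
        l_dd=sum(e.l_dd for e in elements), l_du=sum(e.l_du for e in elements))


def pfd_1oo1(ch: Channel, ti_hrs: float, mttr_hrs: float) -> float:
    """Single channel: an undetected fault lies hidden for Ti/2 on average,
    a detected one for the repair time."""
    return ch.l_du * ti_hrs / 2 + ch.l_dd * mttr_hrs


def pfd_voted(ch: Channel, ti_hrs: float, mttr_hrs: float, beta: float,
              voting: str) -> dict:
    """Step 6: split the architecture into an independent (voting) portion and
    a common cause portion and add them. The portions are returned so the
    dominant term is visible; the sum is under 'pfd'."""
    du = (1 - beta) * ch.l_du * ti_hrs    # independent undetected exposure
    dd = (1 - beta) * ch.l_dd * mttr_hrs  # independent detected exposure
    if voting == "1oo2":
        vote_du, vote_dd = du ** 2 / 3, 2 * dd ** 2
    elif voting == "2oo3":
        vote_du, vote_dd = du ** 2, 6 * dd ** 2  # three 1oo2 pairs
    else:
        raise ValueError(f"unsupported voting {voting!r}")
    common_du = beta * ch.l_du * ti_hrs / 2
    common_dd = beta * ch.l_dd * mttr_hrs
    return {"undetected_voting": vote_du, "detected_voting": vote_dd,
            "undetected_common": common_du, "detected_common": common_dd,
            "pfd": vote_du + vote_dd + common_du + common_dd}


def sil_for_pfd(pfd: float) -> int:
    """Low demand SIL band for a PFDavg; 0 means outside the SIL 1 to 4 bands."""
    for lo, hi, sil in ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3),
                        (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)):
        if lo <= pfd < hi:
            return sil
    return 0


# Inputs taken from the slides (constructed here as Channel objects).
SENSOR_ELEMENTS = [  # slide 84 element table, rates per hour
    Channel(l_sd=1.14e-5, l_dd=5.71e-6, l_du=3.42e-6),  # process connection
    Channel(l_sd=1.14e-5, l_dd=5.71e-6, l_du=5.71e-7),  # transmitter
    Channel(l_sd=1.14e-5, l_dd=5.71e-6, l_du=3.42e-6),  # cable and power
]
SLIDE79 = Channel(l_dd=1.14e-5, l_du=5.71e-6)  # beta 10%, Ti 8760 h, MTTR 24 h
SLIDE88 = Channel(l_sd=1.14e-5, l_du=5.71e-6)  # beta 5%, no diagnostics


def slide79_results() -> dict:
    return {v: pfd_voted(SLIDE79, 8760, 24, 0.10, v)["pfd"] for v in ("1oo2", "2oo3")}


def slide88_results() -> dict:
    out = {"sff": SLIDE88.safe_failure_fraction(),
           "dc": SLIDE88.diagnostic_coverage(),
           "1oo1": pfd_1oo1(SLIDE88, 8760, 24)}
    out.update({v: pfd_voted(SLIDE88, 8760, 24, 0.05, v)["pfd"] for v in ("1oo2", "2oo3")})
    return out


if __name__ == "__main__":
    totals = sum_elements(SENSOR_ELEMENTS)
    print(f"sensor channel totals: lDD={totals.l_dd:.2e}/h lDU={totals.l_du:.2e}/h")
    for name, res in (("slide 79", slide79_results()), ("slide 88", slide88_results())):
        for key, val in res.items():
            band = f" (SIL {sil_for_pfd(val)})" if key in ("1oo1", "1oo2", "2oo3") else ""
            print(f"{name} {key}: {val:.3g}{band}")
```

Running it reproduces 3.20E-03 and 4.55E-03 for the slide 79 tables and 2.50E-02 / 2.00E-03 / 3.51E-03 with SFF 66.7% for the calculator screen. The breakdown returned by pfd_voted makes the practical point of the tables visible: with β = 10% the common cause term is about three quarters of the 1oo2 result and more than half of the 2oo3 result, so beyond 1oo2 the architecture buys little unless β itself is reduced (separation, diversity) or Ti is shortened.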
IEC Table of PFDs relevant to Figure 8.16
Honeywell Safecalc example relevant to fig 8.16
SIS Analysis: Example Calculation for Spurious Trip
Example: Dual channel sensors and actuators, single channel logic
Sensor: MTTF = 5 years, 75% safe failure fraction, C = 0%, β = 10%, Ti = 0.5 yrs, MTTR = 8 hrs
Logic: MTTF = 10 years, 50% safe failure fraction, C = 95%, β = 10%, Ti = 1 yr, auto diagnostics test interval = 2 secs, MTTR = 24 hrs
Actuator: MTTF = 2 years, 80% safe failure fraction, C = 0%, β = 10%, Ti = 0.25 yrs, MTTR = 24 hrs
Sensor: single channel λs = 1/5 × 0.75 = 0.15/yr
Logic: single channel λs = 1/10 × 0.5 = 0.05/yr; λdd = C × λd = 95% × 0.05 = 0.0475/yr
Actuator: single channel λs = 1/2 × 0.8 = 0.4/yr
SIS Analysis: Example Calculation for Spurious Trip
Example: Dual channel sensors and actuators, single channel logic
Spurious trip rate for 1oo1 (logic solver): ST = λS + λDD
Parameter Logic Notes
λS 0.05 Fail safe rate
λDD 0.0475 DD rate added due to 95% coverage (a detected dangerous fault trips the solver to the safe state)
Total for 1oo1 subsystem 0.0975 Spurious trip rate per yr
Spurious trip rate for 1oo2 (sensors and actuators): ST = 2(1-β)(λS + λDD) + β(λS + λDD)
Parameter Sensor Logic Actuator Notes
λS 0.15 0 0.4 Fail safe rate
λDD 0 0 0 DD rate (C = 0%, no diagnostic coverage on sensors or actuators)
β 0.1 0 0.1 Common cause factor
2(1-β)(λS + λDD) 0.27 0 0.72 1oo2 portion
β(λS + λDD) 0.015 0 0.04 Common portion
Total for 1oo2 subsystem 0.285 0 0.76 Spurious trip rate per yr
Overall Spurious Trip Rate = 0.285 + 0.0975 + 0.76 = 1.1425 per yr
SIS Analysis: Example, Spurious Trip Rate
Example: Dual channel sensors and actuators, single channel logic
[Diagram: Sensor 1oo2 → Logic 1oo1 → Actuator 1oo2. Each sensor channel (1-β)λs = 0.135/yr with common cause β λs = 0.015/yr; logic 0.05/yr; each actuator channel (1-β)λs = 0.36/yr with common cause β λs = 0.04/yr.]
Dual Sensors spurious trip rate = (2 × 0.135) + (1 × 0.015) = 0.285 ≈ 0.28 trips per yr
Logic solver spurious trip rate = 0.05 + 0.0475 = 0.097 trips per yr
Dual Actuators spurious trip rate = (2 × 0.36) + (1 × 0.04) = 0.76 trips per yr
Spurious trip rate = 0.28 + 0.097 + 0.76 = 1.14 trips per year
Reducing Spurious Trip Rate
Design Version A: 1oo2 sensors, λs = 0.15/yr per channel
Dual Sensors spurious trip rate = 2 × 0.15 = 0.30 trips per yr
Design Version B: 2oo3 sensors, β = 10%, so (1-β)λs = 0.135/yr per channel and β λs = 0.015/yr; MTTR = 8 hrs
2oo3 Sensors spurious trip rate = 6((1-β)λs)² MTTR + β λs = (6 × 0.135² × 8/8760) + 0.015
= 0.0001 + 0.015
= 0.015 trips per yr
From 0.3 per year to 0.015 per year
If 1 trip costs AUD 50 000 the annual saving is what? ……………………………….
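The spurious trip calculation on slides 91 to 94 is the mirror image of the PFD calculation: the same β split, but now it is the safe failures (and, for a 1oo1D logic solver, the detected dangerous ones) that matter, and for 2oo3 the two independent channels have to fail safe within one repair time. The following is an added example for these notes, not course material or the EIT calculator, covering 1oo1, 1oo2 and 2oo3 with the slide inputs. The names channel_rates, spurious_1oo1, spurious_1oo2, spurious_2oo3 and annual_trip_cost are this example's own; the MTTF, SFF, coverage and β values are those stated on slide 91, and the cost per trip is the AUD 50 000 figure from slide 94.

```python
"""Spurious (safe) trip rate of an SIS built from 1oo1, 1oo2 and 2oo3
subsystems, following the slide formulas. Added worked example, not course
material. Rates are per year; MTTR in hours; beta as a fraction."""

HOURS_PER_YEAR = 8760.0


def channel_rates(mttf_years: float, sff: float, coverage: float) -> dict:
    """Split one channel's total rate 1/MTTF into safe, dangerous detected and
    dangerous undetected parts (per year) from SFF and diagnostic coverage C."""
    l_total = 1.0 / mttf_years
    l_s = sff * l_total
    l_d = l_total - l_s
    l_dd = coverage * l_d
    return {"l_s": l_s, "l_dd": l_dd, "l_du": l_d - l_dd}


def spurious_1oo1(l_s: float, l_dd: float) -> float:
    """Every safe failure trips. A detected dangerous failure trips too when the
    solver is set to drive its outputs to the safe state on detection (1oo1D)."""
    return l_s + l_dd


def spurious_1oo2(l_s: float, l_dd: float, beta: float) -> float:
    """1oo2: either independent channel trips the pair, plus the common part."""
    lam = l_s + l_dd
    return 2 * (1 - beta) * lam + beta * lam


def spurious_2oo3(l_s: float, l_dd: float, beta: float, mttr_hrs: float) -> float:
    """2oo3: two independent channels must both be failed safe at once. Three
    pairs, either order, second failure within the first one's repair time:
    6 lam^2 MTTR. The common cause part trips all three regardless."""
    lam = l_s + l_dd
    indep = (1 - beta) * lam
    return 6 * indep ** 2 * (mttr_hrs / HOURS_PER_YEAR) + beta * lam


def annual_trip_cost(trips_per_year: float, cost_per_trip: float) -> float:
    return trips_per_year * cost_per_trip


# Slide 91 inputs (constructed here from the stated MTTF, SFF and coverage).
SENSOR = channel_rates(5, 0.75, 0.0)     # l_s 0.15/yr, no diagnostics
LOGIC = channel_rates(10, 0.50, 0.95)    # l_s 0.05/yr, l_dd 0.0475/yr
ACTUATOR = channel_rates(2, 0.80, 0.0)   # l_s 0.40/yr, no diagnostics
BETA = 0.10


def slide92_total() -> dict:
    """Dual sensors 1oo2, single logic 1oo1, dual actuators 1oo2."""
    sensors = spurious_1oo2(SENSOR["l_s"], SENSOR["l_dd"], BETA)
    logic = spurious_1oo1(LOGIC["l_s"], LOGIC["l_dd"])
    actuators = spurious_1oo2(ACTUATOR["l_s"], ACTUATOR["l_dd"], BETA)
    return {"sensors": sensors, "logic": logic, "actuators": actuators,
            "total": sensors + logic + actuators}


def slide94_comparison(cost_per_trip: float = 50_000.0) -> dict:
    """Design A: 1oo2 sensors, 2 x l_s with the beta split ignored as on the
    slide. Design B: 2oo3 sensors with an 8 hour MTTR."""
    design_a = 2 * SENSOR["l_s"]
    design_b = spurious_2oo3(SENSOR["l_s"], SENSOR["l_dd"], BETA, 8)
    return {"design_a": design_a, "design_b": design_b,
            "annual_saving": annual_trip_cost(design_a - design_b, cost_per_trip)}


if __name__ == "__main__":
    for stage, rate in slide92_total().items():
        print(f"{stage}: {rate:.4f} trips/yr")
    cmp = slide94_comparison()
    print(f"1oo2 sensors {cmp['design_a']:.3f}/yr, 2oo3 sensors {cmp['design_b']:.4f}/yr, "
          f"saving AUD {cmp['annual_saving']:,.0f} per year")
```

The function returns show the trade-off the two slides are making: going from 1oo2 to 2oo3 on the sensors removes the independent term almost entirely (it is second order in λs and scaled by MTTR/8760), leaving the common cause β λs as the floor. Sensor separation and diversity therefore pay twice, once in PFDavg and once in spurious trips. Note also that the 2oo3 result is only as good as the 8 hour MTTR: the term grows linearly with repair time, so a 2oo3 group whose first safe failure goes unrepaired for weeks degrades toward 1oo2 behaviour.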
Outcomes of a Reliability Study
• Show whether or not the SIS will satisfy the SIL target
• Overall SIS Probability of Failure on Demand (PFDavg)
• PFDavg for each section of the SIS
• Show benefits of redundancy or voting schemes
• Decide the proof testing intervals
• Predict the accident rate
Conclusions on Analysis Models
• Models help to visualise SIS performance
• Software speeds up analysis
• IEC 61508 part 6 - methods and tables
• Fault tree analysis for detailed systems
Supplementary notes on Low Demand Mode versus High Demand Mode (also known as continuous mode)
■ Low demand mode applies when the demand on the SIS is equal to or less than once per year (IEC 61511). Alternatively, no more than two demands per proof test interval.
■ Low demand calculations use PFDavg.
■ Hazard event rate H = D × PFDavg
■ High demand mode applies when the demand on the SIS is more than once per year (IEC 61511). Alternatively, more than two demands per proof test interval.
■ High demand mode calculations use PFH (the same as the failure to danger rate).
■ Hazard event rate H = PFH
High v Low Demand Calculation
[Diagram: PSH (high pressure switch) → SIS → power to the pump; HP safety trip]
SIS: λd = 0.05/yr and Ti = 1 yr:
PFDavg = 0.05 × ½ = 0.025, and
PFH = 0.05/8760 = 5.7E-06/hr
Suppose the demand rate D is once per year and the overpressure event rate = H/yr
In low demand mode calculation H = D × PFDavg, so H = 1 × 0.025 = 0.025/yr
In high demand mode calculation H = PFH, so H = 5.7E-06/hr = 0.05/yr
High v Low Demand Calculation (continued)
Same SIS: λd = 0.05/yr and Ti = 1 yr:
PFDavg = 0.05 × ½ = 0.025, and
PFH = 0.05/8760 = 5.7E-06/hr
Suppose the demand rate D is once per day (365/yr) and the overpressure event rate = H/yr
In low demand mode: H = D × PFDavg, so H = 365 × 0.025 = 9.1/yr
In high demand mode: H = PFH, so H = 5.7E-06/hr = 0.05/yr
A hazard rate of 9.1/yr exceeds the dangerous failure rate of 0.05/yr, which is impossible: the SIS cannot cause more hazards than it has dangerous failures. With a demand every day the SIS is in high demand mode and the PFH form applies; the low demand formula is only valid when demands are rare compared with the proof test interval.
Event rate calculation according to low or high demand mode
SIS has failures at PFD = 0.01, PFH = 0.02/yr (2.28E-06/hr)
Demand on SIS D, hazardous event rate H:
D = 0.1/yr …………………………………….. H = ? /yr
D = 1.0/yr …………………………………….. H = ? /yr
D = 10.0/yr …………………………………….. H = ? /yr
D = 100/yr …………………………………….. H = ? /yr
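The supplementary notes and the two pump examples above reduce to a mode test followed by one of two formulas, and the mistake they warn against is applying the low demand formula once demands are frequent. The following is an added example for these notes, not course material; hazard_rate, is_low_demand, pfd_avg_1oo1 and pfh_per_hr are this example's own names. It applies the IEC 61511 once-per-year test and, as an assumption of this example, also requires the "no more than two demands per proof test interval" condition the slides give as an alternative, so that an unusually long proof test interval cannot make a frequent demand count as low. It returns both formulas' values so the misapplied one can be seen next to the correct one.

```python
"""Hazard event rate H from the demand rate D according to the SIS demand mode.
Added worked example, not course material. Rates per year unless noted;
Ti in hours; the SIS is a single channel with dangerous rate lambda_d and
no diagnostics, as in the pump example."""

HOURS_PER_YEAR = 8760.0


def is_low_demand(d_per_yr: float, ti_hrs: float) -> bool:
    """IEC 61511: demand no more than once per year. This example also insists
    on no more than two demands per proof test interval (the slides' alternative
    criterion) so both conditions must hold before PFDavg is used."""
    demands_per_ti = d_per_yr * ti_hrs / HOURS_PER_YEAR
    return d_per_yr <= 1.0 and demands_per_ti <= 2.0


def pfd_avg_1oo1(lambda_d_per_yr: float, ti_hrs: float) -> float:
    """Low demand measure: average fraction of time a hidden dangerous fault
    is present, lambda_d x Ti / 2."""
    return lambda_d_per_yr * (ti_hrs / HOURS_PER_YEAR) / 2


def pfh_per_hr(lambda_d_per_yr: float) -> float:
    """High demand measure: the dangerous failure rate itself, per hour."""
    return lambda_d_per_yr / HOURS_PER_YEAR


def hazard_rate(d_per_yr: float, lambda_d_per_yr: float, ti_hrs: float) -> dict:
    """Pick the mode and compute H (per year). Both formulas are returned so the
    effect of using the wrong one is visible: in high demand mode the product
    D x PFDavg overstates H, and can even exceed lambda_d, which is impossible."""
    pfd = pfd_avg_1oo1(lambda_d_per_yr, ti_hrs)
    pfh = pfh_per_hr(lambda_d_per_yr)
    h_low = d_per_yr * pfd                 # low demand: H = D x PFDavg
    h_high = pfh * HOURS_PER_YEAR          # high demand: H = PFH, per year
    low = is_low_demand(d_per_yr, ti_hrs)
    return {"mode": "low demand" if low else "high demand",
            "pfd": pfd, "pfh": pfh,
            "H": h_low if low else h_high,
            "H_low_formula": h_low, "H_high_formula": h_high}


if __name__ == "__main__":
    # Pump overpressure trip from the slides: lambda_d 0.05/yr, proof test yearly.
    for demand in (1.0, 365.0):
        r = hazard_rate(demand, 0.05, 8760)
        print(f"D={demand:g}/yr -> {r['mode']}: H={r['H']:.3g}/yr "
              f"(low formula {r['H_low_formula']:.3g}, high formula {r['H_high_formula']:.3g})")
```

For the yearly demand the function returns H = 0.025/yr, for the daily demand it switches to high demand mode and returns H = 0.05/yr while showing 9.1/yr as the value the low demand formula would have given. The same function answers the exercise on the last slide once PFD and PFH are substituted for the pump values.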