Published by XAVIER LEFEBVRE, modified over 2 years ago
Slide 1: What is SIL?
19.06.2023, P. Lerévérend

Slide 2: Why protective functions?
Slide 3: Why protective functions? What is an accident?
"Accidents are the invasion of the unprepared by the unexpected." (G. C. Eltenton)
Slide 4: What does the law say?
Slide 5: Example: Directive 96/82/EU "Seveso II"
Control of major-accident hazards involving dangerous substances; limit their consequences for man and the environment.
Slide 6: Major accidents
The operator:
- takes all measures necessary to prevent major accidents and to limit their consequences for man and the environment;
- is required to prove to the competent authority that all the necessary measures have been taken.
(Photo: Seveso, source: dpa)
Slide 7: Prevention policy
Member States must require the operator to produce a safety report for the purposes of:
- demonstrating that a major-accident prevention policy and a safety management system have been put into effect;
- demonstrating that major-accident hazards have been identified and that the necessary measures have been taken to prevent such accidents and to limit their consequences;
- demonstrating that adequate safety and reliability have been incorporated into the design, construction, operation and maintenance of any installation, storage facility, equipment and infrastructure connected with its operation which are linked to major-accident hazards inside the establishment.
?
Slide 8: Technical realisation
Adequate safety and reliability of the protective system:
- proven in use
- state of the art
- best possible technology
Slide 9: Proven in use?
(Photo: Wang LOCI-2, Alexander Spitzmüller)
Slide 10: Best possible technology?
Slide 11: Validation of new technology
A new standard was developed, derived from older standard proposals (some of them from Germany: DIN V 19250 / 251, DIN V 0801). This standard describes the new tools that are required in order to validate complex programmable electronic systems. There are technical and (mostly) management-related requirements. The focus of this standard is Electrical/Electronic/Programmable Electronic Systems (E/E/PES).
Slide 12: Purpose of the safety system: risk reduction
Slide 13: Risk reduction?
Slide 14: Tolerable risk (gas industry, GB)
Slide 15: Risk reduction?
Slide 16: Identify the risk: HAZOP, for example
Slide 17: Quantify the risk: risk graph, for example
C = Consequence
A = Frequency and exposure time
G = Possibility to avoid the hazard
W = Probability of the unwanted occurrence
(Risk graph branches C1, C2, C3, C4)
Slide 18: Result of the risk analysis
The Safety Requirements Specification describes:
- what the purpose of the safety-related function is (description of the function)
- how "good" this safety-related function must be ("quality" of the function)
Slide 19: SIL in the IEC 61508 SRS
SRS = Safety Requirements Specification
Question 1: How to get the SIL requirements?
Question 2: How to verify the SIL of a function?
Slide 20: Risk reduction: SIL 1, SIL 2, SIL 3
Slide 21: Focus of the standard: What are the causes of accidents?
Slide 22: Root causes of accidents
(Chart values: 12.5%, 8.3%, 70.9%; categories: equipment failure, lacking equipment, poor maintenance, process safety management)
Ref: Health and Safety Executive, clause 6.2 of Contract Research Report 139/1997, "Explosions in gas-fired plant", United Kingdom 1997
Slide 23: Process safety management
Failure sources (control systems): specification
Slide 24: New approach: IEC/EN 61508 and derivatives
- quality management system
- failure rates leading to different failure probabilities
- structure requirements
- low or high demand mode
- attribution of a SIL or PL to the whole safety-related function
Slide 25: IEC/EN 61508 Functional safety: safety-related system
Safety integrity level 4, 3, 2, 1
IEC/EN 61508 defines an integrity level through management requirements and qualitative and quantitative reliability requirements.
Slide 26: Process industry sector: relationship of IEC 61511 and IEC 61508
Process sector safety system standards (Safety Instrumented Systems):
- designers, integrators and users: IEC 61511
- manufacturers and suppliers of devices: IEC 61508
Both are linked through the SIL.
Slide 27: Nuclear, railway and medical sectors
- IEC/EN 61513: Nuclear power plants - Instrumentation and control for systems important to safety - General requirements for systems (SIL)
- EN 50126: Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) (SIL)
- EN 50128: Railway applications - Software for railway control and protection systems (SIL)
- EN 50129: Railway applications - Safety related electronic systems for signalling (SIL)
- IEC/EN 62304: Medical device software - Software life cycle processes (SIL)
Slide 28: Evolution of the international standardisation: machinery industry sector
- IEC 62061: Safety of machinery - Functional safety - Electrical, electronic and programmable electronic control systems (SIL)
- ISO/IEC 13849-1 (EN 954, adapted to the requirements of IEC/EN 61508): Safety of machinery - Safety related parts of control systems - Part 1: General principles for design (PL…)
Slide 29: Overall safety lifecycle (IEC 61508 figure)
Analysis:
1 Concept
2 Overall scope definition
3 Hazard and risk analysis
4 Overall safety requirements
5 Safety requirements allocation
Overall planning:
6 Overall operation and maintenance planning
7 Overall safety validation planning
8 Overall installation and commissioning planning
Realisation:
9 Safety-related systems: E/E/PES, realisation (see E/E/PES safety lifecycle)
10 Safety-related systems: other technologies, realisation
11 External risk reduction facilities, realisation
12 Overall installation and commissioning
13 Overall safety validation
14 Overall operation, maintenance and repair
15 Overall modification and retrofit (back to the appropriate overall safety lifecycle phase)
16 Decommissioning or disposal
Slide 30: New management requirements
Goal: avoidance of failures during specification, design, development, production, installation and commissioning of safety-related systems.
Requires:
- specifying the management and technical activities during the individual phases of the overall safety lifecycle;
- specifying the responsibilities of the persons, departments and organisations responsible for each phase or for activities within each phase of the safety lifecycle.
65%
Slide 31: New requirements explained 1 (IEC)
SIL: safety integrity level, including management and technical requirements, always attributed to a complete function
Failure rate: failures per time unit (usually per hour)
Low demand mode: the safety function is activated no more than once a year
High demand mode: the safety function is activated more than once a year
Slide 32: New requirements explained 2 (IEC)
PFDavg: average probability of dangerous failure of a component or complete safety-related function in the low demand mode
PFHavg: average dangerous failure rate of a component or complete safety-related function in the high demand mode
SFF: safe failure fraction, ratio of the safe failures to all the failures
DC: diagnostic coverage, the fraction of dangerous failures detected by an integrated automatic diagnostic
HFT: hardware fault tolerance, ability of a safety-related system to perform its function in spite of one or more defective channels
CCF: common cause failure, a failure which is the result of one or more events causing coincident failures of two or more separate channels
Slide 33: SIL claim limit
A component, subsystem or system does not have a SIL on its own. Such devices have a "SIL limitation effect" (SIL claim limit). This SIL claim limit is determined by two aspects of the component, subsystem or system: the architectural constraints and the probability of dangerous failures.
Slide 34: Safe / dangerous failures: example of safety-related pressure monitoring
Example: overpressure detection with a 4 to 20 mA output. Assume the dangerous situation is I_out more than 10 mA.
- safe detected: output stuck high, more than 21 mA: failure detection in the SPLC, plant in safe condition, spurious trip
- safe undetected: output stuck high, less than 20.5 mA and more than 10 mA: SPLC will react, plant in safe condition, spurious trip
- dangerous detected: output stuck low, less than 3.6 mA: failure detection in the SPLC, plant in safe condition, spurious trip
- dangerous undetected: output stuck low, more than 3.8 mA and less than 10 mA: SPLC does not react, dangerous trip
Slide 35: Safe failure fraction SFF
Failure categories: safe detected (λ_SD), safe undetected (λ_SU), dangerous detected (λ_DD), dangerous undetected (λ_DU); architecture.
SFF = (Σλ_SD + Σλ_SU + Σλ_DD) / (Σλ_SD + Σλ_SU + Σλ_DD + Σλ_DU)
Safe failure fraction SFF: the fraction of the failures which do not have the potential to put the safety-related system into a hazardous state.
Slide 36: Hardware fault tolerance
A hardware fault tolerance of N means that N+1 faults could lead to a loss of the safety function.
(Figure: K1, K2: HFT = 1)
Slide 37: Hardware safety integrity: subsystem type A
- the failure modes of all components are well defined, and
- the behaviour of the subsystem under fault conditions can be completely determined, and
- sufficient dependable failure data from field experience show that the claimed rates of failure for detected and undetected dangerous failures are met
Slide 38: Type A architectural constraints (simple components)
Fault detection, fault control: one SIL (structure)
Slide 39: Hardware safety integrity: subsystem type B
- the failure mode of at least one component is not well defined, or
- the behaviour of the subsystem under fault conditions cannot be completely determined, or
- there are insufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met
Slide 40: Type B architectural constraints (complex components)
Slide 41: We have to compute!?
Slide 42: PFD variables
PFDavg = f(λDU, T, β, MTTR)
λDU = undetected dangerous failure rate (device documentation)
T = test interval (plant maintenance schedule)
β = common cause failure factor (instrumentation "culture"; usually assumed to be 5% for field apparatus and 2% for SPCS, see manufacturer documentation)
MTTR = mean time to repair: repair time on detected failures (usually set to 8 hours)
Slide 43: Failure rate, "bath tub curve"
The failure rate λ is the relative number of failures per time slice (e.g. 3% / year or 7 ppm / hour).
Slide 44: Failure rate, MTTF, MTBF, MTTR
Example: an employee over time: failure (disease), healthy again, failure (disease).
MTTF = Mean Time To Failure
MTTR = Mean Time To Repair
MTBF = Mean Time Between Failures
MTBF = MTTF + MTTR
Slide 45: Failure rate, "bath tub curve"
Example: λ (30-year-old man) = 7.73·10^-4 1/a
Slide 46: MTBF = 1/λ
What is the MTBF of a 30-year-old man?
Slide 47: MTBF = 1/λ: MTBF of a 30-year-old man
MTBF (30-year-old) = 1 / 7.73·10^-4 1/a = 1293.7 years
Only valid for constant failure rates!
Slide 48: F(t) ≈ λt for λt << 1
PFD vs. λ
Slide 49: Considering the safety function
The relevant value is the dangerous undetected failure rate λDU.
PFDavg for a test interval T1:
PFD(t) = λDU·t for λDU·t << 1
PFDavg = ½ λDU·T1 for λDU·T1 << 1
Slide 50: PFD as a function of time
Slide 51: We have to compute!
Logic solver PFDavg; sensor system PFDavg (sensor); actuator system PFDavg (actuator).
PFDavg,total = ?
Slide 52: Probability calculations
AND: What is the probability of throwing a six with dice A and with dice B?
P(A and B) = P(A) · P(B), if A and B are statistically independent
OR: What is the probability of throwing a six with dice A or with dice B?
P(A or B) ≈ P(A) + P(B), if P(A) and P(B) are very small
Precisely: P(A or B) = P(A) + P(B) - P(A) · P(B)
One SIL (probability of failure): the subsystems are combined by OR, so PFDavg,total is the sum of the subsystem values: PFDavg,total = PFDavg(sensor) + PFDavg(logic solver) + PFDavg(actuator)
Slide 53: Performance requirements
Failure probability:
- failure rate: failure rate of a channel in a subsystem
- target failure measure PFDavg: average probability of failure on demand of a safety function or subsystem, also called probability of failure on demand (per year)
- target failure measure PFHavg: average dangerous failure rate of a safety function or subsystem (per hour)
Slide 54: Target failure measures (low and high demand): PFDavg, PFH
Slide 55: We have to compute!
Common cause failures (β): logic solver PFDavg; two sensor systems PFDavg (sensor); two actuator systems PFDavg (actuator), i.e. redundant channels.
PFDavg,total = ?
Slide 56: We have to compute!
Formula for the calculation of the PFD of a 1oo2 structure according to IEC 61508 part 6.
Slide 57: Formulas
In Part 6 of IEC 61508, for the different structures: 1oo1, 1oo2, 2oo2, 2oo3, 1oo2D
Slide 58: Using a tool
Tools on the market: SILENCE (Hima), SILVER (Exida), Trac (ABB)
Slide 59: Simplifying the formulae
PFD = Probability of Failure on Demand (acc. to VDI/VDE 2180)
Slide 60: Summary
- failure rates λDU
- failure rates λS, λDD
- probability of failure, PFD (PFH)
- hardware fault tolerance HFT, architectural constraints
- safe failure fraction SFF
- safety integrity level SIL
- diagnostic coverage DC
Slide 61: SIL assessment example
Architectural constraints: SIL 3. PFDavg budget split 10% / 90%. SIL 3 for a test interval up to 5 years.
Slide 62: Storage tank for liquefied gas
Storage tank for liquefied gas with a level control loop, alarming included, on the DCS.
Slide 63: Structure: alarm on the DCS
Slide 64: Risk analysis
C = Consequence
A = Frequency and exposure time
G = Possibility to avoid the hazard
W = Probability of the unwanted occurrence
(Risk graph branches C1, C2, C3, C4)
Low demand mode
Slide 65: Component and calculation data
Sensor LVL M 56 (Pepperl+Fuchs): SIL 2 in a one-channel configuration; SFF < 81%; failure rates λDU = 59 FIT, λDD = 6 FIT, λSU = 189 FIT, λSD = 84 FIT
Isolated switch amplifier KFD2-SOT2-EX1.N (Pepperl+Fuchs): SIL 2 in a one-channel configuration; SFF < 89.86%; failure rates λD = 21 FIT, λS = 78 FIT
Solenoid driver KFD2-SD-Ex1 (Pepperl+Fuchs): SIL 3 in a one-channel configuration; SFF = 100%; failure rates λD = 0 FIT, λS = 1.3 FIT
Control valve Norgren 9801: SIL 3 in a one-channel configuration; SFF < 99%; failure rates λD = 0 FIT, λS = 0 FIT; calculated after laboratory tests, PFD = 2.9·10^-7 (cycles)
Ball valve (generic), two installed (x 2): SIL 1 in a one-channel configuration, SIL 2 in a two-channel configuration; SFF = 50%; failure rates λD = 60 FIT, λS = 60 FIT
Slide 66: Assumptions for the calculation of the PFDavg
Test interval: 1, 2, 5 years
MTTR: 8 hours
Demand mode: low
Formulas from IEC 61508 part 6
Slide 67: Input subsystem PFD calculation (sensor and isolated switch amplifier)
SIL according to structure: SIL 2
Test interval: 1 year / 2 years / 5 years
PFD sensor: 2.64·10^-4 / 5.22·10^-4 / 1.30·10^-3
PFD SOT2: 9.21·10^-5 / 1.84·10^-4 / 4.60·10^-4
PFD input subsystem: 3.56·10^-4 / 7.06·10^-4 / 1.76·10^-3
Slide 68: Output subsystem PFD calculation (solenoid driver, control valve, ball valve; two channels)
SIL according to structure (Table 2 of IEC 61508, HFT 1): SIL 2
ΣλD = 0 + 0 + 6.0·10^-8 = 6.0·10^-8 /h
ΣλS = 1.3·10^-7 + 0 + 6.0·10^-8 = 1.9·10^-7 /h
β assumed 0.1
Test interval: 1 year / 2 years / 5 years
PFD output subsystem: 2.64·10^-5 / 5.29·10^-5 / 1.33·10^-4
Slide 69: Level control loop SIL verification
Test interval: 1 year / 2 years / 5 years
PFDavg input subsystem: 3.56·10^-4 / 7.06·10^-4 / 1.76·10^-3
PFDavg output subsystem: 2.64·10^-5 / 5.29·10^-5 / 1.33·10^-4
PFDavg total: 3.82·10^-4 / 7.58·10^-4 / 1.89·10^-3
SIL according to PFD (SIL 2: 10^-3 to 10^-2): 1 year SIL 3 / 2 years SIL 3 / 5 years SIL 2
Result: the safety function has a SIL 2 with a test interval up to 5 years.
Slide 70: Structure (figure): alarms on the DCS, isolated switch amplifier, solenoid driver
Slide 71: Conclusion
Don't fear standards like IEC 61508 / 61511 / 62061, ...
Thank you very much for your attention.