Functional Safety Demystified

Presentation on theme: "Functional Safety Demystified"— Presentation transcript:

1 Functional Safety Demystified
September 2011 Bob Weiss Principal Consultant Honeywell Process Solutions

2 Outline
What is Functional Safety?
SIS, SIF and SIL
Standards AS IEC61508 and AS IEC61511
An example to demonstrate compliance
4.5 day TÜV FSEng course in 45 minutes!

3 What is Functional Safety?
Part of overall safety: freedom from unacceptable risk.
Achieved by a Safety Instrumented System (SIS), called an E/E/PE safety system in IEC61508. Examples: Emergency Shutdown System, Burner Management System. Includes field devices as well as the logic solver.
A SIS places or maintains a process in a safe state. Process = Equipment Under Control (EUC) in IEC61508.
Implements Safety Instrumented Functions (SIFs). Each SIF achieves a Safety Integrity Level (SIL).
Acronyms to remember: SIS, SIF and SIL!

4 Some terms: SIS, SIF and SIL
[Diagram] Safety Instrumented System (SIS): Logic Solver (Safety PLC) plus field devices: temperature transmitter, pressure transmitter, flow shut-off valve, solenoid, globe valve, relay in MCC.
Safety Instrumented Function (SIF): SIF 1: TZH1234, SIF 2: PZHH1234, each with a Safety Integrity Level (SIL) shown as SIL 2 and SIL 1.

5 Why Functional Safety? Buncefield, England, 11 Dec 2005
Storage tank level gauge showed a constant reading. High level alarm switch jammed. Gasoline tank overflowed. Mist exploded: the largest explosion in peacetime. 20 tanks on fire, burned for three days. Significant environmental impact. Millions of pounds damage.

6 Standards: IEC61508 or IEC61511?
AS/IEC 61508: SIS component manufacturers.
AS/IEC 61511: SIS integrators and users.
[Diagram] 61508 OR 61511; 61508 also applies to SIL4 applications.

7 IEC61511 Safety Lifecycle
[Lifecycle diagram] Phases:
1 Hazard and risk analysis
2 Allocation of safety functions to protection layers
3 Safety requirements specification for the SIS
4 Design and engineering of safety instrumented system
5 Installation, commissioning and validation
6 Operation and maintenance
7 Modification
8 Decommissioning
9 Design and development of other means of risk reduction
10 Management of functional safety and functional safety assessment and auditing
11 Safety life-cycle structure and planning
Verification applies across all phases. Responsibilities are split between Engineering Contractor, SIS Vendor and End User.

8 Complying with AS IEC 61508 & AS IEC 61511
Target SIL must be specified for each SIF based on hazard and risk analysis.
Processes for the SIS throughout the lifecycle must comply.
Each SIF must meet target SIL requirements for: architectural constraints; random failure rate (PFDavg); development process for each component (field devices, logic solver, shutdown valves etc.).
Not just TÜV certification, though it helps! Not just meeting the PFDavg target.

9 Comply Throughout Lifecycle
For the rest of the presentation we'll follow the SIS lifecycle. What do we need to do to comply at each stage? See the following example. Only the main elements of compliance are covered.

10 1 Hazard and Risk Analysis
Output is a list of hazardous events with their process risk and acceptable risk.
[Lifecycle diagram, phase 1 highlighted]

11 Case Study: 1 A Hazard: "potential source of harm"
300t of Liquefied Petroleum Gas can potentially cause harm.
Hazardous event example: BLEVE (YouTube video).

12 Case Study: 2 HazOp
Node: LPG Tank. Guideword: HIGH LEVEL.
Consequence: high pressure, possible tank rupture and major fire.
Existing controls: Pressure Relief Valve (PSV-1).
New controls: add High Level Alarm.

13 2 Allocation of Safety Functions
Often called SIL Analysis or SIL Determination. Output is a list of Safety Instrumented Functions together with their required Safety Integrity Level.
[Lifecycle diagram, phase 2 highlighted]

14 Case Study: 3 Design after HazOp
Is Risk acceptable?

15 Risk
The product of consequence severity and likelihood of occurrence.
[Risk matrix: severity Minor / Medium / Major against likelihood of occurrence, giving LOW, MEDIUM and HIGH risk; risk increases along both axes]

16 Case Study: 4a Risk Reduction
Hazard: 300t of LPG.
Level stable (process under control) -> Control valve sticks (process deviation or disturbance) -> LAH Alarm -> Level increasing (process out of control) -> High pressure (hazardous situation) -> PSV -> Vessel fails (hazardous event) -> Impact / consequence: 300t of boiling LPG released, likely major fire and fatalities.

17 Risk Analysis - Layers of Protection 1
[Layers-of-protection diagram] Process -> Hazardous situation: 1 per y -> Control System (BPCS) -> Alarm LAH (x 1 !) -> Mechanical PSV (x 100) -> Hazardous event!! Target: 1 per 10,000 y. Risk reduction required: x 10,000; only have x 100!!
Failure of the process and/or its control can cause a hazard. Depending on the severity of the hazard and the frequency of failure, the risk from this failure may be unacceptable. Additional layers of protection are then added to reduce the risk to tolerable levels. Alarms are one of these layers.

18 Case Study: 4b Risk Reduction
Hazard: 300t of LPG.
Level stable (process under control) -> Control valve sticks (process deviation or disturbance) -> LAH Alarm -> Level increasing (process out of control) -> LZHH Trip -> High pressure (hazardous situation) -> PSV -> Vessel fails (hazardous event) -> Impact / consequence: 300t of boiling LPG released, likely major fire and fatalities.

19 Case Study: 5 Add a SIF
High Level Trip LZHH2 added. Shuts off flow when High High level is reached.

20 SIL Determination 1 - Layers of Protection
[Layers-of-protection diagram] Process -> Hazardous situation: 1 per y -> Control System (BPCS) -> Alarm LAH -> SIF LZHH (SIL 2, x 100) -> Mechanical PSV (x 100) -> Hazardous event!! Target: 1 per 10,000 y. Risk reduction required: x 10,000. SIF must reduce risk by 10,000/100 = 100.
Failure of the process and/or its control can cause a hazard. Depending on the severity of the hazard and the frequency of failure, the risk from this failure may be unacceptable. Additional layers of protection are then added to reduce the risk to tolerable levels. Alarms are one of these layers.

21 Safety Integrity Level vs. Risk Reduction
SIL | Probability of Failure on Demand (PFDavg) | Risk Reduction Factor (RRF) | Safety Availability
4   | >= 10^-5 to < 10^-4                       | > 10,000 to 100,000         | > 99.99 %
3   | >= 10^-4 to < 10^-3                       | > 1,000 to 10,000           | > 99.9 %
2   | >= 10^-3 to < 10^-2                       | > 100 to 1,000              | > 99 %
1   | >= 10^-2 to < 10^-1                       | > 10 to 100                 | > 90 %
-   | (Control: RRF <= 10)                      |                             |
PFDavg = 1 / RRF; Safety Availability = 1 - PFDavg. Used later for verifying the SIL achieved.

22 SIL is more than just PFD
Target SIL must be specified for each SIF based on hazard and risk analysis.
Processes for the SIS throughout the lifecycle must comply.
Each SIF must meet target SIL requirements for: architectural constraints; random failure rate (PFDavg); development process for each component.

23 3 Safety Requirements Specification - SRS
Defines the functional and integrity requirements of the SIS. Output is a set of documents ready for detail design.
[Lifecycle diagram, phase 3 highlighted]

24 Cause-and-Effect Diagram
SIFs are commonly documented by Cause and Effect diagrams. Could include the required SIL.
Speaker notes: Example 5 asks for the SIL of a safety instrumented function where the hazard being prevented has a consequence of PLL=0.21 and a likelihood of 1/576 events per year. Based on the description of the consequence, the selected category is "Minor", which has an associated target frequency of 1.0x10-3. The target frequency of 1.0x10-3 and the unmitigated event frequency of 1/576 are combined to calculate the PFD using the equation on slide [number missing]. The result is a required PFD of [value missing]. A probability of failure on demand of [value missing] can be achieved with an SIL 1 system.

25 4 Design and Engineering
SIS vendor for the logic solver; EPC contractor or end user for field hardware.
[Lifecycle diagram, phase 4 highlighted]

26 Standards Compliance
Target SIL must be specified for each SIF based on hazard and risk analysis.
Processes for the SIS throughout the lifecycle must comply.
Each SIF must meet target SIL requirements for: architectural constraints; random failure rate (PFDavg); development process for each component.

27 FS Management System - TÜV Certification
See the HPS TÜV Certificate. Covers compliance to IEC 61508 & IEC 61511. Periodic audits and renewal. Need comparable processes for other phases.

28 Standards Compliance
Target SIL must be specified for each SIF based on hazard and risk analysis.
Processes for the SIS throughout the lifecycle must comply.
Each SIF must meet target SIL requirements for: architectural constraints; random failure rate (PFDavg); development process for each component.

29 Case Study: 6 PFD Calculation
Target is SIL 2. What is the calculated PFDavg for SIF LZHH2?

30 Safety Integrity Level vs. PFDavg
SIL | Probability of Failure on Demand (PFDavg) | Risk Reduction Factor (RRF) | Safety Availability
4   | >= 10^-5 to < 10^-4                       | > 10,000 to 100,000         | > 99.99 %
3   | >= 10^-4 to < 10^-3                       | > 1,000 to 10,000           | > 99.9 %
2   | >= 10^-3 to < 10^-2                       | > 100 to 1,000              | > 99 %
1   | >= 10^-2 to < 10^-1                       | > 10 to 100                 | > 90 %
-   | (Control: RRF < 10)                       |                             |
PFDavg = 1 / RRF; Safety Availability = 1 - PFDavg. Implementation focus: the PFDavg column.

31 Approximation to PFDavg
[Plot: probability that the item has failed, PFD(t), rising from 0 towards 1 over time t and reset at each proof test; the average PFD over the test interval is shown]
TI = test interval.
PFD average = λDU x TI / 2, where λDU = Dangerous Undetected failure rate. Remember this!

32 Case Study: 6 PFD Calculation
Test interval = 1 y.
Reliability data: Valve: λDU = 1/10y (= 0.1 y-1). Logic solver: λDU = 1/1000y (= 0.001 y-1). Sensor: λDU = 1/100y (= 0.01 y-1).
PFDavg = λDU x TI / 2:
0.1 x 1 / 2 = 0.05 for valve
0.001 x 1 / 2 = 0.0005 for logic solver
0.01 x 1 / 2 = 0.005 for transmitter
Total PFDavg = 0.05 + 0.0005 + 0.005 = 0.0555
Calculated SIL = 1 (PFDavg range 0.01 – 0.1). Required SIL = 2. Not OK! How can this be fixed?

33 Effect of Test Interval on PFDavg
[Two plots of PFD(t) against time t: with a long test interval TI the probability that the item has failed climbs higher before each test, so the average PFD is larger; with a shorter TI the sawtooth is reset sooner and the average PFD is smaller]

34 Case Study: 7a Adjust Test Interval
Test interval = 1 month.
Reliability data: Valve: λDU = 1/10y (= 0.1 y-1). Logic solver: λDU = 1/1000y (= 0.001 y-1). Sensor: λDU = 1/100y (= 0.01 y-1).
PFDavg = λDU x TI / 2:
0.1 / 12 / 2 = 0.0042 for valve
0.001 / 12 / 2 = 0.00004 for logic solver
0.01 / 12 / 2 = 0.0004 for transmitter
Total PFDavg = 0.0042 + 0.00004 + 0.0004 = 0.0046
Calculated SIL = 2 (PFDavg range 0.001 – 0.01). Required SIL = 2. OK, BUT operations object to monthly testing!

35 Case Study: 7b Duplicate Block Valves
Test interval = 1 year.
Reliability data: Valve: λDU = 1/10y (= 0.1 y-1). Logic solver: λDU = 1/1000y (= 0.001 y-1). Sensor: λDU = 1/100y (= 0.01 y-1).
For 2 valves, 1oo2 voting (simplified, ignoring common cause): PFDavg = (0.1 x 1 / 2)^2 = 0.0025
Total PFDavg = 0.0025 + 0.0005 + 0.005 = 0.008
Calculated SIL = 2 (PFDavg range 0.001 – 0.01). Required SIL = 2. OK.
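The SIL determination of slides 17 to 21 and the PFDavg verification of slides 31 to 35, carried through as an added worked example (this code is not from the presentation). It uses the simplified PFDavg = λDU x TI / 2 approximation and the slide's 1oo2 treatment, and the function and band names are my own.

```python
# Added example: SIL determination by layers of protection, then PFDavg
# verification of the case-study SIF using the slides' simplified formula.
import math

# SIL bands from the "SIL vs. Risk Reduction" slide: (PFD lower bound
# inclusive, upper bound exclusive, SIL). Ordered SIL 1 first.
SIL_BANDS = [(1e-2, 1e-1, 1), (1e-3, 1e-2, 2), (1e-4, 1e-3, 3), (1e-5, 1e-4, 4)]

def sil_from_pfd(pfd_avg):
    """SIL band an achieved PFDavg falls in; None if worse than SIL 1."""
    for low, high, sil in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return None

def required_rrf(hazard_freq_per_y, target_freq_per_y, existing_layers):
    """Risk reduction the new SIF must provide after credit for existing
    layers (slide 20: 10,000 / 100 = 100). RRF of each layer is listed."""
    total = hazard_freq_per_y / target_freq_per_y
    return total / math.prod(existing_layers)

def target_sil(rrf):
    """Lowest SIL whose band guarantees PFDavg <= 1 / rrf (bands are
    open at the top, so an RRF of exactly 100 needs SIL 2, not SIL 1)."""
    for _low, high, sil in SIL_BANDS:
        if high <= 1.0 / rrf:
            return sil
    return None  # beyond SIL 4: not achievable by one SIF

def pfd_single(lambda_du_per_y, ti_years):
    """Average PFD of one periodically proof-tested element."""
    return lambda_du_per_y * ti_years / 2

def pfd_1oo2(lambda_du_per_y, ti_years):
    """1oo2 voting as on slide 35: product of the two single-element PFDs
    (common-cause failure is ignored, as the slide does)."""
    return pfd_single(lambda_du_per_y, ti_years) ** 2

def sif_pfd(sensor, logic, valve, ti_years, valves_1oo2=False):
    """Sum of sensor, logic solver and final element PFDs (series)."""
    final = pfd_1oo2(valve, ti_years) if valves_1oo2 else pfd_single(valve, ti_years)
    return pfd_single(sensor, ti_years) + pfd_single(logic, ti_years) + final

# Case-study reliability data, failures per year: sensor 1/100y,
# logic solver 1/1000y, valve 1/10y.
SENSOR, LOGIC, VALVE = 0.01, 0.001, 0.1

if __name__ == "__main__":
    rrf = required_rrf(1.0, 1e-4, [100])  # PSV already gives x100 credit
    print(f"SIF must reduce risk by x{rrf:.0f} -> target SIL {target_sil(rrf)}")
    cases = [("annual test", 1.0, False), ("monthly test", 1 / 12, False),
             ("1oo2 valves, annual test", 1.0, True)]
    for label, ti, dup in cases:
        pfd = sif_pfd(SENSOR, LOGIC, VALVE, ti, dup)
        print(f"{label}: PFDavg = {pfd:.4f} -> SIL {sil_from_pfd(pfd)}")
```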

36 Is one transmitter enough or do we need two?
Standards Compliance: Target SIL must be specified for each SIF based on hazard and risk analysis. Processes for the SIS throughout the lifecycle must comply. Each SIF must meet target SIL requirements for: architectural constraints; random failure rate (PFDavg); development process for each component.
Is one transmitter enough or do we need two?

37 Architectural Constraints
Aim is to avoid unrealistic reliability claims from single devices ("elements").
Constrains SIF architecture based on: Safe Failure Fraction; complexity of device ("Type A" or "Type B"); target SIL.
Outcome is the required Hardware Fault Tolerance: number of voted devices minus 1 (typically).
Use the tables in IEC61508 part 2. IEC61511 has simplified requirements.

38 Safe Failure Fraction
Safety valve, normally open and normally energized. In case of an out-of-control process, the valve has to close.
SAFE failure: closes spontaneously due to loss of energy. Either undetected, or detected by voltage control.
DANGEROUS failure: stuck at open. Either undetected, or detected by diagnostics.

39 Architectural Constraints – IEC61508.2
Type A subsystems – e.g. pressure switch
Table 2: Safe failure fraction | Hardware fault tolerance 0 | 1 | 2
< 60 %      | SIL1 | SIL2 | SIL3
60 % - 90 % | SIL2 | SIL3 | SIL4
90 % - 99 % | SIL3 | SIL4 | SIL4
>= 99 %     | SIL3 | SIL4 | SIL4
Type B subsystems – e.g. Logic Solver, Smart Tx
Table 3: Safe failure fraction | Hardware fault tolerance 0 | 1 | 2
< 60 %      | Not allowed | SIL1 | SIL2
60 % - 90 % | SIL1        | SIL2 | SIL3
90 % - 99 % | SIL2        | SIL3 | SIL4
>= 99 %     | SIL3        | SIL4 | SIL4
Independent Channels Required = Hardware Fault Tolerance + 1

40 Case Study: 8 Architectural Constraints
Transmitter LZT 2 is a smart radar gauge. Can we use a single transmitter to satisfy SIL 2? Must also check the logic solver and valve.

41 Case Study: 8 Architectural Constraints
Smart Transmitter = Type B device, so use Table 3 in IEC61508.2. Safe Failure Fraction = 91.8% (from the TÜV Certificate). For SIL 2, required Hardware Fault Tolerance = 0. Therefore one transmitter is OK for SIL 2.
[Table 3 for Type B subsystems as on slide 39, with the 90 % - 99 % row highlighted for Std Tx LTZ 2]

42 Architectural Constraints for Logic Solver
E.g. Honeywell FSC and Safety Manager logic solvers: 1oo2D architecture or 2oo4D architecture. All have 99% safe failure fraction, hence all are "SIL 3 capable". 2oo4D has a lower spurious trip rate, but costs more.
[Table 3 for Type B subsystems as on slide 39, with the >= 99 % row highlighted for FSC, SM]
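The Table 2 / Table 3 lookup of slides 39 to 42, as an added example that is not part of the presentation: given a device's type, safe failure fraction and the target SIL, it returns the hardware fault tolerance and the number of voted devices needed. The valve's SFF below is an assumed figure for illustration; the transmitter and logic solver values are the slides'.

```python
# Added example: IEC 61508-2 architectural-constraint lookup as reproduced on
# the slides. Each row is (exclusive upper SFF bound, max SIL at HFT 0, 1, 2).
# None means "Not allowed".
TYPE_A = [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))]
TYPE_B = [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))]

def sff_row(sff, device_type):
    """Row of Table 2 (Type A) or Table 3 (Type B) for a safe failure fraction
    given as a fraction 0..1. Bands are <60, 60-<90, 90-<99, >=99 %."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    table = {"A": TYPE_A, "B": TYPE_B}[device_type]
    for upper, row in table:
        if sff < upper:
            return row
    raise AssertionError("unreachable: last band covers sff == 1.0")

def max_sil(sff, device_type, hft):
    """Highest SIL the element may claim at the given hardware fault tolerance."""
    return sff_row(sff, device_type)[hft]

def required_hft(sff, device_type, target_sil):
    """Smallest HFT (0..2) at which the element may claim target_sil, or None
    if even HFT 2 is not enough according to the table."""
    for hft, sil in enumerate(sff_row(sff, device_type)):
        if sil is not None and sil >= target_sil:
            return hft
    return None

def devices_needed(sff, device_type, target_sil):
    """Independent channels required = HFT + 1 (slide 39)."""
    hft = required_hft(sff, device_type, target_sil)
    return None if hft is None else hft + 1

if __name__ == "__main__":
    # Case study: smart transmitter (Type B, SFF 91.8 %), logic solver
    # (Type B, SFF 99 %), and a block valve with an ASSUMED SFF of 70 % (Type A).
    elements = [("LZT 2 smart transmitter", 0.918, "B"),
                ("FSC / Safety Manager logic solver", 0.99, "B"),
                ("block valve (assumed SFF)", 0.70, "A")]
    for name, sff, kind in elements:
        n = devices_needed(sff, kind, 2)
        print(f"{name}: SIL 2 needs HFT {required_hft(sff, kind, 2)} -> {n} device(s);"
              f" SIL 3 capable at HFT 0: {max_sil(sff, kind, 0) >= 3}")
```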

43 Standards Compliance
Target SIL must be specified for each SIF based on hazard and risk analysis.
Processes for the SIS throughout the lifecycle must comply.
Each SIF must meet target SIL requirements for: architectural constraints; random failure rate (PFDavg); development process for each component.
How likely is it that each component is free from systematic faults ("bugs")?

44 Case Study: 9 – Transmitter Selection
Must control systematic faults. The transmitter selected must comply with IEC61508 and IEC61511. It must either be:
Proven in use: comparable application; sample size sufficient for 70% confidence level; all failures documented;
or designed and manufactured in accordance with IEC 61508, confirmed by an independent certificate (e.g. by TÜV): "SIL x Capable".

45 Case Study: 9 - Transmitter TÜV Certificate

46 Case Study: 9 - Transmitter TÜV Certification Mark

47 Standards Compliance
Target SIL must be specified for each SIF based on hazard and risk analysis.
Processes for the SIS throughout the lifecycle must comply.
Each SIF must meet target SIL requirements for: architectural constraints; random failure rate (PFDavg); development process for each component.
Design now complies.

48 5 Installation, Commissioning, Validation
Logic solver installed with field equipment. Includes loop checking, validation and final functional safety assessment.
[Lifecycle diagram, phase 5 highlighted]

49 Standards Compliance
Target SIL must be specified for each SIF based on hazard and risk analysis.
Processes for the SIS throughout the lifecycle must comply.
Each SIF must meet target SIL requirements for: architectural constraints; random failure rate (PFDavg); development process for each component.
Verification, Validation, Functional Safety Assessment.

50 Case Study: 10 Verification and Validation
Verification and Validation Plan for the project (V&V Plan Template). SIL 2 independence required (i.e. an independent engineer). Define responsibilities.
Verify the Safety Requirements Specification, hardware design documents, functional specifications etc.
Implement code walkthrough.
Logic Solver Factory Acceptance Test: complete integration test of application software on target hardware.
Logic Solver Site Acceptance Test: power-up test on site.
Safety Function Testing.
Functional Safety Assessment.

51 6 Operations, Maintenance and Modification
The Cinderella phases! The user must follow a Functional Safety Management System for the life of the SIS.
[Lifecycle diagram, phases 6 and 7 highlighted]

52 Ops and Maintenance Obligations
Proof test each SIF at the specified interval.
Monitor design assumptions: demand rates, component reliability. Adjust the test interval to suit.
Control modifications.
Ensure maintenance and operational overrides are used as designed.
Monitor and promptly follow up diagnostics.

53 Case Study: 9 Operation and Maintenance
Risk analysis assumed: demand on the SIS once per year. What happens in practice?
SIL verification assumed: transmitter failure rate 0.01 y-1, etc etc.
Must verify actual performance against assumptions and adjust testing as required. Documentation of assumptions is critical.
[Layers-of-protection diagram as on slide 20: Process -> Hazardous situation 1 per y -> Process Control System (BPCS) -> Alarm LAH -> SIF LZHH (SIL 2, x 100) -> Mechanical PSV (x 100) -> Hazardous event!! Target: 1 per 10,000 y; required: x 10,000]

54 Case Study: 12 - Modification
LZHH logic needs modification after commissioning. The validation needed depends on the highest SIL in that SIS!
TECHNIQUE / MEASURE | Ref | SIL 1 | SIL 2 | SIL 3 | SIL 4
1 Impact Analysis | B.35 | HR
2 Re-verify Changed Module
3 Re-verify Affected Modules | R
4 Revalidate Complete System | ---
5 Software Configuration Management | B.56
6 Data Recording and Analysis | B.13
During early design consider splitting SIL 2 and SIL 3 systems.

55 Summary 1 – The SIS Lifecycle
[IEC61511 safety lifecycle diagram as on slide 7, phases 1 to 11 plus Verification, with responsibilities split between Engineering Contractor, SIS Vendor and End User]

56 Summary 2 – Requirements
Target SIL must be specified for each SIF based on hazard and risk analysis.
Processes for the SIS throughout the lifecycle must comply.
Each SIF must meet target SIL requirements for: architectural constraints; random failure rate (PFDavg); development process for each component.
Not just TÜV certification, though it helps! Not just meeting the PFDavg target. Don't forget the spurious trip rate!

57 Need more?
ISA Safety Instrumented Systems: An Overview. One day overview course: 3rd October, Perth; 16 November, Sydney.
TÜV Functional Safety Engineer Qualification. One week course and exam; leads to a formal qualification (requires 3+ years experience). 24th October, Melbourne.

58 Thank You... Questions?
