09/26/03
Measurement Fundamentals
Introduction
Many industrial processes are inherently hazardous. These processes typically use toxic, flammable
or reactive materials, and often at elevated temperatures and pressures. In the event of equipment
malfunction or human error in these processes a catastrophic event could happen. Safety
Instrumented Systems (SIS) are automation systems designed to prevent these events.
Interest, particularly in the chemical, petrochemical, and refining industries, in these systems has
increased over the last few years because of new international standards.
A safety instrumented system is defined as a system composed of sensors, logic solvers and final
control elements designed for the purpose of:
- Automatically taking a process to a safe state when pre-determined conditions are violated.
- Permitting a process to move forward in a safe manner when specified conditions allow.
- Taking action to mitigate the consequences of an industrial hazard.
Safety Instrumented Systems are very similar to control systems in that they both use similar
components. However, given the purpose of a SIS, additional design requirements must be met. This
guide will provide an overview of these additional requirements.
This module contains the following sections:
Section 1: SIS Fundamentals
Section 2: SIS Standards
Section 3: SIS Loop Components - FMEDA Analysis Results and Applications
Section 4: SIS Loop Design
Section 5: SIS in the Future
PERFORMANCE OBJECTIVE
After you have completed this training course, you will understand Safety Instrumented Systems
basics, Standards, and the application of those standards.
LEARNING OBJECTIVE
After you have completed this section, you will be able to:
List and briefly explain:
Layers of protection
The purpose of an SIS
Components of an SIS
Layers of Protection
A plant has many layers of protection to protect personnel, equipment, and local communities from a
catastrophic event. These layers are also there to protect the company's reputation and provide
legal protection in the event that a catastrophic event occurs.
Some layers of protection are prevention layers, some layers are mitigation layers. A prevention layer
is there to prevent the catastrophic event from happening. A mitigation layer is used to contain the
event and reduce its cost after the event has occurred.
Figure 1.1
Figure 1.1 shows typical layers of protection. The Basic Process Control System (BPCS), Alarms,
and Safety Instrumented Systems are prevention layers. The rest of the layers are mitigation layers.
To illustrate layers of protection, let's look at a vessel where a reaction is taking place. Given the right
conditions, the reaction could run away and, without different layers of protection, the tank could
explode and cause significant damage. This example is depicted in figure 1.2.
The protection layers are:
Layer 1: Basic process control system to control the temperature/pressure
Layer 2: An audible alarm to tell the operator to manually shut a valve to stop the reaction
Risk Management
When it comes to risk management, the process industry parallels the risk management of our
personal life. For example, when we get into an automobile and drive we take a risk of damaging our
car or other cars, a risk of injury to ourselves or others, and a risk of death to ourselves or others. To
reduce risk:
The government will dictate some risk reduction with laws like car impact protection, mandatory
seat belts, speed limits, and other traffic laws.
The automobile manufacturers offer some risk reduction through standard safety equipment
and some optional safety equipment for the safety conscious.
We decide how much more risk reduction we want through buying the safety options, or not
driving while drinking, tired, or in bad weather.
The process industry parallel is:
The government will dictate risk reduction through laws or directives.
The process industry will offer risk reduction ideas by publishing standards and/or best
practices information.
The plant decides at what level risk they can operate at based on corporate standards, capacity
levels and other factors.
Risk management is not easy. Figure 1.3 illustrates the typical forces involved in the risk
management formula. The government can dictate some risk management, but the end-user has to
make the final decision on how safe the SIS layer should be.
Figure 1.3: the three forces in the risk management formula: Moral, Legal, Financial
SIS Components
Safety Instrumented Systems (SIS) are very similar to Basic Process Control Systems (BPCS). The
systems include all the elements from the sensor to the final control element connected to the
process, including inputs, outputs, SIS user interfaces, power supply, and a logic solver. SIS
components are usually separate and independent from the BPCS.
Although you have to consider all the things that are listed above when specifying a SIS, the three
key components in the calculation include:
sensors
a logic solver
final control elements.
Figure: the three key SIS components: Sensor, Logic Solver, Control Element
Sensors
Sensors measure pressure, temperature, flow, mass flow, level, flame (flame detectors), pH or other
parameters. They range from simple pneumatic or electrical switches to smart transmitters with onboard
diagnostics. SIS sensors can be the same as typical process sensors (under certain qualifying
conditions that will be covered later) or can be sensors specifically designed for SIS applications.
Sensors specially designed for SIS have extra internal diagnostics and software allowing fault
detection and controlled access to device setup and calibration.
Again, the standards do not prescribe any specific type or technology for sensors used in SIS
applications. It is up to the designer of the system to determine the most optimal/safest technology.
What the standards will define are the specific requirements the end user must follow when
specifying, installing, and maintaining Sensors.
Logic Solver
The logic solver is typically a controller that reads signals from the sensors and executes
preprogrammed actions to prevent a hazard. There are many similarities between a safety logic
solver and a conventional DCS or PLC. Both perform logic functions and both have input and
output capability from sensors and final control elements. The difference is that the SIS logic solver
is designed to be fault tolerant, to have internal redundancy, and to fail in a safe mode. It is
designed with extra internal diagnostics, hardware and software that allow it to detect faults. The
safety logic solver also has added security to guard against accidental configuration changes.
Similar to sensors, the standards do not dictate what type of logic solver to use, only the
requirements for its application. Typical logic solvers on the market include Triconex, HIMA, GE, and
Siemens-Moore (Quadlog).
Section 1 Quiz
1.1 The purpose of an SIS system is to:
a. automatically take a process to a safe state
b. permit a process to bypass a hazardous area
c. take action to prevent a hazard
d. all of the above
1.2 What are the three major components of an SIS?
a. front end, middle, back end
b. sensor, logic solver, final control element
c. input, processor, output
d. analysis, design, operation
1.3 An SIS is:
a. the first mitigation layer
b. the last Prevention layer
c. a prevention layer average
d. a mitigation layer average
1.4 The three forces involved in risk management are:
a. Moral, Legal, Engineering
b. Moral, Legal, Technical
c. Moral, Legal, Financial
d. Moral, Legal, Management
1.5 A similar theme for specially designed safety hardware is:
a. the devices are qualified by a third party organization
b. internally redundant
c. visually identified
d. the devices have more diagnostics than BPCS hardware
Hierarchy of Guidance
The hierarchy of guidance is important to understand the actual SIS standards covered. The
hierarchy is Legislation, Regulation, Standards, and then recommended practices. This hierarchy is
important because it lays out what is mandatory, what is not, and what is in between. It basically
creates a hierarchy for company and personal exposure for liability.
Legislation or Directives are laws enacted by officials at the country-union, country, state, or local
level. It is a criminal offense to disobey a law or directive, subject to jail or significant fines.
Regulations are rules which have the weight of law through delegation of authority. An example in
the United States is the EPA (Environmental Protection Agency). The federal government formed the
agency and delegated to it the power to create regulations, subject to criminal offense if not followed.
Another example in the US: OSHA, Occupational Safety and Hazard Association, has recognized that
if you follow the ISA S84.01 safety standard you will be in compliance with its PSM (Plant Safety
Management) regulation.
Standards are guidelines that are a consensus of an industry or group and typically target the lowest
level of acceptable engineering. They are typically developed by industry people published through
agencies such as ANSI, ASME, IEC, and others.
Recommended Practices are recommendations of an industry group. Sometimes the practices are
published by an organization representative of a group such as NAMUR or WIB. Sometimes these
recommended practices are published by a manufacturer.
If the company is negligent in complying with laws and regulations and a hazardous event happens,
criminal charges can be brought against the company. Ramifications include employees going to jail,
severe fines from the government and/or large punitive jury awards to injured people. If a company is
negligent in not complying with a standard and a hazardous event happens and there is damage or
somebody gets hurt, the company could be open to huge punitive jury awards but probably not a jail
sentence. If a company does not follow a recommended practice it will probably not be liable for
anything.
The laws and regulations are also of interest to the plant's insurance company. In the first two
examples above, the plant's insurance company has to pay for the replacement of damaged
equipment and/or medical bills and possibly punitive awards, so it has an interest in making sure the
company is following all laws and standards. Providing insurance to a plant is a risk the insurance
company takes that nothing will happen and it will not have to pay claims. If the plant complies
with all laws, regulations, and standards, a hazardous event is less likely to happen and the
insurance premiums will be lower.
An exception to the hierarchy is when a standard or recommended practice is given the power of law
or is listed by a European directive. An example of this in the US is where OSHA simply references
a standard instead of writing its own regulation. An example in Europe is the Seveso Directive,
enacted in response to a dioxin release that contaminated 17 square km of land near Seveso, Italy,
which references IEC61511 as a law to abide by.
IEC61508
IEC61508 was the first attempt to write an international standard for safety. Its several parts were
approved between 1998 and 2000. The intent of the standard was to establish a foundation for
other industry-specific safety standards. The standard developed key points that all future standards
will follow:
1. It was the first standard to focus on risk based safety related system design.
2. It required performance based assessment
3. Used a lifecycle approach (conception to decommissioning)
An example of the risk-based approach is basing the safety level of a loop on the amount of diagnostic
coverage. In IEC61508 the amount of diagnostic coverage is defined by a term named the Safe
Failure Fraction, SFF. Failures in a device can be categorized into four types as follows:
1. Safe detected: this is not an on-scale failure, but the component can detect it and act
appropriately.
2. Safe undetected: the component cannot detect this failure, but the failure will cause the
component output to go off-scale.
3. Dangerous detected: this is an on-scale failure that the diagnostics can detect, setting the
component output to alarm.
4. Dangerous undetected: this is an on-scale failure that cannot be detected by diagnostics.
It can only be detected by testing.
The SFF relates the device's dangerous undetected failure rate to its overall failure rate: it is the
fraction of all faults that are anything other than dangerous undetected. In simple terms, the SFF is
the amount of diagnostic coverage. A device with an SFF of 92.8% can detect 92.8% of all faults,
or equivalently it can't detect 7.2% of all faults. The SFF depicts a confidence level that a device/loop
is working safely. The higher the SFF, the better the ability to know whether the loop is working
properly, the lower the risk of the event happening, and, as a byproduct, the less redundancy needed
to comply with the standard. SFF data is typically supplied by manufacturers of loop components on
a FMEDA (Failure Modes, Effects and Diagnostic Analysis) report. The FMEDA report will be covered
in Part 4 of this study guide.
Many of our customers adopted IEC61508 because of its risk-based design, which could result in far
more cost-effective implementations, but its intent was to be a basic or umbrella safety publication.
The standard is extensive: it has 7 parts and can be applied to any industry sector. This broad
coverage made it onerous to comply with in the process industry sector. From IEC61508 came other
industry-specific standards such as IEC61513 for the Nuclear Sector, IEC62061 for the Machinery
Sector, and the one we are most interested in, IEC61511 for the Process Sector. Many of these
industry-specific standards reference IEC61508 for specific SIS components.
Figure: IEC61508 (Generic) and the industry-specific standards derived from it: IEC61513 (Nuclear
Sector), IEC62061 (Machinery Sector), IEC61511 (Process Sector)
Figure 2.2 is a drawing directly from IEC61511. It is an example of an industry specific standard,
IEC61511, referencing IEC61508.
Figure 2.2: Process sector hardware and software routes (from IEC61511)

Process Sector Hardware
  Developing new hardware devices                                        Follow IEC61508
  Using proven-in-use hardware devices                                   Follow IEC61511
  Using hardware developed & assessed according to IEC61508              Follow IEC61511

Process Sector Software
  Developing embedded (system) software                                  Follow IEC61508-3
  Developing application software using full variability languages       Follow IEC61508-3
  Developing application software using limited variability languages    Follow IEC61511
Figure: IEC61508 overall safety lifecycle (phases numbered as in the standard). Recoverable boxes:
Concept; Analysis; Overall Planning (Overall Operation & Maintenance Planning, Overall Validation
Planning, Overall Installation & Commissioning Planning); Realisation of Safety Related Systems:
E/E/PES; Realisation of Safety Related Systems: Other Technology; Realisation of External Risk
Reduction Facilities; Design; Operation; 15 Overall Modification & Retrofit; 16 Decommissioning;
"Back to appropriate Overall Safety Lifecycle Phase".
IEC61511
IEC61511 was published in January 2003. It has three parts:
Part One is the framework, definitions, hardware, and software requirements
Part Two is the guidance for applying the requirements
Part Three gives examples of how to apply Part One.
IEC61511 was developed specifically for the process industry and is recognized as a more
understandable version of IEC61508. It:
Is risk based
Is less prescriptive and more goal oriented than IEC61508
Has industry-specific vocabulary
Has some new terminology
Has industry-specific examples and tailored requirements
Requires more documentation.
Risk Based
IEC61511 is more risk based than IEC61508. Determination of safety coverage is stated in terms of
RRF (Risk Reduction Factor) and SIL (Safety Integrity Level). In a most basic example, a plant
calculates that if a certain hazard occurs it could cost the plant $100 M. The plant standard, decided
through corporate policy and insurance, is that it should not have an exposure of more than $500K. In
this case the SIS design needs to decrease the risk by a factor of 200, i.e. a Risk Reduction Factor of
200. The designer can now look at IEC61511 to determine the Safety Integrity Level (SIL) that must be
achieved to meet the target risk reduction.
Figure 2.3 shows the SIL table referenced in IEC61511. You can figure out the target SIL from either
the RRF or the PFD. Typically a customer would calculate the risk reduction they need for a
specific hazard. Then they would look at this table to get two important pieces of information:
Target SIL
Target PFD
Also notice that the process industry only has SIL1, SIL2, or SIL3. IEC61511 states that if an event
needs SIL 4 protection, the process needs to be reengineered.
Figure 2.3: SIL table referenced in IEC61511

Safety Integrity Level   Probability of failure on demand per year   Risk Reduction Factor
SIL 4
SIL 3                    >=10^-4 to <10^-3                           10000 to 1000
SIL 2                    >=10^-3 to <10^-2                           1000 to 100
SIL 1                    >=10^-2 to <10^-1                           100 to 10
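The risk-based determination described above, as an added worked example (not code from the study guide): the hazard cost and tolerable exposure give the required Risk Reduction Factor, the target PFD is 1/RRF, and the PFD is looked up in the demand-mode bands of the SIL table. The $100 M / $500 K figures are the ones used in the text; the function names and the re-engineering flag are this example's own.

```python
# Added example (not from the study guide): determining a target SIL from a
# required Risk Reduction Factor, using the demand-mode SIL bands of the
# IEC61511 table above (RRF = 1 / PFDavg). The $100 M hazard cost and $500 K
# tolerable exposure are the figures used in the text; function names are
# this example's own.

# (SIL, PFDavg lower bound inclusive, PFDavg upper bound exclusive)
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def required_rrf(hazard_cost, tolerable_cost):
    """Risk Reduction Factor needed to bring the hazard's cost down to the tolerable exposure."""
    if hazard_cost <= 0 or tolerable_cost <= 0:
        raise ValueError("costs must be positive")
    return hazard_cost / tolerable_cost


def target_sil(rrf):
    """Map a required RRF to (SIL, pfd_low, pfd_high) via the target PFD = 1/RRF.

    Returns None when RRF <= 10, i.e. the target PFD sits above the SIL 1 band.
    Raises when the RRF exceeds what SIL 4 covers (target PFD below 1e-5).
    """
    target_pfd = 1.0 / rrf
    for sil, low, high in SIL_BANDS:
        if low <= target_pfd < high:
            return sil, low, high
    if target_pfd >= 1e-1:
        return None
    raise ValueError("required RRF exceeds the SIL 4 band")


def assess_hazard(hazard_cost, tolerable_cost):
    """Full chain: costs -> RRF -> target SIL and PFD band. The re-engineer flag
    reflects the text's rule that a SIL 4 requirement is not handled by an SIS in
    the process sector; the process itself has to be redesigned."""
    rrf = required_rrf(hazard_cost, tolerable_cost)
    band = target_sil(rrf)
    if band is None:
        return {"rrf": rrf, "sil": None, "pfd_band": None, "reengineer": False}
    sil, low, high = band
    return {"rrf": rrf, "sil": sil, "pfd_band": (low, high), "reengineer": sil == 4}


if __name__ == "__main__":
    # First pair is the text's example; the other two are constructed.
    for hazard, tolerable in [(100e6, 500e3), (20e6, 50e3), (1e9, 10e3)]:
        r = assess_hazard(hazard, tolerable)
        print(f"hazard ${hazard:,.0f} vs tolerable ${tolerable:,.0f}: "
              f"RRF {r['rrf']:.0f} -> SIL {r['sil']}, PFD band {r['pfd_band']}, "
              f"re-engineer: {r['reengineer']}")
```

Because the bands are half-open on the PFD side, a boundary RRF such as exactly 100 (PFD 0.01) lands in the SIL 1 band; designers who want margin should treat a target that sits on a band edge as needing the next SIL up.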
Figure 2.4 illustrates the Safety life cycle of IEC61511. It still has the three major components of
Analysis, Realization, and Operation. The major difference is the three vertical bars. This represents
the documentation piece of IEC61511. It requires thorough documentation of all the decisions that
were made in all stages of the life cycle.
How hardware is qualified under Prior Use is new.
Figure 2.4: IEC61511 safety life cycle. Phases: Analysis (allocation of safety functions to protection
layers; safety requirements specification for the SIS), Realization (design and engineering of SIS;
design of other means of risk reduction) and Operation, with clause references 5, 6.2, 7, 8, 12.4 and
12.7. Three vertical bars span all phases: management of functional safety and functional safety
assessment and auditing; safety life-cycle structure and planning; verification.
Section 2 Quiz
2.1 The three major sections in the IEC61511 Lifecycle are analysis, design, and operation
T or F
2.2 IEC61511 standard is designed to be used by the
a. end user
b. system integrator
c. manufacturer
d. a or b
2.3 One SIS can handle multiple SIFs
T or F
2.5 Which is the most important to adhere to?
a. Legislation
b. Regulation
c. Standard
d. Recommended Practice
Section 3 FMEDA
An FMEDA, Failure Modes, Effects and Diagnostic Analysis, is a required report for hardware used in
an SIS. This report provides detailed analysis and the device data users need to determine
suitability for use in a SIS.
After completing this section you should be able to:
Explain who is responsible for producing the FMEDA
Explain/understand the major terminology used on the FMEDA
The FMEDA is commissioned by the manufacturer and is typically done by an independent party, but
can be done by the manufacturer. The process is a systematic analysis of every component in the
evaluated device. The analysis evaluates each component in the device and the effect on the output
if the component opens, shorts, or changes value. Typically this analysis is done by looking at
schematics, but sometimes by actually injecting the fault. All outcomes are categorized into four
categories. All other calculations are based on these four values.
Safe Detected
Safe Undetected
Dangerous Detected
Dangerous Undetected
The manufacturer is provided with a full report of the analysis from the agency performing the
analysis. Typically all that is provided to customers is the summary report. The summary report does
not have a standard format or amount of data. Typically the minimum information provided is the
PFDavg, the dangerous undetected failure rate (λDU), the SFF, the test interval and the assumptions
of the analysis. This information can be spelled out, or could be expressed by the word Lambda or by
the symbol λ.
Lambda (λ) - PFD - Overall failure rate - Safe + Dangerous. λ is standard on all FMEDA reports and
represents the overall number of failures over time, Number of Failures/Time, typically
expressed in number of failures per hour. It is important to understand that the PFD on a FMEDA is
calculated and as such is a theoretical number. The reason the PFD number is called theoretical is
that it could be significantly more conservative or liberal than actual field failure data. Many
customers keep device failure databases and calculate the PFD for their plant/applications. For those
who don't keep databases, the FMEDA numbers are what they use for calculations.
λ/PFD is typically expressed in scientific notation, e.g. 638 x 10^-9. It can also be expressed in FITs
(failures in time). One FIT equals 1 x 10^-9 failures per hour. Therefore, 638 x 10^-9 is the same as
638 FITs.
See Example 3.1 to see how a customer could calculate the PFD for existing equipment.
Example 3.1
A plant has 1306 3051C pressure transmitters. They are tested once per year. Over a three year
period there have been only 4 failures.
Time = 3 years x 1306 transmitters x 8760 hours/year = 34,321,680 transmitter-hours
Lambda (λ) = 4 / 34,321,680 = 0.116 failures per million hours, or 0.001 failures/year
PFDavg: The Probability of Failure on Demand is a very important number, as the overall calculation
of the PFDavg of the loop is a measure of loop safety. PFDavg is calculated and is a function of test
frequency and repair. As explained earlier, the longer a device goes without being tested for
undetected faults, the higher the probability that an undetected fault exists. An untested device's PFD
gets larger as time increases. The basic formula is λt/2. Again, if we use some of the data from
Example 3.1 and the basic formula, the PFDavg for this 3051C is 0.0005.
Figure 2.6 is the actual PFDavg graph for the 3051C. It is taken directly off the 3051C FMEDA. A
PFDavg that falls in the green area could qualify for use in a SIL2 application. A PFDavg that falls in the
pink area could qualify for use in a SIL3 application. You can see the 3051C PFDavg changes as the
proof test interval gets shorter.
λDU (Lambda DU): the number of dangerous undetected failures per unit operating hour. Again, this
can be expressed in either of the formats described above for λ. This is the most important number on
the FMEDA. For every dangerous undetected failure a proof test must be performed to ensure
MTTF, Mean Time To Failure: MTTF is just another measure of reliability. It is calculated as 1/λ.
Assuming a constant failure rate, the MTTF for Example 3.1 is 8.62 million hours or 984 years.
SFF, Safe Failure Fraction: the number of all failures in comparison to dangerous undetected
failures, expressed in %. This number is more important to the manufacturer than to the user, as a
manufacturer's device must have an SFF above 90% to qualify for SIL 2 certification.
Some manufacturers claim their device is better because it has a higher SFF. It is important to
understand that this is just a ratio.
Proof Test Interval: A proof test for a device is the test defined by the manufacturer to be
performed which will discover any dangerous undetected faults. The proof test interval relates to how
often testing has to be performed on the device to maintain the published PFDavg. The interval needs
close review, as the PFDavg can be made to look very good if frequent testing is performed. For
example, testing a device once a month lowers the PFDavg but requires a large staff. Plants prefer to
test the system only during a plant shutdown, which can be in excess of five years apart. Typically, the
manufacturer sets the proof test interval to one year. It is up to the customer to set the actual interval.
MTTR, Mean Time To Repair: the time it would take to replace a faulty device. This is important as
it also affects the PFDavg. MTTR is typically 8 hrs.
Diagnostic coverage: the percent of failures that are detected by internal diagnostics. Not a very
useful number, as:
1. many failures are detectable without a diagnostic
2. the figure has no standard to compare against. For example, a device with 100
faults which can detect 90 faults has 90% diagnostic coverage, whereas a device with 20
faults which can detect 15 faults has 75% diagnostic coverage. The 20-fault device has a
lower diagnostic coverage but has five fewer faults and could be a safer device.
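The FMEDA quantities defined in this section, worked through in code as an added example (not code from the study guide or from any FMEDA agency): the observed λ from Example 3.1's field data, its FIT and per-year forms, the basic PFDavg = λt/2, MTTF = 1/λ, the SFF, and the diagnostic coverage comparison just above. The population figures are those of Example 3.1; the four-way failure-rate split used for the SFF call is constructed to reproduce the 92.8% quoted in Section 2, and the function names are this example's own. Note that the text's MTTF of 8.62 million hours / 984 years is what you get by rounding λ to 0.116 failures per million hours before inverting; the code keeps full precision and so lands a little lower.

```python
# Added example (not from the study guide): computing the FMEDA-style figures
# discussed above from field data. The field data are those of Example 3.1 in
# the text (1306 transmitters, 3 years, 4 failures, yearly proof test); the
# failure-mode split used for the SFF call in main() is constructed, and the
# function names are this example's own.

HOURS_PER_YEAR = 8760
FIT = 1e-9  # one FIT (failure in time) = one failure per 1e9 device-hours


def failure_rate(failures, units, years):
    """Observed lambda in failures per device-hour from a population's field history."""
    device_hours = units * years * HOURS_PER_YEAR
    if device_hours <= 0:
        raise ValueError("need a positive number of device-hours")
    return failures / device_hours


def to_fits(lam):
    """Express a per-hour failure rate in FITs (638 x 10^-9 per hour -> 638 FIT)."""
    return lam / FIT


def failures_per_year(lam):
    """Per-hour rate scaled to failures per year of operation."""
    return lam * HOURS_PER_YEAR


def pfd_avg(lam_du, test_interval_hours):
    """Basic single-device approximation PFDavg = lambda_DU * T / 2.
    Only dangerous undetected failures accumulate between proof tests, so the
    dangerous undetected rate is the input; a longer interval raises the PFD."""
    return lam_du * test_interval_hours / 2


def mttf_hours(lam):
    """Mean Time To Failure = 1 / lambda, assuming a constant failure rate."""
    return 1.0 / lam


def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF: the share of the overall failure rate that is anything other than
    dangerous undetected (safe detected + safe undetected + dangerous detected)."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (total - lam_du) / total


def diagnostic_coverage(detected_faults, total_faults):
    """Fraction of a device's faults that its internal diagnostics can detect."""
    return detected_faults / total_faults


def example_3_1(test_interval_hours=HOURS_PER_YEAR):
    """Reproduce Example 3.1: lambda, PFDavg at a yearly proof test, and MTTF.
    As in the text, the field failures are treated as dangerous undetected
    (they were only found by the yearly test)."""
    lam = failure_rate(failures=4, units=1306, years=3)
    return {
        "lambda_per_hour": lam,
        "lambda_fits": to_fits(lam),
        "failures_per_year": failures_per_year(lam),
        "pfd_avg": pfd_avg(lam, test_interval_hours),
        "mttf_years": mttf_hours(lam) / HOURS_PER_YEAR,
    }


if __name__ == "__main__":
    r = example_3_1()
    print(f"lambda = {r['lambda_per_hour'] * 1e6:.3f} failures per million hours "
          f"= {r['lambda_fits']:.0f} FIT = {r['failures_per_year']:.4f} per year")
    print(f"PFDavg (yearly proof test) = {r['pfd_avg']:.2e}; MTTF = {r['mttf_years']:.0f} years")
    # Constructed split in FIT (SD, SU, DD, DU) giving the 92.8% SFF quoted in Section 2.
    print(f"SFF = {safe_failure_fraction(500, 300, 128, 72):.1%}")
    # The two devices of the diagnostic-coverage comparison in the text.
    print(f"DC: {diagnostic_coverage(90, 100):.0%} vs {diagnostic_coverage(15, 20):.0%}")
```

Running `example_3_1(test_interval_hours=5 * HOURS_PER_YEAR)` shows why the proof test interval needs close review: the same transmitter population gives a PFDavg five times higher when the test is only done at a five-year shutdown.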
Section 3 Quiz
3.1 An FMEDA is typically done by:
a. User
b. Manufacturer
c. Third party
d. Certified FMEDA agency
e. b or c
3.2 λDU (DU) on an FMEDA is:
a. Number of dangerous undetected failures
b. Number of detected dangerous failures
c. Number of don't-use sensors in an SIS
d. A term rarely used in SIS applications
3.3 The actual Proof Test Interval is set by:
a. Manufacturer
b. Third Party
c. Doesn't matter
d. User
Learning Objective
After you have completed this section, you will be able to:
List and briefly explain:
1. The major events in the three phases of the IEC61511 lifecycle
2. The difficulty in engineering a SIS loop
3. Voting systems
4. Requirements for using prior use devices
Analysis
The first thing that is done in the design phase is a functional safety assessment. The standard
clearly dictates that this assessment must be done by a cross functional team. The standard dictates
that the team includes technical, application, operations personnel and at least one senior competent
person.
The first responsibility of the team is to perform a hazard and risk assessment. This assessment will:
1. determine the hazards and/or hazardous events of the process and associated equipment
2. determine the sequence of events leading to the hazardous event
3. determine the process risks associated with the hazardous event
4. determine any requirements for risk reduction
5. determine the safety functions required to achieve the necessary risk reduction
6. determine if any of the safety functions are safety instrumented functions
Performing a HAZOP (hazard and operational risk analysis) is done first. It is one of the new and
significant requirements of IEC61511. The requirement is a process to determine all the possible
hazards in the plant or process and the probability of the hazard actually occurring. There are two
major pieces to the HAZOP, how much is it going to cost including equipment damage and/or human
injury or life and the probability of the hazard occurring.
After all the hazards have been identified and a SIF identified for each hazard, a LOPA (Layers of
Protection Analysis) is performed. A LOPA is required for each SIF. Different safety functions are
assigned to layers and an assessment of the probability of the hazard occurring is derived. The LOPA
process requires documenting how the calculation layers were assigned and how the risk reduction
for each layer is calculated. IEC61511 clearly states this step is to be documented and the logic is
to be clear and traceable.
Figure: layers of protection around the process, from the outside in.
Mitigate: Plant and emergency response; Containment, dike/vessel; Relief valve, rupture disk
Prevent: Safety Instrumented System (emergency shut down at the safety trip level); Operator
intervention (process shutdown); Basic Process Control System (process control, normal behavior)
Process
Figures 3.2 and 3.3 are an example of the assessment of a SIF. They calculate the probability of a
flammable vapor escaping from a tank actually catching fire. The process can be done either
qualitatively or quantitatively. Figure 3.2 is a qualitative example of calculating the probability of the
excess vapor from a vent catching fire. You can tell it is a qualitative assessment as all probabilities
are described in words.
Figure 3.2 (qualitative fault tree): basic events such as No Cooling Water and Source of ignition feed
OR and AND gates up to the intermediate event Excess vapor from vent and the top event Excess
vapor from vent catches fire; every likelihood is rated in words as Quite Possible or Possible.
Figure 3.3 is a quantitative example of calculating the probability of the excess vapor from a vent
catching fire. You can tell it is a quantitative assessment as all probabilities are described numerically.
Either method, qualitative or quantitative, is acceptable. The only requirement per IEC61511 is that
the process be documented and the logic be clear and traceable.
Figure 3.3 (quantitative fault tree): basic events such as No Cooling Water, Hot solvent supply and
Source of ignition, with probabilities including 0.1, 0.25, 0.05, 0.2, 0.4, 0.5 and 0.9, feed OR and AND
gates up to the intermediate event Excess vapor from vent and the top event Excess vapor from vent
catches fire, evaluated at 0.09.
The hazard and the probability of the hazard have now been calculated. The outcome of the
quantitative analysis is 0.09 occurrences per year, or one failure every 11.1 years. If the hazard
analysis determined that every time the hazard happens it costs the company $20 million, and
the corporate policy or insurance policy states that no risk should cost more than $50,000, the risk
must be lowered by a factor of 400 ($20,000,000/$50,000 = 400).
Since the current design is not adequate from a safety standpoint, the risk needs to be lowered.
Some of the options are to:
Reengineer the process so that the hazard does not exist or the risk is low
Add a SIS as a layer of protection to lower the risk
Add other layers of protection to lower the risk
Typically the process cannot be easily redesigned, which leaves two alternatives.
The least expensive alternative is to add an alarm layer of protection. If you take the example in
Figure 3.3 and add an alarm layer, indicated by the AND gates in figure 3.4, the probability of
excess vapor catching fire goes from 0.09 to 0.0065. Mathematically, 1/0.0065 = 153, so the risk
reduction from adding the alarm layer is only 153. Even with this extra layer it is still not enough to
satisfy the corporate or insurance policy.
Figure 3.4 (quantitative fault tree with an alarm layer added): the same events as Figure 3.3 (No
Cooling Water, Hot solvent supply, Source of ignition, Excess vapor from vent, Excess vapor from
vent catches fire) with additional AND gates representing the alarm layer; the values shown include
0.00065, 0.01, 0.025, 0.04, 0.05, 0.065, 0.1, 0.4 and 0.5.
Thus, a SIS must be installed to meet the risk reduction target of 400. Risk reductions are stated as
SIL levels in SIS loops. The first thing that must be looked at is IEC61511 section 9.2.4, where the
SIL tables are located. There are two tables. Table 3 is for demand mode of operation and is the most
frequently used in the process sector. As defined in IEC61511 Part 2, demand mode means the
demand for the action is expected to be less than once per year. Table 4 would be used if the expected
demand is more than once a year.
For our example, a risk reduction of 400 is required. Using Table 3 (Figure 3.4) in IEC61511, look at
the Risk Reduction Factor column to see what block 400 would be and then look to the left to find the
target SIL. With a RRF of 400, this SIS must be SIL2.
Safety Integrity Level   Probability of failure on demand per year   Risk Reduction Factor
SIL 4                    >=10^-5 to <10^-4                           100000 to 10000
SIL 3                    >=10^-4 to <10^-3                           10000 to 1000
SIL 2                    >=10^-3 to <10^-2                           1000 to 100
SIL 1                    >=10^-2 to <10^-1                           100 to 10
Figure 3.4 IEC61511, Section 9, Table 3 - Safety integrity levels: probability of failure on demand
SIL 2 means that when adding up all the PFDs of all the devices in the SIF, and any penalties for
plugged impulse lines or other common cause failures, the PFD will not be less than 10^-3 demands
per year. For a very basic example, figure 3.5 shows a flow application SIS. Using the most basic
calculation, the PFD of this loop is 308 x 10^-2 (228 x 10^-9 + 5 x 10^-9 + 308 x 10^-2).
Figure 3.5: flow application SIS. Sensor: 228 x 10^-9; Logic Solver: 5 x 10^-9; Control Element:
308 x 10^-2.
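The most basic loop calculation, as an added worked example (not code from the study guide): the element PFDs of Figure 3.5 are summed, the loop is placed in a demand-mode SIL band, the dominant element is identified, and the λt/2 relationship from Section 3 is used to see what more frequent proof testing of the valve would do. Sensor and logic-solver values are those in the text; the control element is printed there as 308 x 10^-2, which this example assumes was meant as 3.08 x 10^-2 since a probability cannot exceed 1. The quarterly-testing scenario and all function names are this example's own.

```python
# Added example (not from the study guide): summing the element PFDs of the SIF in
# Figure 3.5 and checking the loop against a demand-mode SIL band. Sensor and
# logic-solver values are the ones in the text (228 x 10^-9 and 5 x 10^-9); the
# control element is assumed to be 3.08 x 10^-2 (see lead-in). Function names
# are this example's own.

# Demand-mode PFDavg bands: SIL -> (lower bound inclusive, upper bound exclusive)
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

FIGURE_3_5 = {
    "sensor": 228e-9,
    "logic_solver": 5e-9,
    "control_element": 3.08e-2,  # assumed reading of the text's "308 x 10^-2"
}


def loop_pfd(elements, penalties=0.0):
    """Most basic series calculation: the SIF's PFDavg is the sum of its element
    PFDs plus any penalties (plugged impulse lines, common cause failures)."""
    return sum(elements.values()) + penalties


def dominant_element(elements):
    """Name of the element contributing most, and its share of the loop PFD."""
    name = max(elements, key=elements.get)
    return name, elements[name] / loop_pfd(elements)


def achieved_sil(pfd):
    """SIL band the loop PFD falls into; 0 means worse than SIL 1."""
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0


def meets_target(elements, target_sil, penalties=0.0):
    """The loop meets a target SIL when its PFD is below the top of that SIL's band."""
    return loop_pfd(elements, penalties) < SIL_PFD_BANDS[target_sil][1]


def rescale_for_test_interval(pfd, old_interval, new_interval):
    """With PFDavg = lambda_DU * T / 2, a device's PFD scales linearly with its
    proof test interval, so testing the valve more often lowers its contribution."""
    return pfd * new_interval / old_interval


if __name__ == "__main__":
    pfd = loop_pfd(FIGURE_3_5)
    name, share = dominant_element(FIGURE_3_5)
    print(f"loop PFD = {pfd:.3e} -> SIL {achieved_sil(pfd)}; {name} carries {share:.2%}")
    print("meets SIL 2:", meets_target(FIGURE_3_5, 2))
    # Constructed scenario: the valve proof-tested quarterly (3 months) instead of yearly (12).
    improved = dict(FIGURE_3_5,
                    control_element=rescale_for_test_interval(FIGURE_3_5["control_element"], 12, 3))
    print(f"with quarterly valve testing: loop PFD = {loop_pfd(improved):.3e}, "
          f"meets SIL 2: {meets_target(improved, 2)}")
```

The output makes the point of the design discussion that follows: the sensor and logic solver together contribute well under a millionth of the loop PFD, so no choice made there moves the result until the valve's contribution has been brought down.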
The Analysis phase is just about complete. The last requirement is the SIS safety requirements
document. This document is produced by the safety team and is a very comprehensive document that
describes all the requirements of the SIS. It starts with the description of the SIF and then describes the:
Safe state of the process
The assumed demand rate
Test intervals
Response time requirements
SIL level
Manual shutdown requirements
How to restart the system
Maximum allowable spurious trip rate
Interfaces between the SIS and other systems
Extremes of environmental conditions
Time to repair requirements
And many other requirements
DESIGN
The design phase is where the SIS safety requirements document comes to life. This is where the
equipment and equipment configuration are selected to meet the documented requirements.
Getting the equipment needed to meet the SIL level specified in the Safety Requirements Document
can be a long, laborious task. It is a juggling act of finding the right equipment that:
requires the least amount of maintenance and testing
meets the required performance specifications
will have the least amount of spurious trips
works in the proposed environment
has the required response time
has the required Mean Time To Repair
Figure 3.6 - design loop: Select Architecture, Determine Test philosophy, Reliability/safety evaluation, SIL Achieved?
Figure 3.5 is a typical first calculation where the PFD is 308 x 10^-2 for the loop. You should notice that
the valve's PFD is so dominant that the other devices are insignificant in the calculation. Valves
have large PFDs because they are primarily mechanical, and the mechanical pieces don't move in a
SIS unless an upset is detected. There are strategies to lower the PFD number of the valve so the
other devices become more significant, such as using certified positioners or testing more often. At
some point the cost of the valve configuration becomes unrealistic, and it is time to look at the sensor and
logic solver to help lower the PFD.
To begin, the first step is to look at the fault tolerance table. The fault tolerance table indicates the
mandated minimum number of redundant sensors needed for a particular SIL. The table is in
IEC61511. In our example we need SIL2, which (refer to figure 3.7) requires a minimum of two sensors to stay in
compliance.
Figure 3.7 - IEC61511 fault tolerance table: columns SIL and FTmin (see 61508)
Figure 3.8 is an example using the fault tolerance table. For a SIL1 application the fault tolerance is
0, which means all you need for your SIS is one sensor. For a SIL2 application the fault tolerance is 1,
which means you need two sensors, one and a backup, for your SIS.
Figure 3.8 - fault tolerance table example: SIL, FTmin (see 61508), with BPC devices
There are three ways to qualify/justify equipment to be used in an SIS. The combination of the right
equipment and redundancy is needed to lower the PFD. The key is getting the two critical pieces of
information needed to verify the SIS meets the SIL requirement: PFD and SFF. The three ways are:
1. You can use existing equipment or new non-certified equipment. Using existing or new non-certified
equipment requires the user/designer/integrator to look for equipment reliability data.
There are multiple sources for this data: OREDA (Offshore Reliability database), CCPS
(American Society of Chemical Engineers database), or EXIDA, which has its own reliability
database. A person could look up a piece of equipment and get the MTBF (Mean Time Before
Failure). They could then calculate PFD as it is the reciprocal of the MTBF. There is no SFF
data published, so an educated estimate must be made. There are many issues with designing
using database information, but the primary one is that analog pressure transmitters, smart
pressure transmitters, and pressure switches are frequently lumped together. Being lumped
together yields a very high PFD, which makes the user use maximum redundancy in the design. So
the initial lower cost of using standard equipment is offset by the added redundancy and proof test
requirements.
2. You can qualify existing equipment through the Prior Use clause in the standard. For Prior
Use the user is required to keep a large database of equipment types, revisions, installation
connections, and installation processes. The user can then use this database to calculate all the
data needed to verify the SIS meets the SIL. The issue is maintaining the database,
especially with the new requirements of IEC61511.
Qualifying a piece of hardware under IEC61511 Prior Use now requires:
a. Consideration of the manufacturer's quality management, configuration management, and
management of change.
1. The manufacturer must have a process that documents the impact of product modifications.
b. Demonstration of performance of components in similar operating profiles and
environments.
c. Maintaining a list of approved use based on extensive history in safety or non-safety
applications.
1. The list must be maintained and reviewed regularly
2. Field devices can be added after sufficient operating experience
3. Field devices must be removed when they have a history of not performing
4. Process applications are included
If the database can be maintained, the reward is less redundancy needed in the design.
IEC61511 lets you take a credit of one if you can qualify a sensor under Prior Use. Figure 3.9
shows an example of getting the fault tolerance credit. With the credit I only have to use one
sensor in the SIL2 loop.
Figure 3.9 - fault tolerance table with the Prior Use credit: SIL, FTmin, Prior Use credit of -1 (see 61508)
3. You can buy certified equipment. Certified equipment lowers the PFD and lowers the
redundancy requirements, but it is typically specialized equipment that is not as reliable as
standard equipment. So even though certified equipment will make it easier to meet the
required PFD and SFF, it traditionally has a higher spurious trip rate and might require
special maintenance. A spurious trip is defined as a trip of the SIS caused by a device malfunction,
not by the process. The advantage of certified equipment, other than less redundancy, is that
the manufacturer is responsible for making sure all changes made within the transmitter do not
affect the safety of the transmitter.
Figure - fault tolerance table with the IEC61508 certified credit: SIL, FTmin, certified IEC61508 credit of -1 (see 61508)
Figure 3.9 shows an example of getting the fault tolerance credit. With the credit you only have to use
one sensor in the SIL2 loop.
Another redundancy configuration utilized sometimes is specified with a D at the end. Examples are
1oo2D or 2oo2D. The D means that the control system has separate hardware to alarm in case of a
failure. The advantage of the diagnostic channel is lower PFDs without redundant sensors.
Common cause problems are sometimes an issue with voting systems. Common cause faults are
faults that a shared stress, such as pressure, temperature, or humidity, could cause. The stress would cause an
undetected failure to be present in all the equipment at the same time, and the user would never know it. For
example, a high temperature could cause the same undetected failure in every sensor. Many experts
say that using a variety of technologies (diversity) is the safest way to go. However, diversity only
provides value if the backup is immune to the stress that affects the primary sensor. Using a variety
of technologies can also complicate proof testing and maintenance.
Part of the loop PFD calculation addresses identical redundant equipment. This correction is specified
as beta and can sometimes be found on the FMEDA report. Some manufacturers (Rosemount) do
not publish a beta on the FMEDA, as beta is only used in voting systems and the FMEDA is for a
single device. Additionally, this calculation requires more information than a single device's data.
Sometimes the correction to the PFD is small, but it can also be significant.
Be aware that things are not as intuitively obvious when it comes to SIS. Dual redundancy is not
always better than single redundancy, and triple redundancy is not always better than dual
redundancy. The choice of technology, redundancy, and test interval makes a big difference.
Different tactics/philosophies are used at this stage to select SIS hardware. Some use internal staff,
some over-engineer almost everything, thinking they are safe no matter what the requirement is, and
others use engineering firms that specialize in SIS.
On one end of the spectrum are the big multinational companies. They are staffed to design a
system providing the safety coverage needed at the right CAPEX and OPEX. They have reliability
departments that track and supply data to support using standard BPCS equipment in SIS under the
Prior Use clause. They have specialized departments that can specify a system that is safe and
economical.
Some plants take the easy way and just make all loops SIL3 plant wide and do not pursue extensive
calculations. If there is a hazard, they install a SIL3 loop. This can be a very expensive way of
complying with the SIS standards, in both CAPEX and OPEX. The increased CAPEX comes from having to
buy extra equipment, wiring, system I/O, and from installation cost. After installation there are high OPEX
costs from performing the extra proof tests.
Engineering firms are starting to emerge that specialize in safety standard compliance and safety
shutdown systems. Process companies of all sizes hire these firms to help them in all aspects of
safety compliance. These specialized engineering firms have people that specialize in areas from
HAZOPs to SIL selection, to SIS specifying, installation, and startup.
Many plants outsource their SIS engineering. Most of the outsourcing is to their normally contracted
engineering firm, of which some have expertise in SIS and some don't. This is where you will have the
most questions and probably the most marginally acceptable SIS engineering. This is especially true
in jobs where the emphasis is on low cost.
There are some tools available on the market to help your customers through the design phase. For
example, Exida has a program called SilVer, an online program with a large reliability
database that allows the user to select many different technologies from a variety of manufacturers.
The program uses reliability data from multiple sources and asks the difficult questions to account for
other faults such as impulse lines. The user initially selects a sensor, logic solver, architecture,
and final element. The program then calculates the PFD and the SIL level that can be achieved by
that configuration. It then allows the user to keep modifying the variables until the required SIL is
reached.
As stated earlier, SIS design is not an easy task. Only the biggest companies are staffed and have
the proper tools while others contract design work to safety specialty engineering firms.
a. 2oo2
b. 2oo3
c. 3oo2
d. 1oo3
Learning Objective
After you have completed this section, you will be able to:
Briefly explain:
How fast IEC61511 is being adopted.
What the next major modification will be to IEC61511.
Safety has always been an important part of the process industry. Many years ago the process
industry figured out it needed to police itself to ensure that workers, plants, and surrounding
communities are safe. They knew that if they did not police themselves, the government would.
As time went on, different standards became the standard to follow. Sometimes the standards were
modified as a better practice was determined. Sometimes the standards were modified as technology
changed. Europe was the world leader in drafting safety standards. In other world areas safety
standards were created or modified in response to a catastrophic plant accident.
International agreement is finally here. IEC61511 was basically ten years in the making and is gaining
popularity. Within this next year IEC61511 will become the standard for the European Community
and the United States. There will be some changes by world area, but the basics of the standard will
be common to all.
An example of a small change per world area is the United States. The standard for the United States
has been ISA S84.01. ISA is in the process of replacing ISA S84.01 with IEC61511. The new document
will be titled ISA S84.01 (2003). It is IEC61511 with one small modification that allows users to adopt the
standard while all existing installations are grandfathered. This means that even though the user
adopts IEC61511, they do not have to go through their plant immediately and bring it into compliance.
They can bring their existing installations into compliance during the normal review cycle, which is
every three to five years.
The next major modification to the standard is allowing different protocols to be used in SIS
applications. Today the standard only recognizes 4-20mA as a safe signal. Profibus has released a
version with a Safety layer within the protocol which is being recognized as safe. Foundation
fieldbus is working on getting certified for use in SIS applications. Currently there is an ISA committee
working on drafting a requirements document to allow digital protocols in SIS applications that will
eventually become part of IEC61508 and IEC61511. It could be another year or two before digital
buses are approved for use in a SIS.
As with all IEC documents, IEC61511 will be reviewed and updated in five years.
Section 5 Quiz
5.1 How fast are the United States and Europe going to adopt IEC61511?
a. The next world environmental summit
b. Within the next five years
c. Within the next two years
d. Within the next year
5.2 The next major modification to the IEC61511 will be
a. Additional requirements for Prior Use devices
b. Allowing the use of digital buses
c. Addition of a grandfather clause
d. Additional requirements for system integrators