
Safety Integrity Level (SIL)

Paul Lucas, ABB Engineering Services

13 March 2007
© ABB Group - 1 -
21-Mar-07
Agenda

- Why do we need SIL systems?
- Where does the SIL concept come from?
- What is a SIL?
- The Three Steps of SIL
  - Set the target SIL (SIL Determination)
  - Design to meet the target SIL
  - Operate and Maintain to keep hitting the target SIL
Why do we need SIL systems?

- BP Texas City, USA 2005
- Buncefield, UK 2006
Safety Issues

- How do you demonstrate that your operations are ‘safe’?
- How do you demonstrate that your equipment is ‘safe’?
- How do you demonstrate that your safety and protective systems protect against your hazards?

You can answer these questions by demonstrating compliance with Industry Safety Standards.
Functional Safety Standard - IEC61508

- Generic Standard supported by Sector variants (IEC61511 for Process Sector)
- Guidance on use of Electrical, Electronic and Programmable Electronic Systems which perform safety functions
- Considers the entire Safety Critical Loop
- Comprehensive approach involving concepts of Safety Lifecycle and all elements of protective system
- Risk-based approach leading to determination of Safety Integrity Levels - SIL
Generic and Application Sector Standards

- IEC61508: generic standard
- IEC61511: Process Sector
- IEC61513: Nuclear Sector
- IEC62061: Machinery Sector
- Medical Sector: IEC sector standard
IEC61511 Safety Lifecycle

(Lifecycle diagram; the boxes read:)
1 Hazard and Risk Assessment
2 Allocation of safety functions to protection layers
3 Safety Requirements specification for the safety instrumented system
4 Design & Engineering of Safety Instrumented System (in parallel with Design & Development of other means of risk reduction)
5 Installation, Commissioning and Validation
6 Operation and Maintenance
7 Modification
8 Decommissioning
9 Verification
10 Management of functional safety and functional safety assessment and auditing
11 Safety Life-Cycle structure and planning
Step 1 – Set the Target SIL

(IEC61511 Safety Lifecycle diagram, repeated from the IEC61511 Safety Lifecycle slide above.)


Hazard and Risk Assessment

- Trevor Kletz (safety guru) sums it up as:
  - How big
  - How often
  - So what?
- What are the hazardous events – the consequence
- How often may they occur – the frequency

  Risk = Consequence * Frequency

- Is this unacceptable to the company/ regulator/ society?
- What risk is tolerated?
Tolerable Risk and ALARP

- Intolerable (High Risk): Risk cannot be justified on any grounds
- ALARP or Tolerability Band: May be “Tolerable” if risk level is As Low As Reasonably Practicable (ALARP)
- Broadly Acceptable (Low Risk): No need for detailed working to demonstrate ALARP

ALARP = As Low As Reasonably Practicable
Risk Reduction to meet tolerable risk

(Diagram: an axis of increasing risk running from Residual Risk, through Target Risk, up to Process Risk.)
- Necessary risk reduction: from Process Risk down to Target Risk
- Actual risk reduction: from Process Risk down to Residual Risk
- Risk reduction from all Non-Instrumented Prevention / Mitigation Measures
- Risk reduction from Safety Instrumented Function (SIF) – expressed as its SIL
Expressing SIL

SIL     Risk Reduction     Probability of failure on demand (PFD)
SIL 1   10 – 100           0.1 to 0.01
SIL 2   100 – 1000         0.01 to 0.001
SIL 3   1000 – 10000       0.001 to 0.0001
SIL 4   10000 – 100000     0.0001 to 0.00001
Methods for SIL Determination

- Safety Layer Matrix
  - IEC 61511-3 Annex C
- Risk Graphs
  - IEC 61511-3 Annex D
- Layer of Protection Analysis (LOPA)
  - IEC 61511-3 Annex F
- Fault Tree Analysis
  - IEC 61511-3 Annex B
Risk Graph

(Risk graph figure: the path through the C, F, P and W parameters below reads off the target SIL, from SIL 1 up to SIL 4.)

Extent of Damage
- Ca = Minor Injury
- Cb = Lost time injury
- Cc = Major Injury
- Cd = On-site fatality
- Ce = Multiple on-site fatalities or one off-site fatality

Proportion of Time of Exposure to Hazard
- Fa = Low (< 0.1)
- Fb = High (> 0.1)

Mitigating Factors
- Pa = Good Chance of Avoiding Consequences (> 90%)
- Pb = Poor Chance of Avoiding Consequences (< 10%)

Prob or Freq of Hazardous Event
- W1 = Very Low (F < 0.01 / YR)
- W2 = Low (F > 0.01 / YR)
- W3 = Relatively High (F > 0.1 / YR)

LOPA

- For each initiating cause, calculate which layers provide protection
- Multiply for Event Frequency

PFDavg Calculation

Initiating   Frequency   Independent Layer of Protection (PFD)     Intermediate
Cause        (/yr)       1      2      3      4      5      6      Event Frequency
A            0.1         1      0.01   1      0.1                  0.0001
B            0.1         0.1    0.01   1      0.1                  0.00001
C            0.5         0.1    0.01   1      1                    0.0005
D
E
F
                                                    (Add for Total Event Freq)
Total Event Frequency, Fe/yr                                       0.00061
Maximum PFDavg for Safety Instrumented Function, Ft/Fe             0.0492
Target Safety Integrity Level                                      SIL 1

PFD = Target (0.00003) / Total Event (0.00061) = 0.0492
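The LOPA sheet above worked through in Python, as an added example that is not part of the presentation: each initiating cause's frequency is multiplied by the PFDs of the layers that apply to it, the intermediate frequencies are added to give Fe, and the target frequency Ft = 0.00003 /yr divided by Fe gives the maximum PFDavg the SIF may have, which the Expressing SIL bands turn into a target SIL. The inclusive lower band boundary is the IEC convention, not something the slide states.

```python
from math import prod

# Added example, not from the presentation. LOPA table from the slide:
# initiating cause -> (frequency per year, PFD of each independent protection
# layer that applies to it). A blank layer on the slide is left out (factor 1).
LOPA_TABLE = {
    "A": (0.1, [1, 0.01, 1, 0.1]),
    "B": (0.1, [0.1, 0.01, 1, 0.1]),
    "C": (0.5, [0.1, 0.01, 1, 1]),
}
TARGET_FREQUENCY = 0.00003   # Ft, tolerable frequency of the hazardous event (/yr)

# Bands from the Expressing SIL table as (lower PFD, upper PFD, SIL). The lower
# bound is taken as inclusive, following the IEC convention 10^-2 <= PFD < 10^-1 for SIL 1.
SIL_BANDS = [(0.01, 0.1, 1), (0.001, 0.01, 2), (0.0001, 0.001, 3), (0.00001, 0.0001, 4)]


def intermediate_event_frequency(initiating_freq, layer_pfds):
    """Frequency reaching the SIF: initiating frequency times every layer PFD."""
    return initiating_freq * prod(layer_pfds)


def total_event_frequency(table):
    """Fe: add the intermediate frequencies of all causes that lead to the same event."""
    return sum(intermediate_event_frequency(f, pfds) for f, pfds in table.values())


def required_sif_pfd(target_freq, event_freq):
    """Maximum PFDavg the SIF may have so that Fe is brought down to Ft: Ft / Fe."""
    return target_freq / event_freq


def sil_for_pfd(pfd):
    """Map a required PFDavg to a SIL; 0 means no SIL-rated function is needed (PFD >= 0.1)."""
    if pfd >= 0.1:
        return 0
    for low, high, sil in SIL_BANDS:
        if low <= pfd < high:
            return sil
    raise ValueError("required PFD below the SIL 4 band: add protection layers instead")


def lopa(table, target_freq):
    """Run the LOPA sheet: returns (Fe, maximum SIF PFDavg, target SIL)."""
    fe = total_event_frequency(table)
    pfd = required_sif_pfd(target_freq, fe)
    return fe, pfd, sil_for_pfd(pfd)


if __name__ == "__main__":
    fe, pfd, sil = lopa(LOPA_TABLE, TARGET_FREQUENCY)
    print("Fe = %.5f /yr, max PFDavg = %.4f, target SIL %d" % (fe, pfd, sil))
```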
Comparison of Methods

                                            Safety Layer   Risk Graph   LOPA     Fault Tree
                                            Matrix                               Analysis
Initial Screening                           R              R            R        NR
Detailed Analysis                           NR             NR           R        R
Multiple Causes with Different Protection   NR             NR           R        R
Potential Dependency                        NR             NR           NR       R
Output (SIL or PFDavg)                      SIL            SIL          PFDavg   PFDavg
Need to include specific Human Factors      NR             NR           R        R
Suitable for SIL                            1              1            1&2      >1

NR = Not recommended; R = Recommended
Summary of Step 1

- Get the Target SIL correct
  - Save time, money, equipment, maintenance
- Calibrate any method for YOUR tolerability
- Use method suitable for the consequences
Step 2 – Design to meet the target SIL

(IEC61511 Safety Lifecycle diagram, repeated from the IEC61511 Safety Lifecycle slide above.)


Random Hardware Failures

- Any item of equipment in a protective system can fail.
- There are broadly two types of system failure
  - Fail Safe
    - component failure to an open circuit condition, loose connections, loss of power (air or electrical)
    - These will cause the system to shut down the plant unnecessarily but are self revealing and ‘fail safe’.
  - Fail to Danger
    - contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked
    - These are ‘fail to danger’ because, when a demand occurs, the system cannot respond i.e. un-revealed failures
    - These are the failures we need for the PFD calculation
Example

- High Pressure Trip: Pressure Transmitter -> Trip Amp -> Relay -> Solenoid Valve -> Trip Valve
A Single Channel System – 6 month testing

Pressure Transmitter -> Trip Amplifier -> Relay -> Solenoid Valve -> Trip Valve

Overall dangerous failure rate for the channel is the sum of the rates for the components.

λd = 0.067 + 0.05 + 0.0033 + 0.033 + 0.033 = 0.1863 per year

PFDavg = ½ T x λd

If this is tested every 6 months then,

PFDavg = ½ x 0.5 x 0.1863 = 0.047

which is near the middle of SIL 1
Safety Integrity Level – Achieved PFDavg

(SIL scale figure)
PFDavg:   0.1 (10^-1)   0.01 (10^-2)   0.001 (10^-3)   0.0001 (10^-4)   0.00001 (10^-5)
                SIL 1          SIL 2            SIL 3             SIL 4
Reference points marked: PFDavg = 0.05 and PFDavg = 0.005
Achieved: PFDavg = 0.047 (6 Month test interval)
The Need For Testing

Testing can expose un-revealed failures

(Figure: a timeline of proof tests at a fixed Test Interval; the channel is Healthy until an unrevealed fault occurs, then Faulty for the Dead Time until the next Test finds it; a Demand marked x falls within that dead time.)

- Fail to Danger
  - contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked
  - These are ‘fail to danger’ because, when a demand occurs, the system cannot respond i.e. un-revealed failures
  - Only exposed by testing
Multiple Channels And Common Cause Failure (β)

More complicated – but same principles

For One Channel (1 out of 1)
  PFDav1 = ½ λd T

For Two Channels (1 out of 2)
  PFDav2 = 4/3 [PFDav1]^2 + β [PFDav1]    or    PFDav2 = 1/3 (λd)^2 T^2 + β [PFDav1]

For Three Channels (1 out of 3)
  PFDav3 = 2 [PFDav1]^3 + β [PFDav1]      or    PFDav3 = 1/4 (λd)^3 T^3 + β [PFDav1]

For Two Channels (2 out of 3)
  PFDav2 = 4 [PFDav1]^2 + β [PFDav1]      or    PFDav2 = (λd)^2 T^2 + β [PFDav1]

Taken From Practical Industrial Safety, Risk Assessment & Shutdown Systems, Dave MacDonald.
Sources of Data

- Manufacturer’s data
  - Based on either returned goods or predictions using either
    - FMEA (failure mode effects analysis) or
    - FMEDA (failure mode effects and diagnostic analysis)
  - These should not be confused with real field failure rates based on actual use of the units
- Field data (61511 uses term prior use)
  - Based on similar operating conditions and environment
  - Should be collected using a methodical / auditable process and allow for errors (misreporting / non reporting) in the collection of the data
- Generic data
  - From an extensive history of similar industries found to be appropriate
‘Checking’ the numbers

- IEC 61511 architectural constraints
  - Hardware Fault Tolerance
  - Designed to verify that the ‘numbers’ make sense
  - No mathematical basis for the figures
  - Based on experience
  - Specified SIL can be reduced with operational experience and analysis

(Figure: two parallel channels, each Analyser -> Trip Amp -> Solenoid -> Trip Valve, combined through Relay Logic.)
Constraint - Hardware Fault Tolerance (1)

- Used for sensor, final elements and non PE Logic Solver
- Table 6 in IEC61511 Part 1
- Increased fault tolerance can enable easier maintenance and testing
Constraint - Hardware Fault Tolerance (2)

- Applies to PE Logic Solvers
- Table 5 in IEC 61511 Part 1
- The ‘cleverer’ the PES, the less fault tolerance required for the target SIL

More complex tables in IEC61508 – used for certified instruments to reduce HFT

Manufacturer’s Data – Example 2

(Figure only.)
Non-Hardware faults - Systematic

- Because of the findings from ‘Out of Control’ and other work…
  - Large number of faults are not caused by hardware
  - We need appropriate processes, procedures, methods – ‘systems’ in place to control these faults

(Pie chart: where the faults arise)
- Specification 43%
- Changes after commissioning 21%
- Design & implementation 15%
- Operation & maintenance 15%
- Installation & commissioning 6%
Problems with software – systematic faults

- How do you make software 10 times better?
  - How do you measure software?
  - What is the probability of Fail to Danger (pfd) of a lump of code?
- You cannot measure software like hardware – quantitative methods
  - You have to use more rigorous techniques for software required for higher level SIL – qualitative methods
Example of Software Techniques

Technique/Measures                                                 Ref              SIL 1  SIL 2  SIL 3  SIL 4
1a Structured methods including for example JSD, MASCOT, SADT      C.2.1            HR     HR     HR     HR
   and Yourdon
1b Semi-formal methods                                             Table B.7        R      HR     HR     HR
1c Formal methods including for example CCS, CSP, HOL, LOTOS,      C.2.4            --     R      R      HR
   OBJ, temporal logic, VDM and Z
2  Computer-aided design tools                                     B.3.5            R      R      HR     HR
3  Defensive programming                                           C.2.5            --     R      HR     HR
4  Modular approach                                                Table B.9        HR     HR     HR     HR
5  Design and coding standards                                     Table B.1        R      HR     HR     HR
6  Structured programming                                          C.2.7            HR     HR     HR     HR
7  Use of trusted/verified software modules and components         C.2.10, C.4.5    R      HR     HR     HR
   (if available)

Table A.4 - Software design and development: detailed design
(HR = highly recommended, R = recommended, -- = no recommendation for or against)
Summary of Step 2

- 80% - 90% of safety functions should be SIL1
  - Single channel, reasonable test intervals, no HFT to consider
- High SIL, complex architecture
  - Use a specialist
  - Shorter test intervals (simple SIL calculations may not apply)
  - Additional hardware (including final elements)
  - Common cause faults, hardware fault tolerance, SFF, DC
  - Systematic controls
- Take care with instrument data
  - Field data is best
  - Manufacturer’s data is a prediction, will need to be adjusted for plant conditions
Step 3 – Operate and Maintain to meet the SIL

(IEC61511 Safety Lifecycle diagram, repeated from the IEC61511 Safety Lifecycle slide above.)


Operation and Maintenance

- What activities are required to ensure the Safety Instrumented System keeps meeting the target SIL?
- What operations and test data need to be kept and recorded to verify SIL determination and Design assumptions?
Proof Tests – 61511 states…

- Periodic proof tests shall be conducted using a written procedure
- The entire SIS shall be tested including the sensor(s), the logic solver and the final element(s)
- Different parts of the SIS may require different test intervals
- The frequency of the proof tests shall be decided using the PFDavg calculation
- At some periodic interval the frequency of the testing shall be re-evaluated.
Why record Demands?

- To demonstrate the design demand rate is not being exceeded
- To demonstrate that the causes of demand are as expected
- To check causes and rates of failsafe demands
- To be able to carry out periodic reviews
Why record Proof Test Records/Results?

- To demonstrate that testing is being carried out at specified interval
- As an auditable trail to the recorded results
- To indicate who carried out the tests
- To demonstrate that faults found have been rectified
- To be able to carry out periodic reviews
- Need to record results in a manner which enables the results to be extracted/ presented in a format which makes reviews possible
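A periodic-review check of the kind the two record-keeping slides call for, written as an added example (not from the presentation) over constructed proof-test and demand records: it flags gaps between tests longer than the specified interval, faults found but not rectified, and an observed demand rate above the design assumption. The 183-day interval, the tester initials and the 1 demand/year design rate are assumed sample values.

```python
from datetime import date

# Constructed sample records (not from the presentation) for one SIF.
# Proof tests: (date, tester, faults found, faults rectified)
PROOF_TESTS = [
    (date(2006, 1, 10), "AB", 0, 0),
    (date(2006, 7, 5), "CD", 1, 1),
    (date(2007, 2, 20), "AB", 1, 0),   # late test, and its fault is still open
]
# Dates of genuine trip demands on the SIF during the review period
DEMANDS = [date(2006, 3, 2), date(2006, 9, 14), date(2006, 11, 30)]
TEST_INTERVAL_DAYS = 183       # assumed: the 6-month interval used in the PFDavg calculation
DESIGN_DEMAND_RATE = 1.0       # assumed: demands per year used in the SIL determination


def overdue_tests(tests, interval_days):
    """Pairs of consecutive test dates whose gap exceeds the specified interval."""
    dates = sorted(t[0] for t in tests)
    return [(a, b) for a, b in zip(dates, dates[1:]) if (b - a).days > interval_days]


def unrectified_faults(tests):
    """Tests that found more faults than were rectified."""
    return [t for t in tests if t[2] > t[3]]


def demand_rate_per_year(demands, start, end):
    """Observed demand rate over the review period [start, end)."""
    count = sum(1 for d in demands if start <= d < end)
    return count / ((end - start).days / 365.25)


def review(tests, demands, interval_days, design_rate, start, end):
    """Periodic review: gather the evidence the record-keeping slides ask for."""
    rate = demand_rate_per_year(demands, start, end)
    return {
        "overdue_tests": overdue_tests(tests, interval_days),
        "open_faults": unrectified_faults(tests),
        "demand_rate": rate,
        "demand_rate_exceeded": rate > design_rate,
    }


if __name__ == "__main__":
    result = review(PROOF_TESTS, DEMANDS, TEST_INTERVAL_DAYS, DESIGN_DEMAND_RATE,
                    date(2006, 1, 1), date(2007, 1, 1))
    for key, value in result.items():
        print(key, value)
```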
Summary of the 3 steps

- Get the Target SIL correct
  - Save time, money, equipment, maintenance
- Design to meet the SIL
  - More than failure rates
  - Where do you get failure data from?
  - Hardware Fault Tolerance and Systematic controls
- Operate and Maintain to keep the SIL
  - Testing
  - Recording
  - Analysing and improving
