Functional Safety Questions & Answers

The document provides definitions for various concepts related to functional safety and safety instrumented systems (SIS). It defines Process Hazard Analysis (PHA), Layer of Protection Analysis (LOPA), Safety Instrumented System (SIS), Safety Instrumented Function (SIF), Safety Integrity Level (SIL), Safe Failure Fraction (SFF), Probability of Failure on Demand (PFDavg), Failure Modes, Effects and Diagnostic Analysis (FMEDA), and the IEC 61508 and IEC 61511 functional safety standards. It also discusses concepts like risk analysis methods, SIL assignment techniques, safety lifecycles, and common cause failures.

Uploaded by Jêmš Navik

Functional Safety Questions & Answers

What is PHA?
Process Hazard Analysis: the first step in an organized and systematic assessment of the potential hazards associated
with an industrial process. Its output (identified hazards, their causes, consequences and existing safeguards) is the
input to LOPA and to SIL assignment.
What is LOPA?
Layer of Protection Analysis: a semi-quantitative PHA tool that starts with the data developed in the Hazard and
Operability (HAZOP) study and, for each hazard scenario, documents the initiating cause, its frequency, and the
independent protection layers that prevent or mitigate the hazard. Comparing the resulting mitigated event frequency
with the tolerable frequency gives the risk reduction, and hence the SIL, required of the SIF.
What is SIS?
Safety Instrumented System: IEC 61511 defines a SIS as an "instrumented system used to implement one or more
safety instrumented functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final
element(s)."
What is SIF?
Safety Instrumented Function: a function, implemented by the SIS, designed to respond to conditions within a plant
that may be hazardous in themselves or that, if no action is taken, could result in a hazardous event.
Each SIF is assigned a particular SIL.
What is SIL?
Safety Integrity Level: a discrete level (SIL 1 to SIL 4) specifying the safety integrity, i.e. the risk reduction,
required of a SIF; the higher the SIL, the greater the required risk reduction. The output of the Process Hazard
Analysis effort is the operational definition of each safety loop and the assignment of a SIL target to it.
SIL 3 is generally the highest rating applied in the process industries; SIL 4 is defined by the standards but is rarely
used there.
What is SFF?
Safe Failure Fraction: the fraction of a device's overall failure rate that is not dangerous-undetected,
SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU).
To be used at a given SIL, a DEVICE must meet or exceed the minimum SFF that the IEC 61508-2 architectural
constraints table requires for its hardware fault tolerance (HFT) and device type (A or B); a low SFF can be
compensated only by adding redundancy (higher HFT).
The failure-rate split is obtained from a FMEDA.
What is PFDavg?
Average Probability of Failure on Demand: for a SIF operating in low-demand mode, a DEVICE (and the loop as a
whole) must have a PFDavg below the upper bound of the target SIL band: SIL 1, 10^-2 <= PFDavg < 10^-1;
SIL 2, 10^-3 to 10^-2; SIL 3, 10^-4 to 10^-3; SIL 4, 10^-5 to 10^-4. The Risk Reduction Factor is RRF = 1/PFDavg.
The probabilities are calculated from the FMEDA failure rates together with the proof-test interval and the voting
architecture.
What is FMEDA?
Failure Modes, Effects, and Diagnostic Analysis: a systematic extension of FMEA that also credits the device's
built-in diagnostics, so each failure mode is classified as safe or dangerous and as detected or undetected, yielding
the failure rates λSD, λSU, λDD and λDU.
The actual targets required of DEVICES vary depending on the likelihood of a demand, the complexity of the devices
(Type A or Type B), and the type of redundancy (hardware fault tolerance) used.
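As an added worked example (not part of the original document), the following Python puts the SFF, PFDavg, RRF and SIL-band definitions above into code, including the IEC 61508-2 Route 1H architectural constraint and a 1oo2 voting architecture with a common-cause factor β. The FMEDA failure rates, proof-test interval and β are constructed illustrative values, not data from any real device; the 1oo2 expression is the simplified IEC 61508-6 form that ignores detected failures and repair time.

```python
"""Added example: SIL arithmetic from FMEDA failure rates.

Failure rates are in FIT (1 FIT = 1e-9 failures per hour), the unit FMEDA
reports normally use. All sample values below are constructed for illustration.
"""

FIT = 1e-9  # failures per hour


def sff(lam_sd, lam_su, lam_dd, lam_du):
    """Safe Failure Fraction: every failure that is not dangerous-undetected."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / total


def sff_band(sff_value):
    """Row index of the IEC 61508-2 architectural-constraint table."""
    if sff_value < 0.60:
        return 0
    if sff_value < 0.90:
        return 1
    if sff_value < 0.99:
        return 2
    return 3


# IEC 61508-2 (Route 1H) maximum SIL by [SFF band][hardware fault tolerance].
# Type A: simple devices with well-defined failure modes (e.g. a solenoid valve).
# Type B: complex devices such as microprocessor-based transmitters.
# 0 means the configuration is not allowed at any SIL.
_ROUTE_1H = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}


def max_sil_by_architecture(sff_value, hft, device_type):
    """Highest SIL the hardware architecture alone allows (HFT 0, 1 or 2)."""
    return _ROUTE_1H[device_type][sff_band(sff_value)][hft]


def pfd_avg_1oo1(lam_du_fit, ti_hours):
    """Single channel: PFDavg ~= lambda_DU * TI / 2 (TI = proof-test interval)."""
    return lam_du_fit * FIT * ti_hours / 2


def pfd_avg_1oo2(lam_du_fit, ti_hours, beta):
    """Two channels, either can trip: independent term plus common-cause term.

    beta is the fraction of dangerous-undetected failures assumed to hit both
    channels at once (common cause); it usually dominates the result."""
    lam = lam_du_fit * FIT
    independent = (lam * ti_hours) ** 2 / 3
    common_cause = beta * lam * ti_hours / 2
    return independent + common_cause


def sil_from_pfd(pfd):
    """Low-demand SIL band from PFDavg; 0 means below SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def rrf(pfd):
    """Risk Reduction Factor is the reciprocal of PFDavg."""
    return 1.0 / pfd


def achievable_sil(pfd, sff_value, hft, device_type):
    """A device meets the lower of the PFDavg band and the architectural limit."""
    return min(sil_from_pfd(pfd), max_sil_by_architecture(sff_value, hft, device_type))


if __name__ == "__main__":
    # Constructed FMEDA result for a hypothetical Type B transmitter (FIT):
    lam_sd, lam_su, lam_dd, lam_du = 0, 1000, 3000, 500
    ti = 8760  # one-year proof-test interval, in hours
    s = sff(lam_sd, lam_su, lam_dd, lam_du)
    p1 = pfd_avg_1oo1(lam_du, ti)
    p2 = pfd_avg_1oo2(lam_du, ti, beta=0.05)
    print(f"SFF = {s:.1%}")
    print(f"1oo1: PFDavg = {p1:.2e}, RRF = {rrf(p1):.0f}, PFD band SIL {sil_from_pfd(p1)}, "
          f"achievable SIL {achievable_sil(p1, s, 0, 'B')}")
    print(f"1oo2: PFDavg = {p2:.2e}, RRF = {rrf(p2):.0f}, PFD band SIL {sil_from_pfd(p2)}, "
          f"achievable SIL {achievable_sil(p2, s, 1, 'B')}")
```

With these numbers the single transmitter lands in the SIL 2 band on PFDavg alone but is held to SIL 1 once its 88.9 % SFF and HFT 0 are applied, and the redundant pair is held to SIL 2 by the architectural constraint even though its PFDavg sits in the SIL 3 band. The common-cause term is about 95 % of the 1oo2 PFDavg, which is why β matters more than the second channel's own failure rate.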
Abbreviation of IEC ?
International Electrotechnical Commission
SIF vs SIL Relation
Based on the specific process application, a risk reduction factor (and hence a SIL target) must be defined for each
safety loop (SIF).
The required SIL of a specific SIF is determined from the risk reduction that function must provide. The target
measure depends on the mode of operation: PFDavg for low-demand mode (demands no more than once per year), and
PFH, the average frequency of dangerous failure per hour, for high-demand or continuous mode (SIL 1, 10^-6 <= PFH
< 10^-5 per hour, down to SIL 4, 10^-9 to 10^-8 per hour).
What is IEC 61508?
SIS hardware/software design guidance targeted at suppliers of systems used for the reduction of risk, and the basic
standard from which sector standards such as IEC 61511 are derived.
It defines requirements for the functional safety of electrical/electronic/programmable electronic (E/E/PE)
safety-related systems.
What is Functional Safety?
The part of overall safety that depends on the E/E/PE safety-related system responding correctly to its inputs: the
overall program to ensure that the system brings about a safe state when called upon to do so.
Parts of IEC 61508?
Seven parts, grouped as general safety requirements, specific system and software requirements, and guidance on
application:
Part 1: General requirements
Part 2: Requirements for E/E/PE safety-related systems (hardware)
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of safety integrity levels
Part 6: Guidelines on the application of Parts 2 and 3
Part 7: Overview of techniques and measures
IEC 61508 SIS Vendor Software Quality Plan?
IEC 61508-3, Clause 7 sets out the software safety lifecycle requirements:
7.1: General requirements
7.2: Software safety requirements specification
7.3: Software safety validation planning
7.4: Software design and development
7.5: Programmable electronics integration (hardware and software)
7.6: Software operation and modification procedures
7.7: Software safety validation
7.8: Software modification
7.9: Software verification
IEC 61508-3 Annex A
Provides tables of "techniques and measures" for software development, with different techniques recommended or
highly recommended depending on the SIL of the software.
IEC 61508-3 Annex B
Nine detailed tables (B.1 to B.9) of design and coding standards as well as analysis and testing techniques to be used
in safety-related software development, depending on the SIL of the software; where alternative techniques are listed,
the choice is left to the development team.
IEC 61511
SIS Design Guidance for the Process Industry Sector (the process-sector implementation of IEC 61508).
Two core concepts of IEC 61511
The safety lifecycle and safety integrity levels.
Safety Lifecycle
The engineering process that includes all of the steps necessary to achieve required functional safety.
Basic philosophy behind the safety life cycle
Develop and document a safety plan, execute that plan, document its execution (to show that the plan has been met)
and continue to follow that safety plan through decommissioning, with further appropriate documentation being
generated throughout the life of the system.
IEC61511-1
Framework, definitions, system, hardware and software requirements
IEC61511-2
Guidelines on the application of 61511-1
IEC61511-3
Guidance for the determination of the required safety integrity levels
IEC 61511 vs ANSI/ISA-84.00.01-2004
The standards mirror each other (ISA-84.00.01-2004 is the US adoption of IEC 61511) with the exception of the
"grandfather clause" in ISA-84. Each has three main parts, but ISA-84 also includes a series of technical reports
(ISA-TR84).
ISA-84 Grandfather Clause
"For existing SIS designed and constructed in accordance with codes, standards and practices prior to the issuance
of ISA-84, the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and
operating in a safe manner." The clause originated with OSHA 29 CFR 1910.119 (Process Safety Management).
Safety Lifecycle – Throughout the Lifecycle
Management of functional safety and functional safety assessment and auditing
Safety lifecycle structure and planning
Verification
Safety Lifecycle – Analysis Phase
Hazard and risk assessment
Allocation of Safety Functions to protection layers
Safety requirements specifications for the SIS
SMS
Safety Management System: Ensures that functional safety objectives are met and appropriate auditing processes
are defined.
SRS
Safety Requirements Specification: document that ensures the safety requirements are adequately specified prior to
proceeding to detailed design.
Safety Lifecycle – Implementation Phase
Design and engineering of the SIS
Design and development of other means of risk reduction
Installation, commissioning, and validation
Safety Lifecycle – Operation Phase
Operation and maintenance
Modification
Decommissioning
Common PHA Methods
Checklist
What if?
What if/checklist
HAZOP
FMEA (Failure Modes and Effects Analysis)
Fault tree analysis
Event tree analysis
LOPA
Assignment of SIL
There are no regulations to assign a SIL to a particular process or hazard.
The SIL assignment is a company based decision based on risk management and risk tolerance philosophy.
Does OSHA require an SIS?
NO, but . . . "ANSI/ISA S84.01-1996 does mandate that companies should design their safety instrumented system
to be consistent with similar operating process units within their own companies and at other companies.
Likewise, in the US, OSHA PSM and EPA RMP require that industry standards and good engineering practice be
used in the design and operation of process facilities.
This means that the assignment of safety integrity levels must be carefully performed and thoroughly documented."
Common methods used to convert PHA data into a SIL?
Modified HAZOP
Consequence only
Risk matrix
Risk graph
Quantitative assessment (fault tree or process demand)
Company-mandated SIL
Modified HAZOP
SIL assignment method: actually an extension of HAZOP, relying on SUBJECTIVE assignment based on the team's
expertise.
Since it is subjective, team member consistency from project to project needs to be addressed.
Consequence Only
SIL assignment method: uses an estimate of the potential consequence of the incident and does not take the frequency
into account. Simplest to use, but the most conservative.
Risk Matrix
SIL assignment method: correlates risk severity and risk likelihood with the SIL, i.e. the SIL is read from a table
indexed by EVENT SEVERITY and EVENT LIKELIHOOD. Commonly used.
Risk Graph
SIL assignment method – provides correlation of:
Consequence
Frequency and exposure time
Possibility of avoiding the hazardous event
Probability of the unwanted occurrence
Quantitative Assessment (e.g. fault tree or process demand)
SIL assignment method: determines the process demand rate or incident likelihood and requires an extensive
understanding of potential causes and probabilities of failure. It is the MOST RIGOROUS TECHNIQUE.
Company Mandated SIL
SIL assignment method: assumes that the largest cost step occurs when a SIL greater than 1 is required, so the
company simply mandates one level for every SIF, here SIL 3, rather than selecting a level per function.
This assignment is the least time consuming, reduces the documentation of SIL selection and ensures consistency, at the
price of over-engineering the functions whose actual risk reduction need is lower.
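As an added worked example (not part of the original document), the following Python carries a LOPA-style quantitative SIL assignment through for one hazard scenario: the initiating-event frequency, the PFD of each credited independent protection layer (IPL) and any conditional modifiers give the mitigated event frequency; dividing the tolerable frequency by it gives the PFD, the RRF and hence the SIL target the SIF must deliver. All frequencies, PFDs and the tolerable-frequency target are constructed illustrative figures, not values from any standard or company risk criterion.

```python
"""Added example: LOPA-style SIL target selection for one hazard scenario.

Frequencies are per year; PFDs are dimensionless. Every number below is a
constructed illustration, not a published risk criterion.
"""
import math


def mitigated_frequency(initiating_freq, ipl_pfds, modifiers=()):
    """Frequency of the consequence with the listed IPLs but no SIF.

    Only layers independent of the initiating event and of each other may be
    credited here; a BPCS alarm in the loop whose failure is the initiating
    event, for instance, is not an IPL for that scenario."""
    freq = initiating_freq
    for pfd in ipl_pfds:
        freq *= pfd
    for m in modifiers:  # e.g. probability of ignition, occupancy
        freq *= m
    return freq


def sil_from_rrf(rrf_value):
    """Required SIL from the risk reduction factor; 0 means no SIF is needed
    (RRF < 10 is below the SIL 1 band and is better met by another IPL)."""
    if rrf_value < 10:
        return 0
    return min(4, math.floor(math.log10(rrf_value)))


def sif_target(initiating_freq, ipl_pfds, tolerable_freq, modifiers=()):
    """Return (mitigated frequency, required PFD, required RRF, SIL target)."""
    f_mit = mitigated_frequency(initiating_freq, ipl_pfds, modifiers)
    required_pfd = min(1.0, tolerable_freq / f_mit)  # 1.0 means no gap to close
    required_rrf = 1.0 / required_pfd
    return f_mit, required_pfd, required_rrf, sil_from_rrf(required_rrf)


if __name__ == "__main__":
    # Constructed scenario: BPCS level-control failure overfills a vessel.
    initiating = 0.1   # per year, one BPCS loop failure
    tolerable = 1e-5   # per year, hypothetical company target for this consequence
    occupancy = [0.5]  # conditional modifier: someone is present half the time

    # Case A: only the operator response to an independent high-level alarm is credited.
    a = sif_target(initiating, [0.1], tolerable, occupancy)
    # Case B: a relief valve sized for the scenario is also credited as an IPL.
    b = sif_target(initiating, [0.1, 0.01], tolerable, occupancy)
    for name, (f_mit, pfd, r, sil) in (("A", a), ("B", b)):
        print(f"case {name}: f_mitigated={f_mit:.1e}/yr, required PFD={pfd:.1e}, "
              f"RRF={r:.0f}, SIL target={sil}")
```

Case B shows why every IPL credit has to be justified: adding the relief valve brings the required RRF down to 5, so no SIF is needed for this scenario, whereas without it the SIF must be SIL 2. In a real LOPA each PFD would be backed by the site's IPL credit rules and the tolerable frequency by its risk-tolerance criteria, which is the company decision described under "Assignment of SIL" above.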
Failure Rates of SIS Components
50% – Final element (Valve, etc.)
42% – Sensor (switch, transmitter, etc.)
8% – Logic solver
Abbreviation of FMEA
Failure Modes and Effects Analysis
Common Cause Failure
Failure which is the result of one or more events, causing failures of two or more separate channels in a
multiple-channel system, leading to system failure. It is modelled with the beta factor (the fraction of failures
assumed to affect all channels at once) and is what limits the benefit of redundancy.
Common Mode Failure
Failure of two or more channels in the same way, causing the same erroneous result
Dangerous Failure
Failure which has the potential to put the safety instrumented system in a hazardous or fail-to-function state
External Risk Reduction Facilities
Measures to reduce or mitigate the risks which are separate and distinct from the SIS (e.g. relief valves, bunds).
Final Element
Part of a safety instrumented system which implements the physical action necessary to achieve a safe state.
Impact Analysis
Activity of determining the effect that a change to a function or component will have on other functions or
components in that system as well as on other systems.
Mitigation
Action that reduces the consequences of a hazardous event
Protection Layer
Any independent mechanism that reduces risk by control, prevention or mitigation.
Proven-In-Use
When a documented assessment has shown that there is appropriate evidence, based on the previous use of a
component, that the component is suitable for use in a safety instrumented system
Safety
Freedom from unacceptable risk
Systematic Failure
Failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the
design or of the manufacturing process, operational procedures, documentation or other relevant factors. Software
defects and specification errors are typical examples; unlike random hardware failures, systematic failures are not
reduced by redundancy alone.
IEC 61131-3
Deals with PLC programming languages. It defines two graphical languages (LD = ladder diagram and FBD = function
block diagram), two textual languages (ST = structured text and IL = instruction list, the latter deprecated in the
2013 edition), and SFC (sequential function chart), a graphical structuring element rather than a textual language.
IEC 62061
Machinery safety standard: the sector standard under IEC 61508 for safety-related electrical, electronic and
programmable electronic control systems of machinery.
Breakout of Safety I/O Type in Process Industry
SIL1 – 51%
SIL2 – 32%
SIL3 – 8%
SIL4 – 1%
No SIL – 8%
Two types of Risk Analysis
Quantitative Risk Analysis
Qualitative Risk Analysis
Abbreviation of ALARP
As Low As Reasonably Practicable
Abbreviation of RRF
Risk Reduction Factor
Abbreviation of CEM
Cause and Effect Matrices
Markov Analysis
Models the SIS (or one channel of it) as a set of discrete states, e.g. operating, failed dangerous-detected, failed
dangerous-undetected, with transition rates between them (failure rates, repair rates, proof-test restoration), and
solves for the probability of being in each state over time. The time-averaged probability of the dangerous states is
the PFDavg; unlike the simplified formulae, the model captures repair, diagnostics and degraded redundancy explicitly.
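As an added example (not part of the original document), the following Python solves a three-state Markov model of a single channel, OK / dangerous-detected (repaired after an MTTR) / dangerous-undetected (revealed only at the proof test), by stepping the state probabilities forward over one proof-test interval, and compares the resulting time-averaged unavailability with the simplified 1oo1 formula PFDavg ≈ λDU·TI/2 + λDD·MTTR. The failure rates, MTTR and interval are constructed values, and the proof test is assumed to be perfect.

```python
"""Added example: Markov (state-transition) model of a 1oo1 channel.

States: OK, DD (dangerous failure detected by diagnostics, under repair),
DU (dangerous failure undetected, found only at the proof test).
Rates are per hour; all sample values are constructed for illustration.
"""


def markov_pfd_avg(lam_dd, lam_du, mttr_hours, ti_hours, dt=1.0):
    """Time-averaged probability of being in a dangerous state over one
    proof-test interval, from a forward-Euler solution of the Markov chain.

    Transitions: OK -> DD at lam_dd, DD -> OK at 1/MTTR (repair),
    OK -> DU at lam_du; DU is absorbing until the (assumed perfect) proof
    test returns the channel to OK at t = ti_hours."""
    mu = 1.0 / mttr_hours
    p_ok, p_dd, p_du = 1.0, 0.0, 0.0
    steps = int(ti_hours / dt)
    unavailable = 0.0
    for _ in range(steps):
        unavailable += p_dd + p_du
        d_ok = -(lam_dd + lam_du) * p_ok + mu * p_dd
        d_dd = lam_dd * p_ok - mu * p_dd
        d_du = lam_du * p_ok
        p_ok += d_ok * dt
        p_dd += d_dd * dt
        p_du += d_du * dt
    return unavailable / steps


def simplified_pfd_avg(lam_dd, lam_du, mttr_hours, ti_hours):
    """Closed-form 1oo1 approximation of the kind used in IEC 61508-6."""
    return lam_du * ti_hours / 2 + lam_dd * mttr_hours


if __name__ == "__main__":
    lam_dd, lam_du = 3e-6, 5e-7  # per hour (3000 FIT detected, 500 FIT undetected)
    mttr, ti = 8.0, 8760.0       # 8 h repair, one-year proof-test interval
    m = markov_pfd_avg(lam_dd, lam_du, mttr, ti)
    s = simplified_pfd_avg(lam_dd, lam_du, mttr, ti)
    print(f"Markov PFDavg = {m:.4e}, simplified = {s:.4e}, "
          f"difference = {100 * (s - m) / s:.2f}%")
    # Stretching the proof-test interval to three years roughly triples the DU term.
    print(f"Markov PFDavg at TI = 3 y: {markov_pfd_avg(lam_dd, lam_du, mttr, 3 * ti):.4e}")
```

For rates this small the two agree to well under one percent; the Markov result is slightly lower because the true unavailability grows as 1 − e^(−λt) rather than linearly. The state model earns its keep when the simplified formulae break down: long test intervals, imperfect proof tests, or redundant architectures where the repair of one channel changes the exposure of the other.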
The IEC 61511 standard lists goals for safety planning. List three of the five goals of safety planning
According to IEC 61511, safety planning has five goals:
ensure that the functional safety objectives and the safety integrity level objectives are achieved for all relevant
modes of the process
ensure proper installation and commissioning of the safety instrumented system
ensure the safety integrity of the safety instrumented functions after installation
maintain the safety integrity during operation (e.g., proof testing, failure analysis, etc.)
manage the process hazards during maintenance activities on the safety instrumented system
