Section II-6

The document outlines the design process for Safety Instrumented Systems (SIS), detailing hazard analyses, safety requirements specifications, and various design stages including conceptual and detailed design. It emphasizes the importance of safety lifecycle management, technology selection, and architecture choices, as well as the need for rigorous testing and verification to meet Safety Integrity Levels (SIL). Additionally, it discusses the structure of a safety case and the requirements for safety documentation and tracking throughout the system's lifecycle.

Uploaded by

Farid Larkem

CFSE Exam Preparation: Section II-6

Section II-6:
Safety Instrumented System Design
• Hazard Analyses
• Safety Requirements Specification
• Conceptual Design
• Technologies
• Architectures
• Design Verification
• Detail Design

Safety Lifecycle (flowchart; exida.com, "excellence in dependable automation")

Conceptual phase:
• Process Design - process information, event history
• Identify Potential Risks - potential hazards
• Layers of Protection - Layer of Protection Analysis, failure probabilities (PROBE Tool)
• Assess Potential Risk Likelihood - hazard frequencies
• Analyze Potential Hazard Risk Magnitude - Consequence Analysis, hazard characteristics, hazard consequences, consequence database (FETCH Tool)
• Select Target SIL - target SILs from tolerable risk guidelines; develop non-SIS layers
• SIS Required? (No: exit; Yes: continue)
• Develop Safety Requirements Specification (DOCUMENT Template) - functional description of each Safety Instrumented Function, target SIL, mitigated hazards, process parameters, logic, bypass/maintenance requirements, response time, etc.; safety requirements allocation

Detailed phase:
• SIS Conceptual Design - select technology (relays, fail-safe solid state, PLC, safety PLC, sensors, final elements); select redundancy architecture (1oo1, 1oo2, 2oo3, 1oo2D); determine test philosophy
• Reliability, Safety Evaluation (SILVER Tool, failure data database, manufacturer's failure data) - SILs achieved; SIL achieved? (No: loop back; Yes: continue)
• SIS Detailed Design (DOCUMENT Template, manufacturer's safety manual) - detailed design documentation: loop diagrams, wiring diagrams, logic diagrams, panel layout, PLC programming, installation, commissioning requirements, pre-startup acceptance test requirements, etc.
• SIS Installation & Commission (manufacturer's installation instructions) - installation, commissioning
• Validation - pre-startup safety review: verify all documentation against hazards, design, installation testing, maintenance procedures, management of change, emergency plans, etc.
• Operating and Maintenance Planning - SIS startup, operation, maintenance, periodic functional tests
• Modify / Decommission? - modify (repeat the lifecycle) or SIS decommissioning

SRS Requirements
• The SRS should contain
– System scope and application environment
– Functional Requirements
– Safety Integrity Requirements
– Safety Requirements Allocation
• The SRS should contain these requirements for each safety function
– Selection of energize-to-trip or de-energize-to-trip
– Definition of the safe state
– Timing requirements (response time, process safety time, discrepancy time)
– Relationship between inputs and outputs

SRS Requirements (cont’d)
• The SRS should contain these functional requirements
– Process Inputs and their trip points
– Process parameter normal operating range
– Process outputs and their actions
– Hazardous area requirements
– Operational Bypass management
– Maintenance Override
– Consideration for manual shutdown
– Actions on loss and return of power
– Response actions for overt fault – overrides
– Operator Interface requirements
– Reset functions

SRS Requirements (cont’d)
• The SRS should contain these integrity requirements
– The required SIL for each SIF (PFD, Architecture, SFF, FSM)
– Reliability requirements if spurious trips may be hazardous
– Requirements for architecture and diagnostics to achieve the required SIL
– Requirements for maintenance and testing to achieve the required SIL

Requirements Tracking

| No. | Requirement | Priority or Criticality and Stability | Allocation and Responsible | Ptr. to Source | Ptr. to Design spec. and Implementation | Ptr. to Test spec. and Test protocol | Ptr. to User documents |
| R1 | Cycle time shall be less than 300 ms | essential – for the application; safety critical; unlikely to change | CPU S/W; SIOP DEP | no reference | clause no. | System test | User documentation; Marketing material |

| No. | Assumption | Priority or Criticality and Stability | Allocation and Responsible | Ptr. to Source | Ptr. to Design spec. and Implementation | Ptr. to Test spec. and Test protocol | Ptr. to User documents |
| A1 | System not for rotating machinery, response time too slow | essential – for the application; likely to change | Marketing | Marketing doc. | no reference | no reference | User documentation; Marketing material |


Safety Case

• Goals
– Provide justification that a system or appliance is safe
– Provide one document for many certification authorities
– Safety project status is immediately visible (field “Required activities”)
– Offload the development team from compliance work, can be done by safety experts

Safety Case Structure

• System Scope and Description, incl. context diagram of environment, EUC and interfaces
• Hazard Analysis and Risk Reduction
• Safety Claims – Allocation – Arguments – Evidence (database)
– System Safety Properties (Key requirements and ‘Derived Requirements’)
– Safety Management (Safety plan, processes / information flow, roles, qualification)
– Allocation to subsystem(s)
– Arguments – Evidence
– Qualitative and quantitative facts
– Analysis and Testing (passed / failed criteria)
– Architecture and design safety analysis
– Guidelines for and testing of the implementation
– Reference to implementation details
• Conclusions (incl. limitations)

Safety System Design / SIS Conceptual Design (flowchart):
Safety Requirements Specification → Select Technology → Select Architecture → Determine Test Philosophy → Reliability Evaluation → Performance Target Met? (Yes: Proceed to Manufacture; No: return to the design steps)

Safety System Design - Based on functionality and target SIL:
• How many, what type of SENSORS: Conventional Transmitter, Critical Rated Transmitter
• What type of LOGIC SOLVER: Relays, Solid State Logic, Conventional PLC, Safety PLC
• How many, what type of FINAL ELEMENTS
(Design loop shown alongside: Select Technology → Select Architecture → Determine Test Philosophy → Reliability Evaluation → Performance Target Met? No: revise; Yes: proceed)


Relay Systems
Hardwired Logic, Inherently Fail-Safe Logic

Positives:
• Generally Fail-Safe if correct components and design limits are used.
• Low initial cost compared to big programmable systems
Negatives:
• Potentially high trip rate depending on the design
• Little or no diagnostics
• Gets complex fast and errors in setting up logic have higher potential
• Hard to re-program as this requires almost complete teardown and rebuild
• High cost of ownership from ongoing expenses

Programmable Systems
Positives:
• Flexible because many functions are built-in
• Modular with different types of I/O and logic
• High space density especially for complex systems
• Calculation capability for discrete and analog variables, full math capability
• Computer communications are part of the design
• Documentation Tools are the best with management of change assistance and even maintenance assistance
Negatives:
• Safety - failure modes. Unless safety critical rated per IEC61508, be careful
• Software reliability is a potential problem especially for equipment not certified safety critical
• Communication security may be an issue depending on implementation

Safety-Rated Transmitters
• High-level of self-diagnostics
• Reduced manual testing
Products shown: Moore 345 XTC, ABB 600T, Moore Industries; more coming…

Safety-Rated Valves
• High-level of self-diagnostics, acoustics
• Automatic Partial Stroke Testing
• Reduced manual testing
Products shown: Neles Automation, Moore Industries Trip-A-Larm; more coming….

Select Architecture - How much, what kind of redundancy?
• 1oo1
• 1oo2
• 2oo3
• 1oo1D
• 1oo2D

Safety System Design - Select Redundant Architecture: 1oo1
Sensor → Controller → Final Element (single channel)

| Architecture | PFS (Safe) | PFD (Dangerous) |
| 1oo1 | 0.02 | 0.01 |

1oo2 Architecture
Two channels (Sensor → Controller), voted 1oo2, drive one Final Element

| Architecture | PFS (Safe) | PFD (Dangerous) |
| 1oo1 | 0.02 | 0.01 |
| 1oo2 | 0.04 | 0.0001 .. 0.0003 |
Using Simple Approximation Formulas - No Common Cause or β = 2%

2oo2 Architecture
Two channels (Sensor → Controller), voted 2oo2, drive one Final Element

| Architecture | PFS (Safe) | PFD (Dangerous) |
| 1oo1 | 0.02 | 0.01 |
| 1oo2 | 0.04 | 0.0001 .. 0.0003 |
| 2oo2 | 0.0004 .. 0.0008 | 0.02 |
Using Simple Approximation Formulas - No Common Cause or β = 2%

2oo3 Architecture
Three logic solver channels A, B and C (each: Sensor → Input Circuit → Common Circuitry (MP) → Output Circuit 1 / Output Circuit 2) feed a 2oo3 Voting Circuit that drives the Final Element.

| Architecture | PFS (Safe) | PFD (Dangerous) |
| 1oo1 | 0.02 | 0.01 |
| 1oo2 | 0.04 | 0.0001 .. 0.0003 |
| 2oo2 | 0.0004 .. 0.0008 | 0.02 |
| 2oo3 | 0.0012 .. 0.0016 | 0.0003 ... 0.0005 |
Using Simple Approximation Formulas - No Common Cause or β = 2%

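The table above gives PFS and PFD for 1oo1, 1oo2, 2oo2 and 2oo3 without printing the "simple approximation formulas" behind it. The Python below is an added example, not code from the slides or from exida's tools. It assumes the usual first-order approximations (PFDavg = λDU·T/2 for 1oo1, (λDU·T)²/3 for 1oo2, λDU·T for 2oo2, (λDU·T)² for 2oo3, each redundant scheme with an added β·λDU·T/2 common-cause term, and the mirror-image expressions for PFS). With λ·T = 0.02 for both failure kinds it reproduces the slide's 1oo1, 1oo2 and 2oo2 rows and the 2oo3 PFS row; the 2oo3 PFD comes out at 0.0004 (no common cause) and 0.0006 (β = 2%), slightly above the slide's 0.0003 .. 0.0005, so the slide evidently used a somewhat different approximation for that cell.

```python
import math

# Simplified PFDavg and PFS approximations for the voting architectures in the
# slide's table. The formulas are an assumption of this example (the usual
# IEC 61508-6 style first-order approximations); the slide does not print its own.
#   x_d = lambda_DU * T  dangerous undetected failure rate times proof-test interval
#   x_s = lambda_S * T   safe (spurious-trip) failure rate times interval
#   beta = common-cause fraction: 0.0 for "no common cause", 0.02 for beta = 2%


def pfd_avg(arch, lam_du, t_hours, beta=0.0):
    """Average probability of failure on demand of one voted group."""
    x = lam_du * t_hours
    common_cause = beta * x / 2      # the beta fraction behaves like a 1oo1 channel
    if arch == "1oo1":
        return x / 2
    if arch == "2oo2":
        return x                     # either channel failing dangerously defeats the trip
    if arch == "1oo2":
        return x * x / 3 + common_cause
    if arch == "2oo3":
        return x * x + common_cause
    raise ValueError(f"unknown architecture {arch!r}")


def pfs(arch, lam_s, t_hours, beta=0.0):
    """Probability of a spurious (safe) trip over the interval."""
    x = lam_s * t_hours
    common_cause = beta * x
    if arch == "1oo1":
        return x
    if arch == "1oo2":
        return 2 * x                 # either channel tripping trips the loop
    if arch == "2oo2":
        return x * x + common_cause
    if arch == "2oo3":
        return 3 * x * x + common_cause
    raise ValueError(f"unknown architecture {arch!r}")


def architecture_table(lam_du, lam_s, t_hours, beta=0.02):
    """Rows of (arch, PFS no-CC, PFS with beta, PFD no-CC, PFD with beta)."""
    rows = []
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        rows.append((arch,
                     pfs(arch, lam_s, t_hours), pfs(arch, lam_s, t_hours, beta),
                     pfd_avg(arch, lam_du, t_hours), pfd_avg(arch, lam_du, t_hours, beta)))
    return rows


if __name__ == "__main__":
    # Constructed input chosen so that lambda*T = 0.02 for both failure kinds,
    # which reproduces the 1oo1 row (PFS 0.02, PFD 0.01) of the slide.
    T = 8760.0
    lam = 0.02 / T
    print("arch   PFS(no CC)  PFS(b=2%)  PFD(no CC)  PFD(b=2%)")
    for arch, s0, s1, d0, d1 in architecture_table(lam, lam, T):
        print(f"{arch:5}  {s0:.4f}      {s1:.4f}     {d0:.5f}     {d1:.5f}")
```

The product λ·T is dimensionless, so rates in failures per hour with T in hours (or per year with T in years) give the same table; what the table makes visible is the trade-off the slides are driving at: redundancy that lowers PFD (1oo2) raises PFS, and vice versa (2oo2), while 2oo3 keeps both low at the price of three channels and a voting circuit.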
Determine Test Philosophy
How will the sensors, controller and final elements be tested? How frequently?
PERIODIC INSPECTION
• Time Interval: 5 Years, 1 Year, 6 Mos, 3 Mos.
• Procedure: Shutdown Plant? Bypass SIS? Transmitter Testing? Valve / Actuator Testing?
All these conditions can be precisely Markov modeled

Quantitative Analysis / SIL Verification
SAFETY INSTRUMENTED FUNCTION: A logical collection of sensors, logic solver and final elements required to implement a single protection function. Aka - a single "safety loop."
For each Safety Instrumented Function (SIF), the PFDavg/RRF is calculated and verified against the original Safety Integrity Level (SIL) determined for that SIF.

SIF structure: SENSOR PART → LOGIC SOLVER PART → FINAL ELEMENT PART
• Sensor part: SENSOR GROUP 1 .. SENSOR GROUP 4, combined by sensor group voting
• Final element part: FINAL ELEMENT GROUP 1 .. FINAL ELEMENT GROUP 4, combined by final element group voting
• Group voting options: 1 group: 1oo1; 2 groups: 1oo2, 2oo2; 3 groups: 1oo3, 3oo3; 4 groups: 1oo4, 4oo4

Example sensor groups: sensor entries (SENSOR + INTERFACE MODULE + INTERFACE MODULE) voted 1oo2 or 1oo3. Example final element entries: INTERFACE MODULE + ACTUATOR + VALVE.

Each sensor group can have up to three sensor entries. A sensor entry always consists of a sensor and can have up to two interface modules. The voting options within each sensor group are: 1oo1, 1oo1D, 1oo2, 1oo2D, 2oo2, 1oo3, 2oo3, and 3oo3. All voting options can have diverse redundant components. The components can be selected from the exida.com equipment database.

Each final element group can have up to six final element entries. A final element entry always consists of an actuator and can have either an interface module, a valve, or both. The voting options within each final element group are: 1oo1, 1oo2, 2oo2, 1oo3, 3oo3, 2oo4, 4oo4, 5oo5, and 6oo6. All voting options up to three final element entries can have diverse redundant components. The components can be selected from the exida.com equipment database.

Detailed sensor part information (figure)

Periodic Inspection Interval

The test period is a parameter which significantly affects the average probability of failure on demand and hence the safety integrity level.
(Figure: 1/PFD(t) versus time, IEC 61508 SIL 1 to SIL 4 bands, 1/PFDavg level, test period marked)

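The figure behind this slide is a sawtooth: PFD(t) climbs between proof tests and drops back to zero when a test restores the channel, and the SIL is judged on the time average of that curve. The following Python is an added example (not from the slides) that computes PFD(t) and PFDavg for a single 1oo1 channel with perfect periodic proof testing and maps the result to the IEC 61508 low-demand SIL bands. The failure rate used is a constructed value (the solenoid rate from the exercises later in the section); the band limits are the standard's, not the slide's.

```python
import math


def pfd_instantaneous(lam_du, t_hours, test_interval):
    """PFD(t) of a single channel that is proof-tested (and fully restored) every
    test_interval hours: the probability it has failed since the last test."""
    since_test = t_hours % test_interval
    return 1.0 - math.exp(-lam_du * since_test)


def pfd_avg_numeric(lam_du, test_interval, steps=10000):
    """Time-average of PFD(t) over one test period (midpoint rule)."""
    dt = test_interval / steps
    return sum(pfd_instantaneous(lam_du, (i + 0.5) * dt, test_interval)
               for i in range(steps)) / steps


def pfd_avg_exact(lam_du, test_interval):
    """Closed form of the same average: 1 - (1 - exp(-lam T)) / (lam T),
    which is lam T / 2 to first order (the PFDavg ~ PdF / 2 rule of the keys)."""
    a = lam_du * test_interval
    return 1.0 - (1.0 - math.exp(-a)) / a


def sil_from_pfd_avg(pfd):
    """IEC 61508 low-demand SIL bands on PFDavg (0 = below SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def interval_study(lam_du, intervals_hours):
    """(T, PFDavg, 1/PFDavg, SIL) for each candidate proof-test interval."""
    rows = []
    for T in intervals_hours:
        avg = pfd_avg_exact(lam_du, T)
        rows.append((T, avg, 1.0 / avg, sil_from_pfd_avg(avg)))
    return rows


if __name__ == "__main__":
    lam = 2.4e-6   # constructed: dangerous undetected failures per hour
    print("T [h]   PFDavg    1/PFDavg  SIL")
    for T, avg, rrf, sil in interval_study(lam, [5 * 8760, 8760, 4380, 2190]):
        print(f"{T:6d}  {avg:.5f}  {rrf:8.1f}  {sil}")
```

Running it shows the point of the slide numerically: at this rate a 1-year interval lands the loop in SIL 1, while a 6-month interval moves the same hardware into SIL 2. The numeric and closed-form averages agree, and the first-order λT/2 shortcut used in the exercise keys is only slightly pessimistic for λT this small.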
The Safety Lifecycle - Safety System Design / SIS Conceptual Design (flowchart):
Create Safety Specification → Select Technology → Select Architecture → Determine Test Philosophy → Reliability Evaluation → Performance Target Met? (Yes: Proceed to Manufacture; No: return to the design steps)

Summary:
Safety Instrumented System Design
• Safety Requirements Specification
• Conceptual Design
• Technologies
• Architectures
• Design Verification

Exercise 1
Safety Instrumented System Design
• A PLC has a probability of failure for a one year time interval [1/y] of 0.01. A switch has a probability of failure [1/y] of 0.05. A solenoid valve has a probability of failure [1/y] of 0.1.
A system consists of two switches, a PLC and a solenoid valve.
Do the Fault Trees for the PFD and PFS for a proof test interval of 1 year and the possible input evaluation schemes by the controller.

Exercise 2
Safety Instrumented System Design
Verify that a high pressure protection loop consisting of a pressure switch and solenoid meets the SIL requirements of the SIF.
λD:
• Solenoid 2.40 x 10^-6 failures per hour
• Pressure switch 4.55 x 10^-6 failures per hour
No Diagnostics, Test Interval – 1 year, SIL2
Meeting architectural constraint depends on SFF.

Exercise 3
Safety Instrumented System Design
Verify that a high pressure protection loop consisting of a Transmitter, DCS, and solenoid meets the SIL requirements of the SIF.
λD:
• Transmitter 1.60 x 10^-6 f/hour, CD=30%
• DCS 50.0 x 10^-6 f/hour, CD=70%
• Solenoid 2.40 x 10^-6 f/hour, CD=0%
Test Interval – 1 year, SIL2
Meeting architectural constraint depends on SFF of transmitter, DCS, and solenoid.

Exercise 4
Safety Instrumented System Design
Verify that a high pressure protection loop consisting of a Safety Transmitter, Safety PLC, and 1oo2 solenoid meets the SIL requirements of the SIF.
λD:
• STransmitter 2 x 10^-6 f/hour, CD=95%
• SPLC 60.0 x 10^-6 f/hour, CD=99%
• Solenoid 2.40 x 10^-6 f/hour, CD=0%
Test Interval – 1 year, SIL2
Meeting architectural constraint depends on SFF of solenoid

Exercise 1 (Key)
Safety Instrumented System Design
• A PLC has a probability of failure for a one year time interval [1/y] of 0.01. A switch has a probability of failure [1/y] of 0.05. A solenoid valve has a probability of failure [1/y] of 0.1.
Fault tree, 1oo2 input evaluation:
System Failure: FS = 0.1112
  1oo2 (SW X 0.05, SW Y 0.05): 0.0025
  PLC: 0.01
  Sol: 0.10

Exercise 1 (Key)
Safety Instrumented System Design
• A PLC has a probability of failure for a one year time interval [1/y] of 0.01. A switch has a probability of failure [1/y] of 0.05. A solenoid valve has a probability of failure [1/y] of 0.1.
Fault tree, 2oo2 input evaluation:
System Failure: FS = 0.1959
  2oo2 (SW X 0.05, SW Y 0.05)
  PLC: 0.01
  Sol: 0.10

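The two keys above evaluate the fault tree for the two input evaluation schemes, and the earlier SIF-structure slide lists the group voting options (1oo1 up to 6oo6) that the same arithmetic has to cover. The Python below is an added example, not code from the slides: it evaluates any k-out-of-n voted group of identical independent channels with a binomial tail and combines sensor part, logic solver and final element part in series. Applied to the Exercise 1 data it reproduces the key's 0.1112 (1oo2) and 0.1959 (2oo2) as the failure-to-trip top events, and, by swapping the gate, gives the spurious-trip trees the exercise also asks for. Treating the single probability per device as both its dangerous and its safe failure probability is this example's reading of the exercise data.

```python
from math import comb


def binomial_tail(n, p, j_min):
    """P(at least j_min of n independent channels, each failing with probability p, have failed)."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(j_min, n + 1))


def group_pfd(k, n, p_dangerous):
    """Dangerous failure of a k-out-of-n voted group: the group trips only if k
    channels call for it, so it fails to trip once more than n - k channels have
    failed dangerously (for 1oo2 this is the AND gate of the key, for 2oo2 the OR gate)."""
    return binomial_tail(n, p_dangerous, n - k + 1)


def group_pfs(k, n, p_safe):
    """Spurious trip of a k-out-of-n group: k or more channels fail safe."""
    return binomial_tail(n, p_safe, k)


def series_failure(*part_probs):
    """Sensor part, logic solver and final element part are in series: the SIF
    fails if any one of them fails (OR gate over independent events)."""
    surviving = 1.0
    for p in part_probs:
        surviving *= 1.0 - p
    return 1.0 - surviving


# Exercise 1 data: probabilities of failure over the 1-year proof-test interval.
P_SWITCH, P_PLC, P_SOLENOID = 0.05, 0.01, 0.10


def exercise_1(scheme):
    """Top-event (PFD, PFS) for the two-switch input scheme '1oo2' or '2oo2',
    rounded to the four decimals the key prints."""
    if scheme not in ("1oo2", "2oo2"):
        raise ValueError(f"unsupported input evaluation scheme {scheme!r}")
    k = 1 if scheme == "1oo2" else 2
    pfd = series_failure(group_pfd(k, 2, P_SWITCH), P_PLC, P_SOLENOID)
    pfs = series_failure(group_pfs(k, 2, P_SWITCH), P_PLC, P_SOLENOID)
    return round(pfd, 4), round(pfs, 4)


if __name__ == "__main__":
    for scheme in ("1oo2", "2oo2"):
        pfd, pfs = exercise_1(scheme)
        print(f"{scheme}: PFD = {pfd}  PFS = {pfs}")
    # the same helper covers the larger final element groups of the SIF-structure slide
    print("2oo3 group, p = 0.1:", round(group_pfd(2, 3, 0.1), 4))
```

The symmetry is the lesson of the exercise: 1oo2 evaluation of the switches gives the lower PFD (0.1112) but the higher PFS (0.1959), and 2oo2 simply exchanges the two numbers, so the choice of scheme is a trade between dangerous failure and spurious trip.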
Exercise 2 (Key)
Safety Instrumented System Design
Verify that a high pressure protection loop consisting of a pressure switch and solenoid meets the SIL requirements of the SIF.
λD:
• Solenoid 2.40 x 10^-6 failures per hour
• Pressure switch 4.55 x 10^-6 failures per hour
No Diagnostics, Test Interval – 1 year, SIL2
Meeting architectural constraint depends on SFF.

• There is no failure rate data for safe failure, so assume SFF = 0
• There is no redundancy, so fault tolerance is 0
• Solenoids and pressure switch are simple devices—Type A.
Architectural constraint: SIL 1

λDSys = λDSol + λDSw = (2.40 x 10^-6 + 4.55 x 10^-6) f/hr = 6.95 x 10^-6 f/hr
PdF = 1 – e^(-λD t) = 1 – e^(-6.95 x 10^-6 x 8760) = 0.0591
PFDAVE ~ PdF / 2 = 0.0591 / 2 = 0.0295 → RRF = 33.9 → SIL 1

The SIF, as designed, does not meet the SIL 2 requirements.

Exercise 3 (Key)
Safety Instrumented System Design
Verify that a high pressure protection loop consisting of a Transmitter, DCS, and solenoid meets the SIL requirements of the SIF.

| Device | λD | CD | λDD = λS |
| Transmitter | 1.60 x 10^-6 f/hour | 30% | 0.48 x 10^-6 f/hour |
| DCS | 50.0 x 10^-6 f/hour | 70% | 35.0 x 10^-6 f/hour |
| Solenoid | 2.40 x 10^-6 f/hour | 0% | 0 |
Test Interval – 1 year, SIL2
SFF = λS / λTotal = 35.48 / 54.00 = 65.7%
Meeting architectural constraint depends on SFF of transmitter, DCS, and solenoid. Architectural constraint: SIL 1
• Failure rate data for safe failure is limited to detected unsafe: calculate SFF
• There is no redundancy, so fault tolerance is 0
• DCS is not a simple device—Type B

Exercise 3 (Key)
Safety Instrumented System Design
Verify that a high pressure protection loop consisting of a Transmitter, DCS, and solenoid meets the SIL requirements of the SIF.

| Device | λD | CD | λDU |
| Transmitter | 1.60 x 10^-6 f/hour | 30% | 1.12 x 10^-6 f/hour |
| DCS | 50.0 x 10^-6 f/hour | 70% | 15.0 x 10^-6 f/hour |
| Solenoid | 2.40 x 10^-6 f/hour | 0% | 2.40 x 10^-6 f/hour |
λDU = 18.52 x 10^-6 f/hour; λTotal = 54.00 x 10^-6 f/hour
Test Interval – 1 year, SIL2
PdF = λDU / λTotal x (1 – e^(-λTotal t))
    = (18.52 x 10^-6 / 54.00 x 10^-6) x (1 – e^(-(54.00 x 10^-6 x 8760)))
    = (0.343) x (1 – e^(-0.4730)) = 0.343 x (1 – 0.623) = 0.1293
PFDAVE = PdF / 2 = 0.1293 / 2 = 0.0647 → RRF = 15.5 → SIL 1

The SIF, as designed, does not meet the SIL 2 requirements.

Exercise 4 (Key)
Safety Instrumented System Design
Verify that a high pressure protection loop consisting of a Safety Transmitter, Safety PLC, and 1oo2 solenoid meets the SIL requirements of the SIF.
λD:
• STransmitter 2 x 10^-6 f/hour, CD=95%
• SPLC 60.0 x 10^-6 f/hour, CD=99%
• Solenoid 2.40 x 10^-6 f/hour, CD=0%
Test Interval – 1 year, SIL2
Meeting architectural constraint depends on SFF of solenoid
• There is no failure rate data for safe failure and no diagnostic coverage for the solenoid, so SFF = 0
• There is 1oo2 voting for the solenoid, so fault tolerance is 1
• Solenoids are simple devices—Type A.
Architectural constraint: SIL 2
The SIF architecture permits SIL 2, if the RRF is high enough.

Exercise 4 (Key)
Safety Instrumented System Design
Verify that a high pressure protection loop consisting of a Safety Transmitter, Safety PLC, and 1oo2 solenoid meets the SIL requirements of the SIF.

| Device | λD | CD | λDU |
| STransmitter | 2 x 10^-6 f/hour | 95% | 0.1 x 10^-6 f/hour |
| SPLC | 60.0 x 10^-6 f/hour | 99% | 0.6 x 10^-6 f/hour |
| Solenoid | 2.40 x 10^-6 f/hour | 0% | 2.40 x 10^-6 f/hour |
Test Interval – 1 year, SIL2
PdF ~ λt
PdF1Sol ~ 2.40 x 10^-6 x 8760 = 0.0210
PdF2Sol = PdF1Sol x PdF1Sol = 0.0210^2 = 0.000441
PdFSTrans ~ 0.1 x 10^-6 x 8760 = 0.000876
PdFSPLC ~ 0.6 x 10^-6 x 8760 = 0.005256
PdFSys = 1 – (1 – 0.000441) x (1 – 0.000876) x (1 – 0.005256) = 0.00657

Exercise 4 (Key)
Safety Instrumented System Design
Verify that a high pressure protection loop consisting of a Safety Transmitter, Safety PLC, and 1oo2 solenoid meets the SIL requirements of the SIF.
λD:
• STransmitter 2 x 10^-6 f/hour, CD=95%
• SPLC 60.0 x 10^-6 f/hour, CD=99%
• Solenoid 2.40 x 10^-6 f/hour, CD=0%
Test Interval – 1 year, SIL2

PFDAVE = PdF / 2 = 0.00657 / 2 = 0.00328 → RRF = 305 → SIL 2

The SIF, as designed, meets the architectural and risk reduction requirements of SIL 2.
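The three keys (Exercises 2, 3 and 4) walk through the same SIL verification by hand: split λD into detected and undetected parts with the diagnostic coverage, compute PdF over the proof-test interval, halve it for PFDavg, turn that into an RRF and a SIL, and separately check the architectural constraint from SFF, hardware fault tolerance and device type. The Python below is an added example, not code from the slides, that carries the same steps through in one place and reproduces the keys' figures (to the keys' rounding). The architectural-constraint table is the Route 1H table of IEC 61508-2 (Tables 2 and 3), which the slides apply but do not print; evaluating the constraint per subsystem and taking the weakest is this example's choice, and it agrees with the keys' results.

```python
import math

HOURS_PER_YEAR = 8760

# Architectural constraints of IEC 61508-2 (Route 1H), Tables 2 and 3: the highest
# SIL a subsystem may claim, by safe failure fraction band and hardware fault
# tolerance 0/1/2. 0 means not allowed. Values are from the standard, not the slides.
_MAX_SIL_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))   # SFF <60, 60-90, 90-99, >=99 %
_MAX_SIL_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def max_sil_architectural(sff, hft, device_type):
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    table = _MAX_SIL_TYPE_A if device_type == "A" else _MAX_SIL_TYPE_B
    return table[band][min(hft, 2)]


def sil_from_rrf(rrf):
    """Low-demand SIL band from the risk reduction factor RRF = 1 / PFDavg."""
    for sil, lower in ((4, 1e4), (3, 1e3), (2, 1e2), (1, 1e1)):
        if rrf >= lower:
            return sil
    return 0


def pdf_over_interval(lam_du, lam_total, t_hours):
    """PdF = (lambda_DU / lambda_total) * (1 - exp(-lambda_total * t)), the form of
    the Exercise 3 key; with lam_total == lam_du it is 1 - exp(-lambda_DU t)."""
    return (lam_du / lam_total) * (1.0 - math.exp(-lam_total * t_hours))


def verify_1oo1_loop(devices, t_hours=HOURS_PER_YEAR):
    """devices: (name, lambda_D per hour, diagnostic coverage, 'A' or 'B').
    Every device is a single (HFT 0) subsystem in series. Dangerous detected
    failures count as safe for SFF, as the keys do when no safe rate is given,
    so a device's own SFF equals its diagnostic coverage."""
    lam_total = sum(d[1] for d in devices)
    lam_du = sum(d[1] * (1.0 - d[2]) for d in devices)
    sff_loop = (lam_total - lam_du) / lam_total
    sil_arch = min(max_sil_architectural(d[2], 0, d[3]) for d in devices)  # weakest subsystem
    pdf = pdf_over_interval(lam_du, lam_total, t_hours)
    rrf = 2.0 / pdf                        # PFDavg ~ PdF / 2
    return {"pdf": pdf, "pfd_avg": pdf / 2, "rrf": rrf,
            "sil_rrf": sil_from_rrf(rrf), "sff": sff_loop, "sil_arch": sil_arch}


def exercise_2():
    return verify_1oo1_loop([("solenoid", 2.40e-6, 0.0, "A"),
                             ("pressure switch", 4.55e-6, 0.0, "A")])


def exercise_3():
    return verify_1oo1_loop([("transmitter", 1.60e-6, 0.30, "A"),
                             ("DCS", 50.0e-6, 0.70, "B"),
                             ("solenoid", 2.40e-6, 0.0, "A")])


def exercise_4(t_hours=HOURS_PER_YEAR):
    """Safety transmitter and safety PLC (1oo1 each) plus 1oo2 solenoids, with the
    PdF ~ lambda_DU * t approximation the Exercise 4 key uses."""
    p_trans = 2e-6 * (1 - 0.95) * t_hours
    p_plc = 60e-6 * (1 - 0.99) * t_hours
    p_sol = 2.40e-6 * (1 - 0.0) * t_hours
    p_sol_1oo2 = p_sol * p_sol                      # both solenoids must fail dangerously
    pdf = 1 - (1 - p_sol_1oo2) * (1 - p_trans) * (1 - p_plc)
    rrf = 2.0 / pdf
    # the solenoid subsystem (SFF 0, Type A) has HFT 1 thanks to the 1oo2 voting,
    # and the exercise states that it is the subsystem the constraint depends on
    sil_arch = max_sil_architectural(0.0, 1, "A")
    return {"pdf": pdf, "pfd_avg": pdf / 2, "rrf": rrf,
            "sil_rrf": sil_from_rrf(rrf), "sil_arch": sil_arch}


def meets_target(result, target_sil):
    """Both the risk reduction and the architectural constraint must reach the target."""
    return result["sil_rrf"] >= target_sil and result["sil_arch"] >= target_sil


if __name__ == "__main__":
    for name, res in (("Exercise 2", exercise_2()), ("Exercise 3", exercise_3()),
                      ("Exercise 4", exercise_4())):
        print(f"{name}: PFDavg={res['pfd_avg']:.4f} RRF={res['rrf']:.1f} "
              f"SIL(RRF)={res['sil_rrf']} SIL(arch)={res['sil_arch']} "
              f"meets SIL 2: {meets_target(res, 2)}")
```

Two things the code makes explicit that are easy to lose when working by hand: a loop can fail SIL 2 on either leg independently (Exercise 2 fails both, Exercise 3 passes neither even though its λDU is dominated by one device), and Exercise 4 reaches SIL 2 only because the 1oo2 solenoids both raise the fault tolerance for the architectural constraint and square the solenoid's PdF in the RRF calculation.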
