
21/07/2017

1

Functional Safety Demystified
BOB WEISS - FUNCTIONAL SAFETY CONSULTANT

IICA TECHNICAL EVENING – 19TH JULY 2017

21 July, 2017 IICA - FUNCTIONAL SAFETY DEMYSTIFIED 1

Purpose

TOPICS
What is Functional Safety?
◦ SIS, SIF and SIL
Standards IEC 61508 and IEC 61511
An example to demonstrate compliance

4.5 day TÜV FSEng course in 45 minutes!
◦ One day course also available

Explains how to comply with AS IEC 61511-2004 using a case study


What is Functional Safety?

New term in IEC 61508 (introduced in 1999)
Part of Overall Safety
◦ freedom from unacceptable risk
Achieved by a Safety Instrumented System (SIS)
◦ E/E/PE Safety System in IEC 61508
◦ Examples:
  ◦ Trip System
  ◦ Emergency Shutdown System
  ◦ Burner Management System
◦ Includes field devices as well as logic solver
A SIS places or maintains a process in a safe state
◦ Process = Equipment Under Control (EUC) in IEC 61508
◦ Implements Safety Instrumented Functions (SIFs)
◦ Each SIF achieves a Safety Integrity Level (SIL)

Acronyms to remember: SIS, SIF and SIL!

IEC 61508 or IEC 61511

Integrators & users in the process industries can use either IEC 61508 or IEC 61511
IEC 61511 is generally simpler to apply

[Diagram: scope of the two standards]
IEC 61508: SIS device manufacturers; SIS integrators & users, SIL 1-3; SIS integrators & users, SIL 4
IEC 61511: SIS integrators & users, SIL 1-3, for process industries


Why Functional Safety? Buncefield, England, 11 Dec 2005

Storage tank level gauge showed constant reading
High level switch left in test mode
Gasoline tank overflowed
Mist exploded
◦ largest peacetime explosion in Europe
◦ 20 tanks on fire
◦ burned for three days
◦ significant environmental impact
◦ hundreds of millions of pounds damage

Should have complied with IEC 61511.

Basic Terminology

[Diagram: one Safety Instrumented System carrying two Safety Instrumented Functions]
Safety Instrumented System - SIS: logic solver (e.g. Safety PLC) together with the field devices
Safety Instrumented Function - SIF: SIF 1: TZH1234, SIF 2: PZHH1234
Safety Integrity Level - SIL: SIL 2, SIL 1 (one per SIF)
Subsystems of each SIF: sensing subsystem, logic subsystem, final element subsystem
Components shown: temperature transmitter (x2), pressure transmitter, flow transmitter; logic solver; solenoid and shut-off valve, solenoid and globe valve, relay in MCC


Safety Integrity Level vs. Risk Reduction
For Demand Mode SIFs only

| SIL | Probability of Failure on Demand (PFDavg) | Risk Reduction Factor (RRF) | Safety Availability |
| 4 | ≥ 10^-5, < 10^-4 | > 10,000 | > 99.99% |
| 3 | ≥ 10^-4, < 10^-3 | > 1,000, ≤ 10,000 | > 99.9%, ≤ 99.99% |
| 2 | ≥ 10^-3, < 10^-2 | > 100, ≤ 1,000 | > 99%, ≤ 99.9% |
| 1 | ≥ 10^-2, < 10^-1 | > 10, ≤ 100 | > 90%, ≤ 99% |
| BPCS* | ≥ 10^-1 | ≤ 10 | ≤ 90% |

PFDavg = 1 / RRF; used to specify SIL achieved
RRF = 1 / PFDavg; used to specify SIL required
Safety Availability = 100 (1 – PFDavg) %
* Basic Process Control System

Safety Lifecycle – IEC 61511

[Figure: IEC 61511 safety life-cycle phases]
1 Hazard and risk assessment
2 Allocation of safety functions to protection layers
3 Safety requirements specification for the safety instrumented system
4 Design and engineering of safety instrumented system (in parallel: design and development of other means of risk reduction)
5 Installation, commissioning and validation
6 Operation and maintenance
7 Modification
8 Decommissioning
9 Verification
10 Management of functional safety and functional safety assessment and auditing
11 Safety life-cycle structure and planning
Parties involved: Engineering Contractor, SIS Vendor, End User


Complying with IEC 61511

Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Random failure rate (PFDavg)
◦ Architectural constraints (hardware fault tolerance)
◦ Systematic capability for each component
  ◦ Field devices, logic solver, shutdown valves etc.
Not just TÜV certification
◦ Though it helps!
Not just meeting PFDavg target.

Comply Throughout Lifecycle

For the rest of the presentation we'll follow the SIS lifecycle
What do we need to do to comply at each stage?
See the following example…
◦ Only the main elements of compliance are covered.


1 Hazard and Risk Assessment

Output is a list of hazardous events with their process risk and acceptable risk.

[IEC 61511 safety life-cycle figure repeated; see the Safety Lifecycle slide above]

A hazard

A "potential source of harm"
300t of Liquefied Petroleum Gas can potentially cause harm
Hazardous Event Example – BLEVE (video)

[P&ID: 300t LPG tank with feed (P-1), product (P-2), pressure safety valve PSV-1 and level controller LIC-1]


Identify Hazardous Events: HAZOP

[P&ID repeated: 300t LPG tank, feed (P-1), product (P-2), PSV-1, LIC-1, with the new high level alarm (H)]

Node: LPG Tank
Guideword: HIGH LEVEL
Consequence: High Pressure, possible tank rupture & major fire
Existing Controls: Pressure Safety Valve (PSV-1)
New Controls: Add High Level Alarm

Risk

The product of severity and likelihood
"The expected value of loss"

[Risk matrix: consequence severity (Minor, Medium, Major) against likelihood of occurrence; cells rated LOW, MEDIUM or HIGH]


Risk reduction concept

[Figure: risk reduction bar along an axis of increasing risk, from residual risk up to process risk, with the acceptable risk marked. The necessary risk reduction runs from process risk down to acceptable risk; the actual risk reduction runs from process risk down to residual risk. The actual risk reduction is the overall risk reduction achieved by all means: partial risk reduction by the SIS plus partial risk reduction by "other means of risk reduction".]

Is risk acceptable?

Hazard - 300t of LPG

| Stage | Example |
| Process under control | Level stable |
| Process deviation or disturbance | Control valve sticks |
| Process out of control | Level increasing |
| Hazardous situation | High pressure |
| Hazardous event | Vessel fails |
| Impact / Consequence | 300t of boiling LPG released - likely major fire and fatalities |

Protection layers shown: LAH alarm, PSV
What is risk? Is it tolerable?


Risk Analysis - Layers of Protection

[Figure: layers of protection around the process: Control System (BPCS), Alarm LAH, Mechanical PSV, then the Hazardous Event!!]
Hazardous Situation: 1 per y
Target: 1 per 10,000 y
Required risk reduction: x 10,000
Mechanical PSV: x 100
Alarm LAH: x 1!
Only have x 100!!

2 Allocation of Safety Functions

Often called SIL Assessment, SIL Analysis or SIL Determination
Output is a list of Safety Instrumented Functions together with their required Safety Integrity Level.

[IEC 61511 safety life-cycle figure repeated; see the Safety Lifecycle slide above]


Risk is unacceptable - reduce further

[Event sequence from the "Is risk acceptable?" slide repeated (hazard - 300t of LPG: level stable, control valve sticks, level increasing, high pressure, vessel fails, 300t of boiling LPG released), with LZHH Trip added alongside the LAH Alarm and PSV protection layers]
How do we reduce risk further?

Add a high level trip

[P&ID repeated: 300t LPG tank, feed (P-1), product (P-2), PSV-1, LIC-1, high level alarm (H), with new level transmitter LZT 2 and trip LZHH 2]
High Level Trip LZHH2 added
◦ Shuts off flow when High High level reached


Layers of Protection – SIL assessment

[Figure: layers of protection: Control System (BPCS), Alarm LAH, SIF LZHH, Mechanical PSV, then the Hazardous Event!!]
Hazardous Situation: 1 per y
Target: 1 per 10,000 y
Required risk reduction: x 10,000
Mechanical PSV: x 100
Alarm LAH: x 1!
SIF LZHH: x 100, SIL 2
SIF must reduce risk by 10,000/100 = 100
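A worked version of the allocation above (the risk reduction left for the SIF and the SIL it implies) together with the PFDavg / RRF / safety availability conversions from the "Safety Integrity Level vs. Risk Reduction" table, added here as an example; it is not code from the presentation. The RRF-to-SIL step is read conservatively so that a required x 100 gives SIL 2 as the slide does, although the table's RRF band boundaries put exactly 100 on the SIL 1 / SIL 2 border.

```python
"""Added example (not from the presentation): LOPA-style allocation of the
required risk reduction to the SIF, plus the SIL table conversions."""
import math


def sil_achieved(pfd_avg):
    """SIL band a calculated PFDavg falls in (table: SIL n is 10^-(n+1) <= PFDavg < 10^-n).
    Returns 0 for the BPCS range (PFDavg >= 0.1)."""
    for sil in (4, 3, 2, 1):
        if 10 ** -(sil + 1) <= pfd_avg < 10 ** -sil:
            return sil
    if pfd_avg >= 0.1:
        return 0
    raise ValueError("PFDavg below the SIL 4 band of the table")


def rrf_from_pfd(pfd_avg):
    """Risk Reduction Factor = 1 / PFDavg."""
    return 1.0 / pfd_avg


def safety_availability_pct(pfd_avg):
    """Safety Availability = 100 (1 - PFDavg) %."""
    return 100.0 * (1.0 - pfd_avg)


def sil_required(rrf):
    """Smallest SIL whose PFDavg band guarantees a target PFD of 1/rrf.
    A SIL n function has PFDavg < 10^-n, so it guarantees the target once
    10^n >= rrf, i.e. n = ceil(log10(rrf)). This is the conservative reading
    the slide uses (x 100 -> SIL 2). RRF <= 10 is BPCS territory: no SIF."""
    if rrf <= 10:
        return 0
    return math.ceil(math.log10(rrf) - 1e-9)  # tolerance for exact powers of ten


def lopa_required_rrf(situation_years_per_event, target_years_per_event, ipl_credits):
    """Total RRF needed and the share left for the SIF after crediting the
    existing independent protection layers (credit = risk reduction factor)."""
    required_total = target_years_per_event / situation_years_per_event
    existing = 1.0
    for credit in ipl_credits.values():
        existing *= credit
    return required_total, required_total / existing


def lpg_tank_case_study():
    """Slide figures: hazardous situation 1 per y, target 1 per 10,000 y,
    PSV credited x 100, LAH alarm x 1 (no credit)."""
    layers = {"Mechanical PSV": 100.0, "Alarm LAH": 1.0}
    total, for_sif = lopa_required_rrf(1, 10_000, layers)
    return {"required_total_rrf": total, "sif_rrf": for_sif, "sif_sil": sil_required(for_sif)}
```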

Safety Integrity Level vs. Risk Reduction
For Demand Mode SIFs only

[Table repeated from the "Safety Integrity Level vs. Risk Reduction" slide above; used here to read the SIL required from the Risk Reduction Factor]


Phase 1 & 2 Compliance Achieved!

Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ random failure rate (PFDavg)
◦ Systematic Capability of each component

3 Safety Requirements Specification - SRS

Defines functional and integrity requirements of SIS
Output is a set of documents ready for detail design.

[IEC 61511 safety life-cycle figure repeated; see the Safety Lifecycle slide above]


Safety Requirements Specification

Functional Requirements
◦ desired behaviour of each SIF
◦ behaviour in response to faults
◦ timing requirements
◦ human machine interface
◦ normal and abnormal modes of operation
◦ bypass requirements
◦ etc.
Safety Integrity Requirements
◦ Safety Integrity Level for each SIF
◦ basis for SIL
◦ testing requirements
◦ special requirements to maintain SIL
◦ etc.

Cause-and-Effect Diagram

SIFs commonly documented by Cause and Effect diagrams
Should include required SIL somewhere – examples:

[Cause-and-effect table. Columns: Tag#, Description, SIF, Instrument Range, Trip Point, Units, CLOSE VALVE LZV-02, CLOSE VALVE UV-03A, CLOSE VALVE UV-03B, OPENS VALVE UV-03C, Set LIC 1 to MAN, OP=0. Rows as extracted:]
BS-01 Burner Loss of Flame 12 ~ ~ X X X
PSL-01 Fuel Gas Pressure Low ~ 7 X X X
LZHH-02 LPG Tank High High Level 13 0-3500 3200 mm 2 0


4 Design and Engineering

SIS vendor or contractor for logic solver
EPC contractor or end-user for field hardware

[IEC 61511 safety life-cycle figure repeated; see the Safety Lifecycle slide above]

Standards Compliance

Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ Random failure rate (PFDavg)
◦ Systematic Capability of each component


Types of failures

Random failures – components ("elements") wear out
◦ use high reliability components
◦ use redundant components
◦ test frequently
  ◦ automated and/or manual
Systematic failures – human error
◦ redundant components provide no protection!
◦ "techniques and measures" to
  ◦ avoid faults
  ◦ detect faults to avoid failures
◦ Functional Safety Management System
  ◦ quality system for functional safety

Control of systematic failures

For integration of components into a system (SIS):
◦ Functional Safety Management System (FSMS)
  ◦ for all phases of lifecycle including operation
  ◦ quality system for SIS
  ◦ verification, validation, audit and assessment
  ◦ can comply with either IEC 61511 or IEC 61508
Within each component:
◦ ensure quality design in accordance with IEC 61508
◦ ensure appropriate techniques and measures from IEC 61508 used for the SIL of the target SIF
◦ measured by the term "systematic capability"
  ◦ SC 1 to 4 corresponding to SIL 1 to 4
  ◦ Formerly called "SIL x Capability"
◦ independent certification or "prior use"


Measures to avoid or control failures

Systematic techniques to specify hardware and software requirements
Design requirements
Requirements management techniques
Revision control
Testing techniques
Documentation control
Project management
. . .

Functional Safety Management System

Quality system with safety aspects
Safety management system that includes:
◦ policy and strategy to achieve safety
◦ responsible persons, departments, organizations
◦ relationship between those responsible and allocation to safety lifecycle phases
◦ selected "techniques and measures"
◦ references to the deliverables
◦ the functional safety assessment process (Functional Safety Assessment Plan)
◦ procedures for ensuring prompt follow-up of actions from hazard and risk analysis, verification, validation etc.
◦ configuration and change management
◦ . . .


Competence must be managed

Competence of all involved, including management, shall be managed
◦ engineering knowledge, training and experience appropriate to the
  ◦ process technology
  ◦ SIS technology
  ◦ field devices used
  ◦ hazard & risk analysis
◦ knowledge of the legal and regulatory requirements
◦ relevant management and leadership skills
Appropriate to the
◦ potential consequence of the event
◦ SIL of the SIF
◦ novelty and complexity of the application and technology
Manage using a procedure and regular assessments
◦ e.g. competency matrix updated at annual performance reviews

SIL Verification

[P&ID repeated: 300t LPG tank, feed (P-1), product (P-2), PSV-1, LIC-1, high level alarm (H), level transmitter LZT 2, trip LZHH 2 (SIL 2)]
Does the design of SIF LZHH2 meet SIL 2?


Standards Compliance

[Requirements list repeated from the "Standards Compliance" slide above: target SIL per SIF from hazard and risk analysis; lifecycle processes must comply; each SIF must meet its target SIL for Hardware Fault Tolerance, random failure rate (PFDavg) and Systematic Capability]

Hardware Fault Tolerance

"Architectural constraints" in IEC 61508
Aim is to avoid unrealistic reliability claims from single components
Use IEC 61508-2 (Route 1H): constrains SIF architecture based on:
◦ Safe Failure Fraction
◦ complexity of device ("Type A" or "Type B")
◦ target SIL
OR use Table 6 in IEC 61511-1 2016 Ed. 2
◦ simplified, relaxes previous unrealistic restrictions
◦ based on IEC 61508 Route 2H
◦ see next slide
Outcome is required minimum Hardware Fault Tolerance (HFT)
◦ no. of voted devices minus no. required to perform safety function
◦ For MooN architecture, HFT = N - M


Case Study: Hardware Fault Tolerance

HFT per IEC 61511 Ed. 2 Table 6
Radar gauge, smart device assumptions
◦ Diagnostic Coverage > 60%
◦ We know λDU with confidence limit > 70%
◦ SIF operates in Low Demand mode
For SIL 2 min HFT = 0 (see below)
◦ Only one device required

| SIL | Mode | Minimum required HFT |
| 1 | Any | 0 |
| 2 | Low demand | 0 |
| 2 | High demand or continuous | 1 |
| 3 | Any | 1 |
| 4 | Any | 2 |

Safe Failure Fraction

Block valve, normally open & normally energized
In case of an out of control process, the valve has to close

[Figure: failure modes of the block valve. SAFE: closes spontaneously due to loss of energy. DANGEROUS: stuck at open. Each category is split into undetected failures and detected failures (detected by diagnostics / detected by voltage control). IEC 61508 defines SFF = (λS + λDD) / (λS + λDD + λDU): the share of all failures that are either safe or dangerous but detected, so only dangerous undetected failures count against it.]


Architectural Constraints – IEC 61508-2

Maximum SIL for a given Safe Failure Fraction and Hardware Fault Tolerance

Table 2: Type A Subsystems e.g. pressure switches
| Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2 |
| < 60% | SIL 1* | SIL 2* | SIL 3* |
| ≥ 60 < 90% | SIL 2 | SIL 3 | SIL 4 |
| ≥ 90 < 99% | SIL 3 | SIL 4 | SIL 4 |
| ≥ 99% | SIL 3 | SIL 4 | SIL 4 |

Table 3: Type B Subsystems e.g. logic solver, smart transmitters
| Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2 |
| < 60% | Not allowed | SIL 1 | SIL 2 |
| ≥ 60 < 90% | SIL 1* | SIL 2* | SIL 3* |
| ≥ 90 < 99% | SIL 2 | SIL 3 | SIL 4 |
| ≥ 99% | SIL 3 | SIL 4 | SIL 4 |

* IEC 61511-2003 HFT for field devices
For MooN, N - M = HFT

Case Study: Architectural Constraints

[P&ID repeated: 300t LPG tank, feed (P-1), product (P-2), PSV-1, LIC-1, high level alarm (H), LZT 2, LZHH 2]
Transmitter LZT 2 is a smart radar gauge
Can we use single transmitter to satisfy SIL 2?
Must also check for logic solver and valve


Case Study: Architectural Constraints

[Table 3 (Type B subsystems) repeated from the previous slide]
Smart Transmitter = Type B device
◦ use Table 3 in IEC 61508-2
Safe Failure Fraction = 91%
◦ from certificate
For SIL 2, required Hardware Fault Tolerance = 0
Therefore one transmitter (LZT 2) is ok for SIL 2
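The lookups behind the two architectural-constraint slides, as an added example (not the presentation's code): IEC 61508-2 Tables 2 and 3 as transcribed above, the IEC 61511 Ed. 2 Table 6 rows from the case-study slide, and HFT = N - M for MooN voting. The Type B, SFF 91%, single-transmitter figures are the case study's own; the Table 6 preconditions on the slide (diagnostic coverage, confidence in λDU) are assumed to hold.

```python
"""Added example (not from the presentation): architectural-constraint lookups
from the slides (IEC 61508-2 Route 1H tables, IEC 61511 Ed. 2 Table 6)."""

# Maximum SIL by HFT (index 0, 1, 2) for each SFF band, transcribed from the
# slides' Tables 2 and 3. None means "Not allowed". Each entry is
# (upper SFF bound, exclusive) -> SILs for HFT 0, 1, 2.
ROUTE_1H = {
    "A": [  # Type A subsystems, e.g. pressure switches (Table 2)
        (0.60, (1, 2, 3)),   # SFF < 60%
        (0.90, (2, 3, 4)),   # 60% <= SFF < 90%
        (0.99, (3, 4, 4)),   # 90% <= SFF < 99%
        (1.01, (3, 4, 4)),   # SFF >= 99%
    ],
    "B": [  # Type B subsystems, e.g. logic solver, smart transmitters (Table 3)
        (0.60, (None, 1, 2)),
        (0.90, (1, 2, 3)),
        (0.99, (2, 3, 4)),
        (1.01, (3, 4, 4)),
    ],
}

# IEC 61511-1 Ed. 2 Table 6 as shown on the slide: (SIL, mode) -> minimum HFT.
TABLE6_MIN_HFT = {
    (1, "any"): 0,
    (2, "low demand"): 0,
    (2, "high demand or continuous"): 1,
    (3, "any"): 1,
    (4, "any"): 2,
}


def hft_for_moon(m, n):
    """HFT of an MooN voted group: N devices fitted, M needed to perform the function."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    return n - m


def max_sil_route_1h(device_type, sff, hft):
    """Maximum SIL claimable for the subsystem under Route 1H (None = not allowed).
    sff is a fraction (0.91 for 91%)."""
    if hft not in (0, 1, 2):
        raise ValueError("the slides tabulate HFT 0, 1 and 2 only")
    for upper, sils in ROUTE_1H[device_type.upper()]:
        if sff < upper:
            return sils[hft]
    raise ValueError("SFF must be a fraction between 0 and 1")


def min_hft_61511(target_sil, mode):
    """Minimum HFT from IEC 61511-1 Ed. 2 Table 6; mode is 'low demand' or
    'high demand or continuous' (only SIL 2 depends on it)."""
    if (target_sil, "any") in TABLE6_MIN_HFT:
        return TABLE6_MIN_HFT[(target_sil, "any")]
    return TABLE6_MIN_HFT[(target_sil, mode)]


def subsystem_meets_sil(device_type, sff, m, n, target_sil):
    """Route 1H check: does an MooN group of this device satisfy the target SIL?"""
    best = max_sil_route_1h(device_type, sff, hft_for_moon(m, n))
    return best is not None and best >= target_sil


def case_study_lzt2():
    """Single smart radar gauge LZT 2 (Type B, SFF 91% from certificate), target SIL 2."""
    hft = hft_for_moon(1, 1)
    return {
        "hft": hft,
        "max_sil_route_1h": max_sil_route_1h("B", 0.91, hft),
        "min_hft_61511_table6": min_hft_61511(2, "low demand"),
        "single_transmitter_ok_for_sil2": subsystem_meets_sil("B", 0.91, 1, 1, 2),
    }
```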

Standards Compliance

[Requirements list repeated from the "Standards Compliance" slide above: target SIL per SIF from hazard and risk analysis; lifecycle processes must comply; each SIF must meet its target SIL for Hardware Fault Tolerance, random failure rate (PFDavg) and Systematic Capability]


SIL Verification

[P&ID repeated: 300t LPG tank, feed (P-1), product (P-2), PSV-1, LIC-1, high level alarm (H), LZT 2, LZHH 2 (SIL 2)]
What is the calculated "PFDavg" for SIF LZHH-2?

Safety Integrity Level vs. Risk Reduction
For Demand Mode SIFs only

[Table repeated from the "Safety Integrity Level vs. Risk Reduction" slide above; used here to read the SIL achieved from the calculated PFDavg]


Case Study: PFD Calculation

Test interval = 1 y
Reliability data:
◦ Valve: λDU = 1/20y (= 0.05 y^-1)
◦ Logic solver: λDU = 1/1000y (= 0.001 y^-1)
◦ Sensor: λDU = 1/100y (= 0.01 y^-1)
PFDavg = λDU x TI / 2
= 0.05 x 1 / 2 = 0.025 for valve
= 0.001 x 1 / 2 = 0.0005 for logic solver
= 0.01 x 1 / 2 = 0.005 for transmitter
Total PFDavg = 0.025 + 0.0005 + 0.005 = 0.0305
Calculated SIL = 1 (PFDavg range 0.01 – 0.1)
Required SIL = 2: Not OK!
How can this be fixed?

[SIF LZHH 2: transmitter LZT 2, logic solver, valve LZV 2]

Case Study: Adjust Test Interval

Test interval = 1 month
Reliability data:
◦ Valve: λDU = 1/20y (= 0.05 y^-1)
◦ Logic solver: λDU = 1/1000y (= 0.001 y^-1)
◦ Sensor: λDU = 1/100y (= 0.01 y^-1)
PFDavg = λDU x TI / 2
= 0.05 / 12 / 2 = 0.002 for valve
= 0.001 / 12 / 2 = 0.00004 for logic solver
= 0.01 / 12 / 2 = 0.0004 for transmitter
Total PFDavg = 0.002 + 0.00004 + 0.0004 = 0.00244
Calculated SIL = 2 (PFDavg range 0.001 – 0.01)
Required SIL = 2: OK
BUT operations object to monthly testing!

[SIF LZHH 2: transmitter LZT 2, logic solver, valve LZV 2]


Case Study: Duplicate Block Valves

Test interval = 1 year
Reliability data:
◦ Valve: λDU = 1/20y (= 0.05 y^-1)
◦ Logic solver: λDU = 1/1000y (= 0.001 y^-1)
◦ Sensor: λDU = 1/100y (= 0.01 y^-1)
For 2 valves 1oo2 voting: PFDavg = 0.0020 (was 0.025)
PFDavg = 0.0020 + 0.0005 + 0.005 = 0.0075
Calculated SIL = 2 (PFDavg range 0.001 – 0.01)
Required SIL = 2: OK

[SIF LZHH 2: transmitter LZT 2, logic solver, valves LZV 2A and LZV 2B]
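The three PFDavg scenarios of the case study (annual test, monthly test, duplicated 1oo2 valves) carried through in code, as an added example that is not from the presentation. Assumptions: the 1oo2 valve pair uses the simplified IEC 61508-6 formula with a common-cause factor β, and β = 5%, which the slide does not state, reproduces its 0.0020; for the monthly test the block keeps the valve term at 0.00208 where the slide rounds it to 0.002, so its total is 0.00254 rather than 0.00244, still SIL 2.

```python
"""Added example (not from the presentation): PFDavg of SIF LZHH-2 for the three
case-study scenarios. 1oo1 formula is the slide's; the 1oo2 formula and beta are
assumptions (see comments)."""

# Dangerous undetected failure rates per year, from the slides.
LAMBDA_DU = {"valve": 0.05, "logic_solver": 0.001, "sensor": 0.01}


def pfd_1oo1(lambda_du, ti_years):
    """Slide formula: PFDavg = lambda_DU x TI / 2 for a single element."""
    return lambda_du * ti_years / 2.0


def pfd_1oo2(lambda_du, ti_years, beta=0.05):
    """Simplified IEC 61508-6 1oo2 PFDavg with dangerous undetected failures only:
    independent part (1-beta)^2 * lambda^2 * TI^2 / 3 plus common cause
    beta * lambda * TI / 2. beta = 5% is an assumption, not a slide value."""
    independent = ((1.0 - beta) * lambda_du) ** 2 * ti_years ** 2 / 3.0
    common_cause = beta * lambda_du * ti_years / 2.0
    return independent + common_cause


def sil_achieved(pfd_avg):
    """SIL band for a calculated PFDavg per the slide's table (0 = BPCS range)."""
    for sil in (4, 3, 2, 1):
        if 10 ** -(sil + 1) <= pfd_avg < 10 ** -sil:
            return sil
    return 0


def sif_pfd(ti_years, valve_voting="1oo1"):
    """PFDavg of the SIF = sensor + logic solver + final element subsystems."""
    if valve_voting == "1oo1":
        valve = pfd_1oo1(LAMBDA_DU["valve"], ti_years)
    elif valve_voting == "1oo2":
        valve = pfd_1oo2(LAMBDA_DU["valve"], ti_years)
    else:
        raise ValueError("unsupported voting: " + valve_voting)
    sensor = pfd_1oo1(LAMBDA_DU["sensor"], ti_years)
    logic = pfd_1oo1(LAMBDA_DU["logic_solver"], ti_years)
    total = sensor + logic + valve
    return {"sensor": sensor, "logic_solver": logic, "valve": valve,
            "total": total, "sil": sil_achieved(total)}


def case_study():
    """The three slide scenarios: annual test, monthly test, duplicated valves."""
    return {
        "annual_1oo1": sif_pfd(1.0),            # slide: 0.0305, SIL 1, not OK
        "monthly_1oo1": sif_pfd(1.0 / 12),      # slide: 0.00244 (rounded), SIL 2
        "annual_1oo2_valves": sif_pfd(1.0, "1oo2"),  # slide: 0.0075, SIL 2
    }
```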

Standards Compliance

[Requirements list repeated from the "Standards Compliance" slide above: target SIL per SIF from hazard and risk analysis; lifecycle processes must comply; each SIF must meet its target SIL for Hardware Fault Tolerance, random failure rate (PFDavg) and Systematic Capability of each component]
How likely is it that each component is free from systematic faults ("bugs")?


Control of systematic failures

[Slide "Control of systematic failures" repeated from above: FSMS for integration of components into the SIS (all lifecycle phases including operation; verification, validation, audit and assessment; IEC 61511 or IEC 61508); within each component, quality design and techniques and measures per IEC 61508 for the target SIL, measured as "systematic capability" SC 1 to 4 (formerly "SIL Capability"), shown by independent certification or "prior use"]

Case Study: Transmitter Selection

Must control systematic faults
Transmitter selected must comply with IEC 61508 and IEC 61511
Must either:
be designed and manufactured in accordance with IEC 61508
◦ confirmed by independent certificate (e.g. by a "TÜV" or exida)
◦ Systematic Capability from 1 to 4
  ◦ i.e. techniques and measures are suitable for SIL 1 to 4
OR
meet requirements for Prior Use (or "proven in use"):
◦ sufficient experience gained in a comparable application
Best practice: require BOTH prior use and certification


Component Certification

An independent organisation certifies that the component meets the requirements of IEC 61508 for a particular SIL
◦ not only "TÜV"!!!
Parts 2 and 3 contain numerous "techniques and measures" required to avoid and control faults
◦ the rigour required increases with SIL
The aim is to reduce the likelihood of systematic faults to an acceptably low level relative to the SIL
The result is expressed as "Systematic Capability" or SC from 1 to 4
◦ corresponding to SIL 1 to 4
◦ was previously called "SIL Capability"
The certificate usually also includes failure data and whether the component is "Type A" or "Type B"
◦ details are in a companion report

Transmitter TÜV Certificate

Transmitter TÜV Certification

Prior Use (IEC 61511)

Requires that appropriate evidence is available that the component is suitable based on consideration of:
◦ the manufacturer's quality systems
◦ adequate identification of the devices
◦ demonstration of performance in similar operating environments
◦ the volume of operating experience
Focus is on demonstrating freedom from systematic faults
IEC 61508 term is "Proven in Use"
◦ more rigorous requirements


Standards Compliance

[Requirements list repeated from the "Standards Compliance" slide above: target SIL per SIF from hazard and risk analysis; lifecycle processes must comply; each SIF must meet its target SIL for Hardware Fault Tolerance, random failure rate (PFDavg) and Systematic Capability of each component]
Design now complies

5 Installation, Commissioning, Validation

Logic Solver installed with field equipment
Includes loop checking, validation and final functional safety assessment.

[IEC 61511 safety life-cycle figure repeated; see the Safety Lifecycle slide above]


Standards Compliance

[Requirements list repeated from the "Standards Compliance" slide above: target SIL per SIF from hazard and risk analysis; lifecycle processes must comply; each SIF must meet its target SIL for Hardware Fault Tolerance, random failure rate (PFDavg) and Systematic Capability of each component]
Verification, Validation, Functional Safety Assessment

Case Study: Verification and Validation

Project Verification and Validation Plan required
◦ Consider level of independence required (i.e. independent engineer)
◦ Define responsibilities
Verify each phase e.g.
◦ Verify Safety Requirements Specification
◦ Verify hardware design documents
◦ Verify functional specifications etc.
◦ Implement code walkthrough
Logic Solver Factory Acceptance Test
◦ Complete integration test validates application software on target hardware
Logic Solver Site Acceptance Test
◦ Power up test on site
Safety Function Testing
◦ SIS validation
Functional Safety Assessment
Note that terminology is from the ISO9000 discipline
◦ Some disciplines swap the meanings of "verification" and "validation"!


Verification... build the product right

"activity of demonstrating for EACH PHASE of the relevant safety life cycle by analysis and/or tests, that, for specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase" (IEC 61511 3.2.92)
Performed progressively throughout the lifecycle

Validation... build the right product

"activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration after installation meets in all respects the SAFETY REQUIREMENTS SPECIFICATION" (IEC 61511 3.2.91)
Performed prior to introducing the hazards to the process
Can take credit for software validation in Factory Acceptance Test (CDV)


Functional Safety Audit

"A systematic and independent examination to determine whether the PROCEDURES specific to the functional safety requirements to comply with the planned arrangements, are implemented effectively and are suitable to achieve the specified objectives". (IEC 61508-4 Ed.2 3.8.4 and IEC 61511-2003 3.2.27)
For either an organisation or a project

Functional Safety Assessment

"investigation, based on evidence, to JUDGE the functional safety achieved by one or more protection layers" (IEC 61511 3.2.26)
Judgement based on evidence
At least one required prior to hazard introduction, but may be progressive
Independence required
◦ Increases with SIL (IEC 61508)


6 Operations, Maintenance and Modification

The Cinderella Phases!
User must follow a Functional Safety Management System for the life of the SIS.

[IEC 61511 safety life-cycle figure repeated; see the Safety Lifecycle slide above]

Ops and Maintenance Obligations

Train operators & maintainers
Proof test each SIF at specified interval
Monitor design assumptions
◦ demand rates
◦ component reliability
Adjust test interval to suit
Control modifications
Ensure Maintenance and Operational Overrides are used as designed
Monitor and promptly follow up diagnostics


Case Study: Operation and Maintenance

[P&ID repeated: 300t LPG tank, feed (P-1), product (P-2), PSV-1, LIC-1, high level alarm (H), LZT 2, LZHH 2]
Risk analysis assumed:
◦ demand on SIF once per year
◦ what happens in practice?
SIL verification assumed:
◦ transmitter failure rate 0.01 y^-1
◦ what happens in practice?
Etc etc . . .
Must verify actual performance against assumptions and adjust testing as required
Documentation of assumptions is critical

[Layers of protection figure repeated: Control System (BPCS), Alarm LAH, SIF LZHH, Mechanical PSV, then the Hazardous Event!!; hazardous situation 1 per y, target 1 per 10,000 y, required x 10,000; Mechanical PSV x 100, SIF LZHH x 100 (SIL 2)]

Summary 1 – The SIS Lifecycle

[IEC 61511 safety life-cycle figure repeated; see the Safety Lifecycle slide above. Parties involved: Engineering Contractor, SIS Vendor, End User]


Summary 2 – Requirements

Target SIL must be specified for each SIF based on hazard and risk assessment
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ random failure rate (PFDavg)
◦ Systematic Capability of each component.
Not just TÜV certification
◦ though it helps!
Not just meeting PFDavg target
Don't forget spurious trip rate!

Need more?

IICA runs the following courses:
TÜV Rheinland Functional Safety Engineer course
◦ For those with 3+ years experience in functional safety
◦ Leads to Functional Safety Engineer (TÜV Rheinland) qualification
◦ Sydney 16-20 October 2017
◦ Melbourne June 2018 (exact date set Dec 2017)
ISA One-day Introduction to SIS
◦ runs on request
If interested please email [email protected]

Questions?