exida.com - excellence in dependable automation
Overview of IEC 61511
Functional Safety: Safety Instrumented Systems for the Process Industry Sector
Copyright © 2000, exida.com. All Rights Reserved
Version 1.0
Course Logistics
• Course materials & location
  – Handouts and course binder
  – Exercises, additional resources, instructional surveys, and progress reviews
  – Tent card, reference & training products / courses survey of M&C
• Course attendance & participation
  – Certificate of course completion
  – Continuing education units (CEU)
• Breaks
  – Lunch
  – Stretch, refreshment, etc.
• Personal belongings
exida Resources
• Books
• Application software
• Web-based online software
• Online discussion and knowledge base
• Online SIS engineering data
• Member newsletter
Phone (215) 896-7170 Internet address: [email protected]
www.exida.com
Course Development Team
• Developers: Edward M. Marszal, PE; Dr. William Goble; Rainer Faller
• Reviewers: Rachel Amkreutz; Harry Cheddie
Introduction of Course Participants
• Instructor
  – Name
  – Background/experience
• Classmates
  – Name, company, position
  – Background/experience
  – What would you like to get from this course?
General Course Objectives
• Understand the applicability, content, and benefits of using the IEC 61511 Standard
• Understand the Safety Lifecycle
• Understand the purpose and outputs of hazard and risk assessments
• Understand how risk is allocated to layers of protection and SIL are selected
• Understand safety requirements specification
General Course Objectives (cont’d)
• Develop an understanding of the tasks performed during the SIS design phase
• Understand FAT, Installation and Commissioning
• Understand the impacts of modification and decommissioning
• Develop a knowledge of functional safety management
Pre-Exercise
• Please complete the Pre-Exercise
• Answer questions to the best of your ability
• The results will help the instructor emphasize class content needed by class members
Performance Objectives Day 1
• Explain the applicability of IEC 61511
• Define and enumerate tasks associated with each phase of the safety lifecycle
• Understand hazards and risk analysis
• Understand risk and how it is allocated to layers of protection, including SIL selection
• Identify information required for safety requirements specification
Section 1: Introduction
• What is IEC 61511?
• When is IEC 61511 Applied?
• Relation to other standards
• Benefits
• Key Issues
What is IEC 61511?
• Process sector specific implementation of IEC 61508
• Sets minimum standards and performance levels for instrumentation used for safety
• Creates a rational and consistent approach to SIS engineering, called the “safety life cycle”
The standard is intended to lead to a high level of consistency within the process industries, which will have both safety and economic benefits.
What does the standard contain?
• Defines the relationship between IEC 61508 and IEC 61511
• Requires allocation of safety requirements to safety instrumented functions
• Relates safety functions to other functions
• Requires identification of safety requirements
• Specifies requirements for system architecture, hardware configuration, application software, and system integration
What does the standard contain? (continued)
• Specifies requirements for functional safety, but does not specify the responsibility for implementation
• Uses a safety life cycle, and defines a list of activities required for functional safety
• Requires hazard and risk assessment to identify safety requirements
• Establishes numerical targets for safety instrumented system performance
What does the standard contain? (continued)
• Specifies techniques/measures for achieving performance targets (Safety Integrity Levels)
• Provides a framework for establishing safety integrity levels
• Defines information needed during the safety life cycle
Technical Requirements
– Development of the overall safety requirements (concept, scope, definition, hazard and risk analysis): Clause 8
– Allocation of safety requirements and safety requirements specification: Clauses 9 and 10
– Design of safety instrumented systems: Clause 11
– Design of SIS software: Clause 12
– Factory acceptance test, installation, commissioning, and safety validation: Clauses 13 and 14
– Operation, maintenance, modification, retrofit, decommissioning, and disposal: Clauses 15 and 16
All technical requirements are listed in Part 1 of the Standard!
Support Parts
• References - Clause 2 (Part 1)
• Definitions and Abbreviations – Clause 3 (Part 1)
• Conformance - Clause 4 (Part 1)
• Management of Functional Safety – Clause 5 (Part 1)
• Information Requirements – Clause 17 (Part 1)
• Differences – Annex “A” (Part 1)
• Guidelines for the Application of Part 1 – Part 2
• Risk Based Approaches to the Development of Safety Integrity Requirements – Part 3
When do I apply IEC61511?
• When integrating instrumentation into a safety function in the process industries
  – Process industries include chemicals, oil refining, oil and gas production, pulp and paper, non-nuclear power generation, etc.
• When plant personnel, the public, or the environment are protected from a process plant incident by instrumented functions
• Techniques are applicable to asset protection, but not required
When must IEC 61508 be used instead of IEC 61511?
• When manufacturers wish to claim their devices are suitable for safety applications
• When “full variability” languages are used in a programmable system
How is it related to IEC 61508?
Process Sector Safety System Standard
Process sector hardware:
– Develop new hardware devices: follow IEC 61508
– Use proven-in-use hardware devices: follow IEC 61511
– Use hardware developed and validated according to IEC 61508: follow IEC 61511
Process sector software:
– Develop embedded (system) software: follow IEC 61508
– Develop application software using full variability languages: follow IEC 61508
– Develop application software using limited variability languages or fixed programs: follow IEC 61511
IEC 61511 vs. ISA S84: which one should I follow?
• IEC 61508 is a broad standard covering nuclear applications to toasters
• S84 is ANSI endorsed, covering the United States and Canada
• IEC 61508 stipulates S84 is the sector standard in the US
• IEC 61511 is expected to be ISO endorsed globally, and ANSI will drop S84 endorsement
• USE 61511!
IEC 61511 vs. ANSI/ISA S84.01: both are effectively the same
• Each of the steps required by S84 is also required by IEC 61511
• They are represented somewhat differently
  – 61511 does not show conceptual process design
  – S84 does not show Design and Development of Other Means of Risk Reduction
  – Multiple tasks in the S84 lifecycle are combined in a single task in the 61511 lifecycle
Benefits of Compliance
• Good engineering practice – compilation of best practices of industry by consensus
• Quality procedures specified by standards have proven to increase productivity, decrease cost of engineering, operation, and maintenance, and increase process up-time
• Safety life cycle procedures will decrease risk
• Compliance with legislation and regulation
Key issues
• Safety Lifecycle
• Hazard and Risk Analysis
• Quantitative Verification
• Management System
• Certification
Summary: Introduction
• What is IEC 61511?
• When is IEC 61511 Applied?
• Relation to other standards
• Benefits
• Key Issues
Section 2: The Safety Life Cycle
• Safety Lifecycle Objectives
• IEC 61511 Safety Lifecycle
• ANSI/ISA S84.01 Safety Lifecycle
• Lifecycle Phases
Safety Lifecycle Objectives
• To structure, in a systematic manner, the different phases in order to achieve the required functional safety of E/E/PES
• To document key information relevant to Functional Safety
• To provide a framework for safer, more reliable systems
• To reduce system implementation cost
IEC 61511 Safety Life Cycle
[Figure: the IEC 61511 safety lifecycle, with the following activities running across all phases]
– Management of Functional Safety and Functional Safety Assessment: Clause 5
– Safety Lifecycle Structure and Planning: Sub-clause 6.2
– Verification: Sub-clause 7, 12.7
ANALYSIS
– Risk Analysis and Protection Layer Design: Sub-clause 8
– Allocation of Safety Functions to Safety Instrumented Systems or Other Means of Risk Reduction: Sub-clause 9
– Safety Requirements Specification for the Safety Instrumented System: Sub-clause 10
REALIZATION
– Design and Development of Safety Instrumented System: Sub-clause 11
– Design and Development of Other Means of Risk Reduction: Sub-clause 9
– Installation, Commissioning, and Validation: Sub-clause 14
OPERATION
– Operation and Maintenance: Sub-clause 15
– Modification: Sub-clause 15.4
– Decommissioning: Sub-clause 16
Safety Life Cycle – ISA 84.01
[Figure: the ISA S84.01 safety lifecycle flowchart]
Start
→ Conceptual Process Design
→ Hazard Analysis / Risk Assessment
→ Develop non-SIS Layers
→ SIS Required? (No: go to Establish Operating and Maintenance Procedures; Yes: continue)
→ Define Target SIL
→ Develop Safety Specification
→ SIS Conceptual Design
→ SIS Detailed Design
→ SIS Installation, Commissioning and Pre-startup Acceptance Test
→ Establish Operating and Maintenance Procedures
→ Pre-startup Safety Review (Assessment)
→ SIS startup, operation, maintenance, periodic functional tests
→ Modify, Decommission? (Modify; Decommission → SIS Decommissioning)
Legend (shading not preserved in this transcript): Covered by S84.01; Not Covered by S84.01
Hazard / Risk Analysis
• Objective
  – Identify process hazards, estimate their risks and decide if that risk is tolerable
• Tasks
  – Hazard identification (e.g., HAZOP)
  – Analysis of likelihood and consequence
  – Consideration of non-SIS layers of protection
Lifecycle phase: Risk analysis and protection layer design (Subclause 8)
SIL Selection
• Objective
  – Specify the required risk reduction, or difference between existing and tolerable risk levels – in terms of SIL
• Tasks
  – Compare process risk against tolerable risk
  – Use decision guidelines to select required risk reduction
  – Document selection process
Lifecycle phase: Allocation of Safety Functions to Safety Instrumented Systems or Other Means of Risk Reduction (Subclause 9)
Safety Requirements Specification
• Objective
  – Specify all requirements of the SIS needed for detailed engineering and process safety information purposes
• Tasks
  – Identify and describe safety functions
  – Document SIL
  – Document action taken – logic, cause and effect diagram, etc.
Lifecycle phase: Safety Requirements Specification for the Safety Instrumented System (Subclause 10)
Conceptual / Detailed Design
• Objective
  – Select and configure equipment used in the SIS (including programming)
• Tasks
  – Specify system technology and architecture
  – Specify field instrumentation
  – Configuration / programming
  – Select vendors, review bids
Lifecycle phase: Design and Engineering of Safety Instrumented System (Subclauses 11, 12)
Installation and Commissioning
• Objective
  – Install equipment, after acceptance testing, and prepare for operation
• Tasks
  – Factory acceptance testing
  – Field and control room equipment installation
  – Confirm equipment operation
  – Instrumentation calibration
Lifecycle phase: Installation, Commissioning (Subclauses 13 and 14)
Safety Review / Validation
• Objectives
  – Verify that the SIS is designed, installed, and operating according to the Safety Requirements
• Tasks
  – Verify operation of field instruments
  – Validate logic and operation
  – Verify SIL of installed equipment
  – Produce OSHA and EPA required documentation
  – Certifications if required
Lifecycle phase: Validation (Subclause 13)
Operation and Maintenance
• Objective
  – Operate and maintain the SIS so that the specified SIL is maintained
• Tasks
  – Establish procedures for operating and maintaining the SIS
  – Perform periodic function test on an interval that allows the specified SIL to be achieved with the installed equipment
Lifecycle phase: Operation and Maintenance (Subclause 15)
Modification and Decommissioning
• Objective
  – Ensure changes to the system are safe and appropriately reviewed
• Tasks
  – Establish procedures for change management
  – Review safety functions prior to taking an SIS out of service
Lifecycle phase: Modification and Decommissioning (Subclauses 15.4 and 16)
Application Exercise 1
• Safety Life Cycle
  – List safety lifecycle tasks and responsibilities for completion in your organization
Summary: The Safety Life Cycle
• Safety Lifecycle Objectives
• IEC 61511 Safety Lifecycle
• ANSI/ISA S84.01 Safety Lifecycle
• Lifecycle Phases
Section 3: Hazard and Risk Analysis
• Objectives and Requirements
• Identifying Safety Instrumented Functions
• Process Hazards Analysis
Overview
• Objective
  – Identify hazardous events, quantify their risk, and identify required safety instrumented functions
• Inputs
  – Process design, equipment layout, staffing arrangement
• Outputs
  – A description of required safety instrumented functions
Objectives and Requirements
• Determine and document the hazards and hazardous events of the process and associated equipment
• Determine the sequence of events leading to the hazardous event
• Determine the process risks associated with the hazardous event - describing the consequence and likelihood and additional risk reduction required
• Determine the safety functions required to achieve the necessary risk reduction and how the requirements are allocated
• Determine if any of the safety functions are safety instrumented functions
How do you know when to apply a SIF?
• Process experience
  – Most process units are not new
  – Designers learn from past incidents and near-misses and incorporate prevention systems
• Process Hazards Analysis (PHA)
  – Organized and systematic study for identification and analysis of the significance of potential hazards
  – Proactive team effort identifies what could go wrong
How can I identify the SIF that should be used on my process?
• Review the design documentation
  – Process Hazards Analysis report
  – Process licensor P&IDs
  – Detailed design contractor P&IDs
Identifying SIF from PHA Reports: what does a PHA contain?
• There are a variety of PHA methods
  – Hazard and Operability Studies (HAZOP)
  – Checklist
  – What-if?
  A PHA will use various techniques to identify hazards
• Discussions of hazards include consequences and safeguards (both SIS and non-SIS)
• Additional safeguards may be recommended
Summary: Hazard and Risk Analysis
• Objectives and Requirements
• Identifying Safety Instrumented Functions
• Process Hazards Analysis
Section 4: Requirement Allocation / SIL Selection
• Objectives and Requirements
• Risk / Risk Reduction
• Consequence Analysis
• Likelihood Analysis
• SIL Selection
Overview
• Objective
  – Allocation of safety functions to protective layers and, for each SIF, the associated Safety Integrity Level (SIL)
• Inputs
  – A description of the SIF and hazards requiring risk reduction
• Outputs
  – Description of allocation of safety requirements, including SIL
Risk Terms: Risk and Hazard
• The objective of the SIS is to reduce the risk of the hazards in a process to a tolerable level
  – Risk – combination of the probability of occurrence of harm and the severity of that harm
  – Harm – physical injury or damage to the health of people either directly, or indirectly as a result of damage to property or the environment
  – Hazard – potential source of harm
Risk Terms: Tolerable Risk
• The risk reduction the SIF must provide is the difference between process risk and tolerable risk
  – Process Risk – risk arising from the process conditions caused by abnormal events
  – Tolerable Risk – risk which is accepted in a given context based on the current values of society
  – Necessary Risk Reduction – the risk reduction required to ensure that the risk is reduced to a tolerable level
Risk Reduction - ALARP
[Figure: a risk scale running from High Risk down to Negligible Risk, divided into the Intolerable Region, the ALARP or Tolerable Region, and the Broadly Acceptable Region]
Risk Reduction - putting it in context
• Examples of fatality risk figures (cpm = chances per million of the population per year)
  – Road accident: 100 cpm (1.0x10^-4/yr)
  – Car accident: 150 cpm (1.5x10^-4/yr)
  – Accident at work: 10 cpm (1.0x10^-5/yr)
  – Falling aircraft: 0.02 cpm (2.0x10^-8/yr)
  – Lightning strike: 0.1 cpm (1.0x10^-7/yr)
  – Insect/snake bite: 0.1 cpm (1.0x10^-7/yr)
  – Smoking (20 per day): 5000 cpm (5.0x10^-3/yr)
Risk Reduction – ALARP: Quantitative Risk Guidance
[Figure: the same ALARP scale from High Risk to Negligible Risk with numerical boundaries]
– Intolerable Region: above 10^-3/yr (workers), 10^-4/yr (public)
– ALARP or Tolerable Region: between the two boundaries
– Broadly Acceptable Region: below 10^-5/yr (workers), 10^-6/yr (public)
Numerical targets for tolerable risk are from the HSE Tolerability of Risk guidance.
[Figure: risk plotted as Likelihood against Consequence, with Increasing Risk along the diagonal and the Unacceptable Risk Region, ALARP Risk Region and Acceptable Risk Region marked. Starting from the Inherent Risk of the Process (i.e., no mitigation), non-SIS consequence reduction (e.g., containment dikes) moves the point along the consequence axis and non-SIS likelihood reduction (e.g., relief valves) along the likelihood axis, giving the Risk after non-SIS Mitigation. The SIS Risk Reduction (Effect of SIS) then lowers the likelihood in bands marked SIL 1, SIL 2 and SIL 3 to reach the Final Risk after Mitigation.]
How do I analyze likelihood?
• Likelihood analysis can be performed in a number of ways
  – Qualitative estimation - expert judgement
  – Quantitative - statistical analysis
  – Quantitative – fault propagation modeling
• Result is the frequency of the unwanted event
Fault Propagation Modeling
• Used when statistical analysis alone is inadequate
• Analyze chain-of-events that leads to an accident
• Use failure data of individual components not entire system
• Combine failures using probability logic
Layer of Protection Analysis
[Figure: protection layers drawn as concentric rings around the normal behaviour of the process value]
PREVENTION
– Process control layer: Basic Process Control System, process alarm, Operator Intervention
– Safety layer: Safety Instrumented System, trip level alarm, Process shutdown, Emergency Shut Down
MITIGATION
– Active protection layer: Relief valve, Rupture disk
– Passive protection layer: Dike
– Emergency response layer: Plant and Emergency Response
How do I analyze consequences?
• Consequence analysis can be performed in a number of ways
  – Qualitative estimation - expert judgement
  – Semi-quantitative - risk indices
  – Quantitative - statistical analysis
  – Quantitative - hazardous potential release modeling
Consequence Analysis Results
• Size of impact zone and occupancy of that zone are combined for probable loss
• Result depends on consequence of concern, typically probable loss of life and probable injury
Typical consequence analysis results for a toxic chemical release [figure: an Injury Zone and a Fatality Zone drawn to scale, with dimensions of 87 meters, 112 meters, 23 meters and 9 meters]
– Probable Loss of Life: 0.27
– Probable Injuries: 2.56
Assigning SIL - Qualitative
[Figure: a Risk Matrix and a Risk Graph. The risk graph branches on consequence (CA, CB, CC, CD), frequency of exposure (FA, FB) and probability of avoidance (PA, PB) into rows X1 to X6, read against demand-rate columns W3, W2, W1; the entries are ---, a, 1, 2, 3, 4 and b. The risk matrix cells read NR, 1, 2, 3 and 3*.]
Legend: --- = No safety requirements; a = No special safety requirements; b = A single E/E/PES is not sufficient; 1, 2, 3, 4 = Safety Integrity Level
Assigning SIL - Quantitative
• Risk is frequency times consequence
• Tolerable risk for an event can be expressed as a frequency by considering the consequence
• Necessary risk reduction can be calculated and expressed as an allowable frequency of failure of the SIS
• The allowable failure frequency (i.e., the required PFDavg or risk reduction factor) is converted to a SIL using the tables in the standard
Safety Integrity Levels
Safety Integrity Level : Average probability of failure on demand, PFDavg (demand mode of operation) : Risk Reduction Factor
SIL 4 : >= 10^-5 to < 10^-4 : 100000 to 10000
SIL 3 : >= 10^-4 to < 10^-3 : 10000 to 1000
SIL 2 : >= 10^-3 to < 10^-2 : 1000 to 100
SIL 1 : >= 10^-2 to < 10^-1 : 100 to 10
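A worked quantitative SIL selection, added here as an example (it is not part of the exida course material), that carries the arithmetic of the preceding slides through in code: the initiating event frequency is reduced by each independent non-SIS protection layer and by conditional modifiers, the result is compared with the tolerable frequency, and the required risk reduction factor is mapped onto the SIL bands of the table above. Every frequency, layer PFD and tolerable target in the sample scenario is a constructed assumption, as are the function and class names.

```python
"""Quantitative SIL selection (LOPA-style), as an added example.

Demand-mode SIL bands from the IEC 61511 table above:
  SIL 1: 1e-2 <= PFDavg < 1e-1   (RRF 10 .. 100)
  SIL 2: 1e-3 <= PFDavg < 1e-2   (RRF 100 .. 1000)
  SIL 3: 1e-4 <= PFDavg < 1e-3   (RRF 1000 .. 10000)
  SIL 4: 1e-5 <= PFDavg < 1e-4   (RRF 10000 .. 100000)
All numeric inputs in the sample scenario are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List

# (SIL, lower PFDavg bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_for_pfd(pfd_target: float) -> int:
    """Map a required PFDavg to the demand-mode SIL that delivers it.

    Returns 0 when PFDavg >= 0.1 (less than a factor-of-10 reduction is
    needed, so no SIF is required for this scenario). A target below 1e-5
    lies beyond SIL 4 and is an error: change the process or add non-SIS
    layers rather than specifying an SIS to cover it.
    """
    if pfd_target >= 1e-1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_target < upper:
            return sil
    raise ValueError(f"required PFDavg {pfd_target:.2e} is beyond SIL 4")


@dataclass
class Scenario:
    """One hazardous event and the protection layers that precede the SIF."""
    initiating_event_freq: float                                   # events per year
    ipl_pfds: List[float] = field(default_factory=list)            # non-SIS layers: BPCS, operator, relief ...
    conditional_modifiers: List[float] = field(default_factory=list)  # P(ignition), occupancy, P(fatality) ...
    tolerable_freq: float = 1e-5                                   # tolerable frequency of the consequence, /yr

    def mitigated_freq(self) -> float:
        """Frequency of the consequence after the non-SIS layers and the
        conditional modifiers (the 'risk after non-SIS mitigation')."""
        freq = self.initiating_event_freq
        for factor in self.ipl_pfds + self.conditional_modifiers:
            if not 0.0 < factor <= 1.0:
                raise ValueError(f"layer PFD / modifier must be in (0, 1]: {factor}")
            freq *= factor
        return freq

    def required_rrf(self) -> float:
        """Necessary risk reduction = mitigated frequency / tolerable frequency."""
        return self.mitigated_freq() / self.tolerable_freq

    def required_sil(self) -> int:
        rrf = self.required_rrf()
        if rrf <= 1.0:
            return 0                      # already tolerable without an SIF
        return sil_for_pfd(1.0 / rrf)

    def residual_freq_with_sif(self, sif_pfd: float) -> float:
        """Frequency once an SIF with the given PFDavg is added as a further layer."""
        return self.mitigated_freq() * sif_pfd


# Constructed sample (assumptions, not course data): vessel overpressure.
#  - BPCS pressure loop failure as initiating event: 1 per year
#  - independent high-pressure alarm with operator response: PFD 0.1
#  - probability of ignition 0.1, occupancy 0.5, probability of fatality 0.5
#  - tolerable individual fatality frequency: 1e-5 per year (worker target)
EXAMPLE = Scenario(
    initiating_event_freq=1.0,
    ipl_pfds=[0.1],
    conditional_modifiers=[0.1, 0.5, 0.5],
    tolerable_freq=1e-5,
)

if __name__ == "__main__":
    rrf = EXAMPLE.required_rrf()
    print(f"mitigated frequency  {EXAMPLE.mitigated_freq():.2e} /yr")
    print(f"required RRF         {rrf:.0f}  -> PFDavg target {1 / rrf:.2e}")
    print(f"required SIL         {EXAMPLE.required_sil()}")
```

For the sample the mitigated frequency is 2.5x10^-3/yr against a target of 10^-5/yr, so the SIF must supply an RRF of 250 (PFDavg 4x10^-3), which falls in the SIL 2 band. The same scenario with a tolerable frequency of 10^-2/yr needs no SIF at all, which is the "SIS Required? No" branch of the S84 lifecycle.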
Summary: Requirement Allocation / SIL Selection
• Objectives and Requirements
• Risk / Risk Reduction
• Consequence Analysis
• Likelihood Analysis
• SIL Selection
Section 5: Safety Requirements Specification
• Objectives and Requirements
• Safety Instrumented Functions
• Logic Description Techniques
Overview
• Objective
  – Specify requirements of each SIF of a SIS, including functional and safety integrity requirements
• Inputs
  – Description of allocation of safety requirements
• Outputs
  – SIS safety requirements; software safety requirements
Objectives
• Define the requirements of the SIS
  – Requirements spelled out for EACH SIF
  – Includes functional requirements, “What does the system do”
  – Includes performance requirements, “How well does the system perform these functions” – in this case Safety Integrity Level (SIL)
Requirements
• The SRS shall contain:
  – A description of all the safety instrumented functions necessary to achieve the required functional safety
  – Requirements sufficient to design the SIS
  – A definition of any individually safe process states which, when occurring concurrently, create a separate hazard (e.g., overload of emergency storage, relief, flare systems)
Requirements
• The SRS shall contain:
  – The assumed sources of demand and demand rate on the safety instrumented function
  – Requirement for proof test intervals
  – Response time requirements for the SIS to bring the process to a safe state
  – The safety integrity level for each safety instrumented function
  – A description of SIS process measurements and their trip points
Requirements
• The SRS shall contain:
  – A description of SIS process output actions
  – A functional relationship between process inputs and outputs, including logic, mathematical functions, and any required permissives
  – Requirements for manual shutdown
  – Requirements for resetting the SIS after a shutdown
  – Maximum allowable spurious trip rate
Requirements
• The SRS shall contain:
  – Failure modes and desired response of the SIS (for example, alarms, automatic shutdown, etc.)
  – Any specific requirements related to the procedures for starting up and restarting the SIS
  – All interfaces between the SIS and any other system
  – A description of the modes of operation of the plant and identification of safety instrumented functions required to operate within each mode
Requirements
• The SRS shall include:
  – The application software requirements
  – Requirements for overrides / inhibits / bypasses
  – The specification of any action necessary to achieve or maintain a safe state in the event of fault(s) being detected in the SIS
  – The minimum and worst-case repair time for the SIS
  – Dangerous combinations of output states of the SIS must be addressed
Safety Instrumented Function
[Figure: a SIF comprises sensors, a logic solver and final elements; the drawing shows six loops (Loop 1 to Loop 6) passing through two Logic Solvers, each loop running from its sensors through the logic solver to its final elements]
Methods for Logic Specification
• Cause and Effect Diagram [figure: a matrix with causes PSLL-0203, BSL-0252 and XL-0288 as rows and effects PSV-1201, PSV-1234, XV-1217 and XJ-1217 as columns (tag numbers partly garbled in this transcript); an X marks each cause-effect pair]
• Binary Logic Diagram [figure: PSL-101 and LSL-105 feed an OR gate whose output drives HY-415]
• Plain Text: “Low Pressure or Low Level, indicated by de-energization of the inputs from LSL-105 and PSL-105, shall de-energize output HY-415 causing the shutoff valve to close.”
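As an added example (not from the course), the cause-and-effect logic of the slide's plain-text statement executed in code. The tag names PSL-101, LSL-105 and HY-415 are the ones in the slide's binary logic diagram; the bypass handling and all function names are assumptions. The point a cause-and-effect matrix leaves implicit is the signal convention: in a de-energize-to-trip design an input that is de-energized (or absent, e.g. because of a broken wire) means "trip", and an output is held energized only while every cause mapped to it is healthy, so a lost signal fails toward the safe state rather than away from it.

```python
"""Cause-and-effect matrix evaluation with de-energize-to-trip semantics.

Added example, not part of the course material. Tags are taken from the
slide's binary logic diagram; the bypass handling and all function names
are assumptions for illustration.
"""
from typing import Dict, Optional, Set

# Effect -> set of causes. An 'X' in the matrix row for a cause marks the
# effect it triggers; here HY-415 (solenoid on the shutoff valve) is
# de-energized on low pressure OR low level.
CAUSE_EFFECT_MATRIX: Dict[str, Set[str]] = {
    "HY-415": {"PSL-101", "LSL-105"},
}

# Inputs are wired de-energize-to-trip: True = energized = healthy,
# False = de-energized = trip condition present.
Inputs = Dict[str, bool]


def input_healthy(inputs: Inputs, tag: str) -> bool:
    """A missing or None reading is treated as de-energized (fail-safe)."""
    return inputs.get(tag) is True


def bypass_permitted(effect: str, bypassed: Set[str]) -> bool:
    """At least one cause must remain in the vote; bypassing every cause of an
    effect would disable the safety function outright."""
    return bool(CAUSE_EFFECT_MATRIX[effect] - bypassed)


def evaluate_outputs(inputs: Inputs, bypassed: Optional[Set[str]] = None) -> Dict[str, bool]:
    """Return the energized (True) / de-energized (False) state of every effect.

    An output stays energized only if every non-bypassed cause mapped to it
    is healthy. A bypass removes one cause from the vote (for proof testing
    or maintenance); per the SRS requirements it must be alarmed and
    time-limited, which is outside this function.
    """
    bypassed = bypassed or set()
    outputs: Dict[str, bool] = {}
    for effect, causes in CAUSE_EFFECT_MATRIX.items():
        if not bypass_permitted(effect, bypassed):
            raise ValueError(f"all causes of {effect} bypassed: SIF would be disabled")
        active = causes - bypassed
        outputs[effect] = all(input_healthy(inputs, cause) for cause in active)
    return outputs


def trip_demanded(inputs: Inputs, bypassed: Optional[Set[str]] = None) -> bool:
    """True when HY-415 is de-energized, i.e. the shutoff valve is driven closed."""
    return not evaluate_outputs(inputs, bypassed)["HY-415"]


if __name__ == "__main__":
    # Constructed readings: normal, low pressure, and a lost LSL-105 signal.
    for name, readings in [("normal", {"PSL-101": True, "LSL-105": True}),
                           ("low pressure", {"PSL-101": False, "LSL-105": True}),
                           ("LSL-105 wire broken", {"PSL-101": True})]:
        print(f"{name:20s} trip={trip_demanded(readings)}")
```

Note what the last case shows: a broken wire on LSL-105 closes the valve, which is the intended fail-safe behaviour for a de-energize-to-trip loop; an energize-to-trip loop would need the circuit-integrity monitoring called for later in the design section to detect the same fault.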
Application Exercise 4
• Safety Requirements Specification
  – Review a sample safety requirements specification to determine if it is complete
Summary: Safety Requirements Specification
• Objectives and Requirements
• Safety Instrumented Functions
• Logic Description Techniques
Daily Progress Review
• Were today’s objectives clearly covered?
• Did today’s presentation / activities meet your goals?
• Was the level and pace of instruction right for you?
Performance Objectives Day 2
• Identify the tasks performed during SIS design and engineering
• Understand factory acceptance testing, installation and commissioning
• Understand modification and decommissioning
• Understand the management tasks and requirements for functional safety
Section 6: SIS Design and Engineering
• System Technology and Architecture
• Field Device Considerations
• Interfaces and Communication
• Probability of Failure
Design
• Choose technology - relays, PLC, safety PLC
• Choose sensors - switch, analog transmitter, safety rated transmitter
• Select level of system integration, communications needs
• Design the startup and shutdown logic
• Design logic to implement safety requirements
Failure Modes
• With a safety system, the failure mode counts! Two failure modes are significant:
• Safe failures
  – initiating
  – spurious
  – costly downtime
• Dangerous failures
  – inhibiting
  – potentially dangerous
  – must find by testing
Technology: Relay Systems (hardwired logic, inherently fail-safe logic)
• Relays/modules perform logic
• Reprogrammed by rewiring
Considerations
• Nuisance trips
• No diagnostics on relays
• Complexity of large systems
• Reprogramming
• Documentation
• High cost of ownership
Advantages
• Fail-safe for special relays and inherent fail-safe logic
• Low initial cost
Technology: Programmable Electronic Systems
• Microcomputers perform the logic
• I/O modules sense inputs and generate outputs
Considerations:
1. Fail-danger failure modes
2. Software unpredictability
3. Communications security
4. Cost
Advantages:
1. Diagnostics
2. Flexibility, modular
3. Cabinet space savings
4. Calculation capability
5. Communications
6. Documentation
General Requirements
• Design in accordance with SRS
• Common components designed to the highest SIL of all SIF
• Separate BPCS and SIS
• Requirements for maintenance and testing should be considered
• Manual means of activating final elements should be provided
Fault Tolerance Requirements

• Fault tolerance: the ability of a functional unit to continue to perform a required function in the presence of faults and errors

Minimum hardware fault tolerance and typical architecture by SIL:

                   Simple devices                   Complex devices
Integrity level    Min. fault tol.  Typical arch.   Min. fault tol.  Typical arch.
SIL 1              0                Single, 1oo1    0                Single, 1oo1
SIL 2              0                Single, 1oo1    1                1oo2, 2oo3
SIL 3              1                1oo2, 2oo3      2                1oo3
SIL 4              2                1oo3            Special requirements apply
Selection of Components and Sub-systems

• Designed in accordance with IEC 61508-2 and -3
  – e.g., TÜV approval
• "Proven in use"
  – Consideration of the manufacturer's quality management
  – Consideration of the performance of the device in a similar "operating profile"
  – Sufficient operational time is required to establish a claimed failure rate to a single-sided confidence limit of at least 70%
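The 70% single-sided confidence limit above is a statistical test on field data. As an added worked example (this is not part of the exida course material and not exida's own tool), the following Python applies the standard chi-square bound for a constant failure rate observed for a fixed time: with n failures in T device-hours, the upper bound at single-sided confidence c is λ_upper = χ²(c; 2n+2) / (2T); with zero failures and c = 0.70 this reduces to λ_upper ≈ 1.20 / T. The device counts, hours and claimed rates in the script are constructed inputs, not real field data.

```python
"""Added example (not from the course): single-sided upper confidence bound on a
failure rate from field experience, used to judge a "proven in use" claim.
For n failures observed in T device-hours of a constant-failure-rate population,
lambda_upper = chi2(c, 2n + 2) / (2T) at single-sided confidence c.
Device counts and hours below are constructed, not real field data."""
import math


def chi2_cdf_even_dof(x, dof):
    """CDF of a chi-square variable with even dof = 2k.
    Uses the identity P(chi2_2k <= x) = 1 - P(Poisson(x/2) <= k - 1),
    so no scipy is needed."""
    k = dof // 2
    y = x / 2.0
    term = math.exp(-y)
    total = term
    for i in range(1, k):
        term *= y / i
        total += term
    return 1.0 - total


def chi2_quantile_even_dof(p, dof, tol=1e-10):
    """Inverse CDF by bisection (dof is always even here: 2n + 2)."""
    if dof % 2 or dof < 2:
        raise ValueError("dof must be a positive even integer")
    lo, hi = 0.0, 1.0
    while chi2_cdf_even_dof(hi, dof) < p:
        hi *= 2.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if chi2_cdf_even_dof(mid, dof) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def upper_failure_rate(failures, device_hours, confidence=0.70):
    """Single-sided upper bound on the failure rate (per hour)."""
    if device_hours <= 0:
        raise ValueError("device_hours must be positive")
    return chi2_quantile_even_dof(confidence, 2 * failures + 2) / (2.0 * device_hours)


def hours_required(claimed_rate, failures=0, confidence=0.70):
    """Device-hours needed to support claimed_rate at the given confidence,
    assuming no more than `failures` failures occur in that time."""
    return chi2_quantile_even_dof(confidence, 2 * failures + 2) / (2.0 * claimed_rate)


def proven_in_use(claimed_rate, failures, device_hours, confidence=0.70):
    """True when the operating record supports the claimed rate at the confidence."""
    return upper_failure_rate(failures, device_hours, confidence) <= claimed_rate


if __name__ == "__main__":
    # Constructed record: 200 transmitters, 3 years each, no dangerous failures.
    hours = 200 * 3 * 8760
    print(f"0 failures in {hours} device-hours: lambda_upper = "
          f"{upper_failure_rate(0, hours):.2e} /h at 70% confidence")
    for claimed in (5e-7, 1e-7):
        print(f"claim {claimed:.0e} /h supported: {proven_in_use(claimed, 0, hours)}; "
              f"hours needed: {hours_required(claimed):.2e}")
```

The bound is conservative in the right direction: a short record with no failures does not prove a low rate, it only caps the rate at roughly 1.2/T, so the check fails until enough device-hours have accumulated. Note that each additional observed failure raises the bound (for one failure the numerator grows from about 1.20 to about 2.44), so failure reporting discipline in the field is what makes a "proven in use" claim defensible.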
Field Devices

• If energize-to-trip is used, a method must be applied to ensure circuit integrity (an open circuit or lost supply in an energize-to-trip loop would otherwise prevent the trip)
• Each device shall have its own dedicated wiring, except:
  – Multiple switches in series indicating the same condition
  – Multiple final elements on a single output
  – A digital bus system meeting the performance requirements of the SIF
• Smart sensors shall be write-protected against remote changes to their configuration
Interfaces

• Operator interface shall indicate:
  – That an SIS protective action has occurred
  – That protective functions have been bypassed
  – Status of sensors and final elements, including failures and diagnostics
• Maintenance/engineering interface provides:
  – SIS operating information including diagnostics, voting and fault handling, for troubleshooting
  – The ability to add, delete, or modify application software
SIF Probability of Failure

• Check the reliability / safety metrics for each safety instrumented function
• Verify that PFDavg meets the target SIL range
• If necessary, change the technology, equipment, or architecture
• Document all results
Factors affecting SIF Failure Probability

• SIF architecture
• Failure rates of subsystems
• Susceptibility to common cause failure
• Diagnostic coverage of testing
• Proof test intervals
• Repair times (diagnosis + repair)
• Climatic and mechanical conditions
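The verification step ("verify that PFDavg meets the target SIL range; if necessary change the architecture") can be scripted. The following Python is an added example, not exida's software and not from the course: it combines the minimum hardware fault tolerance table from this section with the simplified low-demand PFDavg approximations (1oo1: λDU·TI/2; 1oo2: (λDU·TI)²/3; 2oo3: (λDU·TI)²; 1oo3: (λDU·TI)³/4, each plus a beta-factor common cause term), and compares the result with the IEC 61511 low-demand SIL bands. The failure rate, proof test interval and beta value are constructed inputs, and the approximations assume λDU·TI is small and proof tests are perfect.

```python
"""Added example: checking a SIF design against its target SIL.

Combines the minimum hardware fault tolerance table from this section with
simplified low-demand PFDavg approximations (valid when lam_du * TI << 1).
The failure rate, test interval and beta values below are constructed inputs.
"""

# Low-demand SIL bands: PFDavg in [lower, upper), from IEC 61511-1.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Minimum hardware fault tolerance (simple device, complex device) per target SIL,
# as tabulated on the slide above. None: special requirements apply, not handled here.
MIN_HFT = {1: (0, 0), 2: (0, 1), 3: (1, 2), 4: (2, None)}


def hardware_fault_tolerance(arch):
    """An MooN vote keeps working with up to N-M channels failed dangerous."""
    m, n = (int(s) for s in arch.split("oo"))
    return n - m


def pfd_avg(arch, lam_du, ti_hours, beta=0.0):
    """Simplified PFDavg approximations (ISA-TR84.00.02 style) for common votes.

    lam_du:   dangerous undetected failure rate per channel, per hour
    ti_hours: proof test interval in hours (tests assumed perfect)
    beta:     fraction of dangerous failures that are common cause
    """
    x = lam_du * ti_hours                  # includes the common-cause share
    xi = (1.0 - beta) * lam_du * ti_hours  # independent share only
    common = beta * x / 2.0                # common-cause term behaves like a 1oo1 leg
    if arch == "1oo1":
        return x / 2.0
    if arch == "1oo2":
        return xi ** 2 / 3.0 + common
    if arch == "2oo3":
        return xi ** 2 + common
    if arch == "1oo3":
        return xi ** 3 / 4.0 + common
    raise ValueError(f"unsupported architecture {arch}")


def sil_from_pfd(pfd):
    """Highest SIL whose band upper limit pfd stays below (values under 1e-5 report
    as SIL 4); 0 if PFDavg >= 0.1, where no SIL credit can be claimed."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_BANDS[sil][1]:
            return sil
    return 0


def check_design(target_sil, arch, complex_device, lam_du, ti_hours, beta):
    """Verify both the fault tolerance and the PFDavg requirement for a SIF design."""
    min_hft = MIN_HFT[target_sil][1 if complex_device else 0]
    hft_ok = min_hft is not None and hardware_fault_tolerance(arch) >= min_hft
    pfd = pfd_avg(arch, lam_du, ti_hours, beta)
    pfd_ok = pfd < SIL_BANDS[target_sil][1]
    return {
        "pfd_avg": pfd,
        "achieved_sil": sil_from_pfd(pfd),
        "hft_ok": hft_ok,
        "pfd_ok": pfd_ok,
        "meets_target": hft_ok and pfd_ok,
    }


if __name__ == "__main__":
    # Constructed inputs: lam_du = 5e-7 /h per channel, annual proof test, beta = 5 %.
    lam_du, ti, beta = 5e-7, 8760.0, 0.05
    for arch in ("1oo1", "1oo2", "2oo3", "1oo3"):
        r = check_design(2, arch, True, lam_du, ti, beta)
        print(f"SIL 2 target, {arch}: PFDavg={r['pfd_avg']:.2e} "
              f"(SIL {r['achieved_sil']} band) HFT ok={r['hft_ok']} -> {r['meets_target']}")
    # Halving the proof test interval halves the 1oo1 PFDavg (a lever listed above).
    print(f"1oo1 at TI/2: PFDavg={pfd_avg('1oo1', lam_du, ti / 2):.2e}")
```

Two things the script makes visible that a PFDavg number alone hides: a 1oo1 complex device can sit comfortably inside the SIL 2 band on PFDavg and still fail the design because the fault tolerance row demands HFT 1, and once redundancy is added the common cause term β·λDU·TI/2 dominates, so the achieved integrity is set by β (separation, diversity, installation quality) far more than by the vote.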
Probability of Failure Modeling Methods

• Fault Tree Analysis
• Markov Analysis
• Block Diagram

[Figure: λDU and the three modeling methods]
Application Exercise 5

• SIS Design and Engineering Principles
  – Demonstrate some principles of SIS design engineering
Summary: SIS Design and Engineering

• System Technology and Architecture
• Field Device Considerations
• Interfaces and Communication
• Probability of Failure
Section 7: FAT, Installation and Commissioning

• Objectives and Requirements
• Factory Acceptance Testing
• Commissioning Activities
• Validation (PSAT)
Overview

• Objectives
  – Integrate and test the SIS
  – Validate that the SIS meets the requirements of the SRS
• Inputs
  – SIS design, SIS test plan, SIS safety requirements, validation plan
• Outputs
  – Fully functioning SIS in conformance with the SRS
  – Validation of the SIS
Factory Acceptance Testing

• If required, the FAT is specified in the SRS
• The FAT proceeds according to a written plan
• The FAT should be documented
  – If a failure occurs, the reason for the failure, the corrective action and the re-test should be documented

The objective of a Factory Acceptance Test (FAT) is to test the logic solver and its associated software together to ensure that they satisfy the requirements defined in the Safety Requirements Specification. By testing the logic solver and associated software before installation in the plant, errors can be readily identified and corrected.
Commissioning Activities

• SIS components installed per design
• Grounding properly connected
• Energy sources connected and operational
• No physical damage present
• All instruments calibrated
• All devices operational
• Logic solver inputs/outputs operational
• Interfaces operational
Validation: Pre-Startup Safety Acceptance Test

• The validation or PSAT will consist of the following activities
  – The SIS performs under all normal and abnormal modes as identified in the SRS
  – Confirmation that adverse interaction of the BPCS and other systems does not affect the proper operation of the SIS
  – The proper shutdown sequence is achieved
  – The SIS communicates properly
  – Sensors, logic solvers, and actuators perform according to the SRS
  – Confirmation of proper SIS operation on a bad process value (bad PV) from a sensor
  – The proper shutdown sequence is activated
Validation: Pre-Startup Safety Acceptance Test (continued)

• The validation or PSAT will consist of the following activities
  – The SIS performs under all normal and abnormal modes as identified in the SRS
  – The SIS provides the proper annunciation and display
  – Computations of the SIS are correct
  – SIS reset functions operate as defined in the SRS
Validation: Pre-Startup Safety Acceptance Test (continued)

• The validation or PSAT will consist of the following activities
  – Bypass functions operate properly
  – Manual shutdown operates properly
  – Proof test intervals are documented in maintenance procedures
  – Diagnostic alarm functions perform as required
  – Confirmation that the SIS performs as required on loss of power and returns to the proper state when power is re-applied
Validation Documentation

• Version of the SIS validation planning
• Tools and equipment used, including calibration data
• Test results
• Version of the test specification
• Criteria for test acceptance
• Version of the SIS
• Discrepancies between expected and actual results
• Decisions taken when discrepancies occur
Pre-startup Tasks

• Prior to placing the SIS into service, the following tasks should be performed
  – All bypass functions shall be returned to their normal position
  – All process isolation valves shall be set according to the process start-up requirements
  – All test materials shall be removed
  – All forces (forced logic solver inputs and outputs) shall be removed
Summary: FAT, Installation, and Commissioning

• Objectives and Requirements
• Factory Acceptance Testing
• Commissioning Activities
• Validation (PSAT)
Section 8: SIS Operation and Maintenance

• Objectives and Requirements
• Procedures
• Training
• Proof Testing
Overview

• Objective
  – Ensure that the functional safety of the SIS is maintained
• Inputs
  – Safety requirements specification
  – SIS design
  – SIS operation and maintenance
• Outputs
  – SIS operation and maintenance
Objectives
• Ensure that the required SIL of each SIF is maintained during operation and maintenance
• Operate and maintain the SIS such that the designed functional safety is maintained
Planning Requirements

• Routine and abnormal operations
• Proof testing, preventive and breakdown maintenance activities
• Procedures, measures and techniques to be used for operation and maintenance
• Verification of adherence to the operations and maintenance procedures
• Timing for these activities
• Resources responsible for the activities
Procedures

• Routine actions required to maintain the "as designed" functional safety of the SIS
• Actions necessary to prevent an unsafe condition during maintenance
• Information to be maintained on system failure and demand rates
• Information to be maintained on audit and test results
• Maintenance procedures for when faults occur
• Ensuring that test equipment is calibrated and maintained
Training

• Ensure that operating and maintenance personnel:
  – Understand how the SIS functions (trip points and resulting actions)
  – Know the hazard the SIS is preventing
  – Know the operation of the bypass switches and the circumstances for their use
  – Know the operation of the manual switches and when they are to be activated (e.g., reset switches)
  – Know the action to take on diagnostic alarms
Proof Testing and Inspection

• Periodic proof tests are conducted using written procedures
• The entire SIS shall be tested
• The test interval is based on the SIS design and is re-evaluated at a periodic interval based on system performance
Periodic Inspection Interval

[Figure: 1/PFD(t) versus time, restored at each test period, with the 1/PFDavg level shown against the IEC 61511 SIL 1 to SIL 4 bands]

The test period is a parameter which significantly affects the average probability of failure on demand and hence the safety integrity level.
Periodic Inspection Interval

[Figure: the same 1/PFD(t) plot with a shorter test period; the 1/PFDavg level moves up toward the higher SIL bands]

Decreasing the test interval decreases the average failure probability, increasing the safety integrity of the system.
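The sawtooth in the two figures, and the rule that the interval "is re-evaluated based on system performance", can both be worked through numerically. The following Python is an added example, not exida's code and not from the course: it integrates the exact single-channel PFD(t) = 1 - exp(-λDU·t) over one test period to show where the familiar λDU·TI/2 estimate comes from, derives the longest interval that holds a PFDavg budget, and then shortens that interval when dangerous failures found at proof tests imply a higher rate than the design assumed. The failure rate, budget, device count and failure count are constructed inputs; the re-evaluation uses a plain point estimate of the observed rate and never lengthens the interval on its own.

```python
"""Added example: how the proof test interval drives PFDavg, and how to
re-evaluate the interval from observed performance (single-channel, 1oo1 case).
All rates, hours and counts are constructed inputs."""
import math


def pfd_t(lam_du, t, test_interval):
    """Exact PFD of a 1oo1 function at time t: it grows between tests and is
    restored to zero by each (assumed perfect) proof test, giving the sawtooth."""
    return 1.0 - math.exp(-lam_du * (t % test_interval))


def pfd_avg_numeric(lam_du, test_interval, steps=10000):
    """Average of pfd_t over one test period by trapezoidal integration."""
    h = test_interval / steps
    end = 1.0 - math.exp(-lam_du * test_interval)  # value just before the test
    total = 0.5 * (pfd_t(lam_du, 0.0, test_interval) + end)
    for i in range(1, steps):
        total += pfd_t(lam_du, i * h, test_interval)
    return total * h / test_interval


def pfd_avg_approx(lam_du, test_interval):
    """The usual linearised estimate lam_du * TI / 2 (valid when lam_du * TI << 1)."""
    return lam_du * test_interval / 2.0


def max_test_interval(lam_du, target_pfd_avg):
    """Longest interval (hours) that keeps the linearised PFDavg under the target."""
    return 2.0 * target_pfd_avg / lam_du


def reevaluated_interval(design_lam_du, failures_found, device_hours,
                         current_interval, target_pfd_avg):
    """Re-evaluate the interval against field performance: dangerous failures found
    at proof tests divided by accumulated device-hours gives an observed rate (point
    estimate); if it exceeds the design rate the interval must shrink to hold the
    target. A better-than-design record does not lengthen the interval here."""
    observed = failures_found / device_hours if device_hours > 0 else 0.0
    lam = max(design_lam_du, observed)
    return min(current_interval, max_test_interval(lam, target_pfd_avg))


if __name__ == "__main__":
    lam = 5e-7        # constructed dangerous undetected rate, per hour
    for ti in (8760.0, 4380.0):
        print(f"TI={ti:>6.0f} h: PFDavg exact={pfd_avg_numeric(lam, ti):.3e} "
              f"approx={pfd_avg_approx(lam, ti):.3e}")
    target = 2e-3     # PFDavg budget allocated to this element (within SIL 2)
    print(f"max TI for target {target:.0e}: {max_test_interval(lam, target):.0f} h")
    # 40 devices, one year in service, one dangerous failure found at proof test.
    print(f"re-evaluated TI: {reevaluated_interval(lam, 1, 40 * 8760, 8000.0, target):.0f} h")
```

With the constructed numbers, one dangerous failure found in 40 device-years raises the observed rate to about six times the design value and cuts the allowable interval from 8000 h to roughly 1400 h. That is the mechanism behind the slide's "re-evaluated based on system performance": the proof test record is the evidence that the designed SIL is actually being achieved, which is why the proof test documentation below has to be kept.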
Proof Test Documentation

• The user shall maintain proof test records that include
  – Description of the test
  – Date of the test
  – Persons involved
  – Identifier of the system tested
  – Test results
Application Exercise 7

• Exercise 7
  – Describe some operational requirements for an SIS
Summary: Operation and Maintenance

• Objectives and Requirements
• Procedures
• Training
• Proof Testing
Section 9: Modification and Decommissioning

• SIS Modifications
• Management of Change
• SIS Decommissioning
SIS Modification

• If modifications are performed on an SIS
  – Modifications must be properly planned, reviewed, and approved
  – The required safety integrity must be maintained
• Procedures for modification must be in place
• A full analysis of the impact on functional safety is required
• Work will not begin without proper authorization
When is management of change required?

• If operating procedure changes are required
• The process is changed significantly
• The safety requirements specification changes
• Software or firmware changes
• The failure or demand rate is higher than expected
When is management of change not required?

• "Replacement in kind" of components
• Changes that do not affect the safety requirements
• Regular calibration and maintenance
Considerations for Modification

• Technical basis of the change
• Impact of the change on safety
• Modifications to operating procedures
• Necessary time period for the changes
• Authorization requirements
• Impact on existing equipment
• Process state during the change (online change)
Modification Documentation

• Modification documentation should contain the following information at a minimum
  – Description of the change
  – Reason for the change
  – Hazards which might be impacted
  – Analysis of the impact on the SIS
  – Required approvals
  – Verification tests
  – Configuration history
SIS Decommissioning

• When an SIS is decommissioned
  – Conduct an appropriate safety review and obtain the required authorization
  – Ensure that required SIFs remain operational during decommissioning activities
• Update the hazard and risk assessment to cover
  – Functional safety during decommissioning
  – The impact of SIS decommissioning on adjacent operating units and facility services
Summary: Modification and Decommissioning

• SIS Modifications
• Management of Change
• SIS Decommissioning
Section 10: Management of Functional Safety

• Objectives and Requirements
• Planning
• Verification
• SIS Functional Safety Audit
• Documentation
Overview

• Objective
  – Identify the management activities that are necessary to ensure that functional safety objectives are met
• Requirements
  – The policy and strategy for achieving safety shall be identified, together with the means for evaluating its achievement, and shall be communicated within the organization
  – A safety management system shall be in place to ensure that safety instrumented systems have the ability to place and/or maintain the process in a safe state
Resources

• Resources shall be informed of their responsibilities
• Resources shall be competent to carry out the activities for which they are accountable; competence is judged against
  – Knowledge of the application
  – Knowledge of SIS technology
  – Safety engineering knowledge
  – Knowledge of regulatory requirements
  – Adequate management and leadership skills
  – Understanding of the potential event consequences
  – The SIL of the safety instrumented functions
  – The novelty and complexity of the application and the SIS
Planning

• Define the required activities
• Resources responsible for the activities
• Timing of the activities
• Planning shall be updated as necessary through the entire safety lifecycle
Implementation and Monitoring

• Implement procedures for the resolution of recommendations arising from
  – Hazard and risk assessment
  – Assessment activities
  – Verification activities
  – Validation activities
• Verify the quality management of suppliers
• Implement procedures for evaluating the performance of the SIS against its requirements
Functional Safety Assessment

• Performed by a team including, at minimum, one competent senior person not involved in the design
• May be performed after each of the stages below; it must be done at least for stage 3
  – Stage 1: after hazard and risk assessment and safety requirements specification
  – Stage 2: after SIS design
  – Stage 3: after commissioning and validation
  – Stage 4: after experience in operation and maintenance
  – Stage 5: after modification
Functional Safety Assessment: Stage 3 Requirements

• Hazard and risk analysis completed, recommendations completed or resolved
• Recommendations from the previous functional safety assessment resolved
• SIS designed, constructed and installed per the SRS
• Operating and maintenance procedures in place
• Validation activities completed
• Employee training complete
• Plans for further functional safety assessments done
Audits and Revisions

• Procedures for auditing compliance with the requirements of the standard are defined, covering
  – Frequency of audits
  – Degree of independence of the auditor
  – Recording and follow-up
• Management of change procedures are in place
Verification vs. Validation

• Verification
  – The activity of demonstrating for each phase of the relevant safety lifecycle, by analysis and/or tests, that, for the specific inputs, the deliverables meet in all respects the objectives and requirements set for the specific phase
• Validation
  – The activity of demonstrating that the safety instrumented system under consideration, after installation, meets in all respects the safety requirements specification
Verification
• Performed for each phase of the safety lifecycle
• Demonstrate the deliverables meet the requirements of that phase
Documentation Requirements

• Describe the installation, system or equipment and its use
• Be accurate
• Be easy to understand
• Suit the purpose for which it is intended
• Be available in an accessible and maintainable form
Documentation to be Maintained

• The results of the hazard and risk assessment and the related assumptions
• The equipment used for safety instrumented functions, together with its safety requirements
• The organization responsible for maintaining functional safety
• The procedures necessary to achieve and maintain functional safety of the SIS
• Modification information
• Design, implementation, test and validation
Documentation Control

• All relevant documents shall be
  – Revised
  – Amended
  – Reviewed
  – Approved
  – Under the control of a document control scheme

A document control scheme is mandatory.
Application Exercise 2

• Functional Safety Management
  – Describe the objectives of functional safety management
Summary: Functional Safety Management

• Objectives and Requirements
• Planning
• Verification
• SIS Functional Safety Audit
• Documentation
Post Instructional Test
• Answer the questions to the best of your ability
• This test can be used to determine effectiveness of this course
• Instructor will review questions and answers to enhance your learning