EIT: E-Cert SS: Unit 7

EIT Safety Instrumentation E-Learning

Instrument Selection

SAFETY INSTRUMENTED SYSTEMS & EMERGENCY SHUTDOWN SYSTEMS for Process Industries using IEC 61511 and IEC 61508 Unit 7: SIL Instrument Selection
Version for EQO26: 7 November 2012

Presented by Dave Macdonald, EIT Cape Town South Africa
Contact E-mail: macdond@telkomsa.net
Slide 1

www.eit.edu.au

Introduction to Chapter 7: Practical selection of sensors and actuators for safety duties
• Impact on SIS reliability
• Types of sensors and actuators
• Failure modes and causes
• Knowledge of the rules + experience… if you can get it!
• Separation, redundancy, diversity, diagnostics
• Device selection issues: what IEC 61511 requires + common sense
• Technologies: safety certified instruments and fieldbus
Slide 2

Key Points about Sensors and Actuators
◆ Sensors and actuators remain the most critical reliability items in an SIS
◆ Separation, diversity and redundancy are critical issues
◆ Safety related instruments must have a proven record of performance; IEC 61508 / 61511 have specific requirements
◆ Logic solver intelligence and communications power will help to provide diagnostic capabilities to assist field device reliability
◆ Failure modes and common cause issues are potential problems for intelligent instruments
Slide 3

IEC 61511 and other guidance sources
• Instrument practice for safety systems: well established
• ISA S84.01: obsolete standard but still relevant
• Gruhn & Cheddie, ISA textbook, chapter 9
• IEC 61511 specifics defined in clauses 11.4 and 11.5 of part 1 (see also Appendix B)
• IEC 61511-1 paragraph 11.5: Requirements for selection of components and subsystems
  11.5.2: Components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate (certified compliant to IEC 61508), or else they shall be in accordance with 11.5.3 to 11.5.6, as appropriate (prior use justification, fault tolerance)
Slide 4

Sensors and Actuators Dominate Reliability Issues
Typical reliability table (Table 7.1):
Item | Fail to danger rate / yr | PFDavg (3 month proof test) | % of total
Input sensor loop | 0.1 | 0.0125 | 65
SIL 3 logic solver PLC | 0.1 | 0.0005 | 3
Output actuator loop (solenoid + valve) | 0.05 | 0.006 | 32
Totals | | 0.019 (SIL 1) | 100
• The field devices taken together contribute 97% of the PFD for this example.
• PES logic solvers benefit from auto-diagnostics.
• The PFD figures for the field devices are affected by environmental conditions and maintenance factors.
Slide 5

Bus connected safety certified instruments
• Foundation Fieldbus
• PROFIsafe
• AS-i Safety bus
See Session 5
Slide 6

Advantages of Analog Transmitters over Switches
• Good reliability and accuracy
• Signal present at all times… improved SFF
• Potential for diagnostics: easier to detect faults
• Possible to compare signal with other parameters
• Trending and alarming available
• Multiple set points
• Competitive pricing
• Rationalized spares
Slide 7

Potential Causes of Failures in Sensors
• Components of the instrument
• Process connection
• Fouling / corrosion / process fluids / clogging
• Wiring
• Environmental: process / climate / electrical
• Specification / range / resolution
• Response time
• Power supplies
• Intrinsic safety barriers
• Calibration / testing / left on test / isolated
Slide 8

Final Control Elements or Actuators
Figure 7.4: Process valve trip (SIS logic tripping a valve) and electrical drive trip (SIS logic acting through the interlocks on the 380 V AC power to the motor M)
Slide 9

E-Stop Operation with VSD / Inverter Drive
Figure: Stop Category 1 with a Category 2 safety control. The E-stop command goes to a safety relay; the drive controller is commanded to stop and the time-delayed relay K1 then removes power from the drive. Reset via the safety relay.
Slide 10

Potential Causes of Failures in Final Elements
• Components of the actuator, positioner, solenoid valves sticking or blocking; mechanical failures of springs
• Process connection / leaks; mechanical distortion of pipes causing stress in the valve
• Valve internal faults due to fouling or corrosion by process fluids / jamming / sticking / leaking
• Wiring to solenoids
• Pneumatics / venting failures
• Environmental: physical impacts / fire / freezing or icing up
Slide 11

General Requirements for Fail-safe Operation
◆ Sensor contacts closed during normal operation
◆ Transmitter signals go to the trip state upon failure (normally < 4 mA)
◆ Broken wire = trip
◆ Output contacts closed and energized for normal operation
◆ Final trip valves go to the trip (safe) position on air failure
◆ Drives go to stop on trip or SIS signal failure
Slide 12

For an instrument to qualify for a SIL target (flowchart)
• Prior use: analog transmitter or switch for SIL 1 or 2; smart transmitter with the IEC 61511 limitations applied
• or
• Build to IEC 61508 hardware and software requirements and certify to IEC 61508; SIL 3 requires assessment and a safety manual
• In either case the PFD must satisfy the SIL target
Slide 13

Sharing of Sensors with BPCS
Do not share sensors because it:
◆ Violates the principles of independence
◆ Creates a high level of common cause failure
◆ Does not create a separate layer of protection
◆ Does not provide secure maintenance
Slide 14

Snap question: What is wrong with this safety trip design?
Figure 7.5: Boiler steam drum with a single level transmitter LT 1 feeding both the level controller LIC 1 (feed water supply) and the LSL boiler trip logic in the SIS logic solver.
Snap question: Draw a better arrangement
Slide 15

Figure 7.5 (cont.): Separate Sensors for Control and Trip: Acceptable
Boiler steam drum with LT 1 feeding LIC 1 (feed water supply) and a separate LT 2 feeding the LSL boiler trip logic in the SIS logic solver.
Slide 16

Fault Tree Analysis for Boiler Low Level Trip (Figure 7.6)
Shared sensor: Boiler damage 0.105 / yr
  OR of:
  • LT-1 fails high: LIC causes low level and NO TRIP (same sensor): 0.1 / yr
  • FW fails and no trip: 0.005 / yr = AND of FW fails 0.2 / yr and trip fails on demand from FW failure, PFD = 0.1 / 2 x 0.5 = 0.025
Separate sensor: Boiler damage 0.0075 / yr
  AND of:
  • Low level 0.3 / yr = OR of FW fails 0.2 / yr and LIC-1 causes low level (LT-1 fails high) 0.1 / yr
  • LT-2 fails high, trip fails on demand, PFD = 0.1 / 2 x 0.5 = 0.025
Slide 17
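
The two trees above, evaluated with a minimal fault-tree helper as an added example (this code is not part of the course material). The gate functions, the `Event` record and the rate/probability bookkeeping are this example's own; the figures are those quoted on slide 17 (feed water failure 0.2/yr, LIC-1 driving the level low 0.1/yr, a transmitter failing high 0.1/yr, 0.5 yr proof test interval).

```python
"""Fault trees of Figure 7.6: boiler low level trip with a shared versus a
separate level transmitter.

Minimal evaluator: an OR gate adds initiating event frequencies; an AND gate
multiplies one frequency (the demand, per year) by the probabilities that the
protection is in a failed state when that demand arrives, giving the
frequency of the unprotected (hazardous) event. Figures are those of slide 17.
"""
from dataclasses import dataclass


def pfd_avg(lam_du_per_yr: float, ti_yr: float) -> float:
    """Average probability that a proof tested 1oo1 element has failed
    dangerously and undetected when a demand arrives: lambda_du * Ti / 2."""
    return lam_du_per_yr * ti_yr / 2.0


@dataclass(frozen=True)
class Event:
    name: str
    value: float
    kind: str        # "rate" (events per year) or "prob" (dimensionless)


def or_gate(name: str, *inputs: Event) -> Event:
    """Hazardous if any input occurs: rare event approximation, rates add."""
    if any(e.kind != "rate" for e in inputs):
        raise ValueError("OR gate here combines initiating event rates only")
    return Event(name, sum(e.value for e in inputs), "rate")


def and_gate(name: str, *inputs: Event) -> Event:
    """Demand AND protection failed: exactly one rate times any probabilities."""
    rates = [e for e in inputs if e.kind == "rate"]
    probs = [e for e in inputs if e.kind == "prob"]
    if len(rates) != 1:
        raise ValueError("AND gate needs exactly one initiating event rate")
    value = rates[0].value
    for p in probs:
        value *= p.value
    return Event(name, value, "rate")


# Slide 17 figures
FW_FAILS = Event("feed water supply fails", 0.2, "rate")     # demands per year
LIC_LOW = Event("LIC-1 drives level low", 0.1, "rate")        # demands per year
LT_FAILS_HIGH = 0.1     # per year: a level transmitter failing high (dangerous undetected)
TI = 0.5                # years: proof test interval of the trip transmitter
TRIP_FAILED = Event("trip transmitter failed high when demanded",
                    pfd_avg(LT_FAILS_HIGH, TI), "prob")      # 0.1 x 0.5 / 2 = 0.025


def shared_sensor_tree() -> Event:
    """LT-1 feeds both LIC-1 and the trip. When LT-1 fails high the controller
    starves the drum AND the trip is blind to it: that demand is unprotected
    with certainty, so it enters the tree directly as a rate."""
    lt1_unprotected = Event("LT-1 fails high: low level and no trip", LT_FAILS_HIGH, "rate")
    fw_unprotected = and_gate("FW fails and trip failed", FW_FAILS, TRIP_FAILED)
    return or_gate("boiler damage, shared sensor", lt1_unprotected, fw_unprotected)


def separate_sensor_tree() -> Event:
    """LT-1 serves LIC-1 only, LT-2 serves the trip. Every low level demand,
    whichever cause produced it, is protected unless LT-2 has independently
    failed high."""
    low_level = or_gate("low level demand", FW_FAILS, LIC_LOW)        # 0.3 per year
    return and_gate("boiler damage, separate sensor", low_level, TRIP_FAILED)


def improvement_factor() -> float:
    """How many times fewer damage events the separate sensor gives."""
    return shared_sensor_tree().value / separate_sensor_tree().value


if __name__ == "__main__":
    for tree in (shared_sensor_tree(), separate_sensor_tree()):
        print(f"{tree.name}: {tree.value:.4f} events/yr")
    print(f"separate sensor is {improvement_factor():.0f}x better")
```

The point the tree makes numerically: with a shared sensor the dominant term is not the trip's PFD at all but the bare failure rate of the transmitter, because that one failure both creates the demand and disables the protection. Only the separate sensor lets the trip's 0.025 PFD multiply every demand.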

Separation Rules: Field Sensors (IEC 61511 part 2: 11.2.4)
• Sharing of a sensor between SIS and BPCS is only allowed if the safety integrity targets can still be met. This would require sensor diagnostics and is only likely to be possible for SIL 1
• A separate SIS sensor is allowed to be copied to the BPCS via an isolator
• SIL 2, 3 and 4 normally require separate sensors with redundancy
• SIL 3 and 4 normally require separation and diverse redundancy
Slide 18

Separation Rules: Final Elements (IEC 61511 part 2: 11.2.4)
• A single valve may be used for both BPCS and SIS but is not recommended if valve failure places a demand on the SIS
• Normally a shared valve can only be used if diagnostic coverage and reaction time are sufficient to meet the safety integrity requirements
• Recommendations for a single valve application
• SIL 2 and SIL 3 normally require identical or diverse separation. Diversity is not always desirable
Slide 19

Arrangement for Tripping of Shared Control Valve: SIL 1 (Figure 7.7)
Control valve FV with positioner, driven by the BPCS via FY; the SIS de-energises a direct acting, direct mounted solenoid valve to vent the actuator (A/S = air supply). Check hazard demands due to the valve.
Slide 20

Diverse Separation of Control and Shutdown Valves: SIL 2 and SIL 3 (Figure 7.8)
BPCS control valve (FY, A/S) and a separate SIS shutdown valve in the same line. Check hazard demands due to the valve.
Slide 21

Sensor Diagnostics
♦ Do not confuse with proof testing
♦ Compare the trip transmitter value with related variables. Not often practicable
♦ Use safety transmitters… if available
♦ Use smart transmitters with diagnostic alarm… but see next slide
Slide 22

Valve Diagnostics
Assurance that a trip valve will respond correctly when needed:
• Freedom of movement, full travel
• Correct venting of actuator
• Correct rate of response
• Absence of sticking
• Trip signals and solenoid all working
Slide 23

Methods for Valve Diagnostics
• On-line trip testing
• Discrepancy alarm
• Position feedback: response testing
• Partial closure testing: manual or automatic
• Smart positioners: certified safety positioner
Slide 24

Architectural Constraints as per IEC 61508
◆ IEC 61508 places an upper limit on the SIL that can be claimed for any safety function on the basis of the fault tolerance of the subsystems that it uses.
♦ The limit is a function of:
  ♦ the hardware fault tolerance
  ♦ the safe failure fraction
  ♦ the degree of confidence in the behaviour under fault conditions
Details in IEC 61508 part 2
Slide 25

IEC 61508 Classification of Equipment
◆ IEC 61508 defines two types of equipment for use in safety systems:
♦ Type A: Simple devices: non-PES, e.g. limit switch, level float switch, analogue circuits
♦ Type B: Complex devices: including PES, processor based systems, digital communications, e.g. smart transmitters
For the same hardware fault tolerance and safe failure fraction, the SIL that can be claimed for a Type B subsystem is lower than for Type A, except at the highest SFF band
Slide 26

IEC 61511-1 Table 6: Minimum hardware fault tolerance of sensors, final elements and non-PES logic
SIL | Minimum HW fault tolerance
1 | 0
2 | 1
3 | 2
4 | Special requirements: see IEC 61508
The following summarized conditions apply for SIL 1, 2 and 3:
• Increase FT by 1 if the instrument does not have fail-safe characteristics
• Decrease FT by 1 if the instrument meets 4 conditions: predominantly fail safe; prior use (proven in use); limited device adjustment (process parameters only); password protected
Alternatively tables 2 and 3 of IEC 61508 may be applied with an assessment
Slide 27

Example for Level Switch: Extract from the device's safety manual
Slide 28

Example for Level Switch: Extract from safety manual (continued)
Slide 29

Example for Level Switch: Extract from safety manual (continued)
Slide 30

Redundancy Options (Table 7.4)
Sensor or actuator configuration | Selection
1oo1 | Use if the PFD, FT and nuisance trip targets are all met
1oo2 | 2 sensors installed, 1 required to trip. PFD value improved; nuisance trip rate doubled
2oo3 | 3 sensors installed, 2 required to trip. PFD improved over 1oo1; nuisance trip rate dramatically reduced
Slide 31

Common Cause Failures in Sensors
♦ Wrong specification
♦ Hardware or circuit design errors
♦ Environmental stress
♦ Shared process connections
♦ Wrong maintenance procedures
♦ Incorrect calibrators
Slide 32

Comments on Redundancy in Sensors (Figure 7.10)
Redundant transmitters PT 1A and PT 1B into the SIS: be careful to analyze for common cause faults, e.g. the arrangement shown. Try to avoid this.
Slide 33

Comments on Diverse Redundancy in Sensors (Figure 7.11)
Where the measurement is the problem use diverse redundancy, e.g. steam or ammonia overpressure protection using PT 01 and TT 01 (pressure and temperature) into the SIS.
Slide 34

au .edu. www.eit. > 1 yr exposure per case. Slide 35 Collect t he r ecor ds of ever y maint enance event per inst r ument .EIT: E-Cert SS: Unit 7 Instrument Selection Requirements for Device to be “Proven–in-use” • Evidence that the instrument is suitable for SIS • Consider manufacturer ’s QA systems • PES devices need extra validation • Performance record in a similar profile • Adequate documentation • Volume of experience.

The Approved Safety Instrument List
Key job for the maintenance team:
• Each instrument that is suitable for SIS
• Update and monitor the list regularly
• Add instruments only when the data is adequate
• Remove instruments from the list when they let you down
• Adequate details: include the process application
Slide 36

Additional Requirements for Smart Transmitters and Actuators
Details in IEC 61511 11.5.4 for devices with "Fixed Programming Languages" (FPLs):
• Appropriate standards used in build
• Consider manufacturer's QA systems
• Must have a safety manual
Extra for SIL 3:
• Formal assessment… low probability of failure in the planned application
Slide 37

HART Transmitter with Diagnostic Input (Figure 7.12)
Smart transmitter on a 4-20 mA loop carrying FSK data to the SIS logic solver AI; a HART interface decodes the status alarm to a DI on the logic solver; hand held programmer on the loop. FSK = Frequency Shift Keyed.
Slide 38

Example of a Safety Critical Transmitter (Figure 7.14)
Slide 39

Benefits of a Safety Certified Transmitter
• Internal diagnostics with high coverage factor
• Very low PFDavg values; saves on proof testing etc.
• Certified for single use in SIL 2 (instead of dual channel)
• Certified for dual redundant use in SIL 3 (instead of 1oo3)
• End user verification is simplified
Slide 40

Importance of the Safety Manual
The safety manual presents all the essential information and set up conditions that must be followed to allow the instrument to be validated for any given application. The manual also supplies the failure rates summary and the expected PFDavg. Compliance to safety manual requirements must be demonstrated in the validation phase.
See examples of safety manuals and FMEDA reports.
Slide 41

Importance of the Safety Certificate
The safety certificate is issued by the testing body to clearly define what products have been tested and what standards and limitations have been applied in the evaluation. Reports supply SFF and failure rate data with a declaration of the fault tolerance requirements relevant to IEC 61511. The safety certificate is an essential document for the validation phase.
Testing authorities include: TÜV Rheinland, Exida.com, and any recognized testing body that can show competency in the SIS field. Note: Exida specializes in certifying instruments claiming "prior use" qualification.
See examples of safety certificates: 3051C and Rex Radar.
Slide 42

Field Devices Summary
• Instruments must be well proven for safety with an assessment report, or certified SIL capable to IEC 61508
• Intelligent instruments treated as PES
• Separation, redundancy, diversity, diagnostics
• Diagnostic coverage via smarts or logic solver
• Bus technology established and growing
Slide 43

EIT EQO26: Unit 8 Reliability Analysis
EIT Safety Instrumentation E-Learning
SAFETY INSTRUMENTED SYSTEMS & EMERGENCY SHUTDOWN SYSTEMS for Process Industries using IEC 61511 and IEC 61508 Unit 8: Reliability Analysis
Version for EQO26: 7 November 2012
Presented by Dave Macdonald, EIT Cape Town South Africa
Contact E-mail: macdond@telkomsa.net
Slide 44

Introduction to Chapter 8: Reliability Analysis of the SIS
The task of measuring or evaluating the SIS design for its overall safety integrity
• Reasons and objectives
• Resolving the SIS into reliability block diagrams
• Identification of formulae
• Trial calculation examples
• Calculation software tools
Slide 45

IEC 61511 requires reliability analysis to be done for each SIF to show that the SIL target and RRF can be achieved. Why?
• Because it tells everyone what RRF can be expected from each individual safety function
• It confirms the basis of the design and the chosen proof test interval
• It compares the calculated RRF for your design with the target to show you can achieve the target
• To predict the accident rate: H events/yr = Demand Rate (D) x PFDavg, or H = D / RRF
Slide 46

Terminology
RRF: Risk Reduction Factor (e.g. 200)
SIL: Safety Integrity Level (depends on RRF; see the SIL tables)
D: Demand rate on the safety function (how often the SIF is demanded to respond to a hazard condition)
H: Hazardous event rate, also called accident rate (e.g. 0.1/yr = 1 in 10 years)
PFDavg: Average probability of failure on demand of the SIF
Slide 47

Terminology (Z is used on these slides for the failure rate λ)
MTTFd: Mean time to fail dangerously (= 1/Zd)
MTTFs: Mean time to fail safe (or spurious) (= 1/Zs)
MTTRd: Mean time to detect and repair a dangerous fault
Ti: Time interval between proof tests
Zdd: Failure rate for dangerous detectable faults
Zdu: Failure rate for dangerous undetectable faults (requires proof testing)
Zsd: Safe revealed failure rate (causes a spurious trip or loss of the affected safety channel)
Slide 48

Risk Reduction Factor and PFDavg
RRF = 1 / PFDavg (PFDavg = average probability of failure on demand)
PFDavg is a function of:
1. Failure rate per hour for undetected faults: Ldu
2. Test interval: Ti
3. Redundancy (1oo1, 1oo2, 2oo3, etc.)
Compare PFDavg with the target PFDavg for the SIL range we need.
Slide 49

Snap Question: Why is PFD so useful to know?
1. Because it can tell you the accident event rate: H = Demand Rate x PFDavg
2. Because it helps you decide the SIL of your design: PFDavg defines the SIL range for the design (in terms of resistance to random hardware failures)
Slide 50

Failure Scenario for an Untested SIF (state of process against mission time, 1 yr to 2 yr)
Operating safely, then an unrevealed dangerous fault occurs: operating but not protected. When the hazardous condition occurs (demand), a reportable accident occurs.
Slide 51

Low Demand Mode: Proof Tested SIF, Repaired before Demand (state of process against mission time, proof tests at 0.5 yr and 1 yr)
An unrevealed dangerous fault occurs: operating but not protected. The proof test reveals the fault and it is repaired, so when the hazardous condition occurs (demand) the accident is prevented.
Slide 52

Low Demand Mode: Proof Tested SIF but Failure on Demand (state of process against mission time, proof tests at 0.5 yr and 1 yr)
An unrevealed dangerous fault occurs: operating but not protected. The demand occurs before the next proof test: failure (to respond) on demand, and a reportable accident occurs.
Slide 53

Diagnostic + Proof Tested SIF (state of process against mission time, 1 yr to 2 yr)
A detectable dangerous fault occurs; the diagnostic test (typically every 100 ms up to a day) reveals the fault, which is detected and repaired, and the accident is prevented. For the detected faults PFDavg = MTTD&R x fail danger rate. Proof testing remains for the undetected faults.
Slide 54

Low Demand Mode versus High Demand Mode
• Low demand mode applies when the demand on the SIS is equal to or less than once per year (IEC 61511). Alternatively, no more than two demands per proof test interval.
• Low demand calculations use PFDavg. Hazard event rate H = D x PFDavg
• High demand mode applies when the demand on the SIS is more than once per year (IEC 61511). Alternatively, more than two demands per proof test interval.
• High demand mode calculations use PFH, the probability of dangerous failure per hour. Hazard event rate H = PFH
• High demand is also known as continuous mode; IEC 61511 treats the two together.
Slide 55

Low Demand Mode Application
Pressure surge once per year (D), protected by a pressure relief trip (SIS). An accident occurs if a dangerous fault is undetected before the surge occurs.
Accident rate H = D x PFDavg, provided the test interval is shorter than 1 year or diagnostics detect faults quickly.
Example: If PFDavg = 0.05 and D = 1/yr: H = 0.05/yr
Slide 56

High Demand Mode Application
Brake applied 100 times per day; electronic braking controls (SIS). An accident occurs as soon as the brake circuit fails.
Accident rate = probability of failure per hour of the EBC = failure rate per hour of the SIS
Example: If PFH = 0.0001/hr of service and the machine is used for 5000 hrs/yr, accident rate H = 0.5/yr.
Slide 57

Design Iteration for Target PFD in Low Demand Mode (flowchart)
SRS defines the Risk Reduction Factor; PFD = 1/RRF → Set target PFD → Evaluate solution PFD → Is calculated PFD < target PFD? No: revise design and re-evaluate. Yes: acceptable, proceed to detail design.
Slide 58

Elements and Terms in the SIS Model
Hazard demand rate D → Protective system (SIS) → Hazard event rate H
PFDavg = H/D = 1/(Risk Reduction Factor); the SIL bands (SIL 1, 2, 3) are read from PFDavg
D → Sensor (PFD1) → Logic (PFD2) → Actuator (PFD3) → H
Overall PFD = PFD1 + PFD2 + PFD3
Slide 59

Single Channel: Basic Calculation of PFD
If the undetected fail to danger rate is Zdu and the proof test interval is Ti:
PFDavg = Zdu x Ti/2 (failure rate/yr x mean time to detect)
Example: Fail to danger rate = 0.05 per year, Ti = 1 year: PFDavg = 0.05 x ½ = 0.025 (SIL 1)
How is this formula obtained?
Slide 60

Hazard Rate v Demand Rate, showing low and high demand modes (graph of hazard event rate H against demand rate D)
Demand mode, D x Ti << 1: accident rate H = Demand rate (D) x PFDavg of the SIS
Continuous mode, D x Ti >> 1: accident rate H = fail rate Zd (= PFH of the SIS)
General curve: H = Ld (1 - e^(-D Ti/2)), which tends to D x Ld Ti/2 = D x PFDavg for small D Ti and to Ld for large D Ti
Slide 61

eit. leading to average probability of failure on demand: p(t) 1 Probability of being failed when demand occurs.edu.EIT EQO26: Unit 8 Reliability Analysis Effect of Manual Proof T esting ….t Average value PFDavg = L d .Ti/ 2 0 Ti www.au Slide 62 2Ti Time t . Proof test action p(t) = L d .

SIS Failure Modes
Overt failures: spurious trip rate λS = 1/MTBFsp. Loss of production: λS + λDD trips the plant unless 2oo3 or 2oo2 voting.
Covert failures: dangerous failure rate λD = 1/MTTFD, split into
  λDD: detectable by self diagnostics
  λDU: undetectable except by manual proof testing
With diagnostic coverage C: ZDD = C ZD, ZDU = (1 – C) ZD
Slide 63

Example: Find the Safe and Dangerous Failure Modes
SIS high level trip on a vessel with fluid feed: LT 1 to LC 1, I/P and the feed control valve (FC); LT 2 to the SIS logic solver tripping the feed valve (FC); PSV relief; AS = air supply. Assume out of range detection is provided (forcing a trip).
Fail modes per year (rates tabulated on the slide), by device:
• LE (process) connection: bottom blocked, top leaks
• LT electronics: runs high, runs low
• Cable: breaks, shorts across LT
• Power: lost power
Totals for sensor sub system: Lsp, Ldu, Ldd
Slide 64

1oo1 SIS Formulae: Single Channel SIS Fail Rates
Overt failures, spurious trip rate λS = 1/MTBFsp. Loss of production: λS + λDD trips the plant unless 2oo3 or 2oo2 voting.
Covert failures, dangerous failure rate λD = 1/MTTFD, with coverage C: λDD = C λD (detectable by self diagnostics); λDU = (1 – C) λD (detectable by manual proof testing)
Spurious trip rate = λS + λDD
PFD1 = λDD x MTTR
PFD2 = λDU x (Ti/2)
Slide 65

1oo2 SIS Formulae (same single channel fail rates as slide 65)
Spurious trip rate = 2 (λS + λDD)
PFD1 = 2 (λDD)^2 (MTTR)^2
PFD2 = ((λDU x Ti)^2) / 3
Slide 66

Formula Sets
Single channel SIS fail rates as on slide 65: λS = 1/MTBFsp (overt, spurious trip); λD = 1/MTTFD (covert, dangerous), λDD = C λD detectable by self diagnostics, λDU = (1 – C) λD detectable by manual proof testing; loss of production λS + λDD trips the plant unless 2oo3 or 2oo2 voting.
Formula set 1 (spurious trip rate), formula set 2 (PFD due to detected faults) and formula set 3 (PFD due to proof tested faults) are tabulated in Fig 8.6.
Slide 67

Multi-channel Formula Sets for PFD and λS (Figure 8.6, excluding common mode failures)
λS = 1/MTBFsp (overt, spurious trip rate); λD = 1/MTTF (covert, dangerous); λDD = DC x λD detectable by self diagnostics; λDU = (1 – DC) λD detectable by manual proof testing
Voting | Formula set 1: spurious trip rate | Formula set 2: PFD due to diagnostics (if detected but not tripped) | Formula set 3: PFD due to proof test
1oo1 | λS | λDD (MTTR) | λDU (Ti/2)
1oo2 | 2 λS | 2 (λDD)^2 (MTTR)^2 | ((λDU x Ti)^2) / 3
2oo2 | 2 (λS)^2 (MTTR) | 2 λDD (MTTR) | λDU x Ti
2oo3 | 6 (λS)^2 (MTTR) | 6 (λDD)^2 (MTTR)^2 | (λDU x Ti)^2
Slide 68

Sources of Reliability Data
1. exida.com: Safety Automation Equipment List, http://www.exida.com/index.php/resources/sael/ . Also see: exida.com Functional Safety Assessment Reports
2. exida.com Reliability Handbook
3. Sintef: PDS handbooks, http://www.sintef.no/Projectweb/PDS-Main-Page/PDS-Handbooks/ and http://www.sintefbok.no/Product.aspx?sectionId=65&productId=559&categoryId=10
4. Manufacturers' safety manuals for specific SIL certified instruments
5. Faradip 3 database
Slide 69

edu. PFDavg = (Zdu xTi)2 /3 Example: If fail to danger rate = 0.05 x 1)2 / 3 = 0.eit.00083 ( SIL 3) But this ignores common cause and is unrealistic www.au Slide 70 .05 per year. Ti = 1 year PFDavg = (0.EIT EQO26: Unit 8 Reliability Analysis Note: Zdd omitted for clarity Zdu Zdu Dual Channel Basic calculation of PFD If the fail to danger rate is Zdu and proof test interval is Ti.

Beta Factor: Common Cause Failures in Redundant SIS Channels
Each channel's dangerous failure rate λd is split into independent unit failures (1 – β) λd per channel and common cause failures β λd shared by all channels. Example shown: 2oo3 sensor group with common cause failures.
Slide 71

Formulae Sets with Common Cause Factor Included
Slide 72

05 x ½) = 0. Ti = 1 year Beta = 5% PFDavg = (0.95 x 0.002 ( SIL 2) www.EIT EQO26: Unit 8 Reliability Analysis Note: Zdd omitted for clarity (1-β) λ du (1-β) λ du β λ du Dual Channel Basic calculation of PFD inc Common Cause 5% If the fail to danger rate is Zd and proof test interval is Ti.05 per year.05 x 1)2 / 3 + (0. PFDavg = ((1-β) λ du xTi)2 /3 + β λ du xTi/2 Example Fail to danger rate = 0.au Slide 73 .eit.edu.05 x 0.

2oo3 Channel: Basic Calculation of PFD Including Common Cause 5%
Independent failures (1 – β) λd in each of the three channels; common cause failures β λd.
If the undetected fail to danger rate is Zdu and the proof test interval is Ti:
PFDavg = ((1 – β) λdu x Ti)^2 + β λdu x Ti/2
Example: Fail to danger rate = 0.05 per year, Ti = 1 year, β = 5%:
PFDavg = (0.95 x 0.05 x 1)^2 + (0.05 x 0.05 x ½) = 0.00226 + 0.00125 = 0.0035 (SIL 2)
Slide 74

Formulae Sets with Common Cause Factor Included (continued)
Slide 75

Calculation Table for PFDavg: Worked Example for 1oo1 (failures per year)
Formula: PFDavg = (LDU x Ti/2) + (LDD x MTTR)
Parameter | Value | Notes
LDU | 0.0500 | Dangerous undetected failure rate for one channel
LDD | 0.1000 | Dangerous detected failure rate for one channel
Ti in yrs | 1.0000 | Proof test interval
MTTR in yrs | 0.0027 | Mean time to detect and repair a detectable fault
(LDU x Ti/2) | 2.50E-02 | Undetected portion
(LDD x MTTR) | 2.74E-04 | Detected portion
PFD for 1oo1 subsystem | 2.53E-02 | SIL table: SIL 1
Slide 76

Calculation Table for PFDavg: Worked Example for 1oo1 (failures per hour)
Formula: PFDavg = (LDU x Ti/2) + (LDD x MTTR)
Parameter | Value | Notes
LDU | 5.71E-06 | Dangerous undetected failure rate for one channel
LDD | 1.14E-05 | Dangerous detected failure rate for one channel
Ti in hrs | 8760 | Proof test interval
MTTR in hrs | 24 | Mean time to detect and repair a detectable fault
(LDU x Ti/2) | 2.50E-02 | Undetected portion
(LDD x MTTR) | 2.74E-04 | Detected portion
PFD for 1oo1 subsystem | 2.53E-02 | SIL table: SIL 1
Slide 77

Formatted Calculation Table for PFDavg: Worked Example for 1oo2 (failures per hour)
Channels (1 – β) λd and (1 – β) λd with common cause β λd
Formula: PFDavg = (1/3) ((1 – β) LDU x Ti)^2 + 2 ((1 – β) LDD x MTTR)^2 + β (LDU x Ti/2) + β (LDD x MTTR)
Parameter | Value | Notes
LDU | 5.71E-06 | Dangerous undetected failure rate for one channel (Safecalc: LD = 1.71E-05, % safe = 0, C = 66%)
LDD | 1.14E-05 | Dangerous detected failure rate for one channel
β | 0.1000 | Common cause factor for dangerous and safe failures
Ti in hrs | 8760 | Proof test interval
MTTR in hrs | 24 | Mean time to detect and repair a detectable fault
(1/3) ((1 – β) LDU x Ti)^2 | 6.75E-04 | Undetected voting portion
2 ((1 – β) LDD x MTTR)^2 | 1.18E-07 | Detected voting portion
β (LDU x Ti/2) | 2.50E-03 | Undetected common portion
β (LDD x MTTR) | 2.70E-05 | Detected common portion
PFD for 1oo2 subsystem | 3.20E-03 | SIL table: SIL 2
Slide 78

Formatted Calculation Table for PFDavg: Worked Example for 2oo3 (failures per hour)
Channels (1 – β) λd, (1 – β) λd and (1 – β) λd with common cause β λd
Formula: PFDavg = ((1 – β) LDU x Ti)^2 + 6 ((1 – β) LDD x MTTR)^2 + β (LDU x Ti/2) + β (LDD x MTTR)
Parameter | Value | Notes
LDU | 5.71E-06 | Dangerous undetected failure rate for one channel
LDD | 1.14E-05 | Dangerous detected failure rate for one channel
β | 0.1000 | Common cause factor for dangerous and safe failures
Ti in hrs | 8760 | Proof test interval
MTTR in hrs | 24 | Mean time to detect and repair a detectable fault
((1 – β) LDU x Ti)^2 | 2.03E-03 | Undetected voting portion
6 ((1 – β) LDD x MTTR)^2 | 3.54E-07 | Detected voting portion
β (LDU x Ti/2) | 2.50E-03 | Undetected common portion
β (LDD x MTTR) | 2.70E-05 | Detected common portion
PFD for 2oo3 subsystem | 4.55E-03 | SIL table: SIL 2
Slide 79

SIS Analysis Model Example
D → Sensor (Zd1 = 0.2 /yr, MTTF 5 yrs, proof testing) → Logic (Zd2 = 0.02 /yr, MTTF 50 yrs, auto diagnostics) → Actuator (Zd3 = 0.1 /yr, MTTF 10 yrs, proof testing) → H
Apply testing or diagnostics, then apply the calculation.
PFD averages: 0.01 + 0.005 + 0.01 = 0.025
Overall PFDavg = 2.5E-2: qualifies for SIL 1 (E-1 to E-2)
Slide 80

SIS Analysis: Step 1
Hazard demand rate D → Protective system (SIS) → Hazard event rate H
Assign a SIL to each stage; in the figure D → Sensor (SIL 2) → Logic (SIL 1) → Actuator (SIL 1) → H, with the SIF as a whole at SIL 1
Slide 81

SIS Analysis: Step 2, identify channels in each stage
Example: dual channel sensors and actuators, single channel logic
D → Sensor 1oo2D → Logic 1oo1D → Actuator 1oo2 → H
Slide 82

SIS Analysis: Step 3, expand details for each single channel (Slide 83)

Sensor 1oo2D: each channel consists of Process connection, Transmitter, Cable and Power. Logic 1oo1D.
Expand the detail of the sensor subsystem and apply fail rates for each item.

SIS Analysis: Step 4, decide λdu, λdd and λs for the elements. Step 5, enter the values in the table and totalize (Slide 84)

Diagram: each element of the sensor channel (Process connection, Transmitter, Cable and Power) is given its own λDU1/λDD1/λSD1, λDU2/λDD2/λSD2, λDU3/λDD3/λSD3.

Subsystem element   Device               LSD/hr   LSU/hr   LDD/hr   LDU/hr
1                   Process connection
2                   Transmitter
3                   Cable and Power
4
5
Subsystem totals
(The per-element values on the slide are in failures per hour; the totals row sums each column.)

SIS Analysis: Step 6, find the PFDavg for the 1oo2 subsystem (Slide 85)

Break out the common cause failure fraction for the redundant channels, calculate the PFD for each portion and add them together.
β = common cause failure fraction: failures common to Ch1 and Ch2 sensors.
Diagram: Sensors 1oo2 with (1-β)·λd on each channel and β·λd common to both; Logic 1oo1.

Redundant section:
$$\mathrm{PFD}_{avg} = 2\big((1-\beta)\,\lambda_{dd}\big)^2 (\mathrm{MTTR})^2 + \big((1-\beta)\,\lambda_{du}\,T_i\big)^2 / 3$$

Common cause section:
$$\mathrm{PFD}_{avg} = \beta\,\lambda_{dd}\,\mathrm{MTTR} + \beta\,\lambda_{du}\,T_i/2$$

SIS Analysis: Step 7, repeat steps 3 to 6 for each stage (Slide 86)

Example: Dual channel sensors and actuators, single channel logic.
Sensors 1oo2 → PFDavg for sensors; Logic 1oo1 → PFDavg for logic solver; Actuators 1oo2 → PFDavg for actuators.
SIS PFDavg = PFDavg for sensors + PFDavg for logic solver + PFDavg for actuators.

SIS Analysis: Example (Slide 87)

Example: Dual channel sensors and actuators, single channel logic.
1oo2 Dual Sensors (λDU = 0.0025, C = 95%, λDD = 0.0475): PFD = .00013 + .00125 = .00138
Logic solver 1oo1D: PFD = .00075 + .00125 = .002
1oo2 Dual Actuators (λDU = 0.1, β = 10%, 1 yr test): PFD = .005 + .0027 = .0077
SIS PFD = .0014 + .0077 + .002 = .0111 or 1.11E-2 = SIL 1

SIS Analysis: Example using the EIT Calculator (Slide 88)
File name: EIT GP SIL Calculator.xls

Data input table for sensor subsystem:
Proof test interval in hrs (Ti)             8760
Common cause factor (B) %                   5%
Mean time to test & repair (hrs) (MTTR)     24

Subsystem element   Device                   LSD/hr     LSU/hr     LDD/hr     LDU/hr
1                   Sensor, all components   1.14E-05   0.00E+00   0.00E+00   5.71E-06
Subsystem totals                             1.14E-05   0.00E+00   0.00E+00   5.71E-06

Calculation results for sensing:
Safe failure fraction    66.7%
Diagnostic coverage      0.0%
PFDavg for 1oo1          2.50E-02
PFDavg for 1oo2          2.00E-03
PFDavg for 2oo3          3.51E-03
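The PFDavg formulas of the 1oo2 and 2oo3 worked examples and the EIT calculator input above, as an added Python example (this is not the EIT calculator or Honeywell Safecalc); the names `Channel`, `pfd_voted` and `sil_band` are chosen here, and the SIL bands are the IEC 61511 low demand PFDavg ranges (SIL 1 is E-1 to E-2, as the slides state).

```python
"""Added example (not the EIT calculator or Honeywell Safecalc): the PFDavg
formulas from the 1oo2 / 2oo3 worked examples, with the common-cause
fraction beta split out, applied to the slide 88 sensor subsystem inputs."""
from dataclasses import dataclass

@dataclass
class Channel:
    """Failure rates for ONE channel, in failures per hour."""
    lambda_du: float          # dangerous undetected
    lambda_dd: float = 0.0    # dangerous detected (found by diagnostics)
    lambda_sd: float = 0.0    # safe detected
    lambda_su: float = 0.0    # safe undetected

    def sff(self) -> float:
        """Safe failure fraction: every failure except dangerous undetected."""
        total = self.lambda_du + self.lambda_dd + self.lambda_sd + self.lambda_su
        return 1.0 - self.lambda_du / total

    def diagnostic_coverage(self) -> float:
        return self.lambda_dd / (self.lambda_du + self.lambda_dd)

def pfd_1oo1(ch: Channel, ti: float, mttr: float) -> float:
    """Undetected faults wait Ti/2 on average; detected faults wait one MTTR."""
    return ch.lambda_du * ti / 2 + ch.lambda_dd * mttr

def pfd_voted(ch: Channel, ti: float, mttr: float, beta: float, voting: str) -> float:
    """1oo2 or 2oo3: independent (1-beta) portion plus a beta common-cause
    portion that behaves like a single channel (slide 85 breakdown)."""
    ldu, ldd = (1 - beta) * ch.lambda_du, (1 - beta) * ch.lambda_dd
    k_du, k_dd = {"1oo2": (1 / 3, 2), "2oo3": (1, 6)}[voting]
    independent = k_du * (ldu * ti) ** 2 + k_dd * (ldd * mttr) ** 2
    common = beta * ch.lambda_du * ti / 2 + beta * ch.lambda_dd * mttr
    return independent + common

def sil_band(pfd: float) -> int:
    """Low demand SIL from PFDavg: SIL 1 is 1E-2 to 1E-1, SIL 4 is 1E-5 to 1E-4."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if 1e-5 <= pfd < upper:
            return sil
    return 0

# Slide 88 input data: Ti = 8760 h, beta = 5 %, MTTR = 24 h, one sensor row
SLIDE88_SENSOR = Channel(lambda_du=5.71e-6, lambda_sd=1.14e-5)

def slide88_results(ti: float = 8760, mttr: float = 24, beta: float = 0.05) -> dict:
    ch = SLIDE88_SENSOR
    return {"sff": ch.sff(), "dc": ch.diagnostic_coverage(),
            "pfd_1oo1": pfd_1oo1(ch, ti, mttr),
            "pfd_1oo2": pfd_voted(ch, ti, mttr, beta, "1oo2"),
            "pfd_2oo3": pfd_voted(ch, ti, mttr, beta, "2oo3")}
```

With the slide 78/79 inputs (LDD = 1.14E-05, β = 0.1) the same `pfd_voted` reproduces 3.20E-03 for 1oo2 and 4.55E-03 for 2oo3, which shows how much of the 1oo2 result is the β common cause portion.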

IEC table of PFDs relevant to Figure 8.16 (Slide 89)

Honeywell Safecalc example relevant to Fig 8.16 (Slide 90)

SIS Analysis: Example Calculation for Spurious Trip (Slide 91)

Example: Dual channel sensors and actuators, single channel logic.
Sensor: MTTF = 5 years, 75% safe failure fraction, C = 95%, β = 10%, Ti = 0.25 yrs, MTTR = 24 hrs.
Actuator: MTTF = 2 years, 80% safe failure fraction, C = 0%, β = 10%, Ti = 0.5 yrs, MTTR = 8 hrs.
Logic: MTTF = 10 years, 50% safe failure fraction, C = 95%, Ti = 1 yr, auto diagnostics test interval = 2 secs, MTTR = 24 hrs.

Sensor: single channel λs = 1/5 × .75 = .15/yr
Logic: single channel λs = 1/10 × .5 = .05/yr; λdd = (C × λd) = 95% × 0.05 = .0475/yr
Actuator: single channel λs = 1/2 × .8 = .4/yr

SIS Analysis: Example Calculation for Spurious Trip (Slide 92)

Example: Dual channel sensors and actuators, single channel logic (logic solver 1oo1).

Spurious trip for 1oo1: ST = LS + LDD
Parameter                  Logic     Notes
LS                         0.05      Fail safe rate
LDD                        0.0475    DD rate added due to 95% coverage
Total for 1oo1 subsystem   0.0975    Spurious trip rate per yr

Spurious trip for 1oo2: ST = 2×(1-B)×(LS + LDD) + B×(LS + LDD)
Parameter                  Sensor    Actuator   Notes
LS                         0.15      0.4        Fail safe rate
LDD                        0         0
Beta                       0.1       0.1
2×(1-B)×(LS + LDD)         0.27      0.72       1oo2 portion
B×(LS + LDD)               0.015     0.04       Common portion
Total for 1oo2 subsystem   0.285     0.76       Spurious trip rate per yr

Overall spurious trip rate: 1.1425 per yr

SIS Analysis: Example, Spurious Trip Rate (Slide 93)

Example: Dual channel sensors and actuators, single channel logic.
1oo2 Dual Sensors: spurious = (2 × .135) + (1 × .015) = .28 trips per yr
Logic solver 1oo1: .05 + .0475 = .097 trips per yr
1oo2 Dual Actuators: spurious = (2 × .36) + (1 × .04) = .76 trips per yr
Spurious trip rate = .28 + .097 + .76 = 1.14 trips per year

Reducing Spurious Trip Rate (Slide 94)

Design Version A: 1oo2 Dual Sensors (each channel .135, common portion .015): spurious = 2 × .15 = .30 trips per yr
Design Version B: 2oo3 Sensors: spurious = 6 × λs² × MTTR + β × λs = (6 × .135² × 8/8760) + .015 = .0001 + .015 = .015 trips per yr

From 0.3 per year to 0.015/yr. If 1 trip costs AUD 50 000 the annual saving is what? ……………………………….
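The spurious trip formulas of slides 92 and 94, as an added Python example (not from the EIT slides or calculator); `Subsystem`, `str_1oo2` and `str_2oo3` are names chosen here, and the 2oo3 sensors use the 8 hour MTTR that slide 94 puts into its formula.

```python
"""Added example (not from the EIT slides): spurious trip rate (STR), in
trips per year, for 1oo1, 1oo2 and 2oo3 subsystems using the formulas of
slides 92 and 94, checked against the dual-sensor/single-logic/dual-actuator case."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

@dataclass
class Subsystem:
    """Per-channel rates in failures per year. A dangerous DETECTED failure
    also trips the loop when the diagnostics act on it, so it adds to the
    spurious trip rate; an undetected dangerous failure does not."""
    lambda_s: float          # safe (fail-to-trip) failure rate
    lambda_dd: float = 0.0   # dangerous detected failure rate
    beta: float = 0.0        # common cause fraction for redundant channels
    mttr_hours: float = 0.0  # repair time, only used by the 2oo3 formula

    @property
    def trip_rate(self) -> float:
        return self.lambda_s + self.lambda_dd

def str_1oo1(s: Subsystem) -> float:
    return s.trip_rate

def str_1oo2(s: Subsystem) -> float:
    """Either channel trips the pair: 2(1-B)(LS+LDD) + B(LS+LDD)."""
    return 2 * (1 - s.beta) * s.trip_rate + s.beta * s.trip_rate

def str_2oo3(s: Subsystem) -> float:
    """Two independent trips within one MTTR are needed: 6 ls^2 MTTR + B ls,
    with ls the per-channel rate after the common cause share is removed."""
    ls = (1 - s.beta) * s.trip_rate
    return 6 * ls ** 2 * (s.mttr_hours / HOURS_PER_YEAR) + s.beta * s.trip_rate

def overall_str(parts) -> float:
    """The loop trips if any subsystem trips, so the rates add."""
    return sum(parts)

# Slide 92 inputs: sensors entered with LDD = 0, logic with 95 % coverage
SENSORS = Subsystem(lambda_s=0.15, beta=0.1, mttr_hours=8)
LOGIC = Subsystem(lambda_s=0.05, lambda_dd=0.0475)
ACTUATORS = Subsystem(lambda_s=0.4, beta=0.1)

def design_a() -> float:
    """Version A: 1oo2 sensors, 1oo1 logic, 1oo2 actuators."""
    return overall_str([str_1oo2(SENSORS), str_1oo1(LOGIC), str_1oo2(ACTUATORS)])

def design_b() -> float:
    """Version B: 2oo3 sensors, the rest unchanged."""
    return overall_str([str_2oo3(SENSORS), str_1oo1(LOGIC), str_1oo2(ACTUATORS)])
```

Running `design_a()` and `design_b()` side by side shows that after the 2oo3 change the actuators, not the sensors, dominate the remaining spurious trip rate.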

Outcomes of a Reliability Study (Slide 95)
• Show whether or not the SIS will satisfy the SIL target
• Overall SIS Probability of Failure on Demand (PFDavg)
• PFDavgs for each section of the SIS
• Show benefits of redundancy or voting schemes
• Decide the proof testing intervals
• Predict the accident rate

Conclusions on Analysis Models (Slide 96)
• Models help to visualise SIS performance
• Software speeds up analysis
• IEC 61508 part 6: methods and tables
• Fault tree analysis for detailed systems

Supplementary notes on Low Demand Mode versus High Demand Mode (also known as continuous mode) (Slide 97)
■ Low demand mode applies when the demand on the SIS is equal to or less than once per year (IEC 61511). Alternatively, no more than two demands per proof test interval.
■ Low demand calculations use PFDavg. Hazard event rate H = D × PFDavg
■ High demand mode applies when the demand on the SIS is more than once per year (IEC 61511). Alternatively, more than two demands per proof test interval.
■ High demand mode calculations use PFH (same as failure to danger rate).
■ Hazard event rate H = PFH

High v Low Demand Calculation (Slide 98)

Diagram labels: Pump, PSH, SIS, Power, Hp safety trip.
Zd = 0.05 and Ti = 1/yr: PFDavg = 0.05 × ½ = 0.025, and PFH = 0.05/8760 = 5.7E-06/hr
Suppose the demand rate D is once per year and the overpressure event rate = H/yr.
In low demand mode calculation H = D × PFDavg, so H = 1 × 0.025 = 0.025/yr
In high demand mode calculation H = PFH, so H = 5.7E-06/hr = 0.05/yr

High v Low Demand Calculation (Slide 99)

Diagram labels: Pump, PSH, SIS, Power.
Zd = 0.05 and Ti = 1/yr: PFDavg = 0.05 × ½ = 0.025, and PFH = 0.05/8760 = 5.7E-06/hr
Suppose the demand rate D is once per day (365/yr) and the overpressure event rate = H/yr.
In low demand mode: H = D × PFDavg, so H = 365 × 0.025 = 9.1/yr
In high demand mode: H = PFH, so H = 5.7E-06/hr = 0.05/yr

Event rate calculation according to low or high demand mode (Slide 100)

SIS has failures at PFD = 0.01, PFH = 0.02/yr (2.28E-06/hr). H = hazardous event rate.
Demand on SIS                  Hazardous event rate
D = 0.1/yr   …………………………………… H = ? /yr
D = 1.0/yr   …………………………………… H = ? /yr
D = 10.0/yr  …………………………………… H = ? /yr
D = 100/yr   …………………………………… H = ? /yr
