
Paul Lucas

ABB Engineering Services

Safety Integrity Level (SIL)

ABB Group - 1 21-Mar-07

13 March 2007


Agenda

Why do we need SIL systems?

Where does the SIL concept come from?

What is a SIL?

The Three Steps of SIL

Set the target SIL (SIL Determination)

Design to meet the target SIL

Operate and Maintain to keep hitting the target SIL


Why do we need SIL systems?

BP Texas City, USA 2005


Why do we need SIL systems?

Buncefield, UK 2006

Safety Issues

How do you demonstrate that your operations are safe?

How do you demonstrate that your equipment is safe?

How do you demonstrate that your safety and protective systems protect against your hazards?


You can answer these questions by demonstrating compliance with Industry Safety Standards.

Functional Safety Standard - IEC61508

Generic Standard supported by Sector variants (IEC61511 for Process Sector)

Guidance on use of Electrical, Electronic and Programmable Electronic Systems which perform safety functions

Considers the entire Safety Critical Loop

Comprehensive approach involving concepts of Safety Lifecycle and all elements of the protective system

Risk-based approach leading to determination of Safety Integrity Levels - SIL

Generic and Application Sector Standards

IEC61508 (generic standard) with its sector variants:

IEC61513 : Nuclear Sector
IEC61511 : Process Sector
Medical Sector
IEC62061 : Machinery Sector

IEC61511 Safety Lifecycle

1 Hazard and Risk Assessment
2 Allocation of safety functions to protection layers
3 Safety Requirements specification for the safety instrumented system
Design & Engineering of Safety Instrumented System
Design & Development of other means of risk reduction
5 Installation, Commissioning and Validation
6 Operation and Maintenance
Modification
Decommissioning
Verification
10 Management of functional safety and functional safety assessment and auditing
11 Safety Life-Cycle structure and planning

Step 1 Set the Target SIL

IEC61511 Safety Lifecycle - 1 Hazard and Risk Assessment

Hazard and Risk Assessment

Trevor Kletz (safety guru) sums it up as: How big? How often? So what?

What are the hazardous events? The consequence.
How often may they occur? The frequency.

Risk = Consequence * Frequency

Is this unacceptable to the company / regulator / society?
What risk is tolerated?

Tolerable Risk and ALARP

High Risk
  Intolerable: risk cannot be justified on any grounds
ALARP or Tolerability Band
  May be tolerable if risk level is As Low As Reasonably Practicable (ALARP)
Low Risk
  Broadly Acceptable: no need for detailed working to demonstrate ALARP

ALARP = As Low As Reasonably Practicable

Risk Reduction to meet tolerable risk

(Figure: a risk scale running from low to increasing risk.)

Process Risk less the necessary risk reduction gives the Risk Target.
Process Risk less the actual risk reduction gives the Residual risk.

The actual risk reduction is made up of:
Risk reduction from the Safety Instrumented Function (SIF), expressed as its SIL
Risk reduction from all Non-Instrumented Prevention / Mitigation Measures

Expressing SIL

SIL     Risk Reduction     Probability of failure on demand (PFD)
SIL 1   10 to 100          0.1 to 0.01
SIL 2   100 to 1000        0.01 to 0.001
SIL 3   1000 to 10000      0.001 to 0.0001
SIL 4   10000 to 100000    0.0001 to 0.00001

Methods for SIL Determination

Safety Layer Matrix : IEC 61511-3 Annex C
Risk Graphs : IEC 61511-3 Annex D
Layer of Protection Analysis (LOPA) : IEC 61511-3 Annex F
Fault Tree Analysis : IEC 61511-3 Annex B

Risk Graph

Extent of Damage (C)
Ca = Minor Injury
Cb = Lost time injury
Cc = Major Injury
Cd = On-site fatality
Ce = Multiple on-site fatalities or one off-site fatality

Proportion of Time of Exposure to Hazard (F)
Fa = Low (< 0.1)
Fb = High (> 0.1)

Mitigating Factors (P)
Pa = Good Chance of Avoiding Consequences (> 90%)
Pb = Poor Chance of Avoiding Consequences (< 10%)

Prob or Freq of Hazardous Event (W)
W1 = Very Low (F < 0.01 / YR)
W2 = Low (F > 0.01 / YR)
W3 = Relatively High (F > 0.1 / YR)

(Figure: the C, F and P branches select a row of the graph; the W1, W2 and W3 columns then give the required SIL, from SIL 1 up to SIL 4 for the most severe combinations.)

LOPA

For each initiating cause, calculate which layers provide protection.
Multiply for Event Frequency.

PFDavg Calculation

Initiating   Frequency   Independent Layer of Protection    Intermediate
Cause        (/yr)       1       2       3       4          Event Frequency
A            0.1         1       0.01    1       0.1        0.0001
B            0.1         0.1     0.01    1       0.1        0.00001
C            0.5         0.1     0.01    1       1          0.0005
D
E
F
Add for Total Event Freq                                     0.00061

Total Event Frequency, Fe/yr                                 0.00061
Maximum PFDavg for Safety Instrumented Function, Ft/Fe       0.0492
Target Safety Integrity Level                                SIL 1

PFD = Target (0.00003) / Total Event (0.00061) = 0.0492
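The LOPA arithmetic of the table above and the SIL banding from the Expressing SIL table, carried through in code. This is an added example, not part of the original slides; the cause frequencies, IPL PFDs and the target Ft = 0.00003 /yr are read from the table above, and the SIL band limits follow the Expressing SIL table.

```python
"""Layer of Protection Analysis (LOPA) with the figures from the slide's table.

Added example, not part of the original slides. Initiating-cause frequencies,
IPL PFDs and the tolerable frequency Ft = 0.00003 /yr are read from the table;
SIL band limits follow the Expressing SIL table.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# SIL bands as PFDavg ranges: lower bound inclusive, upper bound exclusive.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL required for a PFDavg; None if >= 0.1 (no SIF needed) or < 1e-5 (beyond SIL 4)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


@dataclass
class InitiatingCause:
    name: str
    frequency: float                                     # initiating event frequency, /yr
    ipl_pfds: List[float] = field(default_factory=list)  # PFD of each IPL; 1 = no credit

    def intermediate_frequency(self) -> float:
        """Frequency of the event getting past every independent protection layer."""
        f = self.frequency
        for pfd in self.ipl_pfds:
            f *= pfd
        return f


def lopa(causes: List[InitiatingCause], target_frequency: float) -> Tuple[float, float, Optional[int]]:
    """Total event frequency Fe, maximum PFDavg allowed for the SIF (Ft/Fe), and its SIL."""
    total = sum(c.intermediate_frequency() for c in causes)
    required_pfd = target_frequency / total
    return total, required_pfd, sil_for_pfd(required_pfd)


# Rows A to C of the slide's table (rows D, E, F carry no data on the slide).
CAUSES = [
    InitiatingCause("A", 0.1, [1, 0.01, 1, 0.1]),
    InitiatingCause("B", 0.1, [0.1, 0.01, 1, 0.1]),
    InitiatingCause("C", 0.5, [0.1, 0.01, 1, 1]),
]

if __name__ == "__main__":
    fe, pfd, sil = lopa(CAUSES, 0.00003)
    print(f"Fe = {fe:.5f} /yr, max PFDavg = {pfd:.4f}, target SIL {sil}")
```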


Comparison of Methods

Methods compared: Safety Layer Matrix, Risk Graph, LOPA, Fault Tree Analysis

Criteria, each method rated R or NR:
Initial Screening
Detailed Analysis
Multiple Causes with Different Protection
Potential Dependency
Output (SIL or PFDavg): Safety Layer Matrix SIL; Risk Graph SIL; LOPA PFDavg; Fault Tree Analysis PFDavg
Need to include specific Human Factors
Suitable for SIL: 1&2 / >1

NR = Not recommended; R = recommended

Summary of Step 1

Get the Target SIL correct
Save time, money, equipment, maintenance
Calibrate any method for YOUR tolerability
Use method suitable for the consequences

Step 2 Design to meet the target SIL

IEC61511 Safety Lifecycle - Design & Engineering of Safety Instrumented System

Random Hardware Failures

Any item of equipment in a protective system can fail. There are broadly two types of system failure.

Fail Safe
component failure to an open circuit condition, loose connections, loss of power (air or electrical)
These will cause the system to shut down the plant unnecessarily but are self revealing and fail safe.

Fail to Danger
contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked
These are fail to danger because, when a demand occurs, the system cannot respond, i.e. un-revealed failures.
These are the failures we need for the PFD calculation.

Example: High Pressure Trip

A Single Channel System, 6 month testing:
Pressure Transmitter -> Trip Amplifier -> Relay -> Solenoid Valve -> Trip Valve

Overall dangerous failure rate for the channel is the sum of the rates for the components:
λd = 0.067 + 0.05 + 0.0033 + 0.033 + 0.033 = 0.1863 per year

PFDavg = ½ × T × λd

If this is tested every 6 months (T = 0.5 year) then
PFDavg = ½ × 0.5 × 0.1863 = 0.047
which is near the middle of SIL 1.

Safety Integrity Level: Achieved PFDavg

(Figure: PFDavg = 0.047 with a 6 month test interval plotted on the SIL scale. SIL 1 spans 10^-1 to 10^-2, SIL 2 10^-2 to 10^-3, SIL 3 10^-3 to 10^-4, SIL 4 10^-4 to 10^-5; PFDavg = 0.05 and PFDavg = 0.005 are marked as reference points.)

The Need For Testing

Testing can expose un-revealed failures.

(Figure: a channel over time in years, proof tested at each Test Interval. It stays Healthy until an Unrevealed fault occurs and is then Faulty; the Dead Time runs from the fault until the next Test reveals it. A Demand arriving during the dead time finds the channel unable to respond.)

Fail to Danger
contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked
These are fail to danger because, when a demand occurs, the system cannot respond, i.e. un-revealed failures.
Only exposed by testing.

Multiple Channels And Common Cause Failure (β)

More complicated but same principles.

For One Channel (1 out of 1)
PFDav1 = ½ λd T

For Two Channels (1 out of 2)
PFDav2 = 4/3 [PFDav1]² + β [PFDav1]   or   PFDav2 = 1/3 [(λd)² T²] + β [PFDav1]

For Three Channels (1 out of 3)
PFDav3 = 2 [PFDav1]³ + β [PFDav1]   or   PFDav3 = 1/4 [(λd)³ T³] + β [PFDav1]

For Three Channels (2 out of 3)
PFDav2 = 4 [PFDav1]² + β [PFDav1]   or   PFDav2 = (λd)² T² + β [PFDav1]

Taken From Practical Industrial Safety, Risk Assessment & Shutdown Systems, Dave MacDonald.
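The single-channel and voted-architecture formulas above worked in code, showing how the common cause term β·PFDav1 can pull a redundant architecture back down a SIL band, and how the proof test interval needed for a target PFDavg follows from the 1oo1 formula. This is an added example, not from the slides or from MacDonald's book; λd = 0.1863 /yr and T = 0.5 yr are the page's figures, the β values tried are assumptions.

```python
"""PFDavg for 1oo1, 1oo2, 2oo3 and 1oo3 channels with a beta-factor common
cause term, following the formulas on the slide (after MacDonald).

Added example, not from the slides or the book. lambda_d = 0.1863 /yr and
T = 0.5 yr are the page's single-channel figures; the beta values are
assumptions chosen to show the effect.
"""
from typing import Optional

# SIL bands as PFDavg ranges: lower bound inclusive, upper bound exclusive.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL achieved by a PFDavg, or None if it falls outside SIL 1 to 4."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def pfd_1oo1(lam_d: float, t: float) -> float:
    """Single channel: PFDav1 = 1/2 * lambda_d * T (T in the same time unit as lambda_d)."""
    return 0.5 * lam_d * t


def pfd_voted(lam_d: float, t: float, arch: str, beta: float) -> float:
    """Voted channels: independent-failure term plus beta * PFDav1 for common cause."""
    p1 = pfd_1oo1(lam_d, t)
    independent = {
        "1oo1": p1,
        "1oo2": (4.0 / 3.0) * p1 ** 2,
        "2oo3": 4.0 * p1 ** 2,
        "1oo3": 2.0 * p1 ** 3,
    }[arch]
    return independent if arch == "1oo1" else independent + beta * p1


def max_test_interval_1oo1(lam_d: float, pfd_target: float) -> float:
    """Longest proof-test interval (years) keeping a 1oo1 channel within pfd_target."""
    return 2.0 * pfd_target / lam_d


if __name__ == "__main__":
    LAM, T = 0.1863, 0.5
    print("1oo1", round(pfd_1oo1(LAM, T), 5), sil_for_pfd(pfd_1oo1(LAM, T)))
    for arch in ("1oo2", "2oo3", "1oo3"):
        for beta in (0.0, 0.1, 0.2):            # assumed beta factors
            p = pfd_voted(LAM, T, arch, beta)
            print(arch, beta, round(p, 5), sil_for_pfd(p))
    print("T for SIL 2 as 1oo1:", round(max_test_interval_1oo1(LAM, 0.01), 3), "yr")
```

With β = 0 a 1oo2 pair of the page's channel reaches SIL 2, but with β = 0.2 it drops back into SIL 1, which is why the common cause factor matters more than the voting arithmetic.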

Sources of Data

Manufacturers data
Based on either returned goods or predictions using either FMEA (failure mode effects analysis) or FMEDA (failure mode effects and diagnostic analysis).
These should not be confused with real field failure rates based on actual use of the units.

Field data (61511 uses the term prior use)
Based on similar operating conditions and environment.
Should be collected using a methodical / auditable process and allow for errors (misreporting / non reporting) in the collection of the data.

Generic data
From an extensive history of similar industries found to be appropriate.

Checking the numbers

IEC 61511 architectural constraints: Hardware Fault Tolerance
Designed to verify that the numbers make sense
No mathematical basis for the figures
Based on experience
Specified SIL can be reduced with operational experience and analysis

(Figure: example architecture with two Analyser / Trip Amp sensor channels into Relay Logic, driving two Solenoid / Trip Valve final elements.)

Constraint - Hardware Fault Tolerance (1)

Used for sensor, final elements and non PE Logic Solver
Table 6 in IEC61511 Part 1
Increased fault tolerance can enable easier maintenance and testing

Constraint - Hardware Fault Tolerance (2)

Applies to PE Logic Solvers
Table 5 in IEC 61511 Part 1
The cleverer the PES, the less fault tolerance required for the target SIL
More complex tables in IEC61508 used for certified instruments to reduce HFT

Manufacturers Data Example 2

Non-Hardware faults - Systematic

The findings from "Out of Control" and other work show that a large number of faults are not caused by hardware.
We need appropriate processes, procedures, methods and systems in place to control these faults.

Where the faults arise:
Specification 43%
Changes after commissioning 21%
Operation & maintenance 15%
Design & implementation 15%
Installation & commissioning 6%


Problems with software systematic faults

How do you make software 10 times better?
How do you measure software?
What is the probability of Fail to Danger (pfd) of a lump of code?
You cannot measure software like hardware (quantitative methods).
You have to use more rigorous techniques for software, required for higher level SIL (qualitative methods).

Example of Software Techniques

Table A.4 - Software design and development: detailed design

     Technique/Measures                                                                Ref             SIL 1  SIL 2  SIL 3  SIL 4
1a   Structured methods including for example, JSD, MASCOT, SADT and Yourdon           C.2.1           HR     HR     HR     HR
1b   Semi-formal methods                                                               Table B.7       R      R      HR     HR
1c   Formal methods including for example, CCS, CSP, HOL, LOTOS, OBJ, temporal logic,
     VDM and Z                                                                         C.2.4           --     R      R      HR
2    Computer-aided design tools                                                       B.3.5           R      R      HR     HR
3    Defensive programming                                                             C.2.5           --     R      HR     HR
4    Modular approach                                                                  Table B.9       HR     HR     HR     HR
5    Design and coding standards                                                       Table B.1       R      HR     HR     HR
6    Structured programming                                                            C.2.7           HR     HR     HR     HR
7    Use of trusted/verified software modules and components (if available)            C.2.10, C.4.5   R      HR     HR     HR

HR = Highly Recommended; R = Recommended; -- = no recommendation for or against

Summary of Step 2

80% - 90% of safety functions should be SIL1
Single channel, reasonable test intervals, no HFT to consider

High SIL, complex architecture
Use a specialist
Shorter test intervals (simple SIL calculations may not apply)
Additional hardware (including final elements)
Common cause faults, hardware fault tolerance, SFF, DC
Systematic controls

Take care with instrument data
Field data is best
Manufacturers data is a prediction and will need to be adjusted for plant conditions

Step 3 Operate and Maintain to meet the SIL

IEC61511 Safety Lifecycle - 6 Operation and Maintenance


Operation and Maintenance

What activities are required to ensure the Safety Instrumented System keeps meeting the target SIL?

What operations and test data needs to be kept and recorded to verify SIL determination and Design assumptions?

Proof Tests: 61511 states

Periodic proof tests shall be conducted using a written procedure.
The entire SIS shall be tested including the sensor(s), the logic solver and the final element(s).
Different parts of the SIS may require different test intervals.
The frequency of the proof tests shall be decided using the PFDavg calculation.
At some periodic interval the frequency of the testing shall be re-evaluated.

Why record Demands?

To demonstrate the design demand rate is not being exceeded
To demonstrate that the causes of demand are as expected
To check causes and rates of failsafe demands
To be able to carry out periodic reviews

Why record Proof Test Records/Results?

To demonstrate that testing is being carried out at specified interval
As an auditable trail to the recorded results
To indicate who carried out the tests
To demonstrate that faults found have been rectified
To be able to carry out periodic reviews

Need to record results in a manner which enables the results to be extracted / presented in a format which makes reviews possible.
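One way to run the periodic review the two slides above call for over recorded operating data: check each SIF's proof test interval against the specified one, its demand rate against the design rate, and whether faults found on test have a recorded rectification. This is an added example, not part of the original slides; the record layout, SIF tags, dates and intervals are constructed for illustration.

```python
"""Review of SIS operating records: proof test interval compliance, demand
rate against design, and rectification of faults found on test.

Added example, not part of the original slides. The record format and all
sample records below are constructed; a real review reads them from the
plant's SIS log.
"""
from datetime import date
from typing import Dict, List, Tuple

# Constructed records: (SIF tag, date, kind, detail). Kinds are "proof_test"
# (detail "pass"/"fail"), "repair" (fault rectified) and "demand" (cause).
RECORDS: List[Tuple[str, date, str, str]] = [
    ("PT-101-HH", date(2006, 1, 10), "proof_test", "pass"),
    ("PT-101-HH", date(2006, 4, 2), "demand", "high pressure"),
    ("PT-101-HH", date(2006, 7, 12), "proof_test", "fail"),
    ("PT-101-HH", date(2006, 7, 14), "repair", "solenoid valve replaced"),
    ("PT-101-HH", date(2006, 11, 20), "demand", "high pressure"),
    ("PT-101-HH", date(2007, 3, 1), "proof_test", "pass"),   # 232 days after last test
    ("TT-205-HH", date(2006, 2, 1), "proof_test", "fail"),   # no repair recorded
    ("TT-205-HH", date(2006, 8, 1), "proof_test", "pass"),
]


def review_sif(records, sif: str, test_interval_days: int,
               design_demand_rate: float, period_years: float) -> Dict:
    """Findings for one SIF: overdue tests, demand rate, and unrectified faults."""
    rows = sorted((r for r in records if r[0] == sif), key=lambda r: r[1])
    tests = [r[1] for r in rows if r[2] == "proof_test"]
    # A gap longer than the specified interval means the PFDavg assumption was broken.
    overdue = [(a, b, (b - a).days) for a, b in zip(tests, tests[1:])
               if (b - a).days > test_interval_days]
    demands = [r for r in rows if r[2] == "demand"]
    demand_rate = len(demands) / period_years
    # A failed test counts as rectified only when a repair record follows it;
    # a later passing test on its own is not evidence the fault was fixed.
    unrectified: List[date] = []
    for r in rows:
        if r[2] == "proof_test" and r[3] == "fail":
            unrectified.append(r[1])
        elif r[2] == "repair" and unrectified:
            unrectified.pop(0)
    return {
        "overdue_tests": overdue,
        "demand_rate": demand_rate,
        "demand_rate_exceeded": demand_rate > design_demand_rate,
        "unrectified_faults": unrectified,
    }


if __name__ == "__main__":
    for tag in ("PT-101-HH", "TT-205-HH"):
        print(tag, review_sif(RECORDS, tag, 183, 1.0, 1.0))
```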

Summary of the 3 steps

Get the Target SIL correct
Save time, money, equipment, maintenance

Design to meet the SIL
More than failure rates
Where do you get failure data from?
Hardware Fault Tolerance and Systematic controls

Operate and Maintain to keep the SIL
Testing
Recording
Analysing and improving