
EIT: E-Cert SS: Unit 7 Instrument Selection

EIT Safety Instrumentation E-Learning

SAFETY INSTRUMENTED SYSTEMS &


EMERGENCY SHUTDOWN SYSTEMS
for Process Industries
using IEC 61511 and IEC 61508

Unit 7: SIL Instrument Selection

Version for EQO26: 7 November 2012

Presented by Dave Macdonald,


EIT Cape Town South Africa

Contact E-mail: macdond@telkomsa.net


Slide 1

www.eit.edu.au
Introduction to Chapter 7: Practical selection of sensors and actuators for safety duties

■ Impact on SIS Reliability
■ Types of Sensors and Actuators
■ Failure modes and causes
■ Separation, redundancy, diversity, diagnostics
■ Device Selection Issues: What IEC 61511 requires + Common sense
■ Technologies: Safety certified instruments and fieldbus

(Slide callout: Knowledge of the rules + Experience… if you can get it!)

Slide 2

Key Points about Sensors and Actuators

◆ Sensors and Actuators remain the most critical reliability items in an SIS
◆ Separation, diversity and redundancy are critical issues.
◆ Safety related instruments must have a proven record of performance. IEC 61508 / 61511 have specific requirements
◆ Logic solver intelligence and communications power will help to provide diagnostic capabilities to assist field device reliability
◆ Failure modes and common cause issues are potential problems for intelligent instruments

Slide 3

IEC 61511 and other guidance sources

■ Instrument practice for safety systems: well established
■ ISA S84.01 Appendix B… obsolete standard but still relevant.
■ IEC 61511 specifics defined in clauses 11.5 and 11.6 of part 1.
■ Gruhn & Cheddie ISA Textbook; chapter 9

IEC 61511-1 Paragraph 11.5: Requirements for selection of components and subsystems

■ 11.5.2.1 Components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with 11.4 and 11.5.3 to 11.5.6, as appropriate

(Slide annotations on the clause: "Certified compliant to IEC 61508" against the first alternative; "Prior use justification" and "Fault tolerance" against the second.)

Slide 4

Sensors and Actuators Dominate Reliability Issues

Table 7.1 Typical Reliability Table

Item                                    | Fail to Danger Rate / yr | PFD avg (3 month proof test) | PFD avg % of total
Input sensor loop                       | 0.05                     | 0.006                        | 32
SIL 3 Logic Solver PLC                  |                          | 0.0005                       | 3
Output Actuator loop (Solenoid + valve) | 0.1                      | 0.0125                       | 65
Totals                                  |                          | 0.019 (SIL 1)                | 100

• The field devices taken together contribute 97% of the PFD for this example.
• The PFD figures for the field devices are affected by environmental conditions and maintenance factors.
• PES logic solvers benefit from auto-diagnostics.

Slide 5

Bus connected safety certified instruments


Foundation Field Bus
Profi-safe
ASI-Safety Bus

See Session 5

Slide 6


Advantages of Analog Transmitters Over Switches

• Good reliability and accuracy


• Signal present at all times…improved SFF
• Potential for diagnostics, easier to detect faults
• Possible to compare signal with other parameters
• Trending and alarming available
• Multiple set points
• Competitive pricing
• Rationalized spares

Slide 7


Potential Causes of Failures in Sensors


• Components of the instrument
• Process connection
• Fouling / corrosion / process fluids / clogging
• Wiring
• Environmental: Process / Climate / Electrical
• Specification / range / resolution
• Response time
• Power supplies
• Intrinsic safety barriers
• Calibration / testing / left on test / isolated

Slide 8

Final Control Elements or Actuators: Figure 7.4

(Figure 7.4, diagram only. Left panel "Electrical Drive Trip": SIS logic acts, together with the interlocks, on the 380 V ac power feeding motor M. Right panel "Process Valve Trip": SIS logic trips the process valve.)

Slide 9
E-Stop operation with VSD/Inverter Drive

Stop Category 1
Safety Control Category 2

(Diagram only: the E-Stop command goes to a safety relay with reset; relay K1 and a time-delayed K1 contact remove power from the drive controller feeding motor M.)

Slide 10

Potential Causes of Failures in Final Elements

· Components of the actuator, positioner, mechanical failures of springs
· Process connection / leaks. Mechanical distortion of pipes causing stress in valve
· Valve internal faults due to: fouling or corrosion by process fluids / jamming / sticking / leaking
· Wiring to solenoids
· Pneumatics / venting failures
· Environmental. Physical impacts / fire / freezing or icing up.
· Solenoid valves sticking or blocking

Slide 11

General Requirements for Fail-safe Operation

◆ Sensor contacts closed during normal operation

◆ Tx signals go to trip state upon failure (Normally < 4mA)

◆ Broken wire = trip

◆ Output contacts closed and energized for normal operation

◆ Final trip valves go to trip (safe) position on air failure

◆ Drives go to stop on trip or SIS signal failure

Slide 12


For an instrument to qualify for SIL target

(Flowchart, reconstructed from the slide layout:)

Either:
  Prior Use (smart tx, analog or switch)
    SIL 1 or 2: prior use justification
    SIL 3 requires assessment and a safety manual
Or:
  Build to IEC 61508 HW & SW, certify to IEC 61508

Apply IEC 61511 limitations, and PFD must satisfy SIL target

Slide 13

Sharing of Sensors with BPCS

Do not share sensors because it:

◆ Violates the principles of independence

◆ Creates a high level of common cause failure

◆ Does not create a separate layer of protection

◆ Does not provide secure maintenance

Slide 14


Snap question: What is wrong with this safety trip design? Figure 7.5

(Figure 7.5, diagram only: boiler steam drum with a single level transmitter LT-1 feeding both the level controller LIC-1 on the feed water supply and the LSL trip logic in the SIS logic solver, which trips the boiler.)

Snap question: Draw a better arrangement

Slide 15
Figure 7.5 cont.
Separate Sensors for Control and Trip: Acceptable

(Diagram only: boiler steam drum with LT-2 dedicated to the LSL trip logic in the SIS logic solver and LT-1 dedicated to LIC-1 controlling the feed water supply.)

Slide 16
Figure 7.6
Fault Tree Analysis for Boiler Low Level Trip

Shared Sensor:
  Boiler Damage 0.105 / yr. = Low level and NO TRIP, OR of:
    (a) FW Fails and No Trip 0.005 / yr. = AND of: FW failure causes low level 0.2 / yr.; Trip fails on demand PFD = 0.1/2 x 0.5 = 0.025
    (b) LT-1 Fails high, LIC causes low level, no trip possible 0.1 / yr.

Separate Sensor:
  Boiler Damage 0.0075 / yr. = Low level AND NO TRIP:
    Low level 0.3 / yr. = OR of: FW Fails 0.2 / yr.; LT-1 Fails high, LIC-1 causes low level 0.1 / yr.
    Trip fails on demand (LT-2 Fails) PFD = 0.1/2 x 0.5 = 0.025

Slide 17
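Worked example (added here; it is not part of the EIT slides): Python that reproduces the Table 7.1 PFD split (slide 5) and the two Figure 7.6 fault trees from the slides' own numbers, using the single channel approximation PFDavg = λdu x Ti/2. The function names and the AND/OR gate helpers are my own; the failure rates and proof test intervals are the ones printed on the slides.

```python
# Added example, not part of the EIT course material. It reproduces the
# Table 7.1 PFD split and the Figure 7.6 fault tree with the slides' own
# numbers. Function and variable names are my own; all rates are per year.

def pfd_avg_1oo1(lambda_du, ti_years):
    """PFDavg of a single untested channel: dangerous undetected rate x Ti / 2."""
    return lambda_du * ti_years / 2.0


def table_7_1(ti_years=0.25):
    """Table 7.1 with a 3 month proof test (Ti = 0.25 yr).

    The logic solver's PFD (0.0005) is taken as given on the slide: it comes
    from auto-diagnostics, not from the proof-test formula.
    """
    pfd = {
        "input sensor loop": pfd_avg_1oo1(0.05, ti_years),
        "SIL 3 logic solver PLC": 0.0005,
        "output actuator loop": pfd_avg_1oo1(0.10, ti_years),
    }
    total = sum(pfd.values())
    percent = {name: round(100 * value / total) for name, value in pfd.items()}
    return {"pfd": pfd, "total": total, "percent": percent}


def and_gate(demand_rate, pfd):
    """Rate of a demand (events/yr) coinciding with a failed protection layer."""
    return demand_rate * pfd


def or_gate(*rates):
    """Top-event rate for independent, rare contributors: the rates add."""
    return sum(rates)


def boiler_damage_rate(shared_sensor, fw_fail=0.2, lt1_fail_high=0.1,
                       trip_lambda_du=0.1, trip_ti_years=0.5):
    """Figure 7.6: boiler damage rate with the level transmitter shared
    between LIC-1 and the trip (shared_sensor=True) or with a separate LT-2."""
    trip_pfd = pfd_avg_1oo1(trip_lambda_du, trip_ti_years)  # 0.1/2 x 0.5 = 0.025
    # Feed water failure is a demand on the trip whichever sensor layout is used.
    fw_branch = and_gate(fw_fail, trip_pfd)
    if shared_sensor:
        # LT-1 reading high makes LIC-1 starve the drum, and the same failed
        # LT-1 feeds the trip logic, so no trip is possible: every such
        # failure leads to damage (0.1 / yr).
        lt_branch = lt1_fail_high
    else:
        # With a separate LT-2 the LT-1-induced low level is just another
        # demand that the trip can still answer.
        lt_branch = and_gate(lt1_fail_high, trip_pfd)
    return or_gate(fw_branch, lt_branch)


if __name__ == "__main__":
    t = table_7_1()
    field = t["percent"]["input sensor loop"] + t["percent"]["output actuator loop"]
    print("Table 7.1 total PFDavg %.4f, field devices %d%%" % (t["total"], field))
    print("Figure 7.6 shared sensor:   %.4f / yr" % boiler_damage_rate(True))
    print("Figure 7.6 separate sensor: %.4f / yr" % boiler_damage_rate(False))
```

The shared-sensor tree is the one to study: the second branch has no PFD term at all, because the sensor whose failure creates the demand is the same sensor the trip relies on, which is exactly the independence argument of the "Sharing of Sensors with BPCS" slide.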
Separation Rules: Field Sensors
IEC 61511 part 2 : 11.2.4

• Sharing of sensor between SIS and BPCS only allowed if safety integrity targets can be met. This would require sensor diagnostics and is only likely to be possible for SIL 1
• Separate sensor is allowed to be copied to BPCS via isolator
• SIL 2, 3 and 4 normally require separate sensors with redundancy
• SIL 3 and 4 normally require separation and diverse redundancy

Slide 18
Separation Rules: Final Elements
IEC 61511 part 2 : 11.2.4

• A single valve may be used for both BPCS and SIS but is not recommended if valve failure places a demand on the SIS.
• Normally a shared valve can only be used if diagnostic coverage and reaction time are sufficient to meet safety integrity requirements
• Recommendations for a single valve application
• SIL 2 and SIL 3 normally require identical or diverse separation. Diversity not always desirable

Slide 19

Arrangement for Tripping of Shared Control Valve: SIL 1 (Figure 7.7)

(Figure 7.7, diagram only: the BPCS drives control valve FV through positioner FY; the SIS de-energises a direct acting, direct mounted solenoid valve in the air supply (A/S) to vent the actuator.)

Check hazard demands due to valve

Slide 20
Figure 7.8
Diverse Separation of Control and Shutdown Valves: SIL 2 and SIL 3

(Figure 7.8, diagram only: the SIS trips a separate shutdown valve through its air supply (A/S); the BPCS controls its own valve through positioner FY.)

Check hazard demands due to valve

Slide 21

Sensor Diagnostics

♦ Do not confuse with proof testing
♦ Compare trip transmitter value with related variables. Not often practicable
♦ Use safety transmitters… if available
♦ Use Smart transmitters with diagnostic alarm… but see next

Slide 22

Valve Diagnostics
Assurance that a trip valve will respond correctly when needed

• Freedom of movement, full travel

• Correct venting of actuator

• Correct rate of response

• Absence of sticking

• Trip signals and solenoid all working


Slide 23


Methods for Valve Diagnostics

• On–line trip testing

• Discrepancy alarm

• Position feedback – response testing

• Partial closure testing – manual or automatic

• Smart positioners – certified safety positioner

Slide 24


IEC Architectural Constraints as per IEC 61508

◆ IEC 61508 places an upper limit on the SIL that can be claimed for any safety function on the basis of the fault tolerance of the subsystems that it uses.

♦ Limit is a function of
  ♦ the hw fault tolerance
  ♦ the safe failure fraction
  ♦ the degree of confidence in the behaviour under fault conditions

Details in IEC 61508 part 2

Slide 25

IEC 61508 Classification of Equipment

◆ IEC defines two types of equipment for use in Safety Systems:

♦ Type A: Simple Devices: Non PES. E.g. limit switch, level float switch, analogue circuits.
♦ Type B: Complex Devices: Including PES. E.g. smart transmitters, digital communications, processor based systems.

Fault tolerance rating of B is less than A except under certain conditions

Slide 26
IEC 61511-1 Table 6: Minimum hardware fault tolerance of sensors, final elements and non PES logic

SIL | Minimum HW Fault Tolerance
1   | 0
2   | 1
3   | 2
4   | Special requirements: See IEC 61508

The following summarized conditions apply for SIL 1, 2 and 3:

Increase FT by 1 if instrument does not have fail safe characteristics

Decrease FT by 1 if instrument meets 4 conditions:
• Predominantly fail safe
• Prior Use (Proven in use)
• Limited device adjustment (process parameters only)
• Password protected

Alternatively tables 2 and 3 of IEC 61508 may be applied with an assessment

Slide 27

Example for Level Switch: Extract from device’s safety manual (image only)

Slide 28

Example for Level Switch: Extract from safety manual (image only)

Slide 29

Example for Level Switch: Extract from safety manual (image only)

Slide 30

Table 7.4 Redundancy Options

Sensor or Actuator Configuration | Selection
1oo1 | Use if both PFD and FT and nuisance trip targets are met.
1oo2 | 2 sensors installed, 1 required to trip. PFD value improved, nuisance trip rate doubled.
2oo3 | 3 sensors installed, 2 required to trip. PFD improved over 1oo1, nuisance trip rate dramatically reduced.

Slide 31

Common Cause Failures in Sensors

♦Wrong specification

♦Hardware or circuit design errors

♦Environmental stress

♦Shared process connections

♦Wrong maintenance procedures

♦Incorrect calibrators
Slide 32


Comments on Redundancy in Sensors: Figure 7.10

(Figure 7.10, diagram only: redundant pressure transmitters PT-1A and PT-1B both feeding the SIS; the slide shows this as the arrangement to avoid.)

Be careful to analyze for common cause faults, e.g. try to avoid this

Slide 33
Comments on Diverse Redundancy in Sensors: Figure 7.11

Where measurement is the problem use diverse redundancy, e.g. steam or ammonia overpressure protection.

(Figure 7.11, diagram only: pressure transmitter PT-01 and temperature transmitter TT-01 both feeding the SIS.)

Slide 34

Requirements for Device to be “Proven–in-use”

• Evidence that the instrument is suitable for SIS
• Consider manufacturer’s QA systems
• PES devices need extra validation
• Performance record in a similar profile
• Adequate documentation
• Volume of experience, > 1 yr exposure per case.

(Slide callout: Collect the records of every maintenance event per instrument.)

Slide 35

The approved safety instrument list

• Each instrument that is suitable for SIS
• Update and monitor the list regularly
• Add instruments only when the data is adequate
• Remove instruments from the list when they let you down
• Adequate details: Include the process application

(Slide callout: Key job for maintenance team)

Slide 36
Additional requirements for smart transmitters and actuators:

Details in IEC 61511 11.5.4 for devices with “Fixed Programming Languages” (FPLs)

Extra for SIL 3

• Formal assessment… low probability of failure in planned application.
• Appropriate standards used in build
• Consider manufacturer’s QA systems
• Must have a safety manual

Slide 37
Figure 7.12
HART Transmitter With Diagnostic Input

(Figure 7.12, diagram only: the smart transmitter’s 4-20 mA + FSK data signal goes to an AI of the SIS logic solver; a HART interface decodes the status alarm onto a DI of the logic solver; a hand held programmer also connects to the loop.)

FSK = Frequency Shift Keyed

Slide 38
Figure 7.14
Example of a Safety Critical Transmitter

Slide 39


Benefits of a Safety Certified Transmitter:

• Internal diagnostics with high coverage factor

• Very low PFDavg values. Saves on proof testing etc.

• Certified for single use in SIL 2 (instead of dual channel)

• Certified for dual redundant use in SIL 3 (instead of 1oo3)

• End user verification is simplified

Slide 40


Importance of the Safety Manual

The safety manual presents all the essential information and set up conditions that must be followed to allow the instrument to be validated for any given application.

The manual also supplies the failure rates summary and expected PFDavg.

Compliance to safety manual requirements must be demonstrated in the validation phase.

See examples of safety manuals and FMEDA reports

Slide 41

Importance of the Safety Certificate

The safety certificate is issued by the testing body to clearly define what products have been tested and what standards and limitations have been applied in the evaluation.

The safety certificate is an essential document for the validation phase.

See examples of Safety Certificates: 3051C and Rex Radar

Testing Authorities include:
TUV Rheinland
Exida.com
Any recognized testing body that can show competency in the SIS field.

Note: Exida specializes in certifying instruments claiming “prior use” qualification. Reports supply SFF and failure rate data with declaration of fault tolerance requirements relevant to IEC 61511. See examples.

Slide 42

Field Devices Summary

Instruments must be well proven for safety with an assessment report or certified SIL capable to IEC 61508.

• Intelligent instruments treated as PES
• Separation, Redundancy, Diversity, Diagnostics
• Diagnostic Coverage via Smarts or Logic Solver
• Bus technology established and growing.

Slide 43
EIT EQO26: Unit 8 Reliability Analysis

EIT Safety Instrumentation E-Learning

SAFETY INSTRUMENTED SYSTEMS &


EMERGENCY SHUTDOWN SYSTEMS
for Process Industries
using IEC 61511 and IEC 61508
Unit 8: Reliability Analysis

Version for EQO26: 7 November 2012

Presented by Dave Macdonald,


EIT Cape Town South Africa

Contact E-mail: macdond@telkomsa.net


Slide 44


Introduction to Chapter 8:
Reliability Analysis of the SIS

The task of measuring or evaluating the SIS design for its overall safety integrity

• Reasons and objectives
• Resolving the SIS into reliability block diagrams
• Identification of formulae
• Trial calculation examples
• Calculation software tools

Slide 45

IEC 61511 requires reliability analysis be done for each SIF to show that SIL target and RRF can be achieved. Why?

• Because it tells everyone what RRF can be expected from each individual safety function.
• It confirms the basis of the design and the chosen proof test interval
• Compares the calculated RRF for your design with the target to show you can achieve the target.
• To predict the accident rate: H events/yr = Demand Rate (D) x PFDavg, or H = D/RRF

Slide 46

Terminology

RRF     Risk Reduction Factor (e.g. 200)
SIL     Safety Integrity Level (depends on RRF) (SIL Tables)
D       Demand rate on Safety Function (how often the SIF is demanded to respond to a hazard condition)
H       Hazardous event rate (also called accident rate) (e.g. 0.1/yr = 1 in 10 years)
PFDavg  Average probability of failure on demand of the SIF

Slide 47

Terminology

MTTFd   Mean time to fail dangerously (= 1/λd)
MTTFs   Mean time to fail safe (or spurious) (= 1/λs)
MTTRd   Mean time to detect and repair a dangerous fault
Ti      Time interval between proof tests
λdd     Failure rate for dangerous detectable faults
λdu     Failure rate for dangerous undetectable faults (requires proof testing)
λsd     Safe revealed failure rate (causes spurious trip or loss of affected safety channel)

Slide 48

Risk Reduction Factor and PFDavg

RRF = 1 / PFDavg

(PFDavg = average probability of failure on demand)

PFDavg is a function of:

1. Failure rate per hour for undetected faults: λdu
2. Test interval: Ti
3. Redundancy (1oo1, 1oo2, 2oo3, etc)

Compare PFDavg with the target PFDavg for the SIL range we need.

Slide 49

Snap Question: Why is PFD so useful to know?

1 Because it can tell you the accident event rate: H = Demand Rate x PFDavg

2 Because it helps you decide the SIL of your design: PFDavg defines the SIL range for the design (in terms of resistance to random hardware failures)

Slide 50
Failure scenario for an Untested SIF

(Timeline diagram, described: the process starts operating safely; an unrevealed dangerous fault occurs, after which the process is operating but not protected; when the hazardous condition (demand) then occurs, a reportable accident results. Mission time axis marked 1 yr, 2 yr.)

Slide 51
Low Demand Mode: Proof Tested SIF repaired before demand

(Timeline diagram, described: the process is operating safely; an unrevealed dangerous fault occurs and the process is operating but not protected; the proof test reveals the fault and it is repaired before the hazardous condition (demand) occurs, so the accident is prevented. Mission time axis marked 0.5 yr, 1 yr.)

Slide 52
Low Demand Mode: Proof tested SIF but failure on demand

(Timeline diagram, described: the process is operating safely; an unrevealed dangerous fault occurs after a proof test and the process is operating but not protected; the demand occurs before the next proof test, the SIF fails to respond on demand and a reportable accident occurs. Mission time axis marked 0.5 yr, 1 yr.)

Slide 53
Diagnostic + Proof Tested SIF

PFDavg = MTTD&R x Fail danger rate

(Timeline diagram, described: the process is operating safely; a detectable dangerous fault occurs; the diagnostic test reveals the fault, it is detected and repaired and the accident is prevented. Diagnostic tests run typically 100 times/day; proof tests, for the undetected faults, at 1 yr and 2 yr of mission time.)

Slide 54
Low Demand Mode versus High Demand Mode

• Low demand mode applies when the demand on the SIS is equal to
or less than once per year. ( IEC 61511) . Alternatively no more than
two demands per proof test interval.
• Low demand calculations use PFDavg.
• Hazard event rate H = D x PFDavg

• High demand mode applies when the demand on the SIS is more
than once per year. ( IEC 61511) . Alternatively more than two
demands per proof test interval.
• High demand mode calculations use PFH probability of dangerous
failure per hour.
• Hazard event rate H = PFH

(High demand also known as continuous mode)

Slide 55

Low Demand Mode Application

(Diagram: a pressure surge occurs once per year (demand D) on a pressure relief trip (SIS); the accident occurs if a dangerous fault is undetected before the surge occurs.)

Accident rate H = D x PFDavg

Provided test interval is shorter than 1 year or diagnostics detect faults quickly

Example: If PFDavg = 0.05 and D = 1: H = 0.05/yr

Slide 56

High demand Mode Application

(Diagram: the brake is applied 100 times per day; the electronic braking controls (SIS) are the safety function; the accident occurs as soon as the brake circuit fails.)

Accident rate = Probability of failure/hr of the EBC = Failure rate per hour of the SIS

Example: If PFH = 0.0001/hr, H = 0.0001/hr of service

If machine used for 5000 hrs/yr, accident rate = 0.5/yr.

Slide 57
Design Iteration for Target PFD in Low Demand Mode

(Flowchart:)
SRS defines the Risk Reduction Factor → Set Target PFD (PFD = 1/RRF)
→ Evaluate Solution PFD
→ Acceptable? Calculated PFD < Target PFD?
   No → Revise Design → Evaluate Solution PFD again
   Yes → Proceed to Detail Design

Slide 58
Elements and terms in the SIS model

Hazard Demand Rate D → Protective System (SIS) → Hazard Event Rate H

PFD avg. = H/D = 1/(Risk Reduction Factor)

(SIL 3, SIL 2 and SIL 1 bands are marked against PFD avg. on the slide.)

D → Sensor (PFD1) → Logic (PFD2) → Actuator (PFD3) → H

Overall PFD = PFD1 + PFD2 + PFD3

Slide 59

Single Channel Basic calculation of PFD

(Diagram: one channel with dangerous undetected failure rate λdu.)

If the fail to danger rate is λd and proof test interval is Ti

PFDavg = λdu x Ti/2 (failure rate/yr x mean time to detect)

Example: Fail to danger rate = 0.05 per year, Ti = 1 year

PFDavg = 0.05 x ½ = 0.025 (SIL 1)

How is this formula obtained?

Slide 60

Hazard Rate v Demand Rate showing low and high demand modes

(Graph, described: hazard event rate H (accident rate) plotted against demand rate D.)

General curve: H = λd (1 – e^(–D·Ti/2))

Demand mode (D x Ti << 1): Accident Rate H = Demand Rate (D) x PFD avg of SIS

Continuous mode (D x Ti > 1): Accident Rate H = PFH of SIS; H approaches the fail rate λd

Slide 61
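Worked example (added; not from the slides): the hazard-rate curve of slide 61 and the low/high demand rule of slide 55 in Python, with the slide 56 and slide 57 examples as checks. The function names are my own, and combining the two demand-mode criteria on slide 55 with "or" is my reading of the word "alternatively" there.

```python
import math

# Added example, not part of the course material: the hazard-rate curve of
# slide 61 and the low/high demand rule of slide 55. Names are my own.
# demand_rate is demands per year, lambda_d the dangerous failure rate per
# year, ti the proof test interval in years, pfh a per-hour probability.

def hazard_rate_general(demand_rate, lambda_d, ti):
    """H = λd (1 - exp(-D Ti / 2)), the curve drawn on slide 61."""
    return lambda_d * (1.0 - math.exp(-demand_rate * ti / 2.0))


def hazard_rate_low_demand(demand_rate, lambda_d, ti):
    """Low demand limit (D x Ti << 1): H = D x PFDavg, with PFDavg = λd Ti / 2."""
    return demand_rate * lambda_d * ti / 2.0


def hazard_rate_high_demand(pfh_per_hour, hours_per_year):
    """High demand / continuous limit: accidents per year = PFH x hours in service."""
    return pfh_per_hour * hours_per_year


def demand_mode(demands_per_year, ti_years):
    """IEC 61511 rule as quoted on slide 55: low demand if at most one demand
    per year or (alternative form) no more than two demands per proof test
    interval; otherwise high demand. Combining the two with 'or' is my
    assumption."""
    if demands_per_year <= 1.0 or demands_per_year * ti_years <= 2.0:
        return "low demand (use PFDavg)"
    return "high demand (use PFH)"


def compare_limits(lambda_d=0.1, ti=1.0, demand_rates=(0.01, 1.0, 10.0, 1000.0)):
    """Rows of (D, D x PFDavg, general H, λd): the general curve follows
    D x PFDavg while D x Ti is small and saturates at λd when D is large."""
    return [(d, hazard_rate_low_demand(d, lambda_d, ti),
             hazard_rate_general(d, lambda_d, ti), lambda_d)
            for d in demand_rates]


if __name__ == "__main__":
    print("D /yr    D x PFDavg   general H   λd")
    for d, low, gen, hi in compare_limits():
        print(f"{d:8.2f} {low:11.4f} {gen:10.4f} {hi:6.2f}")
    # Slide 56: PFDavg = 0.05 (λd = 0.1 /yr, Ti = 1 yr), D = 1 /yr -> 0.05 /yr
    print(hazard_rate_low_demand(1.0, 0.1, 1.0))
    # Slide 57: PFH = 0.0001 /hr, 5000 hrs/yr -> 0.5 /yr
    print(hazard_rate_high_demand(1e-4, 5000))
```

Running the table shows why the low demand formula is only quoted for D x Ti << 1: at D = 1 /yr with Ti = 1 yr the straight-line estimate already overstates the curve by about a quarter, and at D = 1000 /yr the hazard rate is simply λd, the dangerous failure rate of the SIS.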
Effect of Manual Proof Testing…. leading to average probability of failure on demand:

(Graph, described: p(t), the probability of being failed when a demand occurs, rises from 0 as p(t) = λd·t and is reset to 0 by each proof test action at Ti, 2Ti, … on the time axis t; the resulting saw-tooth has an average value.)

p(t) = λd·t

Average value PFDavg = λd·Ti/2

Slide 62

SIS Failure Modes

Overt Failures: Spurious Trip Rate λS = 1/MTBFsp
  Loss of production: λS + λDD trips plant unless 2oo3 or 2oo2 voting

Covert Failures: Dangerous Failure Rate λD = 1/MTTFD
  λDD: detectable by self diagnostics
  λDU: undetectable except by manual proof testing

C = Coverage;  λDD = C·λD;  λDU = (1 – C)·λD

Slide 63
Example: Find the Safe and Dangerous Failure Modes

(Diagram: SIS High Level Trip on a fluid feed vessel; level transmitters LT-1 and LT-2 feed the logic solver, level controller LC-1 drives an I/P converter from the air supply AS, the valves are marked FC, and a PSV is fitted.)

Assume out of range detection provided (forcing a trip)

Fail Modes / yr                          | Device          | λsp | λdu | λdd
Bottom blocked: 0.1. Top leaks: 0.2      | LE connection   |     |     |
Runs low: 0.05. Runs high: 0.02          | LT electronics  |     |     |
Breaks: 0.01. Shorts across LT: 0.1      | Cable           |     |     |
Lost power: 0.02                         | Power           |     |     |
Totals for sensor sub system:            |                 |     |     |

Slide 64
1oo1 SIS Formulae

Single Channel SIS Fail Rates

Overt Failures: Spurious Trip Rate λS = 1/MTBFsp
  Loss of production: λS + λDD trips plant unless 2oo3 or 2oo2 voting

Covert Failures: Dangerous Failure Rate λD = 1/MTTFD, C = Coverage
  λDD = C·λD, detectable by self diagnostics
  λDU = (1 – C)·λD, detectable by manual proof testing

SP Trip Rate = λS + λDD
PFD1 = λDD x (MTTR)
PFD2 = λDU x (Ti/2)

Slide 65
1oo2 SIS Formulae

Single Channel SIS Fail Rates

Overt Failures: Spurious Trip Rate λS = 1/MTBFsp
  Loss of production: trips plant unless 2oo3 or 2oo2 voting

Covert Failures: Dangerous Failure Rate λD = 1/MTTFD, C = Coverage
  λDD = C·λD, detectable by self diagnostics
  λDU = (1 – C)·λD, detectable by manual proof testing

SP Trip Rate = 2(λS + λDD)
PFD1 = 2(λDD)²(MTTR)²
PFD2 = (λDU·Ti)²/3

Slide 66
Formula sets

Single Channel SIS Fail Rates

Overt Failures: Spurious Trip Rate λS = 1/MTBFsp
  Loss of production: λS + λDD trips plant unless 2oo3 or 2oo2 voting
  → Formula set 1 in Fig 8.6

Covert Failures: Dangerous Failure Rate λD = 1/MTTFD, C = Coverage
  λDD = C·λD, detectable by self diagnostics → Formula set 2 in Fig 8.6
  λDU = (1 – C)·λD, detectable by manual proof testing → Formula set 3 in Fig 8.6

Slide 67
Figure 8.6
Multi-channel Formula Sets for PFD and λs (excluding common mode failures)

Overt Failures: Spurious Trip Rate λs = 1/MTBFsp
Covert Failures: Dangerous Failure Rate λd = 1/MTTF, split into λDD = DC·λD (detectable by self diagnostics) and λDU = (1 – DC)·λD (detectable by manual proof testing)

Voting | Formula set 1: Spurious trip rate | Formula set 2: PFD due to diagnostics (if detected but not tripped) | Formula set 3: PFD due to proof test
1oo1   | λs                                | λDD·(MTTR)                                                          | λDU·(Ti/2)
1oo2   | 2λs                               | 2(λDD)²(MTTR)²                                                      | (λDU·Ti)²/3
2oo2   | 2(λs)²(MTTR)                      | 2λDD·(MTTR)                                                         | λDU·Ti
2oo3   | 6(λs)²(MTTR)                      | 6(λDD)²(MTTR)²                                                      | (λDU·Ti)²

Slide 68
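Worked example (added; it is not part of the course material): the Figure 8.6 formula sets coded for the four voting arrangements, checked against the 1oo1 per-hour table of slide 77 and the dual channel calculation of slide 70. The names are mine; the only requirement is that rates and times share one unit (all per hour or all per year).

```python
# Added example, not part of the course material: the multi-channel formula
# sets of Figure 8.6 as code, with the 1oo1 worked example of slide 77
# (per-hour rates) and the dual channel example of slide 70 as checks.
# Names are my own. Rates and times must share one unit (hours or years).

def split_dangerous(lambda_d, diagnostic_coverage):
    """λDD = DC·λD and λDU = (1 - DC)·λD."""
    return diagnostic_coverage * lambda_d, (1.0 - diagnostic_coverage) * lambda_d


def formula_sets(voting, lambda_s, lambda_dd, lambda_du, mttr, ti):
    """Return (spurious trip rate, PFD due to diagnostics, PFD due to proof test)
    for the voting architecture, exactly as tabulated in Figure 8.6
    (common cause excluded)."""
    table = {
        "1oo1": (lambda_s,
                 lambda_dd * mttr,
                 lambda_du * ti / 2.0),
        "1oo2": (2.0 * lambda_s,
                 2.0 * (lambda_dd * mttr) ** 2,
                 (lambda_du * ti) ** 2 / 3.0),
        "2oo2": (2.0 * lambda_s ** 2 * mttr,
                 2.0 * lambda_dd * mttr,
                 lambda_du * ti),
        "2oo3": (6.0 * lambda_s ** 2 * mttr,
                 6.0 * (lambda_dd * mttr) ** 2,
                 (lambda_du * ti) ** 2),
    }
    return table[voting]


def pfd_avg(voting, lambda_dd, lambda_du, mttr, ti):
    """PFDavg = formula set 2 + formula set 3 (spurious trips are not a PFD term)."""
    _, pfd_diag, pfd_proof = formula_sets(voting, 0.0, lambda_dd, lambda_du, mttr, ti)
    return pfd_diag + pfd_proof


def slide_77_example():
    """1oo1, per-hour rates: LDU 5.71E-06, LDD 1.14E-05, Ti 8760 h, MTTR 24 h."""
    return pfd_avg("1oo1", lambda_dd=1.14e-5, lambda_du=5.71e-6, mttr=24.0, ti=8760.0)


def slide_70_example():
    """Dual channel (1oo2): λdu = 0.05 /yr, Ti = 1 yr, λdd omitted as on the slide."""
    return pfd_avg("1oo2", lambda_dd=0.0, lambda_du=0.05, mttr=0.0, ti=1.0)


if __name__ == "__main__":
    # One channel with λD = 1.71E-05 /h and 66% coverage, as in the slide 78 Safecalc note
    lambda_dd, lambda_du = split_dangerous(1.71e-5, 0.66)
    for v in ("1oo1", "1oo2", "2oo2", "2oo3"):
        sp, d, p = formula_sets(v, 1.14e-5, lambda_dd, lambda_du, 24.0, 8760.0)
        print(f"{v}: spurious {sp:.2e}/h  PFD diag {d:.2e}  PFD proof {p:.2e}  PFDavg {d + p:.2e}")
    print(f"slide 77 1oo1: {slide_77_example():.2e}")   # about 2.53E-02
    print(f"slide 70 1oo2: {slide_70_example():.5f}")   # about 0.00083
```

Note the ordering the table produces for the same channel data: the 2oo3 proof-test term is three times the 1oo2 term (both are quadratic in λDU·Ti), while 2oo2 is worse than 1oo1 because two channels must both work for a trip. That is the PFD side of the Table 7.4 trade-off against nuisance trips.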
Sources of Reliability Data

http://www.sintef.no/Projectweb/PDS-Main-Page/PDS-Handbooks/
Sintef: http://www.sintefbok.no/Product.aspx?sectionId=65&productId=559&categoryId=10

Also see:
1. exida.com Reliability Handbook
2. Manufacturers’ Safety manuals for specific SIL certified instruments
3. Faradip 3 Database
4. exida.com: Safety Automation Equipment List.. Functional Safety Assessment Reports
   http://www.exida.com/index.php/resources/sael/

Slide 69
Dual Channel Basic calculation of PFD
Note: λdd omitted for clarity

(Diagram: two parallel channels, each with dangerous undetected failure rate λdu.)

If the fail to danger rate is λdu and proof test interval is Ti.

PFDavg = (λdu x Ti)² / 3

Example: If fail to danger rate = 0.05 per year, Ti = 1 year

PFDavg = (0.05 x 1)² / 3 = 0.00083 (SIL 3)

But this ignores common cause and is unrealistic

Slide 70
Beta Factor: Common Cause Failures in redundant SIS channels

(Diagram: example of a 2oo3 sensor with common cause failures. Unit failures: each of the three channels carries (1-β)·λd. Common cause failures: a single shared block carries β·λd.)

Slide 71
Formulae Sets with Common Cause Factor included (table image only)

Slide 72
Dual Channel Basic calculation of PFD inc Common Cause 5%
Note: λdd omitted for clarity

(Diagram: two channels each with (1-β)·λdu, plus a common block β·λdu.)

If the fail to danger rate is λd and proof test interval is Ti.

PFDavg = ((1-β) λdu x Ti)² / 3 + β λdu x Ti/2

Example: Fail to danger rate = 0.05 per year, Ti = 1 year, Beta = 5%

PFDavg = (0.95 x 0.05 x 1)² / 3 + (0.05 x 0.05 x ½) = 0.002 (SIL 2)

Slide 73
2oo3 Channel Basic calculation of PFD inc Common Cause 5%

(Diagram: three channels each with (1-β)·λd, plus a common block β·λd.)

If the fail to danger rate is λd and proof test interval is Ti.

PFDavg = ((1-β) λdu x Ti)² + β λdu x Ti/2

Example: Fail to danger rate = 0.05 per year, Ti = 1 year, Beta = 5%

PFDavg = (0.95 x 0.05 x 1)² + (0.05 x 0.05 x ½) = 0.0035 (SIL 2)

Slide 74
Formulae Sets with Common Cause Factor included (table image only)

Slide 75
Calculation Table for PFDavg
Worked example for 1oo1

Formula for calculating PFDavg for 1oo1

PFDavg = (LDU x Ti/2) + (LDD x MTTR)

Failures per year

Parameter              | Value    | Notes
LDU                    | 0.0500   | Dangerous undetected failure rate for one channel
LDD                    | 0.1000   | Dangerous detected failure rate for one channel
Ti in yrs              | 1.0000   | Proof test interval
MTTR in yrs            | 0.0027   | Mean time to detect and repair a detectable fault
(LDU x Ti/2)           | 2.50E-02 | Undetected portion
(LDD x MTTR)           | 2.74E-04 | Detected portion
PFD for 1oo1 subsystem | 2.53E-02 | SIL Table: SIL 1

Slide 76
Calculation Table for PFDavg
Worked example for 1oo1

Formula for calculating PFDavg for 1oo1

PFDavg = (LDU x Ti/2) + (LDD x MTTR)

Failures per hour

Parameter              | Value    | Notes
LDU                    | 5.71E-06 | Dangerous undetected failure rate for one channel
LDD                    | 1.14E-05 | Dangerous detected failure rate for one channel
Ti in hrs              | 8760     | Proof test interval
MTTR in hrs            | 24       | Mean time to detect and repair a detectable fault
(LDU x Ti/2)           | 2.50E-02 | Undetected portion
(LDD x MTTR)           | 2.74E-04 | Detected portion
PFD for 1oo1 subsystem | 2.53E-02 | SIL Table: SIL 1

Slide 77
Formatted Calculation Table for PFDavg
Worked example for 1oo2

(Diagram: two channels each with (1-β)·λd, plus a common block β·λd.)

Formula for calculating PFDavg for 1oo2

PFDavg = (1/3)·((1-β) LDU x Ti)² + 2((1-β) LDD x MTTR)² + β(LDU x Ti/2) + β(LDD) x MTTR

Failures per year. Safecalc: LD = 1.71, % safe = 0, C = 66%

Parameter                  | Value    | Notes
LDU                        | 5.71E-06 | Dangerous undetected failure rate for one channel
LDD                        | 1.14E-05 | Dangerous detected failure rate for one channel
β                          | 0.1000   | Common cause factor for dangerous and safe failures
Ti in hrs                  | 8760     | Proof test interval
MTTR in hrs                | 24       | Mean time to detect and repair a detectable fault
(1/3)·((1-β) LDU x Ti)²    | 6.75E-04 | Undetected voting portion
2((1-β) LDD x MTTR)²       | 1.18E-07 | Detected voting portion
β(LDU x Ti/2)              | 2.50E-03 | Undetected common portion
β(LDD) x MTTR              | 2.70E-05 | Detected common portion
PFD for 1oo2 subsystem     | 3.20E-03 |

Slide 78
Formatted Calculation Tables for PFDavg
Worked example for 2oo3

(Diagram: three channels each with (1-β)·λd, plus a common block β·λd.)

Formula for calculating PFDavg for 2oo3

PFDavg = ((1-β) LDU x Ti)² + 6((1-β) LDD x MTTR)² + β(LDU x Ti/2) + β(LDD) x MTTR

Failures per year

Parameter                  | Value    | Notes
LDU                        | 5.71E-06 | Dangerous undetected failure rate for one channel
LDD                        | 1.14E-05 | Dangerous detected failure rate for one channel
β                          | 0.1000   | Common cause factor for dangerous and safe failures
Ti in hrs                  | 8760     | Proof test interval
MTTR in hrs                | 24       | Mean time to detect and repair a detectable fault
((1-β) LDU x Ti)²          | 2.03E-03 | Undetected voting portion
6((1-β) LDD x MTTR)²       | 3.54E-07 | Detected voting portion
β(LDU x Ti/2)              | 2.50E-03 | Undetected common portion
β(LDD) x MTTR              | 2.70E-05 | Detected common portion
PFD for 2oo3 subsystem     | 4.55E-03 |

Slide 79
SIS Analysis Model Example

D → Sensor → Logic → Actuator → H

Failure rates:      λd1 = 0.2        λd2 = 0.02         λd3 = 0.1
or MTTF:            5 yrs            50 yrs             10 yrs
Apply calculation:  Proof Testing    Auto Diagnostics   Proof Testing or Diagnostics
PFD averages:       0.01        +    0.005        +     0.01

Overall PFD avg. = 0.025 = 2.5 E-2
Qualifies for SIL 1 (E-1 to E-2)

Slide 80
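Worked example (added; this is not the course’s Safecalc sheet): the 1oo2 and 2oo3 formulae with the β common cause split, reproducing the results on slides 73, 74, 78 and 79, the series total of slide 80 and the SIL band lookup the slide applies to it. The function names are mine; the SIL bands are the IEC 61508 low demand PFDavg bands (SIL 1 from 1E-2 up to 1E-1, each higher SIL one decade lower).

```python
# Added example, not part of the course material: the 1oo2 and 2oo3 PFDavg
# formulae with the beta-factor common cause split (slides 73, 74, 78, 79),
# the SIL band lookup and the stage-by-stage total of slide 80. Names are my
# own; rates and times must use consistent units (all per hour or all per year).

def pfd_1oo2_cc(lambda_du, lambda_dd, ti, mttr, beta):
    """Redundant section + common cause section, as laid out on slide 85."""
    redundant = (2.0 * ((1 - beta) * lambda_dd * mttr) ** 2
                 + ((1 - beta) * lambda_du * ti) ** 2 / 3.0)
    common = beta * lambda_dd * mttr + beta * lambda_du * ti / 2.0
    return redundant + common


def pfd_2oo3_cc(lambda_du, lambda_dd, ti, mttr, beta):
    """2oo3 version of the same split (slide 79 formula)."""
    redundant = (6.0 * ((1 - beta) * lambda_dd * mttr) ** 2
                 + ((1 - beta) * lambda_du * ti) ** 2)
    common = beta * lambda_dd * mttr + beta * lambda_du * ti / 2.0
    return redundant + common


def sil_from_pfd_avg(pfd):
    """IEC 61508 low demand bands; 0 means outside the SIL bands (no SIL claim)."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


def overall_pfd(stage_pfds):
    """Series model of slide 59: overall PFD = PFD1 + PFD2 + PFD3."""
    return sum(stage_pfds)


def worked_examples():
    """The slide results, recomputed. Per-year inputs for slides 73/74,
    per-hour inputs (Ti = 8760 h, MTTR = 24 h) for slides 78/79."""
    return {
        "slide 73 1oo2 /yr": pfd_1oo2_cc(0.05, 0.0, 1.0, 0.0, 0.05),          # ~0.002
        "slide 74 2oo3 /yr": pfd_2oo3_cc(0.05, 0.0, 1.0, 0.0, 0.05),          # ~0.0035
        "slide 78 1oo2 /hr": pfd_1oo2_cc(5.71e-6, 1.14e-5, 8760, 24, 0.1),    # ~3.20E-03
        "slide 79 2oo3 /hr": pfd_2oo3_cc(5.71e-6, 1.14e-5, 8760, 24, 0.1),    # ~4.55E-03
        "slide 80 overall":  overall_pfd([0.01, 0.005, 0.01]),                # 0.025
    }


if __name__ == "__main__":
    for name, value in worked_examples().items():
        print(f"{name}: PFDavg = {value:.2e}  SIL {sil_from_pfd_avg(value)}")
```

Compare the slide 78 rows: with β = 10% the common cause term β·LDU·Ti/2 (2.50E-03) is almost four times the voted term (6.75E-04), so the pair of transmitters behaves far closer to a single channel than the slide 70 figure suggests. That is the quantitative reason the Unit 7 slides insist on analysing shared process connections and other common cause sources before claiming credit for redundancy.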

SIS Analysis: Step 1


Protective System
Hazard Hazard
Demand Rate D (SIS) H Event Rate

D Sensor Logic Actuator H


SIL 2 SIL 1 SIL 1

SIL 1
www.eit.edu.au Slide 81
SIS Analysis: Step 2, identify channels in each stage
Example: Dual channel sensors and actuators, single channel logic
[Figure: D → Sensor (1oo2) → Logic (1oo1D) → Actuator (1oo2D) → H]

www.eit.edu.au Slide 82
SIS Analysis: Step 3, expand details for each single channel
[Figure: Sensor (1oo2) → Logic (1oo1D); one sensor channel expanded as Process connection → Transmitter → Cable and Power]

Expand detail of sensor sub system and apply fail rates for each item

www.eit.edu.au Slide 83
SIS Analysis:
Step 4: Decide λDU, λDD and λS for the elements
Step 5: Enter the values to table and totalize
[Figure: one sensor channel: Process connection (λDU1, λDD1, λSD1) → Transmitter (λDU2, λDD2, λSD2) → Cable and Power (λDU3, λDD3, λSD3)]

Subsystem element        λSD/hr      λSU/hr      λDD/hr      λDU/hr
1 Process connection     1.14E-05    0.00E+00    5.71E-06    3.42E-06
2 Transmitter            1.14E-05    0.00E+00    5.71E-06    5.71E-07
3 Cable and Power        1.14E-05    0.00E+00    5.71E-06    3.42E-06
Subsystem totals         3.42E-05    0.00E+00    1.71E-05    7.42E-06

www.eit.edu.au Slide 84
SIS Analysis: Step 6, find the PFDavg for the 1oo2 subsystem
Break out the common cause failure fraction for the redundant channels, calculate the PFD for each portion and add them together.

[Figure: redundant section of two channels, each (1-β)·λd, voted 1oo2, in series with a common cause section of β·λd treated as 1oo1 (failures common to Ch1 and Ch2 sensors), feeding the Logic]
β = common cause failure fraction

Redundant section:                                   Common cause section:
PFDavg = 2·((1-β)·λDD)²·MTTR² + ((1-β)·λDU·Ti)²/3     PFDavg = β·λDD·MTTR + β·λDU·Ti/2

PFDavg (1oo2 subsystem) = redundant section + common cause section

www.eit.edu.au Slide 85
SIS Analysis: Step 7, repeat steps 3 to 6 for each stage
Example: Dual channel sensors and actuators, single channel logic
[Figure: Sensor (1oo2) → Logic (1oo1) → Actuator (1oo2)]

PFDavg (SIS) = PFDavg for sensors + PFDavg for logic solver + PFDavg for actuators
www.eit.edu.au Slide 86
SIS Analysis: Example
Example: Dual channel sensors and actuators, single channel logic. 1 yr proof test interval; MTTR = 24 hrs for the diagnosed logic solver.

Stage              Dual sensors (1oo2)          Logic solver (1oo1D)               Dual actuators (1oo2)
Single channel     λDU = 0.05/yr, β = 5%        λDU = 0.0025/yr, C = 95%           λDU = 0.1/yr, β = 10%
                                                λDD = 0.0475/yr
Independent part   (1-β)·λDU = 0.0475/channel                                      (1-β)·λDU = 0.09/channel
Common cause part  β·λDU = 0.0025                                                  β·λDU = 0.01

Dual Sensors PFD          Logic solver PFD           Dual Actuators PFD
= .00075 + .00125         = .00013 + .00125          = .005 + .0027
= .002                    = .00138                   = .0077

SIS PFD = .002 + .0014 + .0077
= .0111 or 1.11E-2 = SIL 1

www.eit.edu.au Slide 87
SIS Analysis: Example using the EIT Calculator
Data Input Table for Sensor Subsystem (file name: EIT GP SIL Calculator.xls)
Proof Test Interval in Hrs (Ti)                8760
Common cause factor (β) %                      5%
Mean Time To Test & Repair (Hrs) (MTTR)        24

Subsystem element          λSD/hr      λSU/hr      λDD/hr      λDU/hr
1 Sensor all components    1.14E-05    0.00E+00    0.00E+00    5.71E-06
Subsystem totals           1.14E-05    0.00E+00    0.00E+00    5.71E-06

Calculation results for Sensing
Safe Failure Fraction      66.7%
Diagnostic coverage        0.0%
PFDavg for 1oo1            2.50E-02
PFDavg for 1oo2            2.00E-03
PFDavg for 2oo3            3.51E-03

www.eit.edu.au Slide 88
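Steps 3 to 7 above and the slide 78, 79, 87 and 88 tables all apply the same simplified beta-factor formulas. The Python below is an added worked example, not part of the EIT course material or of the EIT GP SIL Calculator spreadsheet; the `Channel` class, the function names and the unit convention (failure rates, Ti and MTTR all in one shared time unit) are assumptions of this example. It reproduces the slide figures for 1oo1, 1oo2 and 2oo3, computes SFF and diagnostic coverage from the same inputs, and classifies the SIS total into the IEC 61508-1 low demand SIL bands.

```python
"""PFDavg for 1oo1, 1oo2 and 2oo3 subsystems with a beta-factor common cause split.

Added example (not from the EIT course or its calculator spreadsheet).
Unit convention (assumption): failure rates, Ti and MTTR share one time unit,
e.g. per hour with Ti/MTTR in hours, or per year with Ti/MTTR in years.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class Channel:
    """Failure data for ONE channel of a subsystem (sensor, logic solver or actuator)."""
    lam_du: float        # dangerous undetected failure rate
    lam_dd: float        # dangerous detected failure rate (caught by diagnostics)
    lam_s: float = 0.0   # safe (spurious trip) failure rate, used only for SFF


def pfd_avg(ch: Channel, arch: str, ti: float, mttr: float, beta: float) -> float:
    """Average PFD for the given voting architecture.

    Redundant part: each channel keeps (1 - beta) of its failure rate.
    Common cause part: one 1oo1 channel carrying beta * lambda, added in series.
    For 1oo1 there is nothing to split, so beta is ignored.
    """
    if arch == "1oo1":
        return ch.lam_du * ti / 2.0 + ch.lam_dd * mttr
    du = (1.0 - beta) * ch.lam_du * ti      # independent undetected exposure per channel
    dd = (1.0 - beta) * ch.lam_dd * mttr    # independent detected exposure per channel
    common = beta * ch.lam_du * ti / 2.0 + beta * ch.lam_dd * mttr
    if arch == "1oo2":
        return du ** 2 / 3.0 + 2.0 * dd ** 2 + common
    if arch == "2oo3":
        return du ** 2 + 6.0 * dd ** 2 + common
    raise ValueError(f"unsupported architecture: {arch!r}")


def safe_failure_fraction(ch: Channel) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    total = ch.lam_s + ch.lam_dd + ch.lam_du
    return (ch.lam_s + ch.lam_dd) / total if total else 0.0


def diagnostic_coverage(ch: Channel) -> float:
    """C = lambda_DD / lambda_D (0 when the channel has no dangerous failures)."""
    lam_d = ch.lam_dd + ch.lam_du
    return ch.lam_dd / lam_d if lam_d else 0.0


def sil_from_pfd(pfd: float) -> int:
    """Low demand SIL band per IEC 61508-1 table 2; 0 means below SIL 1."""
    bands = ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1))
    for lo, hi, sil in bands:
        if lo <= pfd < hi:
            return sil
    return 0


def sis_pfd(stages) -> float:
    """Sum the PFDavg of sensor, logic and actuator stages (series model)."""
    return sum(pfd_avg(ch, arch, ti, mttr, beta) for ch, arch, ti, mttr, beta in stages)


def slide_87_example() -> dict:
    """Slide 87 figures in per-year units: 1 yr proof test, MTTR 24 h."""
    ti, mttr = 1.0, 24.0 / HOURS_PER_YEAR
    stages = [
        (Channel(lam_du=0.05, lam_dd=0.0), "1oo2", ti, mttr, 0.05),      # dual sensors
        (Channel(lam_du=0.0025, lam_dd=0.0475), "1oo1", ti, mttr, 0.0),  # logic solver 1oo1D
        (Channel(lam_du=0.1, lam_dd=0.0), "1oo2", ti, mttr, 0.10),       # dual actuators
    ]
    total = sis_pfd(stages)
    return {"pfd": total, "sil": sil_from_pfd(total)}


if __name__ == "__main__":
    sensor = Channel(lam_du=5.71e-6, lam_dd=1.14e-5)  # slide 78/79 data, per hour
    for arch in ("1oo2", "2oo3"):
        print(arch, f"{pfd_avg(sensor, arch, 8760, 24, 0.10):.2E}")
    print("slide 87:", slide_87_example())
```

The detected voting terms come out a few percent above the slide values (1.21E-07 against 1.18E-07) because the slides round λDD; the PFDavg totals agree to three figures, which is the precision that matters for the SIL band check.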
[Figure: IEC table of PFDs relevant to Figure 8.16]

www.eit.edu.au Slide 89
[Figure: Honeywell Safecalc example relevant to Figure 8.16]

www.eit.edu.au Slide 90
SIS Analysis: Example Calculation for Spurious Trip
Example: Dual channel sensors and actuators, single channel logic
Sensor: MTTF = 5 years, 75% safe failure fraction, C = 0%, β = 10%, Ti = 0.5 yrs, MTTR = 8 hrs
Logic: MTTF = 10 years, 50% safe failure fraction, C = 95%, β = 10%, Ti = 1 yr, auto diagnostics test interval = 2 secs, MTTR = 24 hrs
Actuator: MTTF = 2 years, 80% safe failure fraction, C = 0%, β = 10%, Ti = 0.25 yrs, MTTR = 24 hrs

Sensor: single channel λs = 1/5 × 0.75 = 0.15/yr
Logic: single channel λs = 1/10 × 0.5 = 0.05/yr; λdd = C × λd = 95% × 0.05 = 0.0475/yr
Actuator: single channel λs = 1/2 × 0.8 = 0.4/yr

www.eit.edu.au Slide 91
SIS Analysis: Example Calculation for Spurious Trip
Example: Dual channel sensors and actuators, single channel logic

Spurious Trip for 1oo1 (logic solver)
ST = λS + λDD

Parameter                   Logic      Notes
λS                          0.05       Fail safe rate
λDD                         0.0475     DD rate added due to 95% coverage
Total for 1oo1 subsystem    0.0975     Spurious trip rate per yr

Spurious Trip for 1oo2 (sensors and actuators)
ST = 2·(1-β)·(λS + λDD) + β·(λS + λDD)

Parameter                   Sensor     Logic    Actuator    Notes
λS                          0.15       0        0.4         Fail safe rate
λDD                         0          0        0           DD rate (zero: C = 0% for sensors and actuators)
β                           0.1        0        0.1
2·(1-β)·(λS + λDD)          0.27       0        0.72        1oo2 portion
β·(λS + λDD)                0.015      0        0.04        Common portion
Total for 1oo2 subsystem    0.285      0        0.76        Spurious trip rate per yr

Overall Spurious Trip Rate = 0.285 + 0.0975 + 0.76 = 1.1425 per yr
www.eit.edu.au Slide 92
SIS Analysis: Example, Spurious Trip Rate
Example: Dual channel sensors and actuators, single channel logic
[Figure: Dual sensors 1oo2, each channel (1-β)·λS = 0.135, common cause 0.015; Logic 1oo1 with λS = 0.05 (λDD = 0.0475 added); Dual actuators 1oo2, each channel 0.36, common cause 0.04]

Dual Sensors Spurious = (2 × 0.135) + 0.015 = 0.285 trips per yr
Logic solver Spurious = 0.05 + 0.0475 = 0.097 trips per yr
Dual Actuators Spurious = (2 × 0.36) + (1 × 0.04) = 0.76 trips per yr

Spurious trip rate = 0.285 + 0.097 + 0.76
= 1.14 trips per year

www.eit.edu.au Slide 93
Reducing Spurious Trip Rate

Design Version A: 1oo2 sensors (each channel 0.135, common cause 0.015)
Dual Sensors Spurious ≈ 2 × 0.15 = 0.30 trips per yr (0.285 with the β split, slide 92)

Design Version B: 2oo3 sensors (each channel 0.135, common cause 0.015)
2oo3 Sensors Spurious = 6·λs²·MTTR + β·λs
= (6 × 0.135² × 8/8760) + 0.015
= 0.0001 + 0.015
= 0.015 trips per yr

From 0.3 per year to 0.015/yr
If 1 trip costs AUD 50 000 the annual saving is What? ……………………………….

www.eit.edu.au Slide 94
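The spurious trip figures on slides 91 to 94 follow from one rule: any safe failure, and any dangerous failure that diagnostics drive to the trip state, counts as a trip, with the β fraction treated as a single 1oo1 channel in series. The Python below is an added worked example and not part of the EIT course material; the `Subsystem` tuple, the function names and the treatment of MTTR (hours, converted to years) are assumptions of this example. It reproduces the slide 92 totals for Design A and re-votes the sensors 2oo3 for Design B so the trade between the two designs is visible in one call.

```python
"""Spurious trip rate (STR) for 1oo1, 1oo2 and 2oo3 subsystems with a beta split.

Added example, not from the EIT course material. Rates are per year; MTTR is
entered in hours and converted, matching the slide 91 to 94 data.
"""
from typing import NamedTuple

HOURS_PER_YEAR = 8760


class Subsystem(NamedTuple):
    name: str
    arch: str          # "1oo1", "1oo2" or "2oo3"
    lam_s: float       # safe failure rate per channel, per year
    lam_dd: float      # dangerous detected rate per channel, per year (trips via diagnostics)
    beta: float        # common cause fraction (ignored for 1oo1)
    mttr_hours: float  # repair time, only the 2oo3 term depends on it


def spurious_trip_rate(sub: Subsystem) -> float:
    """Trips per year. Every safe failure and every diagnosed dangerous
    failure is assumed to drive the output to its trip state."""
    lam = sub.lam_s + sub.lam_dd                 # trip-causing rate of one channel
    if sub.arch == "1oo1":
        return lam
    ind = (1.0 - sub.beta) * lam                 # independent part per channel
    common = sub.beta * lam                      # common cause part, behaves as 1oo1
    if sub.arch == "1oo2":
        return 2.0 * ind + common                # either channel trips the pair
    if sub.arch == "2oo3":
        mttr = sub.mttr_hours / HOURS_PER_YEAR
        return 6.0 * ind ** 2 * mttr + common    # two independent trips within one repair time
    raise ValueError(f"unsupported architecture: {sub.arch!r}")


def sis_spurious_trip_rate(subs) -> float:
    """Series model: the SIS trips when any subsystem trips."""
    return sum(spurious_trip_rate(s) for s in subs)


# Design A: slide 91/92 data (dual sensors, 1oo1D logic, dual actuators)
DESIGN_A = [
    Subsystem("sensors", "1oo2", 0.15, 0.0, 0.10, 8),
    Subsystem("logic", "1oo1", 0.05, 0.0475, 0.0, 24),
    Subsystem("actuators", "1oo2", 0.40, 0.0, 0.10, 24),
]
# Design B: same hardware, sensors re-voted 2oo3 (slide 94)
DESIGN_B = [DESIGN_A[0]._replace(arch="2oo3")] + DESIGN_A[1:]


def compare(design_a, design_b) -> dict:
    """Per-subsystem and total STR for two designs, plus trips avoided per year."""
    a = {s.name: spurious_trip_rate(s) for s in design_a}
    b = {s.name: spurious_trip_rate(s) for s in design_b}
    total_a, total_b = sum(a.values()), sum(b.values())
    return {"A": a, "B": b, "total_A": total_a, "total_B": total_b,
            "avoided_per_year": total_a - total_b}


if __name__ == "__main__":
    for key, value in compare(DESIGN_A, DESIGN_B).items():
        print(key, value)
```

Note that the 2oo3 β term (0.015/yr) dominates the result: once the sensors are voted 2oo3 the independent contribution is down to about 1E-4 trips per year, so further reduction has to come from the common cause fraction, not from more redundancy.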

Outcomes of a Reliability Study

• Show whether or not the SIS will satisfy the SIL target

• Overall SIS Probability of Failure on Demand (PFDavg)

• PFDavgs for each section of the SIS

• Show benefits of redundancy or voting schemes

• Decide the proof testing intervals

• Predict the accident rate

www.eit.edu.au Slide 95

Conclusions on Analysis Models

• Models help to visualise SIS performance

• Software speeds up analysis

• IEC 61508 part 6 - methods and tables

• Fault tree analysis for detailed systems

www.eit.edu.au Slide 96
Supplementary notes on Low Demand Mode versus High Demand Mode (grouped with continuous mode in IEC 61508)
■ Low demand mode applies when the demand on the SIS is equal to or less than once per year (IEC 61511), and no more than two demands per proof test interval (IEC 61508 applies both conditions together).
■ Low demand calculations use PFDavg.
■ Hazard event rate H = D × PFDavg

■ High demand mode applies when the demand on the SIS is more than once per year (IEC 61511), or more than two demands per proof test interval.
■ High demand mode calculations use PFH (the same as the failure to danger rate).
■ Hazard event rate H = PFH

www.eit.edu.au Slide 97
High v Low Demand Calculation
[Figure: PSH (high pressure switch) → SIS → trip of pump power (high pressure safety trip)]
λd = 0.05/yr and Ti = 1 yr:

PFDavg = 0.05 × ½ = 0.025, and
PFH = 0.05/8760 = 5.7E-06/hr

Suppose the demand rate D is once per year and the overpressure event rate = H/yr

In low demand mode calculation H = D × PFDavg, so H = 1 × 0.025 = 0.025/yr
In high demand mode calculation H = PFH, so H = 5.7E-06/hr = 0.05/yr

www.eit.edu.au Slide 98
High v Low Demand Calculation
[Figure: PSH (high pressure switch) → SIS → trip of pump power]
λd = 0.05/yr and Ti = 1 yr:

PFDavg = 0.05 × ½ = 0.025, and
PFH = 0.05/8760 = 5.7E-06/hr

Suppose the demand rate D is once per day (365/yr) and the overpressure event rate = H/yr

In low demand mode: H = D × PFDavg, so H = 365 × 0.025 = 9.1/yr
In high demand mode: H = PFH, so H = 5.7E-06/hr = 0.05/yr

With daily demands the low demand formula over-counts: each dangerous failure of the SIS can only produce one hazardous event before the next demand reveals it, so the event rate is bounded by the failure to danger rate, 0.05/yr.

www.eit.edu.au Slide 99
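The two PSH slides above differ only in the demand rate, and the right answer depends on first deciding the mode. The Python below is an added worked example, not part of the EIT course material; the mode test applies the IEC 61508 low demand definition quoted in the supplementary notes (no more than one demand per year and no more than two demands per proof test interval), and the function and field names, the single-channel PFDavg = λd·Ti/2 model and the cap H ≤ D are assumptions of this example. It returns both candidate H values so the wrong-mode figure (9.1/yr) is visible next to the applicable one.

```python
"""Hazardous event rate H from demand rate D, choosing low or high demand mode.

Added example, not from the EIT course material. Rates per year, Ti in years.
"""
HOURS_PER_YEAR = 8760


def demand_mode(demand_per_year: float, ti_years: float) -> str:
    """'low' when both IEC 61508 low demand conditions hold, otherwise 'high'."""
    low = demand_per_year <= 1.0 and demand_per_year <= 2.0 / ti_years
    return "low" if low else "high"


def hazard_event_rate(lam_d: float, ti_years: float, demand_per_year: float) -> dict:
    """Single channel, no diagnostics: PFDavg = lam_d * Ti / 2, PFH = lam_d per hour.

    Returns the PFDavg, the PFH, the selected mode, the H that each formula
    would give, and the H that applies under the selected mode.
    """
    pfd_avg = lam_d * ti_years / 2.0
    pfh_per_hour = lam_d / HOURS_PER_YEAR
    mode = demand_mode(demand_per_year, ti_years)
    h_low = demand_per_year * pfd_avg          # valid only in low demand mode
    h_high = pfh_per_hour * HOURS_PER_YEAR     # = lam_d per year; valid in high demand mode
    # assumption: a hazardous event needs a demand, so H never exceeds D in either mode
    h = min(h_low if mode == "low" else h_high, demand_per_year)
    return {"pfd_avg": pfd_avg, "pfh_per_hour": pfh_per_hour, "mode": mode,
            "h_low_formula": h_low, "h_high_formula": h_high, "h": h}


if __name__ == "__main__":
    for d in (1.0, 365.0):   # slides 98 and 99: once a year, once a day
        print(d, hazard_event_rate(0.05, 1.0, d))
```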
Event rate calculation according to low or high demand mode

Demand on SIS        SIS failure measures               H = hazardous event rate
                     PFD = 0.01
                     PFH = 0.02/yr (2.28E-06/hr)

D = 0.1/yr   ……………………………………..   H = ?/yr
D = 1.0/yr   ……………………………………..   H = ?/yr
D = 10.0/yr  ……………………………………..   H = ?/yr
D = 100/yr   ……………………………………..   H = ?/yr

www.eit.edu.au Slide 100