
exida.com
excellence in dependable-automation

Overview of IEC 61511
Functional Safety: Safety Instrumented Systems for the Process Industry Sector

Copyright © 2000, exida.com. All Rights Reserved.
Version 1.0
Course Logistics

• Course materials & location
– Handouts and course binder
– Exercises, additional resources, instructional surveys, and progress reviews
– Tent card, reference & training products / courses survey of M&C
• Course attendance & participation
– Certificate of course completion
– Continuing education units (CEU)
• Breaks
– Lunch
– Stretch, refreshment, etc.
• Personal belongings


exida Resources

• Books
• Application Software
• Web-based online software
• Online discussion and knowledge base
• Online SIS engineering data
• Member newsletter

Phone (215) 896-7170, Internet Address: info@exida.com, www.exida.com

Course Development Team

• Developers: Edward M. Marszal, PE; Dr. William Goble; Rainer Faller
• Reviewers: Rachel Amkreutz; Harry Cheddie


Introduction of Course Participants

• Instructor
– Name
– Background/experience
• Classmates
– Name, company, position
– Background/experience
– What would you like to get from this course?


General Course Objectives

• Understand the applicability, content, and benefits of using the IEC 61511 Standard
• Understand the Safety Lifecycle
• Understand the purpose and outputs of hazard and risk assessments
• Understand how risk is allocated to layers of protection and how SILs are selected
• Understand safety requirements specification

General Course Objectives (cont’d)

• Develop an understanding of the tasks performed during the SIS design phase
• Understand FAT, Installation and Commissioning
• Understand the impacts of modification and decommissioning
• Develop a knowledge of functional safety management


Pre-Exercise

• Please complete the Pre-Exercise
• Answer questions to the best of your ability
• The results will help the instructor emphasize class content needed by class members


Performance Objectives Day 1

• Explain the applicability of IEC 61511
• Define and enumerate tasks associated with each phase of the safety lifecycle
• Understand hazards and risk analysis
• Understand risk and how it is allocated to layers of protection, including SIL selection
• Identify information required for safety requirements specification

Section 1: Introduction

• What is IEC 61511?
• When is IEC 61511 Applied?
• Relation to other standards
• Benefits
• Key Issues


What is IEC 61511?

• Process Sector Specific Implementation of IEC 61508
• Sets minimum standards and performance levels for instrumentation used for safety
• Creates a rational and consistent approach to SIS engineering, called the “safety life cycle”
The standard is intended to lead to a high level of consistency within the process industries, which will have both safety and economic benefits.


What does the standard contain?

• Defines the relationship between IEC 61508 and IEC 61511
• Requires allocation of safety requirements to safety instrumented functions
• Relates safety functions to other functions
• Requires identification of safety requirements
• Specifies requirements for system architecture, hardware configuration, application software, and system integration

What does the standard contain? (continued)

• Specifies requirements for functional safety, but does not specify the responsibility for implementation
• Uses a safety life cycle, and defines a list of activities required for functional safety
• Requires hazard and risk assessment to identify safety requirements
• Establishes numerical targets for safety instrumented system performance


What does the standard contain? (continued)

• Specifies techniques/measures for achieving performance targets (Safety Integrity Levels)
• Provides a framework for establishing safety integrity levels
• Defines information needed during the safety life cycle


Technical Requirements

Lifecycle phases and the Part 1 clauses that hold their technical requirements:
• Development of the overall safety requirements (concept, scope, definition, hazard and risk analysis): Clause 8
• Allocation of safety requirements and safety requirements specification: Clauses 9 and 10
• Design of Safety Instrumented Systems: Clause 11
• Design of SIS Software: Clause 12
• Factory Acceptance Test, Installation, Commissioning, and Safety Validation: Clauses 13 and 14
• Operation, maintenance, modification, retrofit, decommissioning, and disposal: Clauses 15 and 16
All technical requirements are listed in Part 1 of the Standard!


Support Parts

• References – Clause 2 (Part 1)
• Definitions and Abbreviations – Clause 3 (Part 1)
• Conformance – Clause 4 (Part 1)
• Management of Functional Safety – Clause 5 (Part 1)
• Information Requirements – Clause 17 (Part 1)
• Differences – Annex “A” (Part 1)
• Guidelines for the Application of Part 1 – Part 2
• Risk Based Approaches to the Development of Safety Integrity Requirements – Part 3


When do I apply IEC 61511?

• When integrating instrumentation into a safety function in the process industries
– Process industries include chemicals, oil refining, oil and gas production, pulp and paper, non-nuclear power generation, etc.
• When plant personnel, the public, or the environment are protected from a process plant incident by instrumented functions
• Techniques are applicable to asset protection, but not required

When must IEC 61508 be used instead of IEC 61511?

• When manufacturers wish to claim the devices are suitable for safety applications
• When “high variability” languages are used in a programmable system


How is it related to IEC 61508?

Process Sector Safety System Standard
• Process Sector Hardware
– Develop New Hardware Devices: Follow IEC 61508
– Use Proven in Use Hardware Devices: Follow IEC 61511
– Use Hardware Developed and Validated According to IEC 61508: Follow IEC 61511
• Process Sector Software
– Develop Embedded (System) Software: Follow IEC 61508
– Develop Application Software Using Full Variability Languages: Follow IEC 61508
– Develop Application Software Using Limited Variability Languages or Fixed Programs: Follow IEC 61511


IEC 61511 vs. ISA S84: Which one should I follow?

• IEC 61508 is a broad standard covering nuclear applications to toasters
• S84 is ANSI endorsed, covering the United States and Canada
• IEC 61508 stipulates S84 is sector standard in US
• IEC 61511 is expected to be ISO endorsed globally, ANSI will drop S84 endorsement
• USE 61511!

IEC 61511 vs. ANSI/ISA S84.01

Both are effectively the same
• Each of the steps required by S84 is also required by IEC 61511
• They are represented somewhat differently
– 61511 does not show conceptual process design
– S84 does not show Design and Development of Other Means of Risk Reduction
– Multiple tasks in S84 lifecycle are combined in a single task in 61511 lifecycle


Benefits of Compliance

• Good engineering practice – compilation of best practices of industry by consensus
• Quality procedures specified by standards have proven to increase productivity, decrease cost of engineering, operation, and maintenance, and increase process up-time
• Safety life cycle procedures will decrease risk
• Compliance with legislation and regulation


Key issues

• Safety Lifecycle
• Hazard and Risk Analysis
• Quantitative Verification
• Management System
• Certification


Summary: Introduction

• What is IEC 61511?
• When is IEC 61511 Applied?
• Relation to other standards
• Benefits
• Key Issues


Section 2: The Safety Life Cycle

• Safety Lifecycle Objectives
• IEC 61511 Safety Lifecycle
• ANSI/ISA S84.01 Safety Lifecycle
• Lifecycle Phases


Safety Lifecycle Objectives

• To structure, in a systematic manner, the different phases in order to achieve the required functional safety of E/E/PES
• To document key information relevant to Functional Safety
• To provide a framework for safer, more reliable systems
• To reduce system implementation cost


IEC 61511 Safety Life Cycle

ANALYSIS
• Risk Analysis and Protection Layer Design: Sub-clause 8
• Allocation of Safety Functions to Safety Instrumented Systems or Other Means of Risk Reduction: Sub-clause 9
• Safety Requirements Specification for the Safety Instrumented System: Sub-clause 10
REALIZATION
• Design and Development of Safety Instrumented System: Sub-clause 11
• Design and Development of Other Means of Risk Reduction: Sub-clause 9
• Installation, Commissioning, and Validation: Sub-clause 14
OPERATION
• Operation and Maintenance: Sub-clause 15
• Modification: Sub-clause 15.4
• Decommissioning: Sub-clause 16
Running alongside every phase:
• Management of Functional Safety and Functional Safety Assessment: Clause 5
• Safety Lifecycle Structure and Planning: Sub-clause 6.2
• Verification: Sub-clauses 7, 12.7


Safety Life Cycle – ISA 84.01

Flowchart, read top to bottom:
Not covered by S84.01
1. Start
2. Conceptual Process Design
3. Hazard Analysis / Risk Assessment
4. Develop non-SIS Layers
5. SIS Required? (No / Yes; only Yes continues)
Covered by S84.01
6. Define Target SIL
7. Develop Safety Specification
8. SIS Conceptual Design
9. SIS Detailed Design
10. SIS Installation, Commissioning and Pre-startup Acceptance Test
11. Pre-startup Safety Review (Assessment)
12. Establish Operating and Maintenance Procedures
13. SIS startup, operation, maintenance, Periodic Functional Tests
14. Modify or Decommission? (Modify: loop back through the lifecycle; Decommission: continue)
15. SIS Decommissioning


Hazard / Risk Analysis
(Lifecycle box: Risk analysis and protection layer design, Subclause 8)

• Objective
– Identify process hazards, estimate their risks and decide if that risk is tolerable
• Tasks
– Hazard Identification (e.g., HAZOP)
– Analysis of Likelihood and Consequence
– Consideration of non-SIS Layers of Protection


SIL Selection
(Lifecycle box: Allocation of Safety Functions to Safety Instrumented Systems or Other Means of Risk Reduction, Subclause 9)

• Objective
– Specify the required risk reduction, or difference between existing and tolerable risk levels, in terms of SIL
• Tasks
– Compare process risk against tolerable risk
– Use decision guidelines to select required risk reduction
– Document selection process


Safety Requirements Specification
(Lifecycle box: Safety Requirements Specification for the Safety Instrumented System, Subclause 10)

• Objective
– Specify all requirements of SIS needed for detailed engineering and for process safety information purposes
• Tasks
– Identify and describe safety functions
– Document SIL
– Document action taken – Logic, Cause and Effect Diagram, etc.


Conceptual / Detailed Design
(Lifecycle box: Design and Engineering of Safety Instrumented System, Subclauses 11, 12)

• Objective
– Select and configure equipment used in the SIS (including programming)
• Tasks
– Specify system technology and architecture
– Specify field instrumentation
– Configuration / Programming
– Select vendors, review bids

Installation and Commissioning
(Lifecycle box: Installation, Commissioning, Subclauses 13 and 14)

• Objective
– Install equipment, after acceptance testing, and prepare for operation
• Tasks
– Factory Acceptance Testing
– Field and control room equipment installation
– Confirm equipment operation
– Instrumentation Calibration


Safety Review / Validation
(Lifecycle box: Validation, Subclause 13)

• Objectives
– Verify that the SIS is designed, installed, and operating according to the Safety Requirements
• Tasks
– Verify operation of field instruments
– Validate logic and operation
– Verify SIL of installed equipment
– Produce OSHA and EPA required documentation – Certifications if required

Operation and Maintenance
(Lifecycle box: Operation and Maintenance, Subclause 15)

• Objective
– Operate and maintain the SIS so that the specified SIL is maintained
• Tasks
– Establish procedures for operating and maintaining the SIS
– Perform periodic function test on an interval that allows the specified SIL to be achieved with the installed equipment


Modification and Decommissioning
(Lifecycle box: Modification and Decommissioning, Subclauses 15.4 and 16)

• Objective
– Ensure changes to the system are safe and appropriately reviewed
• Tasks
– Establish procedures for change management
– Review safety functions prior to taking an SIS out of service


Application Exercise 1

• Safety Life Cycle
– List safety lifecycle tasks and responsibilities for completion in your organization


Summary: The Safety Life Cycle

• Safety Lifecycle Objectives
• IEC 61511 Safety Lifecycle
• ANSI/ISA S84.01 Safety Lifecycle
• Lifecycle Phases


Section 3: Hazard and Risk Analysis

• Objectives and Requirements
• Identifying Safety Instrumented Functions
• Process Hazards Analysis


Overview

• Objective
– Identify hazardous events, quantify their risk, and identify required safety instrumented functions
• Inputs
– Process design, equipment layout, staffing arrangement
• Outputs
– A description of required safety instrumented functions

Objectives and Requirements

• Determine and document the hazards and hazardous events of the process and associated equipment
• Determine the sequence of events leading to the hazardous event
• Determine the process risks associated with the hazardous event, describing the consequence and likelihood and additional risk reduction required
• Determine the safety functions required to achieve the necessary risk reduction and how the requirements are allocated
• Determine if any of the safety functions are safety instrumented functions

How do you know when to apply a SIF?

• Process Experience
– Most process units are not new
– Designers learn from past incidents and near-misses and incorporate prevention systems
• Process Hazards Analysis (PHA)
– Organized and systematic study for identification and analysis of the significance of potential hazards
– Proactive team effort identifies what could go wrong


How can I identify the SIF that should be used on my process?

• Review the design documentation
– Process Hazards Analysis Report
– Process Licensor P&IDs
– Detailed Design Contractor P&IDs


Identifying SIF from PHA Reports: What does a PHA contain?

• There are a variety of PHA methods
– Hazard and Operability Studies (HAZOP)
– Checklist
– What-if?
A PHA will use various techniques to identify hazards
• Discussions of hazards include consequences and safeguards (both SIS and non-SIS)
• Additional safeguards may be recommended

Summary: Hazard and Risk Analysis

• Objectives and Requirements
• Identifying Safety Instrumented Functions
• Process Hazards Analysis


Section 4: Requirement Allocation/SIL Selection

• Objectives and Requirements
• Risk / Risk Reduction
• Consequence Analysis
• Likelihood Analysis
• SIL Selection


Overview

• Objective
– Allocation of safety functions to protective layers and, for each SIF, the associated Safety Integrity Level (SIL)
• Inputs
– A description of the SIF and hazards requiring risk reduction
• Outputs
– Description of allocation of safety requirements, including SIL

Risk Terms: Risk and Hazard

• The objective of SIS is to reduce the risk of the hazards in a process to a tolerable level
– Risk – Combination of the probability of occurrence of harm and the severity of that harm
– Harm – Physical injury or damage to the health of people either directly, or indirectly as a result of damage to property or the environment
– Hazard – Potential source of harm


Risk Terms: Tolerable Risk

• The risk reduction the SIF must provide is the difference between process risk and tolerable risk
– Process Risk – Risk arising from the process conditions caused by abnormal events
– Tolerable Risk – Risk which is accepted in a given context based on the current values of society
– Necessary Risk Reduction – The risk reduction required to ensure that the risk is reduced to a tolerable level


Risk Reduction – ALARP

Figure: a risk scale from High Risk (top) to Negligible Risk (bottom), divided into three regions:
• Intolerable Region
• ALARP or Tolerable Region
• Broadly Acceptable Region

Risk Reduction – putting it in context

• Examples of fatality risk figures
– Road accident: 100 cpm, 1.0x10^-4/yr
– Car accident: 150 cpm, 1.5x10^-4/yr
– Accident at work: 10 cpm, 1.0x10^-5/yr
– Falling aircraft: 0.02 cpm, 2.0x10^-8/yr
– Lightning strike: 0.1 cpm, 1.0x10^-7/yr
– Insect/snake bite: 0.1 cpm, 1.0x10^-7/yr
– Smoking (20 per day): 5000 cpm, 5.0x10^-3/yr
– cpm = chances per million of the population per year

Risk Reduction – ALARP: Quantitative Risk Guidance

Figure: the ALARP scale with numerical boundaries (individual risk of fatality per year):
• Intolerable Region: above 10^-3/yr (workers), 10^-4/yr (public)
• ALARP or Tolerable Region: between the two boundaries
• Broadly Acceptable Region: below 10^-5/yr (workers), 10^-6/yr (public)
Numerical targets for tolerable risk are from HSE Tolerability of Risk Guidance.

Effect of SIS

Figure: likelihood (vertical axis) plotted against consequence (horizontal axis), with risk increasing toward the upper right. The Inherent Risk of the Process (i.e., no mitigation) lies in the Unacceptable Risk Region. Non-SIS likelihood reduction (e.g., relief valves) and non-SIS consequence reduction (e.g., containment dikes) move the point to the Risk after non-SIS Mitigation; SIS Risk Reduction (SIL 1, SIL 2, SIL 3 in successive steps) then lowers the likelihood further to the Final Risk after Mitigation. The plot is divided into the Unacceptable Risk Region, the ALARP Risk Region and the Acceptable Risk Region.

How do I analyze likelihood?

• Likelihood analysis can be performed in a number of ways
– Qualitative Estimation – Expert Judgement
– Quantitative – Statistical Analysis
– Quantitative – Fault Propagation Modeling
• Result is frequency of unwanted event


Fault Propagation Modeling

• Used when statistical analysis alone is inadequate
• Analyze chain-of-events that leads to an accident
• Use failure data of individual components, not entire system
• Combine failures using probability logic


Layer of Protection Analysis

Figure: protection layers drawn as concentric rings around the process, from the outermost (mitigation) to the innermost (prevention):
Mitigation
• Plant and Emergency Response: emergency response layer
• Dike: passive protection layer
• Relief valve, rupture disk: active protection layer
Prevention
• Safety Instrumented System, Emergency Shut Down: safety layer
• Trip level alarm, Process shutdown, Operator Intervention: process control layer
• Process alarm, Basic Process Control System: process control layer
• Process value, Normal behaviour: the process itself, at the centre

How do I analyze consequences?

• Consequence analysis can be performed in a number of ways
– Qualitative Estimation – Expert Judgement
– Semi-Quantitative – Risk Indices
– Quantitative – Statistical Analysis
– Quantitative – Hazardous Potential Release Modeling


Consequence Analysis Results

Figure: typical consequence analysis results for a toxic chemical release, showing an Injury Zone and a smaller Fatality Zone (distances marked 112 meters, 87 meters, 23 meters and 9 meters); Probable Loss of Life: 0.27; Probable Injuries: 2.56.
• Size of impact zone and occupancy of that zone are combined for probable loss
• Result depends on consequence of concern, typically probable loss of life and probable injury

Assigning SIL – Qualitative

Risk Matrix: figure not recoverable from the extraction; it plots consequence categories (CA to CD) against likelihood, with cells giving the required SIL (1, 2, 3*) or NR (no requirement).

Risk Graph: the parameters CA–CD, FA/FB and PA/PB lead to a row X1 to X6, which is read against the columns W3, W2, W1:
Row  W3   W2   W1
X1   a    ---  ---
X2   1    a    ---
X3   2    1    a
X4   3    2    1
X5   4    3    2
X6   b    4    3
--- = No safety requirements
a = No special safety requirements
b = A single E/E/PS is not sufficient
1,2,3,4 = Safety Integrity Level


Assigning SIL – Quantitative

• Risk is frequency times consequence
• Tolerable risk for an event can be expressed as frequency by considering consequence
• Necessary risk reduction can be calculated and expressed as frequency of failure of the SIS
• Allowable failure frequency is converted to a SIL using the tables in the standard


Safety Integrity Levels

Safety Integrity Level | Probability of failure on demand per year (Demand mode of operation) | Risk Reduction Factor
SIL 4 | >=10^-5 to <10^-4 | 100000 to 10000
SIL 3 | >=10^-4 to <10^-3 | 10000 to 1000
SIL 2 | >=10^-3 to <10^-2 | 1000 to 100
SIL 1 | >=10^-2 to <10^-1 | 100 to 10
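A worked version of the quantitative SIL selection described on the preceding slides (risk = frequency times consequence, necessary risk reduction = process risk / tolerable risk, then the SIL table), as added example code that is not part of the course materials. The ALARP boundaries and SIL bands are the figures on the slides; the example event frequency and the choice to target the broadly acceptable boundary are assumptions of the example.

```python
"""Quantitative SIL selection: classify the unmitigated risk against the ALARP
boundaries, compute the necessary risk reduction factor (RRF), and map the
allowable PFDavg (1 / RRF) to a demand-mode SIL.
"""

# Individual fatality risk boundaries per year, from the ALARP guidance slide:
# at or above the first value the risk is intolerable, below the second it is
# broadly acceptable, in between it is ALARP.
ALARP_BOUNDS = {"workers": (1e-3, 1e-5), "public": (1e-4, 1e-6)}

# Demand-mode SIL bands from the Safety Integrity Levels table:
# (SIL, PFDavg lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def alarp_region(fatality_frequency, population):
    """Name the ALARP region a fatality frequency (per year) falls into."""
    intolerable, acceptable = ALARP_BOUNDS[population]
    if fatality_frequency >= intolerable:
        return "intolerable"
    if fatality_frequency < acceptable:
        return "broadly acceptable"
    return "ALARP"


def fatality_frequency(event_frequency, probable_loss_of_life):
    """Risk is frequency times consequence: unmitigated event rate (per year)
    times the expected fatalities per event from consequence analysis."""
    return event_frequency * probable_loss_of_life


def necessary_risk_reduction(process_risk, tolerable_risk):
    """Risk reduction factor the protection layers must provide (1.0 if the
    process risk is already at or below the tolerable level)."""
    if process_risk <= tolerable_risk:
        return 1.0
    return process_risk / tolerable_risk


def sil_for_rrf(rrf):
    """Map a required RRF to a SIL through PFDavg = 1 / RRF.
    Returns None when less than SIL 1 is needed; raises when the requirement
    is beyond SIL 4, since one SIF cannot be credited with that much."""
    pfd = 1.0 / rrf
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    if pfd >= 0.1:
        return None
    raise ValueError(f"required PFDavg {pfd:.2e} is beyond SIL 4; add other layers")


def select_sil(event_frequency, probable_loss_of_life, population="workers"):
    """End-to-end selection targeting the broadly acceptable boundary (an
    assumption: a site may instead justify an ALARP target)."""
    risk = fatality_frequency(event_frequency, probable_loss_of_life)
    target = ALARP_BOUNDS[population][1]
    rrf = necessary_risk_reduction(risk, target)
    return {"process_risk": risk, "region": alarp_region(risk, population),
            "rrf": rrf, "sil": sil_for_rrf(rrf)}


if __name__ == "__main__":
    # Constructed example: one unmitigated hazardous release per 10 years, with
    # the probable loss of life (0.27) shown on the consequence analysis slide.
    print(select_sil(event_frequency=0.1, probable_loss_of_life=0.27))
```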


Summary: Requirement Allocation/SIL Selection

• Objectives and Requirements
• Risk / Risk Reduction
• Consequence Analysis
• Likelihood Analysis
• SIL Selection


Section 5: Safety Requirements Specification

• Objectives and Requirements
• Safety Instrumented Functions
• Logic Description Techniques


Overview

• Objective
– Specify requirements of each SIF of a SIS, including functional and safety integrity requirements
• Inputs
– Description of allocation of safety requirements
• Outputs
– SIS safety requirements; software safety requirements

Objectives

• Define the requirements of the SIS
– Requirements spelled out for EACH SIF
– Includes Functional Requirements, “What does the system do”
– Includes Performance Requirements, “How well does the system perform these functions”, in this case Safety Integrity Level (SIL)


Requirements

• The SRS shall contain:
– A description of all the safety instrumented functions necessary to achieve the required functional safety
– Requirements sufficient to design the SIS
– A definition of any individually safe process states which, when occurring concurrently, create a separate hazard (e.g., overload of emergency storage, relief, flare systems)


Requirements

• The SRS shall contain
– The assumed sources of demand and demand rate on the safety instrumented function
– Requirement for proof test intervals
– Response time requirements for the SIS to bring the process to a safe state
– The safety integrity level for each safety instrumented function
– A description of SIS process measurements and their trip points


Requirements

• The SRS shall contain
– A description of SIS process output actions
– A functional relationship between process inputs and outputs, including logic, mathematical functions, and any required permissives
– Requirements for manual shutdown
– Requirements for resetting the SIS after a shutdown
– Maximum allowable spurious trip rate


Requirements

• The SRS shall contain
– Failure modes and desired response of the SIS (for example, alarms, automatic shutdown, etc.)
– Any specific requirements related to the procedures for starting up and restarting the SIS
– All interfaces between the SIS and any other system
– A description of the modes of operation of the plant and identification of safety instrumented functions required to operate within each mode

Requirements

• The SRS shall include
– The application software requirements
– Requirements for overrides / inhibits / bypasses
– The specification of any action necessary to achieve or maintain a safe state in the event of fault(s) being detected in the SIS
– The minimum and worst-case repair time for the SIS
– Dangerous combinations of output states of SIS must be addressed


Safety Instrumented Function

Figure: six safety instrumented function loops (Loop 1 to Loop 6), each made up of sensors, a logic solver and final elements; the loops are drawn sharing two logic solvers.

Methods for Logic Specification

• Binary Logic Diagram: inputs PSL 101 and LSL 105 feed an OR gate whose output drives HY 415
• Cause and Effect Diagram: a matrix of causes (PSLL-0203, BSL-0252, XL-0288) against effects (PSV 1201, PSV 1234, XV 1217, XJ 1217), with an X marking each effect that a cause produces
• Plain Text: “Low Pressure or Low Level, indicated by deenergization of the inputs from LSL-105 and PSL-105, shall deenergize output HY-415, causing the shutoff valve to close.”

Application Exercise 4

• Safety Requirements Specification
– Review a sample safety requirements specification to determine if it is complete


Summary: Safety Requirements Specification

• Objectives and Requirements
• Safety Instrumented Functions
• Logic Description Techniques


Daily Progress Review

• Were today’s objectives clearly covered?
• Did today’s presentation / activities meet your goals?
• Was the level and pace of instruction right for you?


Performance Objectives Day 2

• Identify the tasks performed during SIS design and engineering
• Understand factory acceptance testing, installation and commissioning
• Understand modification and decommissioning
• Understand the management tasks and requirements for functional safety


Section 6: SIS Design and Engineering

• System Technology and Architecture
• Field Device Considerations
• Interfaces and Communication
• Probability of Failure


Design

• Choose Technology – Relays, PLC, Safety PLC
• Choose Sensors – Switch, Analog Transmitter, Safety Rated Transmitter
• Select level of system integration, communications needs
• Design the startup and shutdown logic
• Design logic to implement safety requirements

Failure Modes

• With a safety system, the failure mode counts! Two failure modes are significant:
Safe failures
– initiating
– spurious
– costly downtime
Dangerous failures
– inhibiting
– potentially dangerous
– must find by testing


Technology: Relay Systems

• Relays/Modules perform logic
• Reprogrammed by rewiring
• Hardwired Logic
• Inherently Fail-Safe Logic
Advantages
• Fail-safe for special relays and inherent fail-safe logic
• Low initial cost
Considerations
• Nuisance trips
• No diagnostics on relays
• Complexity of large systems
• Reprogramming
• Documentation
• High cost of ownership


Technology: Programmable Electronic Systems

• Microcomputers perform the logic
• I/O modules sense inputs and generate outputs
Advantages:
1. Diagnostics
2. Flexibility, Modular
3. Cabinet space savings
4. Calculation capability
5. Communications
6. Documentation
Considerations:
1. Fail danger failure modes
2. Software unpredictability
3. Communications security
4. Cost

General Requirements

• Design in accordance with SRS
• Common components designed to highest SIL of all SIF
• Separate BPCS and SIS
• Requirements for maintenance and testing should be considered
• Manual means of activating final elements should be provided
e ida.com
excellence in dependable-automation

Fault Tolerance Requirements

• Fault Tolerance – ability of a functional unit to continue to perform a required function in the presence of faults and errors

Integrity   Simple Devices                      Complex Devices
Level       Min. Fault Tol.  Typical Arch.      Min. Fault Tol.  Typical Arch.
SIL 1       0                Single, 1oo1       0                Single, 1oo1
SIL 2       0                Single, 1oo1       1                1oo2, 2oo3
SIL 3       1                1oo2, 2oo3         2                1oo3
SIL 4       2                1oo3               Special requirements apply


Selection of Components and Subsystems
• Designed in accordance with IEC 61508-2 and -3
– TÜV approval
• "Proven in Use"
– Consideration of the manufacturer's quality management
– Consideration of the performance of the device in a similar "operating profile"
Sufficient operational time is required to establish a claimed failure rate to a single-sided confidence limit of at least 70%
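How much operating experience that 70% bound actually demands, as an added example (not part of the course material): the single-sided upper confidence limit on a constant failure rate from observed device-hours and failures follows from the Poisson distribution (equivalently the chi-squared form used in reliability handbooks), here solved by bisection in plain Python. The target failure rate of 1e-6 per hour and the hour counts are assumed values for illustration.

```python
"""Single-sided upper confidence limit on a constant failure rate from
operating experience, and the hours needed to support a claimed rate.
Added example; the target rate and scenarios are assumed values.
"""
import math


def poisson_cdf(k, m):
    """P(X <= k) for X ~ Poisson(m), summed in log space to avoid overflow."""
    if m <= 0.0:
        return 1.0
    return sum(math.exp(-m + i * math.log(m) - math.lgamma(i + 1))
               for i in range(k + 1))


def upper_failure_rate(hours, failures, confidence=0.70):
    """Single-sided upper confidence limit on a constant failure rate (1/h).

    lam_u is the largest rate still consistent with the data: at lam_u the
    chance of seeing `failures` or fewer events in `hours` equals
    (1 - confidence), and at any higher rate it is smaller.  Bisection on
    the Poisson CDF; no SciPy needed.
    """
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0 / hours
    while poisson_cdf(failures, hi * hours) > target:   # widen until bracketed
        hi *= 2.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid * hours) > target:
            lo = mid
        else:
            hi = mid
    return hi


def required_hours(lam_target, failures=0, confidence=0.70):
    """Operating hours needed before lam_target can be claimed at `confidence`
    with `failures` observed.  The bound scales as 1/hours, so the factor
    found for one hour of operation carries over directly."""
    return upper_failure_rate(1.0, failures, confidence) / lam_target


if __name__ == "__main__":
    # Assumed scenario: claim lam_D = 1e-6 per hour for a field device from
    # operating experience in a similar operating profile.
    target = 1e-6
    for r in (0, 1, 2):
        hrs = required_hours(target, r)
        print(f"{r} failure(s): need {hrs:,.0f} device-hours "
              f"(about {hrs / 8760:,.0f} device-years)")
    # Counter-check: what does 2,000,000 failure-free hours support?
    print(f"2e6 h, 0 failures -> lam_u = {upper_failure_rate(2e6, 0):.2e} /h")
```

With zero failures the factor is -ln(0.30) ≈ 1.20, so a claim of 1e-6/h needs about 1.2 million device-hours of comparable service; each observed failure pushes the requirement up (about 2.44 million hours for one failure). The device-hours can be pooled across a population, which is why the "similar operating profile" condition on the slide matters: hours from a different service do not count.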


Field Devices

• If energize-to-trip is used, a method must be applied to ensure circuit integrity (an open circuit or lost supply in an energize-to-trip loop would otherwise prevent the trip without any indication)
• Each device shall have its own dedicated wiring, except:
– Multiple switches in series indicating the same condition
– Multiple final elements on a single output
– A digital bus system meeting the performance requirements of the SIF
• Smart sensors shall be write-protected against remote (over-the-bus) changes to their configuration

Interfaces

• Operator Interface
– SIS protective action has occurred
– Protective functions have been bypassed
– Status of sensors and final elements including
failures and diagnostics
• Maintenance/Engineering Interface
– SIS operating information including diagnostics,
voting and fault handling - troubleshooting
– Add, delete, modify application software

SIF Probability of Failure

• Check reliability / safety metrics for each Safety Instrumented Function
• Verify that PFDavg meets target SIL range
• If necessary: change technology, equipment,
or architecture.
• Document all results


Factors affecting SIF Failure Probability
• SIF Architecture
• Failure rates of subsystems
• Susceptibility to common cause failure
• Diagnostic coverage of testing
• Proof test intervals
• Repair times (Diagnosis + Repair)
• Climatic and mechanical conditions
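A worked calculation that ties these factors together, added here as an example (not part of the course material): the simplified low-demand PFDavg expressions for the voting architectures in the fault tolerance table, taking the dangerous failure rate, diagnostic coverage, proof test interval, repair time and a beta-factor common cause fraction as inputs, and the SIL band each result lands in. The numeric defaults (1e-6/h, 60% coverage, yearly test, 8 h repair, 5% common cause) are assumed for illustration.

```python
"""Simplified low-demand PFDavg for 1oo1, 1oo2, 2oo3 and 1oo3 voting with a
beta-factor common cause model, and the SIL band each result falls in.
Added example; the input values are assumed for illustration.
"""

# Low-demand PFDavg bands from IEC 61508-1 / IEC 61511-1: (SIL, lower, upper).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

ARCHITECTURES = ("1oo1", "1oo2", "2oo3", "1oo3")


def sil_from_pfdavg(pfd):
    """Return the SIL whose PFDavg band contains pfd; 0 if it does not reach SIL 1."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def pfd_avg(arch, lam_d, dc, ti, mttr, beta):
    """Simplified PFDavg for one voting architecture.

    lam_d : dangerous failure rate per channel (1/h)
    dc    : diagnostic coverage of dangerous failures (0..1)
    ti    : proof test interval (h); undetected failures can wait up to ti
    mttr  : repair time for diagnosed failures (h)
    beta  : fraction of dangerous failures that hit all channels at once
    """
    lam_du = lam_d * (1.0 - dc)   # dangerous undetected: found only by proof test
    lam_dd = lam_d * dc           # dangerous detected: found by diagnostics, repaired
    if arch == "1oo1":
        return lam_du * ti / 2.0 + lam_dd * mttr
    # Redundant legs: an independent part from channels failing separately,
    # plus a common cause part that behaves like a single channel.
    lam_ind = (1.0 - beta) * lam_du
    ccf = beta * lam_du * ti / 2.0 + beta * lam_dd * mttr
    if arch == "1oo2":            # both fail: (lam t)^2, averaged over ti -> /3
        return (lam_ind * ti) ** 2 / 3.0 + ccf
    if arch == "2oo3":            # any two of three: 3 (lam t)^2, averaged -> (lam ti)^2
        return (lam_ind * ti) ** 2 + ccf
    if arch == "1oo3":            # all three fail: (lam t)^3, averaged -> /4
        return (lam_ind * ti) ** 3 / 4.0 + ccf
    raise ValueError(f"unknown architecture {arch!r}")


def compare_architectures(lam_d=1e-6, dc=0.6, ti=8760.0, mttr=8.0, beta=0.05):
    """Return {arch: (PFDavg, SIL band)} for the architectures in the table.
    Defaults are assumed: lam_d = 1e-6/h, 60 % coverage, yearly proof test,
    8 h repair, 5 % common cause."""
    out = {}
    for arch in ARCHITECTURES:
        pfd = pfd_avg(arch, lam_d, dc, ti, mttr, beta)
        out[arch] = (pfd, sil_from_pfdavg(pfd))
    return out


if __name__ == "__main__":
    for beta in (0.0, 0.05):
        print(f"beta = {beta:.2f}")
        for arch, (pfd, sil) in compare_architectures(beta=beta).items():
            print(f"  {arch}: PFDavg = {pfd:.2e}  -> SIL {sil} band")
```

Run with beta = 0 the redundant architectures look spectacular; with beta = 0.05 they all collapse toward the common cause term beta·λDU·TI/2, which is why "susceptibility to common cause failure" is listed separately from failure rates. Note also that a PFDavg inside a SIL band does not by itself satisfy the minimum fault tolerance of the table: both checks have to pass.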


Probability of Failure
Modeling Methods
• Markov Analysis
• Fault Tree Analysis
• Block Diagram
[Figure: example diagrams of the three methods (a Markov state diagram with dangerous failure rate λD, a fault tree, and a reliability block diagram)]


Application Exercise 5

• SIS Design and Engineering Principles
– Demonstrate some principles of SIS design engineering


Summary:
SIS Design and Engineering
• System Technology and Architecture
• Field Device Considerations
• Interfaces and Communication
• Probability of Failure


Section 7:
FAT, Installation and Commissioning
• Objectives and Requirements
• Factory Acceptance Testing
• Commissioning Activities
• Validation (PSAT)


Overview

• Objectives
– Integrate and test the SIS
– Validate that the SIS meets the requirements of the SRS
• Inputs
– SIS Design, SIS Test Plan, SIS safety
requirements, Validation Plan
• Outputs
– Fully functioning SIS in conformance with SRS
– Validation of SIS

Factory Acceptance Testing

• If a FAT is required, this is specified in the SRS
• FAT proceeds according to a written plan
• FAT should be documented
– If a failure occurs, the reason for the failure, the corrective action, and the re-test should be documented

The objective of a Factory Acceptance Test (FAT) is to test the logic solver and associated software together to ensure that they satisfy the requirements defined in the Safety Requirements Specification. By testing the logic solver and associated software prior to installation in the plant, errors can be readily identified and corrected.

Commissioning Activities

• SIS components installed per design
• Grounding has been properly connected
• Energy sources connected and operational
• No physical damage present
• All instruments calibrated
• All devices operational
• Logic solver input/output operational
• Interfaces operational

Validation
Pre-Startup Safety Acceptance Test
• The Validation or PSAT will consist of the following activities
– The SIS performs under all normal and abnormal modes as identified in the SRS
– Confirmation that adverse interaction of the BPCS and other systems does not affect the proper operation of the SIS
– The proper shutdown sequence is activated and achieved
– The SIS properly communicates
– Sensors, logic solvers, and actuators perform according to the SRS
– Confirmation of proper SIS operation on a bad process variable (bad PV) input


Validation
Pre-Startup Safety Acceptance Test
• The Validation or PSAT will consist of the following activities
– The SIS performs under all normal and abnormal modes as identified in the SRS
– The SIS provides the proper annunciation and display
– SIS computations are correct
– SIS reset functions operate as defined in the SRS


Validation
Pre-Startup Safety Acceptance Test
• The Validation or PSAT will consist of the following activities
– Bypass functions operate properly
– Manual shutdown operates properly
– Proof test intervals are documented in maintenance procedures
– Diagnostic alarm functions perform as required
– Confirmation that the SIS performs as required on loss of power and returns to the proper state upon re-application of power

excellence in dependable-automation

Validation Documentation

• Version of the SIS validation planning
• Tools and equipment used, including calibration data
• Test results
• Version of test specification
• Criteria for test acceptance
• Version of SIS
• Discrepancies between expected and actual results
• Decisions taken when discrepancies occur


Pre-startup Tasks

• Prior to placing the SIS into service, the following tasks should be performed
– All bypass functions shall be returned to their normal position
– All process isolation valves shall be set according to the process start-up requirements
– All test materials shall be removed
– All forces (overridden I/O values in the logic solver) shall be removed


Summary:
FAT, Installation, and Commissioning
• Objectives and Requirements
• Factory Acceptance Testing
• Commissioning Activities
• Validation (PSAT)


Section 8:
SIS Operation and Maintenance
• Objectives and Requirements
• Procedures
• Training
• Proof Testing


Overview

• Objective
– Ensure functional safety of the SIS is maintained
• Inputs
– Safety requirements specification
– SIS Design
– SIS operation and maintenance
• Outputs
– SIS operation and maintenance


Objectives

• Ensure that the required SIL of each SIF is maintained during operation and maintenance
• Operate and maintain the SIS such that the designed functional safety is maintained


Planning Requirements

• Routine and abnormal operations
• Proof testing, preventive and breakdown maintenance activities
• Procedures, measures and techniques to be
used for operation and maintenance
• Verification and adherence to operations and
maintenance procedures
• Timing for these activities
• Resources responsible for the activities

Procedures

• Routine actions required to maintain the "as designed" functional safety of the SIS
• Actions necessary to prevent an unsafe condition
during maintenance
• Information to be maintained for system failure and
demand rates
• Information to be maintained for audit and test results
• Maintenance procedures for when faults occur
• Ensuring test equipment is calibrated and maintained


Training

• Ensure that operations and maintenance personnel understand:
– How the SIS functions (trip points and resulting actions)
– The hazard the SIS is preventing
– Operation of bypass switches and the circumstances for their use
– Operation of manual switches and when they are to be activated (e.g., reset switches)
– Action to be taken on diagnostic alarms


Proof testing and Inspection

• Periodic proof tests are conducted using written procedures
• The entire SIS shall be tested
• The test interval is set for each SIS and is re-evaluated periodically against the observed system performance (failure and demand rates)


Periodic Inspection Interval

The test period is a parameter which significantly affects the average probability of failure on demand and hence the safety integrity level.

[Figure: 1/PFD(t) against time; PFD(t) rises between proof tests and is reset at each test, giving a sawtooth, with 1/PFDavg plotted against the IEC 61511 SIL 1 to SIL 4 bands]


Periodic Inspection Interval

Decreasing the test interval decreases the average failure probability, increasing the safety integrity of the system.

[Figure: the same 1/PFD(t) plot with a shorter test period; the sawtooth peaks are lower and 1/PFDavg rises relative to the SIL bands]
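The sawtooth in the figures, computed numerically as an added example (not part of the course material): a two-state discrete-time Markov walk for one channel (working to failed dangerous undetected at rate λDU), reset by each proof test, with PFDavg taken as the time average of PFD(t). It also shows what an imperfect proof test does to the profile, a case the figures do not cover. The values λDU = 4e-7/h, the test intervals, and the 90% proof test coverage are assumed for illustration.

```python
"""PFD(t) of a 1oo1 channel under periodic proof testing, as a two-state
discrete-time Markov walk, and the PFDavg that results for a given test
interval.  Added example; failure rate and intervals are assumed values.
"""


def sil_band(pfd_avg):
    """Low-demand SIL band for a PFDavg value (0 = does not reach SIL 1)."""
    for sil, lo in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if lo <= pfd_avg < lo * 10:
            return sil
    return 0


def simulate_pfd(lam_du, test_interval, n_intervals=4, ptc=1.0, dt=1.0):
    """Walk the channel through n_intervals proof test periods.

    lam_du        : dangerous undetected failure rate (1/h)
    test_interval : proof test interval (h), a whole multiple of dt
    ptc           : proof test coverage, the fraction of the accumulated
                    failed probability a test actually reveals and repairs
    Returns (samples, pfd_avg); samples are (t, PFD(t)) pairs taken just
    before any test at that instant, so the sawtooth peaks are visible.
    """
    steps_per_test = int(round(test_interval / dt))
    p_failed = 0.0                       # probability of being in the failed state
    samples = []
    for step in range(1, n_intervals * steps_per_test + 1):
        p_failed += (1.0 - p_failed) * lam_du * dt   # working -> failed transition
        samples.append((step * dt, p_failed))
        if step % steps_per_test == 0:               # proof test: repair what it finds
            p_failed *= (1.0 - ptc)
    pfd_avg = sum(p for _, p in samples) / len(samples)
    return samples, pfd_avg


def pfd_avg_for_interval(lam_du, test_interval, ptc=1.0):
    """PFDavg only, for sweeping the test interval."""
    return simulate_pfd(lam_du, test_interval, ptc=ptc)[1]


if __name__ == "__main__":
    lam_du = 4e-7                                   # assumed, per hour
    for ti_h in (17520.0, 8760.0, 4380.0, 2190.0):  # 2 y, 1 y, 6 months, 3 months
        avg = pfd_avg_for_interval(lam_du, ti_h)
        print(f"TI = {ti_h / 8760:4.2f} y  PFDavg = {avg:.2e}  "
              f"(lam*TI/2 = {lam_du * ti_h / 2:.2e})  SIL {sil_band(avg)} band")
    # Imperfect proof test: the part the test misses keeps accumulating.
    full = pfd_avg_for_interval(lam_du, 8760.0)
    partial = pfd_avg_for_interval(lam_du, 8760.0, ptc=0.9)
    print(f"PTC 100 %: {full:.2e}   PTC 90 %: {partial:.2e} over 4 intervals")
```

Halving the test interval halves PFDavg almost exactly (the familiar λDU·TI/2 approximation), which is the lever the slide describes. The imperfect-test run is the caveat: with 90% coverage the residual grows from one interval to the next, so a test interval chosen from the perfect-test sawtooth alone overstates the integrity actually achieved over the life of the equipment.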


Proof Test Documentation

• The user shall maintain proof test records that include
– Description of test
– Date of test
– Persons involved
– Identifier of system
– Test results


Application Exercise 7

• Exercise 7
– Describe some operational requirements for SIS


Summary:
Operation and Maintenance
• Objectives and Requirements
• Procedures
• Training
• Proof Testing


Section 9:
Modification and Decommissioning
• SIS Modifications
• Management of Change
• SIS Decommissioning


SIS Modification

• If modifications are performed to an SIS
– Modifications must be properly planned, reviewed, and approved
– The required safety integrity must be maintained
• Procedures for modification must be in place
• A full analysis of the impact on functional safety is required
• Work will not begin without proper authorization


When is management of change required?
• If operating procedure changes are required
• The process is changed significantly
• Safety requirement specification changes
• Software or firmware changes
• Failure or demand rate is higher than
expected


When is Management of Change not required?
• “Replacement in kind” of components
• Changes do not affect safety requirements
• Regular calibration and maintenance


Considerations for modification

• Technical basis of the change
• Impact of change on safety
• Modifications to operating procedures
• Necessary time period for changes
• Authorization requirements
• Impact on existing equipment
• Process state during change (online change)


Modification Documentation

• Modification documentation should contain the following information at a minimum
– Description of change
– Reason for change
– Hazards which might be impacted
– Analysis of impact on SIS
– Required approvals
– Verification tests
– Configuration history

SIS Decommissioning

• When SIS are decommissioned
– Conduct appropriate safety review and obtain required authorization
– Ensure required SIF remain operational during
decommissioning activities
• Update Hazard and Risk Assessment
– Functional safety during decommissioning
– Impact of SIS decommissioning on adjacent
operating units and facility services


Summary:
Modification and Decommissioning
• SIS Modifications
• Management of Change
• SIS Decommissioning


Section 10:
Management of Functional Safety
• Objectives and Requirements
• Planning
• Verification
• SIS Functional Safety Audit
• Documentation


Overview

• Objective
– Identify the management activities that are necessary to
ensure functional safety objectives are met
• Requirements
– The policy and strategy for achieving safety shall be
identified together with the means for evaluating its
achievement and shall be communicated within the
organization
– A safety management system shall be in place so as to
ensure that safety instrumented systems have the ability to
place and/or maintain the process in a safe state


Resources

• Persons assigned to safety lifecycle activities shall be informed of their responsibilities
• They shall be competent to carry out the activities for which they are accountable; competence is judged against:
– Knowledge of the application
– Knowledge of SIS technology
– Safety engineering knowledge
– Knowledge of regulatory requirements
– Adequate management and leadership skills
– Understanding of the potential event consequences
– The SIL of the safety instrumented functions
– The novelty and complexity of the application and the SIS


Planning

• Define required activities
• Resources responsible for activities
• Timing of activities
• Planning shall be updated as necessary
through the entire safety lifecycle


Implementation and Monitoring

• Implement procedures for resolution of recommendations arising from
– Hazard and risk assessment
– Assessment activities
– Verification activities
– Validation activities
• Verify quality management of suppliers
• Implement procedures for evaluating
performance of SIS against requirements


Functional Safety Assessment

• Performed by a team including, as a minimum, one competent senior person not involved in the design
• May be performed after each of the stages below; must be done at least for stage 3
– Stage 1 – After hazard and risk assessment and
safety requirements specification
– Stage 2 – After SIS design
– Stage 3 – After commissioning and validation
– Stage 4 – After experience in ops and maint.
– Stage 5 – After modification

Functional Safety Assessment
Stage 3 Requirements
• Hazard and risk analysis completed,
recommendations completed or resolved
• Recommendations from previous functional safety
assessment resolved
• SIS designed, constructed and installed per SRS
• Operating and maintenance procedures in place
• Validation activities completed
• Employee training complete
• Plans for further functional safety assessments done


Audits and Revisions

• Procedures for auditing compliance with the requirements of the standard defined
– Frequency of audits
– Degree of independence of auditor
– Recording and follow up
• Management of change procedures in place


Verification vs. Validation

• Verification
– The activity of demonstrating for each phase of the
relevant safety lifecycle by analysis and/or tests,
that, for specific inputs, the deliverables meet in all
respects the objectives and requirements set for
the specific phase
• Validation
– The activity of demonstrating that the safety
instrumented system under consideration after
installation meets in all respects the safety
requirements specification.

Verification

• Performed for each phase of the safety lifecycle
• Demonstrate the deliverables meet the requirements of that phase


Documentation Requirements

• Describe the installation, system or equipment and the use of it
• Be accurate
• Be easy to understand
• Suit the purpose for which it is intended
• Be available in an accessible and
maintainable form


Documentation to be maintained

• The results of the hazard and risk assessment and the related assumptions
• The equipment used for safety instrumented
functions together with its safety requirements
• Organization responsible for maintaining functional
safety
• The procedures necessary to achieve and maintain
functional safety of the SIS
• Modification information
• Design, implementation, test and validation

Documentation Control

• All relevant documents shall be
– Revised
– Amended
– Reviewed
– Approved
– Under control of a document control scheme

A Document Control Scheme is mandatory


Application Exercise 2

• Functional Safety Management
– Describe the objectives of functional safety management


Summary:
Functional Safety Management
• Objectives and Requirements
• Planning
• Verification
• SIS Functional Safety Audit
• Documentation


Post Instructional Test

• Answer the questions to the best of your ability
• This test can be used to determine
effectiveness of this course
• Instructor will review questions and answers
to enhance your learning


Final Course Evaluation

• Course evaluations help us provide the highest quality training programs
• Please complete the form and return it to your
instructor
