
FSE global

Functional Safety Engineering


Safety Instrumented Systems

Analysis and Design

Presented by
Dr. Raymond Wright
FSEglobal Course Administration 2

• Course materials & location
  - Handouts & textbook
  - Exercises, additional resources, instructional surveys, & progress reviews
  - Tent card, reference & training products/courses survey

• Course attendance & participation

• Breaks
  - Lunch
  - Stretch, refreshment, etc.

• Personal belongings
18 May 2008

Copyright © FSEglobal 2008


FSEglobal 3

• Safety Lifecycle Services
  - Hazard & Risk Analysis
  - Safety Integrity Level Selection
  - Safety Requirements Specification
  - Conceptual & Detailed SIS Design
  - Safety Integrity Level Verification
  - Operation & Maintenance Function Testing

• Safety Case Preparation
  - Guidance for Developing a Safety Case
  - Review of Safety Case
  - Operational Procedures
  - Maintenance Procedures


FSEglobal 4

• Alarm Management
  - Alarm Definition
  - Alarm Prioritisation
  - Alarm Implementation

• Training - Classroom
  - Functional Safety Management
  - IEC 61508 / IEC 61511
  - Preparation for Certification Examination

• Software Tools
  - exSILentia
  - F&G Simulation


FSEglobal Introductions 5

• Instructor
  - Raymond Wright
  - Background / experience

• Classmates
  - Name, company, position
  - Background / experience


FSE global
Functional Safety Engineering
Course Objectives & Content

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Course Objectives 7

• Course Objectives
  - Understand the Safety Lifecycle and design requirements of the safety standards IEC 61508 and IEC 61511
  - Understand the difference between process control and safety control
  - Understand how to determine the required safety performance through Hazard Identification, Risk Assessment and SIL Selection
  - Understand how to write a Safety Requirements Specification and include all necessary detail
  - Understand how to select the appropriate technology and level of redundancy to meet the performance requirements


FSEglobal Course Objectives 8

• Course Objectives
  - Understand the effects of diagnostics, test interval and common cause on Safety Integrity Level
  - Understand how to verify a system design meets the safety performance requirements
  - Understand the operational and maintenance requirements to maintain the integrity of the safety system
  - Meet the documentation requirements for process safety management legislation and industry standards
  - Understand the importance of adequate Management of Change procedures


FSEglobal Course Content 9

• Introduction
  - Standards – IEC 61508, IEC 61511, ISA 84.01
  - Philosophy of Safe Design
  - Introduction to the Safety Lifecycle

• The Safety Lifecycle
  - Safety Lifecycle phases
  - Activities within each phase
  - Documentation requirements

• Risk Management
  - Tolerable Risk
  - Components of Risk
  - Consequence
  - Likelihood
  - Risk Matrix and Risk Graph
  - Risk Reduction


FSEglobal Course Content 10

• Process Risk
  - Incidents – Causes & Consequences
  - Preventative Controls (reduce frequency)
  - Mitigative Controls (reduce consequence)
  - Bow-Tie Diagrams

• Analysis Phase
  - Determination of Tolerable Risk
  - Hazard Identification
  - Risk Analysis (frequency and consequence)
  - Identifying Safety Instrumented Functions (SIF)
  - Determining the Safety Integrity Level (SIL) using Layer of Protection Analysis (LOPA)
  - Writing the Safety Requirement Specification
  - Other Design Considerations


FSEglobal Course Content 11

• Realisation Phase 1
  - System Technologies – Relay, Solid State, Programmable
  - Subsystems – Sensor, Logic Solver, Final Element
  - Architectures – 1oo1, 1oo2, 2oo2, 2oo3, 1oo2D
  - Sensor Subsystem
  - Logic Solver Subsystem
  - Final Element Subsystem
  - Effects of Field Devices on SIF Performance
  - Common Cause – Separation, Diversity, Physical Environment

• Reliability
  - Definition of terms
  - Probability
  - Failure Modes
  - Fault Tree Analysis
  - Reliability Block Diagrams
  - Markov Analysis


FSEglobal Course Content 12

• Realisation Phase 2
  - SIL Verification – PFDavg and Architectural Constraints
  - Factory Acceptance Testing
  - Commissioning
  - Analysis Models

• Operation Phase
  - Maintenance
  - Decommissioning
  - Documentation
  - Management of Change

• Functional Safety Management
  - Lifecycle Documentation Requirements


FSEglobal Course Limitations & Acknowledgements 14

• Course Limitations
  - No specific manufacturers' equipment
  - No specific programming of equipment
  - No specific maintenance of systems
  - No specific regulatory requirements for different areas, countries or industries

• Acknowledgements
  - Parts of this course borrowed material from the following sources:
    · Paul Gruhn & Harry Cheddie – Safety Shutdown Systems: Design, Analysis and Justification (ISA)
    · ISA Course EC50 – Designing and Applying Emergency Shutdown Systems (ISA)
    · Ed Marszal & Eric Scharpf – Safety Integrity Level Selection: Systematic Methods Including Layer of Protection Analysis (ISA)
    · Bill Goble & Harry Cheddie – Safety Instrumented Systems Verification: Practical Probabilistic Calculations (ISA)
    · Exida Course – Function Safety Engineering 1 & 2 (Exida)


FSEglobal Pre-Instructional Survey 15

• Pre-Instructional Survey
  - Answer the questions to the best of your ability
  - You are not expected to correctly answer all questions prior to instruction
  - The results will help the instructor emphasise areas required by all class members
  - 20 minutes


FSE global
Functional Safety Engineering
Introduction

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Introduction 17

• What level of risk is acceptable?
• Why not perform safety functions in the DCS?
• Can a system that’s 10 times more reliable be less safe?
• Which is safer: a dual 1oo2 system, or a triplicated 2oo3 system?
• How often should a safety system be tested?
• Is mean time to repair (MTTR) the same as mean down time (MDT)?
• If there hasn’t been an accident in your plant for 15 years, does that mean you have a safe plant?


FSEglobal Introduction 18

• What do YOU want to learn?
• Confused by the standards?
• What is a SIS?
• Confused by many safety system choices, and different architectures?
• Don’t know how to write a safety requirements specification?
• Don’t know if your safety system meets the requirements of the standards?


FSEglobal Introduction 19

• Can accidents teach us how to do things better?
  - Flixborough
  - Three Mile Island
  - Chernobyl
  - Bhopal
  - BP Texas
  - Buncefield

  [Photographs of the Chernobyl, BP Texas and Buncefield incidents]


FSEglobal Introduction 20

• Over Confidence and Complacency
  - After Three Mile Island, but before Chernobyl, the head of the Soviet Academy of Sciences said,

    “Soviet reactors will soon be so safe that they could be installed in Red Square.”

  - When the Bhopal plant works manager was informed of the accident, he said in disbelief,

    “The gas leaks just can’t be from my plant. The plant is shut down. Our technology just can’t go wrong. We just can’t have leaks.”


FSEglobal Introduction 21

• HSE Study of Accident Causes Involving Control Systems:
  - Specification: 44%
  - Changes after Commissioning: 21%
  - Design & Implementation: 15%
  - Operation & Maintenance: 15%
  - Installation & Commissioning: 6%

  “Out of Control: Why Control Systems go Wrong and How to Prevent Failure,” U.K.: Sheffield, Health and Safety Executive, 1995


FSEglobal Introduction 22

• IEC 61508 International Committee

  [Diagram: earlier national and industry standards feeding into IEC 61508: ISA S84.01, DIN V 19250, DIN VDE 0801, EWICS, HSE PES, NAMUR]


FSEglobal Introduction 23

• A Strategy for Functional Safety

  [Diagram: Safety Lifecycle* with the phases Analysis & Specification, Design & Implementation, Installation & Commissioning, Operation & Maintenance, and Changes after Commissioning; surrounding it are Causes of Failure, Safety Management, Technical Requirements, and Competence of Persons]

  * Simplified view


FSEglobal Introduction 24

• IEC 61508 Concept

  [Diagram: IEC 61508 overall Safety Lifecycle]
  Analysis:
    Concept
    Scope Definition
    Hazard & Risk Analysis
    Overall Safety Requirements
    Safety Requirements Allocation
  Realization:
    Planning: Operation & Maintenance Planning, Safety Validation Planning, Installation & Commissioning Planning
    Safety Related Systems: E/E/PES Realisation
    Safety Related Systems: Other Technology Realisation
    External Risk Reduction Facilities Realisation
    Installation & Commissioning
    Safety Validation
  Operation:
    Operation & Maintenance
    Modification & Retrofit (back to appropriate phase)
    Decommissioning

  Each phase addresses:
    · Objectives
    · Requirements
    · Scope
    · Inputs
    · Deliverables


FSEglobal Introduction 25

• IEC 61511 Safety Lifecycle

  [Diagram: IEC 61511 Safety Lifecycle, with the clause of IEC 61511 covering each phase]
  Analysis:
    Risk Analysis and Protection Layer Design (Sub-clause 8)
    Allocation of Safety Functions to Safety Instrumented Systems or other means of Risk Reduction (Sub-clause 9)
    Safety Requirements Specification for the Safety Instrumented System (Sub-clause 10)
  Realization:
    Design and Development of Safety Instrumented System (Sub-clause 11)
    Design and Development of other means of Risk Reduction (Sub-clause 9)
    Installation, Commissioning and Validation (Sub-clause 14)
  Operation:
    Operation and Maintenance (Sub-clause 15)
    Modification (Sub-clause 15.4)
    Decommissioning (Sub-clause 16)

  Running alongside every phase:
    Management of Functional Safety and Functional Safety Assessment (Clause 5)
    Safety Lifecycle Structure and Planning (Sub-clause 6.2)
    Verification (Sub-clauses 7, 12.7)


FSEglobal Introduction 26

• Concepts in IEC 61508 and IEC 61511 (and ISA 84.01)

  Safety Lifecycle ► Structured Process
  Risk Management ► Identifying, Assessing & Reducing Risk
  Safety Integrity Level ► Performance Requirements
  Competence of people ► Understanding Safety Issues
  Documentation ► Management of Change


FSEglobal Introduction 27

• Functional Safety
  - In order to achieve functional safety the safety instrumented functions must operate correctly and, when a failure occurs, must behave in a defined manner so that the plant remains in a safe state or is brought into a safe state.


FSEglobal Introduction 28

• Safety Instrumented System (SIS)

  A system composed of Sensors, Logic Solvers, and Final Control Elements for the purpose of taking the process to a safe state when process conditions are outside normal limits. Separate from the Basic Process Control System.

  [Diagram: a Safety Instrumented System (SIS) and a Basic Process Control System (BPCS), each with its own INPUTS and OUTPUTS, connected to a REACTOR; field devices shown: PT 1A, PT 1B, FT, I/P]

  E/E/PES = Electrical/Electronic/Programmable Electronic System
FSEglobal Introduction 29

• Safety Instrumented Function (SIF)

  A Safety Instrumented Function is defined as a “Function to be implemented by a SIS which is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event.”

  Each SIF has a specified Safety Integrity Level (SIL).

  [Diagram: Sensors (1 to 5) feed a Logic Solver that drives Final elements (6 to 8); the sensor-to-final-element paths are grouped as Loop 1 to Loop 5, one loop per SIF]


FSEglobal Introduction 30

• Safety Integrity Level (SIL)
  - The safety integrity level is derived from the average Probability of Failure on Demand (PFDavg) and determines the risk reduction needed.
  - Different loops (SIF) can have different SILs.
  - Architectural Constraints also need to be considered.

  [Diagram: breakdown of the total failure rate λ]
    60% Safe Failures, λS = Safe Detected (λSD) + Safe Undetected (λSU)
    40% Dangerous Failures, λD = Dangerous Detected (λDD) + Dangerous Undetected (λDU)

  PFDavg = 1 − e^(−λDU · TI / 2)

  RRF = 1 / PFDavg
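The failure-rate split and the two formulas on this slide, worked through in code. This is an added example, not code from the FSEglobal course: it splits a total failure rate into λSD/λSU/λDD/λDU, computes PFDavg = 1 − e^(−λDU·TI/2) and RRF = 1/PFDavg, and maps PFDavg onto the IEC 61508 / IEC 61511 low-demand SIL bands. The device failure rate, the 90% diagnostic coverage and the test intervals are constructed values; the safe failure fraction (SFF) function is included because the slide's Architectural Constraints depend on it.

```python
"""PFDavg, RRF and achieved SIL for a 1oo1 SIF element from its failure-rate split.

Added worked example; not code from the FSEglobal course. Relationships as on
the slide: lambda = lambda_S + lambda_D (60%/40% in the pie chart),
lambda_D = lambda_DD + lambda_DU, PFDavg = 1 - exp(-lambda_DU * TI / 2),
RRF = 1 / PFDavg. SIL bands are the IEC 61508 / IEC 61511 low-demand PFDavg
ranges. Device numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from math import exp

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in failures per hour, split as in the slide's diagram."""
    lambda_sd: float  # safe, detected by diagnostics
    lambda_su: float  # safe, undetected
    lambda_dd: float  # dangerous, detected by diagnostics (annunciated, repaired)
    lambda_du: float  # dangerous, undetected: only revealed by the proof test

    @property
    def lambda_s(self) -> float:
        return self.lambda_sd + self.lambda_su

    @property
    def lambda_d(self) -> float:
        return self.lambda_dd + self.lambda_du

    @property
    def total(self) -> float:
        return self.lambda_s + self.lambda_d

    def safe_failure_fraction(self) -> float:
        """SFF = (lambda_S + lambda_DD) / lambda; IEC 61508 uses it for architectural constraints."""
        return (self.lambda_s + self.lambda_dd) / self.total


def split_rates(total_per_hour: float, safe_fraction: float,
                diagnostic_coverage: float, safe_detected_fraction: float = 0.0) -> FailureRates:
    """Split a total rate into SD/SU/DD/DU.

    safe_fraction is the safe share of all failures (0.6 in the slide's pie chart);
    diagnostic_coverage is the share of dangerous failures the diagnostics reveal.
    """
    lam_s = total_per_hour * safe_fraction
    lam_d = total_per_hour - lam_s
    return FailureRates(
        lambda_sd=lam_s * safe_detected_fraction,
        lambda_su=lam_s * (1.0 - safe_detected_fraction),
        lambda_dd=lam_d * diagnostic_coverage,
        lambda_du=lam_d * (1.0 - diagnostic_coverage),
    )


def pfd_avg(lambda_du_per_hour: float, test_interval_years: float) -> float:
    """PFDavg = 1 - exp(-lambda_DU * TI / 2), TI (proof-test interval) converted to hours."""
    ti_hours = test_interval_years * HOURS_PER_YEAR
    return 1.0 - exp(-lambda_du_per_hour * ti_hours / 2.0)


def pfd_avg_linear(lambda_du_per_hour: float, test_interval_years: float) -> float:
    """Small-argument approximation PFDavg ~= lambda_DU * TI / 2, close while lambda_DU * TI is small."""
    return lambda_du_per_hour * test_interval_years * HOURS_PER_YEAR / 2.0


def rrf(pfd: float) -> float:
    """Risk Reduction Factor RRF = 1 / PFDavg."""
    return 1.0 / pfd


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg; 0 means no SIL band is reached."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


def evaluate(rates: FailureRates, test_interval_years: float) -> dict:
    """The figures a SIL verification sheet would show for one element at one test interval."""
    pfd = pfd_avg(rates.lambda_du, test_interval_years)
    return {"test_interval_years": test_interval_years, "pfd_avg": pfd,
            "rrf": rrf(pfd), "sil": sil_from_pfd(pfd), "sff": rates.safe_failure_fraction()}


# Constructed device: 5e-6 failures/h in total, 60% safe as in the slide's pie
# chart, 90% of the dangerous failures caught by diagnostics -> lambda_DU = 2e-7/h.
EXAMPLE_DEVICE = split_rates(5e-6, safe_fraction=0.6, diagnostic_coverage=0.9)

if __name__ == "__main__":
    # Same device, two proof-test intervals: the longer interval drops it from SIL 3 to SIL 2.
    for ti in (1.0, 5.0):
        r = evaluate(EXAMPLE_DEVICE, ti)
        print(f"TI={ti:.0f} yr  PFDavg={r['pfd_avg']:.3e}  RRF={r['rrf']:.0f}  "
              f"SIL {r['sil']}  SFF={r['sff']:.2f}")
```

Running the block shows the effect the course objectives promise to cover: with the same hardware, a 1-year proof-test interval gives PFDavg ≈ 8.8e-4 (SIL 3 band), while stretching the interval to 5 years gives ≈ 4.4e-3 (SIL 2 band). Only λDU enters PFDavg; diagnostics move failures from λDU into λDD and so raise both the achievable SIL and the SFF.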


FSEglobal Introduction 31

• Review of Introduction
  - Learning from Incidents
  - Safety Standards – IEC 61508, IEC 61511, ISA 84.01
  - Concepts in safety standards
  - Safety Lifecycle

• Class Exercise
  - Question Sheet – SIS (Safety) Terminology


FSE global
Functional Safety Engineering
Safety Life Cycle

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Safety Life Cycle (SLC) 33

• IEC 61511 on the Safety Life Cycle (SLC):
  - The Safety Life Cycle describes the “necessary activities involved in the implementation of safety instrumented function(s), occurring during a period of time that starts at the concept phase of a project and finishes when all of the safety instrumented functions are no longer available for use.”

• The Safety Life Cycle is a core concept in all recent standards related to Safety Instrumented Systems. It provides:
  - A structured and consistent framework for the specification, design, implementation and maintenance of safety instrumented systems
  - Guide to risk assessment methodologies
  - The performance requirements of each safety instrumented function
  - The competency requirements of personnel working in each phase of the SLC
  - The documentation requirements that allow the output of each SLC activity to become the input to the next phase


FSEglobal Safety Life Cycle (SLC) 34

• IEC 61508 Concept

  [Diagram: IEC 61508 overall Safety Life Cycle, as shown in the Introduction]
  Analysis: Concept; Scope Definition; Hazard & Risk Analysis; Overall Safety Requirements; Safety Requirements Allocation
  Realization: Planning (Operation & Maintenance Planning, Safety Validation Planning, Installation & Commissioning Planning); Safety Related Systems E/E/PES Realisation; Safety Related Systems Other Technology Realisation; External Risk Reduction Facilities Realisation; Installation & Commissioning; Safety Validation
  Operation: Operation & Maintenance; Modification & Retrofit (back to appropriate phase); Decommissioning

  Each phase addresses:
    · Objectives
    · Requirements
    · Scope
    · Inputs
    · Deliverables


FSEglobal Safety Life Cycle (SLC) 35

• Analysis Phase

  [Diagram: lifecycle boxes Concept, Scope Definition, Hazard & Risk Analysis, Overall Safety Requirements, Safety Requirements Allocation]

  - Concept and Scope
  - Define Tolerable Risk
  - Hazard Identification
  - Risk Analysis
    · Comparison of Inherent Risk to Tolerable Risk
    · Layers of Protection Analysis (LOPA) to identify preventative control measures that reduce risk
  - Identify Safety Instrumented Functions (SIF)
  - Safety Integrity Level (SIL) Targets
  - Definition of Safety Functions (e.g. Cause and Effect Charts)
  - Write the Safety Requirements Specification


FSEglobal Safety Life Cycle (SLC) 36

• Realisation Phase

  [Diagram: lifecycle boxes Planning (Operation & Maintenance Planning, Safety Validation Planning, Installation & Commissioning Planning); Safety Related Systems E/E/PES Realisation; Safety Related Systems Other Technology Realisation; External Risk Reduction Facilities Realisation; Installation & Commissioning; Safety Validation]

  - Architectural / Detail Design of Safety Instrumented System (SIS)
  - SIL Verification: Fault Trees / Reliability Block Diagrams / Markov Models
  - Operation and Maintenance Planning
  - Validation Test Planning
  - Installation and Commissioning
  - Validation Testing


FSEglobal Safety Life Cycle (SLC) 37

• Operation Phase

  [Diagram: lifecycle boxes Operation & Maintenance; Modification & Retrofit (back to appropriate phase); Decommissioning]

  - Operation
  - Maintenance including Periodic Inspection and Testing
  - Management of Change for
    · Modification and Retrofit
    · Decommissioning


FSEglobal Safety Life Cycle (SLC) 38

• Safety Life Cycle (SLC)

  AS61508 Safety Life Cycle (flowchart)

  - Yellow area shows Safety Life Cycle activities or processes
  - Blue area shows information required for the activities
  - White area shows the documentation produced by the activities
  - This diagram provides the structure for the workshop
  - See separate sheet in the workshop manual

  Activities, with the information each requires and the documentation each produces:
    1. Conceptual Process Design (requires: Process Information)
    2. Identify Potential Hazards (requires: Event History; produces: Potential Hazards)
    3. Layer of Protection Analysis, to assess Potential Risk Likelihood (requires: Layers of Protection, Failure Probabilities; produces: Hazard Frequencies)
    4. Consequence Analysis, to analyse Potential Risk Magnitude (requires: Hazard Characteristics, Consequence Database; produces: Hazard Consequences)
    5. Select SIL Target (requires: Tolerable Risk Guidelines; produces: Target SILs; also Develop Non-SIS Safety Layers; decision: SIS Required? No: Exit; Yes: continue)
    6. Develop Safety Specification (produces: Safety Requirements Specification: Functional Description of each Safety Instrumented Function, Target SIL, Mitigated Hazards, Process Parameters, Logic, Bypass/Maintenance Requirements, Response Time, etc.)
    7. SIS Conceptual Design
       7a. Select Technology (Relays, Failsafe Solid State, PLC, Safety PLC, Sensors, Final Elements)
       7b. Select Architecture (Redundancy: 1oo1, 1oo2, 2oo3, 1oo2D)
       7c. Determine Test Philosophy
       7d. Reliability, Safety Evaluation (requires: Manufacturer's Failure Data, Failure Data Databases; produces: SILs Achieved; decision: SIL Achieved? No: back to conceptual design; Yes: continue)
    8. SIS Detailed Design (requires: Manufacturer's Safety Manual; produces: Detailed Design Documentation: Loop Diagrams, Wiring Diagrams, Logic Diagrams, Panel Layout, PLC Programming, Installation Requirements, Commissioning Requirements, etc.)
    9. Installation & Commissioning Planning (requires: Manufacturer's Installation Instructions)
    10. SIS Installation, Commissioning and Pre-Startup Acceptance Test
    11. Validation Planning
    12. Validation: Pre-Startup Safety Review (verify all documentation against Hazards, Design, Installation Testing, Maintenance Procedures, Management of Change, Emergency Plans, etc.)
    13. Operation & Maintenance Planning
    14. SIS Startup, Operation, Maintenance, Periodic Functional Tests
    15. Modify or Decommission? (Modify: back to the appropriate step; Decommission: continue)
    16. SIS Decommissioning

  Based on the Functional Safety Lifecycle model provided in the Safety Engineering I course from exida.com


FSEglobal Safety Life Cycle (SLC) 39

• Review – Safety Life Cycle
  - Standards
  - Common to each phase:
    · Objectives
    · Requirements
    · Scope
    · Inputs
    · Deliverables (outputs)
  - Analysis Phase
  - Realisation Phase
  - Operation Phase
  - Documentation Requirements

• Class Exercise
  - Question Sheet – Safety Life Cycle


FSE global
Functional Safety Engineering
Analysis Phase

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Analysis Phase 41

• Activities in the Analysis Phase

  [Diagram: Input → Process → Output for the Analysis Phase, ending at Safety Requirements Allocation]


FSEglobal Analysis Phase 42

• The Analysis Phase includes a number of activities that are designed to

  - Determine the Tolerable Risk.
    · How much risk is a company prepared to tolerate?
    · What level of risk is acceptable to the community?
    · Is the tolerable risk determined by national or local regulations?

  - Identify all potential Hazards.
    · A multi-discipline team is used to capture all hazards – mechanical, chemical, toxic, etc.

  - Identify the Risk associated with each hazard. This is the Inherent Risk associated with the particular hazard.
    · What are the consequences?
    · How often does it happen?


FSEglobal Analysis Phase 43

  - Identify the existing control measures that prevent the hazard or mitigate the consequences, and the risk reduction capability of each control measure.
    · What protection already exists?
    · What risk reduction can this protection offer?

  - Identify the risk reduction required when the inherent risk minus the risk reduction provided by existing control measures is still higher than the tolerable risk.
    · Do the existing control measures reduce the risk below the tolerable risk level?
    · Can other control measures be identified or developed?

  - Use the required risk reduction as the safety performance target for the Safety Instrumented Function (SIF). The safety performance target is specified as the Safety Integrity Level (SIL) of the SIF.
    · What safety performance do I need from the identified SIF?

  - Document the safety performance requirements for each SIF in the Safety Requirements Specification.


FSEglobal Analysis Phase 44

• Risk management concepts must be understood because they form the foundation for the entire Safety Life Cycle.

• Risk Management
  - Tolerable Risk
  - Components of Risk
  - Consequence
  - Likelihood (frequency)
  - Risk Reduction

• Process Risk
  - Bow Tie Diagrams to Visualise Risk


FSE global
Functional Safety Engineering
Risk Management

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Risk Management 46

• Definition of Risk
  - Risk is a measure of the likelihood and consequence of an adverse event or incident. That is, how often it happens, and what the effects are when it does.

• Risk Receptors
  - Injury to Personnel
  - Damage to the Environment
  - Financial Loss
    · Equipment / Property Damage
    · Business Interruption
    · Business Liability
    · Company Image
    · Lost Market Share


FSEglobal Risk Management 47

• Tolerable Risk
  - Organisations have a moral, legal and financial responsibility to limit the risk their operations pose
  - Organisations have a moral duty to limit the risk to employees and the public
  - Organisations also have a responsibility to consider the risks to the environment, property and business
  - The concept is simple, but the determination of tolerable risk is complex. It considers the consequences of risk in a number of different ways:
    · Individual risk of injury
    · Damage to the environment
    · Economic loss due to lost production or damaged equipment
    · Legal implications
    · Community reputation

  [Diagram: Moral, Legal and Financial Responsibilities, drawn as a triangle]
    Moral: Make plant as safe as possible, disregard costs
    Legal: Comply with regulations, regardless of costs or level of risk
    Financial: Build lowest cost plant, keep operating budget as small as possible
FSEglobal Risk Management 48

• Basis for Risk Tolerance

• Risky activities are tolerated because they provide benefits
  - Understanding both the risk and the benefit is critical to understanding what kind of risk can be tolerated in trade for what kind of benefit
  - There is no such thing as zero risk in the real world


FSEglobal Risk Management 49

• Tolerable Risk
  - Generally accepted criteria for determining the tolerable risk of an organisation are:
    · Individual risk expressed as Probable Loss of Life (PLL)
    · Societal risk expressed
    · National or regional tolerable risk criteria
  - Organisations generally adopt a framework such as ALARP, and select numerical criteria for decision making

• Example: Victorian Interim Risk Criteria
  - 1 E-05 at Plant Boundary
  - 1 E-07 at Off-site locations
  (individual risk of fatality)

  [Diagram: ALARP (As Low As Reasonably Practicable) triangle, source: HSE UK; risk decreases from top to bottom]
    High Risk
    Intolerable Region: above 10^-3 per yr (Individual), above 10^-4 per yr (Public)
    ALARP or Tolerable Region
    Broadly Acceptable Region: below 10^-6 per yr (Individual), below 10^-6 per yr (Public)
    Negligible Risk


FSEglobal Risk Management 50

• In order to manage risk, the level of risk for each potential incident needs to be assessed to know if it is tolerable
  - To assess the inherent risk involved in an incident we need to know the likelihood of the incident and the consequences of the incident
  - Once the level of risk has been established, it needs to be compared with the level of risk considered tolerable.
  - If the level of risk is higher than the tolerable risk, the risk must be reduced to the tolerable level by identifying existing layers of protection, or adding additional layers of protection

  [Diagram]
    Inherent Risk: based on the unmitigated consequence and likelihood
    Layers of Protection: each layer provides risk reduction
    Tolerable Risk: based on corporate risk tolerance


FSEglobal Risk Management 51

• Risk Assessment
  - Risk has two components:
    · Likelihood / Frequency - The higher the likelihood, the higher the risk
    · Consequence - The higher the consequence, the higher the risk
  - To reduce risk:
    · Reduce the likelihood of the incident
    · Reduce the consequence of the incident
    · Reduce both the likelihood and the consequence

  The relationship between risk and likelihood and consequence is:

    Risk = Likelihood x Consequence

  [Diagram: LIKELIHOOD against CONSEQUENCE]

  Example:
    Likelihood = 1/10 yrs
    Consequence = 1 fatality (death)
    Risk = 1 fatality / 10 years


FSEglobal Risk Management 52

• Consequence
  - What is the effect of the incident happening?
  - How do we categorise consequence to make it meaningful?

• Consequence can be categorised in a number of ways:
  - Injury to Personnel
  - Damage to the Environment
  - Economic Loss
  - Legal Implications
  - Loss of Public Image

• Consequence for each category can be assessed in two ways:
  - Qualitatively – uses the judgement of competent people
  - Quantitatively – uses specific effects for calculation

  Example of Consequence Categories for Injury to Personnel

  Qualitative Analysis   Quantitative Analysis
  Catastrophic           Multiple Fatalities
  Major                  Single Fatality
  Serious                Severe or Permanent Injury
  Minor                  Single Injury, not severe
  Incidental             Minor Injury
FSEglobal Risk Management 53

• Consequence

  Example of Consequence Categories for Damage to the Environment

  Qualitative Analysis   Quantitative Analysis
  Catastrophic           Long term impact, adverse publicity
  Major                  Serious offsite impact, long term health effects
  Serious                Significant with serious offsite impact
  Minor                  Licence breach and/or agency involvement
  Incidental             Recordable, no agency involvement

  Example of Consequence Categories for Economic Loss to the Business

  Qualitative Analysis   Quantitative Analysis
  Catastrophic           > $10M
  Major                  $1M - $10M
  Serious                $100K - $1M
  Minor                  $10K - $100K
  Incidental             < $10K


FSEglobal Risk Management 54

• Example of Consequence Categories
  - These Consequence categories have been ‘calibrated’ to suit a particular process plant. Other situations may use other consequence categories.

  Consequence categories: Incidental | Minor | Serious | Major | Catastrophic

  Costs (C):
    < $10k | $10k - $100k | $100k - $1M | $1M - $10M | > $10M
  People (P):
    Minor injury | Single injury, not severe, possible lost time | Severe or permanent disabling injury | Single fatality (internal only) | Multiple fatalities (internal & external)
  Environment (E):
    Recordable, but no agency involvement | Licence breach and/or agency involvement | Significant with serious offsite impact | Serious offsite impact, possible long-term public health effects | Long term impact, adverse international publicity
  Legal (L):
    Recordable, but no agency involvement | Agency involvement with possible prosecution | Agency involvement with prosecution | Major prosecution with significant fine | Major prosecution with company officer imprisonment
  Community & Reputation (R):
    No impact | Complaint from public, minor reputation damage | Widespread complaints, local government action | Community outrage, state government action | Widespread outrage, federal government action


FSEglobal Risk Management 55

• Likelihood / Frequency
  - How often will the incident happen?
  - How do we categorise likelihood to make it meaningful?

• Likelihood is generally categorised as a frequency, and can be assessed in two ways:
  - Qualitatively – uses the judgement of competent people
  - Quantitatively – uses specific frequencies for calculation

  Example of Likelihood Categories

  Qualitative Analysis   Quantitative Analysis
  Frequently             1/1 yr
  Sometimes              1/10 yrs
  Seldom                 1/100 yrs
  Rarely                 1/1,000 yrs
  Never                  < 1/10,000 yrs


FSEglobal Risk Management 56

• Example of Likelihood Categories
  - These likelihood categories have been ‘calibrated’ to suit a particular process plant. Other process plants may use other likelihood categories.

  Category     Event Frequency                                                     Numerical
  Frequently   Event likely to occur once in 1 year to once in 10 years.           > 1.00E-01 per year
  Sometimes    Event likely to occur once in 10 years to once in 100 years.        > 1.00E-02 per year
  Seldom       Event likely to occur once in 100 years to once in 1,000 years.     > 1.00E-03 per year
  Rarely       Event likely to occur once in 1,000 years to once in 10,000 years.  > 1.00E-04 per year
  Never        Event likely to occur less than once in 10,000 years.               < 1.00E-04 per year


FSEglobal Risk Management 57

• Example of a Calibrated Risk Matrix

  Legend: Intolerable = Must Reduce Risk; Reduce Risk = Reduce Risk if Cost-Effective; Tolerable = Risk is Tolerable

  Likelihood     Incidental    Minor         Serious       Major         Catastrophic
  1/yr           Reduce Risk   Reduce Risk   Intolerable   Intolerable   Intolerable
  1/10 yr        Reduce Risk   Reduce Risk   Intolerable   Intolerable   Intolerable
  1/100 yr       Tolerable     Reduce Risk   Reduce Risk   Reduce Risk   Intolerable
  1/1,000 yr     Tolerable     Tolerable     Reduce Risk   Reduce Risk   Intolerable
  1/10,000 yr    Tolerable     Tolerable     Tolerable     Tolerable     Reduce Risk
                 (columns: Consequence)

  The consequence columns use the calibrated categories for Costs (C), People (P), Environment (E), Legal (L) and Community / Reputation (R) defined on slide 54.
FSEglobal Risk Management 58

• Example of a Calibrated Risk Matrix
  - Uses the SIL to state the safety requirements

  Legend: Intolerable = Must Reduce Risk; Reduce Risk = Reduce Risk if Cost-Effective; Tolerable = Risk is Tolerable

  Likelihood     Incidental   Minor   Serious   Major   Catastrophic
  1/yr           2            2       3         4       4
  1/10 yr        1            2       3         3       4
  1/100 yr       1            1       2         2       3
  1/1,000 yr     -            1       1         2       3
  1/10,000 yr    -            -       1         1       2
                 (columns: Consequence; cell value = SIL required)

  The consequence columns use the calibrated categories for Costs (C), People (P), Environment (E), Legal (L) and Community / Reputation (R) defined on slide 54.
FSEglobal Risk Management 59

„ Risk Reduction
… The final step in risk management is to determine the difference
between the inherent risk and the tolerable risk. The difference will
determine the level of risk reduction required.

Inherent Risk – based on the unmitigated consequence and likelihood
Risk Reduction – provided by the Layers of Protection; each layer provides risk reduction
Tolerable Risk – based on corporate risk tolerance


FSEglobal Risk Management 60

„ Risk Reduction
… As the components of risk are Consequence and Likelihood, reducing
either of these components will reduce the risk

„ Consequences can be reduced by:
… Reducing inventory of hazardous materials,
… Use of containment dikes,
… Fire protection systems
… Material strength in vessels and pipelines, etc.

„ Likelihood can be reduced by introducing barriers to prevent
the incident from happening. The barriers are called layers of
protection. Examples of Layers of Protection:
… Operating procedures
… Process control system (DCS)
… Alarm and Operator Response
… Safety Instrumented Systems (SIS)


FSEglobal Risk Management 61

„ Effect of Preventative and Mitigative controls on Risk

(Diagram: Likelihood against Consequence, divided into the Unacceptable Risk Region, the ALARP Risk Region and the Tolerable Risk Region. Starting from the Inherent Risk of the Process, Non-SIS Risk Reduction (e.g. DCS, Alarm System) and SIS Risk Reduction (SIL 1, SIL 2, SIL 3) move the risk down the Likelihood axis; Consequence Reduction (e.g. bunds, fire protection, reduce hazardous material) moves it along the Consequence axis.)

FSEglobal Risk Management 62

„ Summary of Risk Management


… Definition of risk
… Risk receptors
… Components of risk
… Consequence categories
… Risk matrix
… Risk assessment
… Inherent risk
… Tolerable risk
… Risk reduction

„ Questions?

„ Class Exercise
… Question Sheet – Risk Management


FSE global
Functional Safety Engineering
Process Risk

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Process Risk 64

„ Incidents have a Cause and a Consequence

Cause Incident Consequence

„ Examples:
… Lightning hits an aeroplane and CAUSES the aeroplane to crash, and
the CONSEQUENCE is many people die. (Injury)
… An oil storage tank overflows and CAUSES oil to leak into a river, and
the CONSEQUENCE is contaminated water. (Environment)
… No maintenance CAUSES a valve to stick, and the CONSEQUENCE is
$1 million lost production. (Economic)


FSEglobal Process Risk 65

„ Risk Reduction by Prevention or Mitigation

Cause → Preventative Control Measures → Incident → Mitigative Control Measures → Consequence

… To reduce risk we have to prevent the incident from happening; or if the
incident does happen we have to reduce (or mitigate) the consequence.
… We can prevent the incident from happening by putting barriers between
the Cause and the Incident. These barriers are called preventative
control measures.
… We can reduce (mitigate) the consequences by putting barriers between
the incident and the consequence. These barriers are called mitigative
control measures.


FSEglobal Process Risk 66

„ Example of risk reduction by Mitigation

Cause → Incident → Mitigative Control Measures → Consequence

… Typical mitigative control measures:
… Ignition source control
… Fire & Gas detection system
… Emergency response

… Mitigative control measures reduce the risk by reducing the severity of
the consequence



FSEglobal Process Risk 67

„ Example of risk reduction by Mitigation

Cause → Incident → Mitigative Control Measures → Consequence

… Example
… A fire from a tank overflow costs $1 million
… A fire detection system provides an alarm and triggers a deluge system.
This reduces the damage by 80%.
… How much does a fire cost with and without the fire detection system?

Without the fire system, the cost is $1 million
With the fire system, the cost is $1 million x 0.2 = $200k

… The consequence has reduced, therefore the risk has reduced



FSEglobal Process Risk 68

„ Example of risk reduction by Prevention

Cause → Preventative Control Measures → Incident → Consequence

… Typical preventative control measures:
… Operating procedures
… DCS (BPCS)
… Alarm and operator response
… Safety Instrumented Systems (SIS)

… Preventative control measures reduce the risk by reducing the likelihood
(frequency) of an incident



FSEglobal Process Risk 69

„ Example of risk reduction by Prevention

Cause → Preventative Control Measures → Incident → Consequence

… Example
… A level transmitter fails once a year and causes a tank to overflow
… A high level switch provides an alarm and an operator shuts the inlet valve.
This is effective 90% of the time.
… How often does the tank overflow with and without the alarm?

Without the alarm, the incident happens 1 / year
With the alarm, the incident happens 1 / year x 0.1 = 1 / 10 years

… The likelihood has reduced, therefore the risk has reduced



FSEglobal Process Risk 70

„ Risk Reduction by Prevention and Mitigation

Cause → Preventative Control Measures → Incident → Mitigative Control Measures → Consequence

… Without preventative and mitigative control measures
… A level transmitter failure costs $1 million each year

… With preventative and mitigative control measures
… A level transmitter failure costs $200k every 10 years
… Or $20k each year
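The prevention and mitigation arithmetic above, generalised to a bow-tie with several causes and several layers, as an added Python example (not course material). It also places the result on the calibrated risk matrix from the Risk Management section; the likelihood rows and cost bands are the slide's, while treating a band boundary such as $1M as belonging to the higher band, and frequencies above 1/yr as the 1/yr row, are assumptions of the example.

```python
"""Bow-tie risk arithmetic: causes -> preventative layers -> incident -> mitigative layers.

Added example, not FSEglobal course code. The figures in tank_overflow_example()
are the slides'; the band-boundary conventions in the matrix helpers are assumptions.
"""
from dataclasses import dataclass, field

@dataclass
class Cause:
    name: str
    frequency_per_year: float                             # how often the initiating event occurs
    preventative_pfd: list = field(default_factory=list)  # PFD of each layer between cause and incident

@dataclass
class BowTie:
    incident: str
    causes: list
    consequence_cost: float                                   # unmitigated cost of one incident, $
    mitigation_fractions: list = field(default_factory=list)  # cost fraction left after each mitigative layer

    def incident_frequency(self) -> float:
        """Incidents per year: each cause's frequency times the PFDs of its
        preventative layers (a 90%-effective alarm has PFD 0.1); independent,
        rare causes are OR-ed together by adding their frequencies."""
        total = 0.0
        for cause in self.causes:
            freq = cause.frequency_per_year
            for pfd in cause.preventative_pfd:
                freq *= pfd
            total += freq
        return total

    def mitigated_cost(self) -> float:
        """Cost of one incident after the mitigative layers (80% less damage = 0.2 left)."""
        cost = self.consequence_cost
        for fraction in self.mitigation_fractions:
            cost *= fraction
        return cost

    def risk_per_year(self) -> float:
        """Risk = likelihood x consequence, in $ per year."""
        return self.incident_frequency() * self.mitigated_cost()

# Calibrated risk matrix from the Risk Management slides: likelihood rows,
# consequence columns, cell = SIL ("-" on the slide is None here).
COLUMNS = ["Incidental", "Minor", "Serious", "Major", "Catastrophic"]
COST_BANDS = [(10_000_000, "Catastrophic"), (1_000_000, "Major"),
              (100_000, "Serious"), (10_000, "Minor"), (0, "Incidental")]   # lower bounds, $
LIKELIHOOD_ROWS = [(1.0, "1/yr"), (0.1, "1/10 yr"), (0.01, "1/100 yr"),
                   (0.001, "1/1,000 yr"), (0.0001, "1/10,000 yr")]        # lower bounds, per year
RISK_MATRIX = {
    "1/yr":        [2, 2, 3, 4, 4],
    "1/10 yr":     [1, 2, 3, 3, 4],
    "1/100 yr":    [1, 1, 2, 2, 3],
    "1/1,000 yr":  [None, 1, 1, 2, 3],
    "1/10,000 yr": [None, None, 1, 1, 2],
}

def consequence_category(cost: float) -> str:
    """Assumption: a boundary value such as $1M belongs to the higher band."""
    for lower, label in COST_BANDS:
        if cost >= lower:
            return label
    return "Incidental"

def likelihood_category(freq_per_year: float):
    """Assumption: above 1/yr uses the 1/yr row; below 1/10,000 yr is off the matrix (None)."""
    for lower, label in LIKELIHOOD_ROWS:
        if freq_per_year >= lower:
            return label
    return None

def matrix_cell(freq_per_year: float, cost: float):
    """SIL cell for a (likelihood, consequence) pair, or None where the slide shows '-'."""
    row = likelihood_category(freq_per_year)
    if row is None:
        return None
    return RISK_MATRIX[row][COLUMNS.index(consequence_category(cost))]

def required_risk_reduction(inherent_risk: float, tolerable_risk: float) -> float:
    """Risk reduction factor needed to bring the inherent risk down to the tolerable risk."""
    return inherent_risk / tolerable_risk

def tank_overflow_example():
    """Slide figures: transmitter fails 1/yr, $1M per fire, alarm 90% effective, deluge cuts damage 80%."""
    bare = BowTie("Tank overflow", [Cause("Level transmitter fails", 1.0)], 1_000_000)
    protected = BowTie("Tank overflow",
                       [Cause("Level transmitter fails", 1.0, preventative_pfd=[0.1])],
                       1_000_000, mitigation_fractions=[0.2])
    return bare.risk_per_year(), protected.risk_per_year()

if __name__ == "__main__":
    bare, protected = tank_overflow_example()
    print(f"unprotected ${bare:,.0f}/yr (cell {matrix_cell(1.0, 1_000_000)}); "
          f"protected ${protected:,.0f}/yr (cell {matrix_cell(0.1, 200_000)}); "
          f"RRF achieved {required_risk_reduction(bare, protected):.0f}")
```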



FSEglobal Process Risk 71

„ Some incidents have more than one Cause

Cause → Incident (Tank Overflow):
1. Faulty limit switch, OR
2. High level alarm ignored, OR
3. Inlet valve sticks open

… Example:
… A faulty limit switch; OR
… An operator ignores a high level alarm; OR
… An inlet valve sticks in the open position
… CAUSING a storage tank to overflow



FSEglobal Process Risk 72

„ Some incidents have more than one Consequence

Incident (Tank Overflow) → Consequence:
1. Lost product, OR
2. Environmental damage, OR
3. Fire, Explosion

… Example:
… A storage tank overflow could cause
… Lost product; OR
… Fire, explosion; OR
… Environmental damage



FSEglobal Process Risk 73

„ The Bow-Tie Diagram

Causes → Preventative Control Measures → Incident → Mitigative Control Measures → Consequences

! IMPORTANT CONCEPT !

The Bow-Tie diagram provides a visual representation of the links
between cause and consequence, and the use of preventative and
mitigative control measures to reduce risk.
FSEglobal Process Risk 74

„ Safety Instrumented Functions (SIF) are preventative control
measures

Cause → Operating Procedures → DCS BPCS → Alarm + Op Response → Safety Instrumented Function → Incident → Consequence

… Typical preventative control measures:
… Operating procedures
… DCS (BPCS)
… Alarm and operator response

… If the existing preventative control measures cannot reduce risk to a
tolerable level, consider using a Safety Instrumented Function (SIF)



FSEglobal Process Risk 75

„ Review of Process Risk


… Incidents – Causes and Consequences
… Preventative Control Measures (reduce the likelihood)
… Mitigative Control Measures (reduce the consequence)
… One Incident – Multiple Causes
… One Incident – Multiple Consequences
… Bow-Tie Diagrams
… Safety Instrumented Functions as Preventative Control Measures

„ Questions?

„ Class Exercise
… Question Sheet – Bow Tie Diagrams


FSE global
Functional Safety Engineering
Concept and Scope

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Conceptual Design 77

„ Activities in the Analysis Phase

(Safety lifecycle diagram, analysis phase; the labels that survive extraction are “Safety”, “Requirements” and “Allocation”.)



FSEglobal Conceptual Design 78

„ Conceptual Process Design


… The goal is an inherently safe process. It is at this point that risks can be
eliminated. This is difficult to achieve, but consideration can be given to
„ The type and quantity of materials used;
„ The type of process;
„ The operating temperatures and pressures, etc.
… At least a preliminary understanding of potential process hazards
involved with the proposed equipment and materials should be
achieved. These will be looked at in detail in subsequent steps.

„ The Tolerable Risk should be defined.
… This is the level of risk that is tolerable in daily operation, and this will
form the basis for risk reduction requirements
… The Tolerable Risk should reflect
„ The level of risk tolerated by the company
„ The level of risk tolerated by national codes, standards and regulations


FSEglobal Conceptual Design 79

„ Scope Definition
… This is the framework for the project.
„ The purpose of the project in terms of goals and outcomes is defined.
„ Operational and safety objectives are defined.
„ Adequate resourcing and realistic scheduling should be made
available to achieve these objectives.
„ Responsibilities are assigned and reporting mechanisms are put in
place.


FSE global
Functional Safety Engineering
Hazard Identification

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Hazard Analysis 81

„ Process Hazard Analysis

(Safety lifecycle diagram, analysis phase; the labels that survive extraction are “Safety”, “Requirements” and “Allocation”.)



FSEglobal Hazard Analysis 82

„ Hazard Identification and Risk Analysis
… The purpose is to review the process design to ensure that protection is
provided for all identified hazards.
„ If a hazard is not identified there may be no control measures to
prevent it, or mitigate its consequences

… A formal Process Hazard Analysis (PHA) is conducted to identify
hazardous events.
„ Use a structured methodology
„ Use a multi-discipline team of competent people
„ Consider what information is important for other activities in the Safety
Life Cycle
„ Document the results

… The expected consequence of the hazard and the likelihood of the
causes of each hazard are evaluated to determine the overall risk
associated with the hazard.
„ If the risk is under-estimated there may not be sufficient protection
„ If the risk is over-estimated protection will be expensive



FSEglobal Hazard Analysis 83

… Existing layers of protection are identified, and their effect on the level
of risk is determined.
„ Identify control measures that can completely prevent the hazard, or
completely mitigate it
„ What level of risk reduction can each control measure realistically
offer?

… If the risk is unacceptable to the company (higher than the tolerable
risk), the process must be changed or additional protective layers must
be implemented.
„ Can the process be changed – lower pressures, lower temperatures,
etc.?
„ Can the inventory of hazardous material be reduced?
„ Could a procedural control measure be used to reduce risk?

… If necessary, a Safety Instrumented Function (SIF) can be used as a
layer of protection. These SIFs are sometimes called safety
interlocks or emergency shutdown (ESD) functions.
„ Is the SIF independent?
„ Will it bring the process to a safe state?



FSEglobal Hazard Analysis 84

… The level of risk reduction required determines the Safety Integrity Level
(SIL) requirement of the SIF.
„ A SIF with a SIL 3 requirement is expensive to implement, and
expensive to maintain
„ If a SIL-rated function is implemented in a BPCS (DCS), the BPCS must
have the required safety rating – this is not easy to achieve
„ If an Alarm and Operator Response is identified as a layer of
protection, it must be independent from other layers of protection


FSEglobal Hazard Analysis 85

(Diagram, combining the two earlier figures: the Inherent Risk, based on the unmitigated consequence and likelihood, is the Risk Level in the process; the Layers of Protection (BPCS, ALARM, SIS) each provide risk reduction down to the Tolerable Risk, based on corporate risk tolerance. Below it, the bow-tie shows DCS, ALARM and SIS as Preventative Control Measures between Cause and Incident, ahead of the Consequence.)



FSEglobal Hazard Analysis 86

„ Process Hazard Analysis (PHA)
… Process Hazard Analyses (PHA), also called Process Safety Reviews
(PSR), are formal safety reviews.
… A PHA is conducted by a multidiscipline team which can include
„ A facilitator
„ A scribe to record the results
„ Process engineer
„ Chemical engineer
„ Operations engineer
„ Electrical/Instrumentation engineer
„ Mechanical engineer
„ Safety/Risk engineer
… A PHA will cover the relevant parts of the process, or the whole process,
in a thorough and systematic way
… Larger processes are divided into logical units called “nodes”, then each
node is investigated in a thorough and systematic way



FSEglobal Hazard Analysis 87

„ The main types of Process Hazard Analysis are
… “Checklist”
… “What If” study
… “Failure Mode and Effects Analysis” (FMEA)
… “Fault Tree Analysis” (FTA)
… “Hazard & Operability” study (HAZOP)

„ These are formal studies, and should not substitute for
everyday safety awareness and monitoring.



FSEglobal Hazard Analysis 88

„ Checklist

… Requires a good knowledge of the process

… Useful on established process units with common deficiencies

… Often a summary of codes of practice and standards

… The disadvantage is that all items may not be listed, and therefore some
items may be overlooked


FSEglobal Hazard Analysis 89

„ What if …
… A less formal and structured method
… Applies the words “what if …” to each area of investigation
… Some examples are
„ What if the control valve fails open?
„ What if the pump seal fails?
„ What if the tank overflows?
„ …
… Requires the most qualified, experienced team
… Helpful to develop “what if …” questions in advance



FSEglobal Hazard Analysis 90

„ FMEA
… Identifies failure modes of systems and equipment
… Analyses the effects of each failure mode
„ On hazards
„ On other components and the overall system
… It is important to identify causes of failures so corrective actions can be
implemented
… Often used to analyse instrument systems, including shutdown systems
… Intended to be conducted before the design is finalised, to see if
changes need to be made



FSEglobal Hazard Analysis 91

„ HAZOP
… The most frequently used PHA technique
… Identifies operations problems in addition to hazards
… Process is divided into areas called “nodes”
… The size of each node determines the detail of the study
… For each node, guide words are used to help identify any hazards that
process deviations may produce
… Typical guide words are:
„ More, Less, No, High, Low, etc.
… Applied to process parameters:
„ Temperature, Pressure, Level, Flow
… The magnitude of the consequence may also be considered
… The qualitative results can be used early in the project



FSEglobal Hazard Analysis 92

„ Typical HAZOP Results
(Risk matrix thumbnail: columns A to E, rows 5 to 2, the scale used in the Risk columns.)

Node: C3 Column 1
Parameter: Liquid Level

Columns: Deviation | Cause | Consequence | Safeguards | Risk (Inherent) | Risk (Safeguards) | Recommendation | Action By/When

… Too high | Loss of reboiler heating element | Potential distributor damage | High level alarm | D4 | D3 | Add high-high level switch to activate drain valve | J. Jones, May 2008
… Too high | Bottoms valve blockage | Potential distributor damage | High level alarm | D4 | D3 | Same as above | J. Jones, May 2008
… Too low | Loss of feed flow | Potential reboiler tube damage | Low level alarm | D3 | D2 | Verify if tubes will be damaged | S. Smith, March 2008



FSEglobal Hazard Analysis 93

„ Typical HAZOP Results
(Risk matrix thumbnail: columns A to E, rows 5 to 2, the scale used in the Risk columns.)

Node: C3 Column 1
Parameter: Pressure

Columns: Deviation | Cause | Consequence | Safeguards | Risk (Inherent) | Risk (Safeguards) | Recommendation | Action By/When

… More | Column Steam Reboiler Pressure Control fails, causing excessive heat input. | Column Overpressure and potential mechanical failure of the vessel and release of its contents. | Pressure relief valve, operator intervention to high pressure alarms, Mechanical design of vessel. | E4 | E2 | Install SIF (SIL 2) to stop reboiler steam flow upon high column pressure | J. Jones, May 2008
… More | Steam reboiler tube leak causes high pressure steam to enter vessel | Column Overpressure and potential mechanical failure of the vessel and release of its contents. | Pressure relief valve, operator intervention to high pressure alarms. | E4 | E2 | Same as above | J. Jones, May 2008
… More | Low flow through pump causes pump failure and subsequent seal failure | Pump seal fails and releases flammable material | Low Outlet flow pump Shutdown SIF (SIL 2). | D3 | D1 | Existing safeguards adequate | –



FSEglobal Hazard Analysis 94

„ Expected Output from HAZOP
… A description of the hazard being prevented
… The consequence of the hazard
… The initiating events which cause the consequence
… The likelihood of the hazard
… The level of risk associated with the hazard
… A description of the existing safeguards (non-SIS) used to prevent the
hazard or mitigate the consequence
… Description of the Safety Instrumented Functions (SIF) from previous
studies
… Description of the recommended Safety Instrumented Functions (SIF)
… Other recommendations



FSEglobal Hazard Analysis 95

„ Identify the Hazard and its Consequences
… The hazard that is being prevented, and its consequence can be found in a
“Consequences” or “Description of Hazard” column

(The HAZOP results table for Node: C3 Column 1, Parameter: Pressure, from Hazard Analysis 93 is repeated here with the Consequence column annotated “Hazard & Consequences”.)



FSEglobal Hazard Analysis 96

„ Initiating Events
… In HAZOP, Initiating events are found in the “Causes” column
… What-If and Checklist questions
… Potential for multiple initiating events per hazard

(The same HAZOP results table from Hazard Analysis 93 is repeated here with the first two Cause cells annotated “Initiating Event”: both Initiating Events cause the same consequence.)



FSEglobal Hazard Analysis 97

„ Safeguards
… Find both non-SIS and SIS Safeguards (other than SIS under study)
… Safeguards apply to initiating events. Multiple safeguards per initiating event
may exist

(The same HAZOP results table from Hazard Analysis 93 is repeated here with the Safeguards cells annotated “Safeguards apply to a specific Initiating Event”.)

FSEglobal Hazard Analysis 98

„ SIF Description
… Find all of the existing and recommended SIF
… Recommended SIF found in Recommendations Column, Existing SIF found in
Safeguards Column

(The same HAZOP results table from Hazard Analysis 93 is repeated here with the “Low Outlet flow pump Shutdown SIF (SIL 2)” safeguard annotated “Existing SIF” and the “Install SIF (SIL 2) …” recommendation annotated “Recommended SIF”.)



FSEglobal Hazard Analysis 99

„ Identifying SIFs from P&IDs

… PHA Studies not always 100% effective


… Past experience of Licensors and Detailed Design Contractors is
incorporated into the design
… SIFs in the design package are not typically differentiated from
other control loops
… Identification of SIFs based on P&ID representation requires control
engineering expertise
… Hazard, consequence, and safeguards related to SIFs require
process and risk assessment expertise


FSEglobal Hazard Analysis 100

„ Review of Process Hazard Analysis

… Hazard Definition
… Process Hazard Analysis
… HAZOP
… HAZOP Results

„ Questions?

„ Class Exercise
… Question Sheet – Process Hazard Analysis


FSE global
Functional Safety Engineering
Consequence Analysis

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Consequence Analysis 102

„ Consequence Analysis

(Safety lifecycle diagram, analysis phase; the labels that survive extraction are “Safety”, “Requirements” and “Allocation”.)



FSEglobal Consequence Analysis 103

„ Consequence Analysis
… What is the effect zone?
… How many people will be affected? How will the people be affected – injury, fatality?
… Will there be an impact on the environment? Will the damage be short-term or long-term?
… Will there be damage to equipment? How long will it take to replace it?
… Will production be lost? How much? For how long?
… Will the incident change the perception of the company in the community?
… Will the incident affect the stock prices and cause shareholders to sell shares?

Consequence: A measure of the expected effects of an incident outcome case.
Types of consequence: Fatalities, Injuries, Environmental Damage, Property Damage, Business Interruption, Third Party Liability, Other Intangible



FSEglobal Consequence Analysis 104

„ Incident Outcome
… The physical manifestation of the incident.
… For toxic materials, the incident outcome is a toxic release,
while for flammable materials, the incident outcome could be a
Boiling Liquid Expanding Vapor Cloud Explosion (BLEVE), flash
fire, unconfined vapor cloud explosion, toxic release, etc.

For Example
… For a 10 lb/sec leak of ammonia, the incident outcome is a toxic release



FSEglobal Consequence Analysis 105

„ Consequence Analysis should consider:
… Fatality and injury
… Environmental damage
… Business interruption
… Property damage
… Third-party liability
… Corporate image



FSEglobal Consequence Analysis 106

„ Toxic Hazards
„ Toxic effect zones are a function of:
… Release quantity
… Release duration
… Source Geometry
… Elevation/Orientation
… Initial Chemical Density
… Atmospheric Conditions
… Surrounding Terrain
… Limiting Concentration



FSEglobal Consequence Analysis 107

„ Consequence Analysis Methods include:
… Estimate and Categorize
… Statistical
… Consequence Modeling



FSEglobal Consequence Analysis 108

„ Consequence Categorisation

Consequence categories: Incidental, Minor, Serious, Major, Catastrophic
… Costs (C) – Incidental: < $10k; Minor: $10k - $100k; Serious: $100k - $1M; Major: $1M - $10M; Catastrophic: > $10M
… People (P) – Incidental: Minor injury; Minor: Single injury, not severe, possible lost time; Serious: Severe or permanent disabling injury; Major: Single fatality (internal only); Catastrophic: Multiple fatalities (internal & external)
… Environment (E) – Incidental: Recordable, but no agency involvement; Minor: Licence breach and/or agency involvement; Serious: Significant serious offsite impact; Major: Serious offsite impact, possible long-term public health effects; Catastrophic: Long term impact, with adverse international publicity
… Legal (L) – Incidental: Recordable, but no agency involvement; Minor: Agency involvement; Serious: Agency involvement with possible prosecution; Major: Major prosecution with significant fine; Catastrophic: Major prosecution with company officer imprisonment
… Community & Reputation (R) – Incidental: No impact; Minor: Complaint from public, minor reputation damage; Serious: Widespread complaints, local government action; Major: Community outrage, state government action; Catastrophic: Widespread outrage, federal government action



FSEglobal Consequence Analysis 109

„ Statistical Consequence Analysis
„ Use accident statistics to calculate average consequence.
… Advantage: Well defined number
… Problems:
„ Applicability of data – is the new situation similar enough?
„ Is there enough data to be statistically significant?

„ Example:
… In a five year period there were 235 explosions of industrial boilers.
… As a result of those explosions, 17 people were killed and 84 people
were injured.
… Personal Loss of Life (PLL) = 17 / 235 = 0.073 per incident
… Personal Injury (PI) = 84 / 235 = 0.358 per incident



FSEglobal Consequence Analysis 110

„ Consequence Modelling
„ Calculates “Effect Zones” and “Effect Distances”
„ Typically uses mathematical models

(Figure: Typical Consequence Modeling Results for a toxic chemical release. Effect distances of 112 meters and 87 meters; Injury Zone 23 meters; Fatality Zone 9 meters. Probable Loss of Life: 0.27; Probable Injuries: 2.56.)



FSEglobal Consequence Analysis 111

„ Consequence Modelling
„ Consequence is a function of effect zone, occupancy, and vulnerability
… Effect zone is the area where the incident will have an impact – and will
define the level of impact
… Occupancy is the average number of people (or other receptors) in the
effect zone – random and normally occupied buildings
… Vulnerability is the probability of fatality (or other harm level) given a
person is in the effect zone

„ Consequence = Occupancy * Vulnerability



FSEglobal Consequence Analysis 112

„ Effect Zone
… For an incident outcome of toxic release, the area over which the
airborne concentration exceeds some level of concern.
… For example: given an IDLH* for ammonia of 500 ppm (v), an effect
zone of 4.6 square miles is estimated for a 10 lb/s leak.
… Zones for thermal effects and explosion overpressure are described in a
similar fashion.

(Figure: effect distances of 112 meters and 87 meters; Injury Zone 23 meters; Fatality Zone 9 meters.)

*Immediately Dangerous to Life or Health
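The Consequence = Occupancy * Vulnerability relation of the previous slide, carried through over the effect zones of the figure as an added Python example (not course material). The zone radii are the 9 m fatality zone and 23 m injury zone from the figure; the receptors, their occupancy fractions, the vulnerability values and the treatment of each zone as a circle around the release point are constructed assumptions.

```python
"""Expected harm from effect zones: Consequence = Occupancy x Vulnerability.

Added example, not FSEglobal course code. Zone radii follow the consequence
modelling figure; receptors and vulnerability values are constructed.
"""
from dataclasses import dataclass

@dataclass
class Receptor:
    """A place where people may be when the release happens."""
    name: str
    distance_m: float         # from the release point
    people: int               # head count while the location is occupied
    fraction_present: float   # share of time it is occupied (1.0 = always manned)

    @property
    def occupancy(self) -> float:
        """Average number of people present: a normally occupied building counts
        in full, a randomly visited location in proportion to its use."""
        return self.people * self.fraction_present

@dataclass
class EffectZone:
    outer_radius_m: float     # zone reaches from the previous zone's edge to this radius
    p_fatality: float         # vulnerability: probability of fatality for a person inside
    p_injury: float           # vulnerability: probability of non-fatal injury

# Zones from the figure (9 m fatality, 23 m injury); the probabilities are assumptions.
ZONES = [
    EffectZone(9.0, p_fatality=0.5, p_injury=0.5),
    EffectZone(23.0, p_fatality=0.0, p_injury=0.3),
]

def vulnerability_at(distance_m: float, zones=ZONES):
    """(p_fatality, p_injury) at a distance; zero beyond the outermost effect distance."""
    for zone in sorted(zones, key=lambda z: z.outer_radius_m):
        if distance_m <= zone.outer_radius_m:
            return zone.p_fatality, zone.p_injury
    return 0.0, 0.0

def expected_harm(receptors, zones=ZONES):
    """Sum of occupancy x vulnerability over all receptors -> (fatalities, injuries)."""
    fatalities = injuries = 0.0
    for r in receptors:
        p_fat, p_inj = vulnerability_at(r.distance_m, zones)
        fatalities += r.occupancy * p_fat
        injuries += r.occupancy * p_inj
    return fatalities, injuries

# Constructed receptors around the release point.
SITE = [
    Receptor("Pump bay (operator rounds)", distance_m=5.0, people=1, fraction_present=0.25),
    Receptor("Control room", distance_m=20.0, people=2, fraction_present=1.0),
    Receptor("Workshop", distance_m=60.0, people=4, fraction_present=0.5),  # outside both zones
]

if __name__ == "__main__":
    fat, inj = expected_harm(SITE)
    print(f"probable loss of life: {fat:.3f}, probable injuries: {inj:.3f}")
```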


FSEglobal Consequence Analysis 113

„ Review of Consequence Analysis

… Types of Consequence
… Consequence Analysis Methods
„ Categorisation

„ Statistical Analysis

„ Consequence Modeling

„ Questions?

„ Class Exercise
… Question Sheet – Consequence Analysis


FSE global
Functional Safety Engineering
Likelihood Analysis

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Likelihood Analysis 115

„ Likelihood Analysis

(Flowchart of the analysis phase:)
1. Conceptual Process Design → Process Information
2. Identify Potential Hazards (input: Event History) → Potential Hazards
3. Layer of Protection Analysis (inputs: Layers of Protection, Failure Probabilities) → Hazard Frequencies; this is the Assess Potential Risk Likelihood step
4. Consequence Analysis (inputs: Hazard Characteristics, Consequence Database) → Hazard Consequences; this is the Analyse Potential Risk Magnitude step
Develop Non-SIS Safety Layers; then ask: SIS Required? No → Exit; Yes → continue
5. Select SIL Target (input: Tolerable Risk Guidelines) → Target SILs
6. Develop Safety Specification → Safety Requirements Specification: Functional Description of each Safety Instrumented Function, Target SIL, Mitigated Hazards, Process Parameters, Logic, Bypass/Maintenance Requirements, Response Time, etc.
(The diagram also carries the lifecycle labels “Safety”, “Requirements” and “Allocation”.)



FSEglobal Likelihood Analysis 116

„ Likelihood Analysis
… Likelihood looks at each of the possible causes of an incident
and determines how often each cause will occur
… There are potentially many types of causes, including:
„ Equipment failure – faulty instrumentation, pump seal damage,
„ Environmental conditions – high winds, hail, lightning, earthquake, floods
„ Human error – did not follow procedure correctly, did not calibrate equipment properly
„ External factors – under flight path of aircraft, terrorist activity, sabotage

Likelihood
According to IEC 61511 Part 3: Hazard Likelihood refers to a frequency such as the number of events per year or per million hours
Examples:
… Plant reliability data shows that a particular type of pump breaks down on average every 6 years.
… Data from similar plants around the world show that a particular valve in a similar service will fail open once in 14 years
… Weather reports over the past 20 years show that severe flooding occurs every 30 years on average



FSEglobal Likelihood Analysis 117

„ Likelihood Analysis Methods include:
… Estimate and Categorize
… Statistical
… Likelihood Modeling
„ Fault Propagation
„ Fault Tree
„ Event Tree
„ Layer of Protection Analysis (LOPA)



FSEglobal Likelihood Analysis 118

„ Likelihood Analysis using Categorisation
… Likelihood can be expressed in qualitative or quantitative categories

(Table of likelihood categories with Qualitative, Quantitative and Quantitative columns; the category values did not survive extraction.)



FSEglobal Likelihood Analysis 119

„ Likelihood Analysis using Statistical Analysis
… Accident likelihood can be determined from the likelihood of similar
previous events, but this depends on a sufficient number of similar
events to provide a proper basis
… Good for common generic hazards such as:
„ The likelihood of death from lightning is 1 x 10^-7 per year
„ The likelihood of a pressure vessel failing with considerable leakage is
3 x 10^-3 per year
… Not good for unusual equipment and more specific process accident
prediction



FSEglobal Likelihood Analysis 120

- Likelihood Analysis using Fault Propagation Modelling
  - Analyze the chain of events that leads to an accident
  - Establish how they are logically related
  - Use event rate data of individual components, not the entire system
    - Component failure event data is easier to find
  - Calculate overall likelihood using probability logic

(Diagram) Initiating Event -> Control System Fails -> Operator does not respond appropriately -> Mechanical Relief Fails -> Incident

Decompose the specific problem into generic events for which statistical data is likely to be available.

FSEglobal Likelihood Analysis 121

- Review of Likelihood Analysis
  - Likelihood Analysis Methods
    - Categorisation
    - Statistical Analysis
    - Likelihood Modeling: Fault Propagation
- Questions?
- Class Exercise
  - Question Sheet – Likelihood Analysis

FSE global
Functional Safety Engineering
Fault Tree Analysis

FSEglobal Fault Trees 123

- Fault Tree Analysis
  - Graphical method to show the logical relationship of failure probabilities and frequencies.
  - Top-down approach: start with the top event and build the Fault Tree downwards to its causes
  - Basic events each have a probability (or frequency), which are combined upwards to arrive at the probability (or frequency) of the top event
  - AND gates use probability multiplication
  - OR gates use probability addition (exactly P1 + P2 - P1xP2 for independent events; plain addition is a close approximation only while the inputs are small)

FSEglobal Fault Trees 124

- Fault Tree "AND" Gates

(Figure) Top event: Battery System Failure, P_TOP. AND gate with two basic events: Batteries Discharged, P_Battery = 0.2, and Charger Fails, P_Charger = 0.01.

Quantitative analysis of fault trees: combine probabilities using probability multiplication.

What is the probability of battery system failure?

AND gates are solved using probability multiplication (the inputs are assumed independent):
P_TOP = P_Battery x P_Charger = 0.2 x 0.01 = 0.002

FSEglobal Fault Trees 125

- Fault Tree "OR" Gates

(Figure) Top event: Shutoff valve fails to close, P_TOP. OR gate with two basic events: Solenoid fails to vent actuator, P_Sol = 0.001, and Valve stem sticks, preventing closure, P_Valve = 0.001.

Quantitative analysis of fault trees: combine probabilities using probability addition.

What is the probability the valve fails to close?

OR gates are solved using probability addition (the events are non-mutually exclusive in this case, so the overlap term is subtracted):
P_TOP = P_Sol + P_Valve - (P_Sol x P_Valve) = 0.001 + 0.001 - (0.001 x 0.001) = 0.001999

FSEglobal Fault Trees 126

- Frequency and Probability

Note that it is possible to treat mixed inputs to an OR gate, but only if a time period is specified so that the frequency can first be converted to a probability of occurrence during that fixed time period. The two probabilities are then treated as for a normal OR gate.

FSEglobal Fault Trees 127

- Multiple Frequency Inputs (assumes independent events)

Note that it is possible to treat multiple frequency inputs to an AND gate by converting one or more frequencies to a probability using a specified time base. The product of a frequency with probabilities is again a frequency, so at most one input of an AND gate may remain a frequency.

Copyright © FSEglobal 2008
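The gate rules on slides 123 to 127 are enough to write a small evaluator. The following Python is an added example, not course material: every input is tagged as a probability or as a frequency in events per year, frequencies are converted to probabilities over a stated time base where the slides require it, and the two worked figures above (0.002 and 0.001999) are reproduced. The `incident_frequency` case and its rates are constructed for illustration and are not from the course. Requires Python 3.8 or later for `math.prod`.

```python
import math

# Fault-tree gate evaluation with probability and frequency inputs.
# Added example, not course material. An input is a (kind, value) pair:
# ("P", p) for a dimensionless probability, ("F", r) for a rate per year.


def freq_to_prob(rate_per_year, period_years):
    """Probability of at least one event within period_years for a random
    (Poisson) process at rate_per_year. Approximately rate*period when that
    product is small, which is the usual hand-calculation shortcut."""
    return 1.0 - math.exp(-rate_per_year * period_years)


def and_gate(inputs, period_years=1.0):
    """AND gate: multiply. The inputs are assumed independent (no common cause).
    Probabilities only -> a probability. With frequencies present, one frequency
    is kept and every other frequency is first converted to a probability over
    period_years (the time base of slide 127); the result is then a frequency."""
    probs = [v for k, v in inputs if k == "P"]
    freqs = [v for k, v in inputs if k == "F"]
    if not freqs:
        return ("P", math.prod(probs))
    result = freqs[0]
    for rate in freqs[1:]:
        result *= freq_to_prob(rate, period_years)
    for p in probs:
        result *= p
    return ("F", result)


def or_gate(inputs, period_years=1.0):
    """OR gate for independent, non-mutually-exclusive events.
    Probabilities only: 1 - prod(1 - p_i), which for two inputs equals
    p1 + p2 - p1*p2 (slide 125). Frequencies only: the rates add. Mixed inputs:
    each frequency is converted to a probability over period_years first
    (slide 126) and the result is a probability for that period."""
    kinds = {k for k, _ in inputs}
    if kinds == {"F"}:
        return ("F", sum(v for _, v in inputs))
    probs = [v if k == "P" else freq_to_prob(v, period_years) for k, v in inputs]
    return ("P", 1.0 - math.prod(1.0 - p for p in probs))


def battery_system_failure():
    """Slide 124: Batteries Discharged (0.2) AND Charger Fails (0.01)."""
    return and_gate([("P", 0.2), ("P", 0.01)])


def shutoff_valve_fails_to_close():
    """Slide 125: Solenoid fails to vent (0.001) OR valve stem sticks (0.001)."""
    return or_gate([("P", 0.001), ("P", 0.001)])


def incident_frequency():
    """Constructed illustration of slide 127 (values are not from the course):
    demand source A at 0.5/yr AND demand source B at 0.1/yr AND a control
    system failure probability of 0.1, on a one-year time base. Source B is
    converted to a one-year probability so that the product stays a frequency."""
    return and_gate([("F", 0.5), ("F", 0.1), ("P", 0.1)], period_years=1.0)


if __name__ == "__main__":
    for name, fn in [("battery system failure", battery_system_failure),
                     ("shutoff valve fails to close", shutoff_valve_fails_to_close),
                     ("incident frequency", incident_frequency)]:
        kind, value = fn()
        unit = "per year" if kind == "F" else "(probability)"
        print(f"{name}: {value:.6g} {unit}")
```

The `kind` tag is the check a hand calculation usually skips: a frequency multiplied by a frequency is not a meaningful quantity, and the evaluator refuses to produce one by converting all but one frequency to a probability before multiplying.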


FSEglobal Fault Trees 128

- Review of Fault Trees
  - Fault Tree Symbols
  - Using Frequencies and Probabilities
  - Fault Tree "AND" Gates
  - Fault Tree "OR" Gates
- Questions?
- Class Exercise
  - Question Sheet – Fault Tree Analysis

FSE global
Functional Safety Engineering
Event Tree Analysis

FSEglobal Event Trees 130

- Likelihood Analysis using an Event Tree
  - Good fault propagation model for process risk estimation
  - Event chains connect a single initiating event to multiple outcomes through intermediate branch points

(Diagram) Initiating Event -> Branch 1 -> Branch 2 -> Outcomes 1 to 6

FSEglobal Event Trees 131

- Example: Drawing an Event Tree
- Draw an event tree for fire resulting from an overturned truck of petrol
  - Assume the initiating event is a tank truck accident
  - The primary event branches are:
    - Is the tank truck overturned?
    - Does the tank truck leak?
    - Does the liquid pool find a source of ignition?

FSEglobal Event Trees 132

- Example: Result of Drawing an Event Tree

INIT EVENT: Truck Accident | BRANCH 1: Tank Overturns | BRANCH 2: Tank Leaks | BRANCH 3: Ignition? | OUTCOME
  Overturns YES -> Leaks YES -> Ignition YES : Overturn, spill, fire
  Overturns YES -> Leaks YES -> Ignition NO  : Overturn, spill, no ignition
  Overturns YES -> Leaks NO                  : Overturn, no spill
  Overturns NO  -> Leaks YES -> Ignition YES : Spill, fire
  Overturns NO  -> Leaks YES -> Ignition NO  : Spill, no ignition
  Overturns NO  -> Leaks NO                  : No spill

FSEglobal Event Trees 133

- Example: Outcome Likelihood (Frequency)
- Data:
  - Accident, 1 per 7 years
  - Probability of overturn, 1/10
  - Probability of leak after overturn, 1/3; otherwise 1/6
  - Probability of ignition, 20% in all spill cases
- Calculate likelihood of:
  - Overturn and spill without fire
  - Overturn, spill and fire

FSEglobal Event Trees 134

- Example: Results of Outcome Probability Calculation

INIT EVENT: Truck Accident, 0.143 per year
  Tank Overturns YES (0.1)
    Tank Leaks YES (0.33)
      Ignition YES (0.2): Overturn, spill, fire: 0.00094 per year
      Ignition NO (0.8): Overturn, spill, no ignition: 0.0038 per year
    Tank Leaks NO (0.67): Overturn, no spill: 0.0096 per year
  Tank Overturns NO (0.9)
    Tank Leaks YES (0.17)
      Ignition YES (0.2): Spill, fire: 0.0044 per year
      Ignition NO (0.8): Spill, no ignition: 0.0175 per year
    Tank Leaks NO (0.83): No spill: 0.107 per year

Each outcome frequency is the initiating frequency multiplied by the branch probabilities along its path; the six outcome frequencies sum back to the initiating frequency of 0.143 per year.

Copyright © FSEglobal 2008
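An event tree is just a walk over every combination of branch answers, with each branch probability allowed to depend on what was answered upstream (here the leak probability differs after an overturn) and with branches that cannot arise skipped (no spill, no ignition question). The Python below is an added example, not course material; it uses the slide's data as exact fractions, so its figures differ from the slide's rounded 0.33/0.67 and 0.17/0.83 values in the third significant figure, and the evaluator is general: it handles any number of branches and path-dependent probabilities, not only the three-branch tree above.

```python
# Event-tree evaluation for the tank-truck example (slides 131 to 134).
# Added example, not course material. Data are the slide's figures.

ACCIDENT_FREQ = 1.0 / 7.0          # truck accidents per year (1 per 7 years)
P_OVERTURN = 0.10                  # probability the tank overturns
P_LEAK_IF_OVERTURNED = 1.0 / 3.0   # probability of a leak after an overturn
P_LEAK_IF_UPRIGHT = 1.0 / 6.0      # probability of a leak otherwise
P_IGNITION = 0.20                  # probability of ignition in every spill case


def leak_probability(path):
    """The leak branch is conditional on the answer already given upstream."""
    return P_LEAK_IF_OVERTURNED if path["overturn"] else P_LEAK_IF_UPRIGHT


# Each branch: (name, YES-probability given the path so far, skip test).
# A branch is skipped when its question cannot arise: no spill, no ignition.
BRANCHES = [
    ("overturn", lambda path: P_OVERTURN, lambda path: False),
    ("leak", leak_probability, lambda path: False),
    ("ignition", lambda path: P_IGNITION, lambda path: not path["leak"]),
]


def evaluate_event_tree(initiating_freq, branches):
    """Walk every path of the tree and return {outcome: frequency per year}.
    An outcome is the tuple of (branch, answer) pairs on the path; its
    frequency is the initiating frequency times the branch probabilities."""
    outcomes = {}

    def walk(index, path, freq):
        if index == len(branches):
            key = tuple(sorted(path.items()))
            outcomes[key] = outcomes.get(key, 0.0) + freq
            return
        name, p_yes, skip = branches[index]
        if skip(path):
            walk(index + 1, path, freq)
            return
        p = p_yes(path)
        walk(index + 1, {**path, name: True}, freq * p)
        walk(index + 1, {**path, name: False}, freq * (1.0 - p))

    walk(0, {}, initiating_freq)
    return outcomes


def truck_outcomes():
    """All six outcomes of the slide-133 data with their frequencies."""
    return evaluate_event_tree(ACCIDENT_FREQ, BRANCHES)


def frequency_of(**answers):
    """Frequency of one outcome, e.g. frequency_of(overturn=True, leak=True,
    ignition=False) for 'overturn, spill, no ignition'."""
    return truck_outcomes().get(tuple(sorted(answers.items())), 0.0)


if __name__ == "__main__":
    for key, freq in sorted(truck_outcomes().items(), key=lambda kv: -kv[1]):
        label = ", ".join(f"{name}={'yes' if yes else 'no'}" for name, yes in key)
        print(f"{freq:.5f} per year  {label}")
```

The sum of all outcome frequencies must equal the initiating frequency; checking that after every edit to the branch list is the quickest way to catch a branch probability that was entered as a percentage or a skipped branch that was not.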


FSEglobal Event Trees 135

- Review of Event Trees
  - Estimate and Categorize
  - Statistical
  - Likelihood Modeling
    - Fault Propagation
    - Event Tree
    - Fault Tree
- Questions?
- Class Exercise
  - Question Sheet – Event Tree Analysis

FSE global
Functional Safety Engineering
Layer of Protection Analysis

FSEglobal LOPA 137

- Layer of Protection Analysis
  - Analyse the results of the HAZOP (PHA) together with the Risk Matrix (tolerable risk) to determine if the existing control measures (safeguards) reduce risk sufficiently
  - This form of analysis is a specific form of event tree analysis, but is only interested in the likelihood of the failure outcome
  - Layers of Protection Definition
  - LOPA Event Tree
  - Initiating Events and Failure Rates
  - Example Protection Layers

FSEglobal LOPA 138

- Layers of Protection

(Diagram: the layers of protection drawn around the process, with the vertical axis running from likelihood reduction (prevention, inner layers) to consequence mitigation (outer layers) and the horizontal axis as time. From the inside out:)
  - Process Control Layer: Basic Process Control System; process value, normal behaviour
  - Process Alarm; Operator Intervention: Process Shutdown
  - Trip level alarm
  - Active Protection Layer: Safety Instrumented System, Emergency Shutdown; Relief valve, Rupture disk
  - Active Mitigation Layer: Fire & Gas Detection
  - Passive Mitigation Layer: Dike
  - Emergency Response Layer: Emergency Response

FSEglobal LOPA 139

- Independent protection layers have the following characteristics:
  - Specificity
    - An independent protection layer must be specifically designed to prevent the consequences of one potentially hazardous event.
  - Independence
    - The operation of the protection layer must be completely independent from all other protection layers; no common equipment can be shared with other protection layers.
  - Dependability
    - The device must be able to dependably prevent the consequence from occurring. Both systematic and random faults need to be considered in its design.
  - Auditability
    - The device should be proof tested and maintained. These audits of operation are necessary to ensure that the specified level of risk reduction is being achieved.

FSEglobal LOPA 140

- A Variation of Event Tree Analysis
  - Good fault propagation model for process risk estimation
  - More structured
  - Event chains connect a single initiating event to the outcome through intermediate branch points
  - Considers only two outcomes:
    - Incident
    - No event
  - Branches are layers of protection
  - Likelihood of each outcome is calculated by probability multiplication of the chain of events leading to the outcome

FSEglobal LOPA 141

- Initiating Events
  - An initiating event starts the chain of events that leads to an incident
  - Initiating events can be the failure of a piece of equipment or an operator error
  - Initiating events are quantified by their likelihood (frequency) of occurrence
  - Examples:
    - Failure of an instrument loop
    - Operator starts wrong pump
    - Failure of a cooling water pump
    - Corrosion results in a leak

FSEglobal LOPA 142

LOPA Version of the Event Tree

Initiating Event -> Protection Layer 1 -> Protection Layer 2 -> Protection Layer 3 -> Final Outcome
  PL1 Fails -> PL2 Fails -> PL3 Fails   : Incident Occurs
  PL1 Fails -> PL2 Fails -> PL3 Success : Stop – No Impact
  PL1 Fails -> PL2 Success              : Stop – No Impact
  PL1 Success                           : Stop – No Impact

Protection Layers must be independent
Quantify using probability multiplication; all logical ANDs

FSEglobal LOPA 143

- Example – Column Rupture LOPA

Draw the Layer of Protection Analysis diagram for the following situation:
  - An accident whose consequence is fire due to distillation column rupture has a root cause of loss of cooling water
  - The following layers of protection exist:
    - The operator responds to alarms and stops the process
    - Process generally designed to withstand loss of cooling water
    - The column has a pressure relief valve
    - Sources of ignition are controlled in the process area

FSEglobal LOPA 144

- Example – Column Rupture LOPA
  - Proceed as with an event tree but only calculate the frequency of the accident
  - The resulting accident frequency is the initiating event frequency multiplied by the PFD of all protection layers

Initiating Event: Loss of cooling water | Protection Layer 1: Process design | Protection Layer 2: Operator response | Protection Layer 3: Pressure relief valve | Protection Layer 4: Ignition source control | Outcome
  All four layers fail : Fire
  Any layer succeeds   : No Incident

FSEglobal LOPA 145

- Example – Column Rupture LOPA

Quantify the accident frequency of the prior example
  - Initiating Event
    - Cooling water failure frequency is 0.5 /yr
  - Protection Layer PFDs are:
    - Process design inadequate: PFD = 0.01
    - Operator response failure: PFD = 0.15
    - Relief valve failure: PFD = 0.07
    - Ignition source contacted: PFD = 0.3

FSEglobal LOPA 146

- Example – Column Rupture LOPA

Initiating Event: Loss of cooling water, 0.5 /yr
  Protection Layer 1, Process Design: PFD 0.01
  Protection Layer 2, Operator Response: PFD 0.15
  Protection Layer 3, Pressure Relief Valve: PFD 0.07
  Protection Layer 4, Ignition Source Control: PFD 0.3
Outcome: Fire, 1.58E-05 per year; otherwise No Incident

F_OUTCOME = 0.5 /yr x 0.01 x 0.15 x 0.07 x 0.3
F_OUTCOME = 1.58 x 10^-5 per year

FSEglobal LOPA 147

- Typical Protection Layers – Basic Process Control System
  - The BPCS and SIS are physically separate devices, including sensors, logic solver and final elements.
  - Failure of the BPCS is not responsible for initiating the unwanted accident.
  - The BPCS has the proper sensors and actuators available to perform a function similar to the one performed by the SIS.

PFD no better than 0.1 (by definition: a BPCS layer is credited with at most a factor of 10 risk reduction)

FSEglobal LOPA 148

- Typical Protection Layers – Operator Response
  - Operator always present
  - Operator has indication of the problem
  - Operator has time to act
  - Operator is trained in the proper response

PFD ~ 0.1, if all conditions are met
PFD = 1.0, if the conditions are not met
PFD lower than 0.1 is possible with Human Reliability Analysis (HRA)

FSEglobal LOPA 149

- Typical Protection Layers – Operator Response
  - Simplified Technique for Estimating Operator Response

Category 1, PFD 1.0: Response Unlikely. Not all of the conditions for a normal operator response have been satisfied.

Category 2, PFD 0.1: Normal Operator Response. In order for an operator to respond normally to a dangerous situation, the following criteria should be true:
  - Ample indication exists that there is a condition requiring attention (shutdown)
  - Operator has been trained in the proper response
  - Operator has ample time (>15 min) to perform the required action (shutdown)
  - Operator is ALWAYS monitoring the process (relieved for breaks)

Category 3, PFD 0.01: Drilled Response. All of the conditions for a normal operator response have been satisfied, and a 'drilled response' program is in place at the facility. Drilled response exists when written procedures, which are strictly followed, are drilled or repeatedly trained. The drilled set of actions forms a small part of all alarms where response is highly practised, that is, its implementation is 'automatic'. This condition is rarely achieved in process plants.

(Human Error Assessment and Reduction Technique - HEART)

FSEglobal LOPA 150

- Typical Protection Layers – Use Factor (Time at Risk)
  - Hazard is not always present

P = Time at Risk / Total Time

FSEglobal LOPA 151

- Typical Protection Layers – Mechanical Integrity of Vessel
  - Is the vessel designed to withstand the pressure and temperature generated as a result of the initiating event?
    - In some organizations: PFD = 0.0 if the vessel is designed to withstand the pressure
    - In other, more conservative organizations: PFD = one year of "random" failure
  - Example:
    - OREDA gives a rate of 1.0 x 10^-7 /hr for "significant leakage"
    - PFD = (1.0 x 10^-7 /hr x 8760 hr/yr) x 1 yr = 0.0009

FSEglobal LOPA 152

- Typical Protection Layers – Mechanical Relief Devices
  - Relief Valves
  - Rupture Disks
  - Fusible Plugs

PFD calculated based on failure rate statistics found in databases

FSEglobal LOPA 153

- Typical Protection Layers – Ignition Probability
  - Most plants are designed to limit sources of ignition
  - Function of release size and released materials

P ~ 0.3 for flammable gases
P ~ 0.1 to 0.3 for volatile liquids
P < 0.1 for heavy liquids

FSEglobal LOPA 154

- Occupancy
  - Fraction of time that the effect zone of the incident outcome in question is occupied
  - Used when Safety is the consequence category of interest
  - Not typically used because occupancy is accounted for in the consequence analysis

P = Time of Occupancy / Total Time

NOTE: It is only appropriate to use an occupancy probability where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is usually the case with demands that occur at equipment start-up and demands that occur during maintenance and test.

Copyright © FSEglobal 2008
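The LOPA arithmetic of slides 142 to 146 and the layer-credit rules of slides 147 to 151 fit in a few functions. The Python below is an added example, not course material: it reproduces the column-rupture figure (1.58 x 10^-5 per year), encodes the operator-response categories of slide 149, the BPCS ceiling of slide 147, the vessel-integrity rule of slide 151 and the time-at-risk factor of slide 150, and rejects a PFD outside 0 to 1 so that a layer entered as a percentage cannot silently inflate the credit taken. The OREDA rate and all PFD values are the slides' figures; nothing else is assumed.

```python
# LOPA frequency calculation and protection-layer credit rules (slides 142-154).
# Added example, not course material. Figures are the slides' own.

HOURS_PER_YEAR = 8760


def lopa_outcome_frequency(initiating_freq, layer_pfds):
    """Mitigated event frequency: initiating frequency times the PFD of every
    independent protection layer (the 'all logical ANDs' of slide 142).
    Each PFD must be a probability; a value like 15 (meaning 15 %) is an error."""
    freq = initiating_freq
    for pfd in layer_pfds:
        if not 0.0 <= pfd <= 1.0:
            raise ValueError(f"PFD must be a probability in [0, 1], got {pfd}")
        freq *= pfd
    return freq


def operator_response_pfd(indication, trained, minutes_available, always_present,
                          drilled=False):
    """Slide 149 categories: 1.0 when any normal-response condition is missing,
    0.1 for a normal response, 0.01 only with a drilled-response programme."""
    normal = indication and trained and minutes_available > 15 and always_present
    if not normal:
        return 1.0
    return 0.01 if drilled else 0.1


def bpcs_credit_pfd(calculated_pfd):
    """Slide 147: a BPCS layer is never credited with a PFD better than 0.1,
    whatever its calculated figure."""
    return max(calculated_pfd, 0.1)


def vessel_integrity_pfd(leak_rate_per_hour, designed_to_withstand=False):
    """Slide 151: 0.0 when the vessel is designed for the pressure; otherwise the
    conservative 'one year of random failure' figure, rate x 8760 h."""
    if designed_to_withstand:
        return 0.0
    return leak_rate_per_hour * HOURS_PER_YEAR


def time_at_risk_factor(hours_at_risk, total_hours=HOURS_PER_YEAR):
    """Slide 150: probability that the hazard is present when the demand occurs."""
    return hours_at_risk / total_hours


def column_rupture_fire_frequency():
    """Slides 143 to 146: loss of cooling water at 0.5/yr through four layers."""
    layers = [
        0.01,   # process design inadequate
        0.15,   # operator response failure
        0.07,   # relief valve failure
        0.3,    # ignition source contacted
    ]
    return lopa_outcome_frequency(0.5, layers)


if __name__ == "__main__":
    print(f"column rupture fire: {column_rupture_fire_frequency():.3g} per year")
    print(f"OREDA vessel leak, one year: PFD {vessel_integrity_pfd(1.0e-7):.4f}")
    print(f"operator with 10 min available: PFD {operator_response_pfd(True, True, 10, True)}")
    print(f"BPCS with calculated PFD 0.01: credited {bpcs_credit_pfd(0.01)}")
```

Keep the layer list explicit, one entry per independent layer, rather than folding several safeguards into one number: the independence requirement of slide 139 is only reviewable when each credited layer is visible on its own line.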


FSEglobal LOPA 155

- Review of Layer of Protection Analysis (LOPA)
  - Characteristics of a Layer of Protection
  - Fault Propagation Context
  - Event Tree Methods
  - Layers of Protection Definition
  - LOPA Event Tree
  - Initiating Events and Failure Rates
- Questions?
- Class Exercise
  - Question Sheet – Layer of Protection Analysis

FSEglobal Likelihood Analysis 156

- Summary of Likelihood Analysis
  - Likelihood analysis provides the means to estimate the frequency with which a cause of an incident will occur, and can take into account existing control measures
  - Estimate and Categorize
  - Statistical Analysis
  - Likelihood Modeling
    - Fault Propagation
    - Fault Tree
    - Event Tree
    - Layer of Protection Analysis (LOPA)
- Questions?

FSE global
Functional Safety Engineering
Develop Non-SIS Layers

FSEglobal Non-SIS Layers 158

- SIL Selection

(Safety lifecycle diagram: Safety Requirements Allocation, SIL Selection step)

FSEglobal Non-SIS Layers 159

- Non-SIS Layers of Protection
  - A SIF only needs to be installed if other layers of protection cannot reduce the risk to a tolerable level.
  - Even if other layers of protection cannot reduce risk to a tolerable level, they can reduce the SIL requirement of the SIF.
  - As much as practicable should be done to identify and implement non-SIS layers of protection. Examples of these:
    - Reduced inventory
    - Reduced process parameters such as pressure and temperature
    - Improved layout of the facility
    - Bunds, dikes, fences
    - Safety-related systems using other technology: pneumatic, hydraulic systems

FSE global
Functional Safety Engineering
SIL Selection

FSEglobal SIL Selection 161

- SIL Selection

(Safety lifecycle diagram: Safety Requirements Allocation, SIL Selection step)

FSEglobal SIL Selection 162

- SIL Selection
  - The results of the Hazard Identification and Risk Analysis activities have identified the tolerable risk level, all potential hazards, their causes and their consequences, and how much risk reduction is needed to achieve the tolerable risk level.
  - Existing preventative control measures have been identified, and their contribution towards the reduction of risk through reducing the likelihood of an incident has been assessed.
  - Existing mitigating control measures have been identified, and their contribution towards the reduction of risk through reducing the severity of the consequence of an incident has been assessed.

FSEglobal SIL Selection 163

- SIL Selection
  - If the risk is still above the tolerable level then a non-SIS control measure is considered
  - If the risk is still above the tolerable level then a SIF is considered. Identify a Safety Instrumented Function (SIF) that will reduce the risk to a tolerable level
  - Determine the Safety Integrity Level (SIL) requirements of the SIF using a qualitative or quantitative method
    - Qualitative methods group numerical targets into broader categories of risk reduction
    - Quantitative methods give specific numerical targets for risk
  - A consistent method must be used

FSEglobal SIL Selection 164

- Reminder!

Safety Instrumented Functions
  - A specific single set of actions and the corresponding equipment needed to identify a single emergency and act to bring the system to a safe state.
  - A SIL is assigned to each SIF based on the required risk reduction
  - Different from a SIS, which can encompass multiple functions and act in multiple ways to prevent multiple harmful outcomes
  - A SIS may have multiple SIFs with different individual SILs, so it is incorrect and ambiguous to define a SIL for an entire Safety Instrumented System

FSEglobal SIL Selection 165

- Safety Integrity Levels

Safety Integrity Level | Average probability of failure on demand (PFDavg) | Risk Reduction Factor (RRF)
SIL 4 | 1E-05 to <1E-04 | >10,000 to 100,000
SIL 3 | 1E-04 to <1E-03 | >1,000 to 10,000
SIL 2 | 1E-03 to <1E-02 | >100 to 1,000
SIL 1 | 1E-02 to <1E-01 | >10 to 100

Relationship between PFDavg and RRF: PFDavg = 1 / RRF

FSE global
Functional Safety Engineering
Qualitative SIL Selection

FSEglobal SIL Selection 167

- SIL Selection

(Safety lifecycle diagram: Safety Requirements Allocation, SIL Selection step)

FSEglobal SIL Selection 168

- Qualitative Methods of SIL Selection
  - Determine the tolerable risk
  - Analyse the results of the HAZOP (PHA) to determine the level of unmitigated risk (no control measures / safeguards) in terms of likelihood and consequence for each hazard.
  - Identify the existing mitigative control measures, and determine the level of risk with the mitigative control measures in place. This is performed by competent people.
  - Identify the existing preventative control measures, and determine the level of risk with the preventative control measures in place. This is performed by competent people.

FSEglobal SIL Selection 169

- Qualitative Methods of SIL Selection
  - Compare the remaining risk against the tolerable risk. Determine if additional protection (control measures) is required.
  - If additional risk reduction is required, use a qualitative method to determine the SIL of the SIF used to provide the risk reduction.

Two popular methods are:
  - Risk Matrix
  - Risk Graph

FSEglobal SIL Selection 170

- Qualitative SIL Selection
- Assigning a SIL: Hazard Matrix Procedure
  - Categorize consequence
  - Categorize likelihood
  - Select SIL from matrix corresponding to identified consequence and likelihood categories
  - 3 x 3, 4 x 4, 5 x 5, ...

Hazard matrix (rows: Hazardous Event Likelihood; columns: Hazardous Event Severity Rating), as reconstructed from the slide:

Likelihood   Minor     Serious   Extensive
High         2         3b        3a
Moderate     1         2         3b
Low          Note c    1         3b

a) One Level 3 Safety Instrumented Function does not provide sufficient risk reduction at this risk level. Additional modifications are required in order to reduce risk (see note d);
b) One Level 3 Safety Instrumented Function may not provide sufficient risk reduction at this risk level. Additional review is required (see note d);
c) SIS independent protection layer is probably not needed;
d) This approach is not considered suitable for SIL 4.
Based on IEC 61511-3 Annex C

FSEglobal SIL Selection 171

- Consequence Part of Hazard Matrix
  - Hazard Matrix Consequence
  - Clearly identify the basis of categories
  - Can include considerations of:
    - Loss of life
    - Injury
    - Environmental release
    - Property damage
    - Lost production

Severity Rating | Impact Considerations
Minor | Temporary injury to personnel and damage to the environment. Minor damage to equipment. No shutdown of the process.
Serious | Serious injury to personnel and the environment. Damage to equipment. Short shutdown of the process.
Extensive | Catastrophic consequence to personnel and the environment. Large scale damage of equipment. Shutdown of a process for a long time.

Assignment of a consequence category requires judgment.
Based on IEC 61511-3 Annex C

FSEglobal SIL Selection 172

- Assigning the SIL with a Hazard Matrix
  - Use the selected likelihood and consequence categories to determine the SIL required
- Example 1
  - A SIF was identified during a HAZOP study
  - The HAZOP team determined:
    - the consequence is Serious
    - the likelihood is High
  - What is the SIL?

(Hazard matrix and notes a) to d) as on slide 170; based on IEC 61511-3 Annex C)

FSEglobal SIL Selection 173

- Assigning the SIL with a Hazard Matrix
  - Use the selected likelihood and consequence categories to determine the SIL required
- Example 1 (continued)
  - Further analysis showed that this scenario yielded a consequence of 0.21 Probable Loss of Life (PLL) and a likelihood of 1/576 incidents per year
  - What is the SIL?

(Hazard matrix and notes a) to d) as on slide 170; based on IEC 61511-3 Annex C)

FSEglobal SIL Selection 174

- Assigning a SIL with a Hazard Matrix
  - Start with a matrix expression of tolerable risk.

Likelihood          Recordable Injury   Lost Time Injury   Permanent Injury/Death   Many Deaths
1 per 100 yrs       Acceptable          Moderate           Extreme                  Extreme
1 per 1000 yrs      Acceptable          Acceptable         Moderate                 Extreme
1 per 10,000 yrs    Acceptable          Acceptable         Moderate                 Moderate
1 per 100,000 yrs   Acceptable          Acceptable         Acceptable               Moderate

Rule Set:
All extreme risk will be reduced.
All moderate risks will be reduced where practical.
FSEglobal SIL Selection 175

- Assigning a SIL with a Hazard Matrix
  - Identify the consequence
  - Identify the likelihood with the layers of protection but without the proposed SIF

Likelihood          Recordable Injury   Lost Time Injury   Permanent Injury/Death   Many Deaths
1 per 100 yrs       Acceptable          Moderate           Extreme                  Extreme
1 per 1000 yrs      Acceptable          Acceptable         Moderate                 Extreme
1 per 10,000 yrs    Acceptable          Acceptable         Moderate                 Moderate
1 per 100,000 yrs   Acceptable          Acceptable         Acceptable               Moderate

Rule Set:
All extreme risk will be reduced.
All moderate risks will be reduced where practical.
FSEglobal SIL Selection 176

- Assigning a SIL with a Hazard Matrix
  - Select the SIL to meet the tolerable risk requirement based on event frequency reduction
  - Note there are options based on what is practical

Likelihood          Recordable Injury   Lost Time Injury   Permanent Injury/Death   Many Deaths
1 per 100 yrs       Acceptable          Moderate           Extreme                  Extreme
1 per 1000 yrs      Acceptable          Acceptable         Moderate                 Extreme
1 per 10,000 yrs    Acceptable          Acceptable         Moderate                 Moderate
1 per 100,000 yrs   Acceptable          Acceptable         Acceptable               Moderate

Moving the likelihood down one row (RRF > 10) requires SIL 1; two rows (RRF > 100) SIL 2; three rows (RRF > 1000) SIL 3.

Rule Set:
All extreme risk will be reduced.
All moderate risks will be reduced where practical.
Copyright © FSEglobal 2008
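The hazard-matrix procedure of slides 174 to 176 and the SIL table of slide 165 can be written down as a short selection routine. The Python below is an added example, not course material. Two conventions are assumed where the slides leave the band ends open: PFD bands are closed at their lower end (1E-02 is SIL 1), and a required RRF that lands exactly on a boundary takes the higher SIL, which is what the slide's "SIL 2 (RRF>100)" labelling implies. A likelihood that falls between two rows is rounded up to the next row, the conservative choice. The `accept_moderate` flag is the "reduced where practical" option of the rule set.

```python
# SIL from required risk reduction (slide 165) and hazard-matrix SIL selection
# (slides 174 to 176). Added example, not course material.

# (SIL, PFDavg lower bound inclusive, PFDavg upper bound exclusive)
SIL_PFD_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


def sil_for_pfd(pfd_avg):
    """SIL achieved by a PFDavg; 0 when the PFD is above the SIL 1 band."""
    if pfd_avg >= 0.1:
        return 0
    for sil, low, high in SIL_PFD_BANDS:
        if low <= pfd_avg < high:
            return sil
    raise ValueError("PFD below the SIL 4 band: not a single-SIF target")


def sil_for_rrf(required_rrf):
    """Smallest SIL whose risk-reduction band covers the required factor.
    A required RRF on a band boundary is assigned the higher SIL (assumed)."""
    if required_rrf < 10:
        return 0
    for sil, upper in ((1, 100), (2, 1000), (3, 10000), (4, 100000)):
        if required_rrf < upper:
            return sil
    raise ValueError("more than SIL 4 risk reduction required from one SIF")


CONSEQUENCES = ["Recordable Injury", "Lost Time Injury",
                "Permanent Injury/Death", "Many Deaths"]

# Slide 174: (likelihood per year, rating per consequence column), top row first
TOLERABLE_RISK_MATRIX = [
    (1e-2, ["Acceptable", "Moderate", "Extreme", "Extreme"]),
    (1e-3, ["Acceptable", "Acceptable", "Moderate", "Extreme"]),
    (1e-4, ["Acceptable", "Acceptable", "Moderate", "Moderate"]),
    (1e-5, ["Acceptable", "Acceptable", "Acceptable", "Moderate"]),
]


def matrix_row(likelihood_per_year):
    """Conservative row choice: round the likelihood up to the nearest row."""
    rows = [f for f, _ in TOLERABLE_RISK_MATRIX if f >= likelihood_per_year]
    if not rows:
        raise ValueError("likelihood above the top row of the matrix")
    return min(rows)


def required_sil(likelihood_per_year, consequence, accept_moderate=False):
    """Slides 175-176: start from the likelihood with the non-SIS layers in
    place, find the frequency reduction that reaches an Acceptable cell (or a
    Moderate one when accept_moderate, the 'reduced where practical' option)
    and map that RRF to a SIL. Returns (rrf, sil); (1, 0) means no SIF needed."""
    col = CONSEQUENCES.index(consequence)
    start = matrix_row(likelihood_per_year)
    targets = {"Acceptable", "Moderate"} if accept_moderate else {"Acceptable"}
    for freq, ratings in TOLERABLE_RISK_MATRIX:
        if freq > start:
            continue
        if ratings[col] in targets:
            rrf = round(start / freq)      # rows are exact decades apart
            return rrf, sil_for_rrf(rrf)
    raise ValueError("no row meets the rule set for this consequence: "
                     "reduce the consequence or add other protection layers")


if __name__ == "__main__":
    print(required_sil(1e-2, "Permanent Injury/Death"))        # (1000, 3)
    print(required_sil(1e-2, "Permanent Injury/Death", True))  # (10, 1)
    print(sil_for_pfd(1 / 350))                                # 2
```

The `ValueError` in `required_sil` is the important output for a "Many Deaths" event at 1 per 100 years: no single row in this matrix makes that cell Acceptable, so the answer is not a higher SIL but a change of consequence or additional non-SIS layers, exactly the point of notes a) and d) on slide 170.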
FSEglobal SIL Selection 177

- Risk Matrix
  - This example shows relative risk levels
  - Rules can be developed to determine if the risk related to a particular incident is acceptable

Example of a Risk Matrix (figures in the cells represent the Safety Integrity Level; columns run from the least to the most severe consequence):

Likelihood      Consequence ->
1/yr            1     2     3     4     NA
1/10 yr         1a    1     2     3     4
1/100 yr        -     1a    1     2     3
1/1000 yr       -     -     1a    1     2
1/10,000 yr     -     -     -     1a    1

Legend: Requires SIL 3 SIF; Requires SIL 2 SIF; Requires SIL 1 SIF
Rule Set: Risk must be reduced; Risk to be reduced if cost-effective; Risk is tolerable

FSEglobal SIL Selection 178

- Multi-Dimensional Risk Matrix
  - Shows the effect of multiple layers of protection

(Diagram: a likelihood x consequence matrix drawn once for each number of additional protection layers, with the SIL in each cell one lower for every extra layer)
  - Each additional layer of protection reduces the SIL requirement of the SIF

FSEglobal SIL Selection 179

- Assigning the SIL with a Risk Graph
  - The Risk Graph is another method of SIL selection

(Risk graph figure, reconstructed as text)

Consequence: Ca Minor injury; Cb Serious injury, single death; Cc Several deaths; Cd Many deaths
Frequency & exposure: Fa Rare to frequent; Fb Frequent to continuous
Possibility of avoidance: Pa Sometimes possible; Pb Almost impossible
Probability of occurrence (demand rate): W1 Very slight; W2 Slight; W3 Relatively high

Path from the start to a row X1 to X6: Ca leads to X1 directly; for Cb, Cc and Cd the path passes through F and then P, and each of Fb and Pb moves the path one row further down:
  Cb: Fa/Pa -> X2, Fa/Pb -> X3, Fb/Pa -> X3, Fb/Pb -> X4
  Cc: Fa/Pa -> X3, Fa/Pb -> X4, Fb/Pa -> X4, Fb/Pb -> X5
  Cd: Fa/Pa -> X4, Fa/Pb -> X5, Fb/Pa -> X5, Fb/Pb -> X6

Safety Integrity Level by row and demand rate:
  Row   W3   W2   W1
  X1    a    -    -
  X2    1    a    -
  X3    2    1    a
  X4    3    2    1
  X5    4    3    2
  X6    b    4    3

a = No special safety requirements
b = Single SIS not sufficient

FSEglobal SIL Selection 180

- Risk Graph
- Select categories for the risk graph parameters
  - Consequence
  - Occupancy
  - Probability of avoiding the hazard
  - Demand rate or frequency
- Follow the path determined by the selected parameters to identify the required SIL

(Risk graph figure as on slide 179)

FSEglobal SIL Selection 181

- Assigning the SIL with a Risk Graph
  - The Risk Graph is another method of SIL selection

(Risk graph figure as on slide 179, repeated)

FSEglobal SIL Selection 182

- Risk Graph Parameters

Consequence (C): Average number of fatalities likely to result from the hazard. Determined by calculating the average numbers in the exposed area when the area is occupied, taking into account the vulnerability to the hazardous event.

Occupancy (F): Probability that the exposed area is occupied. Determined by calculating the fraction of time the area is occupied.

Probability of avoiding the hazard (P): The probability that exposed persons are able to avoid the hazard if the protection system fails on demand. This depends on there being independent methods of alerting the exposed persons to the hazard and manual methods of preventing the hazard or methods of escape.

Demand Rate (W): The number of times per year that the hazardous event would occur if no SIS was fitted. This can be determined by considering all the failures that can lead to one hazard and estimating the overall rate of occurrence.

Based on IEC 61511-3 Annex D
FSEglobal SIL Selection 183

- Calibrating the Risk Graph – Consequence

Parameter: Consequence (C), the average number of fatalities. This can be calculated by determining the average number of people present when the area exposed to the hazard is occupied and multiplying by the vulnerability to the identified hazard. The vulnerability is determined by the nature of the hazard being protected against. The following factors can be used:
  V = 0.01  Small release of flammable or toxic material
  V = 0.1   Large release of flammable or toxic material
  V = 0.5   As above, but highly toxic or flammable
  V = 1     Rupture or explosion

Classification:
  Ca  Minor injury
  Cb  PLL range 0.01 to 0.1
  Cc  PLL range >0.1 to 1
  Cd  PLL range >1

Comments:
  1. The classification system has been developed to deal with injury and death to people.
  2. For the interpretation of CA, CB, CC and CD, the consequences of the accident and normal healing shall be taken into account.

Based on IEC 61511-3 Annex D
FSEglobal SIL Selection 184

- Calibrating the Risk Graph – Occupancy

Parameter: Occupancy (F). This is calculated by determining the length of time the area exposed to the hazard is occupied during a normal working period.
NOTE: If the time in the hazardous area is different depending on the shift being operated, then the maximum should be selected.
NOTE: It is only appropriate to use FA where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is usually the case with demands that occur at equipment start-up.

Classification:
  Fa  Rare to more often exposure in the hazardous zone. Occupancy less than 0.1.
  Fb  Frequent to permanent exposure in the hazardous zone.

Comments: 3. See comment 1 above.

Occupancy: a likelihood measurement for personnel based on the probability of exposure
Based on IEC 61511-3 Annex D
FSEglobal SIL Selection 185

„ Calibrating the Risk Graph - Avoidance

Parameter: Probability of avoiding the hazardous event (P) if the
  protection system fails to operate

Classification:
  Pa  Adopted if all conditions are satisfied.
  Pb  Adopted if all conditions are not satisfied.

Comments: PA should only be selected if all the following are TRUE:
  - Facilities are provided to alert the operator that the SIS has failed.
  - Independent facilities are provided to shut down such that the hazard
    can be avoided or which enable all persons to escape to a safe area.
  - The time between the operator being alerted and a hazardous event
    occurring exceeds one hour.

Avoidance – a likelihood measurement for personnel based on probability of
escape

Based on IEC 61511-3 Section D
FSEglobal SIL Selection 186

„ Calibrating the Risk Graph – Demand Rate

Parameter: Demand Rate (W) without protection system.
  To determine the demand rate, it is necessary to consider all sources of
  failure that can lead to one hazardous event. In determining the demand
  rate, limited credit can be allowed for control system performance and
  intervention.

  The performance that can be claimed if the control system is not to be
  designed and maintained according to IEC61511 is limited to below the
  performance ranges associated with SIL 1.

Classification:
  W1  Demand rate less than 0.03 per year.
  W2  Demand rate between 0.3 and 0.03 per year.
  W3  Demand rate between 3 and 0.3 per year.
  For demand rates higher than 3 per year higher integrity shall be needed.

Comments: The purpose of the W factor is to estimate the frequency of the
  hazard taking place without the addition of the SIS.

  If the demand rate is very high (e.g., 10 per year) the SIL has to be
  determined by another method or the risk graph must be recalibrated.
  Then the operation mode is high demand or continuous (IEC61511-1,
  Clause 3.1.48.2).

Based on IEC 61508-5
FSEglobal SIL Selection 187

„ Assigning the SIL with a Risk Graph

… The Risk Graph is another method of SIL selection

[Risk graph figure: each path C -> F -> P leads to one of the rows X1..X6;
the demand-rate column W3 / W2 / W1 then gives the result]

  Path                                      Row   W3   W2   W1
  Ca                                        X1    a    --   --
  Cb-Fa-Pa                                  X2    1    a    --
  Cb-Fa-Pb, Cb-Fb-Pa, Cc-Fa-Pa              X3    2    1    a
  Cb-Fb-Pb, Cc-Fa-Pb, Cc-Fb-Pa, Cd-Fa-Pa    X4    3    2    1
  Cc-Fb-Pb, Cd-Fa-Pb, Cd-Fb-Pa              X5    4    3    2
  Cd-Fb-Pb                                  X6    b    4    3

Consequence:                Ca  Minor Injury
                            Cb  Serious Injury, Single Death
                            Cc  Several Deaths
                            Cd  Many Deaths
Frequency & Exposure:       Fa  Rare to Frequent
                            Fb  Frequent to Continuous
Possibility of Avoidance:   Pa  Sometimes Possible
                            Pb  Almost Impossible
Probability of Occurrence:  W1  Very Slight
                            W2  Slight
                            W3  Relatively High

1, 2, 3, 4 = Safety Integrity Levels
a = No special safety requirements
b = Single SIS not sufficient
-- = no SIL requirement in this cell


FSEglobal SIL Selection 188

„ Assigning the SIL with a Risk Graph

„ A SIF was identified during a HAZOP study

„ The HAZOP team also determined that:
… PLL = 0.9
… The area is normally occupied
… There is no possibility of avoiding the hazard
… The demand rate is 0.05 per year

„ What is the SIL?

[Risk graph figure as on the previous slide]


FSEglobal SIL Selection 189

„ Assigning the SIL with a Risk Graph

„ A SIF was identified during a HAZOP study

„ The HAZOP team also determined that:
… PLL = 0.9
… The area is normally occupied
… There is no possibility of avoiding the hazard
… The demand rate is 0.05 per year

„ What is the SIL?
„ PLL between 0.5 and 1 = Cc
„ Normally occupied = Fb
„ No possibility of avoidance = Pb
„ Low demand rate = W2

[Risk graph figure as on the previous slides]
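The risk-graph method of the preceding slides, calibration tables included, as an added worked example (my code, not course material): the PLL/occupancy/avoidance/demand-rate thresholds are the ones given on the calibration slides, the path table is the IEC 61508-5 form of the graph, and the cut-off of PLL < 0.01 for Ca is my assumption from the Cb range starting at 0.01.

```python
"""Risk-graph SIL selection with the IEC 61511-3 / IEC 61508-5 calibration.
Added example; thresholds follow the calibration slides."""


def consequence_class(pll: float) -> str:
    """Ca: minor injury (assumed PLL < 0.01); Cb: 0.01..0.1; Cc: >0.1..1; Cd: >1."""
    if pll < 0.01:
        return "Ca"
    if pll <= 0.1:
        return "Cb"
    if pll <= 1:
        return "Cc"
    return "Cd"


def occupancy_class(fraction_of_time_exposed: float, demand_random: bool) -> str:
    """Fa only for occupancy < 0.1 AND demands unrelated to occupancy peaks
    (the NOTE on the Occupancy slide); otherwise Fb."""
    if fraction_of_time_exposed < 0.1 and demand_random:
        return "Fa"
    return "Fb"


def avoidance_class(operator_alerted: bool, independent_escape: bool,
                    hours_to_hazard: float) -> str:
    """Pa only if ALL three conditions on the Avoidance slide are TRUE."""
    if operator_alerted and independent_escape and hours_to_hazard > 1:
        return "Pa"
    return "Pb"


def demand_class(demands_per_year: float) -> str:
    """W1 < 0.03/yr, W2 0.03..0.3/yr, W3 0.3..3/yr.  Above 3/yr the graph
    does not apply (high demand / continuous mode, another method needed)."""
    if demands_per_year > 3:
        raise ValueError("demand rate > 3/yr: use another method or recalibrate")
    if demands_per_year < 0.03:
        return "W1"
    if demands_per_year <= 0.3:
        return "W2"
    return "W3"


# Paths C -> (F, P) -> row X1..X6 of the graph.  Ca goes straight to X1.
_PATHS = {
    "Ca": {("Fa", "Pa"): 1, ("Fa", "Pb"): 1, ("Fb", "Pa"): 1, ("Fb", "Pb"): 1},
    "Cb": {("Fa", "Pa"): 2, ("Fa", "Pb"): 3, ("Fb", "Pa"): 3, ("Fb", "Pb"): 4},
    "Cc": {("Fa", "Pa"): 3, ("Fa", "Pb"): 4, ("Fb", "Pa"): 4, ("Fb", "Pb"): 5},
    "Cd": {("Fa", "Pa"): 4, ("Fa", "Pb"): 5, ("Fb", "Pa"): 5, ("Fb", "Pb"): 6},
}
# Columns W3, W2, W1 for each row: 'a' = no special safety requirements,
# 'b' = a single SIS is not sufficient, None = no SIL requirement.
_GRAPH = {
    1: ("a", None, None),
    2: (1, "a", None),
    3: (2, 1, "a"),
    4: (3, 2, 1),
    5: (4, 3, 2),
    6: ("b", 4, 3),
}


def risk_graph_sil(c: str, f: str, p: str, w: str):
    """Look up the graph for already-classified parameters."""
    row = _PATHS[c][(f, p)]
    col = {"W3": 0, "W2": 1, "W1": 2}[w]
    return _GRAPH[row][col]


def select_sil(pll, occupancy, demand_random, alerted, escape, hours, demands_per_year):
    """Classify raw HAZOP data and return (C, F, P, W, result)."""
    c = consequence_class(pll)
    f = occupancy_class(occupancy, demand_random)
    p = avoidance_class(alerted, escape, hours)
    w = demand_class(demands_per_year)
    return (c, f, p, w, risk_graph_sil(c, f, p, w))


if __name__ == "__main__":
    # The HAZOP case on the slide: PLL 0.9, normally occupied,
    # no possibility of avoidance, demand rate 0.05 per year.
    print(select_sil(0.9, 1.0, False, False, False, 0.0, 0.05))
```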


FSEglobal SIL Selection 190

„ Review Qualitative SIL Selection

… SIL Table
… Risk Matrix
… Risk Graph

„ Questions ?

„ Class Exercise
… Question Sheet – Qualitative SIL Selection


FSE global
Functional Safety Engineering
Quantitative SIL Selection

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal SIL Selection 192

„ Quantitative Methods of SIL Selection

[Safety lifecycle figure: Safety Requirements Allocation]


FSEglobal SIL Selection 193

„ Quantitative Methods of SIL Selection

… Determine the tolerable risk
… Analyse the results of the HAZOP (PHA) to
determine the level of unmitigated risk (no control
measures / safeguards) in terms of likelihood and
consequence for each hazard.
… Identify the existing mitigative control measures,
and determine the level of risk with the mitigative
control measures in place. This is performed by
competent people using consequence and
likelihood analysis.
… Identify the existing preventative control
measures, and determine the level of risk with the
preventative control measures in place. This is
performed by competent people.


FSEglobal SIL Selection 194

„ Quantitative Methods of SIL Selection

… Compare the remaining risk against the tolerable
risk. Determine if additional protection (control
measures) is required.
… If additional risk reduction is required, use a
quantitative method such as Fault Tree Analysis
or LOPA to determine the SIL of the SIF used to
provide the risk reduction.


FSEglobal SIL Selection 195

„ Quantitative Methods of SIL Selection

„ Fault Tree Analysis

… If the consequence is known, then FTA can be used to calculate the
likelihood of the event with all existing control measures in place.
… This is compared with the likelihood required to achieve a tolerable risk
level, and the difference is directly related to the SIL requirement of the
SIF

Example
… A known consequence requires a likelihood of 1x10^-5 to achieve a
tolerable risk level.
… FTA shows that existing control measures reduce the likelihood to
1x10^-3
… The difference is 1x10^-2, or a required risk reduction factor of 100
… From the SIL table the SIF needs to be SIL 2


FSEglobal SIL Selection 196

„ LOPA
… If the consequence is known, then LOPA can be used to calculate the
likelihood of the event with all existing control measures in place.
… This is compared with the likelihood required to achieve a tolerable risk
level, and the difference is directly related to the SIL requirement of the
SIF

Example
… A known consequence requires a likelihood of 1x10^-6 to achieve a
tolerable risk level.
… LOPA shows that existing control measures reduce the likelihood to
1x10^-3
… The difference is 1x10^-3, or a required risk reduction factor of 1000
… From the SIL table the SIF needs to be SIL 3


FSEglobal SIL Selection 197

„ Assigning the SIL with Frequency Based Targets

… Select frequency target based on consequence (consequence constant)
„ A maximum allowable frequency target is selected based on the
consequence of the hazard that the SIF is preventing.

… Calculate required risk reduction
„ The required risk reduction is the difference between the unmitigated
event frequency and the maximum event frequency target.

… Assign SIL based on required risk reduction
„ The selected SIL represents the probability category for SIS failure on
demand that will ensure the resulting event frequency with the SIS
does not violate the maximum frequency target.


FSEglobal SIL Selection 198

Frequency Based Targets – Selecting the Target

The frequency that is allowable for a hazardous event depends on the
consequence

  Severity   Impact                                        Target Frequency
  Rating                                                   (1/yr)
  Minor      Temporary injury to personnel and damage to   1.0 x 10^-3
             the environment. Minor damage to equipment.
             No shutdown of the process.
  Serious    Serious injury to personnel and the           1.0 x 10^-4
             environment. Damage to equipment. Short
             shutdown of the process.
  Extensive  Catastrophic consequence to personnel and     1.0 x 10^-6
             the environment. Large scale damage of
             equipment. Shutdown of a process for a long
             time.

Based on IEC 61511-3 Annex C
FSEglobal SIL Selection 199

„ Frequency Based Targets – Selecting the Target

… Required Risk Reduction Factor (RRF) is a function of unmitigated event
frequency and the frequency target

    RRF_SIF = F_Unmitigated Event / F_Target

[Figure: Event -> Incident -> Consequence]
    Event Freq. 1 / 10 yr  ->  RRF 100  ->  Target Freq. 1 / 1000 yr
FSEglobal SIL Selection 200

„ Frequency Based Targets – Selecting the Target

… Select SIL based on required RRF
… RRF target converted to SIL based on table specified in ISA S84.01 and
IEC 61511/61508
… Selected SIL should give MORE risk reduction than required

  Safety Integrity  Probability of failure on demand,   Risk Reduction Factor
  Level             average (Low Demand mode of
                    operation)
  SIL 4             1E-04 to 1E-05                      10,000 to 100,000
  SIL 3             1E-03 to 1E-04                      1,000 to 10,000
  SIL 2             1E-02 to 1E-03                      100 to 1,000
  SIL 1             1E-01 to 1E-02                      10 to 100


FSEglobal SIL Selection 201

„ Frequency Based Targets – Selecting the Target

… Required Risk Reduction Factor (RRF) is a function of unmitigated event
frequency and the frequency target

    RRF_SIF = F_Unmitigated Event / F_Target        PFD = 1 / RRF_SIF

[Figure: Event -> SIL 2 -> Incident -> Consequence]
    Event Freq. 1 / 10 yr  ->  RRF 100, PFD 0.01  ->  Target Freq. 1 / 1000 yr
FSEglobal SIL Selection 202

„ Frequency Based Targets – Selecting the Target

„ Example

… An accident scenario yielded a consequence of 0.21 Probable Loss of
Life (PLL) and a likelihood of 1/576 incidents per year. What SIL should
be selected?

… Step 1 - The frequency category associated with PLL=0.21 is “serious”,
which has an associated frequency target of 1.0x10^-4.

… Step 2 - Applying the target RRF equation yields:

    RRF = (1/576) / 1.0x10^-4 = 17.4 (PFDavg = 0.058)

… Step 3 - In order to achieve a RRF = 17.4 (PFDavg = 0.058):

    SIL 2 should be selected (or SIL 1 with RRF > 17.4)


FSEglobal SIL Selection 203

„ Frequency Based Targets – Individual Risk Targets

… Convert likelihood and consequence into frequency target
… Calculate required risk reduction
… Assign SIL based on required risk reduction

… Calculate frequency target – a function of tolerable individual risk and
probable loss of life

… Calculate required risk reduction and assign SIL with the same method as
the general frequency based method

    F_target = F_individual risk / PLL


FSEglobal SIL Selection 204

„ Frequency Based Targets – Selecting the Target

… Example
… An accident scenario yielded a consequence of 0.21 Probable Loss of
Life (PLL) and a likelihood of 1/576 incidents per year.
Tolerable individual risk of fatality at this facility is 1x10^-4
What SIL should be selected?

… Step 1 – Determine the tolerable frequency of this event.

    F_target = F_individual risk / PLL
    F(tol) = 1x10^-4 / 0.21 = 4.76x10^-4

… Step 2 – Applying the target RRF equation yields:

    RRF = (1/576) / 4.76x10^-4 = 3.64 (PFDavg = 0.27)

… Step 3 – Select SIL based on RRF (PFDavg = 0.27):

    For RRF = 3.64 -> SIL = 1
FSEglobal SIL Selection 205

„ Multiple Receptors per SIF

… Occasionally a set of tolerable risk levels and risk estimates
gives different risk reduction factors depending on the personnel,
environmental, or financial receptors considered

… Personnel RRF = 1000
… Environmental RRF = 300
… Financial RRF = 150

… Choose highest RRF for specifying the system


FSEglobal SIL Selection 206

„ SIL Assignment

… SIL selection is performed based on the RRF calculated for the SIF
… Assuming the RRF required = 210
… Target SIL = SIL 3
… The minimum risk reduction for SIF of 1000 guarantees that any
SIL 3 system will achieve the required risk reduction factor
… Or Target SIL = SIL 2 with RRF > 210
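The frequency-based method of the preceding slides carried through in code (consequence target table, RRF and PFDavg equations, SIL table, individual-risk target, multiple receptors), as an added example rather than course material. The `guaranteed_sil` rule, lowest SIL whose band floor already exceeds the required RRF, is my reading of "SIL 2 should be selected (or SIL 1 with RRF > 17.4)" and "RRF 210 -> SIL 3"; the severity rating of a scenario is taken as an input, since the slides state it rather than derive it.

```python
"""Frequency-based SIL selection.  Added example; tables follow the
IEC 61511-3 Annex C target table and the low-demand SIL table slides."""

# Target frequency (per year) by severity rating.
TARGET_FREQUENCY = {"Minor": 1.0e-3, "Serious": 1.0e-4, "Extensive": 1.0e-6}

# Low-demand SIL table as (SIL, RRF band floor, RRF band ceiling);
# PFDavg = 1 / RRF, so SIL 1 is PFDavg 1E-01 to 1E-02, and so on.
SIL_TABLE = [(1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000)]


def required_rrf(unmitigated_freq: float, target_freq: float) -> float:
    """RRF_SIF = F_Unmitigated Event / F_Target."""
    return unmitigated_freq / target_freq


def pfd_from_rrf(rrf: float) -> float:
    """PFD = 1 / RRF_SIF."""
    return 1.0 / rrf


def target_from_individual_risk(tolerable_individual_risk: float, pll: float) -> float:
    """F_target = F_individual risk / PLL (individual-risk target slide)."""
    return tolerable_individual_risk / pll


def sil_band(rrf: float):
    """SIL whose RRF band contains the required RRF; None if below SIL 1
    (RRF < 10) or above SIL 4."""
    for sil, floor, ceiling in SIL_TABLE:
        if floor <= rrf < ceiling:
            return sil
    return None


def guaranteed_sil(rrf: float):
    """Lowest SIL whose minimum RRF (band floor) already meets the required
    RRF, so that ANY system of that SIL satisfies the target.  The next
    lower SIL is acceptable only if its verified RRF exceeds the requirement."""
    for sil, floor, _ in SIL_TABLE:
        if floor >= rrf:
            return sil
    return None  # beyond SIL 4: a single SIF is not enough


def select_sil_for_severity(unmitigated_freq: float, severity: str):
    """General frequency-based method: returns (RRF, PFDavg, SIL)."""
    rrf = required_rrf(unmitigated_freq, TARGET_FREQUENCY[severity])
    return rrf, pfd_from_rrf(rrf), guaranteed_sil(rrf)


def select_sil_for_individual_risk(unmitigated_freq: float, pll: float,
                                   tolerable_individual_risk: float):
    """Individual-risk variant: returns (F_target, RRF, PFDavg, SIL)."""
    f_target = target_from_individual_risk(tolerable_individual_risk, pll)
    rrf = required_rrf(unmitigated_freq, f_target)
    return f_target, rrf, pfd_from_rrf(rrf), guaranteed_sil(rrf)


def rrf_for_multiple_receptors(rrfs: dict) -> float:
    """With several receptors, the SIF is specified for the highest RRF."""
    return max(rrfs.values())


if __name__ == "__main__":
    # Worked cases from the slides: 1/576 per year, PLL 0.21.
    print(select_sil_for_severity(1 / 576, "Serious"))           # ~17.4, 0.058, SIL 2
    print(select_sil_for_individual_risk(1 / 576, 0.21, 1e-4))   # 4.76e-4, 3.64, 0.27, SIL 1
    print(rrf_for_multiple_receptors(
        {"personnel": 1000, "environmental": 300, "financial": 150}))
```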


FSEglobal SIL Selection 207

„ Review of Quantitative SIL Selection

„ Topics:
… Risk and the Context of SIL Selection
… Safety Instrumented Functions
… Required risk reduction leading to SIL assignment

„ Questions?

„ Class Exercise
… Question Sheet – Quantitative SIL Selection


FSE global
Functional Safety Engineering
Safety Requirement Specification

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Safety Requirement Specification 209

„ Safety Requirement Specification

[Safety lifecycle figure: Safety Requirements Allocation]


FSEglobal Safety Requirement Specification 210

„ Safety Requirement Specification

„ Definition
… IEC61511: “specification that contains all the requirements of the safety
instrumented functions in a safety instrumented system”

„ Objective
… Specify all requirements of SIS needed for detailed engineering and
process safety information purposes

„ Tasks
… Identify all Safety Instrumented Functions
… Document the SIL requirement or Risk Reduction requirement of each
SIF
… Document the cause (frequency)/hazard/consequence the SIF is
guarding against
… Provide a functional description of each SIF, and document this as
Logic Drawings, Cause and Effect Diagram, etc.
… Document the associated parameters for each SIF – response time,
maintenance/bypass requirements, etc.
FSEglobal Safety Requirement Specification 211

„ Safety Requirement Specification

„ The safety requirements specification step
occurs after SIL selection in the safety
lifecycle

„ The following inputs should be
considered:
… Process and hazards information (PHA report)
… Regulatory requirements affecting SIS design
… List of required Safety Instrumented Functions
(SIF) including:
„ The hazard
„ Frequency of occurrence
„ Consequence
„ SIL level required


FSEglobal Safety Requirement Specification 212

„ SRS Elements

„ The SRS contains two types of requirements:

… Functional Requirements
„ Description of the function of the SIF
„ How it should work

… Integrity Requirements
„ The risk reduction and reliability requirements
„ How well it should work


FSEglobal Safety Requirement Specification 213

„ SRS Functional Requirements

… Definition of the safe state of the process or machine
… Process inputs and their trip points
… Process parameter normal operating range
… Process outputs and their actions
… Relationship between inputs and outputs
… Selection of energize-to-trip or de-energize-to-trip
… Consideration for manual shutdown
… Response time requirements for the SIS to bring the process
to a safe state
… Response actions for equipment failure and power loss
… Operator interface requirements
… Reset functions


FSEglobal Safety Requirement Specification 214

„ Definition of the safe state of the
process

„ The hazard is mitigated by actions such as
… stopping fuel flow,
… stopping chemical feed,
… supplying cooling water, or
… relieving pressure


FSEglobal Safety Requirement Specification 215

„ Functional Requirements – Process Parameters

… Process inputs and their trip points
… Process parameter normal operating range
… Process outputs and their actions
… Relationship between inputs and outputs
„ Structured Text
„ Cause and Effect Diagrams
„ Binary Logic Diagrams

[Cause and Effect Diagram: columns Tag#, Description, SIL, Instrument
Range, Trip Point, Units, then the effects CLOSE VALVE XV-03A, CLOSE VALVE
XV-03B, OPENS VALVE XV-03C]
  BS-01   Burner Loss of Flame     1  ~  ~  PSIG   X  X  X
  PSL-01  Fuel Gas Pressure Low       ~  7  PSIG   X  X  X


FSEglobal Safety Requirement Specification 216

„ Logic Description Methods

„ Structured Text
… Strengths: extremely flexible; no special knowledge required
… Weaknesses: time consuming; transposition to program code difficult
and error prone
„ Cause-and-Effect Diagrams
… Strengths: low level of effort; clear visual representation
… Weaknesses: rigid format (some functions cannot be represented with
C-E diagrams); can oversimplify
„ Binary Logic Diagrams (ANSI/ISA-5.2-1976)
… Strengths: more flexible than C-E diagrams; direct transposition to a
function block diagram program
… Weaknesses: time consuming; knowledge of standard logic
representation required


FSEglobal Safety Requirement Specification 217

„ Example – Logic Description

… Describe the logic for a SIF, where a low-pressure condition can cause
flame out in a fired heater. In this case, the inputs are from burner
monitor switch BS-01 and pressure switch PSL-02. The output is to a
double-block and bleed assembly whose up and downstream block
valves are XV-03A and XV-03B respectively with XV-03C as the bleed
valve. The valves can be moved to their safe position by de-energizing
solenoid XY-03. The system is de-energize to trip.

… Write the logic description in plain structured text.


FSEglobal Safety Requirement Specification 218

„ Example – Structured Text

… If one of the following conditions occurs:
… 1. Switch BS-01 is de-energized, indicating loss of flame; or
… 2. Switch PSL-02 is de-energized, indicating low fuel gas pressure
… Then the main fuel gas flow to the heater is stopped by performing the
following:
… Closing valves XV-03A and XV-03B
… Opening valve XV-03C
… The respective valves will be opened and closed by de-energizing the
solenoid valve XY-03.


FSEglobal Safety Requirement Specification 219

„ Example – Cause & Effect Diagram

… The cause-and-effect diagram below also describes the gas flow
shutdown example.

[Cause and Effect Diagram: columns Tag#, Description, SIL, Instrument
Range, Trip Point, Units, then the effects CLOSE VALVE XV-03A, CLOSE VALVE
XV-03B, OPENS VALVE XV-03C]
  BS-01   Burner Loss of Flame     1  ~  ~  PSIG   X  X  X
  PSL-01  Fuel Gas Pressure Low       ~  7  PSIG   X  X  X


FSEglobal Safety Requirement Specification 220

„ Example – Logic Drawing

… The Binary Logic Diagram below also describes the gas flow shutdown
example.

[Binary Logic Diagram: Field Inputs BS-01 (Energized=1) and PSL-01
(Energized=1) feed an AND gate in the Logic Solver; its output (1=Energized)
drives solenoid s, which holds the Field Outputs XV-03A (FC) and XV-03B
(FC) open and the vent valve XV-03C (FO) closed]


FSEglobal Safety Requirement Specification 221

„ Functional Requirements – Trip Mode

„ Selection of de-energize-to-trip over energize-to-trip

… Most safety instrumented functions choose de-energize-to-trip.
„ Functional safety standards requirements are easier to meet with that
choice.
„ Verification tools are set up with that assumption.
„ Available data make that assumption.

… Exceptions can be justified, but great care must be taken with all
aspects of the design including verification calculations and the data
used for such calculations.


FSEglobal Safety Requirement Specification 222

„ Functional Requirements – Manual Shutdown

„ Consideration for manual shutdown

… Required by many applications standards – ESD, burner management
systems (BMS), etc.
… Required by many operating companies
… Can be used to meet requirements of IEC61508


FSEglobal Safety Requirement Specification 223

„ Functional Requirements – Response Time

… Response time requirements for the SIS to bring the process or
machinery to a safe state

[Figure: process value against time. Normal behaviour lies between the
low level and high level; as the value rises it passes the high level alarm
(operator takes action), then the trip level (detection, after which the
process safety time runs), and reaches the accident level if nothing acts]
FSEglobal Safety Requirement Specification 224

„ Functional Requirements – Failure Response

„ Response actions for failure and power loss

… Process Equipment Failure
… Electricity Failure
… Instrument Air Failure
… Sensor Failure
… Logic Solver Failure
… Final Element Failure


FSEglobal Safety Requirement Specification 225

„ Functional Requirements – Interface and Reset

„ Operator Interface Requirements

„ Reset Functions

… Most SIF should latch when a trip occurs. This means that an operator
reset is normally required to ensure that control valves are in their
proper position and that the process is safe to restart.
… Automatic resetting is used only when immediate restart of the
equipment is desired (circulation pumps, drain valves, etc.). Any
additional restart risk must be considered as part of the SIL selection
process.
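The fired-heater SIF of the Structured Text and Cause & Effect example, combined with the latching and operator-reset behaviour required above, as an added example in code (mine, not the course's): tag names are the slides' own, the `TripLogic` class and its scan interface are my construction, and a lost logic-solver supply is modelled as de-energizing the outputs because the system is de-energize to trip.

```python
"""De-energize-to-trip SIF logic for the fired-heater example, with latch
and operator reset.  Added example; tags BS-01, PSL-02, XV-03A/B/C and
XY-03 come from the slides."""
from dataclasses import dataclass, field


@dataclass
class TripLogic:
    """Inputs: energized=True means healthy (flame present / pressure OK).
    Output: an energized solenoid XY-03 keeps the block valves XV-03A and
    XV-03B open and the bleed valve XV-03C closed.  Once tripped, the
    function latches until an operator reset with all initiators normal."""
    latched: bool = False
    causes: list = field(default_factory=list)

    def scan(self, bs01_energized: bool, psl02_energized: bool,
             reset: bool = False, solver_powered: bool = True) -> dict:
        # Cause side of the C&E diagram: either de-energized input trips.
        active = []
        if not bs01_energized:
            active.append("BS-01 loss of flame")
        if not psl02_energized:
            active.append("PSL-02 low fuel gas pressure")

        if active:
            self.latched = True          # trip (and re-record the causes)
            self.causes = active
        elif reset:
            self.latched = False         # reset only with initiators normal
            self.causes = []
        # else: initiators back to normal but no reset -> stay latched

        # De-energize-to-trip: a tripped logic or a dead logic solver both
        # leave XY-03 de-energized, which is the safe state.
        xy03 = solver_powered and not self.latched
        return {
            "XY-03 energized": xy03,
            "XV-03A": "OPEN" if xy03 else "CLOSED",   # upstream block, FC
            "XV-03B": "OPEN" if xy03 else "CLOSED",   # downstream block, FC
            "XV-03C": "CLOSED" if xy03 else "OPEN",   # bleed to vent, FO
            "latched": self.latched,
            "causes": list(self.causes),
        }


def run_sequence(steps):
    """Replay (bs01, psl02, reset, powered) scans and return XY-03 states.
    Helper for demonstration; the constructed sequence below shows a low
    pressure trip, the latch holding, a refused reset and a valid reset."""
    logic = TripLogic()
    return [logic.scan(*s)["XY-03 energized"] for s in steps]


if __name__ == "__main__":
    sequence = [
        (True, True, False, True),    # healthy: XY-03 energized
        (True, False, False, True),   # PSL-02 de-energized: trip
        (True, True, False, True),    # pressure restored, no reset: latched
        (True, False, True, True),    # reset pressed while still low: refused
        (True, True, True, True),     # reset with all normal: restart allowed
    ]
    print(run_sequence(sequence))     # [True, False, False, False, True]
```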


FSEglobal Safety Requirement Specification 226

„ Integrity Requirements

„ The SRS should contain these integrity requirements:

… The required RRF, or PFDavg for each SIF
… Possible process diagnostics or layers of protection that
may improve safety
… Reliability requirements if spurious trips may be
hazardous


FSEglobal Safety Requirement Specification 227

„ SRS Format

1. Introduction
   1. Overview of system
   2. Description of operation
   3. Other
2. General Requirements
   1. Requirements common to all SIF
3. SIF Requirements
   1. Functional Requirements
   2. Integrity Requirements


FSEglobal Safety Requirement Specification 228

„ Potential Problems for SRS

… Hazard and Risk Analysis was done poorly, providing bad
input for the SRS
… SRS out of date, not maintained
… SRS revision control poor
… SRS missing important requirements


FSEglobal Safety Requirement Specification 229

„ Avoiding Potential Problems for SRS

… IEC61508, Part 2, Table B.1 – Recommendations to avoid mistakes
during specification of E/E/PES requirements
(see also clause 7.2)

  Technique/Measure                                    See IEC61508-7 Section:
  Project Management                                   B.1.1
  Documentation                                        B.1.2
  Separation of E/E/PE safety-related systems from     B.1.3
  non-safety-related systems
  Structured Specification                             B.2.1
  Inspection of the Specification                      B.2.6
  Semi-formal methods                                  B.2.3 (see also Table B.7
                                                       of IEC61508-3)
  Checklists                                           B.2.5

*Partial Copy of Table


FSEglobal Safety Requirement Specification 230

„ SRS Quality

… The measure of quality for any document, including a SRS, is not the
number of pages or the document weight but rather how precisely,
quickly, and clearly all required information is passed to the reader.


FSEglobal Safety Requirement Specification 231

„ SRS Review

… The Safety Lifecycle
… SRS definition and purpose
… SRS elements
… SRS format
… Potential problem areas

„ Questions ?

„ Class Exercise
… Question Sheet – Safety Requirement Specification


FSE global
Functional Safety Engineering
Design Considerations

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Design Considerations 233

„ General Design Considerations

„ Energized vs. De-energized
„ Panel size and layout
„ Selection of switches and relays
„ Application software
„ Documentation
„ Personnel
„ Communication between parties


FSEglobal Design Considerations 234

„ Power

„ Need clean, protected, & regulated power
„ Should use isolation transformer to protect against
spikes, transients, noise, over / under voltage
„ Backup source highly recommended for ESD
Systems
„ UPS (Uninterrupted Power Supply)
… Batteries (20-30 minute minimum) continually
charged by local power
… Output of battery inverted
… Switch to local power if UPS fails
… Must be maintained and installed in environmentally
clean area

(Section 7.6, and Annex B.7)


FSEglobal Design Considerations 235

„ Grounding

„ Especially important with digital systems
„ Follow manufacturer's recommendations
„ Consider
… Corrosion
… Cathodic Protection
… Static Electricity
… Intrinsic Safety Barriers

(Annex B.7.2)


FSEglobal Design Considerations 236

„ System Environment

„ System environment shall provide adequate
protection against
… Temperature, Humidity
… Shock, Vibration
… Grounding, EMI/RFI, Electrostatic Discharge
… Contaminants, Flooding, etc.
„ Design should consider all environmental
conditions to which the SIS will be exposed

(Section 7.7)


FSEglobal Design Considerations 237

„ Operator Interfaces

„ Operator interface requirements
… CRTs, alarms, lights, push-buttons, etc. used
to communicate information to the operator
… Must take into consideration that the SIS
interface may not always be available
„ Critical Information
… SIS action taken
… Bypass log
… System diagnostics
… Sensor, logic box, and final element status
… Loss of energy that impacts safety
… Failure of environmental equipment
„ SIS cannot be revised from the operator
interface

(Section 7.5 and Annex B.11)


FSEglobal Design Considerations 238

„ Resets

„ After a shutdown, the process should not
automatically restart when the shutdown initiators
return to their normal state.
(This could cause process upsets and additional
hazards.)
„ Operator action is usually required to reset the
system after initiators return to normal.
„ Special care should be taken to assure that control
valves are in their proper state before the system is
reset.

(Section 7.2.9)


FSEglobal Design Considerations 239

„ Installation, Commissioning & Pre-Startup Test

„ Any modification during construction or start-up
requires returning to the appropriate PHAs
„ All equipment shall be installed as designed
„ Commissioning activities include
… Equipment and wiring installed correctly
… Energy sources are operational
… All instruments are properly calibrated
… Sensors and final actuators are operational
… Logic solver and I/O modules are operational
„ A pre-start-up acceptance test (PSAT), also
called a functional check, should be completed
before start-up

(Section 8)


FSEglobal Design Considerations 240

„ Bypassing

„ Bypass may be required to
… Calibrate instruments
… Start up (e.g., low level permissives)
… Low rate operations
„ Bypass can be implemented using various
methods
… Hard-wired jumpers, banana plugs
… Installed switches
… Forcing PLC I/O
… Digital inputs to system
„ Never use a total bypass or leave a system in
bypass

(Sections 7.9.3 & 9.6.2)


FSEglobal Analysis Phase Review 241

„ Analysis Phase Review

[Safety lifecycle figure: Safety Requirements Allocation]


FSE global
Functional Safety Engineering
Realisation Phase

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Realisation Phase 243

„ Activities in the Realisation Phase

[Safety lifecycle figure: step 7, SIS Conceptual Design]


FSEglobal Realisation Phase 244

„ Realisation Phase

„ The purpose of the Realisation Phase is to translate the Safety
Requirement Specification into reality:
… Select the technology to use
… Select the architecture to use
… Determine the Test Philosophy
… Verify that performance requirements have been met for each SIF
… Prepare testing, installation, and commissioning documents
… Test, install, and commission the SIS
… Validate the SIS performance


FSE global
Functional Safety Engineering
SIS Technologies

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal SIS Technologies 246

„ Activities in the Realisation Phase

[Safety lifecycle figure: step 7, SIS Conceptual Design]


FSEglobal SIS Technologies 247

„ System Technologies

„ The IEC 61508 / IEC 61511 Standards describe functional safety for
Electric / Electronic / Programmable systems. These technologies
include:
… Electric - Relay systems
… Electronic - Solid State systems
… Programmable – PLC and DCS systems

„ Each type of technology has advantages and disadvantages

„ Tasks
… Choose the right equipment for the purpose. All criteria used for process
control still apply.
… Obtain reliability and safety data for ALL of the equipment
… Obtain Safety Manual for any safety certified equipment


FSEglobal SIS Technologies 248

„ Relay Systems
… Used in relatively simple logic applications
… Generally fail safe
… Logic reconfigured by rewiring

„ Advantages
… Fail-safe
… Low initial cost
… Can be distributed
… Immune to interference
… Suits most voltages

„ Considerations
… Nuisance trips
… No diagnostics
… No serial communications
… Large systems are complex
… Reprogramming by rewiring
… Not self documenting
… High cost of ownership


FSEglobal SIS Technologies 249

„ Solid State Systems

… Modular construction
… Discrete solid state devices perform logic (AND, OR, etc.)
… Reprogrammed by rewiring

„ Advantages
… Built-in functionality
… Can be distributed
… Serial communication available
… Good diagnostic capability
… No common cause

„ Considerations
… Flexibility
… Not self documenting
… High cost of ownership


FSEglobal SIS Technologies 250

„ Programmable Systems
… Modular construction
… Microprocessors/software perform logic
… Reprogrammed through software

„ Advantages
… Flexibility
… Modular
… Highest packing density
… Serial communication available
… Good testing/diagnostics capability (if available)
… Self documenting

„ Considerations
… Software dependent (possible reliability/security issues)
… Common cause
… Generally good communication capabilities
… Cost


FSEglobal SIS Technologies 251

„ Mode of Operation
… Safety Systems are Static Systems - it is sometimes years before they
operate

„ Inputs and Outputs are normally energized
… This provides fail-safe operation on total power loss.
… The SAFE state is the DE-ENERGIZED state

[Figure: 24V supply -> I/P -> CPU -> O/P -> 24V, the whole signal path
energized in normal operation]


FSEglobal SIS Technologies 252

„ Diagnostics

„ Internal faults should be detected by diagnostics
… Input and Output circuits can fail open or closed
… A CPU can fail in many ways

[Figure: a 5V input circuit (resistor R, 0V return) shown twice, once with
a short circuit and once with an open circuit; with a field input signal of
1 the signal seen by the CPU is 1 in one case and 0 in the other, so the
CPU cannot tell a faulted circuit from a valid input]


FSEglobal SIS Technologies 253

„ Diagnostics in PLC and DCS Systems

„ Conventional PLC and DCS systems do not have a high diagnostic
coverage factor
… Additional modules and software programming have to be added to
provide diagnostic testing

[Figure: field switch wired through R1 to a PLC input (I/P), CPU, and an
output (O/P) driving the field output relay, with 0V return; extra I/P and
O/P points are added so the logic can test the circuit]


FSEglobal SIS Technologies 254

„ Review of SIS Technologies

… Relay
… Solid State
… Programmable
… Mode of Operation
… Diagnostics

„ Questions ?

„ Class Exercise
… Question Sheet – SIS Technologies


FSE global
Functional Safety Engineering
Architecture

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Architecture 256

„ Activities in the Realisation Phase

[Safety lifecycle figure: step 7, SIS Conceptual Design]


FSEglobal Architecture 257

„ Selecting System Architecture

… Choose type of redundancy if needed.
… Obtain reliability and safety data for the architecture
… Various redundant configurations have been used to compensate for
lack of diagnostics. Each configuration has advantages and
disadvantages

[Figure: redundant configurations 1oo2 (channels A, B), 2oo2 (A, B) and
2oo3 (A, B, C)]


FSEglobal Architecture 258

„ Simplex System Performance

Probabilities (per channel; the same illustrative values are used on the following slides):

Configuration   Safe failures            Dangerous failures
                (reduce availability)    (reduce safety)
1oo1 (A)        0.04                     0.02


FSEglobal Architecture 259

„ Dual System Performance

Configuration     Safe failures            Dangerous failures
                  (reduce availability)    (reduce safety)
(1oo1)            0.04                     0.02
1oo2 vote (A, B)  0.08                     0.0004    very safe, but more nuisance trips than simplex
2oo2 vote (A, B)  0.0016                   0.04      few nuisance trips, but less safe than simplex


FSEglobal Architecture 260

„ Triple System Performance

Configuration        Safe failures            Dangerous failures
                     (reduce availability)    (reduce safety)
(1oo1)               0.04                     0.02
(1oo2)               0.08                     0.0004
(2oo2)               0.0016                   0.04
2oo3 vote (A, B, C)  0.0048                   0.0012    a compromise!

The optimum solution would combine the 2oo2 safe-failure figure (0.0016) with the 1oo2 dangerous-failure figure (0.0004). 2oo3 achieves neither, but it improves on simplex in both columns.


FSEglobal Architecture 261

„ Development of the 1oo2D Configuration

[Figure: 1oo1D – a single channel (I/P, CPU, O/P) with diagnostics on each module, designed for safety. 1oo2D – two such diagnostic channels (A, B), designed for safety and availability.]


FSEglobal Architecture 262

„ 1oo2D System Performance

Configuration                  Safe failures            Dangerous failures
                               (reduce availability)    (reduce safety)
(1oo1)                         0.04                     0.02
(1oo2)                         0.08                     0.0004
(2oo2)                         0.0016                   0.04
(2oo3)                         0.0048                   0.0012
1oo2D (A, B with diagnostics)  0.0016                   0.0004    the optimum solution


FSEglobal Architecture 263

„ Basic Formulae

Configuration   PFD                        MTBFsp
1oo1            λD·(MTTR + TI/2)           1/λS
1oo2            2λD²·(MTTR + TI/2)²        1/(2λS)
2oo2            2λD·(MTTR + TI/2)          1/(2λS²·MTTR)
2oo3            6λD²·(MTTR + TI/2)²        1/(6λS²·MTTR)
1oo2D           2λD²·(MTTR + TI/2)²        1/(2λS²·MTTR)

Where:
MTTR = Mean Time To Repair; TI = Test Interval
MDT (Mean Down Time) = MTTR + TI/2
Subscript S = safe (initiating) failure; subscript D = dangerous (inhibiting) failure
Assumption: 1/MDT >> failure rate

Source: Reliability, Maintainability, and Risk, by D.J. Smith
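The voting tables on slides 258–262 and the formulae above can be reproduced and checked with a short script. The following is an added example written for this edit, not code from the course or from D.J. Smith. The per-channel probabilities (0.04 safe, 0.02 dangerous) are the slides' illustrative figures; the failure rates, MTTR and test interval in the demonstration are constructed values, not real equipment data. The exact binomial combination is used, so 2oo3 comes out as 0.004672 / 0.001184 rather than the rounded 0.0048 / 0.0012 on the slide, which keeps only the leading 3p² term.

```python
import math

# Added example: voting-probability tables (slides 258-262) and the D.J. Smith
# formulae (slide 263). Probabilities and rates below are illustrative, not data.


def _binom_tail(n: int, k: int, p: float) -> float:
    """P(X >= k) for X ~ Binomial(n, p): at least k of n channels in a given state."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def spurious_trip_probability(m: int, n: int, p_safe: float) -> float:
    """MooN voting trips spuriously when at least M of the N channels fail safe."""
    return _binom_tail(n, m, p_safe)


def fail_to_danger_probability(m: int, n: int, p_dang: float) -> float:
    """MooN voting cannot trip when fewer than M channels remain healthy,
    i.e. when at least N-M+1 channels have failed dangerous."""
    return _binom_tail(n, n - m + 1, p_dang)


def voting_table(p_safe: float = 0.04, p_dang: float = 0.02):
    """Rows (name, P_safe_failure, P_dangerous_failure) for the slide configurations."""
    return [
        (f"{m}oo{n}", spurious_trip_probability(m, n, p_safe),
         fail_to_danger_probability(m, n, p_dang))
        for m, n in ((1, 1), (1, 2), (2, 2), (2, 3))
    ]


# --- Smith's simplified formulae. MDT = MTTR + TI/2; valid when 1/MDT >> failure rate.
def mdt(mttr: float, ti: float) -> float:
    return mttr + ti / 2.0


def pfd(arch: str, lam_d: float, mttr: float, ti: float) -> float:
    """Average PFD per the slide table (rates and times in consistent units, e.g. 1/h and h).
    Caveat: 2*lam^2*MDT^2 for 1oo2 and 1oo2D is the slide's approximation; with MTTR = 0
    the exact average of (lam*t)^2 over a proof-test interval is lam^2*TI^2/3, so the
    table value (lam^2*TI^2/2) is conservative."""
    d = mdt(mttr, ti)
    return {
        "1oo1": lam_d * d,
        "1oo2": 2 * lam_d ** 2 * d ** 2,
        "2oo2": 2 * lam_d * d,
        "2oo3": 6 * lam_d ** 2 * d ** 2,
        "1oo2D": 2 * lam_d ** 2 * d ** 2,
    }[arch]


def mtbf_spurious(arch: str, lam_s: float, mttr: float) -> float:
    """Mean time between spurious trips for the same architectures."""
    return {
        "1oo1": 1 / lam_s,
        "1oo2": 1 / (2 * lam_s),
        "2oo2": 1 / (2 * lam_s ** 2 * mttr),
        "2oo3": 1 / (6 * lam_s ** 2 * mttr),
        "1oo2D": 1 / (2 * lam_s ** 2 * mttr),
    }[arch]


if __name__ == "__main__":
    for name, ps, pd in voting_table():
        print(f"{name:6s} safe={ps:.6f} dangerous={pd:.6f}")
    # Constructed rates: lam_D = 1e-6/h, lam_S = 1e-5/h, MTTR = 8 h, TI = 1 year.
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3", "1oo2D"):
        print(f"{arch:6s} PFD={pfd(arch, 1e-6, 8.0, 8760.0):.2e} "
              f"MTBFsp={mtbf_spurious(arch, 1e-5, 8.0):.2e} h")
```

Running it shows the ordering the slides argue for: 1oo2 has the lowest PFD but the shortest time between spurious trips, 2oo2 the reverse, and 1oo2D takes the PFD of 1oo2 with the spurious-trip rate of 2oo2.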


FSEglobal Architecture 264

„ Review of SIS Architectures


… Simplex Architecture
… Dual Architecture
… Triplicated Architecture

„ Questions ?

„ Class Exercise
… Question Sheet – SIS Architecture


Testing Philosophy
Safety Instrumented Systems
FSEglobal Test Philosophy 266

„ Activities in the Realisation Phase




FSEglobal Test Philosophy 267

„ Test Philosophy
… The chosen test frequency influences the reliability (PFDavg) the SIS achieves.
… Some processes cannot tolerate frequent shutdowns for preventive maintenance, and need high-reliability systems.
… Some processes, such as batch processes, stop and start frequently, making it easier to perform the necessary maintenance.

„ In general the testing can consist of:
… Automatic testing, which is built into the SIS.
… Off-line testing, which is done manually while the process is not in operation.
… On-line testing, which is done manually while the process is in operation.


FSEglobal Test Philosophy 268

„ Availability. Periodic Test and Inspection

Average probability of failure over a test interval T:

$$\mathrm{PF_{avg}} = \frac{1}{T}\int_0^T \mathrm{PF}(t)\,dt$$

Approximation: PF(t) = λ·t, so at the end of the interval PF = λ·TI and PFavg = λ·TI/2
FSEglobal Test Philosophy 269

„ Simplified Equation PFAVG

PFavg = λ TI / 2

[Figure: PF(t) rises from zero over each test period and is reset by each proof test (a saw-tooth over the operating time interval); PFAVG is the mean of the saw-tooth.]


FSEglobal Test Philosophy 270

„ The Effects of Incomplete Testing
… Because of incomplete testing the PF never returns to its original value and the risk reduction can be significantly lower.

[Figure: PF(t) against operating time with the IEC 61511 SIL 1–4 bands marked; after each test period PF(t) restarts above its previous starting value, so PFavg drifts upwards through the SIL bands.]


FSEglobal Test Philosophy 271

„ Simplified Equation PFavg with Incomplete Testing

PFavg = CPT λ TI / 2 + (1 − CPT) λ LT / 2

CPT = effectiveness (coverage) of the proof test, 0 – 100%
LT = operational lifetime of the plant
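To see how much the λ·TI/2 simplification and the proof-test coverage term change PFavg, here is an added example written for this edit (not course material) that integrates PF(t) exactly, compares the result with the approximation, and applies the incomplete-testing formula above. The transmitter figures (0.005 failures per year, tested every two or four years) are the ones used later in this course; the 90 % proof-test coverage and 20-year plant life are constructed values.

```python
import math

# Added example: exact PFavg integral versus the lambda*TI/2 simplification,
# plus the incomplete-proof-test formula. Values are illustrative only.


def pf(lam: float, t: float) -> float:
    """Probability that an untested device has failed by time t (constant failure rate)."""
    return 1.0 - math.exp(-lam * t)


def pfavg_exact(lam: float, ti: float) -> float:
    """(1/TI) * integral_0^TI (1 - e^{-lam t}) dt, evaluated in closed form."""
    x = lam * ti
    return 1.0 - (1.0 - math.exp(-x)) / x


def pfavg_numeric(lam: float, ti: float, n: int = 10_000) -> float:
    """The same average by trapezoidal integration, as a cross-check on the closed form."""
    h = ti / n
    total = 0.5 * (pf(lam, 0.0) + pf(lam, ti))
    total += sum(pf(lam, i * h) for i in range(1, n))
    return total * h / ti


def pfavg_approx(lam: float, ti: float) -> float:
    """The slide's simplified equation PFavg = lam * TI / 2 (valid while lam*TI << 1)."""
    return lam * ti / 2.0


def pfavg_incomplete_test(lam: float, ti: float, cpt: float, lt: float) -> float:
    """PFavg = CPT*lam*TI/2 + (1-CPT)*lam*LT/2.
    The fraction (1-CPT) of dangerous failures that the proof test cannot reveal
    accumulates over the plant lifetime LT instead of over the test interval TI."""
    if not 0.0 <= cpt <= 1.0:
        raise ValueError("proof-test coverage must lie between 0 and 1")
    return cpt * lam * ti / 2.0 + (1.0 - cpt) * lam * lt / 2.0


if __name__ == "__main__":
    lam = 0.005  # failures per year (transmitter example later in the course)
    for ti in (2, 4):
        print(f"TI={ti} yr exact={pfavg_exact(lam, ti):.6f} "
              f"numeric={pfavg_numeric(lam, ti):.6f} approx={pfavg_approx(lam, ti):.6f}")
    # Constructed case: yearly test, 90 % coverage, 20-year plant life.
    print(f"incomplete test: {pfavg_incomplete_test(lam, 1, 0.9, 20):.5f} "
          f"vs complete test: {pfavg_approx(lam, 1):.5f}")
```

With these numbers the exact and simplified PFavg differ by under 1 %, but the 10 % of failures the yearly proof test misses raise PFavg from 0.0025 to 0.00725, almost tripling it: the untested fraction dominates once LT is much longer than TI.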


FSEglobal Test Philosophy 272

„ Incomplete Testing and Increased Test Intervals
… Because of incomplete testing the PF never returns to its original value. If test schedules are not also maintained, the PFDavg goes even higher.

[Figure: as on the previous slide, but with lengthening test periods; PFAVG rises faster through the IEC 61511 SIL 1–4 bands.]


FSEglobal Test Philosophy 273

„ Review of Test Philosophy


… Test frequency
… Test coverage
… Automatic testing
… On-line testing
… Off-line testing
… Effects of incomplete testing
… Effects of increased test interval

„ Questions ?

„ Class Exercise
… Question Sheet – Test Philosophy


SIL Verification
Safety Instrumented Systems
FSEglobal SIL Verification 275

„ Activities in the Realisation Phase




FSEglobal SIL Verification 276

„ SIL Verification

„ SIL verification confirms that each SIF achieves the required safety performance in terms of:
… Probability of Failure on Demand (PFDavg)
… Risk Reduction Factor (RRF)
… Architectural Constraints
… MTTFS

[Figure: inputs and outputs of activity 7d, Reliability and Safety Evaluation.
Inputs: the Safety Requirement Specification (safety function requirements including target SIL, functional description, mitigated hazard, etc.), manufacturer's failure data and failure data databases.
Output: SILs achieved – PFDavg, RRF, MTTFS, architectural constraints.]


FSEglobal SIL Verification 277

„ Background
… The SRS provided the SIL requirement of each SIF
… The technology has been chosen
… The architecture has been chosen
… The test philosophy has been documented

„ Failure Data
… The failure data for each component in each subsystem of the SIF is needed to
calculate if the SIL requirements have been met.
… As this phase requires that performance of each SIF is verified, it is important to
understand the data received on failure rates and failure modes for the various
equipment used, and to be able to use that data for performance verification.
… The failure data is used to calculate the PFDavg for each subsystem and for the
whole SIF

„ System Reliability Engineering


… An understanding of probability is required
… An understanding of reliability engineering is required
… An understanding of the metrics of safety performance is required


Failure Data
Safety Instrumented Systems
FSEglobal Failure Data 279

„ Failure Data - Where does it come from?
… Historical reliability data specific to your installation is best, but often unavailable
… Plant maintenance and SIS function test data by equipment type
… Industry average data grouped by equipment type
… Some expert judgment is still inevitable

„ Calculation techniques can predict failure rates (MIL HDBK 217). Other techniques can predict failure modes (MIL STD 1629-A; FME&CA).
… “... a reliability prediction should never be assumed to represent the expected field reliability as measured by the user...” (MIL HDBK 217F, Paragraph 3.3)

„ Predictions can then be made for:
… Components
… Modules
… Complete system


FSEglobal Failure Data 280

„ Using Maintenance & Function Test Data
… Companies usually keep maintenance logs
… IEC 61511 requires function testing and documentation of results
… Function test data used to approximate failure rate

„ Simple Equation for point estimate of failure rate:

λ (Failure Rate) = No. Failures / Total Unit Hours of Operation   [failures/hr]


FSEglobal Failure Data 281

„ Failure Rate (λ)
… The failure rate is usually represented by the lower case Greek letter lambda (λ)
… In reliability engineering the primary statistical variable of interest is Time to Failure. The Time to Failure measurement can be analysed to generate another important measurement, Failure Rate.
… Instantaneous failure rate is a commonly used measure of reliability – the lower the failure rate, the higher the reliability.
… Instantaneous failure rate gives the number of failures per unit time from a quantity of components exposed to failure.

… λ(t) = failures per unit time / quantity exposed

… Instantaneous failure rate can be expressed in
„ Failures per million hours (10⁶ hrs)
„ Failures per billion hours (10⁹ hrs) – called FITs
„ Failures per year


FSEglobal Failure Data 282

„ Failure Rate (λ)
… Example
… A failure rate is given as 3200 FITs. What is the failure rate in units of failures per year?
… Answer
… λ = 3200 × 10⁻⁹ = 0.0000032 failures per hr × 8760 hrs per yr
… λ = 0.028032 failures per year

„ Analysing Failure Rate Data
… If the time-to-fail data of a number of power supply units is analysed, the instantaneous failure rate can be calculated.
… Not all power supplies will fail at the same time, and if the failure rate is plotted as a function of the operating time interval, it can be seen that there are three distinct regions on the curve:
„ Infant mortality region
„ Useful life region
„ End of life, or wearout region


FSEglobal Failure Data 283

„ Failure Rate – The Bath Tub Curve

[Figure: bath tub curve of λ against time/life, with an infant mortality region (falling λ), a useful life region (constant λ) and a wearout region (rising λ).]

Bath tub curve shows infant mortality and aging failures (which may not be included in data bases).

… λ (Failure Rate) = # Failures / Total Unit Hours of Operation
Constant failure rate (useful life region) assumed for normal life of device
… MTBF = 1 / failure rate
… MTBF and Life are not the same.
FSEglobal Failure Data 284

„ Example
… 50 solenoids have been operating in the field for 5 years. During that period 5 solenoids have failed. What is the failure rate expressed in
„ Failures per year
„ Failures per million hours
„ FITs

… 50 solenoids operating for 5 years is a total of 250 unit-years of operation.
… λ = failures / total unit years of operation = 5/250 = 0.02 failures per yr
… 250 yrs of operation is 2.19 × 10⁶ hours (× 8760)
… λ = failures / million hrs = 5/2.19 = 2.28 failures per million hrs
… 2.28 failures per million hrs = 2280 failures per billion hrs
… λ = 2280 FITs


FSEglobal Failure Data 285

„ Mean Time To Failure (MTTF)
… Normally applied to disposable, single life components such as relays or resistors which are replaced when they fail.
… MTTF = 1 / λ (valid for single components or a series of components with a constant failure rate)

„ Mean Time To Repair (MTTR)
… The expected value of the time to repair (not failure time), including the time to detect the failure. MTTR is an average value and applies only to repairable devices.

„ Mean Time Between Failure (MTBF)
… This is the time between failures and implies that a component has failed and then has been repaired. MTBF is an average value and applies only to repairable devices.
… MTBF = MTTF + MTTR


FSEglobal Failure Data 286

„ MTTF, MTTR, MTBF

[Figure: timeline of a repairable device. A period of success (MTTF) ends in a failure; the time to detect the fault plus the time to repair it (MTTR) is followed by the next period of success; MTBF spans one failure to the next, i.e. MTTF + MTTR.]


FSEglobal Failure Data 287

„ Example 1
… An industrial I/O module has an MTTF of 87,600 hr. It takes an average of 2 hr to repair the module. What is the MTBF?
… MTBF = MTTF + MTTR = 87,600 + 2 = 87,602 hr
… When repair time is short, MTBF is approximately equal to MTTF

„ Example 2
… An industrial I/O module has an MTTF of 87,400 hr. It takes an average of 400 hr to repair the module. What is the MTBF?
… MTBF = MTTF + MTTR = 87,400 + 400 = 87,800 hr

It is interesting to note that, compared to Example 1, the module in Example 2 will fail sooner because it has a lower MTTF, yet it has the larger MTBF. So using the MTBF number alone is misleading. MTTF is a more precise term than MTBF for the measurement of successful operation.


System Reliability Engineering
Safety Instrumented Systems
FSEglobal Reliability 289

„ System Reliability Engineering

Topics

… System Reliability Engineering


… Reliability Block Diagrams
… Fault Trees
… Markov Models


FSEglobal Reliability 290

„ Quantitative System Analysis Techniques

System Modeling – if the reliability (failure rates) of the components is known, the reliability of the system can be calculated.

… Step 1: Define what is meant by a “failure”
„ Effectively stating what is included in the model.
… Step 2: Understand how the system works
„ SYSTEM FMEA
„ HAZOP
… Step 3: Obtain failure rate on each component failure mode, create a checklist.
… Step 4: Build the model.


FSEglobal Reliability 291

„ Reliability / Unreliability
… Probability of Success - the chance that a system will perform its intended function when operated within its specified limits.
… RELIABILITY R(t) - the probability of success during an interval of time
„ R(t) = P(T > t) where T = Failure Time, for an interval 0 – t.
… UNRELIABILITY F(t) - the probability of failure during an interval of time
„ F(t) = P(T ≤ t)
… Relationship between R(t) and F(t)
„ R(t) = 1 - F(t) (for complementary events)


FSEglobal Reliability 292

„ Reliability / Unreliability
… When a constant failure rate is assumed (which is valid during the ‘useful life’ of a device), the relationships between Reliability, Unreliability, and MTTF are straightforward.

If the failure rate λ(t) is constant then: λ(t) = λ
For that assumption it can be shown that: R(t) = e^(−λt)
Therefore F(t) = 1 − e^(−λt)  [ = 1 – R(t) ]
and MTTF = 1 / λ


FSEglobal Reliability 293

„ Example
A pressure transmitter has an MTTF of 250 yrs. What is the failure rate in failures per year and FITs?

The failure rate per year equals 1/MTTF = 1/250 = 0.004 failures per yr.
To convert to FITs find failures per hr = 0.004/8760 = 4.57 × 10⁻⁷.
This is 457 FITs (failures per billion hrs).

„ Example
A pressure transmitter has an MTTF of 250 yrs. What is the reliability for a mission time of 5 years?

R(t) = e^(−λt) = e^[−(1/250) × 5] = e^(−0.02) = 0.98


FSEglobal Reliability 294

„ Useful Approximations
… Some functions can be approximated by a series of other functions:

e^x = 1 + x + x²/2! + x³/3! + x⁴/4! + …

… For a sufficiently small value of x, the exponential can be approximated by
e^x ≈ 1 + x
… Substituting –λt for x,
e^(−λt) ≈ 1 − λt

… Thus there is an approximation for unreliability when λt is sufficiently small:
F(t) = 1 − e^(−λt) ≈ λt

Another notation for unreliability is PF (probability of failure), so
PF(t) ≈ λt
FSEglobal Reliability 295

„ Availability / Unavailability
… Probability of Success - the chance that a system will perform its intended function when operated within its specified limits.
… AVAILABILITY (A) - the probability of success at a moment in time (when needed and operated within specified limits; steady state/average value)
… UNAVAILABILITY (U) - the probability of failure at a moment in time (steady state/average value)
… The relationship between Availability and Unavailability is
A = 1 − U


FSEglobal Reliability 296

„ Availability / Unavailability

… Useful equations:

A = MTTF / (MTTF + MTTR)

U = MTTR / (MTTF + MTTR)




FSEglobal Reliability 297

„ Average Unavailability with Periodic Inspection & Test
… In low demand situations, an average of the unreliability function will provide the average probability of failure:

F(t) = 1 − e^(−λt) ≈ λt, or PF(t) ≈ λt

… The average over a test interval T can be obtained by

$$\mathrm{PF_{avg}} = \frac{1}{T}\int_0^T \mathrm{PF}(t)\,dt$$

… With the result being an approximation equation (T = TI, the test interval)

PFavg = λ TI / 2


FSEglobal Reliability 298

„ Example
… A transmitter has a failure rate of 0.005 failures per year. What is the
average probability of failure if the transmitter is 100% tested and
calibrated every two years?

PFavg = λt / 2

PFavg = (0.005 x 2) / 2 = 0.005

… If the transmitter is tested every four years, what is the average


probability of failure?

PFavg = (0.005 x 4) / 2 = 0.01




FSEglobal Failure Modes 299

„ Review of Failure Data

… Failure – the Bath Tub curve


… Sources of failure data

„ Questions ?

„ Class Exercise
… Question Sheet – Failure Data


FSEglobal Reliability 300

„ Quantitative System Analysis Techniques
… Reliability Block Diagrams
… Fault Trees
… Markov Models

[Figure: the three techniques illustrated on one example – an RBD of power supply A in series with controller B; a fault tree of the same two blocks; a Markov diagram with states 0 (OK), 1 (DDN), 2 (DUN) and 3, distinguishing failure de-energized from failure energized.]
FSEglobal Reliability 301

„ Quantitative System Analysis Techniques

„ Reliability Block Diagrams (RBD)


… Best for Reliability /Availability Analysis. Probability combination
method. Takes the “success” view. Confusing when used in multiple
failure mode modeling.

„ Fault Tree Diagrams


… Takes the “failure” view. Probability combination method. Multiple
drawings can be used for multiple failure modes. Easy to understand
the drawing.

„ Markov Models
… Looks at success and failure on one drawing. Flexible, solved for
probabilities as a function of time interval.


FSEglobal Reliability 302

„ Reliability Block Diagrams (RBD)

[Figure: RBD of a pumping system – AC power sources A, B and C in parallel, two motor–pump legs, and a single nozzle.]

„ Successful System – path across drawing

[Figure: the same RBD with one success path highlighted from an AC power block through a motor and pump to the nozzle.]
FSEglobal Reliability 303

„ Reliability Network Diagrams - Reliability
„ Successful Series System – path formed across drawing

Series System:  [A: AC Power] – [B: Motor]

System operates only if all components operate.
Reliability of the system equals the reliability of component A and component B:

R_S = R_A × R_B


FSEglobal Reliability 304

„ Reliability Network Diagrams - Availability
„ Successful Series System – path formed across drawing

Series System:  [A: AC Power] – [B: Motor]

System operates only if all components operate.
Availability of the system equals the availability of component A and component B:

A_S = A_A × A_B


FSEglobal Reliability 305

„ Series System RBD

„ System Success:  R_S = R_A × R_B
„ System Failure:  F_S = 1 − (1 − F_A)(1 − F_B) ≈ F_A + F_B for small F (with constant failure rates the rates add exactly: λ_S = λ_A + λ_B)

Series System:  [A: AC Power] – [B: Motor]
System operates only if all components operate.


FSEglobal Reliability 306

„ Parallel System RBD

„ System Success:  R_S = R_A + R_B – (R_A × R_B) = 1 − (1 − R_A)(1 − R_B)
„ System Failure:  F_S = F_A × F_B (both must fail)

Parallel System:  [Power Supply] ∥ [Power Supply]
System operates if any component operates.


FSEglobal Reliability 307

„ Series - Parallel System RBD

[Figure: two legs in parallel (upper leg, lower leg), each consisting of a Power Supply (A) in series with a Controller (B).]

„ Example:
… R_PS = 0.6
… R_C = 0.8
(for a one year interval)
… R_System?

… R_System = (R_PS × R_C) + (R_PS × R_C) – (R_PS × R_C)²
= (0.6 × 0.8) + (0.6 × 0.8) – (0.6 × 0.8)² = 0.7296
FSEglobal Reliability 308

„ Complex Series-Parallel System RBD

[Figure: upper leg – three parallel blocks (R = 0.8 each) in series with a block R = 0.95; lower leg – a single block R = 0.99; the two legs are in parallel.]

„ What is the system reliability?
… Three parallel blocks: R = 1 − (1 − 0.8)³ = 0.992
… Two series blocks: R = 0.992 × 0.95 = 0.9424
… Two parallel legs: R = 1 − [(1 − 0.9424) × (1 − 0.99)] = 0.999424
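The series and parallel rules of the last few slides compose into a small evaluator that handles the two worked RBDs above and, as a practitioner would want, tells you which block is worth improving. This is an added example written for this edit, not course code. The block names (PS1, C1, P1, S, L and so on) are labels chosen here; the reliabilities are the slides' values and are taken as independent probabilities of success over one common interval, which is what the slide calculations assume.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example: reliability block diagram evaluator for the slide 307 and 308
# diagrams. Leaf values are reliabilities (or availabilities) over one common
# interval; blocks are assumed to fail independently.


@dataclass(frozen=True)
class Block:
    name: str
    r: float

    def eval(self, override: dict | None = None) -> float:
        # `override` lets importance analysis force one block to 0 or 1.
        if override and self.name in override:
            return override[self.name]
        return self.r


@dataclass(frozen=True)
class Series:
    parts: tuple

    def eval(self, override: dict | None = None) -> float:
        r = 1.0
        for p in self.parts:        # all must work: multiply reliabilities
            r *= p.eval(override)
        return r


@dataclass(frozen=True)
class Parallel:
    parts: tuple

    def eval(self, override: dict | None = None) -> float:
        q = 1.0
        for p in self.parts:        # all must fail: multiply unreliabilities
            q *= 1.0 - p.eval(override)
        return 1.0 - q


def series(*parts) -> Series:
    return Series(tuple(parts))


def parallel(*parts) -> Parallel:
    return Parallel(tuple(parts))


def availability(mttf: float, mttr: float) -> float:
    """A = MTTF / (MTTF + MTTR); feed these into the same diagram for availability."""
    return mttf / (mttf + mttr)


def birnbaum_importance(system, name: str) -> float:
    """dR_sys/dR_i: system reliability with block i perfect minus with block i failed."""
    return system.eval({name: 1.0}) - system.eval({name: 0.0})


# Slide 307: two parallel legs, each a power supply (0.6) in series with a controller (0.8).
SERIES_PARALLEL = parallel(
    series(Block("PS1", 0.6), Block("C1", 0.8)),
    series(Block("PS2", 0.6), Block("C2", 0.8)),
)

# Slide 308: upper leg = three parallel 0.8 blocks then a 0.95 block; lower leg = 0.99.
COMPLEX = parallel(
    series(parallel(Block("P1", 0.8), Block("P2", 0.8), Block("P3", 0.8)), Block("S", 0.95)),
    Block("L", 0.99),
)

if __name__ == "__main__":
    print(SERIES_PARALLEL.eval())   # 0.7296
    print(COMPLEX.eval())           # 0.999424
    for n in ("P1", "S", "L"):
        print(n, birnbaum_importance(COMPLEX, n))
```

The Birnbaum importance shows where the leverage is: the single lower-leg block L (0.0576) matters far more than block S (0.0099) or any one of the triplicated 0.8 blocks (0.00038), so adding a fourth parallel block to the upper leg would barely move the system figure.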


FSEglobal Fault Trees 309

„ Fault Tree Analysis
… Graphical method to show the logical relationship of failure probabilities and frequencies.
… Top–Down approach starts with the top event and builds the Fault Tree
… Basic events each have a probability, and are calculated upwards to arrive at the probability of the top event
… AND gates use probability multiplication (independent inputs)
… OR gates use probability addition (exact only for mutually exclusive inputs; otherwise an approximation that slightly over-estimates, as the examples that follow show)


FSEglobal Reliability 310

„ Fault Tree Diagrams

„ Example 1

… A system has a transmitter, a controller, and a valve. All components


are needed for successful operation. The probability of failure for the
next year equals 0.01 for the transmitter, 0.0005 for the controller, and
0.015 for the valve
… Draw a Fault Tree describing the situation.
… For the next one year time interval what is the probability of system
success?


FSEglobal Reliability 311

„ Example 1
… System will fail if any element fails – use OR gate.
… Are failures mutually exclusive?

„ Solution
… The failures are not mutually exclusive

P(system failure)
= 0.01 + 0.0005 + 0.015
– (0.01 × 0.0005) – (0.01 × 0.015) – (0.0005 × 0.015)
+ (0.01 × 0.0005 × 0.015)
= 0.02534

[Fault tree: top event System Failure (0.02534) = OR of Transmitter Failure (0.01), Controller Failure (0.0005), Valve Failure (0.015).]


FSEglobal Reliability 312

„ Example 1
… Approximation is done by simply adding the input probabilities.

P(system failure)
= 0.01 + 0.0005 + 0.015
= 0.0255

[Fault tree: top event System Failure (≈ 0.0255 by addition, against 0.02534 exact) = OR of Transmitter Failure (0.01), Controller Failure (0.0005), Valve Failure (0.015).]


FSEglobal Reliability 313

„ Example 2

AC DC Level Time Delay Solenoid


Power Power Switch Relay Valve

… A system has five components. All are needed for proper operation.
… Component failure rates are:
… λ AC POWER = 0.001 failures per year;
… λ DC POWER SUPPLY = 0.04 failures per year;
… λ LEVEL SWITCH = 0.1 failures per year;
… λ TIME DELAY RELAY = 0.2 failures per year;
… λ SOLENOID VALVE = 0.25 failures per year.

… What is the probability of system failure for a one year time interval?


FSEglobal Reliability 314

„ Example 2

[Series RBD: AC Power – DC Power – Level Switch – Time Delay Relay – Solenoid Valve]

Each basic event probability is the one-year unreliability F = 1 − e^(−λ × 1 yr):

AC Power Failure           0.001
DC Power Failure           0.0392
Level Switch Failure       0.0952
Time Delay Relay Failure   0.1812
Solenoid Valve Failure     0.2212

System Failure (OR gate, exact): 1 − (1 − 0.001)(1 − 0.0392)(1 − 0.0952)(1 − 0.1812)(1 − 0.2212) = 1 − e^(−0.591) = 0.4462

With probabilities this large the additive approximation (0.5368) would over-estimate badly; the exact OR combination must be used.


FSEglobal Reliability 315

„ Likelihood Analysis using a Fault Tree

The frequency (F) at which a hazardous event will occur will be:

F = Fa × P1 × P2 × P3 × P4

For the system to fail, the initiating event (frequency Fa) has to happen AND protection layer 1 has to fail AND protection layer 2 has to fail AND protection layer 3 has to fail AND protection layer 4 has to fail.


FSEglobal Reliability 316

„ Markov Models
… The model shows a sequence of failures and repairs.
… CIRCLES represent combinations of failed and successful components.
… ARCS show the effect of failures and repairs.

[Figure: Markov diagram with states 0 (OK), 1 (DDN), 2 (DUN) and 3, distinguishing failure de-energized from failure energized.]


FSEglobal Reliability 317

„ Markov Models
… Accounts for Multiple Failure Modes on one drawing.
… Models different repair rates for different kinds of failures.
… Qualitatively shows the operation of a fault tolerant system.

[Figure: the same four-state Markov diagram as on the previous slide.]


FSEglobal Reliability 318

„ Markov Models
… Markov models can be very simple. A non-repairable component with one failure mode is simply two circles with a failure probability arrow going from success (OK) to failure.
[Figure: OK → FAIL – non-repairable system]
… A repairable component is drawn as two circles with a failure probability arrow and a repair probability arrow.
[Figure: OK ⇄ FAIL – repairable system]


FSEglobal Reliability 319

„ Markov Models
… By convention the Greek lower case letter lambda is used to represent a failure probability.
… This is shorthand for the lambda × time approximation.
… The lower case Greek letter mu is used to represent a repair probability, again using a shorthand for an approximation.

[Figure: repairable system – OK stays OK with probability 1 − λΔt and moves to FAIL with probability λΔt; FAIL returns to OK with probability μΔt and stays failed with probability 1 − μΔt.]
FSEglobal Reliability 320

„ Markov Models
… Markov models can show redundancy and degraded operation.
… They can also show multiple failure modes on one drawing.

[Figures: a Markov model with multiple failure modes; a Markov model of a redundant system with a degraded state.]


FSEglobal Reliability 321

„ Markov Models
… An ideal redundant system can be modeled with either a Markov model or a Reliability Block Diagram.
… These two models are equivalent.

[Figure: a parallel RBD of two blocks, each with R = e^(−λt), beside the equivalent Markov model.]
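The λΔt / μΔt shorthand of slide 319 and the RBD equivalence claimed above can both be checked by stepping a discrete-time Markov chain. This is an added example written for this edit, not course code. The repairable component (λ = 0.001 per hour, μ = 0.5 per hour, i.e. MTTF 1000 h and MTTR 2 h) and the redundant pair (λ = 0.1 per year over 5 years) are constructed figures; the three-state layout for the redundant pair (both OK, one failed, both failed) is the usual model of an ideal 1oo2 pair, assumed here.

```python
import math

# Added example: discrete-time Markov chains using the lambda*dt / mu*dt
# transition approximation, checked against closed-form results.
# Rates are illustrative, not component data.


def step(p, P):
    """One time step: new state vector = p * P (row vector times transition matrix)."""
    n = len(P)
    return [sum(p[i] * P[i][j] for i in range(n)) for j in range(n)]


def run(P, p0, steps):
    p = list(p0)
    for _ in range(steps):
        p = step(p, P)
    return p


def repairable_unavailability(lam, mu, dt, steps):
    """Two-state repairable component: OK --lam*dt--> FAIL, FAIL --mu*dt--> OK.
    Returns P(FAIL) after `steps` intervals of length dt, starting from OK."""
    if lam * dt >= 1.0 or mu * dt >= 1.0:
        raise ValueError("dt too coarse for the lambda*dt / mu*dt approximation")
    P = [[1.0 - lam * dt, lam * dt],
         [mu * dt,        1.0 - mu * dt]]
    return run(P, [1.0, 0.0], steps)[1]


def steady_state_unavailability(lam, mu):
    """Closed form: U = lam/(lam+mu) = MTTR/(MTTF+MTTR), with MTTF = 1/lam, MTTR = 1/mu."""
    return lam / (lam + mu)


def one_out_of_two_failed(lam, t, steps):
    """Ideal non-repairable 1oo2 pair. States: 0 both OK, 1 one failed, 2 both failed.
    Either of two healthy channels can fail (rate 2*lam), then the survivor (rate lam).
    Returns P(both failed at t), which the parallel RBD gives as (1 - e^{-lam t})^2."""
    dt = t / steps
    P = [[1.0 - 2 * lam * dt, 2 * lam * dt,   0.0],
         [0.0,                1.0 - lam * dt, lam * dt],
         [0.0,                0.0,            1.0]]
    return run(P, [1.0, 0.0, 0.0], steps)[2]


def rbd_one_out_of_two_failed(lam, t):
    """Parallel RBD of two blocks with R = e^{-lam t}: system fails only if both fail."""
    return (1.0 - math.exp(-lam * t)) ** 2


if __name__ == "__main__":
    lam, mu = 0.001, 0.5                  # per hour: MTTF 1000 h, MTTR 2 h (constructed)
    print(repairable_unavailability(lam, mu, 0.01, 10_000),
          steady_state_unavailability(lam, mu))          # both ~0.001996
    print(one_out_of_two_failed(0.1, 5.0, 10_000),
          rbd_one_out_of_two_failed(0.1, 5.0))           # both ~0.1548
```

The chain's steady state reproduces U = MTTR/(MTTF + MTTR) exactly, and the three-state pair agrees with the parallel RBD to within the discretisation error of Δt, which is what makes the two models interchangeable for an ideal redundant system; the Markov form is the one that still works once repair, diagnostics or common-cause transitions are added.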


FSEglobal Reliability 322

„ System Reliability Engineering Review

… System Engineering
… Reliability Block Diagrams
… Fault Trees
… Markov Models
… Multiple Failure Modes

„ Questions ?

„ Class Exercise
… Question Sheet – Reliability Engineering


Failure Modes
Safety Instrumented Systems
FSEglobal Failure Modes 324

„ Failure Modes
… With a safety system, the concern is not how the system operates, but how the system fails.
„ Systems can fail in two ways:

Dangerous Failures (fail energised)      Safe Failures (fail de-energised)
… Covert (hidden)                        … Overt (known)
… Inhibiting                             … Initiating
„ Effect: Reduce Safety                  „ Effect: Reduce Availability

[Figure: total failure rate λ split into safe failures λS (60%) and dangerous failures λD (40%); the percentages are illustrative.]
FSEglobal Failure Modes 325

„ Failure Modes
… Failures can be further divided into those that are detected and those that are undetected
… Safe failures can be divided into Safe Detected failures and Safe Undetected failures
… Dangerous failures can be divided into Dangerous Detected failures and Dangerous Undetected failures

[Figure: λ split into Safe (60%: SAFE DETECTED λSD, SAFE UNDETECTED λSU) and Dangerous (40%: DANGEROUS DETECTED λDD, DANGEROUS UNDETECTED λDU).]

λS = λSD + λSU
λD = λDD + λDU
FSEglobal Failure Modes 326

„ Question - how do we expect safety systems to react to the different types of failure?
… A SAFE DETECTED failure takes the process to a safe state
… A SAFE UNDETECTED failure takes the process to a safe state
… A DANGEROUS DETECTED failure will be converted to a safe failure and bring the process to a safe state
… A DANGEROUS UNDETECTED failure will not be recognised, and therefore will not be acted on.


FSEglobal Failure Modes 327

„ Failure Modes
… The safety integrity level is derived from the Probability of Failure on Demand (PFD)
… The Probability of Failure on Demand (PFD) is derived from the dangerous undetected failure rate

[Figure: the same λ split into λSD, λSU, λDD and λDU; only λDU feeds the PFD.]

PFDavg = 1 − e^(−λDU × TI/2)
PFDavg ≈ λDU × TI/2


FSEglobal Failure Modes 328

„ Diagnostic Coverage Factor
… Failure mode data can be derived from knowing the total failure rate and the percentage of Safe or Dangerous failures
… For example, if the total failure rate is 0.01 and the percentage Safe failures is 85%, then failures can be split into
„ Safe Failures = 0.01 × 0.85 = 0.0085
„ Dangerous failures = 0.01 – 0.0085 = 0.0015
… Failure mode data can be split further from knowing the Safe and Dangerous failure rates and the diagnostic coverage factors (C) for Safe and Dangerous failures
… For example if the diagnostic coverage factor for Safe failures is 90%, and for Dangerous failures is 60%, then the failures can be split into:
„ Safe (Detected) = 0.0085 × 0.9 = 0.00765
„ Safe (Undetected) = 0.0085 × 0.1 = 0.00085
„ Dangerous (Detected) = 0.0015 × 0.6 = 0.0009
„ Dangerous (Undetected) = 0.0015 × 0.4 = 0.0006
(Total failure = 0.01)


FSEglobal Failure Modes 329

„ Diagnostic Coverage Factor
… The following general expressions can be used to calculate the failure rate in each failure mode:

Safe Detected Failures          λSD = CS × λS
Safe Undetected Failures        λSU = (1 − CS) × λS
Dangerous Detected Failures     λDD = CD × λD
Dangerous Undetected Failures   λDU = (1 − CD) × λD

… The Safe Failure Fraction (SFF) can be expressed as

SFF = (λSD + λSU + λDD) / λTotal
FSEglobal Failure Modes 330

„ Example
… A valve has a failure rate of 0.05. Analysis indicates that the percentage
of safe failures is 80%, and diagnostics can detect 90% of safe failures,
but only 60% of dangerous failures. What is the safe failure fraction
(SFF) of the valve?

… Safe failures = 0.05 x 0.8 = 0.04


… Safe detected failures = 0.04 x 0.9 = 0.036
… Safe undetected failures = 0.04 x 0.1 = 0.004

… Dangerous failures = 0.05 x 0.2 = 0.01


… Dangerous detected failures = 0.01 x 0.6 = 0.006
… Dangerous undetected failures = 0.01 x 0.4 = 0.004

… SFF = (0.04 + 0.006) / 0.05 = 0.92 or 92%




FSEglobal Failure Modes 331

„ Probability of Failure on Demand (PFD) from Failure Rate
… PFD is derived from failure rate, failure mode and test interval
… Failure rate is divided into Safe Failures (failures that cause a false trip) and Dangerous Failures (failures that can prevent operation)
… For the purposes of safety and calculating PFDavg we are only interested in the Dangerous Undetected Failures
… Many databases that provide failure rates list the different failure modes for an equipment item
… An untested device’s PFD gets larger as the operational time interval increases
… For devices subject to periodic inspection and test, an average PFD can be used

PFDavg ≈ λDU × TI/2, where TI is the test interval


FSEglobal Failure Modes 332

„ Example
… A valve has a failure rate of 0.05. Analysis indicates that the percentage
of safe failures is 80%, and diagnostics can detect 90% of safe failures,
but only 60% of dangerous failures. The valve is tested every four
years. What is the PFDavg of the valve?

… From the previous example, the dangerous undetected failure rate is


0.004

… PFDavg = (0.004 x 4) / 2 = 0.008




FSEglobal Failure Modes 333

„ Review of Failure Modes

… Failure Modes
„ Safe Failures
„ Dangerous Failures
„ Safe Failure Fraction

„ Questions ?

„ Class Exercise
… Question Sheet –Failure Modes


SIL Verification Metrics
Safety Instrumented Systems
FSEglobal SIL Verification Metrics 335

„ SIL Verification Metrics
… The relationship between component failure data and PFDavg is
… PFDavg = λDU × TI/2 where
„ λDU is the dangerous undetected failure rate
„ TI is the test interval
… Risk Reduction Factor (RRF) = 1 / PFDavg

Safety Integrity Level   PFDavg (low demand mode of operation)   Risk Reduction Factor
SIL 4                    ≥ 1E-05 to < 1E-04                      > 10,000 to ≤ 100,000
SIL 3                    ≥ 1E-04 to < 1E-03                      > 1,000 to ≤ 10,000
SIL 2                    ≥ 1E-03 to < 1E-02                      > 100 to ≤ 1,000
SIL 1                    ≥ 1E-02 to < 1E-01                      > 10 to ≤ 100

(The band limits matter: a PFDavg of exactly 1E-02 is SIL 1, not SIL 2.)


FSEglobal SIL Verification Metrics 336

„ SIL Verification

„ Each Safety Instrumented Function can be split into three subsystems:
… Sensor Subsystem
… Logic Solver Subsystem
… Final Element Subsystem

„ Each subsystem must meet the safety performance requirements of the Safety Instrumented Function: the three PFDavg values add up to the PFDavg of the SIF, which must fall in the target SIL band, and each subsystem on its own must satisfy the architectural constraints for that SIL

[Diagram: Sensor Subsystem → Logic Solver Subsystem → Final Element Subsystem, connected in series]


FSEglobal SIL Verification Metrics 337

„ Example of a simple calculation using Reliability Network

… λ (sensor) = 0.000001 per hour (1x10-6)
… λ (logic solver) = 0.0000002 per hour (2x10-7)
… λ (final element) = 0.000005 per hour (5x10-6)

… The system fails if any one of the elements fails. The system is tested once per year

[Reliability network: Sensor Subsystem (1x10-6) → Logic Solver Subsystem (2x10-7) → Final Element Subsystem (5x10-6), in series]


FSEglobal SIL Verification Metrics 338

„ Example of a simple calculation using Reliability Network

[Reliability network: Sensor Subsystem (1x10-6) → Logic Solver Subsystem (2x10-7) → Final Element Subsystem (5x10-6), in series]

The system fails if any one of the elements fails. The system is tested once per year

λ (system) = λ (sensor) + λ (logic solver) + λ (final element)
= 0.000001 + 0.0000002 + 0.000005
= 0.0000062 per hour
= 0.0543 per year (× 8760)

PF = λ (system) × TI
= 0.0543 × 1
= 0.0543

PF here is the probability that the series system has failed by the end of the test interval (the linear form of 1 − e^(−λ TI)); the average over the interval, which is the figure compared against the SIL bands, is PFDavg = λ (system) × TI / 2 = 0.0272.


FSEglobal SIL Verification Metrics 339

„ Example of a calculation using a Fault Tree

… The PFDavg of the sensor subsystem = 3 E-03
… The PFDavg of the logic solver subsystem = 4 E-06
… The PFDavg of the final element subsystem = 7 E-03
… What is the PFDavg of the SIF

[Fault tree: OR gate "System Failure" (1E-02) with inputs Sensor Failure (3E-03), Logic Solver Failure (4E-06), Final Element Failure (7E-03)]

PFDavg (SIF) = PFDavg (sensor) + PFDavg (logic solver) + PFDavg (final element)

PFDavg (SIF) = 0.003 + 0.000004 + 0.007
= 0.010004

RRF = 1 / PFDavg = 99.96

Strictly this is marginally outside the SIL 2 band: SIL 2 requires PFDavg < 1E-02 (RRF > 100), and 0.010004 is just above that boundary, so the function as calculated sits at the top of the SIL 1 band. Rounding the gate value to 1E-02 does not change that; the PFDavg must be brought below 1E-02 (for example by shortening the final element's test interval) before SIL 2 can be claimed.

Which subsystem contributes most to the system failure? The final element, at 0.007 / 0.010004 ≈ 70% of the total; the logic solver is negligible at 0.04%.
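The arithmetic used by the Failure Modes valve example, the reliability network and the fault tree above, as an added worked example (not course code from FSEglobal): it splits a total failure rate into λDU, applies PFDavg = λDU × TI / 2, combines subsystems as an OR gate, and maps the result onto the IEC 61511 low-demand bands with the exact boundary rule, so the fault-tree total of 0.010004 is reported as SIL 1. All numbers in the demonstration are the slides' own.

```python
# Added worked example for the SIL verification arithmetic on these slides;
# not part of the FSEglobal course material. Rates are per year unless noted.

HOURS_PER_YEAR = 8760


def dangerous_undetected_rate(total_rate, safe_fraction, dangerous_coverage):
    """Split a total failure rate into its dangerous undetected part (lambda_DU).

    safe_fraction: share of all failures that are safe (0.80 for the valve slide)
    dangerous_coverage: share of dangerous failures the diagnostics detect
    """
    lam_d = total_rate * (1.0 - safe_fraction)
    return lam_d * (1.0 - dangerous_coverage)


def pfd_avg(lam_du, test_interval_years):
    """PFDavg of a single proof-tested element: lambda_DU * TI / 2.

    Only valid while lambda_DU * TI is small, which holds for low-demand SIFs.
    """
    return lam_du * test_interval_years / 2.0


def rrf(pfd):
    """Risk Reduction Factor."""
    return 1.0 / pfd


def sil_band(pfd):
    """IEC 61511 low-demand band: SIL n means 10**-(n+1) <= PFDavg < 10**-n.

    Returns 0 when the PFDavg does not even reach SIL 1 (>= 0.1). Values below
    1E-05 are reported as 4 because the standard defines no higher level.
    Note the closed lower and open upper bound: exactly 1E-02 is SIL 1.
    """
    if pfd >= 1e-1:
        return 0
    if pfd < 1e-5:
        return 4
    sil = 0
    while pfd < 10 ** -(sil + 1):
        sil += 1
    return sil


def series_pfd(subsystems):
    """OR-gate (fault tree) combination of subsystem PFDavg values.

    Returns the SIF PFDavg and each subsystem's share of it, largest first,
    so the weakest link is visible at once.
    """
    total = sum(subsystems.values())
    shares = sorted(((name, p / total) for name, p in subsystems.items()),
                    key=lambda item: item[1], reverse=True)
    return total, shares


def verify_sif(subsystems, target_sil):
    """Compare a SIF against its target SIL and name the dominant subsystem."""
    total, shares = series_pfd(subsystems)
    achieved = sil_band(total)
    return {
        "pfd_avg": total,
        "rrf": rrf(total),
        "sil": achieved,
        "meets_target": achieved >= target_sil,
        "dominant": shares[0][0],
        "dominant_share": shares[0][1],
    }


if __name__ == "__main__":
    # Valve slide: 0.05/y, 80 % safe, 60 % of dangerous failures diagnosed, TI = 4 y
    lam_du = dangerous_undetected_rate(0.05, 0.80, 0.60)          # 0.004/y
    print("valve PFDavg", pfd_avg(lam_du, 4), "SIL", sil_band(pfd_avg(lam_du, 4)))

    # Reliability network slide: series rates in per hour, TI = 1 y
    lam_sys = (1e-6 + 2e-7 + 5e-6) * HOURS_PER_YEAR               # 0.0543/y
    print("network PF", lam_sys, "PFDavg", pfd_avg(lam_sys, 1))

    # Fault tree slide: the sum lands a hair above the SIL 2 boundary
    print(verify_sif({"sensor": 3e-3, "logic solver": 4e-6,
                      "final element": 7e-3}, target_sil=2))
```

`verify_sif` returns the dominant subsystem alongside the band because that is the first question a verification meeting asks; the same routine, fed the pressure switch and solenoid rates of the High Pressure Protection Loop later in this section, returns SIL 1 against a SIL 2 target.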


FSEglobal Sensor Subsystems 340

„ Sensor Subsystems

„ Sensor subsystems include all components from the sensing element to the terminals of the input card
„ Examples of components in a sensor subsystem:
… Sensing Element
… Transmitter
… Effects of Impulse Lines
… Barrier
… Isolator
… Signal Splitter


FSEglobal Logic Solver Subsystems 341

„ Logic Solver Subsystems

„ Logic Solver subsystems include all components from the terminals of the input card to the terminals of the output card
„ Examples of components in a logic solver subsystem:
… Input card
… Input signal bus
… CPUs (processors)
… CPU bus (redundant processors)
… Embedded software
… RAM
… Watchdog timers
… Output signal bus
… Output card
… Power supplies


FSEglobal Final Element Subsystems 342

„ Final Element Subsystems

„ Final element subsystems include all components from the terminals of the output card to the final control element
„ Examples of components in a final element subsystem:
… Barrier
… Interposing relay
… Solenoid
… Valve
… Motor starter


FSEglobal SIL Verification 343

„ Example: High Pressure Protection Loop

… Uses a pressure switch (PSH) and solenoid

Lambda D (λD)
Solenoid: 2.4 x 10-6 failures per hour
Pressure switch: 3.6 x 10-6 failures per hour

No Diagnostics, Test Interval – 1 year, SIL2 required


FSEglobal SIL Verification 344

„ Example: High Pressure Protection Loop

… Uses a pressure switch (PSH) and solenoid

Lambda D (λD)
Solenoid: 2.4 x 10-6 failures per hour
Pressure switch: 3.6 x 10-6 failures per hour

No Diagnostics, Test Interval – 1 year, SIL2 required

SIF fails if Solenoid or Switch fails, so the dangerous rates add; with no diagnostics every dangerous failure is undetected:
λDU = 2.4 x 10-6 + 3.6 x 10-6 = 6.0 x 10-6 per hour

PFDavg = λDU × TI / 2
PFDavg = (0.000006 × 8760) × 1 / 2
PFDavg = 0.0263
RRF = 1 / PFDavg = 38

Within SIL 1 range
SIL 2 required: the design does not meet its target. With the same devices, a six-month test interval gives PFDavg = 0.013 (still SIL 1) and a three-month interval 0.0066 (SIL 2); the alternatives are redundancy or devices with lower λD.


FSEglobal SIL Verification 345

„ Architectural Constraints

… As technology advances it is becoming easier to achieve the required PFDavg.
… However, PFDavg is not the only safety metric that needs to be satisfied.
… Architectural constraints also need to be satisfied.
… Architectural constraints look at the Hardware Fault Tolerance (HFT) and the Safe Failure Fraction (SFF) of each subsystem to determine if the SIL has been met. The tables give the maximum SIL that may be claimed for a subsystem; the SIF is limited by its weakest subsystem.

SFF = (λSD + λSU + λDD) / λTotal

IEC 61508 Table 2 – Type A
Safe Failure Fraction | HFT = 0 | HFT = 1 | HFT = 2
< 60%                 | SIL 1   | SIL 2   | SIL 3
60% to < 90%          | SIL 2   | SIL 3   | SIL 4
90% to < 99%          | SIL 3   | SIL 4   | SIL 4
≥ 99%                 | SIL 3   | SIL 4   | SIL 4

IEC 61508 Table 3 – Type B
Safe Failure Fraction | HFT = 0 | HFT = 1 | HFT = 2
< 60%                 | NA      | SIL 1   | SIL 2
60% to < 90%          | SIL 1   | SIL 2   | SIL 3
90% to < 99%          | SIL 2   | SIL 3   | SIL 4
≥ 99%                 | SIL 3   | SIL 4   | SIL 4


FSEglobal SIL Verification 346

„ Architectural Constraints

… Type A devices are generally thought of as simple devices, with the following requirements:
… “a) The failure modes of all constituent components are well defined; and
… b) The behaviour of the subsystem under fault conditions can be completely determined; and
… c) There is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met.”
… Examples of Type A devices:
„ Switches
„ Solenoids
„ Valves

(IEC 61508 Tables 2 and 3, as on the previous slide, apply.)


FSEglobal Architectural Constraints 347

„ Architectural Constraints

… Type B devices are generally thought of as complex devices, with the following requirements:
… “a) The failure mode of at least one constituent component is not well defined; or
… b) The behaviour of the subsystem under fault conditions cannot be completely determined; or
… c) No dependable failure data from field experience exists for the subsystem, sufficient to show that the required target failure is met.”
… Examples of Type B devices:
„ Transmitters
„ Programmable devices
„ Etc.

(IEC 61508 Tables 2 and 3, as on the previous slides, apply; a Type B subsystem with SFF below 60% and no fault tolerance cannot be used at any SIL.)


FSEglobal Architectural Constraints 348

„ Safe Failure Fraction (SFF)

SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)

SFF is defined as:

The ratio of the average rate of safe failures plus dangerous detected failures of the subsystem to the total average failure rate of the subsystem.


FSEglobal Architectural Constraints 349

„ Architectural Constraints - Example

… Assume an architecture in which a particular safety function is performed by a single channel of subsystems 1, 2 and 3.

… Assume from the previous tables that these subsystems meet the following requirements:
„ Subsystem 1, Type A, HFT = 0, SFF = 50%. Meets SILac ?
„ Subsystem 2, Type B, HFT = 1, SFF = 80%. Meets SILac ?
„ Subsystem 3, Type B, HFT = 0, SFF = 70%. Meets SILac ?

[Diagram: Subsystem 1 (Type A, SIL ?) → Subsystem 2 (Type B, SIL ?) → Subsystem 3 (Type B, SIL ?), in series]

… The hardware SIL of the function that can be claimed is SILac ?

… Which subsystem limits the hardware SIL?
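The architectural-constraint lookup behind the exercise above, as an added worked example (not course code from FSEglobal): IEC 61508-2 Tables 2 and 3 are encoded once, the SFF is computed from the four rate categories, the SIF's claimable hardware SIL is the minimum over its subsystems, and `sff_with_coverage` shows how diagnostic coverage moves failures from λDU into λDD and raises the SFF of the Failure Modes valve from 80% to 92%. The subsystem values are those on the slide; the valve figures are from the earlier example.

```python
# Added worked example for the architectural constraints exercise above;
# not part of the FSEglobal course material. Table entries reproduce
# IEC 61508-2 Tables 2 (Type A) and 3 (Type B).

# Maximum SIL a subsystem may claim, indexed as ARCH_TABLE[type][sff_band][hft].
# sff_band: 0 = SFF < 60 %, 1 = 60 % to < 90 %, 2 = 90 % to < 99 %, 3 = >= 99 %.
# None means not allowed (Type B with SFF < 60 % and no fault tolerance).
ARCH_TABLE = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[None, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}


def sff(lam_sd, lam_su, lam_dd, lam_du):
    """Safe failure fraction: (safe + dangerous detected) / total failure rate."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / total


def sff_band(value):
    """Map an SFF (0..1) onto the row index of the IEC 61508 tables."""
    if value < 0.60:
        return 0
    if value < 0.90:
        return 1
    if value < 0.99:
        return 2
    return 3


def max_sil(device_type, hft, sff_value):
    """Highest SIL the subsystem can claim on architectural grounds (None = not allowed)."""
    if device_type not in ARCH_TABLE:
        raise ValueError("device type must be 'A' or 'B'")
    if hft not in (0, 1, 2):
        raise ValueError("the tables cover HFT 0, 1 and 2 only")
    return ARCH_TABLE[device_type][sff_band(sff_value)][hft]


def sif_architectural_sil(subsystems):
    """subsystems: iterable of (name, type, hft, sff).

    The SIF can claim no more than its weakest subsystem. Returns the
    claimable SIL (None if any subsystem is disallowed) and the names that
    set that limit, which is where design effort should go.
    """
    per_subsystem = [(name, max_sil(t, hft, s)) for name, t, hft, s in subsystems]
    blocked = [name for name, sil in per_subsystem if sil is None]
    if blocked:
        return None, blocked
    limit = min(sil for _, sil in per_subsystem)
    return limit, [name for name, sil in per_subsystem if sil == limit]


def sff_with_coverage(lam_total, safe_fraction, safe_coverage, dangerous_coverage):
    """SFF of one device from its safe/dangerous split and diagnostic coverage.

    Diagnostics move failures from lambda_DU into lambda_DD, so coverage of
    dangerous failures raises the SFF; coverage of safe failures does not.
    """
    lam_s = lam_total * safe_fraction
    lam_d = lam_total - lam_s
    return sff(lam_s * safe_coverage, lam_s * (1.0 - safe_coverage),
               lam_d * dangerous_coverage, lam_d * (1.0 - dangerous_coverage))


if __name__ == "__main__":
    # The three-subsystem exercise on the slide above
    exercise = [("Subsystem 1", "A", 0, 0.50),
                ("Subsystem 2", "B", 1, 0.80),
                ("Subsystem 3", "B", 0, 0.70)]
    for name, t, hft, s in exercise:
        print(name, "may claim SIL", max_sil(t, hft, s))
    print("SIF hardware SIL and limiting subsystems:", sif_architectural_sil(exercise))

    # The valve from the Failure Modes example: 80 % safe, 90 % / 60 % coverage
    print("valve SFF with diagnostics", sff_with_coverage(0.05, 0.80, 0.90, 0.60))
    print("valve SFF without diagnostics", sff_with_coverage(0.05, 0.80, 0.0, 0.0))
```

Run on the exercise, the lookup gives SIL 1, SIL 2 and SIL 1 for the three subsystems, so the function can claim SIL 1 on hardware grounds and subsystems 1 and 3 are the limiting ones; adding a second channel (HFT = 1) to either would lift it to SIL 2 without touching its SFF.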


FSEglobal Effects of Field Devices 350

„ Effects of Field Devices on SIF Performance

… Field devices are the most critical, and probably the most neglected, elements in safety systems
… Field devices provide input information to the logic solver, and carry out the trip function when the logic solver demands it
… Field devices typically contribute considerably more to the PFDavg value than the logic solver, and therefore have the greatest potential to create problems

Equipment               | Fail to Danger Rate per year | PFDavg | PFDavg % Contribution
Sensor                  | 0.05                         | 0.025  | 42
Logic System (4 relays) | 0.01                         | 0.005  | 8
Solenoid and Valve      | 0.06                         | 0.03   | 50
Total                   | 0.12                         | 0.06   | 100

(The PFDavg column is λD × TI / 2; the figures imply a one-year test interval and no diagnostics.)

… The impact of the field devices on the overall system performance is 92%


FSEglobal Common Cause 351

„ Common Cause

… Failure as a result of one or more events, originating from the same external or internal conditions, causing coincident failures of two or more separate channels in a multiple channel system
… Obvious examples are
„ A single power supply feeding a triplicated controller
„ High temperature in an instrument room
„ Electrical interference from radios
„ Vibration
„ A software bug
„ Separate cables from redundant field devices installed in the same cable tray
… Redundancy is effective against random hardware failures but not against design or other systematic errors.
… Higher levels of redundancy and more complexity make systems more susceptible to common cause problems


FSEglobal Common Cause 352

„ Minimising Common Cause

… The most common methods used to reduce the effect of common cause
problems are separation and diversity.

… Examples
„ Redundant transmitters could be diverse in either process
measurement (one could measure pressure, the other could measure
temperature), or in technology, or both
„ Separate routing for field cables from redundant devices
„ Separate process connections for redundant devices
„ Ensuring test equipment is not faulty. For example, a faulty calibrator
may mean that multiple devices have been calibrated incorrectly
„ Others?


FSEglobal Diagnostics 353

„ Diagnostics
… Automatic diagnostics are available in most microprocessor-based systems such as PLCs, and some smart field devices
… The effect of diagnostics is to detect faults so that appropriate action can be taken – such as initiate an alarm or a shutdown
… When dangerous faults are detected they can be recognised and converted to safe failures. The effect of this is to improve the SFF

SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)

… As the diagnostic coverage increases, λDD increases and λDU decreases. This improves the safe failure fraction, and reduces PFDavg because the dangerous undetected failure rate, λDU, has been reduced.
… A detected dangerous failure only counts as λDD if the system acts on it: an automatic trip to the safe state, or an alarm followed by repair within the MTTR assumed in the model. A diagnostic that merely logs the fault leaves the failure dangerous and undetected in practice.


FSEglobal Class Exercise 354

„ Review of SIL Verification

… SIL Verification Metrics


… Reliability Networks
… Fault Trees
… SIF Subsystems
… Architectural Constraints
… Effects of Field Devices
… Common Cause
… Diagnostics

„ Questions ?

„ Class Exercise
Question Sheet – SIL Verification


FSE global
Functional Safety Engineering
Analysis Models

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Analysis Models 356

„ Modelling Formula
… The equation groups given in this section apply to the individual subsystems as well as the whole SIF

[Diagram: failure classification tree]
Failures
├ Overt Failures – Safe Failure Rate, λs = 1/MTBFsp. Leading to loss of production: trips the plant or stays dead until repaired; a redundant system loses one channel. (Equation Group 1)
└ Covert Failures – Dangerous Failure Rate, λd = 1/MTTF
  ├ Detectable by Self Diagnostics: PFD = λd × (MTTR + (TIa/2)) (Equation Group 2)
  └ Undetectable by diagnostics, detectable only by Manual Proof Testing: PFD = λd × TI/2 (Equation Group 3)

(TIa is the automatic diagnostic test interval and TI the manual proof test interval; MTTR is the mean time to restore after a detected fault.)


FSEglobal Analysis Models 357

„ Modelling Formula

… Equation Group 1 is used to calculate nuisance trips (spurious trips / safe failures). These will not affect the PFDavg directly, but will take the SIS, or one of its channels, out of service and create a loss of availability. MTBFsp is the mean time between spurious trips.

… Equation Group 2 is used to calculate the PFDavg for any system (or part of a system) with automatic diagnostics. Note that the test interval for automatic diagnostics TIa is very short, and should be no more than 50% of the process safety time (fault tolerant time of the process). Typically, TIa would be in the range of 1 to 10 seconds.

… Equation Group 3 is used to calculate the PFDavg for any system with manual proof testing. Note that the manual proof test interval has to be short compared with the MTBF of the system.


FSEglobal Analysis Models 358

„ Modelling Formula

Architecture | Group 1: Overt (Safe) Failure Rate, λs = 1/MTBFsp | Group 2: Covert failures detectable by Self Diagnostics | Group 3: Covert failures detectable by Manual Proof Testing
1oo1 | λs | λd × (MTTR + (TIa/2)) | λd × (TI/2)
1oo2 | 2 × λs | 2 × (λd)² × (MTTR + (TIa/2))² | (λd)² × (TI)² / 3
2oo2 | 2 × (λs)² × MTTR | 2 × λd × (MTTR + (TIa/2)) | λd × TI
2oo3 | 6 × (λs)² × MTTR | 6 × (λd)² × (MTTR + (TIa/2))² | (λd)² × (TI)²


FSEglobal Analysis Models 359

„ Analysis Models
… Using the equations the PFDavg for each subsystem and the SIF can be calculated.
… Example of a Single Channel Model (using example values)
… TI = 1 year; TIa = 1 hr; MTTR = 10 hrs

                             | Sensor        | Logic            | Actuator
Failure Rates (per year)     | λd = 0.05     | λd = 0.02        | λd = 0.1
Apply testing or diagnostics | Proof Testing | Auto Diagnostics | Proof Testing
PFDavg                       | 0.025         | 0.000024         | 0.05

(Logic: 0.02 × (10 + 1/2) hours / 8760 hours per year = 0.000024; sensor and actuator: λd × 1 / 2.)

Overall PFDavg = 0.025 + 0.000024 + 0.05 = 0.075

This qualifies within the SIL 1 range (RRF = 13.3)

The relative values of the different subsystems allow us to detect weak areas
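The Equation Group table and the single-channel example above, as an added worked example (not course code from FSEglobal): the three groups are coded for 1oo1, 1oo2, 2oo2 and 2oo3, the slide's 0.075 / RRF 13.3 result is reproduced, and `architecture_comparison` then applies all four voting schemes to one element so the safety-versus-availability trade-off the table implies is visible in numbers. The rates in the comparison call (0.1 per year dangerous and safe, TI = 1 year, MTTR = 10 hours) are assumed for illustration.

```python
# Added worked example for the Equation Group tables and the single-channel
# model on the slides above; not part of the FSEglobal course material.
# Failure rates are per year; MTTR and TIa are given in hours and converted.

HOURS_PER_YEAR = 8760.0


def spurious_trip_rate(arch, lam_s, mttr_h=0.0):
    """Equation Group 1: overt (safe) failure rate of a voted group, per year.

    1oo2 doubles the single-channel rate (either channel trips the group);
    2oo2 and 2oo3 need a second safe failure inside the repair time.
    """
    mttr = mttr_h / HOURS_PER_YEAR
    return {
        "1oo1": lam_s,
        "1oo2": 2.0 * lam_s,
        "2oo2": 2.0 * lam_s ** 2 * mttr,
        "2oo3": 6.0 * lam_s ** 2 * mttr,
    }[arch]


def pfd_diagnosed(arch, lam_d, mttr_h, tia_h=0.0):
    """Equation Group 2: PFDavg from dangerous failures that self-diagnostics find.

    The exposure time per failure is the repair time plus half the
    diagnostic interval; TIa is usually negligible next to MTTR.
    """
    t = (mttr_h + tia_h / 2.0) / HOURS_PER_YEAR
    return {
        "1oo1": lam_d * t,
        "1oo2": 2.0 * lam_d ** 2 * t ** 2,
        "2oo2": 2.0 * lam_d * t,
        "2oo3": 6.0 * lam_d ** 2 * t ** 2,
    }[arch]


def pfd_proof_tested(arch, lam_d, ti_y):
    """Equation Group 3: PFDavg from dangerous failures found only by proof test."""
    return {
        "1oo1": lam_d * ti_y / 2.0,
        "1oo2": lam_d ** 2 * ti_y ** 2 / 3.0,
        "2oo2": lam_d * ti_y,
        "2oo3": lam_d ** 2 * ti_y ** 2,
    }[arch]


def single_channel_example():
    """The slide's 1oo1 model: TI = 1 y, TIa = 1 h, MTTR = 10 h.

    Sensor 0.05/y and actuator 0.10/y are proof tested; the logic solver
    0.02/y relies on automatic diagnostics.
    """
    sensor = pfd_proof_tested("1oo1", 0.05, 1.0)
    logic = pfd_diagnosed("1oo1", 0.02, 10.0, 1.0)
    actuator = pfd_proof_tested("1oo1", 0.10, 1.0)
    total = sensor + logic + actuator
    return {"sensor": sensor, "logic": logic, "actuator": actuator,
            "total": total, "rrf": 1.0 / total}


def architecture_comparison(lam_d, lam_s, ti_y, mttr_h):
    """Safety versus availability for one element under each voting scheme.

    Returns {arch: (proof-tested PFDavg, spurious trip rate)}: 1oo2 cuts the
    PFDavg but doubles nuisance trips, 2oo2 does the opposite, and 2oo3 gets
    both benefits at the cost of a third device.
    """
    return {arch: (pfd_proof_tested(arch, lam_d, ti_y),
                   spurious_trip_rate(arch, lam_s, mttr_h))
            for arch in ("1oo1", "1oo2", "2oo2", "2oo3")}


if __name__ == "__main__":
    result = single_channel_example()
    print("PFDavg %.6f  RRF %.1f" % (result["total"], result["rrf"]))
    # Assumed illustrative rates, not course data
    for arch, (pfd, tsp) in architecture_comparison(0.10, 0.10, 1.0, 10.0).items():
        print("%s  PFDavg %.5f  trips/year %.5f" % (arch, pfd, tsp))
```

For the actuator of the slide (λd = 0.1 per year) the comparison shows why the weak area is the first candidate for redundancy: moving it from 1oo1 to 1oo2 drops its PFDavg from 0.05 to 0.0033, which on its own would take the SIF from SIL 1 into SIL 2, while the spurious trip rate of that subsystem doubles.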


FSEglobal Analysis Models 360

„ Analysis Models – Step 1

… The process of analysis starts by splitting the SIS into subsystems:
„ Sensor
„ Logic Solver
„ Actuator (Final Element)

… The analysis will look at each subsystem separately before recombining to establish the overall PFDavg of the SIF

[Diagram: SIF = Sensor → Logic → Actuator]


FSEglobal Analysis Models 361

„ Analysis Models – Step 2

… The process of building the model continues by representing the design architecture of the S
IF.
… In this example:
„ The sensor subsystem is dual redundant with diagnostics (1oo2D), allowing one sensor to be disconnected if a fault is detected;
„ The logic solver is single channel with diagnostics (1oo1D); and
„ The actuator is redundant without diagnostics (1oo2).

[Diagram: Sensor subsystem (two parallel sensors, 1oo2D) → Logic (single channel, 1oo1D) → Actuator subsystem (two parallel actuators, 1oo2)]

FSEglobal Analysis Models 362

„ Analysis Models – Step 3

… Next we calculate the safe and dangerous trip rates for a single channel of the sensor subsystem, and then combine both sensors.
… To do this we split the sensor subsystem into components

[Diagram: Sensor 1 and Sensor 2 in parallel → Logic → two parallel Actuators; each sensor channel expanded into Transmitter → Barrier]

… We can now use the failure rate data and failure mode data for each component, and see how each component contributes to potential failures.


FSEglobal Analysis Models 363

„ Analysis Models – Step 4

… Using the failure rate data and failure mode data (percentage split between safe and dangerous failures) for each component, we split the overall failure rate into safe and dangerous failures.

Transmitter: λ1 → λ1s, λ1d
Barrier: λ2 → λ2s, λ2d

λs = λ1s + λ2s
λd = λ1d + λ2d

… By adding the individual safe failure rates we obtain the safe failure rate for one channel.
… By adding the individual dangerous failure rates we obtain the dangerous failure rate for one channel.


FSEglobal Analysis Models 364

„ Analysis Models – Step 5

… Knowing the dangerous failure rate of the channel we can progress towards calculating the PFDavg.
… To do this we need to consider the fraction of failures detected automatically by diagnostics, and the fraction of failures that will be detected by manual proof testing

Single Channel, dangerous failure rate λd:
Automatic Test: PFDa = C × λd × (MTTR + (TIa/2))
Manual Test: PFDm = (1 − C) × λd × TI/2

PFDavg (for the single channel) = PFDa + PFDm

… C represents the fraction of failures found by diagnostics, and is called the diagnostic coverage factor
… (1 − C) represents the fraction of failures found by manual proof testing
… TIa is usually very small compared to MTTR and can be ignored
… TI is the proof test interval for the sensor subsystem

FSEglobal Analysis Models 365

„ Analysis Models – Common Cause

… We also need to model the effects of common cause to account for potential systematic failures
… A common method is to use the Beta (β) factor to represent the fraction of common cause failures.
… This is the fraction of failures inherent in a single channel that will present themselves in all channels of a redundant system.

[Diagram: two parallel channels, each with independent rate (1 − β) × λd, in series with a single common cause block of rate β × λd]

… As common cause failures are common to all channels, they are placed in series with the redundant channels.
… We now need to account for the common cause fraction in the model.


FSEglobal Analysis Models 366

„ Analysis Models – Step 6

… Now we have all the factors we need to complete the model for the sensor subsystem.
… To do this we add the Beta factor into the model and use the Group 2 equations for the diagnostic portion, and Group 3 equations for the proof tested portion, to calculate the PFDavg of the subsystem.

[Diagram: Sensor 1 and Sensor 2 (1oo2D) in parallel, then the Common block in series, then Logic, then the two parallel Actuators]

Redundant Section:
PFDavg (R) = 2 × C × [(1 − β) × λd]² × (MTTR)² + (1 − C) × [(1 − β) × λd × TI]² / 3

Common Cause Section:
PFDavg (C) = C × β × λd × MTTR + (1 − C) × β × λd × (TI/2)

Sensor Subsystem:
PFDavg = PFDavg (R) + PFDavg (C)

FSEglobal Analysis Models 367

„ Analysis Models – Step 7

… The procedure for developing a model (steps 3 to 6) is now repeated for the logic solver subsystem and the actuator subsystem.

[Diagram: Sensor pair (1oo2D) + Common → Logic (1oo1D) → Actuator pair (1oo2) + Common]

PFDavg (SIF) = PFDavg (sensor subsystem) + PFDavg (logic subsystem) + PFDavg (actuator subsystem)


FSEglobal Analysis Models 368

„ Analysis Models – Step 8

… We may have achieved the PFDavg values we wanted, but it may have been at the cost of a higher spurious trip rate.
… The next step in our model should be to determine the effect on spurious trip rate. This time we use equation group 1 for λs.

[Diagram: Sensor pair (1oo2D) + Common → Logic (1oo1D) → Actuator pair (1oo2) + Common]

Tsp (sensor subsystem) = 2 × (1 − β) × λs + β × λs
Tsp (logic subsystem) = λs
Tsp (actuator subsystem) = 2 × (1 − β) × λs + β × λs

Tsp (SIF) = Tsp (sensor subsystem) + Tsp (logic subsystem) + Tsp (actuator subsystem)
MTBFsp (SIF) = 1 / Tsp (SIF)


FSEglobal Analysis Models 369

„ Analysis Models – Reducing Spurious Trip Rate

… A comparison of the effect of redundant (1oo2) and triplicated (2oo3) sensors shows that the spurious trip rate can be improved.

[Diagram: left, two sensors voted 1oo2 with a Common block; right, three sensors voted 2oo3 with a Common block]

Tsp (1oo2 sensor subsystem) = 2 × (1 − β) × λs + β × λs
Tsp (2oo3 sensor subsystem) = 6 × [(1 − β) × λs]² × MTTR + β × λs

… Before deciding on the value of a 2oo3 voting system to improve the spurious trip rate, we need to check its effect on the spurious trip rate of the complete SIF – it may not have much effect on the overall spurious trip rate.
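Steps 5 to 8 and the 1oo2 versus 2oo3 comparison above, carried through in code as an added worked example (not course code from FSEglobal). The formulas are the slides' own; every numeric value in `EXAMPLE` (rates, coverage, β = 5%, MTTR, TI) is assumed for illustration and is not course data. The run shows two things the slides state but do not quantify: with β = 5% the common cause section dominates the 1oo2D sensor PFDavg, and moving the sensors to 2oo3 cuts the sensor trip rate by a factor of about 40 while the SIF's overall trip rate only falls by about 30%, because the 1oo2 actuators dominate it.

```python
# Added worked example for Steps 5 to 8 and the 2oo3 comparison above;
# not part of the FSEglobal course material. The numeric values in EXAMPLE
# are assumed for illustration only and are not taken from the course.
# Rates are per year; MTTR is in hours; TIa is ignored as the slides allow.

HOURS_PER_YEAR = 8760.0


def pfd_1oo1d(lam_d, c, mttr_h, ti_y):
    """Step 5: single channel, coverage C diagnosed (Group 2), rest proof tested (Group 3)."""
    mttr = mttr_h / HOURS_PER_YEAR
    return c * lam_d * mttr + (1.0 - c) * lam_d * ti_y / 2.0


def pfd_1oo2d(lam_d, c, beta, mttr_h, ti_y):
    """Step 6: 1oo2D channel pair with beta-factor common cause.

    Returns (redundant section, common cause section). Each channel keeps
    (1 - beta) * lam_d as an independent rate; beta * lam_d hits both
    channels at once and is modelled as a 1oo1 block in series.
    With c = 0 this is the plain 1oo2 actuator model.
    """
    mttr = mttr_h / HOURS_PER_YEAR
    lam_ind = (1.0 - beta) * lam_d
    lam_cc = beta * lam_d
    redundant = (2.0 * c * (lam_ind * mttr) ** 2
                 + (1.0 - c) * (lam_ind * ti_y) ** 2 / 3.0)
    common = c * lam_cc * mttr + (1.0 - c) * lam_cc * ti_y / 2.0
    return redundant, common


def tsp_1oo2(lam_s, beta):
    """Step 8 / Group 1: spurious trip rate of a 1oo2 pair with common cause."""
    return 2.0 * (1.0 - beta) * lam_s + beta * lam_s


def tsp_2oo3(lam_s, beta, mttr_h):
    """Group 1 for 2oo3 voting: two independent safe failures within MTTR, or a common one."""
    mttr = mttr_h / HOURS_PER_YEAR
    return 6.0 * ((1.0 - beta) * lam_s) ** 2 * mttr + beta * lam_s


def sif_model(p, sensor_voting="1oo2"):
    """Steps 6 to 8 for the slide's architecture: 1oo2D sensors, 1oo1D logic, 1oo2 actuators.

    sensor_voting selects 1oo2 or 2oo3 for the spurious trip comparison;
    the sensor PFDavg is kept on the 1oo2D formula in both cases.
    """
    s_red, s_cc = pfd_1oo2d(p["sensor_ld"], p["sensor_c"], p["beta"], p["mttr_h"], p["ti_y"])
    logic = pfd_1oo1d(p["logic_ld"], p["logic_c"], p["mttr_h"], p["ti_y"])
    a_red, a_cc = pfd_1oo2d(p["act_ld"], 0.0, p["beta"], p["mttr_h"], p["ti_y"])
    pfd = s_red + s_cc + logic + a_red + a_cc

    if sensor_voting == "2oo3":
        tsp_sensor = tsp_2oo3(p["sensor_ls"], p["beta"], p["mttr_h"])
    else:
        tsp_sensor = tsp_1oo2(p["sensor_ls"], p["beta"])
    tsp = tsp_sensor + p["logic_ls"] + tsp_1oo2(p["act_ls"], p["beta"])
    return {
        "sensor": s_red + s_cc, "sensor_common_cause_share": s_cc / (s_red + s_cc),
        "logic": logic, "actuator": a_red + a_cc,
        "pfd": pfd, "rrf": 1.0 / pfd,
        "tsp_sensor": tsp_sensor, "tsp": tsp, "mtbf_sp_years": 1.0 / tsp,
    }


# Assumed illustrative values (not course data): rates per year, beta = 5 %
EXAMPLE = {
    "sensor_ld": 0.05, "sensor_ls": 0.05, "sensor_c": 0.90,
    "logic_ld": 0.02, "logic_ls": 0.02, "logic_c": 0.99,
    "act_ld": 0.10, "act_ls": 0.10,
    "beta": 0.05, "mttr_h": 10.0, "ti_y": 1.0,
}


if __name__ == "__main__":
    for voting in ("1oo2", "2oo3"):
        r = sif_model(EXAMPLE, voting)
        print(voting, "sensors: PFDavg %.5f RRF %.0f  sensor trips/y %.4f  SIF trips/y %.4f"
              % (r["pfd"], r["rrf"], r["tsp_sensor"], r["tsp"]))
```

With these assumed inputs the SIF lands at PFDavg ≈ 0.0058 (RRF ≈ 171, SIL 2) and about 0.31 spurious trips per year (MTBFsp ≈ 3.2 years); the undiagnosed 1oo2 actuators contribute over 90% of the PFDavg and over 60% of the trips, which is the point the slides make about checking the whole SIF before paying for 2oo3 sensors.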


FSEglobal Analysis Models 370

„ Review of Analysis Models

… Reliability Equations
… Building a Model
… Effect of Diagnostics
… Effect of Common Cause

„ Questions ?

„ Class Exercise
… Question Sheet – Analysis Models


FSE global
Functional Safety Engineering
Operation Phase

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Operations Phase 372

„ Activities in the Operations Phase

[Flow diagram of lifecycle phases 13 to 16:]
13. Operation & Maintenance Planning
→ 14. SIS Startup, Operation, Maintenance, Periodic Functional Tests
→ 15. Modify or Decommission?
   Modify → return to the appropriate phase of the safety lifecycle, then back to 14
   Decommission → 16. SIS Decommissioning


FSEglobal Functional Testing 373

„ Functional Testing

… Frequency of testing must be determined
„ Vendors' recommendations are usually conservative
„ Usually every shutdown

… Procedures / documentation must be developed

… Operations and maintenance staff must be trained

… On-line testing required when downtime is not possible
„ Sensors by bypassing
„ Actuators / valves by controlling movement
„ May require redundant components

… Management of Change procedure must be in place

(Sections 9.6 & 9.7)


FSEglobal Management of Change 374

„ Management of Change (MOC)

… Required for
„ Modifications to operating procedures
„ Modifications to process
„ Modifications to fix bugs
„ Software changes
… MOC shall contain
„ Technical basis for proposed change
„ Impact on safety and health (Section 10)
„ Authorization requirements
„ Review of the changes required
„ Notification to affected personnel
„ Changes shall initiate return to appropriate phase of safety life cycle

„ Decommissioning
… Ensure that other units are not impacted
… Ensure proper review prior to permanently retiring an SIS
… MOC required

(Section 11)

FSEglobal Operations Phase 375

„ Review of Operation Phase

… Functional Testing
… Maintenance
… Management of Change
… Modifications
… Decommissioning

„ Questions ?

„ Class Exercise
… Question Sheet – Operation Phase


FSE global
Functional Safety Engineering
Functional Safety Management

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Functional Safety Management 377

IEC61508 defines functional safety as:

“part of the overall safety relating to the equipment under control (EUC) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.”

In more understandable language:

Functional safety management governs the equipment and process safety activities involving safety systems.

THE PURPOSE IS TO REDUCE THE POSSIBILITY OF A SYSTEMATIC FAULT!


FSEglobal Functional Safety Management 378

Functional Safety & the Safety Lifecycle

[IEC 61508 overall safety lifecycle diagram; the activities Management of Functional Safety, Functional Safety Assessment, Documentation and Verification run alongside every phase]
1. Concept
2. Overall scope definition
3. Hazard and risk analysis
4. Overall safety requirements
5. Safety requirements allocation
6. Overall operation and maintenance planning
7. Overall safety validation planning
8. Overall installation and commissioning planning
9. Safety-related systems (SRS): E/E/PES realisation
12. Overall installation and commissioning
13. Overall safety validation
14. Overall operation, maintenance and repair
15. Overall modification and retrofit (back to the appropriate overall safety lifecycle phase)
16. Decommissioning or disposal


FSEglobal Functional Safety Management 379

„ Objectives

… Specify management and technical activities during the Safety Lifecycle to achieve and maintain Functional Safety
… Specify responsibilities of persons and organizations
… Extend an existing and monitored quality system
… Plan, execute, measure and improve


FSEglobal Functional Safety Management 380

Since FSM focuses on procedures, the standards provide a good reference

ƒ 61508 covers everything including safety system hardware and software development
† Part 1 Clause 6 lays out details of FSM
† Broad coverage can make application challenging

ƒ 61511 focuses on the process owners and safety system users
† Part 1 Clause 5 lays out details of FSM
† Narrower coverage makes application more manageable


FSEglobal Functional Safety Management 381

ƒ Safety Planning

† Create a FSM Plan
† Assign Roles and Responsibilities
† Document Personnel Competency
† Documentation, Documentation Control
† Functional Safety Verification and Assessment
† Documented Processes


FSEglobal Functional Safety Management 382

ƒ A FSM Plan describes the Safety Lifecycle

[Flow diagram:]
Analyze – Hazard Analysis / Risk Assessment: Define Design Targets → Document
Design – Execute HW and SW Design → Document
Verify – Evaluate Design: Reliability Analysis of Safety Integrity & Availability → Document; if not OK, Modify (back to Design); if OK, continue
Operate and Maintain → Document


FSEglobal Functional Safety Management 383

ƒ Components of a FSM Plan

† Steps and sequence of work activities
„ Roles and responsibilities
„ Personnel competency
„ Documentation structure
„ Verification tasks for each step
† Safety Requirements Specification development plan
† Design guidelines and methods
† Verification and Validation plans
† Operation and maintenance guidelines
† Management of Change procedures
† Functional safety assessment plan


FSEglobal Functional Safety Management 384

ƒ Roles and Responsibilities

† Must be clearly delineated and communicated
† Each phase of SLC and its associated activities
† One of the specifically noted primary objectives of functional safety management


FSEglobal Functional Safety Management 385

ƒ Personnel Competency

† Ensure that staff “involved in any of the overall or software SLC activities are competent”
† Addressed specifically in IEC 61508-1 (informative Annex B, Competence of persons, in the 1998 edition)
† Training, experience, and qualifications should all be assessed and documented
ƒ System engineering knowledge
ƒ Safety engineering knowledge
ƒ Legal and regulatory requirements knowledge
ƒ More critical for novel systems or high SIL requirements

ƒ Competency Certification
† CFSE (exida)
† FSEng (TÜV)
† ISA SIS Certification


FSEglobal Functional Safety Management 386

What needs to be documented?

ƒ Any information to effectively perform:
† Each phase of the safety lifecycle
† Management of functional safety
† Verification and Validation
† Functional Safety Assessment


FSEglobal Functional Safety Management 387

IEC 61511 Functional Safety Assessment

ƒ Does the safety system meet spec and actually achieve functional safety (freedom from unacceptable risk)?
ƒ Independent team; one competent senior person not involved in the design as a minimum
ƒ Should be performed after the stages below and MUST be done at least at stage 3

… Stage 1 – After hazard and risk assessment and safety requirements specification
… Stage 2 – After SIS design
… Stage 3 – After commissioning and validation (before the hazard is present)
… Stage 4 – After experience in operation and maintenance
… Stage 5 – After modification


FSE global
Functional Safety Engineering
Safety Lifecycle Documentation

Safety Instrumented Systems

Presented by
Dr. Raymond Wright
FSEglobal Safety Lifecycle Documentation 389

Safety Lifecycle Documentation Overview

Topics:

ƒ Safety Lifecycle Context
ƒ General documentation philosophy
ƒ Key documentation required throughout the IEC61508 Safety Lifecycle


FSEglobal Safety Life Cycle (SLC) 390

„ Safety Life Cycle (SLC)

[Colour-coded Safety Life Cycle diagram, not reproduced in this extract]
… Yellow area shows Safety Life Cycle activities or processes
… Blue area shows information required for the activities
… White area shows the documentation produced by the activities

… This diagram provides the structure for the workshop

… See separate sheet in the workshop manual


FSEglobal Safety Lifecycle Documentation 391

IEC61508 and Safety Lifecycle Objectives

[Flow diagram:]
Analyze – Hazard Analysis / Risk Assessment: Define Design Targets → Document
Design – Execute HW and SW Design → Document
Verify – Evaluate Design: Reliability Analysis of Safety Integrity & Availability → Document; if not OK, Modify (back to Design); if OK, continue
Operate and Maintain → Document


FSEglobal Safety Lifecycle Documentation 392

IEC61508 Documentation Philosophy

Two main reasons for documentation according to IEC61508:

ƒ “… in order that all phases of the overall, E/E/PES and software safety lifecycles can be effectively performed.”

ƒ “… in order that the management of functional safety, verification and the functional safety assessment activities can be effectively performed.”


FSEglobal Safety Lifecycle Documentation 393

Philosophy of Documentation as Helpful

ƒ Each of the standards uses documentation to support and aid the different safety activities
ƒ If done correctly and efficiently, documentation can reduce overall time, effort, and money
ƒ If done poorly, documentation is useless, potentially leading to an inappropriate and unsafe system as well as wasted time, effort, and money


FSEglobal Safety Lifecycle Documentation 394

IEC61508 Documentation Objectives

What needs to be documented?

Any information to effectively perform:

ƒ Each phase of the safety lifecycle
ƒ Management of functional safety
ƒ Verification and Validation
ƒ Functional Safety Assessment


FSEglobal Safety Lifecycle Documentation 395

Requirements of the Documentation

Documentation must:

ƒ Contain sufficient information to effectively perform each phase of the safety lifecycle, as well as the associated verification activities
ƒ Contain sufficient information to properly manage functional safety and to support functional safety assessment
ƒ Be accurate and precise
ƒ Be easy to understand


FSEglobal Safety Lifecycle Documentation 396

Requirements of the Documentation

Documentation must also:

ƒ Suit the purpose for which it was intended
ƒ Be accessible and maintainable
ƒ Include titles or names indicating the scope of the contents
ƒ Include a good table of contents and index
ƒ Include a good version control system sufficient to identify different versions of each document and to indicate revisions, amendments, reviews, and approvals


FSEglobal Safety Lifecycle Documentation 397

Structure of the Documents

Corresponding Documentation Structure

ƒ Title indicating the scope of the contents
ƒ Legal entity (e.g., company, author(s), reviewers, etc.)
ƒ Table of contents and index
ƒ Revision index
ƒ Scope and purpose
ƒ Inputs and outputs of relevant SLC phase
ƒ Traceability to Functional Requirements and Safety Integrity Requirements
ƒ Definition of terms


FSEglobal Safety Lifecycle Documentation 398

Example of FSM Documentation Structure


Safety Lifecycle Phase: Information

Scope definition: Description (overall scope definition)
Hazard and risk analysis: Description (hazard and risk analysis)
Safety requirements: Specification (overall safety requirements, comprising overall safety functions and overall safety integrity)
Safety requirements allocation: Description (safety requirements allocation)
Operation and maintenance planning: Plan (overall operation and maintenance)
Safety validation planning: Plan (overall safety validation)
Installation and commissioning planning: Plan (overall installation); Plan (overall commissioning)
Realisation: Realisation of E/E/PE safety-related systems (see parts 2 and 3)
Operation and maintenance: Log (overall operation and maintenance)
Modification and retrofit: Request (overall modification); Report (overall modification and retrofit impact analysis); Log (overall modification and retrofit)
Decommissioning or disposal: Plan & Report (overall decommissioning or disposal impact analysis); Log (overall decommissioning or disposal)
Concerning all phases: Plan (safety); Plan & Report (verification); Plan & Report (functional safety assessment)



FSEglobal Safety Lifecycle Documentation 399

Overall Project Safety Plan

• Ensures and justifies that safety requirements are met, with brief details of:
  • Safety analysis
  • Verification & validation
  • Documentation to be generated
• Brief description of the intended testing and validation activities
  • Factory and site acceptance tests
  • Tests for unexpected behavior
  • Regression testing
• Management procedures that will be applied
  • Quality management
  • Configuration management
  • Recording mechanisms
  • Reviews and safety analysis



FSEglobal Safety Lifecycle Documentation 400

Overall Project Safety Plan

• Follow-up and resolution of modifications and corrective action
• Templates for safety-related documentation to be produced during the lifecycle and for the independent audit process required by the standards
• Training, experience, and qualifications of the persons responsible for the development
• Organization, roles, responsibilities, and interfaces between the units involved in the work, including independent assessment
• Definition of the design methodology and software language subset to be used and its means of enforcement
• Integrity requirements for software tools and measuring techniques


FSEglobal Safety Lifecycle Documentation 401

Verification and Validation Plan and Report

• For each safety function under test or analysis:
  • Specific reference to the allocated requirements (traceability)
  • Description of how the requirements were verified
  • List of the hazards that could possibly affect the function or be affected by the function
  • List of features in the environment on which safe operation depends, including any operator or maintenance actions or any assumptions underlying the safety analysis


FSEglobal Safety Lifecycle Documentation 402

Verification and Validation Plan and Report

• For each safety function under test or analysis:
  • Description of the test and the expected result (passed / failed criteria)
  • Tools and equipment used, along with calibration data
  • Results of each test or analysis
  • Traceability to objectives, requirements, and criteria
  • Discrepancies between expected and actual results
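The traceability and discrepancy items on these two slides lend themselves to an automated cross-check before the report is signed off. The following Python script is an added example, not course material or FSEglobal's own code: it parses a constructed requirement list and a constructed verification record (the `SR-`/`T-` identifiers and the pipe-separated layout are assumed for illustration) and lists requirements with no verification record, test records that reference no allocated requirement, failed tests, and the requirements that count as verified.

```python
# Constructed sample Safety Requirements Specification: id | allocated SIL | text.
SRS_TEXT = """\
SR-001 | SIL2 | Close XV-101 within 5 s on PT-101 high-high
SR-002 | SIL2 | Trip fuel gas on TT-201 high-high
SR-003 | SIL1 | Alarm the operator on LT-301 low
"""

# Constructed sample verification record: test | requirement | expected | actual | result.
VV_TEXT = """\
T-01 | SR-001 | expected: XV-101 closed within 5 s | actual: 3.2 s   | PASS
T-02 | SR-001 | expected: trip on 2oo3 vote       | actual: tripped | PASS
T-03 | SR-002 | expected: fuel gas tripped        | actual: no trip | FAIL
T-04 | SR-009 | expected: n/a                     | actual: n/a     | PASS
"""

def parse_srs(text):
    """Map requirement id -> {'sil', 'text'}; blank or malformed lines are skipped."""
    reqs = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3:
            reqs[parts[0]] = {"sil": parts[1], "text": parts[2]}
    return reqs

def parse_vv(text):
    """Return test records as {'id', 'req', 'result'}."""
    tests = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 5:
            tests.append({"id": parts[0], "req": parts[1], "result": parts[4]})
    return tests

def check_traceability(reqs, tests):
    """Findings a reviewer of the V&V report would want listed."""
    covered = {t["req"] for t in tests}
    return {
        # Allocated requirements with no verification record at all.
        "untraced": sorted(r for r in reqs if r not in covered),
        # Test records referencing a requirement that is not in the SRS.
        "dangling": sorted(t["id"] for t in tests if t["req"] not in reqs),
        # Discrepancies between expected and actual results.
        "failed": sorted(t["id"] for t in tests if t["result"] != "PASS"),
        # A requirement is verified only when every test against it passed.
        "verified": sorted(r for r in reqs if r in covered and
                           all(t["result"] == "PASS" for t in tests if t["req"] == r)),
    }
```

Run `check_traceability(parse_srs(SRS_TEXT), parse_vv(VV_TEXT))` to get the findings as a dictionary; a requirement that is merely covered by a failed test is deliberately not reported as verified.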


FSEglobal Safety Lifecycle Documentation 403

Hardware Design Documentation

• Architecture and interface specifications
• Module design specification
• Design guidelines
• Loop, wiring, and logic diagrams
• Panel layout
• Installation and commissioning requirements


FSEglobal Safety Lifecycle Documentation 404

Software Design Specification and Documentation

• Specification of the software architecture
  • Partitions the logical functions identified in the software requirements into separate programs
  • Partitions the programs into a number of blocks
  • Makes further subdivisions into individual modules
• Control flow model at the program and block level, including definitions of the timing relationships
• Data model and functional model for each program and block, including the specification of the interfaces between them and to the system
• Detailed specification of the required functionality of each module
• Measures for fault tolerance (self-testing and memory integrity)
  • Avoidance (defensive programming)
  • Detection



FSEglobal Safety Lifecycle Documentation 405

Software Design Specification and Documentation

• Program, system, and module level exception behaviors
• Mapping to the Requirements Specification, including safety integrity levels assigned for programs, blocks, and modules
• Indication of how software performance and load requirements will be met at the program level
• Design and coding guidelines
• Source code listing
• Code review report
• Integration and module test specifications and results


FSEglobal Safety Lifecycle Documentation 406

SLC Operation Documentation

Operation Safety Lifecycle Phase: Information

Overall safety validation: Report (overall safety validation)
Overall operation and maintenance: Log (overall operation and maintenance)
Overall modification and retrofit: Request (overall modification); Report (overall modification and retrofit impact analysis); Log (overall modification and retrofit)
Decommissioning or disposal: Report (overall decommissioning or disposal impact analysis); Plan (overall decommissioning or disposal); Log (overall decommissioning or disposal)


FSEglobal Safety Lifecycle Documentation 407

Documentation Summary

Hazard and Risk Analysis: Report
Requirements Definition: Safety Requirements Specification and Requirements Allocation
Verification & Validation: Project Safety Plan and Report
Installation, Commissioning: Plan and Report
Operation, Maintenance: Plan, Instructions, and Log
Modification: Work process instructions, Change request, Report (Impact Analysis), and Log
System, H/W, S/W Design: Architecture Description, Module Design Description
Integration and Module Tests: Specifications and Reports
Assessment: Plan and Report



FSEglobal Safety Lifecycle Documentation 408

Managing the Documentation Process

• Make documentation as much a part of the SLC execution process as possible
• Use templates to eliminate unneeded work
• Use tools that provide appropriate documentation as part of their direct output
• Take advantage of the freedom that the standards provide in specifying the objectives of documentation rather than the specific form


FSEglobal Safety Lifecycle Documentation 409

Maintenance Planning and Documentation

• Routine actions that need to be carried out to maintain the "as designed" functional safety of the system
• Actions and constraints necessary during start-up, normal operation, foreseeable disturbances, hardware or software failures, and shutdown that prevent an unsafe state
• Proper periodic test interval must be calculated and documented as part of the plan
  • Online? Offline? Bypass procedures?
• Records / documentation that need to be maintained
• Procedures for change management and modification of the system and its software
• Traceability to the safety analysis, i.e., activities to confirm that the assumptions made during the safety analysis are achieved
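The periodic test interval is the one plan entry above that has to be calculated rather than merely listed. The following Python is an added example, not FSEglobal course code: it applies the standard simplified low-demand approximation for a single (1oo1) channel, PFDavg ≈ λDU × TI / 2, to pick the longest routine proof-test interval that keeps an element inside its SIL band and records the resulting figures for the plan; the failure rates and element tags are constructed, and the 50% share of the band left for the rest of the loop is an assumed allowance.

```python
# IEC 61508 low-demand PFDavg upper bound for each SIL (the band runs down to
# the next decade, e.g. SIL2 is 1e-2 to 1e-3).
SIL_PFD_MAX = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}
HOURS_PER_MONTH = 8760.0 / 12

def pfd_avg_1oo1(lambda_du, ti_hours):
    """Simplified single-channel PFDavg: dangerous undetected failure rate
    (per hour) times proof-test interval, halved. Repair time, common cause
    and diagnostics are ignored, so this is a planning-level figure only."""
    return lambda_du * ti_hours / 2.0

def max_test_interval_hours(lambda_du, sil, margin=0.5):
    """Longest interval keeping this element within `margin` of the SIL band,
    leaving the remainder for the other elements of the loop (assumed split)."""
    return 2.0 * SIL_PFD_MAX[sil] * margin / lambda_du

def pick_test_interval_months(lambda_du, sil, candidates=(3, 6, 12, 24, 36, 60)):
    """Longest routine interval (months) that meets the target, or None when
    none does: the element then needs redundancy or non-routine testing."""
    limit = max_test_interval_hours(lambda_du, sil)
    feasible = [m for m in candidates if m * HOURS_PER_MONTH <= limit]
    return max(feasible) if feasible else None

def plan_entry(tag, lambda_du, sil):
    """The figures to record in the maintenance plan for one element
    (tag and lambda_du are constructed sample values)."""
    months = pick_test_interval_months(lambda_du, sil)
    pfd = pfd_avg_1oo1(lambda_du, months * HOURS_PER_MONTH) if months else None
    return {"tag": tag, "sil": sil, "test_interval_months": months, "pfd_avg": pfd}

if __name__ == "__main__":
    # Constructed sample elements: a valve at SIL2 and a transmitter at SIL3.
    for entry in (plan_entry("XV-101", 5e-7, 2), plan_entry("TT-201", 2e-6, 3)):
        print(entry)
```

A `None` interval is the result the plan must not silently absorb: with the constructed SIL3 transmitter, no routine interval keeps a single channel in band, which is exactly the assumption that the traceability item above asks the plan to confirm or revisit.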



FSEglobal Post-Instructional Survey 412

„ Post-Instructional Survey
… Answer the questions to the best of your ability
… The results will help the instructor improve the course
… 30 minutes


FSEglobal End of Presentation 413

Thank you
Questions: Please send any questions to
ray.wright@optusnet.com.au
We will respond as soon as possible.