TÜV FS Engineer IEC 61508 / IEC 61511 Solutions, Day 1
Course Provider: Yokogawa's Safety Expertise Group

End of Module 1 Questions:
1) What is safety?
2) Name three characteristics of a safety system.
3) How can one reduce the risk?
4) What is a demand?
5) What is the main difference between a control system and a safety system?

Answers:
1) Freedom from unacceptable risk.
2) Independent, predetermined safe state, only when the process runs out of control.
3) Design, mechanical risk reduction (relief valves etc.), external risk reduction (mitigation), safety systems.
4) Process request for a protective action, for example a high or low

End of Module 2 Questions:
1) What are the 5 main aspects of IEC 61508 and IEC 61511?
2) For SIL 2 what is the maximum PFDavg? What is the RRF?
3) What is the main difference between IEC 61508 and IEC 61511?
4) What does FSM imply?
5) What is a SIF?

Answers:
1) Safety Lifecycle, Pipe to Pipe Approach, Quantitative Safety Assessment, Hardware Fault Tolerance, Functional Safety Management System.
2) For SIL 2 the maximum PFDavg = 10E-2, the RRF between 100-1000.
3) Main difference: 08 is generic, 11 is specifically for the process industry.
4) Intention of FSM: reduction of systematic failures.
5) SIF: safety instrumented function, complete loop, pipe to pipe etc.

What are the SIFs?
[figure: P&ID with SIF 1 to SIF 7 marked; tag list not legible]
4) Protects the pump against running dry.
6) To manual stop [rest not legible]; SIF 3 is part of ESD.
7) Protects the pipeline against overpressure.
6) and 7) combined: [not legible] is part of ESD.

Second case:
1) Protects Train A against overpressure: 1oo1 valve.
2) Protects Train B against overpressure: 1oo1 valve.
3) Protects [not legible] against overpressure: 1oo2 valves.
Rest is the same as previous (H23 is now 4 SIFs).

SIF 1 (pump protection): what is the SIL target?
Repair cost of pump: 10 KE
Production loss: 100 KE / day
Repair time: 1/2 day
Trip rate: approx. once every 1 yr
[risk matrix: consequences (health and safety, economics (loss), environmental) against demand rate (time between demands)]

SIF 2 (overpressure) exercise: what is the target SIL?
Scenario 1: unmanned installation
Scenario 2: manned installation (1-2 persons working close to the vessel)
Repair cost of vessel: 200 KE
Production loss: 100 KE / day
Repair time: 5 days
Fluids contain methane gas
Trip rate: approx. once every 2 yrs
[risk matrix for each scenario: consequence categories (health and safety, economics (loss), environmental) against demand rate >20 years, 4-20 years, 0.5-4 years]

End of Module 3 Questions:
1) How are the SIFs of a process determined?
2) Which methods do you know to determine the target SIL?
3) Which method is prescribed in the standards?

Answers:
1) No real method prescribed, but in most cases it is done in HAZOP. Standards do not even give an example to determine the SIF.
2) ALARP (As Low As Reasonably Practicable), Risk Graph, Risk Matrix, FTA (Fault Tree Analysis), LOPA (Layers of Protection Analysis).
3) Like for the SIF determination there is nothing prescribed, only in this case examples of how to do it are given (ALARP, FTA, LOPA etc.).

Exercise: draw the RBD. Model in RBD the following DTS SIF. [figure]

TÜV FS Engineer IEC 61508 / IEC 61511 Solutions, Day 2
Course Provider: Yokogawa's Safety Expertise Group

An exercise (1) [figure; items 1) to 9) not legible]

End of Module 4 Answers (the questions are not legible in the source):
For safety: DTS, in case of power loss the outputs will go to their safe position.
1oo2 is better for safety, 2oo2 is better for availability, 2oo3 is a good combination for better safety and higher availability.
Sensor validation means you have more than one sensor and the values from the sensors are compared. If the values from the sensors differ too much an action/alarm can be raised.
Process Safety Time is the time left between a demand and the completion of the actions before things go wrong. For example, high level in a vessel measured, this means that there are 15 minutes left to close the inlet before the vessel starts overflowing.
4) + 5) = 9.0E-3 + 5.0E-6 = 9.005E-3 => 0.9005E-2 => SIL2 (nearly SIL 1).
Overrides "kill" the safety function. The intention of the SIF is bypassed, so a demand cannot result in a corrective action anymore. With strict procedures (permits) and indications that overrides are placed in the system. A hardwired enable key switch is highly recommended.

End of Module 5 Questions:
1) What is the intention of FSM?
2) What is the role of documentation?
3) What is verification? What is validation?
4) What is impact analysis?
5) When is validation mandatory?

Answers:
1) Reduction of systematic failures.
2) Provide an auditable trail for all steps taken.
3) Verification is a check if one small step is done correctly. Validation is a check if a large step (for example the realization phase) has been done correctly. So the project FAT is a validation from the customer to check if the SRS from him has been correctly taken over in the realized system.
4) If an error is found or a change has to be engineered which involves SIF or SIL, it must be analyzed (and documented!) what the impact of the change shall be.
5) At the end of SIS realization and before starting up the plant.

Exercise: calculate failure rates
1 year = 365 days x 24 hr = 8760 hr
1 million hr = 1,000,000 / 8760 = 114 year
1 FIT = 1/10^9 hr
The failure rate is 5.70 E+01 / million hr. How many FITs is that? 5.7 E+04 (= 57000) FIT
What is the MTBF in years? 1 million hr / 5.7 E+01 -> 114 yr / 57 -> 2 yr
The MTBF of an isolator is 15 years. How do you convert to failures per million hr?
Format = 1 / million hr. 15 yrs -> (15/114) million hr -> (114/15) / million hr -> 7.6 E-06 / hr

Case 1: End user requires compliance with IEC 61508 Route 1H.
Sensors: three transmitters (1oo3 voted); logic solver: ProSafe-RS; final elements: one valve.
Final elements: type A, 96%. Sensors: type B, 80%.
The compliant SIF architecture is shown in the figure below. [figure]

Case 2: End user requires compliance with IEC 61508 Route 2H (prior use is available).
Sensors: two transmitters (1oo2 voted); logic solver: ProSafe-RS; final elements: two valves (1oo2 voted).
Sensors and final elements: 1 HFT.
The compliant SIF architecture is shown in the figure below. [figure]

Case 3: End user requires compliance with IEC 61511 (prior use is available).
IEC 61511 is the same as IEC 61508 Route 2H -> same result as Case 2.

SIF 1: How does the design look? You remember: to protect the pump against running dry, and it was SIL1 (apply IEC 61511 and proven in use).
[table: minimum hardware fault tolerance acc. IEC 61511 (see Table 6), by SIL and demand mode]
[figure: SIF 1 design]

SIF 2: How does the design look? You remember: to protect against high pressure, unmanned installation, SIL2 (apply IEC 61511 and proven in use).
[table: minimum hardware fault tolerance acc. IEC 61511 (see Table 6), by SIL and demand mode]
[figure: SIF 2 design, 1oo2 with SOVs]

SIF 2: How does the design look? Same, but manned installation, SIL3 (apply IEC 61511 and proven in use).
[table: minimum hardware fault tolerance acc. IEC 61511 (see Table 6), by SIL and demand mode]
[figure: SIF 2 design, manned installation, SIL3]

End of Module 6 Questions:
1) What is the HFT of a 2oo3 voter?
2) What is the HFT of a 2oo2 voter?
3) Which voting gives a HFT of 2?
4) Which failure modes are there?
5) Which failure rate is used for the PFD?
6) What is a human failure?

Answers:
1) 1
2) 0
3) 1oo3 or 2oo4
4) Fail Safe Detected, Fail Safe Undetected, Fail Dangerous Detected, Fail Dangerous Undetected
5) Lambda Dangerous Undetected
6) In operational phase only: operator taking wrong actions, maintenance man starts working on the wrong equipment, management did not train the employees.

TÜV FS Engineer IEC 61508 / IEC 61511 Solutions, Day 3
Course Provider: Yokogawa's Safety Expertise Group

Common cause: voted inputs [figure]

End of Module 7 Questions:
1) What is common cause?
2) How is common cause expressed?
3) Is Beta = 7% a normal value for transmitters?

Answers:
1) It is a single stress event that will cause the simultaneous (or near simultaneous) failure of 2 or more legs of a redundant system.
2) It's a percentage of the failure rate.
3) It's a bit high, a common cause of 10 percent will cause the loss of a SIL level.

PFDavg calculation, cases 1 and 2 (use the 61508-1H PFDavg calculation and 1 yr = 10000 hrs)
Pressure transmitter (1oo1): lambda DU = 0.1 / million hr, SFF = 80%
Logic solver (1oo1): lambda DU = 0.001 / million hr, SFF = 95%
Shutdown valve (1oo1): lambda DU = 0.9 / million hr
1) T_PT = T_SDV = 1 year, T_LS = 10 year, SIL = ?
2) T_PT = T_SDV = 5 year, T_LS = 10 year, SIL = ?

Solution case 1
1oo1: PFDavg = 1/2 x lambda_DU x T
PFD_PT = 0.5 x 0.1 x 10^-6 x 1 x 10^4 = 5 x 10^-4 = 0.5 x 10^-3
PFD_LS = 0.5 x 0.001 x 10^-6 x 10 x 10^4 = 5 x 10^-5 = 0.05 x 10^-3
PFD_SDV = 0.5 x 0.9 x 10^-6 x 1 x 10^4 = 4.5 x 10^-3
PFD_total = PFD_PT + PFD_LS + PFD_SDV = 5.05 x 10^-3 = 0.5 x 10^-2 -> 10^-3 < PFD < 10^-2 -> SIL2
Is that right?? NO, SIL1 because of HFT.

Solution case 2
1oo1: PFDavg = 1/2 x lambda_DU x T
PFD_PT = 0.5 x 0.1 x 10^-6 x 5 x 10^4 = 2.5 x 10^-3
PFD_LS = 0.5 x 0.001 x 10^-6 x 10 x 10^4 = 5 x 10^-5 = 0.05 x 10^-3
PFD_SDV = 0.5 x 0.9 x 10^-6 x 5 x 10^4 = 2.25 x 10^-2 = 22.5 x 10^-3
PFD_total = PFD_PT + PFD_LS + PFD_SDV = 25.05 x 10^-3 = 0.25 x 10^-1 -> 10^-2 < PFD < 10^-1 -> SIL1

PFDavg calculation, cases 3 and 4 (use the 61508-1H PFDavg calculation and 1 yr = 10000 hrs)
Pressure transmitter (1oo2): lambda DU = 0.1 / million hr, SFF = 80%
Logic solver (1oo1): lambda DU = 0.001 / million hr, SFF = 95%
Shutdown valve (1oo2): lambda DU = 0.9 / million hr
3) T_PT = T_SDV = 1 year, T_LS = 10 year, common cause = 0, SIL = ?
4) T_PT = T_SDV = 1 year, T_LS = 10 year, common cause = 10%, SIL = ?

Solution case 3
1oo1: PFDavg = 1/2 x lambda_DU x T
1oo2: PFDavg = 1/3 x lambda_DU x lambda_DU x T x T
PFD_PT = 0.33 x 0.1 x 10^-6 x 0.1 x 10^-6 x 1 x 10^4 x 1 x 10^4 = 3.3 x 10^-7
PFD_LS = 0.5 x 0.001 x 10^-6 x 10 x 10^4 = 5 x 10^-5
PFD_SDV = 0.33 x 0.9 x 10^-6 x 0.9 x 10^-6 x 1 x 10^4 x 1 x 10^4 = 2.7 x 10^-5
PFD_total = PFD_PT + PFD_LS + PFD_SDV = 7.7 x 10^-5 -> 10^-5 < PFD < 10^-4 -> SIL4
Is that right?? No! SIL2.

Solution case 4
1oo1: PFDavg = 1/2 x lambda_DU x T
1oo2 with common cause: PFDavg = 1/3 x (1-beta) x (1-beta) x lambda_DU x lambda_DU x T x T + 1/2 x beta x lambda_DU x T
PFD_PT = 0.33 x 0.9 x 0.9 x 0.1 x 10^-6 x 0.1 x 10^-6 x 1 x 10^4 x 1 x 10^4 + 0.5 x 0.1 x 0.1 x 10^-6 x 1 x 10^4
PFD_LS = 0.5 x 0.001 x 10^-6 x 10 x 10^4 = 5 x 10^-5 = 0.5 x 10^-4
PFD_SDV = 0.33 x 0.9 x 0.9 x 0.9 x 10^-6 x 0.9 x 10^-6 x 1 x 10^4 x 1 x 10^4 + 0.5 x 0.1 x 0.9 x 10^-6 x 1 x 10^4
PFD_total = PFD_PT + PFD_LS + PFD_SDV = 5.7 x 10^-4 -> 10^-4 < PFD < 10^-3 -> SIL3
Is that right?? No, again SIL2.

TÜV FS Engineer IEC 61508 / IEC 61511, Extra Exercises on Day 3
Course Provider: Yokogawa's Safety Expertise Group

Extra exercise 1
Case 1: Both SDVs act on Pressure High of either the PT or the PS.
Case 2: SDV1 works on Pressure High High from PT and SDV2 works on Pressure High from PS.
[figure]

Extra exercise 2
Find (circle) the SIFs. Draw the RBDs.
[figure: level transmitter and pressure transmitter to logic solver, SDV1 and SDV2]
What configuration do you see? What is the RBD?

Interactive exercise 1
2 shutdown valves in 1oo2, each with 2 solenoid valves in 1oo2.
The first SDV leg: SDV and solenoids 1oo2, connect to the logic solver. Then the other SDV leg. Then connect, based on 1oo2 of the SDVs.

Interactive exercise 2
What configuration do you see? 2 shutdown valves in 2oo2, each with 1 solenoid valve in 1oo1.
First the SDVs, then the solenoids, then connect. What is the RBD?

Interactive exercise 3a
Assume 1 year = 10,000 hour. Proof test interval = 1 year. SFF = 93%, Lambda DU = 1.8 E-7/hr. What is the maximum SIL?
HFT solenoid = 0, SFF = 83% -> SIL2 maximum. HFT SDV = 0, SFF = 99% -> SIL3 maximum.
PFDavg solenoid = 0.4 E-2, PFDavg SDV = 0.9 E-3 -> better than 1 E-2 -> SIL2.

Interactive exercise 3b
Does this change of the solenoid configuration help? No. Solenoids are now 2oo2, so HFT is still 0 and PFDavg will be 2 times as high.

Interactive exercise 4
Assume 1 year = 10,000 hour. Proof test interval = 1 year. SFF = 93%, Lambda DU = 1.8 E-7/hr. What is the maximum SIL?
HFT solenoid = 1, SFF = 83% -> SIL3 maximum. HFT SDV = 0, SFF = 93% -> SIL3 maximum.
PFDavg SDV = 0.9 E-3, PFDavg solenoids = [not legible] / 3 = 0.21 E-4, total = 0.921 E-3 -> better than 1 E-3 -> SIL3? NO, because budget final elements = 50% -> SIL2.

Interactive exercise 5
Assume 1 year = 10,000 hour. Proof test interval = 1 year. SFF = 93%, Lambda DU = 1.8 E-7/hr. What is the maximum SIL? SIL3? What is the RBD?
The first SDV leg: SDV and solenoid, connect. The second SDV leg, connect.
HFT solenoid = 1, SFF = 83% -> SIL3 maximum. HFT SDV = 1, SFF = 99% -> SIL4 maximum. Combined: SIL3 maximum.
1oo2: PFDavg = 0.33 E-4 -> better than 1 E-4 -> SIL4 -> yes.

Interactive exercise 6
SFF = 93%, Lambda DU = 1.8 E-7/hr.
We are now at PFDavg = 0.33 E-4 = 33% of the SIL4 budget = 3.3% of the SIL3 budget.
Now we can optimize. For example: extend the proof test interval. How long before we "lose" SIL3? 50 / 3.3 -> 15 -> almost 4 years (actually: 4.5 years if you calculate with 8760).
Now we can optimize. For example: improve the availability and still be SIL3. How? Work it out with a drawing, RBD and calculation.

Interactive exercise 7
[figure] Lambda sum formula: (1.8 E-6 x 1.8 E-6 x 1.0 E4 x 1.0 E4) / 3 = 1.08 E-4 -> 10.8% of the SIL3 budget.
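Worked example, added here and not part of the course material: the PFDavg arithmetic of solution cases 1 to 4 and the proof-test interval stretch from interactive exercise 6, in Python. It uses the slide values (rates per million hr, 1 year = 10,000 hr, lambda DU 0.1 / 0.001 / 0.9, SFF 80% and 95%); the shutdown valve SFF of 80%, treating all three elements as type B, and the IEC 61508 Route 1H type B table used for the HFT check are assumptions supplied here, not taken from the slides.

```python
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
SFF_EDGES = (0.60, 0.90, 0.99)  # SFF bands: <60 %, 60-90 %, 90-99 %, >=99 %
# IEC 61508 Route 1H maximum SIL for a type B element, keyed by HFT, per SFF band (0 = not allowed)
ROUTE_1H_TYPE_B = {0: (0, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)}
YEAR = 10_000.0   # course convention: 1 year = 10,000 hr
PER_MHR = 1e-6    # slide failure rates are per million hours

def pfd_1oo1(lam_du, t_proof):
    """Single element: PFDavg = 1/2 * lambda_DU * T (lambda in 1/hr, T in hr)."""
    return 0.5 * lam_du * t_proof

def pfd_1oo2(lam_du, t_proof, beta=0.0):
    """Redundant pair: 1/3 (1-beta)^2 lambda^2 T^2 plus the common-cause part 1/2 beta lambda T."""
    return (1 - beta) ** 2 * lam_du ** 2 * t_proof ** 2 / 3 + 0.5 * beta * lam_du * t_proof

def sil_from_pfd(pfd):
    """SIL band for a low-demand SIF: 10^-(n+1) <= PFDavg < 10^-n; 0 if worse than SIL1."""
    return next((s for s, (lo, hi) in SIL_BANDS.items() if lo <= pfd < hi), 0)

def arch_cap_type_b(hft, sff):
    """Architectural ceiling on the SIL claim for a type B element with the given HFT and SFF."""
    return ROUTE_1H_TYPE_B[hft][sum(sff >= edge for edge in SFF_EDGES)]

def solve_case(pt_voting, sdv_voting, t_pt_years, t_sdv_years, beta=0.0):
    """(PFDavg, SIL by PFD, SIL after the HFT check) for the PT / logic solver / SDV loop."""
    elements = [  # (lambda_DU per million hr, SFF, voting, proof-test interval in years)
        (0.1, 0.80, pt_voting, t_pt_years),    # pressure transmitter (SFF 80 % from the slide)
        (0.001, 0.95, "1oo1", 10),             # logic solver, proof tested every 10 years
        (0.9, 0.80, sdv_voting, t_sdv_years),  # shutdown valve; SFF 80 % is an assumption here
    ]
    total, cap = 0.0, 4
    for lam, sff, voting, years in elements:
        lam_hr, t_hr = lam * PER_MHR, years * YEAR
        if voting == "1oo1":
            total += pfd_1oo1(lam_hr, t_hr)
            cap = min(cap, arch_cap_type_b(0, sff))
        else:  # 1oo2 tolerates one dangerous fault
            total += pfd_1oo2(lam_hr, t_hr, beta)
            cap = min(cap, arch_cap_type_b(1, sff))
    by_pfd = sil_from_pfd(total)
    return total, by_pfd, min(by_pfd, cap)

def max_proof_test_years(pfd_now, t_now_years, budget, order):
    """Longest proof-test interval that keeps PFDavg within budget, for PFDavg ~ T**order."""
    return t_now_years * (budget / pfd_now) ** (1.0 / order)

if __name__ == "__main__":
    for args in (("1oo1", "1oo1", 1, 1), ("1oo1", "1oo1", 5, 5), ("1oo2", "1oo2", 1, 1), ("1oo2", "1oo2", 1, 1, 0.1)):
        print("PFDavg=%.2e SIL(PFD)=%d SIL(after HFT)=%d" % solve_case(*args))
    # exercise 6: 1oo2 final elements at 0.33E-4 against 50 % of the SIL3 budget (0.5E-3), PFD ~ T^2
    print("lose SIL3 after %.1f years" % max_proof_test_years(0.33e-4, 1, 0.5e-3, 2))
```

The four printed lines reproduce the slides' 5.05E-3 / SIL1, 2.5E-2 / SIL1, 7.7E-5 / SIL2 and 5.7E-4 / SIL2 results, and the last line gives the "almost 4 years" of exercise 6.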