All content following this page was uploaded by Stein Hauge on 08 October 2014.
ABSTRACT
This paper presents the main results from a project that prepared a guideline for use of the
standards IEC 61508 and IEC 61511 in the offshore industry of Norway. The focus is on the
determination of the Safety Integrity Level (SIL) for main equipment. The paper also discusses
the elements contributing to safety unavailability and the calculation of the Probability of
Failure on Demand (PFD), which is crucial for the determination of SIL.
1. INTRODUCTION
Today it seems evident that, at least in Europe, IEC 61508 (ref. [1]) will become the central
standard for specification, design and operation of Safety Instrumented Systems (SIS). Thus, the
standard will have a major impact on the safety work e.g. within the process industry. Whereas IEC
61508 is a generic standard common to several industries, the process industry is currently
developing its own sector specific standard for application of SIS, i.e. IEC 61511 (ref. [2]).
In Norway the offshore oil/gas industry is one major area for the use of IEC 61508 and IEC
61511. The experience so far is that the application of these standards has been beneficial.
However, several challenges have emerged during the work with the Norwegian guideline and during
actual use of IEC 61508. In spite of the negative aspects, IEC 61508 and IEC 61511 introduce a
number of positive elements, and it is therefore important that these standards are implemented. One
of the many positive aspects is the focus on the entire lifecycle, and the requirements related to
operation and maintenance, in addition to design.
The Norwegian Petroleum Directorate (NPD) will in their forthcoming regulations (to
become operative 01.01.2002) recommend the use of IEC 61508 for defining the performance level
for instrumented safety functions. Therefore, the Norwegian offshore industry and NPD took an
initiative in order to ease the implementation of IEC 61508/61511. A guideline (ref. [3]) was
developed, which supports the use of the standards, and gives guidance on how to implement the
defined functions in order to obtain the required safety level. In particular, it treats the determination
of SIL for common safety functions on offshore production installations. Major operators on the
Norwegian Continental Shelf, engineering companies and vendors, together with SINTEF and
NTNU (Norwegian University of Science and Technology) carried out the work as a joint industry
project during the autumn 2000. The guideline was sponsored and issued by the Norwegian Oil
Industry Association (OLF) in January 2001. The NPD will refer to this guideline in their new
regulations.
An expressed objective underlying the guideline work was to include as many companies as
possible and to utilise the experience gathered by these companies, in order to arrive at good
solutions. Further, it was accepted that current design practice for instrumented safety systems has
resulted in a safety level considered adequate and that the implementation of IEC 61508 therefore
should be attempted without significantly increasing the overall costs.
Table 1: Safety integrity levels for safety functions (from IEC 61508-1, Table 2 and 3)

Safety Integrity   Low demand mode of operation              High demand or continuous mode of
Level (SIL)        (average probability of failure to        operation (probability of a
                   perform its design function on demand)    dangerous failure per hour)
4                  ≥ 10^-5 to < 10^-4                        ≥ 10^-9 to < 10^-8
3                  ≥ 10^-4 to < 10^-3                        ≥ 10^-8 to < 10^-7
2                  ≥ 10^-3 to < 10^-2                        ≥ 10^-7 to < 10^-6
1                  ≥ 10^-2 to < 10^-1                        ≥ 10^-6 to < 10^-5
In addition to specifying a quantitative requirement to the failure probability, the SIL also
forms the basis for a number of qualitative requirements. This includes architectural constraints on the
safety systems as well as the description of which techniques and measures should be used in order
to avoid and control systematic faults in both hardware and software. Both IEC 61508 and IEC
61511 describe a fully risk based approach for determining the SIL requirements. The methods
indicated within IEC 61508 for determining the SIL, range from using pure quantitative risk
assessments to more qualitative methods such as risk graphs. In particular, the risk graph technique
has been extensively applied when determining SIL requirements for local safety functions such as
Process Shutdown Systems (PSD).
Table 2: Examples of minimum SIL requirements for main PSD functions

Columns: Safety function / SIL / Functional boundaries for given SIL requirement, comments

Safety function: PSD functions PAHH, LAHH, LALL (closure of critical valve)
SIL: 2
Functional boundaries / comments: The function starts with (and includes) the process sensor (e.g.
PAHH), and terminates with closing of the critical valve.
Note: The given requirement for PAHH and LAHH assumes that there is one common inlet line to the
considered process equipment. In case of one of several inlet lines and thus several valves to
close, a separate evaluation of required SIL should be performed.

Safety function: PSD function LAHH on flare knock-out drum (detection and transfer of shutdown
signal)
SIL: 2
Functional boundaries / comments: The function starts with (and includes) the process sensor and
terminates at the unit(s) intended to perform the action (cf. Note 2).
Note 1: When implemented in both the PSD and ESD system, this combined function can obtain SIL 3.
Note 2: The final element(s) have not been included since a generic definition of this function
has been impossible to give.

Safety function: Isolation of riser (shut in of one riser)
SIL: 2
Functional boundaries / comments: The SIL requirement applies to the sub-function needed for
isolation of one riser/flowline, i.e.:
- ESD node
- ESD valve including solenoid(s) and actuator
The QRA should verify whether a stricter requirement (SIL 3) is required due to dimension, length,
number of and fluid composition of risers/flowlines.

Safety function: Gas detection (alarm signal generated, processed and action signals transmitted)
SIL: 2
Functional boundaries / comments: The SIL requirement applies to the sub-function needed for gas
detection, given exposure of one detector, i.e.:
- Gas detector
- F&G node
Consequently, it was decided to come up with a list of minimum safety integrity levels for the
most common safety functions. The SIL requirements given in this list are based on experience, with
a design practice that has resulted in a safety level considered adequate. This will reduce the need for
time-consuming SIL calculations for more or less “standard solutions” and will ensure a minimum
level of safety. Another advantage of using pre-determined SILs is that these figures can be used as
input to QRA during early design stages and thereby set up a link between the risk analysis and the
integrity levels for important safety functions. Some examples of these minimum SIL requirements are
shown in Table 2, treating main PSD functions.
When stating such minimum SIL requirements like the ones above, one main objective has
been to ensure a performance level equal to or better than today’s solutions. Hence, in cases where
the generic reliability data has indicated a requirement “just between” two SIL classes, generally the
stricter SIL requirement has been chosen. This is also in line with the NPD requirement for
continuous improvement.
[Fig. 2: Safety unavailability (SU) terms: NSU, CSU_HW and CSU_Sys (CSU being the term used in
PDS), and their relation to the PFD as used in IEC 61508]
Thus, the total SU is a sum of three terms, see Fig. 2. In this figure the SU terms are also
related to the calculation of PFD as described in IEC 61508. The standard is very clear in stating
that CSU_Sys is not quantified. So the PFD will not include the contribution from systematic failures,
which may be significant for safety systems. Further, the authors of the present paper see it as rather
unfortunate that the PFD, without a proper discussion, includes a mixture of (a part of) the noncritical
safety unavailability (NSU) and hardware failures (CSU_HW). The effects of CSU and NSU are so
different that these concepts should be kept separate.
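As an added illustration of the PFD-to-SIL mapping discussed above (example code written for this summary, not from the paper or the OLF guideline): the block bands a PFD_avg or PFH figure according to Table 1, checks a computed figure against a minimum SIL from the guideline's list, and applies the paper's practice of rounding to the stricter SIL when a figure derived from current design practice lies "just between" two classes. The closed-form PFD_avg expressions for 1oo1, 1oo2 and 2oo3 are the common simplified IEC 61508-6 approximations (dangerous-undetected failure rate, proof-test interval, common-cause factor beta; repair time and detected failures ignored), the factor-of-2 "closeness" criterion and all numeric inputs are assumptions of this example, and, as the paper points out, nothing here captures CSU_Sys.

```python
"""PFD_avg approximations and SIL banding.

Added example for this summary; not code from the paper or the guideline.
Everything marked 'assumption' below is a choice made for the example.
"""
from __future__ import annotations

# Table 1 (IEC 61508-1 Tables 2 and 3): (lower bound inclusive, upper bound exclusive).
LOW_DEMAND_PFD = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
HIGH_DEMAND_PFH = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def sil_from_measure(value: float, bands: dict[int, tuple[float, float]]) -> int:
    """SIL whose band contains `value`; 4 if below the SIL 4 band (SIL 4 is the
    highest class), 0 if at or above the SIL 1 upper limit (no SIL claimable)."""
    if value < bands[4][0]:
        return 4
    for sil in (4, 3, 2, 1):
        low, high = bands[sil]
        if low <= value < high:
            return sil
    return 0


def sil_from_pfd(pfd_avg: float) -> int:
    """Low demand mode: band the average PFD."""
    return sil_from_measure(pfd_avg, LOW_DEMAND_PFD)


def sil_from_pfh(pfh: float) -> int:
    """High demand / continuous mode: band the dangerous failure rate per hour."""
    return sil_from_measure(pfh, HIGH_DEMAND_PFH)


def meets_sil(pfd_avg: float, target_sil: int) -> bool:
    """True when pfd_avg is strictly below the upper limit of the target band."""
    return pfd_avg < LOW_DEMAND_PFD[target_sil][1]


# Assumption: simplified IEC 61508-6 style expressions. lambda_du in 1/h, t1 (proof
# test interval) in h, beta = common cause fraction. MTTR and DD failures ignored.
def pfd_1oo1(lambda_du: float, t1: float) -> float:
    return lambda_du * t1 / 2


def pfd_1oo2(lambda_du: float, t1: float, beta: float) -> float:
    independent = ((1 - beta) * lambda_du * t1) ** 2 / 3
    common_cause = beta * lambda_du * t1 / 2
    return independent + common_cause


def pfd_2oo3(lambda_du: float, t1: float, beta: float) -> float:
    independent = ((1 - beta) * lambda_du * t1) ** 2
    common_cause = beta * lambda_du * t1 / 2
    return independent + common_cause


def minimum_sil_from_practice(pfd_current_practice: float, closeness: float = 2.0) -> int:
    """Derive a minimum SIL requirement from the PFD of current design practice,
    following the paper's rule that a figure 'just between' two classes is rounded
    to the stricter SIL. Assumption: 'just between' means within `closeness` times
    the lower limit of the band the figure falls in."""
    sil = sil_from_pfd(pfd_current_practice)
    if 0 < sil < 4 and pfd_current_practice < closeness * LOW_DEMAND_PFD[sil][0]:
        return sil + 1
    return sil


def assess(name: str, pfd_avg: float, target_sil: int) -> dict:
    """Summarise one architecture against a minimum SIL from the guideline's list."""
    return {"function": name, "pfd_avg": pfd_avg, "achieved_sil": sil_from_pfd(pfd_avg),
            "meets_target": meets_sil(pfd_avg, target_sil)}


if __name__ == "__main__":
    # Constructed inputs: lambda_DU = 1e-6 /h, yearly proof test, beta = 2 %.
    LAMBDA_DU, T1, BETA = 1e-6, 8760.0, 0.02
    target = 2  # minimum SIL for PSD closure of critical valve (Table 2)
    for arch, pfd in (("1oo1", pfd_1oo1(LAMBDA_DU, T1)),
                      ("1oo2", pfd_1oo2(LAMBDA_DU, T1, BETA)),
                      ("2oo3", pfd_2oo3(LAMBDA_DU, T1, BETA))):
        print(assess(arch, pfd, target))
    print("requirement from practice PFD 1.5e-3:", minimum_sil_from_practice(1.5e-3))
```

Note that a PFD_avg inside a band only satisfies the quantitative part of the SIL; the architectural constraints and the measures against systematic faults that the SIL also implies (and the CSU_Sys term the standard leaves unquantified) are not covered by this calculation.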
6. CONCLUSIONS
Overall, it is foreseen that IEC 61508 and IEC 61511 will contribute to a more systematic
safety work in the industry and hopefully to increased safety. In particular, the standards consider all
relevant lifecycles of the SIS, and thereby put focus on aspects that may have been neglected in the
past. However, when trying to implement the standards, certain practical problems arise. In
particular, it is difficult to arrive at the required SIL values. When using risk graphs, it is problematic
to determine the SIL in a unique and objective manner. Thus, in the Norwegian guideline a set of
minimum SIL requirements for common safety functions has been provided. This might not be in line
with the basic intentions of the standards, but has been done e.g. to reduce the need for time-
consuming SIL calculations for more or less “standard solutions”, and to ensure a minimum level of
safety. Further, the work with the Norwegian guideline may be seen as a first effort to obtain
standard definitions of essential safety functions, EUC and corresponding SIL requirements in the
Norwegian offshore industry.
A couple of rather unfortunate ambiguities and flaws have been discovered in the standard,
regarding the recommended approach for PFD quantification. These may contribute to some
confusion, and the paper has presented some suggestions concerning how to deal with these
problems.
ACKNOWLEDGEMENTS
The authors wish to thank all companies and persons who participated in the development of the
Norwegian Guideline for application of IEC 61508 and IEC 61511, and who thereby provided valuable
input to this paper. Thanks to OLF, which has sponsored and issued the guideline.
REFERENCES