C. Timms
Tel: +44 (0) 1339 886618
c.timms@ifb.co.uk
4. To be able to use tools to model and solve the PFD of complex Safety Instrumented Systems.
Figure: safety lifecycle phases with the applicable clauses (boxes numbered as in the standard, with Stage 1 to Stage 4 markers between them):
3 Safety Requirements Specification for the Safety Instrumented System (Clauses 10 & 12)
4 Design and Engineering of Safety Instrumented System (Clauses 11 & 12), in parallel with Design and Development of Other Means of Risk Reduction (Clause 9)
5 Installation, Commissioning and Validation (Clauses 14 & 15)
7 Modification (Clause 17)
Legend: typical direction of information flow; no detailed requirements given in this standard.
NOTES:
1. Stages 1 through 5 inclusive are defined in clause 5.2.6.1.3.
2. All references are for Part 1 unless otherwise noted.
Figure: application software development lifecycle (V-model) for the PES. Left leg: Sub-system architecture → Application Software Safety Requirements Specification → Application Software Architecture design → Application software development → Application module development. Right leg: Application module testing → Application software testing → Application software integration testing → Software safety validation.
Clause | Phase | Objectives | Requirements subclause | Inputs | Outputs
------ | ----- | ---------- | ---------------------- | ------ | -------
12.3 | Application software safety validation planning | To develop a plan for validating the application software. | 14.3.2 | SIS application software safety requirements specification. | SIS application software safety validation plan; Verification information.
12.4 cont'd | Application software design and development | Support tools and programming languages: to identify a suitable set of configuration, library, management, and simulation and test tools, over the whole safety lifecycle of the software (utility software); to specify the procedures for development of the application software. | 12.4.4 | SIS application software safety requirements specification; Description of the architecture design; Manuals of the SIS; Safety Manual of the selected SIS Logic Solver. | List of procedures for use of utility software; Verification information.
© C & C Technical Support Services 2008 10 Part 3 of IEC 61508/61511 Training
Relationship between the hardware and software architectures of SIS

Clause | Phase | Objectives | Requirements subclause | Inputs | Outputs
------ | ----- | ---------- | ---------------------- | ------ | -------
12.4 cont'd | Application program development using full variability languages | Program Development and Test – FVL program only: to implement full variability language that fulfils the specified requirements for software safety. | 12.4.6 & 12.4.7 | Special purpose application software safety specification requirements. | Refer to IEC 61508-3.
12.4 cont'd | Application software design and development | Software and application testing: 1) to verify that the requirements for software safety have been achieved; 2) to show that all application program subsystems and system interact correctly to perform their intended functions and do not perform unintended functions. Can be merged with the next phase (12.5) subject to satisfactory test coverage. | 12.4.6, 12.4.7, 12.7 | Application program simulation and integration test specification (structure based testing); Software architecture integration test specification. | 1) Software test results. 2) Verified and tested software system. 3) Verification information.
12.5 | Programmable electronics integration (hardware and software) | To integrate the software onto the target programmable electronic hardware. | 12.5.2 | Software and hardware integration test specification. | Software and hardware integration test results; Verified software and hardware.
14.3 | SIS safety validation | Validate that the SIS, including the safety application software, meets the safety requirements. | 14.3 | Software and SIS safety validation plans. | Software and SIS validation results.
SIF:
Provides overpressure protection.
Prevents relief by RV.
Stops the event.
Figure: escalation chain (Initial demand rate → Loss of containment → Ignition → Escalation), with increasing consequence and decreasing demand rate along the chain. Annotations: distribution of reliability requirements across the SIF implementation; SIL class for the SIF; minimum SIL (assuming the RV functions properly); take credit for the PFD of the RV.
Figure: P&ID of a separator with tags PSV, PCV, PICA, PZA1 (2oo3), LICA, LZA1 (High High level), LZA2 (Low Low level), LCV, XZV1/XZV2 (inlet), XZV3, XZV4, XZV5, inlet spec. break, HH gas compression, EDP (manual), flare, oil out. Instrumented Protective System functions: Function 1 (initiator PZA1), Function 2 (final elements XZV1/2), Function 3 (initiator LZA1, confirmed high level).
Figure: SIL allocation matrix for initiators 2 to 6 (e.g. Initiator 3 = PZA1) against the final elements, with cell values 0 to 3 or N/A.
C&E box (cause and effect matrix). Effects: XZV1 close, XZV2 close, XZV3 close, XZV4 close, XZV5 open, plus EDP (manual) and flare. Causes and number of effects marked: PZA1 (5), LZA1 (4), LZA2 (3), EDP (5); the figure shows which effect each mark falls under.
Q1. Mark up the primary function for each initiator in the C&E box.
Q2. Are there any logic simplification opportunities?
Q2A:
A2. Why close XZV5 on LZA1 High High level? Why close XZV1 and XZV2 on LZA2 Low Low level?
Figure: INTERTRIP between two units UZ-A and UZ-B. Initiators XA (1, 2, 3) act on final elements YA; initiators XB (1, 2, 3) act on final elements YB. Final elements provide local area protection and shutdown of area ventilation.
STEPS (single intertrip):
Determine the SIL for each initiator XA to final elements YA.
Determine the SIL for each initiator XB to final elements YB.
Determine the SIL for each initiator XA to INTERTRIP (i.e. synergetic failure of YB).
Determine the SIL of the INTERTRIP to each YB (W = sum of XA demands).
STEPS (two intertrips):
Determine the SIL for each initiator XA to final elements YA.
Determine the SIL for each initiator XB to final elements YB.
Determine the SIL for each initiator XA to INTERTRIP1 (synergetic failure of all YB).
Determine the SIL of the INTERTRIP1 to each YB (W = sum of XA demands).
Determine the SIL for each initiator XB to INTERTRIP2 (synergetic failure of all YA).
Determine the SIL of the INTERTRIP2 to each YA (W = sum of XB demands).
Figure: ALARP triangle. Broadly acceptable region (no need for detailed working to demonstrate ALARP): 1 in 10 million per person/yr, negligible risk.
Setting the Safety Target
Example of calibration: each parameter has a range of values with a 'low' end value and a 'high' end value.

Parameter | Low Value | High Value
--------- | --------- | ----------
W3 | 0.3 | 3.0
FA | 0.01 | 0.1
FB | 0.1 | 1.0
PA | 0.1 | 0.1
PB | 1.0 | 1.0

SIL | PFD (low) | PFD (high)
--- | --------- | ----------
SIL 1 | 0.01 | 0.1
SIL 2 | 0.001 | 0.01
SIL 3 | 0.0001 | 0.001
SIL 4 | 0.00001 | 0.0001
Figure: layers of protection (Alarm Layer, Process Design) against two escalation chains, each marked Case 1 / Case 2: (a) Initial demand rate → Loss of containment → Ignition → Escalation; (b) Initial demand rate → Fire → Local impact → Escalation. In both, consequence increases and demand rate decreases along the chain.
Figure: UKOOA risk graphs. Three graphs, for Safety (S0 to S4), L0 to L4 and Environment (E0 to E4); each row branches through A1/A2 and G1/G2 and is read against the demand rate columns W3, W2, W1, W0. Entries are SIL 1 to 3, "-" (no requirement) or NR; START marks the entry point.
Frequency of demand:
W0 Extremely low (demand rate of once between 300 and 3000 years)
W1 Very low (demand rate of once between 30 and 300 years)
W2 Low (demand rate of once between 3 and 30 years)
W3 Relatively high (demand rate between once in 0.3 and 3 years)
UKOOA Graphs
Demand rate bands (for demonstration purposes only):
W3 Demand rate between 3 and 0.3 per year (0.3 and 3 years)
W2 Demand rate between 0.3 and 0.03 per year (3 and 33 years)
W1 Demand rate between 0.03 and 0.003 per year (33 and 333 years)
W0 Demand rate between 0.003 and 0.0003 per year (333 and 3,333 years)
W00 Demand rate less than 0.0003 per year (greater than 3,333 years)
Figure: generalized risk graph arrangement (in practical implementations the arrangement is specific to the applications to be covered by the risk graph). From the starting point for risk reduction estimation, the branches C (CA, CB, CC, CD), F (FA, FB) and P (PA, PB) lead to rows X2 to X6, which are read against the demand rate columns:

Row | W3 | W2 | W1 | W0 | W00
--- | -- | -- | -- | -- | ---
X2 | a | --- | --- | --- | ---
X3 | 1 | a | --- | --- | ---
X4 | 2 | 1 | a | --- | ---
X5 | 3 | 2 | 1 | a | ---
X6 | 4 | 3 | 2 | 1 | a
(last row) | b | 4 | 3 | 2 | 1

C = Consequence parameter; --- = No safety requirements.
Likelihood values are events per year; other numerical data are PFD average.
LOPA worksheet columns:
0 Impact Event Description
1 Severity Level
2 Initiating Cause
3 Initiating Likelihood
Protection Layers (columns 4 to 8):
4 General Process Design
5 BPCS
6 Additional Mitigation A
7 Additional Mitigation B
8 Additional Mitigation C
9 Intermediate Event Likelihood
10 SIF Integrity Level
11 Mitigated Event Likelihood
Notes
The corporate criterion has been specified as <1E-07, and the Intermediate Event Likelihood does not meet this. The team decides to add a SIF to reduce the risk further.
The PFD required for the SIF is 1E-07 / 5.0E-06 = 2E-02 (SIL 1).
A 1:
A 2:
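The LOPA step above (required SIF PFD = corporate target frequency divided by the intermediate event likelihood, then mapped to a SIL band) as an added example; this is not code from the training material. The SIL bands are the PFD ranges from the calibration table earlier in this deck (SIL 1: 0.01 to 0.1, down to SIL 4: 0.00001 to 0.0001). The function names, the band convention (lower bound inclusive, upper bound exclusive) and the handling of the two out-of-range cases (target already met; required PFD beyond SIL 4) are assumptions made for this example.

```python
"""LOPA sizing of a SIF: required PFD = target frequency / intermediate
event likelihood (both in events per year), then mapped to a SIL band.
Band limits are the PFD-average ranges from the deck's calibration table;
the boundary convention (low inclusive, high exclusive) is an assumption."""
from typing import Optional, Tuple

# (SIL, PFD low inclusive, PFD high exclusive)
SIL_BANDS = (
    (1, 0.01, 0.1),
    (2, 0.001, 0.01),
    (3, 0.0001, 0.001),
    (4, 0.00001, 0.0001),
)


def required_pfd(target_freq: float, intermediate_freq: float) -> float:
    """PFD the SIF must achieve so that intermediate_freq * PFD <= target_freq.
    Returns 1.0 when the intermediate event likelihood already meets the
    target, i.e. no additional layer is needed."""
    if target_freq <= 0 or intermediate_freq <= 0:
        raise ValueError("frequencies must be positive (events per year)")
    if intermediate_freq <= target_freq:
        return 1.0
    return target_freq / intermediate_freq


def sil_for_pfd(pfd: float) -> Optional[int]:
    """Map a required PFD to a SIL.
    0    -> PFD >= 0.1: no SIL-rated function needed.
    None -> PFD < 0.00001: beyond SIL 4, a single SIF cannot be credited;
            the design (or the other layers) has to change."""
    if pfd >= 0.1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def lopa_sif_sil(target_freq: float, intermediate_freq: float) -> Tuple[float, Optional[int]]:
    """Required PFD and SIL for the SIF closing the gap between the
    intermediate event likelihood and the corporate target."""
    pfd = required_pfd(target_freq, intermediate_freq)
    return pfd, sil_for_pfd(pfd)


if __name__ == "__main__":
    # The deck's worked case: target < 1E-07 /yr, intermediate event 5.0E-06 /yr.
    pfd, sil = lopa_sif_sil(1e-7, 5.0e-6)
    print(f"required PFD = {pfd:.2e} -> SIL {sil}")          # 2.00e-02 -> SIL 1
    print("boundary 0.01 ->", sil_for_pfd(0.01), "| 0.009 ->", sil_for_pfd(0.009))
    print("already met ->", lopa_sif_sil(1e-7, 5e-8))
    print("beyond SIL 4 ->", lopa_sif_sil(1e-7, 5e-2))
```

The boundary test matters in practice: a required PFD of exactly 0.01 sits in SIL 1 under this convention, and a result of None is a signal to revisit the other protection layers rather than to claim a SIL the bands do not cover.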
Solution: Exercise – Fire & Gas
A 1:
A 2:
Name: Exercise – Fire & Gas
Example 1: Gas detection on the underside of the 1st stage separator V1001.
Operations
Visit the area >1 hour per day
Safety Engineer
Data from the QRA for the facility indicates a total probability of 2.98E-1 gas release events per year for all leak sizes. This is equivalent to a demand rate on the gas detectors of once every 3 years. The TR impairment frequency for ignited events escalating from this area is shown to be 375 years.
Instrument Engineer
The gas detectors are IR point and they are voted 2ooN.
W: W:
C: C:
F: F:
P: P:
SIL: SIL:
Solution: Exercise – Fire & Gas
W: W:
C: C:
F: F:
P: P:
SIL: SIL:
Name: Exercise – Fire & Gas
Safety Engineer
Using data from the QRA for escalation, the probability of TR Total Impairment for any reason is 4.98E-4. Equating to a frequency, this is equivalent to 1 in 2000 years. This covers all events.
Instrument Engineer
The gas detectors are IR extended point duct mounted devices and are voted 2oo3.
ANS:
W:
C:
F:
P:
SIL:
Solution: Exercise – Fire & Gas
ANS:
W:
C:
F:
P:
SIL:
Name: Exercise – Fire & Gas
Operations
Visit the area 2 hours/d.
Safety Engineer
Data from the QRA for the facility indicates a total probability of a fire event of 6.3E-2. This is equivalent to a demand rate on the fire detectors of once every 16 years.
The TR impairment frequency for a fire event escalating from this area is shown to be 2542 years.
Instrument Engineer
The fire detectors are triple IR devices and are voted 2oo3.
W: W:
C: C:
F: F:
P: P:
SIL: SIL:
Solution: Exercise – Fire & Gas
W: W:
C: C:
F: F:
P: P:
SIL: SIL:
Further Operational Lifecycle Considerations
Safety Life Cycle
Figure: safety life cycle loop with the steps Identify Hazards, Risk assessment, Functional safety requirements spec, Install & commission, Validation of requirements, Operate and Maintain, Monitor, Record, Modify SIS, and functional safety assessment feeding back into the loop.
Overrides
Override of a SIF defeats protection:
the SIS will not be available to work on demand;
it will NOT provide the required protection;
it is actually in the ‘failed’ state;
if a demand occurs the consequences = failure.
SIFs should never be defeated, bypassed, inhibited or “frigged” in any way.
Overrides should be kept to a minimum.
Overrides need proper controls and authority.
Override Controls
Authority
Permit to Work
Key control
Key safe
Key logged out
CRO agrees to override and records in panel log
CRO agrees removal and records in panel log
Key returned to safe and logged back in
Permit signed off by the ‘authority’
CRO shift handover
Shift supervisor shift handover
Regular override status audit.
Discrepancy Alarms
Modifications & Change Control
Any modification:
to a SIF (the elements or design), OR
to the process on which a SIF operates,
could defeat the integrity of the SIF.
ALL modifications to SIFs must be controlled via the change control process.
This may require another SIL assessment to be made.
Repairs
When elements of a SIF are being repaired:
the SIF may not be available to protect, e.g. if the element is a 1oo1.
Keeping Records
Care of a SIF extends over its full life cycle:
conception – risk analysis – design – implementation – testing – maintenance – operation – decommissioning.
Thus records through all these phases need to be maintained.
A good cross-reference database structure is essential.
Feedback, Review & Modify
Don’t install and walk away.
Records of testing, faults, maintenance and operation must be recorded and maintained.
SIF performance should be reviewed regularly.
Testing and maintenance can then be ‘tuned’.
Solving Complex Functions by the Event Space Method
Complex Functions
Subsystems are made up of components e.g.:
Transmitter devices and trip amps;
Logic solver circuit boards;
Valve actuators, solenoids and valves.
Systems are made up of subsystems e.g. A SIS:
Initiators;
Logic solvers;
Final elements.
Complex Systems
EXAMPLE:
Figure: a system comprising 3 subsystems in a serial path.
Component States
The number of states is $2^n$, where n is the number of components/subsystems.
Component States
1oo2 Configuration
For two components or subsystems A and B (figure: Component A and Component B in parallel):
Where n = 2, the number of states = $2^n$, i.e. 4 states:
1. A and B OK
2. A failed and B OK
3. A OK and B failed
4. A failed and B failed
This is a 1oo2 configuration where the system will work if at least one component is OK.
Neither component is critical.
State Table – 1oo2

State | A | B | System works?
----- | - | - | -------------
1 | OK | OK | YES
2 | FAIL | OK | YES
3 | OK | FAIL | YES
4 | FAIL | FAIL | No
Exercise - Complex Systems
A system comprising 3 subsystems:
Figure: Subsystem A, Subsystem B and Subsystem C in a serial path.
Name: Exercise - Complex Systems
Solution – Complex Systems
Probability of Failure
Serial Path
PFD of Complex Functions
Figure: a serial path in which Subsystem 4 is itself made up of components, and a parallel path.
Event Space Method
‘Loss Prevention in the Process Industries’: Frank P. Lees.
Used to model a wide range of complex configurations where:
a configuration comprises a number of components;
components also form sub-systems;
there are both serial and parallel paths;
we need to calculate the PFD.
The Probability of Failure and/or
Success on Demand
The Probability of Failure and/or
Success on Demand
The PFD is then the sum of the state probabilities where the state will not operate on demand.
The PSD is the sum of the state probabilities where the system will achieve success.
PFD + PSD should be equal to 1.
Example - 1oo2 system

State | Component 1 | Component 2 | System
----- | ----------- | ----------- | ------
1 | OK | OK | OK
2 | OK | FAIL | OK
3 | FAIL | OK | OK
4 | FAIL | FAIL | FAIL

Component probability of failure (FAIL) is $\frac{\lambda t}{2}$.
Component probability of success (OK) is $1 - \frac{\lambda t}{2}$.
Example - 1oo2 system

State number | Component 1 probability | Component 2 probability | Overall state probability (probability 1 x probability 2) | System status
------------ | ----------------------- | ----------------------- | --------------------------------------------------------- | -------------
1 | $1 - \frac{\lambda t}{2}$ (OK) | $1 - \frac{\lambda t}{2}$ (OK) | $1 - \lambda t + \frac{\lambda^2 t^2}{4}$ | OK
2 | $1 - \frac{\lambda t}{2}$ (OK) | $\frac{\lambda t}{2}$ (FAIL) | $\frac{\lambda t}{2} - \frac{\lambda^2 t^2}{4}$ | OK
3 | $\frac{\lambda t}{2}$ (FAIL) | $1 - \frac{\lambda t}{2}$ (OK) | $\frac{\lambda t}{2} - \frac{\lambda^2 t^2}{4}$ | OK
4 | $\frac{\lambda t}{2}$ (FAIL) | $\frac{\lambda t}{2}$ (FAIL) | $\frac{\lambda^2 t^2}{4}$ | FAIL
TOTAL | | | 1 |

$$\mathrm{PSD} = \left(1 - \lambda t + \frac{\lambda^2 t^2}{4}\right) + \left(\frac{\lambda t}{2} - \frac{\lambda^2 t^2}{4}\right) + \left(\frac{\lambda t}{2} - \frac{\lambda^2 t^2}{4}\right) = 1 - \frac{\lambda^2 t^2}{4}$$

$$\mathrm{PFD} = \frac{\lambda^2 t^2}{4}$$

$$\mathrm{PSD} + \mathrm{PFD} = \left(1 - \frac{\lambda^2 t^2}{4}\right) + \frac{\lambda^2 t^2}{4} = 1$$
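The event space method of the preceding slides, carried from the 1oo2 table to the general case (any number of components, k-out-of-n voting, serial and parallel paths of subsystems), as an added example; this is not code from the training material. It keeps the slides' assumptions: independent component failures with no common cause, and a per-component failure probability of λt/2. The function names (`event_space`, `state_table`, `koon`, `series`, `parallel`, `pfd_1oo2`, `sis_serial_path`) and the SIS layout and λt values used in `sis_serial_path` are constructed for illustration.

```python
"""Event space method: enumerate every OK/FAIL combination of n components
(2**n states), weight each state by its probability (independent failures,
as in the 1oo2 table above), and sum the probabilities of the states in
which the system does not act on demand (PFD) and of those in which it
does (PSD). PFD + PSD = 1 is the same self-check the slide makes."""
from itertools import product
from typing import Callable, List, Sequence, Tuple

State = Tuple[bool, ...]               # True = component OK, False = component FAILED
Structure = Callable[[State], bool]    # True when the whole system works in that state


def state_probability(state: State, p_fail: Sequence[float]) -> float:
    """Product of the per-component probabilities for one state."""
    prob = 1.0
    for ok, pf in zip(state, p_fail):
        prob *= (1.0 - pf) if ok else pf
    return prob


def state_table(p_fail: Sequence[float], works: Structure) -> List[tuple]:
    """Rows (state number, per-component status, state probability, system
    status), in the same order as the slide's table (1 = all OK)."""
    rows = []
    for number, state in enumerate(product((True, False), repeat=len(p_fail)), start=1):
        status = tuple("OK" if ok else "FAIL" for ok in state)
        rows.append((number, status, state_probability(state, p_fail),
                     "OK" if works(state) else "FAIL"))
    return rows


def event_space(p_fail: Sequence[float], works: Structure) -> Tuple[float, float]:
    """Return (PFD, PSD): the probability mass of the FAIL and OK states."""
    rows = state_table(p_fail, works)
    pfd = sum(prob for _, _, prob, status in rows if status == "FAIL")
    psd = sum(prob for _, _, prob, status in rows if status == "OK")
    return pfd, psd


# Structure functions: how component states combine into system success.
def koon(k: int, members: Sequence[int]) -> Structure:
    """k-out-of-n voting over the listed component indices (1oo2, 2oo3, ...)."""
    return lambda s: sum(s[i] for i in members) >= k


def series(*subsystems: Structure) -> Structure:
    """Serial path: every subsystem must work."""
    return lambda s: all(sub(s) for sub in subsystems)


def parallel(*subsystems: Structure) -> Structure:
    """Parallel path: any one subsystem working is enough."""
    return lambda s: any(sub(s) for sub in subsystems)


def pfd_1oo2(lam_t: float) -> Tuple[float, float]:
    """The slide's case: two components, each with failure probability λt/2.
    Closed form from the slide: PFD = λ²t²/4, PSD = 1 - λ²t²/4."""
    p = lam_t / 2.0
    return event_space([p, p], koon(1, [0, 1]))


def sis_serial_path(lam_t_init: float = 0.02, lam_t_ls: float = 0.002,
                    lam_t_fe: float = 0.1) -> Tuple[float, float]:
    """Constructed SIS (values are assumptions, not from the training deck):
    serial path of 2oo3 initiators (components 0-2), a 1oo1 logic solver
    (component 3) and 1oo2 final elements (components 4-5)."""
    p_fail = [lam_t_init / 2] * 3 + [lam_t_ls / 2] + [lam_t_fe / 2] * 2
    works = series(koon(2, [0, 1, 2]), koon(1, [3]), koon(1, [4, 5]))
    return event_space(p_fail, works)


if __name__ == "__main__":
    for row in state_table([0.05, 0.05], koon(1, [0, 1])):   # λt = 0.1
        print(*row)
    pfd, psd = pfd_1oo2(0.1)
    print(f"1oo2: PFD={pfd:.6f} PSD={psd:.6f} PFD+PSD={pfd + psd:.6f}")
    pfd, psd = sis_serial_path()
    print(f"SIS serial path: PFD={pfd:.6e} PFD+PSD={pfd + psd:.6f}")
```

With λt = 0.1 the table reproduces the slide's numbers (state 4 has probability 0.0025 = λ²t²/4), and because the structure function is evaluated per state rather than by multiplying subsystem results, the same code handles a subsystem that appears in both a serial and a parallel path without double counting.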
Common Configurations
Final Element - Pump & Valve
Flowlines and Manifold
Figure: flowlines and manifold with RV1 relieving to flare (RV1 = one flowline only).
SILCalc Application