Title: Your Safety, Our Future
Slide 1: Your Safety, Our Future
Slide 2: SAFETY, CONTROL AUTOMATION SYSTEMS
Slide 3: IEC 61508 / 61511
- THE QUESTIONS TO ASK
- or What To Ask Your Vendors and You
- by
- Ian Parry - Hima Sella Ltd
- Colin Howard - Istech Consulting Ltd
Slide 4: Background
We assume for this presentation you are aware of and understand IEC 61508/61511, the international standard.
- Out for 6 years (principles for safety have been around for 30 yrs).
- Now being revised.
- Still having problems: not with the standard but with its application.
- Hardware requirements are well covered in 61508, but software still leaves large questions to be answered.
Slide 5: Responsibility
Everyone: Owner / Operator / Designer / Constructor / Integration / System Supplier / Device Suppliers. Everyone has a requirement to supply documentation and figures supporting the system in use.
Slide 6: Questions
The following questions need to be asked of everyone. Only some of them will need to be answered by others!!!! I.e. you have a response to all of the first set of questions, but how much information you need depends on your responsibility.
Slide 7: The First Set
a) What overall SIL has been determined by the HAZOP for each Safety Integrity Function?
b) What external risk reduction (or other technologies) is applicable for each Safety Integrity Function?
c) What SIL level has been allocated to the E/E/PES system to provide the risk reduction needed for the required overall risk reduction to be met?
Slide 8: The Second Set
E/E/PES system responsibilities:
a) Total system including the field devices, i.e. from transmitter manifold to the final valve
b) Logic solver - terminal to terminal
c) Logic solver - hardware only
d) Who provides the field devices?
Slide 9: The Third Set
a) Who has the responsibility for the calculations for the E/E/PES system as required by IEC 61508 / 61511?
b) Who has the responsibility for sourcing the information required for the calculations?
c) What has been determined from the HAZOP for the demand rate?
d) From the operator / owner: what is the preferred test interval?
e) Field device suppliers to provide the required device figures - see later
f) Logic system suppliers / integrators to supply the required figures - see later
g) If no information on a device is available from suppliers, from where is the information to be obtained or derived, and who is to derive it?
h) How will the system components (logic solver, field devices etc.) be tested in service?
Slide 10: The Fourth Set
What information is required for each device, sub-system or system:
a) Hardware Fault Tolerance - HFT - as per Tables 2 and 3 of 61508 Part 2
b) Safe Failure Fraction - SFF
c) Mean time to repair - MTTR - what value has been used in each of the calculations?
d) Probability of Failure on Demand - PFD (or PFDavg)
e) Probability of Failure to Danger per Hour - PFH
f) Fail safe failure detected - λsd
g) Fail safe failure undetected - λsu
h) Fail to danger detected - λdd (action needs to be taken to go to the fail-safe state)
i) Fail to danger undetected - λdu
j) Test interval used for calculations
Note: even if the SFF is advised, then f), g), h) and i) will still be required.
Slide 11: How to ease the load when starting
For the logic solvers and overall loops, pick the worst-case loop, i.e. worst-case transmitter, barrier, logic solver path and output valve, and do the loop calculation. If this value is used in the first pass of the calculations then you have a quick method of identifying the problem loops where you need to do more reviews to ensure you meet the requirements. Typically it is the field devices that cause the problem.
Slide 12: Performance Orders
Order of magnitude increases in performance requirement.
Can your procedures and practices for Design, Maintenance, Operations, Performance monitoring and Competence demonstrate equivalent increases in rigour? Throughout the whole lifecycle of the system?
Slide 14: Not IEC 61508 / IEC 61508 (image slide; only the two labels survive)
Slide 15: HOW NOT TO DO IT
Some pointers on the wrong way to confirm compliance.
Slide 16: 1) From a specification
The plant will be shut down on 23 days in the year. The demand rate is 0.00435 years per demand. A SIL3 system is required.
Would you accept the specification? Comments please.
Slide 17: 2) A proposed design..
(Diagram slide; only the labels survive, in the order extracted.)
- 1oo2 trips on bearing temperature, vibration; 1oo1 trip on displacement
- Gas Turbine
- Compressor
- 2oo3 trips on bearing temperature, vibration, displacement
- Suction Drum
- LSZ
- 1oo1 trip on level
- Process plant
Would you accept this design proposal?
Slide 18: 3) Take the MTBF / MTTF figure, convert it to a rate per hour and then allocate a %, say 20%, to be the fail-to-danger rate. If no information is available then you should use 50%. But what about HFT? SFF is also questionable, as you have decided what the figure is.
Slide 19: 4) Use of 3 standard non-SIL transmitters in a SIL3 application because it has an HFT of 2. What is the SFF of the devices? Are they SMART transmitters, raising the question of the integrity of the software? IEC 61508 clearly shows that if you have 2 off SIL2 sub-systems in a 1oo2-to-trip configuration then the best they can achieve is SIL3; even 2oo3 only gives SIL3 (HFT and SFF, Tables 2/3). What about common cause effects? These can mean that 2oo3 SIL2 transmitters may not meet SIL2. Most certified devices' reports detail what different configurations will meet with respect to SIL levels.
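As an added example (not from the presentation, nor code from Hima Sella or Istech), here is the architectural-constraint check behind slides 10 and 19 in Python: it computes the SFF from the λsd/λsu/λdd/λdu split slide 10 asks suppliers for, derives the HFT from the MooN voting (a 2oo3 trip tolerates one dangerous channel failure, so its HFT is 1, not 2), and looks up the SIL ceiling in IEC 61508-2 Table 2 (Type A) or Table 3 (Type B, which is where SMART transmitters with software land). The transmitter failure rates in the block are constructed for illustration and are not taken from any vendor report; names such as FailureRates and max_sil_by_architecture are this example's own.

```python
# Added example: architectural constraints (SFF / HFT) per IEC 61508-2
# Tables 2 and 3. Failure rates are per hour and are constructed for
# illustration only; they are not vendor figures.
from dataclasses import dataclass

# Each row: (upper SFF bound, (max SIL at HFT 0, HFT 1, HFT 2)).
# 0 means "not allowed" (Type B, SFF < 60 %, HFT 0).
_TABLE_2_TYPE_A = [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)),
                   (0.99, (3, 4, 4)), (float("inf"), (3, 4, 4))]
_TABLE_3_TYPE_B = [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)),
                   (0.99, (2, 3, 4)), (float("inf"), (3, 4, 4))]


@dataclass(frozen=True)
class FailureRates:
    """Per-hour failure rates of one channel, split as slide 10 requires."""
    lam_sd: float  # safe, detected
    lam_su: float  # safe, undetected
    lam_dd: float  # dangerous, detected
    lam_du: float  # dangerous, undetected (the rate that drives PFDavg)

    def sff(self) -> float:
        """Safe failure fraction: every failure except dangerous-undetected."""
        total = self.lam_sd + self.lam_su + self.lam_dd + self.lam_du
        if total <= 0:
            raise ValueError("failure rates must sum to a positive value")
        return 1.0 - self.lam_du / total


def hft_of(m: int, n: int) -> int:
    """Hardware fault tolerance of an MooN-to-trip architecture against
    dangerous failures: the trip survives N - M failed channels
    (1oo1 -> 0, 1oo2 -> 1, 2oo3 -> 1, 1oo3 -> 2)."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    return n - m


def max_sil_by_architecture(sff: float, hft: int, type_b: bool) -> int:
    """Highest SIL the subsystem may claim from Table 2 (Type A, simple
    devices) or Table 3 (Type B, devices with software). 0 = not allowed."""
    if hft not in (0, 1, 2):
        raise ValueError("tables cover HFT 0..2 only")
    table = _TABLE_3_TYPE_B if type_b else _TABLE_2_TYPE_A
    for upper, sils in table:
        if sff < upper:
            return sils[hft]
    raise AssertionError("unreachable: SFF is at most 1.0")


def check_smart_transmitters(rates: FailureRates, m: int, n: int,
                             required_sil: int) -> dict:
    """Slide 19 scenario: standard SMART (Type B) transmitters voted MooN.
    Returns the architectural ceiling next to the SIL being claimed."""
    hft = hft_of(m, n)
    sff = rates.sff()
    ceiling = max_sil_by_architecture(sff, hft, type_b=True)
    return {"sff": sff, "hft": hft, "max_sil": ceiling,
            "meets": ceiling >= required_sil}


if __name__ == "__main__":
    # Constructed, illustrative rates for a non-certified transmitter.
    tx = FailureRates(lam_sd=2.0e-6, lam_su=1.0e-6, lam_dd=3.0e-6, lam_du=3.0e-6)
    for m, n in ((1, 1), (1, 2), (2, 3), (1, 3)):
        r = check_smart_transmitters(tx, m, n, required_sil=3)
        print(f"{m}oo{n}: SFF={r['sff']:.0%} HFT={r['hft']} "
              f"ceiling=SIL{r['max_sil']} meets SIL3: {r['meets']}")
```

With the constructed rates the SFF is 67 %, so the Type B table caps 1oo2 and 2oo3 at SIL2; only 1oo3 (HFT 2) reaches SIL3, which is the point of asking for the SFF rather than accepting "three transmitters, HFT 2" at face value.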
Slide 20: 5) Devices provided with FMEA reports which give PFD / PFH figures, but the report specifically excludes any software coverage, and thus it is difficult to use the devices. Or the report makes assumptions, e.g. a trip amplifier with relay outputs which the logic solver is required to monitor for failure of the relay.
Slide 21: 6) Concentration on the logic solver details when placing orders, without considering the field devices associated with the logic solver. This causes problems, as the configurations of the field devices may need to be upgraded from 1oo1 to 1oo2 or even 2oo3 (if it is in fact possible to use the devices ordered), usually late in the project (at FAT), delaying the project and causing cost overruns.
Slide 22: 7) Attention needs to be paid during the design stage to the maintenance regime and training requirements for the systems, and also to spares holdings. Calculations for the PFD and PFH require the use of the MTTR, normally assumed to be 8 hrs, i.e. a normal shift. It is possible to use 1 hour in the calculations to give the answer you wish to show, so the MTTR figure used should be declared.
Slide 23: 8) Test intervals. Again, short test intervals will improve the calculated figures but do not reflect the time and costs incurred by the maintenance teams. Also to be considered is the amount of time each device is not available to provide the protection while it is in test, calibration or maintenance. This can affect the SIL level applicable if you have to apply overrides for long periods per year just to maintain the field devices.
Slide 24: 9) Common mode failure. When using voting configurations it is important to validate and quantify the common mode Beta value applicable. If the Beta value is high, say 10%, then this can be the defining limit on the SIL level achievable. Indeed, if you have a high Beta value then even a 2oo3 voting configuration may only meet SIL1 or 2!!!
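As an added example serving slides 11, 22, 23 and 24 together (not from the presentation, nor code from Hima Sella or Istech), the block below computes low-demand PFDavg for 1oo1, 1oo2 and 2oo3 subsystems with the simplified IEC 61508-6 Annex B equations, sums a worst-case loop (transmitter, logic solver, valve) as slide 11 recommends, and maps the result onto the PFDavg bands of 61508-1. It lets you see each of the levers the slides warn about: the proof-test interval, the MTTR that goes into the equations, and the common-cause Beta that can pull a 2oo3 set down a band. It assumes βD = β/2 and MRT = MTTR (a convention of this example); all failure rates are constructed for illustration, not vendor data, and names such as Subsystem and loop_pfd are this example's own.

```python
# Added example: low-demand PFDavg per simplified IEC 61508-6 Annex B,
# loop sum, and SIL banding. Rates are per hour and constructed only.
from dataclasses import dataclass

# Low-demand mode: SIL n requires 10^-(n+1) <= PFDavg < 10^-n.
_SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


@dataclass(frozen=True)
class Subsystem:
    name: str
    lam_du: float        # dangerous undetected failures per hour
    lam_dd: float        # dangerous detected failures per hour
    voting: str          # "1oo1", "1oo2" or "2oo3"
    t1_h: float          # proof-test interval in hours (slide 23)
    mttr_h: float = 8.0  # mean time to restoration in hours (slide 22)
    beta: float = 0.0    # common-cause factor for undetected failures (slide 24)

    def pfd_avg(self) -> float:
        """Simplified 61508-6 Annex B equations. Assumptions of this
        example: beta_D = beta / 2 and MRT = MTTR."""
        lam_d = self.lam_du + self.lam_dd
        if lam_d <= 0:
            raise ValueError("need a positive dangerous failure rate")
        du, dd = self.lam_du / lam_d, self.lam_dd / lam_d
        # Channel equivalent mean down times for one and two channels.
        t_ce = du * (self.t1_h / 2 + self.mttr_h) + dd * self.mttr_h
        t_ge = du * (self.t1_h / 3 + self.mttr_h) + dd * self.mttr_h
        if self.voting == "1oo1":
            return lam_d * t_ce
        if self.voting not in ("1oo2", "2oo3"):
            raise ValueError("supported voting: 1oo1, 1oo2, 2oo3")
        beta, beta_d = self.beta, self.beta / 2
        independent = (1 - beta_d) * self.lam_dd + (1 - beta) * self.lam_du
        common = (beta_d * self.lam_dd * self.mttr_h
                  + beta * self.lam_du * (self.t1_h / 2 + self.mttr_h))
        factor = 2 if self.voting == "1oo2" else 6
        return factor * independent ** 2 * t_ce * t_ge + common


def sil_from_pfd(pfd: float) -> int:
    """SIL band for a low-demand PFDavg; 0 when worse than SIL 1."""
    for sil, low, high in _SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def loop_pfd(subsystems) -> float:
    """Loop PFDavg: sensor, logic solver and final element in series, so
    their PFDavg values add (61508-6 B.3)."""
    return sum(s.pfd_avg() for s in subsystems)


def dominant(subsystems) -> str:
    """Name of the subsystem contributing most to the loop PFDavg."""
    return max(subsystems, key=lambda s: s.pfd_avg()).name


if __name__ == "__main__":
    YEAR = 8760.0
    # Slide 11: worst-case loop, constructed rates.
    loop = [Subsystem("transmitter", 1.0e-6, 3.0e-6, "1oo1", YEAR),
            Subsystem("logic solver", 1.0e-7, 2.0e-6, "1oo2", YEAR, beta=0.02),
            Subsystem("valve", 3.0e-6, 0.0, "1oo1", YEAR)]
    total = loop_pfd(loop)
    print(f"loop PFDavg {total:.2e} -> SIL{sil_from_pfd(total)}, dominated by {dominant(loop)}")
    # Slide 23: quarterly proof test on the valve vs yearly.
    for t1 in (YEAR, YEAR / 4):
        v = Subsystem("valve", 3.0e-6, 0.0, "1oo1", t1).pfd_avg()
        print(f"valve T1={t1:.0f} h: PFDavg {v:.2e} -> SIL{sil_from_pfd(v)}")
    # Slide 22: MTTR 8 h vs 1 h (declare which one you used).
    for mttr in (8.0, 1.0):
        t = Subsystem("transmitter", 1.0e-6, 3.0e-6, "1oo1", YEAR, mttr).pfd_avg()
        print(f"transmitter MTTR={mttr:.0f} h: PFDavg {t:.3e}")
    # Slide 24: Beta 2 % vs 10 % on a 2oo3 transmitter set.
    for beta in (0.02, 0.10):
        p = Subsystem("2oo3 tx", 3.0e-6, 3.0e-6, "2oo3", YEAR, beta=beta).pfd_avg()
        print(f"2oo3 beta={beta:.0%}: PFDavg {p:.2e} -> SIL{sil_from_pfd(p)}")
```

Run as-is, the constructed loop lands in SIL1 with the 1oo1 valve as the dominant term (the field-device problem slide 11 predicts), a quarterly proof test lifts that valve from SIL1 to SIL2, and raising Beta from 2 % to 10 % on the 2oo3 set moves it from SIL3 to SIL2 because the β·λdu·T1/2 common-cause term swamps the squared independent term.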
Slide 25: 10) My supplier says the kit is good for SIL3, so why not design to SIL3? SIL 3 systems are very difficult to achieve in practice. If SIL 3 is specified, too much of the risk reduction is being taken by the instrumented system and not enough by other layers of protection. This indicates a need to review the risk assessment. Avoid the need for a SIL 3 or 4 system by introducing further layers of protection (other non-instrument measures). These will then take their share of the overall risk reduction.
Slide 26: Thank you for your attention. If you have any questions, please wait until the question time at the end of the presentations.