Workshop Functional Safety


Nieuwegein, 12 March 2014
VDMA 4315 Part 1
page 1

Agenda
- VDMA Working Group on Functional Safety
- Functional Safety and Safety Lifecycle
- Functional Safety Basic Terms
- Quantitative Risk Analysis
- Low Demand Case Risk Equation
- Risk Assessment Assumptions and Factors: basic questions, tolerable risk limits, severity of harm, occupancy
- Definition Type of Risk
- SIL Assignment Tools & Methods
page 2

VDMA Working Group
Motivation: introduction of new standards for functional safety: IEC 61508, IEC 61511, IEC 62061, ISO 13849
- Common key features: avoidance of systematic failures; probabilistic approach
- Finding 2007: none of the standards is completely applicable; none of them is applicable without interpretation
Concern: functional safety is an issue for project execution
- compliance documentation for handover and permitting
- risk of conflicts in understanding, late changes, delays, costs
Target: synthesis of the relevant standards
- with respect to the specification of safety integrity requirements -> VDMA Specification 4315, part 1
- relevant safety functions with typical safety integrity requirements for different types of engines -> VDMA Specification 4315, other parts
page 3

VDMA Working Group
Active since 2007. Participating OEMs and products under consideration:
- Alstom Power: steam turbines and gas turbines for power generation, industrial steam turbines and turbogenerators
- Atlas Copco Energas: compressors
- MAN Diesel & Turbo: compressors and steam turbines and gas turbines for power generation and industrial applications
- Siemens Energy Sector: steam turbines and gas turbines for power generation and industrial applications, turbogenerators and compressors
- VGB PowerTech: European association of operating companies of power stations and heating plants
Current publication: VDMA Specification Series 4315
page 4

VDMA Working Group
VDMA Specification Series 4315, structure and status

Part | Title | Status
1 | Methods for determination of the necessary risk reduction | German: published; English: published
2 | Functional safety in existing installations | in preparation
3 | spare | not applicable
4 | spare | not applicable
5 | Risk assessment steam turbines | German: published; English: published
6 | Risk assessment gas turbines | German: published; English: in preparation
7 | Risk assessment compressor train | German: published; English: published
8 | Risk assessment hydrogen cooled generators with water cooled stator windings | in final preparation

For actual status and ordering information see http://www.beuth.de/cn/j35teq85dvw0aymsy12ukunyu.4/d29ya2zsb3duyw1lpwv4yujhc2lju2vhcmnojnjlzj10cgwtag9tZSZsYW5ndWFnZWlkPWRl.html
page 5

What is Functional Safety
Functional safety: engineering of safety functions
- Instrumented control system functions
- In the process industry typically not required for normal operation of the machines
- React on dangerous process situations
- Restoration of a safe state, mostly by an emergency shut-down (trip)
Examples for turbomachines: overspeed protection function (all turbines); flame supervision function (gas turbines), see figure
[Figure: central control & protection system, with the process control logic and the safety logic as separate blocks]
page 6

What is Functional Safety
Legal basis for functional safety: Machinery Directive 2006/42/EC, Annex I, Essential health and safety requirements
General principles: "The manufacturer of machinery must ensure that a risk assessment is carried out..."
1.1.2. Principles of safety integration: "Machinery must be designed and constructed so that it does not put people at risk and to this end... the manufacturer must apply the following principles, in the order given:
- eliminate or reduce risks as far as possible (inherently safe machinery design and construction),
- take the necessary protective measures in relation to risks that cannot be eliminated,
- inform users of the residual risks due to any shortcomings of the protective measures adopted, indicate whether any particular training is required and specify any need to provide personal protective equipment."
page 7

Functional Safety Lifecycle
Steps in the safety lifecycle and the corresponding clauses in the standards:

Nr. | Step in the safety lifecycle | Corresponding clauses in the standards
1 | Risk assessment | ISO 12100, 3.17: overall process comprising a hazard analysis and a risk evaluation; IEC 61511 step 1: hazard and risk assessment (IEC 61511-1, figure 8)
1.1 | Specification of the scope of the analysis | ISO 12100, 5.3: specification of the limits of the machine; IEC 61508 step 2: specification of the overall scope
1.2 | Hazard analysis: identification of hazards | ISO 12100, 3.15: combination of the specification of the limits of the machine, hazard identification and risk estimation; ISO 12100, 5.4: identification of hazards; IEC 61508 step 3: hazard and risk analysis
1.3 | Risk estimation | ISO 12100, 3.14: definition of the likely severity of harm and probability of its occurrence; ISO 12100, 5.5: risk estimation
1.4 | Risk evaluation | ISO 12100, 3.16: judgement, on the basis of hazard analysis, of whether the risk reduction objectives have been achieved
2 | Allocation of safety integrity requirement | IEC 61511 step 2: allocation of safety requirements
2.1 | Identification of safety measures, in particular of safety functions |
2.2 | Allocation of safety integrity requirement to safety functions |
3 | Safety requirement specification | IEC 61511 step 3: safety requirements specification
3.1 | Safety integrity requirement |
3.2 | Functional requirements |
page 8

Functional Safety Lifecycle (continued)

Nr. | Step in the safety lifecycle | Corresponding clauses in the standards
4 | Design of the safety function | IEC 61511 step 4: design and realisation
5 | Construction and installation of the safety function | IEC 61511 step 5: installation and commissioning
6 | Verification of the satisfaction of the safety requirements prior to commencing commercial operation of the protected equipment | IEC 61511: included in step 5: validation (IEC 61508 step 13: safety validation)
7 | Operation and maintenance of the safety circuit during the operation of the protected equipment | IEC 61511 step 6: operation and maintenance
8 | Modification of the safety circuit | IEC 61511 step 7: modification
9 | Decommissioning of the safety circuit | IEC 61511 step 8: decommissioning
page 9

Functional Safety Lifecycle
Simplified representation in main phases:
- pre-specification: hazard identification, risk analysis, specification of safety functions
- post-specification: design of safety functions, implementation & testing of safety functions
Transition document: Safety Requirement Specification
- Functional requirements: what shall be done, when and how fast: conditions for triggering safety system actions (process parameters, logics); required system reaction (triggering of process actuators)
- Required safety integrity: safety integrity is the degree of immunity of a function against failures
Current subject: specification of the required safety integrity
page 10

Functional Safety Basic Terms
From risk assessment to safety requirement specification
[Figure: a process hazard gives rise to accident scenarios 1 to n; their risk determines the functional requirements of the safety function]
page 11

Functional Safety Basic Terms
Process hazard
- A harmful effect penetrating the process enclosure: process gases (steam, hot gas, combustion gas or others), particles, shock waves, fire, high pressure jets of liquids
- Caused by a specific type of malfunction
- Potentially causing harm to people (or damage to equipment)
Accident scenario
- Description of an accident as a narrative with the initial conditions, the chronological sequence of events, the causal relationships and the final outcome
Risk
- Measure for the hazardous nature of a scenario or event: how dangerous is it?
- Combination of the severity of the harm and the rate of occurrence that is connected with the scenario or event
page 12

Functional Safety Basic Terms
Rate of occurrence of an event
- Qualitatively described as "frequently", "occasionally", "seldom" or "never"
- Quantified in events per time or as average time between events
- For accidents of turbomachinery causing harm to people: theoretically anticipated from a risk analysis; cannot be derived from actual accident statistics
- An event rate can be attached to a defined event only
Reference event: formalized description of an accident scenario
- Which equipment unit or equipment scope is causing the accident?
- To which specific process hazard is the accident related?
- Who is suffering harm? (What is suffering damage?)
- Which kind of harm (or damage) is suffered, on which level of severity?
page 13

Functional Safety Basic Terms
Safety integrity is a property of a specific function
- Degree of confidence that the function will work as designed within given boundary conditions
Safety integrity level SIL: indicator for safety integrity in discrete levels SIL1, SIL2, SIL3, SIL4
- Low demand mode: SIL counts decades of the risk reduction factor RRF
- High demand mode: SIL counts decades of the dangerous failure rate PFH_D
Safety integrity is established by different measures
- ... as a requirement to a function: required risk reduction -> safety requirement specification (functional features, safety integrity)
- ... as a property of a function: measures against systematic failures; system architecture (e.g. redundancy); calculated risk reduction (reliability)
page 14

Quantitative Risk Analysis
Specification of a required safety integrity
Subject A: process hazard, reference event, process risk
- Risk is treated as an emission of machine & process
- Tolerable risk: maximum allowable risk emission
Subject B: safety function
- Attenuation factor for the risk emission
- Residual risk
- Required risk reduction -> required safety integrity
[Figure: risk scale, increasing upwards: the process risk emission assuming the safety function absent; the required risk reduction down to the tolerable risk; the actual risk reduction, i.e. the safety integrity of the safety function, down to the residual risk; reference level at the bottom]
page 15

Quantitative Risk Analysis
... but treat it correctly, nevertheless!
[Figure: potential accidents are the demands on the safety function; the risk without safety function is the unmitigated accident rate; the safety function lets only a fraction of the demands through as actual accidents; the residual risk is the mitigated accident rate]
page 16

Quantitative Risk Analysis
Safety function unreliability as a function of time
[Figure: probability of failure PFD (0 to 1) against calendar time in years (0 to 70) for PFH_D = 5·10^-6 /h and TI = 3 y. Curves: PFD(t) of the safety function when not tested, rising towards 1; PFD(t) when proof-tested every TI, a sawtooth; and the average PFD of the tested function]
PFD_avg = 1/2 · PFH_D · TI
page 17

Quantitative Risk Analysis
Safety functions as attenuation function for accident rates
- Process risk, unmitigated accident rate: rate of a reference event, under the assumption that a safety function is not installed
- Remnant risk, mitigated accident rate: rate of the same reference event, under the assumption that a safety function is installed
[Figure: mitigated accident rate (0.0001 to 1) against unmitigated accident rate in events per year (0.001 to 1000), log-log scales: model calculation, risk reduction approximation, risk limiting approximation; the two approximations cross where the demand rate equals 2 x the test rate]
- At low rates: the safety function works as a risk reducer (low demand mode)
- At high rates: the safety function works as a risk limiter (high demand mode)
page 18
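The curves of pages 17 and 18 can be reproduced numerically. The Python below is an added example, not code from the VDMA workshop or from VDMA 4315: it uses the slide's parameters PFH_D = 5·10^-6 /h and TI = 3 y, the approximation PFD_avg = 1/2 · PFH_D · TI, and, in mitigated_rate(), a crossover model of my own (a dangerous failure stays hidden until the next proof test or the next demand, whichever comes first) whose two asymptotes are the risk reduction and risk limiting approximations of page 18. HOURS_PER_YEAR = 8760 is assumed.

```python
"""PFD over time and the mitigated accident rate of a low-demand safety function.

Added example for pages 17 and 18 (not code from the VDMA slides).
Single-channel model: constant dangerous failure rate PFH_D (per hour),
proof-test interval TI (years), demand rate U (events per year).
The mitigated_rate() crossover model is an assumption of this example,
not the VDMA 4315 calculation.
"""
import math

HOURS_PER_YEAR = 8760.0

# Slide parameters (page 17)
PFH_D = 5e-6   # dangerous failure rate, per hour
TI = 3.0       # proof-test interval, years


def pfd_untested(pfh_d, t_years):
    """P(failed dangerous by calendar time t) with no proof test: 1 - exp(-lambda*t)."""
    return 1.0 - math.exp(-pfh_d * HOURS_PER_YEAR * t_years)


def pfd_tested(pfh_d, t_years, ti_years):
    """Sawtooth PFD(t): every proof test restores the function, so only the
    time elapsed since the last test counts."""
    return pfd_untested(pfh_d, t_years % ti_years)


def pfd_avg_linear(pfh_d, ti_years):
    """The slide's approximation PFD_avg = 1/2 * PFH_D * TI (valid for lambda*TI << 1)."""
    return 0.5 * pfh_d * HOURS_PER_YEAR * ti_years


def pfd_avg_exact(pfh_d, ti_years):
    """Time average of 1 - exp(-lambda*t) over one test interval; slightly
    below the linear value, so the linear value is the conservative one."""
    x = pfh_d * HOURS_PER_YEAR * ti_years
    return 1.0 - (1.0 - math.exp(-x)) / x


def rrf_from_pfd(pfd_avg):
    """Risk reduction factor delivered by the function in low demand mode."""
    return 1.0 / pfd_avg


def mitigated_rate(u_per_year, pfh_d, ti_years):
    """Accident rate with the safety function installed (events/year).

    Model (assumption): a dangerous failure stays hidden until the next proof
    test (on average TI/2 later, i.e. a 'detection rate' of 2/TI) or the next
    demand (rate U), whichever comes first.  Mean hidden time = 1/(U + 2/TI),
    so accidents occur at lambda * U * mean_hidden_time."""
    lam = pfh_d * HOURS_PER_YEAR
    return u_per_year * lam / (u_per_year + 2.0 / ti_years)


def risk_reduction_approx(u_per_year, pfh_d, ti_years):
    """Low-demand asymptote: U * PFD_avg (the function acts as a risk reducer)."""
    return u_per_year * pfd_avg_linear(pfh_d, ti_years)


def risk_limiting_approx(pfh_d):
    """High-demand asymptote: the dangerous failure rate itself (risk limiter),
    because every failure is followed by a demand before the next test."""
    return pfh_d * HOURS_PER_YEAR


def crossover_demand_rate(ti_years):
    """Demand rate where the two asymptotes meet: 2 x the test rate (page 18)."""
    return 2.0 / ti_years


if __name__ == "__main__":
    print(f"PFD_avg linear = {pfd_avg_linear(PFH_D, TI):.4f}, exact = {pfd_avg_exact(PFH_D, TI):.4f}")
    print(f"RRF = {rrf_from_pfd(pfd_avg_linear(PFH_D, TI)):.1f}")
    for u in (0.001, 0.01, 0.1, 1.0, 10.0, 100.0):
        print(f"U = {u:7.3f}/y  model = {mitigated_rate(u, PFH_D, TI):.2e}"
              f"  reducer = {risk_reduction_approx(u, PFH_D, TI):.2e}"
              f"  limiter = {risk_limiting_approx(PFH_D):.2e}")
```

With the slide's numbers the linear PFD_avg is 0.0657 (RRF about 15, i.e. SIL1 territory), and the exact average is about 4% lower. Below the crossover demand rate of 2/TI the model tracks U · PFD_avg; far above it the mitigated rate saturates at the dangerous failure rate, which is why the SIL of a high demand function is expressed in PFH_D rather than in RRF (page 14).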

Low-Demand Case - Basic Equations
Typical for safety functions of turbomachines: low demand
The risk reduction equation (protection function as risk reducer):
RRF = U / L
- RRF: required risk reduction factor, quantifies the required safety integrity
- U: unmitigated accident rate (process demand)
- L: tolerable risk
The general risk equation (common parameters of risk analyses of turbomachines), quantification of the unmitigated accident rate:
U = W x F x A x V
- W: rate of occurrence of the hazardous situation (emergence of a process hazard)
- F: occupancy parameter: likelihood for the process hazard to meet people
- A: unavoidability parameter: likelihood that the exposed person cannot avert the danger
- V: vulnerability: likelihood that the exposed person suffers the reference harm
page 19

Risk Assessment - Assumptions
Basic questions: four factors quantifying the risk emission of turbomachines
- What needs to happen to a person to suffer harm?
- How frequently will a harmful effect break out of the containment and penetrate into an area which can be occupied? -> dangerous event rate W
- How likely will somebody meet the harmful effect? -> occupancy parameter F
- How likely will this somebody avert the danger by herself/himself? Not at all, for example, if the accident develops too fast to allow any action. -> unavoidability A
- How likely does the exposed person get away without suffering the reference harm ... or has bad luck, finally? -> vulnerability V
page 20

Tolerable Risk Limits
Tolerable risk limit: maximum allowable risk emission, assigned to
- an equipment unit or equipment scope
- a process hazard (a safety function)
- a single person or a collective of people suffering harm
- the level of severity of the harm (injury, casualty)
Parameter in a quality assurance procedure
- expression of a state of the art as reflected by methods for risk analysis / SIL assignment
- without direct relation to actual accident rates (for turbomachines)
Established numerical level
- Event based risk, work accident with 1 to 10 fatalities: 1·10^-4 per year
- Individual risk, fatal work accident: 1·10^-5 per year
- Staggered in decadic steps for other damage categories
page 21

VDMA Power Systems
Risk Assessment - Assumptions
Severity of harm: which severity is to be assumed for a process hazard?
- There are many different scenarios with many levels of severity
- For each possible reference event a separate analysis could be made
- Frequent convention: the most severe harm that can reasonably be assumed is taken as representative for the general risk level
[Figure: event rate against severity of harm; the range of realistic reference events with similarly high risk extends up to the most severe harm that can reasonably be assumed]
page 22

Risk Assessment - Assumptions
Occupancy: share of time each occupancy group spends in each hazard zone
Hazard zones: 1a directly at the machine; 1b machine enclosure; 2 machine building / extended installation zone; 3 site; 4 exterior
- Inspectors (1 to 2 persons): 1a: 1% or less at a specific hazard location; 1b: 2%; 2: 30%; 3: rest of the time; 4: not relevant
- Maintenance personnel (up to 3 persons): 1a: not allowed (with machine in operation or machine ready to start); 1b: less than 10%; 2: less than 10% (up to 3 persons); 3: 30% (only 1 shift per day); 4: not relevant
- General site personnel: 1a/1b: not allowed; 2: 5%; 3: 100% (always, 5 to 10 persons, depending on time of day and size of plant); 4: not relevant
- Overhaul personnel (20 to 70 persons, only in plants with several units): not allowed at the machine while it is in operation or ready to start; otherwise not relevant
- Visitor groups (typically 20 persons): 1a/1b: not allowed; 2: 1% (up to 2 x 1 h per week); 3: plus around the same time as in the machine building; 4: not relevant
- General population: zones 1a to 3: not allowed; 4: 100%
page 23

Risk Assessment - Assumptions
Occupancy, summary: occupancy of the risk zones (1a directly at the machine, 1b enclosure, 2 machine building / extended installation zone, 3 site, 4 exterior) based on the number of persons present at the same time
- Site employees: 1 to 2 persons directly at the machine, 3 to 10 persons in the enclosure and machine building; occupancy from less than 1% to a few % at the machine, 30% and 10% in the enclosure and the machine building, always present on site
- People who are not staff: not allowed at the machine; many persons possible in the outer zones, 6% and 1% in the machine building and on site; always present in the exterior
page 24

Definition Type of Risk
Several expressions of risk for a given hazard / given harm
- Expected count of events per reference time
- There are different definitions for events & time
- Most frequently used: event based risk & individual risk
page 25

Definition Type of Risk
Event based risk. Reference event: accident of a specific severity, defined by
- level of harm
- maximum number of affected people
- on a specific unit or plant
- caused by a defined hazard or group of hazards
Established primarily as a measure for risk in continental Europe.
Individual risk. Reference event: accident
- with a specific level of harm
- affecting a specific individual person
- on a specific unit or plant, by a defined hazard or group of hazards, as above
Individual risk does not account for the maximum number of people affected by a single accident, nor for accidents to people who are not the most exposed.
Established as a measure for risk in the UK (by HSE).
page 26

SIL Assignment Tools & Methods
SIL assignment: required risk reduction assigned to a function
Available tools & methods:
- Layer of Protection Analysis (LOPA)
- Full fault tree and/or event tree analysis
- Risk matrices
- Risk graphs
Each valid tool or method is an expression of the risk equation
RRF = U / L = W x F x A x V / L
- Equivalence of tools can be shown on this basis
- Each tool or method expressing the risk equation is valid
The VDMA risk graph: selected as tool for presentation of results; not obligatory for the user (see above); valid for low demand cases
page 27

SIL Assignment Tools & Methods
LOPA, format according to IEC 61511
[Figure: LOPA sheet in the IEC 61511 format]
page 28

SIL Assignment Tools & Methods
LOPA, customized format: explosion protection for the propane gas cabinet MBQ30 - PR7.11 according to HTCT608170

Columns of the customized LOPA sheet:
- scenario number & description
- initial failure event rate, in average occurrences per year of engine operation
- identification of the concerned safety function
- potential consequences with consequence likelihoods: likelihood of the given consequence to result from the preceding event, assuming the preceding event as given
- risk mitigating factors
- likelihood of casualty, in events per year of engine operation, and mean time between events in years
- expected event rate of damage (cumulated)
- tolerable event rate: individual risk of casualty for the most exposed person, tolerable level in events per year of engine operation
- required risk reduction factor
- required SIL level

Scenario A: propane ignition system: gas leak with subsequent explosion or deflagration

Event chain (likelihood of each step given the preceding one, with the justification given on the slide):
1. Propane gas leak in system MBQ30 (rate of initial event): 0.5 per year. Initial likelihood mitigated by commissioning and erection checks. Later on, leaks may be generated primarily by improper connection of new bottles into the system. A bottle is supposed to serve about 100 starts. Depending on the engine operation schedule, a bottle is exchanged a few times per year down to once in a few years. In the majority of cases this is done correctly.
2. Failure of cabinet ventilation: 0.002. Ventilator MBQ33 AN001 to propane cabinet MBQ30. The dominating failure cause would be a failure of the motor. The failure rate of an AC squirrel cage motor is typically 5·10^-6 /h. A factor of 3 is applied to allow for other failures than those of the motor. Assuming a time to repair of 5 days, the likelihood of finding the propane cabinet ventilation failed at any point of time is as given.
3. Failure of alarms and inspections: 0.1. Differential pressure supervision MBW33 CP010 with alarm; alarm of motor control center MBQ33 AN001; inspection and local indication of pressure MBQ30 CP002/CP003.
4. Accumulation of propane and ignition: 0.2. There are no ignition sources inside the propane gas cabinet. Leakages to the outside of the cabinet will be small. They are diluted by diffusion and air turbulence with increasing distance from the cabinet. Therefore, the likelihood of a postulated propane leakage to meet an ignition source with a sufficient level of concentration is assessed significantly less than "certain". (It is acknowledged that the auxiliary enclosure is not designed as an explosion protection zone.)
5. Risk area coverage factor ("vulnerability"): 1. Risk area: auxiliary enclosure. Assumed to be included in "common GT & ST buildings", item 1 in occupancy plan 1AHA053291, section 8.1. A coverage factor of 1 is conservative.
6. Person present in risk area: 0.083. Operator during walkaround, per day 15 minutes in 1. "Common GT&ST"; to be multiplied by 2 for 2 units, plus a margin of 33% in order to allow for additional maintenance supervision.

Result columns:
- likelihood of casualty: 1.7·10^-6 per year of engine operation; mean time between events: 602,410 years
- expected event rate of damage (cumulated): 1.7·10^-6 per year (602,410 years)
- tolerable event rate (individual risk of casualty for the most exposed person): 5.0·10^-5 per year (20,000 years)
- required risk reduction factor: none
- required SIL level: none
page 29
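As an added example, not part of the workshop material or of VDMA 4315, the following Python evaluates the risk equation of page 19 (U = W x F x A x V, RRF = U / L) and recomputes the LOPA scenario above from the factors printed on it. The equipment tags are quoted from the slide; the SIL bands are the IEC 61508 low-demand bands; the ventilator unavailability is recomputed from the motor failure rate, the factor of 3 and the 5-day repair time given above; the turbomachine case at the end uses assumed numbers for illustration.

```python
"""Risk equation (page 19) and the LOPA worked example (page 29).

Added example; not code from the VDMA workshop or VDMA 4315.
Implements RRF = U / L with U = W x F x A x V, maps an RRF to the IEC 61508
low-demand SIL bands, and recomputes the propane cabinet scenario from the
factors printed on the slide (equipment tags quoted from there).
"""
import math


def unavailability(failure_rate_per_h, mttr_h, multiplier=1.0):
    """Probability of finding a repairable item failed at a random moment:
    lambda * MTTR (valid while lambda * MTTR << 1).  The slide applies a
    multiplier of 3 to the motor failure rate to cover non-motor failures."""
    return failure_rate_per_h * multiplier * mttr_h


def unmitigated_rate(w, f, a, v):
    """U = W x F x A x V (events per year)."""
    return w * f * a * v


def required_rrf(u, tolerable):
    """RRF = U / L; a value of 1 or less means the tolerable limit is already met."""
    return u / tolerable


def required_sil(rrf):
    """IEC 61508 low-demand bands: SIL n covers RRF in [10^n, 10^(n+1))."""
    if rrf <= 1.0:
        return "none"
    decades = math.floor(round(math.log10(rrf), 9))
    if decades < 1:
        return "below SIL1"
    if decades > 4:
        return "beyond SIL4"
    return f"SIL{decades}"


# Scenario A of page 29: each step's likelihood, assuming the preceding step.
# The ventilation value 0.002 is the slide's rounding of lambda * 3 * MTTR.
PROPANE_CABINET = [
    ("Propane gas leak in system MBQ30 (initial event, per year)", 0.5),
    ("Failure of cabinet ventilation MBQ33 AN001", 0.002),
    ("Failure of alarms and inspections (MBW33 CP010, MBQ30 CP002/CP003)", 0.1),
    ("Accumulation of propane and ignition", 0.2),
    ("Risk area coverage factor ('vulnerability')", 1.0),
    ("Person present in risk area (operator walkaround)", 0.083),
]
TOLERABLE_INDIVIDUAL_CASUALTY = 5.0e-5   # per year of engine operation (page 29)


def lopa_event_rate(chain):
    """Frequency of the final consequence: product of the chain's likelihoods."""
    rate = 1.0
    for _, likelihood in chain:
        rate *= likelihood
    return rate


def evaluate_lopa(chain=PROPANE_CABINET, tolerable=TOLERABLE_INDIVIDUAL_CASUALTY):
    """Fill the result columns of the LOPA sheet for one scenario."""
    rate = lopa_event_rate(chain)
    rrf = required_rrf(rate, tolerable)
    return {
        "rate_per_year": rate,
        "mtbe_years": 1.0 / rate,
        "tolerable_per_year": tolerable,
        "tolerable_mtbe_years": 1.0 / tolerable,
        "rrf": rrf,
        "sil": required_sil(rrf),
    }


if __name__ == "__main__":
    # Ventilator: AC squirrel cage motor 5e-6/h, factor 3, 5 days to repair
    print(f"ventilation unavailability = {unavailability(5e-6, 5 * 24, multiplier=3):.4f}")
    r = evaluate_lopa()
    print(f"casualty rate = {r['rate_per_year']:.2e}/y, MTBE = {r['mtbe_years']:,.0f} y")
    print(f"tolerable = {r['tolerable_per_year']:.1e}/y, RRF = {r['rrf']:.3f}, SIL = {r['sil']}")
    # Illustrative turbomachine case (assumed numbers): W = 0.1/y, F = 10%,
    # A = 1, V = 1, event based limit 1e-4/y (page 21) -> RRF 100 -> SIL2
    u = unmitigated_rate(0.1, 0.1, 1.0, 1.0)
    print(f"U = {u:.3f}/y, RRF = {required_rrf(u, 1e-4):.0f}, {required_sil(required_rrf(u, 1e-4))}")
```

The recomputed ventilator unavailability is 0.0018, which the slide rounds to 0.002; with the printed factors the casualty rate comes out at 1.66·10^-6 per year (602,410 years between events), a factor of about 30 below the tolerable 5·10^-5, so no risk reduction and no SIL is required for this scenario. The same functions give the low-demand SIL for any U and L; note that required_sil() uses the RRF decade, so an RRF of 999 is still SIL2 while 1000 is SIL3.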

SIL Assignment Tools & Methods
Risk matrix
[Figure: risk matrix "Energy Risk", Siemens]
page 30

SIL Assignment Tools & Methods
The VDMA Risk Graph

Columns, W = rate of the dangerous event in events per year: W3: > 1; W2: [1; 0.1]; W1: [0.1; 0.01]; W0: [0.01; 0.001]; W-1: [0.001; 0.0001]; W-2: <= 0.0001
Row parameters: S, severity of harm: S1 minor injury; S2 serious irreversible injury; S3 fatalities, one to max. 10 persons; S4 fatalities, more than 10 persons. F, occupancy: F1 <= 10%; F2 > 10%. AV, unavoidability x vulnerability: AV1 <= 10%; AV2 > 10%.

Required SIL per row, columns W3, W2, W1, W0, W-1, W-2:
S1 (no F/AV branch)      | a   | --- | --- | --- | --- | ---
S2, F1, AV1              | 1   | a   | --- | --- | --- | ---
S2, F1/AV2 or F2/AV1     | 2   | 1   | a   | --- | --- | ---
S3, F1/AV2 or F2/AV1     | 3   | 2   | 1   | a   | --- | ---
S4, F1/AV2 or F2/AV1     | 4   | 3   | 2   | 1   | a   | ---
S4, F2, AV2              | b   | 4   | 3   | 2   | 1   | a

Each row is one decade above the previous one; branches that the graph does not draw to a row of their own (S2 with F2 and AV2, S3 with F1 and AV1 or with F2 and AV2, S4 with F1 and AV1) end on the neighbouring row with the same sum of indices, see the equation on page 32. Legend as in the IEC 61508-5 risk graph: a: no special safety integrity requirement; b: a single safety function is not sufficient; ---: no safety requirement.
page 31

SIL Assignment Tools & Methods
Risk Graph
Risk graph: graphical representation of a discretized equation
- Equation: SIL = S + F + Av + W - 6, with the decadic indices S1..S4 = 1..4, F1/F2 = 1/2, Av1/Av2 = 1/2 and W-2..W3 = -2..3 (result 0 = a, 1 to 4 = SIL1 to SIL4, 5 = b, negative = ---); equivalent to the risk equation RRF = W x F x A x V / L, since every factor enters as a decade
- Discretization: the accident related parameters are discretized UP; the required risk reduction is discretized DOWN
[Figure: log scales for W, F and P (0.1 to 10^4) against the required risk reduction, marking the intervals a, SIL1, SIL2, SIL3]
For a given SIL level, a risk graph can assume only the lowest risk reduction factor of the assigned interval.
page 32

SIL Assignment Tools & Methods
Risk Graph: extraction of a tolerable risk limit from a risk graph
The VDMA risk graph of page 31 is shown again. Because every cell is a decadic statement of W x F x A x V / L, the tolerable risk limit L that stands behind a row can be read back from any cell whose SIL is known, given the parameter values the graph assumes for its classes.
page 33
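The following Python is an added example, not code from the VDMA slides or from VDMA 4315. It encodes the VDMA risk graph of page 31 as the discretized equation of page 32 (SIL = S + F + Av + W - 6 on the decadic indices, with S1 evaluated as F1/Av1 because the graph draws no branches for minor injury), reproduces the printed rows, and checks cell by cell that the graph agrees with floor(log10(W x F x A x V / L)). The representative values used for that comparison are assumptions of this example: W at the lower bound of its class (1e-5 per year for the open class W-2), F and Av at 10% or 100%, and L = 1e-4 per year for S3 (page 21) with one decade per severity step.

```python
"""The VDMA risk graph (page 31) as the discretized risk equation (page 32).

Added example, not from the VDMA slides.  risk_graph() implements
SIL = S + F + Av + W - 6 with the decadic indices S1..S4 = 1..4,
F1/F2 = 1/2, Av1/Av2 = 1/2 and W-2..W3 = -2..3; S1 has no F/Av branches in
the graph and is evaluated as F1/Av1.  The representative values used in
continuous_decades() to compare with RRF = W x F x A x V / L are assumptions
of this example: W at the lower bound of its class (W-2: 1e-5/y), F and Av at
10% or 100%, and L = 1e-4/y for S3 (page 21) with one decade per severity step.
"""
import math

W_COLUMNS = ("W3", "W2", "W1", "W0", "W-1", "W-2")    # left to right on page 31
W_INDEX = {"W3": 3, "W2": 2, "W1": 1, "W0": 0, "W-1": -1, "W-2": -2}
# Class bounds from the column headers (events per year); a rate exactly on a
# boundary goes to the lower class, which is an assumption.
W_LOWER_BOUND = (("W3", 1.0), ("W2", 0.1), ("W1", 0.01), ("W0", 0.001), ("W-1", 1e-4))
W_REPRESENTATIVE = {"W3": 1.0, "W2": 0.1, "W1": 0.01, "W0": 0.001, "W-1": 1e-4, "W-2": 1e-5}
FRACTION = {1: 0.1, 2: 1.0}   # F1/Av1 "<= 10%" -> 0.1, F2/Av2 "> 10%" -> 1.0


def w_class(rate_per_year):
    """Map a dangerous-event rate to its W column."""
    for name, lower in W_LOWER_BOUND:
        if rate_per_year > lower:
            return name
    return "W-2"


def label(index):
    """Cell text from the decade index: ---, a, SIL1..SIL4 or b."""
    if index < 0:
        return "---"
    if index == 0:
        return "a"
    if index >= 5:
        return "b"
    return f"SIL{index}"


def risk_graph(s, f, av, w):
    """Required SIL per the VDMA risk graph: s in 1..4, f and av in {1, 2}, w a column name."""
    if s == 1:            # minor injury: no F/Av branches drawn
        f, av = 1, 1
    return label(s + f + av + W_INDEX[w] - 6)


def graph_row(s, f, av):
    """One row of the graph from W3 to W-2, as printed on page 31."""
    return [risk_graph(s, f, av, w) for w in W_COLUMNS]


def continuous_decades(rate_per_year, f, av, s):
    """floor(log10(RRF)) from the continuous equation with the representative values."""
    if s == 1:
        f, av = 1, 1
    w_val = W_REPRESENTATIVE[w_class(rate_per_year)]
    tolerable = 10.0 ** (-(s + 1))          # S3 -> 1e-4 per year, one decade per S step
    rrf = w_val * FRACTION[f] * FRACTION[av] / tolerable
    return math.floor(round(math.log10(rrf), 9))   # rounding absorbs float noise at 10^n


def graph_min_rrf(cell):
    """Lowest RRF a cell stands for: a SIL only guarantees the bottom of its
    decade, which is the page 32 caveat."""
    if cell == "---":
        return 0.0
    if cell == "a":
        return 1.0
    if cell == "b":
        return 1e5
    return 10.0 ** int(cell[3:])


def graph_matches_equation():
    """True if every cell of the graph equals the discretized continuous result."""
    for s in (1, 2, 3, 4):
        for f in (1, 2):
            for av in (1, 2):
                for w in W_COLUMNS:
                    sample_rate = 2.0 * W_REPRESENTATIVE[w]     # lies inside class w
                    if risk_graph(s, f, av, w) != label(continuous_decades(sample_rate, f, av, s)):
                        return False
    return True


if __name__ == "__main__":
    for s, f, av in ((1, 1, 1), (2, 1, 1), (2, 1, 2), (3, 1, 2), (4, 1, 2), (4, 2, 2)):
        print(f"S{s} F{f} Av{av}: {' '.join(f'{c:>4}' for c in graph_row(s, f, av))}")
    print("graph == discretized equation:", graph_matches_equation())
```

Since each index is a decade, the sum S + F + Av + W - 6 is exactly log10 of W x F x A x V / L under the stated representative values, which is why graph_matches_equation() returns True for all 96 cells; changing any representative value by a decade shifts the whole graph by one column, which is the practical meaning of "extracting" L from a known cell. graph_min_rrf() makes the page 32 caveat explicit: a SIL3 cell only guarantees an RRF of 1000, not whatever the continuous equation asked for within that decade.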

Summary
Safety integrity expresses the relation between
- hazard
- function
- tolerable risk limit
Each of these is logically necessary.
Assigning a safety integrity requirement to a safety function
- is NOT an exact science
- requires reasonable engineering judgement
- can comply with a clear and consistent logical concept, nevertheless
That concept is laid out in VDMA 4315-1: the best available state of the art.
page 34