DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508

Similar documents
Understanding safety life cycles

innova-ve entrepreneurial global 1

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions

Safety-critical systems: Basic definitions

FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions

Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons

Impact on People. A minor injury with no permanent health damage

QUANTIFYING THE TOLERABILITY OF POTENTIAL IGNITION SOURCES FROM UNCERTIFIED MECHANICAL EQUIPMENT INSTALLED IN HAZARDOUS AREAS

Solenoid Valves used in Safety Instrumented Systems

SIL explained. Understanding the use of valve actuators in SIL rated safety instrumented systems ACTUATION

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions

This manual provides necessary requirements for meeting the IEC or IEC functional safety standards.

Hydraulic (Subsea) Shuttle Valves

Every things under control High-Integrity Pressure Protection System (HIPPS)

PROCESS AUTOMATION SIL. Manual Safety Integrity Level. Edition 2005 IEC 61508/61511

DeZURIK. KGC Cast Knife Gate Valve. Safety Manual

Solenoid Valves For Gas Service FP02G & FP05G

DeZURIK Double Block & Bleed (DBB) Knife Gate Valve Safety Manual

IGEM/TD/2 Edition 2 with amendments July 2015 Communication 1779 Assessing the risks from high pressure Natural Gas pipelines

High Integrity Pressure Protection Systems HIPPS

SPR - Pneumatic Spool Valve

Bespoke Hydraulic Manifold Assembly

THE IMPROVEMENT OF SIL CALCULATION METHODOLOGY. Jinhyung Park 1 II. THE SIL CALCULATION METHODOLOGY ON IEC61508 AND SOME ARGUMENT

DeZURIK. KSV Knife Gate Valve. Safety Manual

A study on the relation between safety analysis process and system engineering process of train control system

C. Mokkapati 1 A PRACTICAL RISK AND SAFETY ASSESSMENT METHODOLOGY FOR SAFETY- CRITICAL SYSTEMS

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance

Partial Stroke Testing. A.F.M. Prins

Safety manual for Fisher GX Control Valve and Actuator

Section 1: Multiple Choice

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI

New Thinking in Control Reliability

Implementing Emergency Stop Systems - Safety Considerations & Regulations A PRACTICAL GUIDE V1.0.0

RESILIENT SEATED BUTTERFLY VALVES FUNCTIONAL SAFETY MANUAL

Application of pipeline risk assessment to proposed developments in the vicinity of high pressure Natural Gas pipelines

Risk Management Qualitatively on Railway Signal System

Implementing IEC Standards for Safety Instrumented Systems

Functional safety. Functional safety of Programmable systems, devices & components: Requirements from global & national standards

L&T Valves Limited SAFETY INTEGRITY LEVEL (SIL) VERIFICATION FOR HIGH INTEGRITY PRESSURE PROTECTION SYSTEM (HIPPS) Report No.

Using LOPA for Other Applications

The IEC61508 Operators' hymn sheet

Valve Communication Solutions. Safety instrumented systems

Risks Associated with Caissons on Ageing Offshore Facilities

Safety-Critical Systems

Session: 14 SIL or PL? What is the difference?

Section 1: Multiple Choice Explained EXAMPLE

Safety Requirement Specification

A GUIDE TO RISK ASSESSMENT IN SHIP OPERATIONS

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

TRI LOK SAFETY MANUAL TRI LOK TRIPLE OFFSET BUTTERFLY VALVE. The High Performance Company

Accelerometer mod. TA18-S. SIL Safety Report

SIL Safety Manual. ULTRAMAT 6 Gas Analyzer for the Determination of IR-Absorbing Gases. Supplement to instruction manual ULTRAMAT 6 and OXYMAT 6

Session Fifteen: Protection Functions as Probabilistic Filters for Accidents

Proof Testing A key performance indicator for designers and end users of Safety Instrumented Systems

The Best Use of Lockout/Tagout and Control Reliable Circuits

Linking Risk and Reliability Mapping the output of risk assessment tools to functional safety requirements for safety related control systems.

Technical Standards and Legislation: Risk Based Inspection. Presenter: Pierre Swart

Proposed Abstract for the 2011 Texas A&M Instrumentation Symposium for the Process Industries

A quantitative software testing method for hardware and software integrated systems in safety critical applications

Achieving Compliance in Hardware Fault Tolerance

A large Layer of Protection Analysis for a Gas terminal scenarios/ cause consequence pairs

Reliability Analysis Including External Failures for Low Demand Marine Systems

Safety Manual OPTISWITCH series relay (DPDT)

FUNCTIONAL SAFETY: SIL DETERMINATION AND BEYOND A CASE STUDY FROM A CHEMICAL MANUFACTURING SITE

CHEMICAL ENGINEEERING AND CHEMICAL PROCESS TECHNOLOGY Vol. IV - Process Safety - R L Skelton

The Risk of LOPA and SIL Classification in the process industry

IGEM/SR/15 Edition 5 Communication 1746 Integrity of safety-related systems in the gas industry

PROCEDURE. April 20, TOP dated 11/1/88

Module No. # 03 Lecture No. # 01 Dose assessment, Safety regulations

Transmitter mod. TR-A/V. SIL Safety Report

HOW LAYER OF PROTECTION ANALYSIS IN EUROPE IS AFFECTED BY THE GUIDANCE DRAWN UP AFTER THE BUNCEFIELD ACCIDENT

Failure Modes, Effects and Diagnostic Analysis

Session One: A Practical Approach to Managing Safety Critical Equipment and Systems in Process Plants

Definition of Safety Integrity Levels and the Influence of Assumptions, Methods and Principles Used

Transducer mod. T-NC/8-API. SIL Safety Report

Part 1: General principles

4-sight Consulting. IEC case study.doc

Proposal title: Biogas robust processing with combined catalytic reformer and trap. Acronym: BioRobur

PL estimation acc. to EN ISO

Using what we have. Sherman Eagles SoftwareCPR.

Proficiency Module Syllabus. P601 - Thorough Examination and Testing of Local Exhaust Ventilation Systems

Enhancing NPP Safety through an Effective Dependability Management

LECTURE 3 MAINTENANCE DECISION MAKING STRATEGIES (RELIABILITY CENTERED MAINTENANCE)

Safety Manual VEGAVIB series 60

Fail Operational Controls for an Independent Metering Valve

The IEC61508 Inspection and QA Engineer s hymn sheet

Failure Modes, Effects and Diagnostic Analysis

Functional Safety SIL Safety Instrumented Systems in the Process Industry

The Safety Case. Structure of Safety Cases Safety Argument Notation

Recommended Facilitator Notes: (read the following text out-loud to participants while showing this slide)

Workshop Functional Safety

Point level switches for safety systems

Safe management of industrial steam and hot water boilers A guide for owners, managers and supervisors of boilers, boiler houses and boiler plant

Safety Manual VEGAVIB series 60

The Safety Case. The safety case

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

Safety assessments for Aerodromes (Chapter 3 of the PANS-Aerodromes, 1 st ed)

Review and Assessment of Engineering Factors

Ultima. X Series Gas Monitor

Why do I need dual channel safety? Pete Archer - Product Specialist June 2018

Transcription:

DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508 Simon J Brown Technology Division, Health & Safety Executive, Bootle, Merseyside L20 3QZ, UK Crown Copyright 2000. Reproduced with the permission of the Controller of Her Majesty s Stationery Office. The methodology for the determination of safety requirements of safety-related systems adopted by the international standard IEC 61508, Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems is reviewed. The process of determining overall safety requirements from a hazard & analysis and how this leads to a safety requirements specification (in terms of safety functions and associated safety integrity levels) is described. The concept of the process safety time and how it relates to requirements for the diagnostic test interval of the safety-related system is explained. INTRODUCTION Whilst hazards, whenever possible, should be eliminated using the principles of inherent safety, there are many applications where this is not practical and where it is necessary to put in place arrangements to reduce s associated with chemical processes to tolerable levels. Often, safety-related systems based on electrical, electronic or programmable electronic (E/E/PE) technology are used to effect such reduction (for example, emergency shut down systems and fire / gas detection systems). The aim of IEC 61508 1 is to ensure that the safety integrity of such E/E/PE safety-related systems is adequate to achieve functional safety. This is achieved by first determining the safety requirements for the E/E/PE safety-related systems using a systematic based approach. This takes into account the hazards and s associated with the process and process control system, together with any contributions to overall safety provided by other technology safety-related systems and reduction facilities. To be effective, it is important that this activity takes place at a very early stage in the design of the arrangements necessary to ensure the safety of the process and it will often form part of the intial process hazard analysis. It is therefore important that those involved with this activity are familiar with the concept of safety functions in the context of IEC 61508. OVERALL SAFETY REQUIREMENTS HAZARD & RISK ANALYSIS One of the first steps in the IEC 61508 methodology is to undertake an analysis to determine the hazards and s associated with the so-called equipment under control (EUC) and the EUC control system. This is termed the EUC. In chemical process applications this is the associated with the process and process control system. At this stage, no account is taken of any safety-related systems or other reduction measures. The aim is, for each hazard, to assess the nature and extent of the unmitigated in terms of consequence and frequency of the hazardous event. This is typically undertaken using the fault tree analysis technique. It should be noted that IEC 61508 places a lower limit on the dangerous failure rate that can be claimed for the EUC control system of 10-5 dangerous failures per hour, unless the control system is itself designed according to the requirements of the standard. This is to prevent unrealistic claims being made for the reduction of a control system in order to ease the requirement on the safety-related system. 1

TOLERABLE RISK The next stage is, for each hazard, to determine the tolerable, again in terms of consequence and frequency. IEC 61508 does not give any specific guidance as to what might be regarded as a tolerable, but general advice is given in IEC 61508-5 on how tolerable might be determined using the ALARP (as low as is reasonably practicable) model. Also, a discussion document which addresses this matter has recently been published by the Health & Safety Executive 2. In practice, the tolerable will depend on many factors (for example, severity of injury, the number of people exposed to danger, the frequency at which a person or people are exposed to danger and the duration of the exposure). Important factors will be the perception and views of those exposed to the hazardous event. In arriving at what constitutes a tolerable for a specific application, a number of inputs are considered. These include: guidelines from the appropriate safety regulatory authority; discussions and agreements with the different parties involved in the application; industry standards and guidelines; international discussions and agreements the role of national and international standards are becoming increasingly important in arriving at tolerable criteria for specific applications; the best independent industrial, expert and scientific advice from advisory bodies; legal requirements both general and those directly relevant to the specific application; individual and societal concerns. RISK REDUCTION Where the EUC associated with any of the hazards exceeds the tolerable, then it is necessary to put in place measures to reduce the to at least the tolerable level. This can be achieved by reducing either the frequency of the hazardous event, or the consequences associated with the hazardous event or by reducing both the frequency and consequence of the hazardous event (see Figure 1). The measures employed to bring about the required reduction can comprise safety-related systems using E/E/PE or other technologies (for example, mechanical pressure relief systems), or external reduction facilities (such as fire walls, bunds, etc.). The measures employed to effect the necessary reduction are sometimes referred to as layers of protection. In some applications it may be possible to obtain the necessary reduction from a single layer of protection (e.g. a pressure relief valve). However, particularly when higher levels of reduction are required, there are benefits to be gained by employing a number of different measures (sometimes referred to as layers of protection) to protect against any one hazard, particularly if the layers are independent so that a failure in any one layer does not promote a failure in another. This both eases the safety integrity requirements of any one layer and provides protection against the failure of any one layer. IEC 61508 refers to the process of sharing reduction between different layers of protection as allocation. This is sometimes referred to as layer of protection analysis 3. The concept of allocating reduction to different types of protection is illustrated in Figure 2. 2

SAFETY FUNCTIONS & SAFETY INTEGRITY The requirements for each layer of protection, in terms of the functional action required, and the probability with which the action will be successfully carried out, are together referred to in IEC 61508 as a safety function. It is vital that the necessary reduction for each hazard is accurately captured in the specification of the safety functions. In general, safety functions are specified in terms of both the functional requirement and the safety integrity requirement to achieve the required reduction. The first stage in the development of a specification for a safety function is the determination of the functional requirements and safety integrity requirement. The functional requirement is a precise description of the action required to achieve the necessary reduction. The safety integrity requirement is is a measure of the likelihood that the required function will be successfully carried out. These requirements are, in principle, determined before the safety functions are allocated to the various types of safety related system or reduction facilities. The safety integrity requirement of a safety function is determined by the reduction which is effected by the safety function and may be derived using either quantitative or qualitative techniques. Having determined the safety integrity requirements for the safety functions, they are then allocated to the E/E/PES safetyrelated systems, other technology safety related systems and external reduction facilities in such a way that the required reduction is achieved for each hazard. This process results in target performance measures for all the types of safety-related system and reduction facilities used. However, IEC 61508 only specifies requirements for E/E/PE safety-related systems and it is therefore assumed that techniques for the implementation of other technology safety-related systems and external reduction facilities (to achieve the safety integrity requirements which have been allocated to those systems) are available elsewhere. For those safety functions which are allocated to E/E/PES safety-related systems, the standard defines 4 safety integrity levels (SILs). This approach allows the grading, according to the required reduction, of the measures and techniques recommended by the standard for the avoidance and control of systematic faults. Also, IEC 61508 defines a range of target failure probabilities for each SIL, see Table 1. These form the targets for the quantified reliability requirements of the safety functions. There are 2 basic types of safety functions - those which operate on demand and those which operate continuously. LOW DEMAND MODE SAFETY FUNCTIONS An example of an on demand safety function is a trip which operates to take some action, for example, closing a feed valve, when some process variable, for example, pressure in a vessel, exceeds some set limit. The target failure measure for a demand mode safety function is the probability of failure on demand (PFD). A demand mode safety function typically provides the required reduction by reducing the frequency of a hazardous event whist maintaining the same consequence. In such circumstances the required reduction can readily be quantified: Risk in the absence of the safety function, R np = F np. C (1) Tolerable, R t = F t. C (2) where F np = frequency of the hazardous event with no protective safety function in place F t = tolerable frequency of the hazardous event C = consequence associated with the hazardous event 3

therefore: Required reduction factor, R = R np / R t = F np / F t (3) For a demand mode safety function: F p = PFD. F np (4) where F p = frequency of the hazardous event with the safety function in place PFD = probability of failure on demand of the safety function therefore the PFD required to achieve the necessary reduction is given by: PFD = F t / F np = 1 / R (5) The SIL of the safety function is determined according to Table 1. On this basis, the ranges of target failure probabilities relating to each SIL can also be related to ranges of reduction factors, see Table 2. In other situations a demand mode safety function may reduce the consequence of a hazardous event. An example of such a safety function is a water deluge which operates to reduce the consequences (fire and explosion) associated with a leak of some flammable liquid or gas. IEC 61508 does not provide any explicit methodology for the determination of the safety integrity level of the safety function in such circumstances. One possible approach results from the consideration that tolerable is a measure of which takes account of both the consequence and likelihood of a hazardous event. In this situation, the reduction effected by the safety function is given by: Risk reduction = F m / F u where F m = tolerable frequency of the mitigated hazardous event F u = tolerable frequency of the unmitigated hazardous event The reduction factor can then be mapped to a SIL according to Table 2. IEC 61508 regards safety functions having a demand rate of less than one per year and no greater than twice the proof test frequency as operating in the low demand mode, and the target failure measure for such safety functions is determined according to the PFD requirements of Table 1. If the demand rate exceeds 1 per year, or is greater than twice the proof test frequency, then the safety function is regarded as operating in the high demand / continuous mode and the target failure measure for the safety function is defined in terms of the probability of dangerous failure per hour, according to Table 3. HIGH DEMAND / CONTINUOUS MODE SAFETY FUNCTIONS An example of a truly continuous mode safety function would be a temperature control loop which is required to maintain temperature at all times below some upper limit. Examples of such safety functions are rare in process applications, where safety functions typically operate 4

as trips on demand. However, as outlined above, IEC 61508 also treats demand mode safety functions which operate with a demand rate greater than 1 per year, or greater than twice the proof test frequency as operating in the high demand / continuous mode. The concept of reduction is of limited value in determining the safety integrity requirements of such safety functions. Instead, the target failure measure may be determined directly by the tolerable frequency of the hazardous event which is being mitigated by the safety function. This is expressed in terms of the probability of dangerous failure per unit time, T (e.g. dangerous failures per hour). This is equivalent to the dangerous failure rate (λ) of the safety function provided that λτ << 1. Again, ΙΕC 61508 defines 4 levels of safety integrity for safety functions implemented in E/E/PE safety-related systems, see Table 3. Process Safety Time Where a continuous / high demand safety function relies on a single channel system (that is, a system having no redundancy), then IEC 61508 requires that the diagnostic tests within the E/E/PE safety-related system are able to detect faults quickly enough to allow action to be taken to achieve a safe state (e.g. shut-down of the process) before any fault in the process or the process control system could lead to a hazardous event. The process safety time is defined by IEC 61508 as the period of time between a failure occurring in the EUC or the EUC control system and the hazardous event if the safety function is not performed. CONCLUSIONS The effective application of IEC 61508 requires a fundamental understanding of the process and process control system and the associated hazards and s in order to derive the safety requirements for E/E/PE safety-related systems. The methodology requires that the reduction provided by safety-related systems or protection measures of other technologies is taken into account and that safety functions allocated to E/E/PE safety-related systems are specified in terms of both functionality and safety integrity levels. IEC 61508 requires that the safety integrity level of a safety function be determined by the reduction required to achieve tolerable. The reduction may be achieved by either the reduction in frequency of the hazardous event, or by a reduction in the consequence, or a combination of both. Safety functions may operate in the low demand mode (typical for a protection system) or in the high demand / continuous mode. In the case of the latter, knowledge of the process safety time is necessary in order to allow the effective application of fault detection diagnostics. REFERENCES 1. IEC 61508 - Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems, IEC, Geneva, 1998 2. Health & Safety Executive, 1999, Reducing Risks Protecting People (Discussion document) 3. Center for Chemical Process Safety of the American Institute of Chemical Engineering, guidelines for the Safe Automation of Chemical Process, ISBN 0-8969-0554-1, 1993 5

Figure 1 Risk terminology Actual reduction Necessary reduction Consequence EUC Risk Tolerable Residual Broadly acceptable Tolerable Intolerable Frequency Residual Tolerable EUC Necessary reduction Increasing Actual reduction Partial covered by other technology safety-related systems Partial covered by E/E/PE safety-related systems Partial covered by external reduction facilities Risk reduction achieved by all safety-related systems and external reduction facilities Figure 2 Risk reduction concepts 6

Safety Integrity Level of the Safety Function Probability of Failure on demand (PFD) of the Safety Function 4 10-5 to < 10-4 3 10-4 to < 10-3 2 10-3 to < 10-2 1 10-2 to < 10-1 Table 1 Target Failure Measures for Demand Mode Safety Functions Safety Integrity Level of the Safety Function Risk Reduction Factors 4 10 4 to < 10 5 3 10 3 to < 10 4 2 10 2 to < 10 3 1 10 to < 10 2 Table 2 Risk Reduction Factors of Safety Functions Safety Integrity Level of the Safety Function Probability of Dangerous Failure per hour 4 10-9 to < 10-10 3 10-7 to < 10-9 2 10-6 to < 10-7 1 10-5 to < 10-6 Table 3 Target Failure Measures for Continuous / High Demand Safety Functions 7

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback