determing sil level

7/27/2019 Determing SIL Level

1/86

Determining the SIL level of a SafetyInstrumented Function (SIF)

Website: www.gmintsrl.com

Email: [email protected]

SIL


2/86

2

Standard Definitions

IEC 61508 Title: Standard for Functional Safety of Electrical / Electronic /Programmable Electronic Safety-Related System

IEC 61508 was conceived to define and harmonize a methodto reduce risks for human beings and/or reduce valuable loss for allindustrial and non industrial environments.

IEC 61511 Title: Safety Instrumented Systems for the Process Industry

IEC 61511 was developed as a Process Sector implementation of IEC 61508

Following the above standard is the minimum necessary condition to obtain plantsafety. However this, alone, does not guarantee that the process will be safe.

NOT implementing these safety standards will certainly lead to an UNSAFEprocess.


3/86

What is Safety?

Freedom from unacceptable risks


4/86

Safety Integrity Levels IEC 61508


5/86

Risk Reduction

Frequency of accidents w ithout protection 1RRF =

Frequency of tolerable accidents PFDavg=


6/86


7/86

A.L.A.R.P.


8/86

Hazardous Operative Analysis (HAZOP)

Debutanizer Column Node: Reboiler Section

Required SIFs are usually indicated in the P&ID (Piping and Instrumentation Diagrams)or in the PFD (Process Flow Diagram).


9/86

Layer Of Protection Analysis (LOPA)

Figure 72, Sample Process for LOPA Example

Figure 73, Event tree for LOPA example

Hexane

Storage

Tank

PSV

LV

LC

Next

process

Dike

BPCS loop

failureDike Probability of ignition

Probability of personnel

in areaProbability of fatality

No significant event

Success

P=0.99 No significant event

P=0.1 No P=0Fire

Failure P=0.01 No P=0.5Fire, no fatality

Yes P=1.0 No P=0.5

Yes P=0.5 Fire with fatality

Yes P=0.5


10/86

Layer Of Protection Analysis (LOPA)LOPA WORKSHEET

Scenario Number Equipment Number Scenario Title: Hexane Surge Tank Overflow.

Spill not contained by the dike

Date Description Probability Frequency (per year)

Consequence

Description/Category

Release of hexane outside the dike due to tank

overflow and failure of dike with potential for

ignition and fatality

Risk tolerance Criteria(Category or Frequency)

Maximum tolerable risk of serious fire

Maximum tolerable risk of fatal injury

< 1 x 10-4

< 1 x 10-5

Initiating Event

(typically a frequency)

BPCS loop failure 1 x 10-1

Enabling Event or Condition N/A

Conditional Modifiers (if applicable)

Probability of ignition 1

Probability of personnel in area 0.5

Probability of fatal injury 0.5

Other N/A

Frequency of unmitigated consequence 2.5 x 10-2

Independent Protection Layers

Dike (existing) 1 x 10-2

Safeguards (non-IPLs)

Human action not an IPL as it depends upon

BPCS generated alarm.

(BPCS failure considered as initiating event)

Total PFD for all IPLs 1 x 10-2

Frequency of Mitigated Consequence 2.5 x 10-4

Risk Tolerance Criteria Met? (Yes/No): No. SIF required

Action required: Add SIF with PFD of at least 4 x 10-2 (Risk Reduction Factor > 25) Responsible Group / Person: Engineering / J.Q.

Public, by July 2005 Maintain dike as an IPL (inspection, maintenance, etc)

Notes: Add action items to action tracking database


11/86

Benefits Vs. Costs in the ALARP blue Zone

NO SIS NO SIS SIS SIS

SIS NT

F EV F EVBenefits=

Costs COST COST

+

Where: B-C ratio : The ratio of benefits to costs FNO-SIS : Frequency of the unwanted event without a SIS. EVNO-SIS : Total expected value of loss of the event without aSIS.

FSIS : Frequency of the unwanted event with a SIS. EVSIS : Total expected value of loss of the event with a SIS. COSTSIS : Total lifecycle cost of the SIS (annualized). COSTNT : Cost incurred due to nuisance trip (annualized)

Example:A SIS is being installed to prevent a fire that will cost the company $1,000,000.The frequency prior to application of SIS has been calculated in one every 10 years.

After SIS installation the expected frequency is one every 1000 years,and its annualized cost is approximately $66.000.Cost for nuisance trip is negligible, being F&G normally de-energized.What is the benefit-to-cost ratio for the F&G project?The Benefits/Costs relation will be:

A benefit-to-cost ratio of 1.5 means that for every $1 of investment the plant owner can expect $1.5 in return.

1 1

Benefits = ( 1000000) - ( 1000000) = 9900010 1000

Costs = (66000 + 0) = 66000

Benefits 99000= = 1.5

Costs 66000


12/86

Risk Reduction with Protection Layers


13/86

Layers of Protection


14/86

Risk Protection Balance

The Risk Must be balanced by the Protection Layers

(Optimal Safety Balance)

1 2 3 4

RISK

1. Plant, Process and Environment

PREVENTION

2. DCS

3. SIS / ESD

4. Physical Protections


15/86

MTBF

MTTF is an indication of theaverage successful operating timeof a device (system) before afailure in any mode.

MTBF: Mean Time Between FailuresMTBF = MTTF + MTTRMTTF = MTBF - MTTRMTTR: Mean Time To Repair

Since (MTBF >> MTTR)MTBF MTTF

(very close in values)


16/86

Availability

99,999101000000

99,9910100000

99,91010000

99101000

Availability (%)Repair time (Hrs)Availability time (hrs)

What does an availability of 99,99% for a specific component orsystem really stand for? That the component or system could stopworking one time ..

.. every month with a repair time of 4.3 minutes.

.. every year with a repair time of 53 minutes.

.. every 10 years with a repair time of 8.8 hours.


17/86

MTBF and Failure Rate

Failures per unit timeFailure Rate = =

Number of components exposed to functional failure

1MTBF =

Successful Unsuccessful

UNRELIABILITY

UNAVAILABILITY

RELIABILITYAVAILABILITY

MTTRMTTF

Venn Diagram: Reliability-Unreliability;

Availability-Unreliabili ty and relations with MTTF and MTTR


18/86

MTBF and Failure Rate

Relation between MTBF and Failure Rate

Failure per unit time 1

= ----------------------------- = ------------

Quantity Exposed MTBF

1 Quantity ExposedMTBF = ------ = ----------------------------

Failure per unit time


19/86

MTBF - Example

Instantaneous failure rate is commonly used as measure of reliability.

Eg. 300 Isolators have been operating for 10 years. 3 failures haveoccurred. The average failure rate of the isolators is:

Failure per unit time 3 = ------------------------------- = ----------------- =

Quantity Exposed 300*10*8760

= 0.0000000115 per hour = 0.001 per year= 11,5 FIT (Failure per billion hours) =

= 11,5 probabilities of failure in one billion hours.= 0.001 probability of failure per year

MTBF = 1 / = 1000 years (for constant failure rate)


20/86

FIT

Failure In Time is the number of failures per

one billion device hours.

1 FIT == 1 Failure in 109 hours

= 10-9

Failures per hour


21/86

Failure Rate Categories

0,8 mA

20 mA

4 mA

du

dd/sd

su

du

dd/sd

Example for a 4-20 mA signal

tot = safe + dangerous s = sd + su

d = dd + du tot = sd + su + dd + du

Where:

sd = Safe detectedsu = Safe undetecteddd = Dangerous detecteddu = Dangerous undetected

tot = safe + dangerous(MTBF = MTBFs + MTBFd) safe: spurious trip (nuisance trip) dangerous: safety trip


22/86

Example of FMEDA Analysis

FailureModes

EffectsDiagnostic

Analysis


23/86

D1014 SIL 3Analysis

D1014 module

Isolated Hart compatible

Repeater power supply


24/86

Safe Failure Fraction (SFF)

Type A components are described as simpledevices with well-known failure modes and asolid history of operation.

Type B devices are complex components withpotentially unknown failure modes, e.g.microprocessors, ASICs, etc.

DD SD SU

DD DU SD SU

DU

DD DU SD SU

+ + SFF = =

+ + +

= 1- + + +


25/86

System architectures


26/86

PFDavg simplified equations


27/86

Common fault / Beta Factor

For redundant subsystems using electroniccomponents, the value of ranges from 1%

to 10 %.

The second term of the equations is thePFDavg value contribution due to the factor, derived from the 1oo1 architecture.

Example:du = 0.01 / yr; TI = 1 yr; = 0.05

For 1oo2 the equation is:

Example:du = 0.01 / yr; TI = 1 yr; = 0.05

For 1oo2 the equation is:( ) ( ) ( )

[ ] ( )

2

2

1 113 2

1 10 95 0 01 0 05 0 01 1

3 2

0 00003 0 00025 0 00028

DU DUTI TI

. . . .

. . . / yr

+ =

= + =

= + =


28/86

Considerations on Factor

Comparisons using different values of factor:

Considerations:

The value 0.00003 is 166.6 times lower than 0.005.

The value 0.000082 is 61 times lower than 0.005.

The value 0.00028 is 17.8 times lower than 0.005.

The value 0.000527 is 9.48 times lower than 0.005. Without factor the PFDavg, of 1oo2 architecture, is 166.6 times better than PFDavg value of 1oo1 architecture.

With 1% factor the PFDavg, of 1oo2 architecture, is 61 times better than PFDavg value of 1oo1 architecture.

With 5% factor the PFDavg, of 1oo2 architecture, is 17.8 times better than PFDavg value of 1oo1 architecture.

With 10% factor the PFDavg, of 1oo2 architecture, is 9.48 time better than PFDavg value of 1oo1 architecture.


29/86

PFDavg 1oo1 Calculation

Equation for 1oo1 loop

Where:

RT = repair time in hours (conventionally 8 hours)

T1 = T proof test, time between circuit functional tests (1-5-10 years)

dd = failure rate for detected dangerous failures

du = failure rate for undetected dangerous failures


30/86

PFD Versus T- proof time interval (TI)

PFD degrades in time.

The probability of failure of any equipment (therefore the PFD of a SIF)increases with time (linearly for constant failure rate).


31/86

How PFD changes in time

Since PFD increases with time, its value can be kept undercontrol by actuating maintenance proof tests at certain time

intervals. A periodic test at T-proof interval (as specified by the

manufacturer), is capable of identifying any non directly

detectable failure mechanisms in the equipment (dangerousundetected failures);Note: The grade of the test effectiveness affects the value towhich the PFDavg is set afterwards.

The grade of the test effectiveness affects the value to whichthe PFDavg is set afterwards.


32/86

How PFD changes in time

If the effectiveness is (99-100%) the equipment can be considered asnew, from a probability of failure point of view, if it is lower then 100%(70-80-90%), then the SIL level could expire and not reach the required

SIL level.


33/86

Periodic test for D1014 50%


34/86

Periodic test for D1014 99%


35/86

PFDavg weight in SIF

Each subsystems PFDavg has apercentage value in relation tothe total.

Component manufacturers list, intheir functional safety manual,the value of PFDavg obtained byauthorized certification bodieslike TUV, EXIDA, FM, etc.

These bodies apply aconventional weighing of thePFDavg of the component inconsequence of the importance

that it has in the entire loop, asreported in the following Table:20%

10%

25%

35%

10%

TX

Barrier

PLC

Valve

PS


36/86

Safety Instrumented Systems (SIS)

A simple SIS, with one logicsolver, is a safety function as

shown in the picture.

A SIS is made up of multipleSIFs: one for each potentiallydangerous condition.

Its objective is to collect andanalyzes data information fromsensors to determine if adangerous condition occurs, andconsequently to start a shutdown

sequence to bring the process toa safe state.

A potentially dangerouscondition is called "demand.


37/86

The majority of SIS are based on the concept of de-energizing to trip.In normal working conditions input and output are energized(F&G systems are the opposite)

For each SIF, the required Risk Reduction Factor (RRF) is determined.

IEC 61508 and IEC 61511,

recognized Standards,

cover in detail these safety aspects.

Safety Instrumented Systems (SIS)


38/86

PFDavg 1oo1 Calculation

Equation for 1oo1 loop

Where:

RT = repair time in hours (conventionally 8 hours)

T1 = T proof test, time between circuit functional tests (1-5-10 years)

dd = failure rate for detected dangerous failures

du = failure rate for undetected dangerous failures


39/86

Loop PFDavg calculation

If T1 = 1 year then

but being dd * 8 far smaller than du * 4380


40/86

SIF Example

Calculate values of MTBF, PFDavg, RRFfor a possible SIL level of the following SIF.

These values are given by the manufacturers:Tx: MTBF = 102 yrs; DU = 0,00080 / yr; DD = 0,0010 / yr; S = 0,00800 / yrBarrier: MTBF = 314 yrs; DU = 0,00019 / yr; DD = 0,0014 / yr; S = 0,00159 / yrPLC: MTBF = 685 yrs; DU = 0,00001 / yr; DD = 0,0001 / yr; S = 0,00135 / yrSupply: MTBF = 167 yrs; DU = 0,00070 / yr; DD = 0,0000 / yr; S = 0,00530 / yr

Valve: MTBF = 12 yrs; DU = 0,02183 / yr; DD = 0,0200 / yr; S = 0,00400 / yr

S t bl f SIL 1


41/86

Summary table for SIL 1

SIL 1-85100 %0.0117650.023530.02250.05774170.1037

710

Total(SIF)

SIL 388.3 %28572.97 %0.0003500.000700.00000.005301890.00600167PowerSupply

SIL 273.8 %9292.87 %0.0109150.021830.02000.04150240.0833312Valve

SIL 399.3 %2000000.04 %0.0000050.000010.00010.001357410.00146685PLC

SIL 394.0 %105260.81 %0.0000950.000190.00140.001596290.00318314BarrierD1014S

SIL 291.8 %25003.40 %0.0004000.000800.00100.008001250.00980102Tx

SILLevel

SFFRRF =

1/PFDavg

% of totalPFDavg

PFDavg1oo1 =DU/2

DU

/ yrDD

/ yrS

/ yrMTBFs=1/ S (yr)

/ yr =1/MTBF

MTBF

(yr)

Sub-system

S f S


42/86

Summary table for SIL 2

SIL 2-225100 %0.0044520.008900.009100.02994330.0479421Total(SIF)

SIL 388.3 %28577.86 %0.0003500.000700.00000.005301890.00600167Power

Supply

SIL 273.8 %27880.91 %0.0036020.007200.00660.01370730.0275036Valve

4 MonthsTProof

SIL 399.3 %2000000.11 %0.0000050.000010.00010.001357410.00146685PLC

SIL 394.0 %105262.13 %0.0000950.000190.00140.001596290.00318314BarrierD1014S

SIL 291.8 %25008.98 %0.0004000.000800.00100.008001250.00980102Tx

SILLevel

SFFRRF =

1/PFDavg

% oftotal

PFDavg

PFDavg1oo1 =DU/2

DU

/ yrDD

/ yrS

/ yrMTBFs=1/ S (yr)

=1/MTBFper yr

MTBF

(yr)

Sub-system

SIF PFD f t ti


43/86

SIFs PFDavg confrontation

SIL 1 SIL 2

80,91%

8,98%

7,86%

2,13%

0,11%

92,87%

3,40%

2,97%

0,81%

0,04%

TXBarrier

PLCValve

PS

T f t bl f SIL 2 SIF


44/86

T-proof table for SIL 2 SIF

Since the SIF has a safety integrity level SIL 2 the periodicproof tests can be performed according to the following

table:

4 monthsValve

20 yrsPLC

10 yrsBarrier

1 yrsTransmitterT-proof test time intervalSubsystem

2nd SIF E l


45/86

2nd SIF Example




Considering the same data used in the 1oo2 architecture as

in the first example but introducing a factor of 5% (0.05)on redundant sub-systems.

T bl 1 2


46/86

Table 1oo2

SIL 3-8.513600.0007352817850.011765Total (SIF)

SIL 388.3 %94.3566700.0000176518928570.000350Power

Supply *

SIL 373.8 %1214540.0006876824920.010915Valve

1 year T-Proof

SIL 399.3 %7412000000.000005007412000000.000005PLC

SIL 494.0 %314.42100510.00000476629105260.000095Barrier

D1014D *

SIL 391.8 %62.5495280.0000201912525000.000400Tx *

SILLevel

SFFMTBFs1oo2

RRF1oo2

PFDavg1oo2[1]

MTBFs1oo1

RRF1oo1

PFDavg1oo1

Subsystem

S t bl 1 2


47/86

Summary table 1oo2

Note 1:

The Table highlights advantages of 1oo2 system architecture on 1oo1.Safety integrity level of the SIF has moved from SIL 1 to SIL 3 maintaining the same

T-proof test time interval of 1 year.

Note 2:

Using such system configuration, the risk reduction factor is highly increased. If aSIL 2 level is required instead of SIL 3, it would be possible to extend the T-proof

test time interval (TI).

SIL 21360.0073527551oo2|TI=10

SIL 22720.0036763771oo2|TI=5

SIL 24530.002205821oo2|TI=3

SIL 313600.000735281oo2|TI=1

Max SIL LevelRRFPFDavg 1oo2System

Table 10a shows how the 1oo2 SIFwould change for TI = 3, 5 &10 years.

Table 1oo2 only Final Element


48/86

Table 1oo2 only Final Element

SIL 2-108290.0012053317850.011765Total (SIF)

SIL 288.3 %189566700.0000176518928570.000350Power

Supply

SIL 373.8 %1214540.0006876824920.010915Valve

1 yr T-proof

SIL 399.3 %7412000000.0000057412000000.000005PLC

SIL 394.0 %629105260.000095629105260.000095Barrier

D1014D

SIL 291.8 %12525000.00040012525000.000400Tx

SIL LevelSFFMTBFsRRFPFDavg

1oo2 (Valve Only)

MTBFs

1oo1

RRF

1oo1

PFDavg

1oo1Subsystem

PLC Channel 1

Inputcircuit

Logic Solvercommoncircuits

Outputcircuit

+

_

Finalelement

Finalelement

Tx 1

ISBarrierCh. 1

The valves redundancyallows the SIF to reach SIL 2

level with a more thansatisfactory RRF value.

Consideration 1oo2 only Final Element


49/86

Adding a redundant valve; Supposing a factor of5%, the RFF is =1454.

The PFDavg value is now 1/1454 = 0.00068 and fora test proof time interval or 1 year (SIL 3).

The SIL value of the total SIF becomes 0.0012 with

RRF = 829.

Considerations:

Adjusting the T-proof time and the redundancy offinal element it is possible to obtain a better SIL levelof the SIF, and even to advance it to SIL 3.

Consideration 1oo2 only Final Element

Summary table 1oo2 Final Element


50/86

Summary table 1oo2 Final Element

Note 1:

The Table highlights advantages of 1oo2 system architecture of the final element.

Safety integrity level of the SIF has moved from SIL 1 to a good SIL 2 maintainingthe same T-proof test time interval of 1 year.

SIL 1820. 01205331oo2|TI=10

SIL 21650.006026651oo2|TI=5

SIL 22760.003615991oo2|TI=3

SIL 28290.001205331oo2|TI=1


Table 10b shows how the 1oo2 FinalElement SIF would change for TI = 3,

5 & 10 years.

3rd SIF Example


51/86

3rd SIF Example




Considering the same data used in the 2oo3 architecture as

in the first example but introducing a factor of 5% (0.05)on redundant sub-systems.

Table 2oo3


52/86

Table 2oo3

Summary table 2oo3


53/86

Summary table 2oo3

Note 1:

The advantages of 2oo3 system architecture on 1oo1 are different then thoseobtained with a 1oo2.

Safety integrity level of the SIF has in fact moved from SIL 1 to SIL 2 maintainingthe same T-proof test time interval of 1 year.The very high value of RRF shows that SIL 2 can be easily maintained evenwith longer TI intervals.

Note 2:

Using such system configuration, the risk reduction factor is highly increased. If aSIL 2 level is required instead of SIL 3, it would be possible to extend the T-prooftest time interval (TI).

SIL 1800. 01024142oo3|TI=10

SIL 21950.00512072oo3|TI=5

SIL 23250.003072422oo3|TI=3

SIL 29760.001024142oo3|TI=1


Table 10c shows how the 2oo3 SIFwould change for TI = 3, 5 &10 years.

Comparison between System Architectures


54/86

Redundant Architecture IncreaseSIL level

2oo3 Architecture is primarilyjustified due to the MTBFs highvalue

This means that production willalmost never not be interrupted byspurious/nuisance trips

1oo2 Architecture is simpler, costeffective and with a slightly betterRRF.

But the MTBFs is very poor

Choice is also to be madeconsidering possible T-proof time

SIF

Architecture

MTBFS

(yr)PFDavg RRF

Max.

SIL Level

1oo1 170.01176

585 SIL 1

1oo2 8.50.00073

51360 SIL 3

2oo3 555460.00102

4976 SIL 2

Table 13, Comparison between systemarchitectures

Comparison between System Architectures

Comparison tables for PFDavg values


55/86

in different system architectures

Architecture du/yr PFDavg RRFPossible

SIL level

1oo1 0.01 0.005900000 169 SIL 2

1oo2 0.01 0.000042350 23613 SIL 4

2oo2 0.01 0.010900000 92 SIL 1

2oo3 0.01 0.000127049 7871 SIL 3


SIL level

1oo1 0.01 0.015300000 65 SIL 1

1oo2 0.01 0.000309005 3236 SIL 3

2oo2 0.01 0.030300000 33 SIL 1

2oo3 0.01 0.000927016 1079 SIL 3


SIL level

1oo1 0.01 0.025180 39 SIL 1

1oo2 0.01 0.000842 1187 SIL 3

2oo2 0.01 0.050180 20 SIL 1

2oo3 0.01 0.002527 396 SIL 2


SIL level

1oo1 0.01 0.050090 20 SIL 1

1oo2 0.01 0.003342 299 SIL 2

2oo2 0.01 0.100090 10 SIL 0

2oo3 0.01 0.010027 99 SIL 1

Table 14, TI = 1 yr, TD = 0.0009 yr(8 hrs)




4th SIF Example


56/86

4 SIF Example

Calculate SIL Level for a SIF with two Emergency StopSwitches and a Safety Relay

Object:Calculate, and select components for a SIL 3 SIF with:

Two Emergency Stop Switches with 2 NC contacts.

Using = 5% for the two redundant NC contacts of the Switch. In conjunction with a SIL 3 Safety Relay. With a T-proof time of 10 yrs & NE load conditions, (de-energize to trip).

24 Vdc. supply voltage.

4th SIF Example


57/86

4 SIF Example

Standards Considerations

An electromechanical component, like a Emergency Stop Switch, is usually

not classified, or certified, according IEC 61508 Standards.More typically: IEC 60300-3-5 and IEC 61649.According to these standards to determine d (probability of dangerousfailures per hours) it is necessary to use the B10 value.B10 is the average time, or number of cycles, required to fail 10% of the

components under test. A typical value could be 500.000 cycles

The formula to be used is:

d = 0.1 x fm / B10

Where fm is the frequency of use, for the specific application, per hours.

In case of an Emergency Stop Switch we estimate 10 times per year;

Hence, 10 time in 10.000 hours equal to 0.001.

4th SIF Example


58/86

4 SIF Example

Calculation ofd: d = 0.1 x fm / B10

d = 0.0001 / 500000 = 0.0000000002 per hr = 0.000002 per yr

d for 10 years is = 0.00002

PFDavg for 10 years is 0.00001 for a single contact.

(PFDavg = d/2)

Using two contacts connected in series, with factor of 5%

PFDavg for 10 years is 0.00001 x 0.05 = 0.0000005

(Simplified factor formula PFDavg x )

4th SIF Example


59/86

4 SIF Example

Basic calculation Formula:

PFDavg = 0.5 du per year

[PFDavg]10 = 5 du per 10 yrsRRF = 1/ PFDavg.

[PFDavg]10 1oo2 / factor 5% +/- = [PFDavg]10 x 0.05

SIL 383330.000120.000260.000026Total SIF

SIL 333.3330.000030.000060.000006PSD12101 + 1 spare module

SIL 314.2850.000070.000160.000016D1092S SIL 3 relay

SIL 3100.0000.000010.000020.000002Safety SW2

SIL 3100.0000.000010.000020.000002Safety SW1

SIL levelper 10 yrs

RRFPFDavgper 10 yrs

[du ]per 10 yrs

duper yr

Components

4th SIF Example


60/86

p

We have made the following consideration for the calculation:

B10 Value 500.000 Cycles.

NC, Heavy duty, Gold plated and Sealed contacts. 50 mA constant current provided by SIL relay; To keep contacts clean.

SIL relay value from TUV certification.

Beta Factor 5 %

Life Time 10 Years

PFDavg: Equations and examples


61/86

g q p

For each component of the SIF, when the effectiveness of periodic proof test to reveal dangerous failures, is100%, the PFDavg simplified equation, is:

when the effectiveness is not 100%, the PFDavg simplified equation is:

where:Et: periodic testing effectiveness to reveal dangerous failures (e.g. 90%)

SL: system, or component, test proof interval with 99-100% effectiveness, or between two completereplacement of the device, or the lifetime of the system, or device, if it will never fully tested orreplaced.

for TI = 1 yr and SL = 12 years, the PFDavg simplified equation is:

DU

TIPFDavg =

2

DU DU

TI SLPFDavg = (Et ) + (1- Et)

2 2

DUDUTI=1,SL=12

12PFDavg =(Et )+ (1-Et)

2 2



62/86

DUDUTI=1,SL=12

12PFDavg = (Et ) + (1- Et)

2 2

Example a:

du = 0,01 / yrTI = 1 yrEt = 90% = 0,9SL = 12 yr

At installation:

PFDavg = 0,01 / 2 = 0,005RRF = 1 / PFDavg = 1 / 0,005 = 200

After one year:PFDavg = (0,9 x 0,01 / 2) + (0,1 x 0,01 x 6 ) = 0,0105RRF = 1 / PFDavg = 1 / 0,0105 = 95

Note: after one year (or after each periodic test) SIL 2 level has become SIL 1.



63/86

g q p

DUDUTI=1,SL=12


2 2

Example b:

du = 0,01 / yrTI = 1 yr

Et = 99% = 0,99SL = 12 yrs

After one year:

PFDavg = (0,99 x 0,01 / 2) + (0,01 x 0,01 x 6) = 0,0056

RRF = 1 / PFDavg = 1 / 0,006 = 178Note: after one year (or after each periodic test interval)

SIL2 level is still maintained.



64/86

DUDUTI=1,SL=12


2 2

Example c:

du = 0,01 / yrTI = 1 yr

Et = 50% = 0,5SL = 12 yrs

After one year:

PFDavg = (0,5 x 0,01 / 2) + (0,5 x 0,01 x 6) = 0,0325


SIL2 become SIL 1



65/86

DUDUTI=1,SL=12


2 2

Example c:

du = 0,01 / yrTI = 1 yr

Et = 50% = 0,5SL = 3 yrs

After one year:

PFDavg = (0,5 x 0,01 / 2) + (0,5 x 0,01 x 1,5) = 0,01


SIL2 remain at its minimum level

Test interval duration influence on PFDavg


66/86

To test a safety system online (e.g. while theprocess is still running), a portion of the safetysystem must be placed in bypass in order toprevent nuisance trips. The length of the manualproof test duration can have a significant impact

on the overall performance of a safety system.

During the test, a simplex 1oo1 system must betaken offline. Its availability during the test istherefore zero. Redundant systems , however,

do not have to be completely placed in bypassfor testing. One leg, or slice, or a dual redundantsystem can be place in bypass at a time.

Indeed a dual system is reduced to simplex

during a test, and a triplicate system is reducedto dual.

DU

TIPFDavg =

2

DU

TI TDPFDavg = +

2 TI

Test interval duration influence on PFDavg


67/86

Example c:

du = 0,002 / yrTI = 1 yrTD = 8 hrs (time interval)PFDavg = 0,001 + 0,0009 = 0,0019;RRF = 1/ 0,0019 = 526(useful forSIL 2 level)

Example d:

du = 0,002 / yrTI = 1 yrTD = 96 hrsPFDavg = 0,001 + 0,01 = 0,011;RRF = 1/ 0,011 = 90(useful forSIL 1 level)

Note:

The combination of both, effectiveness and test duration, brings to thefollowing PFDavg equation for a 1oo1 architecture.

DU

TIPFDavg =

2

DUDUTI=1,SL=12

12PFDavg = (Et ) + (1- Et)

2 2

DU DU

TD SLPFDavg = (Et ) + + (1- Et) 2 TI 2

DU

TI TDPFDavg = +

2 TI

True or False?


68/86

SIL rating does not change in time.

FALSE!

SIL integrity levels depend on the probability of failurewhich increases with time.

True or False?


69/86

Safety Manual must be provided

by the component manufacturer.

TRUE!Safety Manual is an integral document to the SIL

rating of any component. It defines the assumption

behind the certification and the conditions of the SILrating as well as provide proper maintenanceinformation.

True or False?


70/86

Two products both claiming SIL 2 offer

the same level of safety.

FALSE!

1) PFDavg or RRF value of a SIL level ranges in a factor of 10.Example: SIL 2 means from RRF = 100 to 1000.

2) SIL ratings are time related.Example: SIL 2 rating for 10 yrs differs from SIL 2 for 1 yr.

True or False?


71/86

Periodic test is required to maintain

the SIL Level.

TRUE!

Since some failures are undetected in operating conditions(dangerous undetected failures) Tests are required to

restore the SIF in as-new condition (effectiveness 100%)

Periodic Tests are essential for maintaining the SIL level.

True or False?


72/86

T-Proof Time Interval are specified by

the Plant Maintenance Personnel.

FALSE!

It is specified in the Hardware Specification and is decided bythe manufacture and verified by the certification agency.

True or False?


73/86

Component Type (A & B) are definedby the customer (User)..

FALSE!

The component class is defined by the Manufacturer.

True or False?


74/86

Shorter T-proof time intervalsimprove SIL ratings.

TRUE!

Reducing time intervals between T-proof tests decreases theprobability of failure (PFDavg) in time.

Example: SIL 1 for 1 yr may become SIL 2 for 3 months.

True or False?


75/86

PFDavg value of the SIF is thehighest of all components PFDavg

FALSE!

The PFDavg value of the safety function (SIF) is the sum ofPFDavg values of all its components (subsystems).

True or False?


76/86

SFF % and PFD both must matchthe SIF SIL Requirement .

TRUE!The SFF value of each of the SIF component mustbe within the table A or B requirement to claim a

given SIL level.

The SIF total PFD must also match that of therequired RRF

True or False?


77/86

It is possible to make software

changes without an ImpactAnalysis

FALSE!

Safety Impact Analysis must be performed for anyhardware or software change in the plant!

True or False?


78/86

SIL 3 equipment can be usefulin SIL 2 functions.

TRUE!

Using a higher SIL level than necessary allows to reducefrequency of T-proof tests and has a lower incidence on the

total PFDavg of the SIF.

Example: SIL 3 for 1 yr could become SIL 2 for 10 yrs.

True or False?


79/86

Maintenance must be considered inthe design phase.

TRUE!

A safety function under maintenance is unavailable thereforethe length of the repair time must be considered.

The improvement obtained applying redundant architecturesis temporarily lost.

True or False?


80/86

All failures have thesame effect on safety.

FALSE!

Failures can be SAFE or DANGEROUS.The first lead to a spurious trip which does not harm, but

induces a stopping of production.

The second instead will render the safety functionunavailable.

True or False?


81/86

MTBF includes time for repair.

TRUE!

MTBF = MTTF + MTTR.For most applications, MTTR is negligible therefore

MTBF MTTF.However in high demand applications,

even a few hours of unavailability are criticaland should be taken into account.

True or False?


82/86

All redundant system architecturesimprove safety.

FALSE!

Redundant Architectures have different effectson SAFE and DANGEROUS failure rates.

Example: 1oo2 improves dangerous failure ratesbut worsens safe failure rates. 2oo2 is the opposite

True or False?


83/86

Safety Manual Provides for T-Prooftest procedure but not the test

effectiveness percentage.

FALSE!

Test Effectiveness (TE) must be specified along with the

T-proof procedure and must be used in calculating recurringSIL level

True or False?


84/86

SIL level and relating RRF aredefined by HSE (Health Safety Executive)

TRUE!

A team composed of Management, Plant, Process,Instrument, Maintenance, Quality Engineers is responsible

for determining RRF factor for each SIF

True or False?


85/86

HSE Engineers have theresponsibility to maintain the SIL

level during plant life time

FALSE!

Maintenance Engineer are responsible to maintain the SIl

level as mandated by initial calculations.For SIL 2 SIFs their work must be reviewed by a separate

department. For SIL 3 or 4 SIFs by an external agency.


86/86

G.M. International S.r.l

Via San Fiorano, 70

20058 Villasanta (Milano)

ITALY

www.gmintsrl.com

[email protected]

determing sil level

Documents