Functional Safety Demystified
September 2011
Bob Weiss, Principal Consultant
Honeywell Process Solutions
[email protected]


Page 1: Functional Safety Demystified


Page 2: Functional Safety Demystified

2 HONEYWELL - CONFIDENTIAL File Number

Outline

• What is Functional Safety?
- SIS, SIF and SIL

• Standards AS IEC61508 and AS IEC61511

• An example to demonstrate compliance

• 4.5 day TÜV FSEng course in 45 minutes!

Page 3

What is Functional Safety?

• Part of overall safety: freedom from unacceptable risk

• Achieved by a Safety Instrumented System (SIS)
- E/E/PE Safety System in IEC61508
- Examples: Emergency Shutdown System, Burner Management System
- Includes field devices as well as logic solver

• A SIS places or maintains a process in a safe state
- Process = Equipment Under Control (EUC) in IEC61508
- Implements Safety Instrumented Functions (SIFs)
- Each SIF achieves a Safety Integrity Level (SIL)

• Acronyms to remember: SIS, SIF and SIL!

Page 4

Some terms: SIS, SIF and SIL

[Figure: a Safety Instrumented System (SIS) made up of a logic solver (safety PLC), its sensors (two temperature transmitters, a pressure transmitter and a flow transmitter) and its final elements (a shut-off valve with solenoid, a globe valve with solenoid and a relay in the MCC). Two Safety Instrumented Functions are traced through it, SIF 1: TZH1234 and SIF 2: PZHH1234, with Safety Integrity Levels SIL 2 and SIL 1 shown against the SIFs.]

Safety Instrumented System - SIS
Safety Instrumented Function - SIF
Safety Integrity Level - SIL

Page 5

Why Functional Safety?

• Buncefield, England, 11 Dec 2005

• Storage tank level gauge showed constant reading

• High level alarm switch jammed

• Gasoline tank overflowed

• Mist exploded
- Largest explosion in peacetime
- 20 tanks on fire
- Burned for three days
- Significant environmental impact
- Millions of pounds damage.

Page 6

Standards: IEC61508 or IEC61511?

[Figure: which standard applies to whom]
AS/IEC 61508: SIS component manufacturers, or SIL 4 applications
AS/IEC 61511: SIS integrators & users

Page 7

IEC61511 Safety Lifecycle

[Figure: IEC61511 safety lifecycle diagram. Phases as numbered in the figure:]
1 Hazard and risk analysis
2 Allocation of safety functions to protection layers
3 Safety requirements specification for the safety instrumented system
4 Design and engineering of safety instrumented system
5 Installation, commissioning and validation
6 Operation and maintenance
7 Modification
8 Decommissioning
9 Design and development of other means of risk reduction
10 Management of functional safety and functional safety assessment and auditing
11 Safety life-cycle structure and planning
Verification (unnumbered box alongside 10 and 11)

Responsibility bands across the phases: Engineering Contractor, SIS Vendor, End User

Page 8

Complying with AS IEC 61508 & AS IEC 61511

• Target SIL must be specified for each SIF based on hazard and risk analysis

• Processes for SIS throughout lifecycle must comply

• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component: field devices, logic solver, shutdown valves etc.

• Not just TÜV certification
- Though it helps!

• Not just meeting PFDavg target.

Page 9

Comply Throughout Lifecycle

• For the rest of the presentation we'll follow the SIS lifecycle

• What do we need to do to comply at each stage?

• See the following example…
- Only the main elements of compliance are covered.

Page 10

1 Hazard and Risk Analysis

• Output is a list of hazardous events with their process risk and acceptable risk.

[IEC61511 safety lifecycle diagram repeated from page 7]

Page 11

Case Study: 1 A Hazard

[P&ID: 300t LPG tank with feed pump P-1, product pump P-2, pressure relief valve PSV-1 and level controller LIC-1]

• "potential source of harm"

• 300t of Liquefied Petroleum Gas can potentially cause harm

• Hazardous Event Example: BLEVE (YouTube clip).

Page 12

Case Study: 2 HazOp

[P&ID as on page 11, now with a high level alarm (H) on LIC-1]

• Node: LPG Tank
• Guideword: HIGH LEVEL
• Consequence: High Pressure, possible tank rupture & major fire
• Existing Controls: Pressure Relief Valve (PSV-1)
• New Controls: Add High Level Alarm.

Page 13

2 Allocation of Safety Functions

• Often called SIL Analysis or SIL Determination

• Output is a list of Safety Instrumented Functions together with their required Safety Integrity Level.

[IEC61511 safety lifecycle diagram repeated from page 7]

Page 14

Case Study: 3 Design after HazOp

• Is Risk acceptable?

[P&ID as on page 12, with the high level alarm (H) on LIC-1]

Page 15

Risk

[Figure: risk matrix. Vertical axis: consequence severity (Minor, Medium, Major). Horizontal axis: likelihood of occurrence (LOW, MEDIUM, HIGH). Risk increases towards the Major / HIGH corner.]

Risk = the product of severity and likelihood

Page 16

Case Study: 4a Risk Reduction

[Figure: event sequence from hazard to consequence, with the protection layers drawn at the steps where they act]

Stage                              LPG tank example
Process under control              Level stable
Process deviation or disturbance   Control valve sticks
Process out of control             Level increasing
Hazardous situation                High pressure
Hazardous event                    Vessel fails
Impact / Consequence               300t of boiling LPG released - likely major fire and fatalities

Protection layers shown: LAH Alarm, PSV
Hazard - 300t of LPG

Page 17

Risk Analysis - Layers of Protection 1

[Figure: protection layers around the process, from the inside out: Process, Control System (BPCS), Alarm LAH, Mechanical PSV; outside them the Hazardous Event !!]

Risk Reduction:
Hazardous Situation: 1 per y
Target: 1 per 10,000 y
Required: ×10,000
Alarm LAH: ×1 !
Mechanical PSV: ×100
Only have ×100 !!

Page 18

Case Study: 4b Risk Reduction

[Figure: the event sequence from page 16 with the LZHH trip added as a further protection layer]

Stage                              LPG tank example
Process under control              Level stable
Process deviation or disturbance   Control valve sticks
Process out of control             Level increasing
Hazardous situation                High pressure
Hazardous event                    Vessel fails
Impact / Consequence               300t of boiling LPG released - likely major fire and fatalities

Protection layers shown: LAH Alarm, LZHH Trip, PSV
Hazard - 300t of LPG

Page 19

Case Study: 5 Add a SIF

[P&ID as on page 12, with high high level trip LZHH-2 and its level transmitter LZT-2 added]

• High Level Trip LZHH2 added
- Shuts off flow when High High level reached.

Page 20

SIL Determination 1 - Layers of Protection

[Figure: protection layers around the process, from the inside out: Process, Control System (BPCS), Alarm LAH, SIF LZHH, Mechanical PSV; outside them the Hazardous Event !!]

Risk Reduction:
Hazardous Situation: 1 per y
Target: 1 per 10,000 y
Required: ×10,000
Mechanical PSV: ×100
SIF LZHH: ×100 (SIL 2)

SIF must reduce risk by 10,000 / 100 = 100

Page 21

Safety Integrity Level vs. Risk Reduction

SIL   PFDavg (= 1 / RRF)    Risk Reduction Factor   Safety Availability (= 1 - PFDavg)
4     ≥ 10^-5 and < 10^-4   > 10,000                > 99.99%
3     ≥ 10^-4 and < 10^-3   1,000 - 10,000          99.9 - 99.99%
2     ≥ 10^-3 and < 10^-2   100 - 1,000             99 - 99.9%
1     ≥ 10^-2 and < 10^-1   10 - 100                90 - 99%
-     -                     ≤ 10 (Control)          -

Used later for verifying SIL achieved

Page 22

SIL is more than just PFD

• Target SIL must be specified for each SIF based on hazard and risk analysis

• Processes for SIS throughout lifecycle must comply

• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component.

Page 23

3 Safety Requirements Specification - SRS

• Defines functional and integrity requirements of SIS

• Output is set of documents ready for detail design.

[IEC61511 safety lifecycle diagram repeated from page 7]

Page 24

Cause-and-Effect Diagram

[Figure: cause-and-effect matrix. Cause columns: Tag#, Description, SIL, Instrument Range, Trip Point, Units. Effect columns: CLOSE VALVE LZV-02, CLOSE VALVE UV-03A, CLOSE VALVE UV-03B, OPEN VALVE UV-03C, Set LIC 1 to MAN, OP=0. Rows as extracted, with the X marks not recoverable per effect column:]
BS-01    Burner Loss of Flame       1   ~        ~          X X X
PSL-01   Fuel Gas Pressure Low      ~   7                   X X X
LZHH-02  LPG Tank High High Level   2   0-3500   3200 mm    2 0

• SIFs commonly documented by Cause and Effect diagrams

• Could include required SIL.

Page 25

4 Design and Engineering

• SIS vendor for logic solver

• EPC contractor or end-user for field hardware.

[IEC61511 safety lifecycle diagram repeated from page 7]

Page 26

Standards Compliance

• Target SIL must be specified for each SIF based on hazard and risk analysis

• Processes for SIS throughout lifecycle must comply

• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component.

Page 27

FS Management System - TÜV Certification

• See HPS TÜV Certificate

• Covers compliance to IEC 61508 & IEC 61511

• Periodic audits and renewal

• Need comparable processes for other phases.

[Figure: Honeywell SIS project process flowchart, from "SIS Order Received" to "Completed System Ready for Safety Validation". Phases shown: Planning, Hardware Design, Software Design, Hardware Implementation, Software Implementation, Integration. Inputs and outputs between steps include the Customer Specifications, SRS (Approved), H/W and S/W checklists, System Hardware Specification, Factory Drawings, PFD Calcs, Functional Logic (FL) Spec, Safety Manual Function Block Library, Code Walkthrough Checklist and Report, FAT and SAT Procedures, Checklists and Reports, Installation Drawings and As Builts. Steps:]
P1 Review Customer Specifications
P2 Plan Project (Execution Plan, V & V Plan, Design Plans, Document Templates)
H1 Design Hardware
H2 Order Hardware (preliminary)
H3 Verify Sys H/W Spec & Factory Dwgs
H4 Build, Deliver & Test Hardware (factory)
H5 Integrate Factory Hardware & Marshalling
H6 Hardware Pre-FAT
S1 Design Software
S2 Configure & Test Function Blocks
S3 Finalise Functional Logic Spec
S4 Verify Functional Logic Spec
S5 Configure Software on Development System
S6 Code Walkthrough
N1 Integration & Pre-FAT
N2 Factory Acceptance Test (FAT)
N3 Install Logic Solver On Site
N4 Logic Solver Site Acceptance Test (SAT)
N5 Install, Connect & Test Field Equipment & Control System (by others)
N6 Safety Validation & Commissioning (led by Customer, with Honeywell input)

Page 28

Standards Compliance

• Target SIL must be specified for each SIF based on hazard and risk analysis

• Processes for SIS throughout lifecycle must comply

• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component.

Page 29

Case Study: 6 PFD Calculation

[P&ID as on page 19, with SIF LZHH-2 marked SIL 2]

• What is the calculated PFDave for SIF LZHH2?

Page 30

Safety Integrity Level vs. PFDave

[The table from page 21 repeated (SIL; PFDavg = 1 / RRF; Risk Reduction Factor, with Control < 10; Safety Availability = 1 - PFDavg), with the PFDavg column marked "Implementation Focus"]

Page 31

Approximation to PFDave

[Figure: plot of PFD(t), the probability that the item has failed, against time t. PFD(t) rises from 0 at t = 0 and is approximated by a straight line; the PFD average is its mean over the interval.]

PFD average ≈ λDU × TI / 2

where λDU = Dangerous Undetected failure rate
TI = test interval

Remember this!

Page 32

Case Study: 6 PFD Calculation

[Figure: SIF LZHH 2 = transmitter LZT 2, logic solver, valve LZV 2]

• Test interval = 1 y

• Reliability data:
- Valve: λDU = 1/10y (= 0.1 y^-1)
- Logic solver: λDU = 1/1000y (= 0.001 y^-1)
- Sensor: λDU = 1/100y (= 0.01 y^-1)

• PFDave = λDU × TI / 2
- Valve: 0.1 × 1 / 2 = 0.05
- Logic solver: 0.001 × 1 / 2 = 0.0005
- Transmitter: 0.01 × 1 / 2 = 0.005
Total PFDave = 0.05 + 0.0005 + 0.005 = 0.0555

• Calculated SIL = 1 (PFDave range 0.01 – 0.1)

• Required SIL = 2: Not OK!

• How can this be fixed?

Page 33

Effect of Test Interval on PFDave

[Figure: two plots of PFD(t), the probability that the item has failed, against time t. Top: one test interval TI, PFD(t) rising until the test, with its average PFD marked. Bottom: the same failure rate with a much shorter interval repeated (TI TI TI TI), so PFD(t) is reset at each test and the average PFD is far lower.]

Page 34

Case Study: 7a Adjust Test Interval

[Figure: SIF LZHH 2 = transmitter LZT 2, logic solver, valve LZV 2]

• Test interval = 1 month

• Reliability data:
- Valve: λDU = 1/10y (= 0.1 y^-1)
- Logic solver: λDU = 1/1000y (= 0.001 y^-1)
- Sensor: λDU = 1/100y (= 0.01 y^-1)

• PFDave = λDU × TI / 2
- Valve: 0.1 / 12 / 2 = 0.004
- Logic solver: 0.001 / 12 / 2 = 0.00004
- Transmitter: 0.01 / 12 / 2 = 0.0004
Total PFDave = 0.004 + 0.00004 + 0.0004 = 0.00444

• Calculated SIL = 2 (PFDave range 0.001 – 0.01)

• Required SIL = 2: OK

• BUT operations object to monthly testing!

Page 35

Case Study: 7b Duplicate Block Valves

[Figure: SIF LZHH 2 = transmitter LZT 2, logic solver, two block valves LZV 2A and LZV 2B]

• Test interval = 1 year

• Reliability data:
- Valve: λDU = 1/10y (= 0.1 y^-1)
- Logic solver: λDU = 1/1000y (= 0.001 y^-1)
- Sensor: λDU = 1/100y (= 0.01 y^-1)

• For 2 valves, 1oo2 voting: PFDave = (0.1 × 1 / 2)^2 = 0.0025

• PFDave = 0.0025 + 0.0005 + 0.005 = 0.0080

• Calculated SIL = 2 (PFDave range 0.001 – 0.01)

• Required SIL = 2: OK.
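The Python below is a worked example added here, not part of the presentation: it carries the LZHH-2 case study from pages 20, 32, 34 and 35 through in code, taking the required risk reduction to a target SIL, summing the per-element PFDavg with the page 31 approximation λDU × TI / 2, and checking the achieved SIL. The 1oo2 valve pair is treated as page 35 does it (product of the two PFDs, no common-cause term); all function names are my own, and max_test_interval goes beyond the slides by inverting the formula to find the longest proof-test interval that still meets SIL 2.

```python
"""Added worked example, not from the presentation: SIL determination and
PFDavg verification for SIF LZHH-2 using the slides' approximations."""
import math

# Case study data from the slides: lambda_DU in dangerous undetected failures per year.
VALVE, LOGIC, SENSOR = 0.1, 0.001, 0.01


def required_sif_rrf(hazard_freq_per_y, target_freq_per_y, other_layers):
    """Risk reduction the SIF must supply once the other layers are credited.
    Page 20: hazard 1/y, target 1 per 10,000 y, PSV x100, alarm x1 -> 100."""
    total_required = hazard_freq_per_y / target_freq_per_y
    return total_required / math.prod(other_layers)


def target_sil(required_rrf):
    """Target SIL from the required RRF, reading the RRF column of the page 21
    table with each band's lower bound inclusive, so RRF 100 -> SIL 2 as on
    page 20 (the PFD column, read strictly, would put 1/100 in SIL 1)."""
    for rrf_min, sil in ((10_000, 4), (1_000, 3), (100, 2), (10, 1)):
        if required_rrf >= rrf_min:
            return sil
    return 0  # below x10: ordinary control, no SIL claim


def achieved_sil(pfd_avg):
    """SIL achieved by a calculated PFDavg: band lower bound inclusive, upper
    bound exclusive, as in the PFDavg column of the page 21 table."""
    if pfd_avg >= 0.1:
        return 0  # worse than SIL 1
    for upper, sil in ((1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)):
        if pfd_avg < upper:
            return sil  # values below 1e-5 are capped at SIL 4


def pfd_1oo1(lambda_du, ti):
    """Page 31 approximation for a single element: PFDavg = lambda_DU * TI / 2."""
    return lambda_du * ti / 2


def pfd_1oo2(lambda_du, ti):
    """Two identical elements voted 1oo2, as page 35 does it: the product of the
    two single-element PFDs. This assumes independent failures; a real
    assessment adds a common-cause (beta-factor) term, which is omitted here."""
    return pfd_1oo1(lambda_du, ti) ** 2


def sif_pfd(elements, ti):
    """Total PFDavg of a loop: sum over (name, lambda_DU per year, voting)."""
    calc = {"1oo1": pfd_1oo1, "1oo2": pfd_1oo2}
    return sum(calc[voting](lam, ti) for _name, lam, voting in elements)


def max_test_interval(target_pfd, lambda_dus):
    """Longest proof-test interval (years) for which a loop of 1oo1 elements stays
    below target_pfd: inverts PFDavg = TI / 2 * sum(lambda_DU). This goes beyond
    the slides, which only try 1 year and 1 month; use a TI just under the result."""
    return 2 * target_pfd / sum(lambda_dus)


def case_study():
    """Figures from pages 20, 32, 34 and 35 (unrounded, so the monthly total is
    0.004625 rather than the slide's per-element-rounded 0.00444)."""
    rrf = required_sif_rrf(1.0, 1 / 10_000, other_layers=[100, 1])
    single = [("LZT-2", SENSOR, "1oo1"), ("logic solver", LOGIC, "1oo1"),
              ("LZV-2", VALVE, "1oo1")]
    dual = [("LZT-2", SENSOR, "1oo1"), ("logic solver", LOGIC, "1oo1"),
            ("LZV-2A/2B", VALVE, "1oo2")]
    yearly = sif_pfd(single, ti=1.0)
    monthly = sif_pfd(single, ti=1 / 12)
    dual_valves = sif_pfd(dual, ti=1.0)
    return {
        "required_rrf": rrf,
        "target_sil": target_sil(rrf),
        "yearly": (yearly, achieved_sil(yearly)),
        "monthly": (monthly, achieved_sil(monthly)),
        "dual_valves": (dual_valves, achieved_sil(dual_valves)),
        "max_ti_for_sil2_years": max_test_interval(1e-2, [VALVE, LOGIC, SENSOR]),
    }


if __name__ == "__main__":
    for name, value in case_study().items():
        print(f"{name}: {value}")
```

With the page's failure rates the single-valve loop reaches SIL 2 with any proof-test interval shorter than about 0.18 years, which is the quantitative answer to the objection to monthly testing on page 34.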

Page 36

Standards Compliance

• Target SIL must be specified for each SIF based on hazard and risk analysis

• Processes for SIS throughout lifecycle must comply

• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component.

Is one transmitter enough or do we need two?

Page 37

Architectural Constraints

• Aim is to avoid unrealistic reliability claims
- From single devices ("elements")

• Constrains SIF architecture based on:
- Safe Failure Fraction
- Complexity of device ("Type A" or "Type B")
- Target SIL

• Outcome is required Hardware Fault Tolerance
- No. of voted devices minus 1 (typically)

• Use Tables in IEC61508 part 2
- IEC61511 has simplified requirements.

Page 38

Safe Failure Fraction

• Safety valve, normally open & normally energized

• In case of an out of control process, the valve has to close

[Figure: the valve's failure modes classified as safe or dangerous]
Closes spontaneously due to loss of energy: SAFE
- Detected by voltage control
- Undetected
Stuck at open: DANGEROUS
- Detected by diagnostics
- Undetected

Page 39

Architectural Constraints – IEC61508.2

Table 2: Type A subsystems – e.g. pressure switch

Safe failure fraction   Hardware fault tolerance
                        0       1       2
< 60 %                  SIL1    SIL2    SIL3
60 % - 90 %             SIL2    SIL3    SIL4
90 % - 99 %             SIL3    SIL4    SIL4
≥ 99 %                  SIL3    SIL4    SIL4

Table 3: Type B subsystems – e.g. Logic Solver, Smart Tx

Safe failure fraction   Hardware fault tolerance
                        0             1       2
< 60 %                  Not allowed   SIL1    SIL2
60 % - 90 %             SIL1          SIL2    SIL3
90 % - 99 %             SIL2          SIL3    SIL4
≥ 99 %                  SIL3          SIL4    SIL4

Independent Channels Required = Hardware Fault Tolerance + 1

Page 40

Case Study: 8 Architectural Constraints

[P&ID as on page 19]

• Transmitter LZT 2 is a smart radar gauge

• Can we use a single transmitter to satisfy SIL 2?

• Must also check for logic solver and valve.

Page 41

Case Study: 8 Architectural Constraints

• Smart Transmitter = Type B device
- Use Table 3 in IEC61508.2

• Safe Failure Fraction = 91.8%
- From TÜV Certificate

• For SIL 2, required Hardware Fault Tolerance = 0

• Therefore one transmitter is ok for SIL 2.

[Table 3 (Type B subsystems) from page 39 repeated, annotated with where LZT 2 and a standard transmitter fall]

Page 42

Architectural Constraints for Logic Solver

• E.g. Honeywell FSC and Safety Manager logic solvers

• 1oo2D architecture OR 2oo4D architecture

• All have 99% safe failure fraction
- Hence all are "SIL 3 capable"

• 2oo4D has lower spurious trip rate, but costs more.

[Table 3 (Type B subsystems) from page 39 repeated, annotated with where FSC and SM fall]
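An added example, not from the presentation: a lookup of IEC 61508-2 Tables 2 and 3 as reproduced on page 39, used to answer the case-study questions on pages 41 and 42 (is one LZT 2 transmitter enough for SIL 2, and what can a 99 % SFF logic solver claim at HFT 0). Function names are my own, and the Type A pressure-switch figures at the end are constructed, not taken from the slides.

```python
"""Added example, not from the presentation: lookup of the IEC 61508-2
architectural-constraint tables (Tables 2 and 3) as reproduced on page 39."""

# SFF bands, lower bound in percent (inclusive): < 60 %, 60-90 %, 90-99 %, >= 99 %.
SFF_BAND_LOWER = (0.0, 60.0, 90.0, 99.0)

# One row per SFF band, one column per hardware fault tolerance (HFT 0, 1, 2).
# Each entry is the maximum SIL the subsystem may claim; None = "Not allowed".
TABLE_2_TYPE_A = (          # simple devices, e.g. pressure switch
    (1, 2, 3),
    (2, 3, 4),
    (3, 4, 4),
    (3, 4, 4),
)
TABLE_3_TYPE_B = (          # complex devices, e.g. logic solver, smart transmitter
    (None, 1, 2),
    (1, 2, 3),
    (2, 3, 4),
    (3, 4, 4),
)
TABLES = {"A": TABLE_2_TYPE_A, "B": TABLE_3_TYPE_B}


def sff_row(sff_percent):
    """Index of the SFF band containing sff_percent (given as 0-100)."""
    if not 0.0 <= sff_percent <= 100.0:
        raise ValueError("safe failure fraction must be a percentage from 0 to 100")
    row = 0
    for index, lower in enumerate(SFF_BAND_LOWER):
        if sff_percent >= lower:
            row = index
    return row


def max_sil(device_type, sff_percent, hft):
    """Highest SIL claimable for a Type A or B subsystem; None if not allowed."""
    if hft not in (0, 1, 2):
        raise ValueError("the tables cover hardware fault tolerance 0, 1 and 2 only")
    return TABLES[device_type.upper()][sff_row(sff_percent)][hft]


def required_hft(device_type, sff_percent, target_sil):
    """Smallest HFT whose entry reaches target_sil, or None if no HFT in the
    table does (the device cannot be used for that SIL at this SFF)."""
    for hft in (0, 1, 2):
        sil = max_sil(device_type, sff_percent, hft)
        if sil is not None and sil >= target_sil:
            return hft
    return None


def channels_required(device_type, sff_percent, target_sil):
    """Page 39: independent channels required = hardware fault tolerance + 1."""
    hft = required_hft(device_type, sff_percent, target_sil)
    return None if hft is None else hft + 1


def case_study_8():
    """Page 41: LZT 2 is a Type B smart transmitter with SFF 91.8 % from its
    TUV certificate. Page 42: FSC / Safety Manager logic solvers are Type B
    with 99 % SFF. The Type A pressure-switch figures are constructed here,
    not taken from the slides."""
    return {
        "LZT-2 HFT for SIL 2": required_hft("B", 91.8, 2),
        "LZT-2 channels for SIL 2": channels_required("B", 91.8, 2),
        "logic solver max SIL at HFT 0": max_sil("B", 99.0, 0),
        "Type A switch (SFF 55 %) HFT for SIL 2": required_hft("A", 55.0, 2),
    }


if __name__ == "__main__":
    for question, answer in case_study_8().items():
        print(f"{question}: {answer}")
```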

Page 43

Standards Compliance

• Target SIL must be specified for each SIF based on hazard and risk analysis

• Processes for SIS throughout lifecycle must comply

• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component

How likely is it that each component is free from systematic faults ("bugs")?

Page 44

Case Study: 9 – Transmitter Selection

• Must control systematic faults

• Transmitter selected must comply with IEC61508 and IEC61511

• Must either be:
- Proven in use:
  Comparable application
  Sample size sufficient for 70% confidence level
  All failures documented
or
- Designed and manufactured in accordance with IEC 61508
  Confirmed by independent certificate (e.g. by TÜV)
  "SIL x Capable".

Page 45

Case Study: 9 - Transmitter TÜV Certificate

Page 46

Case Study: 9 - Transmitter TÜV Certification Mark

Page 47

Standards Compliance

• Target SIL must be specified for each SIF based on hazard and risk analysis

• Processes for SIS throughout lifecycle must comply

• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component

• Design now complies.

Page 48

5 Installation, Commissioning, Validation

• Logic Solver installed with field equipment

• Includes loop checking, validation and final functional safety assessment.

[IEC61511 safety lifecycle diagram repeated from page 7]

Page 49

Standards Compliance

• Target SIL must be specified for each SIF based on hazard and risk analysis

• Processes for SIS throughout lifecycle must comply

• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component

• Verification, Validation, Functional Safety Assessment.

Page 50

Case Study: 10 Verification and Validation

• Verification and Validation Plan for project
- V&V Plan Template
- SIL 2 independence required (i.e. independent engineer)
- Define responsibilities

• Verify Safety Requirements Specification

• Verify hardware design documents

• Verify functional specifications etc.

• Implement code walkthrough

• Logic Solver Factory Acceptance Test
- Complete integration test of application software on target hardware

• Logic Solver Site Acceptance Test
- Power up test on site

• Safety Function Testing

• Functional Safety Assessment.

Page 51

6 Operations, Maintenance and Modification

• The Cinderella Phases!

• User must follow a Functional Safety Management System for the life of the SIS.

[IEC61511 safety lifecycle diagram repeated from page 7]

Page 52

Ops and Maintenance Obligations

• Proof test each SIF at specified interval

• Monitor design assumptions
- Demand rates
- Component reliability

• Adjust test interval to suit

• Control modifications

• Ensure Maintenance and Operational Overrides are used as designed

• Monitor and promptly follow up diagnostics.

Page 53

Case Study: 9 Operation and Maintenance

[P&ID as on page 19, beside the layers-of-protection figure from page 20: Process, Control System (BPCS), Alarm LAH, SIF LZHH, Mechanical PSV, Hazardous Event !!. Risk reduction as assumed at design: Hazardous Situation 1 per y; Target 1 per 10,000 y; Required ×10,000; Mechanical PSV ×100; SIF LZHH ×100 (SIL 2)]

• Risk analysis assumed:
- Demand on SIS once per year
- What happens in practice?

• SIL verification assumed:
- Transmitter failure rate 0.01 y^-1
- What happens in practice?

• Etc etc . . .

• Must verify actual performance against assumptions and adjust testing as required

• Documentation of assumptions is critical.

Page 54

Case Study: 12 - Modification

TECHNIQUE / MEASURE                     Ref    SIL 1   SIL 2   SIL 3   SIL 4
1 Impact Analysis                       B.35   HR      HR      HR      HR
2 Re-verify Changed Module              B.35   HR      HR      HR      HR
3 Re-verify Affected Modules            B.35   R       HR      HR      HR
4 Revalidate Complete System            B.35   ---     R       HR      HR
5 Software Configuration Management     B.56   HR      HR      HR      HR
6 Data Recording and Analysis           B.13   HR      HR      HR      HR

During early design consider splitting SIL 2 and SIL 3 systems.

• LZHH logic needs modification after commissioning

• Validation needed depends on highest SIL in that SIS!

Page 55

Summary 1 – The SIS Lifecycle

[IEC61511 safety lifecycle diagram repeated from page 7, with the responsibility bands Engineering Contractor, SIS Vendor and End User]

Page 56

Summary 2 – Requirements

• Target SIL must be specified for each SIF based on hazard and risk analysis

• Processes for SIS throughout lifecycle must comply

• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component

• Not just TÜV certification
- Though it helps!

• Not just meeting PFDavg target

• Don't forget spurious trip rate!

Page 57

Thank You...

Questions?