Functional Safety Demystified
September 2011
Bob Weiss, Principal Consultant
Honeywell Process Solutions
2 HONEYWELL - CONFIDENTIAL File Number
Outline
• What is Functional Safety? SIS, SIF and SIL
• Standards AS IEC 61508 and AS IEC 61511
• An example to demonstrate compliance
• 4.5 day TÜV FSEng course in 45 minutes!
What is Functional Safety?
• Part of overall safety: freedom from unacceptable risk
• Achieved by a Safety Instrumented System (SIS)
  - E/E/PE safety system in IEC 61508
  - Examples: Emergency Shutdown System, Burner Management System
  - Includes field devices as well as logic solver
• A SIS places or maintains a process in a safe state
  - Process = Equipment Under Control (EUC) in IEC 61508
  - Implements Safety Instrumented Functions (SIFs)
  - Each SIF achieves a Safety Integrity Level (SIL)
• Acronyms to remember: SIS, SIF and SIL!
Some terms: SIS, SIF and SIL
(Diagram: one Safety Instrumented System containing two Safety Instrumented Functions.)
• Safety Instrumented System (SIS): the logic solver (safety PLC) together with all of its field devices
• Safety Instrumented Function (SIF): one sensor-to-final-element loop; the diagram shows SIF 1: TZH1234 and SIF 2: PZHH1234
  - Field devices shown: two temperature transmitters, a pressure transmitter, a flow transmitter, a shut-off valve and a globe valve (each driven by a solenoid), and a relay in the MCC
• Safety Integrity Level (SIL): each SIF carries its own SIL (SIL 2 and SIL 1 in the diagram)
Why Functional Safety?
• Buncefield, England, 11 Dec 2005
• Storage tank level gauge showed constant reading
• High level alarm switch jammed
• Gasoline tank overflowed
• Mist exploded
  - Largest explosion in peacetime
  - 20 tanks on fire
  - Burned for three days
  - Significant environmental impact
  - Millions of pounds damage
Standards: IEC 61508 or IEC 61511?
(Diagram: which standard applies to whom.)
• AS/IEC 61508: SIS component manufacturers, or SIL 4 applications
• AS/IEC 61511: SIS integrators and users
IEC 61511 Safety Lifecycle
(Diagram: the IEC 61511 safety lifecycle, phases numbered as below, with the party typically responsible for each phase shown as Engineering Contractor, SIS Vendor or End User.)
1 Hazard and risk analysis
2 Allocation of safety functions to protection layers
3 Safety requirements specification for the safety instrumented system
4 Design and engineering of safety instrumented system (alongside design and development of other means of risk reduction)
5 Installation, commissioning and validation
6 Operation and maintenance
7 Modification
8 Decommissioning
9 Verification
10 Management of functional safety and functional safety assessment and auditing
11 Safety life-cycle structure and planning
Complying with AS IEC 61508 & AS IEC 61511
• Target SIL must be specified for each SIF based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
  - Architectural constraints
  - Random failure rate (PFDavg)
  - Development process for each component: field devices, logic solver, shutdown valves etc.
• Not just TÜV certification (though it helps!)
• Not just meeting PFDavg target
Comply Throughout Lifecycle
• For the rest of the presentation we’ll follow the SIS lifecycle
• What do we need to do to comply at each stage?
• See the following example…
  - Only the main elements of compliance are covered
1 Hazard and Risk Analysis
• Output is a list of hazardous events with their process risk and acceptable risk.
Case Study: 1 A Hazard
(P&ID: 300t LPG tank with feed pump P-1, product pump P-2, relief valve PSV-1 and level controller LIC-1.)
• A hazard is a “potential source of harm”
• 300t of Liquefied Petroleum Gas can potentially cause harm
• Hazardous event example: BLEVE (YouTube video)
Case Study: 2 HazOp
(P&ID as before, now with a high level alarm (H) on LIC-1.)
• Node: LPG Tank
• Guideword: HIGH LEVEL
• Consequence: High pressure, possible tank rupture and major fire
• Existing Controls: Pressure Relief Valve (PSV-1)
• New Controls: Add High Level Alarm
2 Allocation of Safety Functions
• Often called SIL Analysis or SIL Determination
• Output is a list of Safety Instrumented Functions together with their required Safety Integrity Level.
Case Study: 3 Design after HazOp
(P&ID: 300t LPG tank, P-1, P-2, PSV-1 and LIC-1 with its high level alarm (H).)
• Is risk acceptable?
Risk
• Risk is the product of consequence severity and likelihood of occurrence
(Risk matrix: consequence severity Minor / Medium / Major against likelihood Low / Medium / High; risk increases towards the high-severity, high-likelihood corner.)
Case Study: 4a Risk Reduction
Hazard: 300t of LPG. Event sequence from the diagram, with the protection layer that acts at each stage:
  Process under control:             Level stable
  Process deviation or disturbance:  Control valve sticks
  Process out of control:            Level increasing          (LAH alarm acts here)
  Hazardous situation:               High pressure             (PSV acts here)
  Hazardous event:                   Vessel fails
  Impact / consequence:              300t of boiling LPG released, likely major fire and fatalities
Risk Analysis - Layers of Protection 1
(Layer-of-protection diagram: Process, Control System (BPCS), Alarm LAH, Mechanical PSV, then the Hazardous Event.)
• Hazardous situation: 1 per year
• Target: 1 per 10,000 years
• Required risk reduction: x 10,000
• Credited: x 1 for the control system (its failure is the initiating event) and x 100 for the PSV
• Only have x 100!!
Case Study: 4b Risk Reduction
Hazard: 300t of LPG. Same event sequence as 4a, now with the LZHH trip added as a further protection layer:
  Process under control:             Level stable
  Process deviation or disturbance:  Control valve sticks
  Process out of control:            Level increasing          (LAH alarm and LZHH trip act here)
  Hazardous situation:               High pressure             (PSV acts here)
  Hazardous event:                   Vessel fails
  Impact / consequence:              300t of boiling LPG released, likely major fire and fatalities
Case Study: 5 Add a SIF
(P&ID as before, now with level transmitter LZT-2 and high high level trip LZHH-2 added.)
• High Level Trip LZHH2 added
  - Shuts off flow when High High level reached
SIL Determination 1 - Layers of Protection
(Layer-of-protection diagram: Process, Control System (BPCS), Alarm LAH, SIF LZHH, Mechanical PSV, then the Hazardous Event.)
• Hazardous situation: 1 per year
• Target: 1 per 10,000 years
• Required risk reduction: x 10,000
• Credited to the PSV: x 100
• SIF must reduce risk by 10,000 / 100 = 100, i.e. x 100: SIL 2
Safety Integrity Level vs. Risk Reduction

  SIL  Probability of Failure on Demand (PFDavg)  Risk Reduction Factor  Safety Availability
  4    ≥ 10^-5 and < 10^-4                          > 10,000               > 99.99%
  3    ≥ 10^-4 and < 10^-3                          1,000 - 10,000         99.9 - 99.99%
  2    ≥ 10^-3 and < 10^-2                          100 - 1,000            99 - 99.9%
  1    ≥ 10^-2 and < 10^-1                          10 - 100               90 - 99%
  -    (control system territory)                   ≤ 10

PFDavg = 1 / RRF; Safety Availability = 1 - PFDavg.
Used later for verifying SIL achieved.
SIL is more than just PFD
• Target SIL must be specified for each SIF based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
  - Architectural constraints
  - Random failure rate (PFDavg)
  - Development process for each component
3 Safety Requirements Specification - SRS
• Defines functional and integrity requirements of SIS
• Output is set of documents ready for detail design.
Cause-and-Effect Diagram
• SIFs are commonly documented by Cause and Effect diagrams
• Could include required SIL
(Reconstructed from the slide; X marks the effect each cause initiates.)

  Tag#     Description               SIL  Instrument Range  Trip Point  Units  Close LZV-02  Close UV-03A  Close UV-03B  Open UV-03C  Set LIC-1 to MAN, OP=0
  BS-01    Burner Loss of Flame      1    ~                 ~                                X             X             X
  PSL-01   Fuel Gas Pressure Low     ~                      7                                X             X             X
  LZHH-02  LPG Tank High High Level  2    0-3500            3200        mm     X                                                      X
4 Design and Engineering
• SIS vendor for logic solver
• EPC contractor or end-user for field hardware.
Standards Compliance
• Target SIL must be specified for each SIF based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
  - Architectural constraints
  - Random failure rate (PFDavg)
  - Development process for each component
FS Management System - TÜV Certification
• See HPS TÜV Certificate
• Covers compliance to IEC 61508 & IEC 61511
• Periodic audits and renewal
• Need comparable processes for other phases
(Flowchart: Honeywell’s certified SIS project execution process from SIS order received to safety validation, with the input and output documents of each step. Steps recoverable from the slide:)
Planning: P1 Review Customer Specifications; P2 Plan Project
Hardware design and implementation: H1 Design Hardware; H2 Order Hardware (preliminary); H3 Verify System H/W Spec & Factory Drawings; H4 Build, Deliver & Test Hardware (factory); H5 Integrate Factory Hardware & Marshalling; H6 Hardware Pre-FAT
Software design and implementation: S1 Design Software; S2 Configure & Test Function Blocks; S3 Finalise Functional Logic Spec; S4 Verify Functional Logic Spec; S5 Configure Software on Development System; S6 Code Walkthrough
Integration: N1 Integration & Pre-FAT; N2 Factory Acceptance Test (FAT); N3 Install Logic Solver On Site; N4 Logic Solver Site Acceptance Test (SAT); N5 Install, Connect & Test Field Equipment & Control System (by others); N6 Safety Validation & Commissioning (led by Customer, with Honeywell input)
Documents named on the chart: customer specifications, SRS (approved), Functional Logic Spec, System H/W Spec, factory drawings, PFD calcs, H/W and S/W checklists, Execution Plan and V&V Plan, Failsafe Control Integration Guidelines, Safety Manual and Function Block Library, Code Walkthrough checklist and report, FAT and SAT procedures and reports, installation drawings and as-builts.
Standards Compliance
• Target SIL must be specified for each SIF based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
  - Architectural constraints
  - Random failure rate (PFDavg)
  - Development process for each component
Case Study: 6 PFD Calculation
(P&ID as before, with LZT-2 and LZHH-2; required SIL 2.)
• What is the calculated PFDavg for SIF LZHH2?
Safety Integrity Level vs. PFDavg
(The SIL table again: SIL 4 to SIL 1 against PFDavg bands 10^-5 to 10^-1, risk reduction factor > 10,000 down to 10 - 100, and safety availability > 99.99% down to 90 - 99%, with RRF < 10 left to the control system. The PFDavg column is the implementation focus. PFDavg = 1 / RRF; Safety Availability = 1 - PFDavg.)
Approximation to PFDavg
(Graph: the probability that the item has failed, PFD(t), rises from 0 at time 0 until the proof test; PFDavg is its average over the test interval.)
PFDavg ≈ λDU × TI / 2
where λDU = Dangerous Undetected failure rate
      TI = test interval
Remember this!
Case Study: 6 PFD Calculation
• Test interval = 1 y
• Reliability data:
  - Valve: λDU = 1/10y (= 0.1 y⁻¹)
  - Logic solver: λDU = 1/1000y (= 0.001 y⁻¹)
  - Sensor: λDU = 1/100y (= 0.01 y⁻¹)
• PFDavg = λDU × TI / 2
  - Valve: 0.1 × 1 / 2 = 0.05
  - Logic solver: 0.001 × 1 / 2 = 0.0005
  - Transmitter: 0.01 × 1 / 2 = 0.005
  - Total PFDavg = 0.05 + 0.0005 + 0.005 = 0.0555
• Calculated SIL = 1 (PFDavg range 0.01 – 0.1)
• Required SIL = 2: Not OK!
• How can this be fixed?
(Diagram: SIF LZHH-2 = transmitter LZT-2, logic solver, valve LZV-2.)
Effect of Test Interval on PFDavg
(Graphs: PFD(t) as a saw-tooth against time. With one long test interval TI the probability that the item has failed climbs high before the proof test resets it, so the average PFD is high; with short, repeated test intervals the saw-tooth is reset often and the average PFD is much lower.)
Case Study: 7a Adjust Test Interval
• Test interval = 1 month
• Reliability data:
  - Valve: λDU = 1/10y (= 0.1 y⁻¹)
  - Logic solver: λDU = 1/1000y (= 0.001 y⁻¹)
  - Sensor: λDU = 1/100y (= 0.01 y⁻¹)
• PFDavg = λDU × TI / 2
  - Valve: 0.1 / 12 / 2 = 0.004
  - Logic solver: 0.001 / 12 / 2 = 0.00004
  - Transmitter: 0.01 / 12 / 2 = 0.0004
  - Total PFDavg = 0.004 + 0.00004 + 0.0004 = 0.00444
• Calculated SIL = 2 (PFDavg range 0.001 – 0.01)
• Required SIL = 2: OK
• BUT operations object to monthly testing!
(Diagram: SIF LZHH-2 = transmitter LZT-2, logic solver, valve LZV-2.)
Case Study: 7b Duplicate Block Valves
• Test interval = 1 year
• Reliability data:
  - Valve: λDU = 1/10y (= 0.1 y⁻¹)
  - Logic solver: λDU = 1/1000y (= 0.001 y⁻¹)
  - Sensor: λDU = 1/100y (= 0.01 y⁻¹)
• For 2 valves with 1oo2 voting: PFDavg = (0.1 × 1 / 2)² = 0.0025
• PFDavg = 0.0025 + 0.0005 + 0.005 = 0.0080
• Calculated SIL = 2 (PFDavg range 0.001 – 0.01)
• Required SIL = 2: OK
(Diagram: SIF LZHH-2 = transmitter LZT-2, logic solver, valves LZV-2A and LZV-2B.)
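The arithmetic of the layer-of-protection slides and of case studies 6, 7a and 7b, carried through as an added worked example in Python (not code from the original presentation). The failure rates, test intervals and the x 100 PSV credit are the slide figures; the tag names are the case study's; the 1ooN treatment is the slide's own simplification of squaring the single-channel PFDavg.

```python
"""SIL determination and SIL verification for SIF LZHH-2 (added worked example)."""
from math import prod

# IEC 61508 low-demand bands as on the SIL table: (lower PFDavg, upper PFDavg, SIL).
SIL_PFD_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]
# The same table read by risk reduction factor: (lower RRF inclusive, SIL).
SIL_RRF_BANDS = [(10_000, 4), (1_000, 3), (100, 2), (10, 1)]

# Dangerous undetected failure rates quoted on the slides, per year.
LAMBDA_DU = {"LZT-2 transmitter": 0.01, "logic solver": 0.001, "LZV-2 valve": 0.1}


def sil_from_pfd(pfd_avg):
    """SIL achieved for a PFDavg; 0 means no SIL claim (PFDavg >= 0.1)."""
    if pfd_avg < 1e-5:
        raise ValueError("below the SIL 4 band, outside the IEC 61508 table")
    for low, high, sil in SIL_PFD_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0


def sil_for_rrf(rrf):
    """Target SIL for a required risk reduction factor (RRF 100 - 1,000 -> SIL 2)."""
    for lower, sil in SIL_RRF_BANDS:
        if rrf >= lower:
            return sil
    return 0  # RRF <= 10 is left to the control system, no SIF needed


def required_sif_rrf(demands_per_year, target_years_between_events, other_layer_credits):
    """Risk reduction the SIF must supply once the other layers are credited.

    Layer-of-protection slide: 1 demand/y, target 1 per 10,000 y, PSV x 100 -> x 100.
    """
    return demands_per_year * target_years_between_events / prod(other_layer_credits)


def pfd_avg(lambda_du_per_year, test_interval_years, voting_channels=1):
    """PFDavg of one subsystem with the slide's approximation lambda_DU * TI / 2.

    For 1ooN voting the slide squares the single-channel figure (1oo2 valves).
    Common-cause failure is neglected here, exactly as on the slide; an IEC 61508-6
    calculation with a beta factor would give a larger, more realistic value.
    """
    single = lambda_du_per_year * test_interval_years / 2.0
    return single ** voting_channels


def sif_pfd(test_interval_years, valve_channels=1):
    """Total PFDavg of SIF LZHH-2: transmitter + logic solver + final element."""
    return (pfd_avg(LAMBDA_DU["LZT-2 transmitter"], test_interval_years)
            + pfd_avg(LAMBDA_DU["logic solver"], test_interval_years)
            + pfd_avg(LAMBDA_DU["LZV-2 valve"], test_interval_years, valve_channels))


def verify(test_interval_years, valve_channels, target_sil):
    """Achieved PFDavg, RRF and SIL against the target, as in case studies 6, 7a, 7b."""
    total = sif_pfd(test_interval_years, valve_channels)
    achieved = sil_from_pfd(total)
    return {"pfd_avg": total, "rrf": 1.0 / total, "sil": achieved,
            "ok": achieved >= target_sil}


if __name__ == "__main__":
    target = sil_for_rrf(required_sif_rrf(1.0, 10_000, [100.0]))  # SIL 2
    print("target SIL for LZHH-2:", target)
    for label, ti, n in (("6: TI = 1 y, single valve", 1.0, 1),
                         ("7a: TI = 1 month, single valve", 1 / 12, 1),
                         ("7b: TI = 1 y, 1oo2 valves", 1.0, 2)):
        print(label, verify(ti, n, target))
```

Case 7a comes out at 0.004625 here because the slide rounds each term before adding; the SIL conclusion is the same.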
Standards Compliance
• Target SIL must be specified for each SIF based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
  - Architectural constraints
  - Random failure rate (PFDavg)
  - Development process for each component
Is one transmitter enough or do we need two?
Architectural Constraints
• Aim is to avoid unrealistic reliability claims
  - From single devices (“elements”)
• Constrains SIF architecture based on:
  - Safe Failure Fraction
  - Complexity of device (“Type A” or “Type B”)
  - Target SIL
• Outcome is required Hardware Fault Tolerance
  - Number of voted devices minus 1 (typically)
• Use tables in IEC 61508 part 2
  - IEC 61511 has simplified requirements
Safe Failure Fraction
• Safety valve, normally open & normally energized
• In case of an out of control process, the valve has to close
(Diagram: failure modes of the valve.)
  - SAFE: closes spontaneously due to loss of energy; either detected by voltage control or undetected
  - DANGEROUS: stuck at open; either detected by diagnostics or undetected
Architectural Constraints – IEC 61508-2

Table 2: Type A subsystems (e.g. pressure switch)
  Safe failure fraction   Hardware fault tolerance:  0            1      2
  < 60 %                                             SIL 1        SIL 2  SIL 3
  60 % - 90 %                                        SIL 2        SIL 3  SIL 4
  90 % - 99 %                                        SIL 3        SIL 4  SIL 4
  ≥ 99 %                                             SIL 3        SIL 4  SIL 4

Table 3: Type B subsystems (e.g. logic solver, smart transmitter)
  Safe failure fraction   Hardware fault tolerance:  0            1      2
  < 60 %                                             Not allowed  SIL 1  SIL 2
  60 % - 90 %                                        SIL 1        SIL 2  SIL 3
  90 % - 99 %                                        SIL 2        SIL 3  SIL 4
  ≥ 99 %                                             SIL 3        SIL 4  SIL 4

Independent channels required = Hardware Fault Tolerance + 1
Case Study: 8 Architectural Constraints
(P&ID as before, with LZT-2 and LZHH-2.)
• Transmitter LZT 2 is a smart radar gauge
• Can we use a single transmitter to satisfy SIL 2?
• Must also check for logic solver and valve
Case Study: 8 Architectural Constraints
• Smart transmitter = Type B device
  - Use Table 3 in IEC 61508-2
• Safe Failure Fraction = 91.8%
  - From TÜV Certificate
• For SIL 2, required Hardware Fault Tolerance = 0
• Therefore one transmitter is OK for SIL 2
(Table 3 repeated, with LZT 2 marked in the 90 % - 99 % row at hardware fault tolerance 0, and a standard transmitter (“Std Tx”) marked for comparison.)
Architectural Constraints for Logic Solver
• E.g. Honeywell FSC and Safety Manager logic solvers
• 1oo2D architecture or 2oo4D architecture
• All have 99% safe failure fraction
  - Hence all are “SIL 3 capable”
• 2oo4D has lower spurious trip rate, but costs more
(Table 3 repeated, with FSC and SM marked in the ≥ 99 % row.)
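Tables 2 and 3 as a lookup, applied to case study 8 (the LZT 2 smart transmitter) and to the logic solver slide, as an added worked example in Python; this is not Honeywell's code or the standard's. The SFF formula is the IEC 61508 definition (safe plus dangerous-detected failures over all failures) that the safe failure fraction slide describes in words; the failure rates fed to it below are constructed, not from a certificate.

```python
"""Architectural constraints check, IEC 61508-2 Tables 2 and 3 (added worked example)."""

# Rows are the SFF bands < 60 %, 60 - 90 %, 90 - 99 %, >= 99 %;
# columns are hardware fault tolerance 0, 1, 2; None is "Not allowed".
SFF_BAND_LOWER = (0.0, 60.0, 90.0, 99.0)
MAX_SIL = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),     # Table 2: Type A, e.g. pressure switch
    "B": ((None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),  # Table 3: Type B, e.g. logic solver, smart Tx
}


def safe_failure_fraction(lambda_safe, lambda_dd, lambda_du):
    """SFF in %, IEC 61508 definition: safe + dangerous-detected over all failures.

    Only dangerous undetected failures (the valve stuck open with no diagnostic
    to reveal it) count against the SFF.
    """
    total = lambda_safe + lambda_dd + lambda_du
    return 100.0 * (lambda_safe + lambda_dd) / total


def sff_row(sff_percent):
    """Table row index for an SFF value (0 = < 60 %, ..., 3 = >= 99 %)."""
    row = 0
    for i, lower in enumerate(SFF_BAND_LOWER):
        if sff_percent >= lower:
            row = i
    return row


def max_sil(device_type, sff_percent, hft):
    """Highest SIL claimable for the subsystem, or None if not allowed."""
    column = min(hft, 2)  # the tables stop at hardware fault tolerance 2
    return MAX_SIL[device_type.upper()][sff_row(sff_percent)][column]


def required_hft(device_type, sff_percent, target_sil):
    """Smallest hardware fault tolerance meeting the target SIL (None if none does)."""
    for hft in range(3):
        claim = max_sil(device_type, sff_percent, hft)
        if claim is not None and claim >= target_sil:
            return hft
    return None


def channels_required(device_type, sff_percent, target_sil):
    """Independent channels = hardware fault tolerance + 1."""
    hft = required_hft(device_type, sff_percent, target_sil)
    return None if hft is None else hft + 1


if __name__ == "__main__":
    # Case study 8: LZT-2 smart radar gauge, Type B, SFF 91.8 % from its TÜV certificate.
    print("LZT-2 transmitters needed for SIL 2:", channels_required("B", 91.8, 2))  # 1
    print("LZT-2 transmitters needed for SIL 3:", channels_required("B", 91.8, 3))  # 2
    # Logic solver with 99 % SFF: a single channel is already "SIL 3 capable".
    print("logic solver, HFT 0:", max_sil("B", 99.0, 0))                           # 3
    # Constructed rates (per year) for a Type B device with weak diagnostics:
    sff = safe_failure_fraction(lambda_safe=0.02, lambda_dd=0.005, lambda_du=0.025)
    print(f"SFF {sff:.0f} %, single device:", max_sil("B", sff, 0))                 # None
```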
Standards Compliance
• Target SIL must be specified for each SIF based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
  - Architectural constraints
  - Random failure rate (PFDavg)
  - Development process for each component
How likely is it that each component is free from systematic faults (“bugs”)?
Case Study: 9 – Transmitter Selection
• Must control systematic faults
• Transmitter selected must comply with IEC 61508 and IEC 61511
• Must either be:
  - Proven in use:
      - Comparable application
      - Sample size sufficient for 70% confidence level
      - All failures documented
  or
  - Designed and manufactured in accordance with IEC 61508:
      - Confirmed by independent certificate (e.g. by TÜV)
      - “SIL x Capable”
Case Study: 9 - Transmitter TÜV Certificate
(Image: the transmitter’s TÜV certificate.)
Case Study: 9 - Transmitter TÜV Certification Mark
(Image: the TÜV certification mark.)
Standards Compliance
• Target SIL must be specified for each SIF based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
  - Architectural constraints
  - Random failure rate (PFDavg)
  - Development process for each component
• Design now complies
5 Installation, Commissioning, Validation
• Logic Solver installed with field equipment
• Includes loop checking, validation and final functional safety assessment.
Standards Compliance
• Target SIL must be specified for each SIF based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
  - Architectural constraints
  - Random failure rate (PFDavg)
  - Development process for each component
• Verification, Validation, Functional Safety Assessment
Case Study: 10 Verification and Validation
• Verification and Validation Plan for project
  - V&V Plan template
  - SIL 2 independence required (i.e. independent engineer)
  - Define responsibilities
• Verify Safety Requirements Specification
• Verify hardware design documents
• Verify functional specifications etc.
• Implement code walkthrough
• Logic Solver Factory Acceptance Test
  - Complete integration test of application software on target hardware
• Logic Solver Site Acceptance Test
  - Power up test on site
• Safety Function Testing
• Functional Safety Assessment
6 Operations, Maintenance and Modification
• The Cinderella Phases !
• User must follow a Functional Safety Management System for the life of the SIS.
Ops and Maintenance Obligations
• Proof test each SIF at specified interval
• Monitor design assumptions
  - Demand rates
  - Component reliability
• Adjust test interval to suit
• Control modifications
• Ensure maintenance and operational overrides are used as designed
• Monitor and promptly follow up diagnostics
Case Study: 9 Operation and Maintenance
(P&ID as before, with LZT-2 and LZHH-2, beside the layer-of-protection diagram from SIL determination: Process, Control System (BPCS), Alarm LAH, SIF LZHH, Mechanical PSV; hazardous situation 1 per year, target 1 per 10,000 years, required x 10,000, PSV x 100, SIF x 100 = SIL 2.)
• Risk analysis assumed:
  - Demand on SIS once per year
  - What happens in practice?
• SIL verification assumed:
  - Transmitter failure rate 0.01 y⁻¹
  - What happens in practice?
• Etc etc . . .
• Must verify actual performance against assumptions and adjust testing as required
• Documentation of assumptions is critical
Case Study: 12 - Modification
• LZHH logic needs modification after commissioning
• Validation needed depends on highest SIL in that SIS!

Techniques and measures for modification (HR = highly recommended, R = recommended, --- = no recommendation):
  #  Technique / Measure                 Ref   SIL 1  SIL 2  SIL 3  SIL 4
  1  Impact Analysis                     B.35  HR     HR     HR     HR
  2  Re-verify Changed Module            B.35  HR     HR     HR     HR
  3  Re-verify Affected Modules          B.35  R      HR     HR     HR
  4  Revalidate Complete System          B.35  ---    R      HR     HR
  5  Software Configuration Management   B.56  HR     HR     HR     HR
  6  Data Recording and Analysis         B.13  HR     HR     HR     HR

During early design consider splitting SIL 2 and SIL 3 systems.
Summary 1 – The SIS Lifecycle
(Safety lifecycle diagram repeated: phases 1 to 11 of the IEC 61511 safety lifecycle, from hazard and risk analysis through allocation, safety requirements specification, design and engineering, installation, commissioning and validation, operation and maintenance, modification and decommissioning, with verification, management of functional safety and life-cycle planning alongside, and the Engineering Contractor, SIS Vendor and End User responsibilities shown.)
Summary 2 – Requirements
• Target SIL must be specified for each SIF based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
  - Architectural constraints
  - Random failure rate (PFDavg)
  - Development process for each component
• Not just TÜV certification (though it helps!)
• Not just meeting PFDavg target
• Don’t forget spurious trip rate!
Thank You...
Questions?