Methodologies for Risk Analysis, Part 5: SIL

Uploaded by fabrizio, posted on 22-Dec-2015. Description: risk analysis methodology.

  • 1

    Ed. 2008/09

    Andrea CARPIGNANO [email protected]

    Risk Assessment Risk Analysis / Safety and Risk Analysis

    POLITECNICO DI TORINO DIPARTIMENTO DI ENERGETICA

    Methodologies - Part 5

    Standards IEC 61508 & 61511

    Part 5: IEC 61508 & 61511

    Safety Life Cycle in the design of process systems

  • 2

    Standard IEC/EN 61508

    Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

    The Standard IEC 61508 is an international standard that sets the general approach for all the activities of the Safety Life Cycle of E/E/PE (Electrical / Electronic / Programmable Electronic) Systems used to perform Safety Functions.

    The Standard IEC 61508 provides a method for the development of specific safety requirements, and it introduces and uses the Safety Integrity Levels (SIL).

    Functional Safety

    Functional Safety is the portion of total safety which depends on a system, or a device, operating properly in response to one or more logic inputs.

    This portion is strictly related to the Process and to the Basic Process Control System (BPCS), and it depends on the correct functioning of the Safety Instrumented System (SIS) and of the other [Independent] Protection Layers.

  • 3

    Safety Instrumented Functions (SIFs)

    A Safety Instrumented Function (SIF) is a function that has to be implemented by a Safety Instrumented System (SIS) and by other [Independent] Protection Layers, to maintain or restore safety in the process, in relation to a specific dangerous event (when one or more predetermined conditions are not met).

    Standard IEC/EN 61508

    Recipients of the standard:

    Designers of equipment and "complex" systems

    Designers of components for safety systems

    Designers of software for managing safety systems

    [Figure: simplified process diagram; only the instrument and valve tags P, L, T+, V1 and V2 survive from the image]

  • 4

    Safety Instrumented Systems

    (SISs)

    A Safety Instrumented System (SIS) is a combination of one or more:

    - Sensors (e.g. transmitters, switches, sensors, etc.);
    - Logic Solvers with E/E/PE technology, where: E = Electrical (e.g. electromechanical relay); E = Electronic (e.g. solid-state logic); PE = Programmable Electronic (e.g. PLC);
    - Final elements (e.g. solenoids, actuators, valves, etc.);
    - Input and output devices (I/O);
    - User interfaces;
    - Feeders.

    Type A and Type B subsystems

    IEC 61508 considers two categories of systems / subsystems. A system/subsystem is defined as Type A if it meets all of the following requirements:

    - the failure modes of all the constituent components are well defined;
    - the behavior of the system under fault conditions can be determined in a comprehensive and exhaustive way;
    - there are sufficient data from the field or from tests to support the reliability data associated with the different failure modes.

    A system/subsystem is defined as Type B if not all of the above criteria are met.

    Typical examples of Type A components, according to the standard, are switches, relays, solenoid valves, etc. Typical Type B components are microprocessors and other electronic components that implement complex logics.

  • 5

    Structure of the Standard IEC/EN 61508

    Part 1: General Requirements

    Part 2: Requirements for Electrical/ Electronic/Programmable

    Electronic Safety-Related Systems (E/E/PES)

    Part 3: Software Requirements

    Part 4: Definitions and Abbreviations

    Part 5: Examples of Methods for the Determination of SILs

    Part 6: Guidelines on the Application of Parts 2 and 3

    Part 7: Overview of Techniques and Measures

    Definition of Safety Integrity Level (SIL)

    The Safety Integrity Level (SIL) is a discrete level (one out of a possible four), corresponding to a set of safety integrity values, where SIL 4 is the highest and SIL 1 is the lowest.

    It is a complex parameter indicating a range of probability that a SIS performs a safety instrumented function properly within a preset period of time, while respecting defined technical, architectural, functional and design requirements.

    It is important to remark that the SIL is allocated to an independent Safety Instrumented Function (SIF), which can be implemented by one or more SISs, and not directly to a SIS (which anyway inherits the SIL allocated to the SIF it implements).

  • 6

    Safety Life Cycle (I)

    The Safety Life Cycle is represented by all the necessary activities involved in the implementation of Safety-Related Systems, occurring during a period of time that starts at the concept phase of a project and finishes when all of the E/E/PE safety-related systems and other risk reduction measures are no longer available for use (decommissioning).

    Safety Life Cycle (II)

    Phase 1: General conception of the Functional Safety project
    Phase 2: Definition of the overall objective of the Functional Safety project
    Phase 3: Risk Analysis
    Phase 4: Allocation of the safety functions to the Independent Levels of Protection & SIL Allocation
    Phase 5: Specification of the safety requirements of the SIS (SRS)
    Phase 6: Design and engineering of the SIS & SIL Verification
    Phase 7: Factory Acceptance Test (FAT)
    Phase 8: Installation and commissioning, service of the SIS
    Phase 9: Site Acceptance Test (SAT)
    Phase 10: Operation and Maintenance
    Phase 11: Modifications
    Phase 12: Decommissioning of the SIS

  • 7

    Standards derived from IEC/EN 61508

    - STANDARD IEC 61511: Functional Safety: Safety Instrumented Systems for the Process Industry Sector
    - STANDARD IEC 61513: Nuclear Power Plants - Instrumentation and Control for Systems important to safety - General Requirements for Systems
    - STANDARD EN 50402: Electrical Apparatus for the detection and measurement of combustible or toxic gases or vapours or of oxygen. Requirements on
    - STANDARD IEC 62061: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems

    [Flowchart: risk analysis procedure] START → System Description → Hazard Identification (Historical Analysis, HAZID, HAZOP, FMECA) → Selection of critical events (Risk Matrix), with branches Not critical / Critical → Selection and Grouping of Initiating Events → Analysis of Accidental Sequences (Event Tree Analysis, Fault Tree Analysis) → Probabilistic Analysis / Accident Simulation (Simulation Models, Data Banks) → Risk Assessment (Tolerability Criteria), with outcomes Tolerable / Not Tolerable → END. A "Design and Management review" box closes the loop on the branches that do not lead to END.

    APPLYING THE STANDARD IEC 61508

    1. Definition of SILs according to the risk analysis of the system
    2. Design of safety systems to meet the required level of SIL
    3. Checking of the level of SIL imposed
    4. Commissioning and management to maintain the level of SIL of the project

  • 8

    STEP 1 - SIL Allocation to Safety Instrumented Functions

    Identification of the hazards, of the related expected frequencies, of the incidental scenarios and of the safety-related critical systems, by means of qualitative and/or quantitative techniques.

    Definition of a policy of SIL allocation to the SIFs (Safety Instrumented Functions) identified and deemed necessary.

    Approaches to SIL Allocation suggested by the Standard:

    - HAZOP and Simplified Risk Matrixes
    - Calibrated Risk Graph Method
    - LOPA (Layer of Protection Analysis)
    - QRA (Quantitative Risk Assessment)

    Going down the list, the level of complexity and detail of the analyses increases; going up the list, the level of conservativity in the allocation of SILs increases.

  • 9

    SIL Allocation: HAZOP & Simplified Risk Matrixes (I)

    HazOp: Hazard and Operability Studies

    [HAZOP worksheet columns] SYSTEM | DAMAGE | PROCESS PARAMETER | DEVIATION | CAUSE | OP. PHASE | EFFECTS (Local / System / Plant) | FREQ. | S | E | P | A | DETECTION, PREVENTION, MITIGATION METHODS | ACTIONS | NOTES

    S: index of damage on Safety; E: index of damage on Environment; P: index of damage on Production; A: index of damage on Assets

    SIL Allocation: HAZOP & Simplified Risk Matrixes (II)

    Qualitative indexes for Frequencies (examples):
    1: Not expected over the system life cycle
    2: May happen once along the system life cycle
    3: Expected a few times along the system life cycle
    4: Expected several times along the system life cycle

    Qualitative indexes for Damages (examples), Damage (Safety):
    1: No important effects
    2: Temporary injuries to people (recovery within max 3 days)
    3: Temporary injuries to people (recovery in more than 3 days)
    4: Permanent disabilities or fatalities

    Damage (Production):
    1: No important effects
    2: Damages to the system without any interruption of production, or slight reduction of production without interruptions
    3: Damages to the system along with interruption of production within a week
    4: Severe damages to the system along with long-term loss of production (more than a week)

  • 10

    SIL Allocation: HAZOP & Simplified Risk Matrixes (III)

    Risk Matrix (qualitative acceptability criteria), R = F x D:

        F\D    1    2    3    4
        4      4    8   12   16
        3      3    6    9   12
        2      2    4    6    8
        1      1    2    3    4

    R > 8: events with very high criticality, on which to intervene with preventive and/or mitigative actions
    4 ≤ R ≤ 8: critical events that require deepening (accurate cost-benefit analysis)
    2 ≤ R ≤ 3: low criticality events, on which to intervene in case low-cost preventive and/or mitigative solutions are identified
    R = 1: non critical events

    The Risk Criteria depend on the type of damage considered (Safety, Environment, Asset, Production, etc.): each type has a specific Risk Matrix of reference.

    SIL Allocation: HAZOP & Simplified Risk Matrixes (IV)

    Simplified SIL Allocation (same criticality classes as above):

        F\D    1                2        3        4
        4      SIL 2            SIL 3    SIL 4    SIL 4
        3      SIL 1            SIL 2    SIL 3    SIL 4
        2      SIL 1            SIL 2    SIL 2    SIL 3
        1      No SIL required  SIL 1    SIL 1    SIL 2

    SILs are allocated by means of a highly conservative approach to the different areas of the matrix.

  • 11

    SIL Allocation: HAZOP & Simplified Risk Matrixes (V)

    Simplified SIL Allocation (Example), one HAZOP worksheet row:
    Process parameter: Pressure
    Deviation: More
    Op. phase: Normal operation
    Effects: possible release of flammable substance, fire and/or explosion, 1 or more fatalities
    Freq.: 3
    S / E / P / A: 4 / 3 / 3 / 2
    Detection, prevention, mitigation methods: None
    Actions: provide a new SIF: detection of high pressure on vessel and shutdown of inlet/outlet lines
    Notes: perform SIL study for the new SIF

    SIL Allocation to a new SIF: SIL 4 for Safety
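The risk-matrix and simplified SIL-allocation tables of the previous slides, applied to the worksheet row above, as an added example that is not part of the course material. The criticality classes and the SIL matrix are transcribed from the slides; the `HazopRow` structure and the function names are this example's own. The slides say each damage type has its own reference matrix but show only one, so the same matrix is applied to S, E, P and A here, which is an assumption for illustration.

```python
# Added example: qualitative risk matrix (R = F x D) and simplified SIL
# allocation, as on the HAZOP / Simplified Risk Matrix slides.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SCALE = range(1, 5)  # frequency and damage indexes both run 1..4


def risk_index(freq: int, damage: int) -> int:
    """R = F x D, the value in the qualitative risk matrix."""
    if freq not in SCALE or damage not in SCALE:
        raise ValueError("frequency and damage indexes must be in 1..4")
    return freq * damage


def criticality(r: int) -> str:
    """Criticality classes of the slide legend: R > 8, 4..8, 2..3, R = 1."""
    if r > 8:
        return "very high criticality: preventive and/or mitigative actions required"
    if r >= 4:
        return "critical: deepen the analysis (accurate cost-benefit analysis)"
    if r >= 2:
        return "low criticality: intervene only if low-cost solutions are identified"
    return "non critical"


# Simplified SIL allocation matrix of the slide, indexed [F][D].
# None stands for "No SIL required".
SIL_MATRIX: Dict[int, Dict[int, Optional[int]]] = {
    4: {1: 2, 2: 3, 3: 4, 4: 4},
    3: {1: 1, 2: 2, 3: 3, 4: 4},
    2: {1: 1, 2: 2, 3: 2, 4: 3},
    1: {1: None, 2: 1, 3: 1, 4: 2},
}


def allocate_sil(freq: int, damage: int) -> Optional[int]:
    """SIL read from the simplified allocation matrix (conservative by design)."""
    risk_index(freq, damage)  # reuse the range check
    return SIL_MATRIX[freq][damage]


@dataclass
class HazopRow:
    """The subset of a HAZOP worksheet row needed for SIL allocation
    (structure assumed by this example, not defined on the slides)."""
    parameter: str
    deviation: str
    op_phase: str
    effects: str
    freq: int
    damage: Dict[str, int]  # indexes S, E, P, A


def assess_row(row: HazopRow) -> Dict[str, Tuple[int, str, Optional[int]]]:
    """Per damage type: (R, criticality class, allocated SIL).
    Assumption: the same matrix is used for every damage type."""
    out = {}
    for kind, d in row.damage.items():
        r = risk_index(row.freq, d)
        out[kind] = (r, criticality(r), allocate_sil(row.freq, d))
    return out


def governing_sil(assessment: Dict[str, Tuple[int, str, Optional[int]]]) -> Optional[int]:
    """The SIF must satisfy the most demanding damage type."""
    sils = [s for _, _, s in assessment.values() if s is not None]
    return max(sils) if sils else None


# The worksheet row of the slide example (Pressure / More, normal operation).
EXAMPLE_ROW = HazopRow(
    parameter="Pressure",
    deviation="More",
    op_phase="Normal operation",
    effects="Possible release of flammable substance, fire and/or explosion, 1 or more fatalities",
    freq=3,
    damage={"S": 4, "E": 3, "P": 3, "A": 2},
)

if __name__ == "__main__":
    result = assess_row(EXAMPLE_ROW)
    for kind, (r, cls, sil) in result.items():
        print(f"{kind}: R={r:2d}  {cls}  -> SIL {sil}")
    print("governing SIL:", governing_sil(result))  # SIL 4, driven by Safety
```

Running the block reproduces the slide's result: the Safety index gives R = 12 (very high criticality) and SIL 4, which governs the new SIF.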

    SIL Allocation: Calibrated Risk Graphs (I) (qualitative approach)

    This approach does not refer to an explicit correlation with the risk acceptability criteria. Anyway, before applying the method, it is necessary to verify its consistency with the available reference criteria and to perform the so-called calibration.

  • 12

    SIL Allocation: Calibrated Risk Graphs (II)

    (qualitative approach)

    SIL Allocation: Calibrated Risk Graphs (III)

    (qualitative approach)

  • 13

    SIL Allocation: Calibrated Risk Graphs (IV)

    (qualitative approach)

    SIL Allocation by Risk Graphs (Example)

    Scenario: overpressure in vessel → fire / explosion, 1 or more fatalities; frequent exposure of operators / maintainers; expected a few times in the plant life cycle (F ≈ 10^-1 ev/y).

    SIF REQUIRED: detection of high pressure on vessel and shutdown of inlet/outlet lines

    ALLOCATION: SIL 3

    SIL Allocation: LOPA (I)

    LOPA (Layer Of Protection Analysis) (semi-quantitative approach)

    It is a semi-quantitative approach, more accurate and detailed than the previous ones (higher need of time and resources, but less conservative and more realistic results).

    It is used downstream of the HAZOP and applied to all the scenarios for which the need of a SIF has been identified.

    It allows to highlight the existing safeguards, to distinguish their efficacy against each of the initiating causes, to evaluate the need of implementing new SIFs and to allocate the required SIL.

    It has a direct and explicit link with the Risk Acceptability Criteria.

  • 14

    SIL Allocation: LOPA (II)

    Semi-quantitative Risk Acceptability Criteria (Example)

    [Matrix: damage class against frequency, each cell classed ACCEPTABLE or NOT ACCEPTABLE]
    Damage classes: Extended (10 or more fatalities, large exposed groups); Serious (severe injuries, 1 or more fatalities, small exposed groups); Minor (light injuries).
    Frequency axis: 1,0 E-06, 1,0 E-07, 1,0 E-08, 1,0 E-09, 1,0 E-10 ev/y.

    SIL Allocation: LOPA (III) (template suggested by IEC 61511)

    [Table: LOPA template] Columns: reference incidental scenario highlighted by the HAZOP; Independent Protection Layers: design preventive actions (over-dimensioning and ratings, intrinsic safety, ATEX, etc.), Basic Process Control System (protections), procedural protections, safety escape ways, etc., passive protections and other IPLs; PFD required for an additional SIF (*). The only values that survive from the filled-in template are two IPL PFDs of 0,1 each.

    (*) NOTE: the mitigated frequency for each single cause is within the limits set by the acceptability criteria, but the frequency of the overall scenario (sum of all causes) is NOT. A PFD of 10^-2 is therefore not sufficient: the PFD requirement for the new SIF must be lower.

  • 15

    SIL Allocation: LOPA (IV)

    IPL: Independent Protection Layers. An IPL must have:

    - complete effectiveness against the consequences of the scenario;
    - independence from all the causes of the initiating events and from all the other IPLs considered;
    - complete testability in terms of functional efficacy and of reliability characteristics.

  • 16

    SIL Allocation: LOPA (V)

    The SIL defines the safety integrity of the requested SIF (and consequently of the SIS that will be in charge of its implementation) and its capability to reduce the Risk Level.

    Once the necessary value of PFD (Probability of Failure on Demand) has been defined, the allocation of the required SIL is performed by means of the following table:
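The LOPA bookkeeping behind the note on the previous slide (each cause within the criterion, the scenario as a whole not) and the PFD-to-SIL step of this slide, as an added example that is not part of the course material. The scenario data (three initiating causes, their frequencies, the 1,0 E-06 ev/y target) are constructed for the example; the two existing IPLs are credited with PFD 0,1 each as in the slide template. The slides do not print the PFD-to-SIL table, so the bands used in `sil_for_pfd` are taken from IEC 61508-1 (low demand mode: SIL 1 for 10^-2 ≤ PFDavg < 10^-1, down to SIL 4 for 10^-5 ≤ PFDavg < 10^-4); the `Cause` structure and the function names are this example's own.

```python
# Added example: LOPA frequency bookkeeping for one HAZOP scenario with several
# initiating causes, and derivation of the PFD / SIL required from a new SIF.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cause:
    """One initiating cause with the existing IPLs credited against it.
    Frequencies in events/year, PFDs dimensionless (structure assumed here)."""
    name: str
    initiating_frequency: float
    ipl_pfds: List[float]  # e.g. BPCS protection, procedural protection


def mitigated_frequency(cause: Cause, sif_pfd: float = 1.0) -> float:
    """Consequence frequency for this cause after the existing IPLs and,
    optionally, a candidate new SIF (sif_pfd=1.0 means no SIF credited)."""
    f = cause.initiating_frequency
    for pfd in cause.ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD out of range for {cause.name}: {pfd}")
        f *= pfd
    return f * sif_pfd


def scenario_frequency(causes: List[Cause], sif_pfd: float = 1.0) -> float:
    """Overall scenario frequency: the sum over all initiating causes."""
    return sum(mitigated_frequency(c, sif_pfd) for c in causes)


def required_sif_pfd(causes: List[Cause], target: float) -> Optional[float]:
    """Maximum PFD an additional SIF may have so that the whole scenario
    meets the target; None when the existing IPLs already suffice."""
    f = scenario_frequency(causes)
    if f <= target:
        return None
    return target / f


def sil_for_pfd(pfd: float) -> Optional[int]:
    """Minimum SIL whose PFDavg band contains the required PFD.
    Bands from IEC 61508-1, low demand mode (not printed on the slides)."""
    if pfd >= 1e-1:
        return None  # no SIL credit can be claimed
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    if pfd >= 1e-5:
        return 4
    raise ValueError("required PFD is below the SIL 4 band; one SIF cannot provide it")


def lopa_check(causes: List[Cause], target: float, sif_pfd: float) -> Dict:
    """Compare every single cause and the whole scenario against the target,
    crediting a candidate SIF with the given PFD."""
    per_cause = {c.name: mitigated_frequency(c, sif_pfd) <= target for c in causes}
    total = scenario_frequency(causes, sif_pfd)
    return {"per_cause_ok": per_cause, "scenario_frequency": total,
            "scenario_ok": total <= target}


# Constructed data (not from the slides): three causes of the scenario
# "overpressure in vessel -> fire / explosion", each protected by a BPCS
# layer and a procedural layer with PFD 0,1 (the values of the template).
EXAMPLE_CAUSES = [
    Cause("level control failure", 8e-3, [0.1, 0.1]),
    Cause("blocked outlet", 5e-3, [0.1, 0.1]),
    Cause("external fire", 3e-3, [0.1, 0.1]),
]
TARGET_FREQUENCY = 1e-6  # constructed acceptability criterion for "Serious" damage

if __name__ == "__main__":
    check = lopa_check(EXAMPLE_CAUSES, TARGET_FREQUENCY, sif_pfd=1e-2)
    print("with a SIF of PFD 1e-2:", check)  # every cause ok, scenario not ok
    pfd = required_sif_pfd(EXAMPLE_CAUSES, TARGET_FREQUENCY)
    print(f"required SIF PFD <= {pfd:.2e} -> at least SIL {sil_for_pfd(pfd)}")
```

With these numbers a SIF of PFD 10^-2 brings every single cause below 1,0 E-06 ev/y, but the scenario sum is 1,6 E-06 ev/y, so the check fails exactly as the slide note warns; the required PFD is 6,25 E-03, which lies in the SIL 2 band. Note that a SIL 2 band allows PFDs up to 10^-2, so the SIL verification step must confirm that the SIS actually achieves a PFD at or below the value derived here, not merely the SIL.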

    SIL Allocation: LOPA (VI) (Alternative template suggested by references in IEC 61508 & 61511)

    Reference: Layer of Protection Analysis: Simplified Process Risk Assessment (2001), Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers (AIChE).

  • 17


    APPLYING THE STANDARD IEC 61508

    STEP 2 - Design safety systems to meet the required level of SIL

    System architecture:
    - Redundancy (fault tolerance), separation and diversity
    - Defense in depth (IPL, Independent Protection Layers)

    Quality and Reliability of components:
    - Improve the reliability and the maintainability of the components
    - Increase the availability by improving maintenance
    - Improve the production process of the Software

  • 18

    STEP 3 - SIL Verification

    The SIL Allocation described in the previous section is performed with reference to a specific SIF (Safety Instrumented Function), defined in terms of a set of functional, time, architectural, probabilistic and maintenance requirements (SRS - Safety Requirement Specifications).

    The SIF is implemented by means of a well-defined SIS (Safety Instrumented System), whose design inherits all the requirements of the SIF, in terms of SIL and SRS.

    The phase of SIL Verification aims to analyze the design of the SIS and to verify that all the requirements in terms of SIL and SRS have been effectively met.

    SIL Verification

    SIL VERIFICATION for the design of a SIS:
    - HARDWARE requirements verification: probabilistic requirements verification; architectural and functional requirements verification
    - SOFTWARE requirements verification: new software development; existing software verification

    SIL verification is successful only if BOTH the Hardware AND the Software requirements are met!