safety integrated level (sil) augie tf itb

8/10/2019 Safety Integrated Level (SIL) Augie TF ITB

1/39

AugieWidyotriatmo, Ph.D.

[email protected] www.widyotriatmo.com

Instrumentation and Control ResarchGroup

Engineering Physics Program

Faculty of Industrial Technology

InstitutTeknologi Bandung

Safety Integrity Level (SIL)IEC Safety Standard


2/39

2

Email: [email protected]; website: www.widyotriatmo.com

2

Degree Institution

Ph.D. in Mechanical Engineering Pusan National University, SouthKorea

Master Engineeringin Instrumentation & Control Institut Teknologi Bandung

Bachelor Engineeringin Engineering Physics Institut Teknologi Bandung

Affiliation & Organization

Faculty Member, Instrumentation & Control, Engineering Physics, ITBVice Chair,IEEE Indonesia Control Systems& Robotics and Automation Joint Chapter Societies

Selected Publications

Control architectureof an autonomoussystem,

International Journal ofArtificial Intelligence, 8(S12), 2013.

Switching algorithm for robust configuration control of a nonholomicsystem,

Control Engineering Practice, vol. 20, no. 3, pp. 315-325, 2012.

Controlof multiple nonholonomicsystems,

IEEE Transactions on Industrial Electronics, vol. 57, no. 5, pp. 1896-1906, 2011.

ugie idyotriatmo

Engineering Consultants

Jasamarga,PertaminaEP, PGN, Chevron Pacific Indonesia, Indonesia Power


3/39

3

ContentsContents

Protection Layers

BPCS and SIS

IEC61508 & IEC61511 safety standard

SIL from IEC61508 and from ISA S84.01 Safety Calculation

Controller, Sensor, and Final Element Architectures

Conclusion


4/39

R isk R eductionR isk R eduction

PROCESS

Risk

BPCSALARMSISOther

AcceptableRisk Level

Risk Inherentin the Process

SIS

SIS

SIL1SIL2SIL3

4


5/39

5

Assorted Names ofAssorted Names of SafetySafety

SystemSystem

Safety Interlock System

Safety Instrumented System

Safety Shutdown System

Emergency Shutdown System

Protective Instrument System

Different companies within the process

industry use a variety of names


6/39

ALL PROCESSES MUST HAVE SAFETYALL PROCESSES MUST HAVE SAFETY

THROUGH AUTOMATIONTHROUGH AUTOMATION

SAFETY MUST ACCOUNT FOR FAILURES OF

EQUIPMENT (INCLUDING CONTROL) & PERSONNEL

MULTIPLE FAILURES MUST BE COVERED

RESPONSES SHOULD BE LIMITED, TRY TO

MAINTAIN PRODUCTION, IF POSSIBLE

AUTOMATION SYSTEMS CONTRIBUTE TOSAFE OPERATION

(if they are designed and maintained properly!)

6


7/39

7

ALARMS

SIS

RELIEF

CONTAINMENT

EMERGENCY RESPONSE

BPCS

Strength in Reserve

BPCS - Basic process control

Alarms - draw attention

SIS - Safety interlock system

to stop/start equipment

Relief- Prevent excessive

pressure

Containment - Preventmaterials from reaching,

workers, community or

environment

Emergency Response -

evacuation, fire fighting,

health care, etc.

SAFETY INVOLVES MANY LAYERS TOSAFETY INVOLVES MANY LAYERS TO

PROVIDE HIGH RELIABILITYPROVIDE HIGH RELIABILITY

Control

Control


8/39

8

SAFETY STRENGTH IN DEPTH !

PROCESS

RELIEF SYSTEM

SAFETY INTERLOCKSYSTEM

ALARM SYSTEM

BASIC PROCESSCONTROL SYSTEM

Closed-loop control to maintain processwithin acceptable operating region

Bring unusual situation to attentionof a person in the plant

Stop the operation of part of process

Divert material safely

KEY CONCEPT IN PROCESSKEY CONCEPT IN PROCESS SAFETYSAFETY

Seriousness

of event

Fourindependentprotectionlayers (IPL)

SAFETY INSTRUMENTEDSYSTEM


9/39

9

Basic Process Control System (BPCS)Basic Process Control System (BPCS)

PVset-point

SensorTransmitter

ActuatorFinalElement

BPCS

time


10/39

10

SAFETY INSTRUMENTED SYSTEMS (SIS)SAFETY INSTRUMENTED SYSTEMS (SIS)

SensorTransmitter

Logic Solver

ActuatorFinalElement

PVset-point

time


11/39

11

BPCS & SISBPCS & SIS

PROCESS

SensorPT

SensorPT

SAFETY INSTRUMENTED SYSTEMSIS

INPUTS OUTPUTS

BASIC PROCESS CONTROL SYSTEMBPCS

INPUTS OUTPUTS

SensorPT

FT

I/P


12/39

safety

people

property

environment

people

property

environment

probability of

occurrence

Severity of

occurrence

SafetySafety: freedom from unacceptable risk: freedom from unacceptable risk

Harm to:

12


13/39

WhatWhat is a Risky System?is a Risky System?A system with an unacceptable

combination of:

probability of occurrence of harm

and

the severity of that harm.

13


14/39

IEC 61508 serves as the basic standard and basis for safety standardization.It covers all areas where electrical, electronic or PLC systems are used torealize safety-related protection functions.

IEC61508

IEC International Process SafetyIEC International Process Safety

SStandards for Process Industrytandards for Process Industry

14

There are sector-specific standards based on IEC 61508, such as

IEC 61511 for the process industry or IEC 61513 for the nuclearindustry

These sector standards are important for planners and operators ofcorresponding plants.

IEC61511


15/39

The IEC 61511Safety LifecycleThe IEC 61511Safety Lifecycle

15

Manage

ment of

Function

al Safety

andFunction

al Safety

Assess-

ment

Sub-

clause 5

Safety

Lifecy-

cle

Structu-

re andPlann-

ing

Sub-

clause

6.2

Verifica

tion

Sub-

clause

7, 12.7

Risk Analysis and Protection Layer Design

Sub-clause 8

Allocation of Safety Func tions to Safety Instrumented

Systems or other means of risk reduction

Sub-clause 9

Safety Requirements SpecificationSafety Requirements Specification

for the Safety Instrumentedfor the Safety Instrumented

SystemSystem SubSub--clauseclause 1010

Design and Development ofDesign and Development of

Safety InstrumentedSafety Instrumented

SystemSystem SubSub--clauseclause 1111

Design and Development of

other means of Risk Reduction

Sub-clause 9

Installation, Commissioning and ValidationInstallation, Commissioning and Validation

SubSub--clause 14clause 14

Operation and MaintenanceOperation and Maintenance


ModificationModification

SubSub--clause 15.4clause 15.4

DecommissioningDecommissioning



16/39

Safety Lifecycle Management ToolsSafety Lifecycle Management Tools

16


Allocation of Safety Functions to

Safety Instrumented Systems

or other means of Risk Reduction

Safety Requirements

Specification for Safety

Instrumented System

Design and

Development of Safety

Instrumented System

Design and Development

of other means of Risk

Reduction

Installation Commissioning and Validation

Operation and Maintenance

Modification

Decommissioning


Allocation of Safety Functions to

Safety Instrumented Systems

or other means of Risk Reduction

Safety Requirements

Specification for Safety

Instrumented System

Design and

Development of Safety

Instrumented System

Design and Development

of other means of Risk

Reduction

Installation Commissioning and Validation

Operation and Maintenance

Modification

Decommissioning

PHA ToolsHAZOP

LOPA

SIL Tools

SIL Selection

Safety RequirementsSIL Verification

Safety

Engineering

PLC Programming

Simulation/Bypass

Operations

Operator Station

Maintenance Station


17/39

The IEC 61511 Safety LifecycleThe IEC 61511 Safety Lifecycle

17

The different phases of the safety Li fecycle

Analysis Phase Identification of Hazards and Risks Development of the Safety Requirement Specification for

the Safety Instrumented System Allocation of Safety Function to Protective Layers

Realization Phase Design and Engineering of Safety Instrumented System Design and Development of other Means of Risk Reduction Installation, Commissioning & Validation

Operation Phase Operation & Maintenance Modification

Decommissioning


18/39

SIL from IEC61508SIL from IEC61508

18

10 -1000.1 0.011

100 1,0000.01 - 0.0012

1,000 10,0000.001 0.00013

> 10,000< 0.00014

RISK REDUCTION

FACTOR (RRF)

PROBABILITY OF

FAILURE ON

DEMAND (PFD)

SAFETY INTEGRITY

LEVEL


19/39


20/39

IEC 61508IEC 61508 Safety TheorySafety Theory -- Remove SystematicRemove Systematic

DefectsDefects

IEC 61508 implies:

non-safety processes systematic defects safety processes

safety processes + functional safety assessment IEC 61508 compliance

20


21/39

The SafetyThe Safety EquationsEquations

MTBF = MTBRF + MTBSF

PFD = PRFD + PSFD

safety integrity = hardware safety integrity +

systematic safety integrity

MTBF - Mean Time Between Failure MTBRF - Mean Time Between Random Failure

MTBSF - Mean Time Between Systematic Failure

PFD - Probability of Failure on Demand PRFD - Probability of Random Failure on Demand

PSFD - Probability of Systematic Failure on Demand

21


22/39

Safety MeasurementsSafety Measurements

MTBF = 1/(failure rate)

failure rate = RHF + SHF + SSF

MTBF 1/(RHF + SHF + SSF)

RHF - Random Hardware Failure SHF - Systematic Hardware Failure SSF Systematic Software Failure

See IEC 61508-1, Tables 2 and 3

22


23/39

Relationship of IECRelationship of IEC 6150861508 to failure typeto failure type

random hardware failure (RHF) see IEC 61508-2

systematic hardware failure (SHF) see IEC 61508-2

systematic software failure (SSF) see IEC 61508-3

23


24/39


25/39

NonNon--complex or Complex system?complex or Complex system?Non-complex deterministic system

has a unique output for each specific input

Complex non-deterministic system

the system output is a function of the current input andthe previous output.

25


26/39

IECIEC 6150861508--3 Software3 Software RequirementsRequirements

From the Electrical, Electronic and Programmable Electronic

Systems (E/E/PES) hardware development processes, it has

been determined that a microcontroller is required to implement

the complex logic in software, and SIL 3 has been determined

IEC 61508-3, clause 7.2, Software safety requirements specification,

points to IEC 61508-3, Table A.1

IEC 61508-3, Table A.1, Software safety requirements specification,

points to IEC 61508-7, Technique/Measure B.2.4

IEC 61508-7, Technique/Measure B.2.4, describes Computer-aided

specification tools

26


27/39

What is PFD ?What is PFD ?

27

PFD means average failure probability on demand

(PFDavg) of a safety-instrumented function.

In line with the SIL requirement, the PFD must be in a

certain interval.

SIL 1

SIL 2

SIL 3

SIL 4

PFD (t)PFD (t)

Time

PFDPFDavgavg

Test interval


28/39

PFDPFD--Quantitative EvidenceQuantitative Evidence of failureof failure

probability of aprobability of a SIFSIF

Calculation of PFD values

11121 TPFD

Doo

11,2

11,21,3

4ooSooSooS

PFDPFDPFD

AIFMTASensorooS PFDPFDPFDPFD 11,

11,2

11,32, 4 ooSooSooS PFDPFDPFD

is the part of failure with a

common cause, which produces

a common shutdown using

multiple channel systems.

A value with 0,1 (10%) can beused as a conservative

assumption.

(IEC 61508-6 e.g. B 2.5)

Approximation formulaApproximation formula for PFDfor PFDAVGAVG calculationcalculation


29/39

SIL 1 (s. Corrigendum)SIL 1 (s. Corrigendum)

Safe Failure Fraction (SFF)Safe Failure Fraction (SFF)

29

SFF HFT

Proportional part of the safe recognized failures

S + DD) / ( S + D)

S: Safe, D: Dangerous, DD: Dangerous Detected


30/39

30

SINGLE BOARD CONTROLLER MODELSINGLE BOARD CONTROLLER MODEL

INPUT CIRCUIT

IC

INPUT CIRCUIT

IC

INPUT CIRCUIT

IC

INPUT CIRCUIT

IC

LOGIC CIRCUITMP

OUTPUT CIRCUIT

OC

OUPUT CIRCUIT

OC


31/39

31

1oo1 (One1oo1 (One--outout--ofof--One)One)

Sensor Input CircuitLogic Solver

Common CircuitryOutputCircuit Actuator

FinalElement

PFDavg=d * TI/2= 0.002 * 1/ 2= 0.001

System FailsDangerously

Unit FailsDD

Unit FailsDU

SIL3: PFDavg= 0.001 ~ 0.0001

TI = 1 yrsCd = 60%MTTR = 12 hrs

0.002DD =dCd

DU =d(1-Cd)


32/39

32

1oo1D (One1oo1D (One--outout--ofof--OneOne--Diagnostic)Diagnostic)

OutputCircuit

Sensor

Diagnostic Circuit(s)

ActuatorFinal

Element

Input CircuitLogic Solver

Common Circuitry

System FailsDangerously

Unit FailsDU

SIL3: PFDavg= 0.001 ~ 0.0001

TI = 1 yrsCd = 60%MTTR = 12 hrs

0.002DD =dCd

DU =d(1-Cd)

PFDavg=DD MTTR+ DU TI/ 2= 0.0004


33/39

OutputCircuit

33

1oo2 (One1oo2 (One--outout--ofof--Two)Two)

Sensor


Common Circuitry

Output

Circuit

ActuatorFinal

Element

C: Common Cause; N: Normal Stress


Common Circuitry

System Fails

Dangerously

A&B

Fails

DDC

A&B

Fails

DUC

A Fails

DN

B Fails

DN


34/39

34

2oo2 (Two2oo2 (Two--outout--ofof--Two)Two)

OutputCircuit

Sensor


Common Circuitry

Output

Circuit

Actuator

FinalElement


Common Circuitry

System Fails

Dangerously

A&B

Fails

DDC

A&B

Fails

DUC

A Fails

DUN

B Fails

DDN

A Fails

DDN

B Fails

DUN


35/39


36/39

36

Sensor Architectures: 1oo2 SensorSensor Architectures: 1oo2 Sensor

PS

PS

DIGITAL INPUT

DIGITAL INPUT

1oo2 LOGIC

CONTROLLERDISCRETE SENSOR

DISCRETE SENSOR

PS

PS

ANALOG INPUT

ANALOG INPUT

HIGH OR LOWSELECT COMPARISON

CONTROLLERANALOG TRANSMITTER

ANALOG TRANSMITTER


37/39

DISCRETE OUTPUT

CONTROLLER

37

Final Element Architectures: 1oo2Final Element Architectures: 1oo2

DISCRETE OUTPUT

AIR SUPPLY

VALVE VALVE


38/39

SensorSensor

38

PFDavgPFDavg of Safety Instrumented Systemsof Safety Instrumented Systems

Sensor

SensorSensor

InputsLogic

Processing

SensorSensorOutput

Circuit

SensorSensor

Actuator


39/39

39

ConclusionsConclusions

Protection Layers Functional of BPCS & SIS

IEC61508 & IEC61511 safety standard

SIL from IEC61508 and from ISA S84.01

Safety Calculation

Controller, Sensor, and Final Element Architectures

The objective design is to achieve the requirement

of the class of SIL

Overspecification and overdesign may lead to

inefficiency and excess complexity

safety integrated level (sil) augie tf itb

Documents