7/21/2019 SIL Understanding Functional Safety Assessment
http://slidepdf.com/reader/full/sil-understanding-functional-safety-assessment 1/8
IEC 61508 – Understanding Functional Safety Assessment
Simon Dean, Sauf Consulting Ltd
July 1999
Introduction
Despite the fact that IEC 61508 (Ref. 1) was only issued (in part) on 1st January 1999, many industries have already implemented the standard and some companies have developed internal procedures to ensure consistent application. This enthusiasm stems from the perceived benefits of the new standard to provide a formalised justification of the level of integrity needed for different instrument functions and a move towards the long term benefits that can be achieved through the application of IEC 61508 throughout the supply chain.
However, from experience within the oil & gas and process industries, there has not been widespread success in adopting IEC 61508 across all projects. The reasons for this stem from the perception of what the standard is, how it can be implemented consistently and what the results of a functional safety assessment (FSA) mean. This article explains the hazard and risk assessment processes that need to be followed within a FSA and highlights some of the pitfalls that can be encountered in applying IEC 61508.
The Risk Assessment Framework
Before attempting to carry out a FSA, it is essential that the general principles of risk assessment are clearly understood. To make effective decisions, those involved in the assessment need to know what potential threat the failure of the equipment under control poses and how great is the likelihood that people will be harmed. Gathering and analysing this information is referred to as risk assessment.
IEC 61508 is a risk based standard and in order to apply it, some criteria which define the tolerability of risks must be established for the project. As a minimum, this must state what is deemed tolerable with respect to both the frequency (or probability) of the hazardous event and its specific consequences. For many projects worldwide, the objective of meeting some predefined risk acceptance criteria is fundamental throughout the design decision process. Under UK legislation, this is carried out by demonstration of ALARP under the framework of the Safety Case Regulations (Ref. 2) or the COMAH Regulations (Ref. 3) for offshore and onshore projects respectively. In other parts of the world, similar goal setting regimes are in place or being developed.
Through the FSA process, the objective is to ensure that the safety-related systems are designed to reduce the likelihood and/or consequences of the hazardous event to meet the tolerable risk criteria. To achieve this objective, the process that is followed within the FSA can be summarised by three key stages, as follows.
1. Establish the tolerable risk criteria.
2. Assess the risks associated with the equipment under control.
3. Determine the necessary risk reduction needed to meet the risk acceptance criteria.
These three key stages in the FSA process are described in more detail in the succeeding sections.
© Sauf Consulting Ltd, 1999 Page 1 of 15 www.sauf.co.uk
Tolerable Risk Criteria
A number of different methods can be used to express the tolerability of risks, which varies between operators and the cultural and regulatory environment of the project's location. In general, these criteria can be qualitative or quantitative although there is often some overlap in the way the criteria are expressed.
Qualitative criteria use words such as probable, frequent, unlikely, remote, etc. to describe the likelihood and words such as minor, major, catastrophic, etc. to describe the consequences. However, in order to ensure that these criteria are applied consistently, it is often necessary to introduce quantitative numbers to provide a clear definition of how the words should be interpreted. For example, unlikely may be defined as ‘once every 10 to 100 years’, or ‘may happen once over the life of 10 similar facilities’.
Quantitative criteria on the other hand use numbers to describe the likelihood and severity of the event. This can include criteria such as ‘an event having a frequency of less than 10^-3 per year’, or ‘between 2 and 5 fatalities or serious injuries’, etc. However, there is a certain amount of uncertainty associated with the numerical prediction of the likelihood and consequences of an event and some qualitative interpretation will invariably be necessary to decide if the event is in the tolerable region or not.
Whether qualitative or quantitative tolerable risk criteria are used, it is important to appreciate that there is always some blurring between them. The (qualitative) words invariably need some numbers to make sure they are interpreted consistently and the (quantitative) numbers need some words to make sure they are applied consistently. As far as IEC 61508 is concerned, it is immaterial whether qualitative or quantitative criteria are used since the standard can be applied equally using either approach. An example of expressing the tolerability of risks using a risk band diagram is shown in Figure 1.
[Figure 1 – Example Risk Bands for Tolerability of Hazards: a diagram of Frequency (per year, 10^-4 to 1; bands Remote, Unlikely, Possible, Probable) against Consequence (Significant, Major, Catastrophic), divided into Zone 1 Unacceptable Risk Region, Zone 2 Transitional Risk Region and Zone 3 Tolerable Risk Region.]
Assessing the Risk
The term risk assessment conjures up different meanings for many people when in fact the principles are quite simple. Risk assessment can be defined as determining the potential harm a situation poses and how great is the likelihood that people, the asset or the environment will be harmed.
When applying IEC 61508, the risk assessment can be summarised as asking the question, ‘how likely is the equipment under control to fail and if it does fail, what is the outcome?’ To answer this question, information must be available on the likelihood and consequences of the hazardous events that the equipment under control mitigates against. In order to determine this information for typical process plant applications, the boundary of the system in terms of cause and effect must be defined, as will become evident in the following discussion.
The likelihood or frequency of an event relating to the equipment under control can arise from either intrinsic or extrinsic causes. Intrinsic causes are events such as component failures, software failures, or human error within the equipment under control. Extrinsic causes generally apply to protective systems that only need to function when some other failure within the process plant occurs; for example, protection against over pressurisation that can only occur as a result of other failures somewhere within the process plant. Therefore, the boundary as far as the likelihood of an event is concerned must consider both the intrinsic failure rate and the extrinsic demand rate of the equipment under control.
The consequences or severity of an event relating to equipment under control can range from the direct effects of the incident to all subsequent events along the escalation path. Although it is relatively easy to assess the immediate effects of an incident, the knock on effects further down the escalation path are more difficult to determine unless techniques such as event tree analysis are used. This introduces a dilemma, since the true consequences of an event can only be determined if the escalation path is assessed through to its end conclusions, although the escalation path itself may contain other separate functions which are themselves subject to the FSA process. In order to aid clarity, it is best to illustrate this statement by use of an example.
Consider an instrument based protection system used to prevent over pressurisation. The immediate consequences should the equipment under control fail could be a rupture of the pipework and a significant release. Apart from any immediate fatalities in the vicinity of the release, the effects of this event with respect to personnel fatalities will depend on the success (or failure) of a number of further systems in the escalation path. The release may or may not be detected; the isolation and blowdown system may or may not work; the release may or may not ignite; the fire may or may not cause further loss of containment and escalation; the firewater system may or may not work; personnel may or may not be able to escape.
As can be seen from this example, the boundary applied for the consequences of an incident plays an important role in the complexity of the analysis and the determination of the safety integrity level. Also, in order to accurately determine the precise likelihood that people will be harmed, the boundary of the analysis has to extend to the end of the event tree. However, if the boundary is extended to cover every potential path within the event tree, the analysis will include systems not directly affected by the equipment under control and which themselves may be subject to FSA.
Another important issue to appreciate using this example is that in the FSA process, overall safety performance could be improved by achieving a high availability for any element in the escalation path, such as gas detection; isolation and blowdown; protection against ignition; prevention of escalation to adjacent plant; the firewater system; etc. However, such an approach would miss the
[Figure 2 – Example of Extended Risk Graph: a decision tree over the four risk parameters whose branches terminate in the SIL ratings a, 1, 2, 3, 4 and b.]
In order to ensure that this approach is applied consistently, it is essential that these four terms are clearly and unambiguously defined and understood. To do this, the four parameters must be calibrated against the tolerable risk criteria in use. It is also important to test the calibration by considering some example cases to ensure that the resulting SIL rating will achieve the necessary risk reduction to reach a level within the tolerable region of the criteria in use.
A common pitfall of the risk graph method which has been observed on a number of projects is inconsistency (or lack of repeatability) of results. Different SIL ratings have been determined when different teams have been used to carry out repeat SIL assessments for the same system, and even when the same teams are used, different results have been observed for the same system when the assessment is repeated a short time later. This is invariably due to poor calibration or uncertainties in the information used by the review team to make their qualitative judgements on the four parameters. For example, referring to Figure 2, the review team may debate the issues and decide that the decision tree should follow the E3 F1 P1 W2 path, resulting in a SIL 1 rating. Conversely, debate of the issues may result in the E3 F2 P2 W2 path being selected, resulting in a SIL 3 rating.
The Hazardous Event Severity Matrix Method
The Hazardous Event Severity Matrix method shown in Annex E of IEC 61508 Part 5 is also a qualitative method which is primarily applicable to protective functions using multiple independent protective systems (i.e., primary, secondary, tertiary, etc.). This method can be considered as a decision matrix approach in which the review team considers three issues to arrive at the required SIL rating, as follows.
♦ Consequence risk parameter.
♦ Frequency risk parameter.
♦ Number of independent protective functions parameter.
These three terms tend to be more readily understood than the four parameters used in the risk graph method since the consequence and frequency parameters are exactly the same as those
used in most tolerable risk criteria. As is the case with the risk graph method (Annex D), the consequence and frequency bands must be calibrated against the tolerable risk criteria in use. Again, this may involve introducing additional consequence and/or frequency bands, as shown in the example given in Figure 3 which has been adapted to match the criteria shown in Figure 1. This calibration should also consider some example cases to ensure that the resulting SIL rating will bring the risk down to within the tolerable region of the criteria in use.
[Figure 3 – Example of Extended Hazardous Event Severity Matrix. Columns: Hazardous Event Severity (Significant, Major, Catastrophic), each subdivided by Event Likelihood (d) in events per year (10^-4 to 10^-3, 10^-3 to 10^-2, 10^-2 to 10^-1, 10^-1 to 1). Rows: number of independent SRSs and external risk reduction facilities (e), including the E/E/PE SRS being classified (1, 2 or 3). Each cell gives the required SIL rating (SIL 1 to SIL 3) or refers to one of the notes below.]
a) One SIL 3 E/E/PE safety-related system does not provide sufficient risk reduction at this risk level. Additional risk reduction measures are required.
b) One SIL 3 E/E/PE safety-related system may not provide sufficient risk reduction at this risk level. Hazard and risk analysis is required to determine whether additional risk reduction measures are necessary.
c) An independent E/E/PE safety-related system is probably not required.
d) Event likelihood is the likelihood that the hazardous event occurs without any safety-related systems or external risk reduction facilities.
e) SRS = safety-related system. Event likelihood and the total number of independent protection layers are defined in relation to the specific application.
In applying the hazardous event severity method, it is important to recognise the level of independence between the SRSs and external risk reduction facilities since the technique is only valid where there are no common mode failures. For example, if the primary and secondary protective systems are both rated at SIL 1, then the overall protective function will have a SIL 2 rating only if there are no common mode failures. If there are any common mode failures at all, then the overall protective function will have a SIL 1 rating. To illustrate this point, the SIL ratings for combined subsystems have been calculated for various SIL combinations and common mode failure rates, as shown in Figure 4, below.
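As an added example (my code, not the paper's or Sauf Consulting's calculation), the following reproduces the point above with a beta-factor common cause model: it assumes each layer is credited with the worst-case PFD of its IEC 61508 low demand band, that a fraction beta of failures is common to both layers, and it maps the combined PFD back onto the SIL bands.

```python
"""Added example (not from the paper): beta-factor estimate of the SIL reached
by two protection layers, showing how common mode failures pull the combined
rating down, as the text states for two SIL 1 layers."""
from fractions import Fraction

# Largest PFDavg (low demand mode) a layer rated SIL n is credited with,
# i.e. the top of its IEC 61508 band: SIL n covers 10^-(n+1) < PFD <= 10^-n.
PFD_UPPER = {sil: Fraction(1, 10 ** sil) for sil in (1, 2, 3, 4)}


def combined_pfd(sil_primary: int, sil_secondary: int, beta) -> Fraction:
    """Beta-factor model (an assumption here, not the paper's own method).

    A fraction beta of each layer's dangerous failures is treated as a common
    cause failure that defeats both layers together; only the remaining
    independent failures have to coincide for the function to be lost.
    Exact fractions keep band boundaries (e.g. 0.1 x 0.1 = 0.01) honest.
    """
    beta = Fraction(beta)  # pass "0.005" or a Fraction, not a float
    if not 0 <= beta <= 1:
        raise ValueError("beta must be a fraction between 0 and 1")
    pfd_a, pfd_b = PFD_UPPER[sil_primary], PFD_UPPER[sil_secondary]
    independent = (1 - beta) * pfd_a * (1 - beta) * pfd_b
    common_cause = beta * max(pfd_a, pfd_b)  # conservative: weaker layer
    return independent + common_cause


def sil_from_pfd(pfd: Fraction) -> str:
    """Map a PFDavg onto the IEC 61508 low demand SIL bands."""
    if pfd > PFD_UPPER[1]:
        return "none"       # worse than SIL 1, no claim possible
    if pfd <= Fraction(1, 10 ** 5):
        return "> SIL 4"    # beyond the bands the standard defines
    for sil in (4, 3, 2, 1):
        if pfd <= PFD_UPPER[sil]:
            return f"SIL {sil}"
    raise AssertionError("unreachable")


def combined_sil(sil_primary: int, sil_secondary: int, beta) -> str:
    return sil_from_pfd(combined_pfd(sil_primary, sil_secondary, beta))


def rating_table(beta) -> dict:
    """One panel in the style of the paper's Figure 4 for a given beta."""
    return {(p, s): combined_sil(p, s, beta)
            for p in (1, 2, 3) for s in (1, 2, 3)}


if __name__ == "__main__":
    # beta = "0" is the "no common mode failures" case the text describes;
    # any beta > 0 drops two SIL 1 layers back to SIL 1.
    for beta in ("0", "0.005", "0.01", "0.05", "0.1"):
        print(f"common mode fraction {beta}:")
        for (p, s), rating in sorted(rating_table(beta).items()):
            print(f"  primary SIL {p} + secondary SIL {s} -> {rating}")
```

With beta = 0 two SIL 1 layers give exactly 10^-2 and so SIL 2; with beta = 0.005 the common cause term alone adds 5 x 10^-4 and the result falls back into the SIL 1 band.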
[Figure 4 – SIL Ratings for Combined Subsystems: four panels for common mode failure rates of 0.5, 1, 5 and 10, each tabulating the combined SIL rating (SIL 1 to SIL 4, or > SIL 4) against the Primary Subsystem SIL Rating (SIL 1, 2, 3) across and the Secondary Subsystem SIL Rating (SIL 1, 2, 3) down.]
Conclusions
This article has given a brief illustration of the principles behind the Functional Safety Assessment process to determine the necessary risk reduction. From the discussion, the key point to remember is that IEC 61508 does not provide an explicit method for carrying out a FSA; it only provides a framework.
Although this is consistent with the aims and objectives of IEC 61508, being a standard written to be applicable to a wide range of industries, initial attempts to apply the standard have in general failed to appreciate this fact. However, with the development of other sector specific supporting standards such as ISO 10418 (Ref. 5) and IEC 61511 (Ref. 6), the application of the FSA process will undoubtedly become an integral part of the design development for process facilities worldwide.
As a final summary, it is worth reiterating some points raised in this article which should be borne in mind in the FSA for typical process systems.
♦ The FSA does not identify hazards; this is best carried out using formal hazard identification techniques such as PHA, HAZID and HAZOP.
♦ The boundary of the equipment under control being considered in the FSA should be clearly defined as the detection, initiation and operation of the safety-related system. The boundary should not include consequences further along the escalation path.
♦ In order to carry out the FSA, it is essential that accurate information is available on the likelihood and consequences of the hazardous events that the protective functions mitigate against.
♦ A rigorous calibration exercise must be carried out to ensure that the parameters are clearly and unambiguously defined and tested to ensure that the resulting SIL rating will achieve the necessary risk reduction in accordance with the tolerable risk criteria in use.
♦ When assessing safety-related systems with primary and secondary protective functions, the possibility of common mode failures must be carefully assessed in order to arrive at valid SIL ratings.
♦ For complex systems, a rigorous reliability and availability analysis should be used to help determine the SIL ratings.
Abbreviations
ALARP As Low As Reasonably Practicable
E/E/PE Electrical/Electronic/Programmable Electronic
FSA Functional Safety Assessment
HAZID Hazard Identification (Study)
HAZOP Hazard and Operability (Study)
PHA Process Hazard Analysis
SIL Safety Integrity Level
SRS Safety Related System
UKOOA United Kingdom Offshore Operators Association
References
1. IEC 61508 Functional safety: safety-related systems.
2. The Offshore Installations (Safety Case) Regulations (SCR), SI 1992 No 2885, HMSO.
3. The Control of Major Accident Hazards Regulations (COMAH), SI 1999 No 743, HMSO.
4. United Kingdom Offshore Operators Association (UKOOA). Instrument-Based Protective Systems, Document Number C01, 1995.
5. ISO/WD 10418 Revision 3. Petroleum and natural gas industries: Offshore production installations. Analysis, design, installation and testing of basic surface process safety systems for offshore installations. Requirements and guidelines.
6. IEC 61511 Functional safety: safety instrumented systems for the process industry sector.
Simon Dean works as a safety consultant primarily in the oil & gas and process industries, specialising in risk assessment, formal safety assessment and availability analysis, and can be contacted at simon@sauf.co.uk.