Page 1: Safety Integrity Level (SIL)

Paul Lucas
ABB Engineering Services
13 March 2007

© ABB Group, 21-Mar-07

Page 2: Agenda

- Why do we need SIL systems?
- Where does the SIL concept come from?
- What is a SIL?
- The Three Steps of SIL:
  1. Set the target SIL (SIL Determination)
  2. Design to meet the target SIL
  3. Operate and Maintain to keep hitting the target SIL

Page 3: Why do we need SIL systems?

BP Texas City, USA 2005

Page 4: Why do we need SIL systems?

Buncefield, UK 2006

Page 5: Safety Issues

- How do you demonstrate that your operations are ‘safe’?
- How do you demonstrate that your equipment is ‘safe’?
- How do you demonstrate that your safety and protective systems protect against your hazards?

You can answer these questions by demonstrating compliance with Industry Safety Standards.

Page 6: Functional Safety Standard - IEC61508

- Generic standard supported by sector variants (IEC61511 for the Process Sector)
- Guidance on the use of Electrical, Electronic and Programmable Electronic Systems which perform safety functions
- Considers the entire Safety Critical Loop
- Comprehensive approach involving the concepts of the Safety Lifecycle and all elements of the protective system
- Risk-based approach leading to the determination of Safety Integrity Levels - SIL

Page 7: Generic and Application Sector Standards

IEC61508 is the generic standard; the sector standards under it are:
- IEC61511: Process Sector
- Medical Sector
- IEC61513: Nuclear Sector
- IEC62061: Machinery Sector

Page 8: IEC61511 Safety Lifecycle

Phases of the lifecycle, numbered as in the diagram:
1. Hazard and Risk Assessment
2. Allocation of safety functions to protection layers
3. Safety Requirements Specification for the safety instrumented system
4. Design & Engineering of the Safety Instrumented System (in parallel with Design & Development of other means of risk reduction)
5. Installation, Commissioning and Validation
6. Operation and Maintenance
7. Modification
8. Decommissioning
9. Verification
10. Management of functional safety and functional safety assessment and auditing
11. Safety Life-Cycle structure and planning

Phases 9, 10 and 11 are drawn as bars running alongside all of phases 1 to 8: they apply throughout the lifecycle rather than at one point in it.

Page 9: Step 1 – Set the Target SIL

(IEC61511 Safety Lifecycle diagram, as on Page 8.)

Page 10: Hazard and Risk Assessment

Trevor Kletz (safety guru) sums it up as:
- How big?
- How often?
- So what?

That is:
- What are the hazardous events? The consequence.
- How often may they occur? The frequency.
- Risk = Consequence * Frequency
- Is this unacceptable to the company / regulator / society?
- What risk is tolerated?

Page 11: Tolerable Risk and ALARP

(Diagram: a risk scale from Low Risk to High Risk divided into three bands.)

- Intolerable (high risk): risk cannot be justified on any grounds
- ALARP or Tolerability Band: may be “Tolerable” if the risk level is As Low As Reasonably Practicable (ALARP)
- Broadly Acceptable (low risk): no need for detailed working to demonstrate ALARP

ALARP = As Low As Reasonably Practicable

Page 12: Risk Reduction to meet tolerable risk

(Diagram: risk increasing from right to left, with the Process Risk, the Risk Target and the Residual Risk marked on the scale.)

The Necessary risk reduction is the gap between the Process Risk and the Risk Target. The Actual risk reduction, which must leave the Residual Risk at or below the target, is made up of:
- Risk reduction from all Non-Instrumented Prevention / Mitigation Measures
- Risk reduction from the Safety Instrumented Function (SIF), which is the part expressed as a SIL

Page 13: Expressing SIL

| Safety Integrity Level | Probability of failure on demand (PFD) | Risk Reduction |
|---|---|---|
| SIL 1 | 0.1 to 0.01 | 10 – 100 |
| SIL 2 | 0.01 to 0.001 | 100 – 1000 |
| SIL 3 | 0.001 to 0.0001 | 1000 – 10000 |
| SIL 4 | 0.0001 to 0.00001 | 10000 – 100000 |

Page 14: Methods for SIL Determination

- Safety Layer Matrix: IEC 61511-3 Annex C
- Risk Graphs: IEC 61511-3 Annex D
- Layer of Protection Analysis (LOPA): IEC 61511-3 Annex F
- Fault Tree Analysis: IEC 61511-3 Annex B

Page 15: Risk Graph

(Diagram: risk graph whose branches, selected by the C, F, P and W parameters below, lead to SIL 1, SIL 2, SIL 3 or SIL 4; the branch structure itself is not recoverable from the transcript.)

Parameters:
- C = Extent of Damage
  - Ca = Minor Injury
  - Cb = Lost time injury
  - Cc = Major Injury
  - Cd = On-site fatality
  - Ce = Multiple on-site fatalities or one off-site fatality
- F = Proportion of Time of Exposure to Hazard
  - Fa = Low (< 0.1)
  - Fb = High (> 0.1)
- P = Mitigating Factors
  - Pa = Good Chance of Avoiding Consequences (> 90%)
  - Pb = Poor Chance of Avoiding Consequences (< 10%)
- W = Probability or Frequency of Hazardous Event
  - W1 = Very Low (F < 0.01 / yr)
  - W2 = Low (F > 0.01 / yr)
  - W3 = Relatively High (F > 0.1 / yr)

Page 16: LOPA (Layer of Protection Analysis)

For each initiating cause, calculate which Independent Layers of Protection provide protection. Multiply the initiating frequency by the PFD of each layer for the intermediate Event Frequency, then add across causes for the Total Event Frequency.

| Initiating Cause | Frequency (/yr) | Layer 1 | Layer 2 | Layer 3 | Layer 4 | Intermediate Event Frequency (/yr) |
|---|---|---|---|---|---|---|
| A | 0.1 | 1 | 0.01 | 1 | 0.1 | 0.0001 |
| B | 0.1 | 0.1 | 0.01 | 1 | 0.1 | 0.00001 |
| C | 0.5 | 0.1 | 0.01 | 1 | 1 | 0.0005 |
| D, E, F | (not used in this example) | | | | | |

(The slide has six layer columns; only four carry values in the rows shown.)

Total Event Frequency, Fe = 0.00061 /yr

PFDavg calculation: maximum PFDavg for the Safety Instrumented Function = Ft / Fe

PFD = Target (0.00003) / Total Event (0.00061) = 0.0492

Target Safety Integrity Level: SIL 1
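As an added worked example, not part of the slides, the LOPA table above carried through in Python: the initiating causes, layer PFDs and target frequency are the slide's figures; the SIL bands are those of the "Expressing SIL" slide, with the lower bound of each band taken as inclusive and the upper as exclusive (an assumption made here, following the IEC 61508 convention).

```python
# Added example (not from the slides): the LOPA table worked through. Each
# initiating cause has a frequency per year and a set of independent
# protection layers (IPLs), each credited with a probability of failure on
# demand. The intermediate event frequency for a cause is the product; the
# total is the sum over causes; the required PFDavg of the safety
# instrumented function is the tolerable target frequency divided by that total.
from math import prod

# Constructed from the slide's table: initiating frequency (/yr) followed by
# the PFD credited for each protection layer. A layer entered as 1 gives no
# credit for that cause.
INITIATING_CAUSES = {
    "A": (0.1, [1, 0.01, 1, 0.1]),
    "B": (0.1, [0.1, 0.01, 1, 0.1]),
    "C": (0.5, [0.1, 0.01, 1, 1]),
}
TARGET_FREQUENCY = 0.00003  # tolerable frequency of the hazardous event, /yr (slide's Ft)

# SIL bands from the "Expressing SIL" slide as (SIL, lower PFD, upper PFD). The
# lower bound is taken as inclusive and the upper as exclusive (assumption,
# following the IEC 61508 convention).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_for_pfd(pfd):
    """SIL band a required PFDavg falls in; 0 when PFDavg >= 0.1 (no SIL needed).
    Raises when the requirement is below SIL 4, which is outside the table."""
    if pfd >= 0.1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    raise ValueError(f"required PFDavg {pfd:g} is below SIL 4; re-examine the risk reduction")


def intermediate_event_frequency(init_freq, layer_pfds):
    """Frequency of the hazardous event after the non-SIF layers have acted."""
    return init_freq * prod(layer_pfds)


def lopa(causes, target):
    """Return (per-cause frequencies, total frequency Fe, required PFDavg Ft/Fe, SIL)."""
    per_cause = {
        name: intermediate_event_frequency(freq, layers)
        for name, (freq, layers) in causes.items()
    }
    total = sum(per_cause.values())
    required_pfd = target / total
    return per_cause, total, required_pfd, sil_for_pfd(required_pfd)


if __name__ == "__main__":
    per_cause, total, pfd, sil = lopa(INITIATING_CAUSES, TARGET_FREQUENCY)
    for name, freq in per_cause.items():
        print(f"cause {name}: intermediate event frequency {freq:.6f} /yr")
    print(f"total event frequency Fe = {total:.5f} /yr")
    print(f"required SIF PFDavg = Ft / Fe = {pfd:.4f}  ->  target SIL {sil}")
```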

Page 17: Comparison of Methods

| | Safety Layer Matrix | Risk Graph | LOPA | Fault Tree Analysis |
|---|---|---|---|---|
| Initial Screening | R | R | R | NR |
| Detailed Analysis | NR | NR | R | R |
| Multiple Causes with Different Protection | NR | NR | R | R |
| Potential Dependency | NR | NR | NR | R |
| Output (SIL or PFDavg) | SIL | SIL | PFDavg | PFDavg |
| Need to include specific Human Factors | NR | NR | R | R |
| Suitable for SIL | 1 | 1 | 1 & 2 | >1 |

NR = Not recommended; R = Recommended

Page 18: Summary of Step 1

- Get the Target SIL correct
- Save time, money, equipment, maintenance
- Calibrate any method for YOUR tolerability
- Use a method suitable for the consequences

Page 19: Step 2 – Design to meet the target SIL

(IEC61511 Safety Lifecycle diagram, as on Page 8.)

Page 20: Random Hardware Failures

Any item of equipment in a protective system can fail. There are broadly two types of system failure:

- Fail Safe: component failure to an open circuit condition, loose connections, loss of power (air or electrical). These will cause the system to shut down the plant unnecessarily but are self revealing and ‘fail safe’.
- Fail to Danger: contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked. These are ‘fail to danger’ because, when a demand occurs, the system cannot respond, i.e. un-revealed failures. These are the failures we need for the PFD calculation.

Page 21: Example – High Pressure Trip

(Diagram of the trip loop: Pressure Transmitter, Trip Amp, Relay, Solenoid Valve, Trip Valve.)

Page 22: A Single Channel System – 6 month testing

The overall dangerous failure rate for the channel is the sum of the rates for the components (Pressure Transmitter, Trip Amplifier, Relay, Solenoid Valve, Trip Valve):

λd = 0.05 + 0.067 + 0.0033 + 0.033 + 0.033 = 0.1863 per year

PFDavg = ½ T λd

If this is tested every 6 months (T = 0.5 year) then

PFDavg = ½ × 0.5 × 0.1863 = 0.047

which is near the middle of SIL 1.

Page 23: Safety Integrity Level – Achieved PFDavg

(Chart: achieved PFDavg on a logarithmic scale from 10^-1 to 10^-5 against the SIL bands, SIL 1: 0.1 to 0.01, SIL 2: 0.01 to 0.001, SIL 3: 0.001 to 0.0001, SIL 4: 0.0001 to 0.00001.)

Points marked on the chart: PFDavg = 0.047 (6 month test interval), PFDavg = 0.05, PFDavg = 0.005.

Page 24: The Need For Testing

Fail to Danger: contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked. These are ‘fail to danger’ because, when a demand occurs, the system cannot respond, i.e. un-revealed failures. They are only exposed by testing.

(Timeline diagram, Time in years: the system is Healthy until an Unrevealed fault makes it Faulty; the fault is only found at the next Test, so the Dead Time runs from the fault to that test, and a Demand arriving during the dead time is not answered. Tests repeat at the Test Interval.)

Testing can expose un-revealed failures.

Page 25: Multiple Channels And Common Cause Failure (β)

More complicated, but the same principles apply.

For one channel (1 out of 1):
PFDav1 = ½ λd T

For two channels (1 out of 2):
PFDav2 = 4/3 [PFDav1]² + β [PFDav1], or PFDav2 = 1/3 [(λd)² T²] + β [PFDav1]

For three channels (1 out of 3):
PFDav3 = 2 [PFDav1]³ + β [PFDav1], or PFDav3 = 1/4 [(λd)³ T³] + β [PFDav1]

For three channels voted 2 out of 3:
PFDav2 = 4 [PFDav1]² + β [PFDav1], or PFDav2 = (λd)² T² + β [PFDav1]

Taken from Practical Industrial Safety, Risk Assessment & Shutdown Systems, Dave MacDonald.
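An added example, not from the slides or from MacDonald's book, that applies the single-channel formula from the 6-month-testing slide and the 1oo2, 1oo3 and 2oo3 formulas above to the high pressure trip figures, and inverts PFDavg = ½ λd T to find the longest proof-test interval for a target SIL (the calculation the proof-test slide later calls for). The assignment of the five failure rates to named components and the common cause fraction β = 0.1 are assumptions made here.

```python
# Added example (not from the slides): PFDavg of the single-channel high
# pressure trip from the "6 month testing" slide, the 1oo2 / 1oo3 / 2oo3
# formulas from the common cause slide, and the longest proof-test interval
# at which a single channel still meets a target SIL.

# Dangerous (un-revealed) failure rates per year. The five figures and their
# sum (0.1863 /yr) are the slide's; which figure belongs to which component
# is an assumption made here for readability.
DANGEROUS_FAILURE_RATES = {
    "pressure transmitter": 0.05,
    "trip amplifier": 0.067,
    "relay": 0.0033,
    "solenoid valve": 0.033,
    "trip valve": 0.033,
}


def channel_lambda_d(rates):
    """Dangerous failure rate of one channel: the sum over its components."""
    return sum(rates.values())


def pfd_1oo1(lambda_d, t):
    """One channel proof-tested every t years: PFDavg = 1/2 * lambda_d * T."""
    return 0.5 * lambda_d * t


def pfd_1oo2(lambda_d, t, beta):
    """Two channels, either trips (1 out of 2): 4/3 * PFDav1^2 + beta * PFDav1."""
    p1 = pfd_1oo1(lambda_d, t)
    return 4.0 / 3.0 * p1 ** 2 + beta * p1


def pfd_1oo3(lambda_d, t, beta):
    """Three channels, any one trips (1 out of 3): 2 * PFDav1^3 + beta * PFDav1."""
    p1 = pfd_1oo1(lambda_d, t)
    return 2.0 * p1 ** 3 + beta * p1


def pfd_2oo3(lambda_d, t, beta):
    """Three channels, two must agree (2 out of 3): 4 * PFDav1^2 + beta * PFDav1."""
    p1 = pfd_1oo1(lambda_d, t)
    return 4.0 * p1 ** 2 + beta * p1


def meets_sil(pfd, target_sil):
    """True if a PFDavg is inside or better than the target band: SIL n needs PFDavg < 10**-n."""
    return pfd < 10.0 ** (-target_sil)


def max_test_interval(lambda_d, target_sil):
    """Longest proof-test interval (years) at which one channel meets target_sil,
    from PFDavg = 1/2 * lambda_d * T with PFDavg set to the band's upper limit."""
    return 2.0 * 10.0 ** (-target_sil) / lambda_d


if __name__ == "__main__":
    lam = channel_lambda_d(DANGEROUS_FAILURE_RATES)  # 0.1863 /yr
    t = 0.5      # 6-month proof test, in years
    beta = 0.1   # common cause fraction: assumed, the slide gives no value
    print(f"lambda_d = {lam:.4f} /yr, T = {t} yr, beta = {beta}")
    results = {
        "1oo1": pfd_1oo1(lam, t),
        "1oo2": pfd_1oo2(lam, t, beta),
        "1oo3": pfd_1oo3(lam, t, beta),
        "2oo3": pfd_2oo3(lam, t, beta),
    }
    for arch, pfd in results.items():
        verdict = "meets" if meets_sil(pfd, 2) else "does not meet"
        print(f"{arch}: PFDavg = {pfd:.5f}, {verdict} SIL 2")
    # With beta = 0 the common cause term vanishes and redundancy looks far
    # better than it is, which is why beta must be estimated, not ignored.
    print(f"1oo2 with beta = 0: PFDavg = {pfd_1oo2(lam, t, 0.0):.5f}")
    print(f"single channel needs T <= {max_test_interval(lam, 2):.3f} yr for SIL 2")
```

With β = 0.1 the common cause term β·PFDav1 dominates every redundant architecture, so 1oo2 and 1oo3 both land in SIL 2 rather than the SIL 3 the β = 0 figure would suggest.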

Page 26: Sources of Data

- Manufacturer’s data: based on either returned goods or predictions using either FMEA (failure mode effects analysis) or FMEDA (failure mode effects and diagnostic analysis). These should not be confused with real field failure rates based on actual use of the units.
- Field data (61511 uses the term prior use): based on similar operating conditions and environment. Should be collected using a methodical / auditable process and allow for errors (misreporting / non reporting) in the collection of the data.
- Generic data: from an extensive history of similar industries found to be appropriate.

Page 27: ‘Checking’ the numbers

IEC 61511 architectural constraints – Hardware Fault Tolerance
- Designed to verify that the ‘numbers’ make sense
- No mathematical basis for the figures; based on experience
- Specified SIL can be reduced with operational experience and analysis

(Diagram: trip loops made up of Analyser, Trip Amp, Relay Logic, Solenoid and Trip Valve.)

Page 28: Constraint - Hardware Fault Tolerance (1)

- Used for sensors, final elements and non-PE logic solvers
- Table 6 in IEC61511 Part 1
- Increased fault tolerance can enable easier maintenance and testing

Page 29: Constraint - Hardware Fault Tolerance (2)

- Applies to PE Logic Solvers
- Table 5 in IEC 61511 Part 1
- The ‘cleverer’ the PES, the less fault tolerance required for the target SIL
- More complex tables in IEC61508, used for certified instruments to reduce HFT

Page 30: Manufacturer’s Data – Example 2

(Figure only; no text was captured for this slide.)

Page 31: Non-Hardware faults - Systematic

Because of the findings from ‘Out of Control’ and other work…
- A large number of faults are not caused by hardware
- We need appropriate processes, procedures, methods, i.e. ‘systems’, in place to control these faults

(Pie chart of where the faults originate:)
- Specification: 43%
- Changes after commissioning: 21%
- Design & implementation: 15%
- Operation & maintenance: 15%
- Installation & commissioning: 6%

Page 32: Problems with software – systematic faults

- How do you make software 10 times better?
- How do you measure software?
- What is the probability of Fail to Danger (pfd) of a lump of code?
- You cannot measure software like hardware (quantitative methods)
- You have to use more rigorous techniques for software required for higher level SIL (qualitative methods)

Page 33: Example of Software Techniques

Table A.4 - Software design and development: detailed design (IEC 61508-3). HR = highly recommended, R = recommended, -- = no recommendation for or against.

| | Technique/Measure | Ref | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|---|---|---|---|---|---|---|
| 1a | Structured methods including for example JSD, MASCOT, SADT and Yourdon | C.2.1 | HR | HR | HR | HR |
| 1b | Semi-formal methods | Table B.7 | R | HR | HR | HR |
| 1c | Formal methods including for example CCS, CSP, HOL, LOTOS, OBJ, temporal logic, VDM and Z | C.2.4 | -- | R | R | HR |
| 2 | Computer-aided design tools | B.3.5 | R | R | HR | HR |
| 3 | Defensive programming | C.2.5 | -- | R | HR | HR |
| 4 | Modular approach | Table B.9 | HR | HR | HR | HR |
| 5 | Design and coding standards | Table B.1 | R | HR | HR | HR |
| 6 | Structured programming | C.2.7 | HR | HR | HR | HR |
| 7 | Use of trusted/verified software modules and components (if available) | C.2.10, C.4.5 | R | HR | HR | HR |

Page 34: Summary of Step 2

- 80% - 90% of safety functions should be SIL1: single channel, reasonable test intervals, no HFT to consider
- High SIL, complex architecture: use a specialist
  - Shorter test intervals (simple SIL calculations may not apply)
  - Additional hardware (including final elements)
  - Common cause faults, hardware fault tolerance, SFF, DC
  - Systematic controls
- Take care with instrument data
  - Field data is best
  - Manufacturer's data is a prediction and will need to be adjusted for plant conditions

Page 35: Step 3 – Operate and Maintain to meet the SIL

(IEC61511 Safety Lifecycle diagram, as on Page 8.)

Page 36: Operation and Maintenance

- What activities are required to ensure the Safety Instrumented System keeps meeting the target SIL?
- What operations and test data need to be kept and recorded to verify the SIL determination and design assumptions?

Page 37: Proof Tests – 61511 states…

- Periodic proof tests shall be conducted using a written procedure
- The entire SIS shall be tested including the sensor(s), the logic solver and the final element(s)
- Different parts of the SIS may require different test intervals
- The frequency of the proof tests shall be decided using the PFDavg calculation
- At some periodic interval the frequency of the testing shall be re-evaluated

Page 38: Why record Demands?

- To demonstrate the design demand rate is not being exceeded
- To demonstrate that the causes of demand are as expected
- To check causes and rates of failsafe demands
- To be able to carry out periodic reviews

Page 39: Why record Proof Test Records/Results?

- To demonstrate that testing is being carried out at the specified interval
- As an auditable trail to the recorded results
- To indicate who carried out the tests
- To demonstrate that faults found have been rectified
- To be able to carry out periodic reviews

Need to record results in a manner which enables the results to be extracted / presented in a format which makes reviews possible.

Page 40: Summary of the 3 steps

1. Get the Target SIL correct
   - Save time, money, equipment, maintenance
2. Design to meet the SIL
   - More than failure rates
   - Where do you get failure data from?
   - Hardware Fault Tolerance and Systematic controls
3. Operate and Maintain to keep the SIL
   - Testing
   - Recording
   - Analysing and improving
