AstraZeneca SIL Presentation (transcript)
Source: http://slidepdf.com/reader/full/astrazenecasilpresentation (retrieved 7/18/2019, 41 slides)
© ABB Group, 21-Mar-07
Safety Integrity Level
SIL
Paul Lucas
ABB Engineering Services
13 March 2007
Agenda
Why do we need SIL systems?
Where does the SIL concept come from?
What is a SIL?
The Three Steps of SIL
Set the target SIL (SIL Determination)
Design to meet the target SIL
Operate and Maintain to keep hitting the target SIL
Why do we need SIL systems?
BP Texas City, USA 2005
Why do we need SIL systems?
Buncefield, UK 2006
Safety Issues
How do you demonstrate that your operations are ‘safe’?
How do you demonstrate that your equipment is ‘safe’?
How do you demonstrate that your safety and protective systems protect against your hazards?
You can answer these questions by demonstrating compliance with Industry Safety Standards
Functional Safety Standard - IEC61508
Generic Standard supported by Sector variants (IEC61511 for Process Sector)
Guidance on use of Electrical, Electronic and Programmable Electronic Systems which perform safety functions
Considers the entire Safety Critical Loop
Comprehensive approach involving concepts of Safety Lifecycle and all elements of protective system
Risk-based approach leading to determination of Safety Integrity Levels - SIL
Generic and Application Sector Standards
IEC61508 (generic standard)
IEC61511: Process Sector
IEC61513: Nuclear Sector
IEC62061: Machinery Sector
Medical Sector
IEC61511 Safety Lifecycle
1. Hazard and Risk Assessment
2. Allocation of safety functions to protection layers
3. Safety Requirements specification for the safety instrumented system
4. Design & Engineering of Safety Instrumented System (in parallel: Design & Development of other means of risk reduction)
5. Installation, Commissioning and Validation
6. Operation and Maintenance
7. Modification
8. Decommissioning
9. Verification (applies across all phases)
10. Management of functional safety and functional safety assessment and auditing (applies across all phases)
11. Safety Life-Cycle structure and planning (applies across all phases)
Step 1 – Set the Target SIL
(IEC61511 Safety Lifecycle diagram repeated from the previous slide)
Hazard and Risk Assessment
Trevor Kletz (safety guru) sums it up as:
How big
How often
So what?
What are the hazardous events – the consequence
How often may they occur – the frequency
Risk = Consequence * Frequency
Is this unacceptable to the company/ regulator/ society?
What risk is tolerated?
Tolerable Risk and ALARP
(Diagram of the risk scale from High Risk at the top to Low Risk at the bottom)
Intolerable: Risk cannot be justified on any grounds
ALARP or Tolerability Band: May be “Tolerable” if risk level is As Low As Reasonably Practicable (ALARP)
Broadly Acceptable: No need for detailed working to demonstrate ALARP
ALARP = As Low As Reasonably Practicable
Risk Reduction to meet tolerable risk
(Diagram, risk increasing from left to right: Residual risk, then Risk Target, then Process Risk)
Necessary risk reduction: from Process Risk down to Risk Target
Actual risk reduction: from Process Risk down to Residual risk, made up of
  Risk reduction from all Non-Instrumented Prevention / Mitigation Measures
  Risk reduction from Safety Instrumented Function (SIF), which is what the SIL expresses
Expressing SIL
SIL     Probability of failure on demand (PFD)   Risk Reduction
SIL 1   0.1 to 0.01                              10 – 100
SIL 2   0.01 to 0.001                            100 – 1000
SIL 3   0.001 to 0.0001                          1000 – 10000
SIL 4   0.0001 to 0.00001                        10000 – 100000
Methods for SIL Determination
Safety Layer Matrix: IEC 61511-3 Annex C
Risk Graphs: IEC 61511-3 Annex D
Layer of Protection Analysis (LOPA): IEC 61511-3 Annex F
Fault Tree Analysis: IEC 61511-3 Annex B
Risk Graph
(Risk graph diagram: the path through the four parameters C, F, P and W leads to the required SIL 1 to SIL 4; the branch layout is not recoverable from the transcript)
C = Extent of Damage
  Ca = Minor Injury
  Cb = Lost time injury
  Cc = Major Injury
  Cd = On-site fatality
  Ce = Multiple on-site fatalities or one off-site fatality
F = Proportion of Time of Exposure to Hazard
  Fa = Low (< 0.1)
  Fb = High (> 0.1)
P = Mitigating Factors
  Pa = Good Chance of Avoiding Consequences (> 90%)
  Pb = Poor Chance of Avoiding Consequences (< 10%)
W = Prob or Freq of Hazardous Event
  W1 = Very Low (F < 0.01 / YR)
  W2 = Low (F > 0.01 / YR)
  W3 = Relatively High (F > 0.1 / YR)
LOPA
Independent Layers of Protection (the slide's header has six layer columns; four values per row survive the extraction)
Initiating Cause | Frequency (/yr) | Layer 1 | Layer 2 | Layer 3 | Layer 4 | Intermediate Event Frequency
A | 0.1 | 1 | 0.01 | 1 | 0.1 | 0.0001
B | 0.1 | 0.1 | 0.01 | 1 | 0.1 | 0.00001
C | 0.5 | 0.1 | 0.01 | 1 | 1 | 0.0005
D, E, F | (no entries on the slide)
Total Event Frequency, Fe/yr: 0.00061
Maximum PFDavg for Safety Instrumented Function, Ft/Fe: 0.0492
Target Safety Integrity Level: SIL 1
For each initiating cause, calculate which layers provide protection
Multiply for Event Frequency
Add for Total Event Freq
PFDavg Calculation: PFD = Target (0.00003) / Total Event (0.00061) = 0.0492
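The LOPA arithmetic on this slide, worked through in Python as an added example (my code, not the presentation's or ABB's): each initiating cause's frequency is multiplied by the PFD of every independent protection layer credited against it, the intermediate event frequencies are summed, and the tolerable target frequency divided by that total gives the maximum PFDavg the SIF may have, which is then placed in a band from the "Expressing SIL" slide. The 0.00003 /yr target, the causes A to C and their layer PFDs are the slide's values; the function names and the handling of the case where no SIL-rated function is needed are my additions.

```python
from dataclasses import dataclass
from math import prod

# SIL bands as (sil, lowest PFDavg, highest PFDavg), taken from the "Expressing SIL" slide:
# SIL 1 = 0.1 to 0.01, SIL 2 = 0.01 to 0.001, SIL 3 = 0.001 to 0.0001, SIL 4 = 0.0001 to 0.00001
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd):
    """Return the SIL whose band contains the required PFDavg.

    Returns 0 when the SIF may be worse than SIL 1 (PFDavg >= 0.1, a risk
    reduction factor below 10, so no SIL-rated function is needed) and None when
    the requirement is tighter than SIL 4 can deliver.
    """
    if pfd >= 0.1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


@dataclass
class InitiatingCause:
    name: str
    frequency_per_year: float
    layer_pfds: list  # PFD claimed for each independent protection layer; 1.0 = no credit

    def intermediate_event_frequency(self):
        # One table row: initiating frequency x PFD of every credited layer
        return self.frequency_per_year * prod(self.layer_pfds)


def lopa(causes, target_frequency_per_year):
    """Sum the rows, then derive the maximum PFDavg allowed for the SIF."""
    total = sum(c.intermediate_event_frequency() for c in causes)
    if total <= 0:
        raise ValueError("no initiating causes with non-zero frequency")
    required_pfd = target_frequency_per_year / total
    return {
        "total_event_frequency": total,
        "required_pfd": required_pfd,
        "target_sil": sil_for_pfd(required_pfd),
    }


# Values from the slide's LOPA table (rows A, B, C; rows D to F are empty on the slide)
SLIDE_CAUSES = [
    InitiatingCause("A", 0.1, [1, 0.01, 1, 0.1]),
    InitiatingCause("B", 0.1, [0.1, 0.01, 1, 0.1]),
    InitiatingCause("C", 0.5, [0.1, 0.01, 1, 1]),
]
SLIDE_TARGET = 0.00003  # tolerable frequency of the hazardous event, /yr


def slide_example():
    return lopa(SLIDE_CAUSES, SLIDE_TARGET)


if __name__ == "__main__":
    r = slide_example()
    print(f"total event frequency = {r['total_event_frequency']:.5f} /yr")
    print(f"maximum PFDavg for SIF = {r['required_pfd']:.4f} -> SIL {r['target_sil']}")
```

Cause C dominates the total (0.0005 of 0.00061), so the review question a practitioner should ask of this table is whether the layers credited against C are genuinely independent of the SIF; if they are not, the required PFDavg tightens quickly.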
Comparison of Methods
Criterion | Safety Layer Matrix | Risk Graph | LOPA | Fault Tree Analysis
Initial Screening | R | R | R | NR
Detailed Analysis | NR | NR | R | R
Multiple Causes with Different Protection | NR | NR | R | R
Potential Dependency | NR | NR | NR | R
Output (SIL or PFDavg) | SIL | SIL | PFDavg | PFDavg
Need to include specific Human Factors | NR | NR | R | R
Suitable for SIL | 1 | 1 | 1 & 2 | >1
NR = Not recommended; R = Recommended
Summary of Step 1
Get the Target SIL correct
Save time, money, equipment, maintenance
Calibrate any method for YOUR tolerability
Use method suitable for the consequences
Step 2 – Design to meet the target SIL
(IEC61511 Safety Lifecycle diagram repeated from the earlier slide)
Random Hardware Failures
Any item of equipment in a protective system can fail.
There are broadly two types of system failure:
Fail Safe
Component failure to an open circuit condition, loose connections, loss of power (air or electrical)
These will cause the system to shut down the plant unnecessarily but are self revealing and ‘fail safe’.
Fail to Danger
Contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked
These are ‘fail to danger’ because, when a demand occurs, the system cannot respond, i.e. un-revealed failures
These are the failures we need for the PFD calculation
Example
High Pressure Trip (single-channel loop): Pressure Transmitter, Trip Amp, Relay, Solenoid Valve, Trip Valve
A Single Channel System – 6 month testing
Overall dangerous failure rate for the channel is the sum of the rates for the components (Pressure Transmitter, Trip Amplifier, Relay, Solenoid Valve, Trip Valve):
λd = 0.05 + 0.067 + 0.0033 + 0.033 + 0.033 = 0.1863 per year
(the slide's layout does not preserve which rate belongs to which component)
PFDavg = ½ T x λd
If this is tested every 6 months then,
PFDavg = ½ x 0.5 x 0.1863 = 0.047
which is near the middle of SIL 1
Safety Integrity Level – Achieved PFDavg
(Chart: PFDavg on a log scale from 10^-1 to 10^-5 against the bands SIL 1 (0.1 to 0.01), SIL 2 (0.01 to 0.001), SIL 3 (0.001 to 0.0001), SIL 4 (0.0001 to 0.00001))
Marked points: PFDavg = 0.047 (6 Month test interval), PFDavg = 0.05, PFDavg = 0.005
The Need For Testing
Fail to Danger
Contacts welding together, instrument or trip valve mechanisms seizing, impulse lines becoming blocked
These are ‘fail to danger’ because, when a demand occurs, the system cannot respond, i.e. un-revealed failures
Only exposed by testing
(Diagram: channel state Healthy / Faulty against Time (years); an unrevealed fault arises between proof Tests and persists as Dead Time until the next Test exposes it; a Demand arriving during the dead time is marked x, i.e. not protected against; the Test Interval sets the maximum dead time)
Testing can expose un-revealed failures
Multiple Channels And Common Cause Failure (β)
More complicated – but same principles
For One Channel (1 out of 1)
PFDav1 = ½ λd T
For Two Channels (1 out of 2)
PFDav2 = 4/3 [PFDav1]² + β [PFDav1]   or   PFDav2 = 1/3 [(λd)² T²] + β [PFDav1]
For Three Channels (1 out of 3)
PFDav3 = 2 [PFDav1]³ + β [PFDav1]   or   PFDav3 = 1/4 [(λd)³ T³] + β [PFDav1]
For Two Channels (2 out of 3)
PFDav2 = 4 [PFDav1]² + β [PFDav1]   or   PFDav2 = (λd)² T² + β [PFDav1]
Taken From Practical Industrial Safety, Risk Assessment & Shutdown Systems, Dave MacDonald.
Sources of Data
Manufacturer’s data
Based on either returned goods or predictions using either FMEA (failure mode effects analysis) or FMEDA (failure mode effects and diagnostic analysis)
These should not be confused with real field failure rates based on actual use of the units
Field data (61511 uses term prior use)
Based on similar operating conditions and environment
Should be collected using a methodical / auditable process and allow for errors (misreporting / non reporting) in the collection of the data
Generic data
From an extensive history of similar industries found to be appropriate
‘Checking’ the numbers
IEC 61511 architectural constraints
Hardware Fault Tolerance
Designed to verify that the ‘numbers’ make sense
No mathematical basis for the figures
Based on experience
Specified SIL can be reduced with operational experience and analysis
(Diagram of a loop with duplicated Analyser, Trip Amp, Solenoid and Trip Valve elements around a Relay Logic solver)
Constraint - Hardware Fault Tolerance (1)
Used for sensor, final elements and non PE Logic Solver
Table 6 in IEC61511 Part 1
Increased fault tolerance can enable easier maintenance and testing
Constraint - Hardware Fault Tolerance (2)
Applies to PE Logic Solvers
Table 5 in IEC 61511 Part 1
The ‘cleverer’ the PES, the less fault tolerance required for the target SIL
More complex tables in IEC61508 – used for certified instruments to reduce HFT
Manufacturer’s Data – Example 2
(slide content not recoverable from the transcript)
Non-Hardware faults - Systematic
Because of the findings from ‘Out of Control’ and other work…
Large number of faults are not caused by hardware
We need appropriate processes, procedures, methods – ‘systems’ in place to control these faults
(Pie chart of where the faults arise)
Specification: 43%
Changes after commissioning: 21%
Design & implementation: 15%
Operation & maintenance: 15%
Installation & commissioning: 6%
Problems with software – systematic faults
How do you make software 10 times better?
How do you measure software?
What is the probability of Fail to Danger (pfd) of a lump of code?
You cannot measure software like hardware – quantitative methods
You have to use more rigorous techniques for software required for higher level SIL – qualitative methods
Example of Software Techniques
Table A.4 - Software design and development: detailed design
Technique/Measure | Ref | SIL 1 | SIL 2 | SIL 3 | SIL 4
1a Structured methods including for example, JSD, MASCOT, SADT and Yourdon | C.2.1 | HR | HR | HR | HR
1b Semi-formal methods | Table B.7 | R | HR | HR | HR
1c Formal methods including for example, CCS, CSP, HOL, LOTOS, OBJ, temporal logic, VDM and Z | C.2.4 | -- | R | R | HR
2 Computer-aided design tools | B.3.5 | R | R | HR | HR
3 Defensive programming | C.2.5 | -- | R | HR | HR
4 Modular approach | Table B.9 | HR | HR | HR | HR
5 Design and coding standards | Table B.1 | R | HR | HR | HR
6 Structured programming | C.2.7 | HR | HR | HR | HR
7 Use of trusted/verified software modules and components (if available) | C.2.10, C.4.5 | R | HR | HR | HR
HR = Highly recommended; R = Recommended; -- = no recommendation for or against
Summary of Step 2
80% - 90% of safety functions should be SIL1
Single channel, reasonable test intervals, no HFT to consider
High SIL, complex architecture
Use a specialist
Shorter test intervals (simple SIL calculations may not apply)
Additional hardware (including final elements)
Common cause faults, hardware fault tolerance, SFF, DC
Systematic controls
Take care with instrument data
Field data is best
Manufacturer’s data is a prediction, will need to be adjusted for plant conditions
Step 3 – Operate and Maintain to meet the SIL
(IEC61511 Safety Lifecycle diagram repeated from the earlier slide)
Operation and Maintenance
What activities are required to ensure the Safety Instrumented System keeps meeting the target SIL?
What operations and test data needs to be kept and recorded to verify SIL determination and Design assumptions?
Proof Tests – 61511 states…
Periodic proof tests shall be conducted using a written procedure
The entire SIS shall be tested including the sensor(s), the logic solver and the final element(s)
Different parts of the SIS may require different test intervals
The frequency of the proof tests shall be decided using the PFDavg calculation
At some periodic interval the frequency of the testing shall be re-evaluated.
Why record Demands?
To demonstrate the design demand rate is not being exceeded
To demonstrate that the causes of demand are as expected
To check causes and rates of failsafe demands
To be able to carry out periodic reviews
Why record Proof Test Records/Results?
To demonstrate that testing is being carried out at specified interval
As an auditable trail to the recorded results
To indicate who carried out the tests
To demonstrate that faults found have been rectified
To be able to carry out periodic reviews
Need to record results in a manner which enables the results to be extracted/presented in a format which makes reviews possible
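The record-keeping questions on the last three slides (are proof tests carried out at the specified interval, who did them, were faults found rectified, is the design demand rate being exceeded, what caused the demands and how many were fail-safe trips) are the checks a periodic review runs over the SIS records. Here is an added Python example of such a review, my code rather than anything from the presentation: a constructed register entry, proof-test records and demand log for a hypothetical tag PZT-101-HH are checked for late tests, unrectified faults and observed demand rate against design. All dates, names and figures are constructed for the example.

```python
from datetime import date

# Constructed SIF register entry (hypothetical tag and figures, not from the presentation)
SIF = {
    "tag": "PZT-101-HH",
    "proof_test_interval_days": 183,      # 6-month interval from the design PFDavg calculation
    "design_demand_rate_per_year": 0.1,   # demand rate assumed in the SIL determination
}

# Constructed proof-test records: when, by whom, fault found, fault rectified
PROOF_TESTS = [
    {"date": date(2006, 1, 10), "tester": "A. Jones", "fault_found": False, "rectified": None},
    {"date": date(2006, 7, 5),  "tester": "A. Jones", "fault_found": True,  "rectified": True},
    {"date": date(2007, 2, 20), "tester": "B. Patel", "fault_found": True,  "rectified": False},
]

# Constructed demand log: every time the SIF tripped, why, and whether the demand was genuine
DEMANDS = [
    {"date": date(2006, 3, 3),   "cause": "high pressure excursion", "genuine": True},
    {"date": date(2006, 8, 19),  "cause": "transmitter power loss (fail-safe trip)", "genuine": False},
    {"date": date(2006, 11, 14), "cause": "high pressure excursion", "genuine": True},
]


def late_proof_tests(tests, interval_days):
    """Gaps between consecutive tests longer than the specified interval."""
    dates = sorted(t["date"] for t in tests)
    return [(prev, cur, (cur - prev).days)
            for prev, cur in zip(dates, dates[1:])
            if (cur - prev).days > interval_days]


def unrectified_faults(tests):
    """Tests that found a fault not yet recorded as rectified."""
    return [t for t in tests if t["fault_found"] and not t["rectified"]]


def demand_rates(demands, start, end):
    """Genuine and fail-safe (spurious) demands per year over the review window."""
    years = (end - start).days / 365.25
    in_window = [d for d in demands if start <= d["date"] <= end]
    genuine = sum(1 for d in in_window if d["genuine"])
    return {
        "genuine_per_year": genuine / years,
        "failsafe_per_year": (len(in_window) - genuine) / years,
        "causes": sorted({d["cause"] for d in in_window}),
    }


def periodic_review(sif, tests, demands, start, end):
    """Findings a periodic review would raise from the records."""
    rates = demand_rates(demands, start, end)
    return {
        "tag": sif["tag"],
        "late_tests": late_proof_tests(tests, sif["proof_test_interval_days"]),
        "unrectified_faults": [t["date"] for t in unrectified_faults(tests)],
        "testers": sorted({t["tester"] for t in tests}),
        "genuine_demand_rate": rates["genuine_per_year"],
        "demand_rate_exceeded": rates["genuine_per_year"] > sif["design_demand_rate_per_year"],
        "failsafe_demand_rate": rates["failsafe_per_year"],
        "demand_causes": rates["causes"],
    }


def slide_example():
    # Review window: calendar year 2006
    return periodic_review(SIF, PROOF_TESTS, DEMANDS, date(2006, 1, 1), date(2007, 1, 1))


if __name__ == "__main__":
    for key, value in slide_example().items():
        print(f"{key}: {value}")
```

On the constructed records the review raises three findings: the gap from 5 July 2006 to 20 February 2007 (230 days) exceeds the 183-day interval, the fault found on 20 February 2007 has no rectification recorded, and two genuine demands in a year is far above the 0.1 /yr assumed at SIL determination, which means the LOPA or risk-graph inputs need revisiting rather than just the test schedule.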
Summary of the 3 steps
Get the Target SIL correct
Save time, money, equipment, maintenance
Design to meet the SIL
More than failure rates
Where do you get failure data from?
Hardware Fault Tolerance and Systematic controls
Operate and Maintain to keep the SIL
Testing
Recording
Analysing and improving