
Page 1: Safety Integrity Level

Safety Integrity Level

From Wikipedia, the free encyclopedia


Safety Integrity Level (SIL) is defined as a relative level of risk reduction provided by a safety function, or as a target level of risk reduction. In simple terms, SIL is a measure of the performance required of a Safety Instrumented Function (SIF).

The requirements for a given SIL are not consistent across the functional safety standards. In the European functional safety standards based on IEC 61508, four SILs are defined, with SIL 4 being the most dependable and SIL 1 the least. A SIL is determined from quantitative factors in combination with qualitative factors such as the development process and safety life cycle management.


SIL Assignment

Assignment of a SIL is an exercise in risk analysis: the risk associated with a specific hazard that a SIF is intended to protect against is calculated without the beneficial risk reduction of the SIF. That "unmitigated" risk is then compared against a tolerable risk target. If the unmitigated risk is higher than the tolerable risk, the difference must be closed by the risk reduction the SIF provides. This amount of required risk reduction is what determines the SIL target: in essence, each additional order of magnitude of required risk reduction raises the required SIL by one.

There are several methods used to assign a SIL. These are normally used in combination, and may include:

Risk matrices
Risk graphs
Layers of Protection Analysis (LOPA)

Of the methods presented above, LOPA is by far the most commonly used by large industrial facilities.


The assignment may be checked using both pragmatic and controllability approaches, applying the guidance on SIL assignment published by the UK HSE.[1] SIL assignment processes that use the HSE guidance to ratify assignments developed from risk matrices have been certified as meeting IEC EN 61508.
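As an added illustration of the LOPA-style arithmetic described above (example code written for this page, not from the article, the HSE guidance or any of the cited standards), the following Python computes the risk reduction a SIF must provide and the SIL target that implies. The initiating-event frequency, the PFDavg of each independent protection layer (IPL) and the tolerable frequency are hypothetical values chosen for illustration; the SIL/RRF bands are the IEC 61508 low-demand bands.

```python
"""LOPA-style SIL target assignment. Added example; not code from the article.

All numeric inputs are hypothetical. The bands are the IEC 61508 low-demand
bands expressed as RRF = 1 / PFDavg: because a PFDavg band is closed at the
bottom and open at the top, the matching RRF band is open at the bottom and
closed at the top (SIL 1 is 10 < RRF <= 100).
"""

# SIL -> (minimum RRF exclusive, maximum RRF inclusive)
SIL_RRF_BANDS = {
    1: (10, 100),
    2: (100, 1_000),
    3: (1_000, 10_000),
    4: (10_000, 100_000),
}


def sil_for_rrf(rrf):
    """Lowest SIL whose band covers the required RRF.

    Returns 0 when the existing layers already meet the target (RRF <= 10, so no
    SIF is needed) and None when the requirement exceeds what a single SIL 4 SIF
    can claim; in that case the design needs more IPLs or a different hazard
    treatment, not a higher SIL.
    """
    if rrf <= 10:
        return 0
    for sil, (lo, hi) in SIL_RRF_BANDS.items():
        if lo < rrf <= hi:
            return sil
    return None


def mitigated_frequency(initiating_freq, ipl_pfds):
    """Frequency of the hazardous outcome with every IPL except the SIF in place.

    Each IPL is assumed independent of the others and of the initiating event,
    so its PFDavg simply multiplies the frequency (the LOPA assumption).
    """
    freq = initiating_freq
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("IPL PFDavg must be in (0, 1]")
        freq *= pfd
    return freq


def assign_sil(initiating_freq, ipl_pfds, tolerable_freq):
    """Return (required_rrf, target_sil, max_pfdavg_for_sif).

    required_rrf is the "unmitigated" (SIF-less) frequency divided by the
    tolerable frequency; each extra order of magnitude raises the SIL by one.
    max_pfdavg_for_sif is the PFDavg the SIF must achieve, or None if no SIF is needed.
    """
    unmitigated = mitigated_frequency(initiating_freq, ipl_pfds)
    rrf = unmitigated / tolerable_freq
    sil = sil_for_rrf(rrf)
    max_pfd = None if sil == 0 else 1.0 / rrf
    return rrf, sil, max_pfd


if __name__ == "__main__":
    # Constructed scenario (hypothetical numbers): a control-loop failure leading
    # to overpressure once per 10 years, with operator response (PFDavg 0.1) and a
    # relief valve (PFDavg 0.05) as IPLs, against a tolerable frequency of 1e-6/yr.
    rrf, sil, max_pfd = assign_sil(0.1, [0.1, 0.05], 1e-6)
    print(f"required RRF {rrf:.0f} -> target SIL {sil}, SIF PFDavg must be <= {max_pfd:.1e}")
```

The point of the band-edge handling is the one the text makes: a requirement of exactly one order of magnitude more risk reduction moves the target up by exactly one SIL, and a requirement beyond the SIL 4 band is a design problem, not a SIL 5.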

Problems with the use of SIL

There are several problems inherent in the use of Safety Integrity Levels. These can be summarised as follows:

Poor harmonisation of the definition across the different standards bodies which use SIL
Process-oriented metrics for derivation of SIL
Estimation of SIL based on reliability estimates
System complexity, particularly in software systems, making SIL estimation difficult to impossible

These lead to erroneous statements such as "This system is a SIL N system because the process adopted during its development was the standard process for the development of a SIL N system", or to use of the SIL concept out of context, such as "This is a SIL 3 heat exchanger" or "This software is SIL 2". According to IEC 61508, the SIL concept must be related to the dangerous failure rate of a system, not to its overall failure rate or to the failure rate of a component part such as the software. Defining the dangerous failure modes through safety analysis is intrinsic to properly determining that failure rate.[2]

SIL applies to electrical, electronic and programmable electronic controls only and does not relate directly to the Category (Cat) architectures of EN ISO 13849-1 (IEC 62061, the other machinery standard, itself uses SIL). The category approach appears to be a precursor to the Performance Level (PL) ratings, which are now the requirement and also encompass hydraulic and pneumatic valves.[citation needed]

It is sometimes assumed that the 'S' in SIL refers to software, but the failure rate of the software component of a system is merely one contribution to the SIL of the system as a whole.

Advantages for Managers

Because SIL has a simple numbering scheme for its levels (1-4), a high-level understanding of each level is typically all that is needed to convey SIL at management level. This saves management from having to understand the technical aspects of SIL while still allowing them to discuss their concerns.

Certification to a Safety Integrity Level

The International Electrotechnical Commission's (IEC) standard IEC 61508, now IEC EN 61508, defines SIL using requirements grouped into two broad categories: hardware safety integrity and systematic safety integrity. A device or system must meet the requirements of both categories to achieve a given SIL.

The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device. In order to achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and a minimum Safe Failure Fraction (SFF). The concept of 'dangerous failure' must be rigorously defined for the system in question, normally in the form of requirement constraints whose integrity is verified throughout system development. The actual targets required vary depending on the likelihood of a demand (low-demand versus high-demand or continuous mode), the complexity of the device(s), and the types of redundancy used.


PFD (average probability of dangerous failure on demand, PFDavg) and RRF (Risk Reduction Factor, equal to 1/PFDavg) for low-demand operation, for the different SILs as defined in IEC EN 61508, are as follows. The lower bound of each PFDavg band is inclusive and the upper bound exclusive, so the RRF band for SIL 1 is more than 10 up to and including 100:

SIL   PFDavg                PFDavg (powers of ten)   RRF
1     0.1 to 0.01           10^-1 to 10^-2           10 to 100
2     0.01 to 0.001         10^-2 to 10^-3           100 to 1,000
3     0.001 to 0.0001       10^-3 to 10^-4           1,000 to 10,000
4     0.0001 to 0.00001     10^-4 to 10^-5           10,000 to 100,000

For high-demand or continuous operation the measure changes to PFH, the average frequency of dangerous failure per hour. IEC 61508 does not define an RRF for this mode; the last column is simply 1/PFH and is shown for comparison only:

SIL   PFH (per hour)                PFH (powers of ten)   1/PFH
1     0.00001 to 0.000001           10^-5 to 10^-6        100,000 to 1,000,000
2     0.000001 to 0.0000001         10^-6 to 10^-7        1,000,000 to 10,000,000
3     0.0000001 to 0.00000001       10^-7 to 10^-8        10,000,000 to 100,000,000
4     0.00000001 to 0.000000001     10^-8 to 10^-9        100,000,000 to 1,000,000,000

Hazards of a control system must be identified and then analysed through risk analysis. Mitigation of these risks continues until their overall contribution to the hazard is considered acceptable. The tolerable level of these risks is specified as a safety requirement in the form of a target 'probability of a dangerous failure' in a given period of time, stated as a discrete SIL.

Certification schemes are used to establish whether a device meets a particular SIL.[3] The requirements of these schemes can be met either by establishing a rigorous development process, or by establishing that the device has sufficient operating history to argue that it has been proven in use.

Electric and electronic devices can be certified for use in functional safety applications according to IEC 61508, providing application developers with the evidence required to demonstrate that the application including the device is also compliant. IEC 61511 is an application-specific adaptation of IEC 61508 for the process industry sector; it is used in the petrochemical and hazardous chemical industries, among others.

SIL in Safety Standards

The following standards use SIL as a measure of reliability and/or risk reduction.

ANSI/ISA S84 (Functional safety of safety instrumented systems for the process industry sector)
IEC EN 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems)
IEC 61511 (Safety instrumented systems for the process industry sector)
IEC 61513 (Nuclear industry)
IEC 62061 (Safety of machinery)
EN 50128 (Railway applications - Software for railway control and protection)
EN 50129 (Railway applications - Safety-related electronic systems for signalling)
EN 50402 (Fixed gas detection systems)
ISO 26262 (Automotive industry)
MISRA, various (Guidelines for safety analysis, modelling, and programming in automotive applications)


Defence Standard 00-56 Issue 2 - accident consequence

The use of a SIL in specific safety standards may apply different number sequences or definitions to those in IEC EN 61508.[4]

See also

ALARP
Spurious trip level
HIPPS (High Integrity Pressure Protection System); the major components of a HIPPS are normally required to be SIL 3 approved.

There is a whole family of sector-specific standards based more or less on IEC 61508 that also use SIL, e.g. IEC 62061 and ISO 26262.

References

1. M. Charlwood, S. Turner and N. Worsell, UK Health and Safety Executive Research Report 216, "A methodology for the assignment of safety integrity levels (SILs) to safety-related control functions implemented by safety-related electrical, electronic and programmable electronic control systems of machines", 2004. ISBN 0-7176-2832-9
2. F. Redmill, "Understanding the Use, Misuse, and Abuse of SILs", http://www.csr.ncl.ac.uk/FELIX_Web/3A.SILs.pdf (captured 11 October 2010)
3. CASS Scheme, Conformity Assessment of Safety Systems, http://www.cass.uk.net/
4. F. Redmill, "Understanding the Use, Misuse, and Abuse of SILs", http://www.csr.ncl.ac.uk/FELIX_Web/3A.SILs.pdf (captured 9 July 2010 and 11 October 2010)
5. Marszal, Edward, "Safety Integrity Level Selection - Systematic Methods Including Layer of Protection Analysis", The Instrumentation, Systems, and Automation Society, Research Triangle Park, NC, USA, 2002.
6. Mitchell, KJ, Longendelpher, TM, Kuhn, MC, "Safety Instrumented Systems Engineering Handbook", Kenexis, Columbus, OH, USA, 2010.

Textbooks

D. Smith, K. Simpson, "Safety Critical Systems Handbook - A Straightforward Guide to Functional Safety, IEC 61508 (2010 Edition) and Related Standards" (3rd Edition, ISBN 978-0-08-096781-3, 270 pages).
M. Punch, "Functional Safety for the Mining Industry – An Integrated Approach Using AS(IEC)61508, AS(IEC)62061 and AS4024.1" (1st Edition, ISBN 978-0-9807660-0-4, A4 paperback, 150 pages). www.marcuspunch.com
M.J.M. Houtermans, "SIL and Functional Safety in a Nutshell" (Risknowlogy Best Practices Series, 1st Edition, eBook in PDF, ePub and iBook format, 40 pages).

External links

61508.org The 61508 Association

IEC Safety Zone The IEC Functional safety zone

Functional Safety, A Basic Guide Functional Safety and IEC 61508: A basic guide

SIL Made Simple - White Paper presented at Valve World 2010

Safety Integrity Level Manual Pepperl+Fuchs SIL Manual

Partial stroke testing

From Wikipedia, the free encyclopedia


Partial stroke testing (or PST) is a technique used in a control system to allow the user to test a percentage of the possible failure modes of a shutdown valve without the need to physically close the valve.


Standards

Partial stroke testing is an accepted petroleum industry technique and is also specified in detail by standards bodies such as the International Electrotechnical Commission (IEC) and the International Society of Automation (ISA, formerly the Instrument Society of America). The following are the relevant standards from these bodies:

IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511 – Functional safety – Safety instrumented systems for the process industry sector
ANSI/ISA-84.00.01 – Functional Safety: Safety instrumented systems for the process industry sector

The partial stroke test is used to check that an ESD (emergency shutdown) valve can still move towards its safe position. Exercising the valve helps prevent unexpected failure of the safety function by, for example, breaking up solid deposits or the onset of corrosion before they can seize the valve. Furthermore, a successfully executed partial stroke demonstrates that certain dormant faults that would otherwise go undetected, such as spring fractures in the spring chamber of the pneumatic actuator, are not present. Consequently, the interval for the full-stroke proof test that catches these undetected faults can be extended.

The test can be started either locally on the device, on a timed schedule, or remotely. The positioner vents its pneumatic output (output 1) until the position change defined in advance occurs. If this does not happen within the set time (the timeout value), an alarm can be output.

Additionally, the positioner monitors whether the valve has moved out of its end position within a defined period of time (the dead time). If it has not, the test is cancelled as a "failed" test and an alarm is output. This behaviour prevents a blocked valve from suddenly freeing itself from the end position and thereby disrupting the process.

At the end of the test, the positioner moves the valve back to the last valid position and reverts to the most recently active control mode.

For documentation purposes, the test result is saved in non-volatile memory.
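The sequencing just described (dead-time check, travel target, timeout, failed-test alarm, stored result), as an added Python example written for this page, not from the article or any positioner vendor. The position traces are constructed, sampled once per second in percent open from the moment the output is vented, and the configuration values are hypothetical.

```python
"""Partial stroke test sequencing. Added example; not from the article or a vendor.

Position traces are constructed (% open, one sample per second from the moment
the positioner starts venting); configuration values are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Outcome(Enum):
    PASSED = "passed"
    FAILED_DEAD_TIME = "failed: valve did not leave end position within dead time"
    FAILED_TIMEOUT = "failed: target travel not reached before timeout"


@dataclass
class PstConfig:
    end_position: float = 100.0  # % open in the normal (energised) position
    travel: float = 10.0         # % the valve must move for a valid partial stroke
    dead_time_s: int = 5         # must leave end position within this many seconds
    timeout_s: int = 30          # must reach travel within this many seconds
    move_band: float = 1.0       # deadband: movement smaller than this is noise


@dataclass
class PstRecord:
    outcome: Outcome
    moved_at_s: Optional[int]    # when the valve first left its end position
    reached_at_s: Optional[int]  # when it reached the travel target
    alarm: bool


def run_pst(trace: List[float], cfg: PstConfig) -> PstRecord:
    """Evaluate one partial stroke test against a position trace.

    The dead-time check runs first: a valve that has not moved at all by
    dead_time_s is abandoned and alarmed, so that a stuck valve cannot break
    free late in the test and travel towards closed while the process runs.
    """
    moved_at = None
    for t, pos in enumerate(trace):
        travelled = cfg.end_position - pos
        if moved_at is None and abs(travelled) >= cfg.move_band:
            moved_at = t
        if moved_at is None and t >= cfg.dead_time_s:
            return PstRecord(Outcome.FAILED_DEAD_TIME, None, None, alarm=True)
        if travelled >= cfg.travel:
            return PstRecord(Outcome.PASSED, moved_at, t, alarm=False)
        if t >= cfg.timeout_s:
            return PstRecord(Outcome.FAILED_TIMEOUT, moved_at, None, alarm=True)
    # Trace ended before any decision: treat as a timeout, never as a pass.
    return PstRecord(Outcome.FAILED_TIMEOUT, moved_at, None, alarm=True)


def record_line(test_id: int, rec: PstRecord) -> str:
    """One line for the non-volatile test log / sequence-of-events record."""
    return (f"PST#{test_id} {rec.outcome.name} moved_at={rec.moved_at_s} "
            f"reached_at={rec.reached_at_s} alarm={int(rec.alarm)}")


# Constructed traces (hypothetical): healthy valve, fully seized valve, and a
# sluggish valve that starts moving but never reaches the travel target.
HEALTHY = [100.0, 100.0, 99.5, 98.0, 96.0, 94.0, 92.0, 90.0, 88.0]
STUCK = [100.0] * 12
SLUGGISH = [100.0, 100.0, 99.0] + [98.0 - 0.1 * i for i in range(40)]

if __name__ == "__main__":
    for i, trace in enumerate((HEALTHY, STUCK, SLUGGISH), start=1):
        print(record_line(i, run_pst(trace, PstConfig())))
```

The sluggish case is the one the Shortcomings section below warns about: the test reports a timeout with the time of first movement, but cannot by itself say whether friction or a weak actuator is the cause.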

Examples of electro-pneumatic positioners with partial stroke capability:

Manufacturer: ABB, Type: PositionMaster EDP300
Manufacturer: Foxboro Eckardt, Type: SRD991
Manufacturer: Emerson, Type: DVC6200 SIS

Measuring safety performance

IEC 61508 adopts a safety life cycle approach to the management of plant safety. During the design phase of this life cycle the required safety performance of a safety system is determined using techniques such as Markov analysis, FMEA, fault tree analysis and HAZOP. These techniques allow the user to determine the potential frequency and consequence of hazardous events and to quantify the level of risk. A common way to express the required risk reduction is the Safety Integrity Level, quantified from 1 to 4, with SIL 4 being the most demanding level (the one assigned where the greatest risk reduction is required).

Once the SIL is determined it specifies the required performance of the safety function during the operational phase of the plant. The metric for measuring the performance of a low-demand safety function is the average probability of failure on demand (PFDavg), which maps to SIL as follows:

SIL   PFDavg
4     >= 10^-5 to < 10^-4
3     >= 10^-4 to < 10^-3
2     >= 10^-3 to < 10^-2
1     >= 10^-2 to < 10^-1

One method of calculating PFDavg for a basic safety function with no redundancy (a single valve, 1oo1) is the formula

PFDavg = (1 - DC) × λD × (TI_FC / 2) + DC × λD × (TI_PST / 2)

where:

DC = diagnostic coverage of the partial stroke test (the fraction of dangerous failures a partial stroke reveals)
λD = the dangerous failure rate of the safety function
TI_FC = the full-closure (proof test) interval, i.e. how often the valve must be fully closed for testing
TI_PST = the partial stroke test interval

The first term covers the dangerous failures a partial stroke cannot reveal, which stay latent on average for half the full-closure interval; the second covers those it can reveal, which stay latent on average for half the much shorter partial stroke interval. Diagnostic coverage is a measure of how effective the partial stroke test is: the higher the DC, the greater the effect of the test on PFDavg.
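To make the formula concrete, here is an added Python example (written for this page; not from the article or any vendor) that evaluates it for a single valve, classifies the result against the IEC 61508 low-demand PFDavg bands, and also solves the formula for the minimum diagnostic coverage needed to reach a target PFDavg. The failure rate, test intervals and coverage are hypothetical values.

```python
"""PFDavg of a 1oo1 final element with partial stroke testing. Added example.

Implements PFDavg = (1 - DC) * lambda_D * (TI_FC / 2) + DC * lambda_D * (TI_PST / 2)
from the text above. All numeric inputs are hypothetical.
"""

HOURS_PER_YEAR = 8760

# SIL -> (PFDavg lower bound inclusive, upper bound exclusive), IEC 61508 low demand
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg(lambda_d, ti_fc, ti_pst, dc):
    """Average PFD for one valve.

    lambda_d: dangerous failure rate per hour
    ti_fc:    full-closure (proof test) interval in hours
    ti_pst:   partial stroke test interval in hours
    dc:       diagnostic coverage of the partial stroke, 0..1
    """
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC must be between 0 and 1")
    if ti_pst > ti_fc:
        raise ValueError("partial stroke interval cannot exceed the full-closure interval")
    undetected = (1.0 - dc) * lambda_d * ti_fc / 2.0   # faults only a full stroke reveals
    detected = dc * lambda_d * ti_pst / 2.0            # faults the partial stroke reveals
    return undetected + detected


def sil_for_pfd(pfd):
    """SIL band containing pfd; 0 if worse than SIL 1, None if better than SIL 4."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def min_dc_for_target(lambda_d, ti_fc, ti_pst, target_pfd):
    """Smallest DC that brings PFDavg down to target_pfd.

    Rearranging the formula: PFDavg = (lambda_d / 2) * (ti_fc - dc * (ti_fc - ti_pst)),
    so dc >= (ti_fc - 2 * target_pfd / lambda_d) / (ti_fc - ti_pst).
    Returns 0.0 if no partial stroke is needed and None if even DC = 1 is not enough
    (then the intervals or the hardware have to change, not the test).
    """
    if ti_pst >= ti_fc:
        raise ValueError("partial stroke interval must be shorter than the full-closure interval")
    dc = (ti_fc - 2.0 * target_pfd / lambda_d) / (ti_fc - ti_pst)
    if dc <= 0.0:
        return 0.0
    if dc > 1.0:
        return None
    return dc


if __name__ == "__main__":
    lam = 2e-6                       # dangerous failures per hour (hypothetical)
    ti_fc = 3 * HOURS_PER_YEAR       # full closure every 3 years
    ti_pst = HOURS_PER_YEAR // 4     # partial stroke every 3 months
    for dc in (0.0, 0.7):
        pfd = pfd_avg(lam, ti_fc, ti_pst, dc)
        print(f"DC={dc:.1f}: PFDavg={pfd:.4f} (RRF {1 / pfd:.0f}) -> SIL {sil_for_pfd(pfd)}")
    print(f"DC needed for SIL 2: {min_dc_for_target(lam, ti_fc, ti_pst, 1e-2):.3f}")
```

With the hypothetical inputs the valve alone sits in SIL 1 (PFDavg about 0.026); a quarterly partial stroke with 70% coverage brings it to about 0.0094, inside SIL 2, and the solver shows that roughly 68% coverage is the break-even point. Note that this only addresses the PFDavg target; the architectural constraints (SFF and hardware fault tolerance) have to be met separately.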

Benefits

The benefits of using PST are not limited to safety performance; gains can also be made in the production performance of a plant and in its capital cost.[1][2] These are summarised as follows.

Safety benefits

Gains can be made in the following area by the use of PST:

Reducing the probability of failure on demand.

Production benefits

There are a number of areas where production efficiency can be improved by the successful implementation of a PST system:

Extension of the time between compulsory plant shutdowns.
Predicting potential valve failures, facilitating the pre-ordering of spare parts.
Prioritisation of maintenance tasks.

Capital cost benefits

If the gain in Safe Failure Fraction (SFF) from the added diagnostics is sufficient, the need for costly redundant valves may be eliminated.

Shortcomings

In some cases a PST cannot be performed because of limitations inherent in the process or in the valve being used. Many solenoid-operated valves do not have sufficient stroke length to fit a position sensor, so in this case a PST would not yield any diagnostic information. Further, as the PST introduces a disturbance into the process or system, it may not be appropriate for a process or system that is sensitive to disturbances. Finally, a PST cannot always differentiate between different faults or failures within the valve. For example, sluggish plunger movement could be the result of increased friction in the plunger tube, or it could be the result of a faulty electrical coil.

Techniques

There are a number of different techniques available for partial stroke testing, and the selection of the most appropriate technique depends on the main benefits the operator is trying to gain.

Mechanical jammers

Mechanical jammers are devices inserted into the valve and actuator assembly that physically prevent the valve from moving past a certain point. They are used in cases where accidentally shutting the valve would have severe consequences, or in any application where the end user prefers a mechanical device.

Typical benefits claimed for this type of device are as follows:[3]

The devices assure metal-to-metal prevention of stroke past the specified set point.
Unlike electronic systems, there is no need to commission and calibrate controls or continually train personnel, resulting in additional significant cost savings.
The devices are vibration resistant, making them highly reliable.
The risk associated with an ESD event occurring at the time of a manual mechanical PST may be considered statistically insignificant, which allows a rational consideration of the advantages mechanical devices offer.
Modular design allows for the addition of limit switches, potentiometers, remote control operation, etc.
When the device is tested, all the actual safety system components, controls and elements used in the ESD valve are tested: no bleed valves or tiny orifices slowing down stroke time. The system strokes in its "real world" time sequence and speed of operation.
The user has real information about the exact controls that will be relied upon to protect the plant and personnel.
Cost savings can be significant.
The system is simpler and will not cause spurious alarms due to the ESD valve not performing in a repeatable manner.
The SIS control loop is kept as simple as possible; the ESD valve remains an on/off valve, not a control valve.
Limit switches can provide indication to the control room if the device is engaged.

However, opinions differ on whether these devices are suitable for functional safety systems, as the safety function is offline for the duration of the test.

Modern mechanical PST devices may be automated.

Examples of this kind of device include direct interface products that mount between the valve and the actuator and may use cams fitted to the valve stem; a good example of such a mechanical PST system is given in [4]. Other methods include adjustable actuator end stops.

Pneumatic valve positioners

The basic principle behind partial stroke testing is that the valve is moved to a predetermined position in order to determine the performance of the shutdown valve. This led to the adaptation of the pneumatic positioners used on flow control valves for use in partial stroke testing. These systems are often suitable for use on shutdown valves up to and including SIL 3. The main benefits are:

Elimination of the cost of manual testing.
Tracking and records of the PST tests for optimum safety monitoring: when the positioner is connected to the safety system, the date and result of the test are registered in the sequence of events log, for insurance purposes.
Remote access to valve diagnostics from the control room, with action-oriented reports for predictive maintenance.

These systems are, however, limited to use on pneumatically actuated valves.

Electronic timer control systems

Timer control systems use a configurable electronic timer that connects between the supply from the ESD system and the solenoid valve. In order to perform a test the timer de-energises the solenoid valve to simulate a shutdown and re-energises the solenoid when the required degree of partial stroke is reached. These systems are fundamentally a miniature PLC dedicated to the testing of the valve.

Because these devices do not form part of the safety function itself (they only interrupt the solenoid supply that the ESD system already controls), they are described as 100% fail safe. With the addition of a pressure sensor and/or a position sensor for feedback, timer systems are also capable of providing intelligent diagnostics of the performance of all components, including the valve, actuator and solenoid valves.

In addition, timers are capable of operating with any type of fluid power actuator and can also be used with subsea valves where the solenoid valve is located topside.

References

1. Web Exclusive: Valve failure not an option. ISA (2009-01-01). Retrieved 2011-05-30.
2. Partial stroking. Focus-nuclear.com. Retrieved 2011-05-30.
3. D-Stop Partial Stroke Test Device. Manual/Local and Remote Operated Mechanical Partial Stroke Valve Testing. Cameron. Docs.google.com. Retrieved 2011-05-30.
4. Netherlocks mechanical PST system FAITH - known as the industry standard. Retrieved 2013-07-14.

External links

International Electrotechnical Commission
Instrument Society of America
Paladon Systems PST Controller
Rotork Smart Valve Monitor
Dynatorque D-Stop Mechanical Partial Stroke Test Device
Foxboro PST positioner