Failure Rate Data, Safety System Modeling Concepts, and Fire & Gas Systems Moderator: Lori Dearman, Webinar Producer Thursday, May 16th, 2013

Transcription

1 Welcome to Best Practices for the Latest Safety Instrumented System Performance Developments Failure Rate Data, Safety System Modeling Concepts, and Fire & Gas Systems Moderator: Lori Dearman, Webinar Producer Thursday, May 16th, 2013

2 Poll #1 What method do you use to perform Safety Integrity Level (SIL) verification calculations? Live Audience Response 18% 16% 40% 26% Hand calculations Spreadsheet Commercial program Other

3 Knovel At A Glance Our Focus: Engineering Community Our Product: Web-based application integrating technical information with analytical and search tools to drive innovation and deliver answers engineers can trust Our Vision: To be the first place engineers go to solve problems Our History: For over 10 years Knovel has been helping engineers at the world's largest organizations deliver more innovative and cost effective projects on time Our Customers: of the world s leading organizations and government agencies, including 74 Fortune 500 companies - More than 340 leading universities including 12 of the top 15 US engineering schools Missy Stewart Marketing Manager Knovel

4 Dr. William Goble - Managing Partner and Co-founder of exida - Registered professional engineer in Pennsylvania - Certified Functional Safety Expert (CFSE) - ISA Fellow Dr. William Goble CFSE, Managing Partner Co-founder exida - PhD from Eindhoven University of Technology in Reliability Engineering - Author of several books including Safety Instrumented Systems Verification- Practical Probabilistic Calculations, ISA Panel Sponsored By:

5 Safety Lifecycle 1. Process Design - Scope Definition Process Safety Information An engineering process. Series of steps to be taken during the Analysis Design And Operation of a Safety Instrumented System. Event History Application Standards Hazard Characteristics Consequence Database Failure Probabilities Tolerable Risk Guidelines Manufacturer s Safety Manual Application Standards Manufacturer s Failure Data Failure Data Database Manufacturer s Safety Manual Application Standards Manufacturer s Installation Instructions 2. Identify Potential Hazards IEC Clause 8 3. Consequence Analysis SIF No Required? Yes 6. Select RRF, Target SIL for each SIF No IEC Clause 9 4. Identify Protection Layers IEC Clause 9 5. Likelihood Analysis - LOPA IEC Clause 9 IEC Clause 9 7. Develop Process Safety Specification IEC Clause SIF Conceptual Design Select Technology IEC Clause SIF Conceptual Design Select Architecture IEC Clause SIF Conceptual Design Determine Test Plan IEC Clause SIF Conceptual Design Reliability/Safety Calculation IEC Clause 11 RRF, SIL Achieved? Yes 12. Detailed Design IEC Clause 11, Factory Acceptance Test IEC Clause SIS Installation and Commissioning IEC Clause 14 Potential Hazards Hazard Consequences Layers of Protection Hazard Frequencies Design of other risk reduction facilities IEC Clause 9 RRF, Target SILs Safety Requirements Specification SIF Functional Description, Target SIL, RRF, Mitigated Hazards, Process Parameters, Logic, Bypass/Maintenance Requirements, Response Time, Proof Test Targets, etc. Equipment Justification Report H/W & S/W Design Safety Requirements - Technology Chosen, Voting Logic, Proof Test Requirements, Automatic Diagnostic Logic, Bypass Logic, Repair Time Requirements, SIL achieved, etc. Detailed Design Documentation Loop Diagrams, Wiring Diagrams, Logic Diagrams, Panel Layout, PLC Programming, PLC Program Testing, FAT Test Plan, Installation Requirements, Commissioning Requirements, Proof Test Plans, etc. FAT Test Report Commission Test Report Security Regulations, Guidelines To correct step in the Safety Lifecycle Modify 15 SIS Safety Validation IEC Clause Cyber-Security Audit 17. SIS Operation and Maintenance IEC Clause Modify, Decommission? IEC Clause SIS Decommissioning IEC Clause 18 Validation Test Report Cyber-Security Audit Report Maintenance Records Proof Test Results Change Requests Safety Impact Analysis Change Authorizations Detailed Safety Lifecycle Drawings, Copyright exida 2008, used with permission.

6 Safety Lifecycle Event History Application Standards 1. Process Design - Scope Definition 2. Identify Potential Hazards IEC Clause 8 Process Safety Information Potential Hazards In order to: Reduce design mistakes Increase safety, and Optimize cost Hazard Characteristics Consequence Database Failure Probabilities Tolerable Risk Guidelines Manufacturer s Safety Manual Application Standards Manufacturer s Failure Data Failure Data Database Manufacturer s Safety Manual Application Standards Manufacturer s Installation Instructions 3. Consequence Analysis SIF No Required? Yes 6. Select RRF, Target SIL for each SIF No IEC Clause 9 4. Identify Protection Layers IEC Clause 9 5. Likelihood Analysis - LOPA IEC Clause 9 IEC Clause 9 7. Develop Process Safety Specification IEC Clause SIF Conceptual Design Select Technology IEC Clause SIF Conceptual Design Select Architecture IEC Clause SIF Conceptual Design Determine Test Plan IEC Clause SIF Conceptual Design Reliability/Safety Calculation IEC Clause 11 RRF, SIL Achieved? Yes 12. Detailed Design IEC Clause 11, Factory Acceptance Test IEC Clause SIS Installation and Commissioning IEC Clause 14 Hazard Consequences Layers of Protection Hazard Frequencies Design of other risk reduction facilities IEC Clause 9 RRF, Target SILs Safety Requirements Specification SIF Functional Description, Target SIL, RRF, Mitigated Hazards, Process Parameters, Logic, Bypass/Maintenance Requirements, Response Time, Proof Test Targets, etc. Equipment Justification Report H/W & S/W Design Safety Requirements - Technology Chosen, Voting Logic, Proof Test Requirements, Automatic Diagnostic Logic, Bypass Logic, Repair Time Requirements, SIL achieved, etc. Detailed Design Documentation Loop Diagrams, Wiring Diagrams, Logic Diagrams, Panel Layout, PLC Programming, PLC Program Testing, FAT Test Plan, Installation Requirements, Commissioning Requirements, Proof Test Plans, etc. FAT Test Report Commission Test Report Security Regulations, Guidelines To correct step in the Safety Lifecycle Modify 15 SIS Safety Validation IEC Clause Cyber-Security Audit 17. SIS Operation and Maintenance IEC Clause Modify, Decommission? IEC Clause SIS Decommissioning IEC Clause 18 Validation Test Report Cyber-Security Audit Report Maintenance Records Proof Test Results Change Requests Safety Impact Analysis Change Authorizations Detailed Safety Lifecycle Drawings, Copyright exida 2008, used with permission.

7 SIF Verification Calculations { Manufacturer s Safety Manual Application Standards Manufacturer s Failure Data Failure Data Database Failure rate and failure mode data is needed for each component in a safety instrumented function. SIL Verification Manufacturer s Safety Manual Application Standards 8. SIF Conceptual Design Select Technology No IEC Clause SIF Conceptual Design Select Architecture IEC Clause SIF Conceptual Design Determine Test Plan IEC Clause SIF Conceptual Design Reliability/Safety Calculation IEC Clause 11 RRF, SIL Achieved? Safety Requirements Specification SIF Functional Description, Target SIL, RRF, Mitigated Hazards, Process Parameters, Logic, Bypass/Maintenance Requirements, Response Time, Proof Test Targets, etc. Yes 12. Detailed Design IEC Clause 11, 12 Equipment Justification Report H/W & S/W Design Safety Requirements - Technology Chosen, Voting Logic, Proof Test Requirements, Automatic Diagnostic Logic, Bypass Logic, Repair Time Requirements, SIL achieved, etc. Detailed Design Documentation Loop Diagrams, Wiring Diagrams, Logic Diagrams, Panel Layout, PLC Programming, PLC Program Testing, FAT Test Plan, Installation Requirements, Commissioning Requirements, Proof Test Plans, etc. Detailed Safety Lifecycle Drawings, Copyright exida 2008, used with permission.

8 Getting Failure Data Where does one get failure rate and failure mode data? End User Field Failure Studies Manufacturer Field Return Data Studies FMEDA (Failure Modes Effects and Diagnostic Analysis) B10 Data

9 End User Field Failure Studies Opportunity to obtain failure rate/ failure mode information ISSUES: Insufficient information Different definitions of failure Operating Environment not recorded Merging of different technologies, products

10 Field Data Collection Standards IEC :2010, lists: ISO 14224:2006. IEC :2004 also Namur NE 93 AIChE CCPS has formed the PERD (Process Equipment Reliability Database) committee

11 End User Field Failure Studies After performing dozens of studies our experience recognized that the data collection process varies by an order of magnitude or more! When is a failure report written? What is the definition of failure? Are "as found" conditions recorded during a proof test? What were the operating conditions?

12 Manufacturer Field Return Failure Studies Opportunity to obtain failure rate/ failure mode information ISSUES: Calculation methods vary widely Cannot know what % of actual failures are returned Different definitions of FAILURE (Not a problem scenario)

13 Manufacturer Field Return Studies Many manufacturers classify returned items as a failure only if a manufacturing defect is found. Many returned items are marked no problem found. Manufacturer s warranty studies are useful primarily for failure mode information but not for absolute failure rates.

14 FMEDA COMPONENT DATABASE Product λ Component λ s FMEDA Product Failure Modes Failure Mode Distribution Diagnostic Coverage Using a component database, failure rates and failure modes for a product can be determined far more accurately than with only field failure data Copyright 2013 exida

15 FMEDA Biggest Negative COMPONENT DATABASE Component λ s Failure Mode Distribution FMEDA Product λ Product Failure Modes Diagnostic Coverage The accuracy of the FMEDA depends on the accuracy of the component database. It must include failure data for each environmental operating profile.

16 Sixty Billion Unit Operating Hours After several hundred field failure studies: Updated a component failure database to constantly improve the model Identified & updated the model when differences between the model and the results are explained Field Failure Data Product λ Compare FMEDA Product λ ELEC./MECH. COMPONENT DATABASE Industry Database Significant Difference? YES Update Component Database NO Finish Copyright 2013 exida

17 B10 Failure Data The B10 method uses cycle test data. Cycle test is done on a set of products (>20) until 10% of the units under test fail. The number of cycles until failure is called the B10 point. The B10 number of cycles is converted to a time period by knowing the cycles per hour in any particular application. A failure rate is calculated by dividing the 10% failure count by the time period. Copyright exida

18 B10 Failure Data The B10 method assumes that the constant failure rate during the useful life is due to premature wear-out AND all other failure modes are insignificant. Research shows other failure modes become significant when these products do not move frequently some failure modes become significant if a product is static for 100 hours.

19 B10 Failure Data - Relays Relays used in de-energize to trip applications will have much higher coil temperatures when energy is applied at a duty cycle greater than 50%. Relays will suffer from failures due to stiction in moving joints. Failure rates will be much higher in static applications where a relay stays energized and static for long periods (one year).

20 B10 Failure Data Solenoids, Actuators When O-rings and other seals are part of a product, many failure modes become significant when the product remains static for a week or more. These include: Stiction Cold-welding Corrosion binding, etc. Most of these failures are dangerous. Copyright exida

21 Careful of High Demand Certifications Some certifications are based on failure data derived from cycle testing or other methods that require frequent movement of electromechanical products. This assessment is not valid for typical low demand process applications. Copyright 2012 exida

22 Comparison of Solenoid Valve Data Sources Source Product Type D Failure Rate per hour Comment FMEDA #1 (exid1) Solenoid Valve 1.59E-07 FMEDA #2 (exid2) Spool Solenoid Valve 5.66E-07 DOW Plant Study [Skwe08] Solenoid Valve 3.51E-07 Actual field data - chemical industry OREDA / PDS-BIP Solenoid Valve 9.00E-07 Highest Number Cycle Test Results #1 (TUVRhSolenoid Valve 8.59E-09 Very Low Number Cycle Test Results #2 (TUVRhSolenoid Valve 4.53E-10 Lowest Number Manufacturer Study [AEAT05] Solenoid Valve 1.70E-08 Warranty Data Cycle test results may be valid for dynamic operation but typically produce results that are 30X 500X smaller than FMEDA and field test records for low demand applications.

23 Comparison of Solenoid Valve Data Sources Source Product Type D Failure Rate per hour Comment FMEDA #1 (exid1) Solenoid Valve 1.59E-07 FMEDA #2 (exid2) Spool Solenoid Valve 5.66E-07 DOW Plant Study [Skwe08] Solenoid Valve 3.51E-07 Actual field data - chemical industry OREDA / PDS-BIP Solenoid Valve 9.00E-07 Highest Number Cycle Test Results #1 (TUVRhSolenoid Valve 8.59E-09 Very Low Number Cycle Test Results #2 (TUVRhSolenoid Valve 4.53E-10 Lowest Number Manufacturer Study [AEAT05] Solenoid Valve 1.70E-08 Warranty Data Cycle test results may be valid for dynamic operation but typically produce results that are 30X 500X smaller than FMEDA and field test records for low demand applications.

24 Comparison of Solenoid Valve Data Sources Source Product Type D Failure Rate per hour Comment FMEDA #1 (exid1) Solenoid Valve 1.59E-07 FMEDA #2 (exid2) Spool Solenoid Valve 5.66E-07 DOW Plant Study [Skwe08] Solenoid Valve 3.51E-07 Actual field data - chemical industry OREDA / PDS-BIP Solenoid Valve 9.00E-07 Highest Number Cycle Test Results #1 (TUVRhSolenoid Valve 8.59E-09 Very Low Number Cycle Test Results #2 (TUVRhSolenoid Valve 4.53E-10 Lowest Number Manufacturer Study [AEAT05] Solenoid Valve 1.70E-08 Warranty Data Cycle test results may be valid for dynamic operation but typically produce results that are 30X 500X smaller than FMEDA and field test records for low demand applications.

25 Comparison of Solenoid Valve Data Sources Source Product Type D Failure Rate per hour Comment FMEDA #1 (exid1) Solenoid Valve 1.59E-07 FMEDA #2 (exid2) Spool Solenoid Valve 5.66E-07 DOW Plant Study [Skwe08] Solenoid Valve 3.51E-07 Actual field data - chemical industry OREDA / PDS-BIP Solenoid Valve 9.00E-07 Highest Number Cycle Test Results #1 (TUVRhSolenoid Valve 8.59E-09 Very Low Number Cycle Test Results #2 (TUVRhSolenoid Valve 4.53E-10 Lowest Number Manufacturer Study [AEAT05] Solenoid Valve 1.70E-08 Warranty Data Cycle test results may be valid for dynamic operation but typically produce results that are 30X 500X smaller than FMEDA and field test records for low demand applications.

26 Comparison of Solenoid Valve Data Sources Source Product Type D Failure Rate per hour Comment FMEDA #1 (exid1) Solenoid Valve 1.59E-07 FMEDA #2 (exid2) Spool Solenoid Valve 5.66E-07 DOW Plant Study [Skwe08] Solenoid Valve 3.51E-07 Actual field data - chemical industry OREDA / PDS-BIP Solenoid Valve 9.00E-07 Highest Number Cycle Test Results #1 (TUVRhSolenoid Valve 8.59E-09 Very Low Number Cycle Test Results #2 (TUVRhSolenoid Valve 4.53E-10 Lowest Number Manufacturer Study [AEAT05] Solenoid Valve 1.70E-08 Warranty Data Cycle test results may be valid for dynamic operation but typically produce results that are 30X 500X smaller than FMEDA and field test records for low demand applications. Failure data must match the application.

27 Optimistic = Unsafe Optimistic = Unsafe The problem with optimistic data is SIF verification calculations can fool a designer into thinking a design is safe enough when the design is NOT. Power Supply CPU Output Input Module Module PT 3 REACTOR PT 1 SIS TT 1 PT 2 Power Supply TT 2 TT 3 CPU Output Input Module Module BPCS

28 Comparing Failure Rate Sources Failure Rate D Failure Source Product Type per hour Rate Comment Refinery Data [Shel00] Analog Pressure Transducer Failure 2.71E-06 Rate D Failure Seals? Manifold? Refinery Source Data [Shel00] Smart Product Pressure Type Transmitter per 7.19E-06 hour Rate Impulse Comment Line? DOW Refinery Plant Data Study [Shel00] [Skwe08] Pressure Analog Pressure Transmitter Transducer 4.96E E-06 Seals? Manifold? OLF-070 Refinery Data OREDA [Shel00] Pressure Smart Pressure Transmitter Transmitter 7.19E E-07 Impulse Line? FMEDA DOW Plant Analog Study 1151 [Skwe08] Analog Pressure Pressure Transmitter Transducer 3.53E E E-07 High Trip FMEDA OLF-070 Analog OREDA 1152 Analog Pressure Pressure Transmitter Transducer 8.13E E E-07 FMEDA Micro Analog 1151 Smart Analog Pressure Transmitter Transducer 5.64E E E E-07 High Trip FMEDA Micro Analog Smart Analog Pressure Transmitter Transducer 5.43E E E E-07 No remote seal FMEDA Safety Micro Smart Pressure Certified Pressure Transmitter Trans 5.36E E E-07 No High remote Trip seal FMEDA Safety Micro 3051 EJX Smart Pressure Certified Pressure Transmitter Trans 5.01E E E-08 No remote seal FMEDA Safety Certified Pressure Trans 5.36E-07 No remote seal FMEDA 3051 Safety w EJX Remote Sea Smart Pressure Certified Pressure Transmitter Trans 7.04E E E-07 Include Remote Seal FMEDA 3051 w Remote Sea Smart Pressure Transmitter 7.04E E-07 Include Remote Seal

29 Comparing Failure Rate Sources Failure Rate D Failure Source Product Type per hour Rate Comment Refinery Data [Shel00] Refinery Source Data [Shel00] Analog Pressure Transducer Smart Product Pressure Type Transmitter Failure 2.71E-06 Rate D Failure per 7.19E-06 hour Rate Seals? Manifold? Impulse Comment Line? DOW Refinery Plant Data Study [Shel00] [Skwe08] Pressure Analog Pressure Transmitter Transducer 4.96E E-06 Seals? Manifold? OLF-070 Refinery Data OREDA [Shel00] Pressure Smart Pressure Transmitter Transmitter 7.19E E-07 Impulse Line? FMEDA DOW Plant Analog Study 1151 [Skwe08] Analog Pressure Pressure Transmitter Transducer 3.53E E E-07 High Trip FMEDA OLF-070 Analog OREDA 1152 Analog Pressure Pressure Transmitter Transducer 8.13E E E-07 FMEDA Micro Analog 1151 Smart Analog Pressure Transmitter Transducer 5.64E E E E-07 High Trip FMEDA Micro Analog Smart Analog Pressure Transmitter Transducer 5.43E E E E-07 No remote seal FMEDA Safety Micro Smart Pressure Certified Pressure Transmitter Trans 5.36E E E-07 No High remote Trip seal FMEDA Safety Micro 3051 EJX Smart Pressure Certified Pressure Transmitter Trans 5.01E E E-08 No remote seal FMEDA Safety Certified Pressure Trans 5.36E-07 No remote seal FMEDA 3051 Safety w EJX Remote Sea Smart Pressure Certified Pressure Transmitter Trans 7.04E E E-07 Include Remote Seal FMEDA 3051 w Remote Sea Smart Pressure Transmitter 7.04E E-07 Include Remote Seal Quality field failure data from OREDA & DOW matches up with FMEDA results. FMEDA does seem somewhat pessimistic.

30 Comparing Failure Rate Sources Failure Rate D Failure Source Product Type per hour Rate Comment Refinery Data [Shel00] Refinery Source Data [Shel00] Analog Pressure Transducer Smart Product Pressure Type Transmitter Failure 2.71E-06 Rate D Failure per 7.19E-06 hour Rate Seals? Manifold? Impulse Comment Line? DOW Refinery Plant Data Study [Shel00] [Skwe08] Pressure Analog Pressure Transmitter Transducer 4.96E E-06 Seals? Manifold? OLF-070 Refinery Data OREDA [Shel00] Pressure Smart Pressure Transmitter Transmitter 7.19E E-07 Impulse Line? FMEDA DOW Plant Analog Study 1151 [Skwe08] Analog Pressure Pressure Transmitter Transducer 3.53E E E-07 High Trip FMEDA OLF-070 Analog OREDA 1152 Analog Pressure Pressure Transmitter Transducer 8.13E E E-07 FMEDA Micro Analog 1151 Smart Analog Pressure Transmitter Transducer 5.64E E E E-07 High Trip FMEDA Micro Analog Smart Analog Pressure Transmitter Transducer 5.43E E E E-07 No remote seal FMEDA Safety Micro Smart Pressure Certified Pressure Transmitter Trans 5.36E E E-07 No High remote Trip seal FMEDA Safety Micro 3051 EJX Smart Pressure Certified Pressure Transmitter Trans 5.01E E E-08 No remote seal FMEDA Safety Certified Pressure Trans 5.36E-07 No remote seal FMEDA 3051 Safety w EJX Remote Sea Smart Pressure Certified Pressure Transmitter Trans 7.04E E E-07 Include Remote Seal FMEDA 3051 w Remote Sea Smart Pressure Transmitter 7.04E E-07 Include Remote Seal Quality field failure data from OREDA & DOW matches up with FMEDA results. FMEDA does seem somewhat pessimistic.

31 Getting Failure Data Where does one get failure rate and failure mode data? End User Field Failure Studies With quality collection system Manufacturer Field Return Data Studies With quality component database (Failure Modes Effects and Diagnostic Analysis) FMEDA B10 Data Do not use in low demand applications

32 Paul Gruhn, P.E., ISA 84 Expert - Global Process Safety Consultant, Rockwell Automation - Safety Systems Specialist for > 25 years - ISA Fellow - Member of ISA 84 & 101 committees - Developer & Instructor for ISA s courses on Safety Instrumented Systems - Co-author of Safety Instrumented Systems: Design, Analysis and Justification, ISA - Developed 1 st commercial SIS modeling software - Registered Professional Engineer in Texas - ISA 84 Expert Panel Sponsored By:

33 Basic PFD Reliability Formula for 1oo1 PFD = [λ DD * (MTTR + TI A /2)] + [λ DU * TI M /2] + [λ DN * Life/2] + [TD/TI M ] Where: TI A = Automatic test interval DD = Dangerous detected failure TI M = Manual test interval DU = Dangerous undetected failure TD = Test (Bypass) Duration DN = Dangerous never detected failure MTTR = Mean Time To Repair PFD = Probability of Failure on Demand λ S λ DD λ DU λ DN C A = Automatic Diagnostic Coverage factor C M = Manual Test Coverage factor λ DD = λ D x C A λ DU = λ D x (1 - C A ) x C M λ DN = λ D x (1 - C A ) x (1 - C M ) λ D = λ DD + λ DU + λ DN

34 PFD of a Dumb Switch PFD = [λ DD * (MTTR + TI A /2)] + [λ DU * TI M /2] + [λ DN * Life/2] + [TD/TI M ] λ S λ DU Assuming a MTTF D of 30 years, and a 1 year TI. And remembering that MTTF = 1/ λ, and that RRF = 1/PFD PFD = 1 / 30 years * 1 year / 2 = 1 / 60 RRF = 60 (SIL 1 is a (system) RRF between 10 and 100)

35 PFD of a Smart Transmitter PFD = [λ DD * (MTTR + TI A /2)] + [λ DU * TI M /2] + [λ DN * Life/2] + [TD/TI M ] λ S λ DD λ DU Assuming a MTTF D of 60 years, an automatic diagnostic coverage of 50%, a 72 hour repair time, and a 1 year manual test interval. And remembering that MTTF = 1/ λ, and that RRF = 1/PFD PFD = [(1 / 60 years) * 0.5 * (72 hrs / 8760 hr/yr)] + [(1 / 60 years) * 0.5 * 1 year / 2] = 6.85 E E-3 RRF = 240 (SIL 2 is a (system) RRF between 100 and 1,000)

36 Smart Trsmtr w/ Imperfect Manual Testing PFD = [λ DD * (MTTR + TI A /2)] + [λ DU * TI M /2] + [λ DN * Life/2] + [TD/TI M ] λ S λ DD λ DU λ DN Assuming a MTTF D of 60 years, an automatic diagnostic coverage of 50%, a 72 hour repair time, a 1 year manual test interval, 90% effective manual test, and a 15 year life. PFD = [(1 / 60 years) * 0.5 * (72 hrs / 8760 hr/yr)] + [(1 / 60 years) * 0.5 * 0.9 * (1 year / 2)] + [(1 / 60 years) * 0.5 * 0.1 * (15 year / 2)] = 6.85 E E E-3 RRF = 100 (SIL 1 is a (system) RRF between 10 and 100)

37 Now Including Bypassing PFD = [λ DD * (MTTR + TI A /2)] + [λ DU * TI M /2] + [λ DN * Life/2] + [TD/TI M ] λ S λ DD λ DU λ DN Assuming a MTTF D of 60 years, an automatic diagnostic coverage of 50%, a 72 hour repair time, a 1 year manual test interval, 90% effective manual test, a 15 year life, and a 1 week bypass. PFD = [(1 / 60 years) * 0.5 * (72 hrs / 8760 hr/yr)] + [(1 / 60 years) * 0.5 * 0.9 * (1 year / 2)] + [(1 / 60 years) * 0.5 * 0.1 * (15 year / 2)] + [1 week / 52 weeks/yr] = 6.85 E E E E-2 RRF = 34 (SIL 1 is a (system) RRF between 10 and 100)

38 Basic Reliability Formulas Configuration 1oo1 MTTF sp 1 / λ S 1oo2 1 / ((2 * λ S ) + (β * λ s )) 2oo2 1 / ((2 * λ S 2 * MTTR ) + (β * λ s )) 2oo3 1 / ((6 * λ S 2 * MTTR ) + (β * λ s )) Where: MTTF sp = Mean Time To Fail spurious MTTR = Mean Time To Repair s = Safe failure β = Beta percentage

39 Basic Reliability Formulas Configuration PFD avg 1oo1 [λ DD * (MTTR + TI A /2)] + [λ DU * TI M /2] + [λ DN * Life/2] + [TD/TI M ] 1oo2 [(λ DD ) 2 * (MTTR + TI A /2) 2 ] + [((λ DU ) 2 * (TI M ) 2 ) / 3] + [((λ DN ) 2 * Life 2 ) / 3] + [2 * TD * λ DU * (((TI M /2) + MTTR) / TI M )] + [λ DU * β * TI M /2] 2oo2 [2 * λ DD * (MTTR + TI A /2)] + [λ DU * TI M ] + [λ DN * Life] + [2 * TD/TI M ] + [λ DU * β * TI M /2] 2oo3 [3 * (λ DD ) 2 * (MTTR + TI A /2) 2 ] + [(λ DU ) 2 * (TI M ) 2 ] + [(λ DN ) 2 * Life 2 ] + [6 * TD * λ DU * (((TI M /2) + MTTR) / TI M )] + [λ DU * β * TI M /2] Where: TI A = Automatic test interval DD = Dangerous detected failure TI M = Manual test interval DU = Dangerous undetected failure β = Beta percentage DN = Dangerous never detected failure TD = Test Duration MTTR = Mean Time To Repair Note: These formulas are valid as long as MTTF >> TI

40 Understanding the Formulas The portions of the PFD calculations are: 1. The dangerous detected portion: usually negligible, except in the case of partial stroking of valves (because the automatic test interval is significant in that case) 2. The dangerous undetected portion: significant 3. The dangerous never detected portion: included when assuming imperfect manual testing. Its impact can be significant, yet it is often ignored. 4. The portion due to bypassing: can be significant for 1oo1 and 2oo2 configurations, although this factor is also often ignored 5. The common cause portion. This factor dominates for 1oo2 and 2oo3 configurations. This factor does not apply for 1oo1. λ S λ DD λ DU λ DN C A = Automatic Diagnostic Coverage factor C M = Manual Test Coverage factor λ DD = λ D x C A λ DU = λ D x (1 - C A ) x C M λ DN = λ D x (1 - C A ) x (1 - C M ) λ D = λ DD + λ DU + λ DN

41 Edward Marszal PE Edward Marszal PE President Kenexis - President Kenexis - Author of Safety Integrity Level Selection years of experience in the design and implementation of engineered safeguards - ISA Fellow - ISA 84 Expert - Participates on ISA standards committees - Registered Professional Engineer (Control Systems) - Certified Functional Safety Expert Panel Sponsored By:

42 Basis of Safety for FGS All critical instrumentation / control systems require a basis of safety Specify adequate equipment selection and design Specify functional testing requirements For fire and gas systems basis of safety are developed in two ways: Prescriptive Basis of Safety, NFPA/EN standards, etc. Performance Basis / Risk Assessment

43 Performance-Based Standards ISA TR Provides guidance for FGS design in accordance with the principles of ISA84 / IEC61511 Specify and Verify Performance Targets Availability (equivalent to SIL) Detector Coverage Written specifically for process industry Not intended as replacement for prescriptive design; intended as supplement

44 Typical Workflow for FGS Design Identify Requirement for FGS Design Specification Develop FGS Philosophy Procedure Development FGS Zone Definition Determine FGS Performance Requirements Verify Detector Coverage Verify FGS Availability Modify Design (if required) Construction, Installation, And Commissioning PSAT Operation, Maintenance and Testing Management of Change

45 FGS Performance Targets Performance Targets Specify requirements for Risk Reduction: Fire and Gas Detector Coverage Geographic Coverage Scenario Coverage Equipment Probability of Failure Safety Availability Safety Integrity Level (SIL)

46 Performance Target Determination Two Common Approaches: Semi-Quantitative (Similar to LOPA) Quantitative Risk Analysis (QRA)

47 Risk Integration Event Tree Early Ignition? Release Detected? ("Detector Coverage") FGS Effectiveness ("PFD") Delayed Ignition? Residual Fire Detected Residual FGS Effectiveness ("PFD") Frequency (1/year) Success Yes Failure Yes No 0.15 Success 0.9 Yes Success Release Yes 2.97E Failure Yes No Failure No 0.96 No Success Yes 0.85 Failure Yes No No No 0.96 Total 9.10E E E E E E E E E E E E E-04

48 Semi-Quantitative Approach Team-Based approach employing calibrated risk assessment tables Risk factors qualitatively ranked by team Likelihood Consequence Mitigating factors Selected categories determine zone grade Zone grade defines geographic coverage & safety availability Grade Level of Risk Detection Coverage FGS Safety Availability A High Risk 0.90 B Medium Risk 0.80 C Low Risk (High SIL 1 Equivalent) 0.90 (SIL 1 Equivalent) 0.90 (SIL 1 Equivalent)

49 Why Verify Detector Coverage? Failure of Fire & Gas System to Function are related to one of two Mechanisms: Inadequate Coverage Failure to detect hazard due to inadequate sensor type, number and/or location Inadequate Availability Failure of component hardware to function as intended Proposed detector layout should be assessed to ensure adequate coverage: The coverage footprint is sufficient to provide the required hazard alarms and control actions Detector views are not impeded by pipework, cable trays and other obstruction HSE Statistics Indicate that >30% of Major Gas Release in North Sea Offshore Installations are Not Detected by Gas Detection Systems

50 FGS Detector Mapping Assessment Detector Performance characterized based on data from FM approval testing Detector Coverage calculated based on 3-dimensional modeling 50 % Sensitivity 75 % Sensitivity 100 % Sensitivity Achieved coverage is compared against performance target

51 FGS Detector Results Geographic Fire Detector Coverage Scenario-Based Geographic Risk Geographic Gas Detector Coverage Scenario-Based Coverage

52 Poll #2 Which of the following will be the most immediate priorities for achieving functional safety? Live Audience Response 15% 25% Start a field failure data collection program Get management buy-in 28% 32% Get buy-in from other departments for their required inputs Find a suitable consultant and/or integrator

53 Getting Started Find more resources at Pages.knovel.com/SISWhitepapers Webinar Designing and Verifying Safety Instrumented Systems White Papers: Field Failure Data- the Good, the Bad and the Ugly FMEDA- Accurate Product Failure Metrics Understanding Fire and Gas Mapping Software and Effigy

54 Continue the Discussion Watch the webinar on demand On Facebook Like our fan page to comment on posts about this webinar Learn more about Knovel Learn more about ISA