Reliability of Safety-Critical Systems Chapter 1. Introduction

Similar documents
IEC61511 Standard Overview

Process Safety - Market Requirements. V.P.Raman Mott MacDonald Pvt. Ltd.

InstrumentationTools.com

Safety Instrumented Systems

High Integrity Pressure Protection System

The agri-motive safety performance integrity level Or how do you call it?

Safety Transmitter / Logic Solver Hybrids. Standards Certification Education & Training Publishing Conferences & Exhibits

Is your current safety system compliant to today's safety standard?

FUNCTIONAL SAFETY IN FIRE PROTECTION SYSTEM E-BOOK

Functional Safety Solutions

White Paper. Integrated Safety for a Single BMS Evaluation Based on Siemens Simatic PCS7 System

United Electric Controls One Series Safety Transmitter Safety Manual

2015 Functional Safety Training & Workshops

SIL Safety Guide Series MS Single-Acting Spring-Return Hydraulic Linear Actuators

User s Manual. YTA110, YTA310, YTA320, and YTA710 Temperature Transmitters. Manual Change No

Addressing Challenges in HIPPS Design and Implementation

Measurement of Safety Integrity of E/E/PES according to IEC61508

INTERNATIONAL STANDARD

Siemens Process Automation End-user Summit- 2011

Functional safety. Essential to overall safety

Safety Integrity Verification and Validation of a High Integrity Pressure Protection System to IEC 61511

100 & 120 Series Pressure and Temperature Switches Safety Manual

SITRANS. Temperature transmitter Functional safety for SITRANS TW. Introduction. General safety instructions 2. Device-specific safety instructions

Functional Safety Experience on Railway Signalling in Japan. Yuji Hirao Nagaoka University of Technology (Japan)

FUNCTIONAL SAFETY OF ELECTRICAL INSTALLATIONS IN INDUSTRIAL PLANTS BY OTTO WALCH

INTERNATIONAL STANDARD

HIPPS High Integrity Pressure Protection System

Technical Paper. Functional Safety Update IEC Edition 2 Standards Update

The Next Generation Machine Protection System

Safety in the process industry

INTERNATIONAL STANDARD

ADIPEC 2013 Technical Conference Manuscript

Why AC800M High Integrity is used in Burner Management System Applications?

Functional Safety: What It Is, Why It s Important And How to Comply

Functional safety according to IEC / IEC Important user information. Major changes in IEC nd Edition

PRIMATECH WHITE PAPER CHANGES IN THE SECOND EDITION OF IEC 61511: A PROCESS SAFETY PERSPECTIVE

The SIL Concept in the process industry International standards IEC 61508/ 61511

HIPPS High Integrity Pressure Protection System

Hands On: Introduction to Safety Workshop Presented by Robert Jones Manufacturing in America March 14-15, 2018

Session Four Functional safety: the next edition of IEC Mirek Generowicz Engineering Manager, I&E Systems Pty Ltd

Safety Instrumented Systems Overview and Awareness. Workbook and Study Guide

Digital EPIC 2 Safety manual

This document is a preview generated by EVS

OPERATING MANUAL Enertronic Control System 2

New Developments in the IEC61511 Edition 2

Overfill Prevention Control Unit with Ground Verification & Vehicle Identification Options. TÜVRheinland

Functional Safety: the Next Edition of IEC 61511

Options for Developing a Compliant PLC-based BMS

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, Minnesota USA

Australian Standard. Functional safety Safety instrumented systems for the process industry sector

Integrated but separate

INTERNATIONAL STANDARD

FUNCTIONAL SAFETY: A PRACTICAL APPROACH FOR END-USERS AND SYSTEM INTEGRATORS

INTERNATIONAL STANDARD

Certification Report of the ST 3000 Pressure Transmitter with HART 6

Tank protection example using Simatic

Failure Modes, Effects and Diagnostic Analysis

67 th Canadian Chemical Engineering Conference EDMONTON, AB OCTOBER 22-25, 2017

SUPREMATouch. Modular Fire & Gas Detection System

USER APPROVAL OF SAFETY INSTRUMENTED SYSTEM DEVICES

SUPREMATouch. Modular Fire & Gas Detection System

Certification Report of the ST3000 Pressure Transmitter

Fire and Gas Monitoring Panel ST7-HV

Failure Modes, Effects and Diagnostic Analysis

Safety lnstrumentation Simplified

Functional Safety Manual June pointek CLS500/LC500

We reserve all rights in this document and in the information contained therein. Reproduction, use or disclosure to third parties without express

Safety Function: Single-beam Area Access Control (AAC)

Reliability and Safety Assessment in Offshore and Process Industries

Safe area; Zone 1 and Zone 2

Functional Safety of Machinery Presented by Greg Richards Manufacturing in America 02/22-23/2017

2013 Honeywell Users EMEA Nice. Johan School. Concepts and Implementation of Process Risk Management using Safety Manager

Functional Safety & Power Drive Systems

New requirements for IEC best practice compliance

SAFETY INTEGRITY LEVEL MANUAL. IEC and IEC XP95 and Discovery SIL Approved Product Range

INTERNATIONAL STANDARD

Operating Guide Safe Torque Off

For Complete Fire and Gas Solutions

Spurious activations of safety-instrumented systems

Safety Instrumented Systems The Smart Approach

Fuji Electric s Approach to Machinery Safety and Functional Safety -Total Safety-

SAFETY RELAY APPLICATION

Session Ten: The importance of a clear Safety Requirements Specification as part of the overall Safety Lifecycle

Annex to the Accreditation Certificate D-ZE according to DIN EN ISO/IEC 17065:2013

SAFEMASTER PRO. The configurable safety system versatile and extendable. Our experience. Your safety.

Guidelines. Safety Integrity Level - SIL - Valves and valve actuators. February Valves

Managing the Lifecycle of Independent Protection Layers

This is a preview - click here to buy the full publication


Proservo NMS5- / NMS7-

innova-ve entrepreneurial global 1

Safety Instrumented Fire & Gas Systems

Functional Safety Application of IEC & IEC to asset protection

Operating Guide Safe Torque Off

FMEDA Report. Failure Modes, Effects and Diagnostic Analysis. KFD0-CS-Ex*.54* and KFD0-CS-Ex*.56* Project: X7300

IEC Functional Safety Assessment

Improved safety system in a nitric acid plant

Failure Modes, Effects and Diagnostic Analysis

Failure Rate Data, Safety System Modeling Concepts, and Fire & Gas Systems Moderator: Lori Dearman, Webinar Producer Thursday, May 16th, 2013

Fully configurable SIL2 addressable Fire & Gas Detection solutions

Transcription:

Reliability of Safety-Critical Systems Chapter 1. Introduction Mary Ann Lundteigen and Marvin Rausand mary.a.lundteigen@ntnu.no & marvin.rausand@ntnu.no RAMS Group Department of Production and Quality Engineering NTNU (Version 1.3 per August 2016) M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 1 / 38

Reliability of Safety-Critical Systems Slides related to the book Reliability of Safety-Critical Systems Theory and Applications Wiley, 2014 Theory and Applications Marvin Rausand Homepage of the book: http://www.ntnu.edu/ross/ books/sis M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 2 / 38

Learning objectives To understand what a safety-critical system is and what it is used for To become familiar with the main building blocks and technologies To recognize some of the application areas To be aware of some key concepts associated with the way of operating To become aware of the framing conditions for design and operation, with focus on key international standards M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 3 / 38

Safety-critical system Safety-critical system: A system whose failure may lead to harm to people, economic loss, and/or environmental damage. Safety-critical systems embrace a wide range of systems: Active systems using electrical, electronic, or programmable electronic technology (our focus!) Active systems using mechanical technology alone (e.g pressure relief valve) Passive systems like mechanical protection, dikes, firewalls etc M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 4 / 38

Active safety-critical systems Our focus is on the active safety-critical systems, or more specifically: E/E/PE safety-critical system: A safety-critical system that is based on (at least some) electrical, electronic, or programmable electronic (E/E/PE) technology. The process industry often use the term safety-instrumented system (SIS), and we have adapted this term also for other applications due to its simplicity: Safety-instrumented system (SIS): instrumented system used to implement one or more safety instrumented functions (SIFs). M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 5 / 38

Main parts of a SIS: Process industry A SIS is often split into three subsystems: 1. Sensor (S) subsystem: Monitors some process parameter or presence of a command. 2. Logic solver (LS) subsystem: Decides if it is necessary to act upon the monitored signals. 3. Final element (FE) subsystem: Carries out the necessary tasks, if decided to act. Logic solver Sensor systems Final elements M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 6 / 38

More than one SIS Safety functions are often organized into separate SISs, according to their main function. At a process plant, we may find the following SISs: PSD: Process shutdown system ESD: Emergency shutdown system HIPPS: High integrity pressure protection system Fire and gas detection (F&G) system M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 7 / 38

Safety-critical systems Safety-critical system - examples (Process industry) COMMUNITY EMERGENCY RESPONSE PLANT EMERGENCY RESPONSE FIRE AND GAS SYSTEMS toxic gas detection and alarm PHYSICAL BARRIERS Barricades, dikes MITIGATION Pressure relief valves Rupture discs PREVENTION Safety-critical process alarms Safety instrumented systems CONTROL Basic process control system Process alarms, operator procedures PROCESS DESIGN Inherently safe design M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 8 / 38

Main parts of a SIS: Adaptive cruise control M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 9 / 38

Safety-instrumented function (SIF) Safety-instrumented function (SIF): A safety function that is performed by a SIS. Some properties or characteristics: The same SIS may perform several SIFs SIFs associated with the same safety barrier are often put into the same SIS PSD functions A process shutdown system (PSD) may carry out the following SIFs Close inlet valve to a separator upon high pressure Close outlet valve (liquid) from a separator upon low level Stop a pump upon high downstream pressure Trip (stop) a compressor upon too low inlet pressure etc M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 10 / 38

Realization of a SIS: Process industry A process shutdown function may be used as an example of a SIS. It may be noted that several technologies are involved. +24VDC Comparison & voting logic Switches Logic solver Solenoid valve (Electrical operated DCV) Solenoid Hydraulic return system Hydraulic supply (pilot line system) PT PT Pressure transmitters (PTs) Actuator Gate valve Pilot operated DCV From hydraulic main supply Hydraulic return system Flow M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 11 / 38

Realization of a SIS: Railway signaling The example focuses on the control of a green light (drive permit) signal. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 12 / 38

Realization of a SIS: Next generation signaling with ERTMS Some facts: Each European country has (until now) developed their own strategy for railway signaling systems, including interlocking system and automatic train protection systems. In 1996 EU decided that the European Rail Traffic Management System (ERTMS) should become standard for all high-speed lines, to ensure interoperability in Europe. Two EU directives introduced for ERTMS: 96/48 (high speed rail system) and 2001/16 (conventional rail system) A European Train Control System (ETCS) has been developed to standardize implementation of ERTMS ERTMS comprises: ETCS system with trackside (alongside tracks) and trainborne (onboard train) subsystems GSM-R (global system for mobile communcation - for railway) for voice and data communication ETCS /ERTMS is implemented as either level 1, level 2, and level 3. Level 1 allows use/interface of conventional (national) signaling system M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 13 / 38

Case example: Railway signaling systems with ERTMS ERTMS vs signaling systems ERTMS level 1 ERTMS level 2 ERTMS level 3 ETCS: European Train Control System ERTMS = ETCS + GSM-R LEU: Lineside Electronics Unit M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 14 / 38

Case example: Detailed about ERTMS level 1 Source: http://www.mobility.siemens.com/mobility/global/en/interurban-mobility/rail-solutions/rail-automation/train-control-system/european-train-protection-system/pages/european-train-control-system.aspx M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 15 / 38

Case example: Detailed about ERTMS level 2 Source: http://www.mobility.siemens.com/mobility/global/en/interurban-mobility/rail-solutions/rail-automation/train-control-system/european-train-protection-system/pages/european-train-control-system.aspx M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 16 / 38

Case example: Detailed about ERTMS level 3 Source: http://www.mobility.siemens.com/mobility/global/en/interurban-mobility/rail-solutions/rail-automation/train-control-system/european-train-protection-system/pages/european-train-control-system.aspx M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 17 / 38

Sensors Sensors are used to monitor a certain process or EUC state, such as.: Processing plant: Temperature, pressure, level, flow, status of pushbuttons, etc Railway signaling: Relay position, position of rail switch, train speed and position, electrical current (in cable to light signal) Signal transmission may be: Analog (e.g., 4-20 ma) Voltage (0 V/12V, or 0 V/24 V) Digital/bus (Fieldbus and Profibus 1, Profi-safe) Pressure 1 Fieldbus and Profibus under development for safety-critical applications M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 18 / 38

Sensors Communication (digital, analogue) Pressure transmitter Electronics Sensing element Impulse line Pipeline Pressure sensor A pressure sensor comprises Impulse line, which connects the sensing element to the process pressure Sensing element, with diaphragm and a reference pressure (atmospheric or vacuum) Electronics, with electrical signal generation from diaphragm deflection, diagnostics features and (if included) digital communication interface M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 19 / 38

Logic solver Logic solvers are used to set output states, based on the processing of input states. This means to: Compare input signals with some set-points defined in the logic solver Power supply Inputs Input modules Logic module CPU Output modules Communication Outputs Railway signaling: Relay position, position of rail switch, train speed and position, electrical current (in cable to light signal) M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 20 / 38

Logic solver A programmable logic solver (also called programmable logic controller - PLC) comprises: Input cards/ modules (digital, analogue) Central processing unit - CPU (containing firmware and application program) Output cards/modules (digital with relays) In some cases: distributed input/output (I/O) cards Communication (internal between the input/output cards and the CPU, and between CPU and distributed nodes The PLC requires a power supply and has interfaces to other systems, including human machine interface. Figure: Source: http://www.plcdev.com/ how_plcs_work M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 21 / 38

Logic solver Logic solvers may be: Hardwired, meaning that all processing is carried out by the use of relays and contactors. Solid state, meaning that the processing is carried out by a fixed arranged and programmed set of electronic components. Programmable, meaning that the processing is carried out by an application program (software). Figure: Source: http://www. plcdev.com/how_plcs_work M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 22 / 38

Final elements Final elements are also called actuating devices, and may be: Relay controlled by the logic solver +24VDC Valves Relays Circuit breakers Actuating devices Solenoid valve (Electrical operated valve) Pilot operated valve Solenoid Hydraulic return system Hydraulic supply (pilot line system) capable of stopping flow and isolating electrical equipment. Actuator From hydraulic main supply Hydraulic return system To carry out a function, it may be necessary with an arrangement of several final elements. Flow Gate valve M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 23 / 38

Design principles Redundancy: Having more than one item to carry out the same function Hardware fault tolerance: The number of faults tolerated (in a subsystem) before the function is lost Fail-safe: The final element goes to a predefined safe state upon loss of signal or power (electrical or by other utility system): Fail-active Fail-passive Fail-operational Energize-to-trip: Activation of function requires a pulsed or stable electrical signal De-energize-to-trip: Activation of function is achieved by removing a pulsed or stable electrical signal M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 24 / 38

Design principles LOWER STEM UPPER STEM LEAK VENT GATE POSITION INDICATOR GATE MECHANICAL OVERRIDE FLOW CLOSE OPEN HYDRAULIC OPERATOR FAIL-SAFE CLOSED Figure: A fail-safe gate valve used for a subsea Xmas tree M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 25 / 38

Demands and demand rates Demand: An event or a condition that requires a SIF to be activated (i) to prevent an undesired event from occurring, or (ii) to mitigate the consequences of an undesired event. The frequency of occurrences of demands, the demand rate is often modeled as a homogeneous Poisson process with demand rate λ de λ de λ effect Barrier Risk reduction factor = λ de λ effect Demands Effects Consequences M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 26 / 38

Modes of operation Safety-critical functions, such as a SIF, are often categorized according to how often the barrier functions are demanded. It is common to distinguish between three modes of operation (high-demand and continuous demand mode is sometimes merged into one): Low-demand mode: The safety function operates in the low-demand mode if demanded less often than once every year High-demand mode: A safety-critical function operates in the high-demand mode if demanded once a year or more often Continuous mode: This is a special case of a high-demand mode where the safety-critical function operates continuously (always at demand) M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 27 / 38

Modes of operation Examples System Low-demand High-demand Continuous Air bag release system (automotives) Emergency shutdown system (process industry) Presence-sensing safeguarding devices around robots (manufacturing) Anti-lock breaking system (ABS) for cars (automotive) Fly-by-wire systems (aviation) Dynamic positioning system (marine/ship systems) Signaling systems (Railway) X X X X X X X a a Depends on how frequent trains pass at the tracks controlled by the system M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 28 / 38

Equipment under control Equipment under control (EUC): Equipment, machinery, apparatus, or plant used for manufacturing, process, transportation, medical, or other activities. The EUC may be a boundary of something where hazardous events can occur (and cause damage), or be a boundary of something that can be exposed by hazardous events from the outside. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 29 / 38

Equipment under control Examples Industry Examples of EUC Process industry: Production separator Fire area Pipeline section Railway: Block/rail section Station Tunnel Hospital: Patient Critical medicine dosing apparatus Cutting machine: Machine itself Humans (operators or Room where maintenance personnel) machine is located M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 30 / 38

Safe state Safe state: A state of the EUC where safety is achieved. [IEC 61508] The objective of a SIF is to bring the EUC to a safe state, or to keep the EUC in a safe state after a demand has occurred. The safe state should also be achieved if the SIS looses critical utility systems (electrical power, hydraulic power, etc). Is the safe state well defined? What would be the safe state in case of an hazardous event occuring while: Running process at a process plant? A train is leaving a station? Driving a car? A plane is climbing after take-off? A lift is moving and is between two floors? M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 31 / 38

Functional Safety Functional safety: Part of the overall safety relating to the EUC and the EUC control system that depends on the correct functioning of the E/E/PE safety-related systems and other risk reduction measures. [IEC 61508] Relates to the ability to protect the EUC or vulnerable objects within the EUC from damage Relies on the ability of a SIS (and other safety barriers) to bring the EUC to a safe state, under normal situations and foreseeable fault situations...this means that functional safety is the safety provided by SIS. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 32 / 38

Key standards Applicable to design and operation of SIS IEC 61508: A generic standard on functional safety IEC 62304 Medical IEC 61511 Process industry IEC 62061 Machinery IEC 61513 Nuclear ISO 26262 Automotive EN 50126, 50128,50129 Railway Def stand 00-56 Millitary M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 33 / 38

IEC 61508 IEC 61508 and the sector-specific standards based on IEC 61508 are often referred to as functional safety standards. IEC 61508 is named Functional safety of electrical/electronic/programmable electrnoic safety-related systems and comprises 7 parts, of which 4 are mandatory and 3 are informative. The 1st edition came in 1998, and the current edition (2nd edition) is from 2010. The purposes of IEC 61508 are to: Serve as a guideline for development of sector-specific standards. Serve as a standard where sector-specific standards do not exist or have certain restrictions on application areas. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 34 / 38

IEC 61508 IEC 61508 is the umbrella standard for a collection of functional safety standards that aim to: Frame the safe implementation of electrical/electronic/programmable-electronic technology in safety applications Ensure adaption of best practises in all stages of the safety life cycle, from concept definition and specification of requirements to construction, installation, operation, maintenance, modifications, and eventually, decommissioning M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 35 / 38

IEC 61508 in parts Part Name Comment Status 2 1 General requirements Cover all life-cycle phases, from concept definition to decommissioning N 2 Requirements for electrical/ electronic/ Concerns hardware design and the in- N programmable electronic tegration hardware and software safety-related systems 3 Software requirements Concerns requirements for software N development, software development tools, and software architectures 4 Definitions and abbreviations Given by the title. N 5 Examples of methods for the determination of safety integrity levels Explains methods like risk matrix, risk graph, and LOPA I 6 Guidelines for the application of Includes formulas for quantifying PFD I IEC 61508-2 and IEC 61508-3 and PFH and checklists for beta 7 Overview of techniques and measures Elaborates on referenced topics I 2 N is normative, I is informative M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 36 / 38

IEC 61511 for the process idnustry IEC 61511 applies to process industry with some exceptions. SIS design process industry sector Hardware Software Developing NEW hardware devices Using PROVEN-IN-USE hardware devices Using hardware developed and assessed in accordance with IEC 61508 Developing embedded software systems Developing application software using FVL Developing applicatiion software using LVL or FP IEC 61508-1,2 IEC 61511 IEC 61511 IEC 61508-3 IEC 61508-3 IEC 61511 IEC 61508: Manufacturers standard IEC 61511: End users standard FVL: Fixed variable language LVL: Limited variable language FP: Fixed programming M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 37 / 38

Functional safety standards Mode of operation in focus Standard IEC 61508: IEC 61511: IEC 62061: EN 50126/,28,29 3 : ISO 26262: Mode of operation in focus All modes of operation Mainly on low-demand Mainly on high/continuous-demand Mainly on high/continuous-demand Mainly high/continous-demand 3 Remark: IEC 62278, IEC 62425, and IEC 62279 are identical to EN 50126, EN 50129, and EN 50128, however, the EN version is more often referenced. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.3) 38 / 38

2024 © homedocbox.com Privacy Policy | Terms of Service | Feedback