IEC61511 Standard Overview Andre Kneisel Instrumentation Engineer Chevron C.T. Refinery SAFA Symposium 2011 August 5 th, 2011
Presentation Overview Provide some understanding of the key aspects of Functional Safety and the applicable standards - IEC61511. Attempt to explain some of the associated terminology and acronyms which are frequently used. Answer the question: How do we determine if a safety function is required, and if it is required how reliable it should be? Answer the question: How do we calculate the reliability of a given safety function? 2
Presentation Overview Explore what the impact is of including explosion protection devices (such as IS Isolators) in the reliability calculations. Explore the impact of including the probability of ignition in the SIL selection process. 3
INTRODUCTION What is Functional Safety? It is the application of systems to maintain or achieve a safe state for a process and its associated equipment. For the purpose of this presentation we are referring to automated Safety Systems which generally operate without operator intervention. We are not referring to mitigation systems such as deluge systems or emergency response systems. These are largely outside the IEC61511 standard. 4
IEC 61511 Overview What is IEC-61511? The Newly Released International Standard for the Design, Implementation, Operation, Maintenance, Testing & Decommissioning of Safety Instrumented Systems for the Process Industries. Performance vs. Prescriptive Based Standard Focus on Management of Functional Safety & Design Lifecycle Focus on SIS Design / Performance that Mitigates Risk Appropriately Accepted by CENELEC (European Committee for Electrotechnical Standardization) as European standard in 2003. Accepted by ANSI (American National Standards Institute) as United States standard, ANSI/ISA 84.00.01-2004 Parts 1-3 (IEC 61511 modified). 5
IEC61511 WHAT IT IS NOT IEC61511 is not a prescriptive standard in terms of prescribing what safety functions should be implemented. An engineer would not find a list of recommended safety functions for a particular process or type of equipment in the standard. The standard also does not provide a guide for the required reliability (SIL) of safety functions. It is, in fact, quite possible for two different companies both implementing the same process and equipment to arrive at different target SIL values for the same safety functions. 6
IEC 61508 SAFETY-RELATED SYSTEMS Process Industries IEC 61511 Safety Instrumented Systems Manufacturing Industries IEC 62061 Industrial Robots Machine Tools Transportation Railway Signaling Braking Systems Lifts Medical Miscellaneous Electro-medical apparatus Radiography IEC 61508 is the umbrella standard that covers different industrial sectors. Each sector can develop its own standard using its terminology, but must follow the framework and core requirements of IEC 61508 7
Relationship between IEC 61508 & IEC 61511 PROCESS SECTOR SAFETY INSTRUMENTED SYSTEM STANDARDS Manufacturers and suppliers of devices IEC 61508 Safety instrumented systems designers, integrators and users IEC 61511 ANSI/ISA- 84.00.01-2003 (IEC 61511 Mod) 8
IEC 61511 Overview (cont d) Functional Safety: Safety Instrumented Systems for the Process Industry Sector Part 1-Framework,defintions,system, hardware and software requirements Part 2-Guidelines for Part 1 Part 3-Guidance for determining required Safety Integrity Levels 9
IEC 61511 Overview : SIS Lifecycle (cont d) FUNCTIONAL SAFETY MANAGEMENT Management of Functional Safety and Functional Safety Assessment and auditing Safety Lifecycle Structure and Planning Safety Requirements Specification for the Safety Instrumented System Clause 10 & 12 3 Design and Engineering of Safety Instrumented System Clauses 11 & 12 4 1 Hazard & Risk Analysis Clause 8 Allocation of Safety Functions to Protection Layers Clause 9 2 Installation, Commissioning and Validation Clauses 14 & 15 5 6 Operation and Maintenance Clause 16 HAZARD & RISK ANALYSIS DESIGN BASIS Design and Development of Other Means of Risk Reduction Clause 9 EPC Detailed Engineering Verification EPC Engineering, Procurement & Construction (Includes Implementation, Commissioning, and Validation). O&M Operations and Maintenance including provisions for Management Of Change (MOC) Clause 5 Clause 6.2 7 Modification Clause 17 O&M Clause 7,12.4, & 12.7 10 11 8 Decommisioning Clause 18 9 10
TERMS AND DEFINITIONS SIS SAFETY INSTRUMENTED SYSTEM A SIS is an instrumented system used to implement one or more safety functions. A SIS is composed of input sensor(s), logic solver(s) and final element(s). Typically a single SIS implements multiple safety instrumented functions and is normally independent of the control systems. In the past SIS were known as Emergency Shutdown Systems (ESD) or as Safety Systems. Typically the Logic Solver is a high reliability programmable system with redundant power supplies, CPU s and IO modules. However, the logic solver may also just be a simple system comprising of relays and contacts used to implement some tripping logic. 11
TERMS AND DEFINITIONS SIS- Typical Configuration LOGIC SOLVER Power Supply CPU Output Module Input Module PT 3 REACTOR FINAL ELEMENTS SIS TT 1 INPUT SENSORS PT 1 PT 2 Power Supply TT 2 TT 3 CPU Output Module BPCS Input Module 12
TERMS AND DEFINITIONS SIF Safety Instrumented Function A SIF is a function implemented by a safety instrumented system which is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event. Different SIFs can use the same final elements. It is common for different hazards to cause the shutdown of the same unit in which case the final elements are shared between different SIFs. It is possible, but less common, for the input sensors to be shared between different safety functions. 13
TERMS AND DEFINITIONS SIF Typical Configuration 14
TERMS AND DEFINITIONS PFD Probability of Failure on Demand PFD is the likelihood (between 0 and 1) that a safety function will fail to perform as required. Examples: Sensor fails to detect a dangerous condition due to an internal fault. Block valve fails to close due sticking. The PFD of a safety function increases over time as shown on the following slide. 15
TERMS AND DEFINITIONS PFD Probability of Failure on Demand The PFD of a safety function increases over time as shown below. 16
TERMS AND DEFINITIONS SIL Safety Integrity Level The SIL of a safety instrumented function is the measure of the reliability of the function, i.e. the probability of the function performing its intended function and is based directly on the average PFD of the safety instrumented function over its intended life span. The SIL value is a discrete value 1 to 4, with 1 being the least reliable and 4 being the most reliable. For instance a PFD AVG of 5x10-3 would equate to a SIL 2. 17
TERMS AND DEFINITIONS SIL Safety Integrity Level SIL Safety Availability Range PFD Average Range (chance of failing) Risk Reduction Factor 1 0.9 to < 0.99 10-1 to > 10-2 10 to < 100 2 0.99 to < 0.999 10-2 to > 10-3 100 to < 1,000 3 0.999 to < 0.9999 10-3 to > 10-4 1,000 to < 10,000 4 0.9999 to < 0.99999 10-4 to > 10-5 10,000 to < 100,000 18
TERMS AND DEFINITIONS SIL Safety Integrity Level Key Concept: A SIL value is normally associated with an entire safety function, however individual SIF components may be certified in terms of IEC51508 to have a SIL value. For instance a Logic Solver may be certified SIL 3. This means that the logic solver may be used as part of a SIL 3 safety instrumented function. It does not mean that any safety instrumented function using this logic solver will automatically meet SIL 3. 19
TERMS AND DEFINITIONS Proof Tests These are tests which are carried out to ensure the functioning of a safety instrumented function. Key Concept: The PFD AVG of a safety instrumented function is directly related to the proof test frequency. Consequently the SIL of a safety instrumented function is also directly related to the proof test frequency. 20
TERMS AND DEFINITIONS Annual Proof Test 21
TERMS AND DEFINITIONS Proof Test Every Four Years Same SIF 22
SIL SELECTION In the past when deciding what Safety Functions to implement, engineers either based their decisions on prescriptive standards (where available) or in many cases based their decisions on good engineering practice or past experience. IEC61511 requires that a company should follow a SIL selection process as part of the Hazard and Risk Analysis Phase. The standard is not prescriptive with regard to what SIL selection method to use, but does propose some example methods: Risk Graph Method Risk Matrix Method Quantitative - Layer Of Protection Analysis (LOPA) As Low as Reasonably Practical (ALARP) 23
SIL SELECTION Key Concept: The target SIL of a SIF is based on the amount of Risk Reduction needed to reduce the risk of the consequence scenario to an acceptable level (as determined by company policy). TARGET SIL = Total Risk Reduction needed risk reduction by non-sis protection layers. 24
SIL SELECTION LOPA EXAMPLE 25
SIL SELECTION LOPA EXAMPLE Using the LOPA example of the previous slide: If the company's risk policy states that the maximum loss per hazard may not exceed 1x 10-5 fatalities per year or R100,000 per year, then the risk must be reduced by a minimum factor of 7.175 which equates to an additional SIL1 safety function (RRF 10-100). If, on the other hand, the company's risk policy states that the maximum loss per hazard may not exceed 1x 10-4 fatalities per year or R100,000 per year, then no additional safety function is required! 26
Decreasing Likelihood SIL SELECTION RISK MATRIX EXAMPLE RR=6 5 4 3 2 1 1 Likely NR (0) 1 2 3 NS (4) NS 2 Occasional 7 6 5 4 3 2 NR (0) NR (0) 1 2 3 NS (4) 8 7 6 5 4 3 3 Seldom NR (0) NR (0) NR (0) 1 2 3 9 8 7 6 5 4 4 Unlikely NR (0) NR (0) NR (0) NR (0) 1 2 10 9 8 7 6 5 5 Remote NR (0) NR (0) NR (0) NR (0) NR (0) 1 10 10 9 8 7 6 6 Rare NR (0) NR (0) NR (0) NR (0) NR (0) NR (0) Consequence Indices Decreasing Consequence/Impact 6 5 4 3 2 1 Incidental Minor Moderate Major Severe Catastrophic The probability of ignition must be taken into account when selecting the likelihood. 27
SIL SELECTION RISK MATRIX EXAMPLE If, in the example on the previous slide, the likelihood (with all protection layers present and enabling events accounted for, but no safety function allowed for) of a severe consequence occurring is assessed as seldom, then the risk matrix indicates that an additional SIL2 safety function is required. 28
SIL CALCULATION FAILURE RATES Reliability data for SIL rated equipment is normally provided in terms of Failure Rates λ S, λ DD, and λ DU. (e.g. failures per hour) λ S = Safe Failure Rate. This is the rate for the equipment failing to a safe state. For instance, a block valve failing into the closed position. λ DD = Dangerous Detected Failure Rate. This is the rate for the equipment failing into an unsafe state, however with diagnostic notification which will ensure that operators are made aware of the failure. λ du = Dangerous Undetected Failure Rate. This is the rate for the equipment failing into an unsafe state, without diagnostic notification. For instance, a block valve stuck in the open position or a relay with contacts welded in the closed position. THIS IS THE FAILURE RATE USED FOR CALCULATING THE PROBABILITY OF A FAILURE ON DEMAND (PFD). 29
SIL CALCULATION PFD CALCULATION 30
SIL CALCULATION INCORRECT METHOD Sensor Interface IS Isolator Logic Solver Interface IS Isolator Final Element PT XV SIL2 SIL4 SIL3 SIL3 SIL2 SIL2 FOR THE WHOLE SAFETY FUNCTION Key Concept: The safety Integrity Level (SIL) of the whole safety function is not equal to the lowest SIL of the components. This is a common mistake. 31
SIL CALCULATION CORRECT METHOD Note: The PFD of the whole safety function can be influenced by the inclusion of intrinsic safety components which are used for explosion protection. Sensor Interface IS Isolator Logic Solver Interface IS Isolator Final Element PT XV Key Concept: To calculate the SIL of the whole safety function it is necessary to combine the PFD s of the individual components to calculate an overall PFD and overall SIL value. 32
SIL CALCULATION 33
SIL CALCULATION Methods to Increase SIL of Safety Function Use voting architectures. Typically 2oo3 voting or 1oo2 voting is used to increase the achieved SIL value. Note that 2oo2 voting actually decreases the achieved SIL value. Use higher reliability components. In most cases the limiting component is the final element. Increase the proof testing frequency. 34
SIL CALCULATION Using Voting Architectures Sensors Interface IS Isolator Logic Solver Interface IS Isolator Final Elements PT XV 1 out of 2 2 out of 3 Voting PT XV Voting PT Note: When using voting architectures it is necessary to use more sophisticated calculation methods or software tools such as exsilentia to perform SIL calculations. 35
CONCLUSION The IEC61511 standard provides a framework for the activities required to implement Safety Instrumented Systems in the process industries. The hazard analysis and SIL selection processes form a fundamental part of the safety lifecycle and must be performed in the initial stages of the lifecycle. The SIL selection process and risk tolerance parameters must be prescribed by the company s or organization s policy. 36
CONCLUSION The selection of a safety instrumented function s SIL can be strongly influenced by the probability of ignition. Measures to reduce the probability of ignition reduce the requirement for high SIL safety functions. When calculating the actual achieved SIL of a safety instrumented function, it is important to take the PFD of all components into account. This means that in applications where Intrinsically Safe barriers or isolators are used for explosion protection, these components should be included in the calculations. It should be noted that these components generally have low PFD values in relation to other components. 37
Questions? Andre Kneisel Tel: 021-508-3044 Cell: 083-300-2022 Email: aypk@chevron.com 38
ABBREVIATIONS ESD Emergency Shutdown IPL Independent Protection Layer PCS Process Control System (such as DCS or PLC) PFD Probability of Failure on Demand PHA Process Hazards Analysis SAT Site Acceptance Test SIF Safety Instrumented Function SIL Safety Integrity Level SIS Safety Instrumented System SRS Safety Requirements Specification 39
REFERENCES International Electrotechnical Commission IEC61511-1 Standard Chevron Corporation CVX-SIS-101/102/201/202 Training Manuals Exida exsilentia Integrated Safety Lifecycle Tool 40