Instrument Selection
SAFETY INSTRUMENTED SYSTEMS & EMERGENCY SHUTDOWN SYSTEMS for Process Industries using IEC 61511 and IEC 61508 Unit 7: SIL Instrument Selection
Version for EQO26: 7 November 2012
www.eit.edu.au
Unit contents:
- Impact on SIS reliability
- Types of sensors and actuators
- Failure modes and causes
- Knowledge of the rules + experience, if you can get it!
Instrument practice for safety systems is well established:
- ISA S84.01 Appendix B (obsolete standard but still relevant)
- IEC 61511 specifics defined in clauses 11.5 and 11.6 of part 1
- Gruhn & Cheddie, ISA textbook, chapter 9

IEC 61511-1 paragraph 11.5, Requirements for selection of components and subsystems, 11.5.2.1: Components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with 11.4 and 11.5.3 to 11.5.6, as appropriate.

Fault tolerance
Table 7.1: PFDavg by subsystem with a 3 month proof test (row labels inferred from the text below, which attributes the two large figures to the field devices and the small one to the logic solver)

Subsystem                 PFDavg    Share
Sensor (field device)     0.006
Logic solver (PES)        0.0005
Final element (field)     0.0125    65%
Total                     0.019     100%   (SIL 1)

A further value, 0.1, appears on the slide without a label.

The field devices taken together contribute 97% of the PFD for this example. The PFD figures for the field devices are affected by environmental conditions and maintenance factors. PES logic solvers benefit from auto-diagnostics.
Bus connected safety certified instruments (see Session 5):
- Foundation Field Bus
- Profi-safe
- ASI-Safety Bus

Advantages of analog transmitters over switches:
- Good reliability and accuracy
- Signal present at all times, giving an improved SFF
- Potential for diagnostics; easier to detect faults
- Possible to compare the signal with other parameters
- Trending and alarming available
- Multiple set points
- Competitive pricing
- Rationalized spares

Also consider:
- Response time
- Power supplies
- Intrinsic safety barriers
- Calibration/testing: left on test, isolated
Figure 7.4: process valve trip. Elements shown: 380 V AC power, SIS logic, interlocks, motor (M).

Figure (motor trip through a safety relay): power, reset, K1 time delayed, drive controller, motor (M).
Selection flowchart (residue): "... or Prior Use"; "Smart tx". SIL 3 requires assessment and a safety manual; apply the IEC 61511 limitations; and the PFD must satisfy the SIL target.
Figure 7.5: boiler trip logic fed from LT 1, which also serves LIC 1 (first version); in the second version a separate LT feeds the trip logic while LT 1 serves LIC 1.
Figure 7.6 (fault tree, separate sensor case): boiler damage 0.0075/yr = low level AND no trip. Low level 0.3/yr = FW fails (0.2/yr) OR LT-1 fails high so that LIC-1 causes low level (0.1/yr). The branch "LT-1 fails high, no trip" AND "LIC-1 causes low level (0.1/yr)" shows the common cause that appears when the sensor is shared.
Separation rules: field sensors (IEC 61511 part 2, 11.2.4)
- Sharing of a sensor between SIS and BPCS is only allowed if the safety integrity targets can be met. This would require sensor diagnostics and is only likely to be possible for SIL 1.
- A separate sensor is allowed to be copied to the BPCS via an isolator.
- SIL 2, 3 and 4 normally require separate sensors with redundancy.

Separation rules: final elements (IEC 61511 part 2, 11.2.4)
- A single valve may be used for both BPCS and SIS but is not recommended if valve failure places a demand on the SIS.
- Normally a shared valve can only be used if diagnostic coverage and reaction time are sufficient to meet the safety integrity requirements.
- Recommendations for a single valve application: SIL 2 and SIL 3 normally require identical or diverse separation. Diversity is not always desirable.
Figure 7.7: valve arrangements showing FY and A/S (two variants).
Sensor diagnostics (do not confuse with proof testing):
- Compare the trip transmitter value with related variables; not often practicable.
- Use safety transmitters if available.
- Use smart transmitters with a diagnostic alarm, but see the smart transmitter requirements later in this unit.
Valve diagnostics: assurance that a trip valve will respond correctly when needed
- Freedom of movement, full travel
- Correct venting of the actuator
- Correct rate of response
- Absence of sticking
- Trip signals and solenoid all working
IEC 61508 places an upper limit on the SIL that can be claimed for any safety function on the basis of the fault tolerance of the subsystems that it uses. The limit is a function of:
- the hardware fault tolerance
- the safe failure fraction
- the degree of confidence in the behaviour under fault conditions
Details are in IEC 61508 part 2.
IEC 61508 classification of equipment. IEC defines two types of equipment for use in safety systems:
- Type A: simple devices, non-PES, e.g. limit switch, level float switch, analogue circuits.
- Type B: complex devices, including PES, e.g. smart transmitters, digital communications, processor based systems.
The fault tolerance rating of Type B is less than that of Type A except under certain conditions.
IEC 61511-1 Table 6: minimum hardware fault tolerance of sensors, final elements and non-PES logic

SIL   Minimum HW fault tolerance
1     0
2     1
3     2
4     Special requirements: see IEC 61508

The following summarized conditions apply for SIL 1, 2 and 3:
- Increase FT by 1 if the instrument does not have fail safe characteristics.
- Decrease FT by 1 if the instrument meets 4 conditions: predominately fail safe; prior use (proven in use); limited device adjustment (process parameters only); password protected.
- Alternatively, tables 2 and 3 of IEC 61508 may be applied with an assessment.
Redundancy options: sensor or actuator configuration (Table 7.4)

Configuration   Selection
1oo1            Use if the PFD, FT and nuisance trip targets are all met.
1oo2            2 sensors installed, 1 required to trip. PFD value improved, nuisance trip rate doubled.
2oo3            3 sensors installed, 2 required to trip. PFD improved over 1oo1, nuisance trip rate dramatically reduced.
Figure 7.10: redundant transmitters PT 1A and PT 1B. Be careful to analyze for common cause faults; e.g. try to avoid the arrangement shown.

Figure 7.11: SIS with TT 01.
Requirements for a device to be proven-in-use: evidence that the instrument is suitable for SIS
- Consider the manufacturer's QA systems
- PES devices need extra validation
- Performance record in a similar profile
- Adequate documentation
- Volume of experience: > 1 yr exposure per case

Keep a list of each instrument that is suitable for SIS; update and monitor the list regularly
- Add instruments only when the data is adequate
- Remove instruments from the list when they let you down
- Adequate details: include the process application

Additional requirements for smart transmitters and actuators (details in IEC 61511 11.5.4 for devices with Fixed Programming Languages, FPLs); extra for SIL 3:
- Formal assessment showing a low probability of failure in the planned application
- Appropriate standards used in the build
- Consider the manufacturer's QA systems
- Must have a safety manual
Figure 7.12

Figure 7.14

Testing authorities include: TUV Rheinland; Exida.com; any recognized testing body that can show competency in the SIS field.
Note: Exida specializes in certifying instruments claiming prior use qualification. Reports supply SFF and failure rate data with a declaration of the fault tolerance requirements relevant to IEC 61511. See examples.
Reliability Analysis
EIT Safety Instrumentation E-Learning
SAFETY INSTRUMENTED SYSTEMS & EMERGENCY SHUTDOWN SYSTEMS for Process Industries using IEC 61511 and IEC 61508 Unit 8: Reliability Analysis
Version for EQO26: 7 November 2012
Unit contents:
- Reasons and objectives
- Resolving the SIS into reliability block diagrams
- Identification of formulae
- Trial calculation examples
IEC 61511 requires a reliability analysis to be done for each SIF to show that the SIL target and RRF can be achieved. Why?
- Because it tells everyone what RRF can be expected from each individual safety function.
- It confirms the basis of the design and the chosen proof test interval.
- It compares the calculated RRF for your design with the target, to show you can achieve the target.
- To predict the accident rate: H events/yr = Demand Rate (D) x PFDavg, or H = D / RRF.
Terminology

Symbol   Meaning
RRF      Risk Reduction Factor (e.g. 200)
SIL      Safety Integrity Level (depends on RRF; see the SIL tables)
D        Demand rate on the safety function (how often the SIF is demanded to respond to a hazard condition)
H        Hazardous event rate, also called accident rate (e.g. 0.1/yr = 1 in 10 years)
PFDavg   Average probability of failure on demand of the SIF
MTTFd    Mean time to fail dangerously (= 1/λd)
MTTFs    Mean time to fail safe, or spurious (= 1/λs)
MTTRd    Mean time to detect and repair a dangerous fault
Ti       Time interval between proof tests
λdd      Failure rate for dangerous detectable faults
λdu      Failure rate for dangerous undetectable faults
λsd      Failure rate for safe detectable faults

Notation: λ (lambda) is a failure rate; the subscripts s, d, dd, du and sd denote safe, dangerous, dangerous detected, dangerous undetected and safe detected failures.
PFDavg (average probability of failure on demand) is a function of:
1. the failure rate per hour for undetected faults, λdu
2. the test interval, Ti
3. the redundancy (1oo1, 1oo2, 2oo3, etc.)
Compare the PFDavg with the target PFDavg for the SIL range we need.

Two reasons to calculate it:
1. Because it can tell you the accident event rate: H = Demand Rate x PFDavg.
2. Because it helps you decide the SIL of your design: PFDavg defines the SIL range for the design (in terms of resistance to random hardware failures).
Figures (state-of-process timelines over a mission time of 1 yr and 2 yr): operating safely; accident prevented; proof test.
Low demand mode applies when the demand on the SIS is equal to or less than once per year (IEC 61511); alternatively, no more than two demands per proof test interval. Low demand calculations use PFDavg. Hazard event rate: H = D x PFDavg.

High demand mode applies when the demand on the SIS is more than once per year (IEC 61511); alternatively, more than two demands per proof test interval. High demand mode calculations use PFH, the probability of dangerous failure per hour (the same as the failure to danger rate). Hazard event rate: H = PFH.
In continuous mode the accident rate = probability of failure per hour of the EBC = failure rate per hour of the SIS.
Example: if PFH = 0.0001/hr, then H = 0.0001 per hour of service. If the machine is used for 5000 hrs/yr, the accident rate = 0.5/yr.

Flowchart: is the result acceptable? Yes / No.
Reliability block diagram of the SIS: Sensor (PFD1), Logic (PFD2), Actuator (PFD3).
If the fail to danger rate is λdu and the proof test interval is Ti:
PFDavg = λdu x Ti/2 (failure rate/yr x mean time to detect)
Example: fail to danger rate = 0.05 per year, Ti = 1 year: PFDavg = 0.05 x 1/2 = 0.025 (SIL 1).
Hazard rate versus demand rate, showing low and high demand modes (figure):
- Demand mode (D x Ti << 1): accident rate H = demand rate (D) x PFDavg of the SIS.
- Continuous mode (D x Ti > 1): accident rate H = fail rate λd.
- General curve: $H = \lambda_d \left(1 - e^{-D T_i/2}\right)$, which tends to D x PFDavg for small D x Ti and to λd for large D x Ti.
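Added example (not from the EIT slides): the three hazard rate relations above as Python functions, using the slide's 1oo1 figures (λd = 0.05/yr, Ti = 1 yr) and its PFH = 0.0001/hr machine example; the function names and the demand rate sweep are my own.

```python
import math


def pfd_avg_1oo1(lam_du, ti):
    """Average PFD of a single channel: lam_du * Ti / 2 (rate and Ti in the same units)."""
    return lam_du * ti / 2.0


def risk_reduction_factor(pfd_avg):
    """RRF = 1 / PFDavg, so H = D / RRF."""
    return 1.0 / pfd_avg


def sil_from_pfd(pfd_avg):
    """Low demand SIL band from PFDavg; returns 0 when the PFD is above the SIL 1 band."""
    if 1e-5 <= pfd_avg < 1e-4:
        return 4
    if 1e-4 <= pfd_avg < 1e-3:
        return 3
    if 1e-3 <= pfd_avg < 1e-2:
        return 2
    if 1e-2 <= pfd_avg < 1e-1:
        return 1
    return 0


def demand_mode(demand_rate_per_yr):
    """IEC 61511 boundary quoted on the slides: at most one demand per year is low demand."""
    return "low" if demand_rate_per_yr <= 1.0 else "high"


def hazard_rate_low_demand(demand_rate, pfd_avg):
    """Low demand mode: H = D x PFDavg."""
    return demand_rate * pfd_avg


def hazard_rate_general(lam_d, demand_rate, ti):
    """Curve from the figure: H = lam_d * (1 - exp(-D*Ti/2)).
    Tends to D * lam_d * Ti / 2 = D * PFDavg for small D*Ti and to lam_d for large D*Ti."""
    return lam_d * (1.0 - math.exp(-demand_rate * ti / 2.0))


def hazard_rate_continuous(pfh, hours_per_year):
    """Continuous / high demand mode: H per year = PFH x hours of service per year."""
    return pfh * hours_per_year


if __name__ == "__main__":
    lam_d, ti = 0.05, 1.0                      # slide example: 0.05/yr, Ti = 1 yr
    pfd = pfd_avg_1oo1(lam_d, ti)              # 0.025 -> SIL 1, RRF 40
    print(f"PFDavg={pfd:.4f} SIL {sil_from_pfd(pfd)} RRF={risk_reduction_factor(pfd):.0f}")
    for d in (0.1, 1.0, 10.0, 100.0):          # constructed sweep of demands per year
        print(f"D={d:6.1f}/yr {demand_mode(d):4s} demand  D*PFDavg={hazard_rate_low_demand(d, pfd):.4f}  "
              f"general={hazard_rate_general(lam_d, d, ti):.4f}  continuous limit={lam_d}")
    print(f"machine: {hazard_rate_continuous(1e-4, 5000):.2f} accidents/yr")   # 0.5/yr
```

The sweep shows the general curve sitting on D x PFDavg while D x Ti is small and flattening onto λd once demands come faster than the proof test can reveal faults.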
PFD versus time for a single channel (figure): the probability of failure grows from each proof test as $p(t) = \lambda_d t$, resetting at 0, Ti, 2Ti; the average value over the interval is $PFD_{avg} = \lambda_d T_i / 2$.
Single channel SIS fail rates (figure):
- Spurious (safe) failure rate $\lambda_S = 1/MTBF_{sp}$
- Dangerous failure rate $\lambda_D = 1/MTTF_D$, split by the diagnostic coverage C into $\lambda_{DD} = C\lambda_D$ (detectable by self diagnostics) and $\lambda_{DU} = (1-C)\lambda_D$ (undetectable except by manual proof testing)
- $\lambda_S + \lambda_{DD}$ causes loss of production: it trips the plant unless 2oo3 or 2oo2 voting is used
Reliability analysis example: find the safe and dangerous failure modes
SIS high level trip (figure): tags shown are LT 1, LT 2, logic solver, LC 1, I/P, FC (two feed valves), PSV, AS, fluid feed.
Assume out of range detection is provided (forcing a trip). Fail modes per year, by device:
- LE connection: bottom blocked 0.1; top leaks 0.2
- LT electronics: runs low 0.05; runs high 0.02
- Cable: breaks 0.01; shorts across LT 0.1
- Power: lost power 0.02
Classify each mode as λsp, λdu or λdd and find the totals for the sensor subsystem.
Formula set for a single channel (1oo1) SIS:
- Overt failures: spurious trip rate $\lambda_S = 1/MTBF_{sp}$. Together with $\lambda_{DD}$ this gives loss of production, tripping the plant unless 2oo3 or 2oo2 voting is used.
- Covert failures: dangerous failure rate $\lambda_D = 1/MTTF_D$; C = coverage; $\lambda_{DD} = C\lambda_D$ (detectable by self diagnostics); $\lambda_{DU} = (1-C)\lambda_D$ (detectable only by manual proof testing).
- PFD1 = $\lambda_{DD} \times MTTR$ (dangerous detected faults, awaiting repair)
- PFD2 = $\lambda_{DU} \times T_i/2$ (dangerous undetected faults, awaiting the proof test)
Figure 8.6: multi-channel formula sets for PFD and λs (excluding common mode failures). Overt failures: spurious trip rate $\lambda_s = 1/MTBF_{sp}$. Covert failures, detectable by self diagnostics: $\lambda_{DD} = DC \cdot \lambda_D$; undetected: $\lambda_{DU} = (1 - DC)\lambda_D$, with DC the diagnostic coverage. Formula sets 1, 2 and 3 apply to 1oo1, 1oo2 and 2oo2/2oo3 respectively.

Voting   Spurious trip rate            PFD due to diagnostics (detected but not tripped)   PFD due to proof test
1oo1     $\lambda_s$                   $\lambda_{DD} \cdot MTTR$                           $\lambda_{DU} T_i / 2$
1oo2     $2\lambda_s$                                                                      $(\lambda_{DU} T_i)^2 / 3$
2oo2     $2\lambda_s^2 \cdot MTTR$
2oo3     $6\lambda_s^2 \cdot MTTR$     $6\lambda_{DD}^2 \cdot MTTR^2$                      $(\lambda_{DU} T_i)^2$

(Cells left blank are not recoverable from the slide; the 1oo2 and 2oo3 proof test entries are the formulas used in the worked examples that follow.)
Also see:
1. exida.com Reliability Handbook
2. Manufacturers' safety manuals for specific SIL certified instruments
3. Faradip 3 Database
4. exida.com Safety Automation Equipment List and Functional Safety Assessment Reports: http://www.exida.com/index.php/resources/sael/
1oo2 voting (figure): two channels, each with dangerous undetected failure rate λdu; λdd omitted for clarity. If the fail to danger rate is λdu and the proof test interval is Ti:
$PFD_{avg} = (\lambda_{du} T_i)^2 / 3$
Example: if the fail to danger rate = 0.05 per year and Ti = 1 year, PFDavg = (0.05 x 1)^2 / 3 = 0.00083 (SIL 3).

Beta factor: common cause failures in redundant SIS channels (figure). Each channel carries the independent portion $(1-\beta)\lambda_d$; the common cause portion $\beta\lambda_d$ is shared by all channels.
1oo2 with common cause. If the fail to danger rate is λdu and the proof test interval is Ti:
$PFD_{avg} = \frac{((1-\beta)\lambda_{du} T_i)^2}{3} + \frac{\beta\lambda_{du} T_i}{2}$
Example: fail to danger rate = 0.05 per year, Ti = 1 year, beta = 5%: PFDavg = (0.95 x 0.05 x 1)^2 / 3 + (0.05 x 0.05 x 1/2) = 0.002 (SIL 2).

2oo3 with common cause. If the fail to danger rate is λdu and the proof test interval is Ti:
$PFD_{avg} = ((1-\beta)\lambda_{du} T_i)^2 + \frac{\beta\lambda_{du} T_i}{2}$
Example: fail to danger rate = 0.05 per year, Ti = 1 year, beta = 5%: PFDavg = (0.95 x 0.05 x 1)^2 + (0.05 x 0.05 x 1/2) = 0.0035 (SIL 2).
1oo2 subsystem with detected and undetected dangerous failures (figure: each channel $(1-\beta)\lambda_d$). Terms:
- λDU: dangerous undetected failure rate for one channel
- λDD: dangerous detected failure rate for one channel
- β: common cause factor for dangerous and safe failures
- Ti: proof test interval
- MTTR: mean time to detect and repair a detectable fault
The PFD is the sum of the undetected voting portion, the detected voting portion, the undetected common portion and the detected common portion $\beta\lambda_{DD} \times MTTR$. For the example values given with the 2oo3 case below, the detected common portion is 2.70E-05 and the PFD for the 1oo2 subsystem is 3.20E-03.
2oo3 subsystem (figure: each channel $(1-\beta)\lambda_d$ plus the common portion):
$PFD_{avg} = ((1-\beta)\lambda_{DU} T_i)^2 + 6((1-\beta)\lambda_{DD}\, MTTR)^2 + \frac{\beta\lambda_{DU} T_i}{2} + \beta\lambda_{DD}\, MTTR$
with Ti and MTTR in hours. Example: Ti = 8760 h, MTTR = 24 h.

Term                                  Value
$((1-\beta)\lambda_{DU} T_i)^2$       2.03E-03
$6((1-\beta)\lambda_{DD}\, MTTR)^2$   3.54E-07
$\beta\lambda_{DU} T_i / 2$           2.50E-03
$\beta\lambda_{DD}\, MTTR$            2.70E-05
PFD for 2oo3 subsystem                4.55E-03
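Added example, not part of the slides: the 1oo1D, 1oo2 and 2oo3 beta-factor formulas as Python functions, checked against the term table above and against Design Version A later in this unit. The per-hour inputs used to reproduce the term table (λDU = 5.71E-06/hr as in the sensing table, λDD = 1.125E-05/hr, β = 10%) are my assumptions chosen to match the printed terms; the function names are mine.

```python
HOURS_PER_YEAR = 8760.0


def pfd_1oo1d(lam_du, lam_dd, ti, mttr):
    """Single channel with diagnostics: PFD1 + PFD2 = lam_dd*MTTR + lam_du*Ti/2.
    Rates and times must share one unit system (per hour with hours, or per year with years)."""
    return lam_dd * mttr + lam_du * ti / 2.0


def pfd_1oo2(lam_du, lam_dd, beta, ti, mttr):
    """1oo2 with beta factor: undetected voting portion ((1-b)*lam_du*Ti)^2/3 plus the
    common cause portions b*lam_du*Ti/2 and b*lam_dd*MTTR. The slide's 1oo2 total
    contains no detected voting term, so none is added here."""
    voting_du = ((1.0 - beta) * lam_du * ti) ** 2 / 3.0
    common_du = beta * lam_du * ti / 2.0
    common_dd = beta * lam_dd * mttr
    return voting_du + common_du + common_dd


def pfd_2oo3(lam_du, lam_dd, beta, ti, mttr):
    """2oo3 with beta factor: the four-term formula from the slide."""
    voting_du = ((1.0 - beta) * lam_du * ti) ** 2
    voting_dd = 6.0 * ((1.0 - beta) * lam_dd * mttr) ** 2
    common_du = beta * lam_du * ti / 2.0
    common_dd = beta * lam_dd * mttr
    return voting_du + voting_dd + common_du + common_dd


def term_table_example():
    """Reproduce the slide's term table. Inputs are assumptions chosen to match the
    printed terms: lam_du = 5.71E-06/hr (sensing table), lam_dd = 1.125E-05/hr,
    beta = 10 %, Ti = 8760 h, MTTR = 24 h. Returns the 1oo2 and 2oo3 subsystem PFDs."""
    lam_du, lam_dd, beta, ti, mttr = 5.71e-6, 1.125e-5, 0.10, 8760.0, 24.0
    return {"1oo2": pfd_1oo2(lam_du, lam_dd, beta, ti, mttr),   # about 3.20E-03
            "2oo3": pfd_2oo3(lam_du, lam_dd, beta, ti, mttr)}   # about 4.55E-03


def design_version_a():
    """Design Version A from the later slides, per-year units, Ti = 1 yr:
    sensors 1oo2 (lam_du 0.05, beta 5 %), logic 1oo1D (lam_d 0.05, C 95 %, MTTR 24 h),
    actuators 1oo2 (lam_du 0.1, beta 10 %). Sensors and actuators carry no lam_dd."""
    mttr_yr = 24.0 / HOURS_PER_YEAR
    lam_d_logic, coverage = 0.05, 0.95
    sensors = pfd_1oo2(0.05, 0.0, 0.05, 1.0, mttr_yr)                                   # 0.002
    logic = pfd_1oo1d((1.0 - coverage) * lam_d_logic, coverage * lam_d_logic, 1.0, mttr_yr)  # 0.00138
    actuators = pfd_1oo2(0.1, 0.0, 0.10, 1.0, mttr_yr)                                  # 0.0077
    return {"sensors": sensors, "logic": logic, "actuators": actuators,
            "sis": sensors + logic + actuators}


if __name__ == "__main__":
    for name, value in term_table_example().items():
        print(f"PFD for {name} subsystem: {value:.2E}")
    for name, value in design_version_a().items():
        print(f"Design A {name}: {value:.5f}")
```

The same functions with the sensing table's per-hour rates (λDU = 5.71E-06/hr, λDD = 0, β = 5%) return the 2.50E-02, 2.00E-03 and 3.51E-03 printed for 1oo1, 1oo2 and 2oo3 in that table.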
Worked example: apply testing or diagnostics, then apply the calculation

Subsystem   λd (per yr)   MTTF     Method
Sensor      λd1 = 0.2     5 yrs    Proof testing
Logic       λd2 = 0.02    50 yrs   Auto diagnostics
Actuator    λd3 = 0.1     10 yrs   Proof testing

PFD averages: sensor 0.01, logic 0.005, actuator 0.01. Overall PFDavg = 0.025 = 2.5E-2, which qualifies for SIL 1 (E-1 to E-2).

SIL allocation across the SIS (figure): sensor SIL 2, logic SIL 1, actuator SIL 1; SIS SIL 1.
SIS analysis, steps 1 and 2 (figures): draw the reliability block diagram Sensor, Logic, Actuator, then assign the voting for each subsystem: Sensor 1oo2D, Logic 1oo1D, Actuator 1oo2.
SIS analysis, step 3: expand the details for each single channel. For the sensor subsystem (1oo2D) expand the process connection and the transmitter and apply fail rates for each item; the logic is 1oo1D.
SIS analysis, step 4: decide λdu, λdd and λs for the elements (process connection, transmitter). Step 5: enter the values in the table and totalize. Subsystem totals on the slide, per hour: λSD 3.42E-05, λSU 0.00E+00, λDD 1.71E-05, λDU 7.42E-06.
SIS analysis, step 6: find the PFDavg for the 1oo2 subsystem. Break out the common cause failure fraction for the redundant channels (each channel $(1-\beta)\lambda_d$, with $\beta\lambda_d$ common), calculate the PFD for each portion and add them together. Then combine the PFDavg of the subsystems: Sensor 1oo2, Logic 1oo1, Actuator 1oo2.
Design Version A, PFD (Ti = 1 yr)
- Sensors 1oo2: λDU = 0.05/yr, β = 5% (0.0475 per channel, 0.0025 common)
- Logic solver 1oo1D: λD = 0.05/yr, C = 95%: λDD = 0.0475, λDU = 0.0025
- Actuators 1oo2: λDU = 0.1/yr, β = 10% (0.09 per channel, 0.01 common)

Dual sensors PFD = 0.00075 + 0.00125 = 0.002
Logic solver PFD = 0.00013 + 0.00125 = 0.00138
Dual actuators PFD = 0.005 + 0.0027 = 0.0077
Sensing subsystem failure rates (per hour)

Element              λSD/hr     λSU/hr     λDD/hr     λDU/hr
1 to 5 (totals)      1.14E-05   0.00E+00   0.00E+00   5.71E-06

Calculation results for sensing: safe failure fraction 66.7%; diagnostic coverage 0.0%; PFDavg for 1oo1 2.50E-02; PFDavg for 1oo2 2.00E-03; PFDavg for 2oo3 3.51E-03.
Spurious trip rates, single channel:
- Sensor: λs = 1/5 x 0.75 = 0.15/yr
- Logic: λs = 1/10 x 0.5 = 0.05/yr; λdd = C x λd = 95% x 0.05 = 0.0475/yr
- Actuator: λs = 1/2 x 0.8 = 0.4/yr
Design Version A, spurious trips
- Dual sensors (1oo2): spurious = 0.28 trips per yr
- Logic solver (1oo1D): 0.097 trips per yr (λs + λdd, since a detected dangerous fault also trips)
- Dual actuators (1oo2): spurious = (2 x 0.36) + (1 x 0.04) = 0.76 trips per yr
Spurious trip rate = 0.28 + 0.097 + 0.76 = 1.14 trips per year
Design Version B: 2oo3 sensors instead of 1oo2 (figure: each channel 0.135, common 0.015)
- Dual sensors (1oo2): spurious = 2 x 0.15 = 0.30 trips per yr
- 2oo3 sensors: spurious = $6\lambda_s^2 \cdot MTTR + \beta\lambda_s$ = (6 x 0.135^2 x 8/8760) + 0.015 = 0.0001 + 0.015 = 0.015 trips per yr
From 0.3 per year to 0.015/yr. If 1 trip costs AUD 50 000, what is the annual saving?

Summary: the analysis gives the PFDavg for each section of the SIS, shows the benefits of redundancy or voting schemes, helps decide the proof testing intervals and predicts the accident rate.
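Added example, not from the slides: the spurious trip arithmetic of Versions A and B in Python, with each device's λs and λdd derived from the single channel figures (MTTF, safe fraction, coverage). A sensor β of 10% for both versions and the 8 h sensor MTTR are assumptions read off the Version B figures; the function names are mine.

```python
HOURS_PER_YEAR = 8760.0


def split_failure_rate(mttf_years, safe_fraction, coverage):
    """Split a device failure rate 1/MTTF (per year) into safe, dangerous detected and
    dangerous undetected parts, as on the single channel fail rate slide."""
    lam = 1.0 / mttf_years
    lam_s = lam * safe_fraction
    lam_d = lam - lam_s
    return lam_s, coverage * lam_d, (1.0 - coverage) * lam_d


def spurious_1oo1d(lam_s, lam_dd):
    """A 1oo1D channel trips the plant on safe failures and on detected dangerous ones."""
    return lam_s + lam_dd


def spurious_1oo2(lam_s, beta):
    """Either of two channels trips: 2*(1-beta)*lam_s independent plus beta*lam_s common."""
    return 2.0 * (1.0 - beta) * lam_s + beta * lam_s


def spurious_2oo3(lam_s, beta, mttr_years):
    """2oo3 needs two independent safe failures within one repair time,
    6*((1-beta)*lam_s)^2*MTTR, plus the common cause part beta*lam_s."""
    lam_ind = (1.0 - beta) * lam_s
    return 6.0 * lam_ind ** 2 * mttr_years + beta * lam_s


def annual_saving(trips_before, trips_after, cost_per_trip):
    """Money saved per year by cutting the spurious trip rate (both rates per year)."""
    return (trips_before - trips_after) * cost_per_trip


def design_versions(beta_sensors=0.10, beta_actuators=0.10, sensor_mttr_hours=8.0):
    """Spurious trips per year for Version A (1oo2 sensors) and Version B (2oo3 sensors).
    Device data are the slide's; the sensor beta and MTTR defaults are assumptions."""
    sens_s, _, _ = split_failure_rate(5.0, 0.75, 0.0)        # 0.15/yr
    log_s, log_dd, _ = split_failure_rate(10.0, 0.5, 0.95)   # 0.05/yr, 0.0475/yr
    act_s, _, _ = split_failure_rate(2.0, 0.8, 0.0)          # 0.4/yr
    logic = spurious_1oo1d(log_s, log_dd)                    # 0.0975 (slide: 0.097)
    actuators = spurious_1oo2(act_s, beta_actuators)         # 0.76
    sensors_a = spurious_1oo2(sens_s, beta_sensors)          # 0.285 (slide rounds to 0.28)
    sensors_b = spurious_2oo3(sens_s, beta_sensors, sensor_mttr_hours / HOURS_PER_YEAR)  # 0.0151
    return {"A": sensors_a + logic + actuators, "B": sensors_b + logic + actuators}


if __name__ == "__main__":
    for version, rate in design_versions().items():
        print(f"Version {version}: {rate:.3f} spurious trips per year")
    print(f"Saving at AUD 50 000 per trip: AUD {annual_saving(0.3, 0.015, 50_000):,.0f} per year")
```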
Figures: high pressure (Hp) safety trip, with PSH feeding the SIS which removes power; so H = 5.7E-06/hr = 0.05/yr. Final figure: demand on the SIS leading to H = hazardous event.