EIT: E-Cert SS: Unit 7
EIT Safety Instrumentation E-Learning
Instrument Selection

Slide 1: SAFETY INSTRUMENTED SYSTEMS & EMERGENCY SHUTDOWN SYSTEMS for Process Industries using IEC 61511 and IEC 61508
Unit 7: SIL Instrument Selection
Version for EQO26: 7 November 2012
Presented by Dave Macdonald, EIT Cape Town South Africa
Contact E-mail: macdond@telkomsa.net
www.eit.edu.au

Slide 2: Introduction to Chapter 7: Practical selection of sensors and actuators for safety duties
- Impact on SIS reliability
- Types of sensors and actuators
- Failure modes and causes
- Knowledge of the rules + experience (if you can get it!)
- Separation, redundancy, diversity, diagnostics
- Device selection issues: what IEC 61511 requires + common sense
- Technologies: safety certified instruments and fieldbus

Slide 3: Key Points about Sensors and Actuators
- Sensors and actuators remain the most critical reliability items in an SIS
- Separation, diversity and redundancy are critical issues
- Safety related instruments must have a proven record of performance
- IEC 61508 / 61511 have specific requirements
- Logic solver intelligence and communications power will help to provide diagnostic capabilities to assist field device reliability
- Failure modes and common cause issues are potential problems for intelligent instruments

Slide 4: IEC 61511 and other guidance sources
- Instrument practice for safety systems: well established
- ISA S84.01 Appendix B: obsolete standard but still relevant
- IEC 61511 specifics defined in clauses 11.5 and 11.6 of part 1
- Gruhn & Cheddie ISA textbook, chapter 9

IEC 61511-1 Paragraph 11.5: Requirements for selection of components and subsystems
11.5.2.1 Components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with 11.4 and 11.5.3 to 11.5.6, as appropriate.

Routes to qualification (as labelled on the slide): Certified compliant to IEC 61508; Fault tolerance; Prior use justification.

Slide 5: Sensors and Actuators Dominate Reliability Issues

Table 7.1: Typical reliability table

Item                                    | Fail to danger rate / yr | PFDavg (3 month proof test) | PFDavg % of total
Input sensor loop                       | 0.05                     | 0.006                       | 32
SIL 3 logic solver PLC                  | -                        | 0.0005                      | 3
Output actuator loop (solenoid + valve) | 0.1                      | 0.0125                      | 65
Totals                                  |                          | 0.019 (SIL 1)               | 100

The field devices taken together contribute 97% of the PFD for this example. The PFD figures for the field devices are affected by environmental conditions and maintenance factors. PES logic solvers benefit from auto-diagnostics.

Slide 6: Bus connected safety certified instruments
- Foundation Fieldbus
- PROFIsafe
- ASI Safety bus
See Session 5.

Slide 7: Advantages of Analog Transmitters Over Switches
- Good reliability and accuracy
- Signal present at all times: improved SFF
- Potential for diagnostics, easier to detect faults
- Possible to compare signal with other parameters
- Trending and alarming available
- Multiple set points
- Competitive pricing
- Rationalized spares

Slide 8: Potential Causes of Failures in Sensors
- Components of the instrument
- Process connection: fouling / corrosion / process fluids / clogging
- Wiring
- Environmental: process / climate / electrical
- Specification / range / resolution
- Response time
- Power supplies
- Intrinsic safety barriers
- Calibration / testing / left on test / isolated

Slide 9: Final Control Elements or Actuators
Figure 7.4 (diagram): two trip arrangements.
- Process valve trip: SIS logic acts on the process trip valve.
- Electrical drive trip: SIS logic acts through the interlocks on the 380 V ac power to the motor (M).

Slide 10: E-Stop operation with VSD / Inverter Drive
Stop Category 1; Safety Control Category 2
Diagram elements: E-Stop command to a safety relay (with power and reset); relay K1, time delayed, acting on the drive controller that feeds the motor (M).

Slide 11: Potential Causes of Failures in Final Elements
- Components of the actuator, positioner; mechanical failures of springs
- Process connection / leaks; mechanical distortion of pipes causing stress in the valve
- Valve internal faults due to fouling or corrosion by process fluids / jamming / sticking / leaking
- Wiring to solenoids
- Pneumatics / venting failures
- Environmental: physical impacts / fire / freezing or icing up
- Solenoid valves sticking or blocking

Slide 12: General Requirements for Fail-safe Operation
- Sensor contacts closed during normal operation
- Tx signals go to trip state upon failure (normally < 4 mA)
- Broken wire = trip
- Output contacts closed and energized for normal operation
- Final trip valves go to trip (safe) position on air failure
- Drives go to stop on trip or SIS signal failure

Slide 13: For an instrument to qualify for a SIL target
Either: Prior use (analog or switch, SIL 1 or 2)
Or: Build to IEC 61508 HW & SW and certify to IEC 61508 (smart tx)
- SIL 3 requires assessment and a safety manual
- Apply IEC 61511 limitations
- And the PFD must satisfy the SIL target

Slide 14: Sharing of Sensors with BPCS
Do not share sensors because it:
- Violates the principles of independence
- Creates a high level of common cause failure
- Does not create a separate layer of protection
- Does not provide secure maintenance

Slide 15: Snap question: What is wrong with this safety trip design?
Figure 7.5 (diagram): Boiler steam drum with a single level transmitter LT 1 feeding both the level controller LIC 1 (feed water supply) and the SIS logic solver (LSL → boiler trip logic).
Snap question: Draw a better arrangement.

Slide 16: Figure 7.5 cont. Separate Sensors for Control and Trip: Acceptable
Diagram: Boiler steam drum with two level transmitters: LT to the SIS logic solver (LSL → boiler trip logic) and LT 1 to LIC 1 (feed water supply).

Slide 17: Fault Tree Analysis for Boiler Low Level Trip
Figure 7.6

Shared sensor: Boiler damage (low level and NO TRIP) 0.105 / yr
  OR of:
    LT-1 fails high, no trip; LIC-1 causes low level: 0.1 / yr
    FW fails AND no trip: 0.005 / yr
      FW fails: 0.2 / yr
      Trip fails on demand from FW failure: PFD = 0.1/2 x 0.5 = 0.025

Separate sensor: Boiler damage (low level and NO TRIP) 0.0075 / yr
  AND of:
    Low level: 0.3 / yr
      OR of: LIC causes low level 0.1 / yr; FW fails 0.2 / yr
    LT-2 fails high, trip fails on demand: PFD = 0.1/2 x 0.5 = 0.025
www.eit.edu.au
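The two fault trees of Figure 7.6 evaluated numerically, as an added worked example (not part of the original slides). It uses only the rates on the slide and treats the trip transmitter as a 1oo1 proof-tested channel with PFD = λdu x Ti/2; the class and function names are constructed for this example.

```python
"""Figure 7.6: boiler damage rate (low level and no trip) with a level
transmitter shared between LIC-1 and the SIS versus a separate trip
transmitter LT-2.  Rates are the slide's figures, per year."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BoilerRates:
    lic_causes_low_level: float = 0.1  # /yr, control loop drives the drum low
    feedwater_fails: float = 0.2       # /yr, process demand independent of the sensor
    lt_fails_high: float = 0.1         # /yr, dangerous failure of a level transmitter
    proof_test_interval: float = 0.5   # yr, manual proof test of the trip transmitter


def trip_pfd(r: BoilerRates) -> float:
    """1oo1 proof-tested trip transmitter: PFD = lambda_du x Ti / 2 (0.025 here)."""
    return r.lt_fails_high * r.proof_test_interval / 2


def shared_sensor_damage_rate(r: BoilerRates) -> float:
    """Shared LT-1, top OR gate of the left tree.

    Branch 1: LT-1 fails high.  LIC-1 then runs the level low and the trip,
    reading the same failed transmitter, cannot see it, so the sensor failure
    rate passes straight through as an accident rate.
    Branch 2: feed water fails AND the trip is unavailable on demand.
    """
    return r.lt_fails_high + r.feedwater_fails * trip_pfd(r)


def separate_sensor_damage_rate(r: BoilerRates) -> float:
    """Separate LT-2, top AND gate of the right tree: low level from either
    cause AND the independent trip transmitter failed on demand."""
    demand_rate = r.lic_causes_low_level + r.feedwater_fails
    return demand_rate * trip_pfd(r)


def delivered_rrf(r: BoilerRates, damage_rate: float) -> float:
    """Risk reduction actually obtained = hazard demand rate / accident rate."""
    demand_rate = r.lic_causes_low_level + r.feedwater_fails
    return demand_rate / damage_rate


if __name__ == "__main__":
    rates = BoilerRates()
    for label, fn in (("shared LT-1", shared_sensor_damage_rate),
                      ("separate LT-2", separate_sensor_damage_rate)):
        h = fn(rates)
        print(f"{label:14s} boiler damage {h:.4f}/yr  RRF {delivered_rrf(rates, h):.1f}")
```

The shared arrangement delivers a risk reduction of under 3 against the 40 of the separate transmitter, which is the quantitative form of the Slide 14 objection.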

Slide 18: Separation Rules: Field Sensors (IEC 61511 part 2: 11.2.4)
- Sharing of a sensor between SIS and BPCS is only allowed if the safety integrity targets can be met. This would require sensor diagnostics and is only likely to be possible for SIL 1.
- A separate sensor is allowed to be copied to the BPCS via an isolator.
- SIL 2, 3 and 4 normally require separate sensors with redundancy.
- SIL 3 and 4 normally require separation and diverse redundancy.

Slide 19: Separation Rules: Final Elements (IEC 61511 part 2: 11.2.4)
- A single valve may be used for both BPCS and SIS but is not recommended if valve failure places a demand on the SIS.
- Normally a shared valve can only be used if diagnostic coverage and reaction time are sufficient to meet the safety integrity requirements.
- Recommendations for a single valve application: see the following slides.
- SIL 2 and SIL 3 normally require identical or diverse separation. Diversity is not always desirable.

Slide 20: Arrangement for Tripping of Shared Control Valve: SIL 1
Figure 7.7 (diagram): SIS and BPCS both act on the control valve FV through the positioner and FY (A/S = air supply). Solenoid valve direct acting, direct mounted; de-energise to vent the actuator.
Check hazard demands due to the valve.

Slide 21: Diverse Separation of Control and Shutdown Valves, SIL 2 and SIL 3
Figure 7.8 (diagram): the SIS trips a shutdown valve separate from the BPCS control valve (FY, A/S = air supply).
Check hazard demands due to the valve.

Slide 22: Sensor Diagnostics
- Do not confuse with proof testing
- Compare trip transmitter value with related variables (not often practicable)
- Use safety transmitters if available
- Use smart transmitters with diagnostic alarm, but see next slide

Slide 23: Valve Diagnostics
Assurance that a trip valve will respond correctly when needed:
- Freedom of movement, full travel
- Correct venting of actuator
- Correct rate of response
- Absence of sticking
- Trip signals and solenoid all working

Slide 24: Methods for Valve Diagnostics
- Online trip testing
- Discrepancy alarm
- Position feedback response testing
- Partial closure testing, manual or automatic
- Smart positioners / certified safety positioner

Slide 25: IEC Architectural Constraints as per IEC 61508
IEC 61508 places an upper limit on the SIL that can be claimed for any safety function on the basis of the fault tolerance of the subsystems that it uses.
The limit is a function of:
- the HW fault tolerance
- the safe failure fraction
- the degree of confidence in the behaviour under fault conditions
Details in IEC 61508 part 2.

Slide 26: IEC 61508 Classification of Equipment
IEC defines two types of equipment for use in safety systems:
- Type A: simple devices, non-PES. E.g. limit switch, level float switch, analogue circuits.
- Type B: complex devices, including PES. E.g. smart transmitters, digital communications, processor based systems.
For a given fault tolerance the SIL that can be claimed for type B is lower than for type A, except under certain conditions.

Slide 27: IEC 61511-1 Table 6: Minimum hardware fault tolerance of sensors, final elements and non-PES logic

SIL | Minimum HW fault tolerance
1   | 0
2   | 1
3   | 2
4   | Special requirements: see IEC 61508

The following summarized conditions apply for SIL 1, 2 and 3:
- Increase FT by 1 if the instrument does not have fail-safe characteristics.
- Decrease FT by 1 if the instrument meets 4 conditions: predominately fail safe; prior use (proven in use); limited device adjustment (process parameters only); password protected.
- Alternatively tables 2 and 3 of IEC 61508 may be applied with an assessment.

Slide 28: Example for Level Switch: Extract from the device's safety manual (figure)

Slide 29: Example for Level Switch: Extract from safety manual, continued (figure)

Slide 30: Example for Level Switch: Extract from safety manual, continued (figure)

Slide 31: Redundancy Options

Table 7.4: Sensor or actuator configuration

Configuration | Selection
1oo1          | Use if the PFD, FT and nuisance trip targets are all met.
1oo2          | 2 sensors installed, 1 required to trip. PFD value improved, nuisance trip rate doubled.
2oo3          | 3 sensors installed, 2 required to trip. PFD improved over 1oo1, nuisance trip rate dramatically reduced.

Slide 32: Common Cause Failures in Sensors
- Wrong specification
- Hardware or circuit design errors
- Environmental stress
- Shared process connections
- Wrong maintenance procedures
- Incorrect calibrators

Slide 33: Comments on Redundancy in Sensors
Figure 7.10 (diagram): two pressure transmitters PT 1A and PT 1B feeding the SIS.
Be careful to analyze for common cause faults, e.g. try to avoid the arrangement shown.

Slide 34: Comments on Diverse Redundancy in Sensors
Where the measurement is the problem, use diverse redundancy, e.g. steam or ammonia overpressure protection.
Figure 7.11 (diagram): pressure transmitter PT 01 and temperature transmitter TT 01 both feeding the SIS.

Slide 35: Requirements for a Device to be Proven-in-use
- Evidence that the instrument is suitable for SIS
- Consider the manufacturer's QA systems
- PES devices need extra validation
- Performance record in a similar profile
- Adequate documentation
- Volume of experience: > 1 yr exposure per case
Collect the records of every maintenance event per instrument.

Slide 36: The approved safety instrument list: key job for the maintenance team
- Each instrument that is suitable for SIS
- Update and monitor the list regularly
- Add instruments only when the data is adequate
- Remove instruments from the list when they let you down
- Adequate details: include the process application

Slide 37: Additional requirements for smart transmitters and actuators
- Details in IEC 61511 11.5.4 for devices with Fixed Programming Languages (FPLs)
- Extra for SIL 3: formal assessment of low probability of failure in the planned application
- Appropriate standards used in build
- Consider the manufacturer's QA systems
- Must have a safety manual

Slide 38: HART Transmitter With Diagnostic Input
Figure 7.12 (diagram): smart transmitter → 4-20 mA + FSK data → AI of the SIS logic solver; HART interface → status alarm → DI of the SIS logic solver; hand held programmer on the loop.
FSK = Frequency Shift Keyed

Slide 39: Example of a Safety Critical Transmitter
Figure 7.14 (figure)

Slide 40: Benefits of a Safety Certified Transmitter
- Internal diagnostics with high coverage factor
- Very low PFDavg values; saves on proof testing etc.
- Certified for single use in SIL 2 (instead of dual channel)
- Certified for dual redundant use in SIL 3 (instead of 1oo3)
- End user verification is simplified

Slide 41: Importance of the Safety Manual
The safety manual presents all the essential information and set-up conditions that must be followed to allow the instrument to be validated for any given application. The manual also supplies the failure rate summary and the expected PFDavg. Compliance with the safety manual requirements must be demonstrated in the validation phase.
See examples of safety manuals and FMEDA reports.

Slide 42: Importance of the Safety Certificate
The safety certificate is issued by the testing body to clearly define what products have been tested and what standards and limitations have been applied in the evaluation. The safety certificate is an essential document for the validation phase. See examples of safety certificates: 3051C and Rex Radar.

Testing authorities include:
- TUV Rheinland
- Exida.com
- Any recognized testing body that can show competency in the SIS field
Note: Exida specializes in certifying instruments claiming prior use qualification. Reports supply SFF and failure rate data with a declaration of the fault tolerance requirements relevant to IEC 61511. See examples.

Slide 43: Field Devices Summary
- Instruments must be well proven for safety with an assessment report, or certified SIL capable to IEC 61508
- Intelligent instruments are treated as PES
- Separation, redundancy, diversity, diagnostics
- Diagnostic coverage via smarts or logic solver
- Bus technology established and growing

EIT EQO26: Unit 8
Reliability Analysis
EIT Safety Instrumentation E-Learning

Slide 44: SAFETY INSTRUMENTED SYSTEMS & EMERGENCY SHUTDOWN SYSTEMS for Process Industries using IEC 61511 and IEC 61508
Unit 8: Reliability Analysis
Version for EQO26: 7 November 2012
Presented by Dave Macdonald, EIT Cape Town South Africa
Contact E-mail: macdond@telkomsa.net

Slide 45: Introduction to Chapter 8: Reliability Analysis of the SIS
The task of measuring or evaluating the SIS design for its overall safety integrity:
- Reasons and objectives
- Resolving the SIS into reliability block diagrams
- Identification of formulae
- Trial calculation examples
- Calculation software tools

Slide 46: IEC 61511 requires reliability analysis to be done for each SIF to show that the SIL target and RRF can be achieved. Why?
- Because it tells everyone what RRF can be expected from each individual safety function.
- It confirms the basis of the design and the chosen proof test interval.
- It compares the calculated RRF for your design with the target to show you can achieve the target.
- To predict the accident rate: H events/yr = Demand rate (D) x PFDavg, or H = D / RRF.

Slide 47: Terminology
RRF    | Risk Reduction Factor (e.g. 200)
SIL    | Safety Integrity Level (depends on RRF; see SIL tables)
D      | Demand rate on the safety function (how often the SIF is demanded to respond to a hazard condition)
H      | Hazardous event rate (also called accident rate) (e.g. 0.1/yr = 1 in 10 years)
PFDavg | Average probability of failure on demand of the SIF

Slide 48: Terminology
MTTFd | Mean time to fail dangerously (= 1/Zd)
MTTFs | Mean time to fail safe (or spurious) (= 1/Zs)
MTTRd | Mean time to detect and repair a dangerous fault
Ti    | Time interval between proof tests
Zdd   | Failure rate for dangerous detectable faults
Zdu   | Failure rate for dangerous undetectable faults (requires proof testing)
Zsd   | Safe revealed failure rate (causes spurious trip or loss of the affected safety channel)

Slide 49: Risk Reduction Factor and PFDavg
RRF = 1 / PFDavg
(PFDavg = average probability of failure on demand)
PFDavg is a function of:
1. Failure rate per hour for undetected faults: Ldu
2. Test interval: Ti
3. Redundancy (1oo1, 1oo2, 2oo3, etc.)
Compare PFDavg with the target PFDavg for the SIL range we need.

Slide 50: Snap Question: Why is PFD so useful to know?
1. Because it can tell you the accident event rate: H = Demand rate x PFDavg
2. Because it helps you decide the SIL of your design: PFDavg defines the SIL range for the design (in terms of resistance to random hardware failures)

Slide 51: Failure scenario for an Untested SIF
Timeline of the state of the process over a 2 yr mission time (marks at 1 yr and 2 yr): operating safely → unrevealed dangerous fault occurs → operating but not protected → hazardous condition occurs (demand) → reportable accident occurs.

Slide 52: Low Demand Mode: Proof tested SIF repaired before demand
Timeline of the state of the process over a 1 yr mission time (proof test at 0.5 yr): operating safely → unrevealed dangerous fault occurs → operating but not protected → proof test reveals fault → fault repaired → operating safely → hazardous condition occurs (demand) → accident prevented.

Slide 53: Low Demand Mode: Proof tested SIF but failure on demand
Timeline of the state of the process over a 1 yr mission time (proof test at 0.5 yr): operating safely → unrevealed dangerous fault occurs → operating but not protected → demand occurs before the next proof test → failure (to respond) on demand → reportable accident occurs.

Slide 54: Diagnostic + Proof Tested SIF
Timeline of the state of the process over a 2 yr mission time: operating safely → detectable dangerous fault occurs → diagnostic test reveals fault → fault detected & repaired → accident prevented. Proof test for undetected faults continues. Diagnostic test typically 100 times/day.
PFDavg = MTTD&R x fail danger rate

Slide 55: Low Demand Mode versus High Demand Mode
- Low demand mode applies when the demand on the SIS is equal to or less than once per year (IEC 61511). Alternatively, no more than two demands per proof test interval. Low demand calculations use PFDavg. Hazard event rate H = D x PFDavg.
- High demand mode applies when the demand on the SIS is more than once per year (IEC 61511). Alternatively, more than two demands per proof test interval. High demand mode calculations use PFH, the probability of dangerous failure per hour. Hazard event rate H = PFH.
(High demand is also known as continuous mode.)

Slide 56: Low Demand Mode Application
Diagram: pressure surge once per year (D) → pressure relief trip (SIS). An accident occurs if a dangerous fault is undetected before the surge occurs.
Accident rate H = D x PFDavg, provided the test interval is shorter than 1 year or diagnostics detect faults quickly.
Example: if PFDavg = 0.05 and D = 1: H = 0.05/yr

Slide 57: High Demand Mode Application
Diagram: brake applied 100 times per day → electronic braking controls (SIS). An accident occurs as soon as the brake circuit fails.
Accident rate = probability of failure/hr of the EBC = failure rate per hour of the SIS.
Example: if PFH = 0.0001/hr, H = 0.0001/hr of service. If the machine is used for 5000 hrs/yr, accident rate = 0.5/yr.

Slide 58: Design Iteration for Target PFD in Low Demand Mode
Flowchart:
1. SRS defines the Risk Reduction Factor; PFD = 1/RRF
2. Set target PFD
3. Evaluate solution PFD
4. Calculated PFD < target PFD? No: revise design and return to step 3. Yes: acceptable, proceed to detail design.

Slide 59: Elements and terms in the SIS model
Hazard demand rate (D) → Protective system (SIS) → Hazard event rate (H)
PFDavg = H/D = 1/(Risk Reduction Factor)
SIL bands: SIL 3, SIL 2, SIL 1
SIS stages: Sensor PFD1, Logic PFD2, Actuator PFD3
Overall PFD = PFD1 + PFD2 + PFD3

Slide 60: Single Channel Basic calculation of PFD
(Diagram: single channel with fail rate Zdu.)
If the fail to danger rate is Zdu and the proof test interval is Ti:
PFDavg = Zdu x Ti/2 (failure rate/yr x mean time to detect)
Example: fail to danger rate = 0.05 per year, Ti = 1 year: PFDavg = 0.05 x 1/2 = 0.025 (SIL 1)
How is this formula obtained?

Slide 61: Hazard Rate v Demand Rate showing low and high demand modes
Graph of hazard event rate H against demand rate D:
- Demand mode (D x T << 1): accident rate H = demand rate (D) x PFDavg of SIS
- Continuous mode (D x T > 1): accident rate H = PFH of SIS; H = fail rate λd
- Curve: H = λd (1 - e^(-D·Ti/2)), tending to H = λd at high demand rates

Slide 62: Effect of Manual Proof Testing, leading to average probability of failure on demand
Graph of p(t), the probability of being failed when a demand occurs, against time t (axis marks 0, Ti, 2Ti): p(t) = λd·t grows from 0 until each proof test action returns it to 0 at Ti, 2Ti, ...
Average value: PFDavg = λd·Ti/2

Slide 63: SIS Failure Modes
Overt failures: spurious trip rate λS = 1/MTBFsp
Covert failures: dangerous failure rate λD = 1/MTTFD
- λS + λDD: loss of production; trips the plant unless 2oo3 or 2oo2 voting
- λDD: detectable by self diagnostics
- λDU: undetectable except by manual proof testing
C = coverage; λDD = C·λD; λDU = (1 - C)·λD

Slide 64: Example: Find the Safe and Dangerous Failure Modes
Diagram: SIS high level trip on a vessel with fluid feed. Elements: logic solver, LT 1, LT 2, LC 1, I/P, FC valves, PSV, AS.
Assume out-of-range detection is provided (forcing a trip).

Device         | Fail modes / yr                      | Lsp | Ldu | Ldd
LE connection  | Bottom blocked: 0.1; Top leaks: 0.2  |     |     |
LT electronics | Runs low: 0.05; Runs high: 0.02      |     |     |
Cable          | Breaks: 0.01; Shorts across LT: 0.1  |     |     |
Power          | Lost power: 0.02                     |     |     |
Totals for sensor subsystem |                         |     |     |

Slide 65: 1oo1 SIS Formulae: Single Channel SIS Fail Rates
(Same failure mode diagram as Slide 63: λS = 1/MTBFsp; λD = 1/MTTFD; C = coverage; λDD = C·λD detectable by self diagnostics; λDU = (1 - C)·λD detectable by manual proof testing; λS + λDD = loss of production, trips the plant unless 2oo3 or 2oo2 voting.)
Spurious trip rate = λs + λDD
PFD1 = λDD x MTTR
PFD2 = λDU x Ti/2

Slide 66: 1oo2 SIS Formulae
(Same failure mode diagram as Slide 63.)
Spurious trip rate = 2(λs + λDD)
PFD1 = 2(λDD)²(MTTR)²
PFD2 = ((λDU·Ti)²)/3

Slide 67: Formula sets
(Same failure mode diagram as Slide 63.) Each failure class maps to one row of Figure 8.6:
- Spurious trip rate λS: formula set 1 in Fig 8.6
- λDD, detectable by self diagnostics: formula set 2 in Fig 8.6
- λDU, detectable by manual proof testing: formula set 3 in Fig 8.6

Slide 68: Figure 8.6: Multi-channel Formula Sets for PFD and λs (excluding common mode failures)
Overt failures: spurious trip rate λs = 1/MTBFsp. Covert failures: dangerous failure rate λd = 1/MTTF; λDD = DC·λD (detectable by self diagnostics); λDU = (1 - DC)·λD (detectable by manual proof testing).

Voting | Formula set 1: spurious trip rate | Formula set 2: PFD due to diagnostics (if detected but not tripped) | Formula set 3: PFD due to proof test
1oo1   | λs             | λDD·MTTR        | λDU·Ti/2
1oo2   | 2λs            | 2(λDD)²(MTTR)²  | (λDU·Ti)²/3
2oo2   | 2(λs)²·MTTR    | 2λDD·MTTR       | λDU·Ti
2oo3   | 6(λs)²·MTTR    | 6(λDD)²(MTTR)²  | (λDU·Ti)²

Slide 69: Sources of Reliability Data
Sintef PDS handbooks: http://www.sintef.no/Projectweb/PDS-Main-Page/PDS-Handbooks/
Sintef: http://www.sintefbok.no/Product.aspx?sectionId=65&productId=559&categoryId=10
Also see:
1. exida.com Reliability Handbook
2. Manufacturers' safety manuals for specific SIL certified instruments
3. Faradip 3 database
4. exida.com: Safety Automation Equipment List, Functional Safety Assessment Reports: http://www.exida.com/index.php/resources/sael/

Slide 70: Dual Channel Basic calculation of PFD
(Diagram: two channels each with fail rate Zdu. Note: Zdd omitted for clarity.)
If the fail to danger rate is Zdu and the proof test interval is Ti:
PFDavg = (Zdu x Ti)² / 3
Example: if fail to danger rate = 0.05 per year, Ti = 1 year: PFDavg = (0.05 x 1)² / 3 = 0.00083 (SIL 3)
But this ignores common cause and is unrealistic.

Slide 71: Beta Factor: Common Cause Failures in redundant SIS channels
Unit failures: (1 - β)λd for each channel. Common cause failures: βλd.
Example: 2oo3 sensor with common cause failures (diagram: three channels each (1 - β)λd plus one common βλd block).

Slide 72: Formulae Sets with Common Cause Factor included (figure)

Slide 73: Dual Channel Basic calculation of PFD including Common Cause 5%
(Diagram: (1 - β)λdu, (1 - β)λdu, βλdu. Note: Zdd omitted for clarity.)
If the fail to danger rate is Zd and the proof test interval is Ti:
PFDavg = ((1 - β)λdu x Ti)² / 3 + βλdu x Ti/2
Example: fail to danger rate = 0.05 per year, Ti = 1 year, β = 5%:
PFDavg = (0.95 x 0.05 x 1)² / 3 + (0.05 x 0.05 x 1/2) = 0.002 (SIL 2)

Slide 74: 2oo3 Channel Basic calculation of PFD including Common Cause 5%
(Diagram: (1 - β)λd, (1 - β)λd, (1 - β)λd, βλd.)
If the fail to danger rate is Zd and the proof test interval is Ti:
PFDavg = ((1 - β)λdu x Ti)² + βλdu x Ti/2
Example: fail to danger rate = 0.05 per year, Ti = 1 year, β = 5%:
PFDavg = (0.95 x 0.05 x 1)² + (0.05 x 0.05 x 1/2) = 0.0035 (SIL 2)

Slide 75: Formulae Sets with Common Cause Factor included (figure)

Slide 76: Calculation Table for PFDavg: Worked example for 1oo1 (failures per year)
Formula for calculating PFDavg for 1oo1: PFDavg = (LDU x Ti/2) + (LDD x MTTR)

Parameter              | Value    | Notes
LDU                    | 0.0500   | Dangerous undetected failure rate for one channel
LDD                    | 0.1000   | Dangerous detected failure rate for one channel
Ti in yrs              | 1.0000   | Proof test interval
MTTR in yrs            | 0.0027   | Mean time to detect and repair a detectable fault
(LDU x Ti/2)           | 2.50E-02 | Undetected portion
(LDD x MTTR)           | 2.74E-04 | Detected portion
PFD for 1oo1 subsystem | 2.53E-02 | SIL table: SIL 1

Slide 77: Calculation Table for PFDavg: Worked example for 1oo1 (failures per hour)
Formula for calculating PFDavg for 1oo1: PFDavg = (LDU x Ti/2) + (LDD x MTTR)

Parameter              | Value    | Notes
LDU                    | 5.71E-06 | Dangerous undetected failure rate for one channel
LDD                    | 1.14E-05 | Dangerous detected failure rate for one channel
Ti in hrs              | 8760     | Proof test interval
MTTR in hrs            | 24       | Mean time to detect and repair a detectable fault
(LDU x Ti/2)           | 2.50E-02 | Undetected portion
(LDD x MTTR)           | 2.74E-04 | Detected portion
PFD for 1oo1 subsystem | 2.53E-02 | SIL table: SIL 1

Slide 78: Formatted Calculation Table for PFDavg: Worked example for 1oo2
(Diagram: (1 - β)λd, (1 - β)λd, βλd.)
Formula for calculating PFDavg for 1oo2:
PFDavg = (1/3)((1 - β)LDU x Ti)² + 2((1 - β)LDD x MTTR)² + (βLDU x Ti/2) + (βLDD) x MTTR

Parameter                  | Value    | Notes
LDU                        | 5.71E-06 | Dangerous undetected failure rate for one channel
LDD                        | 1.14E-05 | Dangerous detected failure rate for one channel
β                          | 0.1000   | Common cause factor for dangerous and safe failures
Ti in hrs                  | 8760     | Proof test interval
MTTR in hrs                | 24       | Mean time to detect and repair a detectable fault
(1/3)((1 - β)LDU x Ti)²    | 6.75E-04 | Undetected voting portion
2((1 - β)LDD x MTTR)²      | 1.18E-07 | Detected voting portion
(βLDU x Ti/2)              | 2.50E-03 | Undetected common portion
(βLDD) x MTTR              | 2.70E-05 | Detected common portion
PFD for 1oo2 subsystem     | 3.20E-03 |

Safecalc cross-check: LD = 1.71 (E-05/hr), % safe = 0, C = 66%.

Slide 79: Formatted Calculation Tables for PFDavg: Worked example for 2oo3
(Diagram: (1 - β)λd, (1 - β)λd, (1 - β)λd, βλd.)
Formula for calculating PFDavg for 2oo3:
PFDavg = ((1 - β)LDU x Ti)² + 6((1 - β)LDD x MTTR)² + (βLDU x Ti/2) + (βLDD) x MTTR

Parameter                  | Value    | Notes
LDU                        | 5.71E-06 | Dangerous undetected failure rate for one channel
LDD                        | 1.14E-05 | Dangerous detected failure rate for one channel
β                          | 0.1000   | Common cause factor for dangerous and safe failures
Ti in hrs                  | 8760     | Proof test interval
MTTR in hrs                | 24       | Mean time to detect and repair a detectable fault
((1 - β)LDU x Ti)²         | 2.03E-03 | Undetected voting portion
6((1 - β)LDD x MTTR)²      | 3.54E-07 | Detected voting portion
(βLDU x Ti/2)              | 2.50E-03 | Undetected common portion
(βLDD) x MTTR              | 2.70E-05 | Detected common portion
PFD for 2oo3 subsystem     | 4.55E-03 |
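The Figure 8.6 formula sets (Slide 68) combined with the beta-factor split of Slide 85, reproducing the Slide 77 to 79 calculation tables and the Slide 60, 70, 73 and 74 examples. This is an added worked example, not the course's own calculation tool: the class and function names are constructed, and the SIL band limits in sil_band are the standard low demand PFDavg ranges of which the slides quote one (1E-2 to 1E-1 = SIL 1).

```python
"""PFDavg, SIL band and spurious trip rate for voted SIS subsystems.

Formula sets follow Figure 8.6 (Slide 68); common cause uses the Slide 85
split: each redundant channel carries (1 - beta) * lambda and a separate 1oo1
block carries the common share beta * lambda.  All inputs must share one unit
system (per hour with Ti and MTTR in hours, or per year with both in years).
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class Channel:
    """Failure rates of one channel, split as on Slide 63."""
    l_du: float        # dangerous undetected: revealed only by proof test
    l_dd: float = 0.0  # dangerous detected: revealed by diagnostics
    l_s: float = 0.0   # safe (spurious) failure rate


def pfd_independent(voting, l_du, l_dd, ti, mttr):
    """Formula sets 2 (detected faults over MTTR) and 3 (undetected faults
    over the proof test interval Ti) of Figure 8.6, independent failures only."""
    if voting == "1oo1":
        return l_dd * mttr + l_du * ti / 2
    if voting == "1oo2":
        return 2 * (l_dd * mttr) ** 2 + (l_du * ti) ** 2 / 3
    if voting == "2oo2":
        return 2 * l_dd * mttr + l_du * ti
    if voting == "2oo3":
        return 6 * (l_dd * mttr) ** 2 + (l_du * ti) ** 2
    raise ValueError(f"unsupported voting {voting!r}")


def pfd_avg(voting, ch, ti, mttr, beta=0.0):
    """Slide 85: voted portion at (1 - beta) rates plus a 1oo1 common cause
    portion at beta rates.  beta = 0 gives the plain Figure 8.6 value, which
    Slide 70 calls unrealistic; for 1oo1 the split changes nothing."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta is a fraction between 0 and 1")
    voted = pfd_independent(voting, (1 - beta) * ch.l_du, (1 - beta) * ch.l_dd, ti, mttr)
    common = pfd_independent("1oo1", beta * ch.l_du, beta * ch.l_dd, ti, mttr)
    return voted + common


def spurious_trip_rate(voting, l_rev, mttr):
    """Formula set 1 of Figure 8.6.  l_rev is the revealed (trip causing) rate:
    lambda_s alone, or lambda_s + lambda_DD when a detected dangerous fault is
    configured to trip the channel (Slides 65 and 66)."""
    if voting == "1oo1":
        return l_rev
    if voting == "1oo2":
        return 2 * l_rev
    if voting == "2oo2":
        return 2 * l_rev ** 2 * mttr
    if voting == "2oo3":
        return 6 * l_rev ** 2 * mttr
    raise ValueError(f"unsupported voting {voting!r}")


def sil_band(pfd):
    """Low demand SIL band for a PFDavg (Slide 80: 1E-2 to 1E-1 is SIL 1).
    Returns 0 when the PFD is too high for any SIL claim; the 1E-5 floor of
    SIL 4 is not checked."""
    for sil, upper in ((1, 1e-1), (2, 1e-2), (3, 1e-3), (4, 1e-4)):
        if pfd >= upper:
            return sil - 1
    return 4


def worked_tables():
    """Slide 77 to 79 tables: LDU = 0.05/yr and LDD = 0.1/yr expressed per
    hour, Ti = 8760 h, MTTR = 24 h, beta = 10 % (no effect on 1oo1)."""
    ch = Channel(l_du=0.05 / HOURS_PER_YEAR, l_dd=0.10 / HOURS_PER_YEAR)
    return {v: pfd_avg(v, ch, ti=HOURS_PER_YEAR, mttr=24, beta=0.1)
            for v in ("1oo1", "1oo2", "2oo3")}


def slide_examples():
    """Per-year examples of Slides 60, 70, 73 and 74: fail to danger rate
    0.05/yr, Ti = 1 yr, no diagnostics (LDD = 0)."""
    ch = Channel(l_du=0.05)
    return {
        "1oo1": pfd_avg("1oo1", ch, ti=1, mttr=0),
        "1oo2_no_cc": pfd_avg("1oo2", ch, ti=1, mttr=0),
        "1oo2_beta5": pfd_avg("1oo2", ch, ti=1, mttr=0, beta=0.05),
        "2oo3_beta5": pfd_avg("2oo3", ch, ti=1, mttr=0, beta=0.05),
    }


if __name__ == "__main__":
    for name, pfd in {**worked_tables(), **slide_examples()}.items():
        print(f"{name:12s} PFDavg = {pfd:.2e}  SIL {sil_band(pfd)}")
    # Slides 59 and 80: stage PFDs add, 0.01 + 0.005 + 0.01 = 0.025, SIL 1
    total = 0.01 + 0.005 + 0.01
    print(f"overall PFDavg = {total:.3f}  SIL {sil_band(total)}")
```

Running it shows the Slide 70 value dropping from SIL 3 to SIL 2 once a 5% common cause share is included, while the 1oo1 result is unchanged by beta.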

Slide 80: SIS Analysis Model Example
(Demand rate D enters at the sensor stage.)

Stage    | Failure rate Zd (per yr) | or MTTF | Apply testing or diagnostics | PFDavg
Sensor   | Zd1 = 0.2                | 5 yrs   | Proof testing                | 0.01
Logic    | Zd2 = 0.02               | 50 yrs  | Auto diagnostics             | 0.005
Actuator | Zd3 = 0.1                | 10 yrs  | Proof testing                | 0.01

Overall PFDavg = 0.025 = 2.5E-2: qualifies for SIL 1 (E-1 to E-2)

Slide 81: SIS Analysis: Step 1
Hazard demand rate → Protective system (SIS) → Hazard event rate
Stages and SIL labels on the diagram: Sensor SIL 2; Logic SIL 1; Actuator SIL 1; SIL 1

Slide 82: SIS Analysis: Step 2, identify channels in each stage
Example: dual channel sensors and actuators, single channel logic.
Diagram: demand D → Sensor 1oo2D → Logic 1oo1D → Actuator 1oo2

Slide 83: SIS Analysis: Step 3, expand details for each single channel

Sensor 1oo2D, Logic 1oo1D. Expand the detail of the sensor subsystem and apply failure rates for each item in the channel:

Process connection
Transmitter
Cable and power

Slide 84: SIS Analysis: Step 4, decide λdu, λdd and λs for the elements; Step 5, enter the values in the table and totalize

Each element of the channel carries its own rates: Process connection (λDU1, λDD1, λSD1), Transmitter (λDU2, λDD2, λSD2), Cable and power (λDU3, λDD3, λSD3).

Subsystem element | Device | λSD/hr | λSU/hr | λDD/hr | λDU/hr
1 | Process connection | 1.14E-05 | 0.00E+00 | 5.71E-06 | 3.42E-06
2 | Transmitter | 1.14E-05 | 0.00E+00 | 5.71E-06 | 5.71E-07
3 | Cable and power | 1.14E-05 | 0.00E+00 | 5.71E-06 | 3.42E-06
4 | (unused) | | | |
Subsystem totals | | 3.42E-05 | 0.00E+00 | 1.71E-05 | 7.42E-06

Slide 85: SIS Analysis: Step 6, find the PFDavg for the 1oo2 subsystem

Break out the common cause failure fraction for the redundant channels, calculate the PFD for each portion and add them together.

β = common cause failure fraction. Each channel of the 1oo2 sensor pair carries the independent dangerous rate (1-β)λd; the failures common to the Ch1 and Ch2 sensors occur at βλd. The logic solver is 1oo1.

Redundant section: PFDavg = 2((1-β)λdd)² × (MTTR)² + ((1-β)λdu × Ti)²/3

Common cause section: PFDavg = βλdd × MTTR + βλdu × Ti/2

PFDavg for the 1oo2 subsystem = redundant section + common cause section

Slide 86: SIS Analysis: Step 7, repeat steps 3 to 6 for each stage

Example: dual channel sensors and actuators, single channel logic.

Sensors 1oo2: PFDavg for sensors
Logic 1oo1: PFDavg for logic solver
Actuators 1oo2: PFDavg for actuators

Slide 87: SIS Analysis: Example

Example: dual channel sensors and actuators, single channel logic, 1 yr proof test interval (rates per year).

Sensors (1oo2): λDU = 0.05 per channel, β = 5%: common cause portion βλDU = 0.0025, independent portion (1-β)λDU = 0.0475 per channel
Logic solver (1oo1D): λD = 0.05, diagnostic coverage C = 95%: λDD = 0.0475, λDU = 0.0025
Actuators (1oo2): λDU = 0.1 per channel, β = 10%: common cause portion 0.01, independent portion 0.09 per channel

Dual sensors PFD = 0.00075 (voting portion) + 0.00125 (common cause portion) = 0.002
Logic solver PFD = 0.00013 (λDD × MTTR, with MTTR = 24 hrs) + 0.00125 (λDU × Ti/2) = 0.00138
Dual actuators PFD = 0.005 (common cause portion) + 0.0027 (voting portion) = 0.0077

SIS PFD = 0.002 + 0.0014 + 0.0077 = 0.0111 or 1.11E-2 = SIL 1

Slide 88: SIS Analysis: Example using the EIT Calculator (file name: EIT GP SIL Calculator.xls)

Data input table for sensor subsystem:

Proof test interval (Ti) | 8760 hrs
Common cause factor (β) | 5%
Mean time to test and repair (MTTR) | 24 hrs

Subsystem element | Device | λSD/hr | λSU/hr | λDD/hr | λDU/hr
1 | Sensor, all components | 1.14E-05 | 0.00E+00 | 0.00E+00 | 5.71E-06
2 to 5 | (unused) | | | |
Subsystem totals | | 1.14E-05 | 0.00E+00 | 0.00E+00 | 5.71E-06

Calculation results for sensing:

Safe failure fraction | 66.7%
Diagnostic coverage | 0.0%
PFDavg for 1oo1 | 2.50E-02
PFDavg for 1oo2 | 2.00E-03
PFDavg for 2oo3 | 3.51E-03
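The calculation tables above (slides 78, 79, 84 and 88) are easy to get wrong by hand because the four portions mix squared terms with linear ones. The following Python is an added example written for this page; it is not the EIT GP SIL Calculator and not text from IEC 61508-6. It implements the simplified 1oo1, 1oo2 and 2oo3 formulas exactly as printed on the slides (rates per hour, Ti and MTTR in hours), totalizes a channel from its elements as in step 5, and reproduces the slide 79 and slide 88 results so the reader can check their own spreadsheet against it. The class and function names are the example's own.

```python
"""PFDavg of 1oo1, 1oo2 and 2oo3 subsystems from per-channel failure rates.

Added example for this page; not the EIT calculator and not IEC text.
Formulas are the simplified ones printed on the slides (rates per hour,
Ti and MTTR in hours); the data rows are the values from slides 79, 84
and 88.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rates:
    """Failure rates of one element or one channel, per hour."""
    sd: float  # safe detected
    su: float  # safe undetected
    dd: float  # dangerous detected
    du: float  # dangerous undetected

    def __add__(self, other: "Rates") -> "Rates":
        # Step 5: the element rates within a channel simply add.
        return Rates(self.sd + other.sd, self.su + other.su,
                     self.dd + other.dd, self.du + other.du)

    @property
    def sff(self) -> float:
        """Safe failure fraction: all failures except dangerous undetected."""
        total = self.sd + self.su + self.dd + self.du
        return (total - self.du) / total

    @property
    def coverage(self) -> float:
        """Diagnostic coverage of dangerous failures."""
        return self.dd / (self.dd + self.du)


def pfd_1oo1(r: Rates, ti: float, mttr: float) -> float:
    return r.du * ti / 2 + r.dd * mttr


def pfd_1oo2(r: Rates, ti: float, mttr: float, beta: float) -> float:
    voting_du = ((1 - beta) * r.du * ti) ** 2 / 3       # undetected voting portion
    voting_dd = 2 * ((1 - beta) * r.dd * mttr) ** 2     # detected voting portion
    common = beta * r.du * ti / 2 + beta * r.dd * mttr  # common cause portions
    return voting_du + voting_dd + common


def pfd_2oo3(r: Rates, ti: float, mttr: float, beta: float) -> float:
    voting_du = ((1 - beta) * r.du * ti) ** 2
    voting_dd = 6 * ((1 - beta) * r.dd * mttr) ** 2
    common = beta * r.du * ti / 2 + beta * r.dd * mttr
    return voting_du + voting_dd + common


def sil_from_pfd(pfd: float) -> int:
    """Low demand SIL band for a PFDavg (IEC 61511 bands); 0 means no SIL."""
    if pfd >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil
    raise ValueError("PFDavg below the SIL 4 band")


# Slide 84: the three elements of one sensor channel (per hour).
SLIDE_84_ELEMENTS = [
    Rates(1.14e-5, 0.0, 5.71e-6, 3.42e-6),  # process connection
    Rates(1.14e-5, 0.0, 5.71e-6, 5.71e-7),  # transmitter
    Rates(1.14e-5, 0.0, 5.71e-6, 3.42e-6),  # cable and power
]
SLIDE_79_CHANNEL = Rates(0.0, 0.0, 1.14e-5, 5.71e-6)   # used with beta = 0.10
SLIDE_88_CHANNEL = Rates(1.14e-5, 0.0, 0.0, 5.71e-6)   # used with beta = 0.05
TI, MTTR = 8760.0, 24.0


def channel_totals(elements):
    total = elements[0]
    for e in elements[1:]:
        total = total + e
    return total


def subsystem_report(r: Rates, beta: float) -> dict:
    """The 'calculation results' block of the slide 88 calculator."""
    return {
        "sff": r.sff,
        "coverage": r.coverage,
        "1oo1": pfd_1oo1(r, TI, MTTR),
        "1oo2": pfd_1oo2(r, TI, MTTR, beta),
        "2oo3": pfd_2oo3(r, TI, MTTR, beta),
    }


if __name__ == "__main__":
    for name, r, beta in (("slide 79", SLIDE_79_CHANNEL, 0.10),
                          ("slide 88", SLIDE_88_CHANNEL, 0.05)):
        rep = subsystem_report(r, beta)
        print(name, {k: f"{v:.3g}" for k, v in rep.items()},
              "SIL for 1oo2 =", sil_from_pfd(rep["1oo2"]))
```

With the slide 79 data the 1oo2 result is 3.20E-03 and the 2oo3 result 4.55E-03; with the slide 88 data (no diagnostics, β = 5%) the 1oo1, 1oo2 and 2oo3 figures are 2.50E-02, 2.00E-03 and 3.51E-03. Note how the β λDU Ti/2 common cause term dominates every redundant result: once channels are duplicated, the common cause factor, not the channel failure rate, sets the achievable SIL.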

Slide 89: IEC table of PFDs relevant to Figure 8.16

Slide 90: Honeywell Safecalc example relevant to Figure 8.16

Slide 91: SIS Analysis: Example Calculation for Spurious Trip

Example: dual channel sensors and actuators, single channel logic.

Sensor: MTTF = 5 years, 75% safe failure fraction, C = 0%, β = 10%, Ti = 0.5 yrs, MTTR = 8 hrs
Logic: MTTF = 10 years, 50% safe failure fraction, C = 95%, β = 10%, Ti = 1 yr, auto diagnostics test interval = 2 secs, MTTR = 24 hrs
Actuator: MTTF = 2 years, 80% safe failure fraction, C = 0%, β = 10%, Ti = 0.25 yrs, MTTR = 24 hrs

Sensor, single channel: λs = 1/5 × 0.75 = 0.15/yr
Logic, single channel: λs = 1/10 × 0.5 = 0.05/yr; λdd = C × λd = 95% × 0.05 = 0.0475/yr
Actuator, single channel: λs = 1/2 × 0.8 = 0.4/yr

Slide 92: SIS Analysis: Example Calculation for Spurious Trip

Example: dual channel sensors and actuators, single channel logic.

Spurious trip rate for 1oo1 (the logic solver): ST = λS + λDD

Parameter | Logic | Notes
λS | 0.05 | Fail safe rate
λDD | 0.0475 | DD rate added because the 95% coverage diagnostics drive detected faults to the safe state
Total for 1oo1 subsystem | 0.0975 | Spurious trip rate per yr

Spurious trip rate for 1oo2 (sensors and actuators): ST = 2(1-β)(λS + λDD) + β(λS + λDD)

Parameter | Sensor | Actuator | Notes
λS | 0.15 | 0.4 | Fail safe rate
λDD | 0 | 0 | DD rate added due to C (0% coverage here)
β | 0.1 | 0.1 | Common cause factor
2(1-β)(λS + λDD) | 0.27 | 0.72 | 1oo2 portion
β(λS + λDD) | 0.015 | 0.04 | Common portion
Total for 1oo2 subsystem | 0.285 | 0.76 | Spurious trip rate per yr

Overall spurious trip rate = 0.285 + 0.0975 + 0.76 = 1.1425 per yr

Slide 93: SIS Analysis: Example, Spurious Trip Rate

Example: dual channel sensors and actuators, single channel logic.

Sensors (1oo2): independent 0.135 per channel, common cause 0.015
Logic (1oo1): 0.05 fail safe plus 0.0475 dangerous detected
Actuators (1oo2): independent 0.36 per channel, common cause 0.04

Dual sensors spurious trips = 0.28 per yr
Logic solver spurious trips = 0.097 per yr
Dual actuators spurious trips = (2 × 0.36) + (1 × 0.04) = 0.76 per yr

Spurious trip rate = 0.28 + 0.097 + 0.76 = 1.14 trips per year

Slide 94: Reducing Spurious Trip Rate

Design version A: 1oo2 sensors, λs = 0.15 per channel
Dual sensors spurious = 2 × 0.15 = 0.30 trips per yr

Design version B: 2oo3 sensors, independent (1-β)λs = 0.135 per channel, common cause βλs = 0.015, MTTR = 8 hrs
2oo3 sensors spurious = 6 × λs² × MTTR + βλs = (6 × 0.135² × 8/8760) + 0.015 = 0.0001 + 0.015 ≈ 0.015 trips per yr

From 0.3 per year to 0.015 per year. If 1 trip costs AUD 50 000, what is the annual saving?
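The spurious trip formulas of slides 92 and 94 and the design comparison above are worked through in the following Python, an added example written for this page and not part of the course material or its spreadsheet. It splits each channel's rate from MTTF, safe failure fraction and coverage as on slide 91, applies the 1oo1, 1oo2 and 2oo3 spurious trip formulas as printed on the slides (rates per year, MTTR converted from hours), reproduces the 1.1425 per year total, and answers the slide 94 question using the AUD 50 000 per trip figure quoted there. Function names are the example's own.

```python
"""Spurious trip rate of 1oo1, 1oo2 and 2oo3 voted subsystems, per year.

Added example for this page, not course material. Uses the spurious trip
formulas printed on slides 92 and 94 and reproduces the slide 91 to 94
example; the trip cost is the AUD 50 000 figure quoted on slide 94.
"""
HOURS_PER_YEAR = 8760.0


def single_channel(mttf_years: float, sff: float, coverage: float):
    """Split one channel's failure rate (1/MTTF, per year) into safe,
    dangerous detected and dangerous undetected, as on slide 91."""
    lam = 1.0 / mttf_years
    lam_s = lam * sff
    lam_d = lam - lam_s
    return lam_s, coverage * lam_d, (1.0 - coverage) * lam_d


def st_1oo1(lam_s: float, lam_dd: float) -> float:
    # A detected dangerous fault is driven to the safe state, so it trips
    # the loop just as a safe failure does.
    return lam_s + lam_dd


def st_1oo2(lam_s: float, lam_dd: float, beta: float) -> float:
    trip = lam_s + lam_dd
    return 2 * (1.0 - beta) * trip + beta * trip


def st_2oo3(lam_s: float, lam_dd: float, beta: float, mttr_hours: float) -> float:
    trip = lam_s + lam_dd
    independent = (1.0 - beta) * trip
    # Two independent channel trips must overlap within the repair time
    # before 2oo3 votes a trip; a common cause failure trips all channels.
    return 6 * independent ** 2 * (mttr_hours / HOURS_PER_YEAR) + beta * trip


def slide_92_example() -> dict:
    """Dual sensors and actuators (1oo2), single logic solver (1oo1)."""
    s_s, s_dd, _ = single_channel(5.0, 0.75, 0.0)    # sensor, C = 0%
    l_s, l_dd, _ = single_channel(10.0, 0.50, 0.95)  # logic, C = 95%
    a_s, a_dd, _ = single_channel(2.0, 0.80, 0.0)    # actuator, C = 0%
    sensors = st_1oo2(s_s, s_dd, 0.10)
    logic = st_1oo1(l_s, l_dd)
    actuators = st_1oo2(a_s, a_dd, 0.10)
    return {"sensors": sensors, "logic": logic, "actuators": actuators,
            "total": sensors + logic + actuators}


def slide_94_comparison(cost_per_trip: float = 50_000.0) -> dict:
    """Version A (1oo2, counted as 2 x lambda_s as on the slide) against
    version B (2oo3 with beta = 10% and the 8 hr sensor MTTR)."""
    lam_s = 0.15
    version_a = st_1oo2(lam_s, 0.0, 0.0)
    version_b = st_2oo3(lam_s, 0.0, 0.10, 8.0)
    return {"A_1oo2": version_a, "B_2oo3": version_b,
            "annual_saving": (version_a - version_b) * cost_per_trip}


if __name__ == "__main__":
    print(slide_92_example())
    print(slide_94_comparison())
```

The comparison returns about 0.30 against 0.015 trips per year, an annual saving of roughly AUD 14 245. Two things are worth noticing: the logic solver's 95% coverage moves 0.0475 per year from the dangerous side to the spurious trip side, which is the price of diagnostics, and the 2oo3 figure is set almost entirely by βλs, so the common cause factor limits the trip-rate benefit of voting just as it limits the PFD benefit.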

Slide 95: Outcomes of a Reliability Study

Show whether or not the SIS will satisfy the SIL target
Overall SIS probability of failure on demand (PFDavg)
PFDavg for each section of the SIS
Show the benefits of redundancy or voting schemes
Decide the proof testing intervals
Predict the accident rate

Slide 96: Conclusions on Analysis Models

Models help to visualise SIS performance
Software speeds up analysis
IEC 61508 part 6 gives methods and tables
Fault tree analysis for detailed systems

Slide 97: Supplementary notes on Low Demand Mode versus High Demand Mode (IEC 61511 treats high demand together with continuous mode)

Low demand mode applies when the demand rate on the SIS is no greater than once per year (IEC 61511), or alternatively no more than two demands per proof test interval. Low demand calculations use PFDavg. Hazard event rate H = D × PFDavg.

High demand mode applies when the demand rate on the SIS is more than once per year (IEC 61511), or alternatively more than two demands per proof test interval. High demand mode calculations use PFH (the same as the failure-to-danger rate), and continuous mode is assessed with PFH in the same way. Hazard event rate H = PFH.

Slide 98: High v Low Demand Calculation

Pump protection example: the pump and its power supply, a PSH (high pressure switch) feeding the SIS, and the SIS performing the HP safety trip.

Pump trip SIS with λd = 0.05/yr and Ti = 1 yr (proof tested once per year):
PFDavg = 0.05 × 1/2 = 0.025, and PFH = 0.05/8760 = 5.7E-06/hr

Suppose the demand rate D is once per year and the overpressure event rate is H per year.
In the low demand mode calculation H = D × PFDavg, so H = 1 × 0.025 = 0.025/yr.
In the high demand mode calculation H = PFH, so H = 5.7E-06/hr = 0.05/yr.

Slide 99: High v Low Demand Calculation

Same pump protection SIS: λd = 0.05/yr, Ti = 1 yr, PFDavg = 0.05 × 1/2 = 0.025 and PFH = 0.05/8760 = 5.7E-06/hr.

Suppose the demand rate D is once per day (365/yr) and the overpressure event rate is H per year.
In the low demand mode calculation H = D × PFDavg, so H = 365 × 0.025 = 9.1/yr.
In the high demand mode calculation H = PFH, so H = 5.7E-06/hr = 0.05/yr.

The low demand figure is not physically meaningful here: the SIS cannot cause a hazard more often than it fails dangerously, which is 0.05/yr, so with demands arriving every day the hazard rate is bounded by PFH and the high demand calculation must be used.

Slide 100: Event rate calculation according to low or high demand mode

Demand on SIS, into the SIS (which has failures at PFDavg = 0.01 and PFH = 0.02/yr, i.e. 2.28E-06/hr), out as H = hazardous event rate.

D = 0.1/yr: H = ? /yr
D = 1.0/yr: H = ? /yr
D = 10.0/yr: H = ? /yr
D = 100/yr: H = ? /yr
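The mode decision of slide 97 and the pump calculations of slides 98 and 99 are captured in the following Python, an added example written for this page and not course material. It applies the two IEC 61511 low demand tests as stated on slide 97, picks the matching formula, and adds a plausibility check that flags the 9.1 per year figure from slide 99 as an artefact of the wrong mode. The pump data (λd = 0.05/yr, Ti = 1 yr) and the slide 100 quiz figures (PFDavg = 0.01, PFH = 0.02/yr, taken here to imply Ti = 1 yr) are from the slides; the function names are the example's own.

```python
"""Hazard event rate from demand rate and SIS failure measures, with the
low versus high demand mode decision from slide 97.

Added example for this page, not course material. The mode tests and the
two formulas are the ones stated on the slides; the pump data and the
slide 100 quiz figures are taken from the slides.
"""
HOURS_PER_YEAR = 8760.0


def sis_measures(lam_d_per_year: float, ti_years: float):
    """PFDavg of a single proof-tested channel and its PFH per hour."""
    pfd_avg = lam_d_per_year * ti_years / 2.0
    pfh_per_hour = lam_d_per_year / HOURS_PER_YEAR
    return pfd_avg, pfh_per_hour


def is_low_demand(demand_per_year: float, ti_years: float) -> bool:
    """IEC 61511 low demand: no more than one demand per year, and (the
    alternative test on slide 97) no more than two demands per proof
    test interval."""
    return demand_per_year <= 1.0 and demand_per_year * ti_years <= 2.0


def hazard_rate(demand_per_year, pfd_avg, pfh_per_hour, ti_years=1.0):
    """Return (mode, H per year) using the formula that applies to the mode."""
    if is_low_demand(demand_per_year, ti_years):
        return "low demand", demand_per_year * pfd_avg
    return "high demand", pfh_per_hour * HOURS_PER_YEAR


def naive_low_demand(demand_per_year, pfd_avg):
    """H = D x PFDavg applied regardless of mode, to show where it breaks."""
    return demand_per_year * pfd_avg


def low_demand_formula_is_plausible(demand_per_year, pfd_avg, pfh_per_hour):
    """The SIS cannot cause hazards faster than it fails dangerously, so a
    D x PFDavg above lambda_d (= PFH x 8760) means the wrong mode was used."""
    return demand_per_year * pfd_avg <= pfh_per_hour * HOURS_PER_YEAR


def pump_example(demand_per_year):
    """Slides 98 and 99: lambda_d = 0.05/yr, Ti = 1 yr."""
    pfd, pfh = sis_measures(0.05, 1.0)
    mode, h = hazard_rate(demand_per_year, pfd, pfh, ti_years=1.0)
    return mode, h, naive_low_demand(demand_per_year, pfd)


def slide_100_table():
    """The quiz on slide 100: PFDavg = 0.01, PFH = 0.02/yr, Ti = 1 yr."""
    pfh_per_hour = 0.02 / HOURS_PER_YEAR
    return {d: hazard_rate(d, 0.01, pfh_per_hour, ti_years=1.0)
            for d in (0.1, 1.0, 10.0, 100.0)}


if __name__ == "__main__":
    for d in (1.0, 365.0):
        mode, h, naive = pump_example(d)
        print(f"D = {d}/yr: {mode}, H = {h:.3g}/yr (naive D x PFD = {naive:.3g})")
    for d, (mode, h) in slide_100_table().items():
        print(f"D = {d}/yr: {mode}, H = {h:.3g}/yr")
```

For the pump, a demand once a year gives H = 0.025/yr in low demand mode, while a demand every day is high demand and gives H = 0.05/yr; the naive 9.1/yr fails the plausibility check because it exceeds λd. The "two demands per proof test interval" limit is not arbitrary: with PFDavg = λd Ti/2, D × PFDavg reaches λd exactly when D × Ti = 2, so beyond that point the low demand formula would predict more hazards than the SIS has dangerous failures. For the slide 100 quiz the function returns 0.001, 0.01, 0.02 and 0.02 per year for D = 0.1, 1, 10 and 100 per year.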