SIL

Determining the SIL level of a Safety Instrumented Function (SIF)

Website: Email:

www.gmintsrl.com info@gmintsrl.com

Standard Definitions
IEC 61508 Title: Standard for Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related System IEC 61508 was conceived to define and harmonize a method to reduce risks for human beings and/or reduce valuable loss for all industrial and non industrial environments. IEC 61511 Title: Safety Instrumented Systems for the Process Industry IEC 61511 was developed as a Process Sector implementation of IEC 61508

Following the above standard is the minimum necessary condition to obtain plant safety. However this, alone, does not guarantee that the process will be safe. NOT implementing these safety standards will certainly lead to an UNSAFE process.

What is Safety?
Freedom from unacceptable risks

Safety Integrity Levels IEC 61508

Risk Reduction
RRF = Frequency of accidents w ithout protection 1 = Frequency of tolerable accidents PFD avg

Risk Reduction Factor

Nr. of accidents per year without protections:10 Nr. of tolerable accidents: 1 per 100 years 10 x 100 / 1 = 1000 = RRF (Risk Reduction Factor) 1 / 1000 = 0.001 = PFDavg per year (Average Probability of Failure on Demand) This means to obtain a SIF safety unavailability of 1/1000 in one year (about 10 hours).

A.L.A.R.P.

Hazardous Operative Analysis (HAZOP)

Debutanizer Column Node: Reboiler Section

Required SIFs are usually indicated in the P&ID (Piping and Instrumentation Diagrams) or in the PFD (Process Flow Diagram).

Layer Of Protection Analysis (LOPA)

PSV

Figure 72, Sample Process for LOPA Example

LC LV

Hexane Storage Tank

Next process

Dike

Figure 73, Event tree for LOPA example

Probability of ignition Probability of personnel in area Probability of fatality No significant event

BPCS loop failure

Dike

Success P=0.99 P=0.1 Failure P=0.01 Yes P=1.0 Yes P=0.5 Yes P=0.5 No P=0 No P=0.5 No P=0.5

No significant event Fire Fire, no fatality Fire with fatality

Layer Of Protection Analysis (LOPA)

Scenario Number Date Consequence Description/Category Risk tolerance Criteria (Category or Frequency) Initiating Event (typically a frequency) Enabling Event or Condition Conditional Modifiers (if applicable) LOPA WORKSHEET Equipment Number Description Release of hexane outside the dike due to tank overflow and failure of dike with potential for ignition and fatality Maximum tolerable risk of serious fire Maximum tolerable risk of fatal injury BPCS loop failure N/A Probability of ignition Probability of personnel in area Probability of fatal injury Other Frequency of unmitigated consequence Independent Protection Layers Dike (existing) Safeguards (non-IPLs) Human action not an IPL as it depends upon BPCS generated alarm. (BPCS failure considered as initiating event) Total PFD for all IPLs 1 x 10-2 Frequency of Mitigated Consequence 2.5 x 10-4 Risk Tolerance Criteria Met? (Yes/No): No. SIF required Action required: Add SIF with PFD of at least 4 x 10-2 (Risk Reduction Factor > 25) Responsible Group / Person: Engineering / J.Q. Public, by July 2005 Maintain dike as an IPL (inspection, maintenance, etc) Notes: Add action items to action tracking database 1 x 10-2 1 0.5 0.5 N/A 2.5 x 10-2 Scenario Title: Hexane Surge Tank Overflow. Spill not contained by the dike Probability Frequency (per year)

< 1 x 10-4 < 1 x 10-5 1 x 10-1

Benefits Vs. Costs in the ALARP blue Zone

Benefits FNO SIS EVNO SIS FSIS EVSIS = Costs COSTSIS + COSTNT
Where: B-C ratio : The ratio of benefits to costs FNO-SIS : Frequency of the unwanted event without a SIS. EVNO-SIS : Total expected value of loss of the event without a SIS. : Frequency of the unwanted event with a SIS. FSIS EVSIS : Total expected value of loss of the event with a SIS. COSTSIS : Total lifecycle cost of the SIS (annualized). : Cost incurred due to nuisance trip (annualized) COSTNT

Example: A SIS is being installed to prevent a fire that will cost the company $1,000,000. The frequency prior to application of SIS has been calculated in one every 10 years. After SIS installation the expected frequency is one every 1000 years, and its annualized cost is approximately $66.000. Cost for nuisance trip is negligible, being F&G normally de-energized. What is the benefit-to-cost ratio for the F&G project? The Benefits/Costs relation will be:

1 1 1000000) - ( 1000000) = 99000 10 1000 Costs = (66000 + 0) = 66000 Benefits 99000 = = 1.5 Costs 66000 Benefits = (
A benefit-to-cost ratio of 1.5 means that for every $1 of investment the plant owner can expect $1.5 in return.

Risk Reduction with Protection Layers

Layers of Protection

Risk Protection Balance

The Risk Must be balanced by the Protection Layers
(Optimal Safety Balance)

RISK 1. Plant, Process and Environment

PREVENTION 2. DCS 3. SIS / ESD 4. Physical Protections

MTBF
MTTF is an indication of the average successful operating time of a device (system) before a failure in any mode.

MTBF: Mean Time Between Failures MTBF = MTTF + MTTR MTTF = MTBF - MTTR MTTR: Mean Time To Repair

Since (MTBF >> MTTR) MTBF MTTF (very close in values)

Availability
Availability time (hrs) 1000 10000 100000 1000000 Repair time (Hrs) 10 10 10 10 Availability (%) 99 99,9 99,99 99,999

What does an availability of 99,99% for a specific component or system really stand for? That the component or system could stop working one time ..

.. every month with a repair time of 4.3 minutes. .. every year with a repair time of 53 minutes. .. every 10 years with a repair time of 8.8 hours.

MTBF and Failure Rate

Failure Rate = = Failures per unit time Number of components exposed to functional failure 1

MTBF =

RELIABILITY AVAILABILITY

UNRELIABILITY UNAVAILABILITY Successful Unsuccessful

MTTF

MTTR

Venn Diagram: Reliability-Unreliability; Availability-Unreliability and relations with MTTF and MTTR

MTBF and Failure Rate

Relation between MTBF and Failure Rate
Failure per unit time Quantity Exposed 1 MTBF

= ----------------------------- = ------------

1 Quantity Exposed MTBF = ------ = ----------------------------

Failure per unit time

MTBF - Example
Instantaneous failure rate is commonly used as measure of reliability. Eg. 300 Isolators have been operating for 10 years. 3 failures have occurred. The average failure rate of the isolators is: Failure per unit time 3 = ------------------------------- = ----------------- = Quantity Exposed 300*10*8760 = 0.0000000115 per hour = 0.001 per year = 11,5 FIT (Failure per billion hours) = = 11,5 probabilities of failure in one billion hours. = 0.001 probability of failure per year MTBF = 1 / = 1000 years (for constant failure rate)

FIT
Failure In Time is the number of failures per one billion device hours.

1 FIT = = 1 Failure in 109 hours = 10-9 Failures per hour

Failure Rate Categories

tot s d tot = safe + dangerous = sd + su = dd + du = sd + su + dd + du
dd/sd du 0,8 mA su 20 mA

Where: sd = Safe detected su = Safe undetected dd = Dangerous detected du = Dangerous undetected tot = safe + dangerous (MTBF = MTBFs + MTBFd) safe: spurious trip (nuisance trip) dangerous: safety trip

du 4 mA

dd/sd
Example for a 4-20 mA signal

Example of FMEDA Analysis

Failure Modes Effects Diagnostic Analysis

D1014 SIL 3 Analysis

D1014 module Isolated Hart compatible Repeater power supply

Safe Failure Fraction (SFF)

SFF =

DD +

DD

SD

DU +

SU

SD +

SU

= 1-

DD

DU

DU

SD

SU

Type A components are described as simple devices with well-known failure modes and a solid history of operation. Type B devices are complex components with potentially unknown failure modes, e.g. microprocessors, ASICs, etc.

System architectures

PFDavg simplified equations

Common fault / Beta Factor

For redundant subsystems using electronic components, the value of ranges from 1% to 10 %. The second term of the equations is the PFDavg value contribution due to the factor, derived from the 1oo1 architecture.

Example: Example:

du 0.01 // yr; TI == 11 yr; == 0.05 du == 0.01 yr; TI yr; 0.05 For 1oo2 the is: 2 equation 1 1 For 1oo2 the equation is: (1 ) ( DU TI ) + 2 ( DU TI ) = 3

1 1 2 = [ 0.95 0.01] + ( 0.05 0.01 1) = 3 2 = 0.00003 + 0.00025 = 0.00028 / yr

Considerations on Factor
Comparisons using different values of factor:

Considerations: The value 0.00003 is 166.6 times lower than 0.005. The value 0.000082 is 61 times lower than 0.005. The value 0.00028 is 17.8 times lower than 0.005. The value 0.000527 is 9.48 times lower than 0.005. Without factor the PFDavg, of 1oo2 architecture, is 166.6 times better than PFDavg value of 1oo1 architecture. With 1% factor the PFDavg, of 1oo2 architecture, is 61 times better than PFDavg value of 1oo1 architecture. With 5% factor the PFDavg, of 1oo2 architecture, is 17.8 times better than PFDavg value of 1oo1 architecture. With 10% factor the PFDavg, of 1oo2 architecture, is 9.48 time better than PFDavg value of 1oo1 architecture.

PFDavg 1oo1 Calculation

Equation for 1oo1 loop

Where: RT = repair time in hours (conventionally 8 hours) T1 = T proof test, time between circuit functional tests (1-5-10 years)

dd = failure rate for detected dangerous failures du = failure rate for undetected dangerous failures

PFD Versus T- proof time interval (TI)

PFD degrades in time. The probability of failure of any equipment (therefore the PFD of a SIF) increases with time (linearly for constant failure rate).

How PFD changes in time

Since PFD increases with time, its value can be kept under control by actuating maintenance proof tests at certain time intervals. A periodic test at T-proof interval (as specified by the manufacturer), is capable of identifying any non directly detectable failure mechanisms in the equipment (dangerous undetected failures); Note: The grade of the test effectiveness affects the value to which the PFDavg is set afterwards. The grade of the test effectiveness affects the value to which the PFDavg is set afterwards.

How PFD changes in time

If the effectiveness is (99-100%) the equipment can be considered as new, from a probability of failure point of view, if it is lower then 100% (70-80-90%), then the SIL level could expire and not reach the required SIL level.

Periodic test for D1014 50%

Periodic test for D1014 99%

PFDavg weight in SIF

Each subsystems PFDavg has a percentage value in relation to the total. Component manufacturers list, in their functional safety manual, the value of PFDavg obtained by authorized certification bodies like TUV, EXIDA, FM, etc. These bodies apply a conventional weighing of the PFDavg of the component in consequence of the importance that it has in the entire loop, as reported in the following Table:
25% 10% 35% 10%

20%

TX Barrier PLC Valve PS

Safety Instrumented Systems (SIS)

A simple SIS, with one logic solver, is a safety function as shown in the picture. A SIS is made up of multiple SIFs: one for each potentially dangerous condition. Its objective is to collect and analyzes data information from sensors to determine if a dangerous condition occurs, and consequently to start a shutdown sequence to bring the process to a safe state. A potentially dangerous condition is called "demand.

Safety Instrumented Systems (SIS)

The majority of SIS are based on the concept of de-energizing to trip. In normal working conditions input and output are energized (F&G systems are the opposite) For each SIF, the required Risk Reduction Factor (RRF) is determined.

IEC 61508 and IEC 61511, recognized Standards, cover in detail these safety aspects.

PFDavg 1oo1 Calculation

Equation for 1oo1 loop

Where: RT = repair time in hours (conventionally 8 hours) T1 = T proof test, time between circuit functional tests (1-5-10 years)

dd = failure rate for detected dangerous failures du = failure rate for undetected dangerous failures

Loop PFDavg calculation

If T1 = 1 year then

but being dd * 8 far smaller than du * 4380

SIF Example
Calculate values of MTBF, PFDavg, RRF for a possible SIL level of the following SIF. These values are given by the manufacturers:
Tx: Barrier: PLC: Supply: Valve: MTBF = 102 yrs; MTBF = 314 yrs; MTBF = 685 yrs; MTBF = 167 yrs; MTBF = 12 yrs; DU = 0,00080 / yr; DU = 0,00019 / yr; DU = 0,00001 / yr; DU = 0,00070 / yr; DU = 0,02183 / yr; DD = 0,0010 / yr; DD = 0,0014 / yr; DD = 0,0001 / yr; DD = 0,0000 / yr; DD = 0,0200 / yr; S = 0,00800 / yr S = 0,00159 / yr S = 0,00135 / yr S = 0,00530 / yr S = 0,00400 / yr

Summary table for SIL 1

Subsystem
MTB F (yr)

/ yr = 1/MTBF

MTBFs= 1/ S (yr)

S / yr

DD / yr

DU / yr

PFDavg 1oo1 = DU/2

% of total PFDavg

RRF = 1/PFDav g

SFF

SIL Level

Tx Barrier D1014S

102

0.00980

125

0.00800

0.0010

0.00080

0.000400

3.40 %

2500

91.8 %

SIL 2

314

0.00318

629

0.00159

0.0014

0.00019

0.000095

0.81 %

10526

94.0 %

SIL 3

PLC

685

0.00146

741

0.00135

0.0001

0.00001

0.000005

0.04 %

200000

99.3 %

SIL 3

Valve

12

0.08333

24

0.04150

0.0200

0.02183

0.010915

92.87 %

92

73.8 %

SIL 2

Power Supply

167

0.00600

189

0.00530

0.0000

0.00070

0.000350

2.97 %

2857

88.3 %

SIL 3

Total (SIF)

10

0.1037 7

17

0.05774

0.0225

0.02353

0.011765

100 %

85

SIL 1

Summary table for SIL 2

Subsystem MTB F (yr) = 1/MTBF per yr MTBFs= 1/ S (yr) S / yr DD / yr DU / yr PFDavg 1oo1 = DU/2 % of total PFDavg RRF = 1/PFDavg SFF SIL Level

Tx

102

0.00980

125

0.00800

0.0010

0.00080

0.000400

8.98 %

2500

91.8 %

SIL 2

Barrier D1014S

314

0.00318

629

0.00159

0.0014

0.00019

0.000095

2.13 %

10526

94.0 %

SIL 3

PLC Valve 4 Months TProof Power Supply

685

0.00146

741

0.00135

0.0001

0.00001

0.000005

0.11 %

200000

99.3 %

SIL 3

36

0.02750

73

0.01370

0.0066

0.00720

0.003602

80.91 %

278

73.8 %

SIL 2

167

0.00600

189

0.00530

0.0000

0.00070

0.000350

7.86 %

2857

88.3 %

SIL 3

Total (SIF)

21

0.04794

33

0.02994

0.00910

0.00890

0.004452

100 %

225

SIL 2

SIFs PFDavg confrontation

92,87%

2,97% 3,40% 0,81% 0,04%

TX Barrier PLC Valve PS

80,91%

7,86%

8,98%

2,13% 0,11%

SIL 1

SIL 2

T-proof table for SIL 2 SIF

Since the SIF has a safety integrity level SIL 2 the periodic proof tests can be performed according to the following table:

Subsystem Transmitter Barrier PLC Valve

T-proof test time interval 1 yrs 10 yrs 20 yrs 4 months

2nd SIF Example

Calculate values of MTBF, PFDavg, RRF for a possible SIL level of the following SIF. These values are given by the manufacturers:
Tx: Barrier: PLC: Supply: Valve: MTBF = 102 yrs; MTBF = 314 yrs; MTBF = 685 yrs; MTBF = 167 yrs; MTBF = 12 yrs; DU = 0,00080 / yr; DU = 0,00019 / yr; DU = 0,00001 / yr; DU = 0,00070 / yr; DU = 0,02183 / yr; DD = 0,0010 / yr; DD = 0,0014 / yr; DD = 0,0001 / yr; DD = 0,0000 / yr; DD = 0,0200 / yr; S = 0,00800 / yr S = 0,00159 / yr S = 0,00135 / yr S = 0,00530 / yr S = 0,00400 / yr

Considering the same data used in the 1oo2 architecture as in the first example but introducing a factor of 5% (0.05) on redundant sub-systems.

Table 1oo2
Subsystem PFDavg 1oo1 RRF 1oo1 MTBFs 1oo1 PFDavg 1oo2[1] RRF 1oo2 MTBFs 1oo2 SFF SIL Level

Tx * Barrier D1014D *

0.000400

2500

125

0.00002019

49528

62.5

91.8 %

SIL 3

0.000095

10526

629

0.00000476

210051

314.4

94.0 %

SIL 4

PLC Valve
1 year T-Proof

0.000005 0.010915 0.000350

200000 92 2857

741 24 189

0.00000500 0.00068768 0.00001765

200000 1454 56670

741 12 94.3

99.3 % 73.8 % 88.3 %

SIL 3 SIL 3 SIL 3

Power Supply *

Total (SIF)

0.011765

85

17

0.00073528

1360

8.5

SIL 3

Summary table 1oo2

Note 1:

The Table highlights advantages of 1oo2 system architecture on 1oo1. Safety integrity level of the SIF has moved from SIL 1 to SIL 3 maintaining the same T-proof test time interval of 1 year.
Note 2:

Using such system configuration, the risk reduction factor is highly increased. If a SIL 2 level is required instead of SIL 3, it would be possible to extend the T-proof test time interval (TI).

System

PFDavg 1oo2 0.00073528 0.00220582 0.003676377 0.007352755

RRF 1360 453 272 136

Max SIL Level SIL 3 SIL 2 SIL 2 SIL 2

Table 10a shows how the 1oo2 SIF would change for TI = 3, 5 &10 years.

1oo2|TI=1 1oo2|TI=3 1oo2|TI=5 1oo2|TI=10

Table 1oo2 only Final Element

Subsystem Tx Barrier D1014D PLC Valve
1 yr T-proof

PFDavg 1oo1 0.000400 0.000095 0.000005 0.010915 0.000350

RRF 1oo1 2500 10526 200000 92 2857

MTBFs 1oo1 125 629 741 24 189

PFDavg 1oo2 (Valve Only) 0.000400 0.000095 0.000005 0.00068768 0.00001765

RRF 2500 10526 200000 1454 56670

MTBFs 125 629 741 12 189

SFF 91.8 % 94.0 % 99.3 % 73.8 % 88.3 %

SIL Level SIL 2 SIL 3 SIL 3 SIL 3 SIL 2 SIL 2

+

Power Supply

Total (SIF)

0.011765

85

17

0.00120533

829

10

PLC Channel 1

The valves redundancy allows the SIF to reach SIL 2 level with a more than satisfactory RRF value.

Tx 1

IS Barrier Ch. 1

Input circuit

Logic Solver common circuits

Output circuit

Final element

Final element _

Consideration 1oo2 only Final Element

Adding a redundant valve; Supposing a factor of 5%, the RFF is =1454. The PFDavg value is now 1/1454 = 0.00068 and for a test proof time interval or 1 year (SIL 3). The SIL value of the total SIF becomes 0.0012 with RRF = 829. Considerations: Adjusting the T-proof time and the redundancy of final element it is possible to obtain a better SIL level of the SIF, and even to advance it to SIL 3.

Summary table 1oo2 Final Element

Note 1:

The Table highlights advantages of 1oo2 system architecture of the final element. Safety integrity level of the SIF has moved from SIL 1 to a good SIL 2 maintaining the same T-proof test time interval of 1 year.

System

PFDavg 1oo2 0.00120533 0.00361599 0.00602665 0. 0120533

RRF 829 276 165 82

Max SIL Level SIL 2 SIL 2 SIL 2 SIL 1

Table 10b shows how the 1oo2 Final Element SIF would change for TI = 3, 5 & 10 years.

1oo2|TI=1 1oo2|TI=3 1oo2|TI=5 1oo2|TI=10

3rd SIF Example

Calculate values of MTBF, PFDavg, RRF for a possible SIL level of the following SIF. These values are given by the manufacturers:
Tx: Barrier: PLC: Supply: Valve: MTBF = 102 yrs; MTBF = 314 yrs; MTBF = 685 yrs; MTBF = 167 yrs; MTBF = 12 yrs; DU = 0,00080 / yr; DU = 0,00019 / yr; DU = 0,00001 / yr; DU = 0,00070 / yr; DU = 0,02183 / yr; DD = 0,0010 / yr; DD = 0,0014 / yr; DD = 0,0001 / yr; DD = 0,0000 / yr; DD = 0,0200 / yr; S = 0,00800 / yr S = 0,00159 / yr S = 0,00135 / yr S = 0,00530 / yr S = 0,00400 / yr

Considering the same data used in the 2oo3 architecture as in the first example but introducing a factor of 5% (0.05) on redundant sub-systems.

Table 2oo3

Summary table 2oo3

Note 1:

The advantages of 2oo3 system architecture on 1oo1 are different then those obtained with a 1oo2. Safety integrity level of the SIF has in fact moved from SIL 1 to SIL 2 maintaining the same T-proof test time interval of 1 year. The very high value of RRF shows that SIL 2 can be easily maintained even with longer TI intervals.
Note 2:

Using such system configuration, the risk reduction factor is highly increased. If a SIL 2 level is required instead of SIL 3, it would be possible to extend the T-proof test time interval (TI).
System PFDavg 1oo2 0.00102414 0.00307242 0.0051207 0. 0102414 RRF 976 325 195 80 Max SIL Level SIL 2 SIL 2 SIL 2 SIL 1

Table 10c shows how the 2oo3 SIF would change for TI = 3, 5 &10 years.

2oo3|TI=1 2oo3|TI=3 2oo3|TI=5 2oo3|TI=10

Comparison between System Architectures

SIF MTBFS PFDavg Architecture (yr) 1oo1 1oo2 2oo3 17 8.5 55546 0.01176 5 0.00073 5 0.00102 4 RRF Max. SIL Level SIL 1 SIL 3 SIL 2

85 1360 976

Table 13, Comparison between system architectures

Redundant Architecture Increase SIL level 2oo3 Architecture is primarily justified due to the MTBFs high value This means that production will almost never not be interrupted by spurious/nuisance trips 1oo2 Architecture is simpler, cost effective and with a slightly better RRF. But the MTBFs is very poor Choice is also to be made considering possible T-proof time

Comparison tables for PFDavg values in different system architectures

Architecture 1oo1 1oo2 2oo2 2oo3 du/yr 0.01 0.01 0.01 0.01 PFDavg 0.005900000 0.000042350 0.010900000 0.000127049 RRF 169 23613 92 7871 Possible SIL level SIL 2 SIL 4 SIL 1 SIL 3 Possible SIL level SIL 1 SIL 3 SIL 1 SIL 3 Possible SIL level SIL 1 SIL 3 SIL 1 SIL 2 Possible SIL level SIL 1 SIL 2 SIL 0 SIL 1

Table 14, TI = 1 yr, TD = 0.0009 yr (8 hrs)

Architecture 1oo1 1oo2 2oo2 2oo3

du/yr 0.01 0.01 0.01 0.01

PFDavg 0.015300000 0.000309005 0.030300000 0.000927016

RRF 65 3236 33 1079

Table 15, TI = 3 yr, TD = 0.0009 yr (8 hrs)

Architecture 1oo1 1oo2 2oo2 2oo3

du/yr 0.01 0.01 0.01 0.01

PFDavg 0.025180 0.000842 0.050180 0.002527

RRF 39 1187 20 396

Table 16, TI = 5 yr, TD = 0.0009 yr (8 hrs)

Architecture 1oo1 1oo2 2oo2 2oo3

du/yr 0.01 0.01 0.01 0.01

PFDavg 0.050090 0.003342 0.100090 0.010027

RRF 20 299 10 99

Table 17, TI = 10 yr, TD = 0.0009 yr (8 hrs)

4th SIF Example

Calculate SIL Level for a SIF with two Emergency Stop Switches and a Safety Relay Object: Calculate, and select components for a SIL 3 SIF with:
Two Emergency Stop Switches with 2 NC contacts. Using = 5% for the two redundant NC contacts of the Switch. In conjunction with a SIL 3 Safety Relay. With a T-proof time of 10 yrs & NE load conditions, (de-energize to trip). 24 Vdc. supply voltage.

4th SIF Example

Standards Considerations An electromechanical component, like a Emergency Stop Switch, is usually not classified, or certified, according IEC 61508 Standards. More typically: IEC 60300-3-5 and IEC 61649. According to these standards to determine d (probability of dangerous failures per hours) it is necessary to use the B10 value. B10 is the average time, or number of cycles, required to fail 10% of the components under test. A typical value could be 500.000 cycles The formula to be used is: d = 0.1 x fm / B10 Where fm is the frequency of use, for the specific application, per hours. In case of an Emergency Stop Switch we estimate 10 times per year; Hence, 10 time in 10.000 hours equal to 0.001.

4th SIF Example

Calculation of d:
d = 0.1 x fm / B10

d = 0.0001 / 500000 = 0.0000000002 per hr = 0.000002 per yr

d for 10 years is = 0.00002 PFDavg for 10 years is 0.00001 for a single contact.
(PFDavg = d/2)

Using two contacts connected in series, with factor of 5%

PFDavg for 10 years is 0.00001 x 0.05 = 0.0000005

(Simplified factor formula PFDavg x )

4th SIF Example

Basic calculation Formula:
PFDavg [PFDavg]10 RRF [PFDavg]10 1oo2 / factor 5%
Components
Safety SW1 Safety SW2 D1092S SIL 3 relay PSD1210 1 + 1 spare module

= 0.5 du per year = 5 du per 10 yrs = 1/ PFDavg. +/- = [PFDavg]10 x 0.05

[du ] per 10 yrs
0.00002 0.00002 0.00016 0.00006 0.00026

du per yr
0.000002 0.000002 0.000016 0.000006 0.000026

PFDavg per 10 yrs

0.00001 0.00001 0.00007 0.00003 0.00012

RRF
100.000 100.000 14.285 33.333 8333

SIL level per 10 yrs

SIL 3 SIL 3 SIL 3 SIL 3 SIL 3

Total SIF

4th SIF Example

We have made the following consideration for the calculation:
B10 Value 500.000 Cycles. NC, Heavy duty, Gold plated and Sealed contacts. 50 mA constant current provided by SIL relay; To keep contacts clean. SIL relay value from TUV certification. Beta Factor 5 % Life Time 10 Years

PFDavg: Equations and examples

For each component of the SIF, when the effectiveness of periodic proof test to reveal dangerous failures, is 100%, the PFDavg simplified equation, is:

PFDavg = DU

TI 2

when the effectiveness is not 100%, the PFDavg simplified equation is:

PFDavg = (Et DU
where: Et: SL:

TI SL ) + (1 - Et) DU 2 2

periodic testing effectiveness to reveal dangerous failures (e.g. 90%) system, or component, test proof interval with 99-100% effectiveness, or between two complete replacement of the device, or the lifetime of the system, or device, if it will never fully tested or replaced.

for TI = 1 yr and SL = 12 years, the PFDavg simplified equation is:

PFDavg TI=1,SL=12 = (Et

DU 12 )+ (1-Et)DU 2 2

PFDavg: Equations and examples

PFDavg TI=1,SL=12 = (Et
Example a:

DU 12 ) + (1- Et) DU 2 2

du = 0,01 / yr TI = 1 yr Et = 90% = 0,9 SL = 12 yr

At installation:

PFDavg = 0,01 / 2 = 0,005 RRF = 1 / PFDavg = 1 / 0,005 = 200

After one year:

PFDavg = (0,9 x 0,01 / 2) + (0,1 x 0,01 x 6 ) = 0,0105 RRF = 1 / PFDavg = 1 / 0,0105 = 95

Note: after one year (or after each periodic test) SIL 2 level has become SIL 1.

PFDavg: Equations and examples

PFDavg TI=1,SL=12 = (Et DU 12 )+ (1-Et)DU 2 2

Example b:

du = 0,01 / yr TI = 1 yr Et = 99% = 0,99 SL = 12 yrs

After one year:

PFDavg = (0,99 x 0,01 / 2) + (0,01 x 0,01 x 6) = 0,0056 RRF = 1 / PFDavg = 1 / 0,006 = 178 Note: after one year (or after each periodic test interval) SIL2 level is still maintained.

PFDavg: Equations and examples

PFDavg TI=1,SL=12 = (Et DU 12 )+ (1-Et)DU 2 2

Example c:

du = 0,01 / yr TI = 1 yr Et = 50% = 0,5 SL = 12 yrs

After one year:

PFDavg = (0,5 x 0,01 / 2) + (0,5 x 0,01 x 6) = 0,0325 RRF = 1 / PFDavg = 1 / 0,006 = 30 Note: after one year (or after each periodic test interval) SIL2 become SIL 1

PFDavg: Equations and examples

PFDavg TI=1,SL=12 = (Et DU 12 )+ (1-Et)DU 2 2

Example c:

du = 0,01 / yr TI = 1 yr Et = 50% = 0,5 SL = 3 yrs

After one year:

PFDavg = (0,5 x 0,01 / 2) + (0,5 x 0,01 x 1,5) = 0,01 RRF = 1 / PFDavg = 1 / 0,006 = 100 Note: after one year (or after each periodic test interval) SIL2 remain at its minimum level

Test interval duration influence on PFDavg

To test a safety system online (e.g. while the process is still running), a portion of the safety system must be placed in bypass in order to prevent nuisance trips. The length of the manual proof test duration can have a significant impact on the overall performance of a safety system. During the test, a simplex 1oo1 system must be taken offline. Its availability during the test is therefore zero. Redundant systems , however, do not have to be completely placed in bypass for testing. One leg, or slice, or a dual redundant system can be place in bypass at a time. Indeed a dual system is reduced to simplex during a test, and a triplicate system is reduced to dual.

TI PFDavg = DU 2
TI TD + 2 TI

PFDavg = DU

Test interval duration influence on PFDavg

Example c: du = 0,002 / yr TI = 1 yr TD = 8 hrs (time interval) PFDavg = 0,001 + 0,0009 = 0,0019; RRF = 1/ 0,0019 = 526 (useful for SIL 2 level) Example d: du = 0,002 / yr TI = 1 yr TD = 96 hrs PFDavg = 0,001 + 0,01 = 0,011; RRF = 1/ 0,011 = 90 (useful for SIL 1 level) Note:
PFDavg = DU TI 2

PFDavg TI=1,SL=12 = (Et

DU 12 ) + (1- Et) DU 2 2

PFDavg = DU

TI TD + 2 TI

PFDavg = (Et

DU TD SL )+ + (1- Et) DU 2 TI 2

The combination of both, effectiveness and test duration, brings to the following PFDavg equation for a 1oo1 architecture.

True or False? SIL rating does not change in time.

FALSE!
SIL integrity levels depend on the probability of failure which increases with time.

True or False?

Safety Manual must be provided by the component manufacturer.

TRUE!
Safety Manual is an integral document to the SIL rating of any component. It defines the assumption behind the certification and the conditions of the SIL rating as well as provide proper maintenance information.

True or False? Two products both claiming SIL 2 offer the same level of safety.

FALSE!
1) PFDavg

or RRF value of a SIL level ranges in a factor of 10. Example: SIL 2 means from RRF = 100 to 1000.

2) SIL ratings are time related. Example: SIL 2 rating for 10 yrs differs from SIL 2 for 1 yr.

True or False? Periodic test is required to maintain the SIL Level.

TRUE!
Since some failures are undetected in operating conditions (dangerous undetected failures) Tests are required to restore the SIF in as-new condition (effectiveness 100%) Periodic Tests are essential for maintaining the SIL level.

True or False? T-Proof Time Interval are specified by the Plant Maintenance Personnel.

FALSE!
It is specified in the Hardware Specification and is decided by the manufacture and verified by the certification agency.

True or False? Component Type (A & B) are defined by the customer (User)..

FALSE!
The component class is defined by the Manufacturer.

True or False? Shorter T-proof time intervals improve SIL ratings.

TRUE!
Reducing time intervals between T-proof tests decreases the probability of failure (PFDavg) in time. Example: SIL 1 for 1 yr may become SIL 2 for 3 months.

True or False? PFDavg value of the SIF is the highest of all components PFDavg

FALSE!
The PFDavg value of the safety function (SIF) is the sum of PFDavg values of all its components (subsystems).

True or False?

SFF % and PFD both must match the SIF SIL Requirement .

TRUE!
The SFF value of each of the SIF component must be within the table A or B requirement to claim a given SIL level. The SIF total PFD must also match that of the required RRF

True or False?

It is possible to make software changes without an Impact Analysis

FALSE!
Safety Impact Analysis must be performed for any hardware or software change in the plant!

True or False? SIL 3 equipment can be useful in SIL 2 functions.

TRUE!
Using a higher SIL level than necessary allows to reduce frequency of T-proof tests and has a lower incidence on the total PFDavg of the SIF. Example: SIL 3 for 1 yr could become SIL 2 for 10 yrs.

True or False? Maintenance must be considered in the design phase.

TRUE!
A safety function under maintenance is unavailable therefore the length of the repair time must be considered. The improvement obtained applying redundant architectures is temporarily lost.

True or False? All failures have the same effect on safety.

FALSE!
Failures can be SAFE or DANGEROUS. The first lead to a spurious trip which does not harm, but induces a stopping of production. The second instead will render the safety function unavailable.

True or False? MTBF includes time for repair.

TRUE!
MTBF = MTTF + MTTR. For most applications, MTTR is negligible therefore MTBF MTTF. However in high demand applications, even a few hours of unavailability are critical and should be taken into account.

True or False? All redundant system architectures improve safety.

FALSE!
Redundant Architectures have different effects on SAFE and DANGEROUS failure rates. Example: 1oo2 improves dangerous failure rates but worsens safe failure rates. 2oo2 is the opposite

True or False? Safety Manual Provides for T-Proof test procedure but not the test effectiveness percentage.

FALSE!
Test Effectiveness (TE) must be specified along with the T-proof procedure and must be used in calculating recurring SIL level

True or False? SIL level and relating RRF are defined by HSE (Health Safety Executive)

TRUE!
A team composed of Management, Plant, Process, Instrument, Maintenance, Quality Engineers is responsible for determining RRF factor for each SIF

True or False? HSE Engineers have the responsibility to maintain the SIL level during plant life time

FALSE!
Maintenance Engineer are responsible to maintain the SIl level as mandated by initial calculations. For SIL 2 SIFs their work must be reviewed by a separate department. For SIL 3 or 4 SIFs by an external agency.

G.M. International S.r.l Via San Fiorano, 70 20058 Villasanta (Milano) ITALY www.gmintsrl.com info@gmintsrl.com