IEC 61508 Related Standards

1
NTNU, September 2007

PK 8201 supplementary information on
IEC 61508 related standards
Mary Ann Lundteigen
(www.ntnu.no/ross/rams/maryann )
(Slides prepared for small lectures and discussions, and may therefore include
more text than what would be included for a large audience presentation)
2
OLF 070 APPLICATION OF IEC 61508 AND
IEC 61511 IN THE NORWEGIAN
PETROLEUM INDUSTRY
May be downloaded from:
http://www.olf.no/061-080/070-
guidelines-for-the-application-of-iec-
61508-and-iec-61511-in-the-
petroleum-activities-on-the-
continental-shelf-article842-1362.html
3
Background and objective
Help the industry in the implementation
of key standards, such as IEC 61508
and IEC 61511
Open up for a ``simplified approach for
``standard safety instrumented
functions (SIFs)
Referenced by Petroleum Safety
Authority regulations (in Norway)
Guidance to 42 in Activity regulations: [] When preparing the
maintenance programme as mentioned in the first paragraph, the standard NS-
EN ISO 20815:2008 appendix I and the CEI/IEC 60300-3-11 standard may be
used in the area of health, working environment and safety. For activities as
mentioned in the second and third paragraphs, in the area of health, working
environment and safety,a) the ISO 13702 standard Appendix C7, the IEC 61508
standard, and OLF Guidelines No. 070 revision 2 should be used for safety
systems, b) the emergency shutdown system should be verified in accordance
with the safety integrity levels stipulated on the basis of the IEC 61508 standard
and OLF's Guidelines 070 revision 2.
Guidance to 7 in Facility regulations: []
For design of safety functions as mentioned in
the first paragraph, the ISO 13702, NORSOK
S-001 revision 4 and IEC 61508 standards and
OLF guidelines No. 70 revision 2 should be
used.
[] In order to stipulate the performance for
the safety functions as mentioned in the
second paragraph, the IEC 61508 standard
and OLF guidelines No. 70 revision 2 should be
used where electrical, electronic and
programmable electronic systems are used in
constructing the functions.
4
In OLF 070, an alternative is proposed to the
full risk based deduction of SIL requirements.
Minimum SIL tables
Comp
liance
Report
SAR
Dataoganalyse
metoder (PDS)
FSAplan
SRS
Rev.
5
Best practice design of safety systems
(following standards, NORSOK and
authority regulations is acceptable, given a
standard offshore platform
Risk reduction
according to min.
SIL tables
6
Scope of
OLF 070
Allgined with the life
cycle phases of IEC
61511 (and in
principle, also the life
cycle phases of IEC
61508)
7
Key concepts
Global safety function:
Fire and explosion hazard safety functions that
provide protection for one or several fire cells.
Example: Emergency shutdown, isolation of ignition
sources and emergency blow down.
Local safety function:
Process equipment safety functions that provide
protection for one specific process equipment unit.
Example: High level protection of a production
separator..
Functional safety assessment:
An investigation (independent review), based on
evidence, to judge the functional safety achieved by
one or more protection layers. Performed at specified
stages.
Verification
Validation
(e.g., Site
acceptance test)
Verification
Verification
FSA nr 1
FSA nr 2
Verification
Verification
FSA nr 3
FSA nr x
FSA nr 4
8
Functional safety assessment
9
Key assumptions and limitations
EUC definitions:
The OLF 070 defines a number of typical EUCs
onboard offshore fixed and mobile oil and gas
installations.
It is assumed that the EUC may be protected by global
and/or local safety functions.
Approach:
The OLF 070 represents an alternative to the fully risk
based approach for determining SIL that is suggested
in IEC 61508 and IEC 61511.
Rationale: [] enhance standardization across the
industry, and also avoid time-consuming calculations
and documentation for more or less standard safety
functions.
Process outlined in OLF 070
10
OLF 070 process to SIL determination
Hazard identification (HAZID) is required!
Multi-dicipline team
Reference to ISO 17776 Guidelines on tools
and techniques for identification and
assessment of hazardous events
Issues to consider (and to be compared to
standard design of offshore installations:
Properties of fluid being handled
Human intervention with the EUC
Novelty and complexity of the installation
Need for ``special protection functions
And so on.
Objective is to answer: Is there any reasons
why this particular installation deviates from
standard / typical offshore installations?
11
Definition of safety functions
Describe the safety functions required (from the
HAZID) and with support from standards:
Local safety functions: Tables in ISO 10418 (ISO 10418
also give requirements to how deviations from
conventional design, such as the use of HIPPS instead of
PSV, shall be documented).
Global safety functions: NORSOK S-001, I-001, PSA
regulations, input from QRA, and from Fire and Explosion
strategy (following ISO 13702)
Check if they are covered by the minimum SIL
tables
Check if additional components need to be
added for fail-safe operation: hydraulic supply,
UPS, etc.
Objective is to answer: Is there any reasons
why this particular installation deviates from
standard / typical offshore installations?
12
SIL allocation:
First, apply the minimum SIL table:
Select SIL requirements for each safety (instrumented)
function from the minimum SIL tables
Verify, if not already done, that the overall risk
acceptance criteria is met (by using minimum SIL as
input to QRA)
The minimum SIL table should ensure that the performance
of ``typical/standard safety functions is equal to or better
than todays standard (best practice)
Note:
Minimum SIL table apply basically for risk to personnel
Requirements for local safety functions assume that a
secondary level of protection (e.g., a PSV) is available
13
14
Handling deviations:
Functional deviations (functions not covered by the
minimum SIL table). Example: HIPPS
Integrity deviations, due to high demand rate, or high
accumulated demand rate (for example if a high
number of risers needs protection)
Consequence deviations, due to special considerations
such as layout, process conditions, manning, etc.
LOPA
Risk
graph
Risk
matrix
Overpressure
protectionfails
PSD
isolation
fails
HIPPS
isolation
fails
Minimum SIL table
or by calculating
the PFD of the
proposed
technical solution
<>Acceptance criteria
(e.g., 10-5 for exceeding test pressure)
CCF
(HIPPS
/PSD)
15
LOPA
Risk
graph
Risk
matrix
Overpressure
protectionfails
PSD
isolation
fails
HIPPS
isolation
fails
Minimum SIL table
or by calculating
the PFD of the
proposed
technical solution
(e.g., 10-5 for exceeding test pressure)
CCF
(HIPPS
/PSD)
16
PII
17
SIFn:
EUC boundaries
Assumptions
Functional
requirements
Safety integrity
requirements
SIF2:
EUC boundaries
Assumptions
Functional
requirements
Safety integrity
requirements
Development of the safety requirement
specification:
SIF1:
EUC boundaries
Assumptions
Functional
requirements
Safety integrity
requirements
SRS
(SIS)
18
SIS design and engineering:
Organization and resources defining responsible
parties in all SIS lifecycle phases
Planning: Making a plan (with responsible
persons/departments) and supporting procedures (e.g.,
for testing and design reviews) that include activities for
verification, validation, and FSA
V-model: Suggested in IEC 61511 for software development, but principles
may apply to SIS design in general.
19
SIS design and engineering (cont.):
Deducing design and performance requirements from
SIL requirements:
PFD or PFH
Architectural constraints
Avoidance and control with systematic failures
Visit IEC
61508 or IEC
61511 for
guidance
20
On the calculation of PFD or PFH
PFD
(or PFH)
Input
data
Experience data (e.g., OREDA) or more generic data sources
Selection must be justified
Assumptions must be documented
Conservative estimates for failure rates (z
0
) to be selected
Any certificates must be included
Proper selection of relevant failure modes must be made (from
experience data, estimates based on MIL-HDBK 217 F etc)
OLF 070 suggests values for:
[-factors (based on various sources and expert judgments)
Safe failure fraction (SFF)
21
On the selection of components and design principles
Sensor:
Manufacturers that claim conformance to IEC 61508 must provide such documentations (e.g.,
certificates)
Prior use must be claimed by end user
Independent from other field devices and systems
Line monitoring of power supply and signaling lines
Mounting so that accidental isolation and hydrate formation are avoided
Use comparison of pressure reading from different sensors
Diagnostic coverage to be estimated (rules for maximum credit taken from comparison of pressure
reading)
Sensor: Various types of transmitters, switches, and also (manually operated) pushbuttons
22
Logic solver:
certificates)
Hardware architecture must be described (CPU, I/O typicals, interface modules)
Software may be documented according to the V-model (or similar)
Procedures must be made for how to initiate, implement, and verify application software changes
Logic solver: Hardwired, Solid state, programmable logic solvers (PLC)
23
Final element:
certificates)
Any local control panel must be lockable (to avoid inadvertent or unauthorized operation of valves)
Considerations may be made to the use (and the effect from using) partial stroke testing (valves)
Final elements: Valves, solenoid valves, circuit breakers, fire doors, dampers, etc.
24
Utility systems:
Must have sufficient capacity
Redundancy may be needed (if the recipient components are redundant, or if loss of utility may lead
to insufficient performance of a safety function)
Utility systems: Electrical power (generators or UPS), hydraulic power, pneumatics
25
Human-machine interface (HMI):
Any failure of the HMI shall not adversely affect the ability of the SIS to perform its safety functions
If operators need to respond to an alarm: This must be included as elements in the SIF and follow the
SIL requirement
System in place to monitor and display status for inhibits, overrides, blockings (may consider
removing the overriding capability for SIL 3 functions).
Utility systems: VDU stations in control room, critical alarm panel in control room, local equipment rooms,
cabinets in field, and so on.
26
Independence
Physical independence between different SISs (performing different type of safety functions, such
as PSD, ESD, F&G) is preferred
SISs shall be independent from process control system (status information from the SISs is
sometimes provided, to reduce the complexity of e.g., the PSD and ESD system)
In practice, there is some dependencies among SISs and between SISs and process control, from
sharing components (e.g., sensors and valves) and common communication channels. Sufficient
functional independence has been introduced as a concept in this respect.
Some reports have been published on this particular issue, see e.g.,:
Hauge, S., Onshus, T., ien, K., Grtan, T.O., Holmstrm, S., Lundteigen, M.A. (2006):
"Uavhengighet av sikkerhetssystemer offshore - status og utfordringer". STF50 A06011
(82-14-03884-7)
Additional guidance is also provided in appendix G in OLF 070
27
Document regime in OLF 070
28
Compliance report:
One per SIS
Shows how all the SIFs that are performed by
the SIS meet the requirements in the SRS
Document regime in OLF 070
Safety requirement specification (SRS):
One per SIS
Includes the functional and the safety integrity
requirements
Includes also key assumptions and system
boundaries
See IEC 61511, part 1, or appendix E in OLF
070 for a list of content.
Safety analysis report (SAR):
One per component or subsystem (delivered by
the same manufacturer)
System description, including operational modes,
system topology, and block diagrams
Input data to reliability calculations (failure rates,
diagnostic coverage, MTTR, etc)
System behavior under fault conditions and in
response to detected faults
Measures taken to avoid and control systematic
failures
If relevant: PFD calculations and compliance to
architectural constraints
Application software management
More details in appendix E of OLF 070
29
Operation and maintenance
Operation and maintenance planning :
Shall be done during the design phase
Shall include preparation of procedures and practices
for operation of the SIS during normal operation, start-
up, functional testing, maintenance
Preparation of procedures for how to respond to
dangerous detected failures, and setting/handling of
overrides, overrides, and bypasses.
Procedures for reporting non-conformities, such as
inadequate reliability (of a SIF) or deviations from initial
assumptions regarding e.g., demand rates
Scheduling of testing and maintenance activities
Allocation of responsibilities for operation and
maintenance
Preparation (and initiation) of training of personnel
Preparation of data collection strategies and systems
Preparation of a program for continuous improvement
of SIS operation, of SIS maintenance and SIS follow-
up.
Identifying (and make available) documentation (from
design) that is of relevance for the operational phase
Establish procedures for management of change
Functional testing is an issue that
needs to be addressed in an early
design phase. There are many
examples where a particular design
make adequate functional testing
almost impossible.
In the operational phase: Ensure proper implementation of plan.
30
Modifications ( Management of change )
A modification may be a change other than a
replacement in kind :
Introducing a component with different characteristics
New test intervals or new test procedures
Set point changes
Changes in operating procedures
Changes in operating environment or process
conditions
Changes in the SRS
Inadequate SIS performance (too many recorded
failures)
Increased (or decreased) demand rate
Software changes (application software, firmware)
The purpose of management of change is to:
Maintain the SIL (or retain the SIL)
Ensure that a return is made back to the appropriate
life cycle phase to ensure proper implementation of
change.
31
Special topics: Background for minimum SIL
Methods in use:
(Simplified) reliability block diagrams that are
based on commonly agreed best practice
implementation of global and local SIFs.
PDS method for including common cause
failures
PDS reliability data, in combination with
consideration of other reliability sources and
expert judgments
32
Local
Safety function
33
Global
Safety function
34
Special topics: Quantification of PFD
Reference is made to the most
recent PDS method edition (2010)
(Current OLF 070 uses old
notations)
35
Special topics: Follow-up of SIS/Procedures for
updating test intervals
t
PFD(t)
PFDavg
PF
=
X
2N
z
0
=
X
N
Simple
Challenges:
The required PFD must be deduced
for each specific component for
each specific safety instrumented
function
36
More comprehensive approach
Step 1: Specify initial parameters of SIF
z
0
, [, M and N (in an MooN configuration)
Step 2: Identify the acceptance criteria PF
cq
Step 3: Express the uncertainty about the (initial) failure rate
Expressed as U1 and U2
Step 4: Specify the number of failures during a specified time
period and update the failure rate estimate:
Specified time period: The accumulated time =
observation time x number of equipment)
Step 5: Perform failure cause analysis
Is it possible to eliminate some of the recorded
failures in the calculations? (optional)
Step 6: Update the functional test interval based on new data
Step 7: Verify the results and make adjustments according
to restriction rules
Step 8: Make a trend analysis
37
Recent approach developed through the PDS forum
Lundteigen, Mary Ann and Hauge, Stein, "Management
of safety integrity in the operational phase", Volume
2010, issue 1 of "Inside functional safety".
Hauge, Stein, Lundteigen, Mary Ann, and Rausand,
Marvin, "Updating failure rates and test intervals in the
operational phase: A practical implementation of IEC
61511 and IEC 61508". In Risk, Safety And Reliability.
CRC Press 2009 ISBN 978-0415555098. s. 1715-1722.
Hauge, Stein; Lundteigen, Mary Ann.
Guidelines for follow-up of Safety Instrumented Systems
(SIS) in the operation phase. Trondheim: SINTEF 2008
More information (slides):
http://folk.ntnu.no/lundteig/Publications/2010-
proveforelesning-lundteigen-final.pdf
http://folk.ntnu.no/lundteig/Publications/lundteige
n-esrel2009-final.pdf
38

IEC 61508 Related Standards

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IEC 61508 Related Standards

Uploaded by

Copyright:

Available Formats

1

NTNU, September 2007

You might also like