17
NTNU, September 2007
OLF 070 process to SIL determination
Development of the safety requirement specification:
Functional deviations (functions not covered by the minimum SIL table). Example: HIPPS
Integrity deviations, due to high demand rate, or high accumulated demand rate (for example if a high number of risers needs protection)
Consequence deviations, due to special considerations such as layout, process conditions, manning, etc.
[Figure: the SRS for the SIS collects, for each SIF (SIF1, SIF2, ..., SIFn), the EUC boundaries, assumptions, functional requirements and safety integrity requirements]
OLF 070 process to SIL determination
SIS design and engineering:
Organization and resources defining responsible parties in all SIS lifecycle phases
Planning: making a plan (with responsible persons/departments) and supporting procedures (e.g., for testing and design reviews) that include activities for verification, validation, and FSA
V-model: suggested in IEC 61511 for software development, but the principles may apply to SIS design in general.
OLF 070 process to SIL determination
SIS design and engineering (cont.):
Deducing design and performance requirements from SIL requirements:
PFD or PFH
Architectural constraints
Avoidance and control of systematic failures
(See IEC 61508 or IEC 61511 for guidance)
OLF 070 process to SIL determination
SIS design and engineering (cont.):
On the calculation of PFD or PFH
[Figure: input data feeding the PFD (or PFH) calculation]
Experience data (e.g., OREDA) or more generic data sources
Selection must be justified
Assumptions must be documented
Conservative estimates for failure rates (λ_0) are to be selected
Any certificates must be included
Proper selection of relevant failure modes must be made (from experience data, estimates based on MIL-HDBK-217F, etc.)
OLF 070 suggests values for:
β-factors (based on various sources and expert judgments)
Safe failure fraction (SFF)
OLF 070 process to SIL determination
SIS design and engineering (cont.):
On the selection of components and design principles
Sensor:
Manufacturers that claim conformance to IEC 61508 must provide such documentation (e.g., certificates)
Prior use must be claimed by the end user
Independent from other field devices and systems
Line monitoring of power supply and signaling lines
Mounting such that accidental isolation and hydrate formation are avoided
Use comparison of pressure readings from different sensors
Diagnostic coverage to be estimated (rules for the maximum credit taken from comparison of pressure readings)
Sensors: various types of transmitters, switches, and also (manually operated) pushbuttons
OLF 070 process to SIL determination
SIS design and engineering (cont.):
On the selection of components and design principles
Logic solver:
Manufacturers that claim conformance to IEC 61508 must provide such documentation (e.g., certificates)
Prior use must be claimed by the end user
Hardware architecture must be described (CPU, I/O typicals, interface modules)
Software may be documented according to the V-model (or similar)
Procedures must be made for how to initiate, implement, and verify application software changes
Logic solvers: hardwired, solid state, programmable logic solvers (PLC)
OLF 070 process to SIL determination
SIS design and engineering (cont.):
On the selection of components and design principles
Final element:
Manufacturers that claim conformance to IEC 61508 must provide such documentation (e.g., certificates)
Prior use must be claimed by the end user
Any local control panel must be lockable (to avoid inadvertent or unauthorized operation of valves)
Consideration may be given to the use (and the effect of using) partial stroke testing (valves)
Final elements: valves, solenoid valves, circuit breakers, fire doors, dampers, etc.
OLF 070 process to SIL determination
SIS design and engineering (cont.):
On the selection of components and design principles
Utility systems:
Must have sufficient capacity
Redundancy may be needed (if the recipient components are redundant, or if loss of utility may lead to insufficient performance of a safety function)
Utility systems: electrical power (generators or UPS), hydraulic power, pneumatics
OLF 070 process to SIL determination
SIS design and engineering (cont.):
On the selection of components and design principles
Human-machine interface (HMI):
Any failure of the HMI shall not adversely affect the ability of the SIS to perform its safety functions
If operators need to respond to an alarm: this must be included as elements in the SIF and follow the SIL requirement
A system must be in place to monitor and display the status of inhibits, overrides and blockings (one may consider removing the overriding capability for SIL 3 functions)
HMI: VDU stations in the control room, critical alarm panel in the control room, local equipment rooms, cabinets in the field, and so on.
OLF 070 process to SIL determination
SIS design and engineering (cont.):
On the selection of components and design principles
Independence
Physical independence between different SISs (performing different types of safety functions, such as PSD, ESD, F&G) is preferred
SISs shall be independent from the process control system (status information from the SISs is sometimes provided, to reduce the complexity of e.g., the PSD and ESD systems)
In practice, there are some dependencies among SISs and between SISs and process control, from sharing components (e.g., sensors and valves) and common communication channels. Sufficient functional independence has been introduced as a concept in this respect.
Some reports have been published on this particular issue, see e.g.:
Hauge, S., Onshus, T., Øien, K., Grøtan, T.O., Holmstrøm, S., Lundteigen, M.A. (2006): "Uavhengighet av sikkerhetssystemer offshore - status og utfordringer". STF50 A06011 (82-14-03884-7)
Additional guidance is also provided in appendix G of OLF 070
Document regime in OLF 070
Safety requirement specification (SRS):
One per SIS
Includes the functional and the safety integrity requirements
Includes also key assumptions and system boundaries
See IEC 61511, part 1, or appendix E in OLF 070 for a list of contents.
Safety analysis report (SAR):
One per component or subsystem (delivered by the same manufacturer)
System description, including operational modes, system topology, and block diagrams
Input data for reliability calculations (failure rates, diagnostic coverage, MTTR, etc.)
System behavior under fault conditions and in response to detected faults
Measures taken to avoid and control systematic failures
If relevant: PFD calculations and compliance with architectural constraints
Application software management
More details in appendix E of OLF 070
Compliance report:
One per SIS
Shows how all the SIFs that are performed by the SIS meet the requirements in the SRS
Operation and maintenance
Operation and maintenance planning:
Shall be done during the design phase
Shall include preparation of procedures and practices for operation of the SIS during normal operation, start-up, functional testing, and maintenance
Preparation of procedures for how to respond to dangerous detected failures, and for setting/handling of overrides and bypasses
Procedures for reporting non-conformities, such as inadequate reliability (of a SIF) or deviations from initial assumptions regarding e.g., demand rates
Scheduling of testing and maintenance activities
Allocation of responsibilities for operation and maintenance
Preparation (and initiation) of training of personnel
Preparation of data collection strategies and systems
Preparation of a program for continuous improvement of SIS operation, SIS maintenance and SIS follow-up
Identifying (and making available) documentation (from design) that is of relevance for the operational phase
Establishing procedures for management of change
Note: functional testing is an issue that needs to be addressed in an early design phase. There are many examples where a particular design makes adequate functional testing almost impossible.
In the operational phase: ensure proper implementation of the plan.
Modifications (management of change)
A modification may be a change other than a replacement in kind:
Introducing a component with different characteristics
New test intervals or new test procedures
Set point changes
Changes in operating procedures
Changes in operating environment or process conditions
Changes in the SRS
Inadequate SIS performance (too many recorded failures)
Increased (or decreased) demand rate
Software changes (application software, firmware)
The purpose of management of change is to:
Maintain the SIL (or retain the SIL)
Ensure that a return is made to the appropriate life cycle phase, so that the change is properly implemented.
Special topics: Background for minimum SIL
Methods in use:
(Simplified) reliability block diagrams that are based on commonly agreed best practice implementation of global and local SIFs
PDS method for including common cause failures
PDS reliability data, in combination with consideration of other reliability sources and expert judgments
Special topics: Background for minimum SIL
[Figure: reliability block diagram for a local safety function]
Special topics: Background for minimum SIL
[Figure: reliability block diagram for a global safety function]
Special topics: Quantification of PFD
Reference is made to the most recent PDS method edition (2010). (The current OLF 070 uses old notation.)
Special topics: Follow-up of SIS/Procedures for updating test intervals
Simple approach
[Figure: PFD(t) versus time t with PFD_avg; the failure rate is estimated as λ_0 = X/N from X recorded failures over an accumulated time N (the accompanying PFD formula is garbled in the extraction)]
Challenges:
The required PFD must be deduced for each specific component for each specific safety instrumented function
Special topics: Follow-up of SIS/Procedures for updating test intervals
More comprehensive approach
Step 1: Specify the initial parameters of the SIF: λ_0, β, M and N (in an MooN configuration)
Step 2: Identify the acceptance criterion (the required PFD; its subscript is garbled in the source)
Step 3: Express the uncertainty about the (initial) failure rate, expressed as U1 and U2
Step 4: Specify the number of failures during a specified time period and update the failure rate estimate (specified time period: the accumulated time = observation time × number of equipment units)
Step 5: Perform failure cause analysis: is it possible to eliminate some of the recorded failures from the calculations? (optional)
Step 6: Update the functional test interval based on the new data
Step 7: Verify the results and make adjustments according to the restriction rules
Step 8: Make a trend analysis
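The eight-step procedure above, together with the simple estimator λ_0 = X/N from the previous slide, worked through in Python. This is an added example, not code from the slides or from the PDS method: the pooling of the initial failure rate with observed failures, the simplified MooN PFD formula, the restriction rule and every number are assumptions chosen for illustration.

```python
from math import comb

# Constructed example data (assumptions, not values from the slides)
LAMBDA_0 = 1.0e-6          # initial dangerous undetected failure rate, per hour
PRIOR_HOURS = 1.0e6        # experience assumed behind LAMBDA_0 (expresses its uncertainty)
FAILURES = 3               # recorded failures in the observation period (step 4)
ACCUMULATED_HOURS = 2.0e6  # observation time x number of equipment units
TAU_OLD = 8760.0           # current functional test interval, hours
PFD_REQ = 0.005            # acceptance criterion from step 2

def update_failure_rate(lambda_0, failures, accumulated_hours, prior_hours=0.0):
    """Step 4: pool the initial estimate with the observed failures.
    With prior_hours=0 this reduces to the simple estimator lambda_0 = X/N."""
    return (lambda_0 * prior_hours + failures) / (prior_hours + accumulated_hours)

def pfd_avg(lambda_du, tau, beta, m, n):
    """Average PFD of an MooN group tested every tau hours (simplified
    formula, assumption): k = n-m+1 independent failures defeat the vote,
    plus a beta-factor common-cause term whenever there is redundancy."""
    k = n - m + 1
    independent = comb(n, k) * (lambda_du * tau) ** k / (k + 1)
    common_cause = beta * lambda_du * tau / 2.0 if n > 1 else 0.0
    return independent + common_cause

def new_test_interval(lambda_du, pfd_req, beta, m, n, tau_old,
                      max_extension=2.0, tau_cap=87600.0):
    """Steps 6-7: longest tau (whole days, at most tau_cap) that still meets
    pfd_req, then a restriction rule. The rule here is an assumption: an
    interval may be extended by at most max_extension per update, but may
    always be shortened when the data require it."""
    tau = 24.0
    while tau + 24.0 <= tau_cap and pfd_avg(lambda_du, tau + 24.0, beta, m, n) <= pfd_req:
        tau += 24.0
    return min(tau, tau_old * max_extension)

def run_example():
    """Apply the procedure to the constructed 1oo1 data above."""
    lam = update_failure_rate(LAMBDA_0, FAILURES, ACCUMULATED_HOURS, PRIOR_HOURS)
    tau = new_test_interval(lam, PFD_REQ, beta=0.0, m=1, n=1, tau_old=TAU_OLD)
    return lam, tau, pfd_avg(lam, tau, 0.0, 1, 1)

if __name__ == "__main__":
    lam, tau, pfd = run_example()
    print(f"updated lambda = {lam:.3e}/h, new tau = {tau:.0f} h, PFD_avg = {pfd:.4f}")
```

With the constructed data the observed failures push the rate up, so the interval is shortened from 8760 h to 7488 h; with a much lower rate the restriction rule caps the extension at twice the old interval.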
Special topics: Follow-up of SIS/Procedures for
updating test intervals
Recent approach developed through the PDS forum:
Lundteigen, Mary Ann and Hauge, Stein, "Management of safety integrity in the operational phase", Inside Functional Safety, volume 2010, issue 1.
Hauge, Stein, Lundteigen, Mary Ann, and Rausand, Marvin, "Updating failure rates and test intervals in the operational phase: A practical implementation of IEC 61511 and IEC 61508". In Risk, Safety and Reliability, CRC Press 2009, ISBN 978-0415555098, pp. 1715-1722.
Hauge, Stein and Lundteigen, Mary Ann, Guidelines for follow-up of Safety Instrumented Systems (SIS) in the operation phase. Trondheim: SINTEF 2008.
More information (slides):
http://folk.ntnu.no/lundteig/Publications/2010-proveforelesning-lundteigen-final.pdf
http://folk.ntnu.no/lundteig/Publications/lundteigen-esrel2009-final.pdf