EIT: E-Cert SS: Unit 7
Instrument Selection
EIT Safety Instrumentation E-Learning

SAFETY INSTRUMENTED SYSTEMS & EMERGENCY SHUTDOWN SYSTEMS
for Process Industries
using IEC 61511 and IEC 61508
Unit 7: SIL Instrument Selection
Version for EQO26: 7 November 2012

Presented by Dave Macdonald, EIT Cape Town South Africa
Contact E-mail: macdond@telkomsa.net
Slide 1
www.eit.edu.au

Slide 2: Introduction to Chapter 7: Practical selection of sensors and actuators for safety duties

- Impact on SIS reliability
- Types of sensors and actuators
- Failure modes and causes
- Separation, redundancy, diversity, diagnostics
- Device selection issues: what IEC 61511 requires + common sense
- Technologies: safety certified instruments and fieldbus

Slide 3

- Sensors and actuators remain the most critical reliability items in an SIS.
- Separation, diversity and redundancy are critical issues.
- Safety related instruments must have a proven record of performance.
- IEC 61508 / 61511 have specific requirements.
- Logic solver intelligence and communications power will help to provide diagnostic capabilities to assist field device reliability.
- Failure modes and common cause issues are potential problems for intelligent instruments.

Slide 4: Instrument practice for safety systems: well established

- ISA S84.01 Appendix B: obsolete standard but still relevant.
- IEC 61511 specifics defined in clauses 11.5 and 11.6 of part 1.
- Gruhn & Cheddie ISA textbook, chapter 9.

IEC 61511-1 Paragraph 11.5: Requirements for selection of components and subsystems

11.5.2.1 Components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with 11.4 and 11.5.3 to 11.5.6, as appropriate.

The three qualification routes shown on the slide: certified compliant to IEC 61508; fault tolerance; prior use justification.

Slide 5: Table 7.1 Typical Reliability Table

Item                                    | Fail to Danger Rate / yr | PFD avg       | % of total
Input sensor loop (3 month proof test)  | 0.05                     | 0.006         | 32
SIL 3 Logic Solver PLC                  |                          | 0.0005        |
Output Actuator loop (Solenoid + valve) | 0.1                      | 0.0125        | 65
Totals                                  |                          | 0.019 (SIL 1) | 100

The field devices taken together contribute 97% of the PFD for this example.
The PFD figures for the field devices are affected by environmental conditions and maintenance factors.
PES logic solvers benefit from auto-diagnostics.

Slide 6: Bus connected safety certified instruments

- Foundation Fieldbus
- Profi-safe
- ASI-Safety Bus
See Session 5.

Slide 7

- Good reliability and accuracy
- Signal present at all times: improved SFF
- Potential for diagnostics, easier to detect faults
- Possible to compare signal with other parameters
- Trending and alarming available
- Multiple set points
- Competitive pricing
- Rationalized spares

Slide 8

- Components of the instrument
- Process connection
- Fouling / corrosion / process fluids / clogging
- Wiring
- Environmental: process / climate / electrical
- Specification / range / resolution
- Response time
- Power supplies
- Intrinsic safety barriers
- Calibration / testing / left on test / isolated

Slide 9: Figure 7.4

[Figure 7.4: two trip arrangements. Electrical Drive Trip: SIS logic acts through the interlocks on the 380 V ac power to the motor (M). Process Valve Trip: SIS logic acts directly on the process valve.]

Slide 10

[Figure: Stop Category 1 / Safety Control Category 2 drive stop circuit. Elements shown: E-Stop command, Safety Relay, Power Reset, K1 Relay, K1 Time Delayed, Drive controller.]

Slide 11: Potential Causes of Failures in Final Elements

- Components of the actuator, positioner; mechanical failures of springs
- Process connection / leaks; mechanical distortion of pipes causing stress in the valve
- Valve internal faults due to fouling or corrosion by process fluids / jamming / sticking / leaking
- Wiring to solenoids
- Pneumatics / venting failures
- Environmental: physical impacts / fire / freezing or icing up
- Solenoid valves sticking or blocking

Slide 12

- Sensor contacts closed during normal operation
- Tx signals go to trip state upon failure (normally < 4 mA)
- Broken wire = trip
- Output contacts closed and energized for normal operation
- Final trip valves go to trip (safe) position on air failure
- Drives go to stop on trip or SIS signal failure

Slide 13: For an instrument to qualify for SIL target

[Flow chart on the slide:]
- Prior Use route (smart tx, or analog or switch): SIL 1 or 2; SIL 3 requires assessment and a safety manual.
- or: build to IEC 61508 HW & SW and certify to IEC 61508.
- Then apply IEC 61511 limitations, and the PFD must satisfy the SIL target.

Slide 14: Do not share sensors because it:

- Violates the principles of independence
- Creates a high level of common cause failure
- Does not create a separate layer of protection
- Does not provide secure maintenance

Slide 15: Snap question: What is wrong with this safety trip design?

[Figure 7.5: Boiler steam drum with a single level transmitter LT-1 feeding both LIC-1 (feed water supply control) and LSL in the SIS Logic Solver (Boiler Trip Logic).]

Snap question: Draw a better arrangement.

Slide 16: Separate Sensors for Control and Trip: Acceptable

[Figure 7.5 cont.: Boiler steam drum with a dedicated LT for the SIS Logic Solver (LSL, Boiler Trip Logic) and a separate LT-1 for LIC-1 (feed water supply control).]

Slide 17: Figure 7.6 Fault Tree Analysis for Boiler Low Level Trip

Shared sensor:
  Boiler Damage = Low level and NO TRIP: 0.105 / yr
  = OR of
    LT-1 fails high, LIC-1 causes low level (no trip): 0.1 / yr
    FW fails and no trip: 0.005 / yr
      = AND of
        FW fails: 0.2 / yr
        Trip fails on demand from FW failure: PFD = 0.1/2 x 0.5 = 0.025

Separate sensor:
  Boiler Damage = Low level and NO TRIP: 0.0075 / yr
  = AND of
    Low level: 0.3 / yr
      = OR of
        LIC causes low level: 0.1 / yr
        FW fails: 0.2 / yr
    Trip fails on demand (LT-2 fails high): PFD = 0.1/2 x 0.5 = 0.025

Slide 17
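The two trees of Figure 7.6 evaluated in code, as an added example that is not part of the course notes. The gate rules are the ones the figure applies implicitly: an OR of rates adds them, an AND of a rate with a probability multiplies them (a demand that meets a failed trip), and the trip PFD is the single-channel λ·Ti/2 with λ = 0.1/yr and Ti = 0.5 yr as on the slide. The `Rate`/`Prob` types, gate functions and node names are mine; the typing is there so that an AND of two rates (a units error that a hand calculation can slip into) is rejected instead of silently producing a number.

```python
# Added example (not from the EIT course notes): evaluating the two fault trees
# of Figure 7.6 with a small typed gate model. A rate (events per year) and a
# probability (PFDavg) are different quantities; an AND gate that multiplies two
# rates is a units error, so the model refuses it. Types and names are mine.
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Rate:
    """Frequency of an event, per year."""
    value: float
    name: str = ""


@dataclass(frozen=True)
class Prob:
    """Dimensionless probability, e.g. PFDavg of a trip."""
    value: float
    name: str = ""


Node = Union[Rate, Prob]


def pfd_1oo1(lam_du_per_yr: float, ti_yrs: float) -> float:
    """Single-channel PFDavg = lambda_du x Ti / 2, the formula used in the figure."""
    return lam_du_per_yr * ti_yrs / 2


def OR(*nodes: Node) -> Node:
    """Rare-event approximation: the union of independent rare events is their sum.
    All inputs must be the same kind; adding a rate to a probability is meaningless."""
    kinds = {type(n) for n in nodes}
    if len(kinds) != 1:
        raise TypeError("OR gate inputs must all be rates or all be probabilities")
    kind = kinds.pop()
    return kind(sum(n.value for n in nodes))


def AND(*nodes: Node) -> Node:
    """At most one rate input: a rate multiplied by probabilities is a rate
    (demands per year that find the protection failed); probabilities alone
    multiply to a probability. Two rates would need a coincidence window."""
    rates = [n for n in nodes if isinstance(n, Rate)]
    probs = [n for n in nodes if isinstance(n, Prob)]
    if len(rates) > 1:
        raise TypeError("AND of two rates needs a duration; model one side as a probability")
    p = 1.0
    for n in probs:
        p *= n.value
    return Rate(rates[0].value * p) if rates else Prob(p)


# Figures copied from the slide: LT fails high at 0.1/yr, proof test every 0.5 yr.
TRIP_PFD = pfd_1oo1(0.1, 0.5)   # = 0.025


def shared_sensor_boiler_damage_per_yr() -> float:
    """Left-hand tree: LT-1 serves both LIC-1 and the trip, so one failure causes
    the low level AND defeats the trip at the same time (a pure rate path)."""
    lt1_fails_high = Rate(0.1, "LT-1 fails high, LIC-1 causes low level, no trip")
    fw_fails_no_trip = AND(Rate(0.2, "FW fails"), Prob(TRIP_PFD, "trip fails on demand"))
    return OR(lt1_fails_high, fw_fails_no_trip).value


def separate_sensor_boiler_damage_per_yr() -> float:
    """Right-hand tree: the trip has its own LT-2, so every low-level cause must
    coincide with an independent trip failure (rate x PFD)."""
    low_level = OR(Rate(0.1, "LIC causes low level"), Rate(0.2, "FW fails"))
    return AND(low_level, Prob(TRIP_PFD, "LT-2 fails high, trip fails on demand")).value


if __name__ == "__main__":
    print(f"shared sensor:   {shared_sensor_boiler_damage_per_yr():.4f} /yr")
    print(f"separate sensor: {separate_sensor_boiler_damage_per_yr():.4f} /yr")
```

The shared-sensor tree comes out at 0.105/yr and the separate-sensor tree at 0.0075/yr, the figures on the slide; the fourteen-fold difference is entirely the 0.1/yr path in which one transmitter failure is both the cause of the hazard and the reason the trip misses it.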

Slide 18

- Sharing of a sensor between SIS and BPCS is only allowed if safety integrity targets can be met. This would require sensor diagnostics and is only likely to be possible for SIL 1.
- A separate sensor is allowed to be copied to the BPCS via an isolator.
- SIL 2, 3 and 4 normally require separate sensors with redundancy.
- SIL 3 and 4 normally require separation and diverse redundancy.

Slide 19

- A single valve may be used for both BPCS and SIS but is not recommended if valve failure places a demand on the SIS.
- Normally a shared valve can only be used if diagnostic coverage and reaction time are sufficient to meet safety integrity requirements.
- Recommendations for a single valve application.
- SIL 2 and SIL 3 normally require identical or diverse separation. Diversity is not always desirable.

Slide 20: Figure 7.7

[Figure 7.7: shared control/trip valve FV. The BPCS drives the positioner; the SIS drives a solenoid valve FY (direct acting, direct mounted, de-energise to vent actuator) in the air supply (A/S) to the actuator.]
Check hazard demands due to the valve.

Slide 21: Figure 7.8

[Figure 7.8: alternative shared valve arrangement with BPCS and SIS solenoid FY in the air supply (A/S).]
Check hazard demands due to the valve.

Slide 22

- Do not confuse with proof testing.
- Compare trip transmitter value with related variables. Not often practicable.
- Use safety transmitters if available.
- Use smart transmitters with diagnostic alarm, but see next.

Slide 23: Valve Diagnostics

Assurance that a trip valve will respond correctly when needed:
- Freedom of movement, full travel
- Correct venting of actuator
- Correct rate of response
- Absence of sticking
- Trip signals and solenoid all working

Slide 24: Methods for Valve Diagnostics

- Online trip testing
- Discrepancy alarm
- Position feedback response testing
- Partial closure testing, manual or automatic
- Smart positioners, certified safety positioner

Slide 25

IEC 61508 places an upper limit on the SIL that can be claimed for any safety function on the basis of the fault tolerance of the subsystems that it uses.
The limit is a function of:
- the HW fault tolerance
- the safe failure fraction
- the degree of confidence in the behaviour under fault conditions
Details in IEC 61508 part 2.

Slide 26

IEC defines two types of equipment for use in safety systems:
- Type A: Simple devices: non-PES, e.g. limit switch, level float switch, analogue circuits.
- Type B: Complex devices, including PES, e.g. smart transmitters, digital communications, processor based systems.
The fault tolerance rating of Type B is less than Type A except under certain conditions.

Slide 27: IEC 61511-1 Table 6: Minimum hardware fault tolerance of sensors, final elements and non-PES logic

SIL | Minimum HW Fault Tolerance
[Table body not recovered from the slide; the SIL 4 row reads: Special requirements: See IEC 61508.]

The following summarized conditions apply for SIL 1, 2 and 3:
- Increase FT by 1 if the instrument does not have fail safe characteristics.
- Decrease FT by 1 if the instrument meets 4 conditions:
  - Predominantly fail safe
  - Prior use (proven in use)
  - Limited device adjustment (process parameters only)
  - Password protected
Alternatively tables 2 and 3 of IEC 61508 may be applied with an assessment.


Slide 31: Table 7.4 Redundancy Options

Sensor or Actuator Configuration | Selection
1oo1 | Use if both PFD and FT and nuisance trip targets are met.
1oo2 | 2 sensors installed, 1 required to trip. PFD value improved, nuisance trip rate doubled.
2oo3 | 3 sensors installed, 2 required to trip. PFD improved over 1oo1, nuisance trip rate dramatically reduced.

Slide 32: Common Cause Failures in Sensors

- Wrong specification
- Hardware or circuit design errors
- Environmental stress
- Shared process connections
- Wrong maintenance procedures
- Incorrect calibrators

Slide 33: Figure 7.10

[Figure 7.10: redundant transmitters PT-1A and PT-1B to the SIS sharing one process connection.]
Be careful to analyze for common cause faults, e.g. try to avoid this.

Slide 34: Figure 7.11

[Figure 7.11: diverse redundancy, PT-01 and TT-01 to the SIS.]
Where measurement is the problem use diverse redundancy, e.g. steam or ammonia overpressure protection.

Slide 35: Requirements for Device to be Proven-in-use

- Evidence that the instrument is suitable for SIS
- Consider manufacturer's QA systems
- PES devices need extra validation
- Performance record in a similar profile
- Adequate documentation
- Volume of experience, > 1 yr exposure per case

Slide 36: The approved safety instrument list

- Each instrument that is suitable for SIS
- Update and monitor the list regularly
- Add instruments only when the data is adequate
- Remove instruments from the list when they let you down
- Adequate details: include the process application

Slide 37: Additional requirements for smart transmitters and actuators

Details in IEC 61511 11.5.4 for devices with Fixed Programming Languages (FPLs).
Extra for SIL 3:
- Formal assessment: low probability of failure in the planned application
- Appropriate standards used in build
- Consider manufacturer's QA systems
- Must have a safety manual

Slide 38: Figure 7.12

[Figure 7.12: Smart transmitter connected to the SIS Logic Solver AI by a 4-20 mA + FSK data loop; a HART interface on the loop provides a status alarm to a DI; a hand held programmer also connects to the loop. FSK = Frequency Shift Keyed.]

Slide 39: Figure 7.14

[Figure not recovered from the slide.]

Slide 40

- Internal diagnostics with high coverage factor
- Very low PFDavg values. Saves on proof testing etc.
- Certified for single use in SIL 2 (instead of dual channel)
- Certified for dual redundant use in SIL 3 (instead of 1oo3)
- End user verification is simplified

Slide 41

The safety manual presents all the essential information and set-up conditions that must be followed to allow the instrument to be validated for any given application.
The manual also supplies the failure rates summary and expected PFDavg.
Compliance to safety manual requirements must be demonstrated in the validation phase.
See examples of safety manuals and FMEDA reports.

Slide 42

The safety certificate is issued by the testing body to clearly define what products have been tested and what standards and limitations have been applied in the evaluation.
The safety certificate is an essential document for the validation phase.
See examples of Safety Certificates: 3051C and Rex Radar.
Testing Authorities include:
- TUV Rheinland
- Exida.com
- Any recognized testing body that can show competency in the SIS field.
Note: Exida specializes in certifying instruments claiming prior use qualification. Reports supply SFF and failure rate data with a declaration of the fault tolerance requirements relevant to IEC 61511. See examples.

Slide 43

- Instruments must be well proven for safety with an assessment report, or certified SIL capable to IEC 61508.
- Intelligent instruments treated as PES.
- Separation, redundancy, diversity, diagnostics.
- Diagnostic coverage via smarts or logic solver.
- Bus technology established and growing.

EIT EQO26: Unit 8
Reliability Analysis
EIT Safety Instrumentation E-Learning

SAFETY INSTRUMENTED SYSTEMS & EMERGENCY SHUTDOWN SYSTEMS
for Process Industries
using IEC 61511 and IEC 61508
Unit 8: Reliability Analysis
Version for EQO26: 7 November 2012

Presented by Dave Macdonald, EIT Cape Town South Africa
Contact E-mail: macdond@telkomsa.net
Slide 44

Slide 45: Introduction to Chapter 8: Reliability Analysis of the SIS

The task of measuring or evaluating the SIS design for its overall safety integrity.
- Reasons and objectives
- Resolving the SIS into reliability block diagrams
- Identification of formulae
- Trial calculation examples
- Calculation software tools

Slide 46

IEC 61511 requires reliability analysis be done for each SIF to show that the SIL target and RRF can be achieved. Why?
- Because it tells everyone what RRF can be expected from each individual safety function.
- It confirms the basis of the design and the chosen proof test interval.
- Compares the calculated RRF for your design with the target to show you can achieve the target.
- To predict the accident rate: H events/yr = Demand Rate (D) x PFDavg, or H = D / RRF.

Slide 47: Terminology

RRF    Risk Reduction Factor (e.g. 200)
SIL    Safety Integrity Level (depends on RRF) (SIL tables)
D      Demand rate on the safety function (how often the SIF is demanded to respond to a hazard condition)
H      Hazardous event rate (also called accident rate) (e.g. 0.1/yr = 1 in 10 years)
PFDavg Average probability of failure on demand of the SIF

Slide 48: Terminology

MTTFd  Mean time to fail dangerously (= 1/λd)
MTTFs  Mean time to fail safe (or spurious) (= 1/λs)
MTTRd  Mean time to detect and repair a dangerous fault
Ti     Time interval between proof tests
λdd    Failure rate for dangerous detectable faults
λdu    Failure rate for dangerous undetectable faults (requires proof testing)
λsd    Safe revealed failure rate (causes spurious trip or loss of the affected safety channel)

Slide 49: Risk Reduction Factor and PFDavg

RRF = 1 / PFDavg
(PFDavg = average probability of failure on demand)

PFDavg is a function of:
1. Failure rate per hour for undetected faults: λdu
2. Test interval: Ti
3. Redundancy (1oo1, 1oo2, 2oo3, etc.)

Compare PFDavg with the target PFDavg for the SIL range we need.

Slide 50: Snap Question: Why is PFD so useful to know?

1. Because it can tell you the accident event rate: H = Demand Rate x PFDavg
2. Because it helps you decide the SIL of your design: PFDavg defines the SIL range for the design (in terms of resistance to random hardware failures)

Slide 51: Failure scenario for an Untested SIF

[Timeline figure, state of process over a 2 yr mission time: operating safely; an unrevealed dangerous fault occurs (at about 1 yr); operating but not protected; a hazardous condition occurs (demand); reportable accident occurs.]

Slide 52: Low Demand Mode: Proof Tested SIF repaired before demand

[Timeline figure, proof test every 0.5 yr over a 1 yr mission time: operating safely; an unrevealed dangerous fault occurs; operating but not protected; the proof test reveals the fault; fault repaired; the hazardous condition (demand) occurs afterwards; accident prevented.]

Slide 53: Low Demand Mode: Proof tested SIF but failure on demand

[Timeline figure, proof test every 0.5 yr over a 1 yr mission time: operating safely; an unrevealed dangerous fault occurs; operating but not protected; the demand occurs before the next proof test; failure (to respond) on demand; reportable accident occurs.]

Slide 54: Diagnostic + Proof Tested SIF

[Timeline figure over a 2 yr mission time, with a proof test for undetected faults at 1 yr: operating safely; a detectable dangerous fault occurs; the diagnostic test (typically 100 times/day) reveals the fault; fault detected & repaired; accident prevented.]
PFDavg = MTTD&R x fail danger rate

Slide 55

Low demand mode applies when the demand on the SIS is equal to or less than once per year (IEC 61511). Alternatively, no more than two demands per proof test interval.
Low demand calculations use PFDavg.
Hazard event rate H = D x PFDavg

High demand mode applies when the demand on the SIS is more than once per year (IEC 61511). Alternatively, more than two demands per proof test interval.
High demand mode calculations use PFH, the probability of dangerous failure per hour.
Hazard event rate H = PFH

Slide 56: Low Demand Mode Application

[Figure: pressure surge once per year (D) -> pressure relief trip (SIS) -> accident occurs if a dangerous fault is undetected before the surge occurs.]
Accident rate H = D x PFDavg, provided the test interval is shorter than 1 year or diagnostics detect faults quickly.
Example: If PFDavg = 0.05 and D = 1: H = 0.05/yr

Slide 57: High demand Mode Application

[Figure: brake applied 100 times per day -> electronic braking controls (SIS) -> accident occurs as soon as the brake circuit fails.]
Accident rate = probability of failure/hr of the EBC = failure rate per hour of the SIS.
Example: If PFH = 0.0001/hr, H = 0.0001/hr of service.
If the machine is used for 5000 hrs/yr the accident rate = 0.5/yr.

Slide 58: Design Iteration for Target PFD in Low Demand Mode

[Flow chart:]
SRS defines the Risk Reduction Factor; PFD = 1/RRF
-> Set target PFD
-> Evaluate solution PFD
-> Calculated PFD < Target PFD?
   No: Revise design and re-evaluate
   Yes: Acceptable, proceed to detail design

Slide 59: Elements and terms in the SIS model

[Block diagram: Hazard Demand Rate (D) -> Protective System (SIS) -> Hazard Event Rate (H). The SIS is Sensor (PFD1) -> Logic (PFD2) -> Actuator (PFD3); SIL 3 / SIL 2 / SIL 1 bands marked.]
PFD avg = H/D = 1/(Risk Reduction Factor)
Overall PFD = PFD1 + PFD2 + PFD3

Slide 60: Single Channel Basic calculation of PFD

If the fail to danger rate is λdu and the proof test interval is Ti:
PFDavg = λdu x Ti/2
(failure rate/yr x mean time to detect)

Example: Fail to danger rate = 0.05 per year, Ti = 1 year
PFDavg = 0.05 x 1/2 = 0.025 (SIL 1)

How is this formula obtained?

Slide 61

[Figure: hazard event rate H plotted against demand rate D.]
Demand mode (D x T << 1): Accident rate H = Demand rate (D) x PFDavg of SIS
Continuous mode (D x T > 1): Accident rate H = PFH of SIS = fail rate λd

Slide 62

[Figure: p(t), the probability of being failed when a demand occurs, plotted against time t. It rises from 0 after each proof test action at Ti, 2Ti, ...; the horizontal line is the average value.]
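The derivation the previous slide asks for, added here as a worked step that is not part of the original slides, in the slides' own symbols λdu and Ti. The probability that an unrevealed dangerous fault is present at time t after the last proof test is

$$p(t) = 1 - e^{-\lambda_{du} t} \approx \lambda_{du}\, t \qquad (\lambda_{du} t \ll 1),$$

which is the rising ramp of the sawtooth in the figure. Averaging over one proof-test interval gives

$$\mathrm{PFD_{avg}} = \frac{1}{T_i}\int_0^{T_i} \lambda_{du}\, t \, dt = \frac{\lambda_{du}\, T_i}{2}.$$

With λdu = 0.05/yr and Ti = 1 yr this is 0.025, the value on slide 60. The linear approximation holds only while λdu·Ti is small; the exact average of the exponential, $1 - \frac{1 - e^{-\lambda_{du} T_i}}{\lambda_{du} T_i}$, is slightly lower (0.0246 for these figures), so λdu·Ti/2 errs on the conservative side.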

Slide 63

Overt failures: spurious trip rate λS = 1/MTBFsp
Covert failures: dangerous failure rate λD = 1/MTTFD
λD splits into:
- λDD, detectable by self diagnostics: λDD = C x λD (C = coverage)
- λDU, undetectable except by manual proof testing: λDU = (1 - C) x λD
Loss of production: λS + λDD trips the plant unless 2oo3 or 2oo2 voting.

Slide 64: Example: Find the Safe and Dangerous Failure Modes

[Figure: SIS High Level Trip. Level transmitters LT-1 and LT-2 on the vessel (fluid feed), Logic Solver, PSV, LC-1 with I/P and air supply (AS), fail-closed (FC) valves.]
Assume out of range detection is provided (forcing a trip).

Device         | Fail modes / yr
LE connection  | Bottom blocked: 0.1. Top leaks: 0.2
LT electronics | Runs low: 0.05. Runs high: 0.02
Cable          | Breaks: 0.01. Shorts across LT: 0.1
Power          | Lost power: 0.02
Totals for sensor sub system (λsp, λdu, λdd): left for the exercise.
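Working the slide 64 exercise in code, as an added example that is not the course's answer sheet. The slide gives the rates but not the effect of each failure mode, so the classification rests on assumptions of mine, stated in the comments: the trip acts on high level, so a fault that drives or freezes the reading low is dangerous and one that drives it high causes a spurious trip; cable break and lost power take the loop below 4 mA, a short across the transmitter takes it above 20 mA; with the out-of-range detection the slide says is provided those are revealed by the logic solver, without it they simply read low or high. The `FailureMode` class, function names and the `out_of_range_detection` switch are mine.

```python
# Added example (not the course's answer to the slide 64 exercise): sort the
# listed failure modes of the high level trip sensor into safe, dangerous
# detected and dangerous undetected rates, then total them the way the
# slide 63 / 65 formulae need them.
#
# Assumptions (mine; the slide gives rates, not the effect of each mode):
#   - the trip acts on HIGH level: a fault that drives or freezes the indicated
#     level LOW is dangerous, one that drives it HIGH trips the plant (safe);
#   - "bottom blocked" freezes/lowers the reading, "top leaks" raises it;
#   - cable break and lost power drive the loop below 4 mA, a short across the
#     LT drives it above 20 mA; with the out-of-range detection the slide says
#     is provided these are caught by the logic solver (dangerous detected, and
#     it forces a trip); without it they just read low or high.
from dataclasses import dataclass

SAFE, DD, DU = "safe", "dd", "du"


@dataclass(frozen=True)
class FailureMode:
    device: str
    mode: str
    rate_per_yr: float
    direction: str      # "low" or "high": where the indicated level goes
    out_of_range: bool  # True if the 4-20 mA loop leaves its valid band


# Rates copied from the slide; direction / out_of_range are the assumptions above.
HIGH_LEVEL_TRIP_SENSOR = [
    FailureMode("LE connection", "Bottom blocked", 0.10, "low", False),
    FailureMode("LE connection", "Top leaks", 0.20, "high", False),
    FailureMode("LT electronics", "Runs low", 0.05, "low", False),
    FailureMode("LT electronics", "Runs high", 0.02, "high", False),
    FailureMode("Cable", "Breaks", 0.01, "low", True),
    FailureMode("Cable", "Shorts across LT", 0.10, "high", True),
    FailureMode("Power", "Lost power", 0.02, "low", True),
]


def classify(fm: FailureMode, trip_on_high: bool = True,
             out_of_range_detection: bool = True) -> str:
    """Return SAFE, DD or DU for one failure mode."""
    dangerous_direction = "low" if trip_on_high else "high"
    if fm.out_of_range and out_of_range_detection:
        return DD       # revealed by the logic solver's range check
    if fm.direction == dangerous_direction:
        return DU       # in range and hiding the hazard: only a proof test finds it
    return SAFE         # drives the loop towards trip: spurious trip


def totals(modes, **kw) -> dict:
    """Sum the rates per class: lambda_s, lambda_dd, lambda_du in failures/yr."""
    sums = {SAFE: 0.0, DD: 0.0, DU: 0.0}
    for fm in modes:
        sums[classify(fm, **kw)] += fm.rate_per_yr
    return sums


def safe_failure_fraction(sums) -> float:
    """SFF = (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)."""
    return (sums[SAFE] + sums[DD]) / (sums[SAFE] + sums[DD] + sums[DU])


def diagnostic_coverage(sums) -> float:
    """C = lambda_dd / (lambda_dd + lambda_du), the coverage used on slide 63."""
    dangerous = sums[DD] + sums[DU]
    return sums[DD] / dangerous if dangerous else 0.0


def spurious_trip_rate(sums) -> float:
    """1oo1 spurious trip rate from slide 65: lambda_s + lambda_dd
    (detected faults force a trip in this example)."""
    return sums[SAFE] + sums[DD]


if __name__ == "__main__":
    for with_det in (True, False):
        s = totals(HIGH_LEVEL_TRIP_SENSOR, out_of_range_detection=with_det)
        print(f"out-of-range detection={with_det}: "
              f"lambda_s={s[SAFE]:.2f} lambda_dd={s[DD]:.2f} lambda_du={s[DU]:.2f} /yr, "
              f"SFF={safe_failure_fraction(s):.0%}, C={diagnostic_coverage(s):.0%}, "
              f"spurious={spurious_trip_rate(s):.2f} /yr")
```

Under these assumptions the out-of-range check moves 0.13/yr of failures from the undetected column to the detected one (λdu 0.18 to 0.15 per year, SFF 64% to 70%) at the cost of the same 0.13/yr appearing in the spurious trip rate; the two faults that leave the loop in range but reading low (bottom blocked, runs low) stay undetected and are the ones only a proof test will find.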

Slide 65: 1oo1 SIS Formulae

Single channel SIS fail rates:
Overt failures: spurious trip rate λS = 1/MTBFsp
Covert failures: dangerous failure rate λD = 1/MTTFD; C = coverage
  λDD = C x λD, detectable by self diagnostics
  λDU = (1 - C) x λD, detectable by manual proof testing
Loss of production: λS + λDD trips the plant unless 2oo3 or 2oo2 voting.

SP Trip Rate = λs + λDD
PFD1 = λDD x (MTTR)
PFD2 = λDU x (Ti/2)

Slide 66: 1oo2 SIS Formulae

Single channel SIS fail rates (as for 1oo1):
Overt failures: spurious trip rate λS = 1/MTBFsp
Covert failures: dangerous failure rate λD = 1/MTTFD; C = coverage
  λDD = C x λD, detectable by self diagnostics
  λDU = (1 - C) x λD, detectable by manual proof testing
Loss of production: trips the plant unless 2oo3 or 2oo2 voting.

SP Trip Rate = 2 (λs + λDD)
PFD1 = 2 (λDD)^2 (MTTR)^2
PFD2 = ((λDU . Ti)^2) / 3

Slide 67: Formula sets

Single channel SIS fail rates:
Overt failures: spurious trip rate λS = 1/MTBFsp. Loss of production: λS + λDD trips the plant unless 2oo3 or 2oo2 voting. -> Formula set 1 in Fig 8.6
Covert failures: dangerous failure rate λD = 1/MTTFD; C = coverage.
  λDD = C x λD, detectable by self diagnostics -> Formula set 2 in Fig 8.6
  λDU = (1 - C) x λD, detectable by manual proof testing -> Formula set 3 in Fig 8.6

Slide 68: Figure 8.6 Multi-channel Formula Sets for PFD and λs (excluding common mode failures)

Overt failures: spurious trip rate λs = 1/MTBFsp.
Covert failures: dangerous failure rate λd = 1/MTTF; λDD = DC . λD (detectable by self diagnostics); λDU = (1 - DC) λD (detectable by manual proof testing).

Voting | Formula set 1: Spurious trip rate | Formula set 2: PFD due to diagnostics (if detected but not tripped) | Formula set 3: PFD due to proof test
1oo1   | λs                                | λDD (MTTR)             | λDU (Ti/2)
1oo2   | 2 λs                              | 2 (λDD)^2 (MTTR)^2     | ((λDU . Ti)^2) / 3
2oo2   | 2 (λs)^2 (MTTR)                   | 2 λDD (MTTR)           | λDU . Ti
2oo3   | 6 (λs)^2 (MTTR)                   | 6 (λDD)^2 (MTTR)^2     | (λDU . Ti)^2

Slide 69: Sources of Reliability Data

- Sintef PDS handbooks: http://www.sintef.no/Projectweb/PDS-Main-Page/PDS-Handbooks/
  Sintef: http://www.sintefbok.no/Product.aspx?sectionId=65&productId=559&categoryId=10

Also see:
- exida.com Reliability Handbook
- Manufacturers' safety manuals for specific SIL certified instruments
- Faradip 3 Database
- exida.com: Safety Automation Equipment List .. Functional Safety Assessment Reports: http://www.exida.com/index.php/resources/sael/

Slide 70: Dual Channel Basic calculation of PFD

Note: λdd omitted for clarity.
[Figure: two parallel channels, each with fail to danger rate λdu.]
If the fail to danger rate is λdu and the proof test interval is Ti:
PFDavg = (λdu x Ti)^2 / 3
Example: If fail to danger rate = 0.05 per year, Ti = 1 year
PFDavg = (0.05 x 1)^2 / 3 = 0.00083 (SIL 3)
But this ignores common cause and is unrealistic.

Slide 71: Beta Factor: Common Cause Failures in redundant SIS channels

[Figure: each redundant channel carries unit failures at rate (1 - β) λd; a separate branch carries the common cause failures at rate β λd.]
Example: 2oo3 sensor with common cause failures.

Slide 72: Formulae Sets with Common Cause Factor included

[Table not recovered from the slide.]

Slide 73: Dual Channel Basic calculation of PFD inc Common Cause 5%

Note: λdd omitted for clarity.
[Figure: two channels each with unit failure rate (1 - β) λdu, plus a common cause branch with rate β λdu.]
If the fail to danger rate is λdu and the proof test interval is Ti:
PFDavg = ((1 - β) λdu x Ti)^2 / 3 + β λdu x Ti/2
Example: Fail to danger rate = 0.05 per year, Ti = 1 year, β = 5%
PFDavg = (0.95 x 0.05 x 1)^2 / 3 + (0.05 x 0.05 x 1/2) = 0.002 (SIL 2)

Slide 74: 2oo3 Channel Basic calculation of PFD inc Common Cause 5%

[Figure: three channels each with unit failure rate (1 - β) λd, plus a common cause branch.]
If the fail to danger rate is λdu and the proof test interval is Ti:
PFDavg = ((1 - β) λdu x Ti)^2 + β λdu x Ti/2
Example: Fail to danger rate = 0.05 per year, Ti = 1 year, β = 5%
PFDavg = (0.95 x 0.05 x 1)^2 + (0.05 x 0.05 x 1/2) = 0.0035 (SIL 2)

Slide 75: Formulae Sets with Common Cause Factor included

[Table not recovered from the slide.]

Slide 76: Formula for calculating PFDavg for 1oo1

PFDavg = (λDU x Ti/2) + (λDD x MTTR)

Failures per year:
Parameter              | Value    | Notes
λDU                    | 0.0500   | Dangerous undetected failure rate for one channel
λDD                    | 0.1000   | Dangerous detected failure rate for one channel
Ti in yrs              | 1.0000   | Proof test interval
MTTR in yrs            | 0.0027   | Mean time to detect and repair a detectable fault
(λDU x Ti/2)           | 2.50E-02 | Undetected portion
(λDD x MTTR)           | 2.74E-04 | Detected portion
PFD for 1oo1 subsystem | 2.53E-02 | SIL Table: SIL 1

Slide 77: Formula for calculating PFDavg for 1oo1

PFDavg = (λDU x Ti/2) + (λDD x MTTR)

Failures per hour:
Parameter              | Value    | Notes
λDU                    | 5.71E-06 | Dangerous undetected failure rate for one channel
λDD                    | 1.14E-05 | Dangerous detected failure rate for one channel
Ti in hrs              | 8760     | Proof test interval
MTTR in hrs            | 24       | Mean time to detect and repair a detectable fault
(λDU x Ti/2)           | 2.50E-02 | Undetected portion
(λDD x MTTR)           | 2.74E-04 | Detected portion
PFD for 1oo1 subsystem | 2.53E-02 | SIL Table: SIL 1

Slide 78: Formula for calculating PFDavg for 1oo2

[Figure: two channels each with rate (1 - β) λd, plus a common cause branch β λd.]
PFDavg = (1/3) ((1 - β) λDU x Ti)^2 + 2 ((1 - β) λDD x MTTR)^2 + (β λDU x Ti/2) + (β λDD) x MTTR

Failures per hour (the slide heading says per year, but the rates and Ti are in hours, as on slide 77). Safecalc check: λD = 1.71, % safe = 0, C = 66%.
Parameter                   | Value    | Notes
λDU                         | 5.71E-06 | Dangerous undetected failure rate for one channel
λDD                         | 1.14E-05 | Dangerous detected failure rate for one channel
β                           | 0.1000   | Common cause factor for dangerous and safe failures
Ti in hrs                   | 8760     | Proof test interval
MTTR in hrs                 | 24       | Mean time to detect and repair a detectable fault
(1/3) ((1 - β) λDU x Ti)^2  | 6.75E-04 | Undetected voting portion
2 ((1 - β) λDD x MTTR)^2    | 1.18E-07 | Detected voting portion
(β λDU x Ti/2)              | 2.50E-03 | Undetected common portion
(β λDD) x MTTR              | 2.70E-05 | Detected common portion
PFD for 1oo2 subsystem      | 3.20E-03 |

Slide 79: Formula for calculating PFDavg for 2oo3

[Figure: three channels each with rate (1 - β) λd, plus a common cause branch β λd.]
PFDavg = ((1 - β) λDU x Ti)^2 + 6 ((1 - β) λDD x MTTR)^2 + (β λDU x Ti/2) + (β λDD) x MTTR

Failures per hour (the slide heading says per year, but the rates and Ti are in hours, as on slide 77):
Parameter                   | Value    | Notes
λDU                         | 5.71E-06 | Dangerous undetected failure rate for one channel
λDD                         | 1.14E-05 | Dangerous detected failure rate for one channel
β                           | 0.1000   | Common cause factor for dangerous and safe failures
Ti in hrs                   | 8760     | Proof test interval
MTTR in hrs                 | 24       | Mean time to detect and repair a detectable fault
((1 - β) λDU x Ti)^2        | 2.03E-03 | Undetected voting portion
6 ((1 - β) λDD x MTTR)^2    | 3.54E-07 | Detected voting portion
(β λDU x Ti/2)              | 2.50E-03 | Undetected common portion
(β λDD) x MTTR              | 2.70E-05 | Detected common portion
PFD for 2oo3 subsystem      | 4.55E-03 |

Slide 80: SIS Analysis Model Example

[Block diagram: Sensor -> Logic -> Actuator]
Element  | Failure rate λd (/yr) or MTTF | Apply calculation | PFD average
Sensor   | λd1 = 0.2 (MTTF 5 yrs)        | Proof testing     | 0.01
Logic    | λd2 = 0.02 (MTTF 50 yrs)      | Auto diagnostics  | 0.005
Actuator | λd3 = 0.1 (MTTF 10 yrs)       | Proof testing     | 0.01

Overall PFD avg = 0.025 = 2.5E-2
Qualifies for SIL 1 (E-1 to E-2)
Apply testing or diagnostics.

Slide 81: SIS Analysis: Step 1

[Block diagram: Hazard Demand Rate -> Protective System (SIS): Sensor -> Logic -> Actuator -> Hazard Event Rate. SIL labels shown on the slide: SIL 2, SIL 1, SIL 1, SIL 1.]

Slide 82: SIS Analysis: Step 2, identify channels in each stage

Example: Dual channel sensors and actuators, single channel logic.
[Block diagram: Sensor 1oo2D (two sensors) -> Logic 1oo1D -> Actuator 1oo2 (two actuators).]

Slide 83: SIS Analysis: Step 3, expand details for each single channel

[Block diagram: Sensor 1oo2D -> Logic 1oo1D; each sensor channel expanded into Process Connection -> Transmitter -> Cable and Power.]
Expand the detail of the sensor sub system and apply fail rates for each item.

Slide 84: SIS Analysis: Steps 4 and 5

Step 4: Decide λdu, λdd and λs for the elements.
Step 5: Enter the values to the table and totalize.
[Block diagram: Process Connection (λDU1, λDD1, λSD1) -> Transmitter (λDU2, λDD2, λSD2) -> Cable and Power (λDU3, λDD3, λSD3).]

Subsystem Element | Device             | SD/hr    | SU/hr    | DD/hr    | DU/hr
1                 | Process connection | 1.14E-05 | 0.00E+00 | 5.71E-06 | 3.42E-06
2                 | Transmitter        | 1.14E-05 | 0.00E+00 | 5.71E-06 | 5.71E-07
3                 | Cable and Power    | 1.14E-05 | 0.00E+00 | 5.71E-06 | 3.42E-06
4                 |                    |          |          |          |
5                 |                    |          |          |          |
Subsystem totals  |                    | 3.42E-05 | 0.00E+00 | 1.71E-05 | 7.42E-06

Slide 85: SIS Analysis: Step 6, find the PFDavg for the 1oo2 subsystem

Break out the common cause failure fraction for the redundant channels, calculate the PFD for each portion and add them together.
[Block diagram: Sensor 1oo2, two channels each with rate (1 - β) λd, plus a branch for failures common to the Ch1 and Ch2 sensors at β λd, in series with Logic 1oo1.]
β = common cause failure fraction

Redundant section:
PFDavg = 2 ((1 - β) . λdd)^2 . (MTTR)^2 + (((1 - β) . λdu . Ti)^2) / 3
+
Common cause section:
PFDavg = β . λdd (MTTR) + β . λdu . Ti/2


SIS Analysis: Step 7, repeat steps 3 to 6 for each stage

Example: dual-channel sensors and actuators, single-channel logic.

[Figure: Sensor pair (1oo2) → Logic (1oo1) → Actuator pair (1oo2).]

PFDavg (SIS) = PFDavg for sensors (1oo2) + PFDavg for logic solver (1oo1) + PFDavg for actuators (1oo2)

Slide 86


SIS Analysis: Example

Example: dual-channel sensors and actuators, single-channel logic, 1 yr proof test interval.

Sensors, 1oo2, λDU = 0.05/yr, β = 5%:
  independent portion per channel (1-β)λDU = 0.0475/yr, common portion βλDU = 0.0025/yr
  Dual sensors PFDavg = (0.0475 × 1)²/3 + 0.0025 × 1/2
                      = 0.00075 + 0.00125
                      = 0.002

Logic solver, 1oo1D, λD = 0.05/yr, diagnostic coverage C = 95%, MTTR = 24 h:
  λDD = 0.0475/yr, λDU = 0.0025/yr
  Logic solver PFDavg = 0.0475 × 24/8760 + 0.0025 × 1/2
                      = 0.00013 + 0.00125
                      = 0.00138

Actuators, 1oo2, λDU = 0.1/yr, β = 10%:
  independent portion per channel (1-β)λDU = 0.09/yr, common portion βλDU = 0.01/yr
  Dual actuators PFDavg = (0.09 × 1)²/3 + 0.01 × 1/2
                        = 0.0027 + 0.005
                        = 0.0077

SIS PFDavg = 0.002 + 0.0014 + 0.0077
           = 0.0111 or 1.11E-2, which is SIL 1

Slide 87


SIS Analysis: Example using the EIT Calculator

File name: EIT GP SIL Calculator .xls

Data Input Table for Sensor Subsystem

Proof Test Interval in Hrs (Ti)              8760
Common cause factor (β) %                    5%
Mean Time To Test & Repair (Hrs) (MTTR)      24

Subsystem element  Device                 SD/hr     SU/hr     DD/hr     DU/hr
1                  Sensor all components  1.14E-05  0.00E+00  0.00E+00  5.71E-06
2
3
4
5
Subsystem totals                          1.14E-05  0.00E+00  0.00E+00  5.71E-06

Calculation results for Sensing

Safe Failure Fraction     66.7%
Diagnostic coverage       0.0%
PFDavg for 1oo1           2.50E-02
PFDavg for 1oo2           2.00E-03
PFDavg for 2oo3           3.51E-03

The results follow from the slide 85 formulas with λDD = 0: SFF = (λSD + λSU + λDD)/(λSD + λSU + λDD + λDU), coverage = λDD/(λDD + λDU), PFDavg(1oo1) = λDU·Ti/2, PFDavg(1oo2) = ((1-β)λDU·Ti)²/3 + βλDU·Ti/2 and PFDavg(2oo3) = ((1-β)λDU·Ti)² + βλDU·Ti/2, with λDU = 0.05/yr and Ti = 1 yr.

Slide 88
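The seven-step procedure and the slide 87 and slide 88 numbers, carried through in Python as an added example; this is not the EIT GP SIL Calculator spreadsheet and not course code. The function names, the Subsystem record and the restriction of the 2oo3 formula to the undetected-dangerous terms are my assumptions; the 1oo1 and 1oo2 formulas are the slide 85 ones.

```python
"""PFDavg for SIS subsystems using the simplified formulas from slides 85 to 88.

Added example, not part of the EIT course material or its Excel calculator.
Assumptions (not on the slides): function and parameter names are mine; all rates
are per year; MTTR and Ti are converted to years; the 2oo3 formula covers the
undetected-dangerous terms only, which is sufficient here because the slide 88
sensor example has lambda_DD = 0.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Subsystem:
    """Failure data for one channel of a subsystem (all rates per year)."""
    lam_du: float           # dangerous undetected failure rate
    lam_dd: float = 0.0     # dangerous detected failure rate (found by diagnostics)
    ti_years: float = 1.0   # proof test interval
    mttr_hours: float = 24.0
    beta: float = 0.0       # common cause fraction, used by the voted formulas only

    @property
    def mttr_years(self) -> float:
        return self.mttr_hours / HOURS_PER_YEAR


def pfd_1oo1(s: Subsystem) -> float:
    """Single channel: detected faults are down for MTTR, undetected ones for Ti/2 on average."""
    return s.lam_dd * s.mttr_years + s.lam_du * s.ti_years / 2.0


def pfd_1oo2(s: Subsystem) -> float:
    """Redundant pair: independent portion (1-beta) plus common cause portion beta (slide 85)."""
    ind_dd = (1.0 - s.beta) * s.lam_dd
    ind_du = (1.0 - s.beta) * s.lam_du
    redundant = 2.0 * (ind_dd * s.mttr_years) ** 2 + (ind_du * s.ti_years) ** 2 / 3.0
    common = s.beta * s.lam_dd * s.mttr_years + s.beta * s.lam_du * s.ti_years / 2.0
    return redundant + common


def pfd_2oo3(s: Subsystem) -> float:
    """Two-out-of-three voting, undetected-dangerous terms only (assumption, see module docstring)."""
    ind_du = (1.0 - s.beta) * s.lam_du
    return (ind_du * s.ti_years) ** 2 + s.beta * s.lam_du * s.ti_years / 2.0


# IEC 61508 low demand bands: SIL n means 10^-(n+1) <= PFDavg < 10^-n
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd: float) -> int:
    """Return the SIL band an overall PFDavg falls into, or 0 if it is worse than SIL 1."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def slide_87_example() -> dict:
    """Reproduce the worked example: 1oo2 sensors, 1oo1D logic, 1oo2 actuators, 1 yr proof test."""
    sensors = Subsystem(lam_du=0.05, beta=0.05)
    # logic solver: lambda_d = 0.05/yr split by 95 % diagnostic coverage into DD and DU
    logic = Subsystem(lam_du=0.05 * 0.05, lam_dd=0.05 * 0.95, mttr_hours=24.0)
    actuators = Subsystem(lam_du=0.1, beta=0.10)
    parts = {
        "sensors_1oo2": pfd_1oo2(sensors),
        "logic_1oo1D": pfd_1oo1(logic),
        "actuators_1oo2": pfd_1oo2(actuators),
    }
    total = parts["sensors_1oo2"] + parts["logic_1oo1D"] + parts["actuators_1oo2"]
    parts["sis_total"] = total
    parts["sil"] = sil_from_pfd(total)
    return parts


if __name__ == "__main__":
    for name, value in slide_87_example().items():
        print(f"{name:16s} {value}")
    sensor = Subsystem(lam_du=0.05, beta=0.05)   # the slide 88 calculator input
    print("calculator 1oo1/1oo2/2oo3:", pfd_1oo1(sensor), pfd_1oo2(sensor), pfd_2oo3(sensor))
```

Running it gives the slide 87 figures (sensors 2.0E-3, logic 1.38E-3, actuators 7.7E-3, SIS 1.11E-2, SIL 1) and, for the same sensor with λDD = 0, the calculator's 2.5E-2, 2.0E-3 and 3.51E-3. These are the simplified formulas: they assume λ·Ti ≪ 1 and that both channels of a pair are proof tested at the same time; where that does not hold, use a fault tree or Markov model as slide 96 recommends.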

IEC Table of PFDs relevant to Figure 8.16

[Table image not recoverable from the extraction.]

Slide 89

Slide 90


SIS Analysis: Example Calculation for Spurious Trip

Example: dual-channel sensors and actuators, single-channel logic.
Sensor: MTTF = 5 years, 75% safe failure fraction, C = 0%, β = 10%, Ti = 0.5 yr, MTTR = 8 h
Logic: MTTF = 10 years, 50% safe failure fraction, C = 95%, β = 10%, Ti = 1 yr, automatic diagnostic test interval = 2 s, MTTR = 24 h
Actuator: MTTF = 2 years, 80% safe failure fraction, C = 0%, β = 10%, Ti = 0.25 yr, MTTR = 24 h

The total failure rate of a channel is λ = 1/MTTF; the safe failure fraction gives λs and the remainder is λd.

Sensor: single channel λs = 1/5 × 0.75 = 0.15/yr (λd = 0.05/yr)
Logic: single channel λs = 1/10 × 0.5 = 0.05/yr (λd = 0.05/yr)
  λdd = C × λd = 95% × 0.05 = 0.0475/yr
Actuator: single channel λs = 1/2 × 0.8 = 0.4/yr (λd = 0.1/yr)

Slide 91


SIS Analysis: Example Calculation for Spurious Trip

Example: dual-channel sensors and actuators, single-channel logic.

Spurious trip rate for 1oo1: λST = λS + λDD

Logic solver 1oo1
Parameter                  Logic    Notes
λS                         0.05     Fail safe rate
λDD                        0.0475   DD rate added because the 95% coverage diagnostics trip on a detected fault
Total for 1oo1 subsystem   0.0975   Spurious trip rate per yr

Spurious trip rate for 1oo2: λST = 2(1-β)(λS + λDD) + β(λS + λDD)

Sensors and actuators 1oo2
Parameter                  Sensor   Actuator   Notes
λS                         0.15     0.4        Fail safe rate
λDD                        0        0          No DD rate added (C = 0%)
β                          0.1      0.1
2(1-β)(λS + λDD)           0.27     0.72       Independent portion
β(λS + λDD)                0.015    0.04       Common portion
Total for 1oo2 subsystem   0.285    0.76       Spurious trip rate per yr

Overall spurious trip rate = 0.0975 + 0.285 + 0.76 = 1.1425 per yr

Slide 92


SIS Analysis: Example, Spurious Trip Rate

Example: dual-channel sensors and actuators, single-channel logic.

[Figure: sensor pair 1oo2 (independent 0.135/yr per channel, common 0.015/yr) → logic 1oo1 (0.05/yr safe plus 0.0475/yr detected dangerous) → actuator pair 1oo2 (independent 0.36/yr per channel, common 0.04/yr).]

Dual sensors spurious trip rate = (2 × 0.135) + (1 × 0.015) = 0.285, about 0.28 trips per yr
Logic solver spurious trip rate = 0.05 + 0.0475 = 0.097 trips per yr
Dual actuators spurious trip rate = (2 × 0.36) + (1 × 0.04) = 0.76 trips per yr

Spurious trip rate = 0.28 + 0.097 + 0.76
                   = 1.14 trips per year

Slide 93


Reducing Spurious Trip Rate

Design Version A: 1oo2 sensors, λs = 0.15/yr per channel (0.135 independent + 0.015 common)
Dual sensors spurious trip rate ≈ 2 × 0.15 = 0.30 trips per yr

Design Version B: 2oo3 sensors, three channels with λs = 0.15/yr each, MTTR = 8 h
2oo3 sensors spurious trip rate = 6((1-β)λs)²(MTTR) + βλs
  = (6 × 0.135² × 8/8760) + 0.015
  = 0.0001 + 0.015
  ≈ 0.015 trips per yr

From 0.3 per year to 0.015 per year.
If one trip costs AUD 50 000, what is the annual saving?

Slide 94
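The spurious trip arithmetic of slides 91 to 94 as an added Python example (not course code). Function names are mine; the 1oo1, 1oo2 and 2oo3 trip-rate expressions are the ones on the slides, with MTTR converted from hours to years so that the 2oo3 term is in trips per year.

```python
"""Spurious (fail-safe) trip rates per year for 1oo1, 1oo2 and 2oo3 subsystems.

Added example, not part of the EIT course material. Names are mine. Assumptions:
rates are per year; MTTR is given in hours and converted to years; a detected
dangerous fault counts as a trip only where the diagnostics are configured to trip,
as for the logic solver with 95 % coverage on slide 92.
"""
HOURS_PER_YEAR = 8760.0


def from_mttf(mttf_years: float, sff: float, coverage: float) -> tuple[float, float]:
    """Split the channel failure rate 1/MTTF into (lambda_s, lambda_dd) as on slide 91."""
    lam = 1.0 / mttf_years
    lam_s = sff * lam
    lam_d = lam - lam_s
    return lam_s, coverage * lam_d


def st_1oo1(lam_s: float, lam_dd: float = 0.0) -> float:
    """Single channel trips on any safe failure or any detected dangerous failure."""
    return lam_s + lam_dd


def st_1oo2(lam_s: float, lam_dd: float = 0.0, beta: float = 0.0) -> float:
    """Either channel tripping trips the output: two independent channels plus common cause."""
    lam_trip = lam_s + lam_dd
    return 2.0 * (1.0 - beta) * lam_trip + beta * lam_trip


def st_2oo3(lam_s: float, mttr_hours: float, beta: float = 0.0) -> float:
    """Two of three channels must be in a safe-failed state at once (slide 94 formula)."""
    independent = (1.0 - beta) * lam_s
    return 6.0 * independent ** 2 * (mttr_hours / HOURS_PER_YEAR) + beta * lam_s


def slide_92_example() -> dict:
    """Reproduce slide 92 and the 2oo3 alternative of slide 94."""
    sens_s, sens_dd = from_mttf(5.0, 0.75, 0.0)    # 0.15/yr, no DD trips
    logic_s, logic_dd = from_mttf(10.0, 0.50, 0.95)  # 0.05/yr + 0.0475/yr
    act_s, act_dd = from_mttf(2.0, 0.80, 0.0)      # 0.4/yr, no DD trips
    result = {
        "sensors_1oo2": st_1oo2(sens_s, sens_dd, beta=0.1),
        "logic_1oo1": st_1oo1(logic_s, logic_dd),
        "actuators_1oo2": st_1oo2(act_s, act_dd, beta=0.1),
    }
    result["total_per_year"] = (
        result["sensors_1oo2"] + result["logic_1oo1"] + result["actuators_1oo2"]
    )
    # design version B from slide 94: same sensors voted 2oo3, MTTR 8 h
    result["sensors_2oo3"] = st_2oo3(sens_s, mttr_hours=8.0, beta=0.1)
    return result


if __name__ == "__main__":
    for name, value in slide_92_example().items():
        print(f"{name:16s} {value:.4f}")
```

The 2oo3 rate is dominated by the common cause term βλs, so once a 2oo3 sensor set is chosen the spurious trip rate is controlled by β (separation, diversity, cable routing), not by the individual channel failure rate.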


Outcomes of a Reliability Study


Show whether or not the SIS will satisfy the SIL target

Overall SIS Probability of Failure on Demand (PFDavg)

PFDavgs for each section of the SIS


Show benefits of redundancy or voting schemes
Decide the proof testing intervals
Predict the accident rate


Slide 95


Conclusions on Analysis Models


Models help to visualise SIS performance
Software speeds up analysis
IEC 61508 part 6 - methods and tables
Fault tree analysis for detailed systems


Slide 96

Low demand and high demand modes of operation

Low demand mode applies when the demand rate on the SIS is no greater than once per year and no greater than twice the proof test frequency (IEC 61511-1, first edition definition).
Low demand calculations use PFDavg.
Hazard event rate H = D × PFDavg
High demand mode applies when the demand rate on the SIS is greater than once per year, or greater than twice the proof test frequency (IEC 61511).
High demand mode calculations use PFH, which for a single channel without diagnostics is the failure to danger rate λd expressed per hour.
Hazard event rate H = PFH


Slide 97

Example: pump overpressure trip

[Figure: Pump, Power, PSH (high pressure switch), SIS, safety trip.]

λd = 0.05/yr and Ti = 1 yr:
PFDavg = 0.05 × 1/2 = 0.025, and
PFH = 0.05/8760 = 5.7E-06/hr
Suppose the demand rate D is once per year and the overpressure event rate is H per year.
In the low demand mode calculation H = D × PFDavg, so H = 1 × 0.025 = 0.025/yr.
In the high demand mode calculation H = PFH, so H = 5.7E-06/hr = 0.05/yr.

Slide 98

Example: pump overpressure trip, frequent demands

[Figure: Pump, Power, PSH (high pressure switch), SIS, safety trip.]

λd = 0.05/yr and Ti = 1 yr:
PFDavg = 0.05 × 1/2 = 0.025, and
PFH = 0.05/8760 = 5.7E-06/hr
Suppose the demand rate D is once per day (365/yr) and the overpressure event rate is H per year.
In the low demand mode calculation H = D × PFDavg, so H = 365 × 0.025 = 9.1/yr.
In the high demand mode calculation H = PFH, so H = 5.7E-06/hr = 0.05/yr.
The low demand formula is invalid here: with 365 demands per proof test interval the first demand after a dangerous failure reveals it, so the hazard rate cannot exceed the SIS failure rate, and H = PFH = 0.05/yr is the figure to use.

Slide 99
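The mode selection of slides 97 to 99 as an added Python example (not course code). Function names are mine; the low demand criterion is the IEC 61511-1 first edition one stated on slide 97 (demand rate no greater than once per year and no greater than twice the proof test frequency), and the 1oo1 PFDavg and PFH expressions are those on slide 98.

```python
"""Hazard event rate from the SIS demand rate, choosing low or high demand mode.

Added example, not part of the EIT course material. Names are mine. Assumption:
the IEC 61511-1 (first edition) low demand criterion, demand rate no greater than
once per year and no greater than twice the proof test frequency; anything else
is treated as high demand. Single channel, no diagnostics, as on slide 98.
"""
HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lam_d_per_year: float, ti_years: float) -> float:
    """Average probability of failure on demand for one untested-between-proof-tests channel."""
    return lam_d_per_year * ti_years / 2.0


def pfh_per_hour(lam_d_per_year: float) -> float:
    """Probability of dangerous failure per hour: the dangerous failure rate, per hour."""
    return lam_d_per_year / HOURS_PER_YEAR


def demand_mode(d_per_year: float, ti_years: float) -> str:
    """'low' if D <= 1/yr and D <= 2 x proof test frequency, otherwise 'high'."""
    proof_test_freq = 1.0 / ti_years
    if d_per_year <= 1.0 and d_per_year <= 2.0 * proof_test_freq:
        return "low"
    return "high"


def hazard_rate(d_per_year: float, lam_d_per_year: float, ti_years: float) -> dict:
    """Hazard event rate H per year in the applicable mode, plus the naive low demand value."""
    mode = demand_mode(d_per_year, ti_years)
    naive_low = d_per_year * pfd_avg_1oo1(lam_d_per_year, ti_years)
    if mode == "low":
        h = naive_low
    else:
        h = pfh_per_hour(lam_d_per_year) * HOURS_PER_YEAR  # = lambda_d per year
    return {"mode": mode, "H_per_year": h, "naive_low_demand": naive_low}


def sweep(demands, lam_d_per_year: float, ti_years: float) -> list:
    """Tabulate (D, mode, H) for a list of demand rates."""
    return [(d, *hazard_rate(d, lam_d_per_year, ti_years).values()) for d in demands]


if __name__ == "__main__":
    # slide 98 and 99 cases: lambda_d = 0.05/yr, Ti = 1 yr, D = 1/yr and 365/yr
    for row in sweep([1.0, 365.0], 0.05, 1.0):
        print(row)
```

The sweep makes the crossover visible: as D rises, H grows linearly with D only while the demands stay rare compared with proof tests; beyond that it saturates at λd, so quoting a PFDavg for a system that is in fact in high demand mode understates the hazard rate.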

Demand on SIS (exercise)

SIS has failures at
PFD = 0.01
PFH = 0.02/yr (2.28E-06/hr)

H = hazardous event rate

D = 0.1/yr   ... H = ? /yr
D = 1.0/yr   ... H = ? /yr
D = 10.0/yr  ... H = ? /yr
D = 100/yr   ... H = ? /yr

Slide 100