Daniel Dupont
University of Kaiserslautern
P.O. Box 3049
67653 Kaiserslautern
Germany
Lothar Litz
University of Kaiserslautern
P.O. Box 3049
67653 Kaiserslautern
Germany
Usually,
is
performed
Pirmin Netter
Infraserv Höchst
Industriepark Höchst C769
65926 Frankfurt/Main
Germany
[Fig. 1: SIL assessment. Labels recoverable from the figure: object of evaluation (hazardous event, process risk Rp, tolerable risk RT, risk reduction via SIF); supporting methods (risk matrix, risk graph, LOPA); loop parts (sensor, PLC, final element); criteria (HFT, SFF, PFD). Figure not reproduced.]
To determine the process risk Rp for a certain hazard case (defined as the risk without the needed SIF), a risk analysis
must be performed. If Rp lies above the tolerable risk RT, all
supporting methods result in one of the four safety integrity
levels (SIL 1 to 4) as the risk measure. For any dangerous
scenario with a SIL classification, a SIF must be identified and
installed in the SIS. This should reduce the risk to a residual risk
below the tolerable one.
The hardware realization of a SIF is a safety-related loop in the SIS, which has to fulfill SIL-specific criteria.
During the SIL proof, the targeted SIL has to be verified against
several, predominantly quantitative, constraints
imposed by [1]. These criteria describe the structural and
technical loop quality, see Fig. 1. The most critical criterion
for a SIL is the average probability of failure
on demand (PFD), see Table 1.
TABLE I
SIL: PFD VALUES
SIL    PFD target value
4      10^-5 ≤ PFD < 10^-4
3      10^-4 ≤ PFD < 10^-3
2      10^-3 ≤ PFD < 10^-2
1      10^-2 ≤ PFD < 10^-1
Authorized licensed use limited to: Norges Teknisk-Naturvitenskapelige Universitet. Downloaded on June 9, 2009 at 06:22 from IEEE Xplore. Restrictions apply.
II. BOTTOM-UP APPROACH
Typical Compilation
TABLE II
SINGLE-CHANNEL TYPICALS
Observed process quantity              Pressure   Temp.      Level
Denotation                             PIRZ+A+    TIRZ+A+    LIRZ+A+
Behavior of final element on demand    close      close      open
[Component rows not recoverable from the extraction. Components named, grouped into sensor part, logic solver part and final element part: sensing element, transmitter, transmitter power supply, PLC input, PLC output, solenoid driver, solenoid valve (direct or pilot), actuator, ball valve.]
TABLE III
REFERENCE DATA
Environment
Laboratory Laboratory
-Field
ADU
ADU
[FIT]
[FIT]
Component
type
RTD and
transmitter
Transmitter
power suppl
Actuator
[FIT]
5670
24
24
150
150
2835
100
available
2835
applications
62
1400
213585
Actuator 2193
670in
19
670
valve data
Ball valve
144
1350
19111
close
960
open
close
open
laboratory
and
case for
fieldbeen
application
the same time.
The proof
testbest
intervals
have
to the
adaptedat according
14553
TABLE IV
with
actuator
ol
strucures,no.sfollown
---
..
Temperature (T)
Level (L)
fSLI(etadwrtcs
il)i
eiibe
A.
C. PFD Determination
Three commercial software tools are in widespread use in Germany
to support PFD calculations. Two of them use the
PFD formulas given in IEC 61508 [9], whereas the third one
uses Markov models. As this paper deals exclusively with
non-redundant structures,
no significant deviations are
expected between the tools. Therefore, the
calculations are performed with one of them, without
naming the tool or its manufacturer.
As each typical suffers from missing or insufficient
component failure rates, different reference rates have to be
tested. Hence, the PFD calculation does not lead to a crisp
value but to laboratory and field bandwidths. For each typical
the PFD calculation is performed three times using different
specifications
Pressure (P)
comporatoy
ndFelint
Illm aelo
manufacturers);
700
direct
pilot
valve
PFDLab-Field specification -
Field
ADU
438
poweroiupply
driver
Solenoid
PFDLab specification
TABLE V
SINGLE-CHANNEL NAMUR DATA 2003 - 2005
11 Year GrOUPDangerous,
undetected
Loops
T,
Year
Group
failures
[absolute]
[years]
I [absolute]
TOtal
12,132
41
41
0.93
Total
0.93
12,132
2003
Pressure (P)
1,479
1,154
1,020
16,172
11
0.93
1
2
43
0.93
0.95
0.93
PreSSUre(P)
Temp. (T)
Level (L)
Total
|Pressure (P)
2,292
1,936
1,368
18,903
2,098
18
5
3
56
17
Temp. (T)
1,600
0.93
0.93
0.95
0.91
0.89
0.94
Temp. (T)
Level (L)
Total
2004
12005
PFD =
pw
6.
(1)
( ( p) p <
(3)
see [10].
Solutions to (2) and (3) are found by iterative methods. The
estimated quantity p corresponds to the ratio of FDU and L:
$$p = \frac{F_{DU}}{L} \qquad (4)$$
4.
5.
=max
(1- p)= pX
Pup= m
x=0 x
2.
3.
L*AT
1.
T
2
T.
2AT
(5)
worse.
Year T
Total
2003
Pressure (P)
Temp. (T)
Level (L)
Total
2004
2005
TABLE VI
PFD CONFIDENCE INTERVALS
I
PFD confidence interval
Group
[PFDi0w; PFDup]
Typical (field):
,Tpcl(ll)
[1.0410-3;1.46104]0-
Pressure (P)
(laboratory)".
Temp. (T)
-4
(laboratory):
Typical
~best
case
PFDLab distribution
worst case - PFDLab-Field distribution
[Figure: best-case and worst-case distributions over sensor, logic solver and final element for NAMUR (field), Typical (field) and Typical (laboratory); axis from 0%. Plot not reproduced.]
Based on the NAMUR data set 2004/2005, for each group
("Total", "Pressure", "Temperature" and "Level") PFD
confidence intervals can be estimated for sensor, logic solver
and final element part separately. The relation of the PFDlow
boundaries leads to a best case NAMUR distribution (field) for
each group. Applying the same procedure to the PFDup
boundaries delivers the corresponding worst case NAMUR
distributions (field), see Figs. 2 - 5 "NAMUR (field)".
chapter IVA.
[Figure residue for the Pressure, Temperature and Level groups: NAMUR (field), Typical (field) and Typical (laboratory), best case and worst case, sensor, logic solver and final element; axis 0% to 100%. Plots not reproduced.]
To estimate the magnitude of the deviation between bottom-up and top-down, it is reasonable to consider the absolute sensor, logic
solver and final element PFDs. A first analysis is
performed for the "Total" groups.
[Fig. 6: PFDsensor "Total". Bars for NAMUR (field), Typical (field) and Typical (laboratory), best case and worst case, on a PFDavg axis with SIL bands (SIL 2, SIL 1, < SIL 1). Plot not reproduced.]
V. CONCLUSIONS
[3]
VIl. VITAE
Daniel Dupont graduated from the University of
Kaiserslautern in 2004 with a Dipl.-Math. oec. degree. Since
2004 he has been a research assistant at the Institute of
Automatic Control at the University of Kaiserslautern,
Germany. His major fields of research are methods for SIL
proof evaluation.
Lothar Litz graduated from the University of Karlsruhe in
1975 with a Dipl.-Ing. degree. In 1979 and 1982, respectively,
he received his doctorate and the Dr.-habil. degree from the same
university. He was a control engineer with the German
Hoechst AG between 1982 and 1992. Since 1992 he
has been professor at the University of Kaiserslautern, Germany, and
head of the Institute of Automatic Control. Since 2005 he has
also been vice president of the University of Kaiserslautern. His major
fields of research and education are Safety-related Automatic
Control, Failure Detection and Diagnosis, Ambient Intelligence
and Wireless Networked Control Systems.
Pirmin Netter graduated from the University of Heidelberg in
1975 with a Dipl.-Phys. degree. In 1979 he received his
doctorate. He was a control engineer with the German
Hoechst AG between 1981 and 1996. Since 1996 he
has been a member of Infraserv Höchst and head of the department
for work and plant safety. His major fields of work are work
safety, radiation protection and plant safety, especially plant
safety by devices of process control engineering.
Vil. NOMENCLATURE
SIS
SIF
SIL
Rp
RT
RR
LOPA
PLC
HFT
VI. REFERENCES
[1]
[2]
SFF
PFD
MooN
ADU
FIT
BPCS
RTD
PTC
T,
FDU
AT
1- a
MTTR
(absolute).