PK 8201 supplementary information on IEC 61508 related standards
Mary Ann Lundteigen (www.ntnu.no/ross/rams/maryann)
(Slides prepared for small lectures and discussions, and may therefore include more text than what would be included for a large audience presentation)

NTNU, September 2007

OLF 070 APPLICATION OF IEC 61508 AND IEC 61511 IN THE NORWEGIAN PETROLEUM INDUSTRY

May be downloaded from:
http://www.olf.no/061-080/070guidelines-for-the-application-of-iec61508-and-iec-61511-in-thepetroleum-activities-on-thecontinental-shelf-article842-1362.html

Background and objective

- Help the industry in the implementation of key standards, such as IEC 61508 and IEC 61511
- Open up for a "simplified approach" for "standard" safety instrumented functions (SIFs)
- Referenced by Petroleum Safety Authority regulations (in Norway):

  Guidance to § 7 in the Facility regulations: [...] For design of safety functions as mentioned in the first paragraph, the ISO 13702, NORSOK S-001 revision 4 and IEC 61508 standards and OLF guidelines No. 70 revision 2 should be used. [...] In order to stipulate the performance for the safety functions as mentioned in the second paragraph, the IEC 61508 standard and OLF guidelines No. 70 revision 2 should be used where electrical, electronic and programmable electronic systems are used in constructing the functions.

  Guidance to § 42 in the Activity regulations: [...] When preparing the maintenance programme as mentioned in the first paragraph, the standard NS-EN ISO 20815:2008 appendix I and the CEI/IEC 60300-3-11 standard may be used in the area of health, working environment and safety. For activities as mentioned in the second and third paragraphs, in the area of health, working environment and safety, a) the ISO 13702 standard Appendix C7, the IEC 61508 standard, and OLF Guidelines No. 070 revision 2 should be used for safety systems, b) the emergency shutdown system should be verified in accordance with the safety integrity levels stipulated on the basis of the IEC 61508 standard and OLF's Guidelines 070 revision 2.

In OLF 070, an alternative is proposed to the full risk based deduction of SIL requirements: minimum SIL tables.

[Figure: OLF 070 work process. Elements shown: data and analysis methods (PDS); FSA plan; SAR; compliance report; SRS revision; best practice design of safety systems (following standards, NORSOK and authority regulations is acceptable, given a standard offshore platform); risk reduction according to minimum SIL tables.]

Scope of OLF 070

Aligned with the life cycle phases of IEC 61511 (and in principle, also the life cycle phases of IEC 61508).

Key concepts

Global safety function: Fire and explosion hazard safety functions that provide protection for one or several fire cells. Example: Emergency shutdown, isolation of ignition sources and emergency blow down.

Local safety function: Process equipment safety functions that provide protection for one specific process equipment unit. Example: High level protection of a production separator.

Functional safety assessment: An investigation (independent review), based on evidence, to judge the functional safety achieved by one or more protection layers. Performed at specified stages.

[Figure: safety life cycle with verification after each phase, validation (e.g., site acceptance test), and functional safety assessments FSA nr 1, FSA nr 2, FSA nr 3, FSA nr 4 and FSA nr x at specified stages.]

Functional safety assessment

Key assumptions and limitations

EUC definitions:
- The OLF 070 defines a number of typical EUCs onboard offshore fixed and mobile oil and gas installations.
- It is assumed that the EUC may be protected by global and/or local safety functions.

Approach:
- The OLF 070 represents an alternative to the fully risk based approach for determining SIL that is suggested in IEC 61508 and IEC 61511.
- Rationale: [...] enhance standardization across the industry, and also avoid time-consuming calculations and documentation for more or less standard safety functions.

Process outlined in OLF 070

OLF 070 process to SIL determination

Hazard identification (HAZID) is required!
- Multi-discipline team
- Reference to ISO 17776 "Guidelines on tools and techniques for identification and assessment of hazardous events"
- Issues to consider (and to be compared to the standard design of offshore installations):
  - Properties of the fluid being handled
  - Human intervention with the EUC
  - Novelty and complexity of the installation
  - Need for "special" protection functions
  - And so on.

Objective is to answer: Are there any reasons why this particular installation deviates from standard / typical offshore installations?

OLF 070 process to SIL determination

Definition of safety functions:
Describe the safety functions required (from the HAZID) and with support from standards:
- Local safety functions: Tables in ISO 10418 (ISO 10418 also gives requirements to how deviations from conventional design, such as the use of HIPPS instead of PSV, shall be documented).
- Global safety functions: NORSOK S-001, I-001, PSA regulations, input from QRA, and from the Fire and Explosion strategy (following ISO 13702).

- Check if they are covered by the minimum SIL tables.
- Check if additional components need to be added for fail-safe operation: hydraulic supply, UPS, etc.

Objective is to answer: Are there any reasons why this particular installation deviates from standard / typical offshore installations?

OLF 070 process to SIL determination

SIL allocation:
First, apply the minimum SIL table:
- Select SIL requirements for each safety (instrumented) function from the minimum SIL tables.
- Verify, if not already done, that the overall risk acceptance criteria are met (by using the minimum SIL as input to the QRA).

The minimum SIL table should ensure that the performance of "typical/standard" safety functions is equal to or better than today's standard (best practice).

Note:
- The minimum SIL table applies basically to risk to personnel.
- Requirements for local safety functions assume that a secondary level of protection (e.g., a PSV) is available.

OLF 070 process to SIL determination

Handling deviations:
- Functional deviations (functions not covered by the minimum SIL table). Example: HIPPS
- Integrity deviations, due to a high demand rate, or a high accumulated demand rate (for example if a high number of risers needs protection)
- Consequence deviations, due to special considerations such as layout, process conditions, manning, etc.

[Figure: handling of deviations. The result is compared against the acceptance criteria (e.g., 10^-5 for exceeding test pressure). Methods shown: risk graph, risk matrix, LOPA (illustrated by a fault tree where "Overpressure protection fails" requires "PSD isolation fails" AND "HIPPS isolation fails", with a CCF (HIPPS/PSD) contribution alongside the independent branches), and the minimum SIL table or calculating the PFD of the proposed technical solution.]

OLF 070 process to SIL determination

Development of the safety requirement specification:
[Figure: structure of the SRS for a SIS. For each SIF (SIF1, SIF2, ..., SIFn): EUC boundaries, assumptions, functional requirements, and safety integrity requirements.]

OLF 070 process to SIL determination

SIS design and engineering:
- Organization and resources: defining responsible parties in all SIS lifecycle phases
- Planning: Making a plan (with responsible persons/departments) and supporting procedures (e.g., for testing and design reviews) that include activities for verification, validation, and FSA

V-model: Suggested in IEC 61511 for software development, but the principles may apply to SIS design in general.

OLF 070 process to SIL determination

SIS design and engineering (cont.):
Deducing design and performance requirements from SIL requirements:
- PFD or PFH
- Architectural constraints
- Avoidance and control of systematic failures

Visit IEC 61508 or IEC 61511 for guidance.

OLF 070 process to SIL determination

SIS design and engineering (cont.):
On the calculation of PFD or PFH

[Figure: input data -> PFD (or PFH)]

Experience data (e.g., OREDA) or more generic data sources:
- Selection must be justified
- Assumptions must be documented
- Conservative estimates for failure rates (λ) to be selected
- Any certificates must be included
- Proper selection of relevant failure modes must be made (from experience data, estimates based on MIL-HDBK-217F, etc.)

OLF 070 suggests values for:
- β-factors (based on various sources and expert judgments)
- Safe failure fraction (SFF)

OLF 070 process to SIL determination

SIS design and engineering (cont.):
On the selection of components and design principles

Sensor:
- Manufacturers that claim conformance to IEC 61508 must provide such documentation (e.g., certificates)
- Prior use must be claimed by the end user
- Independent from other field devices and systems
- Line monitoring of power supply and signaling lines
- Mounting so that accidental isolation and hydrate formation are avoided
- Use comparison of pressure readings from different sensors
- Diagnostic coverage to be estimated (rules for the maximum credit taken from comparison of pressure readings)

Sensors: Various types of transmitters, switches, and also (manually operated) pushbuttons

OLF 070 process to SIL determination

SIS design and engineering (cont.):
On the selection of components and design principles

Logic solver:
- Manufacturers that claim conformance to IEC 61508 must provide such documentation (e.g., certificates)
- Prior use must be claimed by the end user
- Hardware architecture must be described (CPU, I/O typicals, interface modules)
- Software may be documented according to the V-model (or similar)
- Procedures must be made for how to initiate, implement, and verify application software changes

Logic solvers: Hardwired, solid state, programmable logic solvers (PLC)

OLF 070 process to SIL determination

SIS design and engineering (cont.):
On the selection of components and design principles

Final element:
- Manufacturers that claim conformance to IEC 61508 must provide such documentation (e.g., certificates)
- Prior use must be claimed by the end user
- Any local control panel must be lockable (to avoid inadvertent or unauthorized operation of valves)
- Considerations may be made to the use (and the effect from using) partial stroke testing (valves)

Final elements: Valves, solenoid valves, circuit breakers, fire doors, dampers, etc.

OLF 070 process to SIL determination

SIS design and engineering (cont.):
On the selection of components and design principles

Utility systems:
- Must have sufficient capacity
- Redundancy may be needed (if the recipient components are redundant, or if loss of utility may lead to insufficient performance of a safety function)

Utility systems: Electrical power (generators or UPS), hydraulic power, pneumatics

OLF 070 process to SIL determination

SIS design and engineering (cont.):
On the selection of components and design principles

Human-machine interface (HMI):
- Any failure of the HMI shall not adversely affect the ability of the SIS to perform its safety functions
- If operators need to respond to an alarm: this must be included as an element of the SIF and follow the SIL requirement
- A system must be in place to monitor and display status for inhibits, overrides, blockings (may consider removing the overriding capability for SIL 3 functions).

HMI: VDU stations in the control room, critical alarm panel in the control room, local equipment rooms, cabinets in the field, and so on.

OLF 070 process to SIL determination

SIS design and engineering (cont.):
On the selection of components and design principles

Independence:
- Physical independence between different SISs (performing different types of safety functions, such as PSD, ESD, F&G) is preferred
- SISs shall be independent from the process control system (status information from the SISs is sometimes provided, to reduce the complexity of e.g., the PSD and ESD system)
- In practice, there are some dependencies among SISs and between SISs and process control, from sharing components (e.g., sensors and valves) and common communication channels. "Sufficient functional independence" has been introduced as a concept in this respect.

Some reports have been published on this particular issue, see e.g.:
Hauge, S., Onshus, T., Øien, K., Grøtan, T.O., Holmström, S., Lundteigen, M.A. (2006): "Uavhengighet av sikkerhetssystemer offshore - status og utfordringer" (Independence of offshore safety systems: status and challenges). STF50 A06011 (82-14-03884-7)

Additional guidance is also provided in appendix G in OLF 070.

Document regime in OLF 070

Safety requirement specification (SRS):
- One per SIS
- Includes the functional and the safety integrity requirements
- Includes also key assumptions and system boundaries
- See IEC 61511, part 1, or appendix E in OLF 070 for a list of content.

Compliance report:
- One per SIS
- Shows how all the SIFs that are performed by the SIS meet the requirements in the SRS

Safety analysis report (SAR):
- One per component or subsystem (delivered by the same manufacturer)
- System description, including operational modes, system topology, and block diagrams
- Input data to reliability calculations (failure rates, diagnostic coverage, MTTR, etc.)
- System behavior under fault conditions and in response to detected faults
- Measures taken to avoid and control systematic failures
- If relevant: PFD calculations and compliance to architectural constraints
- Application software management
- More details in appendix E of OLF 070

Operation and maintenance

Operation and maintenance planning:
- Shall be done during the design phase
- Shall include preparation of procedures and practices for operation of the SIS during normal operation, start-up, functional testing, maintenance
- Preparation of procedures for how to respond to dangerous detected failures, and setting/handling of overrides and bypasses.
- Procedures for reporting non-conformities, such as inadequate reliability (of a SIF) or deviations from initial assumptions regarding e.g., demand rates
- Scheduling of testing and maintenance activities
- Allocation of responsibilities for operation and maintenance
- Preparation (and initiation) of training of personnel
- Preparation of data collection strategies and systems
- Preparation of a program for continuous improvement of SIS operation, SIS maintenance and SIS follow-up.
- Identifying (and making available) documentation (from design) that is of relevance for the operational phase
- Establishing procedures for management of change

Functional testing is an issue that needs to be addressed in an early design phase. There are many examples where a particular design makes adequate functional testing almost impossible.

In the operational phase: Ensure proper implementation of the plan.

Modifications (Management of change)

A modification may be a change other than a replacement in kind:
- Introducing a component with different characteristics
- New test intervals or new test procedures
- Set point changes
- Changes in operating procedures
- Changes in operating environment or process conditions
- Changes in the SRS
- Inadequate SIS performance (too many recorded failures)
- Increased (or decreased) demand rate
- Software changes (application software, firmware)

The purpose of management of change is to:
- Maintain the SIL (or retain the SIL)
- Ensure that a return is made back to the appropriate life cycle phase to ensure proper implementation of the change.

Special topics: Background for minimum SIL

Methods in use:
- (Simplified) reliability block diagrams that are based on commonly agreed best practice implementation of global and local SIFs.
- PDS method for including common cause failures
- PDS reliability data, in combination with consideration of other reliability sources and expert judgments

Special topics: Background for minimum SIL
[Figure: local safety function]

Special topics: Background for minimum SIL
[Figure: global safety function]

Special topics: Quantification of PFD

Reference is made to the most recent PDS method edition (2010). (The current OLF 070 uses old notations.)

Special topics: Follow-up of SIS / Procedures for updating test intervals

[Figure: simple approach, showing PFD(t) over time and the resulting PFDavg]

Challenges:
- The required PFD must be deduced for each specific component for each specific safety instrumented function

Special topics: Follow-up of SIS / Procedures for updating test intervals

More comprehensive approach:
- Step 1: Specify the initial parameters of the SIF (among them M and N in an MooN configuration)
- Step 2: Identify the acceptance criteria
- Step 3: Express the uncertainty about the (initial) failure rate, expressed as U1 and U2
- Step 4: Specify the number of failures during a specified time period and update the failure rate estimate. Specified time period: the accumulated time = observation time x number of equipment units
- Step 5: Perform failure cause analysis. Is it possible to eliminate some of the recorded failures in the calculations? (optional)
- Step 6: Update the functional test interval based on the new data
- Step 7: Verify the results and make adjustments according to restriction rules
- Step 8: Make a trend analysis
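As an added example (not code from OLF 070, the PDS method or these slides), the Python below carries two passages through for a 1oo2 group: the PFD calculation from the "On the calculation of PFD or PFH" slide (failure rate, β-factor, test interval) and Steps 4, 6 and 7 of the follow-up procedure above. The PFDavg formula is a simplified approximation (independent part plus a β-factor common cause part, not the PDS formulas), the failure-rate update is a gamma-Poisson pooling of the initial estimate with the failures recorded over the accumulated time (the U1/U2 uncertainty measures of Step 3 are not reproduced), and the restriction rule that limits how much the test interval may change per update is constructed. All failure rates, failure counts, unit counts and the β value are constructed inputs.

```python
"""Added example (not code from OLF 070, the PDS method or these slides).
Simplified PFDavg for an MooN voted group with a beta-factor CCF term, followed by the
operational follow-up cycle: update the failure rate from recorded failures over the
accumulated time, re-evaluate the SIL, and adjust the test interval under a restriction
rule.  Formulas are simplified approximations and all numbers are constructed."""
from math import comb

# Low-demand PFDavg bands (IEC 61508-1): (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg(lam_du, tau, m, n, beta):
    """Approximate PFDavg of an MooN group (assumed simplified IEC 61508-6 style model).

    lam_du: dangerous undetected failure rate per hour; tau: functional test interval, hours.
    - independent part: k = N-M+1 channels must fail, each with rate (1-beta)*lam_du,
      approximated as comb(N, k) * ((1-beta)*lam_du*tau)**k / (k+1)
    - CCF part (beta-factor model): beta*lam_du*tau/2, which only exists for N > 1
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    if n == 1:
        return lam_du * tau / 2  # single channel: nothing to share
    k = n - m + 1
    independent = comb(n, k) * ((1 - beta) * lam_du * tau) ** k / (k + 1)
    ccf = beta * lam_du * tau / 2
    return independent + ccf


def sil_from_pfd(pfd):
    """SIL claimable for a low-demand PFDavg, or 0 if outside the SIL 1-4 range."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def update_failure_rate(lam0, prior_hours, n_failures, observation_hours, n_units):
    """Step 4: update the failure rate estimate from recorded failures.
    Accumulated time = observation time x number of equipment units (as on the slide).
    Assumption: a gamma-Poisson (conjugate) update in which prior_hours states how much
    operating experience the initial estimate lam0 is trusted to be worth."""
    accumulated_hours = observation_hours * n_units
    return (n_failures + lam0 * prior_hours) / (prior_hours + accumulated_hours)


def propose_test_interval(lam_du, m, n, beta, pfd_target, tau_old, max_change=2.0):
    """Steps 6-7: longest test interval meeting pfd_target, then a restriction rule.
    Restriction rule (constructed): tau may change by at most a factor max_change per
    update.  Returns the unrestricted and restricted interval, the PFDavg at the restricted
    interval, and whether the target is still met after the restriction."""
    hi = 10.0 * tau_old
    if pfd_avg(lam_du, hi, m, n, beta) <= pfd_target:
        tau_required = hi  # even a much longer interval is fine; cap the search here
    else:
        lo = 0.0  # PFDavg grows with tau, so bisect for the crossing point
        for _ in range(200):
            mid = (lo + hi) / 2
            if pfd_avg(lam_du, mid, m, n, beta) <= pfd_target:
                lo = mid
            else:
                hi = mid
        tau_required = lo
    tau_new = min(max(tau_required, tau_old / max_change), tau_old * max_change)
    pfd_new = pfd_avg(lam_du, tau_new, m, n, beta)
    return {"tau_required": tau_required, "tau_new": tau_new,
            "pfd_new": pfd_new, "target_met": pfd_new <= pfd_target}


if __name__ == "__main__":
    # Constructed case: 1oo2 pressure transmitters, lam_DU 2e-6/h, yearly test, beta 0.05,
    # SIL 3 required (PFDavg < 1e-3).
    lam0, tau, m, n, beta, target = 2e-6, 8760.0, 1, 2, 0.05, 1e-3
    pfd0 = pfd_avg(lam0, tau, m, n, beta)
    print(f"design: PFDavg={pfd0:.2e} -> SIL {sil_from_pfd(pfd0)}")
    # Follow-up: 8 DU failures recorded on 20 units over 3 years; prior worth 5e5 unit-hours.
    lam1 = update_failure_rate(lam0, 5e5, 8, 3 * 8760, 20)
    pfd1 = pfd_avg(lam1, tau, m, n, beta)
    print(f"updated: lam_DU={lam1:.2e}/h, PFDavg={pfd1:.2e} -> SIL {sil_from_pfd(pfd1)}")
    print(propose_test_interval(lam1, m, n, beta, target, tau))
```

With the constructed numbers the design value sits in SIL 3, the operational record roughly quadruples the failure rate estimate and drops the group to SIL 2, and the interval needed to recover SIL 3 (about 3360 h) is shorter than the restriction rule allows in a single step (4380 h), so the function reports target_met False: this is the situation Step 7 sends back for adjustment rather than silently accepting the new interval.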


Special topics: Follow-up of SIS / Procedures for updating test intervals

Recent approach developed through the PDS forum:
- Lundteigen, Mary Ann and Hauge, Stein, "Management of safety integrity in the operational phase", Volume 2010, issue 1 of "Inside functional safety".
- Hauge, Stein, Lundteigen, Mary Ann, and Rausand, Marvin, "Updating failure rates and test intervals in the operational phase: A practical implementation of IEC 61511 and IEC 61508". In Risk, Safety and Reliability. CRC Press 2009, ISBN 978-0415555098, pp. 1715-1722.
- Hauge, Stein; Lundteigen, Mary Ann. Guidelines for follow-up of Safety Instrumented Systems (SIS) in the operation phase. Trondheim: SINTEF 2008.

More information (slides):
http://folk.ntnu.no/lundteig/Publications/2010proveforelesning-lundteigen-final.pdf
http://folk.ntnu.no/lundteig/Publications/lundteigen-esrel2009-final.pdf