
21/07/2017

Functional Safety Demystified


BOB WEISS - FUNCTIONAL SAFETY CONSULTANT
IICA TECHNICAL EVENING – 19th JULY 2017

21 July, 2017 IICA - FUNCTIONAL SAFETY DEMYSTIFIED 1

TOPICS
What is Functional Safety?
◦ SIS, SIF and SIL
Standards IEC 61508 and IEC 61511
Purpose: Explains how to comply with AS IEC 61511-2004 using a case study
◦ An example to demonstrate compliance
◦ 4.5 day TÜV FSEng course in 45 minutes!
◦ One day course also available


What is Functional Safety?


New term in IEC 61508 (introduced in 1999)
Part of Overall Safety
◦ freedom from unacceptable risk
Achieved by a Safety Instrumented System (SIS)
◦ E/E/PE Safety System in IEC 61508
◦ Examples:
◦ Trip System
◦ Emergency Shutdown System
◦ Burner Management System
◦ Includes field devices as well as logic solver
A SIS places or maintains a process in a safe state
◦ Process = Equipment Under Control (EUC) in IEC 61508
◦ Implements Safety Instrumented Functions (SIFs)
◦ Each SIF achieves a Safety Integrity Level (SIL)
Acronyms to remember: SIS, SIF and SIL!


IEC 61508 or IEC 61511

IEC 61508: SIS device manufacturers; SIS integrators & users (SIL 1-3); SIS integrators & users (SIL 4)
IEC 61511: SIS integrators & users for process industries (SIL 1-3)

Integrators & users in the process industries can use either IEC 61508 or IEC 61511
IEC 61511 is generally simpler to apply


Why Functional Safety?


Buncefield, England 11 Dec 2005
Storage tank level gauge showed constant reading
High level switch left in test mode
Gasoline tank overflowed
Mist exploded
◦ largest peacetime explosion in Europe
◦ 20 tanks on fire
◦ burned for three days
◦ significant environmental impact
◦ hundreds of millions of pounds damage

Should have complied with IEC 61511.


Basic Terminology
[Diagram of a Safety Instrumented System (SIS) with three subsystems: sensing subsystem, logic subsystem, final element subsystem]
SIF 1: TZH1234, SIL 2 – two temperature transmitters → logic solver (e.g. Safety PLC) → solenoid → shut-off valve
SIF 2: PZHH1234, SIL 1 – pressure transmitter and flow transmitter → logic solver → relay in MCC and solenoid → globe valve
Diagram labels: Subsystems, Component

Safety Instrumented System - SIS
Safety Instrumented Function - SIF
Safety Integrity Level - SIL

Safety Integrity Level vs. Risk Reduction

SIL   | Risk Reduction Factor (RRF) | Probability of Failure on Demand (PFDavg) | Safety Availability
4     | > 10,000                    | ≥ 10^-5 to < 10^-4                         | > 99.99%
3     | > 1,000 to ≤ 10,000         | ≥ 10^-4 to < 10^-3                         | > 99.9% to ≤ 99.99%
2     | > 100 to ≤ 1,000            | ≥ 10^-3 to < 10^-2                         | > 99% to ≤ 99.9%
1     | > 10 to ≤ 100               | ≥ 10^-2 to < 10^-1                         | > 90% to ≤ 99%
BPCS* | ≤ 10                        | ≥ 10^-1                                    | ≤ 90%

RRF = 1 / PFDavg; PFDavg = 1 / RRF; Safety Availability = 100(1 – PFDavg)%
RRF is used to specify the SIL required; PFDavg is used to specify the SIL achieved

* Basic Process Control System. Table applies to Demand Mode SIFs only.

Safety Lifecycle – IEC 61511 (CDV)

1 Hazard and risk assessment
2 Allocation of safety functions to protection layers
3 Safety requirements specification for the safety instrumented system
4 Design and engineering of safety instrumented system (in parallel: Design and development of other means of risk reduction)
5 Installation, commissioning and validation
6 Operation and maintenance
7 Modification
8 Decommissioning
Spanning all phases:
9 Safety life-cycle structure and planning
10 Management of functional safety and functional safety assessment and auditing
11 Verification
Parties shown alongside the phases: Engineering Contractor (phase 3), SIS Vendor (phase 4), End User (phase 6)


Complying with IEC 61511


Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Random failure rate (PFDavg)
◦ Architectural constraints (hardware fault tolerance)
◦ Systematic capability for each component
◦ Field devices, logic solver, shutdown valves etc.

Not just TÜV certification
◦ Though it helps!

Not just meeting PFDavg target.


Comply Throughout Lifecycle


For the rest of the presentation we’ll follow the SIS lifecycle
What do we need to do to comply at each stage?
See the following example…
◦ Only the main elements of compliance are covered.


1 Hazard and Risk Assessment


Output is a list of hazardous events with their process risk and acceptable risk.

A hazard
[P&ID: 300t LPG tank, level controller LIC-1, pressure safety valve PSV-1, feed and product lines, equipment P-1 and P-2]

A “potential source of harm”
300t of Liquefied Petroleum Gas can potentially cause harm
Hazardous Event Example – BLEVE (video)


Identify Hazardous Events: HAZOP
[P&ID as above, with a high level alarm (H) added to LIC-1]

Node: LPG Tank
Guideword: HIGH LEVEL
Consequence: High Pressure, possible tank rupture & major fire
Existing Controls: Pressure Safety Valve (PSV-1)
New Controls: Add High Level Alarm


Risk
The product of severity and likelihood
[Risk matrix: consequence severity (Minor, Medium, Major) against likelihood of occurrence (LOW, MEDIUM, HIGH)]
“The expected value of loss”


Risk reduction concept
[Diagram, risk increasing from left to right: Residual risk | Acceptable risk | Process risk]
Necessary risk reduction: from process risk down to acceptable risk
Actual risk reduction: from process risk down to residual risk
Partial risk reduction by SIS, partial risk reduction by “other means of risk reduction”
Overall risk reduction achieved by all means


Is risk acceptable?
Hazard: 300t of LPG
Process under control: Level stable
Process deviation or disturbance: Control valve sticks
Process out of control: Level increasing (LAH alarm)
Hazardous situation: High pressure (PSV)
Hazardous event: Vessel fails
Impact / Consequence: 300t of boiling LPG released – likely major fire and fatalities
What is risk? Is it tolerable?


Risk Analysis - Layers of Protection
[Layers of protection diagram, from the process outwards]
Process → Hazardous Situation: 1 per y
Control System (BPCS)
Alarm LAH: x 1 !
Mechanical PSV: x 100
Hazardous Event !! Target: 1 per 10,000y
Risk Reduction Required: x 10,000
Only have x 100 !!
Process


2 Allocation of Safety Functions


Often called SIL Assessment, SIL Analysis or SIL Determination
Output is a list of Safety Instrumented Functions together with their required Safety Integrity Level.

Risk is unacceptable - reduce further
Hazard: 300t of LPG
Process under control: Level stable
Process deviation or disturbance: Control valve sticks
Process out of control: Level increasing (LAH alarm; LZHH trip)
Hazardous situation: High pressure (PSV)
Hazardous event: Vessel fails
Impact / Consequence: 300t of boiling LPG released – likely major fire and fatalities
How do we reduce risk further?


Add a high level trip
[P&ID as above, with high high level trip LZHH-2 and level transmitter LZT-2 added to the 300t LPG tank]

High Level Trip LZHH2 added
◦ Shuts off flow when High High level reached


Layers of Protection – SIL assessment
[Layers of protection diagram, from the process outwards]
Process → Hazardous Situation: 1 per y
Control System (BPCS)
Alarm LAH: x 1 !
SIF LZHH, SIL 2: x 100
Mechanical PSV: x 100
Hazardous Event !! Target: 1 per 10,000y
Risk Reduction Required: x 10,000
SIF must reduce risk by 10,000/100 = 100
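The layer-of-protection arithmetic of the two slides above, as an added Python example that is not part of the presentation: it multiplies the credited risk reduction of the existing layers, compares it with the reduction needed to reach the target frequency, and maps the shortfall to a required SIL via the RRF column of the SIL table. The helper names (lopa, required_sil, lpg_case) are this example's own; the frequencies and layer credits are taken from the slide, and an RRF of exactly 100 is placed in SIL 2 as the slide does.

```python
# Added example (not from the presentation): LOPA arithmetic behind the
# "Layers of Protection" slides for the 300t LPG tank case study.
from math import prod

# Required-SIL bands from the RRF column of the SIL table. Assumption of this
# example: the lower bound is inclusive, so an RRF of exactly 100 is SIL 2,
# matching the slide's worked example.
SIL_RRF_LOWER = [(4, 10_000), (3, 1_000), (2, 100), (1, 10)]


def required_sil(rrf):
    """Smallest SIL whose risk reduction band covers the required RRF (0 = none)."""
    for sil, lower in SIL_RRF_LOWER:
        if rrf >= lower:
            return sil
    return 0  # RRF of 10 or less: BPCS-level risk reduction, no SIF needed


def lopa(initiating_per_year, target_one_in_years, layers):
    """layers: {layer name: risk reduction factor credited}.
    Independent protection layers multiply. Returns
    (required overall RRF, RRF already provided, RRF still needed)."""
    required = initiating_per_year * target_one_in_years
    provided = prod(layers.values())
    needed = required / provided if provided < required else 1.0
    return required, provided, needed


# Constructed from the slide: hazardous situation once per year, target
# hazardous event once per 10,000 years, alarm credited x1, PSV credited x100.
LPG_LAYERS = {"Alarm LAH": 1, "Mechanical PSV": 100}


def lpg_case(layers=LPG_LAYERS):
    """Result for the case study; sif_sil is 0 when no SIF is needed."""
    required, provided, needed = lopa(1.0, 10_000, layers)
    return {"required_rrf": required, "provided_rrf": provided,
            "sif_rrf": needed, "sif_sil": required_sil(needed) if needed > 1 else 0}


if __name__ == "__main__":
    before = lpg_case()
    after = lpg_case({**LPG_LAYERS, "SIF LZHH-2": 100})
    print(f"required x{before['required_rrf']:.0f}, have x{before['provided_rrf']}, "
          f"SIF must provide x{before['sif_rrf']:.0f} -> SIL {before['sif_sil']}")
    print(f"with SIF LZHH-2 added: shortfall x{after['sif_rrf']:.0f} "
          f"-> SIL {after['sif_sil']}")
```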


Safety Integrity Level vs. Risk Reduction (table repeated from above)

Phase 1 & 2 Compliance Achieved!

Target SIL must be specified for each SIF based on hazard and risk analysis
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ random failure rate (PFDavg)
◦ Systematic Capability of each component


3 Safety Requirements Specification - SRS


Defines functional and integrity requirements of SIS
Output is a set of documents ready for detail design.

Safety Requirements Specification


Functional Requirements
◦ desired behaviour of each SIF
◦ behaviour in response to faults
◦ timing requirements
◦ human machine interface
◦ normal and abnormal modes of operation
◦ bypass requirements
◦ etc.

Safety Integrity Requirements
◦ Safety Integrity Level for each SIF
◦ basis for SIL
◦ testing requirements
◦ special requirements to maintain SIL
◦ etc.


Cause-and-Effect Diagram
SIFs commonly documented by Cause and Effect diagrams
Should include required SIL somewhere – examples:
[Cause-and-effect matrix. Cause columns: Tag#, Description, SIF, Instrument Range, Trip Point, Units. Effect columns: OPENS VALVE UV-03C; Set LIC1 to MAN, OP=0; CLOSE VALVE UV-03A; CLOSE VALVE UV-03B; CLOSE VALVE LZV-02]
BS-01 Burner Loss of Flame | 12 | ~ | ~ | X X X
PSL-01 Fuel Gas Pressure Low | ~ | 7 | X X X
LZHH-02 LPG Tank High High Level | 13 | 0-3500 | 3200 | mm | 2 | 0


4 Design and Engineering


SIS vendor or contractor for logic solver
EPC contractor or end-user for field hardware

Standards Compliance (checklist repeated from above)

Types of failures
Random failures – components (“elements”) wear out
◦ use high reliability components
◦ use redundant components
◦ test frequently
◦ automated and/or manual

Systematic failures – human error
◦ redundant components provide no protection!
◦ “techniques and measures” to
◦ avoid faults
◦ detect faults to avoid failures
◦ Functional Safety Management System
◦ quality system for functional safety


Control of systematic failures


For integration of components into a system (SIS):
◦ Functional Safety Management System (FSMS)
◦ for all phases of lifecycle including operation
◦ quality system for SIS
◦ verification, validation, audit and assessment
◦ can comply with either IEC 61511 or IEC 61508

Within each component:
◦ ensure quality design in accordance with IEC 61508
◦ ensure appropriate techniques and measures from IEC 61508 used for the
SIL of the target SIF
◦ measured by the term “systematic capability”
◦ SC 1 to 4 corresponding to SIL 1 to 4
◦ Formerly called “SIL x Capability”
◦ independent certification or “prior use”


Measures to avoid or control failures


Systematic techniques to specify hardware and software requirements
Design requirements
Requirements management techniques
Revision control
Testing techniques
Documentation control
Project management
...


Functional Safety Management System

Quality system with safety aspects
Safety management system that includes:
◦ policy and strategy to achieve safety
◦ responsible persons, departments, organizations
◦ relationship between those responsible and allocation to safety lifecycle phases
◦ selected “techniques and measures”
◦ references to the deliverables
◦ the functional safety assessment process (Functional Safety Assessment Plan)
◦ procedures for ensuring prompt follow-up of actions from hazard and risk analysis, verification, validation etc.
◦ configuration and change management
◦ ...


Competence must be managed

Competence of all involved, including management, shall be managed
◦ engineering knowledge, training and experience appropriate to the
◦ process technology
◦ SIS technology
◦ field devices used
◦ hazard & risk analysis
◦ knowledge of the legal and regulatory requirements
◦ relevant management and leadership skills

Appropriate to the
◦ potential consequence of the event
◦ SIL of the SIF
◦ novelty and complexity of the application and technology

Manage using a procedure and regular assessments
◦ e.g. competency matrix updated at annual performance reviews


SIL Verification
[P&ID as above: LZHH-2 (SIL 2), LZT-2, PSV-1, LIC-1 with high level alarm, 300t LPG tank]

Does the design of SIF LZHH2 meet SIL 2?


Standards Compliance (checklist repeated from above)

Hardware Fault Tolerance


“Architectural constraints” in IEC 61508
Aim is to avoid unrealistic reliability claims
◦ from single components
Using IEC 61508-2 (Route 1H) constrains SIF architecture based on:
◦ Safe Failure Fraction
◦ complexity of device (“Type A” or “Type B”)
◦ target SIL
OR use Table 6 in IEC 61511-1 2016 Ed. 2
◦ simplified, relaxes previous unrealistic restrictions
◦ based on IEC 61508 Route 2H
◦ see next slide
Outcome is required minimum Hardware Fault Tolerance (HFT)
◦ no. of voted devices minus no. required to perform safety function
◦ For MooN architecture, HFT = N - M


Case Study: Hardware Fault Tolerance

HFT per IEC 61511 Ed. 2 Table 6
Radar gauge, smart device assumptions
◦ Diagnostic Coverage > 60%
◦ We know λDU with confidence limit > 70%
◦ SIF operates in Low Demand mode

For SIL 2 min HFT = 0 (see below)
◦ Only one device required

SIL | Mode                      | Minimum required HFT
1   | Any                       | 0
2   | Low demand                | 0
2   | High demand or continuous | 1
3   | Any                       | 1
4   | Any                       | 2


Safe Failure Fraction

Block valve, normally open & normally energized
In case of an out of control process, the valve has to close

[Failure mode diagram with the SFF bracket]
SAFE – closes spontaneously due to loss of energy: Detected (by voltage control) / Undetected
DANGEROUS – stuck at open: Detected (by diagnostics) / Undetected


Architectural Constraints – IEC 61508-2

Table 2: Type A Subsystems e.g. pressure switches
Safe Failure Fraction | HFT 0  | HFT 1  | HFT 2
< 60%                 | SIL 1* | SIL 2* | SIL 3*
≥ 60 < 90%            | SIL 2  | SIL 3  | SIL 4
≥ 90 < 99%            | SIL 3  | SIL 4  | SIL 4
≥ 99%                 | SIL 3  | SIL 4  | SIL 4
* IEC 61511-2003 HFT for field devices. For MooN, N-M = HFT

Table 3: Type B Subsystems e.g. logic solver, smart transmitters
Safe Failure Fraction | HFT 0       | HFT 1  | HFT 2
< 60%                 | Not allowed | SIL 1  | SIL 2
≥ 60 < 90%            | SIL 1*      | SIL 2* | SIL 3*
≥ 90 < 99%            | SIL 2       | SIL 3  | SIL 4
≥ 99%                 | SIL 3       | SIL 4  | SIL 4


Case Study: Architectural Constraints
[P&ID as above: LZHH-2, LZT-2, PSV-1, LIC-1, 300t LPG tank]

Transmitter LZT 2 is a smart radar gauge
Can we use single transmitter to satisfy SIL 2?
Must also check for logic solver and valve


Case Study: Architectural Constraints

Smart Transmitter = Type B device
◦ use Table 3 in IEC 61508-2
Safe Failure Fraction = 91%
◦ from certificate
For SIL 2, required Hardware Fault Tolerance = 0
Therefore one transmitter is ok for SIL 2

Type B Subsystems e.g. logic solver, smart transmitters
Safe Failure Fraction | HFT 0       | HFT 1  | HFT 2
< 60%                 | Not allowed | SIL 1  | SIL 2
≥ 60 < 90%            | SIL 1*      | SIL 2* | SIL 3*
≥ 90 < 99% (LZT 2)    | SIL 2       | SIL 3  | SIL 4
≥ 99%                 | SIL 3       | SIL 4  | SIL 4
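An added Python example, not from the presentation, covering the Safe Failure Fraction, Hardware Fault Tolerance and Architectural Constraints slides: it computes SFF from a failure-rate split, derives HFT from MooN voting, and checks a device against IEC 61508-2 Route 1H Tables 2/3 as reproduced above and against the IEC 61511 Ed. 2 Table 6 minimum HFT. The SFF definition used (safe plus dangerous-detected failures over all failures) and the constructed failure rates are assumptions of this example; the LZT-2 figures (Type B, SFF 91%, SIL 2, low demand) are from the slides.

```python
# Added example (not from the presentation): architectural-constraint check
# for the LZT-2 smart radar gauge (Type B, SFF 91% from its certificate).
import re

# IEC 61508-2 Route 1H Tables 2 (Type A) and 3 (Type B) as reproduced on the
# slides: SFF band -> maximum SIL at HFT 0, 1, 2 (0 = not allowed).
ROUTE_1H = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}
SFF_BAND_EDGES = (0.60, 0.90, 0.99)  # bands: <60%, 60-90%, 90-99%, >=99%


def sff(lambda_sd, lambda_su, lambda_dd, lambda_du):
    """Safe failure fraction (assumed definition): safe failures plus
    dangerous-but-detected failures, as a fraction of all failures."""
    total = lambda_sd + lambda_su + lambda_dd + lambda_du
    return (lambda_sd + lambda_su + lambda_dd) / total


def hft_of(voting):
    """HFT = N - M for a MooN architecture, e.g. 1oo1 -> 0, 1oo2 -> 1, 2oo3 -> 1."""
    match = re.fullmatch(r"(\d+)oo(\d+)", voting)
    if not match:
        raise ValueError(f"not a MooN string: {voting}")
    m, n = int(match.group(1)), int(match.group(2))
    if not 1 <= m <= n:
        raise ValueError(f"M must be between 1 and N: {voting}")
    return n - m


def max_sil_route_1h(device_type, sff_value, hft):
    """Highest SIL the subsystem may claim under Route 1H (0 = not allowed)."""
    band = sum(sff_value >= edge for edge in SFF_BAND_EDGES)
    return ROUTE_1H[device_type][band][min(hft, 2)]


def min_hft_iec61511(sil, mode):
    """IEC 61511 Ed. 2 Table 6 minimum HFT; mode is 'low demand',
    'high demand' or 'continuous' (only matters for SIL 2)."""
    if sil == 2:
        return 0 if mode == "low demand" else 1
    return {1: 0, 3: 1, 4: 2}[sil]


def meets_constraints(device_type, sff_value, voting, target_sil, mode):
    """Conservative check: the voting arrangement must satisfy Route 1H
    and also the IEC 61511 Table 6 minimum HFT for the target SIL."""
    hft = hft_of(voting)
    return (max_sil_route_1h(device_type, sff_value, hft) >= target_sil
            and hft >= min_hft_iec61511(target_sil, mode))


# Constructed failure-rate split (FIT) chosen to give the slide's 91% SFF.
LZT2_RATES = dict(lambda_sd=0, lambda_su=200, lambda_dd=710, lambda_du=90)


def lzt2_single_transmitter_ok():
    """The case-study question: does a single LZT-2 (1oo1) satisfy SIL 2?"""
    return meets_constraints("B", sff(**LZT2_RATES), "1oo1", 2, "low demand")


if __name__ == "__main__":
    print(f"LZT-2 SFF = {sff(**LZT2_RATES):.0%}")
    print("single transmitter satisfies SIL 2:", lzt2_single_transmitter_ok())
    print("single transmitter satisfies SIL 3:",
          meets_constraints("B", sff(**LZT2_RATES), "1oo1", 3, "low demand"))
    print("1oo2 transmitters satisfy SIL 3:",
          meets_constraints("B", sff(**LZT2_RATES), "1oo2", 3, "low demand"))
```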


Standards Compliance (checklist repeated from above)

SIL Verification
[P&ID as above: LZHH-2 (SIL 2), LZT-2, PSV-1, LIC-1 with high level alarm, 300t LPG tank]

What is the calculated “PFDavg” for SIF LZHH-2?


Safety Integrity Level vs. Risk Reduction (table repeated from above)

Case Study: PFD Calculation
[Diagram of SIF LZHH-2: sensor LZT 2 → logic solver LZHH 2 → valve LZV 2]

Test interval = 1 y
Reliability data:
◦ Valve (LZV 2): λDU = 1/20y (= 0.05 y-1)
◦ Logic solver (LZHH 2): λDU = 1/1000y (= 0.001 y-1)
◦ Sensor (LZT 2): λDU = 1/100y (= 0.01 y-1)

PFDavg = λDU x TI / 2
= 0.05 x 1 / 2 = 0.025 for valve
= 0.001 x 1 / 2 = 0.0005 for logic solver
= 0.01 x 1 / 2 = 0.005 for transmitter
Total PFDavg = 0.025 + 0.0005 + 0.005 = 0.0305
Calculated SIL = 1 (PFDavg range 0.01 – 0.1)
Required SIL = 2 Not OK!
How can this be fixed?


Case Study: Adjust Test Interval
[Diagram of SIF LZHH-2: sensor LZT 2 → logic solver LZHH 2 → valve LZV 2]

Test interval = 1 month
Reliability data:
◦ Valve (LZV 2): λDU = 1/20y (= 0.05 y-1)
◦ Logic solver (LZHH 2): λDU = 1/1000y (= 0.001 y-1)
◦ Sensor (LZT 2): λDU = 1/100y (= 0.01 y-1)

PFDavg = λDU x TI / 2
= 0.05 / 12 / 2 = 0.002 for valve
= 0.001 / 12 / 2 = 0.00004 for logic solver
= 0.01 / 12 / 2 = 0.0004 for transmitter
Total PFDavg = 0.002 + 0.00004 + 0.0004 = 0.00244
Calculated SIL = 2 (PFDavg range 0.001 – 0.01)
Required SIL = 2 OK
BUT operations object to monthly testing!


Case Study: Duplicate Block Valves
[Diagram of SIF LZHH-2: sensor LZT 2 → logic solver LZHH 2 → valves LZV 2A and LZV 2B]

Test interval = 1 year
Reliability data:
◦ Valve: λDU = 1/20y (= 0.05 y-1)
◦ Logic solver: λDU = 1/1000y (= 0.001 y-1)
◦ Sensor: λDU = 1/100y (= 0.01 y-1)

For 2 valves 1oo2 voting: PFDavg = 0.0020 (was 0.025)
PFDavg = 0.0020 + 0.0005 + 0.005 = 0.0075
Calculated SIL = 2 (PFDavg range 0.001 – 0.01)
Required SIL = 2 OK
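An added Python example, not from the presentation, working through the three PFD calculations above together with the operations obligation to adjust the test interval to suit: per-element PFDavg = λDU x TI / 2, the series sum, the SIL band lookup from the SIL table, and a search for the longest proof-test interval that still meets SIL 2 with a single valve. The slides give only the 1oo2 result (0.0020); this example assumes the simplified 1oo2 equation with a 5% common-cause factor β, which reproduces that figure, and the helper names are its own.

```python
# Added example (not from the presentation): simplified PFDavg arithmetic for
# the LZHH-2 case study (low-demand SIF, proof-tested every TI years).
from dataclasses import dataclass

# Demand-mode SIL bands from the "SIL vs. Risk Reduction" table:
# SIL -> (lower PFDavg bound inclusive, upper bound exclusive)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass
class Element:
    name: str
    lambda_du: float      # dangerous undetected failure rate, per year
    voting: str = "1oo1"  # "1oo1" or "1oo2" (redundant pair)


def pfd_1oo1(lambda_du, ti):
    """Slide formula: PFDavg = λDU x TI / 2."""
    return lambda_du * ti / 2


def pfd_1oo2(lambda_du, ti, beta=0.05):
    """Simplified 1oo2 equation with a common-cause (beta) term. The slide
    gives only the result (0.0020); beta = 5% is this example's assumption
    and reproduces that figure."""
    lam_ind = (1 - beta) * lambda_du
    return lam_ind ** 2 * ti ** 2 / 3 + beta * lambda_du * ti / 2


def sif_pfd(elements, ti, beta=0.05):
    """Series SIF: sensor, logic solver and final element PFDs add."""
    total = 0.0
    for e in elements:
        if e.voting == "1oo1":
            total += pfd_1oo1(e.lambda_du, ti)
        elif e.voting == "1oo2":
            total += pfd_1oo2(e.lambda_du, ti, beta)
        else:
            raise ValueError(f"unsupported voting {e.voting}")
    return total


def sil_achieved(pfd):
    """Map a calculated PFDavg to the SIL band it falls in (0 = below SIL 1)."""
    if pfd >= 0.1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4  # below 10^-5: beyond the SIL 4 band, report as SIL 4


def rrf(pfd):
    return 1 / pfd


def safety_availability_pct(pfd):
    return 100 * (1 - pfd)


def max_test_interval(elements, target_sil, beta=0.05, ti_max=10.0):
    """Largest TI (years) keeping PFDavg inside the target SIL band;
    bisection, since PFDavg rises monotonically with TI."""
    limit = SIL_BANDS[target_sil][1]
    if sif_pfd(elements, ti_max, beta) < limit:
        return ti_max
    lo, hi = 0.0, ti_max
    for _ in range(60):
        mid = (lo + hi) / 2
        if sif_pfd(elements, mid, beta) < limit:
            lo = mid
        else:
            hi = mid
    return lo


# Reliability data from the slides (failure rates per year).
CASE = [Element("LZT-2 sensor", 0.01), Element("LZHH-2 logic solver", 0.001),
        Element("LZV-2 valve", 0.05)]
CASE_DUP_VALVES = CASE[:2] + [Element("LZV-2A/2B valves", 0.05, "1oo2")]

if __name__ == "__main__":
    for label, elems, ti in [("annual test", CASE, 1.0),
                             ("monthly test", CASE, 1 / 12),
                             ("1oo2 valves, annual test", CASE_DUP_VALVES, 1.0)]:
        p = sif_pfd(elems, ti)
        print(f"{label}: PFDavg={p:.5f} RRF={rrf(p):.0f} "
              f"availability={safety_availability_pct(p):.2f}% SIL {sil_achieved(p)}")
    print(f"max TI for SIL 2 with a single valve: {max_test_interval(CASE, 2):.2f} y")
```

The slide rounds each monthly-test term and reports 0.00244; unrounded the total is 0.00254, in the same SIL 2 band.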


Standards Compliance (checklist repeated from above)

How likely is it that each component is free from systematic faults (“bugs”)?


Control of systematic failures (slide repeated from above)


Case Study: Transmitter Selection


Must control systematic faults
Transmitter selected must comply with IEC 61508 and IEC 61511
Must either:
be designed and manufactured in accordance with IEC 61508
◦ confirmed by independent certificate (e.g. by a “TÜV” or exida)
◦ Systematic Capability from 1 to 4
◦ i.e. techniques and measures are suitable for SIL 1 to 4

OR
meet requirements for Prior Use (or “proven in use”):
◦ sufficient experience gained in a comparable application

Best practice: require BOTH prior use and certification


Component Certification
An independent organisation certifies that the component meets the requirements of IEC 61508 for a particular SIL
◦ not only “TÜV”!!!

Parts 2 and 3 contain numerous “techniques and measures” required to avoid and control faults
◦ the rigour required increases with SIL

The aim is to reduce the likelihood of systematic faults to an acceptably low level relative to the SIL
The result is expressed as “Systematic Capability” or SC from 1 to 4
◦ corresponding to SIL 1 to 4
◦ was previously called “SIL Capability”

The certificate also usually includes failure data and whether the component is “Type A” or “Type B”
◦ details are in a companion report


Transmitter TÜV Certificate
[certificate image]

Transmitter TÜV Certification
[certificate image]

Prior Use (IEC 61511)

Requires that appropriate evidence is available that the component is suitable based on consideration of:
◦ the manufacturer’s quality systems
◦ adequate identification of the devices
◦ demonstration of performance in similar operating environments
◦ the volume of operating experience

Focus is on demonstrating freedom from systematic faults

IEC 61508 term is “Proven in Use”
◦ more rigorous requirements


Standards Compliance (checklist repeated from above)

Design now complies

5 Installation, Commissioning, Validation


Logic Solver installed with field equipment
Includes loop checking, validation and final functional safety assessment.

Standards Compliance (checklist repeated from above)

Verification, Validation, Functional Safety Assessment

Case Study: Verification and Validation

Project Verification and Validation Plan required
◦ Consider level of independence required (i.e. independent engineer)
◦ Define responsibilities

Verify each phase e.g.
◦ Safety Requirements Specification
◦ Verify hardware design documents
◦ Verify functional specifications etc.
◦ Implement code walkthrough
Logic Solver Factory Acceptance Test
◦ Complete integration test validates application software on target hardware
Logic Solver Site Acceptance Test
◦ Power up test on site
Safety Function Testing
◦ SIS validation
Functional Safety Assessment
Note that terminology is from the ISO 9000 discipline
◦ Some disciplines swap the meanings of “verification” and “validation”!


Verification... build the product right

“activity of demonstrating for EACH PHASE of the relevant safety life cycle by analysis and/or tests, that, for specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase” (IEC 61511 3.2.92)

Performed progressively throughout the lifecycle


Validation... build the right product


“activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration after installation meets in all respects the SAFETY REQUIREMENTS SPECIFICATION” (IEC 61511 3.2.91)
Performed prior to introducing the hazards to the process
Can take credit for software validation in Factory Acceptance Test CDV


Functional Safety Audit

“A systematic and independent examination to determine whether the PROCEDURES specific to the functional safety requirements comply with the planned arrangements, are implemented effectively and are suitable to achieve the specified objectives”.

(IEC 61508-4 Ed.2 3.8.4 and IEC 61511-2003 3.2.27)

For either an organisation or a project


Functional Safety Assessment


“investigation, based on evidence,
to JUDGE the functional safety achieved
by one or more protection layers”
(IEC 61511 3.2.26)
Judgement based on evidence
At least one required prior to hazard introduction, but may be progressive
Independence required
◦ Increases with SIL (IEC 61508)


6 Operations, Maintenance and Modification


The Cinderella Phases !
User must follow a Functional Safety Management System for the life of the SIS.

Ops and Maintenance Obligations

Train operators & maintainers
Proof test each SIF at specified interval
Monitor design assumptions
◦ demand rates
◦ component reliability
Adjust test interval to suit
Control modifications
Ensure Maintenance and Operational Overrides are used as designed
Monitor and promptly follow-up diagnostics


Case Study: Operation and Maintenance
[Layers of protection diagram as above: Process → Hazardous Situation 1 per y; Control System (BPCS); Alarm LAH; SIF LZHH SIL 2 x 100; Mechanical PSV x 100; Hazardous Event !! Target 1 per 10,000y; Risk Reduction Required x 10,000]

Risk analysis assumed:
◦ demand on SIF once per year
◦ what happens in practice?
SIL verification assumed:
◦ transmitter failure rate 0.01 y-1
◦ what happens in practice?
Etc etc . . .
Must verify actual performance against assumptions and adjust testing as required
Documentation of assumptions is critical
[P&ID as above: LZHH-2, LZT-2, PSV-1, LIC-1, 300t LPG tank]


Summary 1 – The SIS Lifecycle
[Safety lifecycle diagram repeated from above: phases 1 to 8 in sequence, with 9 safety life-cycle structure and planning, 10 management of functional safety and functional safety assessment and auditing, and 11 verification spanning all phases; Engineering Contractor, SIS Vendor and End User shown alongside phases 3, 4 and 6]

Summary 2 – Requirements
Target SIL must be specified for each SIF based on hazard and risk assessment
Processes for SIS throughout lifecycle must comply
Each SIF must meet target SIL requirements for:
◦ Hardware Fault Tolerance (architectural constraints)
◦ random failure rate (PFDavg)
◦ Systematic Capability of each component.

Not just TÜV certification
◦ though it helps!

Not just meeting PFDavg target

Don’t forget spurious trip rate!


Need more?
IICA runs the following courses:
TÜV Rheinland Functional Safety Engineer course
◦ For those with 3+ years experience in functional safety
◦ Leads to Functional Safety Engineer (TÜV Rheinland) qualification
◦ Sydney 16-20 October 2017
◦ Melbourne June 2018 (exact date set Dec 2017)

ISA One-day Introduction to SIS
◦ runs on request

If interested please email training@iica.org.au


Questions?
