PAE2 Functional Safety Course en r0


Functional Safety

HAZOP

Author:
Árpád POZSGAI
Functional Safety Professional

PROCOPLAN Ltd.

About us
Our company, ProCoPlan Ltd., was established in 1998 by former members of the
Instrumentation Design and Software Engineering Group of the Hungarian Oil and Gas Plc –
Danube Refinery’s Instrumentation & Automation Department.
Presently we work with 18 colleagues: 17 of them are engineers and one is a
draftswoman, who is also our office manager.
The members and employees are highly qualified in automation, process control, electronics,
electrical, mechanical and telecommunications engineering, with around 5 – 30 years of
experience in instrumentation, measurement and control technology and functional safety in
applications for the different fields of industry.
We are familiar with designing for industrial facilities where an explosive atmosphere is present
or could occur (e.g. Oil & Gas or Chemical Industry, Power Plants etc.).
Among our colleagues you can also find experts specialized in some of the following areas:
• Burner Management Systems (BMS), Compressor Control Systems, Metering Stations (for
Custody Transfer), Tank Gauging Systems (for Inventory Systems), Rail Car, Truck or Barge
loading systems, Boiler and Steam Generator, Turbine
• For the most up-to-date process control or safety systems, such as: DCS system (Emerson,
Honeywell, Yokogawa etc.), PLC + SCADA, Field Bus Systems (FFB, Profibus etc.),
Wireless Measuring Systems, Safety Instrumented Systems (SIS) complying with IEC 61508
and 61511.
• Functional Safety activity: HAZOP, LOPA, FMEA, SRS, SIL verification
PAE 2. 2 Functional Safety
Safety Principles
Fundamental Safety Principles establishes principles for ensuring the protection of
workers, the public and the environment, now and in the future, from harmful
effects of ionizing radiation.


Abbreviations
• BPCS: Basic Process Control System
• DC: Diagnostic Coverage
• DCS: Distributed Control System
• EUC: Equipment Under Control
• H&RA: Hazard and Risk Analysis
• HFT: Hardware Fault Tolerance
• LS: Logic Solver
• MooN: M out of N voting arrangement
• MOS: Maintenance Override Switch
• MTTF: Mean Time To Failure
• MTTR: Mean Time To Repair
• MTBF: Mean Time Between Failures
• PFDavg: Average Probability of Failure on Demand
• PFH: Probability of Failure per Hour (average frequency of dangerous failure)
• POS: Process Override Switch
• SC: Systematic Capability
• SIF: Safety Instrumented Function
• SIL: Safety Integrity Level
• SIS: Safety Instrumented System
• SFF: Safe Failure Fraction
• SLC: Safety Life Cycle
• SRS: Safety Requirement Specification
• RR(F): Risk Reduction (Factor)
• TI: Proof Test Interval
Directives, regulations and standards

(Diagram: PED Directive, Machinery Directive, MSZ / EN standards, OAH, IAEA)

Directives and Standards in EU and Hungary

(Diagram: European Union (EU) issues Directives, which are mandatory. Directives reference EN standards, which are normative (or informative). Standards bodies in the chain: IEC, CENELEC, MSZT.)


Directives (EU)

• PED Pressure Equipment Directive [2014/68/EU]
• Machinery Directive [2006/42/EC]
• Seveso II Directive [96/082/EEC]
• ATEX Directive [1999/92/EC]
• EMC Directive [89/336/EEC]

New Approach:
The European Union adopts legislation (EU Directives) that defines essential
requirements, in relation to safety and other aspects of public interest, which
must be satisfied by products and services sold in the European Single Market.
The European Commission issues standardization requests (Mandates) to the
European Standardization Organizations (CEN, CENELEC and ETSI), which are
responsible for preparing the technical standards and specifications that facilitate
compliance with these essential requirements.

PED Directive (2014/68/EU) 1.

ANNEX I: ESSENTIAL SAFETY REQUIREMENTS:
2. The essential safety requirements laid down in this Directive are
compulsory.
3. The manufacturer is under an obligation to analyse the hazards
and risks in order to identify those which apply to his equipment on
account of pressure; he shall then design and construct it taking
account of his analysis.
2. DESIGN, 2.1. General:
The pressure equipment shall be properly designed taking all relevant
factors into account in order to ensure that the equipment will be
safe throughout its intended life.
2.3. Provisions to ensure safe handling and operation
The method of operation specified for pressure equipment shall be such
as to preclude any reasonably foreseeable risk in operation of the
equipment.


PED Directive (2014/68/EU) 2.
ANNEX I: ESSENTIAL SAFETY REQUIREMENTS:

2.11. Safety accessories

2.11.1. Safety accessories shall:
• be so designed and constructed as to be reliable and suitable for their
intended duty and take into account the maintenance and testing
requirements of the devices, where applicable,
• be independent of other functions, unless their safety function
cannot be affected by such other functions,
• comply with appropriate design principles in order to obtain suitable
and reliable protection. These principles include, in particular, fail-safe
modes, redundancy, diversity and self-diagnosis.

Machinery Directive 2006/42/EC

ANNEX I: Essential health and safety requirements relating to the
design and construction of machinery
GENERAL PRINCIPLES
1. The manufacturer of machinery or his authorised representative must
ensure that a risk assessment is carried out in order to determine the
health and safety requirements which apply to the machinery. The
machinery must then be designed and constructed taking into account the
results of the risk assessment…
• determine the limits of the machinery, which include the intended use
and any reasonably foreseeable misuse thereof,
• identify the hazards that can be generated by the machinery and the
associated hazardous situations,
• estimate the risks, taking into account the severity of the possible injury
or damage to health and the probability of its occurrence,
• evaluate the risks, with a view to determining whether risk reduction is
required, in accordance with the objective of this Directive,
• eliminate the hazards or reduce the risks associated with these
hazards by application of protective measures, in the order of priority
established in section
Seveso II Directive
Aim
This Directive is aimed at the prevention of major accidents which
involve dangerous substances, and the limitation of their
consequences for man and the environment, with a view to ensuring
high levels of protection throughout the Community in a consistent
and effective manner.

General obligations of the operator:

Member States shall ensure that the operator is obliged to take all
measures necessary to prevent major accidents and to limit their
consequences for man and the environment.

"all measures necessary" = Standards shall be used!

Standards are not mandatory; their use is voluntary.

(If the chosen solution differs from the solution required in the standard, it shall be proven
that the chosen solution is equivalent to or better than the solution required in the standard.)

IAEA Safety Standards

Requirement 4: Purpose of the safety assessment

The primary purposes of the safety assessment shall be to
determine whether an adequate level of safety has been
achieved for a facility or activity and whether the basic
safety objectives and safety criteria established by the
designer, the operating organization

SAFETY ANALYSIS
Requirement 14: Scope of the safety analysis:
4.50. The consequences arising from all conditions in normal operation (including
startup and shutdown, where appropriate) and the frequencies and
consequences associated with all anticipated operational occurrences and
accident conditions shall be addressed in the safety analysis.


The main issues

What are the potential hazardous events and their associated risks, and
what risk reduction is necessary to achieve an acceptably safe process
installation?

How can it be established and confirmed that the safeguarding
measures/equipment realize the required risk reduction?

What activities need to be carried out to guarantee that this safety
integrity level is maintained during the entire lifetime of the
safeguarded process installation?

How can it be proven at any moment, by proper documentation, that the
safety requirements are met?

Functional Safety Standards

• EN 61508-1..7 – Functional Safety of Electrical/Electronic/Programmable
Electronic Safety Related Systems
• EN 61511-1..3 – Functional Safety: Safety Instrumented Systems for the
Process Industry Sector
• EN 61513 – Nuclear power plants. Instrumentation and control important
to safety. General requirements for systems
• EN 62061 – Safety of machinery. Functional safety of safety-related
electrical, electronic and programmable electronic control systems
• EN 61511 (MOD.) IS A WORLDWIDE STANDARD:
• ISA S84.01 – Application of Safety Instrumented Systems for the Process
Industries.
• JIS C 0511 – Functional safety: Safety instrumented systems for the process
industry sector – Part 1: Framework, definitions, system, hardware and
software requirements

Note: EN 61508 is not referred to by any EC Directive.


Safety standards

Safety Standards:
• EN 61508-1..7: manufacturers of safeguarding equipment (sub-systems) for
all industrial sectors (except the nuclear industry)
• EN 61511: end-users and system integrators in the process industry
• EN 61513: nuclear power plants
• EN 62061: machinery
• Other sector-specific standards, e.g. railway: EN 62279

Functional Standards, e.g. Burner Management Systems:
EN 676, EN 12952-8, EN 746-1, EN 746-2, EN 298, EN 1643, EN 230, EN 50156-1

Directive vs. Standards

EN 61508 does not have the status of a harmonized European standard, and is
not referred to by any EC Directive.

Although EN 61508 is a European Standard, it does not have the status of a
harmonised European standard in relation to any EC product directive and it is
not therefore listed in the EC Official Journal. However, this does not prevent
compliance with relevant parts of EN 61508 being used to support a declaration
of conformity with an EC product directive, if that is appropriate. But because EN
61508 is not a harmonised European standard, compliance with it does not
provide a presumption of conformity with any directive. It would therefore be
necessary to explain in the product's technical file how compliance with EN
61508 is being used to support compliance with specific essential requirements
of the particular directive.

Note: EN 62061 is a harmonized European standard under the 98/37/EC
Machinery Directive (an EC product directive) and will become a harmonized
European standard under the 2006/42/EC Machinery Directive.


Typical Safety Instrumented Systems
• Machinery Protection System
• Emergency Shutdown System – ESD:
• Gas breakthrough protection
• Overfill protection (for tanks)
• High Integrity Pressure Protection System – HIPPS
• Fire & Gas
• Protection of rotating machines (compressors, pumps etc.)
• Burner Management System

EN 61511-1, 2, 3

Functional safety – Safety instrumented systems for the process industry sector

Part 1: Framework, definitions, system, hardware and software requirements
(Normative)

Part 2: Guidelines in the application of part 1
(Informative)

Part 3: Examples of methods for determining safety integrity in the application of
hazard & risk analysis
(Informative)


EN 61511 Safety Lifecycle

(Diagram of the EN 61511 safety life-cycle phases:)
1. Hazard and risk assessment
2. Allocation of safety functions to protection layers
3. Safety requirements specification for SIS
4. Design and engineering of SIS (in parallel: design and development of other
means of risk reduction)
5. Installation, commissioning and validation
6. Operation and maintenance
7. SIS modification
8. Decommission
9. Verification
10. Management of functional safety and functional safety assessment and auditing
11. Safety life-cycle structure and planning

EN 61511 Safety Lifecycle

Analysis phase: Determination of safety requirements
Activities:
• To determine the hazards of the process, the sequence of events leading to the
hazardous event, the requirements for risk reduction and the safety functions
required to achieve the necessary risk reduction
• Allocation of safety functions to protection layers and, for each safety
instrumented function, the associated safety integrity level
• Safety Requirements Specification (SRS): To specify the requirements for each
SIS, in terms of the required safety instrumented functions and their associated
safety integrity, in order to achieve the required functional safety

(Lifecycle diagram as above)


EN 61511 Safety Lifecycle

Realization of Safety Instrumented System
Activities:
• To design the SIS to meet the requirements for safety instrumented functions
(SIF) and safety integrity (SIL). Design of the SIS in conformance with the SIS
safety requirements specification (SRS)
• SIS installation: Fully functioning SIS in conformance with the SIS design,
results of SIS integration tests (FAT, SAT). To validate that the SIS meets in all
respects the requirements for safety in terms of the required safety instrumented
functions (SIF) and the required safety integrity level (SIL)

(Lifecycle diagram as above)

EN 61511 Safety Lifecycle

Operation of Safety Instrumented System
Activities:
• To ensure that the functional safety of the SIS is maintained during operation
and maintenance (Test….Test…Test…)
• To make corrections, enhancements or adaptations to the SIS, ensuring that the
required safety integrity level is achieved and maintained (MoC: Management of
Change)

(Lifecycle diagram as above)


EN 61511 Safety Lifecycle

Verification
Activities:
• To test and evaluate the outputs of a given phase to ensure correctness and
consistency with respect to the products and standards provided as input to that
phase

(Lifecycle diagram as above)

EN 61511 Safety Lifecycle: Verification

Verification methods per safety life cycle phase (columns of the original table:
Demonstration, Simulation, Inspection, Checklist, Analysis, Review, Audit, Test; the
marks are listed per phase as they appear, the column each mark falls in is not shown here):
• Define safety lifecycle: HR HR
• Hazard and risk analysis: HR HR
• Allocation of SIF to protection layers: HR HR HR
• Safety Requirements Specifications (SRS): HR HR HR
• SIS design and engineering: HR HR HR HR
• SIS installation, commissioning: HR HR HR HR HR
• SIS validation: HR HR HR HR HR HR HR
• SIS operation and maintenance: HR HR HR
• SIS modification: HR HR R R HR HR R
• Decommissioning: HR HR R R
• SIS functional safety assessment: HR HR HR

Responsibility matrix (Example):
Description of Responsible | Name / Company | Responsibility
Customer / End-user | MOL Co. | I
HSE Representative | MOL Co. | P/R
Main Contractor | OTF | I
Process Designer / Licensor | Haldor Topsoe | P/R
Process Designer | OLAJTERV | P/R
Functional Safety Engineer / SIS specialist | PROCOPLAN | L / V*
Plant Operation | MOL Co. Refinery | P/R
SIS Detail Designer | OLAJTERV / YEW / PCP | I
SIS Vendor | YOKOGAWA | -
SIS Installer | OTF | -
SIS Maintenance | PETROSZOLG | -
Functional Safety Assessor | SIL4S | FSA

NR: Not recommended, R: Recommended, HR: Highly recommended; L: Lead, P: Participate,
R: Review, A: Approval, I: Inform, V: Verify, FSA: Functional Safety Assessment

(Lifecycle diagram as above)


EN 61511 Safety Lifecycle: Safety Book

Safety Book contents per lifecycle phase (Example):
• Management of functional safety: Safety Plan, Responsibility Matrix
• Hazard and risk assessment (H&RA): HSE report, HAZOP report, LOPA report
(preliminary), PFD, P&ID + IPL, with SIFs
• Allocation of safety functions to protection layers: LOPA report, C-E Matrix,
Trip diagram
• Safety requirements specification for SIS: Safety Requirements Specification
(SRS), SIF components specifications
• Design and engineering of SIS: Detail design of SIS, Application software design,
Operation Manual, Maintenance Manual, Test protocol, FAT/SAT protocol,
Validation Plan
• Installation, commissioning and validation: FAT/SAT report, Validation plan,
As built plans
• Operation and maintenance: Test report
• SIS modification: HAZOP report (modified), SRS, Detail design (mod.)
• SIS decommissioning: HAZOP report (modified), Detail design
(decommissioning plan)

Definitions
• Hazard: potential source of harm
• Harm: physical injury or damage to the health of people, either directly
or indirectly, as a result of damage to property or to the environment
• Risk: combination of the frequency of occurrence of harm and the
severity of that harm
• Tolerable risk: risk which is accepted in a given context based on the
current values of society
• Safety: freedom from unacceptable risk
• Safe state: state of the process when safety is achieved
• Safety integrity: average probability of a safety instrumented system
satisfactorily performing the required safety instrumented functions
under all the stated conditions within a stated period of time
• Safety Integrity Level (SIL): discrete level (one out of four) for specifying
the safety integrity requirements of the safety instrumented functions to
be allocated to the safety instrumented systems.



Risk
Safety integrity of protection layers shall meet the
required risk reduction!

Risk = Severity x Frequency

(Diagram: consequence (severity) of the hazardous event against frequency of
the hazardous event. Starting from the EUC risk, the non-SIS risk reduction
(BPCS), the Safety Instrumented System and other safety systems bring the
risk down to the tolerable risk; the distance between the EUC risk and the
tolerable risk is the required risk reduction.)

Reduce risks to acceptable levels

(Risk matrix: Hazard Class (Minor / Medium / Major) against Frequency of
occurrence (LOW / MEDIUM / HIGH). The high-class, high-frequency corner holds
unacceptably high risks; the low-class, low-frequency corner acceptably low risks.)

Reduce the frequency of occurrence: Prevention

(Risk matrix as above; prevention layers PL1..PL4 move a scenario towards a lower
frequency of occurrence.)

Reduce the severity of consequence: Mitigation

(Risk matrix as above; mitigation layers ML1..ML4 move a scenario towards a lower
hazard class.)

Reduce the severity of consequence

(Risk matrix as above, combining prevention layers PL1, PL2 with mitigation
layers ML1, ML2.)

Tolerable risk

Intolerable region: Risk cannot be justified except in extraordinary
circumstances.

The ALARP or tolerability region (risk is undertaken only if a benefit is
desired): Tolerable only if further risk reduction is impracticable or if its
cost is grossly disproportionate to the improvement gained
(As Low As Reasonably Practicable).

Broadly acceptable region: It is necessary to maintain assurance that risk
remains at this level (no need for detailed working to demonstrate ALARP).

Negligible risk


Typical Risks
Risk | Description
5*10^-2 | Risk of smoking
10^-2 | Risk of average illness
R > 10^-3 | Not acceptable
1.3*10^-4 | Road accident
10^-4 | ALARP
10^-4 – 10^-3 | Work accident (mining)
1*10^-4 | Average work accident
10^-5 – 10^-4 | Work accident (refinery)
10^-5 | ALARP
10^-6 – 10^-5 | Work accident (light industry)
R < 10^-6 | Acceptable by average individual
10^-7 – 10^-6 | Risk of lightning

Risk Criteria

(Diagram: Individual Risk on a scale from 1.0E-3 down to 1.0E-8 per year, with
the labels: 1.0E-4: Not acceptable; 1.0E-5: ALARP (CDF); 1.0E-6 (LRF);
1.0E-7: Acceptable; design intent marked.)

Note: EN 61511 / 61508 does not define tolerable risk. Tolerable risk
for harm to people must be defined by the corporate body.
Layers of protection

(Diagram: the Independent Protection Layers (IPL) around the process, with the
I&C defence-in-depth levels DiD-1 to DiD-5 marked alongside, DiD-1 being the
process design; example tag LAH-1:)
• Process design
• IPL1: Control and monitoring: BPCS, monitoring system
• IPL2: Prevention: process alarm + operator’s action
• IPL3: Prevention: Safety Instrumented System (SIS)
• IPL4: Mitigation: mechanical protection system (PSV); mitigation Safety
Instrumented System
• Plant emergency response: evacuation
• Community emergency response: broadcasting

Safety is BEST achieved by inherently safe design!

Protection Layers

(Diagram: the process variable (PV) rising from low level through normal
operation to high level, and the layer that acts at each level:)
• BPCS (DCS): normal operation, control of the process variable
• Alarm high (AH): BPCS alarm + operator’s response
• Trip level (HH): safety action of the SIS (ESD)
• Mechanical protection
• BANG: the hazardous event, when every layer has failed


Protection Layers

(Diagram: risk against the protection layers IPL1 .. IPL6. Starting from the
initial risk without protection, each layer removes a share: risk reduction by
process design, by BPCS (DCS), by alarm & operator’s response, by SIS, by
mechanical protection, and other risk reduction. Together they form the total
risk reduction, which must bring the risk below the acceptable risk; what
remains is the residual risk.)

Preventive and mitigation Protection Layers

PREVENTION (from the initiating event to the hazardous event):
• Process design
• BPCS (DCS) control
• Alarm + operator supervision
• SIS (ESD)
• Mechanical protection
MITIGATION (from the hazardous event to the accident):
• Physical protection
• Plant emergency response
• Community emergency response
• Country emergency response

(Diagram: initiating events 1, 2 and 3 pass through their protection layers
(PL 1A..1D, PL 2B, 2C, PL 3A, 3C, 3D) to the hazardous event; from there the
mitigation layers (ML 1A, 1B, ML 2A) lead to consequences 1 to 4. The I&C
defence-in-depth levels DiD-2 to DiD-5 are marked beneath. Example tag: LAH-1.)

SCENARIO = FROM INITIATING EVENT TO CONSEQUENCE
TYPE OF RISK

(Diagram: a cause in the system leads to an incident (failure), a hazard, and an
accident or environmental accident; the consequences are grouped by type of risk:)
• consequence for persons
• consequence for the population
• consequence for the environment
• consequence for the economy

PROCESS HAZARD ANALYSIS

HOW TO IDENTIFY THE HAZARDS?
USEFUL ANALYSIS TECHNIQUES:
• QRA: Quantitative Risk Assessment
• Checklist Analysis
• What If Analysis
• What If Analysis + Checklist Analysis
• Hazard and Operability Analysis: HAZOP
• Failure Mode and Effects Analysis: FMEA
OTHER PROCEDURES:
• Event Tree Analysis: ETA
• Fault Tree Analysis: FTA


Origin of HAZOP

Bert Lawley

• Published by Bert Lawley in 1974
• Aim: systematic checking of P&IDs

Flowsheet of HAZOP
0. Data gathering
HAZOP:
1. Partition of process
2. Intentions of design
3. Determine deviations (parameter + guideword)
4. Determine causes + frequency
5. Determine consequences + severity
6. Identify protections, safeguards
7. Recommendations, actions
8. Documentation
Finish? (NO: loop back)
RISK ASSESSMENT

Applied software: DYADEM PHA-Pro7
Aims of HAZOP
Hazard & Risk Analysis:
• identification of the hazards and hazardous events (emergency situations)
inherent in the process and its associated equipment as well as of the
sequence of events leading to an emergency, the process risks related to
emergencies, the requirements of risk reduction and the safety functions
necessary for achieving the required level of risk reduction.
Objective of the HAZOP:
• The hazard & operability (HAZOP) analysis is the structured and
systematic investigation of some planned or existing technological
process or operation with the purpose of identifying and evaluating all
problems which may pose risks in respect of the personnel, the
environment or equipment or may hinder the efficient operation of the
process system. The HAZOP study is aimed at the discovery of potential
deviations from the intention of the design as well as the investigation of
the possible causes of these and the assessment of the consequences.
Applied standard:
IEC 61882: Hazard and operability studies (HAZOP studies)


HAZOP glossary
HAZOP worksheet entries:
• Node / subnode: A node is a specific location in the process in which
(the deviations of) the design/process intent are evaluated. (e.g.
separators, heat exchangers, scrubbers, pumps, compressors, and
interconnecting pipes with equipment.)
• Design Intent: The design intent is a description of how the process is
expected to behave at the node; this is qualitatively described as an
activity (e.g., feed, reaction, sedimentation) and/or quantitatively in the
process parameters, like temperature, flow rate, pressure etc.
• Deviation: A deviation is a way in which the process conditions may
depart from their design/process intent.
• Parameter: The relevant parameter for the condition(s) of the process
(e.g. pressure, temperature, composition).
• Guideword: A short word that prompts the imagination of a deviation from the
design/process intent. The most commonly used set of guide-words
is: no, more, less, as well as, part of, other than, and reverse.
Deviation = Parameter + Guideword
HAZOP glossary
HAZOP worksheet entries:
• Cause: The reason(s) why the deviation could occur
• Consequence: The results of the deviation, in case it
occurs. Consequences may both comprise process
hazards and operability problems, like plant shut-down or
reduced quality of the product. Several consequences may
follow from one cause and, in turn, one consequence can
have several causes
• Safeguard: Facilities that help to reduce the occurrence
frequency of the deviation or to mitigate its consequences.


HAZOP members

Practically, the following members should be present as participants in the
HAZOP procedure:
• HAZOP team leader (PROCOPLAN Ltd)
• HAZOP secretary (PROCOPLAN Ltd)
• Operator
• Maintenance experts of the process unit
• Functional Safety Engineer (FSE) and/or SIS expert (PROCOPLAN Ltd)
• Technologist
• HSE


HAZOP leader
HAZOP leader responsibilities:
• Defines the method and scope of the analysis
• Plans and schedules the HAZOP study
• Ensures the data supply reaches the members
• Explains the applied guide-words and technological parameters
• Leads the team in the HAZOP analysis
• Ensures the results and recommendations are documented
• Ensures that the study is completed on time and follows the progress
of the HAZOP study
• Ensures that the analysis fully covers the process
• Prepares the HAZOP sheets and handles the HAZOP program
• Makes a report about the comments and notices
• Documents the determined hazards, identified problems and
recommendations
• Prepares the draft HAZOP report

HAZOP guidewords
The basic HAZOP guide-words are:
Guide Words | Meaning
No (not, none) | None of the design intent is achieved
More (more of, higher) | Quantitative increase in a parameter
Less (less of, lower) | Quantitative decrease in a parameter
As well as (more than) | An additional activity occurs
Part of | Only some of the design intention is achieved
Reverse | Logical opposite of the design intention occurs
Other than (other) | Complete substitution, another activity takes place
Early / late | The timing is different from the intention
Before / after | The step (or part of it) is effected out of sequence
Faster / slower | The step is done / not done with the right timing
Where else | Applicable for flows, transfer, sources and destinations
Typical HAZOP guidewords in use
Set of HAZOP deviations in use (Example). The original table also marks, for each
deviation, the node / subnode types it applies to (column, vessel, heat exchanger,
pipeline, pumps); that marking is not reproduced here.
Parameter | Guideword | Deviation
Pressure | Low | Low Pressure
Pressure | High | High Pressure
Flow | No | No Flow
Flow | Low / No | Low/No Flow
Flow | High | High Flow
Flow | Reverse | Reverse Flow
Flow | Other / differ / as well as | Other Flow
Level | No | No Level
Level | Low / No | Low/No Level
Level | High | High Level
Phase level | Low | Low Phase level
Phase level | High | High Phase level
Temperature | Low | Low Temperature
Temperature | High | High Temperature
Composition | Low | Low Composition
Composition | High | High Composition
Composition | Other / differ / as well as | Other Composition
Leakage | – | Leakage
Rupture | – | Rupture

HAZOP documentation
Input documentation:
• Process Flow Diagram (PFD)
• Piping and Instrumentation Diagram (P&ID)!
• Detailed technological description
• Operational manual
• Safety Material Data Sheets (SMDS)
• Risk criteria for people, public, business and environment. Tolerable
risks (part of the HSE policy)
• Logic Narrative, ESD system description
• Cause and Effect matrix (C&E)!
Output documentation:
• Introduction, methodology
• System definition and limitation
• Documents (on which the analysis is based)
• Methodology
• Team members, sessions, attendance
• HAZOP report
• HAZOP recommendations


HAZOP input documentation: P&ID (Example; figure not reproduced)

HAZOP input documentation: Cause and Effect diagram / C&E matrix (Example; figure not reproduced)

HAZOP worksheet 1. (figure not reproduced)

HAZOP worksheet 2. (figure not reproduced)

HAZOP worksheet 3. (figure not reproduced)

HAZOP worksheet 4.
Worksheet (figure) with the frequency columns: Enabled Initial Event Frequency, Initial Event Frequency, Unmitigated Event Frequency, Mitigated Event Frequency, Tolerable Event Frequency, Risk Reduction Factor.

HAZOP worksheet 5.
Worksheet (figure)

HAZOP & LOPA

Relationship between the HAZOP columns and the LOPA columns (figure):

HAZOP:
• Deviation
• Causes
• Consequences
• Severity of consequence
• Risk ranking (FSQA risk matrix)
• Existing protection
• Proposed protection
• SIL? Safety Requirement Specification (SRS)

LOPA:
• Initiating event
• Frequency of initiating event (cause frequency)
• BPCS (DCS, PLC) IPL & PFD
• Alarm + operator's action IPL & PFD
• SIS (ESD) IPL & PFD
• Mechanical protection IPL & PFD
• Severity of consequence
• Tolerable event frequency (FSQA)
• Mitigated event frequency


Frequency of the initial causes

Determination of the frequency of the initial causes (by qualitative method), example:

Category | Probability | Definition
0 | Negligible, extremely improbable | An occurrence unknown in the industry, not expected during the life-cycle of the equipment.
1 | Improbable (> 20 years) | Has occurred in the industry, not yet at known unit sites, but may occur during the life-cycle of the equipment.
2 | Possible (4 - 20 years) | Has occurred at known unit sites and may occur a few times during the life-cycle of the equipment.
3 | Probable (1 - 4 years) | Has occurred several times in a year at known unit sites and may occur several times during the life-cycle of the equipment.
4 | Frequent (< 1 year) | May occur several times in a year at a given location.

Consequences affecting people (PERS)

Consequences affecting the health and safety of people (example):

Category | Consequence | Definition
A | Slight injury & harm to health (first-aid) | Capacity to work not affected, no lost time caused (first-aid, medical attention).
B | Major injury (accident) & harm to health | Temporary (less than 3 days) loss of capacity to work. Reversible, complete recovery possible. (INES 1 event: Anomaly)
C | Severe injury (accident) & harm to health | Prolonged or partial loss of capacity to work. Not reversible, complete recovery not possible, but does not entail loss of life. (INES 2-3 event: Incident)
D | Fatality or group accident | Fatal accident involving one person, or a severe group accident involving more than two persons. (INES 4 event: Accident with local consequences)
E | Multiple fatality | Fatal accident involving more than one person, catastrophe. (INES 5-6 event: Serious accident with wide consequences)
N | Nuclear accident involving many people | Nuclear Accident with Large Release. Extensive health impact; deaths expected due to significant radiation exposure. (INES 7 event: Major accident)
Economic or business consequences (example):

Category | Consequence | Definition
A | Minor loss | Yield, energy loss, reduced energy production (business loss: 1 – 10 thousand EUR)
B | Major loss | Shut-down of a unit, major reduction of energy production, minor asset loss (business loss: 10 – 100 thousand EUR) (INES 1 event: Anomaly)
C | Severe loss | Spoiled corporate image, moderate asset loss (business loss: 0.1 – 1 million EUR) (INES 2-3 event: Incident)
D | Very severe loss | Long term shut-down of a unit, serious energy production problem in the market, serious damage to the corporate image, major asset loss (business loss: 1 – 10 million EUR) (INES 4 event: Accident with local consequences)
E | Catastrophic loss | Shocking upset in the energy production, catastrophic asset loss (business loss: 10 – 100 million EUR) (INES 5-6 event: Serious accident with wide consequences)
N | Nuclear accident | Destroyed asset, no possibility of restoration. Nuclear Accident with Large Release. (business loss: > 100 million EUR) (INES 7 event: Major accident)

Environmental consequences (example):

Category | Consequence | Definition
A | Minor effect | Local environmental impact, inconvenience (noise, odor, waste generation).
B | Major effect | Major environmental impact, emission above limits. Periodical environmental impact. (INES 1 event: Anomaly)
C | Severe (local) effect | Local (internal) damage to the environment, spoiling the corporate image. Significant, severe contamination. Limited release of toxic / radiological substance. (INES 2-3 event: Incident)
D | Very severe effect | Very severe effect damaging the environment, emission exceeding limits significantly. Release of significant quantities of radioactive material. External (outside the fence) and major internal damage to the environment. Rehabilitation requiring significant resources. (INES 4 event: Accident with local consequences)
E | Catastrophic effect | Large effect damaging the external environment with catastrophic consequences, prolonged emission exceeding limits considerably. Release of large quantities of radioactive material due to severe damage to the reactor core. (INES 5-6 event: Serious accident with wide consequences)
N | Nuclear accident | Destroyed asset, no possibility of restoration. Nuclear Accident with Large Release. (INES 7 event: Major accident)


Layer of Protection Analysis: LOPA
• The LOPA methodology allows the determination of the
appropriate Safety Integrity Level (SIL) for the SIF.
• Providing rational, semi-quantitative, risk-based answers
• LOPA can be easily applied after the HAZOP
• The mitigated risk for an impact event can be compared with the
corporation's criteria for unacceptable risk.
• Additional safeguards or independent protection layers can be
added.
• LOPA provides a rational basis to allocate risk reduction
resources efficiently.
• Reducing emotionalism
• Providing clarity and consistency
• Documenting the basis for the decision
• Facilitating understanding among plant personnel


Layer of Protection Analysis: LOPA

LOPA steps:
1. Identification of scenario
2. Determination of severity of consequence
3. Tolerable frequency (TEF)
4. Frequency of cause
5. Enabling event and conditional modifier
6. Calculation of Unmitigated event frequency
7. PFD of IPL's
8. Calculation of Mitigated event frequency (MEF)
9. Determination of SIL
10. LOPA documentation (SIF / SRS)

LOPA: Layer of Protection Analysis: Simplified Process Risk Assessment, by CCPS (concept book)
Applied LOPA software: DYADEM PHA-Pro7


Risk criteria (example):

Tolerable frequency for the health and safety of people:
Category | Consequence | Tolerable frequency
A | Small injury and health damage (first aid) | 10^-2 event/year
B | Moderate injury and health damage | 10^-3 event/year
C | Serious injury and health damage | 10^-4 event/year
D | One fatality and group of injuries | 10^-5 event/year
E | More fatalities | 10^-6 event/year
N | Nuclear accident | 10^-6 event/year (LRF)

Tolerable frequency for the business:
Category | Consequence | Tolerable frequency
A | No significant losses (business losses: 1-10 000 EUR) | 10^-1 event/year
B | Significant losses (business losses: 0,01-0,1 mEUR) | 10^-2 event/year
C | Serious losses (business losses: 0,1-1 mEUR) | 10^-3 event/year
D | Highly serious losses (business losses: 1-10 mEUR) | 10^-4 event/year
E | Catastrophic losses (business losses: 10-100 mEUR) | 10^-5 event/year (CDF)
N | Nuclear accident (business losses: > 100 mEUR) | 10^-6 event/year (LRF)

RRF and PFD

• PFD: Probability of Failure on Demand
• PFDavg: Average Probability of Failure on Demand

Event tree (figure): an initial event with frequency $f_I$ passes through IPL1 (BPCS / DCS), IPL2 (alarm + operator) and IPL3 (SIS); each layer either succeeds or fails with its PFD, and the outcome is the occurrence of the consequence:
• IPL1 success: safety
• IPL1 failed ($PFD_1$), $f_1 = f_I \cdot PFD_1$; IPL2 success: not desirable, but acceptable
• IPL2 failed ($PFD_2$), $f_2 = f_1 \cdot PFD_2$; IPL3 success: not desirable, but acceptable
• IPL3 failed ($PFD_3$), $f_C = f_2 \cdot PFD_3$: dangerous

$$f_C = f_I \cdot PFD_1 \cdot PFD_2 \cdots PFD_N = f_I \cdot \prod_{i=1}^{N} PFD_i = \frac{f_I}{RRF}$$
IPL requirements
IPL – Independent Protection Layer shall be (acc. to EN 61511-3/F.9.):
• Specificity: An IPL is designed solely to prevent or to mitigate the
consequences of one potentially hazardous event (for example, a runaway
reaction, release of toxic material, a loss of containment, or a fire).
Multiple causes may lead to the same hazardous event; and, therefore,
multiple event scenarios may initiate action of one IPL;
• Independence: An IPL is independent of the other protection layers
associated with the identified danger.
• Dependability: It can be counted on to do what it was designed to do.
Both random and systematic failure modes are addressed in the design.
• Auditability: It is designed to facilitate regular validation of the protective
functions. Proof testing and maintenance of the safety system is
necessary.
• 3 Enough's, Big/Fast/Strong Enough
• 3 D’s: Detect / Decide / Deflect

Typical PFD 1.
Typical PFD values (figure)

Typical PFD (continued)
Typical PFD values (figure)

LOPA calculation

LOPA chain (figure): initial event ($f_I$), enabling event ($P_E$), conditional modifier ($P_C$), IPL1 … IPLN ($PFD_1$ … $PFD_N$), hazardous event ($f_{MEF}$), assessed against the severity of consequence and the tolerable frequency $f_T$, giving the required RRF and SIL.

$$f_{UMF} = f_I \cdot P_E \cdot P_C, \qquad f_I = \sum_i f_{Ii}$$

$$P_E = \prod_i P_{Ei}, \qquad P_C = \prod_i P_{Ci}$$

$$RRF_{SIF} = \frac{f_{MEF}}{f_T} = \frac{f_{UMF}}{f_T} \cdot \prod_{i=1}^{N} PFD_i = \frac{f_I}{f_T} \cdot P_E \cdot P_C \cdot \prod_{i=1}^{N} PFD_i$$

Enabling event: $P_E = T_E / T_{BASE}$, the share of the base time $T_{BASE}$ during which the enabling condition $T_E(t)$ is present.

Conditional modifier, e.g. probability of fatality: $P_{C,fatality} = V \cdot \frac{A_{EFF}}{A_{TOT}} \cdot p$


SIL, RRF
• RR(F): Risk Reduction (Factor)
• SIL: Safety Integrity Level

Safety integrity level (SIL) | Average Probability of Failure on Demand (PFDavg) | Risk Reduction Factor (RRF)
- | >= 10^-1 | <= 100
1 | >= 10^-2 to < 10^-1 | > 10 to <= 100
2 | >= 10^-3 to < 10^-2 | > 100 to <= 1000
3 | >= 10^-4 to < 10^-3 | > 1000 to <= 10000
4 | >= 10^-5 to < 10^-4 | > 10000 to <= 100000
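The LOPA chain of the previous slides (f_UMF, f_MEF, RRF_SIF) and the SIL band lookup of this table, carried through for one constructed scenario. This is an added Python example, not material from the course; the scenario values (f_I, T_E, V, A_EFF, A_TOT, p, the IPL PFDs and f_T) are constructed sample data.

```python
from math import prod

# Added example, not from the course slides. Scenario values are constructed;
# the bands are the low-demand PFDavg bands of the SIL / RRF table (SIL, lower, upper).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def enabling_probability(t_e_hours, t_base_hours):
    """P_E = T_E / T_BASE: share of the base time the enabling condition is present."""
    return t_e_hours / t_base_hours


def fatality_modifier(v, a_eff, a_tot, p):
    """Conditional modifier for fatality as on the slide: P_C = V * (A_EFF / A_TOT) * p."""
    return v * (a_eff / a_tot) * p


def unmitigated_frequency(f_i, p_e=(), p_c=()):
    """f_UMF = f_I * prod(P_Ei) * prod(P_Ci); an empty tuple means no modifier (factor 1)."""
    return f_i * prod(p_e) * prod(p_c)


def mitigated_frequency(f_umf, pfds):
    """f_MEF = f_UMF * prod(PFD_i) over the IPLs other than the SIF being sized."""
    return f_umf * prod(pfds)


def sil_for_rrf(rrf):
    """SIL band for a required RRF (PFD = 1 / RRF). 0: no SIF needed (RRF <= 10);
    None: beyond SIL 4, i.e. the scenario needs redesign rather than a single SIF."""
    if rrf <= 10:
        return 0
    pfd = 1.0 / rrf
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def size_sif(f_i, f_t, p_e=(), p_c=(), pfds=()):
    """Whole chain for one scenario: returns (f_UMF, f_MEF, RRF_SIF, target SIL)."""
    f_umf = unmitigated_frequency(f_i, p_e, p_c)
    f_mef = mitigated_frequency(f_umf, pfds)
    rrf = f_mef / f_t                      # RRF_SIF = f_MEF / f_T
    return f_umf, f_mef, rrf, sil_for_rrf(rrf)


if __name__ == "__main__":
    # Constructed scenario: initiating event 0.5/yr, enabling condition present 4380 h
    # of 8760 h, fatality modifier, BPCS and alarm + operator IPLs, category E target.
    p_e = enabling_probability(4380, 8760)                      # 0.5
    p_c = fatality_modifier(v=0.5, a_eff=20, a_tot=100, p=1.0)  # 0.1
    f_umf, f_mef, rrf, sil = size_sif(0.5, 1e-6, (p_e,), (p_c,), (0.1, 0.1))
    print(f"f_UMF={f_umf:.3e}/yr f_MEF={f_mef:.3e}/yr RRF_SIF={rrf:.0f} -> SIL {sil}")
```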

Safety Requirement Specification


• SIF identification
• SIF description + narrative
• Input and Output devices (with field tag)
• Requirements for Common Cause Failure (CCF)
• Definition of Safe State
• Demands (per HAZOP) and Demand Rate (Low/High)
• Response Time
• Proof Test Requirements (PTI)
• Target SIL and target RRF
• Process measurements (inputs) range and trip limits
• Output action and criteria
• Functional description (e.g. C&E matrix), start / restart procedure
• Manual shutdown requirements
• Energize or de-energize trip
• Reset requirements
• Max. Spurious Trip Rate (STR)
• Failure mode and desired response
• Interfaces (on HMI of BPCS)
• Requirements for bypass (POS / MOS)
• Mean Time To Repair (MTTR: e.g. 8 hours)
• Environment Conditions
• Etc.
Safety Instrumented Functions (SIF)

Figure: sensors S1…S4 feed the Logic Solver (LS), which drives final elements FE1…FE3; sensors, logic solver and final elements are grouped into SIF1, SIF2 and SIF3.

Typical SIF
• Typical SIF of BMS (figures):

Fuel gas low pressure protection: SIF-102-02B/1..4
  PSL MPSL-087A/B/C (2oo3), BSL MBAL-001-004 (main burner 1.); LOGIC SOLVER: Safety PLC; MUV-002A/B/C (1oo2, main burner 1.)

No flame protection (during operation): SIF-102-03D/5..8
  BSL MBAL-005-008 (1oo2, main burner 2.); LOGIC SOLVER: Safety PLC; MUV-003A/B/C (main burner 2.)

Flue gas path protection: SIF-102-05A
  GSC MGSC-015/15A/15B (2oo3); LOGIC SOLVER: Safety PLC; MUV-002A/B/C (1oo2, main burner 1.), MUV-003A/B/C (3oo3 / 1oo2, main burner 2.), MUV-004A/B/C (1oo3, pilot burner), MUV-011..018 (8oo8, pilot burner)


1oo2, 2oo2 voting

1oo2 voting (figure)

2oo2 voting (figure)

Failure Mode 1.

Failure modes of a shutdown valve (figure):
• Safe failure (valve closes): Safe Detected if detected by the limit switch, otherwise Safe Undetected
• Dangerous failure (valve stuck open): Dangerous Detected if detected by PST (partial stroke test), otherwise Dangerous Undetected


Failure Mode 2.

Failure modes of a 4-20 mA pressure transmitter (PSHH, figure), signal levels per NAMUR NE 44:
• 21.0 mA: high-scale burnout
• 20.5 mA: high saturation
• 20.0 mA to 4.0 mA: normal signal range
• 3.8 mA: low saturation
• 3.6 mA: low-scale burnout
• Safe failure: the signal moves in the "close" direction, giving a spurious shutdown (safety)
• Dangerous failure: the signal does not follow the high pressure, giving a failed shutdown (dangerous)

Failure Mode 3.

Failure classification (figure):
• No failure
• Safe Detected ($\lambda_{SD}$)
• Safe Undetected ($\lambda_{SU}$)
• Dangerous Detected ($\lambda_{DD}$)
• Dangerous Undetected ($\lambda_{DU}$)

$$\lambda = \lambda_D + \lambda_S = \lambda_{DD} + \lambda_{DU} + \lambda_{SD} + \lambda_{SU}$$


Useful Lifetime

Failure rate over time (bathtub curve, figure): wear-in period, normal operation (useful lifetime) with constant failure rate λ(t) = λ, then wear-out.
USEFUL LIFETIME!!! (when the failure rate is constant)

PFDavg
PFDavg (Average Probability of Failure on Demand):

Figure: PFD(t) rises from zero after each proof test and is reset by the next one; TI is the test interval and PFDavg is the average over TI.

$$PFD_{AVG} = \frac{1}{TI} \int_0^{TI} PFD(t)\,dt = \frac{1}{TI} \int_0^{TI} \left(1 - e^{-\lambda_D \cdot t}\right) dt \approx \frac{\lambda_D \cdot TI}{2}$$


Safe Failure Fraction (SFF)

Figure: share of failures found by diagnostics at DC = 0%, 60%, 90% and 99%.

On this slide $\lambda_D$ denotes the detected and $\lambda_U$ the undetected failure rate:

$$\lambda = \lambda_D + \lambda_U = \lambda_{DD} + \lambda_{DU} + \lambda_{SD} + \lambda_{SU}$$

$$DC = \frac{\lambda_D}{\lambda} = \frac{\lambda_D}{\lambda_D + \lambda_U} = \frac{\lambda_{DD} + \lambda_{SD}}{\lambda_{DD} + \lambda_{DU} + \lambda_{SD} + \lambda_{SU}}$$

$$SFF = \frac{\lambda_{DD} + \lambda_{SD} + \lambda_{SU}}{\lambda_{DD} + \lambda_{DU} + \lambda_{SD} + \lambda_{SU}}$$

Achieved Safety Integrity Level (PFD / PFH)

Safety integrity level (SIL) | Low demand mode: PFDavg | High / Continuous mode: PFH
- | >= 10^-1 | <= 100
1 | >= 10^-2 to < 10^-1 | >= 10^-6 to < 10^-5
2 | >= 10^-3 to < 10^-2 | >= 10^-7 to < 10^-6
3 | >= 10^-4 to < 10^-3 | >= 10^-8 to < 10^-7
4 | >= 10^-5 to < 10^-4 | >= 10^-9 to < 10^-8

SIS loop (figure, energize to trip): Sensor, Logic solver, Final element, Power supply

$$PFD_{SIS} = \sum PFD_{S_i} + \sum PFD_{LS_i} + \sum PFD_{FE_i} + \sum PFD_{PS_i}$$
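The failure-rate split of Failure Mode 3, the DC and SFF formulas, the PFDavg ≈ λ·TI/2 approximation and the PFD_SIS sum above, computed for one constructed loop. This is an added Python example, not from the course material; the FIT values, the logic-solver PFD and the one-year proof test interval are constructed sample data, and using λ_DU (rather than the slide's λ_D) in the PFDavg formula is this example's assumption.

```python
from math import exp

FIT = 1e-9  # Failure In Time: 1 failure per 1e9 hours (constructed rates below use it)


def total_rate(l_dd, l_du, l_sd, l_su):
    """lambda = lambda_DD + lambda_DU + lambda_SD + lambda_SU (Failure Mode 3)."""
    return l_dd + l_du + l_sd + l_su


def diagnostic_coverage(l_dd, l_du, l_sd, l_su):
    """DC = detected / total = (lambda_DD + lambda_SD) / lambda, as on the SFF slide."""
    return (l_dd + l_sd) / total_rate(l_dd, l_du, l_sd, l_su)


def safe_failure_fraction(l_dd, l_du, l_sd, l_su):
    """SFF = (lambda_DD + lambda_SD + lambda_SU) / lambda; only lambda_DU counts against it."""
    return (l_dd + l_sd + l_su) / total_rate(l_dd, l_du, l_sd, l_su)


def pfd_avg_1oo1(l_du_per_hour, ti_hours, exact=False):
    """PFDavg of a single channel over proof-test interval TI (hours).
    Slide approximation: lambda * TI / 2; the exact form integrates 1 - exp(-lambda t).
    Assumption: lambda_DU is the rate that matters, since DD failures are revealed by
    diagnostics long before the proof test."""
    x = l_du_per_hour * ti_hours
    if not exact:
        return x / 2
    return 1 - (1 - exp(-x)) / x


def pfd_sis(sensors, logic_solvers, final_elements, power_supplies=()):
    """PFD_SIS = sum PFD_S + sum PFD_LS + sum PFD_FE + sum PFD_PS (energize-to-trip loop)."""
    return sum(sensors) + sum(logic_solvers) + sum(final_elements) + sum(power_supplies)


def sil_low_demand(pfd):
    """Achieved SIL from the PFDavg column of the table; 0 = below SIL 1.
    Values below 1e-5 are still reported as 4, since no higher level is defined."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


if __name__ == "__main__":
    # Constructed rates in FIT for a transmitter (DD, DU, SD, SU); the safety PLC is
    # given directly as a PFDavg; the valve by its DU rate only.
    tx = (500 * FIT, 200 * FIT, 300 * FIT, 100 * FIT)
    ti = 8760                                   # one-year proof test interval
    pfd_tx = pfd_avg_1oo1(tx[1], ti)
    pfd_valve = pfd_avg_1oo1(800 * FIT, ti)
    total = pfd_sis([pfd_tx], [1e-5], [pfd_valve])
    print(f"SFF(tx)={safe_failure_fraction(*tx):.3f} PFD(tx)={pfd_tx:.2e} "
          f"PFD(SIS)={total:.2e} -> SIL {sil_low_demand(total)} (valve dominates)")
```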


SIL Architecture Constraints

Route 1H (figure)
Route 2H (EN 61511) (figure)

MooN voting arrangements

Figure: the arrangements plotted against safety and reliability (1oo1, 2oo2, 3oo3; 1oo2, 2oo3; 1oo3, 2oo4).

Architecture | HFT | SFT
1oo1 | 0 | 0
2oo2 | 0 | 1
1oo2 | 1 | 0
2oo3 | 1 | 1
1oo3 | 2 | 0
2oo4 | 2 | 2

MooN voting (with respect to safety) implies that at least M out of N components must function for the safety function to work (on demand).


CCF: Common Cause Failure

Failure A / CCF / Failure B (figure): $\lambda_N = (1 - \beta)\lambda$ (independent part), $\lambda_C = \beta\lambda$ (common cause part)

1oo2 pair, CCF = 0%: A PFD = 0,1; B PFD = 0,1; A*B PFD = 0,01; RRF = 1 / PFD = 100
1oo2 pair, CCF = 10%: A PFD = 0,09; B PFD = 0,09; A*B PFD = 0,0081; CCF PFD = 0,01; PFD = 0,0081 + 0,01 = 0,0181 ~ 0,02; RRF = 1 / PFD = 1 / 0,02 = 50 !!!

CCF should be reduced by: diverse redundancy, separation / segregation, redundant power supply, diverse cabling route etc.
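The beta-factor split above, reproducing the slide's 0% and 10% CCF numbers and going one step further to the largest β a 1oo2 pair can tolerate for a given RRF. This is an added Python example, not from the course material; the channel PFD of 0.1 and the RRF targets are constructed sample values.

```python
# Added example, not from the course slides: beta-factor common cause model for a
# 1oo2 pair of identical channels.

def pfd_1oo2_beta(pfd_channel, beta):
    """Split the channel PFD as lambda_N = (1 - beta) * lambda (independent part) and
    lambda_C = beta * lambda (common part). Independent failures must hit both channels
    (product); the common part fails both at once and is simply added.
    Returns (independent, common, total) PFD of the pair."""
    independent = ((1 - beta) * pfd_channel) ** 2
    common = beta * pfd_channel
    return independent, common, independent + common


def rrf(pfd):
    """RRF = 1 / PFD."""
    return 1.0 / pfd


def redundancy_gain(pfd_channel, beta):
    """What the second channel buys: RRF(1oo2) / RRF(1oo1). With beta = 0 this is
    1 / PFD (10x for PFD = 0.1); any common cause share caps it well below that."""
    return rrf(pfd_1oo2_beta(pfd_channel, beta)[2]) / rrf(pfd_channel)


def max_beta_for_rrf(pfd_channel, target_rrf, tol=1e-9):
    """Largest beta at which the pair still meets target_rrf, found by bisection
    (the total PFD is increasing in beta for channel PFD < 0.5). Returns None when
    even beta = 0 misses the target, i.e. redundancy alone cannot reach it."""
    limit = 1.0 / target_rrf
    if pfd_1oo2_beta(pfd_channel, 0.0)[2] > limit:
        return None
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if pfd_1oo2_beta(pfd_channel, mid)[2] <= limit:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for beta in (0.0, 0.10):   # the two cases on the CCF slide
        ind, com, tot = pfd_1oo2_beta(0.1, beta)
        print(f"CCF={beta:.0%}: A*B={ind:.4f} CCF={com:.4f} PFD={tot:.4f} RRF={rrf(tot):.0f}")
    print(f"max beta for RRF 80 with channel PFD 0.1: {max_beta_for_rrf(0.1, 80):.3%}")
```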

SIL verification

SIL verification flow (figure):
• Inputs per element: failure rates (λDU, λDD, λSU, λSD), diagnostic coverage (DC), failure mode, architecture (MooN), proof test interval (PTI)
• Inputs from H&RA / SRS: target SIL (SILTAR), demand mode (low / high / continuous)
• Hardware fault tolerance: SFF and HFT give SILAC, the architecture constraint (Route 1H / Route 2H per EN 61511)
• PFD / PFH calculation gives SILPFD or SILPFH according to the demand mode
• Systematic capability: SCn
• Achieved SIL = MIN(SILAC, SILPFD / SILPFH, SCn); compared with the target SIL: OK if not lower, otherwise NOT OK
SIL certificate
SIL certificate (figure). FIT: Failure In Time (1x10^-9 failures per hour).

SIL verification
SIL verification (figures)

Realization of SIF by SIS (Logic)

Logic signals (figure, example):
• Trip signal: ON (1): NORMAL, OFF (0): TRIP
• START OVERRIDE
• MOS (maintenance override switch)
• POS (process override switch)
• MAN. SHUTDOWN
• LOCK-OUT
• RESET: NON VOLATILE!

Realization of SIF (HMI)
HMI (figure, example)

Thank You for your attention!

PROCOPLAN KFT.
2030 Érd, Diósdi u. 107./C
Tel: +36 23 361-433
Fax: +36 23 364-124
Mail: procoplan@procoplan.hu
www.procoplan.hu



Appendix A.: Safety Lifecycle of I&C system in NPP based on EN-61513 standard (figure, example)

5.2 Deriving the I&C requirements from the plant safety design base
  5.2.2 Review of the functional, performance and independence requirements
  5.2.3 Review of the categorization requirements
  5.2.4 Review of plant constraints
5.3 I&C system output documentation
5.4 Design of the overall I&C architecture and assignment of the I&C functions
  5.4.2 Design of the I&C architecture
  5.4.3 Assignment of functions to systems
  5.4.4 Required analysis (reliability, CCF etc.)
5.5 Overall I&C operation plan
  5.5.2 Overall quality assurance (QA) programs
  5.5.3 Overall I&C security plan
  5.5.4 Overall I&C integration and commissioning
  5.5.5 Overall I&C operation plan
  5.5.6 Overall I&C maintenance plan
  5.5.7 Planning of training
5.6 Overall I&C output documentation
6 System safety life cycle of individual I&C (for all of 1…N individual I&C systems)
  6.2.2 Individual I&C system requirements specification
  6.2.3 Individual I&C system specification
  6.2.4 Individual I&C system detailed design and implementation
  6.2.5 Individual I&C system integration
  6.2.6 Individual I&C system validation (SAT)
  6.2.8 Modification of individual I&C (back to begin)
  6.3 Individual I&C system planning
  6.4 Output documentation of individual I&C
  6.5 System qualification of individual I&C
7 Overall I&C integration and commissioning
8 Overall I&C operation and maintenance

Appendix B.: Recommended safety life cycle of I&C system in NPP (based on SSG-39, EN 61513 and EN-61511 + OAH 1.5 guide) (figure, example)

Overall safety life cycle:
2 Deriving the I&C requirements from the plant safety design base
  2.1 I&C system general requirements (design rules!)
3 Design of the overall I&C system architecture
  3.1 Function identification and categorization
  3.2 I&C systems safety classification
  3.3 Overall I&C system specification
4 Function allocation to I&C systems
5 Overall I&C system design
  5.1 Overall I&C system integration and installation design
  5.2 Overall I&C system operation design
  5.3 Overall I&C system maintenance design
  5.4 Overall I&C system security design
6 Safety life cycle of individual I&C system (for all of 1…N individual I&C systems)
  6.1 Individual I&C system requirements specification
  6.2 Individual I&C system, subsystem, element specification
  6.3a Individual I&C system detail design
    6.3.1 Individual I&C system hardware design
    6.3.2 Individual I&C system software design
  6.3b Individual I&C procurement and manufacturing (FAT)
  6.4 Individual I&C system integration and installation
  6.5 Individual I&C system site installation
  6.6 Individual I&C system validation (SAT)
  6.7 Individual I&C system documentation
  6.8 Individual I&C system qualification
7 Overall I&C system integration and commissioning
8a Overall I&C system test
8b Overall I&C system operation and maintenance
9 I&C system modification (MoC)
10 I&C system decommissioning

Project phases alongside the life cycle: 1. Basic design (Safety Plan, QA); 1. Authority procedure; 2. Detailed design; 2.-3. Authority procedure; 3. Procurement, installation; 4. Site installation; 4. Authority procedure; 5. Integration; 5. Authority procedure; 6. Test; 6. Authority procedure; 7. Operation.
