A Practical Approach for the Selection of PES Used for SF in the Process Industry
Risknowlogy B.V.
Brunner bron 2
6441 GX Brunssum
The Netherlands
www.risknowlogy.com
This document is the property of, and is proprietary to Risknowlogy. It is not to be disclosed in whole or in part and no portion of this document shall be
duplicated in any manner for any purpose without Risknowlogy’s expressed written authorization.
Risknowlogy, the Risknowlogy logo, and Functional Safety Data Sheet are registered service marks.
Abstract
Recently published international standards, such as ISA-SP84 [i] of the Instrument Society of America,
and the IEC 61508 draft of the International Electrotechnical Commission [ii], establish performance
based criteria for the design, installation, operation, and decommissioning of Programmable
Electronic Systems (PES) used for safety related functions. These criteria address specifications for
the necessary function of these systems, and requirements about their appropriate Safety Integrity
Levels, as well as issues of hardware, and software design, testing, management, maintenance and
documentation.
The present paper demonstrates, through specific examples, an approach for the evaluation of the
Safety Integrity Level (SIL) of Programmable Electronic Systems performing specific safety functions
in accordance with the aforementioned standards. This approach addresses the definition of PES
architectures in terms of the interaction of PES components, their failure modes and associated
failure rates. Also, it addresses the impact of the embedded software quality, the significance of the
coverage factor of diagnostic systems of fault tolerant PES, and the significance of common cause
failures. The use of appropriate tools for the evaluation of SIL, such as reliability block diagrams, fault
trees, and Markov models is discussed and demonstrated.
1 Introduction
Programmable Electronic Systems play a significant role in the management of risk in the process
industry. When used as "safety" systems, they contribute to the reduction of the likelihood and
consequences of events causing harm to human health, exposure of the environment, damage of
assets and interruption of the continuity of production. The role of safety systems includes
prevention and detection of deviations of critical process parameters, such as temperature (over-temperature,
fire), level (high or low), pressure (over-pressure, depressurisation), concentration (toxic gas, smoke),
as well as control of accident sequences, for example shutdown and isolation of plant systems and
initiation of emergency procedures (e.g., fire fighting systems).
A Programmable Electronic System (PES) is: "A system based on one or more programmable
electronic devices, connected to (and including) input devices (e.g., sensors) and/or output
devices/final elements (e.g., actuators), for the purpose of control, protection or monitoring. The term
PES includes all elements in the system, including power supplies, extending from sensors, or other
input devices, via data highways or other communication paths, to the actuators, or other output
devices (sensors/other input devices, and actuators/other output devices are therefore included in the
term)." [iii] When used as a safety-related system, the PES is expected to "carry out the actions
necessary to achieve a safe state for the equipment under control, or to maintain a safe state for the
equipment under control." [iv]

Corresponding author: m.j.m.houtermans@risknowlogy.com
There are two key attributes characterizing the performance of a safety-related system, namely, its
ability to implement safety functions, and the required Safety Integrity Level (SIL) at which these
safety functions need to be carried out. The selection and specification of a PES, therefore, should be
guided by the results of a detailed examination of the process safety functional specifications and an
evaluation of the process functional integrity requirements. The process safety functional
specifications dictate the safety functions that the safety system must perform under stated
circumstances. The functional integrity requirements specify the level of confidence (reliability and
availability) these safety functions must be performed in those circumstances, so that a desirable
reduction of risk associated with the process hazards is achieved.
The functional specifications and the SIL requirements of the process must be matched by
appropriate PES design, quality of installation, and operational performance. This paper addresses
design considerations only, namely hardware architecture and reliability, and software quality and
dependability.
2 Functional Specifications
The functional specifications define the relevant functional parameters assigned to the PES. Such
parameters include the boundaries of the function, interfaces and interactions with other systems, set-
points and tolerances, the logical relationship between detection and actuation of final elements, the
response time of the overall function and the response times of the relevant components, with their allowable
tolerances [v].
The objective of a functional PES specification, in terms of a simple example, may be stated in the
following way: "to detect flammable gas in the recovered solvent tank area and, on confirmed
detection, initiate the emergency ventilation scram system." A statement of the PES functional
specification in the same example could be the following: "Detect gas at 0.5 m above floor level
and 20% Lower Explosive Limit (LEL) concentration and annunciate in the Control Room within 1
second. At 60% LEL concentration initiate automatic process shutdown and actuation of the
ventilation scram system within 3 seconds."
3 Integrity Specification
Quantitative definitions of Safety Integrity Levels (SIL) are given in ISA-SP84 and IEC 61508. Each
SIL corresponds to a range of average probability of failure on demand (PFD). The IEC 61508 definitions
are listed in Table 1.
The design aspects of the PES include the overall hardware and software architecture (sensors,
actuators, programmable electronics, embedded software, application software, etc.) that satisfies
safety integrity requirements established by existing standards and the process hazard analysis and
risk assessment.
safeguarded process deviates from a predefined acceptable safe state. The failures of programmable
systems may be attributed to the hardware components or the software elements of the system. The
following steps demonstrate a systematic approach towards meeting this objective.
Figure 1. Dual PE with Dual I/O, One-out-of-Two (1oo2) Shutdown Logic, and Single
Sensors and Final Elements
[Figure not reproduced: a single sensor feeds two channels, each consisting of a power supply, an input
module, a main processor and an output module; the channel outputs are combined by 1oo2 shutdown logic
that drives a single final element.]
The overall system failure is a function of the failures of its components. Table 2 provides a short
list of random failures (i.e., failures occurring at random times and resulting from degradation in the
hardware) and failure rates of typical PES components. These figures, presented as ranges of a low,
average and high value, can only be used for demonstration purposes and do not reflect failure rates
supported by field data. They are consensus rates used for the demonstrative reliability quantification of
widely used PES architectures included in the ISA Technical Report dTR84.0.02 [vii]. For the reliability
evaluation of actual systems, site-specific failure rate data are preferred, if available. If this is not
possible, then generic data from credible published sources may be used.
A PES used for safety can fail in two generic modes, "Fail Safe" and "Fail Dangerous". A "Fail
Safe" mode causes the process to trip while no underlying deviation from safe process boundaries is
present. It is a nuisance trip. A "Fail Dangerous" mode describes the condition of the PES not being
able to respond to upsets of the process. In this failure mode the process will continue its course and
may enter a dangerous state; the failed PES is insensitive to that state, which is why the mode is
dangerous.
Table 2. Hardware Failure Rates
Table 3 depicts the fraction of the total failure rate of each PES component that is attributed to the "Fail
Safe" mode. These figures are also expressed as a range of low, average and high values and carry the
same limitations of validity as those in Table 2.
In addition to random hardware failures, common cause failures of the PES components should be
considered and quantified. Common cause failures are the result of external events which cause
multiple components in separate channels of a redundant system to fail, thus rendering the PES
unable to perform its intended function. There is a considerable amount of research on the modeling and
quantification of common cause failures [viii, ix, x]. Draft IEC 61508 provides a practical methodology for
the evaluation of common cause failures [xi] using the β-factor model, which is summarized here for
convenience.
The β-factor model relates the probability of common cause failure of the hardware to the probability
of random hardware failures. The β factor is calculated for the sensors, the logic system and the
actuators separately and reflects the fraction of single-channel random failures that will affect all
channels.
The overall failure rate due to dangerous common cause failures is given by the expression:

$$\lambda_{DU}\,\beta + \lambda_{DD}\,\beta_D$$

where λDU is the rate of dangerous undetected failures of a single channel and λDD is the rate of
dangerous detected failures of a single channel (both are failure rates, not probabilities, since the
result is a rate). β is obtained from Table 4 using the score $S = X + Y$ (see Table 5); βD is obtained
from Table 4 using the score $S_D = X(Z + 1) + Y$.
Systematic failures introduced in the PES safety requirements specification phase, or in the design
and manufacture stages of the hardware, or in the design, implementation and testing phases of the
software need to be analyzed systematically to determine any contribution to the system unreliability.
[Fault tree diagram, caption not recoverable: two top events, "Fail To Operate (FD)" and "Fail Safe",
built from OR and AND gates. Basic events visible: Sensor (FS and FD); FS IM, CC IM, FS MP, CC MP, FS OM,
CC OM; FD IM, CC IM, FD MP, CC MP, FD OM, CC OM; and, for each of the two channels, FD IM, FD MP, FD OM.
IM = input module, MP = main processor, OM = output module, CC = common cause, FS = fail safe,
FD = fail dangerous.]
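The fault tree above can be evaluated numerically once each basic event has an unavailability. The Python below is an added example, not part of the paper: its gate structure is this editor's reading of the figure (a single sensor and final element, the two channels combined by an AND gate, the common cause events ORed in at the top, and every safe failure ORed into the fail-safe tree because 1oo2 shutdown logic trips on either channel), and every probability is a constructed value.

```python
# Added worked example (not the paper's code). Gate structure is the editor's
# reading of the page's fault tree; all basic-event probabilities are constructed.
from math import prod

# Per-demand unavailabilities of dangerous (FD) basic events, of the order of
# lambda_DU * T1 / 2 for undetected dangerous failures. Hypothetical values.
P_FD = {
    "SENSOR_FD": 1.0e-3, "FINAL_ELEMENT_FD": 2.0e-3,
    "A_IM_FD": 2.0e-4, "A_MP_FD": 1.0e-4, "A_OM_FD": 2.0e-4,    # channel A
    "B_IM_FD": 2.0e-4, "B_MP_FD": 1.0e-4, "B_OM_FD": 2.0e-4,    # channel B
    "CC_IM_FD": 2.0e-5, "CC_MP_FD": 1.0e-5, "CC_OM_FD": 2.0e-5,  # common cause
}

# Fail To Operate: the single sensor or final element, a common cause event,
# or both channels failing; a channel fails if any of its modules fails.
CHANNEL_A = ("OR", "A_IM_FD", "A_MP_FD", "A_OM_FD")
CHANNEL_B = ("OR", "B_IM_FD", "B_MP_FD", "B_OM_FD")
FAIL_TO_OPERATE = ("OR", "SENSOR_FD", "FINAL_ELEMENT_FD",
                   ("AND", CHANNEL_A, CHANNEL_B),
                   "CC_IM_FD", "CC_MP_FD", "CC_OM_FD")

# Fail Safe: with 1oo2 shutdown logic a safe failure anywhere trips the process,
# so every safe (FS) basic event sits directly under one OR gate.
P_FS = {
    "SENSOR_FS": 1.0e-3, "FINAL_ELEMENT_FS": 1.0e-3,
    "A_IM_FS": 2.0e-4, "A_MP_FS": 1.0e-4, "A_OM_FS": 2.0e-4,
    "B_IM_FS": 2.0e-4, "B_MP_FS": 1.0e-4, "B_OM_FS": 2.0e-4,
    "CC_IM_FS": 2.0e-5, "CC_MP_FS": 1.0e-5, "CC_OM_FS": 2.0e-5,
}
FAIL_SAFE = ("OR",) + tuple(P_FS)


def top_probability(node, p):
    """Evaluate a gate tree assuming independent basic events.

    A node is either a basic-event name or a tuple (gate, child, child, ...).
    OR gate: 1 - prod(1 - p_i); AND gate: prod(p_i)."""
    if isinstance(node, str):
        return p[node]
    gate, *children = node
    probs = [top_probability(child, p) for child in children]
    if gate == "OR":
        return 1.0 - prod(1.0 - x for x in probs)
    if gate == "AND":
        return prod(probs)
    raise ValueError(f"unknown gate {gate!r}")


def importances(tree, p):
    """Fraction of the top-event probability removed when a basic event is made
    perfect (probability 0): a Fussell-Vesely style ranking of what to fix first,
    sorted from most to least important."""
    top = top_probability(tree, p)
    ranking = {}
    for name in p:
        perfect = dict(p, **{name: 0.0})
        ranking[name] = (top - top_probability(tree, perfect)) / top
    return dict(sorted(ranking.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    print(f"P(fail to operate) = {top_probability(FAIL_TO_OPERATE, P_FD):.3e}")
    print(f"P(nuisance trip)   = {top_probability(FAIL_SAFE, P_FS):.3e}")
    for name, imp in list(importances(FAIL_TO_OPERATE, P_FD).items())[:4]:
        print(f"  {name:18s} {imp:6.1%}")
```

With these values the AND of the two channels contributes of the order of 10^-7 while the single sensor and final element contribute 10^-3: the importance ranking says the field devices, then the common cause events, decide the result, which is the usual finding behind the paper's "Hardware, Software & Field Devices" curve.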
Figure 4. Markov Model
[Figure not reproduced: states 1 Operational, 2 Fail Safe, 3 Fail Dangerous and Partially Failed,
connected by failure-rate (λ) and repair-rate (μ) transitions.]
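The Markov model of Figure 4, as an added example that is not the paper's code: the four states of the figure, constructed failure and repair rates, and explicit numerical integration of the state equations to obtain P(Fail Dangerous) as a function of time, a curve of the kind Figure 5 plots, together with its time average over the proof test interval. The meaning given to Partially Failed (one channel failed dangerously, detected, under repair) and the absorbing Fail Dangerous state are modelling assumptions of the example.

```python
# Added worked example (not the paper's code). All rates are constructed values.
STATES = ("Operational", "PartiallyFailed", "FailSafe", "FailDangerous")
OP, PF, FS, FD = range(4)


def generator(lam_d, lam_s, beta, mu_repair, mu_restart):
    """Generator matrix Q (rows sum to zero) for a 1oo2 logic solver.

    Assumptions: PartiallyFailed = one channel failed dangerously, detected and
    under repair at rate mu_repair; FailDangerous is absorbing until the next
    proof test; a safe failure in either channel trips the process (FailSafe),
    which is restarted at rate mu_restart; beta is the common cause fraction."""
    q = [[0.0] * 4 for _ in range(4)]

    def transition(src, dst, rate):
        q[src][dst] += rate
        q[src][src] -= rate

    transition(OP, PF, 2.0 * (1.0 - beta) * lam_d)  # one of two channels, independent
    transition(OP, FD, beta * lam_d)                # beta-factor common cause failure
    transition(OP, FS, 2.0 * lam_s)                 # nuisance trip from either channel
    transition(PF, OP, mu_repair)                   # failed channel repaired
    transition(PF, FD, lam_d)                       # surviving channel also fails
    transition(PF, FS, lam_s)                       # surviving channel trips
    transition(FS, OP, mu_restart)                  # process restarted
    return q


def integrate(q, t1, dt=1.0):
    """State probabilities P(t) from P(0) = Operational by explicit Euler steps
    of dP/dt = P Q. Adequate here because every rate times dt is far below 1."""
    p = [1.0, 0.0, 0.0, 0.0]
    history = [p]
    for _ in range(int(round(t1 / dt))):
        p = [p[j] + dt * sum(p[i] * q[i][j] for i in range(4)) for j in range(4)]
        history.append(p)
    return history


def pfd_average(history):
    """Time average of P(FailDangerous) over the proof test interval: PFDavg."""
    return sum(p[FD] for p in history) / len(history)


def spurious_trip_fraction(history):
    """Time average of P(FailSafe): share of the interval lost to nuisance trips."""
    return sum(p[FS] for p in history) / len(history)


if __name__ == "__main__":
    q = generator(lam_d=5e-6, lam_s=5e-6, beta=0.1, mu_repair=1 / 8, mu_restart=1 / 24)
    hist = integrate(q, t1=8760.0)
    for t in (0, 2190, 4380, 6570, 8760):  # quarter-year samples of the curve
        print(f"t={t:5d} h  P(FailDangerous)={hist[t][FD]:.3e}")
    print(f"PFDavg over T1   = {pfd_average(hist):.3e}")
    print(f"mean P(FailSafe) = {spurious_trip_fraction(hist):.3e}")
```

Because Fail Dangerous is absorbing, its probability rises through the interval and is reset only by the proof test; the time average is what the SIL bands are compared against, and with these rates it is dominated by the β transition straight from Operational, the same conclusion the β-factor arithmetic gives.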
Figure 5. Results
[Figure not reproduced: probability of fail to function versus time, with curves for Hardware;
Hardware & Software; and Hardware, Software & Field Devices, plotted against the SIL 1 to SIL 4 bands.]
REFERENCES
1. ANSI/ISA S84.01-1996, Applications of Safety Instrumented Systems for the Process Industry,
Instrument Society of America, Research Triangle Park, North Carolina, USA, February 1996.
2. Draft IEC 61508: Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related
Systems, Parts 1-7, IEC Reference 65A/179-185, International Electrotechnical Commission, 1997.
3. Draft IEC 61508: Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related
Systems, Part 4, International Electrotechnical Commission, 1997.
4. Bell, R., "Overview of proposed IEC 1508 & implications for PLCs", Health and Safety Executive,
Technology Division, March 1996.
5. UKOOA, "Guidelines for Instrument-Based Protective Systems", UK Offshore Operators Association
Limited, December 1995.
6. MIL-STD-1629, "Procedures for Performing a Failure Mode Effects and Criticality Analysis", November
1984.