IEC UNDERSTANDING IEC

61508 SAFETY INTEGRITY LEVELS 61511

TOLERABLE RISKS AND ALARP (IEC 61508-5 Annex ‘C’) SIL LEVELS ACCORDING IEC 61508 / IEC 61511 A PRACTICAL APPLICATION

SAFETY: SIL PFDavg PFDavg

RRF Calculate MTBF, MTBFs, PFDavg, RRF, and possible SIL level of the following SIF, which includes a
Safety Average probability Average probability
Risk cannot be justified except Risk transmitter, a barrier, a safety PLC, and a valve as final element, in 1oo1 architecture.
of failure on of failure on
Intolerable Region Integrity Reduction T-proof test is carried out once a year with 100% effectiveness.
in extraordinary circumstances
FREEDOM FROM
demand per year demand per hour
Level Factor The table below contains failure data provided by the manufacturer of each sub-system.
(low demand) (high demand)
Tolerable only if further Formulae to calculate requested values are indicated in the header.

UNACCEPTABLE The ALARP or

tolerability region
risk reduction is impracticable or
if its costs are grossly disproportional
SIL 4 ≥ 10-5 and < 10-4 100000 to 10000 ≥ 10-9 and < 10-8
Sub-
system
MTBF λ MTBFs λS λDD λDU
PFDavg
=1/λ per year =1/λS per year per year per year 1oo1
% of
total
RRF
=1/PFDavg
SFF
SIL
Level

RISK
to the gained improvement. (yrs) =1/MTBF (yrs) = λDU/2 PFDavg
(Risk is undertaken only if As the risk is reduced, the less
proportionately, it is necessary to spend
SIL 3 ≥ 10-4 and < 10-3 10000 to 1000 ≥ 10-8 and < 10-7 Tx 102 0.00980 125 0.00800 0.0010 0.00080 0.000400 8% 2500 91.8 % SIL 2
a benefit is desired)
to reduce it further, to satisfy ALARP.
Barrier 314 0.00318 629 0.00159 0.0014 0.00019 0.000095 1.9 % 10526 94.0 % SIL 3
The concept of diminishing proportion is
shown by the triangle.
SIL 2 ≥ 10-3 and < 10-2 1000 to 100 ≥ 10-7 and < 10-6
PLC 685 0.00146 741 0.00135 0.0001 0.00001 0.000005 0.1 % 200000 99.3 % SIL 3
Broadly Acceptable Region It is necessary to maintain assurance
that risk remains at this level.
SIL 1 ≥ 10-2 and < 10-1 100 to 10 ≥ 10-6 and < 10-5
Valve 30 0.03330 60 0.01660 0.0083 0.00830 0.004100 83 % 244 73.8 % SIL 2
(No need for detailed working
Power
to demonstrate ALARP)
RISK IS
AVERAGE PROBABILITY OF FAILURE ON DEMAND Supply
167 0.00600 189 0.00530 0.0000 0.00070 0.000350 7% 2857 88.3 % SIL 3

NEGLIGIBLE Tolerable accident frequency (FT) 1 Total

18.8 0.053 40.8 0.0245 0.019 0.01 0.005 100 % 200 - SIL 2
= = (SIF)
Frequency of accidents without protection (FNP) RRF
RISK REDUCTION (IEC 61508-5 Annex ‘A’) PFDavg Simplified equations
The following graph shows PFD and PFDavg variations in time:

1,3E-02
Residual Tolerable Without common causes With common causes (Beta factor) PFD PFDavg
EUC Risk SIL 1
Risk Risk
TI 1,0E-02
1oo1 λ DU × not applicable
2
INCREASING RISK
2 7,5E-03
Boiling Liquid Expanding 1oo2 TI2 1-β  ×  λDU × TI  β × λDU × TI
Necessary risk reduction λDU1 × λDU2 ×

PFD
Vapor Explosion (BLEVE) +
1oo2D 3 3 2 SIL 2
Actual risk reduction 5,0E-03

3
Partial risk covered TI3 1-β  ×  λDU × TI  β × λDU × TI
by other technology Partial risk covered Partial risk covered 1oo3 λDU1 × λDU2 × λDU3 × + 2,5E-03
safety-related by E/E/PE by external risk 4 4 2
safety-related system reduction facilities
systems
β × λDU × TI SIL 3
 λDU + λDU  TI 0
Risk reduction achieved by all safety-related systems
2oo2 × 1-β  ×  λDU × TI  + 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
1 2
2 2 TI = 1 yr; Et = 100% TIME (years)
and external risk reduction systems
  
 λDU × λDU + λDU × λDU

 × TI2
2 β × λDU × TI Note: The average probability of failure is strictly related to test interval (TI); increasing time
1-β  ×  λDU × TI  +
1 2 1 3
2oo3 between tests directly leads to higher probability of failures and therefore lower SIL levels.
SAFETY INTEGRITY LEVEL CALCULATION (IEC 61508-5 Annex ‘D’) + λ
 
DU2 × λDU3  

3
2

Risk (RNP) = FNP x C Risk < RT where (RT = FT x C)

INFLUENCE OF PERIODIC TEST DURATION AND EFFECTIVENESS ON PFDavg (1oo1)
TI: Proof Test Time Interval
1oo1  TI  SL 
(Et < 100%)
λDU  Et ×  + 1-Et   Et: Test Effectiveness MANUAL PERIODIC TEST DURATION
Consequence of C 2 2
Hazardous Event
 λDU: Dangerous Undetected Failures The duration of a manual proof test can have a significant impact on the overall SIS performance.
Safety-related protection
Flash Fire EUC system required to achieve the
Tolerable In 1oo1 architectures, during the test, the system must be taken offline, and its availability is zero.
Risk FNP FP Risk Target The original simplified formula is modified into:
necessary risk reduction SAFE FAILURE FRACTION (IEC 61508-2 Clause 7.4)
Frequency of TI TD
PFDavg = λDU × +
λ +λ +λ 
Hazardous Event FNP Necessary risk reduction
λ 2 TI where TI is the proof test interval and TD the test duration.
DD SD SU DU
= 1- Example:
λ +λ +λ +λ λ
EUC and
Safety integrity of the safety-related protection λDU= 0.002 / yr; TI = 1 yr (= 8760 hrs); TD = 8 hrs
EUC control system
system matched to the necessary risk reduction SFF DD DU SD SU TOT
We obtain: PFDavg = 0.001 + 0.0009 = 0.0019; RRF = 1/0.0019 = 526 (suitable for SIL 2 level)
Hardware Fault Tolerance Hardware Fault Tolerance Hardware Fault Tolerance MANUAL PERIODIC TEST EFFECTIVENESS
Consequences 1) Determine frequency (FNP) and 0 1 2 The effectiveness of a periodic proof test indicates the percentage of dangerous failures detected
Frequency Catastrophic Critical Marginal Negligible consequences (C) of hazardous by the test. If effectiveness is lower than 100%, the proof test does not bring the probability of
Frequent I I I II event without protection. TYPE A Components failure of the system back to zero (“as new”), therefore PFDavg increases progressively in time.
Probable I I II III Simple devices with well-known failure modes and a solid history of operation In this case the system not always maintains the original SIL level throughout its lifetime.
2) Determine risk class using
Occasional I II III III
Table C.1. < 60% SIL 1 SIL 2 SIL 3 The formula for calculating PFDavg when effectiveness is lower than 100% is:
Remote II III III IV
Improbable III III IV IV 3) Apply protections if Class = I. 60% - < 90% SIL 2 SIL 3 SIL 4 TI SL
Incredible IV IV IV IV 4) Achieve tolerable risk target. PFDavg = (Et × λDU × ) + [(1- Et) × λDU × ]
Jet Fire 90% - < 99% SIL 3 SIL 4 SIL 4 2 2
Table C.1 - Example of risk classification of accidents
≥ 99% SIL 3 SIL 4 SIL 4 where:
TYPE B Components Et: periodic test effectiveness to reveal dangerous failures (e.g. 90%)
AVAILABILITY AND RELIABILITY Complex components with potentially unknown failure modes SL: system lifetime. It is equal to the time until the system is completely tested (100%) or
replaced. If this never happens SL is equal to the lifetime of the whole plant.
Basic Concepts: Reliability < 60% Not allowed SIL 1 SIL 2
60% - < 90% SIL 1 SIL 2 SIL 3 The complete formula for calculating PFDavg taking both influences into account is:
Failures per unit time
1
λ= 90% - < 99% SIL 2 SIL 3 SIL 4 λDU TD SL
Components exposed to functional failure PFDavg = (Et × )+ + [(1- Et) × λDU × ]
≥ 99% SIL 3 SIL 4 SIL 4 2 TI 2
-9
1 FIT = 1 × 10 Failures per hour Operating time Time The following graph shows an example of PFD and PFDavg variations in case T-proof test is carried out
Failure rates categories: λDD: Dangerous Detected; λDU: Dangerous Undetected
0 λSD: Safe Detected; λSU: Safe Undetected once a year with 70% effectiveness: SIL 2 level is maintained only for about 4 years; the SIF then
MTBF = MTTF + MTTR Time To Failure t TTF downgrades to SIL 1.
1
MTTF = MTBF - MTTR = PFD PFDavg
λ 2,3E-02
MEAN TIME TO SPURIOUS FAILURE SYSTEM ARCHITECTURES
Operating Time MTTF MTTR 2,0E-02
Availability = =
Pool Fire Operating Time + Repair Time
MTTFs
1,8E-02
MTBF SIL 1
MTTF MTTF μ A A 1,5E-02
= = = = Repair
MTTF + MTTR MTBF μ+ λ 1,3E-02
Success time B
PFD

1
MTBM (failure) 1oo1 1,0E-02
= λS
MTBM + MSD 1oo1 1oo2 7,5E-03
λ SIL 2
Unavailability = 1- Availability = 1 5,0E-03
μ 1oo2
RELIABILITY 2λ S 2,5E-03
Acronyms: AVAILABILITY A V
MTBF: Mean Time Between Failures A o 0 SIL 3
MTTF: Mean Time To Failure
1 t 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
UNRELIABILITY 2oo2 B
i TIME (years)
MTTR: Mean Time To Repair UNAVAILABILITY 2λ S 2 × MTTR B TI = 1 yr; Et = 70%
MTBM: Mean Time Between Maintenance n
Success Failure C g When dealing with SIFs, safety engineers should pay special attention to the selection of the
MSD: Expected Mean System Downtime 1
λ: Failure rate MTTF sub-systems, the time interval between periodic tests and the system architecture.
2oo3
μ: Repair rate
MTTR 6λ S 2 × MTTR 2oo2 2oo3 A wise choice of these three key elements is what it takes to achieve the required SIL level.
Fireball

ITALY UNITED ARAB EMIRATES UNITED STATES OF AMERICA

G.M. International SRL GM International JLT GM International Safety Inc.
Via San Fiorano, 70 1201, Fortune Executive Tower, JLT 17453 Village Green Drive
I-20852 Villasanta (MB) PB 111365, Dubai 77040 Houston, TX
Tel: +39 039 2325038 Tel: +971 4 422 5844 Tel: +1 713 896 0777
Fax: +39 039 2325107 Fax: +971 4 422 5843 Fax: +1 713 896 0782
info@gmintsrl.com info@gminternational.ae info@gmisafety.com
www.gmintsrl.com www.gminternational.ae www.gmisafety.com