Sub-Sea HIPPS SIL Verification Report Sample


The Client

SIL VERIFICATION REPORT


High Integrity Pressure Protection System

Date

Referenced Documents:

Attachments:

REV. | DATE | DESCRIPTION | PREPARED BY (NAME / SIGN) | REVIEWED BY (NAME / SIGN) | APPROVED BY (NAME / SIGN)

Page 1 of 22
TITLE: HIGH INTEGRITY PRESSURE PROTECTION SYSTEM
SIL VERIFICATION REPORT
REF:
DATE:

TABLE OF CONTENT

TABLE OF CONTENT ..................................................................................... 2

EXECUTIVE SUMMARY ................................................................................. 3

LIST OF ACRONYMS ..................................................................................... 3

STANDARDS AND INPUT DOCUMENTS USED. .......................................... 4

DESCRIPTION OF THE SIS TO BE EVALUATED ......................................... 4

SAFETY INSTRUMENTED FUNCTION (SIF) AND PERFORMANCE REQUIREMENTS .......... 4

METHODOLOGY............................................................................................. 5

SIL VERIFICATION ......................................................................................... 5


COMPLETE HIPPS PFD................................................................................... 6
PRESSURE TRANSMITTERS PFD. ...................................................................... 6
MARKOV MODEL FOR PRESSURE TRANSMITTERS. ............................................... 6
LS CONTROLLERS PFD. .................................................................................. 9
SO-DCV’S PFD. .......................................................................................... 10
DCVS PFD. .................................................................................................. 10
GATE VALVES. .............................................................................................. 11
DATA BASE .................................................................................................. 13

STUDY RESULTS ......................................................................................... 14

RESULTS ANALYSIS, CONCLUSIONS AND RECOMMENDATIONS ....... 18

APPENDIX 1: MARKOV MODEL FOR PRESSURE TRANSMITTERS ..... 19


EXECUTIVE SUMMARY

This report summarizes the results of the SIL verification performed on The Client's High
Integrity Pressure Protection System (HIPPS).

The verification consisted of an evaluation of the HIPPS architecture and functional design to
determine the Safety Integrity Level (SIL) that can be achieved and the requirements to maintain
that performance (SIL 3) over the HIPPS life cycle.

The average Probability of Failure on Demand (PFDavg) of the HIPPS was calculated using
Fault Tree Analysis (FTA) and Markov analysis with the failure and repair rates of each individual
component. The SIL achieved was determined from the PFDavg and from the minimum hardware fault
tolerance requirements given in the IEC-61511 standard.

The conditions to achieve SIL 3 during the HIPPS life cycle are documented throughout this report.

It was found that the Safety Instrumented Function (SIF) performed by the proposed HIPPS
configuration is suitable to achieve SIL 3 if operated and maintained as per the Functional
Design Specification with a functional test interval (TI) of one year.

LIST OF ACRONYMS

FMEDA: Failure Modes, Effects and Diagnostic Analysis
FTA: Fault Tree Analysis
HIPPS: High Integrity Pressure Protection System
HFT: Hardware Fault Tolerance
IEC: International Electrotechnical Commission
ISA: Instrumentation, Systems and Automation Society
PFD: Probability of Failure on Demand
PFDavg: Average PFD
RRF: Risk Reduction Factor (1/PFD).
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System
TI: Test Interval


STANDARDS AND INPUT DOCUMENTS USED.

The following standards and documents were used as the basis for the SIL verification performed
on the SIS under study.

- IEC-61508-6 (2000 Edition). Functional safety of electrical/electronic/programmable electronic
safety-related systems.
- IEC-61511 (Parts 1, 2 and 3) (2003 Edition). Functional safety – Safety instrumented systems
for the process industry sector.
- The Client's HIPPS Functional Design Specification Doc. # xx
- FMEDA for Pressure Transducer, by EXIDA

DESCRIPTION OF THE SIS TO BE EVALUATED

The SIS evaluated is a High Integrity Pressure Protection System (HIPPS) designed to monitor the
pressure in a sub-sea production pipeline and to provide autonomous control of two gate valves
that isolate and protect the downstream equipment from overpressure. A series of pressure
transmitters located on the production pipeline transmit readings to a dual redundant, TUV certified,
SIL 3 rated Logic Solver, where they are interpreted and analyzed. Upon detection of an
overpressure condition, the Logic Solver initiates the closure of the two gate valves. The full
architecture and detailed functional description of the system evaluated are found in The Client's
HIPPS Functional Design Specification Doc. # xx.

SAFETY INSTRUMENTED FUNCTION (SIF) AND PERFORMANCE REQUIREMENTS

SIF description: Shut production gate valves (preventing overpressure) upon detection of a high
pressure condition.

SIL requirement: SIL 3 as per Functional Design Specification

Minimum manual test interval required: 1 year


METHODOLOGY

There are several methods to evaluate the PFD of a SIF, as described in IEC-61511 Part 2. For this
particular case the FTA technique was used. The SIS was divided into five (5) sub-systems: a) the
pressure sensors (transmitters); b) the Logic Solver; c) the SO DCV valves; d) the DCV valves;
and e) the gate valves. A fault tree was constructed for each sub-system except the pressure
transmitters, for which a Markov model was developed, since the combination of voting scheme and
repair rates is better modeled with this technique. A complete fault tree was built for the whole
system in which each branch is the sub-tree of one sub-system, and the point PFD from the Markov
model was used as the entry point for the pressure transmitters. Finally, the PFDavg was calculated
for the system fault tree.

The fault trees and Markov models were constructed and evaluated using specialized reliability
software, Fault Tree + Lite V 11.0.4 from Isograph Ltd. The reliability models were fed with the
individual component failure rates (see the failure rate data base section) and with the repair
rates.

A detailed description of the Fault Trees and Markov models developed, and the assumptions
considered in each case are given in the SIL verification section that follows.

In addition, the requirements for Hardware Fault Tolerance for sensors, logic solver and final
elements to achieve the SIL were evaluated as per the IEC-61511-1 standard.

SIL VERIFICATION

This section describes the fault trees and Markov models developed to calculate the complete
HIPPS PFDavg, and the assumptions used in each case.

When calculating the PFD of redundant systems, common cause failure is a very important
parameter, especially when identical components are used for redundancy. Other factors, such as
transmitters sharing the same process connection or valves sharing the same vent connection, also
contribute to common cause failures. Typically the minimum value recommended for the common cause
factor is 2% of the undetected failure rate, and conservative calculations are performed assuming 10%.

For the purpose of this study, the analyst's criterion was to use a 10% common cause factor for
all components except the Logic Solver (2% was used). The reasons for this are:

1. All redundant components are identical (same manufacturer, same model).
2. Even though the logic solvers are identical, their failure rates and common cause figures
were evaluated and calculated as per IEC-61508 (TUV certified system).


Complete HIPPS PFD.

The complete HIPPS fault tree to calculate the PFD is as shown in figure #1.

As shown, the HIPPS fails to perform its function if any sub-system fails.

Several scenarios were evaluated to see the impact of the test interval (one year and two years);
the results are shown in the results section.

Pressure Transmitters PFD.

The scenarios considered for the pressure transmitters were:

1) Four transmitters in operation.
2) Three transmitters in operation (2oo3 voting), no active spares available (worst case). The
PFD for this voting scheme was calculated using the IEC-61508-6 standard equations.
3) Two transmitters in operation (1oo2 voting), no active spares available. The PFD for this
voting scheme was calculated using the IEC-61508-6 standard equations.

The PFD calculated for each pressure transmitter voting scenario was entered into the fault tree to
evaluate the impact on the complete HIPPS PFD.

Markov model for pressure transmitters.

To take into account the different voting schemes described in the functional design document
(Table 6.1) when four transmitters are in operation, a Markov model was developed (see Fig. #2).

The initial state of the Markov model is when four transmitters are working properly (all
readings within the same band) and two spare transmitters are available. Starting from this
point and considering the failure rates, the repair rates and the diagnostic performed at the
logic solver level to detect deviations between the readings of each transmitter, a Markov
model is constructed. The unavailable states are denoted by a small circle at the right corner
of each state. The detailed description of each state in the Markov model, and the failure and
repair rates used to move from one state to another, are listed in Appendix 1.

It is important to remark that the model assumes that once a failure is detected in one
transmitter (reading deviation beyond the limits), the transmitter is disabled and a spare
transmitter is selected for voting. The time required to select a new spare transmitter was
used as the repair time in this model. Typically, detecting a failure in one transmitter and
selecting another takes a time in the order of minutes; however, a conservative 8 hours was
used in this case.

Fig. #1. Complete HIPPS fault tree (one year test interval, no repairs). Top event "HIPPS PFD":
Q=3.162e-4, w=4.152e-8, an OR gate over the five sub-system branches:
- LS fail to operate on demand (F35 ARRAY FAILS): Q=8.288e-5, w=9.460e-9
- Gate valves fail to close on demand (GATE VALVES FAILS): Q=2.029e-4, w=2.351e-8
- SO DCV's fail to depressurize hydraulic fluid (SO DCV SYSTEM): Q=4.393e-7, w=1.051e-10
- All DCVs fail to depressurize hydraulic fluid (DCV ARRAY FAILS): Q=3.004e-5, w=8.449e-9
- Sapphire PT's probability of failure, 4 transmitters in operation (PT'S FAILURE): Q=4.380e-9,
w=0.000 (entry point taken from the Markov model)


Fig. #2. Pressure transmitters Markov model. Initial state OK (Pi=1.000); all other states
(One undetected fail, 2oo3, 1oo2, 2 DU same band 1B, 2 DU same band 2B, 2oo3 with 2 bad,
1oo2 with 2DU, 2oo3 with 3 bad, Four PT Bad) start with Pi=0.000.


LS Controllers PFD.

The two LS controllers are fully independent and identical, both in application program design and
in physical components. The LS controllers are connected to the SODCV assembly as shown in
Figure #3.

Sensitive information

Fig #3. LS controllers' connection to SODCV valve assembly.

As either coil 1 or coil 2 of the SODCV is able to keep the SODCV open, a dangerous failure in one
LS controller (leaving all its outputs energized) leads to a complete dangerous failure of the
HIPPS. The fault tree for this situation is shown in Figure #4, and the same fault tree was used to
calculate the contribution of the LS controllers to the total HIPPS PFD. This is basically a 2oo2
configuration. Common cause failure as per manufacturer data is 2% of the dangerous failure rate.
Sensitive information
Fig #4. Fault tree for LS controllers.


SO-DCV’s PFD.

There are two SODCV assemblies, named "A" and "B" in the fault tree shown in Figure #5.

Sensitive information

DCVs PFD.

As for the case of the SODCV there are also two DCV assemblies.

Sensitive information

The fault tree shown in Figure #6 illustrates the model used to calculate the PFD of the DCV
assemblies. For a dangerous failure of the DCV sub-system, each dual redundant array must fail
dangerously. A conservative common cause value of 10% was used.


Gate Valves.

The gate valves are arranged in a 1oo2 voting scheme.

Sensitive information

The fault tree shown in Figure #7 illustrates the model used to calculate the PFD of the gate
valves. A conservative common cause value of 10% was used.

It is important to remark that according to IEC-61511-1, for SIL 3 applications the minimum
Hardware Fault Tolerance (HFT) required is HFT=2 for sensors, final elements and non-PE logic
solvers; however, the HFT can be reduced by one if the device is selected on the basis of prior
use. It was assumed that, based on previous operating experience with these types of valves, the
prior use clause can be applied, and consequently a 1oo2 configuration for the gate valves is
enough to achieve SIL 3, provided that the PFD of such an array is also suitable for SIL 3
requirements.
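The IEC-61508-6 equations cited for the 2oo3 and 1oo2 transmitter scenarios, the 1oo2 gate valve pair above and the HFT rule just stated can be worked through directly. What follows is an added example, not the report's Fault Tree+ model: the IEC 61508-6 Annex B simplified PFDavg equations for 1oo1, 1oo2, 2oo2 and 2oo3, the IEC 61511-1 SIL band lookup, and a minimum-HFT check with the prior-use reduction, applied to the Table #1 rates. Two inputs are the example's assumptions rather than report data: an 8 h MTTR for detected failures (borrowed from the transmitter spare-switching time) and βD = β/2 for detected common cause, which is the convention of the Annex B tables.

```python
"""
IEC 61508-6 (2000) Annex B simplified PFDavg equations for the voted
architectures this report uses (1oo1, 1oo2, 2oo2, 2oo3), the IEC 61511-1
Table 3 SIL band, and the IEC 61511-1 Table 6 HFT check with the
prior-use reduction.

Added example, not the report's Fault Tree+ model. Failure rates are the
Table 1 figures in FIT (1e-9 per hour). Assumptions not taken from the
report: MTTR = 8 h for detected failures and beta_d = beta / 2 for
detected common cause (the Annex B table convention).
"""
FIT = 1e-9
YEAR = 8760.0


def _equivalent_down_times(l_du, l_dd, ti, mttr):
    """Channel equivalent mean down times tCE and tGE (Annex B, MRT = MTTR)."""
    l_d = l_du + l_dd
    if l_d <= 0:
        raise ValueError("dangerous failure rate must be positive")
    t_ce = (l_du / l_d) * (ti / 2 + mttr) + (l_dd / l_d) * mttr
    t_ge = (l_du / l_d) * (ti / 3 + mttr) + (l_dd / l_d) * mttr
    return t_ce, t_ge


def _common_cause_term(l_du, l_dd, ti, mttr, beta, beta_d):
    """Common cause contribution shared by the 1oo2 and 2oo3 equations."""
    return beta_d * l_dd * mttr + beta * l_du * (ti / 2 + mttr)


def pfd_1oo1(l_du, l_dd, ti, mttr=8.0):
    t_ce, _ = _equivalent_down_times(l_du, l_dd, ti, mttr)
    return (l_du + l_dd) * t_ce


def pfd_2oo2(l_du, l_dd, ti, mttr=8.0):
    """Both channels must work, so either channel failing dangerously is a system failure."""
    t_ce, _ = _equivalent_down_times(l_du, l_dd, ti, mttr)
    return 2 * (l_du + l_dd) * t_ce


def pfd_1oo2(l_du, l_dd, ti, beta, mttr=8.0, beta_d=None):
    beta_d = beta / 2 if beta_d is None else beta_d
    t_ce, t_ge = _equivalent_down_times(l_du, l_dd, ti, mttr)
    independent = (1 - beta_d) * l_dd + (1 - beta) * l_du
    return (2 * independent ** 2 * t_ce * t_ge
            + _common_cause_term(l_du, l_dd, ti, mttr, beta, beta_d))


def pfd_2oo3(l_du, l_dd, ti, beta, mttr=8.0, beta_d=None):
    beta_d = beta / 2 if beta_d is None else beta_d
    t_ce, t_ge = _equivalent_down_times(l_du, l_dd, ti, mttr)
    independent = (1 - beta_d) * l_dd + (1 - beta) * l_du
    return (6 * independent ** 2 * t_ce * t_ge
            + _common_cause_term(l_du, l_dd, ti, mttr, beta, beta_d))


def sil_band(pfd_avg):
    """IEC 61511-1 Table 3 (demand mode). 0 means below SIL 1; values under
    1e-5 fall outside the table and are reported as 4 here."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


TABLE6_MIN_HFT = {1: 0, 2: 1, 3: 2}   # sensors, final elements, non-PE logic solvers


def min_hft(sil, prior_use=False):
    """Minimum HFT for the target SIL; prior-use selection relaxes it by one,
    the clause the report invokes for the 1oo2 gate valves."""
    base = TABLE6_MIN_HFT[sil]
    return max(0, base - 1) if prior_use else base


def hft_of(voting):
    """HFT of an MooN arrangement is N - M (1oo2 -> 1, 2oo3 -> 1, 2oo2 -> 0)."""
    m, n = voting.lower().split("oo")
    return int(n) - int(m)


def gate_valve_sweep(l_du=228 * FIT):
    """PFDavg of the 1oo2 gate valve pair (no diagnostics, so l_dd = 0) over
    the report's beta x TI grid; keys are (beta, years)."""
    return {(beta, yrs): pfd_1oo2(l_du, 0.0, yrs * YEAR, beta)
            for beta in (0.02, 0.10) for yrs in (1, 2)}


if __name__ == "__main__":
    print("gate valves 1oo2 with prior use: HFT %d, required %d"
          % (hft_of("1oo2"), min_hft(3, prior_use=True)))
    for (beta, yrs), pfd in sorted(gate_valve_sweep().items()):
        print(f"beta={beta:.0%} TI={yrs} yr  PFDavg={pfd:.2e}  SIL {sil_band(pfd)}")
    for name, fn in (("2oo3", pfd_2oo3), ("1oo2", pfd_1oo2)):
        print(f"PTs {name}: {fn(14 * FIT, 42 * FIT, YEAR, 0.10):.2e}")
    print(f"LS 2oo2: {pfd_2oo2(5 * FIT, 1377 * FIT, YEAR):.2e}")
```

The gate valve sweep reproduces the shape of Table #2 (PFD roughly doubling with the test interval and strongly dependent on the common cause factor) but not its figures: the Q values in Fig. #1 and Fig. #7 are unavailabilities at the end of the one-year interval rather than interval averages (the gate valve common cause branch, Q = 1.997e-4, equals 1 - exp(-2.28e-8 × 8760 h)), so for test-dominated terms the Annex B average comes out at about half of the figure's Q. For the transmitters the β·λDU term dominates both the 1oo2 and the 2oo3 result, which is why Table #2 shows identical totals for those two voting schemes.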

Sensitive information

Fig #5. Fault tree for SO-DCV assemblies.

Sensitive information

Fig #6. Fault tree for DCV assemblies.


Fig #7. Fault tree for gate valves (one year test interval). Top event "Gate valves fail to close
on demand" (GATE VALVES FAILS): Q=2.029e-4, w=2.351e-8, an OR gate over:
- Gate valves 1 & 2 fail to close on demand (GATE 1 & 2, AND gate): Q=3.151e-6, w=7.147e-10
  - Gate valve 1 fail to close on demand (GATE VALVE 1): Q=1.775e-3, w=2.013e-7
  - Gate valve 2 fail to close on demand (GATE VALVE 2): Q=1.775e-3, w=2.013e-7
- Gate valves common cause (COMMON CAUSE): r=2.28e-8, Q=1.997e-4, w=2.280e-8


DATA BASE

This section includes the data base used to perform the SIL verification.

Table #1 summarizes the performance figures used for each component during this study.

Table #1. Failure rate data.

Device              | Data source  | λS (FIT) | λDD (FIT) | λDU (FIT) | SFF (%) | β (%) | MAX SIL (HFT=0) | Comment
Pressure transducer | Exida FMEDA  | 0        | 42        | 14        | 77      | 10    | 2               | (a)
LS controller       | Manufacturer | 1,676    | 1,377     | 5         | 99.8    | 2     | 3               | (b)
SO DCV              | The Client   | 5,838    | --        | 721       | 89      | 10    | 1               | (c)
DCV (1/2" valves)   | The Client   | 63,025   | --        | 4,743     | 93      | 10    | 1               | (d)
Gate valves         | The Client   | 4,337    | --        | 228       | 95      | 10    | 1               | (e)

(a) Fail high and fail low are detected by the LS controller and are therefore categorized as
dangerous detected failures. Failures with no effect on safety are not considered in the model.
(b) The failure rates given include the input channels, CPU and output channels.
(c) As the SO-DCV has no intrinsic diagnostic mechanism, all failures are considered undetected.
The failure rates include the solenoid part.
(d) As the DCV has no intrinsic diagnostic mechanism, all failures are considered undetected.
(e) As the gate valves have no intrinsic diagnostic mechanism, all failures are considered
undetected.


Terms used in table #1:

λS: Safe failure rate in FITs
λDD: Dangerous detected failure rate in FITs
λDU: Dangerous undetected failure rate in FITs
SFF: Safe Failure Fraction
β: Common cause factor applied to dangerous undetected failures. As previously mentioned, to
take into account the potential common cause failures posed by the use of identical redundant
elements, a conservative value of 10% was used for all components except the logic solver.
MAX SIL: Maximum SIL achievable for the device in a configuration with zero Hardware Fault
Tolerance (HFT = 0), according to IEC-61511-1 Table 6. This is the SIL achievable for the
device in simplex configuration (1oo1).

STUDY RESULTS

Two scenarios with different combinations of parameters were evaluated. As the common cause
factor is a very sensitive parameter for redundant systems, the performance was evaluated with the
common cause factor for undetected dangerous failures of all redundant components set to 2% and
to 10% (except for the LS controller, where 2% was always assumed, as this is a TUV certified
system).

For each scenario, test intervals of one year and two years were evaluated, as was the impact of
the pressure transmitter voting scheme on the PFD. For the scenarios with 2oo3 and 1oo2 voting of
pressure transmitters, it was assumed that no active spares were available (worst case scenario).
Table #2 summarizes the study results obtained for the different scenarios evaluated.


Table #2. PFD and SIL results for scenarios evaluated

Scenario | β   | Test interval | PTs voting            | PFD    | SIL
1        | 2%  | 1 yr          | 4 active PTs (Note 1) | 1.3E-4 | 3
1        | 2%  | 1 yr          | 2oo3                  | 1.4E-4 | 3
1        | 2%  | 1 yr          | 1oo2                  | 1.4E-4 | 3
1        | 2%  | 2 yr          | 4 active PTs (Note 1) | 3.2E-4 | 3
1        | 2%  | 2 yr          | 2oo3                  | 3.4E-4 | 3
1        | 2%  | 2 yr          | 1oo2                  | 3.4E-4 | 3
2        | 10% | 1 yr          | 4 active PTs (Note 1) | 3.2E-4 | 3
2        | 10% | 1 yr          | 2oo3                  | 3.5E-4 | 3
2        | 10% | 1 yr          | 1oo2                  | 3.5E-4 | 3
2        | 10% | 2 yr          | 4 active PTs (Note 1) | 7.6E-4 | 3
2        | 10% | 2 yr          | 2oo3                  | 8.4E-4 | 3
2        | 10% | 2 yr          | 1oo2                  | 8.4E-4 | 3

Note 1: Voting performed as per functional description.

The relative importance of each sub-system's contribution to the total PFD was also calculated.

Figure #8 shows the relative contribution of each sub-system for scenario 2, 1 yr test interval
and 4 active PTs.

Figure #9 shows the relative contribution of each sub-system for scenario 2, 1 yr test interval
and 2oo3 voting of pressure transmitters (worst case scenario).


Fig #8. Relative contribution of each sub-system to the total PFD for scenario 2 (1yr, 4 active
PTs).


Fig #9. Relative contribution of each sub-system to the total PFD for scenario 2 (2yr, 2oo3).


RESULTS ANALYSIS, CONCLUSIONS AND RECOMMENDATIONS

1. It was found that the Safety Instrumented Function (SIF) performed by the proposed HIPPS
configuration is suitable to achieve SIL 3 if operated and maintained as per the Functional
Design Specification with a functional test interval (TI) of one year (full stroke test).
2. A SIL 3 level of performance can also be achieved with a two year test interval and 2oo3
voting of the pressure transmitters (no spares available); however, this mode of operation is
not recommended, since the PFD (8.4E-4 with 10% common cause) is close to the SIL 3 limit of
1E-3.
3. The gate valves are the components with the largest contribution to the total PFD; therefore,
it is recommended to evaluate the performance of these valves through the system life cycle, and
to track and record their failure rates and failure modes and compare them with the values used
for this verification.
4. System performance is very sensitive to common cause failures. The value of 10% used for this
study is quite conservative; however, common cause failures must be tracked during the system
life cycle to validate the value assumed.
5. Even though SIL 3 can be achieved with a two year test interval, given the typical uncertainty
of the failure rate data used, it is recommended that neither the manual test interval nor the
repair of damaged components be extended beyond one year.


APPENDIX 1:

Markov Model for Pressure Transmitters


Markov model for pressure transmitters (same diagram as Fig. #2). Initial state OK (Pi=1.000);
all other states (One undetected fail, 2oo3, 1oo2, 2 DU same band 1B, 2 DU same band 2B,
2oo3 with 2 bad, 1oo2 with 2DU, 2oo3 with 3 bad, Four PT Bad) start with Pi=0.000.


State Definition.

State                  | Description
OK (Initial state)     | Four transmitters selected, 2 spares available, all transmitters reading within the band.
One undetected failure | One transmitter has failed and the failure is not detected by the diagnostic, for example a zero or span error within the band limits.
2oo3                   | One detected failure: 3 PTs inside the band, 1 outside the band. The system is operating in 2oo3 mode. The probability of being in this state is multiplied by the probability of failure of 2oo3 voting from the IEC-61508 standard equations.
1oo2                   | Two transmitters have failed and the failures were detected by the diagnostic.
2 DU same band 2B      | Sensitive information
2 DU same band 1B      | Sensitive information
2oo3 with 2 bad        | Four transmitters have failed in an undetected way. In this state the system will fail on demand (unavailable state).
1oo2 with 2DU          | The system is performing 1oo2 voting with two undetected bad transmitters. In this state the system will fail on demand (unavailable state).
2oo3 with 3 bad        | The system is working in 2oo3 mode and all transmitters have failed undetected. In this state the system will fail on demand (unavailable state).
Four PT bad            | The system is working in 2oo3 mode and all transmitters have failed undetected. In this state the system will fail on demand (unavailable state).


Failure and repair rate definitions.

Rates used in the model:
- Transmitter dangerous undetected failure rate.
- Transmitter dangerous failure rate (detected plus undetected).
- Transmitter dangerous detected failure rate (transmitter output goes either to high (20 mA)
or low (4 mA) scale).
- Dangerous undetected failure rate due to common causes.
- Transmitter safe plus dangerous detected failure rate due to common causes.
- Transmitter repair rate. It was assumed that when two or fewer transmitters have failed and the
failure was detected, the failed transmitters are taken out of service and one healthy spare
transmitter is selected. The time taken by the operator to perform the online spare switching was
assumed to be no more than 8 hours.

The failure rates were taken from the FMEDA report performed by Exida on the pressure
transmitters.
