Yokogawa TUV Rheinland Functional Safety Program
Safety Instrumented Systems: FS Engineer Course

Provider: Yokogawa's Safety Expertise Group (Functional Safety Expertise Team), fully independent from project execution.

TUV Rheinland / Yokogawa rules for examination (1)
The applicant needs to have at least 3 years of experience in functional safety and must have a Master's or Bachelor's degree in Engineering, or he must have achieved responsibilities equivalent to the engineer level (status certified by employer).
To prepare for the examination the applicant has to attend the training "Functional Safety Engineer". He will receive training material at the start of the training, including hand-outs of the PowerPoint presentation and the exercise sheets.
The examination consists of 60 multiple choice questions and 7 cases. Multiple choice questions may have 1 or 2 (never 3) correct answers. Each correct answer is 1 point. They will be handed out at the start of the examination. The examination will take 4 hours. Applicants may leave if they have finished.
It is not allowed to bring any documents or PC to the exam, or to take any documents or notes from the exam.
The examination results will be checked by two safety experts of Yokogawa. To succeed the applicant has to earn 75% of all achievable points.

TUV Rheinland / Yokogawa rules for examination (2)
Discussion regarding the result of the examination is not possible. A countercheck will be done by TUV Rheinland. Applicants who succeed will receive their certificate from TUV Rheinland; this will take some weeks.
If you fail the exam there are 2 possibilities:
- Start from scratch and participate in a new training
- Enter a new examination without renewed training

The certificate (PDF)
On your business card: Thomas Thomasson, FS Engineer (TUV Rheinland)
The certificate is valid for 5 years. To prolong a certificate a written proof is necessary, with a recent case study.
Contact via Veronica.Gras@de.tuy.com

Organization of the training
- Day 1 morning (3 hours)
- Day 1 afternoon (3 hours)
- Day 2 morning (3 hours)
- Day 2 afternoon (3 hours)
- Day 3 morning (3 hours)
- Day 3 afternoon: session for your questions (3 hours)
- Day 4 morning: examination (4 hours maximum)

Module 1: Introduction to Functional Safety

What is safety?
- Safety: "Freedom from unacceptable risk" (IEC 61508 / IEC 61511)
- Risk: "Combination of the frequency of occurrence of harm and the severity of that harm" (IEC 61508 / IEC 61511)
- Functional Safety: "part of safety that depends on safety functions implemented in a safety system"

Fatality Rates Per Year
[Table: fatality rates per year by occupation (staying at home, chemical industry, construction, mining (coal), nuclear, clothing / textiles, electrical engineering, shipping, all accidents), by mode of travel (air (scheduled), train, bus, car, motorcycle), for involuntary risks (earthquake in California, run over, leukaemia, influenza, cancer, fire, poison, natural disasters (general), all accidents) and for voluntary risks (football, car racing, rock climbing, drowning)]

(Un)acceptable risk
- Intolerable region (high risk): above 10^-3 per year for workers, above 10^-4 per year for the public
- Tolerable region: risk reduction required
- Broadly acceptable region (negligible risk): below 10^-6 per year
Risk reduction means reducing the frequency and/or the consequences.

What has to be protected?

What is a safety system?
A safety system is an independent system that leads to a predetermined safe state in case the process runs out of control.

End-user and Safety
- What do I need a Safety System for?
- There has never been an accident!
- It just costs money.
- What's my Return on Investment?
Bhopal, December 1984
- Union Carbide factory for pesticides, in operation since the 1970s
- India a huge market, but no money
- Losses, and production stopped in the early 1980s
- Large quantities of dangerous chemicals remained
- The safety system was allowed to fall into disrepair
- During maintenance water flowed freely into a large tank of MIC (methyl isocyanate) -> explosion with a deadly cloud over Bhopal

Chernobyl Nuclear Power Plant, April 1986
- During shutdown a safety experiment with one of the four reactors (to see if there was enough electrical power to operate the emergency equipment and core cooling pumps until the diesel power supply came online)
- 6 - 8 control rods were used during the test instead of the required minimum of 30 rods to retain control
- The test was carried out with poor information exchange between the test team and the operators
- The emergency cooling system was disabled, shutdown signals blocked and warnings ignored (the last one less than a minute before the explosion)

Operator's View
What do you do? Pump A pumping oil has tripped, cause unknown. You switch to Pump B. That also trips, cause unknown. Soon hundreds of alarms are going off, cause unknown. Within minutes you have an explosion and a fire. It is 10:00 at night. The plant manager is in Aberdeen, Scotland, and not available. You are on top of an off-shore oil platform in the middle of the North Sea.

Piper Alpha platform, July 1988
- 24 oil wells, 2 gas wells
- Oil pipeline to one, gas pipelines to two other platforms
- Occidental Petroleum: about 5.5 million € per day from Piper Alpha
- Safety valve of a condensate pump removed for overhaul and maintenance.
The pump itself was pressurized after maintenance -> leak.

Piper Alpha platform, July 1988
- Panic and confusion; many workers new, no emergency training. No evacuation drill for more than 3 years.
- No protection of the accommodation area
- Bad communications: two other rigs kept pumping oil for more than an hour
- Many workers jumped 50 m down into the sea, which was on fire. Others stayed on the platform and suffocated.

History of functional safety standards
Accidents lead to laws and legislation, and laws and legislation lead to standards.

Laws and legislation
Europe
- Seveso III requires local laws in each country, e.g. in the UK: Control of Major Accident Hazards Regulations
- IEC 61508 / 61511 (ratified by CENELEC): not a law, but often required to show compliance with the law, e.g. in the UK: Health and Safety at Work Regulations
USA
- EPA (Environmental Protection Agency) 40 CFR part 68
- OSHA (Occupational Safety and Health Administration) § 1910.119
- ANSI/ISA 84.00.01 is considered good engineering practice
Australia
- Safety in the workplace is governed by the WHS Act 2011. While different states have differing legislation, it is necessary to comply with the standards to show compliance with the law.

Big Ones
- Mina Al-Ahmadi Refinery, KPCL, Kuwait, June 2000
- Petrobras, Brazil, March 2001
- Ammonium nitrate explosion in Toulouse, France, September 2001

Or more recent
- 2005.03.23 Texas City, TX, BP refinery
- 2005.12.11 Buncefield, Hemel Hempstead

From the Internet ...... (1)
- 07.10 Canada 050710-04 Sarnia, Ontario. Suncor Energy Products Inc. A fire broke out but was contained to a process heater in the refinery's naphtha pre-treating unit.
- 07.10 Japan 050710-05 Ehime Prefecture, on the island of Shikoku. Shikoku Electric Power Co Inc. The Ikata Nuclear Power Plant experienced a vapour leak, but the leak was contained and there was no danger of radiation escaping.
- 07.12 USA 050712-06-A Naturita, CO. EnCana Oil & Gas.
A natural gas well about 30 km (20 miles) west of Naturita leaked, sending gas into the air over southern Colorado, prompting flight restrictions and forcing EnCana to evacuate some of its employees from the area.
- 07.12 USA 050712-07 Gulf of Mexico. BP. BP reported that its Thunder Horse oil platform, one of its largest under development, was listing after Hurricane Dennis battered the Gulf of Mexico.
- 07.12 USA 050712-09 Ponder, Denton County, TX. Lightning apparently struck a tank at a gas well, starting a fire.

From the Internet ...... (2)
- 07.12 USA 050712-13-A North Slope, AK. ConocoPhillips Alaska Inc. A leaky well casing reportedly caused a spill of about 4,000 litres (1,050 US gallons) of diesel fuel and an unknown amount of salty produced water at the Kuparuk oil field.
- 07.12 USA 050712-14 Fort Atkinson, WI. NASCO. According to the Fort Atkinson Fire Chief, petroleum-based products fuelled a fire that destroyed one of two main buildings at a plastics manufacturing plant.
- 07.13 USA 050713-05 Commerce City, CO. Suncor Energy USA. A gasoline leak in an underground pipeline forced the evacuation of a refinery and a wastewater treatment plant.
- 07.13 Mexico 050713-12 Gulf coast port of Coatzacoalcos, in eastern Veracruz state. Pemex. Mexico's state-owned oil company, Pemex, said two researchers were killed in a pipeline explosion.

From the Internet ...... (3)
- 07.14 China 050714-08 Taiyuan, Shanxi Province. Two people were killed in an oil tanker explosion in a suburban village.
- 07.14 Norway 050714-11 Oslo. Shell. The E18, the main highway leading to Oslo from the west, was closed to all traffic for nearly eight hours after an explosion at a Shell gas station.
- 07.14 Netherlands 050714-14 Pernis, Rotterdam. Royal Dutch/Shell. The 416,000 bpd Pernis refinery, the largest in Europe and one of the biggest in the world, shut down at 11.00 because of a power outage.
- 07.15 USA 050715-03 Pearland, Brazoria County, TX. A fuel tank caught fire and exploded, possibly after being struck by lightning.
- 07.15 USA 050715-08 Brownsville, TX. Texas Gas Co. A gas leak prompted street closures around the Port of Brownsville, but did not pose any health dangers.
67 incidents in 1 week; this selection (petroleum / gas / oil): 14 incidents.

Causes of Accidents
26% equipment failures (including ESD system: 8). Source: TNO investigation of 216 accidents.

Some definitions
- EUC = Equipment Under Control: the industrial process. If something runs out of control, a dangerous situation can arise: a demand for a protective action.
- Demand rate: frequency (how many times per how many years)
- Consequences: how serious (how much money, how many injuries, how many fatalities)
- Process risk: the combination of demand rate and consequences

Process risk and risk reduction: reduce the frequency (e.g. by a trip function) and/or the consequences (e.g. by a relief valve).

Layers of protection: the place of the SIS in the protection layers around the process.

Differences Control System / Safety System
- Failure mode prediction
- Flexibility, repair and maintenance
- Test strategy
Largest difference: a control system runs 24 / 7 (hours per day / days per week); a safety system is always on hot standby ("sleeping").

Failure Mode Prediction
Control systems:
- No guarantee on the state of outputs during a failure of the control system; most likely the outputs are on hold
Safety Instrumented Systems:
- Predictable state of the outputs on any revealed failure in the system
- Fail safe design

Flexibility, Repair and Maintenance
Control systems:
- High flexibility needed to develop and maintain (complex) control and automation applications
- Improvements or changes in the configuration, but also repairs, are mainly implemented on-line
- Accepted risk of plant disturbance in order to avoid a maintenance shut-down of the plant
Safety Instrumented Systems (SIS):
- Fixed functionality, carefully minimized during design
- No modification of safeguarding functionality in a running plant (BUT: rigid procedures to make any change)
- Limited possibilities to repair the hardware while the plant is running

Test Strategy
Control systems:
- No need to test the control system regularly, except for some back-up / redundant parts
Safety Instrumented Systems:
- Explicit procedure and strategy to test for unrevealed failures of instrumented protective functions
- Automatic tests (intended to reduce the risk of unrevealed failures): line monitoring, partial stroke testing
Of course: if you don't have the tests, the unrevealed failures increase, which has an effect on safety.

[Figure: process parameter range]

End of Module 1 - Questions
1) What is safety?
2) Name three characteristics of a safety system
3) How can one reduce the risk?
4) What is a demand?
5) What is the main difference between a control system and a safety system?

Module 2: The IEC 61508 / 61511 Standard
- IEC 61508 Ed 2, parts 1 - 7 (May 2010): functional safety of electrical / electronic / programmable electronic safety-related systems; a generic standard (much attention for development)
- IEC 61511 Ed 2, parts 1 - 3 (2016) (ISA 84.00.01 is identical): functional safety for the process industry (much attention for the application)

The continuing story
IEC 61508 (E/E/PE generic standard) is the basis for the sector standards: IEC 62061 (machinery), EN 50128 (railway), IEC 61513 (nuclear), IEC 61511 / ISA 84.00.01 (process), IEC 60079-29-1 and EN 50402 (gas detection), ISO 17894 (marine).
5 most significant aspects of IEC 61508 / 61511
- The Safety Lifecycle
- The "pipe-to-pipe" approach
- The quantitative safety assessment
- The hardware fault tolerance
- The Functional Safety Management System

Overall Safety Lifecycle
[Figure: overall safety lifecycle (source: IEC 61508-1, figure 2); some phases maybe with support from a 3rd party]

Pipe to pipe
Sensor(s) -> input interface -> logic solver (protection logic) -> output interface -> final element(s).
SIF = Safety Instrumented Function: the complete loop, from pipe to pipe.

Quantitative Assessment
- The safety requirement for a complete safety loop (SIF) is expressed as a Safety Integrity Level (SIL)
- For each SIF the target SIL must be determined
- For low demand applications: target SIL -> maximum average Probability of Failure on Demand (PFDavg) for the SIF (table 2)
- For high demand or continuous mode applications: target SIL -> maximum Probability of dangerous Failure per Hour (PFH) for the SIF (table 3)

SIL, PFDavg and Risk Reduction (IEC 61508-1, table 2)
For low demand rate (less than once per year):
SIL 4: 10^-5 <= PFDavg < 10^-4, RRF > 10 000 to 100 000
SIL 3: 10^-4 <= PFDavg < 10^-3, RRF > 1 000 to 10 000
SIL 2: 10^-3 <= PFDavg < 10^-2, RRF > 100 to 1 000
SIL 1: 10^-2 <= PFDavg < 10^-1, RRF > 10 to 100
Below SIL 1: no safety requirements.
Examples: emergency shutdown systems, emergency brake of a train, airbag.

SIL and PFH (IEC 61508-1, table 3)
And of course: PFH = Probability of (dangerous) Failure per Hour.
For high demand rate (more than once per year) and continuous mode:
SIL 4: 10^-9 <= PFH < 10^-8
SIL 3: 10^-8 <= PFH < 10^-7
SIL 2: 10^-7 <= PFH < 10^-6
SIL 1: 10^-6 <= PFH < 10^-5
Note: 1 year = 8760 hours, approximately a factor 10^4.
Examples: machinery, ABS.

Hardware fault tolerance
The target SIL indicates the maximum PFDavg, but, depending on the type and quality of the devices used, double / triple devices (1oo2, 1oo3) might also be required. There are tables in both standards.

Hardware fault tolerance tables
[Table: minimum hardware fault tolerance per SIL, from IEC 61508 and IEC 61511]

Functional Safety Management System
Most important for safety projects is to make sure that all steps of the lifecycle are really executed. For this there is a special quality system, the Functional Safety Management (FSM). You may think of it as a "super ISO 9000".
WHY? Functional Safety Management aims to reduce or avoid systematic failures and consequently increase the systematic safety integrity.
- Employ competent personnel
- Plan the actions and execute them
- Use adequate procedures, tools and templates
- Verify / review thoroughly by another person
- Verify / test thoroughly by another person
- Record and document the plan and the execution of all steps
- Validate
This applies to the end-user, the contractor and the SIS supplier.

Functional Safety Management System
Yokogawa realised that FSM is very close to a "super ISO 9000" and integrated the extras in the standard quality system. After that they asked TUV to check whether this resulted in a Functional Safety Management System according to IEC 61508 and IEC 61511. TUV has now approved this for Amersfoort, Bucharest, Kuala Lumpur, Bangalore, Singapore and Bahrain.

End of Module 2 - Questions:
1) What are the 5 main aspects of IEC 61508 and IEC 61511?
2) For SIL 2, what is the maximum PFDavg? What is the RRF?
3) What is the main difference between IEC 61508 and IEC 61511?
4) What does FSM imply?
5) What is a SIF?

Module 3: HAZARD, SIF, SIL
- Hazard identification
- Layers of protection
- Find the SIFs
- Determine the SIL
What are the hazards??? No method is prescribed. The general method: HAZOP.
HAZard and OPerability study

HAZOP work method
Team effort: facilitator (chairman / secretary), process engineer and other disciplines; the subject is the hazardous situation to be protected against.

Characteristics of the HAZOP method
- Systematic hazard identification method for processes
- Widespread use in industry and with engineering contractors
- Form: team brainstorm sessions
- Basis: P&ID drawing
- Done in a systematic way: each pipeline, vessel, etc. has to be considered in turn
- Use of guide words (ICI method)
Results:
- Overview of all possible unwanted disturbances
- Document the results of the HAZOP and justify the safety functions
- Determine what safeguards are already in place
- Action planning for improvements of the process or required clarifications

HAZOP Method
Preparation:
- Collect all information (P&ID, process description); check whether the information is up to date!
- Split the process into "functional nodes" and indicate the intention of each function
During the sessions:
- One of the team members briefly explains each node before the analysis starts
- The chairman starts to use the relevant guide words (High, Low etc.) for all relevant parameters (Temperature, Pressure etc.)
- Possible applicable safety functions such as relief valves and sensors / safety valves can already be proposed by the process engineers, but have to be examined and justified fully

HAZOP procedure
Guide words: High, Low, More, Less, Partly, As well as, Reverse, Other than.
For each identified hazard, determine the sensors and final elements -> SIF.

Layers of protection: onion model
[Figure: layers of protection around the process]

Exercise: 2-phase separator
[Cause & Effect matrix: causes PZA-001, LZA-001, LZA-002 and HZ-001 against the ESD actions on the gas and liquid outlets]

SIL Classification Methodology
Team: facilitator (chairman / secretary), process engineer, instrumentation engineer, operations / maintenance engineer, safety engineer, rotating equipment engineer (part-time). Input from the HAZOP: the hazardous situation to be protected against and the SIF.
- SIF description
- Most likely initiating events and their frequency
- Other protection layers (not the SIF under SIL classification)
SIL Classification: Risk Assessment
- Narrative describing the failure on demand -> hazardous event
- Consequence severity: personal safety, environment, economics

Determine target SIL (IEC 61508 part 5 and IEC 61511 part 3)
- As Low As Reasonably Practicable (ALARP)
- Risk Graph
- Risk Matrix
- Event Tree Analysis (ETA)
- Layers Of Protection Analysis (LOPA)

As Low As Reasonably Practicable
For industrial risks, determine whether
a) the risk is so great that it must be refused altogether
b) the risk is, or has been made, so small that it is negligible
c) the risk falls between the two states specified in a) and b) and has been reduced to a level which is "As Low As Reasonably Practicable"
ALARP principle interpretation: unacceptable region, tolerable region, broadly acceptable region.

Risk Graph (determination of SIL)
C Consequence of hazard: CA minor injury; CB serious injury, death of one person; CC death of several persons; CD very many people killed
F Frequency of exposure to hazard: FA rare to more often; FB frequent to permanent
P Possibility to avoid the hazard: PA possible; PB almost impossible
W Probability of occurrence of the hazard: W1 very low; W2 low; W3 high
Outcomes: "--" no safety requirements; "a" no special safety requirements; "b" a single E/E/PES is not sufficient; 1 - 4 Safety Integrity Level
Examples: 1. Unmanned installation => SIL 1. 2. Manned installation => SIL 3.

Risk Matrix
[Table: risk matrix of consequence severity (slight injury / slight damage / slight effect, minor, ...) against likelihood; exercise to follow later]

Event Tree Analysis
1. Estimate expected hazard frequencies
2. Determine consequences -> maximum allowed frequency
3. Determine expected event frequency
4. Missing part (if any) gives the target SIL of an SIF
Event Tree Analysis: example rule-set
Occurrence -> frequency:
- once in 100 years: 0.01 /yr
- once in 1 000 years: 0.001 /yr
- once in 10 000 years: 0.0001 /yr
- once in 100 000 years: 0.00001 /yr
Consequence: 1 fatality -> max freq = 0.0001 /yr

ETA: determine frequency of occurrences
You calculate with frequency (per year) or probability (no dimension).
- AND gate: both hazards must be present at the same time -> multiplication: P = P1 x P2
- OR gate: each hazard is bad in itself -> addition: P = P1 + P2
Note: you cannot add a frequency and a probability.

Event Tree Analysis: an example
Gas leakage (0.1 per year) AND an ignition source -> possible explosion. The ignition source is an electrical fault (P1 = 0.1) OR a spark from welding (P2 = 0.5), so the event frequency = gas leakage frequency x (P1 + P2).

Event Tree Analysis: an example
Missing part (if any) gives the target SIL of an SIF.
We selected the max allowed frequency: 1 fatality -> max freq = 0.0001 /yr
Calculated frequency = 0.06 /yr
Missing: 0.06 / 0.0001 = 600 -> SIL 2

Layers Of Protection Analysis
1. Determine expected hazard likelihood
2. Determine consequences -> maximum allowed likelihood
3. Determine risk reduction achieved by known protection layers
4. Determine intermediate event likelihood
5. Missing risk reduction (if any) gives the target SIL of an SIF

An example of the rule-set for a LOPA (1), (2), (3)
[Tables: initiating event likelihoods, protection layer PFDs, consequence categories]

Layers Of Protection Analysis
1. Determine expected hazard likelihood, e.g. once every 5 years. From the HAZOP: impact event: explosion of vessel; initiating cause: high pressure; initiating likelihood: 0.2 /yr.
2. Determine consequences:
corporate risk acceptance criteria give the maximum allowed (target mitigated event) likelihood per consequence category, e.g. 0.01 /yr, 0.001 /yr, 0.0001 /yr or 0.00001 /yr.
3. Determine the risk reduction achieved by known protection layers: [Table: layers of protection with their PFD]
4. From the HAZOP: impact event (explosion), initiating cause, initiating likelihood (0.2 /yr), protection layers with their PFD (alarm / operator, restricted access, relief valve) -> intermediate event likelihood (IEL).
5. Determine the missing risk reduction (if any): multiply the initiating likelihood by the PFDs of the protection layers to get the IEL. If IEL <= TMEL: no additional risk reduction necessary. Else: additional risk reduction = IEL / TMEL; target SIL from the table.

EXERCISE
[Table: consequence categories for health and safety, economics (losses), environmental effect and demand rate]

Health and Safety Consequences
- Slight injury: first aid case and medical treatment case. Not affecting work performance or causing disability.
- Minor injury: lost time injury. Affecting work performance, such as restriction to activities or a need to take a few days to fully recover (maximum one week).

Economic Losses
- Slight damage: no disruption to operation, <= 10 k€
- Minor damage: brief disruption, 10 k€ - 100 k€

Environmental Consequences
- Slight effect: local environmental damage, within the fence and within systems. Negligible financial consequences.
- Minor effect: contamination; damage sufficiently large to attack the environment; no permanent effect on the environment.

SIFs with their SIL

HAZOP, SIF, SIL
- Know your risks -> HAZOP
- Define your SIFs
- Determine the SIL for each SIF -> risk analysis
- Document all safety relevant requirements (SRS: safety requirement specification)

End of Module 3 - Questions:
1) How are the SIFs of a process determined?
2) Which methods do you know to determine the target SIL?
3) Which method is required by the standards?

Module 4: Engineering
Engineering solutions
- Principles: DTS / ETS
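The SIL tables of Module 2 and the ETA and LOPA procedures above are easy to get wrong by hand (adding a frequency to a probability, or reading a band boundary the wrong way). The following Python is an added example, not part of the Yokogawa / TUV Rheinland course material: it encodes the IEC 61508-1 table 2 and table 3 bands quoted on the slides, the ETA rule-set (AND gate multiplies, OR gate adds) and the LOPA steps 1 to 5. The gas-leakage numbers are the slides' worked example; the LOPA layer names and PFDs are constructed sample values.

```python
# Added example (not course material): target-SIL determination with the
# ETA rule-set and the LOPA procedure from the slides.

# IEC 61508-1 table 2 (low demand): SIL -> [lower, upper) band of PFDavg.
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# IEC 61508-1 table 3 (high demand / continuous): SIL -> [lower, upper) band of PFH.
SIL_PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def sil_from_band(value, bands):
    """Return the SIL whose band contains `value`; 0 means no safety requirement."""
    for sil, (lower, upper) in bands.items():
        if lower <= value < upper:
            return sil
    if value >= bands[1][1]:
        return 0
    raise ValueError("better than SIL 4: not achievable with a single SIF")


def sil_from_pfd(pfd_avg):
    return sil_from_band(pfd_avg, SIL_PFD_BANDS)


def sil_from_pfh(pfh):
    return sil_from_band(pfh, SIL_PFH_BANDS)


def sil_from_rrf(rrf):
    """Required risk reduction factor -> target SIL (RRF = 1 / PFDavg)."""
    if rrf <= 1.0:
        return 0                     # risk already acceptable, no SIF needed
    return sil_from_pfd(1.0 / rrf)


# ETA rule-set from the slides: AND gate multiplies, OR gate adds.
def and_gate(*probabilities):
    result = 1.0
    for p in probabilities:
        result *= p
    return result


def or_gate(*probabilities):
    # The slides' rule-set simply adds; that is only a good approximation for
    # small probabilities, so the result is capped at 1.
    return min(1.0, sum(probabilities))


def eta_target_sil(hazard_freq_per_year, ignition_probabilities, max_freq_per_year):
    """Slide example: gas leakage AND (electrical fault OR welding spark)."""
    event_freq = and_gate(hazard_freq_per_year, or_gate(*ignition_probabilities))
    if event_freq <= max_freq_per_year:
        return event_freq, 1.0, 0
    rrf = event_freq / max_freq_per_year          # the "missing part"
    return event_freq, rrf, sil_from_rrf(rrf)


def lopa_target_sil(initiating_freq_per_year, layer_pfds, tmel_per_year):
    """LOPA steps 1-5: IEL = initiating likelihood x product of the layers' PFDs."""
    iel = and_gate(initiating_freq_per_year, *layer_pfds.values())
    if iel <= tmel_per_year:
        return iel, 1.0, 0                          # no additional risk reduction
    rrf = iel / tmel_per_year                        # additional risk reduction
    return iel, rrf, sil_from_rrf(rrf)


if __name__ == "__main__":
    # Slide example: leak 0.1 /yr, electrical fault 0.1, welding spark 0.5,
    # 1 fatality -> max freq 0.0001 /yr.
    print(eta_target_sil(0.1, [0.1, 0.5], 1e-4))    # approx. (0.06, 600, 2)
    # Constructed LOPA: initiating event once every 5 years (0.2 /yr), two
    # layers with constructed PFDs, TMEL 0.0001 /yr.
    layers = {"alarm + operator response": 0.1, "relief valve": 0.1}
    print(lopa_target_sil(0.2, layers, 1e-4))        # approx. (0.002, 20, 1)
```

The band lookup uses half-open intervals exactly as the standard's tables do, so an RRF of exactly 100 lands in SIL 1, not SIL 2; that boundary is a frequent source of disagreement in SIL classification sessions.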
- Redundancy
- Architectures

De-energized To Safe (DTS / ESD, trip)
[Figures: DTS and ETS principles on a process pipe, with the PFD of each element]

Reliability Block Diagrams [2]
Example 1: Consider a SIF with a sensor and a valve. To have success (the SIF will work) all elements have to work. The RBD notation is sensor, logic solver and valve in series. The overall PFD is: PFD_sensor + PFD_logic solver + PFD_valve.

Reliability Block Diagrams [3]
Example 2: Consider two elements that are voted, e.g. 1oo2. To have success (this part of the SIF will work) one of the two elements has to work. The RBD notation is two parallel elements. The overall PFD is PFD_A x PFD_B. Advantage: you can easily see the Hardware Fault Tolerance (HFT = 1).

Reliability Block Diagrams [4]
Example 3: Consider two elements that are voted, e.g. 2oo2. To have success (this part of the SIF will work) both of the two elements have to work. The RBD notation is two serial elements. The overall PFD is PFD_A + PFD_B, and HFT = 0.

Reliability Block Diagrams [5]
Example 4: Consider three elements that are voted 2oo3. This kind of voting is used to increase both safety integrity and availability. The RBD notation is three times two parallel elements. The overall PFD is PFD_A x PFD_B + PFD_A x PFD_C + PFD_B x PFD_C. Again you can see that HFT = 1.

Why Reliability Block Diagrams
In the above examples there is no real need to use RBD. However, in very complex SIFs RBD modelling can support a proper PFDavg calculation. Example: for the overall PFDavg calculation 11 separate calculations were executed.

Redundancy for sensors (1), (2)
[Figures: logic notation (PLC program) and reliability block diagram; sensors voted 2oo3]

Redundancy for final elements (1), (2), (3)
[Figures: safe (de-energized) position of the final elements; reliability block diagram]
[Figures: two sets of series valves in parallel; two valves in parallel (blowdown valves)]

Sensor validation
- With one sensor: just accept the value.
- With two sensors we can compare the values and, based on the difference, "validate" the measured value (or generate an error message).
- Of course it is also possible to compare sensors in the DCS with sensors in the SIS.
- One may claim additional diagnostic coverage for the sensor if a deviation alarm is used.
- Examples: SLS program, Shell MVC, specific voters in PLC programs.

Sensor out of range
If a sensor is out of range we can either simply consider this a trip condition, or we can try to avoid a nuisance trip. In the latter case an alarm must be placed (and handled, of course) and the sensor can be "ignored" (for example go from 2oo3 to 1oo2). This is not a diagnostic; it is only for availability.

Partial stroke test
By moving the valve from fully open to partly closed and analysing the results (used force, time spent etc.) we can detect errors. Because we do not fully close the valve it is not a complete test, but it is also not a disruption of the process. It is a periodic test in which not all errors (failures) are detected. A coverage factor must be defined (by the end-user or the manufacturer of the valve). This can be used to calculate the effect of the PST on the PFDavg. Sometimes users consider the PST to be a diagnostic test and change the failure rate of the valve with the coverage factor. This is not in line with the IEC 61508 standard.

Selection of hardware (1)
Pipe to pipe: sensor(s), logic solver (protection logic), final element(s).
SIL -> PFDavg target for the SIF:
PFDavg,SIF = PFDavg,sensors + PFDavg,logic solver + PFDavg,final elements

Selection of hardware (2)
Pipe to pipe: PFDavg,SIF = PFDavg,sensors + PFDavg,logic solver + PFDavg,final
elements. Including the interfaces: PFDavg,SIF = PFDavg,sensors + PFDavg,isolators + PFDavg,logic solver + PFDavg,isolators + PFDavg,final elements.
Try to get hardware with certificates or FMEA (*) reports. Check the PFD. Many times the isolator destroys the SIL!
Of course there are the normal selection criteria such as voltage, current, temperature, humidity, mounting, etc.
(*) FMEA = Failure Modes and Effects Analysis

Selection of hardware (3)
Pipe to pipe: SIL budget!!!! The slide splits the PFDavg budget of the SIF as 35% / 15% / 50%, in pipe-to-pipe order: sensors, logic solver, final elements.

Safety Manual
Both IEC 61508 and IEC 61511 require vendors of safety rated equipment to provide a Safety Manual, containing at least:
- Classification (type A or B; to be explained later)
- Failure data (λSD, λSU, λDD and λDU; to be explained later)
- Possible design / application constraints
- Declaration of systematic safety integrity (systematic capability) (if you aim for a SIL 3 SIF then the manufacturer's FSM must be good for SIL 3; to be explained later)
Always ask for the Safety Manual when ordering safety rated equipment! If not available, at least the above information needs to be provided.

Safety Manual
Be careful when interpreting safety manuals or safety certificates. Sometimes they
- show failure rates that cannot be used
- are incomplete
- are they based on real field experience?

Process Safety Time vs. Response Time
Process Safety Time: the time that the process remains safe after the trip condition has been reached.
Response time of a SIF = T_sensor(s) + T_interface(s) + T_logic solver + T_interface(s) + T_final element(s)
SIF Response Time < Process Safety Time
The only tool we have is T_logic solver, worst case (= 2 x T_scan), while the valves are the most important factor.
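The RBD formulas of Module 4, the pipe-to-pipe sum, the 35 / 15 / 50 % budget split and the response-time rule above fit in a few functions. The following Python is an added example, not part of the Yokogawa / TUV Rheinland course material; all device PFD values, the isolator and the timing figures are constructed, and the budget shares are applied in the pipe-to-pipe order given on the slide (sensors, logic solver, final elements). It goes one step beyond the slides by showing how an isolator in series with a 2oo3 sensor set can break the sensor subsystem's budget share even while the SIF as a whole still meets its SIL 2 limit.

```python
# Added example (not course material): PFDavg of voted architectures, the
# pipe-to-pipe SIF sum, the SIL budget split and the response-time check.


def pfd_series(*pfds):
    """All blocks must work (1oo1 chain, 2oo2): the PFDs add up."""
    return sum(pfds)


def pfd_1oo2(pfd_a, pfd_b):
    """One of two must work: both have to fail, the PFDs multiply (HFT = 1)."""
    return pfd_a * pfd_b


def pfd_2oo2(pfd_a, pfd_b):
    """Both must work: the PFDs add (HFT = 0)."""
    return pfd_series(pfd_a, pfd_b)


def pfd_2oo3(pfd_a, pfd_b, pfd_c):
    """Any two of three must work: sum of the three pairwise products (HFT = 1)."""
    return pfd_a * pfd_b + pfd_a * pfd_c + pfd_b * pfd_c


def sif_pfd(sensor_pfd, logic_solver_pfd, final_element_pfd):
    """Pipe to pipe: PFDavg(SIF) = sensors + logic solver + final elements."""
    return pfd_series(sensor_pfd, logic_solver_pfd, final_element_pfd)


# Budget split from the slide, in pipe-to-pipe order (assumed mapping).
BUDGET_SHARE = {"sensors": 0.35, "logic_solver": 0.15, "final_elements": 0.50}


def budget_check(pfd_limit, subsystem_pfds, shares=BUDGET_SHARE):
    """Map each subsystem to (pfd, allowed share of the SIL's max PFDavg, ok)."""
    return {name: (pfd, pfd_limit * shares[name], pfd <= pfd_limit * shares[name])
            for name, pfd in subsystem_pfds.items()}


def response_time_ok(sensor_s, interface_s, scan_s, final_element_s, process_safety_time_s):
    """SIF response time (logic solver worst case = 2 x scan time) must stay below the PST."""
    response = sensor_s + interface_s + 2 * scan_s + interface_s + final_element_s
    return response, response < process_safety_time_s


if __name__ == "__main__":
    sil2_limit = 1e-2                                   # max PFDavg for SIL 2
    sensors = pfd_2oo3(5e-3, 5e-3, 5e-3)                # three transmitters, 2oo3 (constructed)
    sensors_with_isolator = pfd_series(sensors, 4e-3)   # plus an isolator in series (constructed)
    valves = pfd_1oo2(2e-2, 2e-2)                       # two valves, 1oo2 (constructed)
    total = sif_pfd(sensors_with_isolator, 5e-4, valves)
    print(total, total < sil2_limit)                    # whole SIF still within SIL 2 ...
    for name, (pfd, allowed, ok) in budget_check(
            sil2_limit, {"sensors": sensors_with_isolator,
                         "logic_solver": 5e-4,
                         "final_elements": valves}).items():
        print(name, pfd, allowed, ok)                   # ... but the sensor share is exceeded
    print(response_time_ok(0.5, 0.05, 0.1, 2.0, 5.0))   # constructed timings, seconds
```

Note how the bare 2oo3 sensor set contributes only 7.5e-5 while the single isolator adds 4e-3: this is the "the isolator destroys the SIL" point of the selection-of-hardware slides made visible, and why each interface must be included in the pipe-to-pipe sum rather than only the field devices and the logic solver.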
Overrides
Start-up override: for a limited time only (limit in the logic solver).
Maintenance override / input override:
- For a limited time (typically not longer than a shift), then a message or an automatic disable (although this is not a very good idea)
- Key-switch to enable, maybe in groups
- (Hardware) indication that the override is ON, maybe in groups
- General key-switch to remove all overrides
Output override: very dangerous! (multiple causes)

Programming
How to create problems, an example: [Figure: a DTS trip signal from the DCS / PC combined in the logic solver]. In ETS the logic is different. But of course there are more examples: inverters, S/R blocks etc. Check your application, and make a record of your check!

Hey, that sounds the same!
The software of the Ariane 4 rocket was simply copied into the software for the Ariane 5 rocket. The velocity of the Ariane 5 was much higher than the Ariane 4 velocity; a simple type conversion went wrong. Don't just copy and paste!

Human factor!
Challenger, January 28, 1986
- Engineers were concerned about the O-rings used to seal the aft field joint
- There was evidence of erosion from previous flights
- The launch temperature was near freezing
- NASA management neglected this problem: pressure to launch, publicity, desired flight rates

SIS architectures
- Inherent fail-safe (no software): SIL 4 rated
- Dual, Triple, Quad (redundant): SIL 3 rated
- Single: SIL 3 rated

Inherent fail-safe systems
Advantages:
- Very reliable (discrete components)
- Very safe (no dangerous undetected failures)
- No software
- Certified by TUV for SIL 4 capability
- Runs on a solar cell

Redundant systems
Fault tolerant systems: DMR, TMR and QMR. A dangerous undetected failure can be tolerated due to redundancy.
Advantages: easy to modify; easy to communicate with; high availability.
Disadvantage: expensive.
All are SIL 3 rated. Example of QMR: ProSafe-PLC.

Single system
Single (1oo1) architecture: VMR, Versatile Modular Redundant (term introduced by Yokogawa), or call it pair-and-spare. The rate of dangerous undetected failures is extremely low due to extensive diagnostics.
Advantages:
- In single architecture SIL 3 rated
- High availability in redundant architecture
- Easy to modify
- Easy to communicate with

End of Module 4 - Questions:
1) What is better, ETS or DTS? Why?
2) What's better for safety, 1oo2 or 2oo2?
3) What's the purpose of 2oo3?
4) What do you mean with sensor validation?
5) What is the process safety time?
6) With the failure data given on the slide: what SIL can be achieved?
7) What is the effect of overrides on the SIF?
8) How do we deal with overrides?
9) What budget may the logic solver take?

Module 5: Functional Safety Management

IEC 61511 Overall Safety Lifecycle
[Figure: IEC 61511 safety lifecycle, from safety requirements specification to decommissioning]

Two types of integrity
Three basic requirements have to be fulfilled in order to claim any SIL:
1. Hardware fault tolerance for the claimed SIL to be justified
[Ref: IEC 61508-2, tables 2 and 3, and IEC 61511-1, table 6] (NB remark not legible)
2. PFDavg (of all elements within a SIF) shall be within the claimed SIL bandwidth (low demand mode of operation) [Ref: IEC 61508-1, table 2 and IEC 61511-1, table 3]; PFH shall be within the required bandwidth (high demand or continuous mode of operation) [Ref: IEC 61508-1, table 3 and IEC 61511-1, table 4].
3. Systematic Capability shall comply with the requirements for the claimed SIL [Ref: IEC 61508-2, 7.4.2.2, 7.4.3 and IEC 61508-3 and IEC 61511-1 (clause number not legible)].

Systematic Capability
IEC 61508 Ed 2 defines 3 routes:
- 1S: avoidance of systematic faults and control of systematic faults
- 2S: proven in use
- 3S: for pre-existing software elements only; many requirements, see IEC 61508-3, 7.4.2.12 and 7.4.2.13
Note: normally route 1S will be followed.

Systematic safety integrity → FSM
Measures to avoid systematic failures:
- Employment of safety competent personnel
- Controlled realization
- Verification processes
- Configuration management
- Document control (including application program)
- Functional Safety Assessment
- Validation processes
- Controlled operation, proof testing and maintenance
- Controlled site modifications
All covered in Functional Safety Management, and here also human failures.

Employment of safety competent personnel
You must be competent for what you must do!
- Safety training program (safety basics: SIL, SIF, SIS, PFD, etc.)
- Train on SIS development tools (Risk Graph, SIL calcs, application programming tools, ...)
- Train on SIS application engineering (HAZOP execution, SIL classification, safety architectures, overrides, proof testing, operation, maintenance, ...)
- Train on operation and maintenance
- Keep personnel records in the HR department
- Create safety awareness by all those involved during the life cycle

Controlled realisation
- Plan the actions and execute them
- Use adequate procedures, tools and templates
- Verify / review thoroughly by another person
- Verify / test thoroughly by another person
- Record and document
the plan and the execution of all steps
- Validate
- Functional Safety Assessment
Documentation should be such that an "outsider" can trace your decisions.

Yokogawa's implementation
(figure: not legible)

SIS realisation phase
Why important: first step!
(figure: Client / Realisator; System requirements → Safety system: low false-trip rate and high maintainability, high flexibility and ... (rest not legible); IEC 61508 and IEC 61511)

SIS Realisation phase
(figure: cause areas of failures (systematic and human) per life cycle phase, e.g. installation & commissioning. Source: HSE 2004)

First check
Checklist: reference to the requirements (which documents?) and to the application:
- Segregation
- Safety principle
- Overrides
- Transmitters
- Actuators
- Timers
- Ex-isolators
- Environment
- Interfaces
- Maintainability
- Etc.
Check on safety requirements.

Safety Validation Plan
- Check the requirements
- Check and report the HFT
- Check and report the PFDs
- Issue warnings
- Try to create a feedback loop

Verification
To make sure that the result of the lifecycle stage is as expected.
- Make use of checklists for reviews and tests
- Reviews and tests: by another person than the originator
- The higher the SIL requirement, the more detailed these checks
- Go back to the appropriate phase if test cases do not fulfil the requirements (IMPACT ANALYSIS)
- Keep record of how problems have been solved
Do it, document that you do it, document what you decide.

Configuration management
- What documents with what revision number belong to the SIS hardware?
- What version number of the embedded application program?
- What version number of the application program?
- What version number of the SRS are these deliverables based on?
- What version number of the SIL allocation report is the SRS based on?
- What version number of the HAZOP report?
- What version number of ...
These questions must be answered at any verification or validation phase of the SIS life cycle → life cycle documentation.

Document control
- Register when what deliverable with what revision and what status to whom was sent
- Register when what deliverable with what revision and what status from whom was received
Remember: documentation is the central item: it enables design, enables verification and validation, and gives an auditable trail.

Functional safety assessment
To arrive at a judgement on the achieved functional safety.
- Must be done before the hazards are introduced (before start-up). It is part of the overall Validation.
- It is advised to do this also during design (to detect problems in an early stage).
- Those who execute the functional safety assessment shall be independent (the higher the SIL requirement, the higher the level of independence).
- Check that verifications have been executed
- Check that every involved person was competent
- Check the SIS against the SRS
- Check if all safety related open items have been finished
- Check if deliverables are complete and up to date
- Keep record of the results

Validation
- To make sure that the entire process has delivered a system compliant to the specifications
- Must be done at the end of the realization phase (SIS Validation)
- Must be done at the end of Installation and Commissioning (Overall Validation)
- Test the (part of the) SIS against the specifications and the SRS
- Check if deliverables are complete and up to date
- Keep record of the results

IEC 61511 Overall Safety Lifecycle
(figure: lifecycle diagram; legible boxes: "Safety requirements specification", "Operation and maintenance")

Operation and maintenance
- Collect data on failures, test results, demands, accidents
- Check assumptions made during HAZOP
- Check used failure rates in the SIL calculation
Proof testing:
- Proof test interval
- Proof test procedures
- Proof test records

Operation and maintenance
- Make use of operation instruction(s)
- Make use of maintenance instruction(s)
- Make use of instructions for proof test
- Make use of (override) procedures during on-line maintenance and/or proof test
- Log all site activities with respect to the SIS

Operation and maintenance
(figure: maintenance reports and operations reports → systematic failures, failure and demand rate → data derived from actual operations compared with the data used in the risk analysis (performance comparison) → modification request)

Modification
(figure: IEC 61511 overall safety lifecycle; legible boxes: "Installation, commissioning and validation", "Management of modification")

Modification
The wish for modifications can occur during operation. Decision to be made:
- Back to the appropriate phase (IMPACT ANALYSIS): what is the appropriate phase?
- Apply procedures for site modification and test
- Involved life cycle documents to be updated
- Re-execute overall safety validation
Do it, document that you do it, document what you decide.

Modification
(figure: triggers: safety performance below target, systematic fault, incident/accident experience, operation/production requests, new or amended legislation, modifications to the EUC, changes to the safety requirements → study report → authorisation → back to the appropriate phase of the lifecycle)

Quantitative assessment: a summary
- SIL allocation: give every SIF a target SIL
- Check if the SIF complies with the fault tolerance tables of IEC 61508 and/or IEC 61511
- Check if the SIF has achieved the required SIL: PFDavg (calculation always with respect to the complete SIF), or PFH in case of high demand or continuous mode
- Do all this and DOCUMENT it

Qualitative assessment: a summary
- Review your design and provide evidence (review reports)
- Test your hardware and application and provide evidence (test reports)
- Execute functional safety assessments and provide evidence (independent assessment reports)
- Do all this and DOCUMENT it

All covered by: Functional Safety Management
- A quality system that facilitates doing all life cycle activities in a controlled way
- Applicable for every party involved in the life cycle: end user, contractor, system integrator, supplier of safety related devices
- Facilitated
by procedures, tools and templates
- Supported by the management
- Periodically reviewed by means of Functional Safety Audits (how well or how badly FSM has been implemented and applied in the organisation)
- Optionally certified by a certification body (not mandatory)

End of Module 5. Questions:
1) What is the intention of FSM?
2) What is the role of documentation?
3) What is verification? What is validation?
4) What is impact analysis?
5) When is validation mandatory?

Module 6: Failures and Hardware Fault Tolerance

Three failure types
- Random hardware failures: failures occurring at a random time, which result from one or more of the possible degradation mechanisms in the hardware of a system
- Systematic failures: failures that, if we determine their origin, are related to a certain cause, which can only be eliminated by a modification of the system
- Human failures: failures related to a certain human action, during the operational phase of a system

Random hardware failures
- Many degradation mechanisms occur at different rates
- Components fail due to these mechanisms at different times because of manufacturing tolerances
- Failures occur at predictable rates but at unpredictable times
- Example: components (i.e. resistor, capacitor, etc.) fail due to (predicted) wear out
- Repair by replacing the failed device
(figure: the bathtub curve, failure rate against time)

Systematic failures
Corrective maintenance without modification will usually not eliminate the failure cause.
Example causes of systematic failures:
- the safety requirements specification (wrong cross in the C&E diagram)
- the design, manufacture, installation and commissioning of the hardware (diode mounted in the wrong direction on all modules)
- the design, implementation, etc. of the application program (mistake in an error handling procedure)
- the specifications (too small temperature range in a closed cabinet)
Introduced during design and modification.
Human failures
Only in the operational phase of the system (by definition). Examples:
- Operator takes wrong action
- Maintenance engineer does not follow procedure
- Management did not train operators on the new system

Failure rate
Failure rate: the number of times that a component will fail during a specific time interval.
Example: assume that the failure rate ($\lambda$) of a light-emitting diode is 0.01 per year. 1 million hrs = 114 year, so $\lambda = 1.14 / 10^6$ hr, or $\lambda = 1140$ FIT (USA unit: per $10^9$ hr). On average every LED will fail after 100 years of operation, so the Mean Time Between Failures (MTBF) is 100 years ($\lambda = 1 / \mathrm{MTBF}$).
NB: UNITS! years / per year / per million hours / per billion hours (FIT).
NB: $1 / 10^9$ hr $= 1 \times 10^{-9}$ /hr $= 1\mathrm{E}{-09}$ /hr

Exercise: calculate failure rates
365 days × 24 hr = 8760 hr; 1 000 000 / 8760 = 114 year; 1 FIT = 1 / $10^9$ hr.
- The failure rate is 5.70 E+01 / million hr. How many FITs is that? What is the MTBF in years?
- The MTBF of an isolator is 15 years. How do you convert to failures per million hr?

Determine a failure mode and rate (module)
- Using MIL-HDBK-217F or Telcordia or another database, the (part) failure rate for each component on a module can be looked up (of course under certain conditions, so sometimes correction factors must be applied).
- By analysing the failure modes of a component, the effect on the module can be determined (FMEA*). The effect can either be safe or dangerous (! Of course first the safe state must be defined !).
- Adding up all component failure rates with a safe effect ($\lambda_S$) results in the safe failure rate of the module.
- Adding up all component failure rates with a dangerous effect ($\lambda_D$) results in the dangerous failure rate of the module.
*FMEA = Failure Modes and Effects Analysis

Failure Modes
(figure: failure → safe failure / dangerous failure)

Failure Modes - Diagnostics
- Diagnostics on a device or system perform numerous tests in order to reveal failures in that device or system
- Diagnostics can be realized internally (self-diagnostics) and by external means; it is a periodical automatic test
- Most self-diagnostics are software programmed
- When failures are detected various actions can be taken depending on the severity of the detected failure, for example an alarm can be initiated or the system can be shut down
FMEDA = Failure Modes, Effects, and Diagnostic Analysis

Failure Modes
(figure: failure → safe / dangerous; revealed by self-diagnostics or in normal operation → Safe Detected, Safe Undetected, Dangerous Detected, Dangerous Undetected)
Each failure mode has a failure rate $\lambda$.

Failure Rates: $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$
These three don't really bother you: they are detected (so you will repair them) or undetected, but safe anyway. Of course they are also used in the calculation of the Availability.

Failure Rates: $\lambda_{DU}$
Definition: this one really bothers you; it means that the SIS cannot perform the action. It is the only one that goes into the $\mathrm{PFD}_{avg}$ calculation.

SAFE FAILURE FRACTION
$$\mathrm{SFF} = \frac{\lambda_S + \lambda_{DD}}{\lambda_S + \lambda_{DD} + \lambda_{DU}}$$

Safe Failure Fraction
$\mathrm{SFF} = (\lambda_S + \lambda_{DD}) / (\lambda_S + \lambda_{DD} + \lambda_{DU})$
Safety manuals: $\lambda_{SU}$ is not only "safe undetected", but also "no effect" and "no part". If you make $\lambda_{SU}$ very big, SFF will be large: if you add components you'll get a good SFF. IEC 61508 Edition 2: "no part" and "no effect" shall not be part of the SFF calculation.

Hardware fault tolerance --- Tables in IEC 61508 Route 1H
- Type A: simple devices where the failure modes can easily be understood (mechanical devices, simple electronic devices like zener barrier, isolator etc.)
- Type B: everything that is not simple, not type A
(figure: Route 1H tables for type A and type B with SFF bands, HFT and achievable SIL; legible labels: "proven in use", "Type B"; table values not legible)

Hardware fault tolerance --- Table in IEC 61508 Route 2H (see clause 7.4.4.3)
Minimum hardware fault tolerance:
- SIL 1, any mode: 0
- SIL 2, low demand mode: 0
- SIL 2, high demand or continuous mode: 1
- SIL 3, any mode: 1
- SIL 4, any mode: 2
Note: failure data must be based on feedback from field operation, collected in accordance with international standards, evaluated and judged by an expert.

Hardware fault tolerance --- Table in IEC 61511 (see Table 6)
Minimum hardware fault tolerance:
- SIL 1, any mode: 0
- SIL 2, low demand mode: 0
- SIL 2, high demand or continuous mode: 1
- SIL 3, any mode: 1
- SIL 4, any mode: 2
Note: failure data must be based on feedback from field operation, with a confidence limit of 70% and a diagnostic coverage not less than 60%.

Exercise
Customer asks for a HIPPS with pressure measuring and shut down valve with SIL 3. He will use the following elements (sub systems):
- sensor: transmitter make X, IEC 61508 type B, SFF = 80%
- logic solver: make Yokogawa, ProSafe-RS (SIL 3 rated)
- final element: air controlled shut down valve make Z, IEC 61508 type A, SFF = 96%
Assumption: dangerous failure rates of all subsystems justify SIL 3 capability.
What is the configuration of the system the customer asks for:
a) compliance with IEC 61508 Route 1H
b) compliance with (not legible)
(handwritten solution not legible)

End of Module 6. Questions:
1) What is the HFT of a 2oo3 voter?
2) What is the HFT of a 2oo2 voter?
3) Which voting gives a HFT of 2?
4) Which failure modes are there?
5) Which failure rate is used for the PFDavg?
6) What is a human failure?
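As an added example (not from the course material), the FMEDA bookkeeping, SFF and Route 1H lookup of the Module 6 slides in Python: the FMEDA rows are constructed, the unit conversions answer the failure rate exercise, and the Route 1H table values are my reading of IEC 61508-2 Ed. 2 tables 2 and 3, to be checked against the standard.

```python
"""SFF from FMEDA buckets and IEC 61508 Route 1H limits (added example, not course code).
FMEDA rows are constructed; the Route 1H values are IEC 61508-2 Ed. 2 tables 2 and 3
as known to this example's author: verify them against your copy of the standard."""
HOURS_PER_YEAR = 8760        # 365 days x 24 hr, as in the failure rate exercise

def mtbf_years_from_fit(rate_fit):
    """MTBF = 1 / lambda, converted from hours to years (1 per million hr = 1000 FIT)."""
    return 1e9 / rate_fit / HOURS_PER_YEAR

def per_million_hr_from_mtbf_years(mtbf_years):
    """Failure rate in failures per million hours from an MTBF given in years."""
    return 1e6 / (mtbf_years * HOURS_PER_YEAR)

# Constructed FMEDA rows for a hypothetical transmitter module:
# (component, failure rate in FIT, effect 'S'/'D'/'N', detected by self-diagnostics)
SAMPLE_FMEDA = [
    ("input amplifier", 120, "D", True),
    ("A/D converter", 80, "D", True),
    ("reference diode", 30, "D", False),
    ("output stage", 200, "S", False),
    ("pull-down resistor", 10, "D", False),
    ("housing screw", 5, "N", False),   # "no part": left out of the SFF (IEC 61508 Ed. 2)
]

def failure_rate_buckets(rows):
    """Sum component rates into lambda_S, lambda_DD and lambda_DU (FIT)."""
    lam = {"S": 0.0, "DD": 0.0, "DU": 0.0}
    for _, rate, effect, detected in rows:
        if effect == "S":
            lam["S"] += rate
        elif effect == "D":
            lam["DD" if detected else "DU"] += rate
    return lam

def sff(lam):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    return (lam["S"] + lam["DD"]) / (lam["S"] + lam["DD"] + lam["DU"])

# Route 1H: highest claimable SIL per (upper SFF bound of the band, (HFT 0, HFT 1, HFT 2)).
# Type B with SFF < 60 % at HFT 0 is "not allowed" in the standard; encoded here as 0.
ROUTE_1H = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))],
    "B": [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))],
}

def max_sil_route_1h(dev_type, sff_value, hft):
    for upper, sils in ROUTE_1H[dev_type]:
        if sff_value < upper:
            return sils[hft]
    raise ValueError("SFF must be a fraction between 0 and 1")

def min_hft_route_1h(dev_type, sff_value, target_sil):
    """Smallest HFT (0..2) at which the subsystem may claim target_sil, or None."""
    for hft in (0, 1, 2):
        if max_sil_route_1h(dev_type, sff_value, hft) >= target_sil:
            return hft
    return None

if __name__ == "__main__":
    lam = failure_rate_buckets(SAMPLE_FMEDA)
    print(lam, round(sff(lam), 3), "SIL", max_sil_route_1h("B", sff(lam), 0))
    # HIPPS exercise: type B transmitter SFF 80 %, type A valve SFF 96 %, target SIL 3
    print(min_hft_route_1h("B", 0.80, 3), min_hft_route_1h("A", 0.96, 3))
```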
Module 7: Common cause and other errors

Common Cause
(figure: common cause factor β)

Common cause influence of failures
- Systematic (development): engineering, wrong components, logical errors
- Hardware (environment): corrosion, EMC, temperature
- Human factor (operation): procedures, installation, maintenance

The β-factor
Various methods can be used to determine the β-factor:
- IEC 61508-6 annex D (checklist)
- UPM 3.1 (technique)
- Simulations
- Expert estimate
- End-user experience
(figure: β-factor figures for logic and sensors; values not legible)
Note: of course there is a β for dangerous failures and a β for safe failures, etc.

Common cause defence rules
- Separation: reduce the probability of a common stress event
- Diversity: design redundant units to respond differently to a common stress event
- High strength: make the design more robust

Common cause: voted inputs
(figure)

The very busy office
(figures: single bulb / dual bulb / triple bulb)
- Hardware failures and redundancy (legible values: 1 month, 1 month, 20 years)
- Systematic failures and redundancy: no systematic failures vs with systematic failures: 1 month vs 0-1 month; 20 years vs 0-20 years
- Common cause failures and redundancy: no common cause vs with common cause: 1 month; 20 years vs 12 months; 100 years vs 12 months
- Human factor and redundancy: no human factor vs with human factor: 1 month vs 0.5 month; 20 years; 100 years vs 1 month

End of Module 7. Questions:
1) What is common cause?
2) How is common cause expressed?
3) Is β = 7% a normal value for transmitters?

Module 8: Calculations

Multiple methods
- Formulas based on Reliability Block Diagrams
- Fault Tree Analysis: based on Fault Tree
- Markov: based on State Transition Diagrams
Markov and Fault Tree need either sophisticated tools or higher education in mathematics. Therefore the first method is most widely used.
Probability of a Failure on Demand
Derived from the safety parameters of the equipment:
$$\mathrm{PFD}(t) = 1 - e^{-\lambda_{DU} t} \approx \lambda_{DU}\, t$$
$$\mathrm{PFD}_{avg} = \frac{1}{T}\int_0^T \mathrm{PFD}(t)\,dt = \frac{\lambda_{DU}}{T}\left(\tfrac{1}{2}T^2\right) = \tfrac{1}{2}\,\lambda_{DU}\,T$$

Redundancy for sensors (1)
For 1oo2: $\mathrm{PFD}(t) = (\lambda_{DU} t)^2$, so
$$\mathrm{PFD}_{avg} = \frac{1}{T}\int_0^T \lambda_{DU}^2 t^2\,dt = \frac{\lambda_{DU}^2}{T}\left(\tfrac{1}{3}T^3\right) = \tfrac{1}{3}\,\lambda_{DU}^2\,T^2$$

Redundancy for sensors (2)
(figure)

Redundancy for final elements (1)
(figure: two valves in a ... (rest not legible))

Redundancy for final elements (2)
(figure)

Redundancy for final elements (3)
(figure)

PFDavg formulas (with common cause factor β)
- 1oo1: $\tfrac{1}{2}\,\lambda_{DU}\,T$
- 1oo2: $\tfrac{1}{3}(1-\beta)^2\lambda_{DU}^2T^2 + \tfrac{1}{2}\,\beta\,\lambda_{DU}\,T$
- 1oo3: $\tfrac{1}{4}(1-\beta)^3\lambda_{DU}^3T^3 + \tfrac{1}{2}\,\beta\,\lambda_{DU}\,T$
- 2oo2: $\lambda_{DU}\,T$
- 2oo3: $(1-\beta)^2\lambda_{DU}^2T^2 + \tfrac{1}{2}\,\beta\,\lambda_{DU}\,T$

Influence of the β-factor on PFDavg
(figure)

Proof Test
- A proof test means a complete test of the SIF
- A proof test does not mean a material test or a printed-circuit test
- The purpose of the proof test is to reveal all dangerous undetected failures that are present in the SIF
- After the proof test the elements in the SIF should be in their initial state

Proof Test
The proof test of the SIF does not completely restore the initial state:
- Imperfect testing: not all failures will be detected during the proof test → proof test coverage PC (in the order of 90% - 99%)
- Imperfect repair: the failure is not completely repaired; new failures can be introduced during repair
- Ageing: some wear already took place

Impact of proof testing on PFDavg
Without proof test: $\mathrm{PFD} = \lambda_{DU}\,t$ and $\mathrm{PFD}_{avg} = \tfrac{1}{2}\,\lambda_{DU}\,T$
With proof test: $\mathrm{PFD}_{avg} = \tfrac{1}{2}\,PC\,\lambda_{DU}\,T + \tfrac{1}{2}\,(1-PC)\,\lambda_{DU}\,T_L$ ($T_L$: period over which the failure is not detected by the proof test)

Availability parameters
- FTR: False Trip Rate (spurious action), based on the reliability requirements of the process
- MTBF: Mean Time Between Failures; MTBF = 1 / FTR (False Trip Rate)
- MTTR: Mean Time To Repair (Restoration)
$A\ (\text{Availability}) = \dfrac{\mathrm{MTBF} - \mathrm{MTTR}}{\mathrm{MTBF}}$

Is 99.9% good enough?
- One hour of unsafe drinking water per month
- 32 000 missed heart beats per person each year
- 20 000 incorrect drug prescriptions per year
- 500 incorrect surgical operations each (period not legible)
- 50 new-born babies dropped at birth
- Ten unsafe landings at airports each day
Based on the population of the USA: > 300 mln

PFDavg calculation case 1 and 2
(Use the IEC 61508 Route 1H table and 1 yr = 10 000 hrs)
(figure: SIF with pressure transmitter, logic solver and shutdown valve; $\lambda_{DU}$ in E-6/hr and SFF given per element; figures not legible)

PFDavg calculation case 3 and 4
(Use the IEC 61508 Route 1H table and 1 yr = 10 000 hrs)
(figure: same SIF; additionally $T_I$ = 1 year, $T_L$ = 10 year, common cause 0 and 10%; SIL = ?; figures not legible)

End of All
Good Luck with the Exam
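As an added example (not part of the course), the simplified PFDavg formulas, the proof test coverage correction and the low demand SIL bands applied to a constructed HIPPS-like SIF under the case exercises' conventions (1 yr = 10 000 hrs, T_I = 1 year, T_L = 10 years, β = 0 and 10%); the λDU values and the logic solver PFDavg are assumed, not taken from the slides.

```python
"""PFDavg of a low demand SIF with the simplified Module 8 formulas (added example,
not course code). The HIPPS figures below are constructed, not the slides' cases."""
HOURS_PER_YEAR = 10_000      # the case exercises round 1 yr to 10 000 hrs (8760 in reality)

def pfd_avg(arch, lam_du, T, beta=0.0):
    """PFDavg of one voted group. lam_du: dangerous undetected rate (1/hr),
    T: proof test interval (hr), beta: common cause fraction (0..1)."""
    x = lam_du * T                       # 1oo1 PFD at the end of the interval
    cc = beta * x / 2                    # common cause part: a 1oo1 with beta*lam_du
    if arch == "1oo1":
        return x / 2
    if arch == "2oo2":
        return x                         # two ways to fail, each contributing x/2
    if arch == "1oo2":
        return ((1 - beta) * x) ** 2 / 3 + cc
    if arch == "2oo3":
        return ((1 - beta) * x) ** 2 + cc
    if arch == "1oo3":
        return ((1 - beta) * x) ** 3 / 4 + cc
    raise ValueError(f"unknown architecture {arch}")

def pfd_avg_imperfect_test(lam_du, T, pc, T_life):
    """1oo1 with proof test coverage pc: the covered part is reset every T,
    the uncovered part (1 - pc) only accumulates over the lifetime T_life."""
    return 0.5 * pc * lam_du * T + 0.5 * (1 - pc) * lam_du * T_life

def sil_from_pfd_avg(pfd):
    """Low demand SIL bands (IEC 61508-1 table 2); 0 means below SIL 1."""
    for sil, low, high in ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)):
        if low <= pfd < high:
            return sil
    return 0

def hipps_case(beta, pc):
    """Constructed SIF: 2oo3 transmitters, SIL 3 logic solver, single shutdown valve."""
    T = 1 * HOURS_PER_YEAR               # proof test interval T_I = 1 year
    T_life = 10 * HOURS_PER_YEAR         # lifetime T_L = 10 years
    sensors = pfd_avg("2oo3", 0.5e-6, T, beta)             # lambda_DU 0.5 E-6 /hr (assumed)
    logic = 1e-5                                           # PFDavg from a safety manual (assumed)
    valve = pfd_avg_imperfect_test(0.1e-6, T, pc, T_life)  # lambda_DU 0.1 E-6 /hr (assumed)
    total = sensors + logic + valve      # always with respect to the complete SIF
    return {"sensors": sensors, "logic": logic, "valve": valve,
            "total": total, "sil": sil_from_pfd_avg(total)}

if __name__ == "__main__":
    for beta, pc in ((0.0, 1.0), (0.1, 1.0), (0.1, 0.9)):
        r = hipps_case(beta, pc)
        print(f"beta={beta:.0%} PC={pc:.0%}: PFDavg={r['total']:.2e} -> SIL {r['sil']}")
```

With these figures the SIF meets SIL 3 only while the proof test is assumed perfect; a 90% proof test coverage on the single valve pushes the total PFDavg into the SIL 2 band.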
