IEC 61508 Intro2
IEC 61508
[Pie chart] Control System Incident Occurrence By Phase: Specification 44%; Changes After Commissioning 20%; Operations & Maintenance 15%.
From 'Out Of Control', a compilation of incidents involving control systems, by the UK HSE.
Process vs. Safety Control

Process Control:
• Dynamic
• Faults self-revealing
• Repair time less critical
• Auto/manual transfers
• Relies heavily on operators

Safety Control:
• Dormant
• Must test for hidden faults
• Repair time highly critical
• Should never be off-line
• Little reliance on operators
The Human Aspect
Accidents have occurred because:
• Operators did not believe rare events were real or genuine.
[Cartoon] The parties involved: Integrators, Vendors, Regulators, Users, Contractors, Consultants. Caption, OSHA Inspector: "Eh... well... looks about right to me!"
Failure Modes
With a safety system, the concern shouldn't so much be with how the system operates, but rather how the system fails. Safety systems can fail in two ways:

Fail-safe:
• overt
• spurious
• costly downtime

Fail-danger:
• covert
• potentially dangerous
• must find by testing
[Figure] Example of a demand failure (D × U =)
• Single
• Dual: 1oo2, 2oo2, Hot back-up
• Triplicated
Considerations: system size, budget, risk, MMI, communication requirements, testing requirements, etc.
Question
Qualitatively, which system is “best”? Which gives the fewest nuisance
trips? Which gives the best safety performance?
[Figure] Single (1oo1) system, channel A: Input → CPU → Output, with per-component failure probabilities.
Demand (dangerous) failure: .003 (input) + .004 (CPU) + .003 (output) = 0.01
Spurious failure: .006 (input) + .008 (CPU) + .006 (output) = 0.02
Dual System Performance
[Figure] 1oo2 vote of channels A and B; 2oo2 vote of channels A and B.

Architecture   Spurious   Demand
1oo1           0.02       0.01
1oo2           0.04       0.0001
2oo2           0.0004     0.02
Hot Back-up PLC
[Figure] Single field devices feed CPU A and CPU B through a switch; only the CPU is duplicated.

Architecture   Spurious   Demand
1oo1           0.02       0.01
1oo2           0.04       0.0001
Hot Backup     0.012      0.006
Basic 2oo3 Fault-tolerant System
[Figure] Three independent channels: In → CPU A → Out, In → CPU B → Out, In → CPU C → Out.
Basic Triple System Performance
[Figure] 2oo3 vote of channels A, B and C.

Architecture   Spurious   Demand
1oo1           0.02       0.01
1oo2           0.04       0.0001
2oo2           0.0004     0.02
Quad system
[Figure] Two checked pairs (AA with Check, BB with Check).

Architecture   Spurious   Demand
1oo1           0.02       0.01
1oo2           0.04       0.0001
2oo2           0.0004     0.02
2oo3           0.0012     0.0003
Quad           0.0008     0.0002
Slightly more advanced Fault-tolerant System (SIFT)
[Figure] Three channels (CPU A, B, C); each CPU receives 2oo3-voted inputs (V) and the outputs are combined (&). Equivalent block diagram: 2oo3 In → CPU → Out.
The Best System, Trusted ICS - HIFT
[Figure] Three channels (CPU A, B, C) with shared Memory; 2oo3 voting (V) on the inputs and again on the outputs. Equivalent block diagram: 2oo3 In → 2oo3 CPU → 2oo3 Out.
Comparison Between Architectures

Architecture   Spurious   Demand
1oo1           0.02       0.01
1oo2           0.04       0.0001
2oo2           0.0004     0.02
2oo3           0.0012     0.0003
Quad           0.0008     0.0002
SIFT           0.00070    0.00017
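The figures in the tables above follow from the per-component probabilities drawn on the single-system slide and a k-out-of-n vote of identical channels. The script below is an added example, not code from the original slides: it reproduces the 1oo1, 1oo2, 2oo2, 2oo3 and hot back-up rows and answers the earlier question about nuisance trips versus safety performance. Everything beyond the slide's component figures is an assumption: channels are independent (no common-cause failure), and the change-over switch of the hot back-up PLC is taken to be perfect. The Quad and SIFT rows depend on diagnostic details the slides do not give, so they are not modelled.

```python
"""Failure-probability arithmetic for the voting architectures compared
above (1oo1, 1oo2, 2oo2, 2oo3 and the hot back-up PLC).

Added example, not code from the original slides.  Per-component figures
are the ones on the single-system slide; independence of channels and a
perfect change-over switch are assumptions."""
from math import comb, prod

# Per-component (dangerous, spurious) failure probabilities, as drawn on
# the single-system slide: .003/.006 input, .004/.008 CPU, .003/.006 output.
COMPONENTS = {
    "input": (0.003, 0.006),
    "cpu": (0.004, 0.008),
    "output": (0.003, 0.006),
}


def series(probs):
    """Probability that at least one element of a series chain has failed.

    1 - prod(1 - p) is exact for independent elements; the slides use the
    first-order approximation sum(p), which agrees to about 1% here."""
    return 1.0 - prod(1.0 - p for p in probs)


def at_least(k, n, p):
    """Probability that at least k of n independent channels, each with
    failure probability p, have failed (binomial upper tail)."""
    return sum(comb(n, i) * p**i * (1.0 - p) ** (n - i) for i in range(k, n + 1))


def channel():
    """(dangerous, spurious) failure probability of one input-CPU-output chain."""
    dangerous = series(d for d, _ in COMPONENTS.values())
    spurious = series(s for _, s in COMPONENTS.values())
    return dangerous, spurious


def koon(k, n):
    """(spurious, demand) failure probability of a k-out-of-n vote.

    The system trips when at least k channels call for a trip, so a
    spurious trip needs at least k channels failed spurious; it fails on
    demand when at least n-k+1 channels have failed dangerous, leaving
    fewer than k to vote for the trip.  k = n = 1 is the single system."""
    dangerous, spurious = channel()
    return at_least(k, n, spurious), at_least(n - k + 1, n, dangerous)


def hot_backup():
    """(spurious, demand) for the hot back-up PLC.

    Only the CPU is duplicated; the field devices stay single.  With the
    (assumed) perfect switch the CPU term collapses to p**2 and the shared
    input and output dominate, which is why hot back-up gains less than a
    factor of two over 1oo1 instead of the hundred-fold gain of 1oo2."""
    d_in, s_in = COMPONENTS["input"]
    d_cpu, s_cpu = COMPONENTS["cpu"]
    d_out, s_out = COMPONENTS["output"]
    spurious = series([s_in, s_cpu**2, s_out])
    demand = series([d_in, d_cpu**2, d_out])
    return spurious, demand


def comparison():
    """Architecture -> (spurious, demand), in the order of the slide's table."""
    return {
        "1oo1": koon(1, 1),
        "1oo2": koon(1, 2),
        "2oo2": koon(2, 2),
        "2oo3": koon(2, 3),
        "Hot Backup": hot_backup(),
    }


def within(value, reference, tolerance=0.05):
    """True if value agrees with the slide's rounded figure to `tolerance`."""
    return abs(value - reference) <= tolerance * reference


if __name__ == "__main__":
    print(f"{'Architecture':<12}{'Spurious':>12}{'Demand':>12}")
    for name, (spurious, demand) in comparison().items():
        print(f"{name:<12}{spurious:>12.5f}{demand:>12.5f}")
```

Run as a script it prints the table; the exact binomial values land within a few percent of the slides' rounded figures. Reading the rows answers the question posed earlier: 2oo2 gives the fewest nuisance trips but the worst safety performance of the dual arrangements, 1oo2 gives the best safety performance at twice the nuisance-trip rate of a single system, and 2oo3 stays within a factor of three of 1oo2 on demand failures while cutting spurious trips by more than thirty times.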
[Figure] Example safety logic: Digital Input, Analog Input and Digital Input → And → Timer; Analog Input and Digital Input → Or → Output.
[Pie chart] Control System Incident Occurrence By Phase, repeated from the opening slide: Specification 44%; Changes After Commissioning 20%; Operations & Maintenance 15%. From 'Out Of Control', a compilation of incidents involving control systems, by the UK HSE.
How Can Safety be Improved?
Hardware can be easily quantified.
What about software?
What about the field devices?
What about people errors?
[Figure] The same safety-logic example (Digital Input, Analog Input and Digital Input → And → Timer; Analog Input and Digital Input → Or → Output), labelled SIL 3.
Safety Integrity Levels (SIL)
IEC 61508 definition: 'Discrete level for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related system'.
SIL 4 (highest)
SIL 3
SIL 2
SIL 1 (lowest)
Integrity below that of SIL 1 is often termed 'SIL 0'; this is not an officially recognised term.
What are SIL levels
[Figure] Plant risk assessment → SIL → risk reduction: the process risk (from high risk to low risk, to people, products and process) sets the risk reduction required, and the SIL expresses the integrity demanded of the safety-related system that provides it.
Safety Lifecycle (Process)
1 Concept
2 Scope Definition
4 Safety Requirements
5 Requirements Allocation
Competence of Persons
Safety Lifecycle
Safety Functions