Current IEC 61508 and IEC 61511 standards describe performance levels for safety functions and the devices and systems that carry out these safety functions. The Safety Integrity Level (SIL) is the concept that describes this performance both qualitatively and quantitatively. However, these same standards provide no description and no concept covering the performance levels for spurious trips. Risknowlogy developed a new notion named Spurious Trip Level® (STL™) to describe this performance.
The Spurious Trip Level® (STL™) gives end-users a new attribute that will help them to define the desired process availability in relation to the performance of safety instrumented functions.
Layer of Protection Analysis (LOPA), a semi-quantitative Process Hazard Analysis (PHA), is found to be an effective tool in hazard evaluation and risk assessment. It is found to be a potential semi-quantitative tool for statutory compliance purposes in the UK and an effective Process Safety Management tool satisfying OSHA requirements in the USA. It is a simple tool and identifies the safeguards to be considered for risk assessment and risk reduction. Details of the technique with examples are given in this article.
When developing safety-critical embedded software it is important to consider the objectives of standards such as IEC 61508. These standards impose additional constraints on the development processes and require the production of evidence that the objectives were met. IEC 61508 is a generic safety publication. The standard was developed for traditional (hand-coded) software development processes and does not cover advanced software development technologies such as Model-Based Design and production code generation. Therefore the measures and techniques recommended by IEC 61508-3 need to be mapped onto Model-Based Design processes and tools.
This paper is an updated version of a paper that originally appeared in the proceedings of the Workshop on Model-Based Development of Embedded Systems III (MBEES 2007), Schloß Dagstuhl, Germany, Jan. 2007.
Applying the requirements of the IEC 61508/61511 standards within the plant engineering development process runs into some practical problems, related for example to scheduling the SIL assignment activities and to their relationship with other analyses carried out on the project (for example HAZOP, QRA); this can make it difficult to quantify the consequences, both in terms of accidents and in terms of economic loss from lost production and damage to equipment. The definition of the criteria for SIL assignment also leaves degrees of freedom that can cause the results to vary, even significantly, for plants that are very similar. As for SIL verification, it is clearly tied to the failure rates chosen for the various items, which can influence test intervals and the very architecture of the system chosen to meet the SIL value.
Operational characteristics of static ESD valves impose design and testing requirements that are very different from those required for a control valve operating in a fully dynamic mode. Partial stroking of ESD valves can be a good complement to full stroke testing, as long as we have a clear understanding of the implications of the assumptions in diagnostic coverage and the credit taken for this type of test.
This paper reviews the pros and cons of PST in the processing industries, from an independent and objective viewpoint, with absolutely no vested interest from either vendors or end-users.
In Italy, in recent years, in establishments at risk of major accidents, analyses carried out by applying the IEC 61508/IEC 61511 standards have become increasingly evident [...]
The experience gained over these years has made companies aware that drafting a "Safety Report" or carrying out a risk analysis is not merely a matter of "complying with a legal requirement" or a Regulation; rather, "Safety Management" has by now become the central aspect of production activity. [...]
Safety is an integral part of production activity, and only through "Integrated Management", which makes it no longer an accessory aspect, can high levels of safety, protection of people and their health, and integrity of environmental and corporate assets be achieved.
Since the Piper Alpha disaster in the North Sea, the design of ESD valves has been given top priority and remains of great concern for plant safety management. Constant improvements have been made to ensure the integrity of the ESD valves. Essentially, ESD valves should perform their duty (usually closure of the valve) under plant demand conditions. To meet the production bottom line, these valves are required to remain open for months, even years, which leads to build-up or corrosion in the valve internals. The final control element is the weakest link in the SIS. It contributes 50% of the total PFDavg for a SIF. To meet the desired 'Availability' figure for ESD valves, different tools have been devised. Partial Valve Stroke Test, Valve-Actuator signature curve, and Testing Intervals (TI) are buzzwords in the industry. However, there is no industry standard for ESD valves which covers both engineering and safety aspects together.
Modern distributed control systems are connected via bus systems, which need effective and uninterrupted communication between all subscribers. Therefore it is necessary for these communications to be fault tolerant and safe. For safety related systems, additional safety layers are required to fulfil these requirements. In a safety related application it is important to understand that a safe protocol alone cannot fulfil this requirement without two safe source and destination hardware nodes. Only the marriage of safety related protocol and safety related hardware nodes can fulfil the requirements for safety related bus systems.
[…] The more precise and effective, efficient and accessible, flexible and safe production plants and flows must be, the more information about the plant state is required. As a result, an expanding number of measuring and monitoring points for processing data is essential. […]
Due to these requirements, the manufacturer of safety-related automation systems must develop innovative approaches which take the requirements demanded by the operators into consideration.
Ancillary conditions for such automation systems are easy operability, simple handling, high reliability and safety for the controlled process.
The requirements for safety-related automation systems are as essential as the normative requirements and those given by law. The latter consider not only the hardware, but also the operating system, the programming languages for processing applications and the diagnostic devices. The overall life cycle of such a system is therefore taken into consideration.
Partial Valve Stroke Testing, or PVST, is an emerging concept to automatically increase the performance of Safety Instrumented Systems. PVST is a concept where safety-related valves like ESD valves and shut-off valves are automatically tested for failure modes that are related to valve sticking and slowed-down operation. Current trends in the industry show a growing number of dedicated technical PVST solutions by various automation and instrumentation vendors. The added value of PVST within the process industries is a significant reduction of the frequency of required manual periodic valve proof tests, its related manual test cost, and reduced spurious trips due to manual errors. Partial testing is performed by additional automated test instrumentation, which can easily be initiated and controlled by the safety instrumented system's logic solver such as the safety-related PLC. This paper will discuss practical examples of Partial Valve Stroke Testing in which it appears that SIL1 rated valves can be upgraded to SIL2, and off-line proof test intervals can be extended from two (2) to five (5) years.
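As an added illustration (not code from any of the papers summarised here) of the PVST claims above and of the earlier caveat that the credit taken for partial stroke testing rests on the assumed diagnostic coverage: the simplified IEC 61508-6 low-demand approximation for a single (1oo1) final element, PFDavg ≈ λDU·T/2, extended with an assumed PST coverage so that the covered fraction of dangerous undetected failures is revealed at the PST interval instead of the proof-test interval. The failure rate, coverage and intervals are constructed values, and the model ignores repair time and imperfect proof testing.

```python
# Simplified low-demand PFDavg model for a 1oo1 final element with optional
# partial stroke test (PST) credit. All numeric inputs below are constructed
# for illustration only, not taken from the papers above.

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand SIL bands: (lower bound inclusive, upper bound exclusive, SIL)
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]


def pfd_avg_1oo1(lambda_du, proof_test_interval_h, pst_coverage=0.0, pst_interval_h=None):
    """PFDavg ~= lambda_DU * T / 2 (IEC 61508-6 approximation, no MTTR, perfect proof test).
    The fraction pst_coverage of dangerous undetected failures is assumed to be found by
    the partial stroke test, i.e. at the shorter PST interval; the rest waits for the proof test."""
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("pst_coverage must be between 0 and 1")
    undetected = (1.0 - pst_coverage) * lambda_du * proof_test_interval_h / 2.0
    if pst_coverage == 0.0:
        return undetected
    if pst_interval_h is None:
        raise ValueError("pst_interval_h is required when PST credit is claimed")
    detected_by_pst = pst_coverage * lambda_du * pst_interval_h / 2.0
    return undetected + detected_by_pst


def sil_from_pfd(pfd):
    """Map a PFDavg to its low-demand SIL band; None if outside SIL 1..4."""
    for lower, upper, sil in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return None


def min_pst_coverage_for_sil(lambda_du, proof_test_interval_h, pst_interval_h, target_sil):
    """Smallest PST coverage (1% steps) at which the element reaches target_sil or better.
    Makes visible how much of the claimed credit rests on the coverage assumption."""
    for step in range(0, 101):
        coverage = step / 100.0
        sil = sil_from_pfd(pfd_avg_1oo1(lambda_du, proof_test_interval_h, coverage, pst_interval_h))
        if sil is not None and sil >= target_sil:
            return coverage
    return None


if __name__ == "__main__":
    lam = 2e-6  # constructed: dangerous undetected failure rate of the valve, per hour
    for years in (2, 5):
        ti = years * HOURS_PER_YEAR
        base = pfd_avg_1oo1(lam, ti)
        pst = pfd_avg_1oo1(lam, ti, pst_coverage=0.85, pst_interval_h=730.0)  # monthly PST
        print(f"TI={years}y: no PST {base:.2e} (SIL {sil_from_pfd(base)}), "
              f"with PST {pst:.2e} (SIL {sil_from_pfd(pst)})")
    print("PST coverage needed for SIL 2 at 5 y:",
          min_pst_coverage_for_sil(lam, 5 * HOURS_PER_YEAR, 730.0, 2))
```

With the constructed rate, the valve sits in SIL 1 at a 2-year proof test, reaches SIL 2 with 85% PST coverage, and still holds SIL 2 at 5 years; dropping the assumed coverage below 79% loses that credit at 5 years, which is the sensitivity a reviewer should ask about.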
The advantages of field bus for process control applications are well known in the process, manufacturing, auto, and machinery industries. Consequently, there are several standards for implementing field bus, e.g. IEC-IEC/SC 65C/MT 9, ANSI/ISA 50.02, and IEC-61158. The current field bus standards do not, however, address the issues and requirements of field bus for safety applications. Specifically, the requirements noted in IEC-61508, "Functional Safety of electrical/electronic/programmable electronic safety related systems", and the sector-specific standards, e.g. IEC-61511, "Functional Safety: Safety Instrumented Systems for the process industry sector", IEC-61513, "Nuclear power plants – Instrumentation and control for systems important to safety", or other sector safety standards. That is, risk reduction factors or safety integrity levels (SIL) and reliability requirements are not addressed in the current field bus standards for process control applications. As of this date, there are no national or international standards for safety bus, but there are some protocols recognized for safety applications, e.g. PROFIBUS in the machinery industry. Safety buses have not yet been accepted in the process industries. Moreover, the ISA 84 committee is concerned that some will implement buses with a detrimental impact on safety. In order to address these concerns, the ISA Committee formed a working group (WG-1) to address high-level or global bus issues. This paper will discuss those global safety bus requirements that users as well as vendors have recognized. In addition, the requirements listed in the draft ISA Technical Report ISA SP84 WG 1 will be discussed in detail.
The underlying attribute of the safety management function is a thorough and integrated understanding of the process. In practice safety management will deal with having the right people, with the right knowledge, using the right tools for the organization's situation. Several techniques and tools have been developed to address safety management functions within the various phases of the safety lifecycle of the system. These techniques can be and are used to collect information about parameters of interest that support the five core safety management functions. Some of these techniques are outlined here.
The ISO/IEC Guide 51 defines safety as "freedom from unacceptable risk". Therefore, in order to manage safety it is necessary to understand what leads to unacceptable risk. This understanding can be obtained with the identification of important process parameters, their possible deviations from normal conditions, and the consequences of these conditions. To focus on safety requires a comprehensive understanding of the manufacturing process. It is necessary to understand the process in terms of process parameters and process elements, which include the necessary hardware and software that materialize the process. These process parameters and elements need to be understood in terms of their relationships and possible interactions, and how deviations from the normal quantities, settings, or behavior can affect the safe operation of the process. To achieve a safe operating plant, it is necessary to design a process where possible deviations from normal conditions can be kept within specific limits that are dictated by what is perceived as acceptable risk.
The process industry has always been faced with the difficult task of determining the required integrity of safeguarding systems. In spite of the application of a wide variety of safeguarding measures, many accidents in the process industries still happen. Experience gained from these accidents has led to the application of a variety of technical and non-technical layers of protection, such as Safety Instrumented Systems (SIS). The central role of the safety PLC forces companies to decide on the logic solver integrity class (e.g. SIL 3) taking into account the current risk levels to be reduced by the SIS, as well as future higher risk levels. This article describes the future expectations with regard to the requirements and application of dedicated safety PLCs. It addresses issues such as the (un)acceptability of using a SIL 2 rated logic solver instead of SIL 3, and the (un)acceptability of using a single system both for control and process safeguarding functions.
Over the past year or so we have seen a rather disturbing trend from the process industries, that is, an attempt to drive safety instrumented functions to low safety integrity levels (SIL). The process of evaluating and implementing non-instrumented external protection layers is required by IEC-61508/61511 and is normally a good engineering practice. […]
Safety-related programmable electronic systems (PES) are advancing into areas where there were previously reservations against electronics and software. In recent years, generic standards have been created which formulate requirements for electrical, electronic and software components used in safety technology. On the other hand, with the opening of the European markets, many national supervisory functions of earlier times, e.g. those of the trade supervisory offices, have been dropped, with a view to extended liability under product liability laws. Independent of regulatory enforcement, the adherence to standards and guidelines can be assessed by the German Technical Supervisory Agencies (TÜV) as an independent body by means of a "Third Party Inspection". The article gives an overview of the methods used during such an inspection.
A Safety Integrity Level (SIL) Analysis is the initial step in the Safety System Design Process. Where the HAZOP process normally discovers potential hazards and provides general recommendations, the SIL analysis is a specific analysis which defines the Safety Criteria and Mitigation of hazards which can lead to significant economic, safety and environmental consequences.
There are three SILs utilized by ISA S84 and four by IEC 1508/1511 for Risk Classification, as defined in terms of Probability of Failure on Demand (PFD). This paper provides a methodology to evaluate and classify risk in terms of Consequences, and to determine the SIL for the process under consideration based on these Consequences and the Process Demand Rate. The methodology can be customized to comply with existing company standards, and should satisfy many of the critical OSHA 29 CFR 1910.119 requirements.
In addition, the paper addresses the configuration of the Safety Instrumented System (SIS) and the impact of field devices on the system SIL, including the necessity of redundancy and testing of field devices to achieve and maintain SILs of 2 or higher.
OSHA 1910 specifically addresses emergency shutdown systems and controls as equipment that must meet mechanical integrity requirements under the rule. Without proper classification or public standards which define otherwise, all instrumentation and controls may be interpreted as critical and seemingly must comply with the mechanical integrity section. It is estimated that only 5-15% of all controls may truly be classified as critical and must meet the intent of the rule. Covering all controls under mechanical integrity dilutes focus and manpower away from the instrumentation, controls and safety functions that do protect against highly hazardous process safety events. Thus the requirements for the definition and classification of critical instruments and controls are paramount to ensuring their long-term performance and operation. This paper explores the definition and classification of critical instrumentation and controls, and provides some basic parameters for design.
This paper presents background and basis for establishing acceptable and tolerable levels of fatalistic risk specific to the Hydrocarbon / Petrochemical / Chemical (HPC) industry, and suggests both a target level of tolerable risk and a boundary region. It also implies that tolerable fatalistic risk levels should be an industry wide standard, and not governed or decided by individual organizations. Further, the criticality of having an acceptable risk reduction target suggests that it is imperative for regulatory bodies and/or their standard setting organizations to adopt and publish these criteria.