Smart instruments are commercial off-the-shelf process instruments that contain microprocessors. The use of firmware in these microprocessors presents challenges to the nuclear industry, particularly in safety applications. […] This paper examines the practicalities of smart instrument selection, substantiation, specification and use. It also describes experiences along the way and recommends some future developments. The paper also offers some egalitarian solutions to everyday problems encountered in the inexorable move to smart instrument use.
The aim of this paper is to give a new insight into some fundamental concepts of the IEC 61508 standard. In a first part, we examine low and high or continuous demand modes of operation. We study how to determine the accident frequency in the case the system under study is made of one element under control and its associated safety instrumented system. In a second part, we study the relationship between the average probabilities of failure on demand and the risk reduction factor. Finally, we consider the probability of failure per hour of a safety instrumented system. We propose different ways to compute it.
Authors: F. Innal, Yves Dutuit, A. Rauzy, Jean-Pierre Signoret
Current IEC 61508 and IEC 61511 standards describe performance levels for safety functions and the devices and systems that carry out these safety functions. The Safety Integrity Level (SIL) is the concept that describes this performance both qualitatively and quantitatively. However, these same standards provide no description and no concept covering the performance levels for spurious trips. Risknowlogy developed a new notion named Spurious Trip Level® (STL™) to describe this performance.
The Spurious Trip Level® (STL™) gives end-users a new attribute that will help them to define the desired process availability in relation to the performance of safety instrumented functions.
This paper will present a systematic methodology for selecting a Safety PLC platform. It will describe the evaluation of Safety PLCs based upon both technical requirements (i.e. safety requirements) and commercial requirements (i.e. availability and Life Cycle Cost analysis).
Many facilities have existing legacy Burner Management Systems that utilize a General Purpose Safety Configured PLC as the logic solver. Most of these systems were installed prior to the development and finalization of ANSI/ISA 84.01, IEC 61511 and/or IEC 61508.
This paper will discuss the issues, decisions, and challenges encountered when attempting to apply the concepts of the Safety Lifecycle per ANSI/ISA 84.01, IEC 61508 and/or IEC 61511 to the design of an existing BMS for a single burner natural gas fired installation. In addition, the development of a Markov model for a General Purpose Safety Configured PLC, the identification of some typical BMS Safety Instrumented Functions (SIF) and the subsequent determination of their Safety Integrity Levels (SIL) will be discussed in detail.
When considering SIL 2 level applications, extra validation steps are required to ensure the suitability of the logic solver for that Safety Integrity Level.
This case study will discuss the application of the Safety Lifecycle as defined by ANSI/ISA 84.00.01-2004 (IEC 61511 mod) to two (2) single burner multiple fuel boilers. Each boiler is capable of firing natural gas, oil and/or waste gas in order to supply the plant header with 1365 psig steam at a maximum capacity of 310,000 lb/hr. The project team included the end client task force at the manufacturing facility, the engineering firm with design/procurement responsibility, the boiler OEM, the Burner/Gas Train OEM, and the safety instrumented system consultant. This paper will include the following:
Development of the concept of a SIS Front End Loading package
Project cost savings realized attributed to following the Safety Lifecycle
Challenges encountered during the design process associated with implementation of the Safety Lifecycle with the diverse project team
This paper will explore and contrast the system implementation requirements for a Burner Management System mandated by NFPA 85 (The Boiler and Combustion System Hazards Code, 2001 Edition) and those mandated by ANSI/ISA 84.00.01-2004. Perceived complexities have prevented some users from trying to apply both standards simultaneously to a BMS application. Even though there are a few fundamental differences between the two documents, most of the requirements mandated by ANSI/ISA 84.00.01-2004 are also invoked in NFPA 85. This paper will explore the similarities and the differences and describe the benefits of overlaying the performance-based requirements of S84 in combination with the prescriptive requirements contained in NFPA 85. It will be shown that combining the performance mandates of ANSI/ISA 84 with the prescriptive requirements of NFPA 85 will reduce risk of ownership while maximizing Return On Investment (ROI) for BMS installations.
Layer of Protection Analysis (LOPA), a semi-quantitative Process Hazard Analysis (PHA) technique, is an effective tool for hazard evaluation and risk assessment. It is a suitable semi-quantitative tool for statutory compliance purposes in the UK and an effective Process Safety Management tool for satisfying OSHA requirements in the USA. It is a simple tool that identifies the safeguards to be considered for risk assessment and risk reduction. Details of the technique, with examples, are given in this article.
When developing safety-critical embedded software it is important to consider the objectives of standards such as IEC 61508. These standards impose additional constraints on the development processes and require the production of evidence that the objectives were met. IEC 61508 is a generic safety publication. The standard was developed for traditional (hand-coded) software development processes and does not cover advanced software development technologies such as Model-Based Design and production code generation. Therefore the measures and techniques recommended by IEC 61508-3 need to be mapped onto Model-Based Design processes and tools.
This paper is an updated version of a paper that originally appeared in the proceedings of the Workshop on Model-Based Development of Embedded Systems III (MBEES 2007), Schloß Dagstuhl, Germany, Jan. 2007.
The application of the requirements of the IEC 61508/61511 standards within the plant engineering development process encounters some practical problems, related for example to the scheduling of the SIL allocation activities and their relationship with other analyses carried out on the project (for example HAZOP, QRA); this can lead to difficulties in quantifying the consequences, both in terms of accidents and in terms of economic loss from lost production and damage to equipment. The definition of the criteria for SIL allocation also presents degrees of freedom that can cause the results to vary, even significantly, for plants that are very similar. As for SIL verification, it is evidently tied to the failure rates chosen for the various items, which can influence the test intervals and the very architecture of the system chosen to meet the SIL value.
Over the past 25 years there have been a number of initiatives worldwide to develop guidelines and standards to enable the safe exploitation of programmable electronic systems used for safety applications. In the context of industrial applications (to distinguish from aerospace and military applications) a major initiative has been focussed on IEC 61508 and this standard is emerging as a key international standard in many industrial sectors. This paper looks at the background to the development of IEC 61508, considers some of the key features and indicates some of the issues that are being considered in the current revision of the standard.
This paper is an updated version of a paper by the Health & Safety Executive, UK (Author: Ron Bell), 2005. The paper first appeared in the ACS Workshop on Tools and Standards, Sydney, Australia, 2005. This version: May 2007. Reproduced under the terms of the Click-Use License.
Operational characteristics of static ESD valves impose design and testing requirements that are very different from those required for a control valve operating in a fully dynamic mode. Partial stroking of ESD valves can be a good complement to full stroke testing, as long as we have a clear understanding of the implications of the assumptions in diagnostic coverage and the credit taken for this type of test.
This paper reviews the pros and cons of PST in the processing industries, from an independent and objective viewpoint, with absolutely no vested interest from either vendors or end-users.
Over the last years, Petróleos Mexicanos (PEMEX) has carried out an intense modernization job in all of its facilities around the country. As part of the modernization project, automation and optimization of the control equipment, instrumentation and communications play a fundamental role.
In Italy, in recent years, at establishments with major accident hazards, analyses carried out by applying the IEC 61508/IEC 61511 standards have become increasingly evident [...]
The experience gained in these years has created in companies the awareness that the drafting of a "Safety Report" or the carrying out of a risk analysis is not merely a matter of "complying with a legal provision" or a regulation; rather, "Safety Management" has by now become the central aspect of production activity. [...]
Safety is an integral part of production activity, and only through "Integrated Management", which makes it no longer an ancillary aspect, can high levels of safety, protection of people and their health, and integrity of environmental and company assets be achieved.
Since the Piper Alpha disaster in the North Sea, the design of ESD valves has been given top priority and remains of great concern for plant safety management. Constant improvements have been made to ensure the integrity of ESD valves. Essentially, ESD valves should perform their duty (usually closure of the valve) under plant demand conditions. To meet the production bottom line, these valves are required to remain open for months, even years, which leads to build-up or corrosion in the valve internals. The final control element is the weakest link in the SIS; it contributes 50% of the total PFDavg for a SIF. To meet the desired "Availability" figure for ESD valves, different tools have been devised. Partial Valve Stroke Test, Valve/Actuator signature curve and Testing Intervals (TI) are buzzwords in the industry. However, there is no industry standard for ESD valves which covers both engineering and safety aspects together.
This paper presents main results from a project that prepared a guideline for use of the standards IEC 61508 and IEC 61511 in the offshore industry of Norway. There is a focus on the determination of Safety Integrity Level (SIL) for main equipment. Also the paper will discuss the elements contributing to safety unavailability and the calculation of the Probability of Failure on Demand (PFD), which is crucial for the determination of SIL.
Partial stroking is a widely used method to avoid sticking of a ball valve when it is not operated for some time. It is also used to reduce the actuator size and thus the total cost of the valve and actuator. Partial stroking should not be confused with Partial Stroke Testing or even Partial Stroke Monitoring. This article presents the various aspects and conditions for partial stroking on fast acting applications.
Presented at the TÜV Rheinland Group's symposium, June 9th, 2005, Cleveland, Ohio, USA
Safety functions in the various industrial sectors are by now almost exclusively delegated to electrical or electronic devices. Programmable logic controllers too, which were initially used for operational functions, are finding increasing application for plant safety purposes. Interest in the study of the reliability of safety systems (SIS, Safety Instrumented Systems) has resulted in the publication of international standards (the IEC 61508 and IEC 61511 series) and European standards (the CEI EN 61508 series, published in 2002).
Among the objectives of these standards is the definition of methodologies for the risk analysis of systems with E/E/PE (electrical/electronic/programmable electronic) components and the definition of the specific requirements needed to achieve functional safety (SIL, Safety Integrity Level).
Each of the suggested methods can be applied to the analysis of some aspects of the behaviour of a safety system, and therefore applying these methods concurrently may lead to different results. [...]
A detailed qualitative analysis, combined with a quantification of the reliability parameters performed through Markov theory and fault trees (FTA), allowed the definition of a model for evaluating the reliability of safety systems in compliance with the requirements of the standards. [...]
Published in the Proceedings of the XXXI ANIMP OICE UAMI National Conference, Monastier di Treviso (TV), 14-15 October 2004
The safety functions in industrial plants are increasingly delegated to electrical, electronic or programmable electronic (E/E/PE) Safety Instrumented Systems (SIS). The international standard IEC 61508 proposes guidelines which can be used to define the requirements for achieving a specified Safety Integrity Level (SIL) and to evaluate the actual availability of a SIS. Many factors can influence the value of the SIL (system configuration, diagnostics, testing and restoration time), and the standard proposes simplified formulas for the evaluation of the Probability of Failure on Demand (PFD) for different architectures, but in some cases more detailed analyses are required. This is due to elements which cannot be evaluated in a simplified analysis, such as operability and maintenance requirements. In order to evaluate the impact of each parameter on the PFD, a sensitivity analysis was executed.
If a more accurate analysis is required, Monte Carlo simulation used together with Markov Analysis can help analysts to evaluate the SIL of complex Safety Instrumented Systems and to identify the best solution in order to comply with the system safety requirements.
Published in the Proceedings of the 1st International Conference on Maintenance Management, April 14th-15th, 2005, Venice, Italy
Recently published international standards, such as ISA-SP84 of the Instrument Society of America and the IEC 61508 draft of the International Electrotechnical Commission, establish performance-based criteria for the design, installation, operation, and decommissioning of Programmable Electronic Systems (PES) used for safety related functions. These criteria address specifications for the necessary function of these systems and requirements about their appropriate Safety Integrity Levels, as well as issues of hardware and software design, testing, management, maintenance and documentation. The present paper demonstrates, through specific examples, an approach for the evaluation of the Safety Integrity Level (SIL) of Programmable Electronic Systems performing specific safety functions in accordance with the aforementioned standards. This approach addresses the definition of PES architectures in terms of the interaction of PES components, their failure modes and associated failure rates. It also addresses the impact of the embedded software quality, the significance of the coverage factor of the diagnostic systems of fault tolerant PES, and the significance of common cause failures. The use of appropriate tools for the evaluation of SIL, such as reliability block diagrams, fault trees, and Markov models, is discussed and demonstrated.
9th International Symposium on Loss Prevention and Safety Promotion in the Process Industries, Barcelona, Spain, May 1998
This paper will focus on Programmable Electronic Safety Systems (PESs) and their diagnostic systems. A PES is defined as a system for control, protection or monitoring based on one or more programmable electronic devices, including elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices. The diagnostic systems of PESs comprise hardware and software elements that identify and reveal covert PES failures on-line, when they occur. Thus, immediate repair of the PES safety system can be performed before an upset condition of the safeguarded process occurs. A measure of the effectiveness of diagnostic systems is the so-called "coverage factor". This expresses the fraction of the total number of possible covert failures of the safeguarding PES that will be revealed by the diagnostics. Our examination will cover the basic elements of PESs and address practical questions, such as the nature of diagnostic systems, how diagnostics are realized (with examples for the different PES components), what level of diagnostic efficiency can be achieved by different approaches and systems, and methods of evaluation of the diagnostic coverage factor.
The purpose of this paper is to show the influence of design parameters on the performance of safety systems. The performance is measured in terms of the Probability of Failure on Demand (PFD). This attribute is important in the safety world as its value is a measure of the safety achieved. The required PFD is expressed in national and international standards as the safety integrity level [1,2]. These safety integrity levels (SIL) represent discrete levels of reliability depending on the severity of the process or the equipment under control (EUC).
The purpose of this paper is to show the influence of design parameters on the performance of safety systems. The performance is measured in terms of the Probability of Fail-Safe (PFS), or spurious trip. This attribute is important in the safety world as its value is a measure of the financial loss caused by the safety system because of spurious trips. At present there is no measure for PFS analogous to the SIL level for PFD failures.
The purpose of this paper is to show the effect that online diagnostics and periodic proof testing have on the performance of the safety function in terms of the PFD. For three different architectures, the influence of the diagnostic coverage, the proof test coverage, and the proof test interval on the PFD is determined. A performance indicator is used to express this influence and show the effect.
Modern distributed control systems are connected via bus systems, which need effective and uninterrupted communication between all subscribers. Therefore it is necessary for these communications to be fault tolerant and safe. For safety related systems, additional safety layers are required to fulfil these requirements. In a safety related application it is important to understand that a safe protocol alone cannot fulfil this requirement without two safe source and destination hardware nodes. Only the marriage of safety related protocol and safety related hardware nodes can fulfil the requirements for safety related bus systems.
[…] The more precise and effective, efficient and accessible, flexible and safe production plants and flows must be, the more information about the plant state is required. As a result, an expanding number of measuring and monitoring points for processing data is essential. […]
Due to these requirements, the manufacturer of safety-related automation systems must develop innovative approaches which take the requirements demanded by the operators into consideration.
Ancillary conditions for such automation systems are ease of operation, simple handling, high reliability and safety for the controlled process.
The requirements for a safety-related automation system are as essential as the normative requirements and those given by law. The latter cover not only the hardware but also the operating system, the programming languages for processing applications and the diagnostic devices. The overall life cycle of such a system is therefore taken into consideration.
A considerable amount of data is required in order to be able to assess safety systems properly. One of the most important criteria is consideration of the distribution of failures over a system’s life cycle. In considering such failures, a basic distinction is made between safe and dangerous failures. […] In the event of dangerous detectable failures, however, the safety system, provided it is appropriately designed, can bring the entire system or plant into a safe state. It is undetectable, dangerous failures that constitute a critical state. No safety system is able to detect such failures when they occur. They may be present in the system until it switches off or, in the worst-case scenario, until it fails dangerously without the user being aware of it. […]
This paper discusses the methodical analysis of hardware architectures used in safety-related applications. It provides an excursus on a safe computer system's software technology and expands the overview in greater detail. This leads into the final sections, which present the required test procedures. The excursus cannot, however, be complete, because studies and methods have increased rapidly, particularly with respect to object-oriented software system design and programming.
Partial Valve Stroke Testing, or PVST, is an emerging concept for automatically increasing the performance of Safety Instrumented Systems. PVST is a concept in which safety-related valves such as ESD valves and shut-off valves are automatically tested for failure modes related to valve sticking and slowed operation. Current trends in the industry show a growing number of dedicated technical PVST solutions from various automation and instrumentation vendors. The added value of PVST within the process industries is a significant reduction in the frequency of required manual periodic valve proof tests, in the related manual test cost, and in spurious trips due to manual errors. Partial testing is performed by additional automated test instrumentation, which can easily be initiated and controlled by the safety instrumented system's logic solver, such as the safety-related PLC. This paper will discuss practical examples of Partial Valve Stroke Testing in which it appears that SIL 1 rated valves can be upgraded to SIL 2, and off-line proof test intervals can be extended from two (2) to five (5) years.
The advantages of field bus for process control applications are well known in the process, manufacturing, auto, and machinery industries. Consequently, there are several standards for implementing field bus, e.g. IEC-IEC/SC 65C/MT 9, ANSI/ISA 50.02, and IEC-61158. The current field bus standards do not, however, address the issues and requirements of field bus for safety applications, specifically the requirements noted in IEC-61508, "Functional Safety of electrical/electronic/programmable electronic safety related systems", and in the sector specific standards, e.g. IEC-61511, "Functional Safety: Safety Instrumented Systems for the process industry sector", IEC-61513, "Nuclear power plants – Instrumentation and control for systems important to safety", or other sector safety standards. That is, risk reduction factors or safety integrity levels (SIL) and reliability requirements are not addressed in the current field bus standards for process control applications. As of this date, there are no national or international standards for safety bus, but there are some protocols recognized for safety applications, e.g. PROFIBUS in the machinery industry. Safety buses have not yet been accepted in the process industries. Moreover, the ISA 84 committee is concerned that some will implement buses with a detrimental impact on safety. In order to address these concerns, the ISA Committee formed a working group (WG-1) to address high level or global bus issues. This paper will discuss those global safety bus requirements that users as well as vendors have recognized. In addition, the requirements listed in the draft ISA Technical Report ISA SP84 WG 1 will be discussed in detail.
The Safety Integrity Level (SIL) of a Safety Instrumented Function (SIF) depends on failures of the various components involved in performing the function. These failures depend on various factors and can be random hardware failures and/or systematic failures. Failures of a SIF need not necessarily result in a hazardous event when there are other Layers of Protection. Hence the residual risk probability that remains after the various layers of protection is of interest, and it should be tolerable. In order to find the residual risk due to a hazard we need to know the demand rate of the hazard, the failure rates of the various layers of protection and the factors which influence these failures. Hence the failure rates are not static but dynamic, as various factors come into play during the lifecycle of the protection devices involved. In this paper the author proposes Bayesian Belief Networks to build a scenario-based SIF model and use it in the post-design phase to track the residual risk probability. An example is used to illustrate the application.
The purpose of this document is to introduce the concept of functional safety and give an overview of the international standard IEC 61508. You should read it if you are:
Wondering whether IEC 61508 applies to you,
Involved in the development of electrical, electronic or programmable electronic systems which may have safety implications, or
Drafting any other standard where functional safety is a relevant factor.
Section 2 of this document gives an informal definition of functional safety, describes the relationship between safety functions, safety integrity and safety-related systems, gives an example of how functional safety requirements are derived, and lists some of the challenges in achieving functional safety in electrical, electronic or programmable electronic systems. Section 3 gives details of IEC 61508, which provides an approach for achieving functional safety. The section describes the standard’s objectives, technical approach and parts framework. It explains that IEC 61508 can be applied as is to a large range of industrial applications and yet also provides a basis for many other standards.
Source – International Electrotechnical Commission (IEC)
IEC 61511 was released as an international standard in 2004. The United States ISA SP84 committee has accepted ISA 84.01-2004 as the replacement for ANSI/ISA 84.01-1996 (ISA 84.01-1996). The new standard will be called ANSI/ISA 84.00.01-2004 (IEC 61511). […] The SP84 committee is now completing a guidance document, ISA TR84.00.04, concerning implementation of ISA 84.01-2004 in the United States. […] Although ISA 84.01-2004 uses a lifecycle concept, it is not a mirror image of ISA 84.01-1996. An international standard must harmonize the standards of many countries. Consequently, the standard will add new requirements for component selection, design architecture, software development, pre-startup safety reviews, operation and maintenance, and management of change. […] This paper will focus on the most significant differences between ISA 84.01-2004 and ISA 84.01-1996, highlighting what end users need to consider in migrating their current ISA 84.01-1996 programs into ISA 84.01-2004 programs.
Safety Integrity Levels as defined by IEC 61508 provide the plant designer with the opportunity to optimise the design of protection systems against potential hazards based on knowledge of the consequences of failure. This paper details the reasons behind the development of the standard and describes the techniques that can be used for integrity level evaluation. A case study is then presented that demonstrates approaches for the assessment and implementation of the safety integrity requirements.
This article reviews the principal requirements of IEC 61508 relating to the specification and design of hardware and software in programmable electronic systems intended for use in safety-related applications.
This paper was originally published in the Computing & Control Engineering Journal, vol. 11, no. 11, February 2000, Institution of Electrical Engineers, London, UK