IEC61511 Standard Overview
Andre Kneisel, Instrumentation Engineer, Chevron C.T. Refinery
SAFA Symposium 2011
August 5th, 2011
Presentation Overview
• Provide some understanding of the key aspects of Functional Safety and the applicable standard, IEC 61511.
• Attempt to explain some of the associated terminology and acronyms which are frequently used.
• Answer the question: "How do we determine if a safety function is required, and if it is required, how reliable should it be?"
• Answer the question: "How do we calculate the reliability of a given safety function?"
• Explore the impact of including explosion protection devices (such as IS Isolators) in the reliability calculations.
• Explore the impact of including the probability of ignition in the SIL selection process.
INTRODUCTION
What is Functional Safety?
It is the application of systems to maintain or
achieve a safe state for a process and its
associated equipment.
For the purpose of this presentation we are referring to
automated Safety Systems which generally operate without
operator intervention. We are not referring to mitigation
systems such as deluge systems or emergency response
systems. These are largely outside the IEC61511 standard.
IEC 61511 Overview
What is IEC 61511?
The Newly Released International Standard for the Design,
Implementation, Operation, Maintenance, Testing &
Decommissioning of Safety Instrumented Systems for the
Process Industries.
Performance vs. Prescriptive Based Standard
Focus on Management of Functional Safety & Design Lifecycle
Focus on SIS Design / Performance that Mitigates Risk
Appropriately
Accepted by CENELEC (European Committee for Electrotechnical
Standardization) as European standard in 2003.
Accepted by ANSI (American National Standards Institute) as
United States’ standard, ANSI/ISA 84.00.01-2004 Parts 1-3 (IEC
61511 modified).
IEC61511 – WHAT IT IS NOT
IEC61511 is not a prescriptive standard in terms of
prescribing what safety functions should be implemented. An
engineer would not find a list of recommended safety
functions for a particular process or type of equipment in the
standard.
The standard also does not provide a guide for the required
reliability (SIL) of safety functions. It is, in fact, quite
possible for two different companies both implementing the
same process and equipment to arrive at different target SIL
values for the same safety functions.
IEC 61508 SAFETY-RELATED SYSTEMS
Sector standards under IEC 61508 (figure):
Process Industries – IEC 61511: Safety Instrumented Systems
Manufacturing Industries – IEC 62061: Industrial Robots, Machine Tools
Transportation: Railway Signaling, Braking Systems, Lifts
Medical: Miscellaneous Electro-medical apparatus, Radiography
IEC 61508 is the umbrella standard that covers different industrial sectors. Each sector can develop its own standard using its terminology, but must follow the framework and core requirements of IEC 61508.
Relationship between IEC 61508 & IEC 61511
PROCESS SECTOR SAFETY INSTRUMENTED SYSTEM STANDARDS (figure):
Manufacturers and suppliers of devices – IEC 61508
Safety instrumented systems designers, integrators and users – IEC 61511 / ANSI/ISA-84.00.01-2003 (IEC 61511 Mod)
IEC 61511 Overview (cont’d)
Functional Safety: Safety Instrumented Systems for the Process Industry Sector
Part 1 – Framework, definitions, system, hardware and software requirements
Part 2 – Guidelines for Part 1
Part 3 – Guidance for determining required Safety Integrity Levels
IEC 61511 Overview: SIS Lifecycle (cont’d)
Safety lifecycle figure, with the phase each step belongs to (Hazard & Risk Analysis, Design Basis, EPC / Detailed Engineering, O&M) and the IEC 61511-1 clause that governs it:
1. Hazard & Risk Analysis – Clause 8
2. Allocation of Safety Functions to Protection Layers – Clause 9
   (in parallel: Design and Development of Other Means of Risk Reduction – Clause 9)
3. Safety Requirements Specification for the Safety Instrumented System – Clauses 10 & 12
4. Design and Engineering of Safety Instrumented System – Clauses 11 & 12
5. Installation, Commissioning and Validation – Clauses 14 & 15
6. Operation and Maintenance – Clause 16
7. Modification – Clause 17
8. Decommissioning – Clause 18
9. Verification – Clauses 7, 12.4 & 12.7
10. Management of Functional Safety and Functional Safety Assessment and auditing – Clause 5 (FUNCTIONAL SAFETY MANAGEMENT, spanning all steps)
11. Safety Lifecycle Structure and Planning – Clause 6.2
EPC – Engineering, Procurement & Construction (includes Implementation, Commissioning, and Validation).
O&M – Operations and Maintenance, including provisions for Management Of Change (MOC).
TERMS AND DEFINITIONS
SIS – SAFETY INSTRUMENTED SYSTEM
A SIS is an instrumented system used to implement one or more safety functions. A SIS is composed of input sensor(s), logic solver(s) and final element(s).
Typically a single SIS implements multiple safety instrumented functions and is normally independent of the control systems.
In the past SIS were known as Emergency Shutdown Systems (ESD) or as Safety Systems. Typically the Logic Solver is a high reliability programmable system with redundant power supplies, CPUs and IO modules. However, the logic solver may also just be a simple system comprising relays and contacts used to implement some tripping logic.
TERMS AND DEFINITIONS
SIS – Typical Configuration
Figure: a REACTOR instrumented with TT1, TT2, TT3 and PT1, PT2, PT3 (INPUT SENSORS); the SIS and the BPCS, each drawn as Power Supply, CPU, Input Module and Output Module (LOGIC SOLVER); and the FINAL ELEMENTS they drive.
TERMS AND DEFINITIONS
SIF – Safety Instrumented Function
A SIF is a function implemented by a safety instrumented system
which is intended to achieve or maintain a safe state for the
process with respect to a specific hazardous event.
Different SIFs can use the same final elements. It is common for
different hazards to cause the shutdown of the same unit – in
which case the final elements are shared between different SIFs.
It is possible, but less common, for the input sensors to be
shared between different safety functions.
TERMS AND DEFINITIONS
SIF – Typical Configuration (figure)
TERMS AND DEFINITIONS
PFD – Probability of Failure on Demand
PFD is the likelihood (between 0 and 1) that a safety function will
fail to perform as required.
Examples:
• Sensor fails to detect a dangerous condition due to an internal fault.
• Block valve fails to close due to sticking.
The PFD of a safety function increases over time as shown on the following slide.
TERMS AND DEFINITIONS
PFD – Probability of Failure on Demand
Figure: the PFD of a safety function increases over time.
TERMS AND DEFINITIONS
SIL – Safety Integrity Level
The SIL of a safety instrumented function is the measure of the reliability of the function, i.e. the probability of the function performing its intended function, and is based directly on the average PFD of the safety instrumented function over its intended life span.
The SIL value is a discrete value from 1 to 4, with 1 being the least reliable and 4 the most reliable. For instance, a PFDavg of 5 × 10⁻³ would equate to SIL 2.
TERMS AND DEFINITIONS
SIL – Safety Integrity Level

SIL | Safety Availability Range | PFD Average Range (chance of failing) | Risk Reduction Factor
1   | 0.9 to < 0.99             | 10⁻¹ to > 10⁻²                         | 10 to < 100
2   | 0.99 to < 0.999           | 10⁻² to > 10⁻³                         | 100 to < 1,000
3   | 0.999 to < 0.9999         | 10⁻³ to > 10⁻⁴                         | 1,000 to < 10,000
4   | 0.9999 to < 0.99999       | 10⁻⁴ to > 10⁻⁵                         | 10,000 to < 100,000
TERMS AND DEFINITIONS
SIL – Safety Integrity Level
Key Concept:
A SIL value is normally associated with an entire safety function; however, individual SIF components may be certified in terms of IEC 61508 to have a SIL value. For instance, a Logic Solver may be certified SIL 3.
This means that the logic solver may be used as part of a SIL 3 safety instrumented function.
It does not mean that any safety instrumented function using this logic solver will automatically meet SIL 3.
TERMS AND DEFINITIONS
Proof Tests
These are tests which are carried out to ensure the functioning of a safety instrumented function.
Key Concept:
The PFDavg of a safety instrumented function is directly related to the proof test frequency. Consequently the SIL of a safety instrumented function is also directly related to the proof test frequency.
TERMS AND DEFINITIONS
Annual Proof Test (figure)
TERMS AND DEFINITIONS
Proof Test Every Four Years – Same SIF (figure)
SIL SELECTION
In the past, when deciding what Safety Functions to implement, engineers either based their decisions on prescriptive standards (where available) or, in many cases, on "good engineering practice" or past experience.
IEC 61511 requires that a company should follow a SIL selection process as part of the Hazard and Risk Analysis Phase. The standard is not prescriptive with regard to what SIL selection method to use, but does propose some example methods:
• Risk Graph Method
• Risk Matrix Method
• Quantitative – Layer Of Protection Analysis (LOPA)
• As Low as Reasonably Practical (ALARP)
SIL SELECTION
Key Concept:
The target SIL of a SIF is based on the amount of Risk Reduction needed to reduce the risk of the consequence scenario to an acceptable level (as determined by company policy).
TARGET SIL = Total Risk Reduction needed – risk reduction by non-SIS protection layers.
SIL SELECTION
LOPA EXAMPLE (figure)
SIL SELECTION
LOPA EXAMPLE
Using the LOPA example of the previous slide:
If the company's risk policy states that the maximum loss per hazard may not exceed 1 × 10⁻⁵ fatalities per year or R100,000 per year, then the risk must be reduced by a minimum factor of 7.175, which equates to an additional SIL 1 safety function (RRF 10–100).
If, on the other hand, the company's risk policy states that the maximum loss per hazard may not exceed 1 × 10⁻⁴ fatalities per year or R100,000 per year, then no additional safety function is required!
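The target-SIL arithmetic described above, as an added worked example in Python (not code from the presentation or from Chevron): a minimal LOPA that credits the existing non-SIS protection layers, computes the Risk Reduction Factor the SIF must still provide against both a fatality criterion and a monetary criterion, and maps that RRF to a target SIL using the SIL/RRF bands of the SIL table. All event frequencies, IPL PFDs and consequence values are constructed sample numbers, not the figures from the LOPA slide; the two tolerable-fatality criteria (1 × 10⁻⁵ and 1 × 10⁻⁴ per year) and the R100,000 per year criterion are the ones quoted on the slide.

```python
"""
Added worked example (not from the original presentation): a minimal Layer of
Protection Analysis (LOPA) that derives the Risk Reduction Factor a SIF must
supply and maps it to a target SIL, following
  TARGET SIL = total risk reduction needed - risk reduction by non-SIS layers.
All frequencies, PFDs and consequence values are constructed sample numbers.
"""
from dataclasses import dataclass, field
from math import prod

# IEC 61511 SIL bands expressed as (SIL, lower RRF, upper RRF), from the SIL table.
SIL_RRF_BANDS = ((1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000))


@dataclass
class Scenario:
    """One consequence scenario with the non-SIS protection layers that already exist."""
    name: str
    initiating_event_freq: float                   # initiating events per year
    enabling_factor: float = 1.0                   # fraction of time the hazard can occur
    ipl_pfds: dict = field(default_factory=dict)   # non-SIS IPL name -> PFD (0..1)
    fatalities_per_event: float = 0.0              # conditional probability of a fatality
    loss_per_event: float = 0.0                    # monetary loss per event (R)


def mitigated_frequency(s: Scenario) -> float:
    """Event frequency (per year) with every existing non-SIS IPL credited."""
    return s.initiating_event_freq * s.enabling_factor * prod(s.ipl_pfds.values())


def required_rrf(s: Scenario, max_fatalities_per_year: float, max_loss_per_year: float) -> float:
    """Risk reduction the SIF must add so that both company criteria are met.

    Each criterion yields its own RRF; the SIF has to satisfy the stricter one.
    An RRF <= 1 means the existing layers already meet the criterion.
    """
    f = mitigated_frequency(s)
    rrfs = []
    if s.fatalities_per_event > 0:
        rrfs.append(f * s.fatalities_per_event / max_fatalities_per_year)
    if s.loss_per_event > 0:
        rrfs.append(f * s.loss_per_event / max_loss_per_year)
    return max(rrfs, default=0.0)


def target_sil(rrf: float):
    """Map a required RRF onto a target SIL.

    Returns 0 when no additional SIF is needed, 1..4 for a SIL band, and None
    when the required reduction exceeds the SIL 4 band (a design change is
    needed rather than a larger SIF). An RRF between 1 and 10 is rounded up to
    SIL 1, the smallest band, as the slide does for its factor of 7.175.
    """
    if rrf <= 1.0:
        return 0
    for sil, _low, high in SIL_RRF_BANDS:
        if rrf < high:
            return sil
    return None


# Constructed scenario (sample values only): reactor overpressure.
REACTOR_OVERPRESSURE = Scenario(
    name="reactor overpressure",
    initiating_event_freq=0.1,     # BPCS control loop failure, once in 10 years
    enabling_factor=0.5,           # hazard only present half of the time
    ipl_pfds={"operator response to alarm": 0.1, "relief valve": 0.01},
    fatalities_per_event=0.5,
    loss_per_event=500_000.0,
)

if __name__ == "__main__":
    for tolerable in (1e-5, 1e-4):
        rrf = required_rrf(REACTOR_OVERPRESSURE, tolerable, 100_000.0)
        print(f"tolerable {tolerable:g} fatalities/yr -> required RRF {rrf:.3g}, "
              f"target SIL {target_sil(rrf)}")
```

With the sample numbers the mitigated event frequency is 5 × 10⁻⁵ per year; the 10⁻⁵ fatality criterion then requires an RRF of 2.5, which the bands round up to SIL 1, while under the 10⁻⁴ criterion the existing layers already suffice and no SIF is required, mirroring the two outcomes on the slide. The monetary criterion is evaluated alongside so that whichever is stricter drives the target; `target_sil` returning None is the signal that the required reduction lies beyond the SIL 4 band.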
SIL SELECTION
RISK MATRIX EXAMPLE
Each cell gives the Risk Rank (RR) followed, after the slash, by the SIL required of an additional safety function. NR (0) = Not Required; NS = Not Supported. Consequence severity increases from Incidental to Catastrophic (index 6 to 1); likelihood decreases from Likely to Rare (index 1 to 6).

Likelihood \ Consequence | Incidental (6) | Minor (5)   | Moderate (4) | Major (3)  | Severe (2) | Catastrophic (1)
Likely (1)               | 6 / NR (0)     | 5 / 1       | 4 / 2        | 3 / 3      | 2 / NS (4) | 1 / NS
Occasional (2)           | 7 / NR (0)     | 6 / NR (0)  | 5 / 1        | 4 / 2      | 3 / 3      | 2 / NS (4)
Seldom (3)               | 8 / NR (0)     | 7 / NR (0)  | 6 / NR (0)   | 5 / 1      | 4 / 2      | 3 / 3
Unlikely (4)             | 9 / NR (0)     | 8 / NR (0)  | 7 / NR (0)   | 6 / NR (0) | 5 / 1      | 4 / 2
Remote (5)               | 10 / NR (0)    | 9 / NR (0)  | 8 / NR (0)   | 7 / NR (0) | 6 / NR (0) | 5 / 1
Rare (6)                 | 10 / NR (0)    | 10 / NR (0) | 9 / NR (0)   | 8 / NR (0) | 7 / NR (0) | 6 / NR (0)
The probability of ignition must be taken into account when selecting the likelihood.
SIL SELECTION
RISK MATRIX EXAMPLE
If, in the example on the previous slide, the likelihood (with all protection layers present and enabling events accounted for, but no safety function allowed for) of a severe consequence occurring is assessed as seldom, then the risk matrix indicates that an additional SIL2 safety function is required.
SIL CALCULATION
FAILURE RATES
Reliability data for SIL rated equipment is normally provided in terms of the failure rates λS, λDD and λDU (e.g. failures per hour).
λS = Safe Failure Rate. This is the rate for the equipment failing to a safe state. For instance, a block valve failing into the closed position.
λDD = Dangerous Detected Failure Rate. This is the rate for the equipment failing into an unsafe state, however with diagnostic notification which will ensure that operators are made aware of the failure.
λDU = Dangerous Undetected Failure Rate. This is the rate for the equipment failing into an unsafe state, without diagnostic notification. For instance, a block valve stuck in the open position or a relay with contacts welded in the closed position.
THIS IS THE FAILURE RATE USED FOR CALCULATING THE PROBABILITY OF A FAILURE ON DEMAND (PFD).
SIL CALCULATION
PFD CALCULATION (figure)
SIL CALCULATION
INCORRECT METHOD
Figure: PT Sensor (SIL 2) → Interface IS Isolator (SIL 4) → Logic Solver (SIL 3) → Interface IS Isolator (SIL 3) → XV Final Element (SIL 2)
≠ SIL 2 FOR THE WHOLE SAFETY FUNCTION
Key Concept:
The Safety Integrity Level (SIL) of the whole safety function is not equal to the lowest SIL of the components. This is a common mistake.
SIL CALCULATION
CORRECT METHOD
Figure: PT Sensor → Interface IS Isolator → Logic Solver → Interface IS Isolator → XV Final Element, with the PFD of every component contributing to the PFD of the whole safety function.
Key Concept:
To calculate the SIL of the whole safety function it is necessary to combine the PFDs of the individual components to calculate an overall PFD and overall SIL value.
Note:
The PFD of the whole safety function can be influenced by the inclusion of intrinsic safety components which are used for explosion protection.
SIL CALCULATION (figure)
SIL CALCULATION
Methods to Increase SIL of Safety Function
• Use voting architectures. Typically 2oo3 voting or 1oo2 voting is used to increase the achieved SIL value. Note that 2oo2 voting actually decreases the achieved SIL value.
• Use higher reliability components. In most cases the limiting component is the final element.
• Increase the proof testing frequency.
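The PFD combination described in the Correct Method, Proof Tests and Methods to Increase SIL slides, as an added worked example in Python (not code from the presentation, from Chevron or from exSILentia). Each subsystem's PFDavg is derived from its λDU and the proof test interval, the subsystem values (IS isolators included) are summed to the PFDavg of the whole SIF, and the SIL is read from the PFDavg bands of the SIL table; the "lowest component SIL" shortcut is computed alongside to show where it goes wrong. The voting formulas are the IEC 61508-6 simplified equations with no common-cause (β), diagnostic-coverage or repair-time terms, so they show the trend only; the λDU values are constructed sample figures, not data for any real device.

```python
"""
Added worked example (not from the original presentation): simplified PFDavg
arithmetic for a safety instrumented function.

Subsystem PFDavg comes from lambda_DU and the proof test interval, subsystem
values are summed to the SIF PFDavg, and the SIL is read from the PFDavg bands.
Voting uses the IEC 61508-6 simplified equations without beta-factor, MTTR or
lambda_DD terms. All failure rates are constructed sample values.
"""

HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du: float, test_interval_h: float, arch: str = "1oo1") -> float:
    """Average PFD of one subsystem for a given voting architecture.

    lambda_du: dangerous undetected failure rate, failures per hour.
    test_interval_h: proof test interval in hours.
    Simplified formulas with x = lambda_du * T:
      1oo1: x/2      1oo2: x^2/3      2oo2: x      2oo3: x^2
    """
    x = lambda_du * test_interval_h
    formulas = {"1oo1": x / 2.0, "1oo2": x * x / 3.0, "2oo2": x, "2oo3": x * x}
    if arch not in formulas:
        raise ValueError(f"unsupported architecture {arch!r}")
    return formulas[arch]


def sil_from_pfd(pfd: float):
    """Map a PFDavg onto the IEC 61511 SIL bands; None if worse than SIL 1."""
    if pfd >= 1e-1:
        return None
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil
    return 4  # below 10^-5: the table tops out at SIL 4


def sif_pfd(components, test_interval_h: float) -> float:
    """PFDavg of the whole SIF: the sum of the subsystem PFDavg values."""
    return sum(pfd_avg(lam, test_interval_h, arch) for _name, lam, arch in components)


def lowest_component_sil(components, test_interval_h: float):
    """The 'incorrect method' from the slides, kept only for comparison."""
    return min(sil_from_pfd(pfd_avg(lam, test_interval_h, arch)) for _name, lam, arch in components)


# Constructed SIF following the slide's block diagram: (name, lambda_DU per hour, arch).
SIF_1OO1 = [
    ("PT sensor", 5.0e-7, "1oo1"),
    ("IS isolator (input)", 3.0e-8, "1oo1"),
    ("logic solver", 1.0e-8, "1oo1"),
    ("IS isolator (output)", 3.0e-8, "1oo1"),
    ("XV final element", 2.0e-6, "1oo1"),
]
# The same SIF with 2oo3 sensors and 1oo2 final elements, as on the voting slide.
SIF_VOTED = [
    ("PT sensors", 5.0e-7, "2oo3"),
    ("IS isolator (input)", 3.0e-8, "1oo1"),
    ("logic solver", 1.0e-8, "1oo1"),
    ("IS isolator (output)", 3.0e-8, "1oo1"),
    ("XV final elements", 2.0e-6, "1oo2"),
]

if __name__ == "__main__":
    for years in (1, 4):
        t = years * HOURS_PER_YEAR
        for label, sif in (("1oo1 ", SIF_1OO1), ("voted", SIF_VOTED)):
            total = sif_pfd(sif, t)
            print(f"{label} proof test every {years} yr: PFDavg={total:.2e} -> SIL "
                  f"{sil_from_pfd(total)} (lowest component SIL {lowest_component_sil(sif, t)})")
```

With the sample rates and an annual proof test the five 1oo1 subsystems are individually SIL 2, 3, 4, 3 and 2, yet their summed PFDavg (about 1.1 × 10⁻²) puts the SIF in SIL 1, and the final element dominates the total, as the slide predicts. Moving to 2oo3 sensors and 1oo2 valves brings the same SIF to SIL 3 with an annual test and SIL 2 with a four-year test, which is the proof-test dependence shown on the Proof Tests slides.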
SIL CALCULATION
Using Voting Architectures
Figure: three PT Sensors with 2 out of 3 Voting → Interface IS Isolator → Logic Solver → Interface IS Isolator → two XV Final Elements with 1 out of 2 Voting.
Note:
When using voting architectures it is necessary to use more sophisticated calculation methods or software tools such as exSILentia to perform SIL calculations.
CONCLUSION
The IEC61511 standard provides a framework for the
activities required to implement Safety Instrumented
Systems in the process industries.
The hazard analysis and SIL selection processes form a
fundamental part of the safety lifecycle and must be
performed in the initial stages of the lifecycle.
The SIL selection process and risk tolerance parameters
must be prescribed by the company’s or organization’s
policy.
CONCLUSION
The selection of a safety instrumented function’s SIL
can be strongly influenced by the probability of ignition.
Measures to reduce the probability of ignition reduce
the requirement for high SIL safety functions.
When calculating the actual achieved SIL of a safety
instrumented function, it is important to take the PFD of
all components into account. This means that in
applications where Intrinsically Safe barriers or isolators
are used for explosion protection, these components
should be included in the calculations.
It should be noted that these components generally
have low PFD values in relation to other components.
ABBREVIATIONS
ESD – Emergency Shutdown
IPL – Independent Protection Layer
PCS – Process Control System (such as DCS or PLC)
PFD – Probability of Failure on Demand
PHA – Process Hazards Analysis
SAT – Site Acceptance Test
SIF – Safety Instrumented Function
SIL – Safety Integrity Level
SIS – Safety Instrumented System
SRS – Safety Requirements Specification
REFERENCES
International Electrotechnical Commission, IEC 61511-1 Standard
Chevron Corporation, CVX-SIS-101/102/201/202 Training Manuals
Exida, exSILentia Integrated Safety Lifecycle Tool