SIS - Safety Instrumented Systems - A Practical View - Part 1
César Cassiolato
Introduction
Safety Instrumented Systems are used to monitor the values and parameters of a plant against their operational limits and, when a risk condition occurs, they must trigger alarms and place the plant in a safe condition, or even shut it down.
Safety conditions should always be followed and adopted by plants, and the best operating and installation practices are a duty of employers and employees alike. It is important to remember that the first concept behind safety law is to ensure that all systems are installed and operated in a safe way, and the second is that the instruments and alarms involved in safety operate reliably and efficiently.
Safety Instrumented Systems (SIS) are the systems responsible for operating safety, ensuring an emergency stop within the limits considered safe whenever the operation exceeds those limits. The main objective is to avoid accidents inside and outside the plant, such as fires, explosions and equipment damage, to protect production and property and, above all, to avoid risk to life, personal health damage and catastrophic impact on the community. It should be clear that no system is completely immune to failure and that, even in case of failure, it should still provide a safe condition.
For several years, safety systems were designed according to the German standards DIN V VDE 0801 and DIN V 19250, which were well accepted by the global safety community and which led to the effort to create a global standard, IEC 61508. That standard now works as the basis for all operational safety of electrical, electronic and programmable electronic systems in any kind of industry, covering all safety systems of an electronic nature.
Products certified according to IEC 61508 should basically cover 3 types of failures:
IEC 61508 is divided into 7 parts, of which the first 4 are mandatory and the other 3 act as guidelines:
Part 1: General requirements
Part 2: Requirements for E/E/PE safety-related systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of safety integrity levels
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
Part 7: Overview of techniques and measures
This standard systematically covers all activities of the SIS (Safety Instrumented System) life cycle and is focused on the performance required from a system: once the desired SIL (safety integrity level) is reached, the redundancy level and the test interval are at the discretion of whoever specified the system.
IEC 61508 aims to leverage the improvements of PES (Programmable Electronic Safety systems, which include PLCs, microprocessor-based systems, distributed control systems, sensors, intelligent actuators, etc.) and to standardize the concepts involved.
Recently, several standards on SIS development, design and maintenance have been prepared. Besides IEC 61508 (all industries), already mentioned, it is also important to mention IEC 61511, focused on the process industries (continuous, liquid and gas processes).
In practice, in several applications we have seen equipment with SIL certification specified for use in control systems with no safety function. It is also believed that there is a market of misinformation, leading to the purchase of more expensive equipment developed for safety functions that, in practice, will be used in process control functions, where the SIL certification does not bring the expected benefits and even makes the use and operation of the equipment more difficult.
In addition, such misinformation leads users to believe that they have a certified safe control system, when what they have is a controller with certified safety functions.
With the growing use of digital equipment and instruments, it is extremely important that the professionals involved in projects or in day-to-day instrumentation are qualified, know how to determine the performance required from safety systems, and master the calculation tools and the risk rates within acceptable limits.
In addition, it is necessary to:
Understand common mode failures; know which types of safe and unsafe failures are possible in a specific system, how to prevent them and, also, when, how, where and which redundancy level is most appropriate for each case.
Define the preventive maintenance level appropriate for each application.
The mere use of modern, sophisticated or even certified equipment does not by itself ensure any improvement in reliability and safety of operation compared with traditional technologies, unless the system is deployed with criteria and with knowledge of the advantages and limitations inherent to each type of available technology. In addition, the entire SIS life cycle should be kept in mind.
We commonly see accidents related to safety devices bypassed by operations or during maintenance. It is certainly very difficult to prevent, at the design stage, one of those devices being bypassed in the future, but a solid design that better satisfies the operational needs of the safety system's users can considerably reduce or eliminate the number of unauthorized bypasses.
By using and applying techniques with hard-wired or programmable logic circuits, fault-tolerant and/or fail-safe designs, microcomputers and software concepts, today it is possible to design efficient and safe systems at costs suitable for such a function.
The complexity level of a SIS depends a lot on the process considered. Heaters, reactors, cracking columns, boilers and furnaces are typical examples of equipment requiring a carefully designed and implemented safety interlock system.
The proper operation of a SIS requires better performance and diagnostic conditions than conventional systems. Safe operation in a SIS relies on sensors, logic solvers, processors and final elements designed with the purpose of causing a stop whenever safe limits are exceeded (for example, process variables such as pressure and temperature above the high-high alarm limits) or even preventing operation under conditions unfavorable to safe operation.
Typical examples of safety systems: Emergency Shutdown System.
The Safety Life Cycle involves probability analysis so as to ensure the integrity of the safety design. In addition, the calculations allow the risk to be reduced at an effective cost.
Keeping the integrity of a SIS throughout the plant life cycle is extremely important for safety management. An effective management program should include strict controls and procedures ensuring that:
The identification of critical points, the concepts and the choice of sensors, technology, logic solver and final elements, and the need for redundancy comply with the safety levels and the calculated risk reduction. Once the technology and the architecture are chosen, there is a plan to analyze and periodically review them, reassessing overall safety.
The tests of each phase (design, installation, operation, modification/maintenance) are conducted in compliance with the safety requirements, safety procedures and standards.
The SIS returns to its normal operation after maintenance.
System integrity is not compromised by unauthorized access to set-up, trip or bypass points.
Change management procedures are always followed for any system change.
The quality of changes is verified and the system is revalidated before returning to operation.
The Safety Life Cycle should be part of a PSM (Process Safety Management) system. In this way it will be conveniently adopted and applied in a conscious way, involving employees at all of its stages and at all company levels.
Risk Analysis
The more risks a system has, the harder it is to meet the requirements of a safe system. Basically, risk combines the probability of something undesirable happening with the consequence of that occurrence.
The risk of a process may be defined as the product of the frequency of occurrence of a specific event (F) and the consequence resulting from the event (C):
Risk = F x C.
How should the SIL levels be interpreted? As we have seen, the SIL is an integrity measure of a SIS and we can interpret it in two ways:
2) By interpreting table 2, where, for example, SIL 1 means that the risk of an accident or of something undesirable is low and that the SIS has 90% availability, or in other words a 10% chance of failure.
Table 2 - Levels of SIL and SFF according to the tolerance to hardware failure
SIL evaluation has grown in the last few years, mainly in chemical and petrochemical applications. We can also express the need for SIL in terms of the likely impact on the plant and community:
“4”- Catastrophic impact for the community.
“3”- Protection of employees and community.
“2”- Protection of production and property. Possible damages to employees.
“1”- Slight impact on the property and protection of production.
Figure 3 - SIL due to the likely impact on the plant and community
Such an analysis is not satisfactory on its own, as it is hard to classify what is a slight impact and what is a big one.
There are several methods of risk identification:
HAZOP technique (Hazard and Operability Study): where risks are identified and where higher SIL levels are required;
Check list technique;
FMEA technique (Failure Modes and Effects Analysis), where the failure of each piece of equipment and component is analyzed during the screening of controls.
In terms of SIL levels, the higher the required level, the higher the cost, due to more complex and stricter hardware and software specifications. Usually the SIL chosen for each safety function is associated with the staff's experience, but one may also choose the HAZOP matrix analysis or the Layers of Protection Analysis (LOP), where policy, procedures, safety strategies and instrumentation are all included.
Some stages and details of Risk Analysis follow:
1. Identification of potential risks
a. Starts with HAZOP (Hazard and Operational Issues Study)
b. The company should have a group of experts in the process and in its risks
c. Several methodologies may be applied, such as PHA (Process Hazard Analysis), HAZOP for risk identification, modified HAZOP, accident consequences, Risk Matrix, Risk Diagram or Quantitative Analysis for identification of the safety level to be reached.
d. The standards suggest methodologies for SIL identification
e. The available methods are qualitative, quantitative or semi-quantitative
f. Determine the SIL appropriate for the SIS, where the risk inherent to the process should be equal to or lower than the acceptable risk, ensuring the necessary safety for plant operation.
2. Evaluate the probability of a potential risk related to
a. Equipment failure
b. Human errors
3. Evaluate the potential risks and consequences of the event impacts
Curiosity
Conclusion
In practical terms, the aim is to reduce failures and, consequently, shutdowns and operational risks. The purpose is to increase operational availability and, in terms of processes, to minimize variability, with a direct consequence of increased profitability.
References
IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems.
IEC 61511-1, clause 11, "Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements", 2003-01.
ESTEVES, Marcello; RODRIGUEZ, João Aurélio V.; MACIEL, Marcos. Sistema de intertravamento de segurança, 2003.
William M. Goble, Harry Cheddie, "Safety Instrumented Systems Verification: Practical Probabilistic Calculation".
Sistemas Instrumentados de Segurança, César Cassiolato.
"Confiabilidade nos Sistemas de Medições e Sistemas Instrumentados de Segurança", César Cassiolato.
Manual LD400-SIS.
Sistemas Instrumentados de Segurança – Uma visão prática – Parte 1, César Cassiolato.
Internet research.
César Cassiolato
We have seen in the previous article, the first part of this series, some details on the Safety Life Cycle and Risk Analysis. Now, in this second part, we will look a little at Reliability Engineering.
Reliability Principles
The reliability of a measurement system is defined as the ability of the system to execute its function within the operating limits and conditions during a defined period of time. Unfortunately, several factors, such as manufacturer's tolerances under operating conditions, sometimes make such a determination difficult and, in practice, what we can obtain is a statistical expression of reliability as the probability of failure occurring within a time period.
In practice we face a great difficulty, which is determining what counts as a failure. When the output of a system is incorrect, that is much harder to interpret than the total loss of the measurement output.
Availability measures the proportion of time in which the instrument works without failure.
The objective with measurement systems is to maximize the MTBF (mean time between failures) and minimize the MTTR (mean time to repair) and, consequently, maximize availability.
Failure Models
The failure rate of a device may change throughout its life cycle: it may remain constant, decrease or even increase.
In electronic devices, it is common to observe the behavior of figure 1, also known as the bathtub curve.
Manufacturers usually apply burn-in tests to eliminate the phase up to T1 before products are placed on the market.
Mechanical components, on the other hand, will have a higher failure rate at the end of their life cycle, as per figure 2.
In practice, where systems are compositions of electronic and mechanical parts, the failure models are complex. The more components, the higher the incidence and probability of failures.
Reliability Laws
In practice we will usually have several components, and the measurement system is complex. We may have components in series or in parallel.
The reliability of components in series should take into consideration the probability of individual failures in a time period. For a measurement system with n components in series, the reliability Rs is the product of the individual reliabilities: Rs = R1 x R2 x ... x Rn.
Imagine a measurement system composed of a sensor, a conversion element and a signal processing circuit, with reliabilities of 0.9, 0.95 and 0.99 respectively. In that case, the system reliability will be:
0.9 x 0.95 x 0.99 ≈ 0.85.
The reliability can be increased by placing components in parallel, which means the system fails only if all components fail. In that case, for three components of reliability 0.95, Rs is given by:
Rs = 1 – [(1-0.95) x (1-0.95) x (1-0.95)] = 0.999875
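As an added example (not code from the article), the series and parallel laws above in Python, generalized to k-out-of-n voting, which covers 1oo3 (the parallel law), 3oo3 (the series law) and the 2oo3 voting architecture; the input values are the article's own.

```python
from math import comb
from typing import Sequence


def series_reliability(rs: Sequence[float]) -> float:
    """Rs = R1 x R2 x ... x Rn: every component must work for the system to work."""
    out = 1.0
    for r in rs:
        out *= r
    return out


def parallel_reliability(rs: Sequence[float]) -> float:
    """Rs = 1 - (1-R1)(1-R2)...(1-Rn): the system fails only if all components fail."""
    q_all_fail = 1.0
    for r in rs:
        q_all_fail *= 1.0 - r
    return 1.0 - q_all_fail


def koon_reliability(k: int, n: int, r: float) -> float:
    """k-out-of-n voting with n identical, independent channels of reliability r.

    The group works while at least k channels work, so the reliability is the
    binomial tail sum. 1oo3 reduces to the parallel law and 3oo3 to the series
    law; 2oo3 is the usual voting architecture for safety PLCs and sensors.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    return sum(comb(n, i) * r**i * (1.0 - r) ** (n - i) for i in range(k, n + 1))


# Values taken from the article: sensor, conversion element and signal
# processing circuit in series ...
SERIES_EXAMPLE = (0.90, 0.95, 0.99)
# ... and three components of reliability 0.95 in parallel.
PARALLEL_EXAMPLE = (0.95, 0.95, 0.95)

if __name__ == "__main__":
    print("series  :", round(series_reliability(SERIES_EXAMPLE), 4))
    print("parallel:", round(parallel_reliability(PARALLEL_EXAMPLE), 6))
    for k in (1, 2, 3):
        print(f"{k}oo3 at r=0.95:", round(koon_reliability(k, 3, 0.95), 6))
```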
What we look for in practice is to minimize the level of failures. An important requirement is to know about, and act before, T2 (see figures 1 and 2), when the statistical frequency of failures increases. The ideal is to make T (time period or life cycle) equal to T2, thereby maximizing the period without failures.
Choice of instruments: one should always pay attention to the instruments specified and to the influence of the process, materials, environment, etc. on them.
Protection of instruments: protecting the instruments appropriately may help to improve and ensure a higher level of reliability. For example, thermocouples should be protected under adverse operating conditions.
Regular calibration: most failures may be caused by drifts that change the measurement and generate incorrect outputs. Therefore, according to good instrumentation practices, we recommend that instruments be periodically checked and calibrated.
Redundancy: in this case, there is more than one piece of equipment working in parallel, switched over, sometimes automatically. Here reliability is significantly improved.
1. Reliability R(t)
Reliability is a metric developed to determine the probability of success of an operation in a specified period of time.
When the failure rate is very low, the unreliability function F(t), or Probability of Failure (PF), is approximated by the failure rate multiplied by the time: PF(t) = (failure rate) x t.
As the MTTR is very low in practice, it is common to assume MTBF = MTTF.
Figure 5 shows the architecture details versus voting and PFD, and figure 6 shows the correlation between PFD and the Risk Reduction Factor. We will discuss this in more detail in the articles completing this series.
Failure rate
Cpt: percentage of failures detected by a test (proof test)
TI: test interval
LT: life period of a process unit
Let's see an example: suppose that a valve is used in a safety instrumented system and has an annual failure rate of 0.002. Every year a verification and inspection test is conducted, and it is estimated that 70% of failures are detected in such tests. The valve will be used for 25 years and the demand on it is estimated as once every 100 years. What is the average probability of failure?
Failure rate: 0.002 per year
Cpt: 0.7
TI: 1 year
LT: 25 years
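An added example, not part of the article, that carries the valve exercise above through in Python. It assumes the constant-failure-rate (exponential) model, uses `lam` as its own name for the failure rate, and uses the common simplified average-PFD approximation PFDavg = Cpt x lam x TI/2 + (1 - Cpt) x lam x LT/2 (an assumption here; the article's own formula is not reproduced on this page); the SIL bands are the IEC 61508 low-demand targets.

```python
from math import exp

# IEC 61508 low-demand targets: SIL -> (lower, upper) bound on average PFD.
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def reliability(lam: float, t: float) -> float:
    """R(t) = exp(-lam*t): constant failure rate (flat part of the bathtub curve)."""
    return exp(-lam * t)


def prob_failure(lam: float, t: float) -> float:
    """Exact unreliability F(t) = 1 - R(t)."""
    return 1.0 - reliability(lam, t)


def prob_failure_approx(lam: float, t: float) -> float:
    """The article's small-rate approximation PF(t) = lam*t (first term of the series)."""
    return lam * t


def mttf(lam: float) -> float:
    """Mean time to failure for a constant rate; MTBF = MTTF + MTTR, so MTBF ~ MTTF when MTTR is small."""
    return 1.0 / lam


def availability(mtbf: float, mttr: float) -> float:
    """Steady-state availability: fraction of time the instrument is working."""
    return mtbf / (mtbf + mttr)


def pfd_avg(lam: float, cpt: float, ti: float, lt: float) -> float:
    """Simplified average probability of failure on demand with partial proof-test coverage.

    Assumption (not the article's formula): the fraction cpt of failures is found
    and repaired at each proof test, so it accumulates over TI; the remaining
    (1 - cpt) is only found at the end of the unit's life LT. Each term is the
    time average of lam*t over its own interval, i.e. lam*T/2.
    """
    return cpt * lam * ti / 2.0 + (1.0 - cpt) * lam * lt / 2.0


def is_low_demand(demand_interval_years: float) -> bool:
    """IEC 61508 low-demand mode: demands on the safety function no more than once a year."""
    return demand_interval_years >= 1.0


def sil_from_pfd(pfd: float) -> int:
    """Map an average PFD to the IEC 61508 low-demand SIL band (0 = below SIL 1)."""
    for sil, (lo, hi) in SIL_PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


# The article's valve exercise (rates per year): failure rate 0.002, 70% proof-test
# coverage, yearly test, 25-year life, one demand every 100 years.
VALVE = dict(lam=0.002, cpt=0.7, ti=1.0, lt=25.0)
DEMAND_INTERVAL_YEARS = 100.0

if __name__ == "__main__":
    print("exact F(1y)  :", prob_failure(VALVE["lam"], 1.0))
    print("approx F(1y) :", prob_failure_approx(VALVE["lam"], 1.0))
    print("low demand?  :", is_low_demand(DEMAND_INTERVAL_YEARS))
    pfd = pfd_avg(**VALVE)
    print("PFDavg       :", pfd, "-> SIL", sil_from_pfd(pfd))
```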
SIS - Safety Instrumented Systems - A practical view - Part 3
César Cassiolato
Marketing, Quality, Project and Services Engineering Director
SMAR Industrial Automation
We have seen in the previous article, the second part, some details on Reliability Engineering. Now we will look at models using series and parallel systems, fault trees, the Markov model and some calculations.
Failure Analysis - Fault Trees
There are several methodologies for failure analysis. One that is widely used is fault tree analysis (FTA), which aims at improving the reliability of products and processes through a systematic analysis of possible failures and their consequences, guiding the adoption of corrective or preventive measures.
The fault tree diagram shows the hierarchical relationship between the identified failure modes. Tree construction begins with the perception or anticipation of a failure, which is then decomposed and detailed into simpler events. Fault tree analysis is therefore a top-down technique, since general events are divided into more specific events.
Below, an example FTA diagram applied to a failure in an electric motor is shown. The initial event, which may be an observed or anticipated failure, is called the top event and is indicated by the blue arrow. From that event other failures are detailed, until the basic events composing the resolution limit of the diagram are reached. Failures shown in yellow compose the resolution limit of this diagram.
Fault tree analysis was developed at the beginning of the 1960s by engineers from the Bell Telephone Company.
Logic Symbols used in the FTA
Conducting an FTA is the graphic representation of the interrelation between the equipment or operation failures that may result in a specific accident. The symbols shown below are used in the construction of the tree to represent such interrelations.
"OR" Gate: indicates that the output event occurs when any one of the input events occurs.
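An added example (not from the article) of how a fault tree is evaluated once the basic-event probabilities are known: for independent basic events an OR gate combines as 1 - product(1 - p) and an AND gate as product(p), and the minimal cut sets fall out of the same structure. The electric motor tree below is constructed for illustration, since the article's own diagram is not reproduced on this page.

```python
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Basic:
    """Basic event at the resolution limit of the tree (the article's yellow boxes)."""
    name: str
    p: float  # probability of the basic event in the period of interest


@dataclass(frozen=True)
class Gate:
    """Intermediate or top event combining its inputs with an OR or AND gate."""
    name: str
    kind: str      # "OR": any input causes the output; "AND": all inputs must occur
    inputs: tuple  # of Basic or Gate


Node = Union[Basic, Gate]


def event_probability(node: Node) -> float:
    """Top-down evaluation assuming the basic events are mutually independent."""
    if isinstance(node, Basic):
        return node.p
    ps = [event_probability(child) for child in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest sets of basic events that are each sufficient to cause the event.

    OR gates take the union of their children's cut-set lists; AND gates combine
    one cut set from each child. Supersets of another cut set are dropped.
    """
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = [s for cs in child_sets for s in cs]
    else:
        sets = [frozenset()]
        for cs in child_sets:
            sets = [a | b for a in sets for b in cs]
    minimal: List[frozenset] = []
    for s in sorted(set(sets), key=len):
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return minimal


# Constructed (hypothetical) tree for "motor does not run": single-point failures in
# the supply and the winding, plus a redundant contactor pair that must both fail.
MOTOR_TREE = Gate("motor does not run", "OR", (
    Basic("supply lost", 0.010),
    Basic("winding failure", 0.005),
    Gate("both contactors stuck open", "AND", (
        Basic("main contactor stuck", 0.020),
        Basic("backup contactor stuck", 0.020),
    )),
))

if __name__ == "__main__":
    print("P(top) =", round(event_probability(MOTOR_TREE), 8))
    for cs in minimal_cut_sets(MOTOR_TREE):
        print("cut set:", sorted(cs))
```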
Markov Models
A Markov model is a state diagram in which the several failure states of a system are identified. The states are connected by arcs carrying the failure rates or repair rates that lead the system from one state to another (see figure 4 and figure 5). Markov models are also known as state space diagrams or state diagrams. The state space is defined as the set of all states in which the system can be found.
In such a model, all failures are classified as dangerous failures or as safe failures. A dangerous failure is one that places the safety system in a state in which it will not be available to stop the process if that becomes necessary. A safe failure is one that leads the system to stop the process in a situation of no danger. A safe failure is usually called a false or spurious trip.
Markov models include diagnostic coverage factors for all components and repair rates. The models consider that undetected failures will be diagnosed and repaired by periodic proof tests.
Markov models also include failure rates associated with performance failures and common mode hardware failures.
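An added example (not the article's model) of a small Markov model in the sense described above: four states (OK, fail-safe, dangerous-detected, dangerous-undetected), arcs carrying the safe, dangerous-detected and dangerous-undetected failure rates and the repair rates, and an explicit time step that tracks the state probabilities across a proof-test interval. The rates are constructed for illustration, and the dangerous-undetected state is cleared only by the proof test.

```python
from typing import List, Optional

# State indices. FDU has no continuous repair arc: it is cleared only by the proof test.
OK, FS, FDD, FDU = range(4)
STATE_NAMES = ("OK", "fail-safe", "dangerous-detected", "dangerous-undetected")


def build_generator(lam_s: float, lam_dd: float, lam_du: float,
                    mu_s: float, mu_dd: float) -> List[List[float]]:
    """Transition-rate matrix Q (per hour); row i lists the rates out of state i.

    Diagonal entries hold minus the total outgoing rate so each row sums to zero.
    """
    q = [[0.0] * 4 for _ in range(4)]
    q[OK][FS], q[OK][FDD], q[OK][FDU] = lam_s, lam_dd, lam_du   # failure arcs
    q[FS][OK], q[FDD][OK] = mu_s, mu_dd                         # repair arcs
    for i in range(4):
        q[i][i] = -sum(q[i][j] for j in range(4) if j != i)
    return q


def step(p: List[float], q: List[List[float]], dt: float) -> List[float]:
    """One explicit time step: p(t+dt) = p(t) * (I + Q*dt). Needs max rate * dt << 1."""
    return [sum(p[i] * ((1.0 if i == j else 0.0) + q[i][j] * dt) for i in range(4))
            for j in range(4)]


def simulate(q: List[List[float]], hours: float, dt: float = 1.0,
             p0: Optional[List[float]] = None):
    """Run from p0 (default: all probability in OK) for `hours`.

    Returns the final state vector and the time-averaged PFD, where PFD(t) is the
    probability of being in a dangerous state (FDD or FDU), i.e. the system would
    not stop the process if a demand arrived at time t.
    """
    p = list(p0) if p0 else [1.0, 0.0, 0.0, 0.0]
    steps = int(round(hours / dt))
    pfd_sum = 0.0
    for _ in range(steps):
        p = step(p, q, dt)
        pfd_sum += p[FDD] + p[FDU]
    return p, pfd_sum / steps


def proof_test(p: List[float]) -> List[float]:
    """Perfect proof test: undetected dangerous failures are found and repaired."""
    fixed = list(p)
    fixed[OK] += fixed[FDU]
    fixed[FDU] = 0.0
    return fixed


# Constructed rates (per hour): spurious 2e-6, dangerous detected 5e-7, dangerous
# undetected 5e-7; 8 h repair after a safe trip, 24 h after a detected dangerous failure.
EXAMPLE_Q = build_generator(2e-6, 5e-7, 5e-7, 1 / 8, 1 / 24)
PROOF_TEST_INTERVAL_H = 8760.0  # yearly proof test

if __name__ == "__main__":
    p, avg_pfd = simulate(EXAMPLE_Q, PROOF_TEST_INTERVAL_H)
    for name, prob in zip(STATE_NAMES, p):
        print(f"{name:22s} {prob:.6e}")
    print("average PFD over the interval:", f"{avg_pfd:.3e}")
    print("after proof test:", [round(x, 6) for x in proof_test(p)])
```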
The system modeling should include all possible types of failures, which can be grouped in two categories:
1) Physical failures
2) Performance failures
Physical failures are those occurring when the function performed by a module, a component, etc. deviates from the specified function due to physical degradation.
Physical failures may be failures due to natural aging or failures caused by the environment.
To use physical failures in Markov models, the cause of the failures and their effects on the modules, etc. should be determined. Physical failures should be categorized as dependent or independent failures.
Independent failures are those that never affect more than one module, while dependent failures may cause the failure of several modules.
Performance failures are those occurring when the physical equipment is in operation but does not perform the specified function, due to a performance deficiency or human error. Examples of performance failures are: safety system design errors, software errors, hardware connection errors, human interaction errors and hardware design errors.
In Markov models, performance failures are separated into safe and dangerous failures. A safe performance failure is assumed to result in a spurious trip. Similarly, a dangerous performance failure will result in a fail-to-function state, that is, a failure in which the system will no longer be available to stop the process. The evaluation of the performance failure rate should take into consideration several possible causes, such as:
1) Safety system design errors
These include errors in the logic specification of the safety system, an inappropriate
choice of architecture, incorrect selection of sensors and actuators, and errors in the
design of the interface between the PLCs and the sensors and actuators.
2) Hardware implementation errors
These include errors in wiring the sensors and actuators to the PLCs. The probability
of a wiring error grows with I/O redundancy when the user has to connect each sensor
and each actuator to several I/O terminals; redundant sensors and actuators likewise
raise the probability of connection errors.
3) Software errors
These include errors in software developed by the supplier and by the user. The
supplier's software usually comprises an operating system, the I/O routines, the
application functions and the programming language. Supplier software errors are
minimized by a sound software design, compliance with coding procedures and
testing; independent testing by third parties can also be very useful.
Errors in user-developed software include errors in the application program and in
the user interface and diagnostic routines (displays, etc.). Engineers who specialize
in safety system software help minimize user software errors, and exhaustive software
testing should also be carried out.
4) Human interaction errors
These include design and operation errors of the man-machine interface of the safety
system, errors made during the periodic proof tests, and errors made while replacing
defective modules of the safety system. Maintenance errors are reduced by good
diagnostics that identify the defective module and by fault indicators on the modules
themselves. Keep in mind that no diagnostic is perfect or failure-proof.
5) Hardware design errors
These include design errors by the manufacturer of the PLCs, sensors and actuators,
as well as user errors in the interface between the safety system and the process.
In redundant configurations of PLCs, sensors and actuators, some performance
failures can be reduced by using diverse hardware and/or software.
Dependent failures have to be modelled differently, because multiple failures may
occur simultaneously. From the modelling point of view, the dominant dependent
failures are common cause failures, which are the direct result of a single shared
root cause. An example is radio-frequency interference causing the simultaneous
failure of several modules. The analysis of this kind of failure is complex and
requires deep knowledge of the system, at the hardware and software level and of
its environment.
Figure 5 - Example of Markov model in redundant system
With equipment and tools certified to IEC 61508 the failure rates of the products
are known, which simplifies the safety calculations and the choice of architecture.
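The following is an added example, not the article's own model or its figures 4 and 5: it evaluates numerically a small Markov model of one 1oo1 channel with hypothetical rates given in the code (a safe and a dangerous failure rate per hour, a diagnostic coverage factor that splits dangerous failures into detected and undetected, an on-line repair rate for detected failures, and a periodic proof test that is assumed perfect and returns undetected failures to the OK state). It shows the saw-tooth PFD that the proof test produces and checks the state-space result against the usual first-order approximation.

```python
"""Numerical evaluation of a Markov (state-space) model of one 1oo1 SIS channel.

Added example, not the article's own model; every rate below is hypothetical.
States: OK, FS (safe failure = spurious trip), DD (dangerous detected),
DU (dangerous undetected). FS and DD are repaired on line at rate mu = 1/MTTR.
DU is only revealed by the periodic proof test, assumed perfect, which puts the
channel back in OK "as new".
"""

STATES = ("OK", "FS", "DD", "DU")
HOURS_PER_YEAR = 8760


def generator(lambda_s, lambda_d, coverage, mttr):
    """Transition-rate matrix Q (per hour). Row i holds the rates leaving state i;
    the diagonal makes each row sum to zero so probability is conserved."""
    lam_dd = lambda_d * coverage          # dangerous failures caught by diagnostics
    lam_du = lambda_d * (1.0 - coverage)  # dangerous failures that stay hidden
    mu = 1.0 / mttr
    return [
        [-(lambda_s + lam_dd + lam_du), lambda_s, lam_dd, lam_du],  # OK
        [mu, -mu, 0.0, 0.0],                                      # FS -> repaired
        [mu, 0.0, -mu, 0.0],                                      # DD -> repaired
        [0.0, 0.0, 0.0, 0.0],                                     # DU: absorbing until proof test
    ]


def step(p, q, dt):
    """One explicit Euler step of dp/dt = p.Q; with per-hour rates around 1e-6
    and dt = 1 h the truncation error is far below the model's own uncertainty."""
    n = len(p)
    return [
        sum(p[i] * ((1.0 if i == j else 0.0) + q[i][j] * dt) for i in range(n))
        for j in range(n)
    ]


def evaluate(lambda_s, lambda_d, coverage, mttr, proof_test_h, years=1, dt=1.0):
    """Return the average PFD (P[DD] + P[DU]), the average spurious-trip state
    probability and the PFD sampled just before each proof test (the saw-tooth peaks)."""
    q = generator(lambda_s, lambda_d, coverage, mttr)
    p = [1.0, 0.0, 0.0, 0.0]
    hours = int(years * HOURS_PER_YEAR)
    pfd_sum = fs_sum = 0.0
    peaks = []
    for h in range(1, hours + 1):
        p = step(p, q, dt)
        pfd_sum += p[2] + p[3]
        fs_sum += p[1]
        if h % proof_test_h == 0:
            peaks.append(p[2] + p[3])
            p[0] += p[3]   # proof test finds the hidden failures ...
            p[3] = 0.0     # ... and the channel is returned to service as new
    return {"pfd_avg": pfd_sum / hours, "fs_avg": fs_sum / hours, "peaks": peaks}


def pfd_avg_closed_form(lambda_d, coverage, mttr, proof_test_h):
    """First-order approximation the Markov result should agree with:
    lambda_DU * T / 2 + lambda_DD * MTTR."""
    return lambda_d * (1.0 - coverage) * proof_test_h / 2.0 + lambda_d * coverage * mttr


if __name__ == "__main__":
    params = dict(lambda_s=5e-6, lambda_d=2e-6, coverage=0.9, mttr=8.0)  # hypothetical
    for t in (HOURS_PER_YEAR, HOURS_PER_YEAR // 12):        # yearly vs monthly proof test
        r = evaluate(proof_test_h=t, **params)
        cf = pfd_avg_closed_form(params["lambda_d"], params["coverage"], params["mttr"], t)
        print(f"T = {t:5d} h  PFDavg = {r['pfd_avg']:.2e}  closed form = {cf:.2e}  "
              f"peak PFD = {max(r['peaks']):.2e}  P[spurious] = {r['fs_avg']:.2e}")
```

The DU row of the generator is all zeros on purpose: nothing in the model brings the channel back from an undetected dangerous failure except the proof test, which is why the PFD climbs linearly between tests and drops to the DD floor (lambda_DD times MTTR) right after each one. Adding a second channel, a common cause rate or an imperfect proof test means adding states and arcs to the same matrix; the stepping code does not change.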
Conclusion
In practical terms, the aim is to reduce failures and, consequently, shutdowns and
operational risk. The purpose is to increase operational availability and, in process
terms, to minimize variability, with a direct effect on profitability.
References
IEC 61508, Functional safety of electrical/electronic/programmable electronic
safety-related systems.
IEC 61511-1:2003, clause 11, Functional safety - Safety instrumented systems for the
process industry sector - Part 1: Framework, definitions, system, hardware and
software requirements.
ESTEVES, Marcello; RODRIGUEZ, João Aurélio V.; MACIEL, Marcos. Sistema de
intertravamento de segurança, 2003.
GOBLE, William M.; CHEDDIE, Harry. Safety Instrumented Systems Verification:
Practical Probabilistic Calculation.
CASSIOLATO, César. Sistemas Instrumentados de Segurança.
CASSIOLATO, César. Confiabilidade nos Sistemas de Medições e Sistemas
Instrumentados de Segurança.
CASSIOLATO, César. Sistemas Instrumentados de Segurança – Uma visão prática –
Parte 1.
Manual LD400-SIS.
http://www.exida.com/images/uploads/CCPS_LA_2010_SIS_EsparzaHochleitner.pdf
Internet research.
César Cassiolato
Marketing, Quality, Project and Services Engineering Director
SMAR Industrial Automation
IEC 61508 is divided into 7 parts; the first 4 are normative and the other 3 are
guidelines:
The standard systematically covers all activities of the SIS (Safety Instrumented
System) life cycle and focuses on the performance required from the system: once the
required SIL (safety integrity level) has been defined, the redundancy level and the
test interval are at the discretion of whoever specifies the system.
IEC 61508 aims to consolidate the improvements brought by PES (programmable
electronic systems, which include PLCs, microprocessor-based systems, distributed
control systems, sensors, intelligent actuators, etc.) and to standardize the concepts
involved.
More recently several standards on SIS development, design and maintenance have
been issued, such as IEC 61508 (all industries), already mentioned, and IEC 61511,
which is focused on the process industries (continuous, liquid and gas processes).
In practice, several applications specify SIL-certified equipment for use in control
systems without any safety function. There also seems to be a market of
misinformation that leads to the purchase of more expensive equipment developed for
safety functions which, in practice, is used in process control, where the SIL
certification brings none of the expected benefits and can even make the equipment
harder to use and operate.
Such misinformation also leads users to believe that they have a certified safe control
system, when what they have is a controller with certified safety functions.
With the growth of digital equipment and instruments, it is essential that the
professionals involved in design or in day-to-day instrumentation are qualified, know
how to determine the performance required from the safety systems, master the
calculation tools and keep risk rates within acceptable limits.
In addition, it is necessary to:
Understand common mode failures, know which safe and unsafe failures are possible
in a given system and how to prevent them, and know when, how and where
redundancy is appropriate and which redundancy level fits each case.
Define the preventive maintenance level appropriate for each application.
The mere use of modern, sophisticated or even certified equipment does not by itself
ensure any improvement in reliability and operational safety compared with traditional
technologies, unless the system is deployed with criteria and with knowledge of the
advantages and limitations inherent to each available technology. The entire SIS life
cycle must also be kept in mind.
Accidents related to safety devices bypassed by operations or during maintenance are
common. It is certainly difficult to prevent, at the design stage, that one of these
devices is bypassed in the future, but a solid design that better meets the operational
needs of the safety system's users can considerably reduce or eliminate the number
of unauthorized bypasses.
Using fixed or programmable logic circuits, fault-tolerant and/or fail-safe techniques,
microcomputers and software concepts, it is possible today to design efficient and safe
systems at a cost suited to the function.
The complexity of a SIS depends heavily on the process considered. Heaters, reactors,
cracking columns, boilers and furnaces are typical examples of equipment requiring a
carefully designed and implemented safety interlock system.
Proper operation of a SIS requires better performance and diagnostic capabilities than
conventional systems. Safe operation in a SIS relies on sensors, logic solvers (PLCs or
processors) and final elements designed to bring the process to a stop whenever safe
limits are exceeded (for example, process variables such as pressure and temperature
above the high-high alarm limits) or to prevent operation under conditions unfavourable
to safe operation.
Typical examples of safety systems:
We saw in the previous article (part 3) some details of fault tree analysis, Markov
models and some calculations.
In this fourth part we look at some points of the SIF Verification Process, which
checks that:
The equipment is approved for the environmental conditions where it will be installed;
The subsystems have the hardware fault tolerance required for the dangerous failures
the process can present;
The Probability of Failure on Demand (PFD) of the SIF is consistent with the risk
the company accepts.
Equipment Selection
Care is needed in choosing the equipment that works in safety systems. Certified
equipment should be specified according to IEC 61508, or equipment complying with
the "prior use" criteria of IEC 61511.
Proven in Use (PIU) is a characteristic defined in IEC 61511 (clause 11.4.4): if a piece
of equipment has already been used successfully in safety applications and meets
certain requirements (see below), the HFT (hardware fault tolerance) can be reduced,
allowing its use in safety applications at lower cost:
The major advantage is that it becomes possible to standardize the equipment used for
control and the equipment used for safety at a much lower cost.
A hardware analysis called FMEDA (Failure Modes, Effects and Diagnostics Analysis)
is also used to determine the failure rates and failure modes of the instrument. It is an
extension of the well-known FMEA (Failure Mode and Effect Analysis) methodology:
the FMEDA identifies and calculates the failure rates in four categories, safe detected,
safe undetected, dangerous detected and dangerous undetected. These failure rates
are used to calculate the diagnostic coverage and the safe failure fraction (SFF), which
together with the hardware fault tolerance determine the SIL the subsystem can claim.
Once the safety integrity level and its requirements have been determined, the
equipment, redundancy levels and tests are chosen according to the SIF demand.
Then, with the data of each piece of equipment, it is calculated by equations, fault
tree analysis, Markov models and other techniques whether the chosen equipment
meets the safety requirements.
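As an added example (not from the article; the component list and its failure rates are constructed for illustration), the following Python rolls an FMEDA table up into the four failure-rate categories, computes the safe failure fraction and the diagnostic coverage, and applies the architectural constraint tables of IEC 61508-2 (Tables 2 and 3, the route 1H constraints) to find the hardware fault tolerance a subsystem needs before it can claim a target SIL.

```python
"""FMEDA roll-up and IEC 61508 architectural constraints (route 1H).

Added example, not from the article. The component list and its failure rates are
constructed for illustration (FIT = failures per 1e9 hours); a real FMEDA comes from
the device manufacturer or an assessor.
Categories: SD/SU = safe detected/undetected, DD/DU = dangerous detected/undetected.
"""

# (component, failure mode, rate in FIT, category): constructed data
FMEDA_ROWS = [
    ("sensing element", "drift, reads low",  120, "DU"),
    ("sensing element", "open circuit",       80, "DD"),
    ("A/D converter",   "stuck code",         40, "DU"),
    ("A/D converter",   "out of range",       60, "DD"),
    ("power supply",    "loss of output",    200, "SD"),
    ("loop driver",     "output low",        150, "SU"),
    ("CPU",             "watchdog reset",     90, "SD"),
    ("CPU",             "silent corruption",  30, "DU"),
]

# IEC 61508-2 Tables 2 and 3: maximum SIL claimable for a subsystem, indexed by
# SFF band (<60%, 60-90%, 90-99%, >=99%) and hardware fault tolerance (0, 1, 2).
# 0 means "not allowed". Type A = simple, well-characterised components;
# type B = complex components such as microprocessors.
MAX_SIL = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}


def totals(rows):
    """Sum the FMEDA rows into the four failure-rate categories."""
    t = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    for _, _, fit, category in rows:
        t[category] += fit
    return t


def safe_failure_fraction(t):
    """SFF = (lambda_S + lambda_DD) / lambda_total: share of failures that are
    either harmless or caught by diagnostics."""
    return (t["SD"] + t["SU"] + t["DD"]) / (t["SD"] + t["SU"] + t["DD"] + t["DU"])


def diagnostic_coverage(t):
    """DC = lambda_DD / lambda_D: share of dangerous failures the diagnostics see."""
    return t["DD"] / (t["DD"] + t["DU"])


def sff_band(sff):
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def max_sil(sff, hft, subsystem_type):
    return MAX_SIL[subsystem_type][sff_band(sff)][hft]


def min_hft(sff, target_sil, subsystem_type):
    """Smallest hardware fault tolerance that lets the subsystem claim target_sil,
    or None if even HFT 2 is not enough."""
    for hft in range(3):
        if max_sil(sff, hft, subsystem_type) >= target_sil:
            return hft
    return None


if __name__ == "__main__":
    t = totals(FMEDA_ROWS)
    sff = safe_failure_fraction(t)
    print(f"lambda: {t}  SFF = {sff:.1%}  DC = {diagnostic_coverage(t):.1%}")
    for kind in ("A", "B"):
        print(f"type {kind}: HFT needed for SIL 2 = {min_hft(sff, 2, kind)}, "
              f"for SIL 3 = {min_hft(sff, 3, kind)}")
```

With the constructed data the SFF comes out at about 75%, so a type B (microprocessor-based) device needs HFT 1, that is a 1oo2 or 2oo3 arrangement, before a SIL 2 claim is allowed, while a type A device with the same SFF could be used singly; this is the mechanism behind the statement that the architecture is decided by the fault tolerance of the components.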
How to determine the architecture?
The architecture of a SIF is decided by the fault tolerance of its components.
A higher SIL can be reached using redundancy.
The number of devices depends on the reliability of each component, as established
in its FMEDA (Failure Modes, Effects and Diagnostic Analysis).
The three most common architectures are:
Simplex, or 1oo1 (1 out of 1) voting
Duplex, or 1oo2 or 2oo2 voting
Triplex, or 2oo3 voting
Figure 1 shows the most common architectures for safety systems, where several
techniques are used according to the voting scheme and the desired SIL:
Every device failure is detected by inspection and by the proof test.
The device is repaired and returned to service as new. The effect of the proof test is
the saw-tooth shape shown in figure 2.
As a result, the test interval is a decisive factor in the SIL classification reached.
We saw in the previous article (part 4) the SIF Verification Process.
In this fifth and last part we look at typical SIF solutions and an application example.
Typical SIF (Safety Instrumented Function) Solutions
How to determine the architecture?
The architecture of a SIF is decided by the fault tolerance of its components.
A higher SIL can be reached using redundancy.
The number of devices depends on the reliability of each component, as established
in its FMEDA (Failure Modes, Effects and Diagnostic Analysis).
The three most common architectures are:
Simplex, or 1oo1 (1 out of 1) voting
Duplex, or 1oo2 or 2oo2 voting
Triplex, or 2oo3 voting
2. SIL 2
Figure 2 – SIF – SIL 2
3. SIL 3
Figure 3 – SIF – SIL 3
Application Example
Control loop component    Failures/year
Pressure transmitter      0.6
Controller                0.3
I/P converter             0.5
Control valve             0.2
Total                     1.6
The control loop in this example may fail in either direction, and both directions are
assumed equally probable. Since the control loop is under operator supervision, it is
assumed that only 1 failure in 4 would be sudden enough to create a demand for
shutdown before the operator could intervene. This gives (1 in 2) x (1 in 4), or 1/8 of
the total failure rate, as the demand rate for a trip. Different assumptions should be
made based on specific knowledge of the equipment and conditions.
Therefore, the demand rate = 1.6/8 = 0.2/year
The acceptable unavailability =
The safety loop is designed to fail in the safe direction, so it is assumed that only 1
failure in 3 would be in the unsafe direction. None of these passive system failures
would be diagnosed.
Therefore, the undetected failure rate = 0.6/3 = 0.2/year
With annual tests,
this gives an availability of 0.9, which still does not meet the safety requirement.
Availability can be increased by testing more often. With monthly tests we have,
reaching an availability > 0.99. The proof test frequency should be specified as part of
the design documents.
According to table 1, a SIL 1 system with frequent tests provides an availability of
0.99, meeting the 95% availability required.
Table 1 - Architecture according to SIL level - IEC 61508
Some details
There is a very common misconception that products or components are by themselves
classified as SIL. Products and components are suitable for use at a given SIL, but
they are not SIL-rated individually: SIL levels apply to the safety functions, the SIFs.
The equipment or system is used to support the risk reduction design. A piece of
equipment certified for use in SIL 2 or SIL 3 applications does not by itself ensure
that the system will meet SIL 2 or 3; all components of the SIF have to be analysed.
An important design parameter calculated during SIL verification is MTTFsp, the mean
time to a spurious (false) trip. It indicates how often the SIS can be expected to take
the process to shutdown without a real demand. Table 2 shows estimated costs of
false trips in industries with different processes:
Table 2 - Costs with False Trips.
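The application example above and the MTTFsp discussion, as an added Python example that is not part of the article: it reproduces the page's figures (1.6 failures/year on the control loop, a 0.2/year demand rate, 0.2/year undetected dangerous failures on the safety loop, annual versus monthly proof tests) with the simplified low-demand formulas found in IEC 61508-6 and in Goble and Cheddie, and extends them to the 1oo2, 2oo2 and 2oo3 architectures with a beta-factor for common cause and the corresponding spurious-trip rates. The safety-loop safe failure rate of 0.4/year, the 8 h repair time and beta = 0.05 are assumptions, not values from the page. These first-order formulas hold only while lambda times T is well below 1; the page's 0.2/year with annual testing is at the edge of that range and is kept to match its numbers.

```python
"""Demand rate, PFDavg, availability and spurious-trip estimates with the simplified
low-demand formulas (IEC 61508-6 style, as in Goble and Cheddie).

Added example, not from the article. It reproduces the article's application example
and extends it to the 1oo2, 2oo2 and 2oo3 voting architectures. Rates are per year;
test interval T and MTTR are in years; beta is the common-cause (beta-factor) share.
The formulas assume lambda * T << 1; the article's 0.2/year with annual tests is at
the edge of that range and is kept only to match the page's figures.
"""

# Control-loop failure rates from the article (failures/year)
CONTROL_LOOP = {"pressure transmitter": 0.6, "controller": 0.3,
                "I/P converter": 0.5, "control valve": 0.2}


def demand_rate(loop_rates, unsafe_share=0.5, sudden_share=0.25):
    """Demands per year on the SIS: control-loop failures in the unsafe direction
    (1 in 2) that are too fast for the operator to intervene (1 in 4)."""
    return sum(loop_rates.values()) * unsafe_share * sudden_share


def pfd_avg(arch, lam_du, t, beta=0.0):
    """Average probability of failure on demand for the common voting schemes."""
    if arch == "1oo1":
        return lam_du * t / 2.0
    x = (1.0 - beta) * lam_du * t                 # independent part of each channel
    independent = {"1oo2": x * x / 3.0,           # both channels must fail
                   "2oo2": x,                     # either channel failing is enough
                   "2oo3": x * x}[arch]           # any two of three
    return independent + beta * lam_du * t / 2.0  # common cause acts like one channel


def spurious_trip_rate(arch, lam_s, mttr, beta=0.0):
    """False trips per year from safe failures; MTTFsp = 1 / rate."""
    if arch == "1oo1":
        return lam_s
    ls = (1.0 - beta) * lam_s
    independent = {"1oo2": 2.0 * ls,                 # either channel trips the loop
                   "2oo2": 2.0 * ls * ls * mttr,     # second channel must fail before repair
                   "2oo3": 6.0 * ls * ls * mttr}[arch]
    return independent + beta * lam_s


def sil_from_pfd(pfd):
    """Low-demand SIL bands of IEC 61508 (0 = no SIL claimable)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def assess(arch, lam_du, t, demand_per_year, required_availability, beta=0.0):
    pfd = pfd_avg(arch, lam_du, t, beta)
    return {"pfd_avg": pfd,
            "availability": 1.0 - pfd,
            "rrf": 1.0 / pfd,                       # risk reduction factor
            "hazard_rate": demand_per_year * pfd,   # demands that get through, per year
            "sil": sil_from_pfd(pfd),
            "meets": 1.0 - pfd >= required_availability}


if __name__ == "__main__":
    demand = demand_rate(CONTROL_LOOP)   # 1.6 x 1/2 x 1/4 = 0.2 demands/year
    lam_du = 0.6 / 3                     # article: 1 in 3 safety-loop failures dangerous, none diagnosed
    lam_s = 0.6 - lam_du                 # assumption: the other 2 in 3 are safe failures
    mttr = 8.0 / 8760                    # assumption: 8 h repair, in years
    for label, t in (("annual test", 1.0), ("monthly test", 1.0 / 12)):
        print(label, assess("1oo1", lam_du, t, demand, 0.95))
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        r = assess(arch, lam_du, 1.0, demand, 0.95, beta=0.05)
        trips = spurious_trip_rate(arch, lam_s, mttr, beta=0.05)
        print(f"{arch}: PFDavg = {r['pfd_avg']:.4f}  SIL {r['sil']}  "
              f"spurious trips/year = {trips:.3f}  MTTFsp = {1 / trips:.1f} years")
```

Running it shows the two effects the page describes side by side: going from annual to monthly proof tests takes the 1oo1 loop from an availability of 0.9 to above 0.99, and a 1oo2 arrangement lowers the PFD further but doubles the spurious-trip rate, which is exactly the trade-off that makes MTTFsp worth reporting next to the PFD. The common-cause term is what keeps the redundant figures honest; without it, 1oo2 and 2oo3 would look far better than any real installation achieves.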