
Propagation of uncertainty in SIL verification and decision making

Published: 2018-02-23


1 Theoretical framework

1.1 Reliability theory

1.1.1 Safety instrumented systems

A safety instrumented system (SIS) provides a protective layer around the process system by implementing one or more safety instrumented functions that take the process to a safe state. A SIS is composed of any combination of sensor(s), logic solver(s) and final element(s).

Sensors: detect the potential for, or the cause of, an unwanted incident and produce an appropriate electrical signal, which is sent to the logic solver. Examples of sensors are pressure transmitters, level transmitters, temperature gauges, and so on.

Logic solver: detects an electrical signal exceeding a given threshold and sends a signal to the final elements. Logic solvers can be computers, programmable logic controllers (PLCs), or relay circuits.

Final control element: implements the action determined by the logic solver. The final control element is typically a pneumatically actuated on-off valve operated by solenoid valves.

1.1.2 Safety instrumented functions

A safety instrumented function (SIF) is implemented by a SIS in order to achieve or maintain a safe state. A SIF's sensors, logic solver and final elements detect a hazard and bring the process to a safe state.

Figure 1: SIS-SIF-SIL relationship

1.1.3 Failure classification

Failures of SIS elements are mostly classified as dangerous failures and safe failures. Dangerous failures can be further split into detected (DD) and undetected (DU) failures. Dangerous detected failures are those revealed by diagnostic testing, whereas dangerous undetected failures are only revealed by proof testing. In SIS reliability calculations it is often assumed that DD failures have a negligible impact on the safety integrity (H. Jin, Lundteigen, and Rausand 2012).

A safe failure does not lead the SIF to an unsafe state. Failures of SIS elements can also be classified into random hardware failures and systematic failures.

  • Random hardware failure: occurs at a random time due to one or more possible degradation mechanisms in the hardware (H. Jin, Lundteigen, and Rausand 2012).
  • Systematic failure: also called a functional failure, it is related to the design or process, operational procedures, documentation, or other relevant factors. When a systematic failure occurs, the item is still able to operate but does not perform its specified function. Systematic failures cannot easily be detected during normal operation or regular proof testing (H. Jin, Lundteigen, and Rausand 2012).

1.1.3.1 Common cause failure (CCF)

A CCF causes the simultaneous failure of more than one channel in a multiple-channel system in such a way that it leads to system failure. CCFs may occur because redundant channels use the same type of components, share a design deficiency, receive inadequate maintenance, or are located in the same area (H. Jin, Lundteigen, and Rausand 2012; Lundteigen and Rausand 2007). Several methods exist to describe CCFs in a SIS; the beta factor model is the most popular today. β is the conditional probability of a CCF, given that a failure has occurred.

1.1.3.2 Test-independent failures (TIF)

TIFs were introduced as part of the PDS method. When a TIF is present, the system will not be as-good-as-new after a proof test. TIFs are failures that pass the proof test but still remain undetected (H. Jin, Lundteigen, and Rausand 2012).

1.1.3.3 Safety integrity requirements

The performance of a SIS with respect to its assigned safety function is defined in terms of safety integrity levels (SILs). A SIL indicates the relative level of risk reduction implemented by the safety function.

Four discrete levels of safety integrity are described in the IEC standard. Each level represents a measure of risk reduction. The standards require the assignment of a target SIL for any new or modified SIF within the SIS, and all SIS design, operation and maintenance choices must be verified against the target SIL (IEC 2000). Although a SIL is derived from an assessment of risk, it is not a measure of risk; it is the intended reliability of a safety function or system required to achieve the necessary amount of risk reduction (Lane 2004).

A safety function can operate in low demand mode or high demand mode. Low demand mode is where the frequency of demands for operation of the SIS is not greater than one per year and not greater than twice the proof test frequency (IEC 2000). In this mode, the safety function operates only when required to ensure that the equipment and environment remain in a safe state (e.g. a gas detection system in a boiler room).

In high demand mode, the frequency of demands for operation of the SIS is greater than once per year or greater than twice the proof test frequency, and a dangerous failure of this equipment will lead to a hazard (IEC 2000). A simple example is gas concentration measurement by a gas detector system that controls ventilation and heating to regulate the concentration of gas in a tank.

According to IEC, for these two modes of operation the safety integrity level of a safety function is expressed as (Spellemaeker and Witrant 2007):

  • The PFD, the average probability of failure to perform its design function on demand, in the case of low demand mode.

The quantitative requirement PFD (probability of failure on demand) is the probability that the safety function will fail when it is needed. For instance, the probability that a SIL 3 safety function fails on demand is between 0.1% and 0.01%; in other words, it works on demand in 99.9% to 99.99% of cases, and the associated risk reduction factor is 1000 to 10000.

  • The PFH, the probability of a dangerous failure per hour, in the case of high demand or continuous mode (Spellemaeker and Witrant 2007).

Table 1: PFD and RRF (risk reduction factor) for each SIL as defined in IEC 61508 (Spellemaeker and Witrant 2007)

SIL | PFD: low demand mode   | PFH: high demand mode  | Risk reduction
----|------------------------|------------------------|----------------
 4  | ≥ 10^-5 to < 10^-4     | ≥ 10^-9 to < 10^-8     | 10000 - 100000
 3  | ≥ 10^-4 to < 10^-3     | ≥ 10^-8 to < 10^-7     | 1000 - 10000
 2  | ≥ 10^-3 to < 10^-2     | ≥ 10^-7 to < 10^-6     | 100 - 1000
 1  | ≥ 10^-2 to < 10^-1     | ≥ 10^-6 to < 10^-5     | 10 - 100

1.1.4 Architectural constraint

For each part of the SIS, the architectural constraints are expressed by the hardware fault tolerance (HFT), which in turn is determined by the type of the components (type A or B), the safe failure fraction (SFF[1]) and the specified SIL.

1.1.5 Hardware fault tolerance (HFT)

The HFT expresses the number of faults that can be tolerated before a SIS is unable to perform the SIF. An HFT of M means that M+1 is the minimum number of faults that could cause a loss of the safety function. A KooN architecture tolerates N−K faults; e.g. a 2oo3 system tolerates 1 fault. A hardware fault tolerance of 1 means that, with two devices, the dangerous failure of one component or subsystem does not prevent the safety action from occurring (Lundteigen and Rausand 2009).

The second parameter used to determine the HFT is the component type. IEC 61508 defines type A and type B components. A type A component is characterized by: (i) all failure modes are well defined, (ii) the behaviour of the component under fault conditions is well known, and (iii) field data are dependable and able to confirm the claimed failure rates. A type B component does not fulfil one or more of these criteria.

1.1.6 Reliability block diagram

A reliability block diagram (RBD) is a graphical illustration of a system that shows the logical connections of the functioning items needed to fulfil a specific function. Each component in the system is represented by a block. Reliability block diagrams are often applied to determine the PFD of a SIF.

Figure 2: a) 1oo1 configuration b) 1oo2 configuration

1.1.7 Impact of testing

There is a link between the safety integrity and the tests done in the field to verify that the safety function operates as intended. Over time components drift and the probability of failures increases. To keep the SIL at its initial value, it is mandatory to perform proof tests to check the availability of the safety function; carrying out a proof test returns the system to the normal situation. There is thus a link between the average PFD, the test interval Tp and the mean time to repair (Spellemaeker and Witrant 2007). These tests are essentially designed to detect random hardware failures.
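To illustrate how the quantities introduced in Table 1, Section 1.1.5 (HFT) and Section 1.1.6 (1oo1 and 1oo2 configurations) combine with the proof test interval Tp, the following Python script, written for this text and not part of the original thesis or of any standard, computes PFDavg for 1oo1, 1oo2 and 2oo3 voted groups with the common simplified low-demand formulas and the beta factor model, then reads off the SIL band and risk reduction factor. The formulas, the dangerous undetected failure rate λDU, the sample values and the function names are assumptions, not taken from the text.

```python
"""Simplified low-demand PFD_avg and SIL check (added example, not from the text).

Standard IEC 61508-style approximations with the beta-factor CCF model, ignoring
dangerous detected (DD) failures as Section 1.1.3 assumes. lambda_du is the
dangerous undetected failure rate per hour, tau the proof test interval Tp in
hours and beta the common cause fraction (all sample values are constructed)."""

HOURS_PER_YEAR = 8760.0

# Table 1 low-demand bands: SIL -> (lower PFD bound inclusive, upper bound exclusive)
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg(k, n, lambda_du, tau_hours, beta=0.0):
    """Average PFD of a KooN voted group; 1oo1, 1oo2 and 2oo3 are supported."""
    indep = (1.0 - beta) * lambda_du * tau_hours  # independent DU part per channel
    ccf = beta * lambda_du * tau_hours / 2.0      # common cause part shared by all channels
    if (k, n) == (1, 1):
        return lambda_du * tau_hours / 2.0
    if (k, n) == (1, 2):
        return ccf + indep ** 2 / 3.0
    if (k, n) == (2, 3):
        return ccf + indep ** 2
    raise ValueError(f"no simplified formula for {k}oo{n}")

def hardware_fault_tolerance(k, n):
    """A KooN architecture tolerates N-K dangerous faults (Section 1.1.5)."""
    return n - k

def sil_from_pfd(pfd):
    """Map PFD_avg to the SIL band of Table 1; 0 means below SIL 1."""
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return 0

def verify(k, n, lambda_du, tau_years, beta, target_sil):
    """Return the verification result of one voted group against a target SIL."""
    pfd = pfd_avg(k, n, lambda_du, tau_years * HOURS_PER_YEAR, beta)
    sil = sil_from_pfd(pfd)
    return {"pfd_avg": pfd, "sil": sil, "rrf": 1.0 / pfd,
            "hft": hardware_fault_tolerance(k, n), "meets_target": sil >= target_sil}

if __name__ == "__main__":
    # Constructed sample data: lambda_DU = 2e-6 per hour, annual proof test, beta = 10 %
    for k, n in [(1, 1), (1, 2), (2, 3)]:
        r = verify(k, n, 2e-6, 1.0, 0.10, target_sil=3)
        print(f"{k}oo{n}: PFD_avg={r['pfd_avg']:.2e} SIL {r['sil']} RRF={r['rrf']:.0f} "
              f"HFT={r['hft']} SIL 3 met={r['meets_target']}")
```

With the constructed values only the 1oo2 group reaches SIL 3; 2oo3 has the same HFT but a three times larger independent term and stays in SIL 2, which shows why the HFT alone does not settle the SIL.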

1.1.7.1 Functional testing

Functional testing is performed manually at defined time intervals, typically every 3, 6 or 12 months.

1.1.7.2 Automatic self-test

Modern systems often have built-in facilities to detect random hardware failures by automatic self-test. As part of the self-test the system may also determine which of the modules has failed. However, not all random hardware failures can be detected automatically; the performance of the self-test depends on the voting logic and the operating philosophy.

1.2 Standards and guidelines

1.2.1 IEC

Various international standards are used to verify compliance with legal requirements for an organization or system. IEC 61508 and IEC 61511 are used as a benchmark for acceptable good practice by safety regulators worldwide. IEC 61508 is concerned with achieving functional safety and describes a fully risk-based approach for determining safety integrity level requirements (OLF 2004).

For estimating the reliability of a SIS, the IEC standard describes a number of possible calculation approaches, including analytical formulas, reliability block diagrams, fault tree analysis, Markov modelling and Petri nets (Innal 2008). The IEC standard does not mandate one particular approach or a particular set of formulas, but leaves it to the user to choose the most appropriate approach for quantifying the reliability of a given system or function (IEC 2000).

The standard specifies the risk and the measures in the design of safety functions. It provides the functional safety requirements covering random hardware failures, systematic failures and common cause failures. IEC 61508 is a generic standard applicable to several industries and serves as a basis for developing sector standards (e.g. machinery, process chemical plants, medical or rail) or product standards (e.g. gas detection) (Spellemaeker and Witrant 2007).

IEC 61508 and IEC 61511 guide all necessary activities during the entire lifecycle of the systems for the management of functional safety. IEC 61508 requires only random hardware failures to be considered in PFDavg calculations, while systematic failures should be managed by a proper safety management programme. The main argument for this approach is that systematic failures do not follow the same failure processes as random hardware failures. The standard gives a number of requirements to reduce systematic failures (OLF 2004).

1.2.2 OLF 70

This guideline, built on IEC 61508 and IEC 61511, defines minimum SIL requirements based on experience, with the purpose of achieving an adequate safety level for petroleum activities in Norway. Compared with the fully risk-based perspective described in IEC 61508, this guideline focuses directly on hazard identification and on identifying deviations from the minimum SIL requirements. To ensure a better performance level, stricter SIL requirements have been chosen.

OLF describes minimum SIL requirements instead of the fully risk-based approach described in IEC 61508 for determining SIL requirements. This helps organizations avoid time-consuming calculations and documentation. In case of deviation from the requirements of this guideline, due to technological advances or special conceptual or operational aspects, IEC 61508/61511 should be followed.



[1] SFF is the proportion of "safe" failures among all failures.
