					         IEC 61508 – IEC 61511
              Presentation



                                      Document last revised 20 May 2005




G.M. International s.r.l
               Via San Fiorano, 70
          20058 Villasanta (Milano)
                             ITALY
                 www.gmintsrl.com
                info@gmintsrl.com
Standard Definitions

IEC 61508
Title: "Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems"

IEC 61511 has been developed as the process-sector implementation of IEC 61508.
Title: "Safety Instrumented Systems for the Process Industry"
            Standard History

IEC 61508 was conceived to define and harmonise a method for reducing the risk
of harm to people and property, applicable in all sectors.

IEC 61508 integrates and extends the American standard ISA-S84.01 (1996)
and the German DIN 19250 (1994).
Standard Requirements
        Other related standards
• DIN 19250 (1994)
  Title: “Fundamental Safety aspects to be considered for measuring
  and control equipment”
  Deals with Quantitative Risk Analysis used for Part 5 of IEC 61508,
  classification in AK classes 1-8 similar to SIL levels


• ISA-S84.01 (1996)
  Title: "Application of Safety Instrumented Systems (SIS) for the
  process industry"
  Defines the safety lifecycle, assuming that risk analysis and SIL
  selection have already been carried out.
            Fundamental Concepts
•   Risk Reduction and Risk Reduction Factor (RRF)
•   Safety Integrity Level (SIL)
•   Independence Levels and consequences
•   Probability of Failure on Demand (PFD)
•   Reliability
•   Availability
•   Failure Rate (λ)
•   Proof test interval, the time between two proof tests (T[proof])
•   Failure In Time (FIT)
•   Mean Time To Failure (MTTF)
•   Mean Time Between Failure (MTBF)
•   Mean Time To Repair (MTTR)
•   Safe Failure Fraction (SFF)
•   Safety Lifecycle
•   Safety Instrumented System (SIS)


Risk Reduction
As Low As Reasonably Practicable, or tolerable risk (ALARP zone)


Risk Reduction


        Safety Integrity Level (SIL)
• SIL levels (Safety Integrity Level)
• RRF (Risk Reduction Factor)
• PFD avg (Average Probability of Failure on Demand)




       SIL Table for Demand and Continuous mode of Operation


Independence Levels
Assessment independence level as a function of consequences


   PFDavg / RRF
     Correlation between
Probability of Failure on Demand
               and
    Risk Reduction Factor


                              Reliability
• Reliability is a function of operating time.
• All reliability functions start from reliability one and decrease towards
  reliability zero: the device must be successful for the entire time interval.
• The statement "Reliability = 0.76 for a time of 100,000 hours" makes perfect
  sense.




        R(t) = P(T>t)


                      Reliability
Reliability is the probability that a device will perform its
        intended function when required to do so,
      if operated within its specified design limits.

 –   The device “intended function” must be known.
 –   “When the device is required to function” must be judged.
 –   “Satisfactory performance” must be determined.
 –   The “specified design limits” must be known.

Mathematically, reliability is the probability that a device will be
successful over the time interval from zero to t, expressed in terms of
the random variable T (the time to failure).


Availability
• Availability is the probability that a device is successful (operating) at
  time t.
• No time interval is involved.
• A device is available if it is operating.
• In steady state, availability is set by the mean time to failure and the
  mean time to repair: A = MTTF / (MTTF + MTTR).


MTTF
MTTF is the average successful operating time of a device (system)
before a failure in any mode.

• MTBF (Mean Time Between Failures)
• MTBF = MTTF + MTTR
• MTTF = MTBF - MTTR
• MTTR (Mean Time To Repair)
• Since MTTR << MTTF, MTBF is very close to MTTF in value.


MTBF and Failure Rate
Relation between MTBF and Failure Rate λ

              Failure per unit time            1
     λ = ----------------------------- = ------------
            Quantity Exposed               MTBF



               1        Quantity Exposed
     MTBF = ------ = ----------------------------
                  λ       Failure per unit time


MTBF - Example
• The (constant) failure rate is commonly used as the measure of
  reliability.

• E.g. 300 isolators have been operating for 10 years and 3 failures have
  occurred. The average failure rate of the isolators is:

$$\lambda = \frac{\text{failures per unit time}}{\text{quantity exposed}} = \frac{3}{300 \times 10 \times 8760\ \text{h}} = 1.14 \times 10^{-7}\ \text{per hour} = 114\ \text{FIT}$$

  i.e. 114 failures per billion device-hours.

• MTBF = 1/λ = 8.76 × 10^6 h ≈ 1000 years (for a constant failure rate:
  3000 device-years of exposure divided by 3 failures).


Failure Rate Categories
  λ tot = λ safe + λ dangerous
  λ s = λ sd + λ su
  λ d = λ dd + λ du
  λ tot = λ sd + λ su + λ dd + λ du

Where:
  sd   = Safe detected
  su   = Safe undetected
  dd   = Dangerous detected
  du   = Dangerous undetected


FIT
Failure In Time is the number of failures per one billion device-hours.

1 FIT = 1 failure in $10^{9}$ hours = $10^{-9}$ failures per hour


SFF (Safe Failure Fraction)
SFF is the fraction of all failures that either lead to a safe state or
are detected by diagnostic measures and lead to a defined safety action:

SFF = (λs + λdd) / λtot = (λsd + λsu + λdd) / (λsd + λsu + λdd + λdu)


           Type A SFF Chart
Type A components are described as simple devices with
well-known failure modes and a solid history of operation


Type B SFF Chart
Type B: "complex" component (using microcontrollers or programmable
logic), according to 7.4.3.1.3 of IEC 61508-2
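The failure-rate bookkeeping above (λ from field data, FIT, MTBF, the sd/su/dd/du split, SFF) feeds the type A / type B charts whose figures are missing from this page. The script below is an added example, not G.M. International's code: it carries the deck's 300-isolator field example through to λ and MTBF, computes SFF from a constructed FMEDA split, and encodes the IEC 61508-2 (2000 edition) Tables 2 and 3 that give the highest SIL claimable from SFF and hardware fault tolerance. The field counts and the FMEDA fractions are constructed for illustration and are not D1014 data.

```python
# Added example (not G.M. International's code): failure-rate bookkeeping
# per the IEC 61508 definitions above. The field data and the FMEDA split
# are constructed for illustration; they are not D1014 figures.

HOURS_PER_YEAR = 8760
FIT = 1e-9  # 1 FIT = one failure per 10^9 device-hours


def failure_rate(units, years, failures):
    """Average failure rate (per hour) = failures / device-hours exposed."""
    device_hours = units * years * HOURS_PER_YEAR
    if device_hours <= 0:
        raise ValueError("no exposure")
    return failures / device_hours


def mtbf_years(lam):
    """MTBF = 1/lambda; meaningful only under the constant-failure-rate
    assumption (no wear-out)."""
    return 1.0 / lam / HOURS_PER_YEAR


def safe_failure_fraction(l_sd, l_su, l_dd, l_du):
    """SFF = (lambda_s + lambda_dd) / lambda_total: safe failures plus
    dangerous failures revealed by diagnostics, over all failures."""
    total = l_sd + l_su + l_dd + l_du
    return (l_sd + l_su + l_dd) / total


# IEC 61508-2 (2000 edition) Tables 2 and 3: highest SIL claimable for a
# subsystem from its SFF band and hardware fault tolerance (HFT 0, 1, 2).
# None = the combination is not allowed.
_SFF_BANDS = ((0.00, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.0 + 1e-12))
_MAX_SIL = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}


def max_sil(sff, device_type, hft):
    """Architectural constraint: max SIL for a type A/B subsystem at a given HFT."""
    if device_type not in _MAX_SIL or hft not in (0, 1, 2):
        raise ValueError("device_type must be 'A' or 'B' and hft 0, 1 or 2")
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    for (lo, hi), sils in zip(_SFF_BANDS, _MAX_SIL[device_type]):
        if lo <= sff < hi:
            return sils[hft]
    raise AssertionError("unreachable")


def assess(units, years, failures, split, device_type, hft):
    """Field data -> lambda; FMEDA split (fractions of lambda per category,
    summing to 1) -> SFF -> max SIL. Returns (lambda in FIT, SFF, max SIL)."""
    lam = failure_rate(units, years, failures)
    if abs(sum(split.values()) - 1.0) > 1e-9:
        raise ValueError("FMEDA split must cover 100% of the failure rate")
    parts = {k: lam * v for k, v in split.items()}
    sff = safe_failure_fraction(parts["sd"], parts["su"], parts["dd"], parts["du"])
    return lam / FIT, sff, max_sil(sff, device_type, hft)


if __name__ == "__main__":
    # The deck's field example: 300 isolators, 10 years, 3 failures
    lam = failure_rate(300, 10, 3)
    print(f"lambda = {lam:.2e}/h = {lam / FIT:.0f} FIT, MTBF = {mtbf_years(lam):.0f} years")
    # Constructed FMEDA split: 35% safe detected, 40% safe undetected,
    # 17% dangerous detected, 8% dangerous undetected -> SFF = 92%
    split = {"sd": 0.35, "su": 0.40, "dd": 0.17, "du": 0.08}
    for dev_type in "AB":
        fit, sff, sil = assess(300, 10, 3, split, dev_type, hft=0)
        print(f"type {dev_type}: SFF = {sff:.0%}, max SIL at HFT 0 = {sil}")
```

The same SFF buys one SIL less for a type B device than for a type A device at HFT 0, and a type B device with SFF below 60% cannot be used at HFT 0 at all; that is the practical reason the charts are split by device type.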


HSE Study
Results of the study of system failure causes carried out by the UK
Health and Safety Executive (HSE)


Safety Lifecycle Origin


Safety Lifecycle 1/5


    Safety Lifecycle 2/5
First portion of the overall safety lifecycle
   ANALYSIS (End user / Consultant)


         Safety Lifecycle 3/5
Realisation activities in the overall safety lifecycle


        Safety Lifecycle 4/5
          Safety lifecycle for the E/E/PES
(Electrical / Electronic / Programmable Electronic)
   Safety - Related System (IEC 61508, Part 2)


    Safety Lifecycle 5/5
Last portion of the overall safety lifecycle
 OPERATION (End User / Contractor)


              SIS
  SIS (Safety Instrumented System)
according to IEC 61508 and IEC 61511
                        IEC 61511
            Safety Instrumented Systems
                for Process Industry
• IEC 61511 has been developed as a Process Sector implementation
  of the IEC 61508.
• The Safety Lifecycle forms the central framework which links together
  most of the concepts in this standard, and evaluates process risks
  and SIS performance requirements (availability and risk reduction).
• Layers of protection are designed and analysed.
• A SIS, if needed, is optimally designed to meet particular process risk.


Process sector system standard


              IEC 61511 Parts
         The Standard is divided into three Parts


• Part 1: Framework, Definitions, Systems, Hardware and
  Software Requirements
• Part 2: Guidelines in the application of IEC 61511-1
• Part 3: Guidelines in the application of hazard and risk
  analysis


       IEC 61511 Part 3




Guidelines in the application of hazard and risk analysis
                            FMEDA
Failure Modes and Effects Diagnostic Analysis (FMEDA)
is one of the steps taken to achieve the functional safety assessment of a
device per IEC 61508, and is considered a systematic way to:

• identify and evaluate the effects of each potential component failure
  mode;
• classify failure severity;
• determine what could eliminate or reduce the chance of failure;
• document the system (or sub-system) under analysis.
The following assumptions are usually made during the FMEDA

•   Constant failure rates (wear-out mechanisms not included)
•   Propagation of failures is not relevant
•   Repair time = 8 hours
•   Stress levels according to IEC 60654-1, Class C (sheltered location),
    with temperature limits within the manufacturer's rating and an
    average temperature over a long period of time of 40 °C
             1oo1 Architecture



$$\mathrm{PFD_{avg}}(T_1) = \lambda_{dd}\,RT + \lambda_{du}\,\frac{T_1}{2}$$

Because RT (the average repair time) is much shorter than T1, the λdd·RT term
is negligible (provided λdd is not orders of magnitude larger than λdu) and

$$\mathrm{PFD_{avg}} \approx \lambda_{du}\,\frac{T_1}{2}$$

For the whole loop, λdu = λdu(sensor) + λdu(isolator) + λdu(controller) + λdu(final element).

The SIL achievable by the loop is limited by the lowest-SIL sub-system in it.
                     1oo2 Architecture




$$\mathrm{PFD_{avg}} = \lambda_{duc}\,\frac{T_1}{2} + \lambda_{ddc}\,RT + (\lambda_{ddn}\,RT)^2 + \frac{(\lambda_{ddn}\,RT\,\lambda_{dun}\,T_1)^2}{2} + \frac{(\lambda_{dun}\,T_1)^2}{3}$$

where the index c denotes the common-cause part of each failure rate and n the normal (independent) part.

Reduced form (λdd and common-cause terms neglected), as used in the examples later in this deck:

$$\mathrm{PFD_{avg}} = \frac{(\lambda_{dun}\,T_1)^2}{2} + \frac{(\lambda_{dun}\,T_1)^2}{3}$$
                    2oo3 Architecture




$$\mathrm{PFD_{avg}} = \lambda_{duc}\,\frac{T_1}{2} + 3\left[\lambda_{ddc}\,RT + (\lambda_{ddn}\,RT)^2 + \frac{(\lambda_{ddn}\,RT\,\lambda_{dun}\,T_1)^2}{2} + \frac{(\lambda_{dun}\,T_1)^2}{3}\right]$$
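The three architecture formulas above, together with the low-demand and high-demand SIL tables whose figure is missing from this page, are enough to size a loop. The script below is an added example, not G.M. International's code: it implements the 1oo1, 1oo2 and 2oo3 expressions exactly as the deck writes them (including its reduced 1oo2 form), sums a 1oo1 loop, and maps PFDavg (low demand) or PFH (high demand / continuous) to a SIL using the IEC 61508-1 bands. The 34 FIT λdu is the D1014 isolator value quoted later in this deck; the λdd values and the other three sub-systems' rates in the demo are constructed.

```python
# Added example (not G.M. International's code): the deck's PFDavg formulas for
# the 1oo1, 1oo2 and 2oo3 architectures, with the IEC 61508-1 SIL bands.
# Rates are per hour, RT and T1 in hours. The 34 FIT lambda_du is the D1014
# value quoted in this deck; the lambda_dd and common-cause rates used in the
# demo are constructed.

FIT = 1e-9
HOURS_PER_YEAR = 8760


def pfd_1oo1(l_dd, l_du, rt, t1):
    """Detected dangerous failures are down for the repair time RT; undetected
    ones stay hidden on average for half the proof-test interval T1."""
    return l_dd * rt + l_du * t1 / 2


def pfd_1oo2(l_duc, l_ddc, l_dun, l_ddn, rt, t1):
    """Index c = common-cause part of the rate (acts like a single channel),
    index n = normal part, which enters as products of two channels."""
    return (l_duc * t1 / 2 + l_ddc * rt
            + (l_ddn * rt) ** 2
            + (l_ddn * rt * l_dun * t1) ** 2 / 2
            + (l_dun * t1) ** 2 / 3)


def pfd_2oo3(l_duc, l_ddc, l_dun, l_ddn, rt, t1):
    """Same bracket as 1oo2, multiplied by 3 as in the deck (three channel pairs)."""
    return l_duc * t1 / 2 + 3 * (l_ddc * rt
                                 + (l_ddn * rt) ** 2
                                 + (l_ddn * rt * l_dun * t1) ** 2 / 2
                                 + (l_dun * t1) ** 2 / 3)


def pfd_1oo2_du_only(l_dun, t1):
    """The deck's reduced 1oo2 expression: only undetected dangerous failures."""
    x = l_dun * t1
    return x ** 2 / 2 + x ** 2 / 3


def loop_pfd(subsystems, rt, t1):
    """PFDavg of a 1oo1 loop is the sum over its sub-systems.
    subsystems = {name: (lambda_dd, lambda_du)} in per-hour units."""
    return sum(pfd_1oo1(l_dd, l_du, rt, t1) for l_dd, l_du in subsystems.values())


def sil_low_demand(pfd_avg):
    """IEC 61508-1 Table 2 (low demand). 0 = worse than SIL 1; values below
    1e-5 are outside the table and reported as 4."""
    for sil, lo, hi in ((4, 0.0, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)):
        if lo <= pfd_avg < hi:
            return sil
    return 0


def sil_high_demand(pfh):
    """IEC 61508-1 Table 3 (high demand / continuous): PFH in failures per hour."""
    for sil, lo, hi in ((4, 0.0, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)):
        if lo <= pfh < hi:
            return sil
    return 0


if __name__ == "__main__":
    T1, RT = HOURS_PER_YEAR, 8          # 1-year proof test, 8-hour repair (deck conventions)
    l_du = 34 * FIT                      # D1014 isolator lambda_du (from its safety manual)
    single = pfd_1oo1(0.0, l_du, RT, T1)
    dual = pfd_1oo2_du_only(l_du, T1)
    print(f"1oo1: PFDavg = {single:.3e} -> SIL {sil_low_demand(single)}")
    print(f"1oo2: PFDavg = {dual:.3e} -> SIL {sil_low_demand(dual)} "
          f"({single / dual:.0f}x smaller)")
    # Constructed loop, (lambda_dd, lambda_du): transmitter, isolator, controller, final element
    loop = {"tx": (400 * FIT, 600 * FIT), "i": (60 * FIT, 34 * FIT),
            "c": (900 * FIT, 100 * FIT), "fe": (0.0, 1200 * FIT)}
    total = loop_pfd(loop, RT, T1)
    print(f"loop: PFDavg = {total:.3e} -> SIL {sil_low_demand(total)}")
```

Running the demo reproduces the deck's D1014 figures (about 1.49e-4 for the single channel and roughly 2000 times less for the reduced 1oo2 form) and shows that, in the constructed loop, the λdd·RT contributions are three orders of magnitude below the λdu·T1/2 ones, which is why the deck drops them; the final element dominates the loop, so that is where a 1oo2 upgrade or a shorter proof-test interval pays off first.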
    SIL3 using SIL2 subsystem
SIL3 Control Loop or Safety Function using
   SIL2 SubSystems in 1oo2 Architecture
                 Safety Manual
A Safety Manual is a document provided to users of a product that
specifies their responsibilities for installation and operation, in order
to maintain the design safety level.

The following information shall be available for each safety-
related sub-system ..
          Safety Manual Requirements
1.    Functional specification and safety function
2.    Estimated rate of failure in any mode which would cause both
      undetected and detected safety function dangerous failures
3.    Environment and lifetime limits for the sub-system
4.    Periodic proof tests and/or maintenance requirements
5.    T proof test time interval
6.    Information necessary for PFDavg, MTTR, MTBF, SFF, λdu, λtotal
7.    Hardware fault tolerance and failure categories
8.    Highest SIL that can be claimed (not required for proven in use
      sub-systems)
9.    Documentary evidence for sub-system’s validation (EXIDA)
10.   Proof Test Procedures to reveal dangerous faults which are
      undetected by diagnostic tests.
                                                                     Using the Safety Manual


              Standard references
Remembering that:

•   SIL (Safety Integrity Level)
•   RRF (Risk Reduction Factor)
•   PFD avg (Average Probability of Failure on Demand)




                  SIL Table for operative modes “high” and “low” demand


        Standard references
Remembering the definitions given for type "A" and "B" components and
sub-systems, and the related SFF values


        Loop PFDavg calculation




                 1oo1 typical control loop


PFDavg(sys) = PFDavg(tx) + PFDavg(i) + PFDavg(c) + PFDavg(fe)

             Loop PFDavg calculation
To calculate the PFDavg of the entire loop, the PFDavg of each sub-system
must first be found and assigned a proportional share ("weight") of the
loop total (100%).
This duty is usually assigned to the personnel in charge of plant safety,
process and maintenance.


              Loop PFDavg calculation
Equation for 1oo1 loop

$$\mathrm{PFD_{avg}} = \lambda_{dd}\,RT + \lambda_{du}\,\frac{T_1}{2}$$

Where:
   RT = repair time in hours (conventionally 8 hours)
   T1 = T proof, the time between functional tests of the circuit (typically 1, 5 or 10 years)
   λdd = failure rate for detected dangerous failures
   λdu = failure rate for undetected dangerous failures

Loop PFDavg calculation

If T1 = 1 year (8760 h) and RT = 8 h, then

$$\mathrm{PFD_{avg}} = \lambda_{dd} \cdot 8 + \lambda_{du} \cdot 4380$$

but since λdd · 8 is far smaller than λdu · 4380,

$$\mathrm{PFD_{avg}} \approx \lambda_{du} \cdot 4380$$


            Example 1
$$\mathrm{PFD_{avg}} = \lambda_{du}\,\frac{T_1}{2}$$

For the D1014, λdu is equal to 34 FIT (see the safety manual). With T1 = 1 year:

$$\mathrm{PFD_{avg}} = 34 \times 10^{-9} \times 4380 = 1.489 \times 10^{-4}$$

(PFDavg is dimensionless; where this deck writes "148920 FIT", the label is
shorthand for 148920 × 10^-9.)

                        Example 2
The "weight" of each sub-system in the loop must be checked against the
PFDavg of the target SIL and the data in the device's safety manual.
For example, suppose SIL 2 is to be achieved by the loop on the right,
operating in low-demand mode:

         • PFDavg(sys) must lie between $10^{-3}$ and $10^{-2}$
         • the "weight" of the D1014 isolator is 10%

Therefore PFDavg(i) should lie between $10^{-4}$ and $10^{-3}$.


                    Example 2



Given the table above (from the safety manual), the conclusions are:

1. D1014 being a type A component with SFF = 90%, it can be used in both
   SIL 2 and SIL 3 applications.
2. PFDavg with T proof = 1 yr allows SIL 3 applications.
3. PFDavg with T proof = 5 yr allows SIL 2 applications.
4. PFDavg with T proof = 10 yr allows SIL 1 applications.
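Example 2 is a budget exercise: the PFDavg allowed by the target SIL is split among the sub-systems by "weight", and each sub-system's λdu and proof-test interval are then checked against its share. The script below is an added example, not G.M. International's code. It performs that split, checks every sub-system at a given T proof, and inverts the reduced 1oo1 formula to find the longest proof-test interval that still fits the share. The SIL 2 target, the 10% isolator weight and the 34 FIT λdu are from the deck; the other three weights and λdu values are constructed.

```python
# Added example (not G.M. International's code): the budget check of Example 2.
# The loop PFDavg allowed by the target SIL is split among sub-systems by
# "weight"; each sub-system's lambda_du and proof-test interval are tested
# against its share, and the longest T_proof that still fits is derived.
# The SIL 2 target, the 10% isolator weight and the 34 FIT lambda_du are from
# the deck; the other weights and lambda_du values are constructed.

HOURS_PER_YEAR = 8760
FIT = 1e-9
# Upper PFDavg limit of each low-demand SIL band (IEC 61508-1 Table 2)
PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def allocate_budget(target_sil, weights):
    """weights = {subsystem: fraction of the loop budget}; must sum to 100%."""
    if target_sil not in PFD_UPPER:
        raise ValueError("target SIL must be 1..4")
    if abs(sum(weights.values()) - 1.0) > 1e-9 or min(weights.values()) <= 0:
        raise ValueError("weights must be positive and sum to 100%")
    return {name: w * PFD_UPPER[target_sil] for name, w in weights.items()}


def pfd_1oo1_du(l_du, t1_hours):
    """Reduced 1oo1 formula (lambda_dd * RT neglected)."""
    return l_du * t1_hours / 2


def max_proof_interval_years(l_du, allowance):
    """Invert PFDavg = lambda_du * T1 / 2 for the longest T1 inside the allowance."""
    return 2 * allowance / l_du / HOURS_PER_YEAR


def check_loop(target_sil, weights, l_du_fit, t1_years):
    """Returns (loop PFDavg, loop meets target, per-subsystem report)."""
    budget = allocate_budget(target_sil, weights)
    report = {}
    for name, allowance in budget.items():
        l_du = l_du_fit[name] * FIT
        pfd = pfd_1oo1_du(l_du, t1_years * HOURS_PER_YEAR)
        report[name] = {
            "pfd": pfd,
            "allowance": allowance,
            "fits": pfd <= allowance,
            "t1_max_years": max_proof_interval_years(l_du, allowance),
        }
    total = sum(r["pfd"] for r in report.values())
    # the band is 1e-3 <= PFDavg < 1e-2 for SIL 2, hence the strict comparison
    return total, total < PFD_UPPER[target_sil], report


if __name__ == "__main__":
    weights = {"tx": 0.35, "i": 0.10, "c": 0.15, "fe": 0.40}   # i = D1014 isolator at 10%
    l_du_fit = {"tx": 500, "i": 34, "c": 100, "fe": 800}        # constructed, except i
    for years in (1, 5, 10):
        total, ok, report = check_loop(2, weights, l_du_fit, years)
        print(f"T_proof = {years:2d} y: loop PFDavg = {total:.2e} "
              f"{'meets' if ok else 'misses'} SIL 2")
        for name, r in report.items():
            print(f"   {name:2s}: {r['pfd']:.2e} vs {r['allowance']:.1e} "
                  f"{'ok ' if r['fits'] else 'NOK'}  max T_proof {r['t1_max_years']:.1f} y")
```

With the deck's numbers the isolator fits its 10% share up to a proof-test interval of about 6.7 years; at 10 years it exceeds the share, matching the deck's table. Checking the sum as well as each share matters: weights only distribute the budget, and a sub-system that overruns its share can still be compensated by another that underruns, or the reverse.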


             1oo2 architecture


  What happens if the total PFDavg does not reach the required SIL 2,
  or the end user requires the higher SIL 3?

The solution is a 1oo2 architecture, which offers a much lower PFDavg;
the price is a higher rate of safe (spurious) trips, since either channel
failing safe trips the function.


1oo2 architecture
For the D1014S (1oo1), with λdu = 34 FIT and T1 = 1 year:

$$\mathrm{PFD_{avg}} = \lambda_{du}\,\frac{T_1}{2} = 1.489 \times 10^{-4}$$

For the D1014D (1oo2):

$$\mathrm{PFD_{avg}} = \frac{(\lambda_{dun}\,T_1)^2}{2} + \frac{(\lambda_{dun}\,T_1)^2}{3} \approx 7.4 \times 10^{-8}$$

(in the deck's shorthand, 148920 "FIT" and 75 "FIT", i.e. × 10^-9)

In this case the 1oo2 architecture gives a PFDavg about 2000 times
smaller for the sub-system.


               Final considerations
•   Always check that the Safety Manual contains the information necessary for
    the calculation of SFF and PFDavg values.
•   Between alternative suppliers, choose the one that offers:
          • the highest SIL level,
          • the highest SFF value,
          • the longest T[proof] interval for the same SIL level,
          • the lowest PFDavg for the same T[proof].
•   For units with more than one channel but a single power-supply circuit,
    only one channel may be credited in the safety function. Both channels
    may be used only when they are fed by two independent supply circuits
    (as in the D1014D).
•   Check that the Safety Manual provides all the proof-test procedures needed
    to detect dangerous undetected faults.
              Credits and Contacts


 G.M. International s.r.l            TR Automatyka Sp. z o.o.
  Via San Fiorano, 70                     ul. Lechicka 14
20058 Villasanta (Milan)                02-156 Warszawa
         ITALY                                POLAND
   www.gmintsrl.com                    www.trautomatyka.pl
  info@gmintsrl.com                   biuro@trautomatyka.pl

