Sil Verification
Transcript of SIL Verification
Prepared by: Amiya Ray, Sandeep Sidhu
RISK & IDENTIFICATION TECHNIQUE
RISK ASSESSMENT & RISK REDUCTION
PROTECTION LAYERS
FTA ANALYSIS
SIL VERIFICATION
In safety standards such as IEC 61511, what's at risk is identified as personnel and the environment. However, most companies use an expanded list of risk categories that can also include:
• Public safety and health
• Liability costs
• Production interruptions and quality issues
• Equipment damage and repair costs
“What’s the likelihood a harmful event will happen, and what are the consequences if it does?”
The challenge is to identify risks in advance so that they can be reduced or eliminated – for example, by changing a product’s formulation or reducing the quantities of hazardous material present.
• Preliminary Hazard Analysis
• Risk Analysis During Hazop Study
• Fault Tree Analysis
• Event Tree Analysis
• Cause Consequence Analysis
Sample likelihood risk assessment model
Adapted from IEC 61511-3, Table C.1 - Frequency of hazardous event likelihood
ASSESSING RISK
Sample consequence risk assessment model
Adapted from IEC 61511-3, Table C.2 - Criteria for rating the severity of impact of hazardous events.
The purpose of a plant safety program – including safety instrumented systems – is to ensure this exposure is tolerable at all times.
IEC 61511 describes tolerable risk as “risk which is accepted in a given context based on the current values of society.”
Occupational Safety & Health Administration (OSHA), Environmental Protection Agency (EPA)
ALARP MODEL
If inherent risk is greater than tolerable risk, the first choice should be to eliminate the risk. If it can't be eliminated, it must be minimized or mitigated — by active means such as relief valves or safety systems, or by passive means such as containment dikes or bunds.
But how safe is safe enough?
That's why it's important to identify how much the risks need to be reduced, and then design a solution that delivers the appropriate level of protection.
How much do we need to reduce the risk? There are two ways of finding an answer: quantitative and qualitative.
Quantitative
Risk a + Risk b + Risk c + Risk d + … + Risk z = RRF × (Tolerable Risk)
For example, we may want to reduce the frequency of a fatality from once every 10 years to once every 10,000 years. In other words, we want to reduce risk by a factor of 1000, which is our Risk Reduction Factor, or RRF.
Although this approach is used increasingly often, it raises two challenges.
• We need to collect a lot of data to make the calculations meaningful.
• We have to express specific, quantified levels of risk that you're
Qualitative
The second way of assessing the required risk reduction is to use qualitative rankings like those in the example consequence and likelihood models introduced above.
For example, the likelihood of a tank rupture might be ranked as "medium" and the consequence as "serious."
So how do we achieve the necessary level of risk reduction? By adding protection layers.
Safety standards define a protection layer as "any independent mechanism that reduces risk by control, prevention, or mitigation." The sum of the protection layers provides what is called functional safety — the functionality that ensures freedom from unacceptable risk.
The safety instrumented system (SIS) provides an independent protection layer that is designed to bring the process to a safe state when a hazardous condition occurs.
A typical SIS might include:
• Sensors, logic solvers, and final control elements
• Power and grounding
• Communication networks
• Supporting elements such as HART multiplexers and asset-management software
DEFINITIONS OF TERMINOLOGY
Consequence – The consequence is the result of the failure of the safety system. It is what the safety system is designed to prevent. The consequence can include impacts on safety, economics or the environment.
Probability of Failure on Demand – The PFD indicates the probability that the SIS will fail to respond to a process demand. This is related to the covert failure of the SIS.
Availability – The system availability is the fraction of time that the SIS is available to prevent or mitigate hazardous events.
Process Demand – This is a condition that requires the action of the SIS to prevent a hazardous event.
WHAT IS “SAFETY”?
PFD: Probability of Failure on Demand
Global standards describe safety in terms of PFD.
IEC 61508 requires that an SIL (Safety Integrity Level) be selected.
SIL   PFD (average)            RRF (Risk Reduction Factor)
4     ≥ 10^-5 to < 10^-4       10000 – 100000
3     ≥ 10^-4 to < 10^-3       1000 – 10000
2     ≥ 10^-3 to < 10^-2       100 – 1000
1     ≥ 10^-2 to < 10^-1       10 – 100
RRF = 1/PFD
Higher SIL, more safety.
What is PFD?
If we look at the safety integrity level from the viewpoint of the safety integrity requirement: for example, specifying SIL 3 as the safety integrity requirement for a safety instrumented system to be introduced means that the safety instrumented system is asked to reduce the frequency with which the original hazardous situation occurs to 1/1000 or less, because the PFD for SIL 3 is 10^-4 or above and less than 10^-3.
In other words, by installing a safety instrumented system in a plant where no countermeasures are in place and a hazardous event may occur once every 10 years, it becomes possible to reduce this frequency to once or less in every 10,000 years.
CLASSIFYING THE FAILURE
Reliability is achieved by reducing the failure rate. Safety is achieved by classifying the failures and reducing λdu.
How to reduce the undetected dangerous failure ??
Figure: the random hardware failure rate λ is split into four classes: λsd (detected safe failure), λsu (undetected safe failure), λdd (detected dangerous failure) and λdu (undetected dangerous failure).
Classifying the failure:
・ Detected or undetected
・ Dangerous or safe
In the case of an undetected dangerous failure, no action for safety is possible except a proof test.
When a failure is detected, action for safety can be taken, even if the failure is dangerous.
If a failure would not be detected, action for safety must still be taken for it (e.g. by proof test).
The undetected dangerous failure rate should be reduced!!
PFD avg. = λdd × MTTR + λdu × (T/2)
λdd : detected dangerous failure rate
μd : 1/MTTR
MTTR : Mean Time To Repair
λdu : undetected dangerous failure rate
μu : 1/(T/2)
T : Mean Time between Proof Tests
Figure: state transition diagram with three states. 0: Normal. 1: detected dangerous failure (found by self-diagnosis), entered at rate λdd and recovered at rate μd. 2: undetected dangerous failure (found only by proof test), entered at rate λdu and recovered at rate μu.
HOW TO MINIMIZE THE UNDETECTED DANGEROUS FAILURE (1/2)
For minimizing PFD avg., minimizing λdu is important.
State transition model A: state 0 transits to 1 and recovers to 0. Recovery takes MTTR.
State transition model B: state 0 transits to 2 and recovers to 0. It is recovered only by a proof test, so the time to recover depends on T (mean time between proof tests).
MTTR < T/2
Probably MTTR is shorter than 100 × T. Accordingly, minimizing T is required to reduce PFD.
HOW TO MINIMIZE THE UNDETECTED DANGEROUS FAILURE (2/2)
Figure: the same split of λ into λsd, λsu, λdd and λdu, shown with and without a self-diagnostic function. With a self-diagnostic function, failures move from undetected to detected, so the undetected dangerous failure share shrinks.
FAILURE DETECTION MECHANISM IN SAFETY SYSTEMS
Figure: a safety instrumented system loop (pressure switch, relief valve, solenoid valve, power supply; input, calculation, output) with the following detection mechanisms:
• Input short-circuit failure detection: monitoring the circuit periodically
• Output short-circuit failure detection: monitoring the load impedance
• Replace with a diagnostic sensor
• CPU failure detection: activating the CPU circuit periodically and checking the status
• Processor failure detection: comparison of results between redundant processors
• Controller and switch failure detection: switching off periodically and checking the status
CALCULATION SHEET
FAULT TREE ANALYSIS
Quantitative risk assessment was performed by modeling the safety instrumented system using Fault Tree Analysis (FTA). FTA was chosen because it is a very structured, systematic and rigorous technique that lends itself well to quantification.
A few assumptions for fault tree calculations for a SIF:
• Component failure and repair rates are assumed to be constant over the life of the SIF.
• Once a component has failed in one of the possible failure modes it cannot fail again in one of the remaining failure modes. It can only fail again after it has first been repaired.
• The Test Interval (TI) is assumed to be much shorter than the Mean Time To Failure (MTTF).
• The logic solver failure rate includes the input modules, logic solver, output modules and power supplies.
• The sensor failure rate includes everything from the sensor up to the signal isolators in the marshalling cabinet, including the process impacts (e.g., plugged impulse line to transmitter).
FTA – SAMPLE
TYPICAL SIL VERIFICATION RESULTS
SIL SOLVER DATA SHEET
VOTING SCHEME
Voting Scheme – The field device and logic configurations are defined as follows:
1oo1 – Single – No voting
1oo2 – Dual – Fail safe arrangement (one – out-of-two voting to trip)
2oo2 – Dual - Fail operational Arrangement (two – out-of-two voting to trip)
2oo3 – Triple – Fail safe & fail operational Arrangement (two-out-of-three voting trip)
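As an added example (not code from the original slides or from any SIL solver tool), the voting schemes above are evaluated as fault-tree gates and combined into the top event "SIF fails to act". The mapping of each scheme to a gate (a k-out-of-n-to-trip group fails to danger once more than n-k channels have failed) is standard but not stated on the page; the subsystem PFD values are constructed, and independent basic events with constant rates are assumed, as in the FTA assumptions listed earlier.

```python
# Added example: fault-tree evaluation of a SIF from subsystem PFDs and
# voting schemes. Basic events are assumed independent; PFD inputs are
# constructed sample values, not from any datasheet or from the page.
from itertools import combinations
from math import prod


def and_gate(pfds):
    """All inputs must fail dangerously for the gate to fail."""
    return prod(pfds)


def or_gate(pfds):
    """Any input failing fails the gate: 1 - P(no input fails)."""
    return 1.0 - prod(1.0 - p for p in pfds)


def koon_fail_to_danger(pfds, k):
    """A k-out-of-n-to-trip group fails to trip when fewer than k channels
    still work, i.e. at least n-k+1 channels have failed dangerously.
    1oo2 -> both must fail (AND); 2oo2 -> either failing is enough (OR);
    2oo3 -> any two of three."""
    n = len(pfds)
    total = 0.0
    # Exact probability that exactly m channels failed, summed for m >= n-k+1.
    for m in range(n - k + 1, n + 1):
        for failed in combinations(range(n), m):
            total += prod(pfds[i] if i in failed else 1.0 - pfds[i]
                          for i in range(n))
    return total


# Voting scheme from the slide -> k for a k-out-of-n-to-trip group.
VOTING = {"1oo1": 1, "1oo2": 1, "2oo2": 2, "2oo3": 2}


def sif_pfd(sensor_pfd, sensor_vote, logic_pfd, fe_pfd, fe_vote):
    """Top event: SIF fails to act = sensor group fails OR logic solver
    fails OR final-element group fails (OR gate over the three subsystems).
    Each group uses identical channels with the given per-channel PFD."""
    n_s, n_f = int(sensor_vote[-1]), int(fe_vote[-1])
    sensors = koon_fail_to_danger([sensor_pfd] * n_s, VOTING[sensor_vote])
    finals = koon_fail_to_danger([fe_pfd] * n_f, VOTING[fe_vote])
    return or_gate([sensors, logic_pfd, finals])
```

Comparing sif_pfd(0.01, "1oo1", 1e-4, 0.02, "1oo1") with the same loop using "1oo2" sensors shows how little the sensor vote helps when the single final element already contributes most of the top-event probability.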
THANK YOU