ProSIS-FSE. SIL Calculator V1.6 User Guide



Table of Contents

1 OBJECTIVES
2 REFERENCES
  2.1 Referenced Publications
3 ACRONYMS AND DEFINITIONS
4 SIL VERIFICATION RESPONSIBILITIES
5 SIS DESIGN Coupled to SIL VERIFICATION PROCESS
  5.1 Overview of SIF Design Tasks
    5.1.1 Review of SIF Component Selection
    5.1.2 Unique Design Requirements Required for SIL Verification
    5.1.3 Documentation of Design through SIL Verification
  5.2 SIL Verification Overview
    5.2.1 SIL Verification SIF Level Selections
    5.2.2 SIL Verification SIF Parts Selections
    5.2.3 SIL Verification Sensor Component Selections
    5.2.4 SIL Verification Logic Solver Selections
    5.2.5 SIL Verification Final Element Selections

1 OBJECTIVES

SIL Verification is a formal process that uses the conceptual design results to perform a reliability evaluation of that conceptual design. The SIL verification is performed using the online tool located at ProSIS-FSE > SIL Calculator. The result of the SIL verification is the Achieved Safety Integrity Level (ASIL) for the specific SIF under consideration. As long as the ASIL (Achieved SIL) is greater than or equal to the TSIL (Target SIL), the conceptual design of the SIF is proven sufficient. If the ASIL is lower than the TSIL, the conceptual design will need to be improved.

The Achieved Safety Integrity Level is obtained from two or three separately determined Safety Integrity Levels (PFD, Architecture, and Systematic Capability). Although it is important for engineers to understand that the final ASIL is based on these two (or three) independently determined Safety Integrity Levels, the actual determination of each Safety Integrity Level is done automatically by the online SIL Calculator Tool.

Safety Integrity Level (SIL) is the internationally accepted term for defining the required performance of a Safety Instrumented Function (SIF) in terms of the maximum probability of failure and the minimum level of hardware fault tolerance, as protection against random failures, and for specifying engineering development process requirements as protection against systematic failures. The SIL Calculator tool evaluates all three concepts as defined by the current standards.

The purpose of this guide is to provide guidance on using the SIL Calculator Tool. This document is not intended to provide advice on applying the published industry consensus standards on Functional Safety.

2 REFERENCES

2.1 Referenced Publications

(1) IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, 2003, International Electrotechnical Committee, Geneva, Switzerland
(2) ANSI/ISA 84.00.01-2004 (IEC 61511: Mod), Functional Safety: Safety Instrumented Systems for the Process Industry Sector, 2004, The Instrumentation, Systems, and Automation Society, 67 Alexander Drive, Research Triangle Park, North Carolina 27709
(3) IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, 2000 & 2010, International Electrotechnical Committee, Geneva, Switzerland

3 ACRONYMS AND DEFINITIONS

Acronyms

Act       Actuator
ASIL      Achieved Safety Integrity Level
Amp       Amplifier
Anlg      Analog
BFV       Butterfly Valve
Lvl       Level
Mtr       Meter
MTTR      Mean Time To Restoration
Multi     Multiplexer
Perf      Performance
PFDavg    Average Probability of Failure on Demand
Pneu      Pneumatic
Press     Pressure
PHA       Process Hazards Analysis
SIF       Safety Instrumented Function
SIL       Safety Integrity Level
SILpfd    SIL based on Average Probability of Failure on Demand (PFDavg)
SILarch   SIL based on Architectural Constraints
SILsys    SIL based on Systematic Capabilities
SILcalc   SIL Calculation Online Tool
SIS       Safety Instrumented System
Smrt      Smart
SOV       Solenoid Valve
SRS       Safety Requirements Specification
Srvc      Service
Sw        Switch
Temp      Temperature
TSIL      Target Safety Integrity Level
Tx        Transmitter

Definitions

Achieved Safety Integrity Level (ASIL): The SIL achieved given the SIF's conceptual design; for low demand applications it is the minimum of SILpfd, SILarch, and SILsys.

Safety Instrumented Function (SIF): A function implemented by a Safety Instrumented System that is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event. Each SIF should be designed and tested to meet its target SIL.

Safety Integrity Level (SIL): Discrete level (one out of a possible four) specifying the probability of a SIS satisfactorily performing the required SIF under all of the stated conditions within a stated period of time.

Safety Instrumented System (SIS): A system consisting of one or more SIFs. It consists of sensors, logic solver(s), and final elements.

Target Safety Integrity Level (TSIL): The SIL required of a SIF such that, when this SIF is combined with any non-SIS IPLs, the overall risk associated with the hazardous scenario is adequately reduced.

4 SIL VERIFICATION RESPONSIBILITIES

1. Specify the SIF design in SILcalc
2. Determine reliability data for the components
3. Execute reliability calculations using SILcalc
4. Document results
5. Suggest areas for improvement in case the conceptual design does not meet the Target Safety Integrity Level

5 SIS DESIGN Coupled to SIL VERIFICATION PROCESS

The combined SIF Design and SIL verification process is iterative: a design is created and evaluated, and, if deemed sufficient, finalized. If the design is not sufficient, a re-design needs to take place.

The following flowchart documents the combined Design and SIL Verification process.

FIGURE 1: SIF DESIGN & SIL VERIFICATION PROCESS

5.1 Overview of SIF Design Tasks

For each Safety Instrumented Function (SIF) identified:

1. Review the Safety Requirements Specification and obtain an understanding of the requirements on the SIF that needs to be designed
2. Select the equipment to be used in the SIF
   o IEC 61508 certified equipment is required
   o For proven equipment, documented justification needs to be generated for each equipment item
3. Gather and adhere to the Safety Manuals for all equipment items selected
4. Create the design
   o Select the architecture
   o Specify the test philosophy
   o Identify potential SIF-level diagnostics
5. Document the design

5.1.1 Review of SIF Component Selection

Sensors/Logic Solver/Final Element: All SIF components shall be certified per the requirements of IEC 61508 unless documented justification is created to verify sufficient proven-in-use capability.

5.1.2 Unique Design Requirements Required for SIL Verification

Each SIF shall be designed with the specified equipment to meet the target proof test interval as specified in the SIF SRS. Equipment redundancy in fault tolerant voting configurations (e.g. 1oo2, 2oo3, etc.) may be added as necessary to meet the target SIL and the target proof test interval. Additional diagnostics can be considered whenever practical to reduce redundancy requirements or increase proof test intervals. These may include:

a. Comparison of sensor signals from the same process variable. Deviation alarm credit can be utilized; the assumption is that the deviation alarm is treated as critical and appropriate action is taken within the MTTR.
b. Partial valve stroke testing (PVST) on the final element.
c. Full (full open to full close or vice versa) on-line stroke test of valves.

Based on the SIF component safety manual, the proof tests recommended by the manufacturer, and the proof tests conducted in the field, an appropriate Diagnostic (proof) Test Coverage (DTC) must be determined.

5.1.3 Documentation of Design through SIL Verification

The design decisions are documented through the selections made in the SILcalc SIL verification tool. As part of the design documentation, a SIS Identification (System ID), a SIF Name, and a SIF Tag (SIF ID) should be specified as a minimum. For the documentation of the design it is important to have an understanding of the SILcalc structure, to ensure correct documentation of the design. The SILcalc structure is shown in Figure 2 for normal configurations.
5.2 SIL Verification Overview

A typical SIS consists of sensors which measure process variables (i.e., level, pressure, flow, temperature, etc.), a logic solver, which is configured to recognize hazardous conditions and initiate Critical Safety Actions, and final elements such as solenoid valves, shutdown valves and motors. These final elements are driven by the logic solver to eliminate the unwanted process condition that, if not corrected, would lead to a hazardous condition. They are the minimum needed to bring the process to the safe state.

Since the design is documented in the SILcalc SIL verification tool, the process of SIL verification is rather trivial, but it involves the following:

1. Determine all input information
   a. General information, like ISA Architectural Constraints requirements, MTTR, etc.
   b. Failure rate data
2. Compare the Achieved Safety Integrity Level with the Target Safety Integrity Level
3. Suggest areas for improvement in case the conceptual design does not meet the Target Safety Integrity Level
4. Document results

In the Design step, the Safety Instrumented Function is documented in SILcalc; this means that voting arrangements and equipment item selections have already been made. The following provides an overview of the required input information.

5.2.1 SIL Verification SIF Level Selections

This information applies to the entire Safety Instrumented Function.

Input for ISA 84 Architectural Constraints Determination: If any of the SIF components (Sensor, Logic Solver, or Final Element) has ISA selected, the 5 user selections will be available. Otherwise, the user selections will be unavailable.

Consider IEC 61508 Systematic Capability: The Systematic Capability as defined in IEC 61508 can be considered. If Yes is selected, the final Achieved SIL will reflect the overall SIF Systematic Capabilities; the Achieved SIL will be limited to the Systematic Capability of the SIF. If Yes is selected, the Sys. Cap. Prior Use selection becomes available for the SIF Parts.

MTTR: The Mean Time To Restoration (MTTR) indicates the average time it will take to repair a diagnosed fault. Enter a value between 10 and 100.

5.2.2 SIL Verification SIF Parts Selections

This information applies to selections common to the Logic Solver part, the Sensor part and the Final Element part. The design will consist of up to four sensor groups and up to four final element groups. The voting between these groups should already have been specified during the design phase. As part of the SIL verification step, the common cause / beta factor between the various groups needs to be established.

100% TI: This is also referred to as the Mission Time. The Mission Time is the interval at which the SIF components are brought to a like-new state. This is also considered the period over which the SIF parts will operate. Enter a value between 1 and 30 years.

Architectural Constraints: Architectural constraints can be considered. IEC 61508:2010 can be utilized for SIL Certified (designed to IEC 61508) sensors, logic solvers, and final elements, as this provides the most appropriate evaluation of hardware redundancy. IEC 61511/ISA 84 (ISA) can be considered for SIF components not designed to IEC 61508 standards or where SIL Certified devices are not used. The standards allow the practitioner to use either one (IEC 61508 or ISA).

Beta %: Indicates the percentage of failures of an equipment item that is susceptible to a common cause failure if the equipment item is used in a redundant architecture. The beta factor is not applicable to non-redundant configurations. User selections are 0 to 10% in 1% increments.

Proof Test Coverage (DTC) %: Required to account for imperfect testing methods. Enter a value between 10 and 100 in increments of 1.

TI (Mo.): Indicates the frequency in months at which the imperfect test (DTC %) will take place. This test interval cannot exceed the 100% TI. Enter a value between 1 and 360 months.

Sys. Cap. Prior Use: If Systematic Capabilities is selected as Yes (see 5.2.1), then the user can select from the following:
- N/A: selected if you do not want to consider Systematic Capabilities for this SIF part.
- Certified Device Claim: selected if SIL certified devices are used and the certification states the Systematic limit (1, 2, or 3).
- 1, 2, or 3: selected if you are claiming Prior Use; select the highest SIL level at which you want to use the device in a SIF.
- 1/2: selected if you are claiming Prior Use; the maximum allowable for a single (simplex) SIF component is SIL 1. If the architecture is N+1 (2) or greater, the SIL is limited to SIL 2.
- 2/3: selected if you are claiming Prior Use; the maximum allowable for a single (simplex) SIF component is SIL 2. If the architecture is N+1 (2) or greater, the SIL is limited to SIL 3.

Sensor/FE KooN Voting: The practitioner can input values if KooN is selected on the Solver voting section. For K enter a value between 1 and 100. For N enter a value between 1 and 100.

Component Voting (Level 1): Group voting level 1. Select from the drop down: 1oo1, 1oo2, 2oo2, 1oo3, KooN, etc.

5.2.3 SIL Verification Sensor Component Selections

This information applies to the sensor selections. The practitioner will select the SIF components and details specific to the SIS application software and alarming. Selections made here can further improve the PFD results.

Sensor Alarm (O/U): If any of the sensors selected are analog, this applies if the fail low/high failure rate data is defined. Select Over Range if the transmitter failure state is set to High. Select Under Range if the transmitter fail state is set to Low.

PLC Alarm: If any of the sensors selected are analog, select Yes if the logic solver application software is configured to alarm on the above sensor alarm. Otherwise select No.

Alarm Vote to Trip: If the logic solver application program considers the fault as a trip, set to Yes. Set to No if the logic solver application program is not configured to detect a transmitter failure. The fail state direction is defined in Sensor Alarm O/U (see above).

SIF Trip H/L: If the SIF is protecting against a high process condition, select High. If the SIF is protecting against a low process condition, select Low.

Dev Alarm: The standard allows additional diagnostic credit if there is more than one device measuring the process variable. If there is an alarm that compares multiple sensors and an alert is annunciated when the sensor values deviate by some amount, select Yes. If not, select No.

Deviation Alarm Coverage: If Dev Alarm is set to Yes, enter a value between 10 and 100. The value represents the percentage of the Dangerous Undetected failures that are detected by the deviation alarm.

5.2.4 SIL Verification Logic Solver Selections

There are no specific Logic Solver selections other than selecting the type of solver being used.

5.2.5 SIL Verification Final Element Selections

This information applies to the final element selections. The practitioner will select the SIF final element components and details specific to the final element. Selections made here can further improve the PFD results.

Component Voting (Level 2): This is the minimum number of final element components that are required to bring the process to a safe state. Select from 1oo1, 1oo2, 2oo2. See Component Voting (Level 1) under 5.2.2.

Trip Position: Select Close if the final element trip state is closed. Select Open if the final element trip state is open.

Valve - Tight Shutoff: Select Yes if the hazard will not be mitigated if seat leakage occurs. Select No if leakage through the valve will not result in a safety event.

Valve - Service: Generally valves are specified to meet the process conditions (Clean). Severe service may be considered if the valve will be operating at an upper or lower design limit that can adversely affect the performance of the valve. If this is the case, select Severe.
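To show how the inputs of 5.2.1 through 5.2.3 (MTTR, 100% TI, beta, DTC, TI, KooN voting, Sys. Cap. Prior Use, Deviation Alarm Coverage) combine into a PFDavg and an ASIL, the following Python is an added illustration written for this guide; it is not the SILcalc tool's own code, and it uses the simplified low-demand KooN equations of ISA TR84.00.02 / IEC 61508 generalized beyond the 1oo1/1oo2/2oo2/1oo3 list above. The failure rate, the MTTR unit (hours), the 730 h month and the SILarch value are constructed assumptions.

```python
from math import comb

HOURS_PER_MONTH = 730.0          # 12 months = 8760 h = one year
HOURS_PER_YEAR = 8760.0

def sil_from_pfd(pfd_avg):
    """Low-demand SIL band (IEC 61508-1): SIL n when 1e-(n+1) <= PFDavg < 1e-n; 0 = none."""
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd_avg >= lower:
            return sil if pfd_avg < 1e-1 else 0
    return 4                     # below 1e-5 is capped at SIL 4

def voted_pfd(k, n, lam, interval_h, beta):
    """Simplified PFDavg of a KooN group for one failure class (rate lam per hour, revealed
    every interval_h hours): m = n-k+1 failures defeat the group, giving the independent
    term C(n,m)*((1-beta)*lam*T)^m/(m+1) plus common cause beta*lam*T/2 (none for 1oo1)."""
    if n == 1:
        return lam * interval_h / 2
    m = n - k + 1
    indep = comb(n, m) * ((1 - beta) * lam * interval_h) ** m / (m + 1)
    return indep + beta * lam * interval_h / 2

def group_pfd(k, n, lam_du, beta, dtc, ti_months, mission_years, mttr_h, dev_coverage=0.0):
    """PFDavg of one sensor or final-element group from the guide's inputs. lambda_DU is
    split into failures revealed by the deviation alarm (down for MTTR on average), found
    by the imperfect proof test every TI, and found only at the 100% TI (mission time).
    Approximation: cross terms between the three classes are neglected."""
    lam_dd = dev_coverage * lam_du           # Deviation Alarm Coverage % of DU failures
    lam_rest = lam_du - lam_dd
    lam_tested = dtc * lam_rest              # Proof Test Coverage (DTC) %
    lam_untested = lam_rest - lam_tested
    return (voted_pfd(k, n, lam_dd, 2 * mttr_h, beta)    # lam*(2*MTTR)/2 = lam*MTTR
            + voted_pfd(k, n, lam_tested, ti_months * HOURS_PER_MONTH, beta)
            + voted_pfd(k, n, lam_untested, mission_years * HOURS_PER_YEAR, beta))

def prior_use_limit(claim, hft):
    """Sys. Cap. Prior Use selection (5.2.2): '1/2' and '2/3' allow one SIL more when the
    architecture is N+1 or better (hft >= 1); None means no limit (N/A)."""
    if claim == "N/A":
        return None
    if claim in ("1", "2", "3"):
        return int(claim)
    simplex, redundant = (int(c) for c in claim.split("/"))
    return redundant if hft >= 1 else simplex

def achieved_sil(sil_pfd, sil_arch, sil_sys=None):
    """ASIL is the minimum of SILpfd, SILarch and SILsys (section 3 definition)."""
    return min(s for s in (sil_pfd, sil_arch, sil_sys) if s is not None)

# Constructed case: pressure transmitters with lambda_DU = 2e-6/h, beta 5 %, DTC 90 % every
# 12 months, mission time 20 years, MTTR 24 h (unit assumed), deviation alarm covering 80 %.
SENSOR_CASE = dict(lam_du=2e-6, beta=0.05, dtc=0.9, ti_months=12,
                   mission_years=20, mttr_h=24, dev_coverage=0.8)

def verify(k, n, sil_arch, prior_use_claim, **params):
    """Return (PFDavg, SILpfd, SILsys, ASIL); SILarch is an input here, SILcalc derives it."""
    pfd = group_pfd(k, n, **params)
    sil_pfd = sil_from_pfd(pfd)
    sil_sys = prior_use_limit(prior_use_claim, hft=n - k)
    return pfd, sil_pfd, sil_sys, achieved_sil(sil_pfd, sil_arch, sil_sys)

def run_sensor_case(k, n):
    """Evaluate the case for KooN; deviation-alarm credit needs more than one sensor."""
    params = dict(SENSOR_CASE, dev_coverage=SENSOR_CASE["dev_coverage"] if n > 1 else 0.0)
    return verify(k, n, sil_arch=3, prior_use_claim="2/3", **params)

if __name__ == "__main__":
    for k, n in ((1, 1), (1, 2), (2, 3)):
        pfd, s_pfd, s_sys, asil = run_sensor_case(k, n)
        print(f"{k}oo{n}: PFDavg={pfd:.2e} SILpfd={s_pfd} SILsys={s_sys} ASIL={asil}")
```

With these inputs the simplex group lands in SIL 1 and the 1oo2 group in SIL 3, which is the kind of comparison the guide's redesign loop (section 5) is built around.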
