IEC61508 and Applications for Protection of … FUNCTIONAL SAFETY...SENSONICS KEEPING INDUSTRY TURNING Overview • About Sensonics • What is IEC 61508? • Safety Integrity Levels

SENSONICS

IEC61508 and Applications for Protection of Rotating Machinery.

Presented by

Russell King

SENSONICS

KEEPING INDUSTRY TURNING

Overview

• About Sensonics

• What is IEC 61508?

• Safety Integrity Levels

• Protection of Rotating Machines

• Life Cycle Activities

SENSONICS

Situated in the UK and founded in 1978, SENSONICS has nearly 30 years experience in

the design, manufacture and installation of Condition Monitoring & Protection equipment.

SENSONICS

Products & Competencies

• Turbine Supervisory Systems

• Machine Condition Monitoring

• Plant Protection Systems

• Nuclear Infrastructure Protection

• Structural Monitoring Solutions

• Accelerometer, Displacement & Seismic Transducers

• Turn-Key Design, Manufacture Installation and Commissioning & Project Support

SENSONICS


Overview

• About Sensonics





SENSONICS


IEC61508 Definition

“Functional safety of electrical / electronic & programmable electronic safety – related systems”

• Prevention and control of dangerous failures

• Provides a risk based process for determining the required performance

• The standard can be used across all industries and applications

• Internationally recognised

IEC61511 is specific to the process industry

• Utilises simplified Life-cycle model

• Process Industry Based Terminology

SENSONICS


What is a safety – related system?

Purpose :-

• To prevent injury and loss of life

• To protect and minimise damage to plant assets

Safety Instrumented Systems will typically consist of the following elements:-

• Sensors

• Signal Processing

• Logic Resolvers

• Communication Interface

• Actuators

SENSONICS


Example Safety – Related Systems

• Railway signalling system

• Crane safe load indicator

• Turbine Overspeed protection system

• Anti-Lock brakes

• Machine Guard Interlocks

• Emergency shutdown systems

SENSONICS


What is a dangerous failure?

• Incorrect or weak equipment specification

• Random failures in hardware

• Systematic failures of hardware and software

• Human error

• Environmental influences

• Supply system disturbances

The Safety Integrity Level dictates the approach and level of design mitigation against the known failures of the system

SENSONICS


Overview

• About Sensonics





SENSONICS


Safety Integrity Levels

System is specified to a Safety Integrity Level

• SIL 1 – 4

Note : A SIL can only apply to a the safety function of a system – and not a standalone piece of equipment.

• SIL – 1, injury to persons or damage to property

• SIL – 2, serious injury or damage resulting in shutdown

• SIL – 3, life – threatening or extensive operational shutdown

• SIL – 4, Multiple loss of life or plant destruction

Applies for loss of revenue scenarios

SENSONICS


SIL Relationship to Failure

1. Continuous Safety Process (High Demand System)

2. Low Demand Safety Related System

IEC61508 specifies the following integrity ratings

PFD = Probability of Failure on Demand (=Risk Reduction)

>=10-5 to <10-4>=10-5 to <10-4SIL 4

>=10-2 to <10-1>=10-2 to <10-1SIL 1

>=10-3 to <10-2>=10-3 to <10-2SIL 2

>=10-4 to <10-3>=10-4 to <10-3SIL 3

High DemandFailure Rate p.a.

Low Demand PFD

SENSONICS


SIL Relationship to Redundancy and SFF

IEC61508 specifies the following redundancy & SFF requirements

SFF – Safe Failure Fraction (Determined From FMEA)

(Ratio of safe plus detected dangerous failures to total failure rate)

HFT – Hardware Fault Tolerance or Redundancy

SIL3

SIL2

SIL1

-

HFT=0 (B)Single Channel

SIL2 SIL1<60%

SIL4SIL4>99%

SIL4SIL390-99%

SIL3SIL260-90%

HFT=2 (B)Dual Redundancy

HFT=1 (B) Redundant Channel

SFF

SENSONICS


SIL Relationship to Redundancy and SFF

Safety Related Subsystems are categorised in to Type A and B.

• Type A – Failure modes and behaviour fully understood plus dependable field failure data

• Type B – Doubt in any of the above

SIL3

SIL3

SIL2

SIL1

HFT=0 (A)Single Channel

SIL3 SIL2<60%

SIL4SIL4>99%

SIL4SIL490-99%

SIL4SIL360-90%

HFT=2 (A)Dual Redundancy

HFT=1 (A) Redundant Channel

SFF

SENSONICS


Overview

• About Sensonics





SENSONICS


Protection of Rotating Machines

Sensonics experience is in safe shutdown through vibration, expansion and speed measurements.

Two main outcomes to consider

• Failure to Trip (Safety)

• Spurious Trip (Process / Financial)

Consider the following instrumentation set up.

Shutdown Level

SENSONICS


Failure Mode and Effect Analysis

Shutdown Level

Breakdown System to key sub-systems

For each subsystem component determine the following for required ‘Effects’ (i.e. Fail to Trip & Spurious Trip):-

• Failure rate including environmental factors

• Failure Mode

• Diagnostic Coverage of Failure Mode

SENSONICS


Vibration Transducer Analysis

Failure Mode And Effect Analysis Considerations

C1 - O/C

Fail to Trip

C2/C3 - O/C

Spurious Trip

TR1 - All

Fail to TripC6 - O/C

Fail to Trip

SENSONICS


Vibration Transducer Analysis

FMEA Analysis – MTBF’s calculated for

• Safe Failures

• Unsafe Failures Detected

• Unsafe Failures Undetected

PZS4 Accelerometer

• Failure to Trip (MTBF) 298 years

• Diagnostic Cover 22.5%

• SFF 32.5%

• Spurious Trip (MTBF) >5000 years

Overall Component MTBF – 260 years

SENSONICS


Protection Monitor Analysis

Failure Mode And Effect Analysis Considerations

Monitor

Personality Display Interface

Fail to MoveRelay

SpuriousRelay Trip

Fail to BreakContact

SENSONICS


Protection Monitor Analysis

Monitor consists of three assemblies – analysis is carried out on each –individual results are combined.

DN2611 Protection Monitor

FMEA Analysis Results

Failure to Trip (MTBF) 200 years

Diagnostic Cover 19%

SFF 79%

Spurious Trip 185 years

Overall MTBF – 53 years

SENSONICS

Hardware Configurations

The SFF’s, Diagnosed and Undiagnosed failure rates have now been calculated for the key system elements. Now consider the following simplex hardware configuration (HFT=0).

PFDs = λ1 MTTR + λ2 T/2

λ1 = Diagnosed Failures, λ2 = Undiagnosed Failures

MTTR = Repair Time, T = Proof test interval

PFDs = 0.16E-6 x 24hrs + 0.58E-6 x 8760hrs / 2

= 2.6 x 10-3 with SFF of 68%

MonitorTransducer

SENSONICS


SIL Relationship to PFD, Redundancy and SFF

SIL3

SIL2

SIL1

-


SIL2 SIL1<60%

SIL4SIL4>99%

SIL4SIL390-99%

SIL3SIL260-90%



SFF

>=10-5 to <10-4>=10-5 to <10-4SIL 4

>=10-2 to <10-1>=10-2 to <10-1SIL 1

>=10-3 to <10-2>=10-3 to <10-2SIL 2

>=10-4 to <10-3>=10-4 to <10-3SIL 3


Low Demand PFD

SENSONICS

Hardware Configurations

Duplex Hardware configuration (HFT=1).

PFDd = (PFDs)2 + 10%PFDs

= (2.6 x 10-3 )2 + 0.1x2.6 x 10-3

PFDd = 2.7 x 10-4 with SFF of 68%

MonitorTransducer

Transducer Monitor

SENSONICS



SIL3

SIL2

SIL1

-


SIL2 SIL1<60%

SIL4SIL4>99%

SIL4SIL390-99%

SIL3SIL260-90%



SFF

>=10-5 to <10-4>=10-5 to <10-4SIL 4

>=10-2 to <10-1>=10-2 to <10-1SIL 1

>=10-3 to <10-2>=10-3 to <10-2SIL 2

>=10-4 to <10-3>=10-4 to <10-3SIL 3


Low Demand PFD

SENSONICS

TMR Protection Systems

Triple Modular Redundancy utilising 2 of 3 voting.

Applications include:-

• Overspeed Protection

• Valve Position Control

PFDt = 3x(PFDd)

HFT = 2

Significantly reduces risk

of spurious trip!

(MTBF)2 /(6x MTTR)

SENSONICS



SIL3

SIL2

SIL1

-


SIL2 SIL1<60%

SIL4SIL4>99%

SIL4SIL390-99%

SIL3SIL260-90%



SFF

>=10-5 to <10-4>=10-5 to <10-4SIL 4

>=10-2 to <10-1>=10-2 to <10-1SIL 1

>=10-3 to <10-2>=10-3 to <10-2SIL 2

>=10-4 to <10-3>=10-4 to <10-3SIL 3


Low Demand PFD

SENSONICS

Field Data Effect

An established product with several years of field reliability statistics in a broad range of applications can enhance the SIL rating.

PZS4 accelerometer - Calculated MTBF of 260 years.

This product has a large field installation and returns indicate a failure rate of 0.22 failures per Mhrs. The FMEA predicted 0.38 failures per Mhrs.

DN2611 has a demonstrated failure rate of 1.5 failures per Mhrs. The FMEA predicted 2.16 failures per MHrs.

Established field data of this kind can enhance system from Type B to Type A and therefore increase SIL rating by ONE

SENSONICS


Overview

• About Sensonics





SENSONICS

Life Cycle Activities

“The necessary activities involved in the implementation of safety critical systems”

Note: - Its starts at the concept and finishes after system decommissioning

• Quality System Enhancements

• Capture of requirements in overall business process

• Project Requirements

• Activities specific to project

SENSONICS

Quality System Enhancements

Achieved through extending the existing ISO9001-2000 quality management system.

• Contract and Project review processes

• External Safety Authority

• Internal Competency Register

• Change Control & Corrective Action

• Vendor / Subcontract Management

• Internal Audit Program

SENSONICS

Project Specific Tasks

Project operated under the extended quality system with structured set of activities.

• Hazard and Risk Assessment (SIL Targeting)

• Functional Design Specification to meet above Targeting

• Quality and Safety Plan

• Independent Assessment Reports

• Hardware FMEA

• Software Analysis

Assessed byRating

Independent OrgSIL 4

Independent DeptSIL 3

Independent PerSIL 2

Independent PerSIL 1

SENSONICS

Project Specific Tasks (Cont)

• Validation Plan

• Test Specifications (User Interface!)

• Environmental

• EMC Directive

• Installation and Commissioning

• Operations and Maintenance Strategy

• Functional Safety Audit

SENSONICS

Thank you for your time

Any questions?

Please contact Sensonics

Documents

IEC61508 and Applications for Protection of … FUNCTIONAL SAFETY...SENSONICS KEEPING INDUSTRY TURNING Overview • About Sensonics • What is IEC 61508? • Safety Integrity Levels