1

VU

T 6

.4.2

006

Funkční bezpečnost elektrických přístrojů

souvisejících s bezpečností

2

VU

T 6

.4.2

006

Funkční bezpečnost

Část celkové bezpečnosti týkající se EUC a systému řízení EUC závislá na správném fungování E/E/EP systémů souvisejících s bezpečností, systémech souvisejících s bezpečností založených na jiných technických principech a vnějších prostředcích pro snížení rizika

ČSN EN 61508-4

3

VU

T 6

.4.2

006

4

VU

T 6

.4.2

006

Mechanical Safety Action (if available)

Plant Shut-down

Wild Process parameter

High Control level

High Alarm level

Time

If Operator takes action

Certain Processparameter value Low Control level

Normal behavior

DCS Functionality

Process.

5

VU

T 6

.4.2

006

Mechanical Safety Action (if available)

Plant Shut-down

Wild Process parameter

High Control level

High Alarm level

ESD controlledTrip level

Time

If Operator takes action

Certain Processparameter value

Safety InstrumentedSystem Functionality

Low Control level

Normal behavior

DCS Functionality

Safety System.

6

VU

T 6

.4.2

006

Have You Been Asked This?

“How can you demonstrate that you are safe?”

‘Regulator’

7

VU

T 6

.4.2

006

Safety Issues for End User / Operators

• How do you demonstrate that your operations are ‘safe’?

• How do you demonstrate that your equipment is ‘safe’?

• How do you demonstrate that your safety and protective systems protect against your hazards?

You can answer these questions by demonstrating compliance with Industry Safety Standards

IEC61508 - Functional safety of electrical/electronic/programmable electronic

safety-related systems

8

VU

T 6

.4.2

006

What is IEC61508?

• An international standard relating to the Functional Safety of electrical / electronic / programmable electronic safety related systems

– Mainly concerned with E/E/PE safety-related systems whose failure could have an impact on the safety of persons and/or the environment

– Could also be used to specify any E/E/PE system used for the protection of equipment or product

• It is an industry best practice standard to enable you to reduce the risk of a hazardous event to a tolerable level

VU

T 6

.4.2

006

Technologies Concerned

• E Electrical• electro-mechanical / relays / interlocks

• E Electronic• solid state electronics

• PES Programmable Electronic Systems• Programmable Logic Controllers

(PLC’s);• Microprocessor based systems• Distributed Control Systems• Other computer based devices

(“smart” sensors / transmitters / actuators)

VU

T 6

.4.2

006

Features

• Generic Standard

• Guidance on the use of E/E/PES

• Comprehensive approach involving concepts of Safety Lifecycle and includes all elements of the protective system

• Risk-based approach leading to determination of Safety Integrity Levels (S.I.Ls)

• Considers the entire Safety Critical Loop

11

VU

T 6

.4.2

006 Generic and Application Sector Standards

IEC61508

IEC61511 :Process Sector

Medical SectorIEC61513 :

Nuclear Sector

IEC62061 : Machinery Sector

VU

T 6

.4.2

006 IEC61511

Functional Safety

Safety instrumented systems

for the

Process industry sector

13

VU

T 6

.4.2

006

IEC 61511

“FUNCTIONAL SAFETY: SAFETY INSTRUMENTED SYSTEMS FOR THE PROCESS INDUSTRY SECTOR”

14

VU

T 6

.4.2

006

Industries

Applies to a wide variety of industries across the process sector

Including:

Chemicals

Oil refining

Oil and gas production

Pulp and paper

Non-nuclear power generation

Pharmaceuticals / Fine Chemicals

15

VU

T 6

.4.2

006

Scope

• Process (chemicals, oil & gas, paper, non-nuclear power generation)

• End-to-end safety instrumented system (SIS) - h/w, s/w, mgt. and human factors

• Full safety lifecycle - specification, design, integration, operation, maintenance

• Intended for integrators / users– not for equipment designers / vendors

16

VU

T 6

.4.2

006

Structure

IEC 61511 – Structure

Part 1 – “Framework, definitions, system, hardware and software requirements”.

Part 2 – “Guidelines for the application of IEC 61511-1”.

Part 3 – “Guidance for the determination of safety integrity levels”.

Normative

Informative

17

VU

T 6

.4.2

006

IEC 61511

TITLE - “Functional Safety – Safety Instrumented Systems for the Process Industry sector”

• This international Standard gives requirements for

the specification, design, installation, operation and

maintenance of a safety instrumented system, so

that it can be confidently entrusted to place and/or

maintain the process in a safe state.

• This standard has been developed as a process sector implementation of IEC 61508.

VU

T 6

.4.2

006

Relationship IEC 61511 & IEC 61508

VU

T 6

.4.2

006

Relationship IEC 61511 & IEC 61508

20

VU

T 6

.4.2

006

Similarities (IEC 61508 - IEC 61511)

• Whole safety lifecycle– Concept, Hazard & Risk Analysis and Design– through operation & maintenance to eventual

decommissioning• Safety requirements specification• Safety integrity levels (SIL 1 to 4)• End-to-end system

– (Sensor via Logic to Actuator)• Hardware reliability analysis (PFD)• Management of functional safety• Architectural constraints (fault tolerance)

21

VU

T 6

.4.2

006

Key Differences IEC 61511 (IEC 61508)

• Terminology– Process (EUC)– Basic Process Control System (EUC Control

system)– Safety Instrumented System (E/E/PE S-R-S)– Safety Instrumented Function (Safety function)

• Presentation– less rigorous than IEC 61508– more guidance (especially in Parts 2 & 3)

22

VU

T 6

.4.2

006

Overall Installation& Commissioning

11

2

External RiskReductionFacilities

Overall Scope Definition

Realisation

1 Concept

3 Hazard Risk Analysis

4 Overall Safety Requirements

Safety RelatedSystems:

E / E / PES

12

Realisation

Overall Planning

Safety RelatedSystems:

OtherTechnology

Realisation

10

OverallInstallation &

CommissioningPlanning

OverallValidationPlanning

OverallOperation &Maintenance

Planning

8

9

76

Safety Requirements Allocation5

Back to appropriateOverall Safety Lifecycle

Phase

15

16 Decommissioning

13 Overall Safety Validation

Overall Operation & Maintenance14 Overall Modification & Retrofit

Overall Safety Lifecycle in IEC 61508

23

VU

T 6

.4.2

006

IEC 61508 - ownership of phases

PRE-DESIGN

(Phases 1 to 5)

OPERATION

(Phases 14 to 16)

DESIGN AND INSTALLATION(Phases 6 to 13)

End user / operator

End user / operator

Engineering Contractors/ Equipment

Supplier

24

VU

T 6

.4.2

006

Pre-Design : Phases 1 - 5

1 : Concept

2 : Overall Scope Definition

3 : Hazard Risk Analysis

4 : Overall Safety Requirements

5 : Safety Requirements

Allocation

Can you demonstrate that you have identified all your hazards?

Can you demonstrate that you are using adequate and correct methods of hazard protection?

25

VU

T 6

.4.2

006

Design & Implementation : Phases 6 - 13

Overall Planning

6 : Overall Operations and Maintenance Planning

7: Overall Validation Planning

8: Overall Installation & Commissioning Planning

9 : Safety Related

Systems : E/E/PES

12 : Overall Installation & Commissioning

13 : Overall Safety Validation

10 : Safety Related

Systems : Other

Technology

11 : External Risk

Reduction Facilities

How do you ensure competencies for all these activities?

Can you demonstrate that you pass the necessary information into these activities?

Can you demonstrate that all necessary information has been passed to you from these activities?

26

VU

T 6

.4.2

006

Operation : Phases 14 - 16

14 : Overall Operations and

Maintenance

15 : Overall Modification and

Retrofit

16 : Decommissioning

Can you demonstrate that you maintain / test / analyse your protective systems correctly?

Can you demonstrate that you are in control of your modification process?

27

VU

T 6

.4.2

006

Supply Chain

IEC

615

11

IEC

615

08 Requirement

SpecificationCommissioning

and Use

End User

System Designer –Integrator

Sub-systemDesigner

ComponentManufacturer

VU

T 6

.4.2

006

Risk

29

VU

T 6

.4.2

006

What is Risk?

• The probable rate of occurrence of a hazard causing harm

AND

• the degree of severity of the harm

– Qualitatively - Words

– Quantitatively - Figures

VU

T 6

.4.2

006

Risk cannot be justified except in extraordinary circumstances

Tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained

Necessary to maintainassurance that riskremains at this level

Unacceptable region

Broadly acceptable region

Negligible risk(No need for detailed working to demonstrate ALARP)

The ALARP or Tolerability region

As the risk is reduced the less, proportionately, it is necessary to spend to reduce it further. The concept of diminishing proportion is shown by the triangle.

(Risk is undertaken only if a benefit is desired)

Levels of Risk and ALARP(As Low As Reasonably Practicable)

31

VU

T 6

.4.2

006

32

VU

T 6

.4.2

006

Risk reduction: General concepts

Increasingrisk

Risk to meet Level of Safety

Plant Under Control risk

Necessary minimum risk reduction

Actual risk reduction

Risk reduction achieved by all protective systems & External Risk Reduction Facilities

Actual riskremaining

Partial risk covered by E/E/PES

protective systems

Partial risk covered by Other Technologysafety-related systems

Partial risk covered by External Risk

Reduction Facilities

33

VU

T 6

.4.2

006

SENSOR ACTUATORPROGRAMMABLE ELECTRONICS

Equipment (plant) Under

Control (EUC)

PESRS

Extent of Safety Related System

VU

T 6

.4.2

006

What is a Safety Related System (SRS) ?

• Any system that implements safety functions necessary to achieve a safe state for the “Equipment Under Control”, or to maintain it in a safe state.

Examples

VU

T 6

.4.2

006

Hazard Identification and Risk Analysis

A typical Methodology for Hazard Identification and Risk Analysis

(by the end user)

• Hazard studies and HAZOPs• Evaluate possible consequences• Establish tolerable frequencies vs ALARP• Build event chain• Estimate demand rates• Define protection required• Specify required SIL

VU

T 6

.4.2

006

“ Failure categories” in IEC 61508

• A = Random Hardware Failures

OR

• B = Systematic Failures

• specification;

• systematic hardware;

• software;

• maintenance;

• all failures that are not random

AB

VU

T 6

.4.2

006

Safety Integrity Level SIL

SAFETY INTEGRITY

LEVEL (SIL)

LOW DEMAND MODE OF OPERATION

(Probability of failure to perform its

designed function on demand)

CONTINUOUS/HIGH DEMAND MODE OF OPERATION (Probability of one dangerous failure per hour)

4 >= 10-5 up to < 10-4 >= 10-9 up to < 10-8 h-1

3 >= 10-4 up to < 10-3 >= 10-8 up to < 10-7 h-1

2 >= 10-3 up to < 10-2 >= 10-7 up to < 10-6 h-1

1 >= 10-2 up to < 10-1 >= 10-6 up to < 10-5 h-1

PFD PFHProbability of Failure on

DemandProbability of Failure per

Hour

38

VU

T 6

.4.2

006

Risk and Determination of Safety Integrity Levels

Basic

Design

Unacceptable

NoProtection

SIL 4SIL 3SIL 2SIL 1

Incr

easi

ng S

ever

ity

Increasing Likelihood

39

VU

T 6

.4.2

006

Risk Reduction Requirements

Safety Integrity Level

Risk Reduction

1 10-100

2 100 – 1,000

3 1,000 – 10,000

4 10,000 – 100,000

40

VU

T 6

.4.2

006

Reliability, Failure Rate and Availability at each level

SIL 1

SIL 2

SIL 3

SIL 4

Reliability Probability of failure on demand

Trip Unavailable (per year)

90% - 99% 0.1 to 0.01 876 to 87.6hrs

99% - 99.9% 0.01 to 0.001 87.6 to 8.76hrs

99.9% - 99.99%

0.001 to 0.0001 8.76hrs to 52.6 mins

99.99% - 99.999

%

0.0001 to 0.00001 52.6 mins to 5.3 mins

41

VU

T 6

.4.2

006

Protective System Technology

Standard components, single channel or twin non-diverse channelsSIL 1

Standard components, 1 out of 2 or 2 out of 3, possible need for some diversity. Allowance for common-cause failures needed

SIL 2

Multiple channel with diversity on sensing and actuation. Common-cause failures a major consideration. Should rarely be required in Process Industry

SIL 3

Specialist design. Should never be required in the Process IndustrySIL 4

VU

T 6

.4.2

006

Determined to achieve the correct SIL level...

VU

T 6

.4.2

006

• Various methods available:• Qualitative risk graph• Calibrated risk graph (methodology only –

not definitive)• Layer Of Protection Analysis (LOPA)• Hazardous event severity Matrix • Quantified Risk Analysis (QRA)

• Which one to use? Develop your own?

SIL assessment

VU

T 6

.4.2

006

Calculation of PFDAVG

35% of PFDAvg SE

15% of PFDAvg LS

50% of PFDAvg FE

Distribution of the Failure Measures

35 % Sensors + 15 % Logic solver + 50 % Final elements

VU

T 6

.4.2

006

35 % 15% 50%

PFD-figures for a HIMA system, example

VU

T 6

.4.2

006

RC/AK according DIN V VDE 19250SIL according IEC 61508

consequencerisk

parameter

minor injuryno influence

to the environment

possibilityof avoidinghazardous

events

frequency& exposure

time

probability of theunwanted occurrence

very slightrelativelyhigh

slight

dead of 1 personrare

frequent

periodic influenceto the environment

dead toseveral people

permanent influenceto the environment

disaster

rare

frequent

possible

notpossible

possible

notpossible

requirement classes

RC or AK

Safety IntegrityLevels (SIL)IEC 61508

Risk Graph acc. DIN V VDE 19250

VU

T 6

.4.2

006

Concept of layers of protection acc. IEC 61511

PROCESS

CONTROL and MONITORINGBasic process control systems

Monitoring systems (process alarms)Operator supervision

PREVENTIONMechanical protection system

Process alarms with operator corrective actionSafety instrumented control systems

Safety instrumented prevention systems

MITIGATIONMechanical mitigation systems

Safety instrumented control systemsOperator supervision

PLANT EMERGENCY RESPONSEEvacuation procedures

COMMUNITY EMERGENCY RESPONSEEmergency broadcastingLOPA

VU

T 6

.4.2

006

Hazardous event severity Matrix

49

VU

T 6

.4.2

006

Funkční bezpečnost

Část celkové bezpečnosti týkající se EUC a systému řízení EUC závislá na správném fungování E/E/EP systémů souvisejících s bezpečností, systémech souvisejících s bezpečností založených na jiných technických principech a vnějších prostředcích pro snížení rizika