
www.diim.unict.it lcompagn@diim.unict.it ddurso@diim.unict.it ntrapani@diim.unict.it

EFFECTS OF MAINTENANCE MANAGEMENT SYSTEM ON THE SAFETY INTEGRITY LEVEL IN A PETROCHEMICAL PLANT
Prof. Ing. Lucio Compagno, Ing. Diego D'Urso, Ing. Natalia Trapani, Dipartimento di Ingegneria Industriale e Meccanica, Università degli Studi di Catania, Viale Andrea Doria 6, 95125 Catania, Italy
Published in the Proceedings of the 1st International Conference on Maintenance Management, April 14th-15th, 2005, Venice, Italy

KEYWORDS
IEC 61508, Safety Integrity Level, Probability of Failure on Demand, Maintenance.

ABSTRACT
The safety functions in industrial plants are increasingly delegated to electrical, electronic or programmable electronic (E/E/PE) Safety Instrumented Systems (SIS). The international standard IEC 61508 proposes guidelines which can be used to define the requirements for achieving a specified Safety Integrity Level (SIL) and to evaluate the actual availability of a SIS. Many factors influence the SIL value (system configuration, diagnostics, testing and restoration time); the standard proposes simplified formulas for the evaluation of the Probability of Failure on Demand (PFD) of different architectures, but in some cases more detailed analyses are required, because elements such as operability and maintenance requirements cannot be evaluated in a simplified analysis. In order to evaluate the impact of each parameter on PFD, a sensitivity analysis was executed. If a more accurate analysis is required, Monte Carlo simulation used together with Markov analysis can help analysts to evaluate the SIL of complex Safety Instrumented Systems and to identify the best solution to comply with the system safety requirements.

INTRODUCTION
The international standard IEC 61508 provides the basis for the reliability/availability analysis of electrical/electronic/programmable electronic (E/E/PE) Safety Instrumented Systems (SIS). Its publication was completed in the year 2000 and it was adopted as the European standard CEI EN 61508 in the year 2002, showing how important this standard has become in order to keep the plant under control. The standard proposes a safety life-cycle approach from initial concept, through design, implementation, operation and maintenance, to decommissioning (Comitato Elettrotecnico Italiano 2002a), as shown in Figure 1. Hence, a constructive and continuous benchmarking between design, process and maintenance engineers is the only way to comply with the standard.

www.safetyusersgroup.com

Page 1 of 9


Figure 1: IEC 61508 Overall Safety Life-Cycle. Panels: Safety Requirements (1. Concept; 2. Overall Scope Definition; 3. Hazard and Risk Analysis; 4. Overall Safety Requirements; 5. Safety Requirements Allocation); Overall Planning (6. Operation & Maintenance; 7. Validation; 8. Installation & Commissioning); Design of SRS (9. E/E/PES; 10. Other Technologies; 11. External Risk Reduction Facilities); Commissioning, Maintenance & Decommissioning (12. Overall Installation & Commissioning; 13. Overall Safety Validation; 14. Overall Operation & Maintenance; 15. Overall Modification & Retrofit; 16. Decommissioning).

A Safety Instrumented System (Comitato Elettrotecnico Italiano 2002b) is generically made, as shown in Figure 2, of the sensor subsystem, the logic solver subsystem and the final element subsystem. The sensor and the final element subsystems can be further divided into groups: the sensor group can consist of multiple sensors and input interfaces in a number of voting configurations; the final element group consists of redundant output interfaces and actuators.

Figure 2: Subsystems Structure. Sensor subsystem: sensors, input interfaces and sensor group voting; Logic subsystem; Final element subsystem: final element group voting, output interfaces and final elements.

THE IEC 61508 STANDARD GUIDELINES
According to the IEC 61508 Standard Guidelines, the Safety Integrity Study for an existing plant is carried out in three phases (Comitato Elettrotecnico Italiano 2002d):
1. risk classification and definition of the Risk Graph, in order to evaluate the safety requirements of the Safety Instrumented System (required SIL);
2. safety function identification and risk analysis of the interlock loops;
3. reliability analysis of the safety systems and calculation of the actual system PFD.

Annex B of IEC 61508-6 (Comitato Elettrotecnico Italiano 2002e) provides an example of the Reliability Block Diagram (RBD) technique for evaluating the probabilities of hardware failure. In fact, the standard suggests that, even if the Markov model method could be more accurate, in the context of a complete SIL analysis the loss of accuracy due to the use of RBD is not significant, also because of the low confidence in the reliability data (particularly in the failure rates). The proposed method for low demand mode operation is based on the following assumptions:
- component failure rates (λ) are constant over the life of the system;
- for each subsystem there is a single proof test interval (T1) and a single mean time to restoration (MTTR); MTTR is defined to include the time taken to detect a failure, and it is at least one order of magnitude smaller than T1 and smaller than the expected time between demands;
- for each safety function there is perfect proof testing and repair;
- the proof test interval is at least one order of magnitude greater than the diagnostic test interval;
- multiple repair teams are available to work on all known failures;
- the resulting average PFD for a subsystem is less than 10^-1;
- the fraction of failures specified by the diagnostic coverage (DC) is both detected and repaired within the MTTR used to determine the hardware safety integrity requirements.
Some of the preceding hypotheses, particularly the ones referring to maintenance (i.e. perfect proof testing and repair), are not as obvious as they appear. A critical analysis of these hypotheses and of the related results is done in a later paragraph.

PROBABILITY OF FAILURE ON DEMAND
The average probability of failure on demand of a safety function for an E/E/PE Safety Instrumented System is determined by the combination of the average PFD of all its subsystems. Referring to the scheme in Figure 2, the average PFD of the system (PFD_SYS) can be expressed by Equation (1):

$PFD_{SYS} = PFD_S + PFD_L + PFD_{FE}$ (1)

The PFD expression generically depends on down times whose values are related to the diagnostic capability, the proof test interval and the mean time to restoration through Equations (2) and (3):


- the channel equivalent mean down time per hour,

$t_{CE} = (1 - DC)\,\frac{T_1}{2} + MTTR$ (2)

this is the combined down time for all the components in the channel of the subsystem;
- the voted group equivalent mean down time,

$t_{GE} = (1 - DC)\,\frac{T_1}{3} + MTTR$ (3)

this is the combined down time for all the channels in the voted group.

No explanation of Equations (2) and (3) can be found in Annex B of IEC 61508-6, but some authors (Zhang et al. 2003) have shown how different expressions for $t_{CE}$ and $t_{GE}$ can be found using a Markov model. The values of $t_{CE}$ and $t_{GE}$ calculated by Equations (2) and (3) are more conservative than the ones calculated by the Markov model. The overall hardware failure rate $\lambda$ of a channel in a subsystem is the sum of the dangerous failure rate (per hour) $\lambda_D$ and the undangerous (or safe) failure rate $\lambda_S$. These values are assumed to be equal, as shown in Equation (4):

$\lambda_D = \lambda_S = \frac{\lambda}{2}$ (4)

Moreover, dangerous failures are divided into dangerous detected failures, with failure rate $\lambda_{DD}$, and dangerous undetected failures, with failure rate $\lambda_{DU}$. If a diagnostic test is provided for the system, these failure rates can be calculated by Equations (5) and (6):

$\lambda_{DD} = \frac{\lambda}{2}\,DC$ (5)

$\lambda_{DU} = \frac{\lambda}{2}\,(1 - DC)$ (6)

In a multi-channel architecture some failures which result from a single cause may affect more than one channel: these failures are known as common cause failures. The probability of common cause failures contributes to the overall probability of failure and can be considered through the well-established $\beta$ factor model: $\beta$ is the fraction of undetected failures that have a common cause; $\beta_D$ is the fraction of failures that have a common cause and that are detected by the diagnostic tests. Typical values of $\beta$ in the process industries (Simpson et al. 2004) are:
- 5-20% for typical field devices;
- 1-10% for typical logic elements.
There are only few published historical data relating to common cause failures; hence the correct figures of $\beta$ for different components in specific configurations and applications have to be estimated by engineering judgement. Using all the Equations from (2) to (6), the PFD expressions for the different architectures were derived (see Equations (7), (8), (9), (12) and (13)).

Architecture 1-out-of-1 (1oo1)

$PFD = \lambda_D\, t_{CE}$ (7)

Architecture 1-out-of-2 (1oo2)

PFD = {t_CE t_GE [1 + DC( D )]² + ... D DC MTTR + (1 DC)(T1/2 + MTTR)} (8) [only these fragments of Equation (8) survive in the extracted text]

Architecture 1-out-of-2D (1oo2D)
This configuration is similar to a classic redundant 1oo2 architecture, but with two independent diagnostic modules. This means that if the diagnostic test in either channel detects a fault, the output voting is adapted so that the overall output state is given by the correctly operating channel.

PFD = {t'_CE t'_GE (1 )(1 DC)[1 (1 DC) + DC(1 D )] + D DC MTTR + (1 - DC)(T1/2 + MTTR)} (9) [only these fragments of Equation (9) survive in the extracted text]

where:

$t'_{CE} = \frac{1 - DC}{1 + DC}\,\frac{T_1}{2} + MTTR$ (10)

$t'_{GE} = \frac{1 - DC}{1 + DC}\,\frac{T_1}{3} + MTTR$ (11)

Architecture 2-out-of-2 (2oo2)

$PFD = 2\,\lambda_D\, t_{CE}$ (12)

Architecture 2-out-of-3 (2oo3)

PFD = {3 t_CE t_GE [1 + DC( D )]² + ... D DC MTTR + (1 DC)(T1/2 + MTTR)} (13) [only these fragments of Equation (13) survive in the extracted text]

SENSITIVITY ANALYSIS
A deep analysis of the previous Equations was executed in order to identify the parameters which have the greater influence on the PFD values.


In Figure 3 the variations of the PFD values for different values of the failure rate (λ) are shown. These are obviously relevant, but only the design engineers can vary this parameter. The analysis of the diagnostic and maintenance related parameters is more interesting. In Figure 4 the sensitivity analysis of PFD vs MTTR for the different configurations is shown: PFD is very little influenced by the MTTR values, not only in redundant but also in non-redundant configurations (1oo1 and 2oo2). More important is the influence of the Proof Test Interval T1, as shown in Figure 5. For T1 < 17520 h the average PFD values decrease rapidly (according to the standard, values of T1 lower than 4380 h cannot be considered in low demand mode operation).

Figure 3: PFD vs λ for Different Architectures (T1 = 6 months = 4380 h, MTTR = 8 h, DC = 60%, β = 10% where applicable); x-axis: failure rate [1/h]; y-axis: Average PFD [-]; series: 1oo1, 1oo2, 1oo2D, 2oo2, 2oo3.

Figure 4: PFD vs MTTR for Different Architectures (λ = 5,0E-05 h^-1, T1 = 6 months = 4380 h, DC = 60%, β = 10% where applicable); x-axis: MTTR [h] from 4 to 48; y-axis: Average PFD [-]; series: 1oo1, 1oo2, 1oo2D, 2oo2, 2oo3.

Figure 5: PFD vs T1 for Different Architectures (λ = 5,0E-05 h^-1, MTTR = 8 h, DC = 60%, β = 10%); x-axis: Proof Test Interval T1 [h] from 0 to 17520; y-axis: Average PFD [-]; series: 1oo1, 1oo2, 1oo2D, 2oo2, 2oo3.

In Figure 6 the sensitivity analysis of PFD vs Diagnostic Coverage is shown; DC is the ratio of the failure rate detected by the diagnostic tests to the total failure rate of the component or subsystem. Diagnostic Coverage includes only the failures detected by the self-diagnostic tests; it does not include any fault detected by the proof tests.

Figure 6: PFD vs DC for Different Architectures (λ = 5,0E-05 h^-1, MTTR = 8 h, T1 = 6 months = 4380 h, β = 10%); x-axis: DC [%] from 10% to 100%; y-axis: Average PFD [-]; series: 1oo2, 1oo2D, 2oo3.

As shown, even a small variation of the DC factor can deeply influence the PFD value of a group: for example, the spread between the PFD values corresponding to DC = 30% and DC = 90% is one order of magnitude, and the spread between the PFD values corresponding to DC = 90% and DC = 99% is one order of magnitude. These values are not unusual; for example, for electromechanical components DC = 99% is considered a medium value. In Figure 7, at last, the relation between PFD and the common cause β values is shown. The dependence, as shown, is not so strong.

Figure 7: PFD vs β for Different Architectures (λ = 5,0E-05 h^-1, MTTR = 8 h, T1 = 6 months = 4380 h, DC = 60%); x-axis: beta factor [%] from 0% to 20%; y-axis: Average PFD [-]; series: 1oo2, 1oo2D, 2oo3.

Such an analysis can guide the engineers during the review phase of a Safety Integrity Level study. If it is necessary to reduce the average PFD of a subsystem, it is possible to reduce the proof test interval. This can be the simplest but not the most effective solution: the introduction of redundant systems, or the substitution with more reliable components (lower failure rates) which are able to perform self-diagnosis, can be more effective. The correct choice among the different solutions can be made only after an accurate cost-benefit analysis referring to the entire life cycle of the component/subsystem.

THE SAFETY FUNCTION
The IEC 61511 standard (International Electrotechnical Commission 2004) defines the Safety Integrity Level (SIL) as a discrete value (one out of four) for specifying the safety integrity requirements of the safety functions to be allocated to the safety instrumented systems. The higher the SIL, the higher the probability that the safety function is correctly executed and the lower the average Probability of Failure on Demand. In Table 1 the values of SIL corresponding to the average PFD values are reported.

Table 1: Values of SIL and PFD
Safety Integrity Level (SIL)   Average Probability of Failure on Demand (PFD)
1                              10^-1 to 10^-2
2                              10^-2 to 10^-3
3                              10^-3 to 10^-4
4                              10^-4 to 10^-5

The required SIL can only be evaluated knowing the safety functions required of the system. The Safety Function is the function to be implemented by a SIS, by another technology safety-related system or by external risk reduction facilities, which is intended to achieve or maintain a safe state for the process in respect of a specific hazardous event. Such a definition clarifies that each safety function guarantees safety with respect to a specified hazardous event, and that the SIL related to a safety function has to be high if the risk level of the event is high (i.e. severe consequences or high probability of the event causes). Moreover, it is definitively clear that the SIL value is allocated to a safety function and not to the E/E/PE system: more than one safety function can be allocated to each E/E/PE system. In industry practice interlock loops are classified taking into account only the controlled system or the action performed by the loop, but this requires a more detailed analysis of the single loop in order to identify all the dangerous events controlled by the loop: the identification of the safety function is not immediate. For example, in executing the SIL analysis of an alkylation unit (Sola 2005), an interlock loop which performs the compressor blockage was considered: this cannot be considered a safety function as a whole, because there are six events that the loop wants to avoid:
1. liquid entering the first stage of the inlet channel;
2. liquid entering the second stage of the inlet channel;
3. liquid entering the third stage of the inlet channel;
4. very low inlet pressure at the first stage;
5. very high outlet pressure;
6. very high outlet temperature.
For each of these events it is necessary to define a specific safety function characterized by a SIL value: even if there is only one final element, there are different sensors that activate a specific safety function. It was verified that an error in the definition of the safety function can result in an error of 98% in the PFD value.

CRITICAL ANALYSIS OF THE STANDARD
It was already highlighted how many factors can influence the safety of a SIS, like system layout, diagnostics, testing and repair, but there are a lot of other elements that are not considered by the standard. The IEC 61508 standard proposes simplified formulas useful to calculate the Probability of Failure on Demand (PFD) of typical configurations, but the operative practice in industry can greatly modify the real configuration. For example, in practice it is not unusual to bypass safety subsystems which are frequently subject to failures, in order to avoid frequent false trips and to reduce unnecessary downtime. Obviously this solution is not correct: it is necessary to re-engineer the subsystem and to substitute it with a more reliable one, in order to allow the safety function to be correctly executed. The quantitative techniques for PFD evaluation rely on mathematical analysis using certain models, but the data underlying these models are often highly uncertain. As reported above, the simplified analysis uses a single value of failure rate (λ), of proof test interval (T1) and of mean time to restoration (MTTR) for each subsystem, and the related operations are considered perfectly executed. These hypotheses can be briefly discussed in order to highlight some issues.

The failure rate values are the main cause of inaccuracy. For the analysis, values derived from databases were often used which, by their own nature, cannot be adapted to all applications, because the values are derived for too specific applications (SINTEF Industrial Management 2002) or are too general to be accurate. Moreover, not all failures can be considered accidental ones, so the analysis proposed by the standard cannot consider failure modes, such as calibration failures, which have different probability density functions (i.e. a Weibull failure rate). Also the hypothesis that only one mean time to restoration exists for each subsystem could appear severe compared to real industrial practice. Different values should be considered taking into account the overall maintainability of the system, that is on-line or off-line maintenance, accessibility, presence of spare parts, etc. The standard requires that the proof tests are perfectly executed, ensuring that the safety system always works in as-new conditions, but for complex systems a complete test could be impracticable. So some failures are found only when an event occurs which demands the safety function affected by the failure: the time between demands is to be considered in order to evaluate the average PFD, and the proof test interval is to be reduced in order to minimize this problem. Even the standard hypothesis of multiple repair teams (i.e. a team is always available to repair every known failure) may not be respected, hence considering a single value for MTTR could generate inaccurate results. The time to restoration, in the standard, is considered as deriving from an exponential distribution, but some authors do not agree with this hypothesis and suggest a lognormal distribution for the time to restoration. Sometimes, in industry, field devices with self-diagnostic tests are implemented in order to obtain higher safety at lower cost (no redundancy required). If the diagnostic test fails, the only way to reveal a failure is the manual proof test: an accurate analysis of the values attributed to the Diagnostic Coverage is to be executed, and preferably conservative values of DC are suggested. However, self-diagnosing components are not so widely diffused in industry practice. All the previous considerations show how important it is that process engineers, safety system manufacturers and maintenance engineers work as a team in order to definitively establish the correct operative and maintenance practice for the system and to execute an overall life cycle analysis of the Safety Instrumented Systems in a plant.

OTHER RELIABILITY TECHNIQUES
The Equations proposed in the standard are derived by the Reliability Block Diagram (RBD) technique. This method allows sensitivity analysis to be made on the results and can easily identify the weakest elements within the safety system. The results obtained are sufficiently accurate compared to the simplicity of the calculations, but they are not so accurate compared to other techniques such as Markov analysis (Rouvroye and Brombacher 1999). Notwithstanding that this technique is suggested by a number of organizations to model the system as a whole, it can easily be misapplied. In fact, in modelling a redundant repairable system by the Markov method it could be a mistake if cascade repairs are required. If Monte Carlo simulation is used, great attention is required in entering the configuration data, in order to ensure the right system is modelled. Once the model has been correctly set up and all data entered, the computer needs to make a very high number of iterations, and hence runs may take considerable time in order to get a steady state result. Software applications often give only the final result, which makes it difficult to apply sensitivity checks and to identify the weak elements.

SIMULATION
Some simulations, using Monte Carlo simulation and the Markov method, were executed in order to evaluate the SIL of Safety Instrumented Systems in a petrochemical plant. The results for the unique safety function in the Interlock Loop (I-20) are reported in Figure 8. The safety function is the stop of the acid inlet to a drum in its very high level condition.

Figure 8: Components in Interlock Loop I-20 (from P&ID): LSHH-803, PLC, LV-804 on the acid flow G-111 into the Drum. PLC: Programmable Logic Controller.

Analysing Figure 8, it is clear that the critical element, i.e. the element which cannot fail in order to achieve a safe state, is the valve whose closure prevents the acid from entering the drum. The risk analysis (Sola 2005) has shown a required SIL 2 for this safety function (i.e. average PFD from 10^-2 to 10^-3): it is necessary to verify whether this SIL level can be achieved through the actual safety system configuration and, eventually, to highlight the most effective modifications to the system. In Figure 9 the RBD of the Interlock Loop I-20 is shown. For the logic subsystem, which is SIL 3 certified, an average PFD is used which is the mean value of the PFD interval related to SIL 3.

Figure 9: RBD of the Interlock Loop I-20. Sensor subsystem: LSHH-803 (1oo1); Logic subsystem: PLC Triconex; Final element subsystem: LV-804 (1oo1).

Because of the simplicity of the system, by using the RBD it is easy to identify the sensor subsystem, which has the highest failure rate, as the weakest component. The first simulation (SIM-1) was executed using the values shown in Table 2. Exponential probability density functions were used for both the failure rates and the time to restoration.

Table 2: Values of reliability parameters used in SIM-1
Subsystem        λ [10^-5 h^-1]   MTTR [h]   T1 [h]   DC [-]
Sensor           12,60            32         8760     0%
Final element    5,14             32         8760     0%

The results of SIM-1 are shown in Table 3.

Table 3: SIM-1 Results for I-20 and Subsystems
System                     PFD          SIL
Sensor subsystem           2,72 10^-2   1
Logic subsystem            5,50 10^-4   3
Final element subsystem    1,13 10^-2   1
Complete system            3,90 10^-2   1

These results suggest some solutions in order to have the safety function related to I-20 classified as SIL 2. For each of these solutions specific simulations were executed.

The first solution could be a reduction of the proof test interval to six months (T1 = 4380 h) both for the sensor and the final element subsystems, which have PFD values of the same order of magnitude. The results of the simulation (SIM-2), shown in Table 4, indicate that these variations are not able to raise the overall SIL of the system.

Table 4: SIM-2 Results for I-20 and Subsystems
System                     PFD          SIL
Sensor subsystem           1,38 10^-2   1
Logic subsystem            5,50 10^-4   3
Final element subsystem    5,68 10^-3   2
Complete system            2,00 10^-2   1

These results suggest another solution (SIM-3), which consists in modifying the architecture of the sensor subsystem from a single (1-out-of-1) to a redundant (1-out-of-2) architecture and in maintaining T1 = 4380 h for both the sensor and the final element subsystems. This solution raises the overall SIL to the desired value of 2, as reported in Table 5.

Table 5: SIM-3 Results for I-20 and Subsystems
System                     PFD          SIL
Sensor subsystem           6,87 10^-4   3
Logic subsystem            5,50 10^-4   3
Final element subsystem    5,65 10^-3   2
Complete system            6,89 10^-3   2

These results suggest other practicable solutions. In fact, the same result can be obtained, as shown in Table 6 (SIM-4), also maintaining T1 = 8760 h and changing the architecture to 1-out-of-2 for the sensor subsystem, with T1 = 4380 h for the final element subsystem.

Table 6: SIM-4 Results for I-20 and Subsystems
System                     PFD          SIL
Sensor subsystem           1,39 10^-3   2
Logic subsystem            5,50 10^-4   3
Final element subsystem    5,68 10^-3   2
Complete system            7,62 10^-3   2

A final solution (SIM-5) can be that of modifying the architectures of both the sensor subsystem and the final element subsystem from single (1-out-of-1) to redundant (1-out-of-2), without modifying the proof test interval. The RBD scheme related to this solution is shown in Figure 10.

Figure 10: RBD Scheme for SIM-5 Configuration. Sensor subsystem: two sensors (1oo2); Logic subsystem: PLC Triconex; Final element subsystem: two valves (1oo2).

The results of the simulations are reported all together in Figure 11, in order to allow a comparison of the PFD values for each analysed configuration and to highlight the most effective solution.

Figure 11: Comparison between different solutions; x-axis: simulation id (SIM-1, SIM-2, SIM-3, SIM-4, SIM-5); y-axis: average PFD of the system from 1,00E-04 to 1,00E-01, with the SIL 3, SIL 2 and SIL 1 bands marked.

As shown, the reconfiguration of the safety system is the most effective solution (lowest PFD), but the required SIL 2 value can also be obtained through the solutions which modify both the architecture of the sensor subsystem and the proof test intervals.

CONCLUSIONS AND FURTHER STUDIES
As was said, the IEC 61508 standard was adopted as the European standard CEI EN 61508 only in the year 2002 (Comitato Elettrotecnico Italiano 2002). There are only few complete applications of the standard in industry, probably because of the difficulties related to the comprehension and the application of the proposed guidelines. Instrumentation manufacturers more and more often propose to their clients to buy SIL certified components, but rarely does the client know which is the target SIL for a specific safety function, or whether the substitution of the installed component with a certified one can really increase the SIL associated with a safety function. Moreover, it is necessary to highlight that, as was shown, the PFD of a system is higher than the PFD of its weakest subsystem, so that the PFD can effectively be reduced only by reducing the highest subsystem PFD. About maintenance, it is important to notice that if a manufacturer states that a component can be adopted in a SIL 2 safety function, it has assumed fixed values of the proof test interval, of the MTTR, of the diagnostic coverage and of the β factor; if these values are not respected by the users, the component cannot meet the SIL 2 requirements.
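As an added worked example (not code from the paper), the simplified formulas of Equations (1) to (7) and (12) and the Table 1 SIL bands applied to the I-20 loop data of Table 2 for the five configurations SIM-1 to SIM-5. It assumes the IEC 61508-6 Annex B form of the 1oo2 and 2oo3 groups with β = 10% and β_D = 5%, a logic subsystem PFD of 5,50 10^-4, and failure rates entered as 10^-6 h^-1 values: with the 10^-5 h^-1 scale printed in Table 2 the 1oo1 closed form gives about 0,28 for the sensor subsystem, an order of magnitude above the Table 3 result.

```python
"""IEC 61508-6 Annex B simplified average PFD (low demand mode) applied to the
I-20 interlock loop configurations SIM-1 to SIM-5. Added example, not code from
the paper. Assumptions: beta = 10 % and beta_D = 5 % for redundant groups; logic
subsystem PFD = 5.5e-4 (mid SIL 3 band); Table 2 rates entered as 1e-6 1/h (the
printed 1e-5 1/h scale would give a 1oo1 sensor PFD of about 0.28, not 2.72e-2)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Channel:
    lam: float            # total failure rate [1/h]
    mttr: float           # mean time to restoration [h]
    t1: float             # proof test interval [h]
    dc: float             # diagnostic coverage, 0..1
    beta: float = 0.10    # common-cause fraction of undetected dangerous failures
    beta_d: float = 0.05  # common-cause fraction of detected dangerous failures

    @property
    def lam_d(self):   # Eq. (4): dangerous rate = safe rate = lam / 2
        return self.lam / 2

    @property
    def lam_dd(self):  # Eq. (5): dangerous failures detected by diagnostics
        return self.lam_d * self.dc

    @property
    def lam_du(self):  # Eq. (6): dangerous undetected, found only at proof test
        return self.lam_d * (1 - self.dc)

    @property
    def t_ce(self):    # Eq. (2): channel equivalent mean down time
        return (1 - self.dc) * self.t1 / 2 + self.mttr

    @property
    def t_ge(self):    # Eq. (3): voted group equivalent mean down time
        return (1 - self.dc) * self.t1 / 3 + self.mttr

def pfd_1oo1(c):       # Eq. (7)
    return c.lam_d * c.t_ce

def pfd_2oo2(c):       # Eq. (12): both channels must work, twice the 1oo1 value
    return 2 * c.lam_d * c.t_ce

def _independent(c):   # dangerous rate not attributed to common cause (beta model)
    return (1 - c.beta_d) * c.lam_dd + (1 - c.beta) * c.lam_du

def _common_cause(c):  # CCF defeats all channels: down MTTR if detected, ~T1/2 if not
    return c.beta_d * c.lam_dd * c.mttr + c.beta * c.lam_du * (c.t1 / 2 + c.mttr)

def pfd_1oo2(c):       # IEC 61508-6 B.3.2.2.2 form of the 1oo2 group
    return 2 * _independent(c) ** 2 * c.t_ce * c.t_ge + _common_cause(c)

def pfd_2oo3(c):       # IEC 61508-6 B.3.2.2.5 form of the 2oo3 group
    return 6 * _independent(c) ** 2 * c.t_ce * c.t_ge + _common_cause(c)

ARCH = {"1oo1": pfd_1oo1, "1oo2": pfd_1oo2, "2oo2": pfd_2oo2, "2oo3": pfd_2oo3}

def sil(pfd):
    """Table 1 bands; 0 means the average PFD is above the SIL 1 band."""
    for level, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return level
    return 0

def system_pfd(sensor_pfd, logic_pfd, fe_pfd):
    """Eq. (1): the SIS PFD is the sum of the three subsystem PFDs."""
    return sensor_pfd + logic_pfd + fe_pfd

# Table 2 data (MTTR 32 h, DC 0 %); rates entered as 1e-6 1/h (assumption)
def sensor(t1):        # LSHH-803, 12.60
    return Channel(lam=12.60e-6, mttr=32.0, t1=t1, dc=0.0)

def valve(t1):         # LV-804, 5.14
    return Channel(lam=5.14e-6, mttr=32.0, t1=t1, dc=0.0)

LOGIC_PFD = 5.5e-4     # SIL 3 certified PLC: mean of the SIL 3 PFD interval
YEAR, HALF_YEAR = 8760.0, 4380.0

# (simulation id, sensor architecture, sensor T1, valve architecture, valve T1)
SCENARIOS = [
    ("SIM-1", "1oo1", YEAR, "1oo1", YEAR),
    ("SIM-2", "1oo1", HALF_YEAR, "1oo1", HALF_YEAR),
    ("SIM-3", "1oo2", HALF_YEAR, "1oo1", HALF_YEAR),
    ("SIM-4", "1oo2", YEAR, "1oo1", HALF_YEAR),
    ("SIM-5", "1oo2", YEAR, "1oo2", YEAR),
]

def evaluate(sim, s_arch, s_t1, v_arch, v_t1):
    s, v = ARCH[s_arch](sensor(s_t1)), ARCH[v_arch](valve(v_t1))
    total = system_pfd(s, LOGIC_PFD, v)
    return {"sim": sim, "sensor": s, "valve": v, "system": total, "sil": sil(total)}

def compare_all():
    """Closed-form counterpart of the Figure 11 comparison, one dict per SIM."""
    return [evaluate(*sc) for sc in SCENARIOS]
```

The closed form reproduces the 1oo1 rows of Tables 3 and 4 within a few percent, while the 1oo2 rows depend on the assumed β, which the paper does not state for its simulations.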

REFERENCES
Comitato Elettrotecnico Italiano. 2002a. CEI EN 61508-1. Sicurezza funzionale dei sistemi elettrici, elettronici ed elettronici programmabili per applicazioni di sicurezza. Parte 1: Requisiti generali. IEC:1998.
Comitato Elettrotecnico Italiano. 2002b. CEI EN 61508-2. Sicurezza funzionale dei sistemi elettrici, elettronici ed elettronici programmabili per applicazioni di sicurezza. Parte 2: Requisiti per i sistemi elettrici, elettronici ed elettronici programmabili per applicazioni di sicurezza. IEC:1999.
Comitato Elettrotecnico Italiano. 2002c. CEI EN 61508-4. Sicurezza funzionale dei sistemi elettrici, elettronici ed elettronici programmabili per applicazioni di sicurezza. Parte 4: Definizioni ed abbreviazioni. IEC:1999.
Comitato Elettrotecnico Italiano. 2002d. CEI EN 61508-5. Sicurezza funzionale dei sistemi elettrici, elettronici ed elettronici programmabili per applicazioni di sicurezza. Parte 5: Esempi di metodi per la determinazione dei livelli di integrità di sicurezza. IEC:1999.
Comitato Elettrotecnico Italiano. 2002e. CEI EN 61508-6. Sicurezza funzionale dei sistemi elettrici, elettronici ed elettronici programmabili per applicazioni di sicurezza. Parte 6: Guida all'applicazione delle IEC 61508-2 e IEC 61508-3. IEC:2000.
International Electrotechnical Commission. 2004. IEC 61511. Functional safety - Safety instrumented systems for the process industry sector.
Rouvroye J.L. and Brombacher A.C. 1999. New quantitative safety standards: different techniques, different results? Reliability Engineering and System Safety, Elsevier, No. 66, 121-125.
Simpson K., Phil M., Eng C. 2004. IEC 61508 And Its Process Related Standards: Considerations Based on Experience In Applying The Standard. Communications of the Workshop "Il Ciclo del SIL", Milano (Oct.).
SINTEF Industrial Management. 2002. Offshore Reliability Data Handbook, 4th Edition. Norway (Oct.).
Sola L. 2005. Prime applicazioni della norma IEC 61508 ad un impianto petrolifero: dalla valutazione dei rischi all'analisi affidabilistica. M.S. Thesis, Università degli Studi di Catania.
Zhang T., Long W., Sato Y. 2003. Availability of systems with self-diagnostic components applying Markov model to IEC 61508-6. Reliability Engineering and System Safety, Elsevier, No. 80, 133-141.
