Once the risks and hazards have been assessed, one can determine if they are
below acceptable levels. If the study concludes that existing protection is
insufficient, a Safety Instrumented System may be required.
Even when emergency shutdown systems are not mandatory, many process control
industries today are using the reliability specifications defined in IEC 61508 to
separate great products from good ones. In fact, many companies are using a key
parameter Safe Failure Fraction (SFF), which is an indication of all of the safe and
dangerous detected failures within a device, to objectively compare the reliability of
instruments from different suppliers.
by Magnetrol International
In last week's blog post, we discussed how layered protection can minimize risk and
how a Hazards Analysis can help determine if a Safety Instrumented System (SIS)
is required. In this post, we will explain what a Safety Instrumented System (SIS) is
and the types of safety functions that the SIS requires.
The SIS is made up of Safety Instrumented Functions (SIFs), each built from sensors, logic
solvers and actuators:
Here's an example:
A process vessel sustains a buildup of pressure, which should open a vent valve.
The specific safety hazard is overpressure of the vessel.
When pressure rises above the normal set points, a pressure-sensing instrument
detects the increase. Logic (PLC, relay, hard-wired, etc.) then opens a vent valve to
return the system to a safe state.
In fact, the increased availability and use of SIL reliability data has allowed the
traditional example above to be improved using a High Integrity Process Pressure
System (HIPPS) to eliminate even the risk of venting to the environment. When the
HIPPS is implemented, the system controls are so thorough and reliable that there is
no need to vent, or use a relief valve.
Like the safety features on an automobile, a SIF may operate continuously like a
car's steering, or intermittently like a car's air bag. A safety function operating in
the demand mode is only performed when required in order to transfer the
Equipment Under Control (EUC) into a specified state. A safety function operating in
continuous mode operates to retain the EUC within its safe state.
by Magnetrol International
London, to name just two of the more notorious incidents. For decades, the
industrial firewall against safety incidents as they relate to level controls has been
governmental and professional association standards that require manufacturers to
make their products according to safety guidelines. The International Standards
Association, however, lists some 180,000 varieties of international standards. The
key health and safety standards that can affect level control devices and
applications fall into three categories: (1) Instrument and Component Standards, (2)
Safety Integrity Levels, and (3) Hygienic Standards.
Safety Integrity Level (SIL). Another group of directives that relate specifically to
level control safety performance are those of the IEC concerning risk reduction.
These directives refer to the classification of Safety Instrumented Systems (SISs)
according to their Safety Integrity Level (SIL), that is, according to their potential
risk for people, manufacturing processes, and the environment in case of a
malfunction. Four SIL levels are defined in these directives, with SIL 4 being the
most stringent and SIL 1 being the least. (No standard process controls have yet
been defined and tested for SIL 4.)
There are two ways an instrument manufacturer can determine and declare its
devices suitable for a SIL level. For pre-existing devices, the supplier follows the
proven-in-use procedure, in which the instruments are tested and described
according to IEC 61508 and 61511. For new devices, the supplier makes a direct
declaration to IEC. This declaration comprises an evaluation of the device based
partly on a Failure Modes, Effects and Diagnostics Analysis (FMEDA) and partly on
an assessment of the proven-in-use documentation.
Today, many instrument and plant engineers use an instrument's SIL suitability level
as shorthand for the instrument's overall reliability.
by Magnetrol International
The occurrence of catastrophic overfill incidents in recent years has made improving
safety a mission-critical requirement for all process industries. To do this, one needs
to first understand the hazards that these types of processes pose, and what can be
done to mitigate them.
In prior posts, this blog has discussed how assessing the hazards and risks within
your processes can determine the need for a Safety Instrumented System (SIS). This
week, we'll explain Safety Integrity Level (SIL) and how assigning a target SIL can
help you measure the safety risk of a given process.
SIL is a way to indicate the tolerable failure rate of a safety function. Standards
require the assignment of a target SIL for any new or retrofitted SIF within a SIS. The
assignment of the target SIL is a decision that requires the extension of the Hazards
Analysis, which analyzes the hazards and risks within a process. The SIL assignment
is based on the amount of risk reduction that is necessary to maintain the risk at an
acceptable level. All of the SIS design, operation, and maintenance choices must
then be verified against the target SIL. This ensures that the SIS can mitigate the
assigned process risk.
A hardware fault tolerance of 0 means that if there is a single fault, the transmitter
will not be able to perform its function (for example, measure level). A hardware
fault tolerance of N means that N+1 faults could cause a loss of the safety function.
When a Failure Modes, Effects and Diagnostic Analysis (FMEDA) is performed on a
device, the resultant Safe Failure Fraction (SFF) has an associated hardware fault
tolerance of 0.
Various methodologies are used to assign target SILs, including (but not limited to),
Simplified Calculations, Fault Tree Analysis, Layer of Protection Analysis and Markov
Analysis. The determination must also involve people who possess the relevant
expertise and experience.
FMEDA is best when reviewed or certified by a third party, such as exida or TÜV,
but manufacturers can make self-declarations. A systematic analysis technique is
necessary to determine failure rates, failure modes and the diagnostic capability as
defined by IEC 61508/61511.
Proven in Use (also called Prior Use) is typically used for mature instruments in
known processes. This approach requires sufficient product operational hours,
revision history, fault reporting systems and field failure data to determine if there is
evidence of systematic design faults in a product. IEC 61508 provides levels of
operational history required for each SIL. It is generally considered more valuable
when done by users in their facility when comparing like data. It is considered less
reliable when done by a device manufacturer whose data may be less relevant to
the end user's application.
If using a manufacturer's prior use data is necessary because a product does not
reach the required level under the standard FMEDA analysis, there are significant
requirements that are imposed. For example, a mature product must generally be
used (to have the required field experience) and the design and assembly must be
frozen in time so that no upgrades, modifications or even configuration changes
are allowed that may render the Proven in Use data useless. A key result of the
analysis is establishing a Safe Failure Fraction (SFF) for a product. The following
chart shows the relationship of SFF values, SIL ratings and the effects of
redundancy.
[Chart referenced above: SFF bands against SIL ratings, with and without redundancy; not reproduced in this extract.]
While two SIL 1 devices can be used to achieve SIL 2
and two SIL 2 devices may be used to achieve SIL 3, it is not automatic. Using
redundancy to attain a higher SIL rating has an additional requirement of systematic
safety, which includes software integrity. It is important to note that the most
conservative approach to redundancy is to use dissimilar technologies. This reduces
failures due to application issues. Within the SFF determination is an understanding
of types of failures and the ability of the instrument to diagnose them.
The most critical category of failures is called
Dangerous Undetected (DU). For example, the new Eclipse Model 706 has an SFF
of 93.0% with 61 Dangerous Undetected failures, which means that 93.0% of all
failures are detected or are safe (nuisance) failures. Conversely, 61 represents the
remaining 7% that are dangerous and undetected. The lower the number of
Dangerous Undetected failures, the better. This number is key in a reliability
evaluation, even for non-safety-related applications.
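As an added example (not code from the post or from Magnetrol), the Python below computes the SFF from a device's FMEDA failure-rate split and applies the IEC 61508-2 architectural-constraint tables that relate SFF band and hardware fault tolerance (HFT) to the highest SIL a single element may claim, which is the reason two SIL 2 devices can reach SIL 3 only when the other requirements are met. The failure-rate split is constructed to reproduce the Eclipse 706 figures quoted above; it is assumed that the 61 dangerous undetected failures are a rate in FIT and that the transmitter is a Type B (microprocessor-based) element.

```python
# Added example, not code from the Magnetrol post or from Magnetrol: computes
# the Safe Failure Fraction from a device's FMEDA failure-rate split and applies
# the IEC 61508-2 (Route 1H) architectural-constraint tables, which give the
# highest SIL a single element may claim for a given SFF band and hardware fault
# tolerance (HFT). The tables are the standard's; the failure-rate split below is
# constructed so that it reproduces the figures quoted above for the Eclipse 706
# (SFF 93.0 %, lambda_DU = 61, assumed to be in FIT = failures per 1e9 hours).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FailureRates:
    """FMEDA failure rates in FIT, split into the four IEC 61508 categories."""
    sd: float  # safe, detected by diagnostics
    su: float  # safe, undetected
    dd: float  # dangerous, detected by diagnostics (device annunciates a fault)
    du: float  # dangerous, undetected: the category that erodes the SIL claim

    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    def sff(self) -> float:
        """Safe Failure Fraction = 1 - lambda_DU / lambda_total (as a fraction)."""
        return 1.0 - self.du / self.total()


# Lower bounds of the four SFF bands: <60 %, 60-<90 %, 90-<99 %, >=99 %.
_SFF_BANDS = (0.0, 0.60, 0.90, 0.99)
# Max SIL per band for HFT 0, 1, 2. None = architecture not allowed.
# Type A: simple elements with fully known failure modes (e.g. a solenoid valve).
_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
# Type B: complex / microprocessor-based elements (most smart transmitters).
_TYPE_B = ((None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def max_sil(sff: float, hft: int, device_type: str) -> Optional[int]:
    """Highest SIL the architectural constraints allow for this element.

    hft: number of faults tolerated before the safety function is lost
         (0 = single device, 1 = two devices in 1oo2 or three in 2oo3,
          2 = three devices in 1oo3).
    """
    if hft not in (0, 1, 2):
        raise ValueError("IEC 61508 tables cover HFT 0, 1 and 2 only")
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be given as a fraction between 0 and 1")
    table = {"A": _TYPE_A, "B": _TYPE_B}[device_type.upper()]
    band = max(i for i, lower in enumerate(_SFF_BANDS) if sff >= lower)
    return table[band][hft]


# Constructed split: 61 FIT dangerous undetected out of 871.4 FIT total -> 93.0 %.
ECLIPSE_706 = FailureRates(sd=500.0, su=150.0, dd=160.4, du=61.0)

if __name__ == "__main__":
    sff = ECLIPSE_706.sff()
    print(f"SFF = {sff:.1%}")                                     # 93.0%
    # Assumed Type B (microprocessor-based transmitter).
    print("single transmitter (HFT 0):", max_sil(sff, 0, "B"))   # 2
    print("redundant pair     (HFT 1):", max_sil(sff, 1, "B"))   # 3
```

The table only caps the claim; the PFDavg of the whole loop and the systematic-capability requirements mentioned above must still be met separately.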
Seveso, Bhopal, Piper Alpha: the scenes of some of the worst accidents ever in
the chemical and petrochemical industries. These catastrophes, which are still
remembered today for their very high death toll, were caused by human error and
technical failures. Taking the applicable rules and regulations governing industrial
accidents as a starting point, plant operators everywhere must endeavour to reduce
the residual risk created by their plant to a tolerable level.
Architecture of a safety instrumented system comprising a sensor, two final
elements and a safety control system (example taken from Samson training system)
An uncontrolled exothermic reaction in a reactor in Seveso, Italy, caused a safety
relief valve to burst open in 1976. As a result, an unknown amount of highly toxic
dioxin was released into the atmosphere. In Bhopal, India, several tons of toxins
were released into the atmosphere in 1984 due to the failure of the safety systems.
In 1988, a fire destroyed the Piper Alpha offshore oil platform moored in the North
Sea. This catastrophe was caused by a temporarily missing high-pressure valve as
well as several other sources of error such as a negligently secured pipeline,
insufficient explosion protection and external platforms continuing to pump oil
towards Piper Alpha during the fire. Deaths and severe injuries among staff and
residents as well as environmental damage are merely the visible consequences of
such accidents.
The risk created by a plant increases with the severity of the consequences in the
event of a failure and the probability that such a failure will occur. To reduce the
residual risk to a tolerable level, plant-specific emergency plans, passive and active
mechanical safety measures and electronic safety instrumented systems (SIS) are
implemented. These safety instrumented systems, which are independent of the
basic process control system, comprise sensors, a safety control system and a final
element. There is a clear assignment of roles within the SIS. The sensors measure
the controlled variable (e.g. temperature, pressure, filling level) and transmit the
measured data to the safety control system. The safety control system processes
the received data independently of the basic process control system (BPCS) and
causes the final element to perform the safety instrumented function in case of a
failure. The final element executes the safety instrumented function, i.e. it opens or
closes the valve as required. The term "final element" refers to the entire control
valve including all mounted accessories, such as a solenoid valve, positioner and
booster.
These components are expected to interact in the event of a failure and maintain
the plant in a safe state. The performance required of a safety instrumented
function is quantified in four discrete safety integrity levels (SIL 1 to 4). The safety
instrumented system is categorised based on IEC 61508 and IEC 61511. While IEC
61508 (Functional safety of electrical/electronic/programmable electronic safety-related
systems) is directed at manufacturers of individual components for use in a
safety instrumented system, IEC 61511 (Functional safety: Safety instrumented
systems for the process industry sector) is relevant to planners, builders and
operators of safety instrumented systems.
Role of manufacturers
The manufacturer identifies all characteristic values with a bearing on safety with
the help of the mathematical models and calculation methods of the FMEDA (failure
modes, effects and diagnostic analysis) and possibly also proven-in-use data (see
table). These values are documented and confirmed in a product-specific
manufacturer's declaration which the manufacturer is responsible for. The
development process can optionally be supervised and certified by an independent
body. The manufacturer is also responsible for providing instructions regarding a
product's proper use, which are given in the safety manual. The characteristic
values supplied by the manufacturer only describe the safety integrity that an
individual component can theoretically achieve. A manufacturer obviously cannot
make any statements regarding the safety integrity of a complete safety
instrumented system.
Role of planners, builders and operators
Plant owners assess the requirements placed on the safety instrumented system
(SIL rating) using a suitable method such as a risk graph, risk matrix or LOPA (layer
of protection analysis). Planners and builders are responsible for designing the
entire safety instrumented system to match the SIL rating and for selecting the
individual safety components (sensors, final elements and safety control system),
taking account of the latest advances in safety engineering. According to the
standard, the suitability of a selected component must be certified for the ambient
conditions and the specific process. As far as control valves are concerned, this
means they must be sized correctly and the sizing process documented
appropriately.
The performance achieved by the safety instrumented function, or SIL rating,
depends on the device type used (degree of complexity as defined by the standard),
the selected architecture and the probability of failure. Ideally, operators should rely
on probability of failure values gathered from their own experience, i.e. prior use.
These empirical values can be backed up by Namur data. The organisation also
publishes a series of practical recommendations for plant planners and builders
including Namur Recommendation 130, which deals with proven-in-use devices, and
Namur Recommendation 106 on the test intervals for safety instrumented systems.
Experienced occupational safety experts and safety engineers take on the project
management role and coordinate all safety personnel
Five tasks a service provider should provide
Safety during shutdowns
Dräger provides the very latest equipment technology available and takes care of
maintenance and servicing of all equipment supplied
A study conducted by Dräger and T.A. Cook shows that, according to the answers
received, 80% of all accidents during downtime are due to human error. The number
of accidents can be significantly reduced if a professional safety service provider is
present throughout the shutdown and accepted by all stakeholders. This partner can
take the required action from the planning phase onwards to help achieve the goal
of zero accidents. Many plant operators have realised that by cooperating with
partners, they can fully concentrate on their actual core competences. The overall
responsibility for health and safety at work remains with the customer, but a service
provider is appointed to implement and monitor the necessary measures.
Consistently high safety levels
During the first few days of a plant shutdown, the motivation of all parties involved
(plant operators and contractors) is still very high: the project is on time, all process
steps ideally have sufficient staff and material and everything is running smoothly.
However, after a while, this motivation starts to decrease, delays occur and it
becomes necessary to increase or reduce personnel and material levels, with
adjacent steps also affected. A professional safety service provider's task is to
monitor and support all work during the entire project phase and maintain an
overview of safety-relevant aspects. If appropriately authorised, this provider can
take preventive and corrective action, initiate the rescue chain in an emergency and
provide first aid where necessary.
Efficient approval processes
Due to time and cost constraints, safety briefings for staff and contractors frequently
only take place on the plant itself and in large groups shortly before the work starts.
Special tasks and individual skillsets, especially of contractor employees, cannot
always be taken into account here. The situation is different if an external safety
service provider is involved in the shutdown planning phase and can invite the
manufacturer (IEC 61508) and operator (IEC 61511) under a comprehensive safety
life cycle approach. Even though random failures hardly ever occur in mechanical
components, the standards mandate that they be taken into account. This is mainly
done through the dangerous undetected failure rate DU, which is given in the
manufacturer's specifications. Typical values based on a worst-case estimate for
proven-in-use equipment are also found in Namur Recommendation NE 130. The
average probability of failure on demand (PFDavg) can be calculated from the
dangerous undetected failure rate. The PFDavg value is directly related to the safety
integrity level (SIL) described in IEC 61511.
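As an added example (not code from the Samson article or from Samson), the Python below applies the simplified IEC 61508-6 low-demand formulas to get PFDavg from a dangerous undetected failure rate and a proof-test interval, sums it over the sensor, logic solver and final element of one SIF, and maps the result to the IEC 61511 SIL bands, so the effect of the test interval (the subject of NE 106) and of a redundant final element can be seen. Common-cause failures, repair time and proof-test coverage are ignored, which is optimistic; the failure rates are constructed, except that 61 FIT is the transmitter figure quoted earlier on this page.

```python
# Added example, not code from the Samson article or from Samson: the simplified
# IEC 61508-6 low-demand formulas for PFDavg from the dangerous undetected
# failure rate and the proof-test interval, summed over the three SIF subsystems
# and mapped to the IEC 61511 SIL bands. Common-cause failures, repair time and
# proof-test coverage are ignored (an optimistic simplification); lambda_DU
# values are constructed, except that 61 FIT is the sensor figure quoted above.
from typing import Optional, Sequence

FIT = 1e-9                 # failures per hour
HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du_fit: float, test_interval_years: float) -> float:
    """Single channel: PFDavg ~= lambda_DU * TI / 2."""
    return lambda_du_fit * FIT * test_interval_years * HOURS_PER_YEAR / 2.0


def pfd_avg_1oo2(lambda_du_fit: float, test_interval_years: float) -> float:
    """Two channels, either one trips: PFDavg ~= (lambda_DU * TI)^2 / 3."""
    x = lambda_du_fit * FIT * test_interval_years * HOURS_PER_YEAR
    return x * x / 3.0


def sil_from_pfd(pfd: float) -> Optional[int]:
    """IEC 61511 low-demand bands; None if PFDavg >= 0.1 (below SIL 1)."""
    if pfd >= 1e-1:
        return None
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4   # the standard defines nothing beyond 1e-5; reported as SIL 4


def sif_pfd(subsystem_pfds: Sequence[float]) -> float:
    """A SIF fails if any of sensor, logic solver or final element fails;
    for small values the subsystem PFDs simply add."""
    return sum(subsystem_pfds)


# Constructed loop: level transmitter (61 FIT), logic solver (20 FIT),
# final element = valve + actuator + solenoid (500 FIT); sensor and logic
# solver are proof-tested yearly, the valve's interval is a parameter.
SENSOR_DU, LOGIC_DU, VALVE_DU = 61.0, 20.0, 500.0


def loop_sil(valve_redundant: bool, valve_ti_years: float = 1.0) -> Optional[int]:
    """SIL of the whole loop; the valve dominates unless it is tested more
    often or made redundant (1oo2)."""
    valve_pfd = (pfd_avg_1oo2 if valve_redundant else pfd_avg_1oo1)(VALVE_DU, valve_ti_years)
    return sil_from_pfd(sif_pfd([pfd_avg_1oo1(SENSOR_DU, 1.0),
                                 pfd_avg_1oo1(LOGIC_DU, 1.0), valve_pfd]))


if __name__ == "__main__":
    print("sensor alone:        ", sil_from_pfd(pfd_avg_1oo1(SENSOR_DU, 1.0)))  # 3
    print("loop, single valve:  ", loop_sil(False))                            # 2
    print("loop, valve tested quarterly:", loop_sil(False, 0.25))              # 3
    print("loop, 1oo2 valves:   ", loop_sil(True))                             # 3
```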
Plant planners, builders and operators profit from the expertise of manufacturers
when selecting individual safety-related components. The companies belonging to
the Samson Group for example, develop and manufacture the entire range of final
elements from valves and actuators to valve accessories such as positioners,
solenoid valves or limit switches. Back in 1995, Samsomatic, a member of the
Group, applied for the certification of solenoid valves manufactured in compliance
with the then-preliminary DIN V 19251 standard. Since then, these solenoid valves
have been proven in use and are now being employed in smart Samson valve
accessories. In 2006, Samson launched the Series 3730 Positioner with emergency
shutdown (ESD) function. Since then, Samson equipment has been capable of
emergency venting: the Series 3730 and 3731 Positioners as well as the smart Type
3738 Electronic Limit Switch with integrated solenoid valve and limit contact
function.
In December 2011, Samson became one of the first valve manufacturers to have its
complete R&D, design, production and sales processes for valves audited by TÜV
Süd according to IEC 61508-1. For plant planners and operators, this manufacturer
certification has benefits when it comes to attesting prior use according to Namur
Recommendation NE 130 as the prior use period is shortened by six months.
Despite the different roles assigned by IEC 61508 and IEC 61511, the company
considers itself responsible for supporting operators and providing them with
information on functional safety. Samson does this by holding hands-on training and
participating in events like the SIL road show that tours Germany. In this connection
the authors would like to draw attention to the seminar dealing with control valves
and valve accessories used in safety-instrumented systems (SSA). The seminar