RISKNOWLOGY B.V.
Brunner bron 2
6441 GX Brunssum
The Netherlands
www.risknowlogy.com
This document is the property of, and is proprietary to Risknowlogy. It is not to be disclosed in whole or in part and no portion of this document shall be
duplicated in any manner for any purpose without Risknowlogy’s expressed written authorization.
Risknowlogy, the Risknowlogy logo, functional safety data sheet, and spurious trip level are registered service marks.
1 Introduction
The functional safety industry is driven by the international standards IEC 61508 [1] and IEC 61511 [2]. These standards describe performance levels for safety functions and for the devices and systems that carry out these safety functions. This performance is expressed as the so-called safety integrity level (SIL). In practice there are four levels, SIL 1 to SIL 4. The required SIL level is derived directly from the process that needs to be protected by a safety function of a certain safety integrity. The more dangerous the process, the more safety integrity is required of the safety function.
The SIL level is a measure of the qualitative and quantitative performance of the safety function. The higher the SIL level, the more difficult it is for a product supplier to design and manufacture the safety device, and the more difficult it is for end-users and system integrators to integrate safety devices from different manufacturers into a complete safety system. The higher the SIL level, the more safety has been, or needs to be, built into the devices and systems.
The quantitative part of the SIL level is expressed as the probability of failure on demand (PFD). This means that we need to calculate the probability that the safety function cannot be carried out when the process demands it. In other words: how likely is it that the safety function does not work when we require it to work? The higher the SIL level, the more likely it is that the safety function works.
Besides demand mode functions, the IEC 61511 standard also refers to continuous mode functions. Unlike demand mode functions, these safety functions have a direct impact on the process when an internal failure occurs. Continuous mode functions therefore have to be calculated per hour and not per demand, see Figure 1.
Corresponding author: m.j.m.houtermans@risknowlogy.com
Level   Range
x       ≥ 10^-(x+1) to < 10^-x
…       …
5       ≥ 10^-6 to < 10^-5
4       ≥ 10^-5 to < 10^-4
3       ≥ 10^-4 to < 10^-3
2       ≥ 10^-3 to < 10^-2
1       ≥ 10^-2 to < 10^-1
Subsystem   Hardware                                   Software
            Mechanical   Electronics   Electronics
Type        A            A             B              SIL 3
Table 2 – Overview of the possible architectures and their achievable SIL level

                           Architecture
Attribute                  1oo1   1oo2   2oo3
Hardware fault tolerance   0      1      1
Fit for use in SIL         2      3      3
Table 3 gives an overview of the PFD, the PFS and the achieved SIL and STL levels of the LNG level sensors in the different architectures. This table is particularly useful for end-users and system integrators as it shows how much of the overall SIL level the level sensor consumes. For example, in order to achieve a SIL 2 safety loop the level sensor takes only 0.18% of the total PFD value of SIL 2. For SIL 3 the level sensor takes even less, 0.004% and 0.033% respectively for the 1oo2 and 2oo3 configurations. Even when the safety loop is calculated over a period of 10 years, the level sensor takes up only a very small part of the overall required PFD value. The PFS values are also calculated for the different architectures of the level sensor. The best STL level is achieved by the 2oo3 sensor architecture.
                           Architecture
Attribute                  1oo1   1oo2   2oo3
Figure 3 shows how the probability of failure on demand develops over time for all three architectures. A graphical representation like this can be used by an end-user to determine periodic proof test intervals, though only if the logic solver and the actuating part are also included in the calculation. The 1oo1 architecture clearly performs worst of the three architectures. The reason the 1oo2 architecture performs better than the 2oo3 architecture is that the 2oo3 architecture has more ways to fail: the safety function is lost when any two of its three channels have failed dangerously, so there are three failing channel pairs instead of one.
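The time behaviour of the PFD described above, and the mapping of a PFDavg onto the level bands of the first table (and the Table 5 values further below), as an added example that is not part of the paper: it uses a simplified independent-channel model rather than the paper's Markov model, and the failure rate and proof-test interval are constructed values.

```python
import math

# Added example, not the paper's model: every channel fails dangerous-undetected at a
# constant rate lam [1/h]; such a failure is only revealed by a proof test every T hours.


def channel_unavailability(lam, t):
    """Probability that one channel has failed dangerously by time t (hours)."""
    return 1.0 - math.exp(-lam * t)


def pfd(arch, lam, t):
    """Instantaneous PFD of a 1oo1, 1oo2 or 2oo3 voting group at time t."""
    p = channel_unavailability(lam, t)
    if arch == "1oo1":
        return p                        # the single channel must work
    if arch == "1oo2":
        return p ** 2                   # both channels must have failed
    if arch == "2oo3":
        return 3 * p ** 2 - 2 * p ** 3  # any 2 of 3 (three pairs) or all three failed
    raise ValueError(f"unknown architecture {arch!r}")


def pfd_avg(arch, lam, T, steps=1000):
    """Average PFD over one proof-test interval T, by the trapezoid rule."""
    h = T / steps
    total = 0.5 * (pfd(arch, lam, 0.0) + pfd(arch, lam, T))
    for i in range(1, steps):
        total += pfd(arch, lam, i * h)
    return total * h / T


# Bands of the level table: level k covers >= 10^-(k+1) and < 10^-k, SIL 1..4 only.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_from_pfd_avg(value):
    """Return the SIL band a PFDavg falls in, or 0 if it is above the SIL 1 band."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= value < hi:
            return sil
    return 0


if __name__ == "__main__":
    lam, T = 2e-6, 8760.0  # constructed: 2 DU failures per 1e6 h, yearly proof test
    for arch in ("1oo1", "1oo2", "2oo3"):
        avg = pfd_avg(arch, lam, T)
        print(f"{arch}: PFDavg = {avg:.3e}  -> SIL {sil_from_pfd_avg(avg)}")
```

With these inputs the ranking 1oo1 (worst), then 2oo3, then 1oo2 (best) reproduces the ordering the text gives for Figure 3.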
Figure 3 – Probability of Failure on Demand for 1oo1, 1oo2, and 2oo3 architectures.
Figure 4 – Safety availability calculations for 1oo1, 1oo2, and 2oo3 architectures
Figure 5 – Process availability calculations for 1oo1, 1oo2, and 2oo3 architectures
Figure 6 – Architecture Safety Instrumented System (block diagram; labels: TT, TR, Logic Solver, SOV, FCV)
The following component reliability data has been used for the components listed in Figure 6.
#   Model   OFR [/h]   SF [%]   DDC [%]   SDC [%]   A   SFF   Type
Based on the reliability data and the Markov model, the results are presented in Table 5. An overview of the development of the PFD, PFDavg and Safety Availability is given in Figure 7, Figure 8, and Figure 9 respectively:
Table 5 – Results analysis

Parameter   Value
PFD         3.916168e-003
PFDavg      1.860371e-003
PFS         2.962833e-003

Figure 8 – PFS
References
1. IEC 61508, Functional safety for electrical, electronic, programmable electronic safety-related systems. Geneva, Switzerland, 1999.
2. IEC 61511, Functional safety – Safety instrumented systems for the process industry sector. Geneva, Switzerland, 2003.
3. L. Monfilliette, P. Versluys, M.J.M. Houtermans, Certified Level Sensor for the Liquefied Natural Gas Industry. TÜV Symposium, Cologne, Germany, May 2006.