7/28/2019 VUT 6.4.2006-2

1/49

VUT

6.4.2

006

1

Funkn bezpenost

elektrickch pstrojsouvisejcch s bezpenost

7/28/2019 VUT 6.4.2006-2

2/49

VUT

6.4.2

006

2

Funkn bezpenost

st celkov bezpenosti tkajc seEUC a systmu zen EUC zvisl nasprvnm fungovn E/E/EP systmsouvisejcch s bezpenost,systmech souvisejcch s bezpenostzaloench na jinch technickch

principech a vnjch prostedcch prosnen rizika

SN EN 61508-4

7/28/2019 VUT 6.4.2006-2

3/49

VUT

6.4.2

006

3

7/28/2019 VUT 6.4.2006-2

4/49

VUT

6.4.2

006

4

Mechanical Safety Action (if available)

Plant Shut-down

Wild Processparameter

High Control level

High Alarm level

Time

If Operator takes action

Certain Process

parameter value Low Control level

Normal behavior

DCS

Functionality

Process.

7/28/2019 VUT 6.4.2006-2

5/49

VUT

6.4.2

006

5

Mechanical Safety Action (if available)

Plant Shut-down

Wild Processparameter

High Control level

High Alarm level

ESD controlled

Trip level

Time

If Operator takes action

Certain Process

parameter value

Safety Instrumented

System Functionality

Low Control level

Normal behavior

DCS

Functionality

Safety System.

7/28/2019 VUT 6.4.2006-2

6/49

7/28/2019 VUT 6.4.2006-2

7/49

VUT

6.4.2

006

7

Safety Issues for End User / Operators

How do you demonstrate that your operations are safe?

How do you demonstrate that your equipment is safe?

How do you demonstrate that your safety and protectivesystems protect against your hazards?

You can answer these questions by demonstrating compliancewith Industry Safety Standards

IEC61508 - Functional safety ofelectrical/electronic/programmable electronic

safety-related systems

7/28/2019 VUT 6.4.2006-2

8/49

VUT

6.4.2

006

8

What is IEC61508?

An international standard relating to the Functional Safetyof electrical / electronic / programmable electronic safety

related systems

Mainly concerned with E/E/PE safety-related systemswhose failure could have an impact on the safety of

persons and/or the environment

Could also be used to specify any E/E/PE system usedfor the protection of equipment or product

It is an industry best practice standard to enable you to

reduce the risk of a hazardous event to a tolerable level

7/28/2019 VUT 6.4.2006-2

9/49

VUT

6.4.2

006

Technologies Concerned

E Electrical electro-mechanical / relays / interlocks

E Electronic

solid state electronics

PES Programmable Electronic Systems

Programmable Logic Controllers(PLCs);

Microprocessor based systems

Distributed Control Systems Other computer based devices

(smart sensors / transmitters /actuators)

7/28/2019 VUT 6.4.2006-2

10/49

VUT

6.4.2

006

Features

Generic Standard

Guidance on the use of E/E/PES

Comprehensive approach involving concepts of Safety Lifecycle andincludes all elements of the protective system

Risk-based approach leading to determination of Safety IntegrityLevels (S.I.Ls)

Considers the entire Safety Critical Loop

7/28/2019 VUT 6.4.2006-2

11/49

VUT

6.4.2

006

11

Generic and Application Sector Standards

IEC61511 :

Process Sector

Medical Sector

IEC61513 :

Nuclear Sector

IEC62061 :

Machinery Sector

7/28/2019 VUT 6.4.2006-2

12/49

VUT

6.4.2

006 IEC61511

Functional Safety

Safety instrumented systemsfor the

Process industry sector

7/28/2019 VUT 6.4.2006-2

13/49

VUT

6.4.2

006

13

IEC 61511

FUNCTIONAL SAFETY: SAFETY

INSTRUMENTED SYSTEMS FOR

THE PROCESS INDUSTRYSECTOR

7/28/2019 VUT 6.4.2006-2

14/49

VUT

6.4.2

006

14

Industries

Applies to a wide variety ofindustries across the processsector

Including:

Chemicals

Oil refining

Oil and gas production

Pulp and paper

Non-nuclear power

generation

Pharmaceuticals / Fine

Chemicals

7/28/2019 VUT 6.4.2006-2

15/49

VUT

6.4.2

006

15

Scope

Process (chemicals, oil & gas, paper, non-nuclear power generation)

End-to-end safety instrumented system (SIS) -

h/w, s/w, mgt. and human factors

Full safety lifecycle - specification, design,integration, operation, maintenance

Intended for integrators / users not for equipment designers / vendors

7/28/2019 VUT 6.4.2006-2

16/49

VUT

6.4.2

006

16

Structure

IEC 61511 Structure

Part 1Framework, definitions, system,hardware and software requirements.

Part 2Guidelines for the application ofIEC 61511-1.

Part 3Guidance for the determination ofsafety integrity levels.

Normative

Informative

7/28/2019 VUT 6.4.2006-2

17/49

VUT

6.4.2

006

17

IEC 61511

TITLE - Functional Safety Safety Instrumented

Systems for the Process Industry sector

This international Standard gives requirements for

the specification, design, installation, operation and

maintenance of a safety instrumented system, so

that it can be confidently entrusted to place and/or

maintain the process in a safe state.

This standard has been developed as a processsector implementation of IEC 61508.

7/28/2019 VUT 6.4.2006-2

18/49

VUT

6.4.2

006

Relationship IEC 61511 & IEC 61508

7/28/2019 VUT 6.4.2006-2

19/49

VUT

6.4.2

006

Relationship IEC 61511 & IEC 61508

7/28/2019 VUT 6.4.2006-2

20/49

VUT

6.4.2

006

20

Similarities (IEC 61508 - IEC 61511)

Whole safety lifecycle Concept, Hazard & Risk Analysis and Design

through operation & maintenance to eventualdecommissioning

Safety requirements specification Safety integrity levels (SIL 1 to 4)

End-to-end system

(Sensor via Logic to Actuator)

Hardware reliability analysis (PFD)

Management of functional safety

Architectural constraints (fault tolerance)

7/28/2019 VUT 6.4.2006-2

21/49

VUT

6.4.2

006

21

Key Differences IEC 61511 (IEC 61508)

Terminology Process (EUC)

Basic Process Control System (EUC Controlsystem)

Safety Instrumented System (E/E/PE S-R-S) Safety Instrumented Function (Safety function)

Presentation

less rigorous than IEC 61508

more guidance (especially in Parts 2 & 3)

7/28/2019 VUT 6.4.2006-2

22/49

VUT

6.4.2

006

22

Overall Installation

& Commissioning

11

2

External Risk

ReductionFacilities

Overall Scope Definition

Realisation

1 Concept

3 Hazard Risk Analysis

4 Overall Safety Requirements

Safety Related

Systems:E / E / PES

12

Realisation

Overall Planning

Safety Related

Systems:

Other

Technology

Realisation

10

Overall

Installation &

CommissioningPlanning

Overall

Validation

Planning

Overall

Operation &

MaintenancePlanning

8

9

76

Safety Requirements Allocation5

Back to appropriate

Overall Safety Lifecycle

Phase

15

16 Decommissioning

13 Overall Safety Validation

Overall Operation & Maintenance14 Overall Modification & Retrofit

Overall Safety Lifecycle in IEC 61508

7/28/2019 VUT 6.4.2006-2

23/49

VUT

6.4.2

006

23

IEC 61508 - ownership of phases

PRE-DESIGN

(Phases 1 to 5)

OPERATION

(Phases 14 to 16)

DESIGN AND

INSTALLATION

(Phases 6 to 13)

End user / operator

End user / operator

Engineering Contractors/ Equipment

Supplier

7/28/2019 VUT 6.4.2006-2

24/49

VUT

6.4.2

006

24

Pre-Design : Phases 1 - 5

1 : Concept

2 : Overall Scope

Definition

3 : Hazard Risk

Analysis

4 : Overall Safety

Requirements

5 : Safety

Requirements

Allocation

Can you demonstrate that

you have identified all

your hazards?

Can you demonstrate that

you are using adequateand correct methods of

hazard protection?

7/28/2019 VUT 6.4.2006-2

25/49

VUT

6.4.2

006

25

Design & Implementation : Phases 6 - 13

Overall Planning

6 : Overall Operations and

Maintenance Planning

7: Overall Validation

Planning

8: Overall Installation &

Commissioning Planning

9 : Safety

Related

Systems :E/E/PES

12 : Overall Installation &

Commissioning

13 : Overall

Safety Validation

10 : Safety

Related

Systems :

OtherTechnology

11 : External

Risk

ReductionFacilities

How do you ensure

competencies for all these

activities?

Can you demonstrate that you

pass the necessary information

into these activities?

Can you demonstrate that all

necessary information has been

passed to you from these activities?

7/28/2019 VUT 6.4.2006-2

26/49

VUT

6.4.2

006

26

Operation : Phases 14 - 16

14 : Overall

Operations and

Maintenance

15 : OverallModification and

Retrofit

16 : Decommissioning

Can you demonstrate thatyou maintain / test /

analyse your protective

systems correctly?

Can you demonstratethat you are in control

of your modification

process?

7/28/2019 VUT 6.4.2006-2

27/49

VUT

6.4.2

006

27

Supply Chain

IEC6

1511

IEC6

150

8

Requirement

SpecificationCommissioning

and Use

End User

System DesignerIntegrator

Sub-system

Designer

Component

Manufacturer

7/28/2019 VUT 6.4.2006-2

28/49

VUT

6.4.2

006

Risk

7/28/2019 VUT 6.4.2006-2

29/49

VUT

6.4.2

006

29

What is Risk?

The probable rate of occurrence of a hazardcausing harm

AND

the degree of severity of the harm

Qualitatively - Words

Quantitatively - Figures

7/28/2019 VUT 6.4.2006-2

30/49

VUT

6.4.2

006

Risk cannot be justified

except in extraordinary

circumstances

Tolerable only if risk reduction

is impracticable or if its cost is

grossly disproportionate to the

improvement gained

Necessary to maintain

assurance that risk

remains at this level

Unacceptable

region

Broadly acceptable

region

Negligible risk

(No need for detailed working

to demonstrate ALARP)

The ALARP or

Tolerability region

As the risk is reduced the less,

proportionately, it is necessary to

spend to reduce it further. The

concept of diminishing proportion

is shown by the triangle.

(Risk is undertaken only

if a benefit is desired)

Levels of Risk and ALARP(As Low As Reasonably Practicable)

7/28/2019 VUT 6.4.2006-2

31/49

VUT

6.4.2

006

31

7/28/2019 VUT 6.4.2006-2

32/49

VUT

6.4.2

006

32

Risk reduction: General concepts

Increasingrisk

Risk to meet

Level of SafetyPlant Under

Control risk

Necessary minimum risk reduction

Actual risk reduction

Risk reduction achieved by all protective systems &

External Risk Reduction Facilities

Actual risk

remaining

Partial risk covered

by E/E/PESprotective systems

Partial risk covered

by Other Technologysafety-related systems

Partial risk covered

by External Risk

Reduction Facilities

7/28/2019 VUT 6.4.2006-2

33/49

VUT

6.4.2

006

33

SENSOR ACTUATORPROGRAMMABLEELECTRONICS

Equipment(plant)

UnderControl (EUC)

PE

SRS

Extent of Safety Related System

7/28/2019 VUT 6.4.2006-2

34/49

VUT

6.4.2

006

What is a Safety Related System (SRS) ?

Any system thatimplements safety

functions necessary to

achieve a safe state for

the Equipment UnderControl, or to maintain itin a safe state.

Examples

7/28/2019 VUT 6.4.2006-2

35/49

VUT

6.4.2

006

Hazard Identification and Risk Analysis

A typical Methodology for Hazard Identification and Risk

Analysis

(by the end user)

Hazard studies and HAZOPs Evaluate possible consequences Establish tolerable frequencies vs ALARP Build event chain Estimate demand rates Define protection required

Specify required SIL

7/28/2019 VUT 6.4.2006-2

36/49

VUT

6.4.2

006

Failure categories in IEC 61508

A = Random HardwareFailuresOR

B = Systematic Failures

specification;

systematic hardware;

software;

maintenance;

all failures that are not random

AB

7/28/2019 VUT 6.4.2006-2

37/49

VUT

6.4.2

006

Safety Integrity Level SIL

SAFETY

INTEGRITY

LEVEL

(SIL)

LOW DEMAND MODEOF OPERATION

(Probability of failure

to perform its

designed function on

demand)

CONTINUOUS/HIGHDEMAND MODE OF

OPERATION

(Probability of one

dangerous failure per

hour)

4 >= 10-5

up to < 10-4

>= 10-9

up to < 10-8

h-1

3 >= 10-4

up to < 10-3

>= 10-8

up to < 10-7

h-1

2 >= 10-3

up to < 10-2

>= 10-7

up to < 10-6

h-1

1 >= 10-2

up to < 10-1

>= 10-6

up to < 10-5

h-1

PFD PFH

Probability ofFailure on

Demand

Probability ofFailure per

Hour

Ri k d D t i ti f S f t I t it

7/28/2019 VUT 6.4.2006-2

38/49

VUT

6.4.2

006

38

Risk and Determination of Safety Integrity

Levels

Basic

Design

Unacceptable

No

ProtectionIncrea

sing

Severity

Increasing Likelihood

7/28/2019 VUT 6.4.2006-2

39/49

VUT

6.4.2

006

39

Risk Reduction Requirements

Safety IntegrityLevel

Risk Reduction

1 10-100

2 100 1,000

3 1,000 10,000

4 10,000 100,000

Reliability Failure Rate and Availability at each level

7/28/2019 VUT 6.4.2006-2

40/49

VUT

6.4.2

006

40

Reliability, Failure Rate and Availability at each level

SIL 1

SIL 2

SIL 3

SIL 4

Reliability Probability of

failure on

demand

Trip Unavailable

(per year)

90% - 99% 0.1 to 0.01 876 to 87.6hrs

99% - 99.9% 0.01 to 0.001 87.6 to 8.76hrs

99.9% -

99.99%

0.001 to 0.0001 8.76hrs to 52.6

mins

99.99% -

99.999

%

0.0001 to 0.00001 52.6 mins to 5.3

mins

7/28/2019 VUT 6.4.2006-2

41/49

VUT

6.4.2

006

41

Protective System Technology

Standard components, single channel or twinnon-diverse channelsSIL 1

Standard components, 1 out of 2 or 2 out of 3,

possible need for some diversity. Allowance forcommon-cause failures needed

SIL 2

Multiple channel with diversity on sensing and

actuation. Common-cause failures a major

consideration. Should rarely be required in

Process Industry

SIL 3

Specialist design. Should never be required in

the Process IndustrySIL 4

7/28/2019 VUT 6.4.2006-2

42/49

VUT

6.4.2

006

Determined to achieve the correct SIL level...

7/28/2019 VUT 6.4.2006-2

43/49

VUT

6.4.2

006

Various methods available:

Qualitative risk graph Calibrated risk graph (methodology only

not definitive)

Layer Of Protection Analysis (LOPA)

Hazardous event severity Matrix Quantified Risk Analysis (QRA)

Which one to use? Develop your own?

SIL assessment

7/28/2019 VUT 6.4.2006-2

44/49

VUT

6.4.2

006

Calculation of PFDAVG

35% of PFDAvg SE 15% of PFDAvg LS50% of PFDAvg FE

Distribution of the Failure Measures

35 % Sensors + 15 % Logic solver + 50 % Final elements

PFD fi f HIMA t l

7/28/2019 VUT 6.4.2006-2

45/49

VUT

6.4.2

006

35 % 15% 50%

PFD-figures for a HIMA system, example

7/28/2019 VUT 6.4.2006-2

46/49

VUT

6.4.2

006

RC/AK according DIN V VDE 19250

SIL according IEC 61508

consequence

risk

parameter

minorinjury

no influence

to the environment

possibility

of avoiding

hazardousevents

frequency

& exposure

time

probability of the

unwanted occurrence

very slightrelativelyhigh slight

dead of 1 personrare

frequent

periodic influence

to the environment

dead to

several people

permanent influence

to the environment

disaster

rare

frequent

possible

not

possible

possible

not

possible

requirement

classes

RC or AK

Safety Integrity

Levels (SIL)

IEC 61508

Risk Graph acc. DIN V VDE 19250

C f l f i IEC 61511

7/28/2019 VUT 6.4.2006-2

47/49

VUT

6.4.2

006

Concept of layers of protection acc. IEC 61511

PROCESS

CONTROL and MONITORING

Basic process control systems

Monitoring systems (process alarms)

Operator supervision

PREVENTION

Mechanical protection systemProcess alarms with operator corrective action

Safety instrumented control systems

Safety instrumented prevention systems

MITIGATION

Mechanical mitigation systems

Safety instrumented control systems

Operator supervision

PLANT EMERGENCY RESPONSE

Evacuation procedures

COMMUNITY EMERGENCY RESPONSE

Emergency broadcastingLOPA

Hazardous event severity Matrix

7/28/2019 VUT 6.4.2006-2

48/49

VUT

6.4.2

006

Hazardous event severity Matrix

7/28/2019 VUT 6.4.2006-2

49/49

VUT

6.4.2

006

Funkn bezpenost

st celkov bezpenosti tkajc seEUC a systmu zen EUC zvisl nasprvnm fungovn E/E/EP systm

souvisejcch s bezpenost,systmech souvisejcch s bezpenostzaloench na jinch technickch

principech a vnjch prostedcch prosnen rizika