
exida

Functional Safety Engineering II
SIS Design – SIL Verification

Version 3.24 – September 2006
www.exida.com

Sellersville, PA., USA +1-215-453-1720
Munich, Germany +49-89-4900-0547

SERVICE CENTERS
Australia: +61-3-9734-3886
Canada: +1-519-331-6618
Netherlands: +31-318-414-505
New Zealand: +64-3-472-7707
South Africa: +27-31-266-8414
UK: +44-24-7679-6480
USA (Houston): +1-832-439-3793

Copyright © 2000-2006 exida.com
network of excellence in dependable automation

Areas: Development; Safety Certification; Application Design + Operation
Staff backgrounds: former Development Managers (Siemens Moore); former TÜV Managers; former Safety PLC Product Manager (Siemens); Instrumentation Engineers (UOP, Bayer, Air Products, etc.)
Regions: North America, Europe, Africa, Asia Pacific
exida has extensive experience in automation safety.
• Authored ISA best sellers on automation safety and reliability
• Authored industry databook on equipment failure data
Safety Lifecycle Software Tools - exSILentia
SILect – SIL selection and documentation tool
SILver – SIL design verification and documentation tool
SafetyCaseDB – Safety Case requirements database tool

Training
Courses for CFSE
On-line Training lessons for CFSE
Application Courses – Fire and Gas, BMS, HIPPS

Safety Lifecycle Services
Engineering Process Setup
Hazard and Risk Analysis
SIL Selection and Verification
Course Logistics

• Fire and emergency evacuation procedures
• Course materials & location
– Handouts and course binder
– Exercises, Reference Material and Course Review
• Course attendance & participation
– Certificate of course completion
• Breaks
– Lunch
– Stretch, refreshment, etc.
• Personal belongings


Introduction of Course Participants

Instructor
• Name
• Background/experience
Classmates
• Name, company, position
• Background/experience
• Course objectives?
Course Objectives

Review the fundamental concepts of Statistics, Reliability Engineering
• Data Samples
• Constant Failure Rates
• Bathtub Curve
• Terms
Understand Safety Instrumented System (SIS) failure modes


Course Objectives

Develop an understanding of the Safety Lifecycle (SLC) Design Phase
Review how to implement SIS from requirements specifications
How to do FMEDA (Failure Mode Effects and Diagnostics Analysis)
Safety Integrity Level (SIL) verification calculations
Develop an understanding of the Safety Lifecycle (SLC) Operation and Maintenance Phase


Section 1: Basic Statistics

Sample Data
Histograms
Probability Density Functions
Cumulative Density Functions
Mean-Median


Sample Data

Statistical Variable: Time To Failure, Hours - 30 Systems

System  Hours    System  Hours
1       96       16      1282
2       3091     17      13990
3       4862     18      12751
4       13853    19      2106
5       8339     20      5431
6       614      21      2740
7       1815     22      11460
8       10305    23      6056
9       7499     24      3471
10      1540     25      2414
11      831      26      4348
12      33       27      3886
13      240      28      9270
14      196      29      13351
15      1045     30      409


Censored Data

Data is often grouped into "bins." The 30 failure times from the Sample Data slide, grouped in 1000-hour bins:

Hours         Units  Cum.
0-1000        7      7
1001-2000     4      11
2001-3000     3      14
3001-4000     3      17
4001-5000     2      19
5001-6000     1      20
6001-7000     1      21
7001-8000     1      22
8001-9000     1      23
9001-10000    1      24
10001-11000   1      25
11001-12000   1      26
12001-13000   1      27
13001-14000   3      30
Histogram

(Chart: "Censored Data" – Failed Units, 0 to 8, versus Operational Hours / 1000, bins 1 to 14, plotted from the counts below.)

Hours         Units
0-1000        7
1001-2000     4
2001-3000     3
3001-4000     3
4001-5000     2
5001-6000     1
6001-7000     1
7001-8000     1
8001-9000     1
9001-10000    1
10001-11000   1
11001-12000   1
12001-13000   1
13001-14000   3


Discrete Distributions – pdf

Number of failures (x) per thousand hours - probability of occurrence p(x)

x     1      2      3      4      5      6      7      8      9      10     11     12     13     14
p(x)  0.233  0.133  0.100  0.100  0.067  0.033  0.033  0.033  0.033  0.033  0.033  0.033  0.033  0.100

(Chart: Probability Density Function – p(x), 0 to 0.25, versus X = 1 to 14.)


Discrete Distributions – cdf

Number of failures (x) for thousand hour intervals - probability of occurrence p(x)

(Chart: Cumulative Distribution Function – Cumulative Probability, 0 to 1.2, versus x - Thousands of Hours, 1 to 14.)

Cumulative probability of failure, e.g. probability of failure between 0 and 14000 hours is one.


Mean

Time To Failure, Hours - 30 Systems (the same 30-system data as the Sample Data slide)

Median = (3091+3471)/2 = 3281 Hours
Mean = 4910.8 Hours
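The Section 1 statistics (binning, pdf, cdf, mean and median) worked through in code. This is an added example and not part of the exida deck; it embeds the 30-system time-to-failure sample from the Sample Data slide and reproduces the bin counts, the p(x) values and the mean and median shown above. The function names are the example's own.

```python
# Added example (not from the exida deck): Section 1 statistics on the
# 30-system time-to-failure sample reproduced from the "Sample Data" slide.
from statistics import mean, median

# Time to failure in hours, system number -> hours (copied from the slide).
TTF_HOURS = {
    1: 96, 2: 3091, 3: 4862, 4: 13853, 5: 8339, 6: 614, 7: 1815, 8: 10305,
    9: 7499, 10: 1540, 11: 831, 12: 33, 13: 240, 14: 196, 15: 1045, 16: 1282,
    17: 13990, 18: 12751, 19: 2106, 20: 5431, 21: 2740, 22: 11460, 23: 6056,
    24: 3471, 25: 2414, 26: 4348, 27: 3886, 28: 9270, 29: 13351, 30: 409,
}

BIN_WIDTH = 1000  # hours per bin, as on the "Censored Data" slide


def bin_counts(hours, width=BIN_WIDTH):
    """Group failure times into bins; bin k (1-based) covers ((k-1)*width, k*width].
    Returns the list of counts, index 0 being bin 1 (0-1000 hours)."""
    n_bins = max((h - 1) // width for h in hours) + 1
    counts = [0] * n_bins
    for h in hours:
        counts[(h - 1) // width] += 1
    return counts


def cumulative_counts(counts):
    """Running total per bin (the "Cum." column of the Censored Data slide)."""
    out, running = [], 0
    for c in counts:
        running += c
        out.append(running)
    return out


def pdf(counts):
    """Discrete probability density p(x): fraction of the population failing in bin x."""
    n = sum(counts)
    return [c / n for c in counts]


def cdf(counts):
    """Cumulative distribution: probability of failure by the end of bin x."""
    n = sum(counts)
    return [cum / n for cum in cumulative_counts(counts)]


def central_tendency(hours):
    """Mean and median of the sample; with 30 samples the median is the
    average of the 15th and 16th ordered values."""
    return {"mean": mean(hours), "median": median(hours)}


if __name__ == "__main__":
    hours = list(TTF_HOURS.values())
    counts = bin_counts(hours)
    for x, (c, p, f) in enumerate(zip(counts, pdf(counts), cdf(counts)), start=1):
        print(f"bin {x:2d}: units={c} p(x)={p:.3f} F(x)={f:.3f}")
    print(central_tendency(hours))
```

The bin edges follow the slide's convention (0-1000, 1001-2000, ...), so an exact multiple of 1000 falls into the lower bin.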
Failure Statistics

Statistics are the basis of the failure metrics used in reliability engineering and safety analysis.
• Uncertainty of data
• Applicability of data

(Charts: the Cumulative Distribution Function – Cumulative Probability versus x - Thousands of Hours, 1 to 14; and the Censored Data histogram – Failed Units, 0 to 8, versus Operational Hours / 1000, 1 to 14. Mean = 4910.8 Hours.)


Section 1: Basic Statistics Review

Sample Data
Histograms
Probability Density Functions
Cumulative Density Functions
Mean-Median


Section 2: Basic Reliability Engineering

Failure Rate
Stress-Strength
Wear out / Bathtub Curve
Reliability / Unreliability
Systematic vs Random Failure
Low, High and Continuous Demand
Constant Failure Rate
PFavg


Terms
Random Failures
A failure occurring at a random time, which results from one or more degradation mechanisms.
Systematic Failures
A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors.


Terms
Random Failures
Usually a permanent failure due to a system component loss of functionality – hardware related
Systematic Failures
Usually due to a design fault – wrong component, error in software program, etc.


Systematic Faults
A single systematic fault can cause failure in multiple channels of an identical redundant system.
REDUNDANCY IS NOT A PROTECTION AGAINST SYSTEMATIC FAILURES!
Early example: A bad command was sent into a redundant DCS through a "Foreign Computer Interface." The command caused a controller to lock up trying to interpret the command. The diagnostics detected the failure and forced switchover to a redundant unit. The bad command was sent to the redundant unit which promptly locked up as well.


Systematic Faults
Functional safety standards protect against systematic faults by providing rules, methods and guidelines to prevent design errors. A system successfully using those methods should be relatively free of systematic errors.

exida calls this a WELL DESIGNED SYSTEM


Random vs. Systematic Faults

(Flow diagram:)
Real functional needs → Specification of requirements, design, implementation
– Correct Design → Well Designed System: system is correct. When the function is required, only a random failure can make the system fail.
– Incorrect Design → Systematic Fault. When the function is required, the system is not correct or the execution trajectory hits the incorrectness.
In either case: the system has a failure.


Modes of Operation

IEC 61508            IEC 61511
• Continuous Demand  }
• High Demand        } Continuous Mode
• Low Demand         } Demand Mode


Terms
Low Demand Mode - 61508
Where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency; Part 4, 3.5.12
If the ratio of diagnostic test rate to demand rate exceeds 100, then the subsystem can be treated ... as low demand mode..., Part 2, 7.4.3.2.5 Note 2
...the diagnostic test interval will need to be considered directly in the reliability model if it is not at least an order of magnitude less than the expected demand rate, Part 2, 7.4.3.2.2, Note 3

Many find this confusing – in addition, the one year mark is arbitrary and misleading. Technically the wording in Part 4, 3.5.12 is wrong as the above Notes in other portions of IEC 61508 give examples that express the true intent. The diagnostic test rate (proof test included) must be greater than the demand rate.


Terms

Low Demand Mode – exida definition

The average interval between a dangerous condition (a demand interval) occurs infrequently (example – once per year), the automatic diagnostic testing interval is an order of magnitude lower and the demand interval is greater than 2X the manual proof test interval. [Therefore automatic diagnostics and proof testing can be given credit for risk reduction.]


Terms
High Demand Mode – exida definition
Where the demand interval is less than twice the proof test interval.


Terms – IEC 61511
61511 uses the terms demand mode and continuous mode.
demand mode safety instrumented function: where a specified action (e.g., closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the safety instrumented function a potential hazard only occurs in the event of a failure in the process or the BPCS.

continuous mode safety instrumented function: where in the event of a dangerous failure of the safety instrumented function a potential hazard will occur without further failure unless action is taken to prevent it.
Modes of Operation
Why do you care about modes?

IEC 61511 mode:   Demand Mode                     Continuous Mode                 Continuous Mode
IEC 61508 mode:   Low Demand                      High Demand                     Continuous
Metric:           Use PFDavg table                Use PFH table                   Use PFH table
Proof testing:    Take credit for proof testing   No credit for proof testing     No credit for proof testing
Diagnostics:      Take credit for automatic       Take credit for automatic       No credit for automatic
                  diagnostics                     diagnostics                     diagnostics
Stress - Strength: Failures

All failures occur when stress exceeds the associated level of strength.
Stress is usually a combination of "stressors":
Heat, Humidity, Shock, Vibration, Electrical Surge, Electro-Static Discharge, Radio Frequency Interference, Mis-calibration, Maintenance Errors, Operational Errors


Stress - Strength: Failures

(Chart: probability distributions of Stress and Strength, vertical axis 0.1 to 1.)

Strength varies - with time, with other stress, etc.
Stress also varies with time.
However they can be represented by probability distributions.


Stress - Strength: Failures

(Chart: the Stress and Strength distributions, vertical axis 0.1 to 0.9.)

At some point in time, Strength decreases and the failure rate increases rapidly – this causes wear-out.


Stress - Strength: Failures

(Chart: Failure rate, 0 to 0.025, versus Time, 1 to 801 – high at the start, flat in the middle, rising at the end.)

Stress-strength explains how failure rates vary with time.
Weak units from a production population fail early. This portion of the curve is known as "infant mortality."
When weak units are eliminated from the population stress-strength indicates a steady but declining failure rate.
When strength declines, the failure rate increases significantly.


Stress - Strength: Failures

(Chart: the same failure rate versus time curve, 0 to 0.025 over 1 to 801; the flat middle portion is labelled Constant Failure Rate – failure rate during "Useful Life".)


Failure Rate

Failure Rate – number of failures per unit operating hours.
Failure rate that varies with time
Constant failure rate
Average failure rate over a long period of time
Example: One hundred solenoids are placed into operation. During the first year seven units failed.
What is the average failure rate during the year?
λ = 7 / (100 units * 8760 hrs/year) ?


Failure Rate

Example: One hundred solenoids are placed into operation. During the first year seven units failed.
What is the average failure rate during the year?
Least conservative:
λ = 7 / (100 units * 8760 hrs/year) = 7.99E-06 Failures / Hour
Most conservative:
λ = 7 / (93 units * 8760 hrs/year) = 8.6E-06 Failures / Hour
Failure Rate Equation

λ = Nf / (Ns * t)

Ns = number of successful units at end of time period
Nf = number of failed units at end of time period
Nf = number of failed units during a time period
t = time period (Tn – Tn+1)


Failure Rate Calculation

Time To Failure, Hours - 30 Systems, ordered by operating hours. The first seven intervals:

System  Op.Hours  λ
12      33        = 1/((33-0) Hrs. * 29 Units)    = 0.001045
1       96        = 1/((96-33) Hrs. * 28 Units)   = 0.000567
14      196       = 1/((196-96) Hrs. * 27 Units)  = 0.00037
13      240       = 1/((240-196) Hrs. * 26 Units) = 0.000874
30      409       = 1/((409-240) Hrs. * 25 Units) = 0.000237
6       614       = 1/((614-409) Hrs. * 24 Units) = 0.000203
11      831       = 1/((831-614) Hrs. * 23 Units) = 0.0002

(Chart: Failure Rate, 0 to 0.0012, versus Operating Time Interval (Hrs.), 0 to 1000.)


Failure Rate Calculation

System  Op.Hours  λ (fail/hr)
12      33        0.001045
1       96        0.000567
14      196       0.00037
13      240       0.000874
30      409       0.000237
6       614       0.000203
11      831       0.0002
15      1045      0.000212
16      1282      0.000201
10      1540      0.000194
7       1815      0.000191
19      2106      0.000191
25      2414      0.000191
21      2740      0.000192
2       3091      0.00019
24      3471      0.000188
27      3886      0.000185
26      4348      0.00018
3       4862      0.000177
20      5431      0.000176
23      6056      0.000178
9       7499      8.66E-05
5       8339      0.00017
28      9270      0.000179
8       10305     0.000193
22      11460     0.000216
18      12751     0.000258
29      13351     0.000833
4       13853     0.001992
17      13990     Inf.

Total Average = 0.00035 fail/hr.
Average Middle = 0.0002 fail/hr.
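The interval failure-rate calculation from the two slides above, λ = Nf / (Ns * t) applied to each interval between consecutive failures, as an added example that is not part of the exida deck. It embeds the same 30 failure times and reproduces the per-interval rates, the infinite last value, the total average and the "middle" average. The trim of four intervals at each end for the middle average is the example's own choice, not a figure from the slide.

```python
# Added example (not from the exida deck): interval failure-rate estimate
# lambda_i = Nf / (Ns * t) applied interval by interval to the ordered
# time-to-failure data, reproducing the "Failure Rate Calculation" slides.
import math

# Time to failure in hours for the 30 systems (system 1..30 in order), as on the slide.
TTF_HOURS = [96, 3091, 4862, 13853, 8339, 614, 1815, 10305, 7499, 1540,
             831, 33, 240, 196, 1045, 1282, 13990, 12751, 2106, 5431,
             2740, 11460, 6056, 3471, 2414, 4348, 3886, 9270, 13351, 409]


def interval_failure_rates(hours):
    """Return [(failure_time, rate)] in time order.

    Each interval runs from the previous failure to this one, contains
    exactly one failure (Nf = 1), and Ns is the number of units still
    operating after that failure. The last interval has Ns = 0, so its
    rate is infinite, as the slide shows ("Inf.")."""
    ordered = sorted(hours)
    n = len(ordered)
    rates, previous = [], 0
    for i, t in enumerate(ordered, start=1):
        survivors = n - i
        interval = t - previous
        rate = 1 / (interval * survivors) if survivors else math.inf
        rates.append((t, rate))
        previous = t
    return rates


def average_rate(rates, skip_first=0, skip_last=0):
    """Average of the finite interval rates. Trimming a few intervals at
    each end leaves the flat "useful life" part of the curve (the slide's
    "Average Middle"), excluding infant mortality and wear-out."""
    finite = [r for _, r in rates if math.isfinite(r)]
    kept = finite[skip_first:len(finite) - skip_last]
    return sum(kept) / len(kept)


if __name__ == "__main__":
    rates = interval_failure_rates(TTF_HOURS)
    for t, r in rates:
        print(f"{t:6d} h  {r:.6f}")
    print("total average:", round(average_rate(rates), 5))
    print("middle average (4 trimmed each end):", round(average_rate(rates, 4, 4), 5))
```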


Reliability / Safety Terminology

• Failure Rate – number of failures per unit of time
– Failure rate that varies with time
– Constant failure rate
– Average failure rate over a long period of time
• Probability of Success - the chance that a system will perform its intended function when operated within its specified limits.
Reliability / Safety Terms

• RELIABILITY - the probability of success during an interval of time
• R(t) = P(T>t) where T = Failure Time for an interval 0 - t.

For example: if the probability of successful operation for 1 hour = 0.999, what is the probability of successful operation for one day?
PS(24 hours) = PS(1 hour) * PS(1 hour) * ....
PS(24 hours) = PS(1 hour)^24
PS(24 hours) = 0.976

Hours  PS
1      0.999
2      0.998001
3      0.997003
4      0.996006
5      0.99501
6      0.994015
7      0.993021
8      0.9920279
9      0.9910359
10     0.9900449
11     0.9890548
12     0.9880658
13     0.9870777
14     0.9860906
15     0.9851045
16     0.9841194
17     0.9831353
18     0.9821522
19     0.98117
20     0.9801889
21     0.9792087
22     0.9782295
23     0.9772512
24     0.976274
Reliability / Safety Terminology

• RELIABILITY - the probability of success during an interval of time
• If the example is continued for 2000 hours:
(Chart: Probability of successful operation, 0 to 1.2, versus Operating Time Interval, 0 to 2000 hours.)


Reliability / Safety Terms

• RELIABILITY - the probability of success during an interval of time
• Life Test Reliability Equation
• R(t) = Ns/N
– Ns = number of successful units at the end of each time period
– N = number of units total


Reliability / Safety Terms
• R(t) = Ns/N
– Ns = number of successful units at the end of each time period
– N = number of units total
(Chart: R(t) from the life test data, probability 0 to 1 versus hours 0 to 16000.)


Reliability / Safety Terms
• RELIABILITY - the probability of success during an interval of time
• UNRELIABILITY - the probability of failure during an interval of time
• F(t) = P(T<=t)
• R(t) = 1 - F(t) (complementary events, one failure mode)
(Chart: R(t) and F(t), probability 0 to 1 versus hours 0 to 16000.)


Reliability / Safety Terms

• Failure Rate - Failures per unit time per device.
• Mean Time To Failure (MTTF) - The average successful operating time interval of a system.


CONSTANT FAILURE RATE

λ(t) = λ            Common Assumption - reasonable for the middle of the failure rate curve.
R(t) = e^(-λt)      Even if the failure rate is decreasing (more realistic), this assumption is conservative.
F(t) = 1 - e^(-λt)
MTTF = 1/λ
CONSTANT FAILURE RATE

R(t) = e^(-λt)      F(t) = 1 - e^(-λt)

(Chart: Probability, 0 to 1, versus Time Interval - Mission Time, 1 to 49: F(t) rises from 0 towards 1, R(t) falls from 1 towards 0.)


CONSTANT FAILURE RATE

A Useful Approximation:
F(t) = 1 - e^(-λt)
e^x = 1 + x + x²/2! + x³/3! + x⁴/4! + ....
e^x ≈ 1 + x
e^(-λt) ≈ 1 - λt        F(t) ≈ λt
Alternate Notation:
PF = λt


Unreliability Approximation

(Chart: F(t) ≈ λt, a straight line, and F(t) = 1 - e^(-λt), a curve, vertical axis 0 to 3.5, horizontal axis 1 to 31; the two agree while PF < 0.1.)
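The constant-failure-rate model and the λt approximation from the slides above, plus the 0.999-per-hour reliability example from the Reliability / Safety Terms slide, as an added example that is not part of the exida deck. It shows that R(t) = e^(-λt) reproduces PS(24 h) = PS(1 h)^24 once λ is taken as -ln(0.999), and how the relative error of PF = λt grows with λt, which is why the deck limits the approximation to PF < 0.1. Function names and the sample rates are the example's own.

```python
# Added example (not from the exida deck): the constant-failure-rate model
# and the linear approximation F(t) ~ lambda*t from the slides above,
# plus the "0.999 per hour for 24 hours" reliability example.
import math


def reliability(lam, t):
    """R(t) = e^(-lambda t): probability of no failure in [0, t]."""
    return math.exp(-lam * t)


def unreliability(lam, t):
    """F(t) = 1 - e^(-lambda t): probability of failure in [0, t]."""
    return 1.0 - reliability(lam, t)


def mttf(lam):
    """Mean time to failure for a constant failure rate."""
    return 1.0 / lam


def pf_approx(lam, t):
    """PF = lambda*t, from the truncated series e^-x ~ 1 - x."""
    return lam * t


def approx_relative_error(lam, t):
    """How far lambda*t sits above the exact F(t), relative to F(t).
    The approximation always overestimates (conservative) and the error
    grows roughly like lambda*t/2, hence the slide's PF < 0.1 limit."""
    exact = unreliability(lam, t)
    return (pf_approx(lam, t) - exact) / exact


def failure_rate_from_hourly_success(p_one_hour):
    """Back out lambda from a one-hour probability of success, so that
    PS(24 h) = PS(1 h)^24 and R(24) = e^(-24 lambda) agree."""
    return -math.log(p_one_hour)


def reliability_over_hours(p_one_hour, hours):
    """PS(hours) = PS(1 hour)^hours, the product rule from the slide."""
    return p_one_hour ** hours


if __name__ == "__main__":
    lam = failure_rate_from_hourly_success(0.999)
    print("lambda per hour:", lam)
    print("R(24 h):", round(reliability(lam, 24), 3),
          "product rule:", round(reliability_over_hours(0.999, 24), 3))
    # Constructed rate of 1e-5 per hour; vary t so that lambda*t spans 0.01 .. 1.
    for t in (1_000, 10_000, 100_000):
        print(f"lambda*t={1e-5 * t:.2f}: F={unreliability(1e-5, t):.4f} "
              f"approx={pf_approx(1e-5, t):.4f} "
              f"rel.err={approx_relative_error(1e-5, t):.3f}")
```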


Application Exercise Set 1

Constant Failure Rates - complete the problems
10 minutes


Repairable Systems

What about repairable systems? The measurement "reliability" requires that a system be successful for an interval of time. What is needed for a repairable system is a measure that gives us the probability that it will work successfully in the situation where repair can be done.


Mean Time To Restore

• Mean Time To Failure (MTTF) - The average successful operating time interval of a system.
• Mean Time To Restore (MTTR) - The average failure time interval of a system. Applies only to repairable systems!
• Restore Rate (μ) – Number of restores per time period.
An average over a large number of systems and a large number of failure/restore cycles.

MTTR = 1/μ        μ = 1/MTTR


Mean Time To Restore

• Mean Time To Restore (MTTR) - The average failure time interval of a system.
• MTTR =
– Average Time to detect failure has occurred plus
– Average Time to actually make the repair

Example: If failures are only detected by a periodic inspection and test:
TI = Test Interval
RT = Repair Time
MTTR approx. = TI/2 + RT


Mean Time Between Failures (MTBF)

The average time interval of one failure/restore cycle of a system. Applies only to repairable systems.

MTBF = MTTF + MTTR

(Timeline: alternating TTF and TTR periods; each TBF spans one TTF and the following TTR.)
An average over a large number of systems and a large number of failure/restore cycles.


Availability / Unavailability

• Probability of Success - the chance that a system will perform its intended function when operated within its specified limits.
• AVAILABILITY - the probability of success at a moment in time (allows for past failures, i.e. repairable systems).
• Steady State Availability - steady state/average value.
• UNAVAILABILITY - the probability of failure at a moment in time, steady state/average value.
A = 1 – U (one failure mode)


Reliability / Safety Terms

• AVAILABILITY - the probability of success at a moment in time.
A = f(λ, μ)   failure rates, restore rates
• RELIABILITY - the probability of success for an interval of time (no failure and repair during interval).
R = f(λ, TI=t)   failure rates, time intervals


Availability. Single Failure Mode

(Markov model: state OK → state Fail at failure rate λ, MTTF = 1/λ; state Fail → state OK at constant restore rate μ, MTTR = 1/μ.)


Steady State Availability. Single Failure Mode

(Markov model: OK → Fail at rate λ, Fail → OK at constant restore rate μ. Chart: Probability, 0 to 1, versus Operating Time Interval – Availability A(t) levels off while Reliability R(t) keeps falling.)

If the model is solved for probability of success as a function of operating time interval, eventually the availability model reaches a "steady state" or average value. This represents many failure / restore cycles.


Steady State Unavailability
Single Failure Mode

(Same Markov model. Chart: Probability, 0 to 1, versus Operating Time Interval – Unreliability F(t) keeps rising while Unavailability U(t) levels off.)

If the model is solved for probability of failure as a function of operating time interval, eventually the availability model reaches a "steady state" or average value. This represents many failure / restore cycles.


Availability. Periodic Test and Inspection

This is a different situation which requires different modeling techniques. Steady-state availability will not work.

(Markov model: OK → Fail at rate λ; Fail → OK at rate μ, where μ equals zero between inspections and μ equals one right after an inspection. Charts: Availability, Probability versus time 1 to 40, and Unavailability, Probability 0 to 0.7 versus time 1 to 40, both sawtooth curves that reset every Test/Inspection Interval.)


Availability. Periodic Test and Inspection

An average technique has been defined in IEC 61508. The average of the time dependent values must be calculated.

(Same Markov model – μ equals zero between inspections, μ equals one right after an inspection. Charts: the Availability and Unavailability sawtooth curves versus time 1 to 40, each with its Average drawn as a horizontal line; Test/Inspection Interval marked.)


Availability. Periodic Test and Inspection

Unavailability never reaches steady state in periodic inspection.

(Two Markov models side by side: Steady State Unavailability – OK → Fail at rate λ, Fail → OK at a Constant Restore Rate μ; PFavg – OK → Fail at rate λ, Fail → OK with μ equal to zero between inspections and μ equal to one right after an inspection. Chart axis 1 to 33.)

The average unavailability in a periodic test/inspect situation is not the same as the steady state unavailability! It is a different Markov model with different solution results.
Availability. Periodic Test and Inspection

(Chart: Unavailability, Probability 0 to 0.7 versus time 1 to 40, sawtooth with its Average marked.)

PFavg = (1/T) ∫₀ᵀ PF(t) dt
Approx PF = λTI
Approx PFavg = λTI/2


Simplified Equation PFAVG

PFAVG = λ TI / 2

(Chart: PF(t) rising from zero over each Test period of the Operating time interval; PFAVG is the average level over the Time interval.)


The Effects of Incomplete Testing

Because of incomplete testing the PF never returns to its original value and the risk reduction can be significantly lower.

(Chart: PF(t) versus Operating Time, a sawtooth per test period whose floor rises after every test; PFavg climbs through the IEC61511 bands SIL 4, SIL 3, SIL 2, SIL 1.)


Simplified Equation PFAVG with Incomplete Testing

PFavg = CPT · λ · TI / 2 + (1-CPT) · λ · LT / 2

CPT = Effectiveness of proof test, 0 – 100%
LT = Operational Lifetime of plant

(Chart: PF(t) versus Time interval; each test period removes only the fraction CPT of the accumulated PF.)
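The repairable-system measures from the slides above in code: MTTR with periodic inspection, the steady-state unavailability of the two-state Markov model, PFavg as the average of PF(t) over one test interval compared with the simplified λTI/2, and the incomplete-testing form with CPT and LT. This is an added example and not part of the exida deck; the numeric values (λ = 1e-5 per hour, yearly test, 8-hour repair, 90% proof-test effectiveness, 15-year plant) are constructed for illustration, and the steady-state formula U = λ/(λ+μ) is the standard closed-form solution of the OK/Fail model, not a figure from the slides.

```python
# Added example (not from the exida deck): repairable-system measures from
# the slides above: MTTR with periodic inspection, steady-state unavailability
# of the two-state Markov model, PFavg by averaging PF(t) over the test
# interval, the simplified PFavg = lambda*TI/2, and the incomplete-test form.
import math


def mttr_periodic_inspection(test_interval, repair_time):
    """MTTR ~ TI/2 + RT when failures are only found by periodic test:
    on average the failure waits half a test interval, then is repaired."""
    return test_interval / 2 + repair_time


def steady_state_unavailability(lam, mu):
    """Two-state Markov model OK <-> Fail with constant restore rate mu.
    Long-run U = lambda/(lambda+mu) = MTTR/(MTTF+MTTR); A = 1 - U."""
    return lam / (lam + mu)


def pf_avg_integrated(lam, test_interval, steps=10_000):
    """(1/T) * integral_0^T (1 - e^(-lambda t)) dt by the midpoint rule:
    restore rate zero between tests, PF reset to zero at each test."""
    h = test_interval / steps
    area = sum(1.0 - math.exp(-lam * (k + 0.5) * h) for k in range(steps)) * h
    return area / test_interval


def pf_avg_simplified(lam, test_interval):
    """PFavg ~ lambda*TI/2: the average of the straight line PF(t) = lambda*t."""
    return lam * test_interval / 2


def pf_avg_incomplete_test(lam, test_interval, cpt, lifetime):
    """PFavg = CPT*lambda*TI/2 + (1-CPT)*lambda*LT/2.
    The fraction (1-CPT) of failures the proof test cannot find is only
    cleared at the end of the plant lifetime LT, so it accumulates."""
    return cpt * lam * test_interval / 2 + (1 - cpt) * lam * lifetime / 2


if __name__ == "__main__":
    lam = 1e-5          # constructed dangerous failure rate per hour
    ti = 8760           # one-year proof test interval
    print("MTTR (h), yearly test, 8 h repair:", mttr_periodic_inspection(ti, 8))
    print("steady-state U with 8 h MTTR:", steady_state_unavailability(lam, 1 / 8))
    print("PFavg integrated:", pf_avg_integrated(lam, ti))
    print("PFavg lambda*TI/2:", pf_avg_simplified(lam, ti))
    print("PFavg, 90% effective test, 15-year plant:",
          pf_avg_incomplete_test(lam, ti, 0.9, 15 * 8760))
```

With λTI = 0.0876 the straight-line form overstates the integrated average by about 3%, on the conservative side; the incomplete-test term dominates as soon as the plant lifetime is long compared with the test interval.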


Safety Integrity Levels

Safety Integrity Level   Average probability of failure on demand per year (Low Demand mode of operation)   Risk Reduction Factor
SIL 4                    >=10^-5 to <10^-4                                                                  100000 to 10000
SIL 3                    >=10^-4 to <10^-3                                                                  10000 to 1000
SIL 2                    >=10^-3 to <10^-2                                                                  1000 to 100
SIL 1                    >=10^-2 to <10^-1                                                                  100 to 10


PF analysis

Low Demand Mode –
Proof test counts – therefore PFDavg is a valid concept
Diagnostics count – therefore SFF is a valid measurement

Continuous Demand Mode –
No credit for proof test – use PFH chart
No credit for diagnostics – therefore Lambda D is the primary measurement

"High Demand" mode –
No credit for proof test – use PFH chart
Credit for diagnostics only if they are 10X faster than the "Demand Rate"


Safety Integrity Levels – PFH

Random Failure Probability

Safety Integrity Level   Probability of dangerous failure per hour (Continuous mode of operation)
SIL 4                    >=10^-9 to <10^-8
SIL 3                    >=10^-8 to <10^-7
SIL 2                    >=10^-7 to <10^-6
SIL 1                    >=10^-6 to <10^-5


PF analysis
"High Demand" mode –
PFDavg is not a valid concept
No credit for proof test
Credit for diagnostics only if they are 10X faster than the "Demand Rate"

Example –
A dangerous condition occurs every hour on average. A non-redundant (1oo1) SIF has equipment where the worst case diagnostic time is 24 hours. A proof test is done every week (168 hours). The following failure rates apply:
λDD – 0.0000014 failures per hour
λDU – 0.0000002 failures per hour
To what SIL level does this design qualify?

Safety Integrity Level   Probability of dangerous failure per hour (Continuous mode of operation)
SIL 4                    >=10^-9 to <10^-8
SIL 3                    >=10^-8 to <10^-7
SIL 2                    >=10^-7 to <10^-6
SIL 1                    >=10^-6 to <10^-5
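SIL lookup against the two tables above (PFDavg for low demand, PFH for high and continuous demand) and the high-demand 1oo1 rule of the PF analysis slides, as an added example that is not part of the exida deck. The band boundaries are copied from the tables; the diagnostics rule is the deck's "credit only if 10X faster than the demand rate", implemented here as diagnostic time at most one tenth of the demand interval. The PFH for the 1oo1 case is taken as λDU plus, when diagnostics earn no credit, λDD; that summation and the function names are the example's own reading of the slide.

```python
# Added example (not from the exida deck): SIL lookup from the PFDavg table
# (low demand) and the PFH table (high/continuous demand), and the high-demand
# 1oo1 example above, applying the slide's rule that diagnostics earn credit
# only when they are 10X faster than the demand rate.

# Band boundaries copied from the two tables: (SIL, lower bound inclusive, upper bound exclusive).
SIL_PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
SIL_PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def _lookup(value, bands):
    for sil, low, high in bands:
        if low <= value < high:
            return sil
    return None  # outside the table: worse than SIL 1 or better than SIL 4


def sil_from_pfd_avg(pfd_avg):
    """Low demand mode: classify PFDavg against the per-year table."""
    return _lookup(pfd_avg, SIL_PFD_BANDS)


def sil_from_pfh(pfh):
    """High demand / continuous mode: classify probability of dangerous failure per hour."""
    return _lookup(pfh, SIL_PFH_BANDS)


def risk_reduction_factor(pfd_avg):
    """RRF = 1/PFDavg (the third column of the PFDavg table)."""
    return 1.0 / pfd_avg


def diagnostics_credited(diagnostic_time_h, demand_interval_h):
    """Credit for automatic diagnostics only if the diagnostic rate is at
    least 10X the demand rate, i.e. the diagnostic time is at most one
    tenth of the demand interval."""
    return diagnostic_time_h * 10 <= demand_interval_h


def pfh_1oo1(lam_dd, lam_du, diagnostic_time_h, demand_interval_h):
    """High demand, 1oo1 SIF: proof testing earns no credit. Dangerous
    undetected failures always count; dangerous detected failures count
    too unless the diagnostics are fast enough relative to the demand rate."""
    if diagnostics_credited(diagnostic_time_h, demand_interval_h):
        return lam_du
    return lam_dd + lam_du


if __name__ == "__main__":
    # Values from the slide's example: demand every hour, 24-hour worst-case
    # diagnostic time, weekly proof test (no credit in high demand).
    pfh = pfh_1oo1(lam_dd=0.0000014, lam_du=0.0000002, diagnostic_time_h=24, demand_interval_h=1)
    print("PFH:", pfh, "-> SIL", sil_from_pfh(pfh))
    # Constructed variation: a 1-minute diagnostic would be fast enough to earn credit.
    fast = pfh_1oo1(0.0000014, 0.0000002, diagnostic_time_h=1 / 60, demand_interval_h=1)
    print("PFH with credited diagnostics:", fast, "-> SIL", sil_from_pfh(fast))
    print("PFDavg 0.0438 ->", sil_from_pfd_avg(0.0438), "RRF", round(risk_reduction_factor(0.0438)))
```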
Application Exercise Set 2

Reliability and Availability
Complete the problems
10 minutes


Section 2: Basic Reliability Engineering Review

Stress-Strength, Failure Rate
Wear out / Bathtub Curve
Reliability / Unreliability
Systematic vs Random Failure
Low, High and Continuous Demand
Constant Failure Rate
PFavg


Section 3: System Reliability Engineering

Reliability Block Diagrams
Markov Models
Multiple Failure Modes
Common Cause


Quantitative System Analysis Techniques

System Modeling - We know the Reliability (failure rates) of the components, what is the Reliability of the system?


Quantitative System Analysis Techniques

• Define "what is a failure?"
– Effectively stating, what is included in the model.
• Obtain failure rate on each component failure mode, create a checklist.
• Understand how the system works
– SYSTEM FMEA
– HAZOP.
• Build the model.


Quantitative System Analysis Techniques

• Reliability Block Diagrams
• Simplified Equations
• Fault Tree Diagrams
• Markov Models

(Diagrams: a reliability block diagram with two parallel paths, POWER SUPPLY A → CONTROLLER A and POWER SUPPLY B → CONTROLLER B; and a Markov model with states 0 OK, 1 DDN, 2 DUN, 3 Fail De-Energized and 4 Fail Energized.)


Quantitative System Analysis Techniques

Simplified Equations – Equations derived from one of the techniques listed below.
RBD - Best for Reliability/Availability Analysis. Probability combination method. Takes the "success" view. Confusing when used in multiple failure mode modeling.
FTD – Takes the "failure" view. Probability combination method. Multiple drawings can be used for multiple failure modes. Easy to understand the drawing.
MM – Looks at success and failure on one drawing. Flexible, solved for probabilities as a function of time interval. Few educated in method.
Reliability Block Diagrams
System successful when a path is formed across the drawing
Series System
(Diagram: A AC POWER → B MOTOR)
System operates only if all components operate
Availability (Probability of Success):   AS = AA * AB
Unavailability (Probability of Failure): US = UA + UB – (UA * UB)


Reliability Block Diagrams
Parallel System
(Diagram: POWER SUPPLY A and POWER SUPPLY B in parallel)
System operates if any component operates
Availability (Probability of Success):   AP = AA + AB - AA * AB
Unavailability (Probability of Failure): UP = UA * UB


Reliability Block Diagrams

Series/Parallel
(Diagram: POWER SUPPLY A → CONTROLLER A in parallel with POWER SUPPLY B → CONTROLLER B)
Example:
APS = 0.6
AC = 0.8
(for a one year interval)
ASystem? = (APS*AC) + (APS*AC) – (APS*AC)²
= (0.6*0.8) + (0.6*0.8) – (0.6*0.8)²
= 0.7296
Fault Trees
Series system: AC POWER (A) -> MOTOR (B). System operates only if all components operate.
Fault tree: SYSTEM Fails = OR( AC POWER Fails [U_A], MOTOR Fails [U_B] )
U_S = U_A + U_B - (U_A * U_B)

Fault Trees
Parallel system: POWER SUPPLY A, POWER SUPPLY B. System operates if any component operates.
Fault tree: SYSTEM Fails = AND( POWER SUPPLY A Fails [P_a], POWER SUPPLY B Fails [P_b] )
U_S = U_A * U_B

Fault Trees
Series/parallel: (POWER SUPPLY A -> CONTROLLER A) in parallel with (POWER SUPPLY B -> CONTROLLER B)
SUBSYSTEM X = OR( POWER SUPPLY A, CONTROLLER A )
SUBSYSTEM Y = OR( POWER SUPPLY B, CONTROLLER B )
SYSTEM = AND( X, Y )
U_S = U_X * U_Y

Fault Trees
SUBSYSTEM X = OR( POWER SUPPLY A, CONTROLLER A )
SUBSYSTEM Y = OR( POWER SUPPLY A, CONTROLLER A )
SYSTEM = AND( X, Y )
U_S = U_X * U_Y ?
In any probability combination method be careful to check for "identical events." In an AND gate with identical events as the input, if U_x and U_y are the same event, the probability is U_s = U_x, not U_x * U_x. In an OR gate with two identical events as the input, the output is U_x, not U_x + U_x - U_x * U_x.
Note: setting up a model this way appears to make no sense, but it does happen.
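The fault tree evaluation of the last four slides, as an added example that is not part of the exida course material: a gate-by-gate evaluator (the naive rules a tool applies) next to an exact evaluator that enumerates basic-event states, so the "identical events" trap shows up as a numeric discrepancy. The unavailability values for the power supplies and controllers are constructed for the example.

```python
"""Fault tree evaluation with and without the 'identical events' trap.

Added example, not part of the exida course material. The gate-by-gate
rules from the slides (OR: U_A + U_B - U_A*U_B, AND: U_A*U_B) assume the
gate inputs are independent. When the same basic event feeds both inputs
(subsystem X and subsystem Y both built from POWER SUPPLY A and
CONTROLLER A) the naive rules are wrong. The exact method enumerates
every combination of basic-event states, which is feasible for the
handful of events in the slide examples.
"""
from itertools import product

# A tree is a nested tuple: ("event", name, unavailability),
# ("or", child, child, ...) or ("and", child, child, ...).


def naive(tree):
    """Gate-by-gate combination as a tool would do it when it does not
    check for repeated basic events."""
    kind = tree[0]
    if kind == "event":
        return tree[2]
    probs = [naive(child) for child in tree[1:]]
    if kind == "and":
        u = 1.0
        for p in probs:
            u *= p
        return u
    if kind == "or":
        a = 1.0                       # P(no input is failed)
        for p in probs:
            a *= 1.0 - p
        return 1.0 - a
    raise ValueError(kind)


def basic_events(tree, acc=None):
    """Collect {name: unavailability} for every distinct basic event."""
    acc = {} if acc is None else acc
    if tree[0] == "event":
        acc[tree[1]] = tree[2]
    else:
        for child in tree[1:]:
            basic_events(child, acc)
    return acc


def top_failed(tree, state):
    """Boolean evaluation of the tree for one assignment of event states."""
    kind = tree[0]
    if kind == "event":
        return state[tree[1]]
    results = [top_failed(child, state) for child in tree[1:]]
    return all(results) if kind == "and" else any(results)


def exact(tree):
    """Exact top-event unavailability: sum the probability of every
    state combination in which the top event is true. Repeated events
    are handled correctly because each name gets exactly one state."""
    events = basic_events(tree)
    names = list(events)
    total = 0.0
    for bits in product([False, True], repeat=len(names)):
        state = dict(zip(names, bits))
        p = 1.0
        for name, failed in state.items():
            p *= events[name] if failed else 1.0 - events[name]
        if top_failed(tree, state):
            total += p
    return total


# Constructed unavailabilities for the slide's components.
PS_A = ("event", "POWER SUPPLY A", 0.4)
PS_B = ("event", "POWER SUPPLY B", 0.4)
CTRL_A = ("event", "CONTROLLER A", 0.2)
CTRL_B = ("event", "CONTROLLER B", 0.2)

# X = OR(PS A, CTRL A), Y = OR(PS B, CTRL B), SYSTEM = AND(X, Y)
INDEPENDENT_LEGS = ("and", ("or", PS_A, CTRL_A), ("or", PS_B, CTRL_B))

# Both legs built from the same two events (the 'identical events' slide).
IDENTICAL_LEGS = ("and", ("or", PS_A, CTRL_A), ("or", PS_A, CTRL_A))

if __name__ == "__main__":
    for label, tree in (("independent", INDEPENDENT_LEGS), ("identical", IDENTICAL_LEGS)):
        print(f"{label}: naive={naive(tree):.4f} exact={exact(tree):.4f}")
```

With U_X = 0.4 + 0.2 - 0.08 = 0.52, both evaluators agree on 0.2704 for the independent legs; for the identical legs the naive result stays at 0.2704 while the exact answer is 0.52, exactly the U_s = U_x case the slide warns about.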
Fault Tree Model - PFavg
Problem with some fault tree tools when calculating average probability: they assume

  avg(A * B) = avg(A) * avg(B)

which does not hold when A and B are time-dependent probabilities. Therefore taking the average after any AND logic is the proper sequence for PFavg calculations.
Figure: Solenoid subsystem failure = OR( AND( Solenoid A fails [PF], Solenoid B fails [PF] ), Common Cause Solenoid )

Availability. Periodic Test and Inspection
[Figure: unavailability (0 to 0.7) plotted against time (1 to 40); the probability of failure rises between periodic tests and drops back after each inspection, with the average probability drawn as a horizontal line.]
Remember that:
$$PF_{avg} = \frac{1}{T}\int_0^T PF(t)\,dt$$
Fault Trees – PFDavg
To get a correct answer in any probability combination method of system modeling (RBD and fault trees) one must perform the logic before taking the average.
SYSTEM = AND( Subsystem A [PFD_a], Subsystem B [PFD_b] )

$PF_a(t_i) = \lambda\,t_i$
$PF_b(t_i) = \lambda\,t_i$
Therefore:
$PF_{sys}(t_i) = \lambda^2\,t_i^2$
Continuing:
$$PF_{avg,sys} = \frac{1}{TI}\int_0^{TI} \lambda^2 t_i^2\,dt_i = \frac{1}{TI}\cdot\frac{\lambda^2\,TI^3}{3} = \frac{\lambda^2\,TI^2}{3}$$

Fault Trees – PFDavg
If one calculates PFDavg of each component before the logic:
SYSTEM = AND( Subsystem A [PFD_a], Subsystem B [PFD_b] )
$PFD_a = \lambda_d\,TI$
$PFD_{avg,a} = \lambda_d\,TI/2$
$PFD_{avg,b} = \lambda_d\,TI/2$
Therefore:
$$PFD_{avg,sys} = \frac{\lambda_d^2\,TI^2}{4}$$
The results are optimistic and may result in insufficient safety!
Rather than the correct:
$$PFD_{avg,sys} = \frac{\lambda_d^2\,TI^2}{3}$$
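The two orderings from the last three slides, carried out numerically as an added example (not part of the exida course material): the time-dependent probabilities of the two subsystems are ANDed and then averaged, and separately averaged and then ANDed, using the slide's symbols λ_d and TI.

```python
"""Average-after-logic versus average-before-logic for a 1oo2 AND gate.

Added example, not part of the exida course material. It numerically
integrates the time-dependent probability of failure of the two-subsystem
AND gate from the slides, using the slide's symbols: lambda_d (dangerous
failure rate), TI (proof-test interval) and PF(t) = lambda_d * t for each
subsystem. Averaging each input first gives lambda_d^2 * TI^2 / 4,
averaging the ANDed function gives the correct lambda_d^2 * TI^2 / 3.
"""


def pf_subsystem(lambda_d, t):
    """Linear approximation PF(t) = lambda_d * t used on the slides."""
    return lambda_d * t


def time_average(func, interval, steps=20000):
    """(1/T) * integral_0^T func(t) dt by the midpoint rule."""
    dt = interval / steps
    total = 0.0
    for k in range(steps):
        total += func((k + 0.5) * dt)
    return total * dt / interval


def pfdavg_logic_then_average(lambda_d, ti):
    """Correct order: AND the time functions, then average."""
    return time_average(lambda t: pf_subsystem(lambda_d, t) ** 2, ti)


def pfdavg_average_then_logic(lambda_d, ti):
    """Wrong order: average each input first, then AND the averages."""
    avg_a = time_average(lambda t: pf_subsystem(lambda_d, t), ti)
    avg_b = avg_a                    # identical subsystems on the slide
    return avg_a * avg_b


def closed_form(lambda_d, ti):
    """The slide's analytic results for comparison."""
    return {"correct": lambda_d ** 2 * ti ** 2 / 3,
            "optimistic": lambda_d ** 2 * ti ** 2 / 4}


if __name__ == "__main__":
    # Slide values: lambda_d = 0.02 failures/year, TI = 1 year.
    ld, ti = 0.02, 1.0
    print(f"logic then average : {pfdavg_logic_then_average(ld, ti):.6e}")
    print(f"average then logic : {pfdavg_average_then_logic(ld, ti):.6e}")
    print(closed_form(ld, ti))
```

For λ_d = 0.02/year and TI = 1 year the correct ordering gives 1.33e-4 and the optimistic ordering 1.0e-4, a 25 % understatement of PFDavg that grows with the number of ANDed inputs.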
Markov Models
• Accounts for multiple failure modes on one drawing.
• Models different repair rates for different kinds of failures.
• Qualitatively shows the operation of a fault tolerant system.
• CIRCLES represent combinations of failed and successful components.
• ARCS show the effect of failures and repairs.
[Figure: states 0 OK, 1 DDN, 2 DUN, 3 Fail De-Energized and 4 Fail Energized, connected by failure and repair arcs.]

Markov Models
• Redundancy
• Multiple failure modes
λ = failure rate
μ = system repair rate (replacement)

Markov Models - PFDavg
For PFDavg calculations, a Markov model must be solved for time-dependent PFD and averaged.
[Figure: states 0 OK, 1 Fail-Safe, 2 Degraded Detected, 3 Degraded Undetected and 4 Fail-Danger; failure arcs λ1 to λ7 and repair arcs μ1 to μ3.]
λ1 – λ7 = failure rates
μ1 = repair rate after a shutdown
μ2 = on-line repair of equipment
μ3 = periodic inspection/test; μ3 equals zero between inspections and one after an inspection.
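Solving a Markov model for time-dependent PFD and then averaging, as an added example that is not part of the exida course material. The model is a reduced single-channel version of the state set on the slide (OK, degraded/fail-danger detected with on-line repair μ2, fail-danger undetected cleared only by the proof test μ3); the rates (λ_d = 0.02/yr, C_d = 0.6, 48 h repair, TI = 1 year) are chosen to match the 1oo1 with diagnostics case in the architecture section of the course, and the result is compared with that section's closed form PFDavg = λ_dd·RT + λ_du·TI/2.

```python
"""Solving a small Markov model for time-dependent PFD and averaging it.

Added example, not part of the exida course material. It builds a
discrete-time (one-hour step) Markov model for a single channel with
three states: OK, fail-danger detected (repaired on-line at rate mu2)
and fail-danger undetected (cleared only by the periodic proof test,
i.e. mu3 = 1 at the inspection instant and 0 otherwise). PFD(t) is the
probability of being in a dangerous state; its average over one test
interval is PFDavg. Assumed rates: lambda_d = 0.02/yr, C_d = 0.6,
repair time 48 h, TI = 1 year.
"""

HOURS_PER_YEAR = 8760

OK, DD, DU = 0, 1, 2   # state indices


def transition_matrix(lambda_dd, lambda_du, mu2):
    """Per-hour transition probabilities (rates are small, so a
    first-order discretisation of the continuous chain is adequate)."""
    return [
        [1.0 - lambda_dd - lambda_du, lambda_dd, lambda_du],  # from OK
        [mu2, 1.0 - mu2, 0.0],                                # from DD
        [0.0, 0.0, 1.0],                                      # from DU
    ]


def step(p, m):
    """One Markov step: p_next[j] = sum_i p[i] * m[i][j]."""
    n = len(p)
    return [sum(p[i] * m[i][j] for i in range(n)) for j in range(n)]


def solve_pfd(lambda_d_per_year, c_d, repair_hours, ti_hours):
    """Return (pfd_series, pfdavg) over one proof-test interval."""
    lambda_dd = c_d * lambda_d_per_year / HOURS_PER_YEAR
    lambda_du = (1.0 - c_d) * lambda_d_per_year / HOURS_PER_YEAR
    m = transition_matrix(lambda_dd, lambda_du, 1.0 / repair_hours)
    p = [0.0, 0.0, 0.0]
    p[OK] = 1.0                      # start in OK right after a proof test
    pfd = []
    for _ in range(ti_hours):
        p = step(p, m)
        pfd.append(p[DD] + p[DU])    # dangerous = detected + undetected
    # At ti_hours the proof test (mu3 = 1) would return DU to OK and the
    # next interval would start again from this point.
    return pfd, sum(pfd) / len(pfd)


def closed_form(lambda_d_per_year, c_d, repair_hours, ti_hours):
    """Course approximation PFDavg = lambda_dd*RT + lambda_du*TI/2 (years)."""
    rt = repair_hours / HOURS_PER_YEAR
    ti = ti_hours / HOURS_PER_YEAR
    return c_d * lambda_d_per_year * rt + (1 - c_d) * lambda_d_per_year * ti / 2


if __name__ == "__main__":
    series, avg = solve_pfd(0.02, 0.6, 48, HOURS_PER_YEAR)
    print(f"PFD at end of interval = {series[-1]:.5f}")
    print(f"PFDavg (Markov)        = {avg:.5f}")
    print(f"PFDavg (closed form)   = {closed_form(0.02, 0.6, 48, HOURS_PER_YEAR):.5f}")
```

The Markov average comes out slightly below the closed form because the OK state is depleted as failures accumulate, which the linear approximation ignores; for these rates the difference is in the fifth decimal.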
Failure Modes
Electro-mechanical systems have multiple failure modes! Typically categorized as:
• SAFE
• DANGEROUS

Multiple Failure Modes
For de-energize to trip:
• NORMAL
• SAFE – failed open circuit
• DANGEROUS – failed short circuit

Transmitters
The functional failure modes of each product must be translated to the modes of the SIF. This often depends on the application.
Define modes. Transmitter failure modes (each marked S/D or D on the slide's figure, depending on the application):
• Output saturated hi
• Output saturated lo
• Frozen output
• Indication error hi
• Indication error lo
• Diagnostic failure
Normally Energized Systems - FAIL SAFE
Circuit: Discrete Input -> PLC -> Solid State Output Switch -> LOAD. Result: the system causes a false trip!
• Input circuit fails - the PLC thinks the sense switch is open even when it is closed.
• Logic solver fails to read logic 1 inputs, fails to solve logic, or fails to generate a logic 1 output.
• Output circuit fails open circuit.

Normally Energized Systems - FAIL DANGER
Circuit: Discrete Input -> PLC -> Solid State Output Switch -> LOAD. Result: if there is a demand, the system cannot respond.
• Input circuit fails - the PLC thinks the sense switch is closed even when it is open.
• Logic solver fails to read logic 0 inputs that indicate danger, fails to solve logic, or fails to generate a logic 0 output.
• Output circuit fails short circuit.

Final Element Failure Modes
De-energize to trip application

Instrument Failure Mode                 SIF Failure Mode
Solenoid plunger stuck                  Fail-Danger
Solenoid coil burnout                   Fail-Safe
Actuator shaft failure                  Fail-Danger*
Actuator seal failure                   Fail-Safe
Actuator spring failure                 Fail-Danger
Actuator structure failure - air        Fail-Safe
Actuator structure failure - binding    Fail-Danger*
Valve shaft failure                     Fail-Danger*
Valve external seal failure             No Effect
Valve internal seal damage              Fail-Danger
Valve ball stuck in position            Fail-Danger
* unpredictable - assume worst case
Reliability / Safety Terms
We have defined:
• RELIABILITY - the probability of success during an interval of time
  R(t) = P(T > t), where T = failure time, for an interval 0 - t.
• UNRELIABILITY - the probability of failure during an interval of time
  F(t) = P(T <= t)
• R(t) = 1 - F(t) (complementary events)
What about the probability of failure when there are multiple failure modes, as in Safety Instrumented Systems?

Reliability / Safety Terms
• PFS - Probability of SAFE failure in a system
• PFD - Probability of Failure on Demand (probability of dangerous failure)
• PFDavg - Average Probability of Failure on Demand
• RRF - Risk Reduction Factor
  – RRF = 1/PFDavg
• MTTFS - Mean Time To Failure Spurious (SAFE failure)
• STR – Spurious Trip Rate = 1/MTTFS
• MTTFD - Mean Time To Dangerous Failure

PFS / PFD / PFDavg. Periodic Test and Inspection
$$PF_{avg} = \frac{1}{T}\int_0^T PF(t)\,dt$$
Approx PFS = λ_S * TI
Approx PFD = λ_D * TI
Approx PFDavg = λ_D * TI / 2

Availability - Failure Modes
[Figure: a bar split into PFS (nuisance trip), AVAILABILITY (successful operation) and PFD (unsuccessful operation).]
PFS - Probability of Safe Failure
PFD - Probability of Failure on Demand (Dangerous Failure)
Common Cause
[Figure: redundant Sensor -> Controller channels driving one Final Element, both channels exposed to a common stress.]
Expected system trip rate: 0.0001 /year
Actual system trip rate: 0.0006 /year !!!!!
In many actual installations, reliability performance did not meet calculated predictions. Why?
Common stress failed both units in a redundant system!
Stress – combinations of temperature, humidity, corrosion, shock, vibration, electrical surge, RFI and more.

Common Cause
[Figure: Stress - Strength view of common cause; a stress distribution overlapping the Strength 1 and Strength 2 distributions (probability axis 0.1 to 0.9).]

Common Cause – Beta Model
Beta - the fraction of the failure rate where two or more failures will occur due to the same common stress.
Note: this particular graphical representation of beta was derived for a redundant system with two components. The beta model may be used on systems with more than two components, but care must be taken when choosing the beta number, as it will vary depending on the number of components exposed to the common stress.

Common Cause – Beta Model
λ = λ_independent + λ_common cause
β = λ_cc / λ
Beta represents the fraction of the failure rate where two or more failures will occur due to a common stress.

Common Cause – Beta Model. Example
λ = λ_independent + λ_common cause
λ = 0.02 failures / year
β = 0.05
λ_CC = 0.05 * 0.02 = 0.001 failures / year
λ_I = (1 - 0.05) * 0.02 = 0.019 failures / year
Getting the Beta Number
NASA Space Shuttle Study: β = 0.11
IEC 61508, Part 6, Annex D.6:
• β = 0.005 – 0.05 for programmable electronic equipment
• β = 0.01 – 0.10 for field equipment

Reducing Common Cause
1. Physical separation – redundant units are less likely to see a common stress
2. Diverse technology – redundant units respond differently to a common stress

Common Cause Modeling
Example - Model a redundant power supply
Fault tree: Power Supply System Failure = AND( Power Supply A Fails, Power Supply B Fails )
Markov model: 2 OK --(2λ)--> 1 OK --(λ)--> FAIL

Including Common Cause in a Fault Tree Model
Fault tree without common cause: Power Supply System Failure = AND( Power Supply A Fails, Power Supply B Fails )
Fault tree with common cause: Power Supply System Failure = OR( AND( Power Supply A Fails, Power Supply B Fails ), Common Cause Failure )

Difference due to Common Cause
Fault tree without common cause: System Dangerous Failure = AND( Dangerous Failure A, Dangerous Failure B )
$$PFD_{avg} = \frac{(\lambda_d)^2\,TI^2}{3} = 0.000133$$
Fault tree with common cause (β = 0.05): System Dangerous Failure = OR( AND( Dangerous Failure A, Dangerous Failure B ), Common Cause Dangerous Failure )
$$PFD_{avg} = \frac{(\lambda_{di})^2\,TI^2}{3} + \frac{\lambda_{dcc}\,TI}{2} = 0.000627$$
λ_d = 0.02 failures / year, TI = 1 year, β = 0.05

Common Cause – Beta Model
Example - Model a redundant power supply with COMMON CAUSE
Markov model: 2 OK --(2λ)--> 1 OK --(λ)--> FAIL, plus a direct common cause arc 2 OK --(λ_C)--> FAIL
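The beta-model split and the two fault trees of the redundant power supply example, coded as an added example (not part of the exida course material) with the slide values λ_d = 0.02/yr, TI = 1 year, β = 0.05. The with-common-cause formula as printed on the slide evaluates to about 0.00062, slightly below the rounded 0.000627 quoted there; the penalty factor relative to the no-common-cause tree is the figure a practitioner should carry away.

```python
"""Beta-factor common cause split and its effect on a 1oo2 PFDavg.

Added example, not part of the exida course material. It applies the
beta model from the slides: lambda = lambda_I + lambda_CC with
lambda_CC = beta * lambda, then evaluates the 'with' and 'without'
common-cause fault trees of the redundant power supply example using the
slide's PFDavg formulas (1oo2 AND gate: lambda^2 * TI^2 / 3, single
common cause event: lambda_cc * TI / 2). Slide values: lambda_d =
0.02/yr, TI = 1 year, beta = 0.05.
"""


def beta_split(lambda_total, beta):
    """Return (lambda_independent, lambda_common_cause)."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be a fraction between 0 and 1")
    lambda_cc = beta * lambda_total
    return lambda_total - lambda_cc, lambda_cc


def pfdavg_1oo2_no_cc(lambda_d, ti):
    """Fault tree without common cause: AND of two independent legs."""
    return lambda_d ** 2 * ti ** 2 / 3


def pfdavg_1oo2_with_cc(lambda_d, ti, beta):
    """Fault tree with common cause: OR of the independent AND gate and
    the common cause event. The two terms are added directly because both
    are small, so the OR rule's product term is negligible."""
    lambda_di, lambda_dcc = beta_split(lambda_d, beta)
    return lambda_di ** 2 * ti ** 2 / 3 + lambda_dcc * ti / 2


def cc_penalty(lambda_d, ti, beta):
    """Factor by which PFDavg grows once common cause is modelled."""
    return pfdavg_1oo2_with_cc(lambda_d, ti, beta) / pfdavg_1oo2_no_cc(lambda_d, ti)


if __name__ == "__main__":
    li, lcc = beta_split(0.02, 0.05)
    print(f"lambda_I = {li:.3f}/yr, lambda_CC = {lcc:.3f}/yr")
    print(f"PFDavg without CC = {pfdavg_1oo2_no_cc(0.02, 1):.6f}")
    print(f"PFDavg with CC    = {pfdavg_1oo2_with_cc(0.02, 1, 0.05):.6f}")
    print(f"penalty factor    = {cc_penalty(0.02, 1, 0.05):.1f}")
```

Even a 5 % beta makes the common cause term (λ_dcc·TI/2 = 0.0005) dominate the independent term (0.00012), which is why the slides insist on physical separation and diverse technology before claiming credit for redundancy.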
Application Exercise Set 3
Multiple Failure Modes, Common Cause
Complete the problems: 30 minutes

Section 3: System Reliability Engineering Review
• Reliability Block Diagrams
• Markov Models
• Multiple Failure Modes
• Common Cause

Section 4: FMEA / FMEDA
• FMEA
• FMEA Format
• Diagnostics
• Coverage Factor
• FMEDA
Failure Modes and Effects Analysis (FMEA)
• Systematic procedure designed to find design issues.
• "Bottom-up" technique.
• Entire system analyzed one component/sub-system at a time.
• FMEA standards:
  • MIL STD 1629A, 1984
  • IEC 812, 1985
  • New SAE standard in development to replace 1629A

Failure Modes and Effects Analysis (FMEA)
Procedure:
1. List all components and each failure mode.
2. For each component / failure mode, list the effect of that failure on the higher level sub-system/system.
3. List the criticality / severity of the effect.

Failure Modes and Effects Analysis (FMEA)
EXAMPLE - Cooling System
[Figure: reactor with cooling jacket; cooling water enters through VALVE1 (fail open, FO) and leaves through the drain; temperature switch TSW1 and power supply PS1 control the valve.]
From ISA Book: Control Systems Safety Evaluation and Reliability, W.M. Goble, 1998.

Failure Modes and Effects Analysis (FMEA)
Sample FMEA - Tabular Format (columns 1-9: Name, Code, Function, Mode, Cause, Effect, Criticality, λ, Remarks; the λ column is blank in the sample)

Name          Code    Function          Mode            Cause         Effect      Criticality  Remarks
Cool Tank             water storage     leak            corrosion     lost water  dangerous    consider design change to detect
                                        plugged outlet  dirt          no water    dangerous    second outlet?
Valve         VALVE1  open for coolant  jam closed      dirt, corr.   no water    dangerous    second valve?
                                        fail open       corr., power  false trip  safe
                                        coil open       elec. surge   false trip  safe
                                        coil short      corr., wire   false trip  safe
jacket                path for coolant  leak                          none        none
                                        clog            dirt, corr.   no water    dangerous    small flow in normal operation?
drain pipe            path for coolant  clog            dirt, corr.   no water    dangerous
temp. switch  TSW1    sense overtemp    short                         no cooling  dangerous    two switches?
                                        open            elec. surge   false trip  safe
power supply  PS1     energy for valve  short           maint. er.    false trip  safe
                                        open            many          false trip  safe

Failure Modes and Effects Analysis (FMEA)
Pointers:
1. Be careful about listing all parts.
2. Be careful about listing all known failure modes; refer to failure mode references.
3. Identify each part uniquely.
4. Do not worry about "causes" unless the failure mode turns out to be critical - then list the cause so that it perhaps can be eliminated or reduced in magnitude.
5. FMEAs should be done in groups or reviewed by groups.
Failure Modes, Effects and Diagnostic Analysis (FMEDA)
• Extension of the FMEA technique
• Adds a diagnostic capability column and modes
• When a component / failure mode is detectable, indicate the detection mechanism (and error code).
• First published in 1992*
• Fault injection results documented in chart
*Evaluating Control Systems Reliability and Safety, Goble, ISA, 1992.

FMEDA
[Figure: a COMPONENT DATABASE (component λ's, failure modes, failure mode distribution) feeds the FMEDA, which yields the product λ and the diagnostic coverage.]
• Using a component database, failure rates and failure modes for a product (transmitter, I/O module, solenoid, actuator, valve) can be determined far more accurately than with only field warranty failure data.

Multiple Failure Modes
• An FMEDA will identify and quantify failure rates into applicable categories of failure modes.
λ = λ_S + λ_D + λ_A
• SAFE – failures that cause the SIF to falsely trip in a single channel configuration.
• DANGEROUS – failures that prevent the SIF from performing its safety function in a single channel configuration.
• ANNUNCIATION – failures that prevent a diagnostic function from performing (per IEC 61508 these are classified as "safe").
• Others??

Multiple Failure Modes
λ = λ_S + λ_D
%Safe = λ_S / (λ_S + λ_D)
λ_S = %Safe * λ
λ_D = (1 - %Safe) * λ
Diagnostics
Automatic diagnostics allow:
• Quick repair of failed units - reduces time operating in a degraded condition.
• Conversion of dangerous failures to safe failures with series-wired diagnostic cutoff switches.
Diagnostic capability is measured by "C = Coverage Factor," the percentage of failures that will be detected.
C_S = Coverage Factor for Safe Failures
C_D = Coverage Factor for Dangerous Failures

Diagnostics
• An FMEDA will analyze the capability of any automatic diagnostic or manual proof test.
• Diagnostic coverage of automatic diagnostics can be accurately estimated.
  – C_S = 82.4%
  – C_D = 93.2%
• Proof test effectiveness can be accurately estimated.

Four categories of failure rates
λ_SD = C_S * λ_S
λ_SU = (1 - C_S) * λ_S
λ_DD = C_D * λ_D
λ_DU = (1 - C_D) * λ_D

Failure Modes, Effects and Diagnostic Analysis (FMEDA)
Conventional PLC Diagnostics
[Figure: conventional PES input circuit - AC input Vin through 1K and 200K resistors (V1, V2), diodes D1 and D2, 10K resistors and opto-coupler OC1 to the isolated +5V side.]
From ISA Book: Control Systems Safety Evaluation and Reliability, W.M. Goble, 1998.
Failure Modes, Effects and Diagnostic Analysis (FMEDA)
FMEDA for Conventional PES Input Circuit (failure rates in FIT = failures per billion hours; Criticality 1 = Safe, 0 = Dang.)

Component   Mode         Effect            Crit.    FIT    Safe    Dang.  Det.  Diagnostic       Safe Covered  Dang. Covered
R1 - 1K     short        loose filter      1 Safe   0.13   0.125   0      0                      0             0
            open         read logic 0      1 Safe   0.5    0.5     0      1     read input open  0.5           0
C1 - 0.18   short        read logic 0      1 Safe   2      2       0      0                      0             0
            open         loose filter      1 Safe   0.5    0.5     0      0                      0             0
R2 - 200K   short        overvoltage       0 Dang.  0.13   0       0.13   0                      0             0
            open         read logic 0      1 Safe   0.5    0.5     0      1     read input open  0.5           0
R3 - 10K    short        read logic 0      1 Safe   0.13   0.125   0      0                      0             0
            open         overvoltage       0 Dang.  0.5    0       0.5    0                      0             0
D1          short        read logic 0      1 Safe   2      2       0      0                      0             0
            open         blow out circuit  0 Dang.  5      0       5      0                      0             0
D2          short        read logic 1      0 Dang.  2      0       2      0                      0             0
            open         blow out circuit  0 Dang.  5      0       5      0                      0             0
OC1         led dim      no light          1 Safe   28     28      0      0                      0             0
            tran. short  read logic 1      0 Dang.  19     0       19     0                      0             0
            tran. open   read logic 0      1 Safe   5      5       0      0                      0             0
R4 - 10k    short        read logic 0      1 Safe   0.13   0.125   0      0                      0             0
            open         read logic 1      0 Dang.  0.5    0       0.5    0                      0             0
Total failure rates                                 71     38.88   32.1                          1             0
Safe Coverage 0.0257
Dangerous Coverage 0
From ISA Book: Control Systems Safety Evaluation and Reliability, W.M. Goble, 1998.

Failure Modes, Effects and Diagnostic Analysis (FMEDA)
Safety Rated PES Input Circuit
[Figure: safety rated PES input circuit schematic.]
From ISA Book: Control Systems Safety Evaluation and Reliability, W.M. Goble, 1998.

Failure Modes, Effects and Diagnostic Analysis (FMEDA)
FMEDA for Safety Rated Input Circuit (failure rates in FIT; Criticality 1 = Safe, 0 = Dang.)

Component   Mode         Effect            Crit.    FIT    Safe    Dang.  Det.  Diagnostic         Safe Covered  Dang. Covered
R1 - 10K    short        Threshold shift   1 Safe   0.13   0.125   0      0                        0             0
            open         open circuit      1 Safe   0.5    0.5     0      1     loose input pulse  0.5           0
R2 - 100K   short        short input       1 Safe   0.13   0.125   0      1     loose input pulse  0.125         0
            open         Threshold shift   1 Safe   0.5    0.5     0      0                        0             0
D1          short        overvoltage       1 Safe   2      2       0      1     loose input pulse  2             0
            open         open circuit      1 Safe   5      5       0      1     loose input pulse  5             0
D2          short        overvoltage       1 Safe   2      2       0      1     loose input pulse  2             0
            open         open circuit      1 Safe   5      5       0      1     loose input pulse  5             0
OC1         led dim      no light          1 Safe   28     28      0      1     Comp. mismatch     28            0
            tran. short  read logic 1      0 Dang.  10     0       10     1     Comp. mismatch     0             10
            tran. open   read logic 0      1 Safe   6      6       0      1     Comp. mismatch     6             0
OC2         led dim      no light          1 Safe   28     28      0      1     Comp. mismatch     28            0
            tran. short  read logic 1      0 Dang.  10     0       10     1     Comp. mismatch     0             10
            tran. open   read logic 0      1 Safe   6      6       0      1     Comp. mismatch     6             0
R3 - 100K   short        loose filter      1 Safe   0.13   0.125   0      0                        0             0
            open         input float high  0 Dang.  0.5    0       0.5    1     Comp. mismatch     0             0.5
R4 - 10K    short        read logic 0      1 Safe   0.13   0.125   0      1     Comp. mismatch     0.125         0
            open         read logic 1      0 Dang.  0.5    0       0.5    1     Comp. mismatch     0             0.5
R5 - 100K   short        loose filter      1 Safe   0.13   0.125   0      0                        0             0
            open         input float high  0 Dang.  0.5    0       0.5    1     Comp. mismatch     0             0.5
R6 - 10K    short        read logic 0      1 Safe   0.13   0.125   0      1     Comp. mismatch     0.125         0
            open         read logic 1      0 Dang.  0.5    0       0.5    1     Comp. mismatch     0             0.5
C1          short        read logic 0      1 Safe   2      2       0      1     Comp. mismatch     2             0
            open         loose filter      1 Safe   0.5    0.5     0      0                        0             0
C2          short        read logic 0      1 Safe   2      2       0      1     Comp. mismatch     2             0
            open         loose filter      1 Safe   0.5    0.5     0      0                        0             0
Total failure rates                                 111    88.75   22                             86.875        22
Safe Coverage 0.9789
Dangerous Coverage 1
From ISA Book: Control Systems Safety Evaluation and Reliability, W.M. Goble, 1998.
Diagnostic Coverage
• Conventional input circuit
  – C_S = 0.0257
  – C_D = 0.0000
• Safety rated input circuit
  – C_S = 0.9789
  – C_D = 1 (no known dangerous undetected)

Failure Modes, Effects and Diagnostic Analysis (FMEDA)
PROVIDES:
• IEC 61508 Safe Failure Fraction
• Coverage factors: C_D, C_S
• Failure rates: λ_S, λ_D, λ_SD, λ_SU, λ_DD, λ_DU
Needed for SIL verification.

IEC61508/IEC61511 Safe Failure Fraction
$$SFF = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$$
SFF is defined as the ratio of the average rate of safe failures plus dangerous detected failures of the subsystem to the total average failure rate of the subsystem.

IEC61508/IEC61511 Safe Failure Fraction
$$SFF = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$$
SFF is a measurement not dependent on failure rate.
%Safe = λ_S / (λ_S + λ_D)
λ_D = (1 - %Safe) * λ
λ_DD = C_D * λ_D
SFF = %Safe + (1 - %Safe) * C_D
Safe Failure Fraction – Product Types
TYPE A – "A subsystem can be regarded as type A if, for the components required to achieve the safety function
a) the failure modes of all constituent components are well defined; and
b) the behavior of the subsystem under fault conditions can be completely determined; and
c) there is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met."
TYPE B – everything else!
IEC 61508, Part 2, Section 7.4.3.1.2

IEC61508 Safe Failure Fraction
TYPE A Subsystem

Safe Failure Fraction   Hardware Fault Tolerance
                        0          1          2
< 60 %                  SIL 1      SIL 2      SIL 3
60 % - < 90 %           SIL 2      SIL 3      SIL 4
90 % - < 99 %           SIL 3      SIL 4      SIL 4
>= 99 %                 SIL 3      SIL 4      SIL 4

NOTE A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.

IEC61508 Safe Failure Fraction
TYPE B Subsystem

Safe Failure Fraction   Hardware Fault Tolerance
                        0            1          2
< 60 %                  Not allowed  SIL 1      SIL 2
60 % - < 90 %           SIL 1        SIL 2      SIL 3
90 % - < 99 %           SIL 2        SIL 3      SIL 4
>= 99 %                 SIL 3        SIL 4      SIL 4

NOTE A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.
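The FMEDA roll-up from the four failure-rate categories through the coverage factors and SFF to the Type A / Type B architectural constraint tables, as an added example that is not part of the exida course material or of the cited ISA book. The rows of the conventional PES input circuit FMEDA are transcribed from the slide as constructed input data; the safety-rated circuit's totals (λ_S = 88.75 FIT, λ_D = 22 FIT, C_D = 1) serve as a second check.

```python
"""FMEDA roll-up: coverage factors, safe failure fraction and the
IEC 61508 architectural constraint lookup.

Added example, not part of the exida course material. It sums the
conventional PES input circuit FMEDA rows shown on the slides (failure
rates in FIT, transcribed here as constructed input data) into the four
failure-rate categories, derives C_S, C_D and SFF, checks the identity
SFF = %Safe + (1 - %Safe) * C_D, and looks up the highest SIL the
Type A / Type B tables allow for a given hardware fault tolerance.
"""

# (component, mode, FIT_safe, FIT_dangerous, detected) for the
# conventional input circuit. 'detected' marks rows the diagnostic covers.
CONVENTIONAL_ROWS = [
    ("R1 - 1K", "short", 0.125, 0.0, False),
    ("R1 - 1K", "open", 0.5, 0.0, True),
    ("C1 - 0.18", "short", 2.0, 0.0, False),
    ("C1 - 0.18", "open", 0.5, 0.0, False),
    ("R2 - 200K", "short", 0.0, 0.13, False),
    ("R2 - 200K", "open", 0.5, 0.0, True),
    ("R3 - 10K", "short", 0.125, 0.0, False),
    ("R3 - 10K", "open", 0.0, 0.5, False),
    ("D1", "short", 2.0, 0.0, False),
    ("D1", "open", 0.0, 5.0, False),
    ("D2", "short", 0.0, 2.0, False),
    ("D2", "open", 0.0, 5.0, False),
    ("OC1", "led dim", 28.0, 0.0, False),
    ("OC1", "tran. short", 0.0, 19.0, False),
    ("OC1", "tran. open", 5.0, 0.0, False),
    ("R4 - 10k", "short", 0.125, 0.0, False),
    ("R4 - 10k", "open", 0.0, 0.5, False),
]


def four_categories(rows):
    """Return lambda_SD, lambda_SU, lambda_DD, lambda_DU (FIT)."""
    sd = su = dd = du = 0.0
    for _, _, safe, dang, detected in rows:
        if detected:
            sd += safe
            dd += dang
        else:
            su += safe
            du += dang
    return sd, su, dd, du


def coverage(sd, su, dd, du):
    """C_S = lambda_SD / lambda_S and C_D = lambda_DD / lambda_D."""
    c_s = sd / (sd + su) if sd + su else 0.0
    c_d = dd / (dd + du) if dd + du else 0.0
    return c_s, c_d


def sff(sd, su, dd, du):
    """Safe failure fraction as defined in IEC 61508."""
    return (sd + su + dd) / (sd + su + dd + du)


def sff_from_percent_safe(lambda_s, lambda_d, c_d):
    """Equivalent slide form SFF = %Safe + (1 - %Safe) * C_D."""
    pct_safe = lambda_s / (lambda_s + lambda_d)
    return pct_safe + (1 - pct_safe) * c_d


# Architectural constraints: (upper SFF bound, SIL for HFT 0, 1, 2).
# None means 'not allowed'. The last bound is a sentinel for SFF >= 99 %.
_SIL_TABLE = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))],
    "B": [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))],
}


def max_sil(subsystem_type, sff_value, hft):
    """Highest SIL claimable for the subsystem from its SFF and HFT."""
    for upper, sils in _SIL_TABLE[subsystem_type]:
        if sff_value < upper:
            return sils[hft]
    raise ValueError("SFF must be a fraction between 0 and 1")


if __name__ == "__main__":
    cats = four_categories(CONVENTIONAL_ROWS)
    c_s, c_d = coverage(*cats)
    print(f"lambda_SD, SU, DD, DU = {cats}")
    print(f"C_S = {c_s:.4f}, C_D = {c_d:.4f}, SFF = {sff(*cats):.4f}")
    print(f"Type B, HFT 0 -> {max_sil('B', sff(*cats), 0)}")
```

For the conventional circuit the SFF comes out near 55 %: as a Type B subsystem with no hardware fault tolerance it may not be used at all, and even as Type A it is limited to SIL 1, whereas the safety-rated circuit's C_D = 1 gives SFF = 100 % and SIL 3 at HFT 0.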
Application Exercise Set 4
Safe Failure Fraction / Failure Rates / Coverage Factors
Complete the problems: 15 minutes

Section 4: FMEA / FMEDA Review
• FMEA
• FMEA Format
• Diagnostics
• Coverage Factor
• FMEDA
• SFF
See additional exida.com course: FMEA / FMEDA Analysis, www.exida.com

Section 5: Functional Safety Management
• Management of Functional Safety
• Quality System
• Planning, people and paperwork
• Benefits

What is Functional Safety Management?
IEC61508 defines functional safety as:
"part of the overall safety relating to the equipment under control (EUC) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities."
In more approachable terms: functional safety management governs equipment and process safety activities involving safety systems.
THE PURPOSE IS TO REDUCE THE POSSIBILITY OF A SYSTEMATIC FAULT!
Functional Safety and the Safety Lifecycle
[Figure: IEC 61508 overall safety lifecycle; Management of Functional Safety, Functional Safety Assessment, Documentation and Verification run alongside every phase.]
1. Concept
2. Overall scope definition
3. Hazard and risk analysis
4. Overall safety requirements
5. Safety requirements allocation
6. Overall operation and maintenance planning
7. Overall safety validation planning
8. Overall installation and commissioning planning
9. SRS E/E/PES realization
12. Overall installation and commissioning
13. Overall safety validation
14. Overall operation, maintenance and repair
15. Overall modification and retrofit (back to appropriate overall safety lifecycle phase)
16. Decommissioning or disposal

Functional Safety Management Objectives
– Specify management and technical activities during the Safety Lifecycle to achieve and maintain functional safety
– Specify responsibilities of persons and organizations
– Extend an existing and monitored quality system
– Plan, execute, measure and improve
61508 and 61511 Versions of FSM
– Since FSM focuses on procedures, the standards provide a good reference
– 61508 covers everything including safety system hardware and software development
  – Part 1 Clause 6 lays out details of FSM
  – Broad coverage can make application challenging
– 61511 focuses on the process owners and safety system users
  – Part 1 Clause 5 lays out details of FSM
  – Narrower coverage makes application more manageable

Key Issues
Functional Safety Management
• Safety planning – create a FSM Plan
• Roles and responsibilities
• Personnel competency
• Documentation, documentation control
• Functional safety verification and assessment
• Documented processes

A FSM Plan describes the Safety Lifecycle
[Figure: loop of Analyze (hazard analysis / risk assessment: define design targets) -> Design (execute HW and SW design) -> Verify (evaluate design: reliability analysis of safety integrity and availability; modify if not OK) -> Operate and Maintain, with a Document step after each stage.]

Components of a FSM Plan
Steps and sequence of work activities
– Roles and responsibilities
– Personnel competency
– Documentation structure
– Verification tasks for each step
– Safety Requirements Specification development plan
– Design guidelines and methods
– Verification and Validation plans
– Operation and maintenance guidelines
– Management of Change procedures
– Functional safety assessment plan

Roles and Responsibilities
• Must be clearly delineated and communicated
• Each phase of the SLC and its associated activities
• One of the specifically noted primary objectives of functional safety management

Personnel Competency
– Ensure that staff "involved in any of the overall or software SLC activities are competent"
– Addressed specifically in Annex A, IEC61508
– Training, experience, and qualifications should all be assessed and documented
  – System engineering knowledge
  – Safety engineering knowledge
  – Legal and regulatory requirements knowledge
– More critical for novel systems or high SIL requirements
Certified Functional Safety Expert (CFSE) Program
• Operated by the CFSE Governing Board
  – To improve the skills and formally establish the competency of those engaged in the practice of safety system application in the process and manufacturing industries.
• Certification audited by TÜV SÜD

Certified Functional Safety Expert (CFSE) Program
• Types of exams
  – Application – Process Industries
  – Application – Machine Industries
  – Developer – Software
  – Developer – Hardware

Certified Functional Safety Expert (CFSE) Program
Resources available:
• On-line training
• Study guide
• Reference books

Documentation Objectives
What needs to be documented?
Any information needed to effectively perform:
• Each phase of the safety lifecycle
• Management of functional safety
• Verification and validation
• Functional safety assessment

IEC 61511 Functional Safety Assessment
• Does the safety system meet spec and actually achieve functional safety (freedom from unacceptable risk)?
• Independent team; one competent senior person not involved in the design as a minimum
• Should be performed after the stages below and MUST be done at least at stage 3
  – Stage 1 – After hazard and risk assessment and safety requirements specification
  – Stage 2 – After SIS design
  – Stage 3 – After commissioning and validation (before the hazard is present)
  – Stage 4 – After experience in operation and maintenance
  – Stage 5 – After modification

Application Exercise Set 5
Functional Safety Management
Complete the problems: 15 minutes

Section 5: Functional Safety Management Review
• Management of Functional Safety
• Quality System
• Planning, people and paperwork
• Benefits
Section 6: Redundant Architectures
• Basic Architectures
• Comparison
• Advanced Architectures
• Diagnostics and Common Cause

Basic Architectures
[Figure: design loop - Select Technology (how much?) -> Select Architecture (what kind of redundancy? 1oo1, 1oo2, 2oo3, 1oo1D, 1oo2D) -> Determine Test Philosophy -> Reliability Evaluation -> Performance Target Met? (No: back to Select Architecture; Yes: proceed).]

Simplified Equations

Voting   Average probability of failure on demand (PFDavg)   Spurious trip rate (STR)
1oo1     λ_d * T / 2                                          λ_s
1oo2     (λ_d)² * T² / 3                                      2 λ_s
2oo2     λ_d * T                                              2 λ_s² / (3 λ_s + 2/T)
2oo3     (λ_d)² * T²                                          6 λ_s² / (5 λ_s + 2/T)
Safety System Design: Select Architecture Redundancy
λ_s = 0.01 failures / year
λ_d = 0.02 failures / year
TI = 1 year
1oo1: Sensor -> Controller -> Final Element (single channel)
STR = λ_s; PFDavg = λ_d * T / 2

Voting   STR           PFDavg (Dangerous)
1oo1     0.01 /year    0.01
Using the simple approximation equations. No diagnostics.

1oo2 Architecture – Redundancy for Safety
Two Sensor -> Controller channels; either one can trip the output.
STR = 2 λ_s; PFDavg = (λ_d)² * T² / 3

Voting   STR           PFDavg (Dangerous)
1oo1     0.01 /year    0.01
1oo2     0.02 /year    0.00013
Using simple approximation formulas. No common cause, no diagnostics.

2oo2 Architecture – Redundancy to reduce false trips
Two Sensor -> Controller channels; both must agree to trip the output.
STR = 2 λ_s² / (3 λ_s + 2/T); PFDavg = λ_du * T

Voting   STR           PFDavg (Dangerous)
1oo1     0.01 /year    0.01
1oo2     0.02 /year    0.00013
2oo2     0.0001 /year  0.02
Using simple approximation formulas. No common cause, no diagnostics.

2oo3 – Redundancy to reduce both failure modes
[Figure: three channels A, B and C, each Sensor -> Input Circuit -> Logic Solver (MP, common circuitry) -> Output Circuits 1 and 2; the output circuits are wired as a 2oo3 voting circuit driving the output.]

Voting   STR           PFDavg (Dangerous)
1oo1     0.01 /year    0.01
1oo2     0.02 /year    0.00013
2oo2     0.0001 /year  0.02
2oo3     0.0003 /year  0.0004
Using simple approximation formulas - no common cause, no diagnostics.
Diagnostics

Diagnostics enable on-line repair and enable automatic shutdown. Credit for diagnostics can only be taken if the system has good annunciation / repair or automatic shutdown.

This can have a strong positive impact on PFDavg, STR and controller availability – in all architectures but especially in redundant architectures.

Diagnostic capability is measured by “C = Coverage Factor”, the percentage of failures that will be detected.
Cs = Coverage Factor for Safe Failures
Cd = Coverage Factor for Dangerous Failures
1oo1 Architecture - Diagnostics

λs = 0.05 failures / year
λd = 0.02 failures / year
T = 1 year
Cs, Cd = 0 to 0.6

1oo1: Sensor, Controller, Final Element

This architecture will not automatically shut down on a detected failure. Therefore repair time is a variable in the PFDavg equation.

PFDavg = (λdd * RT) + (λdu * T/2)

Architecture   STR          PFDavg (Dangerous)
1oo1           0.05 /year   0.01      no diagnostics
1oo1           0.05 /year   0.004     with Cd = 0.6

Using fault trees: average repair time equals 48 hours, inspection period equals 1 year, diagnostic coverage factors = 0.6, no common cause.
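As an added example (not part of the exida course material), the following Python carries the simplified approximation formulas from the 1oo1, 1oo2, 2oo2 and 2oo3 slides and the 1oo1-with-diagnostics equation through to the table values quoted above. The 2oo3 PFDavg form, the use of 8760 h/year and the split λdd = Cd λd are this example's assumptions.

```python
"""Simplified approximation formulas for SIS architectures (added example).

Units: failure rates in failures/year, proof-test interval T in years,
repair time RT in hours. No common cause is modelled, as on the slides.
"""
HOURS_PER_YEAR = 8760  # assumption: one year of operation is 8760 h


def pfd_1oo1(lambda_d, T):
    """1oo1: PFDavg = λd * T/2 (single channel, no diagnostics)."""
    return lambda_d * T / 2


def str_1oo1(lambda_s):
    """1oo1: every safe failure trips the process, so STR = λs."""
    return lambda_s


def pfd_1oo2(lambda_d, T):
    """1oo2: PFDavg = (λd T)^2 / 3, both channels must fail dangerously."""
    return (lambda_d * T) ** 2 / 3


def str_1oo2(lambda_s):
    """1oo2: either channel tripping trips the system, so STR = 2 λs."""
    return 2 * lambda_s


def pfd_2oo2(lambda_d, T):
    """2oo2: PFDavg = λdu * T, either dangerous failure disables the trip."""
    return lambda_d * T


def str_2oo2(lambda_s, T):
    """2oo2: STR = 2 λs^2 / (3 λs + 2/T), the form shown on the 2oo2 slide."""
    return 2 * lambda_s ** 2 / (3 * lambda_s + 2 / T)


def pfd_2oo3(lambda_d, T):
    """2oo3: PFDavg ≈ (λd T)^2. The slide gives only the numeric result;
    this standard simplified form is an assumption and reproduces 0.0004."""
    return (lambda_d * T) ** 2


def pfd_1oo1_with_diagnostics(lambda_d, T, coverage_d, repair_hours):
    """1oo1 with diagnostics but no automatic shutdown:
    PFDavg = λdd * RT + λdu * T/2, with λdd = Cd λd and λdu = (1 - Cd) λd."""
    lambda_dd = coverage_d * lambda_d
    lambda_du = (1 - coverage_d) * lambda_d
    return lambda_dd * repair_hours / HOURS_PER_YEAR + lambda_du * T / 2


def architecture_table(lambda_s, lambda_d, T):
    """(STR, PFDavg) for the four basic architectures; 2oo3 STR is not given
    on the slides, so it is reported as None rather than guessed."""
    return {
        "1oo1": (str_1oo1(lambda_s), pfd_1oo1(lambda_d, T)),
        "1oo2": (str_1oo2(lambda_s), pfd_1oo2(lambda_d, T)),
        "2oo2": (str_2oo2(lambda_s, T), pfd_2oo2(lambda_d, T)),
        "2oo3": (None, pfd_2oo3(lambda_d, T)),
    }


if __name__ == "__main__":
    # Slide values: λs = 0.01/yr, λd = 0.02/yr, TI = 1 year
    for arch, (s, pfd) in architecture_table(0.01, 0.02, 1.0).items():
        s_txt = "n/a" if s is None else f"{s:.4g} /year"
        print(f"{arch}: STR = {s_txt:<14} PFDavg = {pfd:.2g}")
    # Diagnostics slide: λd = 0.02/yr, RT = 48 h, Cd = 0.6 and 0.95
    for cd in (0.6, 0.95):
        pfd = pfd_1oo1_with_diagnostics(0.02, 1.0, cd, 48)
        print(f"1oo1 with Cd = {cd}: PFDavg = {pfd:.3g}")
```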
New Generation Architectures

Automatic diagnostics, made effective via microprocessor power starting in the late 1980’s, led to new architectures based on reconfiguration of the system after a diagnostic has detected a failure. Commercial implementations of these newer designs have proven effective in providing low PFDavg and low STR.

[Diagram: block diagrams of the 1oo1D, 2oo2D and 1oo2D architectures. Each channel consists of Sensor, Input Circuit, Logic Solver (MP, common circuitry), Output Circuit and Actuator / Final Element, with Diagnostic Circuit(s) able to switch the output]
New Generation Architectures – 1oo1D

[Diagram: 1oo1D channel: Sensor, Input Circuit, Logic Solver (MP, common circuitry), Output Circuit, Actuator / Final Element, with Diagnostic Circuit(s) controlling a second output switch]

Architecture   STR           PFDavg (Dangerous)
1oo1           0.05 /year    0.00406    Cd = 0.6
1oo1D          0.062 /year   0.004      Cd = 0.6
1oo1           0.05 /year    0.0006     Cd = 0.95
1oo1D          0.069 /year   0.0005     Cd = 0.95

Using fault trees: average repair time equals 48 hours, inspection period equals 1 year, no common cause.
New Generation Architectures – 2oo2D

[Diagram: 2oo2D: two channels, each with Sensor, Input Circuit, Logic Solver (MP, common circuitry), Output Circuit and Diagnostic Circuit(s), driving a common Actuator / Final Element]

Architecture   STR             PFDavg (Dangerous)
1oo1           0.05 /year      0.0006
2oo3           0.00043 /year   0.00000094
1oo1D          0.069 /year     0.0005
2oo2D          0.00021 /year   0.001

Using fault trees: average repair time equals 48 hours, inspection period equals 1 year, diagnostic coverage factors = 0.95, no common cause.
New Generation Architectures – 1oo2D

Architecture   STR             PFDavg (Dangerous)
1oo1           0.05 /year      0.0006
2oo3           0.00043 /year   0.00000094
1oo1D          0.069 /year     0.0005
2oo2D          0.00021 /year   0.001
1oo2D          0.00021 /year   0.0000004

The 1oo2D depends highly on good diagnostics.

[Diagram: 1oo2D: two channels, each with Sensor, Input Circuit, Logic Solver (MP, common circuitry), Output Circuit and Diagnostic Circuit(s), driving a common Actuator / Final Element]


1oo2 Architecture for field equipment

[Diagram: SENSOR: pressure transmitters PT-101A and PT-101B wired to a Safety PLC; trip if either transmitter indicates a trip condition. FINAL ELEMENT: two solenoid valves (sov) in 1oo2 voting; valve closes to trip]
2oo2 Architecture for field equipment

[Diagram: SENSOR: pressure transmitters PT-101A and PT-101B wired to a Safety PLC with 2oo2 voting; trip only if both transmitters indicate a trip condition. FINAL ELEMENT: single solenoid valve; valve closes to trip]


Architectures

[Plot: the architectures 1oo1, 1oo1D, 1oo2, 1oo2D, 2oo2, 2oo2D and 2oo3 positioned on a chart of PFDavg (low to high) against STR (high to low); best performance is low PFDavg together with low STR]

New Generation architectures (1oo1D, 2oo2D and 1oo2D) are more susceptible to degraded performance if diagnostic settings/configuration in the safety manual are not strictly followed.

For all architectures a mechanical integrity program must ensure repair time assumptions are met.


Hardware Fault Tolerance

Hardware Fault Tolerance by architecture:

Architecture   Hardware Fault Tolerance
1oo1           0
1oo1D          0
1oo2           1
2oo2           0
2oo3           1
2oo2D          0
1oo2D          1
1oo3           2

TYPE B: maximum SIL by Safe Failure Fraction and Hardware Fault Tolerance

Safe Failure Fraction   HFT 0         HFT 1   HFT 2
< 60 %                  Not allowed   SIL 1   SIL 2
60 % - < 90 %           SIL 1         SIL 2   SIL 3
90 % - < 99 %           SIL 2         SIL 3   SIL 4
>= 99 %                 SIL 3         SIL 4   SIL 4

NOTE A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function


Hardware Fault Tolerance

Maximum SIL Allowed for Programmable Electronic Systems (Type B)

Architecture   SFF 0 - <60%   SFF 60 - <90%   SFF 90 - <99%   SFF 99%+
1oo1           Not Allowed    SIL 1           SIL 2           SIL 3
1oo1D          Not Allowed    SIL 1           SIL 2           SIL 3
1oo2           SIL 1          SIL 2           SIL 3           SIL 4
2oo2           Not Allowed    SIL 1           SIL 2           SIL 3
2oo3           SIL 1          SIL 2           SIL 3           SIL 4
2oo2D          Not Allowed    SIL 1           SIL 2           SIL 3
1oo2D          SIL 1          SIL 2           SIL 3           SIL 4
1oo3           SIL 2          SIL 3           SIL 4           SIL 4


IEC 61511 PE logic solvers

Minimum Hardware Fault Tolerance

SIL   SFF < 60%   SFF 60% to 90%   SFF > 90%
1     1           0                0
2     2           1                0
3     3           2                1
4     Special requirements apply (see IEC 61508)

• Almost identical to IEC 61508 Type B table
  – IEC 61508 specifies 4 levels of HFT
  – IEC 61511 does not specify SIL 4


IEC 61511 field equipment

SIL   Minimum Hardware Fault Tolerance
1     0
2     1
3     2
4     Special requirements apply (see IEC 61508)

• No Type A vs. Type B
• No SFF
• Identical to IEC 61508 Type B table for SFF 60-90% and Type A table for SFF 0-60%
IEC 61511 field equipment

• Increase minimum HFT by one if the dominant failure mode is not to the safe state or dangerous failures are not detected
• Reduce minimum HFT by one if
  – The hardware of the device is selected on the basis of prior use; and
  – The device allows adjustment of process-related parameters only, for example, measuring range, upscale or downscale failure direction; and
  – The adjustment of the process-related parameters of the device is protected, for example, jumper, password; and
  – The function has a SIL requirement of less than 4.


IEC 61511 field equipment

• IEC 61508 HFT charts may be used instead of 61511 charts – recommended.
• They are clear and more flexible.


Application Exercise Set 6

Redundant Architectures
Complete the problems
10 minutes


Section 6: Redundant Architectures Review

Basic Architectures
Comparison
Advanced Architectures
Diagnostics and Common Cause


Section 7: Safety Instrumented System Design

Safety Requirements Specification
Conceptual Design
Technologies
Architectures
Design Verification
Detail Design
Tools


Detailed Safety Lifecycle – SIS Design in the context of the SLC

[Diagram: exida detailed safety lifecycle flowchart. The recoverable phases, with their inputs and outputs:]
Conceptual Process Design (process information, event history)
Identify Potential Risks (potential hazards, layers of protection; PROBE tool)
Assess Potential Risk Likelihood (layer of protection analysis, failure probabilities, hazard frequencies; FETCH tool)
Analyze Potential Hazard Risk Magnitude (consequence analysis, consequence database, hazard consequences)
Select Target SIL (tolerable risk guidelines, target SILs); develop non-SIS layers; SIS Required? If no, exit
Develop Safety Requirements Specification (functional description of each Safety Instrumented Function, target SIL, mitigated hazards, process parameters, logic, bypass/maintenance requirements, response time, etc.; DOCUMENT template)
SIS Conceptual Design: Select Technology (relays, fail-safe solid state, PLC, safety PLC, sensors, final elements); Select Architecture (redundancy: 1oo1, 1oo2, 2oo3, 1oo2D); Determine Test Philosophy; Reliability, Safety Evaluation (manufacturer’s failure data, failure data database; SILver tool; SILs achieved); SIL Achieved? If no, revise the conceptual design
SIS Detailed Design (manufacturer’s safety manual; DOCUMENT template; detailed design documentation: loop diagrams, wiring diagrams, logic diagrams, panel layout, PLC programming, installation requirements, commissioning requirements, etc.)
Installation & Commission Planning (manufacturer’s installation instructions); SIS Installation, Commissioning and Pre-startup Acceptance Test
Validation Planning; Pre-startup Safety Review (verify all documentation against hazards, design, installation testing, maintenance procedures, management of change, emergency plans, etc.)
Operating and Maintenance Planning (SIS startup, operation, maintenance, periodic functional tests)
Modify / Decommission? (SIS modification, decommissioning)
SIS Design

Input: Safety Requirements Specification - Functional Description of each Safety Instrumented Function, Target SIL, Mitigated Hazards, Process parameters, Logic, Bypass/Maintenance requirements, Response time, etc.

7. SIS Conceptual Design
   7a. Select Technology: choose sensor, logic solver and final element technology
   7b. Select Architecture: redundancy: 1oo1, 1oo2, 2oo3, 1oo2D
   7c. Determine Test Philosophy
   7d. Reliability, Safety Evaluation (inputs: Manufacturer’s Failure Data, Failure Data Database; exida SILver Tool; output: SILs Achieved). If the SIL is not achieved, return to the conceptual design.
8. SIS Detailed Design (input: Manufacturer’s Safety Manual; DOCUMENT Template; output: Detailed Design Documentation - Loop Diagrams, Wiring Diagrams, Logic Diagrams, Panel Layout, PLC Programming, Installation Requirements, Commissioning Requirements, etc.)
9. Installation & Commission Planning (input: Manufacturer’s Installation Instructions)
10. SIS Installation, Commissioning and Pre-startup Acceptance Test


SRS – Design Requirements

• The SRS should contain two types of requirements
  – Functional Requirements
  – Integrity Requirements
• The SRS should contain these functional requirements
  – Definition of the safe state
  – Process Inputs and their trip points
  – Process parameter normal operating range
  – Process outputs and their actions
  – Relationship between inputs and outputs
• The SRS should contain these integrity requirements
  – The required SIL for each SIF
  – Reliability requirements if spurious trips may be hazardous
  – Requirements for diagnostics to achieve the required SIL
  – Requirements for maintenance and testing


Equipment Selection

IEC 61511, Functional Safety for the Process Industries, requires that equipment used in safety instrumented systems be chosen based on either IEC 61508 certification to the appropriate SIL level or justification based on “prior use” criteria (IEC 61511, Part 1, Section 11.5.3).


Prior Use ???

• Unfortunately the IEC 61511 standard does not give specific details as to what the criteria for “prior use” really means.
• Most agree however that if a user company has many years of documented successful experience (no dangerous failures) with a particular version of a particular instrument this can provide justification for using that instrument even if it is not safety certified. Operating conditions must be recorded and must be similar to the proposed safety application.


Prior Use ???

• To help end users many manufacturers are providing third party assessments including:
  • FMEDA – manufacturer provides failure rate and failure mode data
  • Prior Use – manufacturer provides modification history, field performance data


Safety Assessment for Products

• FMEDA – manufacturer provides failure rate and failure mode data
• Proven In Use – manufacturer provides modification history, field performance data
• IEC 61508 Certification – manufacturer has third party assessors certify that a product meets all requirements of 61508.

Safety Assessment Limitations

• FMEDA – manufacturer provides failure rate and failure mode data
  – DOES NOT INCLUDE PROCESS CONNECTIONS!
• Proven In Use – manufacturer provides modification history, field performance data
  – MANUFACTURER P.I.U. INFO IS JUST A START, THEY DO NOT USE THE EQUIPMENT.


Trend toward 61508 certified products

IEC 61508 Certified Products:
Pressure Transmitters
Temp. Transmitters
Flow Transmitters
Level Transmitters
PLCs
Trip Amps, modules
Actuators
Solenoids
Valves

Equipment List on www.exida.com


IEC 61508 Full Certification

• The end result of the certification process is a certificate listing the SIL level for which a product is qualified and the standards that were used for the certification.
• However, we must understand that some products are certified with “restrictions.”
• The restrictions essentially indicate when a product does not meet some requirements of IEC 61508.
• The restrictions are listed in the safety manual and must be followed if safe operation is required.


IEC 61508 PLC Certification

IEC 61508 Certified Instruments

Product Type              Manufacturers
Pressure Transmitter      ABB, Rosemount, Yokogawa
Temperature Transmitter   Rosemount, Yokogawa
Flow Transmitter          Micro-Motion
Level Transmitter         Endress+Hauser
Gas Detector              Det-Tronics
Flame Detector            Det-Tronics
Solenoid                  ASCO, Westlock, RGS
Pneumatic Actuator        Hy-Tork, El-O-Matic, Bettis
Valves                    Maxon, Mokveld
IEC 61508 Full Certification Enough?

• NO! A control system designer cannot simply specify 61508 certified equipment and expect a safe design!
• Equipment must match intended application
• Equipment “restrictions” must be followed
• Process connections must be included


Safety Manual

• Usage Requirements-Restrictions
• Environmental Limits
• Optional Settings
• Failure Rate Data
• Useful Life Data
• Common Cause Beta Estimate
• Inspection and Test Procedures


Safety Manual Mechanical Integrity

• The safety manual will often include specific tests and inspections that must be done on a periodic basis. For example:
  1. “The window of the flame detector must be inspected to ensure that it is clean and clear. The maintenance schedule must be established based on plant conditions.”
     The designer must estimate plant conditions and add periodic inspection to the mechanical integrity procedures.
  2. “The user is responsible for testing of all fault routines. …”
     While this seems easy enough, a detailed list of fault routines in one example shows things like “stack overflow fault.” A test to demonstrate that the stack overflow fault detection in a PLC is actually working may be quite time consuming if not completely impractical.
  3. “All analog inputs must be checked for accuracy and proper operation over the full range of input signal once a year.”
     A complete test of all analog inputs requires that each be checked over the full range of –5% to +105% with accuracy checking at enough points to verify safety accuracy.
• The safety manual is an essential document that should be understood before equipment is selected for use in safety instrumented system applications!
Select Architecture

Candidate architectures: 1oo1, 1oo2, 1oo2D, 2oo2, 2oo3

– Objective
  • Determine type of redundancy needed to meet required Safety Integrity Level
– Tasks
  • Choose architecture
  • Obtain reliability and safety data for the architecture


Test Philosophy

How will the sensors, controller and final elements be tested? How frequently?

PERIODIC INSPECTION
Time Interval: 5 Years, 1 Year, 6 Mos, 3 Mos.
Procedure: Shutdown Plant? Bypass SIS? Transmitter Testing? Valve / Actuator Testing?
SIF Verification Task

Where does the data come from?

[Diagram: inputs to 7d. Reliability and Safety Evaluation are the Safety Requirements Specification (safety function requirements including target SIL), Manufacturer’s Failure Data and the Failure Data Database; outputs are PFDavg, RRF, MTTFS and SIL achieved]
Failure Rate Data Models

1. Industry Databases – NOT Application Specific, NOT Product Specific
2. Manufacturer FMEDA, Field Failure Study – Product Specific, NOT Application Specific
3. Detail Field Failure Study – Application model. Product Specific, Application Specific


Failure Rate Data Handbook

1. Industry Databases – NOT Application Specific, NOT Product Specific
2. Manufacturer FMEDA, Field Failure Study – Product Specific, NOT Application Specific


Safety Integrity Levels

Safety Integrity Level   Average probability of failure on demand per year (Demand mode of operation)   Risk Reduction Factor
SIL 4                    >= 10^-5 to < 10^-4                                                              100000 to 10000
SIL 3                    >= 10^-4 to < 10^-3                                                              10000 to 1000
SIL 2                    >= 10^-3 to < 10^-2                                                              1000 to 100
SIL 1                    >= 10^-2 to < 10^-1                                                              100 to 10


Fault Tree AND Gates

Quantitative Analysis of Fault Trees - combine probabilities.

[Fault tree: the top event “Battery system failure” is an AND gate of two basic events: “Batteries discharged” (F = 0.2) and “Charger fails” (F = 0.01)]

Probability of Battery system failure?
Fsys =


Markov Analysis

• Can be more precise with less work
• Generally well accepted
• Well known Solution Techniques
• One model for multiple failure modes
• Provides clear picture of system operation under failure conditions

[Diagram: Markov state model with states OK, degraded (one channel failed), FS (fail safe) and FD (fail dangerous); transitions are labelled with the safe detected/undetected and dangerous detected/undetected failure rates, split into normal (N) and common cause (C) contributions]
Ex 1: High Pres. Prot. Loop. Pressure Switch+Solenoid

Lambda D (λD)
Solenoid          2.4 x 10^-6 failures per hour
Pressure switch   3.6 x 10^-6 failures per hour

No Diagnostics, Test Interval – 1 year, SIL2 required

[Diagram: pressure switch high (PSH) on the vessel, solenoid valve (sov) as final element]


SIF Verification Example

Example 1: High Pressure Protection Loop. Pressure Switch+Solenoid

Lambda DU (λDU)
Solenoid          2.4 x 10^-6 failures per hour
Pressure switch   3.6 x 10^-6 failures per hour

No Diagnostics, Test Interval – 1 year, SIL2

PFDavg = λDU TI / 2
PFDavg = (0.000006 * 8760) / 2
PFDavg = 0.0263
RRF = 1/PFDavg = 38
IEC61508/IEC61511 Safe Failure Fraction

SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)

SFF is defined as the ratio of the average rate of safe failures plus dangerous detected failures of the subsystem to the total average failure rate of the subsystem.


SIF Verification Example

Example: High Pressure Protection Loop
1. Pressure Switch - Solenoid

                  Lambda D (λD)      Lambda S (λS)
Solenoid          2.4 x 10^-6 f/hr   2.0 x 10^-6 f/hr
Pressure switch   3.6 x 10^-6 f/hr   3.8 x 10^-6 f/hr

SFF = (2.0 + 3.8) / (2.0 + 3.8 + 2.4 + 3.6) = 49%


IEC61508 Safe Failure Fraction

TYPE A Subsystem: maximum SIL by Safe Failure Fraction and Hardware Fault Tolerance

Safe Failure Fraction   HFT 0   HFT 1   HFT 2
< 60 %                  SIL 1   SIL 2   SIL 3
60 % - < 90 %           SIL 2   SIL 3   SIL 4
90 % - < 99 %           SIL 3   SIL 4   SIL 4
>= 99 %                 SIL 3   SIL 4   SIL 4

NOTE A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function
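As an added example (not from the course material), the following Python carries Example 1 through PFDavg, RRF, the SIL table, the safe failure fraction and the IEC 61508 Type A / Type B architectural constraints, and reports the SIL actually achieved. Treating the pressure switch and solenoid as Type A devices with HFT 0, and combining their failure rates into one single-channel loop as the SFF slide does, are this example's assumptions.

```python
"""SIF verification for the pressure switch + solenoid loop (added example).

Failure rates are in failures/hour as on the slides; PFDavg and SFF are
dimensionless. The achieved SIL is the lower of the SIL from PFDavg and the
architectural-constraint limit.
"""
HOURS_PER_YEAR = 8760  # assumption: one year of operation is 8760 h

# SIL bands for PFDavg (demand mode): lower bound inclusive, upper bound exclusive
SIL_PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Maximum SIL by SFF band (<60, 60-<90, 90-<99, >=99 %) and HFT (0, 1, 2); None = not allowed
TYPE_A_MAX_SIL = {0: (1, 2, 3, 3), 1: (2, 3, 4, 4), 2: (3, 4, 4, 4)}
TYPE_B_MAX_SIL = {0: (None, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)}


def pfd_avg_simple(lambda_du_per_hour, test_interval_years):
    """PFDavg = λDU * TI / 2 (single channel, no diagnostics)."""
    return lambda_du_per_hour * test_interval_years * HOURS_PER_YEAR / 2


def sil_from_pfd(pfd):
    """SIL band for a PFDavg value; 0 if PFDavg is worse than the SIL 1 band.
    Values below 1e-5 are better than the SIL 4 band and reported as 4 (assumption)."""
    for sil, low, high in SIL_PFD_BANDS:
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0


def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF = (λS + λDD) / (λS + λDD + λDU), with λS = λSD + λSU."""
    return (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)


def sff_band(sff):
    """Column index into the architectural-constraint tables."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def max_sil_architectural(sff, hft, type_b):
    """Architectural constraint: maximum SIL for this SFF and HFT (None = not allowed)."""
    table = TYPE_B_MAX_SIL if type_b else TYPE_A_MAX_SIL
    return table[hft][sff_band(sff)]


def verify_sif(devices, test_interval_years, hft=0, type_b=False):
    """devices: list of (name, λS, λDD, λDU) in failures/hour for a series (1oo1) loop."""
    lam_s = sum(d[1] for d in devices)
    lam_dd = sum(d[2] for d in devices)
    lam_du = sum(d[3] for d in devices)
    pfd = pfd_avg_simple(lam_du, test_interval_years)
    sff = safe_failure_fraction(lam_s, lam_dd, lam_du)
    sil_pfd = sil_from_pfd(pfd)
    sil_arch = max_sil_architectural(sff, hft, type_b)
    achieved = 0 if sil_arch is None else min(sil_pfd, sil_arch)
    return {"pfd_avg": pfd, "rrf": 1 / pfd, "sff": sff,
            "sil_pfd": sil_pfd, "sil_arch": sil_arch, "sil_achieved": achieved}


# Example 1 data from the slides; no diagnostics, so all of λD is undetected (λDD = 0)
EXAMPLE_1 = [("solenoid", 2.0e-6, 0.0, 2.4e-6),
             ("pressure switch", 3.8e-6, 0.0, 3.6e-6)]

if __name__ == "__main__":
    # Type A with HFT 0 is an assumption of this example; the slides do not state it
    r = verify_sif(EXAMPLE_1, test_interval_years=1, hft=0, type_b=False)
    print(f"PFDavg = {r['pfd_avg']:.4f}, RRF = {r['rrf']:.0f}, SFF = {r['sff']:.0%}")
    print(f"SIL from PFDavg: {r['sil_pfd']}, architectural limit: {r['sil_arch']}, "
          f"achieved: SIL {r['sil_achieved']} (SIL 2 required)")
```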


Ex 2: High Pres. Prot. Loop. Transmitter+DCS+Solenoid

1. Verify that the DCS was not being used as a “Layer of Protection.”
2. Verify that any DCS failure would not be an “initiating event” for a hazard.
If either of these is possible, then one cannot use the DCS in a safety instrumented function.

[Diagram: Pressure Transmitter (TX) on the vessel, DCS as logic solver, solenoid valve (sov) as final element]


Ex 2: High Pres. Prot. Loop. Transmitter+DCS+Solenoid

[Diagram: Pressure Transmitter (TX) on the vessel, DCS as logic solver, solenoid valve (sov) as final element]

Example 2: High Pressure Protection Loop, Transmitter - DCS - Solenoid


IEC61508 Safe Failure Fraction

TYPE B Subsystem: maximum SIL by Safe Failure Fraction and Hardware Fault Tolerance

Safe Failure Fraction   HFT 0         HFT 1   HFT 2
< 60 %                  Not allowed   SIL 1   SIL 2
60 % - < 90 %           SIL 1         SIL 2   SIL 3
90 % - < 99 %           SIL 2         SIL 3   SIL 4
>= 99 %                 SIL 3         SIL 4   SIL 4

NOTE A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function


Ex 2: High Pres. Prot. Loop. Transmitter+DCS+Solenoid

PFDavg? SFF? SIL?

[Diagram: Pressure Transmitter (TX) on the vessel, DCS as logic solver, solenoid valve (sov) as final element]


Ex 3: Safety Transmitter+Safety PLC+1oo2 Solenoid

[Diagram: Safety Pressure Transmitter (TX) on the vessel, Safety PLC as logic solver, two solenoid valves (sov) in 1oo2 voting as final element]

Example 3: High Pressure Protection Loop, Safety Transmitter - Safety PLC - 1oo2 Solenoid

PFDavg? SFF? SIL?


SIL Verification Tool

[Screenshots of the SIL verification tool (eight slides)]


Application Exercise Set 7

SIS Design – Design a SIL3 High Pressure Protection SIF
Complete the problems
30 minutes


Section 7: Safety Instrumented System Design Review

Safety Requirements Specification
Conceptual Design
Technologies
Architectures
Design Verification
Detail Design
Tools


Section 8: Installation, Commissioning and Validation

Installation and Commissioning
 Objectives
 Activities
 Documentation Required
Validation
 Objectives
 Activities
 Documentation Required
Detailed Safety Lifecycle

[Diagram: the detailed safety lifecycle flowchart repeated from the start of Section 7, here introducing the SIS installation, commissioning, pre-startup acceptance test, validation and pre-startup safety review phases]
Terms

Validation
the activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration after installation meets in all respects the safety requirements specification.

Verification
Activity of demonstrating for each phase of the safety lifecycle by analysis and/or tests that, for the specific inputs, the deliverables meet the objectives and requirements set for the specific phase.
Terms

BPCS & SIS completion

[Diagram: the BPCS and SIS both pass through FAT at the vendor factory, then SAT and SIT at the process plant]


Terms

Commissioning

[Diagram: process plant commissioning timeline: E&I loop check (pre-commissioning), cold commissioning, hot commissioning, then production; VALIDATION & FSA take place prior to start-up]


Terms

• Factory Acceptance Test (FAT)
  – A test performed before shipment to site, usually at the vendor or integrator premises, often witnessed by the end user.
  – Not a mandatory step in IEC61511, but very common to avoid problems during SAT and SIT.
• Site Acceptance Test (SAT)
  – Involves shipment of the system(s) to site, installation and start-up activities. Tests then validate that the installed safety instrumented system and its associated safety instrumented functions achieve the requirements as stated in the Safety Requirement Specification*.
*Note: Full loop checking may come at a later stage.


Terms

• Site Integration Test (SIT)
  – Once SAT is completed, the BPCS and SIS communications and any hard-wired links are integrated and tested as a complete system to ensure that the system as a whole functions correctly. SIS signals, diagnostics, bypasses and alarms displayed on shared BPCS HMI screens will be tested during this stage.


IEC 61511

[Diagram: IEC 61511 lifecycle phases. REALIZATION: Design and Development of the Safety Instrumented System, Factory Acceptance Test (FAT). Installation, Commissioning and Validation (sub-clauses 14 and 15): INSTALLATION, SAT / SIT, COMMISSIONING, Functional Safety Assessment, START UP, with VALIDATION spanning these steps. OPERATION: Operation and Maintenance (sub-clause 16), Modification, Decommissioning]


Installation Objective and Activities

– Objective
  • Install equipment to specifications and drawings
– Activities
  • Mount equipment per manufacturer’s instructions
  • Install all equipment components in proper position
  • Install all jumpers, keying mechanisms and protection components
  • Connect grounding
  • Connect energy sources
  • Calibrate instruments
  • Connect interfaces and all communications links
  • Connect field devices
  • Verify environmental stress conditions against specifications


Installation Activities: Environmental Stress

 Heat – avoid heat sources, verify operation within ratings.
 Electric – avoid surge conditions, avoid secondary effects of lightning, verify operation within rating.
 Mechanical – avoid severe shock and vibration, check for mechanical resonances, verify operation within ratings.
 Application mismatch – avoid operation under conditions not allowed by manufacturer, check for incompatible materials.


Commissioning Objectives

– Check for correct installation and functionality of equipment
  • Note any “as-built” changes from previous designs
    “Where it has been established that the actual installation does not conform to the design information then the difference shall be evaluated by a competent person and the likely impact on safety determined. If it is established that the difference has no impact on safety, then the design information shall be updated to “as built” status. If the difference has a negative impact on safety, then the installation shall be modified to meet the design requirements.” IEC 61511 Clause 14.2.5
  • Check for installation per equipment Safety Manual
– Ready for Validation tests


Commissioning Activities

• All packing material removed
• All jumpers, keying mechanisms and protection components are properly installed
• Grounding has been properly connected
• Energy sources connected and operational
• No physical damage present
• All instruments calibrated and ranges set
• Interfaces operational, including interfaces to other systems
• All field devices are operational
• Logic solver and input/outputs are operational


Validation Objectives

– Ensure that the safety instrumented system (SIS) as installed and commissioned meets all of the safety requirement specifications (SRS).
– Validation is done using a combination of testing and inspection.

(Diagram: FAT → Installation → SAT/SIT → Commissioning → FSA → Start up; the steps from Installation through Start up are bracketed as Validation.)

IEC 61511 Clause 15


Validation Activities

• Full FUNCTIONAL test to verify that all requirements in the SRS have been successfully implemented.
• All equipment installed per manufacturer's instructions.
• All equipment implemented per the Safety Manual.
• Periodic Test plan complete with procedure for testing and documenting tests.
• All Safety Lifecycle documents are complete.
• CHECKLISTS RECOMMENDED


Validation Test of SRS Functional Requirements

• Definition of the safe state
• Process inputs, trip points and normal operating range
• Process outputs and their actions
• Relationship between inputs and outputs
• Selection of energize-to-trip or de-energize-to-trip
• Consideration for manual shutdown or bypass
• Actions on loss of power to the SIS
• Response time requirements
• Response actions for overt fault
• Reset functions
• Operator interface requirements


Validation Test Detail Activities

– Ensure sensors, logic solvers, and final elements perform according to the SRS under normal / abnormal conditions
– Confirm proper SIS operation on bad process variable values
– Make certain SIS provides the proper annunciation (trips and faults), displays, and external communications
– Ensure computations by the SIS are correct
– Verify SIS reset functions operate as defined in SRS
– Test for degraded mode of operation
– Bypass functions operate properly
– Manual shutdown operates properly
– Diagnostic alarm functions perform as required
– Confirmation SIS performs as required on power cycle(s)
Validation Test Report

• Completion of all checkout forms
• Tools and equipment used, including calibration data
• Test results
• Version of test specification
• Criteria for test acceptance
• Version of SIS
• Discrepancies between expected and actual results
• Decisions taken when discrepancies occur
• Sign-off/acceptance
Functional Safety Assessment

• An independent judgment on the functional safety achieved by the SIS
  – Define an assessment procedure “appropriate” to the SIL and novelty of design
  – Appoint an experienced team leader and team of reviewers
  – Define the scope of assessment
  – Create a plan for review activities and expected results
  – Identify any safety bodies and certifications
  – Conduct assessment


Validation Safety Review Activities

– All commissioning and PSAT activities were completed
– All maintenance and operating procedures are in place
– All personnel training has been completed
– All bypass functions shall be returned to their normal position
– All process isolation valves shall be set according to the process startup requirements
– All test materials shall be removed
– All forces shall be removed


Section 8: Installation, Commissioning and Validation Review

Installation and Commissioning
• Objectives
• Activities
• Documentation Required

Validation
• Objectives
• Activities
• Documentation Required
Section 9: Operational Requirements

Maintenance Planning
Manufacturer's Maintenance Data
Periodic Inspection Testing / Records


Detailed Safety Lifecycle

(Diagram: flowchart of the detailed safety lifecycle, with the inputs, outputs and exida tools attached to each step. Recovered step sequence:)
Conceptual Process Design (inputs: process information, event history) →
Identify Potential Risks (output: potential hazards; Layers of Protection; PROBE tool) →
Assess Potential Risk Likelihood (Layer of Protection Analysis, failure probabilities; output: hazard frequencies; FETCH tool) →
Analyze Potential Risk Magnitude (Consequence Analysis, hazard characteristics, consequence database; output: hazard consequences) →
Select Target SILs (Tolerable Risk Guidelines) →
Develop non-SIS Layers → SIS Required? (No: exit; Yes: continue) →
Develop Safety Requirements Specification (DOCUMENT template; SRS: functional description of each Safety Instrumented Function, target SIL, mitigated hazards, process parameters, logic, bypass/maintenance requirements, response time, etc.) →
Select Technology (relays, fail-safe solid state, PLC, safety PLC, sensors, final elements) →
Select SIS Conceptual Architecture (redundancy: 1oo1, 1oo2, 2oo3, 1oo2D) →
Determine Test Philosophy →
Reliability / Safety Evaluation (manufacturer's failure data, failure data database; SILver tool; output: SILs achieved) → SIL Achieved? (No / Yes) →
SIS Detailed Design (manufacturer's safety manual; DOCUMENT template; detailed design documentation: loop diagrams, wiring diagrams, logic diagrams, panel layout, PLC programming, installation requirements, commissioning requirements, pre-startup requirements, etc.) →
SIS Installation, Commissioning and Pre-startup Acceptance Test (manufacturer's installation instructions; installation and commission planning) →
Validation: Pre-startup Safety Review (validation planning; verify all documentation against hazards, design, installation testing, maintenance procedures, management of change, emergency plans, etc.) →
SIS Startup, Operation, Maintenance, Periodic Functional Tests (operating and maintenance planning) →
Modify / Decommission? (Modify, or SIS Decommissioning)
Maintenance Planning

All tests required to verify proper operation of a Safety Instrumented Function must be planned.
The proper periodic test interval that was calculated during SIF verification must be documented as part of the plan.
Online? Offline? Bypass procedures?
Proof test procedures must be at least as effective as planned during the SIF verification.


Proof Test

The purpose of the Proof test is to verify that the safety instrumented function works properly. It is often assumed that if it works properly it has not failed.
(Callout: Assume 100% diagnostic coverage??)
Procedure:
1. Block valve from closing.
2. Move input signal above trip point.
3. Verify that valve attempted to close.
4. Move input signal back to normal below trip point.
5. Remove valve block.
100% Coverage?

100% coverage is not likely due to intermittent faults and not exercising all functionality.
(Callout: Assume 100% diagnostic coverage??)
Transmitter failures
Logic Solver failures
Final Element failures
What are the DUs? What are the dangerous failures not detected by any automatic diagnostics?


Proof Test

The purpose of the Proof test is to verify that the safety instrumented function works properly. It is assumed that if it works properly it has not failed.

The purpose of the Proof test is to detect any failures not detected by automatic on-line diagnostics – dangerous failures, diagnostic failures, parametric failures.


Safety Manual

• Products intended for SIF applications are supplied with a “Safety Manual.”
  – The “safety manual” may be part of another document
• The Safety Manual contains important restrictions on how the product must be used in order to maintain safety.
  – Environmental restrictions
  – Design restrictions
  – Periodic Inspection / Test requirements
  – Failure rate / failure mode data


Safety Manual Test Content

From Rosemount 3051S, Safety:
Proof Test 1 – 65%
Proof Test 2 – 98%
Why bother with proof test 1?
Because the time interval between the more expensive Proof Test 2 can be extended by several years!!


Strategic Proof Test

The purpose of the Proof test is to detect any failures not detected by automatic on-line diagnostics.
1. We can design proof test procedures that are easier to perform, cost less and are more likely to actually get done.
2. By understanding the actual DU/AU failures in our instruments we can significantly improve our test coverage as well as lower cost.
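Worked example added here (not from the exida course or any manufacturer's safety manual) to put numbers behind the two slides above: why a cheap partial proof test pays for itself, and how far the expensive test can be stretched while the element stays within a PFDavg target. Only the 65% and 98% coverages come from the slide; the 100 FIT dangerous-undetected rate, the one-year and five-year intervals, the 15-year mission time and the assumption that the comprehensive test detects everything the simple test does are constructed for illustration, and the formula is the simplified single-element approximation used in SIL verification.

```python
# Added worked example (not from the exida course or any safety manual): PFDavg
# of one 1oo1 element under a two-tier proof test strategy.  The 65% and 98%
# coverages are the slide's figures; the DU failure rate, the test intervals,
# the mission time and the nesting assumption are constructed for illustration.
HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # 1 FIT = one failure per 1e9 hours

def pfd_avg(lam_du, c1, ti1_years, c2, ti2_years, mission_years):
    """Simplified PFDavg (lam_du = DU failure rate per hour) with two proof tests.

    Assumes the comprehensive test (coverage c2, interval ti2) finds everything
    the simple test (coverage c1, interval ti1) does, so DU failures split into
    three groups, each latent on average for half its detection interval:
      c1       found by the simple test    -> ti1 / 2
      c2 - c1  found only by the full test -> ti2 / 2
      1 - c2   found by neither            -> mission time / 2
    """
    if not 0.0 <= c1 <= c2 <= 1.0:
        raise ValueError("coverages must satisfy 0 <= c1 <= c2 <= 1")
    ti1, ti2, mt = (y * HOURS_PER_YEAR for y in (ti1_years, ti2_years, mission_years))
    return lam_du * (c1 * ti1 + (c2 - c1) * ti2 + (1.0 - c2) * mt) / 2.0

def sil_band(pfd):
    """IEC 61511 low-demand SIL band this PFDavg alone falls in (4 for anything
    below 1e-4, 0 when worse than SIL 1).  A SIF target applies to the whole
    loop, so a single element's band is only an indication."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def max_test2_interval_years(target_pfd, lam_du, c1, ti1_years, c2, mission_years):
    """Longest comprehensive-test interval that still keeps PFDavg <= target."""
    headroom = target_pfd - pfd_avg(lam_du, c1, ti1_years, c2, 0.0, mission_years)
    if headroom < 0.0:
        return None  # unreachable however often the full test is run
    if c2 == c1:
        return float("inf")  # the full test adds nothing over the simple one
    return 2.0 * headroom / (lam_du * (c2 - c1)) / HOURS_PER_YEAR

if __name__ == "__main__":
    lam, mission = 100 * FIT, 15  # constructed: 100 FIT DU rate, 15-year mission
    two_tier = pfd_avg(lam, 0.65, 1, 0.98, 5, mission)  # 65% yearly + 98% every 5 y
    full_only = pfd_avg(lam, 0.0, 1, 0.98, 5, mission)  # 98% every 5 y, no cheap test
    print(f"two-tier  PFDavg {two_tier:.2e}  SIL {sil_band(two_tier)}")
    print(f"full only PFDavg {full_only:.2e}  SIL {sil_band(full_only)}")
    years = max_test2_interval_years(1e-3, lam, 0.65, 1, 0.98, mission)
    print(f"98% test interval that meets a 1e-3 target: {years:.1f} years")
```

With the constructed figures the yearly 65% test roughly halves the element's PFDavg compared with running only the 98% test every five years, and the 98% test could be stretched to about four years while the element alone stays under 1e-3.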


Effective Testing Techniques

Analog Sensors: Force process variable between –10% and 110% of scale. This tests transmitter, power supplies and wiring resistance. Inspect for corrosion on terminal strips and loose wiring. Inspect (or perform cleanout) for plugged impulse lines.
Discrete Sensors: Force process variable over full scale and inspect for proper movement of mechanisms as well as switch closure at the proper point. Inspect for corrosion on terminal strips or switch mechanical components.


Effective Testing Techniques

Solenoids: Check for speed of response and sound level during a full cycle of air pressure. Inspect for corrosion and clogged air inlets.
Pneumatic Actuators: Inspect for air consumption rates and clogged air inlets. During a partial stroke check for speed of response and pressure curve. During a full stroke check for speed of response, pressure curve and abnormal response when seating. When valve is closed, check for leakage.


Safety Manual Mechanical Integrity

The safety manual will often include specific tests and inspections that must be done on a periodic basis. For example:
“The window of the flame detector must be inspected to ensure that it is clean and clear. The maintenance schedule must be established based on plant conditions”.
The designer must estimate plant conditions and add periodic inspection to the mechanical integrity procedures.
Periodic Inspection Testing / Records

Actual testing must be documented:
• Test details
• Personnel, date
• Bypass authorization
• Tests performed
• Results
• System restored
Management of Change
Before the Request

Modification request

Management of Change
After the Request


Application Exercise Set 8

Periodic Inspection and Test Plans
Complete the problems
10 minutes


Section 9: Operational Requirements Summary

Maintenance Planning
Manufacturer's Maintenance Data
Periodic Inspection Testing / Records


Post Test

• Answer the questions to the best of your ability
• This test can be used to determine the effectiveness of this course
• Instructor will review questions and answers to enhance your learning

Post Test
Review – complete the problems.


Final Course Evaluation

Course Evaluations are tools that help us maintain the quality of our training programs.
Please complete the form and return it to your instructor upon completion of the course.


References
• IEC 61508, Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems, International Electrotechnical Commission, 1998/2000
• IEC 61511, Functional Safety – Safety Instrumented Systems for the Process Industry Sector, International Electrotechnical Commission, 2003
• Out of Control – Why Control Systems Go Wrong and How to Prevent Failure, HSE Books, 2nd edition, 2003, ISBN 0-7176-2192-8
• Safety Equipment Reliability Handbook, exida.com, 2005, ISBN 978-0-9727234-1-1
• Control Systems Safety Evaluation and Reliability, 2nd edition, William M. Goble, 1998, ISBN 1-55617-636-8
• Safety Instrumented Systems Verification: Practical Probabilistic Calculations, William M. Goble and Harry Cheddie, ISA, 2005, ISBN 1-55617-909-X

Many other papers, books and resources are available on-line: www.exida.com


www.exida.com
