IEC 61508 Related Standards



Lecture of Mary Ann Lundteigen from Norwegian University of Science and Technology


  • Slide 1 (NTNU, September 2007)

    PK 8201 supplementary information on IEC 61508 related standards

    Mary Ann Lundteigen (www.ntnu.no/ross/rams/maryann)

    (Slides prepared for small lectures and discussions, and may therefore include more text than would be included in a presentation for a large audience.)

  • Slide 2

    OLF 070: APPLICATION OF IEC 61508 AND IEC 61511 IN THE NORWEGIAN PETROLEUM INDUSTRY

    May be downloaded from: http://www.olf.no/061-080/070-guidelines-for-the-application-of-iec-61508-and-iec-61511-in-the-petroleum-activities-on-the-continental-shelf-article842-1362.html

  • Slide 3

    Background and objective

    - Help the industry in the implementation of key standards, such as IEC 61508 and IEC 61511
    - Open up for a "simplified approach" for "standard" safety instrumented functions (SIFs)
    - Referenced by Petroleum Safety Authority regulations (in Norway):

    Guidance to § 42 in the Activity regulations: [...] When preparing the maintenance programme as mentioned in the first paragraph, the standard NS-EN ISO 20815:2008 appendix I and the CEI/IEC 60300-3-11 standard may be used in the area of health, working environment and safety. For activities as mentioned in the second and third paragraphs, in the area of health, working environment and safety, a) the ISO 13702 standard Appendix C7, the IEC 61508 standard, and OLF Guidelines No. 070 revision 2 should be used for safety systems, b) the emergency shutdown system should be verified in accordance with the safety integrity levels stipulated on the basis of the IEC 61508 standard and OLF's Guidelines 070 revision 2.

    Guidance to § 7 in the Facility regulations: [...] For design of safety functions as mentioned in the first paragraph, the ISO 13702, NORSOK S-001 revision 4 and IEC 61508 standards and OLF guidelines No. 70 revision 2 should be used. [...] In order to stipulate the performance for the safety functions as mentioned in the second paragraph, the IEC 61508 standard and OLF guidelines No. 70 revision 2 should be used where electrical, electronic and programmable electronic systems are used in constructing the functions.

  • Slide 4

    In OLF 070, an alternative is proposed to the full risk based deduction of SIL requirements.

    [Figure: document regime in OLF 070. Labels: Minimum SIL tables; Compliance report; SAR; Data and analysis methods (PDS); FSA plan; SRS rev.]

  • Slide 5

    Best practice design of safety systems (following standards, NORSOK and authority regulations) is acceptable, given a standard offshore platform.

    Risk reduction according to min. SIL tables

  • Slide 6

    Scope of OLF 070

    Aligned with the life cycle phases of IEC 61511 (and in principle also the life cycle phases of IEC 61508)

  • Slide 7

    Key concepts

    Global safety function: Fire and explosion hazard safety functions that provide protection for one or several fire cells. Example: emergency shutdown, isolation of ignition sources and emergency blowdown.

    Local safety function: Process equipment safety functions that provide protection for one specific process equipment unit. Example: high level protection of a production separator.

    Functional safety assessment: An investigation (independent review), based on evidence, to judge the functional safety achieved by one or more protection layers. Performed at specified stages.

    [Figure: life cycle diagram with verification at each phase, validation (e.g., site acceptance test), and functional safety assessments FSA no. 1, 2, 3, 4 and x at specified stages.]

  • Slide 8

    Functional safety assessment

  • Slide 9

    Key assumptions and limitations

    EUC definitions: OLF 070 defines a number of typical EUCs onboard offshore fixed and mobile oil and gas installations. It is assumed that the EUC may be protected by global and/or local safety functions.

    Approach: OLF 070 represents an alternative to the fully risk based approach for determining SIL that is suggested in IEC 61508 and IEC 61511.

    Rationale: [...] enhance standardization across the industry, and also avoid time-consuming calculations and documentation for more or less standard safety functions.

    Process outlined in OLF 070

  • Slide 10

    OLF 070 process to SIL determination

    Hazard identification (HAZID) is required!
    - Multi-discipline team
    - Reference to ISO 17776, Guidelines on tools and techniques for identification and assessment of hazardous events

    Issues to consider (and to be compared to standard design of offshore installations):
    - Properties of fluid being handled
    - Human intervention with the EUC
    - Novelty and complexity of the installation
    - Need for "special" protection functions
    - And so on

    Objective is to answer: Are there any reasons why this particular installation deviates from standard / typical offshore installations?

  • Slide 11

    OLF 070 process to SIL determination

    Definition of safety functions: Describe the safety functions required (from the HAZID) and with support from standards:
    - Local safety functions: Tables in ISO 10418 (ISO 10418 also gives requirements to how deviations from conventional design, such as the use of HIPPS instead of PSV, shall be documented)
    - Global safety functions: NORSOK S-001, I-001, PSA regulations, input from QRA, and from the fire and explosion strategy (following ISO 13702)
    - Check if they are covered by the minimum SIL tables
    - Check if additional components need to be added for fail-safe operation: hydraulic supply, UPS, etc.

  • Slide 12

    OLF 070 process to SIL determination

    SIL allocation: First, apply the minimum SIL table:
    - Select SIL requirements for each safety (instrumented) function from the minimum SIL tables
    - Verify, if not already done, that the overall risk acceptance criteria are met (by using the minimum SIL as input to QRA)

    The minimum SIL table should ensure that the performance of "typical/standard" safety functions is equal to or better than today's standard (best practice).

    Note: The minimum SIL table applies basically to risk to personnel. Requirements for local safety functions assume that a secondary level of protection (e.g., a PSV) is available.

  • Slide 13

    OLF 070 process to SIL determination

  • Slide 14

    OLF 070 process to SIL determination

    Handling deviations:
    - Functional deviations (functions not covered by the minimum SIL table). Example: HIPPS
    - Integrity deviations, due to high demand rate or high accumulated demand rate (for example if a high number of risers needs protection)
    - Consequence deviations, due to special considerations such as layout, process conditions, manning, etc.

    [Figure: methods shown: LOPA, risk graph, risk matrix. Event tree for "Overpressure protection fails": PSD isolation fails, then HIPPS isolation fails, with CCF (HIPPS/PSD) between the two layers. The PFD of each layer is taken from the minimum SIL table or found by calculating the PFD of the proposed technical solution. Acceptance criteria (e.g., 10^-5 for exceeding test pressure).]


  • Slide 17

    OLF 070 process to SIL determination

    Development of the safety requirement specification:

    [Figure: SRS (SIS) containing, for SIF1, SIF2, ..., SIFn: EUC boundaries; assumptions; functional requirements; safety integrity requirements.]

  • Slide 18

    OLF 070 process to SIL determination

    SIS design and engineering:
    - Organization and resources: defining responsible parties in all SIS lifecycle phases
    - Planning: Making a plan (with responsible persons/departments) and supporting procedures (e.g., for testing and design reviews) that include activities for verification, validation, and FSA
    - V-model: Suggested in IEC 61511 for software development, but the principles may apply to SIS design in general

  • Slide 19

    OLF 070 process to SIL determination

    SIS design and engineering (cont.): Deducing design and performance requirements from SIL requirements:
    - PFD or PFH
    - Architectural constraints
    - Avoidance and control of systematic failures

    Visit IEC 61508 or IEC 61511 for guidance

  • Slide 20

    OLF 070 process to SIL determination

    SIS design and engineering (cont.): On the calculation of PFD or PFH

    [Figure: input data feeding the PFD (or PFH) calculation.]

    - Experience data (e.g., OREDA) or more generic data sources
    - Selection must be justified
    - Assumptions must be documented
    - Conservative estimates for failure rates (λ) to be selected
    - Any certificates must be included
    - Proper selection of relevant failure modes must be made (from experience data, estimates based on MIL-HDBK-217F, etc.)
    - OLF 070 suggests values for: β-factors (based on various sources and expert judgments); safe failure fraction (SFF)
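The PFD calculation described on this slide, and the deviation check on the "handling deviations" slide (PSD isolation, then HIPPS isolation, with CCF between the two layers and an acceptance criterion for exceeding test pressure), as an added worked example. This code is not from the lecture, the PDS method or OLF 070: it uses the conventional textbook MooN approximation with a β-factor CCF term and the IEC 61508 low-demand SIL bands, and the layer-to-layer CCF model in `exceed_test_pressure_frequency` is a simplified assumption of this example. All failure rates, test intervals, β values and the demand rate are constructed.

```python
# Added example (not from the lecture or OLF 070): low-demand PFD_avg for a
# MooN voted group using the standard beta-factor approximation, the IEC 61508
# low-demand SIL bands, and a LOPA-style frequency check for the overpressure
# event tree (PSD isolation, then HIPPS isolation, with CCF between layers).
# All numbers are constructed for illustration.
from math import comb

# IEC 61508 low-demand bands for PFD_avg: SIL -> [lower, upper)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_1oo1(lam_du, tau):
    """Average PFD of a single channel with dangerous undetected rate lam_du
    (per hour) and proof-test interval tau (hours): lam_du * tau / 2."""
    return lam_du * tau / 2


def pfd_moon(lam_du, tau, m, n, beta=0.0):
    """Approximate PFD_avg of an MooN group (M of N channels must work).

    Independent part: at least N-M+1 of the N channels must be failed at the
    same time, PFD_ind ~ C(N, N-M+1) * (lam_ind*tau)^(N-M+1) / (N-M+2).
    Common cause part (beta-factor model): beta * lam_du * tau / 2, i.e. a
    1oo1 term that takes out all channels at once. Conventional textbook
    approximation; the PDS method's own CCF treatment is not reproduced.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    if n == 1:
        return pfd_1oo1(lam_du, tau)  # no redundancy, beta has no meaning
    k = n - m + 1                     # channels that must fail to lose the function
    lam_ind = (1 - beta) * lam_du
    pfd_ind = comb(n, k) * (lam_ind * tau) ** k / (k + 1)
    pfd_ccf = beta * lam_du * tau / 2
    return pfd_ind + pfd_ccf


def sil_from_pfd(pfd):
    """Highest SIL whose low-demand band contains pfd; 0 if PFD >= 0.1.
    A PFD below 1e-5 lies under the SIL 4 band; no higher claim exists."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in sorted(SIL_BANDS.items(), reverse=True):
        if lo <= pfd < hi:
            return sil
    return 4


def exceed_test_pressure_frequency(demand_rate, pfd_psd, pfd_hipps, beta_layers):
    """Frequency (per year) that both isolation layers fail on demand.
    Assumption of this example: a fraction beta_layers of demands sees a
    common cause that defeats both layers, modelled with the mean of the
    two PFDs; the remaining demands see the layers fail independently."""
    p_both = ((1 - beta_layers) * pfd_psd * pfd_hipps
              + beta_layers * (pfd_psd + pfd_hipps) / 2)
    return demand_rate * p_both


def overpressure_case(acceptance=1e-5):
    """Constructed deviation case: 1oo1 PSD plus 1oo2 HIPPS, one demand per year."""
    tau = 8760.0                                   # yearly proof test
    psd = pfd_1oo1(1e-6, tau)                      # single PSD isolation valve
    hipps = pfd_moon(1e-6, tau, 1, 2, beta=0.05)   # 1oo2 HIPPS final elements
    freq = exceed_test_pressure_frequency(1.0, psd, hipps, beta_layers=0.02)
    return {"pfd_psd": psd, "sil_psd": sil_from_pfd(psd),
            "pfd_hipps": hipps, "sil_hipps": sil_from_pfd(hipps),
            "frequency": freq, "acceptable": freq < acceptance}


if __name__ == "__main__":
    for key, val in overpressure_case().items():
        print(f"{key:>12}: {val}")
```

In the constructed case the PSD layer lands in SIL 2 and the 1oo2 HIPPS in SIL 3, yet the event frequency is about 4.7e-5 per year, above the 1e-5 criterion, because the 2 % layer-to-layer CCF term dominates the product of the two PFDs. Setting `beta_layers` to zero brings the frequency to about 1e-6, which is why the slide's event tree carries an explicit CCF (HIPPS/PSD) branch: independence between the layers, not the SIL of each layer, decides whether the deviation is acceptable.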

  • Slide 21

    OLF 070 process to SIL determination

    SIS design and engineering (cont.): On the selection of components and design principles

    Sensor: Various types of transmitters, switches, and also (manually operated) pushbuttons
    - Manufacturers that claim conformance to IEC 61508 must provide documentation of this (e.g., certificates)
    - Prior use must be claimed by the end user
    - Independent from other field devices and systems
    - Line monitoring of power supply and signaling lines
    - Mounting so that accidental isolation and hydrate formation are avoided
    - Use comparison of pressure readings from different sensors
    - Diagnostic coverage to be estimated (rules for maximum credit taken from comparison of pressure readings)

  • Slide 22

    OLF 070 process to SIL determination

    SIS design and engineering (cont.): On the selection of components and design principles

    Logic solver: Hardwired, solid state, programmable logic solvers (PLC)
    - Manufacturers that claim conformance to IEC 61508 must provide documentation of this (e.g., certificates)
    - Prior use must be claimed by the end user
    - Hardware architecture must be described (CPU, I/O typicals, interface modules)
    - Software may be documented according to the V-model (or similar)
    - Procedures must be made for how to initiate, implement, and verify application software changes

  • Slide 23

    OLF 070 process to SIL determination

    SIS design and engineering (cont.): On the selection of components and design principles

    Final elements: Valves, solenoid valves, circuit breakers, fire doors, dampers, etc.
    - Manufacturers that claim conformance to IEC 61508 must provide documentation of this (e.g., certificates)
    - Prior use must be claimed by the end user
    - Any local control panel must be lockable (to avoid inadvertent or unauthorized operation of valves)
    - Considerations may be made to the use (and the effect of using) partial stroke testing (valves)

  • Slide 24

    OLF 070 process to SIL determination

    SIS design and engineering (cont.): On the selection of components and design principles

    Utility systems: Electrical power (generators or UPS), hydraulic power, pneumatics
    - Must have sufficient capacity
    - Redundancy may be needed (if the recipient components are redundant, or if loss of utility may lead to insufficient performance of a safety function)

  • Slide 25

    OLF 070 process to SIL determination

    SIS design and engineering (cont.): On the selection of components and design principles

    Human-machine interface (HMI): VDU stations in control room, critical alarm panel in control room, local equipment rooms, cabinets in field, and so on
    - Any failure of the HMI shall not adversely affect the ability of the SIS to perform its safety functions
    - If operators need to respond to an alarm: this must be included as elements in the SIF and follow the SIL requirement
    - System in place to monitor and display status for inhibits, overrides, blockings (may consider removing the overriding capability for SIL 3 functions)

  • Slide 26

    OLF 070 process to SIL determination

    SIS design and engineering (cont.): On the selection of components and design principles

    Independence
    - Physical independence between different SISs (performing different types of safety functions, such as PSD, ESD, F&G) is preferred
    - SISs shall be independent from the process control system (status information from the SISs is sometimes provided, to reduce the complexity of e.g. the PSD and ESD system)
    - In practice, there are some dependencies among SISs and between SISs and process control, from sharing components (e.g., sensors and valves) and common communication channels. Sufficient functional independence has been introduced as a concept in this respect.

    Some reports have been published on this particular issue, see e.g.: Hauge, S., Onshus, T., Øien, K., Grøtan, T.O., Holmstrøm, S., Lundteigen, M.A. (2006): "Uavhengighet av sikkerhetssystemer offshore - status og utfordringer" (Independence of safety systems offshore - status and challenges). STF50 A06011 (82-14-03884-7)

    Additional guidance is also provided in appendix G in OLF 070

  • Slide 27

    Document regime in OLF 070

  • Slide 28

    Document regime in OLF 070

    Safety requirement specification (SRS): One per SIS
    - Includes the functional and the safety integrity requirements
    - Includes also key assumptions and system boundaries
    - See IEC 61511, part 1, or appendix E in OLF 070 for a list of content

    Safety analysis report (SAR): One per component or subsystem (delivered by the same manufacturer)
    - System description, including operational modes, system topology, and block diagrams
    - Input data to reliability calculations (failure rates, diagnostic coverage, MTTR, etc.)
    - System behavior under fault conditions and in response to detected faults
    - Measures taken to avoid and control systematic failures
    - If relevant: PFD calculations and compliance to architectural constraints
    - Application software management
    - More details in appendix E of OLF 070

    Compliance report: One per SIS
    - Shows how all the SIFs that are performed by the SIS meet the requirements in the SRS

  • Slide 29

    Operation and maintenance

    Operation and maintenance planning:
    - Shall be done during the design phase
    - Shall include preparation of procedures and practices for operation of the SIS during normal operation, start-up, functional testing, maintenance
    - Preparation of procedures for how to respond to dangerous detected failures, and for setting/handling of overrides and bypasses
    - Procedures for reporting non-conformities, such as inadequate reliability (of a SIF) or deviations from initial assumptions regarding e.g. demand rates
    - Scheduling of testing and maintenance activities
    - Allocation of responsibilities for operation and maintenance
    - Preparation (and initiation) of training of personnel
    - Preparation of data collection strategies and systems
    - Preparation of a program for continuous improvement of SIS operation, SIS maintenance and SIS follow-up
    - Identifying (and making available) documentation (from design) that is of relevance for the operational phase
    - Establish procedures for management of change

    Functional testing is an issue that needs to be addressed in an early design phase. There are many examples where a particular design makes adequate functional testing almost impossible.

    In the operational phase: Ensure proper implementation of the plan.

  • Slide 30

    Modifications (Management of change)

    A modification may be a change other than a replacement in kind:
    - Introducing a component with different characteristics
    - New test intervals or new test procedures
    - Set point changes
    - Changes in operating procedures
    - Changes in operating environment or process conditions
    - Changes in the SRS
    - Inadequate SIS performance (too many recorded failures)
    - Increased (or decreased) demand rate
    - Software changes (application software, firmware)

    The purpose of management of change is to:
    - Maintain the SIL (or retain the SIL)
    - Ensure that a return is made back to the appropriate life cycle phase to ensure proper implementation of the change

  • Slide 31

    Special topics: Background for minimum SIL

    Methods in use:
    - (Simplified) reliability block diagrams that are based on commonly agreed best practice implementation of global and local SIFs
    - PDS method for including common cause failures
    - PDS reliability data, in combination with consideration of other reliability sources and expert judgments

  • Slide 32

    Special topics: Background for minimum SIL

    [Figure: local safety function.]

  • Slide 33

    Special topics: Background for minimum SIL

    [Figure: global safety function.]

  • Slide 34

    Special topics: Quantification of PFD

    Reference is made to the most recent PDS method edition (2010). (The current OLF 070 uses old notations.)

  • Slide 35

    Special topics: Follow-up of SIS / Procedures for updating test intervals

    [Figure: "Simple" approach. Plot of PFD(t) versus time t over the test interval, with the average PFDavg marked.]

    Challenges: The required PFD must be deduced for each specific component, for each specific safety instrumented function.

  • Slide 36

    Special topics: Follow-up of SIS / Procedures for updating test intervals

    More comprehensive approach:
    - Step 1: Specify the initial parameters of the SIF (failure rate, test interval, and M and N in an MooN configuration)
    - Step 2: Identify the acceptance criteria
    - Step 3: Express the uncertainty about the (initial) failure rate, expressed as U1 and U2
    - Step 4: Specify the number of failures during a specified time period and update the failure rate estimate (specified time period: the accumulated time = observation time x number of equipment)
    - Step 5: Perform failure cause analysis: Is it possible to eliminate some of the recorded failures in the calculations? (optional)
    - Step 6: Update the functional test interval based on the new data
    - Step 7: Verify the results and make adjustments according to restriction rules
    - Step 8: Make a trend analysis
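Steps 1 to 8 above as one runnable procedure, added here as an example; it is not the PDS forum's published method, nor code from OLF 070 or the lecture. The failure-rate update is the standard gamma-Poisson (Bayesian) update with the prior weight expressed as an equivalent observation time (`prior_hours`), which stands in for the slide's U1/U2 uncertainty parameters, whose definition is not on the page. The PFD_avg ≈ λτ/2 relation assumes a 1oo1 function. The restriction rules in `update_test_interval` (at most a factor-of-two change per update, a maximum interval) and the trend threshold are assumptions of this example, as are all input values.

```python
# Added example (not the PDS forum's procedure, nor OLF 070 code): a runnable
# version of the eight follow-up steps for updating the failure rate and the
# proof-test interval of a SIF in operation. Prior weight, restriction rules,
# thresholds and all input values are assumptions of this example.
import math
from dataclasses import dataclass


@dataclass
class SifParams:
    """Step 1: initial parameters of the SIF (1oo1 assumed for the PFD formula)."""
    lam_du: float        # initial dangerous undetected failure rate, per hour
    tau: float           # current proof-test interval, hours
    prior_hours: float   # equivalent experience behind lam_du (assumed, stands in for U1/U2)
    pfd_required: float  # Step 2: acceptance criterion for PFD_avg


def accumulated_time(observation_hours, n_units):
    """Step 4: accumulated time = observation time x number of equipment."""
    return observation_hours * n_units


def update_failure_rate(p, failures, observation_hours, n_units, excluded=0):
    """Steps 3-5: gamma-Poisson update. The prior counts as lam_du*prior_hours
    failures over prior_hours; 'excluded' are failures removed after the
    (optional) cause analysis, e.g. failures shown not to affect the SIF."""
    if excluded > failures:
        raise ValueError("cannot exclude more failures than were recorded")
    t_acc = accumulated_time(observation_hours, n_units)
    prior_failures = p.lam_du * p.prior_hours
    return (prior_failures + failures - excluded) / (p.prior_hours + t_acc)


def update_test_interval(p, lam_new, tau_max=2 * 8760.0, max_change=2.0):
    """Step 6: from PFD_avg ~ lam*tau/2, tau = 2*PFD_required/lam_new.
    Step 7: assumed restriction rules: change by at most a factor max_change
    per update and never exceed tau_max; rounded down to whole hours so the
    rounded interval still meets the criterion."""
    tau_raw = 2 * p.pfd_required / lam_new
    tau_new = min(tau_raw, tau_max, p.tau * max_change)
    tau_new = max(tau_new, p.tau / max_change)
    return math.floor(tau_new)


def trend(rates, worsening_factor=1.5):
    """Step 8: flag a worsening trend when the latest estimate exceeds the
    initial one by more than worsening_factor (assumed threshold)."""
    return rates[-1] / rates[0] > worsening_factor


def follow_up(p, failures, observation_hours, n_units, excluded=0):
    """Run steps 3-8 and report whether the restricted interval still meets
    the acceptance criterion; if not, step 7 must escalate the deviation."""
    lam_new = update_failure_rate(p, failures, observation_hours, n_units, excluded)
    tau_new = update_test_interval(p, lam_new)
    pfd_new = lam_new * tau_new / 2
    return {"lam_new": lam_new, "tau_new": tau_new, "pfd_new": pfd_new,
            "meets_criterion": pfd_new <= p.pfd_required,
            "worsening": trend([p.lam_du, lam_new])}


if __name__ == "__main__":
    sif = SifParams(lam_du=1e-6, tau=8760.0, prior_hours=2e6, pfd_required=5e-3)
    # constructed: three years on five identical transmitters, three DU failures recorded
    print(follow_up(sif, failures=3, observation_hours=3 * 8760, n_units=5))
```

With three failures on five units over three years, the updated rate is about 2.3 times the initial one, the raw interval would drop to about 4263 hours, and the factor-of-two restriction holds it at 4380 hours. The resulting PFD_avg (about 5.1e-3) is then above the 5e-3 criterion, so the `meets_criterion` flag is the output step 7 needs in order to escalate rather than silently accept the restricted interval. With no failures observed the interval lengthens, and the rounding-down keeps the new PFD_avg within the criterion.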

  • Slide 37

    Special topics: Follow-up of SIS / Procedures for updating test intervals

    Recent approach developed through the PDS forum:

    - Lundteigen, Mary Ann and Hauge, Stein, "Management of safety integrity in the operational phase", Volume 2010, issue 1 of "Inside functional safety".
    - Hauge, Stein, Lundteigen, Mary Ann, and Rausand, Marvin, "Updating failure rates and test intervals in the operational phase: A practical implementation of IEC 61511 and IEC 61508". In Risk, Safety and Reliability. CRC Press 2009, ISBN 978-0415555098, pp. 1715-1722.
    - Hauge, Stein; Lundteigen, Mary Ann. Guidelines for follow-up of Safety Instrumented Systems (SIS) in the operation phase. Trondheim: SINTEF 2008.

    More information (slides):
    - http://folk.ntnu.no/lundteig/Publications/2010-proveforelesning-lundteigen-final.pdf
    - http://folk.ntnu.no/lundteig/Publications/lundteigen-esrel2009-final.pdf
