Guideline IEC Appendices
OLF Recommended Guidelines for the application of IEC 61508 and IEC 61511 in the petroleum activities on the Norwegian Continental Shelf No.: 070 Date effective: 01.02.2001 Revision no.: 01 Date revised: NA 1 of 46
CONTENT
APPENDIX A  BACKGROUND FOR MINIMUM SIL REQUIREMENTS ... 2
APPENDIX B  EXAMPLES ON HOW TO DEFINE EUC ... 21
APPENDIX C  EXAMPLES ON HOW TO HANDLE DEVIATIONS ... 24
APPENDIX D  ESTIMATION OF PROBABILITY OF FAILURE ON DEMAND ... 29
APPENDIX E  LIFECYCLE PHASES FOR A TYPICAL OFFSHORE PROJECT ... 37
APPENDIX F  COLLECTION AND ANALYSIS OF RELIABILITY DATA ... 39
APPENDIX A BACKGROUND FOR MINIMUM SIL REQUIREMENTS
A.1
This appendix documents the background for the minimum SIL requirements as presented in Table 7.1, section 7.6, of this guideline. The formulas used in the calculations are discussed in Appendix D. When stating minimum SIL requirements like the ones given in this guideline, one main objective should be to ensure a performance level equal to or better than today's standard. In this regard, there are certain considerations to be made in order to avoid that the stated criteria actually result in a relaxation of the safety level. Some of these considerations are discussed below:
When using conservative failure rates and/or long test intervals for calculating the failure probability of a given function, the resulting $\mathrm{PFD} = \lambda_{DU} \cdot \tau / 2$ becomes high. Accordingly, a low SIL value will be claimed for the function, resulting in a non-conservative requirement in the minimum SIL table. Consequently, it is important that the input data fed into the calculations in this appendix are realistic, both with respect to the failure rates being representative for new equipment and with respect to the test intervals.
For several important safety functions, the failure probability on demand seems to be in the order of $1 \cdot 10^{-2}$ (e.g. $1.1 \cdot 10^{-2}$) when calculating the PFD using standard reliability data and test intervals. If this results in a SIL 1 requirement, there are two aspects to be kept in mind: (1) in such a case the PFD can vary between 0.1 and 0.01, and (2) as discussed above, the historical data from e.g. OREDA and PDS might be conservative for new equipment. Therefore, as a general rule in this appendix, a SIL N requirement has been claimed when the calculated PFD is in the lower end of the interval of SIL N-1. E.g. when the estimated $\mathrm{PFD} = 1.1 \cdot 10^{-2}$, a SIL 2 requirement is given. This is also in line with the NPD requirement for continuous improvements.
The failure data, which are presented below and used in the "generic quantifications", are considered to be typical values, often used in previous calculations of this type. However, it is stressed that these values should not be used uncritically in future calculations. Actually, some of the input data may now be outdated, and more importantly, in actual calculations it is crucial that application-specific data are applied whenever available and documented. Another important aspect concerns the failure rate $\lambda_{DU}$, which is the rate of critical failures undetectable by automatic self-test. The $\lambda_{DU}$ values applied in the example calculations assume a certain diagnostic coverage, which is given by the applied data source (mainly PDS, see below). It is therefore important that during the process of SIL verification, the assumed diagnostic coverage factors are properly documented. This requirement will, in addition, follow from the documentation of hardware safety integrity, ref. Tables 2 and 3 in IEC 61508-2, where requirements to (amongst others) diagnostic coverage (DC) and safe failure fraction (SFF) are given depending on the claimed SIL. For the examples given here, some details are omitted, e.g. barriers, relays and signal adapters. In the final calculations, to prove compliance, all components and modules that may influence the PFD of the function have to be included. In addition to the PFD requirements, all other requirements have to be fulfilled to prove compliance.
A.2
Data dossier
This section contains a collection of the reliability data used in the calculations. With respect to the applied failure rates, these are to a large degree based upon the PDS report Reliability Data for Control and Safety Systems, 1998 Edition which is considered the most up to date database for the referred equipment.
Table A.1 Assumed failure data (notes and sources to the table)
Components: XV/ESV incl. actuator; Blowdown valve incl. actuator; X-mas tree valves - Wing valve (WV), Master Valve (MV); Down Hole Safety Valve DHSV; Solenoid / pilot valve; Circuit Breaker < 600 V; Circuit Breaker 6 kV - 10 kV; Fire water pump.
1) Reliability Data for Control and Safety Systems, 1998 Edition (PDS).
2) Coverage of self-test has increased during the last years, and in particular the rate of the flame detector now seems high.
* No TIF values are given for the detectors since the definitions of F&G functions in Table 7.1 assume an exposed detector, whereas the TIFs given in PDS include the likelihood of the detector not being exposed.
Experience indicates that this failure rate is high, e.g. compared to the FTO rate of valves.
Same failure rate for blowdown valves as for ESVs has been assumed.
Fire water pump: 1 critical failure in 400 demands; Prob. fail to start = 2.5·10^-3, Prob. fail to open = 5·10^-3.
Sources: Internal SINTEF data (includes the failure modes Fail To Close (FTC) and leakage in closed position); Reliability Data for Control and Safety Systems, 1998 Edition (PDS); T-Boken: Reliability data of components in Nordic nuclear power plants, rev. 3.
This value is better than the observed, but increased testing should make this value realistic.
Table A.2 Assumed test intervals
Component | Test interval (months) | Test interval (hours) | Comments / assumptions
Transmitters | 12 | 8760 |
Fire and gas detectors | 12 | 8760 |
Logic incl. I/O card (single PLC) | 6 | 4380 | 6 months interval for ESD might be optimistic; OK for PSD and F&G
Topside valves (ESV/XV/blowdown) | 6 | 4380 | Taking into consideration that such valves occasionally trip. In addition to the full stroke functional testing (e.g. once every year), partial stroke testing can be performed, which will reveal most failures
DHSV | 6 | 4380 | When installed, these valves might be tested as often as each month, increasing to every third month and then to twice a year
Solenoid / pilot valve | 6 | 4380 |
Circuit Breakers | 24 | 17520 |
Fire water pumps | - | - |
Deluge valve | - | - |
Table A.3 below summarises the above input data with respect to resulting PFD (probability of failure on demand), i.e. $\mathrm{PFD} = \lambda_{DU} \cdot \tau / 2$. When Table A.1 presents several values (as for the TIF-probability), one value within the interval is chosen in Table A.3. Finally, some "typical" β-factors are also included in Table A.3. This is partly based on the PDS Reliability Data (1998 Edition), letting 2 p 2 2. The PDS values for some components are combined values for random hardware and systematic failures. However, Table A.3 provides separate β-factors for these two failure categories. An analysis performed for Norsk Hydro (Tune) is another source for the β-factors for random hardware failures presented in Table A.3. This Hydro analysis applied the IEC 61508 approach for calculating some β-factors. According to these data sources the suggested β-values are perhaps somewhat optimistic. All values for random hardware failures are within the range that follows from the IEC approach, i.e. 0.5% < β < 5% for logic, and 1% < β < 10% for sensors and actuators. It is stressed that Table A.3 in no way presents "the recommended values". They are simply "typical values" to be used in the "example calculations".
Table A.3 Summary of component reliability. Values used in example calculations.
Component | Test interv. (months) | Fail. rate λ_DU (per 10^6 hrs) | PFD | TIF prob. | β-factor 5)
Pressure transmitter | 12 | 0.1 | 0.44·10^-3 | 3·10^-4 |
Level transmitter | 12 | 0.1 | 0.44·10^-3 | 3·10^-4 |
Temperature transmitter | 12 | 0.1 | 0.44·10^-3 | 3·10^-4 |
Smoke detector | 12 | 0.8 | 3.50·10^-3 | 5·10^-4 2) |
Heat detector | 12 | 0.5 | 2.19·10^-3 | 5·10^-4 2) |
Flame detectors, conventional | 12 | 2.1 | 9.20·10^-3 | 5·10^-4 2) |
Gas detector, catalytic | 12 | 0.6 | 2.63·10^-3 | 5·10^-4 2) |
IR Gas detector, conv. point detector | 12 | 0.7 | 3.07·10^-3 | 5·10^-4 2) |
IR Gas detector, line | 12 | 0.7 | 3.07·10^-3 | 5·10^-4 2) |
Logic incl. I/O card (single PLC) | 6 | 1.6 | 3.50·10^-3 | 1·10^-4 |
XV/ESV incl. actuator | 6 | 1.3 | 2.85·10^-3 | 5·10^-6 |
Blowdown valve incl. actuator | 6 | 1.3 1) | 2.85·10^-3 | 5·10^-6 |
X-mas tree valves (WV, MV) | 6 | 0.8 | 1.75·10^-3 | 3) |
Down Hole Safety Valve DHSV | 6 | 2.0 | 4.38·10^-3 | 3) |
Solenoid / pilot valve | 6 | 1.4 | 3.07·10^-3 | - 4) | 6)
Circuit Breaker, < 600 V | 24 | 0.34 | 2.98·10^-3 | |
Circuit Breaker, 6 kV - 10 kV | 24 | 0.18 | 1.58·10^-3 | |
Fire water pump (fail to start) | - | - | 2.5·10^-3 | |
Deluge valve incl. actuator, solenoid and pilot valve (fail to open) | - | - | 5.0·10^-3 | |
1) Use the same FTO rate as for XV/ESV, even if this is another failure mode (here Fail-To-Open).
2) Suggested TIF-probability, given exposed detector.
3) It is suggested to use the same TIF-probability as for XV/ESV.
4) TIF-probability for pilot is included in the figure for main valve/actuator.
5) Value applies to dangerous undetectable random hardware failures (duplicated system). Values in parentheses apply for systematic failures (TIF).
6) β = 10% for pilot valves on the same valve, otherwise β = 2%.
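Added example (not code from the guideline or from PDS): the single-component formula and the series summation used in this appendix, carried through in Python for a few rows of Table A.3 and for the PAHH function of Table A.6, with a mapping to SIL bands. The cut-off used for the appendix's "lower end of SIL N-1" rule is an assumption, since the text gives only one example of it.

```python
# Added worked example (not part of the OLF guideline): recomputes single-component PFD
# figures of Table A.3 from lambda_DU and the test interval, sums them along a series RBD
# as the appendix does for the PAHH function (Table A.6), and maps the result to a SIL band.
from math import floor, log10

HOURS_PER_YEAR = 8760.0  # the tables use 12 months = 8760 h, 6 months = 4380 h


def pfd_single(lambda_du_per_1e6h: float, test_interval_months: float) -> float:
    """PFD = lambda_DU * tau / 2 for one periodically proof-tested component."""
    lam = lambda_du_per_1e6h * 1e-6                      # failures per hour
    tau = test_interval_months * HOURS_PER_YEAR / 12.0   # test interval in hours
    return lam * tau / 2.0


def pfd_series(pfds) -> float:
    """Series RBD (every block must work): first-order sum, as the tables use."""
    return sum(pfds)


def sil_band(pfd: float) -> int:
    """Low-demand SIL band of a PFD: SIL n <=> 10^-(n+1) <= PFD < 10^-n; 0 = below SIL 1."""
    if pfd >= 0.1:
        return 0
    return min(4, -floor(log10(pfd)) - 1)


def claimed_sil(pfd: float, lower_end_factor: float = 2.0) -> int:
    """The appendix's convention: claim SIL N when the PFD lies in the lower end of the
    SIL N-1 interval (its example: 1.1e-2 -> SIL 2). 'Lower end' is ASSUMED here to mean
    below lower_end_factor times the interval's lower bound; the page does not define it."""
    band = sil_band(pfd)
    if band in (0, 4):
        return band
    lower_bound = 10.0 ** -(band + 1)
    return band + 1 if pfd < lower_end_factor * lower_bound else band


# Rows of Table A.3: (component, lambda_DU per 1e6 h, test interval in months, PFD on the page)
TABLE_A3 = [
    ("Pressure transmitter", 0.1, 12, 0.44e-3),
    ("Smoke detector", 0.8, 12, 3.50e-3),
    ("Flame detector, conventional", 2.1, 12, 9.20e-3),
    ("Logic incl. I/O card (single PLC)", 1.6, 6, 3.50e-3),
    ("XV/ESV incl. actuator", 1.3, 6, 2.85e-3),
    ("Solenoid / pilot valve", 1.4, 6, 3.07e-3),
    ("Circuit breaker < 600 V", 0.34, 24, 2.98e-3),
]


def table_a3_mismatches(rel_tol: float = 0.01):
    """Recompute each row; return the rows whose recomputed PFD differs by more than rel_tol."""
    bad = []
    for name, lam, months, page_pfd in TABLE_A3:
        calc = pfd_single(lam, months)
        if abs(calc - page_pfd) / page_pfd > rel_tol:
            bad.append((name, calc, page_pfd))
    return bad


def pahh_function_pfd() -> float:
    """Table A.6: transmitter, PSD logic, ESV/XV and solenoid in series (one of each)."""
    return pfd_series([
        pfd_single(0.1, 12),   # pressure transmitter
        pfd_single(1.6, 6),    # PSD logic incl. I/O
        pfd_single(1.3, 6),    # ESV/XV incl. actuator
        pfd_single(1.4, 6),    # solenoid / pilot valve
    ])


if __name__ == "__main__":
    for name, calc, page in table_a3_mismatches():
        print(f"mismatch: {name}: computed {calc:.2e}, page {page:.2e}")
    pfd = pahh_function_pfd()
    print(f"PAHH function: PFD = {pfd:.4f}, band SIL {sil_band(pfd)}, "
          f"claimed SIL {claimed_sil(pfd)}")
```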
Table A.4 Local safety functions - Assumed demand rates
Safety function | Assumed average demand rate per year (planned testing not included)
Process segregation (through PSD) (closure of several valves) | 3
PSD functions: PAHH/LAHH/LALL (closure of one critical valve) | 5/5/5 (per installation)
PSD function: LAHH on flare KO drum (detection and transfer of SD signal) | 0.1
PSD function: TAHH/TALL (closure of one critical valve) | 3/3 (per installation)
PSD function: PALL (primary protection against leakage) | NA

Global safety functions - Assumed demand rates
Safety function | Assumed average demand rate per year (planned testing not included)
ESD segregation (closure of one ESD valve) | 3
Depressurisation (blow down); (opening of one BD valve) | 2
Isolation of well; (shut in of one well) | 3 (per well) (10 PSD isolations of inlet per well)
Isolation of riser; (shut in of one riser) | 3 (per riser) (10 PSD isolations of inlet per riser)
Fire detection; (alarm signal generated, processed and necessary action signals transmitted) | 2 (per installation)
Gas detection; (alarm signal generated, processed and necessary action signals transmitted) | 8 (per installation)
Electrical isolation; (signal giving action processed in F&G logic and electrical ignition sources removed) | 10
Deluge; (fire water demand signal processed in Fire & Gas logic, start of fire pump, and opening of deluge-valve) | 1
A.3
PSD functions
Figure A.1 Process segregation through PSD (PT, PSD logic, ESD logic, PSD and ESD solenoids, ESV 1, XV 2 and XV 3 around the separator)
The function segregation of process section is here defined by the PSD system receiving and processing some signal (e.g. a PALL or a shutdown signal from the ESD system), which activates closure of ESV 1, XV 2 and XV 3 in order to isolate the vessel. The function starts where the signal is generated (not including the transmitter or the ESD system) and ends with, and includes, the closing of all the necessary valves. The transmitter is not included as this function is most probably activated on an ESD demand. Requirements for the PT are covered by the function PAHH in A.3.2. It should be noted that the specific valves needed for segregation depend on the situation, as some of the valves used in the segregation will be nice to have while others will be essential. The hazard analysis will pinpoint the essential valves/actions, and only these valves should be included in the PSD function. This is further discussed in sections A.3.2 to A.3.5 below, where specific process deviations are considered.
Figure A.2 RBD for process segregation through PSD (PSD logic, 3 solenoids, ESV1, XV2 and XV3 in series)
Table A.5
Component | No. of components
PSD logic | 1
Solenoids | 3
Valves (ESV1, XV2, XV3) | 3
Total function | -
As seen, the PFD is estimated to be 0.02, and a SIL 1 requirement seems achievable based on a pure quantitative consideration.
Figure A.3 PAHH, LAHH and LALL functions (PT/LT transmitter to PSD logic and ESD logic, PSD/ESD solenoids, ESV 1, XV 2 and XV 3 around the separator)
It is here assumed that:
- A PAHH will only close the inlet valve(s), not the outlet valves;
- A LAHH will close the same valves as a PSHH;
- A LALL will only close the valve on the liquid outlet.
The function starts inside the process where the high pressure or level is detected, and ends within the process with closing of the valve.
It should be noted that in the above definition it is assumed that there is one common inlet valve to the separator. However, the PSD functions PAHH and LAHH might depend upon closure of several valves if there is more than one line into the separator and no common inlet valve. In such a case a separate evaluation should be performed in order to evaluate whether a lower SIL requirement than given below (SIL 2) is acceptable.
Figure A.4 RBD for PAHH, PALL and LALL (Transmitter, PSD, Solenoid and ESV/XV in series).
Table A.6 PFD for Process segregation through PSD
Component | No. of components | Total PFD | Total TIF
Transmitter | 1 | 0.44·10^-3 | 3·10^-4
PSD logic + I/O | 1 | 3.50·10^-3 | 1·10^-4
ESV/XV | 1 | 2.85·10^-3 | 0.5·10^-5
Solenoid | 1 | 3.07·10^-3 | -
Total function | | 0.010 | 4.1·10^-4
Here PFD is estimated to be 0.0099 ≈ 0.01, and a SIL 2 requirement seems achievable based on a pure quantitative consideration.
Figure A.5 LAHH in flare KO drum (LT to PSD logic and LT to ESD logic, each giving a signal out)
As indicated on the figure, shutdown as a result of LAHH in the flare KO drum can be executed through the PSD system, the ESD system or through both. A possibility, not shown on the figure, could be that one common transmitter is applied to send a signal to both the PSD and the ESD system. Hence, the function starts inside the process where the high level is expected, and ends at the unit(s) intended to perform the action (these units are not included).
The PFD values for relevant single and duplicated components are presented in Table A.7. The resulting PFD values for the function are presented in Table A.8 (for all three solutions).
Figure A.6 RBDs for LAHH in flare KO drum (Solutions 1, 2 and 3): Solution 1: LT and ESD (or PSD); Solution 2: one LT feeding both ESD and PSD; Solution 3: LT1 with ESD and LT2 with PSD.
Table A.7 PFD input for LAHH in flare KO drum
Component | PFD, single component | PFD, duplicated comp. | TIF, single component | TIF, duplicated comp.
LT | 0.44·10^-3 | 0.88·10^-5 | 3·10^-4 | 1.5·10^-5
PSD/ESD logic + I/O | 3.50·10^-3 | 3.50·10^-5 | 1·10^-4 | 5·10^-5
Table A.8
Solution
1. PSD (or ESD) alone
2. PSD and ESD; single LT
3. PSD and ESD; separate LTs
Thus, a SIL 3 requirement seems achievable given that the function is implemented through both the PSD and ESD system (i.e. if Solution 1 is not chosen).
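Added example (not the guideline's own code): the three solutions of Table A.8 computed from the Table A.7 inputs, with a duplicated component modelled by the β-factor common-cause term only. The β values are the ones implied by the duplicated rows of Table A.7; adding TIF to PFD as a combined unavailability is an assumption of this example.

```python
# Added worked example (not part of the OLF guideline): LAHH in flare KO drum, Solutions
# 1-3 of Table A.8. A duplicated (1oo2) component keeps only the common-cause share
# PFD_dup = beta * PFD_single; the independent-failure term is neglected, which is what the
# duplicated figures in Table A.7 imply (0.88e-5 = 0.02 * 0.44e-3, 3.5e-5 = 0.01 * 3.5e-3).
from math import floor, log10

# Single-component figures from Table A.7 (PFD, TIF)
LT = {"pfd": 0.44e-3, "tif": 3e-4}
LOGIC = {"pfd": 3.50e-3, "tif": 1e-4}

# Common-cause fractions implied by the duplicated-component rows of Table A.7
BETA_LT_PFD, BETA_LT_TIF = 0.02, 0.05
BETA_LOGIC_PFD, BETA_LOGIC_TIF = 0.01, 0.50


def duplicated(single: dict, beta_pfd: float, beta_tif: float) -> dict:
    """1oo2 (duplicated) component under the beta-factor model: only the common-cause share remains."""
    return {"pfd": beta_pfd * single["pfd"], "tif": beta_tif * single["tif"]}


def series(*blocks) -> dict:
    """Series RBD: the function needs every block; PFD and TIF are summed (first order)."""
    return {"pfd": sum(b["pfd"] for b in blocks), "tif": sum(b["tif"] for b in blocks)}


def sil_band(value: float) -> int:
    """Low-demand SIL band: SIL n <=> 10^-(n+1) <= value < 10^-n; 0 means below SIL 1."""
    if value >= 0.1:
        return 0
    return min(4, -floor(log10(value)) - 1)


def lahh_solutions() -> dict:
    """Table A.8 layouts keyed 1-3 as on the page; each entry gives PFD, TIF, their sum
    (ASSUMPTION: systematic share added to the random hardware PFD) and the SIL bands."""
    dup_logic = duplicated(LOGIC, BETA_LOGIC_PFD, BETA_LOGIC_TIF)
    dup_lt = duplicated(LT, BETA_LT_PFD, BETA_LT_TIF)
    layouts = {
        1: ("PSD (or ESD) alone", series(LT, LOGIC)),
        2: ("PSD and ESD; single LT", series(LT, dup_logic)),
        3: ("PSD and ESD; separate LTs", series(dup_lt, dup_logic)),
    }
    out = {}
    for n, (name, r) in layouts.items():
        combined = r["pfd"] + r["tif"]
        out[n] = {"name": name, **r, "combined": combined,
                  "sil_pfd": sil_band(r["pfd"]), "sil_combined": sil_band(combined)}
    return out


if __name__ == "__main__":
    for n, r in lahh_solutions().items():
        print(f"{n}. {r['name']}: PFD={r['pfd']:.2e} TIF={r['tif']:.2e} -> "
              f"SIL {r['sil_pfd']} on PFD alone, SIL {r['sil_combined']} with TIF included")
```

With TIF included, Solution 3 stays within the SIL 3 band rather than reaching SIL 4 on PFD alone, which is why the page claims SIL 3 for the duplicated solutions.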
A.4
Figure A.7 ESD sub-function (PSD logic and ESD logic with their solenoids acting on ESV 1; XV 2 and XV 3 shown around the separator)
As seen from Figure A.7, the ESD sub-function is defined as closure of one valve through the ESD system. In order to increase the reliability of the sub-function, it will also be possible to include activation of the ESV through the PSD-system by a separate PSD solenoid. The function starts at the unit giving the demand (unit not included), and ends within the process with the valve.
Figure A.8 RBD for ESD sub-function (Segregation through ESD with one ESD valve): ESD, Solenoid and ESV in series.
Table A.9 PFD for Segregation through ESD
Component | No. of components | Total PFD | Total TIF
ESD logic + I/O | 1 | 3.50·10^-3 | 1·10^-4
ESV | 1 | 2.85·10^-3 | 0.5·10^-5
Solenoid | 1 | 3.07·10^-3 | -
Total function | | 0.009 | 1.1·10^-4
Here PFD is estimated to be 0.009, and based on a pure quantitative consideration a SIL 2 requirement seems achievable for this ESD sub-function. A quantitative risk analysis should be conducted to verify that the minimum SIL-requirement gives an overall acceptable risk when all the ESD valves are taken into consideration. The following should then be considered:
- number of ESD-valves needed to isolate each fire area
- scenarios where the system is demanded (e.g. leak and fire scenarios)
- process conditions (pressure, temperature) and duration of leaks and fires
- common cause failures etc.
A.5
Blowdown
The function starts at the unit giving the demand (unit not included), and ends with the inventory having free access through the BDV. The probability of successful manual blowdown activation is not included in the definition of the function. Figure A.9 illustrates the sub-function blowdown.
Figure A.9 Blowdown sub-function (demand, ESD logic, solenoid and BDV to flare; separator with ESV 1 and XV 2 shown for context)
Figure A.10 RBD for blowdown sub-function: ESD, Solenoid and BDV in series.
Table A.10
Component: ESD logic + I/O; BDV; Solenoid / pilot; Total function
Here the PFD is estimated to be 0.009, and based on a pure quantitative consideration a SIL 2 requirement seems achievable for the Blowdown sub-function. A quantitative risk analysis should be conducted to verify that the minimum SIL-requirement gives an overall acceptable risk. The following should be considered:
- number of blowdown-segments in each fire area
- scenarios where the system is demanded (fire scenarios)
- process conditions (pressure, temperature) and duration of fires
- common-cause failures
A.6
Isolation of well
All valves (WV, MV & DHSV) are assumed hydraulically fail-safe, and one of the valves electrically fail-safe. There may exist additional means for removing the hydraulic power to the valves. The function starts at the unit where the demand is initiated (unit not included), and ends with the valves shutting in the well. Depending on the scenario having triggered the demand for isolation, one of the three valves will be sufficient to isolate the well. However, in the event of a fire in the wellhead area, the well should be isolated by the DHSV. The well or inlet to the platform will also be isolated due to PSD demands, but these are not included in this function. Depending on for example the event and C&E, this may cause a demand on the same valves or other valves.
Figure A.11 Isolation of well (ESD demand, ESD node, HPU, wing valve, master valve and DHSV; production manifold to inlet separator)
Figure A.12 RBD for isolation of well (ESD logic, PSD, "ESD solenoid", solenoids 1-3, WV, MV and DHSV)
The calculations are presented in Table A.11, and the result in Table A.12. The quantifications assume common cause failure between the master and the wing valve, but not between MV/WV and DHSV. The essential contribution is from the ESD-system. In addition, the quantification here gives a small contribution from common cause failures of the solenoids, (as the IEC model gives the same result for common cause failure, irrespective of whether there is a 1oo2, 1oo3 or 1oo4 configuration).
Table A.11
Component
The standard β-factor model used here gives (essentially) the same result for the 1oo4, 1oo3 and 1oo2 voting (cf. Appendix D). A more refined modelling would give a better value for 1oo3 with a factor 3.
Table A.12
Solution
1. Separate solenoids for MV, WV and DHSV. Additional "ESD solenoid" to remove hydraulic power to valves. 1)
1) Would be 3.5·10^-3 if the more refined β-factor model for 1oo3 (1oo4) voting of solenoids was applied.
Here PFD is estimated to be 0.0036, and based on a pure quantitative consideration a SIL 2 requirement is achievable for the isolation of a single well. By introducing a redundant ESD-logic (1oo2 voting), the example calculation would give $\mathrm{PFD} = 4 \cdot 10^{-5}$, and SIL 3 is clearly achievable. Since isolation of the well is considered a crucial safety function, and since three valves are available for isolation, a SIL 3 requirement has been stated. As observed, this can be achieved by introducing redundancy with respect to safety in the ESD logic. A quantitative risk analysis should be conducted to verify that the minimum SIL-requirement gives an acceptable risk when the total number of wells is taken into consideration. The following should be considered:
- Number of wells
- Production / injection wells with or without gas-lift
- Wells in connection with special operations, such as wireline, coiled tubing, workover, testing, cleanup, etc.
A simplified example of how a verification of the stated SIL 3 requirement can be performed using QRA, is given in Appendix C.2.
A.7
Isolation of riser
The sub-function starts at the unit where the demand is initiated (unit not included), and ends with the valve closing towards the riser. The sub-function is illustrated in Figure A.13 below.
Figure A.13 Isolation of riser (demand, ESD logic and riser ESV; production manifold to inlet separator)
A.8
Fire detection
Note that the fire detection sub-function is defined in terms of one single detector.
Figure A.14 RBD for fire detection: Detector and F&G in series.
Table A.13
Function
Failure data for detectors and logic are considered conservative. Diagnostic coverage for fire detectors has increased during the last years. If a fire central or some other logic is used to interface between the detector and the F&G, this has to be included in the calculations.
A.9
Gas detection
The F&G detection system will have different actions based on configuration of the logic. There are different actions depending on where the gas is detected, and typically for new platforms (signal is given at 20% of LEL):
- 1ooN detectors will give an alarm in CCR.
- 1ooN detectors in non-hazardous areas will give electrical isolation of this area.
- 2ooN in any area will give electrical isolation and stop production.
Here, the gas detection sub-function is defined in terms of one single detector.
Table A.14 PFD and TIF results for gas detection sub-function (i.e. single detector)
Function | PFD for function | TIF-probability for function
1. Catalytic detector | 0.006 | 6·10^-4
2. IR gas detector, conven. point det. | 0.007 | 6·10^-4
3. IR gas detector, line detector | 0.007 | 6·10^-4
From the table it is seen that a SIL 2 requirement is achievable. It should be noted that in Appendix D.7, some example calculations have been performed for different types of gas detection voting configurations.
A.10
Electrical isolation
The function starts at the unit initiating the demand (unit not included), and ends when the equipment is isolated. Electrical isolation is initiated by the F&G detection system. There are different actions depending on where the gas is detected. On new platforms, 1ooN detection in a non-hazardous area gives electrical isolation of this area, while 2ooN in any area isolates this area or shuts down main power.
Figure A.15 RBD for electrical isolation: F&G and circuit breakers (x6).
Table A.15
Component | No. of components
F&G logic + I/O | 1
Circ. Breaker (600V) | 6
Total Function | -
A.11
Deluge
The function starts at the unit initiating the demand (unit not included), and ends when there is water flowing through the deluge valve.
Figure A.16 Reliability block diagram for deluge function (ending with the deluge valve)
Table A.16 PFD results for deluge
Component | Voting | PFD per component | System PFD | System TIF
F&G logic + I/O | 1oo1 | 3.5·10^-3 | 3.50·10^-3 | 1·10^-4
Fire water pump | 1oo2 | 2.5·10^-3 | 0.13·10^-3 |
Deluge valve | 1oo1 | 5.0·10^-3 | 5.00·10^-3 |
Total function | | | 0.009 | 5.1·10^-4
APPENDIX B EXAMPLES ON HOW TO DEFINE EUC
IEC 61508 does not give any particular requirements as to how the EUC should be defined. Hence, it is entirely within the hands of those who wish to claim conformance to the standard to define the scope and boundary of the system to be considered. The important point will be that the EUC boundaries are clearly defined, and in a manner such that all the relevant hazards to be considered in later lifecycle stages can be identified and described. However, since definition of the EUC is an important aspect of IEC 61508, sections 7.3.1 and 7.3.2 of the guideline briefly discuss how the EUC can be defined for local and global safety functions respectively. In this appendix, an example of a possible EUC definition is given for each of these types of safety functions.
B.1
With respect to identification of hazards against which the local safety functions will protect, this is normally done through the HAZOP and SAT analyses. Consequently, an appropriate EUC definition would be parallel to the definition of process components applied in ISO 10418 (i.e. API RP 14C), i.e. the definition should include the process unit and associated piping and valves. Consider a process with a high-pressure separator for two-phase separation of oil and gas. A simplified schematic of the separator is shown in Figure B.1 together with an indication of a possible EUC definition. Protection of the separator is designed according to ISO 10418, with a primary and secondary barrier against undesirable events. The local safety functions for the separator are implemented through the PSD system and the PSV.
Figure B.1 Separator with PSD valves (XV), PSV and control valve, with the EUC boundary indicated
Hence, for this example the EUC boundaries are defined in terms of the PSD valves, which are used to isolate the separator during different PSD scenarios (ref. Appendix A.3).
B.2
Global safety functions on an offshore installation may include the following functions:
The purpose of these functions will be to prevent abnormal conditions, e.g. a process leakage, from developing into a major hazardous event, and further to control and mitigate the effects from such an event. Typically, the installation will be divided into several fire areas. For process areas, emergency shutdown valves will usually be located within and at the boundaries of the fire area, e.g. next to a firewall, in order to prevent an escalation of the event from one area to another. Hence, when considering fire and explosion events, a fire area seems an appropriate definition of the Equipment Under Control (EUC). This is illustrated in Figure B.2 below.
Figure B.2 EUC defined as a fire area: process segments 1 and 2 with ESD valves A, B and C on the production line (PB = pushbutton, S = split)
For this example, the EUC comprises process segments 1 and 2, whereas process segment 3 has been separated from segment 2 by a firewall and is therefore here considered as a separate EUC.
One important motivation for defining the EUC in terms of a fire area will be the associated possibility of defining an acceptable EUC risk as required by IEC 61508/61511. With respect to acceptance criteria, the operators will have different types, which often will have the format of:
- an overall acceptance criterion for the installation (e.g. given in terms of an acceptable Fatal Accident Rate, FAR), and
- different criteria related to the main safety functions, such as loss of escape routes, safe haven and evacuation means, as well as criteria related to loss of structural integrity and escalation of the event.
Whereas the overall FAR criterion will normally not be very suitable for defining acceptable EUC risk, the escalation criterion appears to be more applicable. This criterion would typically be defined in terms of the acceptable annual frequency for escalation of an event to another area. For the above example, the acceptable EUC risk could for example be defined as follows: For a fire or explosion event originating in process segment 1 or 2, i.e. within the EUC, escalation to another area on the installation shall not occur with an accumulated frequency above $1 \cdot 10^{-4}$ per year.
It should be noted that when using the minimum SIL table as given in section 7.6 of the guideline, the EUC definition and the definition of an acceptable EUC risk will mainly apply to the handling of deviations.
When defining the EUC as indicated above, this may well include several process segments and several blowdown sections connected by process shutdown valves. Furthermore, with respect to electrical isolation, the extent of actual isolation will vary considerably depending on where gas is detected, and will also interact closely between the different areas. For the above example (Figure B.2), gas detection in process segment 3 would typically initiate electrical isolation both in this area and in the EUC under consideration. If found more suitable, it might be considered to define the EUC in terms of several fire areas, e.g. all the hazardous areas on the installation as one EUC, and the non-hazardous areas as another EUC. As indicated initially in this chapter, the important point will be to define the EUC in a manner such that all relevant hazards can be identified.
C.1
Assume a separator as shown in Figure C.1 below, without sufficient PSV capacity to protect against certain process situations; i.e. overpressure is here the defined hazard. Furthermore, a HIPPS solution is being considered in addition to the available PSD function.
[Figure C.1 Separator with PSD and HIPPS overpressure protection; labels in the figure: PSD, HIPPS, PT (pressure transmitters), Separator]
The following quantitative method could be applied for determining the required SIL for this HIPPS function:
1. Define the EUC and its control system.
2. Define exactly the overpressure scenario(s) to be considered and appropriate acceptance criteria. The latter might be expressed as an acceptable upper frequency for exceeding the test pressure of the separator, e.g. 1·10^-5 per year.
3. Consider which additional safety functions are available to protect the separator against the defined overpressure scenario(s). This could be the PSD function (if confirmed to be sufficiently quick), manually initiated ESD (depending on available operator response time), partial PSV (might provide some protection by reducing the speed of pressure build-up), etc.
4. Estimate the frequency of events with a potential to cause a demand on the defined overpressure protection functions. Consider including the risk reduction provided by the EUC control system, keeping in mind that failure of the control system may be a potential cause of the demand in the first place (common cause).
5. Roughly estimate the effect of the identified safety functions other than HIPPS, in terms of potential risk reduction.
6. Estimate the resulting (residual) requirement on the HIPPS function in order to achieve the stated acceptance criteria.
In addition to providing a SIL requirement for the HIPPS function, this method will also result in quantitative requirements for the other available safety functions.
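The six steps above worked through in code, as an added example that is not part of the guideline: the residual PFD the HIPPS must achieve is the acceptance frequency divided by the summed frequency of overpressure events that the other layers fail to stop, and the common-cause warning of step 4 is applied by refusing control-system credit for demands that the control system itself causes. Only the 1·10^-5 per year criterion comes from the text; the scenarios, demand rates, layer PFDs and control-system credit are constructed, and the SIL bands are the IEC 61508 low-demand bands.

```python
from dataclasses import dataclass, field

# IEC 61508 low-demand PFD bands: SIL -> (lower bound inclusive, upper bound exclusive)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


@dataclass
class OverpressureScenario:
    """One overpressure scenario from step 2, with the data gathered in steps 3 to 5."""
    name: str
    demand_rate: float                                     # initiating events per year (step 4)
    other_layers_pfd: dict = field(default_factory=dict)   # steps 3/5: layer name -> PFD
    control_system_rrf_credit: float = 1.0                 # step 4: factor (<= 1) credited to the EUC control system
    caused_by_control_system: bool = False                 # step 4: the demand is itself a control-system failure

    def unprotected_frequency(self, credit_control_system_always=False):
        """Frequency per year of exceeding the test pressure if the HIPPS does nothing.

        Common-cause caveat from step 4: the control system is not credited against a
        demand that originates in its own failure, unless the caller insists."""
        f = self.demand_rate
        if credit_control_system_always or not self.caused_by_control_system:
            f *= self.control_system_rrf_credit
        for pfd in self.other_layers_pfd.values():
            f *= pfd        # assumption: the other layers fail independently of each other
        return f


def required_hipps_pfd(scenarios, acceptance_per_year=1e-5, credit_control_system_always=False):
    """Step 6: residual PFD target for the HIPPS over all scenarios (1.0 = no HIPPS needed)."""
    total = sum(s.unprotected_frequency(credit_control_system_always) for s in scenarios)
    if total <= acceptance_per_year:
        return 1.0
    return acceptance_per_year / total


def sil_for_pfd(pfd):
    """IEC 61508 SIL band containing a PFD target; None if no band applies."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


# Constructed scenarios for the separator of Figure C.1 (illustrative values only).
SCENARIOS = [
    OverpressureScenario("blocked outlet", demand_rate=0.1,
                         other_layers_pfd={"PSD (confirmed quick enough)": 0.05, "partial PSV": 0.5},
                         control_system_rrf_credit=0.1),
    OverpressureScenario("inlet control valve fails open", demand_rate=0.3,
                         other_layers_pfd={"PSD (confirmed quick enough)": 0.05, "manual ESD": 0.8},
                         control_system_rrf_credit=0.1, caused_by_control_system=True),
]

if __name__ == "__main__":
    target = required_hipps_pfd(SCENARIOS)
    print(f"HIPPS must achieve PFD <= {target:.2e} -> SIL {sil_for_pfd(target)}")
    naive = required_hipps_pfd(SCENARIOS, credit_control_system_always=True)
    print(f"crediting the control system against its own failure would give SIL {sil_for_pfd(naive)}")
```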
C.2
Personnel risk
Generally, risk acceptance criteria used by operators on the Norwegian continental shelf define an upper limit on the acceptable risk, using varying measures for risk to personnel, environment and assets. The overall risk acceptance criteria are normally not split per accidental event. This allows for some degree of flexibility, i.e. it is possible to tolerate a higher risk from process accidents, as long as this is compensated by a reduction in the risk from other accident categories, in order to ensure that the total risk level is acceptable. The ALARP principle is widely used, implying that the risk should be reduced to a level as low as reasonably practicable. ALARP is normally demonstrated using cost/benefit evaluations, with risk reducing measures being implemented when e.g. the cost of averting a fatality is not prohibitively high.
In order to verify whether or not the standard Safety Integrity Levels will result in an acceptable overall risk level, a more detailed analysis is required. Example calculations are given below.
Assumptions
The installation considered has a process layout as indicated in Figure C.2 below. This includes:
- Five production wells with standard wellhead configuration.
- A wellhead area segregated from other areas with an H-120 fire division.
- A production manifold located in the wellhead area, separated from the oil and gas separation process by an ESD valve.
[Figure C.2 Process layout: Wellhead Area with manifold (Mani.), separated by H-120 firewalls from the HP Separator, Utility and LQ/Accommodation areas]
General
To limit the inventory available to feed any leak, all wells must be shut in, and the ESD valve downstream of the production manifold must close. Closing in wells can typically be achieved by closing at least one of the following valves:
- DHSV
- Upper master valve
- Production wing valve
Note that the DHSV is the only valve that can prevent flow to surface in the event of damage to the wellheads. A minimum SIL of 3 has been set for isolation of each well, in accordance with the specifications given in this guideline. Section A.6 indicates that this is achievable with current-day technology. This SIL requirement is used to establish a probability of isolation failure for further use in the risk model.
[Figure: Event tree for a leak in the production manifold. Branches: Leak frequency [per year], Detection, Successful isolation (ESD), Immediate ignition, Delayed ignition; End events numbered 1 to 12]
In order to produce a quantitative example using the above event tree, the following input is used:
- A leak in the production manifold (or associated piping) is assumed to occur with a frequency of, say, 5·10^-3 per year (see footnote 1).
- The likelihood of immediate ignition of the leak is assumed to be in the order of 10%, with a 2.5% and 5% likelihood of delayed ignition for scenarios with successful and unsuccessful ESD, respectively (see footnote 2).
- The manifold area is assumed to be covered by a sufficient number of gas detectors.
- With isolation of a well being a SIL 3 function, the probability of failure to isolate one or more wells in a wellhead area with five producing wells can be approximated by (1 - 0.999) x 5 = 0.005.
Using the above data and assumptions in the example event tree, the quantitative example will be as indicated in Figure C.4 below.
1) This example considers one release scenario only. It should be noted that available data indicate that the majority of leaks will be of a very limited size and can be considered not to have a significant escalation potential (naturally, this will depend on the layout of the installation).
2) Here, a detailed QRA would take into account ignition sources in the wellhead area and possibly use a time-dependent ignition model to determine installation-specific ignition probabilities.
Figure C.4 Quantified event tree for a leak in the production manifold (leak frequency 5.00E-03 per year; branch probabilities as in the figure)

End event | Detection | Isolation (ESD) | Immediate ignition | Delayed ignition | Frequency [per year] | P(Escalation) | F(Escalation) [per year]
1 | Yes (0.9) | Yes (0.995) | Yes (0.1) | - | 4.48E-04 | 0.00 | 0.00E+00
2 | Yes (0.9) | Yes (0.995) | No (0.9) | Yes (0.025) | 1.01E-04 | 0.25 | 2.52E-05
3 | Yes (0.9) | Yes (0.995) | No (0.9) | No (0.975) | 3.93E-03 | 0.00 | 0.00E+00
4 | Yes (0.9) | No (0.005) | Yes (0.1) | - | 2.25E-06 | 0.95 | 2.14E-06
5 | Yes (0.9) | No (0.005) | No (0.9) | Yes (0.06) | 1.22E-06 | 0.95 | 1.15E-06
6 | Yes (0.9) | No (0.005) | No (0.9) | No (0.94) | 1.90E-05 | 0.00 | 0.00E+00
7 | No (0.1) | Yes (0) | Yes (0.1) | - | 0.00E+00 | 0.00 | 0.00E+00
8 | No (0.1) | Yes (0) | No (0.9) | Yes (0.05) | 0.00E+00 | 0.25 | 0.00E+00
9 | No (0.1) | Yes (0) | No (0.9) | No (0.95) | 0.00E+00 | 0.00 | 0.00E+00
10 | No (0.1) | No (1) | Yes (0.1) | - | 5.00E-05 | 0.95 | 4.75E-05
11 | No (0.1) | No (1) | No (0.9) | Yes (0.05) | 2.25E-05 | 0.95 | 2.14E-05
12 | No (0.1) | No (1) | No (0.9) | No (0.95) | 4.28E-04 | 0.00 | 0.00E+00
Sum | | | | | 5.00E-03 | | 9.74E-05

Intermediate frequencies shown in the figure: detection 4.50E-03 / no detection 5.00E-04 per year; isolation after detection 4.48E-03 / isolation failure 2.25E-05; isolation after no detection 0.00E+00 / isolation failure 5.00E-04.
The above example indicates that the acceptance criterion of 1·10^-4 per year with respect to escalation can be met, but with small margins, using a SIL 3 requirement for isolation of wells. It should be noted that several other options for risk reduction exist that could be considered had the above approach indicated that the risk was unacceptable, or if the margin to the acceptance criterion is considered too small, e.g.:
- Reduction of the number of leak sources in the manifold system (lower leak frequency)
- Reduction or improved maintenance of potential ignition sources (lower ignition probability)
- Improved gas detection
- Improved fire protection on the firewall (lower probability of escalation)
- Change of layout in the wellhead area to reduce explosion overpressure (lower probability of escalation)
It should be stressed that all numbers in the event tree (leak frequency and branch probabilities) are installation specific, and that the above numbers are to be considered examples only.
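The event tree of Figure C.4 recomputed from the inputs listed above, as an added example that is not part of the guideline: it reproduces the 9.74E-05 per year escalation frequency, checks it against the 1·10^-4 criterion, and shows what the margin becomes if well isolation were only a SIL 2 function (the text's approximation 5·10^-SIL for the isolation failure probability is used). The only value not stated in the text is the 0.06 delayed-ignition probability on the detected-but-not-isolated branch, which is read off the figure.

```python
from itertools import product

# Inputs from the text of Appendix C.2 and branch probabilities read off Figure C.4.
LEAK_FREQUENCY = 5e-3          # manifold leak, per year
P_DETECTION = 0.9              # gas detection succeeds
P_IMMEDIATE_IGNITION = 0.1     # "in the order of 10%"


def isolation_failure_probability(sil, wells=5):
    """Text approximation: (1 - (1 - 10^-SIL)) x wells, e.g. (1 - 0.999) x 5 = 0.005 for SIL 3."""
    return 10.0 ** (-sil) * wells


def p_delayed_ignition(detected, isolated):
    """Delayed-ignition probability given no immediate ignition. Figure C.4 uses
    0.06 (not the 5% of the text) on the detected-but-not-isolated branch."""
    if isolated:
        return 0.025
    return 0.06 if detected else 0.05


def p_escalation(isolated, ignition):
    """Escalation probability per end event, from the P(Escalation) column of Figure C.4."""
    if ignition == "none":
        return 0.0
    if ignition == "immediate":
        return 0.0 if isolated else 0.95
    return 0.25 if isolated else 0.95          # delayed ignition


def event_tree(isolation_sil=3):
    """Return the 12 end events of Figure C.4 in order as
    (number, detected, isolated, ignition, frequency, p_escalation, f_escalation)."""
    p_iso_fail = isolation_failure_probability(isolation_sil)
    rows = []
    number = 0
    for detected, isolated, ignition in product((True, False), (True, False),
                                                ("immediate", "delayed", "none")):
        f = LEAK_FREQUENCY * (P_DETECTION if detected else 1 - P_DETECTION)
        p_iso = (1 - p_iso_fail) if detected else 0.0   # no ESD isolation without detection
        f *= p_iso if isolated else 1 - p_iso
        p_del = p_delayed_ignition(detected, isolated)
        if ignition == "immediate":
            f *= P_IMMEDIATE_IGNITION
        elif ignition == "delayed":
            f *= (1 - P_IMMEDIATE_IGNITION) * p_del
        else:
            f *= (1 - P_IMMEDIATE_IGNITION) * (1 - p_del)
        number += 1
        pe = p_escalation(isolated, ignition)
        rows.append((number, detected, isolated, ignition, f, pe, f * pe))
    return rows


def escalation_frequency(isolation_sil=3):
    """Accumulated escalation frequency per year (9.74E-05 for SIL 3 in Figure C.4)."""
    return sum(row[6] for row in event_tree(isolation_sil))


def margin_to_criterion(isolation_sil=3, acceptance=1e-4):
    """Fraction of the acceptance criterion left unused (negative: criterion exceeded)."""
    return 1 - escalation_frequency(isolation_sil) / acceptance


if __name__ == "__main__":
    for n, det, iso, ign, f, pe, fe in event_tree():
        print(f"{n:2d} det={det!s:5} iso={iso!s:5} {ign:9} {f:.2E} {pe:.2f} {fe:.2E}")
    for sil in (2, 3):
        print(f"SIL {sil} well isolation: escalation {escalation_frequency(sil):.2E} per year, "
              f"margin {margin_to_criterion(sil):+.1%}")
```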
First, we give the following definitions, related to safety unavailability (SU) as defined in the PDS method (cf. refs. /1/ and /2/):
CSU = Critical Safety Unavailability. The probability that the safety system, due to an unrevealed fault, will fail to automatically carry out a successful safety action on the occurrence of a hazardous/accidental event. Using the notation of IEC, this parameter includes contributions both from random hardware failures (in particular undetectable dangerous failures) and from systematic failures (cf. TIF).

NCU = Non-Critical Unavailability. The probability that the safety system, due to a revealed fault or inhibition, will fail to automatically carry out a successful safety action on the occurrence of a hazardous/accidental event. In PDS there are two contributions to NCU: 1) failures that are detected cause unavailability due to repair, 2) inhibition due to functional testing being carried out. Thus we may write NCU = NCU1 + NCU2.

TIF = The probability of Test Independent Failures. This is the probability that a component that has just been functionally tested will fail on demand (applies to FTO failures only). Essentially, TIF represents a quantification of what in IEC 61508 is referred to as systematic failures.

CSU1 = Critical safety unavailability due to unrevealed hardware failures. This is the part of CSU which is not related to systematic failures, and so depends on the period of functional testing, $\tau$ (e.g. for a single system, $CSU_1 = \lambda_{DU}\tau/2$). The notation CSU1 is introduced here and was not used in PDS. Thus, in PDS there are three contributors to SU, see Fig. D1. In this method the main measure for SU is CSU = CSU1 + TIF, while NCU is a "secondary" measure. In IEC 61508 the parameter PFD is used as a measure for SU:

PFD = Probability of Failure on Demand. Includes unavailability due both to unrevealed failures (cf. CSU) and to revealed failures (cf. NCU). However, there are limitations: PFD does not include contributions from systematic failures (cf. TIF) or from inhibition during functional testing (cf. NCU2). So PFD is quite different from the CSU used in PDS. Since the PFD does not include the contribution from systematic failures (TIF), we may write: PFD = CSU1 + NCU1. So CSU1 is the common part of CSU and PFD. To get a good overview of the safety performance of a system, we claim that all the above elements of SU should be quantified separately. Now, the following topics should be investigated:
1. How are failures classified in IEC and PDS? What is the difference?
2. How is CSU1 quantified in PDS and IEC, respectively?
3. How should NCU be quantified?
4. What are the arguments for quantifying the TIF probability, also when IEC 61508 is applied?
5. What is the recommended synthesis of IEC and PDS? That is, what is the recommended approach for SU quantification, adhering to IEC, but at the same time not losing the aspects of the PDS method that are important for a realistic evaluation of safety systems?
[Figure D.1 Relation between CSU (used in PDS) and PFD (used in IEC 61508); the figure shows the elements CSU1, TIF and CSU (used in PDS)]
These topics are treated below. It is attempted to adhere to the IEC method and notation. The standard gives rather complex (but approximate) formulas for PFD (without providing proper arguments for these). When the expressions for PFD in IEC are split to give separate expressions for CSU1 and NCU1, we do not agree on all the formulas obtained. So the expressions for CSU1 and NCU1 presented below will differ somewhat from those that can be derived from the IEC standard. Further, the presentation below applies $\beta$-factors and not p-factors (as used in PDS). So far we restrict the treatment to the voting logics 1oo1, 1oo2, 2oo2 and 2oo3. The following notation applies:
MTTR: Mean Time To Repair for a component
$\tau$: Time interval between proof tests (denoted T1 in IEC 61508)
$\lambda$: Component failure rate
$\beta$: beta-factor for common cause failures (IEC)
The component failure rate is split as follows:
IEC notation | PDS notation | Description
$\lambda_D = \lambda_{DU} + \lambda_{DD}$ | $\lambda_{FTO} = \lambda_{FTO,undet} + \lambda_{FTO,det}$ | Rate of dangerous failures (fail-to-operate failures) per hr
$\lambda_{DU}$ | $\lambda_{FTO,undet}$ | Rate of undetected dangerous failures per hr (i.e. rate of failures which lie outside the coverage of the diagnostic tests)
$\lambda_{DD}$ | $\lambda_{FTO,det}$ | Rate of detected dangerous failures per hr (i.e. rate of failures which are detected by the diagnostic tests)
$\lambda_S = \lambda_{SU} + \lambda_{SD}$ | $\lambda_{SO}$ | Rate of safe failures per hr
$\lambda_{SU}$ | $\lambda_{SO,undet}$ | Rate of undetected safe failures per hr (i.e. rate of failures which lie outside the coverage of the diagnostic tests)
$\lambda_{SD}$ | $\lambda_{SO,det}$ | Rate of detected safe failures per hr (i.e. rate of failures which are detected by the diagnostic tests)
Note 1:
The formulas given below will follow (as closely as possible) the "spirit" of the IEC; in particular by applying the $\beta$-factor model, and considering both CSU1 and NCU1. However, the formulas provided in Appendix B of IEC 61508-6 are rather complex and are not well documented. Thus in Table D1 below new formulas are provided for CSU1, following the PDS handbook /1/ (but replacing p-factors with $\beta$'s).
Note 2:
For NCU1 the handbook /1/ does not provide results. However, the formulas for a kooN-voting given in Table D2 below are rather simple, just expressing the probability of all N "lines" being unavailable due to repair of a dangerous failure. The decision to restrict to dangerous failures again follows the IEC standard. However, it is a question whether the unavailability due to repair of safe detected (SD) failures should also be included. Often, the detection of these failures will prevent a shut-down, and the repair of these is also on-line, thus contributing to NCU1.
Note 3:
As already stated, the IEC approach does not include unavailability due to functional testing. This seems inconsistent, as the unavailability due to repair is included. However, following IEC, we ignore unavailability due to testing in the formulas below. This contribution could easily be added to NCU as $\tau_{inh}/\tau$, where $\tau_{inh}$ is the inhibition period for functional testing of the system (this contribution to SU would usually be added to the function, not to each element?).
Note 4:
The formulas below assume degraded operation by detection/repair of failures. So for instance when a failure is detected on a duplicated system, this failure is repaired on-line, and the system is degraded to a 1oo1 system. On-line repair is carried out also on a single system.
Note 5:
All formulas are actually approximations, valid when $\lambda\tau$ is not too big. For instance a main term like $\lambda_{DU}\tau/2$ is actually an approximation for $(1 - \exp(-\lambda_{DU}\tau))/(\lambda_{DU}\tau)$.
D.2
Failure classification.
The PDS method gives a well-defined and rather detailed failure classification, see Figure D2 below (from /2/).
[Figure D.2 PDS failure classification (from /2/); labels in the figure: Failures; Physical failure; Functional failure; Normal ageing; Design; Human interaction]
The IEC standard classifies failures into two main categories:
- Random hardware failures
- Systematic failures
The definitions are not so detailed. However, the impression is that "random hardware failures" is more or less identical to "physical failures", and that "systematic failures" is more or less identical to "functional failures". The SU caused by the first category (random hardware failures) is quantified in IEC (by PFD), while the SU caused by systematic failures is not quantified there. Thus, the PFD will not include unavailability due to e.g.:
- Failure of a detector to react due to "wrong" location of the detector
- Failure of a detector to discriminate between true and false alarms
- Failure due to software error
- Unavailability of the system due to erroneous inhibition
To make the definitions of safety unavailability in PDS and IEC compatible, and to avoid too much confusion, we here specify TIF to relate entirely to functional failures (= systematic failures) and CSU1 to relate entirely to physical failures (= random hardware failures), see Fig. D2 above. Observe that a category that we could call "maintenance induced hardware failures" (during periodic testing) falls outside this classification. These are physical failures, but will not be covered by the CSU1 formula, as the rate of maintenance induced failures increases with increasing test frequency.
D.3
Calculation of CSU1
The contribution CSU1 comes from dangerous undetected (DU) failures that occur with rate $\lambda_{DU}$ (and are detected in manual tests with interval $\tau$). For redundant systems we also have a contribution to CSU1 where one unit is unavailable due to a repair. According to the IEC formulas we restrict to dangerous failures (with rate $\lambda_D$). However, we should rather also include some safe failures, as these may also result in an on-line repair(?). The formulas for CSU1 are given in Table D1.
Table D1 Formulas for CSU1. The approximate PDS formula corresponds to the first (main) term of each formula. However, in the PDS method, p-factors are used instead of a $\beta$-factor.

Voting | Formula for CSU1 | Comment
1oo1 | $\lambda_{DU}\tau/2$ | Agrees with PDS
1oo2 | $\beta\lambda_{DU}\tau/2 + [(1-\beta)\lambda_{DU}\tau]^2/3 + 2(1-\beta)^2\lambda_{DU}(\tau/2)\lambda_D\,MTTR$ | The approximate PDS formula only applies the first term, caused by common cause DU failures (with p-factors instead of $\beta$). The 2nd term corresponds to two independent DU failures, and the 3rd term represents that one unit has a D failure (being repaired) and the other has a DU failure.
2oo2 | $[\beta + 2(1-\beta)]\lambda_{DU}\tau/2 + 2(1-\beta)^2\lambda_{DU}(\tau/2)\lambda_D\,MTTR$ | The approximate PDS formula only applies the first term, caused by DU failures (with p-factors instead of $\beta$). The 2nd term represents that one unit has a D failure and the other a DU failure.
2oo3 | $\beta\lambda_{DU}\tau/2 + [(1-\beta)\lambda_{DU}\tau]^2 + 6(1-\beta)^2\lambda_{DU}(\tau/2)\lambda_D\,MTTR$ | The approximate PDS formula only applies the first term, caused by common cause DU failures (with p-factors instead of $\beta$). The 2nd term corresponds to two independent DU failures, and the 3rd term represents that one unit has a D failure and another a DU failure.
D.4
Calculation of NCU
When maintenance activity is done while the plant is operating, the safety system is set in the off-line state. The time that the safety system is in the off-line state is in IEC included as a part of the total PFD, and this contribution can become significant if a shorter time interval between proof tests is practised.
Table D2 Formulas for NCU1 (not identical to the formulas in IEC). The main term is the first term of each formula.

Voting | Formula for NCU1 | Comment
1oo1 | $\lambda_D\,MTTR$ | Component repaired
1oo2 | $\beta\lambda_D\,MTTR + [(1-\beta)\lambda_D\,MTTR]^2$ | Repair of both components, either due to a common cause failure or both having an independent failure.
2oo2 | | Repair of both components, due to a common cause failure or both having an independent failure.
2oo3 | | Repair of all three components, due to a common cause failure or all three having an independent failure.

Table D2 presents formulas for the unavailability due to repair (NCU1). As stated above, $NCU_2 = \tau_{inh}/\tau$ could be used as a formula for unavailability during testing. Here $\tau_{inh}$ is the inhibition time during testing.
D.5
In the PDS projects it was well documented that the unavailability of most safety functions is caused by "systematic failures", i.e.:
- Failure of a detector to react due to "wrong" location of detectors
- Failure of a detector to discriminate between true and false alarms
- Insufficient functional test procedure
- Human error during functional test: leaving in by-pass, wrong calibration
- Failure due to software error
These are the main elements of the TIF probability. In PDS it was strongly argued that it is not very sensible to quantify the contribution of hardware failures while leaving out the major contributor to the SU. It is true that it may be more difficult to quantify the TIF probability. However, the PDS project succeeded in providing generic values, and for the TIF of gas detectors an approach for obtaining "plant specific" TIF was also developed, see /3/. It is also possible to establish simpler approaches, e.g. along the lines of obtaining "plant-specific" $\beta$'s as presented in IEC 61508. Regarding the quantification of TIF, we observe that
1. the TIF probability is closely linked to the application ("plant"), and
2. objective data for TIF is often lacking, so that quantification to a larger extent must be based on "subjective" data.
Hence, there are strong arguments for quantifying the TIF probability separately, and not just give the "total" CSU. It is much more informative to have both CSU1 and TIF, than just having the sum CSU.
D.6
Four elements of SU were identified in Section D1. Below we give the "short version" of the definitions:
CSU1 = Safety unavailability due to unrevealed "random hardware failures"
CSU2 = TIF = Safety unavailability due to (unrevealed) "systematic failures". We actually assume all systematic failures by definition to be unrevealed.
NCU1 = Safety unavailability due to revealed "random hardware failures", i.e. safety unavailability due to repair (of detected failures)
NCU2 = Safety unavailability due to functional testing.
Below, some recommendations regarding the approach for quantification of SU for safety systems are summarised:
2) Data requirements
The quantifications require data on failure rates (split on dangerous/safe and undetected/detected), coverage, $\beta$-factor and test interval $\tau$. As far as possible the data should be "plant specific", cf. the IEC approach for obtaining the $\beta$-factor.
3) Dependent failures
Regarding the handling of common cause failures (dependent failures), the use of the $\beta$-factor model was rejected in PDS. The reason is that this model is very bad for comparing say 1oo2, 1oo3 and 2oo3 votings. For instance, from Table D1 it is seen that the main (first) terms for the 1oo2 and 2oo3 votings are identical! If the comparison between these voting logics shall in any way be meaningful, there should be different $\beta$'s for each voting. So either a model with p-factors should be used, or, alternatively, an approach using $\beta$-values that depend on the voting logic! This point is illustrated in Section D.7 below. As stated above, the IEC approach to find "plant-specific" $\beta$-factors is a good principle, and should be adopted in the future. Note that there is no problem in adopting this approach also for p-factors (cf. theme of PDS-forum 2000, see /4/).
4) Various contributions to SU
As discussed above there are various contributions to SU. Which of these should be quantified? As a minimum, CSU1 should always be quantified. However, the importance of systematic failures is well documented (cf. Section D5). The IEC approach of not including the quantification of this contribution to SU will represent a significant step backwards, as compared to the present practice (PDS method). Just a qualitative evaluation of systematic failures necessarily means that there will be less focus on these essential contributions. However, providing separate values for CSU1 and CSU2 = TIF, and not only giving the sum CSU (as in PDS), seems a good idea. So, in conclusion, it is recommended that all four above elements of SU should be cal­culated as part of an overall evaluation of the safety system. Then also PFD (as defined in IEC today) is directly found by adding two of these contributions. However, it is considered unfortunate that PFD mixes the unavailability due to revealed and unrevealed failures, and in the long run this should be changed.
5) Quantification formulas
The formulas for quantification of PFD given in IEC are very complex. "All" such formulas are actually approximations. However, it is strongly suspected that the IEC formulas are by no means the most sensible approximations. The formulas presented above (Sections D3-D4) are significantly simpler, and are recommended as a sounder basis for the quantifications. Whether only the main term corresponding to dependent failures (as used in PDS) or also the contributions from independent failures should be included must be decided for each application, based on the data. In the quantification of unavailability due to repair, not only the rate $\lambda_D$ but also (part of) the rate of safe failures, $\lambda_S$, will often apply. This will require a modification of the formulas given above.
D.7
Example quantification
In this section, some quantifications of k-out-of-N (kooN) votings are carried out, assuming that the $\beta$-factor for a kooN-voting is $\beta_{kooN} = C_{kooN}\,\beta$. Here $\beta$ is the $\beta$-factor given in Table A.3, and $C_{kooN}$ is a "correction factor" taking into account the applied voting logic, see /4/. Since the $\beta$-values in Table A.3 apply for 1oo2, it follows that $C_{1oo2} = 1$. Table D.3 presents the suggested C-factors, which will give results in line with the PDS method (applies for small and moderate $\beta$'s, say up to 10%). This approach will for instance give that the PFD for a 1oo3 voting is significantly lower than for 1oo2, which again has a PFD significantly lower than for 2oo3. The standard $\beta$-factor model, as described in IEC 61508-2, will lack this feature, as the dominant term in all three cases will be $PFD_{kooN} \approx \beta\lambda_{DU}\tau/2$ rather than $PFD_{kooN} \approx \beta_{kooN}\lambda_{DU}\tau/2$, which is used in the present quantification. The N-out-of-N votings are not covered in Table D.3, but for these cases $PFD_{NooN} \approx N\lambda_{DU}\tau/2$ is a suitable approximation.
Table D.3 Suggested correction factors
Voting | $C_{kooN}$
Table D.4 PFD and TIF for gas detectors, 1ooN voting logics (Data from Table A.3).
Component: Gas detector, catalytic IR; Gas detector, conventional IR; Gas detector, line
1·10^-4  0.3·10^-4
Table D.5 PFD and TIF for gas detectors, 2ooN voting logics (Data from Table A.3).
Component | 2oo2 PFD | 2oo2 TIF | 2oo3 PFD | 2oo3 TIF | 2oo4 PFD | 2oo4 TIF
2oo2: PFD 0.005, 0.006; TIF 2·10^-4. 2oo3: PFD 3.2·10^-4, 3.7·10^-4; TIF 2.4·10^-4. 2oo4: 1.1·10^-4, 0.8·10^-4, 1.2·10^-4
Tables D.4 and D.5 have been prepared as a basis for the evaluation of, and choice between, the kooN votings for gas detectors. The tables give the PFD and TIF for the detectors only. The F&G logic solver (PFD = 3.5·10^-3) is the dominant term, and has to be added when the whole function is considered.
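The Table D1 and Table D2 expressions and the voting-dependent $\beta_{kooN} = C_{kooN}\,\beta$ of this section in code, as an added example (not from the guideline or the PDS handbook). It shows the objection of Section D.6, item 3, directly: with a plain $\beta$ the main term is identical for 1oo2 and 2oo3, and only a $C_{2oo3} > 1$ separates them. The NCU1 function generalises the two rows of Table D2 to N lines following the wording of Note 2, which is this example's extension; the rates, $\tau$, $\beta$ and MTTR are constructed, and the $C_{kooN}$ values of Table D.3 are not reproduced here and must be supplied by the caller.

```python
# Failure rates per hour, tau and MTTR in hours, beta as a fraction.

def csu1(voting, lam_du, lam_d, tau, beta, mttr):
    """Table D1: CSU1 for the votings 1oo1, 1oo2, 2oo2 and 2oo3.

    main   : common-cause DU term, beta*lam_du*tau/2 (the PDS main term)
    indep  : one unit's independent DU unavailability over the test interval, (1-beta)*lam_du*tau
    repair : one unit under repair of a D failure while another has a DU failure"""
    main = beta * lam_du * tau / 2
    indep = (1 - beta) * lam_du * tau
    repair = (1 - beta) ** 2 * lam_du * (tau / 2) * lam_d * mttr
    if voting == "1oo1":
        return lam_du * tau / 2
    if voting == "1oo2":
        return main + indep ** 2 / 3 + 2 * repair
    if voting == "2oo2":
        return (beta + 2 * (1 - beta)) * lam_du * tau / 2 + 2 * repair
    if voting == "2oo3":
        return main + indep ** 2 + 6 * repair
    raise ValueError(f"voting {voting} not covered by Table D1")


def ncu1(n, lam_d, beta, mttr):
    """Table D2 for N lines: all N simultaneously under repair of a dangerous failure,
    either by a common cause or each independently. n=1 and n=2 are the rows given in
    the table; larger n follows Note 2 and the 2oo3 comment (generalisation made here)."""
    if n == 1:
        return lam_d * mttr
    return beta * lam_d * mttr + ((1 - beta) * lam_d * mttr) ** n


def pfd(voting, lam_du, lam_d, tau, beta, mttr, c_koon=1.0):
    """PFD = CSU1 + NCU1 (Section D.1) with beta_kooN = C_kooN * beta (Section D.7).
    C_1oo2 = 1 by definition; other C values would come from Table D.3."""
    n = int(voting.split("oo")[1])
    b = c_koon * beta
    return csu1(voting, lam_du, lam_d, tau, b, mttr) + ncu1(n, lam_d, b, mttr)


def main_term(voting, lam_du, tau, beta):
    """The dominant (first) term of Table D1, which the plain beta-factor model makes
    identical for 1oo2 and 2oo3 (the objection in Section D.6, item 3)."""
    if voting == "1oo1":
        return lam_du * tau / 2
    if voting == "2oo2":
        return (beta + 2 * (1 - beta)) * lam_du * tau / 2
    return beta * lam_du * tau / 2


# Constructed data: lam_DU = 1e-6/h, lam_D = 2e-6/h, annual proof test, beta = 10 %, MTTR = 8 h.
DATA = dict(lam_du=1e-6, lam_d=2e-6, tau=8760.0, beta=0.10, mttr=8.0)

if __name__ == "__main__":
    for v in ("1oo1", "1oo2", "2oo2", "2oo3"):
        print(f"{v}: CSU1={csu1(v, **DATA):.3e}  PFD={pfd(v, **DATA):.3e}")
    # A C_2oo3 above 1 (a Table D.3 value would go here) moves 2oo3 clearly above 1oo2:
    print(f"2oo3 with C_2oo3=2: PFD={pfd('2oo3', c_koon=2.0, **DATA):.3e}")
```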
D.8
References
/1/ Reliability Prediction Handbook; Computer-Based Process Safety Systems. SINTEF report STF75 A89023.
/2/ Reliability Quantification of Computer-Based Safety Systems. An Introduction to PDS. SINTEF report STF38 A97434.
/3/ Reliability Data for Control and Safety Systems. 1998 edition. SINTEF report STF38 A98445.
/4/ Beta-factor model in IEC61508 and p-factors in PDS. SINTEF report. In preparation.
Lifecycle phases as described in IEC 61511 with reference to typical offshore project
Risk Analysis and Protection Layer Design
This activity will start in the concept phase and continue into the start of detail engineering. It concludes with a risk analysis report. In the case of major modifications, the report is to be updated. A new risk analysis will normally be conducted when the installation has been some years in operation.
Modification
This activity takes place in the operational phase.
Decommissioning
This activity takes place in the decommissioning phase.
[Figure F1 Reliability data collection and analysis loop; labels in the figure: Improvement measures; Failures; Data analysis (trends, Pareto, CCF, FCA etc.); Extended reliability databases; Manufacturers and vendors; Inform regulator (NPD); Database; Reporting; Follow-up actions]
The OREDA Data Handbook is published every 3-4 years. The OREDA Database is available to most operators on the Norwegian Continental Shelf. See Hansen & Vatn 1999 for PDS Reliability data
systematic failure cause analysis is performed, it is possible to argue that the new installation will experience a lower failure rate ($\lambda_{IMP}$ in Figure F2), and hence maintenance intervals could be increased. The loop in Figure F1 also illustrates that reliability data should be collected and analysed to improve the overall performance. Based on a proper failure cause analysis, it will be possible to implement measures to eliminate some of these failure causes. But a systematic failure cause analysis could also be used to argue improved reliability performance ($\lambda_{UP2}$ in Figure F2) at an earlier stage than what is possible with only statistical evidence ($\lambda_{UP1}$ in Figure F2). The exact procedures for estimating these parameters are shown later on, but the principal issues are shown in Figure F2.
[Figure F2 Failure rate versus time, showing $\lambda_{UP1}$ and $\lambda_{UP2}$]
F.2 F.3
Input to this stage is the SIL requirements from 5 safety requirements allocation. The SIL requirements are defined at a very generic level, and installation-specific conditions are not taken into account. In order to use the SIL requirement for maintenance optimisation, it is necessary to introduce a SIL correction factor, $CF_{SIL}$. The following parameters should at least be considered:
- f: change in demand rate for the safety function
- C: change in consequence of a safety function failure on demand
- $IA_{SIL}$: Inappropriate SIL value. When the SIL was selected in the first place, the interval levels of 10 may give unreasonable results
Table F1 shows proposed values for the correction factor in different situations.
Table F1 Proposed values for the SIL correction factor
$CF_{SIL}$ | 0.2 | 0.4 | 1 | 3 | 5

For a given SIL requirement, i.e. SIL N, the PFD value to use in maintenance optimisation is given by
$PFD_A = CF_{SIL} \cdot 10^{-N}$   (F1)
F.4
Appendix D presents the formulas for calculating the PFD for a given set of reliability parameters. This section gives a procedure for selecting appropriate initial values for the failure rate. The presentation is for a general failure rate, say $\lambda$, and does not consider specifically the various elements, i.e. $\lambda_{DD}$, $\lambda_{DU}$, $\lambda_{SD}$ and $\lambda_{SU}$. Since a generic failure rate represents an average installation, the actual failure rate is expected to deviate from the generic failure rate. Now introduce:
$\lambda_{Gen}$ = Generic failure rate, i.e. as found in OREDA or PDS data
SD = Standard deviation, i.e. the standard deviation in the population from which the generic failure rate is estimated
$\lambda_{IMP}$ = Failure rate to use in establishing the initial maintenance program
where the index $i = 1, 2, \dots, n$ runs through the $n$ different failure causes, and $\lambda_i$ is the part of the generic failure rate attributed to failure cause $i$. Further assume that we have plant specific information relating to the failure causes we may expect for the new installation. We may then adjust the generic failure rate according to equation (F4):
$$\lambda'_{Gen} = w_1 \lambda_1 + w_2 \lambda_2 + \dots + w_n \lambda_n \qquad (F4)$$
where $w_i$, $i = 1, \dots, n$, are correction factors obtained from Table F2 (the letter used for these factors is the one adopted here, as the original symbol did not survive extraction).
Table F2: Correction factors $w_i$ for equation (F4)
$w_i$: 0.1, 0.5, 1.0, 1.5, 2, 5 (the description of the plant specific condition each value applies to is not reproduced on this page)
The failure rate to use in the initial maintenance program is then the adjusted generic rate plus one standard deviation, scaled by the same ratio as the rate itself:
$$\lambda_{IMP} = \lambda'_{Gen} + \lambda'_{Gen} \cdot \frac{SD}{\lambda_{Gen}} \qquad (F5)$$
F.5
A maintenance program shall be established which includes written procedures for maintaining, testing and repairing the SIS so that the required integrity level is maintained. This program shall be designed to reveal faults that are not automatically detected by the SIS. Consideration needs to be given to non-availability during routine testing and to the effect of mean time to repair on the overall availability of the system. SIS maintenance shall include, but not be limited to, the following:
Regularly scheduled functional testing of the SIS;
Regular inspection of field equipment to ensure that there is no observable deterioration, for example corrosion or mechanical damage, damaged cabling or terminations, ineffective heat tracing, blockage of fire and gas detectors etc.;
Regularly scheduled preventive maintenance, as required (e.g. replacement of ventilation filters, lubrication, battery replacement, calibration, etc.);
Repair of detected faults, with appropriate testing after repair.
Several approaches and methods exist for establishing a maintenance program, among them RCM, RBI and TPM. Vendor manuals that describe the SIS maintenance and testing requirements (e.g. battery maintenance, fuse replacement, etc.) may be included in the maintenance procedures. For the following discussion it is important to identify the type of preventive maintenance and the frequency of maintenance actions. We only consider safety systems operating in the low demand mode according to IEC 61508, and further the situation of functional testing with time between tests equal to $\tau$, see Appendix D. From Appendix D we also have the relation between PFD and the parameters $\lambda$, $\beta$ and $\tau$, i.e.
$$PFD = PFD(\lambda, \beta, \tau) \qquad (F6)$$
To fulfil the acceptance criterion we must therefore satisfy
$$PFD_A = PFD(\lambda, \beta, \tau) \qquad (F7)$$
Solving equation (F7) with respect to $\tau$ gives the maintenance (test) interval. Note that maintenance planning usually focuses on establishing the type and amount of preventive maintenance. It is, however, strongly recommended that the anticipated corrective maintenance is also planned with respect to the need for spare parts, procedures for work permits, required skills of the maintenance staff, etc.
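As an added example (not code from the OLF guideline or from Appendix D), the Python below carries the procedure of sections F.3 to F.5 through numerically: it builds $PFD_A$ from (F1), evaluates $PFD(\lambda, \beta, \tau)$ for a single channel and for a 1oo2 pair using the usual low demand approximations (an assumption here; the guideline's own formulas are those of Appendix D), solves (F7) for $\tau$ by bisection, and then rounds the result down to a whole number of months and rechecks it against $PFD_A$. The failure rate, $\beta$ and $CF_{SIL}$ values are constructed sample inputs, and 730 hours per month is an assumption.

```python
"""Added example: solving equation (F7) for the test interval tau.
Not code from the OLF guideline; the PFD approximations and all numbers are
assumptions chosen for illustration."""

HOURS_PER_YEAR = 8760.0
HOURS_PER_MONTH = 730.0  # assumption: 8760 / 12


def pfd_acceptance(sil: int, cf_sil: float = 1.0) -> float:
    """Equation (F1): PFD_A = CF_SIL * 10^-N for a SIL N requirement."""
    if sil not in (1, 2, 3, 4):
        raise ValueError("SIL must be 1, 2, 3 or 4")
    if cf_sil <= 0:
        raise ValueError("CF_SIL must be positive")
    return cf_sil * 10.0 ** (-sil)


def pfd_1oo1(lam_du: float, beta: float, tau: float) -> float:
    """Single channel, low demand: PFD ~= lambda_DU * tau / 2.
    beta is unused for 1oo1 but kept so all models share one signature."""
    return lam_du * tau / 2.0


def pfd_1oo2(lam_du: float, beta: float, tau: float) -> float:
    """1oo2 voting with beta-factor common cause (assumed approximation):
    independent part ((1-beta) lambda_DU tau)^2 / 3 plus CCF part beta lambda_DU tau / 2."""
    lam_ind = (1.0 - beta) * lam_du
    return (lam_ind * tau) ** 2 / 3.0 + beta * lam_du * tau / 2.0


def solve_test_interval(pfd_model, lam_du, beta, pfd_a,
                        tau_max=10 * HOURS_PER_YEAR, tol=1e-4):
    """Solve PFD(lambda, beta, tau) = PFD_A (equation F7) for tau in hours.
    PFD grows monotonically with tau, so bisection on [0, tau_max] is safe.
    If even tau_max meets the criterion, tau_max is returned: the interval is
    then bounded by policy, not by the PFD requirement."""
    if pfd_model(lam_du, beta, tau_max) <= pfd_a:
        return tau_max
    lo, hi = 0.0, tau_max
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if pfd_model(lam_du, beta, mid) > pfd_a:
            hi = mid
        else:
            lo = mid
    return lo  # lo always satisfies PFD <= PFD_A


def practical_interval_months(pfd_model, lam_du, beta, sil, cf_sil=1.0):
    """Whole-month interval that still satisfies (F7). Rounding is downwards:
    rounding up would silently breach PFD_A. Returns (months, pfd_at_interval)."""
    pfd_a = pfd_acceptance(sil, cf_sil)
    tau = solve_test_interval(pfd_model, lam_du, beta, pfd_a)
    months = int(tau // HOURS_PER_MONTH)
    pfd = pfd_model(lam_du, beta, months * HOURS_PER_MONTH)
    assert pfd <= pfd_a, "rounded interval must not breach the acceptance criterion"
    return months, pfd


if __name__ == "__main__":
    # constructed sample inputs: lambda_DU = 1e-6 per hour, beta = 0.1
    for name, model, sil in (("1oo1, SIL 2", pfd_1oo1, 2), ("1oo2, SIL 3", pfd_1oo2, 3)):
        m, p = practical_interval_months(model, 1e-6, 0.1, sil)
        print(f"{name}: test every {m} months, PFD = {p:.2e} vs PFD_A = {pfd_acceptance(sil):.0e}")
```

For the single channel the closed form $\tau = 2 PFD_A / \lambda_{DU}$ gives 20000 h, which the bisection reproduces; for the 1oo2 pair the common cause term dominates at short intervals, so halving the interval does not halve the PFD. The cap on $\tau$ matters in practice: with a SIL 2 target the 1oo2 pair would satisfy (F7) at any interval up to ten years, and the interval must then come from inspection needs or company policy rather than from the PFD calculation.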
F.6
Maintenance plan
The main results of lifecycle phase 6, overall operation and maintenance planning, are a set of proposed maintenance activities and recommended intervals between these activities. A necessary basis for implementing these results is that the organisational and technical maintenance support functions are available; a major issue is therefore to ensure the availability of these support functions. The maintenance actions are typically grouped into maintenance packages, each package describing what to do and when to do it. Experience has shown that many accidents are related to maintenance work. When implementing a maintenance program it is therefore of vital importance to consider the risk associated with the execution of the maintenance work. Checklists could be used to identify the potential risk involved with maintenance work:
Can maintenance personnel be injured during the maintenance work?
Is a work permit required for execution of the maintenance work?
Are means taken to avoid problems related to re-routing, bypasses etc.?
Can failures be introduced during the maintenance work?
Task analysis, see e.g. Kirwan & Ainsworth (1992), may be used to reveal the risk involved with each maintenance job. The results of these analyses should be documented as part of the maintenance plan. If a SIS function needs to be bypassed while the process is in a hazardous state, administrative controls and written procedures shall be provided to maintain the safety of the process. Particular attention should be paid to resetting any inhibits or overrides that may be necessary during testing, inspection and maintenance of the SIS.
F.7
Follow-up plan
The follow-up plan should at least address:
Safety aspects of maintenance work:
  Who is responsible for following up the results from e.g. task analysis;
  Methods for following up, e.g. formal review, random checks etc.;
  Frequency of follow-up actions;
  Budget for follow-up actions.
Identification of a database concept for collecting and analysing reliability data (including data about the technical condition of the equipment):
  Who is responsible for development and maintenance of the database system;
  What system for quality assurance of the reporting is used, and who is responsible;
  Budget for reporting and quality assurance.
System for following up the backlog:
  Who is responsible;
  What should trigger immediate action (e.g. the number of critical PM jobs exceeds a predefined number);
  Frequency of ordinary investigation into the backlog.
Data analysis:
  Who is responsible for the analysis;
  What types of analysis;
  Frequency of analysis;
  Budget for analysis.
Continuous improvement:
  Who is responsible for systematic improvement work;
  Who is responsible for treating ad hoc suggestions and event-based needs for improvement measures;
  Budget for evaluating proposed measures;
  Who is responsible for resource allocation when measures are to be implemented.
Updating the maintenance plan:
  Who is responsible for updating the maintenance plan (intervals, etc.);
  Frequency of updating the plan.
F.8
The work order system is the means of making the maintenance plan operational. In addition to implementing the maintenance plan, the work order system should also handle corrective maintenance.
F.9
Actual PM & CM
In principle, the work order system defines the maintenance to be executed and when to do it. The maintenance actually carried out is, however, another matter.
F.10
Backlog PM & CM
In this context we use the term backlog for all scheduled preventive and corrective maintenance that has not been performed by its due date. There is no unique measure of the backlog. In Figure F1 the backlog box is a virtual entity; the measurable backlog is defined within the work order system.
F.11
It is of utmost importance to define the persons or organisational units responsible for the backlog follow-up. There are two main sources for action:
Automatic triggering from the backlog system, e.g. the number of critical PM jobs exceeds a predefined number;
Systematic analysis of the backlog at predefined intervals.
Independent of the source, the following items should be considered:
Any operational restrictions, e.g. shut down of part of the operation, restrictions on hot work, etc.;
Whether the regulator should be informed;
What the causes of the large backlog are, e.g. lack of money, lack of adequate personnel, pressure from the production unit to postpone maintenance work, organisational problems etc.;
What could be done to overcome these problems;
A plan, responsible persons and due dates for bringing the backlog under control.
F.12
Reporting
All maintenance work (functional testing, preventive maintenance and corrective maintenance) shall be reported into an electronic maintenance database. The information to report depends on the type of maintenance work:
Verification report for functional testing shall include:
  Date of inspection;
  Name of the person who performed the test or inspection;
  Serial number or other unique identifier of the equipment (loop number, tag number, equipment number, user approved number, etc.);
  Results of the inspection/test (as-found and as-left condition);
  Details of any faults found and a link to the corresponding corrective maintenance report;
  Any erroneous test procedures, increased risk during inspection etc. that were identified.
Preventive maintenance (PM) report shall include:
  Date of PM;
  Name of the person(s) who performed the PM work;
  Serial number or other unique identifier of the equipment (loop number, tag number, equipment number, user approved number, etc.);
  Maintenance activity;
  Any need for corrective maintenance work.
Corrective maintenance (CM) report shall include:
  Date of failure detection;
  Date of CM;
  Name of the person(s) who performed the CM work;
  Serial number or other unique identifier of the equipment (loop number, tag number, equipment number, user approved number, etc.);
  Failure mode, i.e. safe detected (SD), safe undetected (SU), dangerous detected (DD) or dangerous undetected (DU);
  Failed part;
  Failure cause;
  Method of detection, e.g. PM, functional testing, inspection, self test etc.;
  Corrective action;
  Recommended action to eliminate the failure cause.
F.13
Database
The database used in Figure F1 is a conceptual term. A reliability database may be realised as a part of the work order system. It is essential that the database system allows for storing the information as required in this appendix.
F.14
Data Analysis
It is essential that the scope of the data analysis is agreed upon. As a minimum the analysis should include:
A proper failure cause analysis (FCA);
Investigation of the failure reports to identify common cause failure (CCF) problems;
Updated reliability data, see section F.17 below.
If assumptions about reliability performance (e.g. SIL requirements) are not met, this shall be treated formally. The analysis group should also identify the need for and relevance of:
Reporting to the regulator;
Feedback to the manufacturers and vendors;
Reporting to generic databases, e.g. company specific databases or OREDA.
F.15
Improvement measures
Based on the systematic failure cause analysis, improvement measures should be identified. As long as the SIL requirements can be met, improvement measures should be evaluated in a cost-benefit setting. If the actual reliability performance threatens the SIL requirements, implementation of improvement measures is mandatory. Each improvement measure should be evaluated with respect to whether it should be treated as a modification or retrofit according to the IEC 61508 lifecycle or not.
F.16
If an improvement measure is classified as a modification or retrofit, the IEC 61508 life cycle process should be followed.
F.17
This section presents methods for updating reliability data during the lifecycle of a product. The principal situation is as follows:
Only the failure rate, $\lambda$, is considered in this presentation. Similar approaches could be developed for e.g. the $\beta$ factor;
From the generic data, or from previous updates of the failure rate, we have an uncertainty distribution for the failure rate. This distribution is expressed either by a mean and a standard deviation, or by the two parameters $\alpha$ and $\beta$ of the Gamma distribution (see below);
Since the last update of the failure rate we have observed one or several components over a period of time equal to $t$. In this period we have observed in total $X$ failures (with the failure mode of interest). In some situations we have also implemented measures to eliminate one or more failure causes.
Table F3: Gamma parameters $\alpha$ and $\beta$ as a function of $\log_{10}(U/L)$ (the table body is not reproduced on this page)

Thus, we are able to express the uncertainty distribution of the failure rate by the parameters $\alpha$ and $\beta$ in all the situations above.
Updating the failure rate when failure causes are not available
If information about failure causes is not available, the failure rate is updated using a simple method, e.g.
$$\lambda = \frac{\alpha + X}{\beta + t} \qquad (F8)$$
where $\alpha$ and $\beta$ are the parameters of the uncertainty distribution, $X$ is the number of failures in the observation period, and $t$ is the exposure time. The uncertainty parameters could also be updated by
$$\alpha' = \alpha + X, \qquad \beta' = \beta + t \qquad (F9)$$
and the new parameters $\alpha'$ and $\beta'$ could be used for the next update of the failure rate.
Updating the failure rate when failure causes are analysed, and compensating measures against the failure causes are implemented
In situations where failure causes are analysed and appropriate measures are implemented, we could take credit for this as indicated below. Assume that the failures are classified according to failure cause, and that they can be grouped into $i = 1, \dots, n$ different failure causes. Prior to any measures we then have
$$X = X_1 + X_2 + \dots + X_n \qquad (F10)$$
If compensating measures are implemented we could estimate a future equivalent of this number by
$$X' = w_1 X_1 + w_2 X_2 + \dots + w_n X_n \qquad (F11)$$
where $w_i$, $i = 1, \dots, n$, are correction factors reflecting the anticipated effect of the implemented measure (the letter is the one adopted here, as the original symbol did not survive extraction). The values of the parameters $w_i$ could be obtained from Table F4.
Table F4: Correction factors $w_i$ for equation (F11)
$w_i$: 0.75, 0.5, 0.25, 0.1 (the description of the measure each value applies to is not reproduced on this page)
When the different measures are implemented, a best estimate for the future failure rate is given by equation (F12):
$$\lambda = \frac{\alpha + X'}{\beta + t} \qquad (F12)$$
Note that equation (F12) gives a lower failure rate estimate than equation (F8). However, in order to use equation (F12), an explicit judgement of the failure causes and of how the implemented measures could eliminate or reduce each failure cause is required. This in turn requires a certain quality level in the collection and analysis of reliability data. The uncertainty parameters could also be updated by equation (F13):
$$\alpha' = \alpha + X', \qquad \beta' = \beta + t \qquad (F13)$$
and the new parameters $\alpha'$ and $\beta'$ could be used for the next update of the failure rate. Note that in this section we recommend using the best estimate of the failure rate as input to the maintenance optimisation, whereas in the initial phase (section F.4) one standard deviation was added to the failure rate.
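The updating rules (F8) to (F13) as an added, runnable example (not code from the OLF guideline). It assumes that the Gamma parameters $\alpha$ and $\beta$ are obtained from a generic mean and standard deviation by moment matching (mean $= \alpha/\beta$, variance $= \alpha/\beta^2$), which is the standard conversion but not the one tabulated in Table F3; the failure counts, exposure time and correction factors are constructed sample inputs.

```python
"""Added example: Bayesian updating of a failure rate with a Gamma prior,
following equations (F8) to (F13). Not code from the OLF guideline; the sample
inputs and the moment-matching conversion are assumptions."""
import math


def gamma_from_moments(mean: float, sd: float) -> tuple[float, float]:
    """Gamma parameters (alpha, beta) with mean alpha/beta and variance alpha/beta^2.
    Assumed conversion; Table F3 tabulates alpha and beta from log10(U/L) instead.
    Note: this beta is the Gamma parameter, not the common cause beta factor."""
    if mean <= 0 or sd <= 0:
        raise ValueError("mean and standard deviation must be positive")
    alpha = (mean / sd) ** 2
    beta = mean / sd ** 2
    return alpha, beta


def gamma_sd(alpha: float, beta: float) -> float:
    """Standard deviation of the uncertainty distribution: sqrt(alpha) / beta.
    Useful to see how much the uncertainty shrinks after each update."""
    return math.sqrt(alpha) / beta


def update_failure_rate(alpha: float, beta: float, x: float, t: float) -> float:
    """Equations (F8) and (F12): best estimate (alpha + X) / (beta + t).
    x is the observed count X, or the equivalent count X' after compensating measures."""
    if t <= 0:
        raise ValueError("exposure time must be positive")
    return (alpha + x) / (beta + t)


def update_parameters(alpha: float, beta: float, x: float, t: float) -> tuple[float, float]:
    """Equations (F9) and (F13): alpha' = alpha + X, beta' = beta + t, kept for the next update."""
    return alpha + x, beta + t


def equivalent_failures(failures_by_cause: dict, factors: dict) -> float:
    """Equation (F11): X' = sum_i w_i X_i. A cause without a measure keeps factor 1
    (no credit). A factor outside (0, 1] is rejected: a compensating measure can
    only reduce the expected count, and zero would claim a cause is fully eliminated."""
    x_eq = 0.0
    for cause, count in failures_by_cause.items():
        w = factors.get(cause, 1.0)
        if not 0.0 < w <= 1.0:
            raise ValueError(f"correction factor for {cause!r} must be in (0, 1]")
        x_eq += w * count
    return x_eq


if __name__ == "__main__":
    # constructed generic data: mean 2e-6 /h, SD 1e-6 /h  ->  alpha = 4, beta = 2e6
    alpha, beta = gamma_from_moments(2e-6, 1e-6)
    # constructed observation: 3 failures over 1.5e6 component-hours, by cause
    by_cause = {"corrosion": 2, "calibration drift": 1}
    t = 1.5e6
    x = sum(by_cause.values())                                   # (F10)
    lam_f8 = update_failure_rate(alpha, beta, x, t)              # (F8)
    # assumed measures: corrosion protection (0.25), new calibration routine (0.5)
    x_eq = equivalent_failures(by_cause, {"corrosion": 0.25, "calibration drift": 0.5})
    lam_f12 = update_failure_rate(alpha, beta, x_eq, t)          # (F12)
    print(f"(F8)  lambda = {lam_f8:.3e} /h, (F12) lambda = {lam_f12:.3e} /h")
    print("parameters for next update (F13):", update_parameters(alpha, beta, x_eq, t))
```

With the sample numbers the plain update (F8) returns exactly the generic mean, since the observation happens to agree with the prior, while (F12) with the credited measures gives about 1.43e-6 per hour. The check in `equivalent_failures` is the practical safeguard the text asks for: credit for a measure must rest on an explicit judgement per failure cause, and a factor that is missing from Table F4 or outside its range should stop the calculation rather than silently lower the rate.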
F.18
References
G. K. Hansen and J. Vatn. Reliability Data for Control and Safety Systems, 1998 Edition. Technical Report STF38 A98445, SINTEF Industrial Management, N-7465 Trondheim, Norway, 1998.
ISO 14224. Petroleum and natural gas industries - Collection and exchange of reliability and maintenance data for equipment. International Organization for Standardization, 1999.
B. Kirwan and L. K. Ainsworth. A Guide to Task Analysis. Taylor & Francis, London, 1992.
OREDA-97. Offshore Reliability Data, 3rd edition. Distributed by Det Norske Veritas, P.O. Box 300, N-1322 Høvik, Norway, 1997. Prepared by SINTEF Industrial Management, N-7465 Trondheim, Norway.