In our continuing look at elements in the IEC 61511 process safety lifecycle, I uncovered an excellent presentation, Safety Instrumented Systems – Considering the Whole Loop, by Emerson’s Andy Crosland. You may recall Andy from a recent process safety seminar series in the U.K. Andy presents at Institute of Measurement and Control regional meetings from time to time.
In his presentation, Andy highlights the safety drivers for process manufacturers, the IEC 61511 safety lifecycle, probability of failure on demand (PFD) for the whole safety loop, integrated control and safety systems, and safety integrity level (SIL) verification calculations.
If you follow Mike Boudreaux's Twitter feed, you'll see a continuing stream of safety incidents in process manufacturing facilities. Andy highlights these incidents as motivation for an increased focus on process safety. He points to the Safety Users Group video page that highlights videos from the U.S. Chemical Safety Board investigations.
Andy provides a very long list of items that need to be included in an IEC 61511-compliant safety requirements specification (SRS). A sampling from his list includes a description of all the safety instrumented functions (SIF) necessary to achieve required functional safety, definition of process safe states for each SIF, response times to reach safe states, SIF testing intervals, process measurements and associated trip points, target safety integrity levels and mode of operation (demand/continuous) per SIF, and much more.
As mentioned in an earlier post, the SRS is critical since the safety instrumented system (SIS) cannot be properly validated without it. The SRS should be the primary source of requirements for all design and selection information, and the SRS is what the SIS is validated against. Validation is a mandatory step in the IEC 61511 lifecycle.
Maintenance and testing of the SIS is a key part of making sure it will function on demand. IEC 61511 Part 1 Section 11.8.1 notes that the system design should provide technical and procedural requirements to accomplish full testing of all elements within a SIF: sensors, logic solver, and final elements. Andy shared some statistics from the Offshore Reliability Database (OREDA) where 50% of the failures occur in final elements, 42% in sensors, and 8% in the logic solver. He also shares some of the typical failures that occur in each of these devices.
These failure rates feed the PFD calculations, which are driven by the rate of dangerous-undetected (DU) failures. There is much more to SIF design than an average PFD calculation based on DU failures, though. You also have to consider systematic integrity (check the device certification) and the architectural constraints based on Safe Failure Fraction, an equation involving the safe-detected (SD), safe-undetected (SU), dangerous-detected (DD), and DU failure rates. These considerations may lead to redundant voting arrangements (1oo2, 2oo3), which in turn bring common cause failures and diagnostic coverage into the calculation. Specialists such as Emerson's SIS Consultancy team can assist with these calculations.
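As an added worked example (not from Andy's presentation or any Emerson tool), the script below computes the Safe Failure Fraction, the simplified low-demand PFDavg for 1oo1, 1oo2 and 2oo3 architectures, the whole-loop PFDavg as the sum of sensor, logic solver and final element, and the SIL band it achieves. All failure rates, test intervals and the beta value are constructed illustrative numbers, and the PFD formulas are the simplified IEC 61508-6 approximations that neglect repair time and dangerous-detected terms.

```python
"""SIL verification sketch for a whole safety loop (added example, not from
the original post). Rates are per hour; intervals in hours. All numeric
inputs below are constructed, not OREDA or certificate data."""

def safe_failure_fraction(l_sd, l_su, l_dd, l_du):
    """SFF: share of all failures that are safe or detected (IEC 61508 definition)."""
    return 1.0 - l_du / (l_sd + l_su + l_dd + l_du)

def pfd_avg(l_du, test_interval_h, voting="1oo1", beta=0.0):
    """Simplified low-demand PFDavg (IEC 61508-6 approximations with repair
    time and DD contributions neglected). beta = common-cause factor."""
    x = l_du * test_interval_h          # expected DU failures per proof-test interval
    if voting == "1oo1":
        return x / 2
    if voting == "1oo2":
        return x ** 2 / 3 + beta * x / 2
    if voting == "2oo3":
        return x ** 2 + beta * x / 2
    raise ValueError(f"unsupported voting scheme: {voting}")

def sil_from_pfd(pfd):
    """Low-demand SIL band for an achieved PFDavg; 0 means not even SIL 1."""
    for sil, upper in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if pfd < upper:
            return sil
    return 0

def verify_loop(subsystems):
    """subsystems: (name, l_du, test_interval_h, voting, beta) per element.
    Whole-loop PFDavg is the sum of the parts (valid when each is small)."""
    parts = {n: pfd_avg(l, ti, v, b) for n, l, ti, v, b in subsystems}
    total = sum(parts.values())
    return {"parts": parts, "total": total, "sil": sil_from_pfd(total)}

# Constructed loop, annual proof test (8760 h) on every element.
LOOP_1OO1 = [("transmitter", 5.0e-7, 8760, "1oo1", 0.0),
             ("logic solver", 1.0e-8, 8760, "1oo1", 0.0),
             ("valve", 1.5e-6, 8760, "1oo1", 0.0)]
# Same loop with 1oo2 valves and a 10% common-cause factor.
LOOP_VALVES_1OO2 = LOOP_1OO1[:2] + [("valve", 1.5e-6, 8760, "1oo2", 0.1)]

if __name__ == "__main__":
    for label, loop in (("1oo1 loop", LOOP_1OO1), ("1oo2 valves", LOOP_VALVES_1OO2)):
        r = verify_loop(loop)
        worst = max(r["parts"], key=r["parts"].get)
        print(f"{label}: PFDavg={r['total']:.2e} -> SIL {r['sil']}, "
              f"largest contributor: {worst} ({r['parts'][worst] / r['total']:.0%})")
    # Architectural-constraint input for the transmitter (constructed SD/SU/DD/DU rates).
    print(f"transmitter SFF = {safe_failure_fraction(2e-7, 3e-7, 1.0e-6, 5e-7):.0%}")
```

Note that in the 1oo2 case the beta term dominates the valve's PFDavg, which is why common cause matters as much as the voting scheme itself.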
Diagnostics within the individual components can help reduce the undetected failures. Andy describes examples of these diagnostics, including the HART process variable "bad status" alert, earth/ground current leakage, valve partial stroke testing, and external solenoid valve pulsing. Connecting these diagnostics with smart logic solvers such as DeltaV SIS provides a way to alert the maintenance team to the problem condition and initiate repair actions.
If you’re in the U.K. and a member of the Institute of Measurement and Control, look for Andy’s next presentation in Scotland on September 15. If you’re not, subscribe to the safety category of this blog for future posts related to process safety.
Update: I’ve updated the post striking out the reference to FriendFeed. Mike posts these events directly to his Twitter feed.