DSM SHEP 4.4.3-4.1 Practice
Issue: 2008-09 / 2009-11

CONTENTS

1 Purpose
2 General information
2.1 Approach
2.2 SIL of safety instrumented systems
2.2.1 Requirements preliminary to design and assessment
2.2.2 Contribution of normal process control to SIL
2.3 Make-up
3 Pertaining documents
4 Terms and definitions
4.1 Abbreviations
4.2 Definitions
5 Applicability
6 Requirements
6.1 Design
6.2 Reliability of equipment
6.2.1 General
6.2.2 Classification as type A and type B equipment
6.2.3 Diagnostic Coverage factor (DC) and Safe Failure Fraction (SFF) of equipment
6.3 PFD and architectural constraints requirements
6.3.1 General
6.3.2 PFD and architectural constraints (to IEC 61508) for safety instrumented systems using type A elements
6.3.3 PFD and architectural constraints (to IEC 61508) for instrumented systems using type B elements
6.4 Testing
6.5 Common cause
6.6 Selection of standard instrumented safety functions
6.7 Effectiveness
6.8 Prevention of spurious trips
6.9 Assessment of existing safety instrumented systems
Appendix 1
Appendix 2
Appendix 3

This document contains annotations (bold and between brackets) regarding the aspects LAW, SHE and BEST PRACTICE; these annotations are informative.

1 Purpose

The purpose of this document is to define guidelines for safety instrumented systems. The methodology laid down in this document can also be used for the assessment of existing safety instrumented systems.

2 General information

2.1 Approach

[SHE] Process hazards are identified in a number of Risk Assessment studies. The risk graph method (SHE Requirements Annex 3) is used for establishing the Risk Level (RL) of the scenario, based on the probability of loss of containment in such a scenario.

[SHE; integrity] Process safety is assured by allocating safety provisions, including safety instrumented systems.

The following technologies shall be used:

  1. Re-Design (Inherently safe(r) design);
  2. Mechanical Safety Provisions (rupture discs, relief valves, flame arrestors, restrictions);
  3. Instrumental Safety Provisions (Safety instrumented systems);
  4. Procedural Safety Provisions.

The approach reflected in this guideline is in accordance with IEC 61511.

2.2 SIL of safety instrumented systems

2.2.1 Safety Requirement Specification

Requirements preliminary to the design and assessment are listed in the Safety Requirement Specification (SRS).

Objective

To specify the requirements for the safety instrumented function(s)

The SIS requirements should be expressed and structured in such a way that they are:

  • clear, precise, verifiable, maintainable and feasible; and
  • written to aid comprehension by those who are likely to utilize the information at any phase of the life cycle

SRS input is a team effort.

The SIL Required as specified in the SRS shall meet the risk reduction allocated to the SIS.

[SHE; requirements on safety provisions] The following information as a minimum shall be the input for the SRS:

- description of consequences and effects;
- identification numbers of scenarios;
- description of scenario(s);
- classification and justification (C=, F=, P=, W=, RL);
- Process Safety Time;
- allocation of safety provisions M / I / P.

For each SIF:

- SIL required;
- SIF process measurements (tag codes) and their trip points (accuracy);
- SIF process output actions (tag codes);
- criteria for successful operation, e.g. requirements for leakage of valves, freezing, fouling, crystallisation, polymerisation;
- functional relationship between SIF inputs and outputs and any required permissives (Functional Logic Diagrams).

The information is to be transferred in the SRS format as given in Appendix 4.

2.2.2 Design and engineering of the Safety Instrumented System

Requirements preliminary to the design and assessment are listed in the SRS.

Objective

The objective of the requirements is to design one or multiple SIS to provide the safety instrumented function(s) and meet the specified safety integrity level(s).

General requirements

The requirements as mentioned in the SHE Requirements, Chapter 8, Annex 5A and 5C shall be followed.

The design of the SIS shall be in accordance with the SIS safety requirements specifications, taking into account all the requirements of this clause.

Where the SIS is to implement both safety and non-safety instrumented function(s) then all the hardware and software that can negatively affect any SIF under normal and fault conditions shall be treated as part of the SIS and comply with the requirements for the highest SIL.

Design details can be found in the Guideline for Safety Instrumented Systems, SHEP 4.4.3-5.1.

For a convenient work process the following toolboxes and materials are available:

- SIS Toolbox;
- SHE Practices;
- BG accepted Instrument List;
- Safety Requirement Specification.

2.2.3 Contribution of normal process control to SIL and risk level (RL) reduction

[BEST PRACTICE; background information] In the risk graph technique the contribution of process control to the SIL is factored in through the W scale.

The frequency of occurrence on the W scale shall take account of the presence of effective process control systems (basic control, override control, constraint control, on-off control, operator actions etc.).

[SHE; guidance note] For more detail consult RAT “equipment under control” (under construction)

(table: proposal DNP Thomas Meier-Künzig)

Variant 1 (simple) / W3 / W2 / W1
Low process control QA standard, e.g. no documented evidence of system hardware IQ or system OQ, no alarm system, no self-revealing interlocks / RL a
Medium process control QA standard / RL a
High process control QA standard / RL a
RL-1
Variant 2 (detailed) / W3 / W2 / W1
Hardware
Gaps in system wiring diagram (installation changes not 100% documented) and IQ, no or unknown document history / x
No fail-safe principle (no live-zero, no broken-wire detection) / x
System wiring diagram up to date, with redlined manual updates and document history / x
Fail-safe principles (live-zero, de-energized, OFF = safe position) / x
System wiring diagram updated after minor updates and after changes of irreversible / non-self-revealing interlocks, document management system / x
Fail-safe principles (live-zero, de-energized, OFF = safe position)
System HW HAZOP present / x
Software
No documented or unknown system OQ / x
Documented system OQ, track changes / x
Documented system OQ, audit trail, automated track changes / x
No alarm system, no (manual) alarm tracking in shift logbook / x
Standard alarm system on DCS screen / alarm printer, alarm history / x
High-end alarm system on DCS screen / alarm printer, alarm history including operator ID logged / x
No or unknown change management of software, "spaghetti code" / x
Change management of software, modular code in context of plant and functional design / x
SW segregation concept widely used, modular code in context of plant design
Separated logics for safety and interlock logics, redundancy and diversity of interlock triggers and final elements, fail-safe principles of SW design
Change management of software, tested and documented evidence of changes, audit trail
System SW HAZOP present / x
Sum of ticks / n.A. / n.A. / Below 5, W2

All safety provisions are left out of consideration here during scenario definition in HAZOP studies.

[BEST PRACTICE; SHE] It is recommended that effective and robust process control systems be put in place enabling the process to be kept on-stream as long as possible, so preventing unnecessary downtime.

If the prime function of control loops is to reduce the frequency in the W scale, such loops shall be included in a documentation system, an administration system and an inspection system so that proper performance is assured.

2.3 Make-up

[BEST PRACTICE; background information] A safety instrumented system is made up of five elements:

  1. Sensor, incl. media contact of the process to the sensor and communication with the logic solver;
  2. Logic solver;
  3. Final element, incl. communication with the logic solver and media contact to the process;
  4. Supporting provisions;
  5. Utilities.

3 Pertaining documents

This SHEP is inextricably related to the following standardizing documents:

- SHEP 1-20.1 Classification of safety systems in Safety Integrity Level (SIL) using the risk graph technique based on loss of containment. It also deals with the allocation and technology of safety systems for all defined scenarios;
- SHEP 4.4.3-5.1 Guideline for safety instrumented systems;
- SHED 4.1-25.1.2 Instrument List;
- Auxiliary systems;
- Supporting provisions;
- SHEP 4.4.3-8.1 Verification of safety instrumented systems in existing plants;
- RP 4.3-11.9-1.1 Calibrating and testing;
- SHEP 4.4.3-10.1 Verification of safety instrumented systems in new projects.

4 Terms and definitions

4.1 Abbreviations

RL / = Risk Level
SIL / = Safety Integrity Level
SRS / = Safety Requirement Specification
SIF / = Safety Instrumented Function
SIS / = Safety Instrumented System
FLD / = Functional Logic Diagrams
DC / = Diagnostic Coverage
PFD / = Probability of Failure on Demand
AK / = Anforderungsklasse (requirement class, DIN 19250)
OOR / = Out Of Range
n.a. / = not acceptable (not to be confused with n/a = not applicable)
oo / = out of
SFF / = Safe Failure Fraction
QA / = Quality Assurance

4.2 Definitions

Safety Integrity Level

A discrete level (1, 2, 3 or 4) for specifying the safety integrity requirements of the safety instrumented functions to be performed by the applied safety instrumented systems, in anticipation of a specific scenario.

AnforderungsKlasse

AK denotes the integrity level of each component in a safety circuit and is based on DIN 19250.

SIL denotes the integrity level of a safety circuit as a whole.

The relationship between SIL and AK is shown below.

SIL / AK / PFD / PL (to be filled in) / Mean probability of a dangerous failure per hour / SIL to IEC 61508
a / 1 / - / a / 10^-5 to 10^-4 / No special safety requirement
1 / 2, 3 / < 10^-1 / b / 3·10^-6 to 10^-5 / 1
2 / 4 / < 10^-2 / c / > 10^-6 to 3·10^-5 / 1
3 / 5, 6 / < 10^-3 / d / > 10^-7 to 10^-6 / 2
4 / 7 / < 10^-4 / e / 10^-8 to 10^-7 / 3
b / 8 / n.a.


Probability of Failure on Demand

The average probability that a safety provision fails at the moment a demand is placed on the system.

Diagnostic Coverage factor

The DC factor is the percentage decrease in the probability of dangerous failure resulting from automatic diagnostic tests and the feedback of a malfunction.

SFF

The Safe Failure Fraction (SFF) is the ratio of the mean probability of safe failure plus detected unsafe failure to the total mean probability of safe and unsafe failure.

Common cause (ß)

A common cause of failure in redundant equipment of process control systems and/or the safety instrumented system.

Sensor

Detecting element (including process connections, sensors, transmitters, converters, wiring, input cards, etc.) included in a safety instrumented system, capable of establishing whether the process operates within acceptable limits.

E.g. thermocouples, pressure transmitters, emergency shut-down switches and pH meters.

OOR-alarm

The OOR alarm from an analogue signal in a SIS has the function of immediately giving a fault signal to the operator, indicating the reduced availability during the repair time.

Logic solver

A decision-making element in a safety instrumented system which acts on a final element.

Final element

A final controlling element (including output cards, output relays, solenoid valves and cabling) included in a safety instrumented system.

E.g.: valves, trip circuits for rotating equipment, alarm systems.

For definitions not included in this list, refer to IEC 61508 Part 4.

5 Applicability

This SHEP shall apply to all new safety instrumented systems, and those to be modified, that are classified to prevent loss of containment (LOC). The design guide is used in the judgement of these provisions.

6 Requirements

6.1 Design

[SHE] Safety instrumented systems shall be designed as follows:

List the requirements in the SRS, then:

  1. Establish the equipment features that affect performance reliability;
  2. Classify the equipment into TYPE A or TYPE B (Section 6.2.2);
  3. Determine the Diagnostic Coverage factor (DC) / Safe Failure Fraction (SFF) (Section 6.2.3);
  4. Determine the PFD and architectural constraints to IEC 61508 for the required SIL (Section 6.3);
  5. Determine the test interval (Section 6.4);
  6. Identify common causes (Section 6.5);
  7. Select a standard safety instrumented system that meets the given SIL (Section 6.6). Where deviating parameters and configurations are used, consultation shall take place with the specialist on how the required PFD is to be achieved;
  8. Design an instrumented safety system that protects against the defined scenario (Section 6.7);
  9. Consider adding measures preventing spurious trips (Section 6.8).

6.2 Reliability of equipment

6.2.1 General

[SHE] The elements of a safety instrumented system shall be approved for the appropriate SIL or equivalent AK. The reliability is hereinafter expressed as TYPE A or TYPE B in combination with the SFF.

SHEP 4.1-25.1.2 "Instrument List" states the class (TYPE A or B), the SFF and the SIL or AK.

Equipment not included in this SHED shall be classified in consultation with the administrator of this SHEP, i.e. DSM SHE&M GMCC Plant Automation -

6.2.2 Classification as type A and type B equipment

[SHE] The elements of a safety instrumented system, such as the sensor, logic solver, final element and auxiliary equipment shall be classified as TYPE A or TYPE B in accordance with the following statements.

TYPE A elements

An element is classified as TYPE A if it is suitable for the intended application and meets the following requirements.

Either, based on Section 2 of IEC 61508:

- the failure mode of each component in the element is known; AND
- the failure mode of the sub-system (the element) as a whole is completely clear; AND
- reliable failure data gained in practice indicate that the element performs satisfactorily.

OR, based on "Proven in use":

- the failure mode of the element is known from practice covering at least 10,000 service hours in at least two years; AND
- the element has been used in that period in at least ten different applications without a single failure; AND
- all failures have been recorded.

Example: An element giving satisfactory performance over a period of five to ten years is type "A".

TYPE B elements:

These are elements suitable for the intended application but which fail to meet the requirements of TYPE A.

Examples include:

- elements whose failure modes are not accurately known from practice;
- complex and high-maintenance elements (e.g. analyzers);
- elements of which little or no experience is available;
- instrument software with limited experience.

6.2.3 Diagnostic Coverage factor (DC) and Safe Failure Fraction (SFF) of equipment

[SHE] The DC factor is the percentage decrease in the probability of dangerous failure resulting from automatic diagnostic tests and the feedback of a malfunction.

DD is the probability of unsafe detected failure (Dangerous Detected).

D is the probability of unsafe failure (Dangerous).

No DC: / DC < 60% / No or limited automatic feedback on satisfactory or unsatisfactory performance of the element.
Low DC: / 60% < DC < 90% / Limited automatic feedback on satisfactory or unsatisfactory performance of the element.
Medium DC: / 90% < DC < 99% / Substantial automatic feedback on satisfactory or unsatisfactory performance of the element.
High DC: / DC > 99% / Almost complete automatic feedback on satisfactory or unsatisfactory performance of the element.

The Safe Failure Fraction (SFF) is the ratio of the mean probability of safe failure plus detected unsafe failure to the total mean probability of safe and unsafe failure (see Section 4.2).


6.3 PFD and architectural constraints requirements

6.3.1 General

[SHE] The following tables list the PFD and architectural constraints to IEC 61508 for safety instrumented systems based on:

- the required SIL;
- TYPE A or TYPE B elements;
- SFF.

6.3.2 PFD and architectural constraints (to IEC 61508) for safety instrumented systems using type A elements

[SHE]

SIL / SFF < 60% / 60% < SFF < 90% / 90% < SFF < 99% / SFF >= 99% / PFD
a / 1 oo 1 / 1 oo 1 / 1 oo 1 / 1 oo 1 / -
1 / 1 oo 1 / 1 oo 1 / 1 oo 1 / 1 oo 1 / < 10^-1
2 / 1 oo 2 / 1 oo 1 / 1 oo 1 / 1 oo 1 / < 10^-2
3 / 1 oo 3 / 1 oo 2 / 1 oo 1 / 1 oo 1 / < 10^-3
4 / n.a. / 1 oo 3 / 1 oo 2 / 1 oo 1 / < 10^-4
b / n.a. / n.a. / n.a. / n.a. / n.a.

n.a. = not acceptable; oo = out of

6.3.3 PFD and architectural constraints (to IEC 61508) for instrumented systems using type B elements

[SHE]

SIL / SFF < 60% / 60% < SFF < 90% / 90% < SFF < 99% / SFF >= 99% / PFD
- / 1 oo 1 / 1 oo 1 / 1 oo 1 / 1 oo 1 / -
a / 1 oo 1 / 1 oo 1 / 1 oo 1 / 1 oo 1 / -
1 / 1 oo 2 / 1 oo 1 / 1 oo 1 / 1 oo 1 / < 10^-1
2 / 1 oo 3 / 1 oo 2 / 1 oo 1 / 1 oo 1 / < 10^-2
3 / n.a. / 1 oo 3 / 1 oo 2 / 1 oo 1 / < 10^-3
4 / n.a. / n.a. / 1 oo 3 / 1 oo 2 / < 10^-4
b / n.a. / n.a. / n.a. / n.a. / n.a.

n.a. = not acceptable; oo = out of
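The following is an added worked example, not part of this SHEP or of any DSM tool: it computes DC and SFF for one element from constructed failure rates (using DC = DD / D and the SFF definition of Section 4.2), classifies the DC band of Section 6.2.3, and looks up the minimum voting architecture and PFD limit from the type A and type B tables above. The failure-rate values are constructed, the lower band bounds are assumed inclusive, and the "-" row of the type B table is omitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Failure rates per hour of one element, split as in Section 6.2.3 (constructed values)."""
    lambda_s: float   # safe failures
    lambda_dd: float  # dangerous failures revealed by automatic diagnostics
    lambda_du: float  # dangerous failures not revealed by diagnostics


def diagnostic_coverage(r: FailureRates) -> float:
    """DC = DD / D: the share of dangerous failures revealed by diagnostics."""
    dangerous = r.lambda_dd + r.lambda_du
    return r.lambda_dd / dangerous if dangerous else 1.0


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (S + DD) / (S + D), the Section 4.2 definition."""
    total = r.lambda_s + r.lambda_dd + r.lambda_du
    return (r.lambda_s + r.lambda_dd) / total if total else 1.0


def dc_class(dc: float) -> str:
    """Band names from the DC table in Section 6.2.3 (lower bound inclusive, assumed)."""
    if dc < 0.60:
        return "No DC"
    if dc < 0.90:
        return "Low DC"
    if dc < 0.99:
        return "Medium DC"
    return "High DC"


def sff_band(sff: float) -> int:
    """Column index into the tables: <60%, 60-90%, 90-99%, >=99%."""
    return 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3


# Minimum voting architecture per SIL and SFF band, transcribed from the tables in
# 6.3.2 (type A) and 6.3.3 (type B). None means "n.a." (not acceptable).
ARCH = {
    "A": {"a": ["1oo1"] * 4, "1": ["1oo1"] * 4, "2": ["1oo2", "1oo1", "1oo1", "1oo1"],
          "3": ["1oo3", "1oo2", "1oo1", "1oo1"], "4": [None, "1oo3", "1oo2", "1oo1"],
          "b": [None] * 4},
    "B": {"a": ["1oo1"] * 4, "1": ["1oo2", "1oo1", "1oo1", "1oo1"],
          "2": ["1oo3", "1oo2", "1oo1", "1oo1"], "3": [None, "1oo3", "1oo2", "1oo1"],
          "4": [None, None, "1oo3", "1oo2"], "b": [None] * 4},
}
PFD_LIMIT = {"a": None, "1": 1e-1, "2": 1e-2, "3": 1e-3, "4": 1e-4, "b": None}


def required_architecture(element_type: str, sil: str, r: FailureRates):
    """Return (architecture, PFD limit); architecture is None when the tables say n.a."""
    arch = ARCH[element_type][sil][sff_band(safe_failure_fraction(r))]
    return arch, PFD_LIMIT[sil]


if __name__ == "__main__":
    # Constructed example: a type B transmitter with modest diagnostics.
    tx = FailureRates(lambda_s=4e-7, lambda_dd=3e-7, lambda_du=3e-7)
    dc = diagnostic_coverage(tx)
    print(f"DC={dc:.2f} ({dc_class(dc)}), SFF={safe_failure_fraction(tx):.2f}")
    for sil in ("1", "2", "3", "4"):
        arch, limit = required_architecture("B", sil, tx)
        print(f"SIL {sil}: {arch or 'not acceptable'}, PFD limit {limit}")
```

For the constructed transmitter (DC 0.50, SFF 0.70) the type B table requires 1oo2 for SIL 2 and 1oo3 for SIL 3, and marks SIL 4 not acceptable; the same element as type A would need only 1oo1 for SIL 2.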

6.4 Testing

[BEST PRACTICE; SHE] Automatic diagnostic tests do not cover the entire safety instrumented system. Manual testing by verifying the measured value and conducting a functional test remains necessary, as do preventive measures such as valve refurbishment and cleaning.

[SHE] Test intervals at the loop level needed to achieve the required SIL for standard safety instrumented systems are specified in Appendix 3.

6.5 Common cause

[BEST PRACTICE; background information] Common cause means a common cause in the failure of process control systems and the safety instrumented system, and/or of redundant elements.

[BEST PRACTICE; standardization, experience and SHE] The following countermeasures are recommended:

- applying diversity as to technology, supplier and type;
- using different input and output cards and individual rather than common fusing of power supply systems;
- preventing plugging by means of flushing and preventing freezing by means of winterizing, etc.

[SHE] The diversity required by IEC 61508 for standard safety instrumented systems is indicated in Appendix 2.

[BEST PRACTICE; SHE] The designs of the standard safety instrumented systems in Appendix 2 are based on approx. 5% common cause.

6.6 Selection of standard instrumented safety functions

[BEST PRACTICE; standardization, experience and SHE] A number of standard safety instrumented functions have been worked out (Appendix 2).

These functions meet the PFD and architectural constraints to IEC 61508 and the general technology requirements stated in Appendix 1 for each SIL.

These data are based on standard DSM failure data and reduction factors for instrumentation.

In addition, test intervals at the loop level are stated; these enable the PFD requirements to be met (Appendix 3).

Any deviating configuration shall preferably be designed in consultation with the administrator of this SHEP, i.e., DSM CSHE&M GMCC Plant Automation -

Prior in use and proven in use.

6.7 Effectiveness

[SHE] Safety instrumented systems shall be designed to be effective, especially in respect of the scenario and related process parameters, process dynamics, test intervals and process operation:

  1. Process dynamics: the scenario imposes requirements as to the response time of the safety instrumented system, e.g. its ability to perform a particular function within x seconds. For more details see DSM Standard SHP 4.4.3-5.1 Appendix 1 Re / Par. 5.4.3;
  2. Application aspects: depending on the fluid pressure, temperature and the risk of crystallization, suitable measures may need to be taken such as purging, flushing, tracing and monitoring of these systems. For more details refer to RP integrity control of impulse lines in a SIL application;
  3. Scenario: choice of measurement technology and final element;
  4. Wherever practical, safety instrumented systems shall fail safe in the event of a fault developing (e.g. loss of auxiliary energy supply, short-circuit or broken wire);
  5. Unmonitored signal connections shall normally fail safe, i.e. the system shall be de-energized to trip on loss of power or loss of signal;
  6. Circuits with analogue sensors having self-diagnostics (e.g. Out Of Range detection, utility monitoring) shall be provided with:
     - for SIL 1 and SIL 2: an integrity alarm and a procedure for correcting the fault;
     - for SIL 3: an integrity alarm, a time-dependent shut-down and a procedure for correcting the fault;
  7. In exceptional cases it is better to opt for an energize-to-trip system. In that case the de-energized circuit shall be monitored (signal monitoring, continuity check).

In addition, suitable instructions and procedures shall be put in place.