Implementing strategies for follow-up of safety instrumented systems

Mary Ann Lundteigen

Department of Production and Quality Engineering
Norwegian University of Science and Technology
mary.a.lundteigen@ntnu.no

Presented at the RAMS meeting


February 29, 2008
Mary Ann Lundteigen September 17, 2008

RAMS Group, NTNU  1 / 33

Overview

Overview
- Objectives
- Content
Background
Performance monitoring
Performance indicators
New procedure
Case studies
Discussion and conclusion

Objectives of presentation

The objective of this presentation is to present a new procedure that:

- Uses plant specific data to monitor the SIS performance
- Has quantitative and qualitative guidelines on when to change the functional test intervals

This presentation builds on the article "A new approach for follow-up of safety instrumented systems in the oil and gas industry" by Stein Hauge and Mary Ann Lundteigen, presented at the ESREL 2008 conference.

Content

1. Background
2. Performance monitoring
3. Performance indicators
4. New procedure
5. Case studies

Background

What is a SIS?

- A safety instrumented system (SIS) is an instrumented system [1] used to implement one or more safety instrumented functions (SIFs). (IEC 61511, 2003)
- A SIS comprises any combination of sensors, logic solvers, and final elements.

[1] An instrumented system is a system where at least one component is based on electrical, electronic or programmable electronic technology.

SIS requirements

A SIS installed on an oil and gas installation is subject to a number of requirements, for example:

[Figure: SIS requirements]
- PSA regulations (Use / Design / Management): Activity regulations 42, 46; Facility regulations 7; Management regulations 2, 18
- Which refer to: NORSOK (S-001, I-001), IEC 61508, IEC 61511, OLF 070, ISO 10418, ISO 14224, Z-016, and company specific requirements
- Requirement groups shown: Lifecycle requirements, Design requirements, Data collection & analysis

PSA: Petroleum Safety Authority Norway

IEC requirements follow lifecycle structure

IEC 61508 and IEC 61511 require that SIS design and operation follow certain steps:

Specification & allocation
- Perform hazards and risk analysis
- Establish functional safety & SIL requirements

SIS design & implementation
- Select, build, and install SIS
- Reliability analysis

SIS operation & maintenance
- Operate and maintain
- Modifications
- Functional testing
- Data collection and analysis
- Performance monitoring
- Management of change

PSA requires performance monitoring

According to PSA management regulation, 18, it is required to:

(a) Monitor and control technical, operational, and organizational aspects
(b) Produce monitoring parameters, indicators and statistics
(c) Carry out and follow-up analysis during various phases of the activities
(d) Generate generic data bases
(e) Take corrective and preventive actions, including improvement of systems and equipment

Requirements shall be set with regard to the quality and the validity of the data, based on the relevant user needs.

[2] Text in bold indicates what is covered by the new procedure

IEC standards state what to focus on

- SIS performance comprises two elements: functional safety requirements and safety integrity requirements
- These requirements are linked to functions rather than components or systems

[Figure: IEC 61508, IEC 61511 and OLF 070 have a functional focus]
- Functional safety requirements
- Safety integrity requirements: Safety integrity level (SIL), Safe versus dangerous failures, Probability of failure on demand (PFD)

Performance monitoring

Key aspects of performance monitoring

Performance monitoring of SIS comprises two elements:

(1) Verify the functional requirements
- Requires that failure modes are defined and classified
- Requires that all activations are recorded

(2) Verify the SIL requirements
- Verify that the required PFD is met
- Verify that procedures, tools, and work practices avoid, reveal and act upon systematic failures (including software failures)

Relevant terminology

[Figure: performance terms along the SIS lifecycle]
- Desired performance (Specification & allocation): SIL requirement, Required PFD
- Predicted performance (SIS design & implementation): Generic data, Predicted PFD
- Estimated performance (SIS operation & maintenance): Plant specific data, Estimated PFD

Performance indicators

Selection of performance indicator

We suggest that we distinguish between:

- Integrity performance indicator [3]: Performance indicator that is directly or indirectly linked to the required PFD of a SIF
- Integrity target value: An upper or lower limit that the integrity indicator may take before the required PFD is exceeded

[3] Indicator: A measurable/operational variable that can be used to describe the condition of a broader phenomenon or aspect of reality (Øien, 2001)

Selection of integrity performance indicator

For any koon configuration,

$$\mathrm{PFD} \approx \binom{n}{n-k+1} \frac{\left((1-\beta)\lambda_{DU}\tau\right)^{n-k+1}}{n-k+2} + \frac{\beta\lambda_{DU}\tau}{2} \qquad (1)$$

Note: For $n = 1$, then $\beta = 0$.

Standard beta-factor model. The PDS method suggests configuration factors for CCFs for koon configurations, where 2

If $\lambda_{DU}\tau$ is kept unchanged, then the PFD is unchanged [5]

Parameters       Description
$\lambda_{DU}$   The rate of dangerous undetected failures
$\tau$ (FT)      The function test interval
$\beta$          The fraction of common cause failures (among all dangerous failures)
koon             k out of n components must function for the SIF to be successfully performed

[5] Assuming that $\beta$ is unchanged

Selection of integrity performance indicator

We may derive an integrity performance indicator from the DU failure rate (for a given population of similar/identical components):

- Given the generic failure rate $\lambda_{DU}$, we may calculate the mean number $E(X)$ of failures during an observation time $t$ for a population of $n$ components:

  $$E(X) = n \cdot t \cdot \lambda_{DU} \qquad (2)$$

- With $E(X)$ as basis, we may derive the integrity target values
  - We apply the principles of (counts) control charts
  - We define the upper and lower action limit, so that $\Pr(x_L < X \le x_H)$
- The number of recorded DU failures is used as an integrity performance indicator

Selection of integrity performance indicators

[Figure: performance terms along the SIS lifecycle, extended with the integrity indicator]
- Desired performance (Specification & allocation): SIL requirement, Required PFD
- Predicted performance (SIS design & implementation): Generic data, Predicted PFD
- Integrity target values: Upper action limit $x_H$, Lower action limit $x_L$
- Estimated performance (SIS operation & maintenance): Plant specific data, Estimated PFD
- Integrity performance indicator: Recorded number of DU failures

New procedure

Step 1: Analyze the SIS integrity performance

For monitoring purposes, we suggest the use of (counts) control charts:

- We start with an $E(X)$, corresponding to our integrity target value, $x_0$, i.e., $\lambda_{DU} t n$
- We define the lower and upper action limit, corresponding to performance indicator targets, so that $\Pr(x_L < X \le x_H)$ is at the 0.70 level
- If $x < x_L$, we may claim that the safety integrity is so good that we can consider increasing the functional test interval (step 2)
- If $x > x_H$, we must consider reducing the functional test intervals, and also initiate additional means to reduce the occurrence of failures (step 2)
- As long as $x_L < x < x_H$, we consider the safety integrity as adequate and in accordance with the required SIL.

Illustration - fixed observation time

[Figure: number of failures per observation period, with the levels $x_H$, $x_0$ and $x_L$ marked]

Step 1: Analyze the SIS integrity performance

Means to reduce the (future) number of failures may include:

- Modification of SIS
- Improvement of operation and maintenance procedures, tools, and practices
- Additional training of personnel
- Improvement of software modification procedures and work practices

Step 2: Evaluate the functional test intervals

This step comprises two sub-steps:

(a) Perform a quantitative analysis to determine if the functional test interval can be changed
- We do not rely on the new failure rate estimate alone
- We also calculate the associated 90% confidence interval

(b) Perform a qualitative analysis to determine if the functional test interval should be changed

We argue for a conservative approach for changing the functional test intervals.

Step 2a: Perform quantitative analysis

Quantitative evaluation:

(i) Estimate a new DU failure rate, $\hat{\lambda}_{DU}$, based on the number of recorded DU failures:

$$\hat{\lambda}_{DU} = \frac{x}{n t} \qquad (3)$$

(ii) Establish a 90% confidence interval for $\hat{\lambda}_{DU}$:

$$\left( \frac{1}{2tn}\, z_{0.95,\,2x},\ \frac{1}{2tn}\, z_{0.05,\,2(x+1)} \right) \qquad (4)$$

where $z_{0.95,\,2x}$ and $z_{0.05,\,2(x+1)}$ denote the upper 95% and 5% percentiles of the $\chi^2$-distribution with $2x$ and $2(x+1)$ degrees of freedom.

(iii) Apply the rules for changing functional test intervals

Step 2a: Rules for changing functional test intervals

(I) If $\hat{\lambda}_{DU} < \frac{1}{2}\lambda_{DU}$ AND the entire 90% interval of $\hat{\lambda}_{DU}$ is below $\lambda_{DU}$, then the functional test interval can be considered doubled

(II) If $\hat{\lambda}_{DU} > 2\lambda_{DU}$ AND the entire 90% interval of $\hat{\lambda}_{DU}$ is above $\lambda_{DU}$, then the functional test interval should be halved

[Figure: failure rate axis marked at $\lambda_{DU}/2$, $\lambda_{DU}$ and $2\lambda_{DU}$, with the 90% confidence interval for $\hat{\lambda}_{DU}$ drawn for the two cases "Consider doubling the interval" and "Consider halving the interval"]

Step 2b: Perform qualitative analysis

Qualitative evaluation (checklist) should be performed to analyze the effects of modified functional test interval:

(1) Quality and confidence in the collected data
(2) Relevance of collected data (new type versus old type equipment)
(3) Quality of testing (versus initial assumptions)
(4) (Number of operational hours)
(5) Type of failures experienced
(6) The benefit and practicalities of changing the test intervals
(7) Vendor recommendations
(8) Secondary effects of the functional test intervals

The result of the qualitative analysis may be that an adjustment of the functional test interval is not recommended.
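
The quantitative part of the procedure (Eq. (2) from step 1 and the estimate, confidence interval and rules (I) and (II) of step 2a), as an added Python example that is not part of the original presentation; the step 2b checklist still decides whether a suggested change is made. The function names and the 8760 hours per year conversion are assumptions, the failure counts are constructed, and the population (1.0E-6 failures per hour, 800 components) is the one in case study 6. The chi-square percentiles are obtained from the Poisson distribution function, which is exact for even degrees of freedom.

```python
import math

HOURS_PER_YEAR = 8760  # assumption: years are converted to calendar hours

def poisson_cdf(x, mu):
    """P(X <= x) for X ~ Poisson(mu), with x >= 0."""
    term = total = math.exp(-mu)
    for i in range(1, x + 1):
        term *= mu / i
        total += term
    return total

def solve_mean(x, prob):
    """Poisson mean mu with P(X <= x) = prob, found by bisection.

    For even degrees of freedom P(chi2 with 2(x+1) d.f. > 2*mu) = P(X <= x),
    so 2*mu is the chi-square percentile written z in Eq. (4).
    """
    lo, hi = 0.0, 1.0
    while poisson_cdf(x, hi) > prob:  # the CDF falls as mu grows
        hi *= 2
    for _ in range(100):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if poisson_cdf(x, mid) > prob else (lo, mid)
    return (lo + hi) / 2

def expected_failures(n, t_hours, lam_du):
    """Eq. (2): mean number of DU failures, E(X) = n * t * lambda_DU."""
    return n * t_hours * lam_du

def du_rate_estimate(x, n, t_hours):
    """Eq. (3) point estimate and Eq. (4) 90% confidence limits."""
    exposure = n * t_hours
    lower = solve_mean(x - 1, 0.95) / exposure if x > 0 else 0.0
    upper = solve_mean(x, 0.05) / exposure
    return x / exposure, lower, upper

def suggest_interval_change(x, n, t_hours, lam_du):
    """Rules (I) and (II) of step 2a: the quantitative suggestion only."""
    est, lower, upper = du_rate_estimate(x, n, t_hours)
    if est < lam_du / 2 and upper < lam_du:
        return "consider doubling"
    if est > 2 * lam_du and lower > lam_du:
        return "consider halving"
    return "no change"

if __name__ == "__main__":
    lam_du, n = 1.0e-6, 800  # population of case study 6
    for years, x in [(0.5, 1), (2, 3), (2, 14), (2, 40)]:  # constructed counts
        t = years * HOURS_PER_YEAR
        print(years, x, round(expected_failures(n, t, lam_du), 1),
              suggest_interval_change(x, n, t, lam_du))
```

In the first constructed case the point estimate is below half the original rate, but the upper confidence limit is above the original rate, so no change is suggested.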

Case studies

Case study 1

Component:                        Smoke detectors
Failure rate $\lambda_{DU}$:      0.8E-6 failure/hours
Number of components:             800
Observation period:               2 years
Number of DU failures found:      2
Number of DU failures tolerated:  11 (11.2)

[Figure: Graphical result illustration. Failure rate axis from 0.0E+00 to 1.8E-06, showing Original LambdaDU, 1/2 * LambdaDU, 2 * LambdaDU, New LambdaDU (^), and the 90% and 70% intervals]

The functional test interval may be halved.

Case study 6

How is the function test interval affected by the number of failures and the observation time?

Failure rate $\lambda_{DU}$:  1.0E-6 failure/hours
Number of components:         800

[Figure: Number of DU failures (accumulated), 0 to 200, against observation time (years), showing the mean number of failures for $\lambda_{DU}$ = 1E-6 failure/hour and n = 800 with the 90% confidence limit, and the regions "Increase functional test interval", "No change" and "Reduce functional test interval"]

Discussion and conclusion

Positive features

Positive features of new procedure

- In accordance with the IEC 61508 and the IEC 61511 requirements
- Provides quantitative and qualitative guidance on when and how to adjust the functional test intervals
- Performance indicator on the component level and independent of how often the components are tested

Constraints and challenges

(Some of the) constraints and challenges are:

- The new procedure is more suited for large populations than small
- For small populations, it may be necessary to include data from other similar plants (or alternatively, consider prior information)
- Does not discuss how to take account of failures of which causes are permanently removed
- Perhaps the procedure reduces the functional test intervals too late (?)

Areas of further research

- The procedure should be tested out on plants (ongoing activities)
- Evaluate if the procedure is too conservative in one direction or the other. Testing of hypotheses?
- Try to integrate the best of the strategy proposed by Prof. Jørn Vatn [6] and this strategy:
  - Allow more refinement than doubling and halving
  - Give more credit to recent failures than earlier failures
  - Give credit to prior knowledge
  - Give credit where failure causes have been permanently removed

[6] Paper by J. Vatn. See also Proceedings of the 30th ESReDA Seminar, hosted by SINTEF, Trondheim, Norway, June 7-8, 2006, pages 173-184, or appendix F in the OLF 070 guideline on the application of IEC 61508 and IEC 61511.
