IEC 61508 / IEC 61511
SIL - Safety Integrity Level

G.M. INTERNATIONAL S.R.L.
Via San Fiorano, 70
20852 Villasanta (MB) ITALY
phone: +39 039 2325038
info@gmintsrl.com
www.gmintsrl.com

SAFETY INTEGRITY LEVELS (IEC 61508 / IEC 61511)

SIL     PFDavg                       RRF                 PFDavg
        Average probability of       Risk Reduction      Average probability of
        failure on demand per year   Factor              failure on demand per hour
        (low demand mode)                                (high demand or continuous mode)
SIL 4   >= 10^-5 and < 10^-4         100000 to 10000     >= 10^-9 and < 10^-8
SIL 3   >= 10^-4 and < 10^-3         10000 to 1000       >= 10^-8 and < 10^-7
SIL 2   >= 10^-3 and < 10^-2         1000 to 100         >= 10^-7 and < 10^-6
SIL 1   >= 10^-2 and < 10^-1         100 to 10           >= 10^-6 and < 10^-5

TOLERABLE RISK AND ALARP (IEC 61508-5, Annex C)

Intolerable Region: risk cannot be justified except in extraordinary circumstances.

The ALARP or tolerability region (risk is undertaken only if a benefit is desired):
tolerable only if further risk reduction is impracticable or if its costs are grossly
disproportional to the gained improvement. As the risk is reduced, the less,
proportionately, it is necessary to spend to reduce it further, to satisfy ALARP.
The concept of diminishing proportion is shown by the triangle.

Broadly Acceptable Region: it is necessary to maintain assurance that risk remains at
this level (no need for detailed working to demonstrate ALARP). Risk is negligible.

RISK AND NECESSARY RISK REDUCTION (IEC 61508-5, Annex A)

EUC risk, i.e. the risk without protection: Risk (RNP) = FNP x C, where FNP is the
frequency of the hazardous event without protection and C the consequence of the
hazardous event (FP: frequency of the hazardous event with protection).
Tolerable risk target: Risk < RT, where RT = FT x C and FT is the tolerable accident
frequency.

Tolerable accident frequency / Frequency of accidents without protections = 1 / RRF

Along the axis of INCREASING RISK: Residual Risk < Tolerable Risk < EUC Risk.
Necessary risk reduction: the reduction needed to bring the EUC risk (EUC and EUC control
system) down to the tolerable risk target. The safety integrity of the safety-related
protection system is matched to the necessary risk reduction; a safety-related protection
system is required to achieve the necessary risk reduction.
Actual risk reduction: risk reduction obtained by all safety-related systems and external
risk reduction facilities, made up of:
- partial risk covered by other technology safety-related systems;
- partial risk covered by the E/E/PE safety-related system;
- partial risk covered by external risk reduction facilities.

RISK CLASSIFICATION (IEC 61508-5, Table C.1: Example of risk classification of accidents)

1) Determine frequency (FNP) and consequences (C) of the hazardous event without protection.
2) Determine the risk class using Table C.1.
3) Apply protections if Class = I.
4) Achieve the tolerable risk target.

Frequency      Catastrophic   Critical   Marginal   Negligible
Frequent       I              I          I          II
Probable       I              I          II         III
Occasional     I              II         III        III
Remote         II             III        III        IV
Improbable     III            III        IV         IV
Incredible     IV             IV         IV         IV

HARDWARE FAULT TOLERANCE AND SAFE FAILURE FRACTION (IEC 61508-2, 7.4)

Failure rate categories: DD: Dangerous Detected; DU: Dangerous Undetected;
SD: Safe Detected; SU: Safe Undetected.

TYPE A Components: simple devices with well-known failure modes and a solid history of operation.

SFF            Hardware Fault Tolerance 0   Hardware Fault Tolerance 1   Hardware Fault Tolerance 2
< 60%          SIL 1                        SIL 2                        SIL 3
60% - < 90%    SIL 2                        SIL 3                        SIL 4
90% - < 99%    SIL 3                        SIL 4                        SIL 4
> 99%          SIL 3                        SIL 4                        SIL 4

TYPE B Components: complex components with potentially unknown failure modes.

SFF            Hardware Fault Tolerance 0   Hardware Fault Tolerance 1   Hardware Fault Tolerance 2
< 60%          Not allowed                  SIL 1                        SIL 2
60% - < 90%    SIL 1                        SIL 2                        SIL 3
90% - < 99%    SIL 2                        SIL 3                        SIL 4
> 99%          SIL 3                        SIL 4                        SIL 4

BASIC CONCEPTS: RELIABILITY AND AVAILABILITY

Failure rate: λ = failures per unit time / components exposed to functional failure
1 FIT = 1 x 10^-9 failures per hour

MTBF = MTTF + MTTR
MTTF = MTBF - MTTR = 1 / λ
MTTR = 1 / μ
Availability = Operating Time / (Operating Time + Repair Time) = MTTF / (MTTF + MTTR)
             = MTTF / MTBF = MTBM / (MTBM + MSD)
Unavailability = 1 - Availability

Timeline: operating time (success, TTF / MTTF) is followed by repair time (failure, MTTR);
together they make up MTBF. Reliability and availability refer to the success state,
unreliability and unavailability to the failure state.

Acronyms:
MTBF: Mean Time Between Failures
MTTF: Mean Time To Failure
MTTR: Mean Time To Repair
MTBM: Mean Time Between Maintenance
MSD: Expected Mean System Downtime
λ: Failure rate
μ: Repair rate

MTTFs (MEAN TIME TO SPURIOUS TRIP) BY VOTING ARCHITECTURE

Voting   MTTFs
1oo1     1 / λS
1oo2     1 / (2 λS)
2oo2     1 / (2 λS^2 MTTR)
2oo3     1 / (6 λS^2 MTTR)

SIMPLIFIED PFDavg EQUATIONS BY VOTING ARCHITECTURE

TI: Proof Test Time Interval; Et: Test Effectiveness; DU: Dangerous Undetected Failures;
β: common cause (beta) factor.

Voting   Without common causes                              With common causes (beta factor)
1oo1     λDU TI / 2
1oo2     λDU1 λDU2 TI^2 / 3                                 [(1 - β) λDU TI]^2 / 3 + β λDU TI / 2
2oo2     (λDU1 + λDU2) TI / 2
2oo3     (λDU1 λDU2 + λDU1 λDU3 + λDU2 λDU3) TI^2 / 3       [(1 - β) λDU TI]^2 + β λDU TI / 2
1oo3     λDU1 λDU2 λDU3 TI^3 / 4                            [(1 - β) λDU TI]^3 / 4 + β λDU TI / 2

WORKED EXAMPLE: SIL OF A SAFETY INSTRUMENTED FUNCTION (SIF)

Calculate MTBF, MTBFs, PFDavg, RRF and the possible SIL level of the following SIF, which
includes a transmitter, a barrier, a safety PLC and a valve as final element, in 1oo1
architecture. The proof test is carried out once a year with 100% effectiveness.
The pie chart on the poster shows the percentages of the single subsystems on the total
PFD of the Safety Function; the same figures appear in the "% of total PFDavg" column.
The table below contains the failure data provided by the manufacturer of each subsystem.
Formulae to calculate the requested values are indicated in the header.

Subsystem      λS        λDD      λDU       λ = 1/MTBF   MTBF    MTBFs     PFDavg 1oo1     % of      SFF      SIL
               per year  per year per year  per year     (yrs)   = 1/λS    = λDU TI / 2    total              Level
                                                                 (yrs)     (Et = 100%)     PFDavg
Transmitter    0.00800   0.0010   0.00080   0.00980      102     125       0.000400        9 %       91.8 %   SIL 2
Barrier        0.00159   0.0014   0.00019   0.00318      314     629       0.000095        2 %       94.0 %   SIL 3
PLC            0.00135   0.0001   0.00001   0.00146      685     741       0.000005        0.1 %     99.3 %   SIL 3
Valve          0.01370   0.0066   0.00720   0.02750      36      73        0.003602        81 %      73.8 %   SIL 2
Power Supply   0.00530   0.0000   0.00070   0.00600      167     189       0.000350        7.9 %     88.3 %   SIL 3
Total (SIF)    0.02994   0.0091   0.00890   0.04794      21      33        0.004452        100 %              SIL 2

RRF = 1 / PFDavg = 225 for the whole SIF.

MANUAL PERIODIC TEST DURATION

The duration of a manual proof test can have a significant impact on the overall SIS performance.
In 1oo1 architectures, during the test, the system must be taken offline, and its availability is zero.
The original simplified formula is modified into:

PFDavg = λDU TI / 2 + TD / TI

where TI is the proof test interval and TD the test duration.

Note: the average probability of failure is strictly related to the test interval (TI); increasing the
time between tests directly leads to a higher probability of failure and therefore lower SIL levels.

Example:
λDU = 0.002 / yr; TI = 1 yr (= 8760 hrs); TD = 8 hrs
We obtain: PFDavg = 0.001 + 0.0009 = 0.0019; RRF = 1/0.0019 = 526 (suitable for SIL 2 level)

MANUAL PERIODIC TEST EFFECTIVENESS

The effectiveness of a periodic proof test indicates the percentage of dangerous failures detected by the test.
If effectiveness is lower than 100%, the proof test does not bring the probability of failure of the system back
to zero (as new), therefore PFDavg progressively increases in time.
In this case the system does not always maintain the original SIL level throughout its lifetime.
The formula for calculating PFDavg when effectiveness is lower than 100% is:

PFDavg = (Et x λDU TI / 2) + [(1 - Et) x λDU SL / 2]

where:
Et: periodic test effectiveness to reveal dangerous failures (e.g. 90%)
SL: system lifetime. It is equal to the time until the system is completely tested (100%) or replaced.
If this never happens, SL is equal to the lifetime of the whole plant.

The graph on the poster shows an example of PFD and PFDavg variations in case the proof test is carried out
once a year with 70% effectiveness: SIL 2 level is maintained only for about 4 years; the SIF then downgrades
to SIL 1.

The complete formula for calculating PFDavg taking both influences into account is:

PFDavg = (Et x λDU TI / 2) + TD / TI + [(1 - Et) x λDU SL / 2]
When dealing with SIFs, safety engineers should pay special attention to the selection of subsystems, the time interval
between periodic tests and the system architecture.
A wise choice of these three key elements is what it takes to achieve the required SIL level.
For more details on any of the subjects in this poster, refer to the Safety Instrumented Systems manual by G.M. International.