G. SIL Verification
IEC 61511 and ANSI/ISA S84.01-2003 require quantitative verification that the SIL achieved by each SIF meets the target SIL determined in the SRS.
Modeling methods are referred to in IEC 61511-2 Annex A and described in IEC 61508-6 and ISA TR84.0.02:
- Reliability block diagram technique
- Simplified equations technique
- Fault tree analysis technique
- Markov modeling technique
The modeling technique is selected as appropriate for each application.
Fault Tree Analysis (FTA) was developed in the 1960s by Bell Laboratories in the United States. During the Polaris Missile Project, FTA was utilized to evaluate the probability of an inadvertent launching of a Minuteman missile. FTA has since been used extensively by the military, the space program, and the nuclear industry. It is a highly adaptable, logic-diagram-based technique that can be readily applied to the processes of the refining, petrochemical, chemical, oil and gas production, pipeline, pulp and paper, utility, nuclear, manufacturing and pharmaceutical industries. Premier Consulting Services recommends the FTA technique for complete, quantified SIL verification of each SIF.
The principal benefits include:
- A clear graphical representation of the system.
- Mathematical models for numerous modes of operation (i.e., repairable, non-repairable, and stand-by).
- Results directly indicate key contributors to system unavailability.
- Consideration of sensitivity cases for modifications to system components, architecture, and component testing intervals.
- Easy conversion of system model for evaluation of nuisance trip rates.
Fault tree analysis is a top-down deductive method for identifying the numerous ways in which equipment failures, software failures, human error, environmental factors, and external events can lead to accidents or other undesirable conditions. A fault tree model consists of a top event and a connecting logic structure of the events that must take place for the undesired top event to occur. In the evaluation of Safety Instrumented Systems, two top events are typically of interest: SIS Failure on Demand and SIS Spurious Trip.
A model of SIS failure on demand investigates the potential for the SIS failing to perform its designed safety function. In a failure on demand, the process plant is experiencing an undesired condition that the SIS was designed to detect and, upon detection, to automatically take the process to a safe state; because of a latent failure, however, the SIS fails to function, allowing the undesired condition and its subsequent consequences to continue. Simply stated, the SIS fails to perform its designed function when needed.
The second scenario top event that is considered in the evaluation of SIS is a spurious trip. In the event of a spurious trip, the SIS has taken action when no process condition warranting such action is present.
Both the failure on demand and the spurious trip are critical performance characteristics of an SIS.
The fault tree model consists of a single top event, a number of simple faults called basic events, and logical operators (gates) that dictate how the basic events must combine to produce the failure described by the top event.
Basic events, each representing a simple failure or fault, are the building blocks of the model. A basic event may be a hardware failure, a human error, or an adverse condition. Basic events are always assumed to be independent of each other. A common cause failure must therefore be modeled as its own basic event and assigned its own failure probability or failure rate; that event is then regarded as statistically independent of all other basic events.
Logical gates are used to connect the basic events and the resulting secondary conditions, in order to represent the ways to achieve the top event.
Each basic event is assigned failure rate, proof test interval and mission time data for computation in the fault tree. The resulting PFDavg for each SIF is mapped to the corresponding SIL number and compared with the target SIL determined in the SRS. This constitutes the quantified SIL verification of the fail-to-function performance, also expressed as Safety Availability.
A second Fault Tree is constructed to verify the MTTFspurious. The computed result is compared with the maximum spurious trip rate established in the SRS. This constitutes the quantified verification of the spurious trip rate.
Special Tools
Fault Tree Analysis requires Boolean algebra for the mathematical quantification in order to achieve correct and repeatable results. A computer model is therefore recommended for quantification of the fault trees. The US Department of Energy supports a fault tree analysis program, initially developed for the nuclear industry, with the appropriate mathematical capability and minimal cut set assessment. This software package, SAPHIRE® (Systems Analysis Programs for Hands-on Integrated Reliability Evaluations), is utilized by Premier Consulting Services.
Additionally, PCS may also utilize SILwatch™, which is a Fault Tree based computer modeling tool for the simpler safety instrumented functions. Both tools have been verified to yield equivalent and repeatable results.
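The quantification described above (basic events carrying a failure rate and proof test interval, AND/OR gates, minimal cut sets, PFDavg banded into a SIL, per-device contributions, and a second tree for the spurious trip rate) as an added Python example; it is not part of the original document or of any PCS tool. The SIF, its per-hour failure rates and the annual proof test interval are constructed, and each basic event's PFDavg uses the λ_DU·T/2 approximation.

```python
from itertools import product
from math import prod

HOURS_PER_YEAR = PROOF_TEST_H = 8760.0  # assumed annual proof test interval for every element
# Constructed SIF: transmitters PT-1/PT-2 voted 1oo2, logic solver LS, shutdown valve XV-1.
# Illustrative per-hour rates: (lambda_DU dangerous undetected, lambda_S safe/spurious).
BE = {"PT-1": (2.0e-6, 4.0e-6), "PT-2": (2.0e-6, 4.0e-6),
      "LS": (1.0e-7, 5.0e-7), "XV-1": (1.5e-6, 2.0e-6)}
# Fail-on-demand tree: both sensors must fail dangerously, but any LS or XV-1 failure defeats the SIF.
DEMAND_TREE = ("OR", [("AND", ["PT-1", "PT-2"]), "LS", "XV-1"])
# Spurious-trip tree: a 1oo2 vote trips on either sensor, so every element sits under one OR gate.
SPURIOUS_TREE = ("OR", ["PT-1", "PT-2", "LS", "XV-1"])
# IEC 61511 low-demand PFDavg bands as (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

def pfd_leaf(name):
    # Average unavailability of a proof-tested element, simplified to lambda_DU * T / 2 (lambda_DU * T << 1).
    return BE[name][0] * PROOF_TEST_H / 2.0

def minimal_cut_sets(node):
    # Minimal cut sets (frozensets of basic-event names) of a tree with no repeated basic events.
    if isinstance(node, str):
        return {frozenset([node])}
    sets = [minimal_cut_sets(c) for c in node[1]]
    if node[0] == "OR":
        return set().union(*sets)
    return {frozenset().union(*combo) for combo in product(*sets)}  # AND: one cut set from each child

def pfd_avg(node):
    # Exact top-event probability for independent events: AND = product, OR = 1 - product of (1 - p).
    if isinstance(node, str):
        return pfd_leaf(node)
    probs = [pfd_avg(c) for c in node[1]]
    return prod(probs) if node[0] == "AND" else 1.0 - prod(1.0 - p for p in probs)

def sil_achieved(pfd):
    # Band the computed PFDavg into a SIL; 0 means no SIL can be claimed. Compare with the SRS target.
    return next((sil for sil, lo, hi in SIL_BANDS if lo <= pfd < hi), 0)

def contributions(node):
    # Fussell-Vesely importance approximated with rare-event sums: cut sets containing the device / total.
    cut_probs = {cs: prod(pfd_leaf(n) for n in cs) for cs in minimal_cut_sets(node)}
    total = sum(cut_probs.values())
    return {n: sum(p for cs, p in cut_probs.items() if n in cs) / total for n in BE}

def mttf_spurious_years(node):
    # For an OR-only spurious tree the trip rate is the sum of the safe failure rates of its elements.
    rate_per_hour = sum(BE[c][1] for c in node[1])
    return 1.0 / rate_per_hour / HOURS_PER_YEAR
```

With these constructed rates the demand tree lands in SIL 2 with the valve dominating the PFDavg, which is the kind of result that drives the proof test interval and SIS improvement recommendations listed below.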
SIL Verification

| Inputs | Deliverables |
| --- | --- |
| SRS (Safety Requirements Specification) | Safety Availability (PFDavg) |
| P&IDs and/or Cause and Effect Matrix | Minimal cut-sets |
| Instrumentation description | Device % contributions to PFDavg |
| Interlock description | SIL verification to SRS targets |
| Expected proof testing frequency | MTTFspurious (spurious trip rate) |
| Process Safety Hazard Analysis | Recommendations for proof test intervals |
| | Recommendations for SIS improvements |
| | Tools: SAPHIRE® and SILwatch™ |