Safety Instrumented Systems - Part B

Safety Instrumented Systems - Part B Notes

Rationale

  • Safety instrumented systems (SIS) are crucial for reducing the risk of accidents and their consequences in industrial settings.
  • Understanding the special requirements of SIS is essential for proper maintenance, troubleshooting, and configuration.

Outcome

  • Upon completion of this module, you will be able to describe the principles and applications of safety instrumented systems.

Prerequisites

  • Prior completion of the module "310401hA Safety Instrumented Systems - Part A" is required.

Objectives

  • Select, configure, and verify an SIS system for a specific Safety Integrity Level (SIL) rating.

Introduction

  • This module focuses on how to verify a safety system to ensure it performs as designed.

Objective One: Verification

  • Goal: Select, configure, and verify an SIS system for a specific SIL rating.
Verification
  • Control functions performed by an SIS are called Safety Instrumented Functions (SIF).
  • SIFs are designed to prevent or mitigate specific hazards and are assigned a Safety Integrity Level (SIL).
  • SIL rating verification requires calculating the SIF's average Probability of Failure on Demand (PFDavg).
  • Hardware Fault Tolerance (HFT) of the SIF architecture must comply with its SIL rating.
  • Spurious Trip Rate (STR) must meet company policy.
Methods for Calculating PFDavg (Table 1)
Method | System Modeled | Quantification Technique | Handles Different Repair Times | Handles Diverse Technology | Handles Sequence Dependent Failures
Simplified Equations | Simple SIF | Simple math | No | No | No
Fault Tree Analysis | SIF with complex relationships | Simple math or Boolean algebra | Yes | Yes | Yes
Markov Analysis | SIF with complex relationships, time dependent requirements or PE logic solvers | Matrix algebra | Yes | Yes | Yes
  • Simplified Equations: Only method presented in this module.
  • Fault Tree Analysis: Uses top-down diagrams representing the logical relationship between subsystem and component failures.
  • Markov Analysis: Uses circles representing system states, connected by transitions (arrows) indicating paths between states.
Simplified Equations for PFD (Table 2)

Equations for Probability of Failure On Demand

Configuration | Equation
1oo1 | λDU × TI / 2
1oo1D | λDU × TI / 2 + (λSD + λDD) × MTTR
1oo2 | [(1-β) × (λDU × TI)²] / 3 + (β × λDU × TI) / 2
1oo2D | [(1-β) × (λDU × TI)²] / 4 + (β × λDU × TI) / 2
2oo2 | [(1-β) × (λDU × TI)²] / 4 + (β × λDU × TI) / 2
2oo3 | (1-β) × (λDU × TI)² + (β × λDU × TI) / 2
Assumptions for Correct Application:
  • Failure rates are constant over the functional test period.
  • Failure rates for redundant components within a sensor voting group are identical.
  • Full functional tests are 100% effective.
  • Final control elements fail in the safe state (e.g., ESD valve fails closed).
  • Automatically diagnosed failures cause the SIF to take automatic action or degrade to a mode where the SIF can take safety action automatically.
  • Mean Time To Repair (MTTR) is the time to repair any detected failure.
SIL Rating Based on PFDavg (Table 3)
Safety Integrity Level (SIL) | PFDavg | Risk Reduction Factor (RRF)
SIL 4 | 0.00001 to 0.0001 | 10,000 to 100,000
SIL 3 | 0.0001 to 0.001 | 1,000 to 10,000
SIL 2 | 0.001 to 0.01 | 100 to 1,000
SIL 1 | 0.01 to 0.1 | 10 to 100
Simplified Equations for Spurious Trip Rate (STR) (Table 4)
Configuration | Equation
1oo1 | λS + λDD
1oo2 | 2 × (λS + λDD) + β × (λS + λDD)
2oo2 | 2 × λS × (λS + λDD) × MTTR + β × (λS + λDD)
2oo3 | 6 × λS × (λS + λDD) × MTTR + β × (λS + λDD)
Assumptions for Correct Application:
  • Failure rates are constant over the functional test period.
  • Failure rates for redundant components within a sensor voting group are identical.
  • Final control elements fail in the safe state.
  • Diagnosed dangerous failure puts the SIF in a safe state via automatic or human intervention.
Limitations of Simplified Equations
  • They do not account for partial proof test calculations, varying degrees of diagnostic coverage, or other factors.
  • More complex formulas are required for these calculations.
SIL Rating for Components (Table 5)
  • Determined by component type (A or B), architecture, and Safety Failure Fraction (SFF) rating.
  • The lowest rating of any component dictates the overall allowed SIL.
Type A Components
  • Simple devices with well-known failure modes and a solid history of operation.
SFF | HFT of 0 | HFT of 1 | HFT of 2
< 60% | SIL 1 | SIL 2 | SIL 3
60% to < 90% | SIL 2 | SIL 3 | SIL 4
90% to < 99% | SIL 3 | SIL 4 | SIL 4
≥ 99% | SIL 3 | SIL 4 | SIL 4
Type B Components
  • Complex components with potentially unknown failure modes.
SFF | HFT of 0 | HFT of 1 | HFT of 2
< 60% | Not allowed | SIL 1 | SIL 2
60% to < 90% | SIL 1 | SIL 2 | SIL 3
90% to < 99% | SIL 2 | SIL 3 | SIL 4
≥ 99% | SIL 3 | SIL 4 | SIL 4

Distillation Fired Heater Reboiler Example

  • A refinery is installing a new processing unit with a distillation column heated by a gas-fired heater reboiler (Figure 1).
Scenario
  • The amount of vapor generated is sensitive to the vapor/liquid temperature in the column.
  • Malfunctions leading to excessive heat input can generate excessive vapor amounts.
  • Cooling systems may lack the capacity to control pressure during excess heat input.
  • Vapor release from a column rupture can cause an explosion when contacting the fired heater.
Task
  • Select, configure, and verify a column pressure SIS.
Steps
  1. Risk assessment
  2. Conceptual design verification
  3. Redesign verification
  4. SRS specifications

Risk Assessment

Identified Risks
  • Column rupture likelihood: Occasional.
  • Explosion severity to personnel: Severe (two fatalities).
  • Explosion severity to the environment: Minor (minor on-site release).
  • Explosion severity to commercial aspects: Severe (equipment damage > $20 million).
Risk Matrix Assignment
  • Medium risk, requiring a SIL 2 SIS installation.
Layer of Protection Analysis (LOPA)
  • Acceptable risk level for an explosion: 10^-4 occurrences per year.
  • Initiating event: Overheating due to fuel control valve failure.
  • Process risk level for fuel valve failure: Once every two years.
  • Mechanical pressure relief valve risk reduction: 10 (credit of 0.1).
  • Alarms and operator response risk reduction: 10 (credit of 0.1).
  • BPCS risk reduction: None (failure of its control valve is the initiating event).
Required Risk Reduction
  • The risk reduction that the SIS requires is 200 times, or a PFD of 0.005, calculated as follows:
  • PFD = (10^-4 / yr) / ((2 / yr) × 0.1 × 0.1) = 0.005
  • A PFD of 0.005 requires an SIL 2 SIS installation.
Nuisance Trips and Shutdowns
  • Nuisance trips should occur less than once every three years (STR < 0.33 failures/yr).
  • Planned shutdowns occur once every three years.

Conceptual Design Verification

Initial SIF Design (Figure 2)
  • Pressure SIS transmitter (PZT-8) to measure column pressure.
  • Fail-closed (FC) pressure SIS valve (PZV-8) to shut off fuel supply.
  • Safety PLC logic solver:
    • Alarm (PZAH-8) to BPCS for high column pressure.
    • Automatic closure of ESD fuel valve (PZV-8) at trip point.
Equipment Failure Rates (Table 6)
  • Failure rates are given in failures per billion hours (FIT). The λS used in the STR and SFF equations is λSU + λSD.
Instrument | λSU (FIT) | λSD (FIT) | λDD (FIT) | λDU (FIT)
Pressure transmitter | 0 | 250 | 750 | 120
Solenoid, de-energize to trip | 0 | 6690 | 0 | 2900
Ball valve, tight shut-off | 0 | 2153 | 0 | 2378
Safety PLC | 990 | 0 | 509 | 7
Reliability Block Diagram (RBD) (Figure 3)
  • Calculates PFDavg, STRSIS, and overall allowed SIL rating.
Design Information
  • Simplex architecture (1oo1) for pressure transmitter, safety PLC, solenoid, and ESD valve.
  • Common Cause Factor (CCF) beta (β) factor of 0% due to no redundancy.
  • Proof test interval (TI) of one year (8760 hours) for sensors and final elements.
  • Proof TI of three years (26,280 hours) for the logic solver.
Initial Design Limitations
  • Insufficient risk reduction.
    • PFDavg of 2.37 E-02 (0.0237) exceeds the required 0.005.
  • Inadequate nuisance trip reduction.
    • STRSIS of 1.05 failures/yr exceeds the required 0.33 failures/yr.
  • Overall allowed SIL 1 rating, lower than the required SIL 2.
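The verification arithmetic of this module, as an added worked example that is not part of the course material: a small Python model of the Table 2 PFD equations, the Table 4 STR equations, the SFF calculation and the Table 5 lookup, summed over the Table 6 failure rates for the 1oo1 conceptual design and again for the redundant redesign described in the next section. Assumptions not stated on the page are marked in the code: the pressure transmitter and solenoid are taken as Type A components, 2oo2 is given an HFT of 0, the 72-hour MTTR from the solenoid STR example is reused wherever an STR equation needs one, the 2oo2 solenoid pairs are handled as the page does (λDU doubled, then the two valve lines voted 1oo2), and because Table 4 has no STR equation for the 1oo2D logic solver the redesign's STR is reported as unknown rather than guessed.

```python
"""SIL verification with the simplified equations (Tables 2, 4 and 5).

Rates are entered in FIT (failures per 1e9 hours) as in Table 6; the proof
test interval TI and the MTTR are in hours.  Added example code; component
types marked 'assumed' are not given in the module notes.
"""
from dataclasses import dataclass

FIT = 1e-9               # 1 FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760

# Hardware fault tolerance of each voting architecture: the number of
# dangerous failures the group survives while still performing the SIF.
# 2oo2 -> 0 is an assumption (one dangerous failure defeats the group).
HFT = {"1oo1": 0, "1oo2": 1, "1oo2D": 1, "2oo2": 0, "2oo3": 1}


def pfd_avg(arch, lam_du, ti, beta=0.0):
    """Table 2: PFDavg of one voting group (lam_du in failures/hour)."""
    x = lam_du * ti               # expected undetected dangerous failures per TI
    common_cause = beta * x / 2   # the beta fraction behaves like a 1oo1 element
    if arch == "1oo1":
        return x / 2
    if arch == "1oo2":
        return (1 - beta) * x ** 2 / 3 + common_cause
    if arch in ("1oo2D", "2oo2"):
        return (1 - beta) * x ** 2 / 4 + common_cause
    if arch == "2oo3":
        return (1 - beta) * x ** 2 + common_cause
    raise ValueError(f"Table 2 has no simplified equation for {arch}")


def spurious_trip_rate(arch, lam_s, lam_dd, beta=0.0, mttr=0.0):
    """Table 4: spurious trips per hour for one voting group."""
    trip = lam_s + lam_dd         # a safe or detected dangerous failure trips an element
    if arch == "1oo1":
        return trip
    if arch == "1oo2":
        return 2 * trip + beta * trip
    if arch == "2oo2":
        return 2 * lam_s * trip * mttr + beta * trip
    if arch == "2oo3":
        return 6 * lam_s * trip * mttr + beta * trip
    raise ValueError(f"Table 4 has no simplified equation for {arch}")


def safe_failure_fraction(lam_s, lam_dd, lam_du):
    """SFF = 1 - lambda_DU / lambda, with lambda_S = lambda_SU + lambda_SD."""
    return 1 - lam_du / (lam_s + lam_dd + lam_du)


def allowed_sil(comp_type, hft, sff):
    """Table 5 lookup; 0 stands for 'Not allowed'."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    table = {"A": ([1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]),
             "B": ([0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4])}
    return table[comp_type][band][min(hft, 2)]


def sil_from_pfd(pfd):
    """Table 3 band for a PFDavg; 0 means worse than SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


@dataclass
class Component:
    name: str
    comp_type: str       # "A" or "B"
    arch: str
    lam_su: float        # FIT
    lam_sd: float        # FIT
    lam_dd: float        # FIT
    lam_du: float        # FIT
    ti: float            # proof test interval, hours
    beta: float = 0.0    # common cause factor
    mttr: float = 72.0   # hours, from the redesign STR example


def verify_sif(components, required_pfd, required_str_per_year, required_sil):
    """Sum the reliability block diagram and compare it with the SRS targets."""
    pfd, str_hr, sils = 0.0, 0.0, []
    for c in components:
        lam_s, lam_dd, lam_du = (c.lam_su + c.lam_sd) * FIT, c.lam_dd * FIT, c.lam_du * FIT
        pfd += pfd_avg(c.arch, lam_du, c.ti, c.beta)
        if str_hr is not None:
            try:
                str_hr += spurious_trip_rate(c.arch, lam_s, lam_dd, c.beta, c.mttr)
            except ValueError:    # e.g. 1oo2D: no Table 4 row, so STRSIS is unknown
                str_hr = None
        sils.append(allowed_sil(c.comp_type, HFT[c.arch],
                                safe_failure_fraction(lam_s, lam_dd, lam_du)))
    str_yr = None if str_hr is None else str_hr * HOURS_PER_YEAR
    overall_sil = min(sils)       # the weakest component caps the SIF
    return {"pfd_avg": pfd, "sil_from_pfd": sil_from_pfd(pfd), "str_per_year": str_yr,
            "allowed_sil": overall_sil, "pfd_ok": pfd <= required_pfd,
            "sil_ok": overall_sil >= required_sil,
            "str_ok": None if str_yr is None else str_yr <= required_str_per_year}


# Table 6 rates on the 1oo1 conceptual design (Figure 3).
INITIAL_DESIGN = [
    Component("PZT-8 pressure transmitter", "A", "1oo1", 0, 250, 750, 120, 8760),     # type assumed
    Component("Safety PLC", "B", "1oo1", 990, 0, 509, 7, 26280),
    Component("Solenoid, de-energize to trip", "A", "1oo1", 0, 6690, 0, 2900, 8760),  # type assumed
    Component("PZV-8 ball valve", "A", "1oo1", 0, 2153, 0, 2378, 8760),
]

# Redesign (Figure 5): the two 2oo2 solenoids on each valve double lambda_DU
# (2900 -> 5800 FIT) and the two valve lines are then voted 1oo2, as in the notes.
REDESIGN = [
    Component("PZT-8A/B/C", "A", "2oo3", 0, 250, 750, 120, 8760, beta=0.05),          # type assumed
    Component("Safety PLC, dual", "B", "1oo2D", 990, 0, 509, 7, 26280, beta=0.03),
    Component("Solenoids, 2oo2 per valve", "A", "1oo2", 0, 6690, 0, 2 * 2900, 8760, beta=0.05),  # type assumed
    Component("PZV-8A/B ball valves", "A", "1oo2", 0, 2153, 0, 2378, 8760, beta=0.05),
]

if __name__ == "__main__":
    for label, design in (("initial", INITIAL_DESIGN), ("redesign", REDESIGN)):
        print(label, verify_sif(design, required_pfd=0.005, required_str_per_year=0.33, required_sil=2))
```

Running it reproduces the figures the notes quote for the 1oo1 design: PFDavg 2.37 E-02 (SIL 1 by Table 3), the 1.04 E-02 ball valve PFD, the 1.00 E-06 /hr transmitter STR, SIL 3 for the safety PLC and SIL 1 overall because the ball valve (SFF 47.5%, HFT 0, Type A) caps it. For the redesign it returns a PFDavg of about 2.8 E-03 and an overall allowed SIL 2, both satisfying the SIL 2 target, with the STR left as None; the STR of the redesign needs the hand treatment the notes give for the 2oo2 solenoid pairs and an equation for the 1oo2D logic solver that Table 4 does not provide.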
PFD Calculation
  • PFDavg is the sum of PFD calculations for each component (Table 2 formulas).
Example: ESD Ball Valve (1oo1 Architecture)
  • PFD = λDU × TI / 2
  • λDU = 2378 E-09 failures/hr, TI = 8760 hr
  • PFD = (2378 E-09 × 8760) / 2 = 1.04 E-02
STR Calculation
  • STRSIS is the sum of STR calculations for each component (Table 4 formulas).
Example: Pressure Transmitter (1oo1 Architecture)
  • STR = λS + λDD
  • λDD = 750 E-09 failures/hr, λS = 250 E-09 failures/hr
  • STR = 750 E-09 + 250 E-09 = 1.00 E-06 failures/hr
SIL Rating Determination
  • Using Table 5, based on component type, architecture, and SFF rating. The lowest SIL rating component counts.
Example: Safety PLC
  • Type B component, 1oo1 architecture (HFT of 0).
  • SFF = 1 - (λDU / λ)
  • λDU = 7 E-09 failures/hr
  • λ = λDD + λDU + λS = 509 E-09 + 7 E-09 + 990 E-09 = 1.51 E-06 failures/hr
  • SFF = 1 - (7 E-09 / 1.51 E-06) = 1 - 0.005 = 0.995 or 99.5%
  • HFT of 0 and SFF of 99.5% results in SIL 3.
Proof Testing Constraints
  • Yearly proof testing required for ESD valve and pressure transmitter, but design lacks bypass for online testing.
  • Logic solver proof testing can be done during planned three-year shutdowns.
Conclusion
  • The initial design does not meet PFDavg, STRSIS and SIL requirements.

Redesign Verification

Proposed Modifications (Figure 4)
  • Three pressure SIS transmitters (PZT-8A, PZT-8B, PZT-8C) in 2oo3 architecture with block valves for online proof testing.
  • Two fail-closed (FC) pressure SIS valves (PZV-8A and PZV-8B) in 1oo2 architecture with a bypass for online proof testing.
  • Dual redundant solenoids in 2oo2 architecture on each ESD valve.
  • Dual redundant safety PLC logic solver (1oo2D architecture):
    • Alarm (PZAH-8) to BPCS for high column pressure.
    • Alarm (PZI-8) when a redundant pressure component is in alarm.
    • Alarm (XZI-8) when a bypass is in place.
Reliability Block Diagram (RBD) (Figure 5)
  • Calculates PFDavg, STRSIS, and overall allowed SIL rating.
Design Information
  • Pressure transmitters: 2oo3 architecture, β factor of 5%.
  • Safety PLC: 1oo2D architecture, β factor of 3%.
  • Final element: 1oo2 architecture, β factor of 5%.
  • Proof TI of one year (8760 hours) for sensors and final elements.
  • Proof TI of three years (26,280 hours) for the logic solver.
Redesign Results
  • Required risk reduction is achieved.
    • PFDavg of 2.70 E-03 (0.0027) is less than the required 0.005 (SIL 2 rating).
  • Required spurious trip rate is achieved.
    • STRSIS of 0.034 failures/yr is less than the required 0.33 failures/yr.
  • Required overall SIL 2 rating is achieved.
PFD Calculation
  • PFDavg is the sum of PFD calculations for each component (Table 2 formulas).
Example: Solenoid Valves (1oo2 Architecture)
  • Each ESD valve carries two solenoids in 2oo2, so either solenoid failing dangerously defeats that valve: double the solenoid's undetected failure rate (λDU) from 2900 to 5800 FIT, then treat the two valve assemblies as 1oo2.
  • PFD = [(1-β) × (λDU × TI)²] / 3 + (β × λDU × TI) / 2
  • β = 0.05
  • λDU = 5800 E-09 failures/hr
  • TI = 8760 hr
  • PFD = [(1-0.05) × (5800 E-09 × 8760)²] / 3 + (0.05 × 5800 E-09 × 8760) / 2 = 2.08 E-03
STR Calculation
  • STR for one 2oo2 solenoid pair (Table 4 formula):
  • λDD = 0 failures/hr
  • λS = 6690 E-09 failures/hr
  • MTTR = 72 hours
  • β = 0.05
  • STR = (2 × 6690 E-09 × (6690 E-09 + 0) × 72) + 0.05 × (6690 E-09 + 0) = 3.4 E-07 failures/hr
  • The STR is then doubled because the two valve assemblies are in 1oo2 architecture (either one tripping trips the SIF); therefore, the STR equals 6.8 E-07 failures/hr for the solenoid valves.
SIL Rating
  • The overall SIL rating is equal to the lowest SIL rating of any component (Table 5).
  • For example, calculate the SIL allowed for the ESD valve. The ESD valve is a type A component in 1oo2 architecture, which provides an HFT of one (1).
  • λDU = 2378 E-09 failures/hr
  • λ = λDD + λDU + λS = 0 + 2378 E-09 + 2153 E-09 = 4531 E-09 failures/hr
  • SFF = 1 - (λDU / λ) = 1 - (2378 E-09 / 4531 E-09) = 1 - 0.525 = 0.475 or 48%
  • An SFF of less than 60% (<60%) and an HFT of one for a type A component allows for a SIL rating of two (2).

SRS Specifications

Required Information for Each SIF
  • Description of the SIF (what it does and its components).
  • Common cause failures.
  • Safe state definition.
  • Proof test intervals.
  • Response time to bring the process to a safe state.
  • Safety Integrity Level (SIL) rating.
  • Process measurements and their trip points.
  • Process output actions and successful operation criteria.
  • Manual shutdown requirements.
  • Information regarding energizing or de-energizing to trip.
  • Resetting after a shutdown.
  • Maximum allowed spurious trip rate.
  • Failure modes and SIS response to failures.
  • Starting up and restarting the SIS.
  • Interfaces between the SIS and any other system.
  • Overrides / inhibits / bypasses and how they are cleared.
  • Actions following a SIS fault detection.

Self-Test

  1. What does the acronym STR stand for?
  2. List three (3) methods used to calculate the average probability of failure on demand.
     a)
     b)
     c)
  3. Calculate the PFD using simplified equations given the following information.
    • Two identical ESD valves in a 1oo2 architecture.
    • A common cause beta factor of 3%.
    • A proof test time interval of 8760 hours.
    • A dangerous undetected failure rate of 2050 failures per billion hours.
  4. Calculate the STR in failures per year using simplified equations given the following information.
    • A level switch.
    • A safe failure rate of 118 failures per billion hours.
    • A dangerous detected failure rate of 131 failures per billion hours.
  5. Calculate the allowed SIL rating given the following information.
    • Three identical level switches (Type A) in a 2oo3 architecture.
    • A safe failure rate of 118 failures per billion hours.
    • A dangerous detected failure rate of 131 failures per billion hours.
    • A dangerous undetected failure rate of 24 failures per billion hours.
  6. Using the RBD in Figure 6, answer the following questions.
     a) What is the PFDavg for this SIF and its SIL rating?
     b) What is the STRSIS for this SIF in failures per year?
     c) What is the overall allowed SIL for this SIF?

Self-Test Answers

  1. Spurious trip rate.
  2. a) Simplified equations
     b) Fault tree analysis
     c) Markov analysis
  3. PFD = 3.74 E-04
     The PFD for 1oo2 architecture is as follows:
     PFD = [(1-β) × (λDU × TI)²] / 3 + (β × λDU × TI) / 2
     β = 0.03
     λDU = 2050 E-09 failures/hr
     TI = 8760 hr
     λDU × TI = 2050 E-09 × 8760 = 0.01796
     PFD = [0.97 × (0.01796)²] / 3 + (0.03 × 0.01796) / 2 = 1.04 E-04 + 2.69 E-04 = 3.74 E-04
  4. STR = 0.00218 failures/year
     The STR for 1oo1 architecture is as follows:
     STR = λS + λDD
     λDD = 131 E-09 failures/hr
     λS = 118 E-09 failures/hr
     STR = 249 E-09 failures/hr × 8760 hr/yr = 0.00218 failures/yr
  5. Allowed SIL rating is SIL 4.
     The switch's 2oo3 architecture provides an HFT of one (1).
     λDU = 24 E-09 failures/hr
     λ = λDD + λDU + λS = 131 E-09 + 24 E-09 + 118 E-09 = 273 E-09 failures/hr
     SFF = 1 - (λDU / λ) = 1 - (24 E-09 / 273 E-09) = 1 - 0.088 = 0.91 or 91%
     An SFF of 90 to 99% and an HFT of one for a type A component allows for a SIL rating of four (4).
  6. a) PFDavg = 2.18 E-03, SIL 2
     b) STRSIS = 0.171 failures per year
     c) SIL 2