Similar literature
20 similar documents found.
1.
Safety instrumented systems (SIS) are becoming increasingly complex, and form a growing proportion of programmable electronic parts. The IEC 61508 global standard was established to ensure the functional safety of SIS; however, it was expressed in highly macroscopic terms. The safety integrity level (SIL) is a criterion describing whether a component meets the safety requirements of a SIS. The safety requirements give a target SIL for the expected risks using hazard analysis and risk assessment (HARA). The SIL must correspond to the safety requirements. This study introduces an evaluation process for determining the hardware SIL through failure modes, effects, and diagnostic analysis (FMEDA). First, the components of the SIS subsystem are defined in terms of failure modes and effects, and then the failure rate and failure mechanism distribution are assigned to each component. The safety mode and detectability of each failure mode are determined for each component and, finally, the hardware SIL is evaluated. We perform a case study to evaluate the hardware SIL of the flame scanner system using HARA and FMEDA, where the safety requirement of the flame scanner was determined using the risk graph method. We verified that the hardware SIL of the flame scanner corresponded to the safety requirement.

2.
Applying the IEC 61508 standard to guide the implementation of safety function targets for urban rail transit equipment
The IEC 61508 standard sets out the functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems and has become the basic and core standard for the functional safety of such systems. Urban rail transit equipment increasingly uses electrical/electronic/programmable electronic systems (E/E/PES), and ensuring that the functional safety targets of this equipment are actually implemented is an important part of both project construction and operational safety.

3.
The international standards IEC 61508 and IEC 61511, which provide a general framework for the design and implementation of safety instrumented systems, require quantification of the achieved risk reduction, expressed as a safety integrity level (SIL). Human and organisational factors affect the performance of safety instrumented systems during operation and may threaten the achieved SIL, but this is usually not explicitly accounted for. This article presents a new approach to address human and organisational factors in the operational phase of safety instrumented systems. This approach gives a prediction of the operational SIL and can also be used to improve safety. It shows which human and organisational factors are most in need of improvement and it provides guidance for preventive or corrective action. Finally, the approach can be used as part of a SIL monitoring strategy in order to maintain the achieved SIL at the required level during the operational phase.

4.
Functional safety is related to the safety functions of a safety-related system that uses electrical/electronic/programmable (E/E/PE) devices such as sensors, logic solvers, and final elements. A legacy system is a safety-related system which offers safety functions but which was not designed to comply with the IEC 61508 standard. This paper presents a procedure for assessing the hardware safety integrity of a legacy system so as to confirm its functional safety. The procedure defines the systematic relationship between the safety function and hardware system using a function-structure map (FSM) and assesses the hardware safety integrity centered on the safety function. The proposed procedure is applied to a boiler control system of a fossil-fuel power plant.

5.
To improve the accuracy of unavailability calculations for safety instrumented systems (SIS) and reduce the uncertainty bias in SIL verification, this study examines the deviation between the constant-failure-rate algorithm of the functional safety standard IEC 61508 and an actual non-constant-failure-rate (Weibull distribution) algorithm at parameter-estimation confidence levels of 70% and 90%. The results show that at 70% confidence, PFDavg calculated with the exponential-distribution algorithm is larger than that calculated with the Weibull-distribution algorithm, with a mean relative deviation of 68.01%; at 90% confidence the mean relative deviation is 42.63%. This reveals that the constant-failure-rate calculation of IEC 61508 significantly overestimates SIS unavailability, which may lead enterprises to carry out unnecessary rectification and incur the corresponding maintenance costs.

6.
Design philosophy of safety control systems
This paper introduces IEC 61508, the international standard in the field of safety control, and gives the technical indicators corresponding to the four safety integrity levels (SIL). The design philosophy of safety control systems is set out from three aspects: control of hardware faults, avoidance of systematic faults, and design of safety system software. For hardware fault control, 1oo2D and 2oo3 systems are compared and the corresponding SIL calculation methods are given. For the avoidance of systematic faults, six principles and methods of system design are proposed. Three design methods for safety system software oriented to process control with high real-time requirements are introduced.

7.
The International Standards for Functional Safety (IEC 61508 and IEC 61511) are well recognised and have been adopted globally in many of the industrialised countries during the past 10 years or so. Conformance with these standards involves determination of the requirements for instrumented risk reduction measures, described in terms of a safety integrity level (SIL). During this period within the process sector, layer of protection analysis (LOPA) has become the most widely used approach for SIL determination. Experience has identified that there is a type of hazardous event scenario that occurs within the process sector that is not well recognised by practitioners, and is therefore not adequately handled by the standard LOPA approach. This is when the particular scenario places a high demand rate on the required safety instrumented function. This paper will describe how to recognise a high demand rate scenario. It will discuss what the standards have to say about high demand rates. It will then demonstrate how to assess this type of situation and provide a case study example to illustrate how to determine the necessary integrity level. It will conclude by explaining why it is important to treat high demand rate situations in this way and the resulting benefit of a lower but sufficient required integrity level.

8.
Standards such as IEC 61508 and IEC 61511 provide methods for assessing the safety integrity level of safety instrumented systems for continuous process units. For the SIL assessment of batch units, however, the level of influence of human factors is not made explicit and no corresponding calculation model is given. Taking a typical SIS of a batch lithium hexafluorophosphate production unit as an example, risk analysis was carried out using HAZOP combined with LOPA. Having established that the batch production unit carries risks of personnel poisoning, asphyxiation, and fire and explosion, the SIL of its safety instrumented system was determined and verified. Then, in view of the high dependence of batch production units on manual operation (some safety instrumented systems are not connected to automatic interlocks and must be triggered manually), a human reliability model was established to analyse the influence of human reliability on the SIL of the safety instrumented system, and improvements were studied. The results show that human factors have a significant influence on the SIL of the safety instrumented system, and that the SIL can be raised by changing the redundancy architecture and test strategy of SIS components in combination with improved human-factor management measures.

9.
This paper introduces electrical/electronic/programmable electronic systems in the automotive industry; analyses the early automotive life-cycle process, the integration of vehicle development with safety, and the composition of the automotive functional safety life cycle; studies the process by which IEC 61508 functional safety was adapted into a safety standard suitable for the automotive industry; explains several important concepts in automotive functional safety; and presents several methods of automotive functional safety analysis together with their advantages and disadvantages.

10.
The functional safety requirement is widely applied in the process plant industry in accordance with the international standards, such as IEC and ISA. The requirement is defined as safety integrity level (SIL) based on the risk reduction concept for protection layers, from original process risk to tolerable risk level. Although the standards specify both, the Prevention System and the Emergency System, as level of protection layers, the standards specify in detail only the use of the Prevention System (i.e., Safety Instrumented System (SIS)). The safety integrity level is not commonly allocated to the Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System). This is because the required risk reduction can be normally achieved by only the Prevention System (i.e., SIS and Pressure Safety Valve (PSV)). Further, the risk reduction level for the Emergency System is very difficult to be quantified by the actual SIL application (i.e., evaluated based on the single accident scenario, such as an accident from process control deviation), since the escalation scenarios after Loss of Containment (LOC) greatly vary depending on the plant design and equipment. Consequently, there are no clear criteria for evaluating the Emergency System design. This paper aims to provide the functional safety requirement (i.e., required risk reduction level based on IEC 61508 and 61511) as design criteria for the Emergency System. In order to provide clear criteria for the Emergency System evaluation, a risk reduction concept integrated with the public's perception of acceptable risk criteria is proposed and is applied to identify the required safety integrity level for the Emergency System design.
Further, to verify the safety integrity levels for the Emergency Systems, the probabilistic model of the Emergency Systems was established considering each Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System) relation as the Overall Emergency System. This is because the Overall Emergency System can achieve its goal by the combined action of each individual system, including inherent safe design, such as separation distance. The proposed approach applicability was verified by conducting a case study using actual onshore Liquefied Natural Gas Plant data. Further, the design criteria for Emergency Systems for LNG plants are also evaluated by sensitivity analysis.

11.
Modern industrial control systems face increasingly severe cybersecurity problems, so cybersecurity measures are being applied ever more widely within them. Whether these cybersecurity measures affect the existing functional safety measures, whether potential contradictions and conflicts exist between the two, and how the two can operate compatibly and effectively are questions for which the industry has no recognised, implementable solution. To ensure reliable execution of the safety functions of industrial control systems while effectively resisting increasingly serious cyber attacks, a technical scheme suited to industrial control systems that ensures mutual compatibility between cybersecurity and functional safety measures must be explored. Taking a typical SIL 3 and SL 3 industrial control system as an example, and starting from the functional safety measures, the cybersecurity measures are traversed one by one to identify potential contradictions between the two; a coordinated functional safety and cybersecurity solution is then given using a method combining event trees and risk analysis, yielding integrated functional safety and cybersecurity protection measures for industrial control systems.

12.
A systematic approach to the assessment of thermal risks linked with the performance of exothermal reactions at industrial scale was proposed a long time ago. The approach consisted of a runaway scenario starting from a cooling failure and a classification of these scenarios into criticality classes. In the meantime these tools became quite popular and many chemical companies use them. Recently, the international standard IEC 61511 required the use of protection systems with reliability depending on the risk level. Since the criticality classes were developed as a tool for the choice of risk reducing measures as a function of the criticality, it seems obvious that the criticality classes may be used in the context of the standard IEC 61511, which provides a relation between the risk level and the reliability of protection systems. Firstly, the runaway scenario and the criticality classes will be shortly described. Secondly, the assessment criteria for severity and probability of occurrence of a runaway scenario will be described together with the required data and their interpretation in terms of risk. Thirdly, the assessment procedure is exemplified for the different criticality classes. Finally, the design of protection measures against runaway and the required IPL and SIL are based on the risk assessment obtained from the criticality classes. This approach allows minimising the required data set for the safety assessment and for the definition of the protection system designed in order to avoid the development of the runaway.

13.
This paper provides an overview of the concepts of "risk" and "safety-integrity" in relation to safety-related electrical/electronic/programmable electronic systems. The paper is an abridged version of Annex A of the emerging International Electrotechnical Commission (IEC) Standard "Functional safety of electrical/electronic/programmable electronic systems". Although based on Annex A, the authors have deviated in a few instances from the strict wording of Annex A in order to more properly represent their own views. Where this occurs, a note in the text has been added to alert the reader of the deviation. The concepts of risk (including tolerable risk; safety integrity; safety-related system; System and Software Integrity Levels) are discussed.

14.
武潭, 高晓蕾, 刘静怡, 徐博. 《安全》 (Safety), 2019, 40(1): 28-33
On the basis of introducing the fundamentals of safety instrumented systems and safety integrity levels, this paper comprehensively analyses the application of system risk analysis theories such as hazard and operability analysis (HAZOP) and layer of protection analysis (LOPA), and, combining these theories, determines the safety integrity level (SIL) classification of safety instrumented systems. Taking an ammonia synthesis unit as an example, HAZOP and LOPA are applied to derive the SIL for two scenarios: excessively high synthesis converter pressure and excessively low waste-heat boiler level. The results show that the SIL of the synthesis converter instrumentation is 1 and the SIL of the waste-heat boiler instrumentation is 2.

15.
Safety integrity level (SIL) verification of functional safety fieldbus communication is an essential part of SIL verification of a safety instrumented system (SIS), and it requires quantifying the residual error probability (RP) and residual error rate of functional safety communication. The present quantification method of residual error rate uses the RP of the cyclic redundancy check (CRC) to approximately replace the total RP of functional safety communication. Since the CRC only detects data integrity-related errors and has an intrinsic undetected error probability, some other residual errors are not considered. This research identified such residual errors in the present quantification method. It then presents an extended new approach, which takes the identified residual errors into account to determine a more comprehensive and reasonable RP and residual error rate. From the perspective of the composition of the safety message, this research studies the RPs of the controlling segments (sequence number, time expectation, etc.) to cover the identified residual errors beyond CRC detection coverage, and the influences of insertion/masquerade errors and of the time window on RP are investigated. The results show that these residual errors, especially insertion/masquerade errors, may have a great influence on the quantification of residual error rate and on SIL verification of functional safety communication, and that they should be treated seriously.

16.
Oil and gas stations are generally equipped with non-conventional safety instrumented functions (SIF) involving operator intervention, such as emergency shutdown (ESD) systems, and existing safety integrity level (SIL) assessment methods cannot evaluate the functional safety of such SIFs. This study investigates non-conventional SIFs with operator intervention, subdividing the human factor into three stages: observation, decision and execution. Based on the advantages and disadvantages of the various human reliability analysis methods, CREAM and HCR were selected to analyse, respectively, the influence of the emergency situational environment and of emergency response time on the human failure probability of non-conventional SIFs, and a SIL verification model accounting for human reliability was established. Using this model, a typical SIF of an oil transfer station was selected for SIL assessment, the level of influence of human failure on the overall reliability of the SIF was analysed, and improvement measures were proposed. The results show that introducing the human failure probability of the operator's emergency response process into the conventional SIL verification model makes functional safety evaluation of non-conventional SIFs possible; human failure has a significant influence on non-conventional SIFs, and the selected human reliability models can accurately calculate the human failure probability.

17.
Anyone who has been involved in the application of IEC 61508 and IEC 61511 by undertaking Safety Integrity Level (SIL) determination for Safety Instrumented Systems (SIS) will appreciate the amount of effort and tenacity required to get the job done; but it is like climbing to the top of a hill only to be faced with a mountain when we come to consider what is involved in reviewing or configuring a typical alarm system. A medium sized process facility may have a few hundred or so primary Safety Instrumented Functions (SIF) or trips configured into a Safety Instrumented System, but the number of alarms configured into a process control system (PCS) that need to be assessed and prioritised can often run into the thousands. There is synergy between safety instrumented functions and alarms because both contribute to reducing the risk of unwanted events, and both need an appropriate assigned criticality. This paper details various methods of criticality assessment which have been successfully applied to set the appropriate priority, identify the critical alarms that need to be upgraded to trips, and rationalise those of no value. It will also cover the use of software tools which can significantly reduce the effort involved in this process.

18.
To optimise the determination of the safety integrity level (SIL) of safety instrumented systems (SIS) in chemical plants, the shortcomings of existing SIL determination methods are analysed and, in view of the missing and uncertain failure data characteristic of chemical plants, a fuzzy fault tree analysis combined with layer of protection analysis (FFTA-LOPA) model is proposed to calculate the SIS SIL. Taking a low-density polyethylene reactor as an example, a fault tree for reactor explosion was built, fuzzy theory was used to quantitatively analyse the probability of the top event, and the safety integrity level of its safety instrumented system was finally determined as SIL 1. The results show that the method combines two risk analysis theories, that its results agree well with actual and theoretical statistical results, and that it has a degree of accuracy and practicality and can provide theoretical guidance for quantitatively determining the system SIL.

19.
The risk graph (RG) is widely used to evaluate the safety integrity level (SIL) of safety instrumented systems (SIS). However, subjective opinion-based conventional RGs cannot provide successful results when risk parameters are affected by shortages or a lack of data; hence, the output of a conventional approach lacks sufficient reliability. We introduced the fuzzy improved risk graph (FIRG), an extension of fuzzy set theory, to deal with possible ambiguities during a SIL study and increase the reliability of conventional RGs. In the present study, the levels of consequences defined as linguistic terms were converted into qualitative intervals; therefore, by correlating the proposed approach with experts' opinions and attributing weight factors, a desired SIL value was obtained. The output of this new approach can be compared directly with quantitative risk assessment techniques to improve the safety performance of industrial systems.

20.
To analyse the functional completeness and reliability of safety instrumented systems at LNG refuelling stations, three typical class-III LNG refuelling stations were taken as research objects, and safety instrumented function identification, safety integrity level (SIL) classification and SIL verification were carried out in full, followed by targeted improvement recommendations. The results show that the safety instrumented systems of all three LNG refuelling stations suffer from incomplete functions and a lack of failure data for equipment components; to meet risk control requirements, a class-III LNG refuelling station needs 15 safety instrumented functions, of which 1 should reach SIL 2 and 14 should reach SIL 1; and the safety instrumented systems of LNG refuelling stations should use equipment components with functional safety certification, with SIL assessment carried out at the design stage. The findings provide an important reference for the future design and management of safety instrumented systems at LNG refuelling stations.


Copyright©北京勤云科技发展有限公司  京ICP备09084417号