SIL calculations for HIPS High Integrity Protection Systems : problems and solutions - PowerPoint PPT Presentation

Slides: 44
Provided by: JPSig
Transcript and Presenter's Notes

1
SIL calculations for HIPS (High Integrity Protection Systems): problems and solutions
- SIGNORET Jean-Pierre
2
Summary
Problem exposure
Component behaviour
Fault tree
Common cause failures
Multi Phase Markov
Petri Net
Example tools
Conclusions
3
Problem exposure
4
Typical HIPS
High Integrity (Pressure) Protection System
Over-pressure
Safety Instrumented System
Relief Valve
Size
Cost
API 14C
IEC 61508, IEC 61511
5
Standards and Referential
HIPS Committee
GS SAF 261
IEC 61511
"Hard"
"Soft"
High Integrity (Pressure) Protection System
CR HSE 042
API 14C
Normally not allowed
Referential to be strictly applied
Derogation needed
GS SAF 260
IEC 61508
6
High Integrity Protection Systems
Process Sector Safety Instrumented System
Standards: IEC 61511, IEC 61508
- Designers - Integrators - Users
- Manufacturers - Suppliers
Very interesting but ... some difficulties
7
Safety Integrity Level - Principle -
Safety Integrity Function
No clear relationship with safety! This parameter is not really relevant
Redundancy
Fault Tolerance
"Ratio" of revealed Failures ?
"Safe Failure Fraction"
PFD
SIL4
SIL1
SIL3
SIL2
8
Beware of certified SIL components
Type of logic
Loss of power
Emission of power
Safe
Unsafe
Failure mode
Not in line with IEC standards
Effects are system dependent
SIL on the shelf?
  • Effects of component failures
  • are not "intrinsic"
  • but are system dependent

9
Safety Integrity definition(s)
IEC 61511: Safety Integrity = Average probability of a SIS satisfactorily performing the required SIF under all the stated conditions within a stated period of time
Actually an "Average Availability"
IEC 61508: Safety Integrity = Probability of a SIS satisfactorily performing the required SIF under all the stated conditions within a stated period of time
Actually a "Reliability"
Be cautious: a "Probability of Not Functioning on Demand" is not a true "Probability of Failure on Demand"
Confusion with a failure "due" to the demand
10
Calculation Problems: IEC 61508 Appendix 6
Stop !!!
Other Solutions are needed
Not general
Fault Tree
Difficult to use
Ad-hoc formulae
Difficult to improve
MARKOV
Difficult to manage for a whole system
PETRI Nets
11
Component behaviour
12
Failure taxonomy (decision tree as drawn on the slide)
Component failure, Safe: spurious failure, repair starts
Component failure, Unsafe: revealed failure? Yes: repair starts. No: diagnostic test (logic solver)? Yes: repair starts. No: periodic test 1? Yes: repair starts, No: no repair. Periodic test 2? Yes: repair starts, No: no repair
Component failure, Others: not relevant
13
Component behaviour
ARALIA Workshop
Valid only if EUC is shut down when testing and repairing!!!
14
Single Tested Component Parameters
The commonly used parameters (non-aging components):
λ: Failure rate (1 / MTTF)
τ: Test interval
If no shut down during repair:
μ: Repair rate (1 / MTTR)
To be analysed and used when relevant:
θ: 1st test interval (staggering tests)
γ: Probability of failure on demand (failure due to the test itself)
σ: Test coverage (probability of not detecting a failure)
ω: Probability of reconfiguration error after testing
π: Test duration (important when components are off line during tests)
15
Policy upon partial failure / test (2oo3 example, channels 1, 2, 3)
No dangerous failure detected: nothing, remains in 2oo3 (λ, τ valid only in this case)
1st dangerous failure detected OR 1 channel off line (under test) OR 1 channel under repair: remains in 2oo2, or modified in 1oo2, or transformed into a safe failure > 1oo2, or shut down, etc.
2nd dangerous failure detected: shut down
16
Fault tree
17
Fault Tree OR Gate (2 components, λ = 1e-4, τ = 1000, each 5e-2 = λτ/2)
Correct calculations: Max 1.81e-1, Mean 9.37e-2
Staggering: Max 1.39e-1, Mean 9.01e-2
Usual calculations: 9.75e-2
  • Conservative
  • No max value
  • Staggering not possible
18
Fault Tree AND Gate (2 components, each 5e-2 = λτ/2)
Correct calculations: Max 9.05e-3, Mean 3.13e-3
Staggering: Max 4.6e-3, Mean 1.92e-3
Usual calculations: 2.25e-3
  • Non conservative for common test policy
  • No max value
  • Staggering not possible
19
Beware of approximations
Even with the simplest hypothesis this can lead to non conservative results
Using average values (PFD per IEC 61508/61511) is irrelevant for periodically tested systems
1oo1, 1oo2, 1oo3
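To make the saw-tooth behaviour behind the OR/AND gate figures of slides 17 and 18 concrete, here is an added Python example (not code from the presentation or from the ARALIA tool): it samples the instantaneous unavailability of periodically tested, non-aging channels (repair time neglected, as on those slides), returns max and mean over one test period with or without staggering, the fraction of time spent in each SIL zone, and the "usual" λτ/2 hand calculation for comparison. The SIL bands are the IEC 61508 low-demand PFDavg bands; the values λ = 1e-4 and τ = 1000 are the slides' own.

```python
import math

def sil_zone(pfd):
    """SIL band of an instantaneous or average PFD value, using the
    IEC 61508 low-demand bands (0 means worse than SIL1)."""
    if pfd >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4)):
        if pfd >= lower:
            return sil
    return 4

def unavailability(lam, t, tau, offset=0.0):
    """Saw-tooth unavailability of a non-aging channel: failure rate lam,
    test every tau, tests shifted by offset, as-good-as-new after each
    test (repair time neglected, as on the OR/AND gate slides)."""
    return 1.0 - math.exp(-lam * ((t - offset) % tau))

def gate_profile(lam, tau, offsets, gate, steps=20000):
    """Sample one test period: return (max, mean) system unavailability
    for an OR gate (any channel failed) or AND gate (all channels failed)
    plus the fraction of time spent in each SIL zone."""
    max_u, total, zones = 0.0, 0.0, {}
    for i in range(steps):
        t = (i + 0.5) * tau / steps        # midpoint sampling
        us = [unavailability(lam, t, tau, o) for o in offsets]
        if gate == "OR":
            u = 1.0 - math.prod(1.0 - x for x in us)
        else:
            u = math.prod(us)
        max_u = max(max_u, u)
        total += u
        zone = sil_zone(u)
        zones[zone] = zones.get(zone, 0) + 1
    return max_u, total / steps, {z: n / steps for z, n in zones.items()}

def usual_pfd(lam, tau, n, gate):
    """The 'usual' hand calculation: each channel taken at its average
    lam*tau/2, combined as if the values were constant probabilities."""
    a = lam * tau / 2
    return 1.0 - (1.0 - a) ** n if gate == "OR" else a ** n

if __name__ == "__main__":
    lam, tau = 1e-4, 1000.0            # values used on the slides
    for gate in ("OR", "AND"):
        same = gate_profile(lam, tau, [0.0, 0.0], gate)
        stag = gate_profile(lam, tau, [0.0, tau / 2], gate)
        print(gate, "same tests: max %.3g mean %.3g" % same[:2],
              "| staggered: max %.3g mean %.3g" % stag[:2],
              "| usual: %.3g" % usual_pfd(lam, tau, 2, gate))
```

With the slides' values the OR gate reproduces Max 1.81e-1 / Mean 9.37e-2 and the staggered Max 1.39e-1, and the AND gate Max 9.05e-3 and staggered Max 4.6e-3; the zone fractions also show that the OR system, whose mean is in SIL1, spends about 47 % of each test period worse than SIL1.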
20
Common cause failures
21
Common Cause / Dependent Failures
A thorough analysis of CCF is needed!!! To be analysed: an in-depth analysis
Internal causes: - Design - Systematic - Manufacturing - Bad set of components - Aging - ....
Environment: - Flooding - Fire - Corrosion - Wax - ...
Utilities: - Power supply - Compressed air - Hydraulic power - ...
Human factor: - Misusing - Bad reconfiguration - No failure detection - ...
Command-Control: Logic solver
Component 1 failure, Component 2 failure, ..., Component n failure
Non simultaneous failures: detectable by test after the 1st failure
Simultaneous failures
Cascade failure
22
Independent versus Common Cause Failures (2oo3)
Independent failures are not so much negligible
CCF: λ·β·τ/2
Independent (sum over the 3 pairs): λ²(1−β)²τ²
λ = 1e-4, τ = 1000
Equality ⇒ β² − (2 + 1/(2λτ))·β + 1 = 0
  • β = 14.6 %
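As an added worked example (not from the presentation), the breakeven computation behind the 14.6 % figure: the CCF share β·λ·τ/2 of a 2oo3 group against the independent share λ²(1−β)²τ² with all channels tested together, using the slide's λ = 1e-4 and τ = 1000, and the quadratic in β that their equality gives.

```python
import math

def ccf_contribution(lam, tau, beta):
    """Mean unavailability caused by common cause failures of a 2oo3
    group: CCF rate beta*lam, tested every tau, so beta*lam*tau/2."""
    return beta * lam * tau / 2

def independent_contribution(lam, tau, beta):
    """Mean unavailability caused by two independent failures in a 2oo3
    group tested simultaneously: 3 pairs, each (lam_i*tau)^2/3, with the
    independent rate lam_i = (1-beta)*lam, i.e. ((1-beta)*lam*tau)^2."""
    return ((1 - beta) * lam * tau) ** 2

def breakeven_beta(lam, tau):
    """Beta for which both contributions are equal. Setting
    ((1-beta)*lam*tau)^2 = beta*lam*tau/2 and dividing by (lam*tau)^2
    gives beta^2 - (2 + 1/(2*lam*tau))*beta + 1 = 0; the root below 1
    is the physical one."""
    p = 2 + 1 / (2 * lam * tau)
    return (p - math.sqrt(p * p - 4)) / 2

if __name__ == "__main__":
    lam, tau = 1e-4, 1000.0          # values used on the slide
    for beta in (0.02, 0.05, 0.10, breakeven_beta(lam, tau)):
        print("beta=%.3f  CCF=%.2e  independent=%.2e" % (
            beta, ccf_contribution(lam, tau, beta),
            independent_contribution(lam, tau, beta)))
```

For the usual β = 10 % the independent share (8.1e-3) is larger than the CCF share (5e-3), which is the slide's point: neglecting independent failures is not conservative here.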
23
Common Cause Failures
Tests staggering effect
β factor, β = 10 %
Max 1.4e-2 Mean 7.3e-3
Max 3.5e-2 Mean 1.4e-2
  • λ = 1e-4
  • τ = 1000

24
CCF Shock model
Lethal shock
Max 3.27e-2 Mean 1.26e-2
Max 1.35e-2 Mean 3.33e-3
CCF
Almost half a SIL level
γ
γ = 0.5
Non lethal shock
25
EXAMPLE
Reveal.
Tested
Systematic
Non conservative for the common test policy
Max 4.94e-4 Mean 2.27e-4
Max 2.55e-4 Mean 1.51e-4
PDS Method
1.9e-4
26
Typical results ARALIA
Time spent in various SIL zones
Components tested at the same time: maximum value "PFD" in SIL2, SIL3; average 6.94e-4
Staggering tests: SIL3, SIL3; average 4.46e-4; max. decrease; more CCF tests
27
Multi Phase Markov
28
Simple Example: 2oo3 Subsea voting system
Fault tree unable to model logic changes (1/2, Test)
Fault tree unable to model repair after 2 failures (1st failure, 2nd failure, Repair, Test)
Fault tree unable to model rig mobilization
29
Multiphase Markov Principle
Markov graph phase, linking matrix
t = 0, phase 1, 1st test, phase 2, 2nd test, ...
T: test interval
30
Multi Phase Markov Process GRIF
Markov graph: 2oo3 (working / failed), REPAIR, 1oo2
Linking matrix (state just before test, state just after test, probability):
1 to 1, 2 to 5, 3 to 8, 4 to 8, 5 to 5, 6 to 8, 7 to 8, 8 to 8, each with probability 1.
31
Petri Net model
32
Petri Net sensor
Component runs again
End of Repair
Running
W
!nbF = nbF-1
?DCC
λ
Failure
DCC
End Rep.
!nbF = nbF+1
0
?EoR
!nbF = nbF+1
Component failed
R
Repair
Wait
Waiting
Rig
Rig on location
Detection
0
d 0
Start Rep.
?StR
Start of Repair
Failure detected
D
33
Petri Net Rig mobilization
No more repairs
?nbF = 0
End of Repair
non Mobilized
Dmb
2oo3 to 1oo2
nM
2oo3 again
Demob.
! EoR
Arrival on location
! 2oo3
Do nothing
! 1oo2
End of R
μ
d2
d t() mod(t)
1 Failure
?nbF = 1
d1
Repair
R
Start of Repair
0 Failure
Periodical tests
?nbF = 0
Rig on location
!StR
d3
Start R
Rig
?nbF > 1
34
Example tools
35
Various Methodologies to handle SIS
Reliability Block Diagram
36
SIS Unavailability
Fault-Tree ARALIA Workshop (FT)
Fault tree
5.3e-2
Sensors
Valves
37
Multiphase Markov COMBAVA - Markov.
Multi Phase Markov Model
AltaRica Data Flow Language
Markovian Model

Automatic generation
SIS Unavailability
5.3e-2
38
Petri Nets Monte Carlo simulation GRIF -
Petri Nets
Monte Carlo

Petri Net

5.4e-2

39
Monte Carlo
Petri Nets Monte Carlo simulation GRIF -
Stochastic BD
Stochastic Block diagrams
Petri Net Model

Automatic generation
5.4e-2
PN Library
40
Conclusions
41
CONCLUSION -1-
Beware of IEC 61508 / 61511 definitions: don't confuse pure PFD and "Mean Unavailability"
Simple calculations with average values (i.e. PFD) lead to non conservative results
Think about Safe / Unsafe failure instead of Dangerous / Non dangerous
Mathematics for "true PFD" (, ×) are not relevant for "Mean Unavailability" calculations (∫ ∫)
Beware of SIL on the shelf from suppliers ??!!
A saw tooth curve has both an average and a maximum
Staggering tests is an efficient way to improve availability
Staggering tests is a natural way to decrease CCF impact
Formulae of IEC 61508 appendix 6 are correct but ... almost unusable
Independent failures are not so much negligible compared to CCF
42
CONCLUSION -2-
Tools: ARALIA Workshop, COMBAVA, GRIF
Build a detailed model handling all kinds of failures:
  • Revealed / hidden
  • Periodically tested / not tested
  • Repairable / non repairable
  • CCF
  • ...

Assess instantaneous unavailability
Assess maximum (Max) and average (Mean) unavailabilities and time spent in SIL zones
43
SIL barrier ?!!
Any Questions ?...
The End...