Functional Safety Questions & Answers

What is PHA ?

Process Hazard Analysis: First step in an organized and systematic assessment of the potential hazards associated with an industrial process.

What is LOPA ?

Layer of Protection Analysis: A PHA tool that starts with data developed in the Hazard and Operability analysis and accounts for each hazard by documenting and initiating cause and protection layers that prevent or mitigatre the hazard.

What is SIS ?

Safety Instrumented System: IEC61511 defines SIS as an “instrumented system used to implement one or more safety instrumented functions. Composed of any combination of sensors, logic solvers, and final elements.”

What is SIF ?

Safety Instrumented Function: Designed to respond to the conditions within a plant that may be hazardous in themselves, or if no action is taken, could result in a hazardous event. Each SIF is assigned a particular SIL.

What is SIL ?

Safety Integrity Level: The output of the Process Hazards Analysis effort is the operational definition and the assignment of a SIL rating to each safety loop.SIL 3 is the highest rating used in the process industries.

What is SFF ?

Safe Failure Fraction: To achieve a specific SIL, a DEVICE must have less than the specified SFF. Probablilities are calculated using a FMEDA.

What is PFDavg ?

Probablity of failure on demand: To achieve a specific SIL, a DEVICE must have less than the specified PFDavg. Probablilities are calculated using a FMEDA.

What is FMEDA ?

Failure Modes, Effects, and Diagnostic Analysis. Actual targets required for DEVICES vary depending on the likelihood of a demand, the complexity of the devices, and the types of redundancy used.

Abbreviation of IEC ?

International Electrotechnical Commission

SIF vs SIL Relation

Based on the specific process application, a risk reduction factor (SIL rating) must be defined for each safety loop (SIF) The required SIL of a specific SIF is determined by taking into account the required risk reduction factor provided by that function. SIL varies for SIFs that operate continuous vs demand mode.

 What is IEC-61508 ?

SIS Hardware/Software Design Guidance: Targeted at suppliers of systems used for the reduction of risk. Defines standards for functional safety of electrical/electronic/programmable electronic (E/E/PE) safety related systems.

What is Functional Safety ?

The overall program to ensure that the safety-related E/E/PE system brings about a safe state when called upon to do so.

Parts of IEC-61508 ?

General safety requirements, specific system and software requirements, and guidelines to applications.

IEC-61508 SIS Vendor Software Quality Plan ?

Part 3, Clause 7 includes software safety lifecycle requirements:

• 7.1: General requirements
• 7.2: Software safety requirements specification
• 7.3: Software safety validation planning
• 7.4: software design and development
• 7.5: programmable electronics integration (hw and sw)
• 7.6: software operation and modification procedures
• 7.7: software safety validation
• 7.8: software modification
• 7.9: software verification

 IEC61508-3 ANNEX A

provides a listing of “techniques and measures” used for software development where different development techniques are chosen depending on SIL level of software

IEC61508-3 ANNEX B

Nine detailed tables of design and coding standards as well as analysis and testing techniques that are to be used in the safety-related software development, depending on the SIL of the software and in some cases the choice of the development team.

IEC61511

SIS Design Guidance for the Process Industry Sector

2 parts of IEC61511

The safety lifecycle and safety integrity levels.

Safety Lifecycle

The engineering process that includes all of the steps necessary to achieve required functional safety

Basic philosophy behind the safety lify cycle

Develop and document a safety plan, execute that plan, document its execution (to show that the plan has been met) and continue to follow that safety plan through decommissioning – with further appropriate documentation being generated throughout the life of the system.

IEC61511-1

Framework, definitions, system, hardware and software requirements

IEC61511-2

Guidelines on the application of 61511-1

IEC61511-3

Guidance for the determination of the required safety integrity levels

IEC61511 vs ANSI/ISA-84.00.01-2004

Standards mirror each other with the exception of the “grandfather clause” in ISA-84. Each has 3 main parts, but ISA-84 also includes a series of technical reports

ISA-84 Grandfather Clause

“For existing SIS designated and constructed in accordance withcodes, standards and practices prior to the issuance of ISA-84, the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner” originated with OSHA 1910.119

Safety Lifecycle – Throughout the Lifecycle

• Management of functional safety and functional safety assessment and auditing
• Safety lifecycle structure and planning
• Verification

Safety Lifecycle – Analysis Phase

• Hazard and risk assessment
• Allocation of Safety Functions to protection layers
• Safety requirements specifications for the SIS

SMS

Safety Management System: Ensures that functional safety objectives are met and appropriate auditing processes are defined.

SRS

Safety Requirements Specification: document that ensures the safety requirements are adequately specified prior to proceeding to detailed design.

Safety Lifecycle – Implementation Phase

• Design and Engineering of SIS
• Design and development of other means of risk
• Installation, commissioning, and validation

Safety Lifecycle – Operation Phase

• Operation and maintenance
• Modification
• Decommissioning

Common PHA Methods

• Checklist
• What if?
• What if/checklist
• HAZOP
• FMEA (Faliure mode effect analysis)
• Fault tree analysis
• Event tree analysis
• LOPA

Assignment of SIL

There are no regulations to assign a SIL to a particular process or hazard. The SIL assignment is a company based decision based on risk management and risk tolerance philosophy.

Does OSHA require an SIS?

NO, but . . . “ANSI/ISA S84.01-1996 does mandate that companies should design their safety instrumented system to be consistent with similar operating process units within their own companies and at other companies. Likewise, in the US, ASHO PSM and EPA RPM require that industry standards and good engineering practice be used in the design and operation of process facilities. This means that the assignment of safety integrity levels must be carefully performed and thoroughly documented.”

Common methods used to convert PHA data into SIL?

• Modified HAZOP
• Consequence only
• Risk matrix

Modified HAZOP

SIL assignment method – Actually an extension of HAZOP and relies on SUBJECTIVE assignment based on the team’s expertise. Since it’s subjective, team memeber consistency from project to project needs to be addressed.

Consequence Only

SIL assignment method – Uses estimation of potential consequence of the incident and doesn’t take into effect the frequency.Simplest to use, but most conservative.

Risk Matrix

SIL assignment method – provides correlation of risk severity and risk likelyhood to the SIL, based on EVENT SEVERITY and EVENT LIKELIHOOD. Commonly used.

Risk Graph

SIL assignment method – provides correlation of:

• Consequence
• Frequency and exposure time
• Possibility of avoiding the hazardous event
• Probability of the unwanted occurrence

Quantitative Assessment (i.e. fault tree or process demand)

SIL assignment method – determines the process demand or incident likelihood and requires an extensive understanding of potential causes and probability of failure. MOST RIGOROUS TECHNIQUE!

Company Mandated SIL

SIL assignment method – assumes that the greatest cost increase occurs when a SIL is greater than 1; therefore, the company takes the approach that all SIFs shall be SIL3. This assignment is the least time comsuming, reduces documentation of SIL selection and ensures consistency.

Failure Rates of SIS Components

• 50% – Final element (Valve, etc.)
• 42% – Sensor (switch, transmitter, etc.)
• 8% – Logic solver

Abbreviation of FMEA

Failure Modes and Effects Analysis

Common Cause Failure

Failure which is the result of one or more events, causing failures of two or more seperate channels on a multiple channel system, leading to system failure.

Common Mode Failure

Failure of two or more channels in the same way, causing the same erroneous result

Dangerous Failure

Failure which has the potential to put the safety instrumented system in a hazardous or fail-to-function state

External Risk Reduction Facilities

Measurs to reduce or mitigate the risks, which are seperate and distinct from the SIS

Final Element

Part of a safety instrumented system which implements the physical action necessary to achieve a safe state.

Impact Analysis

Acitivity of determining the effect that a change to a function or component will have to other functions or components in that system as well as to other systems

Mitigation

Action that reduces the consequences of a hazardous event

Protection Layer

Any independant mechanism that reduces risk by control, prevention or mitigation

Proven-In-Use

When a documented assessment has shown that there is appropriate evidence, based on the previous use of a component, that the component is suitable for use in a safety instrumented system

Safety

Freedom from unacceptable risk

Systemic Failure

Failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or the manufacturing process, operational procedures, documentation or other relevent factors

IEC61131-3

Deals with programming languages and defines 2 graphical (LD=ladder and FBD = function block diagram) and 2 textual (ST = structured text and SFC = sequential function chart)

IEC62061

Machine Safety Standard

Breakout of Safety I/O Type in Process Industry

• SIL1 – 51%
• SIL2 – 32%
• SIL3 – 8%
• SIL4 – 1%
• No SIL – 8%

Two types of Risk Analysis

• Quantitative Risk Analysis
• Qualitative Risk Analysis

Abbreviation of ALARP

As Low As Resonably Practicable

Abbreviation of RRF

Risk Reduction Factor

Abbreviation of CEM

Cause and Effect Matrices

Markov Analysis

Looks at a sequence of event and analyzes the tendency of one event to be followed by another.

The IEC 61511 standard lists goals for safety planning. List three of the five goals of safety planning

According to IEC 61511, safety planning has five goals. They are:

• ensure that the functional safety objectives and the safety integrity level objectives are achieved for all relevant modes of the process
• ensure proper installation and commissioning of the safety instrumented system
• ensure the safety integrity of the safety instrumented functions after installation
• maintain the safety integrity during operation (e.g., proof testing, failure analysis, etc.)
• manage the process hazards during maintenance activities on the safety instrumented system

Also Read : Safety Systems Interview Questions