|
If you have Adobe Reader you can also download a
.pdf version. 
Applying the latest standard for Functional Safety - IEC 61511
A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith (4-sight Consulting)
Synopsis
This paper focuses on a technique for risk assessment, Layer of Protection Analysis (LOPA), that
is relatively new to Europe and compares it with two established techniques: Quantitative Risk Assessment (QRA) and Risk Graphs. It describes our experience in applying the latest standard
for functional safety “BS IEC 61511:2003 Functional Safety - Safety Instrumented Systems (SIS) for the Process Industry Sector”1. The main lessons learned are illustrated by real examples,
changed to preserve confidentiality but still illustrating relevant issues.
Acknowledgements
Section 3.5 was first published by Springer2 and we are grateful to them and the Safety Critical
Systems Club for permission to include it. The other definitions in Section 3 and Section 9 are quoted from IEC 615111.
Introduction
“Functional” and “safety” are words that have been used for centuries and, although using “functional safety” to
describe the action of a protection system is a relatively recent innovation, the meaning is clear enough. Other
terms used are less obvious and are defined in the standard and repeated below for those not familiar with
them. This paper discusses the application of three popular methods of determining Safety Integrity Level (SIL
) requirements – Quantitative Risk Assessment (QRA), risk graph methods and Layer Of Protection Analysis
(LOPA) – to process industry installations. It identifies some of the advantages and limitations of each method
and suggests criteria for identifying which of these methods is appropriate in specific situations.
Definitions
IEC 61511 covers the whole lifecycle as shown in Figure 1, but this paper is concerned only with phases 1
through 3, leading to the “Safety Requirements Specification for the Safety Instrumented System”.
Figure 1 - Lifecycle from IEC 61511
Layers of Protection
The introduction of the layers of protection concept shown in Figure 2 originates from the American approach
to Safety Instrumented Systems (SIS) in ANSI ISA-SP 84.01-19963. This American standard has been the major influence in the differences between IEC 615084 and IEC 61511 and the importance of independence
between layers and the implications of common cause issues between layers is emphasised. The allocation
of safety functions to specific layers or systems (for example a hazard may be protected by a combination of
relief valves, physical barriers and bunds and a SIS); and the contribution required of each element to the
overall risk reduction should be specified as part of the transfer of information from the risk analysis to those responsible for the design and engineering.
Figure 2 - Typical risk reduction methods found in process plants from IEC 61511-1 Figure 9
BPCS
The Basic Process Control System (BPCS) is a key layer of protection “which responds to input signals from
the process, its associated equipment, other programmable systems and/or operator and generates output
signals causing the process and its associated equipment to operate in the desired manner but which does
not perform any safety instrumented functions with a claimed SIL ≥ 1”. Note that in IEC 61508 the BPCS is part of the definition of Equipment Under Control (EUC).
SIF
A Safety Instrumented Function (SIF) is a safety function with a specified SIL which is necessary to achieve
functional safety. IEC 61511 also includes a note to explain that this normally refers to protection systems and
that if it is applied to control systems then “further detailed analysis may be required to demonstrate that the system is capable of achieving the safety requirements”.
SIS
A Safety Instrumented System (SIS) is used to implement one or more SIFs. A SIS is composed of any
combination of sensor(s), logic solver(s), and final element(s).
SIL
The two standards (IEC 61508 and IEC 61511) define Safety Integrity as “probability” of success and then
define the Safety Integrity Level (SIL) as four discrete levels (1 to 4) such that “level 4 has the highest safety
integrity”. Although the standards concentrate on “Safety” and “SIL”, the principles that they address can also
be applied to protection against environmental and financial risks; “EIL” and “FIL” can be applied analogously
with “SIL”, and Integrity Level (IL) used as a term applying to all three protection functions.
The definition of SIL is clear for those SIFs that are only called upon at a low frequency / have a low demand
rate Elsewhere the same two standards recognise that safety functions can be required to operate in quite
different ways (for example, continuously) and SIL is defined as a failure rate (in units of failures/hour). These
two different uses of the same SIL terminology have caused considerable confusion. This section of this
paper was first presented at the Safety-Critical Systems Symposium in February 2004 (SSS04)2 and
attempts to clarify the definition of SIL. Consider a car; examples of low demand functions are:
- Anti-lock braking (ABS). (It depends on the driver, of course!).
- Secondary restraint system (air bags).
On the other hand there are functions that are in frequent or continuous use; examples of such functions are:
The fundamental question is how frequently will failures of either type of function lead to accidents. The answer
is different for the 2 types:
For functions with a low demand rate, the accident rate is a combination of 2 parameters – i) the
frequency of demands, and ii) the Probability the function Fails on Demand (PFD). In this case,
therefore, the appropriate measure of performance of the function is PFD, or its reciprocal, Risk Reduction Factor (RRF). For functions that have a high demand rate or operate continuously, the accident rate is the failure
rate, λ, which is the appropriate measure of performance. An alternative measure is Mean Time
To Failure (MTTF) of the function. Provided failures are exponentially distributed, MTTF is the reciprocal of λ.
These performance measures are, of course, related. At its simplest, provided the function can be proof
-tested at a frequency that is greater than the demand rate, the relationship can be expressed as:
- PFD = λT/2 or = T/(2 x MTTF), or
- RRF = 2/(λT) or = (2 x MTTF)/T
where T is the proof-test interval. (Note that to significantly reduce the accident rate below the failure rate of
the function, the test frequency, 1/T, should be at least 2 and preferably ≥ 5 times the demand frequency.) They
are, however, different quantities. PFD is a probability – dimensionless; λ is a rate – dimension t-1. The
standards, however, use the same term – SIL – for both these measures, with the following definitions:
In low demand mode, SIL is a proxy for PFD; in high demand / continuous mode, SIL is a proxy for failure rate.
(The boundary between low demand mode and high demand /continuous mode is in essence set in the
standards at one demand per year. This is consistent with proof-test intervals of 3 to 6 months, which in many cases will be the shortest feasible interval.)
Now consider a function which protects against 2 different hazards, one of which occurs at a rate of 1 every 2
weeks, or 25 times per year, i.e. a high demand rate, and the other at a rate of 1 in 10 years, i.e. a low
demand rate. If the MTTF of the function is 50 years, it would qualify as achieving SIL1 for the high demand
rate hazard. The high demands effectively proof-test the function against the low demand rate hazard. All else being equal, the effective achieved SIL for the second hazard is given by:
- PFD = 0.04/(2 x 50) = 4 x 10-4 ≡ SIL3
So what is the SIL achieved by the function? Clearly it is not unique, but depends on the hazard and in
particular whether the demand rate for the hazard implies low or high demand mode.
In the first case, the achievable SIL is intrinsic to the equipment; in the second case, although the intrinsic
quality of the equipment is important, the achievable SIL is also affected by the testing regime. This is
important in the process industry sector, where achievable SILs are liable to be dominated by the reliability of
field equipment – process measurement instruments and, particularly, final elements such as shutdown valves – which need to be regularly tested to achieve required SILs.
The difference between these two definitions of SIL often leads to misunderstandings.
Concepts of Residual Risk, Risk Reduction and Required SIL
Both IEC 61508 & 61511 imply that the only action of a SIS is to reduce the frequency or likelihood of a hazard
. Thus the model of risk (reproduced in Figure 3) is one-dimensional. All the methods of determining SIL are based on similar principles:
Step 1 Identify the “process risk” from the process and the BPCS. Step 2 Identify the “tolerable risk” for the particular process. Step 3 If the process risk exceeds the tolerable risk, then calculate the necessary risk reduction
and whether the protection layers will operate in continuous or demand mode Step 4 Identify the risk reduction factors achieved by other protection layers Step 5 Calculate the remaining risk reduction factor (RRF) or the failure rate that should be
achieved by the SIS and thus from Table 1 or 2 the required SIL
Figure 3 - Risk Reduction Model from IEC 61511
|
SIL
|
Range of Average PFD
|
Range of RRF*
|
|
4
|
10-5 ≤ PFD < 10-4
|
100,000 ≥ RRF > 10,000
|
|
3
|
10-4 ≤ PFD < 10-3
|
10,000 ≥ RRF > 1,000
|
|
2
|
10-3 ≤ PFD < 10-2
|
1,000 ≥ RRF > 100
|
|
1
|
10-2 ≤ PFD < 10-1
|
100 ≥ RRF > 10
|
|
*This column is not part of the standards, but RRF is often a more tractable parameter than PFD.
Table 1 - Definitions of SILs for Demand Mode of Operation from IEC 61511-1 (Table 3)
|
SIL
|
Range of λ
(failures per hour)
|
~ Range of MTTF
(years)*
|
|
4
|
10-9 ≤ λ < 10-8
|
100,000 ≥ MTTF > 10,000
|
|
3
|
10-8 ≤ λ < 10-7
|
10,000 ≥ MTTF > 1,000
|
|
2
|
10-7 ≤ λ < 10-6
|
1,000 ≥ MTTF > 100
|
|
1
|
10-6 ≤ λ < 10-5
|
100 ≥ MTTF > 10
|
|
*This column is not part of the standards, but the authors have found these approximate MTTF values to be useful in the process
industry sector, where time tends to be measured in years rather than hours.
Table 2 - Definitions of SILs for Continuous Mode of Operation from IEC 61511-1 (Table 4)
The residual risk is the process risk reduced by all the risk reduction factors and will normally be less than the
tolerable risk. Identifying the tolerable risk is a major issue that is discussed in Reducing Risks, Protecting People (R2P2)5 and is beyond the scope of this paper. Identifying the frequencies of all initiating causes (or
the demand rates used in Steps 1 & 3 above) is also difficult unless excellent records of all incidents are available.
Some Methods of Determining SIL Requirements
- IEC 61508 offers 3 methods of determining SIL requirements:
- Quantitative method.
- Risk graph, described in the standard as a qualitative method.
- Hazardous event severity matrix, also described as a qualitative method.
- IEC 61511 offers:
- Semi-quantitative method (incorporating the use of fault and event trees).
- Safety layer matrix method, described as a semi-qualitative method.
- Calibrated risk graph, described in the standard as a semi-qualitative method, but by some practitioners
as a semi-quantitative method.
- Risk graph, described as a qualitative method.
- Layer of protection analysis (LOPA). (Although the standard does not assign this method a position on
the qualitative / quantitative scale, it is weighted toward the quantitative end.)
These are developments and extensions of the methods originally outlined in IEC 61508-5. They have all been
used by various organisations in the determination of SILs, but with varying degrees of success and
acceptability; and do not provide an exhaustive list of all the possible methods of risk assessment. All of these
methods require some degree of tailoring to meet the requirements of an individual company, together with
training of the personnel who will apply them, before they can be used successfully. QRA, risk graphs and
LOPA are established methods for determining SIL requirements, particularly in the process industry sector, but LOPA is less well known in the UK and is the focus of this paper.
Typical Results
|
SIL
|
Number of Functions
|
% of Total
|
|
4
|
0
|
0%
|
|
3
|
0
|
0%
|
|
2
|
1
|
0.3%
|
|
1
|
18
|
6.0%
|
|
None
|
281
|
93.7%
|
|
Total
|
300
|
100%
|
|
Table 3 - Typical Results of SIL Assessment
As one would expect, there is wide variation from installation to installation in the numbers of functions that are
assessed as requiring SIL ratings, but the numbers in Table 3 were assessed for a reasonably typical offshore
gas platform. Typically in the process sector there might be a single SIL3 requirement in an application of this
size, while identification of SIL4 requirements is very rare. If a SIL3 or SIL4 requirement is identified it is
reasonable to investigate the use made of the basic process design and other protection layers in risk
reduction and whether undue reliance is being placed on the SIS; and indicates a serious need for redesign.
After-the-Event Protection
Some functions on process plants are invoked “after-the-event”, i.e. after a loss of containment, after a fire has
started or an explosion has occurred. Fire and gas detection and emergency shutdown are the principal
examples of such functions. Assessment of the required SILs of such functions presents specific problems:
- Because they operate after the event, there may already have been consequences that they can do
nothing to prevent or mitigate. The initial consequences must be separated from the later consequences
- The event may develop and escalate to a number of different eventual outcomes with a range of
consequence severity, depending on a number of intermediate events. Analysis of the likelihood of each outcome is a specialist task, often based on event trees (Figure 4).
Figure 4 - Event Tree for After the Event Protection
QRA
Quantitative Risk Assessment is usually done with Fault Trees and Event Trees or Reliability Block Diagrams
(RBDs). Some people refer to a combination of Fault and Event Tree as a Cause-Consequence Diagram.
Figure 4 shows an example of an Event Tree and Figures 5 and 6 show a Fault Tree and a RBD.
Figure 5 - Fault Tree for Overpressure at Compressor Outlet
Figure 6 - Reliability Bock Diagram of Compressor Outlet Pressure
Normally the “Top Event” will be a particular hazard and provided that:
- appropriate failure models are chosen for each basic event or block;
- accurate data is available for the particular environment for each of the failure modes, repairs and tests; and
- all the relationships are correctly modelled; then
the frequency at which the hazard occurs, and hence the risk can be calculated (see textbooks, for example6).
The successful outcome of a QRA is highly dependent on the assumptions that are made, the detail of the
model developed to represent the hazardous event and the data that is used. However well a QRA has been
done it does not provide an absolute indication of the residual risk. A sensitivity analysis of the data and assumptions is a fundamental element of any QRA.
Risk Graph Methods
Figure 7 shows a typical risk graph. The risk graph method is described in both IEC 61508 & 61511 and is an
excellent means of quickly assessing and screening a large number of safety functions so as to allow effort to
be focused on the small percentage of critical functions. The advantages and disadvantages and range of
applicability of risk graphs are the main topic of a previous paper by W G Gulland at SSS042. The results of
that paper are given in the conclusions below. In use the risk graph needs calibration to align with a company’s corporate risk criteria.
Figure 7 - Typical Risk Graph
A serious limitation of the risk graph method is that it does not lend itself at all well to assessing “after the
event” outcomes:
Demand rates would be expected to be very low, e.g. 1 in 1,000 to 10,000 years. This is off the
scale of most of the risk graphs used. The range of outcomes from function to function may be very large, from a single injured person to
major loss of life. The outcomes are also potentially random depending on a wide range of
circumstances. Where large-scale consequences are possible, use of such a coarse tool such as
the risk graph method can hardly be considered “suitable” and “sufficient”.
The QRA and the LOPA methods do not have these limitations, particularly if the LOPA method is applied
quantitatively and, as such, are more suited to analysing “after the event” outcomes.
Layer of Protection Analysis (LOPA)
The LOPA method was developed by the American Institute of Chemical Engineers as a method of assessing
the SIL requirements of SIFs (see textbooks, for example7).
The method starts with a list of all the process hazards on an installation as identified by Hazard And
Operability Studies (HAZOPs) or other hazard identification techniques. The hazards are analysed in terms of:
- Consequence description (“Impact Event Description”)
- Estimate of consequence severity (“Severity Level”)
- Description of all causes which could lead to the Impact Event (“Initiating Causes”)
- Estimate of frequency of all Initiating Causes (“Initiation Likelihood”)
The Severity Level may be expressed in semi-quantitative terms, linked to target Mitigated Event Likelihoods
expressed as target frequency ranges (analogous to tolerable risk levels), as shown in Table 4; or it may be
expressed as a specific quantitative estimate of harm, which can be referenced to F-N curves.
|
Severity
Level
|
Consequence
|
Target Mitigated Event
Likelihood
|
|
Minor
|
Serious injury at worst
|
No specific requirement
|
|
Serious
|
Serious permanent injury
or up to 3 fatalities
|
< 3E-6 per year, or
1 in > 330,000 years
|
|
Extensive
|
4 or 5 fatalities
|
< 2E-6 per year, or
1 in > 500,000 years
|
|
Catastrophic
|
> 5 fatalities
|
Use F-N curve
|
|
Table 4 - Example Definitions of Severity Levels and Mitigated Event Target Frequencies
Similarly, the Initiation Likelihood may be expressed semi-quantitatively, as shown in Table 5; or it may be
expressed as a specific quantitative estimate.
|
Initiation Likelihood
|
Frequency Range
|
|
Low
|
< 1 in 10,000 years
|
|
Medium
|
1 in > 100 to 10,000 years
|
|
High
|
1 in ≤ 100 years
|
|
Table 5 - Example Definitions of Initiation Likelihood
The strength of the method is that it recognises that in the process industries there are usually several layers of
protection against an Initiating Cause leading to an Impact Event. Specifically, it identifies:
General Process Design. There may, for example, be aspects of the design that reduce the
probability of loss of containment, or of ignition if containment is lost, so reducing the probability of a fire or explosion event. Basic Process Control System (BPCS). Failure of a process control loop is likely to be one of the
main Initiating Causes. However, there may be another independent control loop that could
prevent the Impact Event, and so reduce the frequency of that event. Alarms. Provided there is an alarm that is independent of the BPCS, sufficient time for an
operator to respond, and an effective action to take (a “handle” to “pull”), credit can be taken for
alarms to reduce the probability of the Impact Event up to a RRF of 10. Additional Mitigation, Restricted Access. Even if the Impact Event occurs, there may be limits on
the occupation of the hazardous area (equivalent to the F parameter in the risk graph method), or
effective means of escape from the hazardous area (equivalent to the P parameter in the risk
graph method), which reduce the Severity Level of the event. Independent Protection Layers (IPLs). A number of criteria must be satisfied by an IPL to be
assured that it is genuinely independent of other protective layers and achieves RRF ≥ 10. Relief
valves and bursting disks usually qualify for RRF ≥ 100.
Based on the Initiating Likelihood (frequency) and the PFDs of all the protection layers listed above, an
Intermediate Event Likelihood (frequency) for the Impact Event and the Initiating Event can be calculated. The
process must be completed for all Initiating Events, to determine a total Intermediate Event Likelihood for all
Initiating Events. This can then be compared with the target Mitigated Event Likelihood (frequency). So far no
credit has been taken for any SIF. The ratio:
(Intermediate Event Likelihood) / (Mitigated Event Likelihood)
gives the required RRF (or 1/PFD) of the SIF, and can be converted to a required SIL using Table 1.
Alternatively the inverse ratio
(Mitigated Event Likelihood) / (Intermediate Event Likelihood)
gives the required PFD of the SIF that can be converted to a required SIL using Table 1.
Examples of LOPA
Compressor (as shown in Figure 8)
Figure 8 - Example of overpressure protection for a compressor driven by a gas turbine
Pipeline
The Pipeline studied contained a liquid that would evaporate if released and had Passive Fire Protection
(PFP). Two of the impact events considered were Jet Fires and a Boiling Liquid Expanding Vapour Explosion
(BLEVE). Some of the results of the LOPA are shown in Table 7.
Discussion of all three methods
QRA
Page 31 of R2P25 states that “The use of numerical estimates of risk by themselves can, for several reasons .
.., be misleading and lead to decisions which do not meet adequate levels of safety. In general, qualitative
learning and numerical estimates from QRA should be combined with other information from engineering and
operational analyses in making an overall decision.”
Fault Trees, Event Trees and RBDs are very valuable in showing relationships between different parts of the
process, the BPCS and the protection systems. However, there are difficulties in obtaining good data for all
the relevant failure modes as many business sector reliability databases have not been maintained. Therefore
numerical estimates of risk will take the form of a range and judgement will be required to assess a realistic figure.
The problems with the data also apply if LOPA is used for quantitative assessments.
Risk Graphs
The implications of the issues highlighted by W G Gulland at SSS042 are:
Risk graphs are very useful but imprecise tools for assessing SIL requirements. (It is inevitable
that a method with 5 parameters – C, F, P, W and SIL – each with a range of an order of
magnitude, will produce a result with a range of 5 orders of magnitude.) They must be calibrated on a conservative basis to avoid the danger that they under-estimate the
unprotected risk and the amount of risk reduction / protection required. Their use is most appropriate when a number of functions protect against different hazards, which
are themselves only a small proportion of the overall total hazards, so that it is very likely that under
-estimates and over-estimates of residual risk will average out when they are aggregated. Only in
these circumstances can the method be realistically described as providing a “suitable” and
“sufficient”, and therefore legal, risk assessment. Higher SIL requirements (SIL2+) incur significant capital costs (for redundancy and rigorous
engineering requirements) and operating costs (for applying rigorous maintenance procedures to
more equipment, and for proof-testing more equipment at higher frequencies, and to rigorously
gather and analyse performance data). They should therefore be re-assessed using a more refined method.
LOPA
The LOPA method has the following advantages:
It can be used semi-quantitatively or quantitatively. Used semi-quantitatively it has many of the same advantages as risk graph methods.
Used quantitatively the logic of the analysis can still be developed as a team exercise, with the
detail developed “off-line” by specialists. It explicitly accounts for risk mitigating factors, such as alarms and relief valves, which have to be
incorporated as adjustments into risk graph methods (e.g. by reducing the W value to take credit
for alarms, by reducing the SIL to take credit for relief valves). A semi-quantitative analysis of a high SIL function can be promoted to a quantitative analysis
without changing the format. It can assist in all the team members obtaining and sharing a full appreciation of the issues and
uncertainties associated with the hazardous event(s).
Conclusions
To summarise, the relative advantages and disadvantages of these methods are shown in Table 8, and as can
be seen from Table 8 there is no ideal candidate to cover all requirements - an assessment has to be made
as to the most appropriate method for a specific requirement. Should the total number of functions requiring
assessment be small (< 10) and acceptable reliability data available then our experience would be to apply
LOPA in a semi-quantitative manner. However on new installations the number of functions identified in the
HAZOP as requiring a SIF can be very large requiring the involvement of critical people in a team activity over
a considerable period of time. Sufficient time for this is a rare commodity these days and, in such a situation,
we would recommend the use of risk graphs initially for all required functions (approx. 25 functions assessed
per day on average) and then repeat the assessment using LOPA for those functions assessed as ≥ IL2
(approx. 5 functions assessed per day on average).
Whatever process of analysis is applied they all require a corporate risk policy defining what risk level is
deemed acceptable from both individual and societal perspectives – a politically sensitive decision has to be
agreed within any business organisation, with an acute awareness of the perception of risk held by the general public.
Whilst the standards IEC 61508/61511 only relate to Safety of people there is little doubt that the
Environmental agencies will require businesses focus to improve the environment whilst stake-holders will
require similar attention to commercial performance.
References
2003, BS IEC 61511 Functional safety - Safety instrumented systems for the process industry
sector. Gulland, W. G., 2004, Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and
Cons, Proceedings of the Safety-Critical Systems Symposium - February 2004. 1996, Application of Safety Instrumented Systems for the Process Industries, Instrument Society of
America Standards and Practices, ANSI / ISA-SP 84.01-1996. 1998 - 2000, BS IEC 61508, Functional safety of electrical / electronic / programmable electronic
safety-related systems 2001, Reducing risks, protecting people – HSE’s decision making process, (R2P2), HSE Books,
ISBN 0-7176-2151-0 Smith, D. J., 2001, Reliability, Maintainability and Risk, 6th Edition, ISBN 0-7506-5168-7
2001, Layer of Protection Analysis – Simplified Process Risk Assessment, American Institute of
Chemical Engineers, ISBN 9-780816-908110
|
