Staying safe

Ratko Posta, Flowserve GESTRA AG, Germany, focuses on flow control safety design and safety integrity levels.

Reprinted from March 2011 | HydrocarbonEngineering |

Integrating safety procedures into the technical design, development, operation and maintenance of flow control equipment protects people, increases uptime and improves the reliability of associated production processes. Fundamental to the enabling of complex technology used for safety related systems, 'functional safety' provides a methodology for ensuring that safety related systems will reduce the risk of a hazardous event. The oil and gas, nuclear power, chemical and many other industries rely heavily on functional safety to achieve safe environments within their facilities.

The International Electrotechnical Commission (IEC) standard 61508 defines appropriate means for achieving functional safety in the systems it covers, in order to ensure they provide adequate protection against significant hazards. This article introduces and highlights the key concepts of this safety standard, including: functional safety design and evaluation, safety integrity and safety integrity levels. The article touches on organisational and certification aspects of IEC 61508 and the SIL determination of multiple safety subsystems.

Good flow control system design incorporates operational safety, which is comprised of multiple safety standards. Examples of these safety standards include:

Fire and heat protection.
Flow and leakage protection.
Electric shock and electromagnetic interference protection.
Radiation and toxic substance protection.
Crash protection.

Functional safety is an increasingly important aspect of operational safety considerations in a variety of flow control applications and is becoming a requirement in oil and gas, petrochemical, chemical and power plants.

Functional safety is defined in IEC 61508, the standard for Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems. The aim of functional safety design is to assure that safety instrumented functions (SIF) will sufficiently protect against physical injury, damage to property and environmental hazards. SIF also enhance the bottom line by helping to lower plant and production risks and related costs within organisations.

Examples of SIF in flow control systems include:

Built in self test functionality in valve actuators.
Failsafe fluid level sensing configurations, with multiple measurement points and redundant measuring circuits.
Distributed digital controllers with enhanced fault tolerance, safety fieldbus communication protocol, fault tolerant network topology, and emergency shutdown switches.

The scope of SIFs can be extended from a single component to a complex safety process, ensuring the correct operation of entire flow control systems. Overall safety functions are typically provided by a safety instrumented system (SIS). These safety functions may incorporate safe management of possible operator errors and may lower the overall risk of environmental influences such as loss or buildup of heat. The increased system protection is often coupled with an increased level of automation, which in turn improves system performance while decreasing operational costs through increased uptime, reliability and product quality.

To describe the extent of the risk reduction from implemented SIFs, the term safety integrity level (SIL) is commonly used. The four discrete SILs describe the performance of safety functions. Generally speaking, the higher the SIL, the more available the safety functions will be to better detect and control a system failure.

The application of the SIL standard in flow control systems rests on the concept of the safety lifecycle. This lifecycle starts from concept design and runs through hazard and risk analysis, specification, implementation, operation, maintenance and decommissioning. There are functional safety requirements for each phase of the flow control system life cycle.

Moreover, the IEC safety standard requires that companies involved in safety system design, manufacturing and operation initiate and certify a specific functional safety management (FSM) system. The specific FSM requirements usually go beyond the company's basic quality management system, including ISO 9000. This high standard helps reduce the risk to processes and personnel within organisations.

Categorisation

Quantitative and qualitative evaluation of fault causality, as well as effective error control functionality, can help anticipate potentially dangerous failures, preserving the integrity of the process. The statistical and testing evaluation methods outlined in the IEC standard require several safety function analyses, which address architectural constraints, failure modes, and average system failure probability.

The IEC safety standard includes anticipated dangerous failure rates and mean downtime as key factors for determining average safety function unavailability. The IEC functional safety assessment attempts to predict the likelihood that an evaluated safety function is performing satisfactorily. The standard distinguishes two operating modes related to safety function availability.

Low demand mode

Low demand operating mode is considered when the safety related function is needed less than once a year and not more than twice the proof test frequency. For the low demand mode, the average system unavailability is always derived from the probability of failure on demand (PFD) value. The PFD reciprocal is also called the risk reduction factor (RRF). An average probability of failure on demand (PFDav) is derived from the dangerous undetected failure rate and the required proof test interval.

Figure 1. The average probability of a failure for a simple control loop, PFDsys.

Safety integrity standards require that a safety system operates within the defined PFDav limits over the entire proof test interval. However, shorter proof test intervals require higher involvement of human proof testing, leading to an increased probability of human error.

Table 1. Average Probability of Failure on Demand (PFDav) and Average Probability of Failure Per Hour (PFHav) by Safety Integrity Level

SIL | Probability of failure on demand (low demand) PFDav [1 failed unit] | Frequency of dangerous failures per hour (high demand) PFHav [h^-1]
1 | 10^-2 to 10^-1 | 10^-6 to 10^-5
2 | 10^-3 to 10^-2 | 10^-7 to 10^-6
3 | 10^-4 to 10^-3 | 10^-8 to 10^-7
4 | 10^-5 to 10^-4 | 10^-9 to 10^-8

High demand mode

High demand mode is given when the frequency of demands for operation of the safety function will be greater than one per year or when its demand interval is less than half of the proof test interval duration. When the system is operated in high demand mode, the functional safety evaluation considers an average probability of failure per hour (PFHav) rather than PFDav. Thus, system integrity is defined by the number of dangerous failures per hour and not by system unavailability. Table 1 classifies safety integrity levels in accordance with the hazard units PFDav and PFHav.

In addition to PFD and PFH, the IEC 61508 standard assesses architectural requirements for determining a safety related system integrity level. Depending on the safety system hardware fault tolerance (HFT) and device complexity category, the safe failure fraction (SFF) is another decisive parameter to determine the safety integrity level. Table 2 describes the relation between HFT and SFF, which differs for safe system complexity types A and B.

Table 2. The SIL and the corresponding SFF ranges due to the HFT and complexity types

Type A: SFF / HFT | HFT 0 | HFT 1 | HFT 2
< 60% | SIL 1 | SIL 2 | SIL 3
≥ 60%, < 90% | SIL 2 | SIL 3 | SIL 4
≥ 90%, < 99% | SIL 3 | SIL 4 | SIL 4
≥ 99% | SIL 3 | SIL 4 | SIL 4

Type B: SFF / HFT | HFT 0 | HFT 1 | HFT 2
< 60% | not allowed | SIL 1 | SIL 2
≥ 60%, < 90% | SIL 1 | SIL 2 | SIL 3
≥ 90%, < 99% | SIL 2 | SIL 3 | SIL 4
≥ 99% | SIL 3 | SIL 4 | SIL 4

The SFF value is defined as the ratio of the safe failure rate to the total failure rate. For example, an SFF value of 97% states that only 3% of all system faults cannot be identified and controlled by the system, excluding failures that will not impact the overall system safety.
Functional safety related systems often contain redundant channels. This architectural constraint, along with additional error diagnostics, may increase the system's HFT and can significantly increase the SFF. There exist a number of redundant architectures that are characterised by a combination of channels and operating modes, as explained in Table 3.

Table 3. Operation principles of some of the most typical safety systems architectures

MooN fail safe voting logic | N independent input channels CN | M logic solver tiers needed to trip
1oo1 | 1 | 1
1oo1D | 1 | 1
1oo2 | 2 | 1
1oo2D | 2 | 1
1oo3 | 3 | 1
2oo3 | 3 | 2

(The fourth column of the original table, the input channel, diagnostic and logic solver arrangement, is a diagram and is not reproduced here.)

Table 3 illustrates several fault tolerant architectures. In flow control systems these SIS architectures are implemented by means of multiple sensors, standby actuators and self monitoring controllers. Duplication and comparison of self replicating control channels and channel diagnostics are widely applied in the design of digital controllers and distributed control systems. They ensure higher error detection rates and support fault tolerant control functions. For example, the one out of two diagnostic architecture (1oo2D) increases safety by continuous monitoring and by comparing the results of redundant units.

A comparison of two functional safety systems based on 1oo1 and 1oo2D architectures results in very different probabilities of failure, leading to significantly different SFF and RRF values. The 1oo2D arrangement switches into a dangerous state only when both channels fail and neither error diagnostic unit detects these failures. Especially in cases of a high diagnostic coverage factor and short test and repair intervals, the calculated safety and the availability of such a sophisticated 1oo2D architecture prove to be superior.

In addition to the above mentioned relevant safety parameters, the IEC 61508 safety standards describe other values considered for risk analysis and certification purposes. An alternative failure rate measure is mean time to failure (MTTF). It has a reciprocal relation to the total system failure rate. The system's mean time between failures (MTBF) can be calculated directly from the MTTF parameter by adding the mean time to repair detected failures (MTTR) to the MTTF interval. In low demand mode applications MTTF is usually much higher than the MTTR. In this operation mode MTBF is therefore similar to the MTTF value.

Safety device lifetime expectancy is a significant parameter for reliable implementation and operation of functional safety systems. As the SIL rating invariably declares a constant failure rate, wear out and ageing must have only minor impact within the considered lifetime interval. A common way to estimate such an interval includes component evaluations and their impact on the safety system characteristics, assuming worst case scenarios. The aforementioned proof test time interval can also significantly impact the lifetime expectancy. Due to its importance for safe system planning and operation, for every SIL classified product a product lifetime should be documented in the product safety manual.

Figure 2. A flow control system with additional protection layers.

In addition to functional safety design and analysis for new products, existing control products can be tested for a proven in use functional safety designation. The safety system is tested extensively and must stay below a specific failure rate in order to reach a confidence level (CL). Functional safety evaluations are typically stated for confidence levels of 90%, 95% or 99%. However, the confidence sample size calculation is sometimes not the only criterion for testing.

Components of flow control systems, sensors, controllers, valves and pumps, are selected in accordance with their SIL level and in combination with required service proof intervals and life expectancy. The overall safety for such control applications can be calculated from the values of every single system component. This safety integrated level is called the overall safety of the control loop. The IEC 61508 standard considers a safety integrity level only in association with a specific safety function and with the related safety loop.
The average probability of a failure for the entire control loop is defined as PFDsys. All components that actively protect the control system must be taken into consideration for the PFDsys calculation. A typical control loop configuration containing a sequence of sensing, controlling and actuating instruments is shown in Figure 1. PFDsys related to such a control loop is calculated as the total PFDav sum from all the individual safety instruments in that loop.

PFDsys in Figure 1 is the sum of the average probabilities of the individual components: the sensing element, signal transmitter, controller, electro pneumatic converter and pneumatic valve. So, the PFDsys in such a sequential control loop structure is mostly influenced by the highest subsystem PFDav.
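As an added example, not from the article or from GESTRA, the Python below strings the article's quantities together for the loop of Figure 1: PFDav per component from the dangerous undetected failure rate and the proof test interval (using the simplified IEC 61508-6 single-channel formula lambda_DU * T / 2, an assumption, since the article states no formula), SIL lookup per Table 1, SFF and the architectural constraint of Table 2, PFDsys as the sum over the loop and RRF as its reciprocal. The failure rates are constructed sample values and the "sd/su/dd/du" keys are my own naming.

```python
# Table 1 (low demand): PFDav upper bound of each SIL band, as given in the article.
PFD_UPPER = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}
# Table 2: SIL reachable for (SFF band, HFT) per device type; 0 means "not allowed".
# SFF bands: 0 = <60%, 1 = 60%..<90%, 2 = 90%..<99%, 3 = >=99%.
ARCH_SIL = {"A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
            "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]}

def pfd_avg_1oo1(lambda_du, proof_test_interval_h):
    """Assumed simplified IEC 61508-6 single-channel formula PFDav ~ lambda_DU * T / 2;
    the article only says PFDav follows from lambda_DU and the proof test interval."""
    return lambda_du * proof_test_interval_h / 2.0

def sil_from_pfd(pfd):
    """Classify a low demand PFDav per Table 1; 0 means worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        if pfd < PFD_UPPER[sil]:
            return sil
    return 0

def safe_failure_fraction(lambda_sd, lambda_su, lambda_dd, lambda_du):
    """SFF: safe plus dangerous-detected failure rate over the total failure rate."""
    total = lambda_sd + lambda_su + lambda_dd + lambda_du
    return (lambda_sd + lambda_su + lambda_dd) / total

def sil_from_architecture(sff, hft, device_type):
    """Architectural constraint of Table 2; an HFT above 2 is treated as 2."""
    band = 3 if sff >= 0.99 else 2 if sff >= 0.90 else 1 if sff >= 0.60 else 0
    return ARCH_SIL[device_type][band][min(hft, 2)]

def loop_sil(components, proof_test_interval_h):
    """Sequential loop as in Figure 1: PFDsys is the sum of component PFDav values,
    RRF = 1 / PFDsys, and the loop SIL is limited by PFDsys (Table 1) and by the weakest
    subsystem's architectural constraint (Table 2). The 1oo1 formula is applied per
    component, which is conservative for subsystems with HFT > 0."""
    pfd_sys, arch_sil = 0.0, 4
    for c in components:
        pfd_sys += pfd_avg_1oo1(c["du"], proof_test_interval_h)
        sff = safe_failure_fraction(c["sd"], c["su"], c["dd"], c["du"])
        arch_sil = min(arch_sil, sil_from_architecture(sff, c["hft"], c["type"]))
    return pfd_sys, 1.0 / pfd_sys, min(sil_from_pfd(pfd_sys), arch_sil)

# Constructed sample loop (illustrative failure rates per hour, not vendor data):
# sensing element, signal transmitter, controller, electro pneumatic converter, valve.
SAMPLE_LOOP = [
    {"sd": 3e-7, "su": 1e-7, "dd": 1.5e-7, "du": 5e-8, "hft": 0, "type": "A"},
    {"sd": 1e-7, "su": 1e-7, "dd": 1e-7, "du": 2e-8, "hft": 0, "type": "B"},
    {"sd": 5e-7, "su": 1e-7, "dd": 4e-7, "du": 1e-8, "hft": 1, "type": "B"},
    {"sd": 1e-7, "su": 2e-7, "dd": 0.0, "du": 4e-8, "hft": 0, "type": "A"},
    {"sd": 2e-7, "su": 3e-7, "dd": 0.0, "du": 2e-7, "hft": 0, "type": "A"},
]
```

Calling loop_sil(SAMPLE_LOOP, 8760) for a one-year proof test interval gives PFDsys of about 1.4e-3, RRF of about 713 and SIL 2, with the pneumatic valve's PFDav dominating PFDsys, as the article notes for sequential loops.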
In addition to the safety instrumentation design, technical risk reduction can be achieved by other means of failure protection. Figure 2 represents a flow control application with various layers of protection, which all together contribute to the overall risk reduction. Figure 2 illustrates five independent protection layers, all of which should be considered when looking for measures to reduce the risk of a dangerous failure. The depicted fault protection layers all refer to a system's extension, whereas only the SIS functions add the integrated SIF with the aim to recognise and to control common faults.

Conclusion

This article described some of the most relevant issues for safety instrumented flow control applications that can be derived from the generic safety systems guidance postulated in the IEC 61508 specification and applied in a safety related product design.

Integrating safety procedures in the technical design, development, operation and maintenance of safety functions helps increase uptime and protect flow control systems and people. Hazard identification, risk assessment and facility hazard analysis heighten awareness of the occurrence of likely hazards and enable evaluation of the possible risk to the process should a hazard occur. Safety integrity design requirements and safety functions can be combined to provide a tolerable level of risk.

The safety level of a component, and of the entire system, is an internationally accepted quantitative evaluation in safety-related electrical, electronic, and programmable electronic systems.
