SIL verification – PFD or PFH – how to decide?


Jon Keswick, CFSE
February 27, 2020. Last updated on August 19, 2022.

About the author: Jon Keswick is a Certified Functional Safety Expert (CFSE) and founder of eFunctionalSafety.

This blog will help if you have ever attempted a SIL verification probability of failure calculation of a safety function. A safety integrity level (SIL) verification is required for compliance with IEC 61511 / ISA 61511 in the process sector and in IEC 62061 projects in the machinery sector. In this blog, we'll outline why there are calculations called PFD and PFH for different modes of operation.

Limitations of SIL verification

At the outset, let's be clear that probability of failure calculations are far from an exact science. Calculating a probability does not make the outcome accurate, especially if the assumptions are incomplete or if the underlying data is flawed. So, a probability of failure calculation aims to ensure that safety functions result in sufficient integrity, not to calculate a precise number. Estimates should always be as realistic as possible and err on the conservative side.

Get the safety requirements specification (SRS)

The Safety Requirements Specification (SRS) must be the starting point for any SIL verification probability of failure calculation exercise. Requirements for each safety function provide a vital link to the hazard and risk analysis. If completed correctly, the SRS will specify what each safety function must achieve, including what to sense and actuate to achieve or maintain a safe state. The SRS is also the primary reference source for the SIL target and other critical performance factors like required response and reaction time. In the early stages of design, the SRS may not specify the actual equipment or even the required level of redundancy. It is commonplace for there to be several updates of the SRS following SIL verification at multiple stages in design.

Select a modelling method and tool

The analyst must decide on a calculation method to complete a SIL verification. Below are the most common methods used in industry today.

- Simplified equations such as those published in IEC 61508-6.
- Reliability block diagram (RBD) modelling tools such as Isograph RBD.
- Fault tree analysis tools such as Fault Tree Analyser or Isograph FTA.
- Specialist SIL verification tools such as aeSolutions aeShield or exida exSILentia for process application PFD calculations.
- Performance Level (*PL) calculation tool SISTEMA for machinery safety PFH calculations.

*Note that the term Performance Level (PL) is used in some machinery safety applications as specified in ISO 13849-1. Each PL can be approximately mapped to an equivalent SIL.

Every method has positives and negatives, but with higher integrity requirements (higher SIL), analysts should adopt a more rigorous approach or use multiple methods. Calculating the most common SIL 1 safety function designs is possible using simplified equations provided in basic safety standard IEC 61508 part 6. A good source for safety function equations, RBD and fault trees is ISO/TR 12489:2013. Sadly, very few of the above items are free, so it is wise to choose carefully or get a specialist company to provide support.

Find conservative failure data

Failure rates of equipment items are the source information needed for any PFD or PFH calculation. A good reference source is important. Some good industry reference sources are provided below:

- Offshore Reliability Database (OREDA)
- exida safety automation equipment list

Agree on all assumptions

It is an excellent idea to develop a checklist to agree on the assumptions for the calculations. Consider the following questions as a starting prompt:

- Which standard or code is being followed?
- How will you demonstrate Systematic Capability?
- What is the maintenance regime and mean repair/restoration times in the case of failure?
- Is there an optimum proof test interval to tie in with turnarounds?
- What proof test coverage will you expect by equipment type?
- How will you estimate common cause for any redundant elements?
- What is the required service life or mission time?

Completing the SIL verification

Completing the SIL verification exercise may involve several calculation stages, safety requirement specification update and re-calculation as the design matures and equipment selection occurs for a new-build project. If you are already operating a safety system, you can complete the calculations based on the installed equipment. If field failure rate data is available, then you should use that in preference to other data sources.

The conclusion of a SIL verification calculation requires that the resulting PFD or PFH for each safety function meets the target set in the SRS. The target may be simply a SIL band, in which case the PFD or PFH is technically only required to meet the minimum requirement in that band. If the target is a numerical value, the PFD or PFH achieved must be LOWER than this value.

The SIL verification exercise is not fully complete until other factors have also been considered, including hardware fault tolerance and systematic capability.

FAQs

What does SIL stand for?
Safety Integrity Level (SIL) is now somewhat familiar to most process plants with hazards requiring independent protection layers. When correctly applied, a SIL requirement from SIL 1 to SIL 4 can be assigned to an end-to-end safety function to provide a marker of the level of integrity required for equipment hardware and software concerning the risk of a given hazard; SIL 1 being the lowest integrity and SIL 4 the highest.

Why is SIL verification needed?

Equipment designed for automatically sensing and reacting to hazards can be created and employed in many applications. Typical process industry applications include emergency shutdown or trip systems that prevent potentially dangerous pressure, temperature or level conditions from escalating. For hazardous machinery, automated safety functions detect human proximity and bring about a safe state to protect workers from harm. Whatever the application, the hazard owner should decide the SIL target for each safety function. This process is known as SIL determination or SIL selection. A PFD or PFH calculation is required to demonstrate that each safety function can meet random failure targets.

PFD and PFH

PFD = Probability of Failure on Demand
PFH = Probability of Failure per Hour

Why are there two different types of calculation: PFD and PFH?

There are two calculation methods due to the different MODES OF OPERATION defined for a safety function: LOW DEMAND MODE and HIGH DEMAND / CONTINUOUS MODE.

Is PFD or PFH the only thing that needs to be demonstrated for SIL?

The answer to this is an emphatic NO! PFD/PFH calculations are only a part of a much larger picture.

MODE of operation

Put simply, this is the way (mode) in which a safety function operates. Examples follow in the definitions below.

LOW DEMAND MODE

As the name indicates, this is where the end application of a safety function gets called upon very INFREQUENTLY. The standards define low demand mode as a maximum frequency of demands no greater than once per year. LOW DEMAND MODE safety functions require a Probability of Failure on Demand (*PFD) calculation. These are common in process industry applications.

*Note: The technically correct term is PFDavg, where "avg" is the abbreviation for "average".

HIGH DEMAND MODE

This is where a safety function still works on demand, but the frequency of demands is greater than once per year. HIGH DEMAND MODE safety functions require a Probability of Failure per Hour (*PFH) calculation.

*Note: PFH is more accurately known as PFHD in machinery safety standards IEC 62061 and ISO 13849-1.

CONTINUOUS MODE

Note that the word "demand" does not appear in this case. This type of safety function is continuously operating to retain a safe state. CONTINUOUS MODE safety functions require a Probability of Failure per Hour (*PFH) calculation.

*Note: PFH is more accurately known as PFHD in machinery safety standards IEC 62061 and ISO 13849-1.
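The mode-of-operation decision and the target check described above, as an added example that is not from the original article: it picks PFD or PFH from the demand rate, evaluates a single-channel (1oo1) function from the agreed assumptions, and compares the result with the SIL band or a numeric target. The formulas are the commonly used simplified 1oo1 approximations, the band limits are those of IEC 61508-1, and all names and the sample failure data are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Upper limit of each SIL band (IEC 61508-1): PFDavg is dimensionless, PFH is per hour.
BAND_LIMIT = {"PFD": {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4},
              "PFH": {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}}

@dataclass(frozen=True)
class Assumptions:              # the agreed assumptions for one 1oo1 channel
    lambda_du: float            # dangerous undetected failure rate, per hour
    lambda_dd: float            # dangerous detected failure rate, per hour
    test_interval_h: float      # proof test interval, hours
    test_coverage: float        # proof test coverage, 0..1
    mission_time_h: float       # service life / mission time, hours
    mttr_h: float               # mean time to restoration, hours

def select_metric(demands_per_year=None, continuous=False):
    """Low demand (no more than once per year) -> PFD; high demand or continuous -> PFH."""
    if continuous:
        return "PFH"
    if demands_per_year is None or demands_per_year < 0:
        raise ValueError("a demand-mode function needs a non-negative demand rate")
    return "PFD" if demands_per_year <= 1 else "PFH"

def pfd_avg_1oo1(a):
    """Simplified 1oo1 PFDavg: tested part + part never revealed by proof test + repair."""
    tested = a.test_coverage * a.lambda_du * a.test_interval_h / 2
    untested = (1 - a.test_coverage) * a.lambda_du * a.mission_time_h / 2
    return tested + untested + a.lambda_dd * a.mttr_h

def pfh_1oo1(a):
    """Simplified 1oo1 PFH, assuming detected failures lead to the safe state."""
    return a.lambda_du

def verify(a, sil, demands_per_year=None, continuous=False, numeric_target=None):
    """Return (metric, achieved, passed); a numeric target overrides the SIL band limit."""
    metric = select_metric(demands_per_year, continuous)
    achieved = pfd_avg_1oo1(a) if metric == "PFD" else pfh_1oo1(a)
    limit = BAND_LIMIT[metric][sil] if numeric_target is None else numeric_target
    return metric, achieved, achieved < limit

# Constructed sample data, not taken from any database or datasheet.
SAMPLE = Assumptions(lambda_du=2e-6, lambda_dd=1e-6, test_interval_h=8760,
                     test_coverage=0.9, mission_time_h=131400, mttr_h=24)

if __name__ == "__main__":
    print(verify(SAMPLE, sil=2, demands_per_year=0.1))                  # 90 % coverage
    print(verify(replace(SAMPLE, test_coverage=1.0), sil=2, demands_per_year=0.1))
    print(verify(SAMPLE, sil=1, demands_per_year=12))                   # high demand
```

With the constructed data, the same hardware meets the SIL 2 band at 100 % proof test coverage but not at 90 %, which is why the coverage assumption has to be agreed before the calculation.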


