Design of SIS, Control Systems and Instrumentation Systems
New Excel tool for SIL verification of safety instrumented functions.
It calculate the SIL according to IEC-61508 of both simple and complex SIF, taking into account the three requirements of the Standard (systematic capability, failure probability and architectural constraints).
It allows all types of architectures and incorporates macros in VBA to compare SIFs, generate various types of reports and other functions.
We provide different training courses in the area of instrumentation and control.
Design of SIFs and SIL calculation. Very practical course focused on the design of safety instrumented functions and comparison of solutions according to cost and technical requirements. You learn the efficient use of the SILcet tool developed by us and include many practical examples including how to make the upgrading of old safety systems.
Practical design of the control system. It is a course provided by ISA Spain, developed by PLCdesign and other automation manufacturers that collaborate with ISA.
We offer different engineering services within the area of instrumentation and control, such as:
More info on the Enertria website
-Bid generator: Excel to compare, analyze and automatically generate the usual documents of an offer. Designed mainly for suppliers of Solutions (Automation, Mechanical, etc.)
-Cabinet Layout: Excel to design the internal layout of the components of any electrical or control cabinet. Designed mainly for panel builders and system integrators
-IO Builder: Excel to distribute the simple and redundant I / O signals of any control system. Designed for System Integrators.
Why Cpt is so important? In the process industry when we calculate the Probability of Failure on Demand (PFDavg) of a Safety Instrumented Function (SIF) we use equations of the following type: “Cpt” parameter is one of the most important and often is not paid much attention. “Cpt” (Proof Test Coverage) parameter is defined in IEC-61511 as follows: “Periodic test performed to detect dangerous hidden faults in a SIS so that, if necessary, a repair can restore the system to an as new condition or as close as practical to this condition.” These tests must be done every TI hours to try to detect the dangerous failures (DU) that have not been detected by the automatic diagnostics implemented in the SIS. The greater the effectiveness of these tests, the greater the value of Cpt. We find with certain frequency valve manufacturers that calculate the PFDavg with a Cpt value of 100% which is impossible in reality, especially in the case of the final elements. The impact of the value of Cpt on the result of the PFDavg, and therefore on the SIL achieved, can be enormous in many cases. By using one of the calculation functions of the SILcet tool we have made some examples that can illustrate us. EXAMPLE 1: Let’s suppose an architecture of the SIF as shown in the image. The result is as follows. We have calculated 12 values of PFDavg reducing, in steps of 2%, the initial value of Cpt = 90% of the actuator subsystem. The first value corresponds to the starting point (90%) and we observe how we pass from the SIL-2 zone to the SIL-1 zone when reducing the Cpt value. In a case like this, a difference of 5-10% in the Cpt can change completely the result. EXAMPLE 2: Suppose a SIF architecture similar to the previous one. We use the same components except in the final element because in this case we have supposed much lower failure rates. In this case DU =700 FITS instead of the 3000 FITS of the previous case. We also start from Cpt = 90% in the actuator and we are reducing its value in steps of 2%. In this case we see that the impact of modifying Cpt towards more realistic values is not so great because we have selected a final element with much lower DU failure rates. CONCLUSION It is very important to define correctly the procedure of proof tests that we are going to carry out in the Safety Functions and that will give us what value of Cpt we should use in the calculations of PFDavg. In general, we should not accept Cpt values of 100% as they are not realistic. In the case of final elements, if we do not know its value, it is advisable to be conservative and use values around 65-75%. The most advisable is to use some method to evaluate the failure modes, quantifying the failure rates by type (SD / SU / DD / DU) and the percentages detectable with the proof tests that we are going to perform. The manufacturer’s support in this task is important. Calculating with very high Cpt values that have not been analysed correctly can lead us to erroneous achieved SIL values. From version 4.1.1 of SILcet we have included a simple Excel to calculate the Cpt value of the actuator subsystem.
Dangerous failures of the SIS When calculating Probability of Failure of a Safety Instrumented Function (SIF), the most important are the dangerous failures, as we see in the following equations of 1oo1 and 1oo2 architectures. The value Lambda DD is the rate of dangerous detected failures, and Lambda DU corresponds to the undetected ones. We can break down dangerous failures into 4 groups: DD failures: these are the dangerous failures detected by the product diagnostics, i.e., by the diagnostics integrated by the manufacturer of the safety PLC, transmitter, positioner, etc. In the valves, being mechanical elements, we do not have product diagnostics. DU failures convertible to DD: these are the dangerous failures not detected by the automatic diagnostics, but that can be detected if we implement some application diagnostic in the SIF. Typical cases are, for example, the detection if analog signal is out-of-range or the PST test (Partial Stroke Test) on the safety valves. DU1 failures: are dangerous failures not detected by the automatic diagnostics, but that we detect in the manual tests (proof tests) made to the SIF every TI hours (Test Interval). The greater the effectiveness of these tests, the higher the value of the Cpt (coverage proof test), which is very important parameter in the formulas to calculate the failure probability. DU2 failures: are the dangerous failures that we never detect, neither with the automatic diagnostics nor in the manual tests. These are “hidden” faults that do not show up in tests and that can be very diverse in nature. Keep in mind that the tests we must perform periodically to all safety functions are never perfect. Therefore, we can define the “effectiveness of the tests” in the following way: Cpt = DU1 / (DU1 + DU2) In the process industry this value varies, between 70 and 95% in the subsystems SENSOR and LOGIC SOLVER, and between 40 and 95% in the ACTUATOR subsystem. Go deeper into these and many other concepts in our RECOMMENDED “online” COURSE on Functional Safety: “Design of SIFs and SIL calculation”
The importance of diagnostics in the SIS The diagnostics in an Safety Instrumented System (SIS) are of crucial importance because they are the key to reduce the rates of undetected dangerous failures and, therefore, to reduce the probability of failure on demand (PFD / PFH) and increase the SIL. We can see it in the following 2 equations (used in SILcet), for the 1oo1 and 1oo2 architectures, which are used to calculate the Probability of Failure and the SIL achieved. The objective of the diagnostics is to detect any internal failure in a component. What they do is to monitor the correct operation of the devices that intervene in a SIF (safety instrumented function). We can classify the diagnostics in 2 types: Product diagnostics or self-diagnostics. They are those that come integrated from factory with the product (sensors, PLC, final elements). In the safety PLCs the self-diagnostics are very high, in certified 4-20 mA transmitters they are high. It is in the final elements of the SIF that, depending on the type, we can find certified products without product diagnostics (as in shut off valves) because they are usually purely mechanical elements. Application diagnostics. They are additional diagnostics of each specific application. They are not always necessary because it depends on many factors, but for SIL-2 and 3 levels they can be essential to meet the required SIL. To implement them we will need to add some software routines in the PLC and, sometimes, also external wiring to the PLC and some additional hardware components (limit switch, valve positioner, line monitoring resistor, transmitter, DO feedback to DI, etc.) Some practical examples of this type of diagnostic: 4-20 mA transmitter signal diagnostic (out of range, frozen signal, etc.) Diagnostics by comparison (IEC-61508 gives them a lot of credit). Use of the Hart protocol to diagnose problems in the transmitters or in their wiring from the PLC to the instrument (due to earth leakage, etc.) Diagnostic to detect the failure of the digital outputs in a PLC as it is not a standard feature in all PLCs. The partial stroke test (PST) in a safety valve. Diagnostic of valve failures by using transmitters. It is an interesting application that can be used only in certain designs. Other cases such as detection of cable break, etc. These are some examples that we explained in the course SIFs Design and calculation of SIL.
The importance of common cause failures When designing a control system, we should paid special attention to common cause failures, that is, to the factors that may cause the simultaneous failure of several components or redundant channels. It is an even more important aspect in the case of safety instrumented systems (SIS) and is considered in international safety standards such as IEC-61508 (for all industries), IEC-61511 (for the process industry), IEC-62061 (for machinery safety), IEC-61513 (for the nuclear industry) or ISA-84. We can perform an excellent design of the system or the safety instrumented function, but if we neglect the common cause failures the final result can be really bad. Not always the design engineer is aware of the importance of this. They are of vital importance in systems of high availability, i.e., in systems with redundant architectures 2oo3, 2oo4, 2oo2, 3oo3, etc. or in safety systems with architectures 1oo2, 1oo3, 2oo3, etc. Suppose for example a PLC with redundant CPU mounted inside a cabinet with insufficient ventilation, with errors in the design of grounding system and that has been tested by personnel with little experience (which greatly increases the possible software errors) . Any of these aspects can have a very negative effect on both CPUs simultaneously. How many System Integrators actually calculate the heat dissipation inside the control cabinet and under the specified temperature and humidity conditions? It is not a complicated calculation, but it serves as an example to draw attention to common cause failures. In the field elements, such as sensors or actuators, there are also many common factors that influence the operation of the system, such as how they are assembled and calibrated, if they have been correctly specified, or for example, if we are using the same multi cable and junction boxes for all redundant channels. In order to evaluate and quantify common cause failures, IEC-61508 makes several recommendations on how to do so and introduces the so-called β factor that should be used in formulas for calculation of failure probabilities and others. To give a better idea of what we are talking about, we show below some of the formulas used in the SILcet application, where we can see in red the term corresponding to the common cause failures, and that greatly influences the 1oo2, 2oo3 and 2oo4 results since the first term is usually the power of a very small number (<< 0.1).
What is a Safety Instrumented Function? The safety instrumented function is a control loop in a process or machine whose objective is safety. SIF is its acronym in English. In the following image we see the most common simplified representation of the SIF. The integrity and performance of the safety instrumented function depends on a large number of factors, and it is measured by the so-called “Safety Integrated Level” (SIL) which are covered by various international standards such as IEC-61508 (for all industries), IEC-61511 (for the process industry), IEC-62061 (for machinery safety), IEC-61513 (for the nuclear industry) or ISA-84. Some of the main factors that influence the performance of the SIF are the following: The technology used: the quality of the components and the manufacturer, the safe and dangerous failure rates, the capacity of automatic diagnostics of the components, etc. The architecture used: component redundancy, common cause failures, etc. The response time of the components, the time to be repaired and restoration time to normal operation. The activities throughout the life cycle of the safety instrumented function such as periodic tests, documentation of failures and other actions, SIL level verifications, etc. In the following image we can see a more detailed representation of the SIF where you can see many other elements that make up the safety function. Sensors It is very important to consider everything around the sensor to work properly, such as an adequate connection to the process, a correct measurement technology in each case, or other aspects of the design such as wiring and interface components with the safety PLC. Logic solver The logic solver can be a PLC, a relay system or an electronic system in general (programmable or not) but must meet a series of requirements to be used in an safety instrumented function. In this article we talk for example about the safety PLC. The design should take into account both hardware and, software or firmware, as well as external factors such as cybersecurity. Final elements In the safety instrumented function the final elements are usually the weakest link in the chain for different reasons (mechanical elements and in direct connection with the process). It is very important to select well the construction materials, as well as all the components and a correct execution of the mounting on site. Other elements There are many other elements and external factors that greatly influence the performance and integrity of the safety instrumented function such as external temperature, vibrations, electromagnetic interferences, if there is dust in suspension (especially if it is corrosive), power supplies, operation and maintenance tasks, etc. All these factors are in the category that we call common cause failures and that must be analyzed in detail in order to minimize their impact on the performance of the SIF, i.e., to avoid the degradation of the required SIL level. Watch this video about the basics of Functional Safety. Go deeper into these and many other concepts in our RECOMMENDED “online” COURSE on Functional Safety: “Design of SIFs and SIL calculation”