Design of SIS, Control Systems and Instrumentation Systems
New Excel tool for SIL verification of safety instrumented functions.
It calculates the SIL according to IEC-61508 for both simple and complex SIFs, taking into account the three requirements of the Standard (systematic capability, failure probability and architectural constraints).
It allows all types of architectures and incorporates macros in VBA to compare SIFs, generate various types of reports and other functions.
We provide different training courses in the area of instrumentation and control.
Design of SIFs and SIL calculation. A very practical course focused on the design of safety instrumented functions and the comparison of solutions according to cost and technical requirements. You learn the efficient use of the SILcet tool developed by us, and the course includes many practical examples, including how to upgrade old safety systems.
Practical design of the control system. It is a course provided by ISA Spain, developed by PLCdesign and other automation manufacturers that collaborate with ISA.
We offer different engineering services within the area of instrumentation and control, such as:
More info on the Enertria website
-Bid generator: Excel to compare, analyze and automatically generate the usual documents of an offer. Designed mainly for suppliers of Solutions (Automation, Mechanical, etc.)
-Cabinet Layout: Excel to design the internal layout of the components of any electrical or control cabinet. Designed mainly for panel builders and system integrators
-IO Builder: Excel to distribute the simple and redundant I/O signals of any control system. Designed for System Integrators.
Dangerous failures of the SIS

When calculating the Probability of Failure of a Safety Instrumented Function (SIF), the most important failures are the dangerous ones, as we see in the following equations for the 1oo1 and 1oo2 architectures. The value Lambda DD is the rate of dangerous detected failures, and Lambda DU corresponds to the undetected ones.

We can break down dangerous failures into 4 groups:

-DD failures: these are the dangerous failures detected by the product diagnostics, i.e., by the diagnostics integrated by the manufacturer of the safety PLC, transmitter, positioner, etc. In valves, being mechanical elements, we do not have product diagnostics.

-DU failures convertible to DD: these are the dangerous failures not detected by the automatic diagnostics, but that can be detected if we implement some application diagnostic in the SIF. Typical cases are, for example, detecting whether an analog signal is out of range, or the PST (Partial Stroke Test) on the safety valves.

-DU1 failures: dangerous failures not detected by the automatic diagnostics, but that we detect in the manual tests (proof tests) made to the SIF every TI hours (Test Interval). The greater the effectiveness of these tests, the higher the value of Cpt (proof test coverage), which is a very important parameter in the formulas used to calculate the failure probability.

-DU2 failures: the dangerous failures that we never detect, neither with the automatic diagnostics nor in the manual tests. These are “hidden” faults that do not show up in tests and that can be very diverse in nature.

Keep in mind that the tests we must perform periodically on all safety functions are never perfect. Therefore, we can define the “effectiveness of the tests” in the following way:

Cpt = DU1 / (DU1 + DU2)

In the process industry this value varies between 70 and 95% in the SENSOR and LOGIC SOLVER subsystems, and between 40 and 95% in the ACTUATOR subsystem. We treat all these concepts and many others in our courses.
The importance of diagnostics in the SIS

The diagnostics in a Safety Instrumented System (SIS) are of crucial importance because they are the key to reducing the rates of undetected dangerous failures and, therefore, to reducing the probability of failure on demand (PFD / PFH) and increasing the SIL. We can see it in the following 2 equations (used in SILcet), for the 1oo1 and 1oo2 architectures, which are used to calculate the Probability of Failure and the SIL achieved.

The objective of the diagnostics is to detect any internal failure in a component. What they do is monitor the correct operation of the devices that intervene in a SIF (safety instrumented function). We can classify the diagnostics in 2 types:

-Product diagnostics or self-diagnostics. They are those that come integrated from the factory with the product (sensors, PLC, final elements). In safety PLCs the self-diagnostic coverage is very high; in certified 4-20 mA transmitters it is high. It is in the final elements of the SIF that, depending on the type, we can find certified products without product diagnostics (as in shut-off valves), because they are usually purely mechanical elements.

-Application diagnostics. They are additional diagnostics of each specific application. They are not always necessary, because it depends on many factors, but for SIL 2 and SIL 3 levels they can be essential to meet the required SIL. To implement them we will need to add some software routines in the PLC and, sometimes, also external wiring to the PLC and some additional hardware components (limit switch, valve positioner, line monitoring resistor, transmitter, DO feedback to DI, etc.).

Some practical examples of this type of diagnostic:

-4-20 mA transmitter signal diagnostic (out of range, frozen signal, etc.).
-Diagnostics by comparison (IEC-61508 gives them a lot of credit).
-Use of the HART protocol to diagnose problems in the transmitters or in their wiring from the PLC to the instrument (due to earth leakage, etc.).
-Diagnostic to detect the failure of the digital outputs in a PLC, as it is not a standard feature in all PLCs.
-The partial stroke test (PST) in a safety valve.
-Diagnostic of valve failures by using transmitters. It is an interesting application that can be used only in certain designs.
-Other cases such as detection of cable break, etc.

These are some of the examples that we explain in the course SIFs Design and calculation of SIL.
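As an added example (not course material or any product's code), the out-of-range, frozen-signal and comparison diagnostics listed above, written as detection logic that a logic solver could run over two redundant 4-20 mA channels; the mA limits, the window and deviation thresholds, and the sample scans are constructed assumptions.

```python
# Added example, not from the page: application diagnostics for 4-20 mA
# transmitter signals of the kinds listed above (out of range, frozen signal,
# comparison between redundant channels). Limits are assumed NE43-style values;
# the scan data is constructed.

LOW_LIMIT_MA = 3.8    # below: open loop / transmitter fault band (assumed)
HIGH_LIMIT_MA = 20.5  # above: short circuit / saturation band (assumed)

def out_of_range(ma):
    """Out-of-range diagnostic: turns a DU wiring or transmitter fault into DD."""
    return ma < LOW_LIMIT_MA or ma > HIGH_LIMIT_MA

def frozen(samples, window=5, tol=0.0):
    """Frozen signal: the last `window` samples are identical within `tol`."""
    if len(samples) < window:
        return False
    recent = samples[-window:]
    return max(recent) - min(recent) <= tol

def deviation(ma_a, ma_b, max_dev):
    """Comparison diagnostic between two redundant channels."""
    return abs(ma_a - ma_b) > max_dev

def diagnose(chan_a, chan_b, window=5, max_dev=0.5):
    """Run the three diagnostics over two equal-length scan streams (mA).
    Returns (scan index, finding) pairs for the PLC to alarm or trip on."""
    findings = []
    for i in range(len(chan_a)):
        a, b = chan_a[i], chan_b[i]
        if out_of_range(a):
            findings.append((i, "A out of range"))
        if out_of_range(b):
            findings.append((i, "B out of range"))
        if frozen(chan_a[:i + 1], window):
            findings.append((i, "A frozen"))
        if frozen(chan_b[:i + 1], window):
            findings.append((i, "B frozen"))
        # compare only while both channels are inside the valid band
        if not (out_of_range(a) or out_of_range(b)) and deviation(a, b, max_dev):
            findings.append((i, "A/B deviation"))
    return findings

# Constructed scans: channel A freezes at 12.0 mA from scan 4; channel B keeps
# following the process, then drops to 2.1 mA (cable break) at scan 9.
CHAN_A = [11.8, 11.9, 12.0, 12.1, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0]
CHAN_B = [11.8, 11.9, 12.0, 12.1, 12.2, 12.3, 12.4, 12.6, 12.7, 2.1]

if __name__ == "__main__":
    for idx, msg in diagnose(CHAN_A, CHAN_B):
        print(f"scan {idx}: {msg}")
```

Note that the comparison diagnostic catches the frozen channel one scan before the frozen-signal window fills, which is why IEC-61508 credits comparison so highly.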
The importance of common cause failures

When designing a control system, we should pay special attention to common cause failures, that is, to the factors that may cause the simultaneous failure of several components or redundant channels. It is an even more important aspect in the case of safety instrumented systems (SIS) and is considered in international safety standards such as IEC-61508 (for all industries), IEC-61511 (for the process industry), IEC-62061 (for machinery safety), IEC-61513 (for the nuclear industry) or ISA-84.

We can perform an excellent design of the system or the safety instrumented function, but if we neglect the common cause failures the final result can be really bad. The design engineer is not always aware of the importance of this. They are of vital importance in high availability systems, i.e., in systems with redundant architectures 2oo3, 2oo4, 2oo2, 3oo3, etc., or in safety systems with architectures 1oo2, 1oo3, 2oo3, etc.

Suppose, for example, a PLC with redundant CPUs mounted inside a cabinet with insufficient ventilation, with errors in the design of the grounding system, and that has been tested by personnel with little experience (which greatly increases the possible software errors). Any of these aspects can have a very negative effect on both CPUs simultaneously. How many System Integrators actually calculate the heat dissipation inside the control cabinet under the specified temperature and humidity conditions? It is not a complicated calculation, but it serves as an example to draw attention to common cause failures.

In the field elements, such as sensors or actuators, there are also many common factors that influence the operation of the system, such as how they are assembled and calibrated, whether they have been correctly specified, or, for example, whether we are using the same multi-core cable and junction boxes for all redundant channels.

In order to evaluate and quantify common cause failures, IEC-61508 makes several recommendations on how to do so and introduces the so-called β factor, which should be used in the formulas for the calculation of failure probabilities and others. To give a better idea of what we are talking about, we show below some of the formulas used in the SILcet application, where the term corresponding to the common cause failures is shown in red; it greatly influences the 1oo2, 2oo3 and 2oo4 results, since the first term is usually a power of a very small number (<< 0.1).
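The SILcet formulas themselves are not reproduced on this page, so the following is an added example built on the simplified IEC 61508-6 style expressions for 1oo1 and 1oo2, using the DD / DU1 / DU2 breakdown from the "Dangerous failures" section and the β factor described above. The failure rates, coverages and intervals are constructed, and the split of proof-test exposure into TI/2 for DU1 and lifetime/2 for DU2 is an assumed simplification, not SILcet's own treatment.

```python
# Added example, not the SILcet equations (not reproduced on this page):
# simplified IEC 61508-6 style PFDavg estimates for 1oo1 and 1oo2 with the
# dangerous-failure breakdown (DD, DU1 = found by proof test, DU2 = hidden)
# and the beta factor for common cause failures. All rates are constructed.
from dataclasses import dataclass

@dataclass
class Channel:
    lambda_dd: float  # dangerous detected failure rate (1/h), repaired within mttr
    lambda_du: float  # dangerous undetected failure rate (1/h)
    cpt: float        # proof test coverage = DU1 / (DU1 + DU2)
    ti: float         # proof test interval TI (h)
    lt: float         # lifetime / mission time over which DU2 faults stay hidden (h)
    mttr: float       # mean time to restoration of a detected failure (h)

    def du_split(self):
        """Split lambda_du into DU1 (revealed by proof tests) and DU2 (never revealed)."""
        du1 = self.cpt * self.lambda_du
        return du1, self.lambda_du - du1

def pfd_1oo1(ch):
    """Mean unavailability of one channel: DD faults last mttr, DU1 faults last
    TI/2 on average, DU2 faults last LT/2 on average (assumed simplification)."""
    du1, du2 = ch.du_split()
    return ch.lambda_dd * ch.mttr + du1 * ch.ti / 2 + du2 * ch.lt / 2

def pfd_1oo2(ch, beta, beta_d):
    """Returns (independent term, common cause term). The common cause term is the
    one the text shows in red: a fraction beta of DU and beta_d of DD failures hits
    both channels at once, so it behaves like a single channel scaled by beta."""
    du1, du2 = ch.du_split()
    independent = ((1 - beta) * ch.lambda_du * ch.ti) ** 2 / 3
    common = beta * (du1 * ch.ti / 2 + du2 * ch.lt / 2) + beta_d * ch.lambda_dd * ch.mttr
    return independent, common

# Constructed transmitter: 60% diagnostic coverage, yearly proof test with
# Cpt = 80%, 10 year lifetime; beta = 10% and beta_d = 5% are used below.
SENSOR = Channel(lambda_dd=3e-7, lambda_du=2e-7, cpt=0.8, ti=8760, lt=87600, mttr=8)

if __name__ == "__main__":
    ind, cc = pfd_1oo2(SENSOR, beta=0.1, beta_d=0.05)
    print(f"1oo1 PFDavg = {pfd_1oo1(SENSOR):.3e}")
    print(f"1oo2 PFDavg = {ind + cc:.3e} (common cause share {cc / (ind + cc):.1%})")
```

With these numbers the independent 1oo2 term is below 1e-6 while the β term alone is about 2.5e-4, so the redundancy gain is set almost entirely by β and by the hidden DU2 share, not by the squared term.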
What is a Safety Instrumented Function?

The safety instrumented function is a control loop in a process or machine whose objective is safety. SIF is its acronym in English. In the following image we see the most common simplified representation of the SIF.

The integrity and performance of the safety instrumented function depend on a large number of factors, and they are measured by the so-called “Safety Integrity Level” (SIL), which is covered by various international standards such as IEC-61508 (for all industries), IEC-61511 (for the process industry), IEC-62061 (for machinery safety), IEC-61513 (for the nuclear industry) or ISA-84. Some of the main factors that influence the performance of the SIF are the following:

-The technology used: the quality of the components and the manufacturer, the safe and dangerous failure rates, the automatic diagnostic capacity of the components, etc.
-The architecture used: component redundancy, common cause failures, etc.
-The response time of the components, the time to repair them and the restoration time to normal operation.
-The activities throughout the life cycle of the safety instrumented function, such as periodic tests, documentation of failures and other actions, SIL verifications, etc.

In the following image we can see a more detailed representation of the SIF, where you can see many other elements that make up the safety function.

Sensors
It is very important to consider everything around the sensor for it to work properly, such as an adequate connection to the process, the correct measurement technology in each case, or other aspects of the design such as wiring and the interface components with the safety PLC.

Logic solver
The logic solver can be a PLC, a relay system or an electronic system in general (programmable or not), but it must meet a series of requirements to be used in a safety instrumented function. In this article we talk, for example, about the safety PLC. The design should take into account both hardware and software or firmware, as well as external factors such as cybersecurity.

Final elements
In the safety instrumented function the final elements are usually the weakest link in the chain, for different reasons (they are mechanical elements in direct contact with the process). It is very important to select the construction materials well, as well as all the components, and to execute the mounting on site correctly.

Other elements
There are many other elements and external factors that greatly influence the performance and integrity of the safety instrumented function, such as external temperature, vibrations, electromagnetic interference, dust in suspension (especially if it is corrosive), power supplies, operation and maintenance tasks, etc. All these factors fall in the category that we call common cause failures and must be analyzed in detail in order to minimize their impact on the performance of the SIF, i.e., to avoid the degradation of the required SIL level.
SIL requirements – Systematic Capability, Failure Probability and Architectural Constraints.

The designer of the safety instrumented function must verify that the 3 SIL requirements of the IEC-61508 Standard are met. Each requirement will meet a certain maximum SIL level. The final SIL of the SIF will be the lowest of the three and must be greater than or equal to the required target SIL.

1-The systematic capability of the element (sensor, PLC, valve, etc.) is reflected in the certification issued by certain entities such as Exida or TÜV. The rating (SC 1/2/3) achieved depends on the effectiveness of the quality system and other aspects. A category, for example SC3, means that the product is certified for applications up to SIL 3. Another option is “prior use”, which must be documented and justified. It is important to be clear that using certified products is not enough to comply with the SIL level; it is necessary to comply with all the SIL requirements. If the systematic capability of any of the elements is unknown, it should be indicated in the verification report.

2-The second requirement is determined by the average Probability of Failure on Demand of the SIF (PFDavg for low demand systems) or the Probability of dangerous Failure per Hour of the SIF (PFH for high demand systems). The calculation is made for the selected architecture in each subsystem (sensor, logic solver and actuator), and the subsystem results are summed to obtain the probability of failure of the SIF (Safety Instrumented Function). If the required SIL is not met, it will have to be recalculated with another architecture (1oo2, 2oo3, etc.), with products with lower failure rates, or by reducing other factors that affect this calculation (Test Interval, beta factor for common cause failures, etc.). It is important to use realistic failure rate values and, if possible, ones based on historical data from similar applications.

3-The third SIL requirement is called “Architectural Constraints” and is based on the minimum hardware redundancy requirements. The tables of SFF (safe failure fraction = proportion of safe failures) and HFT (hardware fault tolerance) values are used. If the selected architecture does not comply in any of the subsystems (sensor, logic solver, actuator), it will have to be recalculated with another, safer architecture (1oo2, 2oo3, etc.). There are 2 options (Route 1H and Route 2H). Route 2H is used if the failure rates are realistic for the specific application. Otherwise Route 1H should be used, which was created as a defense against failure rates that are too low to be realistic. In Route 1H there are two HFT tables according to whether the element is type A (simple elements such as pressure switches, valves, etc.) or type B (complex elements such as smart transmitters or PLCs).

The three SIL requirements must be met. The maximum SIL achievable by the SIF will be the lowest of the three. This is the methodology we use in the SILcet tool to calculate and verify the SIL.
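The three-requirement check described above, as an added example and not the SILcet implementation: systematic capability from the certificates, PFDavg summed over the subsystems and banded to a SIL, and the Route 1H architectural constraints looked up per subsystem, with the lowest of the three taken as the achieved SIL. The Route 1H tables are IEC 61508-2 Tables 2 and 3 and the PFDavg bands are the low-demand bands of IEC 61508-1, both reproduced here as assumptions; the subsystem data is constructed.

```python
# Added example, not the SILcet implementation: the three SIL requirements
# checked for a SIF of sensor, logic solver and actuator subsystems. ROUTE_1H
# encodes IEC 61508-2 Tables 2 (type A) and 3 (type B) as assumed here; the
# PFDavg bands are the IEC 61508-1 low demand bands. Subsystem data is constructed.
from dataclasses import dataclass

# Route 1H maximum SIL indexed by [SFF band][HFT]; None = not allowed.
# SFF bands: <60%, 60-<90%, 90-<99%, >=99%.
ROUTE_1H = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[None, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}

def sff_band(sff):
    return 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3

@dataclass
class Subsystem:
    name: str
    sc: int          # systematic capability from the certificate (SC 1..3)
    sff: float       # safe failure fraction, 0..1
    hft: int         # hardware fault tolerance of the chosen architecture
    kind: str        # "A" (simple element) or "B" (complex element)
    pfd_avg: float   # PFDavg of the subsystem with that architecture

    def arch_sil(self):
        """Architectural constraints (Route 1H): max SIL for this SFF and HFT."""
        return ROUTE_1H[self.kind][sff_band(self.sff)][min(self.hft, 2)]

def sil_from_pfd(pfd):
    """Low demand bands: SIL4 <1e-4, SIL3 <1e-3, SIL2 <1e-2, SIL1 <1e-1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def verify_sif(subsystems, target_sil):
    """Lowest of the three requirements is the achieved SIL of the SIF."""
    sc_sil = min(s.sc for s in subsystems)                      # requirement 1
    pfd_sil = sil_from_pfd(sum(s.pfd_avg for s in subsystems))  # requirement 2
    arch = [s.arch_sil() for s in subsystems]                   # requirement 3
    arch_sil = 0 if None in arch else min(arch)
    achieved = min(sc_sil, pfd_sil, arch_sil)
    return {"sc": sc_sil, "pfd": pfd_sil, "arch": arch_sil,
            "achieved": achieved, "meets_target": achieved >= target_sil}

# Constructed SIF: 1oo1 smart transmitter, 1oo1 safety PLC, 1oo2 valves.
SIF = [Subsystem("sensor", 3, 0.92, 0, "B", 4e-4),
       Subsystem("logic solver", 3, 0.995, 0, "B", 5e-5),
       Subsystem("actuator", 2, 0.55, 1, "A", 1.2e-3)]
```

Here the actuator limits the result twice, through its SC 2 certificate and its 1oo2 architecture, so verify_sif(SIF, 2) reports SIL 2 achieved and a SIL 3 target would fail even though the logic solver on its own reaches SIL 3.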