Design of SIS, Control Systems and Instrumentation Systems

Why Cpt is so important? In the process industry when we calculate the Probability of Failure on Demand (PFDavg) of a Safety Instrumented Function (SIF) we use equations of the following type:   “Cpt” parameter is one of the most important and often is not paid much attention. “Cpt” (Proof Test Coverage) parameter is defined in IEC-61511 as follows: “Periodic test performed to detect dangerous hidden faults in a SIS so that, if necessary, a repair can restore the system to an as new condition or as close as practical to this condition.” These tests must be done every TI hours to try to detect the dangerous failures (DU) that have not been detected by the automatic diagnostics implemented in the SIS. The greater the effectiveness of these tests, the greater the value of Cpt. We find with certain frequency valve manufacturers that calculate the PFDavg with a Cpt value of 100% which is impossible in reality, especially in the case of the final elements. The impact of the value of Cpt on the result of the PFDavg, and therefore on the SIL achieved, can be enormous in many cases. By using one of the calculation functions of the SILcet tool we have made some examples that can illustrate us. EXAMPLE 1: Let’s suppose an architecture of the SIF as shown in the image. The result is as follows. We have calculated 12 values of PFDavg reducing, in steps of 2%, the initial value of Cpt = 90% of the actuator subsystem. The first value corresponds to the starting point (90%) and we observe how we pass from the SIL-2 zone to the SIL-1 zone when reducing the Cpt value. In a case like this, a difference of 5-10% in the Cpt can change completely the result. EXAMPLE 2: Suppose a SIF architecture similar to the previous one. We use the same components except in the final element because in this case we have supposed much lower failure rates. In this case DU =700 FITS instead of the 3000 FITS of the previous case. We also start from Cpt = 90% in the actuator and we are reducing its value in steps of 2%. In this case we see that the impact of modifying Cpt towards more realistic values is not so great because we have selected a final element with much lower DU failure rates. CONCLUSION It is very important to define correctly the procedure of proof tests that we are going to carry out in the Safety Functions and that will give us what value of Cpt we should use in the calculations of PFDavg. In general, we should not accept Cpt values of 100% as they are not realistic. In the case of final elements, if we do not know its value, it is advisable to be conservative and use values around 65-75%. The most advisable is to use some method to evaluate the failure modes, quantifying the failure rates by type (SD / SU / DD / DU) and the percentages detectable with the proof tests that we are going to perform. The manufacturer’s support in this task is important. Calculating with very high Cpt values that have not been analysed correctly can lead us to erroneous achieved SIL values. From version 4.1.1 of SILcet we have included a simple Excel to calculate the Cpt value of the actuator subsystem. Visit our website about Functional Safety

The importance of diagnostics in the SIS The diagnostics in an Safety Instrumented System (SIS) are of crucial importance because they are the key to reduce the rates of undetected dangerous failures and, therefore, to reduce the probability of failure on demand (PFD / PFH) and increase the SIL. We can see it in the following 2 equations (used in SILcet), for the 1oo1 and 1oo2 architectures, which are used to calculate the Probability of Failure and the SIL achieved. The objective of the diagnostics is to detect any internal failure in a component. What they do is to monitor the correct operation of the devices that intervene in a SIF (safety instrumented function). We can classify the diagnostics in 2 types: Product diagnostics or self-diagnostics. They are those that come integrated from factory with the product (sensors, PLC, final elements). In the safety PLCs the self-diagnostics are very high, in certified 4-20 mA transmitters they are high. It is in the final elements of the SIF that, depending on the type, we can find certified products without product diagnostics (as in shut off valves) because they are usually purely mechanical elements. Application diagnostics. They are additional diagnostics of each specific application. They are not always necessary because it depends on many factors, but for SIL-2 and 3 levels they can be essential to meet the required SIL. To implement them we will need to add some software routines in the PLC and, sometimes, also external wiring to the PLC and some additional hardware components (limit switch, valve positioner, line monitoring resistor, transmitter, DO feedback to DI, etc.) Some practical examples of this type of diagnostic: 4-20 mA transmitter signal diagnostic (out of range, frozen signal, etc.) Diagnostics by comparison (IEC-61508 gives them a lot of credit). Use of the Hart protocol to diagnose problems in the transmitters or in their wiring from the PLC to the instrument (due to earth leakage, etc.) Diagnostic to detect the failure of the digital outputs in a PLC as it is not a standard feature in all PLCs. The partial stroke test (PST) in a safety valve. Diagnostic of valve failures by using transmitters. It is an interesting application that can be used only in certain designs. Other cases such as detection of cable break, etc. These are some examples that we explained in the course SIFs Design and calculation of SIL.