1、 TECHNICAL REPORT ISA-TR84.00.02-2015 Safety Integrity Level (SIL) Verification of Safety Instrumented Functions Approved 8 September 2015 ISA-TR84.00.02-2015, Safety Integrity Level (SIL) Verification of Safety Instrumented Functions ISBN: 978-1-941546-70-3 Copyright 2015 by ISA. All rights reserve
2、d. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher. I
3、SA 67 Alexander Drive P.O. Box 12277 Research Triangle Park, North Carolina 27709 3 ISA-TR84.00.02-2015 Preface This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-TR84.00.02-2015. This document has been prepared as part of the service of I
4、SA toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practice
5、s Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standardsisa.org. The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the Internat
6、ional System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other count
7、ries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices, and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published
8、 by the American Society for Testing b) understanding the impact of diagnostics and mechanical integrity (MI) activities on the SIL and reliability; c) identifying sources of common cause, common mode and systematic failures; and d) using quantitative methodologies to verify the SIL and spurious tri
9、p rate. The approaches outlined in this document are performance-based; consequently, the reader is cautioned to understand that the examples provided do not represent prescriptive architectural configurations or MI requirements for any given SIL. Once a SIS is designed and installed, the ability to
10、 maintain the specified SIL requires the implementation of a structured MI program as described in TR84.00.03. TR84.00.03Mechanical Integrity of Safety Instrumented Systems (SIS)Lifecycle phases 5 and 6 (Figure 1/Table 1) involve the installation and testing of the SIS, the validation that the SIS m
11、eets the safety requirements specification, and the assurance that functional safety is maintained during long term operation and maintenance. An important aspect of achieving and maintaining the SIS integrity and its specified SIL is the implementation of an MI program that provides quality assuran
12、ce of the installed SIS performance. This technical report is an informative document providing guidance on establishing an effective MI program that demonstrates through traceable and auditable documentation that the SIS and its equipment are maintained in the “as good as new” condition. The techni
13、cal report addresses the identification of personnel roles and responsibilities when establishing an MI plan, important considerations in establishing an effective MI program, and detailed examples to illustrate user work processes used to support various activities of the MI program. Data and infor
14、mation collected as part of the MI program can be used to validate the SIL Verification calculations as discussed in TR84.00.02 and the selection and continued use of devices as discussed in TR84.00.04 Annex L. TR84.00.04Guidelines for the Implementation of ISA 84.00.01Lifecycle phases 2, 4, 9 and 1
15、0 (Figure1/Table 1) address the management of functional safety, allocation of safety functions to protection layers, SIS design and engineering, and SIS verification. This technical report is divided into two parts. Part1 provides an overview of the SIS lifecycle with references to annexes containi
16、ng more detailed guidance on various subjects. Part 2 provides an end-user example of “how to“ implement ISA-84.00.01. This report covers many aspects of the safety lifecycle including such topics as: “grandfathering“ existing SISs (Clause 3 and Annex A); operator initiated functions (Annex B), sepa
17、ration of the BPCS and SIS (Annex F), field device and logic solver selection (Annex L), manual shutdown considerations (Annex P), and design/installation considerations (Annex N). TR84.00.02 expands Annex G, which only provides a brief introduction to the topic of failure calculations.TR84.00.04 do
18、es not address the MI program, which is discussed in TR84.00.03. ISA-TR84.00.02-2015 10 Figure 1 SIS Safety Lifecycle Phases (modified ISA 84.00.01-1 Figure 8) 11 ISA-TR84.00.02-2015 Table 1 SIS safety life-cycle overview (modified ISA 84.00.01-1 Table 2) Safety lifecycle phase or activity Objective
19、s ISA-84.00.01 Requirements Clause ISA84 Technical Report Reference Figure 1 box number Title 1 Hazard and risk assessment To determine the hazards and hazardous events of the process and associated equipment, the sequence of events leading to the hazardous event, the process risks associated with t
20、he hazardous event the requirements for risk reduction and the safety functions required to achieve the necessary risk reduction. 8 None 2 Allocation of safety functions to protection layers Allocation of safety functions to protection layers and for each safety instrumented function, the associated
21、 safety integrity level. 9 ISA-TR84.00.04 Annexes B, F, and J 3 SIS safety requirements specification (SRS) To specify the requirements for each SIS, in terms of the required safety instrumented functions and their associated safety integrity, in order to achieve the required functional safety. 10 N
22、o specific guidance, but many annexes assist in development of the SRS. Alternative: No specific guidance on documenting the SRS. An example is shown in ISA-TR84.00.04 Part 2. All three technical reports provide fundamental considerations for SRS development. 4 SIS design understand its contribution
23、 to systematic, common cause, and common mode failures within and between SIFs; and ensure that it meets the performance necessary to achieve the required SIL of any SIF it services. The safety requirements specification (SRS) addresses the design features (hardware, software, redundancy, etc.) and
24、the operating plan (inspection/maintenance policy, frequency and method of testing, etc.) of the SIS. Verification demonstrates quantitatively that each SIF is capable of meeting the required SIL in the operating environment. How well this calculation reflects reality is dependent on whether the dat
25、a reflects the in-service performance of the equipment. Refer to ISA-TR84.00.03 for guidance on the mechanical integrity program and how to collect data during validation, inspection, testing, and process demands. Refer to ISA-TR84.00.04 for guidance on the user approval process, which uses mechanic
26、al integrity records to verify that equipment is fit for service and provides the required performance in-service. The objective of this technical report is to provide users with techniques for the evaluation of the average probability of failure on demand (PFDavg) and mean time to failure spurious
27、(MTTFSP). ISA-TR84.00.02-2015 shows examples of how to model complete SIF, which includes the sensors, the logic solver and final elements. 15 ISA-TR84.00.02-2015 2 Scope ISA-TR84.00.02-2015 is informative and does not contain any mandatory clauses. ISA-TR84.00.02 is intended for use by those with a
28、 thorough understanding of ISA-84.00.01-2004 Part 1. This document assumes that a SIS is required. It does not provide guidance on the hazard and risk assessment used to identify the need for a SIS. The user is referred to ISA-84.00.01-2004 Part 3, and CCPSs Hazard Evaluation Procedures and Layers o
29、f Protection Analysis: Simplified Risk Assessment for guidance on assigning the SIL. Prior to proceeding with use of ISA-TR84.00.02-2015, the hazards and risk assessment and the allocation of safety functions to protection layers should be completed and the following information provided: At least o
30、ne SIF is required The functional requirements of the SIF The integrity requirements of the SIF ISA-TR84.00.02-2015 provides guidance on different issues that impact SIL verification: Assessing random and systematic failures, classifying failure modes, and estimating the failure rates for individual
31、 devices of an SIF; Assessing the impact of diagnostic and mechanical integrity choices on the performance of the SIF and its devices; Assessing and estimating the potential for common cause and common mode failures; and Verifying that the SIF achieves a specified SIL and spurious trip rate. ISA-TR8
32、4.00.02 provides guidance on techniques for evaluating the following: Average probability of failure on demand for low demand mode Spurious trip rate There are four topics that are being held until the next revision of ISA-TR84.00.02. Until then, the reader should refer to ISO 12489 for appropriate
33、methodologies. Modeling of continuous and high demand mode systems Understanding proof test effectiveness and how this is addressed by design and mechanical integrity practices Understanding how to model common cause and systematic contribution to the failure of subsystems and systems and to the occ
34、urrence of the hazardous event Expanding the discussion of common cause and systematic error to address these issues across the entire lifecycle ISA-TR84.00.02-2015 16 3 Background During a hazard and risk assessment, initiating causes for hazardous events are identified where deviation from intende
35、d operation results in abnormal process condition(s). Safety functions are identified that achieve or maintain a safe state of the process when defined safe operating limits are exceeded. Each safety function is allocated to an independent protection layer and allocated the risk reduction necessary
36、to reduce the process risk below the owner/operator risk tolerance criteria. When the safety function is allocated to the SIS, the allocated risk reduction determines its SIL according to Table 4 in ISA 84.00.01-2004. Clause 11.9 requires that the target failure measure assigned to the SIF be verifi
37、ed quantitatively. The SIL is related to a range of the average probability of failure on demand (PFD avg) for low demand mode. SIS device performance can be determined using historical data from maintenance records. A relatively large data pool is necessary to have a statistically significant popul
38、ation; so many users initially estimate the PFDavg using predictive analysis and comparison to previously approved equipment. As more data is collected, the data certainty improves. This technical report provides users with a discussion of quantitative analysis techniques that can be used to verify
39、whether a SIF meets the required SIL. Quantitative analysis breaks down complex systems to determine the effect of the failure of each device on the overall system. While this technical report will focus on the estimation of random hardware failure, the standard requires that the SIF meet the safety
40、 integrity requirements. This includes consideration of the SIF susceptibility to systematic failures. Safety integrity is defined as, “The probability of a Safety Instrumented Function satisfactorily performing the required safety functions under all stated conditions within a stated period of time
41、.” Safety integrity consists of two elements: 1) hardware safety integrity and 2) systematic safety integrity. Hardware safety integrity is based upon random hardware failures and can normally be estimated to a reasonable level of accuracy. ISA-84.00.01-2004 addresses the hardware safety integrity b
42、y specifying target failure measures for each SIL. Systematic integrity is difficult to quantify due to the diversity of causes of failures; systematic failures may be introduced during the specification, design, implementation, operation, and modification phases and may affect hardware as well as s
43、oftware. ISA-84.00.01-2004 addresses systematic safety integrity by requiring the implementation of a functional safety management system that seeks to identify and minimize the potential for systematic failures to a sufficiently low level. The target SIL serves as the performance benchmark for the
44、design and management practices used throughout the SIF life. The SIL establishes three criteria: 1) equipment should be user approved for the operating environment and claimed failure rate Refer to ISA-TR84.00.04 Annex L; 2) the subsystems should have the necessary fault tolerance against dangerous
45、 failure Refer to ISA-TR84.00.04 Annex K; and 3) the PFDavg for a low demand mode SIF. The target SIL also establishes a minimum level of management system rigor necessary to reduce the potential for systematic failures to a sufficiently low level. Systematic failures are caused, or indirectly induc
46、ed, by human error or unforeseeable complex process conditions. Systematic failures are not random events and must be addressed by the management system, using quality management processes to minimize systemic failures. Systematic failures are not easily included in the verification calculation. Ran
47、dom failures are easily modeled using probabilistic math, allowing the performance to be estimated. Random failures occur when stress causes a fault to develop in a component of a device. The performance calculation determines whether the planned SIF design can theoretically achieve the desired inte
48、grity and reliability, by considering factors such as: Mean time to failure (MTTF), 17 ISA-TR84.00.02-2015 Failure modes, Distribution of failure modes, Effect of failure mode on SIF operation, Voting architecture, Diagnostic coverage (DC), Diagnostic interval (DI) Test coverage (TC), Inspection and
49、 preventive maintenance interval, Testing interval (TI), Mean time to repair (MTTR), and Common cause failure. Once the SIF performance is benchmarked, it is possible to identify optimal solutions that meet the process units operability, maintainability, and reliability requirements. Any personnel assigned responsibility for verifying the risk reduction should understand how installed equipment fails and the strategies used to address its failures. There are many books available on the subject of reliability engineering, so this technical report provi
