Reliability of Safety-Critical Systems Chapter 2. Concepts and requirements

Transcription

1 Reliability of Safety-Critical Systems Chapter 2. Concepts and requirements Mary Ann Lundteigen and Marvin Rausand & RAMS Group Department of Production and Quality Engineering NTNU (Version 1.4 per August 2016) Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 1 / 34

2 Reliability of Safety-Critical Systems Slides related to the book Reliability of Safety-Critical Systems Theory and Applications Wiley, 2014 Theory and Applications Marvin Rausand Homepage of the book: books/sis Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 2 / 34

3 Learning objectives Key learning objectives from this chapter are to become familar with: SIS/SIF design issues, such as Redundancy and voting Hardware fault tolerance Mode of operation SIFs role in risk control: Effects on hazardous events Hazardous event frequency (HEF) Key performance measures of SIFs: Safety integrity level (SIL) PFD and PFH Safety lifecycle as a structured approach to design and operation The main content of these slides builds on Chapter 2 in the textbook. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 3 / 34

4 Subsystems, Groups, Channels, and Elements IEC distinguishes between subsystem, groups, channel, and elements. These terms are not used consistently in the IEC standards. In this chapter, the terms are defined as follows: Pressure transmitter Channel Voted group Pressure transmitter Pressure transmitter Logic Solver Solenoid valve & pilot valve Solenoid valve & pilot valve Shutdown valve Shutdown valve Group Voted group Temperature switch Temperature switch Channel (and element) Circuit breaker Element Sensor subsystem Logic solver subsystem Final element subsystem Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 4 / 34

5 Redundancy Redundancy: The presence of more than one element to carry out the same function. Redundancy......provides fault tolerance... increases the reliability...adds some complexity (which must be weighted against the positive effect on reliability) Redundancy may be classified as follows: Active redundancy Standby redundancy Hardware redundancy Software redundancy Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 5 / 34

6 Voting koon voted structure: A structure of elements that is functioning when k-out-of-n channels are functioning, and which fails when (n-k+1) or more of its elements fail. 1 A 2oo3 structure of sensors: A 1oo3 structure of valves: Pressure transmitter Shutdown valve 1 Shutdown valve 2 Shutdown valve 3 Pressure transmitter V Pipeline Pressure transmitter 2oo3 voting 1 This implies that give the voting with respect to success ( Good (G) ), which formally should have been defined as koon:g. An alternative would be to denote this same function as (n k + 1)oon:F, where F stands for failure. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 6 / 34

7 Hardware fault tolerance Hardware fault tolerance is an in-built design property, achieved by the use of redundancy. Hardware fault tolerance (HFT): The ability of a hardware subsystem to continue to perform a required function in the presence of faults or errors. HFT is given as digit numbers, as 1, 2, etc. Voting HFT Voting HFT 1oo1 0 1oon n-1 1oo2 1 koon n-k 1oo3 2 2oo2 0 2oo3 1 Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 7 / 34

8 Interaction with the equipment under control (EUC) The reliability of a SIS (or SIF) cannot be defined or evaluated unless we have determined: Demands Mode of operation Hazardous event Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 8 / 34

9 Demands and demand rate Demand: An event or a condition where a response of a SIF is required. Demands are often regarded as random events with no duration ( shock events ), and can be modeled accordingly: Typical model: homogeneous Poisson process (HPP) with rate λ de. The demand rate may then be estimated by counting up the number of demands over a time period: λ de = N de(t) t (May need to consider several plants to be able to collect sufficient evidence) Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 9 / 34

10 Demand duration In some cases, it may not be realistic to assume zero/no duration of the demand. demand duration. Some examples: Fire extinguishing system: Start of fire extinguishing system is in itself not enough to stop fire. It is also important that fire water is provided over some time. Railway signaling system: Rail tracks are split into section, where each section must be locked from other trains to enter if a train is already present. The locking of the rail section must be maintained until the train leaves the section. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 10 / 34

11 Modes of operation It is common to distinguish between: Low-demand mode: Demands occur less frequent than once per year. High-demand mode/ continuous demand mode: Demands occur more frequent than once per year. Characteristics of a SIF that operates in: Low-demand mode: Rare activations. A non-safety related control system handles normal operation. High-demand/continuous demand mode: More frequent activations. A non-safety related control system may handle normal operation, or control and safety are merged into one safety-critical system. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 11 / 34

12 Hazardous events General definition of hazardous : Hazardous event: The first event in a sequence that, if not controlled, will lead to an undesired consequences to some assets. In relation to SIFs: Hazardous event: The event where the SIF fails to perform in response to the demand. This situation may occur if: That the SIF is unable to start responding to the demand, or That the SIF fails while responding to the demand Example: Fire pumps fail to start upon detected fire, or fails after they have started to distribute water. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 12 / 34

13 Hazardous events Illustration of hazardous events: Demands Demands Barrier 1 Hazardous event 1 Barrier 2 Hazardous event 2 Accident λ de,1 λ de,2 Intermediate barriers Ultimate barrier Note that a demand can be the hazardous event generated upon failure of an earlier (in sequence) barrier. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 13 / 34

14 Hazardous event frequency (HEF) Hazardous event frequency (HEF) is influenced by two factors: (i) how often a barrier is demanded and (ii) how likely it is that the barrier fails to respond to the demand. This means that: HEF = PFD avg λ de where λ de is the demand rate, and PFD avg is the average probability that the SIF is unavailable at the time when demanded. The barrier may of course also fail while responding to the demand (fire pump fails after having started to pump fire water). We may extend the formula with this situation: HEF ( PFD avg + λ SF MDD ) λ de where λ SF is the average dangerous failure rate of the SIF (barrier) and MDD is the mean duration of demand. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 14 / 34

15 Safety integrity level (SIL) Safety integrity level (SIL) is a VERY important concept in relation to SIS. We will highlight: What we mean by safety integrity That safety integrity is split into four levels - safety integrity levels (SIL) That a SIL requirement is assigned to a SIF, and that the SIL requirement influences/restricts how the SIF can be designed. That it is necessary to demonstrate (by analyses, testing, and quality assurance) that the SIL requirement is met. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 15 / 34

16 Definition of safety integrity Safety integrity is a reliability measure used for a safety-critical function (SIF): Safety integrity: Probability of a SIS satisfactorily performing the specified SIF under all the stated conditions within a stated period of time. [Adopted from IEC 61508] What does this mean? Looks very much like the definition of reliability Applies to a SIF (function), and not to the SIS as such Focus on what is required to achieve safety Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 16 / 34

17 Safety integrity levels (SIL) Safety integrity is divided into four discrete safety integrity levels og SIL: SIL SIL 1 SIL 2 SIL 3 SIL 4 Description The lowest level that is allowed while being defined as a safety-critical system. A common requirement for low-demand systems where multiple layers of protection is adopted. A level representing a rather high reliability for low-demand systems, in particular if multiple layers of protection is adopted A more rare SIL requirement for low-demand systems. Applies to very critical functions, such as e.g. isolation of oil wells. This is the highest level recommended in process industry sector and for machinery The most strict requirement. Not normally used with low-demand systems. Used for very critical functions opering in the high/continuous demand mode, for example for control of light signals for railway signaling Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 17 / 34

18 SIL and tables for failure measures SIL is linked to two reliability measures that are tailor-made to safety: SIL PFD avg PFH (per hour) SIL to to 10 8 SIL to to 10 7 SIL to to 10 6 SIL to to 10 5 PFD avg : Average probability of failure on demand (due to dangerous failures) PFH: Average probability of having a dangerous failure per hour (or more precisely, failure frequency of dangerous failures) Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 18 / 34

19 What does a SIL 2 requirement imply? SIL PFD avg PFH (per hour) SIL to to 10 8 SIL to to 10 7 SIL to to 10 6 SIL to to 10 5 Examples A SIL 2 function operating in the low-demand should fail less often than once every 100 trials (demands or tests) A SIL 2 function operating in the high-demand should fail less often than once per 100 years a a 1 year hours Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 19 / 34

20 SIL requirement vs achieved SIL performance It is important to note that SIL means different things depending on the context: Required SIL ( SIL requirement ): The SIL that must be specified for a SIF in order to meet risk acceptance criteria. Achieved SIL performance: The SIL that can be claimed for a SIF in light of the results of the analyses, checks, and tests. Predicted SIL performance: The SIL that is claimed based on analyses, checks, and tests made prior to the SIF being put into operation. Experienced SIL performance: The SIL that is claimed based on operational experience and failure reporting. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 20 / 34

21 How to design according to SIL requirement A SIL requirement is broken down into three main sub-categories of requirements: Hardware safety integrity ( HSIL ) Software safety integrity ( SoftSIL ) Systematic safety integrity ( SystSIL ) Requirements from all three categories must be fulfilled (at the level assigned by SIL) in order to claim a SIL level ( No chain is stronger than the weakest link ). Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 21 / 34

22 SIL performance vs required SIL Risk analysis Assumes that risk analysis specifies a PFDavg for a SIF 2.4E-4 SIL requirement: SIL 3 Hardware safety integrity for SIL 3 Systematic Safety Integrity for SIL 3 Software Safety Integrity for SIL 3 Met? Yes Met? & Yes Yes Met? Achieved SIL performance is SIL 3 Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 22 / 34

23 What impacts SIL performance? SIL requirement Hardware safety integrity Systematic Safety Integrity Software Safety Integrity Architectural constraints Probabilistic analysis of failure measure Techniques and measures implemented to control failures in operation Use of proven in use devices Techniques and measures to avoid systematic failures in life cycle Techniques and measures for software design and implementati on Generic data Operational data Measures implemented in design phase Measures implemented in design as well as in operation Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 23 / 34

24 Hardware safety integrity Hardware safety integrity: Part of the safety integrity of a safety-related system relating to random hardware failures in a dangerous mode of failure [IEC 61508] Hardware safety integrity requirements are split into two parts: Demonstrating by probabilistic calculations that the failure measure (PFD or PFH) is within the specified SIL range Demonstrating that the design has been selected according to the requirements for architectural constraints Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 24 / 34

25 Safety life cycle The safety life cycle outlines a sequential pathway from initiation of a new system till it is installed and eventually removed. Safety life cycle. An engineering process designed to manage the design and operation of safety-critical systems, in light of requirements in standards like IEC [Slightly modified version of definition from the textbook]. The safety life cycle may be separate or embedded into a company s project, product or operation and maintenance process. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 25 / 34

26 Safety life cycle phases IEC suggests the following life cycle phases to achieve the desired level of functional safety: Preparation EUC familiarization Concept and scope: definition and delimitation Preparation (familiarization) Analysis (risk assessment and overall design specification) Implementation (realization of SIS, based on design specification) Operation (follow-up of SIS, including maintenance, modifications and eventually decommissioning) Parallel phases: Management of functional safety and functional safety assessment and auditing Analysis Identification of hazards and risk assessment Safety requirements Allocation of safety funcspecification for the SIS tions to protection layers Planning and development Design and development Planning of of other means of operation and maintenance risk reduction Design and engineering Manufacturing and of the SIS testing of SIS Installation Safety Installation and validation commissioning Operation and maintenance Operation and Modification maintenance Verification Planning, auditing, verification, and validation,++ Decommissioning Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 26 / 34

27 Analysis phases The purpose of the analysis phase is to identify the needs for safety instrumented functions (SIFs), and how reliable they must be in order meet the given risk acceptance criteria. Typical analyses and activities: Hazards and risk analyses: Needs for SIFs may be extracted SIL allocation: Extended analyses to allocate reliability targets (e.g., PFDavg) to each SIF: Layers of protection analysis (LOPA), mainly used in process industry Risk graph (used many sectors) Risk table (used in many sectors) Minimum SIL requirements (Norwegian petroleum industry) Derivation of first version of safety requirement specification (SRS) Carry out functional safety assessment (FSA) Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 27 / 34

28 Analysis phases Results of this phase are: SIL allocation (or SIL targeting) report SRS report To facilitate and develop these analyses and reports are typical consultancy services. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 28 / 34

29 Example: Consultancy services Source: Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 29 / 34

30 Implementation phase Implementation phase includes: Detailed design and construction of SIFs in accorance to SRS. From the system integrators perspective, this may include: Placing purchase orders and requesting compliance documentation such as SIlL certifications, safety analysis report (SAR) or safety manual from manufacturers) Application (software) program development Development of compliance reports Construction and commissioning as preparation for loop checks and factory acceptance tests Factory acceptance tests, reporting and follow-up Installation, commissioning, and site acceptance testing at final location Preparation of all documentation and procedures for use in operation, maintenance, and management of modifications. Carry out audits, such as functional safety assessment (FSA) Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 30 / 34

31 Operation phase Focus is to maintain the required performance, inlcuding SIL, over a long time period, typically years. Typical activities in the operational phase are: Testing, and reporting and correction of failures Replacements of equipment as needed Management of bypasses/inhibits Analysis and verification of any modifications initiated due to (i) lack of adequate performance (SIL or otherwise), (ii) changes in operational or environmental conditions, (iii) new tie-ins/expansions of existing systems, including SIS. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 31 / 34

32 Management of functional safety Management of functional safety is a term used to cover everything you need to do according to the functional safety standards. Typical management activities cover: Setting up plans, with all tasks as mandated by e.g. IEC Plans may be prepared to design phase, for installation phase, for operation phase etc. Keeping track of competence requirements and training needs of personnel Keeping procedures updated Carrying out audits and other assessments at regular intervals to verify compliance to regulatory and key standard requirements Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 32 / 34

33 Meaning of SIL in safety life cycle Recall that SIL is used in three different contexts: Required SIL (SIL requirement) Predicted SIL (performance) Experienced SIL (performance) At what point the different SILs are defined or demonstrated are indicated to the right. Predicted SIL (SIL achieved by analysis of design) EUC familiarization Analysis Identification of hazards 1 and risk assessment Allocation of safety func- 2 SIL requirements tions to protection layers Safety requirements 3 specification for the SIS Implementation Design and engineering Design and development 4 of the SIS of other means of risk reduction 5 Installation, commissioning, and validation Operation Experienced SIL (SIL achieved by analysis using operating experience) 6 7 Operation and maintenance Modification 8 Decommissioning Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 33 / 34

34 Revisiting learning objectives Key learning objectives from this chapter were to become familar with: SIS/SIF design issues, such as Redundancy and voting Hardware fault tolerance Mode of operation SIFs role in risk control: Mode of operation and demand rates Effects on hazardous events Key performance measures of SIFs: Safety integrity level (SIL) PFD and PFH Safety lifecycle as a structured approach to design and operation The main content of these slides builds on Chapter 2 in the textbook. Mary Ann Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.4) 34 / 34