Documente Academic
Documente Profesional
Documente Cultură
Guideline
Demonstrating prior use of elements of a
safety instrumented function in support of BS
EN 61511
Page 1 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
Foreword
In promoting and leading on key sector process safety initiatives, CDOIF has developed through its
members a guideline on demonstrating prior use for elements of a safety instrumented function.
It is not the intention of this document to replace any existing corporate policies or processes. The
intent is to determine the process by which a user can review equipment to support a claim of prior
use.
There are no limitations on further distribution of this guideline to other organisations outside of
CDOIF membership, provided that:
1. It is understood that this report represents CDOIFs view of how to demonstrate a prior use
claim for sensors and final elements and non-PE logic solvers of a safety instrumented
function.
2. CDOIF accepts no responsibility in terms of the use or misuse of this document.
3. The report is distributed in a read only format, such that the name and content is not
changed and that it is consistently referred to as "CDOIF Guideline - Demonstrating prior
use of elements of a safety instrumented function in support of BS EN 61511".
4. It is understood that no warranty is given in relation to the accuracy or completeness of
information contained in the report except that it is believed to be substantially correct at the
time of publication.
Reference should be made to BS EN 61511, Functional safety - Safety instrumented systems for
the process industry sector, which provides detailed information relating to the demonstration of
Prior Use.
This guidance is not intended to be an authoritative interpretation of the law; however Competent
Authority (CA) inspectors may refer to it in making judgements about a duty holders compliance
with the law. This will be done in accordance with the CAs published enforcement policies (refer to
www.hse.gov.uk/pubns/hse41.pdf) and it is anticipated that this document will facilitate a consistent
national approach.
It should be understood however that this document does not explore all possible options for
demonstrating prior use, nor does it consider individual site requirements Following the guidance
is not compulsory and duty holders are free to take other action.
Page 2 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
Contents
1.
EXECUTIVE SUMMARY........................................................................................................ 4
2.
2.2
3.
4.
4.2
4.3
4.4
Appendix A
A.1
A.2
A.4
A.5
A.6
Appendix B
Worked example....................................................................................................... 23
Appendix C
Abbreviations............................................................................................................ 27
Appendix D
Page 3 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
1.
EXECUTIVE SUMMARY
The final report of the Process Safety Leadership Groups (PSLG) safety and
environmental standards for fuel storage sites was published in December 2009.
Appendix 4 of that report provides guidance on the architecture and design of automatic
overfill protection systems for bulk gasoline storage tanks, one of the systems (or layers
of protection) necessary to achieve the target Safety Integrity Level (SIL) level identified
through the risk assessment.
The PSLG report provides supplementary guidance to the British Standard on the
design, operation and maintenance of safety instrumented systems (for example an
automatic overfill protection system) BS EN 61511, Functional safety Safety
instrumented systems for the process industry sector.
For a safety instrumented function designed to achieve a specific safety integrity level,
BS EN 61511 has architectural requirements for the subsystems that comprise that
safety instrumented function (sensors, logic solver and final elements). These
architectural requirements are in addition to the failure measure requirements for the
intended safety integrity level - BS EN 61511 Clause 11.4. The architectural
requirements are expressed in terms of hardware fault tolerance (the number of
dangerous failures that a subsystem can tolerate and still perform its function as
intended).
If the end user wishes to reduce the hardware fault tolerance requirements for a specific
safety instrumented function, the end user can gather evidence to meet the "Prior Use"
requirements described in BS EN 61511 Clause 11.5.3. This allows the end user to
reduce the hardware fault tolerance requirements by 1 - see BS EN 61511 Clause
11.4.4. The demonstration of "Prior Use" in BS EN 61511 is solely related to allowing a
modification of the hardware fault tolerance needed for a specific safety integrity level.
A working group was commissioned under CDOIF to develop this guideline to assist
users in preparing a case for demonstration of prior use. This is not intended to be
prescriptive in defining the mechanism by which prior use should be demonstrated, but
aims to highlight key factors that should be considered.
Page 4 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
2.
Figure 1
Sensor: The components of the sensor element of the SIF that are used to detect an
event. A component may be, for example, a level/pressure/temperature instrument or a
barrier providing isolation.
Logic Solver: The components of the logic solver element of the SIF that are used to
determine if an event has occurred. A component may be, for example, a simple
relay/logic circuit, or complex safety controller
Final element: The components of the final element of the SIF that are used to maintain
the process in a controlled state should an event occur. A component may be, for
example, an isolation barrier, solenoid, valve, or pump.
When considering whether a component may be a suitable candidate for a
demonstration of prior use, reference can be made to ISA-TR84.00.04 Guidelines for the
Implementation of IEC61511, Annex L1, which provides a work process for the selection
of devices.
2.1
Page 5 of 30
CDOIF
tolerance requirements for SIL 4 are beyond the scope of BS EN 61511 and the reader
of BS EN 61511 is referred to BS EN 61508. This guidance document on prior use will
likewise focus only on SIL 1, SIL 2 and SIL 3.
2.2
Table 1
SIL
The values in Table 1 apply provided that the dominant failure mode is to the safe state
or dangerous failures are detected, otherwise the fault tolerance shall be increased by
one. However, the standard also indicates that the values in Table 1 may be reduced by
one if the devices used comply with all of the following:
Page 6 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
The decision process for the hardware fault tolerance requirements for sensors, nonprogrammable logic solvers and final elements is illustrated in Figure 2. However, we
are still faced with the question, what is meant by Prior use?
Page 7 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
Figure 2 Hardware Fault Tolerance Flowchart to BS EN 61511 (For Sensors, Final Elements and Non-Programmable Logic Solvers)
Page 8 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
3.
Page 9 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
4.
The component has been used before in an equivalent (or near equivalent)
process operation (which may be either safety or non-safety related) (Refer to
section 4.3)
The component has been used in sufficient volume to gain realistic and reliable
operating experience (Refer to section 4.4)
This demonstration of Prior Use suitability is an End User activity with respect to a
specific Safety Instrumented Function application.
4.1
Page 10 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
Page 11 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
4.2
Temperature
Pressure
Viscosity
Chemical Properties
Response time
Any assessment between the functionality required and the component capabilities
should be made in the context of the requirements of the SIF defined in the Safety
Requirement Specification (SRS).
4.3
Page 12 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
4.4
The end-user needs to confirm that the component is on their list of approved
equipment1
Component reliability records (refer to the guidance provided in EEMUA 222 and
HSE SPC 48 for further information relating to component reliability records)
The number of years that the component has been used in equivalent (or near
equivalent) applications at a facility
The process and environmental conditions that the component has been used at
a facility
The different applications that the component has been used at a facility, where
this is relevant to the prior use assessment
Whether the component has been used at other of the users facilities
In order to control which components are used in safety applications, the end user
should create an approved or recommended vendor document from which to select
components. This document should detail all the different types of components along
with the manufacturers and vendors from whom those products may be sourced. If
there are any restrictions in terms of operating location or service, then this should
also be identified within the document. This document should be updated frequently
based upon the successful operating experience of components. Components that
have had a history of poor reliability should be removed from the list in preference for
more reliable devices
There should be a reliable system in place to detect and record failures to ensure
confidence in the failure records. Failures should be readily categorised in terms of
safe/dangerous, revealed/unrevealed, the failure type and cause. All failures should
be recorded consistently (refer also to Appendix A).
Sensors, valves and other devices that are located on the process.
Page 13 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
field devices are only added when sufficient operating experience has been
obtained;
field devices are removed when they show a history of not performing in a
satisfactory manner;
For field devices, failure rate information provided by the Manufacturer should not be
included as this does not demonstrate qualitative suitability under the users operating
conditions nor does it support a failure rate that relates to the users operating conditions.
Page 14 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
Appendix A
A.1
Failure rate
For the calculation of PFDavg the best and most appropriate failure rate information
comes from the operational experience of the end user (refer to section 4.4).
Where an end user has no operational experience of a new item of equipment, there are
other sources of failure data that might be considered. These may include:
Generic failure rate data, from sources such as EEMUA, FARADIP, OREDA etc.
However, great care should be taken when using either of these alternative sources.
Firstly, manufacturers will almost certainly have no direct experience of the use of the
items under conditions similar to those of the end user. Furthermore, the data provided
by manufacturers is often simply a synthesised prediction of performance that they are
hoping for from the product.
Secondly, with the generic failure rates to be found databases there is no guarantee that
the component that the end user is considering will be similar in performance to the
database figure. Any use of generic data should have appropriate justification for its
appropriateness and should be regarded as a provisional figure until real experience is
available to support or reject the figure.
Preferentially end users own failure data should be used to calculate failure rates. This
represents the actual reliability of a given component in a given service and operating
environment. One mechanism to gather failure rate data for a component is through
analysis of records held within a maintenance management system (or equivalent),
which should indicate the number of components in use, the period of time the
component has been in use for, and record any failures and failure modes during that
time. The end user should have confidence in their maintenance management system to
ensure that records are kept correctly, and are up to date. As discussed in Section 4.4,
the system should sufficiently reliable to be able to accurately detect and record failures
Page 15 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
A.2
HSE SPC 48, Annex A and B Proof Testing of Safety Instrumented Systems in
the Onshore Chemical/Specialist Industry
The methodology adopted to calculate failure rates should be based on the rigour
required, and the data available to perform the calculation. Reference should be made
to BS EN 61508 part 6 for a full definition of the calculation methodologies available.
Page 16 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
A.2.1
A.2.2
Safe Failure a failure that when it occurs causes the system to perform the
function which puts the system into the safe state, this is performed without a
demand from the process and is often referred to a nuisance or spurious trip.
Safe failures can further be categorised as either:
When using maintenance records for prior use evidence, the end user should be able to demonstrate that
the records are sufficiently robust and statistically significant
Page 17 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
Dangerous Failure - a failure that when it occurs does not cause the system to
perform the function which puts the system into the safe state, a failure that
occurs when the system fails to operate when the process puts a demand onto it.
Dangerous failures can further be categorised as either:
o
Dangerous undetected (DU) failures can only be identified on an actual process demand
or by proof testing (providing the proof test is designed to detect the failure).
The four different failure modes are described in reliability modelling as follows:
SU, Safe undetected failure
SD, Safe detected failure
DU, Dangerous undetected failure
DD, Dangerous detected failure
Using the failure mode data as defined above allows calculation of the PFD and SFF.
For a 1oo1 component, the average failure of probability on demand (PFD) can be
calculated as follows:
Where tce is the channel equivalent mean down time in hours (this is the combined down
time for all of the components in the channel of the sub-system), and can be calculated
as follows:
Page 18 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
A.3
Page 19 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
ID
Component
Description
Function
Failure Mode
Sub-system Effects
Detection Method
Detected
Failure
Rate
FTD/FTS
Mitigation
Interface relay
Provides shutdown
function to MCC
Fail to respond
(Coil open
Circuit)
Immediate
0.0002
FTS
Interface relay
Provides shutdown
function to MCC
Fail to respond
(Coil Short
Circuit)
Immediate
0.0002
FTS
Interface relay
Provides shutdown
function to MCC
Contacts failed
open circuit
Immediate
0.00003
FTS
Interface relay
Provides shutdown
function to MCC
Contacts failed
short circuit
None
Latent
0.00001
FTD
None
Page 20 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
A.4
A.5
Systematic capability
Systematic capability is mentioned in BS EN 61511, but is discussed in detail in BS EN
615085. It is particularly relevant in relation to items of equipment containing software.
The techniques and measures that have been employed during the development of the
software limit the safety integrity level that can be claimed for a safety instrumented
function that uses an equipment item containing software. BS EN 61508-2 relating to
hardware and BS EN 61508-3 relating to software contain tables of techniques and
measures and the safety integrity levels to which they apply.
It should be noted that this topic is not related to Prior Use demonstration.
A.6
Safety manuals
The Safety Manual is mentioned in BS EN 61511, and Part 1 defines Safety Manual as
safety manual: manual which defines how the device, subsystem or system can be
safely applied.
Note: This could be a stand-alone document, an instructional manual, a programming
manual, a standard document, or included in the user document(s) defining application
limitations.
However, it is a new significantly more prominent requirement in BS EN 61508 Edition 2.
BS EN 61508 Edition 2 introduces a new normative requirement in Part 2, Annex D
Safety Manual for Compliant Items. It defines the purpose of the Safety Manual as,
The purpose of the safety manual for compliant items is to document all the information,
relating to a compliant item, which is required to enable the integration of the compliant
item into a safety-related system, or a subsystem or element, in compliance with the
requirements of this standard.
In BS EN 61508-3 Edition 2, Annex D, there are further normative requirements for the
safety manual with respect to software, Safety manual for compliant items additional
requirements for software elements. This annex makes it clear that the safety manual
may comprise solely the manufacturers documentation, if that is sufficient to meet the
new normative BS EN 61508 Edition 2 requirements, or it should be created as part of
the design of the safety related system.
Thus, the safety manual is documentation that is produced by the supplier or the system
integrator.
Page 21 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
However, it should be noted that the safety manual does not relate to Prior Use and BS
EN 61508 Edition 2 does not even discuss the term Prior Use.
Page 22 of 30
CDOIF
Worked example
Please note this example is fictitious and the data used is to illustrate a methodology for compiling and
analysing field reliability data. There are alternate methods that can be employed and this paper in no way
implies this is the best or only technique.
Page 23 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
Calculations
There are many sources and techniques for performing reliability calculations. Various formulae
and techniques can be found in BS EN 61508 and BS EN ISO 14224, to name just two. There are
also many technical publications on Reliability Assessments which provide further calculations.
For the purpose of this example, two techniques have been demonstrated, the first example
utilising a Mean Time between Failure calculation and the second utilising formulae within BS EN
61508 for a 1oo1 system.
Calculation Method 1 - Failure Data MTBF Calculation for 1oo1
Total number of dangerous failures = 1 See Footnote 7
Thus the MTBF is
per
Note Calculation will not work if there are no dangerous failures recorded and is only valid when repair
rate is much greater than failure rate.
8
The theory behind the formula is developed in Reliability, Maintainability and risk by David J Smith and
based upon algebraic simplifications of Markov models.
Page 24 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
960
960
960
1.04 x103
8760
3.10 x103
8760
2.08 x103
8760
Safe Undetected = SU = 0
D
237 + 0 + 356
237 + 0 + 356 + 118
593
711
.? @ .? @ @ A @ A @
= 7 hours
-9
Failures In Time (FIT) is the number of failures that can be expected in 1x10 (E-09) failures per hour.
Page 25 of 30
CDOIF
124
K
I J ML
12
. -( =
124
K
I J L
12
M
+ NKKOP + J
A[ XYZW\
122
I NKKOP
12
^. S TU VRW XYZW
As with the result of any calculation, a sanity and sensitivity check should be conducted to ensure
that the results are realistic. It is often a practise to provide a statistical analysis of uncertainties.
Page 26 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
Appendix C
Abbreviations
Abbreviation
Description
BVAA
CA
Competent Authority
CDOIF
EEMUA
EMC
Electromagnetic Capability
FARADIP
FMEDA
FTS
Fail To Safe
HFT
HSE
MCC
MTBF
MTTR
PFD
PSLG
SFF
SIF
SIL
SIS
SRS
UKPIA
Page 27 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
Appendix D
Further information relating to prior use can be found in the following publications
1) BS EN 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safetyrelated Systems
2) BS EN 61511, Functional safety - Safety instrumented systems for the process industry
sector
3) Safety and Environmental Standards for Fuel Storage Sites, Process Safety Leadership
Group Final Report
4) ISA-TR84.00.04, Guidelines for the Implementation of IEC61511
Page 28 of 30
CDOIF
This document was created as part of the Chemical and Downstream Oil Industry Forum Process
Safety work stream.
CDOIF wish to record their appreciation to the working group members who were responsible for
creating this guideline:
Name
Organisation
UKPIA
Dave Ransome
Alan G King
ABB
Ian Neve
Total
Stuart Williamson
Petroplus
Keith Willett
Petroplus
Mike Cook
Simon Storage
Neil Waller
INEOS
Ed Fergus
Peter Hirst
Rotork
Peter Churm
Page 29 of 30
CDOIF
Chemical and Downstream Oil
Industries Forum
Revision History
Rev. Section
Description
Date
Changed By
All
First Issue
30-June-2011
Peter Davidson
All
08-July-2011
Peter Davidson
All
15-Nov-2011
Peter Davidson
All
All
20-April-2012
13-July-2012
Alan G King,
Dave Ransome,
Peter Davidson
Peter Davidson
Page 30 of 30