
Functional Safety and Gas Detection Systems



Safety Integrity Level SIL

ST-1220-200702 | RISK REDUCTION | SIL - SAFETY INTEGRITY LEVEL AND FUNCTIONAL SAFETY

Safety Instrumented Systems are used to reduce risk for the protection of people, plants, and the environment. Depending on the way a process is designed and on what kind of dangerous goods (especially gases and vapours) are involved, industrial plants might pose a high risk to persons, property, and environment. In order to reduce the risk arising from those plants it might be necessary to automatically activate safety measures to avoid dangerous events. Depending on the acceptable risk, the required reliability of protection systems can be ensured by employing the effective measures of

– failure avoidance,
– failure detection, and
– failure tolerance.

To what degree this is required depends on the actual risk, expressed as the so-called Safety Integrity Level. For gas detection systems, which have to activate safety-relevant countermeasures when pre-defined gas concentrations are reached, an important question comes up:

What is the probability of failing to perform the required countermeasure (the safety function) in case of a demand from the process (i.e. when pre-defined gas concentrations have been exceeded) if an undetectable dangerous failure has occurred?

So, during development and design of devices and subsystems of safety-relevant systems, the main target is to keep the probability of failure as low as possible (failure avoidance), or to detect failures by diagnostic functions (failure detection) and, in case of a detected failure, to force the safety system into a safe state (failure tolerance).

Risk analysis

Depending on the extent of the threat to persons, property and environment there are four different classes of risk.

Generally a risk is a combination of the consequence to be expected and the probability of occurrence of such an unwanted hazard. To classify the actual risk, structured methods are used, for example the risk graph. The risk graph is based on four different consequence categories, and the probability aspect is implemented by the criteria "frequency of exposure of persons" and "possibility of avoiding the hazardous event". Such a risk analysis can only be conducted by highly qualified persons who are familiar with the process-specific conditions. As a result, the risk analysis leads to the definition of the necessary risk-reducing measures, combined with the definition of the safety function and the required Safety Integrity Level.

Residual risk

If the functional safety is realized by an electrical, electronic or programmable electronic system (E/E/PES), the applicable standard IEC 61508 or EN 61508 requires evidence of the remaining residual risk by identifying the so-called dangerous probability of failure as a measure of the protection system's reliability. During the entire operational time no E/E/PES is absolutely free of failures: there might be systematic or accidental failures, and wear-out parts need to be considered.

However, consumable components are not subject to the SIL consideration; they have to be replaced in time, ensuring that failures caused by consumption do not occur.

Systematic failures are design or development failures which already exist at the time of delivery and which are reproducible (software failures, incorrect rating, or the operation of electronic components outside of their specification). By organizational measures and safety-orientated development procedures, systematic failures, especially software failures, can be minimized.

Accidental failures are inevitable characteristic properties of components. They do not exist at the time of delivery, but will occur at any time during operation. Accidental failures are specified by a so-called constant failure rate, which says that during equivalent time intervals always the same percentage of the still-working components will fail.

The manufacturer derives this failure rate by means of special stress tests with a large number of components and determines or forecasts the time at which 63 percent of the components have failed. This time is the so-called MTTF (mean time to failure), and its reciprocal value is the failure rate. The failure rate is a mere statistical value, which however enables engineers to calculate the probability that a failure will occur.

[Figure: Risk. A process is assumed to be safe if the actual risk is decreased below the level of the acceptable risk by means of risk-reducing measures. Always a residual risk remains. If risk reduction is performed by technical measures, the term in focus is "Functional Safety". Scale from danger to safety: risk without risk reduction, acceptable risk, residual risk.]

Probability of failure

And statistics predict even more: if for example 340 of 1000 equivalent devices have failed after 12 months in operation, then statistics predict a probability of failure of 34 percent for a single device over the same period.

The probability of failure continuously rises with operational time, and at the time of the MTTF for a considered device this probability is 63 percent. Needless to say, this can also be transferred to the safety function: considering a system which in case of danger needs to perform the safety function, the probability of not performing the safety function is zero at the time of the function test (time 0), and the device is absolutely reliable. But the probability of failure rises continuously, and so does the probability that the safety function will not be performed. However, after the safety function has been tested again, after reconditioning, and the test has proved successful, the probability of failure is zero once more. So one can reset the probability of failure at regular intervals, because at least at the time of a successful proof test of the safety function the system is 100 % reliable! (This assumes that the proof test reveals every dangerous failure; any dangerous failure the proof test cannot detect is not reset and keeps accumulating.)

The average value of the resulting zigzag curve can be expressed as a number: multiplying half the proof test interval T_P with the failure rate λ leads to the average Probability of Failure on Demand, or PFD:

PFD_avg = λ · T_P / 2

It is called "on demand" because although the safety system is continuously in operation, a demand to perform its safety function is seldom, say less than once a year. This kind of operation, called "low demand mode", is typical for safety systems in the process industry. If demands are expected more often, the plant design engineers should think about implementing further protection systems for risk reduction, or about making the process less dangerous by other measures.

[Figure: The probability of failure F(t) of one component or device with failure rate λ (share of devices having failed versus operational time t) rises continuously during operational time; at the time of the MTTF the probability of failure is 63 %. The probability that in case of a demand the safety function cannot be performed also rises. However, if the successful performance of the safety function is demonstrated by regular proof tests, then at the time of the test the probability that the system will perform correctly is 100 %, meaning that the probability of failure has been reset to zero with each successful proof test (blue zigzag curve over successive proof test intervals T_P, with its average PFD_avg).]

Risk graph according to IEC 61508 / EN 61508

Consequence (C)
– C1: minor injury or damage
– C2: serious permanent injury to one or more persons; death of one person; temporary serious damage
– C3: death of several people; serious or permanent environmental damage
– C4: very many people killed

Frequency of, and exposure time in, the hazardous zone (F)
– F1: rare to more often
– F2: frequent to permanent

Possibility of avoiding the hazardous event (P)
– P1: possible under certain conditions
– P2: almost impossible

Probability of the unwanted occurrence (W)
– W1: very slight
– W2: slight
– W3: relatively high

Resulting SIL per path (the cell layout of the graph was not preserved in extraction; values as read, for the W1/W2/W3 columns): a, SIL 1, a, SIL 1, SIL 1, SIL 1, SIL 1, SIL 2, SIL 1, SIL 2, SIL 3, SIL 2, SIL 3, SIL 3, SIL 3, SIL 3, SIL 4, SIL 3, SIL 4, b
– a: no special safety requirements
– b: a single safety system is not sufficient

Example: if in case of the unwanted event, because persons are frequently exposed to the hazardous area (F2), the consequence might be the death of one person (C2), avoidance of the hazardous event is only possible under certain conditions (P1), and the probability of the unwanted occurrence is relatively high (W3), then the protection system should be at least [SIL level not preserved in the extraction].

Safety function

The safety function or Safety Instrumented Function (SIF) of a gas detection system is to trigger a gas alarm if gas concentrations exceed the alarm thresholds.

If in case of a failure the system cannot trigger gas alarms, it must go into the safe state. The safe state of a gas detection system is defined as an action which is equivalent to a gas alarm: at least the same measures as for a gas alarm are activated, and additionally a fault signal is generated to ensure that maintenance and repair are performed promptly. But to achieve a safe state at all, failures need to be reliably detectable. This is why the failure analysis (Failure Modes, Effects and Diagnostic Analysis, FMEDA) differentiates, concerning the effects, between detectable and undetectable failures and between safe and dangerous failures.

Safety-related failures

Surely there is no problem with a failure of type SD (safe, detected), which signals itself and moreover is not dangerous at all, because the safety function can be performed even if this kind of failure occurs.
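The failure-rate, MTTF and PFD arithmetic from the probability-of-failure paragraphs above, together with the safe/dangerous and detected/undetected classification of the FMEDA passage, carried through in working code. This is an added editor's example, not Dräger's code or any part of the original document. It writes the failure rate as λ (lam), reproduces the 340-of-1000-after-12-months example, computes PFD_avg both with the page's linear approximation and with the exact time average of the zigzag curve, and then feeds only the dangerous undetected (DU) rate of a constructed, entirely hypothetical FMEDA table into the PFD. The safe failure fraction (SFF) and the low demand PFD_avg bands used to map a PFD to a SIL come from IEC 61508, not from this page, and are the only criterion applied here (the standard also imposes architectural constraints that this example ignores).

```python
"""Added worked example (editor's code, not from the Dräger document):
failure rate, MTTF, PFDavg and FMEDA classes for a low demand safety function."""
import math

HOURS_PER_YEAR = 8760.0


def failure_probability(lam, t):
    """F(t) = 1 - exp(-lam * t): probability that a component with constant
    failure rate lam (per hour) has failed by time t (hours).
    At t = MTTF = 1/lam this is 1 - 1/e, the 63 % quoted in the text."""
    return 1.0 - math.exp(-lam * t)


def mttf(lam):
    """Mean time to failure for a constant failure rate: the time at which
    63 % of a large population of equivalent devices has failed."""
    return 1.0 / lam


def failure_rate_from_observation(failed, total, t):
    """Invert F(t) for an observed share: the page's example of 340 out of
    1000 devices failed after 12 months gives lam = -ln(1 - 0.34) / t."""
    return -math.log(1.0 - failed / total) / t


def pfd_avg_linear(lam_du, t_proof):
    """The approximation in the text: half the proof test interval T_P times
    the dangerous undetected failure rate, PFDavg = lam_DU * T_P / 2."""
    return lam_du * t_proof / 2.0


def pfd_avg_exact(lam_du, t_proof):
    """Time average of 1 - exp(-lam_DU * t) over one proof test interval, i.e.
    the mean height of the zigzag curve, assuming every proof test finds and
    repairs all dangerous failures: 1 - (1 - exp(-lam_DU*T_P)) / (lam_DU*T_P)."""
    x = lam_du * t_proof
    return 1.0 - (1.0 - math.exp(-x)) / x


def fmeda_summary(modes):
    """Sort FMEDA rows into the four classes the text names (safe/dangerous x
    detected/undetected) and sum the rates per class.
    modes: iterable of (description, rate_per_hour, is_safe, is_detected).
    Also returns the safe failure fraction SFF = 1 - lam_DU / lam_total
    (IEC 61508 definition; assumption, not stated on the page)."""
    rates = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    for _desc, rate, is_safe, is_detected in modes:
        cls = ("S" if is_safe else "D") + ("D" if is_detected else "U")
        rates[cls] += rate
    total = sum(rates.values())
    return rates, 1.0 - rates["DU"] / total


def sil_from_pfd_avg(pfd):
    """Low demand mode PFDavg bands of IEC 61508-1 (assumption: PFD is the only
    criterion considered here). Returns 0 when PFDavg is above the SIL 1 band."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


# Constructed FMEDA rows for a hypothetical gas detection channel. The failure
# modes and rates are invented for illustration, not taken from any product.
CONSTRUCTED_FMEDA = [
    # (failure mode,                                rate [1/h], safe?, detected?)
    ("supply monitor trips and raises fault output", 1.5e-7, True,  True),   # SD
    ("sensor signal drifts high, alarm raised",      2.0e-7, True,  False),  # SU
    ("ADC stuck, caught by reference measurement",   3.0e-7, False, True),   # DD
    ("sensor element poisoned, reads low",           1.2e-7, False, False),  # DU
    ("alarm relay contact fails open",               0.8e-7, False, False),  # DU
]


def worked_example(t_proof=HOURS_PER_YEAR):
    """Run the page's numbers and the constructed FMEDA end to end."""
    # failure rate and MTTF from the 340-of-1000-after-12-months example
    lam = failure_rate_from_observation(340, 1000, HOURS_PER_YEAR)
    # only dangerous undetected failures count towards PFD: a detected failure
    # forces the safe state, a safe failure does not impair the safety function
    rates, sff = fmeda_summary(CONSTRUCTED_FMEDA)
    pfd = pfd_avg_exact(rates["DU"], t_proof)
    return {
        "lambda_per_hour": lam,
        "mttf_years": mttf(lam) / HOURS_PER_YEAR,
        "f_at_mttf": failure_probability(lam, mttf(lam)),
        "rates": rates,
        "sff": sff,
        "pfd_avg_linear": pfd_avg_linear(rates["DU"], t_proof),
        "pfd_avg_exact": pfd,
        "sil_band": sil_from_pfd_avg(pfd),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Two things the numbers make visible that the prose only states: the linear formula slightly overestimates the exact average (it is the first term of the series expansion, which is why it is a safe simplification for small λ·T_P), and doubling the proof test interval doubles PFD_avg, so the test schedule is as much a part of the SIL claim as the hardware.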

