Determination of PFDavg (SIL) of a Safety Instrumented System


Academic year: 2021

Determination of PFDavg (SIL) of a Safety Instrumented System (SIS)

Prepared for: Course on Risk Analysis and Functional Safety. Prepared by: Victor Machiavelo Salinas

Risk Software SA de CV www.risksoftware.com.mx

1. Introduction

The PFDavg value (average Probability of Failure on Demand) is used in functional safety to determine the Safety Integrity Level (SIL; NIL in Spanish) that a Safety Instrumented System (SIS) achieves for a given Safety Instrumented Function (SIF).

Figure 1 shows the relationship, for a Safety Instrumented System, between the demand rate (events/year) at which the process calls on the SIS because of an unsafe condition and the rate of final undesired events (events/year) that occur because the SIS is inefficient, has failed or is unable to respond.

The SIL level is a function of the numerical PFDavg value calculated for the SIS, which includes the sensors (pressure, temperature, flow, etc.), the programmable logic controller and the final control elements (valves, motors, actuators, etc.).

The total PFDavg of a SIS is the algebraic sum of the average probability of failure on demand of the sensor, plus that of the logic solver, plus that of the final control element, as shown in Figure 2.

To calculate the PFDavg of a SIS, the ANSI/ISA 84.01-2004 standard recommends three methods:

1. Simplified equations (reliability block diagrams)
2. Fault tree analysis (FTA)
3. Markov models

This technical report focuses on calculating PFDavg with the first two methods, which are the most widely used in functional safety, noting that Markov models are more precise and can model time-dependent, sequential and repairable systems.

Determination of PFDavg 1

[Figure #1: demand rate (D) entering the SIS and event rate (H) leaving it]

PFDavg = H/D = 1/(Risk Reduction Factor)

[Figure #2: SIS block diagram with Sensor, Logic Solver and Final Elements in series]

$$PFD_{avg,\,Total} = PFD_S + PFD_L + PFD_{EF}$$

2. System Failures

It is necessary to understand how systems and equipment fail, because the equations used to determine the PFDavg value depend directly on the failure mechanism of the sensors, logic solver and final elements.

Figure 3 shows the failure modes that the components of a SIS can have.

MTBF = Mean Time Between Failures; MTTF = Mean Time To Fail

Revealed failure modes:

They are also known as "revealed" failures because they become known as soon as they occur; examples are the loss of a sensor signal when the signal wires are cut, or the failure of a solenoid valve coil.

Revealed failures normally produce a system response known as a "safe failure", whose most common consequence is an emergency shutdown of the process. This is known as the "spurious trip rate". In many processes this condition is undesirable because it directly affects production or production schedules; in continuous processes such as the chemical or oil industries it is very costly, because restarting the process is neither easy nor quick. In certain processes this condition can also be very dangerous, since stopping inherently hazardous processes that handle large quantities of material and energy can create risky conditions for personnel, the environment and company assets.

The way to prevent this is to increase the fault tolerance of systems and equipment (redundancy). IEC 61511, clause 11.4, specifies the mechanisms and fault-tolerance levels required for SIS.

[Figure #3: Failure modes]
Covered failures (dangerous trip rate, λD = 1/MTTF): not detected; detected by diagnostics; detected by manual tests. Consequence: plant shutdown, or remaining at risk while repairing; the SIS is out of service during tests.
Revealed failures (spurious trip rate, λS = 1/MTBFsp): lost production must be accepted.

Covered failure modes:

Covered failures are dangerous failures until they are detected and corrected. The PFDavg calculation is based on this type of failure. Covered failures typically appear in devices whose function is to produce or carry out the final action, such as the output channels of the PLC cards, the relay coil, the valve actuator or the controller logic. The main problem with these failures arises in devices that have not been operated for long periods of time. Three kinds of condition occur with covered failures:

1. Failures that can be detected by automatic diagnostics.
2. Failures that can be found during a proof-test period.
3. Failures that remain hidden in the system, undetected, until a failure on demand occurs.

Each of these failures contributes to the PFDavg value of the SIS, and each requires a different reliability-calculation treatment.

The formulas for calculating systems based on automatic diagnostics generally refer to programmable logic controllers, because these systems use advanced diagnostic techniques. In most systems, when we speak of "diagnostics" we are referring to the system's ability to run tests without human intervention. These diagnostics, also called "active" diagnostics, are functional tests of the state of the system; an example would be toggling the position of the controller card outputs (On/Off) to prove that the system can bring the process to a safe condition. These tests are performed very quickly, generally in milliseconds, so that the tests themselves do not become a hazardous condition for the process.

Calculations:

The calculation of revealed failures (also called safe failures) is important from the standpoint of process operation. Installing a safety system is a complicated and costly process, and the last thing we want is for that system itself to create a potentially unsafe condition or to cause production or economic losses. Selecting a safety system without fault tolerance must be carefully evaluated from both the safety and the process-operation standpoints, and a life-cycle design of the system must include the cost of spurious trips and the costs associated with fault tolerance. Revealed failures also have two components: detectable safe failures and undetectable safe failures. Since both lead to a safe shutdown of the process, there is little need to detail each one in a separate equation.

Covered failures (also called dangerous failures), as shown in Figure 3, have two components:

1) Dangerous failures detected by automatic diagnostics, which carry out the testing and the detection of errors and failures automatically. We associate these failures with complex systems such as logic solvers; however, in recent years some field devices such as sensors and valve actuators have incorporated high levels of self-diagnostics in their electronics. The automatic diagnostic test time is typically between 1 and 10 seconds.

2) Dangerous failures detected by manual tests: these are tests that diagnostics cannot perform, so the test and the diagnosis must be carried out manually. The interval of these tests is typically much shorter than the MTBF. This kind of test is associated with field devices and final control elements.

Figure 4 shows the different test requirements for the different devices. There is a large difference between the equations used to model PFDavg for sensors and final control elements and the equations used to model logic solvers, not only because logic solvers run their own self-diagnostic tests but also because each system may contain different devices in different configurations and numbers (input and output modules, power supplies, processors, communications, etc.).

The equations for modelling programmable logic controllers are defined in detail in IEC 61508-6, Edition 2.0, 2010-04. Simplified equations are also available for programmable logic controllers; they make determining PFDavg easier but less exact.

[Figure #4: Test requirements for devices. Demand rate (D) → Sensor (manual tests) → Logic Solver (automatic diagnostic tests) → Final Elements (manual tests) → event rate (H)]
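As an added worked example (not code from the report, and not the author's method), the following Python script applies the Figure 1 and Figure 2 relations to a three-subsystem safety function and classifies each subsystem's dangerous failures into the detected (diagnostics) and undetected (manual test) components discussed in Section 2. It assumes the standard simplified single-channel approximation PFDavg ≈ λDU·TI/2 + λDD·MTTR for each subsystem, a diagnostic-coverage fraction DC to split λD, and the IEC 61508 low-demand SIL bands; none of these appear on this page. The failure rates, coverage values, test intervals and demand rate are constructed sample values.

```python
"""Worked PFDavg / SIL evaluation for a Safety Instrumented Function.

Added example, not code from the report. Assumptions not taken from the page:
  * every subsystem is a single 1oo1 channel and its PFDavg is approximated with the
    usual simplified low-demand formula  PFDavg = lambda_DU * TI / 2 + lambda_DD * MTTR;
  * the detected/undetected split of dangerous failures is given by a diagnostic
    coverage fraction DC, so lambda_DD = DC * lambda_D and lambda_DU = (1 - DC) * lambda_D;
  * SIL bands are the IEC 61508 low-demand PFDavg bands.
All numeric inputs below are constructed sample values.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_d: float     # dangerous failure rate, failures per hour
    dc: float           # fraction of dangerous failures found by automatic diagnostics
    ti_hours: float     # manual proof-test interval, hours
    mttr_hours: float   # mean time to repair a detected failure, hours

    def lambda_dd(self) -> float:
        return self.dc * self.lambda_d

    def lambda_du(self) -> float:
        return (1.0 - self.dc) * self.lambda_d

    def pfd_avg(self) -> float:
        # An undetected dangerous failure stays hidden for TI/2 on average (until the
        # next manual test); a detected one is only exposed for the repair time.
        return self.lambda_du() * self.ti_hours / 2.0 + self.lambda_dd() * self.mttr_hours


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand band; 0 means the function does not reach SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def evaluate_sif(subsystems, demand_rate_per_year: float) -> dict:
    """Combine the subsystems as in Figure 2 and apply the Figure 1 relations."""
    pfd_total = sum(s.pfd_avg() for s in subsystems)       # PFD_S + PFD_L + PFD_EF
    rrf = 1.0 / pfd_total                                   # PFDavg = 1 / RRF
    hazard_rate = demand_rate_per_year * pfd_total          # H = D * PFDavg (events/year)
    dominant = max(subsystems, key=lambda s: s.pfd_avg())   # where engineering effort pays off
    return {
        "pfd_total": pfd_total,
        "rrf": rrf,
        "hazard_rate_per_year": hazard_rate,
        "sil": sil_from_pfd(pfd_total),
        "dominant": dominant.name,
        "share": {s.name: s.pfd_avg() / pfd_total for s in subsystems},
    }


# Constructed sample SIF: transmitter, logic solver, shutdown valve, all proof-tested yearly.
SAMPLE_SIF = [
    Subsystem("sensor", lambda_d=2.0e-6, dc=0.60, ti_hours=HOURS_PER_YEAR, mttr_hours=8.0),
    Subsystem("logic solver", lambda_d=5.0e-7, dc=0.99, ti_hours=HOURS_PER_YEAR, mttr_hours=8.0),
    Subsystem("final element", lambda_d=3.0e-6, dc=0.00, ti_hours=HOURS_PER_YEAR, mttr_hours=8.0),
]


def with_test_interval(sub: Subsystem, ti_hours: float) -> Subsystem:
    """Same device, different manual proof-test interval (the lever the text discusses)."""
    return Subsystem(sub.name, sub.lambda_d, sub.dc, ti_hours, sub.mttr_hours)


if __name__ == "__main__":
    base = evaluate_sif(SAMPLE_SIF, demand_rate_per_year=1.0)
    print(f"PFDavg={base['pfd_total']:.3e} RRF={base['rrf']:.0f} SIL {base['sil']} "
          f"dominant={base['dominant']}")
    # Re-run with the dominant valve proof-tested quarterly instead of yearly.
    quarterly = [with_test_interval(s, HOURS_PER_YEAR / 4) if s.name == "final element" else s
                 for s in SAMPLE_SIF]
    better = evaluate_sif(quarterly, demand_rate_per_year=1.0)
    print(f"valve tested quarterly: PFDavg={better['pfd_total']:.3e} SIL {better['sil']}")
```

With the sample values the untested valve contributes about 79% of the total PFDavg and the function only reaches SIL 1; shortening the valve's manual test interval to a quarter of a year moves it to SIL 2, which is the point the text makes about covered failures that remain hidden between tests.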

3. Determination of the Spurious Trip Rate (STR)

Equations for determining the Spurious Trip Rate (STR).

As noted above, it is useful to know the spurious trip rate a system will have; this lets us select systems based on the cost of tripping or shutting down a process because one of the components of the safety instrumented system has failed:

Architecture | Complex equation (ISA-TR84.00.02-2002 Part 2) | Simplified equation (ISA-TR84.00.02-2002 Part 2)
1oo1 | Eq. No. 10 | Eq. No. 10a
1oo2 | Eq. No. 11 | Eq. No. 11a
1oo3 | Eq. No. 12 | Eq. No. 12a
2oo2 | Eq. No. 13 | Eq. No. 13a
2oo3 | Eq. No. 14 | Eq. No. 14a
2oo4 | Eq. No. 15 | Eq. No. 15a

The equations referenced in the table are reproduced below from ISA-TR84.00.02-2002 - Part 2 (pages 27-28):

(Eq. No. 9)

$$MTTF_{spurious} = \frac{1}{\lambda_S}$$

1oo1 (Eq. No. 10)

$$STR = \lambda_S + \lambda_{DD} + \lambda_{SF}$$

Where λS is the safe or spurious failure rate for the component, λDD is the dangerous detected failure rate for the component, and λSF is the safe systematic failure rate for the component.

The second term in the equation is the dangerous detected failure rate term and the third term is the systematic error rate term. The dangerous detected failure term is included in the spurious trip calculation when the detected dangerous failure puts that channel (of a redundant system) or system (if it is non-redundant) in a safe (de-energized) state. This can be done either automatically or by human intervention. If dangerous detected failure does not place the channel or system into a safe state, this term is not included in Equations 10 through 15.

1oo2 (Eq. No. 11)

$$STR = 2\,(\lambda_S + \lambda_{DD}) + \beta\,(\lambda_S + \lambda_{DD}) + \lambda_{SF}$$

The second term is the common cause term and the third term is the systematic error rate term.

1oo3 (Eq. No. 12)

$$STR = 3\,(\lambda_S + \lambda_{DD}) + \beta\,(\lambda_S + \lambda_{DD}) + \lambda_{SF}$$

The second term is the common cause term and the third term is the systematic error rate term.

2oo2 (Eq. No. 13)

$$STR = 2\,\lambda_S\,(\lambda_S + \lambda_{DD})\,MTTR + \beta\,(\lambda_S + \lambda_{DD}) + \lambda_{SF}$$

The second term is the common cause term and the third term is the systematic error rate term. This equation, as well as Equations 14 and 15, assumes that safe failures can be detected on-line. If safe failures can only be detected through testing or inspection, the testing (or inspection) interval TI should be substituted for MTTR.

2oo3 (Eq. No. 14)

$$STR = 6\,\lambda_S\,(\lambda_S + \lambda_{DD})\,MTTR + \beta\,(\lambda_S + \lambda_{DD}) + \lambda_{SF}$$

The second term is the common cause term, and the third term is the systematic error rate term.

2oo4 (Eq. No. 15)

$$STR = 12\,(\lambda_S + \lambda_{DD})^3\,MTTR^2 + \beta\,(\lambda_S + \lambda_{DD}) + \lambda_{SF}$$

The second term is the common cause term, and the third term is the systematic error rate term.

NOTE The above equations apply to elements with the same failure rates. If elements with different failure rates are used, appropriate adjustments must be made (See ISA-TR84.00.02-2002, Part 5 for method).

SIS in the process industry typically must be taken out of service to make repairs when failures are detected unless redundancy of components is provided. Accounting for additional failures while repairs are being made is typically not considered due to the relatively short repair time. Common cause and systematic error are handled as described in 5.1.5. Therefore, the equations above can be reduced to the following:

1oo1 (Eq. No. 10a)

$$STR = \lambda_S$$

1oo2 (Eq. No. 11a)

$$STR = 2\,\lambda_S$$

1oo3 (Eq. No. 12a)

$$STR = 3\,\lambda_S$$

2oo2 (Eq. No. 13a)

$$STR = 2\,\lambda_S^2\,MTTR$$

2oo3 (Eq. No. 14a)

$$STR = 6\,\lambda_S^2\,MTTR$$

2oo4 (Eq. No. 15a)

$$STR = 12\,\lambda_S^3\,MTTR^2$$

5.2.6 Combining spurious trip rates for components to obtain SIS MTTFspurious

Once the sensor, final element, logic solver, and power supply portions are evaluated, the overall MTTFspurious for the SIS being evaluated is obtained as follows:

(Eq. No. 16)

$$STR_{SIS} = \sum STR_{Si} + \sum STR_{Ai} + \sum STR_{Li} + \sum STR_{PSi} + \lambda_{SF}$$

NOTE The last term in the equation, the systematic failure term, is only used when systematic error has not been accounted for in individual component STR and the user desires to include an overall value for the entire system.

(Eq. No. 17)

$$MTTF_{spurious} = \frac{1}{STR_{SIS}}$$

The result is the MTTFspurious for the SIS.


λS is the safe or spurious failure rate of each component.
λDD is the dangerous detected failure rate of each component.
λSF is the safe systematic failure rate of each component.

The final spurious trip rate of the SIS (using the simplified equations) is the sum over every element of the system (sensors, programmable logic controller CLP and final elements EF):

STRSIS = ∑STRSensor + ∑STRCLP + ∑STREF + λSF

The MTTF (Mean Time To Fail) for spurious trips is then given by MTTFspurious = 1/STRSIS
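The following Python module is an added example (not code from the report or from ISA) that writes Equations 9 through 17 above as functions, so that the complete and reduced forms can be compared for the same element and then combined into STR_SIS and MTTF_spurious. The failure rates, β, MTTR and the architecture assigned to each subsystem are constructed sample values; `dd_trips` and `ti_hours` are parameter names chosen here for the two caveats in the ISA text (dropping λDD when a detected dangerous failure does not de-energise the channel, and substituting TI for MTTR when safe failures are only found by testing).

```python
"""Spurious trip rate (STR) and MTTF_spurious from ISA-TR84.00.02-2002 Part 2 Eqs. 9-17.

Added example, not code from the report or from ISA. Rates are per hour; beta is the
common-cause fraction (the β in Eqs. 11-15); `dd_trips` and `ti_hours` are parameter
names chosen here for the two caveats in the ISA text. All numbers are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    lambda_s: float          # safe (spurious) failure rate
    lambda_dd: float         # dangerous detected failure rate
    lambda_sf: float = 0.0   # safe systematic rate (0 when added once at SIS level, Eq. 16)


def str_full(arch: str, e: Element, beta: float, mttr_hours: float,
             dd_trips: bool = True, ti_hours: Optional[float] = None) -> float:
    """Equations 10-15 for identical elements in the given voting architecture.

    dd_trips=False drops lambda_DD: a detected dangerous failure that does not de-energise
    the channel contributes nothing to spurious trips.  ti_hours, when given, replaces
    MTTR in the 2oo2/2oo3/2oo4 terms for safe failures that are only found by testing.
    """
    lam = e.lambda_s + (e.lambda_dd if dd_trips else 0.0)   # per-channel trip-causing rate
    t = mttr_hours if ti_hours is None else ti_hours
    cc = beta * lam                                            # common-cause term
    if arch == "1oo1":
        return lam + e.lambda_sf                               # Eq. 10: single channel, no β term
    if arch == "1oo2":
        return 2.0 * lam + cc + e.lambda_sf                    # Eq. 11
    if arch == "1oo3":
        return 3.0 * lam + cc + e.lambda_sf                    # Eq. 12
    if arch == "2oo2":
        return 2.0 * e.lambda_s * lam * t + cc + e.lambda_sf   # Eq. 13
    if arch == "2oo3":
        return 6.0 * e.lambda_s * lam * t + cc + e.lambda_sf   # Eq. 14
    if arch == "2oo4":
        return 12.0 * lam ** 3 * t ** 2 + cc + e.lambda_sf     # Eq. 15
    raise ValueError(f"unknown architecture {arch!r}")


def str_reduced(arch: str, lambda_s: float, mttr_hours: float) -> float:
    """Equations 10a-15a: common cause and systematic error handled elsewhere."""
    table = {
        "1oo1": lambda_s,
        "1oo2": 2.0 * lambda_s,
        "1oo3": 3.0 * lambda_s,
        "2oo2": 2.0 * lambda_s ** 2 * mttr_hours,
        "2oo3": 6.0 * lambda_s ** 2 * mttr_hours,
        "2oo4": 12.0 * lambda_s ** 3 * mttr_hours ** 2,
    }
    return table[arch]


def str_sis(sensors, final_elements, logic_solvers, power_supplies,
            lambda_sf_system: float = 0.0) -> float:
    """Eq. 16: STR_SIS = ΣSTR_Si + ΣSTR_Ai + ΣSTR_Li + ΣSTR_PSi + λSF (system level, optional)."""
    return (sum(sensors) + sum(final_elements) + sum(logic_solvers)
            + sum(power_supplies) + lambda_sf_system)


def mttf_spurious_years(str_sis_per_hour: float) -> float:
    """Eq. 17, expressed in years."""
    return 1.0 / (str_sis_per_hour * HOURS_PER_YEAR)


def demo_sis() -> dict:
    """Constructed SIS: 2oo3 transmitters, 1oo2 valves, one logic solver, one power supply."""
    beta, mttr = 0.05, 8.0
    tx = Element(lambda_s=1.0e-5, lambda_dd=2.0e-6)
    valve = Element(lambda_s=5.0e-6, lambda_dd=1.0e-6)
    solver = Element(lambda_s=2.0e-6, lambda_dd=5.0e-7)   # its DD failures alarm, do not trip
    psu = Element(lambda_s=1.0e-6, lambda_dd=0.0)
    sensors_str = str_full("2oo3", tx, beta, mttr)
    total = str_sis([sensors_str],
                    [str_full("1oo2", valve, beta, mttr)],
                    [str_full("1oo1", solver, beta, mttr, dd_trips=False)],
                    [str_full("1oo1", psu, beta, mttr)])
    return {
        "sensors_full": sensors_str,
        "sensors_reduced": str_reduced("2oo3", tx.lambda_s, mttr),  # β term dominates 2oo3
        "str_sis": total,
        "mttf_spurious_years": mttf_spurious_years(total),
    }


if __name__ == "__main__":
    for key, value in demo_sis().items():
        print(f"{key:>20}: {value:.4g}")
```

Running `demo_sis()` shows why the reduced equations should be used with care for voted architectures: the 2oo3 sensor group's reduced STR (6λS²·MTTR) is about two orders of magnitude below its full value, because the β(λS + λDD) common-cause term, not the double-failure term, sets the trip rate once redundancy is present. With the sample numbers the 1oo2 valves dominate STR_SIS and the SIS as a whole has an MTTF_spurious of roughly 7.2 years.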
