1、Safety Instrumented Functions (SIF)- Safety Integrity Level (SIL)Evaluation Techniques Part 1:IntroductionApproved17 June 2002ISA-TR84.00.02-2002 - Part 1TECHNICAL REPORTISA The Instrumentation,Systems, andAutomation Society TMNOTICEOFCOPYRIGHTThis is a copyrighted document and may not be copied or
2、distributed in anyform or manner without the permission of ISA. This copy of the document wasmadeforthesoleuseofthepersontowhomISAprovideditandissubjecttothe restrictions stated in ISAs license to that person. It may not be provided toany other person in print, electronic, or any other form. Violati
3、ons of ISAscopyright will be prosecuted to the fullest extent of the law and may result insubstantial civil and criminal penalties.ISA-TR84.00.02-2002 Part 1Safety Instrumented Functions (SIF) Safety Integrity Level (SIL) Evaluation Techniques Part 1:IntroductionISBN: 1-55617-802-6Copyright 2002 by
4、ISA The Instrumentation, Systems, and Automation Society. All rights reserved.Not for resale. Printed in the United States of America. No part of this publication may be reproduced,stored in a retrieval system, or transmitted in any form or by any means (electronic mechanical,photocopying, recording
5、, or otherwise), without the prior written permission of the Publisher.ISA67 Alexander DriveP.O. Box 12277Research Triangle Park, North Carolina 27709- 3 - ISA-TR84.00.02-2002 - Part 1PrefaceThis preface, as well as all footnotes and annexes, is included for information purposes and is not part ofIS
6、A-TR84.00.02-2002 Part 1.This document has been prepared as part of the service of ISA the Instrumentation, Systems, andAutomation Society toward a goal of uniformity in the field of instrumentation. To be of real value, thisdocument should not be static but should be subject to periodic review. Tow
7、ard this end, the Societywelcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards andPractices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709;Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standardsisa.org.The ISA Stan
8、dards and Practices Department is aware of the growing need for attention to the metricsystem of units in general, and the International System of Units (SI) in particular, in the preparation ofinstrumentation standards. The Department is further aware of the benefits to USA users of ISAstandards of
9、 incorporating suitable references to the SI (and the metric system) in their business andprofessional dealings with other countries. Toward this end, this Department will endeavor to introduceSI-acceptable metric units in all new and revised standards, recommended practices, and technicalreports to
10、 the greatest extent possible. Standard for Use of the International System of Units (SI): TheModern Metric System, published by the American Society for Testing and redundant element with one or more safety instrumented function.Each element should be evaluated with respect to all the safety instru
11、mented functions with which it isassociated to ensure that it meets the integrity level required for each safety instrumented function; to understand the interactions of all the safety instrumented functions; and to understand the impact of failure of each component.This document does not provide gu
12、idance in the determination of the specific SIL required (e.g., SIL 1, 2,and 3) for the SIS. The user is again referred to ANSI/ISA-84.01-1996 or to other references.ISA-TR84.00.02-2002 - Part 1 - 12 -The primary focus of this document is on evaluation methodologies for assessing the capability of t
13、heSIS. The SIS lifecycle model is defined in ANSI/ISA-84.01-1996. Figure I.2 shows the boundaries of theSIS and how it relates to other systems.StartConceptualProcessDesignPerformProcess HazardAnalysis systematic failures may be introduced during the specification,design, implementation, operational
14、 and modification phase and may affect hardware as well as software.ANSI/ISA-84.01-1996 addresses systematic safety integrity by specifying procedures, techniques,measures, etc. that reduce systematic failures.SIS BoundaryISA-TR84.00.02-2002 - Part 1 - 14 -An acceptable safe failure rate is also nor
15、mally specified for a SIF. The safe failure rate is commonlyreferred to as the false trip, nuisance trip, or spurious trip rate. The spurious trip rate is included in theevaluation of a SIF, since process start up and shutdown are frequently periods where chances of ahazardous event are high. Hence
16、in many cases, the reduction of spurious trips will increase the safety ofthe process. The acceptable safe failure rate is typically expressed as the mean time to a spurious trip(MTTFspurious).NOTE In addition to the safety issue(s) associated with spurious trips the user of the SIS may also want th
17、e acceptableMTTFspuriousto be increased to reduce the effect of spurious trips on the productivity of the process under control. This increase inthe acceptable MTTFspuriouscan usually be justified because of the high cost associated with a spurious trip.The objective of this technical report is to p
18、rovide users with techniques for the evaluation of the hardwaresafety integrity of SIF (PFDavg) and the determination of MTTFspurious. Methods of modeling systematicfailures are also presented so a quantitative analysis can be performed if the systematic failure rates areknown.ISA-TR84.00.02-2002 sh
19、ows how to model complete SIF, which includes the sensors, the logic solverand final elements. To the extent possible the system analysis techniques allow these elements to beindependently analyzed. This allows the safety system designer to select the proper system configurationto achieve the requir
20、ed safety integrity level.ISA-TR84.00.02-2002 - Part 1 provides a detailed listing of the definition of all terms used in this document. These are consistent with theANSI/ISA-84.01-1996, IEC 61508 and IEC 61511 standards. the background information on how to model all the elements or components of a
21、 SIF. It focuses onthe hardware components, provides some component failure rate data that are used in the examplescalculations and discusses other important parameters such as common cause failures and functionalfailures. a brief introduction to the methodologies that will be used in the examples s
22、hown in this document.They are Simplified equations (3), Fault Tree Analysis (4), and Markov Analysis (5).ISA-TR84.00.02-2002 - Part 2 provides simplified equations for calculating the SIL values for DemandMode Safety Instrumented Functions (SIF) installed in accordance with ANSI/ISA-84.01-1996,“App
23、lications of Safety Instrumented Systems for the Process Industries.“ Part 2 should not beinterpreted as the only evaluation technique that might be used. It does, however, provide theengineer(s) performing design for a SIS with an overall technique for assessing the capability of thedesigned SIF.IS
24、A-TR84.00.02-2002 - Part 3 provides fault tree analysis techniques for calculating the SIL for DemandMode Safety Instrumented Functions (SIF) installed in accordance with ANSI/ISA-84.01-1996,“Applications of Safety Instrumented Systems for the Process Industries.“ Part 3 should not beinterpreted as
25、the only evaluation technique that might be used. It does, however, provide theengineer(s) performing design for a SIS with an overall technique for assessing the capability of thedesigned SIF.ISA-TR84.00.02-2002 - Part 4 provides Markov analysis techniques for calculating the SIL values forDemand M
26、ode Safety Instrumented Functions (SIF) installed in accordance with ANSI/ISA-84.01-1996,“Applications of Safety Instrumented Systems for the Process Industries.“ Part 4 should not beinterpreted as the only evaluation technique that might be used. It does, however, provide theengineer(s) performing
27、design for a SIS with an overall technique for assessing the capability of thedesigned SIF.- 15 - ISA-TR84.00.02-2002 - Part 1ISA-TR84.00.02-2002 - Part 5 addresses the logic solver only, using Markov Models for calculating thePFD of E/E/PE logic solvers because it allows the modeling of maintenance
28、 and repairs as a function oftime, treats time as a model parameter, explicitly allows the treatment of diagnostic coverage, and modelsthe systematic failures (i.e., operator failures, software failures, etc.) and common cause failures.Figure I.3 illustrates the relationship of each part to all othe
29、r parts.ISA-TR84.00.02-2002 - Part 1 - 16 -Figure I.3 ISA-TR84.00.02-2002 Overall FrameworkPart 1Part 2Part 3Part 4Part 5Development of the overall terms, symbols, explanation ofSIS element failures, comparison of system analysistechniques, and uncertainty analysis examples.Development of SIL for SI
30、F usingSimplified Equation Methodology.Development of SIL for SIF usingFault Tree Analysis Methodology.Development of SIL for SIF usingMarkov Analysis Methodology.Guidance indeterminingthe PFD ofE/E/PE logicsolver(s) viaMarkovAnalysis.- 17 - ISA-TR84.00.02-2002 - Part 11 Scope1.1 ISA-TR84.00.02-2002
31、 - Part 1 is informative and does not contain any mandatory clauses. ISA-TR84.00.02-2002 is intended to be used only with a thorough understanding of ANSI/ISA-84.01-1996(see Figure I.1). Prior to proceeding with use of ISA-TR84.00.02-2002 in a safety application, theHazards and Risk Analysis must ha
32、ve been completed and the following information provideda) It is determined that a SIS is required.b) Each safety instrumented function to be carried out by the SIS(s) is defined.c) The SIL for each safety instrumented function is defined.1.2 ISA-TR84.00.02-2002 - Part 1 providesa) guidance in Safet
33、y Integrity Level analysis;b) methods to implement Safety Instrumented Functions (SIF) to achieve a specified SIL;c) discussion of failure rates and failure modes (Annex D) of SIS and their components;d) discussion of diagnostic coverage, covert faults, common cause, systematic failures, redundancy
34、ofSIF;e) tool(s) for verification of SIL; andf) discussion of the effect of functional test interval.1.3 The objective of ISA-TR84.00.02-2002 - Part 1 is to introduce the reader to the performance basedapproach for evaluating the reliability of SIF and to present system reliability methodologies tha
35、t can beused to evaluate the system performance parameters, namely, the probability that the SIF fails to respondto a demand and the probability that the SIF creates a nuisance trip. ISA-TR84.00.02-2002 - Part 1serves as an introduction for all other parts.2 References1. ANSI/ISA-84.01-1996 “Applica
36、tion of Safety Instrumented Systems for the Process Industries,“ ISA,Research Triangle Park, NC, 27709, February 1996.2. ISA-TR84.00.02-2002, “Safety Instrumented Functions (SIF) Safety Integrity Level EvaluationTechniques, Part 1: Introduction; Part 2: Determining the SIL of a SIF via Simplified Eq
37、uations; Part 3:Determining the SIL of a SIF via Fault Tree Analysis; Part 4: Determining the SIL of a SIF via MarkovAnalysis; Part 5: Determining the PFDavg of SIS Logic Solvers via Markov Analysis,“Instrumentation, Systems and Automation Society, Technical Report, Research Triangle Park, NC,27709,
38、 2002.3. Reliability, Maintainability and Risk (Practical Methods for Engineers), 4thEdition, D.J. Smith,Butterworth-Heinemann, 1993, ISBN 0-7506-0854-4.4. “Guidelines for Safe Automation of Chemical Processes,“ Center for Chemical Process Safety,American Institute of Chemical Engineers, New York, N
39、Y 10017, 19935. “Evaluating Control Systems Reliability”, W. M. Goble, Instrument Society of America, ResearchTriangle Park, NC, 27709, 1992.ISA-TR84.00.02-2002 - Part 1 - 18 -6. “Introduction to Reliability Engineering,“ E.E. Lewis, John Wiley (2) internal structure of a SIS subsystem; (3) arrangem
40、ent ofsoftware programs; (4) voting.3.1.4 availability:see “safety availability.”3.1.5 Basic Process Control System (BPCS):a system which responds to input signals from the process, its associated equipment, otherprogrammable systems and/or an operator and generates output signals causing the proces
41、s and itsassociated equipment to operate in the desired manner but which does not perform any safetyinstrumented functions with a claimed SIL 1. Some examples include control of an exothermic reaction,anti-surge control of a compressor, and fuel/air controls in fired heaters. Also referred to as the
42、 ProcessControl System.ISA-TR84.00.02-2002 - Part 1 - 20 -3.1.6 channel:a channel is an element or a group of elements that independently perform(s) a function. The elementswithin a channel could include input/output(I/O) modules, logic system, sensors, and final elements. Theterm can be used to des
43、cribe a complete system, or a portion of a system (for example, sensors or finalelements).NOTE A dual channel (i.e., a two channel) configuration is one with two channels that independently perform the same function.3.1.7 common cause:3.1.7.1. common cause fault:a single fault that will cause failur
44、e in two or more channels of a multiple channel system. The singlesource may be either internal or external to the system.3.1.7.2 common cause failure: a failure, which is the result of one or more events causing coincident failures of two or more separatechannels in a multiple channel system, leadi
45、ng to a system failure.3.1.8 communication:3.1.8.1 external communication:data exchange between the SIS and a variety of systems or devices that are outside the SIS.These include shared operator interfaces, maintenance/engineering interfaces, data acquisitionsystems, host computers, etc.3.1.8.2 inte
46、rnal communication:data exchange between the various devices within a given SIS. These include bus backplaneconnections, the local or remote I/O bus, etc.3.1.9 coverage:see “diagnostic coverage.”3.1.10 overt:see “undetected.“3.1.11 Cumulative Distribution Function (CDF):the integral, from zero to in
47、finity, of the failure rate distribution and takes values between zero and one.3.1.12 dangerous failure:a failure which has the potential to put the safety instrumented function in a hazardous or fail-to-functionstate.NOTE Whether or not the potential is realised may depend on the channel architectu
48、re of the system; in systems with multiplechannels to improve safety, a dangerous hardware failure is less likely to lead to the overall hazardous or fail-to-function state.3.1.13 decommissioning:the permanent removal of a complete SIS from active service.3.1.14 de-energize to trip:SIS circuits wher
49、e the outputs and devices are energized under normal operation. Removal of the sourceof power (e.g., electricity, air) causes a trip action.- 21 - ISA-TR84.00.02-2002 - Part 13.1.15 demand:a condition or event that requires the SIS to take appropriate action to prevent a hazardous event fromoccurring or to mitigate the consequence of a hazardous event.3.1.16 detected:in relation to hardware and software, detected by the diagnostic tests, or through normal operation.NOTE 1 For example, physical inspection and manual tests, or through normal operation.NOTE 2 These a
