1、Safety Instrumented Functions (SIF)- Safety Integrity Level (SIL)Evaluation Techniques Part 5:Determining the PFD of SIS LogicSolvers via Markov AnalysisApproved17 June 2002ISA-TR84.00.02-2002 - Part 5TECHNICAL REPORTISA The Instrumentation,Systems, andAutomation Society TMNOTICEOFCOPYRIGHTThis is a
2、 copyrighted document and may not be copied or distributed in anyform or manner without the permission of ISA. This copy of the document wasmadeforthesoleuseofthepersontowhomISAprovideditandissubjecttothe restrictions stated in ISAs license to that person. It may not be provided toany other person i
3、n print, electronic, or any other form. Violations of ISAscopyright will be prosecuted to the fullest extent of the law and may result insubstantial civil and criminal penalties.ISA-TR84.00.02-2002 Part 5Safety Instrumented Functions (SIF) Safety Integrity Level (SIL) Evaluation Techniques Part 5:De
4、termining the PFD of SIS Logic Solvers via Markov AnalysisISBN: 1-55617-806-9Copyright 2002 by The Instrumentation, Systems, and Automation Society. All rights reserved. Not forresale. Printed in the United States of America. No part of this publication may be reproduced, stored ina retrieval system
5、, or transmitted in any form or by any means (electronic mechanical, photocopying,recording, or otherwise), without the prior written permission of the Publisher.ISA67 Alexander DriveP.O. Box 12277Research Triangle Park, North Carolina 27709- 3 - ISA-TR84.00.02-2002 - Part 5PrefaceThis preface, as w
6、ell as all footnotes and annexes, is included for information purposes and is not part ofISA-TR84.00.02-2002 Part 5.This document has been prepared as part of the service of ISA the Instrumentation, Systems, andAutomation Society toward a goal of uniformity in the field of instrumentation. To be of
7、real value, thisdocument should not be static but should be subject to periodic review. Toward this end, the Societywelcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards andPractices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, N
8、C 27709;Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standardsisa.org.The ISA Standards and Practices Department is aware of the growing need for attention to the metricsystem of units in general, and the International System of Units (SI) in particular, in the preparation ofinstrumentation
9、 standards. The Department is further aware of the benefits to USA users of ISAstandards of incorporating suitable references to the SI (and the metric system) in their business andprofessional dealings with other countries. Toward this end, this Department will endeavor to introduceSI-acceptable me
10、tric units in all new and revised standards, recommended practices, and technicalreports to the greatest extent possible. Standard for Use of the International System of Units (SI): TheModern Metric System, published by the American Society for Testing and redundant element with one or more safety f
11、unction.Each element should be evaluated with respect to all the safety functions with which it is associated to ensure that it meets the integrity level required for each safety function; to understand the interactions of all the safety functions; and to understand the impact of failure of each com
12、ponent.ISA-TR84.00.02-2002 - Part 5 - 12 -This document does not provide guidance in the determination of the specific SIL required (e.g., SIL 1, 2,3) for the SIS. The user is again referred to ANSI/ISA-84.01-1996 or to other references.The primary focus of this document is on evaluation methodologi
13、es for assessing the capability of theSIS. To understand what is meant by the SIS, refer to the model defined in ANSI/ISA-84.01-1996 andrepeated in Figure I.2 defining the boundaries of the SIS.StartConceptualProcessDesignPerformProcess HazardAnalysis systematic failures may be introduced during the
14、specification, design, implementation, operational and modification phases and may affect hardware asSIS BoundaryISA-TR84.00.02-2002 - Part 5 - 14 -well as software. ANSI/ISA-84.01-1996 addresses systematic safety integrity by specifying procedures,techniques, measures, etc. that reduce systematic f
15、ailures.An acceptable safe failure rate is also normally specified for a SIS. The safe failure rate is commonlyreferred to as the false trip, nuisance trip, or spurious trip rate. The spurious trip rate is included in theevaluation of a SIS, since process start up and shutdown are frequently periods
16、 where chances of ahazardous event are high. Hence in many cases, the reduction of spurious trips will increase the safety ofthe process. The acceptable safe failure rate is typically expressed as the mean time to a spurious trip(MTTFspurious).NOTE In addition to the safety issue(s) associated with
17、spurious trips the user of the SIS may also want the acceptableMTTFspuriousto be increased to reduce the effect of spurious trips on the productivity of the process under control. This increase inthe acceptable MTTFspuriouscan usually be justified because of the high cost associated with a spurious
18、trip.The objective of this technical report is to provide users with techniques for the evaluation of the hardwareand systematic safety integrity of SIS (PFDavg) and the determination of MTTFspurious. The three methodsin this technical report allow modeling of both systematic failures so that a quan
19、titative analysis can beperformed.ISA-TR84.00.02-2002 shows how to model complete SIF, which include the sensors, the logic solver andfinal elements. To the extent possible the system analysis techniques allow these elements to beindependently analyzed. This allows the SIS designer to select the pro
20、per system configuration toachieve the required safety integrity level.ISA-TR84.00.02-2002 - Part 1 provides a detailed listing of the definition of all terms used in this document. These are consistent with theANSI/ISA-84.01-1996, IEC 61508 and IEC 61511 standards. the background information on how
21、 to model all the elements or components of a SIF. It focuses onthe hardware components, provides some component failure rate data that are used in the examplescalculations and discusses other important parameters such as common cause failures and functionalfailures. a brief introduction to the meth
22、odologies that will be used in the examples shown in this document.They are Simplified equations (3), Fault Tree Analysis (4), and Markov Analysis (5).ISA-TR84.00.02-2002 - Part 2 provides simplified equations for calculating the SIL values for DemandMode Safety Instrumented Functions (SIF) installe
23、d in accordance with ANSI/ISA-84.01-1996,“Applications of Safety Instrumented Systems for the Process Industries.“ Part 2 should not beinterpreted as the only evaluation technique that might be used. It does, however, provide theengineer(s) performing design for a SIS with an overall technique for a
24、ssessing the capability of thedesigned SIF.ISA-TR84.00.02-2002 - Part 3 provides fault tree analysis techniques for calculating the SIL for DemandMode Safety Instrumented Functions (SIF) installed in accordance with ANSI/ISA-84.01-1996,“Applications of Safety Instrumented Systems for the Process Ind
25、ustries.“ Part 3 should not beinterpreted as the only evaluation technique that might be used. It does, however, provide theengineer(s) performing design for a SIS with an overall technique for assessing the capability of thedesigned SIF.ISA-TR84.00.02-2002 - Part 4 provides Markov analysis techniqu
26、es for calculating the SIL values forDemand Mode Safety Instrumented Functions (SIF) installed in accordance with ANSI/ISA-84.01-1996,“Applications of Safety Instrumented Systems for the Process Industries.“ Part 4 should not beinterpreted as the only evaluation technique that might be used. It does
27、, however, provide the- 15 - ISA-TR84.00.02-2002 - Part 5engineer(s) performing design for a SIS with an overall technique for assessing the capability of thedesigned SIF.ISA-TR84.00.02-2002 - Part 5 addresses the logic solver only, using Markov Models for calculating thePFD of E/E/PE logic solvers
28、because it allows the modeling of maintenance and repairs as a function oftime, treats time as a model parameter, explicitly allows the treatment of diagnostic coverage, and modelsthe systematic failures (i.e., operator failures, software failures, etc.) and common cause failures.Figure I.3 illustra
29、tes the relationship of each part to all other parts.ISA-TR84.00.02-2002 - Part 5 - 16 -Figure I.3 ISA-TR84.00.02-2002 overall frameworkPart 1Part 2Part 3Part 4Part 5Development of the overall terms, symbols,explanation of SIS element failures, comparison ofsystem analysis techniques, and uncertaint
30、y.Development of SIL for SIF usingSimplified Equation Methodology.Development of SIL for SIF usingFault Tree Analysis Methodology.Development of SIL for SIF usingMarkov Analysis Methodology.Guidance indeterminingthe PFD ofE/E/PE logicsolver(s) viaMarkovAnalysis.- 17 - ISA-TR84.00.02-2002 - Part 51 S
31、cope1.1 ISA-TR84.00.02-2002 - Part 5 is informative and does not contain any mandatory requirements.ISA-TR84.00.02-2002 - Part 5 is intended to be used only with a thorough understanding of ISA-TR84.00.02-2002 - Part 1 which defines the overall scope.1.2 ISA-TR84.00.02-2002 - Part 5 provides:a) guid
32、ance in PFD analysis of logic solvers;NOTE The term “logic solver“ will be used throughout Part 5 to indicate the SIS logic solver. The logic solver technology maybe any E/E/PES.b) a method to determine the PFD of logic solvers;c) failure rates and failure modes of logic solvers;d) the impact of dia
33、gnostics, diagnostic coverage, covert faults, test intervals, common cause,systematic failures, redundancy of logic solvers on the PFD of the logic solver; ande) a method for the verification of PFD of logic solvers.1.3 The procedures and examples outlined in ISA-TR84.00.02-2002 - Part 5 provide the
34、 engineer withMarkov modeling steps to be followed in determining a mathematical value for the PFD for typicalconfigurations of SIS logic solvers designed according to ANSI/ISA-84.01-1996.1.4 Persons using ISA-TR84.00.02-2002 - Part 5 require a basic knowledge of Markov Analysis.1.5 See ISA-TR84.00.
35、02-2002 - Part 1 (Introduction), Part 2 (Simplified Equations), Part 3 (Fault TreeAnalysis), and Part 4 (Markov Analysis) if it is necessary to mathematically evaluate the SIL of the safetyinstrumented function (SIF).NOTE The method illustrated herein (i. e. Markov analysis) may also be used to dete
36、rmine the PFD of other SIF components suchas sensors and final elements. The logic solver was selected to illustrate how Markov Analysis is applied to a complex SIFcomponent.2 References1. ANSI/ISA-84.01-1996 “Application of Safety Instrumented Systems for the Process Industries,“Instrumentation, Sy
37、stems, and Automation Society, Research Triangle Park, NC, 27709, February1996.2. ISA-TR84.00.02-2002, “Safety Instrumented Functions (SIF) Safety Integrity Level EvaluationTechniques, Part 1: Introduction; Part 2: Determining the SIL of a SIF via Simplified Equations; Part 3:Determining the SIL of
38、a SIF via Fault Tree Analysis; Part 4: Determining the SIL of a SIF via MarkovAnalysis; Part 5: Determining the PFD of SIS Logic Solvers via Markov Analysis,“ Instrumentation,Systems and Automation Society, Technical Report, Research Triangle Park, NC, 27709, 2002.3. “Reliability, Maintainability an
39、d Risk” by David J. Smith, 4thEdition, 1993, Butterworth-Heinemann,ISBN 82-515-0188-1.4. “Guidelines for Safe Automation of Chemical Processes,“ Center for Chemical Process Safety,American Institute of Chemical Engineers, New York, NY 10017, 1993.ISA-TR84.00.02-2002 - Part 5 - 18 -5. “Evaluating Con
40、trol Systems Reliability,“ W. M. Goble, Instrument Society of America, ResearchTriangle Park, NC, 27709, 1990.6. “Probabilistic Risk Assessment,“ Henley, Ernest J. and Kumamoto, Kiromitsu, IEEE Press, New York,New York, 1992.7. “Reliability by Design,“ A.C. Brombacher, John Wiley b) Reliability Eval
41、uation of Engineering Systems(10), Chapters 8 and 9;c) Introduction to Reliability Engineering(9), Chapter 9; andd) ISA-TR84.00.02-2002 Part 4.4.1 Probability of Failure on Demand (PFD)See ISA-TR84.00.02-2002 - Part 1, Clause 4 for information on the probability of failure on demand(PFD).- 19 - ISA-
42、TR84.00.02-2002 - Part 54.2 Markov modeling methodologyMarkov models(7,9,10)are created by identifying all the possible states that the logic solver may enter whiletransitioning from fully operational, through partially failed (degraded) states, to the failed state. Toaccomplish this task, the diffe
43、rent logic solver states are identified during the failure modes and effectsanalysis (FMEA) and the corresponding transition probabilities (i.e., probabilities of components that mustfail in order to transition from one state to another state) are shown as arcs on the Markov model.Markov model const
44、ruction starts with the state of the logic solver where all of the components arefunctioning properly (successful state). To develop the other states, the following general procedure isfollowed:For any statea) list all of the logic solver components, andb) list the ways the logic solver components m
45、ay leave that state. There are two ways that a componentcan leave a state.1) First, a component in an operating state can fail.2) Second, a component in a failed state can be repaired.In the former case, the probability of a component failure is the driving mechanism to force a transition outof the
46、state. For exponential failure and repair probability distributions and using the rare eventapproximation (ISA-TR84.00.02-2002 Part 5, Annex A, Clause A.4, Equation 4) the probability of failureis defined as l t, where l is the failure rate of the component and t is the time. For the latter case, th
47、erepair probability is given as m t, where m is the repair rate. Due to convention, these probabilities in theMarkov models are shown as simply failure rates and/or repair rates and are commonly referred to astransition rates. The transition probabilities are always considered in the formulation and
48、 analysis of themodels.Annex A illustrates how a Markov model is created for the logic solver shown in Figure 4.1 which is a DualPE logic solver having Dual Input and Dual Output modules, with One-out-of-Two (1oo2) shutdown logic.ISA-TR84.00.02-2002 - Part 5 - 20 -Figure 4.1 Hypothetical - dual PE l
49、ogic solver with dual I/O, one-out-of-two(1oo2) shutdown logicBefore a Markov Model can be developed an FMEA is typically performed to determine the hardwarefailure rates. The failure rate must be broken down into safe and dangerous fractions, so the completeperformance of the logic solver can be evaluated. In fact, the safe and dangerous failure rates shouldalso be broken down into the detected and undetected failures, as determined by the logic solver on-linediagnostics. Hence the FMEA should result in the determination of the component failure categoriesshown in
