Fault Tree Analysis as a Tool for Safety Instrumented System (SIS) Performance Evaluation
Kimberly A. Dejmek Senior Engineer Wilfred Baker Engineering, Inc. Sugar Land, TX 77478
KEYWORDS
Safety Instrumented Systems, SIS, Safety Integrity Level, SIL, Performance, Fault Tree Analysis, FTA
ABSTRACT
The standards defining the requirements for the management of Safety Instrumented Systems, namely ANSI/ISA S84.01-1996 Application of Safety Instrumented Systems for the Process Industries and the upcoming IEC 61511 Functional Safety Instrumented Systems for the Process Industry Sector, have a common fundamental basis in the concept of Safety Integrity Level (SIL). This SIL is a measure of system criticality and defines the safety performance criteria for the system in terms of its availability. Given that SIL has been defined as a quantitative performance target, verification of system performance through quantitative analysis is required. Fault Tree Analysis (FTA) is an excellent tool for performing such evaluations of Safety Instrumented Systems. This well-known tool is easily applicable to the evaluation of SIS and provides numerous benefits to those who use it. The principal benefits include:
A clear graphical representation of the system
Mathematical models for numerous modes of operation (i.e., repairable, non-repairable, and stand-by)
Results directly indicate key contributors to system unavailability
Consideration of sensitivity cases for modifications to system components, architecture, and component testing intervals
Easy conversion of system model for evaluation of nuisance trip rates
Publicly available software tools for performing FTA
This paper will provide an introduction to the application of FTA to Safety Instrumented Systems and discuss the benefits and limitations of the technique.
INTRODUCTION
The standards defining the requirements for the management of Safety Instrumented Systems, namely ANSI/ISA S84.01-1996 Application of Safety Instrumented Systems for the Process Industries and the upcoming IEC 61511 Functional Safety Instrumented Systems for the Process Industry Sector, have a common fundamental basis in the concept of Safety Integrity Level (SIL). This SIL is a measure of system criticality and defines the safety performance criteria for the system in terms of its availability. Given that SIL has been defined as a quantitative performance target, verification of system performance through quantitative analysis is required. Fault Tree Analysis (FTA) is an excellent tool for performing such evaluations of Safety Instrumented Systems.
Condition. Human errors can be failure to carry out a desired task (failure to place controller in automatic), failure to perform a specific recovery action (failure to start a backup system), or execution of a wrong action that has adverse effects on the fault tree top event (isolated transmitter from process). An adverse condition is not necessarily a failure but in combination with other events can lead to failure. For example, the temperature being below 32 F is an adverse condition necessary for the failure of pressure detection due to a frozen impulse line. Basic events are always assumed to be independent of each other. This means that the occurrence of one basic event does not influence the probability of occurrence of any other basic event. For example, suppose that there are two diesel generators, and the failure of either to start on demand is a basic event. Independence of the basic events says that if one diesel generator fails to start on demand, this does not alter the probability that the second diesel generator will fail to start. A common cause event, such as two diesel generators fail to start because of unusually cold weather, must be modeled as its own basic event, and be assigned its own failure probability or failure rate. This event is then regarded as statistically independent of all other basic events. Logical gates are used to connect the basic events and the resulting secondary conditions, in order to represent the ways to achieve the top event. There are two basic types of gates: OR gates and AND gates. OR gates are used to relate sufficient events, a combination of events where only one is required for the secondary condition to be created. An example of a set of sufficient events would be the failure of the alarm clock or traffic problems resulting in the secondary condition of late to work. AND gates are used to represent combinations of necessary events, a set of events all of which are needed to create the secondary condition. 
An example of a set of necessary events is the failure of the electric firewater pump AND the diesel driven firewater pump creating the secondary condition firewater pumps fail to deliver water. A number of symbols are used in the construction of fault trees in order to reflect the various types of events and logical gates. The most common symbols are presented below.
[Figure: common fault tree symbols, showing the OUT and IN connections of a gate and the symbols for BASIC EVENT, UNDEVELOPED EVENT, EXTERNAL EVENT, and TRANSFER GATE.]
1. Identify the SIS safety function
2. Define the top event
3. Construct the fault tree
4. Perform qualitative analysis
5. Perform quantitative analysis
A brief description of each step and information specific to the evaluation of SIS is provided below. Additional instruction in fault tree analysis is available in a number of books on risk and reliability assessment, including the Guidelines for Performing Chemical Process Quantitative Risk Assessment by the CCPS, Loss Prevention in the Process Industries by Frank Lees, and Probabilistic Risk Assessment by Henley and Kumamoto.

Identify the SIS safety function
The SIS safety function is the function to be implemented by the SIS that is intended to achieve or maintain a safe state in order to avoid a specific hazardous event. The SIS safety function can be either simple or complex, depending upon the process and the hazardous event that it addresses. An example of a simple safety function would be the prevention of a tank overflow by shutting down the supply pump when a high level condition is reached. The prevention of a runaway reaction by monitoring the temperature, pressure, and concentration within the reactor, and stopping all reactant flow, initiating cooling, and injecting a reaction kill chemical when required, is a single complex safety function.

Define the top event
As previously discussed, the two most relevant top events in the evaluation of SIS are SIS failure on demand and SIS spurious trip.

Construct the Tree
Fault trees are constructed by beginning with the top event and deducing the major events that can directly lead to it. When modeling SIS, the first level of the tree below the top event typically consists of the sufficient events Failure of the Input Devices, Failure of the Logic Solver, Failure of the Output Action, and Failure of the Support Systems. Next, each of these intermediate events is considered in turn. The events that occur to contribute to this single event are identified and connected with the appropriate logical gate.
This development of the fault tree continues until all of the branches have been terminated by basic, undeveloped, or external events. An example fault tree for the failure on demand of a simple SIS is provided below in Figure 1.

Qualitative Fault Tree Evaluation
The qualitative evaluation of a fault tree can indicate how many pathways to the top event exist, the smallest number of events that form a set of sufficient events, and the importance of a particular basic event. Once the fault tree has been completely drawn, a number of computations can be performed. The first of these is the determination of the minimal cut sets. The minimal cut sets are the unique sets of events that could lead to the top event. The order of a cut set is determined by counting the number of events in the set. This indicates the system redundancy as well as any single points of failure. By reviewing the minimal cut set list, and specifically the basic events in each cut set, it is possible to identify any events that appear in numerous cut sets. Special attention should be paid to such events because they are important to the overall system performance.
[Figure 1. Example fault tree for the failure on demand of a simple SIS. Top event: TANK_OVERFILL. Intermediate events: Fail to Detect High Level Condition, Pump Fails to Shutdown, Safety PLC Fails on Demand. Basic events: High Level Switch Fails, Level Transmitter Fails Low, Motor Starter Relay Fails to Open. Node labels shown: INPUTS, LOGIC_SOLVER, LEVEL_SWITCH, LEVEL_XMIT, MOTOR_STARTER, IPR.]
Quantitative Fault Tree Evaluation
The fault tree can be quantified in order to determine the probability of SIS failure on demand (PFD) or the spurious trip rate (STR). The first step in the quantification of a fault tree is the identification of failure rate data for each of the basic events. Through the use of generic published data or company-collected data, the appropriate data can be identified. In the determination of the PFD, the quantified result is a probability. Therefore, all of the basic events must be expressed as probabilities. The failure frequency can be converted to a probability using an equation that reflects the operating mode of the device. Equations are available for continuously operating components without repair, operating components with repair, and stand-by components with periodic testing. The majority of SIS components are operated in a stand-by mode with periodic testing. However, some devices such as redundant transmitters with deviation alarming can be treated as repairable, operating components. Once the basic event probabilities have been calculated, the minimal cut-set probabilities are calculated. The probability of each minimal cut set is determined by:
$$C_i = q_1 q_2 \cdots q_k \qquad (1)$$

where $C_i$ is the minimal cut set probability and $q_k$ is the basic event probability.
The resulting information is quite useful. The relative importance of each of the minimal cut sets can be determined, and the system areas where improvement would be most effective become apparent. The top event probability can be calculated by either of two methods: one based on the minimal cut sets and one based upon the fault tree model. Using the minimal cut sets, the top event probability is the probability of the union of all minimal cut sets. For very small cut set probabilities, this is estimated by adding the cut set probabilities. For an exact calculation, the following formula must be applied:
$$P(A_1 \cup A_2 \cup \cdots \cup A_n) = \sum_{i} P(A_i) - \sum_{i<j} P(A_i \cap A_j) + \cdots + (-1)^{n+1} P(A_1 \cap A_2 \cap \cdots \cap A_n) \qquad (2a)$$

or, for independent events,

$$P(A_1 \cup A_2 \cup \cdots \cup A_n) = 1 - \prod_{i=1}^{n} (1 - P_i) \qquad (2b)$$
If the top event probability is to be calculated from the fault tree model, the computation is performed at each gate, working from the bottom of the tree to the top. The probability at an AND gate is calculated by multiplying the probabilities of all events entering the gate. The resulting probability of an OR gate is calculated using equation (2b) above. Similar calculations are performed for the determination of the spurious trip rate; however, it is important to remember that the STR is a rate, not a unitless probability. Therefore, care must be taken while performing the calculation to ensure that the proper units are maintained.
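The quantification steps above, carried through on the Figure 1 tree as an added Python example (not code from the paper): rate-to-probability conversion, minimal cut set generation, equation (1), the rare-event sum beside the exact inclusion-exclusion of equation (2a), and gate-by-gate evaluation with equation (2b). The gate types, failure rates and proof-test interval are assumptions, and the lambda*T/2 conversion is the usual low-demand formula for a periodically tested stand-by device, which the paper mentions but does not write out.

```python
from itertools import combinations
from math import prod

# Constructed example after Figure 1; gate types are assumed (AND for the two level inputs, OR elsewhere).
TREE = {
    "TANK_OVERFILL": ("OR", ["INPUTS", "LOGIC_SOLVER", "MOTOR_STARTER"]),
    "INPUTS": ("AND", ["LEVEL_SWITCH", "LEVEL_XMIT"]),
}

def pfd_standby(lam_per_hr, test_interval_hr):
    """lambda*T/2: average PFD of a tested stand-by device (assumed; the paper names but does not state it)."""
    return lam_per_hr * test_interval_hr / 2.0

# Constructed failure rates (1/h) with a one-year (8760 h) proof-test interval.
BASIC = {"LEVEL_SWITCH": pfd_standby(2e-6, 8760), "LEVEL_XMIT": pfd_standby(1e-6, 8760),
         "LOGIC_SOLVER": pfd_standby(5e-7, 8760), "MOTOR_STARTER": pfd_standby(3e-6, 8760)}

def minimal_cut_sets(node):
    """Expand the gates into minimal cut sets (frozensets of basic events)."""
    if node not in TREE:
        return {frozenset([node])}
    gate, kids = TREE[node]
    sets = [minimal_cut_sets(k) for k in kids]
    if gate == "OR":
        cuts = set().union(*sets)
    else:  # AND: combine one cut set from each input
        cuts = {frozenset()}
        for s in sets:
            cuts = {a | b for a in cuts for b in s}
    return {c for c in cuts if not any(o < c for o in cuts)}  # drop non-minimal supersets

def cut_set_prob(cut):  # equation (1): product of the basic event probabilities
    return prod(BASIC[e] for e in cut)

def top_event_rare(cuts):  # rare-event approximation: sum of the cut set probabilities
    return sum(cut_set_prob(c) for c in cuts)

def top_event_exact(cuts):
    """Equation (2a): inclusion-exclusion; a cut set intersection is the union of their events."""
    return sum((-1) ** (k + 1) * cut_set_prob(frozenset().union(*combo))
               for k in range(1, len(cuts) + 1)
               for combo in combinations(cuts, k))

def top_event_gates(node):
    """Gate-by-gate evaluation: AND multiplies, OR applies equation (2b)."""
    if node not in TREE:
        return BASIC[node]
    gate, kids = TREE[node]
    ps = [top_event_gates(k) for k in kids]
    return prod(ps) if gate == "AND" else 1 - prod(1 - p for p in ps)
```

With this tree the cut sets have no shared events, so the inclusion-exclusion result matches the gate-by-gate result exactly, while the rare-event sum is slightly higher; with shared events only the inclusion-exclusion form over cut sets stays exact.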
The Fault Tree Analysis method is well suited to the use of computerized tools, and since the method has been used for decades there are a number of software packages currently available for supporting risk analysts in performing FTAs. These tools can aid in the production of the graphical fault tree logic models, the generation of cut sets, and fault tree quantification. When selecting an FTA software tool, there are a number of features that should be considered. In addition to price, these include rigorous mathematics, user interface(s) for tree construction, data management, and report generating features. The price of FTA software packages ranges from around $500 a copy to about $5,000 per copy. There are programs throughout this range that have the necessary features for conducting FTA on SIS. Rigorous computational methods employed by the software package are the most important feature to consider when making a selection. The key mathematical features to require are cut set generation rather than tree based calculations, full equations for probability calculations rather than rare event approximations, and the capability to work in both the frequency and probability domains. When evaluating the fault tree construction capabilities, one should consider tree presentation, auto-formatting, and auto-pagination features. Valuable data management features are built-in tables for frequently used data and the ease of creating sensitivity cases for evaluating various test intervals. The use of these tools improves the accuracy, efficiency, and ease of communication when performing fault tree evaluations.
The limitations of the technique are minimal when FTA is applied to the evaluation of SIS. These include the inability to address partially failed states and time-dependent failure rates, as well as the requirement for training of the analyst. FTA assumes that a device is in only one of two states: working or failed. This does not allow for the consideration of functioning, but damaged, states. This limitation is rarely an issue when addressing SIS field devices; however, it does limit the application of FTA to the evaluation of complex logic solvers. When modeling redundant technology programmable logic solvers it is often necessary to employ Markov modeling, which does allow for the inclusion of degraded states. The second mathematical limitation is that a constant failure rate must be used. This means that the quantitative evaluation is not applicable to the break-in and wear-out periods in the life of the device. This limitation is not, however, unique to fault tree analysis. All of the methods included in the draft of ISA TR84.0.02 are limited to the consideration of constant failure and repair rates. The final noted disadvantage, the requirement for a trained analyst, is also not unique to FTA. However, there are numerous courses in FTA offered by industry associations and risk/reliability consultants. There are many more practitioners of FTA than of Markov modeling; hence, the availability of training resources is much greater.
CONCLUSIONS
Fault tree analysis is an established tool for the evaluation of complex systems and sequences of events, and it is well suited to the analysis of safety instrumented system performance. There are numerous unique benefits associated with fault tree analysis that more than justify the effort required to learn the method.
REFERENCES
1. Application of Safety Instrumented Systems for the Process Industries, ANSI/ISA-SP 84.01-1996, ISA, Research Triangle Park, NC, 1996.
2. Ford, K.A. and Summers, A.E., Are Your Instrumented Safety Systems Up To Standard, Chemical Engineering Progress, November 1998.
3. Safety Instrumented Systems (SIS) -- Safety Integrity Level (SIL) Evaluation Techniques, ISA-TR84.0.02, ISA, Research Triangle Park, NC, 1999.
4. Dejmek, Mark W., Overcoming the Reliability Data Gap in the Process Industries, The 33rd Annual Reliability Engineering and Management Institute (REMI), Tucson, AZ, 1995.
5. CCPS/AIChE Guidelines for Chemical Process Quantitative Risk Analysis, New York: American Institute of Chemical Engineering, 1989.