The Spurious Trip Level™ Concept For Safety Functions
2007-09-18
The Measurable Safety System Metric for Asset Protection of Safety Functions Designed According to IEC 61508 / 61511
Zug, Switzerland – 18 September 2007 – Risknowlogy®, a leading provider of services, consulting, training and certification in the field of risk, reliability, and safety, announced today a new safety system metric that can be used for safety functions and systems that need to comply with IEC 61508, IEC 61511 and related functional safety standards. The new metric is called Spurious Trip Level™ and can be used by end-users, system integrators and product developers to classify the performance of safety devices, functions and systems. The Spurious Trip Level™ is particularly important for end-users, as it lets them measure how much asset protection is achieved with the designed safety system.
The IEC 61508 and IEC 61511 standards measure the performance of safety functions with the so-called Safety Integrity Level (SIL). End-users (chemical plant owners, machinery owners, train operators, etc.) identify process hazards and define safety functions, each with an applicable SIL level, to protect against them. The more dangerous the hazard, the higher the SIL level and therefore the more available the safety function needs to be. In practice, there are 4 SIL levels, SIL 1 through SIL 4.
One of the SIL level requirements is to calculate the probability of failure on demand (PFD) of the safety function. In other words, how high is the probability that the safety function does not work at the moment a process demand occurs? The higher the SIL level, the lower the PFD needs to be, and thus the more safety availability we have. Practical experience has shown, though, that designing safety systems only for good safety availability often means that the safety function gets activated unnecessarily due to internal hardware and/or software failures. In this case, the safety design will stop the process, which means that the end-user can no longer produce, and thus causes undesired economic loss. Even more importantly, the most dangerous phases of a process are process startup and unscheduled shutdown.
For an end-user, it is important to have safety functions that offer both sufficient safety availability and sufficient process availability. Unfortunately, process availability is of almost no interest in the existing functional safety standards like IEC 61508 and IEC 61511. These standards define SIL levels but do not define performance levels for spurious trips. Particularly for this reason, Risknowlogy developed the Spurious Trip Level™ (STL). The purpose of the STL level is to give end users a measurable attribute that helps them define the desired process availability of safety functions and thus to protect their assets.
The STL level complements the SIL level. The STL level measures how often the safety function is carried out without a demand from the process. As of today, the STL level is only expressed quantitatively, i.e., as the probability of fail-safe (PFS), see Figure 1. The PFS is the probability that the safety function causes a spurious trip because of an internal failure of the safety function. The PFS complements the PFD value. The better the performance of the safety function, the higher the STL level.
| STL | Probability of Fail Safe per year |
|---|---|
| x | >= 10^-(x+1) to < 10^-x |
| ... | ... |
| 5 | >= 10^-6 to < 10^-5 |
| 4 | >= 10^-5 to < 10^-4 |
| 3 | >= 10^-4 to < 10^-3 |
| 2 | >= 10^-3 to < 10^-2 |
| 1 | >= 10^-2 to < 10^-1 |
“For end-users there is always a potential conflict between the cost of safety and the loss of profitability caused by spurious trips. Now, for the first time, end-users can define in an easy and understandable manner the performance of their safety functions in terms of process availability,” says Dr. Michel Houtermans, President of Risknowlogy. “Today end-users specify the SIL to achieve safety availability. Tomorrow they will also specify the STL level to get the best of both worlds: safety availability and process availability.”
The more financial damage a spurious trip can cause, the higher the STL of the safety function should be. Each company needs to decide for itself which level of financial loss it can or is willing to take. It depends on many factors, like the financial situation of the company, the insurance policy, the cost of process shutdown and startup, and so on. All these factors are unique to each company. The following table gives an example of how a company could select STL levels for its safety functions.
| STL | Description |
|---|---|
| 6 | Spurious trip costs over €20M |
| 5 | Spurious trip costs between €10M and €20M |
| 4 | Spurious trip costs between €5M and €10M |
| 3 | Spurious trip costs between €1M and €5M |
| 2 | Spurious trip costs between €500k and €1M |
| 1 | Spurious trip costs between €100k and €500k |
| none | Spurious trip costs between €0 and €100k |
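As an added example (not Risknowlogy's code), the script below puts both tables to work: it classifies an achieved PFS into an STL using the general band rule from the first table, picks the required STL from the spurious-trip cost in the second table, and compares simple voting architectures to show the safety-availability versus process-availability trade-off the text describes. The spurious-trip-rate formulas are textbook first-order approximations and the failure rates, repair time and trip cost are constructed values, none of which come from the page; lower cost bounds are assumed inclusive.

```python
import math
from decimal import Decimal

def stl_from_pfs(pfs: float) -> int:
    """STL x holds when 10^-(x+1) <= PFS < 10^-x (first table); 0 means 'none'."""
    if not 0 < pfs < 1:
        raise ValueError("PFS must be a probability strictly between 0 and 1")
    p = Decimal(repr(pfs))  # exact decimal thresholds avoid float boundary surprises
    x = 0
    while p < Decimal(10) ** -(x + 1):
        x += 1
    return x

# Cost bands (EUR) from the second table; lower bound taken as inclusive (assumption).
COST_BANDS = [(20_000_000, 6), (10_000_000, 5), (5_000_000, 4),
              (1_000_000, 3), (500_000, 2), (100_000, 1)]

def required_stl(trip_cost_eur: float) -> int:
    """Smallest STL a company in this example would demand for a given trip cost."""
    for lower, stl in COST_BANDS:
        if trip_cost_eur >= lower:
            return stl
    return 0  # 'none' row: below EUR 100k

def spurious_trip_rate(arch: str, lambda_s: float, mttr_years: float) -> float:
    """First-order approximations (assumed, not from the page) of spurious trips/year.
    lambda_s is the safe (trip-causing) failure rate per channel per year."""
    if arch == "1oo1":
        return lambda_s                      # the single channel trips the process
    if arch == "1oo2":
        return 2 * lambda_s                  # either channel tripping trips the process
    if arch == "2oo2":
        return 2 * lambda_s ** 2 * mttr_years  # both must fail safe within one repair time
    raise ValueError(f"unknown architecture {arch!r}")

def pfs_one_year(rate_per_year: float) -> float:
    """Probability of at least one spurious trip in a year for a constant rate."""
    return 1.0 - math.exp(-rate_per_year)

def assess(arch: str, lambda_s: float, mttr_years: float, trip_cost_eur: float):
    """Return (achieved STL, required STL, meets requirement) for one design."""
    achieved = stl_from_pfs(pfs_one_year(spurious_trip_rate(arch, lambda_s, mttr_years)))
    needed = required_stl(trip_cost_eur)
    return achieved, needed, achieved >= needed

if __name__ == "__main__":
    # Constructed inputs: 0.02 safe failures/channel/year, 8 h repair, EUR 2M per trip.
    for arch in ("1oo1", "1oo2", "2oo2"):
        print(arch, assess(arch, 0.02, 8 / 8760, 2_000_000))
```

With these inputs, 1oo2 improves PFD but doubles the spurious trip rate and stays at STL 1, while 2oo2 reaches STL 6 against a required STL 3, which is exactly the tension between safety availability and process availability the press release is about.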