The Measurable Safety System Metric for Asset Protection of Safety Functions Designed According to IEC 61508 / 61511
Zug, Switzerland – 18 September 2007 – Risknowlogy®, a leading provider of services, consulting, training and certification in the field of risk, reliability, and safety, announced today a new safety system metric that can be used for safety functions and systems that need to comply with IEC 61508, IEC 61511 and related functional safety standards. The new metric is called Spurious Trip Level™ and can be used by end-users, system integrators and product developers to classify the performance of safety devices, functions and systems. The Spurious Trip Level™ is particularly important for end-users, as they can measure how much asset protection is achieved with the designed safety system.
The IEC 61508 and IEC 61511 standards measure the performance of safety functions with the so-called Safety Integrity Level (SIL). End-users (chemical plant owners, machinery owners, train operators, etc.) identify process hazards and define safety functions and their applicable SIL level to protect them against these hazards. The more dangerous the hazard, the higher the SIL level and therefore the more available the safety function needs to be. In practice there are 4 SIL levels, SIL 1 through SIL 4.
One of the requirements of the SIL level is to calculate the probability of failure on demand (PFD) of the safety function. In other words, how high is the probability that the safety function does not work at the moment a process demand comes? The higher the SIL level, the lower the PFD needs to be, and thus the more safety availability we have. Practical experience has shown, though, that designing safety systems only for good safety availability often means that the safety function gets activated unnecessarily due to internal hardware and/or software failures. In this case the safety design will stop the process, which means that the end-user can no longer produce, causing undesired economic loss. Even more importantly, the most dangerous phases of a process are process startup and unscheduled shutdown.
For an end-user it is important to have safety functions that offer both sufficient safety availability and sufficient process availability. Unfortunately, process availability is of almost no interest in the existing functional safety standards like IEC 61508 and IEC 61511. These standards define SIL levels but do not define performance levels for spurious trips. Particularly for this reason, Risknowlogy developed the Spurious Trip Level™ (STL). The purpose of the STL level is to give end-users a measurable attribute that helps them define the desired process availability of safety functions and thus protect their assets.
The STL level complements the SIL level. The STL level is a measurement of how often the safety function is carried out without a demand from the process. As of today the STL level is only expressed quantitatively, i.e., as the probability of fail safe (PFS), see Figure 1. The PFS is the probability that the safety function causes a spurious trip because of an internal failure of the safety function. The PFS complements the PFD value. The better the performance of the safety function, the higher the STL level.
STL    Probability of Fail Safe per year
X      >= 10E-(x+1) to < 10E-x
5      >= 10E-6 to < 10E-5
4      >= 10E-5 to < 10E-4
3      >= 10E-4 to < 10E-3
2      >= 10E-3 to < 10E-2
1      >= 10E-2 to < 10E-1
“For end-users there is always a potential conflict between the cost of safety and the loss of profitability caused by spurious trips. Now, for the first time, end-users can define in an easy and understandable manner the performance of their safety functions in terms of process availability,” says Dr. Michel Houtermans, President of Risknowlogy. “Today end-users specify the SIL to achieve safety availability. Tomorrow they will also specify the STL level to get the best of both worlds: safety availability and process availability.”
The more financial damage a spurious trip can cause, the higher the STL of the safety function should be. Each company needs to decide for itself which level of financial loss it can bear or is willing to take. This depends on many factors, such as the financial situation of the company, the insurance policy, the cost of process shutdown and startup, and so on. All these factors are unique to each company. The following table gives an example of how a company could select STL levels for its safety functions.
STL Level    STL Description
6            Spurious trip costs over €20M
5            Spurious trip costs between €10M and €20M
4            Spurious trip costs between €5M and €10M
3            Spurious trip costs between €1M and €5M
2            Spurious trip costs between €500k and €1M
1            Spurious trip costs between €100k and €500k
None         Spurious trip costs between €0 and €100k
Risknowlogy is a leading provider of technical risk management solutions including services, consulting, training and certification in the field of risk, reliability, and safety. They are the developer of the Functional Safety Data Sheet® and Spurious Trip Level™ concept. Risknowlogy has offices in Switzerland, Argentina, Germany and The Netherlands. Visit their website at www.risknowlogy.com.