Spurious trip level (STL) is defined as a discrete level for specifying the spurious trip requirements of safety functions to be allocated to safety systems. An STL of 1 means that this safety function has the highest level of spurious trips. The higher the STL level the lower the number of spurious trips caused by the safety system. There is no limit to the number of spurious trip levels.
Safety functions and systems are installed to protect people, the environment and assets. A safety function should only activate when a dangerous situation occurs. A safety function that activates without the presence of a dangerous situation (e.g., due to an internal failure) causes economic loss. The spurious trip level concept represents the probability that a safety function causes a spurious (unscheduled) trip.
The STL is a metric that is used to specify the performance level of a safety function in terms of the spurious trips it potentially causes. Typical safety systems that benefit from an STL are defined in standards such as IEC 61508,[1] IEC 61511,[2] IEC 62061,[3] ISA S84[4] and EN 50204.[5] An STL provides end-users of safety functions with a measurable attribute that helps them define the desired availability of their safety functions. An STL can be specified for a complete safety loop or for individual devices.
IEC 61508 is an international standard published by the International Electrotechnical Commission consisting of methods on how to apply, design, deploy and maintain automatic protection systems called safety-related systems. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems.
IEC standard 61511 is a technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation. Such systems are referred to as Safety Instrumented Systems. The title of the standard is "Functional safety - Safety instrumented systems for the process industry sector".
For end-users there is always a potential conflict between the cost of safety solutions and the loss of profitability caused by spurious trips of these safety solutions. The STL concept helps end-users resolve this conflict so that safety solutions provide both the desired safety and the desired process availability.
The spurious trip level represents asset loss due to an internal failure of the safety function. The more financial damage the safety function can cause through a spurious trip, the higher the STL of the safety function should be. Each company needs to decide for itself which level of financial loss it can or is willing to accept. This depends on many factors, including the financial strength of the company, its insurance policy, the cost of process shutdown and startup, and so on. All these factors are unique to each company. The table below shows an example of how a company can calibrate its spurious trip levels.
STL | Description |
---|---|
6 | Spurious trip costs between 20M and 50M EUR |
5 | Spurious trip costs between 10M and 20M EUR |
4 | Spurious trip costs between 5M and 10M EUR |
3 | Spurious trip costs between 1M and 5M EUR |
2 | Spurious trip costs between 500k and 1M EUR |
1 | Spurious trip costs between 100k and 500k EUR |
None | Spurious trip costs between 0 and 100k EUR |
The STL achieved by a safety function is determined by the probability of fail safe (PFS) of this safety function. The PFS value is determined by internal failures of the safety system that cause the safety function to be executed without a demand from the process. The table below gives the PFS band and the spurious trip reduction (STR) factor of each STL.
STL level | PFSavg | STR |
---|---|---|
X | ≥ 10^−(X+1) to < 10^−X | 10^X |
... | ... | ... |
5 | ≥ 10^−6 to < 10^−5 | 100000 |
4 | ≥ 10^−5 to < 10^−4 | 10000 |
3 | ≥ 10^−4 to < 10^−3 | 1000 |
2 | ≥ 10^−3 to < 10^−2 | 100 |
1 | ≥ 10^−2 to < 10^−1 | 10 |
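The following is an added example, not code from the article: it classifies a safety loop by STL from its average probability of fail safe using the band rule 10^−(X+1) ≤ PFSavg < 10^−X with STR = 10^X, and compares the result with the STL required by the article's example cost calibration. The loop model (any device's safe failure trips a 1oo1 series loop) and the sample device values are assumptions for illustration.

```python
# Added example (not from the original article): STL from PFSavg, STR, and a
# check of an achieved STL against the STL required by a trip-cost calibration.

# Example calibration from the article's table (EUR, upper bound exclusive).
# Each company calibrates its own bands; STL 0 stands for "None".
COST_BANDS_EUR = [
    (0, 100_000, 0), (100_000, 500_000, 1), (500_000, 1_000_000, 2),
    (1_000_000, 5_000_000, 3), (5_000_000, 10_000_000, 4),
    (10_000_000, 20_000_000, 5), (20_000_000, 50_000_000, 6),
]
MAX_STL = 12  # practical cap for the search; the concept itself is unbounded

def required_stl(trip_cost_eur: float) -> int:
    """STL a company should demand for a given spurious-trip cost."""
    for low, high, stl in COST_BANDS_EUR:
        if low <= trip_cost_eur < high:
            return stl
    raise ValueError("trip cost outside the calibrated bands")

def achieved_stl(pfs_avg: float) -> int:
    """Largest X with 10^-(X+1) <= PFSavg < 10^-X; 0 when PFSavg >= 0.1."""
    if not 0.0 < pfs_avg < 1.0:
        raise ValueError("PFSavg must be a probability in (0, 1)")
    x = 0
    while x < MAX_STL and pfs_avg < 10 ** -(x + 1):
        x += 1
    return x

def spurious_trip_reduction(stl: int) -> int:
    """STR of STL X is 10^X; the 'None' level (0) gives a factor of 1."""
    return 10 ** stl

def loop_pfs(device_pfs: list[float]) -> float:
    """PFSavg of a loop in which any device's safe failure trips the loop.
    Assumption (not from the article): 1oo1 series of devices, so the loop
    is free of spurious trips only if every device is."""
    survive = 1.0
    for p in device_pfs:
        survive *= 1.0 - p
    return 1.0 - survive

def assess_loop(device_pfs: list[float], trip_cost_eur: float) -> dict:
    """Compare the achieved STL of a loop with the STL its trip cost requires."""
    achieved = achieved_stl(loop_pfs(device_pfs))
    required = required_stl(trip_cost_eur)
    return {"achieved": achieved, "required": required,
            "str": spurious_trip_reduction(achieved),
            "meets_requirement": achieved >= required}

if __name__ == "__main__":
    # Constructed sample: sensor, logic solver and final element PFSavg values
    print(assess_loop([2e-3, 5e-4, 3e-3], trip_cost_eur=3_000_000))
```

For the constructed sample the loop lands in the STL 2 band (STR 100) while a 3M EUR trip cost calls for STL 3, so the loop would need lower device PFS values or a different voting architecture.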
Today standards only define the safety integrity level (SIL) for safety functions. Standards do not define STLs because in the first instance they represent economic loss rather than safety. Despite this, the STL is also a safety attribute, especially for safety functions in the process, oil & gas, chemical and nuclear industries. In those industries an undesired shutdown of the process leads to a dangerous situation, as the plant needs to be started up again. Startup and shutdown of a process plant are considered the two most dangerous operational modes of the plant and should be limited to the absolute minimum.
Safety integrity level (SIL) is defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a safety instrumented function (SIF).
In practice the STL and SIL concepts complement each other. Both are attributes of the same safety function. The STL is determined by the average PFS value of the safety function. The SIL is determined by the average probability of failure on demand (PFD) value of the safety function. The STL expresses the probability of spurious trips by the safety function, i.e., the safety function is executed without a demand from the process. The SIL expresses the probability that the safety function does not work upon demand from the process. Both parameters are important to end-users in order to achieve safety and asset protection.
Description | Spurious Trip Level | Safety Integrity Level |
---|---|---|
Calculated via | Average PFS | Average PFD |
Represents | Process availability | Safety availability |
Expressed as ... | STL | SIL |
Number of levels ... | Unlimited | 1 through 4 |
In order to calculate the PFS or PFD value of a safety loop it is necessary to have a reliability model and reliability data for each component in the safety loop. The best reliability model to use is a Markov model (see Andrey Markov). Typical data required are: