Consulting and Engineering Services
Doc No. 0418D10SD02 – Rev.01 www.LiutaioCES.com
Functional Safety Glossary
A

Analogue signal
A signal type that can carry the measurement of a process variable.

Annunciation UnDetected Failure Rate
In other words, a failure that has NO IMPACT on safety: the related SIF will perform properly on demand, BUT when this kind of failure happens the "Fault Detection capabilities" (Diagnostics) WILL NOT work. NOTE: the "Annunciation UnDetected Failure Rate" should be included as part of the "Safe Failure" rate, according to IEC 61508. This failure rate WILL NOT affect system reliability or safety, and it should not be included in "Spurious Trip Rate" calculations.

Average Probability in Time
See "Continuous Probability in Time".

Continuous probability calculated from the "Probability of Dangerous Failure on Demand" (PFD) over a period of time.
B

Beta Factor (β, or βD)
See "Common Cause Failure (CCF) factor (β)" and "Common Cause Detected Failure factor (βD)".

Boolean signal
A type of signal that can have only two (2) states. These can be: One (1)/Zero (0), True/False, On/Off, Running/Stop, Safe/Normal, High/Low, etc.
C

Certification
Process in which several tests and/or reviews are applied to a SIS, SIF or device of a SIF, in order to verify and confirm that it was designed, assembled and installed as indicated in the SRS ("Safety Requirements Specification") document and that it complies with the standards IEC 61508 and/or IEC 61511.

Channel
Element or group of elements that independently perform(s) a function, and can set the whole group in the "Normal State" or "Safe State".

Command signal, INTERLOCK
The Interlock command signal is applied to one (or more) "TARGET signal(s)", and it can be in the NORMAL or SAFE state. In the SAFE state, there has been "A Demand" of the INTERLOCK function. When the Interlock command signal is in the NORMAL state, the INTERLOCK has no effect on the associated "SIF Output Signals". When the Interlock command signal is in the SAFE state, "A Demand" of the INTERLOCK function has occurred; then, when any of the associated "SIF Output Signals" reports a transition from the NORMAL to the SAFE state, the INTERLOCK forces that "SIF Output Signal" to remain in the SAFE state, superseding the associated "Safety Logic". I.e., the "SIF Output Signal" remains in the SAFE state regardless of the "Safety Logic" result that occurs later. When the Interlock command signal changes back to the NORMAL state, the INTERLOCK allows the "Safety Logic" to determine the "SIF Output Signal" state again.

Command signal, Manual RESET
In NORMAL operation, the "Safety Logic" sets its "TARGET signal(s)" in the NORMAL state. When "A Demand" occurs, the "Safety Logic" sets its "TARGET signal(s)" in the SAFE state. When the operating condition returns to NORMAL and the "Safety Logic" sets its output back to the NORMAL state, its "TARGET signal(s)" remain in the SAFE state if a "Reset Logic" was implemented for such "TARGET signal(s)". The purpose of the manual RESET command is to disable the "Reset Logic" temporarily, to allow the related "Safety Logic" output to pass to the "TARGET signal(s)" and set it (them) to the NORMAL state, provided the "Safety Logic" output is already in the NORMAL state. The manual RESET command signal is normally in the "De-Energized" state. When the manual RESET is applied, the manual RESET command signal changes temporarily to the "Energized" state.

Command, Self-RESET
See "Command, Automatic RESET".

Command, Self-Resetting
See "Command, Automatic RESET".

Command, Automatic RESET
When the Automatic "RESET command" is included as part of a "Reset Logic", and the related "Safety Logic" result changes its output back to the NORMAL state and remains in that state, then the related "SIF Output Signals" change to the NORMAL state without user interaction.
Common Cause Detected Failure factor (βD)
Of those failures that are detected by the diagnostic tests, the fraction that have a common cause (expressed as a fraction in the equations and as a percentage elsewhere).

Common Cause Failure (CCF)
Failure that is the result of one or more events, causing concurrent failures of two or more separate channels in a multiple-channel system, leading to system failure. A Common Cause Failure (CCF) causes multiple failures from a single shared cause. The multiple failures may occur simultaneously or over a period of time.

Common Cause Failure (CCF) factor (β)
The fraction of undetected failures that have a common cause (expressed as a fraction in the equations and as a percentage elsewhere).

Common Mode Failure
See "Common Cause Failure". Common Mode Failures (CMF) are a particular case of CCF in which multiple equipment items fail in the same mode.

Component Type "A"
An element can be regarded as type A if, for the components required to achieve

Component Type "B"
An element shall be regarded as type B if, for the components required to achieve the safety function: NOTE: This means that if at least one of the components of an element itself satisfies the conditions for a type B element, then that element will be regarded as type B rather than type A.

Console
See "Control Console".

Console Operator
Operator that sits in front of the "Control Console" to monitor and execute commands through the Console to operate a plant.

Continuous Probability in Time
Probability of an event occurring within a "Sample Space" and within a period of time.

Control Console
A collection of one or more workstations and associated equipment, such as printers, communication devices and panel/mimic/push/switch buttons, used by a "Console Operator" to interact with the plant control system and to perform plant operation functions.
Index that is used in an FMECA study to rank identified failure modes. It is calculated from: a) the failure rate of the component associated with the identified failure mode, b) the failure mode ratio associated with each failure mode among all identified failure modes of the same safety device complement, c) the conditional probability of a failure mode in an operating condition, among all identified operating conditions for the same failure mode, and d) the mission time of the related component.

Criticality (C)
Combination of the severity of an effect and the frequency of its occurrence, or other attributes of a failure mode, as a measure of the need for addressing and mitigation. "Criticality" (C) can be calculated by a qualitative or a quantitative approach. Qualitative approach: refer to section 5.3.4.1. Quantitative approach: refer to section 5.3.4.
D

Dangerous Diagnostic Coverage (DCD)
Fraction of "Dangerous Failures" (λD) detected by automatic on-line diagnostic tests. The fraction of dangerous failures is computed by using the dangerous failure rates associated with the detected dangerous failures divided by the total rate of dangerous failures.

Dangerous Failure Rate (λD)
Failure of an element and/or subsystem and/or system that plays a part in implementing the safety function that: -- OR -- NOTE: Whether or not the potential is realized may depend on the channel architecture of the system; in systems with multiple channels to improve safety, a dangerous hardware failure is less likely to lead to the overall hazardous or fail-to-function state.

Demand
Any time a SIF changes the "Final Safety Element(s)" from the NORMAL to the SAFE state, a "Demand" has occurred.

Demand mode
See "Mode of Operation".

Demand Mode, Continuous
Continuous Demand mode, where the safety function retains the EUC in a safe state as part of normal operation.

Demand Mode, High
High Demand mode, where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is greater than one per year.

Demand Mode, Low
Low Demand mode, where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is no greater than one per year.

Detected Failure (Safe Detected Failure Rate (λSD); Dangerous Detected Failure Rate (λDD))
In relation to hardware, detected by automatic diagnostic tests, proof tests, operator intervention (for example physical inspection and manual tests), or through normal operation. NOTE: in practice, the above definition SHALL NOT include proof tests or operator intervention; ONLY automatic diagnostic tests shall apply. The automatic diagnostic test execution frequency MUST BE higher than the "Proof Test" execution frequency.
Device Type "A"
See "Component Type 'A'".

Device Type "B"
See "Component Type 'B'".

Diagnostics, electronic device
Automated test (or tests) that an electronic device executes at a pre-defined frequency in order to identify, reveal or detect its own faults, or faults of other devices connected to it. An implementation or installation that takes advantage of the "Diagnostics" (Fault Detection Capabilities) of an electronic device can communicate the results of the "Diagnostics" to other devices or systems (SIS, DCS). Typical instrument protocols or methodologies to communicate the "Diagnostic" results are HART, FieldBus, Profibus, NAMUR NE 43 and "NAMUR sensor" (EN 60947-5-6:2000 and IEC 60947-5-6:1999). An implementation or installation that DOES NOT take advantage of the "Diagnostics" (Fault Detection Capabilities) of an electronic device CANNOT communicate the results of the "Diagnostics" to other devices or systems (SIS, DCS).

Digital signal
See "Boolean Signal".

Discrete signal
See "Boolean Signal".
E

Element Type "A"
See "Component Type 'A'".

Element Type "B"
See "Component Type 'B'".

Equipment under control (EUC)
Machine, equipment or process plant used for manufacturing, process, transportation, medical or other activities.
F

Failure Mode and Effects Analysis (FMEA)
It is a methodology to identify the ways a product, safety device, process or system can fail. Refer to IEC 60812.

Failure Mode, Effects and Criticality Analysis (FMECA)
FMECA is an extension of FMEA. In addition to FMEA, FMECA ranks the identified failure modes in order of importance, according to the calculation of one of two (2) indexes: a) "Risk Priority Number" (RPN) or b) Criticality (C).

Failure Modes, Effects and Diagnostic Analysis (FMEDA)
A FMEDA is a systematic, detailed procedure that is an extension of the classic FMEA procedure, whose purpose is to calculate the failure rates of a safety device or group of safety devices. This technique was first developed for electronic devices and recently extended to mechanical and electro-mechanical devices. A FMEDA assessment of a hardware device or arrangement (group of devices) provides the failure data (or reliability data) needed for "SIL verification", "SIL Certification", or to calculate the device's contribution to a "Safety Instrumented Function" (SIF) when the SIF's SIL rating is calculated.

Failure Rate (λ)
Reliability parameter [λ(t)] of an entity (single component or system) such that "λ(t)·dt" is the probability of failure of this entity within [t, t+dt], assuming that it has not failed during [0, t].

Failure Rate, Dangerous Detected (λDD, or LdDD)
See "Detected Failure", "Dangerous Detected Failure Rate".

Failure Rate, Dangerous UnDetected (λDU, or LdDU)
See "UnDetected Failure", "Dangerous UnDetected Failure Rate".

Failure Rate, Safe Detected (λSD, or LdSD)
See "Detected Failure", "Safe Detected Failure Rate".

Failure Rate, Safe UnDetected (λSU, or LdSU)
See "UnDetected Failure", "Safe UnDetected Failure Rate".
Fault
Abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function.

Fault Detection Capabilities
See "Diagnostics, electronic device".

Fault Tolerance
Ability of a functional unit to continue to perform a required function in the presence of faults or errors.

Field Operator
Operator that is normally in the plant field to monitor and execute actions directly on the plant equipment or instruments.

Final Safety Element (FE or FSE)
Last device or "Safety Channel Architecture" (SCA) in the "Main Safety Loop Series" (MSLS), which actually executes the safety action to protect the plant or system against an identified Hazard.

Full Valve Stroke Test (FVST)
See "Stroke Test". In a FVST, the valve is stroked from its NORMAL to its SAFE position.

Functional Safety Management (FSM)
Functional Safety Management (FSM) is the management activity that prepares and follows up the execution of the "Safety Plan". The Safety Plan, or Functional Safety Management (FSM) Plan, is a key document in any IEC 61508 / ISO 26262 development project. It specifies how functional safety will be ensured throughout the entire development project and in production. The Safety Plan must identify all roles and responsibilities that apply to the development process. The Safety Plan shall list the various techniques and measures that will be implemented as part of the project under development to ensure that the targeted SIL is achieved. The deliverable of this task is the draft Safety Plan that the Customer must subsequently refine and implement in the project under development.
G

Graphical User Interface (GUI)
See "Human Machine Interface" (HMI).
H

Hardware Fault Tolerance
Hardware fault tolerance is the ability of a component or subsystem to continue to be able to undertake the required safety instrumented function in the presence of one or more dangerous faults in hardware. A hardware fault tolerance of 1 means that there are, for example, two devices and the architecture is such that the dangerous failure of one of the two components or subsystems does not prevent the safety action from occurring.

Hardware Fault Tolerance (HFT), or Hardware Fault Tolerance degree
Ability of a functional unit to continue to perform a required function in the presence of faults or errors. Normally the "Hardware Fault Tolerance Degree" is associated with the "Safety Channel Architecture" (SCA) XooN, where the "Hardware Fault Tolerance" (HFT) is equal to "N-X"; in other words, the number of safety channels that can be in a failed condition while the SCA can still perform the required safety function. Examples: Note 1: see "Redundancy".

Harm
Physical injury or damage to the health of people, or damage to property or the environment.

HART
HART (Highway Addressable Remote Transducer) is a hybrid analogue+digital industrial automation protocol. Its most notable advantage is that it can communicate over legacy 4-20 mA analogue instrumentation current loops, sharing the pair of wires used by analogue-only host systems.

Hazard
Potential source of harm.
Hazard and Operability Study (HAZOP)
It is a structured and systematic examination of a complex planned or existing process or operation, in order to identify and evaluate problems that may represent risks to personnel or equipment. The intention of performing a HAZOP is to review the design to pick up design and engineering issues that might otherwise not have been found. The HAZOP technique was initially developed to analyse chemical process systems, but has later been extended to other types of systems and also to complex operations such as nuclear power plant operation, and to the use of software to record deviations and consequences. A HAZOP is a qualitative technique based on guidewords and is carried out by a multi-disciplinary team (HAZOP team) during a set of meetings.

Hazard and Operability Study REPORT (HAZOP Report)
The HAZOP Report is a key document pertaining to the safety of the plant. It is crucial that the benefit of this expert study is easily accessible and comprehensible for future reference, in case the need arises to alter the plant or its operating conditions. Normally, the HAZOP report includes the list and description of all identified "Safety Instrumented Functions" (SIFs).

Hazard DETECTION CONDITION
After a Hazard occurs (Hazard OCCURRENCE), the process plant physical conditions that allow instrumentation to detect the hazard may not be in place yet. Some time is required for the Hazard to develop a physical condition that allows instrumentation to detect it. A Hazard has reached the DETECTION CONDITION when the instrumentation is in fact able to detect such Hazard.

Hazard Identification Study (HAZID), or Hazard Analysis
It is used as the first step in a process used to assess risk. The result of a hazard analysis is the identification of different types of hazards.

Hazard OCCURRENCE
Time in the process operation when an event occurs that marks the initiation of a HAZARD.

Human Machine Interface (HMI)
Also known as an HMI. An HMI is a software application that presents information to an operator or user about the state of a process, and accepts and implements the operator's control instructions. Typically, information is displayed in a graphic format (Graphical User Interface or GUI). An HMI is often a part of a SCADA (Supervisory Control and Data Acquisition) system or a DCS (Distributed Control System).
I

Initiator
See "Sensor", "Process Variable".

Intrinsically Safe (IS)
It is a protection technique for the safe operation of electrical equipment in hazardous areas, by limiting the energy, electrical and thermal, available for ignition. In signal and control circuits that can operate with low currents and voltages, the intrinsic safety approach simplifies circuits and reduces installation cost compared with other protection methods. Areas with dangerous concentrations of flammable gases or dust are found in applications such as petrochemical refineries and mines. As a discipline, it is an application of inherent safety in instrumentation. High-power circuits such as electric motors or lighting cannot use intrinsic safety methods for protection.
L

Logic Solver
It is a device, part of a SIS, that can execute the "Safety Logic" (many "TRIP criteria", "Voting Logics" and "SIF Decision Logics"). Nowadays the "Logic Solver" can be part of a module in the DCS (PCS), or an independent module based on electrical, electronic, mechanical, pneumatic or hydraulic technology. Sometimes a hybrid "Logic Solver" can be used.
M

Main Safety Loop Series (MSLS)
Sequence in series of "Safety Channel Architectures" (SCA) that constitute a Safety Loop, or SIF, from the Sensor(s) (or Initiator(s)) to the Final Safety Element(s) [FE(s)].

MAINTENANCE times
The SIF MAINTENANCE times are: MTTR, TD, MRT, TI, SLf and time constraints. These times have a direct impact on the MAINTENANCE effort to keep the SIF installation in good shape. The following table shows typical "MAINTENANCE times" requirements for a project:

Maximum Allowed Response Time (MART)
See "Safety Response Time" (SRT).

Mean Repair Time (MRT)
See "Mean Restoration Time" (MRT).

Mean Restoration Time (MRT)
Expected overall repair time.

Mean Time Between Failures (MTBF)
Mean time between the occurrence of two (2) consecutive failures.

Mean Time To Dangerous Failure (MTTFD)
Expectation of the mean time to dangerous failure. Mean time to a failure of the SIS (or SIF, or Device) that will make it fail on demand.

Mean Time To Failure (MTTF)
Mean time from when the Device/System is put on duty up to the occurrence of a failure.

Mean Time To Failure Spuriously (MTTFspuriously, or MTTFs)
The mean time to a failure of the SIS (or SIF, or Device) which results in a spurious or false trip of the process or equipment under control (EUC).

Mean Time To Repair (MTTR)
See "Mean Time To Restoration" (MTTR).

Mean Time To Restoration (MTTR)
Expected time to achieve restoration.
N

NAMUR
The User Association of Automation Technology in Process Industries (NAMUR) (German: Interessengemeinschaft Automatisierungstechnik der Prozessindustrie), established in 1949, is an international association for users of automation technology in the process industries, with its headquarters in Leverkusen, Germany. The association represents the interests of, and supports the exchange of experience among, over 140 member companies and with other associations and organizations. Work results are published in the form of NAMUR recommendations and worksheets and submitted to national and international standardization bodies as proposed standards.

NAMUR NE 43 (for Analogue signals)
NAMUR NE 43 is a recommendation which gives a guideline (for Analogue signals) on how a sensor fault can be indicated to a DCS or SIS by means of the 4-20 mA signal. A sensor fault is signaled by extending the range of the 4-20 mA signal: when the current is below 3.6 mA or above 21 mA, this is interpreted as a sensor fault. In order to avoid false alarms.
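As an added example (not part of this glossary or of its publisher's material), the following Python classifies a 4-20 mA loop reading using the NE 43 fault bands quoted above; the "under_range"/"over_range" statuses for currents that fall between a fault band and the 4-20 mA live range, and the linear scaling to engineering units, are assumptions of this example.

```python
# Added example: NE 43 fault-band classification of a 4-20 mA reading.
# The fault thresholds are the ones stated in the NE 43 entry of this glossary;
# the "under_range"/"over_range" statuses and the linear engineering-unit
# scaling are assumptions of this example, not part of the glossary.
from dataclasses import dataclass
from typing import Iterable, Optional

FAULT_LOW_MA = 3.6     # below this: sensor fault (NE 43, as quoted in the glossary)
FAULT_HIGH_MA = 21.0   # above this: sensor fault (NE 43, as quoted in the glossary)
LIVE_ZERO_MA = 4.0     # 4 mA = bottom of the live measuring range
LIVE_FULL_MA = 20.0    # 20 mA = top of the live measuring range


@dataclass(frozen=True)
class Reading:
    status: str             # "ok", "under_range", "over_range", "fault_low", "fault_high"
    value: Optional[float]  # engineering value; None when the signal is a fault


def classify_ne43(current_ma: float, eu_low: float, eu_high: float) -> Reading:
    """Map one loop current to an NE 43 status and a scaled engineering value."""
    if current_ma < FAULT_LOW_MA:
        return Reading("fault_low", None)
    if current_ma > FAULT_HIGH_MA:
        return Reading("fault_high", None)
    # Linear scaling: 4 mA -> eu_low, 20 mA -> eu_high (assumption of this example).
    fraction = (current_ma - LIVE_ZERO_MA) / (LIVE_FULL_MA - LIVE_ZERO_MA)
    value = eu_low + fraction * (eu_high - eu_low)
    if current_ma < LIVE_ZERO_MA:
        return Reading("under_range", value)
    if current_ma > LIVE_FULL_MA:
        return Reading("over_range", value)
    return Reading("ok", value)


def count_faults(currents_ma: Iterable[float], eu_low: float, eu_high: float) -> int:
    """Number of samples in a trend that NE 43 flags as a sensor fault."""
    return sum(1 for c in currents_ma
               if classify_ne43(c, eu_low, eu_high).status.startswith("fault"))


if __name__ == "__main__":
    # Constructed trend of a 0-100 % level transmitter; two samples are faults.
    trend = [12.0, 19.9, 20.6, 3.8, 3.4, 21.3]
    for c in trend:
        print(c, classify_ne43(c, 0.0, 100.0))
    print("fault samples:", count_faults(trend, 0.0, 100.0))  # 2
```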
NAMUR Sensor (for Boolean, Digital or Discrete signals)
(EN 60947-5-6:2000 and IEC 60947-5-6:1999) NAMUR format that is used for switching devices (sensors or sensor interfaces) to communicate the two switch states via two different current levels: typically 2.1 mA for one state and 1.2 mA for the other. A signal current above 2.1 mA or below 1.2 mA indicates that a "Detected Failure" has occurred.

Near miss
A "near hit", "close call" or "nearly a collision" is an unplanned event that has the potential to cause, but DOES NOT actually result in, human injury, environmental or equipment damage, or an interruption to normal operation.

No Effect Failure Rate
In other words, a failure that DOES NOT prevent a "Target System" from performing its automatic protection function and DOES NOT initiate a "Spurious Trip". For example: failure of the digital display of a transmitter in the field. NOTE: the "No Effect Failure Rate" should be included as part of the "Safe Failure" rate, according to IEC 61508. Nevertheless, this failure rate WILL NOT affect system reliability or safety, and it SHOULD NOT be included in "SIL" and "Spurious Trip Rate" calculations.
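As an added example (not from this glossary or its publisher) that ties together the "Annunciation UnDetected Failure Rate", "Dangerous Diagnostic Coverage", "Detected Failure", "Failure Rate" and "No Effect Failure Rate" entries, the Python below books the failure-rate categories of one device the way the glossary describes them; the sample rates are constructed, the constant-rate form of the failure probability is an assumption, and treating every remaining safe failure of a single 1oo1 device as a spurious trip is an assumption of this example.

```python
# Added example: failure-rate bookkeeping per the categories in this glossary.
# Rates are given in FIT (1 FIT = 1e-9 failures per hour). The sample values
# are constructed for illustration and are not a real FMEDA result.
import math
from dataclasses import dataclass

FIT = 1e-9  # failures per hour


@dataclass(frozen=True)
class FailureRates:
    sd: float  # safe, detected by automatic diagnostics
    su: float  # safe, undetected
    dd: float  # dangerous, detected by automatic diagnostics
    du: float  # dangerous, undetected (found only by proof test or on demand)
    au: float  # annunciation undetected: safety unaffected, diagnostics stop reporting
    ne: float  # no effect: e.g. the transmitter's local display fails


def dangerous_rate(r: FailureRates) -> float:
    """Total dangerous failure rate lambda_D = lambda_DD + lambda_DU."""
    return r.dd + r.du


def dangerous_diagnostic_coverage(r: FailureRates) -> float:
    """DCD: detected dangerous rate divided by the total dangerous rate."""
    total = dangerous_rate(r)
    if total == 0:
        raise ValueError("no dangerous failure rate: DCD is undefined")
    return r.dd / total


def safe_rate_iec61508(r: FailureRates) -> float:
    """Safe failure rate as the glossary says IEC 61508 counts it:
    annunciation-undetected and no-effect failures are included."""
    return r.sd + r.su + r.au + r.ne


def spurious_trip_rate_1oo1(r: FailureRates) -> float:
    """Spurious trip rate of a single 1oo1 device, excluding AU and NE as the
    glossary requires. Assumption of this example: every remaining safe
    failure of the device trips the loop."""
    return r.sd + r.su


def probability_of_failure(rate_per_hour: float, hours: float) -> float:
    """Probability of at least one failure in [0, t] for a constant rate,
    following the glossary's lambda(t)*dt definition with lambda constant
    (assumption of this example)."""
    return 1.0 - math.exp(-rate_per_hour * hours)


if __name__ == "__main__":
    dev = FailureRates(sd=500, su=100, dd=300, du=100, au=20, ne=50)  # constructed
    print("DCD:", dangerous_diagnostic_coverage(dev))                          # 0.75
    print("safe rate (IEC 61508 view):", safe_rate_iec61508(dev), "FIT")      # 670
    print("spurious trip rate (1oo1):", spurious_trip_rate_1oo1(dev), "FIT")  # 600
    print("P(dangerous failure within 1 year):",
          probability_of_failure(dangerous_rate(dev) * FIT, 8760))
```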
NORMAL state
It is the value, position, mode or condition of a signal or safety equipment while the plant is in the NORMAL operation mode.
O

Out Of Service (OOS)
An equipment item or SIF device is set in the "Out Of Service" condition when it is shut down and taken out of normal operation, in order to allow MAINTENANCE activities to be applied for a time longer than the MTTR (Mean Time To Restoration).
P

Partial Valve Stroke Test (PVST)
See "Stroke Test". In a PVST, the valve is stroked from its NORMAL position up to an intermediate position between the NORMAL and SAFE positions. The valve never reaches the SAFE position.

PE-based
Programmable Electronic based system. CPU-based system.

Periodical Test
See "Proof Test", and the reference in IEC 61508-4, section 3.8.5, NOTE 1.

Probability
Probability of an event occurring, or not occurring, within a "Sample Space".

Probability of Dangerous Failure on Demand (PFD)

Process Safety Time (PST)
It is the maximum time bound that is available for a Safety Implementation (SIF or IPF), from the time the HAZARD occurs up to the completion of the final safety action, to avoid the development of such HAZARD into an ACCIDENT or Harm.

Process Variable
See "Sensor", "Initiator".

Proof Test
Periodic test performed to detect dangerous hidden failures in an element (component, device) of a safety-related system so that, if necessary, a repair can restore the system to an "as new" condition or as close as practical to that condition.

Proof Test Coverage (PTC)
See "Proof Test Effectiveness" (Et). Faults in the safety system that are not detected by either diagnostic tests or proof tests may be found by other methods, arising from events such as a hazardous event requiring operation of the safety function, or during an overhaul of the equipment. If the faults are not detected by such methods, it should be assumed that the faults will remain for the life of the equipment.

Proof Test duration (TD)
Amount of time to dedicate to the Proof Test execution. Normally it is indicated in hours [h].

Proof Test Effectiveness (Et)
(See also "Proof Test".)

Proof Test Period
Frequency, in days, weeks, months or years, with which a "Proof Test" is performed.

Pulse signal
In signal processing, the term pulse has the following meaning: a rapid, transient change in the amplitude of a signal from a baseline value to a higher or lower value, followed by a rapid return to the baseline value. In process control, it is a Boolean signal that alternates between its two (2) states [1/0, True/False, etc.] in time, following a pre-defined pattern and/or frequency range. Examples: turbine-type flow meter, compressor/machine speed, etc.

Punctual Probability
See "Probability".
R

Redundancy
Example 1: Duplicated functional components and the addition of parity bits are both instances of redundancy. Redundancy is used primarily to improve reliability (probability of functioning properly over a given period of time) or availability (probability of functioning at a given instant). It may also be used in order to minimize spurious actions, through architectures such as 2oo3. Example 2: In the "2oo4" SCA, let's say four (4) safety channels (or safety devices) are used: A, B, C and D. To achieve the required safety, the "2oo4" SCA shall evaluate the following combinations: AB, AC, AD, BC, BD, CD. If one (1) channel (or device) fails, let's say "A", then the "2oo4" redundancy is "3", because three (3) combinations will not work (AB, AC, AD), but the other three (3) will achieve the required safety: BC, BD, CD. If two (2) channels (or devices) fail, let's say "A" and "B", then the "2oo4" redundancy is "1", because five (5) combinations will not work (AB, AC, AD, BC, BD), but the remaining one will achieve the required safety: CD. Note 1: see "Hardware Fault Tolerance". Note 2: "Fault Tolerance" is not a measure of "Redundancy".
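As an added example (not part of the glossary), the Python below applies the glossary's XooN rule HFT = N-X from the "Hardware Fault Tolerance" entry and reproduces the 2oo4 combination count from the "Redundancy" entry above, generalised to any XooN architecture and any set of failed channels; the channel labels A, B, C, D follow the entry, and the function names are this example's own.

```python
# Added example: HFT and remaining redundancy of an XooN safety channel
# architecture, generalising the 2oo4 walk-through in the "Redundancy" entry.
from itertools import combinations
from typing import Iterable, List, Set


def hardware_fault_tolerance(x: int, n: int) -> int:
    """HFT of an XooN architecture as the glossary defines it: N - X."""
    if not 1 <= x <= n:
        raise ValueError("XooN needs 1 <= X <= N")
    return n - x


def channel_names(n: int) -> List[str]:
    """Channels are labelled A, B, C, ... as in the glossary's 2oo4 example."""
    return [chr(ord("A") + i) for i in range(n)]


def working_combinations(x: int, n: int, failed: Iterable[str]) -> List[str]:
    """The X-out-of-N channel combinations that contain no failed channel."""
    hardware_fault_tolerance(x, n)  # validates X and N
    down: Set[str] = set(failed)
    return ["".join(combo) for combo in combinations(channel_names(n), x)
            if not down & set(combo)]


def remaining_redundancy(x: int, n: int, failed: Iterable[str]) -> int:
    """What the glossary calls the architecture's "redundancy" after failures:
    the number of combinations that can still achieve the required safety."""
    return len(working_combinations(x, n, failed))


def still_performs_safety(x: int, n: int, failed: Iterable[str]) -> bool:
    """True while the failed channels do not exceed the HFT. This is the same
    condition as 'at least one working combination remains'."""
    return len(set(failed)) <= hardware_fault_tolerance(x, n)


if __name__ == "__main__":
    print("2oo4 HFT:", hardware_fault_tolerance(2, 4))                       # 2
    print("A failed:", working_combinations(2, 4, {"A"}))                    # ['BC', 'BD', 'CD']
    print("A and B failed:", working_combinations(2, 4, {"A", "B"}))         # ['CD']
    print("A, B, C failed:", still_performs_safety(2, 4, {"A", "B", "C"}))   # False
```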
Reliability Block Diagram (RBD)
A "Reliability Block Diagram" (RBD) is a diagrammatic method for showing how the individual interaction and reliability of components or devices contribute to the success or failure of a complex system. An RBD is also known as a dependence diagram (DD).

Replace period
See "Service Life".

Reset Function
The purpose of a "Reset Function" is to keep a machine, equipment or process plant in the SAFE condition after it has performed a transition from the NORMAL to the SAFE state. After such a transition, the "Reset Function" is activated. In other words, the "Reset Function" is activated after a SIF demand. Once the machine, equipment or process plant comes back to the NORMAL state, a "RESET command" must be executed to make the "Reset Function" leave the "Activated" condition and allow the "Safety Logic" output to determine the NORMAL or SAFE state. The "Reset Function" can be implemented as a "Reset Logic" in the "Logic Solver", or as a mechanical device in the field, located at the "Trip device"/"Final Safety Element", or both. Refer to "Reset Logic" or "Mechanical Reset" for further details.
Reset Logic |
The “Reset Logic” is implemented in a “Logic Solver”, and it applies to one or more “TARGET signal(s)”. The “Reset Logic” starts to act after a transition of the “Safety Logic” output from the NORMAL to the SAFE state. From that moment, the purpose of the “Reset Logic” is to keep the related “TARGET signal” in the SAFE state, superseding the “Safety Logic” output; i.e. the “TARGET signal” remains in the SAFE state regardless of the “Safety Logic” output value. Once the “Safety Logic” output has changed back to the NORMAL state, and remains in that state, a “Reset Command” action on the “Reset Logic” is required to disable it, so that the “Safety Logic” output determines the “TARGET signal” state again. See “Command Automatic RESET” or “Command signal Manual RESET”, whichever applies to the implementation. |
||||||||||||||||||||||||||||||||||||||||
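The latching behaviour described in the “Reset Function” and “Reset Logic” entries, as an added example written for this glossary (it is not code from the glossary author or from any logic solver product). The class name, the scan-based interface and the `automatic` flag are assumptions; the scan sequence at the bottom is constructed for illustration.

```python
"""Reset Logic modelled as a latching state machine (added example).

Once the Safety Logic output goes from NORMAL to SAFE, the TARGET signal is
held in SAFE regardless of the Safety Logic output, until the Safety Logic
output is back in NORMAL *and* a Reset Command is executed.  A Reset Command
received while the demand is still present is ignored.
"""

NORMAL = "NORMAL"
SAFE = "SAFE"


class ResetLogic:
    """Holds a TARGET signal in SAFE after a SIF demand until it is reset."""

    def __init__(self, automatic=False):
        # Assumption: with automatic=True the Reset Command is considered issued
        # as soon as the Safety Logic output is back in NORMAL (automatic reset);
        # with automatic=False an explicit (manual) Reset Command is required.
        self.automatic = automatic
        self.activated = False      # latched after a NORMAL -> SAFE transition
        self.target = NORMAL

    def scan(self, safety_logic_output, reset_command=False):
        """One logic-solver scan; returns the resulting TARGET signal state."""
        if safety_logic_output == SAFE:
            # Demand present: set (or keep) the latch.  A Reset Command received
            # now is ignored, so the TARGET cannot be forced to NORMAL while the
            # Safety Logic still calls for SAFE.
            self.activated = True
        elif self.activated and (reset_command or self.automatic):
            # Safety Logic output is NORMAL and a Reset Command is present:
            # release the latch and let the Safety Logic output rule again.
            self.activated = False
        self.target = SAFE if (self.activated or safety_logic_output == SAFE) else NORMAL
        return self.target


def run_sequence(events, automatic=False):
    """Apply (safety_logic_output, reset_command) pairs scan by scan and
    return the TARGET state after each scan."""
    logic = ResetLogic(automatic=automatic)
    return [logic.scan(output, command) for output, command in events]


if __name__ == "__main__":
    # Constructed scan sequence: demand appears, operator presses reset during
    # the demand (ignored), demand clears, operator presses reset again.
    demo = [(NORMAL, False), (SAFE, False), (SAFE, True), (NORMAL, False), (NORMAL, True)]
    print("manual reset   :", run_sequence(demo))
    print("automatic reset:", run_sequence(demo, automatic=True))
```

With a manual reset the TARGET stays in SAFE through the fourth scan even though the Safety Logic output is already NORMAL; with an automatic reset it returns to NORMAL on that scan. In both variants the reset pressed during the demand (third scan) has no effect.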
Reset, Mechanical |
The “Reset Function” can be implemented as a mechanical device in the field, located at the “Trip device”, at the “Final Safety Element”, or at both. The Mechanical “Reset Function” starts to act after a transition of the related “Trip device”/“Final Safety Element” from the NORMAL to the SAFE state. From that moment, the purpose of the Mechanical Reset is to keep the “Trip device”/“Final Safety Element” in the SAFE state, regardless of the changes of the related “SIF Output Signal” state that occur later. Once the state of all the related “SIF Output Signals” has changed back to NORMAL, and that NORMAL state persists, the Field Operator must execute a manual “Reset Command” at the “Trip device”/“Final Safety Element”. This command disables the Mechanical Reset action, allowing the “Trip device”/“Final Safety Element” to change to the NORMAL state and letting the “SIF Output Signal” determine the “Trip device”/“Final Safety Element” state again. |
||||||||||||||||||||||||||||||||||||||||
Index used in an FMECA study to rank the identified failure modes. It is calculated from: a) the failure mode Severity, b) the Probability of occurrence of the failure mode in a predetermined or stated time period (or an estimate of the chance that the failure mode will occur), and c) the Detection index, i.e. an estimate of the chance of identifying and eliminating the failure before the system is affected. |
|||||||||||||||||||||||||||||||||||||||||
Risk reduction that the machine, equipment or process plant “Safety Instrumented System” (SIS) is required to provide, so that the risk of the related Hazard is reduced to the Tolerable Risk. A SIS is not the only means of reducing risk: other safety technologies, design changes and other physical risk reduction measures can also be applied. |
|||||||||||||||||||||||||||||||||||||||||
S |
|
||||||||||||||||||||||||||||||||||||||||
SAFE condition |
Plant condition following a shutdown request, in which the possibility of any harm occurring has been eliminated by applying the safety actions that set all equipment (Final Safety Elements) to the SAFE state. |
||||||||||||||||||||||||||||||||||||||||
Safe Diagnostic Coverage (DCS) |
Fraction of the “Safe Failures” (λS) that are detected by automatic on-line diagnostic tests. It is computed as the rate of the detected safe failures (λSD) divided by the total rate of safe failures (λS): DCS = λSD / λS. |
||||||||||||||||||||||||||||||||||||||||
Safe Failure Fraction (SFF) |
Property of a safety-related element defined as the ratio of the average rates of safe failures (λS) plus dangerous detected failures (λDD) to the total of safe plus dangerous failures (λS + λD): SFF = (λS + λDD) / (λS + λD). |
||||||||||||||||||||||||||||||||||||||||
Safe Failure Rate (λS) |
Rate of failures of an element and/or subsystem and/or system that plays a part in implementing the safety function that: NOTE: This second definition includes many failures that DO NOT cause a false trip under any circumstances, and is quite different from the definition practitioners need in order to calculate the false trip probability. Under this definition, all failure modes that ARE NOT dangerous are called “Safe”, for example “No Effect” or “Annunciation” failures. These failures MUST NOT be included in the SIL verification calculations. |
||||||||||||||||||||||||||||||||||||||||
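The rates defined in the “Safe Diagnostic Coverage”, “Safe Failure Fraction” and “Safe Failure Rate” entries, worked through on a constructed failure-mode table. This is an added example written for this glossary, not the glossary author’s code nor any vendor’s FMEDA tool; the failure modes, class codes and FIT values are invented for illustration and are not real device data. It shows the caveat made above: counting “No Effect” (NE) and “Annunciation Undetected” (AU) failures as safe failures raises the SFF without changing how the SIF behaves on demand, so they are kept out of the SIL verification figures by default.

```python
"""Failure-mode classification and the derived rates λS, λD, DCS, DCD, SFF
(added example; sample table is constructed, not vendor data)."""
from collections import defaultdict

FIT = 1e-9  # one FIT = 1 failure per 1e9 hours

# Constructed sample table: (failure mode, class, rate in FIT).
# SD/SU = safe detected/undetected, DD/DU = dangerous detected/undetected,
# AU = annunciation undetected, NE = no effect.
SAMPLE_MODES = [
    ("output de-energises on internal fault, detected", "SD", 120),
    ("output de-energises spontaneously, undetected", "SU", 80),
    ("output stuck energised, detected by diagnostics", "DD", 300),
    ("output stuck energised, undetected", "DU", 60),
    ("diagnostic reporting channel lost", "AU", 40),
    ("status LED fault", "NE", 25),
]


def summarise(modes, count_ne_au_as_safe=False):
    """Sum the per-class rates and derive the glossary's figures.

    Returns a dict with rates in failures/hour and dimensionless fractions.
    """
    rate = defaultdict(float)
    for _, cls, fit in modes:
        rate[cls] += fit * FIT

    lam_s = rate["SD"] + rate["SU"]
    if count_ne_au_as_safe:
        # The inflating variant the glossary warns against.
        lam_s += rate["NE"] + rate["AU"]
    lam_d = rate["DD"] + rate["DU"]

    return {
        "lambda_S": lam_s,
        "lambda_D": lam_d,
        # Safe Diagnostic Coverage: detected safe failures / all safe failures.
        "DCS": rate["SD"] / lam_s if lam_s else 0.0,
        # Dangerous Diagnostic Coverage: detected dangerous / all dangerous.
        "DCD": rate["DD"] / lam_d if lam_d else 0.0,
        # Safe Failure Fraction: (λS + λDD) / (λS + λD).
        "SFF": (lam_s + rate["DD"]) / (lam_s + lam_d),
        # Only genuine safe failures (SD + SU) can cause a spurious trip of a
        # 1oo1 channel; NE/AU never do, whichever way λS was counted.
        "STR_1oo1_per_hour": rate["SD"] + rate["SU"],
    }


if __name__ == "__main__":
    strict = summarise(SAMPLE_MODES)
    inflated = summarise(SAMPLE_MODES, count_ne_au_as_safe=True)
    for key in ("lambda_S", "lambda_D", "DCS", "DCD", "SFF", "STR_1oo1_per_hour"):
        print(f"{key:18s} strict={strict[key]:.4g}   NE/AU counted as safe={inflated[key]:.4g}")
```

On the sample table the strict SFF is 500/560 (about 0.893) and rises to 565/625 (about 0.904) when NE and AU are counted as safe, while the spurious trip rate of a single channel is identical in both cases, which is exactly why those failures carry no credit in SIL verification.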
SAFE state |
It is the value, position, mode or
condition of a signal or safety equipment while the plant is in the safe
shutdown mode after execution of safety actions. |
||||||||||||||||||||||||||||||||||||||||
Safety Architecture |
|||||||||||||||||||||||||||||||||||||||||
Safety Channel Architecture (SCA) |
Connection scheme, including the decision logic, in which several devices are organized to transmit safety states within the SIF’s “MAIN Safety Loop SERIES” (MSLS). |
||||||||||||||||||||||||||||||||||||||||
Safety design maximum SIL limit (SDmaxSIL) |
Boundary between SIL ratings, used to guarantee that the SIL rating of the safety design will still be achieved after implementation, allowing for some amount of possible deviation. |
||||||||||||||||||||||||||||||||||||||||
Safety Instrumented Function (SIF) |
A SIF is a safety function implemented in a “Safety Instrumented System” (SIS), whose purpose is to prevent a machine or process plant from being operated under conditions that would result in harm to personnel, the environment or the machine/process plant itself. When a SIF is performing its safety function, it is in the “On Duty” condition. |
||||||||||||||||||||||||||||||||||||||||
Safety Instrumented System (SIS) |
An instrumented system used to implement one or more safety instrumented functions (SIFs), which are expected to set a plant or equipment to its SAFE condition before any hazard develops. A SIS is composed of any combination of sensor(s), logic solver(s) and final safety element(s). |
||||||||||||||||||||||||||||||||||||||||
Safety Integrity Level (SIL) |
Discrete level (one out of a
possible four(4)), corresponding to a range of
safety integrity values, where safety integrity level 4 has the highest level
of safety integrity and safety integrity level 1 has the lowest. In practice the “Safety Integrity
Levels” are defined as follows: |
||||||||||||||||||||||||||||||||||||||||
Safety Logic |
Predefined logic containing the rules for acting on the “Safety Output Signals”, based on the states of the “Safety Input Signals”. The “Safety Logic” can be executed by a “Logic Solver”, or by the same device that measures the “Safety Input Signal”. When a “Logic Solver” is used, it can contain many “TRIP criteria”, “Voting Logics”, “Safety Logics”, Reset functions, Interlock functions, Permissive functions and basic logic operations. |
||||||||||||||||||||||||||||||||||||||||
Safety
Output Signal |
See
“SIF Output Signal”. |
||||||||||||||||||||||||||||||||||||||||
Safety Related System |
See "Safety Instrumented
System". |
||||||||||||||||||||||||||||||||||||||||
Safety Response Time (or SRT) |
The maximum allowed “Safety Instrumented Function” (SIF or IPF) response time to prevent a HAZARD from developing into Harm or an ACCIDENT. It runs from the moment the HAZARD reaches the DETECTION CONDITION (the instrument can detect it) up to the completion of the final safety action. The SRT is established to guarantee that a SIF/IPF will achieve its duty regardless of any deviation or degradation from the safety design and implementation, or of normal instrument wear and tear. Where the project gives no clear requirement, the SIF design must comply with SRT ≤ 50% of PST (Process Safety Time). |
||||||||||||||||||||||||||||||||||||||||
Safety
Scenario |
Operation
condition that is identified during a HAZOP, which can cause an accident or
operability problem, due to a failure or operation mistake in the Equipment
Under Control (EUC), or due to a failure in the E/E/PE safety-related system. |
||||||||||||||||||||||||||||||||||||||||
Safety
shutdown mode |
See:
“Safe condition” |
||||||||||||||||||||||||||||||||||||||||
Sensor |
See "Initiator",
"Process variable". |
||||||||||||||||||||||||||||||||||||||||
Service Life (SLf) |
Period of time after which a component of a SIF’s Element is to be replaced. |
||||||||||||||||||||||||||||||||||||||||
SIF Decision Logic |
Logic configured in a “Logic Solver” that determines the “SIF output signal” states from the “SIF input signal” states. All SIFs are included in the “SIF decision logic”. |
||||||||||||||||||||||||||||||||||||||||
SIF Input Signal |
It is the signal that provides
information about current condition of a process variable, plant or equipment
to a “Logic Solver” (part of a SIS). It can be of the Analogue or Boolean
type. |
||||||||||||||||||||||||||||||||||||||||
SIF Output Signal |
The output signal of a “Logic Solver” (part of a SIS) that is sent to a trip device in the plant or equipment in order to set a final safety element to its NORMAL or SAFE state, which in conjunction with the other final safety elements moves the plant/equipment operation to the SAFE condition. |
||||||||||||||||||||||||||||||||||||||||
Signal |
It is
an indication, such as a gesture, colored light, electric current or
electromagnetic field, which serves as a means of communication from one
place to another one. |
||||||||||||||||||||||||||||||||||||||||
Soft Reset |
Manual
RESET command signal (see “Command signal, Manual RESET”) that is implemented
in the ICSS HMI. |
||||||||||||||||||||||||||||||||||||||||
Spurious Trip |
Refers to the shutdown of the
process for reasons not associated with a problem in the process that the SIF
is designed to protect (e.g., the trip resulted due to a hardware fault,
software fault, transient, ground plane interference, etc.). Other terms used
include nuisance trip and false shutdown. |
||||||||||||||||||||||||||||||||||||||||
Spurious Trip Rate |
The expected rate (number of trips
per unit time) at which a trip of the SIF can occur for reasons not |
||||||||||||||||||||||||||||||||||||||||
Conceptual SRS |
“Safety Requirements Specification” (SRS) document that is prepared during the project detail design phase. It MAY NOT include the information on the devices finally selected for the SIF implementation, nor the information verified with the VENDOR, BUT it shall include clear requirements for specifying the SIF’s devices, how the devices will be connected, which “Diagnostics” are required inside each device or as part of a configuration in the “Logic Solver” (or other systems), the DCS-SIS communication, the SIF HMI in the DCS, etc. |
||||||||||||||||||||||||||||||||||||||||
SRS, Process Safety SRS |
See “Conceptual SRS”. |
||||||||||||||||||||||||||||||||||||||||
SRS, Detailed Design SRS |
“Safety
Requirements Specification” (SRS) document that is prepared at the end of
project detail design, or end of SIS FAT. It shall include the final SIF
design/installation information and all the information missing or pending
for verification in the “Conceptual SRS”. |
||||||||||||||||||||||||||||||||||||||||
Safety Requirements Specification |
Specification
containing the safety requirements for just one, or ALL, “Safety Instrumented
Functions” (SIFs) that have to be performed by the “Safety Instrumented
System” (SIS). In a project, it shall include: the associated target safety
integrity levels, target Spurious Trip Rate, target Safety Time,
Interlock/Reset procedures, interface logic with external systems, etc. |
||||||||||||||||||||||||||||||||||||||||
Proof
test where a safety valve is stroked fully or partially from its NORMAL to its SAFE position, in
order to verify that it is in good condition to perform its safety
function when it is required. |
|||||||||||||||||||||||||||||||||||||||||
T |
|
||||||||||||||||||||||||||||||||||||||||
Transmitter |
Device that reads the process variable value from the Sensor, then amplifies/normalizes/converts it to a standard communication protocol and sends that value (the SIF Input Signal) to the “Trip criterion”. Nowadays some communication protocols also carry “Sensor/Transmitter” configuration and status information. |
||||||||||||||||||||||||||||||||||||||||
Trip criterion |
Logic applied to one (1) or more “SIF input signal(s)” to determine whether such value (or group of values) is in the NORMAL or in the TRIP state. |
||||||||||||||||||||||||||||||||||||||||
Trip device |
This device can be a Solenoid
Valve (SOV), a relay, a “Smart Position Transmitter” (SmPosT),
etc. The “Trip device” can be in the NORMAL or SAFE state. |
||||||||||||||||||||||||||||||||||||||||
Trip
logic |
See
“Trip criterion”. |
||||||||||||||||||||||||||||||||||||||||
Trip setting |
Value that an analogue signal (input of a SIF) must go above or below for that signal to change from the NORMAL state to the TRIP state. |
||||||||||||||||||||||||||||||||||||||||
Trip
setting logic |
See
“Trip criterion”. |
||||||||||||||||||||||||||||||||||||||||
TRIP state |
It is the value, position, mode or
condition of a “SIF input signal” when such signal abandons the “NORMAL
state”. This change is detected by a “Trip criterion”. |
||||||||||||||||||||||||||||||||||||||||
Trip value |
See "Trip setting". |
||||||||||||||||||||||||||||||||||||||||
Type A element (SIF’s Device) |
“Non-Complex” SIF device. An element can be regarded as type
A if, for the components required to achieve the safety function |
||||||||||||||||||||||||||||||||||||||||
“Complex” SIF
device (typically using microcontrollers or programmable logic). An element shall be regarded as
type B if, for the components required to achieve the safety function, |
|||||||||||||||||||||||||||||||||||||||||
U |
|
||||||||||||||||||||||||||||||||||||||||
UnDetected Failure; Safe Undetected Failure Rate (λSU) |
In relation to hardware: a failure that is not detected by the diagnostic tests, by proof tests, by operator intervention (for example physical inspection and manual tests), or through normal operation. NOTE: in practice the above definition SHALL NOT include the automatic diagnostic tests; ONLY proof tests and operator intervention (including normal operation observation) shall apply. |
||||||||||||||||||||||||||||||||||||||||
V |
|
||||||||||||||||||||||||||||||||||||||||
Voting logic |
Logic applied to “Trip criterion” outputs and/or directly to “SIF Input Signals”, in order to determine whether their combined condition is in the NORMAL or in the TRIP state. See “Safety Channel Architecture”. |