Safety Functions in Different Operational Modes and IEC 61508 in the Hydropower Industry
Technical systems that comprise at least one electrical, electronic, or programmable electronic device and perform safety functions are called safety instrumented systems. Safety instrumented systems are used to reduce the risk of hazardous events that may result in undesired consequences for humans, the environment, and assets, and the reliability of such systems is therefore important. The international standard IEC 61508 can be used to ensure safe and reliable safety instrumented systems, and it applies to all types of safety instrumented systems. Based on IEC 61508, the process industry and the machinery industry have developed their own versions, IEC 61511 and IEC 62061, respectively. IEC 61508 includes requirements for all activities necessary for achieving reliable safety instrumented systems throughout their whole lifecycle, and the standard introduces concepts and terminology that can be challenging to understand. Some basic concepts and terminology in IEC 61508 are clarified in this master thesis.

A safety function, performed by a safety instrumented system, may be demanded anywhere from seldom to continuously. IEC 61508 distinguishes between safety functions that are demanded less frequently and more frequently than once per year, and these two modes of operation are called low-demand and high-demand, respectively. Furthermore, the standard requires that different reliability measures are used for demonstrating the reliability of the safety instrumented systems performing low-demand and high-demand safety functions. In two examples, the two reliability measures are applied, and the calculated results show that there is an inconsistency in the classification of safety functions in IEC 61508. This inconsistency is, however, not experienced with the classification in IEC 61511, and the approach in IEC 61511 seems better. Other differences between low-demand and high-demand safety functions are not well explained in IEC 61508. Because IEC 61511 considers mainly low-demand safety functions and IEC 62061 considers only high-demand safety functions, specific requirements in these two standards are compared to reveal possible differences between low-demand and high-demand. It is concluded that there are essentially no differences between the compared requirements.

Based on the event "loss of control" in an accident scenario, a new approach for classifying safety functions is proposed. A definition of loss of control is suggested, and it distinguishes between safety control functions and safety protection functions. These two functions are further related to two additional events in an accident scenario, and a model that illustrates the proposed classification in relation to the three events in an accident scenario is developed. The proposed classification is neither based on the frequency of demands nor does it prescribe the use of a specific reliability measure, and the classification is thus different from the classification in IEC 61508. The proposed classification is more similar to the classification in IEC 61511.

Safety instrumented systems are used in the hydropower industry, but IEC 61508 is essentially not yet applied there. The Machinery Directive requires machine manufacturers to meet the essential health and safety requirements, and some of these requirements can, for safety instrumented systems in machines, be met by complying with IEC 62061. Because IEC 62061 is based on IEC 61508, this constitutes a relationship between IEC 61508 and the hydropower industry. From the perspective of a typical company operating hydropower plants in the Norwegian hydropower industry, some benefits and challenges related to the implementation and use of IEC 61508 are discussed. IEC 61508 provides a rigorous, risk-based approach for achieving reliable safety instrumented systems, and many of the concepts in the standard could be very useful in the hydropower industry. However, the standard is comprehensive, and extensive resources and competence are prerequisites for successful implementation and use. It is concluded that IEC 61508 may not be what the hydropower industry needs, and that a joint project for developing a unified approach for ensuring reliable safety instrumented systems may be a better option.
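The abstract refers to the two reliability measures IEC 61508 prescribes for the two modes of operation without naming them: the average probability of failure on demand (PFDavg) for low-demand functions and the average frequency of dangerous failure per hour (PFH) for high-demand functions, each with its own table of SIL target bands. The following is an added example, not one of the thesis's two worked examples, that computes both measures for one simple safety function and shows how the mode classification alone changes the SIL the same hardware can claim. It assumes a single-channel (1oo1) architecture, a constant dangerous undetected failure rate, perfect periodic proof testing, and the simplified textbook formulas PFDavg ≈ λDU·τ/2 and PFH ≈ λDU; the numerical parameters are constructed for illustration.

```python
"""Compare the IEC 61508 low-demand and high-demand reliability measures
for one safety function.

Added example, not code or results from the thesis. Assumptions:
- 1oo1 architecture, constant dangerous undetected failure rate lambda_du (per hour)
- periodic proof test with interval tau (hours), perfect test and repair
- simplified formulas: PFDavg ~= lambda_du * tau / 2 and PFH ~= lambda_du
"""
from typing import Optional, Tuple

# SIL target bands from IEC 61508-1: (lower bound inclusive, upper bound exclusive).
# Low-demand mode uses PFDavg (dimensionless); high-demand mode uses PFH (per hour).
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def pfd_avg_1oo1(lambda_du: float, tau_hours: float) -> float:
    """Average probability of failure on demand for a 1oo1 channel (simplified)."""
    return lambda_du * tau_hours / 2


def pfh_1oo1(lambda_du: float) -> float:
    """Average frequency of dangerous failure per hour for a 1oo1 channel (simplified)."""
    return lambda_du


def sil_from_band(value: float, bands: dict) -> Optional[int]:
    """Return the SIL whose band contains value, or None if outside SIL 1..4."""
    for sil in (4, 3, 2, 1):
        lower, upper = bands[sil]
        if lower <= value < upper:
            return sil
    return None


def classify_mode(demands_per_year: float) -> str:
    """IEC 61508 mode of operation: low-demand if demanded no more than once per year."""
    return "low-demand" if demands_per_year <= 1.0 else "high-demand"


def achieved_sil(lambda_du: float, tau_hours: float,
                 demands_per_year: float) -> Tuple[str, float, Optional[int]]:
    """Pick the measure required for the mode and map it to a SIL band."""
    mode = classify_mode(demands_per_year)
    if mode == "low-demand":
        measure = pfd_avg_1oo1(lambda_du, tau_hours)
        return mode, measure, sil_from_band(measure, PFD_BANDS)
    measure = pfh_1oo1(lambda_du)
    return mode, measure, sil_from_band(measure, PFH_BANDS)


if __name__ == "__main__":
    # Constructed parameters: lambda_du = 1e-6 per hour, yearly proof test (8760 h).
    LAMBDA_DU, TAU = 1e-6, 8760.0
    # Same hardware, two demand rates on either side of the once-per-year boundary.
    for demands in (0.5, 2.0):
        mode, measure, sil = achieved_sil(LAMBDA_DU, TAU, demands)
        print(f"{demands} demands/yr -> {mode}: measure={measure:.2e}, SIL {sil}")
```

With these assumptions the identical channel is SIL 2 when classed as low-demand (PFDavg = 4.38e-3) but only SIL 1 when classed as high-demand (PFH = 1e-6 per hour), which is the kind of mode-dependent result the abstract describes as an inconsistency in the IEC 61508 classification.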