Vertigo™ SIS Lifecycle Management software conformance with VDE/VDI 2180 Part 3
In response to enquiries from German SIS Engineering, Kenexis has performed an assessment of our Vertigo SIS Safety Lifecycle Management Software in relation to the requirements contained in German standard VDI/VDE 2180 Part 3 – Functional Safety in the Process Industry – Verification of Probability of Failure on Demand. In summary, Kenexis meets all requirements contained in the standard and provides much more functionality than the standard requires. Kenexis performed a line-by-line review of all requirements to come to our conclusion. Some additional notes that were generated while we performed our review are shown below.
In some cases, the terminology used in VDE/VDI 2180 is different from IEC 61511, for instance in Figure 2 the terms MTTR and MDT are used as mean to to repair and mean down time, whereas IEC 61511 would use MRT and MTTR (i.e., mean repair time and mean time to restoration) for these concepts. Kenexis software is and will remain consistent with the IEC 61511 standard for nomenclature.
VDE/VDI 2180 Clause 7.2 Step 2 discusses calculation of the overall impact when subsystems have multiple groups – for instance a SIF might have 2oo3 voting pressure transmitters and 2oo3 voting temperature transmitters that are both capable of detecting a hazardous condition. VDE/VDI 2180 says that the PFD contributions from the groups should be summed – which implies if any group fails, the SIF fails. In Vertigo, we will implement this math if XooX group voting is selected. But Vertigo also allows 1ooX voting where ALL of the groups must fail for the SIF to fail.
VDE/VDI 2180 Clause 7.3 provides equations for various voting arrangements, but only for the contribution of dangerous undetected failures (du) and common cause failures. Kenexis Vertigo includes these sources of unavailability, but also allows for the contribution to PFD of never detected failures (DN) and dangerous detected failures that do not result in plant shutdown (DD), and even contribution to PFD associated with online testing (OT). Our equation sets exceed the minimal requirements in VDE/VDI 2108.
VDE/VDI 2180 Clause 7.3 provides information for diverse equipment in a voting arrangement. Kenexis Vertigo only allows one failure rate for a voting arrangement. If diverse devices are used, the most conservative value can be used to represent the group, or a Kenexis Arbor fault tree can be used to calculate the PFD of the subsystem and be linked into Vertigo as a “Black Box Model – BBM”.
VDE/VDI 2180 Clause 7.3.2 introduces the concept of staggered testing. Kenexis Vertigo software does not support calculations for staggered testing, if they occur, they will need to be modeled separately and entered into Vertigo as a Black Box Model. Of course, staggered testing virtually never happens in practice – so this is not an issue for any of our users.
VDE/VDI 2180 Clause 8 discusses reliability data provisioning. The Kenexis Vertigo failure rate database is consistent with this clause as we provide data from equipment vendors for certified equipment and also provide generic data based on field results. Generic data is calculated using a single sided confidence limit of 70% as prescribed in IEC 61511. Kenexis Vertigo does not contain the NAMUR database of generic failure rate data, but a Vertigo user can easily build their own custom library and enter this data in for their own use.
Overall, our software greatly exceeds the requirements of VDE/VDI 2180 Part 3, so German engineers can be assured that use of Kenexis Vertigo for SIS safety lifecycle management will meet their requirements.