Post on 18-Jul-2015
Luis Avila
Functional Safety Engineer TUV #
Safety Life Cycle Seminar for the Process Industry Sector
Not all activities in life are safe…
…and we have different levels of risk tolerance
[Figure: two overlapping sets of safety activities]
Personal (occupational) safety: Fall prevention; Personal protective equipment; Structural design; Ergonomics; Work schedules; Total recordables
Shared by both: Employee training; Mechanical integrity; Management of change; Policies & procedures
Process safety: Inherently safer design; Functional safety; Risk assessments; Facility siting; Emergency response; Safety audits
Bhopal, India, 1984
Chernobyl, Ukraine (then USSR), 1986
Piper Alpha, UK, 1988
Texas City Refinery, USA, 2005
Why do accidents happen?
“You can have a very good accident rate for ‘hard hat’ accidents but not for process ones.”
“The fact that you’ve had 20 years without a catastrophic event is no guarantee that there won’t be one tomorrow.”
Functional Safety
Functional safety word cloud: IEC 61511, PFDavg, LOPA, RRF, SIS, HAZOP, SRS, PHA, IEC 61508, FMEDA, BPCS, SIL, SIF
The purpose of Process safety management is to reduce the frequency and severity of potentially catastrophic chemical accidents
IEC 61508: all industries
IEC 61511: process industry sector
IEC 62061: machinery sector
IEC 61513: nuclear sector
IEC 61508 is written for product designers and manufacturers; the sector standards (IEC 61511, IEC 62061, IEC 61513) are written for system designers, integrators and users.
ISA 84.01 mirrors IEC 61511
Source: http://www.wordle.net/show/wrdl/2276332/IEC_61511
BPCS
• Basic Process Control System
• Also: DCS, PAS
• PID control
• Discrete control
• Sequencing
• Batch automation
• Dynamic
[Figure: BPCS loop = transmitter → controller → control element, with an operator workstation; SIS loop = transmitter → logic solver → final element]
SIS
• Safety Instrumented System
• Emergency Shutdown (ESD)
• Burner Management System (BMS)
• Fire & Gas System (FGS)
A Safety Instrumented System (SIS) is defined as an instrumented system used to implement one or more safety instrumented functions (SIFs), composed of any combination of sensor(s), logic solver(s) and final element(s). These systems are designed to take action to bring the equipment under control to a safe state when a process is beyond the range of normal operating limits and the other layers of control, including operators and the basic process control system (BPCS), are unable to keep the process within safe operating limits.
ICSS (Integrated Control and Safety System): BPCS + SIS
Safety function | Process condition | What to do | SIL
SIF #1 | High level | Drive output 1 | 1
SIF #2 | High pressure | Drive outputs 1 + 2 | 3
PHA: identify hazards; evaluate safeguards
SRS: define SIFs; define the SIL for each SIF
Design: specify devices; design the architecture
Verify: verify that the achieved SIL meets the SRS
PHA methods: HAZOP, What If?, Checklist, FMEA, Fault Tree, Event Tree, LOPA
SIL | General description
4 | Catastrophic community impact
3 | Employee & community impact
2 | Major property and production impact; possible injury to employee
1 | Minor property and production impact

SIF #1: PT-101 → logic solver → FV-101
PFD(SIF1) = PFD(PT-101) + PFD(logic solver) + PFD(FV-101)

SIL | PFDavg | RRF
4 | ≥10^-5 to <10^-4 | >10,000 to ≤100,000
3 | ≥10^-4 to <10^-3 | >1,000 to ≤10,000
2 | ≥10^-3 to <10^-2 | >100 to ≤1,000
1 | ≥10^-2 to <10^-1 | >10 to ≤100
Source: IEC 61511-1, Table 3 – Safety Integrity Levels: probability of failure on demand
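The additive SIF model and the SIL/RRF table above, as an added Python example (this is not code from the seminar). It sums the subsystem PFDavg values of a SIF, classifies the result into the IEC 61511-1 Table 3 band, reports the risk reduction factor, and names the subsystem that dominates the PFD. The component PFD values for SIF #1 and SIF #2 are constructed for illustration, not vendor data.

```python
# Added example (not from the seminar slides): classify a SIF by the IEC 61511-1 Table 3
# PFDavg bands, using the simplified additive model shown on the slide:
#   PFD(SIF) = PFD(sensor) + PFD(logic solver) + PFD(final element)
# The component PFD values used below are constructed illustrative numbers.

# (SIL, lower bound inclusive, upper bound exclusive) for PFDavg in demand mode
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_from_pfd(pfd_avg):
    """SIL achieved by a PFDavg; 0 if PFDavg >= 0.1 (no SIL). Below 1e-5 is outside the table."""
    if pfd_avg < 1e-5:
        raise ValueError("PFDavg below 1e-5: outside the IEC 61511 table (SIL 4 floor)")
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 0


def risk_reduction_factor(pfd_avg):
    """RRF = 1 / PFDavg."""
    return 1.0 / pfd_avg


def sif_pfd(component_pfds):
    """Simplified SIF PFDavg: the sum of the subsystem PFDavg values (valid while each term << 1)."""
    return sum(component_pfds.values())


def evaluate_sif(name, component_pfds, required_sil):
    """Compare the achieved SIL of a SIF against the SIL the SRS requires for it."""
    pfd = sif_pfd(component_pfds)
    achieved = sil_from_pfd(pfd)
    # The subsystem with the largest PFD is where architecture or proof-test changes pay off.
    dominant = max(component_pfds, key=component_pfds.get)
    return {
        "sif": name,
        "pfd_avg": pfd,
        "rrf": risk_reduction_factor(pfd),
        "sil": achieved,
        "meets_srs": achieved >= required_sil,
        "dominant": dominant,
    }


if __name__ == "__main__":
    # Constructed numbers for the SIF #1 loop on the slide (PT-101, logic solver, FV-101)
    sif1 = {"PT-101": 2.1e-3, "logic solver": 1.0e-4, "FV-101": 9.5e-3}
    # Constructed numbers for a SIL 3 high-pressure SIF
    sif2 = {"PT-102": 5.0e-4, "logic solver": 1.0e-4, "valves": 3.0e-4}
    for sif, required in ((sif1, 1), (sif2, 3)):
        result = evaluate_sif("SIF", sif, required)
        print(f"PFDavg={result['pfd_avg']:.2e} RRF={result['rrf']:.0f} "
              f"SIL {result['sil']} (required {required}), dominated by {result['dominant']}")
```

With these constructed numbers SIF #1 lands in SIL 1 with the valve contributing about 80% of the PFD, which is the usual picture in the process sector: the final element, not the logic solver, decides the SIL.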
Safety Lifecycle Management
The IEC 61511 safety lifecycle
Functional Safety Management
Safety Management System: organization and resources; risk evaluation and risk management; planning; implementation and monitoring; assessment, auditing and revisions; configuration management
Safety Management System. The SMS should address the following:
Functional safety management
Safety organization: safety leadership team; SIS management team; project leadership
Safety audit and revision
Competency policy
Safety lifecycle
Supporting processes: selection and approval of contractors; selection and approval of supplier equipment; selection and approval of safety tools; safety modification process
Safety Management System and Quality Management System
• Organization and responsibilities
• Competency management
• Documentation structure and control
• Configuration management
• Supplier assessment process
Organization and Responsibilities
Safety Leadership Team: responsible for functional safety policies and procedures; responsible for ensuring that the policies and procedures are implemented by the organization
Safety Management Team: responsible for functional safety management on projects
Project Leadership: competent personnel doing work on the SIS
Safety Roles: each safety role is defined by its safety activities and its competency requirements (management & leadership skills, experience, knowledge & training)
Verification: of each activity / phase
Validation: of the installed and commissioned SIS
Assessment: of the overall process risk
Audit: of procedures, policies and processes
[Figure: the V-model. The Safety Management System frames the lifecycle; the Process Hazards Analysis feeds the Safety Requirements Specification, which sets the objectives of each activity / phase, and each phase is verified against the one before it]
Source: IEC 61511-1, Figure 12 – Software development lifecycle (the V-Model)
Functional safety assessment confirms that:
Hazard and risk assessment is carried out
PHA recommendations are implemented.
Design change procedures are in place and implemented
Recommendations from the previous assessment are resolved
SIS is properly validated against the SRS.
Procedures are in place for the Operate phase.
Employees are trained.
Future assessment plans are in place.
Safety Life-cycle Structure and Planning
Safety Lifecycle Planning: ensure safety through defined criteria, techniques, measures and procedures
Verification Planning
Who?
• Responsible parties
• Levels of independence
What?
• Verification activities
• Items to be verified
• Information to be verified against
When?
• At which points verification will occur
How?
• Procedures, measures, techniques to be used
• Non-conformance management
• Tools and supporting analysis
Safety life-cycle structure
Analysis Phase
Hazard and risk assessment
Allocation of safety functions to protection layers
Source: IEC 61511-3, Figure 4 – Risk and safety integrity concepts
Source: IEC 61511-3, Figure 2
[Figure: layers of protection, from the process outward]
Process control layer: BPCS (normal behavior; process alarm; operator intervention)
Safety layer: SIS / emergency shutdown system (trip level alarm; emergency shutdown): prevent
Active protection layer: fire and gas system: mitigate
Passive protection layer: containment, dike / vessel: mitigate
Emergency response layer: plant and emergency response: mitigate
[Figure: the process value over time crosses the process alarm (operator intervention), then the trip level (emergency shutdown); if every layer fails the result is an incident]
[Figure: risk regions: unacceptable risk region, ALARP risk region, negligible risk region; the inherent risk of the process has to be reduced into the tolerable region]
[Figure: risk graph, likelihood versus consequence. Starting from the baseline (inherent) risk of the process, non-SIS preventative safeguards and non-SIS mitigating safeguards reduce the overall risk; the remaining gap to the tolerable region is the SIS risk reduction, which sets the required SIL (SIL 1, SIL 2 or SIL 3)]
As low as reasonably practicable (ALARP)
Intolerable risk above 10^-3 / man-year (worker) and 10^-4 / year (public)
ALARP or tolerable risk region between the two limits
Negligible risk below 10^-5 / man-year (worker) and 10^-6 / year (public)
Government mandates for tolerable risk levels
[Bar chart, axis 10^-2 to 10^-9 per year: Australia (NSW), Hong Kong, Netherlands, United Kingdom; the bar positions are not recoverable from the slide]
The United States does not set tolerable risk levels, or offer guidelines.
Chemical industry benchmarks for tolerable risk
[Bar chart, axis 10^-2 to 10^-9 per year: Company I, Company II, Company III, small companies; the bar positions are not recoverable from the slide]
Large, multinational chemical companies tend to set levels consistent with international mandates
Smaller companies tend to operate in wider ranges and, implicitly, at higher levels of risk
Quantitative Risk Assessment
Drawbacks:
• Time consuming
• Resource intensive
• Complex, difficult to use
• Qualitative analysis can often produce the same results
Strengths:
• More rigorous
• Least conservative
• Good for complex scenarios
• Better quantification of incremental protection layers
Qualitative Risk Assessment
Drawbacks:
• High subjectivity
• Inconsistent results
• Hard to document the rationale
• Not much resolution between protection layers
Strengths:
• Easy to use
• Good for subjective consequence assessment
• Good for screening and categorizing hazards
• Team approach provides better evaluations
Risk Reduction
Risk is reduced in one of two ways:
Prevention – reducing the likelihood of a risk. No-smoking policies enforced around gasoline pumps reduce the likelihood of a fire, but do not change the consequence of a fire.
Mitigation – reducing the consequence of a risk. Fire insurance reduces the financial consequence of a fire, but does nothing to change the likelihood of a fire.
Either prevention or mitigation will reduce risk. A combination of both may be more effective than either alone.
Prevention – Reducing likelihood
Avoidance – avoiding a hazardous activity altogether
Simplification – minimizing or eliminating the chances for human error or equipment failure
Substitution – replacing process chemicals, technology or process equipment with less hazardous options
Primary containment – using equipment designed or built to higher codes or standards
Process control – using automated procedures and control systems to reduce or limit the demands on the process
Detection and suppression – providing independent active systems which override the normal process when unsafe conditions are detected
Mitigation – Reducing consequence
Reduction – reducing the amount of hazardous chemical used or stored in the process, and reducing the number of dangerous pieces of equipment in use
Dilution – operating with large volumes at reduced concentrations so that the outcome of a release will be less intense
Intensification – operating at more intense conditions so that rates can be maintained with less chemical in the process
Secondary containment – using systems capable of capturing and holding releases until they can be safely treated
Emergency response – providing training, plans and capabilities so that plant staff, public safety personnel and the general public react appropriately to a hazardous event
Hazard and Risk Assessment
Objective: this assessment is conducted to identify the hazards and hazardous events of the process and associated equipment, the process risks, the requirements for risk reduction, and the safety functions necessary to achieve an acceptable level of risk.
Outputs: a description of the hazards, of the required safety function(s), and of the associated risks, including:
Identified hazardous events and contributing factors
Consequences and likelihood of each event
Consideration of operational conditions (startup, normal, shutdown)
Required risk reduction to achieve the required safety
References and assumptions
Allocation of safety functions to layers of protection
Safety functions identified as SIFs
Responsibility: Process manufacturer
Process Hazards and Risk Assessment Methods
PHA methods: HAZOP, What If?, Checklist, FMEA, Fault Tree, Event Tree, LOPA
Fault tree: calculate the probability of the top event from the probabilities of the basic events
Independent OR gate: P = 1 − (1 − P1)(1 − P2)…(1 − Pn), which is approximately P1 + P2 + … + Pn when every Pi is small
Independent AND gate: P = P1 × P2 × … × Pn
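The OR-gate and AND-gate calculations, as an added Python example (not code from the seminar). It evaluates a small nested fault tree of independent basic events and contrasts the exact OR-gate result with the rare-event approximation. The tree and its probabilities are constructed for illustration, loosely following the HAZOP row for vessel high pressure further down; they are not from any real plant.

```python
# Added example, not from the seminar slides: a minimal fault-tree evaluator for
# independent basic events. Gate formulas (standard, stated on the slide only by name):
#   OR  gate: P = 1 - (1 - P1)(1 - P2)...(1 - Pn)
#   AND gate: P = P1 * P2 * ... * Pn
# The tree and all probabilities below are constructed for illustration.


def p_or(probs):
    """Exact probability that at least one of several independent events occurs."""
    none_occur = 1.0
    for p in probs:
        none_occur *= (1.0 - p)
    return 1.0 - none_occur


def p_or_rare_event(probs):
    """Rare-event approximation: the plain sum. Overstates P(OR) when the Pi are not small."""
    return sum(probs)


def p_and(probs):
    """Probability that all of several independent events occur."""
    result = 1.0
    for p in probs:
        result *= p
    return result


def evaluate(node):
    """A node is a probability (basic event) or a (gate, [children]) tuple."""
    if isinstance(node, (int, float)):
        if not 0.0 <= node <= 1.0:
            raise ValueError(f"basic event probability out of range: {node}")
        return float(node)
    gate, children = node
    values = [evaluate(child) for child in children]
    if gate == "OR":
        return p_or(values)
    if gate == "AND":
        return p_and(values)
    raise ValueError(f"unknown gate type {gate!r}")


# Top event: release to the environment. It needs an initiating event AND the failure of
# every independent protection layer. Probabilities are per period considered (constructed).
RELEASE_TREE = ("AND", [
    ("OR", [0.10, 0.02]),   # initiating event: BPCS level control fails OR external fire
    0.10,                   # operator fails to act on the high-pressure alarm
    ("OR", [0.05, 0.01]),   # deluge system fails: pump fails to start OR deluge valve stuck
])


def top_event_probability(tree=RELEASE_TREE):
    return evaluate(tree)


if __name__ == "__main__":
    print(f"P(release) = {top_event_probability():.3e}")
    print(f"initiating event: exact OR {p_or([0.10, 0.02]):.4f}, "
          f"rare-event sum {p_or_rare_event([0.10, 0.02]):.4f}")
```

Both gate formulas assume the inputs are independent. The SRS item "identified common cause failures" exists precisely because that assumption fails for redundant channels sharing a power supply, a process tap or a maintenance crew; a common-cause term has to be added to the tree rather than multiplied away.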
Item | Deviation | Causes | Consequences | Safeguards | Action
Vessel | High level | Failure of BPCS | High pressure | Operator | -
Vessel | High pressure | 1) High level; 2) External fire | Release to environment | 1) Alarm, operator, protection layer; 2) Deluge system | Evaluate conditions for release to environment
Vessel | Low / no flow | Failure of BPCS | No consequence of interest | - | -
Vessel | Reverse flow | - | No consequence of interest | - | -
Qualitative risk analysis – Safety layer matrix (SIL requirement)
Columns: number of non-SIS protection layers (1, 2, 3), each split by consequence frequency category (Low / Med / High). Rows: consequence severity category. Cells left blank on the slide are shown as "-".
Severity  | 1 layer: Low Med High | 2 layers: Low Med High | 3 layers: Low Med High
Extensive | 3 3 3*                | 1 2 3                  | - 1 1
Serious   | 1 2 3                 | - 1 2                  | - - -
Minor     | - 1 2                 | - - 1                  | - - -
Process Industry I/O by Safety Integrity Level: SIL 1 51%; SIL 2 32%; SIL 3 8%; SIL 4 1%; no SIL 8%
Source: Exida, Safety and Critical Control Systems in Process and Machine Automation, July 2007
Safety Requirement Specification
The SRS specifies the requirements for the SIS in terms of the required safety instrumented functions in order to achieve the required functional safety.
Responsibility: Process manufacturer with support from the engineering contractor and/or SIS supplier
The SRS should include:
All SIFs necessary for the required functional safety
Identified common cause failures
Defined safe state for each SIF (normally energized, normally de-energized)
Demand rate for the SIFs
Proof test intervals
Response time required
SIL for each SIF
SIS process measurements and trip points
SIS process outputs for successful operation
Relationship of inputs, outputs and logic required
Manual shutdown, override, inhibit and bypass requirements
Starting up and resetting the SIS
Allowable spurious trip rate
SIF requirements for each operational mode
Mean time to repair for the SIS
Identified dangerous combinations of SIS output states
Identified extreme environmental conditions
Identified normal and abnormal modes, and requirements for the SIS to survive a major event
Primary Causes of SIS Failure
Specification 44%; changes after commissioning 21%; operation and maintenance 15%; design and implementation 14%; installation and commissioning 6%
Source: Health and Safety Executive (UK)
Implementation Phase
Design and Engineering of the Safety Instrumented System
Select technology → select architecture → determine test philosophy → reliability evaluation → detailed design. Iterate if the requirements are not met.
Technology selection: sensors
– Analog vs. discrete signal
– Smart vs. conventional transmitter
– Certified vs. proven-in-use
Sensor sales by measurement type: pressure 50%; fire and gas 21%; temperature 13%; flow 8%; level 8%
[Figure: for an SIS application the device PFD has to be justified either by certification (the manufacturer proves it is safe) or by prior use (the user proves it is safe)]
Technology selection: logic solver
– Relays vs. PLC vs. safety PLC
– HART I/O vs. conventional analog
– Centralized vs. modular
– Integrated vs. standalone
Safety PLC (SIS logic solver) architectures: 1oo2, 2oo3, 2oo2, 1oo2D, 2oo4
Centralized logic solver
– 100's of SIFs in one box
– Good for large projects
– Single point of failure
Modular logic solver
– Isolates SIFs
– Scalable for large & small projects
– Eliminates the single point of failure
Source: ARC Advisory Group
Technology selection: final element
– Solenoid vs. DVC
– Automated vs. manual diagnostics
– Response time considerations
[Figure: PFD versus proof test interval (years) with the SIL 2 band marked; a longer interval raises the PFDavg]
Architecture selection
Hardware fault tolerance (HFT) impacts performance
– Safety integrity
– Availability
– SIL capability
Architecture (MooN) | 1oo1 | 2oo2 | 1oo2
Valve count (N)     | 1    | 2    | 2
Number to trip (M)  | 1    | 2    | 1
Safety HFT          | 0    | 0    | 1
Availability HFT    | 0    | 1    | 0
HFTs(MooN) = N – M
HFTa(MooN) = M – 1
[Figure: valve arrangements for 1oo1 (one valve), 2oo2 (valve 1 and valve 2) and 1oo2 (valve 1 and valve 2)]
Failure categories: dangerous undetected (DU); dangerous detected (DD); safe detected (SD); safe undetected (SU)
Safe failure fraction (SFF): the share of the total failure rate that is either safe or dangerous-but-detected, (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)
Device type | SFF | HFTs = 0 | HFTs = 1
Type A | <60% | SIL 1 | SIL 2
Type A | 60% to <90% | SIL 2 | SIL 3
Type A | 90% to <99% | SIL 3 | SIL 4
Type A | ≥99% | SIL 3 | SIL 4
Type B | <60% | Not allowed | SIL 1
Type B | 60% to <90% | SIL 1 | SIL 2
Type B | 90% to <99% | SIL 2 | SIL 3
Type B | ≥99% | SIL 3 | SIL 4
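The SFF, the two HFT formulas and the SIL-capability table above, combined in one added Python example (not code from the seminar). It computes the SFF from the four failure categories, the safety and availability HFT of an MooN subsystem, and the maximum SIL the subsystem may claim for a Type A or Type B device. The failure-rate split is constructed to match the 7% DU / 66% DD / 27% SU split that appears later in the deck; the absolute rates are illustrative only.

```python
# Added example, not from the seminar slides: SFF, hardware fault tolerance and SIL
# capability for an MooN subsystem built from one device model. Failure rates are
# constructed (they reproduce the 7 % DU / 66 % DD / 27 % SU split shown later in the deck).


def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU): everything except dangerous undetected."""
    total = lam_sd + lam_su + lam_dd + lam_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lam_sd + lam_su + lam_dd) / total


def hft_safety(n, m):
    """Dangerous failures tolerated before the subsystem can no longer trip: N - M."""
    return n - m


def hft_availability(n, m):
    """Safe failures tolerated before a spurious trip: M - 1."""
    return m - 1


# Per device type: (upper SFF bound, exclusive; max SIL at HFTs = 0; max SIL at HFTs = 1).
# A SIL of 0 means "not allowed". The last bound is above 1.0 so that SFF = 100 % matches.
SIL_CAPABILITY = {
    "A": [(0.60, 1, 2), (0.90, 2, 3), (0.99, 3, 4), (1.01, 3, 4)],
    "B": [(0.60, 0, 1), (0.90, 1, 2), (0.99, 2, 3), (1.01, 3, 4)],
}


def sil_capability(sff, hfts, device_type):
    """Maximum SIL a subsystem of this type, SFF and safety HFT can claim; 0 = not allowed."""
    if device_type not in SIL_CAPABILITY:
        raise ValueError("device type must be 'A' or 'B'")
    if hfts not in (0, 1):
        raise ValueError("the table on the slide covers HFTs = 0 and HFTs = 1 only")
    for upper, sil_hft0, sil_hft1 in SIL_CAPABILITY[device_type]:
        if sff < upper:
            return sil_hft0 if hfts == 0 else sil_hft1
    raise AssertionError("unreachable: SFF cannot exceed 1.0")


def subsystem_capability(rates, n, m, device_type):
    """rates = (λSD, λSU, λDD, λDU) in failures/hour for one device; N devices, M needed to trip."""
    sff = safe_failure_fraction(*rates)
    hfts = hft_safety(n, m)
    return {
        "sff": sff,
        "hfts": hfts,
        "hfta": hft_availability(n, m),
        "max_sil": sil_capability(sff, hfts, device_type),
    }


if __name__ == "__main__":
    # Constructed split: no SD, 27 % SU, 66 % DD, 7 % DU of a 1e-6 /h total failure rate
    valve = (0.0, 27e-8, 66e-8, 7e-8)
    for arch, (n, m) in {"1oo1": (1, 1), "1oo2": (2, 1), "2oo2": (2, 2), "2oo3": (3, 2)}.items():
        cap = subsystem_capability(valve, n, m, "B")
        print(f"{arch}: SFF {cap['sff']:.0%}, HFTs {cap['hfts']}, HFTa {cap['hfta']}, "
              f"max SIL {cap['max_sil']}")
```

For the same Type B device, 1oo1 and 2oo2 stop at SIL 2 while 1oo2 and 2oo3 reach SIL 3: the table rewards safety HFT, and 2oo2 buys availability (HFTa = 1) without adding any safety fault tolerance.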
Proof test philosophy
Proof test frequency
– 5 yrs, 1 yr, 6 mos, 3 mos?
Online vs. offline proof testing
Turnaround schedule?
Total SIF proof test, or proof test the components on different intervals?
Reliability evaluation
Confirm that performance meets specifications
– Safety integrity (PFD)
– Availability (MTTFs)
– Response time
Simplified formulas (λD = dangerous failure rate, λS = safe failure rate, T = proof test interval):
Architecture | Average probability of failure on demand (PFDavg) | Spurious trip rate (STR)
1oo1 | λD·T / 2 | λS
1oo2 | (λD·T)² / 3 | 2·λS
2oo2 | λD·T | 2·λS² / (3·λS + 2/T)
2oo3 | (λD·T)² | 6·λS² / (5·λS + 2/T)
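The PFDavg and STR formulas in the table above, swept over the proof test intervals asked about under "Proof test philosophy" (5 yrs, 1 yr, 6 mos, 3 mos), as an added Python example (not code from the seminar). It shows how the interval and the MooN architecture together decide the SIL band a subsystem reaches, and how the redundant architectures trade PFD against spurious trips. The failure rates are constructed illustrative numbers; the SIL bands are IEC 61511-1 Table 3.

```python
# Added example, not from the seminar slides: PFDavg and spurious trip rate for the MooN
# architectures using the simplified formulas in the table above, swept over proof test
# intervals. λD and λS below are constructed values in failures per hour.
# The simplified formulas assume λD·T << 1; at the 5-year interval this is already strained.

HOURS_PER_YEAR = 8760.0
INTERVALS_YEARS = (5, 1, 0.5, 0.25)   # 5 yrs, 1 yr, 6 mos, 3 mos from the slide


def pfd_avg(arch, lam_d, t):
    """Average probability of failure on demand; lam_d in failures/hour, t in hours."""
    if arch == "1oo1":
        return lam_d * t / 2
    if arch == "1oo2":
        return (lam_d * t) ** 2 / 3
    if arch == "2oo2":
        return lam_d * t
    if arch == "2oo3":
        return (lam_d * t) ** 2
    raise ValueError(f"no formula for {arch}")


def spurious_trip_rate(arch, lam_s, t):
    """Spurious trip rate in trips/hour, using the slide's formulas."""
    if arch == "1oo1":
        return lam_s
    if arch == "1oo2":
        return 2 * lam_s
    if arch == "2oo2":
        return 2 * lam_s ** 2 / (3 * lam_s + 2 / t)
    if arch == "2oo3":
        return 6 * lam_s ** 2 / (5 * lam_s + 2 / t)
    raise ValueError(f"no formula for {arch}")


def sil_from_pfd(pfd):
    """IEC 61511-1 Table 3 band for a PFDavg; 0 if PFDavg >= 0.1 (no SIL)."""
    if pfd < 1e-5:
        raise ValueError("PFDavg below 1e-5: outside the IEC 61511 table")
    for sil, lo in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if lo <= pfd < lo * 10:
            return sil
    return 0


def interval_sweep(arch, lam_d, years=INTERVALS_YEARS):
    """{interval_years: (pfd_avg, sil)} for one architecture."""
    out = {}
    for y in years:
        pfd = pfd_avg(arch, lam_d, y * HOURS_PER_YEAR)
        out[y] = (pfd, sil_from_pfd(pfd))
    return out


def longest_interval_for_sil(arch, lam_d, target_sil, years=INTERVALS_YEARS):
    """Longest candidate proof test interval at which the architecture still meets target_sil."""
    for y in sorted(years, reverse=True):
        if sil_from_pfd(pfd_avg(arch, lam_d, y * HOURS_PER_YEAR)) >= target_sil:
            return y
    return None


if __name__ == "__main__":
    lam_d, lam_s = 5e-6, 1e-5   # constructed: dangerous and safe failure rates per hour
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        row = ", ".join(f"{y}y: {pfd:.1e} (SIL {sil})" for y, (pfd, sil) in interval_sweep(arch, lam_d).items())
        trips_per_year = spurious_trip_rate(arch, lam_s, HOURS_PER_YEAR) * HOURS_PER_YEAR
        print(f"{arch}: {row}; STR {trips_per_year:.3f} /yr at T = 1 yr")
```

With these numbers a 1oo1 subsystem needs a quarterly proof test to reach SIL 2 and at five years does not even reach SIL 1, while 1oo2 reaches SIL 3 at an annual test but doubles the spurious trip rate; 2oo3 keeps most of the PFD benefit with a far lower STR, which is why it is the common choice for logic solvers and transmitters.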
Detailed design & build
Instrument design / specifications
Wiring drawings
Hardware design & build
Software design & implementation
BPCS / SIS integration
Factory acceptance testing
Factory Acceptance Testing (FAT)
Black box functionality tests
Performance tests
Environmental tests
Interface testing
Degraded mode tests
Exception testing
Installation, Commissioning and Validation
Installation: install the SIS according to specifications and drawings
Commissioning: commission the SIS so that it is ready for final system validation
Validation: validate, through inspection and testing, that the SIS achieves the requirements stated in the SRS
Validation is the key difference between control and safety systems.
Operation Phase
Operation and Maintenance Planning
Who?
• Responsible parties
• Competence and training
What?
• Routine and abnormal operation activities
• Proof testing and repair maintenance activities
• Recording of events and performance
When?
• Proof testing frequencies
• On process demand
• On failure of SIS
How?
• Procedures, measures, techniques to be used
• Non-conformance management
• Tools and supporting analysis
Procedures and training
Operation
Bypasses
Proof testing
Inspection
Performance monitoring
Maintenance and repair
Modification
Proof Testing
• Reveals dangerous faults undetected by diagnostics
• Entire SIS tested: sensors, logic solver, final element
• Frequency determined during SIF design
Inspection
• Ensures no unauthorized changes or deterioration of equipment
Tests and Inspections Documentation
Description of tasks performed
Dates performed
Name of person(s) involved
Identifier of system (loop, tag, SIF name)
Results (“as-found” and “as-left”)
Failure split shown on the slide: fail dangerous detected 66%; fail safe undetected 27%; fail dangerous undetected 7%; SFF = 93%. Proof testing uncovers the DU failures.
Sensor testing options
• Safely test the SIF using actual process variables
• Test sensors in situ by other means
• Perform a wiring continuity test
• Remove the sensor and test it on the bench
• Use smart features to test electronics and wiring continuity
Example – Rosemount 3051S proof test
Proof test 1: analog output loop test; satisfies the proof test requirement; coverage > 50% of DU failures
Proof test 2: 2-point sensor calibration check; coverage > 95% of DU failures
Note – user to determine the impulse piping proof test
Valve Testing Options
Offline
• Total stroke
• Process is down
Online
• Total stroke, with by-pass in service
• Component test (solenoid valve)
• Partial stroke
Conventional testing methods
• Process unprotected during testing
• SIF not returned to normal after testing
• Risk of spurious trip
• Manually initiated in the field
• Manpower intensive
• Subject to error
[Figure: PFD versus proof test interval (years) with the SIL 2 band marked]
Source: Instrument Engineers’ Handbook, Table 6.10e – Dangerous Failures, Failure Modes, and Test Strategy
Failure | Failure mode | Partial stroke | Full stroke
Valve packing is seized | Fails to close | X | X
Valve packing is tight | Slow to move | X | X
Actuator air line crimped | Slow to move | X | X
Actuator air line blocked | Fails to close | X | X
Valve stem sticks | Fails to close | X | X
Valve seat is scarred | Fails to seal off | - | X
Seat contains debris | Fails to seal off | - | X
Seat plugged | Fails to seal off | - | X
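The failure-mode table above turned into a partial stroke test coverage and a PFDavg comparison, as an added Python example (not code from the seminar or the Instrument Engineers' Handbook). It weights the table's failure modes by constructed per-mode dangerous undetected failure rates, derives the share of λDU that a partial stroke reveals, and applies the seminar's λD·T/2 model per failure mode: modes the partial stroke reveals are found at the partial stroke interval, seat-sealing modes only at the full stroke. The per-mode rates are illustrative; only their split matters for the coverage figure.

```python
# Added example, not from the seminar or the Instrument Engineers' Handbook: partial stroke
# test (PST) coverage from the failure-mode table, and the valve PFDavg with and without PST.
# First-order model: each failure mode contributes λ·T/2 where T is the interval of the test
# that reveals it. All failure rates below are constructed.

HOURS_PER_YEAR = 8760.0

# (failure, failure mode, revealed by partial stroke, revealed by full stroke) from the table
FAILURE_MODES = [
    ("Valve packing is seized", "Fails to close", True, True),
    ("Valve packing is tight", "Slow to move", True, True),
    ("Actuator air line crimped", "Slow to move", True, True),
    ("Actuator air line blocked", "Fails to close", True, True),
    ("Valve stem sticks", "Fails to close", True, True),
    ("Valve seat is scarred", "Fails to seal off", False, True),
    ("Seat contains debris", "Fails to seal off", False, True),
    ("Seat plugged", "Fails to seal off", False, True),
]

# Constructed dangerous undetected failure rate per failure (failures per hour)
LAMBDA_DU = {
    "Valve packing is seized": 2.0e-7,
    "Valve packing is tight": 1.5e-7,
    "Actuator air line crimped": 0.5e-7,
    "Actuator air line blocked": 1.0e-7,
    "Valve stem sticks": 3.0e-7,
    "Valve seat is scarred": 1.0e-7,
    "Seat contains debris": 1.5e-7,
    "Seat plugged": 0.5e-7,
}


def pst_coverage(modes=FAILURE_MODES, rates=LAMBDA_DU):
    """Fraction of the valve's DU failure rate that a partial stroke test reveals."""
    total = sum(rates[failure] for failure, _, _, _ in modes)
    revealed = sum(rates[failure] for failure, _, pst, _ in modes if pst)
    return revealed / total


def pfd_avg_valve(full_stroke_years, pst_years=None, modes=FAILURE_MODES, rates=LAMBDA_DU):
    """Valve PFDavg: λ·T/2 per failure mode, T being the interval of the test that reveals it."""
    pfd = 0.0
    for failure, _, pst, full in modes:
        lam = rates[failure]
        if pst_years is not None and pst:
            pfd += lam * pst_years * HOURS_PER_YEAR / 2
        elif full:
            pfd += lam * full_stroke_years * HOURS_PER_YEAR / 2
        else:
            raise ValueError(f"{failure}: revealed by no test, it would stay undetected")
    return pfd


def sil_from_pfd(pfd):
    """IEC 61511-1 Table 3 band for a PFDavg; 0 if PFDavg >= 0.1 (no SIL)."""
    if pfd < 1e-5:
        raise ValueError("PFDavg below 1e-5: outside the IEC 61511 table")
    for sil, lo in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if lo <= pfd < lo * 10:
            return sil
    return 0


if __name__ == "__main__":
    print(f"PST coverage of DU failures: {pst_coverage():.1%}")
    for label, kwargs in (("5-year full stroke only", dict(full_stroke_years=5)),
                          ("5-year full stroke + quarterly PST", dict(full_stroke_years=5, pst_years=0.25)),
                          ("annual full stroke only", dict(full_stroke_years=1))):
        pfd = pfd_avg_valve(**kwargs)
        print(f"{label}: PFDavg {pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
```

Quarterly partial stroking lifts this constructed valve from SIL 1 to SIL 2 without a turnaround, but the uncovered seat-sealing modes still sit at the five-year interval and dominate the remaining PFD; an annual full stroke gives a lower PFDavg than five-yearly full stroke plus quarterly PST. That is the trade-off the "total SIF proof test or components on different intervals" question above is asking.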
Modification
Documentation
• Description
• Reason
• Hazards
• Impact on SIS
• Approvals
• Competency mgmt.
• Tests / verification
• Configuration history