IEC-61508 Implementing a Compliance Program
Transcript of IEC-61508 Implementing a Compliance Program
Pharmaceuticals
IEC-61508 Implementing a Compliance Program
• Motivation
• Education
• Implementation
Overview
Motivation
• Do you or your company believe in the infallibility of engineered systems?
Motivation
• Roche Ireland does not have this delusion
• 25+ years operational experience
• Including some close calls
• Reality has motivated our safety culture.
Education
Much of the rest of this presentation has been generated from training presentations given in Roche Ireland to
• Management
• Process Engineering
• Instrument / Electrical Engineering
Education
Need to educate yourself:
• Guidelines for Safe Automation of Chemical Processes {CCPS/AIChE}
• ISA S84
• Functional Safety {Smith & Simpson}
• IBC conferences
• Various WWW resources (exida / sis-tech etc.)
IEC-61508, SOP 973
• Functional safety of electrical / electronic & programmable electronic safety-related systems.
• Critical Protective equipment - Safety Instrumented Systems
IEC-61508, SOP 973
• Safety requires protection from hazards of different causes (movement, heat, radiation, electrical shock, etc.).
• "Functional Safety" means protection from hazards due to incorrect functioning.
Figure: protection against heat, electrical shock, radiation, and hazards due to incorrect function; only the last of these is functional safety.
IEC-61508 Will Affect:
• Process Engineers:
• Instrument/Electrical Designers:
• Mechanical Engineering
• Commissioning:- Extra Effort
• Documentation :- Extra Effort
IEC-61508 is legally vague
• Not legislation
• Meets the 'reasonably practicable' duty
• Safety, Health and Welfare at Work Act, 1989
• Have to put in place a compliance program.
Figure 65-1: Risk regions, risk expressed in deaths/year. Intolerable region above 1 x 10^-4; ALARP region between 1 x 10^-4 and 1 x 10^-6; negligible risk below 1 x 10^-6.
RISK Reduction - ALARP
• As low as reasonably practicable.
• IEC 61508 based on ALARP concept.
• ALARP concerns region of risk.
• Risk is an emotive and irrational thing.
• Commonly accepted values are: upper limit 1 x 10^-4 deaths per year; lower limit 1 x 10^-6 deaths per year.
Safety life cycle - milestone approach
• ISA S84 life cycle depicted in Fig 65-3.
• ISA S84 focuses on Box 9 of IEC 61508.
Figure 64-1: Layers of protection. Intrinsic safety and fail-safe design; Passive systems layer: bursting discs, pressure relief valves, one-way valves; Active systems layer: alarms, trips & interlocks, ESD, F&G; Control systems layer: duality, back-up, alarm handling, diagnostics.
Figure 65-3: Safety life cycle (ISA S84)
Start
1 Conceptual process design
2 Perform process HAZAN & risk assessment
3 Apply Category 0 protection systems to prevent hazards & reduce risk
4 Are any Category 1 protection systems required? (Yes / No)
5 Define target safety integrity levels (SIL)
6 Develop safety requirements specification (SRS)
7 Conceptual design of active protection systems & verify against SRS
8 Detailed design of protection system
9 & 10 Installation, commissioning and pre-start-up acceptance testing
11 Establish operating & maintenance procedures
12 Pre-start-up safety review
13 Protection system start-up, maintenance & periodic testing
14 Modify protection system? (Yes / No)
15 Decommission system
End
Process Engineering
• First Stage of realisation of high-integrity safety instrumented systems
• Modified PHA
• Feeds into SRS
• Based on good process data & good process judgement.
Process Chemistry
• Carius Tube test for decomposition
• Pressure Dewar Calorimetry
• Understanding of Exotherms
• Knowledge of onset temperatures
• {Chilworth}
Process Engineering
• Good process judgement.
• Hazop
• Margins of safety
Hazard identification, Interlock Identification
• Reactant being transferred in from Reactor 1 without agitation could accumulate & react in a sudden, violent manner.
• Reactor 2 Inlet valve 205 should OPEN only if agitator ON
Hazard identification, Interlock Identification
• Simplified Technique
• MIL Std 882
Consequences
• Consequence of this is overpressure, loss of batch, over-temperature, possible destruction of vessel.
• 1 week downtime to recover.
• Fatality or serious injury unlikely.
• Critical (C2)
Occupancy factor
• Building is continually occupied
• (F2)
Manual Avoidance factor
• There is quite a good chance of an operator observing that something is going wrong & intervening successfully.
• (P1)
Unmitigated demand rate
• Likely to occur once every 5 years: Occasional
• The process is DCS automated.
• DCS is not a SIS: no SIL rating.
• DCS control reduces the frequency of unmitigated demand.
• (W2)
Figure: IEC 61508 risk graph (EN 954 approach). Parameters: consequence C1 to C4, occupancy F1/F2, manual avoidance P1/P2 and demand rate W1 to W3; follow the path from Start, ranging from most risk to least risk, to the required SIL. Numeric cells give the required SIL (1 to 4).
Rating of the SIL required for a SIS, as per IEC 61508 Section 5, Table E.1 & as per Roche K9
Matrix axes: event consequence (Negligible, Marginal, Critical, Catastrophic) against event frequency (Unlikely, Rare, Occasional, Moderate, Frequent), for 1, 2 or 3 independent protections; cells give the required SIL (1 to 3).

Event consequence:
Catastrophic: People: fatalities > 1. Environment: significant loss to offsite environment; indictable breach of licence. Business: loss > €8 million; interruption > 1 month.
Critical: People: serious injuries (permanent damage); multiple lost time accidents. Environment: only site area affected; serious breach of licence. Business: loss €200 thousand to €8 million; site interruption > 1 week.
Marginal: People: lost time accident. Environment: only site area affected; minor breach of licence. Business: loss €5 thousand to €200 thousand; interruption 1 day to 1 week.
Negligible: People: minor injuries. Environment: negligible effect on environment. Business: loss < €5 thousand; interruption < 1 day.

Event frequency:
Frequent: once per month
Moderate: once per year
Occasional: once per 5 years
Rare: once per 20 years
Unlikely: once per 100 years
V Unlikely: once per 1000 years

Source: Roche Ireland Limited, Policies and Procedures, SOP 973, Attachment 3.001, page 1 of 1, issued 17/07/2002, supersedes none, Section: Engineering. Subject: Safety Instrumented System: Safety Integrity Determination.
Roche Rating of Consequences
Class I, catastrophic: People: fatalities, evacuation outside the site area. Environment: irreversible, long-term damage outside the site area. Business: loss > 10 mio. US$; interruption > 6 months; image severely damaged, > 1 week, national.
Class II, critical: People: serious injuries, irritations outside the site area. Environment: reversible, short-term damage outside the site area. Business: loss < 10 mio. US$; interruption > 2 weeks; image damaged, > 1 week, regional.
Class III, marginal: People: minor injuries, nuisance outside the site area. Environment: only site area affected. Business: loss < 1 mio. US$; interruption 2 days to 2 weeks; image affected < 1 week, local.
Class IV, negligible: People: no effects. Environment: no effects. Business: loss < 100'000 US$; interruption < 2 days; image: no effects.
Roche 'unmitigated' demand rate: Rating of Probability
Class A, frequent: once a year or more
Class B, moderate: once in 5 years
Class C, occasional: once in 10 years
Class D, rare: once in 25 years (e.g. once in the life cycle of the system)
Class E, unlikely: once in 100 years (e.g. once in the life cycle of a site)
Class F, very unlikely: once in 1,000 years or less (e.g. once in the life cycle of Roche or less)
Instrument / Electrical Design
• Second Stage of realisation of high-integrity safety instrumented systems
• Modified Instrument design
• Modified Instrument Commissioning
• Feeds into SRS
Table 65-1: Safety integrity levels
SIL | Hazard reduction factor (HRF) | Demand mode: PFD (fractional) | Demand mode: Availability A (fractional) | Continuous mode: failure rate (failures per hr)
1 | > 10^1 | 10^-1 to 10^-2 | 0.9 to 0.99 | 10^-5 to 10^-6
2 | > 10^2 | 10^-2 to 10^-3 | 0.99 to 0.999 | 10^-6 to 10^-7
3 | > 10^3 | 10^-3 to 10^-4 | 0.999 to 0.9999 | 10^-7 to 10^-8
4 | > 10^4 | 10^-4 to 10^-5 | 0.9999 to 0.99999 | 10^-8 to 10^-9
Equipment implications
• SIL value is measure of quality of protection system, end to end.
• System has to be designed, specified, built and maintained to that standard.
• Proof testing at regular intervals
• Conformance assessment for safety systems
PFD Calculation
• Simplified equation: ISA-TR84.00.02-2002 Part 2, Equation B.34 (rare event approximation)
• "Adequate" for SIL 1 or 2, where the plant is well controlled and well maintained, the process is understood, and the engineering is conservative with good mechanical integrity
PFD Calc. Motion Sensor
• MTBF = Mean (average) time between failures
• Information provided by vendor
• MTBF = 86 years
PFD Calc. Motion Sensor
• Failures can be fail to danger (falsely shows agitator moving) or fail to safe (falsely shows agitator stopped)
• Aim of good design is to maximise fail to safe, minimise fail to danger. The failure mode split is the percentage in the fail to danger category.
• Failure mode split = 0.1 (SA estimate)
PFD Calc. Motion Sensor
• Proof test interval = 1 year (8760 hours)
• Time between re-tests of the interlock
• Need to be genuine tests
PFD Calc. Motion Sensor
• 86 years * 8760 hours/year = 753,360 hours (MTBF in hours)
• Failure rate = 1/MTBF = 1.33 E-6 failures per hour
• FMS = 0.1
• Proof test = 1 year (8760 hours)
• PFD(SS) = 1.33 E-6 * 0.1 * 1 * (8760/2) = 0.0006
PFD Calc. Barrier 6
• MTBF = 4 years
• Failure mode split = 0.4
• Proof test interval = 1 year (8760 hours)
• Failure rate = 1/MTBF = 2.85 E-5 failures per hour
• PFD(B6) = 2.85 E-5 * 0.4 * 1 * (8760/2) = 0.0500
PFD Calc. Relay 5
• MTBF = 100 years
• Failure mode split = 0.01
• Proof test interval = 1 year (8760 hours)
• Failure rate = 1/MTBF = 1.14 E-6 failures per hour
• PFD(R5) = 1.14 E-6 * 0.01 * 1 * (8760/2) = 0.00005
PFD Calc. Main Barrier
• MTBF = 10 years
• Failure mode split = 0.9
• Proof test interval = 1 day (24 hours)
• Failure rate = 1/MTBF = 1.14 E-5 failures per hour
• PFD(MB) = 1.14 E-5 * 0.9 * 1 * (24/2) = 0.000123
PFD Calc. Solenoid
• MTBF = 10 years
• Failure mode split = 0.4
• Proof test interval = 1 day (24 hours)
• Failure rate = 1/MTBF = 1.14 E-5 failures per hour
• PFD(SOL) = 1.14 E-5 * 0.4 * 1 * (24/2) = 0.00005
PFD Calc. Valve & Actuator
• MTBF = 10 years
• Failure mode split = 0.2
• Proof test interval = 1 day (24 hours)
• Failure rate = 1/MTBF = 1.14 E-5 failures per hour
• PFD(VA) = 1.14 E-5 * 0.2 * 1 * (24/2) = 0.00003
PFD Calc. Overall
• PFD(VA) = 0.00003
• PFD(SOL) = 0.00005
• PFD(MB) = 0.00012
• PFD(R5) = 0.00005
• PFD(B6) = 0.0500
• PFD(SS) = 0.0006
• PFD = 0.051 => SIL 1
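The PFD calculation above, carried through in code as an added example (this is not code from the presentation or from Roche). It takes the slide values for MTBF, failure mode split and proof test interval of the six loop elements, applies the rare-event approximation the slides cite (PFD_avg ≈ λ_DU * TI / 2, with λ_DU = failure mode split / MTBF), adds the elements in series and maps the total onto the demand-mode SIL bands of Table 65-1. It also goes one step beyond the slides: it reports which element dominates the total and what duplicating that element (1oo2, independent failures, no common-cause correction) would do to the SIL. The class and function names, and the "0 means below SIL 1" convention, are this example's own.

```python
"""Rare-event PFD estimate for the agitator interlock on the slides.

Added worked example, not code from the presentation. The MTBF, failure
mode split and proof test interval for each element are the slide values;
the SIL band edges are those of Table 65-1 (demand mode). Class and
function names are this example's own. Simplified equation (rare-event
approximation): PFD_avg ≈ λ_DU * TI / 2, with λ_DU = (1/MTBF) * failure mode split.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class Element:
    name: str
    mtbf_years: float        # vendor MTBF
    fail_to_danger: float    # failure mode split: fraction of failures that are dangerous
    proof_test_hours: float  # proof test interval TI

    def dangerous_failure_rate(self) -> float:
        """λ_DU in failures per hour."""
        return self.fail_to_danger / (self.mtbf_years * HOURS_PER_YEAR)

    def pfd_avg(self) -> float:
        """Rare-event approximation: PFD_avg ≈ λ_DU * TI / 2."""
        return self.dangerous_failure_rate() * self.proof_test_hours / 2


# Slide values for the six elements of the loop.
SLIDE_LOOP = (
    Element("Motion sensor (SS)", 86, 0.1, HOURS_PER_YEAR),
    Element("Barrier 6 (B6)", 4, 0.4, HOURS_PER_YEAR),
    Element("Relay 5 (R5)", 100, 0.01, HOURS_PER_YEAR),
    Element("Main barrier (MB)", 10, 0.9, 24),
    Element("Solenoid (SOL)", 10, 0.4, 24),
    Element("Valve & actuator (VA)", 10, 0.2, 24),
)


def series_pfd(pfds) -> float:
    """Elements in series: the safety function is lost if any element
    fails, so (for small values) the unavailabilities add."""
    return sum(pfds)


def parallel_pfd(pfds) -> float:
    """Independent elements in parallel (1ooN): all must fail, so the
    unavailabilities multiply. Ignores common cause, which the slides
    treat separately with a beta factor."""
    result = 1.0
    for p in pfds:
        result *= p
    return result


def sil_for_pfd(pfd: float) -> int:
    """Demand-mode SIL band from Table 65-1. 0 means the loop does not
    reach SIL 1 (PFD >= 0.1); 4 is returned for anything below 1e-4."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def loop_assessment(elements=SLIDE_LOOP):
    """Return (per-element PFDs, overall PFD, SIL, dominant element name)."""
    parts = {e.name: e.pfd_avg() for e in elements}
    total = series_pfd(parts.values())
    dominant = max(parts, key=parts.get)
    return parts, total, sil_for_pfd(total), dominant


def with_redundant_element(name: str, elements=SLIDE_LOOP):
    """Overall PFD and SIL if the named element is duplicated (1oo2),
    everything else unchanged: shows where redundancy buys integrity."""
    pfds = [parallel_pfd([e.pfd_avg()] * 2) if e.name == name else e.pfd_avg()
            for e in elements]
    total = series_pfd(pfds)
    return total, sil_for_pfd(total)


if __name__ == "__main__":
    parts, total, sil, dominant = loop_assessment()
    for name, pfd in parts.items():
        print(f"{name:24s} PFD = {pfd:.5f}")
    print(f"overall PFD = {total:.4f} -> SIL {sil}; dominated by {dominant}")
    total2, sil2 = with_redundant_element(dominant)
    print(f"with {dominant} duplicated: PFD = {total2:.4f} -> SIL {sil2}")
```

Run stand-alone it reproduces the slide result (overall PFD about 0.051, SIL 1) and makes the practical point visible: Barrier 6 alone contributes 0.050 of that total, so proof testing the valve daily or buying a better relay changes nothing, while addressing Barrier 6 is what would move the loop into the SIL 2 band. The 1oo2 figure is optimistic because it ignores common cause; the beta-factor correction from the "PFD Calc. Issues" slide would have to be applied before relying on it.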
Overall PFD Mapping (figure): Barrier, Instrument, Relay Logic, Barrier and Valve in series. ∑ PFD = 10% is the SIL 1 limit; ∑ PFD = 1% is the SIL 2 limit.
PFD Calc. Issues
• Elements in series: $U_{SYS} = \sum_i U_i$ (eq. 62-16)
• Elements in parallel: $U_{SYS} = \prod_i U_i$ (eq. 62-17)
• Common cause failure: $\lambda_{SYS} = \lambda_{IND} + \beta \cdot \lambda_{MAX}$ (eq. 62-18)
• Voting systems: $U_{KooN} \approx n \cdot U^k$ (eq. 62-19)
• For more complex systems: Fault Tree Analysis using ISA-TR84.00.02-2002 Part 3.
• "Probabilistic Risk Assessment", Henley, E. J.
Design issues
• Roche have decided that valve & actuator may be shared for SIL 1 only.
• SIS & BPCS share barrier, solenoid, actuator & Valve. This is not recommended
• Solenoid has local SMO, which might be OK for normal operation, but not for SIS.
Design issues
• ##### ####-# type barrier not recommended (TTL Logic switching – independent energy source)
• No clear indication on loop sheet or in field of safety critical nature of instruments
Design issues
• Design of periodic re-test method is the instrument designers responsibility.
• This would help facilitate periodic testing
• Loop sheet to indicate safety critical nature of instruments
Improvement suggestions
• SIS to actuate solenoid in panel, which controls air supply to Shutoff Valve & Control Valve
• High energy panel mount solenoid, not IS pilot operated solenoid => more ‘suitable’ for SIS
• Control Valve should have positioner suitable for SIS
Loop sheet modifications
Commissioning Aspects
• IQ / OQ + Proof testing of the safety function
• Validation of the retest method
• Loop sheet to indicate safety critical nature of instruments
• Field marking
Machine / Package Design
• Supplier might have correctly designed the safety engineering.
• That does not mean it reaches the standard.
• Modified Instrument/Electrical design
• Modified Instrument/Electrical Commissioning
• Feeds into SRS
Machine / Package Design
• E Ex d motor – Surface temperature limits
• Variable Speed Drive.
• Never below 10 Hz
• Always with Thermistor Protection
Machine / Package Design
Figure: thermistor relay
Maintenance
• Vital part of ensuring safety function remains intact.
• Will have to retest interlocks on a periodic basis.
• Will need to follow methods set out during Instrument/Electrical design stage.
• Care required in effecting changes to the loop when in use.
Safety Requirements Spec
• Document which brings together the design thread.
• Started by the Process Engineering group
• Continued by the Instrument / Electrical Engineering group
• Reviewed by the Safety Engineering group
• Live document until the pre-start safety review.
New skills
• Different way of thinking: Defence in Depth, Layers of Protection
• Risk Analysis
• Basic Statistics
• Fault Tree Analysis
6 June 1967