Introduction on Functional Safety - Insatech · Functional Safety Safety: “Freedom from...

| confidential document | March 15, 2017 |

© Yokogawa Electric Corporation

Insatech Procesdage 2017

Introduction on Functional Safety

‘12 months of warranty’

1

Niels Huttenhuis – The Netherlands



Niels Huttenhuis

2

Account Manager Safety Solutions

TUV FS Engineer (9257/ 14)

Yokogawa functional safety

350 TUV FS Engineers 14 TUV FS Experts (leading: appr. 10% of global)

Voting member of IEC-61511 steering committee

Session note: Interactive session




Agenda

1. Introduction on Functional Safety

2. Five most significant aspects

3. 12 months of warranty….

4. Summary



Yokogawa IA Portfolio

4



Not all activities in life are safe…



…and we have different levels of risk tolerance



Cycling in Denmark



Introduction movie

self riding bike

Cycling in the Netherlands



Change of winning the first price

LOTTO 1,83 x 10-6

ONSDAGSLOTTO 1,23 x 10-7

JOKER 1 x 10-7

TIPS 13 1,59 x 10-5

Fatality rates



Fredericia Harbour 2016

11



What happened?

12

‘The fire department requires

million damages after a big

fire at the port of Fredericia’

‘Lisbet Ogstrup, senior

adviser in the Danish Nature

Conservation Association,

called the spill an

"environmental disaster".’



Buncefield incident 11 December 2005

13



Buncefield incident 11 December 2005

14



15



Sequence of events:

16

• 10/12/2005 21:00

• T912 starts filling with petrol

• 11/12/2005 00:00

• Terminal closes and tank levels all checked ok

• 11/12/2005 03:00

• T912 control level gauge stops operating ‘flat lining’

• 11/12/2005 03:00 –05:20

• T912 Independent High Level Switch fails to detect high level.

• 11/12/2005 05:38

• Vapour from the escaping fuel is first visible in CCTV footage.

• 11/12/2005 06:01

• First Explosion



Buncefield: economic impact

• No fatal injuries

• 40 injured

• Aviation: = €310,000,000

• Site operators(compensation claims): = €790,000,000

• Comp Authority & Gov interventions = €17,000,000

• Environmental impact on water supplies = €2,500,000

• Emergency response = €9,000,000

TOTAL > €1,1 Billion



Causes of Accidents

26% Equipment failures (including ESD system: 4%)

source: TNO investigations of 216 accidents

39.5%

Human failures

34.5%

Random reasons:

- wrong material,corrosion,etc.

- power loss

- negligent maintenance

- static electricity

- sabotage

- short circuit

- design



History of functional safety standards

Accidents

Standards

Law / rules

1976

Seveso (Italy)

TCDD cloud

1984

Bhopal (India)

MIC cloud

(US company)

1988

Piper Alpha (UK)

Oil platform fire

1999

IEC 61508

1996

ISA S84

U.S.

1989

DIN

Germany

1982

Seveso

directive

EC

1992

PSM / PSA

OSHA

U.S.

2003

IEC 61511

1999

Seveso

directive II

EC

1990 2000 2010 1980

2003

Seveso

directive III

EC

2020

2010

IEC 61508

Ed 2

2005

Texas Refinery

2010

Gulf of Mexico

2016

IEC 61511

Ed 2



Laws and legislation

Europe

Seveso III requires local laws in each country .

E.g. in UK: Control of major Accident Hazards

Regulations

IEC 61508 / 61511 not a law but often required to show

compliance with the law.

E.g. in UK: Health and Safety at Work

Regulations



IEC 61508 : functional safety of electrical /

electronic / programmable electronic safety-

related systems.

- a generic standard

(much attention for development)

IEC 61511 : functional safety for

the process industry

(much attention for the application)

The IEC 61508 / 61511 industry standard



Functional Safety

Safety:

“Freedom from unacceptable risk” (IEC 61508 / IEC 61511)

Risk:

“Combination of the frequency of occurrence of harm and the

severity of that harm” (IEC 61508 / IEC 61511)

Functional Safety :

“part of safety that depends on safety functions implemented in a

safety system”



Safety system for risk reduction

Reduction

Consequence

Frequency

Consequence/severity



Process Risk

Required overall risk reduction

Process

Mechanical

►relief valves

►rupture disks

►break pins

► ……

Analysed Process Risk

e.g. 0.0001 e.g. 0.001

Initial

process risk

level

(not tolerable)

e.g. 0.1

Tolerable

risk level

e.g. 0.00001

Residual

risk level

External

(mitigation)

► drain systems

► fire walls

► dykes

► Fire and Gas

system

► ……..

e.g. 0.01

Design

► piping classes

► control systems

► operational

envelopes

► ……

SIS (functional safety)

►sensor(s)

►logic solver

►final element(s)



(For Low Demand mode)

Average Probability of Failure on Demand

PFDAVG

4

3

2

1

Safety Integrity

Level

0 No safety requirements

Risk Reduction Factor

(1 / PFDAVG)

> 1 000 to ≤ 10 000

> 100 to ≤ 1 000

> 10 to ≤ 100

> 10 000 < 10-4

10-4 to < 10-3

10-3 to < 10-2

10-2 to < 10-1

IEC 61508-1,

table 2

SIL, PFDavg and Risk Reduction



Incident

Deficiency

in the protection

Swiss Cheese model of harm

Initiating

event

Layers of protection



27

Five most significant aspects of the IEC 61508 & 61511



1. The Safety Lifecycle

28



1. IEC61511 Safety Lifecycle

Simplified version



1. Overall Safety Lifecycle according to the IEC 61511



2. The “Pipe-To-Pipe” approach

31



Protection logic O

Process pipe

Sensors

Process pipe

Final elements

Safety

valve

Logic solver

Output Input

Transmitter

Air Vent.

A

D

Pipe to pipe

SIF

Safety Instrumented Function




3. The quantitative safety assessment

33



1 2

3 4


Risk Graph

Risk Matrix

LOPA (layers of protection analysis)

The safety requirement for a pipe-to-pipe safety loop (SIF) is

expressed as Safety Integrity Level (SIL)

For each SIF the target SIL must be determined



To assign an integrity level, the following

consequences are categorised and rated between

0 - 4:

Human safety

Commercial impact

Environmental impact

The most severe consequence is used as integrity

level for the SIF.

3. Safety Integrity Level SIL



=> SIL 2

Trip rate: approx. once every 2 yrs

No people around the installation

Repair cost of vessel: €200k

Production loss: €100k / day

Repair time: 5 days

Fluids: contain methane gas

3. Example : Risk Matrix



3. Practical example from Oil/Gas end user

37



3. SIL, PFDAVG and Risk Reduction

Must be calculated (quantitative) that the average

Probability of Failure on Demand (PFDAVG) for the SIF is lower

than the maximum for the target SIL

IEC 61508-1,

table 2

The table above is for “Low demand”-rate (meaning less than once per year) Examples of this are : Emergency Shutdown Systems, Emergency break of a train, Airbag, etc.



4. Hardware Fault Tolerance

39



4. Redundancy – HFT - Availability



4. Hardware fault tolerance (HFT)

The target SIL indicates the maximum PFDAVG .

Depending on the type and the quality of the device double / triple devices (1oo2, 1oo3 or 2oo3) might be required.

Logic Solver

There are tables for this in both standards



5. Functional Safety Management

43



End-user, Contractor, SIS supplier

Most important for Safety Projects is to make sure that all steps of the lifecycle are really executed. For this there is a special quality system, the Functional Safety Management (FSM). You may think of it as a “super ISO 9000”.

Employ competent personnel Plan the actions and execute them Use adequate procedures, tools and templates Verify / review thoroughly by another person Verify / test thoroughly by another person Record and document the plan and the execution of all steps Validate

5. Functional Safety Management System

WHY ?

Functional Safety Management aims to reduce or avoid systematic failures and consequently increase the systematic safety integrity.

HOW ?

WHO ?



Summary

1. The Safety Lifecycle



4. The hardware fault tolerance (HFT)

5. The Functional Safety Management System (FSM)

45



46

12 months of warranty….



IEC61511 Safety Lifecycle

Simplified version



Phase 6 Operation and Maintenance

48

Competence

Procedures SIF

Functional Safety Management (system)



QA system for Functional Safety (FSM)

Specific for that part of the Safety Lifecycle

Overall FSM procedure

Operations procedures

Maintenance procedures

(Proof)test procedures

Modification procedures

Safety Instrumented Function

Documented

PFD avg compliant

HFT compliant

Competent personel

Proven competency of all involved in the safety lifecycle

Registration and documented

Training records with expiry dates

49



50

Summary



Buncefield – what happened?

Competence

Procedures SIF

Functional Safety Management (system)



52

Buncefield – what happened?

BP Texas refinery accident (2005) example



Yokogawa Functional Safety

Safety Solutions team in the Netherlands:

SIS realisation

Brownfield migration

Training (TÜV Certified)

Consultancy

Life cycle Services

Yokogawa is a TÜV certified course provider

for training & certifying FS Engineers

and Technicians



Thank you for your time

Any Questions ?

54

Niels Huttenhuis

Accountmanager Safety Solutions

Yokogawa Amersfoort, The Netherlands

[email protected]

www.yokogawa.com/eu

Introduction on Functional Safety - Insatech · Functional Safety Safety: “Freedom from...

Documents

Transcript of Introduction on Functional Safety - Insatech · Functional Safety Safety: “Freedom from...