Safety in process industry - Endress+Hauser
Products Solutions Services
Safety in the process industry
Simply reliable
↙
Table of contents
Safety in the process industry
• Endress+Hauser: At home in process safety
• Smart devices and concepts for hazardous areas
• Introduction to functional safety
• Safety by choice - not by chance
• Ensuring mechanical integrity
• Development according to IEC 61508: A view on electronics and software
• Safety and availability: The value of redundancy
• Manage the safety life cycle
• Conclusion
↙
What is safety?
• Reducing risk to a tolerable level
• Basic: equipment should not cause any problem (explosion safety)
• One step further: instrumentation as the safety foundation of an SIS to bring processes to a safe state
• Safety awareness, standards and recommendations driven by major incidents: Bhopal, Seveso, Buncefield, Deepwater Horizon, …
↙
Buncefield, UK
↙
Intelligent safety switch
• Diverse + separate technology
• Self monitoring
• Easy proof testing via push-button
• SIL 3 with permanent self function control
• PFM
  ▪ Switching between differently designed electronics
  ▪ 2nd line of defense
↙
Most comprehensive SIL portfolio
• Complete range of SIL devices: pressure, temperature, level, pH, flow, including system components
• www.endress.com/SIL
Functional safety
Equipment safeguarding chemical reactions and storage of goods
↙
Construction: Safety instrumented system
Safety discussion → Assessment of risk and classification (SIL) → Risk reducing measures → Elements of safety instrumented systems → Failure cause (device) → Failure modes / Failure rates → Probability of failure → Proof test interval
PFDavg = ½ λDU Ti
Supporting tools: Fieldcheck™, Heartbeat Technology™
↙
Overall Safety Life-Cycle acc. IEC 61511 (Source: DIN EN 61511-1, Fig. 8)
Across all phases: Management of Functional Safety and Functional Safety Assessment and Auditing; Safety Lifecycle Structure and Planning; Verification
• Hazard and Risk Assessment
• Allocation of Safety Functions to Protection Layers (Quantification)
• Design and Engineering of the Safety Instrumented System
• Design and Development of other Means of Risk Reduction
• Safety Requirements Specifications for the Safety Instrumented System
• Installation, Commissioning and Validation
• Operation and Maintenance
• Modification
• Decommissioning
Safety Integrity Level (SIL) / Functional Safety Theory
Slide 27 Dept. GT / Thomas Fritz
↙
What is functional safety?
• A safety instrumented system is 100 % functionally safe if all random, common cause and systematic failures do not lead to malfunctioning of the safety system and do not result in
  • Injury or death of humans
  • Spills to the environment
  • Loss of equipment or production
• 100 % functional safety does not exist, but risk reduction SIL 1, 2, 3 or 4 does.
Process industry. Example: Petrochemical plant
↙
Risk reduction to tolerable level
• Freedom from unacceptable risks (ISO/IEC Guide 51)
• There is always a remaining minimum risk
↙
Risk assessment is country/customer specific
↙
Risk graph to determine SIL
[Figure: risk graph; parameters shown include Occupancy]
↙
Layers of protection
• Emergency response layer: Plant emergency response
• Passive protection layer: Embankment
• Active protection layer: Relief valve, rupture disk, F+G system
• Isolated protection layer: Safety instrumented system (Emergency Shutdown), at trip level alarm
• Process control layer: Alarm & operator intervention ("wild" process)
• Process control layer: Basic process control system or DCS (normal process)
• Inherent safe plant design: Plant and process design
Side labels in the figure: Mitigation (upper layers), Prevention (lower layers)
↙
Risk Reduction by Safety Instrumented Systems
Process → Process interface → Sensor → Communication (e.g. 4…20 mA) → Logic unit → Communication (e.g. 4…20 mA) → Actuator → Process interface → Process
Safety Instrumented System (SIS) = Sensor + Logic unit + Actuator
Risk = P × D
Residual risk = P × D × PFD
↙
PFDavg - Integration of the complete loop
Common values for the distribution of PFDavg to subsystems: Sensor 35 %, Controller 15 %, Actuator 50 %
PFDavg = PFD_Sensor + PFD_Controller + PFD_Actuator
SIL 1: ≥ 10⁻² … < 10⁻¹
SIL 2: ≥ 10⁻³ … < 10⁻²
SIL 3: ≥ 10⁻⁴ … < 10⁻³
SIL 4: ≥ 10⁻⁵ … < 10⁻⁴
↙
Layers of protection (overfill example)
• Emergency response layer: Plant emergency response
• Passive protection layer: Embankment
• Active protection layer: Relief valve, rupture disk, F+G system
• Isolated protection layer: Safety instrumented system (Emergency Shutdown), at trip level alarm
• Process control layer: Alarm & operator intervention ("wild" process), high level alarm
• Process control layer: Basic process control system or DCS (normal process, between high level and low level)
• Inherent safe plant design: Plant and process design
Side labels in the figure: Mitigation (upper layers), Prevention (lower layers)
↙
Mitigate the hazard with rupture disks
• Mechanical assemblies with predictable failure modes
• E.g. in E+H Promass design
Failures in electronics and software
Failure mode and effect analysis
↙
Failure Mode and Effect Analysis (FMEA)
Component failure modes:
• Short circuit
• Interruption
• Drift
Additionally: FMEA of mechanical components (e.g. sensor)
Example: Failure mode: effect on safety function?
↙
Failure Mode and Effect Analysis (FMEA)
λtot = λsu + λsd + λdu + λdd (+ λ "not relevant")
MTBF = 1/λtot
First step:
• determine safety path (e.g. 4…20 mA output)
• determine accuracy under fault condition (e.g. ± 2 %)
Different failure modes (probability of failure modes, PFD):
                   Detected faults   Undetected faults
Safe faults        λsd               λsu
Dangerous faults   λdd               λdu
↙
Absolute number of failures is more important than SFF
Safe Failure Fraction (SFF) (in %):
SFF = (λsd + λsu + λdd) / λtot
Internal diagnostics improves SFF (figure: SFF 85 % vs. SFF 95 %)
Safety and availability
The value of redundant architectures in SIS
↙
Single Channel System
            Sensor        Logic          Actor         System
SIL         2             3              2             ≤ 2
PFDav       0.3 × 10⁻²    0.05 × 10⁻²    0.4 × 10⁻²    0.71 × 10⁻²
Example: single channel overfill prevention
Sensor: SIL 2, PFDav = 0.35 × 10⁻²; Logic: SIL 3, PFDav = 0.05 × 10⁻²; Actuator: SIL 2, PFDav = 0.4 × 10⁻²
System = SIL 2
Design rules:
PFD_S + PFD_L + PFD_A < 10^(−SIL_system)
SIL_S, SIL_L, SIL_A ≥ SIL_system
↙
Architecture of Multi-Channel Systems
[Figure: voting architectures 1oo1, 2oo2, 3oo3, 4oo4, 1oo2, 1oo3, 1oo4, 2oo3 arranged along the axes Safety and Availability]
Fundamental safety parameters for the complete system must be evaluated (e.g. Markov model):
• PFDav
• HFT
• SFF
↙
Approximation formula (Source: VDI/VDE 2180, Sheet 4)
λDU = "dangerous undetected", β = common cause factor, T1 = time interval for proof testing [h] (1 year = 8,760 h)
Options of circuit / approximation formula for PFDav:
1oo1: PFD_1oo1 = ½ λDU T1
1oo2: PFD_1oo2 = ⅓ (λDU T1)² + ½ β λDU T1
1oo3: PFD_1oo3 = ¼ (λDU T1)³ + ½ β λDU T1
1oo4: PFD_1oo4 = ⅕ (λDU T1)⁴ + ½ β λDU T1
2oo2: PFD_2oo2 = λDU T1
2oo3: PFD_2oo3 = (λDU T1)² + ½ β λDU T1
2oo4: PFD_2oo4 = (λDU T1)³ + ½ β λDU T1
This is simplified. Use the Markov method to calculate the PFD more accurately.
↙
Complex calculation example (1)
Subsystem Sensor: Sensor 1 / Interface 1, Sensor 2 / Interface 2, Sensor 3 / Interface 3, voting 2oo3
  λDU = 500 FIT (per line), β = 10 %, T1 = 1 year, SFF = ✓
Subsystem Logic Unit: Control Module 1, Control Module 2, voting 1oo2
  λDU = 50 FIT (per module), β = 2 %, T1 = 1 year, SFF = ✓
Subsystem Actuator: Actu. 1 / Interface 4, Actu. 2 / Interface 5, voting 2oo2
  λDU = 1200 FIT (per line), β = 10 %, T1 = 1 year, SFF = ✓
Formula for 2oo3: PFDav (S) = 2.4 × 10⁻⁴
Formula for 1oo2: PFDav (LE) = 4.4 × 10⁻⁶
Formula for 2oo2: PFDav (A) = 1.1 × 10⁻²
Result: PFDav (System) = PFDav (S) + PFDav (LE) + PFDav (A) = 1.3 × 10⁻² → SIL 1
Target: SIL 2
Target not achieved! What to do?
FIT = Failures In Time, 1 FIT = 10⁻⁹ 1/h
↙
Complex calculation example (2)
Action 1: Reduce the proof test interval from 1 year to ½ year (additional cost!)
Subsystem Sensor: Sensor 1 / Interface 1, Sensor 2 / Interface 2, Sensor 3 / Interface 3, voting 2oo3
  λDU = 500 FIT (per line), β = 10 %, T1 = ½ year, SFF = ✓
Subsystem Logic Unit: Control Module 1, Control Module 2, voting 1oo2
  λDU = 50 FIT (per module), β = 2 %, T1 = ½ year, SFF = ✓
Subsystem Actuator: Actu. 1 / Interface 4, Actu. 2 / Interface 5, voting 2oo2
  λDU = 1200 FIT (per line), β = 10 %, T1 = ½ year, SFF = ✓
Formula for 2oo3: PFDav (S) = 1.1 × 10⁻⁴
Formula for 1oo2: PFDav (LE) = 2.2 × 10⁻⁶
Formula for 2oo2: PFDav (A) = 5.5 × 10⁻³
Result: PFDav (System) = PFDav (S) + PFDav (LE) + PFDav (A) = 5.6 × 10⁻³ → SIL 2
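As an added example (not Endress+Hauser code), the simplified VDI/VDE 2180 Sheet 4 formulas from the approximation table, the SIL bands of the loop-integration slide and the design rules of the single channel slide, applied to this complex calculation example: the three subsystem values and the change from SIL 1 to SIL 2 on halving T1 follow from the slide's own inputs (500 / 50 / 1200 FIT, β = 10 % / 2 % / 10 %).

```python
# Simplified PFDavg approximation formulas (VDI/VDE 2180 Sheet 4) as tabulated on the slide.
FIT = 1e-9        # 1 FIT = 1e-9 failures per hour
YEAR_H = 8760.0   # 1 year = 8,760 h

def pfd_avg(arch, lambda_du_fit, beta, t1_h):
    """PFDavg of one subsystem.
    arch: voting architecture "1oo1" ... "2oo4"; lambda_du_fit: dangerous undetected failure
    rate per channel in FIT; beta: common-cause factor (0.10 = 10 %); t1_h: proof-test
    interval in hours.  The formulas hold only while lambda_DU * T1 << 1."""
    x = lambda_du_fit * FIT * t1_h     # dimensionless lambda_DU * T1
    cc = 0.5 * beta * x                # common-cause term 1/2 * beta * lambda_DU * T1
    formulas = {"1oo1": 0.5 * x,
                "1oo2": x ** 2 / 3 + cc, "1oo3": x ** 3 / 4 + cc, "1oo4": x ** 4 / 5 + cc,
                "2oo2": x,
                "2oo3": x ** 2 + cc, "2oo4": x ** 3 + cc}
    return formulas[arch]

def sil_from_pfd(pfd):
    """SIL band of a PFDavg per the slide's table; 0 = no SIL (PFDavg >= 1e-1).
    No level above SIL 4 is defined, so values below 1e-5 are also reported as 4."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def loop_pfd(subsystems):
    """PFDav(System) = PFDav(S) + PFDav(LE) + PFDav(A); returns (total, SIL)."""
    total = sum(pfd_avg(*s) for s in subsystems)
    return total, sil_from_pfd(total)

def design_rules_ok(subsystems, target_sil):
    """Slide's design rules: PFD_S + PFD_L + PFD_A < 10^-SIL and every subsystem SIL >= system SIL."""
    parts = [pfd_avg(*s) for s in subsystems]
    return sum(parts) < 10.0 ** -target_sil and all(sil_from_pfd(p) >= target_sil for p in parts)

def complex_example(t1_years):
    """The slide's loop: sensor 2oo3 (500 FIT, beta 10 %), logic 1oo2 (50 FIT, beta 2 %),
    actuator 2oo2 (1200 FIT, beta 10 %), all proof-tested every t1_years."""
    t1 = t1_years * YEAR_H
    loop = [("2oo3", 500, 0.10, t1), ("1oo2", 50, 0.02, t1), ("2oo2", 1200, 0.10, t1)]
    total, sil = loop_pfd(loop)
    return total, sil, design_rules_ok(loop, 2)

if __name__ == "__main__":
    for years in (1.0, 0.5):   # "Action 1" on the slide: halve the proof-test interval
        total, sil, ok = complex_example(years)
        print(f"T1 = {years} a: PFDav(System) = {total:.2e} -> SIL {sil}, target SIL 2 met: {ok}")
```

Summing the three stated subsystem values (2.4 × 10⁻⁴ + 4.4 × 10⁻⁶ + 1.1 × 10⁻²) gives about 1.1 × 10⁻², which sits in the same SIL 1 band as the 1.3 × 10⁻² quoted on the slide, so the conclusion is unchanged.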
↙
Safety data sheet on www.endress.com/sil
↙
Redundancy: Homogeneous or diverse?
Homogeneous redundancy (same instruments): SIL 2 + SIL 2, e.g. 1oo2 → SIL 3?
Advantage of homogeneous system
• Control of random faults
• Simple stock management, commissioning, maintenance …
Note: Systematic integrity (e.g. software) cannot be enhanced!
Diverse redundancy (different instruments): SIL 2 + SIL 2, e.g. 1oo2 → SIL 3
Advantage of diverse system
• Control of random and systematic faults (device + process)
• Systematic integrity can be enhanced
Endress+Hauser offers multiple instruments which are SIL 2/3 capable.
You reach SIL 3 even in homogeneous redundancy.
The safety life cycle
Maintain your safety at the highest level
↙
Probability of a failure on demand - PFD
[Figure: PFD against operation time with proof test intervals Ti marked; SIL 1 to SIL 4 bands at PFD 0.1, 0.01, 0.001, 0.0001]
Example: Safety component with low demand frequency (~1/a): PFD ≈ λdu · t (t << 1)
PFDav = ½ λdu Ti
Ti = proof test interval
PTC = proof test coverage = λdu*/λdu (λdu* = failures revealed by the proof test)
λdu Ti with PTC = 100 %
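An added example (not from the slides) covering the failure-mode bookkeeping of the FMEA and SFF slides and the proof test coverage shown here: it computes SFF, the PFD over operating time with periodic proof tests, and PFDav. It goes beyond the slide's PTC = 100 % case by keeping the (1 − PTC) share of λdu that a partial proof test does not reveal, which is the standard extension of the same ½ λdu Ti formula; the two devices are constructed values.

```python
# Failure-rate bookkeeping (SFF) and PFD over operating time under periodic proof testing.
FIT = 1e-9        # 1 FIT = 1e-9 failures per hour
YEAR_H = 8760.0   # 1 year = 8,760 h

def sff(lam_sd, lam_su, lam_dd, lam_du):
    """Safe Failure Fraction = (lambda_sd + lambda_su + lambda_dd) / lambda_tot, rates in FIT."""
    lam_tot = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / lam_tot

def pfd_at(t_h, lam_du_fit, ti_h, ptc):
    """Instantaneous PFD at operating time t (hours) with the slide's low-demand approximation
    PFD(t) = lambda_du * t (lambda_du * t << 1).  A proof test every ti_h hours resets only
    the share PTC = lambda_du* / lambda_du it can reveal; the remaining (1 - PTC) share keeps
    accumulating over the whole operating time."""
    lam = lam_du_fit * FIT
    return lam * (ptc * (t_h % ti_h) + (1.0 - ptc) * t_h)

def pfd_avg_ptc(lam_du_fit, ti_h, ptc, mission_h):
    """Time average of pfd_at over a mission of whole proof-test intervals:
    PFDav = 1/2 * lambda_du * (PTC * Ti + (1 - PTC) * T_mission).
    With PTC = 100 % this is the slide's PFDav = 1/2 * lambda_du * Ti."""
    lam = lam_du_fit * FIT
    return 0.5 * lam * (ptc * ti_h + (1.0 - ptc) * mission_h)

# Constructed devices for "absolute number of failures is more important than SFF":
# A has the better SFF (95 %), B the lower dangerous undetected rate (all rates in FIT).
DEVICE_A = dict(lam_sd=500, lam_su=1300, lam_dd=100, lam_du=100)
DEVICE_B = dict(lam_sd=100, lam_su=200, lam_dd=40, lam_du=60)

def compare_devices(ti_h=YEAR_H, ptc=1.0, mission_h=10 * YEAR_H):
    """Returns ((SFF_A, PFDav_A), (SFF_B, PFDav_B)) for the two constructed devices."""
    return tuple((sff(**d), pfd_avg_ptc(d["lam_du"], ti_h, ptc, mission_h))
                 for d in (DEVICE_A, DEVICE_B))

if __name__ == "__main__":
    (sff_a, pfd_a), (sff_b, pfd_b) = compare_devices()
    print(f"A: SFF {sff_a:.0%}, PFDav {pfd_a:.2e};  B: SFF {sff_b:.0%}, PFDav {pfd_b:.2e}")
    # Same 500 FIT device, 1-year proof test, 10-year mission: full vs. 97 % proof test coverage
    print(pfd_avg_ptc(500, YEAR_H, 1.0, 10 * YEAR_H), pfd_avg_ptc(500, YEAR_H, 0.97, 10 * YEAR_H))
```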
↙
Total Proof test coverage according to IEC 61508
Total coverage (DC + PTC), FTL80/81/85 + FTL825:
• Wet test: 99 % (Procedure IA, MAX/MIN)
• Simulation (in situ testing!): 97 % (Procedure IB), via test button, Max / Min
Smart proof testing procedures reduce effort, increase safety and minimize shut down times.
↙
Proof testing without dismounting the device
Not necessary to interrupt or manipulate the production process for a partial proof test.
Recommended proof test interval (figure): 12 years / 3 years / 2 years
Conclusion
Endress + Hauser: State of the art technology and solutions
for your process safety
↙
Improve safety with state of art technology - Liquiphant
Explosion and fire at Buncefield Oil Storage Depot - Five companies to face prosecution
http://www.buncefieldinvestigation.gov.uk/press/b08002.htm
Failed !!!
↙
Separation of process monitoring and safety function
Buncefield report, Volume 2, Annex 4, Recommendation 3, page 11
↙
Need of record on site and a different location
↙
Summary
• Endress+Hauser offers an instrumentation portfolio for hazardous areas and safety applications which is second to none.
• Robust measuring principles and materials ensure reliability in the harshest processes.
• Smart concepts to improve mechanical integrity are simulated, implemented and tested in order to keep your process safe under any circumstances.
• Hardware and software developed according to IEC 61508 and high diagnostic coverage reduce dangerous undetected failures to a minimum and help to extend the proof test interval.
• Redundancy improves safety and availability.
• Smart proof test procedures significantly save cost.
• Document your safety life cycle with W@M.
↙
And never forget…
Liquiphant FailSafe: THE safety switch for highest
demands.
A unique device: SIL 3 and 12 years proof test interval.
Highest safety at minimum effort!