Simply reliable: Process safety from Endress+Hauser · 2015. 11. 3. · Simply reliable: Process...

08/08/2014

Products Solutions Services

Simply reliable: Process safety from Endress+Hauser

Safety by choice, not by chance: Functional Safety

Slide 1 Ngo

08/08/2014

Hai-Thuy Ngo

Industry Manager Oil & Gas

Oil & Gas industry

Slide 2 Ngo

08/08/2014

Oil & Gas industry

Global responsibility for Oil & Gas

• Visited countries for Oil & Gas business

Slide 3 Ngo

08/08/2014

Since 2005 working for Endress+Hauser

• Hai-Thuy Ngo

Oil & Gas industry

Slide 4 Ngo

08/08/2014

Simply reliable: Process safety from Endress+ Hauser

4 day functional safety training (April 2013)

• TUV: functional safety for safety instrument system professionals (IEC61511) conducted by Risknowlogy

• Including 4 hour exam.

Slide 5 Ngo

08/08/2014

Table of contents


• Functional Safety• Safety by choice – not by chance• Failures in electronics and software• Safety and availability• The safety life cycle• Conclusion

Slide 6 Ngo

08/08/2014

Where did this here happen?


NgoSlide 7

Buncefield incident UK 2005

08/08/2014

Safety systems protect you.


NgoSlide 8

08/08/2014

Recent incidents in the Oil & Gas industryFuture: Safety by choice, not by chance

• Deep Water Horizon offshore platform• Set up a 20 billion USD relief

fund• 11 people killed

• Buncefield incident• estimated total costs exceeding

£1 billion (~1.5 billion USD)• five companies were fined a total

of £9.5 million

• Let us help you to make your facility a little bit safer.


Slide 9 Ngo


08/08/2014

Functional Safety

SIL requirement is only one piece to achieve a IEC61511 compliant safety instrument system

Slide 10 Ngo

08/08/2014

What is functional safety?

• A safety instrumented system is 100%functionally safe if all random,common cause and systematic failuresdo not lead to malfunctioning of thesafety system and do not result in• Injury or death of humans• Spills to the environment• Loss of equipment or production

• 100% functional safety does not exist,but risk reduction SIL 1, 2, 3 or 4 does.


Slide 13 Ngo

08/08/2014


Risk reduction to tolerable level

• Freedom of unacceptable risks (ISO/IEC guide 51) There is always a remaining minimum risk

Slide 14 Ngo

08/08/2014

Risk assessment is country/customer specific


Slide 15 Ngo

08/08/2014

Risk graph to determine SILSimply reliable: Process safety from Endress+ Hauser

/ Occupancy

Slide 16 Ngo

08/08/2014


IEC 61511: Functional Safety Management by end-user

• Organization, Quality management, Safety plan• Lifecycle Management• Hazard identification and analysis• Risk analysis• Definition of the safety requirements specifications • Design and Engineering of the safety instrumented system• Definition of responsibilities and competencies• Measures for Software development („V-Model“)• Management, Documentation, Verification, Assessment • Audits, Validation• Operation and maintenance

• Periodic proof tests• Fault monitoring of Safety Instrumented Systems

• Modification management

Slide 17 Ngo

08/08/2014

Management of Functional Safety and Functional Safety Assessment and Auditing

Safety Lifecycle Structure and Planning

VerificationHazard and Risk assessment

Source: DIN EN 61511-1 – Fig. 8

Allocation of Safety Functions to Protection Layers (Quantification)

Design and Engineering of the Safety Instrumented System

Design and Development of other Means of Risk Reduction

Safety Requirements Specifications for the Safety Instrumented System

Installation, Commissioning and Validation

Operation and Maintenance

Modification

Decommissioning

Overall Safety Life-Cycle acc. IEC 61511


Slide 18 Ngo

08/08/2014


Layers of protection

Plant emergency response Emergency response layer

Embankment Passive protection layer

Relief valve, rupture disk, F+G system

Active protection layer

Safety instrumented system EmergencyShutdown

Isolated protection layerTrip level alarm

Alarm & operator intervention “Wild” process

Process control layer

Basic process control system or DCS

Normal process

Process control layer

Plant and process design Inherent safe plant design

Miti

gatio

nPr

even

tion

Slide 19 Ngo

08/08/2014

Risk Reduction by Safety Instrumented Systems

Process

Communicatione.g. 4…20 mA

Communicatione.g. 4…20 mA

Actuator

Safety Instrumented System (SIS)Logic unit

Sensor


Process interface

Process interface

ResidualRisk

Slide 20 Ngo

08/08/2014

Sensor35%

Actuator50%

Controller15%

PFDavg - Integration of the complete loop Simply reliable: Process safety from Endress+ Hauser

SIL 1: ≥10-2…

08/08/2014

Safety Integrity Levels (SIL)

SIL PFD avg Safety Availability Risk Reduction1 0.1-0.01 0.9-0.99 10-1002 0.01-0.001 0.99-0.999 100-10003 0.001-0.0001 0.999-0.9999 1000-100004 0.0001-0.00001 0.9999-0.99999 10000-100000


PFDavgAverage probability of failure of a safety function working in low demand mode of operation

Slide 22 Ngo

Liquiphant is SIL3 capable

08/08/2014

Two regulations: One common target


Common Target - Plant Safety!

Supplier and manufacturers

System integrator/

Operator/User

SafetyRegulations

2. Application standard Implementation for Process

industries

1. Generic standardValid for all relevant sectors

IEC 61508 IEC 61511ISA 84.01

Slide 23 Ngo

08/08/2014

Separation of process instrumentation and safety instrumentation according IEC 61511

Product 2

PI LI TI

Product

FT

Product 1

Process instrument.

Basic ProcessControl System

(BPCS)LS

PI

Safety Functions

Safety related system

Safety Instrumented System (SIS)

08/08/2014


11.2.10 of IEC 61511 part 1

NgoSlide 25

• 11.2.10 A device used to perform part of a safety instrumented function shall not be used for basic process control purposes, where a failure of that device results in a failure of the basic process control function which causes a demand on the safety instrumented function, unless an analysis has been carried out to confirm that the overall risk is acceptable.

• However API2350 and Buncefield report are asking for strict separation of safety function and inventory monitoring.


08/08/2014

Safety by choice – not by chance

Slide 26 Ngo

08/08/2014


Something to think about…

• Analysis of 34 incidents, based on 56 causes identifiedSource: HSE - UK

Slide 27 Ngo

08/08/2014


Proper instrument selection – your safety fundament

THE tool for instrument selection : APPLICATOR (www.endress.com/applicator)

Slide 28 Ngo

08/08/2014


Proper instrument selection by industry applications

Complete basket for your application!

Slide 29 Ngo

08/08/2014


Applicator: A detailed view on application conditions

Slide 30 Ngo

08/08/2014


Applicator: Corrosion warning and database

Make a proper choice right from the beginning.

Slide 31 Ngo

08/08/2014

Safety by choice not by chance

• We find the best method that serves your application in a best way• We have best materials and most robust concepts to ensure reliability

and availability


We want your plant to run safely and efficiently!

Safety measures should not unnecessarily impair operations

Slide 32 Ngo


08/08/2014

Safety and availability

The value of redundant architectures in SIS

Slide 33 Ngo

08/08/2014

Single Channel System

Sensor Logic Actor System

SIL 2 3 2 ≤2

PFDav 0,3x10-2 0,05x10-2 0,4x10-2 0,705 x 10-2

Example: single channel overfill prevention

SIL 2PFDav= 0,35x10-2

SIL 3PFDav=0,05x10-2 SIL 2

PFDav=0,4x10-2

ActuatorLogicSensor

System= SIL 2


PFDS+PFDL+PFDA < 10-SILsystem SILS , SILL , SILA ≥ SILsystemDesign rules

Slide 34 Ngo

08/08/2014

Architecture of Multi-Channel Systems


Safety

Availability1oo1 2oo2 3oo3

1oo2

1oo3

2oo3

4oo4

1oo4

Fundamental Safety Parameters• PFDav• HFT• SFFfor the complete system must be evaluated (e.g. Markov Model)

Slide 35 Ngo

Which multi-channel system is safer than

2oo3?

08/08/2014

Approximation formula (Source: VDI/VDE 2180, Sheet 4)


DU = „dangerous undetected“, = Common cause Factor, T1 = Time interval for proof testing [h] (1 Jahr = 8.760 h)

Options of Circuit Approximation formula for PFDav

1oo1

1oo2

1oo3

1oo4

2oo2

2oo3

2oo4

23

12

121

TTPFD DUDUoo

21

11TPFD DUoo

122 TPFD DUoo

2

12132

TTPFD DUDUoo

24

13

131

TTPFD DUDUoo

2

13142

TTPFD DUDUoo

25

14

141

TTPFD DUDUoo

This is simplified. Use MARKOV method to calculate

the PFD more accurate.

Slide 36 Ngo

08/08/2014

Subsystem ActuatorSubsystem Logic UnitSubsystem Sensor

Sensor 1 Interface 1



2oo3

ControlModule 1

ControlModule 2

1oo2

Actu. 1Interface 4

Actu. 2Interface 5

2oo2

lDU = 500 FIT (per line)b=10%, T1=1 year, SFF=

lDU = 50 FIT (per Module) b=2%, T1=1 year, SFF=

lDU = 1200 FIT (per line) b=10%, T1=1 year, SFF=

Formula for für 2oo3 Formula for für 1oo2 Formula for für 2oo2

PFDav (S) = 2,4 × 10-4 PFDav (LE) = 4,4 × 10-6 PFDav (A) = 1,1 × 10-2

Result: PFDav (System) = PFDav (S) + PFDav (LE) + PFDav (A) = 1,3 × 10-2 SIL 1

Target: SIL 2

Target not achieved! What to do?FIT = Failures In Time, 1 FIT = 10-9 1/h

Complex calculation example(1)

08/08/2014

Action 1: Reduce Proof-Test Intervall from 1 year to ½ year Additional Cost!





2oo3

ControlModule 1

ControlModule 2

1oo2

Actu. 1Interface 4

Actu. 2Interface 5

2oo2

lDU = 500 FIT (per line)b=10%, T1=½ year, SFF=

lDU = 50 FIT (per Module) b=2%, T1=½ year, SFF=

lDU = 1200 FIT (per line) b=10%, T1=½ year, SFF=

Formula for 2oo3 Formula for 1oo2 Formula for 2oo2




08/08/2014

Action 2: more redundancy (here: Actuator) additional costs!





2oo3

ControlModule 1

ControlModule 2

1oo2 2oo2



lDU = 1200 FIT (per line) b=10%, T1=1 year, SFF=

Formula for 2oo3 Formula for für 1oo2 Formula for 1oo2/2oo2

PFDav (S) = 2,4 × 10-4 PFDav (LE) = 4,4 × 10-6 PFDav (A) ≈ 1,2 × 10-3

SIL 2

Actu. 3Interface 6

Actu. 4Interface 71oo2

Actu. 1Interface 4

Actu. 2Interface 51oo2

Result: PFDav (System) = PFDav (S) + PFDav (LE) + PFDav (A) ≈ 1,5 × 10-3


Slide 39 Ngo

08/08/2014





2oo3

ControlModule 1

ControlModule 2

1oo2

Actu. 1Interface 4

Actu. 2Interface 5

2oo2




Formula for 2oo3 Formula for 1oo2 Formula for 2oo2



Action: Correct selection of components from the beginning (here: Actuator)


08/08/2014

Safety data sheet on www.endress.com/sil

Safety in the process industry

Jana Kurzawa / Hai-Thuy NgoSlide 41

08/08/2014

One example of a Multi-Channel SystemSimply reliable: Process safety from Endress+ Hauser

Pressurizedprocess

Overpressure protection

Subsystem Sensor

Sensor 1

Sensor 2

Sensor 3

2oo3

Subsystem Logic Unit

PLC

Subsystem Actuator

Actuator 1

Actuator 2

2oo2

Slide 42 Ngo

08/08/2014


Homogeneous Redundancy(same instruments)

Redundancy: Homogeneous or diverse?

Advantage of homogeneous system• Control of random faults• Simple stock management,

commissioning, maintenance …Note: Systematic Integrity

(e.g. Software) can not be enhanced!

Advantage of diverse system

• Control of random and systematicfaults (device + process)

• systematic integrity can beenhanced

+z.B. 1oo2 SIL 3?

SIL 2 SIL 2

Diverse Redundancy(different instruments)

SIL 2 SIL 2

+z.B. 1oo2 SIL 3

Endress + Hauser offers multiple instruments which

are SIL2/3 capable. You reach SIL 3 even in

homogeneous redundancy.

SIL 3

Slide 43 Ngo

08/08/2014

Homogeneous Redundancy: SIL2 + SIL2 = SIL3?

Safety Integrity Level (SIL) / Functional Safety Theory

PMP41Hardware: SIL2Software: SIL2


+ = SIL2

+ = SIL3FMG60

Hardware: SIL2Software: SIL3

FMG60Hardware: SIL2Software: SIL3

SD P

MP4

1SD

FM

G60

Slide 44 Dept. GT / Thomas Fritz

08/08/2014

Diverse Redundancy: SIL2 + SIL2 = SIL3?

Safety Integrity Level (SIL) / Functional Safety Theory



+ = SIL3

= SIL3PMD75

Hardware: SIL2Software: SIL3

FMR51Hardware: SIL2Software: SIL3

+

SD P

MP7

1SD

PM

D75

SD P

MP4

1SD

FM

R51

Slide 45 Dept. GT / Thomas Fritz


08/08/2014

Failures in electronics and software

Failure mode and effect analysis

Slide 46 Ngo

08/08/2014

Failure Mode and Effect Analysis (FMEA)Simply reliable: Process safety from Endress+ Hauser

Component failure modes• Short circuit• Interruption• Drift

Additionally: FMEA of mechanical Components (z. B. Sensor)

Example:

Failure mode effect on safety function?

Slide 47 Ngo

08/08/2014


Failure Mode and Effect Analysis (FMEA)

tot = su +sd + du + dd (+λ not relevant)

MTBF = 1/tot

First step:• determine safety path (e.g. 4…20 mA output)• determine accuracy under fault condition ( e.g. ± 2 %)

Different failure modes:

PFD

Probability of failure modes

Detected faults Undetected faults

Safe faults lsd lsuDangerous faults ldd ldu

Slide 48 Ngo

08/08/2014


Absolute number of failures are more important than SFF

sd + su + dd tot

SFF=

Safe Failure Fraction (SFF)(in %)

SFF 95 % Internal diagnostics improves SFF

SFF 85 %

Slide 49 Ngo

08/08/2014


Accuracy under fault condition

• With continuous overfill prevention instrument, you have to reduce the maximum level by the fault condition tolerance

• With Liquiphant you can fill up safely until the specified level. You can use the complete specified capacity of your tank.

No tolerance required

+/- 2 % +/-2%, +/- 5%, ???

Competitor

No fault condition tolerance for the

vibronic fork

Slide 50 Ngo

08/08/2014


Proof test coverage: Quantity is important!!!


• Proof test coverage is a measure of how many undetected dangerous failures are detected by the proof test.

• Which instrument gives you better safety?

Instrument A Instrument BProof Test Coverage

90% 50%

Dangerous Undetected Failures

40 FIT 2 FIT

Failures remaining unrevealed after proof test

4 FIT 1 FIT

08/08/2014


Proof test coverage: : Quantity is important!!!

NgoSlide 53

Instrument A Instrument BDangerous failures 100 FIT 100 FITλDD 10 FIT 90 FITλDU 90 FIT 10 FITPTC 80% 80%λDU converted to λDD 72 FIT 8 FIT

Never detected λDU 18 FIT 2 FIT

08/08/2014


Proof test coverage: : Quantity is important!!!

NgoSlide 54

Instrument A Instrument BDangerous failures 100 FIT 100 FITλDD 10 FIT 90 FITλDU 90 FIT 10 FITPTC 80% 80%λDU converted to λDD 72 FIT 8 FIT

Never detected λDU 18 FIT 2 FIT

08/08/2014


Level of Concerns (LOC) according API2350 4th Edition

Critical high (CH)

Automatic overfill prevention system (AOPS); Level may be equal to HH

High-high tank (HH) LAHHMaximum working (MW)

Slide 55 Ngo

08/08/2014


Maximum filling height for LAHH with radar

Critical high (CH)



E.g. 98 %

Better tank capacity utilization with point level sensor.

e.g. 2% fault tolerance

Slide 56 Ngo

08/08/2014


Maximum filling height for LAHH with Liquiphant

Critical high (CH)



100 %

Slide 57 Ngo


08/08/2014

The safety life cycle

Maintain your safety at the highest level

Slide 58 Ngo

08/08/2014

Probability of a failure on demand - PFDSimply reliable: Process safety from Endress+ Hauser

SIL 4SIL 3SIL 2

SIL 1

Operation time

PFD

Ti Ti

Example: Safety component with low demand frequency (~1/a)PFD du t (t

08/08/2014

Partial Proof Testing (PTC < 100%)Functional Safety in the Process Industry

PFD

Ti operation time t

SIL 1

SIL 2

SIL 3

LT

PFDav

PFDav ≈ ½ λdu x Ti x PTC + ½ λdu x LT x (1-PTC)

PTC= Proof test coverage (1=100 %)Ti = Test interval LT= life time

PTC < 100 %

Single channel system 1oo1

Slide 60 Klotz-Engmann

08/08/2014

Partial Proof Testing + Full Proof TestFunctional Safety in the Process Industry

PFD

Ti operation time t

SIL 1

SIL 2

SIL 3

LT

PFDav

PFDav ≈ ½ λdu x Ti x PTC + ½ λdu x Tj x (1-PTC)

PTC= Proof Test Coverage (1=100 %)Ti = Test interval (

08/08/2014

ASFM - Fuel for thought

Easy and convenient proof test on the tank

NgoSlide 62

4% of all devices, which are proof tested, get damaged during re-installation !!!According to a study of Akzo Chemical customer in Rotterdam.Of course, this does not happen in the Oil & Gas industry …

08/08/2014

Total Proof test coverage according to IEC 61508

Total coverage(DC+PTC)

FTL80/81/85+ FTL825

Wet test 99%(Procedure IA MAX/MIN)

Simulation(in situ testing!)

97 %(Procedure IB) Via test button

Max

Min


Smart proof testing procedures reduce effort, increase safety and minimize shut down times.

Slide 63 Ngo

08/08/2014

New: Liquiphant Fail Safe FTL 8x


Liquiphant FailSafe FTL80/81/85Nivotester FTL825

4..20mA +LIVE-Signal

SIL3 MIN/MAX

4..20mA +LIVE-Signal Optional

Liquiphant FailSafeFTL80/81/85

PLC

Safety function • 4…20 mA output with life signal (every 3

seconds self checking procedure)

• SIL 3 capable in single device

• min/max safety function

• proof test simulation with push-button

• proof test interval can be extended up to 12 years !

Slide 64 Ngo

08/08/2014


Proof testing without dismounting the device

Not necessary to interrupt or manipulate the production process for partial proof test.

Recommendedproof test interval

12 years 3 years 2 years

Slide 65 Ngo

08/08/2014


Sensortestbox+ Adapter

Sensor test (MID/Coriolis)

Simu-BoxSimulation ofsensor signal

FieldcheckCurrent outputFreq./puls outputService

Partial proof test with Fieldcheck

Proof test coverage via verification: 90 %

Slide 66 Ngo


08/08/2014

Ensuring mechanical integrity

Robust principles and materials

Slide 67 Ngo

08/08/2014


Vibronic level switches: 300.000 pieces/year

• Measuring Principle

• Liquiphant in practice

• Liquiphipant in safety

• Oil detection in pipes/sump pits Leakage detection presentation

Click the blue box

Slide 68 Ngo

08/08/2014


Welded gastight feedthrough(second line of defense)

Sealing concept in Liquiphant Failsafe

• Helium leakage test• Pressure test (approx. 80 bar)• sealed after test with sealing pin,

welded in and verified by radiographic test

Slide 69 Ngo

08/08/2014

Manual overfill protection system (MOPS)


Slide 70 Ngo

08/08/2014

Automatic overfill protection system (AOPS)


Slide 71 Ngo

08/08/2014

Assessed by external third party safety consultant

• Complete standardized engineered solutions by Endress+Hauser• Time saving• Cost saving• Reliable safety system• Reduced documentation efforts• Proven in use


Slide 72 Ngo

08/08/2014

Clear and detailed alarm notification and remedy info

• Digital proof-testing avoids staff in dangerous areas (e.g. on the tank)

• SIL3 vibronic fork is a fail safe device and reliable

• Independence and diversity of safety loop and inventory control loop offers the most reliable safety system.

• Easy digital proof testing process motivates the operator to perform the proof test


Slide 73 Ngo

08/08/2014

Most comprehensive SIL portfolio

• Complete range of SIL devices: pressure, temperature, level, pH, flow including system components

• www.endress.com/SIL


Slide 74 Ngo

08/08/2014


Conformity assessment acc. IEC 61508

Endress+Hauser:SIL 2 : Independent 3rd party assessment + Manufacturer DeclarationSIL 3: Independent 3rd party assessment + certificate

Third party certificate not required for SIL2, but Endress + Hauser create and publish it.

SIL Minimum degree ofindependence (IEC61508)

SIL 1 Independent Person

SIL 2 Independent department

SIL 3 Independent organisation

SIL 4 Independent organisation

Slide 75 Ngo

08/08/2014

TÜV Certified Functional Safety ManagementSimply reliable: Process safety from Endress+ Hauser

Slide 76 Ngo


08/08/2014

Conclusion

Endress + Hauser: State of the art technology and solutions for your process safety

Slide 77 Ngo

08/08/2014

Improve safety with state of art technology - Liquiphant


Explosion and fire at Buncefield Oil Storage Depot - Five companies to face prosecution

http://www.buncefieldinvestigation.gov.uk/press/b08002.htm

Failed !!!

Slide 78 Ngo

08/08/2014

Level measurement in Oil & Gas

Furthermore, Safety Integrity Level

Slide 79 Ngo

08/08/2014


Need of record on site and a different location

Slide 80 Ngo

08/08/2014

Proof test documentation with W@M


• Your 24/7 life cycle management platform:

• All safety manuals, technical information and certificates and proof testing reports available at your fingertip

• Upload of Data to W@M

• The spare-part recommendations for the specific device, which you have installed on site.

Slide 81 Ngo

08/08/2014

Instrument Task Overview e.g. Proof testingSimply reliable: Process safety from Endress+ Hauser

Indication of the status of the task (e.g. planned, overdue, warn etc.) Upload of attachment e.g.

proof test reports

Testing Interval

Slide 82 Ngo

08/08/2014

Summary

• Installing just a SIL device is not enough to comply to IEC61511• Endress + Hauser offers an instrumentation portfolio for hazardous

areas and safety applications which is second to none.• Robust measuring principles and material ensure reliability in

harshest processes• Smart concepts to improve mechanical integrity are simulated,

implemented and tested in order keep your process safe under any circumstances

• Hard- and software developed according IEC61508 and high diagnostic coverage reduce dangerous, undetected failures to a minimum and help to extent proof test interval

• Redundancy improves safety and availability• Smart proof test procedures significantly safe cost• Document your safety life cycle with W@M


Slide 83 Ngo

08/08/2014

And never forget…

Liquiphant FailSafe: THE safety switch for highest demands.


A unique device:SIL 3 and 12 years proof test interval.

Highest safety at minimum effort!

Slide 84 Ngo

08/08/2014

Complete SIL instrumentation portfolio up to SIL3


NgoSlide 85

08/08/2014

That’s it … relax now… it was not that difficult :-D


Slide 86 Ngo

Simply reliable: Process safety from Endress+Hauser · 2015. 11. 3. · Simply reliable: Process...

Documents

Transcript of Simply reliable: Process safety from Endress+Hauser · 2015. 11. 3. · Simply reliable: Process...