  • Can Functional Safety Improve Your Safety Case?

    Confidential Property of Schneider Electric

    Dr. Issam Mukhtar PhD (Eng.), Functional Safety Senior Expert (TÜV Rheinland) - Premier Consulting Services – Schneider Electric
    Email: [email protected] Mob: +61 447008310

  • Page 2Confidential Property of Schneider Electric |

    1 Safety Case
    2 Measures to Reduce Risk
    3 Quantitative Approach for Risk Reduction
    4 ALARP Concept
    5 Functional Safety
    6 IEC61511 Standard Lifecycle
    7 Fire & Gas Detection System
    8 Cyber Security
    9 Conclusions
    10 Questions

  • What is a Safety Case?

    A safety case is a written presentation of technical, management and operational information about the hazards and risks that may lead to a major incident at a major hazard Installation (MHI), and the control of those hazards and risks. In the safety case, the MHI operator provides justification for the measures the operator has taken or will take to ensure the safe operation of the MHI. By focusing attention on major incident prevention, the safety case can improve safety at the MHI. The safety case forms part of the MHI operator’s application for an MHI licence.

    The safety case must demonstrate the adequacy of measures the operator will implement to control risks associated with major incidents that may occur. The safety case must also demonstrate that the MHI’s safety management system will control risks that could lead to – and arise from – a major incident.

  • Flow of Safety Case


  • Steps in Preparing the Safety Case

    [Flowchart with the boxes: Establish the Context; Safety Assessment; Identify Measures to reduce the risk; Have risks been eliminated or minimised SFARP?; Implement Measures to reduce Risk; Validate the performance of risk controls (SMS and audits); Is SFARP sustained? (SMS); Risk minimisation SFARP achieved and sustained]

  • Technical Measures to Reduce Risk

  • Risk Reduction Measures

    What is risk, and what is the process risk?
    What level of risk do you want to achieve?
    How do you decide the acceptable (tolerable) risk?
    Who decides that the risk is acceptable (tolerable)?
    How can one be sure that there are sufficient risk reduction measures?
    Are the measures reducing your risk sufficient?
    What is the measure of the risk reduction?

  • Risk Reduction Measures – Example 1

    [Diagram: risk reduction layers with speed probes as the SIS sensors. Bars run from Uncontrolled (High) Risk down to Acceptable Risk through the Non-SIS (bolt) physical layer, the BPCS/DCS, and the SIS (PES with speed probes); the gap still to be closed is marked Required Risk Reduction, and each layer carries an "x" placeholder for its risk reduction.]

  • Risk Reduction Measures – Example 2

    [Diagram: layer-of-protection chain for a high-pressure scenario. Columns: Pr. Occupancy, Pr. Ignition, SIS, Non-SIS (PSV), Alarm & Operator, Physical Layer, BPCS failure; the bars run from Uncontrolled (Immediate) Risk through Unmitigated Risk, Intermediate Event Likelihood and Hazardous Event Likelihood down to Tolerable Risk, with the gap marked Required Risk Reduction. The P&ID sketch shows a 12,000 kPag / 6,000 kPag vessel with PIC, LIC, TIC and LIC loops, PAH and PAHH alarms, a PES and a Flare line.]

  • What is RISK?

    • An expectation of loss
    • Always has an element of uncertainty
    • Always refers to the future
    • Usually refers to any unwanted consequence: personnel injury or death is a risk, site downtime is also a risk

    Risk is a combination of the frequency of occurrence of harm and the severity of that harm.

    Risk = Frequency x Consequence

  • Determining Risk

    How does one quantitatively assess risk? Risk may be quantitatively expressed by:

    The Individual Risk Per Annum (IRPA), which is defined as: IRPA = Pr (Individual is killed during one year’s exposure)

    IRPA = Observed number of fatalities / Total no. of employee-years exposed

  • How can one make a decision on the acceptability, or tolerability, of a given risk?

    [Plot: Frequency (0 to 0.012) against Consequence (0 to 12) with the 0.01 IRPA profile curve, and High Risk and Low Risk regions on either side of it]

  • Risk Classifications

    [Matrix with four risk classes: I, II, III, IV]

  • ALARP & Tolerable Risk

    Typically risk can be classified into three categories:
    a) The risk is so great it must be refused altogether; or
    b) The risk is, or has been made, so small as to be insignificant; or
    c) The risk falls between the two states of a and b and has been reduced to the lowest practicable level, bearing in mind the benefits and taking into account costs of further reduction.

  • ALARP & Tolerable Risk

    ALARP = Any risk which has been reduced to a level As Low As Reasonably Practicable

  • Tolerable risk

    ‘Tolerable risk’ is the level of risk which organizations and society will bear, but in fact that level of risk may not be as low as the acceptable risk.

    Tolerability does not mean acceptability!

    It refers to the willingness to live with a risk so as to secure certain benefits and in the confidence that it is being properly controlled.

    To tolerate a risk means that we do not regard it as negligible, or something we might ignore, but something that we review and reduce further if possible.

  • How can one make a decision on the acceptability, or tolerability, of a given risk?

    [Plot repeated: Frequency against Consequence, with the High Risk and Low Risk regions marked]

  • Frequency and consequence have wide scales; for this reason risk profiles typically use logarithmic scales.

    log(risk) = log(F x Q) = log(F) + log(Q)

    Therefore the risk curve will change from parabolic to a straight line:

    [Log-log plot: Frequency from 1.00E-08 to 1.00E+00 against Consequence from 1 to 100000]

  • The boundaries for tolerable risk could then be:

    [Log-log plot as above, with High Risk and Low Risk regions marking the tolerable risk boundaries]

  • Determining SIL from level of risk

    Likelihood                 | Notable      | Significant  | Highly Significant | Serious      | Extremely Serious | Catastrophic
    Almost Certain 1 to 10 /yr | Level II 2M  | Level II 1M  | Level I 1M         | Level I 1W   | Level I 1D        | Level I 1D
    Very Likely 0.1 /yr        | Level III 9M | Level II 6M  | Level II 3M        | Level I 1M   | Level I 1D        | Level I 1D
    Likely 10^-2 /yr           | Level III 2Y | Level III 1Y | Level II 9M        | Level II 1M  | Level I 1W        | Level I 1W
    Unlikely 10^-4 /yr         | Level IV     | Level IV     | Level III 5Y       | Level III 5Y | Level II 1Y       | Level I 1M
    Very Unlikely 10^-6 /yr    | Level IV     | Level IV     | Level IV           | Level IV     | Level III 5Y      | Level II 1Y
    Extremely Unlikely         | -            | -            | -                  | -            | -                 | -

  • What is Functional Safety?

    Functional Safety refers to the use of instrumented systems to implement safety functions to achieve a defined level of risk reduction.

    Each safety function is designed to detect a particular hazard and to execute some specific action to achieve or maintain a safe state.

    Functional safety always starts with a clear definition of the hazard and how much risk reduction is required. It ends in being able to demonstrate that the required risk reduction is actually achieved.

  • What is a Safety Instrumented System (SIS)?

    “A system designed to respond to conditions in the plant which may be hazardous in themselves or, if no action was taken, could eventually give rise to a hazard, and to generate the correct outputs to mitigate the hazardous consequences or prevent the hazard.” Source - Health and Safety Executive (HSE), 1987.

    The SIS is composed of any combination of:

    [Diagram: Sensor(s) (e.g. transmitter) on the process -> Logic solver(s) (E/E/PE input module, application software, output module) -> Final element(s) (e.g. safety valve, SV) acting on the process; IAS shown alongside]

  • Quantitative value for the measure to reduce risk

    Often a Process Engineer would come to instrument engineers for the design of a high pressure safety function. They would ask: “How good do you want this safety function to be?” What is the interpretation of ‘good’?

    How could one represent measures to reduce risk quantitatively?

    It is the required integrity of the measure.

    It is represented by the probability of this measure failing on demand (PFD), i.e. when required to act.

    It is called the safety integrity level (SIL) and there are four integrity levels.

    [P&ID sketch: PAHH-123 -> PES -> XV-456]

  • Safety Integrity Levels

    Safety Integrity Level | Average Probability of Failure on Demand (Demand mode)
    4                      | 0.0001 to 0.00001
    3                      | 0.001 to 0.0001
    2                      | 0.01 to 0.001
    1                      | 0.1 to 0.01

    SIL4 is not recommended for the Process industry

  • Determining SIL

    The Safety Integrity Level would depend on:

    1. The consequences if the safety function fails on demand: what is in the vessel? Water, HP steam, hydrocarbons, toxic materials, etc.
    2. The demand likelihood (the cause).
    3. What is the acceptable or tolerable risk?
    4. What is the required risk reduction to reduce the risk to be tolerable?
    5. Are there any other measures?

    [P&ID sketch: PAHH-123 -> PES -> XV-456]

  • Determining SIL – Example 1

    [Diagram: the Example 1 risk reduction layers with numbers added. Demand rate 1/min; layers Non-SIS (bolt) physical layer, BPCS/DCS and SIS (PES with speed probes) with the values 0.1, 0.01, 0.1 and 0.1 shown against them; intermediate frequencies marked 1.0E-1 (1/10 yrs), 1.0E-3 (1/1,000 yrs), 1.0E-4 (1/10,000 yrs) and 1.0E-5 (1/100,000 yrs) down to Acceptable Risk; the SIS contribution is marked "???" (the Required Risk Reduction to be determined).]

  • Determining SIL from level of risk (the same risk matrix as shown above)

  • Determining SIL – Example 2 (SIL1)

    [Diagram: the Example 2 layer-of-protection chain with numbers added. Tolerable acceptable Risk = 1.0E-6; columns Pr. Occupancy, Pr. Ignition, SIS, Non-SIS (PSV), Alarm & Operator, Physical Layer, BPCS failure; bars for Initiator Event Likelihood, Intermediate Event Likelihood, Hazardous Event Likelihood and Required Risk Reduction. The factors shown are 0.1 x 0.5 x 0.01 x 0.5 x 0.1 and PFD SIS = 0.04 (the product of the factors with 0.04 is 1.0E-6, the tolerable risk). Same P&ID sketch as Example 2 above: 12,000 kPag / 6,000 kPag vessel, PIC, LIC, TIC, LIC, PES, PAH, PAHH, Flare.]

  • Determining SIL from level of risk (the same risk matrix as shown above)

  • Measures Integrity verification

    [Plot: Probability of a Device to Fail (0.000 to 1.200) against Years (0 to 50), with the Average Probability marked]

    Devices fail; it is not a matter of if, it is a matter of when. The probability of a device to fail follows the exponential function 1 - e^(-λt), where

    λ = Device Failure Rate
    t is time

    Instruments that are part of a safety function must be tested to keep the probability lower. Once tested, the average probability to fail on demand would be:

    PFD(Avg.) = λdu x TI / 2

    (λdu is the dangerous undetected failure rate and TI the proof-test interval.)
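As an added worked example (not from the deck), the relationships above in Python: the exponential probability to fail, the saw-tooth that proof testing produces, the deck's PFD(Avg.) = λdu x TI / 2 approximation beside the exact average over a test interval, and the longest test interval that still meets a target PFD. The 0.01/yr failure rate is a constructed value; the 0.04 target is the PFD SIS from the deck's Example 2.

```python
import math


def prob_failed(lam: float, t: float) -> float:
    """Probability that a device has failed by time t: 1 - e^(-λt).

    lam is the failure rate and t the elapsed time, in the same unit (years here).
    """
    return 1.0 - math.exp(-lam * t)


def pfd_sawtooth(lam_du: float, ti: float, t: float) -> float:
    """Probability of failure on demand at time t when the device is proof
    tested every ti: the curve restarts from zero after each test, which is
    the saw-tooth on the 'Probability of a Device to Fail' plot."""
    return prob_failed(lam_du, math.fmod(t, ti))


def pfd_avg_approx(lam_du: float, ti: float) -> float:
    """The deck's PFD(Avg.) = λdu x TI / 2 (good while λdu x TI is small)."""
    return lam_du * ti / 2.0


def pfd_avg_exact(lam_du: float, ti: float) -> float:
    """Exact time average of 1 - e^(-λdu t) over one test interval:
    (1/TI) * integral from 0 to TI of (1 - e^(-λ t)) dt = 1 - (1 - e^(-λ TI)) / (λ TI)."""
    x = lam_du * ti
    return 1.0 - (1.0 - math.exp(-x)) / x


def max_test_interval(lam_du: float, pfd_target: float) -> float:
    """Longest proof-test interval that keeps PFD(Avg.) at or below pfd_target
    under the linear approximation: TI = 2 * PFD(Avg.) / λdu."""
    return 2.0 * pfd_target / lam_du


if __name__ == "__main__":
    # Constructed dangerous undetected failure rate of 0.01 per year and the
    # SIL 1 target PFD of 0.04 from the deck's Example 2.
    LAM_DU, PFD_TARGET = 0.01, 0.04
    print("P(failed) after 10 untested years:", round(prob_failed(LAM_DU, 10), 4))
    for ti in (1, 2, 5, 10):
        print(f"TI={ti:>2} yr  PFDavg approx={pfd_avg_approx(LAM_DU, ti):.4f}"
              f"  exact={pfd_avg_exact(LAM_DU, ti):.4f}")
    print("max TI for PFDavg <= 0.04:", max_test_interval(LAM_DU, PFD_TARGET), "yr")
```

The linear approximation always sits slightly above the exact average, so a test interval chosen with it is conservative.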

  • Testing of the Measures to Reduce Risk

  • Testing

    Safety Instrumented Systems (SIS) and other measure devices must be proof tested periodically.

    The proof-test interval depends on the integrity required for the SIS or the measures.

    The testing must follow a defined procedure to ensure that the devices do not have any hidden failures.

    The test must be conducted by a trained instrument technician.

  • The IEC61508 / IEC61511 standards

    There are two main standards that are referred to for functional safety:

    IEC61508 - ‘Functional Safety of electrical/electronic/programmable electronic safety-related systems’

    IEC61511 - ‘Functional Safety – Safety instrumented systems for the process industry sector’

    IEC61508 is a broader standard which may be applied to any industry. IEC61511 is simpler and easier to understand but only applies to process industries – not manufacturing industries.

    Both follow the same fundamental concepts. Both are performance based standards.

    IEC61511 is typically applied to chemical processes, oil and gas production and refining, pulp and paper, and (non-nuclear) power generation.

  • Fundamentals of IEC61508 / IEC61511

    1. Know your hazardous situations - HAZOP
    2. Evaluate the acceptability of the risks of those hazardous situations,
    3. Classify the required safety integrity of the protective measures (establish the Safety Integrity Level, SIL) - Layer of Protection Analyses (LOPA)
    4. Implementation and testing based on the SIL,
    5. Implement and maintain a Safety Management Plan, including:
       • Documentation,
       • Auditing, assessment and verification,
       • Procedures and planning,
       • Control of human factors.

  • IEC61511 Safety Lifecycle

    [Lifecycle diagram, with HAZOP and LOPA marked]

  • Fire and Gas Detection Systems

    Not much is said about Fire & Gas and fire fighting systems in IEC61508 or IEC61511.

    Fire and Gas Systems are considered an independent layer of protection for risk mitigation.

    Independence is required between the prevention layer (SIS) and the mitigation layer.

    Guidelines are provided in both standards for assigning a SIL to the prevention layer, but nothing for the mitigation layer (Fire and Gas).

    There is no clear indication that the fire detection system is a safety function.

    Fire and Gas Systems are designed to be energised-to-trip rather than de-energised-to-trip like most safety systems, which means they are designed with a focus on high reliability as well as integrity.

  • Fire and Gas Detection Systems

    Although a gas detection system has the same components as a normal safety function, that is sensors, logic solver and final element, it differs in the following aspects:

    Conventional safety functions are designed to prevent the hazard (or reduce the frequency of the unwanted event). A gas detection system, on the other hand, is designed mainly to mitigate (reduce the consequence of) the hazard, although it is sometimes used to prevent the hazard (when detection of gas results in plant shutdown).

    The integrity of a conventional safety function depends on the direct integrity (PFDavg) of all the components of the safety function, including the sensor integrity.

    In a gas detection system the sensors and final element may function properly, but they may not mitigate the hazard because:

    1. Gas sensors fail to detect the gas release because of incorrect positioning of the sensors.
    2. Wind may dilute the gas before it can be detected.
    3. There are not sufficient detectors (coverage).
    4. The final element acted successfully but still failed to mitigate the hazard.

    As a result it would be inaccurate to consider PFD(Avg.) for a gas detection system as purely the hardware integrity of the different components.

  • HES Report of Gas Detectors Performance

  • Fire and Gas Detection Systems Effectiveness

    Detector Coverage: The probability of the device actually being able to see the hazardous condition.

    Hardware Response: The probability of the hardware responding properly to the demand, i.e. 1 - PFD (Probability of Failure on Demand).

    Mitigation effectiveness: The probability that the overall system response actually prevents or mitigates the hazardous event.

  • Fire and Gas Detection Systems Effectiveness

    Gas Detector Coverage | Gas Detection System Hardware Integrity PFD(Avg.) | Mitigation Effectiveness
    99%                   | SIL 3 (99.99%)                                    | 99%

    Total Effectiveness = 0.99 x 0.9999 x 0.99 = 0.98

    PFD(Avg.) = 0.02, which meets SIL1
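As an added example (not from the deck), the effectiveness product above as a function, with the deck's 99% / SIL 3 / 99% case beside two constructed upgrade scenarios, to show which factor actually moves the layer's PFD. The SIL bands come from the deck's Safety Integrity Levels table.

```python
def sil_for_pfd(pfd: float) -> int:
    """SIL band (demand mode) from the deck's 'Safety Integrity Levels' table.
    Returns 0 when PFD(Avg.) is 0.1 or worse, i.e. below SIL 1."""
    pfd = round(pfd, 9)                # keep band boundaries stable in floating point
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def fg_effectiveness(coverage: float, hardware_pfd: float, mitigation: float) -> dict:
    """Total effectiveness of a gas detection layer as the deck defines it:
    detector coverage x hardware response (1 - PFD) x mitigation effectiveness.
    The layer's own PFD is then 1 - total effectiveness."""
    total = coverage * (1.0 - hardware_pfd) * mitigation
    pfd = 1.0 - total
    return {"effectiveness": total, "pfd": pfd, "sil": sil_for_pfd(pfd)}


def compare_upgrades() -> dict:
    """The deck's case next to two constructed alternatives: buying SIL 4
    hardware, or improving coverage and mitigation to 99.9% instead."""
    return {
        "deck case (99% / SIL 3 / 99%)": fg_effectiveness(0.99, 1e-4, 0.99),
        "hardware upgraded to SIL 4": fg_effectiveness(0.99, 1e-5, 0.99),
        "coverage and mitigation 99.9%": fg_effectiveness(0.999, 1e-4, 0.999),
    }


if __name__ == "__main__":
    for name, r in compare_upgrades().items():
        print(f"{name:32s} effectiveness={r['effectiveness']:.4f} "
              f"PFD={r['pfd']:.4f} -> SIL {r['sil']}")
```

With 99% coverage the layer stays at SIL 1 no matter how good the logic solver is; only coverage and mitigation move it to SIL 2.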

  • Detector Coverage Mapping / Gas Dispersion Modeling

    20% LEL Alarm Setting

    • 25 mm Hole Diameter and 20% LEL Cloud Boundary

    • Still Gas undetected, No Trip

    The 20% LEL pressurized release vapor envelope is expected to stop at the mesh wall of the fin fan structure, which is approximately 12 meters from M2 nozzle. The vapor will continue to travel, disperse and mix with air underneath the fin fan, where the lower concentration vapor will be blown vertically upwards by the fin fans and will intersect the line gas detectors GLR-2090. However, the existing line of sight gas detector may not be able to detect the vapour, as the vapour concentration may have been reduced to less than 20% LEL.

  • Detector Coverage Mapping / Gas Dispersion Modeling

    Detection outcome by release location, hole size and LEL cloud boundary (PU = Potentially undetected, MD = May be detected):

    Release Location           | 10 mm 20% LEL | 10 mm 40% LEL | 10 mm 100% LEL | 25 mm 20% LEL | 25 mm 40% LEL | 25 mm 100% LEL | 50 mm 20% LEL | 50 mm 40% LEL | 50 mm 100% LEL
    Slugcatcher                | PU | PU | PU | PU | PU | PU | PU | PU | PU
    Fuel gas system            | MD | PU | PU | MD | MD | PU | MD | MD | PU
    Inlet separator: Nozzle M2 | PU | PU | PU | MD | MD | PU | MD | MD | MD
    Inlet separator: Nozzle N7 | PU | PU | PU | PU | PU | PU | PU | PU | PU
    Turbo expander             | MD | MD | MD | MD | MD | MD | MD | MD | MD
    Propane storage            | MD | PU | PU | MD | MD | PU | MD | MD | PU
    Butane storage             | MD | MD | MD | MD | MD | MD | MD | MD | MD
    Propane tanker loading bay | MD | MD | PU | MD | MD | MD | MD | MD | MD
    Butane tanker loading bay  | MD | MD | MD | MD | MD | MD | MD | MD | MD
    Sale gas launcher          | MD | MD | MD | MD | MD | MD | MD | MD | MD

  • Quantitative Assessment of Fire & Gas System

    Gas detection system effectiveness depends largely on the sensors' coverage capabilities, including their number and voting.

    History has shown that the probability of gas detection failure is high irrespective of the technology used and the design techniques.

    Accurate gas dispersion modelling that considers all possible scenarios is essential in optimising the gas detector locations.

    Integrating gas dispersion modelling results with the IEC61508/IEC61511 and NFPA standards requirements is quite possible by assessing the detector coverage risk reduction more accurately.

  • The IEC61508/IEC61511 Mandate Security Risk Assessment

    The recent ACSC threat report 2015 shows that the number, type and sophistication of cyber security threats worldwide are increasing.

    Organisations could be a target for malicious activities even if they do not think that the information they hold on their networks is valuable.

  • Source: ACSC Threat Report 2015

  • Requirement for Security Risk Assessment

    A new sub-clause has been introduced in the process and risk assessment section of edition 2.

    A security Risk Assessment shall be carried out on the SIS and its associated devices.

    The assessment should cover: Devices, Threats, Consequences, Phase, Additional RR Measures.

    Referenced standards:
    IEC 62443-2-1:2010 Industrial communication networks – Network and system security
    ISO/IEC 27001:2012 Information technology – Security techniques – Guidelines for cybersecurity

  • Requirement for Security Risk Assessment

    What is a Cyber Security Event? It can be defined as:

    Intentional or unintentional interference with the proper process operation of an Industrial Automation and Control System or Safety Instrumented System through the use of a computer, network, operating system, application or other programmable/configurable electronic system.

    What is it? Malware; Unauthorized intrusion; Accidental

  • 8.2.4 A security risk assessment shall be carried out on the SIS and its associated elements (e.g., the BPCS). It shall result in:

    a) description of the devices covered by this risk assessment (e.g., SIS, BPCS or any other device connected to the SIS);

    b) description of identified threats that could exploit vulnerabilities and result in security events (including intentional attacks on the hardware and related software, as well as unintentional events resulting from human error);

    c) description of the potential consequences resulting from the security events and the possibility of these events occurring; consideration of various phases such as design, implementation, commissioning, operation, and maintenance;

    IEC 61511-1:2016 clause 11.2.12 – “The design of the SIS shall be such that it provides the necessary resilience against the identified security risks. Note Guidance related to SIS security is provided in IEC 62443-2-1:2010.”

    IEC 62443

  • IEC62443 Cyber Security Management System

  • IEC62443

    An intentional cyber attack could cause more damage than a normal process accident, as it could be planned in ways that one would not expect or consider during process risk assessment.

    There is no quantitative risk assessment for cyber risk. Currently the assessments are qualitative.

    There are no quantitative measure values for cyber security protection measures (firewall and others).

  • Accidents – ESSO Longford Accident

    On Friday 25/9/1998, at about 12:26 PM

    A vessel in Esso Longford’s Gas Plant 1 fractured, releasing hydrocarbon vapors and liquid.

    Explosions and a fire followed.

    Two Esso employees were killed.

    Eight others were injured.

    The supply of natural gas to domestic and industrial users ceased.

  • Accidents – ESSO Longford Accident

  • Accidents – Bhopal, India

    December 2, 1984

    Cyanide release resulting from the introduction of water to a methyl isocyanate storage tank

    Runaway reaction resulted in discharge through the vessel relief system

    Protective equipment was out of order:

    • tank refrigeration was shut down

    • discharge scrubber not available

    • flare out of service

  • Accidents – Bhopal, India

    Catastrophic impact on the surrounding community.

    7,000 fatalities

    200,000 injuries

    Thousands of the injured are seriously disabled, suffering long term neurological and respiratory damage.

    Many victims suffer post traumatic stress syndrome.

  • Accidents – Explosion at BP Texas City Refinery

    March 23, 2005

    During the startup of the BP octane-boosting isomerization unit, a distillation tower and attached blowdown drum were overfilled with flammable liquid hydrocarbons.

    Because the blowdown drum vented directly to the atmosphere, there was a geyser-like release of flammable liquid, forming a vapor cloud that spread rapidly through the area.

    A diesel pickup truck that was idling nearby ignited the vapor, initiating a series of explosions and fires that swept through the unit and the surrounding area.

  • Accidents – Explosion at BP Texas City Refinery

  • [Diagram: layer-of-protection chain for the BP Texas City scenario. Tolerable acceptable Risk = 1.0E-6; columns Pr. Occupancy, Pr. Ignition, SIS, KD LS Alarm, LS Alarm, LT Alarm, Operator Error; bars for Initiator Event Likelihood, Intermediate Event Likelihood, Hazardous Event Likelihood = 1.0E-4 and Required Risk Reduction. The factors shown are 0.01 x 0.1 x 0.1 x 1 x 1 with PFD SIS = 1 (their product is the 1.0E-4 hazardous event likelihood, two orders of magnitude above the tolerable risk).]
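As an added example (not from the deck), the two layer-of-protection chains in Python: Example 2 from "Determining SIL – Example 2" above and the BP Texas City chain just shown. It multiplies the initiating event likelihood by the conditional modifiers and the non-SIS layer PFDs, compares the result with the tolerable 1.0E-6, and reads the required SIS PFD and SIL from the deck's SIL table. The 1/yr initiating frequency in Example 2, the 0.01/yr initiator in the Texas City case and the mapping of factors to columns are assumptions; the SIL 2 that comes out for Texas City is what the arithmetic gives, not a figure stated on the slides.

```python
import math
from typing import Dict, Optional

# Required risk reduction factor (RRF = 1 / PFDavg) per SIL, from the deck's
# "Safety Integrity Levels" table: SIL 1 is PFD 0.1..0.01 (RRF 10..100), etc.
SIL_RRF_BANDS = ((4, 10_000), (3, 1_000), (2, 100), (1, 10))


def sil_for_rrf(rrf: float) -> int:
    """SIL whose band covers a required risk reduction factor; 0 = below SIL 1."""
    rrf = round(rrf, 6)                 # avoid float noise at band boundaries
    for sil, lower in SIL_RRF_BANDS:
        if rrf >= lower:
            return sil
    return 0


def lopa(initiating_freq: float, layers: Dict[str, float], tolerable: float,
         sis_pfd: Optional[float] = None) -> dict:
    """Carry a layer-of-protection chain through as the deck's diagrams do.

    initiating_freq: initiating event likelihood, per year.
    layers: conditional modifiers (occupancy, ignition) and the PFD of each
            non-SIS layer (PSV, alarm & operator, BPCS ...), each in 0..1.
    tolerable: tolerable (acceptable) hazardous event frequency, per year.
    sis_pfd: PFDavg of the SIS, or None when no SIS exists (PFD taken as 1).
    """
    without_sis = initiating_freq * math.prod(layers.values())
    hazard_freq = without_sis * (1.0 if sis_pfd is None else sis_pfd)
    return {
        "hazard_freq": hazard_freq,                    # hazardous event likelihood
        "meets_tolerable": round(hazard_freq, 12) <= tolerable,
        "required_rrf": without_sis / tolerable,       # reduction the SIS must give
        "required_sis_pfd": min(1.0, tolerable / without_sis),
        "required_sil": sil_for_rrf(without_sis / tolerable),
    }


def example_2() -> dict:
    """Deck's Example 2: factors 0.1 x 0.5 x 0.01 x 0.5 x 0.1 against a
    tolerable 1.0E-6 give PFD SIS = 0.04, i.e. SIL 1. The 1/yr initiating
    frequency and the assignment of factors to columns are assumptions."""
    layers = {"Pr. Occupancy": 0.1, "Pr. Ignition": 0.5, "Non-SIS (PSV)": 0.01,
              "Alarm & Operator": 0.5, "BPCS failure": 0.1}
    return lopa(1.0, layers, tolerable=1e-6, sis_pfd=0.04)


def texas_city() -> dict:
    """Deck's BP Texas City chain: factors 0.01 x 0.1 x 0.1 x 1 x 1 with no
    SIS (PFD 1) give a hazardous event likelihood of 1.0E-4 against the same
    1.0E-6 target. Which factor belongs to which column is an assumption."""
    layers = {"Pr. Occupancy": 0.1, "Pr. Ignition": 0.1,
              "Level alarms (KD LS, LS, LT)": 1.0, "Operator Error": 1.0}
    return lopa(0.01, layers, tolerable=1e-6, sis_pfd=None)


if __name__ == "__main__":
    for name, result in (("Example 2", example_2()), ("Texas City", texas_city())):
        print(name, {k: (round(v, 6) if isinstance(v, float) else v)
                     for k, v in result.items()})
```

For Texas City the chain lands at 1.0E-4 with every alarm and operator layer at PFD 1, so closing the gap to 1.0E-6 needs a risk reduction factor of 100, a SIL 2 function.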

  • Determining SIL from level of risk (the same risk matrix as shown above)

  • Conclusion

    • Accidents may happen because of deficiencies in accurately identifying the consequences of a hazard.

    • History also shows that many accidents occur because layers of protection (measures) were:

    - Not correctly identified to protect against the hazard scenario identified.
    - Not taking into consideration all modes of operation.
    - Not sufficient to reduce the risk to a suitable level.
    - Incorrectly designed for the required risk reduction.
    - Lacking understanding of functional safety and the related standards (IEC 61511 / IEC 61508).
    - Not maintained, inspected and tested to keep the required performance.

  • Questions ?

  • THANK YOU.
