
Page 1: PROCESS SAFETY STANDARDS - Werner Electric · 2004 –ANSI/ISA-84.00.01 Parts 1, 2 & 3. • These are identical in content and purpose as IEC61511. • ISA84 Technical Reports. •

PROCESS SAFETY STANDARDS

Page 2

Process Safety: Recent Events

Recent - High profile chemical plant incidents

West Fertilizer Company, West TX, 2013

• Ammonium nitrate explosion, loss of life, injuries, and property loss

Williams Chemicals, Geismar LA, 2013

• Olefins plant explosion, loss of life, injuries, and property loss

BP Amoco, Texas City TX, 2005

• Refinery explosion in the ISOM unit, loss of life, injuries, and property loss

Older high profile incidents

Union Carbide, Bhopal India, 1984

• Toxic release of Methyl Isocyanate, 20K+ fatalities: Essentially there were breakdowns in most areas of PSM: poor mechanical integrity (vessel condition, vent scrubbers, temperature control systems), poor planning (manual operations, siting close to large population centers), poor usage of safety systems (systems turned off and in disrepair), poor operation of the plant (too much MIC stored in a single vessel), etc.

Chemical plants, by their very nature of containing volatile chemicals and operating at elevated temperatures, are dangerous.

Often the control systems are the “last line of defense” in protecting against a loss event.

Page 3

Process Safety: Theory & Common Terms

Process Safety Management (PSM): The proactive and systematic identification, evaluation, and mitigation or prevention of chemical releases that could occur as a result of failures in process, procedures, or equipment.

• Part of OSHA Occupational Safety and Health Standards, Process Safety Management of Highly Hazardous Chemicals (29 CFR 1910.119)

• PSM applies to most industrial processes containing 10,000+ pounds of hazardous material

What does PSM cover?

• Process Control and Information Systems

• Mechanical Integrity (piping, vessels, instruments, and containment systems)

• Employee Training, Involvement, and Contractor Management

• Process Hazard Analysis, LOPA, FMEA and other risk assessment work processes

• Operating Procedures (Pre-Startup Safety Review, Safe/Hot Work Permits, and Management of Change)

• Incident Investigation & Emergency Planning and Response

• Compliance Audits

Page 4

Process Safety: Theory & Common Terms

Process Safety Management is a regulation, promulgated by the U.S. Occupational Safety and Health Administration (OSHA). A process is any activity or combination of activities including any use, storage, manufacturing, handling or the on-site movement of highly hazardous chemicals (HHCs) as defined by OSHA and the Environmental Protection Agency.

ANSI/ISA S84: A consensus standard for SIS in the process industries. It covers electrical, electronic, and programmable electronic technology, and provides information related to the design and manufacture of SIS products, selection, application, installation, commissioning, pre-startup acceptance test, operation, maintenance, documentation and testing.

ESD/Safety System: Refers to an Emergency Shutdown System. Typically a completely separate control system (separate field instruments, controller, I/O, power supply and enclosures from the BPCS) which monitors key safety inputs and shuts down the process when an unsafe condition is detected. Typically SIL rated.

SIF: Control functions performed by an SIS are called Safety Instrumented Functions. Example of a SIF: measure the reactor temperature; if it is too high, close the feed valve and turn on the cooling pump.

SIL: Refers to Safety Integrity Level. It is a relative level of risk-reduction provided by a safety function. The higher the SIL rating, the lower the Probability of Failure on Demand (PFD).

SIS: Safety Instrumented System. A set of HW & SW controls used on safety systems. Typically separate instruments, power supplies, and controllers from the BPCS to independently ensure process safety.
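The SIL definition above ties the SIL band to the Probability of Failure on Demand, and the SIF example is a reactor high-temperature trip. The following added illustration (not code from the Werner Electric deck) runs a simplified low-demand SIL verification for that SIF: it sums the PFDavg of the sensor, logic solver and final element, compares a single valve against a 1oo2 valve pair with a beta-factor common-cause term, and maps the result to a SIL band. The failure rates, proof-test interval and beta value are constructed sample values, not vendor data.

```python
"""Simplified SIL verification for a reactor high-temperature SIF
(measure reactor temperature; on high, close the feed valve).
Added illustration; failure rates and the proof-test interval are
constructed sample values, not vendor or standard-supplied data."""

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands from IEC 61508/61511: (SIL, PFDavg lower, upper bound).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd_avg: float) -> int:
    """Map an average PFD to its SIL band; 0 means the SIF delivers less
    than a factor of 10 risk reduction and cannot be claimed as SIL 1."""
    if pfd_avg < 1e-5:          # better than the SIL 4 target; SIL 4 is the ceiling
        return 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0


def pfd_1oo1(lambda_du: float, ti_hours: float) -> float:
    """Simplified PFDavg of a single channel (HFT = 0): undetected
    dangerous failure rate (per hour) times proof-test interval, halved."""
    return lambda_du * ti_hours / 2.0


def pfd_1oo2(lambda_du: float, ti_hours: float, beta: float) -> float:
    """Simplified PFDavg of a 1oo2 redundant subsystem (HFT = 1): the
    independent term plus a beta-factor common-cause term, which usually
    dominates and limits what redundancy alone can buy."""
    independent = (lambda_du * ti_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * ti_hours / 2.0
    return independent + common_cause


def evaluate_sif(subsystems: dict, ti_hours: float = HOURS_PER_YEAR, beta: float = 0.05) -> dict:
    """Sum the PFDavg of sensor, logic solver and final element (a series
    chain: any one failing dangerously defeats the SIF) and classify it.
    subsystems maps a name to (lambda_du per hour, architecture)."""
    contributions = {}
    for name, (lambda_du, arch) in subsystems.items():
        if arch == "1oo1":
            contributions[name] = pfd_1oo1(lambda_du, ti_hours)
        elif arch == "1oo2":
            contributions[name] = pfd_1oo2(lambda_du, ti_hours, beta)
        else:
            raise ValueError(f"unsupported architecture {arch!r} for {name}")
    total = sum(contributions.values())
    # PFDavg alone does not settle the SIL: IEC 61511 also imposes hardware
    # fault tolerance and systematic capability constraints on the design.
    return {"pfd": total, "rrf": 1.0 / total, "sil": sil_from_pfd(total), "parts": contributions}


# Constructed sample: temperature transmitter, logic solver, feed valve (all 1oo1).
REACTOR_SIF_SINGLE = {"tt": (5e-7, "1oo1"), "logic": (1e-8, "1oo1"), "valve": (2e-6, "1oo1")}
# Same SIF with the weakest link, the valve, made redundant (1oo2).
REACTOR_SIF_DUAL_VALVE = {"tt": (5e-7, "1oo1"), "logic": (1e-8, "1oo1"), "valve": (2e-6, "1oo2")}

if __name__ == "__main__":
    for label, design in (("single valve", REACTOR_SIF_SINGLE), ("1oo2 valves", REACTOR_SIF_DUAL_VALVE)):
        r = evaluate_sif(design)
        print(f"{label}: PFDavg={r['pfd']:.2e} RRF={r['rrf']:.0f} -> SIL {r['sil']}")
```

With these sample values the single-valve design lands just inside SIL 1 with the valve contributing most of the PFD, and the 1oo2 valve pair moves the SIF into SIL 2 while the common-cause term, not the independent term, sets the floor.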

Page 5

Process Safety: Theory & Common Terms

PHA/H&RA: Refers to Process Hazard Analysis (the term used by OSHA) and Hazard and Risk Assessment (the term used by IEC/ISA). This is a study to identify what hazards are present, the likelihood of harm (explosion, damage to equipment, or harm to human or environmental health), and what is required to mitigate the identified risk (the likelihood of harm).

Methods to achieve this include HAZID, HAZOP, What If Checklist, FMEA, etc.

These studies lead into process design considerations (e.g. relief, vessel and pipe ratings) and SIS requirements (e.g. SIL rating).

Page 6

The US Government is taking notice

Responding to recent catastrophic chemical facility incidents in the United States, President Obama issued Executive Order (EO) 13650: “Improving Chemical Facility Safety and Security” on August 1, 2013.

The focus of the EO is to reduce risks associated with hazardous chemical incidents to owners and operators, workers, and communities by enhancing the safety and security of chemical facilities.

Page 7

OSHA Requirements

• Where it applies

• “A process which involves a chemical at or above the specified threshold quantities listed in Appendix A.”

• 10,000lbs of Anhydrous Ammonia

• 1,500lbs of Chlorine

• 10,000lbs of Flammable Liquid (flashpoint < 100 °F) or Gas (Category 1)

• “ This OSHA standard is required by the Clean Air Act Amendments as is the Environmental Protection Agency's Risk Management Plan.”

• Where it DOES NOT apply

• Oil or Gas drilling facilities, Service operations, or normally unoccupied remote facilities.

In 1991 OSHA published 29CFR1910.119, Process Safety Management (PSM) of Highly Hazardous Chemicals.

Page 8

What Does Complying with OSHA Mean?

• What does all of this mean?

• It means you can (as an End User) develop your own Processes internally which meet all of the objectives laid out in 29CFR1910.119

OR

• You can follow a Process Safety standard written by End Users, for End Users, based on all of the lessons the International Process community has learned over the years.

• What is that Process Safety standard?

• IEC61511 - Functional safety – Safety instrumented systems for the Process Industry Sector

• ISA84.00.01 - Functional Safety: Safety Instrumented Systems for the Process Industry Sector

Page 9

How OSHA PSM and Industry STDs Sync

• OSHA 29CFR1910.119

• Mandates PHA by May 1997 and every 5 years after.

• Mandates prompt implementation of recommendations.

• Mandates operating procedures/safe work practices (yearly validated).

• Mandates training, refreshed at least every 3 years.

• Mandates a Mechanical Integrity program.

• Mandates testing (RAGAGEP).

• Mandates ‘Management of Change’.

• Mandates ‘Incident Investigation’.

• Mandates Compliance audits every 3 years.

• ANSI/ISA 84.00.01/IEC61511

• Perform an H&RA (PHA), update/review on change.

• Define Safety Requirements (SRS).

• Design SIS according to SRS.

• Install, Commission & Validate SIS (against SRS).

• Maintain SIS.

• MOC process.

OSHA 29CFR1910.119: Prescriptive (legislation), with little guidance.

ANSI/ISA 84.00.01/IEC61511: Performance-based, with guidance & examples.

[Figure: the IEC61511 safety lifecycle. Each of the eight phases below has a “Verify” step alongside it, and Functional Safety Management (FSM), Functional Safety Audits (FSA) & Lifecycle Planning span the whole lifecycle. Clause numbers refer to IEC61511-1 Edition 1.]

Analyze Phase

• Hazard & Risk Analysis (H&RA) – Clause 8

• Allocation of Safety Functions to Protection Layers – Clause 9

• Safety Requirements Specification (SRS) – Clauses 10, 12

Realize Phase

• Design & Engineer Safety Instrumented System (SIS) – Clauses 11, 12

• Install, Commission and Validate – Clauses 14, 15

Operate Phase

• Operation and Maintenance – Clause 16

• Modification – Clause 17

• Decommissioning – Clause 18

Lifecycle Based

Page 10

ISA84 Standard - History

• 1996 – ANSI/ISA-S84.01 was published.

• The intent of ISA-S84.01 was to publish a “Sector Specific Safety Standard”, based on the CCPS principles, published in the 1991 book “Guidelines for the Safe Automation of Chemical Processes”.

• 2004 – ANSI/ISA-84.00.01 was published.

• This is identical to IEC61511, Edition 1, with the exception that clause 1y was added, which related to “grandfathering” so that it would not conflict with OSHA 29CFR1910.119 (OSHA PSM).

ISA84.00.01 is the US National Standard for Process Safety

Page 11

ISA84 Standard - Information

• 2004 – ANSI/ISA-84.00.01 Parts 1, 2 & 3.

• These are identical in content and purpose to IEC61511.

• ISA84 Technical Reports.

• There are seven (7) Technical Reports, which have been produced by cross functional teams intended to provide specific guidance and examples.

ISA84.00.01 like IEC61511 has three (3) parts, but it does differ from IEC61511 in that it has multiple ‘Technical Reports’.

Page 12

ISA84 Standard - Information

• TR84.00.02 – SIL Calculations.

• TR84.00.03 – Mechanical Integrity.

• TR84.00.04 – Guidance on implementation of IEC61511.

• TR84.00.05 – Burner Management.

• TR84.00.07 – Fire and Gas.

• TR84.00.08 – Wireless for Safety.

• TR84.00.09 – Security for SIS.

Page 13

Process Safety Fundamentals


Safety Systems are defined by two International Standards:

• Product Manufacturers (Rockwell Automation)

• System Integrators and End Users

Page 14

IEC61511 Information

• IEC61511-1

• This is what in IEC terms is called the ‘Normative’ part; it is essentially the part that provides the ‘Mandatory’ clauses, although it should be noted that not all of its clauses are in fact mandatory.

• IEC61511-2

• This is a clause-by-clause explanation of the meaning of Part 1; it is known as an ‘Informative’ part.

• IEC61511-3

• This is another ‘Informative’ part of the standard; it provides ‘real’ examples of how to apply the various methods and techniques referenced in Part 1.

It is important to understand that IEC61511 has three (3) parts to the standard.

Page 15

IEC61511 Status

• 2016 – IEC61511 Edition 2 was published (13 Years after Edition 1).

• There was no change in the intent of the standard, but new concepts around ‘Systematic Capability’ (human error) and ‘Cybersecurity’ were added. Other areas, such as Functional Safety Management, requirements traceability, proven in use, detailed design and software integration testing, were clarified, strengthened and updated.

• A significant terminology change was made, ‘Software’ was changed to ‘Application Program’.

• There was some restructuring of the standard: the Application Software requirements were moved from Clause 12 to Clause 10.

• Current published ‘stability date’ is 2019.

The IEC61511 maintenance cycle was delayed, principally because it is derived from the IEC61508 standard, so it could not be updated until IEC61508 Edition 2 was published.

Page 16

Changes to IEC61511

In July 2016, Edition 2 of IEC61511 was published by IEC; the key changes as stated by IEC are as follows:

• This second edition cancels and replaces the first edition published in 2003. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition:

• references and requirements to software replaced with references and requirements to application programming;

• functional safety assessment requirements provided with more detail to improve management of functional safety;

• management of change requirement added;

• security risk assessment requirements added;

• requirements expanded on the basic process control system as a protection layer;

• requirements for hardware fault tolerance modified and should be reviewed carefully to understand user/integrator options.

Page 17

Changes to IEC61511

References and requirements to software replaced with references and requirements to application programming

• The key thing here is that where ED1 referred to “Software” (and it was never really clear whether this applied to application configuration, application programming, custom software routines, etc.), ED2 now refers to “Application”.

• The standard specifically addresses code/configuration designed and written in LVL (Limited Variability Language) and FPL (Fixed Program Language) for devices and logic solvers. This is consistent with the diagram in ED1 (Fig 3), which addresses what software is covered by IEC61511 vs IEC61508.

• The Application Software requirements are now part of Clause 10, instead of Clause 12 in ED1.

Page 18

Changes to IEC61511

Functional safety assessment requirements provided with more detail to improve management of functional safety.

• Requirements for Competence strengthened and specific clause requiring Competency management added.

• Suppliers claiming compliance with IEC61511 now require a Functional Safety Management System in place meeting IEC61508.

• FSA scope expanded and formalized as being required at 5 stages; only one stage was formally required in ED1.

Page 19

Changes to IEC61511

Management of change requirement added

• Management of Change has always been a requirement (Clause 17); what has changed is that it has been linked with the changes in Functional Safety Management (FSM, Clause 5), so Clause 17 now references an FSA from Clause 5.

Page 20

Changes to IEC61511

Security risk assessment requirements added

• Security was not ignored in ED1; there are references to ‘security’ in Clause 11 and Clause 17, which in general have not changed.

• A new clause (8.2.4) has been added requiring an SIS Security Assessment for the SIS.

Page 21

Changes to IEC61511

Requirements expanded on the basic process control system as a protection layer.

• Clause 8 and Clause 9 have additional detail that makes it clearer where, when and how much credit can be taken for BPCS functions as a protection layer (and under what conditions).

Page 22

Changes to IEC61511

Requirements for hardware fault tolerance modified and should be reviewed carefully to understand user/integrator options.

• The key thing here is that the term Safe Failure Fraction (SFF) has been eliminated from the standard.

• The two tables in ED1 for field devices and logic solvers that stated the HFT requirements based on SFF have now been replaced by a single table stating HFT based on SIL, although there are also specific requirements for DC (which are no longer part of the table).

• HFT requirements are now referred directly back to the requirements stated in IEC61508 (Route 1H or 2H).

Page 23

Changes to IEC61511

Other general changes, which are no less important, are:

• Definitions – are now in line with IEC61508.

• High Demand and Continuous Mode are now separately defined and addressed (in line with IEC61508).

• Process industry definition expanded.

• Grandfathering now added (part of Clause 5).

• Operation & Maintenance (Clause 16) expanded.

• Proven in Use and Prior Use clarified.

• Proven in Use is based on manufacturer’s data; Prior Use is based on documented in-service use.

Page 24

How Can Rockwell Automation Help?

▪ An introduction to functional safety for process applications

▪ Based on Rockwell’s practical experience of Functional Safety applications over MANY years

▪ FREELY distributed to Customers….

http://literature.rockwellautomation.com/idc/groups/literature/documents/rm/safebk-rm003_-en-p.pdf