sven grone functional safety whos safe

ACI CONNECT 2014 Principals of Func/onal Safety -‐ Are you Safe? Sven Gröne – TUV FS Engineer ID:973/07 Safety Services Prac/ce Director APAC & ME

ACI CONNECT 2014

§  What is Func/onal Safety

§  Why do we need Func/onal Safety

§  Relevant Func/onal Safety Standards

§  What is SIS, SIF, SIL ?

§  How is a SIS different from DCS (BPCS)

§  Classifying Risk

§  Prac/cal Implementa/on Considera/ons

§  Examples of SIF Loop Design

Agenda

SIS – Safety Instrumented System

SIF – Safety Instrumented Func/on

SIL – Safety Integrity Level

PFD – Probability of Failure on Demand

PHA – Process Hazard Analysis

LOPA – Layer Of Protec/on Analysis

SRS – Safety Requirement Specifica/on

PES – Programmable Electronic System

BPCS – Basic Process Control System

Func/onal Safety Acronyms

ESD – Emergency Shutdown System

PSD – Process Shutdown System

F&G – Fie & Gas Detec/on System

BMS – Burner Management System

TMC – Turbomachinery Control

BSS – Boiler Safety System

HIPPS – High Integrity Pressure Protec/on System

Func/onal Safety Applica/ons

What is Func/onal Safety Defini/on from IEC Website: Func/onal Safety is: 1.  Freedom from unacceptable risk of physical injury or of

damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.

2.  Part of the overall safety that depends on a system or equipment opera/ng correctly in response to its inputs.

3.  Is the detec/on of a poten/ally dangerous condi/on resul/ng in the ac/va/on of a protec/ve or correc/ve device or mechanism to prevent hazardous events arising or providing mi/ga/on to reduce the consequence of the hazardous event.

What is Func/onal Safety From IEC Website:

•  Func/onal safety is a concept applicable across all industry sectors that is fundamental to the enabling the use of complex technology for safety-‐related systems.

•  It provides the assurance that the safety-‐related systems will offer the necessary risk reduc/on required to achieve safety for the equipment.

•  The oil and gas industry, chemical, mining, nuclear plants, plas/cs, pulp & paper and many others, all rely heavily on func/onal safety to achieve overall safety for their opera/ons.

What is Func/onal Safety

•  Func/onal safety relies on ac#ve systems.

For example: •  The detec0on of smoke by sensors and the ensuing intelligent ac0va0on of a fire suppression system

•  The ac0va0on of a level switch in a tank containing a flammable liquid, when a poten0ally dangerous level has been reached, which causes a valve to be closed to prevent further liquid entering the tank and thereby preven0ng the liquid in the tank from overflowing.

•  Safety achieved by passive systems is not classed func/onal safety.

For example: •  A fire resistant door or insula0on to withstand high temperatures. These are passive measures, and while

they can protect against the same hazards as func0onal safety concepts, they are not instances of func0onal safety.

Why do we need Func/onal Safety

Incide

nt Rates

Time

Facili/es & Engineering

Management Systems

Human Factors

(Personnel Safety )

Plateau

(Process Safety ) Major losses not trending as Rapidly

2000’s 2010’s 1980’s 1990’s

“A reduc/on in less serious injuries does not necessarily correspond to a propor/onate reduc/on in serious incidents and fatali/es” -‐ Thomas Krause Ph.D (Behavioural Science Technology Inc.)


44 %Specifications

20 %Changes after commissioning

15%Operations and

maintenance

6%Installations and commissioning

15%Design and

implementations

(2nd edi#on, source: © Health & Safety Execu#ve HSE – UK)

Analysis Of 34 Incidents, based on 56 causes iden#fied


PLC & Field Instrumentation


•  Humans are fallible…..we make mistakes

•  Having a good LTI and PPE compliance record does not mean the plant is safe

•  Process industries and the automa/on technology employed is complex

•  Designers can’t imagine (and mi/gate) every possible hazard scenario, both at day one and 20+ years ajer start-‐up

•  Management needs to be aware of safety, and treat it as an “opera/onal integrity” issue – not a burden, or barrier to profits

•  Increasing cost of safety incidents

Benefits of Func/onal Safety •  Protect corporate reputa#on •  Maximize business con#nuity

•  Minimize business interrup/on •  Minimize down/me •  Minimize cost of an incident / damages •  Minimize investment and lifecycle costs

•  Maximize produc/on •  Maximize Return On Assets •  Maximize Overall Equipment Effec/veness

Benefits of Func/onal Safety

$afety Pays

Safety-‐related systems: E/E/PES

Realisa/on [see E/E/PES

Safety Lifecycle]

9

Concept 1

Overall Scope Defini/on

2

Hazard & Risk Analysis

3

Overall Safety Requirements

4

Safety Requirements Alloca/on

5

Overall Installa/on & Commissioning

12

Overall Safety Valida/on

13

Overall Opera/on & Maintenance

14

Decommissioning 16

Safety-‐related Systems: Other

Technology

Realisa/on

10

Overall Modifica/on & Retrofit

15

back to appropriate Overall Safety Lifecycle

Phase

Overall

Opera/on & Maint Planning

Overall Valida/on Planning

Overall

Installa/on & Com-‐

missioning Planning

Overall Planning

6 7 8 External Risk Reduc/on Facili/es

Realisa/on

11

Func/onal Safety Lifecycle – IEC 61508

Analysis Phase

Realisa/on

Phase

Opera/on Phase

Evolving Standards •  IEC 61508 is an “umbrella standard” for func/onal safety across

all industries

•  Each industry then uses IEC 61508 as a guide to develop industry specific standards Released 1997

Updated 2010 Released 2004 Updated 201x

Design and Development of Other

Means of Risk Reduc/on Subclause 9

Risk Analysis and Protec/on Layer Design

Subclause 8 Manage -‐ ment of

Func/onal Safety and

Func/onal Safety Assess -‐ ment

Clause 5

Safety Lifecycle Structure

and Planning

Sub -‐ clause 6.2

Design and Engineering of Safety Instrumented System

Subclause 11 4

Installa/on, Commissioning and Valida/on Subclauses 14

5 Opera/on and Maintenance 6 Subclause 15

Modifica/on 7 Subclause 15.4

Verifica -‐ /on

Sub -‐ clause 7, 12.7 Decommissioning

8 Subclause 16

Safety Requirements Specifica/on for the Safety

Instrumented System 3 Subclause 10

Alloca/on of Safety Func/ons to

Protec/on Layers Subclause 9 2

1

10 11

Func/onal Safety Lifecycle – IEC 61511

Analysis Phase

Opera/on Phase

Realisa/on

Phase

Lifecycle planning process

Lifecycle Mngt & Assessment

Lifecycle verification &

validation

Conceptual Process Design

Process Hazards Analysis

SIF Definition

SIL Selection

Conceptual Design

SIL Verification

Design Specifications

Construction, Installation, And Commissioning

PSAT

Operation, Maintenance and Testing

Procedure Development

Management of Change

Safety Lifecycle – simple view

Which standard do I use?

Standards Compliance •  Compliance to func/onal safety standards is not legislated

•  Compliance is considered “best engineering prac/se” •  Standards are ojen referenced by regula/ons – in which case

compliance is legislated

•  Regula/ons referencing IEC standards include •  AS 3814 for Type B gas appliances •  AS 1375 (Draj) for suspended fuel fired devices •  NFPA 85/86 Boiler & combus/on systems •  FM AS 7605 – PLC Based Burner Management

Independent Layers of Protec/on(IPL)

SIS is an IPL

Wild process parameter

Trip level alarm

High level High level alarm

Process value

Emergency Shut Down action

Low level Normal behavior

Safety Instrumented System

Basic Process Control System

Operator Intervention

Relief valve, Rupture disk

Dike

Active protection layer

Passive protection layer

Emergency response layer Plant and/or Emergency Response

Isolated protection layer

Process control layer

Process control layer

P R E V E N T I O N

M I T I G A T I O N

Plant Design

Preven/on vs. mi/ga/on (IPL)

Opera#onal Integrity + 20 years Design Integrity

TIME VISIBILITY COMPLACENCY

Hazard

Harm

Hazard

Harm

GAP

Why we need to manage IPL

…..Yukiya Amano, the head of the Interna/onal Atomic Energy Agency, told the Financial Times in an interview, ………. ............that complacency “is the enemy of nuclear safety”.

Formal Defini#on: •  SIS – “instrumented system used to implement one or

more safety instrumented func/ons (SIF). A SIS is composed of any combina/on of sensor(s), logic solver(s), and final element(s)” (IEC 61511)

Informal Defini#on: §  Instrumented Control System that detects “out of control” condi/ons and automa/cally returns the process to a safe state

“Last Line of Defense” §  Not basic process control system (BPCS)

What is a SIS?

SIS Logic Processor

Process Process

Safety valve

Logic solver(s)

Output Input

Transmirer

Final Element(s) Sensor(s)

SV

IAS

What makes up a SIS?

PT102

PT101

USC102

PIC101

PV101

UV102

SIS

BPCS

How is a SIS different from the BPCS?

§  Standard PLC/BPCS has unknown failure modes – don’t know how it will fail before it fails

§  Safety PLC is guaranteed to fail safely to within cer/fied probability (SIL 1, 2 or 3) – very high level of auto test & internal diagnos/cs

§  Safety PLC is cer/fied by a 3rd party to interna/onal standards IEC 61508, IEC 61511 – TÜV

§  Cer/fica/on includes cer/ficate, report to the cer/ficate AND opera/onal requirements/restric/ons

§  Safety PLC must be configured by person with appropriate safety competency (i.e. training, experience or cer/fica/on)

What is special about a “safety” PLC?

Select Technology §  Check device Failure Rate §  Check cer/fica/ons (TÜV) for use in SIS applica/ons §  Read Safety Manual for Cer/fied Equipment Restric:ons

Prac/cal considera/ons

www.tuv-‐fs.com

Formal Defini#on: •  SIF – “func/on to be implement by a SIS which is

intended to automa/cally achieve or maintain a safe state for the process with respect to a specific hazardous event.” (IEC61511)

Informal Defini#on: •  Independent safety loop or interlock that automa/cally

brings process to a safe state in response to specific ini/a/ng events

PT102

PT101

USC102

PIC101

PV101

UV102

SIS

BPCS

What is a SIF?

Sensors Final elements

SIS SIF # 1

Logic Solver

SIF vs. SIS?

SIF # 2

Informal Defini#on:

SIL ..the Safety Integrity Level of a specific Safety Instrumented Func/on (SIF) which is being implemented by a Safety Instrumented System (SIS).

OR

The amount of risk reduc/on achieved by a specific Safety Instrumented Func/on (SIF)

Safety Integrity Level

SIL 4

SIL 3

SIL 2

SIL 1

What is SIL ?

PFDavg = λDU TI / 2 PFD: Probability of Failure on Demand

λDU: Dangerous Undetected Failures TI: Test Interval (proof)

SIL expressed as a “probability”

SIL 1

SIL 2

SIL 3

SIL 4

PFD (t)

/me

PFDavg

test interval

Func/onal Proof Tests •  Frequency •  Online or during Shutdown •  Full Func/onal Test or Par/al Test •  Full proof test may require plant off-‐line, consider the cost and

select equipment that matches opera/onal requirements Diagnos/c Tes/ng

•  Frequency •  Response to detected fault •  What credit can be claimed (e.g. par:al; stroke tes:ng)


Safety Integrity Level

SIL 4

SIL 3

SIL 2

SIL 1

Probability of Failure on Demand

0.001% to 0.01%

0.01% to 0.1%

0.1% to 1%

1% to 10%

Risk Reduc#on Factor

100,000 to 10,000

10,000 to 1,000

1,000 to 100

100 to 10

Safety

> 99.99%

99.9% to 99.99%

99% to 99.9%

90% to 99%

Different SIL levels

RISK is “the likelihood of a specified undesired event occurring within a specified period or in specified circumstances.”

RISK = Likelihood x consequence

Consequence

minor serious extensive

high

moderate

low

Likelihood

Minor consequence x low likelihood = low risk

Serious consequence x high likelihood = higher risk

How do we define RISK?

•  Injury / death to Personnel •  Environment damage and consequen/al clean up

costs •  Damage and loss of equipment / property •  Business interrup/on associated losses •  Legal liability, li/ga/on & “duty of care defence” •  Company image •  Lost market share

Consequence

minor serious extensive

high

moderate

low

Likelihood

Consequences of too much risk

Legal Moral

Financial

Make plant as safe as possible, disregard cost

Build the lowest cost plant and keep opera/ng budget as small as possible

Comply with regula/on as wriren, regardless of cost or level of risk

§  Moral, Legal and financial responsibility to limit risk

§  In some countries, the law mandates tolerable risk levels

§ Mee/ng workplace safety requirements as minimum

What is “tolerable risk”

Tolerable risk varies between operators

Unacceptable Risk Region Li

kelih

ood

Consequence

Inherent Process Risk

Tolerable Risk Region

How can we reduce risk to tolerable level ?

Likelih

ood

Consequence


Ac#ve Protec#on e.g. PRV


Unacceptable Risk Region Tolerable Risk

Region

Likelih

ood

Consequence



Passive Protec#on e.g. Containment Dyke



Region

Likelih

ood

Consequence



SIS Applied




Region

Likelih

ood

Consequence



SIS Applied

SIL 1

SIL 2

SIL 3




Region

LT -‐ 101

V -‐ 101

LIC 101

LT -‐ 102

SV IAS

LV -‐ 101 XV -‐ 101

Product Separator

Vote 1oo1

Typical SIL 1 SIF (min req’d for safety)

LT -‐ 101

V -‐ 101

LIC 101

LAL

SV IAS

Vote 2oo2

LV -‐ 101 XV -‐ 101

Product Separator

LAL

LT -‐ 102

LT -‐ 103

Typical SIL 1 SIF (safety + higher availability)

LT -‐ 101

V -‐ 101

LIC 101

LAL

SV IAS

Vote 1oo2

SV IAS

LV -‐ 101 XV -‐ 101 XV -‐ 102

Product Separator

Overhead to Vapor

Recovery

LAL

LT -‐ 102

LT -‐ 103

Typical SIL 2 SIF (min req’d for safety)

LT -‐ 101

V -‐ 101

LIC 101

LAL

IAS

Vote 2oo3

LV -‐ 101 XV -‐ 101 XV -‐ 102

Product Separator

Overhead to Vapor

Recovery

LAL

LT -‐ 102

LT -‐ 103

LT -‐ 104

2oo2 SOV 2oo2

SOV IAS

Typical SIL 2 SIF (safety + higher availability)

Select Architecture / Vo/ng §  Select degree of fault tolerance required for Safety §  Select degree of fault tolerance for plant availability §  Apply required redundancy to BOTH field devices and logic solver §  Iden/fy poten/al common-‐cause failures that could defeat redundant architecture

§  Don’t assume any given voting architecture automatically delivers required SIL


sven grone functional safety whos safe

Documents