Products Solutions Services
Functional Safety in the Process Industry
Safety Instrumented Systems (SIS) in the Process Industry
Agenda:
• Definition of “Risk”
• Risk assessment and risk reduction by SIS
• Safety Integrity Level (SIL)
• Design of Safety Instrumented Systems
• Safety parameters and SIL determination
• Structure of Safety Instrumented Systems
• Functional proof testing
• Seals
BP AMOCO Refinery Explosion, Texas City, March 2005
Reasons:
- safety systems ignored during the maintenance process
- inappropriate design of safety systems
- uncontrolled release of fuel from a vent stack
- inappropriate behavior of workers trying to start and remove a truck
- control room with many workers located close to the distillation column
Safety culture!
Consequences:
- 15 people KILLED
- 180 INJURED
- estimated costs US$1,000,000,000
Elk River Spill West Virginia January 2014
• Chemical Spill contaminates water supply for 300,000
What is “Risk” ?
• Risk = Probability (P) of event occurrence × Damage (D)
• Tolerable risk = the maximum risk that is acceptable according to moral concepts (VDE 2180)
• Risk reduction: reduction of the initial risk below the tolerable risk by organizational, constructional or protection measures (e.g. Safety Instrumented Systems)
• Concept of functional safety: risk analysis → quantification of the risk → quantification of the required safety level of the protection measures → Safety Integrity Level (SIL)
Tolerable Risk ?
Role of US regulations
Regulations enforced by the government
• OSHA/EPA will increase site inspections.
• Fines will increase.
• Some violations may be treated more severely.
Engaging customers on instrumentation related safety
Status - Executive Order (EO) 13650 Improving Chemical Facility Safety and Security
• Issued by President Obama Aug 1, 2013 in response to recent catastrophic chemical facility incidents.
• Chemical Facility Safety and Security Working Group (EPA, DOL, DHS) formed to oversee the effort to “modernize” policies, regulations and standards and to work with stakeholders to identify best practices that reduce safety and security risks in the production and storage of potentially harmful chemicals.
• In May 2014, the group released a document, “Actions to Improve Chemical Facility Safety and Security - A Shared Commitment”.
• Modernizing OSHA’s Process Safety Management (PSM) standard and EPA’s Risk Management Program (RMP) regulation.
IEC 61508 & IEC 61511: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
• IEC 61508 (7 parts): manufacturers & suppliers of devices
• IEC 61511 (3 parts): Safety Instrumented Systems, for designers, integrators & users
• American standard: ANSI/ISA 84.01
Manufacturer → User
Layers of protection (from the normal process value outward):
Prevent:
• Process control layer: Basic Process Control System (BPCS), process alarm, operator intervention, trip level alarm, process shutdown
• Safety layer: Safety Instrumented System (SIS), Emergency Shut Down
• Active protection layer: relief valve, rupture disk
Mitigate:
• Passive protection layer: containment, dike/vessel
• Emergency response layer: plant and emergency response
What is a SIF (Safety Instrumented Function)?
IEC 61511 defines a Safety Instrumented System (SIS) as an:
“Instrumented system used to implement one or more safety instrumented functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).”
Process control: keep the process running. SIS: stop the process (shutdown).
SIS Loop
Sensor → Logic solver → Final control element, each SIL certified.
• Sensor and logic solver: more diagnostics, redundant hardware
• Final control element: how to get diagnostics from a mechanical device?
Reducing Risk in Final Elements
Sensor → Logic solver → Final control element
Redundant devices reduce the risk of the safety function not being executed, e.g. 1oo2 (1 out of 2).
Architecture comparison by cost, maintenance, PFDavg and RRF for 1oo1, 1oo2 and 1oo1D (the cell values are not present in the extracted slide).
Hazard and Risk Assessment of a Process
Risk graph: starting from the risk analysis, the parameters C (extent of damage), F (exposure time) and P (hazard avoidance) select a branch, and the column W1/W2/W3 (occurrence probability) gives the required level: “-” (no requirement), “a” (no special requirements), SIL1 to SIL4, or “b” (a single system is not sufficient). [Risk graph matrix not recoverable from the extracted slide.]
Risk parameters:
W - occurrence probability: W1: very low probability, < 0.03/year; W2: low probability, < 0.3/year; W3: relatively high probability, > 0.3/year
C - extent of damage: C1: slight injury; C2: severe irreversible injury to one or more persons, or death of a person; C3: death of several persons; C4: catastrophic consequences, multiple deaths
F - exposure time: F1: seldom to relatively frequent; F2: frequent to continuous
P - hazard avoidance: P1: possible under certain conditions; P2: hardly possible
Contributors to SIF Integrity (SIF = Safety Instrumented Function)
Source: Exida
Reducing Risk
• SIS loops reduce the risk of a hazardous condition by reducing the Probability of Failure on Demand (PFD).
SIL   PFD (average)       RRF (risk reduction factor)
4     10^-5 to 10^-4      100,000 to 10,000
3     10^-4 to 10^-3      10,000 to 1,000
2     10^-3 to 10^-2      1,000 to 100
1     10^-2 to 10^-1      100 to 10
Failure Mode Effect and Diagnostics Analysis (FMEDA)
Probability of failure modes:
• Safe faults: detected λsd, undetected λsu
• Dangerous faults: detected λdd, undetected λdu
λtot = λsu + λsd + λdu + λdd (+ λ not relevant); MTBF = 1/λtot
Preconditions:
- determine the safety path (e.g. 4…20 mA output)
- determine the accuracy under fault condition (e.g. ± 2 %)
Failure modes: dangerous faults, safe faults, undetected faults, detected faults
Results: PFD, PFH
Proof Testing
• Partial proof testing returns the PFD (Probability of Failure on Demand) to a percentage of the original.
• A full proof test returns the PFD to almost 100 % of the original; because of time in service, reaching 100 % is not attainable.
• The percentage of recovery is based on the test's ability to exercise dangerous undetected faults.
API2350
• API (American Petrochemical Institute) recommended practice 2350 states:
“The High-High level overfill prevention switch must be tested without raising the level to a dangerously high condition”
Proof Testing: All Technologies Are Not Created Equal
• High-High level overfill
• A tuning fork tested in a bucket of material is a valid full proof test.
• A capacitance switch tested in a bucket of material is NOT a valid full proof test.
Why not?
Probability of a failure on demand - PFD
PFD ≈ λdu · t (for λ · t << 1)
Ti = proof test interval; PTC = proof test coverage (here 92 %)
[Plot: PFD versus operation time t (2 to 12 years) with SIL 1, SIL 2 and SIL 3 bands; full proof test at Ti = 3 years.]
Partial proof testing (PTC < 98 %)
PFDavg ≈ ½ · λdu · Ti · PTC + ½ · λdu · LT · (1 - PTC)
PTC = proof test coverage (1 = 98 %); Ti = test interval; LT = lifetime
[Plot: PFD versus operation time t (2 to 12 years) with SIL 1, SIL 2 and SIL 3 bands; partial proof testing at interval Ti, full proof test at 12 years.]
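The FMEDA sums and the partial-proof-test PFD formula from the slides above, worked through in Python as an added example (not code from the slides or from Endress+Hauser); λdu, the 12-year lifetime and the test intervals are constructed sample values, and the SIL bands are the PFD table given earlier on this page.

```python
"""SIL / PFD arithmetic for a level switch (added example, constructed values).
All failure rates are per year, so MTBF comes out in years."""

# SIL bands from the PFD/RRF table: (SIL, lower PFD bound, upper PFD bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def fmeda_totals(lambda_sd, lambda_su, lambda_dd, lambda_du):
    """lambda_tot = lambda_su + lambda_sd + lambda_du + lambda_dd; MTBF = 1/lambda_tot."""
    lambda_tot = lambda_sd + lambda_su + lambda_dd + lambda_du
    return lambda_tot, 1.0 / lambda_tot


def pfd_avg(lambda_du, ti_years, lt_years, ptc):
    """PFDavg ~ 1/2*lambda_du*Ti*PTC + 1/2*lambda_du*LT*(1-PTC).
    ptc=1.0 models a full proof test; the (1-PTC) share of dangerous
    undetected faults is only cleared at the end of the lifetime LT."""
    return 0.5 * lambda_du * ti_years * ptc + 0.5 * lambda_du * lt_years * (1.0 - ptc)


def sil_from_pfd(pfd):
    """SIL band (1..4) the PFD falls into, or 0 if it is worse than SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def evaluate(lambda_du, ti_years, lt_years, ptc):
    """Return (PFDavg, SIL, RRF) for one proof-test strategy."""
    pfd = pfd_avg(lambda_du, ti_years, lt_years, ptc)
    return pfd, sil_from_pfd(pfd), 1.0 / pfd


if __name__ == "__main__":
    lam_du = 2e-4   # constructed dangerous-undetected rate, 1/year
    lifetime = 12   # years, as in the 12-year lifetime on the slides
    strategies = [("full wet test every 3 years", 3, 1.0),
                  ("in-situ simulation every year", 1, 0.92),
                  ("full wet test every 12 years", 12, 1.0)]
    for label, ti, ptc in strategies:
        pfd, sil, rrf = evaluate(lam_du, ti, lifetime, ptc)
        print(f"{label:30s} PFDavg={pfd:.2e}  SIL {sil}  RRF={rrf:,.0f}")
```

With these constructed numbers the yearly in-situ test (92 % coverage) keeps the loop in the SIL 3 band, while stretching the full wet test to 12 years drops it to SIL 2.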
In-Situ Testing: What is the value of in-situ testing in dollars?
• A full proof test that removes the switch from the process for testing means:
• Process downtime - lost production: 10 hours at $10,000 per hour ($100,000)
• Maintenance resource time: $1,500
• $101,500 per year × 12 years = $1,218,000 lifetime
• Multiplied by the number of overfill switches in the facility
In-Situ Testing
Other considerations:
• possible damage to the sensor
• re-installed incorrectly
• exposure of personnel and the environment to the process
• disposal of process material
Full “SIL capable” certified measurement family
• Temperature, pressure, flow, level, and analytical
• Reducing risk - systematic management of the instrument development process and lifecycle according to IEC 61508
• Reducing costs - in-situ partial proof testing to reduce the full inspection proof testing requirement
Example 1 - Level switch
Liquiphant M FTL 50/51, Liquiphant S FTL 70/71, Liquiphant S FTL 80/81/85 + FTL 825 Fail Safe
Self-diagnostics Liquiphant M/S (FEL 51… 57)
• Continuous monitoring of the vibration frequency
• Reliable alarm function with each electronic insert!
[Plot: vibration frequency f [Hz] (400 to 1500 Hz) versus submersion depth of the fork [mm]; fa = vibration frequency in air ≈ 1 kHz; normal operation between fa - 15 % (switch point at ca. 850 Hz) and fa + 6.5 %; outside that band the alarm regions: sensor alarm, 0.4 s delayed, and corrosion alarm, 60 s delayed.]
The Liquiphant Family - SIL capable (SIL3 MAX)
• Liquiphant M FTL50/51 and Liquiphant S FTL70/71 with electronic insert FEL51 (2-wire AC), FEL52 (3-wire DC-PNP), FEL54 (AC/DC DPDT) or FEL55 (8/16 mA). Periodic proof testing: wet testing or test in reference tank.
• Liquiphant M FTL50/51 / Liquiphant S FTL70/71 + FEL 57 + FTL3x5 P (PFM, FTL 325P): SIL2 MIN/MAX. Periodic proof testing: test generator (push-button).
• Liquiphant M FTL50/51 / Liquiphant S FTL70/71 + FEL 56/58 + FTL325N (NAMUR, FTL 325N). Periodic proof testing: wet testing, test in reference tank, or alarm simulation (push-button).
• Liquiphant S FailSafe FTL8x (FTL 80/81/85) + Nivotester FTL825: SIL 3 MIN/MAX. Periodic proof testing: continuous self-diagnostic, test generator (push-button), proof test interval ≤ 12 years!
Liquiphant FailSafe FTL 80/81/85 + Nivotester FTL 825
Signal: 4..20 mA + LIVE-Signal (SIL3 MIN/MAX), to the Nivotester FTL825 or optionally directly to an (S)SPS (safety PLC)
Safety function:
• SIL 3 capable with a single device
• min/max safety function
• 2 safety relay outputs (FTL 825)
• proof test generator with push-button
• proof test interval ≤ 12 years!
LIVE-Signal: permanent dynamic LIVE-Signal modulated onto the current signal (status good ≠ demand)
• Additional diagnostic coverage of 90 % of the remaining dangerous failures of the downstream devices (Nivotester, PLC), e.g. diagnostics of stuck-at failure, system error
• Positive identification of the Liquiphant FailSafe sensor
• Transmission of sensor status “good”
• Monitoring and visualization via LED integrated in the Nivotester FTL825
• Interpretation in the PLC possible
[Figure: output current I [mA] from 1 to 24 mA with the LIVE-Signal (0.25 Hz / ±0.5 mA, 4 s period) superimposed; current bands for the states MIN / uncovered, MAX / covered, sensor alarm, short circuit, cable breakage, MAX / uncovered, MIN / covered; status “good” versus status “demand (covered/uncovered)”.]
Total proof test coverage (DC+PTC) according to IEC 61508
Total coverage (DC+PTC)         FTL80/81/85 + FTL825                                  FTL 80/81/85 + SSPS
Wet test                        99 % (Procedure IA MAX/MIN)                           99 % (Procedure IIA MAX/MIN)
Simulation (in-situ testing!)   98 % (Procedure IB) (test button: FEL85 or FTL825)    95 % (Procedure IIB MAX/MIN) (test button: FEL85)
Example 2 - Level Continuous
Levelflex FMP 4x, FMP 5x; Micropilot M/S FMR xxx
Levelflex FMP 5x
Safety function:
• Level of liquid or bulk solid material (4..20 mA)
• Interface between 2 liquids (4..20 mA)
• Min, max, range
• SIL 2 (1oo1), SIL 3 (1oo2)
Proof test procedures (test criterion: trip level ± 2 %):
a) Wet testing in the application/reference tank (PTC ≈ 98 %, Ti = 3 years)
b) In-situ level simulation (PTC ≈ 92 %, Ti = 1 year) (no process shutdown required!)
Micropilot FMR 5x
Safety function:
• Level of liquid or bulk solid material (4..20 mA)
• Min, max, range
• SIL 2/3
• LDM, HDM
Proof test procedures (test criterion: trip level ± 2 %):
a) Wet testing in the application/reference tank (PTC ≈ 98 %, Ti = 3 years)
b) In-situ level simulation (PTC ≈ 92 %, Ti = 1 year) (no process shutdown required!)
Functional Safety - Related documentation
The Functional Safety Manual (Safety Manual: www.endress.com/SIL Engine) includes:
- manufacturer declaration
- fundamental safety parameters
- assessment report
- application information
- parameter settings
Contents:
• Set-up of the safety system
• Description of the safety function
• Safety parameters
• Ambient conditions, tolerance, restrictions
• Behavior under normal and fault operation
• Installation and commissioning
• Parameterization
• Functional proof test
• Maintenance and repair
SIL approval - who may issue it? Who is authorised to qualify the functional safety? IEC 61508 recommendation:
SIL     Minimum degree of independence
SIL 1   Independent person
SIL 2   Independent department
SIL 3   Independent organisation
SIL 4   Independent organisation
SIL approvals:
• SIL Declaration of Conformity (manufacturer)
• SIL Certificate (approval body, e.g. TÜV, Exida)
Thank you very much for attending.