Sven Gröne – Functional Safety – Who's Safe?
TRANSCRIPT
ACI CONNECT 2014 – Principles of Functional Safety – Are you Safe? Sven Gröne – TÜV FS Engineer ID: 973/07, Safety Services Practice Director APAC & ME
Agenda
§ What is Functional Safety
§ Why do we need Functional Safety
§ Relevant Functional Safety Standards
§ What is SIS, SIF, SIL?
§ How is a SIS different from DCS (BPCS)
§ Classifying Risk
§ Practical Implementation Considerations
§ Examples of SIF Loop Design
Functional Safety Acronyms
SIS – Safety Instrumented System
SIF – Safety Instrumented Function
SIL – Safety Integrity Level
PFD – Probability of Failure on Demand
PHA – Process Hazard Analysis
LOPA – Layer Of Protection Analysis
SRS – Safety Requirement Specification
PES – Programmable Electronic System
BPCS – Basic Process Control System
Functional Safety Applications
ESD – Emergency Shutdown System
PSD – Process Shutdown System
F&G – Fire & Gas Detection System
BMS – Burner Management System
TMC – Turbomachinery Control
BSS – Boiler Safety System
HIPPS – High Integrity Pressure Protection System
What is Functional Safety
Definition from IEC Website: Functional Safety is:
1. Freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.
2. Part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.
3. The detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising, or providing mitigation to reduce the consequence of the hazardous event.
What is Functional Safety
From IEC Website:
• Functional safety is a concept applicable across all industry sectors that is fundamental to enabling the use of complex technology for safety-related systems.
• It provides the assurance that the safety-related systems will offer the necessary risk reduction required to achieve safety for the equipment.
• The oil and gas industry, chemical, mining, nuclear plants, plastics, pulp & paper and many others all rely heavily on functional safety to achieve overall safety for their operations.
What is Functional Safety
• Functional safety relies on active systems. For example:
  • The detection of smoke by sensors and the ensuing intelligent activation of a fire suppression system
  • The activation of a level switch in a tank containing a flammable liquid, when a potentially dangerous level has been reached, which causes a valve to be closed to prevent further liquid entering the tank and thereby preventing the liquid in the tank from overflowing.
• Safety achieved by passive systems is not classed as functional safety. For example:
  • A fire resistant door or insulation to withstand high temperatures. These are passive measures, and while they can protect against the same hazards as functional safety concepts, they are not instances of functional safety.
Why do we need Functional Safety
[Chart: Incident Rates against Time, 1980's through 2010's. Successive improvement eras are labelled Facilities & Engineering, Management Systems and Human Factors. The Personnel Safety curve reaches a plateau; the Process Safety curve shows major losses not trending down as rapidly.]
"A reduction in less serious injuries does not necessarily correspond to a proportionate reduction in serious incidents and fatalities" – Thomas Krause Ph.D (Behavioural Science Technology Inc.)
Why do we need Functional Safety
Analysis of 34 incidents, based on 56 causes identified (2nd edition, source: © Health & Safety Executive HSE – UK):
44% Specifications
20% Changes after commissioning
15% Operations and maintenance
6% Installation and commissioning
15% Design and implementation
Why do we need Functional Safety
PLC & Field Instrumentation
Why do we need Functional Safety
• Humans are fallible... we make mistakes
• Having a good LTI and PPE compliance record does not mean the plant is safe
• Process industries and the automation technology they employ are complex
• Designers can't imagine (and mitigate) every possible hazard scenario, both at day one and 20+ years after start-up
• Management needs to be aware of safety, and treat it as an "operational integrity" issue – not a burden, or barrier to profits
• Increasing cost of safety incidents
Why do we need Functional Safety
Benefits of Functional Safety
• Protect corporate reputation
• Maximize business continuity
• Minimize business interruption
• Minimize downtime
• Minimize cost of an incident / damages
• Minimize investment and lifecycle costs
• Maximize production
• Maximize Return On Assets
• Maximize Overall Equipment Effectiveness
$afety Pays
Functional Safety Lifecycle – IEC 61508
Analysis Phase
1 Concept
2 Overall Scope Definition
3 Hazard & Risk Analysis
4 Overall Safety Requirements
5 Safety Requirements Allocation
Overall Planning: 6 Overall Operation & Maintenance Planning; 7 Overall Validation Planning; 8 Overall Installation & Commissioning Planning
Realisation Phase
9 Safety-related systems: E/E/PES Realisation [see E/E/PES Safety Lifecycle]
10 Safety-related systems: Other Technology Realisation
11 External Risk Reduction Facilities Realisation
Operation Phase
12 Overall Installation & Commissioning
13 Overall Safety Validation
14 Overall Operation & Maintenance
15 Overall Modification & Retrofit (back to appropriate Overall Safety Lifecycle Phase)
16 Decommissioning
Evolving Standards
• IEC 61508 is an "umbrella standard" for functional safety across all industries
• Each industry then uses IEC 61508 as a guide to develop industry specific standards
[Timeline: IEC 61508 released 1997, updated 2010; IEC 61511 released 2004, updated 201x]
Functional Safety Lifecycle – IEC 61511
Analysis Phase
1 Risk Analysis and Protection Layer Design (Subclause 8)
2 Allocation of Safety Functions to Protection Layers (Subclause 9)
3 Safety Requirements Specification for the Safety Instrumented System (Subclause 10)
Realisation Phase
4 Design and Engineering of Safety Instrumented System (Subclause 11)
Design and Development of Other Means of Risk Reduction (Subclause 9)
Operation Phase
5 Installation, Commissioning and Validation (Subclause 14)
6 Operation and Maintenance (Subclause 15)
7 Modification (Subclause 15.4)
8 Decommissioning (Subclause 16)
Activities spanning all phases: Management of Functional Safety and Functional Safety Assessment (Clause 5); Safety Lifecycle Structure and Planning (Subclause 6.2); Verification (Subclause 7, 12.7)
Safety Lifecycle – simple view
Conceptual Process Design
Process Hazards Analysis
SIF Definition
SIL Selection
Conceptual Design
SIL Verification
Design Specifications
Construction, Installation, And Commissioning
PSAT
Operation, Maintenance and Testing
Procedure Development
Management of Change
Running alongside every step: Lifecycle planning process; Lifecycle Management & Assessment; Lifecycle verification & validation
Which standard do I use?
Standards Compliance
• Compliance to functional safety standards is not legislated
• Compliance is considered "best engineering practice"
• Standards are often referenced by regulations – in which case compliance is legislated
• Regulations referencing IEC standards include:
  • AS 3814 for Type B gas appliances
  • AS 1375 (Draft) for suspended fuel fired devices
  • NFPA 85/86 Boiler & combustion systems
  • FM AS 7605 – PLC Based Burner Management
Independent Layers of Protection (IPL) – SIS is an IPL
[Figure: Process value against time. Normal behaviour sits between the Low level and the High level; a wild process parameter passes the High level alarm and reaches the Trip level alarm, at which point the Emergency Shut Down action returns the process to a safe state.]
Prevention vs. mitigation (IPL)
[Figure: onion diagram of protection layers, inner layers for PREVENTION, outer layers for MITIGATION: Plant Design; Process control layer (Basic Process Control System); Process control layer (Operator Intervention); Isolated protection layer (Safety Instrumented System); Active protection layer (Relief valve, Rupture disk); Passive protection layer (Dike); Emergency response layer (Plant and/or Emergency Response).]
Why we need to manage IPL
[Figure: Design Integrity at day one versus Operational Integrity + 20 years. Over TIME, VISIBILITY of the hazard falls and COMPLACENCY grows; a GAP opens in the protection between Hazard and Harm.]
...Yukiya Amano, the head of the International Atomic Energy Agency, told the Financial Times in an interview that complacency "is the enemy of nuclear safety".
What is a SIS?
Formal Definition:
• SIS – "instrumented system used to implement one or more safety instrumented functions (SIF). A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s)" (IEC 61511)
Informal Definition:
§ Instrumented Control System that detects "out of control" conditions and automatically returns the process to a safe state – "Last Line of Defense"
§ Not basic process control system (BPCS)
What makes up a SIS?
[Figure: a SIS loop. Sensor(s) (Transmitter) on the Process → Input → Logic solver(s) (SIS Logic Processor) → Output → Final Element(s) (Safety valve, SV, IAS) acting on the Process.]
How is a SIS different from the BPCS?
[Figure: one process with two independent loops. BPCS: PT101 → PIC101 → PV101. SIS: PT102 → USC102 → UV102.]
What is special about a "safety" PLC?
§ Standard PLC/BPCS has unknown failure modes – we don't know how it will fail before it fails
§ Safety PLC is guaranteed to fail safely to within a certified probability (SIL 1, 2 or 3) – very high level of auto test & internal diagnostics
§ Safety PLC is certified by a 3rd party to international standards IEC 61508, IEC 61511 – TÜV
§ Certification includes the certificate, the report to the certificate AND operational requirements/restrictions
§ Safety PLC must be configured by a person with appropriate safety competency (i.e. training, experience or certification)
Practical considerations – Select Technology
§ Check device Failure Rate
§ Check certifications (TÜV) for use in SIS applications
§ Read Safety Manual for Certified Equipment Restrictions
www.tuv-fs.com
What is a SIF?
Formal Definition:
• SIF – "function to be implemented by a SIS which is intended to automatically achieve or maintain a safe state for the process with respect to a specific hazardous event." (IEC 61511)
Informal Definition:
• Independent safety loop or interlock that automatically brings the process to a safe state in response to specific initiating events
[Figure: one process with two independent loops. BPCS: PT101 → PIC101 → PV101. SIS: PT102 → USC102 → UV102.]
SIF vs. SIS?
[Figure: one SIS containing SIF #1 and SIF #2. Each SIF runs from its own Sensors through the Logic Solver to its own Final elements.]
What is SIL?
Informal Definition:
SIL – the Safety Integrity Level of a specific Safety Instrumented Function (SIF) which is being implemented by a Safety Instrumented System (SIS)
OR
The amount of risk reduction achieved by a specific Safety Instrumented Function (SIF)
Safety Integrity Level: SIL 4, SIL 3, SIL 2, SIL 1
SIL expressed as a "probability"
PFDavg = λDU × TI / 2
PFD: Probability of Failure on Demand
λDU: Dangerous Undetected Failure rate
TI: Test Interval (proof)
[Figure: PFD(t) against time, with the SIL 1 to SIL 4 bands. PFD(t) climbs during each test interval and is reset by the proof test; the average of this sawtooth over the test interval is PFDavg.]
Practical considerations
Functional Proof Tests
• Frequency
• Online or during Shutdown
• Full Functional Test or Partial Test
• Full proof test may require plant off-line; consider the cost and select equipment that matches operational requirements
Diagnostic Testing
• Frequency
• Response to detected fault
• What credit can be claimed (e.g. partial stroke testing)
Different SIL levels
Safety Integrity Level   Probability of Failure on Demand   Risk Reduction Factor   Safety
SIL 4                    0.001% to 0.01%                    100,000 to 10,000       > 99.99%
SIL 3                    0.01% to 0.1%                      10,000 to 1,000         99.9% to 99.99%
SIL 2                    0.1% to 1%                         1,000 to 100            99% to 99.9%
SIL 1                    1% to 10%                          100 to 10               90% to 99%
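As an added worked example (not part of the presentation), the PFDavg formula and the SIL table put into Python: compute PFDavg for a single channel from λDU and the proof-test interval, read off the SIL band and risk reduction factor, and invert the formula to find the longest proof-test interval that keeps a channel inside a target band. The failure rate and test intervals are constructed values, and the treatment of band edges (lower bound inclusive, upper exclusive) is an assumption of this example.

```python
"""Added example: PFDavg = lambda_DU * TI / 2 and the SIL bands of the table.

Not from the original presentation. Band boundaries follow the table
(SIL 1: 1e-2 to 1e-1, SIL 2: 1e-3 to 1e-2, SIL 3: 1e-4 to 1e-3,
SIL 4: 1e-5 to 1e-4); lower bound inclusive, upper bound exclusive,
which is an assumption of this example.
"""

# (sil, lower bound inclusive, upper bound exclusive), from the table above
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def pfd_avg(lambda_du_per_hour: float, test_interval_hours: float) -> float:
    """Average PFD of a single (1oo1) channel: lambda_DU * TI / 2."""
    if lambda_du_per_hour < 0 or test_interval_hours <= 0:
        raise ValueError("failure rate must be >= 0 and test interval > 0")
    return lambda_du_per_hour * test_interval_hours / 2.0


def risk_reduction_factor(pfd: float) -> float:
    """RRF is the reciprocal of PFDavg (third column of the table)."""
    return 1.0 / pfd


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg to its SIL band. 0 means the loop does not reach SIL 1.
    A PFD below 1e-5 is reported as 4: the table defines no higher level."""
    if pfd < 1e-5:
        return 4
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return 0


def max_test_interval_hours(lambda_du_per_hour: float, target_sil: int) -> float:
    """Longest proof-test interval keeping a 1oo1 channel inside the target
    band: invert PFDavg = lambda_DU * TI / 2 at the band's upper PFD bound."""
    upper = {sil: upper for sil, _, upper in SIL_BANDS}[target_sil]
    return 2.0 * upper / lambda_du_per_hour


if __name__ == "__main__":
    # Constructed values: lambda_DU = 1e-6 /h (1000 FIT), annual proof test.
    lam, annual = 1e-6, 8760.0
    for ti in (annual, 5 * annual):
        p = pfd_avg(lam, ti)
        print(f"TI={ti:>8.0f} h  PFDavg={p:.2e}  RRF={risk_reduction_factor(p):.0f}  SIL {sil_from_pfd(p)}")
    print(f"Longest TI that keeps this channel in SIL 2: {max_test_interval_hours(lam, 2):.0f} h")
```

Stretching the proof-test interval from one year to five moves the same hardware from the SIL 2 band to the SIL 1 band, which is the practical point behind the "Frequency" bullet under Functional Proof Tests: the test interval is as much a part of the SIL claim as the device failure rate.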
How do we define RISK?
RISK is "the likelihood of a specified undesired event occurring within a specified period or in specified circumstances."
RISK = Likelihood x Consequence
[Risk matrix: Consequence (minor, serious, extensive) across; Likelihood (low, moderate, high) down.]
Minor consequence x low likelihood = low risk
Serious consequence x high likelihood = higher risk
Consequences of too much risk
• Injury / death to Personnel
• Environment damage and consequential clean up costs
• Damage and loss of equipment / property
• Business interruption associated losses
• Legal liability, litigation & "duty of care defence"
• Company image
• Lost market share
[Risk matrix: Consequence (minor, serious, extensive) across; Likelihood (low, moderate, high) down.]
What is "tolerable risk"
[Figure: the Legal, Moral and Financial pressures on risk, pulling between three extremes: make plant as safe as possible, disregard cost; build the lowest cost plant and keep operating budget as small as possible; comply with regulation as written, regardless of cost or level of risk.]
§ Moral, Legal and financial responsibility to limit risk
§ In some countries, the law mandates tolerable risk levels
§ Meeting workplace safety requirements as minimum
Tolerable risk varies between operators
How can we reduce risk to tolerable level?
[Sequence of figures on a Likelihood versus Consequence plot, divided into an Unacceptable Risk Region and a Tolerable Risk Region:
1. The Inherent Process Risk sits in the Unacceptable Risk Region.
2. Active Protection (e.g. PRV) is added, moving the risk towards the Tolerable Risk Region.
3. Passive Protection (e.g. Containment Dyke) is added.
4. A SIS is applied to close the remaining gap into the Tolerable Risk Region.
5. The SIL of the applied SIS (SIL 1, SIL 2 or SIL 3) is chosen according to how much further risk reduction is needed.]
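An added example, not from the presentation, that puts numbers to the sequence of figures above in the manner of a LOPA: start from an inherent (unmitigated) event frequency, credit each independent protection layer by its PFD, and compute the PFD the SIS must deliver to reach a tolerable frequency, then read the SIL band off the SIL table. All frequencies, PFDs and layer names are constructed values, and treating risk as an annual event frequency with independent multiplicative layers is an assumption of this example.

```python
"""Added example (not from the presentation): required SIL from the gap
between mitigated and tolerable risk, in the style of a LOPA.

Assumptions: risk is measured as event frequency per year (the likelihood
axis of the figures); each IPL is independent and reduces the frequency
by its PFD; SIL bands follow the SIL table (lower bound inclusive).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    pfd: float  # probability that the layer fails when demanded


def mitigated_frequency(inherent_per_year: float, layers) -> float:
    """Frequency left after every listed IPL has been credited."""
    f = inherent_per_year
    for layer in layers:
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"{layer.name}: PFD must be in (0, 1]")
        f *= layer.pfd
    return f


def sil_for_required_pfd(required_pfd: float) -> int:
    """SIL band in which the required PFDavg falls (bands from the table).
    0: no SIF needed; -1: beyond SIL 4, redesign the process rather than
    rely on a single SIF for that much risk reduction."""
    if required_pfd >= 1e-1:
        return 0
    if required_pfd < 1e-5:
        return -1
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if required_pfd >= lower:
            return sil
    return -1


def required_sif(inherent_per_year: float, layers, tolerable_per_year: float):
    """Return (maximum PFDavg the SIS may have, SIL band) so that the
    mitigated frequency comes down to the tolerable frequency."""
    f_mitigated = mitigated_frequency(inherent_per_year, layers)
    if f_mitigated <= tolerable_per_year:
        return 1.0, 0  # existing layers already reach the tolerable region
    required_pfd = tolerable_per_year / f_mitigated
    return required_pfd, sil_for_required_pfd(required_pfd)


if __name__ == "__main__":
    # Constructed values following the figures: inherent risk, then PRV,
    # then containment dyke, then the SIS closes the remaining gap.
    prv = ProtectionLayer("Active protection: PRV", 1e-2)
    dyke = ProtectionLayer("Passive protection: containment dyke", 1e-1)
    inherent, tolerable = 0.5, 1e-5  # events per year
    for layers in ([prv], [prv, dyke]):
        pfd, sil = required_sif(inherent, layers, tolerable)
        print([l.name for l in layers], f"-> SIS must give PFD <= {pfd:.1e}, SIL {sil}")
```

The specific PFD target (here 2e-2 once PRV and dyke are credited) belongs in the Safety Requirement Specification; the SIL band only tells the designer which set of architectural and systematic requirements the SIF must meet. Dropping a layer you cannot justify as independent (the dyke, say) pushes the same scenario from a SIL 1 to a SIL 2 requirement.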
Typical SIL 1 SIF (min req'd for safety)
[Figure: Product Separator V-101. BPCS level control loop: LT-101 → LIC 101 → LV-101. SIS: LT-102, Vote 1oo1 → XV-101 (SV, IAS).]
Typical SIL 1 SIF (safety + higher availability)
[Figure: Product Separator V-101. BPCS level control loop: LT-101 → LIC 101 → LV-101, with LAL. SIS: LT-102 and LT-103 with LAL, Vote 2oo2 → XV-101 (SV, IAS).]
Typical SIL 2 SIF (min req'd for safety)
[Figure: Product Separator V-101, Overhead to Vapor Recovery. BPCS level control loop: LT-101 → LIC 101 → LV-101, with LAL. SIS: LT-102 and LT-103 with LAL, Vote 1oo2 → XV-101 and XV-102, each with its own SV, IAS.]
Typical SIL 2 SIF (safety + higher availability)
[Figure: Product Separator V-101, Overhead to Vapor Recovery. BPCS level control loop: LT-101 → LIC 101 → LV-101, with LAL. SIS: LT-102, LT-103 and LT-104 with LAL, Vote 2oo3 → XV-101 and XV-102, each with 2oo2 SOV, IAS.]
Practical considerations – Select Architecture / Voting
§ Select degree of fault tolerance required for Safety
§ Select degree of fault tolerance for plant availability
§ Apply required redundancy to BOTH field devices and logic solver
§ Identify potential common-cause failures that could defeat redundant architecture
§ Don't assume any given voting architecture automatically delivers the required SIL
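An added example, not from the presentation, giving numbers to the last two bullets for the voting architectures used in the loop designs above (1oo1, 1oo2, 2oo2, 2oo3). It uses the simplified PFDavg expressions with a β-factor for common-cause failure: identical channels, dangerous undetected failures only, no repair time. Those simplifications, the β-factor model and the values of λDU, TI and β are assumptions of this example.

```python
"""Added example (not from the presentation): simplified PFDavg for
MooN voting groups with a beta-factor for common-cause failure.

Assumptions: identical channels, dangerous undetected failures only,
no repair time, so x = lambda_DU * TI is the unavailability one channel
accumulates over a proof-test interval. A fraction beta of lambda_DU is
treated as common to all channels (simplified beta-factor model).
"""


def pfd_voting(arch: str, lambda_du_per_hour: float, test_interval_hours: float,
               beta: float = 0.0) -> float:
    """PFDavg of a MooN sensor (or final-element) group over one proof-test interval."""
    if not 0.0 <= beta < 1.0:
        raise ValueError("beta must be in [0, 1)")
    x = lambda_du_per_hour * test_interval_hours   # per-channel lambda_DU * TI
    x_ind = (1.0 - beta) * x                       # independent part of each channel
    pfd_ccf = beta * x / 2.0                       # common-cause part, same for every voting scheme
    if arch == "1oo1":
        return x / 2.0                             # single channel, beta not applicable
    if arch == "1oo2":                             # trips if either channel trips: safer
        return x_ind ** 2 / 3.0 + pfd_ccf
    if arch == "2oo2":                             # both channels must trip: more available, less safe
        return x_ind + pfd_ccf
    if arch == "2oo3":                             # any two of three: safety and availability
        return x_ind ** 2 + pfd_ccf
    raise ValueError(f"unknown architecture {arch!r}")


def common_cause_floor(lambda_du_per_hour: float, test_interval_hours: float,
                       beta: float) -> float:
    """The beta * lambda_DU * TI / 2 term: adding more identical channels
    never brings PFDavg below it; only diversity, a shorter TI or a lower
    beta does."""
    return beta * lambda_du_per_hour * test_interval_hours / 2.0


if __name__ == "__main__":
    lam, ti = 1e-6, 8760.0   # constructed: 1000 FIT dangerous undetected, annual proof test
    for beta in (0.0, 0.1):
        row = "  ".join(f"{a}={pfd_voting(a, lam, ti, beta):.2e}"
                        for a in ("1oo1", "1oo2", "2oo2", "2oo3"))
        print(f"beta={beta:<4} {row}  floor={common_cause_floor(lam, ti, beta):.2e}")
```

With independent channels the 1oo2 group sits in the SIL 4 band of the table; with β = 0.1 the common-cause term alone is more than ten times larger than the whole independent contribution and the group drops into the SIL 3 band. That is why the architecture is selected only after the common-cause review, and why the SIL is verified for the loop as built rather than assumed from the voting scheme.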