Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts

Post on 12-Sep-2014


Transcript of Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts

Mike Boudreaux, DeltaV SIS Brand Manager

…and we have different levels of risk tolerance

Personal safety (occupational safety; measured by Total Recordables):

• Fall Prevention
• Personal Protective Equipment
• Structural Design
• Ergonomics
• Work Schedules

Common to personal safety and process safety:

• Employee Training
• Mechanical Integrity
• Management of Change
• Policies & Procedures

Process safety:

• Inherently Safer Design
• Functional Safety
• Risk Assessments
• Facility Siting
• Emergency Response
• Safety Audits

Bhopal, India, 1984

Chernobyl, Russia, 1986

Piper Alpha, UK, 1988

Texas City Refinery, USA, 2004

Why do accidents happen?

“You can have a very good accident rate for ‘hard hat’ accidents but not for process ones.”

“The fact that you’ve had 20 years without a catastrophic event is no guarantee that there won’t be one tomorrow.”


Functional safety (word cloud): IEC 61511, PFDavg, LOPA, RRF, SIS, HAZOP, SRS, PHA, IEC 61508, FMEDA, BPCS, SIL, SIF

IEC 61508: All Industries – for product designers and manufacturers

Sector standards – for system designers, integrators and users:

• IEC 61511: Process Industry Sector
• IEC 62061: Machinery Sector
• IEC 61513: Nuclear Sector

Source: http://www.wordle.net/show/wrdl/2276332/IEC_61511

BPCS

• Basic Process Control System
• Also: DCS, PAS
• PID control
• Discrete control
• Sequencing
• Batch automation
• Dynamic

BPCS loop: Transmitter → Controller (operator Workstation) → Control element

SIS loop: Transmitter → Logic solver → Final element

SIS

• Safety Instrumented System

• Emergency Shutdown (ESD)

• Burner Management System (BMS)

• Fire & Gas System (FGS)

ICSS (BPCS + SIS)

Safety function

SIF    | Process condition | What to do          | SIL
SIF #1 | High level        | Drive output 1      | 1
SIF #2 | High pressure     | Drive outputs 1 + 2 | 3

PHA
• Identify hazards
• Evaluate safeguards

SRS
• Define SIFs
• Define SIL for each SIF

Design
• Specify devices
• Design architecture

Verify
• Verify SIL meets SRS

PHA

HAZOP

What If?

Checklist

FMEA

Fault Tree

Event Tree

LOPA

SIL | General description
4   | Catastrophic community impact
3   | Employee & community impact
2   | Major property and production impact; possible injury to employee
1   | Minor property and production impact

PFD(SIF #1) = PFD(PT-101) + PFD(logic solver) + PFD(FV-101)

SIF #1: PT-101 (sensor) → Logic solver → FV-101 (final element)

SIL | PFDavg           | RRF
4   | ≥10^-5 to <10^-4 | >10,000 to ≤100,000
3   | ≥10^-4 to <10^-3 | >1,000 to ≤10,000
2   | ≥10^-3 to <10^-2 | >100 to ≤1,000
1   | ≥10^-2 to <10^-1 | >10 to ≤100

Source: IEC 61511-1, Table 3 – Safety Integrity Levels: probability of failure on demand

Functional safety (word cloud, repeated): IEC 61511, PFDavg, LOPA, RRF, SIS, HAZOP, SRS, PHA, IEC 61508, FMEDA, BPCS, SIL, SIF, TÜV

Safety Lifecycle Management

The IEC 61511 Safety lifecycle

Safety Lifecycle Management sits within Functional Safety Management, which sits within the Safety Management System.

Safety Management System:

• Organization and resources
• Risk evaluation and risk management
• Planning
• Implementation and Monitoring
• Assessment, auditing, and revisions
• Configuration Management

Safety Management System / Quality Management System:

• Organization and responsibilities
• Competency management
• Documentation structure and control
• Configuration management
• Supplier assessment process

Organization and Responsibilities

• Safety Leadership Team: responsible for functional safety policies and procedures, and for ensuring the policies and procedures are implemented by the organization
• Project Leadership: responsible for functional safety management on projects
• Safety Roles: competent personnel doing work on SIS

Competency Requirements (per Safety Role and Safety Activity):

• Mgmt. & leadership skills
• Experience
• Knowledge & training

Safety Management System activities:

• Verification: activity / phase
• Validation: installed and commissioned SIS
• Assessment: overall process risk
• Audit: procedures, policies and processes

Safety Management System – V-Model: Process Hazards Analysis → Safety Requirements Specification → activity / phase objectives, each stage verified against the one before it (Verify)

Source: IEC 61511-1, Figure 12 – Software development lifecycle (the V-Model)

Functional safety assessment confirms that:

• Hazard and risk assessment is carried out
• PHA recommendations are implemented
• Design change procedures are in place and implemented
• Recommendations from the previous assessment are resolved
• SIS is properly validated against the SRS
• Procedures are in place for the Operate phase
• Employees are trained
• Future assessment plans are in place

Safety Life-cycle Structure and Planning

Safety Lifecycle Planning – ensure safety through criteria, techniques, measures and procedures

Verification Planning

• Who? Responsible parties; levels of independence
• What? Verification activities; items to be verified; information to be verified against
• When? At which points verification will occur
• How? Procedures, measures, techniques to be used; non-conformance management; tools and supporting analysis

Safety life-cycle structure

Analysis Phase

Hazard and risk assessment

Allocation of safety functions to protection layers

Source: IEC 61511-3, Figure 4 – Risk and safety integrity concepts

Source: IEC 61511-3, Figure 2

Protection layers:

• Process control layer: BPCS, process alarm, operator intervention (prevent)
• Safety layer: SIS emergency shutdown system (prevent)
• Active protection layer: fire and gas system (mitigate)
• Passive protection layer: containment, dike/vessel (mitigate)
• Emergency response layer: plant and emergency response (mitigate)

Process value over time: normal behavior → process alarm (operator intervention) → trip level alarm (emergency shutdown) → incident if every layer fails

Risk regions: Unacceptable Risk Region, ALARP Risk Region, Negligible Risk Region

Risk diagram (axes: Consequence and Likelihood; arrow: Increasing Risk):

• Inherent Risk of Process (Baseline Risk)
• Non-SIS Preventative Safeguards
• Non-SIS Mitigating Safeguards
• SIS Risk Reduction (SIL 1, SIL 2, SIL 3)
• Overall Risk (what remains after all layers)

As low as reasonably practicable (ALARP)

• Intolerable Risk: above 10^-3 / man-year (worker), above 10^-4 / year (public)
• ALARP or Tolerable Risk Region
• Negligible Risk: below 10^-5 / man-year (worker), below 10^-6 / year (public)

Government mandates for tolerable risk levels

[Chart: individual risk per year on a log scale from 10^-2 to 10^-9, with the tolerable ranges for Australia (NSW), Hong Kong, Netherlands and United Kingdom]

The United States does not set tolerable risk levels, or offer guidelines.

Chemical industry benchmarks for tolerable risk

[Chart: same 10^-2 to 10^-9 scale, with the ranges used by Company I, Company II, Company III and small companies]

Large, multinational chemical companies tend to set levels consistent with international mandates.

Smaller companies tend to operate in wider ranges and, implicitly, at higher levels of risk.
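The slides describe the risk picture in words (baseline risk, non-SIS safeguards, a tolerable target such as 10^-4 per year for the public, SIS risk reduction) without showing the arithmetic. The following is an added example, not part of the Emerson presentation: a minimal LOPA calculation that turns an initiating-event frequency and the PFDs of the non-SIS layers into the risk reduction factor the SIS must provide, then maps that to a SIL band using the RRF bands of IEC 61511-1 Table 3. The scenario names, frequencies and IPL PFDs are constructed for illustration; the rule that an RRF between 1 and 10 is reported as "0" (reduction needed, but below the SIL 1 band) is this example's own convention.

```python
# Added example (not from the Emerson Exchange 2010 slides): minimal LOPA.
# Scenario numbers below are constructed, not real plant data.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Scenario:
    name: str
    initiating_freq: float                      # initiating event frequency, /yr
    non_sis_ipl_pfd: List[float] = field(default_factory=list)  # PFD of each non-SIS IPL
    target_freq: float = 1e-4                   # tolerable frequency for this consequence, /yr


def mitigated_frequency(s: Scenario) -> float:
    """Frequency after the independent non-SIS layers: the baseline the SIS sees."""
    f = s.initiating_freq
    for pfd in s.non_sis_ipl_pfd:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"IPL PFD out of range: {pfd}")
        f *= pfd
    return f


def required_rrf(s: Scenario) -> float:
    """Risk reduction factor the SIS must provide; <= 1 means the target is already met."""
    return mitigated_frequency(s) / s.target_freq


def sil_for_rrf(rrf: float) -> Optional[int]:
    """SIL band for a required RRF (IEC 61511-1 Table 3 RRF bands).

    None -> no SIF needed (RRF <= 1)
    0    -> reduction needed but below the SIL 1 band (RRF <= 10); not a SIL on
            the table, flagged so the team looks at other layers first
    1..4 -> SIL band; above the SIL 4 band raise, since one SIF cannot claim more
    """
    if rrf <= 1.0:
        return None
    for sil, upper in ((0, 10.0), (1, 100.0), (2, 1_000.0), (3, 10_000.0), (4, 100_000.0)):
        if rrf <= upper:
            return sil
    raise ValueError("required RRF above the SIL 4 band: add layers or change the design")


def residual_frequency(s: Scenario, sis_pfd: float) -> float:
    """Frequency with a SIS of the given PFDavg in place."""
    return mitigated_frequency(s) * sis_pfd


def meets_target(s: Scenario, sis_pfd: float) -> bool:
    return residual_frequency(s, sis_pfd) <= s.target_freq


if __name__ == "__main__":
    scenarios = [
        Scenario("vessel overpressure from BPCS loop failure", 0.5, [0.1]),    # alarm + operator
        Scenario("vessel overpressure, relief valve credited", 0.05, [0.1, 0.01]),
        Scenario("external fire, no non-SIS layer credited", 0.5, []),
    ]
    for s in scenarios:
        rrf = required_rrf(s)
        print(f"{s.name}: mitigated {mitigated_frequency(s):.1e}/yr, "
              f"required RRF {rrf:.0f}, SIL {sil_for_rrf(rrf)}")
```

Each IPL must be independent of the initiating event and of the other layers for the multiplication to be valid; that independence is a HAZOP/LOPA team judgement, not something the arithmetic checks.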

PHA

HAZOP

What If?

Checklist

FMEA

Fault Tree

Event Tree

LOPA

Item   | Deviation     | Causes                          | Consequences               | Safeguards                                            | Action
Vessel | High level    | Failure of BPCS                 | High pressure              | Operator                                              |
Vessel | High pressure | 1) High level; 2) External fire | Release to environment     | 1) Alarm operator, protection layer; 2) Deluge system | Evaluate conditions for release to environment
Vessel | Low / no flow | Failure of BPCS                 | No consequence of interest |                                                       |
Vessel | Reverse flow  |                                 | No consequence of interest |                                                       |

Quantitative Risk Assessment

Weaknesses:
• Time consuming
• Resource intensive
• Complex, difficult to use
• Can produce same results via qualitative analysis

Strengths:
• More rigorous
• Least conservative
• Good for complex scenarios
• Better quantification of incremental protection layers

Qualitative Risk Assessment

Weaknesses:
• High subjectivity
• Inconsistent results
• Hard to document rationale
• Not much resolution between protection layers

Strengths:
• Easy to use
• Good for subjective consequence assessment
• Good for screening and categorizing hazards
• Team approach provides better evaluations

Qualitative risk analysis – Safety layer matrix

Rows: consequence severity category. Columns: number of non-SIS protection layers (1, 2, 3), each split by consequence frequency category (Low, Med, High). Cell value: SIL requirement (empty cells carry no SIL requirement; 3* marks a case where one SIL 3 SIF may not be sufficient).

Extensive: 3 3 3* 1 2 3 1 1
Serious: 1 2 3 1 2
Minor: 1 2 1

Process Industry I/O by Safety Integrity Level: SIL 1 51%, SIL 2 32%, SIL 3 8%, SIL 4 1%, No SIL 8%

Source: Exida, Safety and Critical Control Systems in Process and Machine Automation, July 2007

Safety Requirement Specification

Implementation Phase

Design and Engineering of the Safety Instrumented System

Select technology

Select architecture

Determine test philosophy

Reliability evaluation

Detailed design

Iterate if requirements are not met.

Technology selection

Sensors
– Analog vs. discrete signal
– Smart vs. conventional transmitter
– Certified vs. proven-in-use

Sensor Sales by Measurement Type: Pressure 50%, Fire and Gas 21%, Temperature 13%, Flow 8%, Level 8%

Sensor signal types, with PFD shown for each: Point switch → Direct wired → 4-20 mA → HART → Smart

SIS application?
• Certified: manufacturer proves it's safe
• Prior-use: user proves it's safe

Technology selection

Logic solver
– Relays vs. PLC vs. Safety PLC
– HART I/O vs. conventional analog
– Centralized vs. modular
– Integrated vs. Standalone

Logic solver options: Relays & Switches → General Purpose PLC → Safety PLC → Smart Logic Solver

Safety PLC (SIS Logic Solver) voting architectures: 1oo2, 2oo3, 2oo2, 1oo2D, 2oo4

Centralized Logic Solver
– 100s of SIFs in one box
– Good for large projects
– Single point of failure

Modular Logic Solver
– Isolates SIFs
– Scalable for large & small projects
– Eliminates single point of failure

Source: ARC Advisory Group

Technology selection

Final element
– Solenoid vs. DVC
– Automated vs. manual diagnostics
– Response time considerations

Final element options: Solenoid → Valve controller → Smart valve controller → Safety valve controller → Smart safety valve controller

[Chart: PFD vs. Proof Test Interval (years), showing the SIL 2 band]

Architecture selection

Hardware fault tolerance (HFT) impacts performance
– Safety integrity
– Availability
– SIL capability

Architecture (MooN) | 1oo1 | 2oo2 | 1oo2
Valve count (N)     | 1    | 2    | 2
Number to trip (M)  | 1    | 2    | 1
Safety HFT          | 0    | 0    | 1
Availability HFT    | 0    | 1    | 0

HFTs(MooN) = N – M
HFTa(MooN) = M – 1

[Diagrams: a single valve; Valve 1 and Valve 2 for each two-valve architecture]

Failure categories: Dangerous undetected, Dangerous detected, Safe detected, Safe undetected

Device Type | SFF         | HFTs = 0    | HFTs = 1
Type A      | <60%        | SIL 1       | SIL 2
Type A      | 60% to <90% | SIL 2       | SIL 3
Type A      | 90% to <99% | SIL 3       | SIL 4
Type A      | ≥99%        | SIL 3       | SIL 4
Type B      | <60%        | Not allowed | SIL 1
Type B      | 60% to <90% | SIL 1       | SIL 2
Type B      | 90% to <99% | SIL 2       | SIL 3
Type B      | ≥99%        | SIL 3       | SIL 4

Proof test philosophy

Proof test frequency – 5 yrs, 1 yr, 6 mos, 3 mos?

Online vs. offline proof testing. Turnaround schedule? Total SIF proof test, or proof test components on different intervals?

Reliability evaluation

Confirm that performance meets specifications
– Safety integrity (PFD)
– Availability (MTTFs)
– Response time

Architecture | Average Probability of Failure on Demand (PFDavg) | Spurious Trip Rate (STR)
1oo1         | λD·T / 2                                          | λS
1oo2         | (λD·T)^2 / 3                                      | 2·λS
2oo2         | λD·T                                              | 2·λS^2 / (3·λS + 2/T)
2oo3         | (λD·T)^2                                          | 6·λS^2 / (5·λS + 2/T)

[Chart: Risk Reduction (1/PFDavg – years), log scale 10 to 100,000, vs. Availability (MTTFs – years), log scale 10 to 10,000, with points for 1oo1, 1oo2, 2oo2, 2oo3]

λD = 0.02 failures/yr, λS = 0.01 failures/yr, T = 1 year
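The reliability-evaluation slide gives the simplified PFDavg and spurious-trip-rate expressions per architecture (1oo1: λD·T/2 and λS; 1oo2: (λD·T)²/3 and 2λS; 2oo2: λD·T and 2λS²/(3λS + 2/T); 2oo3: (λD·T)² and 6λS²/(5λS + 2/T)), the HFT bookkeeping HFTs = N − M and HFTa = M − 1, and the SIL bands of IEC 61511-1 Table 3, but only plots the results. The following is an added example, not code from the presentation: it evaluates the four architectures with the slide's λD = 0.02/yr, λS = 0.01/yr, T = 1 year, reports RRF, SIL band and MTTFs, and sums element PFDs for a whole SIF. The expressions are read from the slide as listed above (no common-cause or repair-time terms), the function names are this example's own, and the logic-solver PFD used for the sample SIF is a constructed value.

```python
# Added example (not from the Emerson Exchange 2010 slides): simplified MooN
# PFDavg / STR model, HFT bookkeeping and SIL band lookup (IEC 61511-1 Table 3).
from dataclasses import dataclass
from typing import Tuple


def pfd_avg(arch: str, lam_d: float, t: float) -> float:
    """PFDavg for a MooN group; lam_d in failures/yr, t = proof test interval in yr.
    Simplified expressions as listed on the slide (no common cause, no MTTR)."""
    x = lam_d * t
    return {"1oo1": x / 2, "1oo2": x ** 2 / 3, "2oo2": x, "2oo3": x ** 2}[arch]


def spurious_trip_rate(arch: str, lam_s: float, t: float) -> float:
    """Spurious trip rate (trips/yr); the 2oo2 and 2oo3 forms are read from the slide."""
    return {
        "1oo1": lam_s,
        "1oo2": 2 * lam_s,
        "2oo2": 2 * lam_s ** 2 / (3 * lam_s + 2 / t),
        "2oo3": 6 * lam_s ** 2 / (5 * lam_s + 2 / t),
    }[arch]


def hft(m: int, n: int) -> Tuple[int, int]:
    """(safety HFT, availability HFT) for MooN: HFTs = N - M, HFTa = M - 1."""
    return n - m, m - 1


def sil_from_pfd(pfd: float) -> int:
    """SIL band per IEC 61511-1 Table 3; 0 means worse than SIL 1 (PFDavg >= 1e-1)."""
    if pfd < 1e-5:
        raise ValueError("below the SIL 4 band; a single SIF cannot claim this, check inputs")
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


@dataclass
class Evaluation:
    arch: str
    pfd: float
    rrf: float
    sil: int
    str_per_yr: float
    mttfs_yr: float


def evaluate(arch: str, lam_d: float, lam_s: float, t: float) -> Evaluation:
    """Safety integrity (PFD, RRF, SIL) and availability (STR, MTTFs) for one architecture."""
    pfd = pfd_avg(arch, lam_d, t)
    s = spurious_trip_rate(arch, lam_s, t)
    return Evaluation(arch, pfd, 1 / pfd, sil_from_pfd(pfd), s, 1 / s)


def sif_pfd(*element_pfds: float) -> float:
    """PFD of a whole SIF: sum over sensor, logic solver and final element (slide formula)."""
    return sum(element_pfds)


if __name__ == "__main__":
    LAM_D, LAM_S, T = 0.02, 0.01, 1.0          # values from the slide
    for a in ("1oo1", "1oo2", "2oo2", "2oo3"):
        e = evaluate(a, LAM_D, LAM_S, T)
        print(f"{a}: PFDavg={e.pfd:.2e} RRF={e.rrf:.0f} SIL{e.sil} "
              f"STR={e.str_per_yr:.2e}/yr MTTFs={e.mttfs_yr:.0f} yr")
    # Constructed SIF #1: PT-101 (1oo1), logic solver (constructed PFD 1e-4), FV-101 (1oo1)
    total = sif_pfd(pfd_avg("1oo1", LAM_D, T), 1e-4, pfd_avg("1oo1", LAM_D, T))
    print(f"SIF #1 PFD={total:.2e} -> SIL{sil_from_pfd(total)}")
```

With the slide's numbers, 1oo2 and 2oo3 land in the SIL 3 band while 1oo1 and 2oo2 sit in SIL 1; the spurious-trip figures show the trade-off going the other way, 2oo2 having by far the longest MTTFs. The SIF total is dominated by the two 1oo1 field elements, which is why the slide's loop drawing (sensor, logic solver, final element) matters more than the logic solver alone.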


Detailed design & build

• Instrument design / specifications
• Wiring drawings
• Hardware design & build
• Software design & implementation
• BPCS / SIS integration
• Factory acceptance testing

Factory Acceptance Testing (FAT)
• Black box functionality tests
• Performance tests
• Environmental tests
• Interface testing
• Degraded mode tests
• Exception testing

Installation, Commissioning and Validation

• Installation: install the SIS according to specifications and drawings
• Commissioning: commission the SIS so that it is ready for final system validation
• Validation: validate, through inspection and testing, that the SIS achieves the requirements stated in the SRS

Validation is the key difference between control and safety systems.

Operation Phase

Operation and Maintenance Planning

• Who? Responsible parties; competence and training
• What? Routine and abnormal operation activities; proof testing and repair maintenance activities; recording of events and performance
• When? Proof testing frequencies; on process demand; on failure of SIS
• How? Procedures, measures, techniques to be used; non-conformance management; tools and supporting analysis

Procedures and training: Operation, Bypasses, Proof testing, Inspection, Performance monitoring, Maintenance and repair, Modification

Proof Testing
• Reveals dangerous faults undetected by diagnostics
• Entire SIS tested: sensors, logic solver, final element
• Frequency determined during SIF design

Inspection
• Ensures no unauthorized changes or deterioration of equipment

Tests and Inspections Documentation
• Description of tasks performed
• Dates performed
• Name of person(s) involved
• Identifier of system (loop, tag, SIF name)
• Results (“as-found” and “as-left”)

Proof testing uncovers DU failures. Example failure split: Fail Dangerous Undetected 7%, Fail Dangerous Detected 66%, Fail Safe Undetected 27%; SFF = 93%

Sensor testing options
• Safely test the SIF using actual process variables
• Test sensors in-situ by other means
• Perform wiring continuity test
• Remove sensor and test on bench
• Use smart features to test electronics and wiring continuity

Example – Rosemount 3051S Proof Test
• Proof Test 1: analog output loop test; satisfies proof test requirement; coverage > 50% of DU failures
• Proof Test 2: 2-point sensor calibration check; coverage > 95% of DU failures
• Note – user to determine impulse piping proof test

Valve Testing Options
• Offline: total stroke; process is down
• Online: total stroke with by-pass in service; component test (solenoid valve); partial stroke

Conventional testing methods
• Process unprotected during testing
• SIF not returned to normal after testing
• Risk of spurious trip
• Manually initiated in field
• Manpower intensive
• Subject to error

[Chart: PFD vs. Proof Test Interval (years), showing the SIL 2 band]

Source: Instrument Engineers’ Handbook, Table 6.10e – Dangerous Failures, Failure Modes, and Test Strategy

Failure                   | Failure mode      | Partial stroke | Full stroke
Valve packing is seized   | Fails to close    | X              | X
Valve packing is tight    | Slow to move      | X              | X
Actuator air line crimped | Slow to move      | X              | X
Actuator air line blocked | Fails to close    | X              | X
Valve stem sticks         | Fails to close    | X              | X
Valve seat is scarred     | Fails to seal off |                | X
Seat contains debris      | Fails to seal off |                | X
Seat plugged              | Fails to seal off |                | X
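The proof-test slides show the PFD-versus-interval curve and quote test coverage figures (the transmitter loop test covering more than 50% of DU failures, the calibration check more than 95%; partial stroke catching the seized-packing and stuck-stem modes but not the seat failures), without the calculation behind them. The following is an added example, not part of the presentation: it uses the usual two-interval simplification PFDavg ≈ λDU·[C·T_partial + (1 − C)·T_full] / 2, where C is the fraction of dangerous-undetected failures the online partial test reveals, to show how the full-test interval and the partial-test coverage trade off. That model and the λDU, coverage and interval values are this example's assumptions, not figures from the slides; the SIL bands are those of IEC 61511-1 Table 3.

```python
# Added example (not from the Emerson Exchange 2010 slides): effect of proof
# test interval and partial-test coverage on PFDavg. The two-interval model is
# an assumption of this example; lambda_DU and the intervals are constructed.
from typing import Optional


def pfd_avg_full_test_only(lam_du: float, t_full: float) -> float:
    """Every DU failure waits for the full proof test: PFDavg = lambda_DU * T / 2."""
    return lam_du * t_full / 2.0


def pfd_avg_with_partial_test(lam_du: float, coverage: float,
                              t_partial: float, t_full: float) -> float:
    """DU failures the partial test covers are found every t_partial,
    the remainder every t_full; coverage is the fraction the partial test reveals."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be a fraction in [0, 1]")
    if t_partial > t_full:
        raise ValueError("partial test interval cannot exceed the full test interval")
    return lam_du * (coverage * t_partial + (1.0 - coverage) * t_full) / 2.0


def sil_from_pfd(pfd: float) -> int:
    """IEC 61511-1 Table 3 band; 0 = worse than SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def max_full_test_interval(lam_du: float, target_pfd: float,
                           coverage: float = 0.0, t_partial: float = 0.0) -> Optional[float]:
    """Longest full-test interval (yr) that keeps PFDavg <= target_pfd.

    Solves the two-interval model for t_full. Returns None when the target
    cannot be met even with the full test run as often as the partial one."""
    if coverage >= 1.0:
        return float("inf")            # the partial test already finds every DU failure
    t_full = (2.0 * target_pfd / lam_du - coverage * t_partial) / (1.0 - coverage)
    return t_full if t_full >= t_partial else None


if __name__ == "__main__":
    LAM_DU = 0.005                     # constructed dangerous-undetected rate, failures/yr
    for t in (0.25, 0.5, 1.0, 2.0, 5.0):
        p = pfd_avg_full_test_only(LAM_DU, t)
        print(f"full test every {t:>4} yr: PFDavg {p:.2e} -> SIL {sil_from_pfd(p)}")
    p = pfd_avg_with_partial_test(LAM_DU, coverage=0.7, t_partial=0.25, t_full=5.0)
    print(f"quarterly partial stroke (70% coverage) + 5 yr full stroke: "
          f"PFDavg {p:.2e} -> SIL {sil_from_pfd(p)}")
    print("longest full-test interval for a 5e-3 PFDavg target, no partial test:",
          max_full_test_interval(LAM_DU, 5e-3))
    print("same target with quarterly 70% partial test:",
          max_full_test_interval(LAM_DU, 5e-3, coverage=0.7, t_partial=0.25))
```

With these constructed numbers a five-year full stroke alone gives SIL 1, while adding a quarterly partial stroke with 70% coverage brings the same valve into the SIL 2 band and roughly triples the full-test interval that a 5e-3 target allows. The coverage figure is the whole argument: the slide's failure-mode table is what justifies a claimed C, since seat failures are never credited to a partial stroke.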

Modification – Documentation
• Description
• Reason
• Hazards
• Impact on SIS
• Approvals
• Competency mgmt.
• Tests / verification
• Configuration history