Mike Boudreaux, DeltaV SIS Brand Manager
Not all activities in life are safe…
…and we have different levels of risk tolerance
Personal safety: Fall prevention; Personal protective equipment; Structural design; Ergonomics; Work schedules
Occupational safety: Total recordables
Process safety: Employee training; Mechanical integrity; Management of change; Policies & procedures; Inherently safer design; Functional safety; Risk assessments; Facility siting; Emergency response; Safety audits
Bhopal, India, 1984
Chernobyl, Russia, 1986
Piper Alpha, UK, 1988
Texas City Refinery, USA, 2004
Why do accidents happen?
“You can have a very good accident rate for ‘hard hat’ accidents but not for process ones.”
“The fact that you’ve had 20 years without a catastrophic event is no guarantee that there won’t be one tomorrow.”
Process safety (functional safety highlighted): Employee training; Mechanical integrity; Management of change; Policies & procedures; Inherently safer design; Risk assessments; Facility siting; Emergency response; Safety audits; Functional safety
Functional safety
IEC 61511
PFDavg
LOPA
RRF
SIS
HAZOP
SRS
PHA
IEC 61508
FMEDA
BPCS
SIL
SIF
IEC 61508: All industries
IEC 61511: Process industry sector
IEC 62061: Machinery sector
IEC 61513: Nuclear sector
For product designers and manufacturers
For system designers, integrators and users
Source: http://www.wordle.net/show/wrdl/2276332/IEC_61511
BPCS
• Basic Process Control System
• Also: DCS, PAS
• PID control
• Discrete control
• Sequencing
• Batch automation
• Dynamic
Control element
Transmitter
Controller
Workstation
Final element
Transmitter
Logic solver
SIS
• Safety Instrumented System
• Emergency Shutdown (ESD)
• Burner Management System (BMS)
• Fire & Gas System (FGS)
ICSS
BPCS SIS
Safety function | Process conditions | What to do | SIL
SIF #1 | High level | Drive output 1 | 1
SIF #2 | High pressure | Drive outputs 1 + 2 | 3
PHA
• Identify hazards
• Evaluate safeguards
SRS
• Define SIFs
• Define SIL for each SIF
Design
• Specify devices
• Design architecture
Verify
• Verify SIL meets SRS
PHA
HAZOP
What If?
Checklist
FMEA
Fault Tree
Event Tree
LOPA
SIL General description
4 Catastrophic community impact
3 Employee & community impact
2 Major Property and Production Impact; Possible Injury to Employee
1 Minor Property and Production Impact
PFD(SIF #1) = PFD(PT-101) + PFD(logic solver) + PFD(FV-101)
SIF #1: PT-101 → Logic solver → FV-101
SIL | PFDavg | RRF
4 | ≥10^-5 to <10^-4 | >10,000 to ≤100,000
3 | ≥10^-4 to <10^-3 | >1,000 to ≤10,000
2 | ≥10^-3 to <10^-2 | >100 to ≤1,000
1 | ≥10^-2 to <10^-1 | >10 to ≤100
Source: IEC 61511-1, Table 3 – Safety Integrity Levels: probability of failure on demand
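A worked example, added here and not part of the original deck, of the two things the slide puts side by side: summing the subsystem PFDavg values of SIF #1 and placing the total in the IEC 61511-1 Table 3 bands. The function names and the PFDavg numbers assigned to PT-101, the logic solver and FV-101 are constructed for illustration, not data for those tags.

```python
"""Added example (not from the original deck): total the per-subsystem PFDavg of a
SIF, as in the slide's PFD(SIF #1) = PFD(PT-101) + PFD(logic solver) + PFD(FV-101),
and place the result in the IEC 61511-1 Table 3 bands. Component PFDavg values are
constructed illustrative numbers."""
from typing import Dict, Optional

# IEC 61511-1 Table 3 as reproduced on the slide: (SIL, PFDavg lower bound inclusive,
# upper bound exclusive). RRF is simply 1 / PFDavg.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sif_pfd(components: Dict[str, float]) -> float:
    """Sum the subsystem PFDavg values (sensor, logic solver, final element).
    The slide's sum is the series approximation: any subsystem failing on demand
    fails the whole SIF, and the sum is a slightly conservative upper bound."""
    for tag, pfd in components.items():
        if not 0.0 <= pfd <= 1.0:
            raise ValueError(f"{tag}: PFDavg must be in [0, 1], got {pfd}")
    return sum(components.values())


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFDavg."""
    if pfd <= 0.0:
        raise ValueError("PFDavg must be positive to compute an RRF")
    return 1.0 / pfd


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL whose Table 3 band contains pfd. None when PFDavg >= 0.1 (no SIL credit)
    or < 1e-5 (outside the table, beyond the SIL 4 band)."""
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return None


def meets_target(components: Dict[str, float], target_sil: int) -> bool:
    """True if the summed SIF PFDavg achieves at least target_sil."""
    sil = sil_for_pfd(sif_pfd(components))
    return sil is not None and sil >= target_sil


def weakest_subsystem(components: Dict[str, float]) -> str:
    """Subsystem contributing the most PFDavg: the first place to improve when the
    target SIL is missed (e.g. more frequent proof test or a redundant device)."""
    return max(components, key=components.__getitem__)


# Constructed PFDavg budget for SIF #1 (transmitter, logic solver, valve)
SIF1 = {"PT-101": 2.0e-3, "logic solver": 1.0e-4, "FV-101": 5.0e-3}

if __name__ == "__main__":
    total = sif_pfd(SIF1)
    print(f"PFD(SIF #1) = {total:.2e}, RRF = {risk_reduction_factor(total):.0f}, "
          f"SIL {sil_for_pfd(total)}, weakest = {weakest_subsystem(SIF1)}")
```

With the constructed budget the valve dominates the total, which is the usual finding in practice and the reason the deck spends so much time on final-element testing later on.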
Functional safety
IEC 61511
PFDavg
LOPA
RRF
SIS
HAZOP
SRS
PHA
IEC 61508
FMEDA
BPCS
SIL
SIF
TÜV
Safety Lifecycle Management
The IEC 61511 Safety lifecycle
Safety Lifecycle Management
Functional Safety Management
Safety Management System
• Organization and resources
• Risk evaluation and risk management
• Planning
• Implementation and monitoring
• Assessment, auditing, and revisions
• Configuration management
Safety Management System / Quality Management System
• Organization and responsibilities
• Competency management
• Documentation structure and control
• Configuration management
• Supplier assessment process
Organization and Responsibilities
Safety Management Team
• Responsible for functional safety policies and procedures
• Responsible for ensuring policies and procedures are implemented by the organization
Project Leadership
• Responsible for functional safety management on projects
Safety Roles
• Competent personnel doing work on SIS
Safety Leadership Team → Safety Role
Competency requirements for each safety role and its safety activities: Knowledge & training; Experience; Management & leadership skills
Verification: activity / phase
Validation: installed and commissioned SIS
Assessment: overall process risk
Audit: procedures, policies and processes
Safety Management System
Safety Requirements Specification
Activity / phase
objectives
Process Hazards Analysis
Verify
Source: IEC 61511-1, Figure 12 – Software development lifecycle (the V-Model)
Functional safety assessment
Hazard and risk assessment is carried out
PHA recommendations are implemented.
Design change procedures are in place and implemented
Recommendations from the previous assessment are resolved
SIS is properly validated against the SRS.
Procedures are in place for the Operate phase.
Employees are trained.
Future assessment plans are in place.
Safety Life-cycle Structure and Planning
Safety Lifecycle Planning: criteria, techniques, measures and procedures to ensure safety
Verification Planning
Who?
• Responsible parties
• Levels of independence
What?
• Verification activities
• Items to be verified
• Information to be verified against
When?
• At which points verification will occur
How?
• Procedures, measures, techniques to be used
• Non-conformance management
• Tools and supporting analysis
Safety life-cycle structure
Analysis Phase
Hazard and risk assessment
Allocation of safety functions to protection layers
Source: IEC 61511-3, Figure 4 – Risk and safety integrity concepts
Source: IEC 61511-3, Figure 2
Protection layers: Process control layer (BPCS); Operator intervention; Safety layer (SIS Emergency Shutdown System); Active protection layer (Fire and Gas System); Passive protection layer (Containment, Dike/Vessel); Emergency response layer (Plant and Emergency Response)
Prevent / Mitigate
Process value: normal behavior
Trip level alarm
Operator intervention
Process alarm
Emergency shutdown
BPCS
Incident
Unacceptable Risk Region
Negligible Risk Region
ALARP Risk Region
Increasing Risk
Inherent Risk of Process
Consequence
Likelihood
Overall Risk
SIL3 / SIL2 / SIL1
SIS Risk Reduction
Overall Risk
Baseline Risk
Non-SIS Preventative Safeguards
Non-SIS Mitigating Safeguards
Overall Risk
As low as reasonably practicable (ALARP)
Intolerable Risk: 10^-3 / man-year (worker); 10^-4 / year (public)
ALARP or Tolerable Risk Region
Negligible Risk: 10^-5 / man-year (worker); 10^-6 / year (public)
Government mandates for tolerable risk levels
[Chart: tolerable risk levels on a 10^-2 to 10^-9 per-year scale for Australia (NSW), Hong Kong, Netherlands, United Kingdom]
The United States does not set tolerable risk levels, or offer guidelines.
Chemical industry benchmarks for tolerable risk
[Chart: tolerable risk levels on a 10^-2 to 10^-9 per-year scale for Company I, Company II, Company III, Small companies]
Large, multinational chemical companies tend to set levels consistent with international mandates
Smaller companies tend to operate in wider ranges and implicitly, at higher levels of risk
PHA
HAZOP
What If?
Checklist
FMEA
Fault Tree
Event Tree
LOPA
Item | Deviation | Causes | Consequences | Safeguards | Action
Vessel | High level | Failure of BPCS | High pressure | Operator |
| High pressure | 1) High level 2) External fire | Release to environment | 1) Alarm operator, protection layer 2) Deluge system | Evaluate conditions for release to environment
| Low / no flow | Failure of BPCS | No consequence of interest | |
| Reverse flow | | No consequence of interest | |
Quantitative Risk Assessment
Weaknesses
• Time consuming
• Resource intensive
• Complex, difficult to use
• Can produce same results via qualitative analysis
Strengths
• More rigorous
• Least conservative
• Good for complex scenarios
• Better quantification of incremental protection layers
Qualitative Risk Assessment
Weaknesses
• High subjectivity
• Inconsistent results
• Hard to document rationale
• Not much resolution between protection layers
Strengths
• Easy to use
• Good for subjective consequence assessment
• Good for screening and categorizing hazards
• Team approach provides better evaluations
Qualitative risk analysis – Safety layer matrix
Consequence Severity
Category SIL Requirement
Extensive 3 3 3* 1 2 3 1 1
Serious 1 2 3 1 2
Minor 1 2 1
Consequence Frequency Category
Low
Med
High
Low
Med
High
Low
Med
High
1 2 3
Number of non-SIS Protection Layers
Process Industry I/O by Safety Integrity Level: SIL 1 51%; SIL 2 32%; SIL 3 8%; SIL 4 1%; No SIL 8%
Source: Exida Safety and Critical Control Systems in Process and Machine Automation July 2007
Safety Requirement Specification
Implementation Phase
Implementation Phase
Implementation Phase
Design and Engineering of the Safety Instrumented System
Select technology
Select architecture
Determine test philosophy
Reliability evaluation
Detailed design
Iterate if requirements are not met.
Technology selection
Steps: Select technology → Select architecture → Determine test philosophy → Reliability evaluation → Detailed design
Sensors
– Analog vs. discrete signal
– Smart vs. conventional transmitter
– Certified vs. proven-in-use
Sensor Sales by Measurement Type: Pressure 50%; Fire and Gas 21%; Temperature 13%; Flow 8%; Level 8%
Point switch
Direct wired
4-20 mA
HART
Smart
SIS Application?
Certified: manufacturer proves it’s safe
Prior-use: user proves it’s safe
Technology selection
Steps: Select technology → Select architecture → Determine test philosophy → Reliability evaluation → Detailed design
Logic solver
– Relays vs. PLC vs. Safety PLC
– HART I/O vs. conventional analog
– Centralized vs. modular
– Integrated vs. standalone
Relays & Switches
General Purpose PLC
Safety PLC
Smart Logic Solver
Voting architectures: 1oo2, 2oo3, 2oo2, 1oo2D, 2oo4
Safety PLC (SIS Logic Solver)
Centralized Logic Solver
– 100’s of SIFs in one box
– Good for large projects
– Single point of failure
Modular Logic Solver
– Isolates SIFs
– Scalable for large & small projects
– Eliminates single point of failure
Source: ARC Advisory Group
Technology selection
Steps: Select technology → Select architecture → Determine test philosophy → Reliability evaluation → Detailed design
Final element
– Solenoid vs. DVC
– Automated vs. manual diagnostics
– Response time considerations
Solenoid
Valve controller
Smart valve controller
Safety valve controller
Smart safety valve controller
[Chart: PFD vs. proof test interval (years) against the SIL 2 band]
Architecture selection
Steps: Select technology → Select architecture → Determine test philosophy → Reliability evaluation → Detailed design
Hardware fault tolerance (HFT) impacts performance
– Safety integrity
– Availability
– SIL capability
Architecture (MooN) | 1oo1 | 2oo2 | 1oo2
Valve count (N) | 1 | 2 | 2
Number to trip (M) | 1 | 2 | 1
Safety HFT | 0 | 0 | 1
Availability HFT | 0 | 1 | 0
HFTs(MooN) = N – M
HFTa(MooN) = M – 1
Failure categories: Dangerous undetected; Dangerous detected; Safe detected; Safe undetected
Device Type | SFF | HFTs = 0 | HFTs = 1
Type A | <60% | SIL1 | SIL2
Type A | 60% to <90% | SIL2 | SIL3
Type A | 90% to <99% | SIL3 | SIL4
Type A | ≥99% | SIL3 | SIL4
Type B | <60% | Not allowed | SIL1
Type B | 60% to <90% | SIL1 | SIL2
Type B | 90% to <99% | SIL2 | SIL3
Type B | ≥99% | SIL3 | SIL4
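An added example (not from the original deck) tying the last two slides together: the HFTs = N – M and HFTa = M – 1 rules for a MooN valve group, the safe failure fraction from the four failure categories, and the maximum SIL claimable from device type, SFF and HFTs using the table exactly as shown on the slide. Only the HFTs = 0 and HFTs = 1 columns exist on the slide, so groups with more tolerance are conservatively rated at the HFTs = 1 column. Function names and the failure-rate inputs are assumptions; the 7 / 66 / 27 split is the distribution the deck itself uses later when it states SFF = 93%.

```python
"""Added example (not from the original deck): hardware fault tolerance of a MooN
voting group, safe failure fraction, and the maximum SIL claimable per the slide's
device type / SFF / HFTs table. Only the slide's HFTs = 0 and HFTs = 1 columns are
encoded; all numeric inputs below are constructed."""
from typing import Optional


def safety_hft(n: int, m: int) -> int:
    """HFTs(MooN) = N - M: dangerous device failures the group tolerates and still trips."""
    if not 1 <= m <= n:
        raise ValueError("MooN requires 1 <= M <= N")
    return n - m


def availability_hft(n: int, m: int) -> int:
    """HFTa(MooN) = M - 1: safe device failures the group tolerates without a spurious trip."""
    if not 1 <= m <= n:
        raise ValueError("MooN requires 1 <= M <= N")
    return m - 1


def safe_failure_fraction(lam_sd: float, lam_su: float, lam_dd: float, lam_du: float) -> float:
    """SFF = (safe detected + safe undetected + dangerous detected) / total failure rate,
    i.e. the share of failures that are not dangerous undetected."""
    total = lam_sd + lam_su + lam_dd + lam_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lam_sd + lam_su + lam_dd) / total


# Slide table: per device type, (SFF lower bound, (SIL at HFTs=0, SIL at HFTs=1)),
# ordered from the highest band down; None means "not allowed".
_SIL_TABLE = {
    "A": [(0.99, (3, 4)), (0.90, (3, 4)), (0.60, (2, 3)), (0.0, (1, 2))],
    "B": [(0.99, (3, 4)), (0.90, (2, 3)), (0.60, (1, 2)), (0.0, (None, 1))],
}


def sil_capability(device_type: str, sff: float, hft: int) -> Optional[int]:
    """Maximum SIL for a device type ('A' or 'B'), its SFF (0..1) and safety HFT (0 or 1)."""
    if device_type not in _SIL_TABLE:
        raise ValueError("device_type must be 'A' or 'B'")
    if hft not in (0, 1):
        raise ValueError("the slide's table only covers HFTs = 0 and HFTs = 1")
    for lower, sils in _SIL_TABLE[device_type]:
        if sff >= lower:
            return sils[hft]
    return None  # unreachable: the last band starts at 0.0


def architecture_capability(device_type: str, sff: float, n: int, m: int) -> Optional[int]:
    """SIL capability of an N-device MooN group. Capability never decreases with HFT,
    so clipping HFTs at 1 (the slide's last column) gives a conservative claim."""
    return sil_capability(device_type, sff, min(safety_hft(n, m), 1))


if __name__ == "__main__":
    sff = safe_failure_fraction(lam_sd=0, lam_su=27, lam_dd=66, lam_du=7)  # constructed split
    print(f"SFF = {sff:.0%}")
    for n, m in ((1, 1), (2, 2), (2, 1), (3, 2)):
        print(f"{m}oo{n}: HFTs={safety_hft(n, m)} HFTa={availability_hft(n, m)} "
              f"Type B capability SIL {architecture_capability('B', sff, n, m)}")
```

The 1oo2 and 2oo2 rows show the trade the slide's table is making: the same two valves give HFTs = 1 (higher SIL capability, but any one spurious failure trips) or HFTa = 1 (no single-device spurious trip, but no dangerous-failure tolerance at all).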
Proof test philosophy
Steps: Select technology → Select architecture → Determine test philosophy → Reliability evaluation → Detailed design
Proof test frequency – 5 yrs, 1 yr, 6 mos, 3 mos?
Online vs. offline proof testing? Turnaround schedule? Total SIF proof test, or proof test of components on different intervals?
Reliability evaluation
Steps: Select technology → Select architecture → Determine test philosophy → Reliability evaluation → Detailed design
Confirm that performance meets specifications
– Safety integrity (PFD)
– Availability (MTTFs)
– Response time
Architecture | Average Probability of Failure on Demand (PFDavg) | Spurious Trip Rate (STR)
1oo1 | λD·T / 2 | λS
1oo2 | (λD·T)² / 3 | 2·λS
2oo2 | λD·T | 2·λS² / (3·λS + 2/T)
2oo3 | (λD·T)² | 6·λS² / (5·λS + 2/T)
[Chart: Risk Reduction (1/PFDavg) from 10 to 100,000 vs. Availability (MTTFs, years) from 10 to 10,000, for 1oo1, 1oo2, 2oo2 and 2oo3]
λD = 0.02 failures/yr; λS = 0.01 failures/yr; T = 1 year
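The slide's PFDavg and STR approximations evaluated with its own parameters, as an added example that is not part of the original deck. It reproduces the four points on the risk-reduction versus availability chart (RRF = 1/PFDavg, MTTFs = 1/STR) and, for the proof-test-philosophy question on the earlier slide, inverts each PFDavg formula to give the longest proof-test interval that stays under a chosen PFDavg limit. The formulas are the slide's simplified ones (valid for λ·T ≪ 1), not a full Markov or IEC 61508-6 model; function names are assumptions.

```python
"""Added example (not from the original deck): the slide's simplified PFDavg and
spurious trip rate (STR) formulas for 1oo1, 1oo2, 2oo2 and 2oo3, evaluated with the
slide's parameters, plus the longest proof-test interval that keeps PFDavg under a
limit. These are the slide's approximations (lambda * T << 1), not a full model."""
import math
from typing import Dict, List

ARCHITECTURES = ("1oo1", "1oo2", "2oo2", "2oo3")


def pfd_avg(arch: str, lam_d: float, t: float) -> float:
    """PFDavg from the dangerous failure rate lam_d (per year) and proof-test interval t (years)."""
    if t <= 0:
        raise ValueError("proof-test interval must be positive")
    x = lam_d * t
    return {"1oo1": x / 2, "1oo2": x ** 2 / 3, "2oo2": x, "2oo3": x ** 2}[arch]


def spurious_trip_rate(arch: str, lam_s: float, t: float) -> float:
    """STR (per year) from the safe failure rate lam_s (per year) and interval t (years)."""
    if t <= 0:
        raise ValueError("proof-test interval must be positive")
    return {
        "1oo1": lam_s,
        "1oo2": 2 * lam_s,
        "2oo2": 2 * lam_s ** 2 / (3 * lam_s + 2 / t),
        "2oo3": 6 * lam_s ** 2 / (5 * lam_s + 2 / t),
    }[arch]


def evaluate(arch: str, lam_d: float = 0.02, lam_s: float = 0.01, t: float = 1.0) -> Dict[str, float]:
    """PFDavg, RRF (= 1/PFDavg), STR and MTTFs (= 1/STR); defaults are the slide's parameters."""
    pfd = pfd_avg(arch, lam_d, t)
    st = spurious_trip_rate(arch, lam_s, t)
    return {"pfd_avg": pfd, "rrf": 1 / pfd, "str": st, "mttfs": 1 / st}


def longest_test_interval(arch: str, lam_d: float, pfd_limit: float) -> float:
    """Invert pfd_avg for t: the longest proof-test interval (years) at which PFDavg
    equals pfd_limit, so any shorter interval stays inside the target band."""
    return {
        "1oo1": 2 * pfd_limit / lam_d,
        "1oo2": math.sqrt(3 * pfd_limit) / lam_d,
        "2oo2": pfd_limit / lam_d,
        "2oo3": math.sqrt(pfd_limit) / lam_d,
    }[arch]


def rank_by_rrf(lam_d: float = 0.02, lam_s: float = 0.01, t: float = 1.0) -> List[str]:
    """Architectures ordered from highest to lowest risk reduction."""
    return sorted(ARCHITECTURES, key=lambda a: evaluate(a, lam_d, lam_s, t)["rrf"], reverse=True)


if __name__ == "__main__":
    for arch in ARCHITECTURES:
        r = evaluate(arch)
        print(f"{arch}: PFDavg={r['pfd_avg']:.2e} RRF={r['rrf']:.0f} "
              f"STR={r['str']:.2e}/yr MTTFs={r['mttfs']:.0f} yr, "
              f"longest T for PFDavg<=1e-3: {longest_test_interval(arch, 0.02, 1e-3):.2f} yr")
```

With the slide's numbers, 1oo2 gives the most risk reduction but the lowest MTTFs, while 2oo2 does the opposite; 2oo3 sits between them on both axes, which is why it is the usual compromise when both trip avoidance and safety integrity matter.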
PFD(SIF #1) = PFD(PT-101) + PFD(logic solver) + PFD(FV-101)
SIF #1: PT-101 → Logic solver → FV-101
SIL | PFDavg | RRF
4 | ≥10^-5 to <10^-4 | >10,000 to ≤100,000
3 | ≥10^-4 to <10^-3 | >1,000 to ≤10,000
2 | ≥10^-3 to <10^-2 | >100 to ≤1,000
1 | ≥10^-2 to <10^-1 | >10 to ≤100
Source: IEC 61511-1, Table 3 – Safety Integrity Levels: probability of failure on demand
Detailed design & build
Steps: Select technology → Select architecture → Determine test philosophy → Reliability evaluation → Detailed design & build
Instrument design / specifications
Wiring drawings
Hardware design & build
Software design & implementation
BPCS / SIS integration
Factory acceptance testing
Factory Acceptance Testing (FAT)
Black box functionality tests
Performance tests
Environmental tests
Interface testing
Degraded mode tests
Exception testing
Installation, Commissioning and Validation
Installation
• Install the SIS according to specifications and drawings
Commissioning
• Commission the SIS so that it is ready for final system validation
Validation
• Validate, through inspection and testing, that the SIS achieves the requirements stated in the SRS
Validation is the key difference between control and safety systems.
Operation Phase
Operation and Maintenance Planning
Who?
• Responsible parties
• Competence and training
What?
• Routine and abnormal operation activities
• Proof testing and repair maintenance activities
• Recording of events and performance
When?
• Proof testing frequencies
• On process demand
• On failure of SIS
How?
• Procedures, measures, techniques to be used
• Non-conformance management
• Tools and supporting analysis
Procedures and training
Operation
Bypasses
Proof testing
Inspection
Performance monitoring
Maintenance and repair
Modification
Proof Testing
• Reveals dangerous faults undetected by diagnostics
• Entire SIS tested: sensors, logic solver, final element
• Frequency determined during SIF design
Inspection
• Ensures no unauthorized changes or deterioration of equipment
Tests and Inspections Documentation
Description of tasks performed
Dates performed
Name of person(s) involved
Identifier of system (loop, tag, SIF name)
Results (“as-found” and “as-left”)
Failure distribution: Fail dangerous undetected 7%; Fail dangerous detected 66%; Fail safe undetected 27%
Proof testing uncovers DU failures
SFF = 93%
Sensor testing options
• Safely test the SIF using actual process variables
• Test sensors in-situ by other means
• Perform wiring continuity test
• Remove sensor and test on bench
• Use smart features to test electronics and wiring continuity
Example – Rosemount 3051S Proof Test
Proof Test 1: Analog output loop test – satisfies proof test requirement; coverage > 50% of DU failures
Proof Test 2: 2-point sensor calibration check – coverage > 95% of DU failures
Note – user to determine impulse piping proof test
Valve Testing Options
Offline
• Total stroke
• Process is down
Online
• Total stroke
• By-pass in service
• Component test
• Solenoid valve
• Partial stroke
Conventional testing methods
• Process unprotected during testing
• SIF not returned to normal after testing
• Risk of spurious trip
• Manually initiated in field
• Manpower intensive
• Subject to error
[Chart: PFD vs. proof test interval (years) against the SIL 2 band]
Source: Instrument Engineers’ Handbook, Table 6.10e – Dangerous Failures, Failure Modes, and Test Strategy
Failure | Failure mode | Partial stroke | Full stroke
Valve packing is seized | Fails to close | X | X
Valve packing is tight | Slow to move | X | X
Actuator air line crimped | Slow to move | X | X
Actuator air line blocked | Fails to close | X | X
Valve stem sticks | Fails to close | X | X
Valve seat is scarred | Fails to seal off | | X
Seat contains debris | Fails to seal off | | X
Seat plugged | Fails to seal off | | X
Modification
Documentation
• Description
• Reason
• Hazards
• Impact on SIS
• Approvals
• Competency management
• Tests / verification
• Configuration history