ISA Seminars on the Web Live Experts on Hot Topics · – Three 10-minute question and answer...


Page 1: ISA Seminars on the Web Live Experts on Hot Topics · – Three 10-minute question and answer sessions Audio Instructions • As a participant, you are in a “listen-only” mode.

© 2011, ISA EN00W6 (1.4) 1

Standards · Certification · Education and Training · Publishing · Conferences and Exhibits

ISA Seminars on the Web: Live Experts on Hot Topics

CSE PE Exam Review: Safety Systems

EN00W6 Version 1.4

© 2011


Seminar Logistics

• Seminar materials

– Downloadable presentation

– Question and Answer session (audio and email)

– Survey

– Earn 1 Professional Development Hour (PDH)

• Seminar length

– 60-minute presentation

– Three 10-minute question and answer sessions

Audio Instructions

• As a participant, you are in a “listen-only” mode.

• You may ask questions via the internet, using your keyboard, at any time during the presentation. However, the presenter may decide to wait to answer your question until the next Q&A Session.

• If you have audio difficulties, press *0.


Audio Instructions for Q&A Sessions

• Questions may be asked via your telephone line.

• Press the *1 key on your telephone key-pad.

• If there are no other callers on the line, the operator will announce your name and affiliation to the audience and then ask for your question.

• If other participants are asking questions, you will be placed into a queue until you are first in line.

• While in the queue, you will be in a listen-only mode until the operator indicates that your phone has been activated. The operator will announce your name and affiliation and then ask for your question.

Introduction of Presenter

• Gerald Wilbanks, P.E., Vice President of Documentation and Engineering Services in Birmingham, Alabama, has over 40 years of experience in engineering, management, consulting, and design in heavy industry. He is a registered professional engineer in 4 states, a member of NSPE and ASQ, and a former International President (1995) of ISA. Gerald is a graduate of Mississippi State University with a Bachelor's Degree in Electrical Engineering and was recognized as the Engineer of the Year in 1991 by the Engineering Council of Birmingham. He is a Distinguished Engineering Fellow of Mississippi State University and a Life Fellow member of ISA. He has served as an instructor in many courses, seminars, and other educational sessions for ISA and in his own business.


Key Benefits of Seminar

• Identify areas of focus for more effective studying to assist with passing the PE examination

• Explain the basics of safety instrumented systems

• Discuss Safety Integrity Level

• Review meaning and use of Reliability

• Calculate Probability of Failure on Demand

• Definition of Risk Reduction Factor

• Safety Systems (Domain V) represents about 12 questions or 15% of the CSE PE exam

Typical Control Loop

Figure: the process's controlled variable is measured by a sensor and transmitter; the transmitted signal is compared with the set point in the controller; the controller output (a signal based on error or deviation and the effects of the control modes) drives the final control element, which adjusts the manipulated variable.


Section 1: Safety Systems Basics

• Description of safety instrumented systems

• Risk and sources

• Design Documentation

• Safety Layers and standards

Safety Instrumented System (SIS)

A system composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when pre-determined conditions are violated.

Figure: a Basic Process Control System (BPCS), with its own inputs and outputs, and a separate Safety Instrumented System (SIS), with its own inputs and outputs, on the same process vessel T-1. Instrument tags shown: FT 1, PT1A, PT1B, LV 1, SDV 1.


Incident Occurrence By Phase

From ‘Out Of Control’ (a compilation of incidents involving control systems) by the United Kingdom Health and Safety Executive (UK HSE):

– Incorrect & Incomplete Specification: 44%

– Changes After Commissioning: 20%

– Operations & Maintenance: 15%

– Design & Implementation: 15%

– Installation & Commissioning: 6%

SIS Design Documents

• UK HSE: PES – Programmable Electronic Systems for Use in Safety Related Applications, 1987

• American Institute of Chemical Engineers, Center for Chemical Process Safety (AIChE, CCPS): Guidelines for Safe Automation of Chemical Processes, 1993

• ANSI/ISA 84 – 2004 (IEC 61511): Functional safety: Safety Instrumented Systems for the process industry sector, 2004

• International Electrotechnical Commission (IEC) 61508 - Functional Safety - Safety Related Systems, 2000


What is at Risk?

• SISs are used to protect:

– Personnel

• Safety systems are installed to reduce risk

Safety Layers

Defense in depth, or, don’t put all your eggs in one basket.

Layers, from outermost to innermost:

– Community Emergency Response

– Plant Emergency Response

– Physical Protection (Dikes)

– Physical Protection (Relief Devices)

– Safety Instrumented System

– Alarms, Operator Intervention

– Basic Process Control

– Process


Risk Reduction

Figure: the risk inherent in the process is reduced by successive layers (BPCS, Alarms, SIS, Mechanical, Other) until the residual risk level lies below the tolerable risk level.

Doing more in one box doesn’t make it perform better

Scope of Standards

• Covers specification, design, installation, operation and maintenance

• Specifies requirements, but not who is responsible for implementing them

• Applies to a wide variety of industries within the process sector:

– Chemicals, oil refining, oil and gas production, pulp and paper, non-nuclear power generation

– Certain industries may have additional requirements

(ISA84, Section 1)


Management of Functional Safety

• Policy and strategy for achieving safety

• Persons/departments shall be identified and responsibilities assigned

• Persons shall be competent

– Engineering knowledge, training & experience (with the process, logic system technology, field devices, regulations, leadership skills, etc.)

• Assessments / audits

– To make a judgment on the functional safety achieved by the system

– At least one assessment carried out prior to hazards being present

(ISA84, Section 5)

Review of Key Points

• A safety instrumented system (SIS) is a separate and distinct layer of controls from the Basic Process Control System (BPCS)

• Safety Instrumented Systems are for the protection of human life, equipment, the environment, and the public

• Industrial incidents result from the failure of several different elements

• Risk mitigation is documented by various standards

• Risk reduction can be accomplished in various levels of instrumentation

• Risk is reduced by following proven methodologies


Live Question and Answer Session

• During Q&A, questions may be asked via your telephone line.

• Press the *1 key on your telephone key-pad.

• If there are no other callers on the line, the operator will announce your name and affiliation to the audience and then ask for your question.

• If other participants are asking questions, you will be placed into a queue until you are first in line.

• While in the queue, you will be in a listen-only mode until the operator indicates that your phone has been activated. The operator will announce your name and affiliation and then ask for your question.

Section 2: Safety Systems Design

• Overall safety system life cycle

• Risk analysis and types

• Safety systems levels and classifications

• Failure Modes

• Risk Reduction Factor (RRF)


Safety Design Life Cycle

Phases (ISA84 section numbers in parentheses):

– Hazard & Risk Analysis (8)

– Allocation of Safety Layers (9)

– Other Means of Risk Reduction (9)

– Develop Safety Requirements Specification (10 & 12)

– Design & Engineering (11 & 12)

– Installation, Commissioning & Validation (14 & 15)

– Operations & Maintenance (16)

– Modification (17)

– Decommission (18)

Steps performed throughout:

– Management, Assessment, Auditing (5)

– Verification (7)

Figure legend: each phase is marked either “No detailed requirements given” or “Detailed requirements given”.

(ISA84, Section 6)

Risk Analysis

• Risk is a function of frequency(probability, likelihood) and severity (consequences)

– How often, and how bad

• The process industry was not the first group that needed to assess risk

– Military, nuclear


Overall Risk

Figure: risk matrix with High Risk, Medium Risk and Low Risk regions.

• High risk:

– Unacceptable design

– Change required

• Medium risk:

– Questionable design

– Change desirable

• Low risk:

– Acceptable design

– No change required

Allocation of Safety Functions to Layers

• Allocation of safety functions to protection layers

• Determine the required safety instrumented functions

• Determine the SIL for each SIF

– SIL is a discrete number (1-4) specifying the performance of the SIF

– High risk does not necessarily lead to high SIL. There are other factors to consider (e.g., # of independent protection layers).

(ISA84, Section 9)


Safety Integrity Levels

SIL   Probability of Failure      Risk Reduction Factor     Safety Availability
      on Demand (PFD)             (1/PFD)                   (1-PFD), %
4     ≥ 0.00001 to < 0.0001       > 10,000 to ≤ 100,000     > 99.99 to ≤ 99.999
3     ≥ 0.0001 to < 0.001         > 1,000 to ≤ 10,000       > 99.9 to ≤ 99.99
2     ≥ 0.001 to < 0.01           > 100 to ≤ 1,000          > 99 to ≤ 99.9
1     ≥ 0.01 to < 0.1             > 10 to ≤ 100             > 90 to ≤ 99
0     Control (N/A)

For “Demand Mode” of operation

Failure Modes

With a safety system, the concern shouldn’t so much be with how the system operates, but rather how the system fails. Safety systems can fail in two ways:

Safe failures

– Initiating

– Overt

– Spurious

– Costly downtime

Dangerous failures

– Inhibiting

– Covert

– Potentially dangerous

– Must find by testing

D x U =


SIS Safety Requirements

ISA84 Section 10

• Develop the safety requirements specifications

– Definition of safe state of process

– Common cause failures

– Process inputs to SIS and trip points

– Process outputs from SIS and action required

– Functional logic required

– Response time requirements

– Manual shutdown

– Response action to a logic failure

– Human machine interface (HMI) requirements

– Reset functions

SIS Safety Requirements (cont’d)

ISA84 Section 10

• Determine the safety integrity requirements:

– The SIL of each function

– Reliability considerations if spurious trips may be hazardous


Shutdown Systems

• Also called:

– Interlocks, protective systems, safety systems, safety interlock systems (SIS), emergency shutdown systems (ESD)

• When should systems be separate? When they protect or ensure:

– Human life

– Equipment damage

– Environmental damage

– Product quality

– Equipment protection

– Insurability

Down Time vs. Repair Time

Figure: the down time bar spans Realization, Access, Diagnosis, Spares, Replace and Check; the shorter repair time bar spans only the steps after Realization.

• In some cases MDT and MTTR are the same

• In others they are very different

– The realization time may be the largest factor


Figures: Integrated SD (shutdown) System; Segregated SD System.


SIS Definitions

• All stuff fails.

• Some stuff fails and you know it right away, like a blowout or a blown fuse.

• Some stuff fails while in service, like a car battery. You learn about it when you ask for it to be used once again.

• In the SIS world, we characterize the statistics of the first type of failure with LAMBDAs for the safe failure rate.

• The second type of failure is covert and dangerous, since you have no warning that it has occurred. Here we use LAMBDAd for the dangerous failure rate.

SIS Definitions

• RRF – Risk Reduction Factor

• SIS – Safety Instrumented System an active independent layer of protection created by instrumentation

• SIF – Safety Instrumented Function example – on HIHI temperature shuts down the feeds and applies cooling

• SIL – Safety Integrity Level

• A SIL I design has an RRF characterized by 10 ≤ RRF < 100.

• A SIL II design has an RRF characterized by 100 ≤ RRF < 1,000.

• A SIL III design has an RRF characterized by 1,000 ≤ RRF < 10,000.

• A SIL IV design has an RRF characterized by 10,000 ≤ RRF < 100,000.


Safety Instrumented Systems

• For the SIS, there are two kinds of failures: those that fail dangerously and those that fail safe.

– Bad news: those that fail safe shut down your plant.

– Those that fail dangerous may not shut down your plant and, like a car battery that fails while the engine is running, you can’t tell that they happened.

• The SIS is there to protect you. We are after computing PFD, Probability of Failure on Demand, which is associated with LAMBDAd, the undetected unsafe failure of a device.

– LAMBDAd came out of Aero-Space and MIL Spec efforts. These tools have been used to evaluate design alternatives. They are well understood and accepted. Now we will use them in the process industry to design and maintain our SIS.

Bath Tub Curve

Figure: failure rate λ plotted against time; the flat, constant-λ region in the middle is the useful life of the device.

• Failure rate = # of failures / unit of time

• Constant failure rate assumed for normal life of device

• MTTF = 1 / failure rate

• MTTF and Life are not the same


Where do Failure Rates come from?

• Calculation techniques (MIL HDBK 217)

– “... a reliability prediction should never be assumed to represent the expected field reliability as measured by the user...” (MIL HDBK 217F, Paragraph 3.3)

• Predictions can then be made for:

– Components

– Modules

– Complete System

Class Example 1 - Failure Rate & MTTF

• 100 switches are checked annually

• 10 are found to be not working (i.e., suffered dangerous failures)

• What is the failure rate and MTTF?

Failure rate = # of failures / total time

= 10 failures / 100 switch-years

= 1 failure / 10 years


Class Example 1 - Failure Rate & MTTF (cont’d)

• Failure rates, however, are normally expressed as failures per hour; therefore, since 1 year = 8,760 hours, 1 failure / 10 years = 1 failure / 87,600 hours, which becomes 1.14 E-5 failures / hour

• MTTF (which is normally expressed in years) = 10 years

Review of Key Points

• Risk is the function of Frequency (Probability) and Severity (Consequences)

• Each Safety Instrumented Function (SIF) should be classified by a Safety Integrity Level (SIL)

• Safety Systems can fail in two ways – Safe and Dangerous Undetected

• There are several types of shutdown systems

• Reliability is of prime concern (mean time to fail and mean time to repair)

• There are four Safety Integrity Levels with values for Probability of Failure on Demand (PFD) and Risk Reduction Factor (RRF)


Live Question and Answer Session


Section 3: Safety System Implementation

• Role of reliability in implementation

• Safety logic and use of fault trees

• Systems applied to logic solving

• Safety Integrity Level (SIL)

• Probability of Failure on Demand (PFD)


Reliability Block Diagrams

• A graphical way to represent system operation/failure

Figure: blocks A and B in series, followed by the parallel pair C/D and the parallel pair E/F, followed by block G.

The system would fail if either A, B, or G individually failed, or if the combination of either C & D, or E & F failed

Reliability

We are after a consistent way to model our systems so that we can measure how good the design is. In addition, we wish to tie a feedback loop around the actual performance to determine if we have achieved what we set out to accomplish.

• Reliability/Availability

• Mean time to failure MTTF

• Mean time to repair MTTR

• Mean time between failures MTBF

• Failure modes


Hardware Availability

Availability = Uptime / Total Time

= Uptime / (Uptime + Downtime)

= MTTF / (MTTF + MDT)

where: MTTF = 1/λ

Many vendors substitute MTTR for MDT. This is only valid for safe failures!

Asafe = MTTFs / (MTTFs + MTTR)

Notes:

• This formula is only valid for simplex (non-redundant) systems

• Failure rates must be split between the two failure modes, safe and dangerous.



Hardware Safety Availability

• For dangerous faults, downtime must include not only the repair time, but the realization time - the time before you are even aware that a problem exists

• This can be represented by the test interval (TI)

Adang = MTTFd / (MTTFd + TI/2 + MTTR)

Notes:

• This formula is only valid for simplex (non-redundant) systems

• Failure rates must be split between the two failure modes
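The two availability formulas above, applied to the numbers of Class Example 1, as an added Python example that is not part of the ISA slides. The field data (10 of 100 switches found failed at the annual check) comes from the slides; the one-year test interval and the 8-hour repair time are constructed assumptions.

```python
"""Failure rate, MTTF and hardware availability for a simplex device.

Added example (not from the ISA slides). Part 1 reproduces Class Example 1
(10 of 100 switches found failed at the annual check). Part 2 applies the
two availability formulas from the Hardware Availability slides to show why
MTTR may replace MDT only for safe failures: a dangerous (covert) failure
sits undiscovered for, on average, half a test interval before repair.
"""

HOURS_PER_YEAR = 8760


def failure_rate_per_hour(failures: int, units: int, years: float) -> float:
    """Observed constant failure rate: failures / total unit-hours in service."""
    return failures / (units * years * HOURS_PER_YEAR)


def mttf_hours(lam: float) -> float:
    """Mean time to failure for a constant failure rate (MTTF = 1 / lambda)."""
    return 1.0 / lam


def safe_availability(mttf_s: float, mttr: float) -> float:
    """Asafe = MTTFs / (MTTFs + MTTR): an overt failure is repaired as soon
    as it occurs, so down time equals repair time (MDT == MTTR)."""
    return mttf_s / (mttf_s + mttr)


def dangerous_availability(mttf_d: float, ti: float, mttr: float) -> float:
    """Adang = MTTFd / (MTTFd + TI/2 + MTTR): a covert failure is only found
    at the next proof test, so down time adds the average realization time
    TI/2 to the repair time."""
    return mttf_d / (mttf_d + ti / 2 + mttr)


def class_example_1() -> dict:
    """Class Example 1: 100 switches checked annually, 10 found failed."""
    lam = failure_rate_per_hour(failures=10, units=100, years=1)
    return {
        "lambda_per_hour": lam,                          # ~1.14e-5 failures/hour
        "mttf_years": mttf_hours(lam) / HOURS_PER_YEAR,  # 10 years
    }


def availability_comparison(lam_d: float, ti: float, mttr: float) -> dict:
    """Availability of a device whose failures are dangerous (covert),
    computed correctly (MDT = TI/2 + MTTR) and with the vendor shortcut
    (MDT = MTTR), which overstates safety availability."""
    mttf_d = mttf_hours(lam_d)
    return {
        "correct": dangerous_availability(mttf_d, ti, mttr),
        "vendor_shortcut": safe_availability(mttf_d, mttr),
    }


if __name__ == "__main__":
    ex = class_example_1()
    print(f"lambda = {ex['lambda_per_hour']:.3e} /h, MTTF = {ex['mttf_years']:.1f} years")
    # Constructed assumptions: annual proof test (TI = 8760 h), 8-hour repair.
    cmp = availability_comparison(ex["lambda_per_hour"], ti=HOURS_PER_YEAR, mttr=8)
    print(f"Adang (TI/2 + MTTR) = {cmp['correct']:.4f}")
    print(f"A   (MTTR only)     = {cmp['vendor_shortcut']:.5f}")
```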

Reliability Block Diagram Math

• The math associated with RBDs is simply adding or multiplying probabilities

Figure: A and B in series; C and D in parallel.

You add probabilities of items in series

You multiply probabilities of items in parallel


Fault Trees

Fault tree elements correspond to reliability block diagram structure: an AND gate corresponds to parallel blocks, an OR gate to series blocks.

Fault Tree Examples

• Circles represent basic events

• Rectangular boxes serve as descriptions

Figure 1: top event “Power failure”, with basic events “Main power supply” and “Standby generator” (standby arrangement).

Figure 2: top event “Fire water deluge fails”, with basic events PSU, fire detector, fire panel and fire pump.


Simplex System Performance

Configuration   Safe     Dangerous
A (1oo1)        0.01     0.02

Dual System Performance

Per-channel probabilities (A, B): Safe 0.01, Dangerous 0.02

Configuration   Safe     Dangerous
1oo2            0.02     0.0004
2oo2            0.0001   0.04


Triple System Performance

Per-channel probabilities (A, B, C): Safe 0.01, Dangerous 0.02; the three channels feed a 2oo3 majority vote. For comparison with the earlier arrangements:

Configuration   Safe     Dangerous
1oo1            0.01     0.02
1oo2            0.02     0.0004
2oo2            0.0001   0.04
2oo3            0.0003   0.0012
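The simplex, dual and triple performance figures above, recomputed from the per-channel probabilities with the add-in-series, multiply-in-parallel rule, as an added Python example that is not from the ISA slides. It generalizes the slide's four cases to any MooN arrangement and includes the exact binomial value so the size of the rare-event approximation can be seen.

```python
"""Safe vs. dangerous failure probability of voted SIS architectures.

Added example (not from the ISA slides). It reproduces the Simplex, Dual and
Triple System Performance figures from the per-channel probabilities
(safe 0.01, dangerous 0.02) using the reliability-block-diagram rules:
failure probabilities of items in series add, items in parallel multiply.
"""
from __future__ import annotations

from math import comb

# Per-channel failure probabilities given on the slides.
P_SAFE = 0.01
P_DANGEROUS = 0.02


def voted_failure_probabilities(m: int, n: int,
                                p_safe: float = P_SAFE,
                                p_dang: float = P_DANGEROUS) -> tuple[float, float]:
    """Return (P_safe_failure, P_dangerous_failure) for an MooN arrangement.

    MooN trips when M of the N channels call for a trip, so:
      * a spurious (safe) trip needs M channels to fail safe: those M are in
        parallel (multiply), and there are C(N, M) such combinations (add);
      * losing the protection needs N-M+1 channels to fail dangerously:
        C(N, N-M+1) combinations of N-M+1 parallel failures.
    This is the slide's add/multiply rule, i.e. the rare-event approximation
    that neglects higher-order terms (fine when p << 1).
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    p_spurious = comb(n, m) * p_safe ** m
    k = n - m + 1
    p_loss = comb(n, k) * p_dang ** k
    return p_spurious, p_loss


def exact_at_least(k: int, n: int, p: float) -> float:
    """Exact P(at least k of n independent channels failed), binomial sum,
    for checking how good the add/multiply approximation is."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def performance_table() -> dict[str, tuple[float, float]]:
    """The four configurations on the slides: name -> (safe, dangerous)."""
    return {
        "1oo1": voted_failure_probabilities(1, 1),
        "1oo2": voted_failure_probabilities(1, 2),
        "2oo2": voted_failure_probabilities(2, 2),
        "2oo3": voted_failure_probabilities(2, 3),
    }


if __name__ == "__main__":
    print(f"{'Config':6} {'Safe':>10} {'Dangerous':>10}")
    for name, (ps, pd) in performance_table().items():
        print(f"{name:6} {ps:10.4f} {pd:10.4f}")
    # 1oo2 is the safest (lowest dangerous probability) but trips spuriously
    # most often; 2oo2 is the reverse; 2oo3 balances the two.
    print("exact 1oo2 spurious:", exact_at_least(1, 2, P_SAFE))  # 0.0199 vs 0.02
```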

Basic Reliability Formulas

Where:

λ = Failure rate

MTTR = Mean Time To Repair

TI = Test Interval

s = Safe failure

du = Dangerous undetected failure

Configuration   MTTFsp                    PFD
1oo1            1 / λs                    λdu × (TI/2)
1oo2            1 / (2 λs)                ((λdu)² × (TI)²) / 3
2oo2            1 / (2 (λs)² × MTTR)      λdu × TI
2oo3            1 / (6 (λs)² × MTTR)      (λdu)² × (TI)²

Note: These formulas are valid as long as λ << TI
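The MTTFsp and PFD formulas from the Basic Reliability Formulas table, together with the Safety Integrity Levels table, as an added Python example that is not from the ISA slides. The channel it evaluates (λs = 5e-6/h, λdu = 2e-6/h, annual proof test, 8-hour MTTR) is constructed, and the check that λdu·TI is small is my reading of the note's validity condition.

```python
"""PFD, spurious-trip MTTF and SIL band for the voted configurations.

Added example (not from the ISA slides). It encodes the Basic Reliability
Formulas slide (MTTFsp and PFD for 1oo1, 1oo2, 2oo2, 2oo3) and the Safety
Integrity Levels table, and evaluates one constructed channel in each
arrangement. Units follow the slides: rates in failures/hour, TI and MTTR
in hours.
"""
from __future__ import annotations

from dataclasses import dataclass

HOURS_PER_YEAR = 8760
CONFIGS = ("1oo1", "1oo2", "2oo2", "2oo3")


@dataclass(frozen=True)
class Channel:
    lambda_s: float   # safe failure rate (failures/hour)
    lambda_du: float  # dangerous undetected failure rate (failures/hour)


def pfd(config: str, lambda_du: float, ti: float) -> float:
    """Average probability of failure on demand, per the slide formulas."""
    x = lambda_du * ti
    if config == "1oo1":
        return x / 2
    if config == "1oo2":
        return x ** 2 / 3
    if config == "2oo2":
        return x
    if config == "2oo3":
        return x ** 2
    raise ValueError(f"unknown configuration {config!r}")


def mttf_spurious(config: str, lambda_s: float, mttr: float) -> float:
    """Mean time to a spurious (safe) trip, per the slide formulas."""
    if config == "1oo1":
        return 1 / lambda_s
    if config == "1oo2":
        return 1 / (2 * lambda_s)
    if config == "2oo2":
        return 1 / (2 * lambda_s ** 2 * mttr)
    if config == "2oo3":
        return 1 / (6 * lambda_s ** 2 * mttr)
    raise ValueError(f"unknown configuration {config!r}")


def sil_from_pfd(value: float) -> int:
    """SIL band from the demand-mode table (0 = control, not a SIF)."""
    if 1e-5 <= value < 1e-4:
        return 4
    if 1e-4 <= value < 1e-3:
        return 3
    if 1e-3 <= value < 1e-2:
        return 2
    if 1e-2 <= value < 1e-1:
        return 1
    return 0


def evaluate(config: str, ch: Channel, ti: float, mttr: float) -> dict:
    """PFD, RRF (= 1/PFD), SIL band and MTTFsp in years for one arrangement."""
    # Validity check from the slide's note, read here as lambda_du * TI << 1
    # (an assumption about the intended condition).
    if ch.lambda_du * ti > 0.1:
        raise ValueError("formulas assume a small lambda_du * TI")
    p = pfd(config, ch.lambda_du, ti)
    return {
        "pfd": p,
        "rrf": 1 / p,
        "sil": sil_from_pfd(p),
        "mttf_spurious_years": mttf_spurious(config, ch.lambda_s, mttr) / HOURS_PER_YEAR,
    }


if __name__ == "__main__":
    # Constructed channel: lambda_s = 5e-6/h, lambda_du = 2e-6/h, annual
    # proof test (TI = 8760 h), 8-hour repairs.
    ch = Channel(lambda_s=5e-6, lambda_du=2e-6)
    for cfg in CONFIGS:
        r = evaluate(cfg, ch, ti=HOURS_PER_YEAR, mttr=8)
        print(f"{cfg}: PFD={r['pfd']:.2e} RRF={r['rrf']:.0f} SIL{r['sil']} "
              f"MTTFsp={r['mttf_spurious_years']:.1f} y")
```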


Summary: Reliability

• Reliability/Availability

• Mean time to failure MTTF

• Mean time to repair MTTR

• Mean time between failures MTBF

• Failure modes

Probability Theory Applied to the SIS

• We will break the SIS into its respective pieces.

• Each independent of each other.

• Our goal is to understand how improving the LAMBDAd of a major piece, either by adding better devices, more devices, voting, etc., will improve the SIS performance.

• Using this tool, we can say that one design is better than another, and by how much, and we can use the mathematics to calculate an ROI on improvements to the RRF.


SIS Block Diagram

Input (LAMBDAd) → Logic (LAMBDAd) → Output (LAMBDAd)

These are the independent major pieces. Each has its own LAMBDAd.


Safety Integrity Levels (SIL)

• Safety Integrity Levels are defined in ANSI/ISA-84.00.01 with performance requirements.

• There are four SILs defined with the corresponding Probability of Failure on Demand (PFD).

• The Risk Reduction Factor (RRF) is the reciprocal value of PFD (1/PFD).

• The Safety Integrity Level of a system is based on the reliability data on all the components involved.

How to Calculate the PFD of an SIS

• For our process systems the model uses the equation:

PFD = Probability of Failure on Demand


SIL Performance Requirements

• SIL 4 – Safety Availability: 99.9 – 99.999%; PFD: .0001 – .00001; RRF: 10,000 – 100,000

• SIL 3 – Safety Availability: 99.9 – 99.99%; PFD: .001 – .0001; RRF: 1,000 – 10,000

• SIL 2 – Safety Availability: 99 – 99.9%; PFD: .01 – .001; RRF: 100 – 1,000

• SIL 1 – Safety Availability: 90 – 99%; PFD: .1 – .01; RRF: 10 – 100

Review of Key Points

• Mean Time To Fail (MTTF) is the inverse of the Failure Rate, Lambda (λ)

• Instrument Availability is key to an operational safety system

• The Test Interval (TI) must be used in the calculations for PFD

• Reliability Block Diagrams (RBD) and Fault Trees may be used to depict safety logic

• The failure rates of the input device, logic solver, and output device must be combined to determine the system failure rate

• There are advantages and disadvantages of Simplex, Duplex, and Triple function arrangements

• Each circumstance and application will require a specific SIL


Live Question and Answer Session


How Many People Are at Your Site?

• Poll Slide

• Click on the appropriate number indicating the number of people that are at your site.


Sample Exam Problem - #1

• When considering a safety instrumented system, which of the following configurations is the safest (i.e., the one most likely to respond to a true demand)?

a. 1 out of 1

b. 1 out of 2

c. 2 out of 2

d. 2 out of 3

Sample Exam Problem - #2

• Shutdown systems are known by many different names and serve various functions in the plant operation. A safety instrumented system protects against all the situations below except _________.

a. Personnel safety

b. Environmental damage

c. Excessive alarms

d. Equipment destruction


Sample Exam Problem - #3

• There are many factors to consider in designing safety systems for protection of personnel and equipment. The RISK of the system is a function of which two factors listed below:

I. Probability of an event

II. Cost of the system event

III. Classification of the area of the event

IV. Severity of an event

a. I and II

b. III and IV

c. I and IV

d. II and III

Sample Exam Problem - #4

• A SIL 3 interlock, RRF = 1250, is required to mitigate a Category I hazard to Category III. If the covert failure rates of the SIS loop components are as follows, recommend a test frequency:

Inputs = 1.0 × 10^-5/hr

Logic solver = 7 × 10^-10/hr

Valves = 3.0 × 10^-5/hr

a. Once every 40 hours

b. Once every 80 hours

c. Once every 336 hours

d. Once every 600 hours
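A worked treatment of Sample Exam Problem #4 with the 1oo1 PFD formula from the Basic Reliability Formulas slide, as an added Python example that is not from the ISA slides and is not the official answer key (the page does not give one). It assumes the loop is evaluated as a simplex (1oo1) arrangement whose component covert rates are in series and therefore add.

```python
"""Sample Exam Problem #4 worked with the slide formulas.

Added example (not from the ISA slides; not the official answer key). It
applies the 1oo1 relation PFD = lambda_du * TI / 2 from the Basic
Reliability Formulas slide to the loop in the problem: the covert
(dangerous undetected) rates of inputs, logic solver and valves are in
series, so they add, and the target PFD follows from RRF = 1 / PFD.
"""
from __future__ import annotations

# Covert failure rates from the problem statement (failures/hour).
LOOP_LAMBDA_DU = {
    "inputs": 1.0e-5,
    "logic_solver": 7e-10,
    "valves": 3.0e-5,
}
TARGET_RRF = 1250.0
OPTIONS_HOURS = (40, 80, 336, 600)  # the four answer choices


def loop_lambda_du(rates: dict[str, float] = LOOP_LAMBDA_DU) -> float:
    """Series elements: the loop's dangerous undetected rate is the sum."""
    return sum(rates.values())


def pfd_1oo1(lambda_du: float, ti_hours: float) -> float:
    """Average PFD of a simplex loop proof-tested every TI hours."""
    return lambda_du * ti_hours / 2


def max_test_interval(lambda_du: float, target_rrf: float) -> float:
    """Longest TI (hours) still meeting the target: TI = 2 / (RRF * lambda_du)."""
    return 2 / (target_rrf * lambda_du)


def rrf_for_options(lambda_du: float, options=OPTIONS_HOURS) -> dict[int, float]:
    """RRF achieved at each offered test interval."""
    return {ti: 1 / pfd_1oo1(lambda_du, ti) for ti in options}


def closest_option(lambda_du: float, target_rrf: float, options=OPTIONS_HOURS) -> int:
    """Offered interval nearest to the computed maximum TI."""
    ti_max = max_test_interval(lambda_du, target_rrf)
    return min(options, key=lambda ti: abs(ti - ti_max))


if __name__ == "__main__":
    lam = loop_lambda_du()
    ti_max = max_test_interval(lam, TARGET_RRF)
    print(f"loop lambda_du = {lam:.5e} /h")
    print(f"target PFD = {1 / TARGET_RRF:.1e}  (SIL 3 band: 1e-4 <= PFD < 1e-3)")
    print(f"max test interval = {ti_max:.2f} h -> nearest option: "
          f"{closest_option(lam, TARGET_RRF)} h")
    for ti, rrf in rrf_for_options(lam).items():
        print(f"  test every {ti:3d} h: RRF = {rrf:8.1f}")
    # The logic solver's 7e-10/h is negligible next to the field devices, so
    # the inputs and valves dominate the required test frequency.
```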


Related Courses from ISA

• Safety Instrumented Systems: Design, Analysis & Justification (EC50)

• All ISA courses are available any time as on-site training

• For more information: www.isa.org/training or (919) 549-8411

Other Related Resources from ISA

• Control Systems Engineering Study Guide, 5th Edition by ISA Press

• The ISA84.00.02–2002 (Parts 1-5) Safety Instrumented Functions (SIF) and Safety Integrity Level (SIL) Evaluation Techniques


Other Related Resources from ISA

• ISA Membership is just $100 per year, which includes free membership in two Technical Divisions (a $20 value) - one from each Department: Automation and Technology and Industries and Sciences.

– For more information: http://www.isa.org/membership/meminfo or (919) 549-8411

ISA Certifications

• Certified Automation Professionals ® (CAP ®)

– www.isa.org/CAP

• Certified Control Systems Technician® (CCST®)

– www.isa.org/CCST

• Please visit us online for more information on any of these programs, or call (919) 549-8411.


Please take our Web Seminar Survey via Zoomerang

The seminar survey was sent to you via email during the seminar. Please do not forget to complete the Zoomerang survey.