Safety life cycle seminar IEC61511


Transcript of Safety life cycle seminar IEC61511

Page 1: Safety life cycle seminar IEC61511

Luis Avila

Functional Safety Engineer TUV #

Safety Life Cycle Seminar for the Process Industry Sector

Page 3: Safety life cycle seminar IEC61511

…and we have different levels of risk tolerance

Page 4: Safety life cycle seminar IEC61511

Figure: elements of personal safety, occupational safety and process safety

Personal safety / occupational safety: Fall Prevention, Personal Protective Equipment, Structural Design, Ergonomics, Work Schedules, Total Recordables

Process safety: Employee Training, Mechanical Integrity, Management of Change, Policies & Procedures, Inherently Safer Design, Functional Safety, Risk Assessments, Facility Siting, Emergency Response, Safety Audits

Page 5: Safety life cycle seminar IEC61511

Process safety elements: Employee Training, Mechanical Integrity, Management of Change, Policies & Procedures, Inherently Safer Design, Functional Safety, Risk Assessments, Facility Siting, Emergency Response, Safety Audits

Page 6: Safety life cycle seminar IEC61511

Bhopal, India, 1984

Chernobyl, Russia, 1986

Piper Alpha, UK, 1988

Texas City Refinery, USA, 2004

Why do accidents happen?

Page 7: Safety life cycle seminar IEC61511

“You can have a very good accident rate for ‘hard hat’ accidents but not for process ones.”

Page 8: Safety life cycle seminar IEC61511

“The fact that you’ve had 20 years without a catastrophic event is no guarantee that there won’t be one tomorrow.”

Page 9: Safety life cycle seminar IEC61511

Process safety elements: Employee Training, Mechanical Integrity, Management of Change, Policies & Procedures, Inherently Safer Design, Risk Assessments, Facility Siting, Emergency Response, Safety Audits, Functional Safety (highlighted)

Page 10: Safety life cycle seminar IEC61511

Functional safety vocabulary: IEC 61511, PFDavg, LOPA, RRF, SIS, HAZOP, SRS, PHA, IEC 61508, FMEDA, BPCS, SIL, SIF

Page 11: Safety life cycle seminar IEC61511

The purpose of Process safety management is to reduce the frequency and severity of potentially catastrophic chemical accidents

Page 12: Safety life cycle seminar IEC61511

For product designers and manufacturers:

IEC 61508: All Industries

For system designers, integrators and users:

IEC 61511: Process Industry Sector

IEC 62061: Machinery Sector

IEC 61513: Nuclear Sector

ISA 84.01 mirrors IEC 61511

Page 13: Safety life cycle seminar IEC61511
Page 14: Safety life cycle seminar IEC61511

Source: http://www.wordle.net/show/wrdl/2276332/IEC_61511

Page 16: Safety life cycle seminar IEC61511

BPCS

• Basic Process Control System

• Also: DCS, PAS

• PID Control

• Discrete control

• Sequencing

• Batch automation

• Dynamic

Figure: BPCS loop with transmitter, controller, control element and workstation

Page 17: Safety life cycle seminar IEC61511

Figure: SIS loop with transmitter, logic solver and final element

SIS

• Safety Instrumented System

• Emergency Shutdown (ESD)

• Burner Management System (BMS)

• Fire & Gas System (FGS)

A Safety Instrumented System (SIS) is defined as an instrumented system used to implement one or more safety instrumented functions (SIF), composed of any combination of sensor(s), logic solver(s) and final element(s). These systems are designed to take action to bring the equipment under control to a safe state when a process is beyond the range of normal operating limits and other layers of control, including operators and the basic process control system (BPCS), are unable to keep the process within safe operating limits.

Page 18: Safety life cycle seminar IEC61511

ICSS (Integrated Control and Safety System): BPCS and SIS

Page 19: Safety life cycle seminar IEC61511

Safety function | Process conditions | What to do | SIL

SIF #1 | High level | Drive output 1 | 1

SIF #2 | High pressure | Drive outputs 1 + 2 | 3

Figure: SIF #1 and SIF #2 diagram

Page 20: Safety life cycle seminar IEC61511

PHA

• Identify hazards

• Evaluate safeguards

SRS

• Define SIF’s

• Define SIL for each SIF

Design

• Specify devices

• Design architecture

Verify

• Verify SIL meets SRS

Page 21: Safety life cycle seminar IEC61511

PHA

HAZOP

What If?

Checklist

FMEA

Fault Tree

Event Tree

LOPA

Page 22: Safety life cycle seminar IEC61511

SIL | General description

4 | Catastrophic community impact

3 | Employee & community impact

2 | Major Property and Production Impact; Possible Injury to Employee

1 | Minor Property and Production Impact

Page 23: Safety life cycle seminar IEC61511

PFD_SIF1 = PFD_PT-101 + PFD_logic solver + PFD_FV-101

Figure: SIF #1 loop: PT-101 → Logic solver → FV-101

Page 24: Safety life cycle seminar IEC61511

SIL | PFDavg | RRF

4 | ≥10^-5 to <10^-4 | >10,000 to ≤100,000

3 | ≥10^-4 to <10^-3 | >1,000 to ≤10,000

2 | ≥10^-3 to <10^-2 | >100 to ≤1,000

1 | ≥10^-2 to <10^-1 | >10 to ≤100

Source: IEC 61511-1, Table 3 – Safety Integrity Levels: probability of failure on demand
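The two preceding slides together give the whole SIL verification step: sum the element PFDs of a SIF (PFD_SIF1 = PFD_PT-101 + PFD_logic solver + PFD_FV-101) and read the achieved SIL and RRF off Table 3. The following is an added example, not code from the seminar or the standard; the component PFD values for PT-101, the logic solver and FV-101 are constructed sample inputs, and the function names are mine.

```python
# Added example; not code from the seminar slides. Applies the slide's
# PFD_SIF1 = PFD_PT-101 + PFD_logic solver + PFD_FV-101 sum and the
# IEC 61511-1 Table 3 bands reproduced above. The component PFD values are
# constructed sample inputs, not data for any real device.

from typing import Dict, Optional

# IEC 61511-1 Table 3 as shown on the slide: SIL -> [lower, upper) band of PFDavg.
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}

# Constructed sample SIF: a pressure transmitter, a logic solver and a valve.
SIF1 = {
    "PT-101": 2.0e-3,
    "logic solver": 1.0e-4,
    "FV-101": 4.0e-3,
}


def sif_pfd(component_pfds: Dict[str, float]) -> float:
    """First-order series combination used on the slide: the SIF fails on
    demand if any one of its elements fails, so the element PFDs are summed."""
    for tag, pfd in component_pfds.items():
        if not 0.0 <= pfd <= 1.0:
            raise ValueError(f"{tag}: PFD {pfd} is not a probability")
    return sum(component_pfds.values())


def risk_reduction_factor(pfd: float) -> float:
    """RRF is the reciprocal of PFDavg (the RRF column of the table)."""
    return 1.0 / pfd


def sil_from_pfd(pfd: float) -> Optional[int]:
    """SIL whose band contains pfd; None when pfd lies outside the four bands
    (PFD >= 0.1 claims no SIL, PFD < 1e-5 is beyond the table)."""
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= pfd < upper:
            return sil
    return None


def weakest_element(component_pfds: Dict[str, float]) -> str:
    """The element contributing the most PFD: the first place to look when
    the SIF misses the SIL required by the SRS."""
    return max(component_pfds, key=component_pfds.get)


def evaluate_sif(component_pfds: Dict[str, float], target_sil: int) -> dict:
    """Summarise whether a SIF meets its target SIL (the 'Verify SIL meets SRS' step)."""
    pfd = sif_pfd(component_pfds)
    achieved = sil_from_pfd(pfd)
    return {
        "pfd_avg": pfd,
        "rrf": risk_reduction_factor(pfd),
        "achieved_sil": achieved,
        "meets_target": achieved is not None and achieved >= target_sil,
        "weakest_element": weakest_element(component_pfds),
    }


if __name__ == "__main__":
    for target in (2, 3):
        print(f"SIF #1 against SIL {target}:", evaluate_sif(SIF1, target))
```

With the sample values the SIF sums to a PFDavg of 6.1 × 10^-3, which sits in the SIL 2 band (RRF about 164); a SIL 3 target would fail, and the valve FV-101 is the element to improve first because it contributes most of the PFD.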

Page 25: Safety life cycle seminar IEC61511

Functional safety vocabulary: IEC 61511, PFDavg, LOPA, RRF, SIS, HAZOP, SRS, PHA, IEC 61508, FMEDA, BPCS, SIL, SIF, TÜV

Page 26: Safety life cycle seminar IEC61511
Page 27: Safety life cycle seminar IEC61511

Safety Lifecycle Management

Page 28: Safety life cycle seminar IEC61511

The IEC 61511 Safety lifecycle

Page 29: Safety life cycle seminar IEC61511

Safety Lifecycle Management

Page 30: Safety life cycle seminar IEC61511

Functional Safety Management

Page 31: Safety life cycle seminar IEC61511

Safety Management System

Organization and resources

Risk evaluation and risk management

Planning

Implementation and monitoring

Assessment, auditing and revisions

Configuration management

Page 32: Safety life cycle seminar IEC61511

Safety Management System

The SMS should address the following:

Functional safety management

Safety organization

Safety leadership team

SIS management team

Project leadership

Safety audit and revision

Competency policy

Safety lifecycle

Supporting processes

Selection and approval of contractors

Selection and approval of supplier equipment

Selection and approval of safety tools

Safety modification process.

Page 33: Safety life cycle seminar IEC61511

Safety Management System / Quality Management System

• Organization and responsibilities

• Competency management

• Documentation structure and control

• Configuration management

• Supplier assessment process

Page 34: Safety life cycle seminar IEC61511

Organization and Responsibilities

Safety Leadership Team

• Responsible for functional safety policies and procedures

Safety Management Team

• Responsible for ensuring that policies and procedures are implemented by the organization

Project Leadership

• Responsible for functional safety management on projects

Safety Roles

• Competent personnel doing work on SIS

Page 35: Safety life cycle seminar IEC61511

Competency Requirements

Figure: competency requirements are set per safety role and its safety activities, covering management & leadership skills, experience, and knowledge & training

Page 36: Safety life cycle seminar IEC61511
Page 37: Safety life cycle seminar IEC61511

• Verification: of each activity / phase

• Validation: of the installed and commissioned SIS

• Assessment: of the overall process risk

• Audit: of procedures, policies and processes

Figure: Safety Management System, Safety Requirements Specification, activity / phase objectives and Process Hazards Analysis as the references each check is made against

Page 38: Safety life cycle seminar IEC61511

Verify

Page 39: Safety life cycle seminar IEC61511

Source: IEC 61511-1, Figure 12 – Software development lifecycle (the V-Model)

Page 40: Safety life cycle seminar IEC61511

Functional safety assessment

Hazard and risk assessment is carried out.

PHA recommendations are implemented.

Design change procedures are in place and implemented.

Recommendations from the previous assessment are resolved.

SIS is properly validated against the SRS.

Procedures are in place for the Operate phase.

Employees are trained.

Future assessment plans are in place.

Page 41: Safety life cycle seminar IEC61511

Safety Life-cycle Structure and Planning

Page 42: Safety life cycle seminar IEC61511

Safety Lifecycle Planning

Figure: planning defines the criteria, techniques, measures and procedures used to ensure safety

Page 43: Safety life cycle seminar IEC61511

Verification Planning

Who?

• Responsible parties

• Levels of independence

What?

• Verification activities

• Items to be verified

• Information to be verified against

When?

• At which points verification will occur

How?

• Procedures, measures, techniques to be used

• Non-conformance management

• Tools and supporting analysis

Page 44: Safety life cycle seminar IEC61511

Safety life-cycle structure

Page 45: Safety life cycle seminar IEC61511
Page 46: Safety life cycle seminar IEC61511

Analysis Phase

Page 47: Safety life cycle seminar IEC61511
Page 48: Safety life cycle seminar IEC61511

Hazard and risk assessment

Allocation of safety functions to protection layers

Source: IEC 61511-3, Figure 4 – Risk and safety integrity concepts

Page 49: Safety life cycle seminar IEC61511

Source: IEC 61511-3, Figure 2

Page 50: Safety life cycle seminar IEC61511

Figure: layers of protection, from prevention to mitigation

Prevent:

Process control layer: BPCS, operator intervention on a process alarm

Safety layer: SIS / Emergency Shutdown System, acting on a trip level alarm

Mitigate:

Active protection layer: Fire and Gas System

Passive protection layer: Containment, Dike/Vessel

Emergency response layer: Plant and Emergency Response

Figure: process value over time: normal behavior → process alarm (operator intervention) → trip level alarm (emergency shutdown) → incident

Page 51: Safety life cycle seminar IEC61511

Figure: risk graph (Consequence vs Likelihood) with Unacceptable Risk Region, ALARP Risk Region and Negligible Risk Region. Starting from the Inherent Risk of the Process (Baseline Risk), Non-SIS Preventative Safeguards and Non-SIS Mitigating Safeguards lower the Overall Risk; SIS Risk Reduction (SIL 1, SIL 2, SIL 3) lowers the Overall Risk further.

Page 52: Safety life cycle seminar IEC61511

As low as reasonably practicable (ALARP)

Figure: risk tolerability bands

Intolerable Risk: above 10^-3 per man-year (worker), 10^-4 per year (public)

ALARP or Tolerable Risk Region: between the two limits

Negligible Risk: below 10^-5 per man-year (worker), 10^-6 per year (public)

Page 53: Safety life cycle seminar IEC61511

Government mandates for tolerable risk levels

Figure: bar chart on a logarithmic scale from 10^-2 to 10^-9 per year, with bars for Australia (NSW), Hong Kong, Netherlands and United Kingdom

The United States does not set tolerable risk levels, or offer guidelines.

Page 54: Safety life cycle seminar IEC61511

Chemical industry benchmarks for tolerable risk

Figure: bar chart on a logarithmic scale from 10^-2 to 10^-9 per year, with bars for Company I, Company II, Company III and Small companies

Large, multinational chemical companies tend to set levels consistent with international mandates

Smaller companies tend to operate in wider ranges and, implicitly, at higher levels of risk

Page 55: Safety life cycle seminar IEC61511

Quantitative Risk Assessment

• Time consuming

• Resource intensive

• Complex, difficult to use

• Can produce same results via qualitative analysis

• More rigorous

• Least conservative

• Good for complex scenarios

• Better quantification of incremental protection layers

Page 56: Safety life cycle seminar IEC61511

Qualitative Risk Assessment

• High subjectivity

• Inconsistent results

• Hard to document rationale

• Not much resolution between protection layers

• Easy to use

• Good for subjective consequence assessment

• Good for screening and categorizing hazards

• Team approach provides better evaluations

Page 57: Safety life cycle seminar IEC61511

Risk Reduction

Risk is reduced in one of two ways

Prevention – Reducing the likelihood of a risk

No smoking policies enforced around gasoline pumps reduce the likelihood of a fire, but don’t change the consequence of a fire

Mitigation – Reducing the consequence of a risk

Fire insurance reduces the financial consequence of a fire, but does nothing to change the likelihood of a fire

Either prevention or mitigation will reduce risk. A combination of both might be more effective than either alone

Page 58: Safety life cycle seminar IEC61511

Prevention – Reducing likelihood

Avoidance – Avoiding a hazardous activity altogether

Simplification – Minimizing or eliminating the chances for human error or equipment failure.

Substitution – Replacing process chemicals, technology or process equipment with less hazardous options

Primary containment – Using equipment designed or built to higher codes or standards

Process Control – Using automated procedures and control systems to reduce or limit the demands on the process

Detection and suppression – Providing independent active systems which override the normal process when unsafe conditions are detected

Page 59: Safety life cycle seminar IEC61511

Mitigation – Reducing Consequence

Reduction – Reducing the amount of hazardous chemical used or stored in the process, and reducing the number of dangerous pieces of equipment in use

Dilution – Operating with large volumes of reduced concentrations so that the outcome of a release will be less intense.

Intensification – Operating at more intense conditions so that rates can be maintained with less chemical in the process.

Secondary containment – Using systems capable of capturing and holding releases until they can be safely treated.

Emergency Response – Providing training, plans and capabilities for plant staff, public safety personnel and the general public to react appropriately to a hazardous event

Page 60: Safety life cycle seminar IEC61511

Hazard and Risk Assessment

Objective: This assessment is conducted to identify hazards and hazardous events of the process and associated equipment, process risks, requirements for risk reduction, and safety functions necessary to achieve an acceptable level of risk.

Outputs: A description of the hazards, of the required safety function(s), and of the associated risks, including:

Identified hazardous events and contributing factors

Consequences and likelihood of the event

Consideration of operational conditions (startup, normal, shutdown)

Required risk reduction to achieve required safety

References and assumptions

Allocation of safety functions to layers of protection

Identified safety functions as SIFs.

Responsibility: Process Manufacturer

Page 61: Safety life cycle seminar IEC61511

PHA

HAZOP

What If?

Checklist

FMEA

Fault Tree

Event Tree

LOPA

Process Hazards and Risk Assessment Methods

Page 62: Safety life cycle seminar IEC61511

Fault Tree to Calculate Fault Prob

Page 63: Safety life cycle seminar IEC61511

Calculate the Prob of independent OR gate

Page 64: Safety life cycle seminar IEC61511

Calculate the Probability of the AND gate

Page 65: Safety life cycle seminar IEC61511

Calculating the Probability of AND gate
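The fault-tree slides above cover how an OR gate and an AND gate combine the probabilities of independent inputs. The following is an added example, not code from the seminar: a small evaluator for a tree built from such gates, with a tree and event probabilities that are constructed for illustration (loosely modelled on the high-pressure row of the HAZOP example later in the deck), and class and function names that are mine.

```python
# Added example; not code from the seminar slides. Evaluates a small fault
# tree whose gates combine independent events, as the OR gate and AND gate
# slides describe. The tree and every probability in it are constructed for
# illustration; they are not figures from the seminar.

import math
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    probability: float  # probability the event occurs (e.g. per demand)

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: {self.probability} is not a probability")


@dataclass(frozen=True)
class Gate:
    kind: str    # "AND" or "OR"
    name: str
    inputs: tuple  # of BasicEvent or Gate


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Exact probability of a node, assuming all basic events are independent."""
    if isinstance(node, BasicEvent):
        return node.probability
    inputs = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        # All inputs must occur.
        return math.prod(inputs)
    if node.kind == "OR":
        # At least one input occurs: 1 - P(none of them occurs).
        return 1.0 - math.prod(1.0 - p for p in inputs)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def rare_event_or(node: Gate) -> float:
    """Rare-event approximation for an OR gate (sum of the inputs); shows how
    much the shortcut overstates the exact value when inputs are not small."""
    return sum(probability(child) for child in node.inputs)


# Constructed tree: a release occurs only if an initiating cause occurs
# AND the operator response AND the deluge system both fail.
INITIATORS = Gate("OR", "high pressure", (
    BasicEvent("high level from BPCS failure", 0.10),
    BasicEvent("external fire", 0.01),
))
TOP = Gate("AND", "release to environment", (
    INITIATORS,
    BasicEvent("operator fails to act on alarm", 0.10),
    BasicEvent("deluge system fails", 0.05),
))


def top_event_probability() -> float:
    return probability(TOP)


if __name__ == "__main__":
    print(f"P(high pressure) exact      = {probability(INITIATORS):.5f}")
    print(f"P(high pressure) rare-event = {rare_event_or(INITIATORS):.5f}")
    print(f"P(top event)                = {top_event_probability():.6f}")
```

The OR gate evaluates to 1 − (0.9 × 0.99) = 0.109 rather than the 0.11 the rare-event sum gives; the AND gate then multiplies that by the two safeguard failure probabilities, giving 5.45 × 10^-4 for the top event.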

Page 66: Safety life cycle seminar IEC61511

Item | Deviation | Causes | Consequences | Safeguards | Action

Vessel | High level | Failure of BPCS | High pressure | Operator |

| High pressure | 1) High level; 2) External fire | Release to environment | 1) Alarm operator, protection layer; 2) Deluge system | Evaluate conditions for release to environment

| Low / no flow | Failure of BPCS | No consequence of interest | |

| Reverse flow | | No consequence of interest | |

Page 67: Safety life cycle seminar IEC61511

Qualitative risk analysis – Safety layer matrix

SIL requirement by consequence severity category, consequence frequency category (Low / Med / High) and number of non-SIS protection layers (1, 2, 3); "-" marks a cell left blank on the slide:

Severity | 1 layer: Low, Med, High | 2 layers: Low, Med, High | 3 layers: Low, Med, High

Extensive | 3, 3, 3* | 1, 2, 3 | -, 1, 1

Serious | 1, 2, 3 | -, 1, 2 | -, -, -

Minor | -, 1, 2 | -, -, 1 | -, -, -

Page 68: Safety life cycle seminar IEC61511

Process Industry I/O by Safety Integrity Level

SIL 1: 51%

SIL 2: 32%

SIL 3: 8%

SIL 4: 1%

No SIL: 8%

Source: Exida Safety and Critical Control Systems in Process and Machine Automation July 2007

Page 69: Safety life cycle seminar IEC61511

Safety Requirement Specification

Page 70: Safety life cycle seminar IEC61511

Safety Requirement Specification

The SRS specifies the requirements for the SIS in terms of the required safety instrumented functions in order to achieve the required functional safety.

Responsibility: Process manufacturer with support from the engineering contractor and/or SIS supplier

Page 71: Safety life cycle seminar IEC61511

The SRS should include:

Identified all SIFs necessary for required functional safety

Identified common cause failures

Defined safe state for each SIF (normally energized, normally de-energized)

Demand rate for SIFs

Proof test intervals

Response time required

SIL for each SIF

SIS process measurements and trip points

SIS process outputs for successful operation

Relationship of inputs, outputs and logic required

Manual shutdown, overrides, inhibits and bypass requirements

Starting up and resetting of SIS

Allowable spurious trip rate

SIF requirements for each operational mode

Mean time to repair for SIS

Identified dangerous combinations of SIS output states

Identified extreme environmental conditions

Identified normal and abnormal modes and requirements for SIS to survive a major event.

Page 72: Safety life cycle seminar IEC61511

Primary Causes of SIS Failure

44% Specification

14% Design & Implementation

6% Installation & Commissioning

15% Operation and Maintenance

21% Changes after Commissioning

Source: Health and Safety Executive Agency (USA)

Page 73: Safety life cycle seminar IEC61511
Page 74: Safety life cycle seminar IEC61511

Implementation Phase

Page 75: Safety life cycle seminar IEC61511

Implementation Phase

Page 76: Safety life cycle seminar IEC61511

Implementation Phase

Page 77: Safety life cycle seminar IEC61511

Design and Engineering of the Safety Instrumented System

Select technology

Select architecture

Determine test philosophy

Reliability evaluation

Detailed design

Iterate if requirements are not met.

Page 78: Safety life cycle seminar IEC61511

Technology selection

Select technology

Select architecture

Determine test philosophy

Reliability evaluation

Detailed design

Sensors

– Analog vs. discrete signal

– Smart vs. conventional transmitter

– Certified vs. proven-in-use

Page 79: Safety life cycle seminar IEC61511

SIS Design and Engineering

Page 80: Safety life cycle seminar IEC61511

Sensor Sales by Measurement Type

Pressure: 50%

Temperature: 13%

Flow: 8%

Level: 8%

Fire and Gas: 21%

Page 81: Safety life cycle seminar IEC61511

Figure: SIS application? Two routes to an accepted device PFD: Certified (manufacturer proves it’s safe) or Prior-Use (user proves it’s safe)

Page 82: Safety life cycle seminar IEC61511

Technology selection

Select technology

Select architecture

Determine test philosophy

Reliability evaluation

Detailed design

Logic solver

– Relays vs. PLC vs. Safety PLC

– HART I/O vs. conventional analog

– Centralized vs. modular

– Integrated vs. Standalone

Page 83: Safety life cycle seminar IEC61511
Page 84: Safety life cycle seminar IEC61511

Figure: logic solver architectures 1oo2, 2oo3, 2oo2, 1oo2D, 2oo4

Safety PLC (SIS Logic Solver)

Centralized Logic Solver

– 100’s of SIF’s in one box.

– Good for large projects.

– Single point of failure.

Modular Logic Solver

– Isolates SIF’s

– Scalable for large & small projects

– Eliminates single point of failure.

Page 85: Safety life cycle seminar IEC61511

Source: ARC Advisory Group

Page 86: Safety life cycle seminar IEC61511

Technology selection

Select technology

Select architecture

Determine test philosophy

Reliability evaluation

Detailed design

Final element

– Solenoid vs. DVC

– Automated vs. manual diagnostics

– Response time considerations

Page 87: Safety life cycle seminar IEC61511

Figure: PFD versus Proof Test Interval (years), with the SIL 2 band marked

Page 88: Safety life cycle seminar IEC61511

Architecture selection

Select technology

Select architecture

Determine test philosophy

Reliability evaluation

Detailed design

Hardware fault tolerance (HFT) impacts performance

– Safety integrity

– Availability

– SIL capability

Page 89: Safety life cycle seminar IEC61511

Architecture (MooN) | 1oo1 | 2oo2 | 1oo2

Valve count (N) | 1 | 2 | 2

Number to trip (M) | 1 | 2 | 1

Safety HFT | 0 | 0 | 1

Availability HFT | 0 | 1 | 0

HFTs(MooN) = N – M

HFTa(MooN) = M – 1

Figure: valve arrangements for 1oo1 (Valve), 2oo2 and 1oo2 (Valve 1, Valve 2)

Page 90: Safety life cycle seminar IEC61511

Safe failure fraction

Figure: the four failure categories that enter the safe failure fraction: dangerous undetected, dangerous detected, safe detected, safe undetected

Page 91: Safety life cycle seminar IEC61511

Device type | SFF | HFTs = 0 | HFTs = 1

Type A | <60% | SIL 1 | SIL 2

Type A | 60% to <90% | SIL 2 | SIL 3

Type A | 90% to <99% | SIL 3 | SIL 4

Type A | ≥99% | SIL 3 | SIL 4

Type B | <60% | Not allowed | SIL 1

Type B | 60% to <90% | SIL 1 | SIL 2

Type B | 90% to <99% | SIL 2 | SIL 3

Type B | ≥99% | SIL 3 | SIL 4
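The three slides above (safe failure fraction, the HFTs(MooN) = N – M and HFTa(MooN) = M – 1 formulas, and the Type A / Type B table) are the inputs to a device's SIL capability, and the proof-testing slide later in the deck quotes a 7% DU / 66% DD / 27% SU split giving SFF = 93%. The following is an added example, not code from the seminar: it computes SFF from the four failure categories, derives HFT from a MooN label, and reads the maximum SIL from the table as reproduced above. Class and function names are mine, and any failure rate other than the quoted split is a constructed sample value.

```python
# Added example; not code from the seminar slides. Ties together the safe
# failure fraction, the HFTs(MooN) = N - M and HFTa(MooN) = M - 1 formulas
# and the Type A / Type B SIL-capability table. The 7 % DU / 66 % DD / 27 % SU
# split is the one the seminar quotes for SFF = 93 %; other inputs are constructed.

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FailureRates:
    """Failure rates per category, in consistent units (e.g. failures per hour)."""
    lambda_dd: float  # dangerous detected (by diagnostics)
    lambda_du: float  # dangerous undetected (found only by proof test)
    lambda_sd: float  # safe detected
    lambda_su: float  # safe undetected

    @property
    def total(self) -> float:
        return self.lambda_dd + self.lambda_du + self.lambda_sd + self.lambda_su

    @property
    def sff(self) -> float:
        """Safe failure fraction: every failure except dangerous undetected."""
        return (self.lambda_dd + self.lambda_sd + self.lambda_su) / self.total


def parse_moon(architecture: str) -> Tuple[int, int]:
    """'1oo2' -> (M, N) = (1, 2); a trailing 'D' (diagnostics, as in 1oo2D) is ignored."""
    m, n = architecture.upper().rstrip("D").split("OO")
    return int(m), int(n)


def hft_safety(m: int, n: int) -> int:
    """HFTs(MooN) = N - M: dangerous failures tolerated before the trip is lost."""
    return n - m


def hft_availability(m: int, n: int) -> int:
    """HFTa(MooN) = M - 1: safe failures tolerated before a spurious trip."""
    return m - 1


# Table from the slide: (upper SFF bound, (max SIL at HFTs = 0, max SIL at HFTs = 1)).
# None means "Not allowed".
SIL_CAPABILITY = {
    "A": [(0.60, (1, 2)), (0.90, (2, 3)), (0.99, (3, 4)), (float("inf"), (3, 4))],
    "B": [(0.60, (None, 1)), (0.90, (1, 2)), (0.99, (2, 3)), (float("inf"), (3, 4))],
}


def sil_capability(device_type: str, sff: float, hft_s: int) -> Optional[int]:
    """Maximum SIL the table allows; the slide covers HFTs = 0 and 1 only."""
    if hft_s not in (0, 1):
        raise ValueError("the table on the slide covers HFTs = 0 and HFTs = 1 only")
    for upper, sils in SIL_CAPABILITY[device_type.upper()]:
        if sff < upper:
            return sils[hft_s]
    raise AssertionError("unreachable: the last band is open-ended")


def subsystem_capability(architecture: str, device_type: str, rates: FailureRates) -> Optional[int]:
    """SIL capability of a MooN subsystem built from identical devices."""
    m, n = parse_moon(architecture)
    return sil_capability(device_type, rates.sff, hft_safety(m, n))


# The split quoted on the proof-testing slide: DU 7 %, DD 66 %, SU 27 % (no SD share given).
SLIDE_SPLIT = FailureRates(lambda_dd=66.0, lambda_du=7.0, lambda_sd=0.0, lambda_su=27.0)

if __name__ == "__main__":
    print(f"SFF = {SLIDE_SPLIT.sff:.0%}")
    for arch in ("1oo1", "1oo2", "2oo3"):
        m, n = parse_moon(arch)
        print(arch, "HFTs =", hft_safety(m, n), "HFTa =", hft_availability(m, n),
              "Type B max SIL =", subsystem_capability(arch, "B", SLIDE_SPLIT))
```

With the quoted split a Type B device reaches SIL 2 on its own (HFTs = 0) and SIL 3 in a 1oo2 or 2oo3 arrangement (HFTs = 1); the same SFF on a Type A device is one SIL higher in each column.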

Page 92: Safety life cycle seminar IEC61511

Proof test philosophy

Select technology

Select architecture

Determine test philosophy

Reliability evaluation

Detailed design

Proof test frequency

– 5 yrs, 1 yr, 6 mos, 3 mos?

Online vs. offline proof testing.

Turnaround schedule?

Total SIF proof test or proof test components on different intervals?

Page 93: Safety life cycle seminar IEC61511

Reliability evaluation

Select technology

Select architecture

Determine test philosophy

Reliability evaluation

Detailed design

Confirm that performance meets specifications

– Safety integrity (PFD)

– Availability (MTTFs)

– Response time

Page 94: Safety life cycle seminar IEC61511

Architecture | Average Probability of Failure on Demand (PFDavg) | Spurious Trip Rate (STR)

1oo1 | λD T / 2 | λS

1oo2 | (λD T)² / 3 | 2λS

2oo2 | λD T | 2λS² / (3λS + 2/T)

2oo3 | (λD T)² | 6λS² / (5λS + 2/T)
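The table above gives simplified PFDavg and STR expressions per architecture, and the proof test philosophy slide asks "5 yrs, 1 yr, 6 mos, 3 mos?"; the PFD versus proof test interval curves show the two are linked. The following is an added example, not code from the seminar: it evaluates the table's expressions (as reconstructed from the slide) and picks the longest candidate interval that keeps a SIL 2 target. Units are an assumption of mine (λ in failures per hour, T in hours), the failure rates are constructed sample values, and the function names are mine.

```python
# Added example; not code from the seminar slides. Evaluates the simplified
# PFDavg and spurious trip rate (STR) expressions from the architecture table
# and finds the longest proof test interval (from the "5 yrs, 1 yr, 6 mos,
# 3 mos?" slide) that keeps a SIL 2 target. Assumed units: lambda in failures
# per hour, T in hours. The failure rates used are constructed sample values.

from typing import Dict, Optional, Sequence

HOURS_PER_YEAR = 8760.0
SIL2_UPPER_PFD = 1e-2  # SIL 2 band from IEC 61511-1 Table 3: >= 1e-3 and < 1e-2
ARCHITECTURES = ("1oo1", "1oo2", "2oo2", "2oo3")


def pfd_avg(architecture: str, lambda_d: float, t_hours: float) -> float:
    """PFDavg column of the table (first-order expressions)."""
    x = lambda_d * t_hours
    formulas = {
        "1oo1": x / 2,
        "1oo2": x ** 2 / 3,
        "2oo2": x,
        "2oo3": x ** 2,
    }
    return formulas[architecture]


def spurious_trip_rate(architecture: str, lambda_s: float, t_hours: float) -> float:
    """STR column of the table, as reconstructed from the slide (trips per hour)."""
    formulas = {
        "1oo1": lambda_s,
        "1oo2": 2 * lambda_s,
        "2oo2": 2 * lambda_s ** 2 / (3 * lambda_s + 2 / t_hours),
        "2oo3": 6 * lambda_s ** 2 / (5 * lambda_s + 2 / t_hours),
    }
    return formulas[architecture]


def longest_sil2_interval(architecture: str, lambda_d: float,
                          candidates_years: Sequence[float] = (0.25, 0.5, 1, 2, 5)) -> Optional[float]:
    """Longest candidate proof test interval (years) whose PFDavg stays below
    the SIL 2 upper limit, or None if even the shortest candidate misses it."""
    ok = [years for years in candidates_years
          if pfd_avg(architecture, lambda_d, years * HOURS_PER_YEAR) < SIL2_UPPER_PFD]
    return max(ok) if ok else None


def compare(lambda_d: float, lambda_s: float, t_years: float) -> Dict[str, Dict[str, float]]:
    """PFDavg and STR (per year) for every architecture at one proof test interval."""
    t = t_years * HOURS_PER_YEAR
    return {
        arch: {
            "pfd_avg": pfd_avg(arch, lambda_d, t),
            "str_per_year": spurious_trip_rate(arch, lambda_s, t) * HOURS_PER_YEAR,
        }
        for arch in ARCHITECTURES
    }


# Constructed sample rates for a final element: 5e-7 dangerous and 1e-6 safe failures per hour.
SAMPLE_LAMBDA_D = 5e-7
SAMPLE_LAMBDA_S = 1e-6

if __name__ == "__main__":
    for arch, result in compare(SAMPLE_LAMBDA_D, SAMPLE_LAMBDA_S, 1).items():
        print(f"{arch}: PFDavg={result['pfd_avg']:.2e} STR={result['str_per_year']:.2e}/yr "
              f"longest SIL 2 interval={longest_sil2_interval(arch, SAMPLE_LAMBDA_D)} yr")
```

For the sample rates a 1oo1 or 2oo2 final element stays within SIL 2 up to a 2-year proof test interval but not 5 years, while 1oo2 still meets it at 5 years; the STR column shows the price of that redundancy, since 1oo2 doubles the spurious trip rate while 2oo2 reduces it well below the single valve.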

Page 95: Safety life cycle seminar IEC61511

PFD_SIF1 = PFD_PT-101 + PFD_logic solver + PFD_FV-101

Figure: SIF #1 loop: PT-101 → Logic solver → FV-101

Page 96: Safety life cycle seminar IEC61511

SIL | PFDavg | RRF

4 | ≥10^-5 to <10^-4 | >10,000 to ≤100,000

3 | ≥10^-4 to <10^-3 | >1,000 to ≤10,000

2 | ≥10^-3 to <10^-2 | >100 to ≤1,000

1 | ≥10^-2 to <10^-1 | >10 to ≤100

Source: IEC 61511-1, Table 3 – Safety Integrity Levels: probability of failure on demand

Page 97: Safety life cycle seminar IEC61511

Detailed design & build

Select technology

Select architecture

Determine test philosophy

Reliability evaluation

Detailed design & build

Instrument design / specifications

Wiring drawings

Hardware design & build

Software design & implementation

BPCS / SIS integration

Factory acceptance testing

Page 98: Safety life cycle seminar IEC61511

Factory Acceptance Testing (FAT)

Black box functionality tests

Performance tests

Environmental tests

Interface testing

Degraded mode tests

Exception testing

Page 99: Safety life cycle seminar IEC61511

Installation, Commissioning and Validation

Page 100: Safety life cycle seminar IEC61511

Installation, Commissioning and Validation

Installation

• Install the SIS according to specifications and drawings

Commissioning

• Commission the SIS so that it is ready for final system validation.

Validation

• Validate, through inspection and testing, that the SIS achieves the requirements stated in the SRS

Validation is the key difference between control and safety systems.

Page 101: Safety life cycle seminar IEC61511
Page 102: Safety life cycle seminar IEC61511

Operation Phase

Page 103: Safety life cycle seminar IEC61511
Page 104: Safety life cycle seminar IEC61511

Operation and Maintenance Planning

Who?

• Responsible parties

• Competence and training

What?

• Routine and abnormal operation activities

• Proof testing and repair maintenance activities

• Recording of events and performance

When?

• Proof testing frequencies

• On process demand

• On failure of SIS

How?

• Procedures, measures, techniques to be used

• Non-conformance management

• Tools and supporting analysis

Page 105: Safety life cycle seminar IEC61511

Procedures and training

Operation

Bypasses

Proof testing

Inspection

Performance monitoring

Maintenance and repair

Modification

Page 106: Safety life cycle seminar IEC61511

Proof Testing

• Reveals dangerous faults undetected by diagnostics

• Entire SIS tested: sensors, logic solver, final element

• Frequency determined during SIF design.

Inspection

• Ensures no unauthorized changes or deterioration of equipment

Page 107: Safety life cycle seminar IEC61511

Tests and Inspections Documentation

Description of tasks performed

Dates performed

Name of person(s) involved

Identifier of system (loop, tag, SIF name)

Results (“as-found” and “as-left”)

Page 108: Safety life cycle seminar IEC61511

Figure: failure distribution of a device: Fail Dangerous Undetected 7%, Fail Dangerous Detected 66%, Fail Safe Undetected 27%

Proof testing uncovers DU failures

SFF = 93%

Page 109: Safety life cycle seminar IEC61511

Sensor testing options

Safely test the SIF using actual process variables

Test sensors in-situ by other means

Perform wiring continuity test

Remove sensor and test on bench

Use smart features to test electronics and wiring continuity

Page 110: Safety life cycle seminar IEC61511

Example – Rosemount 3051S Proof Test

Proof Test 1:

Analog output Loop Test

Satisfies proof test requirement

Coverage > 50% of DU failures

Proof Test 2:

2 point sensor calibration check

Coverage > 95% of DU failures

Note – user to determine

impulse piping proof test

Page 111: Safety life cycle seminar IEC61511

Valve Testing Options

Offline

• Total stroke

• Process is down

Online

• Total stroke

• By-pass in service

• Component test (solenoid valve)

• Partial stroke

Page 112: Safety life cycle seminar IEC61511

Conventional testing methods

• Process unprotected during testing

• SIF not returned to normal after testing

• Risk of spurious trip

• Manually initiated in field

• Manpower intensive

• Subject to error

Page 113: Safety life cycle seminar IEC61511

Figure: PFD versus Proof Test Interval (years), with the SIL 2 band marked

Page 114: Safety life cycle seminar IEC61511

Source: Instrument Engineers’ Handbook, Table 6.10e – Dangerous Failures, Failure Modes, and Test Strategy

Failures | Failure Modes | Partial Stroke | Full Stroke

Valve packing is seized | Fails to close | X | X

Valve packing is tight | Slow to move | X | X

Actuator air line crimped | Slow to move | X | X

Actuator air line blocked | Fails to close | X | X

Valve stem sticks | Fails to close | X | X

Valve seat is scarred | Fails to seal off | | X

Seat contains debris | Fails to seal off | | X

Seat plugged | Fails to seal off | | X

Page 115: Safety life cycle seminar IEC61511

Modification

Documentation

• Description

• Reason

• Hazards

• Impact on SIS

• Approvals

• Competency mgmt.

• Tests / verification

• Configuration history

Page 116: Safety life cycle seminar IEC61511
Page 117: Safety life cycle seminar IEC61511