1 Functional Safety Demystified September 2011 Bob Weiss Principal Consultant Honeywell Process Solutions

2 HONEYWELL - CONFIDENTIAL File Number
Outline
- What is Functional Safety? SIS, SIF and SIL
- Standards: AS IEC 61508 and AS IEC 61511
- An example to demonstrate compliance
- The 4.5-day TÜV FSEng course in 45 minutes!

3 What is Functional Safety?
Part of overall safety: freedom from unacceptable risk.
Achieved by a Safety Instrumented System (SIS), the E/E/PE safety-related system of IEC 61508. Examples:
- Emergency Shutdown System
- Burner Management System
The SIS includes the field devices as well as the logic solver.
A SIS places or maintains a process in a safe state (the process is the Equipment Under Control, EUC, in IEC 61508 terms).
It implements Safety Instrumented Functions (SIFs); each SIF achieves a Safety Integrity Level (SIL).
Acronyms to remember: SIS, SIF and SIL!

4 Some terms: SIS, SIF and SIL
[Diagram: one Safety Instrumented System (SIS) made up of a logic solver (safety PLC), two temperature transmitters, a pressure transmitter, a flow transmitter, a shut-off valve and a globe valve each with a solenoid, and a relay in the MCC. Two Safety Instrumented Functions (SIFs) are drawn through it, SIF 1 (TZH1234) and SIF 2 (PZHH1234), each with its own Safety Integrity Level (SIL 2 and SIL 1).]

5 Why Functional Safety? Buncefield, England, 11 Dec 2005
- Storage tank level gauge showed a constant reading
- High-level alarm switch jammed
- Gasoline tank overflowed; the mist exploded
- Largest peacetime explosion; 20 tanks on fire; burned for three days
- Significant environmental impact; millions of pounds of damage

6 Standards: IEC 61508 or IEC 61511?
- AS/IEC 61508: SIS component manufacturers
- AS/IEC 61511: SIS integrators and users
[Diagram: users and integrators follow 61511, or 61508 for SIL 4 applications.]

7 IEC 61511 Safety Lifecycle
[Diagram of the IEC 61511 safety lifecycle: hazard and risk analysis; allocation of safety functions to protection layers; safety requirements specification for the safety instrumented system; design and engineering of the safety instrumented system (in parallel with design and development of other means of risk reduction); installation, commissioning and validation; operation and maintenance; modification; decommissioning. Running alongside all phases: management of functional safety, functional safety assessment and auditing; safety lifecycle structure and planning; verification. Responsibilities are shared between the engineering contractor, the SIS vendor and the end user.]

8 Complying with AS IEC 61508 & AS IEC 61511
- Target SIL must be specified for each SIF based on hazard and risk analysis
- Processes for the SIS throughout the lifecycle must comply
- Each SIF must meet the target SIL requirements for:
  - Architectural constraints
  - Random hardware failure rate (PFDavg)
  - Development process for each component: field devices, logic solver, shutdown valves etc.
- Not just TÜV certification, though it helps!
- Not just meeting the PFDavg target

9 Comply Throughout the Lifecycle
For the rest of the presentation we follow the SIS lifecycle and ask what we need to do to comply at each stage, using the example that follows. Only the main elements of compliance are covered.

10 1. Hazard and Risk Analysis
Output is a list of hazardous events with their process risk and acceptable risk.
[Lifecycle diagram from slide 7 repeated, with this phase highlighted.]

11 Case Study 1: A Hazard
A hazard is a "potential source of harm": 300 t of Liquefied Petroleum Gas can potentially cause harm.
Hazardous event example: a BLEVE (boiling liquid expanding vapour explosion); YouTube clip shown.

12 Case Study 2: HazOp
Node: LPG tank
Guideword: HIGH LEVEL
Consequence: high pressure, possible tank rupture and major fire
Existing controls: pressure relief valve (PSV-1)
New controls: add a high-level alarm

13 2. Allocation of Safety Functions
Often called SIL analysis or SIL determination. Output is a list of Safety Instrumented Functions together with their required Safety Integrity Level.
[Lifecycle diagram from slide 7 repeated, with this phase highlighted.]

14 Case Study 3: Design after HazOp
Is the risk acceptable?
[Diagram of the design after HazOp.]

15 Risk
Risk is the product of consequence severity (minor, medium, major) and likelihood of occurrence (low, medium, high); it increases towards the high-severity, high-likelihood corner of the matrix.
[Risk matrix figure.]

16 Case Study 4a: Risk Reduction
Event chain: process under control (level stable) → process deviation or disturbance (control valve sticks) → process out of control (level increasing) → hazardous situation (high pressure) → hazardous event (vessel fails) → impact/consequence (300 t of boiling LPG released; likely major fire and fatalities). Hazard: 300 t of LPG.
Protection layers in place: the LAH alarm and the PSV.

17 Risk Analysis: Layers of Protection
Hazardous situation: 1 per year. Target: 1 per 10,000 years. Required risk reduction: ×10,000.
Layers between the hazardous situation and the hazardous event:
- Process Control System (BPCS): the initiating failure is in the control loop itself
- Alarm LAH: ×1 (no credit taken)
- Mechanical PSV: ×100
Only ×100 available against ×10,000 required!

18 Case Study 4b: Risk Reduction
Same event chain as in 4a (level stable → control valve sticks → level increasing → high pressure → vessel fails → 300 t of boiling LPG released, likely major fire and fatalities), now with a third layer: the LZHH trip acts on high-high level, alongside the LAH alarm and the PSV.

19 Case Study 5: Add a SIF
High-level trip LZHH2 added: it shuts off the inflow when the high-high level is reached.

20 SIL Determination 1: Layers of Protection
Hazardous situation: 1 per year. Target: 1 per 10,000 years. Required: ×10,000.
Layers: Process Control System (BPCS); Alarm LAH; SIF LZHH; Mechanical PSV (×100).
The SIF must supply the remaining reduction: 10,000 / 100 = 100, so the SIF must be SIL 2.

21 Safety Integrity Level vs. Risk Reduction
SIL   PFDavg (low demand)    Risk Reduction Factor (= 1 / PFDavg)   Safety availability (= 1 - PFDavg)
4     ≥ 10^-5 to < 10^-4     > 10,000 to 100,000                    > 99.99%
3     ≥ 10^-4 to < 10^-3     > 1,000 to 10,000                      99.9% to 99.99%
2     ≥ 10^-3 to < 10^-2     > 100 to 1,000                         99% to 99.9%
1     ≥ 10^-2 to < 10^-1     > 10 to 100                            90% to 99%
(Control layers such as the BPCS: RRF ≤ 10, no SIL.)
Used later for verifying the SIL achieved.

22 SIL is more than just PFD
(Compliance checklist from slide 8 repeated: target SIL per SIF from hazard and risk analysis; lifecycle processes; and, for each SIF, architectural constraints, random failure rate (PFDavg) and the development process for each component.)

23 3. Safety Requirements Specification (SRS)
Defines the functional and integrity requirements of the SIS. Output is a set of documents ready for detail design.
[Lifecycle diagram from slide 7 repeated, with this phase highlighted.]

24 Cause-and-Effect Diagram
SIFs are commonly documented by cause-and-effect diagrams, which can also carry the required SIL of each SIF.

25 4. Design and Engineering
SIS vendor for the logic solver; EPC contractor or end user for the field hardware.
[Lifecycle diagram from slide 7 repeated, with this phase highlighted.]

26 Standards Compliance
(Compliance checklist from slide 8 repeated.)

27 FS Management System: TÜV Certification
See the HPS TÜV certificate. It covers compliance to IEC 61508 & IEC 61511, with periodic audits and renewal. Comparable processes are needed for the other lifecycle phases.

28 Standards Compliance
(Compliance checklist from slide 8 repeated.)

29 Case Study 6: PFD Calculation
What is the calculated PFDavg for SIF LZHH2 (required SIL 2)?

30 Safety Integrity Level vs. PFDavg
(The table from slide 21 again, now read from the implementation side: the PFDavg band each SIL must achieve, with PFDavg = 1 / RRF and safety availability = 1 - PFDavg.)

31 Approximation to PFDavg
[Plot: the probability that the item has failed, PFD(t), rises from 0 at each proof test; the average over the test interval is half the value reached at the end of it.]
PFDavg ≈ λDU × TI / 2
where λDU = dangerous undetected failure rate and TI = proof-test interval (valid while λDU × TI is small compared with 1).
Remember this!

32 Case Study 6: PFD Calculation
Test interval = 1 y. Reliability data:
- Valve: λDU = 1/10 y (= 0.1 per year)
- Logic solver: λDU = 1/1000 y (= 0.001 per year)
- Sensor: λDU = 1/100 y (= 0.01 per year)
PFDavg = λDU × TI / 2:
- Valve: 0.1 × 1 / 2 = 0.05
- Logic solver: 0.001 × 1 / 2 = 0.0005
- Transmitter: 0.01 × 1 / 2 = 0.005
Total PFDavg = 0.05 + 0.0005 + 0.005 = 0.0555
Calculated SIL = 1 (PFDavg range 0.01 to 0.1). Required SIL = 2. Not OK! The valve contributes 90% of the total. How can this be fixed?

33 Effect of Test Interval on PFDavg
[Plots: with a shorter test interval TI the saw-tooth PFD(t) is reset to 0 more often, so its average is proportionally lower.]

34 Case Study 7a: Adjust Test Interval
Test interval = 1 month (1/12 y); same reliability data (valve 0.1, logic solver 0.001, sensor 0.01 per year).
PFDavg = λDU × TI / 2:
- Valve: 0.1 / 12 / 2 = 0.0042
- Logic solver: 0.001 / 12 / 2 = 0.00004
- Transmitter: 0.01 / 12 / 2 = 0.0004
Total PFDavg = 0.0042 + 0.00004 + 0.0004 = 0.0046
Calculated SIL = 2 (PFDavg range 0.001 to 0.01). Required SIL = 2. OK, BUT operations object to monthly testing!

35 Case Study 7b: Duplicate Block Valves
Test interval = 1 year; same reliability data (valve 0.1, logic solver 0.001, sensor 0.01 per year).
For two valves with 1oo2 voting: PFDavg = (0.1 × 1 / 2)² = 0.0025
Total PFDavg = 0.0025 + 0.0005 + 0.005 = 0.008
Calculated SIL = 2 (PFDavg range 0.001 to 0.01). Required SIL = 2. OK.
Caveat: squaring the single-valve PFDavg treats the two valves as fully independent. IEC 61508-6 also requires a common-cause share (β factor) of the valve failures to be counted; that share behaves like a single valve and adds roughly β × 0.05, so a β of a few percent can push the total back over 0.01.
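The layers-of-protection sum on slide 20 and the three PFDavg calculations on slides 32, 34 and 35, worked through in Python as an added example; this is not code from the presentation or from Honeywell. The λDU figures, test intervals and layer credits are the slides' own; the function names and the 5 % common-cause β in the last scenario are assumptions of this example.

```python
"""SIL determination (layers of protection) and PFDavg verification for SIF LZHH2.

Added example; not from the original presentation. The failure rates, test
intervals and layer credits are the slides' figures; the helper names and the
5 % common-cause beta used in the last scenario are this example's assumptions.
"""

# IEC 61508 low-demand bands: (SIL, PFDavg lower bound, PFDavg upper bound).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Dangerous-undetected failure rates per year, from slide 32.
LAMBDA_DU = {"sensor": 0.01, "logic_solver": 0.001, "valve": 0.1}


def lopa(initiating_per_y, target_per_y, ipl_rrf):
    """Layers of protection: (total RRF required, RRF still to come from a SIF)
    after crediting the independent protection layers already in place."""
    total = initiating_per_y / target_per_y
    credited = 1.0
    for rrf in ipl_rrf.values():
        credited *= rrf
    return total, total / credited


def required_sil(rrf):
    """SIL to specify for a required RRF. RRF <= 10 is left to control/alarm
    layers (no SIF). A target PFD exactly on a band edge rounds to the more
    demanding SIL, which is how slide 20 turns RRF 100 (PFD 0.01) into SIL 2."""
    if rrf <= 10:
        return 0
    target_pfd = 1.0 / rrf
    for sil, lo, hi in SIL_BANDS:
        if lo < target_pfd <= hi:
            return sil
    raise ValueError("required RRF above 100,000 is beyond SIL 4: redesign the process")


def achieved_sil(pfd_avg):
    """SIL band an achieved PFDavg falls in, using the IEC edges (lo <= PFD < hi); 0 = below SIL 1."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 4 if pfd_avg < 1e-5 else 0


def pfd_avg_1oo1(lambda_du, ti_years):
    """Single channel: PFDavg ~= lambda_DU * TI / 2 (IEC 61508-6 simplification, lambda_DU * TI << 1)."""
    return lambda_du * ti_years / 2


def pfd_avg_1oo2(lambda_du, ti_years, beta=0.0):
    """Two identical channels, 1oo2 voting. The independent part follows slide 35,
    (lambda_DU * TI / 2) ** 2; the exact time-average of the product is
    (lambda_DU * TI) ** 2 / 3, a third higher. The share beta of failures that hit
    both channels at once (common cause) behaves like a single channel and usually
    dominates, so it is added as beta * lambda_DU * TI / 2."""
    independent = ((1 - beta) * lambda_du * ti_years / 2) ** 2
    common_cause = beta * lambda_du * ti_years / 2
    return independent + common_cause


def verify(valve_voting, ti_years, beta=0.0):
    """(PFDavg, achieved SIL) for the LZHH2 loop: sensor + logic solver + valve(s).
    The loop fails if any element fails, so the element PFDavg values are summed."""
    if valve_voting == "1oo1":
        valve = pfd_avg_1oo1(LAMBDA_DU["valve"], ti_years)
    elif valve_voting == "1oo2":
        valve = pfd_avg_1oo2(LAMBDA_DU["valve"], ti_years, beta)
    else:
        raise ValueError(f"unsupported valve voting {valve_voting!r}")
    pfd = (pfd_avg_1oo1(LAMBDA_DU["sensor"], ti_years)
           + pfd_avg_1oo1(LAMBDA_DU["logic_solver"], ti_years)
           + valve)
    return pfd, achieved_sil(pfd)


if __name__ == "__main__":
    # Slide 20: hazardous situation once a year, target once in 10,000 years,
    # PSV credited x100, LAH alarm given no credit (x1).
    total, from_sif = lopa(1.0, 1e-4, {"PSV-1": 100, "LAH alarm": 1})
    print(f"RRF required {total:.0f}, from the SIF {from_sif:.0f} -> SIL {required_sil(from_sif)}")
    scenarios = [
        ("slide 32: 1oo1 valve, yearly test", ("1oo1", 1.0)),
        ("slide 34: 1oo1 valve, monthly test", ("1oo1", 1 / 12)),
        ("slide 35: 1oo2 valves, yearly test", ("1oo2", 1.0)),
        ("assumed: 1oo2 valves, beta 5 %", ("1oo2", 1.0, 0.05)),
    ]
    for label, args in scenarios:
        pfd, sil = verify(*args)
        print(f"{label:38s} PFDavg {pfd:.5f} -> SIL {sil}")
```

Note the two different boundary rules: a required PFD sitting on a band edge rounds up to the more demanding SIL (that is the slide's RRF 100 → SIL 2), while an achieved PFDavg of exactly 0.01 is only SIL 1, because IEC's bands are ≥ lower edge and < upper edge. The last scenario is the caveat from slide 35 made concrete: with an assumed β of 5 % the duplicated valves give 0.0103 in total and the loop drops back to SIL 1.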

36 Standards Compliance
(Compliance checklist from slide 8 repeated; next item: architectural constraints.) Is one transmitter enough or do we need two?

37 Architectural Constraints
Aim is to avoid unrealistic reliability claims from single devices ("elements"). They constrain the SIF architecture based on:
- Safe Failure Fraction (SFF)
- Complexity of the device ("Type A" or "Type B")
- Target SIL
Outcome is the required Hardware Fault Tolerance (HFT): the number of voted devices minus 1 (typically). Use the tables in IEC 61508 part 2; IEC 61511 has simplified requirements.

38 Safe Failure Fraction
Example: a safety valve, normally open and normally energised, which has to close when the process is out of control. Loss of energy closes it spontaneously, so that failure is SAFE.
[Failure-mode tree: SAFE failures, either detected by diagnostics or undetected; DANGEROUS failures (stuck open), either detected by voltage monitoring or undetected.]
SFF = (safe failures + dangerous detected failures) / all failures: only dangerous undetected failures count against it.

39 Architectural Constraints, IEC 61508-2
Table 2: Type A subsystems (e.g. pressure switch). Maximum SIL by Safe Failure Fraction and Hardware Fault Tolerance:
SFF           HFT 0    HFT 1    HFT 2
< 60%         SIL 1    SIL 2    SIL 3
60% to 90%    SIL 2    SIL 3    SIL 4
90% to 99%    SIL 3    SIL 4    SIL 4
≥ 99%         SIL 3    SIL 4    SIL 4
Table 3: Type B subsystems (e.g. logic solver, smart transmitter):
SFF           HFT 0          HFT 1    HFT 2
< 60%         Not allowed    SIL 1    SIL 2
60% to 90%    SIL 1          SIL 2    SIL 3
90% to 99%    SIL 2          SIL 3    SIL 4
≥ 99%         SIL 3          SIL 4    SIL 4
Independent channels required = Hardware Fault Tolerance + 1.

40 Case Study 8: Architectural Constraints
Transmitter LZT2 is a smart radar gauge. Can we use a single transmitter to satisfy SIL 2? The logic solver and the valve must be checked in the same way.

41 Case Study 8: Architectural Constraints
A smart transmitter is a Type B device, so use Table 3 of IEC 61508-2. Safe Failure Fraction = 91.8% (from the TÜV certificate). In the 90% to 99% row, SIL 2 is reached at Hardware Fault Tolerance 0, therefore one transmitter is OK for SIL 2.
[Table 3 repeated, with LZT2 and a standard transmitter marked on it.]

42 Architectural Constraints for the Logic Solver
E.g. Honeywell FSC and Safety Manager logic solvers, in 1oo2D or 2oo4D architecture. All have a 99% safe failure fraction, hence all are "SIL 3 capable" (Table 3: SFF ≥ 99% at HFT 0 gives SIL 3). 2oo4D has a lower spurious trip rate, but costs more.
[Table 3 repeated, with FSC and SM marked on it.]
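The Table 2 / Table 3 lookup of slides 39 to 42 and the SFF definition of slide 38, in Python as an added example; this is not code from the presentation or from Honeywell. The table contents are IEC 61508-2's; the 91.8 % and 99 % SFF figures are the slides'; the failure-rate split used to show an SFF being computed is a constructed illustration, and the helper names are this example's own.

```python
"""Hardware fault tolerance check against IEC 61508-2 Tables 2 and 3 (the SFF-based route).

Added example; not from the presentation. The table contents are the standard's.
The SFF figures in the demo (91.8 % for the radar gauge, 99 % for the logic
solver) are the slides'; the failure-rate split used to show how an SFF is
computed is a constructed illustration, and the helper names are this example's own.
"""
from typing import Optional

# Maximum SIL claimable for a subsystem, indexed [SFF band][HFT]; None = not allowed.
SFF_BANDS = [(0.0, 0.6), (0.6, 0.9), (0.9, 0.99), (0.99, 1.0 + 1e-9)]
TYPE_A = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]      # Table 2: simple devices
TYPE_B = [[None, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]   # Table 3: complex (microprocessor) devices


def safe_failure_fraction(lambda_s: float, lambda_dd: float, lambda_du: float) -> float:
    """SFF = (safe + dangerous detected) / all failures; only dangerous undetected counts against it."""
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("no failure rate given")
    return (lambda_s + lambda_dd) / total


def _sff_band(sff: float) -> int:
    for index, (lo, hi) in enumerate(SFF_BANDS):
        if lo <= sff < hi:
            return index
    raise ValueError(f"SFF out of range: {sff}")


def max_sil(device_type: str, sff: float, hft: int) -> Optional[int]:
    """Highest SIL the architecture supports; None if the standard does not allow it at all."""
    table = {"A": TYPE_A, "B": TYPE_B}[device_type]
    if not 0 <= hft <= 2:
        raise ValueError("the tables cover HFT 0..2 only")
    return table[_sff_band(sff)][hft]


def required_hft(device_type: str, sff: float, target_sil: int) -> Optional[int]:
    """Smallest hardware fault tolerance that reaches target_sil; None if even HFT 2 is not enough."""
    for hft in range(3):
        claim = max_sil(device_type, sff, hft)
        if claim is not None and claim >= target_sil:
            return hft
    return None


def channels_needed(device_type: str, sff: float, target_sil: int) -> Optional[int]:
    """Independent channels to install = HFT + 1 (HFT 1 means 1oo2 or 2oo3 voting)."""
    hft = required_hft(device_type, sff, target_sil)
    return None if hft is None else hft + 1


if __name__ == "__main__":
    # Slide 41: smart radar gauge LZT2, Type B, SFF 91.8 % from its certificate, target SIL 2.
    print("LZT2 channels for SIL 2:", channels_needed("B", 0.918, 2))   # 1: a single transmitter is fine
    print("LZT2 channels for SIL 3:", channels_needed("B", 0.918, 3))   # 2: SIL 3 would need 1oo2
    # Slide 42: a logic solver with 99 % SFF is "SIL 3 capable" on a single channel.
    print("Logic solver max SIL at HFT 0:", max_sil("B", 0.99, 0))     # 3
    # Constructed illustration: a pressure switch (Type A) whose failures split 40/10/50 %.
    sff = safe_failure_fraction(lambda_s=0.4, lambda_dd=0.1, lambda_du=0.5)
    print(f"Pressure switch SFF {sff:.0%}: HFT for SIL 2 = {required_hft('A', sff, 2)}")  # 50 %: HFT 1
```

The lookup answers the question slide 36 asks (one transmitter or two?) and also shows the flip side: the same 91.8 % gauge would need a second channel the moment the target moved to SIL 3, and a Type B device below 60 % SFF cannot be used in a SIF on its own at all.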

43 Standards Compliance
(Compliance checklist from slide 8 repeated; next item: development process for each component.) How likely is it that each component is free from systematic faults ("bugs")?

44 Case Study 9: Transmitter Selection
Systematic faults must be controlled. The transmitter selected must comply with IEC 61508 and IEC 61511, so it must either be:
- Proven in use: comparable application; sample size sufficient for a 70% confidence level; all failures documented; or
- Designed and manufactured in accordance with IEC 61508, confirmed by an independent certificate (e.g. from TÜV): "SIL x capable".

45 Case Study 9: Transmitter TÜV Certificate
[Certificate shown.]

46 Case Study 9: Transmitter TÜV Certification Mark
[Certification mark shown.]

47 Standards Compliance
(Compliance checklist from slide 8 repeated.) The design now complies.

48 5. Installation, Commissioning, Validation
The logic solver is installed with the field equipment. Includes loop checking, validation and the final functional safety assessment.
[Lifecycle diagram from slide 7 repeated, with this phase highlighted.]

49 Standards Compliance
(Compliance checklist from slide 8 repeated.) Verification, validation and functional safety assessment.

50 Case Study 10: Verification and Validation
Verification and Validation Plan for the project (see the V&V plan template):
- SIL 2 independence required (i.e. an independent engineer)
- Define responsibilities
Verify the Safety Requirements Specification, the hardware design documents, the functional specifications etc.
Implement a code walkthrough.
Logic Solver Factory Acceptance Test: complete integration test of the application software on the target hardware.
Logic Solver Site Acceptance Test: power-up test on site.
Safety function testing.
Functional safety assessment.

51 6. Operations, Maintenance and Modification: the Cinderella phases!
The user must follow a Functional Safety Management System for the life of the SIS.
[Lifecycle diagram from slide 7 repeated, with these phases highlighted.]

52 Ops and Maintenance Obligations
- Proof test each SIF at the specified interval
- Monitor the design assumptions (demand rates, component reliability) and adjust the test interval to suit
- Control modifications
- Ensure maintenance and operational overrides are used as designed
- Monitor diagnostics and follow them up promptly

53 Case Study 11: Operation and Maintenance
[Layers-of-protection diagram from slide 20 repeated: hazardous situation 1 per year; target 1 per 10,000 years; required ×10,000; Mechanical PSV ×100; SIF LZHH, SIL 2; Alarm LAH; Process Control System (BPCS).]
The risk analysis assumed a demand on the SIS once per year: what happens in practice?
The SIL verification assumed a transmitter failure rate of 0.01 per year: what happens in practice? Etc.
Actual performance must be verified against the assumptions and the testing adjusted as required. Documentation of the assumptions is critical.
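The check slide 53 calls for, in Python as an added example; this is not code from the presentation or from Honeywell. The design basis (the λDU figures, 1oo2 block valves, a yearly proof test, one demand a year, SIL 2) is taken from the slides; the proof-test findings and trip log are constructed for the illustration, and the helper names and the bisection solver are this example's own.

```python
"""Re-checking the LZHH2 SIL verification against operating experience.

Added example; not from the presentation. The design basis (lambda_DU figures,
1oo2 block valves, yearly proof test, one demand a year, SIL 2) is taken from
the slides. The proof-test findings and trip log below are constructed for the
illustration, and the helper names are this example's own.
"""
from typing import Dict, List, Tuple

SIL2_PFD_LIMIT = 1e-2            # PFDavg must stay below this to hold SIL 2

# Design basis: dangerous-undetected failure rates per year used in the SIL verification.
DESIGN_LAMBDA_DU = {"sensor": 0.01, "logic_solver": 0.001, "valve": 0.1}
DESIGN_TI_YEARS = 1.0
DESIGN_DEMANDS_PER_YEAR = 1.0

# Constructed field records: dangerous failures found at proof test, device-years of exposure.
FIELD_RECORDS: Dict[str, Tuple[int, float]] = {
    "sensor": (0, 6.0),           # one radar gauge, six years
    "logic_solver": (0, 6.0),
    "valve": (4, 12.0),           # two block valves (1oo2), six years each
}
# Constructed trip log: genuine high-high level demands on the SIF in each year of operation.
FIELD_DEMANDS: List[int] = [2, 3, 1, 2, 1, 3]


def observed_lambda_du(failures: int, device_years: float, design_rate: float) -> float:
    """Field estimate of lambda_DU, never relaxed below the design figure: a few
    failure-free years are not enough evidence to beat the certificate rate."""
    if device_years <= 0:
        raise ValueError("no exposure recorded")
    return max(failures / device_years, design_rate)


def loop_pfd_avg(lambda_du: Dict[str, float], ti_years: float) -> float:
    """Sensor and logic solver 1oo1 (lambda*TI/2), block valves 1oo2 ((lambda*TI/2)**2), as on the slides."""
    single = (lambda_du["sensor"] + lambda_du["logic_solver"]) * ti_years / 2
    valves = (lambda_du["valve"] * ti_years / 2) ** 2
    return single + valves


def max_test_interval(lambda_du: Dict[str, float], pfd_limit: float, hi_years: float = 10.0) -> float:
    """Longest proof-test interval (years) keeping PFDavg under pfd_limit, found by
    bisection on the monotone PFDavg(TI) curve (the 1oo2 term makes it non-linear)."""
    lo, hi = 0.0, hi_years
    for _ in range(60):
        mid = (lo + hi) / 2
        if loop_pfd_avg(lambda_du, mid) < pfd_limit:
            lo = mid
        else:
            hi = mid
    return lo


def low_demand_mode(demands_per_year: float, ti_years: float) -> bool:
    """IEC 61511 low-demand mode: no more than one demand a year and no more than
    twice the proof-test frequency. Outside it the PFDavg method above does not apply."""
    return demands_per_year <= 1.0 and demands_per_year <= 2.0 / ti_years


def review(records: Dict[str, Tuple[int, float]], demands: List[int],
           ti_years: float = DESIGN_TI_YEARS) -> Dict[str, object]:
    """Compare the design basis with field data and report what has to change."""
    lam = {name: observed_lambda_du(f, yrs, DESIGN_LAMBDA_DU[name]) for name, (f, yrs) in records.items()}
    demand_rate = sum(demands) / len(demands)
    pfd = loop_pfd_avg(lam, ti_years)
    return {
        "design_pfd": loop_pfd_avg(DESIGN_LAMBDA_DU, ti_years),
        "field_lambda_du": lam,
        "field_pfd": pfd,
        "holds_sil2": pfd < SIL2_PFD_LIMIT,
        "max_ti_years": max_test_interval(lam, SIL2_PFD_LIMIT),
        "demand_rate": demand_rate,
        "risk_analysis_basis_valid": demand_rate <= DESIGN_DEMANDS_PER_YEAR,
        "low_demand_mode": low_demand_mode(demand_rate, ti_years),
    }


if __name__ == "__main__":
    for key, value in review(FIELD_RECORDS, FIELD_DEMANDS).items():
        print(f"{key:28s} {value}")
```

With the constructed records the valves have shown a λDU three times the design figure, the loop's PFDavg has risen from 0.008 to about 0.033 (SIL 1), and holding SIL 2 would need the proof-test interval cut to about six months. The trip log is the other finding: two demands a year breaks both the risk-analysis basis (one per year) and the low-demand-mode condition the whole PFDavg approach rests on, so the problem goes back to the process, not only to the maintenance schedule.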

54 Case Study 12: Modification
The LZHH logic needs modification after commissioning. The validation needed depends on the highest SIL in that SIS! So during early design consider splitting SIL 2 and SIL 3 systems.

55 Summary 1: The SIS Lifecycle
[Lifecycle diagram from slide 7 repeated, with the engineering contractor, SIS vendor and end user responsibilities marked.]

56 Summary 2: Requirements
- Target SIL must be specified for each SIF based on hazard and risk analysis
- Processes for the SIS throughout the lifecycle must comply
- Each SIF must meet the target SIL requirements for architectural constraints, random failure rate (PFDavg) and the development process for each component
- Not just TÜV certification, though it helps!
- Not just meeting the PFDavg target
- Don't forget the spurious trip rate!

57 Need more?
ISA Safety Instrumented Systems: An Overview. One-day overview course: 3 October, Perth; 16 November, Sydney.
TÜV Functional Safety Engineer Qualification. One-week course and exam; leads to a formal qualification (requires 3+ years' experience): 24 October, Melbourne.

58 Thank You... Questions?

