Today’s Objective – Introduce Process Safety Concepts and Essential Principles
– Standards to help with the design of a Safety Instrumented System (SIS)
– Determine the level of safety performance: Safety Integrity Level (SIL)
– Safety Requirement Specification (SRS)
– Safety Instrumented Function (SIF) Design and Equipment Selection
– Verification and Validation of your SIF design
– Overview of Cybersecurity
– Overview of Alarm Management
Prescriptive/Functional Standards
• Prescriptive Standard – Tells you what to do
MINERALS MANAGEMENT SERVICE, GULF OF MEXICO OCS REGION
NTL No. 2000-G13 Effective Date: May 25, 2000
NOTICE TO LESSEES AND OPERATORS OF FEDERAL OIL, GAS, AND SULPHUR LEASES IN THE OUTER CONTINENTAL SHELF, GULF OF MEXICO OCS REGION
Production Safety Systems Requirements
This Notice to Lessees and Operators (NTL) supersedes NTL No. 2000-G09, dated March 29, 2000, on this subject. It makes minor technical amendments and corrects some cited authorities.
1. 30 CFR 250.802(b). Exclusion of pressure safety high (PSH) and pressure safety low (PSL) sensors on downstream vessels in a production train
As specified in American Petroleum Institute (API) Recommended Practice (RP) 14C, Section A.4, you must install a PSH sensor to provide over-pressure protection for a vessel. If an entire production train operates in the same pressure range, the PSH sensor protecting the initial vessel will detect the highest pressure in the production train, thereby providing primary over-pressure protection to each subsequent vessel in the production train. The intent of API RP 14C is not compromised under this scenario. Therefore, you may use API RP 14C Safety Analysis Checklist (SAC) reference A.4.a.3 to exclude all subsequent PSH sensors other than the PSH sensor protecting the initial vessel in a production train.
• Functional or Performance Standard– Tells you what performance level you need to meet
7.1.1.1 IEC 61511-1 recognizes that organizations will have their own procedures for verification and does not require it always to be carried out in the same way. Instead, the intent of this clause is that all verification activities are planned in advance, along with any procedures, measures and techniques that are to be used.
7.1.1.2 No further guidance provided.
7.1.1.3 It is important that the results of verification are available so that it can be demonstrated that effective verification has taken place at all phases of the safety lifecycle.
8 Process Hazard and Risk Analysis
8.1 Objectives
The overall objective here is to establish the need for safety functions (e.g., protection layers) together with associated levels of performance (risk reduction) that are needed to ensure a safe process. It is normal in the process sector to have multiple safety layers so that failure of a single layer will not lead to or allow a harmful consequence. Typical safety layers are represented in Figure 9 of IEC 61511-1.
8.2 Requirements (guidance to IEC 61511-1 only)
8.2.1 The requirements for hazard and risk analysis are specified only in terms of the results of the task. This means that an organization may use any technique that it considers to be effective, provided it results in a clear description of safety functions and associated levels of performance.
IEC 61511 Functional Safety – Safety Instrumented Systems for the Process Industry Sector
Minimum independence for functional safety assessment
Safety Assessment, Verification and Validation

Minimum Level of Independence | SIL 1 | SIL 2 | SIL 3 | SIL 4
Independent Person            | HR    | HR1   | NR    | NR
Independent Department        | --    | --    | HR1   | NR
Independent Organization      | --    | --    | HR2   | HR
(HR = highly recommended, NR = not recommended)

NOTE Depending upon the company organization and expertise within the company, the requirement for independent persons and departments may have to be met by using an external organization. Conversely, companies that have internal organizations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (by ways of management and other resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organization.
• Verification – Activity of demonstrating for each phase of the safety lifecycle by analysis and/or tests that, for the specific inputs, the deliverables meet the objectives and requirements set for the specific phase.
• Validation – The activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration after installation meet in all respects the safety requirements specification.
Training, experience, and qualifications should all be addressed and documented
– System engineering knowledge
– Safety engineering knowledge
– Legal and regulatory requirements knowledge
– More critical for novel systems or high SIL requirements
“Persons, departments, or organizations involved in safety lifecycle activities shall be competent to carry out the activities for which they are accountable.”
Identifying hazards
– HAZOP (Hazards and Operability Study)
– Checklist / What If Analysis
– FMEA (Failure Modes and Effects Analysis)
– Fault Tree Analysis
– Etc.
HAZOP ANALYSIS (columns: Guide Word | Deviation | Causes | Consequences | Safeguards | Ref # | Recommendations | By)

Guide word / Deviation: No / No Agitation
  Causes: Agitator motor drive fails
  Consequences: Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure.
  Safeguards: High Temperature and High Pressure Alarm in DCS. Shortstop system.
  Ref #: P&ID #’s
  Recommended Actions: Add SIF to chemically control runaway reaction. Add a pressure safety relief valve. If necessary, add a de-pressurization SIF. Use LOPA to determine required SIL.

Guide word / Deviation: More / Higher Temperature
  Causes: Temperature control failure causes overheating during steam heating
  Consequences: High temperature could damage reactor seals causing leak. Indicated by high temperature.
  Safeguards: High Temperature Alarm in DCS.
  Recommended Actions: Add high-temperature SIF. Use LOPA to determine required SIL.

Guide word / Deviation: More / Higher Level
  Causes: Flow control failure allows the reactor to overfill
  Consequences: Reactor becomes full, possible reactor damage and release. Indicated by high level or high pressure.
  Safeguards: High Level Alarm in DCS.
  Recommended Actions: Add high-level SIF. Use LOPA to determine required SIL.
3. To establish engineering procedures to prevent systematic design errors
The equipment used to implement any safety instrumented function must be designed using procedures intended to prevent systematic design errors. The rigor of the required procedure is a function of SIL level.
Draw the Layer of Protection Analysis Diagram for the following situation
– An accident whose consequence is an explosion due to a runaway reactor caused by the agitator motor failure.
– The following layers of protection exist:
  – Batch process only runs 5 times per year
  – The operator responds to alarms and stops the process
  – Runaway reaction cancelled by addition of Shortstop
  – The reactor has a pressure relief valve
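The LOPA exercise above only names the layers; the slides do not give initiating-event or PFD numbers. The following is an added worked example (not part of the original slides or of any exida tool) that walks the scenario through the layers, computes the residual frequency and derives the SIL a new SIF would need. Every numeric value other than the 5 batches per year is an assumed, illustrative figure and is labelled as such in the code.

```python
"""Layer of Protection Analysis (LOPA) for the runaway-reaction exercise.

Added example, not from the original slides. The slides give only the scenario
structure; every numeric value below except DEMANDS_PER_YEAR is an assumption.
"""

# Constructed scenario data (assumptions, labelled as such):
DEMANDS_PER_YEAR = 5                 # batch runs per year, from the exercise text
P_AGITATOR_FAILS_PER_BATCH = 0.1     # assumed initiating-event probability per batch
TARGET_EXPLOSION_FREQ = 1e-6         # assumed tolerable explosion frequency, per year

# Independent protection layers named in the exercise, with assumed PFD values.
IPLS = [
    ("Operator responds to alarm and stops process", 0.1),
    ("Runaway reaction cancelled by Shortstop",      0.1),
    ("Reactor pressure relief valve",                0.01),
]


def initiating_event_frequency(p_per_demand, demands_per_year):
    """Frequency (per year) of the initiating event reaching the first layer."""
    return p_per_demand * demands_per_year


def lopa_chain(initiating_freq, ipls):
    """Walk the layers; returns [(layer, frequency after layer)] as in the LOPA diagram."""
    chain = []
    f = initiating_freq
    for name, pfd in ipls:
        f *= pfd                      # each IPL fails on demand with probability pfd
        chain.append((name, f))
    return chain


def mitigated_frequency(initiating_freq, ipls):
    """Residual frequency after all existing layers."""
    return lopa_chain(initiating_freq, ipls)[-1][1] if ipls else initiating_freq


def required_sif_pfd(mitigated_freq, target_freq):
    """PFDavg a new SIF must reach to close the gap (1.0 means no SIF needed)."""
    return min(1.0, target_freq / mitigated_freq)


def sil_for_pfd(pfd):
    """IEC 61511 demand-mode bands: SIL n means 10**-(n+1) <= PFDavg < 10**-n."""
    if pfd >= 1e-1:
        return 0                      # risk reduction below SIL 1: no SIL requirement
    for sil, upper in ((1, 1e-1), (2, 1e-2), (3, 1e-3), (4, 1e-4)):
        if pfd >= upper / 10:
            return sil
    raise ValueError("PFDavg below the SIL 4 band: one SIF cannot carry this much risk reduction")


def draw_lopa(initiating_freq, ipls, target_freq):
    """Text rendering of the LOPA diagram: event -> layers -> residual vs. target."""
    lines = [f"Initiating event: {initiating_freq:.2e} /yr"]
    for name, f_after in lopa_chain(initiating_freq, ipls):
        lines.append(f"  -> IPL: {name:45s} residual {f_after:.2e} /yr")
    mitigated = mitigated_frequency(initiating_freq, ipls)
    pfd = required_sif_pfd(mitigated, target_freq)
    lines.append(f"Target {target_freq:.1e} /yr -> SIF needs PFDavg <= {pfd:.2e} (SIL {sil_for_pfd(pfd)})")
    return "\n".join(lines)


if __name__ == "__main__":
    f0 = initiating_event_frequency(P_AGITATOR_FAILS_PER_BATCH, DEMANDS_PER_YEAR)
    print(draw_lopa(f0, IPLS, TARGET_EXPLOSION_FREQ))
```

With the assumed numbers the three existing layers bring 0.5 explosions per year down to 5e-5, so a SIF with PFDavg of about 0.02 (SIL 1) closes the gap to the assumed target. Changing the target or any PFD in the constants shows how quickly the required SIL moves, which is why the HAZOP rows defer the SIL decision to LOPA rather than guessing it.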
Binary Logic Diagrams (ISA 5.2)
– Strengths – More flexible than C-E diagrams, direct transposition to a function block diagram program
– Weaknesses – Time consuming, knowledge of standard logic representation required
If one of the following conditions occurs:
1. Switch BS-01 is de-energized, indicating loss of flame
2. Switch PSL-02 is de-energized, indicating low fuel gas pressure
Then the main fuel gas flow to the heater is stopped by performing all of the following:
1. Closing valves XV-03A and XV-03B
2. Opening valve XV-03C
The respective valves will be opened and closed by de-energizing the solenoid valve XY-03.
Circuit Utilities, i.e. Electrical Power, Instrument Air, etc.
The actual implementation of any single safety instrumented function may include multiple sensors, signal conditioning modules, multiple final elements and dedicated circuit utilities like electrical power or instrument air.
Random Failures – A failure occurring at a random time, which results from one or more degradation mechanisms. Usually a permanent failure due to a system component loss of functionality – typically hardware related.
Systematic Failures – A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors. Usually due to a design fault – wrong component, error in software program, etc.
The SIL achieved is the minimum of:
1. SILPFD: Probability of Failure on Demand Average / per hour (PFDAVG / PFH)
2. SILAC: Hardware Fault Tolerance
3. SILCAP: Capability to prevent Systematic Failures
With a safety system, the concern shouldn’t so much be with how the system operates, but rather how the system fails. Safety systems can fail in two ways:
FMEDA for Safety Rated Input Circuit
Failure Modes and Effects Analysis – failure rates in FIT (failures per billion hours); the last two columns are the FIT covered by the listed diagnostic.

Component | Mode        | Effect           | Criticality | FIT   | Safe  | Dang. | Det. | Diagnostic        | Safe covered FIT | Dang. covered FIT
R1 10K    | short       | threshold shift  | 1 Safe      | 0.13  | 0.125 | 0     | 0    |                   | 0                | 0
R1 10K    | open        | open circuit     | 1 Safe      | 0.5   | 0.5   | 0     | 1    | loose input pulse | 0.5              | 0
R2 100K   | short       | short input      | 1 Safe      | 0.13  | 0.125 | 0     | 1    | loose input pulse | 0.125            | 0
R2 100K   | open        | threshold shift  | 1 Safe      | 0.5   | 0.5   | 0     | 0    |                   | 0                | 0
D1        | short       | overvoltage      | 1 Safe      | 2     | 2     | 0     | 1    | loose input pulse | 2                | 0
D1        | open        | open circuit     | 1 Safe      | 5     | 5     | 0     | 1    | loose input pulse | 5                | 0
D2        | short       | overvoltage      | 1 Safe      | 2     | 2     | 0     | 1    | loose input pulse | 2                | 0
D2        | open        | open circuit     | 1 Safe      | 5     | 5     | 0     | 1    | loose input pulse | 5                | 0
OC1       | LED dim     | no light         | 1 Safe      | 28    | 28    | 0     | 1    | comp. mismatch    | 28               | 0
OC1       | tran. short | read logic 1     | 0 Dang.     | 10    | 0     | 10    | 1    | comp. mismatch    | 0                | 10
OC1       | tran. open  | read logic 0     | 1 Safe      | 6     | 6     | 0     | 1    | comp. mismatch    | 6                | 0
OC2       | LED dim     | no light         | 1 Safe      | 28    | 28    | 0     | 1    | comp. mismatch    | 28               | 0
OC2       | tran. short | read logic 1     | 0 Dang.     | 10    | 0     | 10    | 1    | comp. mismatch    | 0                | 10
OC2       | tran. open  | read logic 0     | 1 Safe      | 6     | 6     | 0     | 1    | comp. mismatch    | 6                | 0
R3 100K   | short       | loose filter     | 1 Safe      | 0.13  | 0.125 | 0     | 0    |                   | 0                | 0
R3 100K   | open        | input float high | 0 Dang.     | 0.5   | 0     | 0.5   | 1    | comp. mismatch    | 0                | 0.5
R4 10K    | short       | read logic 0     | 1 Safe      | 0.13  | 0.125 | 0     | 1    | comp. mismatch    | 0.125            | 0
R4 10K    | open        | read logic 1     | 0 Dang.     | 0.5   | 0     | 0.5   | 1    | comp. mismatch    | 0                | 0.5
R5 100K   | short       | loose filter     | 1 Safe      | 0.13  | 0.125 | 0     | 0    |                   | 0                | 0
R5 100K   | open        | input float high | 0 Dang.     | 0.5   | 0     | 0.5   | 1    | comp. mismatch    | 0                | 0.5
R6 10K    | short       | read logic 0     | 1 Safe      | 0.13  | 0.125 | 0     | 1    | comp. mismatch    | 0.125            | 0
R6 10K    | open        | read logic 1     | 0 Dang.     | 0.5   | 0     | 0.5   | 1    | comp. mismatch    | 0                | 0.5
C1        | short       | read logic 0     | 1 Safe      | 2     | 2     | 0     | 1    | comp. mismatch    | 2                | 0
C1        | open        | loose filter     | 1 Safe      | 0.5   | 0.5   | 0     | 0    |                   | 0                | 0
C2        | short       | read logic 0     | 1 Safe      | 2     | 2     | 0     | 1    | comp. mismatch    | 2                | 0
C2        | open        | loose filter     | 1 Safe      | 0.5   | 0.5   | 0     | 0    |                   | 0                | 0
Total failure rates                                      | 111   | 88.75 | 22    |      |                   | 86.875           | 22
Safe Coverage 0.9789
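The table's bottom line is a roll-up of the per-mode rows: safe and dangerous FIT, how much of each the diagnostics cover, and the resulting safe coverage. The following is an added example (my code, not exida's) that transcribes the rows above and recomputes those totals, then derives the figures the architectural-constraint check needs from the same data: diagnostic coverage of dangerous failures and the Safe Failure Fraction. Resistor-short rates are entered as 0.125 FIT, the unrounded value shown in the Safe column.

```python
"""Roll-up of the FMEDA table for the safety-rated input circuit.

Added example; the rows are transcribed from the table above, the code is not
exida's. Resistor-short FIT values are entered as 0.125 (the table prints 0.13
in the rounded FIT column and 0.125 in the Safe column).
"""
from collections import namedtuple

Mode = namedtuple("Mode", "component mode effect safe fit detected diagnostic")

# (component, mode, effect, safe?, FIT, detected by diagnostic?, diagnostic) - transcribed rows
ROWS = [
    ("R1 10K",  "short",       "threshold shift",  True,  0.125, False, ""),
    ("R1 10K",  "open",        "open circuit",     True,  0.5,   True,  "loose input pulse"),
    ("R2 100K", "short",       "short input",      True,  0.125, True,  "loose input pulse"),
    ("R2 100K", "open",        "threshold shift",  True,  0.5,   False, ""),
    ("D1",      "short",       "overvoltage",      True,  2.0,   True,  "loose input pulse"),
    ("D1",      "open",        "open circuit",     True,  5.0,   True,  "loose input pulse"),
    ("D2",      "short",       "overvoltage",      True,  2.0,   True,  "loose input pulse"),
    ("D2",      "open",        "open circuit",     True,  5.0,   True,  "loose input pulse"),
    ("OC1",     "LED dim",     "no light",         True,  28.0,  True,  "comp. mismatch"),
    ("OC1",     "tran. short", "read logic 1",     False, 10.0,  True,  "comp. mismatch"),
    ("OC1",     "tran. open",  "read logic 0",     True,  6.0,   True,  "comp. mismatch"),
    ("OC2",     "LED dim",     "no light",         True,  28.0,  True,  "comp. mismatch"),
    ("OC2",     "tran. short", "read logic 1",     False, 10.0,  True,  "comp. mismatch"),
    ("OC2",     "tran. open",  "read logic 0",     True,  6.0,   True,  "comp. mismatch"),
    ("R3 100K", "short",       "loose filter",     True,  0.125, False, ""),
    ("R3 100K", "open",        "input float high", False, 0.5,   True,  "comp. mismatch"),
    ("R4 10K",  "short",       "read logic 0",     True,  0.125, True,  "comp. mismatch"),
    ("R4 10K",  "open",        "read logic 1",     False, 0.5,   True,  "comp. mismatch"),
    ("R5 100K", "short",       "loose filter",     True,  0.125, False, ""),
    ("R5 100K", "open",        "input float high", False, 0.5,   True,  "comp. mismatch"),
    ("R6 10K",  "short",       "read logic 0",     True,  0.125, True,  "comp. mismatch"),
    ("R6 10K",  "open",        "read logic 1",     False, 0.5,   True,  "comp. mismatch"),
    ("C1",      "short",       "read logic 0",     True,  2.0,   True,  "comp. mismatch"),
    ("C1",      "open",        "loose filter",     True,  0.5,   False, ""),
    ("C2",      "short",       "read logic 0",     True,  2.0,   True,  "comp. mismatch"),
    ("C2",      "open",        "loose filter",     True,  0.5,   False, ""),
]
MODES = [Mode(*r) for r in ROWS]


def failure_rates(modes):
    """Sum FIT per category: lambda_S, lambda_SD, lambda_D, lambda_DD, lambda_DU."""
    s  = sum(m.fit for m in modes if m.safe)
    sd = sum(m.fit for m in modes if m.safe and m.detected)
    d  = sum(m.fit for m in modes if not m.safe)
    dd = sum(m.fit for m in modes if not m.safe and m.detected)
    return {"total": s + d, "safe": s, "safe_detected": sd,
            "dangerous": d, "dangerous_detected": dd, "dangerous_undetected": d - dd}


def safe_coverage(rates):
    """Fraction of safe failures a diagnostic reveals (the table's 'Safe Coverage')."""
    return rates["safe_detected"] / rates["safe"]


def diagnostic_coverage(rates):
    """Fraction of dangerous failures a diagnostic reveals (DC)."""
    return rates["dangerous_detected"] / rates["dangerous"]


def safe_failure_fraction(rates):
    """SFF = (lambda_S + lambda_DD) / lambda_total, the input to the architectural constraints."""
    return (rates["safe"] + rates["dangerous_detected"]) / rates["total"]


def undetected_dangerous(modes):
    """The modes that drive PFDavg: dangerous and not caught by any diagnostic."""
    return [m for m in modes if not m.safe and not m.detected]


if __name__ == "__main__":
    r = failure_rates(MODES)
    print(f"total {r['total']} FIT, safe {r['safe']}, dangerous {r['dangerous']}")
    print(f"safe coverage {safe_coverage(r):.4f}, DC {diagnostic_coverage(r):.2f}, SFF {safe_failure_fraction(r):.3f}")
    print("dangerous undetected modes:", [(m.component, m.mode) for m in undetected_dangerous(MODES)])
```

Every dangerous mode in this circuit carries Det. = 1, so the dangerous undetected rate is zero and the SFF comes out at 1.0; the 0.9789 printed on the slide is the safe coverage, which matters for the spurious-trip figure rather than for PFDavg. Adding one undetected dangerous row to ROWS is the quickest way to see how a single uncovered mode pulls both numbers down.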
– As technology advances it is becoming easier to achieve the required PFDavg.
– However, PFDavg is not the only safety metric that needs to be satisfied.
– Architectural constraints also need to be satisfied.
– Architectural constraints look at the Hardware Fault Tolerance (HFT) and the Safe Failure Fraction (SFF) of each subsystem to determine if the SIL has been met
Is Redundancy sufficient protection against SYSTEMATIC FAILURES?
REDUNDANCY IS NOT A PROTECTION AGAINST SYSTEMATIC FAILURES!
A single systematic fault can cause failure in multiple channels of an identical redundant system.
– Example: A command was sent into a redundant DCS. The command caused a controller to lock up trying to interpret the command. The diagnostics detected the failure and forced switchover to a redundant unit. The command was sent to the redundant unit, which promptly locked up as well.
• Equipment Capability
In order to combat Systematic Failures, IEC 61511 requires equipment used in safety systems to meet one of two requirements:
• IEC 61508 certification
  – Certified under IEC 61508 to the appropriate SIL level
• Prior Use
  – Justification based on “Proven in Use” criteria
  – Documented, successful experience (no dangerous failures)
  – A particular version of a particular instrument
  – Similar conditions of use
  – Functionality / Application Environment
Common objections to a Prior Use justification:
• “We do not have the failure data!”
• “I do not want to take responsibility for equipment justification!”
• “We do not take the time to record all instrument failures!”
• “This is a new instrument!”
• “I cannot justify PRIOR USE!”
Functional safety certification for devices is accomplished per IEC 61508. Products are certified to a Safety Integrity Level (SIL). The result is typically a certificate and a certification report.
SIL Certification Vendor showed
sufficient protection against Random and Systematic Failures
The exida web site also has a list of process industry instrumentation equipment with IEC 61508 certification. With several thousand unique visitors per month, this list has become the most popular global “purchase qualification list” for many buyers.
For every equipment type, exSILentia has a list of equipment showing certification status and all relevant data. Equipment on this list enjoys strong market exposure. exida customers are included in the list.
Where:
– PFDavg = Probability of Failure on Demand (average)
– SFR = Spurious Failure Rate
– MTTR = Mean Time To Repair
– TI = Test Interval
– S = Safe Detected Failures
– DU = Dangerous Undetected Failures
SILver is Safety Integrity Level verification according to IEC 61508 / IEC 61511. SILver calculates SIF performance parameters:
– PFDavg (Average Probability of Failure on Demand)
– MTTFS (Mean Time To Fail Spurious)
– SIL (Safety Integrity Level based on PFDAVG)
– SIL (Safety Integrity Level based on Architectural
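The two passages above (the architectural-constraint bullets under "The SIL achieved is the minimum of" and the SILver parameter list) describe the verification step without showing the arithmetic. The following is an added example that I wrote for this page; it is not SILver and not exida's code. It computes PFDavg for a single-channel (1oo1) subsystem with the common simplified expression, PFDavg ≈ λDU·TI/2 + λDD·MTTR, derives the SIL from the PFDavg band, checks the architectural constraint with the IEC 61508-2 Route 1H table (SFF versus HFT, Type A/B), and takes the minimum with the systematic capability. All failure rates, the test interval, MTTR and the capability value are assumed illustrative inputs; the simplified expression ignores common cause and proof-test coverage, and IEC 61511 edition 2 carries its own minimum-HFT table that is not reproduced here.

```python
"""SIL verification for a 1oo1 SIF subsystem: SIL achieved is the minimum of
SIL(PFDavg), SIL(architectural constraints) and SIL(systematic capability).

Added example, not exida's SILver code. Failure rates, test interval, MTTR and
SIL_CAP are assumed illustrative values. PFDavg uses the simplified 1oo1
approximation; the architectural table is IEC 61508-2 Route 1H.
"""

HOURS_PER_YEAR = 8760.0
FIT = 1e-9                # one FIT = one failure per 1e9 hours

# Assumed subsystem data (constructed for this example)
LAMBDA_S  = 1000.0        # safe failure rate, FIT
LAMBDA_DD =  800.0        # dangerous detected failure rate, FIT
LAMBDA_DU =  200.0        # dangerous undetected failure rate, FIT
TEST_INTERVAL_H = 1 * HOURS_PER_YEAR   # TI: proof-test interval
MTTR_H = 72.0                          # mean time to repair
HFT = 0                                # 1oo1: no hardware fault tolerance
TYPE_B = True                          # complex device, e.g. a smart transmitter
SIL_CAP = 2                            # systematic capability from certificate / prior use


def pfd_avg_1oo1(lambda_du_fit, lambda_dd_fit, ti_h, mttr_h):
    """Simplified 1oo1 PFDavg: an undetected dangerous fault waits on average TI/2
    for the proof test; a detected one waits MTTR for repair."""
    return lambda_du_fit * FIT * ti_h / 2 + lambda_dd_fit * FIT * mttr_h


def mttfs_hours(lambda_s_fit, lambda_dd_fit):
    """Mean time to fail spurious for a de-energize-to-trip channel in which safe
    and detected-dangerous failures both cause a trip."""
    return 1.0 / ((lambda_s_fit + lambda_dd_fit) * FIT)


def sil_from_pfd(pfd):
    """IEC 61511 demand-mode SIL bands."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    if pfd >= 1e-5:
        return 4
    raise ValueError("PFDavg below the SIL 4 band")


def safe_failure_fraction(lambda_s_fit, lambda_dd_fit, lambda_du_fit):
    """SFF = (lambda_S + lambda_DD) / lambda_total."""
    return (lambda_s_fit + lambda_dd_fit) / (lambda_s_fit + lambda_dd_fit + lambda_du_fit)


# IEC 61508-2 Route 1H: maximum SIL per (device type, SFF band) for HFT 0, 1, 2.
# SFF bands: 0 = < 60 %, 1 = 60 % to < 90 %, 2 = 90 % to < 99 %, 3 = >= 99 %.
_ROUTE_1H = {
    ("A", 0): (1, 2, 3), ("A", 1): (2, 3, 4), ("A", 2): (3, 4, 4), ("A", 3): (3, 4, 4),
    ("B", 0): (0, 1, 2), ("B", 1): (1, 2, 3), ("B", 2): (2, 3, 4), ("B", 3): (3, 4, 4),
}


def sil_from_architecture(sff, hft, type_b):
    """SIL allowed by the architectural constraints for the given SFF and HFT."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return _ROUTE_1H[("B" if type_b else "A", band)][min(hft, 2)]


def sil_achieved(pfd, sff, hft, type_b, sil_cap):
    """The SIL achieved is the minimum of the three individual SIL determinations."""
    return min(sil_from_pfd(pfd), sil_from_architecture(sff, hft, type_b), sil_cap)


def verify():
    """Run the verification on the assumed subsystem data and return all intermediate values."""
    pfd = pfd_avg_1oo1(LAMBDA_DU, LAMBDA_DD, TEST_INTERVAL_H, MTTR_H)
    sff = safe_failure_fraction(LAMBDA_S, LAMBDA_DD, LAMBDA_DU)
    return {
        "pfd_avg": pfd,
        "sil_pfd": sil_from_pfd(pfd),
        "sff": sff,
        "sil_ac": sil_from_architecture(sff, HFT, TYPE_B),
        "sil_cap": SIL_CAP,
        "sil_achieved": sil_achieved(pfd, sff, HFT, TYPE_B, SIL_CAP),
        "mttfs_years": mttfs_hours(LAMBDA_S, LAMBDA_DD) / HOURS_PER_YEAR,
    }


if __name__ == "__main__":
    for key, value in verify().items():
        print(f"{key:13s} {value}")
```

With the assumed data the PFDavg of about 9.3e-4 alone would support SIL 3, but a Type B device with SFF of 90 % and no fault tolerance is limited to SIL 2 by the architectural constraints, and the capability is SIL 2 as well, so the SIL achieved is 2. That is the point of the bullets above: a good PFDavg is necessary but not sufficient, and raising HFT (a 1oo2 arrangement, which also changes the PFDavg expression) or the SFF is what moves the architectural limit.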
Shamoon virus takes out 30,000 computers at Saudi Aramco
US Defense Secretary issues strong warning of cyber attacks on US critical infrastructure
DHS issues alerts about coordinated attacks on gas pipeline operators
Control systems operate industrial plant equipment and critical processes. Tampering with these systems can lead to:
– Death, Injury, Sickness
– Environmental releases
– Equipment Damage
– Production loss / service interruption
– Off-spec / Dangerous product
– Loss of Trade Secrets
Control system security is about preventing intentional or unintentional interference with the proper operation of the plant.
Key Principles for Securing ICS
Step 1 – Assess Existing Systems
Step 2 – Document Policies & Procedures
Step 3 – Train Personnel & Contractors
Step 4 – Segment the Control System Network
Step 5 – Control Access to the System
Step 6 – Harden the Components of the System
Step 7 – Monitor & Maintain System Security
Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services
“Independent provider of Tools, Services and Training supporting Customers with Compliance and Certification to any Standards for Functional Safety, Cyber Security and Alarm Management”
Rainer Faller
– Former Head of TÜV Product Services
– Chairman German IEC 61508
– Global Intervener ISO 26262 / IEC 61508
– Author of several Safety Books
– Author of IEC 61508 parts
Dr. William Goble
– Former Director Moore Products Co.
– Developed FMEDA Technique (PhD)
– Author of several Safety Books
– Author of several Reliability Books
– Experience – exida has done more certification projects in the process industries for currently marketed products than any other certification company.
– Excellence / Competency – We have staff with a cumulative experience of several hundred years in automation functional safety and dependability. exida is active in the 61508 (functional safety) and ISA 99 (security) committees and has developed many of the functional safety analysis techniques.
– Market Support / Data – exida supports the end user with analysis and data. That data goes into the exSILentia tool. exida provides training for field personnel.
– Broad Capabilities – exida can offer functional safety, security and Integrity Certification.
exida publishes analysis techniques for functional safety. exida authors ISA best sellers for automation safety and reliability. exida authors the industry data handbook on equipment failure data.