Process Safety Basics - w3.siemens.co.in SIMATIC PCS 7 Solution Partner - PCS 7 Safety Specialist . Restricted / © Siemens AG 2014. All Rights Reserved. ... S7ftimeb.xls PCS 7 Refresh

Restricted / © Siemens AG 2014. All Rights Reserved. siemens.com/answers

Process Safety Basics Franz Handermann, Siemens

Siemens Process Automation Conference (SPACe) 2014, Gurgaon, India


Definition / Basic / Standards

Restricted / © Siemens AG 2014. All Rights Reserved.

IEC61508

IEC61511

There are sector-specific standards based on IEC 61508, such as

IEC 61511 for the process industry

(IEC 61513 for nuclear industry, IEC 62061 for machinery safety).

These sector standards are important for planners and operators

of corresponding plants.

International safety standards

IEC 61508 serves as basic standard and basis for safety standardization . It

covers all areas where electrical, electronic or PLC systems are used to

realize safety-related protection functions.

Introduction - Basics from IEC 61511




PROCESS SECTOR INSTRUMENTED

SYSTEM STANDARDS

PROCESS SECTOR

SOFTWARE

PROCESS SECTOR

HARDWARE

FOLLOW

IEC 61511

USING

HARDWARE

DEVELOPED AND

ACCESSED

ACCORDING TO

IEC 61508

FOLLOW

IEC 61511

USING PROVEN-

IN-USE

HARDWARE

DEVICES

FOLLOW

IEC 61508

DEVELOPING NEW

HARDWARE

DEVICES

FOLLOW

IEC 61508-3

DEVELOPING

EMBEDDED

(SYSTEM)

SOFTWARE

FOLLOW

IEC 61508-3

DEVELOPING

APPLICATION

SOFTWARE USING

FULL

VARIABILITIY

LANGUAGES

FOLLOW

IEC 61511

DEVELOPING

APPLICATION

SOFTWARE USING

LIMITED

VARIABILITY

LANGUAGES OR

FIXED PROGRAMS




PROCESS SECTOR INSTRUMENTED

SYSTEM STANDARDS

• IEC 61511

Safety instrumented

systems designers,

integrators and end users

• IEC 61508

Manufacturers and

supplier of devices



• IEC 61511

Safety instrumented

systems designers,

integrators and users

The BIS is the national Standards Body of India working under

the aegis of Ministry of Consumer Affairs, Food & Public Distribution,

Government of India.

Bureau of Indian Standards (BIS)

• IS 61511




• IS 61511





Aim of Process Safety

• Required reduction of

the process risk, which

is arising from process

conditions which are

caused by unusual

events, to a tolerable

level. Targets of the

protection are:

Environment Personnel Machine Process

Protection: A legal requirement Protection: Makes economic sense

Safe operation of plants and machines. Aim

Hazards caused by malfunctions must be prevented before they arise.

Objective of safety engineering


Definition in the Standard:

Safety is the freedom from unacceptable risk of harm.

Risk is the result of multiplication between

the frequency of accidents and their consequences.

Safety Integrity Level, Standards


C: Consequence of failure

P: Probability of harm occurrence

Actual risk Tolerable

= C x P risk <

Basis of Hazard and Risk Assessment


If the acceptance limit is exceeded, measures must be

taken to achieve or to go below it.

necessary risk reduction

Standards and rules describe measures to

reduce risk to an accepted level.

What to do, if the acceptance limit of risk is exceeded?


Safety Integrety Level, Risk Reduction

Requirement

Risk

Risk for a

technical

facility

Acceptable

risk

Remaining

risk

Partial risk

covered by non

technical measures

Partial risk covered by safety measures

Risk

without safety

devices

Electr. safety system

(SIS) Mech. safety system

Neccessary risk reduction

Actual risk reduction

SIS… safety instrumented system


Plant

personnel

intervenes

Safety system

(automatic)

Basic

automation

Overpressure valve, rupture disc

Collection basin

Active protection

Passive protection

Disaster protection Disaster protection

Safety Instrumented

System (SIS)

Process value

Process alarm

Normal activity

Process control

system (BPCS)

Safety shutdown

SIS… safety instrumented system

BPCS… basic process control system

Safety concept for a plant


Some thoughts about product liability

Causes of Major Incidents - Failure Analysis of Control Systems

Note : Based on 34 investigated incidents in the UK

Health and Safety Executive (GB): Out of Control.

Why control systems go wrong and how to prevent failure.

HSE Books 1995

44,1%

20,6%

14,7%

5,9%

14,7% Design & implementation

Installation & commissioning

Operation & maintenance

Changes after startup

Specification


Some thoughts about product liability

Allocation of Failures to Plant Lifecycle

Safety Lifecycle

Competence of persons

Technical Requirements

Safety- Management

+

+

Failure root causes

Plant Lifecycle

Specifications

Design & Implementation

Changes after Commissioning

Installation & Commissioning

Operation & Maintenance

Analysis


Required Safety Competence Company Cerification in the Solution Partner Program


Company Certification

Solution Partner Program

PCS 7 Safety Specialist

Process Safety Certifications

Safety Community PA

Knowledge Exchange

Personnel Certification

Siemens Functional Safety

Professional SFSP (SIS)

SOP…Solution Partner

PA…Process Automation

SIS…Safety Instrumented System

Certified PCS 7 SOP

Safety in the Process Industry


Requirement

Certification

Project-

Evaluation

PCS 7

F-Technic

Workshops

Functional

Safety

Workshops

PCS 7 Safety Specialist Company

Quality-

Management /

IEC 61511

Safety Audit KPI

trained Employees

Re-Certification

certified PCS 7 Solution Partner Company

The SIMATIC PCS 7 Solution Partner - PCS 7 Safety Specialist


TUEV – Functional Safety

in the Process Industry

2 days (with exam)

Introduction to functional safety

Accident cause and product liability

Overview IEC 61508 / IEC 61511

Functional safety management

Safety lifecycle

- Risk analysis

- Allocation of safety functions to

protection layers

- Safety requirement specifications

- Design and engineering of safety

instrumented functions

- Installation and commissioning

- Operation and maintenance

- Modification (MOC) & Decommissioning

IEC 61511 – Practical Use

2 days

Practical use of the IEC 61511

Typical applications

Safety lifecycle with it steps:

- Hazard and risk assessment

- Allocation of safety functions to

protection layers

- Safety requirements specification

- Design and engineering of safety

instrumented function

- SIF verification (SIL calculation)

PCS 7 Process Safety

3 days (with exam)

Basics from IEC 61511

LOPA (Layer of Protection Analysis)

PFD (Probability of Failure on Demand),

Calculation of an SIF (Safety

Instrumented Function)

System architecture and diagnostics

Overview about F-Hardware

Parameter in HW- Configuration (safety

mode, sensor evaluation, addressing,

monitoring time, H-Parameter)

F-Library system functions

F-Library user functions

Wiring and Voting

Safety Matrix

Calculate and adjust F-times using

S7ftimeb.xls

PCS 7 Refresh –

Focus F-Technic

2 days

Theoretical basics and practical

exercises such as:

Multi-project

HW (fail safe) and net configuration

Technical hierarchy

CFC, SFC, OS engineering

Quality Process Safety

1,5 days

Safety applications

Up-Date safety knowledge

WS FS 14 E 01 WS PU 14 E 01 WS PS 14 E 01 WS REF 14 E 01

WS QS 14 E 01

must workshops

optional

workshop

optional

workshop

The PCS 7 Safety Specialist Solution Partner Program

Workshops and Description


Required Safety Competence Personal Cerification


Company Certification:

Functional Safety certified

Supplier / Contractor

Siemens Solution Partner

PCS 7 Safety Specialist

Personnel Certification:

Project Management with

Functional Safety certified Employee

PA…Process Automation

Safety Project Requirements

of the Market







Siemens Employee

System Integrator

End Customer

Functional Safety

Management FSM

Siemens Functional Safety Specialist for Process Automation: SFSP (SIS)


WS TÜV Functional Safety for Process Industry + Exam / Certification

WS PCS 7 Process Safety (F-Technology) + Exam

WS IEC 61511 – Practical Use

SFSE

Certificate

10 Year Experience

Evaluation for SFSE

PCS 7

Business

Knowledge Skills

Project & Technical Skills

Employees Know-How

PCS 7

Business

SFSP Certificate Siemens Functional Safety Professional

Experience Skills

3 Years Experience in Process Safety

2 Project Evaluation

Siemens Functional Safety Expert

Siemens Functional Safety Specialist: Process Automation


http://www.tuev-sued.de/rail-en/training-for-automation-sector/functional-safety-certification-program-fscp/certified-people

Siemens Functional Safety Professional (SFSP)


Safety Management … FSM


Safety Integrity Level (SIL)

English: Safety Integrity Level (SIL)

All measures have to be realized in order to achieve the required safety integrity

Determination of the required

safety integrity level out of

the hazard and risk analysis

(e.g. HAZOP)

SIL

Functional Safety

Management

Technical

design measures

(hard- and

software)

Required measures to

achieve the demanded

safety integrity Structured

safety life-cycle



English: Functional Safety Management (FSM)

Goal: Provision of the organizational general framework for the required safety activities throughout the safety lifecycle

Realization: The realization is made in two steps:

Reference: IEC 61511-1, chapter 5

Management of functional safety

Project independent FSM Project specific FSM

Add-on to the existing quality management system

regarding the needs of functional safety

Planning and follow-up of the safety activities in the

appropriate project

Determination of responsibilities Project Safety Manager

Operating procedures Safety Plan

Templates Verification and validation

Independent assessment

Gaps in many companies due to personnel turnover, changes in the organization (mergers, acquisitions) etc.








(e.g. HAZOP)

SIL

Functional Safety

Management

Technical

design measures

(hard- and

software)




safety life-cycle


The IEC 61511 (ISA S84, IS 61511, DIN EN 61511, VDE 810,…) Safety Lifecycle

Risk Analysis and Protection Layer Design

Sub-clause 8

Allocation of Safety Functions to Safety Instrumented Systems

or other means of risk reduction

Sub-clause 9

Safety Requirements Specification

for the Safety Instrumented

System

Sub-clause 10

Design and Development of

Safety Instrumented System

Sub-clause 11

Design and Development of

other means of Risk Reduction

Sub-clause 9

Installation, Commissioning and Validation

Sub-clause 14

Operation and Maintenance

Sub-clause 15

Modification

Sub-clause 15.4

Decommissioning

Sub-clause 16

Management

of Functional

Safety and

Functional

Safety

Assessment

Sub-clause 5

Safety

Lifecycle

Structure

and

Planning

Sub-clause

6.2

Verification

Sub-clause

7, 12.7


Steps in the Analysis Phase

Page 31

Process Hazard Analysis (PHA) / Consequence Analysis

• Safety Standards require all processes to be evaluated for the inherent risk of a

hazardous condition

Layer Of Protection Analysis

• When these risks are identified, various means of protection can be used in

layers to mitigate these risks to an acceptable (tolerable) level

Safety Integrity Level (SIL) Selection

• A level of desired risk reduction can be assigned to each protection layer

Safety Requirements Specification

• Protection layers, safety functions, desired SIL,

etc. must be documented

Safety

Requirements

Specification


PHA Example

Process

example


PHA Example

Pressure SIF

(detail)

SIF… safety instrumented function


Safety Integrety Level

The safety integrity level (SIL) specifies the necessary risk reduction of

safety instrumented functions (SIFs)

Safety Integrity Level

Probability of failure on demand (PFD)

(Demand mode of operation)

Risk reduction factor = 1/PFD

SIL 4

SIL 3

SIL 2

SIL 1

>=10-5 to <10-4

>=10-4 to <10-3

>=10-3 to <10-2

>=10-2 to <10-1

100000 to 10000

10000 to 1000

1000 to 100

100 to 10


Steps in the Realization Phase

Page 35

Reliability and Safety Evaluation

• Select technology/ architecture for sensors, logic, and final elements

• Determine test philosophy (e.g. proof test intervals)

• Evaluate SIF to ensure it provides the desired level of risk reduction

SIS Detailed Design

SIS Installation/Commissioning


Steps in the Operation Phase

Page 36

Operation/Maintenance Planning

• Establish procedures for operation and maintenance of the SIS; including periodic proof testing

• Must follow manufacturer’s installation and operation guidelines

Pre-startup Safety Assessment

• User must verify the system operates according to the Safety Requirements Specification

Operation

• Startup / Operation

• Maintenance / Periodic Proof Tests

• Bypass & Override Management

Modification

• User must repeat Safety Lifecycle steps when

modifying SIS

Decommissioning


Safety lifecycle acc. IEC 61511

Aim:

Avoidance of systematical failures

during design, installation

commissioning, operation and

decommissioning of safety related

functions

Realization:

Structured safety process according

IEC 61511

Risk analysis (e. g. HAZOP)

Allocation of safety functions to protection layers (SIL)

Specification of the safety requirements

(SRS)

Design and engineering of the safety related function

Decommissioning

Modification

Operation and maintenance

Installation, commissioning and validation of the

safety related function

Risk analysis (e. g. HAZOP)

„Interface“ of the process world in the

automation world

Referenz: IEC 61511-1, Kapitel 6


Project Stages and Responsibilities according to IEC 61511

The whole responsibility lies according in each project phase with the EPC and end-user

Interdependence of purchaser, contractor, sub-contractor etc. particularly in international business

Scope of supply, limit of supply and responsibilities have to be clearly defined

Changes and

decommis-

sioning

Operation and

maintenance

(incl. proof

tests)

Installation,

commissioning

and validation

Design and

Designverifi-

cation for

each SIF

Specification

of safety

requirements

for each SIF

Verification

Risk analysis

and allocation

of safety

requirements

Each phase in the safety lifecycle must be verified

EPC

Enduser

EPC EPC

PCS supplier

Installer

PCS supplier

End-user EPC

End-user

Verification Verification Validation Verification

2

5

6

3

4

1 Project safety plan

Verification and validation plan,

Functional Safety Assessment

Plan

Safety requirement specification

Engineering guideline

Functional design specification

Test plan

1 2 3 4 5 6


Technical Requirements








(e.g. HAZOP)

SIL

Functional Safety

Management

Technical

design measures

(hard- and

software)




safety life-cycle


Goal:

• To increase the robustness against random (H/W only) and systematic failures

Realization:

• The realization is made in three steps:

Reference: IEC 61511-1, chapter 11 & 12

• Redundancy requirements

• Structural requirements

e.g. 1 out of 2 sensors

System & H/W architecture

• Requirements to the

probability of failure/

failure rate

System reliability

• Requirements for a

structured V-cycle

S/W development &

implementation process

Technical design measures


Restricted / © Siemens AG 2014. All Rights Reserved. SIS … safety instrumented system

Different SIS Architectures

Safety PLC’s use different architectures and

strategies to achieve safety integrity

Different SIS’s have different levels of

inherent fault tolerance

(availability or spurious trip rate)

Safety & Availability are independent issues - not related

Field device voting for safety is independent of

device voting for availability


Architectures


Time redundancy and instruction diverse processing

Time Redundancy and Software Diversity

instead of using two µPs (hardware redundancy)

Logical program execution and data flow monitoring, Diagnostics > 99%

Bool and Word operations processed in different “Processing Units” PU of the SIEMENS ASIC

2 independent hardware timer

Safety mechanisms in the CPU (SIMATIC S7-400 F) - 1oo1D “extended”

Time Time Redundancy

Operands

Encoding

Diversity Operands

Operation

Diversity Operation

Result

Diversity Result

Comparison Stop

A, B (Bool)

/A, /B (Word)

C

D = /C

At D /C

AND

OR

¹


Safety

1oo1D up to SIL3 1oo2D up to SIL 3

System Architecture - Central Controller Module

Diagnostic Circuit Diagnostic Circuit

µP

µP

2oo3

µP

2oo3

µP

2oo3

µP

2oo3 up to SIL 3

2oo3

µP

µP

µP

2oo3 up to SIL 3


Safety and Availability

2x 1oo1D each

up to SIL3

2x 1oo2D each

up to SIL 3


Diagnostic Circuit

µP

µP

2oo3

µP

2oo3

µP

2oo3

µP

2oo3 up to SIL 3

2oo3

µP

µP

µP

2oo3 up to SIL 3

Diagnostic Circuit

µP

µP

often named

2oo4D system

Diagnostic Circuit

Diagnostic Circuit



2x 1oo1D each

up to SIL3

2x 1oo2D each

up to SIL 3


Diagnostic Circuit

µP

µP

2oo3

µP

2oo3

µP

2oo3

µP

2oo3 up to SIL 3

2oo3

µP

µP

µP

2oo3 up to SIL 3 Diagnostic Circuit

µP

µP

Diagnostic Circuit

Diagnostic Circuit

1oo2 with time

limitation up to SIL 3

1oo2 with time

limitation up to SIL3



2x 1oo1D each

up to SIL3

2x 1oo2D each

up to SIL 3


Diagnostic Circuit

µP

µP

2oo3

µP

2oo3

µP

2oo3

µP

2oo3 up to SIL 3

2oo3

µP

µP

µP

2oo3 up to SIL 3 Diagnostic Circuit

µP

µP

Diagnostic Circuit

Diagnostic Circuit

1oo2 with time

limitation up to SIL 3

1oo2 with time

limitation up to SIL3


System Structure and Degradation

TÜV cooperation for functional safety

http://www.tuv-fs.com/index.htm

http://tuvasi.com/

http://www.tuev-sued.de/



2x 1oo1D each

up to SIL3

2x 1oo2D each

up to SIL 3


Diagnostic Circuit

µP

µP

2oo3

µP

2oo3

µP

2oo3

µP

2oo3 up to SIL 3

2oo3

µP

µP

µP

2oo3 up to SIL 3

Diagnostic Circuit

µP

µP

Diagnostic Circuit

Diagnostic Circuit

100% one fault tolerant architecture in the central controller level


Architectures of the SIF


Single digital sensors in 1oo1D for SIL 2

Single digital and analogue sensors in 1oo2D for SIL 3

Single outputs in 1oo2D for SIL 3

Single controller for SIL 3 (with time redundancy, software diversity and diagnostics >99%)

Input Module Controller Module Output Module

Diagnostic Circuit

Input Circuit

Input Circuit

CPU

CPU

.

.

.

. Main Switch

Diagnostic Circuit

CPU

CPU

Output Circuit

1oo2D for SIL3

1oo1D for SIL2


System Design SIMATIC S7-400 F

Single Loop – only Safety Related

Diagnostic Circuit


Output Module

.

.

.

. Main Switch

Diagnostic Circuit

CPU

CPU

Output Circuit

1oo2D up to SIL 3



SIMATIC F-DO with two Output Driver in

series… two Shut Down ways 1oo2,

HFT = 1 full filled the SIL 3 requirements

according the IEC 61511.


Single or dual sensors for inputs

Redundant circuitry within I/O modules

Redundant output circuits

One controller up to SIL 3 (with time redundancy, software diversity and diagnostics >99%)


Diagnostic Circuit

Input Circuit

Input Circuit

CPU

CPU

.

.

.

. Main Switch

Diagnostic Circuit

CPU

CPU

Output Circuit

1oo2D for SIL3

1oo1D for SIL2




Diagnostic Circuit


Diagnostic Circuit

Structure like 2oo4 Systems, with high availability!!!


Diagnostic Circuit

Input Circuit

Input Circuit

CPU

CPU

.

.

.

. Main Switch

Diagnostic Circuit

CPU

CPU

Output Circuit

Diagnostic Circuit

Input Circuit

Input Circuit

CPU

CPU

.

.

.

. Main Switch

Diagnostic Circuit

CPU

CPU

Output Circuit

2x (1oo2D for SIL3) 2x (1oo2D) 2x (1oo1D “extended”)

2oo2 of SIL 3 controller

System Design SIMATIC S7-400 FH

Fully-Redundant Setup

Diagnostic Circuit

Restricted / © Siemens AG 2014. All Rights Reserved. µ

P2

µP

3µ

P1

CH

2C

H3

CH

1

vo

tin

g

CM

1C

M3

CM

2

CH

2C

H3

CH

1

PT

x

CH

2C

H3

CH

1

PT

x

CH

2C

H3

CH

1

PT

x

CH

2C

H3

CH

1

vo

tin

g

System Architecture

SIF: “2oo3” Input Loop and “2oo2” Output Loop in a TMR System



Diagnostic Circuit

Input Circuit

Input Circuit

CPU

CPU

.

.

.

. Main Switch

Diagnostic Circuit

CPU

CPU

Output Circuit

Diagnostic Circuit

Input Circuit

Input Circuit

CPU

CPU

.

.

.

. Main Switch

Diagnostic Circuit

CPU

CPU

Output Circuit

3x (1oo2D)

2x (1oo1D “extended”) 2x (1oo2D) Diagnostic Circuit

Input Circuit

Input Circuit

CPU

CPU

L+

L+

System Architecture

SIF: “2oo3” Input Loop and “2oo2” Output Loop with SIMATIC S7-400 FH

Diagnostic Circuit

Diagnostic Circuit


Voting in S7-400FH CPU

Sensor 1

Sensor 2

Sensor 3

F 2oo3 Analog Voter Block (Mid-Select)

F_1oo2_R

Safety Matrix™

the 2oo3 voting for the Sensors

are realized in the CPU

in the user program


Flexible Modular Redundancy ©

Siemens provides with the

Flexible Modular Redundancy ™

concept a high level of

flexibility and scalability

for different safety-requirements

for different availability-levels

for plant structure and specific requirements

for the extension of existing systems

AI

DI

DO

DO

AI

AI

DI

DO

DO

AI

AI

Triple

Simplex

Dual


Flexible Modular Redundancy ©

IO and Field Device redundancy can be matched to:

• Minimize cost

• Maximize availability

AI

DI

DO

DO

AI

AI

DI

DO

DO

AI

AI

2oo3 PT 1oo2 Valves

Dual

Triple

1oo1 LS Simplex

simplified


Safety integrity via diagnostics rather than

voting

All architectures provide SIL 3 safety AND

availability

Fault tolerance is scalable rather than fixed -

mix & match I/O structures

Process availability not always impacted by

SIS availability

Siemens architecture gives you the choice to

pay for the availability you need

Please ask the right requirement

…according the IS 61511 and your plant

SIL3

µP2 µP3µP1

CH2 CH3CH1

CH2 CH3CH1

voting

CM1 CM3CM2

Summary – Differences in Architectures


Franz Handermann

Industry IA AS S MP 8

Process Safety Partner Manager

Siemensallee 84

76187 Karlsruhe

Phone: +49 (721) 595-4516

Email: [email protected]

Thank you for your attention!

siemens.com/answers

Process Safety Basics - w3.siemens.co.in SIMATIC PCS 7 Solution Partner - PCS 7 Safety Specialist . Restricted / © Siemens AG 2014. All Rights Reserved. ... S7ftimeb.xls PCS 7 Refresh

Documents