2013 Honeywell Users EMEA Nice. Johan School. Concepts and Implementation of Process Risk Management using Safety Manager

Transcription

1 2013 Honeywell Users EMEA Nice Johan School Concepts and Implementation of Process Risk Management using Safety Manager 1

2 Agenda Introduction What about safety Safety Instrumented Systems Industry Standards & Risk analysis Honeywell Safety project services Honeywell Safety Management Systems Operational integration; The human factor approach Introduction to Cyber security Q&A 2

3 About your presenter Johan School 19 years with Honeywell Product Manager Safety Solutions Active member national and international standard committees TÜV Functional Safety engineer 3

4 2013 Honeywell Users EMEA Nice What about Safety? 4

5 Introduction to Safety standards Compliance Safety Process Availability Risks Cost 5

6 IEC A safety umbrella for the world ed ed

7 Types and names of SIS Instrumented Protective Systems Safety Interlocks Safety Related Systems Emergency Shut-down Systems Burner Management Systems Fire & Gas Systems High Integrity (Pressure) Protection System 7

8 Technologies applied during the last 80 years Electromechanical based technology Replacement of hydraulic and pneumatic operating equipment Electronic (solid state) technology Replacement of relay based safety systems Programmable electronic technology Replacement of solid state safety systems Increasing functionality and complexity 8

9 Terminology E/E/PE: Electrical / Electronic / Programmable Electronic PES: Programmable Electronic System PFD: Probability of Failure on Demand SF: Safety Function SIF: Safety Instrumented Function BPCS: Basic Process Control System SIS: Safety Instrumented System EUC: Equipment Under Control EUCcs: EUC control system RR(F): Risk Reduction (Factor) SRS: Safety Related System SRS: Safety Requirements Specification SIL: Safety Integrity Level PST: Process Safety Time SLC: Safety Life Cycle LS: Logic Solver SLS: Safety Logic Solver 9

10 Layers of Protection It is important to have the right layers of protection With a clear understanding of how work errors or incidents develop, and with the many tools available to help mitigate these situations, one can plan for the inevitable. Anatomy of Disaster Protection is Key A typical process plant has many variables in many processes that under normal circumstances operate within the normal limits of process control 10

11 Protection is Key An abnormal situation can evolve from an operating upset that could potentially become a catastrophic event involving serious destruction and harm to the plant and/or the surrounding community. 11

12 Some incidents as found on the ASM consortium website (Oct 2013) 12 Direct link:

13 IEC Key Item 1: risk reduction Residual risk Acceptable risk EUC risk Necessary risk reduction Actual risk reduction Increasing risk Partial risk covered by other technology safety-related systems Partial risk covered by E/E/PE safety-related systems Partial risk covered by external risk reduction facilities Risk reduction achieved by all safety-related systems and external risk reduction facilities 13

14 What is Risk? Risk is defined as the combination of the frequency of occurrence of harm and the severity of that harm UNACCEPTABLE RISK FREQUENCY ACCEPTABLE RISK SEVERITY 14

15 IEC Safety Integrity Levels Target failure measures for a safety function, allocated to an E/E/PE safety-related system TABLE 2: SAFETY INTEGRITY LEVELS: TARGET FAILURE MEASURES SAFETY INTEGRITY LEVEL (SIL) Low demand mode of operation (Average probability of failure to perform its design function on demand) High demand or continuous mode of operation (Probability of a dangerous failure per hour) 10-5 to < to < to < to < to < to < to < to <

16 Risk based on Frequency and Severity of consequence Severity Frequency Risk Once in 20 million flights Globally per year, ie 5 x 10E-8 1 x 10E-5 LOWER Plane crash 200 deaths 10 times in road incidents per year in a large City ie, 1 x 10E-3 2 x 10E-3 HIGHER Car crash 2 deaths 16

17 Costs of risk <-> Costs of Safeguarding Costs Optimum Total costs Costs of safeguarding Costs of risk Level of safe-guarding Level of Risk reduction Vs Cost 17

18 Protection Layer Part 1, of IEC 61511: any independent mechanism that reduces risk by control, prevention or mitigation 18

19 IEC LOPA-model COMMUNITY EMERGENCY RESPONSE Emergency Broadcasting PLANT EMERGENCY RESPONSE Evacuation Procedures MITIGATION Mechanical Mitigation Systems Safety Instrumented Control Systems Safety Instrumented Mitigation Systems Operator Supervision PREVENTION Mechanical Protection System Process Alarms Operator Supervision Safety Instrumented Control Systems Safety Instrumented Prevention Systems CONTROL and MONITORING Basic Process Control Systems Monitoring Systems (process alarms) Operator Supervision PROCESS 19

20 Layers Of Protection Figure 9 of IEC

21 Layered safety approach Emergency shutdown Burner management Fire and Gas 21

22 2013 Honeywell Users EMEA Nice Safety instrumented Systems 22

23 SIS,SIF and SIL Safety Instrumented System A system composed of sensors, logic solvers, and final control elements for the purpose of automatically taking the process to a safe state when predetermined conditions are violated. Safety Instrumented System (SIS) Basic Process Control System Inputs Outputs Inputs Outputs PT 1A PT 1B I / P FT Reactor 23

24 SIS,SIF and SIL Safety Instrumented Function Temperature transmitter SAFETY INSTRUMENTED FUNCTION Temperature transmitter Solenoid Shut-off valve Level switch Logic Solver (PLC) MCC Flow transmitter Solenoid Globe valve Safety Instrumented System 24

25 What is the safety system? Sensor Logic Solver Final Element 25

26 As good as the Weakest Link Sensor SIL2 Logic Solver SIL3 Final Element SIL1 Complete loop SIL2 + SIL3 + SIL1 = SIL1 26

27 2013 Honeywell Users EMEA Nice Industry standards & Risk analysis 27

28 28 Safety Standards - Compliance to what?

29 Prescriptive and Normative standards Prescriptive standards specify the requirement to meet the code while normative or performance based standards only give a guideline to the designer / end user. Some examples: While NFPA 72 is a prescriptive the IEC / and ISA standards are normative. NFPA 72 code is primarily intended for Fire protection inside buildings. Other standards like EN54 is a performance based standard with some prescriptive guidelines 29

30 Common standards used in the Process industry IEC is a standard written with an intent to help design and develop products which are SIL rated for any industry. Manufactures of components for Safety Instrumented Systems are required to design their hardware and software in accordance with the international IEC61508 standard. IEC (ISA84.01) has been written to help analyze, design, realize, install, commission and maintain SIL loops for the Process industry. Safety Instrumented System designers, integrators and users should follow the international industry specific IEC61511 standard. 30

31 What does IEC61511or ISA require? IEC 61511/ISA covers the design and management requirements for SISs from cradle to grave. Its scope includes: initial concept, design, implementation, operation, and maintenance through to decommissioning. It starts in the earliest phase of a project and continues through startup. It contains sections that cover modifications that come along later, along with maintenance activities and the eventual decommissioning activities. 31

32 Safety best engineering practices Best engineering practices with regard to the application of Safety Instrumented Systems in the process industries concern the following: Hazard and risk assessment methodologies Safety Requirements Specification / SIL Selection SIS design concepts Reliability Analysis techniques, RBD, FMEA, Markov SIS validation techniques SIS operation, maintenance and testing SIS-related Process Safety Management Safety Lifecycle Management Safety verification, validation, audits and assessments All of these are covered within IEC

33 Safety best engineering practices Taking shortcuts through the Safety Life-Cycle to save money may result in serious consequences and long-term expense. It is well known that accidents do and will continue to happen in the process sector. As our awareness of IEC61508 and IEC61511 continues to grow and we strive to implement best industry practices, the process sector will be pacesetters when it comes to safety, plant reliability and the environment. 33

34 34 Safety Life Cycle per the standards (IEC61511)

35 The Safety Life Cycle simplified Conceptual Process Design Develop Safety Requirements Specification Establish Operation & Maintenance Procedures Perform Process Hazard Analysis & Risk Assessment Perform SIS Conceptual Design, and verify it meets the SRS Pre-startup Safety Review (Assessment) Apply non-sis protection layers to prevent identified hazards or reduce risk Perform SIS Design Detail SIS Startup Operation, Maintenance Periodic Functional testing No SIS Required? Yes SIS Installation Commissioning and Pre-Startup Acceptance Test Modify or Decommission SIS? Decommission Define Target SIL SIS Decommissioning 35 Analysis phase Realization phase Operation phase

36 1. Hazard and Risk Assessment Output is a list of hazardous events with their process risk and acceptable risk. 36

37 2. Allocation of Safety Functions Often called SIL Analysis or SIL Determination Output is a list of Safety Instrumented Functions together with their required Safety Integrity Level. 37

38 3. Safety Requirements Specification - SRS Defines functional and integrity requirements of SIS Output is set of documents ready for detail design. 38

39 SRS should include the following information (1) Description of all the SIF necessary to achieve the required functional safety; Requirements to identify and take account of common cause failures; Definition of the safe state of the process for each identified SIF; Definition of any individually safe process states which, when occurring concurrently, create a separate hazard (for example, overload of emergency storage, multiple relief to flare system); The assumed sources of demand and demand rate on the SIF; Requirement for proof-test intervals; Response time requirements for the SIS to bring the process to a safe state; The SIL target and mode of operation (demand/continuous) for each SIF; Description of SIS process measurements and their trip points; 39

40 SRS should include the following information (2) Description of SIS process output actions and the criteria for successful operation, for example, requirements for tight shut-off valves; The functional relationship between process inputs and outputs, including logic, mathematical functions and any required permissives; Requirements for manual shutdown; Requirements relating to energize or de-energize to trip; Requirements for resetting the SIS after a shutdown; Maximum allowable spurious trip rate; Failure modes and desired response of the SIS; Any specific procedure requirements for starting up and restarting the SIS; All interfaces between the SIS and any other system (including the BPCS and operators); Description of the modes of operation of the plant and identification of the safety instrumented functions required to operate within each mode; 40

41 SRS should include the following information (3) The application software safety requirements; Requirements for overrides/inhibits/bypasses including how they will be cleared; The specification of any action necessary to achieve or maintain a safe state in the event of fault(s) being detected in the SIS; The mean time to repair which is feasible for the SIS; Identification of the dangerous combinations of output states of the SIS that need to be avoided; The extremes of all environmental conditions that are likely to be encountered by the SIS shall be identified; Identification of normal and abnormal modes for both the plant as a whole (for example, plant start-up) and individual plant operational procedures (for example, equipment maintenance, sensor calibration and/or repair). Additional safety instrumented functions may be required to support these modes of operation; Definition of the requirements for any safety instrumented function necessary to survive a major accident event, for example, time required for a valve to remain operational in the event of a fire. 41

42 42 Cause-and-Effect Diagram SIFs commonly documented by Cause and Effect diagrams Should include SIL. SIL Instrument Range Trip Point Units CLOSE VALVE LZV-02 CLOSE VALVE UV-03A CLOSE VALVE UV-03B OPENS VALVE UV-03C Set LIC1 to MAN, OP=0 OPEN Deluge valve Tag# Description BS-01 Burner Loss of Flame 1 ~ ~ X X X PSL-01 Fuel Gas Pressure Low 2 ~ 7 X X X LZHH-02 LPG Tank High High Level mm X X F&G Det Fire and Gas Detectors 1 X

43 4. Design and Engineering SIS vendor for logic solver EPC contractor or end-user for field hardware. 43

44 Standards Compliance Target SIL must be specified for each SIF based on hazard and risk analysis Processes for SIS throughout lifecycle must comply Each SIF must meet target SIL requirements for: Random failure rate (PFD ave ) Architectural constraints ave Development process for each component. 44

45 Compliance to People Work Process People Technology Processes Product 45

46 5. Installation, Commissioning, Validation Logic Solver installed with field equipment Includes loop checking, validation and final functional safety assessment. 46

47 6. Operations, Maintenance and Modification User must follow a Functional Safety Management System for the lifetime of the SIS. 47

48 Operations and Maintenance Obligations Proof test each SIF at specified interval Monitor design assumptions Demand rates Component reliability Adjust test interval to suit process Control modifications Ensure Maintenance and Operational Overrides are used as designed Monitor and promptly follow-up diagnostics. 48

49 Responsibilities during the SLC (for logic solver) Activity Customer MAC EPC HAZOP Risk matrix R Conduct HAZOP S/A R Tolerable Risk criteria R Conduct SIL determination S/A R SIL verification (preliminary) A R? SRS generation S/A R System Design & Engineering A R S Installation, Validation A S R Commissioning R S S Operation R Maintenance, Modification R S R Responsible, S- Support, A-Approve 49

50 2013 Honeywell Users EMEA Nice Honeywell Safety Services Excellence 50

51 51 IEC Safety Lifecycle Services

52 IEC Safety Lifecycle Services Project Services 52

53 Honeywell Global Projects and Services Excellence Disciplines: Structured Global Operation by forming discipline based team for skills, processes, best practices, tools, knowledge and expertise deployment closely aligned with project engineering. Hardware and Field Engineering Systems Engineering Network and Interface Engineering Control Application Engineering Safety Engineering Operator Effectiveness Engineering Asset Effectiveness Engineering Plant Business Improvement Services Project Management and Lead Engineering Highest project quality and consistent global designs 53

54 Global Processes and Standard Builds SIS Modifications Operational life < SIS Modifications T (years) Global Project Execution Process & Tools TÜV certified (IEC 61511) Provides all documents, supportive guidelines & checklists and tools to execute safety projects. Based on proven-in-use Methods and Solutions (> 20 years). 54

55 55 Standard builds

56 Standard builds Solution Binder HMI Project Services Standard functions Standard Shapes 56

57 Recommended reading IEC IEC Seveso II Directive Guidelines for Safe Automation of Chemical Processes. CCPS, AIChE, New York, 1993 Guidelines for Technical Management of Chemical Process Safety - Center for Chemical Process Safety (CCPS) (1989) New York: American Institute of Chemical Engineers. 57

58 2013 Honeywell Users EMEA Nice Safety Management Systems 58

59 Integrated SIS evolution Advanced Experion integration & Universal Safety Logic Solver Safety Manager QPP-0002 and PCDI Remote Universal Safe IO Experion Safety Manager TUV Certification to IEC 61508/61511 SIL3 QMR Integrated into Experion FSC Integration to PlantScape FSC Integration to PlantScape and then to Experion TPS FSC Safety Manager Module SIS Integration with TDC/TPS FSC is certified to meet IEC SIL3 Honeywell Fail-Safe Controller (FSC FSC) Single and dual channel systems meet safety and availability objectives Pepperl & Fuchs Initial Purpose-built Systems Fault detection via testing, comparison and voting. Insufficient for TUV approval, move to Diagnostics-based solutions Redundant Standard PLCs (1-o-o-2) with added diagnostics 1980 Investigation with University of Eindhoven on GP-PLC s 1975 Relay-based technology 59

60 Global development London (ON) Unisim Fort Washington (PA) RIO development Integration test s-hertogenbosch Phoenix (AZ) Engineering tools Bangalore Builder Perth HMI Integration 60

61 Design Overview Fail Safe Design Fault Tolerant for Safety Continuous Testing of Safety Components Automatic and Accurate Fault Detection Isolation of Faulty Part Built on QMR Technology IEC SIL3 Compliant Safety: Freedom of Unacceptable Risk 61

62 Digital Output of a general purpose PLC + 24 Vdc 1 CPU Normally energized What can go wrong? LEAD BREAKAGE = Nuisance trip LOAD, e.g. SOV 0 Vdc 62

63 Digital Output of a general purpose PLC + 24 Vdc CPU 1 Normally energized SHORT CIRCUIT = Dangerous State What can go wrong? LOAD, e.g. SOV 0 Vdc 63

64 Digital Output Safety Manager + 24 Vdc CPU STATUS LOAD, e.g. SOV Diagnostics! 0 Vdc 64

65 Diagnostics within Safety Manager Memory check on processor and communication modules; Voting on processor level (1oo2D); Independent Watchdog; System Cycle Time check; Walking bit tests on data-busses; System temperature check; Voltage monitoring; Etc, etc, etc.. 65

66 Digital Output Safety Manager + 24 Vdc Secondary means of de-energization & 0 de-energized CPU STATUS STATUS Defect Short circuit 0 de-energized 0 Vdc LOAD, e.g. SOV 66

67 Digital Output Safety Manager Fault tolerance for availability via redundant hardware + 24 Vdc 0 de-energized 1 energized Secondary means of de-energization & & CPU STATUS STATUS STATUS STATUS 1 energized 0 Vdc LOAD, e.g. SOV 67

68 2013 Honeywell Users EMEA Nice Operational integration, the human factor approach 68

69 Operational integration: The human factor approach Advanced technology makes it possible to combine process Control and Safety Instrumented functions within a common automation infrastructure while ensuring regulatory compliance The most reliable approach to control and safety system integration maintains principles of segregation, with safety and control strategies developed by different groups using dedicated methods. Operational integration based on the separation principle offers better support for plant life-cycle management. 69

70 Operational integration: The human factor approach 1 st Transparency 2 nd Communication How to achieve an integrated control and safety solution with advanced functionality and productivity, without compromising safety and security? 3 rd Information In a typical industrial operation, four levels of integration are essential from a usability point of view: 4 rd Integrated tools 70

71 Operational integration: The human factor approach Transparency First, the operational integration must allow plant personnel to have a: Seamless, transparent interface to the process under control. Whether the actual strategy is running in the process controller, the safety system, or on a higher level makes no difference. All required information would be available on the operational level. 71

72 Operational integration: The human factor approach Peer to Peer communications Second, peer-to-peer communication between safety controllers and process controllers is the key to integration. Information from one controller needs to be communicated to peers quickly in order to anticipate process startup or abnormal situations in a controlled manner. 72

73 Operational integration: The human factor approach Provide information Third, all data available in the lowest level of process and safety I/O can be transferred to the higher level of operations and turned into information that is usable for various higher level applications. System information (incl. diagnostics) Process information (A&E, SOE) 73

74 Operational integration: The human factor approach Configuration tool integration Safety builder Finally, configuration tool integration only has added value if the point information is securely interchangeable. Publication Control builder single point of data entry, all information (can be) replicated to other databases. Available for use at all levels of the safety and control topology. 74

75 Operational integration: The human factor approach Choosing the right approach Safety and control strategies developed by different groups using dedicated methods Separated databases for Control and Safety strategies, Database integrity and security Managed and protected application environment Dedicated hardware & software Secure network environment Cyber security safety device certification 75

76 Operational integration: The human factor approach Benefits to end users (1) Provides one process window Includes relevant & critical process information Integrated Alarm & Events Integrated Sequence of Events Using an ASM compliant environment Adjust test interval to suit process schedule Ensure Maintenance and Operational Overrides are used as designed Monitor and promptly follow-up diagnostics as they are available within one environment 76

77 Operational integration: The human factor approach Benefits to end users (2) Change management made easy A change to the Safety environment is automatically available within HMI and for Process interaction What is defined within the Safety Manager to be available is automatically distributed within Experion, No communication address mix up or mistakes No direct interaction with Safety processor, but embedded Easier to implement, easier to understand, Safe landings of processes 77

78 2013 Honeywell Users EMEA Nice Introduction to Cyber Security 78

79 Cyber security Cyber security, why worry Cyber security and Safety Test / certification programs Architectures What s next? 79

80 Cyber security, why worry Control and safety systems have evolved over the years From proprietary hardware/software to a combination of proprietary and commercial of the shelve equipment Increased connectivity from process control networks to plant and enterprise networks Increased demand for remote access for operational and maintenance purposes The world has evolved Knowledge is easily obtainable: control system manuals, discussion groups through the internet Spreading of ideas The sport of hacking 80

81 Incident types Hacker Equipment, software Technician Disgruntled employee Malware (Virus, Worm, Trojan) Source: Repository of Industrial Security Incidents (RISI, 81

82 Cyber security and Safety Cyber security and Safety incidents have many things in common They both cause production loss They can cause reputational damage (Siemens, RIM) They can cause equipment damage (Stuxnet) They can cause casualties 82

83 What can we do to prevent this System level actions Product level actions 83

84 Embedded device robustness testing BCIT (British Columbia Institute of Technology) (2006) Wurldtech, Promoted by end users by lack of international standard De facto standard focused on robustness of end device as they are. ISA Security Compliance Institute Industry consortium, founding members: Chevron, ExxonMobil, Honeywell, Invensys, Siemens, Yokogawa Industry participants: ISA99 Standards committee 84

85 Embedded device cyber security ISCI developed the Embedded Device Security Assurance (EDSA) certification program Using the framework of the ISA99 Standards Roadmap. Modeled after the safety standard IEC61508 Providing detailed requirements An independent assessment program EDSA technical elements: Functional Security Assessment (FSA) Software Development Security Assessment (SDSA) Communication Robustness Testing (CRT) 85

86 Functional Security Assurance Certification SDSA Evaluate how cyber-security is designed into the system Integrated Threat Analysis (ITA) Software Development Security Assurance (SDSA) FSA Evaluate the defenses provided by the embedded device and what system level protection is required CRT Physical testing of the device to asses vulnerabilities and probability of false trip or failure of control Functional Security Assessment (FSA) Communications Robustness Testing (CRT) 86

87 (S)NTP PTP C200 (S)NTP PTP C200 CF-9 CF-9 SM-C300 P2P over FTE SM-C300 P2P SafeNet P2P over segregated Network SafeNet P2P over segregated Network Modbus TCP Modbus TCP Safety Manager certified topologies Safety Manager out of the box certified for use in: Applications Experi on Server Icon Safety Station Fully integrated network topologies FTE Safety Manager Safety Manager Other device C300 Controller Universal Safety I/O Fully segregated network topologies Segregated Process and Safety communication network Providing maximum security, availability and reliability C300 Controller Applications Safety Manager Experion Server Safety Manager Other device FTE Separated Safety network Safety Station Universal Safety I/O 87

88 What s next Customers Should add Cyber security requirements to the RFQ ISASecure certification Should assess the overall security of their system/plant Should approach security similarly as Safety Competence of people, security lifecycle, well defined processes 88

89 And Happy to answer your questions Always looking for feedback! You can reach me via : Johan.school@honeywell.com 89