Copyright 2008 exida.com L.L.C. 64 N. Main Street Sellersville, PA, USA All rights reserved. No part of this publication may be reproduced,

Transcription

1 Copyright 2008 exida.com L.L.C. 64 N. Main Street Sellersville, PA, USA All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner. Printed by Signature Book Printing, ISBN-13: This book is available at a special discount when ordered in bulk quantities. For information, please contact exida at the address shown above or by via info@exida.com.

2 Prologue Although there have been huge technical strides in process safety over the last twenty years, there is still a gap between the current practice of many firms and what could be called good safety engineering practice. This book will identify where some of these gaps exist. The book also seeks to provide an introduction to the opportunities to bridge those gaps through applying various functional safety management tools. It is written at the introductory level to provide engineers and engineering managers with a basic understanding of what they can do to both improve safety and reduce costs. However, to achieve both of these goals, proper support from management, engineering, operations, maintenance, and process safety professionals is needed. The objective is to make these good safety engineering practices the norm. What is good safety engineering practice? It is the creation and effective use of safety lifecycle procedures and practices to prevent systematic and random flaws from jeopardizing plant safety. Safety equipment and support tools have made significant progress in the last fifteen to twenty years now the high quality assessment, design, operations, and maintenance procedures need to embrace these advancements and take full advantage of them. The first ISA 84 functional safety standard (ISA , Ref 1) initiated the safety lifecycle. This second, more international version, ISA 84 (ISA , Ref 2) and its equivalent, IEC 61511, refine the process through the increased emphasis on a Functional Safety Management (FSM) plan and a number of other important additions. But just creating the procedures is not the cure all. The fact that even the earlier process industry safety lifecycle standard released in 1996 lacked these planning and coordination elements strongly suggests that management had not fully bought into the complete lifecycle concept. The objective of the first chapter Why Embrace the New ISA 84 is to show that with good management support, functional safety can (and should) benefit the bottom line. The rest of the book then covers functional safety management and each safety lifecycle step, providing information and advice on how to put everything together to achieve positive results most effectively. If done properly, applying the new standard should give you a safer and more economical plant operation and this book will have served its purpose.

3 Dedication To my wife, Christine, and children Joshua, Peyton, and Chloe who have supported me with this new and exciting life! To the families who endured the hardships hurricanes Katrina and Rita To the fight against multiple sclerosis from which 13% of the proceeds of this book have gone (via the BP & Valero MS150 charity rides) Acknowledgments My sincerest appreciation goes to Dr. William Goble and Dr. Eric Scharpf who have been perfect technical coaches/editors. I must also thank Pat Goree for the original idea and the following list for their encouragement, notations, and/or informative discussion: Allie Barnes Ivan Cook Oswaldo Moreno Andrea Robinson Iwan van Beurden Owen Tavenor-Smith Andrew Dennant Jeff Mire Rainer Faller Brian Hampshire Jim Jensen Ralph Eguren Brian Pack Jody Lane Ray Miller Charles Fialkowski Joe Siebert Ray Wright Chet Barton John Baik Rolf Spiker Chris O Brien John Mulvany Sara Saxena David Hatch Jon Keswick Sherri Steele Dennis Zetterberg Louis Kuo Terry Hight Gene Cammack Marilee Clifton Titan Ten 85 Greg Mier Marion Miller Toby Miller Hal Thomas Martin Sotomayer Tom Hoglin Harold Howard Mike Crawford Harry Cheddie Monty Wilkins Background on the Author Curt Miller, CFSE, PE, Partner/Sr. Engineer with exida since 2004, has more than 18 years of professional experience with safety and control systems. Before he joined exida as a Partner/Sr. Engineer, he most recently spent six years supporting the Gulf Coast safety and control markets as an automation specialist for an automation supplier. In his position with exida, Curt is supporting end user applications and Gulf of Mexico bordered safety equipment manufacturers with the full breadth of functional safety lifecycle services listed in this book. Curt is a BSChE graduate of Texas A&M. He is very active in ISA local chapters up to the President level and will be the District 7 Vice President (TX, LA, and Mexico) for the fiscal years He also has applied for a business patent based on the quantitative benefits of the functional safety lifecycle approach discussed in Chapter 1. You can reach him at cmiller@exida.com.

4 Preface exida.com LLC is pleased to present this first edition of the A Manager s Guide to Functional Safety by Curt Miller. exida is one of the world s leading knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world s top reliability and safety experts from assessment organizations like TÜV, manufacturers, and end-user companies, exida is a partnership with offices around the world. exida offers training, coaching, project oriented consulting services, internet based safety engineering tools, detailed product assurance and certification analysis, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on safety equipment. exida recently started exida Certification, a Geneva Switzerland based independent certification organization approved by UKASS for performing IEC certification assessments. As such exida Certification is the only certification body approved to execute IEC certifications. Knowledge Products exida has made the process of designing, installing, and maintaining a safety and high availability automation system easier. Years of experience in the industry have allowed a crystallization of the combined knowledge that is converted into useful tools and documents, called knowledge products. Knowledge products include procedures for implementing the safety life cycle tasks, software tools, and templates for all phases of design. Consulting and Training Although the problem solution and product orientation will help minimize the costs of safety and high availability automation, exida realizes there are situations where an in depth analysis, or intensive training is required. exida has the ability to solve the complex issues, like unique voting arrangement analysis, or rare event likelihood analysis for example, and stands ready to assist when needed. exida has developed a successful training suite. Personal training can be provided either as part of a project or by standard courses. On-line training is available to everyone who has internet access. End-user services exida provides the users of automation systems with the knowledge to cost-effectively implement safety and high availability automation systems. exida provides this information by creating knowledge products that ease the implementation of systems, by coaching and training in implementation of the safety life cycle, and by independent verification of systems. The exida end-user services include Hazard and Risk Analysis Safety Function Identification Safety Integrity Level Selection Safety Requirements Specification Safety Integrity Level Verification Safety Requirements Analysis Conceptual and Detail Design Assistance Operations and Maintenance Planning Pre-startup Safety Review Validation tests Hazard and Risk Analysis The selection and design of appropriate Safety Instrumented Systems hinges on an analysis of the risk due to the hazards inherently present at any plant because of its specific processes. exida can help identify and assess those hazards and their associated

5 risks. exida has a range of products and services that help with Process Hazards Analysis for hazard identification, and then provide quantitative tools and expert coaching and consulting to help analyze each specific hazard s associated risk, based on the likelihood and consequences of the hazard. Safety Integrity Level Selection The risk reduction that a Safety Instrumented Function (SIF) needs to achieve is specified by the Safety Integrity Level (SIL) parameter. exida is expert in, and in a lot of cases has helped develop the procedures that industry uses, to select the appropriate Safety Integrity Level. exida provides procedures and tools (e.g. SILect tool) to help select and document the SIL selection process, and offers expert review for selection of SIL for difficult to analyze Safety Instrumented Functions, where the hazard risk or the cost of the SIF is high. Safety Requirements Specification The Safety Requirements Specification (SRS) is the key Safety Instrumented System design document. The SRS specifies not only what actions each Safety Instrumented Function should take when predefined conditions are exceeded, but also how effective these actions should be performed, i.e. how much risk reduction each SIF should provide. exida offers template SRS documents, a SIF SRS tool (part of the exsilentia tool), and coaching on the preparation of the Safety Requirements Specification. Conceptual / Detailed Design exida assists in the SIF / SIS design process by providing template specifications and design documentation. In addition, exida provides the counseling that allows one to customize the templates to any particular application. exida also provides an independent review of the full range of documents that are input to the SIF / SIS design, from Safety Requirements Specification to vendor offers. Safety Integrity Level Verification After the Safety Instrumented Functions have been conceptually designed, the achieved Safety Integrity Level of each of the functions must be verified to insure that it meets the requirements of the SRS. Probabilistic reliability analysis can be performed with the exida SILver tool or performed as an independent verification by exida staff. Operation and Maintenance / Function Testing The deployment of a SIS does not end when the equipment is installed. exida helps technicians and engineers develop the procedures that are required to operate, maintain and periodically test the independent Safety Instrumented Functions and the SIS in general. exida can provide guidance on the test interval required to meet SIL requirements, and help to develop and execute the procedures required for an effective test. Pre-Startup Safety Review / Validation After design and installation but before startup, a review of each SIF and the SIS in general to insure that it meets the requirements laid out in the SRS is required. exida assists its clients by performing an independent third party review. Tools and products oriented to End-User Support exsilentia Integrated Safety Lifecycle Tool o SILect (SIL selection) o SIF SRS o SILver (SIL verification) o IEC Compliance Templates o Corporate Safety Manual Template o Standards Overview Documents

6 Training oriented to the End-User Support IEC / IEC Certified Functional Safety Expert CHAZOP BMS / LOPA Fire and Gas Various On-line Training Lessons and Course Manuals Manufacturer services exida provides the manufacturers of equipment to be used in automation systems with the knowledge to cost-effectively develop and certify safety and high availability automation system devices. exida provides this information by creating knowledge products that ease the gathering and tracking of safety related requirements to eventually proof compliance with the relevant functional safety standards. Furthermore exida provides coaching and training to implement the hardware / software design safety life cycles, and by independent verification of designs. In addition exida assesses compliance of products to standards like IEC The exida manufacturer services include Requirements definition Safety Design Support and Assessment Safety Case Equipment Certification Assistance Development Process Improvement and Assessment Functional Safety Management and V&V setup Failure Modes, Effects, and Diagnostic Analysis Software Criticality Analysis and Software HAZOP Probabilistic evaluation COTS RT-OS evaluation Since the safety automation marketplace is growing, with a growth rate significantly above the general control market, new opportunities are presented. However the safety automation market is changing, as international functional safety standards are rapidly being adopted. The result is that control engineers are carefully evaluating the instrumentation being selected for safety protection applications. Given the special attention the new functional safety standards put on the safety automation design process, the use of safety certified equipment has become the goal for all devices used in Safety Instrumented Functions / Safety Instrumented Systems. This demand for safety certified equipment considers all devices in a SIF ranging from the sensor part to the final element part. Companies in the chemical, petrochemical, oil and gas, nuclear, power and many other industries select certified safety equipment in order to be assured of the proper levels of safety and quality. The use of certified equipment also substantially reduces the design documentation required for safety assurance. The equipment certification process can become expensive, especially if analysis techniques and documentation methods must be learned through frustrating audit failures. Some equipment manufacturers have spent five times the initial budgeted cost and months of delay in releasing the product. exida has a staff of safety certification experts including equipment developers, certification engineers and reliability / safety engineers. exida has created a suite of software tools intended to assist in the certification process. exida can provide design verification assistance, Failure Modes, Effects, and Diagnostic Analysis (FMEDA) assistance, development process expertise, component failure data and even full reliability and safety analysis.

7 exida supplies expertise and semi-automatic tools to cut the cost and the time required for certification. These tools include an IEC requirements database in Microsoft Access and a set of document templates in Microsoft Word. The report generator from the database will automatically populate the dynamic portion of the document templates making the task of document update far less tedious than manual systems. exida also has the expertise to do hardware failure modes and diagnostic analysis, software HAZOP and criticality analysis, user literature preparation, process improvement, and design guidance. Tools and products oriented to Manufacturer Support SafetyCaseDB SIS Market report FMEDA tool CFSE Study Guide SILCap IEC Compliance Templates Training oriented to Manufacturer Support IEC / IEC Certified Functional Safety Expert Various On-line Training Lessons and Course Manuals FMEDA Software Criticality Analysis and HAZOP The exida customer groups are the foremost reason for exida s interest in safety equipment reliability data. For end-users to be compliant with the international functional safety standards they need to perform quantitative assessments to determine if the conceptual Safety Instrumented Function design meets the design goals set in the Safety Requirements Specification. In order to do so the end-users need equipment reliability data. On the other hand, the manufacturers supplying products to the safety and high availability automation markets need to provide reliability data for those products for them to be compliant with the international standards. Where exida is helping manufacturers evaluate the safety performance of their products, the endusers are automatically served with sources of reliability data. In addition, where exida is helping end-users perform the required quantitative assessments, it is easy to indicate which manufacturers need to provide product reliability data. The synergistic relation between the services provided by exida makes exida an excellent data collection and evaluation third party organization. The experience with our customers shows the need for a clear and comprehensive safety equipment reliability data reference list, which we provide with this handbook. For any questions and / or remarks regarding this handbook or any of the services mentioned in this book please contact exida at the following address. exida Consulting / Houston Operations Curt Miller cmiller@exida.com

8 Table of Contents Dedication...v Preface... vii Prologue...xiii Acknowledgments... xv Background on the Author...xvii 1 Why Embrace the New ISA ? (Benefit or Burden?) Background Behind an Industry Practice Poll (and a disclaimer on relevance) Polled Response Which benefits are most valued as a result of implementing the new ISA 84 Standard? Benefits Quantified "Show Me the Money Benefit #1: Production benefits by uncovering embedded reliability issues Benefit #2: Proper front-end selection of protection devices Benefit #3: Process Hazard Analysis (PHA) reviews should be more precise ("realistic") Benefit #4: There should be a decrease in "specification errors" and resulting accidents Benefit #5: Universal, world-wide process standard Benefit #6: Proof testing intervals may be lengthened Benefit #7: Besides direct personnel safety, equipment, and environmental consequences, impacts of production and corporate image losses can be quantified and included for a more accurate analysis Summary References The Safety Lifecycle (The Concept) and Functional Safety Management (The Lifeblood) What is Your Safety Culture Pulse? The Philosophy Behind ISA (1996 & 2004) Safety Lifecycle (SLC) - Essential Elements Functional Safety Management (FSM) - Essential Elements It is all part of the plan Polled Response Where are We? (What s missing from the plan?) Functional Safety Management procedures "Project Safety Plan" exida.com L.L.C. A MANAGER S GUIDE TO FUNCTIONAL SAFETY xix

9 TABLE OF CONTENTS 2.7 Fixing the gap References Process Hazard Analysis & Risk Assessment Process Hazard Analysis Risk Assessment Process Safety Management (used with ISA ) Significant Additions of ISA (since ISA ) Polled Response What is Industry Doing? Risk Assessment Tools Risk Assessment Summary References Legitimate LOPAs (Layer of Protection Analyses) LOPA - A Basic Background Significant Additions of ISA (since ISA ) Polled Response - How far has the Gulf gotten in LOPA execution? Polled Response Which IPLs are being Used? Mechanical Relief Device as an Independent Protection Layer (IPL) BPCS as an Independent Protection Layer (IPL) Operator Response as an Independent Protection Layer (IPL) Mechanical Integrity of Vessel as an Independent Protection Layer (IPL) External Risk Reduction as an Independent Protection Layer (IPL) Polled Response Which Enabling Event (Conditional Modifiers) are being Used? Ignition Probability as a Conditional Modifier Use "Occupancy" as a Conditional Modifier Use Explosion Probability" as a Conditional Modifier Use "Use Factor (Time at Risk)" as a Conditional Modifier More Guidance on Performing LOPAs REFERENCES SIL Determination We re Not There Yet A Basic Background Significant Additions of ISA (since ISA ) Polled Response Who is Using What? SIL Selection Engineering Tools SIL Selection Summary References...39 xx A MANAGER S GUIDE TO FUNCTIONAL SAFETY 2008 exida.com L.L.C.

10 TABLE OF CONTENTS 6 The SRS Your Design Template What an SRS Should Contain Supporting Input Functional Specification Integrity Specification What are some of the SRS Pitfalls? Significant Additions of ISA (since ISA ) Functional Specification Integrity Specification Polled Response Is your SRS doing what it should? SRS Guidance References New SIS Design Mandates What did ISA do for us? Significant Additions of ISA (since ISA ) Hardware Design Additions (in Clause 11) Software Development Additions (in Clause 12) Polled Response Are the Mandates Being Followed? Fixing the SIS Design Gap References Pre-Startup New Requirements Current Practices Significant Additions of ISA (since ISA ) Clause 13 - Factory Acceptance Testing (FAT) Clause 14 - SIS Installation and Commissioning Clause 15 - SIS Safety Validation (called PSAT in the 1996 version) Clause 5 Functional Safety Assessment (FSA) Polled Responses Are the Mandates Being Followed? Gulf Coast Area System Integrator Survey Some Guidance in Pre-Startup Practices References Post Installation New Requirements Current Post-Installation Practices Significant Additions of ISA (since ISA ) Clause 16 - SIS operation and maintenance Clause 17 - SIS modification exida.com L.L.C. A MANAGER S GUIDE TO FUNCTIONAL SAFETY xxi

11 TABLE OF CONTENTS Clause 18 - SIS decommissioning Clause 5 - Functional Safety Assessment (FSA) Clause 5 - Audits Polled Response Are the Mandates Being Followed? Proof Test Pitfalls According to a HSE Report Some Guidance to Post Installation Practices References ISA / IEC Hot Topics and Vague Subject Matter Interpretation of the Grandfather Clause Prior Use (a.k.a. Proven-in-Use) Failure Rate Data Industry Databases FMEDA Analysis Data Failure Rate Data Field Collection Methods PERD Initiative Minimal Site or Corporate Program Data Consortiums Alarm Management Fire & Gas system treatment ISA as a Supplement to Prescribed Standards References ISA / IEC Full Compliance Strategy A Three Phase Approach Phase I - Next Project Execution Phase II - Corporate Procedure Development & Audit Support Phase III Enterprise-Wide Field Implementation A Final Note on ISA / IEC Functional Safety References Abbreviations List of Tables List of Figures Index xxii A MANAGER S GUIDE TO FUNCTIONAL SAFETY 2008 exida.com L.L.C.