Things IEC61508/61511 Doesn't Tell You About Safety Systems- Why You Should Care!

Transcription

1 Things IEC61508/61511 Doesn't Tell You About Safety Systems- Why You Should Care! Standards Certification Education & Training Publishing Conferences & Exhibits Implementing IEC61511 on real Process Plants

2 Presenter Simon Lucchini is the Chief Controls Specialist for Fluor Canada at the Calgary, Alberta Office (an engineering, fabrication & construction company) and is also the Fluor Global Fellow for Safety Systems design. He has worked at Fluor for 15 years He was previously with ICI Australia/Orica for 23 years where he worked in operations, maintenance and engineering at hazardous explosives, chemical and petro-chemical facilities applying SIS. His last position was as Company Instrument and Controls Engineer. He is currently the Chair of the SIS committee under the ISA Safety & Cybersecurity Division. 2

3 Agenda Overview Far too many slides for 60 minutes Questions are more important than answers What is a Safety Function? ISA84.01, IEC & IEC Background Key IEC Clause Basic reliability & risk reduction factor Various Discussion Points ISA Safety & Cyber Security web page (10 minutes) Questions (15 minutes) 3

4 Various Discussion Points Hazard Identification and PHA/HAZOP Certifications and Approvals Understand the Process & effect of spurious trips Over reliance on multiple instrument layers Basic Control; Alarm/Interlock; Safety Function; High Integrity Pressure Protection System; Fire & Gas System? Over analyzing designs based on inadequate field data Use of diagnostics & Partial Stroke Testing Low demand & sticking behaviours Proof Testing & Operations 4

5 Items for Further Thought (not really covered today) Proper scheduling of PHA/HAZOP and HAZID Details of SIL allocation (e.g. LOPA) How are functional and integrity requirements identified for safety functions? How to properly document functional requirements? Where do reliability equations come from and are there conditions that they are not valid? Common cause, common mode failures 5

6 Items for Further Thought (not really covered today) What does operations and maintenance need to do? Providing operations with a workable design that can be maintained How do we cater for the complexity of software interactions in today s programmable systems; failure as an emergent property? Systematic Capability & Hardware Fault Tolerance Over-emphasis on complex reliability equations 6

7 What is a Safety Function? A Primer Logic Solver (PLC, DCS, SIS, Hardwired) Instrument Rack Room & HVAC Power Supply/Air Supply Wiring & Cabling System Field Instrument Installation Process & Process Hazard Identification HSSE Standards Operation and Maintenance Engineering & Design Management & Regulatory Framework Approved Vendors & Commercial 7

8 What is a Safety Function? A Primer PI H HH IE Flare/ Vent PT A TT PT B FFIC IAS S FT 1 FEED 1 IAS S Generic Chemical Reactor FT 2 FEED 2

9 IEC Allocation of safety functions to protection layers 9

10 Protection Layers Graphic Boom! SIS controlled Emergency Shutdown Action Trip Level Mechanical Shutdown Action ESD Safety System F&G Safety System Operator Action High Alarm Level High Level Process Operators process value Low Level Process PLC/DCS Time

11 What is a Safety Function? Systems Engineering Corporate HSSE Standards Corporate Management National Regulators Project Business Management Business Management Project Contract Project Director Plant Manager Local Regulators Project Management Plant Project Representatives Maintenance Manager HSSE (Plant Process Safety) Operation Plant HSSE Standards Project HSSE Standards Maintenance Control Room Operators Plant Operators Project HSSE Engineering Design Physical Plant Physical Environment Safety Instrumented Function 11

12 What is a Safety Function? Simon s Complexity Function Complexity = 2 N where N = number of interfaces 12

13 SIS International Standards History IEC61508 Generic standard applicable to any industrial electrical/electronic/programmable safety-related systems (first published in 1998) drew from organizations such as ICI and HSE in the UK, DIN in Germany and ISA in the USA (ANSI/ISA S ) basis for assessing the suitability of individual items of equipment for application in a safety-related system development of embedded software Development of full variability program (e.g. C++, visual basic) generic for any industry more for manufacturers performance based rather than prescriptive

14 SIS International Standards IEC61511/ANSI/ISA Functional safety of SIS for the process industry sector (first published in 2003) group of international experts substantial contributions from chemical/petrochemical process plant operating companies such as BP, Shell, DuPont, BASF and British Nuclear Fuels Limited. sets criteria for the selection of equipment to be used in the system. development of limited variability application software specific to the process industry more for systems integrators & end-users Part 2 Guidelines for Part 1 Part 3 SIL Allocation Guidelines (including LOPA) ISA TR84.00.XX SIS Implementation Guidelines 14

15 IEC Safety Life Cycle 15

16 IEC 61511Key Clause Clause 10.2 provides an excellent description of the general requirements for producing a SRS (safety requirements specification). The safety requirements shall be derived from the allocation of SIF and from those requirements identified during H&RA. The SIS requirements shall be expressed and structured in such a way that they are clear, precise, verifiable, maintainable and feasible; written to aid comprehension and interpretation by those who will utilise the information at any phase of the safety life-cycle. Important for verification and validation of safety functions 16

17 Hazard Identification & PHA no story is complete without a comment PHA Identifies Hazards and their mitigation/control Most critical part of the Safety Life Cycle PHA theoretical paper exercise relatively easy to apply relatively easy to get wrong no immediate impact to the SIF design HSE department does not have to implement the design Process & HSE are the main drivers (SIS only one part) Getting earlier in project life cycle SIF designers may not be present SIL verification engineers may not be appointed yet SIL verification procedure most likely not started 17

18 Hazard Identification & PHA the result Over emphasis on instrumentation for safety Basic Process Control Alarms & Interlocks SIF HIPPS Fire & Gas System? Field instrumentation is the same for all Protection Layers! Industry anecdotal information 50% SIF over designed; spurious trips? 5% SIF under designed; safety performance plateau? Please, no SIL 3 18

19 Hazard Identification & PHA try something different Basic training QRA & PHA all participants before PHA Prepare SIL verification procedure before the PHA/LOPA; alignment with Business, Operations and Maintenance plant turnaround schedule plant availability targets (spurious trips) proof test intervals & PST philosophy testing by Operations preventative maintenance schedule repair philosophy approved equipment list; reliability data Prepare SIL 1, 2 & 3 typicals/templates for PHA/LOPA reality check done at the source of the problem do not succumb to snowball effect 19

20 PHA Action Item Example proper definition Consider flow transmitter failure Consider if failure rate of flow transmitter places unacceptable demand on safeguards. If unacceptable evaluate alternate technologies and present cost benefit study to be evaluated at a ALARP review with operations

21 Get the best from PHA/HAZOP/HAZID 1. Application of HAZOP and What-If Safety Reviews to the Petroleum, Petrochemical and Chemical Industries, Dennis P. Nolan (ISBN ) 2. Guidelines for Hazard Evaluation Procedures, Center for Chemical Process Safety (third edition ISBN ) 3. Loss Prevention in the Process Industries, Prof Frank P. Lees (second edition ISBN ) 4. Layer of Protection Analysis: simplified process risk assessment, Center for Chemical Process Safety (ISBN ) 5. Various books by Trevor Kletz 21

22 Hazard Mitigation & Reliability Equations Hazard Frequency (mitigated) = Hazard Frequency (unmitigated) / RRF Hazard Frequency (mitigated) = Hazard Frequency (unmitigated) * PFDavg RRF (target) = Hazard Frequency (unmitigated) / Hazard Frequency (tolerable) Hazard Frequency = Hazard Rate 22

23 Basic IEC Safety Function Integrity Requirements Safety Integrity Level (SIL) components i. Reliability or likelihood that it can fail (term = PFDavg) ii. iii. Hardware fault tolerance; redundancy Systematic Capability (QA/QC). Higher the risk requires higher SIL (1 2 3) Higher reliability Increased redundancy Improved quality assurance against systematic failures Systematic Capability definition.which applies to an element with respect to its confidence that the systematic safety integrity meets the requirements of the specified safety integrity level 23

24 Hazard Mitigation & Reliability Example PFDavg (availability) Proportional to failure rate X proof test interval Unprotected Hazard Rate (1/yrs) Target Hazard Rate (1/yrs) RRF SIL 1 in 10 1 in in 10 1 in

25 Control System Reliability Hazard Rate = Control System Failure Rate * Safety Function PFDavg Control System (DCS, PLC) equally important as SIS to plant safety Safety relies on having both not just one or the other; backup Systematic failures are more important but more difficult to analyze 3 rd Party Qualification to IEC Prior use (i.e. experience in similar applications) 25

26 Graphical Derivation of Reliability (PFDavg)

27 Reliability Equation (simplified & no redundancy) Based on low demand (i.e. does not have to act very frequently) Tested more frequently than demand rate Constant failure rate systems PFDavg = ½* λ * T T = proof test interval & λ = failure rate of the device 27

28 Certifications & Approvals SIS Logic Solver Certification TUV/DIN standards significant history prior to IEC and ANSI/ISA 84 well established s/w & h/w testing & validation processes to DIN V & DIN V 801 (now withdrawn) very defined/controlled boundary of installation & operation less complex & more defined functions than for process control controlled testing widely accepted industry certification IEC gives the requirements but not details: manufacturing quality system safety life cycle h/w design & tests s/w design & tests competency of personnel 28

29 Certification of field SIF components Not a long history of certification prior to IEC/ISA standards Not a well defined boundary for installation & operation temperature extremes vibration process fluids; corrosion, fouling, access for maintenance documentation Reliability Data Relevance accelerated wear out testing; low demand versus high demand proven-in-use data for different plants; different environments vendor return data; incomplete FMEDA; calibrated against different applications 29

30 Certification of field SIF components SIL Certificate does not appear in IEC nor IEC Safety Manual (i.e. product safety manual) is mentioned 49 instances in IEC & >100 times in IEC Details performance requirements for equipment used in safety functions Does not give details on how to validate reliability data for equipment used in safety functions 30

31 SIS International Standards Widely accepted and utilized international standards Mandatory in UK, Europe Not mandatory in North America unless there is an incident OSHA Reasonable Care Standard Guidance on the Safety Life Cycle establishing Safety Plan acceptable designs maintenance requirements and much more Comprehensive SIS literature & training There should be no issues with designing & maintaining Safety Instrumented Systems? However. 31

32 Bridging the Gap between Design & Operations Operations do not want that SIS design Partial Stroke Testing Tripping on diagnostics Maintenance does not want that SIS design Proof Test Methods Repair Methods Non standard instrumentation Documentation of Basis of Design SIL 3 Safety Functions Business Managers do not want that SIS design Spurious Trips Speak a strange language (pedantic even for instrumentation folk) Is it a SIS or a SIF? 32

33 Improving Performance Confirm with Process & Operations that the design correctly addresses the hazard Review diagnostics and proof testing methodology with maintenance and operations before finalizing the SIL verification calculation, Use proven in use equipment wherever possible, Validate how maintenance is actually done, Validate how the plant is actually operated, Consider plant operating modes and operating procedures that have a bearing on proof testing, Make reliability visible to operations (e.g. valve performance) 33

34 Improving Performance Question unrealistic risk mitigation for SIF, Avoid SIL 3 at all costs (are they realistic?) Consider what facilities are required for proof testing, Determine how the instrumentation will be repaired, trip valve replacement Consider designing proof tests for Operations rather than Maintenance groups, Give adequate consideration to the design of Operational and Maintenance Overrides, Consider the effect of spurious trips on the reliability and safety of the Plant. 34

35 Plant Transitions Startup & Shutdown IEC61511 requires the identification of the dangerous combinations of output states of the SIS that need to be avoided IEC requires that Where reasonably practicable, processes should be designed to be inherently safe. PHA/HAZOP is a blunt instrument that looks at deviations for one variable at a time does not easily identify transition states not very good at hazards caused by combinations of states Markov? Reducing spurious trips is crucial for a safe design; increased risks during plant transitions 35

36 Terminology FMEDA = Failure Modes & Effects Diagnostic Analysis HAZOP = HAZard and OPerability analysis, a type of PHA HAZID = Hazard Identification Lambda (λ) = Failure Rate per unit of time LOPA = Layers of Protection Analysis MTBF = Mean Time between Failures MTTF = Mean Time to Failure (MTBF=MTTF + MTTR) MTTR = Mean Time to Repair PFDavg = Probability of Failure Dangerous (on average) PHA = Process Hazard Analysis QRA = Quantitative Risk Analysis PST = Partial Stroke Test(ing) RRF = Risk Reduction Factor (inverse of PFDavg) SIF = Safety Instrumented Function SIL = Safety Integrity Level SIS = Safety Instrumented System SRS = Safety Requirements Specification Startup = Potential Hazard & Hopefully Making Money T = Proof Testing Interval Trip/Shutdown = Potential Hazard & Loss of Money Turnaround = When Plant is shutdown for extensive/statutory maintenance

37 Refinery Plant Transitions Startup & Shutdown Considerations Size of the Facility Parallel Units Utilities (Steam, Power, Air, Flares & Vents) Complexity & Integration of the Facility Multi Step Separation and Reforming Reprocessing to obtain quality specification Multi Stream Production Environmental Controls Extensive Energy Recovery Systems Tight Energy Conservation pushes processing limits Recycle Flows Startup & Shutdown Long time to stabilize controls Many timely operator actions 37

38 Complex Processes Refinery 38

39 Nice Day for a Proof Test 39

40 Identification of Unsafe combinations how many are there?! How many trip valves in a typical refinery sub-unit S/D 5, 10, 20? Combinations = 2 N 32; 1024; 1,048,576 Are these the only combinations need to be considered, DCS outputs (increase demand on Safety Functions) manually operated valves other operator actions? Other considerations hot versus cold restarts inventory and surge capacities manual line ups More emphasis on spurious trip rates 40

41 Chemical Processes Size of the Facility Can still be large scale Complexity & Integration of the Facility Usually less complex process Little or no Reprocessing One or small number of Streams Environmental Controls Extensive Energy Recovery Systems Energy conservation is more straight forward Startup & Shutdown Stabilizing Reaction is faster/easier Hot startup versus cold startup less complex PST perhaps easier to sell 41

42 Chemical Processes Explosives Ammonium Nitrate 42

43 Chemical Process Ethylene Di-Chloride intermediate for vinyl chloride 43

44 Plant Transitions Basic Message Avoid Spurious Trips Understand complexity of the Process: Startup interactions Dangerous trip interactions and states Hot startup versus cold startup Purge cycles Dumping to effluent streams Product re-processing SIF designers work with Operations Consider PHA Effectiveness (from before) 44

45 Partial Stroke Testing scared of big valves? 45

46 Partial Stroke Testing scared of big valves? 46

47 Partial Stroke Testing he is not scared of big valves! 47

48 Partial Stroke Testing he knows it s the smaller guys you worry about! 48

49 Partial Stroke Testing Example: The good: Devised SIS programming for carrying out PST Arrange for checking stroke times of trip valves for FAT PST point of 80% open or measured time delay Devise test procedure and sign-off at acceptance test with client Repeated checks & acceptance tests at Site The bad: Valve smaller than 4 inch were too fast even with relatively fast SIS The ugly Operators did not allow PST to be commissioned What was assumed for PFDavg calculation? 49

50 Partial Stroke Testing Example: Background Difficult to undertake complete proof testing on trip valves outside Plant Turnarounds Tests need to be done online Easier for measurements; duplicate measurements Hard for final elements PST is one way to achieve PFDavg target Plug/Seat Considerations 30% to 70% test coverage? Leakage requirements (e.g. heat off, backflow) Clean, fouling, erosive or corrosive service High pressure drop, severe service, vibration Speed of response requirements 50

51 Partial Stroke Testing: qualitative review PST effect on PFDavg Potential faults that can be found by a full test Tested less frequently Potential faults that can be found by a partial test Tested more frequently Overall improvement in reliability or PFDavg by PST when plant turnaround periods increase However, must ensure that Operations accept the methodology 51

52 Partial Stroke Testing: review simplified equations for PST effect on PFDavg PFDavg = Cm*λd*t/2 +(1-Cm)*λd*T/2 (Cm/n + (1-Cm) )*λd*t/2 Cm test coverage factor (e.g.70%) T proof test interval t the PST test interval n the ratio of proof test to PST interval assume 100% coverage at proof test interval assume RRF 100 with no PST Improvement in RRF = 1/((Cm/n + (1-Cm)) Cm = 30% to 70% and N = 5 to 10 RRF improvement 130 to 270 Benefits? Risks? 52

53 Partial Stroke Testing traditional straightforward design 53

54 Partial Stroke Testing Traditional: momentarily de-energize the solenoid Today there are more options special SIS I/O cards are available with some systems latest digital positioners provide more options with controlled operation continuous positioning versus on/off control Solenoids and/or positioner for control of on/off valves Get involved with ISA TR84 SIS Guidelines ISA TR PST Guidelines 54

55 SIL Verification: What is the purpose of SIL verification calculation? Manipulate the variables/options to get the required answer Calculate what the SIF actually is and not tweak the factors to get the result that LOPA prescribed There are traps when using sophisticated SIL verification software for the unwary Where does the reliability data come from Does the instrument need to work or is the SIL certificate the ultimate selection criteria some oil & gas majors uses only standard instrumentation for their Proven-In-Use database and not special SIS instruments others do use only special SIS instruments There is more than one answer! 55

56 SIL Verification: the assumptions for the SRS Basis for maintenance; document how verification was done Instrumentation Model Listing Reliability Data Process Connection Details Use of PST Proof test coverage Common Mode failure Tripping on diagnostics & Coverage factor Plant Turnaround periods Proof Test Methods 56

57 SIL Verification: Example: Process Fluid and Connections Process Connection Process Fluid Clean Remote Seal Impulse Plugging Low Med High Steam (outside) X Steam (inside) X BFW Condensate (outside) X BFW Condensate (inside) X Intrument Air, Utility Air, N 2, O 2, PSA Hydrogen X Naphtha, Diluent, C5+ Product, Butane X Lub Oil (outside) X Lub Oil (inside) X Gas Oil, LVGO, HVGO, Crude Unit, Depropanizer X Atmospheric Bottoms, Vacuum Bottoms, DAO X Soot Slurry X Asphaltene X Fuel Gas, Tail Gas, Syngas, Process Gas, X 57

58 Reliability/Failure Rate Data another topic SIL certificates versus Product Safety Manual SIL certified versus SIL capable Performance standards versus detailed requirements Sources of reliability data for SIL verification Proven in use Stress testing FMEDA (failure modes & effects diagnostics analysis)

59 Proven In Use Data Where can it be obtained? Vendor returns and service history does it met IEC criteria? how does the vendor know? there are SIL certificates issued this way by well known certifying bodies! Industry sector data OREDA (Offshore REliability DAta); how applicable to onshore? generic databases; very conservative End user records & analysis difficult to set up

60 Reliability/Failure Rate Data System for collecting Proven-in-Use reliability data Failure data categorized by process application (e.g. DP level on gasoline) from DCS & SIS Make & Model not as relevant Difficult for smaller companies to get statistically valid data Why use instrumentation already in place to the facility Documentation Vendor backup Training Track record; known to work Larger statistical base When is reliability data valid (useful life) 60

61 Equipment Useful Life When is reliability data valid (useful life) The Bathtub Curve Failure Rate versus Time Increased Failure rate Infant Mortality Decreasing Failure Rate Normal Life (Useful Life) Low Constant Failure rate Classical Bathtub Burn-in Phase Useful Life Phase Wear-Out Phase Operating Life (t) Ie. 10,000 cycles

62 Failure Rates, Plant Turnaround, Proof Test Interval & Useful Life PFDavg = λd*t/2 λd valid for only the useful life period (life time) Plant turnaround periods increasing Low Demand Mode Final elements seizing/sticking PFDavg = Cm*λd*T/2 +(1-Cm)*λd*LT/2 Cm is proof test coverage factor (e.g.70%) LT is device life time Are devices being replaced after LT? How are devices being maintained Proof test does not equal maintenance

63 Stress Testing Does it work? A batch of solenoids are operated for many thousands of cycles over a period of several weeks under varying environmental conditions. The failure rate data is then normalised to the anticipated usage of the device Reliability data derived by this methodology rarely applies to the process industry Review in context of reliability bath-tub curve

64 Equipment Useful Life: Low Demand Applications The Bathtub Curve Failure Rate versus Time Increased Failure rate Infant Mortality Decreasing Failure Rate Apparent End of Life Failures Normal Life (Useful Life) Low Constant Failure rate Classical Bathtub Apparent useful life Burn-in Phase Useful Life Phase Wear-Out Phase Operating Life (t) Ie. 10,000 cycles

65 FEMA, FEMDA & FMECA Important analysis tool for determining failure rate data Systematic process for identifying faults and errors in a device Detailed list of all components Component failure modes, effect on other components and the severity of the failure Diagnostic coverage factor, criticality and failure type (e.g. dangerous, spurious). Team reviews the modes of operation & identify failure mechanisms

66 Design out the Problem; SIL Verification is not Enough FMEDA process distilled into one variable Each failure mode has differing mechanisms Each failure mode has differing durations Calibration of critical sticking failure data? Detailed failure modes confidential Verification versus design by different parties Identify the failure modes and remove the problem Partial stroke testing can be an important tool Acceptance by operations? Validating coverage factors?

67 Diagnostics: review simplified equations effect on PFDavg λd = λdu + λdd λdd depends on diagnostic coverage (DC) PFDavg = λdu*t/2 = (1-DC)*λd DC factor (e.g.70%) T proof test interval assume 100% coverage at proof test interval Improvement in RRF = 1/((Cm/n + (1-Cm)) DC = 20% to 75% RRF improvement 25% to 300% 67

68 Diagnostics: who wants them? Improvement in PFDavg Dangerous Detected versus Undetected Comparison transmitters from DCS Signal Fault diagnostics Automatic trip upon diagnostic detection Manual intervention upon diagnostic detection Assumed repair times Dangerous Times Shutdown Startup Upset conditions 68

69 Proof Test Intervals discuss with Operations, Maintenance & Business What is the plant turnaround schedule Who will devise the proof tests methods Can some proof tests be automated (e.g. recording valve opening/closing performance) Who does the proof testing Is partial stroke testing acceptable How will faulty final devices be replaced (s/d the plant?) Is the design testable Do the actual proof test methods ensure the assumed coverage factors in the SIL verification calculation are valid 69

70 Proof Testing Checks by Operations 24/7 Logs, inspections and walk downs Automatic valve closure & opening times Revision control of SIS s/w Example of pumping methanol in column sumps Comparison checks & logs of measurements Testing of duplicate offline trip valves Maintenance are typically fire fighters Regular checks are lower priority to keeping plant online Typical design of SIF does not take into account proof testing Asset Management System; who has completely implemented? 70

71 Do we have all the answers? probably not, but! SRS is a very important document (IEC Sec10.3) Standards have good performance requirements read/understand them Standards do not have the all the design details learn about process and instrumentation Do not hide behind complex reliability equations Let s do more to get realistic reliability data Get the right people in at HazID & PHA Realistic expectation for what can be done with instrumentation layers It is too easy to pass on the problem to the instrumented protection layers Please, no SIL 3 71

72 References Safety Instrumented Systems: Design, Analysis & Justification, Paul Gruhn & Harry Cheddie (ISBN )..ISA Publication Control Systems Safety Evaluation & Reliability, William M. Goble (ISBN )..ISA Publication Evaluating Control Systems Reliability, William M. Goble (ISBN )..ISA Publication (Markov) OREDA Offshore & Onshore Reliability Data 6 th Edition Vol 1 Topside Equipment (ISBN ) 72

73 The SIS Engineers are back; are they going to disrupt my operations again? Comments? 73

74 ISA Safety & Cyber Security Webpage Visit, contact and raise questions Submit ideas for articles Contribute articles 74