Functional Safety: Application of IEC 61508 & IEC 61511 to asset protection
Paulo Oliveira, Engineering Manager, Engineering Safety Consultants Ltd
Engineering Safety Consultants Limited, Page 1
Agenda
- Introduction
- General scope
- Concept
- Comparison with IEC 61511 practices
- Other sources
- Risk criteria definition
- Example
- Case study
- Other benefits
- Q&A
Speaker Information
Paulo Oliveira is a Chartered Engineer with over 10 years' experience in systems design and asset management, focusing on safety system lifecycle management (design through to decommissioning), gained in manufacturing industry (e.g. chemical, steel, offshore/onshore transfer hoses). He previously worked as the Functional Safety Leader for CRISTAL Pigments UK Ltd between 2008 and 2013, leading the implementation of Functional Safety Management systems, which included Alarm Management principles. Since then Paulo has chaired and facilitated numerous Hazard Analysis and Risk Assessment (e.g. HAZOP/LOPA) studies in the UK and Middle East, delivering Safety Requirement Specifications (SRS), SIL verification studies and full lifecycle documentation, including FS Management system reviews, for the oil & gas, chemical, water treatment and product manufacturing industries. He currently leads the Certification programme at ESC Ltd, delivering product and type certification for multiple applications, e.g. safety controllers, load cell systems, F&G detection and valves (HIPPS, subsea, topsides and onshore).
Functional Safety: Application of IEC 61508/61511 to asset protection
General Scope
IEC 61508/61511 directly address the safety impact of systems relying on E/E/PE safety functions through:
- Use of defined acceptable risk levels (e.g. ALARP)
- Hazard analysis, which may include likelihood and severity rating (e.g. HAZOP)
- Risk assessment of each hazard scenario and its associated initiating events (IE) and independent protection layers (IPLs) to establish a risk reduction target (e.g. LOPA)
- SIF hardware/software analysis to confirm its ability to provide the target risk reduction (e.g. RBD modelling)
- Verification and validation processes
- Competence requirements
- Independence requirements
- Systematic capability, i.e. the ability of the processes and the system to remove errors from each stage of the lifecycle
LOPA - Layer of Protection Analysis
[Figure: layer-of-protection diagram for a hazard that leads to a fatality. The hazard frequency axis runs from 10^-1 /yr at the process down to 10^-5 /yr. Each existing layer (alarms, mechanical, other) has PFD = 0.1 and reduces the frequency by an order of magnitude; the remaining risk gap between the intermediate risk and the tolerable risk level is closed by the SIF specified in the SRS with PFD < 0.1, leaving the residual risk below the tolerable level.]
Concept
Safety is impacted when hazardous events occur (a hazard is the potential to cause harm). Let's take a step back: would it be correct to say that hazardous events are created by the loss of an asset's ability to provide adequate containment due to damage (short or long term)?
Introduction
Asset protection consists of methods available to protect assets from liabilities arising elsewhere [1].
[1] Richard T. Williamson (2008). The Real Estate Investor's Guide to Corporations, LLCs & Asset Protection Entities. Kaplan Publishing. p. 43. ISBN 978-1-4277-9702-5.
LOPA - Layer of Protection Analysis
[Figure: the layer-of-protection diagram repeated. Same layers (process, alarms, mechanical, other, each PFD = 0.1; SRS with PFD < 0.1 closing the risk gap to the tolerable risk level); the hazard frequency axis is shown from 10^-2 /yr down to 10^-5 /yr.]
Hazard Analysis: comparison with IEC 61511 practices
Parameter > pressure/temperature/flow
Deviation > more/less/no
Cause > equipment failures/human error/external factors
Consequence (likelihood/severity) > damage to equipment / failure of a barrier leading to loss of containment
Could we also define the potential for asset damage/loss?
Operating windows
Risk Assessment
- Loss scenario from hazard analysis
- IE with designated frequency
- IPLs with designated PFD/PFH
So what's missing?
Other Sources
Risk criteria definition!
- IEC 61508/61511 define the need to establish risk criteria based on safety impact (people).
- The CDOIF guideline "Environmental Risk Tolerability for COMAH Establishments" defines targets for impact on populations of species.
- Commercial?
If aligned, the three risk criteria allow the IEC 61508/61511 framework to be used to identify asset protection systems that prevent major losses (shutdown, asset costs, etc.).
Note: API 580 (RBI) defines the need to establish risk criteria based on loss levels (£/$).
Example: severity rating across the three consequence categories

Rating | Safety consequences | Environmental consequences | Commercial consequences
1 | Minor injury or minimal health effect | Minimal effect | n/a
2 | Injury requiring medical treatment or short-term health effect | Slight effect | < USD 20,000
3 | Lost workday injury or medium-term health effect | Minor effect, no | USD 20,000 to USD 100,000
4 | 2 or more lost workday cases, or 1 permanent disability case preventing return to work | Local pollution near the asset or within the site boundary, remediation within a matter of days | USD 100,000 to USD 1 million
5 | 1 fatality, or 2-5 permanent disability cases preventing return to work | Significant pollution beyond the asset or site boundary, potential to affect third parties | USD 1 million to USD 100 million
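The LOPA diagram and the severity table above, combined into one worked calculation. This is an added example, not code from the slides or from ESC Ltd: each scenario's governing severity is the worst of its safety, environmental and commercial ratings (the commercial bands are taken from the table; the safety and environmental ratings are given as inputs), an assumed tolerable frequency per severity sets the target, the initiating-event frequency is multiplied through the existing IPL PFDs as in the LOPA figure, and the remaining gap gives the PFD and SIL the SRS would have to specify. The tolerable-frequency values, the three scenarios and their PFDs are constructed assumptions; the SIL bands are the IEC 61508 low-demand PFDavg bands.

```python
"""
LOPA gap analysis across the three risk criteria (safety, environment, commercial).

Added worked example; not from the original slides. The IEC 61508 low-demand SIL
bands are the standard's own; every tolerable-frequency value, scenario and PFD
below is a constructed assumption used only to illustrate the method.
"""
from dataclasses import dataclass

# Commercial bands from the slide's severity table (upper bound in USD, exclusive).
# Rating 1 has no commercial consequence ("n/a"), so any positive loss is at least rating 2.
COMMERCIAL_BANDS = [(20_000, 2), (100_000, 3), (1_000_000, 4), (100_000_000, 5)]

# ASSUMPTION: tolerable frequency (events per year) for each governing severity rating.
# The slides call for such criteria but do not state values; these are illustrative only.
TOLERABLE_FREQ_PER_YEAR = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4, 5: 1e-5}

# IEC 61508 low-demand PFDavg bands: (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


def commercial_severity(loss_usd: float) -> int:
    """Map an estimated loss to the commercial column of the severity table."""
    if loss_usd <= 0:
        return 1
    for upper, rating in COMMERCIAL_BANDS:
        if loss_usd < upper:
            return rating
    return 5  # above the table's top band: keep the highest rating


@dataclass(frozen=True)
class Scenario:
    name: str
    initiating_event_freq: float   # /yr, from hazard analysis
    ipl_pfds: dict                 # IPL name -> PFD; the SIF under study is excluded
    safety_rating: int             # 1..5 from the safety column
    env_rating: int                # 1..5 from the environmental column
    commercial_loss_usd: float     # estimated cost of repair/replacement and outage


def governing_severity(s: Scenario) -> int:
    """Aligned criteria: the worst of the three ratings sets the target frequency."""
    return max(s.safety_rating, s.env_rating, commercial_severity(s.commercial_loss_usd))


def mitigated_frequency(s: Scenario) -> float:
    """Frequency after the existing IPLs, as in the LOPA diagram: f_IE * product(PFD_i)."""
    freq = s.initiating_event_freq
    for name, pfd in s.ipl_pfds.items():
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"IPL {name!r}: PFD {pfd} outside (0, 1]")
        freq *= pfd
    return freq


def sil_for_pfd(required_pfd: float):
    """SIL band for a required PFDavg. 0 means RRF below 10 (no SIL claim needed);
    None means the gap is below the SIL 4 band and a single SIF should not close it."""
    if required_pfd >= 0.1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= required_pfd < hi:
            return sil
    return None


def gap_analysis(s: Scenario) -> dict:
    """Target frequency from the governing severity, gap versus mitigated frequency,
    and the PFD / SIL the SIF would need to be specified with in the SRS."""
    severity = governing_severity(s)
    target = TOLERABLE_FREQ_PER_YEAR[severity]
    mitigated = mitigated_frequency(s)
    if mitigated <= target:  # existing layers already close the gap: no SIF required
        return {"severity": severity, "target": target, "mitigated": mitigated,
                "required_pfd": None, "rrf": 1.0, "sil": 0}
    required_pfd = target / mitigated
    return {"severity": severity, "target": target, "mitigated": mitigated,
            "required_pfd": required_pfd, "rrf": mitigated / target,
            "sil": sil_for_pfd(required_pfd)}


# Constructed scenarios (not from the case study; numbers chosen for illustration).
SAMPLE_SCENARIOS = [
    # Mixed consequences: the governing rating comes from the commercial column (USD 3M, rating 5).
    Scenario("Vessel overpressure", 0.5, {"high-pressure alarm": 0.1, "relief valve": 0.05},
             safety_rating=3, env_rating=2, commercial_loss_usd=3_000_000),
    # Asset-only: no safety or environmental impact; the commercial loss alone drives a SIL.
    Scenario("Compressor surge damage", 0.2, {"vibration alarm + operator response": 0.1},
             safety_rating=1, env_rating=1, commercial_loss_usd=60_000),
    # Gap already closed by the existing layers: no SIF required.
    Scenario("Minor spill to bund", 0.01, {"level alarm": 0.1},
             safety_rating=1, env_rating=2, commercial_loss_usd=5_000),
]


def run_examples() -> dict:
    """Gap analysis for every sample scenario, keyed by scenario name."""
    return {s.name: gap_analysis(s) for s in SAMPLE_SCENARIOS}


if __name__ == "__main__":
    for name, r in run_examples().items():
        print(f"{name}: severity {r['severity']}, mitigated {r['mitigated']:.2e}/yr, "
              f"target {r['target']:.0e}/yr, required PFD {r['required_pfd']}, SIL {r['sil']}")
```

Running the block prints the three results. The compressor scenario is the one the aligned criteria are meant to surface: neither its safety nor its environmental rating exceeds 1, yet the commercial criterion alone calls for a SIL 1 function. Note also what `sil_for_pfd` returns when the required PFD falls below the SIL 4 band: a single SIF should not be asked to close that gap, and the scenario needs additional layers or a design change.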
Example 2
Estimated Impact of Asset Loss
Mission Critical Equipment? Critical Operational Equipment? Critical Task?
Case Study
Oil & gas operator with undefined overall risk criteria for asset loss, but defined loss levels per asset (e.g. compressor failure, 7 to 10 day outage > $5M).
Results of the assessments:
- Issues with a single asset could cause losses of over $200M (worst case) due to asset replacement and investigation time
- Identification of existing protective systems for the compressor (mission critical systems) and their associated PFH/PFDs (maintenance impact)
- Consequences of loss for the asset were defined in the assessment in terms of cost to repair/replace, outage time and ability to operate without the asset
- Identification of manual operations which can specifically cause the asset to degrade more quickly (loss of efficiency)
- Definition of cases where holding significant spares or redundancy will result in loss mitigation (e.g. 1 day outage vs. 7-10 days)
Other Benefits
IEC 61508/61511 has a defined lifecycle with:
- Verification activities per stage/phase
- Validation of system protection prior to use
- Mapped management and planning activities
- Defined competency requirements for critical systems
- Requirements for management of change
One single process, one single lifecycle, three key areas of potential improvement (safety, environment, asset).
Any Questions?