The Use of an Operator as a SIL 1 component in a Tank Overfill Protection System

Similar documents
InstrumentationTools.com

IEC61511 Standard Overview

Australian Standard. Functional safety Safety instrumented systems for the process industry sector

PPA Michaël GROSSI - FSCE PR electronics

Technical Paper. Functional Safety Update IEC Edition 2 Standards Update

New Developments in the IEC61511 Edition 2

SIL Safety Guide Series MS Single-Acting Spring-Return Hydraulic Linear Actuators

100 & 120 Series Pressure and Temperature Switches Safety Manual

United Electric Controls One Series Safety Transmitter Safety Manual

Digital EPIC 2 Safety manual

PRIMATECH WHITE PAPER CHANGES IN THE SECOND EDITION OF IEC 61511: A PROCESS SAFETY PERSPECTIVE

Session Four Functional safety: the next edition of IEC Mirek Generowicz Engineering Manager, I&E Systems Pty Ltd

Safety Transmitter / Logic Solver Hybrids. Standards Certification Education & Training Publishing Conferences & Exhibits

FUNCTIONAL SAFETY IN FIRE PROTECTION SYSTEM E-BOOK

Safety Integrity Verification and Validation of a High Integrity Pressure Protection System to IEC 61511

ADIPEC 2013 Technical Conference Manuscript

Overfill Prevention Control Unit with Ground Verification & Vehicle Identification Options. TÜVRheinland

Functional Safety: the Next Edition of IEC 61511

This document is a preview generated by EVS

Safety lnstrumentation Simplified

INTERNATIONAL STANDARD

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

67 th Canadian Chemical Engineering Conference EDMONTON, AB OCTOBER 22-25, 2017

Process Safety Workshop. Avoiding Major Accident Hazards the Key to Profitable Operations

Safety Instrumented Systems Overview and Awareness. Workbook and Study Guide

Rosemount Functional Safety Manual. Manual Supplement , Rev AF March 2015

The SIL Concept in the process industry International standards IEC 61508/ 61511

Beyond Compliance Auditing: Drill til you find the pain points and release the pressure!

Control and Safety in Gas and Oil Complex Industries. Turkey, Istanbul, Wyndham Grand Istanbul Levent. Training Course :

Mobrey Magnetic Level Switches

Session Number: 3 SIL-Rated Fire (& Gas) Safety Functions Fact or Fiction?

Failure Modes, Effects and Diagnostic Analysis

New requirements for IEC best practice compliance

SIL DETERMINATION AND PROBLEMS WITH THE APPLICATION OF LOPA

Failure Modes, Effects and Diagnostic Analysis

This document is a preview generated by EVS

Changes in IEC Ed 2

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, Minnesota USA

Karl Watson, ABB Consulting Houston LOPA. A Storage Tank Case Study. ABB Inc. September 20, 2011 Slide 1

Failure Rate Data, Safety System Modeling Concepts, and Fire & Gas Systems Moderator: Lori Dearman, Webinar Producer Thursday, May 16th, 2013

Implementing Safety Instrumented Burner Management Systems: Challenges and Opportunities

Session Ten Achieving Compliance in Hardware Fault Tolerance

INTERNATIONAL STANDARD

Functional Safety Solutions

Options for Developing a Compliant PLC-based BMS

FMEDA and Proven-in-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

BRIDGING THE SAFE AUTOMATION GAP PART 1

Using HAZOP/LOPA to Create an Effective Mechanical Integrity Program

Why AC800M High Integrity is used in Burner Management System Applications?

Failure Modes, Effects and Diagnostic Analysis

White Paper. Integrated Safety for a Single BMS Evaluation Based on Siemens Simatic PCS7 System

Integrated but separate

Safety Instrumented Systems The Smart Approach

Practical Methods for Process Safety Management

INTERNATIONAL STANDARD

Soliphant M with electronic insert FEM52

INTERNATIONAL STANDARD

Fire and Gas Detection and Mitigation Systems

Addressing Challenges in HIPPS Design and Implementation

IEC PRODUCT APPROVALS VEERING OFF COURSE

Key Topics. Steven T. Maher, PE CSP. Using HAZOP/LOPA to Create an Effective Mechanical Integrity Program. David J. Childs

Process Safety - Market Requirements. V.P.Raman Mott MacDonald Pvt. Ltd.

Safety in the process industry

This is a preview - click here to buy the full publication

Rosemount 2140:SIS Level Detector

User s Manual. YTA110, YTA310, YTA320, and YTA710 Temperature Transmitters. Manual Change No

Applying Buncefield Recommendations and IEC61508 and IEC Standards to Fuel Storage Sites

Failure Modes, Effects and Diagnostic Analysis

LOPA. DR. AA Process Control and Safety Group

High Integrity Pressure Protection System

excellence in Dependable Automation ALARM MANAGEMENT

Failure Modes, Effects and Diagnostic Analysis. PR electronics A/S Rønde Denmark

Failure Modes, Effects and Diagnostic Analysis

This document is a preview generated by EVS

2015 Functional Safety Training & Workshops

Certification Report of the ST3000 Pressure Transmitter

Failure Modes, Effects and Diagnostic Analysis

Certification Report of the ST 3000 Pressure Transmitter with HART 6

IEC an aid to COMAH and Safety Case Regulations compliance

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

Management of installed safety instrumented systems (SIS)

Benchmarking Industry Practices for the Use of Alarms as Safeguards and Layers of Protection

USER APPROVAL OF SAFETY INSTRUMENTED SYSTEM DEVICES

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

Assessment of the Safety Integrity of Electrical Protection Systems in the Petrochemical Industry

The Role of Engineering Judgement in Fire and Gas (F&G) Mapping

Presenter Joe Pittman

HazLoc Essential Guides:

The agri-motive safety performance integrity level Or how do you call it?

Simply reliable: Process safety from Endress+Hauser

Guidelines. Safety Integrity Level - SIL - Valves and valve actuators. February Valves

Australian Standard. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 0: Functional safety and AS 61508

Safety Instrumented Systems

Strathayr, Rhu-Na-Haven Road, Aboyne, AB34 5JB, Aberdeenshire, U.K. Tel: +44 (0)

Circuit Breakers JANUARY The electronic pdf version of this document found through is the officially binding version

SAFETY MANUAL. Electrochemical Gas Detector GT3000 Series Includes Transmitter (GTX) with H 2 S or O 2 Sensor Module (GTS)

Fire and gas safety systems:

FUNCTIONAL SAFETY: A PRACTICAL APPROACH FOR END-USERS AND SYSTEM INTEGRATORS

Transcription:

The Use of an Operator as a SIL 1 component in a Tank Overfill Protection System By Andrew Derbyshire IEng MIET Senior Safety Consultant Det Norske Veritas

In the beginning Hazard XXIII held in Southport between 12 th 15 th November 2012 David Embrey and Jamie Henderson Human Reliability Associates, UK An independent evaluation of the UK Process Industry Association Gap Analysis tool for addressing the use of an operator as a SIL 1 component in tank overfill protection systems. The UK Process Industry Association (UKPIA) has developed a minimum set of requirements for an operator to be considered part of a SIL1 safety function in relation to tank overfill protection systems at refineries and terminals. The requirements address areas such as systems architecture, human factors, communication and alarm management. This set of requirements was used by the UKPIA to develop a self assessment tool (the SIL 1 human factors self assessment tool) for organisations to assess an actual or proposed Safety Instrumented System (SIS) that incorporates a human operator Det Norske Veritas AS. All rights reserved. 2

In the beginning Hazard XXIII held in Southport between 12 th 15 th November 2012 David Embrey and Jamie Henderson Human Reliability Associates, UK An independent evaluation of the UK Process Industry Association Gap Analysis tool for addressing the use of an operator as a SIL 1 component in tank overfill protection systems. The UK Process Industry Association (UKPIA) has developed a minimum set of requirements for an operator to be considered part of a SIL1 safety function in relation to tank overfill protection systems at refineries and terminals. The requirements address areas such as systems architecture, human factors, communication and alarm management. This set of requirements was used by the UKPIA to develop a self assessment tool (the SIL 1 human factors self assessment tool) for organisations to assess an actual or proposed Safety Instrumented System (SIS) that incorporates a human operator Det Norske Veritas AS. All rights reserved. 3

Operator to be considered part of a SIL 1 Safety Function What is a Safety Function?? Function to be implemented by an SIS, other technology safety related system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event. IEC 61511:2004 Part 1 Clause 3.2.68 SAFETY FUNCTION OTHER MEANS OF RISK REDUCTION SAFETY INSTRUMENTED SYSTEM OTHER PROTECTIVE FUNCTION ALARM LEVEL GAUGE BPCS RELIEF VALVE MATERIAL SELECTION DESIGN PHILOSOPHY Det Norske Veritas AS. All rights reserved. 4

Operator to be considered part of a SIL 1 Safety Function Safety Function. SIL SAFETY FUNCTION OTHER MEANS OF RISK REDUCTION SIL SAFETY INSTRUMENTED SYSTEM SIL OTHER PROTECTIVE FUNCTION What is SIL?? discrete level for specifying the safety Integrity requirements of the SIFs to be allocated To the SISs IEC 61511:2004 Part 1 Clause 3.2.74 ALARM LEVEL GAUGE BPCS RELIEF VALVE MATERIAL SELECTION DESIGN PHILOSOPHY Det Norske Veritas AS. All rights reserved. 5

Safety Instrumented System that incorporates a Human Operator Safety Instrumented System. Instrumented System used to implement one or more safety instrumented functions. An SIS is composed of any combination of Sensor(s), Logic solver(s), and Final element(s). IEC 61511:2004 Part 1 Clause 3.2.72 SAFETY INSTRUMENTED SYSTEM e.g. Sensor Logic Solver Final Element SIF #1 SIF #2 SIF #3 SIF #4 NP NP NP PE PE PE Det Norske Veritas AS. All rights reserved. 6

Safety Instrumented System that incorporates a Human Operator Safety Instrumented System. Instrumented System used to implement one or more safety instrumented functions. An SIS is composed of any combination of Sensor(s), Logic solver(s), and Final element(s). IEC 61511:2004 Part 1 Clause 3.2.72 SAFETY INSTRUMENTED SYSTEM e.g. Sensor Logic Solver Final Element NP NP NP PE PE PE NOTE 5 When a Human action is a part of an SIS, the availability and reliability of the operator action must be specified in the SRS and included in the performance calculations for the SIS. See IEC 61511-2 for guidance on how to include operator availability and reliability in SIL calculations. IEC 61511:2004 Part 1 Clause 3.2.72 Det Norske Veritas AS. All rights reserved. 7

IEC 61511:2004 Vs IEC 61511:2012 (Draft) Safety Instrumented System. 2004: Instrumented System used to implement one or more safety instrumented functions. An SIS is composed of any combination of Sensor(s), Logic solver(s), and Final element(s). NOTE 5 When a Human action is a part of an SIS, the availability and reliability of the operator action must be specified in the SRS and included in the performance calculations for the SIS. See IEC 61511-2 for guidance on how to include operator availability and reliability in SIL calculations. IEC 61511:2004 Part 1 Clause 3.2.72 2012: Instrumented system used to implement one or more SIF NOTE 3 When a Human interaction is a part of an SIS, the availability and reliability of the operator action must be specified in the SRS and included in the performance calculations for the SIS. See IEC 61511-2 for guidance on how to include operator availability and reliability in SIL calculations. IEC 61511:2012 Part 1 Clause 3.2.71 Det Norske Veritas AS. All rights reserved. 8

Consideration..?? 1. Operator to be considered part of a SIL 1 Safety Function 2. Safety Instrumented System that incorporates a Human Operator Sensor to Alarm Annunciation Observe Diagnose Plan Action (Including Final Element) Det Norske Veritas AS. All rights reserved. 9

What if they are only Considering a Human Operator as interacting with the SIS The evidence in the paper to suggest contrary to this: 1. Introduction The terms of reference of the review were that, in accordance with IEC 61511, operators may form a part of a SIL 1 safety function inclusion of an operator within a SIL1 safety function as part of the end to end safety function factors necessary to justify the use of an operator as a SIL 1 component in a Safety Instrumented System (SIS) 2. Review of the Content of the Tool factors or conditions necessary for an operator to act as part of a SIL 1 safety function. This was interpreted as confirming that all variables that might affect operator response to an alarm in an overfill scenario were included in the tool 3. Restructuring the Tool which allows the focused evaluation of the most relevant factors necessary to justify the use of an operator as a SIL 1 component in a SIS. Operators and Safety Systems for Overfill Protection of Tanks The analysis should be concerned solely with the probability of the operator responding in a timely fashion to a SIL 1 alarm Det Norske Veritas AS. All rights reserved. 10

When would you consider a Human Operator interacting with a SIS λ DD Failure modes in a SIL Capable Element MTTR calculations Notify operator of SIS actions Notify operator of reduced HFT Bypassing of the SIS The Human may interact with a part of the SIS but must NOT be considered a part of implementing the Safety Instrumented Function. The important issue with any interaction between the SIS and the operator is That the means of interaction must not prevent the SIS from performing its SIF. Det Norske Veritas AS. All rights reserved. 11

Conclusion Functional Safety is about implementing risk reduction within a defined level of integrity in the form of an autonomous system capable of placing or maintaining a process in a safe state. In order to achieve this a Safety Instrumented System, as defined by IEC 61511, does not place any direct requirements on the individual operators or maintenance person. Neither IEC 61511 or any other Functional safety related standard allows the substitution of one of the fundamental 3 elements, Sensor(s), Logic Solver(s) or Final element(s) with a human operator. As defined in IEC 61511 a human operator maybe used within other means of risk reduction and this maybe considered in a LoPA study so long as there is sufficient independence. A human operator may interact with part of a SIS however this is not to say they form part of the Safety Instrumented Function being achieved by the SIS. Functional Safety and IEC 61511 in particular does not allow the use of a human operator to act as the logic solver in a SIS responding to an alarm in order to action the final element. A Human decision to respond to an alarm can be considered the case for other protective means but not for Functional Safety. The paper presented at the Hazard XXIII on the use of an operator as a component in a SIL 1 level tank overfill protection system is not in compliance with IEC set of Functional Safety standards and specifically IEC 61511. The use of terms such as SIL and SIS in the paper have been misinterpreted by the author and used out of their perceived context. The paper is in jeopardy of placing the process industry into a false sense of security by adopting these practices and I recommend that the IEC 61508 Association respond to UKPIA with a committee backed letter of disapproval of this practice. Det Norske Veritas AS. All rights reserved. 12

Safeguarding life, property and the environment www.dnv.com Det Norske Veritas AS. All rights reserved. 13

2024 © homedocbox.com Privacy Policy | Terms of Service | Feedback