Safety Integrity Verification and Validation of a High Integrity Pressure Protection System to IEC 61511


TÜV Rheinland International Symposium in China: Functional Safety in Industrial Applications, October 18-19, 2011, Shanghai, China
Safety Integrity Verification and Validation of a High Integrity Pressure Protection System to IEC 61511

HIPPS: High Integrity Pressure Protection Systems
Why do we need a SIF?
- Because the plant equipment is not fully rated for the potential pressures to which it might be exposed under certain reasonably foreseeable circumstances.
- Mechanical protective systems are present but inadequate to prevent loss of containment.

HIPPS: High Integrity Pressure Protection Systems
A HIPPS is implemented only after all other risk control measures have been considered and discounted:
1. Inherently safe measures and design
2. Process control systems
3. Passive protection measures
4. Mechanical active protection measures
5. HIPPS

Problem Statement
- Requirement: sour gas reinjection into existing wells
- Requirement: new compression capability, 550 barg
- Problem: existing wells MAWP 450 barg
- Eliminate the potential for casing damage in the event of tube failure

Process Hazard and Risk Assessment
- Critical examination of plant operations on the completed design
- Identifies detailed hazard, control and operability problems
- Reviews existing safety measures
- Often uses the Hazard and Operability study (HAZOP) method
- Should be completed before detailed design/procurement begins

HAZOP Study Procedure
- Definition phase: scope and objectives; responsibilities; select team
- Preparation phase: plan; collect data; choose recording method; estimate time required; arrange the schedule
- Examination phase: divide the system into elements; examine each element for deviations from design intent; identify possible deviations, causes, consequences and protection needs; agree actions; repeat for each element
- Reporting and follow-up phase: record on worksheets; sign off records; produce report; follow up actions; restudy where needed; issue final report

IEC 61511: Mapping HAZOP Data to LOPA Data (diagram slide)

The LOPA Process
1. Define the unwanted impact
2. Determine and list all of the initiating events
3. Determine and list all of the layers of protection
4. Quantify the frequency of the initiating events
5. Quantify the effectiveness of the layers of protection
6. Calculate the resultant frequency of the unwanted impact

Typical LOPA Worksheet (worksheet slide)

PHRA and LOPA identified two hazard event scenarios to be considered; the worst case scenario sets the target at SIL 2:
1. Operates as a preventative IPL, isolating the well when a downstream failure occurs, such as a compressor control system failure leading to high pressure. Target SIL 2.
2. Operates as a mitigative IPL, reducing the escalation effects from the flow lines when an upstream failure occurs, such as a tube failure. Target SIL 1.
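The six LOPA steps above, carried through for two scenarios shaped like the preventative and mitigative cases on this slide, as an added worked example (not code or data from the original presentation). The initiating event frequencies, IPL PFDs and the tolerable frequency are constructed sample values; the SIL band boundaries are the IEC 61511 low-demand PFD bands. The example goes one step beyond the slide by turning the residual frequency into the PFD the HIPPS must provide, and so into a target SIL per scenario and a worst case target for the SIF.

```python
"""LOPA worked example (added illustration, not from the original slides).

Steps: (1) define the unwanted impact, (2) list initiating events, (3) list the
independent protection layers (IPLs), (4) quantify event frequencies, (5)
quantify IPL effectiveness, (6) compute the resultant frequency. The residual
frequency is then compared with a tolerable target to derive the PFD, and so
the target SIL, that the HIPPS must deliver. All numbers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# IEC 61511 low-demand SIL bands: SIL -> (PFD lower bound inclusive, upper bound exclusive)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass
class IPL:
    name: str
    pfd: float  # probability of failure on demand credited to this layer


@dataclass
class Scenario:
    impact: str                 # step 1: the unwanted impact
    initiating_event: str       # step 2
    frequency_per_year: float   # step 4
    ipls: List[IPL] = field(default_factory=list)  # steps 3 and 5, excluding the SIF being sized

    def mitigated_frequency(self) -> float:
        """Step 6: initiating frequency multiplied by the PFD of every IPL in the path."""
        f = self.frequency_per_year
        for ipl in self.ipls:
            f *= ipl.pfd
        return f


def required_sif_pfd(scenario: Scenario, tolerable_frequency: float) -> float:
    """PFD the SIF must achieve so the mitigated frequency meets the tolerable target."""
    residual = scenario.mitigated_frequency()
    if residual <= tolerable_frequency:
        return 1.0  # the other layers already suffice; no risk reduction needed from the SIF
    return tolerable_frequency / residual


def target_sil(required_pfd: float) -> int:
    """Map a required PFD onto the SIL band that delivers it (0 = no SIL required)."""
    if required_pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= required_pfd < hi:
            return sil
    raise ValueError("required PFD lies below the SIL 4 band; revisit the other protection layers")


# Constructed scenarios mirroring the two hazard events on the slide.
SCENARIOS = [
    Scenario(
        impact="Overpressure of the existing well casing (loss of containment)",
        initiating_event="Compressor control system failure leading to high pressure",
        frequency_per_year=0.05,
        ipls=[IPL("Operator response to high-pressure alarm", 0.1)],
    ),
    Scenario(
        impact="Escalation from the flow lines after tube failure",
        initiating_event="Tube failure (upstream)",
        frequency_per_year=5e-4,
        ipls=[],
    ),
]
TOLERABLE_FREQUENCY = 1e-5  # constructed tolerable frequency of the unwanted impact, per year


def lopa_targets(scenarios=SCENARIOS, tolerable=TOLERABLE_FREQUENCY) -> Dict[str, Tuple[float, int]]:
    """Return {initiating_event: (required SIF PFD, target SIL)} for each scenario."""
    results = {}
    for s in scenarios:
        pfd = required_sif_pfd(s, tolerable)
        results[s.initiating_event] = (pfd, target_sil(pfd))
    return results


def worst_case_sil(scenarios=SCENARIOS, tolerable=TOLERABLE_FREQUENCY) -> int:
    """The SIF is designed to the most demanding scenario it serves."""
    return max(sil for _, sil in lopa_targets(scenarios, tolerable).values())


if __name__ == "__main__":
    for event, (pfd, sil) in lopa_targets().items():
        print(f"{event}: required PFD <= {pfd:.1e} -> target SIL {sil}")
    print("Worst case target SIL for the HIPPS:", worst_case_sil())
```

With these constructed inputs the preventative scenario needs a PFD of about 2E-03 (SIL 2) and the mitigative one about 2E-02 (SIL 1), so the HIPPS is sized to SIL 2, the same shape of outcome the slide reports. Note that no conditional modifiers or enabling conditions are applied; add them as further multiplicative factors if the study uses them.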

Applying IEC 61511 Lifecycle Phases for HIPPS Implementation
- Phase 1: Process Hazard and Risk Assessment (PHRA)
- Phase 2: Allocation of Safety Functions (LOPA)
- Phase 3: Safety Requirements Specification (SRS)
- Phase 4: Design and Engineering of HIPPS
- Phase 5: Installation, Commissioning and Validation
- Handover to O&M after FSA Stage 3 is completed

IEC 61511 Lifecycle Concept (diagram slide)
Analysis phase:
- (1) Hazard & risk assessment
- (2) Allocation of safety functions to protection layers
- (3) Safety requirements specification for the safety instrumented system
Realization phase:
- (4) Design & engineering of the safety instrumented system, alongside design & development of other means of risk reduction
- (5) Installation, commissioning & validation
Operation phase:
- (6) Operation & maintenance
- (7) Modification
- (8) Decommissioning
Spanning all phases:
- (9) Verification
- (10) Management of functional safety & FSA
- (11) Safety lifecycle structure & planning
- FSA Stages 1 to 5 at the assessment points through the lifecycle

IEC 61511 Safety Lifecycle Documentation for HIPPS
Phase | Information
All phases | Functional Safety Management Plan, including IEC 61508 systematic avoidance techniques & measures
Process hazard and risk analysis & allocation of safety functions | HAZOP, SIL determination, LOPA, ETA, FTA, QRA, COMAH etc. reports
Safety requirements specification | Specification of HIPPS with functional and integrity requirements, cause and effects
Design & engineering | SIS design, FDS, SDS, SMDS, HFT, GA, control and logic philosophy, SLD, circuit diagrams, manuals, reliability analysis etc.
Installation and commissioning | Checklists, integration, FAT, SAT specification and reports, installation and commissioning plans and functional checklists
Safety validation | Functional safety assessment, verification and validation report
Operation and maintenance | Functional testing, inspection and maintenance logs, FS audit reports
Modification and decommissioning | Change management / modification request, impact analysis reports

IEC 61511 Safety Lifecycle Goals (Clause 6.2.3)
1. Ensure that the SRS is met for all relevant modes of the process;
2. Ensure proper installation and commissioning of the SIS;
3. Ensure the SIL of the SIFs after installation;
4. Maintain the SIL during operation (proof testing, failure analysis);
5. Manage the process hazards during SIS maintenance activities.

Challenges in Achieving Functional Safety
The challenge is to design a HIPPS in such a way as to prevent or minimise the impact of dangerous failures, or to control them when they occur, arising from:
- Competency of safety practitioners (TÜV Rheinland FSP / FSE)
- Incorrect specifications of hardware or software
- Omissions in the safety requirements specification
- Random and systematic hardware failure mechanisms
- Software errors
- Common cause failures
- Human error
- Environmental influences
- Supply system voltage disturbances

Systematic Failures
- A single systematic fault can cause failure in multiple channels of a redundant system.
- Systematic failures cannot be accurately predicted because the events leading to them cannot be easily predicted.
- FS management helps avoid systematic failures by providing methods and guidelines to prevent design errors.
- A system implemented using such methods should be relatively free of systematic errors.

Why Apply FSM to Avoid Systematic Failures (figure: HSE UK, "Out of Control", Figure 10, ISBN 978 0 7176 2192 7)

FS Verification & Validation, Assessments and Audits to Avoid Systematic Failures
Verification (IEC 61511 Clause 7):
- Verification is carried out after each lifecycle phase
- Check of the values used in LOPA
- Check of the failure data used and the calculations undertaken
- Check of SFF and that the correct hardware fault tolerance has been applied
Validation (IEC 61511 Clause 15):
- Validation is a phase in the lifecycle
- It is carried out at the end of the project, before process hazards are introduced
- Validation confirms that the SRS has been met
Functional Safety Assessment (FSA) (IEC 61511 Clause 5.2.6):
- Assesses that IEC 61511 has been correctly implemented
- Must be carried out with sufficient independence to meet the target SIL

How to Achieve the Target SIL
- Selection of components and sub-systems
- Design to achieve the target PFD average
- Design for safe behaviour on detection of a fault
- Ensure functional independence from the control system
- Comply with hardware fault tolerance requirements
- Design to reduce common cause failures
- Provide secure interfaces between components

Design Considerations to Meet the HIPPS Target SIL
The design needs to evaluate the potential for random hardware failures and for systematic errors in design or in software.
Random hardware failures:
- Each subsystem must satisfy the SIL tables for hardware fault tolerance
- Each subsystem must satisfy the SIL tables for PFD or PFH
- The overall system must satisfy the SIL tables for PFD or PFH
Systematic failures:
- Adequate measures to avoid systematic errors during design: project procedures, safety lifecycle methods, verifications
- Software engineering design must incorporate safety techniques and measures appropriate to the required SIL
The SIL rating of the safety function is defined by the lowest SIL of the above.

For HIPPS to Qualify for a SIL 2 Target (decision diagram slide)
- Build to IEC 61508-2 and -3 (HW and SW), or qualify by prior use (IEC 61511 clause 11.5.3)
- Smart device (FPL) for SIL 1 or 2; non-PE device
- Certify to IEC 61508; SIL 3 requires formal assessment
- Apply the IEC 61511 limitations (clause 11.5.4)
- PFD must satisfy the SIL target

HIPPS Configuration (diagram slide)

HIPPS 2oo3 Simplified Example (ISA TR84.00.02-2002)
2oo3 physical block diagram: three channels, each with channel diagnostics, voted 2oo3.
$PFD_{avg} = \lambda_{DU}^2 \cdot TI^2 + 3\,\lambda_{DU}\,\lambda_{DD}\,MTTR \cdot TI + \beta\,\lambda_{DU}\,\frac{TI}{2} + \lambda_{DF}\,\frac{TI}{2}$
- The second term represents multiple failures during repair; this factor is typically negligible for short repair times.
- The third term is the common cause term.
- The fourth term is the systematic error term.

Considerations for CCF Calculation
- IEC 61508 Part 6 Annex D: method for quantifying CCF
- The 2010 version is updated and based on the PDS methodology
- Based on the following factors from IEC 61508-6 Tables D.1 to D.5: separation/segregation; diversity/redundancy; complexity/design/application/experience; assessment/analysis and feedback of data; procedures/human interface; competence/training/safety culture; environmental control and testing.

Common Cause Failures
Systems diagram: a 1oo2 pair of channels (each $\lambda_d$) plus a common cause failure block ($\lambda_{cc}$).
$PFD_{avg} = \frac{\lambda_d^2 \cdot TI^2}{3} + \frac{\lambda_{cc} \cdot TI}{2}$
CCF should be shown as an additional 1oo1 block in the RBD, or as an input to an OR gate in an FTA, and then summed with the 1oo2 block to calculate the overall sub-system PFDavg.

Hardware Fault Tolerance
We must also consider the hardware fault tolerance of Type A and Type B sub-systems based on the achieved SFF. For 60% to 90% SFF:
Safety Integrity | Type A (simple devices, non-PES): min. fault tolerance | Type A: minimum architecture | Type B (complex devices): min. fault tolerance | Type B: minimum architecture
SIL 1 | 0 | 1oo1 | 0 | 1oo1
SIL 2 | 0 | 1oo1 | 1 | 1oo2 or 2oo3
SIL 3 | 1 | 1oo2 or 2oo3 | 2 | 1oo3
SIL 4 | 2 | 1oo3 | Special requirements apply, see IEC 61508 | Special requirements apply, see IEC 61508

Calculated Hardware Verification
- Target = SIL 2; Achieved = SIL 2
- Target PFD = 1.0E-02 to 1.0E-03; Achieved PFD = 9.32E-03
- Test interval = 3-monthly
- Worst case SFF = 60%, Type A, for the gate valve
- Required HFT for SIL 2 = 0
- Spurious trip leading to a HIPPS valve closure = 1 every 11 years
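The hardware verification described on the last few slides, as an added worked example (not code from the presentation): it implements the simplified 2oo3 equation with its four terms, the 1oo2 equation with CCF added as a separate 1oo1 block, and then checks a sub-system against the IEC 61511 low-demand PFD bands and the minimum HFT table for 60% to 90% SFF. Failure rates are per hour and times in hours; every numeric input in the demo is a constructed sample value. The only page figures reused are the achieved PFD of 9.32E-03 and the SIL 2 / Type A / HFT 0 combination from the verification slide, which the example reproduces as a check.

```python
"""Hardware verification helpers (an added illustration, not code from the slides).

Implements the two simplified PFDavg equations quoted on the slides (the 2oo3
form from ISA TR84.00.02 and the 1oo2 form with a separate common cause term),
then checks a sub-system against the IEC 61511 low-demand SIL bands and the
minimum hardware fault tolerance (HFT) table for 60% to 90% SFF. Failure rates
are per hour and times in hours; demo inputs are constructed sample values.
"""

# Low-demand PFDavg bands: SIL -> (lower bound inclusive, upper bound exclusive)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Minimum HFT for 60% to 90% SFF as tabulated on the slide: (device type, SIL) -> HFT.
# Type B at SIL 4 is deliberately absent: special requirements apply, see IEC 61508.
MIN_HFT = {
    ("A", 1): 0, ("A", 2): 0, ("A", 3): 1, ("A", 4): 2,
    ("B", 1): 0, ("B", 2): 1, ("B", 3): 2,
}


def pfd_avg_2oo3(lam_du, lam_dd, mttr, ti, beta, lam_df=0.0):
    """Simplified 2oo3 PFDavg; returns (total, dict of the four terms)."""
    terms = {
        # two undetected dangerous failures within one proof-test interval
        "independent": (lam_du ** 2) * (ti ** 2),
        # a second failure while a detected failure is under repair (negligible for short MTTR)
        "during_repair": 3 * lam_du * lam_dd * mttr * ti,
        # beta-factor common cause contribution
        "common_cause": beta * lam_du * ti / 2,
        # systematic (design) failure contribution
        "systematic": lam_df * ti / 2,
    }
    return sum(terms.values()), terms


def pfd_avg_1oo2(lam_d, lam_cc, ti):
    """1oo2 PFDavg with CCF added as an extra 1oo1 block (lam_cc) and summed in."""
    return (lam_d ** 2) * (ti ** 2) / 3 + lam_cc * ti / 2


def sil_from_pfd(pfd):
    """SIL band an achieved PFDavg falls in; 0 if it is worse than the SIL 1 band."""
    if pfd < 1e-5:
        return 4  # better than the SIL 4 lower bound; IEC 61511 defines no higher level
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


def hft_ok(device_type, target_sil, provided_hft):
    """True if the sub-system's HFT meets the table minimum for its type and SIL."""
    key = (device_type, target_sil)
    if key not in MIN_HFT:
        raise ValueError(f"no table entry for type {device_type} at SIL {target_sil}")
    return provided_hft >= MIN_HFT[key]


def verify_subsystem(name, target_sil, pfd, device_type, provided_hft):
    """Hardware verification record: both the PFD band and the HFT must pass."""
    achieved = sil_from_pfd(pfd)
    pfd_pass = achieved >= target_sil
    hft_pass = hft_ok(device_type, target_sil, provided_hft)
    return {
        "name": name,
        "pfd": pfd,
        "achieved_sil": achieved,
        "pfd_ok": pfd_pass,
        "hft_ok": hft_pass,
        "verified": pfd_pass and hft_pass,
    }


if __name__ == "__main__":
    ti = 3 * 730.0  # three-monthly proof test, in hours (constructed)
    total, terms = pfd_avg_2oo3(lam_du=2e-5, lam_dd=5e-5, mttr=24.0, ti=ti, beta=0.1)
    for term, value in terms.items():
        print(f"{term:>14}: {value:.2e}")
    print(f"2oo3 PFDavg = {total:.2e} -> SIL {sil_from_pfd(total)} band")
    print(verify_subsystem("gate valve (Type A, SFF 60%)", 2, total, "A", 0))
    print(verify_subsystem("logic solver (Type B)", 2, total, "B", 0))
    print(f"1oo2 with CCF: {pfd_avg_1oo2(1e-5, 1e-6, ti):.2e}")
```

Running the demo shows the point the slides make about common cause: with a beta of 0.1 the common cause term is the largest of the four, so redundancy alone does not buy the next SIL band. The second verification call also shows why the HFT table matters independently of the PFD: the same PFD that passes for a Type A gate valve at HFT 0 fails for a Type B device, which needs HFT 1 at SIL 2.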

Summary
- The IEC 61511 requirements for SIL 2 are achieved by the HIPPS.
- FSM has been applied to combat systematic failures.
- IEC 61508 3rd-party certified components are used where possible.
- With respect to the current design, the single gate valve is a single point of failure.
- The design can be improved by the addition of a 2nd gate valve in series with the 1st: PFD improvement = 33% (6.21E-03), which gives 50% of the SIL 2 PFD band.
- A key issue is the competence of Operations and Maintenance to maintain the target safety integrity over the plant lifetime.