Introduction to Safety Basics
Presented by Sven Grone of HIMA
Safety Standards Explained
What is a SIS (Safety Instrumented System)?
What is SIL (Safety Integrity Level)?
What is a SIF (Safety Instrumented Function)?
How is a SIS different from a DCS (BPCS)?
Examples of SIF Loop Design
Safety Acronyms
SIS: Safety Instrumented System
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
PFD: Probability of Failure on Demand
PHA: Process Hazard Analysis
LOPA: Layer Of Protection Analysis
SRS: Safety Requirement Specification
PES: Programmable Electronic System
BPCS: Basic Process Control System
Industry Standards for Safety Instrumented Systems (SIS)
Instrumentation, Systems, and Automation Society (ISA): ANSI/ISA 84.01, Application of Safety Instrumented Systems for the Process Industry, 1996 (revised 2004).
International Electrotechnical Commission (IEC): IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Sector.
Performance Based Standards
Evolving Standards
[Timeline of evolving standards, 1984 to today]
1984: TUV Guidelines for PES (SK Safety Classes 1-9)
1987: HSE PES Guidelines Parts 1 & 2
1989: DIN 19250 / VDE 0801 for PES (AK Safety Classes 1-8)
1994: Appendix to VDE 0801 - Harmonisation Document
1996: ISA SP84 - Safety Lifecycle, Quantitative Approach
1997: IEC 61508 - Safety Lifecycle, Quantitative and Qualitative Approach
2003: ANSI/ISA 84.01 = IEC 61511 - Functional Safety, SIS for the Process Industry Sector
2004: DIN 19250 withdrawn and introduction of Machine Safety Standard IEC 62061
Today: Many more to come?
Evolving Standards
IEC 61508 is an umbrella standard for functional safety across all industries. Each industry then uses IEC 61508 as a guide to develop industry-specific standards:
IEC/AS 61511: Process Industry
IEC 61513: Nuclear Industry
IEC 62061: Machinery Industry
Future: Rail, Medical, Automotive, Transport
Evolving Standards
Other standards reference safety standards:
FM AS 7605: Programmable Logic Control (PLC) Based Burner Management
FM AS 7610: Combustion Safeguards and Flame Sensing
NFPA 85: Boiler and Combustion Systems Hazards Code
OSHA Process Safety Management & duty of care
Why do we need Functional Safety?
Analysis of 34 incidents, based on 56 causes identified:
20% Changes after commissioning
44% Specifications
15% Operations and maintenance
6% Installation and commissioning
15% Design and implementation
Source: "Out of Control: Why control systems go wrong and how to prevent failure" (2nd edition, Health & Safety Executive, HSE UK)
IEC 61511 & ISA 84.01 Lifecycle
[Figure: the IEC 61511 / ISA 84.01 safety lifecycle, with the subclause of the standard covering each step]
Analysis Phase:
1. Risk Analysis and Protection Layer Design (Subclause 8)
2. Allocation of Safety Functions to Protection Layers (Subclause 9)
3. Safety Requirements Specification for the Safety Instrumented System (Subclause 10)
Realisation Phase:
4. Design and Engineering of the Safety Instrumented System (Subclause 11), alongside Design and Development of Other Means of Risk Reduction (Subclause 9)
5. Installation, Commissioning and Validation (Subclause 14)
Operation Phase:
6. Operation and Maintenance (Subclause 15)
7. Modification (Subclause 15.4)
8. Decommissioning (Subclause 16)
Activities spanning the whole lifecycle:
Management of Functional Safety and Functional Safety Assessment (Clause 5)
Safety Lifecycle Structure and Planning (Subclause 6.2)
Verification (Subclauses 7, 12.7)
Safety Lifecycle
[Figure: Safety Lifecycle flow. Stages shown, in the order extracted from the diagram: Conceptual Process Design; Process Hazards Analysis; SIF Definition; SIL Selection; PSAT; Conceptual Design; SIL Verification; Design Specifications; Operation, Maintenance and Testing; Management of Change; Procedure Development; Construction, Installation and Commissioning.]
Safety & Instrumented Layers of Protection
[Figure: independent protection layers, arranged from prevention (innermost) to mitigation (outermost)]
Prevention:
Plant Design and Basic Process Control System (process control layer): process value kept between low level and high level, normal behavior
High level alarm and Operator Intervention (process control layer): wild process parameter
Trip level alarm and Safety Instrumented System (isolated protection layer): Emergency Shut Down action
Mitigation:
Relief valve, rupture disk (active protection layer)
Dike (passive protection layer)
Plant and/or Emergency Response (emergency response layer)
What is a SIS?
Formal Definition:
SIS: instrumented system used to implement one or more safety instrumented functions (SIF). A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s). (IEC 61511 / ISA 84.01)
Informal Definition:
An instrumented control system that detects out-of-control conditions and automatically returns the process to a safe state
Last Line of Defense
Not basic process control system (BPCS)
What makes up a SIS?
[Figure: the three building blocks of a SIS on a process loop]
Sensor(s): process transmitter feeding the SIS input
Logic solver(s): the SIS program, with its input and output
Final element(s): the SIS output drives a solenoid valve (SV) on the instrument air supply (IAS) to the safety valve
How SIS are Different from BPCS?
[Figure: two independent loops on the same process. SIS loop: PT 102 to USC 102 to UV 102. BPCS loop: PT 101 to PIC 101 to PV 101.]
Safety PLC vs. standard PLC whats the difference?
A standard PLC has unknown failure modes: you don't know how it will fail before it fails.
A safety PLC is guaranteed to fail safely to within a certified probability (SIL 1, 2 or 3).
A safety PLC is certified by a 3rd party to the international standards IEC 61508 and IEC 61511.
TÜV certification includes the certificate, the report to the certificate AND operation as per the safety manual of the PLC.
A safety PLC must be configured by a person with appropriate safety competency.
Where would I need a SIS?
Typical applications for SIS:
ESD: Emergency ShutDown System
F&G: Fire and Gas System
BMS: Burner Management System
TMC: Turbo Machinery Control System
HIPPS: High Integrity Pressure Protection System
WHCP: Well Head Control Panel
What is a Safety Instrumented Function (SIF)?
Formal Definition:
SIF: function to be implemented by a SIS which is intended to automatically achieve or maintain a safe state for the process with respect to a specific hazardous event. (IEC 61511 / ISA SP 84.01)
[Figure: the SIS / BPCS loop diagram from above is repeated. SIS loop: PT 102 to USC 102 to UV 102. BPCS loop: PT 101 to PIC 101 to PV 101.]
Informal Definition:
Independent safety loop or interlock that automatically brings the process to a safe state in response to specific initiating events
SIS versus SIF
[Figure: a SIS contains the sensors, logic solver and final elements; each SIF is one loop passing through those elements.]
Safety Instrumented Function
Common misconceptions:
Over-temperature on the burner exhaust is a SIF
Generating an operator alarm indication is a SIF
Detecting a flammable gas cloud is a SIF
Detecting smoke or fire is a SIF
None of the above includes an action, associated with a final element, that automatically brings the plant to a safe state.
What is (SIL) Safety Integrity Level?
Safety Integrity Level
Informal Definition:
SIL: the Safety Integrity Level of a specific Safety Instrumented Function (SIF) which is being implemented by a Safety Instrumented System (SIS)
OR
The amount of risk reduction achieved by a specific Safety Instrumented Function (SIF)
[Figure: SIL 1, SIL 2, SIL 3 and SIL 4 shown as increasing levels.]
SIL expressed as PFD
PFDavg = λDU × TI / 2
PFD: Probability of Failure on Demand
λDU: rate of Dangerous Undetected Failures
TI: Test Interval (proof)
[Figure: PFD(t) grows over each test interval and is reset by the proof test; the resulting PFDavg is plotted over time against the SIL 1 to SIL 4 bands.]
Different levels of SIL
Safety Integrity Level   Safety (availability)   Probability of Failure on Demand   Risk Reduction Factor
SIL 4                    > 99.99%                0.001% to 0.01%                    100,000 to 10,000
SIL 3                    99.9% to 99.99%         0.01% to 0.1%                      10,000 to 1,000
SIL 2                    99% to 99.9%            0.1% to 1%                         1,000 to 100
SIL 1                    90% to 99%              1% to 10%                          100 to 10
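As an added worked example (not from the HIMA slides), the PFDavg formula and SIL table above applied to a constructed failure rate and test interval. It goes beyond the slide's single-channel formula by also using the standard simplified PFDavg approximations for the 1oo2, 2oo2 and 2oo3 voting architectures that appear in the later design slides; these ignore common-cause failures and assume λDU × TI is small.

```python
# Added example, not from the slides: PFDavg, SIL band and risk reduction
# factor for a SIF. 1oo1 is the slide formula PFDavg = lambda_DU * TI / 2;
# the other architectures use the standard simplified approximations
# (no common-cause term, valid only while lambda_DU * TI << 1).

# x = lambda_DU * TI (dimensionless: failures per hour times hours)
_PFD_BY_VOTING = {
    "1oo1": lambda x: x / 2,       # single channel (slide formula)
    "1oo2": lambda x: x * x / 3,   # either channel trips: lower PFD
    "2oo2": lambda x: x,           # both must trip: fewer spurious trips, higher PFD
    "2oo3": lambda x: x * x,       # majority vote: low PFD and fewer spurious trips
}

# SIL bands from the slide table as (lower, upper) PFDavg bounds
_SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg(lambda_du_per_hour, test_interval_hours, voting="1oo1"):
    """Average probability of failure on demand for the given architecture."""
    x = lambda_du_per_hour * test_interval_hours
    return _PFD_BY_VOTING[voting](x)


def sil_from_pfd(pfd):
    """SIL band of the slide table; 0 means no SIL credit (PFDavg >= 10%)."""
    for sil, (low, high) in _SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    # Assumption: anything below the SIL 4 band is reported as SIL 4.
    return 4 if pfd < 1e-5 else 0


def rrf(pfd):
    """Risk reduction factor, the inverse of PFDavg (slide table)."""
    return 1.0 / pfd


def evaluate_sif(lambda_du_per_hour, test_interval_hours, voting="1oo1"):
    """Return (PFDavg, SIL, RRF) for one SIF element set."""
    p = pfd_avg(lambda_du_per_hour, test_interval_hours, voting)
    return p, sil_from_pfd(p), rrf(p)


if __name__ == "__main__":
    # Constructed sample: lambda_DU = 2e-6 per hour, proof test yearly (8760 h)
    for voting in _PFD_BY_VOTING:
        p, sil, r = evaluate_sif(2e-6, 8760, voting)
        print(f"{voting}: PFDavg={p:.2e}  SIL {sil}  RRF={r:,.0f}")
```

With the sample values, 2oo2 drops the loop from SIL 2 to SIL 1 (the price of fewer spurious trips), 1oo2 and 2oo3 lift it to SIL 3, and stretching the 1oo1 proof test interval to three years also drops it to SIL 1.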
What is Risk?
Risk: the likelihood of a specified undesired event occurring within a specified period or in specified circumstances.
RISK = Likelihood x Consequence
[Figure: risk matrix of Likelihood (low, moderate, high) against Consequence (minor, serious, extensive). Serious consequence x high likelihood = higher risk; minor consequence x low likelihood = low risk.]
Effects of taking too much risk
[Figure: the same Likelihood (low, moderate, high) vs Consequence (minor, serious, extensive) matrix, annotated with the effects listed below.]
Injury / death to personnel
Environment damage and consequential clean-up costs
Damage and loss of equipment / property
Business interruption and associated losses
Legal liability, litigation & duty of care defense
Company image, lost market share
Tolerable Risk
Moral, legal and financial responsibility to limit our risk
In some countries, the law mandates tolerable risk levels
Meeting OSHA requirements as a minimum
[Figure: three competing viewpoints on tolerable risk]
Moral: Make plant as safe as possible, disregard cost
Legal: Comply with regulation as written, regardless of cost or level of risk
Financial: Build the lowest cost plant and keep operating budget as small as possible
Reducing Risk
[Figure, built up over five slides: a Likelihood vs Consequence plot divided into an Unacceptable Risk Region and a Tolerable Risk Region. The Inherent Process Risk starts in the unacceptable region. Active Protection (e.g. PRV) and Passive Protection (e.g. Containment Dyke) each reduce the risk; applying a SIS moves it further, with SIL 1, SIL 2 and SIL 3 giving progressively more risk reduction, into the Tolerable Risk Region.]
Conceptual Design
Select Technology
Device Failure Rate
Certifications (TUV) for use in SIS applications
Read Safety Manual for Certified Equipment Restrictions
Conceptual Design
Select Architecture / Voting
Select degree of fault tolerance required for Safety
Select degree of fault tolerance for plant availability
Apply required redundancy to BOTH field devices and logic solver
Identify potential common-cause failures that could defeat a redundant architecture
Conceptual Design
Functional Proof Tests
Frequency
Online or during shutdown
Full functional test or partial test
Diagnostic Testing
Frequency
Response to detected fault
Typical SIL 1 Design
[Figure: P&ID of a typical SIL 1 design on Product Separator V-101. BPCS level control: LT-101, LIC 101, LV-101. SIS: LT-102 trips via SV / IAS to XV-101.]
Typical SIL 1 Design, Higher MTTF Spurious
Vote 2oo2
[Figure: P&ID on Product Separator V-101. BPCS level control: LT-101, LIC 101, LV-101. SIS: LT-102 and LT-103 voted 2oo2 (with LAL) trip via SV / IAS to XV-101.]
Typical SIL 2 Design
Vote 1oo2
[Figure: P&ID on Product Separator V-101 with overhead to vapor recovery. BPCS level control: LT-101, LIC 101, LV-101. SIS: LT-102 and LT-103 voted 1oo2 (with LAL) trip via two SV / IAS sets to XV-101 and XV-102.]
Typical SIL 2 Design Higher MTTF Spurious
Vote 2oo3
[Figure: P&ID on Product Separator V-101 with overhead to vapor recovery. BPCS level control: LT-101, LIC 101, LV-101. SIS: LT-102, LT-103 and LT-104 voted 2oo3 (with LAL) trip via two 2oo2 SOV / IAS sets to XV-101 and XV-102.]
Summary
ISA 84.01 / IEC 61511 are the applicable safety standards for the process industry
They are performance-based standards and address the entire safety lifecycle
They are considered best engineering practice by industry and OSHA
Compliance will help reduce risk and help meet obligations under OSHA
A SIS PLC is different from a normal PLC and must be certified by a 3rd party (TÜV) to IEC 61508 and 61511
A SIS is an independent layer of protection, separate from the BPCS
A SIS is made up of sensors, logic solver and final elements
BPCS and SIS should not normally share the same field devices
Summary
A SIF consists of detection, logic and automatic action to bring the plant to a safe state
SIL is a measure of the risk reduction provided by a specific SIF
Risk is a product of likelihood and consequence
Implementing a SIS can help you move from the inherent risk region to the tolerable risk region
Conceptual design of a SIS involves many elements, not just equipment
SIS device testing, voting and plant availability must all be considered in design
Thank You