Applying the Process Safety Standards
Steve Burke, CFSE
The Representative Office of exida Asia Pacific Pte. Ltd. in Ho Chi Minh City

exida Contacts:
Singapore +65 6222 5160 | Vietnam +84 854 042 580 | Hong Kong +852 2633 7727 | Australia / NZL +64 3 472 7707 | Germany +49 89 4900 0547 | USA +1 215 453 1720
Canada +1 403 475 1943 | United Kingdom +44 2476 456 195 | Netherlands +31 318 414 505 | Switzerland +41 22 364 14 34 | Mexico +52 55 5611 9858 | South Africa +27 31 267 1564
Copyright exida Asia Pacific © 2014
What is…?
Today’s Objective – Introduce Process Safety Concepts and Essential Principles
• Standards to help with the design of a Safety Instrumented System (SIS)
• Determine the level of safety performance: Safety Integrity Level (SIL)
• Safety Requirement Specification (SRS)
• Safety Instrumented Function (SIF) Design and Equipment Selection
• Verification and Validation of your SIF design
• Overview of Cyber Security
• Overview of Alarm Management
– Who are exida and what we do…
[email protected]
Why do we need a Process Safety Standard?
Because bad things do happen…
• Flixborough 1974 – 28 Dead, 36 Injured
• Seveso 1976 – Dioxin cloud over local town
• Bhopal 1984 – 2,500 Dead, >100,000 Injured
• Piper Alpha 1988 – 165 Dead, 61 Injured
Still happening…
Firefighters fight flames at the BP plant in Texas City after the July 28, 2005 explosion (15 dead and 170 injured).
Primary Cause of Failures?
Failures by safety lifecycle phase (source: Health, Safety & Environmental Agency):
• Installation and Commission
• Design and Implementation
• Specification
• Operation and Maintenance
• Changes after Commission
The majority of accidents are preventable if a systematic Risk-Based Approach is adopted.
Findings of the Lord Cullen Report
“The operator should be required ... submit a Safety Case … of each installation.”
“Regulations should be performance oriented (set goals), rather than prescriptive.”
Note: The Lord Cullen report was the detailed study of the Piper Alpha accident commissioned by the English government.
Which Standard?
Which Standard?
• ISA S84.01
• DIN V 19250
• DIN VDE 0801
• EWICS
• NAMUR
• HSE PES
• IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems
Which Standard?
IEC 61508 – Functional Safety for E/E/PES Safety Related Systems (the basic standard)
• Device Manufacturers – apply IEC 61508 where no sector-specific standard is available
• Sector-specific standards derived from IEC 61508:
  – IEC 61513 – Nuclear
  – IEC 62061 – Machinery
  – IEC 61511 – Process Industry
  – ISO 26262 – Road Vehicles
• End Users and Systems Integrators – apply the sector-specific standard
Relationship IEC 61508 – IEC 61511 (Process Sector Safety Instrumented System Standards)
• Manufacturers and Suppliers of Devices – IEC 61508
• Safety Instrumented System designers, Integrators and users – IEC 61511
Prescriptive/Functional Standards
• Prescriptive Standard – Tells you what to do
• Functional or Performance Standard – Tells you what performance level you need to meet

Example of a prescriptive standard:
MINERALS MANAGEMENT SERVICE, GULF OF MEXICO OCS REGION, NTL No. 2000-G13, Effective Date: May 25, 2000
NOTICE TO LESSEES AND OPERATORS OF FEDERAL OIL, GAS, AND SULPHUR LEASES IN THE OUTER CONTINENTAL SHELF, GULF OF MEXICO OCS REGION – Production Safety Systems Requirements
This Notice to Lessees and Operators (NTL) supersedes NTL No. 2000-G09, dated March 29, 2000, on this subject. It makes minor technical amendments and corrects some cited authorities.
1. 30 CFR 250.802(b). Exclusion of pressure safety high (PSH) and pressure safety low (PSL) sensors on downstream vessels in a production train. As specified in American Petroleum Institute (API) Recommended Practice (RP) 14C, Section A.4, you must install a PSH sensor to provide over-pressure protection for a vessel. If an entire production train operates in the same pressure range, the PSH sensor protecting the initial vessel will detect the highest pressure in the production train, thereby providing primary over-pressure protection to each subsequent vessel in the production train. The intent of API RP 14C is not compromised under this scenario. Therefore, you may use API RP 14C Safety Analysis Checklist (SAC) reference A.4.a.3 to exclude all subsequent PSH sensors other than the PSH sensor protecting the initial vessel in a production train.
Example of a functional (performance) standard – IEC 61511 Functional Safety: Safety Instrumented Systems for the Process Industry Sector (guidance to IEC 61511-1):
7.1.1 Requirements (guidance to IEC 61511-1 only)
7.1.1.1 IEC 61511-1 recognizes that organizations will have their own procedures for verification and does not require it always to be carried out in the same way. Instead, the intent of this clause is that all verification activities are planned in advance, along with any procedures, measures and techniques that are to be used.
7.1.1.2 No further guidance provided.
7.1.1.3 It is important that the results of verification are available so that it can be demonstrated that effective verification has taken place at all phases of the safety lifecycle.
8 Process Hazard and Risk Analysis
8.1 Objectives
The overall objective here is to establish the need for safety functions (e.g., protection layers) together with associated levels of performance (risk reduction) that are needed to ensure a safe process. It is normal in the process sector to have multiple safety layers so that failure of a single layer will not lead to or allow a harmful consequence. Typical safety layers are represented in Figure 9 of IEC 61511-1.
8.2 Requirements (guidance to IEC 61511-1 only)
8.2.1 The requirements for hazard and risk analysis are specified only in terms of the results of the task. This means that an organization may use any technique that it considers to be effective, provided it results in a clear description of safety functions and associated levels of performance.
Performance Targets (Demand mode of operation)
Safety Integrity Level | Probability of failure on demand (PFD) | Risk Reduction Factor
SIL 4 | >= 10^-5 to < 10^-4 | 100000 to 10000
SIL 3 | >= 10^-4 to < 10^-3 | 10000 to 1000
SIL 2 | >= 10^-3 to < 10^-2 | 1000 to 100
SIL 1 | >= 10^-2 to < 10^-1 | 100 to 10
The IEC 61511 Safety Lifecycle
• Management and Planning
• Analysis Phase
• Realization Phase
• Operate and Maintain
The IEC 61511 Safety Lifecycle – Management and Planning
FSM Key Issues – Functional Safety Management
• Safety Planning – create a FSM Plan
  – Specify management and technical activities during the Safety Lifecycle to achieve and maintain Functional Safety
  – Design Guidelines
• Roles and Responsibilities
  – Must be clearly delineated and communicated
  – Each phase of the SLC and its associated activities
  – The organizational complexity of Upstream operations puts added priority on defined roles and responsibility and on accountability
• Interface Management
  – Critical in large projects / disjointed supply chains
  – Defined in Roles and Responsibility
• Documented Processes, Documentation Control, Documentation
• Functional Safety Verification and Assessment
• Personnel Competency
• Operations and Maintenance
• Management of Change
Safety Assessment, Verification and Validation
• Verification – the activity of demonstrating for each phase of the safety lifecycle, by analysis and/or tests, that, for the specific inputs, the deliverables meet the objectives and requirements set for the specific phase.
• Validation – the activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration, after installation, meet in all respects the safety requirements specification.
[Figure: verification checks each task’s deliverables against that task’s objectives; validation checks the installed safety system against the safety requirements.]

Minimum independence for functional safety assessment (HR = highly recommended, NR = not recommended)
Minimum Level of Independence | SIL 1 | SIL 2 | SIL 3 | SIL 4
Independent Person | HR | HR1 | NR | NR
Independent Department | -- | -- | HR1 | NR
Independent Organization | -- | -- | HR2 | HR
NOTE Depending upon the company organization and expertise within the company, the requirement for independent persons and departments may have to be met by using an external organization. Conversely, companies that have internal organizations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (by ways of management and other resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organization.
Personnel Competency
“Persons, departments, or organizations involved in safety lifecycle activities shall be competent to carry out the activities for which they are accountable.” – IEC 61511, Part 1, Paragraph 5.2.2.2
Training, experience, and qualifications should all be addressed and documented:
– System engineering knowledge
– Safety engineering knowledge
– Legal and regulatory requirements knowledge
– More critical for novel systems or high SIL requirements
The IEC 61511 Safety Lifecycle – Analysis Phase
What is Risk?
Risk is a measure of the likelihood and consequence of an adverse effect.
1. How often can it happen?
2. What will be the effects if it does?
Risk Receptors: Personnel, Environment, Financial
Financial Risk: Equipment/Property Damage, Business Interruption, Business Liability, Company Image, Lost Market Share
Financial may overwhelm other Receptors, diluting focus on Personnel/Environmental.
Individual Risk and ALARP
UK HSE Tolerability of Risk framework. Individual risk: the frequency at which an individual may receive a given level of harm (usually death) from the outcome of specified hazards.
• Intolerable Region (high risk): above 10^-3/yr (workers) or 10^-4/yr (public) – “No way”
• ALARP or Tolerable Region: between those limits and 10^-6/yr – risk is reduced “if it’s worth it”
• Broadly Acceptable Region (negligible risk): below 10^-6/yr – “We accept it”
Tolerable Risk Level
Matrix form with guiding statement: All extreme risk will be reduced and all moderate risks will be reduced where practical. (Example Only)
Frequency | Recordable Injury | Lost Time Injury | Permanent Injury/Death | Many Deaths
1 per 100 years | Acceptable | Moderate | Extreme | Extreme
1 per 1,000 years | Acceptable | Acceptable | Moderate | Extreme
1 per 10,000 years | Acceptable | Acceptable | Moderate | Moderate
1 per 100,000 years | Acceptable | Acceptable | Acceptable | Moderate
Process Hazard Analysis (PHA)
Identifying hazards:
– HAZOP (Hazards and Operability Study)
– Checklist / What If Analysis
– FMEA (Failure Modes and Effects Analysis)
– Fault Tree Analysis
– Etc.

Causes | Consequences | Safeguards | Recommendations
Column Steam Reboiler pressure control fails, causing excessive heat input | Column overpressure and potential mechanical failure of the vessel and release of its contents | 1) Pressure relief valve 2) Operator intervention on high pressure alarm 3) Mechanical Design | Install SIS to stop reboiler steam flow upon high column pressure
Low flow through pump causes pump failure and subsequent seal failure | Pump seal fails and releases flammable materials | 1) Low output flow pump 2) Shutdown SIS | Existing safeguards are adequate
Reviewing The Process
HAZOP ANALYSIS
GW | Deviation | Causes | Consequences | Safeguards | Ref# | Recommendations | By
No | No Agitation | Agitator motor drive fails | Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure. | High Temperature and High Pressure Alarm in DCS. Shortstop system. | | Add SIF to chemically control runaway reaction. Add a pressure safety relief valve. If necessary, add a de-pressurization SIF. Use LOPA to determine required SIL. |
More | Higher Temperature | Temperature control failure causes overheating during steam heating | High temperature could damage reactor seals causing leak. Indicated by high temperature. | High Temperature Alarm in DCS. | | Add high-temperature SIF. Use LOPA to determine required SIL. |
More | Higher Level | Flow control failure allows the reactor to overfill | Reactor becomes full, possible reactor damage and release. Indicated by high level or high pressure. | High Level Alarm in DCS. | | Add high-level SIF. Use LOPA to determine required SIL. |
HAZOP ANALYSIS 1 (pressure)
Guide Word: No
Deviation: No Agitation
Causes: Agitator motor drive fails
Consequences: Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure.
Safeguards: High Temperature and High Pressure Alarm in DCS. Shortstop system.
Ref #: P&ID #’s
Recommended Actions: Add a pressure safety relief valve. If necessary, add a depressurization SIF. Use LOPA to determine required SIL.
By: CMF
Pressure SIF
[Figure: the pressure SIF shown against the SIL 1, SIL 2 and SIL 3 bands.]
DETOUR – Safety Standards for Process Industry: Safety Lifecycle, SIL Selection
Safety Integrity Level – Used THREE ways:
1. To establish risk reduction requirements
2. To set probabilistic limits for hardware random failure
3. To establish engineering procedures to prevent systematic design errors
Safety Integrity Level – 1st Usage
Safety Integrity Level | Risk Reduction Factor
SIL 4 | 100000 to 10000
SIL 3 | 10000 to 1000
SIL 2 | 1000 to 100
SIL 1 | 100 to 10
1. Each safety instrumented function has a requirement to reduce risk. The order of magnitude of risk reduction required is called a SIL level.
Safety Integrity Levels – 2nd Usage (Random Failure Probability)
Safety Integrity Level | Probability of failure on demand (demand mode of operation)
SIL 4 | >= 10^-5 to < 10^-4
SIL 3 | >= 10^-4 to < 10^-3
SIL 2 | >= 10^-3 to < 10^-2
SIL 1 | >= 10^-2 to < 10^-1
2. A Safety Function meets a SIL level if a calculated probability falls within the associated band on one of two different charts. This view looks at RANDOM FAILURES.
Safety Integrity Level – 3rd Usage
3. To establish engineering procedures to prevent systematic design errors. The equipment used to implement any safety instrumented function must be designed using procedures intended to prevent systematic design errors. The rigor of the required procedure is a function of SIL level.
Multiple layers of protection (innermost to outermost):
• Process
• Basic Process Control
• Alarms, Operator Intervention
• Safety Instrumented System
• Physical Protection (Relief Devices)
• Physical Protection (Dikes)
• Plant Emergency Response
• Community Emergency Response
Outcome considerations
1. The only outcome of interest is “accident occurs”
2. All branches where protection layers are successful end in termination of the analysis
[Figure: the risk inherent in the process is reduced step by step by the Process, BPCS, Alarms, SIS, Mechanical and Other layers down to the Tolerable Risk Level.]
LOPA – Event tree modified for layer of protection analysis
Initiating Event → Protection Layer 1 → Protection Layer 2 → Protection Layer 3 → Final Outcome
• PL1 success → No Impact, Stop
• PL1 fails, PL2 success → No Impact, Stop
• PL1 fails, PL2 fails, PL3 success → No Impact, Stop
• PL1 fails, PL2 fails, PL3 fails → Accident Occurs
1. Proceed with the event tree, but only calculate the probability of accident
2. The accident frequency is the initiating event frequency multiplied by the PFD of all protection layers
Example 1 – Reactor Explosion LOPA
Draw the Layer of Protection Analysis Diagram for the following situation:
– An accident whose consequence is an explosion due to runaway reactor caused by the agitator motor failure.
– The following layers of protection exist:
  • Batch process only runs 5 times per year
  • The operator responds to alarms and stops the process
  • Runaway reaction cancelled by addition of Shortstop
  • The reactor has a pressure relief valve
Example 1 – Reactor Explosion LOPA
Initiating event: Agitator Motor Fails
PL #1: Batch not running | PL #2: Operator Response | PL #3: Adding Shortstop | PL #4: Pressure relief valve
Outcome: Explosion if all four layers fail; otherwise No Event
Example – Column Rupture LOPA
Quantify the accident frequency of the prior example:
– Agitator Motor fails once every 2 years: Failure Frequency is 0.5 /yr
– Protection Layer PFDs are:
  • Batch Process not running, PFD = 0.29 (5 batches/yr × 3 weeks/batch × 7 days/week × 24 hours/day = 2520 operational hours = 29% of the year)
  • Operator response failure, PFD = 0.1
  • Shortstop failure, PFD = 0.1
  • Relief valve failure, PFD = 0.07
Example 1 – Reactor Explosion LOPA Solution
Initiating event: Agitator Motor Fails, 0.5 /yr
PL #1 Batch in Operation, 0.29 | PL #2 Operator Response, 0.1 | PL #3 Shortstop Fails, 0.1 | PL #4 Pressure Relief Valve, 0.07
Outcome: Explosion at 1.02E-04 /yr if all four layers fail; otherwise No Event
F = 0.5 /yr × 0.29 × 0.1 × 0.1 × 0.07 = 1.02 × 10^-4 /yr
Is that any good? That results in 1 explosion in every 9,804 years.
Know your tolerable Risk
This is Company specific. For our example, see the table below:
Severity | Definition | Tolerable Frequency (events/year)
Extensive | One or more fatalities | 10^-5
Severe | Multiple medical treatment case injuries | 10^-4
Minor | Minor injury or reversible health effects | 10^-3
Calculate your SIL required
Tolerable Risk Level: 1.0 × 10^-5
Risk of Explosion in Reactor due to Agitator Motor failing: expected event frequency 1.02 × 10^-4
[Figure: the process risk is reduced by the Batch Not in Operation, Alarms, Shortstop and Relief Valve layers, with the SIF supplying the remaining reduction down to the tolerable level.]
Calculate your SIL required
We know the event frequency = 1.02 × 10^-4
We know the Corporate tolerable risk level = 1 × 10^-5
To achieve our target SIL:
PFD = Tolerable Risk / Expected Risk
PFD = 1 × 10^-5 / 1.02 × 10^-4 = 0.098
RRF = 1/PFD = 1/0.098 = 10.2
This means the SIF should be SIL 1
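The LOPA chain above (event tree, accident frequency, required PFD/RRF and SIL band), as an added worked example that is not exida's code; it uses the slide values (0.5 /yr, layer PFDs 0.29, 0.1, 0.1, 0.07, tolerable 1e-5 /yr) and the SIL bands from the performance-target table, and the function names are the example's own. The unrounded product is 1.015e-4 /yr, which the slides round to 1.02e-4.

```python
"""Layer of Protection Analysis (LOPA) for the reactor-explosion example.

Added worked example (not exida's code). Inputs are the slide values:
initiating event 0.5 /yr, layer PFDs 0.29, 0.1, 0.1, 0.07, and a corporate
tolerable frequency of 1e-5 /yr for an "Extensive" (fatality) consequence.
"""
from math import prod

# IEC 61511 demand-mode bands: (SIL, PFDavg lower bound, PFDavg upper bound).
# Lower bound inclusive, upper bound exclusive, as in the performance-target table.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))

HOURS_PER_YEAR = 365 * 24


def operating_fraction(batches_per_year, weeks_per_batch):
    """Fraction of the year the batch process is running, i.e. the PFD of the
    'batch not in operation' layer (the slide rounds 2520/8760 to 0.29)."""
    hours = batches_per_year * weeks_per_batch * 7 * 24
    return hours / HOURS_PER_YEAR


def event_tree(initiating_frequency, layer_pfds):
    """Enumerate the LOPA event tree. Returns a list of (branch, frequency):
    one 'no impact' branch per layer that succeeds, plus the accident branch
    where every layer fails. The branch frequencies sum to the initiating
    frequency, which is a useful sanity check on the inputs."""
    branches = []
    reaching = initiating_frequency        # frequency that reaches this layer
    for i, pfd in enumerate(layer_pfds, start=1):
        branches.append((f"PL{i} success -> no impact", reaching * (1 - pfd)))
        reaching *= pfd                    # only the failed-layer branch continues
    branches.append(("all layers fail -> accident", reaching))
    return branches


def accident_frequency(initiating_frequency, layer_pfds):
    """Initiating event frequency times the PFD of every protection layer."""
    return initiating_frequency * prod(layer_pfds)


def sil_for_pfd(pfd):
    """SIL whose PFDavg band contains pfd; None if below SIL 1 or above SIL 4."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def required_sif(tolerable_frequency, mitigated_frequency):
    """Size the additional SIF: (required PFD, RRF, SIL).
    Returns None when the existing layers already meet the tolerable frequency."""
    if mitigated_frequency <= tolerable_frequency:
        return None
    pfd = tolerable_frequency / mitigated_frequency
    return pfd, 1.0 / pfd, sil_for_pfd(pfd)


if __name__ == "__main__":
    pfds = [0.29, 0.1, 0.1, 0.07]   # batch not running, operator, shortstop, relief valve
    f_accident = accident_frequency(0.5, pfds)
    print(f"explosion frequency {f_accident:.2e} /yr, once per {1 / f_accident:,.0f} years")
    for branch, freq in event_tree(0.5, pfds):
        print(f"  {branch:32s} {freq:.3e} /yr")
    pfd, rrf, sil = required_sif(1e-5, f_accident)
    print(f"SIF needs PFD {pfd:.3f}, RRF {rrf:.1f}: SIL {sil}")
```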
Safety Requirements Specification
Definition
• IEC 61511: “specification that contains all the requirements of the safety instrumented functions in a safety instrumented system”
Tasks
• Identify and describe safety instrumented functions
• Document Safety Integrity Level
• Document SIF action – Logic, Cause and Effect Diagram, etc.
• Document SIF parameters – timing, maintenance/bypass requirements, etc.
The SRS is the critical documentation for System Implementation & Testing.
The SRS is the point of reference during the Operations phase.
The better the SRS:
• The better the communication during the project
• The more informed the change impact assessment for modifications.
SRS Elements
SIS General
• Non-Functional
• Regulations & Standards
• Failure, Start & Restart
• Interfaces
• Environmental conditions
SIF General
• Maintenance Overrides
• Manual Shutdown
• Operating Modes
• Failure Modes
• Reset
• Diagnostics
SIF Specific
• Identification
• Description/Duty/P&ID
• Safe State
• Required SIL
• Proof Test Interval
• Response Time
• Architecture Summary
  – Sensor(s)
  – Logic Solver
  – Final Element(s)
• Mode of Operation
  – Energize or De-energize
  – Demand or Continuous
• Trip Setting & Logic
• Spurious Trip Requirements
• Start-up Overrides
• Special Requirements
Logic Description Methods
• Plain Text
  – Strengths – Extremely flexible, no special knowledge required
  – Weaknesses – Time-consuming; developing program code is difficult and error prone
Example Only:
If one of the following conditions occurs:
1. Switch BS-01 is de-energized, indicating loss of flame
2. Switch PSL-02 is de-energized, indicating low fuel gas pressure
then the main fuel gas flow to the heater is stopped by performing all of the following:
1. Closing valves XV-03A and XV-03B
2. Opening valve XV-03C.
The respective valves will be opened and closed by de-energizing the solenoid valve XY-03.
• Cause-and-Effect Diagrams
  – Strengths – Low level of effort, clear visual representation
  – Weaknesses – Rigid format (some functions cannot be represented with C-E diagrams), can oversimplify
• Binary Logic Diagrams (ISA 5.2)
  – Strengths – More flexible than C-E diagrams, direct transposition to a function block diagram program
  – Weaknesses – Time consuming, knowledge of standard logic representation required
The IEC 61511 Safety Lifecycle – Realization Phase
Safety Instrumented System
An SIS is defined as a system composed of sensors, logic solvers and final elements designed for the purpose of:
1. Automatically taking an industrial process to a safe state when specified conditions are violated;
2. Permitting the process to move forward in a safe manner when specified conditions allow (permissive functions);
3. Taking action to mitigate the consequences of an industrial hazard.
[Figure: the SIS (power supply, CPU, input and output modules) and the Basic Process Control System (BPCS) both connected to the Equipment Under Control (EUC).]
Safety Instrumented Function
A SIF is a specific, single set of actions and the corresponding equipment needed to identify a single hazard and act to bring the system to a safe state.
Different from a SIS, which can encompass multiple functions and act in multiple ways to prevent multiple harmful outcomes.
[Figure: one SIF – its sensors, the logic solver and its final elements.]
Safety Instrumented System
An SIS includes several Safety Instrumented Functions (SIF).
[Figure: SIF 1 to SIF 5 sharing one logic solver, each with its own sensors and final elements.]
SIS, SIF and SIL
Safety Instrumented System
• Safety Instrumented Function – Safety Integrity Level
• Safety Instrumented Function – Safety Integrity Level
• Safety Instrumented Function – Safety Integrity Level
One SIS may have multiple SIFs, each with a different SIL. Therefore it is incorrect and ambiguous to define a SIL for an entire safety instrumented system.
Safety Instrumented Function (SIF) Implementation
[Figure: sensors (sensing element plus signal conditioning) → logic solver → final elements (signal conditioning plus final control element), with their interconnections and circuit utilities, i.e. electrical power, instrument air etc.]
The actual implementation of any single safety instrumented function may include multiple sensors, signal conditioning modules, multiple final elements and dedicated circuit utilities like electrical power or instrument air.
IEC 61511 – Protection Against:
• RANDOM Failures – Random Failures?
• SYSTEMATIC Failures – Systematic Failures?
Random and Systematic Failures
Random Failures: A failure occurring at a random time, which results from one or more degradation mechanisms. Usually a permanent failure due to a system component loss of functionality – typically hardware related.
Systematic Failures: A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors. Usually due to a design fault – wrong component, error in software program, etc.
IEC 61511 – Protect Against:
• RANDOM Failures – HOW? Probabilistic Performance Based Design
• SYSTEMATIC Failures – HOW?
SIF Design
The SIL achieved is the minimum of:
1. SIL_PFD: Probability of Failure on Demand Average / per hour (PFDavg / PFH)
2. SIL_AC: Architectural Constraints – Hardware Fault Tolerance
3. SIL_CAP: Capability to prevent Systematic Failures
Failure Modes
With a safety system, the concern shouldn’t so much be with how the system operates, but rather how the system fails. Safety systems can fail in two ways:
• Safe failures – initiating, overt, spurious, costly downtime
• Dangerous failures – inhibiting, covert, potentially dangerous, must be found by testing
Probability of Failure on Demand (SIL_PFD, the first of the three SIF design criteria)
The PFD of the whole safety instrumented function is the sum of the PFDs of its parts:
PFD = PFDsensor + PFDmux + PFDinput + PFDmp + PFDoutput + PFDrelay + PFDfe + PFDprocess-connection
IEC 61508-6 Method
Divide each failure rate into specific failure modes:
• Safe Detected (λSD)
• Safe Undetected (λSU)
• Dangerous Detected (λDD) – 40% of the dangerous failures in the example chart
• Dangerous Undetected (λDU) – 60% of the dangerous failures in the example chart
λS = λSD + λSU; λD = λDD + λDU
Conventional PLC Input Circuit
[Schematic: 5 V isolated ac input circuit – Vin, R1 1K, R2 200K, R3 10K, R4 10K, filter capacitor C1, diodes D1 and D2, opto-coupler OC1, +5 V supply.]
FMEDA for Conventional PLC Input Circuit – Failure Modes and Effects Analysis (failure rates in FIT = failures per billion hours)
Component | Mode | Effect | Criticality | FIT | Safe FIT | Dang. FIT | Diagnostic (safe detected FIT / dang. detected FIT)
R1 - 1K | short | loose filter | 1 Safe | 0.13 | 0.125 | 0 | not covered
R1 - 1K | open | read logic 0 | 1 Safe | 0.5 | 0.5 | 0 | read input open (0.5 / 0)
C1 - 0.18 | short | read logic 0 | 1 Safe | 2 | 2 | 0 | not covered
C1 - 0.18 | open | loose filter | 1 Safe | 0.5 | 0.5 | 0 | not covered
R2 - 200K | short | overvoltage | 0 Dang. | 0.13 | 0 | 0.13 | not covered
R2 - 200K | open | read logic 0 | 1 Safe | 0.5 | 0.5 | 0 | read input open (0.5 / 0)
R3 - 10K | short | read logic 0 | 1 Safe | 0.13 | 0.125 | 0 | not covered
R3 - 10K | open | overvoltage | 0 Dang. | 0.5 | 0 | 0.5 | not covered
D1 | short | read logic 0 | 1 Safe | 2 | 2 | 0 | not covered
D1 | open | blow out circuit | 0 Dang. | 5 | 0 | 5 | not covered
D2 | short | read logic 1 | 0 Dang. | 2 | 0 | 2 | not covered
D2 | open | blow out circuit | 0 Dang. | 5 | 0 | 5 | not covered
OC1 | led dim | no light | 1 Safe | 28 | 28 | 0 | not covered
OC1 | tran. short | read logic 1 | 0 Dang. | 19 | 0 | 19 | not covered
OC1 | tran. open | read logic 0 | 1 Safe | 5 | 5 | 0 | not covered
R4 - 10k | short | read logic 0 | 1 Safe | 0.13 | 0.125 | 0 | not covered
R4 - 10k | open | read logic 1 | 0 Dang. | 0.5 | 0 | 0.5 | not covered
Total | | | | 71 | 38.88 | 32.1 | safe detected 1, dang. detected 0
Failure Rates: Safe Coverage 0.0257; Dangerous Coverage 0
Safety Rated PLC Input Circuit
FMEDA for Safety Rated Input Circuit – Failure Modes and Effects Analysis (failure rates in FIT = failures per billion hours)
Component | Mode | Effect | Criticality | FIT | Safe FIT | Dang. FIT | Diagnostic (safe detected FIT / dang. detected FIT)
R1 - 10K | short | Threshold shift | 1 Safe | 0.13 | 0.125 | 0 | not covered
R1 - 10K | open | open circuit | 1 Safe | 0.5 | 0.5 | 0 | loose input pulse (0.5 / 0)
R2 - 100K | short | short input | 1 Safe | 0.13 | 0.125 | 0 | loose input pulse (0.125 / 0)
R2 - 100K | open | Threshold shift | 1 Safe | 0.5 | 0.5 | 0 | not covered
D1 | short | overvoltage | 1 Safe | 2 | 2 | 0 | loose input pulse (2 / 0)
D1 | open | open circuit | 1 Safe | 5 | 5 | 0 | loose input pulse (5 / 0)
D2 | short | overvoltage | 1 Safe | 2 | 2 | 0 | loose input pulse (2 / 0)
D2 | open | open circuit | 1 Safe | 5 | 5 | 0 | loose input pulse (5 / 0)
OC1 | led dim | no light | 1 Safe | 28 | 28 | 0 | Comp. mismatch (28 / 0)
OC1 | tran. short | read logic 1 | 0 Dang. | 10 | 0 | 10 | Comp. mismatch (0 / 10)
OC1 | tran. open | read logic 0 | 1 Safe | 6 | 6 | 0 | Comp. mismatch (6 / 0)
OC2 | led dim | no light | 1 Safe | 28 | 28 | 0 | Comp. mismatch (28 / 0)
OC2 | tran. short | read logic 1 | 0 Dang. | 10 | 0 | 10 | Comp. mismatch (0 / 10)
OC2 | tran. open | read logic 0 | 1 Safe | 6 | 6 | 0 | Comp. mismatch (6 / 0)
R3 - 100K | short | loose filter | 1 Safe | 0.13 | 0.125 | 0 | not covered
R3 - 100K | open | input float high | 0 Dang. | 0.5 | 0 | 0.5 | Comp. mismatch (0 / 0.5)
R4 - 10K | short | read logic 0 | 1 Safe | 0.13 | 0.125 | 0 | Comp. mismatch (0.125 / 0)
R4 - 10K | open | read logic 1 | 0 Dang. | 0.5 | 0 | 0.5 | Comp. mismatch (0 / 0.5)
R5 - 100K | short | loose filter | 1 Safe | 0.13 | 0.125 | 0 | not covered
R5 - 100K | open | input float high | 0 Dang. | 0.5 | 0 | 0.5 | Comp. mismatch (0 / 0.5)
R6 - 10K | short | read logic 0 | 1 Safe | 0.13 | 0.125 | 0 | Comp. mismatch (0.125 / 0)
R6 - 10K | open | read logic 1 | 0 Dang. | 0.5 | 0 | 0.5 | Comp. mismatch (0 / 0.5)
C1 | short | read logic 0 | 1 Safe | 2 | 2 | 0 | Comp. mismatch (2 / 0)
C1 | open | loose filter | 1 Safe | 0.5 | 0.5 | 0 | not covered
C2 | short | read logic 0 | 1 Safe | 2 | 2 | 0 | Comp. mismatch (2 / 0)
C2 | open | loose filter | 1 Safe | 0.5 | 0.5 | 0 | not covered
Total | | | | 111 | 88.75 | 22 | safe detected 86.875, dang. detected 22
Failure Rates: Safe Coverage 0.9789; Dangerous Coverage 1
What is…?
Safe Failure Fraction: the fraction of all failures that are not dangerous undetected failures, i.e. one minus the likelihood that a failure is dangerous and NOT detected by automatic self-diagnostics.
NOTE: Definitions refer to single channel architectures.
IEC 61508 Safe Failure Fraction (SFF)

$$\mathrm{SFF} = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}} = 1 - \frac{\lambda_{DU}}{\lambda_{Total}}$$
SIF Design
The SIL achieved is the minimum of:
1. SILPFD: Probability of Failure on Demand Average / per hour (PFDavg / PFH)
2. SILAC: Hardware Fault Tolerance
3. SILCAP: Capability to prevent Systematic Failures
Architectural Constraints
– As technology advances it is becoming easier to achieve the required PFDavg.
– However, PFDavg is not the only safety metric that needs to be satisfied.
– Architectural constraints also need to be satisfied.
– Architectural constraints look at the Hardware Fault Tolerance (HFT) and the Safe Failure Fraction (SFF) of each subsystem to determine if the SIL has been met.

$$\mathrm{SFF} = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$$

IEC 61508 Table 2, Type A

| Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2 |
|---|---|---|---|
| < 60% | SIL 1 | SIL 2 | SIL 3 |
| 60% – < 90% | SIL 2 | SIL 3 | SIL 4 |
| 90% – < 99% | SIL 3 | SIL 4 | SIL 4 |
| > 99% | SIL 3 | SIL 4 | SIL 4 |

IEC 61508 Table 3, Type B

| Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2 |
|---|---|---|---|
| < 60% | NA | SIL 1 | SIL 2 |
| 60% – < 90% | SIL 1 | SIL 2 | SIL 3 |
| 90% – < 99% | SIL 2 | SIL 3 | SIL 4 |
| > 99% | SIL 3 | SIL 4 | SIL 4 |
Example FMEDA 3051S
Example 3051S
Hardware Fault Tolerance: The quantity of failures that can be tolerated while maintaining the safety function.

| Architecture | 1oo1 | 1oo1D | 1oo2 | 2oo2 | 2oo3 | 2oo2D | 1oo2D | 1oo3 |
|---|---|---|---|---|---|---|---|---|
| Hardware Fault Tolerance | 0 | 0 | 1 | 0 | 1 | 0 | 1 | 2 |
IEC 61511 – Protect Against:
– RANDOM Failures: Probabilistic Performance Based Design
– SYSTEMATIC Failures: HOW? Detailed Engineering Process
Question? Is Redundancy sufficient protection against SYSTEMATIC FAILURES?
REDUNDANCY IS NOT A PROTECTION AGAINST SYSTEMATIC FAILURES!
A single systematic fault can cause failure in multiple channels of an identical redundant system.
– example: A command was sent into a redundant DCS. The command caused a controller to lock up trying to interpret the command. The diagnostics detected the failure and forced switchover to a redundant unit. The command was sent to the redundant unit, which promptly locked up as well.
Equipment Capability
(• PFD: Probability of Failure on Demand • Architectural Constraints • Equipment Capability)
In order to combat Systematic Failures, IEC 61511 requires equipment used in safety systems to meet one of two requirements:
• IEC 61508 certification – Certified under IEC 61508 to the appropriate SIL level
• Prior Use – justification based on “Proven in Use” criteria
Prior Use
“Prior use” generally means:
• Documented, successful experience (no dangerous failures)
• A particular version of a particular instrument
• Similar conditions of use: Functionality / Application / Environment

Typical objections:
• We do not have the failure data!
• I do not want to take responsibility for equipment justification!
• We do not take the time to record all instrument failures!
• This is a new instrument!
• I cannot justify PRIOR USE!
Product Certification
Functional safety certification for devices is accomplished per IEC 61508.
Products are certified to a Safety Integrity Level (SIL).
The result is typically a certificate and a certification report.
SIL Certification: the vendor showed sufficient protection against Random and Systematic Failures.
Pressure for Certification
End User Demand
• Offers easier specification
• More consistency through project teams
• Allows use of new technology
• Quickly becomes “Best Practice”
Process Industry
• Mature market in Logic Solvers and Traditional Sensors
• New Market in New Technologies, Sensors and Final Elements
Vendor Demand
• In mature markets, may be cost of entry (i.e. Logic Solvers)
• Establishes credibility in Safety Market
• Allows introduction of Technology with Credibility
• In new markets, may provide significant differentiation, limit competition and create higher margins
Market Support
The exida web site also has a list of process industry instrumentation equipment with IEC 61508 certification. With several thousand unique visitors per month, this list has become the most popular global “purchase qualification list” for many buyers.
IEC 61508 PLC Certification
IEC 61508 Level Transmitter Certification
IEC 61508 Solenoid Valve Certification
Market Support / Data
For every equipment type, exSILentia has a list of equipment showing certification status and all relevant data. Equipment on this list enjoys strong market exposure. exida customers are included in the list.
Example
The SIL achieved is the minimum of:
1. SILPFD: SIL2
2. SILAC: SIL1
3. SILCAP: SIL3
The SIL level for this Safety Instrumented Function (SIF) is: SIL1
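A worked implementation of the three rules used above: the SFF formula, the IEC 61508-2 Table 2 / Table 3 lookup for the architectural-constraint SIL (SILAC), and the minimum-of-three rule from the example. It is an added illustration, not exida or SILver code; the failure-rate values are constructed, and the PFDavg bands are the IEC 61508 low-demand bands (SIL n when 10^-(n+1) <= PFDavg < 10^-n).

```python
from dataclasses import dataclass

# IEC 61508-2 Tables 2 (Type A) and 3 (Type B) as reproduced in the deck.
# Rows: SFF bands <60%, 60-<90%, 90-<99%, >=99%.  Columns: HFT 0, 1, 2.
# 0 stands for "NA": no SIL may be claimed for that combination.
SFF_BAND_LIMITS = (0.60, 0.90, 0.99)
SIL_AC_TABLE = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}
# IEC 61508-1 low-demand PFDavg bands, lower limit of SIL 1..4.
PFD_BAND_LOWER = (1e-2, 1e-3, 1e-4, 1e-5)


@dataclass(frozen=True)
class FailureRates:
    """Single-channel failure rates (per hour), FMEDA style (constructed)."""
    sd: float   # safe detected
    su: float   # safe undetected
    dd: float   # dangerous detected
    du: float   # dangerous undetected

    def sff(self) -> float:
        """SFF = (SD + SU + DD) / (SD + SU + DD + DU) = 1 - DU / Total."""
        total = self.sd + self.su + self.dd + self.du
        return 1.0 - self.du / total


def sil_ac(device_type: str, hft: int, sff: float) -> int:
    """Architectural-constraint SIL from Table 2 / Table 3; 0 means NA."""
    if hft not in (0, 1, 2) or not 0.0 <= sff <= 1.0:
        raise ValueError("HFT must be 0..2 and SFF in [0, 1]")
    band = sum(1 for limit in SFF_BAND_LIMITS if sff >= limit)
    return SIL_AC_TABLE[device_type][band][hft]


def sil_pfd(pfd_avg: float) -> int:
    """SIL supported by PFDavg alone; 0 when PFDavg >= 1e-1 (no SIL)."""
    if not 0.0 < pfd_avg < 1e-1:
        return 0
    for sil, lower in enumerate(PFD_BAND_LOWER, start=1):
        if pfd_avg >= lower:
            return sil
    return 4   # below 1e-5: outside the defined bands, treated as SIL 4


def achieved_sil(sil_pfd_v: int, sil_ac_v: int, sil_cap: int) -> int:
    """The SIL achieved is the minimum of the three; 0 means no claim."""
    return min(sil_pfd_v, sil_ac_v, sil_cap)
```

A subsystem whose SILAC comes out as 0 (NA) limits the whole SIF to no SIL claim, regardless of how good its PFDavg is.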
Select Technology
Sensor Sub-System / Logic Solver Sub-System / Final Element Sub-System
Objective: Choose the right equipment for the purpose. All criteria used for process control still apply.
Tasks:
– Choose equipment – IEC 61508 certification or Prior Use Justification (IEC 61511)
– Obtain reliability and safety data for the equipment
– Obtain Safety Manual for any safety certified equipment
Fault Propagation Models
– Fault Tree Analysis
– Markov Analysis
– Event Tree Analysis
– Block Diagram
Simplified Equations

| Voting | PFDavg | STR |
|---|---|---|
| 1oo1 | λDU × TI / 2 | λS |
| 1oo2 | (λDU)² × TI² / 3 | 2λS |
| 1oo2D | (λDU)² × TI² / 3 | (λS)² × MTTR |
| 2oo2 | λDU × TI | (λS)² × MTTR |
| 2oo3 | (λDU)² × TI² | 6(λS)² × MTTR |

Where: PFDavg = Probability of Failure on Demand (average); SFR = Spurious Failure Rate; MTTR = Mean Time To Repair; TI = Test Interval; λS = Safe Detected Failures; λDU = Dangerous Undetected Failures.
Conceptual Design / SIL Verification using SILver™
SILver is Safety Integrity Level verification according to IEC 61508 / IEC 61511. SILver calculates SIF performance parameters:
– PFDavg (Average Probability of Failure on Demand)
– MTTFS (Mean Time To Fail Spurious)
– SIL (Safety Integrity Level based on PFDavg)
– SIL (Safety Integrity Level based on Architectural Constraints, IEC 61508-2 tables 2 & 3)
– RRF (Risk Reduction Factor)
SIL Verification using SILver™
Third Party assessment of development process, IEC 61508 compliant – No user justification required for SIL verification up to SIL 3.
SIL Verification Demo…
The IEC 61511 Safety Lifecycle
– Management and Planning
– Analysis Phase
– Realization Phase
– Operate and Maintain
What is…? Proof Testing: A manually initiated test designed to detect failure of any part of a SIF. Different proof test procedures can have different levels of effectiveness.
No practical proof test will detect all failures.
Mission Time
Typical simplified equations assume perfect repair:

$$\mathrm{PFD_{avg}} \approx \frac{\lambda_{DU} \cdot TI}{2}$$

However repair is typically not perfect. Lifetime / mission time needs to be considered:

$$\mathrm{PFD_{avg}} \approx \frac{\lambda_{DU} \cdot C_{PT} \cdot TI}{2} + \frac{\lambda_{DU} \cdot (1 - C_{PT}) \cdot MT}{2}$$

where C_PT is the proof test coverage (PTC) and MT the mission time.
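The simplified voting equations and the mission-time form of PFDavg, carried through in code so the effect of imperfect proof testing can be compared across coverages. This is an added example, not exida or SILver code; the rates, test interval and mission time are constructed, and `hours()` is a helper assumed for unit conversion.

```python
import math

# Rates are per hour; TI, MTTR and MT are in hours (constructed values).
PFD_FORMULAS = {            # simplified PFDavg, perfect proof test every TI
    "1oo1": lambda x: x / 2,
    "1oo2": lambda x: x * x / 3,
    "1oo2D": lambda x: x * x / 3,
    "2oo2": lambda x: x,
    "2oo3": lambda x: x * x,
}
STR_FORMULAS = {            # spurious trip rate per hour
    "1oo1": lambda s, y: s,
    "1oo2": lambda s, y: 2 * s,
    "1oo2D": lambda s, y: y,
    "2oo2": lambda s, y: y,
    "2oo3": lambda s, y: 6 * y,
}


def hours(years: float) -> float:
    """Helper (assumed): convert years to hours at 8760 h/year."""
    return years * 8760.0


def pfd_avg(voting: str, lam_du: float, ti: float) -> float:
    """PFDavg for the voting arrangement with x = lambda_DU * TI."""
    return PFD_FORMULAS[voting](lam_du * ti)


def spurious_trip_rate(voting: str, lam_s: float, mttr: float) -> float:
    """STR for the voting arrangement; y = (lambda_S)^2 * MTTR."""
    return STR_FORMULAS[voting](lam_s, lam_s * lam_s * mttr)


def pfd_avg_mission(lam_du: float, c_pt: float, ti: float, mt: float) -> float:
    """1oo1 PFDavg with proof test coverage C_PT: the covered share of
    lambda_DU is renewed every TI, the uncovered share only at mission end."""
    if not 0.0 <= c_pt <= 1.0:
        raise ValueError("proof test coverage must be in [0, 1]")
    return lam_du * c_pt * ti / 2 + lam_du * (1 - c_pt) * mt / 2


def coverage_sweep(lam_du: float, ti: float, mt: float, coverages):
    """Map each proof test coverage to its mission-time PFDavg."""
    return {c: pfd_avg_mission(lam_du, c, ti, mt) for c in coverages}
```

With a 15-year mission time the uncovered term dominates: at 65% coverage the result is several times the perfect-test value, which is the point the proof-test comparison makes.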
PFD / PFDavg for Two Pressure Transmitter Proof Tests
[Plot of PFD over time, 1 to 15 years, for two proof test coverages.]
PFDavg “PTC = 65%” = 1.53E-02
PFDavg “PTC = 98%” = 3.37E-03
Spurious Trip
A spurious trip is a shutdown (taking the process to a safe state) that occurs when it is not needed (no demand).
Two areas of Concern:
• Shutdown and Startup can be most dangerous times
• Operations likes to run
Terms:
• STR – Spurious Trip Rate = 1/MTTFS
• MTTFS – Mean Time To Failure Spurious, SAFE failure
• MTTFD – Mean Time To Dangerous Failure
Industrial Control Systems Cybersecurity
REGULATIONS, STANDARDS AND BEST PRACTICES
Recent Events
– Shamoon virus takes out 30,000 computers at Saudi Aramco
– US Defense Secretary issues strong warning of cyber attacks on US critical infrastructure
– DHS issues alerts about coordinated attacks on gas pipeline operators
Control System Cyber Security
Control systems operate industrial plant equipment and critical processes. Tampering with these systems can lead to:
– Death, Injury, Sickness
– Environmental releases
– Equipment Damage
– Production loss / service interruption
– Off-spec / Dangerous product
– Loss of Trade Secrets
Control system security is about preventing intentional or unintentional interference with the proper operation of plant.
Control Systems are more vulnerable today than ever before
– Now use commercial technology
– Highly connected
– Offer remote access
– Technical information is publicly available
– Hackers are now targeting control systems
Actual Incident Data
[Chart of incident sources: Hacker; Disgruntled employee; Network device, software; IT Dept, Technician; Malware (virus, worm, trojan).]
Source: © 2011 Security Incidents Organization
Regulations
Department of Homeland Security
– 6 CFR part 27: Chemical Facility Anti-Terrorism Standards (CFATS)
– National Cyber Security Division Control Systems Security Program (CSSP)
Department of Energy
– Federal Energy Regulatory Commission (FERC) 18 CFR Part 40, Order 706 (mandates NERC CIPs 002-009)
Nuclear Regulatory Commission
– 10 CFR 73.54 Cyber Security Rule (2009)
– RG 5.71
Standards
International Society for Automation (ISA)
– ISA 62443 Industrial Automation and Control System (IACS) Security (was ISA 99)
International Electrotechnical Commission (IEC)
– IEC 62443 series of standards (equivalent to ISA 99)
National Institute for Standards and Technology (NIST)
– SP800-82 Guide to Industrial Control Systems (ICS) Security
ISA / IEC 62443 Structure
The ICS Cybersecurity Lifecycle
Key Principles for Securing ICS
Step 1 – Assess Existing Systems
Step 2 – Document Policies & Procedures
Step 3 – Train Personnel & Contractors
Step 4 – Segment the Control System Network
Step 5 – Control Access to the System
Step 6 – Harden the Components of the System
Step 7 – Monitor & Maintain System Security
exida Functional Integrity Certification™
Functional Integrity Certification™ = Functional Safety Certification™ + Functional Security Certification™
“Integrity is doing the right thing, even if nobody is watching.” (Anonymous)
Who are exida and what we do…
exida History
Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services.
“Independent provider of Tools, Services and Training supporting Customers with Compliance and Certification to any Standards for Functional Safety, Cyber Security and Alarm Management”
Rainer Faller: Former Head of TÜV Product Services; Chairman German IEC 61508; Global Intervener ISO 26262 / IEC 61508; Author of several Safety Books; Author of IEC 61508 parts.
Dr. William Goble: Former Director Moore Products Co.; Developed FMEDA Technique (PhD); Author of several Safety Books; Author of several Reliability Books.
What we do

| EXPERTISE | SCOPE | INDUSTRIES | CUSTOMERS |
|---|---|---|---|
| Functional Safety | Tools | Process | End Users |
| Alarm Management | Training | Energy | Manufacturer |
| Cyber Security | Consultancy | Machine | Engineering |
| Reliability | Certification | Automotive | Integrators |
exida Customers (extract from 2000+)
exida Services and Training – Process Industry
– Functional Safety Management Set-up
– Functional Safety Assessment
– PHA
– SIL Determination
– SRS Development
– SIL Verification
– Alarm Philosophy – Rationalization
– Cyber Security Assessments
– Training Programs
exida Tools – Process Industry
exida Industry Contributions
– Global Functional Safety Certification Consultant
– 3rd Party Accredited Certification Body
– Developer FMEDA Technique
– Mechanical Failure Database
– Electrical & Electronic Failure Database
– Instrument & Equipment Failure Database
– Development Field Failure Database Methodology
– Global Active Participation in IEC – ISO Workgroups
– Functional Safety Engineering Tools
Why exida Certification?
Experience – exida has done more certification projects in the process industries for currently marketed products than any other certification company.
Excellence / Competency – We have staff with a cumulative experience of several hundred years in automation functional safety and dependability. exida is active in the 61508 (functional safety) and ISA 99 (security) committees and has developed many of the functional safety analysis techniques.
Market Support / Data – exida supports the end user with analysis and data. That data goes into the exSILentia tool. exida provides training for field personnel.
Broad Capabilities – exida can offer functional safety, security and Integrity Certification.
exida Library
– exida publishes analysis techniques for functional safety
– exida authors ISA best sellers for automation safety and reliability
– exida authors industry data handbook on equipment failure data
www.exida.com
Questions and Discussion