Module 01- Introduction to Functional Safety.pdf

Full Transcript

Module 1
Introduction to
Functional Safety

1 Introduction to Functional Safety
Introduction to Functional Safety

Content:
1.1 Accidents in the Process Industry Sector
1.2 International Safety Standards addressing Functional Safety
1.3 Local Laws and Regulations
1.4 Basic Terms and Definitions
1.5 Summary

Objectives of this training module:
- See what we can learn from major accidents in the past
- Learn about international Safety Standards
- Learn important key concepts and often used expressions of Functional Safety

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 14
 1.1 Accidents in the Process Industry Sector

Accidents
Well known accidents in the past:
Seveso, Italy, 1976 (leading to the Seveso-Directive; currently Seveso-III)
(Operational failures, poor safety concept, exposure of dioxin in populated areas)

Bhopal, India, 1984
(Operational failures, reduced and bad educated staff, non-functional safety systems,
exposure of methyl isocyanate (MIC) gas, ~16000 people died, ~500000 people injured)

Piper Alpha, North Sea, 1988
(Modified from oil production into gas production, poor risk analysis,
careless handling of forms and procedures, blocked fire extinguishing system,
no evacuation facility, 167 people died, economic impact: ~15 billion dollar

BP Texas City, TX, USA, 2005 (details see next slides…)
Buncefield, United Kingdom, 2005 (details see next slides…)
Deepwater Horizon, Gulf of Mexico, 2010 (details see next slides…)

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 15
1.1 Accidents in the Process Industry Sector

BP Texas City Accident

Fact Sheet
Location: Texas City, TX, USA
Date: 23rd March 2005
Direct consequences:
At least 5 explosions occurred
15 killed, over 170 injuries
Residence up to 5 miles away felt the explosions
Indirect consequences:
About 300 alleged violations were found in their safety rules
USD 21.3 million fine was paid to OSHA
USD 700 million was reserved to compensate the victims
> USD 3 billion set aside for development over 5 years at US BP plants

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 16
 1.1 Accidents in the Process Industry Sector

BP Texas City Accident
Headline in the news:
Refinery explosion due to several equipment and procedural failures
Some factors, which contributed to the accident:
Deficiencies in risk analysis: Accommodation container for workers placed near to hazardous area
Startup phase of refinery after maintenance works completed
Problems during shift change:
No experienced operator in control room, bad reporting, lost information
Bad indications (operators didn’t judge the real process situation correctly)
Inoperative alarms (some alarm devices didn’t work)
Ignitions sources in explosive areas

https://www.youtube.com/watch?v=goSEyGNfiPM Source: Wikipedia

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 17
1.1 Accidents in the Process Industry Sector

BP Texas City Accident – Pictures

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 18
1.1 Accidents in the Process Industry Sector

Buncefield Accident

Fact Sheet
Location: Hertfordshire – Buncefield,
United Kingdom
Date: 11th December 2005
Obvious problem:
Oil depot – overfilling tank due to equipment
failure, leading to vapor cloud which got
ignited
Direct consequences:
Explosion led to a large fire which took 5 days
to extinguish
23 storage tanks caught fire
43 people injured; 2,000 people evacuated
Indirect consequences:
Estimated economic impact GBP 1 billion

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 19
1.1 Accidents in the Process Industry Sector

Buncefield Accident – Lessons learned
At first glance a typical equipment failures:

A level gauge had stuck again and again after the tank had been serviced.
However, nobody responded effectively to its obvious unreliability.

The IHLS needed a padlock to retain its check lever in a working position.
If the padlock was not replaced, it was possible for the check lever to be left in the lower position or to
fall naturally. In either case the switch would be disabled.

At second glance lots of management failures:
- No Functional Safety Management (FSM) existing
- No proper Hazard and Risk Analysis (H&RA) executed
- No error culture existing
- No independent assessments & audits executed
- …
Below some recommendations and “Lessons learned” from accident reports (citations):
- Apply important process safety management principles!
- There should be a clear understanding of major accident risks and safety critical equipment!
- Detect signals of failure in safety critical equipment and respond to them quickly and effectively!
- Remove pressure on staff and managers!
- Execute frequent and effective assessments and audits!
“Buncefield: Why did it happen?” (COMAH)
1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 20
1.1 Accidents in the Process Industry Sector

Deepwater Horizon Rig Accident

Fact Sheet
Location: Deepwater Horizon, Gulf of Mexico
Date: 20th April 2010
Problem:
Hydrocarbon escape from the Macondo well resulting in explosions and fire on
the rig
Direct consequences:
11 people killed; 17 others injured
Massive fire continued for 36 hours until the rig sank
Hydrocarbons (about 780 million liters) continued to flow for 87 days causing a
huge environment pollution
Indirect consequences:
BP set up a USD 20 billion relief fund...

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 21
1.1 Accidents in the Process Industry Sector

Deepwater Horizon Rig – Movie

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 22
1.1 Accidents in the Process Industry Sector

Deepwater Horizon Rig – Pictures

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 23
1.1 Accidents in the Process Industry Sector

Deepwater Horizon Rig

Failure at cost of life
1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 24
1.1 Accidents in the Process Industry Sector

Deepwater Horizon Rig

Failure at cost of environment
1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 25
1.2 International Safety Standards addressing Functional Safety

Lessons Learned:
We need more Safety : Functional Safety!
But isn’t that too expensive?
Beside the victims and environmental damage – let’s have a look to the costs:

Deepwater Horizon Bouncefield BP Texas City
Estimated total costs: Estimated total costs: Estimated total costs:
$62 billion 1 billion GBP > $1,5 billion

“…if you think safety is expensive, try an accident…” (Dr. Trevor Kletz)
Today, the cost of a major accident in the process sector can be more than
10x the investment cost
We have had terrible accidents in the past
The concepts of Functional Safety help us to avoid similar accidents in the future!

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 26
1.2 International Safety Standards addressing Functional Safety

Aim of Functional Safety:

Protection of human life, assets and environment

Safety (IEC 61508-4:2010 Clause 3.1.11)
Freedom from unacceptable risk, which is not tolerable

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 27
1.2 International Safety Standards addressing Functional Safety

Functional Safety deals with Active Systems!
Functional Safety is the part of the overall safety that depends on a
system or equipment operating correctly in response to its inputs.

Functional Safety is about the
 detection of a potentially dangerous condition resulting in the
 activation of a protective or corrective device or mechanism to
 prevent hazardous events or to reduce the consequence.

 Functional Safety basically relies on active systems. FS
Example: The activation of a level switch in a tank containing a hazardous liquid.
When a potentially dangerous level has been reached,
a valve will be closed to prevent further liquid entering the tank
and thereby preventing the liquid in the tank from overflowing.

 Safety achieved by measures that rely on passive systems
is not Functional Safety.
Example: A fire-resistant door or insulation to withstand high temperatures are measures that
X
FS

are passive in nature and can protect against the same hazards are controlled by functional
safety concepts but are not instances of functional safety.

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 28
1.2 International Safety Standards addressing Functional Safety

Fundamental Concepts of Functional Safety

Functional Safety (IEC 61511-1:2016 Clause 3.2.23)
Part of the overall safety relating to the process and the BPCS which depends on the
correct functioning of the SIS and other protection layers

Fundamental requirements and concepts:
Consideration of a plant or a system throughout the overall life-cycle
Introduce and apply Functional Safety Management System (FSMS)
Organizational
Carrying out a “Hazard and Risk Assessment”, leading to a
“Safety Requirements Specification” incl. SIL information
Ensure correct hardware and software design of the SIS, in particular:
- Avoid Random Hardware Failures
- Avoid Common Cause Failures
- Avoid Systematic Failures
Technical
Execute “SIL verification” and reliability analysis
Ensure resilience against identified security risks

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 29
1.2 International Safety Standards addressing Functional Safety

Functional Safety Standards
Safety Instrumented Systems
for Process Sector

Standards

Safety Instrumented System
Manufacturers and suppliers
designers, integrators and
of devices
end-user

IEC 61508
IEC 61511

IEC 61508 - Functional Safety of
electrical / electronic / programmable electronic safety-related systems

IEC 61511 == ANSI/ISA 84.00.01
Functional Safety - Safety Instrumented Systems for the process industry sector
1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 30
1.2 International Safety Standards addressing Functional Safety

Relevant Standards for SIS in Process Sector

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 31
1.2 International Safety Standards addressing Functional Safety

IEC 61508 – Framework for Safety Standards

IEC 61508
IEC 61513, 60880-
IEC 61784-3
IEC 61511 2, 61238 EN 50402
Profiles for safe
Process Industry Nuclear Power Gas Detection
communication
plants

ANSI/ISA EN 50126, 50128, IEC TS 61000-1-2
S84.00.01 IEC 61800-5-2
50129 EMC for functional
Process Industry Power Drives
Railway safety
USA

IEC 61326-3-x
IEC 62061 ISO 26262 IEC 62304
Immunity for
Machinery Automotive Medical Software
functional safety

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 32
1.2 International Safety Standards addressing Functional Safety

Overview IEC 61508

Part 1: General requirements
Part 2: Requirements for electrical, electronic,
programmable electronic systems
(E/E/PES)
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination
of safety integrity levels (SIL)
Part 6: Guidelines on the application of Parts 2 & 3
Part 7: Overview of techniques and measures

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 33
1.2 International Safety Standards addressing Functional Safety

Legal Status of IEC 61511

Standards are never legally binding, merely they are used for guidance, but...
Since its release (2003) IEC 61511 is considered
State-of-the-Art or Good Engineering Practice
State-of-the-Art means, IEC 61511 is
Technically feasible and applicable
Organizationally possible to plan
Economically feasible

State-of-the-Art is a legal term in many countries
This makes it almost impossible not to comply to IEC 61511
when it comes to Safety Instrumented Systems (SIS)

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 34
1.2 International Safety Standards addressing Functional Safety

Overview IEC 61511

Part 1: Framework, definitions, system, hardware
and software requirements (normative)
Part 2: Guideline for the applications of IEC 61511-1
(informative)
Part 3: Guidance for the determination of the required
safety integrity levels
(informative)
Reference number:
IEC 61511:1-2016(E)

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 35
1.3 Local Laws and Regulations

Local Standards (Module 9)

Germany
Australia

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 36
1.4 Basic Terms and Definitions

BPCS
Basic Process Control System (BPCS) (IEC 61511-1:2016 Clause 3.2.3)

System which responds to input signals from the process, its associated
equipment, other programmable systems and/or operators and
generates output signals causing the process and its associated
equipment to operate in the desired manner,
but which does not perform any SIF.
A BPCS typically may implement:
- Process control functions,
- Monitoring
- Alarms
- Other protective functions.

BPCS typically is not SIL rated and
therefore not allowed to execute any
safety functions!
Risk reduction factor typically ≤ 10

Failure in BPCS can trigger a demand to
the SIF (Safety Instrumented Function)!
1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 37
1.4 Basic Terms and Definitions

Safety Instrumented Function (SIF)
Safety Instrumented Function (SIF) (IEC 61511-1:2016 Clause 3.2.66)
Safety function to be implemented by a safety instrumented system (SIS)
A SIF is designed to achieve a required SIL, which is determined in relationship with the other
protection layers participating to the reduction of the same risk.

Measure the temperature in the vessel and if the temperature is higher than 100 °C stop the
pump and drain the content of the vessel safely.
SIF response time is max. 30 seconds. SIL 2 required.

A SIF describes (verbal, as a sentence in a document!) a certain expected
safety functionality, which typically includes statements about:
 Measurement – evaluation – reaction – reaction time – SIL
(what must be done, how fast and in which quality…)

Additional detailed information for the SIF must be defined (see SRS…):
Safe state
Proof test interval
Demand mode (e.g. low demand)
Energize to trip – De-energize to trip
etc.

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 38
1.4 Basic Terms and Definitions

Safety Instrumented System (SIS)
Safety Instrumented System (SIS) (IEC 61511-1:2016 Clause 3.2.67)
Instrumented system, used to implement one or more SIFs.
SIS usually means technology (or simplified: SIS is the technical implementation of a SIF)

SIS consist out of subsystems, minimum: Sensors – Logic solver – Final elements

Subsystems consist out of devices (which can be redundant)

NP = Non-programmable
PE = Programmable electronics
(including software)
SIS can also include:
Communication
(e.g. safety protocol)
Ancillary equipment – such as
- Power supplies
- Impulse lines
- Heat tracing
-…
Human action as part of a SIF
Realistic SIS example see next slide…

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 39
1.4 Basic Terms and Definitions

Example for SIF and SIS
Primary function (SIF)
The flow in pipe Y is measured and evaluated by a controller, located in plant section A. When
threshold X is reached, another controller in plant section B must close the inlet A and inlet B.

Secondary function: Flow XV46 should be also closed due to operational reasons.

SIS subsystems needed for
execution of above SIF:
Flow transmitter FT33 XV44

PLC A (HIMA, HIMax) Material A
Chemical FT33
SafeEthernet protocol Process
XV45
PLC B (HIMA, HIMax)
Material B
Valve XV44
Valve XV45 XV46

Operational

PLC-B Safe communication PLC-A

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 40
1.4 Basic Terms and Definitions

Control Loop versus Safety Loop - Example
BPCS:
A SIS must be able to:
Control loop detect the process going into a hazardous condition
move the process to safe state
act independently of other systems / protection layers.

LZT-2
LT-1

CV-1

XV-2

Safety Loop (SIF) executed by SIS

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 41
1.4 Basic Terms and Definitions

Demand, Probability of Failure on Demand (PFD), EUC

Demand:
Process going out of control (due to a process upset or a failure of BPCS)
which requires a safety action (for example executed by a SIF)
to move the process to a safe state.

Average probability of dangerous failure on demand – PFDavg (IEC 61508-4 3.6.18)

Mean unavailability of the SIS to perform the SIF
when a demand occurs from the EUC or EUC control system
(the real value of PFDavg for the SIF must be calculated, see training module 5)

EUC - Equipment under control (IEC 61508-4 3.2.1
Equipment, machinery, apparatus or plant used for manufacturing,
process, transportation, medical or other activities

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 42
1.4 Basic Terms and Definitions

Typical Problems in a SIS

65 = 1000001

97 = 1100001
Bit Flip (RAM) failure
(e.g. due to cosmic rays or radiation)

SIF:
If the temperature goes
over 65 °C close the valve
within 10 seconds.
SIL2 required.

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 43
1.4 Basic Terms and Definitions

SIS States

A SIS can be in 4 different states:

OK: No internal failures  Process protected and in operation

Safe: The SIS fails in a way that the SIF is carried out without a demand  Process shutdown
(In previous example: Imagine the bit failure occurs in the input device
and compromises the field value in a way, that the SIF is executed without a demand)

Dangerous: The SIS fails in a way that the SIF cannot be carried out in case of a demand
 Process in operation but unprotected
(In previous example: Imagine the bit failure occurs in the physical memory where the trip value is saved)

Intermediate: The SIF can still be carried out despite one or more internal SIS failures
(e.g. because of existing redundancy),
 Process in operation, reduced SIS performance, repair required!

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 44
 1.4 Basic Terms and Definitions

Safety Integrity Level (SIL)
Safety Integrity Level (SIL) (IEC 61511-1:2016 Clause 3.2.69)
Discrete level (expressed on a scale of SIL 1 to SIL 4), allocated to
the SIF for specifying the safety integrity requirements to be achieved by the SIS.

From SIL 1 to SIL 4 increases the level of safety integrity
Needed SIL is an outcome from hazard and risk analysis
SIL applies to the complete SIF and defines the requirements for the SIS
SIL is how we measure the performance of a SIF carried out by a SIS
There are technical and non-technical requirements defined per SIL level
Example for technical requirements: SIS design (HFT, PFDavg, suitable devices…)
Example for non-technical requirements: Expected grade of independence for assessments
SIL defines target Probability of Failure on Demand (PFD) and required Risk Reduction Factor (RRF):

IEC61511-1 Table 4

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 45
 1.4 Basic Terms and Definitions

SIL Story at a Glance Documented in SRS:

Needed SIL is an outcome from
hazard and risk analysis:

SIL defines requirements on the SIS
But SIL is not only a technical requirement (e.g.): hardware: HFT, SC, PFDavg …

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 46
1.4 Basic Terms and Definitions

Human Error
Human Error (IEC 61511-1:2016 Clause 3.2.29)
Intended or unintended human
action or inaction that produces
an inappropriate result.
Mistakes
Slips
Lapses
are examples of human errors.

Human error can be one cause for common cause failures or systematic failures
Human error can be one cause for security problems
Human error must be considered during the hazard and risk analysis
(e.g. consider “alarm & operator protection layer during a LOPA or HAZOP)
Human error is neither “random failure” nor “systematic failure”,
but is often the root cause for systematic failures!

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 47
1.4 Basic Terms and Definitions

Protection Layers (PL)

Plant emergency
Emergency response layer
response
Mitigation

Embankment
Bunker Passive protection layer

Controlled relief
valve, rupture disk, Active protection layer
F&G system

Safety Instrumented Isolated protection layer
Emergency shutdown action
System (SIS) Trip level alarm

Alarm and operator Process parameters out of Process control layer
Prevention

intervention control High level alarm

High level
Basic Process Control
Normal process behaviour Process control layer
System (BPCS) or DCS
Low level

Plant and process
Inherent safe plant design
design

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 48
1.4 Basic Terms and Definitions

Deepwater Horizon Rig – Protection Layers Fail

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 49
1.4 Basic Terms and Definitions

Process Safety Time – Diagram
Process Value

Intolerable
error range

BPCS out of Possible Sensor Logic system Actuator Process delay time
control operator Input Reaction time Reaction time
Intervention processing (typically of contacts,
(incl. delays) 2 cycles) valves etc.
e.g. 1 Sec. e.g. 0,5 Sec. e.g. 2 Sec. Tolerable
error range
Time until the
SIF Reaction Time safeguard really effects
e.g.: 3,5 Sec. the process

SIF Trip Point

Alarm limit

Good range

Process Safety Time Time
e.g. 60 Sec.
1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 50
1.4 Basic Terms and Definitions

Process Safety Time – SIF Response Time

Process Safety Time (IEC 61511-1:2016 Clause 3.2.52.1)

Time period between a failure occurring in the process or the basic process control
system (with the potential to give rise to a hazardous event) and the occurrence of the
hazardous event if the SIF is not performed.

Property of the process
(process knowledge required, usually gained during H&R Analysis)
Basic information for SRS
Consider process lags (e.g. cooling of a vessel).
SIF response time must be fast enough to prevent the hazardous event
Process safety time >> expected SIF response time
SIF response time includes times for: sensing – evaluation – reaction

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 51
1.5 Summary

Lessons Learned…
Horrible accidents in the past triggered safety culture in process industries

Definition of Safety and Functional Safety

Two international standards define safety approach in process industries:
IEC 61508 (addresses mainly for manufactures of safety devices)
IEC 61511 (addresses mainly end-users, system integrators and programmers)

Basic terms:
SIL
SIS
SIF
System states
Protection Layers
Process Safety Time
SIF Response Time

1 Introduction to Functional Safety © HIMA Paul Hildebrandt GmbH 2024_1 52