Functional Safety Demystified

Transcription

1 Functional Safety Demystified BOB WEISS - FUNCTIONAL SAFETY CONSULTANT IICA TECHNICAL EVENING 9 TH JULY 07 Purpose Explains how to comply with AS IEC using a case study TOPICS What is Functional Safety? SIS, SIF and SIL Standards IEC 6508 and IEC 65 An example to demonstrate compliance 4.5 day TÜV FSEng course in 45 minutes! One day course also available

2 What is Functional Safety? New term in IEC 6508 (introduced in 999) Part of Overall Safety freedom from unacceptable risk Achieved by a Safety Instrumented System (SIS) E/E/PE Safety System in IEC 6508 Examples: Trip System Emergency Shutdown System Burner Management System Includes field devices as well as logic solver A SIS places or maintains a process in a safe state Process = Equipment Under Control (EUC) in IEC 6508 Implements Safety Instrumented Functions (SIFs) Each SIF achieves a Safety Integrity Level (SIL) Acronyms to remember: SIS, SIF and SIL!. 3 IEC 6508 or IEC 65 IEC 6508 SIS device manufacturers SIS integrators & users SIL -3 SIS integrators & users SIL 4 IEC 65 SIS integrators & users SIL -3 for process industries Integrators & users in the process industries can use either IEC 6508 or IEC 65 IEC 65 is generally simpler to apply 4

3 Why Functional Safety? Buncefield, England Dec 005 Storage tank level gauge showed constant reading High level switch left in test mode Gasoline tank overflowed Mist exploded largest peacetime explosion in Europe 0 tanks on fire burned for three days significant environmental impact hundreds of millions of pounds damage Should have complied with IEC Basic Terminology Sensing subsystem Logic subsystem Final element subsystem Temperature transmitter Temperature transmitter Pressure transmitter SIF : TZH34 SIL Logic Solver (e.g. Safety PLC) Solenoid SIF : PZHH34 Relay in MCC Shut-off valve SIL Flow transmitter Component Subsystems Solenoid Safety Instrumented System - SIS Safety Instrumented Function - SIF Safety Integrity Level - SIL Globe valve July, 07 IICA - FUNCTIONAL SAFETY DEMYSTIFIED 6 3

4 Safety Integrity Level vs. Risk Reduction SIL 4 3 Risk Reduction Factor > 0,000 >,000 0,000 > 00,000 > 0 00 Probability of Failure on Demand (PFD avg ) 0-5 < < < < 0 - Safety Availability > 99.99% > % > % > 90 99% BPCS* % = / PFD avg = / RRF = 00( PFD avg ) * Basic Process Control System Used to specify SIL required Used to specify SIL achieved For Demand Mode SIFs only 7 Safety Lifecycle IEC Management Safety Hazard and risk assessment CDV Verification of functional life-cycle safety and functional safety structure and planning Allocation of safety functions to protection layers assessment and auditing Engineering Contractor SIS Vendor 3 Safety requirements specification for the safety instrumented system 4 Design and engineering of safety instrumented system 5 Installation, commissioning and validation Design and development of other means of risk reduction End User Operation and maintenance Modification Decommissioning 8 4

5 Complying with IEC 65 Target SIL must be specified for each SIF based on hazard and risk analysis Processes for SIS throughout lifecycle must comply Each SIF must meet target SIL requirements for: Random failure rate (PFD avg ) Architectural constraints (hardware fault tolerance) Systematic capability for each component Field devices, logic solver, shutdown valves etc. Not just TÜV certification Though it helps! Not just meeting PFD avg target. 9 Comply Throughout Lifecycle For the rest of the presentation we ll follow the SIS lifecycle What do we need to do to comply at each stage? See the following example Only the main elements of compliance are covered. 0 5

6 Hazard and Risk Assessment Output is a list of hazardous events with their process risk and acceptable risk. 0 9 Management Safety Hazard and risk assessment Verification of functional life-cycle safety and structure functional and Allocation of safety planning safety functions assessment to protection layers and auditing 3 Safety requirements specification for the safety instrumented system 4 Design and engineering of safety instrumented system Design and development of other means of risk reduction Installation, commissioning and validation Operation and maintenance Modification Decommissioning A hazard PSV- LIC 300t LPG Feed Product P- P- A potential source of harm 300t of Liquefied Petroleum Gas can potentially cause harm Hazardous Event Example BLEVE (video) 6

7 Identify Hazardous Events: HAZOP PSV- H LIC 300t LPG Feed Product P- P- Node: LPG Tank Guideword: HIGH LEVEL Consequence: High Pressure, possible tank rupture & major fire Existing Controls: Pressure Safety Valve (PSV-) New Controls: Add High Level Alarm 3 Risk The product of severity and likelihood Consequence severity Major Medium Minor LOW MEDIUM The expected value of loss HIGH Likelihood of occurrence 4 7

8 Risk reduction concept Residual risk Acceptable risk Process risk Necessary risk reduction Actual risk reduction Increasing risk Partial risk reduction by SIS Partial risk reduction by other means of risk reduction Overall risk reduction achieved by all means 5 Is risk acceptable? Hazard - 300t of LPG Process under control Level stable LAH Alarm Process deviation or disturbance Process out of control Control valve sticks Level Increasing PSV Hazardous situation Hazardous event High Pressure Vessel fails What is risk? Is it tolerable? Impact / Consequence 300t of boiling LPG released - likely major fire and fatalities 6 8

9 Risk Analysis - Layers of Protection Mechanical PSV X 00 Alarm LAH X! Control System (BPCS) Hazardous Situation : per y Process Target: per 0,000y Hazardous Event!! Risk Reduction Required: x 0,000 Only have x 00!! 7 Allocation of Safety Functions Often called SIL Assessment, SIL Analysis or SIL Determination Output is a list of Safety Instrumented Functions together with their required Safety Integrity Level. 0 9 Management Safety Hazard and risk assessment Verification of functional life-cycle safety and structure Allocation of functional and safety functions safety planning to protection layers assessment and auditing 3 Safety requirements specification for the safety instrumented system 4 Design and engineering of safety instrumented system Design and development of other means of risk reduction Installation, commissioning and validation Operation and maintenance Modification Decommissioning 8 9

10 Risk is unacceptable - reduce further Hazard - 300t of LPG Process under control Level stable Process deviation or disturbance Control valve sticks LAH Alarm LZHH Trip Process out of control Hazardous situation PSV Hazardous event Level Increasing High Pressure Vessel fails How do we reduce risk further? Impact / Consequence 300t of boiling LPG released - likely major fire and fatalities 9 Add a high level trip LZHH LZT PSV- LIC H 300t LPG Feed Product P- High Level Trip LZHH added Shuts off flow when High High level reached P- 0 0

11 Layers of Protection SIL assessment SIL Mechanical PSV X 00 SIF LZHH Alarm LAH X! Control System (BPCS) Hazardous Situation : per y Process X 00 Target: per 0,000y Hazardous Event!! Risk Reduction Required: x 0,000 SIF must reduce risk by 0,000/00 = 00 Safety Integrity Level vs. Risk Reduction SIL 4 3 Risk Reduction Factor > 0,000 >,000 0,000 > 00,000 > 0 00 Probability of Failure on Demand (PFD avg ) 0-5 < < < < 0 - Safety Availability > 99.99% > % > % > 90 99% BPCS % = / PFD avg = / RRF = 00( PFD avg ) Used to specify SIL required For Demand Mode SIFs only Used to specify SIL achieved

12 Phase & Compliance Achieved! Target SIL must be specified for each SIF based on hazard and risk analysis Processes for SIS throughout lifecycle must comply Each SIF must meet target SIL requirements for: Hardware Fault Tolerance (architectural constraints) random failure rate (PFDavg) Systematic Capability of each component 3 3 Safety Requirements Specification - SRS Defines functional and integrity requirements of SIS Output is a set of documents ready for detail design. 0 9 Management Safety Hazard and risk assessment Verification of functional life-cycle safety and structure Allocation of functional and safety functions safety planning to protection layers assessment and auditing 3 Safety requirements specification for the safety instrumented system 4 Design and engineering of safety instrumented system Design and development of other means of risk reduction Installation, commissioning and validation Operation and maintenance Modification Decommissioning 4

13 SIF Instrument Range Trip Point Units CLOSE VALVE LZV-0 CLOSE VALVE UV-03A CLOSE VALVE UV-03B OPENS VALVE UV-03C Set LIC to MAN, OP=0 /07/07 Safety Requirements Specification Functional Requirements desired behaviour of each SIF behaviour in response to faults timing requirements human machine interface normal and abnormal modes of operation bypass requirements etc. Safety Integrity Requirements Safety Integrity Level for each SIF basis for SIL testing requirements special requirements to maintain SIL etc. 5 Cause-and-Effect Diagram SIFs commonly documented by Cause and Effect diagrams Should include required SIL somewhere examples: Tag# Description BS-0 Burner Loss of Flame ~ ~ X X X PSL-0 Fuel Gas Pressure Low ~ 7 X X X LZHH-0 LPG Tank High High Level mm 0 6 3

14 4 Design and Engineering SIS vendor or contractor for logic solver EPC contractor or end-user for field hardware 0 9 Management Safety Hazard and risk assessment Verification of functional life-cycle safety and structure Allocation of functional and safety functions safety planning to protection layers assessment and auditing 3 Safety requirements specification for the safety instrumented system 4 Design and engineering of safety instrumented system Design and development of other means of risk reduction Installation, commissioning and validation Operation and maintenance Modification Decommissioning 7 Standards Compliance Target SIL must be specified for each SIF based on hazard and risk analysis Processes for SIS throughout lifecycle must comply Each SIF must meet target SIL requirements for: Hardware Fault Tolerance (architectural constraints) Random failure rate (PFD avg ) Systematic Capability of each component 8 4

15 Types of failures Random failures components ( elements ) wear out use high reliability components use redundant components test frequently automated and/or manual Systematic failures human error redundant components provide no protection! techniques and measures to avoid faults detect faults to avoid failures Functional Safety Management System quality system for functional safety 9 Control of systematic failures For integration of components into a system (SIS): Functional Safety Management System (FSMS) for all phases of lifecycle including operation quality system for SIS verification, validation, audit and assessment can comply with either IEC 65 or IEC 6508 Within each component: ensure quality design in accordance with IEC 6508 ensure appropriate techniques and measures from IEC 6508 used for the SIL of the target SIF measured by the term systematic capability SC to 4 corresponding to SIL to 4 Formerly called SIL x Capability independent certification or prior use 30 5

16 Measures to avoid or control failures Systematic techniques to specify hardware and software requirements Design requirements Requirements management techniques Revision control Testing techniques Documentation control Project management... 3 Functional Safety Management System Quality system with safety aspects Safety management system that includes: policy and strategy to achieve safety responsible persons, departments, organizations relationship between those responsible and allocation to safety lifecycle phases selected techniques and measures references to the deliverables the functional safety assessment process (Functional Safety Assessment Plan) procedures for ensuring prompt follow-up of actions from hazard and risk analysis, verification, validation etc. configuration and change management

17 Competence must be managed Competence of all involved, including management shall be managed engineering knowledge, training and experience appropriate to the process technology SIS technology field devices used hazard & risk analysis knowledge of the legal and regulatory requirements relevant management and leadership skills Appropriate to the potential consequence of the event SIL of the SIF novelty and complexity of the application and technology Manage using a procedure and regular assessments e.g. competency matrix updated at annual performance reviews 33 SIL Verification LZHH SIL LZT PSV- LIC H 300t LPG Feed Product P- P- Does the design of SIF LZHH meet SIL? 34 7

18 Standards Compliance Target SIL must be specified for each SIF based on hazard and risk analysis Processes for SIS throughout lifecycle must comply Each SIF must meet target SIL requirements for: Hardware Fault Tolerance (architectural constraints) Random failure rate (PFDavg) Systematic Capability of each component 35 Hardware Fault Tolerance Architectural constraints in IEC 6508 Aim is to avoid unrealistic reliability claims from single components Use IEC (Route H) constrains SIF architecture based on: Safe Failure Fraction complexity of device ( Type A or Type B ) target SIL OR use Table 6 in IEC Ed. simplified, relaxes previous unrealistic restrictions based on IEC 6508 Route H see next slide Outcome is required minimum Hardware Fault Tolerance (HFT) no. of voted devices minus no. required to perform safety function For MooN architecture, HFT = N - M 36 8

19 Case Study: Hardware Fault Tolerance HFT IEC 65 Ed. Table 6 Radar gauge, smart device assumptions Diagnostic Coverage > 60% We know λ DU with confidence limit > 70% SIF operates in Low Demand mode For SIL min HFT = 0 (see below) Only one device required SIL Mode Minimum required HFT Any 0 Low demand 0 High demand or continuous 3 Any 4 Any 37 Safe Failure Fraction Block valve, normally open & normally energized In case of an out of control process, the valve has to close SAFE Closes spontaneously due to loss of energy DANGEROUS Stuck at open Undetected Detected by voltage control Detected by diagnostics Undetected SFF 38 9

20 Architectural Constraints IEC Table Table 3 Safe Failure Fraction Type A Subsystems e.g. pressure switches Hardware Fault Tolerance 0 < 60% SIL * SIL * SIL 3* 60 < 90% SIL SIL 3 SIL 4 90 < 99% SIL 3 SIL 4 SIL 4 99% SIL 3 SIL 4 SIL 4 Type B Subsystems e.g. logic solver, smart transmitters Safe Failure Fraction Hardware Fault Tolerance 0 < 60% Not allowed SIL SIL 60 < 90% SIL * SIL * SIL 3* 90 < 99% SIL SIL 3 SIL 4 99% SIL 3 SIL 4 SIL 4 * IEC HFT for field devices For MooN N-M = HFT 39 Case Study: Architectural Constraints LZHH LZT PSV- LIC H 300t LPG Feed Product P- Transmitter LZT is a smart radar gauge Can we use single transmitter to satisfy SIL? Must also check for logic solver and valve P- 40 0

21 Case Study: Architectural Constraints Smart Transmitter = Type B device use Table 3 in IEC Safe Failure Fraction = 9% from certificate For SIL, required Hardware Fault Tolerance = 0 Therefore one transmitter is ok for SIL LTZ Type B Subsystems e.g. logic solver, smart transmitters Safe Failure Fraction Hardware Fault Tolerance 0 < 60% Not allowed SIL SIL 60 < 90% SIL * SIL * SIL 3* 90 < 99% SIL SIL 3 SIL 4 99% SIL 3 SIL 4 SIL 4 4 Standards Compliance Target SIL must be specified for each SIF based on hazard and risk analysis Processes for SIS throughout lifecycle must comply Each SIF must meet target SIL requirements for: Hardware Fault Tolerance (architectural constraints) Random failure rate (PFD avg ) Systematic Capability of each component 4

22 SIL Verification LZHH SIL LZT PSV- LIC H 300t LPG Feed Product P- P- What is calculated PFD avg for SIF LZHH-? 43 Safety Integrity Level vs. Risk Reduction SIL 4 3 Risk Reduction Factor > 0,000 >,000 0,000 > 00,000 > 0 00 Probability of Failure on Demand (PFD avg ) 0-5 < < < < 0 - Safety Availability > 99.99% > % > % > 90 99% BPCS % = / PFD avg = / RRF = 00( PFD avg ) Used to specify SIL required For Demand Mode SIFs only Used to specify SIL achieved 44

23 Case Study: PFD Calculation Test interval = y Reliability data: Valve: λ DU = /0y (= 0.05 y - ) Logic solver: λ DU = /000y (= 0.00 y - ) Sensor: λ DU = /00y (= 0.0 y - ) PFD avg = λ DU x TI / = 0.05 x / = 0.05 for valve 0.00 x / = for logic solver 0.0 x / = for transmitter Total PFD avg = = Calculated SIL = (PFD avg range ) Required SIL = Not OK! How can this be fixed? LZV LZHH LZT 45 Case Study: Adjust Test Interval Test interval = month Reliability data: Valve: λ DU = /0y (= 0.05 y - ) Logic solver: λ DU = /000y (= 0.00 y - ) Sensor: λ DU = /00y (= 0.0 y - ) PFD avg = λ DU x TI / = 0.05 / / = 0.00 for valve 0.00 / / = for logic solver 0.0 / / = for transmitter Total PFD avg = = Calculated SIL = (PFD avg range ) Required SIL = OK BUT operations object to monthly testing! LZV LZHH LZT 46 3

24 Case Study: Duplicate Block Valves Test interval = year Reliability data: Valve: λ DU = /0y (= 0.05 y - ) Logic solver: λ DU = /000y (= 0.00 y - ) Sensor: λ DU = /00y (= 0.0 y - ) For valves oo voting: PFD avg = (was 0.05) PFD avg = = Calculated SIL = (PFD avg range ) Required SIL = OK LZV A LZHH LZT LZV B 47 Standards Compliance Target SIL must be specified for each SIF based on hazard and risk analysis Processes for SIS throughout lifecycle must comply Each SIF must meet target SIL requirements for: Hardware Fault Tolerance (architectural constraints) random failure rate (PFD avg ) Systematic Capability of each component. How likely is it that each component is free from systematic faults ( bugs )? 48 4

25 Control of systematic failures For integration of components into a system (SIS): functional safety management system for all phases of lifecycle including operation verification, validation, audit and assessment can comply with either IEC 65 or IEC 6508 Within each component: ensure quality design in accordance with IEC 6508 ensure appropriate techniques and measures from IEC 6508 used for the SIL of the target SIF measured by the term systematic capability SC to 4 corresponding to SIL to 4 formerly called SIL Capability independent certification or prior use 49 Case Study: Transmitter Selection Must control systematic faults Transmitter selected must comply with IEC 6508 and IEC 65 Must either: be designed and manufactured in accordance with IEC 6508 confirmed by independent certificate (e.g. by a TÜV or exida) Systematic Capability from to 4 OR i.e. techniques and measures are suitable for SIL to 4 meet requirements for Prior Use (or proven in use ): sufficient experience gained in a comparable application Best practice: require BOTH prior use and certification 50 5

26 Component Certification An independent organisation certifies that the component meets the requirements of IEC 6508 for a particular SIL not only TÜV!!! Parts and 3 contain numerous techniques and measures required to avoid and control faults the rigour required increases with SIL The aim is to reduce the likelihood of systematic faults to an acceptably low level relative to the SIL The result is expressed as Systematic Capability or SC from to 4 corresponding to SIL to 4 was previously called SIL Capability The certificate also usually also includes failure data and whether the component is Type A or Type B details are in a companion report 5 Transmitter TÜV Certificate 5 6

27 Transmitter TÜV Certification 53 Prior Use (IEC 65) Requires that appropriate evidence is available that the component is suitable based on consideration of: the manufacturer s quality systems adequate identification of the devices demonstration of performance in similar operating environments the volume of operating experience Focus is on demonstrating freedom from systematic faults IEC 6508 term is Proven in Use more rigorous requirements 54 7

28 Standards Compliance Target SIL must be specified for each SIF based on hazard and risk analysis Processes for SIS throughout lifecycle must comply Each SIF must meet target SIL requirements for: Hardware Fault Tolerance (architectural constraints) random failure rate (PFDavg) Systematic Capability of each component Design now complies 55 5 Installation, Commissioning, Validation Logic Solver installed with field equipment Includes loop checking, validation and final functional safety assessment. 0 9 Management Safety Hazard and risk assessment Verification of functional life-cycle safety and structure Allocation of functional and safety functions safety planning to protection layers assessment and auditing 3 Safety requirements specification for the safety instrumented system 4 Design and engineering of safety instrumented system Design and development of other means of risk reduction Installation, commissioning and validation Operation and maintenance Modification Decommissioning 56 8

29 Standards Compliance Target SIL must be specified for each SIF based on hazard and risk analysis Processes for SIS throughout lifecycle must comply Each SIF must meet target SIL requirements for: Hardware Fault Tolerance (architectural constraints) random failure rate (PFD avg ) Systematic Capability of each component Verification, Validation, Functional Safety Assessment 57 Case Study: Verification and Validation Project Verification and Validation Plan required Consider level of independence required (i.e. independent engineer) Define responsibilities Verify each phase e.g. Safety Requirements Specification Verify hardware design documents Verify functional specifications etc Implement code walkthrough Logic Solver Factory Acceptance Test Complete integration test validates application software on target hardware Logic Solver Site Acceptance Test Power up test on site Safety Function Testing SIS validation Functional Safety Assessment Note that terminology is from the ISO9000 discipline Some disciplines swap the meanings of verification and validation! 58 9

30 Verification... build the product right activity of demonstrating for EACH PHASE of the relevant safety life cycle by analysis and/or tests, that, for specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase (IEC ) Performed progressively throughout the lifecycle 59 Validation... build the right product activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration after installation meets in all respects the SAFETY REQUIREMENTS SPECIFICATION (IEC ) Performed prior to introducing the hazards to the process Can take credit for software validation in Factory Acceptance Test CDV 60 30

31 Functional Safety Audit A systematic and independent examination to determine whether the PROCEDURES specific to the functional safety requirements to comply with the planned arrangements, are implemented effectively and are suitable to achieve the specified objectives. (IEC Ed and IEC ) For either an organisation or a project 6 Functional Safety Assessment investigation, based on evidence, to JUDGE the functional safety achieved by one or more protection layers (IEC ) Judgement based on evidence At least one required prior to hazard introduction, but may be progressive Independence required Increases with SIL (IEC 6508) 6 3

32 6 Operations, Maintenance and Modification The Cinderella Phases! User must follow a Functional Safety Management System for the life of the SIS. 0 9 Management Safety Hazard and risk assessment Verification of functional life-cycle safety and structure Allocation of functional and safety functions safety planning to protection layers assessment and auditing 3 Safety requirements specification for the safety instrumented system 4 Design and engineering of safety instrumented system Design and development of other means of risk reduction Installation, commissioning and validation Operation and maintenance Modification Decommissioning 63 Ops and Maintenance Obligations Train operators & maintainers Proof test each SIF at specified interval Monitor design assumptions demand rates component reliability Adjust test interval to suit Control modifications Ensure Maintenance and Operational Overrides are used as designed Monitor and promptly follow-up diagnostics 64 3

33 Case Study: Operation and Maintenance Mechanical: PSV SIF: LZHH SIL Alarm LAH Control System (BPCS) Hazardous Situation Process LZHH LZT X 00 X 00 per y PSV- Target: per 0,000y Hazardous Event!! Risk Reduction Required: X 0,000 Risk analysis assumed: demand on SIF once per year what happens in practice? SIL verification assumed: transmitter failure rate 0.0 y - what happens in practice? Etc etc... Must verify actual performance against assumptions and adjust testing as required Documentation of assumptions is critical LIC H 300t LPG Feed Product P- P- 65 Summary The SIS Lifecycle 0 9 Hazard and risk assessment Management Safety Verification of functional life-cycle safety and structure Allocation of functional and safety functions safety planning to protection layers assessment and auditing Engineering Contractor SIS Vendor 3 Safety requirements specification for the safety instrumented system 4 Design and engineering of safety instrumented system Design and development of other means of risk reduction End User Installation, commissioning and validation Operation and maintenance Modification Decommissioning 66 33

34 Summary Requirements Target SIL must be specified for each SIF based on hazard and risk assessment Processes for SIS throughout lifecycle must comply Each SIF must meet target SIL requirements for: Hardware Fault Tolerance (architectural constraints) random failure rate (PFD avg ) Systematic Capability of each component. Not just TÜV certification though it helps! Not just meeting PFD avg target Don t forget spurious trip rate! 67 Need more? IICA runs the following courses: TÜV Rheinland Functional Safety Engineer course For those with 3+ years experience in functional safety Leads to Functional Safety Engineer (TÜV Rheinland) qualification Sydney 6-0 October 07 Melbourne June 08 (exact date set Dec 07) ISA One-day Introduction to SIS runs on request If interested please training@iica.org.au 68 34

35 Questions? 69 35