The evolution of the cookbook


The evolution of the cookbook
Angela E. Summers, Ph.D., P.E. and Michela Gentile, Ph.D.
Mary Kay O'Connor Process Safety Center 2006 International Symposium: Beyond Regulatory Compliance, Making Safety Second Nature
Texas A&M University, October 24-25, 2006

Outline
- Introduction
- Problem Definition
- Prescriptive Design: Cookbook
- Performance-based Design
- Example
- Conclusions

Introduction
Normal process control is designed to keep the process within the parameter ranges considered acceptable for normal and safe operation.
The SIS is designed to bring the process to a safe state when the parameters fall outside the safe ranges.
[Diagram: vessel with level transmitters LT 1 and LT 2, each with HH and LL limits; safe level contrasted with level too high]

Introduction: Hazard and Risk Analysis (H&RA)
- H&RA assesses the process risk associated with identified hazardous events and identifies the need for an SIS.
- Independent protection layers (IPL) reduce the process risk to the owner/operator's risk criteria.
- The target safety integrity level (SIL) is the performance benchmark for SIS design and management.
[Diagram: vessel with level transmitters LT 1 and LT 2, HH and LL limits; safe level contrasted with level too high]

Introduction
- In the past, integrity was achieved by building in safety margins.
- Today, project and plant personnel are under pressure to optimize the processes, i.e., to reduce the safety margins.
- Now, as less safety margin is built into the design, more importance is placed on the precision of the risk analysis.
[Diagram: vessel level limits showing the safety margin between the safe level and the HH limit of LT 1, alongside the two-transmitter arrangement with LT 1 and LT 2]

Introduction: target safety integrity level (SIL)
- Cookbook SIS design: common in the process industry at the time ISA 84.01-1996 was issued. Simpler, but less flexible.
- Performance-based design (ISA 84.01-2004/IEC 61511): flexible, but the wide range of options also adds significant complexity.

Introduction
Optimization drives safety margin reduction and longer turnaround intervals.
[Diagram: cookbook SIS design (low flexibility, built-in safety margin) contrasted with performance-based design per 84.01/IEC 61511 (flexibility, complexity)]

Problem
- Cookbook SIS design rests on prescriptive risk reduction strategies drawn from experience and good engineering practice.
- Internal practices specify the required architecture, fault tolerance, voting, diagnostics, installation details, and a maximum proof test interval (6 months to 1 year).
- Successful mechanical reliability and preventive maintenance programs made it attractive to extend the turnaround interval, with significant economic returns through improved production.
- The extended turnaround interval conflicted with the documented proof test requirements.
[Diagram: arrow from cookbook SIS design toward performance-based design (84.01/IEC 61511)]

Cookbook SIS Design

Cookbook SIS Design
- 1993: CCPS/AIChE published Guidelines for Safe Automation of Chemical Processes, which introduced the concept of safety integrity level (SIL).
- SIL is related to the probability that the SIS fails to perform as required when needed.
[Diagram: SIL ladder, SIL 1 to SIL 2 (PFD = 1.0E-02) to SIL 3 (PFD = 1.0E-03); the performance expectation increases, i.e., the tolerable probability of SIS failure is reduced, as the SIL increases]
- Cookbook approaches require more rigor in the design, operation, inspection, and maintenance practices as the SIL increases.

Cookbook SIS Design: SIS internal practices
- Define the minimum requirements to achieve SIL 1, SIL 2, and SIL 3, covering device selection, configuration, diagnostics, and proof test intervals.
- Must be followed, unless deviation is justified and approved.
- Evolved over years and are generally sufficiently conservative that a wide range of devices could be used to implement the design.
- Require proof test intervals based on the recommended designs; deviation from this test interval is only acceptable if quantitative analysis demonstrates that the required risk reduction is met.
- Widely used to specify SIS requirements, especially for repetitive applications.
- Ensure consistency in SIS design and implementation across a facility.

Towards Performance-based
- The user of the cookbook must understand the assumptions behind the cookbook.
- When any of the assumptions is violated, the performance achieved by the SIS may be insufficient to provide the required safety and reliability for the specific application.
- Prescriptive approaches are often favored over performance-based ones due to the apparent simplicity offered by the cookbooks.
[Diagram: arrow from cookbook SIS design toward performance-based design (84.01/IEC 61511)]

Performance-based SIS Design

Performance-based
- ISA 84.01-2004/IEC 61511 uses a four-tiered SIL benchmark to establish SIS requirements.
- The flexibility of a performance-based standard allows owner/operators to determine how to invest the $$$$$.
[Diagram: trade-off between capital investment (device redundancy, diagnostic capability, test/bypass facilities) and operating cost (test interval)]

Performance-based: CAUTION!!
- The flexibility of a performance-based standard can lead to inconsistencies.
- Inconsistency increases the potential for systematic errors.
- It is important to remember that a performance-based process is only as good as the data and information fed into it.
- Prescriptive internal practices are required to ensure consistency.

Towards Performance-based
[Diagram: spectrum from qualitative through semi-qualitative to quantitative, running from cookbook SIS design toward performance-based design (84.01/IEC 61511)]
- The cookbook concept is also acknowledged in ISA 84.01-1996: verification of SIL can be qualitative (comparison to a prescriptive design) or quantitative.
- ISA 84.01-2004/IEC 61511 eliminates the qualitative option, emphasizing a quantitative demonstration for SIL claims.

EXAMPLE

Example: Assumptions
- The failure rate of the devices is constant and random, which requires inspection and preventive maintenance.
- Devices are specified to fail to the safe state on loss of power and other support systems.
- Redundant sensors are installed on separate process connections.
- Block valves are specified as spring-return fail-closed and are actuated using de-energize-to-trip solenoid operated valves.
- The proof test procedure fully validates the required operation of each device.

Example: Scenario
[Diagram: vessel with pressure transmitters PT 1 and PT 2, each with HH and LL limits; safe level contrasted with level too high]
Event sequence without protection: control valve failure, vessel overpressure, vessel failure, release of flammables.

Example: Scenario
[Diagram: the same vessel with PT 1 and PT 2, now with the SIF added]
Event sequence with the SIF: control valve failure, vessel overpressure, SIF action, safe state.

Example: Options, Architectures: SIL 1
[Diagram: SIL 1 architecture (fault tolerant to dangerous failures) alongside a High Reliability SIL 1 SIS]

Example: Options, Architectures: SIL 2
[Diagram: SIL 2 architecture (fault tolerant to dangerous failures) alongside a High Reliability SIL 2 SIS]

Example: Options, Architectures: SIL 3
[Diagram: SIL 3 architecture (fault tolerant to dangerous failures) alongside a High Reliability SIL 3 SIS]

Example: results

Required SIL   Case           PFDavg @ TI=1   PFDavg @ TI=3   PFDavg @ TI=5   MTTFS
SIL 1          A              2.04E-02        6.04E-02        1.01E-01        18.5
SIL 1          High Reliab.   2.69E-02        7.96E-02        1.32E-01        51.8
SIL 2          A              3.73E-03        1.28E-02        2.40E-02        10.7
SIL 2          High Reliab.   2.16E-03        1.00E-02        2.29E-02        27
SIL 3          A              3.60E-04        2.75E-03        7.37E-03        9.4
SIL 3          High Reliab.   7.29E-04        5.94E-03        1.62E-02        27

TI = proof test interval in years; MTTFS = mean time to spurious failure.

SIL 1: PFDavg between 1.0E-02 and 1.0E-01
SIL 2: PFDavg between 1.0E-03 and 1.0E-02
SIL 3: PFDavg between 1.0E-04 and 1.0E-03
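To make the SIL-band check behind this table and the earlier SIL slide concrete, here is an added worked example (not part of the presentation) that reads the achieved SIL off the quoted PFDavg bands for the table's Case A rows, and also computes PFDavg against test interval for 1oo1, 1oo2 and 2oo3 voting using the IEC 61508-6 simplified equations rather than the authors' own model. The dangerous undetected failure rate (0.03 per year) and common-cause beta (10 %) are constructed values, not the presentation's device data.

```python
# PFDavg bands quoted on the results slide (low-demand mode, ISA 84.01-2004 / IEC 61511).
# The [1e-5, 1e-4) band is IEC 61508's SIL 4; the presentation only uses SIL 1 to 3.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd_avg: float) -> int:
    """Return the SIL whose PFDavg band contains pfd_avg; 0 means worse than SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0


def pfd_avg(arch: str, lambda_du: float, ti_years: float, beta: float = 0.1) -> float:
    """Simplified IEC 61508-6 PFDavg (repair time and diagnostics ignored).

    lambda_du is the dangerous undetected failure rate per year; beta is the
    common-cause fraction shared by the redundant channels.
    """
    independent = (1.0 - beta) * lambda_du        # per-channel rate net of common cause
    ccf_term = beta * lambda_du * ti_years / 2.0  # common-cause share behaves like 1oo1
    if arch == "1oo1":
        return lambda_du * ti_years / 2.0
    if arch == "1oo2":
        return (independent * ti_years) ** 2 / 3.0 + ccf_term
    if arch == "2oo3":
        return (independent * ti_years) ** 2 + ccf_term
    raise ValueError(f"unsupported architecture: {arch}")


def achieved_sil_by_ti(pfd_by_ti: dict) -> dict:
    """Map each proof test interval (years) to the SIL its PFDavg actually meets."""
    return {ti: sil_from_pfd(p) for ti, p in pfd_by_ti.items()}


# Case A rows of the presentation's results table: PFDavg at TI = 1, 3 and 5 years.
PRESENTATION_CASE_A = {
    "SIL 1": {1: 2.04e-2, 3: 6.04e-2, 5: 1.01e-1},
    "SIL 2": {1: 3.73e-3, 3: 1.28e-2, 5: 2.40e-2},
    "SIL 3": {1: 3.60e-4, 3: 2.75e-3, 5: 7.37e-3},
}

if __name__ == "__main__":
    for target, row in PRESENTATION_CASE_A.items():
        print(f"target {target}: SIL achieved by TI = {achieved_sil_by_ti(row)}")
    # Constructed device data: lambda_du = 0.03/yr (about 3.4e-6/h), beta = 10 %.
    for arch in ("1oo1", "1oo2", "2oo3"):
        trend = {ti: sil_from_pfd(pfd_avg(arch, 0.03, ti)) for ti in (1, 3, 5)}
        print(f"{arch}: SIL achieved by TI = {trend}")
```

Running it shows the table's Case A designs dropping one SIL (or, for the SIL 1 case, out of the SIL bands altogether) between TI=1 and TI=5, and the constructed 1oo2 and 2oo3 designs losing their SIL 2 claim at TI=5 for the same reason.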

Conclusions

Conclusions
- The prescriptive solutions were intended to be conservative to account for a wide variety of conditions.
- The perceived safety margin provided by the proposed architecture at TI=1 yr is lost when the test interval is extended to 5 years.
- As better analytical tools were developed, practices evolved to become more performance-based, allowing increased flexibility.
- High reliability architectures have a larger number of devices, which yields a higher PFDavg.
- When the SIF architecture only achieves a marginal PFDavg, the design should be considered insufficient for the required SIL.

Questions