IEC-61508 Implementing a Compliance Program - PowerPoint PPT Presentation

Slides: 65
Provided by: SeanAt
Transcript and Presenter's Notes

1
IEC-61508 Implementing a Compliance Program
  • Motivation
  • Education
  • Implementation

2
Overview
3
Overview
4
Overview
5
Motivation
  • Do you or your company believe in the
    infallibility of Engineered systems?

6
Motivation
  • Roche Ireland does not have this delusion
  • 25 years operational experience
  • Including some close calls
  • Reality has motivated our safety culture.

7
Education
  • Much of the rest of this presentation has been
    generated from training presentations given in
    Roche Ireland to
  • Management
  • Process Engineering
  • Instrument / Electrical Engineering

8
Education
  • Need to educate yourself
  • Guidelines for Safe Automation of Chemical
    Processes CCPS/AIChE
  • ISA S84
  • Functional Safety, Smith Simpson
  • IBC conferences
  • Various WWW resources (exida, sis-tech, etc.)

9
IEC-61508, SOP 973
  • Functional safety of electrical / electronic /
    programmable electronic safety-related systems.
  • Critical Protective equipment - Safety
    Instrumented Systems

10
IEC-61508, SOP 973
  • Safety requires protection from hazards of
    different causes (movement, heat, radiation,
    electric shock, etc.)
  • Functional Safety means protection from hazards
    due to incorrect functioning.

11
IEC-61508 Will Affect
  • Process Engineers
  • Instrument/Electrical Designers
  • Mechanical Engineering
  • Commissioning- Extra Effort
  • Documentation - Extra Effort

12
IEC-61508 is legally vague
  • Not legislation
  • Meets the "reasonably practicable" duty
  • Health, Safety and Welfare at Work Act, 1989
  • Have to put in place a compliance program.

13
Figure 65-1: Risk (deaths/year). Intolerable region above 1 x 10^-4; ALARP region between 1 x 10^-4 and 1 x 10^-6; negligible risk below 1 x 10^-6.
14
RISK Reduction - ALARP
  • As low as reasonably practicable.
  • IEC 61508 is based on the ALARP concept.
  • ALARP concerns a region of risk.
  • Risk is an emotive and irrational thing.
  • Commonly accepted values are: upper limit
    1 x 10^-4 deaths per year, lower limit
    1 x 10^-6 deaths per year.

15
Safety life cycle - milestone approach
  • ISA S84 life cycle depicted in Fig 65-3.
  • ISA S84 focuses on Box 9 of IEC 61508.

16
Figure 64-1: Layers of protection - passive systems layer, active systems layer, control systems layer. Elements shown: fail-safe design, one way valves, ESD, duality, alarm handling, intrinsic safety, back-up, F&G, diagnostics, bursting discs, alarms/trips/interlocks, pressure relief valves.
17
Figure 65-3: ISA S84 safety life cycle (milestone approach)
Start
1 Conceptual process design
2 Perform process HAZAN and risk assessment
3 Apply Category 0 protection systems to prevent hazards and reduce risk
4 Are any Category 1 protection systems required? (No / yes)
5 Define target safety integrity levels (SIL)
6 Develop safety requirements specification (SRS)
7 Conceptual design of active protection systems; verify against SRS
8 Detailed design of protection system
9 and 10 Installation, commissioning and pre-start-up acceptance testing
11 Establish operating and maintenance procedures
12 Pre-start-up safety review
13 Protection system start-up, maintenance and periodic testing
14 Modify protection system? (yes / no)
15 Decommission system
End
18
Process Engineering
  • First Stage of realisation of high-integrity
    safety instrumented systems
  • Modified PHA
  • Feeds into SRS
  • Based on good process data and good process
    judgement.

19
Process Chemistry
  • Carius Tube test for decomposition
  • Pressure Dewar Calorimetry
  • Understanding of Exotherms
  • Knowledge of onset temperatures
  • Chilworth

20
Process Engineering
  • Good process judgement.
  • Hazop
  • Margins of safety

21
Hazard identification, Interlock Identification
  • Reactant being transferred in from Reactor 1
    without agitation could accumulate and react in a
    sudden, violent manner.
  • Reactor 2 Inlet valve 205 should OPEN only if
    agitator ON

22
Hazard identification, Interlock Identification
  • Simplified Technique.
  • MIL Std 882

23
Consequences
  • Consequence of this is overpressure, loss of
    batch, over-temperature, possible destruction of
    vessel.
  • 1 week downtime to recover.
  • Fatality or serious injury unlikely.
  • Critical (C2)

24
Occupancy factor
  • Building is continually occupied (F2)

25
Manual Avoidance factor
  • There is quite a good chance of an operator
    observing that something is going wrong and
    intervening successfully.
  • (P1)

26
Unmitigated demand rate.
  • Likely to occur once every 5 years.
  • Occasional
  • The process is DCS automated.
  • DCS is not a SIS; no SIL rating.
  • DCS control reduces the frequency of unmitigated
    demand.
  • (W2)

27
Figure: Risk graph, EN 954 approach. Inputs: consequence C1 to C4, occupancy F1/F2, manual avoidance P1/P2, unmitigated demand rate W1 to W3; the output (required SIL, 1 to 4) runs from least risk to most risk.
29
Roche Consequences
30
Roche unmitigated demand rate.
31
Instrument / Electrical Design
  • Second Stage of realisation of high-integrity
    safety instrumented systems
  • Modified Instrument design
  • Modified Instrument Commissioning
  • Feeds into SRS

32
Table 65-1: Safety integrity levels

SIL  Hazard reduction   Demand mode       Availability A     Continuous mode failure
     factor (HRF)       PFD (fractional)  (fractional)       rate λ (failures per hr)
1    >10^1              10^-1 to 10^-2    0.9 to 0.99        10^-5 to 10^-6
2    >10^2              10^-2 to 10^-3    0.99 to 0.999      10^-6 to 10^-7
3    >10^3              10^-3 to 10^-4    0.999 to 0.9999    10^-7 to 10^-8
4    >10^4              10^-4 to 10^-5    0.9999 to 0.99999  10^-8 to 10^-9
33
Equipment implications
  • SIL value is measure of quality of protection
    system, end to end.
  • System has to be designed, specified, built and
    maintained to that standard.
  • Proof testing at regular intervals
  • Conformance assessment for safety systems

34
PFD Calculation
  • Simplified equation
  • ISA-TR84.00.02-2002 Part 2
  • Equation B.34, rare event approximation
  • Adequate for SIL 1 or 2, where the plant is
    well controlled, well maintained, the process
    is understood, and engineering is conservative
    with good mechanical integrity

35
PFD Calc. Motion Sensor
  • MTBF = Mean (average) time between failures
  • Information provided by vendor.
  • MTBF = 86 years

36
PFD Calc. Motion Sensor
  • Failures can be:
    fail to danger (falsely shows agitator moving) or
    fail to safe (falsely shows agitator stopped)
  • Aim of good design is to maximise fail to safe,
    minimise fail to danger. The failure mode split
    is the percentage in the fail to danger category.
  • Failure mode split = .1 (SA estimate)

37
PFD Calc. Motion Sensor
  • Proof test interval = 1 year (8760 hours)
  • Time between re-tests of the interlock.
  • Need to be genuine tests

38
PFD Calc. Motion Sensor
  • 86 years × 8760 hours/year = 753,000 (MTBF in
    hours)
  • λ = 1/MTBF = 1.30 E-6 failures per hour
  • FMS = .1
  • Proof test = 1 year (8760 hours)
  • PFD(SS) = 1.30 E-6 × .1 × 1 × (8760/2)
  • PFD(SS) = .0006

39
PFD Calc. Barrier 6
  • MTBF = 4 years
  • Failure mode split = .4
  • Proof test interval = 1 year (8760 hours)
  • λ = 1/MTBF = 2.87 E-5 failures per hour
  • PFD(B6) = 2.87 E-5 × .4 × 1 × (8760/2)
  • PFD(B6) = .0500

40
PFD Calc. Relay 5
  • MTBF = 100 years
  • Failure mode split = .01
  • Proof test interval = 1 year (8760 hours)
  • λ = 1/MTBF = 1.14 E-6 failures per hour
  • PFD(R5) = 1.14 E-6 × .01 × 1 × (8760/2)
  • PFD(R5) = .00005

41
PFD Calc. Main Barrier
  • MTBF = 10 years
  • Failure mode split = .9
  • Proof test interval = 1 day (24 hours)
  • λ = 1/MTBF = 1.14 E-5 failures per hour
  • PFD(MB) = 1.14 E-5 × .9 × 1 × (24/2)
  • PFD(MB) = .001242

42
PFD Calc. Solenoid
  • MTBF = 10 years
  • Failure mode split = .4
  • Proof test interval = 1 day (24 hours)
  • λ = 1/MTBF = 1.14 E-5 failures per hour
  • PFD(SOL) = 1.14 E-5 × .4 × 1 × (24/2)
  • PFD(SOL) = .00006

43
PFD Calc. Valve Actuator
  • MTBF = 10 years
  • Failure mode split = .2
  • Proof test interval = 1 day (24 hours)
  • λ = 1/MTBF = 1.14 E-5 failures per hour
  • PFD(VA) = 1.14 E-5 × .2 × 1 × (24/2)
  • PFD(VA) = .00003

44
PFD Calc. Overall
  • PFD(VA) = .00003
  • PFD(SOL) = .00006
  • PFD(MB) = .00124
  • PFD(R5) = .00005
  • PFD(B6) = .0500
  • PFD(SS) = .0006
  • PFD = .052 => SIL 1

45
PFD Mapping
Figure: PFD mapping. Loop elements (instrument, barrier, relay logic, barrier, valve) and the overall value plotted against the Σ PFD line for the SIL 1 limit and the Σ PFD line for the SIL 2 limit.
46
PFD Calc. Issues
  • Elements in series: U_SYS = Σ U_i (62-16)
  • Elements in parallel: U_SYS = Π U_i (62-17)
  • Common cause failure: λ_SYS = λ_IND + β·λ_MAX (62-18)
  • Voting systems: U_KooN ≈ … n·U^k (62-19)
  • For more complex systems, Fault Tree Analysis
    using ISA-TR84.00.02-2002 Part 3.
  • Probabilistic Risk Assessment, Henley, E J
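Worked example, added here and not part of the original slides: the rare-event PFD arithmetic of slides 38 to 44 carried through for the whole loop, plus the series and parallel combination rules of slide 46 and the SIL mapping from Table 65-1. The MTBF, failure mode split and proof test interval per element are the slide values; the element names and function names are my own labels.

```python
"""Rare-event PFD estimate for a demand-mode SIS loop: PFD = lambda_DU * TI / 2."""
from math import prod

HOURS_PER_YEAR = 8760

# Loop elements from the slides: (MTBF in years, failure mode split, proof test interval in hours)
ELEMENTS = {
    "SS motion sensor":  (86, 0.1, 8760),
    "B6 barrier":        (4, 0.4, 8760),
    "R5 relay":          (100, 0.01, 8760),
    "MB main barrier":   (10, 0.9, 24),
    "SOL solenoid":      (10, 0.4, 24),
    "VA valve actuator": (10, 0.2, 24),
}

def failure_rate(mtbf_years):
    """lambda = 1 / MTBF, expressed in failures per hour."""
    return 1.0 / (mtbf_years * HOURS_PER_YEAR)

def pfd_element(mtbf_years, failure_mode_split, proof_test_hours):
    """Average PFD of one element: only the fail-to-danger share counts, and an
    unrevealed failure sits undetected for half the proof test interval on average."""
    lam_du = failure_rate(mtbf_years) * failure_mode_split
    return lam_du * proof_test_hours / 2

def pfd_series(pfds):
    """Elements in series (any one failing defeats the function): U_sys = sum of U_i."""
    return sum(pfds)

def pfd_parallel(pfds):
    """Independent redundant elements (all must fail): U_sys = product of U_i (no common cause)."""
    return prod(pfds)

def sil_for_pfd(pfd):
    """Map a demand-mode PFD to its SIL band from Table 65-1; 0 means worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** -sil:
            return sil
    return 0

def loop_pfd(elements=ELEMENTS):
    """Per-element PFDs and the overall (series) PFD of the loop."""
    per_element = {name: pfd_element(*spec) for name, spec in elements.items()}
    return per_element, pfd_series(per_element.values())

if __name__ == "__main__":
    per_element, total = loop_pfd()
    for name, value in per_element.items():
        print(f"{name:18s} PFD = {value:.5f}")
    print(f"overall PFD = {total:.4f} -> SIL {sil_for_pfd(total)}")
```

The barrier B6 contributes almost all of the loop's PFD, so re-running loop_pfd with a shorter proof test interval for that one element is the quickest way to see where the design effort should go.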

47
Design issues
  • Roche have decided that the valve actuator may be
    shared for SIL 1 only.
  • SIS and BPCS share barrier, solenoid, actuator
    and valve. This is not recommended.
  • Solenoid has local SMO, which might be OK for
    normal operation, but not for SIS.

48
Design issues
49
Design issues
  • - type barrier not recommended (TTL
    Logic switching independent energy source)
  • No clear indication on loop sheet or in field of
    safety critical nature of instruments

50
Design issues
  • Design of the periodic re-test method is the
    instrument designer's responsibility.
  • This would help facilitate periodic testing
  • Loop sheet to indicate safety critical nature of
    instruments

51
Improvement suggestions
  • SIS to actuate solenoid in panel, which controls
    air supply to Shutoff Valve and Control Valve
  • High energy panel mount solenoid, not IS pilot
    operated solenoid => more suitable for SIS
  • Control Valve should have positioner suitable for
    SIS

52
Loop sheet modifications
53
Commissioning Aspects
  • IQ / OQ Proof testing of the safety function
  • Validation of the retest method
  • Loop sheet to indicate safety critical nature of
    instruments
  • Field marking

54
Machine / Package Design
  • Supplier might have correctly designed safety
    engineering.
  • That does not mean it reaches the standard.
  • Modified Instrument/Electrical design
  • Modified Instrument/Electrical Commissioning
  • Feeds into SRS

55
Machine / Package Design
  • E Ex d motor: surface temperature limits
  • Variable Speed Drive.
  • Never below 10 Hz
  • Always with Thermistor Protection

56
Machine / Package Design
57
Machine / Package Design
Thermistor Relay
58
Maintenance
  • Vital part of ensuring safety function remains
    intact.
  • Will have to retest interlocks on a periodic
    basis.
  • Will need to follow methods set out during
    Instrument/Electrical design stage.
  • Care required in effecting changes to the loop
    when in use.

59
Safety Requirements Spec
  • Document which brings together the design thread.
  • Started by the Process Engineering group
  • Continued by the Instrument / Electrical
    engineering group
  • Reviewed by Safety Engineering group.
  • Live document until pre-start safety review.

60
New skills
  • Different way of thinking
  • Defence in Depth
  • Layers of Protection
  • Risk Analysis
  • Basic Statistics
  • Fault Tree Analysis

61
6 June 1967