IEC-61508 Implementing a Compliance Program - PowerPoint PPT Presentation

About This Presentation

Title:

IEC-61508 Implementing a Compliance Program

Description:

IEC-61508 Implementing a Compliance Program Motivation Education Implementation Overview Overview Overview Motivation Do you or your company believe in the ... – PowerPoint PPT presentation

Number of Views:252

Avg rating:3.0/5.0

Slides: 65

Provided by: SeanAt

Category:

more less

Transcript and Presenter's Notes

Title: IEC-61508 Implementing a Compliance Program

1
IEC-61508 Implementing a Compliance Program

Motivation
Education
Implementation

2
Overview
3
Overview
4
Overview
5
Motivation

Do you or your company believe in the
infallibility of Engineered systems?

6
Motivation

Roche Ireland does not have this delusion
25 years operational experience
Including some close calls
Reality has motivated out safety culture.

7
Education

Much of the rest of this presentation has been
generated from training presentations given in
Roche Ireland to
Management
Process Engineering
Instrument / Electrical Engineering

8
Education

Need to educate yourself
Guidelines for Safe Automation of Chemical
Processes CCPS/AIChE
ISA S84
Functional Safety, Smith Simpson
IBC conferences
Various WWW resources (exida/ sis-tech etc)

9
IEC-61508, SOP 973

Functional safety of electrical / electronic
programmable electronic safety-related systems.
Critical Protective equipment - Safety
Instrumented Systems

10
IEC-61508, SOP 973

Safety requires protection from hazards of
different causes (movement, heat, radiation, el.
shock, etc.)
Functional Safety means protection from hazards
due to incorrect functioning.

11
IEC-61508 Will Effect

Process Engineers
Instrument/Electrical Designers
Mechanical Engineering
Commissioning- Extra Effort
Documentation - Extra Effort

12
IEC-61508 is legally vague

Not legislation
Meets Reasonably practicable duty
Health, safety welfare at Work act, 1989
Have to put in place a compliance program.

13
Risk (deaths/year)
Intolerable region
1 x 10-4
ALARP
1 x 10-6
Negligible risk
Figure 65-1
14
RISK Reduction - ALARP

As low as reasonably practicable.
IEC 61508 based on ALARP concept.
ALARP concerns region of risk.
Risk is an emotive and irrational thing.
Commonly accepted values areupper limit 1 x
10-4 deaths per yearlower limit 1 x 10-6 deaths
per year

15
Safety life cycle - milestone approach

ISA S84 life cycle depicted in Fig 65-3.
ISA S84 focuses on Box 9 of IEC 61508.

16
Passive systems layer
Active systems layer
Fail-safe design
One way valves
Controlsystems layer
ESD
Duality
Alarm handling
Intrinsic safety
Back-up
FG
Diagnostics
Bursting discs
Alarms, trips interlocks
Pressure relief valves
Figure 64-1
17
Start
Figure 65-3
1 Conceptual process design
2 Perform process HAZAN risk assessment
3 Apply Category 0 protection systems to prevent
hazards reduce risk
No
4 Are any Category 1 protection systems required?
5 Define target safety integrity levels (SIL)
6 Develop safety requirements specification (SRS)
7 Conceptual design of active protection systems
verify against SRS
8 Detailed design of protection system
11 Establish operating
9 10 Installation, commissioning
maintenance procedures
and pre-start-up acceptance testing
12 Pre-start-up safety review
13 Protection system start-up, maintenance
periodic testing
yes
14 Modify protection system?
End
15 Decommission system
18
Process Engineering

First Stage of realisation of high-integrity
safety instrumented systems
Modified PHA
Feeds into SRS
Based on good process data good process
judgement.

19
Process Chemistry

Carius Tube test for decomposition
Pressure Dewar Calorimetry
Understanding of Exotherms
Knowledge of onset temperatures
Chilworth

20
Process Engineering

Good process judgement.
Hazop
Margins of safety

21
Hazard identification, Interlock Identification

Reactant being transferred in from Reactor 1
without agitation could accumulate react in a
sudden, violent manner.
Reactor 2 Inlet valve 205 should OPEN only if
agitator ON

22
Hazard identification, Interlock Identification

Simplified Technique.
MIL Std 882

23
Consequences

Consequence of this is overpressure, loss of
batch, over-temperature, possible destruction of
vessel.
1 week downtime to recover.
Fatality or Serious injury unlikely.
Critical
(C2)

24
Occupancy factor

Building is continually occupied
(F2)

25
Manual Avoidance factor

There is quite a good chance of an operator
observing that something is going wrong
intervening successfully.
(P1)

26
Unmitigated demand rate.

Likely to occur once every 5 years.
Occasional
The process is DCS automated.
DCS is not a SIS no SIL rating.
DCS control reduces frequency of Unmitigated
Demand.
(W2)

27
W3
W2
W1
Least risk
C1
x0?
P1
1
F1
x0?
P2
1
1
C2
x0?
P1
2
1
1
F2
P2
Start
2
3
1
F1
2
3
3
C3
F2
3
3
4
C4
4
3
x2?
Most risk
EN 954 Approach
28
(No Transcript)
29
Roche Consequences
30
Roche unmitigated demand rate.
31
Instrument / Electrical Design

Second Stage of realisation of high-integrity
safety instrumented systems
Modified Instrument design
Modified Instrument Commissioning
Feeds into SRS

32
Hazardreductionfactor HRF
Safety integrity level SIL
Demand mode of operation
Continuous mode
PFD (fractional)
Availability A (fractional)
Failure rate ? (failures per hr)
1
10-1 to 10-2
0.9 to 0.99
10-5 to 10-6
gt101
2
gt102
10-2 to 10-3
0.99 to 0.999
10-6 to 10-7
3
gt103
10-3 to 10-4
10-7 to 10-8
0.999 to 0.9999
4
gt104
10-4 to 10-5
10-8 to 10-9
0.9999 to 0.99999
Table 65-1
33
Equipment implications

SIL value is measure of quality of protection
system, end to end.
System has to be designed, specified, built and
maintained to that standard.
Proof testing at regular intervals
Conformance assessment for safety systems

34
PFD Calculation

Simplified Equation
ISA-TR84.00.02-2002 Part 2
Equation B.34 Rare event approximation
Adequate for SIL 1 or 2, where the plant is
well controlled, well maintained, understood
process, conservative engineering with good
mechanical integrity

35
PFD Calc. Motion Sensor

MTBF Mean (Average) time between failures
Information provided by vendor.
MTBF 86 Years

36
PFD Calc. Motion Sensor

Failures can be
fail to danger (Falsely shows agitator moving)or
fail to safe (Falsely shows agitator stopped)
Aim of good design is to maximise fail to safe,
minimise fail to danger. The failure mode split
is the percentage in the fail to danger category.
Failure mode split .1 (SA estimate)

37
PFD Calc. Motion Sensor

Proof test interval 1 year (8760 hours)
Time between re-tests of the interlock.
Need to be genuine tests

38
PFD Calc. Motion Sensor

86 years 8760 hours/year 753,000 (MTBF in
hours)
? 1/ MTBF 1.30 E-6 failures per hour
FMS .1
Proof test 1 year (8760 hours)
PFD(SS) 1.30 E-6 .1 1 (8760/2)
PFD(SS).0006

39
PFD Calc. Barrier 6

MTBF 4 Years
Failure mode split .4
Proof test interval 1 year (8760 hours) ?
1/ MTBF 2.87 E-5 failures per hourPFD(B6)
2.87 E-5 .4 1 (8760/2)
PFD(B6).0500

40
PFD Calc. Relay 5

MTBF 100 Years
Failure mode split .01
Proof test interval 1 year (8760 hours) ?
1/ MTBF 1.14 E-6 failures per hourPFD(R5)
1.14 E-6 .01 1 (8760/2)
PFD(R5).00005

41
PFD Calc. Main Barrier

MTBF 10 Years
Failure mode split .9
Proof test interval 1 day (24 hours) ? 1/
MTBF 1.14 E-5 failures per hourPFD(MB) 1.14
E-5 .9 1 (24/2)
PFD(MB).001242

42
PFD Calc. Solenoid

MTBF 10 Years
Failure mode split .4
Proof test interval 1 day (24 hours) ? 1/
MTBF 1.14 E-5 failures per hourPFD(SOL) 1.14
E-5 .4 1 (24/2)
PFD(SOL).00006

43
PFD Calc. Valve Actuator

MTBF 10 Years
Failure mode split .2
Proof test interval 1 day (24 hours) ? 1/
MTBF 1.14 E-5 failures per hourPFD(VA) 1.14
E-5 .2 1 (24/2)
PFD(VA).00003

44
PFD Calc. Overall

PFD(VA).00003
PFD(SOL).00006
PFD(MB).00124
PFD(R5).00005
PFD(B6).0500
PFD(SS).0006
PFD .052 gt SIL 1

45
PFD Mapping
? PFD 10 SIL 1 Limit
Overall
Valve
Barrier
? PFD 1 SIL 2 Limit
Relay Logic
Barrier
Instrument
46
PFD Calc. Issues

Elements in series USYS ??? Ui
62-16Elements in parallel USYS ??? Ui
-17
Common cause failure ?SYS ?IND ?. ?MAX
-18
Voting systems UKOON ??n.Uk
-19
For more complex systems Fault Tree Analysis
using ISA-TR84.00.02-2002 Part 3.
Probabilistic Risk Assesment Henley, E J

47
Design issues

Roche have decided that valve actuator may be
shared for SIL 1 only.
SIS BPCS share barrier, solenoid, actuator
Valve. This is not recommended
Solenoid has local SMO, which might be OK for
normal operation, but not for SIS.

48
Design issues
49
Design issues

- type barrier not recommended (TTL
Logic switching independent energy source)
No clear indication on loop sheet or in field of
safety critical nature of instruments

50
Design issues

Design of periodic re-test method is the
instrument designers responsibility.
This would help facilitate periodic testing
Loop sheet to indicate safety critical nature of
instruments

51
Improvement suggestions

SIS to actuate solenoid in panel, which controls
air supply to Shutoff Valve Control Valve
High energy panel mount solenoid, not IS pilot
operated solenoid gt more suitable for SIS
Control Valve should have positioner suitable for
SIS

52
Loop sheet modifications
53
Commissioning Aspects