Applying the Process Safety Standards

Steve Burke, CFSE
The Representative Office of exida Asia Pacific Pte. Ltd. in Ho Chi Minh City

Uploaded by dangvh78, posted 07-Dec-2015. Category: Documents.

DESCRIPTION

Safety standard

TRANSCRIPT

Copyright exida Asia Pacific © 2014

exida contacts: Singapore +65 6222 5160; Vietnam +84 854 042 580; Hong Kong +852 2633 7727; Australia / NZL +64 3 472 7707; Germany +49 89 4900 0547; USA +1 215 453 1720; Canada +1 403 475 1943; United Kingdom +44 2476 456 195; Netherlands +31 318 414 505; Switzerland +41 22 364 14 34; Mexico +52 55 5611 9858; South Africa +27 31 267 1564

Applying the Process Safety Standards
Steve Burke, CFSE
The Representative Office of exida Asia Pacific Pte. Ltd. in Ho Chi Minh City

What is…?

Today's objective: introduce process safety concepts and essential principles

– Standards that help with the design of a Safety Instrumented System (SIS)
– Determining the level of safety performance: Safety Integrity Level (SIL)
– Safety Requirement Specification (SRS)
– Safety Instrumented Function (SIF) design and equipment selection
– Verification and validation of your SIF design
– Overview of cybersecurity
– Overview of alarm management
– Who are exida and what do we do…

Why do we need a Process Safety Standard?

Because bad things do happen…

– Bhopal 1984: 2,500 dead, >100,000 injured
– Flixborough 1974: 28 dead, 36 injured
– Seveso 1976: dioxin cloud over the local town
– Piper Alpha 1988: 165 dead, 61 injured

Still happening…

Firefighters fight flames at the BP refinery in Texas City after the July 28, 2005 fire; the explosion at the same refinery on March 23, 2005 killed 15 and injured about 170.

Primary Cause of Failures?

Pie chart of control-system failures by the lifecycle phase in which the root cause was introduced:
– Specification
– Changes after commissioning
– Operation and maintenance
– Design and implementation
– Installation and commissioning

Source: UK Health and Safety Executive (HSE)

The majority of accidents are preventable if a systematic risk-based approach is adopted.

Findings of the Lord Cullen Report

"The operator should be required ... submit a Safety Case … of each installation."

"Regulations should be performance oriented (set goals), rather than prescriptive."

Note: the Lord Cullen report was the public inquiry into the Piper Alpha disaster, commissioned by the UK Government.

Which Standard?

Earlier national and industry standards and guidance for safety-related control systems:
– DIN VDE 0801
– DIN V 19250
– NAMUR
– ISA S84.01
– HSE PES
– EWICS

These converged into IEC 61508, Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems.

IEC 61508 is the umbrella standard. It is used by device manufacturers, and by anyone for whom a sector-specific standard is not available. The sector-specific standards derived from it, used by end users and system integrators:
– IEC 61513: nuclear
– IEC 61511: process industry
– ISO 26262: road vehicles
– IEC 62061: machinery

Relationship IEC 61508 – IEC 61511

Process sector Safety Instrumented System standards:
– IEC 61508: manufacturers and suppliers of devices
– IEC 61511: Safety Instrumented System designers, integrators and users

Prescriptive/Functional Standards

Prescriptive Standard – tells you what to do. Example (extract):

MINERALS MANAGEMENT SERVICE, GULF OF MEXICO OCS REGION
NTL No. 2000-G13, Effective Date: May 25, 2000
NOTICE TO LESSEES AND OPERATORS OF FEDERAL OIL, GAS, AND SULPHUR LEASES IN THE OUTER CONTINENTAL SHELF, GULF OF MEXICO OCS REGION
Production Safety Systems Requirements

This Notice to Lessees and Operators (NTL) supersedes NTL No. 2000-G09, dated March 29, 2000, on this subject. It makes minor technical amendments and corrects some cited authorities.

1. 30 CFR 250.802(b). Exclusion of pressure safety high (PSH) and pressure safety low (PSL) sensors on downstream vessels in a production train

As specified in American Petroleum Institute (API) Recommended Practice (RP) 14C, Section A.4, you must install a PSH sensor to provide over-pressure protection for a vessel. If an entire production train operates in the same pressure range, the PSH sensor protecting the initial vessel will detect the highest pressure in the production train, thereby providing primary over-pressure protection to each subsequent vessel in the production train. The intent of API RP 14C is not compromised under this scenario. Therefore, you may use API RP 14C Safety Analysis Checklist (SAC) reference A.4.a.3 to exclude all subsequent PSH sensors other than the PSH sensor protecting the initial vessel in a production train.

Note the prescriptive wording: "you must install a PSH sensor to provide over-pressure protection for a vessel", naming the specific practice (API RP 14C, Section A.4) and checklist (API RP 14C SAC) to follow.

Functional or Performance Standard – tells you what performance level you need to meet.

Prescriptive/Functional Standards

Functional or Performance Standard – tells you what performance level you need to meet. Example, from IEC 61511 (Functional Safety – Safety Instrumented Systems for the Process Industry Sector), Part 2 guidance to Part 1:

7.1.1 Requirements (guidance to IEC 61511-1 only)

7.1.1.1 IEC 61511-1 recognizes that organizations will have their own procedures for verification and does not require it always to be carried out in the same way. Instead, the intent of this clause is that all verification activities are planned in advance, along with any procedures, measures and techniques that are to be used.

7.1.1.2 No further guidance provided.

7.1.1.3 It is important that the results of verification are available so that it can be demonstrated that effective verification has taken place at all phases of the safety lifecycle.

8 Process Hazard and Risk Analysis

8.1 Objectives. The overall objective here is to establish the need for safety functions (e.g., protection layers) together with associated levels of performance (risk reduction) that are needed to ensure a safe process. It is normal in the process sector to have multiple safety layers so that failure of a single layer will not lead to or allow a harmful consequence. Typical safety layers are represented in Figure 9 of IEC 61511-1.

8.2 Requirements (guidance to IEC 61511-1 only)

8.2.1 The requirements for hazard and risk analysis are specified only in terms of the results of the task. This means that an organization may use any technique that it considers to be effective, provided it results in a clear description of safety functions and associated levels of performance.

Note the performance wording: the standard states what must result ("specified only in terms of the results of the task") and leaves the method to the organization.

Performance Targets

Safety Integrity Level | Average probability of failure on demand, PFDavg (demand mode of operation) | Risk Reduction Factor (RRF = 1 / PFDavg)
SIL 4 | >= 10^-5 to < 10^-4 | 100,000 to 10,000
SIL 3 | >= 10^-4 to < 10^-3 | 10,000 to 1,000
SIL 2 | >= 10^-3 to < 10^-2 | 1,000 to 100
SIL 1 | >= 10^-2 to < 10^-1 | 100 to 10

PFDavg is a dimensionless probability, not a per-year rate; the per-hour measure (PFH) applies to continuous mode of operation.

The IEC 61511 Safety Lifecycle

Diagram: the lifecycle phases, with Management and Planning spanning all of them:
– Analysis Phase
– Realization Phase
– Operate and Maintain

First: Management and Planning.

FSM Key Issues

Functional Safety Management
– Safety planning: create a FSM plan
  – Specify management and technical activities during the safety lifecycle to achieve and maintain functional safety
  – Design guidelines
– Roles and responsibilities
  – Must be clearly delineated and communicated
  – Each phase of the SLC and its associated activities
– Interface management
  – Critical in large projects / disjointed supply chains
  – Defined in roles and responsibilities
– Documented processes, documentation control, documentation
– Functional safety verification and assessment
– Personnel competency
– Operations and maintenance
– Management of change

The organizational complexity of upstream operations puts added priority on defined roles and responsibilities and on accountability.

Minimum independence for functional safety assessment

Minimum level of independence | SIL 1 | SIL 2 | SIL 3 | SIL 4
Independent person | HR | HR1 | NR | NR
Independent department | -- | -- | HR1 | NR
Independent organization | -- | -- | HR2 | HR

(HR = highly recommended; NR = not recommended; the numerals refer to notes in the standard.)

NOTE Depending upon the company organization and expertise within the company, the requirement for independent persons and departments may have to be met by using an external organization. Conversely, companies that have internal organizations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (by ways of management and other resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organization.

Safety assessment, verification and validation

– Verification: the activity of demonstrating for each phase of the safety lifecycle, by analysis and/or tests, that for the specific inputs the deliverables meet the objectives and requirements set for the specific phase.
– Validation: the activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration, after installation, meet in all respects the safety requirements specification.

Diagram: each task's deliverables are verified against that task's objectives; the installed safety system is validated against the safety requirements.

Personnel Competency

Training, experience, and qualifications should all be addressed and documented:
– System engineering knowledge
– Safety engineering knowledge
– Legal and regulatory requirements knowledge
– More critical for novel systems or high SIL requirements

"Persons, departments, or organizations involved in safety lifecycle activities shall be competent to carry out the activities for which they are accountable."
– IEC 61511, Part 1, Paragraph 5.2.2.2

The IEC 61511 Safety Lifecycle – Analysis Phase

What is Risk?

Risk is a measure of the likelihood and consequence of an adverse effect.
1. How often can it happen?
2. What will be the effects if it does?

Risk receptors: personnel, environment, financial.

Financial risk covers equipment/property damage, business interruption, business liability, company image and lost market share. Financial risk may overwhelm the other receptors, diluting focus on personnel and environmental risk.

Individual Risk and ALARP

Individual risk: the frequency with which an individual may receive a given level of harm (usually death) from the outcome of specified hazards.

UK HSE Tolerability of Risk framework (diagram, high risk at the top, negligible risk at the bottom):
– Intolerable region, above 10^-3/yr (workers) or 10^-4/yr (public): "No way"
– ALARP or tolerable region, between those limits and 10^-6/yr: "If it's worth it" (risk reduced as low as reasonably practicable)
– Broadly acceptable region, below 10^-6/yr: "We accept it"

Tolerable Risk Level

Matrix form with guiding statement: all extreme risks will be reduced and all moderate risks will be reduced where practical.

Frequency | Recordable Injury | Lost Time Injury | Permanent Injury/Death | Many Deaths
1 per 100 years | Acceptable | Moderate | Extreme | Extreme
1 per 1,000 years | Acceptable | Moderate | Moderate | Extreme
1 per 10,000 years | Acceptable | Acceptable | Moderate | Moderate
1 per 100,000 years | Acceptable | Acceptable | Acceptable | Acceptable

Example only; the cell placement is reconstructed from the slide's flattened matrix.

Process Hazard Analysis (PHA)

Identifying hazards:
– HAZOP (Hazards and Operability Study)
– Checklist / What-If Analysis
– FMEA (Failure Modes and Effects Analysis)
– Fault Tree Analysis
– Etc.

Example worksheet:

Causes | Consequences | Safeguards | Recommendations
Column steam reboiler pressure control fails, causing excessive heat input | Column overpressure and potential mechanical failure of the vessel and release of its contents | 1) Pressure relief valve; 2) Operator intervention on high pressure alarm; 3) Mechanical design | Install SIS to stop reboiler steam flow upon high column pressure
Low flow through pump causes pump failure and subsequent seal failure | Pump seal fails and releases flammable materials | 1) Low output flow pump; 2) Shutdown SIS | Existing safeguards are adequate

Reviewing The Process

HAZOP analysis worksheet:

GW | Deviation | Causes | Consequences | Safeguards | Recommendations
No | No agitation | Agitator motor drive fails | Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure. | High temperature and high pressure alarm in DCS. Shortstop system. | Add SIF to chemically control runaway reaction. Add a pressure safety relief valve. If necessary, add a de-pressurization SIF. Use LOPA to determine required SIL.
More | Higher temperature | Temperature control failure causes overheating during steam heating | High temperature could damage reactor seals causing leak. Indicated by high temperature. | High temperature alarm in DCS. | Add high-temperature SIF. Use LOPA to determine required SIL.
More | Higher level | Flow control failure allows the reactor to overfill | Reactor becomes full, possible reactor damage and release. Indicated by high level or high pressure. | High level alarm in DCS. | Add high-level SIF. Use LOPA to determine required SIL.

HAZOP analysis 1 (pressure)

Guide word: No
Deviation: No agitation
Causes: Agitator motor drive fails
Consequences: Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure.
Safeguards: High temperature and high pressure alarm in DCS. Shortstop system.
Ref #: P&ID #'s
Recommended actions: Add a pressure safety relief valve. If necessary, add a de-pressurization SIF. Use LOPA to determine required SIL.
By: CMF

Pressure SIF

(P&ID of the reactor pressure SIF.)

Safety Lifecycle – SIL Selection

(Road-sign graphic: a detour from the safety standards for the process industry into SIL selection, SIL 1 / SIL 2 / SIL 3.)

Safety Integrity Level

SIL 4, SIL 3, SIL 2, SIL 1: used THREE ways:
1. To establish risk reduction requirements
2. To set probabilistic limits for hardware random failure
3. To establish engineering procedures to prevent systematic design errors

Safety Integrity Level – 1st Usage

SIL | Risk Reduction Factor
SIL 4 | 100,000 to 10,000
SIL 3 | 10,000 to 1,000
SIL 2 | 1,000 to 100
SIL 1 | 100 to 10

1. Each safety instrumented function has a requirement to reduce risk. The order of magnitude of risk reduction required is called its SIL.

Safety Integrity Level – 2nd Usage

SIL | Probability of failure on demand (demand mode of operation)
SIL 4 | >= 10^-5 to < 10^-4
SIL 3 | >= 10^-4 to < 10^-3
SIL 2 | >= 10^-3 to < 10^-2
SIL 1 | >= 10^-2 to < 10^-1

2. Random failure probability. A safety function meets a SIL if its calculated probability falls within the associated band on one of two charts: PFDavg for demand mode, or PFH for continuous mode. This view looks at RANDOM FAILURES.

Safety Integrity Level – 3rd Usage

3. To establish engineering procedures to prevent systematic design errors.

The equipment used to implement any safety instrumented function must be designed using procedures intended to prevent systematic design errors. The rigor of the required procedure is a function of the SIL (SIL 1 to SIL 4).

Multiple layers of protection

Diagram, innermost to outermost:
1. Process
2. Basic Process Control
3. Alarms, operator intervention
4. Safety Instrumented System
5. Physical protection (relief devices)
6. Physical protection (dikes)
7. Plant emergency response
8. Community emergency response

Outcome considerations

1. The only outcome of interest is "accident occurs".
2. All branches where protection layers are successful end in termination of the analysis.

Diagram: the risk inherent in the process is reduced through successive layers (BPCS, alarms, SIS, other mechanical protection) down to the tolerable risk level.

LOPA – event tree modified for layer of protection analysis

Initiating event → Protection layer 1 → Protection layer 2 → Protection layer 3 → Final outcome
– PL1 success: no impact, stop
– PL1 fails, PL2 success: no impact, stop
– PL1 fails, PL2 fails, PL3 success: no impact, stop
– PL1 fails, PL2 fails, PL3 fails: accident occurs

1. Proceed with the event tree, but only calculate the probability of the accident.
2. The accident frequency is the initiating event frequency multiplied by the PFD of all protection layers.

Example 1 – Reactor Explosion LOPA

Draw the Layer of Protection Analysis diagram for the following situation:
– An accident whose consequence is an explosion due to a runaway reaction caused by agitator motor failure.
– The following layers of protection exist:
  – The batch process only runs 5 times per year
  – The operator responds to alarms and stops the process
  – The runaway reaction is cancelled by addition of Shortstop
  – The reactor has a pressure relief valve

Example 1 – Reactor Explosion LOPA

Diagram: Initiating event (agitator motor fails) → PL #1 (batch not running) → PL #2 (operator response) → PL #3 (adding Shortstop) → PL #4 (pressure relief valve) → Outcome: explosion if every layer fails, otherwise no event.

Example 1 – Reactor Explosion LOPA (quantified)

Quantify the accident frequency of the prior example:
– Agitator motor fails once every 2 years: initiating event frequency is 0.5/yr
– Protection layer PFDs:
  – Batch process not running, PFD = 0.29 (the fraction of the year the batch is running: 5 batches/yr × 3 weeks/batch × 7 days/week × 24 hours/day = 2,520 operational hours = 29% of the year)
  – Operator response failure, PFD = 0.1
  – Shortstop failure, PFD = 0.1
  – Relief valve failure, PFD = 0.07

Example 1 – Reactor Explosion LOPA Solution

Initiating event: agitator motor fails, 0.5/yr → PL #1 batch in operation (0.29) → PL #2 operator response fails (0.1) → PL #3 Shortstop fails (0.1) → PL #4 pressure relief valve fails (0.07) → Explosion, 1.02E-04/yr. Any layer succeeding → no event.

F = 0.5/yr × 0.29 × 0.1 × 0.1 × 0.07 = 1.02 × 10^-4/yr

That results in 1 explosion in every 9,804 years.

Is that any good?

Know your tolerable risk. This is company specific. For our example, see the table below:

Severity | Definition | Tolerable frequency (events/year)
Extensive | One or more fatalities | 10^-5
Severe | Multiple medical treatment case injuries | 10^-4
Minor | Minor injury or reversible health effects | 10^-3

Calculate your SIL required

Diagram: the risk of explosion in the reactor due to the agitator motor failing is reduced by the existing layers (batch not in operation, alarms, Shortstop, relief valve) to an expected event frequency of 1.02 × 10^-4/yr; the gap between that and the tolerable risk level of 1.0 × 10^-5/yr must be closed by the SIF.

Calculate your SIL required

We know the expected event frequency = 1.02 × 10^-4/yr
We know the corporate tolerable risk level = 1 × 10^-5/yr

To achieve our target SIL:

PFD required = tolerable frequency / expected frequency
PFD = 1 × 10^-5 / 1.02 × 10^-4 = 0.098
RRF = 1/PFD = 1/0.098 = 10.2

This means the SIF should be SIL 1 (RRF between 10 and 100). The result sits just above the SIL 1 lower bound, so the inputs that drive it (the 0.29 enabling fraction and the 0.07 relief-valve PFD in particular) deserve scrutiny before the target is fixed.
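The calculation above carried through in code, as an added example (not code from the slides or from exida). The numbers are the slide's reactor-explosion example and the SIL bands are those of the Performance Targets table; the function and layer names are mine. Beyond the slide, it handles the two cases a LOPA tool has to handle: a scenario already at or below the tolerable frequency (no SIF needed) and one whose required risk reduction exceeds the SIL 4 band (flagged for process redesign rather than assigned a SIL; that flag value is my convention). It also closes the loop by adding a SIF at the computed PFD and checking the scenario then meets the target.

```python
"""LOPA frequency, required risk reduction and target SIL for one scenario.

Added worked example; not code from the exida slides. The input numbers are
the slides' reactor-explosion example, the helper names are mine, and the
SIL bands are the ones in the Performance Targets table.
"""
from dataclasses import dataclass
from typing import List, Optional

HOURS_PER_YEAR = 8760.0

# (SIL, lower RRF bound inclusive, upper RRF bound exclusive) from the SIL table.
SIL_BANDS = ((1, 10.0, 100.0), (2, 100.0, 1_000.0),
             (3, 1_000.0, 10_000.0), (4, 10_000.0, 100_000.0))


@dataclass(frozen=True)
class Layer:
    """One protection layer or enabling condition in the event tree."""
    name: str
    pfd: float  # probability that this layer fails to stop the scenario


def enabling_fraction(batches_per_year: float, weeks_per_batch: float) -> float:
    """Fraction of the year the batch is running; the slide uses it like a PFD (0.29)."""
    running_hours = batches_per_year * weeks_per_batch * 7 * 24
    return running_hours / HOURS_PER_YEAR


def mitigated_frequency(initiating_freq: float, layers: List[Layer]) -> float:
    """Accident frequency per year = initiating frequency x PFD of every layer."""
    freq = initiating_freq
    for layer in layers:
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"{layer.name}: PFD {layer.pfd} must be in (0, 1]")
        freq *= layer.pfd
    return freq


def required_rrf(mitigated_freq: float, tolerable_freq: float) -> float:
    """Risk reduction factor the new SIF must supply (= 1 / required PFD)."""
    return mitigated_freq / tolerable_freq


def target_sil(rrf: float) -> Optional[int]:
    """Map a required RRF onto a SIL band.

    None : RRF <= 1, already at or below the tolerable frequency, no SIF needed.
    0    : 1 < RRF < 10, below the SIL 1 band (my code for the example, not a value
           defined in the standard).
    1..4 : the band from the table.
    5    : above the SIL 4 band; flag for process redesign rather than a SIF
           (my convention for the example).
    """
    if rrf <= 1.0:
        return None
    if rrf < SIL_BANDS[0][1]:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= rrf < high:
            return sil
    return 5


def reactor_example() -> dict:
    """The slides' numbers, with 0.29 kept as rounded on the slide."""
    layers = [
        Layer("batch in operation (enabling condition)", 0.29),
        Layer("operator responds to alarm", 0.1),
        Layer("Shortstop addition", 0.1),
        Layer("pressure relief valve", 0.07),
    ]
    freq = mitigated_frequency(0.5, layers)   # 1.015e-4 /yr; the slide shows 1.02e-4
    tolerable = 1e-5                           # "Extensive: one or more fatalities"
    rrf = required_rrf(freq, tolerable)        # about 10.15; the slide shows 10.2
    sil = target_sil(rrf)                      # SIL 1
    # Closing the loop: a SIF with PFD = 1/RRF brings the scenario to the target.
    with_sif = mitigated_frequency(0.5, layers + [Layer("new SIF", 1.0 / rrf)])
    return {"frequency": freq, "rrf": rrf, "sil": sil, "with_sif": with_sif}


if __name__ == "__main__":
    r = reactor_example()
    print(f"mitigated {r['frequency']:.3e}/yr, required RRF {r['rrf']:.1f}, "
          f"target SIL {r['sil']}, with SIF {r['with_sif']:.2e}/yr")
```

The unrounded product is 1.015 × 10^-4/yr and the required RRF 10.15, which is how close to the SIL 1 boundary this scenario sits; a tool that carries the rounded 0.29 and 1.02 × 10^-4 through would report 10.2 as the slide does.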

Safety Requirements Specification

– The SRS is the critical documentation for system implementation and testing
– The SRS is the point of reference during the operations phase
– The better the SRS:
  – the better the communication during the project
  – the more informed the change impact assessment for modifications

Definition
– IEC 61511: "specification that contains all the requirements of the safety instrumented functions in a safety instrumented system"

Tasks
– Identify and describe safety instrumented functions
– Document Safety Integrity Level
– Document SIF action: logic, cause and effect diagram, etc.
– Document SIF parameters: timing, maintenance/bypass requirements, etc.

SRS Elements

SIS general
– Non-functional
– Regulations and standards
– Failure, start and restart
– Interfaces
– Environmental conditions

SIF general
– Maintenance overrides
– Manual shutdown
– Operating modes
– Failure modes
– Reset
– Diagnostics

SIF specific
– Identification
– Description / duty / P&ID
– Safe state
– Required SIL
– Proof test interval
– Response time
– Architecture summary
  – Sensor(s)
  – Logic solver
  – Final element(s)
– Mode of operation
  – Energize or de-energize (to trip)
  – Demand or continuous
– Trip setting and logic
– Spurious trip requirements
– Start-up overrides
– Special requirements

Logic Description Methods

Plain text
– Strengths: extremely flexible, no special knowledge required
– Weaknesses: time-consuming; developing program code from it is difficult and error prone

Binary logic diagrams (ISA 5.2)
– Strengths: more flexible than C-E diagrams, direct transposition to a function block diagram program
– Weaknesses: time consuming, knowledge of the standard logic representation required

Cause-and-effect diagrams
– Strengths: low level of effort, clear visual representation
– Weaknesses: rigid format (some functions cannot be represented with C-E diagrams), can oversimplify

Plain-text example (example only):

If one of the following conditions occurs:
1. Switch BS-01 is de-energized, indicating loss of flame
2. Switch PSL-02 is de-energized, indicating low fuel gas pressure
Then the main fuel gas flow to the heater is stopped by performing all of the following:
1. Closing valves XV-03A and XV-03B
2. Opening valve XV-03C
The respective valves will be opened and closed by de-energizing the solenoid valve XY-03.

(The slide also shows an ISA 5.2 binary logic diagram and a cause-and-effect diagram of the same function, both marked "Example only".)
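The plain-text burner logic above, turned into a cause-and-effect matrix and evaluated in code, as an added example (mine, not from the slides or exida). The tag names BS-01, PSL-02, XV-03A/B/C and XY-03 are the slide's; the matrix structure, the valve fail positions table and the helpers are my additions. The one design point it demonstrates beyond the slide's text is de-energize-to-trip as a fail-safe default: an input that cannot be read (wire break, input card fault, lost communication) is treated exactly like a de-energized switch, so the trip happens instead of being silently skipped.

```python
"""Cause-and-effect matrix for the heater fuel-gas trip, de-energize-to-trip.

Added example, not from the exida slides. Tag names follow the slide's
plain-text logic; the structure and helpers are mine.
"""
from typing import Dict, Optional, Set

# Causes: each switch "trips" when it is de-energized (or cannot be read).
CAUSES = {
    "BS-01": "loss of flame",
    "PSL-02": "low fuel gas pressure",
}

# Cause-and-effect matrix: cause tag -> solenoid(s) that must be de-energized.
# The slide's logic: either cause de-energizes solenoid XY-03.
CE_MATRIX: Dict[str, Set[str]] = {
    "BS-01": {"XY-03"},
    "PSL-02": {"XY-03"},
}

# Valve position per solenoid state: (when energized, when de-energized).
# XV-03A/B fail closed and XV-03C fails open, as the slide's text describes.
VALVES_BY_SOLENOID = {
    "XY-03": {
        "XV-03A": ("open", "closed"),
        "XV-03B": ("open", "closed"),
        "XV-03C": ("closed", "open"),
    },
}


def tripping_causes(inputs: Dict[str, Optional[bool]]) -> Set[str]:
    """Causes that currently demand a trip.

    inputs maps a cause tag to True (energized, healthy), False (de-energized)
    or None (signal unreadable). A tag missing from inputs is also unreadable.
    Anything but True trips: that is what makes de-energize-to-trip fail-safe.
    """
    return {tag for tag in CE_MATRIX if inputs.get(tag) is not True}


def solenoid_states(inputs: Dict[str, Optional[bool]]) -> Dict[str, bool]:
    """True = energized, False = de-energized, for every solenoid in the matrix."""
    demanded: Set[str] = set()
    for cause in tripping_causes(inputs):
        demanded |= CE_MATRIX[cause]
    return {sol: sol not in demanded for sol in VALVES_BY_SOLENOID}


def valve_positions(inputs: Dict[str, Optional[bool]]) -> Dict[str, str]:
    """Position of each final element for the given inputs."""
    positions: Dict[str, str] = {}
    for sol, energized in solenoid_states(inputs).items():
        for valve, (when_on, when_off) in VALVES_BY_SOLENOID[sol].items():
            positions[valve] = when_on if energized else when_off
    return positions


def fuel_gas_flowing(inputs: Dict[str, Optional[bool]]) -> bool:
    """True when main fuel gas can reach the heater: XV-03A and XV-03B open, XV-03C closed."""
    p = valve_positions(inputs)
    return p["XV-03A"] == "open" and p["XV-03B"] == "open" and p["XV-03C"] == "closed"


def render_ce_matrix() -> str:
    """Text rendering of the matrix, the way a cause-and-effect diagram shows it."""
    effects = sorted({e for es in CE_MATRIX.values() for e in es})
    lines = ["cause".ljust(10) + "".join(e.ljust(8) for e in effects)]
    for cause, es in CE_MATRIX.items():
        lines.append(cause.ljust(10) + "".join(("X" if e in es else "-").ljust(8) for e in effects))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ce_matrix())
    for name, inputs in [("healthy", {"BS-01": True, "PSL-02": True}),
                         ("flame out", {"BS-01": False, "PSL-02": True}),
                         ("PSL-02 unreadable", {"BS-01": True, "PSL-02": None})]:
        print(f"{name}: fuel gas flowing = {fuel_gas_flowing(inputs)}, {valve_positions(inputs)}")
```

The matrix is data, not control flow, which is what makes the cause-and-effect form easy to review against the SRS; the price, as the slide notes, is that anything needing timers, voting or sequencing does not fit the table and has to be described another way.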

The IEC 61511 Safety Lifecycle – Realization Phase

Safety Instrumented System

An SIS is defined as a system composed of sensors, logic solvers and final elements designed for the purpose of:
1. Automatically taking an industrial process to a safe state when specified conditions are violated;
2. Permitting the process to move forward in a safe manner when specified conditions allow (permissive functions);
3. Taking action to mitigate the consequences of an industrial hazard.

Diagram: the Equipment Under Control (EUC) is connected to two separate systems, the SIS and the Basic Process Control System (BPCS), each with its own power supply, input module, CPU and output module.

Safety Instrumented Function

A SIF is a specific, single set of actions and the corresponding equipment needed to identify a single hazard and act to bring the system to a safe state.

Different from a SIS, which can encompass multiple functions and act in multiple ways to prevent multiple harmful outcomes.

Diagram: one SIF is its sensors, the logic solver, and its final elements.

Safety Instrumented System

An SIS includes several Safety Instrumented Functions (SIF).

Diagram: SIF 1 to SIF 5 share one logic solver; each SIF uses its own subset of the numbered sensors and final elements (1 to 8).

SIS, SIF and SIL

One SIS may have multiple SIFs, each with a different SIL. Therefore it is incorrect and ambiguous to define a SIL for an entire safety instrumented system.

Diagram: Safety Instrumented System → several Safety Instrumented Functions → one Safety Integrity Level per function.

Safety Instrumented Function (SIF) Implementation

Diagram: sensors (sensing element plus signal conditioning, possibly several) → logic solver → final elements (signal conditioning plus final control element, possibly several), with their interconnections and circuit utilities (i.e. electrical power, instrument air, etc.).

The actual implementation of any single safety instrumented function may include multiple sensors, signal conditioning modules, multiple final elements and dedicated circuit utilities like electrical power or instrument air.

IEC 61511 – Protection Against:
– RANDOM failures
– SYSTEMATIC failures

Random and Systematic Failures

Random failures: a failure occurring at a random time, which results from one or more degradation mechanisms. Usually a permanent failure due to a system component's loss of functionality – typically hardware related.

Systematic failures: a failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors. Usually due to a design fault – wrong component, error in software program, etc.

How does IEC 61511 protect against each?
– Random failures: probabilistic, performance based
– Systematic failures: design (procedures throughout the safety lifecycle)

SIF Design

The SIL achieved is the minimum of:
1. SIL_PFD: from the average probability of failure on demand or the probability of failure per hour (PFDavg / PFH)
2. SIL_AC: from the architectural constraints (hardware fault tolerance)
3. SIL_CAP: from the systematic capability, i.e. the capability to prevent systematic failures

Failure Modes

With a safety system, the concern shouldn't be so much with how the system operates, but rather with how the system fails. Safety systems can fail in two ways:

Safe failures
– initiating
– overt
– spurious
– costly downtime

Dangerous failures
– inhibiting
– covert
– potentially dangerous
– must be found by testing

D x U =

Probability of Failure on Demand

The first of the three limits (SIL_PFD, SIL_AC, SIL_CAP). The PFD of a SIF is the sum of the PFDs of every element in its loop:

PFD_SIF = PFD_sensor + PFD_mux + PFD_input + PFD_mp + PFD_output + PFD_relay + PFD_fe + PFD_process-connection

IEC 61508-6 Method

Divide each failure rate into specific failure modes:
– Safe (S): safe detected (SD) and safe undetected (SU)
– Dangerous (D): dangerous detected (DD) and dangerous undetected (DU)

(The slide's pie chart shows an illustrative 60% / 40% split of the failure rate.)

Conventional PLC Input Circuit

Schematic: AC input → series resistor R1 (1K) and filter capacitor C1 → divider R2 (200K) / R3 (10K) → clamp diodes D1 and D2 (V1, V2, Vin) → opto-coupler OC1 with a 10K pull-up (R4) to the isolated +5V supply (5V ISO.).

FMEDA for Conventional PLC Input Circuit

Failure Modes and Effects Analysis, failures per billion hours (FIT). Criticality: 1 = safe, 0 = dangerous. Det. = 1 where a diagnostic detects the failure.

Component | Mode | Effect | Crit. | FIT | Safe | Dang. | Det. | Diagnostic | Safe covered FIT | Dang. covered FIT
R1 - 1K | short | loose filter | 1 Safe | 0.13 | 0.125 | 0 | 0 | | 0 | 0
R1 - 1K | open | read logic 0 | 1 Safe | 0.5 | 0.5 | 0 | 1 | read input open | 0.5 | 0
C1 - 0.18 | short | read logic 0 | 1 Safe | 2 | 2 | 0 | 0 | | 0 | 0
C1 - 0.18 | open | loose filter | 1 Safe | 0.5 | 0.5 | 0 | 0 | | 0 | 0
R2 - 200K | short | overvoltage | 0 Dang. | 0.13 | 0 | 0.13 | 0 | | 0 | 0
R2 - 200K | open | read logic 0 | 1 Safe | 0.5 | 0.5 | 0 | 1 | read input open | 0.5 | 0
R3 - 10K | short | read logic 0 | 1 Safe | 0.13 | 0.125 | 0 | 0 | | 0 | 0
R3 - 10K | open | overvoltage | 0 Dang. | 0.5 | 0 | 0.5 | 0 | | 0 | 0
D1 | short | read logic 0 | 1 Safe | 2 | 2 | 0 | 0 | | 0 | 0
D1 | open | blow out circuit | 0 Dang. | 5 | 0 | 5 | 0 | | 0 | 0
D2 | short | read logic 1 | 0 Dang. | 2 | 0 | 2 | 0 | | 0 | 0
D2 | open | blow out circuit | 0 Dang. | 5 | 0 | 5 | 0 | | 0 | 0
OC1 | led dim | no light | 1 Safe | 28 | 28 | 0 | 0 | | 0 | 0
OC1 | tran. short | read logic 1 | 0 Dang. | 19 | 0 | 19 | 0 | | 0 | 0
OC1 | tran. open | read logic 0 | 1 Safe | 5 | 5 | 0 | 0 | | 0 | 0
R4 - 10K | short | read logic 0 | 1 Safe | 0.13 | 0.125 | 0 | 0 | | 0 | 0
R4 - 10K | open | read logic 1 | 0 Dang. | 0.5 | 0 | 0.5 | 0 | | 0 | 0
Total failure rates | | | | 71 | 38.88 | 32.1 | | | 1 | 0

Safe coverage = 1 / 38.88 = 0.0257. Dangerous coverage = 0 / 32.1 = 0.


Safety Rated PLC Input Circuit


FMEDA for Safety Rated Input Circuit

Failure Modes and Effects Analysis (failure rates in FIT = failures per billion hours; criticality 1 = safe, 0 = dangerous)

Component | Mode | Effect | Crit. | Safe/Dang. | FIT | Safe | Dang. | Det. | Diagnostic | Safe covered FIT | Dang. covered FIT
R1 - 10K | short | threshold shift | 1 | Safe | 0.13 | 0.125 | 0 | 0 | | 0 | 0
R1 - 10K | open | open circuit | 1 | Safe | 0.5 | 0.5 | 0 | 1 | loose input pulse | 0.5 | 0
R2 - 100K | short | short input | 1 | Safe | 0.13 | 0.125 | 0 | 1 | loose input pulse | 0.125 | 0
R2 - 100K | open | threshold shift | 1 | Safe | 0.5 | 0.5 | 0 | 0 | | 0 | 0
D1 | short | overvoltage | 1 | Safe | 2 | 2 | 0 | 1 | loose input pulse | 2 | 0
D1 | open | open circuit | 1 | Safe | 5 | 5 | 0 | 1 | loose input pulse | 5 | 0
D2 | short | overvoltage | 1 | Safe | 2 | 2 | 0 | 1 | loose input pulse | 2 | 0
D2 | open | open circuit | 1 | Safe | 5 | 5 | 0 | 1 | loose input pulse | 5 | 0
OC1 | led dim | no light | 1 | Safe | 28 | 28 | 0 | 1 | comp. mismatch | 28 | 0
OC1 | tran. short | read logic 1 | 0 | Dang. | 10 | 0 | 10 | 1 | comp. mismatch | 0 | 10
OC1 | tran. open | read logic 0 | 1 | Safe | 6 | 6 | 0 | 1 | comp. mismatch | 6 | 0
OC2 | led dim | no light | 1 | Safe | 28 | 28 | 0 | 1 | comp. mismatch | 28 | 0
OC2 | tran. short | read logic 1 | 0 | Dang. | 10 | 0 | 10 | 1 | comp. mismatch | 0 | 10
OC2 | tran. open | read logic 0 | 1 | Safe | 6 | 6 | 0 | 1 | comp. mismatch | 6 | 0
R3 - 100K | short | loose filter | 1 | Safe | 0.13 | 0.125 | 0 | 0 | | 0 | 0
R3 - 100K | open | input float high | 0 | Dang. | 0.5 | 0 | 0.5 | 1 | comp. mismatch | 0 | 0.5
R4 - 10K | short | read logic 0 | 1 | Safe | 0.13 | 0.125 | 0 | 1 | comp. mismatch | 0.125 | 0
R4 - 10K | open | read logic 1 | 0 | Dang. | 0.5 | 0 | 0.5 | 1 | comp. mismatch | 0 | 0.5
R5 - 100K | short | loose filter | 1 | Safe | 0.13 | 0.125 | 0 | 0 | | 0 | 0
R5 - 100K | open | input float high | 0 | Dang. | 0.5 | 0 | 0.5 | 1 | comp. mismatch | 0 | 0.5
R6 - 10K | short | read logic 0 | 1 | Safe | 0.13 | 0.125 | 0 | 1 | comp. mismatch | 0.125 | 0
R6 - 10K | open | read logic 1 | 0 | Dang. | 0.5 | 0 | 0.5 | 1 | comp. mismatch | 0 | 0.5
C1 | short | read logic 0 | 1 | Safe | 2 | 2 | 0 | 1 | comp. mismatch | 2 | 0
C1 | open | loose filter | 1 | Safe | 0.5 | 0.5 | 0 | 0 | | 0 | 0
C2 | short | read logic 0 | 1 | Safe | 2 | 2 | 0 | 1 | comp. mismatch | 2 | 0
C2 | open | loose filter | 1 | Safe | 0.5 | 0.5 | 0 | 0 | | 0 | 0
Total Failure Rates | | | | | 111 | 88.75 | 22 | | | 86.875 | 22

Safe Coverage 0.9789
Dangerous Coverage 1
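The two FMEDA tables above are built by assigning every component failure mode a rate (FIT), a safe/dangerous effect and a yes/no for diagnostic detection, then summing into the four IEC 61508 failure-rate classes. The following is an added example of that aggregation, not exida's FMEDA tool or any code from the slides. The row data is transcribed from the conventional PLC input circuit table; entries the slide prints as 0.13 FIT are keyed as 0.125 because the slide's own "Safe" column carries that value.

```python
# Added example, not from the exida slides: aggregate FMEDA rows into the
# IEC 61508 failure-rate classes (SD, SU, DD, DU) and the coverage figures.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FmedaRow:
    component: str
    mode: str
    effect: str
    safe: bool        # criticality 1 = safe failure, 0 = dangerous failure
    fit: float        # failure rate in FIT (failures per 1e9 hours)
    detected: bool    # True if an on-line diagnostic flags this failure mode
    diagnostic: str = ""


# Transcribed from the conventional PLC input circuit FMEDA above.
# Rows printed as 0.13 FIT are keyed as 0.125 (the value in the slide's Safe column).
CONVENTIONAL_INPUT: List[FmedaRow] = [
    FmedaRow("R1 1K",   "short",       "loose filter",     True,  0.125, False),
    FmedaRow("R1 1K",   "open",        "read logic 0",     True,  0.5,   True, "read input open"),
    FmedaRow("C1 0.18", "short",       "read logic 0",     True,  2.0,   False),
    FmedaRow("C1 0.18", "open",        "loose filter",     True,  0.5,   False),
    FmedaRow("R2 200K", "short",       "overvoltage",      False, 0.125, False),
    FmedaRow("R2 200K", "open",        "read logic 0",     True,  0.5,   True, "read input open"),
    FmedaRow("R3 10K",  "short",       "read logic 0",     True,  0.125, False),
    FmedaRow("R3 10K",  "open",        "overvoltage",      False, 0.5,   False),
    FmedaRow("D1",      "short",       "read logic 0",     True,  2.0,   False),
    FmedaRow("D1",      "open",        "blow out circuit", False, 5.0,   False),
    FmedaRow("D2",      "short",       "read logic 1",     False, 2.0,   False),
    FmedaRow("D2",      "open",        "blow out circuit", False, 5.0,   False),
    FmedaRow("OC1",     "led dim",     "no light",         True,  28.0,  False),
    FmedaRow("OC1",     "tran. short", "read logic 1",     False, 19.0,  False),
    FmedaRow("OC1",     "tran. open",  "read logic 0",     True,  5.0,   False),
    FmedaRow("R4 10K",  "short",       "read logic 0",     True,  0.125, False),
    FmedaRow("R4 10K",  "open",        "read logic 1",     False, 0.5,   False),
]


def classify(rows: Iterable[FmedaRow]) -> Dict[str, float]:
    """Sum FIT into safe/dangerous x detected/undetected classes."""
    rates = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    for row in rows:
        key = ("S" if row.safe else "D") + ("D" if row.detected else "U")
        rates[key] += row.fit
    return rates


def coverage(rates: Dict[str, float]) -> Tuple[float, float]:
    """(safe coverage, dangerous coverage): the detected share of each class."""
    safe = rates["SD"] + rates["SU"]
    dang = rates["DD"] + rates["DU"]
    safe_cov = rates["SD"] / safe if safe else 0.0
    dang_cov = rates["DD"] / dang if dang else 0.0
    return safe_cov, dang_cov


def undetected_dangerous_rows(rows: Iterable[FmedaRow]) -> List[FmedaRow]:
    """The rows that drive PFD: dangerous and not caught by any diagnostic."""
    return [r for r in rows if not r.safe and not r.detected]


if __name__ == "__main__":
    rates = classify(CONVENTIONAL_INPUT)
    print(rates, "coverage (safe, dangerous):", coverage(rates))
    for r in undetected_dangerous_rows(CONVENTIONAL_INPUT):
        print(f"{r.component:8} {r.mode:12} {r.fit:6} FIT  {r.effect}")
```

Running it reproduces the slide's totals (safe 38.875, dangerous 32.125 FIT, safe coverage 1/38.875 = 0.0257, dangerous coverage 0) and lists the seven undetected dangerous modes, which is where the safety-rated redesign adds its comparison diagnostics.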


What is…?

Safe Failure Fraction: A measure of the likelihood of getting a dangerous failure that is NOT detected by automatic self-diagnostics.

NOTE: Definitions refer to single channel architectures.


IEC 61508 Safe Failure Fraction (SFF)

$$SFF = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}} = 1 - \frac{\lambda_{DU}}{\lambda_{Total}}$$


SIF Design

The SIL achieved is the minimum of:
1. SILPFD: Probability of Failure on Demand average / per hour (PFDavg / PFH)
2. SILAC: Hardware Fault Tolerance
3. SILCAP: Capability to prevent Systematic Failures


Architectural Constraints

– As technology advances it is becoming easier to achieve the required PFDavg.

– However, PFDavg is not the only safety metric that needs to be satisfied.

– Architectural constraints also need to be satisfied.

– Architectural constraints look at the Hardware Fault Tolerance (HFT) and the Safe Failure Fraction (SFF) of each subsystem to determine whether the required SIL has been met.

IEC 61508 Table 3, Type B

Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2
< 60% | NA | SIL 1 | SIL 2
60% to < 90% | SIL 1 | SIL 2 | SIL 3
90% to < 99% | SIL 2 | SIL 3 | SIL 4
> 99% | SIL 3 | SIL 4 | SIL 4

IEC 61508 Table 2, Type A

Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2
< 60% | SIL 1 | SIL 2 | SIL 3
60% to < 90% | SIL 2 | SIL 3 | SIL 4
90% to < 99% | SIL 3 | SIL 4 | SIL 4
> 99% | SIL 3 | SIL 4 | SIL 4

$$SFF = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$$


Example FMEDA 3051S


Example 3051S

Hardware Fault Tolerance: The quantity of failures that can be tolerated while maintaining the safety function

Architecture | Hardware Fault Tolerance
1oo1 | 0
1oo1D | 0
1oo2 | 1
2oo2 | 0
2oo3 | 1
2oo2D | 0
1oo2D | 1
1oo3 | 2
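The architectural-constraint check above (SFF from the four failure-rate classes, HFT from the voting architecture, then Table 2 or Table 3) and the "SIL achieved is the minimum of" rule from the SIF Design slides fit together as follows. This is an added example, not exida's SILver tool or code from the slides; the failure-rate totals it feeds in are the ones the two FMEDA tables above report.

```python
# Added example, not from the exida slides: Safe Failure Fraction plus the
# IEC 61508 architectural-constraint lookup (Table 2 for Type A, Table 3 for
# Type B devices), then the "minimum of three" rule for the achieved SIL.
from typing import Optional

# Hardware fault tolerance per voting architecture (slide table above).
HFT = {"1oo1": 0, "1oo1D": 0, "1oo2": 1, "2oo2": 0, "2oo3": 1,
       "2oo2D": 0, "1oo2D": 1, "1oo3": 2}

# (SFF lower bound, SIL allowed at HFT 0 / 1 / 2). None = not allowed ("NA").
# Band edges follow the slide: <60%, 60% to <90%, 90% to <99%, 99% and above.
IEC61508_TABLE_2_TYPE_A = [(0.99, (3, 4, 4)), (0.90, (3, 4, 4)),
                           (0.60, (2, 3, 4)), (0.00, (1, 2, 3))]
IEC61508_TABLE_3_TYPE_B = [(0.99, (3, 4, 4)), (0.90, (2, 3, 4)),
                           (0.60, (1, 2, 3)), (0.00, (None, 1, 2))]


def sff(lam_sd: float, lam_su: float, lam_dd: float, lam_du: float) -> float:
    """SFF = (SD + SU + DD) / (SD + SU + DD + DU) = 1 - DU / total."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return 1.0 - lam_du / total


def sil_from_architecture(sff_value: float, hft: int, device_type: str) -> Optional[int]:
    """SIL_AC: the SIL the subsystem's HFT and SFF permit, or None if NA."""
    table = IEC61508_TABLE_2_TYPE_A if device_type.upper() == "A" else IEC61508_TABLE_3_TYPE_B
    if hft not in (0, 1, 2):
        raise ValueError("tables cover HFT 0, 1 and 2 only")
    for lower_bound, sils in table:
        if sff_value >= lower_bound:
            return sils[hft]
    raise ValueError("SFF must lie in [0, 1]")


def achieved_sil(sil_pfd: int, sil_ac: Optional[int], sil_cap: int) -> Optional[int]:
    """The SIF's SIL is the minimum of the three; an NA architecture gives None."""
    if sil_ac is None:
        return None
    return min(sil_pfd, sil_ac, sil_cap)


if __name__ == "__main__":
    # Totals from the two FMEDA tables above (FIT): the conventional circuit has
    # SD=1, SU=37.88, DD=0, DU=32.1; the safety-rated one has DU=0.
    conventional = sff(1.0, 37.88, 0.0, 32.1)       # about 0.548
    safety_rated = sff(86.875, 1.875, 22.0, 0.0)    # 1.0
    for name, value in (("conventional", conventional), ("safety rated", safety_rated)):
        print(name, round(value, 4), "as 1oo1 Type B ->", sil_from_architecture(value, HFT["1oo1"], "B"))
    print("SIF example (SIL2, SIL1, SIL3):", achieved_sil(2, 1, 3))   # slide's example: SIL 1
```

The conventional input circuit comes out at an SFF of about 55%, which Table 3 does not allow for a single-channel (HFT 0) Type B subsystem at any SIL; the safety-rated circuit, with no undetected dangerous failures, reaches SIL 3 on architectural constraints alone.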


IEC 61511 – Protect Against (figure): RANDOM Failures → Probabilistic Performance Based Design; SYSTEMATIC Failures → HOW?


IEC 61511 – Protect Against (figure): RANDOM Failures → Probabilistic Performance Based Design; SYSTEMATIC Failures → Detailed Engineering Process


SIF Design

The SIL achieved is the minimum of:
1. SILPFD: Probability of Failure on Demand average / per hour (PFDavg / PFH)
2. SILAC: Hardware Fault Tolerance
3. SILCAP: Capability to prevent Systematic Failures


Question?

Is Redundancy sufficient protection against SYSTEMATIC FAILURES?

REDUNDANCY IS NOT A PROTECTION AGAINST SYSTEMATIC FAILURES!

A single systematic fault can cause failure in multiple channels of an identical redundant system.
– Example: A command was sent into a redundant DCS. The command caused a controller to lock up trying to interpret the command. The diagnostics detected the failure and forced switchover to a redundant unit. The command was sent to the redundant unit, which promptly locked up as well.


Equipment Capability

• PFD: Probability of Failure on Demand

• Architectural Constraints

• Equipment Capability

In order to combat Systematic Failures, IEC 61511 requires equipment used in safety systems to meet one of two requirements:
• IEC 61508 certification
  • Certified under IEC 61508 to the appropriate SIL level
• Prior Use
  • Justification based on “Proven in Use” criteria


Prior Use

“Prior use” generally means:

• Documented, successful experience (no dangerous failures)

• A particular version of a particular instrument

• Similar conditions of use

Functionality / Application / Environment

• We do not have the failure data!
• I do not want to take responsibility for equipment justification!
• We do not take the time to record all instrument failures!
• This is a new instrument!
• I cannot justify PRIOR USE!


Product Certification

Functional safety certification for devices is accomplished per IEC 61508. Products are certified to a Safety Integrity Level (SIL). The result is typically a certificate and a certification report.

SIL Certification: the vendor showed sufficient protection against Random and Systematic Failures.


Pressure for Certification

End User Demand
• Offers easier specification
• More consistency through project teams
• Allows use of new technology
• Quickly becomes “Best Practice”

Vendor Demand
• In mature markets, may be cost of entry (i.e. Logic Solvers)
• Establishes credibility in Safety Market
• Allows introduction of Technology with Credibility
• In new markets, may provide significant differentiation, limit competition and create higher margins

Process Industry
• Mature market in Logic Solvers and Traditional Sensors
• New Market in New Technologies, Sensors and Final Elements


Market Support

The exida web site also has a list of process industry instrumentation equipment with IEC 61508 certification. With several thousand unique visitors per month, this list has become the most popular global “purchase qualification list” for many buyers.


IEC 61508 PLC Certification


IEC 61508 Level Transmitter Certification


IEC 61508 Solenoid Valve Certification


Market Support / Data

For every equipment type, exSILentia has a list of equipment showing certification status and all relevant data. Equipment on this list enjoys strong market exposure. exida customers are included in the list.


Example…

The SIL achieved is the minimum of:
1. SILPFD: SIL 2
2. SILAC: SIL 1
3. SILCAP: SIL 3

The SIL level for this Safety Instrumented Function (SIF) is: ???


Example

The SIL achieved is the minimum of:
1. SILPFD: SIL 2
2. SILAC: SIL 1
3. SILCAP: SIL 3

The SIL level for this Safety Instrumented Function (SIF) is: SIL 1


Select Technology

Objective: Choose the right equipment for the purpose. All criteria used for process control still apply.

Tasks:
• Choose equipment - IEC 61508 certification or Prior Use justification (IEC 61511)
• Obtain reliability and safety data for the equipment
• Obtain the Safety Manual for any safety certified equipment

Sensor Sub-System | Logic Solver Sub-System | Final Element Sub-System


Fault Propagation Models
• Fault Tree Analysis
• Event Tree Analysis
• Markov Analysis
• Block Diagram


Simplified Equations

Table: simplified equations for STR and PFDavg by voting architecture (rows 1oo1, 1oo2, 2oo2, 2oo3, 1oo2D; columns STR and PFDavg; the formula cells did not survive the transcript legibly)

Where:
PFDavg = Probability of Failure on Demand (average)
SFR = Spurious Failure Rate
MTTR = Mean Time To Repair
TI = Test Interval
S = Safe Detected Failures
DU = Dangerous Undetected Failures
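The simplified equations are the first step of a SIL verification: from λDU, the test interval and the voting arrangement they give PFDavg (and hence SIL and RRF), and from λS and MTTR the spurious trip rate. The block below is an added example, not code from the slides or from SILver; it uses the widely published simplified forms for 1oo1, 1oo2, 2oo2 and 2oo3 voting, which are assumed to be the ones in the slide's table, and the IEC 61508 low-demand SIL bands. All rates and sample values are constructed.

```python
# Added example, not from the exida slides: the simplified PFDavg and spurious
# trip rate equations for 1oo1, 1oo2, 2oo2 and 2oo3 voting (assumed to be the
# forms in the slide's table), plus the IEC 61508 low-demand SIL bands.
# Units: lam_du and lam_s in failures per hour, TI and MTTR in hours.
from typing import Dict

HOURS_PER_YEAR = 8760.0


def pfd_avg(voting: str, lam_du: float, ti: float) -> float:
    """Average probability of failure on demand for one subsystem."""
    x = lam_du * ti  # expected dangerous undetected failures over one test interval
    equations = {
        "1oo1": x / 2,
        "1oo2": x ** 2 / 3,   # both channels must fail dangerously
        "2oo2": x,            # either channel failing blocks the trip: twice 1oo1
        "2oo3": x ** 2,       # any two of three failing dangerously
    }
    return equations[voting]


def spurious_trip_rate(voting: str, lam_s: float, mttr: float) -> float:
    """STR in trips per hour; for 2oo2 and 2oo3 a second safe failure must occur during the first repair."""
    equations = {
        "1oo1": lam_s,
        "1oo2": 2 * lam_s,
        "2oo2": 2 * lam_s ** 2 * mttr,
        "2oo3": 6 * lam_s ** 2 * mttr,
    }
    return equations[voting]


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand SIL bands; 0 means the PFD does not reach SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def sif_metrics(voting: str, lam_du: float, lam_s: float, ti: float, mttr: float) -> Dict[str, float]:
    """The figures a SIL verification reports for one voting arrangement."""
    pfd = pfd_avg(voting, lam_du, ti)
    str_per_hour = spurious_trip_rate(voting, lam_s, mttr)
    return {
        "PFDavg": pfd,
        "RRF": 1.0 / pfd,                        # risk reduction factor
        "SIL_PFD": sil_from_pfd(pfd),
        "STR": str_per_hour,
        "MTTFS_years": 1.0 / str_per_hour / HOURS_PER_YEAR,
    }


if __name__ == "__main__":
    # Constructed rates: lam_du = 1000 FIT, lam_s = 10000 FIT, annual proof test, 8 h repair.
    for voting in ("1oo1", "1oo2", "2oo2", "2oo3"):
        m = sif_metrics(voting, 1e-6, 1e-5, HOURS_PER_YEAR, 8.0)
        print(f"{voting}: PFDavg={m['PFDavg']:.2e} SIL{m['SIL_PFD']} "
              f"RRF={m['RRF']:.0f} MTTFS={m['MTTFS_years']:.1f} y")
```

With the constructed rates, 1oo1 lands in SIL 2 while 1oo2 and 2oo3 reach the SIL 4 band on PFDavg alone; the architectural constraints and systematic capability still have to be checked before any of those SILs is claimed.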


Conceptual Design / SIL Verification using SILver™

SILver is Safety Integrity Level verification according to IEC 61508 / IEC 61511. SILver calculates SIF performance parameters:
– PFDavg (Average Probability of Failure on Demand)
– MTTFS (Mean Time To Fail Spurious)
– SIL (Safety Integrity Level based on PFDavg)
– SIL (Safety Integrity Level based on Architectural Constraints, IEC 61508-2 tables 2 & 3)
– RRF (Risk Reduction Factor)


SIL Verification using SILver™

Third Party assessment of development process, IEC 61508 compliant
– No user justification required for SIL verification up to SIL 3


SIL Verification Demo…


The IEC 61511 Safety Lifecycle (figure): Management and Planning; Analysis Phase; Realization Phase


The IEC 61511 Safety Lifecycle (figure): Management and Planning; Analysis Phase; Realization Phase; Operate and Maintain


What is…?

Proof Testing: A manually initiated test designed to detect failure of any part of a SIF. Different proof test procedures can have different levels of effectiveness.

No practical proof test will detect all failures.


Mission Time

Typical simplified equations assume perfect repair:

$$\mathrm{PFD}_{avg} = \lambda_{DU} \cdot \frac{TI}{2}$$

However, repair is typically not perfect, so lifetime / mission time needs to be considered:

$$\mathrm{PFD}_{avg} = C \cdot \lambda_{DU} \cdot \frac{TI}{2} + (1 - C) \cdot \lambda_{DU} \cdot \frac{MT}{2}$$

where C is the proof test coverage (PTC), TI the proof test interval and MT the mission time.


PFD / PFDavg for Two Pressure Transmitter Proof Tests (figure: PFD plotted over years 1 to 15 for the two proof test coverages)

PFDavg “PTC = 65%” = 1.53E-02
PFDavg “PTC = 98%” = 3.37E-03
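The mission-time equation above splits the dangerous undetected failure rate into the share the proof test catches (reset every TI) and the share it misses (reset only at the end of the mission time), which is why the two transmitter proof tests give such different PFDavg figures. The block below is an added example of that calculation, not code from the slides or from SILver; the 1000 FIT rate, annual test interval and 15-year mission time are constructed, so the numbers differ from the transmitter values above.

```python
# Added example, not from the exida slides: PFDavg of a 1oo1 subsystem when the
# proof test only finds a fraction C (the PTC) of the dangerous undetected
# failures; the remainder accumulates until the end of the mission time.
# Units: lam_du in failures per hour, TI and MT in hours, ptc as a fraction.
from typing import Dict

HOURS_PER_YEAR = 8760.0


def pfd_avg_perfect_test(lam_du: float, ti: float) -> float:
    """Simplified equation: every proof test finds and repairs every DU failure."""
    return lam_du * ti / 2


def pfd_avg_imperfect_test(lam_du: float, ti: float, ptc: float, mission_time: float) -> float:
    """Covered DU failures are reset every TI; uncovered ones only at MT (overhaul or replacement)."""
    if not 0.0 <= ptc <= 1.0:
        raise ValueError("proof test coverage must be a fraction between 0 and 1")
    if mission_time < ti:
        raise ValueError("mission time must be at least one test interval")
    covered = ptc * lam_du * ti / 2
    uncovered = (1.0 - ptc) * lam_du * mission_time / 2
    return covered + uncovered


def compare_proof_tests(lam_du: float, ti: float, mission_time: float,
                        coverages=(0.65, 0.98)) -> Dict[float, float]:
    """PFDavg for each proof test coverage, same device and schedule otherwise."""
    return {ptc: pfd_avg_imperfect_test(lam_du, ti, ptc, mission_time) for ptc in coverages}


if __name__ == "__main__":
    # Constructed figures: 1000 FIT dangerous undetected, annual test, 15-year mission.
    lam_du, ti, mt = 1e-6, HOURS_PER_YEAR, 15 * HOURS_PER_YEAR
    print("perfect test:", f"{pfd_avg_perfect_test(lam_du, ti):.3e}")
    for ptc, pfd in compare_proof_tests(lam_du, ti, mt).items():
        print(f"PTC={ptc:.0%}: PFDavg={pfd:.3e}")
```

With these inputs the perfect-test figure is 4.38E-03, the 98% test gives 5.6E-03 and the 65% test 2.6E-02, a drop from the SIL 2 band into SIL 1 caused only by the quality of the proof test procedure.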


Spurious Trip

A spurious trip is a shutdown (taking the process to a safe state) that occurs when it is not needed (no demand).

• STR – Spurious Trip Rate = 1/MTTFS

• MTTFS - Mean Time To Failure Spurious, SAFE failure

• MTTFD - Mean Time To Dangerous Failure

Two areas of Concern:

• Shutdown and Startup can be most dangerous times

• Operations likes to run


The IEC 61511 Safety Lifecycle (figure): Management and Planning; Analysis Phase; Realization Phase; Operate and Maintain


REGULATIONS, STANDARDS AND BEST PRACTICES

Industrial Control Systems Cybersecurity


Recent Events

• Shamoon virus takes out 30,000 computers at Saudi Aramco
• US Defense Secretary issues strong warning of cyber attacks on US critical infrastructure
• DHS issues alerts about coordinated attacks on gas pipeline operators


Control System Cyber Security

Control systems operate industrial plant equipment and critical processes. Tampering with these systems can lead to:
– Death, Injury, Sickness
– Environmental releases
– Equipment Damage
– Production loss / service interruption
– Off-spec / Dangerous product
– Loss of Trade Secrets

Control system security is about preventing intentional or unintentional interference with the proper operation of the plant.


Control Systems are more vulnerable today than ever before:
• Now use commercial technology
• Highly connected
• Offer remote access
• Technical information is publicly available
• Hackers are now targeting control systems


Actual Incident Data (figure: incidents by source: Malware (virus, worm, trojan); IT Dept, Technician; Network device, software; Disgruntled employee; Hacker)

© 2011 Security Incidents Organization


Regulations

Department of Homeland Security
– 6 CFR part 27: Chemical Facility Anti-Terrorism Standards (CFATS)
– National Cyber Security Division, Control Systems Security Program (CSSP)

Department of Energy
– Federal Energy Regulatory Commission (FERC) 18 CFR Part 40, Order 706 (mandates NERC CIPs 002-009)

Nuclear Regulatory Commission
– 10 CFR 73.54 Cyber Security Rule (2009)
– RG 5.71


Standards

International Society for Automation (ISA)
– ISA 62443 Industrial Automation and Control System (IACS) Security (was ISA 99)

International Electrotechnical Commission (IEC)
– IEC 62443 series of standards (equivalent to ISA 99)

National Institute for Standards and Technology (NIST)
– SP800-82 Guide to Industrial Control Systems (ICS) Security


ISA / IEC 62443 Structure


The ICS Cybersecurity Lifecycle


Key Principles for Securing ICS
Step 1 – Assess Existing Systems
Step 2 – Document Policies & Procedures
Step 3 – Train Personnel & Contractors
Step 4 – Segment the Control System Network
Step 5 – Control Access to the System
Step 6 – Harden the Components of the System
Step 7 – Monitor & Maintain System Security


exida Functional Integrity Certification™

Functional Integrity Certification™: Functional Safety Certification™ + Functional Security Certification™

“Integrity is doing the right thing, even if nobody is watching.” (Anonymous)


Who are exida and what we do…


exida History

Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services

“Independent provider of Tools, Services and Training supporting Customers with Compliance and Certification to any Standards for Functional Safety, Cyber Security and Alarm Management”

Rainer Faller
– Former Head of TÜV Product Services
– Chairman German IEC 61508
– Global Intervener ISO 26262 / IEC 61508
– Author of several Safety Books
– Author of IEC 61508 parts

Dr. William Goble
– Former Director Moore Products Co.
– Developed FMEDA Technique (PhD)
– Author of several Safety Books
– Author of several Reliability Books


What we do

EXPERTISE: Tools, Training, Consultancy, Certification

INDUSTRIES: Process, Energy, Machine, Automotive

CUSTOMERS: End Users, Manufacturer, Engineering, Integrators

SCOPE: Functional Safety, Alarm Management, Cyber Security, Reliability


exida Customers (extract from 2000+)


exida Services and Training – Process Industry

• Functional Safety Management Set-up
• Functional Safety Assessment
• PHA
• SIL Determination
• SRS Development
• SIL Verification
• Alarm Philosophy – Rationalization
• Cyber Security Assessments
• Training Programs


exida Tools – Process Industry


exida Industry Contributions

• Global Functional Safety Certification Consultant
• 3rd Party Accredited Certification Body
• Developer of the FMEDA Technique
• Mechanical Failure Database
• Electrical & Electronic Failure Database
• Instrument & Equipment Failure Database
• Development of Field Failure Database Methodology
• Global Active Participation in IEC – ISO Workgroups
• Functional Safety Engineering Tools


Why exida Certification?

Experience – exida has done more certification projects in the process industries for currently marketed products than any other certification company.

Excellence / Competency – We have staff with a cumulative experience of several hundred years in automation functional safety and dependability. exida is active in the IEC 61508 (functional safety) and ISA 99 (security) committees and has developed many of the functional safety analysis techniques.

Market Support / Data – exida supports the end user with analysis and data. That data goes into the exSILentia tool. exida provides training for field personnel.

Broad Capabilities – exida can offer functional safety, security and Integrity Certification.


exida Library

• exida publishes analysis techniques for functional safety
• exida authors ISA best sellers for automation safety and reliability
• exida authors the industry data handbook on equipment failure data

www.exida.com


Questions and Discussion