IEC-61508 Implementing a Compliance Program

Pharm

aceuticals

IEC-61508 Implementing a Compliance Program

• Motivation

• Education

• Implementation

Pharm

aceuticals

Overview

Pharm

aceuticals

Overview

Pharm

aceuticals

Overview

Pharm

aceuticals

Motivation

• Do you or your company believe in the infallibility of Engineered systems?

Pharm

aceuticals

Motivation

• Roche Ireland does not have this delusion

• 25 + years operational experience

• Including some close calls

• Reality has motivated out safety culture.

Pharm

aceuticals

Education

Much of the rest of this presentation has been generated from training presentations given in Roche Ireland to

• Management

• Process Engineering

• Instrument / Electrical Engineering

Pharm

aceuticals

Education Need to educate yourself : • Guidelines for Safe Automation of

Chemical Processes {CCPS/AIChE}• ISA S84• Functional Safety, {Smith & Simpson}• IBC conferences • Various WWW resources (exida/ sis-tech

etc)

Pharm

aceuticals

IEC-61508, SOP 973

• Functional safety of electrical / electronic & programmable electronic safety-related systems.

• Critical Protective equipment - Safety Instrumented Systems

Pharm

aceuticals

IEC-61508, SOP 973 Safety requires protection from hazards of different causes

(movement, heat, radiation, el. shock, etc.)

“Functional Safety” means protection from hazards due to incorrect functioning.

... heatProtection against ...

...electrical shock

... hazards due to incorrect function

... radiation

Pharm

aceuticals

IEC-61508 Will Effect:

• Process Engineers:

• Instrument/Electrical Designers:

• Mechanical Engineering

• Commissioning:- Extra Effort

• Documentation :- Extra Effort

Pharm

aceuticals

IEC-61508 is legally vague

• Not legislation

• Meets ‘Reasonably practicable’ duty

• Health, safety & welfare at Work act, 1989

• Have to put in place a compliance program.

Pharm

aceuticals

Figure 65-1

Intolerableregion

Negligible risk

Risk(deaths/year)

1 x 10-4

1 x 10-6ALARP

Pharm

aceuticals

RISK Reduction - ALARP

• As low as reasonably practicable.

• IEC 61508 based on ALARP concept.

• ALARP concerns region of risk.

• Risk is an emotive and irrational thing.

• Commonly accepted values are:upper limit 1 x 10-4 deaths per yearlower limit 1 x 10-6 deaths per year

Pharm

aceuticals

Safety life cycle - milestone approach

• ISA S84 life cycle depicted in Fig 65-3.

• ISA S84 focuses on Box 9 of IEC 61508.

Pharm

aceuticals

Figure 64-1

Active systems layer

Passive systems layer

Controlsystems layer In

trinsic safety

Fail-safe design

Bursting discs

Pressure relief valves

One w

ay va

lves

Alarms, trips & interlocks

ESD

F&G

Duality

Back-up

Alarm handling

Diagnostics

Pharm

aceuticals

1 Conceptual process design

3 Apply Category 0 protection systems to prevent hazards & reduce risk

4 Are any Category 1 protection systems required?

6 Develop safety requirements specification (SRS)

8 Detailed design of protection system

12 Pre-start-up safety review

13 Protection system start-up, maintenance & periodic testing

14 Modify protection system? End

2 Perform process HAZAN & risk assessment

Start

5 Define target safety integrity levels (SIL)

7 Conceptual design of active protection systems & verify against SRS

Figure 65-3

No

9 & 10 Installation, commissioning 11 Establish operating &

maintenance proceduresand pre-start-up acceptance testing

yes15 Decommission system

Pharm

aceuticals

Process Engineering

• First Stage of realisation of high-integrity safety instrumented systems

• Modified PHA

• Feeds into SRS

• Based on good process data & good process judgement.

Pharm

aceuticals

Process Chemistry

• Carius Tube test for decomposition

• Pressure Dewar Calorimetry

• Understanding of Exotherms

• Knowledge of onset temperatures

• {Chilworth}

Pharm

aceuticals

Process Engineering

• Good process judgement.

• Hazop

• Margins of safety

Pharm

aceuticals

Hazard identification, Interlock Identification

• Reactant being transferred in from Reactor 1 without agitation could accumulate & react in a sudden, violent manner.

• Reactor 2 Inlet valve 205 should OPEN only if agitator ON

Pharm

aceuticals

Hazard identification, Interlock Identification

• Simplified Technique.• MIL Std 882

Pharm

aceuticals

Consequences

• Consequence of this is overpressure, loss of batch, over-temperature, possible destruction of vessel.

• 1 week downtime to recover.• Fatality or Serious injury unlikely.• Critical • (C2)

Pharm

aceuticals

Occupancy factor

• Building is continually occupied• (F2)

Pharm

aceuticals

Manual Avoidance factor

• There is quite a good chance of an operator observing that something is going wrong & intervening successfully.

• (P1)

Pharm

aceuticals

Unmitigated demand rate.

• Likely to occur once every 5 years.• Occasional• The process is DCS automated. • DCS is not a SIS – no SIL rating. • DCS control reduces frequency of

Unmitigated Demand.• (W2)

Pharm

aceuticals

11233

4x2?

112334

11233

W3 W2 W1

P1P2P1P2

F1

F2

F1F2

C2

C3

C1

C4

Start

Most risk

Least risk

x0?

x0?

x0?

EN 954 Approach

Pharm

aceuticals

Rating of the SIL required for a SIS, as per IEC 61508 Section 5, Table E.1 & as per Roche K9Number ofIndependentProtections

x x x x x x x x x ?1 x x x ?1 1 x x ?1 1 1 3

x x x x x x x x ?1 1 x x ?1 1 1 ?1 1 1 1 2 2

x x x x ?1 x x ?1 1 2 x ?1 1 1 2 1 2 2 2 3 1ely Rare Occasional Moderate Frequent Unlikely Rare Occasional Moderate Frequent Unlikely Rare Occasional Moderate Frequent Unlikely Rare Occasional Moderate Frequent Event

Frequency

Negligible Marginal Critical Catastrophic Eventconsequence

Catastrophic People Fatalities >1Environment Significant loss to offsite environment. Indictable breach of LicenseBusiness Loss > €8 million : Interruption > 1 Month

Critical People Serious injuries (permanent damage). Multiple lost time accidents.Environment Only site area affected. Serious breach of licence.Business Loss €200 thousand to €8 million : Site interruption > 1 week

Marginal People Lost time accidentEnvironment Only site area affected. Minor breach of licenceBusiness Loss €5 thousand to €200 thousand. Interruption 1 day to 1 week

Negligible People Minor InjuriesEnvironment Negligible effect on environmentBusiness Loss < €5 thousand. Interruption < 1 day

Frequent Once per month Rare Once per 20 years

Moderate Once per year Unlikely Once per 100 years

Occasional One per 5 years V Unlikely Once per 1000 years

ROCHE IRELAND LIMITED INDEX: SOP 973POLICIES AND PROCEDURES ATTACHMENT: 3.001

PAGE: 1of1ISSUED:17/07/2002SUPERSEDES: NoneWRITTEN BY:

SECTION: Engineering APPROVED BY:________________________________________________________________________

SUBJECT: Safety Instrumented System – Safety Integrity Determination

Pharm

aceuticals

Roche ConsequencesRating of Consequences

class rating consequences

I catastrophic people fatalities, evacuation outside the site area

environment irreversible, long-term damage outside the site area

business loss: > 10 mio. US $interruption: > 6 monthimage: severely damaged, > 1 week, national

II critical people serious injuries, irritations outside the site area

environment reversible, short-term damage outside the site area

business loss: < 10 mio. US $interruption: > 2 weeksimage: damaged, > 1 week, regional

III marginal people minor injuries, molestation outside the site area

environment only site area affected

business loss: < 1 mio. US $interruption: 2 days to 2 weeksimage: < 1 week, local

IV negligible people no effects

environment no effects

business loss: < 100'000 US $interruption: < 2 daysimage: no effects

Pharm

aceuticals

Roche ‘unmitigated’ demand rate.

Rating of Probabilityclass rating probability

A frequent once a year or more

B moderate once in 5 years

C occasional once in 10 years

D rare once in 25 years (e.g. once in life cycle of the system)

E unlikely once in 100 years (e.g. once in life cycle of a site)

F very unlikely once in 1'000 years or less (e.g. once in life cycle of Roche or less)

Pharm

aceuticals

Instrument / Electrical Design

• Second Stage of realisation of high-integrity safety instrumented systems

• Modified Instrument design

• Modified Instrument Commissioning

• Feeds into SRS

Pharm

aceuticals

SafetyintegritylevelSIL

HazardreductionfactorHRF

Demand mode of operation Continuous mode

PFD(fractional)

Availability A(fractional)

Failure rate (failures per hr)

1

2

3

4

>101

>102

>103

>104

10-1 to 10-2

10-2 to 10-3

10-3 to 10-4

10-4 to 10-5

0.9 to 0.99

0.99 to 0.999

0.999 to 0.9999

0.9999 to 0.99999

10-5 to 10-6

10-6 to 10-7

10-7 to 10-8

10-8 to 10-9

Table 65-1

Pharm

aceuticals

Equipment implications

• SIL value is measure of quality of protection system, end to end.

• System has to be designed, specified, built and maintained to that standard.

• Proof testing at regular intervals• Conformance assessment for safety systems

Pharm

aceuticals

PFD Calculation

• Simplified Equation • ISA-TR84.00.02-2002 Part 2• Equation B.34 – Rare event approximation• “Adequate” for SIL 1 or 2, where the plant is well

controlled, well maintained, understood process, conservative engineering with good mechanical integrity

Pharm

aceuticals

PFD Calc. Motion Sensor

• MTBF = Mean (Average) time between failures• Information provided by vendor.• MTBF = 86 Years

Pharm

aceuticals


Failures can be • fail to danger (Falsely shows agitator moving)or• fail to safe (Falsely shows agitator stopped)• Aim of good design is to maximise fail to safe,

minimise fail to danger. The failure mode split is the percentage in the fail to danger category.

• Failure mode split = .1 (SA estimate)

Pharm

aceuticals


• Proof test interval = 1 year (8760 hours) • Time between re-tests of the interlock.• Need to be genuine tests

Pharm

aceuticals


• 86 years * 8760 hours/year = 753,000 (MTBF in hours)

= 1/ MTBF = 1.30 E-6 failures per hour• FMS =.1• Proof test = 1 year (8760 hours)

• PFD(SS) = 1.30 E-6 * .1 * 1 * (8760/2)• PFD(SS)=.0006

Pharm

aceuticals

PFD Calc. Barrier 6

• MTBF = 4 Years• Failure mode split = .4• Proof test interval = 1 year (8760 hours)

= 1/ MTBF = 2.87 E-5 failures per hourPFD(B6) = 2.87 E-5 * .4 * 1 * (8760/2)

• PFD(B6)=.0500

Pharm

aceuticals

PFD Calc. Relay 5

• MTBF = 100 Years• Failure mode split = .01• Proof test interval = 1 year (8760 hours)

= 1/ MTBF = 1.14 E-6 failures per hourPFD(R5) = 1.14 E-6 * .01 * 1 * (8760/2)

• PFD(R5)=.00005

Pharm

aceuticals

PFD Calc. Main Barrier

• MTBF = 10 Years• Failure mode split = .9• Proof test interval = 1 day (24 hours)

= 1/ MTBF = 1.14 E-5 failures per hourPFD(MB) = 1.14 E-5 * .9 * 1 * (24/2)

• PFD(MB)=.001242

Pharm

aceuticals

PFD Calc. Solenoid


= 1/ MTBF = 1.14 E-5 failures per hourPFD(SOL) = 1.14 E-5 * .4 * 1 * (24/2)

• PFD(SOL)=.00006

Pharm

aceuticals

PFD Calc. Valve & Actuator


= 1/ MTBF = 1.14 E-5 failures per hourPFD(VA) = 1.14 E-5 * .2 * 1 * (24/2)

• PFD(VA)=.00003

Pharm

aceuticals

PFD Calc. Overall

• PFD(VA)=.00003• PFD(SOL)=.00006• PFD(MB)=.00124• PFD(R5)=.00005• PFD(B6)=.0500• PFD(SS)=.0006• PFD = .052 => SIL 1

Pharm

aceuticals

Barrier

Instrument

RelayLogic

∑ PFD = 10% SIL 1 Limit

∑ PFD = 1% SIL 2 Limit

Overall

PFD Mapping

Valve

Barrier

Pharm

aceuticals

PFD Calc. Issues

• Elements in series: USYS Ui 62-16Elements in parallel: USYS Ui -17

• Common cause failure: SYS = IND + . MAX -18

• Voting systems: UKOON n.Uk -19

• For more complex systems – Fault Tree Analysis using ISA-TR84.00.02-2002 Part 3.

• “Probabilistic Risk Assesment” – Henley, E J

Pharm

aceuticals

Design issues

• Roche have decided that valve & actuator may be shared for SIL 1 only.

• SIS & BPCS share barrier, solenoid, actuator & Valve. This is not recommended

• Solenoid has local SMO, which might be OK for normal operation, but not for SIS.

Pharm

aceuticals

Design issues

Pharm

aceuticals

Design issues

• ##### ####-# type barrier not recommended (TTL Logic switching – independent energy source)

• No clear indication on loop sheet or in field of safety critical nature of instruments

Pharm

aceuticals

Design issues

• Design of periodic re-test method is the instrument designers responsibility.

• This would help facilitate periodic testing

• Loop sheet to indicate safety critical nature of instruments

Pharm

aceuticals

Improvement suggestions

• SIS to actuate solenoid in panel, which controls air supply to Shutoff Valve & Control Valve

• High energy panel mount solenoid, not IS pilot operated solenoid => more ‘suitable’ for SIS

• Control Valve should have positioner suitable for SIS

Pharm

aceuticals

Loop sheet modifications

Pharm

aceuticals

Commissioning Aspects

• IQ / OQ + Proof testing of the safety function

• Validation of the retest method

• Loop sheet to indicate safety critical nature of instruments

• Field marking

Pharm

aceuticals

Machine / Package Design

• Supplier might have correctly designed safety Engineering.

• That does not mean it reaches standard.

• Modified Instrument/Electrical design

• Modified Instrument/Electrical Commissioning

• Feeds into SRS

Pharm

aceuticals


• E Ex d motor – Surface temperature limits

• Variable Speed Drive.

• Never below 10 Hz

• Always with Thermistor Protection

Pharm

aceuticals


Pharm

aceuticals


ThermistorRelay

Pharm

aceuticals

Maintenance

• Vital part of ensuring safety function remains intact.

• Will have to retest interlocks on a periodic basis.

• Will need to follow methods set out during Instrument/Electrical design stage.

• Care required in effecting changes to the loop when in use.

Pharm

aceuticals

Safety Requirements Spec

• Document which brings together the design thread.

• Started by the Process Engineering group • Continued by the Instrument / Electrical

engineering group• Reviewed by Safety Engineering group.• Live document until pre-start safety review.

Pharm

aceuticals

New skills

• Different way of thinkingDefence in DepthLayers of Protection

• Risk Analysis • Basic Statistics• Fault Tree Analysis

Pharm

aceuticals

6 June 1967

Pharm

aceuticals

Pharm

aceuticals

Pharm

aceuticals

Documents

IEC-61508 Implementing a Compliance Program