Functional Safety
Copyright © 2012 IHS Inc.
Safety
Functional Safety (IEC 61508 definition, in the process-sector wording of IEC 61511)
• The part of the overall safety relating to the process and the Basic Process Control System (BPCS) that depends on the correct functioning of the SIS and other protection layers.
• It is determined by considering the system as a whole.
• It has to consider the environment with which the system interacts.
Functional Safety
Functional Safety vs. Non-Functional Safety
Example of functional safety: an over-temperature protection device that de-energises an electric motor before it overheats.
Example of non-functional safety: specialised insulation that withstands high temperatures.
[Figure: STEP Example: Schematic for Gas Compression Train. Elements shown: gas and liquid feed; Separator Vessel V-1 at 300 psig and Separator Vessel V-2 at 50 psig; level controllers LIC-1 and LIC-2 with level control valves LCV1 and LCV2; PCV and PSV to flare; flash gas; liquid effluent; demister; offgas to compressor; level gauge LG1, high level alarm LAH-1 and high-high level alarm LAHH-1 with the compressor shutdown interlock; plant field operator; 3" line and 3" bypass, 4" line, 6" line, 10" line and 12" line.]
Example of Functional Safety: High level protection device to prevent liquid carry over from vessel to compressor
Safety Functions
Safety functions are implemented by safety-related systems such as:
• Safety Instrumented System (SIS)
• Other safety-related technology, e.g. PSV
• External risk reduction facilities, e.g. drain system, dike
each of which is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event.
Determine Necessity of Functional Safety
• First, consider inherent safety through design to control hazards.
• Then perform a Hazard and Risk Assessment (H&RA):
1. Identify hazards
2. Evaluate risk
3. Determine the risk reduction required
4. Identify safety functions
The Hazard and Risk Assessment determines the necessity of functional safety.
Functional Safety - Example
[Figure: Example: Simplified diagram of a gas-fired furnace. Natural gas feeds the burners in the combustion chamber through FCV-1 (main line) and FCV-2 (pilot line); PCV2, PSH1 and PAH1 are on the gas supply. A flame detector initiates the safety trip on flame failure, and the interlock shuts FCV-1 and FCV-2.]
Suppose that a process plant has a large fired heater.
• The hazard analysis identifies that the combustion chamber could explode if unburned gas and air build up after a loss-of-flame event.
• This could happen if the gas supply is not shut off as soon as the flame is lost.
A safety function is needed: flame detection sensors that will
• trip the main and pilot gas supplies as soon as the flame is lost, and
• start the purge timer to prevent startup of the pilot flame for a specified period of time.
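The interlock just described, as an added example that is not part of the IHS slides: a minimal burner-management state machine. Tag names FCV-1 (main gas), FCV-2 (pilot gas) and the flame detector come from the slide; the purge time, the trial-for-ignition time and the caller-supplied clock are assumptions.

```python
"""Flame-failure interlock for the fired heater described above.

Added example (not from the IHS slides). Tag names FCV-1 (main gas),
FCV-2 (pilot gas) and the flame detector come from the slide; the purge
time, trial-for-ignition time and the caller-supplied clock are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class State(Enum):
    READY = "ready"        # purge complete, pilot may be lit
    LIGHTING = "lighting"  # FCV-2 open, waiting for flame proof
    FIRING = "firing"      # flame proven, FCV-1 may be opened
    PURGING = "purging"    # tripped: both valves closed until purge timer expires


@dataclass
class FlameFailureInterlock:
    purge_time_s: float = 300.0           # assumed purge duration
    trial_for_ignition_s: float = 10.0    # assumed time allowed to prove flame
    state: State = State.READY
    fcv1_open: bool = False               # main gas valve
    fcv2_open: bool = False               # pilot gas valve
    events: List[Tuple[float, str]] = field(default_factory=list)
    _purge_deadline: float = 0.0
    _ignition_deadline: float = 0.0

    def _trip(self, now_s: float, reason: str) -> None:
        # De-energise to trip: closed is the safe state for both gas valves.
        self.fcv1_open = False
        self.fcv2_open = False
        self._purge_deadline = now_s + self.purge_time_s
        self.state = State.PURGING
        self.events.append((now_s, reason))

    def request_pilot(self, now_s: float) -> bool:
        """Operator asks to light the pilot; refused unless the purge is complete."""
        if self.state is not State.READY:
            return False
        self.fcv2_open = True
        self._ignition_deadline = now_s + self.trial_for_ignition_s
        self.state = State.LIGHTING
        return True

    def request_main(self) -> bool:
        """Main gas is only admitted once the flame has been proven."""
        if self.state is not State.FIRING:
            return False
        self.fcv1_open = True
        return True

    def update(self, now_s: float, flame_detected: bool) -> State:
        """One scan of the logic solver with the current flame-detector state."""
        if self.state is State.FIRING and not flame_detected:
            self._trip(now_s, "flame lost: FCV-1 and FCV-2 closed, purge started")
        elif self.state is State.LIGHTING:
            if flame_detected:
                self.state = State.FIRING
            elif now_s >= self._ignition_deadline:
                self._trip(now_s, "pilot failed to light: FCV-2 closed, purge started")
        elif self.state is State.PURGING and now_s >= self._purge_deadline:
            self.state = State.READY
            self.events.append((now_s, "purge complete, restart permitted"))
        return self.state
```

The safe state is reached by closing both valves, never by opening anything, and the purge timer is started by the trip itself, so no operator action can shorten it; a pilot request during the purge is simply refused.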
Functional Safety - Example
Hazard and Risk Assessment: ensures that the safety integrity of the safety function is sufficient so that no one is exposed to an unacceptable risk associated with the hazardous event.
The following are evaluated:
• Severity: potential damage due to the explosion
• Likelihood: frequency of a flame-out incident that leads to an explosion
• Safety integrity: the risk reduction the safety function must provide, given the severity and likelihood
Functional Safety - Example
To summarize:
• Hazard analysis identifies what has to be done: what safety function has to be performed?
• Risk assessment determines the safety integrity of the safety system required to reduce the risk to an acceptable level: what degree of certainty is necessary that the safety function will be carried out?
Functional Safety
Challenges in Achieving Functional Safety
• High complexity
• Difficult to predict safety performance
Designing in a way that prevents dangerous failures, or controls them when they arise, is a challenge. Dangerous failure: a failure that has the potential to put the safety instrumented system in a hazardous or fail-to-function state.
Functional Safety
Dangerous failures may arise from:
• Software errors
• Common cause failures
• Human error
• Environmental influences
• Supply system voltage disturbances
• Incorrect specifications
• Omissions in the safety requirements specification
• Random hardware failure mechanisms
• Systematic hardware failure mechanisms
IEC 61508 contains requirements to minimise these failures.
Functional Safety
Safety Instrumented Function & Safety Instrumented System
Safety Instrumented System
• Safety Instrumented Systems: instrumentation or controls that are installed for the purpose of mitigating the hazard or bringing the process to a safe state in the event of a process upset.
Safety Instrumented System
[Figure: the three elements of a SIS: Measure, Think, Respond.]
Safety Instrumented Function
• ANSI/ISA-84.00.01-2004 (IEC 61511 Mod) defines a SIF as a:
"Safety function with a specified Safety Integrity Level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function"
Safety Instrumented Function
• Instrumented loops that address a specific risk.
• Each is intended to achieve or maintain a safe state for the specific hazardous event.
• A SIS may contain one or many SIFs, and each SIF is assigned a Safety Integrity Level (SIL).
• Conversely, a SIF may be accomplished by more than one SIS.
Examples of SIF in Process Industry
• Flame failure in the furnace initiates fuel gas ESDVs to close
• High fuel gas pressure initiates fuel gas ESDV (Emergency shutdown valve)
• High level in the vessel initiates Compressor shut down
• Loss of cooling liquid to reactor trips isolation and depressurization of reactor
Safety Integrity
• The average probability of a SIS satisfactorily performing the required SIF(s) under all the stated conditions within a stated period of time.
• There are 4 levels (SIL 1 to SIL 4).
• Measured by the frequency of dangerous failures (for high-demand or continuous mode) or by the average probability of the SIF failing to operate on demand (for low-demand mode).
Safety Integrity Levels: Probability of failure on demand
Safety Integrity Levels
• What is PFD?
• It is a statistical representation of the integrity of the SIS at the moment a process demand occurs.
• A demand occurs whenever the process reaches the trip condition and causes the SIS to take action.
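The SIL and PFD arithmetic behind the H&RA steps (required risk reduction) and the SIL definitions above, as an added example that is not part of the IHS slides. The SIL bands are the IEC 61508-1 target failure measures for low-demand (PFDavg) and high-demand/continuous (PFH) mode; the PFDavg expressions are the usual simplified forms for 1oo1 and 1oo2 architectures, neglecting repair time and dangerous-detected terms. Every failure rate, proof-test interval, common-cause factor and event frequency in the code is an assumed illustrative value.

```python
"""Safety integrity arithmetic for a low-demand SIF.

Added example, not from the IHS slides. The SIL bands are the IEC 61508-1
target failure measures (PFDavg for low-demand mode, PFH for high-demand or
continuous mode); the PFDavg expressions are the usual simplified forms for
1oo1 and 1oo2 architectures (proof-test interval T, dangerous undetected
failure rate lambda_DU, common-cause factor beta), neglecting repair time and
dangerous-detected terms. All numeric inputs below are assumed.
"""
from typing import Tuple

# (SIL, lower bound inclusive, upper bound exclusive)
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def sil_for_pfd(pfd_avg: float) -> int:
    """SIL achieved by a low-demand SIF with this PFDavg; 0 means below SIL 1."""
    for sil, lo, hi in PFD_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 0


def sil_for_pfh(pfh_per_hour: float) -> int:
    """SIL achieved by a high-demand/continuous SIF with this dangerous failure frequency."""
    for sil, lo, hi in PFH_BANDS:
        if lo <= pfh_per_hour < hi:
            return sil
    return 0


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_hours: float) -> float:
    """Single channel: PFDavg ~ lambda_DU * T / 2."""
    return lambda_du_per_hour * proof_test_hours / 2.0


def pfd_avg_1oo2(lambda_du_per_hour: float, proof_test_hours: float,
                 beta: float = 0.02) -> float:
    """Redundant pair, either channel trips: independent term (lambda_DU*T)^2/3
    plus the common-cause term beta*lambda_DU*T/2 that redundancy cannot remove."""
    lt = lambda_du_per_hour * proof_test_hours
    return lt * lt / 3.0 + beta * lt / 2.0


def pfd_avg_sif(sensor: float, logic_solver: float, final_element: float) -> float:
    """The SIF fails if any subsystem fails; for small PFDs the values add."""
    return sensor + logic_solver + final_element


def required_rrf(unmitigated_per_year: float, tolerable_per_year: float) -> float:
    """Risk reduction factor the SIF must provide (H&RA step 3)."""
    return unmitigated_per_year / tolerable_per_year


def target_sil(unmitigated_per_year: float, tolerable_per_year: float) -> Tuple[float, int]:
    """Required RRF and the SIL band whose PFDavg range contains 1/RRF."""
    rrf = required_rrf(unmitigated_per_year, tolerable_per_year)
    return rrf, sil_for_pfd(1.0 / rrf)


def high_level_trip_example() -> Tuple[float, int, float, int]:
    """Worked numbers for a high-level trip (LAHH -> ESDV close), all assumed:
    annual proof test, lambda_DU 1e-6/h sensor, 1e-8/h logic solver,
    2e-6/h shutdown valve. Returns (PFDavg, SIL) with a single 1oo1 valve
    and again with a 1oo2 valve pair."""
    T = 8760.0
    sensor = pfd_avg_1oo1(1e-6, T)
    logic = pfd_avg_1oo1(1e-8, T)
    single_valve = pfd_avg_sif(sensor, logic, pfd_avg_1oo1(2e-6, T))
    dual_valve = pfd_avg_sif(sensor, logic, pfd_avg_1oo2(2e-6, T, beta=0.02))
    return single_valve, sil_for_pfd(single_valve), dual_valve, sil_for_pfd(dual_valve)
```

With the assumed rates the final element dominates the loop: a single valve leaves the SIF at SIL 1, and a 1oo2 valve pair lifts it to SIL 2, but the common-cause term (beta) now outweighs the independent term, which is why redundancy alone cannot be stacked indefinitely and why the proof-test interval T appears in every term.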
Safety Integrity Levels: frequency of dangerous failures of the SIF
When would SIS be required?
When the hazard analysis has determined that
• the mechanical integrity of the process equipment,
• the process control, and
• other protective equipment
are insufficient to mitigate the potential hazard, one should consider installing a Safety Instrumented System as an additional means of risk reduction.
SIS Design Requirements
What are you trying to achieve when you design a SIS?
• Meet standards and regulations
• Fail safe
• Minimize false trips
• Detect dangerous failures
• Meet functional safety requirements
• Design a manual testing procedure
• Cost effective
SIS Versus BPCS
[Figure: Two Phase Separator. Two-phase hydrocarbon flow enters the separator; gas leaves to compressor C 130 through ESDV172, with PSV170 relieving to flare. Liquid level is controlled by LC213 (transmitter LT213) acting on LCV 213. A separate transmitter LT214 and switch LSHH214 give the high-high level alarm LAHH214 and initiate the interlock that closes ESDV172 and shuts down compressor C 130. V 180 also shown.]
SIS: monitors a process variable (level in this case) and initiates action when required (trips ESDV 172 and shuts down compressor C 130).
BPCS: maintains a process variable (level in this case) within prescribed limits.
SIS: failures are hard to detect, because the SIS typically operates on static boolean variables that do not change until a demand occurs.
BPCS: signals are dynamic, so failures are easier to detect, e.g. out-of-range signals, flat-line outputs.
Safety Control vs. Process Control
Aspect | Process Control (BPCS) | Safety Control (SIS)
Control type | Active, complex | Passive, simple, direct acting
Functions | Maintain variables within a range; obtain best performance from the process within safe limits | Monitor a strictly defined process variable; designed to guard the system against hazardous events
Control modes | Auto, manual, supervisory | Auto; no manual interventions, no external command levels
Communication between devices | Open systems, use fieldbus | Limited, specialized; difficult with bus networks
Setting changes | Easy to make; password-protected configurable parameter changes | Parameter changes strictly controlled and password protected
Diagnostics | Limited | Can be intensive and needs proof testing
Redundancy | Required to maintain high availability | Required to maintain high reliability
SIS and BPCS - Examples
• BPCS failure modes:
  • Control valve output high
  • Process parameter indication high
  • Control valve output low
  • Process parameter indication low
  • Process parameter erratic indication
• SIS failure modes:
  • Fail to operate on demand
  • Spurious operation
  • Function delayed
SIS and BPCS
• How can the SIS affect operating conditions?
• Example:
  • Centrifugal compressor
  • Operating speed: 5000 rpm
  • Overspeed trip: 5500 rpm
SIS and BPCS
SIS operating condition | Process | Protection available | Failure indication
Normal | Normal at 5000 rpm | Yes, trips at 5500 rpm | Not applicable
Fail safe | Compressor shut down, speed 0 rpm | Not applicable | Yes, high speed trip indication
Fail danger | Normal at 5000 rpm | No, will not trip at 5500 rpm | Not without diagnostics
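The three rows of the table above, and the earlier point that a static SIS input hides its own failures while a dynamic BPCS signal exposes them, as an added example that is not part of the IHS slides. The 5000 rpm operating speed and 5500 rpm trip come from the slide; the 4-20 mA loop scaling, the live-zero limits used for the fail-safe check, the deviation limit, the flat-line window and the speed ramp fed in as input are assumptions constructed for the example.

```python
"""Overspeed trip with and without diagnostics, for the compressor above.

Added example, not from the IHS slides. Trip setpoint 5500 rpm and the
5000 rpm operating speed come from the slide; the 4-20 mA loop scaling,
deviation limit, flat-line window and the ramp used as input are assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional

TRIP_RPM = 5500.0
SPAN_RPM = 6000.0   # assumed: 4 mA = 0 rpm, 20 mA = 6000 rpm


def ma_from_rpm(rpm: float) -> float:
    return 4.0 + 16.0 * rpm / SPAN_RPM


def rpm_from_ma(ma: float) -> float:
    # Round away float noise from the mA conversion so 5500 rpm compares as 5500.
    return round((ma - 4.0) / 16.0 * SPAN_RPM, 3)


@dataclass
class Decision:
    trip: bool
    condition: str                 # "normal", "fail safe" or "fail danger"
    diagnostic: Optional[str] = None


class OverspeedTrip:
    """Logic solver for the speed SIF. `bpcs_rpm` is the independent process
    control measurement, used only for diagnostics, never for the trip itself."""

    def __init__(self, diagnostics: bool = True, deviation_rpm: float = 250.0,
                 flatline_scans: int = 10) -> None:
        self.diagnostics = diagnostics
        self.deviation_rpm = deviation_rpm
        self.history: deque = deque(maxlen=flatline_scans)

    def scan(self, sis_ma: float, bpcs_rpm: float) -> Decision:
        # Fail safe: a broken or shorted loop leaves the 3.6-21 mA live-zero band
        # (assumed NAMUR NE43 limits); that is itself a trip and is indicated.
        if not 3.6 <= sis_ma <= 21.0:
            return Decision(True, "fail safe", "SIS transmitter signal out of range")
        rpm = rpm_from_ma(sis_ma)
        self.history.append(sis_ma)
        if rpm >= TRIP_RPM:
            return Decision(True, "normal", "high speed trip")
        if self.diagnostics:
            # Fail danger: a frozen SIS input keeps reading a healthy 5000 rpm
            # while the machine runs away; the static trip never changes state
            # on its own. Comparing against the dynamic BPCS signal exposes it.
            if abs(rpm - bpcs_rpm) > self.deviation_rpm:
                return Decision(False, "fail danger",
                                f"SIS {rpm:.0f} rpm deviates from BPCS {bpcs_rpm:.0f} rpm")
            # Real signals carry noise; a reading that has not moved at all for
            # a whole window is a stuck transmitter, not a steady process.
            if len(self.history) == self.history.maxlen and \
                    max(self.history) - min(self.history) < 1e-9:
                return Decision(False, "fail danger", "SIS signal flat-lined")
        return Decision(False, "normal")


def run_scenario(sensor_stuck: bool, diagnostics: bool) -> Decision:
    """Constructed input: true speed ramps 5000 -> 5600 rpm in 25 rpm steps.
    With `sensor_stuck` the SIS transmitter freezes at its 5000 rpm reading.
    Returns the first trip or diagnostic decision, else the last scan."""
    logic = OverspeedTrip(diagnostics=diagnostics)
    frozen_ma = ma_from_rpm(5000.0)
    decision = Decision(False, "normal")
    for step in range(25):
        true_rpm = 5000.0 + 25.0 * step
        sis_ma = frozen_ma if sensor_stuck else ma_from_rpm(true_rpm)
        decision = logic.scan(sis_ma, true_rpm)
        if decision.trip or decision.diagnostic is not None:
            break
    return decision
```

Without diagnostics the stuck-sensor run ends exactly as the table's last row says: the process passes 5500 rpm, nothing trips and nothing is indicated. With the comparison against the BPCS measurement, or the flat-line window, the same run is flagged as a dangerous failure while the machine is still below the trip point, which is the moment the maintenance response (or a decision to trip on loss of diagnostic coverage) has to be designed in.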
Safety Instrumented Functions and Other Functions
Safety Instrumented Function