What is Functional Safety?

Report
Functional Safety
Demystified
September 2011
Bob Weiss
Principal Consultant
Honeywell Process Solutions
[email protected]
Outline
• What is Functional Safety?
- SIS, SIF and SIL
• Standards AS IEC61508 and AS IEC61511
• An example to demonstrate compliance
• 4.5 day TÜV FSEng course in 45 minutes!
2
HONEYWELL - CONFIDENTIAL
File Number
What is Functional Safety?
• Part of Overall Safety
- freedom from unacceptable risk
• Achieved by a Safety Instrumented System (SIS)
- E/E/PE Safety System in IEC61508
- Examples:
 Emergency Shutdown System
 Burner Management System
- Includes field devices as well as logic solver
• A SIS places or maintains a process in a safe state
- Process = Equipment Under Control (EUC) in IEC61508
- Implements Safety Instrumented Functions (SIFs)
- Each SIF achieves a Safety Integrity Level (SIL)
• Acronyms to remember: SIS, SIF and SIL !.
3
HONEYWELL - CONFIDENTIAL
File Number
Some terms: SIS, SIF and SIL
Temperature
transmitter
SIF 1: TZH1234
SIL 2
Solenoid
Temperature
transmitter
Shut-off
valve
SIF 2: PZHH1234 SIL 1
Pressure
Transmitter
Flow
transmitter
Logic Solver
(Safety PLC)
Relay
in MCC
Solenoid
Globe
valve
Safety Instrumented System - SIS
Safety Instrumented Function - SIF
Safety Integrity Level - SIL
4
HONEYWELL - CONFIDENTIAL
File Number
Why Functional Safety?
• Buncefield, England 11 Dec 2005
• Storage tank level gauge showed
constant reading
• High level alarm switch jammed
• Gasoline tank overflowed
• Mist exploded
- Largest explosion in peacetime
- 20 tanks on fire
- Burned for three days
- Significant environmental impact
- Millions of pounds damage.
5
HONEYWELL - CONFIDENTIAL
File Number
Standards: IEC61508 or IEC61511 ?
AS/IEC 61508
SIS
Component
Manufacturers
AS/IEC 61511
SIS
Integrators
& Users
OR SIL4
APPLICATIONS
61508
6
61511
61511
61508
HONEYWELL - CONFIDENTIAL
61508
61511
File Number
IEC61511 Safety Lifecycle
10
9
Management
of functional
safety and
functional
safety
assessment
and auditing
Safety
life-cycle
structure
and
planning
Engineering Contractor
1
2
Hazard and risk analysis
End User
7
Verification
Allocation of
safety functions
to protection layers
3
Safety requirements
specification for the
safety instrumented system
4
SIS Vendor
11
Design and
engineering of
safety instrumented system
Design and
development
of other means
of risk reduction
5
Installation, commissioning
and validation
6
Operation and maintenance
7
Modification
8
Decommissioning
HONEYWELL - CONFIDENTIAL
File Number
Complying with AS IEC 61508 & AS IEC 61511
• Target SIL must be specified for each SIF
based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component
 Field devices, logic solver, shutdown valves etc.
• Not just TÜV certification
- Though it helps !
• Not just meeting PFDavg target.
8
HONEYWELL - CONFIDENTIAL
File Number
Comply Throughout Lifecycle
• For the rest of the presentation we’ll follow the SIS
lifecycle
• What do we need to do to comply at each stage?
• See the following example…
- Only the main elements of compliance are covered.
9
HONEYWELL - CONFIDENTIAL
File Number
1 Hazard and Risk Analysis
• Output is a list of hazardous events with their
process risk and acceptable risk.
10
9
Management
of functional
safety and
functional
safety
assessment
and auditing
Safety
life-cycle
structure
and
planning
1
2
Hazard and risk analysis
11
Verification
Allocation of
safety functions
to protection layers
3 Safety requirements
specification for the
safety instrumented system
4
Design and
engineering of
safety instrumented system
5
Design and
development
of other means
of risk reduction
Installation, commissioning
and validation
6 Operation and maintenance
10
7
Modification
8
Decommissioning
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 1 A Hazard
PSV-1
LIC
1
300t LPG
Product
Feed
P-2
P-1
• “potential source of harm”
• 300t of Liquefied Petroleum Gas can
potentially cause harm
• Hazardous Event Example: BLEVE
11
YouTube .
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 2 HazOp
PSV-1
H
LIC
1
300t LPG
Product
Feed
P-2
P-1
• Node: LPG Tank
• Guideword: HIGH LEVEL
• Consequence: High Pressure, possible tank rupture & major fire
• Existing Controls: Pressure Relief Valve (PSV-1)
• New Controls: Add High Level Alarm.
12
HONEYWELL - CONFIDENTIAL
File Number
2 Allocation of Safety Functions
• Often called SIL Analysis or SIL Determination
• Output is a list of Safety Instrumented Functions
together with their required Safety Integrity Level.
10
9
Management
of functional
safety and
functional
safety
assessment
and auditing
Safety
life-cycle
structure
and
planning
1
2
Hazard and risk analysis
11
Verification
Allocation of
safety functions
to protection layers
3 Safety requirements
specification for the
safety instrumented system
4
Design and
engineering of
safety instrumented system
Design and
development
of other means
of risk reduction
5 Installation, commissioning
and validation
6 Operation and maintenance
13
7
Modification
8
Decommissioning
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 3 Design after HazOp
PSV-1
H
LIC
1
300t LPG
Product
Feed
P-2
P-1
• Is Risk acceptable?
14
HONEYWELL - CONFIDENTIAL
File Number
Risk
The product of severity and likelihood
Consequence
severity
Major
Medium
Minor
LOW
15
MEDIUM
HONEYWELL - CONFIDENTIAL
HIGH
Likelihood
of occurrence
File Number
Case Study: 4a Risk Reduction
Hazard - 300t of LPG
Process under control
Level stable
Control valve sticks
Process deviation or disturbance
LAH Alarm
Process out of control
Hazardous situation
Level Increasing
High Pressure
PSV
Hazardous event
Vessel fails
Impact / Consequence
300t of boiling LPG released likely major fire and fatalities
16
HONEYWELL - CONFIDENTIAL
File Number
Risk Analysis - Layers of Protection 1
Mechanical
PSV
X 100
Target:
1 per 10,000y
Hazardous
Event !!
Alarm
LAH
Risk Reduction
X1 !
Control System
(BPCS)
Hazardous Situation : 1 per y
Required:
X 10,000
Only have
x 100 !!
Process
17
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 4b Risk Reduction
Hazard - 300t of LPG
Process under control
Level stable
Control valve sticks
Process deviation or disturbance
LAH Alarm
Process out of control
Level Increasing
LZHH Trip
Hazardous situation
High Pressure
PSV
Hazardous event
Vessel fails
Impact / Consequence
300t of boiling LPG released likely major fire and fatalities
18
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 5 Add a SIF
LZHH
2
LZT
2
PSV-1
H
LIC
1
300t LPG
Product
Feed
P-2
P-1
• High Level Trip LZHH2 added
- Shuts off flow when High High level reached.
19
HONEYWELL - CONFIDENTIAL
File Number
SIL Determination 1 - Layers of Protection
Mechanical
PSV
X 100
SIL 2
SIF
LZHH
X 100
Alarm
LAH
Control System
(BPCS)
Hazardous Situation : 1 per y
Process
20
HONEYWELL - CONFIDENTIAL
Target:
1 per 10,000y
Hazardous
Event !!
Risk Reduction
Required:
X 10,000
SIF must
reduce risk
by
10,000/100 =
100
File Number
Safety Integrity Level vs. Risk Reduction
SIL
Risk Reduction
Factor
Probability of Failure
on Demand (PFDavg)
Safety
Availability
4
> 10,000
≥ 10-5 < 10-4
> 99.99%
3
1,000 - 10,000
≥ 10-4 < 10-3
99.9 - 99.99%
2
100 - 1,000
≥ 10-3 < 10-2
99 - 99.9%
1
10 - 100
≥ 10-2 < 10-1
90 - 99%
-
(Control ≤ 10)
= 1 / RRF
= 1 - PFDavg
Used later for verifying SIL achieved
21
HONEYWELL - CONFIDENTIAL
File Number
SIL is more than just PFD
• Target SIL must be specified for each SIF
based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component.
22
HONEYWELL - CONFIDENTIAL
File Number
3 Safety Requirements Specification - SRS
• Defines functional and integrity requirements of SIS
• Output is set of documents ready for detail design.
10
9
Management
of functional
safety and
functional
safety
assessment
and auditing
Safety
life-cycle
structure
and
planning
1
2
Hazard and risk analysis
11
Verification
Allocation of
safety functions
to protection layers
3 Safety requirements
specification for the
safety instrumented system
4
Design and
engineering of
safety instrumented system
Design and
development
of other means
of risk reduction
5 Installation, commissioning
and validation
6 Operation and maintenance
23
7
Modification
8
Decommissioning
HONEYWELL - CONFIDENTIAL
File Number
Cause-and-Effect Diagram
• SIFs commonly documented by
Cause and Effect diagrams
LZHH-02 LPG Tank High High Level
24
3200 mm
HONEYWELL - CONFIDENTIAL
2
X
X
X
X
X
X
Set LIC1 to MAN, OP=0
0-3500
OPENS VALVE UV-03C
2
CLOSE VALVE UV-03B
~
7
CLOSE VALVE UV-03A
~
~
CLOSE VALVE LZV-02
1
Units
Trip Point
Description
Burner Loss of Flame
Fuel Gas Pressure Low
SIL
Tag#
BS-01
PSL-01
Instrument Range
• Could include required SIL.
0
File Number
4 Design and Engineering
• SIS vendor for logic solver
• EPC contractor or end-user for field hardware.
10
9
Management
of functional
safety and
functional
safety
assessment
and auditing
Safety
life-cycle
structure
and
planning
1
2
Hazard and risk analysis
11
Verification
Allocation of
safety functions
to protection layers
3 Safety requirements
specification for the
safety instrumented system
4
Design and
engineering of
safety instrumented system
Design and
development
of other means
of risk reduction
5 Installation, commissioning
and validation
6 Operation and maintenance
25
7
Modification
8
Decommissioning
HONEYWELL - CONFIDENTIAL
File Number
Standards Compliance
• Target SIL must be specified for each SIF
based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component.
26
HONEYWELL - CONFIDENTIAL
File Number
FS Management System - TÜV Certification
Planning
SIS Order
Received
Customer
Specifications
H/W checklist
S/W checklist
Document
Templates
Execution Plan
V & V Plan
Design Plans
Imperium Proj.
P2
Plan Project
Hardware Design
SRS
H/W Checklist
TIR’s
Completed H/W &
S/W checklists
P1
Review Customer
Specifications
H2
Order Hardware
(preliminary)
SRS (Approved)
Sys H/W Spec
Factory Drgs
SRS
FL Spec Template
S/W checklist
H/W checklist
H3
Verify Sys
H/W Spec &
Fact’y Dwgs
Safety Manual
Function Block
Library
S2
Configure &
Test Function
Blocks
PFD Calcs
Sys H/W Spec
(Approved)
Firm Hardware
Order
SRS
(Approved)
S3
Finalise Functional
Logic Spec
S4
Verify
Functional
Logic Spec
S/W checklist
H/W checklist
Int. Acceptance
Test Report
Assembled
Hardware
H4
Build, Deliver &
Test Hardware
(factory)
S1
Design Software
Hardware Order
on Factory
Hardware Implementation
Certified Design &
Build. Procedures
• See HPS TÜV Certificate
Software Design
System Hardware
Specification
H1
Design Hardware
Verified Func
Blocks
Func block test
sheets
FL Spec
(Approved)
Completed FL Rev
Checklist
Software Implementation
Failsafe Control
Integration
Guidelines
FAT Procedure
(Power-up
section)
H5
Integrate Factory
Hardware &
Marshalling
FL Spec
SRS (Approved)
Completed
FAT Power-up
Checklist
H6
Hardware
PreFAT
Code Walkthrough
Checklist
H/W Ready for
Integration
S5
Configure
Software on
Devel’t System
S6
Code
Walkthrough
S/W Ready for
Integration
Integration
FAT Procedure
(Pre-FAT)
N1
Integration &
Pre-FAT
FAT Procedure
System H/W Spec
FL Spec, SRS
N2
Factory
Acceptance
Test FAT)
Installation
Drawings
N3
Install Logic
Solver On Site
N4
Logic Solver
Site Accept.
Test (SAT)
SAT Procedure
N5
Install, Connect &
Test Field Equip.
& Control System
(by others)
Completed FAT
Proc Checklists
(FAT Report)
Completed SAT
Proc Checklists
(SAT Report)
Completed System
Ready for Safety
Validation
Configured
Software
Code Walkthrough
Report
• Covers compliance to
IEC 61508 & IEC 61511
• Periodic audits and
renewal
• Need comparable
processes for other
phases.
As Builts
N6
Safety Validation & Commissioning
(Led by Customer, with Honeywell input)
27
HONEYWELL - CONFIDENTIAL
File Number
Standards Compliance
• Target SIL must be specified for each SIF
based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component.
28
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 6 PFD Calculation
LZHH
2
SIL 2
LZT
2
PSV-1
H
LIC
1
300t LPG
Product
Feed
P-2
P-1
• What is calculated PFDave for SIF LZHH2?.
29
HONEYWELL - CONFIDENTIAL
File Number
Safety Integrity Level vs. PFDave
Probability of Failure
on Demand (PFDavg)
Safety
Availability
SIL
Risk Reduction
Factor
4
>10,000
≥ 10-5 < 10-4
> 99.99%
3
1,000 - 10,000
≥ 10-4 < 10-3
99.9 - 99.99%
2
100 - 1,000
≥ 10-3 < 10-2
99 - 99.9%
1
10 - 100
≥ 10-2 < 10-1
90 - 99%
-
(Control < 10)
= 1 / RRF
= 1 - PFDavg
Implementation Focus
30
HONEYWELL - CONFIDENTIAL
File Number
Approximation to PFDave
1
Probability
item
has failed
PFD(t)
~
~
PFD average
time t
0
TI = test interval
PFD average = lDU TI / 2
Remember this!
where lDU = Dangerous Undetected failure rate
31
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 6 PFD Calculation
• Test interval = 1 y
LZV 2
• Reliability data:
- Valve:
- Logic solver:
- Sensor:
λDU = 1/10y (= 0.1 y-1)
λDU = 1/1000y (= 0.001 y-1)
λDU = 1/100y (= 0.01 y-1)
LZHH
2
LZT
2
• PFDave = λDU x TI / 2
= 0.1 x 1 / 2 = 0.05 for valve
0.001 x 1 / 2 = 0.0005 for logic solver
0.01 x 1 / 2 = 0.005 for transmitter
Total PFDave = 0.05 + 0.0005 + 0.005 = 0.0555
• Calculated SIL = 1 (PFDave range 0.01 – 0.1)
• Required SIL = 2 Not OK!
• How can this be fixed?
32
HONEYWELL - CONFIDENTIAL
File Number
Effect of Test Interval on PFDave
1
Probability
item
has failed
PFD(t)
~
~
Average PFD
0
TI (Test Interval)
1
PFD(t)
~
~
Average PFD
0
TI
TI
TI
TI
time t
33
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 7a Adjust Test Interval
• Test interval = 1 month
LZV 2
• Reliability data:
- Valve:
- Logic solver:
- Sensor:
λDU = 1/10y (= 0.1 y-1)
λDU = 1/1000y (= 0.001 y-1)
λDU = 1/100y (= 0.01 y-1)
LZHH
2
LZT
2
• PFDave = λDU x TI / 2
= 0.1 / 12 / 2 = 0.004 for valve
0.001 / 12 / 2 = 0.00004 for logic solver
0.01 / 12 / 2 = 0.0004 for transmitter
Total PFDave = 0.004 + 0.00004 + 0.0004 = 0.00444
• Calculated SIL = 2 (PFDave range 0.001 – 0.01)
• Required SIL = 2 OK
• BUT operations object to monthly testing !.
34
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 7b Duplicate Block Valves
• Test interval = 1 year
LZV 2A LZV 2B
• Reliability data:
- Valve:
- Logic solver:
- Sensor:
λDU = 1/10y (= 0.1 y-1)
λDU = 1/1000y (= 0.001 y-1)
λDU = 1/100y (= 0.01 y-1)
LZHH
2
LZT
2
• For 2 valves 1oo2 voting: PFDave = (0.1 x 1 / 2)2
= 0.0025
• PFDave = 0.0025 + 0.0005 + 0.005 = 0.0080
• Calculated SIL = 2 (PFDave range 0.001 – 0.01)
• Required SIL = 2 OK .
35
HONEYWELL - CONFIDENTIAL
File Number
Standards Compliance
• Target SIL must be specified for each SIF
based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component.
Is one transmitter enough or do we need two?
36
HONEYWELL - CONFIDENTIAL
File Number
Architectural Constraints
• Aim is to avoid unrealistic reliability claims
- From single devices (“elements”)
• Constrains SIF architecture based on:
- Safe Failure Fraction
- Complexity of device (“Type A” or “Type B”)
- Target SIL
• Outcome is required Hardware Fault Tolerance
- No. of voted devices minus 1 (typically)
• Use Tables in IEC61508 part 2
- IEC61511 has simplified requirements.
37
HONEYWELL - CONFIDENTIAL
File Number
Safe Failure Fraction
• Safety valve, normally open & normally energized
• In case of an out of control process, the valve has to close
Undetected
SAFE
Closes
spontaneously
due to loss
of energy
DANGEROUS
Stuck at
open
38
HONEYWELL - CONFIDENTIAL
SAFE
Detected
by voltage control
Detected
by diagnostics
Undetected
File Number
Architectural Constraints – IEC61508.2
Table 2:
Type A subsystems – e.g. pressure switch
Safe failure fraction
Hardware fault tolerance
< 60 %
60 % - 90 %
90 % - 99 %
≥ 99 %
Table 3:
0
SIL1
SIL2
SIL3
SIL3
1
SIL2
SIL3
SIL4
SIL4
2
SIL3
SIL4
SIL4
SIL4
Type B subsystems – e.g. Logic Solver, Smart Tx
Safe failure fraction
Hardware fault tolerance
0
< 60 %
Not allowed
60 % - 90 %
SIL1
SIL2
SIL3
90 % - 99 %
≥ 99 %
1
SIL1
SIL2
SIL3
SIL4
2
SIL2
SIL3
SIL4
SIL4
Independent Channels Required = Hardware Fault Tolerance + 1
39
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 8 Architectural Constraints
LZHH
2
LZT
2
PSV-1
H
LIC
1
300t LPG
Product
Feed
P-2
P-1
• Transmitter LZT 2 is a smart radar gauge
• Can we use single transmitter to satisfy SIL 2?
• Must also check for logic solver and valve.
40
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 8 Architectural Constraints
• Smart Transmitter = Type B device
- Use Table 3 in IEC61508.2
• Safe Failure Fraction = 91.8%
- From TÜV Certificate
• For SIL 2, required Hardware Fault Tolerance = 0
• Therefore one transmitter is ok for SIL 2.
Table 3:
Type B subsystems – e.g. Logic Solver, Smart Tx
Safe failure fraction
Hardware fault tolerance
0
Std Tx
LTZ 2
< 60 %
Not allowed
60 % - 90 %
SIL1
SIL2
SIL3
90 % - 99 %
≥ 99 %
41
HONEYWELL - CONFIDENTIAL
1
SIL1
SIL2
SIL3
SIL4
2
SIL2
SIL3
SIL4
SIL4
File Number
Architectural Constraints for Logic Solver
• E.g. Honeywell FSC and Safety Manager logic solvers
• 1oo2D architecture OR 2oo4D architecture
• All have 99% safe failure fraction
- Hence all are “SIL 3 capable”
• 2oo4D has lower spurious trip rate, but costs more.
Table 3:
Type B subsystems – e.g. Logic Solver, Smart Tx
Safe failure fraction
Hardware fault tolerance
0
< 60 %
Not allowed
60 % - 90 %
SIL1
SIL2
SIL3
90 % - 99 %
FSC, SM
42
≥ 99 %
HONEYWELL - CONFIDENTIAL
1
SIL1
SIL2
SIL3
SIL4
2
SIL2
SIL3
SIL4
SIL4
File Number
Standards Compliance
• Target SIL must be specified for each SIF
based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component
How likely is it that each component is free from
systematic faults (“bugs”) ?
43
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 9 – Transmitter Selection
• Must control systematic faults
• Transmitter selected must comply with IEC61508
and IEC61511
• Must either be:
- Proven in use:
 Comparable application
 Sample size sufficient for 70% confidence level
 All failures documented
or
- Designed and manufactured in accordance with IEC 61508
 Confirmed by independent certificate (e.g. by TÜV)
 “SIL x Capable”.
44
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 9 - Transmitter TÜV Certificate
45
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 9 - Transmitter TÜV Certification Mark
46
HONEYWELL - CONFIDENTIAL
File Number
Standards Compliance
• Target SIL must be specified for each SIF
based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component
• Design now complies.
47
HONEYWELL - CONFIDENTIAL
File Number
5 Installation, Commissioning, Validation
• Logic Solver installed with field equipment
• Includes loop checking, validation and final
functional safety assessment.
10
9
Management
of functional
safety and
functional
safety
assessment
and auditing
Safety
life-cycle
structure
and
planning
1
2
Hazard and risk analysis
11
Verification
Allocation of
safety functions
to protection layers
3 Safety requirements
specification for the
safety instrumented system
4
Design and
engineering of
safety instrumented system
Design and
development
of other means
of risk reduction
5 Installation, commissioning
and validation
6 Operation and maintenance
48
7
Modification
8
Decommissioning
HONEYWELL - CONFIDENTIAL
File Number
Standards Compliance
• Target SIL must be specified for each SIF
based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component
• Verification, Validation, Functional Safety
Assessment.
49
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 10 Verification and Validation
• Verification and Validation Plan for project
 V&V Plan Template
 SIL 2 independence required (i.e. independent engineer)
 Define responsibilities
• Verify Safety Requirements Specification
• Verify hardware design documents
• Verify functional specifications etc
• Implement code walkthrough
• Logic Solver Factory Acceptance Test
- Complete integration test of application software on target
hardware
• Logic Solver Site Acceptance Test
- Power up test on site
• Safety Function Testing
• Functional Safety Assessment.
50
HONEYWELL - CONFIDENTIAL
File Number
6 Operations, Maintenance and Modification
• The Cinderella Phases !
• User must follow a Functional Safety Management
System for the life of the SIS.
10
9
Management
of functional
safety and
functional
safety
assessment
and auditing
Safety
life-cycle
structure
and
planning
1
2
Hazard and risk analysis
11
Verification
Allocation of
safety functions
to protection layers
3 Safety requirements
specification for the
safety instrumented system
4
Design and
engineering of
safety instrumented system
Design and
development
of other means
of risk reduction
5 Installation, commissioning
and validation
6 Operation and maintenance
51
7
Modification
8
Decommissioning
HONEYWELL - CONFIDENTIAL
File Number
Ops and Maintenance Obligations
• Proof test each SIF at specified interval
• Monitor design assumptions
- Demand rates
- Component reliability
• Adjust test interval to suit
• Control modifications
• Ensure Maintenance and Operational Overrides are
used as designed
• Monitor and promptly follow-up diagnostics.
52
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 9 Operation and Maintenance
• Risk analysis assumed:
Mechanical: PSV
Target:
1 per 10,000y
X 100
Hazardous
Event !!
SIF: LZHH
SIL 2
X 100
Risk Reduction
Alarm
LAH
Required:X
10,000
Control System
(BPCS)
Hazardous Situation
- Demand on SIS once per year
- What happens in practice?
• SIL verification assumed:
- Transmitter failure rate 0.01 y-1
- What happens in practice?
• Etc etc . . .
1 per y
Process
• Must verify actual performance
against assumptions and
adjust testing as required
LZHH
2
LZT
2
• Documentation of assumptions
is critical.
PSV-1
H
LIC
1
300t LPG
Product
Feed
P-1
53
P-2
HONEYWELL - CONFIDENTIAL
File Number
Case Study: 12 - Modification
• LZHH logic needs modification after commissioning
• Validation needed depends on highest SIL in that SIS !
TECHNIQUE / MEASURE
Ref
SIL 1
SIL 2
SIL 3
SIL 4
1 Impact Analysis
B.35
HR
HR
HR
HR
2 Re-verify Changed Module
B.35
HR
HR
HR
HR
3 Re-verify Affected Modules
B.35
R
HR
HR
HR
4 Revalidate Complete System
B.35
---
R
HR
HR
5 Software Configuration Management
B.56
HR
HR
HR
HR
6 Data Recording and Analysis
B.13
HR
HR
HR
HR
During early design consider splitting SIL 2 and SIL 3 systems.
54
HONEYWELL - CONFIDENTIAL
File Number
Summary 1 – The SIS Lifecycle
10
9
Management
of functional
safety and
functional
safety
assessment
and auditing
Safety
life-cycle
structure
and
planning
Engineering Contractor
1
2
Hazard and risk analysis
End User
55
Verification
Allocation of
safety functions
to protection layers
3
Safety requirements
specification for the
safety instrumented system
4
SIS Vendor
11
Design and
engineering of
safety instrumented system
Design and
development
of other means
of risk reduction
5
Installation, commissioning
and validation
6
Operation and maintenance
7
Modification
8
Decommissioning
HONEYWELL - CONFIDENTIAL
File Number
Summary 2 – Requirements
• Target SIL must be specified for each SIF
based on hazard and risk analysis
• Processes for SIS throughout lifecycle must comply
• Each SIF must meet target SIL requirements for:
- Architectural constraints
- Random failure rate (PFDave)
- Development process for each component
• Not just TÜV certification
- Though it helps !
• Not just meeting PFDavg target
• Don’t forget spurious trip rate! .
56
HONEYWELL - CONFIDENTIAL
File Number
Thank You...
Questions?
58
HONEYWELL - CONFIDENTIAL
File Number

similar documents