- Department of Control and
Report
VUT 6.4.2006

Functional safety of electrical safety-related devices

Functional safety
Part of the overall safety relating to the EUC and the EUC control system that depends on the correct functioning of the E/E/PE safety-related systems, safety-related systems based on other technologies and external risk reduction facilities.
ČSN EN 61508-4
Process.
Figure: time trace of a process parameter. DCS functionality keeps the parameter in normal behavior between the low control level and the high control level; above the high alarm level the operator takes action, if available; a wild process parameter leads to plant shut-down and mechanical safety action (if available).
Safety System.
Figure: the same time trace with the safety instrumented system added. DCS functionality covers normal behavior between the low and high control levels; at the high alarm level the operator takes action; above that lies the ESD-controlled trip level, where the safety instrumented system functionality acts; beyond it a wild process parameter leads to plant shut-down and mechanical safety action (if available).
Have You Been Asked This?
“How can you demonstrate that you are safe?”
Safety Issues for End User / Operators
• How do you demonstrate that your operations are ‘safe’?
• How do you demonstrate that your equipment is ‘safe’?
• How do you demonstrate that your safety and protective systems protect against your hazards?
You can answer these questions by demonstrating compliance with Industry Safety Standards:
IEC 61508 - Functional safety of electrical/electronic/programmable electronic safety-related systems
What is IEC 61508?
• An international standard relating to the Functional Safety of electrical / electronic / programmable electronic safety-related systems
  – Mainly concerned with E/E/PE safety-related systems whose failure could have an impact on the safety of persons and/or the environment
  – Could also be used to specify any E/E/PE system used for the protection of equipment or product
• It is an industry best practice standard to enable you to reduce the risk of a hazardous event to a tolerable level
Technologies Concerned
• E – Electrical: electro-mechanical / relays / interlocks
• E – Electronic: solid state electronics
• PES – Programmable Electronic Systems:
  – Programmable Logic Controllers (PLCs)
  – Microprocessor based systems
  – Distributed Control Systems
  – Other computer based devices (“smart” sensors / transmitters / actuators)
Features
• Generic Standard
• Guidance on the use of E/E/PES
• Comprehensive approach involving concepts of Safety Lifecycle and includes all elements of the protective system
• Risk-based approach leading to determination of Safety Integrity Levels (SILs)
• Considers the entire Safety Critical Loop
Generic and Application Sector Standards
IEC 61508 is the generic standard; the application sector standards derived from it include:
• IEC 61513: Nuclear Sector
• IEC 61511: Process Sector
• Medical Sector
• IEC 62061: Machinery Sector
IEC 61511
“Functional Safety: Safety Instrumented Systems for the Process Industry Sector”
Industries
Applies to a wide variety of industries across the process sector, including:
• Chemicals
• Oil refining
• Oil and gas production
• Pulp and paper
• Non-nuclear power generation
• Pharmaceuticals / Fine Chemicals
Scope
• Process (chemicals, oil & gas, paper, non-nuclear power generation)
• End-to-end safety instrumented system (SIS): hardware, software, management and human factors
• Full safety lifecycle - specification, design, integration, operation, maintenance
• Intended for integrators / users
  – not for equipment designers / vendors
Structure
IEC 61511 – Structure
Normative:
• Part 1 – “Framework, definitions, system, hardware and software requirements”.
Informative:
• Part 2 – “Guidelines for the application of IEC 61511-1”.
• Part 3 – “Guidance for the determination of safety integrity levels”.
IEC 61511
TITLE - “Functional Safety – Safety Instrumented Systems for the Process Industry sector”
• This international Standard gives requirements for the specification, design, installation, operation and maintenance of a safety instrumented system, so that it can be confidently entrusted to place and/or maintain the process in a safe state.
• This standard has been developed as a process sector implementation of IEC 61508.
Relationship IEC 61511 & IEC 61508
Similarities (IEC 61508 - IEC 61511)
• Whole safety lifecycle
  – Concept, Hazard & Risk Analysis and Design
  – through operation & maintenance to eventual decommissioning
• Safety requirements specification
• Safety integrity levels (SIL 1 to 4)
• End-to-end system
  – (Sensor via Logic to Actuator)
• Hardware reliability analysis (PFD)
• Management of functional safety
• Architectural constraints (fault tolerance)
Key Differences IEC 61511 (IEC 61508)
• Terminology
  – Process (EUC)
  – Basic Process Control System (EUC Control system)
  – Safety Instrumented System (E/E/PE safety-related system)
  – Safety Instrumented Function (Safety function)
• Presentation
  – less rigorous than IEC 61508
  – more guidance (especially in Parts 2 & 3)
Overall Safety Lifecycle in IEC 61508
Figure: the 16 phases of the overall safety lifecycle.
1 Concept
2 Overall Scope Definition
3 Hazard & Risk Analysis
4 Overall Safety Requirements
5 Safety Requirements Allocation
Overall Planning:
6 Overall Operation & Maintenance Planning
7 Overall Validation Planning
8 Overall Installation & Commissioning Planning
Realisation:
9 Safety Related Systems: E/E/PES – Realisation
10 Safety Related Systems: Other Technology – Realisation
11 External Risk Reduction Facilities – Realisation
12 Overall Installation & Commissioning
13 Overall Safety Validation
14 Overall Operation & Maintenance
15 Overall Modification & Retrofit (back to the appropriate Overall Safety Lifecycle Phase)
16 Decommissioning
IEC 61508 - ownership of phases
• PRE-DESIGN (Phases 1 to 5): End user / operator
• DESIGN AND INSTALLATION (Phases 6 to 13): Engineering Contractors / Equipment Supplier
• OPERATION (Phases 14 to 16): End user / operator
Pre-Design : Phases 1 - 5
1 : Concept
2 : Overall Scope Definition
3 : Hazard Risk Analysis
4 : Overall Safety Requirements
5 : Safety Requirements Allocation
Can you demonstrate that you have identified all your hazards?
Can you demonstrate that you are using adequate and correct methods of hazard protection?
Design & Implementation : Phases 6 - 13
Overall Planning:
6 : Overall Operations and Maintenance Planning
7 : Overall Validation Planning
8 : Overall Installation & Commissioning Planning
9 : Safety Related Systems : E/E/PES
10 : Safety Related Systems : Other Technology
11 : External Risk Reduction Facilities
12 : Overall Installation & Commissioning
13 : Overall Safety Validation
How do you ensure competencies for all these activities?
Can you demonstrate that you pass the necessary information into these activities?
Can you demonstrate that all necessary information has been passed to you from these activities?
Operation : Phases 14 - 16
14 : Overall Operations and Maintenance
15 : Overall Modification and Retrofit
16 : Decommissioning
Can you demonstrate that you maintain / test / analyse your protective systems correctly?
Can you demonstrate that you are in control of your modification process?
Supply Chain
Figure: which standard applies to each party in the supply chain.
IEC 61511:
• End User – Requirement Specification; Commissioning and Use
• System Designer – Integrator
IEC 61508:
• Sub-system Designer
• Component Manufacturer
Risk
What is Risk?
• The probable rate of occurrence of a hazard causing harm
AND
• the degree of severity of the harm
  – Qualitatively - Words
  – Quantitatively - Figures
Levels of Risk and ALARP (As Low As Reasonably Practicable)
Figure: the ALARP triangle, risk increasing from bottom to top.
• Unacceptable region: risk cannot be justified except in extraordinary circumstances.
• The ALARP or Tolerability region (risk is undertaken only if a benefit is desired): tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained. As the risk is reduced the less, proportionately, it is necessary to spend to reduce it further. The concept of diminishing proportion is shown by the triangle.
• Broadly acceptable region (no need for detailed working to demonstrate ALARP): negligible risk; necessary to maintain assurance that risk remains at this level.
Risk reduction: General concepts
Figure: a risk scale with increasing risk to the right. From left to right: actual risk remaining; risk to meet the level of safety; Plant Under Control risk. The gap between the Plant Under Control risk and the risk to meet the level of safety is the necessary minimum risk reduction; the gap between the Plant Under Control risk and the actual risk remaining is the actual risk reduction, made up of:
• partial risk covered by Other Technology safety-related systems
• partial risk covered by E/E/PES protective systems
• partial risk covered by External Risk Reduction Facilities
Together: risk reduction achieved by all protective systems & External Risk Reduction Facilities.
Extent of Safety Related System
Figure: the Equipment (plant) Under Control (EUC) with the programmable electronic safety-related system (PE SRS) spanning SENSOR – PROGRAMMABLE ELECTRONICS – ACTUATOR.
What is a Safety Related System (SRS)?
• Any system that implements safety functions necessary to achieve a safe state for the “Equipment Under Control”, or to maintain it in a safe state.
Hazard Identification and Risk Analysis
A typical methodology for Hazard Identification and Risk Analysis (by the end user):
• Hazard studies and HAZOPs
• Evaluate possible consequences
• Establish tolerable frequencies vs ALARP
• Build event chain
• Estimate demand rates
• Define protection required
• Specify required SIL
“Failure categories” in IEC 61508
• A = Random Hardware Failures
OR
• B = Systematic Failures
  – specification;
  – systematic hardware;
  – software;
  – maintenance;
  – all failures that are not random
Safety Integrity Level SIL
SIL   Low demand mode of operation              Continuous / high demand mode of operation
      (probability of failure to perform its    (probability of one dangerous failure
      designed function on demand, PFD)         per hour, PFH)
4     >= 10^-5 up to < 10^-4                    >= 10^-9 up to < 10^-8 h^-1
3     >= 10^-4 up to < 10^-3                    >= 10^-8 up to < 10^-7 h^-1
2     >= 10^-3 up to < 10^-2                    >= 10^-7 up to < 10^-6 h^-1
1     >= 10^-2 up to < 10^-1                    >= 10^-6 up to < 10^-5 h^-1
PFD = Probability of Failure on Demand; PFH = Probability of Failure per Hour
Risk and Determination of Safety Integrity Levels
Figure: risk matrix with Increasing Likelihood on one axis and Increasing Severity on the other. Labels recoverable from the figure: Basic Design (low-risk corner), No Protection, Unacceptable (high-risk corner).
Risk Reduction Requirements
Safety Integrity Level    Risk Reduction
1                         10 – 100
2                         100 – 1,000
3                         1,000 – 10,000
4                         10,000 – 100,000
Reliability, Failure Rate and Availability at each level
Level   Reliability        Probability of failure on demand   Trip Unavailable (per year)
SIL 1   90% - 99%          0.1 to 0.01                        876 to 87.6 hrs
SIL 2   99% - 99.9%        0.01 to 0.001                      87.6 to 8.76 hrs
SIL 3   99.9% - 99.99%     0.001 to 0.0001                    8.76 hrs to 52.6 mins
SIL 4   99.99% - 99.999%   0.0001 to 0.00001                  52.6 mins to 5.3 mins
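The SIL band table, the risk reduction table and the reliability/unavailability table above are four views of the same number, PFDavg (or PFH in continuous / high demand mode). The following is an added example, not code from the original slides: it converts a PFDavg or PFH into its SIL band using the band edges given above, and derives the risk reduction factor, the availability and the hours per year the trip is unavailable. The 8760-hour year (which is what the slide's 876 h figure implies) and all function names are assumptions of this example.

```python
"""Convert the failure measures of a safety function into the views used on
the slides: SIL band, risk reduction factor (RRF), availability and the hours
per year the trip is unavailable.

Added example, not from the original slides. Band edges are those of the
IEC 61508 SIL table (lower edge inclusive, upper edge exclusive). The
8760-hour year and the function names are assumptions of this example.
"""

HOURS_PER_YEAR = 8760.0  # 365 days x 24 h; 0.1 x 8760 = 876 h as on the slide

# Low demand mode: (SIL, PFDavg lower edge inclusive, upper edge exclusive)
PFD_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# Continuous / high demand mode: (SIL, PFH lower edge, upper edge), per hour
PFH_BANDS = [
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]


def _band_lookup(value, bands):
    """Return the SIL whose band contains value, or None when the value lies
    outside SIL 1-4 (no SIL claimable, or better than the SIL 4 band)."""
    if value <= 0:
        raise ValueError("failure measure must be positive")
    for sil, lower, upper in bands:
        if lower <= value < upper:
            return sil
    return None


def sil_from_pfd(pfd_avg):
    """SIL achieved by a low demand mode function with average PFD pfd_avg."""
    return _band_lookup(pfd_avg, PFD_BANDS)


def sil_from_pfh(pfh):
    """SIL achieved by a continuous / high demand mode function with PFH pfh."""
    return _band_lookup(pfh, PFH_BANDS)


def risk_reduction_factor(pfd_avg):
    """RRF = 1 / PFDavg: the hazard frequency is divided by this factor."""
    return 1.0 / pfd_avg


def availability(pfd_avg):
    """Fraction of time the protective function can answer a demand."""
    return 1.0 - pfd_avg


def trip_unavailable_hours_per_year(pfd_avg):
    """Expected hours per year during which a demand would not be answered."""
    return pfd_avg * HOURS_PER_YEAR


def sil_for_required_rrf(required_rrf):
    """Lowest SIL whose band delivers at least the required risk reduction.
    None when the requirement exceeds the SIL 4 band: change the process
    design or add other layers instead of specifying such a function."""
    return sil_from_pfd(1.0 / required_rrf)


def sil_summary(pfd_avg):
    """All views of one PFDavg, as a dict."""
    return {
        "pfd_avg": pfd_avg,
        "sil": sil_from_pfd(pfd_avg),
        "rrf": risk_reduction_factor(pfd_avg),
        "availability": availability(pfd_avg),
        "unavailable_hours_per_year": trip_unavailable_hours_per_year(pfd_avg),
    }


if __name__ == "__main__":
    # Reproduce the slide's reliability table rows from the band edges.
    for sil, lower, upper in reversed(PFD_BANDS):
        lo, hi = sil_summary(lower), sil_summary(upper)
        print(f"SIL {sil}: availability {hi['availability']:.3%} - {lo['availability']:.3%}, "
              f"PFD {upper:g} to {lower:g}, trip unavailable "
              f"{hi['unavailable_hours_per_year']:.2f} to {lo['unavailable_hours_per_year']:.2f} h/yr")
```

Note that a value sitting exactly on a band edge belongs to the lower SIL (10^-2 is SIL 1, not SIL 2), which is why a required risk reduction of exactly 100 is met by SIL 1 in this code while a target of 101 already needs SIL 2.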
Protective System Technology
SIL 1: Standard components, single channel or twin non-diverse channels
SIL 2: Standard components, 1 out of 2 or 2 out of 3, possible need for some diversity. Allowance for common-cause failures needed
SIL 3: Multiple channel with diversity on sensing and actuation. Common-cause failures a major consideration. Should rarely be required in Process Industry
SIL 4: Specialist design. Should never be required in the Process Industry
Determined to achieve the correct SIL level...
SIL assessment
• Various methods available:
  – Qualitative risk graph
  – Calibrated risk graph (methodology only – not definitive)
  – Layer Of Protection Analysis (LOPA)
  – Hazardous event severity Matrix
  – Quantified Risk Analysis (QRA)
• Which one to use? Develop your own?
Calculation of PFDavg
Distribution of the failure measures: 35 % Sensors + 15 % Logic solver + 50 % Final elements
(35 % of PFDavg: SE, sensors; 15 % of PFDavg: LS, logic solver; 50 % of PFDavg: FE, final elements)
PFD figures for a HIMA system, example (figure: 35 % / 15 % / 50 %)
Risk Graph acc. DIN V VDE 19250
Figure: risk graph. Risk parameters:
• Consequence: minor injury; death of 1 person; death of several people; disaster. Environmental consequence: no influence to the environment; periodic influence to the environment; permanent influence to the environment.
• Frequency & exposure time in the hazardous area: rare; frequent.
• Possibility of avoiding the hazardous event: possible; not possible.
• Probability of the unwanted occurrence: relatively high; slight; very slight.
The graph gives requirement classes (RC or AK) according to DIN V VDE 19250, mapped to Safety Integrity Levels (SIL) according to IEC 61508.
Concept of layers of protection acc. IEC 61511
LOPA (from the outermost layer inwards):
• COMMUNITY EMERGENCY RESPONSE – Emergency broadcasting
• PLANT EMERGENCY RESPONSE – Evacuation procedures
• MITIGATION – Mechanical mitigation systems; Safety instrumented control systems; Operator supervision
• PREVENTION – Mechanical protection system; Process alarms with operator corrective action; Safety instrumented control systems; Safety instrumented prevention systems
• CONTROL and MONITORING – Basic process control systems; Monitoring systems (process alarms); Operator supervision
• PROCESS
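The layers above can be carried through numerically, which is what the hazard identification methodology earlier on this page (estimate demand rates, establish tolerable frequencies, define protection required, specify required SIL) and the LOPA method in the SIL assessment list amount to: each independent layer is credited with a PFD, the residual frequency of the hazardous event is compared with the tolerable frequency, and the gap fixes the PFD, and hence the SIL, that a new safety instrumented function (SIF) must deliver; the 35 % / 15 % / 50 % split from the PFDavg slide then gives sensor, logic solver and final element their shares of that budget. The following is an added example, not code from the original slides or from IEC 61511: the initiating event frequency, the layers, their PFD credits and the tolerable frequency are constructed illustrative numbers, and the function names are the example's own.

```python
"""Worked LOPA calculation: required SIL for a safety instrumented function
(SIF), then allocation of its PFD budget across sensor, logic solver and
final element in the 35 % / 15 % / 50 % proportions from the PFDavg slide.

Added example, not from the original slides or from IEC 61511. The scenario
numbers are constructed for illustration; the credit claimable for a real
layer must be justified (independence, effectiveness, auditability).
"""

# IEC 61508 low demand SIL bands: (SIL, PFDavg lower edge inclusive, upper exclusive)
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# PFD budget split between the three subsystems of the loop (slide figure)
PFD_SHARE = {"sensor": 0.35, "logic solver": 0.15, "final element": 0.50}

# Constructed scenario: vessel overpressure after loss of level control.
INITIATING_EVENT_FREQUENCY = 1.0   # demands per year (assumed: BPCS loop failure)
TOLERABLE_FREQUENCY = 3e-6          # tolerable events per year (assumed end-user target)
EXISTING_IPLS = {                   # independent protection layers already present
    "process alarm with operator corrective action": 0.1,   # assumed credit
    "mechanical protection system (relief valve)": 0.01,    # assumed credit
}


def sil_from_pfd(pfd_avg):
    """SIL band containing pfd_avg, or None outside SIL 1-4."""
    for sil, lower, upper in PFD_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return None


def residual_frequency(initiating_frequency, ipl_pfds):
    """Event frequency after every independent layer has had its chance to
    act: each layer fails on demand with its PFD, so the factors multiply."""
    frequency = initiating_frequency
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("a layer's PFD must be a probability in (0, 1]")
        frequency *= pfd
    return frequency


def required_sif_pfd(initiating_frequency, ipl_pfds, tolerable_frequency):
    """PFD the added SIF must achieve; None when no SIF is needed because the
    existing layers already bring the frequency below the tolerable value."""
    residual = residual_frequency(initiating_frequency, ipl_pfds)
    if residual <= tolerable_frequency:
        return None
    return tolerable_frequency / residual


def required_sil(initiating_frequency, ipl_pfds, tolerable_frequency):
    """Dict with the required PFD, the SIL (None if no band applies) and a
    verdict. A required PFD below the SIL 4 band means the process design or
    the other layers must change; the slides note SIL 4 should never be
    required in the process industry."""
    pfd = required_sif_pfd(initiating_frequency, ipl_pfds, tolerable_frequency)
    if pfd is None:
        return {"pfd": None, "sil": None, "verdict": "no SIF required"}
    sil = sil_from_pfd(pfd)
    if sil is None:
        verdict = ("beyond SIL 4: change the process design or add other layers"
                   if pfd < 1e-5 else "less than SIL 1: a non-SIL layer is enough")
    else:
        verdict = f"SIL {sil}"
    return {"pfd": pfd, "sil": sil, "verdict": verdict}


def allocate_pfd_budget(sif_pfd_target, shares=PFD_SHARE):
    """Split the SIF's PFD target into subsystem targets by the given shares."""
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("shares must sum to 1")
    return {name: sif_pfd_target * share for name, share in shares.items()}


def design_meets_target(achieved_pfds, sif_pfd_target):
    """Series approximation: the loop fails if sensor, logic solver or final
    element fails dangerously, so subsystem PFDs add. Returns (total, ok)."""
    total = sum(achieved_pfds.values())
    return total, total <= sif_pfd_target


if __name__ == "__main__":
    result = required_sil(INITIATING_EVENT_FREQUENCY, EXISTING_IPLS.values(), TOLERABLE_FREQUENCY)
    print("verdict:", result["verdict"])
    if result["sil"] is not None:
        for subsystem, target in allocate_pfd_budget(result["pfd"]).items():
            print(f"  {subsystem:14s} PFDavg budget {target:.3g}")
```

With the constructed numbers the residual frequency is 1 x 0.1 x 0.01 = 10^-3 per year, so the SIF must contribute a PFD of 3 x 10^-6 / 10^-3 = 3 x 10^-3, which is SIL 2; the budget then puts about 1.05 x 10^-3 on the sensors, 4.5 x 10^-4 on the logic solver and 1.5 x 10^-3 on the final elements, and a design whose subsystem figures sum to less than 3 x 10^-3 passes the series check.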
Hazardous event severity Matrix