ISA Seminars on the Web Live Experts on Hot Topics

Transcription

1 ISA Seminars on the Web Live Experts on Hot Topics Standards Certification Education and Training Publishing Conferences and Exhibits CSE PE Exam Review: Safety Systems EN00W6 Version Standards Certification Education and Training Publishing Conferences and Exhibits 1

2 Seminar Logistics Seminar materials Downloadable presentation Question and Answer session (audio and ) Survey Earn 1 Professional Development Hour (PDH) Seminar length 60 minute presentation Three 10-minute question and answer sessions Audio Instructions As a participant, you are in a listen-only mode. You may ask questions via the internet, using your keyboard, at any time during the presentation. However, the presenter may decide to wait to answer your question until the next Q&A Session. If you have audio difficulties, press *0. 2

3 Audio Instructions for Q&A Sessions Questions may be asked via your telephone line. Press the *1 key on your telephone key-pad. If there are no other callers on the line, the operator will announce your name and affiliation to the audience and then ask for your question. If other participants are asking questions, you will be placed into a queue until you are first in line. While in the queue, you will be in a listen-only mode until the operator indicates that your phone has been activated. The operator will announce your name and affiliation and then ask for your question. Introduction of Presenter Gerald Wilbanks, P.E. Vice President of Documentation and Engineering Services in Birmingham, Alabama has over 40 years of experience in engineering, management, consulting, and design in heavy industry. He is a registered professional engineer in 4 states, a member of NSPE, ASQ, and an International Former President (1995) of ISA. Gerald is a graduate of Mississippi State University with a Bachelors Degree in Electrical Engineering and was recognized as the Engineer of the Year in 1991 by the Engineering Council of Birmingham. He is a Distinguished Engineering Fellow of Mississippi State University and is a Life Fellow member of ISA. He has served as an instructor in many courses, seminars, and other educational sessions for ISA and in his own business. 3

4 Key Benefits of Seminar Identify areas of focus for more effective studying to assist with passing the PE examination Explain the basics of safety instrumented systems Discuss Safety Integrity Level Review meaning and use of Reliability Calculate Probability of Failure on Demand Definition of Risk Reduction Factor Safety Systems (Domain V) represents about 12 questions or 15% of the CSE PE exam Typical Control Loop Manipulated Variable Process Controlled Variable Signal Based on Error or Deviation and Effects of Control Modes Final Control Element Set Point Controller Transmitted Signal Transmitter Sensor 4

5 Section 1: Safety Systems Basics Description of safety instrumented systems Risk and sources Design Documentation Safety Layers and standards Safety Instrumented System (SIS) A system composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when pre-determined conditions are violated. Safety Instrumented System (SIS) Inputs Outputs Basic Process Control System (BPCS) Inputs Outputs PT 1A PT 1B T-1 S FT 1 SDV 1 LV 1 5

6 Incident Occurrence By Phase Changes After Commissioning 20% Operations & Maintenance 15% Incorrect & Incomplete Specification 44% Installation & Commissioning 6% Design & Implementation 15% From Out Of Control (A compilation of incidents involving control systems) by the United Kingdom Health and Safety Executive (UK HSE) SIS Design Documents UK HSE: PES Programmable Electronic Systems for Use in Safety Related Applications, 1987 American Institute of Chemical Engineers, Center for Chemical Process Safety (AIChE, CCPS): Guidelines for Safe Automation of Chemical Processes, 1993 ANSI/ISA (IEC 61511): Functional safety: Safety Instrumented Systems for the process industry sector, 2004 International Electrotechnical Commission (IEC) Functional Safety - Safety Related Systems,

7 What is at Risk? SISs are used to protect: Personnel Safety system are installed to reduce risk Safety Layers Community Emergency Response Plant Emergency Response Physical Protection (Dikes) Physical Protection (Relief Devices) Safety Instrumented System Alarms, Operator Intervention Basic Process Control Process Defense in depth, or, don t put all your eggs in one basket. 7

8 Risk Reduction Residual Risk Level Tolerable Risk Level Risk inherent in the process Other Mech. SIS Alarms BPCS Process Risk Doing more in one box doesn t make it perform better Scope of Standards Covers specification, design, installation, operation and maintenance Specifies requirements, but not who is responsible for implementing them Applies to a wide variety of industries within the process sector: Chemicals, oil refining, oil and gas production, pulp and paper, non-nuclear power generation Certain industries may have additional requirements (ISA84, Section 1) 8

9 Management of Functional Safety Policy and strategy for achieving safety Persons/departments shall be identified and responsibilities assigned Persons shall be competent Engineering knowledge, training & experience (with the process, logic system technology, field devices, regulations, leadership skills, etc.) Assessments / audits To make a judgment on the functional safety achieved by the system At least one assessment carried out prior to hazards being present (ISA84, Section 5) Review of Key Points A safety instrumented system (SIS) is a separate and distinct layer of controls from the Basic Process Control System (BPCS) Safety Instrument Systems are for the protection of human life, equipment, environment, and the public Industrial incidents are the failure of several different elements Risk mitigation is documented by various standards Risk reduction can be accomplished in various levels of instrumentation Risk is reduced by following proven methodologies 9

10 Live Question and Answer Session During Q&A, questions may be asked via your telephone line. Press the *1 key on your telephone key-pad. If there are no other callers on the line, the operator will announce your name and affiliation to the audience and then ask for your question. If other participants are asking questions, you will be placed into a queue until you are first in line. While in the queue, you will be in a listen-only mode until the operator indicates that your phone has been activated. The operator will announce your name and affiliation and then ask for your question. Section 2: Safety Systems Design Overall safety system life cycle Risk analysis and types Safety systems levels and classifications Failure Modes Risk Reduction Factor (RRF) 10

11 Safety Design Life Cycle No detailed requirements given Detailed requirements given Other Means of Risk Reduction (9) Hazard & Risk Analysis (8) Allocation of Safety Layers (9) Develop Safety Req s Spec (10 & 12) Design & Engineering (11 & 12) Installation, Commissioning & Validation (14 & 15) Operations & Maintenance (16) Modification (17) Decommission (18) Steps performed throughout Management, Assessment, Auditing (5) Verification (7) (ISA84, Section 6) Risk Analysis Risk is a function of frequency (probability, likelihood) and severity (consequences) How often, and how bad The process industry was not the first group that needed to assess risk Military, nuclear 11

12 Overall Risk Low Risk Medium Risk High Risk High risk: Unacceptable design Change required Medium risk: Questionable design Change desirable Low risk: Acceptable design No change required Allocation of Safety Functions to Layers Allocation of safety functions to protection layers Determine the required safety instrumented functions Determine the SIL for each SIF SIL is a discrete number (1-4) specifying the performance of the SIF High risk does not necessarily lead to high SIL. There are other factors to consider (e.g., # of independent protection layers). (ISA84, Section 9) 12

13 Safety Integrity Levels Safety Integrity Level Probability of Failure on Demand (PFD) Risk Reduction Factor (1/PFD) Safety Availability (1-PFD) to <.0001 > 10,000 to 100,000 > to to <.001 > 1,000 to 10,000 > 99.9 to to <.01 > 100 to 1,000 > 99 to to <.1 > 10 to 100 > 90 to 99 0 Control (N/A) For Demand Mode of operation Failure Modes With a safety system, the concern shouldn t so much be with how the system operates, but rather how the system fails. Safety systems can fail in two ways: Safe failures Initiating Overt Spurious Costly downtime Dangerous failures Inhibiting Covert Potentially dangerous Must find by testing D x U = 13

14 SIS Safety Requirements Develop the safety requirements specifications Definition of safe state of process Common cause failures Process inputs to SIS and trip points Process outputs from SIS and action required Functionally logic required Response time requirements Manual shutdown Response action to a logic failure Human machine interface (HMI) requirements Reset functions ISA84 Section 10 SIS Safety Requirements (cont d) Determined safety integrity requirements: The SIL of each function Reliability considerations if spurious trips may be hazardous ISA84 Section 10 14

15 Shutdown Systems Also called: Interlocks, protective systems, safety systems, safety interlock systems (SIS), emergency shutdown systems (ESD) When should systems be separate? When they protect or ensure: Human life Equipment damage Environmental damage Product quality Equipment protection Insurability Down Time vs. Repair Time Down time Realization Access Diagnosis Spares Replace Check Repair time In some cases MDT and MTTR are the same In others they are very different The realization time may be the largest factor 15

16 Integrated SD System Segregated SD System 16

17 SIS Definitions All stuff fails. Some stuff fails and you know it right away like a blowout like a blown fuse. Some stuff fails while in service, like a car battery. You learn about it when you ask for it to be used once again. In the SIS world, we characterize the statistics of the first type of failure with LAMBDAs for the safe failure rate. The second type of failure is covert and dangerous, since you have no warning that it has occurred. Here we use LAMBDAd for the dangerous failure rate. SIS Definitions RRF Risk Reduction Factor SIS Safety Instrumented System an active independent layer of protection created by instrumentation SIF Safety Instrumented Function example on HIHI temperature shuts down the feeds and applies cooling SIL Safety Integrity Level A SIL I design has an RRF characterized by 10<= RRF < 100. A SIL II design has an RRF characterized by 100<= RRF < A SIL III design has an RRF characterized by 1000<= RRF < A SIL IV design has an RRF characterized by < = RRF <

18 Safety Instrumented Systems For the SIS, there are two kinds of failures, those that fail dangerously and those that fail safe. Bad news, those that fail safe shutdown your plant. Those that fail dangerous, may not shutdown your plant and like a failed car battery that started a running engine, you can t tell that they happened. The SIS is there to protect you. We are after computing, PFD, Probability of Failure on Demand which is associated with LAMBDAd, the undetected unsafe failure of a device. LAMBDAd came out of Aero-Space and MIL Spec efforts. These tools have been used to evaluate design alternatives. They are well understood and accepted. Now we will use them in the process industry to design and maintain our SIS. Bath Tub Curve λ λ Life Time Failure rate = # of failures / unit of time Constant failure rate assumed for normal life of device MTTF = 1 / failure rate MTTF and Life are not the same 18

19 Where do Failure Rates come from? Calculation techniques (MIL HDBK 217)... a reliability prediction should never be assumed to represent the expected field reliability as measured by the user... (MIL HDBK 217F, Paragraph 3.3) Predictions can then be made for: Components Modules Complete System Class Example 1 - Failure Rate & MTTF 100 switches are checked annually 10 are found to be not working (i.e., suffered dangerous failures) What is the failure rate and MTTF? Failure rate = # of failures/total time = 10 failures / 100 years = 1 failure / 10 years 19

20 Class Example 1 - Failure Rate & MTTF (cont d) Failure rates, however, are normally expressed as failures per hour, therefore: since 1 year = 8,760 hours 1 failure / 87,600 hours, becomes 1.14 E- 5 failures / hour MTTF (which is normally expressed in years) = 10 years Review of Key Points Risk is the function of Frequency (Probability) and Severity (Consequences) Each Safety Instrument Function (SIF) should be classified by a Safety Integrity Level (SIL) Safety Systems can fail in two ways Safe and Dangerous Undetected There are several types of shutdown systems Reliability is of prime concern (mean time to fail and mean time to repair) There are four Safety Integrity Levels with values for Probability of Failure on Demand (PFD) and Risk Reduction Factor (RRF) 20

21 Live Question and Answer Session During Q&A, questions may be asked via your telephone line. Press the *1 key on your telephone key-pad. If there are no other callers on the line, the operator will announce your name and affiliation to the audience and then ask for your question. If other participants are asking questions, you will be placed into a queue until you are first in line. While in the queue, you will be in a listen-only mode until the operator indicates that your phone has been activated. The operator will announce your name and affiliation and then ask for your question. Section 3: Safety System Implementation Role of reliability in implementation Safety logic and use of fault trees Systems applied to logic solving Safety Integrity Level (SIL) Probability of Failure on Demand (PFD) 21

22 Reliability Block Diagrams A graphical way to represent system operation/ failure A B C D E F G The system would fail if either A, B, or G individually failed, or if the combination of either C & D, or E & F failed Reliability We are after a consistent way to model our systems so that we measure how good is the design. In addition we wish to tie a feedback loop around the actual performance to determine if we have achieved what we set out to accomplish. Reliability/Availability Mean time to failure MTTF Mean time to repair MTTR Mean time between failures MTBF Failure modes 22

23 Hardware Availability Availability = Uptime / Total Time = Uptime / (Uptime + Downtime) = MTTF / (MTTF + MDT) where: MTTF = 1/λ Many vendors substitute MTTR for MDT. This is only valid for safe failures! Notes: A Safe = MTTF s / (MTTF s + MTTR) This formula is only valid for simplex (non-redundant) systems Failure rates must be split between the two failure modes, safe and dangerous. Down Time vs. Repair Time Down time Realization Access Diagnosis Spares Replace Check Repair time In some cases MDT and MTTR are the same In others they are very different The realization time may be the largest factor 23

24 Hardware Safety Availability For dangerous faults, downtime must include not only the repair time, but the realization time - the time before you are even aware that a problem exists This can be represented by the test interval (TI) A Dang = MTTF d /(MTTF d + TI/2 + MTTR) Notes: This formula is only valid for simplex (non-redundant) systems Failure rates must be split between the two failure modes Reliability Block Diagram Math The math associated with RBDs is simply adding or multiplying probabilities A B C D You add probabilities of items in series You multiply probabilities of items in parallel 24

25 Fault Trees Fault tree elements Reliability block diagrams AND Parallel OR Series Fault Tree Examples Power failure Fire water deluge fails Main power supply Standby generator Fire detector Fire panel Fire pump PSU Standby Detect Panel Pump Circles represent basic events Rectangular boxes serve as descriptions 25

26 Simplex System Performance Probabilities Safe Dangerous A Dual System Performance Probabilities A B (1oo1) 1oo2 Safe Dangerous A B 2oo

27 Triple System Performance Probabilities Safe Dangerous A B C Majority Vote (1oo1) (1oo2) (2oo2) 2oo3 Vote Basic Reliability Formulas Configuration MTTFsp PFD 1oo1 1 / λ λ s du * (TI/2) 1oo2 1 / (2 λ s) (( λ du ) 2 * (TI) 2 ) / 3) 2 2oo2 1 / (2(λ s ) * MTTR) λ du * TI 2oo3 1 / (6 (λ 2 s) * MTTR) ( λ ) 2 * (TI) 2 du Where: λ λ = Failure rate MTTR = Mean Time To Repair TI = Test Interval s = Safe failure du = Dangerous undetected failure Note: These formulas are valid as long as λ << TI 27

28 Summary: Reliability Reliability/Availability Mean time to failure MTTF Mean time to repair MTTR Mean time between failures MTBF Failure modes Probability Theory Applied to the SIS We will break the SIS into its respective pieces. Each independent of each other. Our goal is to understand how improving the LAMDAd of a major piece, either by adding better devices, more devices, voting, etc. will improve the SIS performance. Using this tool, we can say that one design is better that another, by how much, and we can use the mathematics to calculate an ROI on improvements to the RRF. 28

29 SIS Block Diagram SIS Block Diagram These are the independent major pieces. Each has its own LAMBDAd. InputLAMBDAd LogicLAMBDAd OutputLAMBDAd 29

30 Safety Integrity Levels (SIL) Safety Integrity Levels are defined in ANSI/ISA with performance requirements. There are four SILs defined with the corresponding Probability of Failure on Demand (PFD). The Risk Reduction Factor (RRF) is the reciprocal value of PFD (1/PFD). The Safety Integrity Level of a system is based on the reliability data on all the components involved. How to Calculate the PFD of an SIS For our process systems the model uses the equation: PFD = Probability of Failure on Demand 30

31 SIL Performance Requirements SIL 4- Safety Availability : % PFD : RRF : 10,000 to 100,000 SIL 3- Safety Availability : % PFD : RRF : 1,000 10,000 SIL 2- Safety Availability : % PFD : RRF : SIL 1- Safety Availability : 90 99% PFD : RRF : Review of Key Points Mean Time To Fail (MTTF) is the inverse of the Failure Rate, Lambda (λ) Instrument Availability is key to an operational safety system The Test Interval (TI) must be used in the calculations for PFD Reliability Block Diagrams (RBD) and Fault Trees may be used to depict safety logic The failure rates of the input device, logic solver, and output device must be combined to determine the system failure rate There are advantages an disadvantages of Simplex, Duplex, and Triple function arrangements Each circumstance and application will require a specific SIL 31

32 Live Question and Answer Session During Q&A, questions may be asked via your telephone line. Press the *1 key on your telephone key-pad. If there are no other callers on the line, the operator will announce your name and affiliation to the audience and then ask for your question. If other participants are asking questions, you will be placed into a queue until you are first in line. While in the queue, you will be in a listen-only mode until the operator indicates that your phone has been activated. The operator will announce your name and affiliation and then ask for your question. How Many People Are at Your Site? Poll Slide Click on the appropriate number indicating the number of people that are at your site. 32

33 Sample Exam Problem - #1 When considering a safety instrumented system, which of the following configurations is the safest (i.e., the one most likely to respond to a true demand)? a. 1 out of 1 b. 1 out of 2 c. 2 out of 2 d. 2 out of 3 Sample Exam Problem - #2 Shutdown systems are known by many different names and serve various functions in the plant operation. A safety instrumented system protects against all the situations below except. a. Personnel safety b. Environmental damage c. Excessive alarms d. Equipment distruction 33

34 Sample Exam Problem - #3 There are many factors to consider in designing safety systems for protection of personnel and equipment. The RISK of the system is a function of which two factors listed below: I. Probability of an event II. Cost of the system event III. Classification of the area of the event IV. Severity of an event a. I and II b. III and IV c. I and IV d. II and III Sample Exam Problem - #4 A SIL 3 interlock, RRF = 1250, is required to mitigate a Category I hazard to Category III. If the covert failure rates of the SIS loop components are as follows, recommend a test frequency: Inputs = 1.0 x10 5/hr Logic solver = 7 x10 10/hr Valves = 3.0 x10 5/hr a. Once every 40 hours b. Once every 80 hours c. Once every 336 hours d. Once every 600 hours 34

35 Related Courses from ISA Safety Instrumented Systems: Design, Analysis & Justification (EC50) All ISA courses are available any time as on-site training For more information: or (919) Other Related Resources from ISA Control Systems Engineering Study Guide, 5 th Edition by ISA Press The ISA (Parts 1-5) Safety Instrumented Functions (SIF) and Safety Integrity Level (SIL) Evaluation Techniques 35

36 Other Related Resources from ISA ISA Membership is just $100 per year, which includes free membership in two Technical Divisions (a $20 value) - one from each Department: Automation and Technology and Industries and Sciences. For more information: or (919) ISA Certifications Certified Automation Professionals (CAP ) Certified Control Systems Technician (CCST ) Please visit us online for more information on any of these programs, or call (919)

37 Please take our Web Seminar Survey via Zoomerang The seminar survey was sent to you via during the seminar. Please do not forget to complete the Zoomerang survey. 37