
Annual Meeting March 9-11, 2008 Manchester Grand Hyatt San Diego, CA

AM-08-25

Reliability and Availability: Lifecycle Lessons from Functional Safety

Presented By:
Iwan van Beurden, Director of Engineering, Exida, Sellersville, PA
William M. Goble, Principal Partner, Exida, Sellersville, PA
Chris O'Brien, Director of Business Development, Exida, Sellersville, PA

National Petrochemical & Refiners Association

1899 L Street, NW, Suite 1000, Washington, DC 20036-3896

202.457.0480 voice 202.457.0486 fax

www.npra.org

This paper has been reproduced for the author or authors as a courtesy by the National Petrochemical & Refiners Association. Publication of this paper does not signify that the contents necessarily reflect the opinions of the NPRA, its officers, directors, members, or staff. Requests for authorization to quote or use the contents should be addressed directly to the author(s)

Reliability and Availability Lifecycle Lessons from Functional Safety


Bill Goble, Principal Partner, exida, Sellersville, PA 18960, wgoble@exida.com
Chris O'Brien, Director of Business Development, exida, Sellersville, PA 18960, cobrien@exida.com
Iwan van Beurden, Director of Engineering, exida, Sellersville, PA 18960, vanbeurden@exida.com

Keywords
ANSI / ISA 84.00.01-2004, IEC 61508, IEC 61511, Safety Instrumented Systems, Safety Instrumented Functions, PFDavg, PFH, MTTFS, SIL verification

Abstract
With the adoption of the international functional safety standards IEC 61508 [1] and IEC 61511 [2], and the US version ANSI/ISA 84.00.01-2004 [3], many process plant operations are being challenged to determine whether they are in compliance. These new international and national standards have two basic purposes. First, to define the Safety Lifecycle, a practical methodology that defines the steps necessary to ensure overall plant safety for process plants. Second, to define how to determine the required level of risk reduction, necessary to reduce plant hazards, and the achieved level of risk reduction of the safety instrumented equipment. These levels of risk reduction are expressed in the Safety Integrity Level (SIL) parameter. The safety lifecycle process can be overwhelming at first, and one can argue that it places a tremendous emphasis on up-front engineering work. There are, however, many reasons why up-front engineering work will not only provide adequate risk reduction where necessary, but also assist in overall cost reduction for the implementation of functional safety. This paper discusses several aspects of cost reduction and of improvement in overall plant reliability and availability.

1 The Safety Lifecycle


The Safety Lifecycle is simply a practical methodology that defines the steps necessary to ensure overall plant safety for process plants. By defining a sequence of phases and the deliverables from each phase, the Safety Lifecycle helps prevent the failures that have been seen historically in industrial accidents. In addition, the safety lifecycle approach optimizes Safety Instrumented System design, as the design is matched to the process-specific risk reduction requirements. The essence is that the integrity of the safety provided is designed into a process or process unit instead of being added later on, when the process unit has already been fully designed. One widely referenced study that supports the use of a safety lifecycle for functional safety applications is Out of Control: Why Control Systems Go Wrong and How to Prevent Failure, from the Health and Safety Executive (HSE) in the UK [4]. This study documents the causes of industrial accidents involving control systems. The results of the study are shown in Figure 1.

AM-08-25 Page 1 of 8

Figure 1 Causes of Industry Accidents Involving Control Systems (pie chart; the shares shown in the figure are):
- Specification: 44%
- Changes after Commissioning: 20%
- Operation & Maintenance: 15%
- Design & Implementation: 15%
- Installation & Commissioning: 6%

One of the key findings in this study was that 44% of all accident causes originated in the specification phase of the control system. Beyond that there was no single major contributor; the remaining phases, design and implementation, installation and commissioning, operation and maintenance, and changes after commissioning, contributed roughly equally. This demonstrates that it is important not only to clearly define a system's requirements, but also to ensure functional safety during the remaining lifecycle phases. Consequently a lifecycle approach is required. Each of the functional safety standards, the international IEC 61508, the process industry specific IEC 61511, and the American ANSI/ISA 84.00.01-2004, describes in detail the steps of its specific safety lifecycle. Figure 2 shows the Safety Lifecycle as defined in IEC 61511 (and in ANSI/ISA 84.00.01-2004). The lifecycle can be divided into three main phases: the Analysis Phase, the Realization Phase and the Operation Phase.


Figure 2 ANSI/ISA 84.00.01-2004 Safety Lifecycle (diagram; the activities and the sub-clauses of the standard shown in the figure are listed here)

Activities spanning all phases:
- Management of Functional Safety and Functional Safety Assessment (Clause 5)
- Safety Lifecycle Structure and Planning (Sub-clause 6.2)
- Verification (Sub-clause 7, 12.7)

ANALYSIS:
- Risk Analysis and Protection Layer Design (Sub-clause 8)
- Allocation of Safety Functions to Safety Instrumented Systems or Other Means of Risk Reduction (Sub-clause 9)
- Safety Requirements Specification for the Safety Instrumented System (Sub-clause 10)

REALIZATION:
- Design and Development of Safety Instrumented System (Sub-clause 11)
- Design and Development of Other Means of Risk Reduction (Sub-clause 9)
- Installation, Commissioning, and Validation (Sub-clause 14)

OPERATION:
- Operation and Maintenance (Sub-clause 15)
- Modification (Sub-clause 15.4)
- Decommissioning (Sub-clause 16)

The Analysis Phase is focused on determining and documenting how much safety is needed. It involves process hazard identification and risk analysis. In the process hazard identification, performed for example by means of a HAZOP study, potential hazards, their causes, and available safeguards (if any) are identified. Next, the risk associated with each hazard is determined. Hazards with enough risk, i.e. a risk level higher than the tolerable risk level, may warrant the design of a Safety Instrumented Function (SIF) in order to achieve risk reduction. For hazards that require a Safety Instrumented Function, a target Safety Integrity Level (SIL) is assigned to the safety function according to risk reduction targets based on tolerable risk criteria [5]. As a reminder, the combination of Safety Instrumented Functions for a process or process unit makes up the Safety Instrumented System.

The Realization Phase is focused on the actual design and implementation of the system and documents the safety achieved with the actual design. A Safety Instrumented Function is designed for each hazard to meet the specified target Safety Integrity Level. The design process involves many decisions, such as the selection of the technology to be used, the selection of particular pieces of equipment, and the configuration of that equipment with sufficient redundancy (if required) to meet both the safety requirements and the process uptime (availability) requirements. The design process results in a conceptual design for each Safety Instrumented Function. Next, for each Safety Instrumented Function it is verified that the designed solution actually meets all specified requirements. The verification includes, for example, a reliability analysis of the Safety Instrumented Function to calculate the average Probability of Failure on Demand (PFDAVG) or the Probability of a Dangerous Failure per Hour (PFH), and the Mean Time To Fail Spurious (MTTFS) [6].

Finally, the Operation Phase is focused on the activities and documentation required to operate and maintain the system. From a timeline point of view, this phase takes up the majority of a process's life, as it is the period in which the process and all its equipment are in service. From a safety lifecycle point of view this is the least interesting phase, since decisions made in the previous phases dictate its properties. During the operation phase, maintenance activities need to be conducted to ensure that the designed safety integrity is maintained. This typically manifests itself through the conduct of proof tests and the replacement of components that have reached the end of their useful life.
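As an added example of the Analysis Phase calculation (illustration code written for this page, not from the paper or from exida), the Python below derives a SIL target by Layer of Protection Analysis in the style of [5]: the likelihood of the consequence is the initiating event frequency multiplied by the PFD of each independent protection layer already in place and by any conditional modifier; dividing that by the tolerable frequency gives the risk reduction factor (RRF) the SIF must supply, which maps to a SIL band. The scenarios, frequencies, layer PFDs and tolerable frequency are constructed assumptions; the SIL bands are the low-demand PFDAVG ranges of IEC 61508. The second scenario shows the point of the asteroid argument later in the paper: a catastrophic consequence with a negligible likelihood needs no SIF.

```python
"""SIL target selection by Layer of Protection Analysis (LOPA).

Added illustration, not from the paper. All scenario numbers are
constructed; the SIL bands are the IEC 61508 low-demand PFDavg ranges.
"""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One hazard scenario: its initiating event, the independent protection
    layers (IPLs) already credited, conditional modifiers (e.g. occupancy)
    and the tolerable frequency for its consequence. Frequencies per year."""
    name: str
    initiating_event_freq: float
    ipl_pfds: dict = field(default_factory=dict)              # IPL -> PFD
    conditional_modifiers: dict = field(default_factory=dict)  # name -> prob.
    tolerable_freq: float = 1e-5


# (SIL, PFDavg lower bound, PFDavg upper bound), low-demand mode
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def mitigated_frequency(s: Scenario) -> float:
    """Consequence frequency with the existing layers but before any SIF:
    the likelihood half of risk = consequence x likelihood."""
    f = s.initiating_event_freq
    for pfd in s.ipl_pfds.values():
        f *= pfd
    for p in s.conditional_modifiers.values():
        f *= p
    return f


def required_rrf(s: Scenario) -> float:
    """Risk reduction the SIF must add to reach the tolerable frequency."""
    return mitigated_frequency(s) / s.tolerable_freq


def sil_target(rrf: float):
    """Map the required RRF to a SIL target. 0 means no SIL-rated SIF is
    required (RRF <= 10: nothing needed, or achievable by non-SIS layers);
    None means the gap exceeds SIL 4, so the process itself must change."""
    if rrf <= 10:
        return 0
    target_pfd = 1.0 / rrf
    for sil, low, high in SIL_BANDS:
        if low <= target_pfd < high:
            return sil
    return None  # target PFD below 1e-5: beyond SIL 4


def assess(s: Scenario) -> dict:
    """Full LOPA result for one scenario."""
    rrf = required_rrf(s)
    return {
        "scenario": s.name,
        "mitigated_freq_per_year": mitigated_frequency(s),
        "required_rrf": rrf,
        "target_pfd_avg": (1.0 / rrf) if rrf > 1 else None,
        "sil_target": sil_target(rrf),
    }


# Constructed scenarios (hypothetical numbers, chosen for illustration).
OVERPRESSURE = Scenario(
    name="vessel overpressure after BPCS loop failure",
    initiating_event_freq=0.1,                       # once per 10 years
    ipl_pfds={"operator response to alarm": 0.1,
              "pressure relief valve": 0.01},
    conditional_modifiers={"personnel present": 0.5},
    tolerable_freq=1e-7,
)
RARE_SEVERE = Scenario(                              # catastrophic but very rare
    name="external impact on the unit",
    initiating_event_freq=1e-9,
    tolerable_freq=1e-7,
)
GAP_TOO_LARGE = Scenario(                            # no IPLs, huge gap
    name="toxic release with no protection layers",
    initiating_event_freq=1.0,
    tolerable_freq=1e-6,
)

if __name__ == "__main__":
    for sc in (OVERPRESSURE, RARE_SEVERE, GAP_TOO_LARGE):
        print(assess(sc))
```

Only the overpressure scenario yields a SIL requirement (RRF 500, target PFDAVG 2e-3, SIL 2); the rare catastrophic scenario needs no SIF, and the last one cannot be closed by a SIS at all, which is the "redesign the process" outcome of the Analysis Phase.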

2 Safety Lifecycle Approach Reduces Cost


The IEC 61511 safety lifecycle, shown in Figure 2, emphasizes the up-front steps that lead to process-matched risk reduction requirements. These risk reduction requirements do not necessarily need to be based on personnel safety alone; environmental risk and asset risk, among others, are also likely to be considered [7]. The consideration of all potential risk receptors is a good example of the risk-based approach of the functional safety standards, compared to the rule-based approach of the older standards [8]. The additional safety investment a company needs to make in the early phases of the safety lifecycle should not be a concern to management, as a good safety lifecycle design approach will in fact save expenses in later phases of the lifecycle, both from a functional safety perspective and from a nuisance or spurious trip perspective. One example of avoiding additional expenses in later phases is a reduction in re-design costs because a well thought through safety requirement specification is created. A second example is that the design will match the process risk requirements and no over-design is performed. Both examples are discussed in more detail below.

2.1 Reduction of Re-design Activities

It is apparent that re-design costs will be reduced if a design specification doesn't change during the design phases, or in other words if no design changes have to be made at all. Spending more effort on creating a design specification that is correct in the first place will therefore avoid re-design effort and expense. It is therefore reasonable to state that a well thought through safety requirement specification will reduce re-design expenses. This is also concluded by [9], which states that successful projects are characterized by early, extensive pre-project planning, a complete and well-defined scope of work, a cost estimate coordinated with the scope, and a rigorous approach to the management of change. The graph shown in Figure 3 displays the design change flexibility and the design change cost as a function of time or project progress.

Figure 3 Design Change Flexibility And Cost (plot; x-axis: Time, with the project stages Conceptual Planning, Design, Procurement, Construction and Startup; y-axis: Low to High; the Design change flexibility curve falls over time while the Design change cost curve rises)

Figure 3 shows the inverse relationship between engineering influence and cost: as a project progresses, the design change flexibility decreases dramatically, meaning that it becomes difficult to make any last-minute changes, while the cost of a design change increases considerably. Hence Figure 3 emphasizes that a well thought through, and probably more expensive, safety requirement specification will reduce re-design costs, especially considering that design change costs increase with project progress. The cost effect of a late project re-design is illustrated by the "snowball effect" sidebar presented in [9]. Here an extra pump-out line from a vessel to a tank farm is added. For the change, an additional 40 engineering hours and an installed cost of $35,000 are estimated. The snowball effect is that the installed pump does not have enough horsepower and is replaced by a pump with more horsepower. This requires the next-size-up electrical starter and also the next-size-up cable for the power supply. Furthermore, the new larger pump requires the next-size-up base plate, exceeding the current foundation. The sidebar continues for a while, concluding with a final installed cost for the "small change" of $150,000, a six-week slippage in the mechanical completion schedule and an additional engineering budget of 160 hours.

2.2 Design Matches Risk Reduction Needs

The new functional safety standards are performance-based standards [8]. This means safety integrity is only designed into an installation where risk reduction is needed, and where it is needed, how much risk reduction is actually required is determined in order to set the level of safety integrity required. Figure 4 was published by a major oil company. It shows the results of a re-evaluation of the Safety Integrity Levels allocated to the Safety Instrumented Functions of a hydrogen manufacturing unit, based on a SIL selection method the company derived from the functional safety standards.

Figure 4 SIF Re-Evaluation Study, Refinery: Hydrogen Manufacturing Unit (pie chart; the shares shown in the figure are):
- SIF OK: 47%
- SIF Over-Designed: 49%
- SIF Under-Designed: 4%

The results of this re-evaluation show that 49% of the analyzed Safety Instrumented Functions were over-designed, meaning that these functions provided more risk reduction than required. Additionally, 4% of the Safety Instrumented Functions were under-designed, indicating that these functions didn't provide the required risk reduction. Finally, 47% of the Safety Instrumented Functions analyzed provided the safety integrity that was required. The initial concern these results should raise is of course the 4% of Safety Instrumented Functions that didn't provide the required safety integrity. It is safe to assume that these Safety Instrumented Functions were re-designed, resulting in the re-design costs already referred to in the previous section. If these Safety Instrumented Functions were not re-designed, there is still additional cost to be expected, as the likelihood of an accident increases and the costs associated with the accident need to be accounted for. The over-design of 49% of the Safety Instrumented Functions is probably caused by a natural tendency of designers to "better do it right and make sure it is safe". However, when considering these 49% of over-designed Safety Instrumented Functions, an interesting cost-savings opportunity is revealed. A general observation with regard to safety integrity is that the higher the level of safety integrity to be provided, the higher the cost of the Safety Instrumented Function. This is caused by the redundancy of field equipment that becomes necessary: one valve doesn't provide enough risk reduction, so two valves voting in series are required, meaning one extra valve needs to be purchased. Another example is the need for a certified safety PLC instead of a general-purpose PLC. If 49% of the Safety Instrumented Functions analyzed were over-designed, it probably means that in those cases too much equipment, or equipment of higher safety integrity than necessary, was used in the function. Just imagine how the equipment expenses could have been reduced: just one valve instead of two in a particular Safety Instrumented Function will justify the entire additional up-front expense, associated with the safety lifecycle approach, of creating a well thought through safety requirement specification. Such a document mitigates the natural tendency of designers to "better do it right and make sure it is safe", as it clearly points out the level of risk reduction, and therefore the safety integrity, required to protect against a specific hazard. Apart from the reduction in equipment procurement, maintenance expenses will also decrease with a reduction in installed equipment.

2.3 Safety Lifecycle Approach Reduces Nuisance Trip Cost

When evaluating the technology evolution of Safety Instrumented Systems, a transition from relay logic to solid-state logic to PLCs to safety PLCs can be distinguished. Each technology has its own advantages and disadvantages. When it comes to the implementation of that logic, one can see the installation of relays and solid-state logic in the 1960s and 1970s only in those places where a need was recognized. In the late 1980s and early 1990s the conduct of Process Hazard Analyses became more popular, and Safety Functions were installed in those places where hazard consequences were severe. Quite often these Safety Functions followed corporate design guidelines. By following the safety lifecycle and using the performance-based approach of the functional safety standards, not just hazard consequences are evaluated but also hazard likelihoods. This is important since the combination of consequence and likelihood provides the actual risk associated with a hazard. If only hazard consequence is evaluated, both under-design and over-design of Safety Instrumented Functions can result; consider the following examples. If the occurrence of a hazard leads to the need for first aid for an operator, this consequence may be considered not severe and not warrant any Safety Instrumented Function. However, if the hazard likelihood indicates that we can expect it to occur every week, we may conclude that weekly first-aid events are too high a risk considering the cost associated with OSHA reporting and bandage supply. Similarly, let's consider the consequence of an asteroid hitting a specific plant. Those consequences will be catastrophic. Based on prescriptive corporate guidelines we could conclude that we need to provide a Safety Instrumented Function that protects against the hazard. This would be an interesting design: use a Hubble-telescope-like satellite to monitor asteroid activity, which transfers information to earth, where a logic solver uses a preconfigured algorithm to launch a rocket that will destroy the asteroid. Now this may sound ridiculous, but if we were to base our SIF design purely on consequence this is most likely what we would conclude needs to be done. If we also evaluate the likelihood of the asteroid being of great enough size and precisely hitting our plant, then we would conclude that the actual risk associated with the hazard is so insignificantly small that a Safety Instrumented Function is not necessary.


What does this have to do with the reduction of nuisance trip cost? It all comes back to installing Safety Instrumented Functions based on a recognized need. Without actually evaluating the risk levels associated with specific hazards, engineers are likely to implement SIFs where there is no direct need. This was already discussed in the previous section, Design Matches Risk Reduction Needs. Each SIF has a certain likelihood of shutting the process down when no process demand is present, so with the elimination of unnecessary SIFs the overall nuisance trip likelihood is reduced. This was also recently brought to the attention of one of the authors when a student in his class, trying to grasp the concept of SIF demands, indicated an expected demand frequency of once per month, which actually turned out to be the current nuisance trip rate. During the remainder of the class it appeared that many interlocks had been implemented without thorough analysis of the actual need for these interlocks.

3 Safety Lifecycle Reliability and Availability Improvements


The functional safety standards focus on performance-based design. This means that Safety Instrumented Functions are designed based on performance parameters rather than prescriptive requirements. Typical late-1980s and early-1990s designs consisted of triplicated sensors, a high-integrity safety PLC and a single control valve. With current performance-based design knowledge it is easy to see that the single control valve is the weak link in this design. The additional redundancy and the high-integrity safety PLC most likely cost a lot, but the complete SIF provides relatively little safety, as its performance parameters are completely dominated by the single control valve. Because of the performance-based approach, Safety Instrumented Functions are now designed with a focus on the maximum probability of failure allowed and the minimum level of redundancy required. By calculating a probability of failure on demand for each of the subsystems of the SIF it is very easy to see which part contributes most to the overall SIF probability of failure. At the same time it is very clear which parts are potentially over-designed, because they contribute little to that probability of failure. Though the functional safety standards do not provide guidelines as to how the probability of failure of a SIF should be distributed over its various parts, a somewhat even contribution of the various SIF parts is typically an indication of a risk-matching design. With the introduction of the performance-based approach, not only the probability of failure is calculated but also the expected nuisance or spurious trip rate. This is typically expressed as the Mean Time To Fail Spurious (MTTFS). Engineers will primarily focus on the probability of failure on demand parameter, but at the same time they will evaluate whether the design produces too many spurious trips. The example in the previous section of a spurious trip at least every month shows that consideration of the MTTFS will result in improved overall plant availability.
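As an added worked example (illustration code written for this page, not from the paper or from exida), the Python below performs the subsystem-level SIL verification just described: it computes PFDAVG, achieved SIL, RRF and MTTFS for the late-1980s design of triplicated sensors, safety PLC and single valve, and then for the same loop with the redundancy moved to the valve. It uses the simplified low-demand formulas for voted groups (λDU·TI/2 for 1oo1, (λDU·TI)²/3 for 1oo2, λDU·TI for 2oo2, (λDU·TI)² for 2oo3) and ignores common-cause and diagnostic terms, so it shows where the probability of failure sits rather than replacing the full analysis of [6]. All failure rates, the proof test interval and the repair time are constructed assumptions.

```python
"""SIL verification of a SIF from its subsystems: PFDavg, RRF and MTTFS.

Added illustration, not from the paper or exida. Simplified low-demand
formulas, no common-cause or diagnostic terms; failure rates constructed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
# (SIL, PFDavg lower bound, PFDavg upper bound), low-demand mode
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass
class Subsystem:
    name: str
    arch: str        # voting architecture: 1oo1, 1oo2, 2oo2 or 2oo3
    lam_du: float    # dangerous undetected failure rate, per hour
    lam_s: float     # safe (spurious trip) failure rate, per hour


def pfd_avg(arch: str, lam_du: float, ti: float) -> float:
    """Average PFD of one voted group over proof test interval ti (hours)."""
    x = lam_du * ti
    return {"1oo1": x / 2, "1oo2": x * x / 3, "2oo2": x, "2oo3": x * x}[arch]


def spurious_trip_rate(arch: str, lam_s: float, mttr: float) -> float:
    """Trips per hour with no demand present. For 2oo2 and 2oo3 two
    channels must fail safe within one mean time to repair (mttr, hours)."""
    return {"1oo1": lam_s, "1oo2": 2 * lam_s,
            "2oo2": 2 * lam_s ** 2 * mttr, "2oo3": 6 * lam_s ** 2 * mttr}[arch]


def sil_from_pfd(pfd: float) -> int:
    """Achieved SIL for a PFDavg; 0 if outside the SIL 1..4 bands."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def verify_sif(subsystems, ti=HOURS_PER_YEAR, mttr=8.0) -> dict:
    """A SIF is a series loop: any dangerous subsystem failure defeats it,
    so PFDs add; any safe failure trips it, so spurious rates add."""
    pfds = {s.name: pfd_avg(s.arch, s.lam_du, ti) for s in subsystems}
    total = sum(pfds.values())
    str_total = sum(spurious_trip_rate(s.arch, s.lam_s, mttr) for s in subsystems)
    return {
        "pfd_avg": total,
        "rrf": 1.0 / total,
        "sil": sil_from_pfd(total),
        "contribution": {n: p / total for n, p in pfds.items()},
        "dominant": max(pfds, key=pfds.get),
        "mttfs_years": 1.0 / str_total / HOURS_PER_YEAR,
    }


# Constructed failure rates (per hour): about 500 FIT dangerous undetected
# for a transmitter, 10 FIT for a safety PLC, 2000 FIT for a valve assembly.
TRANSMITTER = dict(lam_du=5e-7, lam_s=1e-6)
SAFETY_PLC = dict(lam_du=1e-8, lam_s=2e-7)
VALVE = dict(lam_du=2e-6, lam_s=1e-6)

# The prescriptive design described in the text: 2oo3 sensors,
# high-integrity safety PLC, one valve.
PRESCRIPTIVE = [Subsystem("sensors", "2oo3", **TRANSMITTER),
                Subsystem("logic solver", "1oo1", **SAFETY_PLC),
                Subsystem("final element", "1oo1", **VALVE)]

# Performance-based alternative: redundancy added where the PFD sits.
BALANCED = [Subsystem("sensors", "2oo3", **TRANSMITTER),
            Subsystem("logic solver", "1oo1", **SAFETY_PLC),
            Subsystem("final element", "1oo2", **VALVE)]

if __name__ == "__main__":
    for label, design in (("prescriptive", PRESCRIPTIVE), ("balanced", BALANCED)):
        r = verify_sif(design)
        d = r["dominant"]
        print(f"{label}: PFDavg={r['pfd_avg']:.2e} SIL {r['sil']} "
              f"RRF={r['rrf']:.0f} MTTFS={r['mttfs_years']:.0f} y, "
              f"dominant={d} ({r['contribution'][d]:.0%})")
```

With an annual proof test, the prescriptive loop reaches only SIL 2 and the single valve carries over 99% of its PFDAVG, so the triplicated sensors and safety PLC buy almost nothing; duplicating the valve instead lifts the loop to SIL 3. The same run shows the availability side of the trade-off: the second valve roughly halves the MTTFS, which is exactly the quantity the text says engineers must check alongside PFDAVG.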

4 References
[1] IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, 2000, International Electrotechnical Commission, Geneva, Switzerland
[2] IEC 61511, Functional safety: Safety Instrumented Systems for the process industry sector, 2003, International Electrotechnical Commission, Geneva, Switzerland
[3] ANSI/ISA 84.00.01-2004 (IEC 61511 Modified), Functional safety: Safety Instrumented Systems for the process industry sector, 2004, Instrument Society of America, Research Triangle Park, NC, USA
[4] Health and Safety Executive, Out of Control: Why Control Systems Go Wrong and How to Prevent Failure, 1995, Sheffield, UK
[5] Marszal E., Scharpf E., Safety Integrity Levels, Systematic Selection with Layer of Protection Analysis, 2002, Instrument Society of America, Research Triangle Park, NC, USA
[6] van Beurden I., et al., Safety Integrity Level VERification, Technology Update ISA volume 414, ISA 2001, Houston, Texas, USA
[7] van Beurden I., Amkreutz R., How to Justify the Cost of Safety, Control Solutions, February 2002, Northbrook, Illinois, USA
[8] Marszal E., van Beurden I., Risk-Based Instrumented Safeguard Design, presented at the 2002 Spring National Meeting AIChE, Refining Processing: Application of Control in Refining, 10-14 March 2002, New Orleans, LA, USA
[9] Colt W., Improve Your Project Via Effective Scope Definition and Control, Chemical Engineering Progress, March 1997, New York, NY, USA

5 Abbreviations and Definitions


IEC: International Electrotechnical Commission
PFDAVG: Average Probability of Failure on Demand
PFH: Probability of dangerous Failure per Hour
MTTFS: Mean Time To Fail Spurious
SFF: Safe Failure Fraction, summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action
SIF: Safety Instrumented Function, a set of equipment intended to reduce the risk due to a specific hazard (a safety loop)
SIL: Safety Integrity Level, discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the Safety Instrumented Systems, where Safety Integrity Level 4 has the highest level of safety integrity and Safety Integrity Level 1 has the lowest
SIS: Safety Instrumented System, implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s)

