AM-08-25
Presented By:
Iwan van Beurden, Director of Engineering, Exida, Sellersville, PA
William M. Goble, Principal Partner, Exida, Sellersville, PA
Chris O'Brien, Director of Business Development, Exida, Sellersville, PA
www.npra.org
This paper has been reproduced for the author or authors as a courtesy by the National Petrochemical & Refiners Association. Publication of this paper does not signify that the contents necessarily reflect the opinions of the NPRA, its officers, directors, members, or staff. Requests for authorization to quote or use the contents should be addressed directly to the author(s).
Keywords
ANSI / ISA 84.00.01-2004, IEC 61508, IEC 61511, Safety Instrumented Systems, Safety Instrumented Functions, PFDavg, PFH, MTTFS, SIL verification
Abstract
With the adoption of the international functional safety standards IEC 61508 [1], IEC 61511 [2], and the US version, ANSI/ISA 84.00.01-2004 [3], many process plant operations are being challenged with determining whether they are in compliance. These new international and national standards have two basic purposes. First, to define the Safety Lifecycle, a practical methodology that defines the steps necessary to ensure overall plant safety for process plants. Second, to define how to determine the required level of risk reduction necessary to reduce plant hazards, and the achieved level of risk reduction of the safety instrumented equipment. These levels of risk reduction are expressed in the Safety Integrity Level (SIL) parameter. The safety lifecycle process can be overwhelming at first, and one can argue that it places a tremendous emphasis on upfront engineering work. There are, however, many reasons why upfront engineering work will not only provide adequate risk reduction where necessary, but also assist in overall cost reduction for the implementation of functional safety. This paper will discuss several aspects of cost reduction and improvement in overall plant reliability and availability.
AM-08-25 Page 1 of 8
[Figure: Causes of Industry Accidents involving Control Systems. Legible values: Specification 44%, Changes after Commissioning 20%, Installation & Commissioning 6%]
One of the key findings in this study was that 44% of all accident causes originated in the specification phases of the control system. Other than that there was no major contributor to accident causes; the remaining phases (design and implementation, installation and commissioning, maintenance and operation, and modifications after commissioning) contributed roughly equally. This demonstrates that it is important to clearly define a system's requirements, but also to ensure that functional safety is maintained during the remainder of the lifecycle phases. Consequently, a lifecycle approach is required. Each of the functional safety standards, the international IEC 61508, the process industry specific IEC 61511, and the American ANSI/ISA 84.00.01-2004, describes in detail the various steps of its safety lifecycle. Figure 2 shows the Safety Lifecycle as defined in IEC 61511 (as well as ANSI/ISA 84.00.01-2004). The lifecycle can be divided into three main phases: the Analysis Phase, the Realization Phase and the Operation Phase.
[Figure 2: Safety Lifecycle (IEC 61511 / ANSI/ISA 84.00.01-2004), content recovered from the diagram:
ANALYSIS: Risk Analysis and Protection Layer Design (Sub-clause 8); Allocation of Safety Functions to Safety Instrumented Systems or Other Means of Risk Reduction (Sub-clause 9); Safety Requirements Specification for the Safety Instrumented System (Sub-clause 10)
REALIZATION: Design and Development of Safety Instrumented System (Sub-clause 11); Design and Development of Other Means of Risk Reduction (Sub-clause 9)
OPERATION: Decommissioning (Sub-clause 16)
Verification (Sub-clause 7, 12.7) runs alongside the phases]
The Analysis Phase is focused on determining and documenting how much safety is needed. It involves the process hazard identification and risk analysis. In the process hazard identification, for example performed by means of a HAZOP study, potential hazards, their causes, and available safeguards (if any) are identified. Next, the risk associated with each hazard is determined. Potential hazards with enough risk, i.e. a risk level higher than the tolerable risk level, may warrant the design of a Safety Instrumented Function (SIF) in order to achieve risk reduction. For hazards that require the design of a Safety Instrumented Function, a target Safety Integrity Level (SIL) is assigned to the safety function according to risk reduction targets based on tolerable risk criteria [5]. As a reminder, the combination of Safety Instrumented Functions for a process or process unit makes up the Safety Instrumented System. The Realization Phase is focused on the actual design and implementation of the system and documents the safety achieved with the actual design. A Safety Instrumented Function is designed for each hazard to meet the specified target Safety Integrity Level. The design process involves many issues, such as the selection of the technology to be used, selecting particular pieces of equipment, and configuring that equipment with sufficient redundancy (if required) to meet both the safety requirements and the process uptime (availability) requirements. The design process results in a conceptual design for each Safety Instrumented Function. Next, each Safety Instrumented Function is verified to confirm that the designed solution actually meets all specified requirements. The verification includes, for example, a reliability analysis of the Safety Instrumented Function to calculate the average Probability of Failure on Demand (PFDAVG) or Probability of a Dangerous Failure per Hour (PFH) and the Mean Time To Fail Spurious (MTTFS) [6].
Finally, the Operation Phase is focused on the activities and documentation required in operating and maintaining the system. From a timeline point of view, this phase takes up the majority of a process's life, as this is the step where the process and all its equipment are in service. From a safety lifecycle point of view this is the least interesting phase, since decisions made in the previous phases dictate the properties of this phase. During the operation phase, maintenance activities need to be conducted to ensure that the designed safety integrity is maintained. This typically manifests itself through proof testing and the replacement of components that have reached the end of their useful life.
2.1
It can be considered apparent that re-design costs will be reduced if a design specification doesn't change during the design phases, or in other words if no design changes have to be made at all. Spending more effort on creating a design specification that is correct in the first place will therefore avoid re-design efforts and expenses. It is therefore acceptable to state that a well thought through safety requirement specification will reduce re-design expenses. This is also concluded by [9], where it is stated that successful projects are characterized by early, extensive pre-project planning, a complete and well-defined scope of work, a cost estimate coordinated with the scope, and a rigorous approach to the management of change. The graph shown in Figure 3 displays the design change flexibility and the design change cost as a function of time or project progress.
[Figure 3 Design Change Flexibility And Cost (vertical axis: High to Low; horizontal axis: Time)]
Figure 3 shows the inverse relationship between engineering influence and cost: as the development of a project progresses, the design change flexibility decreases dramatically, indicating that it becomes difficult to make any last minute changes. In addition, the cost of a design change increases considerably with project progress. Hence Figure 3 emphasizes that a well thought through, and probably more expensive, safety requirement specification will reduce re-design costs, especially considering that design change costs increase with project progress. The cost effect of a late project re-design is illustrated in the snowball effect sideline presented in [9]. Here an extra pump-out line from a vessel to a tank farm is added. For the change, an additional 40 engineering hours and an installed cost of $35,000 are estimated. The snowball effect is that the installed pump does not have enough horsepower and is replaced by a pump with more horsepower capability. This requires the next-size-up electrical starter and also the next-size-up cable for the power supply. Furthermore, the new larger pump requires the next-size-up base plate, exceeding the current foundation. The sideline continues for a while, concluding with the final installed cost of the small change being $150,000, with a six-week slippage in the mechanical completion schedule and an additional engineering budget of 160 hours.
2.2 Design Matches Risk Reduction Needs
The new functional safety standards are performance-based standards [8]. This means safety integrity is only designed into an installation when risk reduction is needed. In addition, when risk reduction is needed, it is determined how much reduction is actually needed, which indicates the level of safety integrity required. Figure 4 was published by a major oil company. It shows the results of a re-evaluation of the allocated Safety Integrity Levels of Safety Instrumented Functions for a hydrogen manufacturing unit, based on a SIL selection method derived by the major oil company from the functional safety standards.
[Figure 4: Refinery: Hydrogen Manufacturing Unit. Legible values: SIF OK 47%, SIF Over Designed 49%]
The results of this re-evaluation show that 49% of the analyzed Safety Instrumented Functions were over-designed, meaning that these functions provided more risk reduction than required. Additionally, 4% of the Safety Instrumented Functions were under-designed, indicating that these functions didn't provide the required risk reduction. Finally, 47% of the Safety Instrumented Functions analyzed provided the safety integrity that was required. The initial concern these results should raise is of course the 4% of Safety Instrumented Functions that didn't provide the required safety integrity. It is safe to assume that these Safety Instrumented Functions were re-designed, resulting in the re-design costs already referred to in the previous section. In case these safety instrumented functions were not redesigned, there is still additional cost to be expected, as the likelihood of an accident increases and therefore costs associated with the accident need to be accounted for. The over-design of 49% of the safety instrumented functions is probably caused by a natural tendency of designers to "better do it right and make sure it is safe". However, when considering these 49% of over-designed safety instrumented functions, an interesting cost-savings opportunity is revealed. A general observation with regard to safety integrity is that the higher the level of safety integrity to be provided, the higher the cost of the safety instrumented function. This is caused by essential redundancy of field equipment, i.e. one valve doesn't provide enough risk reduction, resulting in the need for series voting of two valves, meaning one extra valve needs to be purchased. Another example is the need for a certified safety PLC instead of a general purpose PLC. If 49% of the safety instrumented functions analyzed were over-designed, it probably means that in those cases too much equipment, or equipment of higher safety integrity than needed, was used in the function. Just imagine how the equipment expenses could have been reduced: just one valve instead of two in a particular safety instrumented function will justify the entire additional up front expense, associated with the safety lifecycle approach, of creating a well thought through safety requirement specification. A document like this will mitigate the natural tendency of designers to "better do it right and make sure it is safe", as it clearly points out the level of risk reduction, and therefore the safety integrity, that is required to protect against a specific hazard. Apart from the reduction in equipment procurement, maintenance expenses will also decrease with a reduction in installed equipment.
2.3
When evaluating the technology evolution of Safety Instrumented Systems, a transition from relay logic to solid state logic to PLCs to safety PLCs can be distinguished. Each technology has its own advantages and disadvantages. When it comes to the implementation of that logic, one can see the installation of relays and solid state logic in the 1960s and 1970s in only those places where a need was recognized. In the late 1980s and early 1990s, the conduct of Process Hazard Analyses became more popular and Safety Functions were installed in those places where hazard consequences were severe. Quite often these Safety Functions followed corporate design guidelines. By following the Safety Lifecycle and using the performance based approach of the functional safety standards, not just hazard consequences are evaluated but also hazard likelihoods. This is important since the combination of consequence and likelihood provides the actual risk associated with a hazard. If only hazard consequence is evaluated, both under-design and over-design of Safety Instrumented Functions can result; consider the following examples. If the occurrence of a hazard leads to the need for first aid for an operator, this consequence may be considered not severe and may not warrant any safety instrumented function. However, if the hazard likelihood indicates that we can expect it to occur every week, we may conclude that weekly first aid events are too high a risk considering the cost associated with OSHA reporting and bandage supply. Similarly, let's consider the consequence of an asteroid hitting a specific plant. Those consequences will be catastrophic. Based on prescriptive corporate guidelines we could conclude that we need to provide a safety instrumented function that protects against the hazard.
This would be an interesting design: use a Hubble-telescope-like satellite to monitor asteroid activity, which transfers information to earth, where a logic solver uses a preconfigured algorithm to launch a rocket that will destroy the asteroid. Now this may sound ridiculous, but if we based our SIF design purely on consequence, this is most likely what we would conclude needs to be done. If we also evaluate the likelihood of the asteroid being of a great enough size and precisely hitting our plant, then we would conclude that the actual risk associated with the hazard is so insignificantly small that a Safety Instrumented Function is not necessary.
How does this relate to the reduction in nuisance trip cost? It all fits in with the installation of Safety Instrumented Functions based on the recognition of a need. Without actually evaluating the risk levels associated with specific hazards, engineers are likely to implement SIFs where there is no direct need. This was already discussed in the previous section, Design Matches Risk Reduction Needs. Each SIF has some likelihood of shutting the process down when no process demand is present, so eliminating unnecessary SIFs reduces the overall nuisance trip likelihood. This was also recently brought to the attention of one of the authors when a student in his class, trying to grasp the concept of SIF demands, indicated an expected demand frequency of once per month, which actually turned out to be the current nuisance trip rate. During the remainder of the class it appeared that many interlocks had been implemented without thorough analysis of the actual need for these interlocks.
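As an added example that is not part of the paper or of Exida's tools, the script below applies the simplified IEC 61508 low-demand approximations to the SIL verification step described in the Realization Phase and to the trade-off discussed in sections 2.2 and 2.3: a second series-voted valve raises the achieved SIL of the final element, but since either valve failing safe trips the process, it doubles the spurious trip rate and halves MTTFS. The failure rates, proof test interval and common-cause factor are constructed values, and repair time and diagnostics are ignored.

```python
# Added example, not from the paper: simplified IEC 61508 low-demand
# approximations for a final element in 1oo1 and 1oo2 voting (repair time and
# diagnostics ignored). All numeric inputs below are constructed values.
HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand SIL bands as (lower, upper) bounds on PFDavg
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg_1oo1(lambda_du, ti_hours):
    """Single element: PFDavg = lambda_DU * TI / 2 (TI = proof test interval)."""
    return lambda_du * ti_hours / 2.0


def pfd_avg_1oo2(lambda_du, ti_hours, beta):
    """Two elements, 1oo2 voting: independent term ((1-beta)*lambda_DU*TI)^2 / 3
    plus the beta-factor common-cause term beta*lambda_DU*TI / 2."""
    independent = (1.0 - beta) * lambda_du * ti_hours
    return independent ** 2 / 3.0 + beta * lambda_du * ti_hours / 2.0


def mttfs_years(lambda_s, n_elements):
    """Mean Time To Fail Spurious: any element failing safe trips the process,
    so the spurious trip rate is n * lambda_S."""
    return 1.0 / (n_elements * lambda_s * HOURS_PER_YEAR)


def achieved_sil(pfd):
    """Highest SIL whose band contains the PFDavg; 0 means below SIL 1."""
    for sil in (4, 3, 2, 1):
        low, high = SIL_BANDS[sil]
        if low <= pfd < high:
            return sil
    return 0


def compare_architectures(lambda_du, lambda_s, ti_years, beta=0.1):
    """Return {arch: (PFDavg, achieved SIL, MTTFS in years)} for 1oo1 and 1oo2."""
    ti = ti_years * HOURS_PER_YEAR
    p1 = pfd_avg_1oo1(lambda_du, ti)
    p2 = pfd_avg_1oo2(lambda_du, ti, beta)
    return {
        "1oo1": (p1, achieved_sil(p1), mttfs_years(lambda_s, 1)),
        "1oo2": (p2, achieved_sil(p2), mttfs_years(lambda_s, 2)),
    }


if __name__ == "__main__":
    # Constructed valve data: lambda_DU 2e-6/h, lambda_S 5e-6/h, TI 1 year, beta 0.1
    for arch, (pfd, sil, mttfs) in compare_architectures(2e-6, 5e-6, 1.0).items():
        print(f"{arch}: PFDavg={pfd:.2e} -> SIL {sil}, MTTFS={mttfs:.1f} years")
```

With these inputs the single valve already reaches SIL 2; if the target SIL from the analysis phase is 2, the second valve is the over-design of section 2.2 and would halve the MTTFS from about 22.8 to about 11.4 years.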
4 References
[1] IEC 61508, Functional safety of electrical / electronic / programmable electronic safety-related systems, 2000, International Electrotechnical Commission, Geneva, Switzerland
[2] IEC 61511, Functional safety: Safety Instrumented Systems for the process industry sector, 2003, International Electrotechnical Commission, Geneva, Switzerland
[3] ANSI/ISA 84.00.01-2004 (IEC 61511 Modified), Functional safety: Safety Instrumented Systems for the process industry sector, 2004, Instrument Society of America, Research Triangle Park, NC, USA
[4] Health and Safety Executive, Out of Control: Why Control Systems go Wrong and How to Prevent Failure, 1995, Sheffield, UK
[5] Marszal E., Scharpf E., Safety Integrity Levels, Systematic Selection with Layer of Protection Analysis, 2002, Instrument Society of America, Research Triangle Park, NC, USA
[6] van Beurden I., et al., Safety Integrity Level VERification, Technology update ISA volume 414, ISA 2001, Houston, Texas, USA
[7] van Beurden I., Amkreutz R., How to Justify the Cost of Safety, Control Solutions, February 2002, Northbrook, Illinois, USA
[8] Marszal E., van Beurden I., Risk-Based Instrumented Safeguard Design, presented at 2002 Spring National Meeting AIChE Refining Processing Application of Control in Refining, 10-14 March 2002, New Orleans, LA, USA
[9] Colt W., Improve Your Project Via Effective Scope Definition and Control, Chemical Engineering Progress, March 1997, New York, NY, USA