Document Version:
Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)
PROCEEDINGS
In this book the lectures are gathered from the symposium "Safety in the Process Industry", which was held on the 24th of September in 's-Hertogenbosch.
The symposium is organized by the study association 'dispuut dQ' and members of the group 'Reliability of Mechanical Equipment' of the faculty of Mechanical Engineering at the Eindhoven University of Technology.
Preface
In today's complex society risk prevention is a must. In preventing risk a number of measures can be taken. The lowest level of prevention is locally in the plants. Of course this is important, and it is the theme of this symposium. Other preventive actions can be taken on a higher level, for example in spatial planning, where the distance between production and customer can be reduced, thus preventing transportation risks. Also, the search for and development of new, less dangerous products or processes can play an important role in risk reduction.
In the Dutch province of Noord-Brabant, the largest industrial production region in the Netherlands, a more integrated way of risk management is encouraged.
The symposium committee would like to thank the following companies for making the symposium possible (sponsor logos in the original): Honeywell, Holec, Gastec, AEA KEMA, Stork.
Contents
Preface, Mr. F.J.M. Houben ... 1
Sponsors ... 3
Symposium committee 1996 ... 7
Proceedings
Introduction, Prof.Dr.Ir. A.C. Brombacher ... 9
Aspects of TÜV type certification and safety-related application of programmable electronic systems, Dipl.-Ing. R.I. Faller ... 17
PLC's in safety related applications, Ir. K. Kemps ... 39
The importance of field instrumentation in safety instrument systems, Ing. L. Korteweg ... 59
Reliability for safety and plant life management, Ir. C.M. Pietersen ... 127
Commissioning of a type approved PLC, Dipl.-Phys. E. Pofahl ... 137
Improving management of technological risk: reliability certification of safety systems, P. Stavrianidis MSc ... 159
Eliminating the unexpected: the dedicated safety processor, Ing. R.J. Tiezema ... 179
A corporate perspective of industrial safety, Ir. F. van Woerden ... 203
The Seveso-II directive: a brief overview of contents and consequences for major hazards plants, Drs. G.C.M. Lommers ... 217
The study association "dispuut dQ" ... 241
"Reliability of Mechanical Equipment" ... 243
Symposium committee 1996
• Unexpectedly, Tido van der Meulen passed away on August 26, 1996. After all his contributions to the symposium and the pleasant cooperation with us we are sad and bewildered.
by Prof.Dr.Ir. A.C. Brombacher
Function:
• Professor in "Engineering Reliability of Mechanical Equipment" at EUT
• Senior Scientist Philips Research Development Support reliability group (section CFT).
Experience:
Aarnout Brombacher has experience in industrial reliability analysis projects and the development of reliability analysis software, has authored and co-authored several papers on these subjects and has written a book with the title "Reliability by Design". Since July 1st 1993 he has been appointed professor in "Engineering Reliability of Mechanical Equipment" at Eindhoven University of Technology. The main task of his job at Philips is research on, as well as application of, new methods and techniques for reliability engineering and reliability automation, especially for the early phases of the development process.
Organisations:
• Member of the NVvB (Dutch association of reliability engineers)
• Member of the American Society of Mechanical Engineers
• Member of NAP (Dutch association of companies in the process and process equipment industry)
• Voting member of the ISA-SP84 working group for writing a national US Safety Instrumented Standard
Introduction
(Petro-)chemical processes and oil & gas production sites can harm people and the environment when running out of control. Protection and Fire & Gas systems are expensive, both in initial investment and in maintenance. The 'safety quality', the essential system size and the validation techniques of especially the instrumented protection systems are today the subject of discussion and investigation.
• In the first place the social communities do not accept risks for life and environment from industrial activities. They know there will always be a certain risk, but it has to be as low as possible. The latter is the source of a lot of problems and uncertainty, because what will be an acceptable risk and who will make that decision?
• In the second place the industries do not like to invest heavily in protection systems, because they consider the costs not productive and as disturbing the competitive balance when not all the industrial players have to meet the same Plant Safety Requirements.
The last couple of years have shown an increasing interest in the area of safety in the process industry. Reasons for this increased interest are, for example, accidents like Chernobyl, Seveso and Bhopal, where failures of industrial processes have affected the health (and lives) of large groups of people.
These accidents have resulted in strong demands from public opinion to analyse the potential risks of certain processes before a plant is built. Potential hazards in process equipment can have enormous consequences for safety and investments, and different analysis techniques point to totally different solutions. On the other hand the owners of plants have to maintain a balance between investments and the pay-off of these investments in terms of safety.
The purpose of this symposium is:
• to present an overview of the different aspects of safety of industrial process systems
• to compare different methods (qualitative and quantitative) for the assessment of safety of industrial process systems
• to discuss what methods (and related tools) to use in what situations
• to give guidelines in assessment and certification procedures
The papers presented in this symposium represent viewpoints from government, academia, certifying bodies, suppliers to the process industry and from the process industry itself.
by Dipl.-Ing. R.I. Faller
Function:
Manager of the Department 'Elektrotechnik, Maschinen, Automatisierung - IQSE', TÜV Product Service GmbH
Experience:
• Development engineer at MAN, division "New Technology". Main field of activity: development of an electronic tracking system for buses in public transport.
• Expert resp. general manager at the Institute for Quality and Safety in Electronics of TÜV Bayern e.V.
• Project leader for safety approvals, e.g. of PLC's and protection systems in the (petro)chemical industry, as well as of electronic control systems in medical, traffic and conveyor technology.
Organisations:
• Chairman of the committee GK 914 "Computers in safety related systems" of DKE (German Electrotechnical Commission)
• Collaboration in international standardization groups like CEN TC 58 WG 6 and IEC TC 72 WG 8
TÜV PRODUCT SERVICE
Rainer Faller
TÜV Product Service GmbH
Department Elektrotechnik, Maschinen, Automatisierung - IQSE
Internet: www.tuvps.com and Faller@tuvps.com
getting harder for them as competition is often taking money and availability first and safety
later. Thus we need very experienced operators and engineers who can efficiently address
both requests.
Figure (standards overview for safety-related PES, reconstructed from the diagram residue; the layout itself is not recoverable):
• Functional Safety: IEC 1508 part 1; IEC 1508 parts 2 and 3; DIN V 19250; DIN V 19251; DIN V VDE 0801 + amendment A1 (end-user responsibility); UL 1998
• EMC Directive: EN 50082-2; EN 50081-2; IEC 801-x; EN 55011; NE 21
• Basic safety / Low Voltage Directive: IEC 1010 or IEC 1131-2 or IEC 68-2-x; EN 60204
• Application standards: EN 298; prEN 1954; prEN 50158; prEN 50128; prEN 50129
developer and QE specialists with an easy-to-grasp process flow with a strong interaction
between the development process and the verification & validation. So, it supplies a simple
proof of traceability.
help very much if one needs to make a decision for the set of techniques appropriate for his development. Thus the manufacturers who are new in the field of safety-related PE(S) will need more training, or will take the decision not to enter the safety field. To a certain extent this has already been initiated by DIN V VDE 0801. The market will convert to more specialised companies completely committed to safety.
Type evaluation and certification according to IEC 1508 will be different from the German approach following DIN V 19250 and DIN V VDE 0801. Today's TÜV type certification approach stems from the German procedure for plant assessment as shown in Figure 3: Inspection of safety-critical plant installations in Germany.
Figure 3 (diagram residue, layout not recoverable): blocks 'Training', 'TÜV Type Certification', 'requirements' and 'Pre-tested'.
In Germany plants that bear a high consequence of potential hazards are inspected by independent application experts from the "Gewerbeaufsichtsamt" - an organization similar to OSHA in the USA or HSE in GB - and TÜV. That covers plants that fall under the German "Störfallverordnung" - the German conversion of the European Seveso Directive - and large furnaces and steam production facilities. They assess the process, the mechanics and the safety instrumented loops. Thus the TÜV type certification could be limited to PES-related system considerations such as:
• Safety-related input and output configurations
• Safety-related and non-safety-related communication
• Safety procedures for the design and programming of a safety-related application program
• Special modes of operation such as maintenance override and on-line modification of the application program
The gap that might have occurred by the clear allocation of tasks has been bridged by the regular training of the application experts and by the TÜV type testing divisions supporting the application experts in the assessment of difficult safety instrumented loop configurations.
IEC 1508 will force the TÜV type certification to consider the system aspect much more. The consequences are manifold:
• The whole safety instrumented loop will have to be considered, including possible and recommendable configurations of field instruments
• The required quality and safety management of the engineering companies will have to be described more thoroughly
• The vendor will have to describe what to consider for his PES during each phase of the life cycle of the complete installation. This has already been a strong recommendation for the vendor's safety manual, but now it is a requirement
These are significant improvements for applications where the German or Dutch plant assessment procedure cannot be assumed.
The emphasis of IEC 1508 on procedural aspects of quality engineering might help to
increase the quality of existing ISO 9001 certified quality management systems. Most often
the development departments were not audited with sufficient knowledge about the
requirements and procedures in the development of safety-related products. Also the
required competence both at the development team and at the quality engineering team
might help the manufacturer in the end to compile high expertise at their teams. However it
will require comparable technical competence at the quality engineering team as at the
development team. This might give problems to small companies.
There is also a considerable likelihood that IEC 1508 opens the door for some less positive
or even negative changes. The hardware requirements for SIL1 are less than the present
German requirements. We consider it a significant reduction in safety.
IEC 1508 initiates a procedural change of the type testing and certification. The involvement of the test house in Germany is presently much more intensive than it seems to be in other parts of the world. Following IEC 1508 the analysis and test work necessary for the safety demonstration will no longer be executed by the test house but by the manufacturer. The test house will concentrate on assessment. Today TÜV advises such an assessment strategy only to experienced manufacturers, as it might have controversial results. Positively, a more detailed planning in advance of each development and V&V step (Verification & Validation) and clearer specifications of all work packages will take place at the manufacturer. Also the detailed safety knowledge being developed by the development team will be more thorough. Today the test house helps considerably in the interpretation of standards and in the detailed definition of test specifications. Negatively, the quality of the type certification might decrease. As assessment can never enter the development in very much technical detail, the safety of the product relies more on the competence of the manufacturer than with the German emphasis on deep technical analyses. Our experience with standards such as ISO 9001 that rely heavily on assessment and audit is not favourable. Missing expertise at the manufacturers and strong competition between inexperienced test houses reduce the depth of the audit to the lowest possible common sense and create a "gold rush mentality". Who will control the quality of the assessment and certification?
TÜV Product Service GmbH, Electrotechnology, Machinery, Automation - IQSE Department, Ridlerstraße 31, D-80339 München, Phone: +49/89/5791-1801; Fax: -1396. Presentation Eindhoven, Rainer Faller, September 03, 1996 (page 27).
Due to the assessment strategy IEC 1508 asks for much more documentation. In my opinion much more documentation will improve the traceability for the assessment but not the product. With today's need for a shorter time to market, the efforts for much more documentation will take away resources from the design verification.
Since 1992, TÜV Product Service IQSE has been standing for the combination of both approaches. The procedure is shown in Figure 4: Combination of deterministic and statistical procedures.
Figure 4 (diagram residue, layout not recoverable): Combination of qualitative and quantitative evaluations of PES
• Qualitative (deterministic) branch: hardware FMEA, system structure, software self-test, self-test interval → demonstration that no dangerous single fault of the PES exists
• Quantitative (statistical) branch: part count method and failure rates → fault tree analysis (FTA) → transition probabilities → Markov models → Probability of Failure on Demand of the PES and revealed failure rate of the PES
• Quantitative evaluation of the instrumented protective loop (initiator, PES, actuator): Markov models → Probability of Failure on Demand and revealed failure rate of the loop
Many people forget that IEC 1508 specifies both "fault count" and probabilistic requirements. TÜV IQSE developed a procedure for their combination to make the merge of both views as smooth and cost effective as possible. The procedure is shown in the figure "Combination of qualitative and quantitative evaluations developed by TÜV PS IQSE".
Using FMEA (Failure Mode and Effects Analysis), FTA (Fault Tree Analysis) and Markov models, a considerably more accurate model of system reliability is achieved than by the usual reliability calculations. The method provides justifiable numerical values for the test coverage due to the thorough knowledge of the automatic checking and the fault reactions derived from FMEA and software analysis. Also the influence of application-related time constraints such as Process-Safety-Time and the interval and duration of manual and automatic checks is included. Thus it can be used to demonstrate the safety improvement by automatic checks and to give guidance on how frequently manual tests shall be executed.
This procedure has already been extended together with SHELL for their internal evaluation of instrumented protective loops.
The structure of a Markov model will be demonstrated with Figure 5: Simplified Markov model of a 2oo2 system. Human errors in operation and maintenance / repair are not modelled. The shown Markov model assumes that the operator immediately initiates a repair action after a revealed failure and that the automatic diagnostics or manual tests of the channels do not take a significant amount of time, i.e. test duration = 0.
Abbreviations
States:
• ok: (both) channels are ok
• r: revealed failure of one channel
• d: detectable failure of one channel
State transitions:
• μ = (repair time)^-1
• (test interval)^-1 [symbol not recoverable from the scan]
• (life time of the system)^-1 [symbol not recoverable from the scan]
The Markov model can be transformed into a set of first order differential equations.[1] Using numeric matrix calculation one can calculate the probability of being in a particular state. The sum of the probabilities of all states within the area of "(yet) unrevealed critical failures" represents the Probability of Failure-on-Demand (PFD). The probability of the state within the area of "revealed failures" represents the Probability of Nuisance Trips.
[1] Usually the mathematical evaluation of Markov models requires constant failure rates. However, numerical evaluation methods are described that allow for failure rates that change over time [L2].
By its definition of probabilistic target values, IEC 1508 goes considerably farther than the
German risk classification standard DIN V 19250. The definition of periodic maintenance
actions and intervals will be determined by probabilistic evaluations. This will result in more
precise and cost effective procedures.
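The numerical evaluation sketched above (transform the Markov model into first order differential equations, integrate them with matrix arithmetic, and read the PFD and the nuisance-trip probability off the state probabilities), as an added worked example that is not part of the paper: a three-state chain for a simplified 2oo2 system with the states ok, d (detectable but not yet revealed failure of one channel) and r (revealed failure). The failure rates, test interval, repair time and mission time are constructed assumptions; the steady-state solver and the RK4 integrator are ordinary numerical methods, not the TÜV procedure.

```python
"""Simplified Markov model of a 2oo2 protection system (constructed example).

States (as in the paper's Figure 5 abbreviations):
  0 ok : both channels ok
  1 d  : detectable failure of one channel, not yet revealed (defeats a 2oo2 trip)
  2 r  : revealed failure of one channel (system tripped, repair started at once)
Transition rates in 1/h (all values below are constructed for illustration):
  ok -> d : 2 * lambda_d        either channel fails in a detectable-but-unrevealed way
  ok -> r : 2 * lambda_r        either channel fails in a revealed way (nuisance trip)
  d  -> r : 1 / test_interval   the periodic test reveals the fault (test duration = 0)
  r  -> ok: 1 / mttr            repair time, exponentially distributed
Human errors in operation, maintenance and repair are not modelled.
"""
from __future__ import annotations

State = {"ok": 0, "d": 1, "r": 2}


def generator(lambda_d: float, lambda_r: float, test_interval_h: float, mttr_h: float) -> list[list[float]]:
    """Generator matrix Q: Q[i][j] is the rate from state i to state j; rows sum to 0."""
    to_d, to_r = 2.0 * lambda_d, 2.0 * lambda_r
    reveal, mu = 1.0 / test_interval_h, 1.0 / mttr_h
    q = [
        [-(to_d + to_r), to_d, to_r],  # ok
        [0.0, -reveal, reveal],        # d: leaves only when the test reveals the fault
        [mu, 0.0, -mu],                # r
    ]
    assert all(abs(sum(row)) < 1e-12 for row in q)
    return q


def _mul(p: list[float], q: list[list[float]]) -> list[float]:
    """Row vector times matrix: (P Q)_j = sum_i P_i Q_ij."""
    return [sum(p[i] * q[i][j] for i in range(len(p))) for j in range(len(p))]


def integrate(q: list[list[float]], t_end_h: float, step_h: float = 4.0,
              p0=(1.0, 0.0, 0.0)) -> tuple[list[float], list[float]]:
    """Solve dP/dt = P Q with the classical RK4 scheme, starting from P(0) = p0.
    Returns (P(t_end), time-averaged P over [0, t_end])."""
    p = list(p0)
    acc = [0.0] * len(p)
    steps = int(round(t_end_h / step_h))
    for _ in range(steps):
        k1 = _mul(p, q)
        k2 = _mul([pi + 0.5 * step_h * ki for pi, ki in zip(p, k1)], q)
        k3 = _mul([pi + 0.5 * step_h * ki for pi, ki in zip(p, k2)], q)
        k4 = _mul([pi + step_h * ki for pi, ki in zip(p, k3)], q)
        for i in range(len(p)):
            acc[i] += p[i] * step_h  # left-rectangle rule for the time average
            p[i] += step_h / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i])
    return p, [a / (steps * step_h) for a in acc]


def steady_state(q: list[list[float]]) -> list[float]:
    """Solve pi Q = 0 with sum(pi) = 1 by Gaussian elimination (partial pivoting)."""
    n = len(q)
    a = [[q[i][j] for i in range(n)] for j in range(n - 1)] + [[1.0] * n]
    b = [0.0] * (n - 1) + [1.0]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        b[col], b[piv] = b[piv], b[col]
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            for c in range(col, n):
                a[r][c] -= f * a[col][c]
            b[r] -= f * b[col]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (b[r] - sum(a[r][c] * x[c] for c in range(r + 1, n))) / a[r][r]
    return x


def evaluate(lambda_d: float = 1e-6, lambda_r: float = 1e-5, test_interval_h: float = 8760.0,
             mttr_h: float = 8.0, mission_h: float = 87600.0) -> dict:
    """PFD (time in the unrevealed-failure area) and nuisance-trip probability
    (time in the revealed-failure area) for constructed parameters."""
    q = generator(lambda_d, lambda_r, test_interval_h, mttr_h)
    p_end, p_avg = integrate(q, mission_h)
    pi = steady_state(q)
    return {
        "pfd_avg": p_avg[State["d"]],
        "pfd_end": p_end[State["d"]],
        "pfd_steady": pi[State["d"]],
        "nuisance_steady": pi[State["r"]],
        "sum_check": sum(p_end),
    }


if __name__ == "__main__":
    for t in (720.0, 8760.0):
        r = evaluate(test_interval_h=t)
        print(f"test interval {t:6.0f} h: PFD(avg) = {r['pfd_avg']:.2e}, "
              f"PFD(steady) = {r['pfd_steady']:.2e}, nuisance = {r['nuisance_steady']:.2e}")
```

Running the block with the two constructed test intervals shows the point the text makes about guidance on manual test frequency: the unrevealed-failure probability, and therefore the PFD, scales with the test interval, while the nuisance-trip probability is governed by the revealed failure rate and the repair time. A 2oo3 or 1oo2 loop would need additional states for the second channel; the structure of Q stays the same.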
2.4 Impact of IEC 1508 and similar standards on the market of safety-related systems and field instruments
The publication of the German standards DIN V 19250 and DIN V VDE 0801 did change the way end-users buy and use systems in safety-related applications. Formerly one often saw combinations of dedicated electronics or relay logic with conventional control systems. These combinations were trimmed to give safety to a particular application. This has pretty much gone. End-users buy more and more off-the-shelf safety devices such as safety-PLC's with a large range of possible applications. In the mid '80s multi-national petrochemical companies started to investigate programmable protective systems intensively. In their invitations for bids they ask today for programmable systems certified by TÜV against the currently available functional safety standards. Also the standardisation committee of the German chemical industry, NAMUR, published in 1993 a guideline for the application of process control systems (NE 31 "Prozeßleittechnik"). Therein programmable systems are required to have TÜV certification. Even the German nuclear industry now considers and uses safety-PLC's - designed for the process industry - at medium criticality levels.
Considerable commercial benefits drive the trend towards off-the-shelf safety devices. The
operating companies save investment and engineering costs by general purpose PES
designs and functional safety certification. The development and certification costs will be
split into many applications. The vendors can develop, sell and install many devices with
identical specification. The evolution over the past years triggered by the German standard
DIN V VDE 0801 has shown that even the device costs for complex, safety-related
computer systems dropped dramatically because of this standardization effect. Also the
safety level and the safety-related specification of programmable electronic systems
became comparable. Thus the vendors and engineering companies can concentrate more
on their particular safety and availability requirements of each of the individual applications.
The discussion whether off-the-shelf programmable electronics or home-made solutions will be used has been decided in favour of off-the-shelf safety systems - either solid state systems or safety-PLC's. The decision is simple today, as the market offers a very complete set of solutions. However, the system approach of IEC 1508, DIN V 19251 and ISA S84.01 emphasizes that also (smart) field instrumentation must comply with the safety requirements. To increase the plant safety and availability while reducing manpower, better and more automated testing shall be provided by the field instrumentation by means of:
• a high level of self-diagnostics, and
• a high level of measurement diagnostics, and
• transmitting diagnostics results to the Safety Instrumented System
The operating companies argue for single field-element configuration in SIL 1 and SIL 2. The process hazard analyses of multi-national and German operating companies show that a large share of safety instrumented loops are SIL 2. SIL 3 will not often be required for safety loops, and the end-users prefer to configure a SIL 3 loop by using field instruments of SIL 2 level in a 1oo2, 1oo2D[2] or 2oo3 configuration. For SIL 2 additional fault detection means might be needed in the safety-related logic solver or by measurement diagnostics in the process control system. The vendors and TÜV will have to show that two SIL 2 compliant field instruments using field-proven measurement technology fulfill the SIL 3 requirements.
For field instruments the fault analysis must cover much more than electronics. The most critical failure modes of field instruments are not within the electronics but at the process interface, such as clogging of the sense lines and corrosion or physical damage.
After intensive discussions with operating companies TÜV Product Service IQSE went from a single testing and certification scheme for intelligent field instruments to two schemes that complement each other. The simpler scheme considers only the sensing and processing electronics, including the safety of the (fieldbus) communication. As none of the present fieldbus protocols includes all the safety provisions required, additional safety shells around the protocols are needed today. The safety of the mechanics and the process connection is subject to the measurement diagnostics and to the field-proven design of the initiator. Measurement diagnostics are provided by different software packages of field instrument and DCS vendors. Measurement diagnostics can also be achieved by application-oriented functional diversity (e.g., diverse measurement of temperature and pressure or of flow and level).
The more comprehensive scheme covers the fault possibilities of the mechanics and of the process connection. For this it is necessary to compile the appropriate failure modes for each individual design. TÜV uses the procedure defined by DIN 25448. This procedure refines the complete device / system into sub-units. Then one determines by physical reasoning and by data books such as the Reliability Analysis Center (RAC) book "Non Electric Parts Reliability Data" the possible failure modes of each sub-unit. These lists are then tailored to each individual design. The determination and classification of the mechanical failure modes follows the product life cycle:
• Systematic errors in design
e.g. inadequate specification of chemical and physical operating conditions; insufficient protection or detection against faulty installation or operating conditions
• Incorrect information given by the user manual
e.g. incorrect specification of chemical and physical operating conditions; incomplete guidance against faulty installation or operating conditions
• Faults in manufacturing
e.g. defective basic material; incorrect processing of the material; incorrect molding and welding; incorrect spacing / length / diameter of critical parts
• Faults in engineering and installation
e.g. inadequate chemical medium; inadequate physical operating conditions; incorrect model chosen; inadequate installation / position / angle; sensor and evaluation unit do not match; incorrect electrical connection; incorrect setting / calibration
• Faults during operation
e.g. aging / wear and tear; clotting of the sense line; ice formation; even / uneven corrosion / deposition of material; random breakdown; external noise signal
[2] 1oo2D means 1oo2 for discrepancies caused by undetected faults and 2oo2 for detectable faults. The 1oo2D voting can be realised in the safety-related logic solver.
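The voting modes named above for SIL 3 loops built from SIL 2 field instruments (1oo2, 1oo2D and 2oo3) and the footnote's definition of 1oo2D, as an added example that is not part of the paper: a logic-solver voter in Python over constructed channel inputs. Each channel contributes its own trip demand and a self-diagnostic flag. The rule for the case that diagnostics have flagged exactly one channel (follow the healthy channel) or both channels (go to the safe state) is an assumption of this example, not something the footnote states.

```python
"""Voting logic of a safety-related logic solver over redundant field instruments.

Constructed example (not from the paper).  Each channel contributes its own trip
demand and a self-diagnostic flag; the "D" in 1oo2D means that the diagnostics
result is used to adapt the voting.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    demand: bool          # True: this channel asks for the safe state (trip)
    fault_detected: bool  # True: the channel's self-diagnostics declare it faulty


def vote_1oo2(chs: list[Channel]) -> bool:
    """1-out-of-2: any channel demanding causes a trip (safe, but more nuisance trips)."""
    return any(c.demand for c in chs)


def vote_2oo2(chs: list[Channel]) -> bool:
    """2-out-of-2: both channels must demand (fewer nuisance trips, but one
    dangerously failed channel defeats the safety function)."""
    return all(c.demand for c in chs)


def vote_2oo3(chs: list[Channel]) -> bool:
    """2-out-of-3: majority of three channels."""
    return sum(c.demand for c in chs) >= 2


def vote_1oo2d(a: Channel, b: Channel) -> tuple[bool, str]:
    """1oo2D as defined in the paper's footnote: 2oo2 while diagnostics see both
    channels healthy, 1oo2 (trip) on a discrepancy that is not explained by a
    detected fault.  The degraded modes (follow the healthy channel when one
    channel is diagnosed faulty, safe state when both are) are an assumption."""
    if a.fault_detected and b.fault_detected:
        return True, "both channels diagnosed faulty: safe state"
    if a.fault_detected:
        return b.demand, "A diagnosed faulty: follow B (1oo1)"
    if b.fault_detected:
        return a.demand, "B diagnosed faulty: follow A (1oo1)"
    if a.demand == b.demand:
        return a.demand, "channels agree: 2oo2"
    return True, "discrepancy without detected fault: trip (1oo2)"


def behaviour_under_undetected_fault() -> dict[str, bool]:
    """Real demand while one channel is silently stuck at 'no demand' (dangerous
    undetected fault): which voters still bring the plant to the safe state?"""
    stuck = Channel(demand=False, fault_detected=False)   # constructed input
    good = Channel(demand=True, fault_detected=False)     # constructed input
    return {
        "1oo2": vote_1oo2([stuck, good]),
        "2oo2": vote_2oo2([stuck, good]),
        "1oo2D": vote_1oo2d(stuck, good)[0],
        "2oo3": vote_2oo3([stuck, good, good]),
    }


def behaviour_under_detected_fault() -> dict[str, bool]:
    """No real demand; one channel spuriously demands but its diagnostics have
    already flagged it: which voters cause a nuisance trip?"""
    faulty = Channel(demand=True, fault_detected=True)    # constructed input
    good = Channel(demand=False, fault_detected=False)    # constructed input
    return {
        "1oo2": vote_1oo2([faulty, good]),
        "2oo2": vote_2oo2([faulty, good]),
        "1oo2D": vote_1oo2d(faulty, good)[0],
        "2oo3": vote_2oo3([faulty, good, good]),
    }


if __name__ == "__main__":
    print("trip on real demand with one undetected stuck channel:", behaviour_under_undetected_fault())
    print("nuisance trip with one diagnosed faulty channel:      ", behaviour_under_detected_fault())
```

The two scenario functions make the trade-off the text describes visible: plain 2oo2 misses the demand when one channel has an undetected dangerous fault, plain 1oo2 trips spuriously on a channel whose own diagnostics already know it is broken, and 1oo2D keeps the safety of 1oo2 for undetected faults while using the diagnostics to avoid the nuisance trip, which is why the additional fault detection in the logic solver matters for SIL 2 field elements.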
This new type of field devices is designed such that electronic fault possibilities, or mechanical and electronic fault possibilities, are detected by the safety-related PE of the field instrument. The advantages of these field instruments are manifold:
• the field instruments are fail-safe; thus the homogeneous redundancy of field elements at the process level and the necessary handling by the application program can be reduced
• preventive manual testing can be reduced, as most of the failure modes detected by periodic inspection will be detected by the integrated PE. That results in additional benefits such as fewer human errors and lower life-time costs.
• appropriate safety-related smart instruments could also lead to de-centralized safety instrumented functions simpler to understand than centralized layouts. This needs increased awareness of the safety aspect of future fieldbus communication.
able that were designed with safety in mind, each development team has to develop a safety-related PES from scratch. With the larger market being expected for safety systems, the time to market at equivalent quality and safety level will become a more important issue. To reduce the development time and to cope with the increasing complexity, the design teams watch out for hardware subsystems and software components that can be integrated into their designs. The time of building blocks is about to arrive!
To reduce the development time significantly, however, the building blocks from third parties must be designed with safety as a major objective and they must be pre-tested. Safety-related and pre-tested building blocks can standardize the development of safety applications for the engineering companies and can ease the development of safety-related software for PES in many ways:
1 Application development
1.1 Function libraries to build applications such as burner controls, emergency stop functions or ISO 10418[3] safety functions
1.2 Application program development systems for the IEC 1131-3 PLC languages
2 System software development
2.1 Operating systems
2.2 Libraries to implement communication protocols and graphical user interfaces
2.3 Certified high level languages.
The concept of building blocks is an important step in the layered approach of TÜV PS IQSE to safety-related software. The layered software safety philosophy is shown in Figure 6: Layered Software Safety Philosophy. The software building blocks as listed above can help considerably in layer 3 "Operating Systems; Libraries", in layer 4 "Embedded Application Software; User Interface" and in layer 5 "User Supplied Application Software".
[3] ISO 10418: Petroleum and natural gas industries; Offshore production platforms; Analysis, design, installation and testing of basic surface safety systems.
In the hardware domain few activities have been encountered yet. Development teams in
the medical industry have tried to collaborate with hardware subsystem vendors without
much success.
[Figure: evaluation and certification of products according to ISO 9001 and ISO 9000-3 - user needs, order, requirements, requirements specification, directives and standards, design verification (4.7), prototype, product, preventive action (14)]
Unfortunately, some ISO 9001 certification bodies must stand the accusation of trying to make a quick buck with ignorant customers. Even for manufacturers with clearly safety-relevant products, e.g. products referenced by EC Directives, ISO 9000 audits had the only purpose of obtaining information about formal and consistent quality management procedures at a high level. The propriety of the procedures and measures in the development of safety-related products and the fulfilment of the "Essential Requirements" were totally omitted. Exceptions to the rule are audits according to module H of the modular approach of the EC or according to the respective EC Directive by a Notified Body.
Certifications according to ISO 9000-3 "Software", TickIT or ITQS seem to fare better. Besides the formal consideration of the QA procedures there is an additional consideration of the procedures in development, configuration management and field observation of the software products. Yet there are only spot-checks as to the propriety of the product. As for the success rate of the models required by the US Department of Defense (DoD) for the continuous improvement of quality management and quality engineering (Bootstrap or SEI model), there is not yet sufficient evidence that would allow judgement to be passed on a whole project.
The weak spots of the ISO 9001 certification are simply predestined for those companies that develop and deal in manifold products. Consulting and certification can cover only a few areas in detail, for cost reasons alone. The other areas must be viewed by analogy. Thus the development of a PC is lumped together with the development of the operating system for a safety-related automation system.
There is no intention here whatsoever to criticise ISO 9001 certification in general. It is only a call to improve the procedures in the safety-related area and to carefully check the influence of an ISO 9001 certification upon the relation between customer and manufacturer.
PLCs in safety related applications
by
Ir. K. Kemps
Honeywell Safety Management Systems BV
Ir. K. Kemps
Function:
Director Sales & Marketing of Honeywell Safety Management Systems BV
Experience:
Kees Kemps has 22 years of experience in the safety business as an active interface between the users/market and the manufacturer/technical realisation. Full involvement in requirement analysis for product development as well as communicator of the safety solution to the market. Various technologies have been developed and supported by HSMS, from relay-based technology and triplicated PLC-based solutions to the latest dedicated FSC technology.
Safety is mandatory!!
What about av
STANDARDS
List of applicable (safety) standards over the last 15 years (number of pages):
• TÜV booklet 180
• DIN V 19250/19251 25/18
• DIN V VDE 0801 180
• IEC 801 240
• DIN VDE 0180 120
• DIN VDE 0110 80
• DIN VDE 0116 110
• SP 84.01 (draft) USA 340
• PES guidelines 150
• etc.
TOTAL NUMBER OF PAGES: 2000
"SOCIETY"
MANUFACTURERS - USERS
COMMUNICATION
2-OUT-OF-3 VOTING
"MR. TÜV"
TÜV CERTIFICATE
HARDWARE
PEOPLEWARE
Honeywell SMS
THE OBJECTIVES
SAFETY IN THE PROCESS INDUSTRY Honeywell SMS
QUANTITATIVE
• PASSIVE METHODOLOGY:
- QUALITY SYSTEMS
- QUANTITATIVE ANALYSIS
- MIL-SPEC COMPONENTS
- ETC.
• RESULT: RELIABILITY EXPRESSED IN %, THE LEVEL OF COMPETENCE AND THEREFORE THE LEVEL OF INCOMPETENCE.
- MAINTAINABILITY
- AVAILABILITY
- OPERABILITY
- PROFITABILITY
IEC-1508
[Figure: failure causes addressed by IEC 1508 - random hardware failures, modification failures (remainder illegible)]
HSMS SOLUTIONS
1992 TÜV approval AK 4
1995 UL 508 and UL 1998
1996 (pending) SIL 2
HSMS SOLUTIONS
INCREASED / OPTIMAL AVAILABILITY
SUMMARY
• Check on suitable hardware
- TÜV-approved according to applicable standards
• Use adequate software tools for programming
- built-in checks for safety "challenge" engineers on safety
• Use the supporting features of the safety system
- during design
- during operation
- during maintenance
• More guidance/support from the safety system results in less risk with "peopleware"
by
Ing. L. Korteweg
Shell International Oil Products BV
Ing. L. Korteweg
Function:
Senior Instrument Engineer, Shell International Oil Products BV
Experience:
In the instrumentation department focal point for Honeywell matters and responsible for all subjects related to Instrumented Protection. Joined Shell in 1976. Had assignments in The Hague, Singapore, Oman, The Hague and Hong Kong and returned to The Hague in 1991 to take up the present position. Worked in the fields of Project Engineering, Construction, Maintenance and General Instrumentation Service.
Organisations:
Member of the IEC 1511 committee 'Application Specific Standard on Process Control - Functional Safety Requirements for E/E/PES Safety-Related Systems for the Process Industries'.
TABLE OF CONTENTS
1. INTRODUCTION ... 65
1.1. SCOPE ... 65
1.2. DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS ... 65
1.3. DEFINITIONS ... 65
1.4. ABBREVIATIONS ... 68
1.5. CROSS-REFERENCES ... 68
2. GENERAL ... 69
3. INSTRUMENTED PROTECTIVE FUNCTIONS CLASSIFICATION METHODOLOGY ... 70
3.1. BACKGROUND ... 70
3.2. THE CLASSIFICATION PROCESS ... 70
4. IMPLEMENTING THE CLASSIFICATION RESULTS ... 81
4.1. INTRODUCTION ... 81
4.2. GENERAL RULES ... 81
4.3. IPF CLASS OF INITIATOR, LOGIC SOLVER AND FINAL ELEMENT ... 83
4.4. BASIC IMPLEMENTATION STEPS ... 83
5. IMPLEMENTATION OF PROCESS UNIT RELATED INSTRUMENTED PROTECTIVE FUNCTIONS ... 85
5.1. GENERAL ... 85
5.2. INITIATOR ... 85
5.3. INSTRUMENTED PROTECTIVE SYSTEM ... 87
5.4. FINAL ELEMENT ... 89
5.5. CABLING ... 90
5.6. HUMAN-MACHINE INTERFACE ... 90
5.7. COMMUNICATION INTERFACES WITH OTHER SYSTEMS ... 91
5.8. MAINTENANCE OVERRIDES ... 92
5.9. OPERATIONAL OVERRIDES ... 94
6. IMPLEMENTATION OF FIRE GAS AND SMOKE DETECTION INSTRUMENTED PROTECTIVE FUNCTIONS ... 95
6.1. GENERAL ... 95
6.2. INITIATOR ... 95
6.3. INSTRUMENTED PROTECTIVE SYSTEM ... 95
6.4. FINAL ELEMENT ... 95
6.5. CABLING ... 95
7. TESTING ... 96
7.1. CLASSIFICATION RESULTS AND TEST PHILOSOPHY ... 96
7.2. TEST COVERAGE FACTORS ... 97
7.3. INITIATOR TESTING ... 97
7.4. LOGIC SOLVER TESTING ... 97
7.5. FINAL ELEMENT TESTING ... 97
7.6. AUTOMATIC TESTING ... 98
8. IPF CALCULATION METHODOLOGY ... 100
8.1. GENERAL ... 100
8.2. ASSUMPTIONS ... 100
8.3. INPUTS INTO THE CALCULATION METHODOLOGY ... 100
8.4. OUTPUTS OF THE CALCULATION METHODOLOGY ... 102
8.5. CALCULATION OF TEST INTERVAL - SPECIAL CASES ... 102
9. MAINTENANCE ... 104
9.1. INTEGRITY ... 104
9.2. TEST PROCEDURES ... 104
9.3. TEST RESULTS ... 104
9.4. SCHEDULED MAINTENANCE ... 105
9.5. TRIP REPORTS ... 105
9.6. MODIFICATIONS ... 105
9.7. AUDITS ... 105
10. REFERENCES ... 106
APPENDICES
APPENDIX 1 SUGGESTIONS ON HOW TO SET UP A CLASSIFICATION EXERCISE ... 107
FIGURES ... 108
1. INTRODUCTION
1.1. SCOPE
This document specifies requirements and gives recommendations for classifying Instrumented Protective Functions and implementing them.
1.3. DEFINITIONS
Hazardous Situation
The potential to cause harm, including ill health and injury, damage to property, products
or the environment, production losses or increased liabilities.
Hazard Rate
The frequency at which Hazardous Situations occur. Dimension (time^-1).
Hazard Rate = Frequency of Demand * Probability of Failure on Demand
Initiator
A device or combination of devices that indicates whether a process or equipment item is
operating outside the operating envelope. The Initiator includes input cards and input
relays. Examples are manual switches, position switches and measurement systems
(including process connections, sensors, transmitters, cabling, trip amplifiers or input
cards etc.).
Instrumented Protective Function
A function comprising the Initiator function, Logic Solver function and Final Element
function for the purpose of preventing or mitigating Hazardous Situations.
Instrumented Protective Function Class
Unrevealed Failure class I, II, III, IV, V, VI and X, plus Revealed Failure class F or N
detailing the requirements for an Instrumented Protective Function.
Instrumented Protective System
The electromechanical, electronic and/or programmable electronic Logic Solver
component of the Instrumented Protective Function, complete with input and output
equipment.
Logic Solver
The portion of an Instrumented Protective Function which performs the application logic
function. The Logic Solver excludes trip amplifiers, input cards and output cards.
Examples are electromechanical relays, solid-state/magnetic-core logic and the Central
Processing Unit (CPU) section of programmable electronic systems.
Mitigation
Makes a consequence less severe or relieves consequences.
Permissive
The result of a check on whether or not a combination of conditions is healthy, to allow
the Logic Solver to proceed with the next step in a sequence.
Probability of Failure on Demand
The probability of the Instrumented Protective Function failing to respond to a Demand.
Dimensionless.
Process Safety Time
The period of time in which the process can be operated without protection and with a
demand present, without entering a Hazardous Situation. Dimension (time).
Revealed Failure
A failure whose occurrence is inherently apparent.
Revealed Failure Robust
A configuration in which plant availability is not jeopardised by the Revealed Failure of a
single IPF component.
Risk
The Hazard Rate multiplied by the consequence of a Hazardous Situation.
Trip
An Instrumented Protective Function action to bring the Final Element(s) to a safe state.
Unrevealed Failure
A failure which is dormant in the Instrumented Protective Function and can only be
revealed when the system has to perform a certain action or through testing.
Unrevealed Failure Robust
A configuration in which plant safety is not jeopardised by the Unrevealed Failure of a
single IPF component.
1.4. ABBREVIATIONS
AK Anforderungsklasse (requirement class)
CAPEX Capital expenditure
CPU Central processing unit
DCS Distributed control system
DIN Deutsche Industrie Norm (German industrial standard)
ESD Emergency shutdown
FGS Fire gas and smoke detection and protection system
FLD Functional logic diagram
HAZOP Hazard and operability study
HSE Health, safety and environment
IEC International Electrotechnical Commission
IPF Instrumented protective function
IPS Instrumented protective system
MOS Maintenance override switch
MVC Measurement validation and comparison
NDE Normally de-energised
NE Normally energised
NRV Non-return valve
OOS Operational override switch
OPEX Operational expenditure
PC Personal computer
PEFS Process engineering flow scheme
PFD Probability of failure on demand
PLC Programmable logic controller
SER Sequence of events recorder
SIL Safety integrity level
TSO Tight shut off
TÜV Technischer Überwachungsverein (German body, translates to Technical Inspection Agency).
NOTE: Throughout this document, reference to TÜV means either TÜV Bayern or TÜV Rheinland.
1.5. CROSS-REFERENCES
Where cross-references to other parts of this document are made, the referenced
section number is shown in brackets. Other documents referenced in this document are
listed in (10.).
2. GENERAL
3. INSTRUMENTED PROTECTIVE FUNCTIONS CLASSIFICATION METHODOLOGY
3.1. BACKGROUND
The initial risk in operating a process unit or a piece of equipment can be reduced by
facilities other than an IPF, such as increased wall thickness for high pressure protection,
resulting in an intermediate risk. See Figure 1. If this intermediate risk is lower than a
tolerable risk, an IPF is not required. If the intermediate risk is higher than a tolerable
risk, an IPF is required to reduce the risk. Such a tolerable risk level is determined by
sound current practice.
A protection system can be mechanical (relief valves, bursting discs, etc.) and/or
instrumented (IPF). In most designs both types of protection systems are applied, with
the mechanical system being the last line of defence wherever possible.
The requirement for an IPF results from proper design practices which are checked by
the technical desk HSE review or the HAZOP study. This document provides a
methodology to classify these IPFs. It is not intended to replace the quantitative risk
assessment, technical desk HSE review or the HAZOP study.
The consequence of an IPF failing on demand is discussed during a technical desk HSE
review or a HAZOP study and is also one of the basic inputs to the classification
methodology. The classification exercise could therefore be an extension of a technical
desk HSE review or a HAZOP study.
The full process of classification and implementation of IPFs is indicated in Figure 2 and
Figure 3. Comparison of these two figures shows that the classification methodology
described in this document removes the requirement to provide a tolerable hazard rate
for each IPF, and removes the requirement for accurate calculation of the frequency of
demand on each IPF.
3.2.1. General
The IPF classification and implementation methodology should be applied during
development of the PEFSs and the safeguarding narratives, i.e. during the Basic Design
and Engineering Package (BDEP) or Project Specification phase.
Following the technical desk HSE review or HAZOP study, a comprehensive IPF classification exercise shall be performed.
The IPF classification and implementation methodology can also be applied to existing
plants, generating the benefits as described in (2.).
A well-developed issue of the following documents shall be available to the team
performing the classification:
- process and utility engineering flow schemes (PEFSs);
- safeguarding memorandum with process safeguarding flow schemes (PSFSs);
- safeguarding narratives;
- cause and effect matrices.
Controls which protect process units or equipment from operating outside the operating
envelope, such as minimum flow control and maximum or minimum pressure control, are
not IPFs. It is therefore not required to classify these controls. If present, alarms and
switch functions related to these controls shall be classified.
Appendix 1 gives suggestions on how to set up a classification exercise.
3.2.2. IPF classification team
The team performing the IPF classification shall be kept small. Competent personnel
responsible for the subjects of process technology, process safety, operations and
process control shall form the team. Other disciplines, e.g. rotating equipment specialists,
shall be consulted as required, e.g. when the IPFs of a compressor are classified.
A facilitator shall be appointed. The task of the facilitator is to guide the team through the
classification steps and to ensure that every step is recorded to the satisfaction of all
team members before the next step is dealt with.
The facilitator shall be familiar with the classification methodology as described in (3.)
and (4.).
2. An IPF may consist of a combination of IPF loops. For example, a backflow protection function may consist of low flow and low differential pressure initiators and two valves.
3. For permissives, valves or rotating equipment stop circuits are not necessarily the final element; the logic solver may be the final element.
The classification shall be performed for each IPF. For an IPF consisting of one initiator
and one final element this is straightforward. Functions shall be extracted as indicated in
Figure 4 and Figure 5. With more than one initiator function and more than one final
element function, a combination of these two figures shall be applied.
Independent functions with a common initiator or a common final element shall be
classified individually assuming the other functions are operating properly.
It shall be noted that the logic solver may consist of more than one UZ block. For
example, a recycle gas low flow trip that trips the compressor and, via the compressor
and feed pump UZ blocks, also trips the feed pump.
As a starting point it may be taken that, in addition to alarms, every 'x' on the cause and
effect matrix is a function. This is not valid for functions consisting of more than one
initiator or more than one final element. To ensure that all functions have been classified,
the classification report shall be checked against the final functional logic diagrams.
To save time required for classification, the IPFs to be classified should be identified and
the IPF identification section of the classification report, see Figure 8, should be
completed before the team convenes for the classification exercise.
The number of IPFs to be classified can grow dramatically if UZs are connected together as shown in Figure 6. Figure 6 also shows how the classification effort can be reduced. It is beneficial to prepare this type of diagram, known as a "spider diagram", giving an overview of all IPFs in a unit, as preparation for a classification exercise.
3.2.4.1. General
The classification methodology is split into two parts:
- classification of IPF unrevealed failures (failures on demand, which are safety
related);
- classification of IPF revealed failures (often called 'nuisance' or 'spurious' failures,
which are related to economics).
The classification of IPF unrevealed failures is further split into:
- consequences related to personnel safety;
- consequences related to production and equipment loss;
- consequences related to the environment.
The basis of the classification methodology is the risk diagram related to personnel
safety published in DIN V 19250. Applying this risk diagram to an IPF results in a
requirement class (AK class) for that function. AK classes, however, are not easily
translated to implementation requirements for IPFs.
The DIN risk diagram was adopted by IEC/SC65A draft 1508, in informative annex D, which uses Safety Integrity Levels (SILs) as the result of applying this diagram. These SILs are related to Probability of Failure on Demand ranges. These PFD ranges can be applied to calculate whether the implementation and maintenance strategy results in an IPF of sufficient integrity.
NOTE: The informative annex D in IEC/SC65A draft 1508 indicates a general risk graph implementation and an example. The example is the same as the DIN V 19250 version but with heavier weighting of the more severe consequences, and has been selected for this document with minor changes.
The IEC/SC65A draft 1508 relates the SIL not only to probabilistic PFD requirements, but
also gives deterministic requirements which, as far as applicable, have been
incorporated in this document.
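As an added worked example (not part of the Shell document, whose own calculation methodology of section 8 is not reproduced on this page), the following script turns the definitions above into a check: it estimates PFD_avg from a dangerous undetected failure rate and a proof-test interval using the standard first-order formulas for 1oo1, 1oo2 and 2oo3 voting, maps the result onto the IEC 61508 low-demand PFD bands per SIL (assumed here to equal the draft 1508 ranges the text refers to), and derives the Hazard Rate as Frequency of Demand times PFD. The failure rate, test interval and demand frequency are constructed sample values.

```python
"""Simplified IPF integrity check (added example, not from the Shell document).

Uses the document's definition Hazard Rate = Frequency of Demand * PFD and the
IEC 61508 low-demand PFD_avg bands per SIL (assumed to equal the draft 1508
ranges the text refers to). The PFD_avg formulas are the usual first-order
approximations for independent channels sharing one proof-test interval T;
common-cause failures and diagnostics are ignored.
"""
import math

# SIL n is met when lower <= PFD_avg < upper (IEC 61508 Table 2, low-demand mode).
SIL_PFD_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}

# Voting architecture -> (PFD_avg as a function of x = lambda_DU * T,
#                         x needed to reach a target PFD_avg).
# 1oo2 is Unrevealed Failure Robust; 2oo3 is both Unrevealed and Revealed
# Failure Robust in the document's terms (one channel may fail either way).
_ARCHITECTURES = {
    "1oo1": (lambda x: x / 2.0, lambda p: 2.0 * p),
    "1oo2": (lambda x: x * x / 3.0, lambda p: math.sqrt(3.0 * p)),
    "2oo3": (lambda x: x * x, lambda p: math.sqrt(p)),
}


def pfd_avg(lambda_du_per_h: float, test_interval_h: float, voting: str = "1oo1") -> float:
    """Average probability of failure on demand over the proof-test interval."""
    if lambda_du_per_h <= 0.0 or test_interval_h <= 0.0:
        raise ValueError("failure rate and test interval must be positive")
    x = lambda_du_per_h * test_interval_h
    if x >= 1.0:
        raise ValueError("first-order approximation invalid: lambda_DU * T must be << 1")
    pfd_fn, _ = _ARCHITECTURES[voting]
    return pfd_fn(x)


def max_test_interval_h(lambda_du_per_h: float, target_pfd: float, voting: str = "1oo1") -> float:
    """Interval at which PFD_avg equals target_pfd; the real interval must stay below it."""
    if lambda_du_per_h <= 0.0 or target_pfd <= 0.0:
        raise ValueError("failure rate and target PFD must be positive")
    _, x_fn = _ARCHITECTURES[voting]
    return x_fn(target_pfd) / lambda_du_per_h


def sil_for_pfd(pfd: float) -> int:
    """Highest SIL whose PFD band the value satisfies; 0 if worse than SIL 1."""
    if pfd >= SIL_PFD_BANDS[1][1]:
        return 0
    for sil in (4, 3, 2, 1):
        if pfd < SIL_PFD_BANDS[sil][1]:
            return sil
    return 0


def hazard_rate_per_year(demand_frequency_per_year: float, pfd: float) -> float:
    """Hazard Rate = Frequency of Demand * Probability of Failure on Demand (dimension time^-1)."""
    return demand_frequency_per_year * pfd


def assess_ipf(lambda_du_per_h: float, test_interval_h: float,
               demand_frequency_per_year: float, required_sil: int,
               voting: str = "1oo1") -> dict:
    """Check one IPF loop against the SIL its classification requires."""
    if required_sil not in SIL_PFD_BANDS:
        raise ValueError("required_sil must be 1..4")
    pfd = pfd_avg(lambda_du_per_h, test_interval_h, voting)
    _, upper = SIL_PFD_BANDS[required_sil]
    return {
        "pfd_avg": pfd,
        "achieved_sil": sil_for_pfd(pfd),
        "meets_requirement": pfd < upper,
        "hazard_rate_per_year": hazard_rate_per_year(demand_frequency_per_year, pfd),
        # proof-test interval at which the required band would be left
        "test_interval_limit_h": max_test_interval_h(lambda_du_per_h, upper, voting),
    }


if __name__ == "__main__":
    # Constructed sample: lambda_DU = 1e-6 /h, yearly proof test, 0.1 demands/year, SIL 2 required.
    for arch in ("1oo1", "1oo2", "2oo3"):
        r = assess_ipf(1e-6, 8760.0, 0.1, 2, arch)
        print(f"{arch}: PFD_avg={r['pfd_avg']:.2e} -> SIL {r['achieved_sil']}, "
              f"meets SIL 2: {r['meets_requirement']}, "
              f"hazard rate {r['hazard_rate_per_year']:.2e}/yr, "
              f"test interval limit {r['test_interval_limit_h']:.0f} h")
```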
Risk diagrams have been added in this document for production and equipment loss and
for environmental consequences. Although the added risk diagrams are not related to
IEC/SC65A draft 1508, they shall not be changed without the approval of the Principal.
In line with the risk diagrams, diagrams to classify IPF revealed failures are also included
in the methodology promoted in this document.
The fuiiiPF classification methodology is indicated in Figure 7.
AIIIPFs, including alarms, shall be classified.
Classification of pre-alarms is not required. For pre-alarms it shall be confirmed that
corrective operator action to avoid the IPF action is feasible. If this is not the case, the
pre-alarm may be deleted. The result of this confirmation shall be recorded, preferably in
the classification report.
NOTE: It may not always be apparent that operator action is feasible. If, for example, an IPF action (pre-alarm) would occur if a controller setpoint is increased too much, operator action to avoid another IPF action (shutdown) is feasible by reducing the setpoint again.
3.2.4.2. Consequences
The consequences of IPF failure on demand and IPF revealed failure shall be recorded
as general descriptions. The descriptions shall be clear and unambiguous, such that
another expert is able to follow the reasoning for selecting the routes in the risk diagrams
described in the next sections.
If the failure on demand of an IPF has multiple consequences, all consequences shall be
classified and the most stringent IPF class shall be selected for that function. If the
demand has different causes, the consequences of failure on demand will usually be
different as well, requiring a classification for all causes and consequences.
Attention shall be paid to the fact that the location of a plant may have an impact on the
consequences, e.g. the difference between onshore and offshore production
installations, manned and unmanned operation, close to or far from the fence.
For permissives used in batch processes and sequences, two types of failures are
relevant:
- The permissive indicates that the conditions are safe to proceed while the actual
conditions are not safe to proceed. This failure is an unrevealed failure in terms of
classification. The consequence shall be described under consequence of failure on
demand.
- The permissive indicates that the conditions are not safe to proceed while the actual
conditions are safe to proceed. This failure is a revealed failure in terms of
classification. The consequence shall be described under consequence of revealed
failure.
L3 - Major operational upset or major damage to equipment.
Major operational upset, e.g.:
- An immediate large relief case that would cause violent high energy release
such as vapour breakthrough from high to low pressure, e.g. hydroprocessing
units, high pressure solvent treating units etc.
- Process fluid overflow.
- Solidification of product in a large unheated piping system requiring major
corrective action.
- Non-costly repair required of essential unspared equipment.
Major damage to equipment, e.g.:
- Costly repair required of major spared equipment or non-essential equipment.
L4 - Damage causing major loss of containment or damage to essential equipment causing major economic loss.
Damage causing major loss of containment (rupture), e.g.:
- Excessive over-temperature such as exotherms and runaway reactions.
- Over-pressure resulting in major loss of containment if the IPF is the final protection because the installation of a mechanical relief device is not possible or practical.
Damage to essential equipment which from a damage point of view is similar to L1, L2 or L3, but could cause a major economic loss (millions of US Dollars) due to the disabling of essential unspared equipment for an extended repair or replacement period, e.g.:
- Suction vessel high level IPF on a recycle gas compressor.
- Low suction level IPF of a multistage, high speed HCU feed pump.
- Furnace or boiler protection.
NOTE: For extreme economic losses, the IPF class may be increased by one step to ensure an appropriate cost-benefit ratio.
If the result of the classification is LO, the IPF is not required for production and
equipment loss. For other results, the IPF class can be obtained from the diagram by
selecting the point corresponding to the L and W.
3.2.4.3.4. Environment
A diagram is provided in Figure 7 to classify environmental consequences.
A more detailed description of the potential environmental consequence (E) selections, is
indicated below:
E0 - No release or release with negligible damage to the environment.
No release at all or a very minor release that is below the environmental quality standard, not even justifying an alarm, e.g.:
- A very small release from a flange gasket or from a valve stem seal without blow-out of gasket/seal material.
E1 - Release with minor damage to the environment that should be reported.
A release that is not very severe but is large enough to be reported to plant
management or to local authorities, e.g.:
- A moderate leak from a flange gasket, a valve stem seal, a pump or compressor
seal, a small bore connection, a relief valve blowing hydrocarbons into the
atmosphere.
- Small-scale liquid spill contained on the location or platform.
- Small-scale soil pollution without affecting ground water.
E2 - Release within the fence with significant damage to the environment.
Significant loss of containment that damages the environment on the premises but
not outside the fence, e.g.:
- A cloud of obnoxious vapour travelling beyond the unit limit following flange
gasket blowout, compressor seal failure etc.
- A liquid release that is not collected in the drain system and could affect ground
water locally or could spill into a river or sea.
E3 - Release outside the fence with temporary major damage to the environment.
Major loss of containment travelling outside the premises causing environmental
damage that can be cleaned up without lasting consequences, e.g.:
- A vapour or aerosol release with or without liquid fallout that causes temporary
damage to plants, fauna or property, following venting to atmosphere, liquid
entrainment from flare, etc.
- Solids (dust, catalyst, soot, ash) fallout following an operational plant upset.
- Liquid spill into a river or sea.
E4 - Release outside the fence with permanent major damage to the environment.
Major loss of containment travelling outside the premises causing environmental
damage that cannot be cleaned up without lasting consequences, e.g. :
- A vapour or aerosol release with or without liquid fallout that causes lasting
damage to plants, fauna or property, following venting to atmosphere, liquid
entrainment from flare, etc.
- Solids (dust, catalyst, soot, ash) fallout following an operational plant upset.
- Liquid spill into a river or sea.
- Liquid release that could affect ground water outside the fence.
IPFs that prevent relieving to the atmosphere should be classified according to this
category as well.
Flaring, venting and noise may have an impact on public image and should therefore be
addressed when performing environment classification.
The following additional rules apply:
- If flaring is within the allowable environmental limits as set by the local authorities it
shall be considered for the classification as having no environmental consequences. If
flaring or venting is above these limits it shall be considered for the classification as
production loss, e.g. cost of shutdown, fine.
- If the classification team decides that, for a certain consequence, the related public
image is a very sensitive issue, E shall be increased by one level.
If the result of the classification is E0, the IPF is not required for environmental
protection. For other results, the IPF class can be obtained from the diagram by selecting
the point corresponding to the E and W.
tails gives S3 because in this case in all furnaces an uncontrolled fire or explosion may occur, hence the higher
classification for the level trip initiator.
2. The consequence of initiator failure on demand could also result in a lower IPF class compared to the highest
class resulting from the individual classifications of functions containing that initiator. This is the case for e.g.
oxygen and natural gas shut-off in a Shell Gasification Process (SGP) where the consequence of leaving only the
oxygen valve open is more severe than leaving both valves open. Hence the class for the function initiator
to oxygen valve is higher than the result of the synergetic consequence of initiator failing classification. The latter
determines the required initiator class.
The above is not relevant for final elements because, for architectures where more
initiators activate one final element, final element failure is classified for each function
and as a minimum the most stringent classification is selected for the final element,
see also (4.3.).
In combined IPF and sequence control systems (e.g. furnace start-up), each step may
have to be classified separately because the frequency of demand and the
consequences may be different. This is also valid for different phases of plant operation.
For fire detection and protection classification, only the incremental consequence of IPF
failure on demand shall be taken into account, not the full consequence of a fire. The fire
is assumed to be there already and the IPF is installed for mitigation purposes, e.g. an
automatically triggered water deluge system or facility ESD.
3.2.4.4.1. General
The revealed failure classification should be performed after the unrevealed failure class
implementation has been decided, because implementation of the requirements related
to the unrevealed failure class may impact the revealed failure rate of initiator or final
element configurations.
The revealed failure classification diagrams given in Figure 7 are based on:
- A pay-out period of 1 year.
- The assumption that the revealed failure robustness will reduce the revealed failure
rate to a negligible figure.
- Minimum CAPEX.
The classification diagrams should be applied; detailed calculations to justify revealed
failure robustness requirements should not be made.
Initiators and final elements should be classified separately, due to the possible
significant difference in cost of revealed failure robustness for initiators and final
elements.
NOTE: The revealed failure robustness classification diagrams may also be applied to parts of function components. Details
on the impact of IPF PFD and revealed failure rate calculations when part of a function component is implemented
robust are covered by a separate document.
3.2.4.4.4. Cost of revealed failure
The cost of revealed failure related to the consequences described in (3.2.4.2.) shall be
determined (C classification).
NOTES: 1. The cost of revealed failure for all IPFs with the same final element shall be the same.
2. If the cost of an initiator revealed failure differs significantly from the cost of actuator revealed failure due to e.g.
longer plant downtime, the C classification may be different for initiator and actuator.
3. The cost of revealed failure should take into account potential consequential damages or loss, e.g. where thermal
shocks may lead to premature furnace tube material fatigue.
3.2.5. Documentation
The classification results shall be documented as part of the safeguarding narratives or
as a separate document.
The classification report shall be such that it shows that the classification was made on
objective and reasonable grounds, by a team with members qualified to perform the
classification. This can be achieved as follows:
- Build up the team as indicated in (3.2.2.).
- A short statement indicating the consequences of IPF failure on demand and IPF
revealed failure shall be documented.
- If the team is unable to reach a consensus, the issue should be raised to a higher
level of management, again with all necessary disciplines represented and, if
applicable, the Principal shall be consulted.
To enable consistency checks and easy handling of data, classification results shall be
entered into a database. It shall be possible to search on any word in any field. As an
example, a print-out of a database record is given in Figure 8. Items in bold are the field
headings, the remainder are the database entries. For more examples see the report on
the test of the classification methodology. Figure 9 provides a blank classification form
that may be used during the classification exercise.
This database may also be used to enter the implementation data such as test frequency
etc.
For authority approval purposes, classifications where personnel or environment
consequences are above S0 and E0 respectively should be documented separately.
The question on the IPF classification form, 'is it a pre-alarm', shall be answered with yes
or no. If corrective operator action to avoid the IPF trip action is not feasible, a note shall
be made that the pre-alarm can be deleted.
If one of the selections made during the classification is W0, W1, W3, A2 or G1, an
explanatory note shall be recorded.
The classification report shall be updated as part of each plant change such that the
requirements for each IPF are at all times auditable and traceable.
A summary of the unrevealed failure classification results may be shown in a cause and
effect matrix, as shown in the example in Table 1, using the existing cause and effect
matrices.
Table 1 Cause and effect matrix summarising the unrevealed failure
classification

Cause (down) / Effect (across)      | Close Fuel Gas Valve | Stop Compressor | Initiator Failure | Overall Class Initiator
------------------------------------|----------------------|-----------------|-------------------|------------------------
High Fuel Gas Pressure              | IV                   |                 | N/A               | IV
Low Air Fuel Ratio                  | IV                   |                 | N/A               | IV
Flame Failure                       | IV                   |                 | N/A               | IV
Furnace Feed                        | IV                   |                 | N/A               | IV
High Furnace Outlet Temperature     | III                  |                 | N/A               | III
High Speed                          |                      | V               | N/A               | V
Low Lub-Oil Pressure                |                      | III             | N/A               | III
High Compressor Outlet Temperature  | III                  | IV              | V                 | V
Overall IPF Class Final Element     | IV                   | V               |                   |

NOTES: 1. Empty entries are also empty in the original cause and effect matrix.
2. Entries '-' have been classified as unclassified, and the IPF can be deleted.
3. The row 'Overall IPF Class Final Element' and the columns 'Initiator Failure' (synergetic consequences) and
'Overall IPF Class Initiator' are additional to the original cause and effect matrix.
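The two aggregates added to the original matrix (the 'Overall Class Initiator' column and the 'Overall IPF Class Final Element' row) follow mechanically from the rules stated above: a shared final element takes at least the most stringent class of the functions acting on it, and an initiator's required class is set by the synergetic 'initiator failure' classification where the team made one. The following Python is an added example, not code from this document or its methodology. It reproduces Table 1 as constructed data; the cell conventions (missing key = empty cell, '-' = unclassified) and the fall-back to the most stringent individual class where no synergetic classification exists are this example's own assumptions.

```python
# IPF class aggregation over a cause and effect matrix (added example, not code
# from the document). The sample matrix reproduces Table 1; cell conventions are
# this example's own: missing key = empty cell, "-" = classified as unclassified.
ROMAN = {"I": 1, "II": 2, "III": 3, "IV": 4, "V": 5, "VI": 6}
TO_ROMAN = {value: numeral for numeral, value in ROMAN.items()}

FINAL_ELEMENTS = ("Close Fuel Gas Valve", "Stop Compressor")

MATRIX = {
    "High Fuel Gas Pressure":             {"Close Fuel Gas Valve": "IV"},
    "Low Air Fuel Ratio":                 {"Close Fuel Gas Valve": "IV"},
    "Flame Failure":                      {"Close Fuel Gas Valve": "IV"},
    "Furnace Feed":                       {"Close Fuel Gas Valve": "IV"},
    "High Furnace Outlet Temperature":    {"Close Fuel Gas Valve": "III"},
    "High Speed":                         {"Stop Compressor": "V"},
    "Low Lub-Oil Pressure":               {"Stop Compressor": "III"},
    "High Compressor Outlet Temperature": {"Close Fuel Gas Valve": "III",
                                           "Stop Compressor": "IV"},
}

# Synergetic classification of the initiator failing for all functions it serves;
# only made for one initiator in Table 1, the others are N/A.
INITIATOR_FAILURE = {"High Compressor Outlet Temperature": "V"}


def _classified(cells):
    """Numeric values of the cells that carry a class (skips empty and '-')."""
    return [ROMAN[cell] for cell in cells if cell in ROMAN]


def final_element_class(final_element, matrix=MATRIX):
    """As a minimum the most stringent class of all functions acting on the final element."""
    values = _classified(row.get(final_element, "") for row in matrix.values())
    return TO_ROMAN[max(values)] if values else None


def initiator_class(initiator, matrix=MATRIX, failure=INITIATOR_FAILURE):
    """Required initiator class: the synergetic 'initiator failure' class where one
    was made (it may be lower than the highest individual class, see the note on
    synergetic consequences above), otherwise (assumed) the most stringent of the
    individual function classes."""
    if initiator in failure:
        return failure[initiator]
    values = _classified(matrix[initiator].values())
    return TO_ROMAN[max(values)] if values else None


def deletable_ipfs(matrix=MATRIX):
    """(initiator, final element) pairs whose entry is '-': the IPF can be deleted."""
    return [(initiator, fe) for initiator, row in matrix.items()
            for fe, cell in row.items() if cell == "-"]


def summary(matrix=MATRIX, failure=INITIATOR_FAILURE):
    """The two aggregates added to the original matrix: 'Overall Class Initiator'
    per row and 'Overall IPF Class Final Element' per column."""
    return {
        "initiators": {i: initiator_class(i, matrix, failure) for i in matrix},
        "final_elements": {fe: final_element_class(fe, matrix) for fe in FINAL_ELEMENTS},
    }


if __name__ == "__main__":
    result = summary()
    for name, cls in result["initiators"].items():
        print(f"{name:36s} overall initiator class     {cls}")
    for fe, cls in result["final_elements"].items():
        print(f"{fe:36s} overall final element class {cls}")
```

Running the block reproduces the last row and last column of Table 1 (IV and V for the two final elements, V for the high compressor outlet temperature initiator). Passing a synergetic class of III for that initiator shows the case of the note above, where the required initiator class ends up below the highest individual class (IV).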
4. IMPLEMENTING THE CLASSIFICATION RESULTS
4.1. INTRODUCTION
This Section deals with general rules related to the implementation of the classification
results obtained as described in (3.). This Section indicates the basic implementation
steps that shall be taken to arrive at a test interval and to select the architecture.
The details of implementing the classification results are dealt with in (5.) to (9.).
An important group of IPFs that will often be deleted after classification are those IPFs
which protect against events that are already covered by other IPFs. This will reduce the
complexity of the functional logic diagrams.
EXAMPLE: The IPF action following high-high level in a recycle gas compressor suction vessel should only be to stop the
compressor. Any subsequent actions, such as stop feed, stop furnace, open low rate depressuring valve, should be
initiated by recycle gas low flow alone. Without the IPF classification methodology described in this document, these
cascading IPFs were common because of the traditional dictum: "if you know it already, take the action and do not
wait for subsequent initiators".
Deletion of the cascading IPFs does not necessarily reduce the potential for revealed
failures. Only the deletion of an entire initiator will help to achieve better plant availability.
2. As an example where the valves may not be combined, consider flow streams A and B, each with their own flow
control, being mixed and reacted. A TZA-HH should stop flow A to kill an exothermic reaction. The flow control
valve of A could well be the root cause of too much A, so tripping it may not be effective, hence a separate IPF
valve is required.
3. In batch processes valves are closed and opened frequently by the batch controller. Situations exist where a
certain valve position is a permissive to proceed with a next step, because starting the next step with the valve in
another position would give a hazardous situation. A malfunction of the valve may be the cause of the demand. A
separate means of stopping the batch, such as with a separate valve, shall therefore be provided when the IPF
is classified as IPF class III or higher.
Because the operator has more information about the overall plant and evacuation
situation than any IPF, IPF class IV fire, gas and smoke detection functions may be
implemented with the operator as one link of the IPF chain, provided that:
- The control room is a safe area and continuously manned by competent personnel;
- The operator has time to take action, i.e. the process safety time exceeds the sum of
the IPF response time and the operator response time.
If an IPF operates a valve when activated, this action shall be communicated to the DCS,
triggering an action in the DCS to automatically switch the related controller to manual
and drive the output to the safe position, either zero or maximum, if this can be done at
acceptable cost. This DCS action shall only be triggered on receipt of the change of state
from normal to trip, without preventing the operator from changing the controller state
and output at any other time.
If an unrevealed failure robust initiator is required for one function, while the classification
of a second function with the same initiator requires a single configuration, one initiator
of the unrevealed failure robust set may be used for that function. See Figure 10. This
implementation reduces the revealed failure rate of the second function .
If one function is classified as IPF class I or II while others with the same initiator are
classified as IPF class III or higher, the former may be implemented in the DCS.
Implementing the IPFs in this manner requires separate initiators for the IPF class I or II
functions from those for the IPF class III functions. This will only be cost effective if a separate
measurement for control or indication is available to be used for the IPF class I or II IPF.
If an IPF classified as IPF class I or II is implemented as IPF class III, testing
requirements for this function remain those for IPF class I or II, see (7.).
Pre-alarms should be obtained from the control transmitter signal in the DCS if this is
available.
The following documents shall be provided to specify the requirements and organisation
for implementation of IPFs:
- functional logic diagrams (FLDs);
- IPF classification results;
- typical block schemes;
- typical loop diagrams;
- IPS technical specification;
- completed data requisition sheets.
The same adding rule applies to logic solver components that are common to more than
one function, unless the functions are independent.
The adding rule is not valid for IPF class I (alarm only) functions because the operator
decides how he will act and he usually has more than one option in a particular situation.
4.4.1. General
Applying (3.), (4.2.) and (4.3.) will result in an IPF class for each initiator, the logic solver and each final element.
These classes shall be translated to implementation requirements as explained below.
These classes shall be translated to implementation requirements as explained below.
From IEC/SC65A draft 1508 and DIN V 19250 the relation between IPF class, SIL,
required PFD and required AK class (from DIN V 19250) can be obtained as shown in
Table 3.
Table 3 Relation between IPF class, SIL, required PFD and required AK class

IPF Class | Safety Integrity Level (SIL) | Required PFD       | IPS Approval according AK Class
----------|------------------------------|--------------------|--------------------------------
I         | -                            | > 10^-1            | -
II        | a                            | > 10^-1            | 1
III       | 1                            | 10^-2 to < 10^-1   | 2-3
IV        | 2                            | 10^-3 to < 10^-2   | 4
V         | 3                            | 10^-4 to < 10^-3   | 5
VI        | 3                            | 10^-4 to < 10^-3   | 6
X         | 4                            | 10^-5 to < 10^-4   | 7
X         | b                            | Not indicated      | 8
A deterministic requirement of IEC/65A draft 1508 is that IPF class V and VI initiators and
final elements shall be unrevealed failure robust.
Table 3 shows that the PFD requirement does not differ for IPF classes V and VI.
However, because the consequences resulting in class V or VI can be very different and
the calculation methodology does not take common mode failures and software failures
into account, the following additional requirements shall apply for IPF class VI functions:
- The initiator shall be diverse.
- The IPF shall not contain software.
- The final element shall be diverse.
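Table 3 and the deterministic rules above together define what an implementation must satisfy for a given IPF class: a PFD inside (or better than) the class band, unrevealed failure robustness for classes V and VI, and diversity plus absence of software for class VI. The following Python is an added example, not code from this document; it encodes those requirements and checks a proposed design against them. The design description fields (pfd, initiator_robust, etc.) are assumed names, and class X is left out because Table 3 does not state a closed PFD band for it.

```python
# Translation of an IPF class into implementation requirements (Table 3 plus the
# deterministic rules for classes V and VI) and a check of a proposed design
# against them. Added example; the design description fields are assumed names.

# pfd_max is the exclusive upper bound of the class band. Classes I and II carry
# no quantitative target below 10^-1, so any PFD is accepted for them.
TABLE_3 = {
    "I":   {"sil": None, "pfd_max": 1.0,  "ak": None},
    "II":  {"sil": None, "pfd_max": 1.0,  "ak": "1"},
    "III": {"sil": 1,    "pfd_max": 1e-1, "ak": "2-3"},
    "IV":  {"sil": 2,    "pfd_max": 1e-2, "ak": "4"},
    "V":   {"sil": 3,    "pfd_max": 1e-3, "ak": "5"},
    "VI":  {"sil": 3,    "pfd_max": 1e-3, "ak": "6"},
}


def pfd_meets_class(ipf_class, pfd):
    """A PFD inside or below the class band is acceptable; above it is not."""
    return pfd < TABLE_3[ipf_class]["pfd_max"]


def required_ak_class(ipf_class):
    """DIN V 19250 AK class the IPS must be certified for, or None if not stated."""
    return TABLE_3[ipf_class]["ak"]


def check_design(ipf_class, design):
    """Return the list of requirement violations for a proposed implementation.

    design keys (assumed): pfd, initiator_robust, final_element_robust,
    initiator_diverse, final_element_diverse, contains_software.
    """
    row = TABLE_3[ipf_class]
    violations = []
    if not pfd_meets_class(ipf_class, design["pfd"]):
        violations.append(
            f"PFD {design['pfd']:.1e} does not meet class {ipf_class} "
            f"(SIL {row['sil']}, PFD < {row['pfd_max']:.0e})")
    if ipf_class in ("V", "VI"):
        # Deterministic requirement of IEC/SC65A draft 1508.
        if not design["initiator_robust"]:
            violations.append("class V/VI: initiator shall be unrevealed failure robust")
        if not design["final_element_robust"]:
            violations.append("class V/VI: final element shall be unrevealed failure robust")
    if ipf_class == "VI":
        # Same PFD band as class V, but common mode and software failures are not
        # covered by the calculation methodology, hence the additional requirements.
        if not design["initiator_diverse"]:
            violations.append("class VI: initiator shall be diverse")
        if design["contains_software"]:
            violations.append("class VI: the IPF shall not contain software")
        if not design["final_element_diverse"]:
            violations.append("class VI: final element shall be diverse")
    return violations


if __name__ == "__main__":
    # Constructed design: a PLC-based loop proposed for a class VI function.
    proposal = {"pfd": 5e-4, "initiator_robust": True, "final_element_robust": True,
                "initiator_diverse": True, "final_element_diverse": False,
                "contains_software": True}
    print(f"AK class required: {required_ak_class('VI')}")
    for problem in check_design("VI", proposal):
        print(problem)
```

The check deliberately accepts a PFD better than the class band (a class III function realised at 5 x 10^-3 is not a violation) and flags only the direction that matters; it does not attempt to derive a PFD from component data, which the document covers elsewhere.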
5. IMPLEMENTATION OF PROCESS UNIT RELATED INSTRUMENTED PROTECTIVE
FUNCTIONS
5.1. GENERAL
The requirements given in this and the following chapters are based on the assumption
that a DCS is available. If this is not the case, the Principal shall be consulted for the
human-machine interface requirements.
The normally energised (fail-safe) design concept shall be implemented. For certain
process applications, however, a normally de-energised (non-fail-safe) design concept
for IPF final elements may be required. In such cases approval of the proposed
implementation shall be obtained from the Principal.
Requirements detailed in the technical specification of the IPS are as far as possible not
repeated in this document.
IPF loops class Ill and higher shall function independently of process control systems,
without any mutual influence, except where explicitly indicated in this document.
The separation between IPF and process control system is recommended in IEC/SC65A
draft 1508 and can be justified as follows:
- Assume that with a combined control and IPF measurement, 50% of the unrevealed
initiator failures will cause a hazardous situation because the process is out of control
in the hazardous direction. At the same time the IPF does not function .
- The default unrevealed failure rate of an IPF initiator is for example 0.024 per year.
- The number of hazardous situations caused by combining control and IPF
measurement is therefore 0.012 per year.
- A conservative estimate of the cost of one hazardous situation is USD 1,000,000.
- The cost of the hazardous situation caused by combining control and IPF
measurements is therefore USD 12,000 per year.
- The estimated cost of one IPF measurement is USD 10,000.
- The payback of separating control and IPF measurements is therefore approximately
one year.
If sequential functions and IPFs are difficult to split, the IPS shall also take care of
sequential control functions (e.g., for fired heaters).
5.2. INITIATOR
IPF class Ill and higher initiators shall have their own process tappings, impulse lines,
sensors, utilities (power fuses, air supply branch-offs), etc. Only elements such as orifice
plates and bluff bodies of vortex meters may be shared with control measurements.
Intelligent sensors with 4-20 mA output signals are preferred to discrete, direct mounted,
field switches because they have lower failure rates, better accuracy, better stability and
allow sensor signal analysis and measurement comparison. These sensors shall
communicate with the IPS in 4-20 mA signal mode. Digital communication protocols for
sensors are not yet acceptable. Use of hand-held communicators on intelligent sensors
shall, for reasons of integrity, be restricted and may only be applied if tests have proven
that their use will not cause adverse consequences regarding revealed or unrevealed
failures. Additional line resistors may be required to permit communication with the
sensor.
Manual switches shall be normally closed.
IPF initiators, except high liquid level IPF initiators, should have the same range and
accuracy as neighbouring process sensors in order to facilitate measurement
comparison. See also (7.). High liquid level displacer and dP cell IPF initiators should have vessel connections
at 80% and 100% to ensure proper functioning under varying density conditions
compared to design.
Where possible, separate trip amplifiers shall not be applied. Sensor signals shall be
connected directly to input cards integrally available in IPSs.
In case input cards are not available for signals used in the field, these signals shall be
converted in the field.
If intrinsically safe electrical equipment is applied in hazardous areas, isolation barriers
are required. To minimise the number of components in the IPF loop, Ex 'n', Ex 'e' or
Ex 'd' type sensors should be applied in zone 2 or in zone 1 (except Ex 'n') hazardous
areas.
For analogue inputs and for Normally Open contact inputs, open or short circuit cable
faults or sensor faults shall, as far as possible, be detected via line monitoring and self
testing features. Operators shall be informed in case of fault detection and maintenance
shall be initiated immediately. Revealed failure actions (spurious trips) may be avoided in
such cases provided that the following requirements are met:
- A second or back-up indication shall be available to the operator.
- The control room shall be continuously manned by competent personnel.
- An alarm shall be generated and annunciated on the DCS indicating that the IPF trip
measurement is faulty.
- Other ways to trip or stop the process shall be available to the operator.
- A maintenance override for that IPF should be available.
- The process dynamics shall be such that the operator has time to act.
- This automatic override functionality is time restricted, i.e. the trip measurement shall
be taken in maintenance override before a pre-set time of one hour has elapsed. In
case an MOS is not available, the fault will cause a spurious trip after the pre-set time
has elapsed.
For an implementation of the automatic override, see Figure 14.
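The list above describes a time-limited automatic override: a detected line fault alarms the operator and suppresses the trip for at most one hour, within which the measurement must be taken into maintenance override, otherwise the fault causes a spurious trip. The following Python is an added example of that behaviour for one analogue high-trip input, not code from this document or from Figure 14. The fault bands on the 4-20 mA signal, the reset of the timer when a fault clears, the tag names and the signal trace are this example's assumptions.

```python
# Time-limited automatic override of a faulty analogue IPF input, as in the list
# above. Added example; the fault bands on the 4-20 mA signal, the reset of the
# timer when a fault clears and the sample signal are this example's assumptions.

FAULT_LOW_MA = 3.6            # assumed: below this an open circuit or sensor fault is declared
FAULT_HIGH_MA = 21.0          # assumed: above this a short circuit is declared
AUTO_OVERRIDE_LIMIT_S = 3600  # pre-set time of one hour


class AnalogTripInput:
    """One high-trip analogue input with line monitoring in the IPS."""

    def __init__(self, tag, trip_high_ma, auto_override_permitted):
        self.tag = tag
        self.trip_high_ma = trip_high_ma
        # Design-time decision: True only where the conditions listed above hold
        # (back-up indication, manned control room, other means to stop, time to act).
        self.auto_override_permitted = auto_override_permitted
        self.mos = False           # maintenance override switch state from the DCS
        self.fault_since = None    # time the current line fault was first detected
        self.alarms = []           # (time, text) annunciated on the DCS

    def set_mos(self, active):
        self.mos = active

    def evaluate(self, now_s, signal_ma):
        """One IPS scan. Returns 'normal', 'trip', 'auto_override' or 'mos_override'."""
        faulty = signal_ma < FAULT_LOW_MA or signal_ma > FAULT_HIGH_MA
        if not faulty:
            self.fault_since = None      # assumed: a cleared fault resets the timer
            demand = signal_ma >= self.trip_high_ma
            if demand and self.mos:
                return "mos_override"
            return "trip" if demand else "normal"
        if self.fault_since is None:
            self.fault_since = now_s
            self.alarms.append((now_s, f"{self.tag}: trip measurement faulty "
                                       f"({signal_ma:.1f} mA), initiate maintenance"))
        if self.mos:
            return "mos_override"        # taken into MOS before the hour elapsed
        if self.auto_override_permitted and now_s - self.fault_since < AUTO_OVERRIDE_LIMIT_S:
            return "auto_override"
        return "trip"                    # no override permitted, or the hour has elapsed


def replay(tag, trip_high_ma, samples, auto_override_permitted=True, mos_at=None):
    """Run a constructed (time_s, mA) sequence and return the IPS action per sample.
    mos_at simulates the operator setting the MOS at that time."""
    channel = AnalogTripInput(tag, trip_high_ma, auto_override_permitted)
    actions = []
    for t, ma in samples:
        if mos_at is not None and t >= mos_at:
            channel.set_mos(True)
        actions.append(channel.evaluate(t, ma))
    return actions


if __name__ == "__main__":
    # Constructed trace: healthy, then an open circuit that nobody takes into MOS
    # within the hour, then the signal returns and a genuine high demand follows.
    trace = [(0, 12.0), (10, 2.0), (1800, 2.0), (3609, 2.0), (3610, 2.0),
             (3700, 12.0), (3701, 17.5)]
    print(replay("PZT-101", 16.0, trace))
    # -> ['normal', 'auto_override', 'auto_override', 'auto_override', 'trip', 'normal', 'trip']
```

Replaying the same trace with the MOS set at 1800 s keeps the input overridden past the hour (and, as required for any MOS, also suppresses the later genuine trip while the alarm path stays active); with auto_override_permitted set to False the first faulty scan trips immediately, which is the default for inputs that do not meet the listed conditions.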
It is recognised that it may not always be possible to avoid spurious trips under open
circuit or short circuit conditions. The possibility to implement automatic overrides does
not imply that time delays should be applied to IPS inputs to avoid revealed failure
actions under such circumstances. Time delays for this purpose shall not be applied if
the sum of the required delay time and the IPF response time (including the IPS
response time, which shall be taken as two times the IPS cycle time) exceeds the process
safety time; where such a delay is applied it shall be approved by the Principal. The process safety time shall be
determined by the Process Control and Technology departments.
If the IPS has line monitoring facilities, analogue sensors shall have "direct" output
signals only. If this is not the case, high trip sensors shall have "reverse" output.
For IPF loops class Ill and higher, the initiators should have a red colour and should have
a red nameplate with black lettering.
If diverse initiators are required , diverse measuring principles shall be applied. These
diverse measuring principles shall, where possible, include different types of process
connections. An example of a diverse measuring principle is ultrasonic and dP cell level
measurements. An example of a non-diverse measuring principle is displacer and dP cell
level measurements, because in both cases the tappings may block.
NOTE: Diverse measuring principles shall not be applied when this would result in an increased unrevealed failure rate as
would be the case when a pressure transmitter is replaced by a pressure switch.
5.3. INSTRUMENTED PROTECTIVE SYSTEM
IPSs shall be based on either:
- electromechanical relays;
- solid-state/magnetic-core technology;
- microprocessor technology (PLCs).
Pneumatic and hydraulic relay based IPSs shall not be used for new or re-
instrumentation projects and are therefore not dealt with in this document.
For new or re-instrumentation projects, particular attention shall be paid to
electromechanical relay-based IPSs as they may not fulfil the requirements of IPF class
V and higher.
The IPS, including the IPS-PLC to IPS-PLC communication link for IPF class III and
higher safety related signals, shall fulfil the requirements of the DIN V 19250 risk class
(AK class) related to the IPF class resulting from the classification and shall be certified
by TÜV.
In case an IPS-PLC is applied, the complete IPS, including system software versions and
releases, shall be evaluated and certified by TÜV.
To avoid unexpected failures of software and/or hardware, only proven releases of
software and hardware shall be used. The release of the system should not be upgraded
after order placement for functionality enhancements. Upgrades to fix bugs that
jeopardise safety or plant availability shall be implemented but only after certification by
TÜV.
The majority of the IPFs will be IPF class V or below; however, it is preferred to
purchase, as a minimum, AK class 5 TÜV-certified IPSs so that the majority of plant
changes can be incorporated in the same IPS.
Although solid-state/magnetic-core and PLC-based systems are preferred, relay-based
systems may be selected for certain applications. Relay-based systems have the
disadvantages that no self-diagnostics are available, troubleshooting and making
modifications can be difficult and communication to a DCS is only possible for the output
signals. The DCS shall not be connected in series with the trip amplifiers that are
required to input analogue initiators into a relay based IPS.
Only IPS suppliers or system builders (integrators) which are accepted by the Principal
shall be used for IPS engineering, construction, wiring, testing, etc.
The IPS-PLC to IPS-PLC communication link shall be fail safe and revealed failure
robust, and the signals transmitted over this link shall be NE such that IPF trip actions
are taken when the link fails.
IPS quantitative reliability assessment studies have shown that, in order to obtain
revealed failure rates equal to or better than relay based IPSs, IPS-PLCs are only
acceptable when fail safe, revealed failure robust input and output cards and processors
are used. Output cards driving non-critical indication or alarm lamps should be single and
non-fail-safe.
When making a selection between solid-state/magnetic-core technology and PLCs, the
following shall be considered:
- actual field experience (installed base);
- requirements of national and/or local regulations;
- application complexity;
- level of automation;
- skills required.
Advantages of PLCs are:
- faster engineering, through configuration techniques;
- ease of FLD simulation, off-line on a PC;
- ease of logic modifications;
- ease of commissioning;
- ease of monitoring the integrity of field devices and their wiring;
- fewer different hardware cards;
- self-documenting facilities.
Disadvantages of PLCs are:
- special skills required;
- possible bugs in the software;
- higher revealed failure rates;
- protection against (on-line) logic modifications requires strict procedures.
IPS systems shall be as simple as possible and shall have a minimum number of
components.
IPS-PLCs shall not be applied when an IPF class VI integrity is required because the
software contribution to the unrevealed failure rates of PLCs is unknown, and therefore
not taken up in the IPF calculation methodology. Only in very exceptional cases, and with
the approval of the Principal, may PLCs be considered for class VI loops.
If a classification results in a number of IPF class VI loops and the remainder of the IPFs
implemented in the same IPS-PLC are IPF class V or lower, the IPF class VI loops may
be implemented in the IPS-PLC making use of the secondary means of de-energisation
functionality which bypasses all microprocessors in the system. In this case the IPS-PLC
shall comply with the requirements of IPF class V and the secondary means of
de-energisation facility shall be TÜV certified according to DIN V 19250 AK class 6.
Process units should be allocated to IPSs with due consideration to IPS failure. Details
regarding the allocation of process units to Input and Output cards shall be given in the
IPS technical specification.
To ensure suitable response time for activation and sufficiently accurate time stamping,
the scan or cycle time of IPS-PLCs shall be less than 300 ms.
For each piece of rotating equipment, it shall be checked whether a 300 ms cycle time is
sufficient to protect the equipment, i.e. confirm that the process safety time of the
equipment exceeds 600 ms. If this is not the case, an IPS-PLC is not suitable.
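Both timing rules in this document, the time delay rule for cable faults in (5.2.) (delay plus IPF response time, with the IPS share taken as two cycle times, must not exceed the process safety time) and the cycle time rule above (cycle time within 300 ms and a process safety time of more than two cycle times for rotating equipment), reduce to the same comparison against the process safety time. The following Python is an added example combining both checks, not code from this document. The sensor and final element lags, the tag names and the process safety times in the sample loops are constructed; the document only fixes the IPS share of the response time.

```python
# Timing checks: the time delay rule (5.2.) and the IPS-PLC cycle time rule for
# rotating equipment. Added example; the sensor and final element lag figures
# and the sample loops are constructed, the document only fixes the IPS share
# of the response time at two cycle times.

IPS_MAX_CYCLE_MS = 300


def ipf_response_ms(sensor_ms, ips_cycle_ms, final_element_ms):
    """IPF response time; the IPS response time is taken as two IPS cycle times."""
    return sensor_ms + 2 * ips_cycle_ms + final_element_ms


def max_permissible_delay_ms(process_safety_time_ms, sensor_ms, ips_cycle_ms, final_element_ms):
    """Largest input time delay that keeps delay + IPF response within the process
    safety time (0 when no delay at all fits)."""
    return max(0, process_safety_time_ms
               - ipf_response_ms(sensor_ms, ips_cycle_ms, final_element_ms))


def delay_permissible(required_delay_ms, process_safety_time_ms,
                      sensor_ms, ips_cycle_ms, final_element_ms):
    """Time delay allowed by the timing rule; Principal approval is still required."""
    return required_delay_ms <= max_permissible_delay_ms(
        process_safety_time_ms, sensor_ms, ips_cycle_ms, final_element_ms)


def ips_plc_suitable(process_safety_time_ms, ips_cycle_ms=IPS_MAX_CYCLE_MS):
    """Rotating equipment check: the cycle time must be within the 300 ms limit and
    the process safety time must exceed two cycle times (600 ms at the limit)."""
    return ips_cycle_ms <= IPS_MAX_CYCLE_MS and process_safety_time_ms > 2 * ips_cycle_ms


# Constructed sample loops (process safety times and lags are illustrative only).
SAMPLE_LOOPS = [
    {"tag": "PZHH-201 vessel pressure",       "pst_ms": 5000, "sensor_ms": 200, "final_ms": 1500, "delay_ms": 2000},
    {"tag": "LZLL-202 pump suction level",    "pst_ms": 3000, "sensor_ms": 300, "final_ms": 1500, "delay_ms": 1500},
    {"tag": "SZHH-301 compressor overspeed",  "pst_ms": 500,  "sensor_ms": 20,  "final_ms": 50,   "delay_ms": 0},
]


def review(loops, ips_cycle_ms=IPS_MAX_CYCLE_MS):
    """Per-loop timing verdicts for a list of loop dicts (keys as in SAMPLE_LOOPS)."""
    verdicts = {}
    for loop in loops:
        args = (loop["pst_ms"], loop["sensor_ms"], ips_cycle_ms, loop["final_ms"])
        verdicts[loop["tag"]] = {
            "response_ms": ipf_response_ms(loop["sensor_ms"], ips_cycle_ms, loop["final_ms"]),
            "max_delay_ms": max_permissible_delay_ms(*args),
            "delay_permissible": delay_permissible(loop["delay_ms"], *args),
            "plc_suitable": ips_plc_suitable(loop["pst_ms"], ips_cycle_ms),
        }
    return verdicts


if __name__ == "__main__":
    for tag, verdict in review(SAMPLE_LOOPS).items():
        print(f"{tag:32s} {verdict}")
```

In the sample, the overspeed loop fails the rotating equipment check (500 ms process safety time against 600 ms of IPS response alone), which is the case where the document says an IPS-PLC is not suitable, and the suction level loop shows a requested delay that the rule forbids even though the PLC itself is fast enough.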
If PLC based IPSs are considered for equipment packages, for reasons of integration,
spare parts, training and maintenance, the same IPS should be selected as those
applied in the remainder of the plant or project. It should be realised that doing this may
complicate the factory acceptance test of these equipment packages.
Time synchronisation between IPSs, SERs and DCS, shall be applied from an external
clock.
Initiator or final element and IPS robustness implementation shall be independent. For
example, assume a 2oo3 initiator has to be routed to an IPS with revealed failure robust
inputs. In that case each initiator is connected to one point of each of the dual input
cards, resulting in a total of 6 routes. A different set of dual input cards shall be used for
each initiator. See Figure 15.
On-line changes to tuning parameters may be made provided they are tested before
taking the loop into service. On-line logic changes and operating system software
upgrades should not be performed unless full functional tests can be performed with the
process unit in operation. If on-line changes are to be made then a thorough analysis
shall be made and agreed with Operations, addressing the following:
- What has to be changed?
- How and when is it to be changed?
- What are the contingencies for errors?
- What risk assessment will be made?
- What fall-back scenarios are in place?
IPS systems shall be fed via two separate power feeders, with at least one of them
connected to a vital uninterrupted power supply system (UPS), with automatic change-
over facilities and remote alarm in case of single failure.
To facilitate long term reliable operation of IPSs, this equipment shall be installed inside
(field) auxiliary rooms. These rooms shall have temperature and humidity control facilities
fulfilling the requirements stated in the IPS technical specification.
In order to reduce down-time and override time, 'card' or 'complete component'
replacement techniques shall be applied.
As a minimum a common cabinet utility alarm and a common system alarm shall be
transmitted to the DCS for the attention of the operator. When the alarm occurs the
operator shall contact the responsible maintenance person for further action.
Engineers should be trained before and during the factory acceptance test. Mechanics
and technicians should be trained during site acceptance testing and commissioning
activities. If own personnel are not properly trained and kept up-to-date, modifications
shall be left to the Supplier.
Power and air supply for NDE final elements shall be such that the impact of supply
failure on the IPF PFD is negligible, e.g. by means of an alarm in case the supply fails.
Instrument air supply requirements for depressurising systems are covered in a separate
document.
Detailed valve type IPF final element requirements are covered in a separate document.
Rotating equipment stop circuit type IPF final elements should be implemented by a 24
V(dc) output connected to the coil of an interposing relay. A contact of this relay should
be wired into the motor switchgear. This implementation is referred to as 'no special
equipment' in Figure 12.
5.5. CABLING
For certain applications, special cabling may be required.
The maximum allowable distance between the IPS and the solenoid valve shall be
checked.
5.8.1. General
The preferred and TÜV-approved (see TÜV document "Maintenance Override")
implementation is described in this Section.
Maintenance override switches (MOSs) are used to override IPF initiators to enable
maintenance or on-line functional testing. It shall be considered during the basis of
design (BOD) phase whether MOSs are required in those cases where spare process
units or equipment are available.
Maintenance override facilities may be provided only for those IPF initiators where a
second or back-up indication, and a means to stop the process, are available to the
operator. Furthermore, the process dynamics shall be such that the operator has time to
act.
Therefore, MOSs shall not be provided on, for example:
- flame sensors;
- (axial) displacement type sensors;
- manual ESD inputs.
A maximum of one trip initiator may be overridden per protection group (UZ group) at any
one time.
To reduce the number of MOSs, an MOS shall not be applied for 2oo3 IPF initiator
configurations. To reduce the IPF PFD, an MOS function shall be provided for each of
the initiators of 2oo2 IPF initiator configurations. Setting of one MOS shall create a
situation such that, during the time the override is switched on, the configuration
automatically functions as a 1oo2 system.
Outputs shall not be overridden because, within one protection group (UZ group), they
are usually the result of more than one input.
An MOS override shall not inhibit the alarm function.
For an implementation example, see Figure 16.
5.8.2. Operational considerations
Operations personnel shall be solely responsible and authorised to switch an IPF initiator
into override.
Before an MOS is activated, all work and permit procedures shall be followed, such that
a record is available indicating the name of the person who switched on the override.
When the IPF initiator is in override, the operator shall check the related control or
indicating transmitter measurement frequently such that manual actions (removal of the
override or manual ESD) can be taken if the process moves out of the operating
envelope.
The proposed set-up requires optimum (radio) communication between the operator and
the technician. A separate radio channel should be provided for this.
MOSs shall be activated for as short a time as possible.
5.8.3. Implementation
An MOS shall be activated from the DCS VDU/keyboard. When an MOS is activated, the
appropriate override signal shall be sent via the communications link to the IPS.
A hard-wired, yellow, back-lit MOS enable switch shall be provided on the DCS console.
At least one switch shall be provided per process unit. Only when this switch is in the
enable position is the MOS signal accepted by the actual protection logic. Because this
switch is hardwired, the operator has the possibility to de-activate any override when the
communication link fails.
The status of the MOS enable switch shall be read by the DCS via the serial link for
event logging purposes.
The logic to activate only one override per protection group (UZ group) shall be
implemented in the IPS.
In case the DCS to IPS communication link fails, the overrides shall remain as they were
before the failure and when the link is re-established there shall be no status change.
All MOS related events shall be recorded on the SER with a time stamp and shall also be
printed on the DCS printer. The service description which is also printed shall include the
tag name of the initiator being overridden.
MOS activation shall generate a (low priority) alarm on the DCS. If the MOS is not
removed the alarm shall be repeated every 4 hours.
The operator shall check, when switching on an override, that the indications described
above function properly.
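The override rules of 5.8.1 and the enable-switch and link-failure behaviour of 5.8.3 can be expressed as a small piece of logic-solver code. The following is an added illustration written for this text, not code from the document or from any IPS supplier; the class names, the tag names and the event records are constructed.

```python
"""Model of the maintenance override (MOS) rules of 5.8.1 and 5.8.3.

Constructed example: the class names, tag names and event tuples are invented
for illustration.  The rules encoded are the ones the text states: the
hard-wired enable switch gates every request, one override per UZ group,
no MOS on 2oo3, 2oo2 behaves as 1oo2 while one initiator is overridden,
outputs cannot be overridden, alarms are never inhibited, and a failed
communication link freezes the override state.
"""
from dataclasses import dataclass, field

VOTES_NEEDED = {"1oo1": 1, "1oo2": 1, "2oo2": 2, "2oo3": 2}


@dataclass
class UZGroup:
    """One protection group: its trip initiators and their voting scheme."""
    name: str
    initiators: list
    voting: str
    overridden: set = field(default_factory=set)


class OverrideLogic:
    """The override-handling part of the IPS logic solver."""

    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}
        self.enable_switch = False   # hard-wired MOS enable switch on the DCS console
        self.link_ok = True          # health of the DCS-to-IPS communication link
        self.events = []             # what would go to the SER / DCS printer

    def request_override(self, group_name, tag):
        """Handle a 'set MOS' request received over the communication link."""
        if not self.link_ok:
            return False, "link failed: override state frozen"
        if not self.enable_switch:
            return False, "MOS enable switch not in enable position"
        g = self.groups[group_name]
        if g.voting == "2oo3":
            return False, "no MOS for 2oo3 initiator configurations"
        if tag not in g.initiators:
            # outputs (and anything else that is not an initiator) have no MOS
            return False, f"{tag} is not an initiator of {group_name}"
        if g.overridden and tag not in g.overridden:
            return False, "one override per UZ group is already active"
        g.overridden.add(tag)
        self.events.append(("MOS_SET", group_name, tag))
        return True, "override active"

    def remove_override(self, group_name, tag):
        """Handle a 'remove MOS' request received over the communication link."""
        if not self.link_ok:
            return False, "link failed: override state frozen"
        self.groups[group_name].overridden.discard(tag)
        self.events.append(("MOS_REMOVED", group_name, tag))
        return True, "override removed"

    def enable_switch_off(self):
        """Hard-wired path: clears every override even if the serial link is down."""
        self.enable_switch = False
        for g in self.groups.values():
            for tag in sorted(g.overridden):
                self.events.append(("MOS_CLEARED_BY_ENABLE_SWITCH", g.name, tag))
            g.overridden.clear()

    def evaluate(self, group_name, tripped):
        """Return (trip, alarm) for a group; tripped maps tag -> True if active.

        An overridden initiator is left out of the trip vote but still alarms.
        """
        g = self.groups[group_name]
        alarm = any(tripped.get(t, False) for t in g.initiators)
        votes = sum(1 for t in g.initiators
                    if t not in g.overridden and tripped.get(t, False))
        needed = VOTES_NEEDED[g.voting]
        if g.voting == "2oo2" and g.overridden:
            needed = 1   # with one initiator in override the pair works as 1oo2
        return votes >= needed, alarm
```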
6. IMPLEMENTATION OF FIRE GAS AND SMOKE DETECTION INSTRUMENTED PROTECTIVE FUNCTIONS
6.1. GENERAL
Active fire protection equipment is covered in a separate document.
The Contractor shall check local regulation requirements related to the FGS, and if these
are more stringent than the requirements of this document, they shall prevail. In these
instances, the Principal shall be informed.
This section deals only with FGS IPF and IPS requirements which are additional to or
different from process unit IPF and IPS requirements as described in (5.).
FGS IPFs shall be separate from the process IPFs because the FGS IPFs shall remain
operable during plant shutdown.
6.2. INITIATOR
The requirements for the sensor part of the FGS IPF loops are given in a separate
document. In case of conflict between this separate document and the IPF class
requirements of the initiator, the Principal shall be consulted. The interface between the
sensor and the FGS IPS input card is either a 4-20 mA signal or a potential-free contact.
If the initiators are of the normally open (quiescent current) design, continuous line
monitoring facilities capable of detecting open loops and short circuits shall be applied
and an alarm raised if a fault is detected. No protective action shall be taken if such a
fault in the initiator circuit is detected.
6.5. CABLING
For special requirements regarding cabling, refer to other documents.
7. TESTING
7.2. TEST COVERAGE FACTORS
An important factor in the IPF calculation methodology (8.) is the test coverage factor.
This factor is a measure on a 0-1 scale of how well the test is performed, i.e. which
proportion of the unrevealed failures possibly present in the IPF loop will be found by the
test.
In batch processes valves are closed and opened frequently by the batch controller.
Situations exist where a certain valve position is a permissive to proceed with a next
step, because starting the next step with the valve in another position would give a
hazardous situation. If the movement to the safe position of the valve during the batch is
checked by the batch controller and a report indicating functioning of the valve is
generated, the test interval may be assumed to be the time between the (batch
controlled) movements to the safe position.
7.6.1. General
Automatic functional testing is one way to reduce the test interval and at the same time
reduce human-induced unrevealed failures and nuisance trips caused by human errors
during manual testing.
Irrespective of the automatic tests performed, manual testing with a coverage factor of as
close as possible to 1 shall be performed during planned shutdowns (maintenance
interval). The maintenance interval shall be maximum 4 years if the planned shutdown
cycle exceeds 4 years.
If semi-automatic full valve stroke testing is applied to valves with leakage class V or VI
TSO requirements, the coverage factor shall be determined together with the discipline
responsible for stating the TSO requirement.
The basic testing principle for semi-automatic full valve stroke testing shall be as follows:
- The tester initiates the test from the DCS.
- The command to close the valve should be transmitted via the communication link
from the DCS to the IPS.
- The IPS sends the close command to the valve for a period exceeding the valve travel
time (such that the DCS can detect the safe position) after which it returns the valve
again to the position it had before the test.
- A valve safe position indication shall be available in the DCS.
- The test result shall be recorded by the DCS automatically.
- The consequence of the valve failing in the safe position as a result of this test should
be considered.
Another automatic test which may be implemented is to monitor stroking times during
each operation of the valve and raise an alarm when the stroking time exceeds a
specified limit.
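The test sequence above and the stroking-time monitor, simulated with the DCS and IPS sides exchanging messages. This is an added example, not part of the document; the valve model, the message names and the timing figures are constructed.

```python
"""Simulation of the semi-automatic full valve stroke test of 7.6 plus
stroking-time monitoring.

Constructed example: the Valve model, the message names and all timing
figures are invented.  The sequence is the one in the text: the tester
initiates from the DCS, the command goes over the link to the IPS, the IPS
holds the close command longer than the valve travel time, the DCS detects
the safe position and records the result, the IPS returns the valve.
"""
from dataclasses import dataclass


@dataclass
class Valve:
    """Shutdown valve with a safe-position (closed) limit switch."""
    tag: str
    travel_time: float           # seconds to reach the safe position
    stuck: bool = False          # constructed failure: the valve never moves
    commanded_safe: bool = False
    time_commanded: float = 0.0

    def command(self, safe, now):
        self.commanded_safe = safe
        self.time_commanded = now

    def safe_position_indication(self, now):
        """What the DCS reads back: true once travel to the safe position is done."""
        if self.stuck or not self.commanded_safe:
            return False
        return now - self.time_commanded >= self.travel_time


class IPS:
    """Logic solver side of the test: executes the close command."""

    def __init__(self, valve, hold_time):
        # The hold time is chosen at design time to exceed the valve travel time
        # so that the DCS has a chance to see the safe position indication.
        if hold_time <= valve.travel_time:
            raise ValueError("hold time must exceed the valve travel time")
        self.valve = valve
        self.hold_time = hold_time
        self.log = []

    def receive(self, msg, now):
        """Messages arriving over the DCS-to-IPS communication link."""
        if msg == "STROKE_TEST_REQUEST":
            self.valve.command(True, now)
            self.log.append((now, "CLOSE sent to " + self.valve.tag))
            return "STROKE_TEST_STARTED"
        if msg == "RESTORE":
            self.valve.command(False, now)
            self.log.append((now, self.valve.tag + " returned to pre-test position"))
            return "RESTORED"
        return "UNKNOWN_MESSAGE"


class DCS:
    """Operator side: initiates the test, polls the indication, records the result."""

    def __init__(self, ips, stroke_time_limit):
        self.ips = ips
        self.stroke_time_limit = stroke_time_limit   # seconds; alarm when exceeded
        self.records = []

    def stroke_test(self, start=0.0, poll_interval=0.5):
        """Run one test cycle and return the record written to the DCS log."""
        self.ips.receive("STROKE_TEST_REQUEST", start)
        now, reached = start, None
        while now < start + self.ips.hold_time:
            now += poll_interval
            if self.ips.valve.safe_position_indication(now):
                reached = now
                break
        # The IPS returns the valve after the hold time whether or not the DCS
        # saw the safe position; a valve that then stays closed is the
        # 'failing in the safe position' consequence the text asks to consider.
        self.ips.receive("RESTORE", start + self.ips.hold_time)
        stroke_time = None if reached is None else reached - start
        record = {
            "tag": self.ips.valve.tag,
            "safe_position_reached": reached is not None,
            "stroke_time": stroke_time,
            "stroke_time_alarm": stroke_time is not None
                                 and stroke_time > self.stroke_time_limit,
        }
        self.records.append(record)
        return record
```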
8. IPF CALCULATION METHODOLOGY
8.1. GENERAL
The details of the IPF calculation methodology are described in a separate document.
The purpose of this calculation methodology is:
- To calculate required test intervals to fulfil the probabilistic IPF class requirements
taking into account unrevealed failure rates, test coverage factor, etc.
- To calculate the IPF revealed failure rate.
8.2. ASSUMPTIONS
The probabilistic calculations used in the calculation methodology do not take into
account common mode and systematic failures, nor are human errors taken into account
in the version of the calculation methodology available at the time of issue of this
document.
The failure rates used in the calculation methodology are assumed to be constant over
time. Failures that are expressed as failures per million operations, (operating) time-based
failures, systematic failures and human errors have to be converted to failure
rates constant over time. This can be done by making use of the test results, e.g. 1,000
solenoid valves proof tested with a regular interval over a period of 10 years yield a
number of failures per 10,000 'solenoid valve years' which can be converted to failures
per year for a solenoid valve.
NOTE: Preventive maintenance will reduce time-dependent failures, resulting in lower converted unrevealed failure rates.
For NDE output circuits the failure rate of cables and connections, power supply,
instrument air supply, etc. shall be included in the unrevealed failure rate of the final
element, while for NE output circuits they shall be included in the revealed failure rate.
8.3.3. Failure rates
Both unrevealed and revealed failure rates of the following loop components shall be
entered into the calculation methodology:
- The initiator, excluding the IPS input. For those cases where no failure rate data are
available from local records, the calculation methodology provides default failure
rates.
- IPS input. For PLC type IPSs, this is the (robust) input card. For other IPSs this is the
trip amplifier and the first relay, solid-state module or magnetic-core. Except for 'other'
types of IPS systems, failure rates are fixed in the calculation methodology.
- Logic solver. Except for 'other' logic solver types, failure rates are fixed in the
calculation methodology.
- IPS output. For PLC type IPSs, this is the (robust) output card. For other IPSs this is
the last relay, solid-state module or magnetic-core. Except for 'other' types of IPS
systems, failure rates are fixed in the calculation methodology.
- The final element, excluding the IPS output. For those cases where no failure rate
data are available from local records, the calculation methodology provides default
failure rates.
The failure rates for the initiator and IPS input are added to give the total initiator failure
rate because it is assumed that both the initiator and the IPS input are tested during the
regular manual or automatic proof test. For similar reasons, the failure rates for the IPS
output and final element are added to give the total final element failure rate.
An upgrade or new version of the IPS may necessitate an update of the failure rates
mentioned above.
8.3.4. Testing
The following types of information related to testing are required:
- Test interval for the initiator and IPS input combination, and for the IPS output and
final element combination. These two test intervals are not necessarily the same. The
logic solver is assumed to be tested only during the maintenance interval.
- Coverage factors with which these tests are performed.
- Test duration. It is assumed that the initiator is on maintenance override and the final
element is either mechanically prohibited from moving fully or bypassed. Hence during
the test both inputs and outputs are in the unrevealed failure condition. For tests
where this is not the case, e.g. automatic testing of initiators by MVC, the test duration
should be set to zero.
- Maintenance interval or lifetime. Both the input and the output combinations will be
tested during planned shutdown (maintenance interval) with a coverage factor as close
as possible to 1, see (7.). The maintenance interval shall be maximum 4 years if the
planned shutdown cycle exceeds 4 years. Relay type logic solvers shall also be tested
during the planned shutdown, hence the maintenance interval is also applicable to this
type of logic solvers. Solid-state/magnetic-core and IPS-PLC logic solvers do not require
testing during planned shutdowns, hence the lifetime of this type of equipment shall be
taken into account.
- Repair time shall be taken into account for all components of the loop. The calculation
methodology assumes that the loop stays in override when an unrevealed failure is
found during the test. Repair times for both revealed and unrevealed failures are
assumed to be the same.
8.4. OUTPUTS OF THE CALCULATION METHODOLOGY
The calculation methodology provides the following outputs:
- PFD of the initiator and IPS input combination;
- PFD of the logic solver;
- PFD of the IPS output and final element combination;
- PFD of the IPF, assuming the initiator and final element are in override during repair
and assuming the initiator and final element are not in override during repair;
- IPF class of the IPF, assuming the initiator and final element are in override during
repair and assuming the initiator and final element are not in override during repair;
- revealed failure rate of the above mentioned IPF components.
NOTE: IPF class V or VI cannot be obtained when the initiator or final element are single (1oo1) or revealed failure robust
(2oo2), irrespective of the PFD.
The PFDs of the individual IPF loop components are given to enable test interval optimisation.
The IPF PFD shall be lower than the PFD required for the IPF class related to the IPF. If
this is not the case, test intervals, architecture or function components shall be changed
such that the PFD is sufficiently reduced.
8.5.3. Synergetic consequences
The following steps shall be taken to determine the test interval taking into account the
more stringent initiator requirements if synergetic consequences (3.2.4.3.5.) are
applicable:
(i) Calculate the PFD for each function and take the most stringent initiator PFD.
(ii) If the initiator IPF class resulting from the check on synergetic consequences is one
IPF class above the highest IPF class of that initiator for the classifications excluding
the synergetic consequences, reduce the test interval of the initiator such that the
PFD obtained in the first step is reduced by a factor 10.
(iii) If the initiator IPF class resulting from the check on synergetic consequences is two
IPF classes above the highest IPF class of that initiator for the classifications
excluding the synergetic consequences, reduce the test interval of the initiator such
that the PFD obtained in the first step is reduced by a factor 100.
(iv) Use this test interval as the initiator test interval.
If all individual functions are class IV or lower and due to synergetic consequences the
initiator shall be implemented as class V, the initiator shall be unrevealed failure robust.
The test interval shall in this case be calculated following the steps indicated above, with
the addition that in step (ii) or (iii) the unrevealed failure robustness is incorporated.
NOTE: The addition of unrevealed failure robustness may result in an increased test interval.
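As an added example, the inputs named in 8.3.3 and 8.3.4 (unrevealed failure rate, test interval, coverage factor, maintenance interval, repair time, architecture) carried through a simplified PFD model, including the factor 10 and factor 100 reductions of steps (ii) and (iii) above as a search for the test interval. This is not the calculation methodology of the separate document the text refers to: it uses the textbook low-demand approximation PFD = λT/2, treats the uncovered fraction (1 − C) as found only at the maintenance interval and, like 8.2, leaves out common-cause terms; all numbers are constructed.

```python
"""PFD versus test interval, and the 8.5.3 synergetic-consequence steps.

Added illustration, not the calculation methodology of the separate document
the text refers to.  Assumed model (constructed, with the inputs the text
names in 8.3.3 and 8.3.4):
  - constant unrevealed failure rate lam (failures per year);
  - a proof test with coverage factor c reveals a fraction c of the unrevealed
    failures; the remaining fraction (1 - c) is found only at the maintenance
    interval t_maint, where a coverage factor of 1 is assumed;
  - low-demand approximation PFD = lam * T / 2 for a single component whose
    failures are found after an interval T, plus lam * repair time while
    the loop is in override for repair;
  - 1oo2 = product of the two single PFDs, 2oo2 = sum of the two;
    no common-cause term, as in 8.2.
"""


def failure_rate_from_records(failures, units, years):
    """Constant failure rate per unit-year, e.g. 1,000 valves observed for
    10 years give failures per 10,000 'solenoid valve years' (8.2)."""
    return failures / float(units * years)


def pfd_single(lam, t_test, c, t_maint, repair_time=0.0):
    """Average PFD of one tested combination (initiator + IPS input, or
    IPS output + final element); all times in years."""
    if not 0.0 <= c <= 1.0:
        raise ValueError("coverage factor must be on the 0-1 scale")
    if t_test > t_maint:
        raise ValueError("test interval cannot exceed the maintenance interval")
    covered = c * lam * t_test / 2.0
    uncovered = (1.0 - c) * lam * t_maint / 2.0
    return covered + uncovered + lam * repair_time


def pfd_architecture(voting, pfd1):
    """Combine identical single PFDs for the architectures the text names."""
    if voting == "1oo1":          # single
        return pfd1
    if voting == "1oo2":          # unrevealed failure robust
        return pfd1 * pfd1
    if voting == "2oo2":          # revealed failure robust
        return 2.0 * pfd1
    raise ValueError("unknown architecture: " + voting)


def longest_test_interval(lam, c, t_maint, target, voting="1oo1",
                          repair_time=0.0, shortest=1.0 / 52.0):
    """Longest test interval (years) with PFD <= target, or None.

    PFD rises monotonically with the test interval, so bisection between one
    week and the maintenance interval finds the boundary.  None means the
    target cannot be met by shortening the test interval alone: the uncovered
    fraction and the repair time set a floor, which is the case in 8.4 where
    'test intervals, architecture or function components shall be changed'.
    """
    def pfd(t):
        return pfd_architecture(voting, pfd_single(lam, t, c, t_maint, repair_time))

    lo, hi = shortest, t_maint
    if pfd(lo) > target:
        return None
    if pfd(hi) <= target:
        return hi
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if pfd(mid) <= target:
            lo = mid
        else:
            hi = mid
    return lo


def synergetic_test_interval(lam, c, t_maint, t_test, classes_above, voting="1oo1"):
    """Steps (i) to (iv) of 8.5.3 for one initiator.

    classes_above is how many IPF classes (0, 1 or 2) the synergetic check adds
    on top of the highest individual classification; each class step requires
    the PFD of step (i) to be reduced by a factor 10.  Returns
    (pfd_step_i, target_pfd, new_test_interval_or_None).
    """
    if classes_above not in (0, 1, 2):
        raise ValueError("8.5.3 covers one or two classes above only")
    current = pfd_architecture(voting, pfd_single(lam, t_test, c, t_maint))
    target = current / 10.0 ** classes_above
    return current, target, longest_test_interval(lam, c, t_maint, target, voting)
```

With a coverage factor below 1 the uncovered fraction alone can exceed the target, in which case the function returns None and the architecture or coverage, not the interval, has to change.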
9. MAINTENANCE
9.1. INTEGRITY
Integrity of IPFs shall be managed by applying the following :
- Modifications shall be carried out following plant change procedures.
- Temporary modifications, e.g. defeat of an IPF loop, shall be separately identified
within the plant change procedure.
- For software based IPSs, principles of system management shall be applied.
- A focal point for Manufacturer/Supplier maintenance and support shall be appointed.
- System revision and upgrades shall be avoided, see also (5.3.). In case a revision or
upgrade is required, procedures as described by the Manufacturer/Supplier shall be
adhered to. All revisions and upgrades shall be documented.
- Software back-ups shall be made at regular intervals.
- Security and access rights shall be documented.
- A system logbook shall be available for recording all systems modifications.
- System documentation shall be available.
- Adherence to strict security procedures when remote maintenance is applied.
- Follow-up of pending repairs.
Test reports shall be archived for at least ten years or for the life of the IPF, whichever is
longer.
9.6. MODIFICATIONS
Modifications shall follow the same IPF classification and implementation procedures as
applied to new designs.
9.7. AUDITS
A yearly audit should be carried out to confirm compliance with:
- change procedures;
- test procedures;
- test schedule;
- recording and analysis of results;
- integrity management such as:
  - changes made to the logics performed by the IPS;
  - no 'forced' inputs or outputs present in the IPS;
  - adherence to restrictions imposed by the IPS type approval.
10. REFERENCES
GERMAN STANDARDS
DIN V 19250: Control Technology; Fundamental Safety Aspects to be Considered for Measurement and Control Equipment.
Issued by: Beuth Verlag GmbH, Burggrafenstraße 6, Postfach 11 07, D-1000 Berlin 30, Germany.
Wartungseingriffe/Maintenance Override, Version 2.2, 08 September 1994.
Issued by: TÜV Rheinland, ISEB, Am Grauen Stein, D-51105 Cologne, Germany; or: TÜV Bayern, IQSE, Ridlerstrasse 31, D-80339 Munich, Germany.
INTERNATIONAL STANDARDS
IEC/SC65A draft 1508, Parts 1-7: Functional safety of safety related systems (Draft).
IEC 534-4: Industrial Process Control Valves, Part 4: Inspection and routine testing.
Issued by: Central Office of the IEC, 3, Rue de Varembé, CH-1211 Geneva 20, Switzerland.
Copies can also be obtained from national standards organisations.
APPENDIX 1 SUGGESTIONS ON HOW TO SET UP A CLASSIFICATION EXERCISE
Introduction
For the IPF classification exercise it is essential to set up a structure to optimise team
productivity and quality of output. This Appendix gives guidelines for the organisation of
an IPF classification exercise.
Planning
A planning schedule should be set up, detailing the individual team members by name
and discipline. No more than 5 hours per day should be spent on classification because
otherwise motivation and concentration may fall and the quality of team output may
reduce dramatically. Each function requires equal attention. Regular breaks should be
planned. The team members should not be disturbed during classification. Specialists
such as rotating equipment or furnace specialists should be on call and available when
their input is needed.
Team
The composition of an IPF classification team is defined in (3.2.2.). Efficiency will be
increased considerably by appointing a secretary who records the discussion in the IPF
database. The secretary role can be fulfilled by a junior technologist or engineer. It is
essential that the secretary has a technical background. The facilitator shall ensure that
the discussions are sufficiently detailed without losing the objectives of the classification.
Time keeping and preventing procedural errors are two important tasks for the facilitator.
Preparation
To minimise delays, all preparatory work shall be done prior to classification. Once the
team has started the classification process no time should be lost doing work that could
have been done in advance.
The following should be available before the start of the classification exercise:
- Copies of the documents which contain input information for the discussion.
- PC, including IPF classification database and IPF calculation software, overhead
projector, LCD panel screen etc. shall have been set up and tested.
- Identification of the IPF loops and the creation of records in a database. The order in
which they are going to be discussed shall have been fixed.
The following documents and office equipment should be available:
- Process and Utility Engineering Flow Schemes (PEFSs);
- Process Flow Schemes (PFSs), Process Safeguarding Flow Schemes (PSFSs),
cause and effect matrices, process safeguarding memoranda and IPF & control
narratives;
- overhead projector;
- projection screen or equivalent;
- LCD panel screen for use on the overhead projector;
- PC installed in the meeting room (connected to LCD panel);
- software package to store the classification results in a database, installed on the PC.
FIGURES
FIGURE 1 RISK REDUCTION - GENERAL CONCEPTS
[Figure: bar diagram along an axis of increasing risk, showing the necessary minimum risk reduction, the actual risk reduction and the partial risk reductions that make it up.]
FIGURE 2 IPF CLASSIFICATION AND IMPLEMENTATION WITHOUT METHODOLOGY OF THIS DOCUMENT
[Figure: flow diagram with lanes for process technology, process control, safety, instrumentation, operations, project engineering and reliability engineering; several disciplines start independently, and reliability engineering calculates the demand rate with input from all disciplines.]
FIGURE 3 IPF CLASSIFICATION AND IMPLEMENTATION WITH METHODOLOGY OF THIS DOCUMENT
[Figure: flow diagram with lanes for process technology, process control, safety, instrumentation, operations, project engineering and reliability engineering, joined by a single IPF classification step.]
FIGURE 4 MULTIPLE INITIATORS RELATED TO ONE FINAL ELEMENT
[Figure: two or more functions (Function 1, Function 2, ...) with their own initiators acting on one final element.]
FIGURE 6 REDUCTION OF CLASSIFICATION EFFORT
[Figure: spider diagram. Initiators AI1, AI2, AI3 (via UZ-A) and BI1, BI2, BI3 (via UZ-B) trip an additional tag (ADD'L_TAG, UZ-A_TRIP) which acts on the final elements.]
2. Classify each ADD'L_TAG to final element function. The demand rate (W) on ADD'L_TAG
can be determined by summating the initiator Ws (10 or more W1s result in W2 and 10
or more W2s result in W3, with the W never above W3) or from experience. This results
in the required final element class.
NOTE: The synergetic consequence check on initiator failure is not required because it is embedded in step 1.
FIGURE 7 IPF CLASSIFICATION RISK DIAGRAMS
[Figure: risk graphs for personnel safety (parameters S, A, G, W), environment (E, W) and production and equipment loss (L, W), each giving the IPF class, with the corresponding DIN V 19250 AK class and IEC 65A Draft 1508 SIL; a further graph for the revealed failure class (parameters C, R). The graph bodies are not recoverable from the scan; the legend reads as follows.]
(W) Frequency of demand on the instrumented protective function:
- W0 = Unclassified
- W1 = Very low (demand rate once per 10-100 years)
- W2 = Low (demand rate once per 1-10 years)
- W3 = Relatively high (demand rate more than once per year)
(S) Extent of human injury per demand, instrumented protective function fails on demand:
- S0 = No injury
- S1 = Slight injury, non-permanent
- S2 = Severe injury, death of one person
- S3 = Death of several persons
- S4 = Catastrophe, many casualties
(A) Duration of presence in danger zone:
- A1 = Seldom to frequently (at time of demand)
- A2 = Frequently to continuously (at time of demand)
(G) Possibility to avoid hazard:
- G1 = Under certain conditions
- G2 = Hardly possible
(L) Production and equipment loss per demand, instrumented protective function fails on demand:
- L0 = No operational loss, no damage to equipment
- L1 = Minor [...], minor damage to equipment
- L2, L3 = [illegible in source]
- L4 = Damage to [...] equipment causing major economic loss; major loss of containment
(E) Environment, per demand, instrumented protective function fails on demand:
- E0 = No release, negligible [...] to the environment
- E1 = Release with minor damage to the environment that should be [...]
- E2 = Release within fence with significant damage to the environment
- E3 = Release outside fence, temporary major damage to the environment
- E4 = Release outside fence with permanent major damage to the environment
(C) Cost of production loss when the instrumented protective function takes action without a demand:
- C0 = Cost ≤ USD 1,000
- C1 = USD 1,000 < Cost ≤ USD 100,000
- C2 = USD 100,000 < Cost ≤ USD 1,000,000
- C3 = USD 1,000,000 < Cost ≤ USD 10,000,000
- C4 = USD 10,000,000 < Cost
(R) Frequency of revealed failure:
- R1 = Very low (revealed failure rate once per 10-100 years)
- R2 = Low (revealed failure rate once per 1-10 years)
- R3 = Relatively high (revealed failure rate more than once per year)
FIGURE 8 IPF CLASSIFICATION RESULTS- DATABASE PRINT-OUT- EXAMPLE
IPF CLASSIFICATION
PEFS Initiator Tag: T-2.665.807-C
Initiator Tag: 17PDZA-002LL 17FZA-012LL Service Desc.: Backflow Detection R-1701 Feed
Related UZ1: 17UZ-020 Service Desc.: HC Feed Backflow IPS
Related UZ2: Service Desc.:
Related UZ3: Service Desc.:
Intermediate Tag1: 17UZ-021 17UZ-022
Intermediate Tag2:
Intermediate Tag3:
Final Element Tag: 17FCV-011 17UZ-021 Service Desc.: Feed To Reactor R-1701
Is It A Pre-Alarm: N
Consequence Of Failure On Demand:
Case 'a'. The consequences are backspinning of pump and rupture of vessel V-1701 since it is
impractical or impossible to protect it with a relief valve (too hot material). Vessel rupture is much
more severe than pump backspinning, therefore the latter is not dealt with in detail any further.
Case 'b'. The pump will be stopped by 17FZA-012LL or, if the trip level is not reached, the
operator will stop the pump as soon as he recognises the situation. If the backflow protection
system fails, the flare system will be over loaded both in terms of temperature and in terms of
flow, but the flare system will not be ruptured.
Consequence Of Revealed Failure:
The pump will stop. The unit will be out of feed for 7 hours. At end of run the chances of the
reactor temperature runaway protection system 17TZA-HHs activating are reasonably high which
would cause an outage of 24 hours. The cost of a revealed failure is 5,600 t/d × 45 USD/t × 1 d ≈ USD 250,000.
Demand W: 1 / 0
Personnel Safety S: 3 / 2   A: 2 / 1   G: - / 2   Personnel Safety Class: VI / -
Loss L: 4 / 4   Production And Eq't Loss Class: III / -
Environment E: 1 / 0   Environment Class: II / -
Overall Unrevealed Failure Class: V
Cost C: 2
CR Initiator: USD 7,500   Rate R: 1   Revealed Failure Class: N
CR Final Element: USD 42,500   Rate R: 2   Revealed Failure Class: N
Note 1:
There are more than one initiator and valve in the same function, but from the classification it will be clear that
these are provided to implement unrevealed failure robustness.
There are two occurrences that can cause backflow: a. Pump stoppage, and b. Inadvertent opening of 17RV-002.
These cases are indicated before and after the '/' respectively, i.e. a / b.
Note 2:
For case 'a', every time the pump stops the possibility of backflow is present. This would result in a frequency of
demand of more than once per year. However, two non-return valves (NRVs) are installed to reduce the frequency
of demand on the IPF. One NRV reduces the frequency of demand by a factor 10 and two different makes and
types of NRVs reduce the frequency of demand by a factor 50. The latter is not a factor 100 because of common
mode failures not related to make and type. Because of the NRVs the classification of the frequency of demand on
the IPF is reduced from W3 to W1.
Note 3:
Inadvertent opening of 17RV-002 will happen very infrequently, W1. However, because NRVs are installed the
frequency of demand on the IPF valves reduces to WO.
Note 4:
For case 'a', the most dangerous time is when the pump is started because a stop frequently occurs just after a
start. The pump has a local start. This means that more than one person will be present during the most dangerous
time and the classification shall therefore be A2.
Note 5:
Two valves in a 1oo2 configuration results in R2.
FIGURE 9 IPF CLASSIFICATION- BLANK FORM
IPF CLASSIFICATION
PEFS Initiator Tag:
Initiator Tag: Service Desc.:
Related UZ1 : Service Desc.:
Related UZ2: Service Desc.:
Related UZ3: Service Desc.:
Intermediate Tag1:
Intermediate Tag2:
Intermediate Tag3:
Final Element Tag: Service Desc.:
Is It A Pre-Alarm:
Demand W:
Personnel Safety S: A: G: Personnel Safety Class
Loss L: Production And Eq't Loss Class
Environment E: Environment Class
Overall Unrevealed Failure Class
Cost C:
CR Initiator: RateR: Revealed Failure Class
CR Final element: RateR: Revealed Failure Class
Note 1:
Note 2:
Note 3:
Note 4:
Note 5:
FIGURE 10 ONE INITIATOR CONNECTED TO MULTIPLE FINAL ELEMENTS
FIGURE 12 POSSIBLE IMPLEMENTATION OF IPF CLASSES
- No special equipment
- Alarm only, if operator action can be relied upon; otherwise classify and implement as II
For all classes II-VI a pre-alarm shall be included, provided corrective operator action to avoid the IPF action is
feasible.
All actions for classes II-VI shall be announced by an alarm.
Revealed failure robustness may be added to all possible implementations without degrading the IPF class,
provided the test and maintenance intervals are selected according to Figure 13.
In case the class already requires unrevealed failure robustness, the combination of revealed and unrevealed failure
robustness shall be implemented.
NOTES: 1. Class V/VI requires unrevealed failure robustness.
2. The test and maintenance intervals related to the selected architectures can be obtained from Figure 13.
3. The AK classes given above refer to DIN V 19250 requirement classes.
4. All items are mandatory minimum requirements.
NOTE: The 'F' originates from fault tolerant. R has not been used in order to avoid confusion with the revealed failure rate
classification.
FIGURE 13 POSSIBLE IMPLEMENTATION OF IPF CLASSES
ARCHITECTURES AND MAXIMUM TEST AND MAINTENANCE INTERVALS
[Table: for each logic solver type (PLC, Relay, SS/MC), final element type (valve or rotating equipment stop circuit) and initiator / final element architecture (S, UFR, RFR, UFR/RFR), the maximum test and maintenance intervals per IPF class. The table body is not recoverable from the scan; the legend reads as follows.]
Symbols: actual trip to test, test duration 1E-16; required PFD cannot be obtained by reducing the test interval.
Test / maintenance intervals (years) used: 10; 4; 3; 2; 1.6; 1; 0.75 (9 months); 0.5 (6 months); 0.25 (3 months); 0.17 (2 months); 0.08 (4 weeks); 0.04 (2 weeks); 0.02 (1 week).
Abbreviations:
- Final Element (related interval is test interval, maintenance interval is 4 years)
- I: Initiator (related interval is test interval, maintenance interval is 4 years)
- LS: Logic Solver (related interval is maintenance interval)
- MC: Magnetic-Core
- N/A: Not Applicable (unrevealed failure robust required for IPF class V/VI)
- Rot. Eq't: Rotating Equipment Stop Circuit
- PFD: Probability of Failure on Demand
- RFR: Revealed Failure Robust
- S: Single
- SS: Solid-State
- UFR: Unrevealed Failure Robust
FIGURE 14 AUTOMATIC MAINTENANCE OVERRIDE
[Figure: IPS block diagram in which an IPF initiator with a detected input fault is taken out of the 2oo3 logic automatically, the remainder of the logic following; alarms etc. not indicated.]
FIGURE 16 MOS IMPLEMENTATION
[Figure: block diagram of the MOS implementation. DCS console with ESD, the hard-wired MOS enable switch, MOS lamp and 'MOS activated' indication; control processor connected over the communication link to the IPS gateway and I/O of the instrumented protective system; MOS activated signal, valve test feedback and trip/alarm switching to the field; central/field auxiliary room and field boundaries shown.]
FIGURE 17 RELATION IPF PFD AND IPF CLASS - TEST INTERVAL
[Figure: IPF PFD (logarithmic axis, down to 1.00E-05) against test interval (years, 0 to 4) for a given IPF component unrevealed failure rate λ (failures per year); lines for the 1oo1, 1oo2 and 2oo2 configurations, with the IPF class III and class V/VI PFD boundaries marked.]
NOTE: For 1oo1 and 2oo2 configurations, the PFD vs. Test Interval lines stop at a PFD of 1.00E-3 because of the deterministic
requirement that for IPF class V and VI the configuration shall be unrevealed failure robust.
[Advertisement, DSM, translated from Dutch]
Also with plastic roll-cage constructions we are almost round the bend.
DSM, it's a surprising world.
Wherever work is being done on the future, DSM is there. As in the automotive industry: with plastics for the interior, the bodywork and, extra heat-resistant, under the bonnet. But also with special plastics that can replace traditional steel in roll-cage constructions, and offer even more protection too. It is just one example of DSM's involvement in everyday life.
DSM makes raw materials and semi-finished products that are used in cars, packaging, electronics and medicines. 77,000 people work for DSM in Europe, the United States and the Far East.
Reliability for safety and plant life
management
by
Ir. C.M. Pietersen
Function:
General Manager of AEA Technology Netherlands BV; international safety and reliability
expert.
Experience:
• Chris Pietersen has a background in process control and safety instrumentation. He
started his professional career in Shell. Later he managed the Risk Analysis department
in TNO for more than 10 years. He acted as an independent investigator in disasters
and wrote many papers on process safety. Director of a safety consultant company in
India. In 1993 he was appointed as TNO Senior Research Fellow.
• In August 1994 he joined AEA Technology Netherlands BV in The Hague to develop
Safety and Reliability services to the industry. He acts as an advisor to governmental
bodies for safety and risk related items.
Organisations:
• Member of the European Safety Centre
• Member of the European Safety and Reliability Association
129
RELIABILITY FOR SAFETY AND PLANT LIFE MANAGEMENT
1. General
Plant Life Management is a term used for a broad spectrum of activities to optimise the Cost of Ownership of process plants. This presentation focuses on the conditions for a reliable and safe operation and the way to assess them. It is argued that the new approaches presented will lead to a better management tool and consequently can reduce the Cost of Ownership of a plant. Designing and operating the plant in a fit-for-purpose way also creates a sound basis for safe operation. The presentation will cover the following:
Maintenance Outsourcing
Many companies are concentrating on the activities which are considered to be their core business. Maintenance of the production plants is often not considered to be core business. This leads to outsourcing of maintenance to specialised maintenance contractors. These contractors are faced with requirements for the quality of the maintenance, often expressed in terms of availability requirements for the plants. This creates the need for systematic availability studies that make use of the best available data from the inspection and maintenance regimes of the specific plant, including failure statistics.
Safety
The safety of a process plant needs to be assured during all stages of the lifecycle of the plant. This also holds for the different modes of operation: start-up, production, maintenance and shutdown. The Risk Level of a plant needs to be reduced to an acceptable level. This is, for instance, part of the Responsible Care programme of the chemical industry, and legislation requiring it is in place in most countries. From the Cost of Ownership point of view safety is also an important factor: recent studies have shown that the costs of accidents are often larger than expected and accounted for, and awareness of this in industry is growing (see figure 2).
The remaining, residual risk needs to be dealt with in emergency preparedness plans and repressive systems such as Fire & Gas systems.
2. Reliability Assessment
In order to have the full benefits of Reliability Assessment for Plant Life Management purposes, it is important to use relevant data and assessment techniques. Even more crucial is that the assessment is performed by (a team of) people with a good knowledge of the plant and of its inspection and maintenance history. Furthermore, other disciplines need to be involved in the assessment, depending on the subject under consideration: e.g. Instrumented Systems (including PLCs) or Structural Integrity of pressure vessels. The following will be dealt with in the presentation:
[Figure: risk reduction. The necessary minimum risk reduction is set against the actual risk reduction, which is made up of the partial risk covered by MC-protective measures and the partial risk covered by non-MC-protective measures. MC: Measurement and Control.]

Figure 2 Safety is good for business
Advertisement: Stork Limburg B.V.

Postbus 1161, 6160 BD Geleen
Burg. Lemmensstraat 125, 6163 ID Geleen
Telephone: 046 4766362
Telefax: 046 4764790
Year founded: 1992
Number of employees: 438
Contact person: M. Schlechniem
Quality certification: ISO 9001/VCA & BS 7750

Stork Limburg, your versatile, flexible partner in electrical, instrumentation and mechanical engineering, has specialised in realising mono- and multidisciplinary projects for industry, as well as in the maintenance of the products used in this branch. The most important aspect of our services is the care for optimal Quality, Working Conditions & Environment. Stork Limburg considers continuous improvement important. Our company is certified according to the ISO 9001, VCA & BS 7750 systems.

Stork Limburg is an independent operating company of the Stork Group and is part of the ICM group (Installation, Contracting & Maintenance). Stork Limburg has organised its services and expertise in two Business Units:

BUSINESS UNIT MECHANICAL ENGINEERING SERVICES:
- Machining: machining of all materials, including turning, milling, boring and grinding; specialities such as lapping, balancing and honing.
- Equipment Construction & Construction Piping: work on all metals; overhaul, inspection & maintenance of process equipment. Welding is carried out under inspection (Stoomwezen, Vinçotte).
- Rotating Equipment / Machinery Services: dismantling and assembly of machines on site, including pumps, fans, compressors and turbines.

BUSINESS UNIT ELECTRICAL & INSTRUMENTATION SERVICES:
- E/I Construction: new construction and maintenance work in industry and utility building, including power and safety installations, measurement, control & switching equipment, process control and monitoring equipment.
- Process Control (PB) Testing: checking, inspection and calibration of complete process control systems; loop checks & functional tests of process control equipment & support during start-up.
- High, Medium & Low Voltage & E-Testing: maintenance, overhaul, new construction & modification of high-, medium- and low-voltage installations & components.
- E/I Workshop: checking, overhaul, inspection and maintenance of electric motors & transformers; control valves with actuator & positioner; all valves and spring-loaded safety valves; fine-mechanical work; management, documentation & planning.
- I/Equipment Services: checking, repair, calibration and verification of process control equipment (electronic & pneumatic), weighing instruments & weigh-out equipment, and process analysis equipment (such as pressure, voltage, current, resistance, temperature, pulse/frequency and flow meters).

SPECIALISMS WITHIN THE PRODUCT GROUP I/EQUIPMENT SERVICES
I/Equipment Services works with standards which are related to the national and international standards.

I/Equipment Services - Calibration: the calibration group and the weighing instruments department of Stork Limburg B.V. have been ISO 9001 certified since May 1992. With this certificate Stork Limburg B.V. is authorised to calibrate all your measuring equipment for electricity, flow, weight and analysis.

I/Equipment Services - Gas analysis: this service group is specialised in solving technical problems and guarantees the inspection of all your gas analysers and conditioning systems.

I/Equipment Services - Weighing instruments: the weighing instruments department, part of Stork Limburg B.V., can calibrate weighing instruments for you in accordance with the regulations of the Weights and Measures Act (ijkwet). This ranges from laboratory balances and platform scales to bagging machines and weighbridges, all with certified standards. Stork Limburg B.V. is flexible and will come and do all the work, at very competitive prices. Moreover, we can be reached 24 hours a day to solve your weighing problems. For this Stork Limburg B.V. has very accurate standards, traceable directly to national and international standards. Professional calibration requires specialist knowledge and high-quality equipment, equipment which Stork Limburg has! Stork Limburg B.V. also works together with the Nederlands Meetinstituut to calibrate your weighing installation. The calibration group has a recall system under which the instruments due for calibration are called up in writing. The period within which particular weighing, verification, test and auxiliary equipment has to be recalibrated is determined by your wishes and the legal requirements. The weighing instruments service monitors the calibration period and takes action automatically after announcing the work. On request we advise you in this field. Stork Limburg B.V. takes care of the transport of instruments for you.
Commissioning of a type approved PLC
by
Dipl.-Phys. E. Pofahl
TÜV Rheinland, Cologne
Germany
Dipl.-Phys. E. Pofahl
Function:
• Expert in type testing and qualification of electrical, electronic and programmable electronic systems for use in safety related applications at TÜV Rheinland.
• Expert in software. Development of techniques and tools for inspections of safety critical software.
Experience:
Worked in several projects in the area of assessment and certification of process safety for electronic and programmable electronic systems.
Organisations:
• Member of VDE GK 914 (VDE 0801) "Principles for computers in safety related systems"
• Member of AK prEN 50156 "Electrical equipment for furnaces"
Commissioning of a type approved
PLC
Content:
Introduction
Differences between ESD and Continuous Control Systems
PLC restrictions as a result of a type approval
Representative restriction
Commissioning and acceptance test
Introduction
Today there are many technical systems and applications where the proper and safe functioning of measurement and process control equipment is essential for the prevention of human injury or death. As an integral part of this equipment, computer based systems (programmable electronic systems, PES) increasingly perform safety functions. The fast development of computer technology has led to many different applications of programmable electronic systems (PES) in safety related systems.
As a subgroup of all PES one finds programmable logic controllers (PLC) in plants for safety critical applications. Sometimes, however, there is not enough confidence in the complex hardware and software design of modern PLCs.
One of the aims of using PLCs in a plant is to reduce risk, not to increase it by inappropriate technology. This principle is set out e.g. in DIN 19250 "Fundamental safety aspects to be considered for measurement and control equipment", and in Draft IEC 1508 (former subcommittee 65A), "Functional safety: Safety related systems", part 5: "Guidelines on the application of Part 1 (of IEC 1508)".
[Figure: risk reduction diagram showing the necessary minimum risk reduction.]
TÜV checks the design, the hardware and the operating software of PLCs within a type approval. This gives confidence in the PLC itself.
Before a PLC is set to work in the plant, however, other steps are necessary to ensure that the PLC provides the additional safety needed to reduce risk to the acceptable level required by the specific application. This is depicted in the following diagram:
[Figure: plant installation activities from concept and engineering through to acceptance test on the left; the corresponding TÜV activities, with focus on the PLC, on the right.]
On the left hand side all sequential activities, necessary from concept level to the acceptance test in the plant, are shown. On the right hand side the corresponding TÜV activities are shown. As one can imagine, these activities need interdisciplinary knowledge.
Differences between ESD and Continuous Control Systems
There are significant differences between Emergency Shutdown (ESD) systems and Continuous Control Systems.
A typical ESD system is designed in such a way that zero, or de-energised, is the safe state. From the safety point of view, therefore, availability considerations are not needed: as soon as faults which cannot be handled are encountered, the system shuts down the application. A burner control system demands an ESD system which closes the relevant valves in the event of errors. On the other hand, by system design one application can be subdivided into logical groups which can perform a partial shut-down as long as the main controllers work. A typical example would be a large vessel with many groups of burners.
Most fire and gas applications are typical Continuous Control Systems. If a fire control system detects failures within the system, an alarm must be generated. Shutting down the system is not allowed and would not increase safety: in the event of a fire it must still be possible to activate the relevant fire extinguisher. For Continuous Control Systems both high safety and high availability are required. Normally this is implemented by using more redundancy than would be needed for a specific level of safety alone.
A programmable logic controller (PLC) is a general purpose device which may be used anywhere in a plant. It may be used for measuring and controlling, and it may also be used in areas where the safety of the whole plant is involved.
As most PLCs are not designed exclusively for safety applications, restrictions must be compiled for PLCs used in a safety critical environment. As there is a manifold of PLC technology on the market, each PLC has its own specific restrictions.
The restrictions are compiled as a result of the type approval of the PLC. These restrictions must be followed to ensure that the whole system complies with safety standards.
PLC vendors publish the TÜV restrictions within their user documentation. This ensures that everyone knows about the restrictions for the use of a PLC in safety critical applications.
TÜV is working on a paper in which the restrictions that are valid regardless of the PLC brand are combined. This has already been done for the restrictions on maintenance override in safety relevant PLCs. See also the paper "Maintenance Override", which is attached.
Representative restrictions
"The PLC may be run with disabled points only during the commissioning phase. Before final operation it must be checked that no points are left disabled."
It is possible to disable a physically connected device logically from the PLC, e.g. for test and maintenance reasons. If this is done by the "normal" disabling feature of a PLC, there is a high chance that re-enabling the points will be forgotten. Therefore simply "forcing" inputs or outputs for maintenance and repair is forbidden. How this task can be carried out is shown in the paper "Maintenance Override", which is attached.
Commissioning means bringing the PLC system, the other control equipment and the process into interaction. It is TÜV philosophy to provide accompanying consulting and acceptance testing throughout construction and commissioning. Knowing that the plant constructor is sometimes more concerned with meeting the time schedule, this is advisable: working under this pressure, the constructor's main interest is not safety and reliability. From our point of view the function of the system has less priority than it has for the commissioning and construction engineer; we have to focus our attention on the requirements of the governmental and technical rules which must be fulfilled to ensure safe and reliable operation throughout the lifetime of the plant. This ensures early detection of construction, design or installation errors, which can therefore be corrected easily. Commissioning and acceptance engineers must work closely together while maintaining their independence. This ensures that the time schedule is met while all aspects are considered.
The use of PLCs in safety related systems requires special measures throughout the whole lifecycle of the plant. The following typical factors must be considered when using a PLC in a safety related system:
personnel
controlled equipment and related processes
environment
controlling equipment, e.g. PLCs and associated equipment
wiring (flammability, insulation temperature, survival of function for a defined time)
installation requirements
Therefore, before commissioning, the commissioning engineer normally expects the following to have been carried out:
Validation of the safety requirements according to the safety analysis and the subsequent cause-and-effect diagram.
Verification of the logic diagram and its conversion into the application software. From the point of view of safety a quality control plan is needed for the user software in order to help ensure thorough examination. Besides the testing of the software by the authors and the users, independent testing and evaluation is highly recommended.
Pre-installation simulation of the PLC in the factory with a complete function test of the I/O level. In the event of a complex system a process simulator is required. Among others the following characteristics are tested: response time; behaviour of the system during PLC power failure, emergency stop and run mode change.
The testing of the PLC system is the next step and includes the following:
1. Testing of the installation by using an installation report. This test must be carried out extensively and concerns all relevant safety aspects. These are:
field wiring, e.g. separate installation of redundant wiring and function survival of very essential cables;
noise and transient suppression measures against noise coupling.
4. System function tests and fault simulation
The commissioning functionality checks of PLC, process and other control equipment must be performed according to a commissioning test plan. This test plan must also include the different modes of operation of the PLC:
local mode
remote operation with DCS interaction
maintenance
In this context special care has to be taken concerning the restrictions written in the type approval for the PLC system.
The fault simulation is usually performed after the system functional tests. For this test a list of faults must be generated. Experience shows that most of the faults occur at the I/O and other interfaces to the PLC. Therefore this list must include failure modes of:
The simulation must verify that an identified fault causes an output to go into a pre-defined state as the system operation requires.
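The distinction between ESD and Continuous Control Systems made earlier and the fault simulation step described here lend themselves to a small executable model. The following Python code is an added example, not part of this paper: an ESD function (1oo2 high-pressure trip whose de-energised output is the safe state) that degrades and alarms on a fault it can handle and shuts down on one it cannot, a fire-and-gas function that alarms on an internal fault but keeps the extinguisher available, and a fault list run against each with every output checked against its pre-defined state. The tag names, trip levels and the 4-20 mA live-zero band are assumptions of the example.

```python
"""Fault simulation of two PLC safety functions, as an added example.

Not from the original paper. esd_logic stands for an emergency-shutdown
function (de-energised output = safe state), fg_logic for a fire-and-gas
function that must stay available and only alarm on internal faults. A fault
list is applied to each and every output is checked against the state the
cause-and-effect diagram pre-defines. Tags, trip levels and the 4-20 mA
live-zero band are assumed values for illustration.
"""
from dataclasses import dataclass

LIVE_ZERO_MIN, LIVE_ZERO_MAX = 3.8, 20.5   # outside this band: open or short circuit on a 4-20 mA loop
TRIP_MA = 18.0                             # assumed high-pressure trip point for PT-101A/B
FIRE_MA = 16.0                             # assumed alarm level for fire detectors FD-1/FD-2


def loop_ok(mA) -> bool:
    """True when the 4-20 mA loop carries a plausible (non-faulted) signal."""
    return mA is not None and LIVE_ZERO_MIN <= mA <= LIVE_ZERO_MAX


def esd_logic(pt_a, pt_b, plc_power_ok=True) -> dict:
    """1oo2 high-pressure trip driving valve XV-101. False (de-energised) is the safe state."""
    if not plc_power_ok:                   # outputs drop out: the valve closes, a fault is shown
        return {"XV-101_energised": False, "fault_alarm": True}
    healthy = [mA >= TRIP_MA for mA in (pt_a, pt_b) if loop_ok(mA)]
    if not healthy:                        # fault that cannot be handled: no trustworthy input left
        return {"XV-101_energised": False, "fault_alarm": True}
    # 1oo2 voting; a single detected loop fault is handled by degrading to 1oo1 and alarming
    return {"XV-101_energised": not any(healthy), "fault_alarm": len(healthy) < 2}


def fg_logic(fd_1, fd_2) -> dict:
    """Fire detection releasing the extinguisher; internal faults alarm, the system never shuts down."""
    readings = {"FD-1": fd_1, "FD-2": fd_2}
    faulted = [tag for tag, mA in readings.items() if not loop_ok(mA)]
    fire = any(loop_ok(mA) and mA >= FIRE_MA for mA in readings.values())
    return {"extinguisher_released": fire, "fault_alarm": bool(faulted), "system_available": True}


@dataclass
class FaultCase:
    name: str
    inject: dict       # input overrides applied to the healthy process state
    expected: dict     # outputs the cause-and-effect diagram pre-defines for this fault


# Constructed fault lists: most faults sit at the I/O and other interfaces of the PLC.
HEALTHY_ESD = {"pt_a": 12.0, "pt_b": 12.1, "plc_power_ok": True}
ESD_FAULTS = [
    FaultCase("PT-101A open circuit", {"pt_a": 0.0},
              {"XV-101_energised": True, "fault_alarm": True}),       # handled: degrade and alarm
    FaultCase("PT-101A open, PT-101B short circuit", {"pt_a": 0.0, "pt_b": 22.0},
              {"XV-101_energised": False, "fault_alarm": True}),      # unhandled: shut down
    FaultCase("PLC power failure", {"plc_power_ok": False},
              {"XV-101_energised": False}),
    FaultCase("high pressure on PT-101B only", {"pt_b": 19.0},
              {"XV-101_energised": False, "fault_alarm": False}),     # a demand, not a fault
]
HEALTHY_FG = {"fd_1": 8.0, "fd_2": 8.0}
FG_FAULTS = [
    FaultCase("FD-1 open circuit", {"fd_1": None},
              {"extinguisher_released": False, "fault_alarm": True, "system_available": True}),
    FaultCase("FD-1 open circuit and fire on FD-2", {"fd_1": None, "fd_2": 18.0},
              {"extinguisher_released": True, "fault_alarm": True, "system_available": True}),
]


def run_fault_simulation(logic, healthy: dict, cases) -> dict:
    """Apply each fault to the healthy state; report per case whether every output reached its pre-defined state."""
    report = {}
    for case in cases:
        outputs = logic(**{**healthy, **case.inject})
        report[case.name] = all(outputs.get(key) == value for key, value in case.expected.items())
    return report


if __name__ == "__main__":
    for title, logic, healthy, cases in (("ESD", esd_logic, HEALTHY_ESD, ESD_FAULTS),
                                         ("F&G", fg_logic, HEALTHY_FG, FG_FAULTS)):
        for name, ok in run_fault_simulation(logic, healthy, cases).items():
            print(f"{title}: {name}: {'PASS' if ok else 'FAIL'}")
```

The fault list is deliberately written as data: the commissioning engineer extends it with the failure modes of the installed I/O, and the acceptance engineer can check the expected states against the cause-and-effect diagram without reading the logic itself.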
Conclusion
Special attention must be paid to the commissioning of PLCs which are used in safety critical applications. In addition to electrical aspects, architectural features of a PLC also have to be considered. The items which have to be looked at are pointed out in the user documentation and in the chapter "restrictions" in the report of the type approval of the specific PLC.
References
VDI/VDE 2180 Sicherung von Anlagen der Verfahrenstechnik mit Mitteln der Meß-, Steuerungs- und Regeltechnik (Safeguarding of process plants by means of measurement and control technology).
Contact
TÜV Rheinland Product Service
Maintenance Override
Abstract
Suggestions are made about the use of maintenance override of safety relevant sensors and actuators. Ways are shown to overcome the safety problems and the inconvenience of hardwired solutions. A checklist is given.
Maintenance Override
There are basically two methods in use today to check safety relevant peripherals connected to PLCs:
Special switches connected to inputs of the PLC. These inputs are used to deactivate actuators and sensors under maintenance. The maintenance condition is handled as part of the application program of the PLC.
During maintenance, sensors and actuators are electrically disconnected from the PLC and checked manually by special measures.
In some cases, e.g. where space is limited, there is the wish to integrate the maintenance console into the operator display, or to have the maintenance covered by other strategies. This introduces the third alternative for maintenance override:
This possibility has to be handled with care and is introduced in this paper.
The connection to the PLC via serial interfaces is mainly possible in two ways:
A. The serial link is made via the MODBUS RTU protocol or other approved serial protocols. The maintenance override may not be performed by the engineering workstation or programming environment.
The following table shows the general requirements. The differences between solutions A and B are shown in italics.
Requirements (continued), with the responsible party in parentheses:
The PLC alerts the operator, e.g. via the DCS, indicating the override condition. The operator will be warned until the override is removed. (Project engineer, Commissioner)
A: The override is removed via the DCS. (Operator, Maintenance engineer)
B: The maintenance engineer removes the override via the programming environment. (Maintenance engineer)
A: There should be a second way to remove the maintenance override condition. (Project engineer)
B: If urgent, the maintenance engineer can remove the override by the hard-wired switch. (Maintenance engineer, Type approval)
During the time of override proper operational measures have to be implemented. The time span for overriding shall be limited to one shift (typically not longer than 8 hours), or hard-wired common maintenance override switch (MOS) lamps shall be provided on the operator console (one per PLC or per process unit). (Project engineer, Commissioner, DCS program, PLC program)
Recommendations
The following recommendations are given to improve the primary safety described in the list:
=> A program in the DCS that checks regularly that no discrepancies exist between the override command signals from the DCS and the "override activated" signals received by the DCS from the PLC.
=> The use of the maintenance override function should be documented on the DCS and on the programming environment if connected. The print-out should include:
time stamp of begin and end
ID of the person who is activating the maintenance override: maintenance engineer or operator (if the information cannot be printed, it should be entered in the work permit)
tag name of the signal being overridden
=> Communication packages other than a type-approved MODBUS should include a CRC, an address check and a check of the communication time frame.
=> Lost communication should lead to a warning to the operator and the maintenance engineer. After loss of communication, a time-delayed removal of the override should occur after a warning to the operator.
[Figure: PLC containing the safeguarding application program and the maintenance override handling (application program), connected to sensors and actuators; warning to the operator; hard-wired switch; Distributed Control System (DCS) and engineering workstation.]
Version history
This version 2.2 supersedes version 2.1 of 24 June 1994.
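The checklist and the recommendations above can be tried out on a model of the PLC-side override handling. The following Python code is an added example, not the paper's own and not a type-approved protocol: the DCS commands an override over a serial link; the PLC checks the telegram's CRC, address and arrival time, refuses anything from the engineering workstation or while the hard-wired MOS switch is off, limits an override to one shift, warns the operator while any override is active, logs begin, end, person ID and tag, reports DCS/PLC discrepancies, and removes the override with a delay after communication is lost. The telegram layout, tag numbers and timing constants are assumptions of the example.

```python
"""Maintenance override from the DCS over a serial link (solution A), modelled in Python.

Added example, not part of the TÜV Rheinland paper. Telegrams are accepted
only from the DCS (never the engineering workstation) after CRC, address and
time-frame checks; the hard-wired MOS switch is the interlock; an override is
limited to one shift; the operator is warned while an override is active;
begin, end, person ID and tag are logged; DCS/PLC discrepancies are reported;
and the override is removed with a delay after communication is lost. The
telegram layout, tag numbers and timing constants are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

SET, CLEAR = 0x01, 0x00
SHIFT_S = 8 * 3600          # assumed: one shift
COMMS_TIMEOUT_S = 30.0      # assumed: the DCS must send a valid telegram at least every 30 s
REMOVAL_DELAY_S = 60.0      # assumed: override dropped 60 s after the comms-loss warning


def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by MODBUS RTU (reflected polynomial 0xA001, initial value 0xFFFF)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(addr: int, cmd: int, tag_no: int, person_id: int) -> bytes:
    """Assumed telegram: addr | cmd | tag_no | person_id (2 bytes) | CRC low | CRC high."""
    body = bytes([addr, cmd, tag_no]) + person_id.to_bytes(2, "big")
    return body + crc16_modbus(body).to_bytes(2, "little")


@dataclass
class OverrideHandler:
    plc_address: int
    tags: dict                                   # tag_no -> tag name of the safety-relevant signal
    mos_switch_on: bool = False                  # hard-wired maintenance override switch
    active: dict = field(default_factory=dict)   # tag name -> (begin time, person ID)
    log: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    last_telegram_at: Optional[float] = None
    comms_warned_at: Optional[float] = None

    def receive(self, frame: bytes, source: str, now: float) -> bool:
        """Check and execute one override telegram; returns True if it was acted on."""
        if source != "DCS":                      # overrides may not come from the programming environment
            self.warnings.append((now, f"override telegram from {source} rejected"))
            return False
        if len(frame) != 7 or crc16_modbus(frame[:5]) != int.from_bytes(frame[5:], "little"):
            self.warnings.append((now, "CRC error on override telegram"))
            return False
        if frame[0] != self.plc_address:
            return False                         # address check: telegram is for another PLC
        self.last_telegram_at, self.comms_warned_at = now, None   # time-frame check restarts
        cmd, tag_no, person = frame[1], frame[2], int.from_bytes(frame[3:5], "big")
        if tag_no not in self.tags:
            return False
        tag = self.tags[tag_no]
        return self.set_override(tag, person, now) if cmd == SET else self.clear_override(tag, now, "DCS")

    def set_override(self, tag: str, person: int, now: float) -> bool:
        if not self.mos_switch_on:
            self.warnings.append((now, f"override of {tag} refused: MOS switch off"))
            return False
        if tag not in self.active:
            self.active[tag] = (now, person)
            self.log.append({"tag": tag, "person": person, "begin": now, "end": None})
        return True

    def clear_override(self, tag: str, now: float, by: str) -> bool:
        if tag not in self.active:
            return False
        del self.active[tag]
        for entry in reversed(self.log):         # close the open log entry for this tag
            if entry["tag"] == tag and entry["end"] is None:
                entry["end"], entry["removed_by"] = now, by
                break
        return True

    def tick(self, now: float) -> bool:
        """Cyclic check; returns True while the operator must be warned (an override is active)."""
        if not self.mos_switch_on:               # second, hard-wired way to remove the override
            for tag in list(self.active):
                self.clear_override(tag, now, "MOS switch")
        for tag, (begin, _) in list(self.active.items()):
            if now - begin > SHIFT_S:
                self.clear_override(tag, now, "shift limit")
        if self.active and self.last_telegram_at is not None and now - self.last_telegram_at > COMMS_TIMEOUT_S:
            if self.comms_warned_at is None:
                self.comms_warned_at = now
                self.warnings.append((now, "communication with DCS lost"))
            elif now - self.comms_warned_at >= REMOVAL_DELAY_S:
                for tag in list(self.active):
                    self.clear_override(tag, now, "communication loss")
        return bool(self.active)

    def discrepancy(self, dcs_commanded: set) -> set:
        # tags where the DCS override command and the PLC "override active" feedback disagree
        return set(dcs_commanded) ^ set(self.active)
```

The time-frame check uses the override telegram itself as the heartbeat; in a real link the protocol's cyclic polling would serve, and the MOS switch would be a physical input rather than a field. The log entries carry exactly the items the recommendations ask to be printed: begin, end, person ID and tag.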
FACTORY MUTUAL RELIABILITY CERTIFICATION
Paris Stavrianidis
Manager, Reliability Certification Services
FM Approvals Division
1151 Boston-Providence Turnpike
Norwood, MA 02062
Tel: (617) 255-4983 FAX: (617) 255-4024
email: PARASKEVAS@AOL.COM
Improving management of technological risk: reliability certification of safety systems
by
P. Stavrianidis MSc
Factory Mutual Research Corp.
P. Stavrianidis MSc
Function:
Manager Reliability Certification Services, Factory Mutual Research Corp.
Experience:
Mr. Paraskevas Stavrianidis is a Senior Research Scientist with Factory Mutual Research Corporation (Norwood, MA). He received his B.S. and M.S. in Mechanical Engineering from Northeastern University in 1980.
Organisations:
• Voting member of the ISA-SP84 working group writing a national US Safety Instrumented Systems standard
• Member of the American Society of Mechanical Engineers
IMPROVING MANAGEMENT OF TECHNOLOGICAL RISK:
RELIABILITY CERTIFICATION OF SAFETY SYSTEMS
Paris Stavrianidis
Senior Research Scientist
Manager, Reliability Certification Services
Factory Mutual Research Corporation
Norwood , Massachusetts
and
Eindhoven University of Technology
The Netherlands
John Rennie
Vice President & Manager
Approvals Division
Factory Mutual Research Corporation
Norwood, Massachusetts
ABSTRACT
This paper discusses a Process Safety Compliance Framework (PSCF) used to evaluate process
risk consistently and systematically. The PSCF assesses the compliance of the process to existing
standards and provides opportunities to improve the management of technological risk. An
essential element of the PSCF is a Reliability Certification Program. The certification program
assesses the reliability of safety products and systems employed within the PSCF to reduce
process risk to manageable levels.
The Process Safety Compliance Framework relies on a Comprehensive Process Safety Assessment and Lifecycle Model (CPSALM), which identifies the process safety target level, or alternatively the
process risk profile. The model evaluates the safety level attributed to existing safety systems (safety
layer) and assesses the effectiveness of process improvements that are required to meet or exceed the
process safety target level. This target is determined by examining the compliance of the process to
industry, jurisdictional and company specific standards.
The CPSALM is applied to several systems performing the same function and using different
technologies. The performance of these systems is compared using reliability as the selection criteria.
The appropriate system is then introduced into the PSCF to assess the process risk.
INTRODUCTION
During the last decade, a great emphasis has been placed on the improved management of
technological risks in the United States. Improvement has occurred in many business
environments (chemical, manufacturing, utilities, commercial, and transportation) using safety
guidelines from professional societies, industry sponsored organizations, trade associations,
government agencies that have jurisdiction, international associations, and the insurance industry
(ISA96; IEC96; API95; OSHA92; EPA95). The primary focus of these guidelines, rules, or
standards is to define an overall dynamic framework that allows the systematic identification and
evaluation of risks and the development of risk reduction methodologies based on sound
engineering principles. The basic concepts of this framework are a process approach addressing
risk for the entire life cycle of the process, and performance based criteria that set a safety target
level (in the form of a process risk profile) which can be used to evaluate the benefits of
alternative risk management solutions.
A safety life cycle model (ISA96; CCPS93) is comprised of the significant process evolutionary stages
(i.e., design, testing, installation, start-up, operation, maintenance and final decommissioning). The
objective of the model is to improve the management of technological risk by investigating some
important reliability considerations that appear throughout the entire life of the process and/or system.
This provides opportunities for: a) pro-active decision-making on significant process parameters (i.e.,
environment, operating conditions, testing, maintenance, etc.); and b) monitoring system/process
enhancements using accepted industry metrics such as availability, risk of environmental damage,
property loss, and health impairment of personnel.
Acceptable levels of risk have traditionally been addressed through the development and enforcement
of prescriptive standards which offer little or no flexibility in realizing compliance. An alternative
approach, gaining acceptability in some industries, is the creation of performance based standards using
system or process performance based requirements. These standards stress the compliance with the
objective rather than the prescriptive measures to achieve the objective. They are more flexible, allow
for the development, testing and implementation of alternative solutions, and can be used to
systematically define a system/process safety target level.
Some industries (chemical, nuclear, utilities) have cooperated mutually and with government agencies
to develop and implement various techniques and methodologies using the concepts of the
comprehensive process safety assessment and lifecycle and performance based standards (CCPS93).
These techniques provide management with guidelines to define a process safety target level based on
hazard identification, inherent safety principles, prudent engineering practice, qualitative evaluations
and quantitative analyses of risk. The use of these techniques represents the forward thinking of the
leading practitioners in this field.
The objective of this paper is to briefly discuss a methodology that applies existing risk assessment
techniques to industrial processes and provides opportunities for improving the management of
technological risk using a new Process Safety Compliance Framework (PSCF). Within this framework,
the need for a Reliability Certification Program is discussed and its benefits and advantages are
outlined.
PROCESS SAFETY COMPLIANCE FRAMEWORK (PSCF)
The Process Safety Compliance Framework (PSCF) is shown in Figure 1. It consists of three stages: a)
the identification and application of standards; b) the determination of the desired process safety level
(safety target level); and c) the application of a comprehensive process safety assessment and lifecycle
model that identifies the current safety level of the process, assesses the compliance of the process to
the standards, and provides information for further process improvements and risk management.
At the end of the PSCF, the process may be modified or abandoned. If it is modified, a new safety
target level may be needed, or the new process safety has to be re-assessed. The proposed framework
follows a "process approach". The ramification of this statement is a need to define and formalize the
process and its boundaries. This requires extensive knowledge of the process itself, a definition of its
physical and functional boundaries, and the collection and comprehension of operational and safety
experience with the process. Technological risk is managed successfully only when the focus of the
analysis is the process. In other words, the analysis must concentrate on all process elements, their
interactions, and on the ways they contribute to its success (standards compliance, achievement of
safety target level, etc.).
The remainder of this paper discusses the three stages of the PSCF, namely the role of standards in establishing the process safety target level, the evaluation of existing process risk, and the contribution to process risk reduction by an established safety system reliability certification program.
Information and data from professional societies, industry sponsored organizations, trade associations,
government agencies that have jurisdiction, international associations, specific companies, and the
insurance industry are used to develop safety standards. All of these sources are employed to develop
two types of standards:
• prescriptive standards
• performance standards
Figure 1. Process Safety Compliance Framework (figure not reproduced; the decision blocks MODIFY PROCESS and ABANDON PROCESS are legible)
Prescriptive safety standards are traditionally developed on the basis of acceptable engineering
principles and practices. They are founded on past process history of undesired events and time tested
safety solutions. They constitute the current level of our knowledge and concentrate on prescribing
specific safety solutions to predefined deviations from normal operating conditions. Therefore, they are
general solutions to a set of abnormal conditions that are limited by past experience and available data.
Precisely for these reasons, they often do not propose the optimal solution to specific safety concerns.
Rather, they present a prescription to a general set of safety concerns, and attempt to deal with specific
problems utilizing safety factors.
Recognizing the limitations of prescriptive standards, some industries have begun focusing on the development of performance based standards (ASME93; IEC96; ISA96; API95). The goals of this approach are to improve the management of technological risk by setting process specific performance based safety targets (such as process safety level or process risk level), and to identify, evaluate and certify the reliability of safety products and systems that can be used to achieve the safety target level. This innovative approach is characterized by: a) the detailed examination of a specific process; b) the specification of safety solutions that account for the intricacies of the process; and c) the evaluation and certification of safety systems based on objective performance criteria, such as system reliability.
The success of this approach does not depend on compliance to the minimum requirements of a
prescriptive standard. It requires a culture change that relies on a continuous and long term
commitment to understanding, evaluating and improving the process. This is achieved through the
process safety compliance framework and performance based criteria. The process safety target level
may be established using any of the following tools:
• Prescriptive standard(s) can be employed in accordance with the comprehensive process safety assessment and lifecycle model, discussed in the following section, to obtain a baseline assessment of the process risk profile. This baseline is achieved when the process is in full compliance to the prescriptive standard(s).
• Performance based standard(s) that define a process safety target, or other performance criteria
such as process risk, without prescribing techniques or time tested solutions to achieve these
targets.
• Company specific standards and guidelines can be used to establish the process safety target or the
level of tolerable process risk.
The need for additional protection of the process can now be examined. This can be accomplished by comparing the process risk profile obtained from the QRA analysis to the predefined safety target level or target risk profile. If the comparison shows that the desired safety target level has not been attained, then the process must be modified by either improving the reliability of existing safety systems or by incorporating a new safety system. Any modification will ultimately change the risk associated with the process. The degree and direction of change determines if the modifications are acceptable (i.e., if they have achieved or exceeded the process safety target).
Figure 2 (figure not reproduced; legible labels: External Risk Reduction Facilities, Other Technology, Realization)
Figure 3. Select a Safety System
The reliability of many safety systems is difficult to ascertain through classical techniques
(experience or statistics). These systems have not been in use for a sufficiently long time and in
large enough numbers. Therefore, a statistically significant population is not available to evaluate
their performance solely based on actuarial data. Advances in technology are made at such a pace
that a system may become obsolete by the time sufficient statistical information is available.
Performance data are specific for the system under investigation and may not apply to other
similar systems. With these limitations, a systematic evaluation of the performance of a system
may be obtained through the use of reliability prediction techniques.
Reliability analysis employs systematic methodologies that decompose a complex system to its
basic components. These components may be used in other systems and therefore, sufficient
performance data may be available. The performance and interactions of these basic components
are merged into reliability models to predict the overall system reliability (CCPS93; GOB92;
STA93). The procedure to evaluate the reliability of a safety system should be systematic, follow established techniques and be supported by good engineering practices. The outcome, the safety system reliability, must be objective, repeatable and certifiable by an independent third party (IEC96).
RELIABILITY CERTIFICATION PROGRAM
The performance of a safety system is typically established by three parameters (ISA96a; STA92; STA93):
• Reliability of the system is the probability that the system will perform its intended functions
under specific conditions within a time interval.
• The probability that the system will fail to respond to a process demand.
• The probability that the system will create a nuisance trip, i.e., the system operates without a
process demand.
Factory Mutual's Reliability Certification Program can objectively and systematically evaluate and certify these performance parameters. The program consists of two main functions: a) Safety Product Reliability Certification; and b) Safety System Reliability Certification.
• component data (generic, military handbook, manufacturer's, field, data merging techniques)
• hardware modeling
• diagnostic coverage
• common cause modeling (modeling, avoidance techniques, collection, screening and use of data)
• functional failures (design errors, etc.)
• software reliability (software development process and firmware examination/testing)
• inspection and proof-testing interval
• standard compliance and adherence to accepted engineering practice
• functional testing (component, product, functions)
• opportunities for improvement of product
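An added worked example, not part of the paper and not Factory Mutual's program: the items of the list above (component failure rates, diagnostic coverage, common cause, the inspection and proof-testing interval) turned into the figures a product certification reports, namely the probability of failing to respond to a demand, the nuisance-trip rate, and the SIL band that follows. It uses the simplified low-demand formulas of IEC 61508-6 for single (1oo1) and redundant (1oo2) channels and the IEC 61508 PFDavg bands for SIL 1 to 4; the 1996 draft cited as IEC96 is not reproduced on this page, so treat those formulas and bands as this example's assumption. Every failure rate, the repair time, the beta factor and the inspection intervals are constructed values.

```python
"""Safety-system performance figures from component data (added example).

Simplified low-demand formulas of IEC 61508-6 (assumed; not from the paper).
All rates and intervals below are constructed.
"""
import math

# Low-demand SIL bands for the average probability of failure on demand.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def split_dangerous_rate(lambda_d, diagnostic_coverage):
    """Split a dangerous failure rate (per hour) into the part the built-in
    diagnostics reveal (lambda_DD) and the part only a proof test finds
    (lambda_DU), using the diagnostic coverage fraction."""
    lambda_dd = lambda_d * diagnostic_coverage
    return lambda_dd, lambda_d - lambda_dd


def pfd_avg_1oo1(lambda_du, proof_test_interval_h, lambda_dd=0.0, mttr_h=8.0):
    """Average PFD of a single channel (1oo1) over one proof-test interval T.

    An undetected dangerous fault stays hidden until the next proof test, so
    PFD(t) = 1 - exp(-lambda_DU * t); the first term is its exact mean over
    [0, T].  A detected dangerous fault is only present while it is being
    repaired, which adds lambda_DD * MTTR.
    """
    x = lambda_du * proof_test_interval_h
    hidden = 1.0 - (1.0 - math.exp(-x)) / x if x > 0.0 else 0.0
    return hidden + lambda_dd * mttr_h


def pfd_avg_1oo2(lambda_du, proof_test_interval_h, beta):
    """Average PFD of a redundant 1oo2 pair with beta-factor common cause.

    Simplified IEC 61508-6 form with lambda_DD and repair ignored:
      ((1 - beta) * lambda_DU * T)^2 / 3   independent double failure
      + beta * lambda_DU * T / 2            common-cause failure of both
    The common-cause term usually dominates: redundancy without diversity
    buys little once beta is a few percent.
    """
    independent = ((1.0 - beta) * lambda_du * proof_test_interval_h) ** 2 / 3.0
    common_cause = beta * lambda_du * proof_test_interval_h / 2.0
    return independent + common_cause


def sil_for_pfd(pfd_avg):
    """Map PFDavg onto the low-demand SIL band it falls in (0 if none)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0


def spurious_trips_per_year(lambda_s):
    """Nuisance-trip figure: safe (spurious) failures per hour as trips per year."""
    return lambda_s * 8760.0


def pfd_vs_inspection_interval(lambda_du, months):
    """The shape of figure 5: PFDavg against time between inspections."""
    return [(m, pfd_avg_1oo1(lambda_du, m * 730.0)) for m in months]


if __name__ == "__main__":
    # Constructed component data for one hypothetical final-element channel.
    lambda_d, coverage, lambda_s = 2.0e-6, 0.90, 5.0e-6   # per hour
    lambda_dd, lambda_du = split_dangerous_rate(lambda_d, coverage)
    for months in (3, 6, 12):
        t = months * 730.0
        single = pfd_avg_1oo1(lambda_du, t, lambda_dd)
        pair = pfd_avg_1oo2(lambda_du, t, beta=0.10)
        print(f"T={months:2d} mo  1oo1 PFD={single:.2e} SIL{sil_for_pfd(single)}"
              f"  1oo2 PFD={pair:.2e} SIL{sil_for_pfd(pair)}")
    print(f"nuisance trips per year = {spurious_trips_per_year(lambda_s):.3f}")
```

The curve returned by `pfd_vs_inspection_interval` rises with the interval, which is the behaviour figure 5 plots: a certified product's PFD is only meaningful together with the proof-test interval the site actually keeps, which is why the system certification below folds in plant-specific inspection and imperfect testing.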
SAFETY SYSTEM RELIABILITY CERTIFICATION
The second major function, the Safety System Reliability Certification, is the site specific reliability
evaluation and certification of a safety system (Safety Related System) that incorporates the safety
product with a specific arrangement of sensors and final elements. The section of the comprehensive
process safety assessment and lifecycle model that addresses specifically the certification of the safety
system is shown in Figure 4. The analysis focuses rigorously on the safety system and incorporates site
specific conditions that may impact its performance, such as applicable plant specific inspection,
imperfect testing and repair/replacement policies and other organizational issues (e.g., training of personnel, operating, emergency and testing procedures, etc.) that define the existing, site specific, organizational safety culture. It focuses on the electrical/electronic/programmable electronic (E/E/PE) safety system and the associated safety functions. It does not assess the effect of other safety systems on the process safety target.
The benefits of such a program to the users are:
• users can make informed decisions when choosing a product for a specific application.
• users can have their system certified against national and international standards (ISA96; IEC96).
• users will have a certified product installed and therefore achieve a recognized level of process safety (IEC96; ISA96).
• users will have the potential for improved operations and profitability by:
  o fewer losses
  o fewer process interruptions and therefore fewer start-ups and shut-downs
  o higher process utilization and productivity
The benefits of such a program to the manufacturers (OEMs) of the safety products are:
• OEMs will identify specific and practical opportunities to improve the performance of their
product.
• OEMs will have a competitive advantage through documented and demonstrated product
quality and reliability
• OEMs will/can increase their market because of user reliance on certified products.
If the new process and its associated risk are below the process safety target level, then the new safety system has met its safety specifications and is in compliance with the standard(s). If, however, the new process risk is not acceptable, then additional areas of the process safety compliance framework and comprehensive lifecycle model must be examined to determine their potential contribution to further risk reduction. An iterative procedure is then followed until the process safety target level is achieved.
EXAMPLE APPLICATIONS
There are two significant benefits that result from the application of the aforementioned methodology.
The first benefit, a direct result of the Process Safety Compliance Framework, is the detailed
examination of the process, the identification of process hazards, the establishment of a process safety
target level and the assessment of the process risk profile. The second significant benefit is the reliability
certification program which can assist users to make informed decisions as to which safety system to
use for a specific process in order to meet the safety target level.
In recent years, some of these safety needs in the industry are being met by the use of sophisticated
electronic gauging systems (EGS). These solid state systems allow users to quickly identify and repair
failed components or systems and to implement more extensive control or safety logic. Several
systems, including a single programmable electronic system (PES), that can perform this function were
examined and were evaluated using the reliability certification methodology. The probability that a system will fail to respond to a process demand (low water level conditions in the steam drum) is presented in Figure 5 (KAR87; STA92; ISA96a).
From the results in Figure 5, the electronic gauging has a lower probability to fail to respond to a
process demand (low water level conditions in the boiler drum). This example demonstrates the
benefits of this approach. It allows for the objective selection among several systems, of different
technologies, using reliability as the basis of comparison. The selected system can be incorporated into
the process safety layers. The comprehensive process safety assessment and lifecycle model can be
used to evaluate the new process risk profile and determine if the safety target level has been achieved.
A new safety system, a Programmable Electronic System (PES) with Safety Integrity Level (SIL) 2 (IEC96), was used to further reduce the process risk to manageable levels. The dotted line in Figure 6 represents the new process risk profile, reduced strictly by the application of the new safety system.
CONCLUSIONS
A Process Safety Compliance Framework is proposed that permits the consistent and systematic evaluation of process risk, provides opportunities for improving the management of technological risk and assesses the compliance of the process to a safety target defined by standards. The PSCF relies on a Comprehensive Process Safety Lifecycle Model which is applied from the design phase through the installation, start-up, operation and decommissioning of the process. The model is used to define a baseline process safety target level by examining the protection scheme consistent with the appropriate standards. It then compares the certified reliability of alternative safety systems and provides information for objective and prudent risk management decisions.
The methodology was exercised on a specific process that complied with existing prescriptive standards. The process risk profile was evaluated. An alternative protection scheme was examined, using a PES with a certified reliability for SIL 2, and the risk profile was determined.
The reliability certification program was also used to evaluate the reliability of several low water fuel cut-off systems of different technologies, clearly identifying the more reliable system available to respond to a process demand.
Figure 5. Comparison of Safety Systems based on Reliability (figure not reproduced; vertical axis: probability of failure to respond to a process demand, logarithmic from 1.E-04 to 1.E+00; horizontal axis: Time Between Inspections (months), 0 to 15; series: LWFC, EGS, Single PES)
Figure 6 (figure not reproduced; log-log risk profile, vertical axis from 1.0E-10 to 1.0E+00, horizontal axis from 1.0E+01 to 1.0E+06; the dotted curve is labelled "Process With Proposed PES")
REFERENCES
API95 - "API Recommended Practice 752: Management of Hazards Associated With Location of Process Plant Buildings", American Petroleum Institute, Washington, DC, 1995.
ASME92 - "ASME Boiler and Pressure Vessel Code", American Society of Mechanical Engineers, 1992.
ASME93 - "ASME Risk Based Inspection Guidelines, Volume 3: Fossil Fuel Fired Electric Generating Stations Applications", American Society of Mechanical Engineers, New York, NY, 1993.
CCPS93 - "Guidelines for Safe Automation of Chemical Processes", Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY, 1993.
EPA95 - "EPA 40 CFR Part 68; Risk Management Programs for Chemical Accidental Release Prevention; Proposed Rule", Environmental Protection Agency, Washington, DC, 1995.
GOB92 - Goble, W.M., "Evaluating Control Systems Reliability", Instrument Society of America, 1992.
ISA96 - "ISA dS84.01: Application of Safety Instrumented Systems for the Process Industry", Instrument Society of America Draft Standard, SP84, 1996.
ISA96a - "Programmable Electronic Systems used for Safety Applications; Technical Draft Report 4", Instrument Society of America, SP84, 1996.
KAR87 - Karydas, D.M., "Probabilistic Analysis for Low Water Level Conditions in Boilers", Factory Mutual Research Corporation, J.I. ON1E3.RU, Norwood, MA, 1987.
OSHA92 - "OSHA 29 CFR Part 1910; Process Safety Management of Highly Hazardous Chemicals; Explosives and Blasting Agents; Final Rule", Occupational Safety and Health Administration, Washington, DC, 1992.
SIU94 - Siu, N., "Risk Assessment for Dynamic Systems: An Overview", Reliability Engineering and System Safety, Volume 43, 1994.
STA93 - Stavrianidis, P.A. and Karydas, D.M., "Methodology to Evaluate the Reliability of a Safety System", SERAD Volume 1, Safety Engineering and Risk Analysis Division, ASME, 1993.
STA93 - Stavrianidis, P.A., Karydas, D.M. and Richards, P., "Reliability Analysis of an Electronic Gauging System Used for Safety in Power Boilers", IASTED International Conference, Boston, MA, 1993.
Ing. R.J. Tiezema
Function:
GTI Industrial Automation BV, Germany Business Development
Experience:
With over 30 years experience in the development and application of both Onshore and Offshore Safety Systems Worldwide, Rein Tiezema, a Safety Systems Manager with GTI Industrial Automation bv Apeldoorn in Holland, is currently working at GTI, Germany Business Development. By always being at the forefront of safety innovation, Rein Tiezema's knowledge on this subject has led to him giving countless safety presentations throughout Europe. Back in the 60's, he developed and successfully patented "Inherently Fail Safety Magnetic Logic", now known as "MagLog".
Organisations:
• Member of the NVvB (Dutch association of reliability engineers)
• Member of Instrumented Safety Assessment
Eliminating the unexpected, Part 4
Moving forward and same time
Section 1: Introduction
The improvement of the efficiency and quality of industrial processes and the need for more "flexibility" during engineering, as well as during operation, have introduced PLC's as safety devices into the industry. Today, most safety-PLC's employ µ-processor technology and software. Most designers of the current safety-PLC's have recognised the limitations of the computer. Therefore they have tried to overcome this by introducing hardware redundancy and additional software for self-diagnostics. Very often the result is rather complicated, whereas the uncertainty in the reliability of software remains. [Littlewood 92]
The Dedicated Safety Processor (DSP) however has been designed towards the objective of a safety-PLC with an eminent and verifiable safety level. [Brombacher 92] The robust safety achievement originates from its internal architecture and inherent self-test hardware. Also the elimination of all system software is a unique property of the programmable system using the DSP.
Regarding the main design requirements, it obviously appeared that failures in the logic should instantaneously be detected to enable the outputs to function safely.
Here, the first point of focus is the PLC-input. Current input-circuitry requires a latch function to convert the parallel data into serial data. Since PLC's operate sequentially, a latch stuck at one (or zero) must not be allowed to pass undetected.
The second point of focus is the correct decoding of the instruction- and address codes. Faulty decoding of input "X" instead of input "Y", with both inputs in the same state, will stay undetected until input "X" changes. Also incorrectly decoded instructions can only be detected at the change of an input value.
Both problems can be solved by dynamic logic processing and diverse data handling to eliminate these undetected failures: two unique features of the DSP.
This paper is not intended to explain all the technical details of the DSP. However, it presents the considerations and principles of the DSP as part of a safety-PLC. It shows the use of state-machines to avoid the need of operating software, the principle of dynamic failure detection with time-windows, and a justified method to produce a quantitative reliability assessment.
Section 2: Concept Considerations
The DSP however has been designed to eliminate this unsafe behaviour with unique fault detection (hardware) to locate both (internal) processor faults and (external) code memory faults.
As a result the DSP checks for the following possible failure modes in this manner:
• selection of the correct input upon input fetching, to avoid address mismatch,
• selection of the correct output upon output setting, to avoid address mismatch,
• selection of the correct instruction upon its fetching, to avoid address mismatch or incorrect decoding,
• stuck-at failures on input latches, internal registers or logic operator gates (AND, OR etc.).
Further, the final design has a transparent structure to assure a high reliability confidence factor. [Tiezema 95]
Section 3: The State-Machine
This property of the state-machine is used for the required dynamic fault detection of the DSP-processor:
Any steady state will arrest the DSP's processing!
The examples above are very simplified indeed. In practice the use of state-machines with multiple states and cross-coupled conditions is required. These machines are indicated as Cross-Coupled-State-machines: CCSM's.
Each basic building block inside the DSP is implemented via one or more CCSM's. Every CCSM is continuously in motion, jumping between states according to a limited number of possible sequences, dependent on the actual task in execution. Subtle time synchronisation between the building blocks (time windows) is used to mould the separate building blocks into an integrated functional unit. Timing also takes care to merge operation and test for every processing step. Interfaces between basic building blocks are realised via events and conditions that force the CCSM to stay in motion and at the same time serve to convey calculation results between them. Upon any failure in any part of the processor, the timing relations necessary to synchronise the generation of events and conditions (and their effect 'downstream') get disturbed, resulting in a full stop.
Regarding this section it will be clear that the use of CCSM's is an excellent method to detect stuck-at-one and stuck-at-zero failures in electronic circuitry.
The CCSM principle is also of great importance to realise dynamic fault detection of the logic handling. The next section describes this foremost part of a safety-PLC.
Section 4: Logic handling
Looking back to the PLC principle in figure 1, a reliable failure detection of the "switches" is the main objective in developing a safety-PLC. Especially the "logic switches" (L: Load, A: And, O: Or, S: Set and N: Inversion) should be designed with the utmost care to protect the PLC against "stuck-at" failures.
Regarding the basic safety design problems with inversions, the DSP design is based on a concept where the "N-switch" has been eliminated. So, the DSP uses the LAOS (Load, And, Or, Set) functions only. This does not mean that inversion functions are not handled by the DSP; it simply means that the method used to process inversions in a safe way has been changed. Inversions are executed by means of the so-called "time-window" method.
To explain what this method implies, a review of the CCSM of figure 3 is needed. Here, as said previously, the observer watches a person moving in a defined way, depending on the weather and time conditions. In particular the time condition becomes most interesting. Up to now it was assumed that the observation took place locally. Now, suppose the observer goes on a journey to the opposite side of our globe, watching the scene again. However, in this situation there will be a time shift of twelve hours! The time shift causes a "mirrored" view. The person is still moving, but obviously displaying a totally different behaviour.
In other words, watching something through a different time-window offers a new perspective.
Fig. 6: The 4-state-machine (figure not reproduced)
Returning to the DSP inversion- and logic functions, these can be represented by a 4-state-CCSM as shown in figure 6.
For example, using the 4-state-machine to test an AND-gate, the output of the AND-gate can be either in the 1-state or in the 0-state depending on the (logic) conditions. Transitions from 1 to 0 will take place only when ("stuck-at") errors are not detected. Of course, referring to the previous section: any steady state will arrest the DSP's processing!
In practice the situation is more complicated. The states given in figure 6 are not "processed" by the DSP directly. The DSP needs the time-window principle to decide which state, either the "1" or the "0", should be used to execute the program.
In a healthy situation, the 4-state-CCSM steps with a frequency defined by the clock. A second CCSM, stepping with a 4 times lower frequency, samples the 1-state or the 0-state. Which one is sampled depends on the time-window. The time-window itself consists of a third CCSM that is able to shift the phase of the sample signal.
This means that the DSP is free to process either the logic-1 or the inverted value (the logic-0), depending of course on the program requirements.
Fig. 7: clock and sample pulses (figure not reproduced)
The example in figure 7 explains what happens. Starting in the 1-state, clock-pulse 1 moves the machine into the "no-error"-state, pulse 2 causes the 0-state, pulse 3 the "no-error"-state and pulse 4 moves the machine back into the 1-state. Pulses 5 to 8 will cause the same cycle.
In this example the sample-pulses will generate logic-1's only.
Then the time-window machine (TW) causes a phase shift of two clock-pulses. Following the same procedure as for clock-pulses 0 to 12, only logic-0's will be generated, starting with pulse 18.
Summarising the above, inverted input values, inverted AND's (NAND's) and inverted OR's (NOR's) are executed in a safe and simple way using the 4-CCSM architecture.
However, the capability of the DSP handling logic inversions by means of this
configuration was not the only objective that has been achieved. Inversions are also used
to test the logic functions.
The method used to test these functions concerns the "LAOS-LOAS" logic execution
procedure.
The next section provides more information about this subject and explains how it is
achieved.
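An added simulation of the three cooperating machines just described; it is not the DSP's circuitry and not from the paper. A 4-state CCSM steps once per clock pulse through 1, no-error, 0, no-error; a sampler CCSM steps four times slower; a time-window machine delays the sample phase by two clock pulses, after which the sampler lands on the 0-state instead of the 1-state. A clean run reproduces the figure 7 walk-through (logic-1 sampled at pulses 0, 4, 8, 12 and logic-0 from pulse 18 on). A stuck-at fault is modelled by freezing the machine, and the sampler halts as soon as some clock pulse since its last sample produced no transition, or when a sample lands on a no-error state; both checks are this example's own rendering of "any steady state will arrest the DSP's processing", not a description of the real event and condition timing.

```python
"""A 4-state CCSM, its sampler and a time-window machine (added example).

Hypothetical model of the three machines of Section 4; not the DSP's logic.
"""


class DSPHalt(Exception):
    """The DSP stops processing: a CCSM was caught in a steady state."""

    def __init__(self, pulse, reason):
        super().__init__(f"pulse {pulse}: {reason}")
        self.pulse = pulse


# Cycle of the 4-state machine of figure 6; one step per clock pulse.
STATES = ("1", "no-error", "0", "no-error")


def run_four_state_ccsm(n_pulses, sample_period=4, shift_after=None, shift=2,
                        stuck_from=None):
    """Clock the machine through pulses 0..n_pulses and sample it.

    sample_period: the sampler CCSM steps this many times slower than the clock.
    shift_after:   sample pulse after which the time-window CCSM delays the
                   next sample by 'shift' clock pulses, so that the sampler
                   lands on the other logic state (the inversion).
    stuck_from:    first pulse at which a stuck-at fault freezes the machine.
    Returns [(pulse, sampled value), ...].  Raises DSPHalt when the sampler
    sees that a clock pulse since the last sample produced no transition, or
    when the sample falls on a "no-error" state instead of a logic value.
    """
    idx = 0                  # start in the 1-state
    next_sample = 0
    last_sample = 0
    transitions = 0          # state changes seen since the last sample
    samples = []
    for pulse in range(n_pulses + 1):
        if pulse > 0 and (stuck_from is None or pulse < stuck_from):
            idx = (idx + 1) % len(STATES)      # healthy: one step per pulse
            transitions += 1
        if pulse != next_sample:
            continue
        # The sampler only keeps running if every pulse moved the machine.
        if transitions != pulse - last_sample:
            raise DSPHalt(pulse, "steady state detected")
        value = STATES[idx]
        if value == "no-error":
            raise DSPHalt(pulse, "sample did not land on a logic value")
        samples.append((pulse, value))
        last_sample, transitions = pulse, 0
        next_sample += sample_period
        if shift_after is not None and pulse == shift_after:
            next_sample += shift               # time-window phase shift
    return samples


def outcome(**kwargs):
    """The sampled values of a clean run, or the pulse at which the DSP halted."""
    try:
        return run_four_state_ccsm(**kwargs)
    except DSPHalt as halt:
        return halt.pulse


if __name__ == "__main__":
    print("healthy, window shifted after pulse 12:",
          outcome(n_pulses=26, shift_after=12))
    print("machine frozen from pulse 7, halted at pulse:",
          outcome(n_pulses=24, stuck_from=7))
    print("window shifted by one pulse, halted at pulse:",
          outcome(n_pulses=26, shift_after=12, shift=1))
```

A shift of one pulse instead of two puts the sample on a no-error state, and the model halts there as well: the time window can only select a logic value, never an intermediate state, which is what makes the inversion safe rather than merely convenient.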
Section 5: The LAOS-LOAS logic execution
The previous section made mention of the DSP being a hardware device only. Hundreds of logic gates are used in the DSP. Figure 8 shows a small part of these gates. The
Figure 8 (figure not reproduced; legible labels: A, B, G)
The DO- and WITH-instructions are directly coupled to the 4-CCSM to select either the logic-1 or the logic-0 of the related functions as described in the previous section. So, the result is a safe execution. But what about the remaining executions for OR, AND, SET?
The answer is already there for the taking: loading the DSP with the program of figure 8 (the LAOS-code) or figure 9 (the LOAS-code) will result in the same conclusion.
Fig. 11: LAOS code
DO A
WITH B
AND -> IR C
DO IR C
WITH B
OR -> IR E
DO IR C
WITH D
AND -> IR F
DO IR E
WITH IR F
OR -> IR G
SET G
Loading the LOAS-code (figure 12) proceeds as follows:
- Select the reversed input signals (A, B, D)
- Change all OR's into AND's and vice-versa (CC, EE, FF, GG)
- Select the reversed output (G)
Fig. 12: LOAS code
DO A
WITH B
OR -> IR CC
DO IR CC
WITH B
AND -> IR EE
DO IR CC
WITH D
OR -> IR FF
DO IR EE
WITH IR FF
AND -> IR GG
SET G
If all gates are able to execute the OR- as well as the AND-function (LAOS-LOAS), they must be healthy! This also means that the results will show the same output value, enabling the safety-PLC to set its respective system output. It also means that:
This concept, based on CCSM's and Time Windows, forces the same silicon gates to be operated both in an active "high" and in a "low" mode during every processing cycle. Therefore the DSP is defined as a device with: Virtual hardware diversity.
Figure 13 shows the timing of the LAOS-LOAS sequence. Between the two functions is a tiny period to execute the AND-OR conversion. An attentive look at this picture also provides information about the remarkably short execution time for the whole sequence compared with µ-processor based PLC's. The total sequence time is just 1 millisecond. The LAOS-LOAS sequence itself, to execute the logic functions, takes 0.9 ms as indicated. The remaining time is used to fetch/strobe the in- and outputs and to execute timer and other functions to complete a safety-PLC.
Fig. 13: The LAOS-LOAS timing (figure not reproduced; legible labels: 950 µs, CLKA, fetch inputs)
It is not the intention of this report to draw parallels with safety-PLC's, although similarities do exist. But one significant difference will apply to the DSP I/O. The DSP is specially developed to interface with inherently safe I/O, based on core-transistor-logic (CTL) technology. There is no need for redundant I/O in order to meet the highest level of safety requirements used by other PLC's! Single CTL I/O keeps the safety-PLC simple and therefore reliable. For highest availability dual I/O may be a requirement, whereas other PLC's require triplicated I/O at least.
In summary, the DSP offers:
- a sequence of 1 msec
- a 100% dynamic self-test as part of the operation
- decomposition into small function blocks using CCSM's
- an interface to inherently safe I/O
Referring to the CTL-interfacing, the next section presents a brief introduction about
CTL. It also shows the DSP using CCSM's to select the correct input and to define the
right input status.
Section 6: Input fetching
In general all PLC's use input circuitry to convert and to condition field signals into logic
signals and output circuitry to provide the opposite: drive capability for solenoids,
contactors etc. It will be clear that the conversion circuitry also requires a safety integrity
level as high as the level of the DSP.
After the start-up of the Safety PLC, the DSP generates the condition (time delay) del 1 (figure 15). This function measures the value of the CTL pulse output, being either Vcc or Grd in case there is no active output or a faulty one. The same variable is executed after del 2 (2 µs), where as a result Vcc represents a faulty signal.
Following the CCSM of figure 16, condition del 1 causes a transition from the inactive-state to the off-state or the on-state, depending on the variable measured, being Grd and Vcc respectively. Del 2 causes the transition from on- to the 1-state (or error-state) and from off- to the 0-state (or error-state). As explained before, the 1- or 0-state can be selected by the DSP to execute the logic functions (LAOS-LOAS). Obviously the error-state will stop the CCSM and because of this will halt the PLC.
Fig. 16: Input fetching (figure not reproduced)
The machine itself shows more conditions derived from other states such as:
- snooze/not snooze
- unprobed
- filter
These states are part of a number of CCSM's used to avoid address mismatch. They operate in the same way using the Time Window principle and show more or less the same structure as the example presented in figure 16.
Section 7: DSP Safety Assessment
During the design of the DSP, a new analysing technique was developed to analyse complex digital safe-guarding systems, which is called RIFIT (Random Internal Failure Injection Technique). The results are expressed in the failure probabilities which have to be known to be able to calculate the safety level of a safe-guarding system. Therefore a high confidence level of the results is obtained by simulating the effects of the internal failures in the DSP with RIFIT. Figure 17 gives an idea about what RIFIT can do.
Fig. 17: Random Internal failure injection technique (figure not reproduced; legible labels: Internal failures n = 6.E+10 (gate level), Safety functions n = 1.E+3, Input values)
The results, the safety effect probabilities, can be used to calculate the safety integrity levels. To calculate the level it is necessary to know the probabilities of the existence of one or more undetected failures in the safe-guarding system. It is possible to calculate those probabilities with help of a Markov model.
The results of the calculations to define the effect probabilities are as follows:
With a confidence level of 99.95% it can be stated that the probability that internal failures are observed is larger than 32%. With a confidence level of 99.95% it can be stated that the probability that internal failures result in a safety failure is smaller than 1.42%. This is much smaller than the maximum probability of 10% which the TÜV allows.
RIFIT is therefore a very valuable technique during the development of new safe-guarding systems, because it gives insight into the causes of the safety failures. If these causes are known it is possible to improve the safe-guarding system. In addition it is possible to determine safety effect probabilities of complex safe-guarding systems, which are needed to apply for safety certificates and to calculate the probabilities of undetected failures.
Section 8: Summary
The DSP has been designed towards the objective of a programmable safety device with
an eminent and verifiable safety level. Its design therefore departs from the well-known
schemes. The design intends to avoid the majority of systematic failures in the first place
by eliminating unnecessary complexity and by incorporating simple provisions for design
verification and inherent self-test.
Section 9: Epilogue
Eliminating the Unexpected, part 4, shows the properties and features of the DSP; a
processor with a verifiable safety level. The article could be considered as not complete
without mentioning the safety-system in which the DSP is used.
The DSP is used successfully in the safety-PLC, which is known as ProSafe-DSP. The
ProSafe-DSP is part of the ProSafe family, which covers a wide range of applications.
The complete ProSafe family consists of:
Segmentation
ProSafe-DSP aims towards segmentation of a safety system into simple units with
straightforward interfaces between them. This leads to lower complexity and therefore to
better technical mastering of the system. It also keeps operational problems from
propagating into unrelated system parts and allows maintenance and repair to be done
more easily. Therefore this design principle leads to higher safety integrity, higher
availability and lower operational costs.
Therefore ProSafe-DSP:
• eliminates the operating system by running the application code directly on the
hardware;
• limits application programs to a limited series of instructions that will always execute
in exactly the same linear order, every millisecond;
• allows historic information only in running timers and for feedback loops (such as
memory cells) and refreshes all other calculations in full during each cycle;
• does not include interrupt provisions, even at hardware level.
This results in a high degree of certainty that, when correct operation has been observed
during a single test, the same behaviour will be exhibited upon the same input stimuli
under all possible circumstances. Moreover the application program can be easily verified
manually against its specification in FLD function blocks.
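The four design rules above can be made concrete with a small cyclic executive. The following is an added illustration, not the DSP's own code or instruction set: a fixed, linear instruction list is executed in the same order every cycle, the only retained state lives in timers and memory cells, every other signal is recomputed from the inputs sampled once at the start of the cycle, and there is no interrupt path. The instruction names, signal names and the input trace are assumptions made for this example.

```python
"""Added illustration (not the DSP's own code): a cyclic executive with a
fixed, linear instruction list, state only in timers and memory cells,
and inputs sampled once per cycle (no interrupts).  Instruction names,
signal names and the input trace are constructed for this example."""
from dataclasses import dataclass


@dataclass
class Timer:
    preset: int       # cycles the input must stay true before the output becomes true
    elapsed: int = 0  # the only historic information a timer retains


@dataclass
class MemoryCell:
    value: bool = False  # feedback-loop state (a reset-dominant set/reset latch)


class CyclicProgram:
    """Executes the same instruction list in the same order every cycle."""

    def __init__(self, instructions, timers, cells, outputs):
        self.instructions = list(instructions)  # fixed at load time, never modified
        self.timers = timers
        self.cells = cells
        self.outputs = outputs

    def cycle(self, inputs):
        # Inputs are sampled once; nothing can change them mid-cycle.
        sig = dict(inputs)  # every non-retained signal is recomputed from scratch
        for op, dst, *args in self.instructions:
            if op == "AND":
                sig[dst] = sig[args[0]] and sig[args[1]]
            elif op == "OR":
                sig[dst] = sig[args[0]] or sig[args[1]]
            elif op == "NOT":
                sig[dst] = not sig[args[0]]
            elif op == "TON":  # on-delay timer: true once input held for `preset` cycles
                t = self.timers[args[1]]
                t.elapsed = min(t.elapsed + 1, t.preset) if sig[args[0]] else 0
                sig[dst] = t.elapsed >= t.preset
            elif op == "SR":  # latch: set by args[0], reset (dominant) by args[1]
                cell = self.cells[args[2]]
                if sig[args[1]]:
                    cell.value = False
                elif sig[args[0]]:
                    cell.value = True
                sig[dst] = cell.value
            else:
                raise ValueError(f"unknown instruction {op!r}")  # no other operations exist
        return {name: sig[name] for name in self.outputs}

    def run(self, trace):
        return [self.cycle(inputs) for inputs in trace]


def build_trip_program():
    """A small interlock: trip when high pressure persists for 3 cycles, hold the
    trip in a memory cell until an operator reset with pressure back to normal."""
    instructions = [
        ("TON", "press_confirmed", "press_high", "t_press"),
        ("NOT", "press_ok", "press_high"),
        ("AND", "reset_ok", "reset", "press_ok"),
        ("SR", "trip", "press_confirmed", "reset_ok", "m_trip"),
        ("NOT", "valve_open", "trip"),
    ]
    return CyclicProgram(instructions,
                         timers={"t_press": Timer(preset=3)},
                         cells={"m_trip": MemoryCell()},
                         outputs=("trip", "valve_open"))


# Constructed input trace: a 2-cycle pressure glitch (filtered by the timer), then a
# sustained high pressure (trips), pressure back to normal (trip held), then reset.
TRACE = [
    {"press_high": True, "reset": False},
    {"press_high": True, "reset": False},
    {"press_high": False, "reset": False},
    {"press_high": True, "reset": False},
    {"press_high": True, "reset": False},
    {"press_high": True, "reset": False},
    {"press_high": False, "reset": False},
    {"press_high": False, "reset": True},
]


def run_trace(trace):
    """Fresh program each time: the same stimuli must always give the same result."""
    return build_trip_program().run(trace)


if __name__ == "__main__":
    for n, out in enumerate(run_trace(TRACE)):
        print(n, out)
```

Because the listing is five instructions with two retained elements, it can be checked by hand against the intended function block diagram; re-running the same trace twice gives identical outputs, which is the property the text claims for the DSP.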
Section 10: References
A corporate perspective of industrial safety
by
Ir. F. van Woerden
Function:
Environment & Safety Department Manager, Tebodin Consultants & Engineers, The
Hague, The Netherlands
Experience:
Frank van Woerden has 10 years of experience of advising industry and national
authorities on matters related to industrial safety. His expertise in the field of industrial
safety comprises risk identification techniques, quantitative risk assessments, cost benefit
analyses and risk management systems.
A Corporate Perspective of Industrial Safety
Introduction
It is not uncommon to see industrial safety as a matter of applying the correct techniques;
therefore, as a rule, the issue is left to safety specialists who are capable of selecting the
correct measures. However, there is a growing awareness that not all issues related to
industrial safety are taken into account this way and that not all opportunities are grasped
for optimum integration of safety with companies' policies.
A corporate view on safety is essential not only for loss prevention but also to
achieve a higher up-time for installations and therefore higher production.
The choice that has to be made is all too clear. If a manufacturer invests little in safe
production the initial costs can be minimised but the risk of production failure and
damage is increased. Alternatively, maximum safeguarding may incur high investments
and may jeopardise a company's profitability. It is obvious that a production facility can
never be 100% safe. A residual risk will always remain after various measures are taken.
Which residual risks and the extent to which they are acceptable is determined by societal
and economic demands. Some manufacturers stop at what is prescribed by law and legal
permits or by what is incorporated in design and operating standards. However, it should
be noted that recently in many countries the nature of legislation in this respect has
changed: legislation and permits used to consist of detailed descriptions of safety measures
which had to be implemented. Nowadays, it has become more common by law to define a
framework within which necessary actions are defined. Additionally, safety issues are
related to other aspects of corporate management such as insurances, prevention of
production losses, professional diseases, occupational health, working conditions and the
image of the company. For the full validation of all these aspects it is essential to have a
clear insight into the organisational structure and human behaviour and issues such as a
sound streamlining and tuning of working procedures, personal attitude and the sense of
responsibility of employees. These are all issues that do not belong to the prime concern of
the technician but determine the safety of an installation to a high extent. These
observations require a company's management to clearly formulate its policy on safety, so
that the required measures can be based on this policy.
The main question is how these developments can be incorporated in the establishment of
a company's safety level. If this is based on the reduction of production losses, it may not
necessarily lead to the required working conditions. Some measures are generally good,
others conflict with each other.
How can a manufacturer make balanced decisions where all these aspects are sufficiently
taken into account? How should one distinguish between safety optimisation for existing
facilities and new installations? How should the increased knowledge over the last ten
years of industrial safety matters be integrated? To what extent should newly developed
management techniques be incorporated, which for example, by means of Business
Process Redesign (BPR), indicate how employees can be motivated best?
With this presentation I would like to introduce a project approach taking into account all
developments mentioned for achieving a balanced safety strategy. Firstly, attention will be
paid to some accidents of the past. Subsequently, the above mentioned management
aspects will be dealt with together with how improved knowledge can be applied to actual
situations, both for existing and new facilities. Finally, the approach is presented based on
a real-life situation.
Accidents
Looking at a large number of accidents in the past demonstrates that fires and explosions
are the most important incidents in industry. The release of toxic material (gases) is also a
major hazard. Fires are the most frequent accidents of these three categories; explosions
cause the highest number of fatalities and the most damage. Characteristic of toxic
releases is the large number of fatalities that can be caused at greater distances from the
source of the accident.
Major explosions occurred in Mexico City where an accident with oil products (petrol and
LPG) cost the lives of 550 people and on the Piper Alpha, an offshore platform for oil and
gas production, where 165 people were killed. The disaster of Flixborough is one of the
most discussed and investigated gas explosions. In a cyclohexane production plant a
leakage occurred in a bypass. The bypass was temporarily installed during maintenance
activities. The leakage caused the release of cyclohexane gas. The subsequent vapour
cloud reached the burner of a hydrogen installation and exploded with the loss of 28 lives,
the complete destruction of the plant and major damage for several kilometres. The
investigation reports of this accident show that the disaster was not simply related to
design errors, but that many other factors including at management level had a role. The
installation of the temporary bypass was not made subject to stringent safety procedures and
many departments were involved in this.
Theoretically, toxic releases have the capacity of causing larger numbers of fatalities but
fortunately accidents at this scale are quite rare. The largest disaster involving toxic gases
took place in Bhopal (India, 1984) in which 2500 people were killed.
These are a few of the major accidents that have been recorded. Less spectacular accidents
have a much higher frequency. Accidents in general are an important risk to a company.
The research reports produced for large scale accidents normally show that causes are
very complex and that the last link in the safety chain, the operator making an error, is not
the only element responsible for the event. Examples of this are the above mentioned
accidents but also the Estonia and the Herald of Free Enterprise ferry accidents.
In the event of an accident, a company is affected at several management levels. Roughly,
a distinction can be made between economic and human or societal aspects, although this
distinction is not always a sharp one.
Economic aspects
An important economic aspect is the physical damage of installations. For safety
measures, the costs of the installation can be compared with the costs of the protective
measures and the chance of occurrence of an accident with the installation. Another aspect
is loss of production. The (partial) failure of the installation to produce will temporarily
affect the production output. Obviously this will seriously affect relationships with clients,
loss of income, penalties of supply contracts and the image as a reliable supplier. The related
costs will also determine the level of required safety provisions. This aspect can be
investigated by looking at the up-time of the installation and the net time that the
installation is productive. The up-time depends on a number of aspects such as
maintenance, but also on the level of safety precautions.
Another aspect is insurance. A company can insure many things: damage to installations,
liabilities (health cost claims, supply problems). Basically, insurance companies can insure
anything. However, the general rule applies that if a risk of the occurrence of certain
events is not known very well, insurance premiums will be high. It is therefore in the
interest of the company to be able to judge well which risks should be insured and how
premiums relate to the costs and mitigating effects of safety measures.
Corporate image is important as an economic aspect. A company certainly cannot afford
to have its corporate image damaged by an 'accident prone' reputation.
Also external safety is a relevant issue. In particular, the Seveso accident prompted the
European Union to consider risks for the public from hazardous industrial activities. A
European Directive for the Control of Major Accidental Hazards from industry came into
force in 1982. Its integration with national legislation has made many European industries
compile safety reports with an inventory of risks and control measures and descriptions of
emergency procedures. Also relevant is the changing attitude towards sickness leave and
occupational illness. Also in this case more and more responsibility is being put onto the
employer for the level of sickness leave and in particular problems in this related to the
nature of the industry's activities. It is therefore important to identify the risks of the work
for employees and to have good insight into how these risks can be reduced.
For all the aspects mentioned two parameters, strongly related, are important for their
evaluation: what is the effect of the accident, e.g. in terms of killed or injured people and
what chance of occurrence is related to the accident. For accidents with a small chance of
occurrence and little impact, special measures are not always required. For accidents with
a small chance of occurrence but with large effects measures are often necessary.
However, much attention in this case may be given to the effect of the accident leading to
an 'overkill' of safety precautions.
For a balanced approach these parameters should be recognised. The great number of
achievements in risk analysis tools in recent years has made this possible and the
knowledge and analysis tools are now readily available. A wide range of analysis tools
exists, from quite simple to very complex. The most complex analyses take great effort
and are normally applied to situations where the effects of accidents can be very large and
control measures are costly. The first level of analysis is the identification of hazards. A
higher level of investigation involves the evaluation of the resulting effects. Finally, the
failure rates of these incidents and the subsequent risks can be quantified. Often in the
latter case the incidents with small effects remain to a certain extent short of attention.
safety measures are mentioned. In this case risks are eliminated by substituting hazardous
with non-hazardous substances. This step deeply affects the production process. An
example is the substitution of inflammable solvents with water.
The best possibility for including measures from a level as high as possible in the sequence
described is during the design of new installations. This is not normally possible for
existing plants. The latter case would require the replacement of equipment that is fully
written-off and a temporary production stop. An economic evaluation of these measures
needs to include disinvestment, demolition costs and the costs of production loss.
In the assessment of the measures sequence it should be noted that causes of accidents
often include human failure: lack of operator knowledge, a design error or incorrect
operation. It is estimated, depending on how human failure is defined, that at least seventy
per cent of accidents are related to human failure. This does not mean that solutions for
this problem should only be sought in operating routines and procedures. It is useful to
improve the operability of the installation by means of technical measures. The operator
should not be a tightrope walker in the plant; he needs to have all the information and
technical facilities at hand to respond adequately to incidents. On the other hand
it is not wise to design an idiot-proof production facility, since this reduces awareness of
the less frequent incidents.
Knowledge
The last decade has seen many technical and organisational developments in the field of
industrial safety. These developments have given detailed insight into how incidents occur
and what their consequences are. With this knowledge industry is not restricted to
measures that minimise the effects of accidents. Also prevention of accidents can be
incorporated more efficiently. These developments in knowledge technically enable
industry to improve the level of safety. An example of technical development is the
increased insight into ignition mechanisms such as static electricity. Techniques to prevent
static electricity can be found across the full sequence of measures: in some cases the
operating instructions should prescribe the use of special clothing and shoes when certain
handling operations are carried out. Passive technical measures are inertisation of gas or
increasing air humidity, but also the reduction of transport or drop velocities (friction
reduction). Inherent measures are the application of conducting materials. Another
technological development concerns the knowledge of dust explosions applied in food
industries, such as flour, dairy and sugar manufacturers and cereal handling. A final
example is the largely increased knowledge on run-away reactions and other special process
conditions.
In relation to organisational measures the Business Process Redesign should be
mentioned. This is a technique applied to the whole production process which tries to
achieve streamlining of the provision and distribution of information within the company.
Involvement of all employees in the achievement of improvements is a vital aspect of the
BPR to accomplish acceptance and commitment for the new system. These techniques can
also be applied in the introduction of organisational modifications and a safety
management system.
Project approach
The project approach is discussed by using a concrete project that Tebodin carried out
with Raffineriegesellschaft Vohburg/Ingolstadt (RVI) as an example. This is a refinery
complex in Southern Germany with 24 plants and production installations which are
strongly interrelated. This company, formerly part of the British Petroleum Group,
decided in 1989 to review the safety aspects of all its production facilities, initiated by a
number of major accidents that occurred worldwide with oil companies. Additionally, the
introduction of computer controlled automation of all the production facilities was another
reason for the safety review.
In a complex situation like this a thorough approach is required which includes all the
previously mentioned aspects and which is able to monitor progress and costs at any point
in time. The following project phases were identified.
Phase 1 - Start-up
The first step is the identification of the scope of work. Which installations and which
parts of the organisation should be included in the review? What level of detail is
required? The answer to these questions can be used to select the type of analytical tools
that will be used. For example, is it necessary to compile a full qualitative overview of the
total complex or can quantitative risk analyses immediately be applied to some of the
installations? A preliminary budget and planning is prepared and the project team
composition is determined. In the case of RVI the HAZOP technique was selected as the
most appropriate review instrument, including a review of operating procedures and safety
aspects of the computer control system. A programme was established for the review of
four to five installations per year. With an average review time of 4 weeks per plant the
project team was actively involved in the review for about 20 weeks per year. The
sequence of the plants under review was determined using some criteria. The first criterion
was the hazardous potential of raw materials and products, such as LPG, hydrogen and
hydrogen sulphide. The second criterion was the complexity of the plant. It was decided
that the catalytic cracking unit should be reviewed first because of the risks of mixing air
and hydrocarbons. Also the history of certain plants was studied in view of incidents and
production stops. The presence of sensitive objects in the vicinity could be another reason
for prioritisation. An important issue was the presence and the quality of documentation
particularly those describing the interfaces between various installations. The availability of
staff can also be an issue with the execution of reviews with the intensity of HAZOP
studies. RVI decided to make two employees fully available for the project both with
many years of (operating) experience, so-called 'alte Hasen'. Furthermore the HAZOP
chairman and his secretary were hired externally, not in the least to ensure sound progress.
The plant managers and also specialists of various disciplines (inspection, maintenance,
instrumentation, management) were available during part of the mornings to participate in
the review sessions. With this involvement the acceptance of the recommended measures
was high.
Phase 2 - Analyses
The execution of the review will provide insight into the safety level of the concerned
plants. Recommendations are made for components which fall short of the standards used.
All important operating modes were taken into account. Naturally, standard operations
were reviewed but also special conditions such as the regeneration of catalysts, decoking
of furnaces. Startups and shutdowns are also examples of vital modes of the review.
Finally, a number of failures were investigated that may affect more than one installation
component: failure of utilities (steam, power, plant air, nitrogen, cooling water etc.) and of
control systems specifically those for active safeguarding and the failure of computer
systems or parts of them.
Organisational aspects such as fire fighting, occupational health, security and
recommendations for new projects were included and linked to the reviews of individual
plants.
Phase 3 - Recommendations
In this phase the preliminary recommendations are analyzed resulting in a list of measures
to be taken with their priorities.
For RVI reports were prepared with cost estimates of all the recommended actions.
Subsequently, a cost/benefit analysis was performed including an indicative estimate of the
costs involved if it were decided not to implement the recommendation. Finally, a
planning for the execution of the authorised measures was made, which could be
problematic since some plants have a continuous production period of several years
without planned stops for maintenance.
Phase 4 - Implementation
For the implementation of the authorised control measures it is important to identify clear
steps that can be easily monitored. A periodic report on the state of the implementation
program is essential for which one person is responsible. The results can be summarised as
follows. For each plant, depending on size and other aspects, between 50 and 200
recommendations were formulated. About 30% of these were dealt with after one year,
50% after two years and 80% after 4 years. Costs vary widely. For the catalytic cracking
unit with 150 recommendations this was about USD 150,000, the vacuum unit had 50
recommendations worth USD 300,000. About USD 600,000 was involved for the
implementation of recommendations of the somewhat older combi-cracker.
For RVI the safety review and the implementation of measures had an important impact
on the safety awareness of the company's management and operators. The awareness has
been increased significantly over the years resulting in a high level of safety at present.
RVI's management is permanently involved in maintaining this awareness through the
recommended measures related to training and audits. The company safety campaign has
resulted in one accident in three million production hours. It should be noted that this one
incident happened during a safety training session of the company's fire fighting crew.
Obviously it is difficult to measure the success of a safety project. The accidents that
should have happened if measures would not have been implemented do not take place.
This will always be the paradox for the safety conscious conscience.
The Seveso-II directive
a brief overview of contents and consequences for major hazards plants
by
Drs. G.C.M. Lommers
Function:
Head of External Safety Division, directorate for Chemicals, External Safety and
Radiation Protection, Directorate-General of the Environment, Ministry of Housing,
Spatial Planning and the Environment.
Experience:
Experience with City Planning for about 10 years, worked 6 years as a coordinator of
environmental policy in the directorate-general of housing and contributed in this role to
the VROM-policy of more environmental friendly and more healthy building and planning.
For more than two years he contributed to the development of energy-saving-instruments,
like the energy-tax, in the directorate-general of the environment.
Since March 1994 Mr. Lommers has been heading the external safety division of the Directorate-
General and as such is responsible for the development of the external safety policy of the
ministry. He is also chairing the interdepartmental group that is responsible for the
implementation of the Seveso-II directive in the Netherlands.
Organisations:
• Member of the Committee of Competent Authorities for the Seveso-directive of the
EU.
• Member of the Expert Group on Chemical Accidents of the OECD.
The SEVESO-II directive: a brief overview of important changes and consequences for
major hazards plants in the Netherlands
Summary
After an introduction to the current external safety policy and practices in the
Netherlands an overview of relevant articles and changes in the new European Seveso
directive is presented. This also covers the relevance of certain of the new Seveso articles
to Dutch target groups.
In relation to the above some of the intentions of the Dutch authorities on
implementing the Seveso-II directive are highlighted. This also covers a general
description of intended changes to the Dutch Major Hazards Decree, through which the
Seveso-II will be implemented, and descriptions of projects to produce guidance for
industry and local authorities.
1. Introduction
In the Netherlands, there are about 4500 potentially hazardous activities (establishments),
ranging from relatively small LPG filling stations for motor cars to large chemical sites
involving chlorine and ammonia production and storage. Risk acceptability criteria are
firstly used to determine which risk reducing measures are necessary for specific hazardous
activities. Secondly, risk criteria are used to determine generic or specific safety distances
for standard or complex establishments (e.g. LPG filling station vs oil refinery), based on
geographic risk contour maps. The external safety policy is implemented at practical level
through strict regulations for cases where straightforward generic risk modelling can be
applied and through more sophisticated procedures for complex cases. In either case, risk
reduction at the source has priority over zoning. In many cases, risk cannot be reduced
sufficiently at the source to meet the criteria for acceptable external risk levels outside
plant premises, and consequently zoning is required.
The methodology and policy used for 'fixed installations' is presently being adapted to
make it suitable for situations involving risk in the transport of dangerous chemicals. The
parameters of individual risk and societal risk used in the policy for fixed installations are
used in a slightly modified framework, but along very parallel lines. This new approach
makes it possible to effectively deal with the problems of transport of dangerous
chemicals, that many countries are presently faced with, or will be in the near future.
Two of the topics central in the discussion of this symposium will be at the core of this
paper:
• What is an acceptable risk to the involved parties and who makes the decision?
• Can new safety criteria protect the world against major industrial disasters like
Chernobyl, Bhopal and Piper Alpha?
The first part of this paper is a description of the risk management and control based
philosophy used in the Netherlands to deal with external safety around 'fixed' hazardous
establishments. The policy described is based solely on preventive environmental
protection legislation. The second part covers relevant sections of the new European
Seveso-II directive which impacts on legislation on environmental protection, labour
protection and disaster planning. In relation to this the outlines of the way the Dutch
authorities intend to implement the Seveso-II directive into Dutch legislation is presented.
The development of what is known as the external safety policy with quantification of
risks in its current form in the Netherlands originated in the beginning of the 1980s, when
it became clear that the use of LPG would increase considerably. The other important
element for the development of an external safety policy was of course the Seveso
Directive from 1982. Obviously the occurrence of a number of major hazards -
Flixborough, Beek, Bhopal, Mexico City and Los Alfaques - catalysed the process of
developing policies aimed at improved prevention of accidents. The external safety policy
is based on environmental legislation and covers prevention of dangerous accidents. Policy
on workers' safety, mitigation and repression of accidents falls under different legislation
(see section 6).
The basis for the Dutch quantitative risk approach was formed twelve years ago, in 1982,
with two large studies which were undertaken to find ways of managing risks connected
with hazardous activities:
• The LPG integral study (performed by TNO) which determined risks of all LPG
activities in quantitative terms.
• The COVO study, which covered six industrial activities in the Rijnmond area and
which showed the viability of quantitative risk assessments for determining the extent
of hazards in activities with dangerous chemicals.
In these studies quantitative assessment of risks was found to be the most effective
instrument for dealing with the hazardous activities considered. In fact it made it possible
to arrive at an effective policy to control (major) hazards with these activities.
The LPG integral study led to a Memorandum that was accepted by the Parliament in
1984 and which laid down essentially three important elements for the Dutch external
safety policy:
• The use of quantitative risk assessment to determine risks.
• The adoption of two risk-determining measures:
  o individual risk: the chance of death per person per year at a location around the
    hazardous activity;
  o societal risk: the chances of death per year for groups of persons around the
    hazardous activity.
• Acceptability criteria for both the individual risk and the societal risk.
These developments have resulted in an external safety policy in the Netherlands, which
can be summarised briefly as follows:
In the external safety policy, hazardous activities are evaluated with respect to their
risks, both in terms of individual risk and societal risk. For an activity identified as
dangerous, these risks are compared with acceptability criteria. If risks are found to be
unacceptable, risk reducing measures or zoning (or both) are applied to bring the risk
to an acceptable level.
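The evaluation just summarised (two risk measures, comparison with acceptability criteria, source reduction before zoning) can be written out as a small calculation. The following is an added example, not from the paper or from any Dutch guidance document: the scenario frequencies, lethality figures, occupancies and above all the criterion values IR_LIMIT and SR_CONSTANT are constructed placeholders, not the official MTR figures, and the F(N) <= C / N² form of the societal-risk criterion is an assumption made for the illustration.

```python
"""Added illustration (not from the paper): evaluating a hazardous activity
against individual-risk and societal-risk acceptability criteria along the
lines of the Dutch external safety policy.  Scenario frequencies, lethality
values, occupancies and the criterion values are constructed placeholders,
not the official MTR figures."""
from dataclasses import dataclass

IR_LIMIT = 1e-6      # placeholder individual-risk criterion (deaths per person per year)
SR_CONSTANT = 1e-3   # placeholder constant for a societal-risk criterion F(N) <= C / N**2


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float   # accident events per year
    lethality: dict    # location -> probability of death for a person present
    occupants: dict    # location -> number of persons present


def individual_risk(scenarios, location):
    """Chance of death per year for a person permanently present at `location`."""
    return sum(s.frequency * s.lethality.get(location, 0.0) for s in scenarios)


def expected_fatalities(scenario):
    return sum(n * scenario.lethality.get(loc, 0.0)
               for loc, n in scenario.occupants.items())


def fn_curve(scenarios):
    """Societal risk as (N, F) points: F is the yearly frequency of accidents
    causing at least N fatalities (expected fatalities are used for N)."""
    levels = sorted({expected_fatalities(s) for s in scenarios
                     if expected_fatalities(s) > 0})
    return [(n, sum(s.frequency for s in scenarios if expected_fatalities(s) >= n))
            for n in levels]


def societal_risk_exceeded(scenarios, c=SR_CONSTANT):
    """Criterion of the F(N) <= C / N**2 form; C is a placeholder here."""
    return any(f > c / n ** 2 for n, f in fn_curve(scenarios))


def evaluate(scenarios, locations, ir_limit=IR_LIMIT, c=SR_CONSTANT):
    """Compare both risk measures with their criteria, as the policy prescribes."""
    ir = {loc: individual_risk(scenarios, loc) for loc in locations}
    ir_exceeded = sorted(loc for loc, r in ir.items() if r > ir_limit)
    sr_exceeded = societal_risk_exceeded(scenarios, c)
    if ir_exceeded or sr_exceeded:
        action = "unacceptable: reduce risk at the source first, then zone"
    else:
        action = "acceptable: ALARA measures at the source only"
    return {"individual_risk": ir, "ir_exceeded": ir_exceeded,
            "sr_exceeded": sr_exceeded, "action": action}


def apply_source_measure(scenarios, name, factor):
    """A risk-reducing measure at the source, modelled as dividing one
    scenario's frequency by `factor`."""
    return [Scenario(s.name, s.frequency / factor if s.name == name else s.frequency,
                     s.lethality, s.occupants) for s in scenarios]


def zoning(scenarios, locations, ir_limit=IR_LIMIT):
    """Locations where the criterion is still exceeded after source measures:
    here no external developments (e.g. housing) may be permitted."""
    return sorted(loc for loc in locations
                  if individual_risk(scenarios, loc) > ir_limit)


LOCATIONS = ("plant fence", "road 100 m", "houses 300 m")
SCENARIOS = [  # constructed sample data
    Scenario("tank rupture", 2e-5,
             {"plant fence": 0.5, "road 100 m": 0.1, "houses 300 m": 0.01},
             {"road 100 m": 10, "houses 300 m": 100}),
    Scenario("pipe leak fire", 1e-4,
             {"plant fence": 0.02, "road 100 m": 0.002},
             {"road 100 m": 10}),
]

if __name__ == "__main__":
    print(evaluate(SCENARIOS, LOCATIONS))
    reduced = apply_source_measure(SCENARIOS, "tank rupture", 10)
    print("zoning still needed at:", zoning(reduced, LOCATIONS))
```

With the sample data the individual-risk criterion is exceeded at the fence and at the road while societal risk is within the curve; a tenfold frequency reduction of the tank rupture scenario clears the road but not the fence line, which is where zoning would then be applied.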
As a result of developments in recent years the status of criteria for acceptability of
individual and societal risk have changed. There is mention only of one level of
acceptability (1), for both individual and societal risk, beyond which only the ALARA
principle (2) for taking appropriate measures at the source is used and external developments
are not acceptable; furthermore the formal status of the acceptability of societal risk levels
is considered differently from that of the individual risk.
(1) Called the maximum allowable risk level (MTR) for individual or societal risk.
(2) As Low As Reasonably Achievable.
In the Netherlands, since March 1993 most of the environmental protection legislation is
either replaced by, or integrated in, a new law, the Environmental Protection Act. An
important principle of this new Act is that an establishment will obtain one single
Environment Protection Licence which covers all types of environmental protection (air,
water, soil, noise, risk, etc.; in the 'old' situation for each type of environment protection
a separate licence was required). A licence under the Environmental Protection Act also
covers measures to prevent major accidents. The Environmental Protection Act gives
general requirements for establishments, amongst which fall all the Seveso establishments,
that apply for a licence. For many of the establishments that come under the Seveso
criteria, an external safety report (EVR) is to be submitted together with the licence
application. This EVR, including a description of safety measures, forms an integral part
of the licence. The obligation to submit an external safety report is imposed by the Major
Hazards Decree (1988).
The relationships between legislation, external safety reporting and risk acceptability
criteria are presented schematically in Figure 1.
[Figure 1: schematic linking the Manual on risk criteria, the Environmental Protection Act
and the Major Hazards Decree]
Figure 1 Schematic overview of Dutch legislative system with respect to external safety
(legislation and formal regulations are printed in italic).
A guidance manual on the practical application of risk acceptability criteria by the local
competent authorities (i.e. licensing authority, labour inspectorate and fire brigade) as
mentioned in this scheme is now available. It is intended that the criteria for individual
risk will be formalised by a pertinent Decree. Acceptability criteria for societal risk, which
will be regulated by the same decree, will have a somewhat different status in that
permitting authorities will be enabled to accept higher risk situations, provided that the
decision is properly motivated and a thorough balancing of interests has taken place.
In addition to the Major Hazards Decree standard generic regulations and guidelines serve
to impose requirements on safety management for hazardous activities:
224
1. Administrative Decrees, e.g. for LPG filling staiions
2. General circulars, e.g. on pipeline transport
3. CPR guidelines on activities e.g. with dangerous bulk chemicals or pesticides
a. Identification of risks.
Generally, risks are identified by the nature of the chemicals that are being produced, handled, stored or used: chemical installations producing dangerous chemicals in larger quantities, storage of gases under pressure or otherwise in large quantities, storage of pesticides and other chemicals in warehouses, tank storage, transhipment activities, transport by pipeline, use of toxic gases in production or as a (cooling) medium, explosive materials, etcetera, are well known. Within this broad range of hazardous activities, the industrial activities which come under the Seveso directive criteria obviously get considerable attention. Apart from that, general hazardous activities receive attention in the Dutch external safety policy: the way to control the risk of these activities is dependent upon the type of risk involved, though the criteria for acceptability are the same for all cases, with the exception of pipelines, for which the societal risk criterion is not applied.
c. Maintaining the acceptable risk.
The risk situation considered to be acceptable could change without being noticed if the operator of a site identified as hazardous would e.g. change the way the plant is operated, or the inspection schemes, or the nature or quantities of the chemicals present at the site. This can be avoided by clear regulations and a good inspection scheme by the competent authorities. If there are important changes in the activities, the risk should be re-evaluated.
Figure 2. Individual risk contours on a geographic map, indicating the risk situation at an industrial site (DSM, Geleen - 1989).
4. Criteria for the acceptability of risk
The quantitative risks calculated in the external safety report are evaluated against risk acceptability criteria, for both the individual risk and the societal risk. The individual risk criterion protects individual persons against hazards and does not distinguish between the sizes of the accidents that may occur. The societal risk criterion, on the other hand, protects groups of persons (society) against the occurrence in particular of major ('large scale') accidents. This latter criterion is based on the consideration that even when the individual risk criterion is fully met, if a high population density is located close to the 'safety distance' which is to be kept to a hazardous activity, it is still possible that a major accident could result in a large number of victims. The probability of such accidents therefore also needs to be considered in order to decide about their acceptability.
The basis for the calculation of the individual risk and the societal risk is also somewhat different. The individual risk is calculated regardless of the existence of people and vulnerable objects around the hazardous site. Also, contrary to the societal risk, the chance of being killed in an accident at a certain location is calculated for a person present at that location without any form of protection.
This is different for societal risk: in the calculation of societal risk the actual average presence of persons is taken as the basis for the calculation, and a distinction is made between persons inside a building and persons in the open air with respect to their vulnerability in the damage assessment.
In figure 3 and figure 4 the risk acceptability criteria are displayed. In the current external safety policy only the maximum acceptable risk (MTR) serves as a criterion. Once that level is met, an ALARA approach is required to minimise risks further.
In figure 5 the policy for using acceptability criteria for individual risk and societal risk is summarised schematically for the situation of Seveso establishments.
Figure 4. Acceptability criteria for societal risk.
Source oriented measures, i.e. risk reduction measures at the hazardous site, always have priority over effect oriented measures like zoning or keeping safety distances. Only in the case that this cannot bring the risk down to an acceptable level is land use planning considered. For non-Seveso establishments a similar consideration can be followed, albeit that the formal structure is different in the sense that a specific risk analysis is not formally requested. In such cases, generalised risk studies can lead to either specific or generalised safety distances, on the basis of a specifically designed 'standard' set of safety provisions for the activity. The current system of risk acceptability criteria for new and existing hazardous establishments or housing developments is summarised in Table 1.
Table 1
Overview of the risk acceptability criteria system used in the Netherlands for new and existing hazardous establishments or housing developments. Risk parameter values are frequencies (per year) for lethality (individual risk) or cumulative accident probabilities (per year) for N (or more) casualties.
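The two calculations contrasted in this section (individual risk for an unprotected person, regardless of who actually lives at a location, versus societal risk from the time-averaged population with an indoor/outdoor vulnerability split, summarised as the cumulative frequency of N or more casualties) can be made concrete with a small worked example. The Python below is an added illustration for this edition; it is not code from the proceedings nor from any Dutch authority or risk assessment tool. Its scenario frequencies, footprint radii and population figures are constructed, the footprints are simplified to circles with linear fall-off, and the indoor vulnerability factor of 0.1 and the societal criterion line C/N^2 with C = 10^-3 are assumptions (the document's own criterion line is in Figure 4, which did not survive extraction). Only the 10^-6 per year MTR for individual risk is taken from the text.

```python
import math
from dataclasses import dataclass

MTR_INDIVIDUAL = 1e-6   # maximum acceptable individual risk per year (from the text)
SOCIETAL_C = 1e-3       # ASSUMED criterion line F(N) <= SOCIETAL_C / N**2 per year
INDOOR_VULNERABILITY = 0.1  # ASSUMED lethality indoors relative to an unprotected person


@dataclass(frozen=True)
class Scenario:
    """Accident scenario with a circular lethality footprint centred on (x, y):
    100 % lethality inside r_lethal, linear fall-off to zero at r_zero."""
    name: str
    frequency: float  # events per year
    x: float
    y: float
    r_lethal: float   # metres
    r_zero: float     # metres

    def lethality(self, px: float, py: float) -> float:
        """Probability of death for an unprotected person at (px, py)."""
        d = math.hypot(px - self.x, py - self.y)
        if d <= self.r_lethal:
            return 1.0
        if d >= self.r_zero:
            return 0.0
        return (self.r_zero - d) / (self.r_zero - self.r_lethal)


@dataclass(frozen=True)
class PopulationCell:
    """Time-averaged number of persons present at (x, y), split indoor/outdoor."""
    x: float
    y: float
    persons: float
    indoor_fraction: float


def individual_risk(scenarios, px, py):
    """Individual risk at (px, py): frequency-weighted lethality summed over the
    scenarios, for an unprotected person and independent of who lives there."""
    return sum(s.frequency * s.lethality(px, py) for s in scenarios)


def safety_distance(scenarios, mtr=MTR_INDIVIDUAL, step=5.0, max_d=5000.0):
    """Radius of the mtr contour: first distance along +x from the site centre
    at which the individual risk drops below mtr. Assumes risk falls
    monotonically with distance, which holds for footprints centred on the site."""
    for i in range(int(max_d / step) + 1):
        d = i * step
        if individual_risk(scenarios, d, 0.0) < mtr:
            return d
    return None


def expected_fatalities(scenario, cells, indoor_vuln=INDOOR_VULNERABILITY):
    """Expected fatalities of one scenario, using the actual average presence and
    the indoor/outdoor vulnerability distinction of the societal criterion."""
    total = 0.0
    for c in cells:
        vuln = c.indoor_fraction * indoor_vuln + (1.0 - c.indoor_fraction)
        total += c.persons * scenario.lethality(c.x, c.y) * vuln
    return total


def fn_curve(scenarios, cells):
    """F-N curve as a list of (N, F): F is the cumulative frequency per year of
    scenarios with N or more fatalities, for N = 1 .. largest N reached."""
    outcomes = [(expected_fatalities(s, cells), s.frequency) for s in scenarios]
    n_max = int(max(n for n, _ in outcomes))
    return [(n, sum(f for fat, f in outcomes if fat >= n)) for n in range(1, n_max + 1)]


def first_societal_exceedance(scenarios, cells, c=SOCIETAL_C):
    """Smallest N at which F(N) lies above the criterion line c / N**2, else None."""
    for n, f in fn_curve(scenarios, cells):
        if f > c / n ** 2:
            return n
    return None


# Constructed scenario set for a fictitious site at the origin (not real data).
SCENARIOS = (
    Scenario("LPG vessel BLEVE", 5e-7, 0.0, 0.0, r_lethal=150.0, r_zero=300.0),
    Scenario("flash fire", 2e-5, 0.0, 0.0, r_lethal=40.0, r_zero=80.0),
    Scenario("toxic release", 1e-6, 0.0, 0.0, r_lethal=200.0, r_zero=450.0),
)

# Constructed population: a dense housing block just outside the 1e-6 contour
# and a handful of people on a road further out (not real data).
CELLS = (
    PopulationCell(260.0, 0.0, persons=600.0, indoor_fraction=0.9),
    PopulationCell(300.0, 0.0, persons=5.0, indoor_fraction=0.0),
)

if __name__ == "__main__":
    print("1e-6 contour radius: %.0f m" % safety_distance(SCENARIOS))
    for cell in CELLS:
        ir = individual_risk(SCENARIOS, cell.x, cell.y)
        print("IR at %.0f m: %.2e /yr, meets MTR: %s" % (cell.x, ir, ir <= MTR_INDIVIDUAL))
    print("first N with F(N) > C/N^2:", first_societal_exceedance(SCENARIOS, CELLS))
```

Run as a script it reports a 10^-6 contour radius of 250 m, that both population cells lie outside that contour (so the individual risk criterion is met everywhere people live), and that the F-N curve nevertheless crosses the assumed criterion line from N = 26 onwards because 600 people sit just beyond the safety distance. That is precisely the situation the text gives as the reason for having a separate societal risk criterion; note also that the frequent but small flash fire dominates the individual risk close to the site yet contributes nothing to the societal risk, since its footprint reaches no population.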
5. Current situation
Seveso establishments are of primary interest when applying the external safety policy. As stated, the Major Hazards Decree imposes the obligation to submit a quantitative risk assessment which indicates on a geographic map how the risk contours are positioned around the establishment, and where housing and other objects to be protected are situated with respect to these risk contours. This directly allows the application of the acceptability criteria for the individual risk.
If (further) risk reduction at the source, i.e. the establishment where the hazardous chemicals are stored, processed or handled, is not possible, the risk contours implicitly define safety zones around the establishment.
For a number of hazardous activities, specific legislation and specific guidelines have been adopted. In some of these cases, risk assessment forms the basis of the decision on the acceptability of an activity in a specific situation. In other cases, in particular for most LPG activities and pipeline transport, this is achieved by using pre-calculated safety distances based on the same (maximum) risk acceptability criteria. In Table 2 an overview of safety distances and safety zones used in relation with various hazardous activities in the Netherlands is given.
For pipeline transport, safety distances are dependent upon pressure and pipeline diameter, in particular for K1 liquids. These distances are based on generalised model calculations for conceived accident scenarios and a maximum acceptable risk level of 10^-6 per year.
For LPG tank filling stations, safety distances are based on the same maximum acceptable risk level and on risk versus distance calculations performed within the LPG Integral project, of which the policy results were reported in the LPG Integral Memorandum.
For pesticide storages and chemical storages, the situation is slightly different. In a circular which defines, amongst others, the siting aspects of the external safety policy, distances are based on the 10^-7 rather than the 10^-6 per year individual risk contour, calculated for modelled 'average storages'. If these distances to the nearest housing cannot be maintained, the company has the option to present a quantitative risk assessment for the specific situation, which shows that the nearest housing is not within the 10^-6 risk contour.
Table 2.
Overview of safety zoning systems adopted in the Netherlands in relation with various hazardous activities (only the rows below survived extraction).

Activity                         | Safety distance / zone          | Basis
LPG tank filling stations        | 80 m (50 m3)                    | LPG tank filling stations Decree
Railroad yards                   | 10^-6 IR contour                | Circular on railroad yards
Pesticide storages (> 10 tonnes) | 50 m (100 m2), 200 m (500 m2)   | CPR 15-3, circular on pesticide storages
• In the Netherlands currently 112 industrial establishments come under the criteria of the Seveso directive and thereby under the criteria of the Major Hazards Decree (as these criteria are identical). The criteria of the Seveso directive were modified by the EC in 1988 in view of the conclusion that the Sandoz accident of November 1986 could not have been prevented in an EC country by the implementation of Seveso directive 82/501. Most of these establishments have submitted external safety reports to the authorities. From 1990 to 1991 the Ministry of Environment has evaluated the quality of the safety reports submitted to the authorities and has reviewed the risk situation in the Netherlands based on the risk indications from these safety reports. In Table 3 a summary of the risk situation is presented for 66 Seveso establishments.
Table 3
Summary of the risk situation for 66 Seveso establishments in the Netherlands: number of sites involved in the indicated risk situation, as concluded from safety reporting in 1989 and applying current risk acceptability criteria (only the total row survived extraction).
Total | 58 | 8 | 66
From the evaluation executed by the Ministry of Environment it was found that the majority of industrial sites do not pose considerable risks to the surrounding environment, due to their location in industrial zones at a distance from the nearest housing. A limited number of industrial sites exceed the maximum tolerable individual risk for new situations. A few sites exceed the maximum acceptable individual risk for existing situations. It should be emphasised that Table 3 is based on risk data from several years ago, and that the risk has since been decreased in several of these cases, either by risk reduction at the source, e.g. by lower inventories of hazardous chemicals, or by safety zoning, or both.
• Risks associated with transport of dangerous chemicals by rail are considered within the external safety policy in cooperation between the Ministries of VROM (environment) and V&W (transport). A distinction is made between 'free track' risks and risks caused by marshalling yards. This latter aspect is of particular importance for the following reasons:
- marshalling yards are very often located quite near train stations in cities, which are locations that 'attract' both housing and office buildings, because of the efficient and environmentally preferable possibilities for passenger transport;
- a number of marshalling yards deal with the temporary presence and shunting activities involving dangerous chemicals;
- because of nearby housing and increased concentrations of persons in office buildings near to the marshalling yards, increased risk levels are effectively caused.
For these reasons, railroad marshalling yards are treated as Seveso type establishments in the Netherlands, regardless of the question whether they would formally qualify under the criteria of 82/501/EC. This means in practice that 80 possibly hazardous marshalling yards have been considered with respect to the quantities of dangerous chemicals that can be present at any time. It was found that about 20 marshalling yards could present risks that have to be considered further. For these identified sites, quantitative risk assessments have been performed and reported. It came out that 10 marshalling yards currently cause a societal risk that exceeds the level considered acceptable for industrial sites. Exceedance of the acceptability criteria for individual risk plays a much lesser role in these cases. The majority of the risks is caused by LPG and chlorine rail tank cars. The safety problems with marshalling yards are considered in a national project called PAGE, in a cooperation between the two aforementioned ministries and the national railway company (NS). This project is aimed at solving on a national scale the risk problems for the marshalling yards which cause high risk levels. The project has run since 1993 and will be finalised this year.
• Stevedore establishments which meet the criteria given in the annexes of the Seveso directive are considered as relevant with respect to possible risks. They have to submit external safety reports to the authorities. A generalised methodology facilitating the quantitative assessment of risk has recently been developed for those sites, which are characterised by a rapidly changing variety of goods as well as chemicals, some of which are dangerous. In the Rijnmond area, 30 stevedore establishments have been identified in addition to the very large establishments that had already previously been identified as meeting the Seveso criteria. A recent risk study for establishments of this type has indicated that neither individual risks nor societal risks for these establishments in the Rijnmond area are likely to exceed MTR levels, due to sufficiently large distances to populated areas.
• Ammonia refrigeration units are another class of possibly hazardous activities. For these activities, a specific CPR guideline is available as a basis for the safety aspects of licences. This guideline is currently being improved in order to provide a better tool for managing the pertinent risks. In addition, it will be considered whether a system of safety distances can be introduced for these types of installations.
• The Minister of VROM considers the possibility of formal legislation for the risk acceptability criteria. Actual draft legislation is currently foreseen for 1995/1996. In support of this legislation an overview of the use of risk criteria in the Netherlands in comparison with other countries will be given, along with an overview of the actual risk situation in the Netherlands and an identification of the establishments which are likely to be affected by the legislation. Furthermore, a proposal for setting standard requirements for performing risk assessments, and for the institutionalisation of these requirements, will be made in support of the draft legislation.
• Our national airport, Schiphol (Amsterdam), has in the past few years been the object of extensive safety studies within the framework of plans to expand the airport. In 1993 a report on the external safety around Schiphol (related to civil airplane movements) was prepared by the RAND corporation. On the basis of this report an action plan aimed at improving the safety around Schiphol was presented to the Parliament. In addition to this, in a study conducted by the NLR, safety zones have been determined to limit the risk for people living around Schiphol 5). Within the 10^-5 risk zone new construction of housing as well as other dwellings is prohibited. Within the 5x10^-5 risk zone, existing housing will even be 'closed down' in the longer term. Within the 10^-6 contour area an overall risk policy is adopted, aimed at a stand-still in the development of the risk in the contour area. In an even larger area the construction of dwellings is restricted to a certain extent. This also involves a policy with respect to societal risk. As from 1999, the external safety situation around Schiphol airport will be re-evaluated every 5 years.

5) Meanwhile, the risk assessments performed for Schiphol airport have attracted international attention, resulting in similar assessments for airports in other countries.

The Seveso-II directive is a fundamental review of the current Seveso directive. The European Commission proposes a considerable revision. Under this revision, sharper definitions of the scope and requirements of the directive are foreseen. Apart from the revision of existing articles, new articles are added.
Like Seveso-I, the Seveso-II directive obliges operators of fixed hazardous establishments to supply the competent authorities with information on internal and external safety matters. Topics like process safety management systems, land use planning, safety measures, safety assessment studies, domino effects and disaster planning are important information requirements. Furthermore the competent authorities have obligations towards the reviewing and handling of safety reports and in the physical inspection of hazardous installations.
In March this year the European Council approved the official translations of the texts of the Seveso directive and has had it published in the EC publication paper. It is now up to the European Parliament to give its final comments (3 months). The Commission then has one month to work out the amendments of the Parliament. If all goes well, this year the Seveso-II directive will receive force of law. This implies that 24 months after the notification of the Council the directive has to be implemented in the national legislation of the EU member countries. The Dutch legislation therefore has to be ready by the end of 1998. The safety reports new style can then be expected two years later, i.e. by the end of the year 2000.
... on classes of dangerous substances with two threshold values for the selection of establishments falling (only) under the 'light' (art. 6/7) or (also) the heavy (art. 9) obligation; concentrated on classes of dangerous substances; furthermore restricted to only a few selected substances mentioned by name, and no distinction anymore between the minimum amounts for storage and process;
article 6: obligation for all selected establishments to provide written information on general accident prevention provisions;
article 7: requirement for operators of establishments to draw up a document stating their Major Accident Prevention Policy (MAPP) as it is enforced by their Management System. The MAPP must be reviewed periodically by senior management and must be available at all times for the competent authorities;
article 8: domino effects: requirement for the Competent Authorities to take the necessary steps for the exchange of information between operators of hazardous establishments with the potential of domino effects and to cooperate in the preparation of Emergency Plans and the provision of information to the public; obligation for art. 6 and art. 9 establishments to take account, as much as possible, of domino effects due to neighbouring facilities in the MAPP, the Safety Management System, the safety reporting and the internal disaster planning;
article 9: safety report: clearer requirements for the operators to submit reports on the subject of the Major Accident Prevention Policy, risk assessment and internal and external emergency planning; requirement for the legislator (member countries) to develop harmonised criteria for the selection of relevant hazardous installations within one hazardous establishment;
article 12: siting and land use: requirement for the Competent Authorities to properly take account of hazards in siting and land use issues, like e.g. housing developments, use of ground and allocation of functions; the necessity has to be taken into account that in the long term sufficient distance between the art. 6/9 establishments and vulnerable functions, like living and natural habitat, must be realised (it will be clear that due to the described existing situation in the Netherlands this new element can easily be facilitated in the current legal system in the Netherlands);
article 18: the obligation for local competent authorities to set up an inspection system or other coordinated control mechanism.
Implementation route
The implementation of the Seveso-II directive into Dutch legislation is done by the three departments involved. The Ministry of Housing, Spatial Planning and Environment (VROM) has a key role as coordinator. VROM is primarily responsible for legislation on external safety. The Ministry of Labour (SZW) is primarily responsible for the safety of workers in hazardous plants. The Ministry of Internal Affairs (BIZA) is primarily responsible for matters concerning emergency planning and the Fire Brigade.
The current Seveso-I directive implementation is based on the Major Hazards Decree (BRZO) of VROM and specific legislation of the other departments SZW and BIZA. At present it is the intention to implement all the new information requirements of Seveso-II in a new version of the Major Hazards Decree (BRZO-II) and to restrict information obligations to one notification/safety report. This integration thought comes from industry, which is at present confronted by often overlapping reporting obligations. These obligations originate from the Seveso-I implementation in the Netherlands. The BRZO obliges plant operators to submit an External Safety Report (EVR) for the local Permitting Authority, in order to assess the risks to the nearby population and environment. The Labour Inspectorate requires a Labour Safety Report (AVR) to assess workers' safety. The regional Fire Brigade, finally, needs information from the plant operator on emergency and disaster planning issues.
It will be clear that integrated reporting on safety issues in one Safety Report, however advantageous to industry, also implies close(r) collaboration between local competent authorities. In this case it is intended that local permit authorities (municipal or provincial), also responsible for disaster planning and physical planning, perform a key role in receiving the Safety Report. The permit authority then coordinates further action with the regional Labour Inspectorate and the regional Fire Brigade.
The future BRZO-II will contain the formal requirements to plant operators for information notification on safety issues covering all the relevant articles of Seveso-II. To aid plant operators in producing the requested Safety Report (VR) and the local competent authorities in judging these reports, a project has been started to produce a guidance document for integrated safety reporting. The major effort will be the integration of the current requirements for EVR and AVR, also taking into account the new requirements of Seveso-II and new developments, like certification of environmental and safety management care systems.
A number of EC working groups, with representatives of the competent authorities of the EC member states, have produced concrete guidance documents on different aspects of the directive. One of these guidance documents gives an extensive overview of descriptions of possible methodologies for safety assessment. The guidance documents however are not obligatory for member states in the implementation of the directive. Member countries can make their own choices for policy instrumentation.
Regarding the above, at present nothing definitive can be stated about the shape of the end product.
To aid the competent authorities, i.e. the permitting authority (also responsible for land use and disaster planning), the labour inspectorate and the fire brigade, in performing their public administrative duties, a project will start next year producing an administrative guidance manual. In this project different organisational models of cooperation between the local competent institutions, regarding the tasks of BRZO-II, will be examined.
In policy developments currently under way, the expected revision of the Seveso directive is already being considered. Three studies have been conducted to determine the extent, as far as the number of plants involved is concerned, of the Seveso-II revision:
1. An inventory of establishments which will come under article 9 of this directive
2. An inventory of establishments which will come under articles 6 and 7 of this directive
3. An indication of the risk situation existing around establishments coming under these articles.
These studies have led to the following indicative results for the Netherlands:
• The number of establishments that come under article 9 of the proposed revision of the Seveso directive is expected to be around DO, as compared with 112 that come under article 5 of the current directive.
• The number of establishments that come under articles 6 and 7 of the proposed revision of the Seveso directive is expected to be between 100 and 150.
• The individual risks expected for the establishments that come under articles 6 and 7 of the proposed revision of the Seveso directive may exceed the MTR in roughly an equal number of cases as for establishments under article 9. From a viewpoint of risk it is therefore relevant to consider these establishments under articles 6/7.
7. Concluding remarks
In the Netherlands the risk management approach provides an adequate tool to assess risk from major hazard sites in relation to their (populated) environment. The system uses the weighting of quantified risks to set acceptability criteria, allowing for the evaluation of the hazardous activity by considering risk reducing measures at the source and the application of zoning distances to vulnerable external objects.
With the Seveso-II directive new elements have to be implemented in national legislation, amongst others in the field of safety management of potentially hazardous establishments. For the Dutch administration this provides a welcome opportunity to increase the effectiveness and efficiency of regulation by combining existing and new information requirements. The intention is to have operators of hazardous plants in future submit only one form of integrated safety reporting to the local competent authorities. At this moment the involved ministries of Housing, Spatial Planning and Environment, responsible for legislation on external safety, the Ministry of Labour, responsible for legislation on labour safety, and the Ministry of Internal Affairs, responsible for disaster and emergency planning, collaborate very closely in the implementation of Seveso-II, with the integration of policies playing an important role.
In one project, a guidance manual for setting up and reviewing the Seveso-II notification requirements into one safety report will be produced. Another project will produce a guidance manual for the required organisation of public administration.
Apart from the obvious obligations to implement the articles of Seveso-II, at present it is too early to give definite information on where the present initiatives will lead us. The two projects mentioned will produce assessments of what will be possible.
The study association "dispuut dQ"
The "dispuut dQ" is a study association which aims for higher quality and skills of its members of the department "Design and Construction", faculty of Mechanical Engineering at the Eindhoven University of Technology.
General
The study association wants to achieve its goals through:
• Arranging contacts between industry and university.
• Promoting social contacts and relationships.
To achieve this the study association organises study tours and business excursions to take a look at industrial practice. Future engineers can acquire knowledge of management in the Netherlands and in foreign countries, which results in interesting comparisons. Besides this the study association organises symposia for students, university employees and industry. These contacts between the different groups can result in productive relations such as graduation assignments, product innovations etc.
Composition
The study association is formed by students and employees of those sections of the department which deal with research, design and reliability of equipment for heat and mass transfer processes. All student members are in the final stage of their study.
The supporters of the study association "dispuut dQ" can be distinguished as follows:
• The industry
• Students who are graduating at the above described sections
• Employees of those sections
Concern
If you, or your company, are interested in the activities of the study association "dispuut dQ", then you can become a supporter. The supportership offers a contact with the Eindhoven University of Technology, especially with the specific sections, its students and employees.
For more information:
Stichting "dispuut dQ"
Technische Universiteit Eindhoven, W-laag 1.19
Postbus 513, 5600 MB Eindhoven
tel. +31 40 247 2110
fax +31 40 243 3445
"Reliability of Mechanical Equipment"
Faculty of Mechanical Engineering
Eindhoven University of Technology
The relatively young section 'Reliability of Mechanical Equipment' has been active since 1993 with the following mission:
Research on, and implementation of, methods and tools for reliability and safety assessment and optimisation of industrial products and processes.
This mission is being realised by assisting industry in the development of safe and reliable products and processes by means of:
Areas in which this research is performed can be split into main fields:
Especially recent developments in this last research area were the main motive for the participation of our section in organising this symposium.
Printing
"De Witte" Offsetdrukkerij B.V.
Eindhoven