11. The purpose of process safety management is to reduce the frequency and severity of potentially catastrophic chemical accidents.
12. IEC 61508: All industries (for product designers and manufacturers)
IEC 61511: Process industry sector
IEC 62061: Machinery sector
IEC 61513: Nuclear sector
The sector standards (IEC 61511, IEC 62061, IEC 61513) are for system designers, integrators and users.
ISA 84.01 mirrors IEC 61511.
16. BPCS
• Basic Process Control System
• Also: DCS, PAS
• PID control
• Discrete control
• Sequencing
• Batch automation
[Diagram: dynamic control loop made up of transmitter, controller, control element and workstation]
17. SIS
• Safety Instrumented System
• Emergency Shutdown (ESD)
• Burner Management System (BMS)
• Fire & Gas System (FGS)
[Diagram: transmitter, logic solver and final element]
A Safety Instrumented System (SIS) is defined as an instrumented system used to implement one or more safety instrumented functions (SIF), composed of any combination of sensor(s), logic solver(s) and final element(s). These systems are designed to take action to bring the equipment under control to a safe state when a process is beyond the range of normal operating limits and other layers of control, including operators and the basic process control system (BPCS), are unable to keep the process within safe operating limits.
22. SIL General description
4: Catastrophic community impact
3: Employee & community impact
2: Major property and production impact; possible injury to employee
1: Minor property and production impact
24. SIL | PFDavg | RRF
4 | ≥10^-5 to <10^-4 | >10,000 to ≤100,000
3 | ≥10^-4 to <10^-3 | >1,000 to ≤10,000
2 | ≥10^-3 to <10^-2 | >100 to ≤1,000
1 | ≥10^-2 to <10^-1 | >10 to ≤100
Source: IEC 61511-1, Table 3 – Safety Integrity Levels: probability of failure on demand
34. Organization and Responsibilities (Safety Leadership Team)
Safety Management Team
• Responsible for functional safety policies and procedures
• Responsible for ensuring policies and procedures are implemented by the organization
Project Leadership
• Responsible for functional safety management on projects
Safety Roles
• Competent personnel doing work on SIS
40. Functional safety assessment
Hazard and risk assessment is carried out.
PHA recommendations are implemented.
Design change procedures are in place and implemented.
Recommendations from the previous assessment are resolved.
SIS is properly validated against the SRS.
Procedures are in place for the Operate phase.
Employees are trained.
Future assessment plans are in place.
43. Verification Planning
Who?
• Responsible parties
• Levels of independence
What?
• Verification activities
• Items to be verified
• Information to be verified against
When?
• At which points verification will occur
How?
• Procedures, measures, techniques to be used
• Non-conformance management
• Tools and supporting analysis
50. Protection layers (diagram)
Prevent:
Process control layer – BPCS, process alarm, operator intervention
Safety layer – SIS / Emergency Shutdown System
Mitigate:
Active protection layer – Fire and Gas System
Passive protection layer – Containment, dike/vessel
Emergency response layer – Plant and emergency response
Process value over time: normal behavior → process alarm → operator intervention → trip level alarm → emergency shutdown → incident
51. Risk reduction across protection layers (diagram)
Axes: Likelihood vs. Consequence
Regions: Unacceptable Risk Region, ALARP Risk Region, Negligible Risk Region
Inherent Risk of Process → Non-SIS Preventative Safeguards → Non-SIS Mitigating Safeguards → SIS Risk Reduction (SIL1, SIL2, SIL3) → Overall Risk
The Overall Risk remaining after each stage is plotted against the Baseline Risk.
52. As low as reasonably practicable (ALARP)
Worker: intolerable risk above 10^-3 / man-year; negligible risk below 10^-5 / man-year
Public: intolerable risk above 10^-4 / year; negligible risk below 10^-6 / year
Between these bounds lies the ALARP or tolerable risk region.
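Added example, not from the slides: a layer-of-protection calculation that follows the slide 51 flow (inherent risk, then non-SIS safeguards, then the SIS), classifies the residual frequency against the slide 52 worker bounds, and sizes the SIS with Table 3 from slide 24. The initiating frequency, the layer PFDs and the scenario are constructed inputs, not figures from the page.

```python
# Added example: sizing a SIF by layer-of-protection arithmetic.
# Table 3 of IEC 61511-1 (slide 24): (SIL, PFDavg lower bound, PFDavg upper bound)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_for_pfd(pfd):
    """SIL band containing a required PFDavg; 0 means no SIL-rated function is needed."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    raise ValueError("required PFDavg below 1e-5 exceeds SIL 4: change the process design")


def residual_frequency(initiating_freq, layer_pfds):
    """Event frequency left after each independent layer fails in turn (slide 51 flow)."""
    freq = initiating_freq
    for pfd in layer_pfds:  # layers may only be credited if independent of each other
        freq *= pfd
    return freq


def alarp_region(freq, intolerable_above=1e-3, negligible_below=1e-5):
    """Classify a frequency with the slide 52 worker bounds (per man-year)."""
    if freq > intolerable_above:
        return "intolerable"
    if freq < negligible_below:
        return "negligible"
    return "ALARP"


def required_sis(initiating_freq, non_sis_pfds, tolerable_freq):
    """(required PFDavg, RRF, SIL) for the SIS, or None if non-SIS layers already suffice."""
    without_sis = residual_frequency(initiating_freq, non_sis_pfds)
    if without_sis <= tolerable_freq:
        return None
    pfd_needed = tolerable_freq / without_sis
    return pfd_needed, 1.0 / pfd_needed, sil_for_pfd(pfd_needed)


if __name__ == "__main__":
    # Constructed scenario: vessel overpressure after BPCS failure (slide 66 row),
    # credited layers: alarm plus operator intervention (0.1) and deluge system (0.1).
    initiating = 0.5   # BPCS failures per year, constructed value
    layers = [0.1, 0.1]
    target = 1e-5      # negligible-risk bound for workers from slide 52
    print("without SIS:", residual_frequency(initiating, layers),
          alarp_region(residual_frequency(initiating, layers)))
    print("SIS needed (PFDavg, RRF, SIL):", required_sis(initiating, layers, target))
```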
53. Government mandates for tolerable risk levels
[Bar chart, log scale from 10^-2 to 10^-9 per year: Australia (NSW), Hong Kong, Netherlands, United Kingdom]
The United States does not set tolerable risk levels, or offer guidelines.
54. Chemical industry benchmarks for tolerable risk
[Bar chart, log scale from 10^-2 to 10^-9 per year: Company I, Company II, Company III, Small companies]
Large, multinational chemical companies tend to set levels consistent with international mandates.
Smaller companies tend to operate in wider ranges and, implicitly, at higher levels of risk.
55. Quantitative Risk Assessment
Disadvantages:
• Time consuming
• Resource intensive
• Complex, difficult to use
• Can produce same results via qualitative analysis
Advantages:
• More rigorous
• Least conservative
• Good for complex scenarios
• Better quantification of incremental protection layers
56. Qualitative Risk Assessment
Disadvantages:
• High subjectivity
• Inconsistent results
• Hard to document rationale
• Not much resolution between protection layers
Advantages:
• Easy to use
• Good for subjective consequence assessment
• Good for screening and categorizing hazards
• Team approach provides better evaluations
57. Risk Reduction
Risk is reduced in one of two ways.
Prevention – Reducing the likelihood of a risk. No smoking policies enforced around gasoline pumps reduce the likelihood of a fire, but don't change the consequence of a fire.
Mitigation – Reducing the consequence of a risk. Fire insurance reduces the financial consequence of a fire, but does nothing to change the likelihood of a fire.
Either prevention or mitigation will reduce risk. A combination of both might be more effective than either alone.
58. Prevention – Reducing likelihood
Avoidance – Avoiding a hazardous activity altogether.
Simplification – Minimizing or eliminating the chances for human error or equipment failure.
Substitution – Replacing process chemicals, technology or process equipment with less hazardous options.
Primary containment – Using equipment designed or built to higher codes or standards.
Process control – Using automated procedures and control systems to reduce or limit the demands on the process.
Detection and suppression – Providing independent active systems which override the normal process when unsafe conditions are detected.
59. Mitigation – Reducing Consequence
Reduction – Reducing the amount of hazardous chemical used or stored in the process, and reducing the number of dangerous pieces of equipment in use.
Dilution – Operating with large volumes of reduced concentrations so that the outcome of a release will be less intense.
Intensification – Operating at more intense conditions so that rates can be maintained with less chemical in the process.
Secondary containment – Using systems capable of capturing and holding releases until they can be safely treated.
Emergency response – Providing training, plans and capabilities for plant staff, public safety personnel and the general public to react appropriately to a hazardous event.
60. Hazard and Risk Assessment
Objective: This assessment is conducted to identify hazards and hazardous events of the process and associated equipment, process risks, requirements for risk reduction, and safety functions necessary to achieve an acceptable level of risk.
Outputs: A description of the hazards, of the required safety function(s), and of the associated risks, including:
Identified hazardous events and contributing factors
Consequences and likelihood of the event
Consideration of operational conditions (startup, normal, shutdown)
Required risk reduction to achieve required safety
References and assumptions
Allocation of safety functions to layers of protection
Identified safety functions as SIFs
Responsibility: Process manufacturer
66. Item | Deviation | Causes | Consequences | Safeguards | Action
Vessel | High level | Failure of BPCS | High pressure | Operator | –
Vessel | High pressure | 1) High level 2) External fire | Release to environment | 1) Alarm operator, protection layer 2) Deluge system | Evaluate conditions for release to environment
Vessel | Low / no flow | Failure of BPCS | No consequence of interest | – | –
Vessel | Reverse flow | – | No consequence of interest | – | –
67. Qualitative risk analysis – Safety layer matrix
Rows: consequence severity category. Columns: number of non-SIS protection layers (1, 2, 3), each split by consequence frequency category (Low / Med / High). Cell value: SIL requirement; "–" marks a blank cell (blank positions are inferred from the reading order of the extracted values).
Severity  | 1 layer: Low Med High | 2 layers: Low Med High | 3 layers: Low Med High
Extensive |          3   3   3*   |           1   2   3    |           –   1   1
Serious   |          1   2   3    |           –   1   2    |           –   –   –
Minor     |          –   1   2    |           –   –   1    |           –   –   –
68. Process Industry I/O by Safety Integrity Level (pie chart)
SIL 1: 51%
SIL 2: 32%
SIL 3: 8%
SIL 4: 1%
No SIL: 8%
Source: Exida, Safety and Critical Control Systems in Process and Machine Automation, July 2007
70. Safety Requirement Specification
The SRS specifies the requirements for the SIS in terms of the required safety instrumented functions, in order to achieve the required functional safety.
Responsibility: Process manufacturer, with support from the engineering contractor and/or SIS supplier
71. SRS should include:
Identification of all SIFs necessary for the required functional safety
Identified common cause failures
Defined safe state for each SIF (normally energized, normally de-energized)
Demand rate for SIFs
Proof test intervals
Response time required
SIL for each SIF
SIS process measurements and trip points
SIS process outputs for successful operation
Relationship of inputs, outputs and logic required
Manual shutdown, overrides, inhibits, and bypass requirements
Starting up and resetting of the SIS
Allowable spurious trip rate
SIF requirements for each operational mode
Mean time to repair for the SIS
Identified dangerous combinations of SIS output states
Identified extreme environmental conditions
Identified normal and abnormal modes, and requirements for the SIS to survive a major event
72. Primary Causes of SIS Failure (pie chart)
Specification: 44%
Changes after commissioning: 21%
Operation and maintenance: 15%
Design & implementation: 14%
Installation & commissioning: 6%
Source: Health and Safety Executive Agency (USA)
77. Design and Engineering of the Safety Instrumented System
Select technology → Select architecture → Determine test philosophy → Reliability evaluation → Detailed design
Iterate if requirements are not met.
84. Safety PLC (SIS Logic Solver)
Voting architectures: 1oo2, 2oo3, 2oo2, 1oo2D, 2oo4
Centralized Logic Solver
– 100's of SIFs in one box.
– Good for large projects.
– Single point of failure.
Modular Logic Solver
– Isolates SIFs.
– Scalable for large & small projects.
– Eliminates single point of failure.
91. Device Type | SFF | HFT = 0 | HFT = 1
Type A | <60% | SIL 1 | SIL 2
Type A | 60% to <90% | SIL 2 | SIL 3
Type A | 90% to <99% | SIL 3 | SIL 4
Type A | ≥99% | SIL 3 | SIL 4
Type B | <60% | Not allowed | SIL 1
Type B | 60% to <90% | SIL 1 | SIL 2
Type B | 90% to <99% | SIL 2 | SIL 3
Type B | ≥99% | SIL 3 | SIL 4
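Added example, not from the slides: computing the safe failure fraction from FMEDA-style failure rates (safe detected, safe undetected, dangerous detected, dangerous undetected) and reading the maximum SIL off the table above for HFT 0 and 1. The failure rates are constructed values; the SIL from this table is only the architectural ceiling, and the PFDavg of the SIF must separately meet its target.

```python
# Added example: safe failure fraction (SFF) against the architectural-constraint table above.
# Each row: (SFF upper bound, max SIL at HFT 0, max SIL at HFT 1); 0 stands for "Not allowed".
ARCH_CONSTRAINTS = {
    "A": ((0.60, 1, 2), (0.90, 2, 3), (0.99, 3, 4), (float("inf"), 3, 4)),
    "B": ((0.60, 0, 1), (0.90, 1, 2), (0.99, 2, 3), (float("inf"), 3, 4)),
}


def sff(lam_sd, lam_su, lam_dd, lam_du):
    """Safe failure fraction: every failure except dangerous undetected counts as 'safe'."""
    total = lam_sd + lam_su + lam_dd + lam_du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return 1.0 - lam_du / total


def max_sil(device_type, sff_value, hft):
    """Architectural SIL ceiling for a device type, SFF and hardware fault tolerance."""
    if hft not in (0, 1):
        raise ValueError("the table covers HFT 0 and 1 only")
    for upper, sil_hft0, sil_hft1 in ARCH_CONSTRAINTS[device_type]:
        if sff_value < upper:
            return sil_hft0 if hft == 0 else sil_hft1
    raise AssertionError("unreachable: the last row has no upper bound")


def claimable_sil(device_type, rates, hft):
    """(SFF, SIL ceiling) for one device; rates = (SD, SU, DD, DU) in failures per 1e9 h."""
    value = sff(*rates)
    return value, max_sil(device_type, value, hft)


if __name__ == "__main__":
    # Constructed FMEDA-style rates (per 1e9 h) for a Type B (microprocessor-based) transmitter.
    plain = (100, 200, 600, 150)      # SFF 0.857: SIL 1 alone, SIL 2 with HFT 1
    diagnosed = (100, 200, 700, 50)   # extra diagnostics move DU into DD: SFF 0.952
    for label, rates in (("plain", plain), ("diagnosed", diagnosed)):
        for hft in (0, 1):
            print(label, "HFT", hft, claimable_sil("B", rates, hft))
    print("Type B, SFF 50%, HFT 0 ->", max_sil("B", 0.5, 0), "(0 = not allowed)")
```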
92. Proof test philosophy
Select technology → Select architecture → Determine test philosophy → Reliability evaluation → Detailed design
Proof test frequency – 5 yrs, 1 yr, 6 mos, 3 mos?
Online vs. offline proof testing.
Turnaround schedule?
Total SIF proof test, or proof test components on different intervals?
96. SIL | PFDavg | RRF
4 | ≥10^-5 to <10^-4 | >10,000 to ≤100,000
3 | ≥10^-4 to <10^-3 | >1,000 to ≤10,000
2 | ≥10^-3 to <10^-2 | >100 to ≤1,000
1 | ≥10^-2 to <10^-1 | >10 to ≤100
Source: IEC 61511-1, Table 3 – Safety Integrity Levels: probability of failure on demand
100. Installation, commissioning, and Validation
Installation – Install the SIS according to specifications and drawings.
Commissioning – Commission the SIS so that it is ready for final system validation.
Validation – Validate, through inspection and testing, that the SIS achieves the requirements stated in the SRS.
Validation is the key difference between control and safety systems.
104. Operation and Maintenance Planning
Who?
• Responsible parties
• Competence and training
What?
• Routine and abnormal operation activities
• Proof testing and repair maintenance activities
• Recording of events and performance
When?
• Proof testing frequencies
• On process demand
• On failure of SIS
How?
• Procedures, measures, techniques to be used
• Non-conformance management
• Tools and supporting analysis
106. Proof Testing
• Reveals dangerous faults undetected by diagnostics
• Entire SIS tested: sensors, logic solver, final element
• Frequency determined during SIF design.
Inspection
• Ensures no unauthorized changes or deterioration of equipment
107. Tests and Inspections Documentation
Description of tasks performed
Dates performed
Name of person(s) involved
Identifier of system (loop, tag, SIF name)
Results (“as-found” and “as-left”)
109. Sensor testing options
Safely test the SIF using actual process variables
Test sensors in-situ by other means
Perform wiring continuity test
Remove sensor and test on bench
Use smart features to test electronics and wiring continuity
110. Example – Rosemount 3051S Proof Test
Proof Test 1: Analog output loop test. Satisfies proof test requirement; coverage >50% of DU failures.
Proof Test 2: 2-point sensor calibration check. Coverage >95% of DU failures.
Note – user to determine impulse piping proof test.
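Added example, not from the slides or from Rosemount: simplified PFDavg equations for the voting architectures of slide 84, used to answer the proof test interval question of slide 92 against a PFDavg target taken from the Table 3 bands of slide 96, plus the effect of the partial proof test coverage figures of slide 110. The failure rate, common-cause factor, service life and the repair-time-free closed-form equations (ISA TR84.00.02 style simplifications) are assumptions of this example.

```python
# Added example: PFDavg of voting architectures vs. proof test interval and test coverage.
HOURS_PER_YEAR = 8760.0

def pfd_avg(arch, lam_du, ti_h, beta=0.05):
    """Average PFD of a group of identical channels under full-coverage proof tests.

    Simplified equations (repair time neglected): lam_du is the dangerous
    undetected failure rate per hour, ti_h the proof test interval in hours,
    beta the common-cause fraction shared by redundant channels (assumed 5%).
    """
    x = lam_du * ti_h  # expected dangerous undetected failures per test interval
    if arch == "1oo1":
        return x / 2
    if arch == "2oo2":  # both channels must act: double the exposure
        return x
    if arch == "1oo2":  # either channel can trip; the common-cause term dominates
        return x ** 2 / 3 + beta * x / 2
    if arch == "2oo3":  # majority vote
        return x ** 2 + beta * x / 2
    raise ValueError(f"unsupported architecture: {arch}")

def pfd_avg_partial_coverage(lam_du, ti_h, coverage, life_h):
    """1oo1 PFDavg when a proof test reveals only 'coverage' of the DU faults; the
    remainder stays hidden until the device is replaced after life_h hours."""
    return coverage * lam_du * ti_h / 2 + (1 - coverage) * lam_du * life_h / 2

# Candidate intervals from slide 92, in years
INTERVALS = {"3 mos": 0.25, "6 mos": 0.5, "1 yr": 1.0, "5 yrs": 5.0}

def longest_interval(arch, lam_du, target_pfd, beta=0.05):
    """Longest candidate interval keeping PFDavg under target_pfd, or None if none does."""
    best = None
    for name, years in sorted(INTERVALS.items(), key=lambda kv: kv[1]):
        if pfd_avg(arch, lam_du, years * HOURS_PER_YEAR, beta) < target_pfd:
            best = name  # PFDavg grows with the interval, so the last pass is the longest
    return best

if __name__ == "__main__":
    LAM_DU = 1.0e-6      # constructed: one DU failure per 1e6 h per channel
    SIL3_UPPER = 1.0e-3  # PFDavg must stay below this for SIL 3 (Table 3, slide 96)
    for arch in ("1oo1", "2oo2", "1oo2", "2oo3"):
        print(arch, "longest interval for SIL 3:", longest_interval(arch, LAM_DU, SIL3_UPPER))
    life = 15 * HOURS_PER_YEAR  # assumed service life before replacement
    for cov in (0.50, 0.95):    # slide 110: loop test vs. calibration check coverage
        print(f"coverage {cov:.0%}:", pfd_avg_partial_coverage(LAM_DU, HOURS_PER_YEAR, cov, life))
```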
111. Valve Testing Options
Offline
• Total stroke (process is down)
Online
• Total stroke (by-pass in service)
• Component test (solenoid valve)
• Partial stroke
112. Conventional testing methods
• Process unprotected during testing
• SIF not returned to normal after testing
• Risk of spurious trip
• Manually initiated in field
• Manpower intensive
• Subject to error
114. Source: Instrument Engineers' Handbook, Table 6.10e – Dangerous Failures, Failure Modes, and Test Strategy
Failure | Failure mode | Partial stroke | Full stroke
Valve packing is seized | Fails to close | X | X
Valve packing is tight | Slow to move | X | X
Actuator air line crimped | Slow to move | X | X
Actuator air line blocked | Fails to close | X | X
Valve stem sticks | Fails to close | X | X
Valve seat is scarred | Fails to seal off | – | X
Seat contains debris | Fails to seal off | – | X
Seat plugged | Fails to seal off | – | X