
IEC-61508 Implementing a Compliance Program






Presentation Transcript


  1. IEC-61508 Implementing a Compliance Program • Motivation • Education • Implementation

  2. Overview

  3. Overview

  4. Overview

  5. Motivation • Do you or your company believe in the infallibility of Engineered systems?

  6. Motivation • Roche Ireland does not have this delusion • 25 + years operational experience • Including some close calls • Reality has motivated our safety culture.

  7. Education Much of the rest of this presentation has been generated from training presentations given in Roche Ireland to • Management • Process Engineering • Instrument / Electrical Engineering

  8. Education Need to educate yourself : • Guidelines for Safe Automation of Chemical Processes {CCPS/AIChE} • ISA S84 • Functional Safety, {Smith & Simpson} • IBC conferences • Various WWW resources (exida/ sis-tech etc)

  9. IEC-61508, SOP 973 • Functional safety of electrical / electronic & programmable electronic safety-related systems. • Critical Protective equipment - Safety Instrumented Systems

  10. IEC-61508, SOP 973 • Safety requires protection from hazards of different causes (movement, heat, radiation, electrical shock, etc.) • “Functional Safety” means protection from hazards due to incorrect functioning. [Diagram: “Safety” = protection against heat, radiation, electrical shock, ... and against hazards due to incorrect function]

  11. IEC-61508 Will Affect: • Process Engineers • Instrument/Electrical Designers • Mechanical Engineering • Commissioning:- Extra Effort • Documentation:- Extra Effort

  12. IEC-61508 is legally vague • Not legislation • Meets the ‘reasonably practicable’ duty under the Safety, Health and Welfare at Work Act, 1989 • Have to put in place a compliance program.

  13. [Figure 65-1: risk (deaths/year) bands. Intolerable region above 1 x 10^-4; ALARP region between 1 x 10^-4 and 1 x 10^-6; negligible risk below 1 x 10^-6.]

  14. RISK Reduction - ALARP • As low as reasonably practicable. • IEC 61508 is based on the ALARP concept. • ALARP concerns the region of risk between the intolerable and negligible limits. • Risk is an emotive and irrational thing. • Commonly accepted values are: upper limit 1 x 10^-4 deaths per year; lower limit 1 x 10^-6 deaths per year.

  15. Safety life cycle - milestone approach • ISA S84 life cycle depicted in Fig 65-3. • ISA S84 focuses on Box 9 of IEC 61508.

  16. [Figure 64-1: protection layers – passive systems layer, active systems layer, control systems layer. Elements shown: fail-safe design, one-way valves, intrinsic safety, bursting discs, pressure relief valves, ESD, duality, back-up, diagnostics, F&G, alarm handling, alarms, trips & interlocks.]

  17. [Figure 65-3: safety life cycle] Start → 1 Conceptual process design → 2 Perform process HAZAN & risk assessment → 3 Apply Category 0 protection systems to prevent hazards & reduce risk → 4 Are any Category 1 protection systems required? (No / Yes) → 5 Define target safety integrity levels (SIL) → 6 Develop safety requirements specification (SRS) → 7 Conceptual design of active protection systems & verify against SRS → 8 Detailed design of protection system → 9 & 10 Installation, commissioning and pre-start-up acceptance testing → 11 Establish operating & maintenance procedures → 12 Pre-start-up safety review → 13 Protection system start-up, maintenance & periodic testing → 14 Modify protection system? (yes → back into the life cycle) → 15 Decommission system → End

  18. Process Engineering • First Stage of realisation of high-integrity safety instrumented systems • Modified PHA • Feeds into SRS • Based on good process data & good process judgement.

  19. Process Chemistry • Carius Tube test for decomposition • Pressure Dewar Calorimetry • Understanding of Exotherms • Knowledge of onset temperatures • {Chilworth}

  20. Process Engineering • Good process judgement. • Hazop • Margins of safety

  21. Hazard identification, Interlock Identification • Reactant being transferred in from Reactor 1 without agitation could accumulate & react in a sudden, violent manner. • Reactor 2 Inlet valve 205 should OPEN only if agitator ON

  22. Hazard identification, Interlock Identification • Simplified Technique. • MIL Std 882

  23. Consequences • Consequence of this is overpressure, loss of batch, over-temperature, possible destruction of vessel. • 1 week downtime to recover. • Fatality or Serious injury unlikely. • Critical • (C2)

  24. Occupancy factor • Building is continually occupied • (F2)

  25. Manual Avoidance factor • There is quite a good chance of an operator observing that something is going wrong & intervening successfully. • (P1)

  26. Unmitigated demand rate. • Likely to occur once every 5 years. • Occasional • The process is DCS automated. • DCS is not a SIS – no SIL rating. • DCS control reduces frequency of Unmitigated Demand. • (W2)

  27. [Risk graph, EN 954 approach: parameters C1–C4 (consequence), F1/F2 (frequency/occupancy), P1/P2 (possibility of avoidance) and W1–W3 (demand rate); the cells give the required level (1–4), from least risk at top-left to most risk at bottom-right, with “Start” at C2/F2. The individual cell values are not reliably recoverable from the transcript.]

  28. Roche Consequences

  29. Roche ‘unmitigated’ demand rate.

  30. Instrument / Electrical Design • Second Stage of realisation of high-integrity safety instrumented systems • Modified Instrument design • Modified Instrument Commissioning • Feeds into SRS

  31. Table 65-1

  SIL | Hazard reduction factor HRF | Demand mode: PFD (fractional) | Demand mode: Availability A (fractional) | Continuous mode: failure rate λ (failures per hr)
  1   | >10^1 | 10^-1 to 10^-2 | 0.9 to 0.99       | 10^-5 to 10^-6
  2   | >10^2 | 10^-2 to 10^-3 | 0.99 to 0.999     | 10^-6 to 10^-7
  3   | >10^3 | 10^-3 to 10^-4 | 0.999 to 0.9999   | 10^-7 to 10^-8
  4   | >10^4 | 10^-4 to 10^-5 | 0.9999 to 0.99999 | 10^-8 to 10^-9

  32. Equipment implications • SIL value is measure of quality of protection system, end to end. • System has to be designed, specified, built and maintained to that standard. • Proof testing at regular intervals • Conformance assessment for safety systems

  33. PFD Calculation • Simplified Equation • ISA-TR84.00.02-2002 Part 2 • Equation B.34 – Rare event approximation • “Adequate” for SIL 1 or 2, where the plant is well controlled, well maintained, understood process, conservative engineering with good mechanical integrity

  34. PFD Calc. Motion Sensor • MTBF = Mean (Average) time between failures • Information provided by vendor. • MTBF = 86 Years

  35. PFD Calc. Motion Sensor Failures can be • fail to danger (Falsely shows agitator moving)or • fail to safe (Falsely shows agitator stopped) • Aim of good design is to maximise fail to safe, minimise fail to danger. The failure mode split is the percentage in the fail to danger category. • Failure mode split = .1 (SA estimate)

  36. PFD Calc. Motion Sensor • Proof test interval = 1 year (8760 hours) • Time between re-tests of the interlock. • Need to be genuine tests

  37. PFD Calc. Motion Sensor • 86 years * 8760 hours/year = 753,000 (MTBF in hours) • λ = 1/MTBF = 1.30 E-6 failures per hour • FMS = .1 • Proof test = 1 year (8760 hours) • PFD(SS) = 1.30 E-6 * .1 * 1 * (8760/2) • PFD(SS) = .0006

  38. PFD Calc. Barrier 6 • MTBF = 4 Years • Failure mode split = .4 • Proof test interval = 1 year (8760 hours) • λ = 1/MTBF = 2.87 E-5 failures per hour • PFD(B6) = 2.87 E-5 * .4 * 1 * (8760/2) • PFD(B6) = .0500

  39. PFD Calc. Relay 5 • MTBF = 100 Years • Failure mode split = .01 • Proof test interval = 1 year (8760 hours) • λ = 1/MTBF = 1.14 E-6 failures per hour • PFD(R5) = 1.14 E-6 * .01 * 1 * (8760/2) • PFD(R5) = .00005

  40. PFD Calc. Main Barrier • MTBF = 10 Years • Failure mode split = .9 • Proof test interval = 1 day (24 hours) • λ = 1/MTBF = 1.14 E-5 failures per hour • PFD(MB) = 1.14 E-5 * .9 * 1 * (24/2) • PFD(MB) = .00012 (the original slide shows .001242, which does not follow from the figures above: 1.14 E-5 * .9 * 12 = 1.23 E-4)

  41. PFD Calc. Solenoid • MTBF = 10 Years • Failure mode split = .4 • Proof test interval = 1 day (24 hours) • λ = 1/MTBF = 1.14 E-5 failures per hour • PFD(SOL) = 1.14 E-5 * .4 * 1 * (24/2) • PFD(SOL) = .00006

  42. PFD Calc. Valve & Actuator • MTBF = 10 Years • Failure mode split = .2 • Proof test interval = 1 day (24 hours) • λ = 1/MTBF = 1.14 E-5 failures per hour • PFD(VA) = 1.14 E-5 * .2 * 1 * (24/2) • PFD(VA) = .00003

  43. PFD Calc. Overall • PFD(VA) = .00003 • PFD(SOL) = .00006 • PFD(MB) = .00012 • PFD(R5) = .00005 • PFD(B6) = .0500 • PFD(SS) = .0006 • PFD = .051 => SIL 1 (Barrier 6 alone accounts for almost the whole loop PFD)

  44. [PFD Mapping: stacked chart of the element PFDs (instrument, barrier, logic, relay, barrier, valve) and the overall loop PFD against the ΣPFD = 10% SIL 1 limit and the ΣPFD = 1% SIL 2 limit.]

  45. PFD Calc. Issues • Elements in series: U_SYS ≈ Σ U_i (eq. 62-16) • Elements in parallel: U_SYS ≈ Π U_i (eq. 62-17) • Common cause failure: λ_SYS = λ_IND + β · λ_MAX (eq. 62-18) • Voting systems: U_KooN ≈ n · U^k (eq. 62-19) • For more complex systems – Fault Tree Analysis using ISA-TR84.00.02-2002 Part 3. • “Probabilistic Risk Assessment” – Henley, E J
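The per-element rare-event approximation of slides 34–43 and the series/parallel/common-cause rules of slide 45, carried through as a worked calculation. This is an added example written for this page, not code from the presentation or from Roche; it uses the MTBF, failure-mode-split and proof-test figures exactly as the slides give them, reads the SIL off the Table 65-1 demand-mode bands, and then shows what duplicating the dominant element (Barrier 6, 1oo2) buys once a beta-factor common-cause term is included. The beta values (0 and 0.1) are assumptions for illustration and do not come from the slides.

```python
"""Worked PFD / SIL calculation for the agitator-interlock loop on the slides.

Per element (rare-event approximation, slides 37-42):
    lambda   = 1 / MTBF                 (failures per hour)
    lambda_D = lambda * FMS             (dangerous-failure rate)
    PFD_avg ~= lambda_D * T / 2         (T = proof-test interval, hours)
Loop PFD = sum of the element PFDs (series, eq. 62-16); the SIL is then read
from the Table 65-1 demand-mode bands.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    name: str
    mtbf_years: float
    fms: float           # failure-mode split: fraction of failures that are fail-to-danger
    proof_test_h: float  # proof-test interval in hours

    @property
    def lambda_d(self) -> float:
        """Dangerous failure rate per hour: (1 / MTBF) * FMS."""
        return self.fms / (self.mtbf_years * HOURS_PER_YEAR)

    @property
    def pfd(self) -> float:
        """PFD_avg ~= lambda_D * T / 2; only valid while lambda_D * T << 1."""
        x = self.lambda_d * self.proof_test_h
        if x > 0.3:  # rule-of-thumb guard, not a figure from the slides
            raise ValueError(f"{self.name}: lambda_D*T = {x:.2f}, approximation not valid")
        return x / 2.0


# Figures as given on slides 34-42 (MTBF in years, FMS, proof-test interval in hours).
LOOP = (
    Element("Motion sensor",     86, 0.10, 8760),
    Element("Barrier 6",          4, 0.40, 8760),
    Element("Relay 5",          100, 0.01, 8760),
    Element("Main barrier",      10, 0.90, 24),
    Element("Solenoid",          10, 0.40, 24),
    Element("Valve & actuator",  10, 0.20, 24),
)

# Table 65-1, demand mode: (SIL, PFD lower bound inclusive, PFD upper bound exclusive).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_for_pfd(pfd: float) -> int:
    """Map an average PFD onto the demand-mode SIL bands; 0 means no SIL claim."""
    if pfd < 1e-5:
        raise ValueError("below the SIL 4 band; the table defines nothing higher")
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def series_pfd(pfds) -> float:
    """Elements in series: U_SYS ~= sum of U_i (eq. 62-16)."""
    return sum(pfds)


def parallel_pfd(pfds) -> float:
    """Independent elements in parallel: U_SYS ~= product of U_i (eq. 62-17)."""
    out = 1.0
    for p in pfds:
        out *= p
    return out


def one_out_of_two_pfd(channel_pfd: float, beta: float) -> float:
    """Duplicated channel with a beta-factor common-cause term: a fraction beta
    of one channel's dangerous failures is assumed to defeat both channels, so
    that share of the PFD is not reduced by the redundancy (eq. 62-18 applied
    to PFD rather than to the raw rate)."""
    return parallel_pfd([channel_pfd, channel_pfd]) + beta * channel_pfd


def loop_pfd(elements=LOOP) -> float:
    return series_pfd(e.pfd for e in elements)


def dominant_element(elements=LOOP):
    """Which element eats the PFD budget, and its share (the 'PFD mapping' slide)."""
    total = loop_pfd(elements)
    worst = max(elements, key=lambda e: e.pfd)
    return worst.name, worst.pfd / total


def loop_pfd_with_redundant_barrier(beta: float, elements=LOOP) -> float:
    """Same loop, but with Barrier 6 duplicated 1oo2 at the given beta (assumed)."""
    b6 = next(e for e in elements if e.name == "Barrier 6")
    rest = [e.pfd for e in elements if e is not b6]
    return series_pfd(rest) + one_out_of_two_pfd(b6.pfd, beta)


if __name__ == "__main__":
    for e in LOOP:
        print(f"{e.name:18s} lambda_D = {e.lambda_d:.2e}/h   PFD = {e.pfd:.2e}")
    total = loop_pfd()
    print(f"loop PFD = {total:.4f} -> SIL {sil_for_pfd(total)}")
    name, share = dominant_element()
    print(f"dominant element: {name} ({share:.0%} of the loop PFD)")
    for beta in (0.0, 0.1):  # assumed illustrative values
        p = loop_pfd_with_redundant_barrier(beta)
        print(f"1oo2 Barrier 6, beta = {beta}: PFD = {p:.4f} -> SIL {sil_for_pfd(p)}")
```

Two things the numbers make visible that the slides only hint at: Barrier 6 alone is about 98% of the loop PFD, so the 1oo2 duplication is the only change worth modelling, and once a modest beta is applied the common-cause term (β · PFD) is larger than the independent term (PFD²), which is why the parallel product rule of eq. 62-17 on its own overstates the benefit of redundancy.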

  46. Design issues • Roche have decided that valve & actuator may be shared for SIL 1 only. • SIS & BPCS share barrier, solenoid, actuator & Valve. This is not recommended • Solenoid has local SMO, which might be OK for normal operation, but not for SIS.

  47. Design issues

  48. Design issues • ##### ####-# type barrier not recommended (TTL Logic switching – independent energy source) • No clear indication on loop sheet or in field of safety critical nature of instruments

  49. Design issues • Design of periodic re-test method is the instrument designers responsibility. • This would help facilitate periodic testing • Loop sheet to indicate safety critical nature of instruments
