Functional Safety

Safety

Copyright 2012 IHS Inc.

Function Safety Functional Safety (per IEC 61508 definition)

Part of the overall safety relating to the process and the Basic Process Control System (BPCS) which depends on the correct functioning of the SIS and other protection layers.

Is determined considering the system as a whole. Has to consider the environment with which it interacts .
Copyright 2012 IHS Inc.

Functional Safety vs. Non-Functional Safety

Example of Functional Safety: Over-temperature protection device of an electric motor to deenergise the motor before overheat. Example of non-Functional Safety: Providing specialised insulation to withstand high temperatures

Copyright 2012 IHS Inc.

10" Line

Offgas to Compressor
PCV Com pressor Shutdow n Interlock

Flash Gas
PSV

Demister Gas & Liquid Feed 12" Line Separator Vessel V-1 @ 300 psig
LAHH 1

To Flare

LAH 1

Separator Vessel V-2 @ 50 psig

LIC 2

LG 1

LIC 1

4"Line
LCV 1

6"Line

LCV 2

Liquid Effluent

3"

3"Bypass Plant Field Operator

STEP Example: Schematic for Gas Compression Train

Copyright 2012 IHS Inc.

Example of Functional Safety: High level protection device to prevent liquid carry over from vessel to compressor

Safety Functions
Safety functions are implemented by safety related systems such as: Safety Instrumented System (SIS) Safety related technology, e.g. PSV External risk reduction facilities, e.g. Drain system, dike which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event

Copyright 2012 IHS Inc.

Determine Necessity of Functional Safety

First, consider inherent safety through design to control hazards Perform Hazard and Risk Assessment (H & RA) 1. Identify Hazards 2. Evaluate Risk 3. Determine Risk reduction 4. Identify Safety Functions Hazard and Risk Assessment determines necessity of functional safety
Copyright 2012 IHS Inc.

Functional Safety - Example

E xa m ple : S im p lifie d D iag ra m of g as fire d fu rn ac e

C om b ustio n C ha m b er

F la m e D e te cto r safe ty trip o n fla m e failu re F C V 1 M a in L in e N atu ra l G as PCV 2

Copyright 2012 IHS Inc.

B u rn e rs

F C V 2 P ilo t L in e

PSH 1

In terlo ck sh u ts F C V -1 a n d F C V -2

PAH 1

Functional Safety - Example

Suppose that a process plant has a large fired heater. HA identifies that the combustion chamber could explode if there is a buildup of unburned gas and air after a loss of flame event. This could happen if the gas supply is not shut off as soon as the flame is lost.

A Safety Function is needed: Flame detection sensors that will trip out the main and pilot gas supplies as soon as the flame is lost and start the purge timer to prevent startup of the pilot flame for a specified period of time.

Copyright 2012 IHS Inc.

Functional Safety - Example

Hazards & Risk Assessment: Ensures that the safety integrity of the safety function is sufficient so no one is exposed to an unacceptable risk associated with the hazardous event. The following are evaluated:

Potential damage due to explosion Frequency of a flame out incident that leads to explosion
Copyright 2012 IHS Inc.

Severity Likelihood

Safety Integrity

Functional Safety To summarize : Hazard Analysis identifies what has to be done Risk assessment determines safety integrity of safety system required to reduce the risk to an acceptable level
Copyright 2012 IHS Inc.

What safety function has to be performed? What degree of certainty is necessary that the safety function will be carried out ?

Functional Safety Challenges in Achieving Functional Safety

High complexity Difficult to predict safety performance

Designing in a way to prevent dangerous failures or to control them when they arise is a challenge. Dangerous failures : Failure which has the potential to put the safety instrumented system in a hazardous or fail-to-function state.
Copyright 2012 IHS Inc.

Functional Safety Dangerous failures may arise from:

Incorrect specifications Omissions in the safety requirements specification Random hardware failure mechanisms Systematic hardware failure mechanisms Software errors; Common cause failures; Human error; Environmental influences Supply system voltage disturbances

IEC 61508 contains requirements to minimise these failures

Copyright 2012 IHS Inc.

Safety Instrumented Function & Safety Instrumented System

Safety Instrumented System

Safety Instrumented Systems:

Instrumentation or controls that are installed for the purpose of mitigating the hazard or bring the process to a safe state in the event of a process upset.

Copyright 2012 IHS Inc.

Safety Instrumented System

Measure Respons e

Copyright 2012 IHS Inc.

Think

Safety Instrumented Function

ANSI/ ISA-84.00.01-2004 (IEC 61511 Mod) defines

SIF as a: Safety function with a specified Safety Integrity Level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function

Copyright 2012 IHS Inc.

Safety Instrumented Function

Instrumented loops that address a specific risk It intends to achieve or maintain a safe state for the

specific hazardous event. A SIS may contain one or many SIFs and each is assigned a Safety Integrity Level (SIL). As well, a SIF may be accomplished by more than one SIS.

Copyright 2012 IHS Inc.

Examples of SIF in Process Industry

Flame failure in the furnace initiates fuel gas ESDVs to

close High fuel gas pressure initiates fuel gas ESDV (Emergency shutdown valve) High level in the vessel initiates Compressor shut down Loss of cooling liquid to reactor trips isolation and depressurization of reactor

Copyright 2012 IHS Inc.

Safety Integrity
Average probability of a SIS satisfactorily performing

the required SIF(s) under all the stated conditions within a stated period of time.
There are 4 levels. Measure by failure rate in the dangerous mode of

failure or the probability of a SIF failing to operate on demand.

Copyright 2012 IHS Inc.

10

Safety Integrity Levels:

Probability of failure on demand

Copyright 2012 IHS Inc.

Safety Integrity Levels

What is PFD?
It is statistical representation of the integrity of

the SIS when a process demand occurs.

A demand occurs whenever the process

reaches the trip condition and causes the SIS to take action.

Copyright 2012 IHS Inc.

11

Safety Integrity Levels:

frequency of dangerous failures of the SIF

Copyright 2012 IHS Inc.

When would SIS be required? When HA has determined that the

mechanical integrity of the process equipment the process control and other protective equipment

are insufficient to mitigate the potential hazard. Then, one should consider installing Safety Instrumented System as an additional means for risk reduction.
Copyright 2012 IHS Inc.

12

SIS Design Requirements

Meet Functional Safety Requirements Fail Safe Meet Standards & Regulations Cost Effective

What are you trying to achieve when you design a SIS ???

Minimize Falsely Trip Detect Dangerous Failures

Copyright 2012 IHS Inc.

Design Manual Testing Procedure

SIS Versus BPCS

13

Two Phase Separator

PSV 170

To Flare To Compressor, C 130 Shutdown Compressor C 130

I
ESDV 172

Two-phase flow hydrocarbons

LT 214

LSHH 214

LAHH 214

V 180
LT 213

LC 213

LCV 213

Copyright 2012 IHS Inc.

Two Phase Separator

PSV 170

SIS: Monitors a process variable (Level in this case) and initiates action when required (trips ESDV 172 and shutdown compressor C130)
Two-phase flow hydrocarbons

To Flare To Compressor, C 130 Shutdown Compressor C 130

I
ESDV 172

LT 214

LSHH 214

LAHH 214

V 180
LT 213

BPCS: Maintain a process variable within prescribed limits (Level in this case)
Copyright 2012 IHS Inc.

LC 213

LCV 213

14

Two Phase Separator

PSV 170

To Flare To Compressor, C 130 Shutdown Compressor C 130

SIS: Hard to detect failure. Typically operates on static boolean variables.

I
ESDV 172 LT 214 LSHH 214

Two-phase flow hydrocarbons

LAHH 214

V 180
LT 213

BPCS: Signals are dynamic; easier to detect failures, e.g. out of range signals, flat line outputs etc.
Copyright 2012 IHS Inc.

LC 213

LCV 213

Safety Control vs. Process Control

Process Control Control type Functions Active, complex Maintain variables within a range. Obtain best performance from the process within safe limits. Auto, manual, supervisory Open systems, Use Fieldbus Easy to make, password protected configurable parameter changes Limited Required to maintain high availability Safety Control Passive, simple, direct acting Monitor a process variable which is strictly defined. Designed to guard the system against hazardous events. Auto, no manual interventions, no external command levels Limited, specialized. Difficult with bus networks Parameter changes is strictly controlled and password protected. Can be intensive and needs proof testing Required to maintain high reliability

Control Modes Communication between devices Setting Changes

Diagnostics Redundancy
Copyright 2012 IHS Inc.

15

SIS and BPCS-Examples

BPCS failure modes
Control valve output high Process parameter indication

high Control valve output low Process parameter indication low Process parameter erratic indication

SIS failure modes Fail to operate on demand Spuriously operation Function delayed

Copyright 2012 IHS Inc.

SIS and BPCS

How SIS can affect operating conditions? Example: Centrifugal compressor Operating speed- 5000 rpm Over speed trip- 5500 rpm

Copyright 2012 IHS Inc.

16

SIS and BPCS SIS operating condition

Normal Fail safe

Process

Protection Available
Yes at 5500 rpm Not applicable NO at 5500 rpm

Failure indication
Not applicable Yes, High speed trip indication Not without diagnostic

Normal at 5000 rpm Shut down of compressor, speed 0 rpm Normal at 5000 rpm

Fail danger
Copyright 2012 IHS Inc.

Safety Instrumented Functions and Other Functions

Safety Instrumented Function

Copyright 2012 IHS Inc.

17