2019 Hon-EMEA13-School-Process-Risk-Management PDF
Johan School
Concepts and Implementation of Process Risk Management using Safety Manager
Agenda
• Introduction
• What about safety
• Safety Instrumented Systems
• Industry Standards & Risk analysis
• Honeywell Safety project services
• Honeywell Safety Management Systems
• Operational integration; The human factor approach
• Introduction to Cyber security
• Q&A
About your presenter
• Johan School
• 19 years with Honeywell
• Product Manager Safety Solutions
• Active member of national and international standard committees
• TÜV Functional Safety engineer
2013 Honeywell Users EMEA Nice
Introduction to Safety standards
(Figure: the balance between compliance, safety, process availability, risks and cost.)
IEC 61508 - A safety umbrella for the world
Types and names of SIS
Technologies applied during the last 80 years
Terminology
E/E/PE: Electrical / Electronic / Programmable Electronic (IEC 61508)
PES: Programmable Electronic System
PFD: Probability of Failure on Demand
SF: Safety Function (IEC 61508)
SIF: Safety Instrumented Function (IEC 61511)
BPCS: Basic Process Control System (IEC 61511)
SIS: Safety Instrumented System (IEC 61511)
EUC: Equipment Under Control (IEC 61508)
EUCcs: EUC control system (IEC 61508)
RR(F): Risk Reduction (Factor)
SRS: Safety Related System (IEC 61508)
SRS: Safety Requirements Specification (IEC 61511)
SIL: Safety Integrity Level
PST: Process Safety Time
SLC: Safety Life Cycle
LS: Logic Solver
SLS: Safety Logic Solver
Protection is Key
Layers of Protection
• It is important to have the right layers of protection.
• With a clear understanding of how work errors or incidents develop, and with the many tools available to help mitigate these situations, one can plan for the inevitable.
Anatomy of Disaster
• A typical process plant has many variables in many processes that under normal circumstances operate within the normal limits of process control.
Protection is Key
Some incidents as found on the ASM consortium website (Oct 2013)
(Figure, the IEC 61508 risk reduction model: the risk reduction achieved by all safety-related systems and external risk reduction facilities brings the EUC risk down to a residual risk, which must lie below the acceptable risk.)
What is Risk ?
(Figure: a risk matrix with frequency on one axis and severity on the other; unacceptable risk lies towards high frequency and high severity, acceptable risk towards low frequency and low severity.)
IEC 61508 - Safety Integrity Levels
Target failure measures for a safety function, allocated to an E/E/PE safety-related system
Risk based on Frequency and Severity of consequence
(Figure, worked example: frequency of road incidents in a large city, 10 in 10000 per year, i.e. 1 x 10E-3; severity of a car crash, 2 deaths; risk = frequency x severity = 2 x 10E-3 fatalities per year. The arrow marked HIGHER points in the direction of increasing risk.)
Costs of risk <-> Costs of Safeguarding
(Figure: costs of risk fall and costs of safeguarding rise as the level of safe-guarding increases.)
Protection Layer
IEC 61511 LOPA-model (layers listed from the outermost inward)
• COMMUNITY EMERGENCY RESPONSE: Emergency Broadcasting
• MITIGATION: Mechanical Mitigation Systems; Safety Instrumented Control Systems; Safety Instrumented Mitigation Systems; Operator Supervision
• PREVENTION: Mechanical Protection System; Process Alarms; Operator Supervision; Safety Instrumented Control Systems; Safety Instrumented Prevention Systems
• PROCESS
Layers Of Protection
Figure 9 of IEC 61511
Layered safety approach
• Emergency shutdown
• Burner management
SIS, SIF and SIL: Safety Instrumented System
• A system composed of sensors, logic solvers, and final control elements for the purpose of automatically taking the process to a safe state when predetermined conditions are violated.
(Figure: a reactor with its Basic Process Control System loop (flow transmitter FT and I/P converter) alongside a Safety Instrumented System with pressure transmitters PT 1A and PT 1B.)
SIS, SIF and SIL: Safety Instrumented Function
(Figure, example SIF: the sensors, a temperature transmitter, a level switch and a flow transmitter, feed a logic solver (PLC), which drives the final elements: a shut-off solenoid valve, a globe valve with solenoid and the MCC.)
What is the safety system ?
As good as the Weakest Link
Safety Standards - Compliance to what ?
Prescriptive and Normative standards
• Prescriptive standards specify the measures that must be taken to meet the code, while normative or performance-based standards set the goal to be achieved and leave the means to the designer / end user.
• Some examples:
Common standards used in the Process industry
What does IEC 61511 or ISA 84.01 require?
Safety best engineering practices
Safety Life Cycle per the standards (IEC 61511)
The Safety Life Cycle simplified (flowchart)
1. Conceptual process design
2. SIS required? No: no SIS. Yes: continue.
3. Develop Safety Requirements Specification
4. SIS installation, commissioning and pre-startup acceptance test
5. Establish operation & maintenance procedures
6. Modify or decommission SIS? A modification re-enters the lifecycle; decommissioning ends it.
2. Allocation of Safety Functions
• Often called SIL Analysis or SIL Determination
• Output is a list of Safety Instrumented Functions
together with their required Safety Integrity Level.
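SIL determination in practice is a Layer of Protection Analysis followed by a check that the chosen architecture actually delivers the required PFD. The Python below is an added worked example, not code from this deck or from Honeywell: the scenario frequencies and failure rates are constructed, the SIL bands are the IEC 61508 low-demand target failure measures, and the 1oo1/1oo2 PFDavg formulas are the usual simplified approximations without a common-cause term (an assumption of the example).

```python
"""LOPA-style SIL determination and a simplified PFDavg check (added example).

SIL bands: IEC 61508 low-demand target failure measures. PFDavg formulas:
simplified 1oo1 / 1oo2 approximations with no common-cause or repair term,
which is an assumption of this example, not a calculation from the deck.
"""

# IEC 61508 low-demand mode: SIL -> [lower, upper) band of average PFD
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def sil_from_pfd(pfd):
    """SIL whose PFDavg band contains pfd; None if outside SIL 1..4."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


def lopa(initiating_frequency, ipl_pfds, target_frequency):
    """Layer of Protection Analysis for one scenario.

    initiating_frequency: events per year of the initiating cause
    ipl_pfds: PFDs of the independent protection layers already credited
              (alarm + operator response, relief valve, ...), excluding the SIF
    target_frequency: tolerable frequency of the consequence per year

    Returns the frequency reached without a SIF, and the PFD, RRF and SIL the
    SIF must deliver to close the remaining gap (None when no SIF is needed).
    """
    frequency = initiating_frequency
    for pfd in ipl_pfds:
        frequency *= pfd
    result = {"frequency_without_sif": frequency, "required_pfd": None,
              "required_rrf": None, "required_sil": None}
    if frequency > target_frequency:
        result["required_pfd"] = target_frequency / frequency
        result["required_rrf"] = 1.0 / result["required_pfd"]
        result["required_sil"] = sil_from_pfd(result["required_pfd"])
    return result


def pfd_avg(lambda_du_per_hour, proof_test_hours, voting="1oo1"):
    """Simplified PFDavg from the dangerous undetected failure rate and the
    proof-test interval: 1oo1 = lambda*T/2, 1oo2 = (lambda*T)^2/3."""
    x = lambda_du_per_hour * proof_test_hours
    if voting == "1oo1":
        return x / 2
    if voting == "1oo2":
        return x * x / 3
    raise ValueError("unsupported voting: " + voting)


def assess_design(required_pfd, lambda_du_per_hour, proof_test_hours, voting):
    """Check a candidate SIF design against the LOPA requirement. Landing in the
    right SIL band is not enough: the design PFD must also be at or below the
    required PFD."""
    design = pfd_avg(lambda_du_per_hour, proof_test_hours, voting)
    return {"design_pfd": design, "design_sil": sil_from_pfd(design),
            "meets_required_pfd": design <= required_pfd}


if __name__ == "__main__":
    # Constructed scenario (not from the deck): BPCS loop failure 0.1/yr,
    # credited IPLs alarm + operator response (0.1) and relief valve (0.05),
    # tolerable consequence frequency 1e-6/yr.
    req = lopa(0.1, [0.1, 0.05], 1e-6)
    print(req)  # required PFD 2e-3, RRF 500, SIL 2
    for voting in ("1oo1", "1oo2"):
        # lambda_DU 2e-6 /h, yearly proof test (8760 h)
        print(voting, assess_design(req["required_pfd"], 2e-6, 8760, voting))
```

The 1oo1 design lands in the SIL 2 band (PFDavg 8.76e-3) yet fails the scenario, because the LOPA gap needs PFD 2e-3; the 1oo2 design (1.02e-4) closes it. Reporting only the SIL band hides that difference.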
3. Safety Requirements Specification - SRS
SRS should include the following information (1)
SRS should include the following information (2)
• Description of SIS process output actions and the criteria for successful
operation, for example, requirements for tight shut-off valves;
• The functional relationship between process inputs and outputs,
including logic, mathematical functions and any required permissives;
• Requirements for manual shutdown;
• Requirements relating to energize or de-energize to trip;
• Requirements for resetting the SIS after a shutdown;
• Maximum allowable spurious trip rate;
• Failure modes and desired response of the SIS;
• Any specific procedure requirements for starting up and restarting the
SIS;
• All interfaces between the SIS and any other system (including the
BPCS and operators);
• Description of the modes of operation of the plant and identification of
the safety instrumented functions required to operate within each mode;
SRS should include the following information (3)
Cause-and-Effect Diagram
• SIFs commonly documented by Cause and Effect diagrams
• Should include SIL.

Tag#     Description              SIL  Trip Point  Units  Effects
BS-01    Burner Loss of Flame     1    ~           ~      X  X  X
PSL-01   Fuel Gas Pressure Low    2    ~           7      X  X  X

(The effect column headings were not recovered from the slide; each X marks a final element driven to its safe state by that cause.)
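A cause-and-effect matrix is also directly executable logic: each row is a cause, each X a final element that must go to its safe state. The Python below is an added example, not the deck's or Honeywell's code; the effect tags XV-01, XV-02 and MCC-01, the 7.0 barg trip point and the OR voting are constructed assumptions. It treats a missing input as a trip (de-energize-to-trip, fail-safe) and derives the SIL that each shared output must be engineered to.

```python
"""Cause-and-effect matrix evaluator (added example, not the deck's own code).

Each Cause is one row of the matrix; its effects tuple lists the columns
marked X. Tags, trip point and effects are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cause:
    tag: str
    description: str
    sil: int
    effects: tuple            # effect tags marked "X" on this row
    trip_point: float = None  # None for a discrete cause (switch, flame detector)
    units: str = ""
    low_trip: bool = True     # True: trip when value <= trip_point


def is_tripped(cause, value):
    """Is this cause demanding a trip? A missing or bad input counts as a
    trip (fail-safe), consistent with de-energize-to-trip design."""
    if value is None:
        return True
    if cause.trip_point is None:
        return bool(value)
    if cause.low_trip:
        return value <= cause.trip_point
    return value >= cause.trip_point


def evaluate(matrix, effect_tags, inputs):
    """Resolve the matrix for one set of inputs. Per effect, report whether
    its output is still energized and which causes demanded the trip
    (OR logic: any tripped cause with an X in the column de-energizes it)."""
    state = {e: {"energized": True, "demanded_by": []} for e in effect_tags}
    for cause in matrix:
        if is_tripped(cause, inputs.get(cause.tag)):
            for e in cause.effects:
                state[e]["energized"] = False
                state[e]["demanded_by"].append(cause.tag)
    return state


def required_sil_per_effect(matrix, effect_tags):
    """A final element shared by several SIFs must be engineered to the
    highest SIL of any SIF that uses it."""
    req = {e: 0 for e in effect_tags}
    for cause in matrix:
        for e in cause.effects:
            req[e] = max(req[e], cause.sil)
    return req


# Constructed burner-management matrix; the effect tags are hypothetical.
EFFECTS = ("XV-01", "XV-02", "MCC-01")  # main fuel valve, pilot valve, burner motor
MATRIX = (
    Cause("BS-01", "Burner Loss of Flame", sil=1, effects=EFFECTS),
    Cause("PSL-01", "Fuel Gas Pressure Low", sil=2, effects=EFFECTS,
          trip_point=7.0, units="barg"),
)

if __name__ == "__main__":
    print(evaluate(MATRIX, EFFECTS, {"BS-01": False, "PSL-01": 9.5}))  # all energized
    print(evaluate(MATRIX, EFFECTS, {"BS-01": False, "PSL-01": 6.8}))  # PSL-01 trips all
    print(required_sil_per_effect(MATRIX, EFFECTS))                    # all SIL 2
```

Because both rows mark the same three outputs, every one of them inherits SIL 2 from PSL-01 even though BS-01 alone is SIL 1; that is the point of keeping the SIL column in the diagram.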
4. Design and Engineering
• Typically split between the SIS vendor for the logic solver
• and the EPC contractor or end-user for the field hardware.
Standards Compliance
Compliance to ……
(Figure: compliance spans work, people, process and technology, matched against people, processes and product.)
5. Installation, Commissioning, Validation
• Logic Solver installed with field equipment
• Includes loop checking, validation and final functional safety assessment.
6. Operations, Maintenance and Modification
Operations and Maintenance Obligations
Responsibilities during the SLC (for logic solver)
IEC 61511 Safety Lifecycle Services
Project Services
Honeywell Global Projects and Services Excellence
Global Processes and Standard Builds
(Figure: SIS modifications plotted against operational life, T in years, from <1 to 15.)
Standard builds
Standard builds
(Figure: standard builds cover the solution binder, the HMI and standard shapes.)
Recommended reading
• IEC 61508
• IEC 61511
• Seveso II Directive
• Guidelines for Safe Automation of Chemical Processes. CCPS, AIChE, New York, 1993
• Guidelines for Technical Management of Chemical Process Safety. Center for Chemical Process Safety (CCPS), AIChE, New York, 1989
Integrated SIS evolution
• 2004: QMR integrated into Experion
• Experion Safety Manager: TÜV certification to IEC 61508/61511 SIL3 (year not shown on the slide)
• 2008: Safety Manager QPP-0002 and PCDI
• 2010: Remote Universal Safe IO
• 2012: Advanced Experion integration & Universal Safety Logic Solver
Global development
• London (ON): Unisim
• Fort Washington (PA): RIO development
• ‘s-Hertogenbosch: integration test
• Phoenix (AZ): engineering tools
• Bangalore: builder
• Perth: HMI integration
Design Overview
Digital Output of a general purpose PLC
(Figure: a normally energized output, a CPU-driven switch between +24 Vdc and the load, e.g. a solenoid valve (SOV), returning to 0 Vdc. What can go wrong? With the output commanded "1", a lead breakage de-energizes the load: the result is a nuisance trip.)
Digital Output of a general purpose PLC
(Figure: the same circuit, +24 Vdc, CPU-driven switch, load e.g. SOV, 0 Vdc. What can go wrong? The second failure case is shown only in the drawing.)
Digital Output Safety Manager
(Figure: the same output circuit, +24 Vdc, CPU-driven switch, load e.g. SOV, 0 Vdc, now with a STATUS readback on the output channel: Diagnostics!)
Diagnostics within Safety Manager
Digital Output Safety Manager
(Figure: the output has a secondary means of de-energization in series with the CPU-driven switch, each with a STATUS readback. With the output commanded "0" (de-energized), a short circuit or a defect of the primary switch is detected by the status readback, and the secondary means still de-energizes the load, e.g. SOV.)
Digital Output Safety Manager
Fault tolerance for availability via redundant hardware
(Figure: two parallel output paths, each with a CPU-driven switch, a secondary means of de-energization and STATUS readbacks on both, driving the same load, e.g. SOV, between +24 Vdc and 0 Vdc. Outputs are commanded "1" (energized) or "0" (de-energized); with one path faulted the other keeps the load energized.)
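The four output figures can be summarised in a small model. The Python below is an added example, not Honeywell's Safety Manager implementation; it assumes a de-energize-to-trip output with a CPU-driven switch, a secondary switch in series, a STATUS readback that sees whether current reaches the load, and simplified fault injection (lead broken, primary switch stuck closed). It contrasts the undiagnosed general-purpose output with the diagnosed one and shows why two paths in parallel avoid a nuisance trip on a single lead breakage.

```python
"""Model of a diagnosed de-energize-to-trip digital output (added example,
not Honeywell code). Failure modes from the figures: lead breakage
(nuisance trip) and a shorted or stuck output switch (dangerous: the load
cannot be de-energized). Hypothetical model: two series switches, a lead,
and a STATUS readback reporting whether current reaches the load."""
from dataclasses import dataclass


@dataclass
class Channel:
    primary_closed: bool = True    # CPU-driven output switch, closed = load energized
    secondary_closed: bool = True  # secondary means of de-energization, in series
    fault: str = "none"


def load_energized(ch, lead_intact=True, primary_stuck_closed=False):
    """Circuit physics: current reaches the load (e.g. SOV) only if both
    series switches conduct and the field lead is intact."""
    primary = ch.primary_closed or primary_stuck_closed
    return primary and ch.secondary_closed and lead_intact


def gp_plc_scan(ch, command_on, lead_intact=True, primary_stuck_closed=False):
    """General-purpose PLC output: no readback. A lead breakage trips the load
    silently; a stuck-closed switch leaves the load energized on a trip demand
    and nothing reports it."""
    ch.primary_closed = command_on
    return load_energized(ch, lead_intact, primary_stuck_closed)


def safety_scan(ch, command_on, lead_intact=True, primary_stuck_closed=False):
    """Diagnosed output: drive the switch, read STATUS back, compare with the
    command. An open circuit is annunciated (the load is already safe); a short
    or stuck switch is a dangerous failure, so the secondary switch is opened."""
    ch.primary_closed = command_on
    status = load_energized(ch, lead_intact, primary_stuck_closed)
    if command_on and not status:
        ch.fault = "open circuit (lead breakage)"
    elif not command_on and status:
        ch.fault = "short circuit / primary switch defect"
        ch.secondary_closed = False
        status = load_energized(ch, lead_intact, primary_stuck_closed)
    else:
        ch.fault = "none"
    return status


def redundant_scan(paths, command_on, lead_intact=(True, True), stuck=(False, False)):
    """Two diagnosed paths in parallel driving one load: a single open-circuit
    fault is annunciated without a nuisance trip, and a trip demand still
    opens both paths."""
    statuses = [safety_scan(p, command_on, li, st)
                for p, li, st in zip(paths, lead_intact, stuck)]
    return any(statuses)


if __name__ == "__main__":
    ch = Channel()
    print("GP PLC, trip demand, switch stuck:",
          gp_plc_scan(ch, False, primary_stuck_closed=True))            # True: dangerous, undetected
    ch = Channel()
    print("SM, trip demand, switch stuck:",
          safety_scan(ch, False, primary_stuck_closed=True), ch.fault)  # False: secondary opened
    a, b = Channel(), Channel()
    print("Redundant, lead A broken:",
          redundant_scan([a, b], True, lead_intact=(False, True)), a.fault)  # True: no nuisance trip
```

The model resets `fault` to "none" on a healthy scan for readability; a real logic solver latches the diagnostic until it is acknowledged, so that the stuck-switch event is not lost once the secondary switch has opened.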
Operational integration: The human factor approach
• How to achieve an integrated control and safety solution with advanced functionality and productivity, without compromising safety and security?
• 1st Transparency, 2nd Communication, 3rd Information
Operational integration: The human factor approach
Transparency
Operational integration: The human factor approach
Provide information
Operational integration: The human factor approach
Publication (Control Builder)
• single point of data entry,
• all information (can be) replicated to other databases,
• available for use at all levels of the safety and control topology.
Cyber security
Cyber security, why worry?
Incident types
• Hacker
• Disgruntled employee
• Technician
• Equipment, software
• Malware (virus, worm, Trojan)
Cyber security and Safety
What can we do to prevent this?
Embedded device robustness testing
Embedded device cyber security
Functional Security Assurance Certification
• Integrated Threat Analysis (ITA)
• FSA: evaluate the defenses provided by the embedded device and what system level protection is required
Safety Manager certified topologies
• Safety Manager out of the box certified for use in:
(Figure, two topologies. 1) SM - SM and SM - C300 P2P over FTE: Experion Server and Station (Safety Applications icon), (S)NTP and PTP time synchronisation, C200 and C300 controllers, two Safety Managers, Universal Safety I/O and an "other device" on the FTE network. 2) SM - SM and SM - C300 P2P with Modbus TCP: Safety Manager, C300 controller and an "other device" over FTE.)
What’s next
• Customers
– Should add cyber security requirements to the RFQ, e.g. ISASecure certification
– Should assess the overall security of their system/plant
– Should approach security similarly to safety: competence of people, security lifecycle, well defined processes
And……