PAE2 Functional Safety Course en r0
HAZOP
Author:
Árpád POZSGAI
Functional Safety Professional
PROCOPLAN Ltd.
About us
Our company, ProCoPlan Ltd. was established in 1998, by former members of the
Instrumentation Design and Software Engineering Group, of the Hungarian Oil and Gas Plc –
Danube Refinery’s Instrumentation & Automation Department.
Presently we work with 18 colleagues, 17 of them are engineers and one of them is a
draftswoman, who is also our office manager.
The members and employees are highly qualified in automation, process control, electronics,
electrical, mechanical and telecommunications engineering, having around 5 – 30 years of
experience in instrumentation, measurement and control technique and functional safety in
applications for the different fields in the industry.
We are familiar with designing for industrial facilities where an explosive atmosphere is present
or could occur (e.g: Oil & Gas or Chemical Industry, Power Plants etc.)
Among our colleagues you can also find experts specialized in some of the following areas:
• Burner Management Systems (BMS), Compressor Control Systems, Metering Stations (for
Custody Transfer), Tank Gauging Systems (for Inventory Systems), Rail Car, Truck or Barge
loading systems, Boiler and Steam Generator, Turbine
• For the most up-to-date process control or safety systems, such as: DCS system (Emerson,
Honeywell, Yokogawa etc.), PLC + SCADA, Field Bus Systems (FFB, Profibus etc.),
Wireless Measuring Systems, Safety Instrumented Systems (SIS) complying with IEC 61508
and 61511.
• Functional Safety activity: HAZOP, LOPA, FMEA, SRS, SIL verification
PAE 2. 2 Functional Safety
Safety Principles
The Fundamental Safety Principles establish principles for ensuring the protection of
workers, the public and the environment, now and in the future, from the harmful
effects of ionizing radiation.
Abbreviations
• BPCS: Basic Process Control System
• DC: Diagnostic Coverage
• DCS: Distributed Control System
• EUC: Equipment Under Control
• H&RA: Hazard and Risk Analysis
• HFT: Hardware Fault Tolerance
• LS: Logic Solver
• MooN: M out of N voting arrangement
• MOS: Maintenance Override Switch
• MTTF: Mean Time To Failure
• MTTR: Mean Time To Repair
• MTBF: Mean Time Between Failures
• PFDavg: Average Probability of Failure on Demand
• PFH: Probability of Failure per Hour (average frequency of dangerous failure)
• POS: Process Override Switch
• SC: Systematic Capability
• SIF: Safety Instrumented Function
• SIL: Safety Integrity Level
• SIS: Safety Instrumented System
• SFF: Safe Failure Fraction
• SLC: Safety Life Cycle
• SRS: Safety Requirement Specification
• RR(F): Risk Reduction (Factor)
• TI: Proof Test Interval
Directives, regulations and standards
Diagram: EU Directives (e.g. the PED Directive and the Machinery Directive) are mandatory;
the MSZ / EN standards they refer to are normative (or informative); OAH and IAEA are
shown alongside.
New Approach:
The European Union adopts legislation (EU Directives) that defines essential
requirements - in relation to safety and other aspects of public interest - which
should be satisfied by products and services sold in the European Single Market.
The European Commission issues standardization requests (Mandates) to the
European Standardization Organizations (CEN, CENELEC and ETSI), which are
responsible for preparing technical standards and specifications that facilitate
compliance with these essential requirements.
SAFETY ANALYSIS
Requirement 14: Scope of the safety analysis:
4.50. The consequences arising from all conditions in normal operation (including
startup and shutdown, where appropriate) and the frequencies and
consequences associated with all anticipated operational occurrences and
accident conditions shall be addressed in the safety analysis.
EN 61508 does not have the status of a harmonized European standard, and is
not referred to by any EC Directive.
EN 61511-1, 2, 3
Safety life cycle phases (diagram reconstructed from the slide):
1. Hazard and risk analysis: to determine the hazards of the process, the sequence of
events leading to the hazardous event, and the requirements for risk reduction
to achieve the necessary risk reduction
2. Allocation of safety functions to protection layers
3. Safety requirements specification for SIS
4. Design and engineering of SIS; design and development of other means of risk reduction
5. Installation, commissioning and validation
6. Operation and maintenance
7. SIS modification: adaptations to the SIS, ensuring that the required safety integrity
level is achieved and maintained (MoC: Management of Change)
8. Decommission
9. Verification
10. Management of functional safety and functional safety assessment and auditing
Recommended activities per phase (table only partly recoverable): Analysis, Audit and Test
are rated R or HR for SIS modification, Decommissioning and SIS functional safety assessment.
Example: responsibility matrix
Description of Responsible – Name / Company – Responsibility
Customer / End-user – MOL Co. – I
HSE Representative – MOL Co. – P/R
Main Contractor – OTF – I
Process Designer / Licensor – Haldor Topsoe – P/R
Process Designer – OLAJTERV – P/R
Functional Safety Engineer / SIS specialist – PROCOPLAN – L / V*
Plant Operation – MOL Co. Refinery – P/R
SIS Detail Designer – OLAJTERV / YEW / PCP – I
SIS Vendor – YOKOGAWA – -
SIS Installer – OTF – -
SIS Maintenance – PETROSZOLG – -
Functional Safety Assessor – SIL4S – FSA
NR: Not recommended, R: Recommended, HR: Highly recommended, L: Lead, P: Participate, R: Review, A:
Approval, I: Inform, V: Verify, FSA: Functional Safety Assessment
Definitions
• Hazard: potential source of harm
• Harm: physical injury or damage to the health of people, either directly
or indirectly, as a result of damage to property or to the environment
• Risk: combination of the frequency of occurrence of harm and the
severity of that harm
• Tolerable risk: risk which is accepted in a given context based on the
current values of society
• Safety: freedom from unacceptable risk
• Safe state: state of the process when safety is achieved
• Safety integrity: average probability of a safety instrumented system
satisfactorily performing the required safety instrumented functions
under all the stated conditions within a stated period of time
• Safety Integrity Level (SIL): discrete level (one out of four) for specifying
the safety integrity requirements of the safety instrumented functions to
be allocated to the safety instrumented systems.
Consequence of a hazardous event: Risk = Severity x Frequency
(severity of the consequence times frequency of the hazardous event).
Diagram: the EUC risk is reduced by non-SIS risk reduction (BPCS), by the Safety
Instrumented System and by other safety systems down to the tolerable risk; the gap
between EUC risk and tolerable risk is the required risk reduction (a reduction of the
frequency of the hazardous event).
Risk matrix (severity: Major / Medium / Minor against frequency of occurrence:
LOW / MEDIUM / HIGH): unacceptably high risks in the high-severity, high-frequency
cells, acceptably low risks in the minor, low-frequency cells; hazard classes
PL1–PL4 and mitigation levels ML1–ML4 are assigned to the cells.
Tolerable risk
The ALARP or tolerability region (risk is undertaken only if a benefit is desired).
ALARP (As Low As Reasonably Practicable): tolerable only if further risk reduction is
impracticable or if its cost is grossly disproportionate to the improvement gained.
Risk Criteria
Diagram: individual risk (design intent) on a scale from 1.0E-3 down to 1.0E-8, divided
into a Not acceptable region, an ALARP region and an Acceptable region; CDF and LRF are
marked on the scale.
Note: EN 61511 / 61508 does not define tolerable risk. Tolerable risk
for harm to people must be defined by the corporate body.
Layers of protection (IPL: Independent Protection Layer; DiD levels as on the slide):
• Process design (DiD-1)
• IPL1 – Control and monitoring: BPCS, monitoring system (I&C, DiD-2)
• IPL2 – Prevention: process alarm + operator’s action (I&C, DiD-3a)
• IPL3 – Prevention: Safety Instrumented System (SIS) (I&C, DiD-3b); mechanical
protection system: PSV
• IPL4 – Mitigation: mechanical mitigation system; Safety Instrumented System (mitigation)
• Plant emergency response: evacuation; community emergency response: broadcasting
(DiD-4, DiD-5)
Protection Layers (level example): the process variable (PV) is held between low level and
high level by the BPCS (DCS) in normal operation; the high level alarm LAH-1 calls for the
operator’s response; at trip level HH the SIS performs its safety action (ESD); beyond that
only the mechanical protection remains, otherwise the outcome is an explosion.
Total risk reduction = risk reduction by BPCS (DCS) + risk reduction by alarm & operator’s
response + risk reduction by SIS.
Protection Layers (bow-tie): a cause leads to an incident (failure) in the system, to the
hazard and to the accident, with consequences for persons, for the population, for the
environment and for the economy; prevention layers act before the hazardous event,
mitigation layers after it.
Bert Lawley
Flowsheet of HAZOP (diagram): 0. Data gathering → HAZOP: determine deviations
(parameter + guideword) → risk assessment → 7. Recommendations, actions → Finish?
(if NO, continue with the next deviation).
HAZOP glossary
HAZOP worksheet entries:
• Node / subnode: A node is a specific location in the process in which
(the deviations of) the design/process intent are evaluated. (e.g.
separators, heat exchangers, scrubbers, pumps, compressors, and
interconnecting pipes with equipment.)
• Design Intent: The design intent is a description of how the process is
expected to behave at the node; this is qualitatively described as an
activity (e.g., feed, reaction, sedimentation) and/or quantitatively in the
process parameters, like temperature, flow rate, pressure etc.
• Deviation: A deviation is a way in which the process conditions may
depart from their design/process intent.
• Parameter: The relevant parameter for the condition(s) of the process
(e.g. pressure, temperature, composition).
• Guideword: A short word to create the imagination of a deviation of the
design/process intent. The most commonly used set of guide-words
is: no, more, less, as well as, part of, other than, and reverse.
Deviation = Parameter + Guideword
HAZOP glossary
HAZOP worksheet entries:
• Cause: The reason(s) why the deviation could occur
• Consequence: The results of the deviation, in case it
occurs. Consequences may both comprise process
hazards and operability problems, like plant shut-down or
reduced quality of the product. Several consequences may
follow from one cause and, in turn, one consequence can
have several causes
• Safeguard: Facilities that help to reduce the occurrence
frequency of the deviation or to mitigate its consequences.
HAZOP members
HAZOP guidewords
The basic HAZOP guide-words are:
Guide word – Meaning
No (not, none) – None of the design intent is achieved
More (more of, higher) – Quantitative increase in a parameter
Less (less of, lower) – Quantitative decrease in a parameter
As well as (more than) – An additional activity occurs
Part of – Only some of the design intention is achieved
Reverse – Logical opposite of the design intention occurs
Other than (other) – Complete substitution: another activity takes place
HAZOP documentation
Input documentation:
• Process Flow Diagram (PFD)
• Piping and Instrumentation Diagram (P&ID)!
• Detailed technological description
• Operational manual
• Safety Material Data Sheets (SMDS)
• Risk criteria for people, public, business and environment; tolerable
risks (part of HSE policy)
• Logic Narrative, ESD system description
• Cause and Effect matrix (C&E)!
Output documentation:
• Introduction, methodology
• System definition and limitation
• Documents (on which the analysis is based)
• Methodology
• Team members, sessions, attendance
• HAZOP report
• HAZOP recommendations
Example: HAZOP worksheet 2, HAZOP worksheet 4, and a LOPA worksheet with the columns
Deviation; Initiating event; Causes; Causes frequency; Frequency of initiating event;
Enabled initial event frequency; Mechanical protection; Proposed protection (IPL & PFD);
Mitigated event frequency; Tolerable event frequency.
Example: consequence categories for people (two rows recoverable)
• A – Slight injury & harm to health (first-aid): capacity to work not affected, no lost
time caused (first-aid, medical attention).
• N – Nuclear accident with many people involved (INES 7 event: Major accident): nuclear
accident with large release; extensive health impact; deaths expected due to
significant radiation exposure.
Economic or business consequences: (table with columns Category, Consequence, Definition)
Environmental consequences: (table with columns Category, Consequence, Definition)
LOPA steps (numbering as on the slide):
1. Identification of scenario
2. Determination of severity of consequence
4. Frequency of cause
6. Calculation of unmitigated event frequency
7. PFD of IPL’s
9. Determination of SIL (SIF/SRS)
LOPA: Layer of Protection Analysis – Simplified Process Risk Assessment, by CCPS
(concept book). Applied LOPA software: DYADEM PHA-Pro7.
Event tree: the initial event with frequency $f_I$ meets each safety layer in turn. If
the layer works (success), the outcome is not desirable but acceptable; if it fails, the
frequency passed on is $f_1 = f_I \cdot PFD_1$, then $f_2 = f_1 \cdot PFD_2$, and failure
of the last layer gives the dangerous outcome with $f_C = f_2 \cdot PFD_3$. In general:
$$f_C = f_I \cdot PFD_1 \cdot PFD_2 \cdots PFD_N = f_I \cdot \prod_{i=1}^{N} PFD_i = \frac{f_I}{RRF}$$
IPL requirements
IPL – Independent Protection Layer shall be (acc. to EN 61511-3/F.9.):
• Specificity: An IPL is designed solely to prevent or to mitigate the
consequences of one potentially hazardous event (for example, a runaway
reaction, release of toxic material, a loss of containment, or a fire).
Multiple causes may lead to the same hazardous event; and, therefore,
multiple event scenarios may initiate action of one IPL;
• Independence: An IPL is independent of the other protection layers
associated with the identified danger.
• Dependability: It can be counted on to do what it was designed to do.
Both random and systematic failure modes are addressed in the design.
• Auditability: It is designed to facilitate regular validation of the protective
functions. Proof testing and maintenance of the safety system is
necessary.
• 3 Enough's, Big/Fast/Strong Enough
• 3 D’s: Detect / Decide / Deflect
Typical PFD 1. (table)
LOPA calculation (diagram): initial event ($f_I$) → enabling event ($P_E$) → conditional
modifier ($P_C$) → unmitigated event frequency $f_{UMF}$ → IPL1 … IPLN with
$PFD_1 \ldots PFD_N$ → mitigated event frequency $f_{MEF}$ → hazardous event, assessed
against the severity of the consequence and the tolerable frequency $f_T$ to give the
RRF and the SIL.
$$f_{UMF} = f_I \cdot P_E \cdot P_C, \qquad f_I = \sum_i f_{Ii}, \qquad P_E = \prod_i P_{Ei}, \qquad P_C = \prod_i P_{Ci}$$
$$RRF_{SIF} = \frac{f_{MEF}}{f_T} = \frac{f_{UEF}}{f_T} \cdot \prod_{i=1}^{N} PFD_i = \frac{f_I}{f_T} \cdot P_E \cdot P_C \cdot \prod_{i=1}^{N} PFD_i$$
Enabling condition as a time fraction: $P_E = T_E / T_{BASE}$, where $T_E(t)$ is the time
the enabling condition is present within the base period $T_{BASE}$.
Conditional modifier for fatality: $P_C(\text{fatality}) = V \cdot A_{EFF} / A_{TOT}$,
with $A_{EFF}$ the effected area and $A_{TOT}$ the total area.
Table headers: Average Probability of Failure on Demand (PFDavg) – Safety integrity
level (SIL) – Risk Reduction Factor (RRF).
SIF structure (diagram): sensors S1…S4, the logic solver (LS) and final elements FE1…FE3
are combined into SIF1, SIF2 and SIF3; a sensor or a final element may be shared by
several SIFs.
Typical SIF
• Typical SIF of BMS: fuel gas low pressure protection, SIF-102-02B/1..4
Sensors: PSL MPSL-087A/B/C, 2oo3 voting
Logic solver: BSL Safety PLC
Final elements: MUV-002A/B/C, 1oo2 (main burner 1); MBAL-001-004 (main burner 1);
MUV-004A/B/C, 1oo3 (pilot burner); MUV-011..018, 8oo8 (pilot burner)
Voting arrangements shown: 1oo2 voting, 2oo2 voting
Failure Mode 1. (valve example, diagram): a safe failure (spurious close) is detected by
the limit switch; a dangerous failure (failure to close on high pressure) is detected by
PST. Transmitter signal example: the signal falls from 4,0 mA to 3,8 mA and 3,6 mA over
time; the response distinguishes a spurious shutdown (safe) from a failed shutdown
(dangerous).
Failure Mode 3. (diagram): the failure rate is split into safe detected $\lambda_{SD}$,
safe undetected $\lambda_{SU}$, dangerous detected $\lambda_{DD}$ and dangerous
undetected $\lambda_{DU}$ (besides the no-failure case):
$$\lambda = \lambda_D + \lambda_S = \lambda_{DD} + \lambda_{DU} + \lambda_{SD} + \lambda_{SU}$$
Failure rate
Constant: $\lambda(t) = \lambda$ over time during the USEFUL LIFETIME!!! (after wear-in
and before wear-out); the formulas below apply when the failure rate is constant.
PFDavg
PFDavg (Average Probability of Failure on Demand): the probability of failure on demand
$PFD(t)$ grows between proof tests; its average over the proof test interval TI is
$$PFD_{avg} = \frac{1}{TI}\int_0^{TI} PFD(t)\,dt = \frac{1}{TI}\int_0^{TI}\left(1 - e^{-\lambda_D \cdot t}\right)dt \approx \frac{\lambda_D \cdot TI}{2}$$
Diagnostic coverage and safe failure fraction (in these two formulas the subscripts D and
U of $\lambda_D$ and $\lambda_U$ denote detected and undetected failures, so that
$\lambda = \lambda_D + \lambda_U = \lambda_{DD} + \lambda_{DU} + \lambda_{SD} + \lambda_{SU}$):
$$DC = \frac{\lambda_D}{\lambda} = \frac{\lambda_D}{\lambda_D + \lambda_U} = \frac{\lambda_{DD} + \lambda_{SD}}{\lambda_{DD} + \lambda_{DU} + \lambda_{SD} + \lambda_{SU}}$$
$$SFF = \frac{\lambda_{DD} + \lambda_{SD} + \lambda_{SU}}{\lambda_{DD} + \lambda_{DU} + \lambda_{SD} + \lambda_{SU}}$$
Architectural constraints: Route 1H / Route 2H (EN 61511)
Architecture – HFT – SFT
1oo1 – 0 – 0
2oo2 – 0 – 1
1oo2 – … – …
2oo3 – … – …
SIL verification (flow diagram):
Inputs: failure rates λ (λDU, λDD, λSU, λSD) and failure modes, diagnostic coverage DC,
architecture NooM, proof test interval PTI and the H&RA; the SRS gives the target SIL
(SILTAR) and the demand mode (low / high / continuous).
The architecture constraint (Route 1H with HW fault tolerance HFT and SFF, or Route 2H,
EN 61511) gives SILAC; the PFDavg or PFH calculation gives SILPFD or SILPFH; the
systematic capability SCn of the elements is the third input.
Achieved SIL = MIN(SILAC, SILPFD or SILPFH, SCn); if the target SIL > achieved SIL the
result is NOT OK, otherwise OK.
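The LOPA chain above (f_UMF, f_MEF, RRF_SIF), the PFDavg approximation, SFF/DC and the MIN rule of the verification flow, carried through in Python as an added example that is not part of the course material. The scenario figures, the element failure rates, the HFT-limited SIL_AC of 2 and SC 3 are constructed assumptions; the low demand mode SIL bands are those of IEC 61508/61511.

```python
"""Worked LOPA -> SIL verification chain in the slides' notation (added example,
not from the course). Symbols: f_I initiating event frequency, P_E enabling
condition, P_C conditional modifier, PFD_i of the non-SIF IPLs, f_T tolerable
frequency, lambda_xx failure rates per hour, TI proof test interval in hours."""
from math import prod

# Low demand mode bands from IEC 61508/61511: (SIL, PFDavg lower, PFDavg upper)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd):
    """SIL whose PFDavg band contains pfd (equivalently 1/RRF); 0 = no SIL."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4  # below the SIL 4 band: no higher level exists


def lopa(f_I, P_E, P_C, pfds, f_T):
    """f_UMF = f_I*P_E*P_C; f_MEF = f_UMF*prod(PFD_i); RRF_SIF = f_MEF/f_T.
    Returns (f_UMF, f_MEF, RRF_SIF, required SIL); SIL 0 when no SIF is needed."""
    f_umf = f_I * P_E * P_C
    f_mef = f_umf * prod(pfds)          # frequency left after the existing IPLs
    rrf = f_mef / f_T                   # risk reduction still required from the SIF
    return f_umf, f_mef, rrf, (0 if rrf <= 1 else sil_from_pfd(1.0 / rrf))


def pfd_avg(lambda_d, ti_hours):
    """Slide approximation PFDavg ~ lambda_D*TI/2, valid while lambda_D*TI << 1."""
    return lambda_d * ti_hours / 2


def sff_dc(l_dd, l_du, l_sd, l_su):
    """SFF and the slide's DC (share of all failures that is detected)."""
    total = l_dd + l_du + l_sd + l_su
    return (l_dd + l_sd + l_su) / total, (l_dd + l_sd) / total


def achieved_sil(pfd, sil_ac, sc_n):
    """Achieved SIL = MIN(SIL from PFDavg, architectural constraint, systematic capability)."""
    return min(sil_from_pfd(pfd), sil_ac, sc_n)


def verify(target_sil, achieved):
    return "OK" if achieved >= target_sil else "NOT OK"


if __name__ == "__main__":
    # Constructed scenario: BPCS loop failure 0.1/yr, enabling condition present 50 % of
    # the time, 10 % exposure; alarm+operator (PFD 0.1) and PSV (PFD 0.01) as IPLs.
    f_umf, f_mef, rrf, target = lopa(0.1, 0.5, 0.1, [0.1, 0.01], f_T=1e-7)
    print(f"f_UMF={f_umf:.2e}/yr f_MEF={f_mef:.2e}/yr RRF_SIF={rrf:.0f} target SIL {target}")
    # Constructed SIF element: rates per hour, yearly proof test, SIL_AC 2 (HFT), SC 3
    pfd = pfd_avg(1.0e-6 + 4.0e-7, 8760)          # lambda_D = lambda_DD + lambda_DU
    sff, dc = sff_dc(1.0e-6, 4.0e-7, 5.0e-7, 1.0e-7)
    print(f"PFDavg={pfd:.2e} SFF={sff:.2f} DC={dc:.2f} -> {verify(target, achieved_sil(pfd, 2, 3))}")
```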
SIL certificate
SIL verification – trip logic example (diagram): signal states ON (1) = NORMAL and
OFF (0) = TRIP; inputs START OVERRIDE, MOS, POS, MANUAL SHUTDOWN, LOCK-OUT and RESET;
the lock-out / reset state is held NON VOLATILE!
PROCOPLAN KFT.
2030 Érd, Diósdi u. 107./C
Tel: +36 23 361-433
Fax: +36 23 364-124
Mail: procoplan@procoplan.hu
www.procoplan.hu
Overall I&C safety life cycle (diagram; clause numbers as on the slide):
5 Overall I&C system design
5.1 Overall I&C system integration and installation
5.2.2 Review of the functional, performance and independence requirements
5.4 Design of the overall I&C architecture and assignment of the I&C functions
5.5 Overall I&C operation plan
5.5.2 Overall quality assurance (QA) programs
5.6 Overall I&C output documentation
6 System safety life cycle of the individual I&C systems (for all of the 1…N individual
I&C systems): 6.1 individual I&C system requirements specification; individual I&C system
design; 6.7 documentation
7. Operation
8b Overall I&C system operation and maintenance