Ecisgroup Training Functional Safety 01+02+03

FUNCTIONAL SAFETY TRAINING
01 – RISK & RISK REDUCTION
Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 1

DEFINITIONS
• HAZARD: intrinsic
HAZARD i t i i property
t off a material,
t i l or off its
it physical
h i l conditions
diti th
thatt
can cause a damage to humans or to the environment
• RISK: exposure to the possibility of damage
• SAFETY: freedom from unacceptable risk of physical injury or of damage to

the health of people, either directly, or indirectly as a result of damage to
property
p p y or to the environment
• FUNCTIONAL SAFETY: the fraction of safety of a system or portion of

equipment
i t that
th t depends
d d on ththe system
t or equipment
i t operating
ti correctly
tl iin
response to its inputs, including the safe management of likely operator
errors, hardware failures and environmental changes.

TERMINOLOGY
• ESD Emergency Sh
E Shutdown
td S
System
t
• EUC Equipment Under Control
• F&RSU Flare and Relief Systems Unit
• HIPPS High Integrity Pressure Protection System
• HIPS High Integrity Protection System
• I/O Input/Output Field Device
• ICSS Integrated Control and Safety System
• SIF S f t Instrumented
Safety I t t d Function
F ti
• SIS Safety Instrumented System implementing one or more SIFs.
• E/E/PS Electrical, Electronic and Programmable Systems
• SIL Safety Integrity Level

EXAMPLE OF SIF
LOGIC SOLVER
SENSOR FINAL ELEMENT

RISK
• RISK: exposure to the possibility of damage
= frequency of event x impact of event

e.g. = times/year x loss of money
e.g. = times/year x area of contamination
e.g. = times/year x killed people

RISK MATRIX EXAMPLE
Frequency
Damage
g Remote Rare Unlikely Possible Likely
Catastrophe Many deads 5 6 6 6 6
Major
Some deads 4 4 5 5 5
Damage
Local
Injury, 1 dead 2 4 4 5 5
Damage
Minor
Mi
Minor I j
Injury 1 1 2 3 3
Damage
Harmless No dead 0 0 0 0 0

ALARP ZONE (carrot diagram)
LIMITS ARE SENSIBLE TO:

• Laws & regulations
• Social acceptance
• Standards
• Company practice
• Economical damage
•…
As Low As Reasonably Practical

ALARP ZONE
Unacceptable
Risk
Frequency
q y
eg: times/year
ALARP
zone
Tolerable
Risk
Damage eg: no of deads

SIL CLASSIFICATION (IEC61508 & IEC61511)
CONSEQUENCE
W3 W2 W1 •Ca
C Mi
Minor Injury
I j
•Cb Serious injury, single death
Ca
a = = •Cc Some deaths
•Cd
Cd Many deaths
Pa SIL1 a = FREQUENCY
•Fa Rare to frequent
Cb Fa Pb
•Fb
Fb Frequent
F t to
t continuous
ti
Fb SIL2 SIL1 a
Pa
AVOIDANCE
Cc Fa Pb •Pa Sometimes p
possible
SIL3 SIL2 SIL1
Fb •Pb Almost impossible
Pa
Cd
Fa Pb SIL4 SIL3 SIL2 •OCCURRENCE PROBABILITY
Fb •W1
W1 Very
V slight
li ht
Pa •W2 Slight
Pb b SIL4 SIL3 •W3 Relatively High
a = no requirement / b = single SIS not enough

RISK REDUCTION (REQUIRED)
Acceptable Risk Risk

(no protection)
Required Risk Reduction Risk

PROTECTIONS AGAINST RISK
Protections are implemented to reduce risk:
reducing frequency of exposure
and / or
reducing possible damage

Frequency
Damage
g Remote Rare Unlikely Possible Likely
Major
Damage
Local
Damage
Minor
Minor
Mi Injury
I j 1 1 2 3 3
Damage

(INDIPENDENT) LAYERS OF PROTECTION
Community Emergency Response
Plant Emergency Response
Mechanical Segregation & Containment
Mechanical Protection (PSV)
Safety Instrumentation Systems
C t l&M
Control Monitoring,
it i Alarms
Al
Process Design

INDIPENDENT LAYERS OF PROTECTION
otection
otection
otection
ayer 1
ayer 2
ayer 3
Risk Risk Risk Risk
Pro
la
Pro
Pro
la
la
Safe condition
Event Tolerable condition
Tolerable condition
Failure
Failure
Failure
RISK REDUCTION (IMPLEMENTED)
Residual Risk Acceptable Risk Risk

(with protection) (no protection)
Achieved Risk Reduction
Protection Protection Protection

layer 1 layer 2 layer 3

SIL REDUCTION FACTOR (IEC61508 & IEC61511)
PFD avg PFH

SIL Risk Reduction Factor
LOW DEMAND MODE HIGH DEMAND MODE
10E 5 <<= PFD < 10E‐4

10E‐5 10E 4 10E 9 <<= PFH < 10E‐8
10E‐9 10E 8
4 10 000 < RRF <= 100 000
10E 4 <= PFD < 10E‐3

10E‐4 10E 3 1 000 < RRF <= 10 000 10E 8 <= PFH < 10E‐7
10E‐8 10E 7
3
10E‐3 <= PFD < 10E‐2 100 < RRF <= 1 000 10E‐7 <= PFH < 10E‐6
2
10E‐2 <= PFD < 10E‐1 10 < RRF <= 100 10E‐6 <= PFH < 10E‐5
1

SIL ALLOCATION
Residual Risk Acceptable Risk Risk

(with protection) (no protection)
Achieved Risk Reduction
Protection Protection Protection

layer 1 layer 2 layer 3
SIL3 SIL 1 SIL 1

SOME OF THE NEXT TOPICS
• Safety Lifecycle
• Probability of Failure on Demand (PFD)
• Reliability
• Availability
• Failure Rate (λ)
• Proof Test Interval between two proof tests (T[Proof])
• Failure In Time (FIT)
• Mean Time To Failure (MTTF)
• Mean Time Between Failure (MTBF)
• Mean Time To Repair (MTTR)
• Safe Failure Fraction (SFF)

http://www.ecisgroup.it/
END OF PRESENTATION

02 – FAILURES
Functional Safety Training Dr. Ing. Carlo Lebrun 1

FAILURE
FAILURE is the loss of performance of something due,

required or expected
required,
= loss of ability to perform a function.

function
Both major functions & accessory functions shall be considered

…
Protective functions
Information functions
U Interface
User I t f f ti
functions
EXAMPLE OF SIF
LOGIC SOLVER
SENSOR FINAL ELEMENT

MAJOR CAUSES OF ACCIDENTS
Extracted from paper:
Use of Incident Data Collection from Various

Sources For Industrial Safety Performance
Assessments
Nir Keren
T. Michael O’Connor
M. Sam Mannan
Texas A&M University System

FAILURE RATE
λ (Failure rate) = frequency with which an engineered system or component fails,
expressed normally in failures / millions of hours. (1/106 hours)
FIT (Failures In Time) = frequency with which an engineered system or component

fails, expressed normally in failures / billions of hours. (1/109 hours)
MTBF (Mean Time Between Failures) = often used instead of the failure rate
rate.
Assuming the likelihood of failure remains constant with respect to time, the failure rate
is simply the multiplicative inverse of the MTBF
MTBF =1/λ

FAILURES ANALYSIS
FMEA Failure Mode and Effects Analysis
FMECA Failure Mode, Effects, and Criticality Analysis
FMEDA Failure Mode, Effects, and Diagnostic Analysis

FAILURES ANALYSIS: FMEA
Failure Effects
Identifi- Mission Phase Failure

Failure Modes Next Higher Compensating
cation Item Name Function / Operational Local Effects End Effects Detection Severity Remarks
and Causes Effects Provisions
Number Mode Method
Ref Des Name & Function Failure Mode Local Effect Next Higher Effect Sev
Sev. End Effect Failure Cause Item Causing
1A1 Bulb dim light flashlight output dim 3 flashlight output dim
- Provides the light
source for the flashlight
no light no flashlight output 2 no flashlight output
1A2 Switch intermittent flashlight sometimes 3 flashlight sometimes
- Turns flashlight on or will not turn on will not turn on
off
Stuck closed constant flashlight 1 constant flashlight
output output
Stuck open no flashlight output 2 no flashlight output
1A3 Contact intermittent flashlight sometimes 3 flashlight sometimes
- No Data will not turn on will not turn on
no contact no flashlight output 2 no flashlight output
poor contact flashlight output dim 3 flashlight output dim
1A4 Battery low power flashlight output dim 3 flashlight output dim
- Provides the power
source for the flashlight
g
no power no flashlight output 2 no flashlight output

FAILURES ANALYSIS: FMEDA EXAMPLE
Failure, M odes, Effects, and Diagnostics Analysis
System Description:
Failure Rate Safe Dangerous

Component Device Failure Mode Effect FIT Safe Dangerous Detectable Diagnostic Coverage Coverage
Component 1 Make/Model 1 Mode 1 Inhibiting 100 100 0 (None) 0 0

Mode 2 Initiating 200 200 0 (None) 0 0
Mode 3 Inhibiting 300 300 0 (None) 0 0
Component 2 Make/Model2 Mode 1 Initiating 400 400 0 (None) 0 0

Total (FIT) 2100 600 1500 0 0

Percent Safe Failures 29% Safe Coverag 0%
Safe Failure Fraction 29% Dangerous Coverage 0%
Total (Rate per hr) 2.1E-06 6E-07 1.50E-06

FAILURES ANALYSIS: FMEDA RESULT

FAILURES ANALYSIS PROCEDURE
- Assemble the team.

- Establish the ground rules.
- Gather
G h and d review
i relevant
l iinformation.
f i
- Identify the item(s) or process(es) to be analyzed.
-Identify the function(s),
function(s) failure(s),
failure(s) effect(s)
effect(s), cause(s) and control(s)
for each item or process
- Evaluate the risk associated with the issues identified byy the
analysis.
- Prioritize and assign corrective actions.
- Perform
P f corrective
ti actions
ti and d re-evaluate
l t risk.
i k
- Distribute, review and update the analysis, as appropriate.

FAILURES TYPE
FAILURE TYPE DETECTABLE UNDETECTABLE
SAFE SAFE DETECTABLE SAFE UNDETECTABLE

λSD λSU
DANGEROUS DANGEROUS DETECTABLE DANGEROUS UNDETECTABLE

λDD λDU

FAILURES TYPE (other point of view)
TOTAL FAILURES
λ
SAFE FAILURES DANGEROUS FAILURES

λS λD
SAFE DETECTABLE SAFE UNDETECTABLE DANGEROUS DETECTABLE DANGEROUS UNDETECTABLE

λSD λSU λDD λDU

SAFE FAILURE FRACTION
SFF = (λSD + λSU + λDD) / (λS + λD) =
= 1 – λDU / λ
λS = safe failure rate

λD = dangerous failure rate
λSD = rate off detectable
d bl safe
f failure
f il
λSU = rate of undetectable safe failure
λDD = rate of detectable dangerous failure

SENSOR FAILURE MODES
Detectable
- Output Saturated Hi
- Output Saturated Lo
Undetectable
- Frozen Output
- Indication Error Hi
- Indication Error Lo
- Diagnostic Failure

FINAL ELEMENT FAILURE MODES
- Solenoid plunger stuck Fail-Danger

- Solenoid coil burnout Fail-Safe
- Actuator shaft failure Fail-Danger*
Fail Danger
- Actuator seal failure Fail-Safe
- Actuator spring failure Fail-Danger
- Actuator structure failure - air Fail-Safe
- Actuator structure failure - binding Fail-Danger*
- Valve shaft failure Fail-Danger*
- Valve external seal failure No Effect
- Valve internal seal damage Fail-Danger
- Valve ball stuck in position Fail-Danger
* If unpredictable: assume worst effect

FAILURE CLASSIFICATION: CAUSE
FAILURE
DESIGN MANUFACTURING USE
DESIGN WEAKNESS AGE ABUSE MISUSE

FAILURE CLASSIFICATION:TIME
FAILURE
INTERMITTENT EXTENDED
COMPLETE PARTIAL
SUDDEN GRADUAL SUDDEN GRADUAL

FAILURES TYPE
FAILURE TYPE DETECTABLE UNDETECTABLE
SAFE SAFE DETECTABLE SAFE UNDETECTABLE

λSD λSU
DANGEROUS DANGEROUS DETECTABLE DANGEROUS UNDETECTABLE

λDD λDU

FAILURES ANALYSIS: IEC61508 CERTIFICATION

SOME OF THE NEXT TOPICS
• Safety Lifecycle
• IEC61508 and IEC61511 Standards
• Probability of Failure on Demand (PFD)
• Reliability
• Availability
• Proof Test Interval between two proof tests (T[Proof])
• M
Mean Time
Ti TTo FFailure
il (MTTF)
• Mean Time To Repair (MTTR)

END OF PRESENTATION

03 – IEC61508 / IEC61511 STANDARDS

SOME MAJOR DISASTERS IN CHEMICAL INDUSTRY
September
p 21,, 1921: Oppau
pp explosion
p in Germany.y 4500 tonnes of a mixture of ammonium sulfate and ammonium nitrate fertilizer
exploded at a BASF plant, killing 500–600 people and injuring about 2000 more.
1932-1968: Minamata Bay disaster, Japan, was caused by the dumping of mercury compounds. The Chisso Corporation, petrochemical
company, was found responsible for polluting the bay for 37 years. Over 3,000 people suffered various deformities, severe mercury
poisoning symptoms or death
death.
April 16, 1947: Texas City Disaster, Texas. explosion occurred aboard a docked ship. The explosion is referred to as the worst industrial
disaster in America. 578 people lost their lives and another 3,500 were injured as the blast.
1948 The
1948: Th explosion
l i off a ttank
k wagon within
ithi a BASF site
it lloaded
d d with
ith chemicals,
h i l iin Ludwigshafen,
L d i h f G
Germany, causes 207 fatalities.
f t liti
June 1, 1974: Flixborough disaster, UK. An explosion at a chemical plant kills 28 people and seriously injures another 36.
July
y 10, 1976: Seveso disaster, in Seveso, Italy,
y in a chemical manufacturing
g plant of ICMESA. 193 people in the affected areas suffered
from chloracne and other symptoms.
December 3, 1984: The Bhopal disaster in India is the largest industrial disaster on record. A faulty tank containing poisonous methyl
isocyanate leaked at a Union Carbide plant and left nearly 4,000 people dead on the first night of the gas leak and at least 15,000 later from
related illnesses
illnesses.
June 28, 1988: Auburn, Indiana, US: improper mixing of chemicals kills four workers at a local metal-plating plant in the worst confined-
space industrial accident in U.S. history; a fifth victim died two days later.
O t b 23,
October 23 1989:
1989 Phillips
Philli Di
Disaster.
t Explosion
E l i and
d fifire kill
killed
d 23 and
d iinjured
j d 314 iin Pasadena,
P d T
Texas. Registered
R i t d3 3.5
5 on th
the Richter
Ri ht scale.
l

A CLOSER LOOK AT SEVESO ACCIDENT
July 10, 1976: in Seveso, Italy, in a chemical plant of ICMESA
Due to the
D h release
l off di
dioxins
i iinto the
h atmosphere
h 3
3,000
000 pets andd
farm animals died and, later, 70,000 animals were slaughtered to
prevent dioxins from entering the food chain
chain.
193 p
people
p suffered from chloracne and other symptoms.
y p
The disaster lead to the Seveso Directive, which was issued by

th European
the E Community
C it and
d iimposed
d muchhhharsher
h iindustrial
d ti l
regulations.

STANDARDS AS LEGAL REQUIREMENTS IN EU
These EC Directives are legal requirements for

process plants in EU:
- Seveso Directive II
- ATEX: Appareils destinés à être utilisés en ATmosphères
Explosibles
- Machinery Directive
- PED: Pressure Equipment Directive

SEVESO DIRECTIVE REQUIREMENTS
The Seveso Directive II (9 December 1996) is aimed at the
prevention of accidents related to dangerous substances, and the
limitation of their consequences. It applies to sites where
dangerous substances stored or used.
The owner/operating company shall develop a safety report to show that:

- hazards have been identified and measures to prevent accidents and/or to
limit the consequence have been set up
- implementation,
implementation construction
construction, installation and operation of the plant is
adequately safe and reliable.
Public
P bli authorities
th iti mustt sett up iinspections
ti tto regularly
l l check
h k operation,
ti
organization and management of the plant to confirm that the user can show:
a) he has undertaken measures to prevent severe accidents
b) he has provided adequate measures to limit the results of any accident.
(INDIPENDENT) LAYERS OF PROTECTION
Community Emergency Response
Plant Emergency Response

MITIGATION
Mechanical Segregation & Containment
Mechanical Protection (PSV)
Safety Instrumentation Systems

C t l&M
Control Monitoring,
it i Al
Alarms
Process Design PREVENTION

Protections are implemented to reduce risk:
reducing frequency of exposure
and / or
reducing possible damage

Frequency
g
Damage Remote Rare Unlikely Possible Likely
Major
Damage
Local
Damage
Minor
Minor
Mi Injury
I j 1 1 2 3 3
Damage

WHAT SYSTEMS DOES IEC 61508 COVER?
• IEC 61508 applies to safety-related

safety related systems when one or
more of such systems incorporate electrical and/or electronic
and/or programmable electronic (E/E/PE) devices.
• It covers p
possible hazards caused by
y failures.

IEC61508 MAY APPLY TO:
• Emergency Shut-Down Systems, Fire and Gas Systems,

Burner Management System
• Crane safe-load indicators
• Emergency systems for machinery
• Medical Devices
• Dynamic Positioning (control of a ship's movement),
• Railway Signalling
• Variable Speed Motor Drives
• Automobile Indicator Lights

IEC 61508 SCOPE IS:
• To improve in safety requirements definition

• To improve both safety performance of electrical / electronic /
programmable electronic technology
• To provide a risk-based approach for determining the required
performance of safety-related systems
FUNCTIONAL SAFETY IN SIMPLER WORDS:

q p
• Equipment failure must not become the cause of
a danger for persons or for the environment

THE CONCEPT OF LIFECYCLE
IEC61508 applies the concept of lifecycle:
Equipment
q p functional safety
y is not an intrinsic and static
feature.
It is variable depending on all phases of a system life: design,
inspection, installation, operation, maintenance, etc.

IEC61508 SAFETY LIFECYCLE: ANALYSIS
1 - CONCEPT
2 – SCOPE
DEFINITION
3 – HAZARD & RISK

ANALYSIS
4 – SAFETY
REQUIREMENTS
5 – SAFETY REQUIREMENTS
ALLOCATION
TO REALIZATION PHASE

IEC61508 SAFETY LIFECYCLE: IMPLEMENTATION
FROM ANALYSIS PHASE
6 – OPERATION & 7– 8– 9 – E/E/PES 10 – REALIZATION OF SAFETY 11 – EXTERNAL RISK

MAINTENANCE VALIDATION INSTALLATION SYSTEM RELATED SYSTEMS WITH OTHER REDUCTION
PLANNING PLANNING PLANNING REALIZATION TECHNOLOGIES FACILITIES
12 – INSTALLATION &
COMMISSIONING
13 – SAFETY VALIDATION
TO OPERATION PHASE

IEC61508 SAFETY LIFECYCLE: OPERATION
FROM IMPLEMENTATION PHASE
14 – 15 –
OPERATION & MODIFICATIONS AND
MAINTENANCE UPGRADES
16 –
DECOMMISSIONING

IEC61508 AND OTHER SAFETY STANDARDS
IEC 61800-5-2 IEC 61508 EN/IEC 13849-1

Variable Speed Machinery
Electrical Drives
IEC 61513 EN/IEC 62061

Nuclear Industry Machinery
EN 60601 EN 50156
Medical Devices Fired Heaters
IEC 61511 EN 50128

Railway
Process
Industry

IEC61511
This standard has been developed as a process sector implementation of

IEC 61508. It applies to a wide variety of industries including chemicals, oil
refining oil and gas production,
refining, production pulp and paper,
paper non-nuclear
non nuclear power
generation, etc.
IEC61511 gives
i requirements
i t for
f the
th specification,
ifi ti design,
d i installation,
i t ll ti
operation and maintenance of a safety instrumented system.

IEC61508 AND IEC61511
IEC61508
commonly applies to Manufacturers
IEC61511
commonly applies to Designers, Integrators, Users, Owners

USE OF IEC61508 AND IEC61511
HARDWARE
Development of new hardware IEC61508
Integration of IEC61508 validated hardware IEC61511
g
Integration of p
proven in use hardware IEC61511
SOFTWARE
D
Development
l t off embedded
b dd d software
ft IEC61508
Development of application software
by full variability languages IEC61508
Development of application software
by limited variability languages IEC61511

ACTIVITIES OF NOTIFIED BODIES
- Certification of Functional Safety Management implementation, by

manufacturers designers
manufacturers, designers, integrators
integrators, end-users
end-users, etc
etc.
- Certification of Functional Safetyy Experts

p
- Support concerning understanding and interpretation of Functional

S f t Requirements
Safety R i t
- Certification of Safety Instrumented Systems (or Review /

Validation of certification by others)

IEC61508 CERTIFICATE:
SENSOR

ACTUATOR

DEVELOPMENT, DESIGN
AND ENGINEERING

END OF PRESENTATION

Ecisgroup Training Functional Safety 01+02+03

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ecisgroup Training Functional Safety 01+02+03

Uploaded by

Copyright:

Available Formats

FUNCTIONAL SAFETY TRAINING

01 – RISK & RISK REDUCTION

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 1

• RISK: exposure to the possibility of damage

• SAFETY: freedom from unacceptable risk of physical injury or of damage to

• FUNCTIONAL SAFETY: the fraction of safety of a system or portion of

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 2

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 3

SENSOR FINAL ELEMENT

• RISK: exposure to the possibility of damage

= frequency of event x impact of event

e.g. = times/year x area of contamination

e.g. = times/year x killed people

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 5

Catastrophe Many deads 5 6 6 6 6

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 6

LIMITS ARE SENSIBLE TO:

As Low As Reasonably Practical

Damage eg: no of deads

a = no requirement / b = single SIS not enough

Acceptable Risk Risk

Required Risk Reduction Risk

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 10

Protections are implemented to reduce risk:

reducing frequency of exposure

reducing possible damage

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 11

Catastrophe Many deads 5 6 6 6 6

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 12

Plant Emergency Response

Mechanical Segregation & Containment

Mechanical Protection (PSV)

Safety Instrumentation Systems

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 13

Event Tolerable condition

Residual Risk Acceptable Risk Risk

Required Risk Reduction Risk

Achieved Risk Reduction

Protection Protection Protection

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 15

PFD avg PFH

10E 5 <<= PFD < 10E‐4

10E 4 <= PFD < 10E‐3

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 16

Residual Risk Acceptable Risk Risk

Required Risk Reduction Risk

Achieved Risk Reduction

Protection Protection Protection

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 17

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 18

Functional Safety Training ‐ 01 Dr. Ing. Carlo Lebrun 19

Functional Safety Training Dr. Ing. Carlo Lebrun 1

FAILURE is the loss of performance of something due,

= loss of ability to perform a function.

Both major functions & accessory functions shall be considered

SENSOR FINAL ELEMENT

Extracted from paper:

Use of Incident Data Collection from Various

Texas A&M University System

Functional Safety Training Dr. Ing. Carlo Lebrun 4

FIT (Failures In Time) = frequency with which an engineered system or component

Functional Safety Training Dr. Ing. Carlo Lebrun 5