Upload
william-hampton
View
221
Download
4
Embed Size (px)
Citation preview
1
VU
T 6
.4.2
006
Funkční bezpečnost elektrických přístrojů
souvisejících s bezpečností
2
VU
T 6
.4.2
006
Funkční bezpečnost
Část celkové bezpečnosti týkající se EUC a systému řízení EUC závislá na správném fungování E/E/EP systémů souvisejících s bezpečností, systémech souvisejících s bezpečností založených na jiných technických principech a vnějších prostředcích pro snížení rizika
ČSN EN 61508-4
3
VU
T 6
.4.2
006
4
VU
T 6
.4.2
006
Mechanical Safety Action (if available)
Plant Shut-down
Wild Process parameter
High Control level
High Alarm level
Time
If Operator takes action
Certain Processparameter value Low Control level
Normal behavior
DCS Functionality
Process.
5
VU
T 6
.4.2
006
Mechanical Safety Action (if available)
Plant Shut-down
Wild Process parameter
High Control level
High Alarm level
ESD controlledTrip level
Time
If Operator takes action
Certain Processparameter value
Safety InstrumentedSystem Functionality
Low Control level
Normal behavior
DCS Functionality
Safety System.
6
VU
T 6
.4.2
006
Have You Been Asked This?
“How can you demonstrate that you are safe?”
‘Regulator’
7
VU
T 6
.4.2
006
Safety Issues for End User / Operators
• How do you demonstrate that your operations are ‘safe’?
• How do you demonstrate that your equipment is ‘safe’?
• How do you demonstrate that your safety and protective systems protect against your hazards?
You can answer these questions by demonstrating compliance with Industry Safety Standards
IEC61508 - Functional safety of electrical/electronic/programmable electronic
safety-related systems
8
VU
T 6
.4.2
006
What is IEC61508?
• An international standard relating to the Functional Safety of electrical / electronic / programmable electronic safety related systems
– Mainly concerned with E/E/PE safety-related systems whose failure could have an impact on the safety of persons and/or the environment
– Could also be used to specify any E/E/PE system used for the protection of equipment or product
• It is an industry best practice standard to enable you to reduce the risk of a hazardous event to a tolerable level
VU
T 6
.4.2
006
Technologies Concerned
• E Electrical• electro-mechanical / relays / interlocks
• E Electronic• solid state electronics
• PES Programmable Electronic Systems• Programmable Logic Controllers
(PLC’s);• Microprocessor based systems• Distributed Control Systems• Other computer based devices
(“smart” sensors / transmitters / actuators)
VU
T 6
.4.2
006
Features
• Generic Standard
• Guidance on the use of E/E/PES
• Comprehensive approach involving concepts of Safety Lifecycle and includes all elements of the protective system
• Risk-based approach leading to determination of Safety Integrity Levels (S.I.Ls)
• Considers the entire Safety Critical Loop
11
VU
T 6
.4.2
006 Generic and Application Sector Standards
IEC61508
IEC61511 :Process Sector
Medical SectorIEC61513 :
Nuclear Sector
IEC62061 : Machinery Sector
VU
T 6
.4.2
006 IEC61511
Functional Safety
Safety instrumented systems
for the
Process industry sector
13
VU
T 6
.4.2
006
IEC 61511
“FUNCTIONAL SAFETY: SAFETY INSTRUMENTED SYSTEMS FOR THE PROCESS INDUSTRY SECTOR”
14
VU
T 6
.4.2
006
Industries
Applies to a wide variety of industries across the process sector
Including:
Chemicals
Oil refining
Oil and gas production
Pulp and paper
Non-nuclear power generation
Pharmaceuticals / Fine Chemicals
15
VU
T 6
.4.2
006
Scope
• Process (chemicals, oil & gas, paper, non-nuclear power generation)
• End-to-end safety instrumented system (SIS) - h/w, s/w, mgt. and human factors
• Full safety lifecycle - specification, design, integration, operation, maintenance
• Intended for integrators / users– not for equipment designers / vendors
16
VU
T 6
.4.2
006
Structure
IEC 61511 – Structure
Part 1 – “Framework, definitions, system, hardware and software requirements”.
Part 2 – “Guidelines for the application of IEC 61511-1”.
Part 3 – “Guidance for the determination of safety integrity levels”.
Normative
Informative
17
VU
T 6
.4.2
006
IEC 61511
TITLE - “Functional Safety – Safety Instrumented Systems for the Process Industry sector”
• This international Standard gives requirements for
the specification, design, installation, operation and
maintenance of a safety instrumented system, so
that it can be confidently entrusted to place and/or
maintain the process in a safe state.
• This standard has been developed as a process sector implementation of IEC 61508.
VU
T 6
.4.2
006
Relationship IEC 61511 & IEC 61508
VU
T 6
.4.2
006
Relationship IEC 61511 & IEC 61508
20
VU
T 6
.4.2
006
Similarities (IEC 61508 - IEC 61511)
• Whole safety lifecycle– Concept, Hazard & Risk Analysis and Design– through operation & maintenance to eventual
decommissioning• Safety requirements specification• Safety integrity levels (SIL 1 to 4)• End-to-end system
– (Sensor via Logic to Actuator)• Hardware reliability analysis (PFD)• Management of functional safety• Architectural constraints (fault tolerance)
21
VU
T 6
.4.2
006
Key Differences IEC 61511 (IEC 61508)
• Terminology– Process (EUC)– Basic Process Control System (EUC Control
system)– Safety Instrumented System (E/E/PE S-R-S)– Safety Instrumented Function (Safety function)
• Presentation– less rigorous than IEC 61508– more guidance (especially in Parts 2 & 3)
22
VU
T 6
.4.2
006
Overall Installation& Commissioning
11
2
External RiskReductionFacilities
Overall Scope Definition
Realisation
1 Concept
3 Hazard Risk Analysis
4 Overall Safety Requirements
Safety RelatedSystems:
E / E / PES
12
Realisation
Overall Planning
Safety RelatedSystems:
OtherTechnology
Realisation
10
OverallInstallation &
CommissioningPlanning
OverallValidationPlanning
OverallOperation &Maintenance
Planning
8
9
76
Safety Requirements Allocation5
Back to appropriateOverall Safety Lifecycle
Phase
15
16 Decommissioning
13 Overall Safety Validation
Overall Operation & Maintenance14 Overall Modification & Retrofit
Overall Safety Lifecycle in IEC 61508
23
VU
T 6
.4.2
006
IEC 61508 - ownership of phases
PRE-DESIGN
(Phases 1 to 5)
OPERATION
(Phases 14 to 16)
DESIGN AND INSTALLATION(Phases 6 to 13)
End user / operator
End user / operator
Engineering Contractors/ Equipment
Supplier
24
VU
T 6
.4.2
006
Pre-Design : Phases 1 - 5
1 : Concept
2 : Overall Scope Definition
3 : Hazard Risk Analysis
4 : Overall Safety Requirements
5 : Safety Requirements
Allocation
Can you demonstrate that you have identified all your hazards?
Can you demonstrate that you are using adequate and correct methods of hazard protection?
25
VU
T 6
.4.2
006
Design & Implementation : Phases 6 - 13
Overall Planning
6 : Overall Operations and Maintenance Planning
7: Overall Validation Planning
8: Overall Installation & Commissioning Planning
9 : Safety Related
Systems : E/E/PES
12 : Overall Installation & Commissioning
13 : Overall Safety Validation
10 : Safety Related
Systems : Other
Technology
11 : External Risk
Reduction Facilities
How do you ensure competencies for all these activities?
Can you demonstrate that you pass the necessary information into these activities?
Can you demonstrate that all necessary information has been passed to you from these activities?
26
VU
T 6
.4.2
006
Operation : Phases 14 - 16
14 : Overall Operations and
Maintenance
15 : Overall Modification and
Retrofit
16 : Decommissioning
Can you demonstrate that you maintain / test / analyse your protective systems correctly?
Can you demonstrate that you are in control of your modification process?
27
VU
T 6
.4.2
006
Supply Chain
IEC
615
11
IEC
615
08 Requirement
SpecificationCommissioning
and Use
End User
System Designer –Integrator
Sub-systemDesigner
ComponentManufacturer
VU
T 6
.4.2
006
Risk
29
VU
T 6
.4.2
006
What is Risk?
• The probable rate of occurrence of a hazard causing harm
AND
• the degree of severity of the harm
– Qualitatively - Words
– Quantitatively - Figures
VU
T 6
.4.2
006
Risk cannot be justified except in extraordinary circumstances
Tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained
Necessary to maintainassurance that riskremains at this level
Unacceptable region
Broadly acceptable region
Negligible risk(No need for detailed working to demonstrate ALARP)
The ALARP or Tolerability region
As the risk is reduced the less, proportionately, it is necessary to spend to reduce it further. The concept of diminishing proportion is shown by the triangle.
(Risk is undertaken only if a benefit is desired)
Levels of Risk and ALARP(As Low As Reasonably Practicable)
31
VU
T 6
.4.2
006
32
VU
T 6
.4.2
006
Risk reduction: General concepts
Increasingrisk
Risk to meet Level of Safety
Plant Under Control risk
Necessary minimum risk reduction
Actual risk reduction
Risk reduction achieved by all protective systems & External Risk Reduction Facilities
Actual riskremaining
Partial risk covered by E/E/PES
protective systems
Partial risk covered by Other Technologysafety-related systems
Partial risk covered by External Risk
Reduction Facilities
33
VU
T 6
.4.2
006
SENSOR ACTUATORPROGRAMMABLE ELECTRONICS
Equipment (plant) Under
Control (EUC)
PESRS
Extent of Safety Related System
VU
T 6
.4.2
006
What is a Safety Related System (SRS) ?
• Any system that implements safety functions necessary to achieve a safe state for the “Equipment Under Control”, or to maintain it in a safe state.
Examples
VU
T 6
.4.2
006
Hazard Identification and Risk Analysis
A typical Methodology for Hazard Identification and Risk Analysis
(by the end user)
• Hazard studies and HAZOPs• Evaluate possible consequences• Establish tolerable frequencies vs ALARP• Build event chain• Estimate demand rates• Define protection required• Specify required SIL
VU
T 6
.4.2
006
“ Failure categories” in IEC 61508
• A = Random Hardware Failures
OR
• B = Systematic Failures
• specification;
• systematic hardware;
• software;
• maintenance;
• all failures that are not random
AB
VU
T 6
.4.2
006
Safety Integrity Level SIL
SAFETY INTEGRITY
LEVEL (SIL)
LOW DEMAND MODE OF OPERATION
(Probability of failure to perform its
designed function on demand)
CONTINUOUS/HIGH DEMAND MODE OF OPERATION (Probability of one dangerous failure per hour)
4 >= 10-5 up to < 10-4 >= 10-9 up to < 10-8 h-1
3 >= 10-4 up to < 10-3 >= 10-8 up to < 10-7 h-1
2 >= 10-3 up to < 10-2 >= 10-7 up to < 10-6 h-1
1 >= 10-2 up to < 10-1 >= 10-6 up to < 10-5 h-1
PFD PFHProbability of Failure on
DemandProbability of Failure per
Hour
38
VU
T 6
.4.2
006
Risk and Determination of Safety Integrity Levels
Basic
Design
Unacceptable
NoProtection
SIL 4SIL 3SIL 2SIL 1
Incr
easi
ng S
ever
ity
Increasing Likelihood
39
VU
T 6
.4.2
006
Risk Reduction Requirements
Safety Integrity Level
Risk Reduction
1 10-100
2 100 – 1,000
3 1,000 – 10,000
4 10,000 – 100,000
40
VU
T 6
.4.2
006
Reliability, Failure Rate and Availability at each level
SIL 1
SIL 2
SIL 3
SIL 4
Reliability Probability of failure on demand
Trip Unavailable (per year)
90% - 99% 0.1 to 0.01 876 to 87.6hrs
99% - 99.9% 0.01 to 0.001 87.6 to 8.76hrs
99.9% - 99.99%
0.001 to 0.0001 8.76hrs to 52.6 mins
99.99% - 99.999
%
0.0001 to 0.00001 52.6 mins to 5.3 mins
41
VU
T 6
.4.2
006
Protective System Technology
Standard components, single channel or twin non-diverse channelsSIL 1
Standard components, 1 out of 2 or 2 out of 3, possible need for some diversity. Allowance for common-cause failures needed
SIL 2
Multiple channel with diversity on sensing and actuation. Common-cause failures a major consideration. Should rarely be required in Process Industry
SIL 3
Specialist design. Should never be required in the Process IndustrySIL 4
VU
T 6
.4.2
006
Determined to achieve the correct SIL level...
VU
T 6
.4.2
006
• Various methods available:• Qualitative risk graph• Calibrated risk graph (methodology only –
not definitive)• Layer Of Protection Analysis (LOPA)• Hazardous event severity Matrix • Quantified Risk Analysis (QRA)
• Which one to use? Develop your own?
SIL assessment
VU
T 6
.4.2
006
Calculation of PFDAVG
35% of PFDAvg SE
15% of PFDAvg LS
50% of PFDAvg FE
Distribution of the Failure Measures
35 % Sensors + 15 % Logic solver + 50 % Final elements
VU
T 6
.4.2
006
35 % 15% 50%
PFD-figures for a HIMA system, example
VU
T 6
.4.2
006
RC/AK according DIN V VDE 19250SIL according IEC 61508
consequencerisk
parameter
minor injuryno influence
to the environment
possibilityof avoidinghazardous
events
frequency& exposure
time
probability of theunwanted occurrence
very slightrelativelyhigh
slight
dead of 1 personrare
frequent
periodic influenceto the environment
dead toseveral people
permanent influenceto the environment
disaster
rare
frequent
possible
notpossible
possible
notpossible
requirement classes
RC or AK
Safety IntegrityLevels (SIL)IEC 61508
Risk Graph acc. DIN V VDE 19250
VU
T 6
.4.2
006
Concept of layers of protection acc. IEC 61511
PROCESS
CONTROL and MONITORINGBasic process control systems
Monitoring systems (process alarms)Operator supervision
PREVENTIONMechanical protection system
Process alarms with operator corrective actionSafety instrumented control systems
Safety instrumented prevention systems
MITIGATIONMechanical mitigation systems
Safety instrumented control systemsOperator supervision
PLANT EMERGENCY RESPONSEEvacuation procedures
COMMUNITY EMERGENCY RESPONSEEmergency broadcastingLOPA
VU
T 6
.4.2
006
Hazardous event severity Matrix
49
VU
T 6
.4.2
006
Funkční bezpečnost
Část celkové bezpečnosti týkající se EUC a systému řízení EUC závislá na správném fungování E/E/EP systémů souvisejících s bezpečností, systémech souvisejících s bezpečností založených na jiných technických principech a vnějších prostředcích pro snížení rizika