Functional Safety (SIL) | Istec International

  • Slides: 49

Functional Safety (Istec International)

Functional Safety (SIL)

- What is Functional Safety
- SIL Classification
- Impact on the organization
- Functional Safety Considerations
- How can we benefit
- Service
- Discussion
- Movie

Istec International BV | rotating, instrumentation and consultancy

“Functional Safety is achieved by using an active safety system designed to maintain the highest safety level required to prevent human, environmental and financial losses”

Note: Functional Safety Management is the use of methods to prevent systematic failures during the design and use of safety systems.

What is Functional Safety

- The process is also known as SIL and is used to design:
  - Safety Instruments (SI) (IEC 61508)
  - Safety Instrumented Systems (SIS) (IEC 61511)

What is Functional Safety: IEC 61508

- Functional Safety of electrical/electronic/programmable electronic safety-related systems

What is Functional Safety: IEC 61511

- Safety Instrumented Systems for the process industry sector

What is Functional Safety: LOPA (Layer of Protection Analysis)

What is Functional Safety? Safety Instruments (IEC 61508) / Safety Instrumented Systems (IEC 61511)

- Is SIL required by law?
  - IEC 61508 and IEC 61511 are guidelines, not directives
  - ATEX is a directive
  - The Machinery Directive is a directive
  - The Pressure Equipment Directive is a directive
  - Implementing relevant (state-of-the-art) safety systems and maintaining their functionality is required!
  - Case law: guidelines can be used as a reference in court.

What is Functional Safety? Safety Instruments (IEC 61508) / Safety Instrumented Systems (IEC 61511)

- Is SIL required by law?
  - E.g. under the UK Health & Safety Regulations it is vitally important that any organization designing, building, testing and installing components or systems for safety-related applications has corporate policies and functional safety management procedures to ensure the integrity and provenance of the product.
  - The reduction of risk is a legal requirement.
  - The IEC 61508 standard is voluntary.
  - It provides an excellent framework to work within.
  - Along with other standards, it is a good basis for company procedures and policies.

What is Functional Safety? Safety Instruments (IEC 61508) / Safety Instrumented Systems (IEC 61511)

- Is SIL required by law?
  - The Machinery Directive, with the listed harmonized standards, defines the Essential Health and Safety Requirements (EHSR) for machinery at European Union level. The IEC 61508 standard is voluntary.
  - The EHSR state that machine manufacturers must apply the following principles in the given order:
    1. Eliminate or minimize hazards as much as reasonably possible by considering safety aspects in the machine design and construction phases.
    2. Apply the necessary protection measures against hazards that cannot be eliminated.
    3. Inform users of the risks that remain despite all feasible protection measures being taken.
    4. Specify any requirements for training or personal protective equipment.

SIL Classification

- SIL is divided into levels; low risk can be SIL 1, high risk can be SIL 3 or even 4.
- The SIL level defines the reduction of the risk that a SIS fails dangerous: the Probability to Fail Dangerous (PFD).
- A dangerous failure of the instrument is minimized in the design process of the instrument or by using proven concepts.

SIL Classification

SIL | Generalized impact                             | Probability of Failure on Demand (PFD) | Probability of success on demand | Risk Reduction Factor (RRF)
4   | Catastrophic human and/or environmental impact | 10^-4 to 10^-5                         | 99.99% to 99.999%                | 10,000 to 100,000
3   | Human and/or environmental impact              | 10^-3 to 10^-4                         | 99.9% to 99.99%                  | 1,000 to 10,000
2   | Major financial impact, possible injury        | 10^-2 to 10^-3                         | 99% to 99.9%                     | 100 to 1,000
1   | Minor financial impact                         | 10^-1 to 10^-2                         | 90% to 99%                       | 10 to 100

Impact on the organization: Culture

Impact on the organization: Budget

Impact on the organization: Liability

Impact on the organization: Liability Cases

- Violation of occupational safety regulations.
  - An employee dies at work. The heirs, together with the local government regulating compliance with health and safety regulations, sue the employer for failure to comply with the local legislation.
- Accident at work.
  - An employee of a company specialized in the processing of timber suffers the amputation of 3 phalanxes while cleaning a machine. Local authorities find that the wood cutting machine was devoid of suitable protective equipment.
- Environmental damage.
  - A company operates in the cosmetics industry. Municipal authorities find out that a large amount of pollutant material has been poured out of an old pipeline system into the public sewer system. The management and the owners of the company are sued by the local authorities for environmental damage, bad administration and damage to the good name of the company. During the trial it was proven that the board was aware of the bad condition of the pipelines but nothing was done to limit the damage.
- Damage to the consumer from contaminated product.
  - Directors of a food-producing and freezing company are sued for violation of the local legislation on long-life product conservation. In this case, the company did not produce and stock the product in conformance with food hygiene and long-life regulations.

Increasing Liability (Allianz): “Directors & Officers’ Liability Increasing as Shareholder and Regulator Activism Rises Globally, According to New Allianz Report”

Impact on the organization: Effort

Impact on the organization: Direct exposure to risk

Impact on the organization: Documentation

Functional Safety Considerations

- End user's responsibility!
- Establish how to protect the application
- SIL level of the Safety Function (HAZOP)
- Hardware Fault Tolerance / Voting
- Safe Failure Fraction / Undetected Failures
- Type A or B (Low Demand or High Demand)
- Establishing the SIL level

Functional Safety Considerations: Architecture / Voting

Architecture | Redundancy    | HFT
1oo1         | No redundancy | 0
1oo2         | Dual          | 1
2oo2         | No redundancy | 0
1oo3         | Triple        | 2
2oo3         | Triple        | 1
2oo4         | Quadruple     | 2

Table 3: Redundancy versus HFT

Functional Safety Considerations: SFF (Safe Failure Fraction)

- Safe Detected (SD)
- Safe Undetected (SU)
- Dangerous Detected (DD)
- Dangerous Undetected (DU)

Functional Safety Considerations: Architectural Constraints

Table 1: Architectural Constraints, Type A subsystem

Safe Failure Fraction (SFF) | HFT 0 | HFT 1 | HFT 2
< 60%                       | SIL 1 | SIL 2 | SIL 3
60% - < 90%                 | SIL 2 | SIL 3 | SIL 4
90% - < 99%                 | SIL 3 | SIL 4 | SIL 4
> 99%                       | SIL 4 | SIL 4 | SIL 4

Table 2: Architectural Constraints, Type B subsystem

Safe Failure Fraction (SFF) | HFT 0 | HFT 1 | HFT 2
< 60%                       | N.A.  | SIL 1 | SIL 2
60% - < 90%                 | SIL 1 | SIL 2 | SIL 3
90% - < 99%                 | SIL 2 | SIL 3 | SIL 4
> 99%                       | SIL 3 | SIL 4 | SIL 4
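To turn the SFF definition and Tables 1 to 3 into a check an engineer can actually run, here is an added Python example; it is not Istec or Meggitt code, the failure rates in it are constructed sample values, and the choice that exactly 99% belongs to the top band (the slide writes "> 99%") is the example's own assumption. It computes the SFF from the four failure-rate classes, looks up the highest SIL the architectural constraints allow for a given voting architecture (via Table 3 for the HFT), and, the other way round, reports the smallest HFT that reaches a target SIL.

```python
"""Safe Failure Fraction and the architectural constraints tables.

Added example for the SFF / HFT slides; not Istec or Meggitt code.
Failure rates are constructed sample values in failures per hour (only
the ratios matter). Tables 1-3 are transcribed from the deck; treating
exactly 99% as the top band is an assumption of this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FailureRates:
    """Per-hour failure rates split the way the SFF slide lists them."""
    sd: float  # safe detected
    su: float  # safe undetected
    dd: float  # dangerous detected
    du: float  # dangerous undetected

    def sff(self) -> float:
        """SFF = (lambda_SD + lambda_SU + lambda_DD) / (sum of all four)."""
        total = self.sd + self.su + self.dd + self.du
        if total <= 0:
            raise ValueError("total failure rate must be positive")
        return (self.sd + self.su + self.dd) / total


# Table 3: voting architecture -> hardware fault tolerance
HFT_BY_ARCHITECTURE = {"1oo1": 0, "1oo2": 1, "2oo2": 0, "1oo3": 2, "2oo3": 1, "2oo4": 2}

# SFF bands in the row order of Tables 1 and 2: <60%, 60-<90%, 90-<99%, >=99%
SFF_BAND_UPPER = (0.60, 0.90, 0.99, float("inf"))

# Tables 1 (Type A) and 2 (Type B): MAX_SIL[type][band][hft]; None = not allowed
MAX_SIL = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (4, 4, 4)),
    "B": ((None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}


def sff_band(sff: float) -> int:
    """Row index of Tables 1/2 for a given SFF."""
    for band, upper in enumerate(SFF_BAND_UPPER):
        if sff < upper:
            return band
    raise AssertionError("unreachable: last band is open-ended")


def max_sil(subsystem_type: str, rates: FailureRates, architecture: str) -> Optional[int]:
    """Highest SIL the architectural constraints allow for this subsystem."""
    hft = HFT_BY_ARCHITECTURE[architecture]
    return MAX_SIL[subsystem_type][sff_band(rates.sff())][hft]


def required_hft(subsystem_type: str, rates: FailureRates, target_sil: int) -> Optional[int]:
    """Smallest HFT that reaches target_sil, or None if no HFT up to 2 does."""
    row = MAX_SIL[subsystem_type][sff_band(rates.sff())]
    for hft, sil in enumerate(row):
        if sil is not None and sil >= target_sil:
            return hft
    return None


def architectures_with_hft(hft: int) -> List[str]:
    """Voting schemes from Table 3 that provide exactly this HFT."""
    return sorted(a for a, h in HFT_BY_ARCHITECTURE.items() if h == hft)


if __name__ == "__main__":
    # constructed sample: a Type B (microprocessor-based) transmitter
    tx = FailureRates(sd=100e-9, su=50e-9, dd=400e-9, du=50e-9)
    print(f"SFF = {tx.sff():.1%}")                         # 91.7%
    print("1oo1 max SIL:", max_sil("B", tx, "1oo1"))       # 2
    print("2oo3 max SIL:", max_sil("B", tx, "2oo3"))       # 3
    h = required_hft("B", tx, 3)
    print("HFT for SIL 3:", h, architectures_with_hft(h))  # 1 ['1oo2', '2oo3']
```

In practice the four λ values come from the instrument's safety manual or certificate; the example shows why the same Type B transmitter that is limited to SIL 2 in 1oo1 reaches SIL 3 only once it is voted 1oo2 or 2oo3, and why a Type B device below 60% SFF is not usable at all without redundancy.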

Implementing a SIF (Safety Instrumented Function)

Which guideline? Hardware

- New hardware development
- Use hardware based on proven in use, or use hardware developed and assessed according to IEC 61508
- Follow IEC 61511

Proven in Use: IEC 61511 versus IEC 61508 certification

- Initially, when IEC 61511 was released (2000), only a limited number of IEC 61508 certified instruments were available.
- Proven in Use was the only option.
- Now thousands of IEC 61508 certified instruments exist.
- Two conditions need to be taken into account:
  - Application environment compatibility.
  - Safety Integrity.

Proven in Use versus IEC 61508 certification

- Proven in use by end-users is still very common practice.
  - Large installed base, too expensive to replace, application reliability data available.
  - No IEC 61508 certified product is available for the application.

Example: Proven in Use versus IEC 61508 certification

- Application: low RPM VSD cooling tower
  - Measuring unit mm/s
  - OEM trip limits defined in mm
  - The relation between measured signal and trip limit is speed dependent.
  - Incidents with dangerous structural damage without prior warning occurred in the past.

Example: Proven in Use versus IEC 61508 certification

- Specifications, competitive products
  - Measuring up from 1 Hz
  - Trip levels speed independent
  - SIL 2 certified.
- Conclusion
  - SIL certified
  - The solution does not cover the requirement
  - The SIS invalidates the SIL certificate for this application.
  - The Machinery Directive states: an application-suited solution!

Example: Proven in Use versus IEC 61508 certification

- Specifications VSV-300
  - Measuring up from 0.1 Hz
  - Trip levels speed dependent
  - Known manufacturer with an excellent track record.
- Conclusion
  - Not SIL certified
  - The solution covers the requirement (Machinery Directive)!
  - The SIS (incorporating the failure mode and the dangerous undetected failures λDU) overrules the SIL requirement.

Example: Proven in Use versus IEC 61508 certification

- Application: variable low speed mixer, 30 - 90 RPM
  - Measuring unit mm/s.
  - The relation between measured signal and trip limit is speed dependent.
  - The customer, as OEM, is responsible for supplying a system as per the Machinery Directive.

Example: Proven in Use versus IEC 61508 certification

- Specifications, competitive products
  - Simple 4-20 mA transmitter (1 Hz to 1000 Hz).
  - SIL 2 certified.
  - No Safety Manual available.
- Conclusion
  - SIL certified.
  - Does not cover the requirement; not compliant with the Machinery Directive.
  - The SIS (incorporating the failure mode and λDU) invalidates the SIL certificate for this application.

Example: Proven in Use versus IEC 61508 certification

- Specifications VSV-300
  - Measuring up from 0.1 Hz.
  - Trip levels speed-dependent.
  - Known manufacturer with a proven track record.
- Conclusion
  - Not SIL certified.
  - The solution covers the requirement (Machinery Directive)!
  - The SIS (incorporating the failure mode and the dangerous undetected failures λDU) overrules the SIL requirement for this application.

Example: Proven in Use versus IEC 61508 certification

- Application: large petrochemical site, Sabic Geleen
  - Replacement of BN 3300.
  - Condition Monitoring.
  - Over 200 channels of Machine Protection and Condition Monitoring.
  - For a number of channels SIL 1 is required.
  - Future requirement SIL 2.
  - SIL 3 overspeed.

Example: Proven in Use versus IEC 61508 certification

- Specifications, competitive products
  - BN 3500 for protection and System 1 for Condition Monitoring
  - SIL 1
  - SIL 3: BN 3500 Overspeed
- Conclusion
  - Although SIL certified, the solution has been certified based on proven in use. The product design is over 20 years old, with no recent development going on.
  - The expected obsolescence life cycle is unknown. BN 3500 overspeed was recently discontinued for SIL overspeed monitoring.

Example: Proven in Use versus IEC 61508 certification

- Specifications VM-600 / Istec
  - Universal monitoring card.
  - SIL 1 certified, SIL 2 under development.
  - Competence on SIL and therefore able to scale down the SIL requirements.
  - Certified Functional Safety engineering.
- Conclusion
  - Due to the proven continuous ongoing development of the VM-600, the Meggitt life cycle statement and the competence on Functional Safety, the customer selected Meggitt.
  - The long-term customer relation added to the success!

Service and after sales

- Fail Dangerous causes are called Dangerous Undetected failures (λDU).
- Once a SIS is implemented and the process is operational, a maintenance plan has to be in place to maintain the integrity of the SIS. There are three ways to do this:
  1. Diagnostic Test
  2. Partial Proof Test
  3. Full Proof Test

Service and after sales: Diagnostic Test

- An integrated automated test function of the SI (when available).
- Diagnostic tests take place during active process conditions and are focused on the instrument function itself, not on the SIS.
- 100% coverage will never be achieved.
- With a diagnostic test the SIL level degrades.
- How fast it degrades depends on the test coverage.

Service and after sales: Partial Proof Test

- On a scheduled interval.
- Manual interaction.
- Partially covers the SIS functionality.
- 100% coverage can never be achieved.
- The SIL level will degrade over time.
- The rate of degradation depends on the Partial Proof Test coverage.

Service and after sales: Full Proof Test

- Scheduled interval.
- Manual interaction.
- The Proof Test covers 100% of the SIS functionality.
- All dangerous failure modes will be covered.
- The SIL level will return to its original design values.
- After the Full Proof Test the SIL degradation will start again.
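The three maintenance slides describe the PFD rising between tests and being reset, fully or in part, by a proof test. The following added Python example (not Istec or Meggitt code) makes that sawtooth concrete for a 1oo1 subsystem in low-demand mode and maps the resulting average PFD back onto the SIL bands of the classification table. The model is the simplified one commonly used for 1oo1 low-demand subsystems (PFDavg ≈ λDU·T/2, repair time neglected, a partial test resetting only the covered share of λDU) and is an assumption of this example, as are the constructed λDU value and the use of the 5-year interval quoted later for the MPC4 SIL card as the full proof test interval.

```python
"""PFD growth between proof tests for a 1oo1 subsystem in low-demand mode.

Added example for the diagnostic / partial / full proof test slides; it is
not Istec or Meggitt code. Model assumptions of this example:
  - only dangerous undetected failures (lambda_DU) accumulate between tests
  - diagnostics with coverage DC leave lambda_DU = (1 - DC) * lambda_D
  - a partial proof test with coverage PTC resets the covered share of lambda_DU
  - a full proof test resets the subsystem to as-new (instantaneous PFD = 0)
  - PFDavg over an interval T ~ lambda_DU * T / 2 (repair time neglected)
"""
import math
from typing import List, Optional, Tuple

HOURS_PER_YEAR = 8760

# SIL bands from the deck's classification table: (lower PFD, upper PFD, SIL)
SIL_BANDS = ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1))


def sil_from_pfd(pfd: float) -> Optional[int]:
    """Map an average PFD onto its SIL band (None = outside SIL 1 to SIL 4)."""
    for lower, upper, sil in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return None


def risk_reduction_factor(pfd: float) -> float:
    """RRF column of the table: the reciprocal of the PFD."""
    return 1.0 / pfd


def lambda_du_with_diagnostics(lambda_d: float, diagnostic_coverage: float) -> float:
    """Diagnostic tests turn the covered share of dangerous failures into
    dangerous *detected* ones; only the remainder keeps accumulating."""
    return (1.0 - diagnostic_coverage) * lambda_d


def pfd_avg_1oo1(lambda_du: float, t_full: float,
                 t_partial: Optional[float] = None, ptc: float = 0.0) -> float:
    """Average PFD over the full proof test interval (hours).

    With a partial proof test of coverage ptc every t_partial hours, the
    covered share of lambda_DU only accumulates over t_partial, the rest over
    t_full:  PFDavg ~ ptc*lambda_DU*t_partial/2 + (1-ptc)*lambda_DU*t_full/2.
    """
    if t_partial is None or ptc == 0.0:
        return lambda_du * t_full / 2.0
    return ptc * lambda_du * t_partial / 2.0 + (1.0 - ptc) * lambda_du * t_full / 2.0


def pfd_profile(lambda_du: float, t_full: float, horizon: float, step: float,
                t_partial: Optional[float] = None, ptc: float = 0.0) -> List[Tuple[float, float]]:
    """Instantaneous PFD at each step: the sawtooth that a full proof test resets
    to the as-new value and that a partial proof test resets only in part."""
    profile = []
    t = 0.0
    while t <= horizon:
        age_full = t % t_full                                   # hours since last full test
        age_partial = (t % t_partial) if t_partial else age_full  # hours since last partial test
        # covered and uncovered dangerous failures are independent, so the
        # probability of having none is the product of the two survivals
        survived = math.exp(-ptc * lambda_du * age_partial) * \
                   math.exp(-(1.0 - ptc) * lambda_du * age_full)
        profile.append((t, 1.0 - survived))
        t += step
    return profile


if __name__ == "__main__":
    lam_du = 6e-7                     # constructed: 600 FIT dangerous undetected
    t_full = 5 * HOURS_PER_YEAR       # 5-year full proof test interval
    base = pfd_avg_1oo1(lam_du, t_full)
    with_partial = pfd_avg_1oo1(lam_du, t_full, t_partial=HOURS_PER_YEAR, ptc=0.6)
    print(f"full test every 5 y:    PFDavg={base:.4f} RRF={risk_reduction_factor(base):.0f} "
          f"-> SIL {sil_from_pfd(base)}")                       # 0.0131, RRF 76, SIL 1
    print(f"+ annual partial (60%): PFDavg={with_partial:.4f} "
          f"RRF={risk_reduction_factor(with_partial):.0f} "
          f"-> SIL {sil_from_pfd(with_partial)}")               # 0.0068, RRF 146, SIL 2
    for t, p in pfd_profile(lam_du, t_full, 2 * t_full, HOURS_PER_YEAR):
        print(f"year {t / HOURS_PER_YEAR:2.0f}: PFD={p:.4f}")   # climbs, resets at year 5
```

The output shows the point the slides make: with only a 5-year full proof test the sample subsystem averages in the SIL 1 band, and adding an annual partial proof test of 60% coverage pulls the average into the SIL 2 band without changing the hardware; the profile shows the instantaneous PFD climbing every year and dropping back to zero at the full test.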

Service and after sales: Full Proof Test

Service and after sales: Full Proof Test

- How to define the scope for a proof test:
  - Analysis of the application.
  - Define the undetected failure modes.
  - Read the Safety Manual for compliance with the application.
  - Define procedures and reporting.
  - Perform tests; where human interaction is required, use the four-eyes principle.
  - The end user is responsible for safety and needs to sign off on the test reports, accepting the results.

Service and after sales: Full Proof Test

- Safety Manual VM-600 attention points

Service and after sales: Full Proof Test

- Safety Manual VM-600 attention points
  - If any safety-relevant signal is to be shared between VM-600 cards in the same rack, then this function must be performed by external cabling using the buffered (raw) output from the IOC4T.

Service and after sales: Full Proof Test

- Safety Manual VM-600 attention points
  - Proof test interval and product lifetime
  - A safety MPC4 (MPC4 SIL) card has a proof test interval of 5 years.
  - That is, as a SIL-certified product operating in the low demand mode in a safety instrumented system (safety-related system), it has a product lifetime of 5 years.
  - At the proof test interval, or earlier, an MPC4 SIL card used in a SIS must be either proof tested or replaced in order to ensure that the card is working and performing as expected (with no faults).
  - To ensure the highest standards of reliability and risk reduction, Meggitt SA has elected to replace an MPC4 SIL card used in a safety-related system at the proof test interval (end of product lifetime).
  - Every 5 years, an MPC4 SIL card used in a SIS must be returned to Meggitt SA for replacement.

Service and after sales: Full Proof Test

- Human interaction
  - Prevent human interaction as much as possible.
  - Use calibrated tools.
  - Use tools suited for the application.
  - When human interaction is required, use the four-eyes principle.

Discussion

Movie: US Chemical Safety Board (CSB), BP

Literature: Standards

- IEC 61508 - The IEC standard covering Functional Safety of electrical/electronic/programmable electronic safety-related systems.
- IEC 61511 - The IEC standard for the use of electrical/electronic/programmable electronic safety-related systems in the process industry.