6.1.11 webinar presentation

Upload: sergio-a-rdz-f

Post on 04-Jun-2018


TRANSCRIPT

  • 8/14/2019 6.1.11 Webinar Presentation

    Slide 1/45

    Copyright Exida Consulting LLC [email protected] / 267-261-1500

    Applying IEC 61511 to Industrial Turbines

    Chris O'Brien

  • Slide 2/45: Chris O'Brien

    Chris O'Brien is a Partner with Exida Consulting. He has over 20 years of experience in the design, manufacturing and marketing of process automation, reserve power systems, and safety-related equipment. He focuses on supporting new and existing customers with their implementation of the IEC 61508 and IEC 61511 functional safety standards, as well as reliability analysis for mechanical devices.

    He was formerly Vice President of the Power Systems Business Unit of C&D Technologies, a business that specialized in the design and implementation of high-reliability backup power systems. Prior to that, he was with Moore Products/Siemens Energy and Automation, where he held several positions including General Manager of the Instrumentation Division.

    Chris is the author of "Final Elements and the IEC 61508 and IEC 61511 Functional Safety Standards" and has been awarded 5 patents, including a patent for the industry's first safety-rated pressure transmitter. He has a Bachelor's in Mechanical Engineering from Villanova University.

  • Slide 3/45: Topics

    1. The application of IEC 61511 to industrial turbines
    2. Demonstrating compliance with regulations
    3. Strategies for effective implementation of IEC 61511
    4. Questions

  • Slide 4/45: Application of IEC 61511 to Turbine Applications

    There has been some discussion as to whether turbines should be treated under machinery or process safety standards.

    - For hazards such as crushing or burning, machinery safeguarding standards should be applied.
    - For hazards such as explosion or overspeed, process safety standards (IEC 61511) should be applied.

  • Slide 5/45: API 670 Machinery Protection Systems

    A new revision of API 670 is in development and is expected to be released in late 2011 or early 2012. Key provisions of the new standard include:

    - API 670 will reference the IEC standards for functional safety (IEC 61508, IEC 61511, and IEC 62061).
    - Tolerable risk is a function of the operating company and local legislation.
    - SIL targeting is a function of tolerable risk, equipment, and site-specific considerations.
    - API 670 has a major focus on testing and diagnostics (automatic diagnostics for everything from the sensor through the trip block, proof testing on the final element). Speed of response is part of the test requirements.

  • Slide 6/45: Forces Influencing SIL Adoption

    Diagram: Turbine Protection Systems at the centre, influenced by four forces:

    - National Standards and Regulation
    - Application Standards
    - Customer Expectations
    - Competitive Offering

  • Slide 7/45: Industrial SIL Drivers

    Industrial               North America  South America  Europe  Asia  ROW
    National Regulations     ++             +              +++     +     +
    Application Standards    ++             +              +++     +     +
    Customer Expectations    +++            +              +++     ++    ++
    Competitive Offering     +++            +              +++     ++    ++

    Legend:
    -    Not required
    +    Occasional requirement
    ++   Typical requirement
    +++  Extensive requirement

  • Slide 8/45: Power Market SIL Drivers

    Power Market             North America  South America  Europe  Asia  ROW
    National Regulations     +              -              ++(+)   -     +
    Application Standards    +              -              ++(+)   -     +
    Customer Expectations    +              +              +++     +     +
    Competitive Offering     ++             +              +++     +     +

    Legend:
    -    Not required
    +    Occasional requirement
    ++   Typical requirement
    +++  Extensive requirement


  • Slide 10/45: Demonstrating Compliance

  • Slide 11/45: Why is There a Need for a Standard?

    - To provide a safer working environment for people, that is, to save lives.
    - To protect investments in plant and equipment and ensure continuous operations, that is, to save money.
    - To demonstrate compliance with regulatory requirements, that is, to avoid fines.

  • Slide 12/45: How Could a Standard Help?

    - Documents industry best practice
    - Provides consistency across organizations: OEMs, integrators, end users, EPCs
    - Less likely to miss a key step if you are following a step-by-step method
    - Common or known mistakes are explicitly addressed

  • Slide 13/45: Functional Safety Lifecycle

    Diagram of the lifecycle stages and the question each one answers:

    - Hazard Identification: What can go wrong? (PHA/HAZOP)
    - Risk Analysis & SIL Selection: How bad can it be? (LOPA)
    - Safety Requirements: What needs to be done?
    - SIL Verification: How reliable is it?
    - SIL Sustain: How to keep it safe?

  • Slide 14/45: Safety Lifecycle IEC 61511

    Diagram of the IEC 61511 safety lifecycle with the governing clauses.

    Spanning all phases:
    - Management of Functional Safety and Functional Safety Assessment [Clause 5]
    - Safety Lifecycle Structure and Planning [Clause 6.2]
    - Verification [Clause 7 & Clause 12.7]

    Analysis:
    - Process Hazard & Risk Analysis [Clause 8]
    - Allocate Safety Function to Protection Layers [Clause 9]
    - SIS Safety Requirements Specification [Clauses 10 & 12]

    Realisation:
    - SIS Design and Engineering [Clauses 11 & 12]
    - SIS FAT [Clause 13]
    - SIS Installation & Commissioning [Clause 14]
    - SIS Safety Validation [Clause 15]

    Operation:
    - SIS Operation & Maintenance [Clause 16]
    - SIS Modification [Clause 17]
    - SIS Decommissioning [Clause 18]

    Project stage labels along the diagram: FEED, Concept, Design & Build, Test, Install, Manage, Validate, Proof Test.

  • Slide 15/45: Safety Integrity Level

    SIL 4 / SIL 3 / SIL 2 / SIL 1

    Safety Integrity Level is used THREE ways:

    - To establish risk reduction requirements
    - To set probabilistic limits for hardware random failure
    - To establish engineering procedures to prevent systematic design errors

  • Slide 16/45: Implications of IEC 61511

    - Use of an appropriate SIL determination methodology
    - Use of a high-integrity automated safety system as the means of protecting against a hazard
    - Intentionally separating, both physically and electrically, the safety system from basic process control
    - Completion of periodic proof testing in accordance with procedures established during the protection system's design
    - Documented proof that regularly scheduled protection system reviews were conducted per applicable regulatory and standards requirements

  • Slide 17/45: Compliance Requirements

    Diagram: SIL Capability, Probability of Failure and Architectural Constraints together lead to Compliance.

  • Slide 18/45: Meeting Requirements

    Requirement                Strength                              Methodology
    SIL Capability             Strength against systematic failure   Certification or Proven in Use Analysis
    Probability of Failure     Strength against random failure       PFD Calculation
    Architecture Constraints   Strength against undetected failures  SFF, Redundancy

  • Slide 19/45: IEC 61511 Type Certification

    (Image only.)

  • Slide 20/45: Effective Implementation

    - Benchmark Study
    - Gap Resolution Plan
    - Develop Project Functional Safety Management Plan
    - System Design
    - Implementation
    - Operation and Maintenance

  • Slide 21/45: Benchmark Study Focus

    - Safety Management
    - Safety Lifecycle
    - Risk Assessment
    - SIL Selection
    - Safety Requirements Specification
    - Safety Instrumented System Design
    - Safety Integrity Level Verification
    - SIS Software Design
    - SIS Software Verification
    - SIS Factory Acceptance Test
    - SIS Installation and Commissioning
    - SIS Validation
    - SIS Operation and Maintenance
    - SIS Modification and Decommissioning
    - SIS Documentation

  • Slide 22/45: Sample Benchmark Study

    (Image only.)

  • Slide 23/45: Typical Gaps

    - No structured process
    - No agreed-upon tolerable risk
    - Poor communication across organizations
    - Missing or incomplete documentation
    - Non-SIL-rated equipment
    - Not including all components
    - Unrealistic modeling assumptions
    - Incorrectly modeled shared equipment

  • Slide 24/45: Establish a Process

    Responsibility matrix for the general safety management and safety lifecycle activities: who performs the Assessment and who owns the Documentation for each plant component (Gas Turbine, Steam Turbine, HRSG, BOP).

    Safety Lifecycle Activity                  Gas Turbine        Steam Turbine      HRSG               BOP
                                               Assess.  Doc.      Assess.  Doc.      Assess.  Doc.      Assess.  Doc.
    Risk Assessment                            Exida    OEM       TBD      OEM       Exida    OEM       Exida    EPC
    SIL Selection                              Exida    OEM       TBD      OEM       Exida    OEM       Exida    EPC
    Safety Requirement Specification (SRS)     Exida    OEM       TBD      OEM       Exida    OEM       Exida    EPC
    SIS Design                                 Exida    OEM       TBD      OEM       Exida    OEM       Exida    EPC
    SIL Verification                           Exida    OEM       TBD      OEM       Exida    OEM       Exida    EPC
    SIS Software SRS                           Exida    OEM       TBD      OEM       Exida    OEM       Exida    EPC
    SIS Software Verification                  Exida    OEM       TBD      OEM       Exida    OEM       Exida    EPC
    SIS Factory Acceptance Test (FAT)          Exida    OEM       TBD      OEM       Exida    OEM       Exida    EPC
    Installation and Commissioning             Exida    OEM       TBD      OEM       Exida    OEM       Exida    EPC
    Validation / Site Acceptance Test (SAT)    Exida    OEM       TBD      OEM       Exida    OEM       Exida    EPC
    Unit Functional Safety Assessment          Exida    OEM       TBD      OEM       Exida    OEM       Exida    EPC

    Plant-level activities, assigned among Plant Owner, Exida (plant level) and OEM:
    - Operation and Maintenance Planning / SIS Documentation
    - SAT/SIT Verification
    - Site Functional Safety Assessment
    - Commercial Delivery of Plant
    - Operations and Maintenance
    - Modification
    - Decommissioning

  • Slide 25/45: SIS Project V-Model

    Copyright exida.com LLC 2001-2011

    V-model diagram. Left (specification and design) leg, top to bottom:
    - Conceptual Design
    - Safety Requirements Specification
    - Hardware Detailed Design / Software Detailed Design
    - Hardware Build / Software Configuration

    Right (test) leg, bottom to top:
    - Hardware Internal Testing / Software Internal Testing
    - Internal Integrated Testing
    - Factory Acceptance Testing
    - Site Acceptance Testing

    Verification (V) markers connect each design step to the test step opposite it; VALIDATION is marked across the top of the V.

  • Slide 26/45: Functional Safety Documents

    Functional Safety Management Plan
    - Details top-level requirements, i.e. description of competency, independence
    - Addresses all phases of the safety lifecycle
    - Clear description of handoffs between phases and groups
    - Appendixes contain information that is needed throughout a project: definitions, SIL levels

    Group Procedure
    - Process description for the relevant phase
    - Inputs required
    - Outputs delivered

    Project Plan
    - Tracking document for each project: who, what, when, where, how
    - Sign-offs

  • Slide 27/45: FSM Plan

    Diagram: the FSM Plan asks "FSM Required?" and then branches into the Analysis, Design, and Operation and Maintenance phases; Analysis is broken down into HAZOP and SRS. Group Procedures and the Project Plan are shown alongside the phases.

  • Slide 28/45: Non SIL Rated Equipment

    IEC 61508 applies to automatic protection systems (M)/E/E/PE:

    "In every case, the standard applies to the entire E/E/PE safety-related system (for example from sensor, through control logic and communication systems, to final actuator, including any critical actions of a human operator). For safety functions to be effectively specified and implemented, it is essential to consider the system as a whole."

    - Provides measures of protection against random hardware failures and systematic design failures
    - Per IEC 61511 all equipment must be assessed per IEC 61508 or justified based on proven in use

  • Slide 29/45: Proven in Use Requirements

    - Places the burden on the equipment user
    - Difficult to collect statistically meaningful data
    - Requires formal functional safety assessment for SIL 3 applications: the user performs the IEC 61508 assessment on the equipment

  • Slide 30/45: Not Including All Components

  • Slide 31/45: Overview of SIL 3 Turbine Solutions

            Marketed SIL Rating  Sensors         PLC              Trip Block / Final Element
    MFG 1   SIL 3                Up to 2oo3      SIL 3 Certified  Not addressed
    MFG 2   SIL 3                Up to 2oo3      SIL 3 Certified  Not addressed
    MFG 3   SIL 3                Up to 2oo3      SIL 3 Certified  Not addressed
    MFG 4   SIL 3                Redundant 1oo2  Not specified    2oo3 trip block, FE not addressed
    MFG 5   SIL 3                Up to 2oo3      Not specified    2oo3 trip block, showing 2oo3 FE, but 1 valve is the control valve
    MFG 6   SIL 3                Up to 2oo3      SIL 3 Certified  2oo3 trip block, FE not addressed
    MFG 7   SIL 3                Up to 2oo3      SIL 3 Certified  Not addressed

  • Slide 32/45: Unrealistic Modeling Assumptions

    - Modeling higher coverage than achievable: 100% for valves
    - Neglecting to account for mission time
    - Neglecting to account for Beta (common cause)

  • Slide 33/45: Optimistic Proof Test Coverage

    (Image only.)

  • Slide 34/45: Summary of Calculation Errors

    Proof Test Coverage      100%        70%
    DU                       1250 FITs   1250 FITs
    Mission Time             20 years    20 years
    PFDavg                   5.44E-03    3.57E-02
    Risk Reduction Factor    184         28
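To show where the two columns above come from, here is an added worked example (not the webinar's verification tool, and not code from exida) that implements the simplified low-demand PFDavg formula for a 1oo1 final element: the fraction of dangerous undetected failures that the proof test can reveal is renewed every test interval, and the untested fraction accumulates over the mission time. The slide does not give the proof test interval, so a one-year interval is assumed; with that assumption the formula reproduces the slide's order of magnitude (an RRF in the 180s falling to the high 20s) but not its exact figures, which come from a more detailed tool. A 100% coverage assumption is exactly what "neglecting mission time" amounts to, because the mission-time term vanishes.

```python
"""PFDavg of a 1oo1 final element with imperfect proof test coverage.

Added example. Inputs follow slide 34 (1250 FITs dangerous undetected,
20-year mission time, 100% vs 70% coverage); the one-year proof test
interval is an assumption the slide does not state.
"""

HOURS_PER_YEAR = 8760.0


def fit_to_per_hour(fit: float) -> float:
    """1 FIT = 1 failure per 1e9 device-hours."""
    return fit * 1e-9


def pfd_avg_1oo1(lambda_du_fit: float, proof_test_coverage: float,
                 proof_test_interval_h: float, mission_time_h: float) -> float:
    """Simplified IEC 61508 low-demand approximation for a single channel.

    The covered share of lambda_DU is reset at every proof test, so its
    average unavailability is lambda * TI / 2; the uncovered share is only
    found at end of mission, so its average unavailability is lambda * MT / 2.
    """
    if not 0.0 <= proof_test_coverage <= 1.0:
        raise ValueError("proof test coverage must be between 0 and 1")
    if mission_time_h < proof_test_interval_h:
        raise ValueError("mission time cannot be shorter than the proof test interval")
    lam = fit_to_per_hour(lambda_du_fit)
    tested = proof_test_coverage * lam * proof_test_interval_h / 2.0
    untested = (1.0 - proof_test_coverage) * lam * mission_time_h / 2.0
    return tested + untested


def risk_reduction_factor(pfd: float) -> float:
    return 1.0 / pfd


def compare_coverage(lambda_du_fit: float = 1250.0, mission_years: float = 20.0,
                     interval_years: float = 1.0,
                     coverages=(1.0, 0.7)) -> dict[float, tuple[float, float]]:
    """Return {coverage: (PFDavg, RRF)} for the given inputs."""
    mission_h = mission_years * HOURS_PER_YEAR
    interval_h = interval_years * HOURS_PER_YEAR
    results = {}
    for cov in coverages:
        pfd = pfd_avg_1oo1(lambda_du_fit, cov, interval_h, mission_h)
        results[cov] = (pfd, risk_reduction_factor(pfd))
    return results


if __name__ == "__main__":
    for cov, (pfd, rrf) in compare_coverage().items():
        print(f"coverage {cov:.0%}: PFDavg = {pfd:.2e}, RRF = {rrf:.0f}")
```

Dropping coverage from 100% to 70% lowers the RRF by more than a factor of six with these inputs, which is the slide's point: a valve modelled with full proof test coverage can appear to meet a SIL target that the installed system does not actually achieve.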

  • Slide 35/45: Methods for Modeling Shared Components

    Method 1: Take no credit for valve redundancy
    - Models SIS as SIS_IND (1oo1 architecture)
    - Result is very conservative and may lead to costly redesign

    Method 2: Assume shared component provides full redundancy
    - Models SIS as SIS_SHARED (1oo2 architecture)
    - Result can be dangerously optimistic

    Method 3: Assume shared component provides partial redundancy
    - Models SIS performance as a weighted average of the performances of 1oo1 and 1oo2 architectures
    - In considering initiating event frequency, double counts failure of the shared component
    - Result is realistic but conservative

    Method 4: Assume shared component provides partial redundancy
    - Same as Method 3 except: in considering initiating event frequency, counts failure of the shared component only once
    - Result is realistic but less conservative than Method 3

  • Slide 36/45: Steam Turbine Instrumentation

    Steam turbine shown instrumented with a control loop and a safety loop. The safety loop can de-energize both the shutdown valve and the control valve.

  • Slide 37/45: SIS_IND and SIS_SHARED Boundaries

    Identification of the components that are only utilized by the safety loop (SIS_IND) and the components that are shared with the control loop (SIS_SHARED).

    - SIS_IND functions like a 1oo1 architecture
    - SIS_SHARED functions like a 1oo2 architecture

  • Slide 38/45: Method 3: System Event Tree

    Initiating Event                       SIS PFDavg                   Intermediate Event Frequency
    Total IE Frequency   1.0E-01 /year  *  SIS PFDavg(1oo2)  7.69E-03  =  7.69E-04 /year   (Branch 1)
    BPCS A/CV Failure    2.0E-02 /year  *  SIS PFDavg(1oo1)  3.53E-02  =  7.06E-04 /year   (Branch 2)

    Outcome Frequency = Branch 1 + Branch 2 = 1.475E-03 /year
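The following added example (not the webinar's own calculation) carries the slide-38 numbers through all four of the shared-component methods from slide 35, so the "conservative versus optimistic" ordering can be seen numerically. Methods 1 and 2 follow their slide descriptions directly (the whole initiating event frequency against the 1oo1 or the 1oo2 PFDavg), Method 3 is the event tree shown above, and Method 4 is this example's reading of "counts failure of the shared component only once": the BPCS/control-valve initiators are removed from the total before the 1oo2 credit is applied, and counted once against the 1oo1 loop. The effective RRF is computed as total demand frequency divided by outcome frequency.

```python
"""Outcome frequency for a turbine safety loop that shares its control valve
with the BPCS, computed four ways. Added example; the Method 4 treatment is
an interpretation of the slide, not its published method."""

from dataclasses import dataclass


@dataclass(frozen=True)
class SharedValveCase:
    ie_total: float   # total initiating event (demand) frequency, per year
    ie_shared: float  # portion of ie_total caused by BPCS / control valve failure, per year
    pfd_1oo2: float   # PFDavg of SIS_SHARED: shutdown valve and control valve both available
    pfd_1oo1: float   # PFDavg of SIS_IND: shutdown valve only

    def __post_init__(self) -> None:
        if not 0.0 <= self.ie_shared <= self.ie_total:
            raise ValueError("shared-component initiators must be a subset of the total")
        if not 0.0 < self.pfd_1oo2 <= self.pfd_1oo1 <= 1.0:
            raise ValueError("a 1oo2 loop cannot be less available than its 1oo1 subset")


# Numbers from slide 38.
SLIDE_38 = SharedValveCase(ie_total=1.0e-1, ie_shared=2.0e-2,
                           pfd_1oo2=7.69e-3, pfd_1oo1=3.53e-2)


def method1(c: SharedValveCase) -> float:
    """No credit for the shared valve: every demand sees a 1oo1 loop."""
    return c.ie_total * c.pfd_1oo1


def method2(c: SharedValveCase) -> float:
    """Full credit: every demand sees a 1oo2 loop, even when the control valve caused it."""
    return c.ie_total * c.pfd_1oo2


def method3_branches(c: SharedValveCase) -> tuple[float, float]:
    """The slide-38 event tree. The shared failures appear in both branches,
    which is the double counting the slide refers to."""
    branch1 = c.ie_total * c.pfd_1oo2    # all demands against the 1oo2 loop
    branch2 = c.ie_shared * c.pfd_1oo1   # shared-component demands against the 1oo1 loop
    return branch1, branch2


def method3(c: SharedValveCase) -> float:
    return sum(method3_branches(c))


def method4(c: SharedValveCase) -> float:
    """Assumed reading of 'counted only once': shared-component demands get 1oo1
    credit, all other demands get 1oo2 credit."""
    return (c.ie_total - c.ie_shared) * c.pfd_1oo2 + c.ie_shared * c.pfd_1oo1


def effective_rrf(c: SharedValveCase, outcome_frequency: float) -> float:
    """Risk reduction actually delivered: demands per year over outcomes per year."""
    return c.ie_total / outcome_frequency


def summary(c: SharedValveCase = SLIDE_38) -> dict[str, tuple[float, float]]:
    """Return {method name: (outcome frequency per year, effective RRF)}."""
    methods = (("Method 1", method1), ("Method 2", method2),
               ("Method 3", method3), ("Method 4", method4))
    return {name: (fn(c), effective_rrf(c, fn(c))) for name, fn in methods}


if __name__ == "__main__":
    for name, (freq, rrf) in summary().items():
        print(f"{name}: outcome = {freq:.3e} /year, effective RRF = {rrf:.1f}")
```

With the slide's inputs the outcome frequencies order exactly as the slide describes: Method 1 highest (most conservative), then Method 3, then Method 4, then Method 2 lowest (most optimistic), and Method 3 reproduces the 1.475E-03 per year on the slide.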

  • Slide 39/45: RRF Results from Various Methods

    (Chart: Risk Reduction Factor, 0 to 200, versus Shared Component Failure Rate in failures/year, 0.01 to 0.04, with one curve each for Method 1, Method 2, Method 3 and Method 4.)

  • Slide 40/45: System Design

    - Select SIL certified equipment when possible
    - Make provisions for automatic testing: diagnostics, proof testing
    - Consider the impact of turbine refurbishment on mission time: are valves rebuilt?
    - Use a tool that correctly models all variables (SIL Verification Tool)

  • Slide 41/45: SIL Verification Tool

    (Screenshot of the SIL Verification Tool with call-outs: Specify Mission Time, Specify Startup Time, Specify Demand Mode, Comments.)

  • Slide 42/45: SIL Verification Tool

    (Screenshot only.)

  • Slide 43/45: Implementation

    - Ensure all parties clearly understand their roles and responsibilities. Examples:
      - Does the system integrator have a software specification and validation plan?
      - Is the safety PLC physically configured per the OEM's requirements for the given SIL level?
      - Is the delivered PLC code exactly the same as the FAT code?
    - Perform Pre-startup Functional Safety Assessment
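The last example question above, whether the delivered PLC code is exactly the FAT code, is answerable mechanically if the FAT export is baselined. The following added example (not code from the webinar or from exida) hashes every file in a FAT-approved program export and in the delivered export with SHA-256 and classifies the differences, so the pre-startup assessment has evidence rather than a verbal assurance. The directory layout and file names are constructed for the demonstration; the check itself is independent of the PLC vendor as long as the program can be exported to files.

```python
"""Compare a delivered safety PLC program against its FAT-approved baseline.

Added example. Both programs are assumed to be exported as directory trees of
files (constructed names below); each tree is reduced to a path -> SHA-256
manifest and the two manifests are diffed.
"""

import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(fat: dict[str, str], delivered: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between the FAT baseline and the delivered program."""
    return {
        "changed": sorted(f for f in fat if f in delivered and fat[f] != delivered[f]),
        "missing": sorted(f for f in fat if f not in delivered),
        "unexpected": sorted(f for f in delivered if f not in fat),
    }


def is_identical(report: dict[str, list[str]]) -> bool:
    """True only when no file changed, vanished or appeared since FAT."""
    return not any(report.values())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one logic block was edited after FAT and a
    test-harness file that was not part of the FAT baseline was left in the
    delivered export."""
    fat_files = {
        "logic/overspeed_trip.st": b"IF speed > 3300 THEN trip := TRUE; END_IF\n",
        "logic/io_map.csv": b"AI01,speed_probe_a\nAI02,speed_probe_b\n",
        "config/cpu.cfg": b"sil_level=3\nkeyswitch=run\n",
    }
    delivered_files = dict(fat_files)
    delivered_files["logic/overspeed_trip.st"] = b"IF speed > 3400 THEN trip := TRUE; END_IF\n"
    delivered_files["logic/fat_test_harness.st"] = b"(* left over from FAT *)\n"

    with tempfile.TemporaryDirectory() as tmp:
        fat_dir, site_dir = Path(tmp, "fat"), Path(tmp, "site")
        for root, files in ((fat_dir, fat_files), (site_dir, delivered_files)):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        return compare_manifests(hash_tree(fat_dir), hash_tree(site_dir))


if __name__ == "__main__":
    report = demo()
    print("identical to FAT baseline:", is_identical(report))
    for kind, files in report.items():
        print(f"{kind}: {files}")
```

In practice the FAT manifest would be generated at the end of FAT, signed off with the FAT report, and kept outside the integrator's working copy, so the site comparison is against a record the assessment team controls.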

  • Slide 44/45: Operation and Maintenance

    - Control access to safety PLC configuration
    - Perform and document all required tests
    - Confirm rebuilds occur as planned
    - Identify and correct any systemic component issues

  • Slide 45/45: Questions

    Global Network of Expertise