leif mortensen, pa-4443-s-1, 2012-05-31 abb …€¦ · abb offshoredag 2012 800xa high integrity...

© ABB GroupJune 4, 2012 | Slide 1

ABB Offshoredag 2012800xA High Integrity – A Case Story

Leif Mortensen, PA-4443-S-1, 2012-05-31


800xA High Integrity – A Case Story

Preem – short introductionPreem requirements to safety systems and suppliersImplementation of Functional Safety Management at PreemCase 1 : Preemraf GothenburgCase 2 : Preemraf Lysekil

Agenda


Preemraff Sweden

Private owned companyTwo refineries, Lysekil and Gothenburg470 gasoline stations in SwedenLysekil

Refine 12 mill. ton crude per year600 employeesCurrent safety systems:

ABB SafeGuardEmerson Delta-VHoneywell

GothenburgRefine 6mill. ton crude per year300 employeesCurrent safety system Honeywell


Preemraf – Case 1 Gothenburg Refinery




Agenda



Delivery according to Functional Safety Standards - IEC61508 and IEC61511 Compliance to implement hardware and software Safety Instumented Functions According to Safety Integrity Level = 3Integrated and standardized solutions for hardware and software (OGP REUSE)Online upgrade, online software modification, online hardware extension. 6 years between site turn around.Price competitiveLocal presence and competencesSupplier should have responsive attitude to customer demands

Preem requirements to safety systems and suppliers


USA

Inte

rnat

iona

lG

erm

any

UK

1995

IEC SC 65 IEC 61508

ISO 10418

DIN VDE 0801

DINVDE 19250

HSE PES

OHSA CFR1910.119

ISA dS84.01

API RP14C

1995Draft

1995Draft

1993

1991

1989

1987

1974

ANSI/ISAS84.01

1999

2005

IEC 61511 2003

19961992

1974

, Flix

boro

ugh

1976

, Sev

eso

1984

, Bho

pal

1986

, Che

rnob

le

1988

, Pip

er A

lpha

1989

, Pas

aden

a

PRESCRIPTIVE STANDARDS

PERFORMANCE STANDARDS

ANSI/ISAS84.00.01

(IEC 61511 Mod)

2004

Safety StandardsHistory and evolution


Functional Safety is the part of the overall safety of a system or piece of equipment that depends on the system or equipment operating correctly in response to its inputs, including the safe management of likely operator errors, hardware failures and environmental changes.

IEC61508

Ed 2 released2010-4-15

Functional Safety StandardsIEC 61508 and IEC 61511

IEC 62061 : Machinery Sector

IEC60601Medical Devices

IEC 61513 :Nuclear SectorIEC 61511 :

Process Sector

IEC 61800

Adjustable Speed

Electric Power DrivesEN50128:Railways

EN50156:Furnaces


Functional Safety StandardsRelations between IEC 61508 and IEC 61511



Delivery according to Functional Safety Standards - IEC61508 and IEC61511 Compliance to implement hardware and software Safety Instrumented Functions According to Safety Integrity Level = 3Integrated and standardized solutions for hardwareand software (OGP REUSE)Online upgrade, online software modification, online hardware extension. 6 years between site turn around.Price competitiveLocal presence and competencesSupplier should have responsive attitude to customer demands



Safety Instrumented System – SISSafety Instrumented Function – SIF

• A Safety Instrumented System (SIS) is a collection of sensors, controllers and actuators.

• It executes one or more Safety Instrumented Functions (SIFs) that are implemented for a common purpose.

Safety Instrumented System with multiple SIF’s

Controller

Level Switch

Solenoid

Pump

SIF A

SIF B

SIF C

SIF D

SIL is applicable for a LOOP


System 800xA HI – Integrated SafetyCustomer value of integration – available today

Plant-wide Sequence of Events

Same operations interface and engineering

Centralized Historian and Data Archiving

Centralized Historian and Data Archiving

Common, integrated asset management

strategy

Common system therefore reduced

spare parts, training etc…Process control

and safety in the same HI controller Centralized

Historian and Data Archiving

Process control and safety running in

separate controllers


Certificates 800xA High Integrity – Meets Industry Standards

AC800M HI Controller – SIL 1-3 / CAT PLe 1-4

certified

S800 Safety I/O (AI, DI, DO) – SIL 1-3 / CAT PLe

1-4 certified

I/O Communication – SIL 1-3 / CAT PLe 1-4

certified

Standard I/O and communication modules –

certified interference-free* (*Listed in safety manual)



Delivery according to Functional Safety Standards - IEC61508 and IEC61511 Compliance to implement hardware and software Safety Instrumented Functions According to Safety Integrity Level = 3Integrated and standardized solutions for hardware and software (OGP REUSE)Online upgrade, online software modification, online hardware extension. 6 years between site turn around.Price competitiveLocal presence and competencesSupplier should have responsive attitude to customer demands



OGP REUSE Solutions

Typical solutions originating from the North Sea O&G experience with almost a decade of refinement throughout number of customer projects and installationsBuilding blocks for application engineers enabling them to “tailor” applications by using ready and well proven swmodules and featuresOGP REUSE includes functionality and features widely applicable in OGP customer projects

Libraries of Control Module Types (CMT)Features for Engineering and Operational efficiencyCustomizable Workplace and Graphical templates

Typical solutions for efficient engineering and operation


OGP REUSE Solutions

The Control Module types are grouped in libraries according to the main functionality.

Signal: Analog Input, Analog Input with voting, Analog Input for Fire and Gas, Digital Input, Digital Output etc. Final Elements: Valve (On/Off), Valve (Choke) PID Control, Motor Control, Circuit Breaker etc. Fire and Gas: Fire Area, Fire Overview, HVAC, Deluge, Watermist etc. Function elements: Latching, Totilizer, Function XY etc. Common logic elements: Add, AND, OR, Ton, etc.

There are 25+ “device” and function objects

Control Module Libraries


OGP REUSE Solutions

Library name Description Examples

REUSEcommon Common small Types for Logic and Data type conversions

AND, OR, SPLIT, KS, HSO, MSO

REUSEElectroLib Electro Types for interfacing Circuit Breakers and Motors

SBC_CB, SBC_IB, SBE_IM

REUSEfg Fire & Gas Types as Area, Watermist and Deluge

AREA, BLOCKING, HVAC, DELUGE, MA_FG, MB_FG

REUSEfgCommonLib Common Fire & Gas Types such as OR2_ISW and VOTE2_ISW

OR2_ISW VOTE2_ISW

REUSEflowelmentlib Flow Types as Valve and Motor SBV, SBE, SBC_F, SBC_I, SBE_VSD,

REUSEFuncElmentLib Function Types for Shutdown Level and Calculation

LB, YA, FL, HM, QA

REUSEsignallib Main Signal Types for Analog and Digital Input/Output

MA, MB, CA, CS, MAV, MA_SI, OA

REUSESystemStatusLib Type for presenting the System status

SystemStatusAC800

Types of libraries

Type of Libraries


Detailed Displays

1. GDSGroup Display Status

Maintenance Displays

4. Display TemplatesPCS, ESD, PSD

F&G

3. Trip & Interlock Display

Navigation

2. Operator Workplace

OGP REUSE SolutionsEngineering and Operational Efficiency

ProcessSFWA B H

Left screen Right screen

Overview DisplaysPCS, ESD, PSD, F&G

© ABB GroupJune 4, 2012 | Slide 19© ABB GroupJune 4, 2012 | Slide 19

OGP REUSE SolutionsErgonomic Display Templates

Dimmed ScreenLess bright colors when everything is Normal state

Secures operator attention during alarm situation


OGP REUSE Solutions

Alarm Handling, Application GuidelineAC 800M Application Guideline Library Programming GuidelineProcess Displays Guideline

Guidelines


OGP REUSE Solutions

NORSOK Standards:SCD System Control Diagram (I-005) – extends the IEC 61804 control applications levelsSAS Safety and Automation Systems (I-002)

Bringing this concept further to become an IEC standard (standardization committee 65B)

EEMUA 191:2007 Alarm Systems, a Guide to Design, Management and Procurement YA-711 Principals for Alarm System Design by the Norwegian Petroleum DirectorateSafety Compliance to

IEC61508IEC61511

API 14C1 for Process safety in Gulf of Mexico operations

1 Registration required for access

Compliance to standards and Best Practices


What is the scope of TÜV Certification?800xA High Integrity – ABB Safety Certificates

Product Safety Certificate

Development Department Safety Certificate

ABB A/SCertificate




Agenda


FSM has management attentionPreem has started a project to implement FSM into their organization. Preem have today procedures, standards, routines, instructions etc. that in some cases fulfill FSM, but in most of the cases they need to be rewritten or created.Top of Safety Life Cycle is implemented, due to handling as a project, and involvement of relatively few peopleChallenge is bottom of Safety Life Cycle, requires involvement of more people and a “complex” organization

Functional Safety ManagementPreem


IEC 61511 Safety Lifecycle

End user / operator

End user / operator

Engineering /Equipment Supplier

Identify hazards,specify requirements

Operate,maintain & modify

Configure to requirements

Analysis phase 1-2

Operation phase 6 - 8

Phases Activities Responsibilities

Design & InstallationCommissioningPhase 3-5

Phase 9-11 , responsible - ALL


SIL Risk Graph (Qualitative)

Scenario and Case Number Scenario

Description LOPA Target Initiating Event Enabling

Factor Independent Protection Layers Protection Gap Notes

Factor Factor Process Design

BPCS Control Action

Operator responds to alarms and

written procedures

SIS Function

A SIS

Function B

Pressure Relief Device

Other safety related

protection systems

Target is 0 or less

Safety Analysis 0 Business Analysis 0

Safety Analysis 0 Business Analysis 0

Layers of Protection Analysis (LOPA)

Hazardous Event Severity Matrix

Fault Tree Analysis (Quantitative)

Risk Assessment Options - Examples



End user / operator

End user / operator





Analysis phase 1-2






Safety Requirement Specification (SRS)For every loop

The SRS contains two types of requirements

Functional RequirementsDescription of the functions of the SIFHow it should work

Integrity RequirementsThe risk reduction and reliability requirementsHow well it should work

Solenoid

© ABB GroupJune 4, 2012 | Slide 29© ABB Group June 4, 2012 | Slide 29

Safety Requirement Specification Communication


Safety Instrumented System - SIS

Purpose of Safety Instrumented System Reduce the risk that a process may become hazardous to a tolerable levelThe SIS does this by decreasing the frequency of unwanted accidents

SIS senses hazardous conditions and then takes action

SIS moves the process to a safer state, preventing an unwanted accident from occurring.


The amount of risk reduction that a SIS can provide is represented by its

Safety Integrity Level (SIL)

which is defined as a range of Probability of Failure on Demand (PFD), Safe Failure Fraction (SFF)Avoidance of Systematic Failures

Safety Instrumented System - SIS


AC800M High Integrity Redundant Controller Configuration

SM811 BC810 PM865

Optical Modulebus

RCU LinkCEX bus

Redundant I/OTB 840


Engineering ResponsibilitiesCompetence

Architectural Design to meet target SIL requirementsPFD Calculations using appropriate reliability data for the desired loop configurationSIL capabilitySIS Design

Hardware and Software IntegrationVerification and ValidationFunctional Safety Assessments

Information on operation and maintenance requirements - Building on Manufacturers supplied dataInstructions for testingInstallation and commissioning Functional Safety Management for Design and Built activities

Source: IEC 61511



End user / operator

End user / operator





Analysis phase 1-2






Activities

FATSIS Installation and commissioningSIS Safety Validation. SATSIS Operation and MaintenanceSIS modificationSIS decommissioningInformation and documentation required


Documentation

Why should safety be documented ?We work in lifecycle phases, we need to pass on information to different engineering disciplinesWe need traceabilityWe need up to date information / version control

What is documentation ?Anything we can store and which can be properly identified


Typical Documentation

Hazop reportsSafety Requirement SpecificationFunctional Design Specification/Safety Analysis ReportSafety plan/ Safety Lifecycle Management PlanTest documents (Specifications & Records)Competence (Role descriptions & Competence requirements for each role)SIL Compliance report / SIL verification report


Competence requirement and roles in a safety project

The competence of people involved in safety projects is normative according to the IEC61511

CompetenceRole descriptionsCompetence requirements for each role

EducationTrainingExperience

If not in-house, use consultants and mentoring

Example of safety roles in a projectFunctional Safety ManagerSafety Lead EngineerSafety Assessor




Agenda


Preemraf – Case 1

Application: Modernization of the oil refinery’s safety system - ESDExchange of obsolete Honeywell FSC safety systemSince this is to be done during turn around (every 6 years) or regenerating stop (every third year part of site stop), this is a long term project.

Automation from ABB: System 800xA 5.1-based safety solution comprised of two (2) AC 800M HI controllers (PM 865) in redundant configuration. Safety assessed solution that meets SIL 3

Preem designRisk evaluation not performedBased on generic safety functionsApplication to be based on SIL2

FSM planImplement FSM /SLC in to operations, maintenance and project organization.

Gothenburg Refinery


Preemraf – Case 1

Project set-upHardware delivery – ABB SwedenIEC61508 and IEC61511 compliance of hardware and software – ABB Denmark

Gothenburg Refinery



SM811 BC810 PM865

Optical Modulebus

RCU LinkCEX bus

Redundant I/OTB 840




Agenda


Preemraf – Case 2

Application: Modernization of the oil refinery’s safety system for Gas burning Oven - ESD

Exchange of obsolete ABB safety solutionReplace non SIL equipment to fulfill SIL classificationReplace MP200 controllers (13pcs “interlock controllers”), with safety systemMove non SIL signals to DCS system and SIL classified signals that today is installed in DCS is to be moved to safety system.

Automation from ABB: System 800xA 5.1-based safety solution comprised of one (1) AC 800M HI controllers (PM 865) in redundant configuration. Safety assessed solution that meets SIL 3

Preem design specificationRisk evaluation and SIL classification of existing units performedDefined Safety Functions for Non SIL, SIL1 and SIL2 functionsImplement FSM /SLC in to operations, maintenance and project organization.Preem is using exSILentia as SIL classification software and Risk Matrix for SIL classifications. In case of a high SIL level on a SIF, SIL3 or in some cases SIL2, LOPA (Layers of Protection Analysis) is used on the specific SIF.

Lysekil Refinery


Preemraf – Case 2

Project set-upHardware delivery – ABB SwedenIEC61508 and IEC61511 compliance of hardware and software – ABB Denmark

Lysekil Refinery


Preemraf – Case 2Lysekil Refinery



SM811 BC810 PM865

Optical Modulebus

RCU LinkCEX bus

Redundant I/OTB 840


Functional Safety Management – Why ?Jan/Feb– 20 of April 21:49 - 2010


Installed Systems Review

•SIL assessment•Benchmarking

IEC61508/IEC61511 Compliance

•Compliance Management•FSMS

SIL Determination•Analysis•TRAC

•Training•Mentoring

Alarm Management•Benchmarking •EEMUA 191

•Training•Support

Total Safety Offering

Proof Testing Support•TRAMs

•Proof test period•Maintenance

•Lifecycle Support

SIS Systems•TUV Certified

•Flexible and Scalable•System 800xA

Field Instrumentation•SIL rated

•Instrumentation•Actuators

leif mortensen, pa-4443-s-1, 2012-05-31 abb …€¦ · abb offshoredag 2012 800xa high integrity...

Documents