Bottom Line Benefits of Safety Lifecycle Implementation

The impact of IEC 61508 [1] on the general functional safety philosophy since the final part of this functional safety standard was released in 2000 has been enormous. IEC 61508 fueled the creation of IEC 61511 [2], the process industry sector derivative of IEC 61508, released in 2003. The IEC 61511 standard has since been adapted by the ISA S84 committee into ISA 84.00.01-2004 [4], identical to IEC 61511 with the addition of a grandfather clause, replacing the 1996 version of the ISA standard, ANSI/ISA 84.01 [3]. A nuclear industry derivative, IEC 61513 [5], and a machinery industry derivative, IEC 62061 [6], have also been released, a clear indication that the initial IEC 61508 standard has broad acceptance across many different industry groups. An informal end-user survey performed by exida over the past years indicates an increased recognition of the functional safety standards and the adoption of the standards in company procedures.

Figure 1 exida Informal End-User Surveys (bar chart of the percentage of total responses answering yes to "Are you using or planning on using IEC 61511 / IEC 61508?", surveyed yearly from 2001 to 2005; data labels visible on the chart: 8%, 30% and 92%)

In addition to the increased recognition of the functional safety standards by end-users, a change in products designed for use in safety applications has also occurred. Manufacturers / OEMs are now designing products per IEC 61508. More and more design efforts are focused on higher impact components, looking at a product from a system performance perspective rather than a single component perspective. The elimination of prescriptive development requirements has led to an increased acceptance of single / non-redundant products, designed for functional safety with additional diagnostic capability. Furthermore, the use of diagnostic techniques has drastically increased, not only within product development, from the manufacturer / OEM perspective, but also at the application level, the end-user perspective. External comparison and partial stroke testing are more and more implemented to achieve higher levels of diagnostics for transmitters and final elements respectively.

© exida.com Iwan van Beurden

bottom line benefits of slc implementation - exsilentia v01, Jun. 1, 2007 Page 1 of 8

1 Key Concepts in Functional Safety Standards

The functional safety standards are built on two key concepts. The first concept is the use of a safety lifecycle: safety is designed into the process by adequate development procedures, operation and maintenance procedures, etc. The objective of the Safety Lifecycle is that functional safety is continuously considered in a design, from the conceptual phase to the decommissioning phase. This process ensures that safety is initially designed into a product or process rather than being an afterthought once most of the design is completed. The second concept is the performance based approach in the standards. This quantitative approach allows easy identification of the weakest link and subsequently addressing that weakest link rather than over-designing a specific solution. The performance approach is put into practice using the Safety Integrity Level (SIL) parameter. Safety Integrity Levels define a quantitative measure of the required safety integrity or risk reduction a Safety Instrumented Function needs to provide to protect against a specific hazard. The Safety Integrity Levels also provide a quantitative measure of the achieved safety or risk reduction for each Safety Instrumented Function (SIF).

1.1 Safety Lifecycle

A simplified graphical representation of the Safety Lifecycle is provided in Figure 2. This drawing shows the main steps in the Safety Lifecycle:

• Perform Hazard and Risk analysis → Determine Target SIL
• Document requirements for each SIF → Write Specification
• Perform SIL verification → Calculate Achieved SIL
• Operation

Figure 2 Simplified Safety Lifecycle (flow diagram: 1 Hazard Analysis / Risk Assessment, Define Design Targets → 2 Conceptual Design → 3 Evaluate Design – Reliability Analysis of Safety Integrity, Availability; if not OK, Modify and return to the Conceptual Design; if OK → 4 Operation)

The first step of the simplified Safety Lifecycle, the problem analysis, involves the process hazard identification and risk analysis. In the process hazard identification, typically in the form of a HAZOP study, potential hazards, their causes, and available safeguards (if any) are identified. For each hazard its associated risk is determined. Potential hazards with a risk level higher than the tolerable risk level may warrant the design of a Safety Instrumented Function (SIF) in order to achieve adequate risk reduction. For hazards that require the design of a Safety Instrumented Function, a target Safety Integrity Level (SIL) is assigned to that safety function according to risk reduction targets based on tolerable risk criteria.

The second step of the simplified Safety Lifecycle embodies the documentation of the functional and integrity requirements for each of the Safety Instrumented Functions identified in the Safety Requirements Specification. The integrity requirements are expressed by the target SIL; the functional requirements indicate the conditions that the process must violate for the Safety Instrumented Function to act. Based on the Safety Requirements Specification, a Safety Instrumented Function is designed for each hazard to meet the specified target Safety Integrity Level. The design process involves many issues, such as the selection of the technology to be used, selecting particular pieces of equipment, and configuring that equipment with sufficient redundancy (if required) to meet both the safety requirements and the process uptime (availability) requirements. The design process results in a conceptual design for each Safety Instrumented Function.

In the third step of the simplified Safety Lifecycle, reliability calculations are performed for each Safety Instrumented Function to verify whether the designed solution actually meets all specified requirements. If any requirement is not met, the conceptual design needs to be modified. The verification results include, for example, the calculated average Probability of Failure on Demand (PFDavg) or Probability of a Dangerous Failure per Hour (PFH) and the Mean Time To Fail Spurious (MTTFS).

The fourth and final step of the simplified Safety Lifecycle, operation, will take up the majority of a process's timeline or life-cycle, as this is where the process and all its equipment are in service. However, apart from the operators performing periodic proof tests, the safety as designed into the system will not be changed. Operator interfaces and maintenance procedures will already be in place. Operator errors and maintenance engineer errors could lead to hazardous situations, but their interfaces have been designed in the early phases of the Safety Lifecycle. Modification procedures, requiring for example an impact analysis and proper authorization, need to be in place as well.

1.2 Safety Integrity Level

The functional safety standards define up to 4 different Safety Integrity Levels. In the process industry only SIL 1, 2, and 3 are used. The process industry sector standards state that processes needing more risk reduction from a single protection function than a SIL 3 Safety Instrumented Function can provide need to be re-evaluated / re-designed. The Safety Integrity Levels relate to bands of average Probability of Failure on Demand (PFDavg) and bands of Risk Reduction Factors (RRF), where the Risk Reduction Factor is the reciprocal of the average Probability of Failure on Demand, for low demand mode applications. The Safety Integrity Levels relate to bands of Probability of a Dangerous Failure per Hour (PFH) for high and continuous demand mode applications. The relationship between Safety Integrity Level, PFDavg, RRF and PFH is depicted in Table 1.

Table 1 Safety Integrity Levels and associated parameters

SIL   Low Demand Mode PFDavg   Low Demand Mode RRF      High / Continuous Demand Mode PFH [hr^-1]
4     ≥ 10^-5 to < 10^-4       > 10,000 to ≤ 100,000    ≥ 10^-9 to < 10^-8
3     ≥ 10^-4 to < 10^-3       > 1,000 to ≤ 10,000      ≥ 10^-8 to < 10^-7
2     ≥ 10^-3 to < 10^-2       > 100 to ≤ 1,000         ≥ 10^-7 to < 10^-6
1     ≥ 10^-2 to < 10^-1       > 10 to ≤ 100            ≥ 10^-6 to < 10^-5

A Safety Integrity Level needs to be specified or calculated for an entire Safety Instrumented Function. A single component cannot be a specific SIL component; it can only be judged applicable for use in a specific SIL application, also known as SIL capable. A Safety Instrumented System consists of one or more Safety Instrumented Functions, each Safety Instrumented Function having its own target and achieved Safety Integrity Level. When there is only one Safety Instrumented Function constituting the Safety Instrumented System, a Safety Integrity Level can be assigned to the Safety Instrumented System. In all other cases, the Safety Instrumented System does not have a Safety Integrity Level.

2 Safety Life Cycle Approach Reduces Cost

The summarized safety life cycle, shown in Figure 2, emphasizes the initial steps that lead to risk reduction requirements matched to the process. These risk reduction requirements do not necessarily need to be based on personnel safety alone; environmental risk, asset risk, and others are also likely to be considered [7]. The consideration of all potential risk receptors is a good example of the risk based approach taken by the new functional safety standards, compared to the rule based approach of the older standards [8]. The additional safety investments a company needs to make in the early phases of the safety life cycle should not be a concern to management, as a good safety life cycle design approach will save costs in later phases of the lifecycle.

2.1 Reduction of Redesign Activities

One example of avoiding additional costs in later phases of the lifecycle is a reduction in redesign costs because of the thoroughness of the safety requirement specification that was created. If a design specification doesn't change during the design phase there will be minimal or no re-design costs. Spending more effort on creating a design specification that is correct in the first place will avoid re-design efforts and expenses. It is also safe to say that a well thought out safety requirement specification will reduce or eliminate re-design costs. This was also concluded by W. Colt in his Chemical Engineering article [9], where he stated that "successful projects are characterized by early, extensive pre-project planning, a complete and well-defined scope-of-work, a cost estimate coordinated with the scope, and a rigorous approach to the management of change".

Figure 3 Design Change Flexibility And Cost (plot with Time on the horizontal axis across the project phases Conceptual Planning, Design, Procurement, Construction and Startup, and a High to Low vertical scale; the two curves are Design change flexibility and Design change cost)

Figure 3 shows the inverse relationship between engineering influence and cost: as the development of a project progresses, the design change flexibility dramatically decreases, indicating that it will become difficult to make any last minute changes. In addition, the cost of a design change increases considerably as the project progresses in time. The conclusion is that a well thought out, and probably more expensive, safety requirement specification will minimize or eliminate re-design costs.

2.2 Design Matches Risk Reduction Needs

A second example of avoiding additional costs is that the design will exactly match the process risk requirements. Therefore no extra design parameters and costs will be included. As the functional safety standards are performance-based [8], safety integrity is designed into an installation only when risk reduction is needed. In addition, when risk reduction is needed, it is determined how much reduction is actually needed to provide the level of safety integrity required. Figure 4, published by a major oil company [7], shows the results of a re-evaluation of the allocated Safety Integrity Levels of the Safety Instrumented Functions of a hydrogen manufacturing unit, based on a SIL selection method derived from the functional safety standards.

Figure 4 SIF Re-Evaluation Study (pie chart, Refinery: Hydrogen Manufacturing Unit: 47% SIF OK, 49% SIF over designed, 4% SIF under designed)

The results of this re-evaluation show that:

• 49% of the analyzed Safety Instrumented Functions were over-designed, providing more risk reduction than required.
• 4% of the Safety Instrumented Functions were under-designed, not providing the required risk reduction.
• 47% of the Safety Instrumented Functions analyzed provided the safety integrity that was required.

The initial concern these results should raise is that 4% of the Safety Instrumented Functions didn't provide the required safety integrity. It is safe to assume that these Safety Instrumented Functions were re-designed, resulting in the re-design costs referred to in the previous example. If these safety instrumented functions were not re-designed, there is a potential additional cost to be incurred, as the likelihood of an accident increases and the costs associated with the potential accident need to be accounted for. Secondly, the over-design of 49% of the safety instrumented functions, probably caused by a natural tendency of designers to over-design in order to make sure the function is safe, provides a basis for an interesting cost-savings opportunity. A general observation on safety integrity is that the higher the level of safety integrity to be provided, the higher the cost of the safety instrumented function. Typically, redundancy requirements for field equipment increase with the required Safety Integrity Level. Lower equipment expenses are therefore expected in a plant where the functional safety lifecycle is implemented.
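The SIL verification of the third lifecycle step (section 1.1) and the over- / under-design tally behind Figure 4 can both be carried out mechanically once the band limits of Table 1 are fixed. The following is an added example written for this page; it is not code from the paper, nor from exida's exSILentia or SILver. It assumes the simplified single-channel (1oo1) approximations PFDavg ≈ λDU · TI / 2, PFH ≈ λDU and MTTFS ≈ 1 / λS, which ignore repair time, diagnostic coverage and common cause and are not given in the paper, and it runs over a constructed set of four tagged functions with made-up target SILs, failure rates and proof test intervals.

```python
"""SIL verification of 1oo1 safety instrumented functions and a
re-evaluation tally (over / under / ok), following Table 1 of the paper.

Assumed simplified formulas (not from the paper): for a single channel,
PFDavg ~= lambda_DU * TI / 2 (low demand), PFH ~= lambda_DU (high demand,
no diagnostics) and MTTFS ~= 1 / lambda_S. Failure rates are per hour.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Table 1 band limits as (SIL, lower bound inclusive, upper bound exclusive)
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def sil_from_band(value, bands):
    """Return the SIL whose Table 1 band contains value.

    Returns 0 when the value is worse than the SIL 1 band, and None when it is
    better than the SIL 4 band: a single function cannot claim more than the
    standards allow, so the paper says such a case needs re-evaluation.
    """
    if value < bands[0][1]:
        return None
    for sil, low, high in bands:
        if low <= value < high:
            return sil
    return 0


@dataclass
class Sif1oo1:
    """One single-channel SIF with constructed (hypothetical) parameters."""
    tag: str
    target_sil: int
    lambda_du_per_hour: float          # dangerous undetected failure rate
    lambda_s_per_hour: float           # safe (spurious trip) failure rate
    proof_test_interval_years: float   # TI
    high_demand: bool = False

    def pfd_avg(self):
        """Simplified 1oo1 average probability of failure on demand."""
        ti_hours = self.proof_test_interval_years * HOURS_PER_YEAR
        return self.lambda_du_per_hour * ti_hours / 2.0

    def pfh(self):
        """Simplified 1oo1 probability of dangerous failure per hour."""
        return self.lambda_du_per_hour

    def rrf(self):
        """Risk reduction factor, the reciprocal of PFDavg (low demand)."""
        return 1.0 / self.pfd_avg()

    def mttfs_years(self):
        """Mean time to fail spurious, in years."""
        return 1.0 / (self.lambda_s_per_hour * HOURS_PER_YEAR)

    def achieved_sil(self):
        """Achieved SIL from the band matching the function's demand mode."""
        if self.high_demand:
            return sil_from_band(self.pfh(), PFH_BANDS)
        return sil_from_band(self.pfd_avg(), PFD_BANDS)


def classify(sif):
    """Compare achieved with target SIL: 'ok', 'over', 'under' or 'reevaluate'."""
    achieved = sif.achieved_sil()
    if achieved is None:
        return "reevaluate"
    if achieved < sif.target_sil:
        return "under"      # fails verification: conceptual design must be modified
    if achieved > sif.target_sil:
        return "over"       # more risk reduction (and cost) than required
    return "ok"


def reevaluate(sifs):
    """Tally a unit's SIFs the way Figure 4 does."""
    counts = {"ok": 0, "over": 0, "under": 0, "reevaluate": 0}
    for sif in sifs:
        counts[classify(sif)] += 1
    return counts


# Constructed sample unit; tags, targets and rates are made up for this example.
SAMPLE = [
    Sif1oo1("PT-101", 2, 2.0e-7, 1.0e-6, 1.0),                     # PFDavg 8.76e-4 -> SIL 3, over
    Sif1oo1("LT-102", 2, 1.0e-6, 2.0e-6, 1.0),                     # PFDavg 4.38e-3 -> SIL 2, ok
    Sif1oo1("TT-103", 3, 1.0e-6, 2.0e-6, 2.0),                     # PFDavg 8.76e-3 -> SIL 2, under
    Sif1oo1("SPD-104", 2, 5.0e-8, 1.0e-6, 1.0, high_demand=True),  # PFH 5e-8 -> SIL 3, over
]

if __name__ == "__main__":
    for sif in SAMPLE:
        metric = f"PFH={sif.pfh():.2e}" if sif.high_demand else f"PFDavg={sif.pfd_avg():.2e} RRF={sif.rrf():.0f}"
        print(f"{sif.tag:8} target SIL {sif.target_sil} achieved SIL {sif.achieved_sil()} "
              f"{metric} MTTFS={sif.mttfs_years():.1f} y -> {classify(sif)}")
    print(reevaluate(SAMPLE))
```

Doubling the proof test interval of TT-103 is what pushes it from the SIL 3 band into SIL 2; shortening the interval, or adding redundancy, is the "Modify" loop of Figure 2 in numbers. Treating the band limits as data rather than hard-coded comparisons keeps the classification in one place when a different edition of the table is used.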


3 Efficient Safety Lifecycle Engineering

As the summarized safety life cycle, shown in Figure 2, emphasizes the initial steps that lead to process matched risk reduction requirements, extra engineering time will typically be required on projects. As this Safety Lifecycle Engineering can be rather time consuming, the use of computer-aided tools is advisable. Not only will these tools speed up the safety lifecycle engineering, they will also ensure a consistent approach, as different engineers will use similar techniques and methods to determine the target SIL and to verify the achieved Safety Integrity Level. Though several OEM manufacturers and consulting companies have released tools to assist end users with the various steps in the safety lifecycle engineering, most tools are rather basic. These tools tend to be based on simplified algorithms that will not necessarily yield adequate results, as many important parameters are ignored during, for example, the SIL verification activities. In addition, most tools tend to be focused on a single step in the functional safety lifecycle. This means that significant amounts of time are spent transferring data from one application to the next.

3.1 exSILentia Integrated Safety Lifecycle Engineering Tool

exida has chosen to provide an integrated safety lifecycle engineering tool in the form of exSILentia, which was founded on its sophisticated SIL verification tool, SILver (see below). The integration of the exSILentia software goes beyond the basic integration of SIL selection and SIL verification. The exSILentia standard package integrates the SILect, SIF SRS, and SILver tools, as one would expect from any safety lifecycle engineering tool, and provides automatic documentation generation, recording all documentation required for functional safety standard compliance. However, in addition to these standard features, optional modules are available that allow, for example, advanced importing of Process Hazard Analysis information from market leading tools like PHA-Pro® and PHAWorks®. Furthermore, a refined system level Safety Requirements Specification is available that incorporates both the SIF SRS input and the SIL verification input and produces detailed cause and effect matrices for the different Safety Instrumented Functions, including tag names, engineering units, trip levels, etc. A further option is the creation of detailed proof test procedures based on the equipment selections made in the SIL verification process.

3.2 Safety Lifecycle Engineering Cost Reduction

Within exida the use of the exSILentia safety lifecycle engineering tool is standard. This ensures consistency among the exida partners and employees, but also allows us to be very efficient in performing our safety lifecycle engineering support services. In an attempt to quantify the decrease in engineering time needed for the typical upfront safety lifecycle tasks, exida performed a survey among exSILentia users. The survey primarily focused on the SIL verification aspect, as it was felt that the PHA Import option was too new at the time to yield statistically meaningful feedback, though most users were talking about several days of engineering time saved because of the import. As a result of the survey the users were divided into two groups, typical users and advanced users. The latter category accounts for users that have been working with the functional safety standards for quite some time and that are very familiar with the various reliability modeling techniques. The benefits of the tool were also divided into two categories: the modeling and calculation of the Safety Instrumented Function performance metrics, and the gathering and use of the reliability data.

When focusing on just the modeling and calculation of the Safety Instrumented Function performance metrics, typical users indicated that they had little understanding of detailed reliability engineering, and consequently had trouble deriving the appropriate formulas for the reliability calculations. An average required time reduction factor of 10x was concluded for the typical users, assuming that they would be able to derive the appropriate reliability formulas. Users that were classified as advanced users are familiar with reliability modeling techniques. Consequently these users will be able to derive the appropriate reliability equations for each of the Safety Instrumented Functions they evaluate. Despite this, these users still reported an average 5x reduction factor in the time required to perform the reliability calculations. Because the exSILentia tool incorporates the exida Safety Equipment Reliability Handbook [10] data in the SILver tool, users do not have to worry about gathering and entering reliability data. Both the typical and advanced users reported significant benefit from this incorporated equipment database. Estimates for the amount of time typically involved in the gathering of adequate reliability data ranged from 2 hours to an entire week, depending on the product and the willingness of the OEM to supply data or details on the product such that the user could estimate adequate reliability data, let alone the ability of the user to make these expert judgments.

4 Conclusion

The impact that the functional safety standard IEC 61508 and its derivative industry sector specific standards have had over the last couple of years has been dramatic. The implementation of the Safety Lifecycle has led to an increase in upfront costs; however, the overall risk and the cost of risk reduction, for companies that have already implemented functional safety, have gone down. Costly process re-designs have also been minimized or eliminated. Companies that have switched to integrated software tools report significant efficiency increases, and consequently benefits to their bottom line, because of the interaction and information transfer between lifecycle phases as well as because of the more effective execution of the individual lifecycle phases.

5 Abbreviations and Definitions

IEC: International Electrotechnical Commission

MTTFS: Mean Time To Fail Spurious

PFDavg: Average Probability of Failure on Demand

PFH: Probability of a Dangerous Failure per Hour

SIF: Safety Instrumented Function, a set of equipment intended to reduce the risk due to a specific hazard (a safety loop)

SIL: Safety Integrity Level, discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the Safety Instrumented Systems, where Safety Integrity Level 4 has the highest level of safety integrity and Safety Integrity Level 1 has the lowest

SIS: Safety Instrumented System, implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s)

SRS: Safety Requirements Specification


6 References

[1] IEC 61508, Functional safety of electrical / electronic / programmable electronic safety-related systems, 2000, International Electrotechnical Commission, Geneva, Switzerland

[2] IEC 61511, Functional safety: Safety Instrumented Systems for the process industry sector, 2003, International Electrotechnical Commission, Geneva, Switzerland

[3] ANSI/ISA 84.01, Application of Safety Instrumented Systems for the Process Industries, 1996, Instrument Society of America, Research Triangle Park, NC, USA

[4] ANSI/ISA 84.00.01-2004 (IEC 61511 Mod), Functional safety: Safety Instrumented Systems for the process industry sector, 2004, Instrument Society of America, Research Triangle Park, NC, USA

[5] IEC 61513, Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems, 2001, International Electrotechnical Commission, Geneva, Switzerland

[6] IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, 2005, International Electrotechnical Commission, Geneva, Switzerland

[7] van Beurden I., Amkreutz R., How to Justify the Cost of Safety, Control Solutions, February 2002, Northbrook, Illinois, USA

[8] van Beurden I., et al., Risk-Based Instrumented Safeguard Design, presented at 2002 Spring National Meeting AIChE Refining Processing – Application of Control in Refining, 10-14 March 2002, New Orleans, LA, USA

[9] Colt W., Improve Your Project Via Effective Scope Definition and Control, Chemical Engineering Progress, March 1997, New York, NY, USA

[10] Safety Equipment Reliability Handbook, 2nd edition, 2005, exida.com L.L.C., Sellersville, PA, USA, ISBN-13 978-0-9727234-1-1

7 Author

Iwan van Beurden
Senior Safety Engineer
exida.com L.L.C.
Sellersville, PA 18960
[email protected]

Iwan van Beurden is a senior safety engineer for exida. He is product manager of the exSILentia tool with its integrated SILect, SIF SRS, and SILver tools. Iwan supports manufacturers in achieving IEC 61508 compliance and certification. He has contributed to several successful IEC 61508 development process and product certifications. Iwan performs Failure Modes, Effects, and Diagnostic Analyses, along with a variety of reliability analyses. He gives training for exida and is also an ISA instructor. Iwan supports end-users through HAZOP facilitation, Layer of Protection Analysis, SIL selection, and SIL verification activities, among others. Iwan previously worked for Yokogawa Industrial Safety Systems in the Netherlands as a Safety Assessment specialist. Iwan holds a Master of Science degree in Mechanical Engineering from Eindhoven University of Technology, Eindhoven, the Netherlands, where he majored in reliability engineering and graduated cum laude.
