TUV Certification Course (Curso Certificacion Tuv)

Uploaded by Tomas Cabrera
PFSE - Premier Functional Safety Engineering
Safety Instrumented System Training Course - Training Manual v3.0
Premier Consulting Services (TUV Rheinland Group)

PFSE - Day 1
> Overview of the TUV FS Program
> Introduction to Safety Instrumented Systems
> Safety Standards
> Regulations & Enforcement
> Process Hazard Analysis
> Safety Integrity Level (SIL)
> SIL Determination Methods

PFSE - Day 2
> Layer of Protection Analysis (LOPA)
> Semi-Quantitative SIL Methodology
> Safety Requirement Specification (SRS) Template

PFSE - Day 3
> SIL Validation/Verification
  - IEC 61508/61511 Methods
  - Fault Tree Analysis (FTA)
  - QRA Methodology
> Human Error
> Management of Functional Safety
  - Role of Individuals
  - Plan for Verification
  - Design, Operation & Maintenance

Examples:
1- IEC Risk Graph Methods SIL Determination
2- LOPA
3- Semi-Quantitative
4- Simplified Equations for SIL Verification

Supporting Technical Papers:
1- Proven-in-Use
2- SIS Logic Solver Test
3- Integrating Control & Safety
4- Assigning a SIL to a BPCS
5- Partial Stroke Testing
6- Functional Safety Management
7- TUV General Guidelines
8- TUV Safety PLC Certification

PFSE - Premier Functional Safety Engineering
Safety Instrumented Systems Training Course - Day 1
PCS is a TUV Industrie Service GmbH, ASI accepted course provider for the TUV Functional Safety Program.

Agenda - Day 1
> Overview of the TUV Functional Safety Program
> Introduction to Safety Instrumented Systems
> Applicable Safety Standards
> Regulations and Enforcement
> Process Hazard Analysis
> Safety Integrity Level (SIL)
> SIL Determination Methods
(IEC 61508, IEC 61511)

Why Are You Here?
> IEC 61508-1, 6.2.1: Those organizations or individuals that have overall responsibility for one or more phases of the overall, E/E/PES or software safety lifecycles shall, in respect of those phases for which they have overall responsibility, specify all management and technical activities that are necessary to ensure that the E/E/PE safety-related systems achieve and maintain the required functional safety. In particular:
> (h) the procedures for ensuring that applicable parties involved in any of the overall, E/E/PES or software safety lifecycle activities are competent to carry out the activities for which they are accountable; in particular, the following should be specified:
  - the training of staff in diagnosing and repairing faults and in system testing;
  - the training of operations staff;
  - the retraining of staff at periodic intervals;
> IEC 61511-1, 5.2.1: All persons involved in any Safety Lifecycle activity, including management activities, shall have the appropriate training, technical knowledge, experience and qualifications relevant to the specific duties they have to perform.
> Persons, departments or organizations involved in safety life-cycle activities shall be competent to carry out the activities for which they are accountable.

What Is the TUV Functional Safety Program?
> An extended vocational training program institutionalized by TUV Industrie Service GmbH, ASI together with international course providers, accepted according to the TUV Functional Safety Program, to support knowledge, know-how and expertise transfer to engineers working in the field of functional safety.
> Our aim is to achieve a global, clear and uniform standard of competence towards compliance with the requirements of IEC 61508, IEC 61511 and further relevant international standards. (See more information at www.tuvasi.com)
> TUV = Technischer Überwachungs-Verein

Invensys-Premier Consulting Services offers the PFSE training course addressing Functional Safety in the field of Safety Instrumented Systems. (See more information at www.premierts.com)
> Contents, material and final exams for this course have been reviewed and assessed positively by TUV Industrie Service GmbH, ASI.
> PCS is a TUV Industrie Service GmbH, ASI accepted course provider for the TUV Functional Safety Program.
> Participants of the Premier Consulting Services PFSE training course will receive, upon successful completion, a TUV certificate including a TUV Functional Safety Engineer logo and ID number.
> PCS course instructors are certified TUV Functional Safety Experts - SIS according to the TUV Functional Safety Program (TUV Rheinland Group, www.tuvasi.com): S. Adamaki, TUV FS Expert ID No. 0100, and a second instructor whose name and ID number are illegible in the source.
> PCS web site: www.premier-fs.com

TUV Functional Safety Program
> Instructors must be certified Functional Safety Experts according to the TUV Functional Safety Program.
> Exams - scope of exams: multiple choice questions, problem solving questions.
> Each exam is to be sent in original to TUV-ASI; archiving of exams at TUV-ASI Cologne.
> A certificate will be submitted to each participant who has attended the course continuously and successfully passed the final exam. (Monitoring the course is not allowed.)
> TUV submits the certificate to the participants after proof of exam.
> The certificate states that the person mentioned has successfully participated in the course/training and has demonstrated knowledge in the field of "SIS Functional Safety".
> FS Expert and FS Engineer: cannot represent or imply being a representative, agent, partner or affiliate of, or in any other way associated with, TUV.

TUV Functional Safety Engineer
> Each participant of a TUV Functional Safety Program training who passes the final exam successfully can use the TUV Functional Safety Engineer mark on his/her company's business card.
> The following regulations have to be respected:
  - Form sheets (sent to the participant together with the TUV FS Engineer certificate) have to be filled in accordingly and returned to TUV Rheinland.
  - The mark may not be changed in any way, neither in font nor in design and size.
  - The mark may only be used on the business card, not on any other media, e.g. not as e-mail signature, not on stationery, not on any technical reports, documents etc.
[Sample certificate: "(Student Name) - TUV Functional Safety Engineer"]

Thirty-five Years Ago
> Living near industry was known to result in exposure.
> Working in hazardous industrial facilities was known to be (remainder of sentence missing in source)
> Risk in industry had increased over time due to a shift from small, single-train or batch operations to large multi-train, continuous operations.

Flixborough, UK - June 1, 1974
> Caprolactam production unit involving cyclohexane oxidation.
> Original design was six reactors arranged in series operating at 310 F and 120 psig.
> One of the reactors required structural maintenance.
> Economic pressures forced a piping retrofit with no mechanical or structural design engineering.
> A 14-inch offset was used between the reactors to permit gravity flow.

Flixborough Explosion Impact
> The Unconfined Vapor Cloud Explosion (UVCE):
  - 28 fatalities on-site
  - 36 injuries on-site
  - 56 injuries off-site
  - $170 million in damages on-site
  - Off-site damage spread 8 miles, including over 2,400 homes, shops, and factories.
[Photo: boiler explosion]

Seveso, Italy - July 10, 1976
> 2,4,5-trichlorophenol (TCP) was produced in a batch reactor.
> The reaction step involving the reaction of tetrachlorobenzene (TCB) and caustic soda was completed.
> The vacuum distillation step to remove xylene and glycol had been initiated.
> At 5:00 am, the plant was shut down for the weekend; the distillation, heating and agitation were halted.

Seveso, Italy (continued)
> 7 1/2 hours later, a spontaneous exothermic reaction caused the reactor rupture disk to lift.
> A plume of highly caustic material containing dioxin was released (75 kg).
> Minor human injury and serious environmental damage resulted:
  - No permanent injuries or fatalities resulted.
  - Caustic burns and chloracne affected 477 people.
  - 4 square kilometers of agricultural land was sterilized for years.

Bhopal, India - December 2, 1984
> Cyanide release resulting from the introduction of water into a methyl isocyanate storage tank.
> Runaway reaction resulted in discharge through the vessel relief system.
> Protective equipment was out of order:
  - tank refrigeration was shut down
  - discharge scrubber not available
  - flare out of service

Bhopal, India 1984 - catastrophic impact on the surrounding community
> Newspaper headline: "GAS DEATHS IN INDIA EXCEED 1,000, WITH THOUSANDS HURT; GANDHI SEEKS COMPENSATION"
> 7,000 fatalities
> 200,000 injuries
> Thousands of the injured are seriously disabled, suffering long-term neurological and respiratory damage. Many victims suffer post-traumatic stress syndrome.

Pasadena, Texas, USA - October 23, 1989
> Ethylene and isobutane were released from an HDPE unit.
> A vapor cloud developed for nearly 1 minute before igniting.
> Blast equivalent to 10 tons of TNT.
> Catastrophic damage to facility and on-site personnel:
  - 23 fatalities
  - over 100 injuries
  - over $750,000,000 US in economic losses
[Photo: Pasadena, Texas, USA - October 23, 1989]

Summary of Recent Accidents
[Table illegible in source; legible entries include Pemex, Pasadena TX and Channelview TX.]

ARCO, Channelview, TX
> Events:
  - During maintenance, a flammable fuel-air mixture develops from peroxide decomposition and light hydrocarbon.
  - A defective oxygen analyzer did not alert operations.
  - Explosion during compressor start.
> Preventative measures:
  - increased spacing
  - improve fireproofing and fire protection
  - improve emergency isolation
  - improve emergency procedures

Pemex, Mexico City, Mexico
[Slide content illegible in source.]

Process Hazard Control - Europe and United States
> France: Registered Works for Environment Protection, September 1976
> The Netherlands: Statute of 23 November 1977
> European Community: 82/501/EEC Major Accident Hazards Directive
> Germany: Hazardous Incident Ordinance, 1980
> United States: EPA SARA Title III, Emergency Planning and Community Right to Know, October 1986
> United States: OSHA 1910, Process Safety Management of Highly Hazardous Chemicals, 1990

Process Hazard Control - Australia and Europe
> Victoria, Australia: Occupational Health and Safety (Major Hazard Facilities) Regulations 2000, Statutory Rule No. 50/2000, 22 June 2000
> Queensland, New South Wales, South Australia: major accident prevention (details illegible in source)
> Europe: European Directive 96/82/CE "Seveso II" and Modification Directive 2003/105/CE

What is a Safety Instrumented System (SIS)?
> "A system designed to respond to conditions in the plant which may be hazardous in themselves or, if no action was taken, could eventually give rise to a hazard, and to generate the correct outputs to mitigate the hazardous consequences or prevent the hazard." (Source: Health and Safety Executive (HSE), 1987)

Safety Instrumented System
> "An SIS is composed of any combination of sensor(s), logic solver(s), and final element(s)", commonly known as an instrument loop.
> It is an instrumented system used to implement one or more safety instrumented functions (SIF). (IEC 61511-1)

Standards Note - IEC 61511-1, 11.5.2.1
> Components and sub-systems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with sub-clauses 11.4 and 11.5.3 to 11.5.5.7, as appropriate.

[Figure: Vessel Level Control]
[Figure: SIF - High Level Trip]

Risk Reduction
[Figure: inherent process risk reduced through protection layers (SIS, safety valves, etc.) to the tolerable risk level]
[Figure: necessary risk reduction versus actual risk reduction, with increasing risk]

Safety Standards

Standards Compliance
> ANSI/ISA S84.01-1996
> HSE PES 1 and 2
> EPA (US Environmental Protection Agency)

Standards
> Germany: DIN V 19250, DIN V VDE 0801
> AS 61508/61511
> HSE PES 1 and 2
> ANSI/ISA S84.01-2004 (IEC 61511 Mod)
> IEC 61508, IEC 61511

National and International Standards for Safety Instrumented Systems (SIS)
> ISA SP-91 "Identification of Emergency Shutdown Systems and Controls That are Critical to Maintaining Safety in Process Industries"
> ANSI/ISA S84.01-1996 (2004) "Application of Safety Instrumented Systems for the Process Industries"
> IEC 61508 "Functional Safety: Safety Related Systems"
> IEC 61511 "Functional Safety: Safety Instrumented Systems for the Process Industry Sector"
> IEC 62061 "Safety of machinery - Functional safety of electrical, electronic and programmable control systems for machinery"

Standards and the Law
> In most countries the standards are enforceable by law if they are referenced in the regulations by name or by referencing "Applicable or Industry Accepted Standards".
> Otherwise a "general duty" clause may make the standards enforceable.
> Insurance companies may require use of the standards.
> However, beware of the litigators!!

ISA-TR91.00.02-2003
> 1.2 This guideline is developed to assist engineering, operations, and maintenance personnel with establishing the classification of their instrumentation, thus facilitating all aspects of designing and maintaining reliable operating facility instrumentation. Global instrumentation manufacturers classify their equipment according to various country classification standards (see clauses 6.3, 6.7, 6.8).
> 1.3 This guideline does not mandate what the classification of each instrument should be. It does provide information to assist each operating facility in determining the classification of its process instrumentation. It is the responsibility of an operating facility's management to determine whether criticality classification is needed.
[Figure 1 - Generic classification scheme: Critical / Noncritical]
[Figure A1 - Example operating facility process sector classification (see Clause 3.4): Safety, Low Risk, Environmental, Asset Protection, Other]

IEC 61508 - Functional Safety of E/E/PE Safety-Related Systems
> Part 1: General Requirements
> Part 2: Requirements for Electrical/Electronic/Programmable Electronic Systems (E/E/PES)
> Part 3: Software Requirements
> Part 4: Definitions and Abbreviations of Terms
> Part 5: Guidelines on the Application of Part 1
> Part 6: Guidelines on the Application of Parts 2 and 3
> Part 7: Bibliography of Techniques and Measures

Demand Mode / Continuous Mode - ANSI S84.00.01-2004 (IEC 61511 Mod)
> 3.2.43.1 demand mode safety instrumented function: where a specified action (for example, closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the safety instrumented function a potential hazard only occurs in the event of a failure in the process or the BPCS.
> 3.2.43.2 continuous mode safety instrumented function: where, in the event of a dangerous failure of the safety instrumented function, a potential hazard will occur without further failure unless action is taken to prevent it.

Common Cause
> BPCS-embedded SIS: systematic errors, common cause. The IPL is eliminated and the hazard occurs directly on a common-cause failure. Operates in continuous mode.

Continuous or Demand Mode?
> Example: 1 demand every 18 months.
  - 12 mo / 18 mo = 0.66 dem/y < 1 dem/y: Demand mode.
  - TI: 9 months. Twice TI = 18 mo: 12/18 = 0.66/y.
  - 0.66 dem/y is not greater than 2x TI: Demand mode.
[Timeline figure: demands marked at 3, 6, 9, 12, 15, 18, 21 and 24 months]
> Reducing the TI to 9 months meets the requirements for demand mode of operation.

SAFETY INTEGRITY (IEC 61508)
> "The probability of a safety-related system satisfactorily performing the required safety functions under all stated conditions within a stated period of time."
> Safety integrity consists of two elements:
  - Hardware safety integrity
  - Systematic safety integrity

HARDWARE SAFETY INTEGRITY
> The achievement of the specified level of hardware safety integrity can normally be estimated to a reasonable level of accuracy.
> The IEC 61508 standard addresses hardware failures by specifying target failure measures for the safety-related systems which are a function of the safety integrity level.

SYSTEMATIC SAFETY INTEGRITY
> Systematic failure rates are hard to predict since they can be caused by hardware design errors, software errors, operational errors, common cause failures, etc.
> The IEC 61508 standard addresses systematic safety integrity by specifying procedures, techniques, measures, etc. that reduce systematic failures. The techniques, measures, etc. specified are a function of the safety integrity level.

IEC 61508 SAFETY INTEGRITY LEVELS & TARGET FAILURE MEASURES
Safety Integrity Level | Demand Mode of Operation (PFDavg: probability of failure to perform its design function on demand) | Continuous / High Demand Mode of Operation (dangerous failures per hour)
4 | >= 10^-5 to < 10^-4 | >= 10^-9 to < 10^-8
3 | >= 10^-4 to < 10^-3 | >= 10^-8 to < 10^-7
2 | >= 10^-3 to < 10^-2 | >= 10^-7 to < 10^-6
1 | >= 10^-2 to < 10^-1 | >= 10^-6 to < 10^-5
Continuous mode: where the frequency of demands for operation made on a SIS is greater than one per year or greater than twice the proof-test interval.

Demand Mode
> Demand mode is defined as: a process variable such as high level, high pressure, high or low temperature, etc. meets a given target (e.g. set point) so as to place a demand on the safety instrumented function, to ensure the SIF places the process in a safe state, e.g. shut down.

Continuous or High Demand Mode
> NOTE: Continuous mode is defined as: where the frequency of demands for operation made on a SIS is greater than one per year or greater than twice the proof-test interval.

Risk Reduction Factors
SIL | PFDavg | RRF
1 | >= 0.01 to < 0.1 | 10 to 100
2 | >= 0.001 to < 0.01 | 100 to 1,000
3 | >= 0.0001 to < 0.001 | 1,000 to 10,000
4 | >= 0.00001 to < 0.0001 | 10,000 to 100,000

5. COMPETENCE OF PERSONS
> 5.1.1 The objective of the requirements of this clause is to ensure that persons who have responsibilities for any Safety Lifecycle activity are competent to discharge those responsibilities.
> 5.2 Requirements
> 5.2.1 All persons involved in any Safety Lifecycle activity, including management activities, shall have the appropriate training, technical knowledge, experience and qualifications relevant to the specific duties they have to perform.

[Figure: IEC 61508 Overall Safety Lifecycle - concept, scope definition, hazard and risk analysis, safety requirements, allocation, planning, realization, installation, validation, operation and maintenance, modification, decommissioning]
SAFETY MANAGEMENT A Safety Plan shalll be prepared in outline during the Overall Scope Definition (see Clause 7) and shall be updated throughout the entire Safety Lifecycle - A section in the Quality Plan entitled “Safety Plan”, or; - A separate document entitled “Safety Plan”, or; - Several documents which are referenced in either of the above (e.g.. one document could be for the Overall ‘System or one document for each of the E/E/PESs). ® ® 2 2 o a D = 3 a € 6 oO - 2 — 2 a 35 —— [el 8 7. OWERALL SAFETY LIFECYCLE $ REQUIREMENTS tn orderto dein a systema manner wih all the activites necessary to BC the require Stet Inter Leve for he netted tems, Hy _ this tnternatonal Standard aps asthe framework an Overl Safety BP cite qm gure Thad ane dimenson a the Over Sytem Leet Ge igre). arava 3 —— 2 cecal e ifety tee (Eacompaseythe following risk reduction 3 ERPS safety edated eaten rs SZ - -orrer hn” teat sens © External risk reduction facilities. a [idee t—_Retrwsisesty 3 8 = oo no a 2 Ss a 2 5 = Oo Concept. R&D 3 E $s a A 36 | 7.3 OVERALL SCOPE DEFINITION Premier Consulting Services 7.3.1.1 The first Objective of the Requirements of this Clause is to determine the boundary of the EUC. 7.3.1.2 The second Objective of the Requirements of this Clause is to define the scope of the hazard and risk analysis (e.g. process hazards,environmental hazards, security considerations such as unauthorized access). 8 r Consulting Services | 7.3 OVERALL SCOPE DEFINITION “The physical equipment, including the EUC and its control system, to be ‘included in the seope of the hazard and risk analysis shall be identified 732.2 ‘The external events to be taken into account in the hazard and risk ‘analysis shall be identified; 132.3 ‘The sub-systems which are associated with the hazards shall be ide 73.24 Thetype of accident initiating events that need to be considered (e-¢. 
‘component failures, procedural faults, human error, department failure mechanisms which can cause accident sequences to aecur) shall be identified, 7325 The information and results aequired in 7.3.2.1-7.3.24 shall be in the Overall Scope Definition Description. 6 38 Premier Consulting Services ) | 7.4 HAZARD AND RISK ANALYSIS ‘The first Objective of the Requirements of this Clause is to identify the hazards of the EUC and its control system (in all modes of operation) and all reasonably foreseeable circumstances inclt ou 7412 The second Objective of the Requirements of this Clause is to identify the event sequences leading (0 the hazards identified in 14d. JA1.3 The third Objective of the Requirements of this Clause is to determine the EUC risk associated with the hazards identified in 74d. Premier Consulting Services | 7.5 OVERALL SAFETY REQUIREMENTS The II Safety Requirements Specification shall ym pris .e Overall Safety Functions Requirements ‘Specification and the Overall Safety Integrity | 2 Requirements Specification. Services 7.5.2.2 The safety functions, necessary to ensure functional safety for each identified hazard, shall be specified. This specification shall constitute the Overall Safety Functions Requirements Specification; 7.5.2.3 The level of safety shall be spe identified hazard. ied for each Premier Consulti 7.5 OVERALL SAFETY REQUIREMENTS NOTE: 2) _ The failure rate claimed for the EUC control system will need to be supported by data acquired through one of tse following: - actual operating experience of the control system in a similar application - a reliability analysis carried out to a recognized procedure Premier Consulting Services - an industry database of reliability of generic equipment. 
41 DESIGN 8 7.6 SAFETY REQUIREMENTS LOCATION 2 The Objective of the Requirements of this Clause is to allocate the target safety requirements, contained in the Overall Safety Requirements Specification (both safety functions requirements and safety integrity requirements) to the designated safety-related systems and external risk reduction facilities. 7.6.1.2 The second Objective of the Requirements of this, Clause is to allocate a Safety Integrity Level to each safety function contained in the Overall Safety Requirements Specification. Premier Consulting Services 42 ell 71.6 SAFETY REQUIREMENTS ALLOCATION General Requirements ® o 2 & o a D 76. ‘The designated safety-related systems that are to be used to achieve functional safety shall be specified. The necessary risk reduction may S _beachieved by: a 6 External risk reduction facilities; ° © —- __erEIPES safety-related systems; Q~ “Other technology” safety-related systems; & 3 lause is applicable if one ofthe safety-related systems is an E/E/PES. a a 7.7 OVERALL OPERATION AND MAINTENANCE PLANNING Objective 7.1.1.1 The Objective of the Requirements of this Clause is to develop a plan (the Overall Operation and Maintenance Plan) to ensure the functional safety of the safety-related systems and external risk reduction facilities is maintained during operation and maintenance. Premier Consulting Services 43 @ 77 OVERALL OPERATION AND -2 MAINTENANCE PLANNING 7.7 OVERALL OPERATION AND MAINTENANCE PLANNING the records which need (0 be m: hazardous incidents and alli potential to create hazards; the scope of the maintenance activities (as distinct from the modifications activities); f. the actions to be taken in the event of hazards occurring the contents of the Operation and Maintenance Log (see 15). 
Premier Consulting Services Fe re eS De tenn Ste routine actions which need tobe carried out to maintain thes = Aesgned™ one) oa softy rented ye 0 exert Fk s redwcton titen —_—e | a _—__— ~S tesco ng Gaia ar ey intra srma 8 operation, ror foreseeable gisturbances, faults or failures, and Shutdown preven anansaesatektuce the demands on he ste = ater eaasnainens so? 3 CCnsequcntr othe ear FE tnerecordt whieh eds io be maaained showing rel of Fucns £ Sey sui aed es a Picea am oaioein® i —— 44 | 7.8 OVERALL VALIDATION PLANNING The Objective of the Requirements of this Clause is to develop the Overall Safety Validation Plan to enable the validation of the total combination of the safety- related systems and external risk reduction facilities to take place. ing Services S a c 9 °° . cy & 2 a rR 7.8 OVERALL VALIDATION PLANNING Requirements 7.8.2.1 An Overall Safety Validation Plan shall be developed and shalll include the following: a, details of when the validation shall take place; b. details of those who shall carry out the validation; c. identification of the relevant modes of the EUC operation including; Premier Consulting Services 4s 7.9 OVERALL INSTALLATION AND COMMISSIONING PLANNING The first Objective of the Requirements in this Clause is to develop the Overall Installation Plan in order to install the safety-related systems and external risk reduction facilities in a controlled manner to ensure that the required functional safety is achieved. 7.9.1.2 The second Objective of the Requirements in this clause is to develop the Overall Commissioning Plan in order to commission the safety-related systems and external risk reduction facilities in a controlled manner to ensure the required functional safety is achieved. 
Premier Consulting Services 7.9 OVERALL INSTALLATION AND 2 COMMISSIONING PLANNING 792 Requirements 792.1 An Overall Installation Plan shall be developed describing: = the installation schedule; ~ who shall do the different parts of the installations + the procedures for the installation (Le. the sequence in which the various elements are to be integrated). = the phases ofthe install the sequence in which the various elements are integrated); = the criteria for declaring safety-related systems and external risk reduction facilities, oF parts thereof, ready for installation for declaring installation phases complete. = procedures for the resolution of failures and incomps Premier Consulting Services Premier Consulting Services el INSTALLATION Premier Consulting Services 7.13 OVERALL INSTALLATION AND COMMISSIONING The first Objective is to install the total combination of safety-related systems and external risk reduction facilities. The second Objective is to commission the total combination of safety-related systems and external risk reduction facilities. 48 a — ta % @ 7.14 OVERALL SAFETY VALIDATION 5 ® 7.14.11 The Objective of the 2 Requirements of this Clause is to validate = that the total combination of safety- £ related systems and external risk 8 reduction facilities meet, in all respects, eI the Overall Safety Requirements fe Specification. s a Le 2 fied i a @ 7.14 OVERALL SAFETY VALIDATION é Requirements a The validation process shall be carried out in accordance with the Overall Safety Validation Plan, 3 2 — Alfequipment used for validation shall be calibrated © _ against a specification traceable to a National O Standard. 
- & The results shall be documented in the Overall Safety © Validation Report a 10 50 | 7.15 OVERALL OPERATION AND MAINTENANCE ‘The Objective of the Requ -ments of this Clause is to operate and ‘maintain the EUC and its control system and the total co of safety-related systems and external risk reduction facilities such that the designed functional safety is maintained. ig Services 7AS2 Requirements = B 14521 The overt Operation and Maintenance Plans EES 55 Gpean and Matrerance roedure te Stare Operation GS shobisnnmneeroedures oe Pars? and Sot © Neuse Standard) and te eperatio and maintnnce preedres, 3B rsoiiertenlgy eyed stems an er = ‘soutn aig alle tplemenc Implementation ball E _lstoe tenon of number of actos hich shal cud: a | SRSA = es wY 8 7.15 OVERALL OPERATION AND MAINTENANCE = ‘The implementation procedures; & the fatlowing o msntenne seb: > & ‘the maintaining of records; S = sheconrsing ut, print, of Funeona try Audis a teat ° SB —— _therecerng ot matietns that have ben made oe ra EC enol otemsot.rne yen 5 even rede faci te ave sy pact E theta and which sl fecrdedn fhe Maar E tnd ek Management Deseo a tas ing Services 3 2 < 3 ° . eS E 2 a aaa + =] 7.16 OVERALL MODIFICATION AND RETROFIT 7.16.1.1 The Objective is to ensure that the functional safety for the safety-related systems and external risk reduction facilities is appropriate during and after modification and retrofitting activities have taken place. 103 Premier Consulting Services | | rl 7.46 OVERALL MODIFICATION AND RETROFIT Prior to carrying out any modification or retrofit activity procedures shall be documented (see 6.2.2). NOTE: An example of a modification and retrofit procedure model is shown in Figure 11. yn and retrofit phase shall only be initiated by the (Overall Modification Request under the procedures spetified ia the Safety Plan (See Clause 6) which details the following the identified hazards which may be affected; the proposed change: the reasons for change. 
52 Figure 11: Modification Procedure Mode] Premier Consulting Services Premier Consulting Services 106 Premier Consulting Services ES Relationship Between IEC 61511 & IEC 61508 (woes Ess = Premier Consulting Services, | Relationship Between IEC 61511 8. [EC 61508 1 56 ss = ices 25.0 Management of functional safety. 26.0 Safety Lifecycle requirements 27.0 Verification 28.0 Process hazard and risk analysis 29.0 Allocation of safety functions to protection layers. Premier Consulting Servi > 10.0 SIS safety requirements specification. ‘Safety Requirements Specification 10.3 These requirements shall contain: the assumed sources of demand and demand rate on the safety instrumented function; requirement for proof testing intervals; oresponse time requirements for the SIS to bring the process to a safe state; athe safety integrity level for each safety function; Premier Consulting Services 18 59 Premier Consulting Services Safety Requirements Specification 10.3 uRequirements for manual shut down; > maximum spurious trip rate; requirements for overrides / inhibits / bypasses; athe specification of any action necessary to achieve or maintain a safe state in the event of fault(s) being detected in the SIS. Any such action shall be determined taking account of all relevant human factors; as 18 Premier Consulting Services Safety Requirements Snecification 10.3 oThe minimum and worst-case repair time which is feasible for the SIS taking into account the travel time, location, spares holding, service contracts, environmental constraints, etc. 
IEC 61511 Requirements (clause outline, continued)
> 11.0 SIS design and engineering
> 12.0 Requirements for application software
> 13.0 Factory Acceptance Testing (FAT)
> 14.0 SIS installation and commissioning
> 15.0 SIS operation and maintenance
> 16.0 SIS decommissioning

Safety Lifecycle Model - ANSI/ISA-S84.01-1996 (figure not reproduced: design, operation and maintenance, decommissioning phases)

SIL Methods for Determination - Introduction
> What are the safety hazards when the level in this vessel goes high?
> What level of risk mitigation do you need to prevent or mitigate the risk?

Safety Integrity Level (SIL)
> The assignment of a SIL is a corporate or company decision based on risk management philosophy and risk tolerance.
> IEC 61511 definition 3.2.76, safety integrity level (SIL): discrete level (one out of four) for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented systems. Safety integrity level 4 has the highest level of safety integrity; safety integrity level 1 has the lowest.

SIL Terms
> Probability of failure on demand (PFD)
> PFD average and PFD instantaneous
> SIL vs PFD
> Demand mode vs continuous mode

IEC Safety Integrity Levels and Target Failure Measures

SIL | Demand mode of operation: average probability of failure to perform its design function on demand (PFDavg) | Continuous / high demand mode: frequency of dangerous failures per hour | IEC 61511 target risk reduction
4   | >= 10^-5 to < 10^-4 | >= 10^-9 to < 10^-8 | > 10000 to <= 100000
3   | >= 10^-4 to < 10^-3 | >= 10^-8 to < 10^-7 | > 1000 to <= 10000
2   | >= 10^-3 to < 10^-2 | >= 10^-7 to < 10^-6 | > 100 to <= 1000
1   | >= 10^-2 to < 10^-1 | >= 10^-6 to < 10^-5 | > 10 to <= 100

Continuous mode: where the frequency of demands for operation made on a SIS is greater than one per year, or greater than twice the proof-test frequency (i.e. more than two demands per proof-test interval). Either condition alone puts the SIF in continuous/high demand mode, and the target measure is then a dangerous failure frequency per hour, not a PFDavg.

Minimum Fault Tolerance according to IEC 61511 (sensors and final elements)
IEC 61511 Clause 11.4, Table 6 - Sensors, final elements and non-PE logic solvers (see clauses 11.4.3 and 11.4.4):
SIL 1: minimum hardware fault tolerance 0
SIL 2: minimum hardware fault tolerance 1
SIL 3: minimum hardware fault tolerance 2
SIL 4: special requirements apply, see IEC 61508
> Clause 11.4.3: the minimum hardware fault tolerance number applies provided the dominant failure mode is to the safe state or dangerous failures are detected. Otherwise the minimum hardware fault tolerance number is increased by 1.
> Clause 11.4.4: the minimum hardware fault tolerance number may be reduced by 1 if all of the following are met: the prior-use criteria are fully met; adjustments are limited to process parameters only.
> Clause 11.4.5: an alternative fault tolerance may be used providing an assessment is made in accordance with IEC 61508-2, Tables 2 and 3.

Examples of Fail-Danger Failure Modes
> Electromechanical relays
- contact fails to open when de-energized
- back EMF from inductive devices holds in the relay
- contact corrosion prevents energization
> Solenoid valves
- plugging of ports or vent
- hostile environment leads to a sticky valve stem
- ground faults
- reset types: ease of bypassing
> Pressure switches
- impulse line blockage or leakage
- mechanical damage to, or fouling of, the switch
- corrosion of contacts
- excessive vibration or temperature at the field installation
- excessive hysteresis in bellows or diaphragm
> Thermocouples
- common-mode voltage
- ground faults
> Transmitters
- smart transmitter left in "test" mode
- impulse line blockage or leakage
- imbalance in impulse line purge flow rates
- build-up of liquids in impulse lines
- loss of seal fluid
- process manifold valving incorrectly set
- excessive hysteresis in diaphragm
- multi-dropping transmitters (not recommended)
- excessive vibration or temperature at the field installation
> Trip valves
- valve no longer gives tight shut-off
- actuator sizing insufficient to close against the new shut-off pressure
- sticky valve stem or valve seat
- blocked or crushed air line

Fail Safe
> "Fail safe" is also referred to as probability to fail spurious (PFS). This term is often calculated to estimate the probability of a safety instrumented function (SIF) failing safe, i.e. spuriously.
> NOTE: Many safety engineers will question or challenge the term "fail safe", pointing out that a spurious trip in a process plant is seldom if ever "safe".

Examples of Fail-Safe Failure Modes
> There are no 100% fail-safe devices. However, there are devices that have a high percentage of their failures in the fail-safe mode.
> Solenoid valves: coil failure
> Flame detector: self-checking UV detector
> Thermocouple: left open in the field installation
> Air-operated valve: diaphragm failure

Device Failures
> Things fail!! When something fails, it must be replaced.
> Generally there are two kinds of failures in hardware: systematic failures and random failures.
> Systematic failures are usually caused by stressing from external sources, e.g. heat, vibration, or operating equipment outside of the manufacturer's specifications. They cause premature failures that cannot be predicted or estimated. (IEC 61508 defines a systematic failure as one related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design, the manufacturing process, the operational procedures or the documentation.)
> Humans can have systematic failures too, e.g. from smoking, drinking, eating fatty foods, and psychological stress.

Device Failures - Random Failures
> Random failures are those failures that occur randomly due to "things wearing out".
> They can be estimated and predicted by using mean time between failures (MTBF) data. MTBF is a measure of the average time until a component fails.
(bathtub-curve figure not reproduced)

Device Failures - Example
> If 100 identical transmitters were installed and operated until they all failed, the MTBF would be obtained by adding up the operating times until failure and dividing by the number installed:
- 30 failed in year 3 = 90
- 30 failed in year 5 = 150
- 30 failed in year 7 = 210
- the final 10 failed in year 10 = 100
- MTBF = 550 / 100
> Therefore: MTBF = 5.5 years, or 1 / 5.5 = 0.18 failures per year.

Device Failures - Modes
> There are two general modes of failure:
- 1) overt, revealed, spurious, safe, detected, diagnosable, etc.
- 2) covert, hidden, dangerous, undetected, undiagnosable, etc.
> There are variations of these terms, e.g. detected-dangerous, undetected-safe.

IEC 61511 Definition of Device Failures
> IEC 61511 clause 11.4 defines the SFF as critical to the selection of the required redundancy and diagnostic coverage in the implementation of a SIS.
> SFF - Safe Failure Fraction: the fraction of safe failures and dangerous detected failures in relation to the total failures.
> SFF = (SU + SD + DD) / (SU + SD + DD + DU)
- SD: safe detected
- SU: safe undetected
- DD: dangerous detected
- DU: dangerous undetected
> The four terms are failure rates (e.g. per hour), so the SFF is a ratio of rates and is dimensionless; only the DU term feeds the PFD calculation.
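The SFF calculation above, worked as an added Python example (this is not code from the course material). The FMEA rows and their failure rates are constructed for a hypothetical pressure-transmitter subsystem; the failure modes are taken from the fail-danger and fail-safe lists above, the rates and the safe/dangerous and detected/undetected categorisation are assumptions made for illustration.

```python
from dataclasses import dataclass

# Reported data is usually given per 10^6 hours; everything is converted to per hour.
PER_1E6H = 1e-6


@dataclass(frozen=True)
class FailureMode:
    """One FMEA row: how the device fails, how often, and how the mode was categorised."""
    name: str
    rate_per_1e6h: float   # failure rate as reported, failures per 10^6 hours
    dangerous: bool        # True: covert / fail-to-danger; False: overt / fail-safe (spurious)
    detected: bool         # True: revealed by on-line diagnostics; False: hidden until proof test


@dataclass(frozen=True)
class SubsystemRates:
    """Failure rates per hour split into the four IEC 61508 categories."""
    sd: float  # safe detected
    su: float  # safe undetected
    dd: float  # dangerous detected
    du: float  # dangerous undetected

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    @property
    def sff(self) -> float:
        return sff_from_rates(self.sd, self.su, self.dd, self.du)

    @property
    def diagnostic_coverage(self) -> float:
        """DC = DD / (DD + DU): the share of dangerous failures the diagnostics reveal."""
        dangerous = self.dd + self.du
        return self.dd / dangerous if dangerous else 0.0


def sff_from_rates(sd: float, su: float, dd: float, du: float) -> float:
    """SFF = (SU + SD + DD) / (SU + SD + DD + DU), as in IEC 61511 clause 11.4."""
    total = sd + su + dd + du
    if total <= 0:
        raise ValueError("SFF is undefined without a non-zero total failure rate")
    return (su + sd + dd) / total


def categorise(modes) -> SubsystemRates:
    """Sum FMEA rows into SD/SU/DD/DU failure rates (per hour)."""
    sd = su = dd = du = 0.0
    for m in modes:
        rate = m.rate_per_1e6h * PER_1E6H
        if m.dangerous and m.detected:
            dd += rate
        elif m.dangerous:
            du += rate
        elif m.detected:
            sd += rate
        else:
            su += rate
    return SubsystemRates(sd, su, dd, du)


# Constructed FMEA for a hypothetical high-pressure trip transmitter that the logic
# solver is configured to trip on loop fault. Rates are illustrative only.
EXAMPLE_FMEA = [
    FailureMode("impulse line blockage, reading frozen below trip point", 2.0, dangerous=True, detected=False),
    FailureMode("smart transmitter left in test mode", 0.5, dangerous=True, detected=False),
    FailureMode("electronics fault drives output below 3.6 mA (out-of-range alarm)", 4.0, dangerous=True, detected=True),
    FailureMode("output drifts high above trip point (spurious trip)", 3.0, dangerous=False, detected=False),
    FailureMode("loss of loop power, 0 mA, logic solver trips on loop fault", 5.0, dangerous=False, detected=True),
]


if __name__ == "__main__":
    r = categorise(EXAMPLE_FMEA)
    print(f"SD={r.sd:.2e}/h SU={r.su:.2e}/h DD={r.dd:.2e}/h DU={r.du:.2e}/h")
    print(f"SFF = {r.sff:.3f}, diagnostic coverage = {r.diagnostic_coverage:.3f}")
```

The undetected dangerous share (DU) is the only part of the total that remains hidden between proof tests, which is why the SFF and the diagnostic coverage are reported separately: two subsystems with the same SFF can still differ in how much of their dangerous failure rate the diagnostics actually reveal.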
Determination of Device Failures (SFF)
> Perform a Failure Mode and Effect Analysis (FMEA) to determine the effect of each component failure on the subsystem.
> Categorize each failure mode as safe or dangerous.
> Calculate the probability (rate) of safe and dangerous failures.
> Estimate the fraction of safe and dangerous failures that are detected by the diagnostic tests.
> Calculate the SFF (safe failure fraction) of the subsystem.

PFD Calculation
> It is the covert, or dangerous undetected, failure rate that is used when calculating the PFD.
> lambda = failure rate per hour, input as Lambda.
> The simple equation for the probability is: PFD = lambda x T / 2
- P = failure probability of the device
- lambda = dangerous undetected failure rate per hour, input as Lambda
- T = surveillance (proof) test interval in hours, input as Tau
> This is the average PFD of a single (1oo1) channel over one test interval, and it is only valid while lambda x T is much less than 1; the instantaneous value is PFD(t) = 1 - e^(-lambda t), which is approximately lambda t for small lambda t.

Format of Reported Data
> Failure severity classifications:
- catastrophic / critical
- degraded
- incipient
> Failure mode:
- effect of the failure on the system
- two major types: the demanded change of state is not achieved (covert); an undesired change in condition (overt)

Data Format (continued)
> Failure rates are reported per 10^6 hours, or as a PFD.
> Typically a low, mean and high value are provided.
> Equations must be used to convert rates to probabilities.

Safety-Related Function - Typical share of failure rates (or probability of fail to danger)
Sensor 40% | Logic solver (E/E/PES) 5% | Actuator 55%

PFD Instantaneous and PFD Average
> F(t) = 1 - e^(-lambda t)
(figure not reproduced: PFD(t) rising between proof tests, PFDavg, residual risk; a reduced on-line test interval t lowers PFDavg)
> PFD average = PFD instantaneous at 1/2 of the testing interval (for a single channel with PFD(t) approximately lambda t).
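The chain from field MTBF data to a PFD and a demand-mode SIL, worked as an added Python example (not code from the course). It reuses the 100-transmitter MTBF example above; the assumption that 25% of the transmitter's failures are dangerous undetected, the one-year and three-month proof-test intervals, and the demand rates in the mode-of-operation check are all constructed for illustration.

```python
import math

HOURS_PER_YEAR = 8760.0

# Demand-mode SIL bands (PFDavg lower bound inclusive, upper bound exclusive).
DEMAND_MODE_BANDS = [
    (1e-5, 1e-4, 4),
    (1e-4, 1e-3, 3),
    (1e-3, 1e-2, 2),
    (1e-2, 1e-1, 1),
]


def mtbf_from_population(failures_by_year: dict) -> float:
    """MTBF of a population run to exhaustion: total operating years / units installed.

    failures_by_year maps the year of failure to the number of units failing that year,
    e.g. {3: 30, 5: 30, 7: 30, 10: 10} for the 100-transmitter example.
    """
    units = sum(failures_by_year.values())
    operating_years = sum(year * n for year, n in failures_by_year.items())
    return operating_years / units


def failure_rate_per_hour(mtbf_years: float) -> float:
    """lambda = 1 / MTBF, converted to failures per hour."""
    return 1.0 / (mtbf_years * HOURS_PER_YEAR)


def pfd_instantaneous(lam_du: float, t_hours: float) -> float:
    """F(t) = 1 - exp(-lambda t): probability a hidden (DU) failure exists t hours after the last proof test."""
    return 1.0 - math.exp(-lam_du * t_hours)


def pfd_average_simple(lam_du: float, ti_hours: float) -> float:
    """lambda * T / 2: the 1oo1 approximation, valid while lambda * T << 1."""
    return lam_du * ti_hours / 2.0


def pfd_average_exact(lam_du: float, ti_hours: float) -> float:
    """Time average of 1 - exp(-lambda t) over one proof-test interval T."""
    x = lam_du * ti_hours
    if x == 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def sil_from_pfd_avg(pfd_avg: float):
    """Demand-mode SIL for a PFDavg; 0 means no SIL band is met, None means below SIL 4's band
    (a single E/E/PE safety-related system alone is then not sufficient)."""
    if pfd_avg >= 0.1:
        return 0
    for lo, hi, sil in DEMAND_MODE_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return None


def sil_instantaneous(pfd: float) -> float:
    """Continuous-valued SIL = -log10(PFD)."""
    return -math.log10(pfd)


def mode_of_operation(demand_rate_per_year: float, proof_test_interval_years: float) -> str:
    """Continuous/high demand if demands exceed one per year OR twice the proof-test frequency."""
    proof_test_frequency = 1.0 / proof_test_interval_years
    if demand_rate_per_year > 1.0 or demand_rate_per_year > 2.0 * proof_test_frequency:
        return "continuous/high demand"
    return "demand"


if __name__ == "__main__":
    mtbf = mtbf_from_population({3: 30, 5: 30, 7: 30, 10: 10})   # 5.5 years
    lam_total = failure_rate_per_hour(mtbf)
    lam_du = 0.25 * lam_total   # ASSUMPTION: a quarter of all failures are dangerous undetected
    for years in (1.0, 0.25):
        ti = years * HOURS_PER_YEAR
        pfd = pfd_average_simple(lam_du, ti)
        print(f"T = {years:.2f} yr: PFDavg ~ {pfd:.4f} (exact {pfd_average_exact(lam_du, ti):.4f}), "
              f"SIL {sil_from_pfd_avg(pfd)}, instantaneous SIL {sil_instantaneous(pfd):.2f}")
    print(mode_of_operation(0.8, 5.0))   # below 1/yr but above 2x the proof-test frequency
```

Halving or quartering the proof-test interval is the lever the sawtooth figure above illustrates: with the same device, a quarterly test moves the example loop from the SIL 1 band into the SIL 2 band. Note also that the last call reports continuous mode even though the demand rate is below one per year, because the second criterion (twice the proof-test frequency) is violated.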
PFD Instantaneous - Continuous SIL

PFD instantaneous | SIL (continuous value)
1.0E-01  | 1.00
3.16E-02 | 1.50
1.0E-02  | 2.00
3.16E-03 | 2.50
1.0E-03  | 3.00
3.16E-04 | 3.50
1.0E-04  | 4.00

PFD conversion to SIL: instantaneous SIL = -log10(PFD instantaneous)

Selection of the Methods for Determining the Required SIL
> There are a number of ways of establishing the required safety integrity level for a specific application. The method selected for a specific application will depend on many factors, including:
- the complexity of the application;
- the guidelines from regulatory authorities;
- the nature of the risk and the required risk reduction;
- the experience and skills of the persons available to undertake the work;
- the information available on the parameters relevant to the risk.

SIL Methods
> A qualitative method may be used as a first pass to determine the required SIL of all SIFs.
> Those which are assigned SIL 3 or 4 by this method should then be considered in greater detail using a quantitative method, e.g. fault trees, to gain a more rigorous understanding of their required safety integrity.

SIL Methods
1. ALARP
2. Modified HAZOP
3. Consequence-only method
4. Risk matrices
5. Risk graph - qualitative
6. Risk graph - calibrated
7. Quantitative analysis
8. Layer of Protection Analysis (LOPA)
9. Semi-quantitative
10. User defined

> At least two of these methods, LOPA and the semi-quantitative method, can also be used to determine whether a safety instrumented system (SIS) is needed at all.
Risk Reduction
(figure not reproduced: EUC risk, tolerable risk and residual risk on a risk axis; the necessary risk reduction compared with the actual risk reduction achieved by all safety-related systems and external risk reduction facilities)

Risk and Safety Integrity
> A distinction must be made between risk and safety integrity:
- Risk is a function of the probability and the consequence of a specified hazardous event occurring.
- Safety integrity applies solely to the E/E/PE SIS and the other safety-related systems; it is a measure of the likelihood of the safety-related systems achieving the required risk reduction.
> Once the tolerable risk has been set and the necessary risk reduction estimated, the safety integrity requirements for the safety-related systems can be allocated.

ALARP and Tolerable Risk
> ALARP = any risk reduced to a level As Low As Reasonably Practicable.

Regulating Industrial Risks
a) The risk is so great it must be refused altogether; or
b) the risk is, or has been made, so small as to be insignificant; or
c) the risk falls between the two states specified in a) and b) above and has been reduced to the lowest practicable level, bearing in mind the benefits and taking into account the costs of further reduction.

Tolerable Risk and ALARP
(figure not reproduced) The three regions are:
> Intolerable region: the risk cannot be justified except in extraordinary circumstances.
> The ALARP or tolerability region: the risk is tolerable only if further risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained.
> Broadly acceptable region: negligible risk.
> "Tolerable" here is different from "acceptable": it indicates a willingness to live with a risk so as to secure certain benefits, while at the same time expecting it to be kept under review and reduced as and when this can be done.
> Here a cost-benefit assessment is required, either explicitly or implicitly.
Example of Industry Tolerable Risk
> Design criteria for societal risk exposure (figure not reproduced: F-N curve, frequency F against number of fatalities N)
> Design criteria for worker risk exposure (figure not reproduced: level of risk exposure)

Tolerable Risk Target
> Risk class I is the unacceptable region.
> Risk classes II and III are in the ALARP region, risk class II being just inside the ALARP region.
> Risk class IV is the broadly acceptable region.

Risk Classification - Table B.1: Risk classification of accidents (IEC 61508-5)

Frequency   | Catastrophic | Critical | Marginal | Negligible
Frequent    | I   | I   | I   | II
Probable    | I   | I   | II  | III
Occasional  | I   | II  | III | III
Remote      | II  | III | III | IV
Improbable  | III | III | IV  | IV
Incredible  | IV  | IV  | IV  | IV

NOTE 1: The actual population of the table with risk classes I to IV depends upon what the actual frequencies are and what risk is tolerable. The table should therefore be seen as an example of how such a table could be populated rather than as a specification for future use.
NOTE 2: Determination of the safety integrity level from the frequencies in this table is outlined in Annex C.

Risk Classes - Table B.2: Interpretation of risk classes
> Class I: Intolerable risk.
> Class II: Undesirable risk, tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained.
> Class III: Tolerable risk if the cost of risk reduction would exceed the improvement gained.
> Class IV: Negligible risk.

SIL Assignment Example - Hydrocracker Reactor Fired Heater
> Low feed flow
- Cause: loss of feed from the upstream unit
- Consequences: overheating of the heater tubes; potential for tube rupture; potential for a pool fire around the heater.
> Low fuel gas pressure
- Causes: loss of fuel gas supply; control valve failure
- Consequences: if fuel gas pressure were to return, potential for an explosive mixture in the heater.
- Potential for the mixture to ignite from the hot refractory.

The Modified HAZOP
> An extension of the existing PHA process.
> Subjective SIL assignment.
> Relies heavily on the experience and knowledge of the team.
> Consistency is maintained through the development of rules and guidelines.
> Modified HAZOP example (worksheet not reproduced)

Consequence-Only SIL Assignment
> Only requires evaluation of consequences.
> A more conservative approach.
> Reduced analysis effort.

SIL | Consequence
0   | No injury
1   | Potential for minor injuries
2   | Potential for multiple serious injuries or 1 fatality
3   | Potential for multiple fatalities
4   | Catastrophic event

Consequence-Only Example
> Loss of feed flow: pool fire in the area around the heater; potential for minor injuries. Therefore SIL 1 (refer to the table above).
> Loss of fuel gas: potential for explosion; potential for a large incident in the unit; possible multiple fatalities. Therefore SIL 3.

Development of a Risk Matrix
> The risk matrix should be established in accordance with corporate guidelines and standards.
> The risk matrix is based on the various levels of event severity and event likelihood.
> The risk matrix should include safety integrity level (SIL) designations corresponding to IEC 61511.

Event Severity
> The event severity is established based on some measure of anticipated impact or consequence:
- On-site consequences: worker injury or death; equipment damage or economic loss.
- Off-site consequences: community exposure, including injury or death; property damage.
- Environmental impact: emission of hazardous chemicals; contamination of air, soil and water supplies; damage to environmentally sensitive areas.

Event Likelihood
> The likelihood of the event occurring must be determined by estimating the probability of expected occurrence:
- often occurs
- isolated incidents
- not likely to occur
- almost impossible
> This should be determined based on pilot plant or company operating experience, or competitor operational history.

Risk Matrix (figure not reproduced: severity against likelihood, with high-risk and low-risk regions)

Risk Matrix Example - Loss of Feed Flow
> Severity: the previous assessment indicated minor injuries, so severity rating = Serious.
> Likelihood: experience indicates that feed flow is lost without warning about once every 5 years, so likelihood rating = Moderate.
(matrix columns: Minor, Serious, Extensive, Catastrophic; figure not reproduced)

Risk Matrix Example - Loss of Fuel Gas
> Severity: the previous assessment indicated multiple on-site fatalities, so severity rating = Extensive.
> Likelihood: experience indicates that fuel gas flow is very reliable, with no losses in over 20 years, so likelihood rating = Low.
(figure not reproduced)

Credits for Independent Protection Layers in a Risk Matrix SIL Determination
> The layers of protection should be:
- designed specifically for the mitigation of the process risk;
- independent from one another, so that failure of one layer does not cause the failure of another;
- dependable; and
- verifiable.
> Safety Layer Matrix (figure not reproduced)

IEC 61508-5 Qualitative SIL Determination - Qualitative Risk Graph (non-calibrated)
> IEC 61508-5 (Functional safety: safety-related systems) gives guidance for assigning SIL levels.
> IEC 61508 uses the designations a to h for the necessary minimum risk reduction levels.

IEC 61508-5 Risk Parameter Classification - Consequence (C)
> C1: minor injury
> C2: serious permanent injury to one or more persons
> C3: death to several people
> C4: very many people killed

Consequence Determination
> Examine the potential worker health and safety issues. What are the potential effects?
- Injury or death?
- Burns, hit by flying debris, exposure to hazardous fumes?
- Can the operator recover from the exposure?
- Acute effects or chronic effects?
- Will the operator eventually resume normal activities?

IEC 61508-5 Risk Parameter Classification - Frequency and Exposure Time (F)
> F1: rare to more often exposure in the hazardous zone
> F2: frequent to permanent exposure in the hazardous zone

Frequency and Time of Exposure
> Determine the frequency and duration of exposure of any personnel to any potential hazard:
- Remote from the main process facility?
- How close are the operation and maintenance stations?
- How often are operations staff in the vicinity?
- What about support staff, such as maintenance or engineering personnel?
- Is this a main travel area for access to other parts of the facility?

IEC 61508-5 Risk Parameter Classification - Possibility of Avoiding the Hazardous Event (P)
> P1: possible under certain conditions
> P2: almost impossible

Possibility of Escape
> How easy is it to escape from the hazardous area?
- Are the escape routes well marked?
- Are there alarm sirens?
- Are there gas or fire detectors?
- Is there time to escape?
- Can personnel in the exposure area readily recognize that a hazardous situation exists?
- Have personnel been through accident scenario training?
- Has the hazardous event occurred previously, so that personnel are aware of what happened and how to react?

Possibility of Avoiding the Hazardous Event (P) - factors
> Rate of development of the hazardous event.
> Ease of recognition of danger: seen immediately; detected by technical measures; detected without technical measures.
> Avoidance of the hazardous event: escape routes possible; not possible; possible under certain conditions.

IEC 61508-5 Risk Parameter Classification - Probability of the Unwanted Occurrence (W)
> W1: a very slight probability that the unwanted occurrences will come to pass, and only a few unwanted occurrences are likely.
> W2: a slight probability that the unwanted occurrences will come to pass, and few unwanted occurrences are likely.
> W3: a relatively high probability that the unwanted occurrences will come to pass, and frequent unwanted occurrences are likely.

Probability of Occurrence
> Determine the probability of occurrence:
- Is the process manually operated or an automated facility?
- If manually operated, how good is the operator training? Are there other priorities that might remove operator attention from the potentially hazardous area?
- What type of basic process control system or automatic control system is in place? How reliable is it?
- What type of passive controls are present to minimize the consequence?

Risk Graph IEC 61508-5: Example
(risk graph figure not reproduced) The outputs a, b, c, d, e, f, g, h represent the necessary minimum risk reduction. The link between the necessary minimum risk reduction and the safety integrity level is shown in the following table.
Risk Level versus SIL

Necessary minimum risk reduction | Safety integrity level
---                              | No safety requirements
a                                | No special safety requirements
(the rows for b to h, which map to increasing SILs, are not legible on the page)

Risk Graph Example - Loss of fuel gas
> Consequence: multiple fatalities = C4
> Frequency of exposure: F2, frequent to permanent exposure in the hazardous zone
> Possibility of escape: P1, possible under certain conditions
> Probability of occurrence: relatively low probability = W1
> The necessary minimum risk reduction (a to h) is then read off the risk graph at the C4 / F2 / P1 / W1 path and converted to a SIL with the table above.
