Applying IEC 61511 to Industrial Turbines

Chris O'Brien

Copyright Exida Consulting LLC 2011 cobrien@exida.com / 267-261-1500

Chris O'Brien
Chris O'Brien is a Partner with Exida Consulting. He has over 20 years' experience in the design, manufacturing and marketing of process automation, reserve power systems, and safety-related equipment. He focuses on supporting new and existing customers with their implementation of the IEC 61508 and IEC 61511 functional safety standards, as well as reliability analysis for mechanical devices. He was formerly Vice President of the Power Systems Business Unit of C&D Technologies, a business that specialized in the design and implementation of high-reliability backup power systems. Prior to that, he was with Moore Products/Siemens Energy and Automation, where he held several positions including General Manager of the Instrumentation Division. Chris is the author of Final Elements and the IEC 61508 and IEC 61511 Functional Safety Standards and has been awarded 5 patents, including a patent for the industry's first safety-rated pressure transmitter. He has a Bachelor of Mechanical Engineering from Villanova University.

Topics
1. The Application of IEC 61511 to Industrial Turbines
2. Demonstrating compliance with regulations
3. Strategies for effective implementation of IEC 61511
4. Questions

Application of IEC 61511 to Turbine Applications


There has been some discussion as to whether turbines should be treated under machinery or process safety standards.
- For hazards such as crushing or burning, machinery safeguarding standards should be applied.
- For hazards such as explosion or overspeed, process safety standards (IEC 61511) should be applied.

API 670 Machinery Protection Systems


A new revision of API 670 is in development and is expected to be released in late 2011 or early 2012. Key provisions of the new standard include:
- API 670 will reference the IEC standards for functional safety (IEC 61508, IEC 61511, and IEC 62061).
- Tolerable risk is a function of the operating company and local legislation.
- SIL targeting is a function of tolerable risk, equipment, and site-specific considerations.
- API 670 has a major focus on testing and diagnostics: automatic diagnostics for everything from the sensor through the trip block, and proof testing on the final element.
- Speed of response is part of the test requirements.

Forces Influencing SIL Adoption


Diagram: Turbine Protection Systems at the centre, acted on by four forces:
- Competitive Offering
- National Standards and Regulation
- Application Standards
- Customer Expectations

Industrial SIL Drivers


Industrial market, strength of each SIL driver by region.
Legend: blank = Not Required; + = Occasional Requirement; ++ = Typical Requirement; +++ = Extensive Requirement

Region        | National Regulations | Application Standards | Customer Expectations | Competitive Offering
North America | ++                   | ++                    | +++                   | +++
South America | +                    | +                     | +                     | +
Europe        | +++                  | +++                   | +++                   | +++
Asia          | +                    | +                     | ++                    | ++
ROW           | +                    | +                     | ++                    | ++

Power Market SIL Drivers


Power market, strength of each SIL driver by region.
Legend: blank = Not Required; + = Occasional Requirement; ++ = Typical Requirement; +++ = Extensive Requirement

Region        | National Regulations | Application Standards | Customer Expectations | Competitive Offering
North America | +                    | +                     | +                     | ++
South America | + + (only two entries on the slide; the other two cells are blank, i.e. Not Required)
Europe        | ++(+)                | ++(+)                 | +++                   | +++
Asia          | + + (only two entries on the slide; the other two cells are blank, i.e. Not Required)
ROW           | +                    | +                     | +                     | +

Demonstrating Compliance

Why is There a Need for a Standard?


- To provide a safer working environment for people, that is, to save lives.
- To protect investments in plant and equipment and ensure continuous operations, that is, to save money.
- To demonstrate compliance with regulatory requirements, that is, to avoid fines.

How Could A Standard Help?


- Documents industry best practice
- Provides consistency across organizations: OEMs, Integrators, End Users, EPCs
- Less likely to miss a key step if you are following a step-by-step method
- Common, or known, mistakes are explicitly addressed

Functional Safety Lifecycle


Diagram: each lifecycle phase and the question it answers.
- Hazard Identification: What can go wrong? (PHA/HAZOP)
- Risk Analysis & SIL Selection: How bad can it be? (LOPA)
- Safety Requirements: What needs to be done?
- SIL Verification: How reliable is it?
- SIL Sustain: How to keep it safe?

Safety Lifecycle IEC 61511


Running across every phase:
- Management of Functional Safety and Functional Safety Assessment [Clause 5]
- Safety Lifecycle Structure and Planning [Clause 6.2]
- Verification [Clause 7 & Clause 12.7]

Analysis (project phases: FEED, Concept)
- Process Hazard & Risk Analysis [Clause 8]
- Allocate Safety Function to Protection Layers [Clause 9]
- SIS Safety Requirements Specification [Clauses 10 & 12]

Realisation (project phases: Design & Build, Test, Install, Validate)
- SIS Design and Engineering [Clauses 11 & 12]
- SIS FAT [Clause 13]
- SIS Installation & Commissioning [Clause 14]
- SIS Safety Validation [Clause 15]

Operation (project phases: Proof Test, Manage)
- SIS Operation & Maintenance [Clause 16]
- SIS Modification [Clause 17]
- SIS Decommissioning [Clause 18]

Safety Integrity Level


Used THREE ways:
- To establish risk reduction requirements
- To set probabilistic limits for hardware random failure
- To establish engineering procedures to prevent systematic design errors

Safety Integrity Levels: SIL 4, SIL 3, SIL 2, SIL 1 (SIL 4 is the highest integrity, SIL 1 the lowest)

Implications of IEC 61511


- Use of an appropriate SIL determination methodology
- Use of a high-integrity automated safety system as the means of protecting against a hazard
- Intentionally separating, both physically and electrically, the safety system from basic process control
- Completion of periodic proof testing in accordance with procedures established during the protection system's design
- Documented proof that regularly scheduled protection system reviews were conducted per applicable regulatory and standards requirements

Compliance Requirements

Diagram: Compliance at the centre, resting on three elements:
- SIL Capability
- Architectural Constraints
- Probability of Failure


Meeting Requirements

Requirement              | Strength provided                    | Demonstrated by
SIL Capability           | Strength against systematic failure  | Methodology: Certification or Proven in Use Analysis
Probability of Failure   | Strength against random failure      | PFD Calculation
Architectural Constraints | Strength against undetected failures | SFF, Redundancy

IEC 61511 Type Certification

Effective Implementation
- Benchmark Study
- Gap Resolution Plan
- Develop Project Functional Safety Management Plan
- System Design
- Implementation
- Operation and Maintenance

Benchmark Study Focus


- Safety Management
- Safety Lifecycle
- Risk Assessment
- SIL Selection
- Safety Requirements Specification
- Safety Instrumented System Design
- Safety Integrity Level Verification
- SIS Software Design
- SIS Software Verification
- SIS Factory Acceptance Test
- SIS Installation and Commissioning
- SIS Validation
- SIS Operation and Maintenance
- SIS Modification and Decommissioning
- SIS Documentation

Sample Benchmark Study

Typical Gaps
- No Structured Process
- No Agreed Upon Tolerable Risk
- Poor Communication Across Organizations
- Missing or Incomplete Documentation
- Non SIL Rated Equipment
- Not Including All Components
- Unrealistic Modeling Assumptions
- Incorrectly Modeled Shared Equipment

Establish a Process

Responsibility matrix (safety lifecycle activity by component and by party):

General: Safety Management - Plant Owner

Unit-level activities: Risk Assessment, SIL Selection, Safety Requirement Specification (SRS), SIS Design, SIL Verification, SIS Software SRS, SIS Software Verification, SIS Factory Acceptance Test (FAT)

Component     | Documentation | Assessment
Gas Turbine   | OEM           | Exida
Steam Turbine | OEM           | TBD
HRSG          | OEM           | Exida
BOP           | EPC           | Exida

Installation and Commissioning, Validation / Site Acceptance Test (SAT), Unit Functional Safety Assessment: same split as above (Documentation by OEM / OEM / OEM / EPC; Assessment by Exida / TBD / Exida / Exida)

Plant-level activities:
- Operation and Maintenance Planning / SIS Documentation - Plant Owner
- SAT/SIT Verification - Exida (plant level)
- Site Functional Safety Assessment - Exida (plant level)

Later phases:
- Commercial Delivery of Plant - OEM
- Operations and Maintenance - Plant Owner
- Modification - Plant Owner
- Decommissioning - Plant Owner


SIS Project V-Model


Left leg (specification and design, top down):
- Safety Requirements Specification
- Conceptual Design
- Hardware Detailed Design / Software Detailed Design
- Hardware Build / Software Configuration

Right leg (testing, bottom up), each step verifying (V) the design step opposite it:
- Hardware Internal Testing / Software Internal Testing
- Internal Integrated Testing
- Factory Acceptance Testing
- Site Acceptance Testing (VALIDATION against the Safety Requirements Specification)


Functional Safety Documents


Functional Safety Management Plan
- Details top-level requirements, i.e. description of competency and independence
- Addresses all phases of the safety lifecycle
- Gives a clear description of handoffs between phases and groups
- Appendices contain information that is needed throughout a project: definitions, SIL levels

Group Procedure
- Process description for the relevant phase
- Inputs required
- Outputs delivered

Project Plan
- Tracking document for each project
- Who, what, when, where, how
- Sign-offs


Diagram: document hierarchy. The FSM Plan sits at the top; the decision "FSM Required?" leads into the Group Procedures and a Project Plan for each lifecycle phase: Analysis (HAZOP, SRS), Design, and Operation and Maintenance.


Non SIL Rated Equipment


Per IEC 61511, all equipment must be assessed per IEC 61508 or justified based on proven in use.

IEC 61508 applies to automatic protection systems ((M)/E/E/PE). Quoting the standard:
"In every case, the standard applies to the entire E/E/PE safety-related system (for example from sensor, through control logic and communication systems, to final actuator, including any critical actions of a human operator). For safety functions to be effectively specified and implemented, it is essential to consider the system as a whole."

It provides measures of protection against random hardware failures and systematic design failures.

Proven in Use Requirements


- Places the burden on the equipment user
- Difficult to collect statistically meaningful data
- Requires a formal functional safety assessment for SIL 3 applications, i.e. the user performing an IEC 61508 assessment on the equipment

Not Including All Components


Overview of SIL 3 Turbine Solutions


Vendor | Marketed SIL Rating | Sensors        | PLC             | Trip Block / Final Element
MFG 1  | SIL 3               | Up to 2oo3     | SIL 3 Certified | Not Addressed
MFG 2  | SIL 3               | Up to 2oo3     | SIL 3 Certified | Not Addressed
MFG 3  | SIL 3               | Up to 2oo3     | SIL 3 Certified | Not Addressed
MFG 4  | SIL 3               | Redundant 1oo2 | Not specified   | 2oo3 Trip Block, FE not addressed
MFG 5  | SIL 3               | Up to 2oo3     | Not specified   | 2oo3 Trip Block, showing 2oo3 FE, but 1 valve is the control valve
MFG 6  | SIL 3               | Up to 2oo3     | SIL 3 Certified | 2oo3 Trip Block, FE not addressed
MFG 7  | SIL 3               | Up to 2oo3     | SIL 3 Certified | Not Addressed


Unrealistic Modeling Assumptions


- Modeling higher coverage than achievable: 100% for valves
- Neglecting to account for mission time
- Neglecting to account for Beta (common cause)


Optimistic Proof Test Coverage


Summary of Calculation Errors


Proof Test Coverage | λDU (dangerous undetected failure rate) | Mission Time | PFDavg   | Risk Reduction Factor
100%                | 1250 FITs                               | 20 years     | 5.44E-03 | 184
70%                 | 1250 FITs                               | 20 years     | 3.57E-02 | 28
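The effect shown in the table above, together with the mission time and Beta points from the Unrealistic Modeling Assumptions slide, as an added worked example (editor's code, not exida's tool or any code from the deck). It assumes the IEC 61508-6 style simplified equations (λ·T/2 for one channel, (λ·T)²/3 plus a beta term for 1oo2), a one-year proof-test interval, 8760 hours per year and zero repair time; the deck's own figures were produced by a tool with slightly different conventions, so the third significant digit differs.

```python
"""Added example, not code from the original deck: how proof-test coverage,
mission time and the beta (common-cause) factor move PFDavg and the Risk
Reduction Factor, using the deck's numbers (1250 FIT dangerous undetected,
20-year mission time).

Editor's assumptions, not the slides': the simplified equations below, a
one-year proof-test interval, 8760 h per year and a repair time of zero.
"""

HOURS_PER_YEAR = 8760.0
FIT = 1e-9                      # 1 FIT = one failure per 1e9 hours
# Low-demand SIL bands from the IEC 61511 PFDavg table: (SIL, lower bound, upper bound)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def pfd_avg_1oo1(lambda_du, proof_test_interval, proof_test_coverage, mission_time):
    """Average PFD of a single channel with imperfect proof testing.

    The share of dangerous undetected failures the proof test can reveal is
    cleared every proof_test_interval; the rest stays hidden until the device
    is replaced or rebuilt at the end of mission_time. Each term is the usual
    lambda*T/2 approximation, valid while lambda*T << 1.
    """
    found = proof_test_coverage * lambda_du * proof_test_interval / 2.0
    missed = (1.0 - proof_test_coverage) * lambda_du * mission_time / 2.0
    return found + missed


def pfd_avg_1oo2(lambda_du, proof_test_interval, beta):
    """Average PFD of a 1oo2 pair, perfect proof test, beta-factor common cause.

    The independent part is (lambda_ind*T)^2/3; the common-cause part behaves
    like a single channel with rate beta*lambda_du and dominates as soon as
    beta is non-zero, which is why neglecting beta is dangerously optimistic.
    """
    lambda_ind = (1.0 - beta) * lambda_du
    independent = (lambda_ind * proof_test_interval) ** 2 / 3.0
    common_cause = beta * lambda_du * proof_test_interval / 2.0
    return independent + common_cause


def risk_reduction_factor(pfd_avg):
    return 1.0 / pfd_avg


def sil_from_pfd(pfd_avg):
    """SIL band (low demand) the PFDavg falls into, or None if outside SIL 1..4."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return None


def coverage_study(lambda_du_fit=1250.0, mission_years=20.0, coverages=(1.0, 0.7)):
    """Rows in the shape of the deck's 'Summary of Calculation Errors' table."""
    lam = lambda_du_fit * FIT
    rows = []
    for c in coverages:
        pfd = pfd_avg_1oo1(lam, HOURS_PER_YEAR, c, mission_years * HOURS_PER_YEAR)
        rows.append({"coverage": c, "pfd_avg": pfd,
                     "rrf": risk_reduction_factor(pfd), "sil": sil_from_pfd(pfd)})
    return rows


if __name__ == "__main__":
    for row in coverage_study():
        print(f"coverage {row['coverage']:.0%}: PFDavg {row['pfd_avg']:.2e}, "
              f"RRF {row['rrf']:.0f}, SIL {row['sil']}")
    lam = 1250.0 * FIT
    for beta in (0.0, 0.02, 0.10):
        pfd = pfd_avg_1oo2(lam, HOURS_PER_YEAR, beta)
        print(f"1oo2, beta {beta:.0%}: PFDavg {pfd:.2e}, RRF {risk_reduction_factor(pfd):.0f}")
```

Dropping the assumed valve proof-test coverage from 100% to 70% moves the same 1250 FIT final element from the SIL 2 band into the SIL 1 band, because the 30% of failures the test cannot find accumulate over the full 20-year mission time rather than one proof-test interval. This is also why the later System Design slide asks whether valves are rebuilt at refurbishment: a rebuild resets the mission time.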


Methods for Modeling Shared Components


Method 1: Take no credit for valve redundancy
- Models the SIS as SISIND (1oo1 architecture)
- Result is very conservative and may lead to costly redesign

Method 2: Assume the shared component provides full redundancy
- Models the SIS as SISSHARED (1oo2 architecture)
- Result can be dangerously optimistic

Method 3: Assume the shared component provides partial redundancy
- Models SIS performance as a weighted average of the performances of the 1oo1 and 1oo2 architectures
- In considering initiating event frequency, double counts failure of the shared component
- Result is realistic but conservative

Method 4: Assume the shared component provides partial redundancy
- Same as Method 3 except: in considering initiating event frequency, counts failure of the shared component only once
- Result is realistic but less conservative than Method 3


Steam Turbine Instrumentation

Steam turbine shown instrumented with control loop and safety loop. The safety loop can de-energize both the shutdown valve and control valve.


SISIND and SISSHARED Boundaries


Identification of the components that are only utilized by the safety loop (SISIND) and the components that are shared with the control loop (SISSHARED).
- SISIND functions like a 1oo1 architecture
- SISSHARED functions like a 1oo2 architecture


Method 3: System Event Tree


Columns: Initiating Event | SIS PFDavg | Intermediate Event Frequency | Outcome Frequency

Branch 1: Total IE frequency 1.0E-01 /year × SIS PFDavg (1oo2) 7.69E-03 = 7.69E-04 /year
Branch 2: BPCS A/CV failure 2.0E-02 /year × SIS PFDavg (1oo1) 3.53E-02 = 7.06E-04 /year
Total outcome frequency: 7.69E-04 + 7.06E-04 = 1.475E-03 /year
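The four methods from the Methods for Modeling Shared Components slide, evaluated the way the Method 3 event tree above evaluates them, as an added worked example (editor's code, not from the deck or exida's tool). The inputs are the slide's numbers. One assumption is the editor's, not the slide's: for Method 4 the demands that do not originate in the shared component are taken as the total IE frequency minus the shared-component failure frequency, which is what counting the shared failure only once amounts to.

```python
"""Added example, not code from the original deck: the four methods for
crediting a control valve shared between the BPCS and the SIS, computed as the
Method 3 event tree on the slide computes them.

Editor's assumption: for Method 4 the non-shared demand rate is
(ie_total - shared_fail).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SharedValveCase:
    ie_total: float      # total initiating-event (demand) frequency, per year
    shared_fail: float   # BPCS / control-valve failure frequency, per year, part of ie_total
    pfd_1oo1: float      # PFDavg of SISIND, the part used only by the safety loop
    pfd_1oo2: float      # PFDavg of SISSHARED, shared valve credited as a second channel

    def __post_init__(self):
        if not 0.0 <= self.shared_fail <= self.ie_total:
            raise ValueError("shared-component failures must be a subset of the demands")


def method3_branches(case):
    """The slide's event tree: branch 1 applies the 1oo2 PFD to the full demand
    rate, branch 2 applies the 1oo1 PFD to the shared-component failures.
    Those failures are already inside ie_total, so they are counted twice."""
    branch1 = case.ie_total * case.pfd_1oo2
    branch2 = case.shared_fail * case.pfd_1oo1
    return branch1, branch2, branch1 + branch2


def hazard_frequency(case, method):
    """Frequency of the hazardous outcome, per year, for Method 1..4."""
    if method == 1:   # no credit for the shared valve: everything is 1oo1
        return case.ie_total * case.pfd_1oo1
    if method == 2:   # full credit: everything is 1oo2
        return case.ie_total * case.pfd_1oo2
    if method == 3:
        return method3_branches(case)[2]
    if method == 4:   # shared failures taken out of the 1oo2 branch, counted once
        other = case.ie_total - case.shared_fail
        return other * case.pfd_1oo2 + case.shared_fail * case.pfd_1oo1
    raise ValueError(f"unknown method {method}")


def rrf(case, method):
    """Risk reduction factor: demand rate divided by hazardous-outcome rate."""
    return case.ie_total / hazard_frequency(case, method)


def all_methods(case):
    return {m: rrf(case, m) for m in (1, 2, 3, 4)}


def rrf_sweep(case, shared_rates):
    """RRF per method as the shared-component failure rate varies (the deck's chart)."""
    return {rate: all_methods(replace(case, shared_fail=rate)) for rate in shared_rates}


# The numbers on the Method 3 event-tree slide.
DECK_CASE = SharedValveCase(ie_total=0.1, shared_fail=0.02, pfd_1oo1=3.53e-2, pfd_1oo2=7.69e-3)


if __name__ == "__main__":
    b1, b2, total = method3_branches(DECK_CASE)
    print(f"branch 1 {b1:.3e}/yr + branch 2 {b2:.3e}/yr = {total:.3e}/yr")
    for m, value in all_methods(DECK_CASE).items():
        print(f"Method {m}: RRF {value:.0f}")
    for rate, results in rrf_sweep(DECK_CASE, (0.0, 0.01, 0.02, 0.04)).items():
        print(f"shared failure rate {rate}: ", {m: round(v) for m, v in results.items()})
```

With the slide's inputs the ordering is Method 2 (most optimistic) > Method 4 > Method 3 > Method 1 (most conservative); at a shared failure rate of zero Methods 3 and 4 coincide with Method 2, and they separate from it as the rate grows, which is the shape of the RRF chart that follows.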


RRF Results from Various Methods


Chart: Risk Reduction Factor (y-axis, 0 to 200) against Shared Component Failure Rate (x-axis, 0 to 0.04 failures/year), one curve each for Method 1, Method 2, Method 3 and Method 4.


System Design
- Select SIL certified equipment when possible
- Make provisions for automatic testing: diagnostics, proof testing
- Consider the impact of turbine refurbishment on mission time: are valves rebuilt?
- Use a tool that correctly models all variables


SIL Verification Tool

Screenshot of the tool's input form, with the fields: Specify Mission Time, Specify Startup Time, Specify Demand Mode, Comments.


SIL Verification Tool


Implementation
- Ensure all parties clearly understand their roles and responsibilities. Examples:
  - Does the system integrator have a software specification and validation plan?
  - Is the safety PLC physically configured per the OEM's requirements for the given SIL level?
  - Is the delivered PLC code exactly the same as the FAT code?
- Perform a pre-startup Functional Safety Assessment
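One tool-independent way to answer the question "is the delivered PLC code exactly the same as the FAT code?", as an added example (editor's code, not from the deck, and not any vendor's built-in project comparison). It assumes the safety PLC application can be exported from the engineering tool as a set of files (source or a project archive); the file names and contents in the block are constructed for the example. The manifest signature is the one value to record in the FAT report; at site the export is hashed again and compared against the recorded manifest.

```python
"""Added example, not code from the original deck: an integrity check that the
PLC application delivered to site is byte-for-byte the one that passed FAT.

Editor's assumptions: the project exports as files; the names and contents of
FAT_EXPORT and SITE_EXPORT below are constructed for the example.
"""
import hashlib
import json
from pathlib import Path


def manifest(files):
    """SHA-256 per file. `files` maps a relative path to the file's bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def manifest_from_dir(root):
    """The same manifest for a real export directory on disk."""
    root = Path(root)
    return manifest({p.relative_to(root).as_posix(): p.read_bytes()
                     for p in root.rglob("*") if p.is_file()})


def manifest_signature(man):
    """One hash over the whole manifest: the value to write into the FAT report."""
    canonical = json.dumps(man, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def compare(fat_manifest, site_manifest):
    """Which files were added, removed or changed between FAT and site delivery."""
    fat_paths, site_paths = set(fat_manifest), set(site_manifest)
    changed = sorted(p for p in fat_paths & site_paths if fat_manifest[p] != site_manifest[p])
    report = {
        "added": sorted(site_paths - fat_paths),
        "removed": sorted(fat_paths - site_paths),
        "changed": changed,
    }
    report["identical"] = not (report["added"] or report["removed"] or report["changed"])
    return report


# Constructed FAT export: a tiny turbine protection project (illustrative content only).
FAT_EXPORT = {
    "logic/overspeed_trip.st": b"IF speed_2oo3 > 110.0 THEN trip := TRUE; END_IF;\n",
    "logic/vibration_trip.st": b"IF vib_2oo3 > 12.5 THEN trip := TRUE; END_IF;\n",
    "config/io_map.csv": b"AI1,speed_a\nAI2,speed_b\nAI3,speed_c\nDO1,trip_block\n",
}

# Constructed site export: the overspeed setpoint was edited after FAT.
SITE_EXPORT = dict(FAT_EXPORT)
SITE_EXPORT["logic/overspeed_trip.st"] = b"IF speed_2oo3 > 115.0 THEN trip := TRUE; END_IF;\n"


if __name__ == "__main__":
    fat = manifest(FAT_EXPORT)
    print("FAT manifest signature:", manifest_signature(fat))
    print(json.dumps(compare(fat, manifest(SITE_EXPORT)), indent=2))
```

Any difference the comparison reports means the site code is not the FAT code and the affected functions need to be re-validated (or the change reverted) before the pre-startup Functional Safety Assessment signs off; the same manifest can be re-hashed during operation to show that access control on the safety PLC configuration has held.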



Operation and Maintenance


- Control access to safety PLC configuration
- Perform and document all required tests
- Confirm rebuilds occur as planned
- Identify and correct any systemic component issues


Questions
Global Network of Expertise
