Post on 28-Apr-2018
PPA 2011 8 Dec 2011
© HIMA 2011
Why is it so difficult to learn from someone else’s mistakes?
Functional Safety Seminar-Speaker
Tino Vande Capelle
§ Director – Functional Safety Consultancy
§ Safety Critical Systems Engineering
§ TÜV Functional Safety Expert and Trainer
Contact:
§ Mobile: +49.172.624.2277
§ Email: tino.vdc@hima.com
Introduction
§Why is it so difficult to learn from mistakes others have made in our industry?
§Would you rather learn from the mistakes of others or make them all yourself?
§Certainly, you will learn better by making your own mistakes, but those lessons can come with extremely high risk and cost
Modern history of industrial disasters
§There have been several unfortunate industrial disasters in the process industry in the past. There will likely be many more to follow as our daily working conditions, materials, equipment and performances keep changing and getting more and more demanding.
§Major accidents like Seveso, Flixborough, Piper Alpha, Bhopal, Chernobyl, Texas City and the most recent Deepwater Horizon have all painfully revealed certain failures that we can learn from. Failures that come with a cost of life, environment and capital investment.
Modern history of industrial disasters
§Bhopal, Union Carbide India, 2-3 December 1984
§ 3 storage tanks for methyl isocyanate (MIC), an unstable liquid that, at temperatures above 15 ºC, decomposes into deadly toxic components such as hydrocyanic acid or cyanide
§ The 4 layers of protection were defeated by 1 common cause failure and operator / maintenance errors
Modern history of industrial disasters
§Bhopal, Union Carbide India, 2-3 December 1984
§ > 3,000 – 5,000 people killed by inhaling 41 tons of poisonous gas
§ > 500,000 people were exposed to the deadly gas
§ > June 2010: 23,000 dead and counting…
Modern history of industrial disasters
§Deepwater Horizon, BP, 21st April 2010
Modern history of industrial disasters
§Deepwater Horizon, BP, 21st April 2010
– The environment in which the oil drilling took place – 5,000 feet below the ocean's surface – is extremely hazardous
– 11 people killed
§Update 20th July 2011
– To date, the fund has paid $4.7 billion to 198,475 claimants. The total number who have sought money stands at 522,506, many with multiple claims. In all, the fund has nearly 1 million claims and continues to receive thousands of claims each week.
Functional Safety Standards Milestones
1996 ISA SP84 - Safety Lifecycle, Quantitative Approach
1997 IEC 61508 - Safety Lifecycle, Quantitative / Qualitative Approach
2004 ANSI/ISA 84.00.01 = IEC 61511 - Functional Safety, SIS for the process industry sector
2010 IEC 61508 – maintenance revision released
IEC61508 ed 2.0 released April 2010
§Personal competence: it is now a normative requirement (it was informative in ed 1.0)
§How do you prove that you are COMPETENT?
Forced Safety Culture
§Human nature does not like to admit or reveal knowledge of problems. So for the past 30 years, certain standards have helped engineers apply good engineering practices, but the weakest link in the safety culture remains the human being
§The standards have minimized random hardware and common cause failures, but some basic concepts still puzzle people, leading to very frequently made systematic failures
Why is it so difficult to learn from other people's mistakes?
Organizations have NO Memory!
§ Incidents that have similarities with Buncefield:
– April 1962, Houston Texas, USA
– Jan 1977, Baytown Texas, USA
– Jan 1983, Texaco, Newark, New Jersey, USA
– Dec 1985, Naples Harbour, Italy
– Oct 1991, St Herblain, France
– Jan 1993, Jacksonville, Florida, USA
– Dec 1999, Laem Chabang, Thailand
– Dec 2005, Buncefield, UK
– Oct 2009, Jaipur IOC, India
Similar types of incidents keep occurring?
§ Why not Keep It Simple Stupid or was it Stupid Simple (KISS)?
§ The reason is:
YOU – ME – All of US
Why do we need Functional Safety?
§Analysis of 34 incidents, based on 56 causes identified:
– 44% Specifications
– 20% Changes after commissioning
– 15% Operations and maintenance
– 15% Design and implementation
– 6% Installation and commissioning
Source: Out of control: Why control systems go wrong and how to prevent failure (2nd edition, © Health & Safety Executive HSE – UK)
Systematic Failures – Human Errors?
If we only would have done…
§Today we know that each of these could have been prevented if people had designed the plant/process for failure and applied adequate competency to avoid such things happening again in the future.
§But as Mr. T. Kletz once stated:
“Accidents are not due to lack of knowledge but failure to use the knowledge we have.”
Competency & training (update Nov 2011)
§HIMA trained 1,500+ people over the last 6 years
§TUV Rheinland program
§ 4,500+ certified by end 2011?
§Source: www.TUVASI.com
TOP 10 Failures based on experiences…
§During the last 20 years of conducting seminars, workshops and training courses, meeting thousands of people from every continent, we have compiled a TOP 10 of the typical failures that come up most often in our daily discussions with them…
TOP 10 Failures based on experiences…
1.
1. Hazard identification
§The most crucial phase of any project starts with the CORRECT and COMPLETE identification of the potential HAZARD(S). Once all hazards are identified the job is (can be) half done…
§ It is the first and most important step when identifying the required safety functions for your safety system
§SIS systems not based on hazards are either over-dimensioned €€ or under-dimensioned €€€€
1. Hazard identification
§A safety function is useless when it is not linked to a hazard or hazardous event
§HAZOP is a very popular technique, BUT:
– Select the study nodes according to your experience
– Keep your sessions:
  – within the brainpower time
  – with max 6-8 of the most experienced engineers
  – well documented, and have an FSA follow up!
TOP 10 Failures based on experiences…
2.
2. Risk Reduction tools
§Some of you were told to use Risk Reduction tools like Risk Matrix, Risk Graph, LOPA, etc…
BECAUSE:
– Corporate office has defined the criteria
– The EPC contractor has proposed a preference to you
– Your consultant made a proposal
– Or simply because you have a preference
2. Risk Reduction tools
§Whatever tool you decide to use, make sure:
– You calibrate the tool(s) first to your specific needs, criteria, environment, project & plant specifics
– You don't just accept cut-copy-paste between projects
– You periodically review (e.g. yearly) your tools and recalibrate them if needed
TOP 10 Failures based on experiences…
3.
3. Layers of Protection (LOPA)
§Depending on a single reliable layer?
3. Layers of Protection (LOPA)
§Remember:
§Choose your layers to be TOTALLY INDEPENDENT
§Take credit only ONCE for each layer in LOPA
§Any combination of normal PLC or DCS/BPCS interlocks can be credited with at most RRF <= 10 (SIL 0)
§AVOID common design (systematic) failures
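A constructed LOPA worked example (added here, not taken from the slides) showing how the rules above change the answer: the same BPCS interlock listed twice is credited only once, BPCS credit is capped at RRF 10, and the remaining gap sets the required RRF and SIL band of a SIF. Layer names, frequencies and PFDs are made-up sample values; the SIL bands are the IEC 61508 low-demand RRF ranges.

```python
# Constructed LOPA example (not from the HIMA slides); all figures are sample values.
from typing import List, Tuple

BPCS_MAX_RRF = 10.0  # slide rule: PLC/DCS/BPCS interlocks get at most RRF 10 ("SIL 0")

# (layer name, layer kind, claimed PFD). The same BPCS interlock is listed twice on
# purpose, and its claimed PFD of 0.01 is better than a BPCS layer may be credited with.
SAMPLE_LAYERS: List[Tuple[str, str, float]] = [
    ("High-pressure alarm with operator response", "alarm", 0.1),
    ("BPCS high-pressure interlock", "bpcs", 0.01),
    ("BPCS high-pressure interlock", "bpcs", 0.01),
    ("Pressure relief valve", "mechanical", 0.01),
]

def credited_layers(layers):
    """Take credit for each independent layer ONCE and cap BPCS credit at RRF 10."""
    seen, credited = set(), []
    for name, kind, pfd in layers:
        if name in seen:
            continue                       # second listing of the same layer: no extra credit
        seen.add(name)
        if kind == "bpcs":
            pfd = max(pfd, 1.0 / BPCS_MAX_RRF)   # PFD can never be better than 0.1
        credited.append((name, pfd))
    return credited

def residual_frequency(initiating_freq, layers, apply_rules=True):
    """Mitigated event frequency per year; apply_rules=False gives the naive product."""
    pfds = [p for _, p in credited_layers(layers)] if apply_rules else [p for _, _, p in layers]
    freq = initiating_freq
    for p in pfds:
        freq *= p
    return freq

def required_sif(initiating_freq, layers, target_freq):
    """(required RRF, SIL) for a SIF closing the remaining gap; SIL 0 means no SIF needed."""
    rrf = residual_frequency(initiating_freq, layers) / target_freq
    if rrf <= 10:
        return rrf, 0                      # non-SIS measures suffice (RRF <= 10 is "SIL 0")
    for sil, upper in ((1, 100), (2, 1_000), (3, 10_000)):
        if rrf <= upper:                   # IEC 61508 low-demand RRF bands
            return rrf, sil
    return rrf, 4

if __name__ == "__main__":
    init, target = 1.0, 2e-6   # constructed: 1 initiating event/yr, tolerable 2e-6/yr
    print("naive residual:   ", residual_frequency(init, SAMPLE_LAYERS, apply_rules=False))
    print("credited residual:", residual_frequency(init, SAMPLE_LAYERS))
    print("SIF needed (RRF, SIL):", required_sif(init, SAMPLE_LAYERS, target))
```

With the rules ignored the naive product lands below the target and no SIF seems necessary; with each layer credited once and the BPCS cap applied, a SIL 1 SIF with RRF 50 is still required.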
TOP 10 Failures based on experiences…
4.
4. SIL - PFD
§Most of you here today will easily pronounce Safety Integrity Level (SIL), even Probability to Fail on Demand (PFD)
§Some of you may believe or have been told that those parameters are enough to describe the SAFETY needed?
§For those quoting ONLY “SIL & PFD”, it is like specifying a very well known car by ordering a “RED” car with a “Horse” as its symbol…
4. SIL - PFD
§But you could easily get WHAT you asked for…
4. SIL - PFD
§Remember that ‘SIL’ has:
§TECHNICAL requirements
§NON-TECHNICAL requirements (management)
TOP 10 Failures based on experiences…
5.
5. Safety Instrumented Function
§The weakest element can take down the complete Safety Integrity of that loop
5. Safety Instrumented Function
§Remember:
§Every SINGLE SUBSYSTEM should fulfil the SIL requirements you want to achieve for that SIF
§Often the weakest link will be your final element (e.g. solenoid, valve)
§Or maybe your cheapest interface somewhere in the SIF (e.g. interposing relay)
TOP 10 Failures based on experiences…
6.
6. Proof test coverage & frequency
6. Proof test coverage & frequency
§Remember:
§Not only the FREQUENCY is important; the amount of COVERAGE during your proof test is even MORE important
§ It will be extremely difficult to reach 80-90% coverage during a SIF proof test of the devices and to restore the safety function to as good as new
§E.g. it doesn't matter how often you visit a doctor for a medical check-up; make sure that doctor will find all potential problems
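A constructed example (added here, not HIMA's code) that serves both point 5 (the weakest subsystem drags down the whole SIF) and point 6 (coverage beats frequency): three 1oo1 subsystems are combined into one SIF, and the final element is then re-evaluated once with a doubled test frequency and once with better coverage. The PFDavg formula with imperfect proof testing is an assumption in the style of ISA-TR84.00.02, and all failure rates are made-up sample values.

```python
# Constructed example, not HIMA's code. Assumed simplified 1oo1 PFDavg with imperfect proof test:
#   PFDavg ≈ PTC*λDU*TI/2 + (1-PTC)*λDU*LT/2
# λDU = dangerous undetected failure rate (1/h), TI = proof test interval,
# PTC = proof test coverage, LT = mission time. Rates below are sample values only.
from typing import Dict, Tuple

HOURS_PER_YEAR = 8760.0
SIL_BANDS = ((3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))  # IEC 61508 low-demand PFDavg

# name -> (λDU per hour, proof test interval in years, proof test coverage)
SAMPLE_SIF: Dict[str, Tuple[float, float, float]] = {
    "pressure transmitter": (2e-7, 1.0, 0.95),
    "logic solver":         (1e-8, 1.0, 0.99),
    "solenoid + valve":     (1e-6, 1.0, 0.70),   # cheap final element, poorly tested
}

def pfd_avg_1oo1(lambda_du, ti_years, ptc, lifetime_years):
    ti, lt = ti_years * HOURS_PER_YEAR, lifetime_years * HOURS_PER_YEAR
    tested = ptc * lambda_du * ti / 2            # faults the proof test does find
    untested = (1 - ptc) * lambda_du * lt / 2    # faults that persist for the mission time
    return tested + untested

def sil_from_pfd(pfd):
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-4 else 0

def evaluate_sif(subsystems, lifetime_years=15.0):
    """Sum the subsystem PFDavg values (series loop) and report the achieved SIL and
    the weakest link, i.e. the subsystem contributing the largest PFDavg."""
    pfds = {n: pfd_avg_1oo1(*p, lifetime_years) for n, p in subsystems.items()}
    total = sum(pfds.values())
    weakest = max(pfds, key=pfds.get)
    return total, sil_from_pfd(total), weakest

def with_change(subsystems, name, ti_years=None, ptc=None):
    """Copy of the SIF with one subsystem's test interval and/or coverage changed."""
    lam, ti, cov = subsystems[name]
    out = dict(subsystems)
    out[name] = (lam, ti if ti_years is None else ti_years, cov if ptc is None else ptc)
    return out

if __name__ == "__main__":
    print("as designed:      ", evaluate_sif(SAMPLE_SIF))
    print("test twice a year:", evaluate_sif(with_change(SAMPLE_SIF, "solenoid + valve", ti_years=0.5)))
    print("95% coverage:     ", evaluate_sif(with_change(SAMPLE_SIF, "solenoid + valve", ptc=0.95)))
```

With these sample values the valve alone holds the loop at SIL 1; testing it twice as often changes nothing, while raising its proof test coverage to 95% moves the SIF into the SIL 2 band.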
TOP 10 Failures based on experiences…
7.
7. Hardware with Software, SIL by FMEA?
§Several field transmitters are sold as SILx-compatible devices based on an FMEA/FMEDA.
§E.g. a pure-hardware SIL 2 transmitter can most likely be used in a 1oo2 architecture for a SIL 3 application. But a smart transmitter whose hardware alone was assessed by an FMEA for SIL 2 cannot automatically be claimed for SIL 3 in a 1oo2 architecture, since its software was only designed for use in a SIL 2 application…
7. Hardware with Software, SIL by FMEA?
§Remember:
§For every component, device or piece of equipment that includes SOFTWARE, make SURE that the SOFTWARE has been tested and approved for use up to the SIL level you are trying to achieve
§Rule of thumb: IF you believe (or have been told) that you do NOT need the software to achieve your safety function, pull out the IC chip and throw it away… If your safety function still works, then you do NOT need to certify your software
TOP 10 Failures based on experiences…
8.
8. Certificate & Report
§A good certificate always comes with a report that explains possible restrictions in use, how the assessment was done, etc.
§The magical A4...
8. Certificate & Report
§Remember:
§Make sure:
– You READ more than JUST the SIL number on the certificate
– You request a TEST report in order to understand:
  – WHAT has been tested
  – HOW the product was tested
  – Potential restrictions
TOP 10 Failures based on experiences…
9.
9. Safety versus Availability
§Safety Availability vs. Process Availability
§ This sounds simple, but this is still the biggest misunderstanding in our industry today.
§Objectives of process plants worldwide are two-fold:
– Achieve high levels of process AVAILABILITY
– Maximum production, higher turnover €€€ and keep the management happy ;-)
– Do this while maintaining a SAFE work environment and avoiding injury or death of humans, spills to the environment and loss of equipment or production
9. Safety versus Availability
§How do we achieve this?
– Redundancy
– Voting
– BUT how do we combine those and WHY?
§Before we show the table, let's define:
– Dangerous failures
– Safe failures
– HFT
9. MooN, HFT > Tino‘s table
[Table columns: Architecture; M (Voting); N (Redundancy); HFT (IEC/PFD) Dangerous; HFT (ISA/PFS) SAFE (new concept). Rows: 1oo1, 2oo2, 1oo2, 2oo3, 1oo3, 2oo4. The cell values were on the slide graphic and are not in the text.]
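An added illustration (not Tino's table itself) of how the two HFT columns follow from the MooN definition: M of N redundant channels must vote to trip, a dangerous failure is a channel that never trips, a safe failure is a channel that trips without a demand. The code brute-forces every failure pattern for the six architectures listed on the slide and cross-checks the result against the closed form dangerous HFT = N - M, safe HFT = M - 1; no values are taken from the slide.

```python
# Added example (not the slide's own table): derive both HFT columns of a MooN architecture.
from itertools import combinations
from typing import Dict, Tuple

ARCHITECTURES = ["1oo1", "2oo2", "1oo2", "2oo3", "1oo3", "2oo4"]  # rows of the slide's table

def parse_moon(arch: str) -> Tuple[int, int]:
    """'MooN': M of the N redundant channels must vote 'trip' for the output to trip."""
    m, n = (int(x) for x in arch.lower().split("oo"))
    if not 1 <= m <= n:
        raise ValueError(f"invalid MooN architecture: {arch}")
    return m, n

def vote(arch: str, states) -> Tuple[bool, bool]:
    """states per channel: 'ok' (trips only on a real demand), 'D' (dangerous failure,
    never trips), 'S' (safe failure, trips even without demand).
    Returns (trips on demand, trips without demand)."""
    m, _ = parse_moon(arch)
    on_demand = sum(s in ("ok", "S") for s in states)   # channels voting trip during a demand
    no_demand = sum(s == "S" for s in states)           # channels voting trip with no demand
    return on_demand >= m, no_demand >= m

def hft(arch: str) -> Tuple[int, int]:
    """(dangerous HFT, safe HFT): largest k such that EVERY pattern of k failures of
    that kind still leaves the function working."""
    _, n = parse_moon(arch)

    def tolerance(kind, still_ok):
        for k in range(n + 1):
            for failed in combinations(range(n), k):
                states = [kind if i in failed else "ok" for i in range(n)]
                if not still_ok(vote(arch, states)):
                    return k - 1
        return n

    dangerous = tolerance("D", lambda r: r[0])    # must still trip on demand (IEC/PFD column)
    safe = tolerance("S", lambda r: not r[1])     # must not trip spuriously (ISA/PFS column)
    return dangerous, safe

def moon_table(archs=ARCHITECTURES) -> Dict[str, Tuple[int, int, int, int]]:
    """arch -> (M, N, dangerous HFT, safe HFT), cross-checked against the closed
    form dangerous HFT = N - M and safe HFT = M - 1."""
    rows = {}
    for a in archs:
        m, n = parse_moon(a)
        d, s = hft(a)
        assert (d, s) == (n - m, m - 1)
        rows[a] = (m, n, d, s)
    return rows
```

Printing `moon_table()` shows why 2oo2 favours process availability (tolerates one safe failure, no dangerous one) while 1oo2 favours safety (the reverse), and why 2oo3 and 2oo4 are the usual compromises.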
TOP 10 Failures based on experiences…
10.
10. Functional Safety, a JUNGLE?
10. Beware of FS Cowboys
[Word cloud of functional safety jargon: SAFETY EXPERT, SIL, LOPA, CERTIFICATION, PFD, SFF, PROVEN IN USE, HFT, FMEA, HAZOP, CFSE, TUV… TUV FSE, 61508, 61511, REPORTS, FSA, FSM, DIAGNOSTICS, PARTIAL STROKE, SIL VERIFICATION, SOFTWARE, HARDWARE VOTING, TYPE A - B]
Summary
§All YOU need is:
– Know How – Know How – Know How
– Experience – Experience – Experience
– Competency – Competency – Competency
§ In order to achieve an adequate safety culture, the competency of every human being working in the lifecycle of our process industry is becoming the ‘de facto standard’ for those who want to keep their plant safe and productive and avoid the very costly penalties and lawsuits that follow when things go wrong, as they have in the past.
Have COMPETENT people
working and helping you
keeping YOUR plant
FUNCTIONAL SAFE. Nonstop.