Functional Safety from Scratch: A Practical Guide to Process Industry Applications


Functional safety is the task of developing and implementing automatic safety systems used to manage risks in many industries where hazardous processes and machinery are used. Functional Safety from Scratch: A Practical Guide to Process Industry Applications provides a practical guide to functional safety, as applied in the chemical process industry, including the oil and gas, petrochemical, pharmaceutical and energy sectors. Written by a seasoned professional with many years of functional safety experience, this book explains the purpose of the relevant international standard IEC 61511 and how to achieve compliance efficiently. It provides in-depth coverage of the entire lifecycle of a functional safety system, assuming no prior knowledge of functional safety and only a basic understanding of process safety concepts. SIL assessment, the functional safety management plan, the safety requirements specification, verification, validation and functional safety assessment are covered in particular detail.

Functional Safety from Scratch: A Practical Guide to Process Industry Applications is a highly practical source for process and instrumentation engineers, engineering managers and consultants, whether new to the field or already experienced.

Author(s): Peter Clarke
Publisher: Elsevier
Year: 2023

Language: English
Pages: 354
City: Amsterdam

Front Cover
Functional Safety from Scratch
Copyright
Contents
About the author
Acknowledgements
Abbreviations
Glossary
Introduction
Which industries are covered?
Who is the book suitable for?
Who developed this book?
1 - Introduction to functional safety
1.1 What could possibly go wrong?
1.2 Hazard and risk
1.2.1 What is a hazard?
1.2.2 What is harm?
1.2.3 What is risk?
1.2.4 What is tolerable risk?
1.2.5 Risk management through functional safety
1.3 Functional safety standards: IEC 61508 and IEC 61511
1.3.1 Purpose of the standards
1.3.2 Scope of IEC 61511
1.3.3 Why comply with IEC 61511?
1.4 IEC 61511 key concepts
1.4.1 The functional safety lifecycle
1.4.2 Intrinsically safer design
1.4.3 The safety requirements specification (SRS)
1.4.4 Assuring that functional safety is achieved
1.4.5 Random and systematic failures
1.4.6 Competency
1.5 The structure of IEC 61511
1.6 The origins of IEC 61511
Exercises
Answers
Question 1—Answer
Question 2—Answer
Question 4—Answer
References
Further reading
2 - Basic terminology: SIF, SIS and SIL
2.1 The meaning of SIF, SIS and SIL
2.1.1 What is a SIF?
2.1.2 What is a SIS?
2.1.3 SIL, reliability, and integrity
2.1.4 What is an interlock (or trip)?
2.2 Anatomy of a SIF
2.2.1 The sensor subsystem
Other components of the sensor subsystem
The MooN concept for initiators
2.2.2 The logic solver subsystem
2.2.3 The final element subsystem
Actuated valves
Motor control circuits
Other final elements
Other elements of the final element subsystem
The MooN concept for final elements
2.2.4 Permissives and inhibit functions
2.2.5 Other important aspects of a SIF
2.3 Development of a SIF
2.3.1 SIL assessment
2.3.2 SIL verification
2.4 Failure
2.4.1 Failure modes
2.4.2 Failure rates
2.4.3 Hardware fault tolerance
Exercises
Answers
Question 1—Answer
Question 2—Answer
Question 3—Answer
Question 4—Answer
Question 5—Answer
Question 6—Answer
Question 7—Answer
Question 8—Answer
References
3 - Risk evaluation
3.1 Identifying hazardous scenarios
3.2 Expressing risk in numbers
3.3 Tolerable risk
Defining a tolerable risk per event
Defining a total tolerable risk per risk receptor
3.4 How much precision is needed?
3.5 The ALARP concept
Exercises
Answers
Question 1—Answer
Question 2—Answer
Question 3—Answer
References
4 - Introduction to SIL assessment
4.1 Safety instrumented function (SIF) operating modes
4.1.1 What are low demand, high demand and continuous modes?
4.1.2 Selecting an operating mode
4.1.3 Formal definition of operating modes
4.1.4 The significance of operating modes
Definition of SIL
Failure rates
SIL assessment methodology
4.1.5 Tips on selecting the operating mode
4.2 The objectives of SIL assessment
4.2.1 Low demand mode SIFs
4.2.2 High demand and continuous mode SIFs
4.2.3 Why not use default SIL targets?
4.2.4 Prevention or mitigation?
4.3 Identifying and documenting SIFs
4.3.1 Objective
4.3.2 Using process control narratives, interlock descriptions
4.3.3 Using cause & effect diagrams (C&EDs)
4.3.4 Using HAZOP and old SIL assessment study reports
Should BPCS trips be included?
4.3.5 Using binary logic diagrams
4.3.6 Using interlock logic diagrams
4.3.7 Using piping & instrumentation diagrams (P&IDs)
4.4 Separating complex interlocks into SIFs
4.5 The double jeopardy rule
4.6 Independent protection layers
4.6.1 Pressure relief devices (PRDs)
4.6.2 Alarms with operator response
4.6.3 Control loops
4.6.4 Autostart of standby equipment
4.6.5 BPCS interlocks
4.6.6 Interlocks in other PLCs
4.6.7 Check valves
4.6.8 Other mechanical protective devices
4.6.9 Operating procedures
4.6.10 Spill containment
4.6.11 Trace heating
4.6.12 Backup utility supplies
4.6.13 Another SIF
4.6.14 Typical IPL credit available
4.6.15 Examples of insufficient independence
4.7 Critical common element analysis
Exercises
Answers
Question 1—Answer
Question 2—Answer
Question 3—Answer
Question 4—Answer
Question 5—Answer
Question 6—Answer
Question 7—Answer
Question 8—Answer
Question 9—Answer
Question 10—Answer
Question 11—Answer
Question 12—Answer
Question 13—Answer
References
5 - SIL assessment methodology
5.1 Introduction
5.2 Overview of SIL assessment methods
Features of SIL assessment common to all methods
5.3 Selecting initiating events
Typical initiating events
Determine the initiating event in sufficient detail
Control loop malfunctions
Failure of safeguards as initiating events
5.4 Assessing the likelihood of initiating events
5.5 Assessing the consequence severity
5.6 Documenting the SIL assessment study
5.7 Risk matrix method
5.7.1 Method overview
5.7.2 Likelihood and severity categories
5.7.3 The risk matrix
5.7.4 Calibration of the risk matrix
5.7.5 Handling multiple initiating events
5.7.6 Handling enabling conditions and conditional modifiers
5.7.7 Handling independent protection layers (IPLs)
5.7.8 Estimating the SIF demand rate
5.7.9 Risk matrix and ALARP
5.7.10 High demand and continuous mode SIFs
5.8 Risk Graph method
5.8.1 Method overview
5.8.2 Parameters used in Risk Graph
5.8.3 Risk Graph examples
5.8.4 Selecting parameter categories
Demand frequency (W parameter)
Exposure (F parameter)
Avoidance (P parameter)
5.8.5 Calibration of the Risk Graph
5.8.6 Handling multiple initiating events
5.8.7 Handling enabling conditions and conditional modifiers
5.8.8 Handling independent protection layers (IPLs)
5.8.9 Estimating the SIF demand rate
5.8.10 High demand and continuous mode SIFs
5.9 Layer of protection analysis (LOPA)
5.9.1 Method overview
5.9.2 Enabling conditions
5.9.3 Conditional modifiers
5.9.4 Handling multiple initiating events
5.9.5 Estimating the SIF demand rate
5.9.6 Example LOPA worksheet
5.9.7 High demand and continuous mode SIFs
5.10 Fault tree analysis
5.10.1 Method overview
5.10.2 Documenting Fault Tree analysis
5.11 Cost/benefit analysis
5.11.1 Introduction
5.11.2 Calculating the cost of the outcome
Example
5.11.3 Calculating the cost of the SIF
5.11.4 Selecting the optimal solution
5.12 The SIL assessment workshop
5.12.1 The SIL assessment team
5.12.2 Overall objectives of the SIL assessment workshop
Exercises
Answers
Question 1—Answer
Question 2—Answer
Question 3—Answer
Question 4—Answer
Question 5—Answer
Question 6—Answer
Question 7—Answer
Question 8—Answer
Question 9—Answer
Question 10—Answer
Question 11—Answer
Question 12—Answer
Question 13—Answer
Question 14—Answer
Question 15—Answer
Question 16—Answer
Question 17—Answer
Question 18—Answer
References
6 - SIL assessment: special topics
6.1 Redundant initiators
Handling redundant initiators
6.2 Redundant safety functions
What determines if two SIFs are redundant?
One SIF as backup to another
Redundant SIFs in low risk situations
6.3 One SIF—two hazards
6.4 The IPLs vary depending on demand case
6.5 The demand case is activation of another SIF
6.6 One SIF cascades to another
6.7 Initiating event involves multiple simultaneous failures
Example 1
Example 2
6.8 Permissives
Demand frequency
Defining physical initiators and final elements
6.9 Multiple sensors distributed across a wide area
6.10 Operator action as initiator
6.11 Duty and standby pumps
Variable number of pumps running
Duty pump switchover
6.12 Alarms from cascade control loops
6.13 Final elements are shared between the basic process control system (BPCS) and the SIS
6.14 Selecting primary final elements
6.14.1 Introduction
6.14.2 The safe state
6.14.3 Selecting primary final elements
Exercises
Answers
Question 1—Answer
Question 2—Answer
Question 3—Answer
Question 4—Answer
Question 5—Answer
Question 6—Answer
Question 7—Answer
Question 8—Answer
Question 9—Answer
Reference
7 - Key functional safety documents
7.1 The how and why of documentation
7.2 The functional safety management plan
7.2.1 Introduction
7.2.2 The functional safety lifecycle
What information is needed for each lifecycle phase?
7.2.3 Management of change and configuration management
Management of change
Configuration management
7.2.4 Management requirements in the FSMP
Overall planning
Document management
Competency management
Action item management
Contractor management
SIL capability management
Assurance planning
7.2.5 Why the FSMP is important
7.3 The Safety Requirements Specification (SRS)
7.3.1 Introduction
7.3.2 What is the purpose of the SRS?
7.3.3 When is the SRS developed?
7.3.4 What should the SRS contain?
Example wording for SIF logic description
Information you should consider adding to the SRS
7.3.5 Common cause failures
7.3.6 SIF demand rates
7.3.7 Selecting a spurious trip rate target
7.4 The safety manual
7.5 Maximising the effectiveness of documentation
Minimise repetition
Automate, but be careful
Consider the future
7.6 Complete overview of functional safety documentation
Exercises
Essay or discussion question
Answers
Question 1—answer
Question 2—answer
Question 3—answer
Question 4—answer
Question 5—answer
Question 6—answer
Question 7—answer
Question 8—answer
Question 9—answer
Question 10—answer
Question 11—answer
Question 12—answer
Question 13—answer
Question 14—answer
Question 15—answer
Question 16—answer
Question 17—answer
Question 18—answer
Question 19—answer
Question 19—answer
Question 19—answer
Reference
8 - Safety instrumented system design
8.1 The goal of SIS basic design
8.2 PLC-based logic solvers
8.2.1 What is a SIS PLC?
8.2.2 PLC redundancy and diagnostics
8.2.3 Diagnostics for field devices
8.2.4 Setting trip parameters
Setpoints
Trip delay
Reset
8.2.5 Cybersecurity
8.3 Selection of field devices
8.3.1 Preferred types of SIF initiator
Selection of initiator type
Valve limit switches as initiators
8.3.2 Defining final element architecture
8.3.3 SIF architecture
8.3.4 Testing and maintainability
Are Bypass Lines Allowed on SIS Shutdown Valves?
8.3.5 Partial valve stroke testing
Is PVST a diagnostic?
8.3.6 Energise and de-energise-to-trip
8.3.7 Derating
8.3.8 Hard-wiring of field devices
8.4 Independence
8.4.1 Multiple SIFs in the same SIS
8.4.2 Multiple systems tripping a motor via the same MCC
8.4.3 Communications between SIS logic solver and BPCS
8.4.4 Implementing BPCS and SIS in a single logic solver
8.4.5 Implementing non-safety functions in the safety PLC
8.5 Non-PLC based logic solvers
Susceptibility to spurious trips
8.6 What comes next?
References
Further reading
9 - Meeting SIL requirements: SIL verification
9.1 What it takes to achieve a given SIL
9.2 Calculating the random hardware failure measure
9.2.1 Introduction
9.2.2 How the failure measure is calculated: SIL verification
Calculation of probability curves
Single devices
Multiple devices
The complete SIF
State-based calculations
9.2.3 High demand and continuous modes
9.3 More on proof testing
9.3.1 Optimising the proof test interval
9.3.2 The effect of human error during proof testing
9.4 Architectural constraints
9.4.1 Introduction
9.4.2 Hardware type A and type B
9.4.3 Safe failure fraction
9.4.4 HFT requirements in IEC 61508:2000
9.4.5 HFT requirements in IEC 61508:2010
9.4.6 HFT requirements in IEC 61511:2016
9.4.7 How to apply SFF requirements
9.5 SIL capability and SIL certification
9.5.1 Introduction
9.5.2 Assessing the element's performance in the field
9.5.3 What is the difference between ‘proven in use’ and ‘prior use’?
9.5.4 What is meant by a “SIL 2 shutdown valve”?
9.5.5 Software SIL capability
9.6 Calculating predicted spurious trip rate
9.7 What to do if SIS design targets are not met
Exercises
Descriptive questions
Numerical questions
Answers
Question 1—Answer
Question 2—Answer
Question 3—Answer
Question 4—Answer
Question 5—Answer
Question 6—Answer
Question 7—Answer
Question 8—Answer
Question 9—Answer
Question 10—Answer
Question 11—Answer
Question 12—Answer
Question 13—Answer
Question 14—Answer
Question 15—Answer
Question 16—Answer
Question 17—Answer
Question 18—Answer
Question 19—Answer
References
Further reading
10 - Assurance of functional safety
10.1 Introduction
10.2 Verification
10.2.1 Introduction
10.2.2 How verification works in practice
10.2.3 Verification checklists
10.2.4 Discrepancy handling
10.2.5 Competency and independence requirements
10.3 Validation
10.3.1 Introduction
10.3.2 Hardware inspection
Field equipment inspection
SIS logic solver inspection
10.3.3 End-to-end test
10.3.4 Specific tests for sensors
10.3.5 Specific tests for final elements
10.3.6 Test equipment
10.3.7 Document inspection
10.3.8 Discrepancy handling
10.3.9 Restoring the SIS after validation
10.3.10 Validation report
10.3.11 Revalidation
10.4 Functional safety assessment
10.4.1 Introduction
10.4.2 Which stakeholders need to perform FSA?
10.4.3 What sample size needs to be considered in FSA?
10.4.4 Independence requirements for FSA
10.4.5 How FSA is conducted in practice
10.4.6 Assessment tasks
10.4.7 Common pitfalls to avoid
10.4.8 Example: assessment of SIL verification
10.5 Functional safety audit
10.5.1 Introduction
10.5.2 Typical audit procedure
Exercises
Answers
Question 1—answer
Question 2—answer
Question 3—answer
Question 4—answer
Question 5—answer
Question 6—answer
Question 7—answer
Question 8—answer
Question 9—answer
Question 10—answer
Question 11—answer
Question 12—answer
Question 13—answer
Question 14—answer
Question 15—answer
Question 16—answer
11 - The SIS operational phase
11.1 Introduction
11.2 Training requirements
11.2.1 Operator training
11.2.2 Training for maintenance personnel
11.3 Proof testing
11.3.1 Introduction
11.3.2 Applying more than one test procedure per device
11.3.3 Test before performing maintenance
11.3.4 Document the duration of testing and repair
11.4 Monitoring of SIS performance
11.5 SIS modifications and partial decommissioning
11.5.1 The Management of Change procedure
11.6 Future challenges
11.7 Closing thoughts
Exercises
Answers
Question 1—Answer
Question 2—Answer
Question 3—Answer
Question 4—Answer
Question 5—Answer
Reference
A - Sample verification checklist
Verification checklist: SIL assessment
Section 1. Scope of work executed
Section 2. Inputs
Section 3. Outputs
Section 4. Quality
Section 5. Personnel
Section 6. Verification results
B - What is affected by SIL
Index
Back Cover