STANDARDS / SAFETY INTEGRITY LEVELS: ANSI/ISA S84.01 & DRAFT IEC 61508

HOW THIS STANDARD WILL AFFECT YOUR BUSINESS
KEYWORDS

Safety Integrity Level, Process Hazards Analysis, ISA S84.01 / IEC 61508
INTRODUCTION
If your company is planning an expansion, a retrofit, a grass-roots facility, or simply modifying a process unit, and the process hazard analysis (PHA) indicates you need a safety instrumented system (SIS) as a protective layer, then you need to comply with ANSI/ISA S84.01. Why? Because in February 1996, the "Application of Safety Instrumented Systems for the Process Industries" was approved and will be enforceable under OSHA 29 CFR Part 1910. There are at least five (5) references in this Federal Register that state "...accepted engineering standards and practices". For example:
1. Page 6404 Para. (3)(H)(ii) Safety Systems (e.g. interlocks, detection or suppression systems)
2. "The employer shall document that the equipment complies with recognised and generally accepted good engineering practices."
Furthermore, EPA 40 CFR Part 68 has at least ten (10) references to "...accepted engineering standards and practices" for mitigation or protective systems designed to prevent an EPA incident. Both OSHA and EPA make references to National Standards, e.g. the American National Standards Institute (ANSI). ISA is an ANSI accredited organisation.

With over 100 user companies represented on the S84 Committee, a standard was produced that represents a consensus of users and vendors. A unanimous vote from the Committee and the ISA membership endorsed the document as an "accepted industry standard". Most companies found little or no conflict with their own internal engineering practices for safety systems, but others with no formal engineering guidelines will have to modify their practices. This standard joins the other industry accepted standards, e.g. ASME vessel codes, NFPA for burner management, IEEE for electrical systems, or other civil and building codes/standards. User companies have strict compliance policies for these standards and would rarely if ever violate their requirements. The new S84.01 standard is no different; its requirements ensure a design that will meet the process safety integrity level. In addition, US companies should be aware of the increasing threat of litigation by overzealous attorneys and juries that have no sympathy for companies who do not follow standards in their designs. The punitive sanctions of OSHA or the EPA are insignificant as compared to the class action awards plaintiffs are receiving.

What is also new to users is the assignment and verification of the SIS safety integrity level (SIL). Assigning and qualifying safety integrity levels is undoubtedly the one requirement of S84.01 that companies are having the most difficulty with. SIL is discussed below.
TECHNIQUES FOR ASSIGNING A TARGET SAFETY INTEGRITY LEVEL
The new ANSI/ISA S84.01 standard requires that companies assign a target safety integrity level (SIL) for all safety instrumented system (SIS) applications. The assignment of the target SIL is a decision requiring the extension of the process hazards analysis (PHA) process to include the balance of risk likelihood and severity with risk tolerance. This paper examines the three most common techniques currently utilised by many process industries: the risk matrix, the IEC 61508 methodology, and a strict policy choice.

The OSHA Process Safety Management (PSM) and EPA Risk Management Program (RMP) dictate that a process hazards analysis be used to determine the protective measures necessary to protect workers, the community and the environment. A compliant program will incorporate "good engineering practice," which means that the program follows the codes and standards published by such organisations as the American Society of Mechanical Engineers, American Petroleum Institute, American National Standards Institute, National Fire Protection Association, American Society for Testing and Materials, and National Board of Boiler and Pressure Vessel Inspectors.

In February 1996, the Instrument Society of America published a standard, ISA S84.01, "Application of Safety Instrumented Systems for the Process Industries". This standard will become an American National Standards Institute (ANSI) standard early this year. With its acceptance as an ANSI standard, it will be enforceable under OSHA PSM and EPA RMP.

The new ANSI/ISA S84.01 and the draft IEC 61508 standard require that a target safety integrity level (SIL) be assigned for the safety instrumented system (SIS) for any process in which the process hazards analysis (PHA) has determined that the mechanical integrity of the process and the process control are insufficient to mitigate the potential hazard. The SIS consists of the instrumentation or controls that are installed for the purpose of mitigating the hazard or bringing the process to a safe state in the event of a process upset.

The safety integrity level designations provided in ISA S84.01 and IEC 61508 (draft) can be correlated to SIS availability requirements. As shown in the Figure, IEC 61508 (draft) recognises SIL 4, which the U.S. domestic standard ISA S84.01 does not consider.
What does SIL mean? It should be understood that SIL and availability are simply statistical representations of the integrity of the SIS when a process demand occurs. The acceptance of a SIL 1 SIS means that the level of hazard or economic risk is sufficiently low and that a SIS with a 10% chance of failure (90% availability) is acceptable. For example, consider the installation of a SIL 1 SIS for a high level trip in a liquid tank. The availability of 90% would mean that out of every 10 times that the level reached the high level trip point there would be one predicted failure of the SIS and subsequent overflow of the tank. Is this an acceptable risk?

A qualitative view of SIL has slowly developed over the last few years as the concept of SIL has been adopted at many chemical and petrochemical plants. This qualitative view can be expressed in terms of the impact of the SIS failure on plant personnel and the public or community:
SIL 4: Catastrophic Community Impact.
SIL 3: Employee and Community Protection.
SIL 2: Major Property and Production Protection. Possible injury to employee.
SIL 1: Minor Property and Production Protection.
The above qualitative view leaves much open for discussion. What is minor? What is major? At what point will a theoretical injury or fatality occur? There are no regulations that assign a SIL to particular processes or chemical operations. There are no standards to follow that recommend specific SILs for certain process hazards. The assignment of SIL is a corporate or company decision based on risk management and risk tolerance philosophy. The caveat is that ANSI/ISA S84.01 does mandate that companies should design their safety instrumented systems (SIS) to be consistent with similar operating process units within their own companies and at other companies. Likewise, in the U.S., OSHA PSM and EPA RMP require that industry standards and good engineering practice be used in the design and operation of process facilities. This means that the assignment of safety integrity levels must be carefully performed and thoroughly documented.

Safety integrity levels are assigned after the process hazards analysis (PHA) has concluded that a safety instrumented system is required. A PHA is performed to identify potential hazards in the operation of a chemical process. PHAs range from the very simple screening analysis to the complex Hazard and Operability Study (HAZOP). The HAZOP is a systematic, methodical examination of the process design that utilises a multi-disciplinary team to identify hazards or operability problems that could result in an accident. The HAZOP provides a prioritised basis for the implementation of risk mitigation strategies, such as safety instrumented systems (SIS) or emergency shutdown systems (ESD). When the HAZOP is completed, the risk associated with the process, in terms of severity and likelihood, should be understood. The event severity is established based on some measure of the anticipated impact or consequence. This can include:
- On-site consequences
  - worker injury or death
  - equipment damage
- Off-site consequences
  - community exposure, including injury and death
  - property damage
- Environmental impact
  - emission of hazardous chemicals
  - contamination of air, soil, and water supplies
  - damage to environmentally sensitive areas
The risk likelihood is determined by estimating the probability of expected occurrence. The likelihood is classified as a high, medium or low rate of occurrence. This is often determined based on company operating experience or competitor operation history.

There are several methods of converting HAZOP data into safety integrity levels (SIL). The methods range from making a corporate decision on all safety system installations to more complex techniques such as the IEC 61508 risk graph.

One of the most common techniques among U.S. chemical and petrochemical companies uses a risk matrix that is developed based on a corporate risk management philosophy. The risk matrix is a correlation that presents the risk reduction that is necessary to decrease the perceived process risk to an acceptable level. The risk likelihood and risk severity determined during the HAZOP are plotted on the risk matrix to determine the required risk reduction or safety integrity level (SIL) for that specific hazard event. An example of a risk matrix is shown below.
QUALITATIVE RANKING OF RISKS

[Figure: example risk matrix (image not available in this text)]
When there is no corporate risk matrix, the best method is the IEC 1508 risk graph technique. Although still in draft form, IEC 61508 does provide a rigorous technique for determining the SIL for a specific process unit risk. This technique is based on determining four factors:
1. consequence (C),
2. frequency and exposure time (F),
3. possibility of avoiding the hazardous event (P),
4. probability of the unwanted occurrence (W).
This method is a qualitative technique that requires a multi-disciplinary team to ensure that the four parameters listed above are properly chosen. The optimum time to make the parameter selection is during the HAZOP process, when many of the process risks are well documented and the risk likelihood and severity have been discussed.

However, the IEC 61508 methodology is more than just an extension of the HAZOP process, because it focuses most of the evaluation on an individual person’s risk. The consequence, exposure time, possibility of escape and probability of occurrence are evaluated from the point of view of a theoretical person being in the incident zone. Thus, the consequence is not simply defining the incident in terms of loss of containment, fires or chemical releases, as defined in the PHA process. It is examining the incident from the exposed person’s perspective in terms of an injury or fatality. For the consequence, the following questions should be evaluated for the incident:
» Is there a potential for injury or fatality?
» Can the exposed person recover?
» Can the exposed person return to normal activities?
» Are the effects acute or chronic?
For the exposure frequency, the process unit must be evaluated in terms of the personnel presence and activity in the unit. The questions for this parameter should address the following:
» Is the process unit remote or in the main personnel traffic area?
» How close are operation and maintenance stations?
» How often are operations staff in the vicinity?
» What about support staff, such as maintenance crews or engineering personnel?
» Is this a main travel area for access to other process units?
Possibility of escape can be difficult for the hazards evaluation team to agree upon, because, as engineers and risk assessment people, there is a tendency to want to believe that people can always escape if there are alarms. However, time becomes an important factor in the escape. The question that should be asked is, "How easy is it to escape from the hazardous area?" Typical issues that should be addressed are as follows:
» Are the escape routes well marked?
» Can personnel in the exposure area readily recognise that a hazardous situation exists?
» Are there alarm sirens?
» Have personnel been through accident scenario training?
The probability of occurrence is an easier parameter to evaluate, since most process hazards analyses already use the occurrence frequency to prioritise HAZOP results. The likelihood of the event should be evaluated without taking into account any existing safety instrumented systems.

Once these factors are determined, the risk graph in IEC 61508 is utilised to determine the minimum risk reduction level and associated SIL.
| Necessary Minimum Risk Reduction Level | Safety Integrity Level |
|---|---|
| - | No safety requirements |
| a | No special safety requirements |
| b, c | 1 |
| d | 2 |
| e, f | 3 |
| g | 4 |
| h | An E/E/PES SRS is not sufficient |
The least time consuming method is one being adopted by many small, speciality chemical plants that do not have the manpower to devote to the IEC 61508 or risk matrix methodologies. This method recognises that the greatest increase in cost occurs when you make the decision that the SIL must be higher than SIL 1. The selection of SIL 2 or SIL 3 forces the SIS design toward device redundancy and diversity. With this recognition, many companies are taking the approach that "a safety system is a safety system and therefore should be SIL 3". This eliminates the arguments about whether escape is possible, whether someone will be injured or killed, or whether the impact will be on-site and/or off-site. It saves time in the PHA process, reduces documentation in justifying the SIL choice, and ensures consistency across process units.

Unfortunately, there is no easy answer when it comes to assigning SILs. The choice involves examining safety, community, environmental, and economic risks. Multi-disciplinary teams must be involved in the process to ensure that the choice of SIL is consistent with a company’s risk management philosophy and loss prevention goals.
THE RELATIONSHIP BETWEEN TUV CLASS AND SIL
ANSI/ISA S84.01-1996 and draft IEC 61508 require the assignment and verification of safety integrity levels (SIL) for any safety instrumented system (SIS). Programmable Electronic Systems (PES) are often used as the logic solver in SIS applications. The PES is certified by TUV to meet certain TUV classes. With the increased interest in SIL, many Users are now asking about the relationship between TUV Class and SIL. This technical letter will provide an introduction to the origin of TUV classes and SIL and demonstrate the importance of these acronyms to SIS design.

Following the catastrophic incidents in Seveso, Italy, Flixborough, UK, and Bhopal, India, there was rapid movement in many countries to develop standards and regulations that would minimize the impact of industrial accidents on citizens. In Germany, the methodology of defining the risk to individuals was established in DIN V 19250, "Control technology; fundamental safety aspects to be considered for measurement and control equipment." DIN V 19250 established the concept that safety systems should be designed to meet certain designated classes, Class 1 through Class 8. The choice of the class was made dependent on the level of risk posed by the process. Therefore, DIN V 19250 was simply an attempt to force Users to look at the hazards involved in their processes and to determine the integrity of the safety-related system that would be required.

As PES use in safety system designs became prevalent, there was increased concern about how to determine whether the design of the PES was sufficiently rigorous for the application and for the DIN V 19250 class. The standard DIN V VDE 0801 was developed to address these concerns. "Principles for computers in safety-related systems," DIN V VDE 0801, sets forth the following specific measures that are to be utilized in the evaluation of PES:
» Design,
» Coding (system level),
» Implementation and Integration, and
» Validation.
Within the standard, each measure is broken down into specific techniques that can be thoroughly tested and documented by independent organizations. Thus, DIN V VDE 0801 provided a means of determining that the PES met certain DIN V 19250 classes.

DIN V 19250 related risk to class and DIN V VDE 0801 related class to PES requirements. Now the remaining piece was a certifying body to ensure that the PES met the class by the measures and techniques presented in DIN V VDE 0801. TUV is a German regulatory body, which some people compare to OSHA in the United States, since one of the divisions of TUV has regulatory authority over industry in Germany. However, this comparison is overly simplistic, because TUV’s impact on worldwide safety system design is through its certification division. TUV tests and certifies PESs for DIN V 19250 class or TUV Class. While there are other certifying organisations in the world that are important for certain applications or in certain countries, TUV is currently the internationally recognised certification body for PES.

It must be acknowledged that the achievement of TUV Class is not absolute. Due to the complexity of PES, all TUV certifications are awarded based on particular design, diagnostic, operational, testing, and maintenance restrictions. These are documented in the certification report from TUV. All PES have restrictions for TUV Class 5 and 6. Some of these restrictions can result in the requirement that the PES operate in a configuration that is different from the advertised product. These restrictions must be examined carefully to ensure that the PES meets the required TUV class in the configuration that will be used in operation.

The two German standards provided a mechanism for relating risk to PES integrity, but it was always understood that risk reduction had to include the evaluation of the complete safety-related system or safety instrumented system (SIS). Draft IEC 61508, "Functional Safety: Safety Related Systems," is an international standard designed to address the complete SIS in the process, transit and medical industries. The standard introduces the concept of a safety lifecycle model to illustrate that the integrity of a SIS is not limited to device integrity, but is also a function of design, operation, testing, and maintenance.

The draft IEC 61508 standard created 4 safety integrity levels (SIL) that were indexed to specific probability to fail on demand ranges (Table 1). According to the standard, a SIL is assigned based on the required risk reduction as determined from a process hazards analysis. From an overall viewpoint, SIL was established as the litmus test of whether the SIS design, operation, testing, and maintenance was acceptable. The SIL encompasses device integrity, architecture, voting, diagnostics, systematic and common cause failures, testing, operation, and maintenance. Since the original DIN V 19250 related risk to TUV class, the draft IEC 1508 standard provides a correlation between SIL and TUV class.
Table 1. Safety Integrity Level with Probability to Fail on Demand (PFD)

| Standard | Safety Integrity Level | Probability to Fail on Demand |
|---|---|---|
| IEC 61508 only | 4 | 1E-05 to < 1E-04 |
| IEC 61508 and ISA S84 | 3 | 1E-04 to < 1E-03 |
| IEC 61508 and ISA S84 | 2 | 1E-03 to < 1E-02 |
| IEC 61508 and ISA S84 | 1 | 1E-02 to < 1E-01 |
ANSI/ISA S84.01-1996 is the United States’ standard for safety systems in the process industry. The SIL classes (Table 1) from draft IEC 61508 were utilised and the TUV class relationships were maintained. ANSI/ISA S84.01-1996 did not incorporate the highest SIL class, SIL 4. The S84 Committee felt that SIL 4 was very applicable for medical and transit systems in which the only layer of protection is the safety instrumented layer. In contrast, the process industry can incorporate many layers of protection in the design of the process. The overall risk reduction from these layers of protection is equal to or greater than that of other industries.

The graphic in Figure 1 provides a view of the relationship of TUV classes and SIL. As the required SIL increases, the SIS integrity, as measured by probability to fail on demand or availability, must also increase. Since SIL is a measure of the overall system integrity, the PES chosen for the application must meet the required SIL and, therefore, must meet a specific TUV class.

The relationship between TUV classes and SIL is extremely important and should not be overlooked. These designations were developed in response to serious incidents that resulted in the loss of life. Finally, these designations are intended to serve as a foundation for the effective selection and appropriate design of safety instrumented systems.
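To make the Table 1 bands concrete, the following added example (not code from the article, ISA or IEC) classifies a safety function's probability to fail on demand into those bands and compares a single-channel (1oo1) trip with a redundant 1oo2 one, showing how redundancy moves a design from the SIL 2 band into SIL 3. The PFDavg formulas are the simplified low-demand equations of IEC 61508-6 and the sensor failure data are constructed values; both are assumptions beyond what the page states.

```python
"""SIL band lookup from Table 1, plus a 1oo1 versus 1oo2 PFDavg comparison.

Added example, not code from the original article. The SIL/PFD bands are
Table 1 of the page; the PFDavg equations are the simplified low-demand
formulas of IEC 61508-6 (assumption, not stated on the page) and the sensor
failure data below are constructed sample values."""

# Table 1: SIL -> [lower, upper) probability to fail on demand (PFD).
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def sil_for_pfd(pfd, recognise_sil4=True):
    """Return the Table 1 SIL band containing pfd; 0 means no SIL achieved.

    recognise_sil4=False applies the ISA S84.01 view: that standard has no
    SIL 4, so a PFD in the SIL 4 band is reported as SIL 3 (assumption)."""
    if pfd >= 1e-1:
        return 0
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= pfd < upper:
            return 3 if (sil == 4 and not recognise_sil4) else sil
    raise ValueError("PFD is below the range covered by Table 1")


def pfd_1oo1(lambda_du, proof_test_h):
    """Single channel: PFDavg ~= lambda_DU * TI / 2 (simplified IEC 61508-6)."""
    return lambda_du * proof_test_h / 2


def pfd_1oo2(lambda_du, proof_test_h, beta):
    """Two redundant channels, either one trips the process.
    Independent-failure term ((1-beta)*lambda_DU*TI)^2 / 3 plus the
    common-cause term beta*lambda_DU*TI/2 (beta-factor model)."""
    independent = ((1 - beta) * lambda_du * proof_test_h) ** 2 / 3
    common_cause = beta * lambda_du * proof_test_h / 2
    return independent + common_cause


def compare_architectures(lambda_du=2e-6, proof_test_h=8760, beta=0.05):
    """Constructed case: a trip sensor with 2 dangerous undetected failures
    per million hours, proof tested yearly, 5 % common cause when doubled."""
    single = pfd_1oo1(lambda_du, proof_test_h)
    redundant = pfd_1oo2(lambda_du, proof_test_h, beta)
    return {
        "1oo1": {"pfd": single, "sil": sil_for_pfd(single),
                 "availability": 1 - single},
        "1oo2": {"pfd": redundant, "sil": sil_for_pfd(redundant),
                 "availability": 1 - redundant,
                 # fraction of the 1oo2 PFD that common cause contributes
                 "common_cause_share": (beta * lambda_du * proof_test_h / 2)
                 / redundant},
    }


if __name__ == "__main__":
    for arch, r in compare_architectures().items():
        print(f"{arch}: PFDavg={r['pfd']:.2e}  SIL {r['sil']}  "
              f"availability={r['availability']:.3%}")
```

The common-cause share in the 1oo2 result is the point a verifier looks at: with a 5 % beta factor the redundant pair is dominated by common-cause failure, which is why SIL 2 and SIL 3 designs push toward diversity and not only duplication.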
Figure 1. Cross Reference between SIS Class and Standards

[Figure 1: image not available in this text]

IEC: International Electrotechnical Commission