things iec61508/61511 doesn't tell you about safety ... · pdf filethings iec61508/61511...
TRANSCRIPT
Standards
Certification
Education & Training
Publishing
Conferences & Exhibits
Things IEC61508/61511 Doesn't Tell You About Safety Systems- Why You Should Care!
Implementing IEC61511 on real Process Plants
2
Presenter
• Simon Lucchini is the Chief Controls Specialist for Fluor Canada at the Calgary, Alberta Office (an engineering, fabrication & construction company) and is also the Fluor Global Fellow for Safety Systems design. He has worked at Fluor for 15 years
• He was previously with ICI Australia/Orica for 23 years where he worked in operations, maintenance and engineering at hazardous explosives, chemical and petro-chemical facilities applying SIS. His last position was as Company Instrument and Controls Engineer.
• He is currently the Chair of the SIS committee under the ISA Safety & Cybersecurity Division.
Agenda Overview
• Far too many slides for 60 minutes – Questions are more important than answers
• What is a Safety Function? • ISA84.01, IEC 61508 & IEC 61511 Background • Key IEC 61511 Clause • Basic reliability & risk reduction factor • Various Discussion Points • ISA Safety & Cyber Security web page (10 minutes) • Questions (15 minutes)
3
Various Discussion Points
• Hazard Identification and PHA/HAZOP • Certifications and Approvals • Understand the Process & effect of spurious trips • Over reliance on multiple instrument layers
– Basic Control; Alarm/Interlock; Safety Function; High Integrity Pressure Protection System; Fire & Gas System?
• Over analyzing designs based on inadequate field data • Use of diagnostics & Partial Stroke Testing
– Low demand & sticking behaviours
• Proof Testing & Operations
4
Items for Further Thought (not really covered today)
• Proper scheduling of PHA/HAZOP and HAZID • Details of SIL allocation (e.g. LOPA) • How are functional and integrity requirements identified
for safety functions? • How to properly document functional requirements? • Where do reliability equations come from and are there
conditions that they are not valid? • Common cause, common mode failures
5
Items for Further Thought (not really covered today)
• What does operations and maintenance need to do? • Providing operations with a workable design that can be
maintained • How do we cater for the complexity of software
interactions in today’s programmable systems; failure as an emergent property?
• Systematic Capability & Hardware Fault Tolerance • Over-emphasis on complex reliability equations
6
What is a Safety Function? A Primer
• Logic Solver (PLC, DCS, SIS, Hardwired) • Instrument Rack Room & HVAC • Power Supply/Air Supply • Wiring & Cabling System • Field Instrument Installation • Process & Process Hazard Identification • HSSE Standards • Operation and Maintenance • Engineering & Design • Management & Regulatory Framework • Approved Vendors & Commercial
7
What is a Safety Function? A Primer
S
FEED 1
FEED 2
FFIC
S
IAS
IAS
PI H HH
FT 1
FT 2
TTPT A
PT B
IEFlare/Vent
Generic Chemical Reactor
IEC 61511 Allocation of safety functions to protection layers
9
High Alarm Level Operator Action
Process Operators
Trip Level
SIS controlled
Emergency Shutdown Action
Mechanical Shutdown Action
ESD Safety System
Boom!
F&G Safety System
High Level
process value
Low Level
Time
Process PLC/DCS
Protection Layers Graphic
What is a Safety Function? Systems Engineering
11
Physical PlantPhysical Environment
Safety Instrumented FunctionEngineering
Design
Control Room Operators Plant OperatorsMaintenance
Project Management
Maintenance Manager OperationHSSE (Plant
Process Safety)
Plant Manager
Project HSSE
Project HSSE Standards
Project Contract
Corporate HSSE Standards
Plant HSSE Standards
Corporate Management
Business Management
National Regulators
Local RegulatorsProject Director
Project Business Management
Plant Project Representatives
What is a Safety Function? Simon’s Complexity Function
12
Complexity = 2N
where N = number of interfaces
SIS International Standards History
• IEC61508 Generic standard applicable to any industrial electrical/electronic/programmable safety-related systems (first published in 1998) – drew from organizations such as ICI and HSE in the UK, DIN in
Germany and ISA in the USA (ANSI/ISA S84.01 1996) – basis for assessing the suitability of individual items of equipment
for application in a safety-related system – development of embedded software – Development of full variability program (e.g. C++, visual basic) – generic for any industry – more for manufacturers – performance based rather than prescriptive
SIS International Standards
• IEC61511/ANSI/ISA 84.00.01 Functional safety of SIS for the process industry sector (first published in 2003) – group of international experts – substantial contributions from chemical/petrochemical process
plant operating companies such as BP, Shell, DuPont, BASF and British Nuclear Fuels Limited.
– sets criteria for the selection of equipment to be used in the system.
– development of limited variability application software – specific to the process industry – more for systems integrators & end-users
• Part 2 Guidelines for Part 1 • Part 3 SIL Allocation Guidelines (including LOPA) • ISA TR84.00.XX SIS Implementation Guidelines
14
IEC 61511 Safety Life Cycle
15
IEC 61511Key Clause
16
Clause 10.2 provides an excellent description of the general requirements for producing a SRS (safety requirements specification). “The safety requirements shall be derived from the allocation of SIF and from those requirements identified during H&RA. The SIS requirements shall be expressed and structured in such a way that they are •clear, precise, verifiable, maintainable and feasible; •written to aid comprehension and interpretation by those who will utilise the information at any phase of the safety life-cycle.” Important for verification and validation of safety functions
Hazard Identification & PHA no story is complete without a comment
• PHA Identifies Hazards and their mitigation/control • Most critical part of the Safety Life Cycle • PHA
– theoretical “paper” exercise – relatively easy to apply – relatively easy to get wrong – no immediate impact to the SIF design – HSE department does not have to implement the design – Process & HSE are the main drivers (SIS only one part) – Getting earlier in project life cycle – SIF designers may not be present – SIL verification engineers may not be appointed yet – SIL verification procedure most likely not started
17
Hazard Identification & PHA the result
• Over emphasis on instrumentation for safety – Basic Process Control – Alarms & Interlocks – SIF – HIPPS – Fire & Gas System?
• Field instrumentation is the “same” for all Protection Layers!
• Industry anecdotal information – 50% SIF over designed; spurious trips? – 5% SIF under designed; safety performance plateau?
• Please, no SIL 3
18
Hazard Identification & PHA try something different
• Basic training QRA & PHA all participants before PHA • Prepare SIL verification procedure before the
PHA/LOPA; alignment with Business, Operations and Maintenance – plant turnaround schedule – plant availability targets (spurious trips) – proof test intervals & PST philosophy – testing by Operations – preventative maintenance schedule – repair philosophy – approved equipment list; reliability data
• Prepare SIL 1, 2 & 3 typicals/templates for PHA/LOPA – reality check done at the source of the problem – do not succumb to snowball effect
19
PHA Action Item Example proper definition • Consider flow transmitter failure • Consider if failure rate of flow transmitter places
unacceptable demand on safeguards. If unacceptable evaluate alternate technologies and present cost benefit study to be evaluated at a ALARP review with operations
Get the best from PHA/HAZOP/HAZID
1. Application of HAZOP and What-If Safety Reviews to the Petroleum, Petrochemical and Chemical Industries, Dennis P. Nolan (ISBN 0-8155-1353-4)
2. Guidelines for Hazard Evaluation Procedures, Center for Chemical Process Safety (third edition ISBN 978-0-471-97815-2)
3. Loss Prevention in the Process Industries, Prof Frank P. Lees (second edition ISBN 0-7506-1547-8)
4. Layer of Protection Analysis: simplified process risk assessment, Center for Chemical Process Safety (ISBN 978-0-8169-0811-0)
5. Various books by Trevor Kletz
21
Hazard Mitigation & Reliability Equations
• Hazard Frequency (mitigated) = Hazard Frequency (unmitigated) / RRF
• Hazard Frequency (mitigated) = Hazard Frequency (unmitigated) * PFDavg
• RRF (target) = Hazard Frequency (unmitigated) / Hazard Frequency (tolerable)
• Hazard Frequency = Hazard Rate
22
Basic IEC 61511 Safety Function Integrity Requirements
• Safety Integrity Level (SIL) components i. Reliability or likelihood that it can fail (term = PFDavg) ii. Hardware fault tolerance; redundancy iii. Systematic Capability (QA/QC).
• Higher the risk requires higher SIL (123) – Higher reliability – Increased redundancy – Improved “quality assurance against systematic failures”
• Systematic Capability definition – “….which applies to an element with respect to its confidence
that the systematic safety integrity meets the requirements of the specified safety integrity level”
23
Hazard Mitigation & Reliability Example
• PFDavg (availability) – Proportional to failure rate X proof test interval
24
Unprotected Hazard Rate (1/yrs)
Target Hazard Rate (1/yrs)
RRF SIL
1 in 10 1 in 100 10 1
1 in 10 1 in 1000 100 2
Control System Reliability
• Hazard Rate = Control System Failure Rate * Safety Function PFDavg
• Control System (DCS, PLC) equally important as SIS to plant safety
• Safety relies on having both not just one or the other; backup
• Systematic failures are more important but more difficult to analyze – 3rd Party Qualification to IEC 61508 – Prior use (i.e. experience in similar applications)
25
Graphical Derivation of Reliability (PFDavg)
Reliability Equation (simplified & no redundancy)
• Based on low demand (i.e. does not have to act very frequently)
• Tested more frequently than demand rate • Constant failure rate systems • PFDavg = ½* λ * T
– T = proof test interval & λ = failure rate of the device
27
Certifications & Approvals
• SIS Logic Solver Certification TUV/DIN standards – significant history prior to IEC 61508 and ANSI/ISA 84 – well established s/w & h/w testing & validation processes to DIN
V 19250 & DIN V 801 (now withdrawn) – very defined/controlled boundary of installation & operation – less complex & more defined functions than for process control – controlled testing – widely accepted industry certification
• IEC 61508 gives the requirements but not details: – manufacturing quality system – safety life cycle – h/w design & tests – s/w design & tests – competency of personnel
28
Certification of field SIF components
• Not a long history of certification prior to IEC/ISA standards
• Not a well defined boundary for installation & operation – temperature extremes – vibration – process fluids; corrosion, fouling, – access for maintenance – documentation
• Reliability Data Relevance – accelerated wear out testing; low demand versus high demand – proven-in-use data for different plants; different environments – vendor return data; incomplete – FMEDA; calibrated against different applications
29
Certification of field SIF components
• SIL Certificate does not appear in IEC 61508 nor IEC 61511
• Safety Manual (i.e. product safety manual) is mentioned 49 instances in IEC 61508 & >100 times in IEC 61511
• Details performance requirements for equipment used in safety functions
• Does not give details on how to validate reliability data for equipment used in safety functions
30
SIS International Standards
• Widely accepted and utilized international standards – Mandatory in UK, Europe – Not mandatory in North America unless there is an incident – OSHA “Reasonable Care Standard”
• Guidance on the Safety Life Cycle – establishing Safety Plan – acceptable designs – maintenance requirements – and much more
• Comprehensive SIS literature & training • There should be no issues with designing & maintaining
Safety Instrumented Systems? • However…….
31
Bridging the Gap between Design & Operations
• Operations do not want that SIS design – Partial Stroke Testing – Tripping on diagnostics
• Maintenance does not want that SIS design – Proof Test Methods – Repair Methods – Non standard instrumentation – Documentation of Basis of Design – SIL 3 Safety Functions
• Business Managers do not want that SIS design – Spurious Trips – Speak a strange language (pedantic even for instrumentation
folk) – Is it a SIS or a SIF?
32
Improving Performance
• Confirm with Process & Operations that the design correctly addresses the hazard
• Review diagnostics and proof testing methodology with maintenance and operations before finalizing the SIL verification calculation,
• Use proven in use equipment wherever possible, • Validate how maintenance is actually done, • Validate how the plant is actually operated, • Consider plant operating modes and operating
procedures that have a bearing on proof testing, • Make reliability visible to operations (e.g. valve
performance)
33
Improving Performance
• Question unrealistic risk mitigation for SIF, – Avoid SIL 3 at all costs (are they realistic?)
• Consider what facilities are required for proof testing, • Determine how the instrumentation will be repaired,
– trip valve replacement
• Consider designing proof tests for Operations rather than Maintenance groups,
• Give adequate consideration to the design of Operational and Maintenance Overrides,
• Consider the effect of spurious trips on the reliability and safety of the Plant.
34
Plant Transitions Startup & Shutdown
• IEC61511 requires the “identification of the dangerous combinations of output states of the SIS that need to be avoided”
• IEC 61511 requires that “Where reasonably practicable, processes should be designed to be inherently safe.”
• PHA/HAZOP is a blunt instrument that looks at deviations for one variable at a time – does not easily identify transition states – not very good at hazards caused by combinations of states – Markov?
• Reducing spurious trips is crucial for a safe design; increased risks during plant transitions
35
Terminology
• FMEDA = Failure Modes & Effects Diagnostic Analysis • HAZOP = HAZard and OPerability analysis, a type of PHA • HAZID = Hazard Identification • Lambda (λ) = Failure Rate per unit of time • LOPA = Layers of Protection Analysis • MTBF = Mean Time between Failures • MTTF = Mean Time to Failure (MTBF=MTTF + MTTR) • MTTR = Mean Time to Repair • PFDavg = Probability of Failure Dangerous (on average) • PHA = Process Hazard Analysis • QRA = Quantitative Risk Analysis • PST = Partial Stroke Test(ing) • RRF = Risk Reduction Factor (inverse of PFDavg) • SIF = Safety Instrumented Function • SIL = Safety Integrity Level • SIS = Safety Instrumented System • SRS = Safety Requirements Specification • Startup = Potential Hazard & Hopefully Making Money • T = Proof Testing Interval • Trip/Shutdown = Potential Hazard & Loss of Money • Turnaround = When Plant is shutdown for extensive/statutory maintenance
Refinery Plant Transitions Startup & Shutdown Considerations
• Size of the Facility – Parallel Units – Utilities (Steam, Power, Air, Flares & Vents)
• Complexity & Integration of the Facility – Multi Step Separation and Reforming – Reprocessing to obtain quality specification – Multi Stream Production – Environmental Controls
• Extensive Energy Recovery Systems • Tight Energy Conservation pushes processing limits • Recycle Flows
• Startup & Shutdown • Long time to stabilize controls • Many “timely” operator actions
37
Complex Processes Refinery
38
Nice Day for a Proof Test
39
Identification of Unsafe combinations how many are there?!
• How many trip valves in a typical refinery sub-unit S/D – 5, 10, 20?
• Combinations = 2N
– 32; 1024; 1,048,576
• Are these the only combinations need to be considered, – DCS outputs (increase demand on Safety Functions) – manually operated valves – other operator actions?
• Other considerations – hot versus cold restarts – inventory and surge capacities – manual line ups
• More emphasis on spurious trip rates 40
Chemical Processes
• Size of the Facility – Can still be large scale
• Complexity & Integration of the Facility – Usually less complex process – Little or no Reprocessing – One or small number of Streams – Environmental Controls
• Extensive Energy Recovery Systems • Energy conservation is more straight forward
• Startup & Shutdown • Stabilizing Reaction is faster/easier • Hot startup versus cold startup less complex • PST perhaps easier to sell
41
Chemical Processes Explosives Ammonium Nitrate
42
Chemical Process Ethylene Di-Chloride intermediate for vinyl chloride
43
Plant Transitions Basic Message
• Avoid Spurious Trips – Understand complexity of the Process: – Startup interactions – Dangerous trip interactions and states – Hot startup versus cold startup – Purge cycles – Dumping to effluent streams – Product re-processing
• SIF designers work with Operations • Consider PHA Effectiveness (from before)
44
Partial Stroke Testing scared of big valves?
45
Partial Stroke Testing scared of big valves?
46
Partial Stroke Testing he is not scared of big valves!
47
Partial Stroke Testing he knows it’s the smaller guys you worry about!
48
Partial Stroke Testing Example:
• The good: – Devised SIS programming for carrying out PST – Arrange for checking stroke times of trip valves for FAT – PST point of 80% open or measured time delay – Devise test procedure and sign-off at acceptance test with client – Repeated checks & acceptance tests at Site
• The bad: – Valve smaller than 4 inch were too fast even with relatively fast
SIS
• The ugly – Operators did not allow PST to be commissioned – What was assumed for PFDavg calculation?
49
Partial Stroke Testing Example: Background
• Difficult to undertake complete proof testing on trip valves outside Plant Turnarounds – Tests need to be done online – Easier for measurements; duplicate measurements – Hard for final elements
• PST is one way to achieve PFDavg target • Plug/Seat Considerations
– 30% to 70% test coverage? – Leakage requirements (e.g. heat off , backflow) – Clean, fouling, erosive or corrosive service – High pressure drop, severe service, vibration – Speed of response requirements
50
Partial Stroke Testing: qualitative review PST effect on PFDavg
• Potential faults that can be found by a full test – Tested less frequently
• Potential faults that can be found by a partial test – Tested more frequently
• Overall improvement in reliability or PFDavg by PST when plant turnaround periods increase
• However, must ensure that Operations accept the methodology
51
Partial Stroke Testing: review simplified equations for PST effect on PFDavg
• PFDavg = Cm*λd*t/2 +(1-Cm)*λd*T/2 – (Cm/n + (1-Cm) )*λd*T/2 – Cm test coverage factor (e.g.70%) – T proof test interval – t the PST test interval – n the ratio of proof test to PST interval – assume 100% coverage at proof test interval – assume RRF 100 with no PST
• Improvement in RRF = 1/((Cm/n + (1-Cm)) • Cm = 30% to 70% and N = 5 to 10
– RRF improvement 130 to 270
• Benefits? • Risks?
52
Partial Stroke Testing traditional straightforward design
53
Partial Stroke Testing
• Traditional: momentarily de-energize the solenoid • Today there are more options
– special SIS I/O cards are available with some systems – latest digital positioners provide more options with controlled
operation – continuous positioning versus on/off control
• Solenoids and/or positioner for control of on/off valves • Get involved with
– ISA TR84 SIS Guidelines – ISA TR96.05.01 PST Guidelines
54
SIL Verification:
• What is the purpose of SIL verification calculation? – Manipulate the variables/options to get the required answer – Calculate what the SIF actually is and not “tweak” the factors to
get the result that LOPA prescribed – There are traps when using sophisticated SIL verification
software for the unwary
• Where does the reliability data come from – Does the instrument need to work or is the SIL certificate the
ultimate selection criteria – some oil & gas majors uses only standard instrumentation for
their Proven-In-Use database and not “special” SIS instruments – others do use only “special” SIS instruments
• There is more than one answer!
55
SIL Verification: the assumptions for the SRS
• Basis for maintenance; document how verification was done – Instrumentation Model Listing – Reliability Data – Process Connection Details – Use of PST – Proof test coverage – Common Mode failure – Tripping on diagnostics & Coverage factor – Plant Turnaround periods – Proof Test Methods
56
SIL Verification: Example: Process Fluid and Connections
57
Process Fluid
Process Connection
Clean Remote Seal Impulse Plugging
Low Med High
Steam (outside) X
Steam (inside) X
BFW Condensate (outside) X
BFW Condensate (inside) X
Intrument Air, Utility Air, N2, O2 , PSA Hydrogen X
Naphtha, Diluent, C5+ Product, Butane X
Lub Oil (outside) X
Lub Oil (inside) X
Gas Oil , LVGO, HVGO, Crude Unit, Depropanizer X
Atmospheric Bottoms, Vacuum Bottoms, DAO X
Soot Slurry X
Asphaltene X
Fuel Gas, Tail Gas, Syngas, Process Gas, X
Reliability/Failure Rate Data another topic • SIL certificates versus Product Safety Manual • SIL certified versus SIL capable • Performance standards versus detailed requirements • Sources of reliability data for SIL verification
– Proven in use – Stress testing – FMEDA (failure modes & effects diagnostics analysis)
Proven In Use Data
• Where can it be obtained? • Vendor returns and service history
– does it met IEC 61511 criteria? – how does the vendor know? – there are SIL certificates issued this way by well known certifying
bodies!
• Industry sector data – OREDA (Offshore REliability DAta); how applicable to onshore? – generic databases; very conservative
• End user records & analysis – difficult to set up
Reliability/Failure Rate Data
• System for collecting Proven-in-Use reliability data – Failure data categorized by process application (e.g. DP level on
gasoline) from DCS & SIS – Make & Model not as relevant – Difficult for smaller companies to get statistically valid data
• Why use instrumentation already in place to the facility – Documentation – Vendor backup – Training – Track record; known to work – Larger statistical base
• When is reliability data valid (useful life)
60
Equipment Useful Life When is reliability data valid (useful life)
Infant MortalityDecreasing Failure Rate
Normal Life (Useful Life)Low “Constant” Failure
rate
Wear-OutPhase
Useful Life Phase
Burn-in Phase
Incr
ease
d Fa
ilure
rate
Operating Life (t)
Ie. 10,000 cycles
The Bathtub CurveFailure Rate versus Time
ClassicalBathtub
Failure Rates, Plant Turnaround, Proof Test Interval & Useful Life
• PFDavg = λd*T/2 • λd valid for only the useful life period (life time) • Plant turnaround periods increasing • Low Demand Mode • Final elements “seizing/sticking” • PFDavg = Cm*λd*T/2 +(1-Cm)*λd*LT/2
– Cm is proof test coverage factor (e.g.70%) – LT is device life time – Are devices being replaced after LT? – How are devices being maintained – Proof test does not equal maintenance
Stress Testing Does it work?
• A batch of solenoids are operated for many thousands of cycles over a period of several weeks under varying environmental conditions. The failure rate data is then normalised to the anticipated usage of the device
• Reliability data derived by this methodology rarely applies to the process industry
• Review in context of reliability bath-tub curve
Equipment Useful Life: Low Demand Applications
Infant MortalityDecreasing Failure Rate
Normal Life (Useful Life)Low “Constant” Failure
rate
Wear-OutPhase
Useful Life Phase
Burn-in Phase
Incr
ease
d Fa
ilure
rate
Operating Life (t)
Ie. 10,000 cycles
The Bathtub CurveFailure Rate versus Time
ClassicalBathtub
Apparent useful life
Apparent End of Life
Failures
FEMA, FEMDA & FMECA
• Important analysis tool for determining failure rate data • Systematic process for identifying faults and errors in a
device • Detailed list of all components • Component failure modes, effect on other components
and the severity of the failure • Diagnostic coverage factor, criticality and failure type
(e.g. dangerous, spurious). • Team reviews the modes of operation & identify failure
mechanisms
Design out the Problem; SIL Verification is not Enough
• FMEDA process distilled into one variable – Each failure mode has differing mechanisms – Each failure mode has differing “durations”
• Calibration of critical “sticking” failure data? • Detailed failure modes confidential • Verification versus design by different parties • Identify the failure modes and remove the problem • Partial stroke testing can be an important tool
– Acceptance by operations? – Validating coverage factors?
Diagnostics: review simplified equations effect on PFDavg
• λd = λdu + λdd • λdd depends on diagnostic coverage (DC) • PFDavg = λdu*T/2 = (1-DC)*λd
– DC factor (e.g.70%) – T proof test interval – assume 100% coverage at proof test interval
• Improvement in RRF = 1/((Cm/n + (1-Cm)) • DC = 20% to 75%
– RRF improvement 25% to 300%
67
Diagnostics: who wants them?
• Improvement in PFDavg – Dangerous Detected versus Undetected – Comparison transmitters from DCS – Signal Fault diagnostics
• Automatic trip upon diagnostic detection • Manual intervention upon diagnostic detection
– Assumed repair times
• Dangerous Times – Shutdown – Startup – Upset conditions
68
Proof Test Intervals discuss with Operations, Maintenance & Business
• What is the plant turnaround schedule • Who will devise the proof tests methods • Can some proof tests be automated (e.g. recording valve
opening/closing performance) • Who does the proof testing • Is partial stroke testing acceptable • How will faulty final devices be replaced (s/d the plant?) • Is the design testable • Do the actual proof test methods ensure the assumed
coverage factors in the SIL verification calculation are valid 69
Proof Testing
• Checks by Operations – 24/7 – Logs, inspections and walk downs – Automatic valve closure & opening times – Revision control of SIS s/w – Example of pumping methanol in column sumps – Comparison checks & logs of measurements – Testing of duplicate offline trip valves
• Maintenance are typically fire fighters – Regular checks are lower priority to keeping plant online – Typical design of SIF does not take into account proof testing – Asset Management System; who has completely implemented?
70
Do we have all the answers? probably not, but!
• SRS is a very important document (IEC 61511 Sec10.3) • Standards have good performance requirements
– read/understand them
• Standards do not have the all the design details – learn about process and instrumentation
• Do not hide behind complex reliability equations • Let’s do more to get realistic reliability data • Get the right people in at HazID & PHA
– Realistic expectation for what can be done with instrumentation layers
– It is too easy to pass on the problem to the instrumented protection layers
• Please, no SIL 3 71
References
• Safety Instrumented Systems: Design, Analysis & Justification, Paul Gruhn & Harry Cheddie (ISBN 1-55617-956-1)…..ISA Publication
• Control Systems Safety Evaluation & Reliability, William M. Goble (ISBN 1-55617-966-0)…..ISA Publication
• Evaluating Control Systems Reliability, William M. Goble (ISBN 1-55617-128-5)…..ISA Publication (Markov)
• OREDA Offshore & Onshore Reliability Data 6th Edition Vol 1 Topside Equipment (ISBN 978-82-14-05948-9)
72
The SIS Engineers are back; are they going to disrupt my operations again?
73
Comments?
ISA Safety & Cyber Security Webpage
• Visit, contact and raise questions • Submit ideas for articles • Contribute articles
74