功能安全的介紹-IntroToFunctionalSafety

Part01

IntrotofunctionalsafetyHeidiFuglumCertifiedFunctionalSafetyEngineer1dayintrotraininginFunctionalsafetyWhatisafunctionalsafephone?Ifitfailsittellsyou,soyoucantakecorrectiveactions.InthismoduleAccidentsinthenewsHistoryoffunctionalsafetyWhatisfunctionalsafetySafetyInstrumentedSystem(SIS)SISengineeringrequirementIEC61508andIEC61511IntroductiontoFunctionalSafetyDisastersthatmustnotberepeated!Safety–thehottopicRiskinourworldToreduceRiskandtoprotectPeople,EnvironmentandBusiness!RISK:-Acombinationoftheprobabilityofoccurrenceofharmandtheseverityofthatharm.ExxonValdezaccidentinMarch1988LiquidgastankinMexicoCityexplodes;334die-1984Whydowehavesafetystandards?IncidentsleadingtotheDevelopmentofSafetyStandardsSeveso,NorthernItaly–July1976TCDD(dioxin)release35,000+exposed,environmentalimpactResultedinSevesoDirective(EC)onlegalpolicyofinformingcitizensofnatureandintentofindustrialhazardsUCC,Bhopal,India–December19843,000Deaths,100,000InjuredResultedinOSHA1910(S84.01)Pemex,MexicoCity,Mexico–November1984500Deaths,7000+injured,terminaldestroyedOccidental,PiperAlpha–July6,1988167Deaths,platformdestroyedCreationofHSE(Offshore)&QualitativeRiskAnalysis(QRA)HistoryoftheStandardsandEvolutionUSAInternationalGermanyUK1995IECSC65IEC61508ISO10418DINVDE0801DINVDE19250HSEPESOHSACFR1910.119ISAdS84.01APIRP14C1995Draft1995Draft19931991198919871974ANSI/ISAS84.0119992005IEC615112003199619921974,Flixborough1976,Seveso1984,Bhopal1986,Chernoble1988,PiperAlpha1989,PasadenaPRESCRIPTIVESTANDARDSPERFORMANCESTANDARDSANSI/ISAS84.00.01(IEC61511Mod)2004Issafetyexpensive?Whyshouldweinvestinsafety?Doyouthinksafetyisexpensive,tryanaccidentWehavehadterribleaccidentsinthepastWelearnedbutstillaccidentswithseriousimpactarehappeningTrainingisonewaytohelppeoplebecomemoreawareandknowledgeableaboutsafetyWhatissafety?SafetyisdefinedasFreedomfromunacceptableriskWhatisfunctionalsafety?Functionalsafety(IEC61508,part4)PartoftheoverallsafetyrelatingtotheEUCandtheEUCcontrolsystemwhichdependsonthecorrectfunctioningoftheE/E/PEsafety-relatedsystems,othertechnologysafety-relatedsystemsandexternalriskreductionfacilitiesASafetysystemisfunctionallysafeifRandom,systematicandcommoncausefailuredonotleadtomalfunctioningofthesafetysystemanddonotresultinInjuryordeathofhumansSpillstotheenvironmentLossofequipmentorproductionProtectionisimplementedinmultipleLayersRiskReductionusingLOPABPCSvs.SISBothcomposedofsensors,controllersandfinalelementControlloop–maintainaprocessvariablewithinprescribedlimitsSISmonitorsaprocessvariableandtakeactionwhenrequiredDifferencesindynamicsBPCS-Signalsmovesoften,failurecanbedetectedbyplantpersonnelSIS–Signalsmaybemotionlessforyears(normallystatic),failuresdifficulttodetectSafetyInstrumentedSystem-SISLevelSwitchLogicSolverSolenoidPumpSafetyInstrumentedSystemwithmultipleSIF’sSolenoidSIF1SIF2SIF3SIF4ASafetyInstrumentedSystem(SIS)isacollectionofsensors,logicsolversandactuatorsthatexecuteoneormoreSafetyInstrumentedFunctions(SIFs)thatareimplementedforacommonpurpose.SafetyInstrumentedSystem-SISPurposeofSafetyInstrumentedSystem

ReducetheriskthataprocessmaybecomehazardoustoatolerablelevelTheSISdoesthisbydecreasingthefrequencyofunwantedaccidentsSISsenseshazardousconditionsandthentakesaction

tomovetheprocesstoasafestate,preventinganunwantedaccidentfromoccurring.TheamountofriskreductionthatanSIScanprovide

isrepresentedbyitsSafetyIntegrityLevel(SIL)whichisdefinedasarangeofProbabilityofFailureonDemand(PFD)SISEngineeringRequirementDesigntofail-safeDesigndiagnosticstoautomaticallydetectfail-dangerDesignmanualtestprocedurestodetectfail-dangerDesigntomeetinternationalandlocalstandardsAlsoSatisfythefunctionalrequirementSatisfyperformancerequirementSafetyIntegrityLevels-SILWhatisSIL?ItisaqualitativemeasureofsafetyItisaquantitativereliabilitymetricThereare4SafetyIntegrityLevels,1,23and4ProcessIndustryuseonly1,2and3WhatisnotSIL?OnlyaprobabilitycalculationsSafetyIntegrityLevelSIL4SIL3SIL2SIL1Probabilityoffailureondemand(LowDemandmodeofoperation)RiskReductionFactor>=10-5to<10-4>=10-4to<10-3>=10-3to<10-2>=10-2to<10-1>=

0.01to<0.1100000to1000010000to10001000to100100to10SILSafetyIntegrityLevelsF&G,PSDESDTrain,NuclearSafetyIntegrityLevel:AmeasurementoftheoverallperformanceofaSafetySystemexpressedin“ProbabilityofFailureonDemand”andSafeFailureFractionandHardwarefaultToleranceSafetyIntegrityLevels-SILThreeimportantSILpropertiesAppliestothecompletesafetyfunction/loopHigherSILmeansstricterrequirementsTherearetechnicalandnon-technicalrequirementsTechnicalrequirementsPDFcalculationsSafeFailureFractionArchitectureNon-technicalOperationmodeTestingSafetySystemsStatesAsafetysystemcanbein4differentstatesOKNointernalfailuresSafeThesafetysystemfailsinawaythatthesafetyfunctioniscarriedoutwithoutademandDangerousThesafetysystemfailsinawaythatthesafetyfunctioncannotbecarriedoutincaseofademandIntermediateSafetyfunctioncanstillbecarriedoutdespiteonormoreinternalsafetysystemfailuresSafetySystemvsprocessSafetySystemProcessEquipmentundercontrolOKstateProcessisavailableSafestateProcesshastrippedDangerousstateProcessisavailablebutnotprotectedIntermediatestateProcessisavailablebutitisabouttimetorepairthesafetysystemSafetySystemsFailuresSafetysystemcanfailbecauseofRandomhardwarefailureCommonCauseFailureSystematicFailureAnyofthesefailuresputsthesafetysystemintoaspecificsafetysystemstateSafeDangerousIntermediateRandomHardwareFailureDefinitionAspontaneousfailureofhardwarecomponentsatanygiventimePermanent–existuntilrepairedDynamic–existonlyundercertaincircumstancesIEC61508approachMeasuretocontrolfailureHardwarequalitativeandquantitative(pdf)reliabilitystudyDefinitionFailurewhichresultfromeventscausingsimultaneousorcoincidentfailuresoftwoormoreseparatechannelsinamultiplechannelsystemleadingtosafetyfailuresTheeventmustberelatedtoenvironment(heat,EMC,flooding)IECapproachDiversityasameasuretocontrolfailuresTakeintoaccountduringreliability(PFD)analysisCommonCauseHardwareFailuresSystematicFailuresDefinitionAhiddenfaultindesignorimplementation,canexistinSoftwareandhardwareDesignspecificationUsermanualProceduresCanoccurinanylifecyclephaseIEC61508approachMeasurestoavoidfailuresNOT:Notincludedinthereliability(PDF)analysisWhatisfunctionalsafety?Functionalsafety(IEC61508,part4)PartoftheoverallsafetyrelatingtotheEUCandtheEUCcontrolsystemwhichdependsonthecorrectfunctioningoftheE/E/PEsafety-relatedsystems,othertechnologysafety-relatedsystemsandexternalriskreductionfacilitiesASafetysystemisfunctionallysafeifRandom,systematicandcommoncausefailuredonotleadtomalfunctioningofthesafetysystemanddonotresultinInjuryordeathofhumansSpillstotheenvironmentLossofequipmentorproductionForsafetyinstrumentedsystemstherearetwoimportantstandardswhenitcomestofunctionalsafetyIEC61508–FunctionalsafetyofElectrical/Electronic/programmableelectronicsafety-relatedsystemsIEC61511–ANSI/ISA84.00.01Functionalsafety:safetyinstrumentedsystemfortheprocessindustrysectorFunctionalSafetyStandardsIEC61508Functionalsafetyofelectrical/electronic/programmableelectronicsafety-relatedsystems.Part0:FunctionalsafetyandIEC61508(IECTR61508-0)Part1:GeneralrequirementsPart2:Requirementsforelectrical/electronic/programmableelectronicsafetyrelatedsystemsPart3:SoftwarerequirementsPart4:DefinitionsandabbreviationsPart5:ExamplesofmethodsforthedeterminationofsafetyintegritylevelsPart6:GuidelinesontheapplicationofIEC61508-2andIEC61508-3Part7:OverviewoftechniquesandmeasuresNORMATIVESafetyLifecycle

11ExternalRiskReductionFacilitiesRealization1Concept2OverallScopeDefinition3Hazard&RiskAnalysis4OverallSafetyRequirements5SafetyRequirementsAllocation15OverallModification&Retrofit16Decommissioning12OverallInstallation&Commissioning13OverallSafetyValidation14OverallOperation&Maintenance9Safety-relatedsystems:E/E/PESRealization10Safety-relatedsystems:OtherTechnologyRealizationOverallInstallation&CommissioningPlanning678OverallOperation&MaintenancePlanningOverallValidationPlanningOverallPlanningBacktoappropriateOverallSafetyLifecyclephaseSILDeterminationHazardIdentificationSILImplementationOverallOperation&MaintenancePlanningOverallOperation&Maintenance

OverallModification&RetrofitAriskbasedapproachtodeterminethesafetyintegrityrequirementsAnoverallsafetylifecyclemodelasthetechnicalframeworkCoversallsafetylifecycleactivitiesfrominitialconcept,throughdecommissioningand/ordisposalEncompassessystemaspects(comprisingallthesubsystemscarryingoutthesafetyfunctions,includinghardwareandsoftware)andfailuremechanisms(randomhardwareandsystematic)Containsbothrequirementsforpreventingfailures(avoidingtheintroductionoffaults)andrequirementsforcontrollingfailures(ensuringsafetyevenwhenfaultsarepresent)Specifiesthetechniquesandmeasuresthatarenecessarytoachievetherequiredsafetyintegrity.What’sinit–IEC61508ThechallengesofassuringfunctionalsafetyIEC61508isacomplexstandardbecauseofthenatureofthecomplextechnologieswithwhichitdealsandwhatitaimstoachieve.IEC61508isnotahighlyprescriptivestandardandrequiresahighdegreeofcompetencetoassesswhethercompliancehasbeenachieved.Standards&SectorPenetrationIEC61508IEC62061:MachinerySectorMedicalSectorIEC61513:NuclearSectorIEC61511:ProcessSectorIEC61800(draft):AdjustableSpeedElectricPowerDriveSystemsApplicationareasIEC61508IEC61508appliesToanyelectrical/electronic/programmableelectronic(E/E/PE)safetyrelatedsystemEspeciallywherenofunctionalsafetystandardexistsAnywhereintheworldwhereitisacceptedQualifyingOpportunities–ByIndustryOil&Gas/RefiningEmergencyshutdowns(ESD)Processshutdownsystems(PSD)Fire&Gasmonitoring(F&G)HighIntegrityPressureProtection

System(HIPPS)Boiler/BurnerManagementChemical/PetrochemicalEmergencyshutdown(ESD)Processshutdownsystems(PSD)Boiler/BurnerManagementPulp&Paper,Metals&Mining,UtilityBoiler/BurnerManagementSource:ExidaMarketReport2005IEC61511TITLE-“FunctionalSafety–SafetyInstrumented

SystemsfortheProcessIndustrysector”ThisinternationalStandardgivesrequirementsforthespecification,design,installation,operationandmaintenanceofasafetyinstrumentedsystem,sothatitcanbeconfidentlyentrustedtoplaceand/ormaintaintheprocessinasafestate.ThisstandardhasbeendevelopedasaprocesssectorimplementationofIEC61508.IEC61511Defines61508applicationinProcessSectorDefinestheApplicationofSafetyInstrumentedSystemsfortheProcessIndustry

IEC61511-StandardLifeCycleIEC61511-StructureNormativeInformativeIEC61511-StructurePart1–“Framework,definitions,system,hardwareandsoftwarerequirementsPart2–“Guidelinesfortheapplicationof

IEC61511-1”.

Part3–“Guidanceforthedeterminationof

safetyintegritylevels”.IEC61511-Whodoesitapplyto?IEC61511:ProcessSectorEndUsersOperationofprocessDesignersProcessDesignHouses

SystemIntegratorsSafetySystemdesignersandintegratorsIEC61511–ApplicationareaIEC61511appliestoTosafetyinstrumentedsystemInstruments(E/E/PEornot)Logicsolver(E/E/PEornot)Actuators(E/E/PEornot)IEC61511andIEC61508PROCESSSECTORSAFETYINSTRUMENTE