View the recorded presentation here - Schneider · PDF fileView the recorded presentation here ... (comparison of increased Online project costs versus Turnaround production outage

“Highlights from the 2014 Triconex Technical Conference”

View the recorded presentation here

Eloise Roche, CFSE Global SIS Process Automation Leader

Farshad Hendi Safety Services Practice

Leader Americas & Europe

Chris Stogner Triconex Brand Director

Your host: Introducing today’s presenters:

Special Guest:

Mike Scott, PE, CFSE Executive Vice President,

Process Safety and Technology

http://iom.real-time-answers.com/process-safety_webinar_141106_on-demand.html

Highlights from the 2014 Triconex® Technical Conference

Triconex –The Cornerstone of Safety Past, Presentation and Future

3 Schneider Electric – Triconex 2014 Technical Conference - The Cornerstone of Safety; Past, Present and Future

Welcome to the Highlights of the 2014 Triconex Technical Conference Webinar My name is Farshad Hendi


Featured speakers:


Mike Scott, PE, CFSE Executive Vice President, Process

Safety and Technology



Agenda

2014 Triconex conference highlights

Safety standards updates

Introduction to Safety Instrumented System Management

Q&A

6 6

2014 Triconex conference highlights


7

Enhanced MP (3009) V11.0

Application • ESD, TMC, BMS, HIPPS and Fire & Gas

Features • Form / Fit / functional replacement for 3008 • Faster application cycle time execution • New Hi Performance Main Chassis 8120E • Support for UCM 4610

Benefits • Future Proof Triconex SIS investments • Superior performance for critical applications

8

Enhanced MP (3009) 3008 (Current) 3009 (New) Improvement

Main Processor MPC860 32 bit 50MHz

Dual core 32 Bit 800MHz

16x faster

Memory 6MB Flash 64Mbytes of Flash 10x bigger

16MB DRAM 256Mbytes of DRAM 16x bigger

32KB SRAM 2Mbytes of NVRAM 62xbigger

Application 3008 (Current) 3009 (New) Improvement

ESD 59ms 23mS 2.5x Faster

TMC 41mS 16mS 2.5x Faster

F&G 296mS 111mS 2.6x Faster

ESD 59mS 13mS 4.5x Faster

TMC 41mS 8mS 5.1x Faster

F&G 296mS 60ms 4.9x Faster

Faster and more powerful application performance

8120E New Main chassis

8110 Main chassis


Unified Control and Safety Application

• Unified integration of DCS engineering and operational environments.

Solution • Triconex configuration integrated with the Control system • Single data entry, common configuration environment • Fully integrated real time, SOE and alarm data • Triconex as a control station on the Control Network • Unified system management

Benefits • Lower Total Cost of Ownership • Reduced physical space • Faster installation & commissioning • Maintain Separation

UCM

Operate

Engineer

Maintain

10

Unified Control and Safety

Control Network

Dedicated Safety Peer to Peer

Safety Controllers Process Controllers

Operator Stations Engineering / Maintenance Stations Alarms / SOE Real Time Data Historian Engineering Galaxy

Repository

11

Maintain Independence

Safety Triconex

Communications Module (TCM)

Control Unified

Communication Module (UCM)

Control Network

Safety Network (Peer to Peer)

12

Integrated Engineering Experience

Information Pane

Engineering / Maintenance Workstation

Control Network

Tristation

Galaxy Repository

13

Integrated Operator Experience

System Monitor Pane

System Management

Information Pane

Engineering / Maintenance Workstation

Control Network

Station Information Pane

TCX001

Safety System Information Pane

Galaxy Repository

Safety View V1.1 Safety View Core functionality

• Replace rigid safety bypass and other hardwired panel functions with TÜV certified Computer based VDU approach

What's New with Version 1.1 • New flexible HMI designer for constructing safety related HMI elements • New HMI Functions: Alarm Process Values, Bypass Area, Multi-view

faceplates , Global Acknowledge, ESD capabilities • Status for Health / Alarm block for link health • Display additional alarm data • Native TSAA Protocol configuration

Benefits • IEC61508:2010TUV approved to SC3 • Flexible design • Minimize production downtime due to operator error • Easy for clients to standardize

Manage operational risk with confidence

15

Electronic Overspeed Trip System Application Components and Case Study


Trip System Components Basic Components:

• Mechanical Overspeed Bolt

• Manual Trip Valve • Trip Solenoid

Valve • Hydraulic Relay

Valve • Stop Valve • Stop Valve Pilot

Pros: • Simple

design -strictly mechanical

Cons: • Testing

challenges • Single

point of vulnerability


What is EOSP?

What: Electronic Overspeed Protection (EOSP) is a reliable digital means of protecting the turbine from an overspeed event.

How: It is generally implemented as an alternative to the mechanical bolt.


Benefits of EOSP

Accuracy (repeatability)

Reliability through redundancy

Fault tolerance through redundancy

Testing without overspeeding the turbine

19

Trip System Upgrade Options

20

Conversion to EOSP

Basic retrofit includes: - Mechanical

- Multiple speed probes - Fault tolerant and reliable

trip block assembly

- Monitoring - Independent processing of

speed probes with interface to trip block assembly


Tooth Wheel and Probes


Existing Protective System


QV Retrofit

Before After

24

Migrating Legacy Shutdown Systems


Legacy S/D System Types

- Not SIS’s

- None at all or all in one system.

- Pneumatic Transmitters & Devices.

- Electrical Relays & Devices.

- Non-certified PLC’s.

- Obsolete SIS’s (Moore Quadlog, August Systems, GE 90/70 GMR).

- Lifecycle Upgrades (Honeywell FSC, Tricon MSW).


Why Migrate?

- Standards/Regulatory/Insurance Requirements. (especially true for Process Heaters/Boilers)

- Realization that current shutdown system does not meet required SIL.

- Obsolescence/Maintainability.

- Capacity/Expansion Issues.

- Improved Functionality.

- Improved Service Life.


Why haven’t Plants Migrated?

- Shutdown systems have been more reliable than other control systems.

- Shutdown systems are in the background unlike DCS/PLC which are actively controlling.

- Grandfather Clauses (ISA 84, CSA B149.3)

- Some S/D systems are easy to fix and support.


Types of Migrations

- Online:

Unit running and hot cut-over.

- Turnaround:

Unit shutdown and offline migration.

- Combination:

Turnaround portions may be required to facilitate an Online cut-over.


How do you Choose?

- Turnaround Windows/Process Availability.

- Project/Construction Resource Availability.

- Risk to the plant, impact of a nuisance trip.

- Cost (comparison of increased Online project costs versus Turnaround production outage costs)

- Fundamentally: Is it possible to do Online?


Turnaround Migration – Advantages

- Can’t trip the plant!

- All work can be completed.

- Can prove final elements.

- Can prove start-up sequence logic.


Turnaround Migration – Disadvantages

- Potentially many start-up issues all at once.

- Inability to go back.

- Operations start up on a new system during a critical period.

- Incorrect design - new IPF’s, setpoints, start-up bypasses (lack of) may impair start-up.

- Risk to Turnaround schedule.


Online Migration – Advantages

- Solves the Turnaround disadvantages.

(Deal with problems one at a time, Operations has time to adjust to new system, can revert back)

- Ability to truly as-build the existing system, expose undocumented functionality.

- Can validate the SIS process reading immediately.

- Not a schedule driven activity.


Online Migration – Disadvantages

- Lacks Turnaround advantages (F.E./Sequence testing, completes all work)

- Hybrid system. Potential inability of Ops to restart without project team.

- Plant overrides/impairments required.

- Risk of nuisance trips.

- May still required Turnaround work.

34 34

IEC 61508 and IEC 61511 Update

Mike Scott, PE, CFSE Executive Vice President,

Process Safety and Technology


Mike Scott, PE, CFSE

> Exec VP, Global Process Safety Technology with aeSolutions > BS Degree in Mechanical Engineering > Masters of Engineering > Registered Professional Engineer in SC,GA,IL and AK > Author of numerous technical papers related to process safety > Member of ISA and AIChE > ISA Course Developer / Instructor > ISA SP84 Voting Committee Member > ISA Safety Division FGS chair > Past ISA Safety Division BMS Subcommittee chair > IEC 61511 committee member


Update Status IEC61508 – Functional Safety of electrical/electronic/

programmable electronic safety-related systems > Revised and released in 2010.


IEC61511 – Safety instrumented systems for the process industry sector: 2003 In Maintenance Cycle

Part 1:Framework, definitions, system, hardware and software requirements Due to be released in 2015

Part 2:Guidelines for the application of IEC61511-1 Due to release in 2015

Part 3: Guidance for the determination of the required safety integrity levels Due to release in 2015

Update Status


Overview

The majority of the changes are improvements to the existing standard. The areas of concern for existing systems:

New requirements for Security Risk Analysis could result in modifications to existing systems.

Bypassing: Operating procedures need to include compensating measures defined, documented, and in-place.


IEC61511 Changes Clause 5

> Competency Procedure for SIS Lifecycle

> Functional Safety Assessment (FSA) - FSA required periodically during Operations and Maintenance Phase

- FSA required as part of MOC

- FSA performed by independent person (Project, Operations, and Maintenance)

> Functional Safety Audit - Conducted by Independent person

Clause 6 – Safety life-cycle requirements

> Applications Software Lifecycle requirements


IEC61511 Changes

Clause 8 – Hazard and Risk Assessment

> Security Risk Assessment

Clause 9 – Allocation of safety functions to protection layers

> Instrumented Risk Reduction >10,000 requires additional analysis for Common Cause and independence from other instrumented layers.

> BPCS Layer - Single Function limited to RRF < 10

- No more than two function in the BPCS Layer for same hazardous event unless initiating event in BPCS, then only one function.

Clause 10 – Safety Requirements Specification

> Applications program safety requirements (New)


IEC61511 Changes

Clause 11 – SIS design and engineering

> Safety Manual for all devices

> Design resilient to identified Security risks

> Hardware Fault tolerance based on IEC61508 Route 2H

> Systematic Capability Requirements for certified devices

> Quantification of random hardware failure - Proof Test Effectiveness

- Credibility of data used

- Data Uncertainty

Clause 12 – SIS Application Program Development (Major re-write)


IEC61511 Changes

Clause 13 – Factory Acceptance Testing (FAT)

> This clause is now normative and need determined during planning

Clause 16 – SIS Operation and Maintenance

> Procedures for data collection

> Requirement for compensating measures when bypassing or disabled

> Bypass log required

> Spare parts requirements to meet MTTR requirements

> Management procedure for deferrals

43 43

Introduction to Safety Instrumented System Management You Need More than Hardware and Software



Presenter

Eloise Roche, CFSE

> Global SIS Process Automation Leader for The Dow Chemical Company

> 23 years in the chemical industry

> Experiences include: Process Engineering, Process Automation, Maintenance Coordination, Operating Discipline and Training Coordination, Root Cause Analysis, and Process Safety Management.

> B.S. in Chemical Engineering from Rice University, Houston, Texas

Disclaimer: This presentation represents the personal views of Eloise Roche

and not those of The Dow Chemical Company.


Purpose

It is not feasible to cover all aspects of SIS documentation and management described in ISA-84 in this presentation.

This presentation will cover only some common elements of SIS

management > Key concepts of the requirement > Key discussion points which in my experience are the most

essential for long term success > Briefly note a few process safety incident case studies which may

be of interest to review offline


Acronyms

> FTF – False Trip Frequency > IE – Instrument/Electrical > MTTR – Mean Time To Repair (Restore) > PA – Process Automation > PFD – Probability of Failure on Demand > PHA – Process Hazard Analysis > PPM – Planned Preventative Maintenance > SCAI – Safety Controls, Alarms and Interlocks > SIF – Safety Instrumented Function > SIL – Safety Integrity Level > SIS – Safety Instrumented Systems > SRS – Safety Requirements Specification


Safety Lifecycle Overview – My take on ISA-84.00.01-2004 Part 1 Fig. 8

A. What can go wrong? How likely is that to happen? Is that acceptable? Can we redesign to make it safer?

B. What CAN we do to reduce the risk? What WILL we do to reduce the risk?

C. Design to do that

D. Implement it and PROVE it does what it is supposed to

E. Now PROVE you Kept it that Way (or managed change correctly)!

PHA and Inherently Safer Design

Protection Strategy defines SCAI, SIL, begins SRS, etc.

Complete SRS and related design docs

Verification Commissioning Validation Functional Safety Assessment


Maintenance Key requirement concepts:

- PFD ∝ proof test interval (including “mission time” if written proof test procedure coverage < 100% of dangerous failures)

- Failure rates (λ) used in SIL calculations depend on doing PPM - Achieving SIL requires that PPM and proof testing are done on time

Key discussion points between IE Design, PA Design, Process

Eng, Maintenance Rep and Facility Rep - - How to make the instruments accessible? - Is there redundancy available during online testing, will alternate

mitigations be needed while device is being tested online, or will the plant always be brought down to an inherently safe state for testing?

- What isolation valves, bleeds and taps are needed to facilitate PPM and proof testing per the written procedures?

- Don’t forget ppm and proof test of the logic solver


Where is this documented Intended Design:

- PHA and Protection Strategy Documentation - SRS: ISA-84 defines minimum content - Other key Plant Safety Information documents:

- P&IDs - Instrument wiring diagrams and specifications - Process Control Strategy Documentation (e.g. logic tables) - Computerized Maintenance Management Systems - Written detailed procedures

Proof that SIS was implemented correctly and it performs

- Field instrument commissioning and independent verification - Code simulation and independent verification - Validation of end-to-end performance of complete SIF - Ongoing Maintenance results (as-found, as-left) data


Repair Key requirement concepts:

- Repair is often in response to random failure – actual timing of random failure is unpredictable

- The mean time it takes to detect failure and restore to operation (MTTR) is part of the SIL calculation

- Need to set up the field instrument hardware, spare parts and personnel so MTTR can be met in an actual repair situation

Key discussion points between IE Design, PA Design, Process

Eng, Maintenance Rep and Facility Rep: - Much the same as for Maintenance, with the addition of… - Ensure parts, personnel, and the equipment are available quickly - How is the SIF going to act initially upon the detected failure (directly

affects PFD and FTF calculations)? - Incorporate checks to detect repeated or premature failures


Case Study – Response to frequent failure COMAH … Why did it happen? report

My high level summary of PART of the incident findings:

1. Large tank of flammable material being filled out of a distribution system.

2. Key Instrument: Tank analog level device had stuck (dangerous failure) 14 times in preceding 3.5 months

3. Frequent repeated failures of this key instrument was not recognized as process safety near miss by maintenance/ operations and/or are not escalated to plant management/process safety personnel

Abnormal → Normal 4. Analog level sticks again and this time the failure

goes unnoticed 5. Flow into tank continues – 3 alarms don’t ring due

to the failed analog instrument 6. Separate LSH interlock fails due to

undermanaged change in instrument technology 7. Tank of flammable materials overflows resulting in

a very large release 8. Vapor cloud results in a series of explosions

Over 40 people injured ~2000 evacuated Large parts of facility destroyed Damage to nearby residential properties Etc.


Enabling/Bypassing/Impairment

> Key requirement concepts: - All these words mean the SIS will intentionally not work during some time when

the equipment might be subject to the hazard - If bypass is done automatically for a short unchangeable period of time, it might be OK - If it is a manual bypass that could accidentally be left on or used at wrong time? Problem!

- The details of WHO, WHEN and HOW a bypass may be SAFELY used must be documented in a detailed written procedure.

- Risk must be mitigated during the bypass - The bypass must be access restricted

> Key discussion points: IE Design, PA Design, Facility Leadership,

Process Safety - When is it safe to bypass or how can it be made sufficiently safe? - How to access restrict, annunciate, and document? - Who gets to authorize and who gets to use the bypass?


Case Study - Bypassing U.S. Chemical Safety and Hazard Investigation Board Final Investigation Report No. 2004-10-I-IL

My high level PARTIAL summary: 1. Operator is washing out a reactor and

goes to empty out the washwater 2. HUMAN ERROR: Operator goes to

identical reactor next to the one he was actually washing and apparently does not notice the different labeling

3. Tries normal control panel to open the dump valve on the (running) reactor

4. Safety interlock prevents valve opening

5. Bypass on dump valve without effective access restriction - procedural management only

6. Operator uses the bypass to force open the valve without following procedure

7. Dumps contents of the running reactor to the slab → release and explosion

5 killed 3 Injured ~Local community evacuated Facility mostly destroyed


Change Management

Key requirement concepts: > RECOGNIZING a change > Having leadership WILLPOWER to ensure that the same rigorous

discipline is applied to change as to the initial design/construction > Executing the change following the safety life cycle

Key discussion points: Facility Leadership, Process Safety > Planning resources to fulfill independent verification reviews and

functional safety assessment > How will facility re-validate end-to-end performance of SIF after

modification of the SIS > Ensuring robust discipline in making updates to all the related

documentation


Case Study – Change Management U.S. Chemical Safety and Hazard Investigation Board Final Investigation Report No. 2009-01-I-PA

My high level summary of PART of the report:

1. Initial design only had one power supply and LSH from downstream tanks were interlocked into it

2. Change: An “temporary” “emergency” power supply was installed

3. Supervision decided to rely on alarm response instead of interlocking this 2nd power supply

4. “Temporary” 2nd power supply was never incorporated into plant documents or logic solver

5. Over ~28 years, everyone forgot about the “temporary” power supply EXCEPT for the operators, who had taught each other to use it during the briefly staffed weekend period to boost flow by running an additional pump

6. One weekend, the operator turned off the normal pump via the logic solver before leaving, but forgot to disconnect the second pump from the “emergency” power supply

7. Tank of toxic material overflows in the unmonitored plant

Fortunately: No fatalities Other site employees successfully evacuated Caused evacuation/shelter-in-place for 2500 nearby residents (three towns) Minor injury to an emergency responder


Auditing One take on Entropy (≈Boltzmann’s version)

> A structured system will degrade to disorder/chaos over time unless energy is put into the system to sustain the order

Put simply: Every device or system will break down if you give

it long enough without sufficient upkeep. Or as a well-known leadership adage would put it “You get what

you Inspect, not what you Expect.” SIS Performance and Management Systems must be

periodically inspected for weakness and corrected or the PROCESS SAFETY EFFECTIVENESS DEGRADES


Some key items to Audit for… SIS Performance vs. SIL Verification Assumptions

> SIF activation frequency > Proof test, PPM, and Diagnostic intervals and as-found failure rates > Repairs meeting MTTR assumptions

Bypasses are secured and were used only as authorized Unchanged or Change has been correctly managed

> Same make, model, electronic version of hardware devices? > Same configuration, diagnostic alarms, setpoints and delay timers in the application

code? > Underlying assumptions of PHA/protection strategy still apply? > Management of personnel changeover

PHA, SRS, and other plant safety documentation remain CONSISTENT,

COMPLETE, CLEAR and CORRECT


Summary > The SIS human management systems are just as essential as the

SIS hardware and software in meeting SIL performance

> Most effective SIS Management begins with the initial design of equipment, instrumentation/automation design, facility layout, spare parts program, and staffing of the organization. > Balance: Inherently safer process design options vs. using protection layers > Need to design the field hardware and safety application software for PPM, testing,

and safe impairment

> Consistent, Complete, Clear and Correct documentation (Plant

Safety Information) is essential to correct installation and to sustaining process safety performance despite change over time

> Process Safety program will fail if we don’t dedicate enough

resources to audit the management systems and correct them


References

> ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod) > COMAH – Buncefield: Why did it happen? > U.S. Chemical Safety Board Final Investigation Report No.

2004-10-I-IL > U.S. Chemical Safety Board Final Investigation Report No.

2009-01-I-PA

60 60

Closing and Q&A

Farshad Hendi Safety Services Practice

Leader Americas & Europe


April 27 – May 1 Dallas, TX

2015 Process Automation Global Client Conference

Watch for more information coming later this month

Questions


Share your viewpoint… Learn what others think

http://automation2.com/





This session is now available to view OnDemand here

http://iom.real-time-answers.com/process-safety_webinar_141106_on-demand.html

Documents

View the recorded presentation here - Schneider · PDF fileView the recorded presentation here ... (comparison of increased Online project costs versus Turnaround production outage