
PPA 2011 8 Dec 2011

© HIMA 2011

Why is it so difficult to learn from someone else’s mistakes?

Functional Safety Seminar Speaker

Tino Vande Capelle
• Director – Functional Safety Consultancy
• Safety Critical Systems Engineering
• TÜV Functional Safety Expert and Trainer

Contact:
• Mobile: +49.172.624.2277
• Email: [email protected]


Introduction

• Why is it so difficult to learn from mistakes others have made in our industry?

• Would you rather learn from the mistakes of others or make them all yourself?

• Certainly you will learn better by making your own mistakes, but those lessons can come with extremely high risk and cost


Modern history of industrial disasters

• There have been several unfortunate industrial disasters in the process industry in the past, and there will likely be many more to follow, as our daily working conditions, materials, equipment and performance requirements keep changing and become more and more demanding.

• Major accidents like Seveso, Flixborough, Piper Alpha, Bhopal, Chernobyl, Texas City and, most recently, Deepwater Horizon have all painfully revealed failures that we can learn from: failures that come at a cost in lives, environment and capital investment.


Modern history of industrial disasters

• Bhopal, Union Carbide India, 2-3 December 1984

– 3 storage tanks for Methyl Isocyanate (MIC), an unstable liquid: above 15 ºC it decomposes into deadly toxic components such as hydrocyanic acid or cyanide

– The 4 layers of protection were defeated by 1 common cause failure and operator / maintenance errors


Modern history of industrial disasters

• Bhopal, Union Carbide India, 2-3 December 1984

– 3,000 – 5,000 people killed by inhaling 41 tons of poisonous gas

– 500,000 people were exposed to the deadly gas

– June 2010: 23,000 dead and counting…


Modern history of industrial disasters

• Deepwater Horizon, BP, 21st April 2010

– The environment in which the oil drilling took place – 5,000 feet below the ocean's surface – is extremely hazardous

– 11 people killed

• Update 20th July 2011

– To date, the fund has paid $4.7 billion to 198,475 claimants. The total number who have sought money stands at 522,506, many with multiple claims. In all, the fund has nearly 1 million claims and continues to receive thousands of claims each week.


Functional Safety Standards Milestones

1996 ISA SP84 – Safety Lifecycle, Quantitative Approach

1997 IEC 61508 – Safety Lifecycle, Quantitative / Qualitative Approach

2004 ANSI/ISA 84.00.01 = IEC 61511 – Functional Safety, SIS for the Process Industry Sector

2010 IEC 61508 – maintenance revision released


IEC 61508 ed 2.0 released April 2010

• Personal competence: it is now a normative requirement (it was informative in ed 1.0)

• How do you prove that you are COMPETENT?


Forced Safety Culture

• Human nature does not like to admit or reveal knowledge of problems. So for the past 30 years certain standards have helped engineers apply good engineering practice, but the weakest link in the safety culture remains the human being

• The standards have minimized random hardware and common cause failures, but some basic concepts still puzzle people, which very often leads to systematic failures


Why is it so difficult to learn from someone else’s mistakes?


Organizations have NO Memory!

• Incidents that have similarities with Buncefield:

– April 1962, Houston Texas, USA

– Jan 1977, Baytown Texas, USA

– Jan 1983, Texaco, Newark, New Jersey, USA

– Dec 1985, Naples Harbour, Italy

– Oct 1991, St Herblain, France

– Jan 1993, Jacksonville, Florida, USA

– Dec 1999, Laem Chabang, Thailand

– Dec 2005, Buncefield, UK

– Oct 2009, Jaipur IOC, India


Similar types of incidents keep occurring?

• Why not Keep It Simple Stupid, or was it Stupid Simple (KISS)?

• The reason is:

YOU – ME – All of US


Why do we need Functional Safety?

Analysis of 34 incidents, based on 56 causes identified:

44 %  Specifications
20 %  Changes after commissioning
15 %  Operations and maintenance
15 %  Design and implementation
 6 %  Installation and commissioning

Source: Out of Control: Why control systems go wrong and how to prevent failure (2nd edition, © Health & Safety Executive HSE – UK)


Systematic Failures – Human Errors?


If only we had done…

• Today we have the knowledge that each of these could have been prevented if people had designed the plant/process for failure and applied adequate competency to avoid such things happening again in the future.

• But as Mr. T. Kletz once stated:

“Accidents are not due to lack of knowledge but failure to use the knowledge we have.”


Competency & training (update Nov 2011)

• HIMA trained 1,500+ people over the last 6 years

• TÜV Rheinland program: 4,500+ certified by end 2011?

• Source: www.TUVASI.com


TOP 10 Failures based on experiences…

• During the last 20 years of conducting seminars, workshops and trainings, meeting thousands of people from all continents of the world, we have made a TOP 10 collection of typical failures often found in our daily discussions with them…


1. Hazard identification

• The most crucial phase of any project starts with the CORRECT and COMPLETE identification of the potential HAZARD(S). Once all hazards are identified, the job is (can be) half done…

• It is the first and most important step when identifying the required safety functions for your safety system

• SIS systems not based on hazards are either over-dimensioned (€€) or under-dimensioned (€€€€)


1. Hazard identification

• A safety function is useless when it is not linked to a hazard or hazardous event

• HAZOP is a very popular technique, BUT:

– Select the study nodes according to your experience

– Keep your sessions:

  – within the brainpower time

  – with a maximum of 6-8 of the most experienced engineers

  – well documented, and have an FSA follow up!


2. Risk Reduction tools

• Some of you were told to use Risk Reduction tools like Risk Matrix, Risk Graph, LOPA, etc… BECAUSE:

– Corporate office has defined the criteria

– The EPC contractor has proposed a preference to you

– Your consultant made a proposal

– Simply because maybe you have a preference


2. Risk Reduction tools

• Whatever tool you decide to use, make sure:

– You calibrate the tool(s) first to your specific needs, criteria, environment, project & plant specifics

– You don’t accept just cut-copy-paste between projects

– You periodically review (e.g. yearly) your tools and recalibrate them if needed


3. Layers of Protection (LOPA)

• Depending on a single reliable layer?


3. Layers of Protection (LOPA)

• Remember:

• Choose your layers to be TOTALLY INDEPENDENT

• Take credit for a layer only ONCE in LOPA

• Any combination of normal PLC or DCS/BPCS interlocks has a maximum RRF <= 10 (SIL 0)

• AVOID common design (systematic) failures
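To make the three LOPA rules on this slide concrete, here is an added worked example (my own code, not HIMA's or the speaker's) that runs a LOPA for a constructed tank-overflow scenario: each independent protection layer is credited once, the combined credit of ordinary BPCS layers is capped at RRF 10 as the slide states, and the remaining required risk reduction is mapped onto the IEC 61508 PFDavg bands to read off the SIL the SIF must achieve. All frequencies, layer names and PFD values are constructed for the illustration.

```python
"""LOPA worked example (added illustration, not from the HIMA slides).

Frequencies are per year; every figure below is constructed for the example.
"""
from dataclasses import dataclass

# IEC 61508 low-demand PFDavg bands: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))

# The slide's rule: ordinary PLC/DCS/BPCS interlocks, in any combination, are worth RRF <= 10
BPCS_MAX_RRF = 10.0


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float          # probability the layer fails to act on demand
    bpcs: bool = False  # True for a normal PLC/DCS/BPCS interlock or alarm


class LopaError(ValueError):
    """Raised when the LOPA breaks one of the slide's rules."""


def mitigated_frequency(initiating_freq, layers, cap_bpcs=True):
    """Frequency of the hazardous event after the independent protection layers.

    Each layer may be credited only once (checked by name).  BPCS layers are
    multiplied together and, with cap_bpcs=True, the combined BPCS credit is
    limited to 1/BPCS_MAX_RRF, i.e. no better than SIL 0.
    """
    credited = set()
    freq = initiating_freq
    bpcs_pfd = 1.0
    for layer in layers:
        if layer.name in credited:
            raise LopaError(f"layer {layer.name!r} credited twice")
        credited.add(layer.name)
        if layer.bpcs:
            bpcs_pfd *= layer.pfd
        else:
            freq *= layer.pfd
    if cap_bpcs:
        bpcs_pfd = max(bpcs_pfd, 1.0 / BPCS_MAX_RRF)
    return freq * bpcs_pfd


def required_rrf(mitigated_freq, target_freq):
    """Risk reduction the SIF must still supply to reach the tolerable frequency."""
    return max(mitigated_freq / target_freq, 1.0)


def sil_for_rrf(rrf):
    """IEC 61508 SIL band for a required RRF; 0 means no SIF is needed (RRF <= 10)."""
    pfd = 1.0 / rrf
    if pfd >= 1e-1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    raise LopaError("required RRF exceeds SIL 4: redesign the process instead")


# Constructed scenario: loss of level control leads to tank overflow.
INITIATING_FREQ = 0.1          # BPCS control loop failure, 1 in 10 years (constructed)
TARGET_FREQ = 5e-7             # tolerable frequency from the company criteria (constructed)
SCENARIO = (
    Layer("high-level alarm + operator response", 0.1, bpcs=True),
    Layer("independent BPCS high-high interlock", 0.1, bpcs=True),
    Layer("relief / overflow line", 0.01),
)


def analyse(layers=SCENARIO, cap_bpcs=True):
    """Return (mitigated frequency, required RRF, SIL) for the scenario."""
    freq = mitigated_frequency(INITIATING_FREQ, layers, cap_bpcs)
    rrf = required_rrf(freq, TARGET_FREQ)
    return freq, rrf, sil_for_rrf(rrf)


if __name__ == "__main__":
    for cap in (True, False):
        freq, rrf, sil = analyse(cap_bpcs=cap)
        print(f"BPCS cap {'on ' if cap else 'off'}: {freq:.1e}/yr, RRF {rrf:.0f}, SIL {sil}")
    try:
        analyse(SCENARIO + (SCENARIO[2],))   # same layer credited twice
    except LopaError as err:
        print("rejected:", err)
```

Running it with the cap switched off shows why the rule matters: the same scenario appears to need only a SIL 1 function when both BPCS layers are credited in full, but a SIL 2 function once the combined BPCS credit is limited to RRF 10. Crediting the relief line a second time is rejected outright.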


4. SIL - PFD

• Most of you here today will easily pronounce Safety Integrity Level (SIL), even Probability of Failure on Demand (PFD)

• Some of you may believe, or have been told, that those parameters are enough to describe the SAFETY needed?

• For those quoting ONLY “SIL & PFD”, it is like ordering a “RED” car with a “Horse” as symbol as the specification for a very well-known car…


4. SIL - PFD

• But you could easily get WHAT you have asked for…


4. SIL - PFD

• Remember that ‘SIL’ has:

– TECHNICAL requirements

– NON-TECHNICAL requirements (management)


5. Safety Instrumented Function

• The weakest element can take down the complete Safety Integrity of that loop


5. Safety Instrumented Function

• Remember:

• Every SINGLE SUBSYSTEM should fulfil the SIL requirements you want to achieve for that SIF

• Often the weakest link will be your final element (e.g. solenoid, valve)

• Or maybe your cheapest interface somewhere in the SIF (e.g. interposing relay)


6. Proof test coverage & frequency

• Remember:

• Not only the FREQUENCY is important; the amount of COVERAGE of your proof test is even MORE important

• It will be extremely difficult to reach 80-90% coverage during a SIF proof test of the devices and achieve “as good as new” for the safety function

• E.g. it doesn’t matter how often you visit a doctor for a medical check-up; make sure that doctor will find all potential problems


7. Hardware with Software, SIL by FMEA?

• Several field transmitters are sold as SILx-capable devices based on an FMEA/FMEDA.

• E.g. a pure hardware SIL 2 transmitter can most likely be used in 1oo2 for a SIL 3 application. But a smart transmitter, where only the hardware was assessed by an FMEA for SIL 2, cannot automatically be claimed for SIL 3 in a 1oo2 architecture, since the software was only designed for use in SIL 2 applications…


7. Hardware with Software, SIL by FMEA?

• Remember:

• For every component, device or piece of equipment that includes SOFTWARE, make SURE that the SOFTWARE has been tested and approved for use up to the SIL level you try to achieve

• Rule of thumb: IF you believe (or have been told) that you do NOT need the software to achieve your safety function, pull out the IC chip and throw it away… If your safety function still works, then you do NOT need to certify your software


8. Certificate & Report

• A good certificate always comes with a report that explains possible restrictions in use, how the assessment was done, etc.

• The magical A4...


8. Certificate & Report

• Remember, make sure:

– You READ more than JUST the SIL number on the certificate

– You request a TEST report in order to understand:

  – WHAT has been tested

  – HOW the product was tested

  – Potential restrictions


9. Safety versus Availability

• Safety Availability vs. Process Availability

• This sounds simple, but it is still the biggest misunderstanding in our industry today.

• The objectives of process plants worldwide are two-fold:

– Achieve high levels of process AVAILABILITY

– Maximum production, higher turnover €€€ and keep the management happy ;-)

– Do this while maintaining a SAFE work environment and avoiding injury or death of humans, spills to the environment and loss of equipment or production


9. Safety versus Availability

• How do we achieve this?

– Redundancy

– Voting

– BUT how do we combine those, and WHY?

• Before we show the table, let’s define:

– Dangerous failures

– Safe failures

– HFT


9. MooN, HFT > Tino‘s table

Architecture   M (Voting)   N (Redundancy)   HFT (IEC/PFD) Dangerous   HFT (ISA/PFS) SAFE (new concept)
1oo1
2oo2
1oo2
2oo3
1oo3
2oo4
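The values of the speaker's table are not reproduced above, so as an added example (my own code, not Tino Vande Capelle's table) the block below derives both columns for the listed architectures by simulating the MooN voter: the dangerous-side hardware fault tolerance, which IEC 61508 defines as N − M for an MooN group, and the safe-side count, read here as the number of channels that may fail to the trip state before the group trips spuriously (M − 1). That reading of the "HFT (ISA/PFS) SAFE" column is my interpretation of the slide, not the speaker's definition.

```python
"""MooN voting: dangerous-side and safe-side fault tolerance (added example; not the
speaker's table, whose values are not reproduced on the page).

An MooN logic group trips when at least M of its N channels demand a trip.
- Dangerous failure: a channel stuck at "no trip".  IEC 61508 gives HFT = N - M.
- Safe failure: a channel stuck at "trip".  The group trips spuriously once M
  channels have failed safe, so it tolerates M - 1 of them (my reading of the
  slide's "HFT (ISA/PFS) SAFE" column).
Both tolerances are found by exhaustive simulation of the voter and then
cross-checked against the closed forms.
"""
import re

# The architectures listed on the slide
ARCHITECTURES = ("1oo1", "2oo2", "1oo2", "2oo3", "1oo3", "2oo4")


def parse_moon(arch):
    """'2oo3' -> (2, 3); rejects nonsense such as '3oo2'."""
    match = re.fullmatch(r"(\d+)oo(\d+)", arch)
    if not match:
        raise ValueError(f"not an MooN architecture: {arch!r}")
    m, n = int(match.group(1)), int(match.group(2))
    if not 1 <= m <= n:
        raise ValueError(f"need 1 <= M <= N, got {arch!r}")
    return m, n


def vote(m, channel_trips):
    """Voter output: True (trip) when at least m channels demand a trip."""
    return sum(channel_trips) >= m


def dangerous_tolerance(m, n):
    """Most channels stuck at 'no trip' while a real demand still trips the group."""
    k = 0
    while k < n and vote(m, [False] * (k + 1) + [True] * (n - k - 1)):
        k += 1
    return k


def safe_tolerance(m, n):
    """Most channels stuck at 'trip' without causing a spurious trip."""
    k = 0
    while k < n and not vote(m, [True] * (k + 1) + [False] * (n - k - 1)):
        k += 1
    return k


def tolerance_table(archs=ARCHITECTURES):
    """{arch: (M, N, dangerous HFT, safe-side tolerance)} with closed-form cross-check."""
    table = {}
    for arch in archs:
        m, n = parse_moon(arch)
        hft_d, hft_s = dangerous_tolerance(m, n), safe_tolerance(m, n)
        assert hft_d == n - m and hft_s == m - 1, arch  # simulation agrees with closed form
        table[arch] = (m, n, hft_d, hft_s)
    return table


if __name__ == "__main__":
    print(f"{'Arch':5} {'M':>2} {'N':>2} {'HFT dangerous':>14} {'tolerated safe':>15}")
    for arch, (m, n, d, s) in tolerance_table().items():
        print(f"{arch:5} {m:>2} {n:>2} {d:>14} {s:>15}")
```

The output shows the trade-off the slide is driving at: 1oo2 tolerates one dangerous failure but no safe one, 2oo2 the opposite, and 2oo3 tolerates one of each, which is why 2oo3 is the usual compromise between safety (PFD) and process availability (spurious trips).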


10. Functional Safety, a JUNGLE?


10. Beware of FS Cowboys

SAFETY EXPERT · SIL · LOPA · CERTIFICATION · PFD · SFF · PROVEN IN USE · HFT · FMEA · HAZOP · CFSE TUV… TUV FSE · 61508 · 61511 · REPORTS · FSA · FSM · DIAGNOSTICS · PARTIAL STROKE · SIL VERIFICATION · SOFTWARE · HARDWARE · VOTING · TYPE A - B


Summary

• All YOU need is:

– Know How – Know How – Know How

– Experience – Experience – Experience

– Competency – Competency – Competency

• To achieve an adequate safety culture, the competency of every human being working in the lifecycle of our process industry is becoming the ‘de facto standard’ for those who want to keep their plant safe and productive and avoid the very costly penalties and lawsuits should things go wrong as they have in the past.


Have COMPETENT people working and helping you keep YOUR plant FUNCTIONAL SAFE. Nonstop.