Leif Mortensen, PA-4443-S-1, 2012-05-31
ABB Offshoredag 2012 800xA High Integrity – A Case Story © ABB Group June 4, 2012 | Slide 1
800xA High Integrity – A Case Story
Agenda
• Preem – short introduction
• Preem requirements to safety systems and suppliers
• Implementation of Functional Safety Management at Preem
• Case 1: Preemraf Gothenburg
• Case 2: Preemraf Lysekil
Preemraff Sweden
• Privately owned company
• Two refineries, Lysekil and Gothenburg
• 470 gasoline stations in Sweden
Lysekil
• Refines 12 mill. ton crude per year
• 600 employees
• Current safety systems: ABB SafeGuard, Emerson Delta-V, Honeywell
Gothenburg
• Refines 6 mill. ton crude per year
• 300 employees
• Current safety system: Honeywell
Preemraf – Case 1 Gothenburg Refinery
800xA High Integrity – A Case Story
Preem requirements to safety systems and suppliers
• Delivery according to Functional Safety Standards IEC 61508 and IEC 61511
• Compliance to implement hardware and software Safety Instrumented Functions according to Safety Integrity Level 3
• Integrated and standardized solutions for hardware and software (OGP REUSE)
• Online upgrade, online software modification, online hardware extension: 6 years between site turnarounds
• Price competitive
• Local presence and competences
• Supplier should have a responsive attitude to customer demands
Safety Standards – History and evolution
[Figure: timeline (1974 to 2005) of safety standards by region (Germany, UK, USA, International), moving from prescriptive standards (API RP14C, DIN VDE 0801, DIN VDE 19250, HSE PES, ISO 10418, OSHA CFR 1910.119) to performance standards (ISA dS84.01 draft, ANSI/ISA S84.01, ANSI/ISA S84.00.01 (IEC 61511 Mod), IEC 61508, IEC 61511), set against major accidents: Flixborough 1974, Seveso 1976, Bhopal 1984, Chernobyl 1986, Piper Alpha 1988, Pasadena 1989.]
Functional Safety Standards IEC 61508 and IEC 61511
Functional Safety is the part of the overall safety of a system or piece of equipment that depends on the system or equipment operating correctly in response to its inputs, including the safe management of likely operator errors, hardware failures and environmental changes.
[Figure: IEC 61508 (Ed 2 released 2010-4-15) with its related sector standards: IEC 61511 Process Sector; IEC 61513 Nuclear Sector; IEC 62061 Machinery Sector; IEC 61800 Adjustable Speed Electric Power Drives; IEC 60601 Medical Devices; EN 50156 Furnaces; EN 50128 Railways.]
Functional Safety Standards Relations between IEC 61508 and IEC 61511
Safety Instrumented System – SIS / Safety Instrumented Function – SIF
• A Safety Instrumented System (SIS) is a collection of sensors, controllers and actuators.
• It executes one or more Safety Instrumented Functions (SIFs) that are implemented for a common purpose.
[Figure: Safety Instrumented System with multiple SIFs – one controller executing SIF A (level switch, solenoid, pump) together with SIF B, SIF C and SIF D.]
SIL is applicable for a LOOP.
System 800xA HI – Integrated Safety
Customer value of integration – available today:
• Same operations interface and engineering
• Process control and safety in the same HI controller
• Centralized Historian and Data Archiving
• Common system, therefore reduced spare parts, training etc.
• Common, integrated asset management strategy
• Plant-wide Sequence of Events
[Figure: two architectures, each with centralized Historian and Data Archiving – process control and safety in the same HI controller, and process control and safety running in separate controllers.]
Certificates – 800xA High Integrity meets industry standards
• AC800M HI Controller – SIL 1-3 / CAT PLe 1-4 certified
• S800 Safety I/O (AI, DI, DO) – SIL 1-3 / CAT PLe 1-4 certified
• I/O Communication – SIL 1-3 / CAT PLe 1-4 certified
• Standard I/O and communication modules – certified interference-free* (*listed in safety manual)
OGP REUSE Solutions – Typical solutions for efficient engineering and operation
• Typical solutions originating from North Sea O&G experience, with almost a decade of refinement throughout a number of customer projects and installations
• Building blocks for application engineers, enabling them to "tailor" applications by using ready and well proven SW modules and features
• OGP REUSE includes functionality and features widely applicable in OGP customer projects: libraries of Control Module Types (CMT); features for engineering and operational efficiency; customizable workplace and graphical templates
OGP REUSE Solutions – Control Module Libraries
The Control Module types are grouped in libraries according to the main functionality.
• Signal: Analog Input, Analog Input with voting, Analog Input for Fire and Gas, Digital Input, Digital Output etc.
• Final Elements: Valve (On/Off), Valve (Choke), PID Control, Motor Control, Circuit Breaker etc.
• Fire and Gas: Fire Area, Fire Overview, HVAC, Deluge, Watermist etc.
• Function elements: Latching, Totalizer, Function XY etc.
• Common logic elements: Add, AND, OR, TON, etc.
There are 25+ "device" and function objects.
OGP REUSE Solutions – Types of libraries

Library name         | Description                                               | Examples
REUSEcommon          | Common small types for logic and data type conversions    | AND, OR, SPLIT, KS, HSO, MSO
REUSEElectroLib      | Electro types for interfacing circuit breakers and motors | SBC_CB, SBC_IB, SBE_IM
REUSEfg              | Fire & Gas types such as Area, Watermist and Deluge       | AREA, BLOCKING, HVAC, DELUGE, MA_FG, MB_FG
REUSEfgCommonLib     | Common Fire & Gas types such as OR2_ISW and VOTE2_ISW     | OR2_ISW, VOTE2_ISW
REUSEflowelmentlib   | Flow types such as Valve and Motor                        | SBV, SBE, SBC_F, SBC_I, SBE_VSD
REUSEFuncElmentLib   | Function types for shutdown level and calculation         | LB, YA, FL, HM, QA
REUSEsignallib       | Main signal types for analog and digital input/output     | MA, MB, CA, CS, MAV, MA_SI, OA
REUSESystemStatusLib | Type for presenting the system status                     | SystemStatusAC800
OGP REUSE Solutions – Engineering and Operational Efficiency
1. GDS Group Display Status
2. Operator Workplace: left screen – Overview Displays (PCS, ESD, PSD, F&G); right screen – Detailed Displays
3. Trip & Interlock Display Navigation, Maintenance Displays
4. Display Templates (PCS, ESD, PSD, F&G)
[Figure: operator workplace screenshot with a group display status bar (Process: A W F S B H).]
OGP REUSE Solutions – Ergonomic Display Templates
• Less bright colors when everything is in Normal state
• Secures operator attention during alarm situations
[Figure: dimmed screen example.]
OGP REUSE Solutions – Guidelines
• Alarm Handling, Application Guideline
• AC 800M Application Guideline
• Library Programming Guideline
• Process Displays Guideline
OGP REUSE Solutions – Compliance to standards and Best Practices
• NORSOK Standards: SCD System Control Diagram (I-005), which extends the IEC 61804 control application levels; SAS Safety and Automation Systems (I-002). Bringing this concept further to become an IEC standard (standardization committee 65B).
• EEMUA 191:2007 Alarm Systems, a Guide to Design, Management and Procurement
• YA-711 Principles for Alarm System Design by the Norwegian Petroleum Directorate
• Safety: compliance to IEC 61508 and IEC 61511
• API 14C (1) for process safety in Gulf of Mexico operations
(1) Registration required for access
What is the scope of TÜV Certification? 800xA High Integrity – ABB Safety Certificates
• Product Safety Certificate
• Development Department Safety Certificate
• ABB A/S Certificate
[Figure: certificate images.]
Functional Safety Management at Preem
• FSM has management attention
• Preem has started a project to implement FSM in its organization.
• Preem has today procedures, standards, routines, instructions etc. that in some cases fulfill FSM, but in most cases they need to be rewritten or created.
• The top of the Safety Life Cycle is implemented, since it is handled as a project and involves relatively few people.
• The challenge is the bottom of the Safety Life Cycle, which requires involvement of more people and a "complex" organization.
IEC 61511 Safety Lifecycle Phases
[Figure: lifecycle overview with activities and responsibilities per phase group]
• Analysis phase (phases 1-2) – Activities: identify hazards, specify requirements – Responsibility: end user / operator
• Design, installation & commissioning (phases 3-5) – Activities: configure to requirements – Responsibility: engineering / equipment supplier
• Operation phase (phases 6-8) – Activities: operate, maintain & modify – Responsibility: end user / operator
• Phases 9-11 – Responsibility: ALL
Risk Assessment Options – Examples
• Hazardous Event Severity Matrix
• SIL Risk Graph (Qualitative)
• Layers of Protection Analysis (LOPA)
• Fault Tree Analysis (Quantitative)
[Figure: LOPA worksheet with columns Scenario and Case Number; Scenario Description; LOPA Target Factor; Initiating Event Factor; Enabling Factor; Independent Protection Layers (Process Design, BPCS Control Function, Operator responds to alarms and written procedures, Pressure Relief Device, SIS Function A, SIS Function B, Other SIS-related protection systems); Protection Gap (target is 0 or less); Notes. Rows for Safety Analysis and Business Analysis, each showing a protection gap of 0.]
Safety Requirement Specification (SRS)
For every loop, the SRS contains two types of requirements:
• Functional Requirements – description of the functions of the SIF: how it should work
• Integrity Requirements – the risk reduction and reliability requirements: how well it should work
[Figure: example loop with solenoid.]
Safety Requirement Specification Communication
Safety Instrumented System - SIS
Purpose of a Safety Instrumented System:
• Reduce the risk that a process may become hazardous to a tolerable level
• The SIS does this by decreasing the frequency of unwanted accidents
• The SIS senses hazardous conditions and then takes action
• The SIS moves the process to a safer state, preventing an unwanted accident from occurring
Safety Instrumented System - SIS
The amount of risk reduction that a SIS can provide is represented by its Safety Integrity Level (SIL), which is defined as a range of:
• Probability of Failure on Demand (PFD)
• Safe Failure Fraction (SFF)
• Avoidance of Systematic Failures
AC800M High Integrity Redundant Controller Configuration
[Figure: redundant controller pair built from PM865, SM811 and BC810 modules, joined by the RCU Link and CEX bus, with optical Modulebus to redundant I/O via TB 840.]
Engineering Responsibilities – Competence
• Architectural design to meet target SIL requirements
• PFD calculations using appropriate reliability data for the desired loop configuration
• SIL capability
• SIS design
• Hardware and software integration
• Verification and validation
• Functional safety assessments
• Information on operation and maintenance requirements, building on manufacturer-supplied data
• Instructions for testing
• Installation and commissioning
• Functional Safety Management for design and build activities
Source: IEC 61511
Responsibilities – Activities
• FAT
• SIS installation and commissioning
• SIS safety validation
• SAT
• SIS operation and maintenance
• SIS modification
• SIS decommissioning
• Information and documentation required
Documentation
Why should safety be documented?
• We work in lifecycle phases; we need to pass on information to different engineering disciplines
• We need traceability
• We need up-to-date information / version control
What is documentation? Anything we can store and which can be properly identified.
Typical Documentation
• HAZOP reports
• Safety Requirement Specification
• Functional Design Specification / Safety Analysis Report
• Safety plan / Safety Lifecycle Management Plan
• Test documents (specifications & records)
• Competence (role descriptions & competence requirements for each role)
• SIL compliance report / SIL verification report
Competence requirements and roles in a safety project
The competence of people involved in safety projects is normative according to IEC 61511.
• Competence: role descriptions, competence requirements for each role
• Education, training, experience
• If not in-house, use consultants and mentoring
Example of safety roles in a project: Functional Safety Manager, Safety Lead Engineer, Safety Assessor
Preemraf – Case 1 Gothenburg Refinery
Application:
• Modernization of the oil refinery's safety system (ESD)
• Exchange of obsolete Honeywell FSC safety system
• Since this is to be done during turnaround (every 6 years) or regenerating stop (every third year, part of site stop), this is a long-term project.
Automation from ABB:
• System 800xA 5.1-based safety solution comprised of two (2) AC 800M HI controllers (PM 865) in redundant configuration
• Safety assessed solution that meets SIL 3
Preem design:
• Risk evaluation not performed
• Based on generic safety functions
• Application to be based on SIL 2
FSM plan:
• Implement FSM/SLC into operations, maintenance and project organization
Preemraf – Case 1 Gothenburg Refinery – Project set-up
• Hardware delivery – ABB Sweden
• IEC 61508 and IEC 61511 compliance of hardware and software – ABB Denmark
Preemraf – Case 2 Lysekil Refinery
Application:
• Modernization of the oil refinery's safety system for the gas burning oven (ESD)
• Exchange of obsolete ABB safety solution
• Replace non-SIL equipment to fulfill SIL classification
• Replace MP200 controllers (13 pcs "interlock controllers") with a safety system
• Move non-SIL signals to the DCS system; SIL-classified signals that are today installed in the DCS are to be moved to the safety system
Automation from ABB:
• System 800xA 5.1-based safety solution comprised of one (1) AC 800M HI controller (PM 865) in redundant configuration
• Safety assessed solution that meets SIL 3
Preem design specification:
• Risk evaluation and SIL classification of existing units performed
• Defined safety functions for non-SIL, SIL 1 and SIL 2 functions
• Implement FSM/SLC into operations, maintenance and project organization
• Preem is using exSILentia as SIL classification software and a Risk Matrix for SIL classifications. In case of a high SIL level on a SIF (SIL 3, or in some cases SIL 2), LOPA (Layers of Protection Analysis) is used on the specific SIF.
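The two calculations the deck names without showing, the PFD calculation under engineering responsibilities and the LOPA applied to high-SIL SIFs at Lysekil, can be worked through together. The following is an added example, not ABB or Preem material: it uses the IEC 61508 low-demand SIL bands and the simplified IEC 61508-6 Annex B formulas, with a constructed LOPA scenario and constructed failure rates, and compares proof testing at the 6-year turnaround against the 3-year regenerating stop mentioned for Gothenburg.

```python
# Added example (not from the ABB/Preem deck): LOPA target derivation plus a
# simplified PFDavg verification of one SIF, using the IEC 61508-6 Annex B
# approximations (MTTR and diagnostics neglected). Failure rates are constructed.
from math import prod

HOURS_PER_YEAR = 8760
# IEC 61508 low-demand mode bands: (SIL, PFDavg lower bound, upper bound)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))

def sil_from_pfd(pfd):
    """SIL band a PFDavg falls in; 0 means no SIL credit (PFDavg >= 0.1).
    Anything below 1e-5 is reported as 4, the highest level the standard defines."""
    if pfd < 1e-5:
        return 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0

def lopa_required_pfd(init_freq, enabling_factors, ipl_pfds, target_freq):
    """Event frequency without the SIF = initiating event frequency * enabling
    factors * PFD of each independent protection layer (IPL). Returns the PFD
    the SIF must achieve to close the protection gap, or None if no SIF is needed."""
    unmitigated = init_freq * prod(enabling_factors) * prod(ipl_pfds)
    return None if unmitigated <= target_freq else target_freq / unmitigated

def pfd_1oo1(lambda_du, t_proof_h):
    """Single channel: PFDavg ~= lambda_DU * T_proof / 2."""
    return lambda_du * t_proof_h / 2

def pfd_1oo2(lambda_du, t_proof_h, beta=0.0):
    """1oo2 voting with beta-factor common cause:
    ((1 - beta) * lambda_DU * T)^2 / 3  +  beta * lambda_DU * T / 2."""
    independent = ((1 - beta) * lambda_du * t_proof_h) ** 2 / 3
    return independent + beta * lambda_du * t_proof_h / 2

def evaluate_case(t_proof_years):
    """Worked case: LOPA target, then two loop designs proof-tested at the given
    interval (6 years = site turnaround, 3 years = regenerating stop)."""
    # LOPA inputs (constructed): initiating event 0.5/yr, no enabling reduction,
    # IPLs = BPCS alarm + operator (0.1) and relief valve (0.01), target 3e-6/yr
    required = lopa_required_pfd(0.5, [1.0], [0.1, 0.01], 3e-6)
    t_h = t_proof_years * HOURS_PER_YEAR
    logic = pfd_1oo1(5e-9, t_h)   # logic solver, lambda_DU = 5e-9 /h (constructed)
    valve = pfd_1oo1(3e-7, t_h)   # single shutdown valve, lambda_DU = 3e-7 /h
    design_a = pfd_1oo1(2e-7, t_h) + logic + valve             # one transmitter
    design_b = pfd_1oo2(2e-7, t_h, beta=0.05) + logic + valve  # 1oo2 transmitters
    return {"required_pfd": required, "target_sil": sil_from_pfd(required),
            "design_a_pfd": design_a, "design_a_sil": sil_from_pfd(design_a),
            "design_a_meets": design_a <= required,
            "design_b_pfd": design_b, "design_b_sil": sil_from_pfd(design_b),
            "design_b_meets": design_b <= required}
```

Note that a loop can sit inside the SIL 2 band and still miss the LOPA-derived PFD target, and that with a 6-year interval the single final element dominates the loop PFD; only the shorter interval lets the voted design meet the target.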
Preemraf – Case 2 Lysekil Refinery – Project set-up
• Hardware delivery – ABB Sweden
• IEC 61508 and IEC 61511 compliance of hardware and software – ABB Denmark
Functional Safety Management – Why ? Jan/Feb– 20 of April 21:49 - 2010
Total Safety Offering
Field Instrumentation: • SIL rated • Instrumentation • Actuators
SIS Systems: • TÜV Certified • Flexible and Scalable • System 800xA
Alarm Management: • Benchmarking • EEMUA 191 • Training • Support
SIL Determination: • Analysis • TRAC • Training • Mentoring
Proof Testing Support: • TRAMs • Proof test period • Maintenance • Lifecycle Support
Installed Systems Review: • SIL assessment • Benchmarking
IEC 61508/IEC 61511 Compliance: • Compliance Management • FSMS