Siemens Process Safety USA

Let’s talk about SIX

Charles Fialkowski — Fri, 31 Oct 2008 18:58:00 GMT

Next week (Wednesday, November 5th) I have the honor of delivering a 45 minute presentation at the exiderdome in New York City. If you haven’t heard, or don’t know what exiderdome is, then check it out at www.sea.siemens.com/exiderdome the short of it, well it’s my companies corporate marketing extravaganza geared for the automation industry. If that’s not clear, then check out the website.

After securing the coveted, 4:15pm – 5pm timeslot, my next challenge was figuring out what to cover that would keep folks enlightened, entertained and of course awake. That’s where I came up with the clever them of “Let’s talk about SIX”, meaning of course, answering six of the most commonly misunderstood issues around process safety.

I invite anyone out there who wants to know the story behind any of these "SIX" important process safety topics to come join me next Wednesday, at exiderdome New York City.

1. What is the Safety Lifecycle?
2. How integrated can my safety and control system be?
3. How much redundancy is required for achieving my safety requirements?
4. How much safety (SIL) do I really needed?
5. Can I safety perform “On line changes” to my safety system?
6. How do I Calculate SIL levels?

And please let me know if you have any other questions you’d like me to answer as well at the next exiderdome.

When 1+1 doesn’t equal two

Charles Fialkowski — Tue, 16 Sep 2008 15:38:00 GMT

One would think that simple math would be sufficient when dealing with safety systems? For the most part this is true, as today, simplified formulas are widely accepted for modeling safety instrumented systems. The calculations used to help predict the performance of a specific safety design are derived from statistical formulas that most of us learned in our statistics courses we took in college. Today, there are a number of software based tools to help make all of this as simple as a few mouse clicks.
While I’ll be the first to agree software tools are great, we mustn’t lose site on the fundamentals.

As users, we have the ability to impact the system performance in any of the three key variables:
1. Redundancy (1oo1, 1oo2, 2oo2, 2oo3, etc.)
2. Component failure rate (dangerous vs safe)
3. Proof test interval (monthly, yearly, etc.)

I was challenged by a person whose belief was that two SIL 1 components could not, and would not make a SIL 2 design. This person had some experience plugging in the data, however the software tool that he was using was only yielding SIL 1.

Bottom line, we discovered his test interval was fixed (yearly) and that his redundancy was built for safety (1oo2), so we turned our focus on his component dangerous failure rate. Turns out, that the component dangerous failure rate was barely capable of achieving SIL1, with that being the case his statement was accurate, but if his dangerous failure rate dropped from .5 to .15 he would easily achieve SIL 2. It’s pretty easy to see for yourself, just use the equation for a 1oo2 design:
PFDavg = (λdu)2 *(TI)2/3
Where:
λdu = Dangerous undetected failure rate
TI = Manual test interval

Blow it up and they will come

Charles Fialkowski — Mon, 04 Aug 2008 20:25:00 GMT

Last week the Associated Press reported that an executive at the Imperial Sugar Co. testified at a hearing before the Senate Health, Education, Labor and Pensions subcommittee on workplace safety that he had found such "shocking" and "disgraceful" conditions at the Georgia plant last year that he warned his superiors that a fatal disaster was likely. A month later, an explosion ripped through the plant in Port Wentworth, GA, killing 13 workers and injuring dozens more.

The Occupational Safety and Health Administration (OSHA) have proposed nearly $9 million in fines against the sugar company for what is said were willful and egregious safety violations. Criminal charges are also being considered.

This unfortunate situation that happened at a sugar refinery should help to illustrate the potential impact incidents like this have and hopefully, help drive awareness around process safety and how seriously our federal government considers it.

This is for all of you naysayers out there who have thought to themselves…"I’ve been working here over 5 years, and not once have I seen an OSHA inspector". Consider yourself lucky (and now warned).

Process Safety BLOG goes Mainstream

Charles Fialkowski — Mon, 16 Jun 2008 21:01:00 GMT

Last week I was notified that my blog was getting picked up by a new website dedicated to Safety. Stay tuned, as www.Safetybase.com will be going live soon. It’s exciting to be a part of this new educational-based safety website dedicated to serve the safety needs of the general automation industry.

I’m honored to join this elite group of experts coming together to provide up-to-date ideas and information on for the changing landscape of process safety.

The website’s idea is simple, provide a single access point for obtaining critical safety information for both the process and machine industry.

Its design is community based, so information will be provided and shared by consultants, end-users and vendors to help you stay current on the latest advancements in safety. Get the safety information you need and enter into discussions with your peers – to leverage your knowledge base and maximize your productivity. If it’s about automation and machine safety – you’ll find it at SafetyBase.com.

Coming to the cyber world soon, check it out – www.SafetyBase.com and let me know what you think.

Update on the ISA84 Main Committee and Working Group meeting

Charles Fialkowski — Fri, 13 Jun 2008 17:15:00 GMT

Last week, about 40 process safety enthusiasts attended the spring 2008 S84 meeting in West Palm Beach, Florida.

The main committee meeting generally consists on brief updates on the individual working groups and the maintenance of the current ANSI/ISA S84.00.01 (IEC 61511 modified).

A couple topics that I thought were pretty interesting were the discussion on ongoing hardware fault tolerance requirements. I’ve blogged on this before and there’s some obvious concern over products that are reaching the market today claiming to have SIL 3 capabilities with no redundancy. I still think there is much confusion on this as one well respected end-user noted there dissatisfaction while trying a “new” transmitter claiming to provide high SIL levels, but caused them lot’s of problems with nuisance trips.
I still get aggravated with the misconception of safety and spurious trip rate. They are separate and have to be treated as such.

I’ll be the first person to say “yes, my company develops SIL 3 certified, non-redundant products, that will most likely have a higher spurious trip rate than a non-redundant, non-SIL certified device.” The ONLY way to combat the spurious trips is to add redundancy.

The other topic that puzzled me was the inaccurate statement made regarding the status of safety fieldbus. Again, it was erroneously stated that there was no safety fieldbus today for the process industries. Luckily, there were a few “informed” safety experts in the room that noted the existence of PROFISAFE and ASI-safe. I guess some people are still confused since FF-safety, has yet to be approved or released for safety communications.

I spent the rest of the meetings involved in Fire & Gas working group going over comments on the last draft we issued.

Introducing a non-redundant, redundant SIL 3 solution?

Charles Fialkowski — Tue, 03 Jun 2008 15:44:00 GMT

Last month, Siemens Energy and Automation released a new safety I/O card that claims to be the first Hart, Analog input, SIL 3
http://www2.sea.siemens.com/News/Industrial/First-SIL-3-Certified-Hart-Analog-Input-Module.htm

While some may find this as a break thru, it’s what I view as a direction of the industry. Siemens and other automation suppliers (Emerson, Yokogawa) have introduced and have been offering for several years now, “updated” safety systems, that don’t require redundancy to achieve high levels of safety. In the past, safety systems required dual, triple or even quadruple redundancy just to achieve high levels of safety. So what happened?

For starters, you need to have a clear understanding on what this means. These systems are designing safety into their core design. They no longer “need” additional hardware to internally compare with in order to achieve high safety levels. They utilized special designs with dedicated internal circuitry that can provided diagnostic coverage levels that had previously been not conceivable.

These advanced safety designs provide user benefits by increasing safety while allowing redundant architectures to perform the way they were intended to, prevention against nuisance trips. An additional benefit is that these systems are immune to system degradation where a conventional “voting” system, needed its redundant partner(s) to help provide high safety.

Another common misunderstanding is how these systems address field redundancy (sensors and final control elements). While I can’t speak for the Emerson or Yokogawa system, I do know for a fact that the new Siemens HART analog input module handles redundant field devices just like any dual, triple or quadruple redundant system would.

Treat your SIS better than Certified pre-owned

Charles Fialkowski — Tue, 06 May 2008 18:39:00 GMT

Last month we decided it was time to upgrade the old family car. After searching for several weeks, we decided on a very nice, 3 year-old, certified pre-owned. While I haven’t purchased a used vehicle in several years, I felt comfortable in this decision as the price was attractive, the warranty was extended, plus I had the assurance that this car had passed the manufactures’ grueling inspection.

After the first week of owning our new (used) car, I called the dealership to have them install one of those MP 3, auxiliary connections (a result of my purchase negotiations). While dropping off the car, I happened to mention the brakes were squeaking when lightly applying the brakes. I figured this was surely the result of new pads wearing in……. I mean they couldn’t “certify” a car with bad brakes? I had put less than 200 miles on the car, so it had to be something else, something minor, right?

The follow up call I got from the service manager answered that question. “Mr. Fialkowski, we replaced both front and rear brakes for you”. “No charge, it’s under warranty”. Boy was I glad to hear that…..

This experience had me wonder how end users in the process industry tackle their own certified Safety Instrumented Systems (SIS) tests. As most know, when we design an SIS we have to account that they system periodically, MUST BE TESTED. So how rigorous are we with carrying out these tests, would we allow something as critical as brakes slip under the cracks? Surely, we have developed exhaustive “punch-lists” that have been reviewed, validated and audited to minimize potential problems?

I once heard an end user state that when their technician tests their safety valve, it would not be uncommon to bang it with a wrench to “help it along”. If after this “adjustment” it moves to its “safe” position, he’ll note it as “test-passed”.

Makes me wonder just how my car could have passed this seemingly critical test, or am I just being too sensitive? I mean it was under warranty….I’m just thankful it wasn’t under critical circumstances.

Belts and Suspenders?

Charles Fialkowski — Fri, 07 Mar 2008 22:40:00 GMT

For so many years we have been trained (brainwashed) to believe more redundancy = more safety. While for some situations it’s true. Increase your level of redundancy your system will get better safety performance. However, if you do it WRONG, it’s a proven fact (not just me spouting off) your safety performance will degrade.

This week I ran into a very smart person, who just happened to say the dumbest thing all day. “We needed safety, so we made the thing redundant”.

My dad used to say to me “It’s like polishing the brass when the ships sinking”. If your going to do something, make sure its really worthwhile, otherwise you just wasting your time.

Does past experience equal Prior Use?

Charles Fialkowski — Tue, 26 Feb 2008 19:02:00 GMT

So you’re faced with the question of whether that trusty old transmitter you’ve been using as part of your safety shutdown system can meet the “prior use” requirements described in Section 11.5.3 of ANSI/ISA-84.00.01-2004 (IEC 61511-1 Mod).

Prior use, or Proven-in-use, is defined as a documented assessment showing there is appropriate evidence, based on the previous use of the component, that the component is suitable for use in a safety instrumented system.

Let’s focus on the question “how much operating experience is required to make sure a product has enough safety integrity?”

Lucky for us, IEC 61508 provides specific details on this.

For a given component’s version level IEC 61508 suggests 100,000 unit hours for components targeted for SIL 1 applications and 10 million unit hours for components targeted for SIL 3 applications. Along with the operating hours, one must also provide documented proof test results for all detected dangerous failures.

Of course there’s a lot more discussion on ISA’s web site in an article written by Bill Goble. www.isa.org

Not Worth A SFF

Charles Fialkowski — Wed, 06 Feb 2008 15:12:00 GMT

In attending last week’s 63rd Annual Texas A&M Instrumentation symposium, I was shocked to hear from a well respected safety expert that SFF (Safe failure fraction) was a failed metric. No explanation, just that SFF was pretty much useless, followed by a cackle. I really hate when people make profound statements like this, with no reasoning or justification behind it. I felt as if the audience was just bullied into this person’s position, and all were just too intimidated to challenge it. So what’s wrong with SFF?

SFF is defined in ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod), as the fraction of the overall random hardware failure rate of a device that results in either a safe failure or a detected dangerous failure. It’s sole purpose was to help prevent over optimistic SIL claims by equipment manufactures, and helped to determine the required fault tolerance of your SIS (safety instrumented system).

While I didn’t get a chance to follow up directly with the individual, I’m pretty sure the argument has something to do with how your system actually responds to a detected dangerous fault. If your system detects a dangerous fault within itself, does it automatically shutdown your process, or just alarm the operator? If it’s the latter, than the SFF’s pretty much a failed metric.

Chose the Right SIL

Charles Fialkowski — Thu, 17 Jan 2008 15:58:00 GMT

Did you know that fatal automobile accidents in the USA would drop considerably if drivers (and passengers) wore approved protective headgear and flack jackets? While that might seem pretty obvious, it’s just not practical. For years automation suppliers have developed SIL 3 logic solvers, but rarely do they get implemented as such. I’ve personally witnessed users argue the need to have a triple modular redundant (TMR) SIL 3 safety logic solver only to be configured with a non-redundant, non-certified transmitter and valve. That’s like putting bicycle tires on your sports car.

So what SIL level should you chose? That’s a question NOBODY can just answer, even if they are “claimed” experts on your particular application. Instead, you will need to treat each application uniquely, evaluating all possible protection layers that exist for that particular unit. While this may seem tedious, it’s one of the best ways to answer that question. Even the most hazardous applications, might seem SIL 3 worthy, however a thorough analysis might deem a SIL 2 solution, saving you money on both equipment and maintenance. A number of study’s I’m familiar with have shown that more often we tend to over design than under design. Sure it seems safer, but really, who wants to drive around in their fancy sports car wearing their kids skateboard protective gear?

Wait for the BUS or go Old School

Charles Fialkowski — Fri, 21 Dec 2007 20:53:00 GMT

Here it is Friday, December 21, 2007 about 2:30pm, while most process safety specialists and marketing managers are enjoying the tidings; I just had to get something off my chest before I begin my holiday break.

I was hoping to make my 2008 Process Safety predictions but I find myself still pontificating on what next year will bring. So we’ll table that discussion (for now), and I’ll share with you another interesting discussion I just had.

A gentleman from the ISA safety list was inquiring about the speed of response for analog devices over Profibus/profisafe. At first he was concerned if the response time was sufficient for his high speed requirements. I’m not sure he liked my answer, because he kept responding that it wasn’t good enough. So what was good enough I inquired?

It’s been understood for years that pure electrical signals (i.e. 4-20ma) travel near the speed of light while a digital protocol is tracked at a specific baud rate (no where near the speed of light). No one would argue that, however I just wanted to make certain we also considered the device itself.

I went on to explain that a discrete device takes about 10ms to get the signal “on the wire” where an analog device is closer to 200ms. Now if you want to consider using digital communication, you will need to add the lag time for that as well. Profibus PA has about a 10ms overhead with an additional 10ms per device on the segment. So for example, if you wire 10 devices on a PROFIBUS drop, you can estimate that it will take 110ms response time on the wire. Now you add the device time (200ms) and the bus time (110ms) and it takes a little over 300ms for the signal to reach your control system.

Of course that’s just the half of it, because now your control system has to process the signal and drive their outputs (and that could take SECONDS).

So the choice should be easy, if the BUS isn’t fast enough, go Old School.

Merry Christmas and Happy New Year to all.

Charlie

Attention all safety product listings

Charles Fialkowski — Fri, 30 Nov 2007 19:50:00 GMT

I received an e-mail inquiring about a product being “listed” or not, which made me stop and think about how far we have come in the past 10 years regarding safety systems and their “type” of certification.

The term “listed” means equipment or materials included in a list published by an organization engaged in product evaluation, that maintains periodic inspection of production of listed equipment or materials, and whose listing states either that the equipment or material meets appropriate standards or has been tested and found suitable for use in a specified manner.

While “listed” might sound appropriate for some, many safety experts would argue that today, it’s not enough. Since the release of the International Electrotechnical commission (IEC) 61508 – Functional Safety – Safety Related Systems in 2000, safety performance criteria is now better defined in the terms of SIL (safety integrity levels).

Hopefully you can appreciate that today’s safety products need to meet two key requirements (i.e. functional and performance). Functional requirements will describe what the product is supposed to do, while performance requirements define just how well it’s supposed to do it.

Take for example one of your NFPA 85 standards. Along with the functional requirements, this standard also describes about 10 types of system failures (Failure effects). Worse yet, it states that the system logic designer (i.e. your system integrator) needs to ensure that these failures are covered. While I agree it was a good attempt, it by no means describes how “good” the detection of these failures has to be. That’s pretty much what “listed” gets you these days.

What the SIL are you talking about?

Charles Fialkowski — Fri, 26 Oct 2007 19:14:00 GMT

Have you had a chance to catch Bill Goble’s Hydrocarbon Processing (October 2007 issue) editorial titled “Still not using a safety PLC?”

Essentially Bill addresses the question of whether you can use conventional equipment (PLC or DCS) in compliance to ISA 84.00.01-2004 (IEC 61511 Mod.)? I think he did a nice job summing it up as follows:

SIL 3, must be certified to IEC 61508

SIL 2, maybe, if it’s accompanied with a formal assessment (not very practical) SIL 1, okay with justifying documentation

Bottom line, a safety PLC is required for all but SIL 1, and even with that comes baggage, makes one wonder why anyone would elect to go outside the slew of certified offerings.

Running to Destruction

Charles Fialkowski — Fri, 05 Oct 2007 20:01:00 GMT

Was not the response I was expecting to hear from an audience member during my presentation on new SIS (safety instrumented system) hardware development at this week’s ISA Expo. He obviously was concerned over my suggestion that with new SIS technology there’s no degradation of safety when you have a partial shutdown and, well in his words “run to destruction”. I wasn’t sure how to respond, as my objective during this 30 minute talk, was to address how some new SIS technologies are available that actually increase safety. As with any new concept, there’s bound to be objections, but this particular phrase just caught me off guard….hmm….so let me try to explain….

In the past, redundant systems were necessary to achieve both safety and availability. Marketing hype took over, and confused the industry with just how much redundancy (dual, triple or even quadruple) was really necessary, and what were the actual benefits.

Understanding the history, I wanted to tell a story. So I started by going back to the 1980’s where TMR (Triple Modular Redundancy) was born, then in the 1990’s with the advances of the microprocessor, it was now possible to get diagnostics allowing you to (arguably) get the same level of safety and availability, with less redundancy, while saving money.

Regardless of what level of redundancy you bought into, the fact still remained - if your system degraded from triple, to dual, (or dual to single) your level of safety would be negatively impacted. While it might be well known, there was concern that this mode degraded operation was often overlooked and needed to be addressed within a reasonable amount of time.

Today there are a couple of new SIS’s touting that they offer the highest level of safety (SIL 3) without the need for redundancy. To avoid a nuisance trip, redundancy could be added to enable the system to become fault tolerant. So what happens if your system experiences a component failure? You would hope that it would maintain its safety rating, and expect that somehow, something “else” is degraded, right?

While I was not suggesting anyone “run to destruction”, I was suggesting that it might be a better scenario to maintain safety at the expense of availability particularly during those short stints when you are running degraded.