IEC-61508 Implementing a Compliance Program
Pharmaceuticals

Overview
• Motivation
• Education
• Implementation
Motivation
• Do you or your company believe in the infallibility of engineered systems?

Motivation
• Roche Ireland does not have this delusion
• 25+ years of operational experience
• Including some close calls
• Reality has motivated our safety culture.
Education
Much of the rest of this presentation has been generated from training presentations given in Roche Ireland to:
• Management
• Process Engineering
• Instrument / Electrical Engineering
Education
Need to educate yourself:
• Guidelines for Safe Automation of Chemical Processes (CCPS/AIChE)
• ISA S84
• Functional Safety (Smith & Simpson)
• IBC conferences
• Various WWW resources (exida, sis-tech, etc.)

IEC-61508, SOP 973
• Functional safety of electrical / electronic / programmable electronic safety-related systems.
• Critical protective equipment - Safety Instrumented Systems
IEC-61508, SOP 973
Safety requires protection from hazards of different causes (movement, heat, radiation, electric shock, etc.). "Functional safety" means protection from hazards due to incorrect functioning.
[Diagram: "Protection against ..." with branches for heat, radiation, electrical shock and hazards due to incorrect function; only the last branch is functional safety.]
IEC-61508 Will Affect:
• Process Engineers
• Instrument/Electrical Designers
• Mechanical Engineering
• Commissioning: extra effort
• Documentation: extra effort
IEC-61508 is legally vague
• Not legislation
• Meets the 'reasonably practicable' duty
• Safety, Health and Welfare at Work Act, 1989
• Have to put in place a compliance program.
RISK Reduction - ALARP
• As low as reasonably practicable.
• IEC 61508 is based on the ALARP concept.
• ALARP concerns a region of risk.
• Risk is an emotive and irrational thing.
• Commonly accepted values are:
  upper limit 1 × 10⁻⁴ deaths per year
  lower limit 1 × 10⁻⁶ deaths per year
[Figure 65-1: risk (deaths/year) on the vertical axis; intolerable region above 1 × 10⁻⁴, ALARP region between 1 × 10⁻⁴ and 1 × 10⁻⁶, negligible risk below 1 × 10⁻⁶.]
Safety life cycle - milestone approach
• The ISA S84 life cycle is depicted in Fig 65-3.
• ISA S84 focuses on Box 9 of the IEC 61508 overall safety life cycle (realisation of the E/E/PE safety-related system).
[Figure 64-1: layers of protection – passive systems layer, active systems layer and control systems layer, with the elements intrinsic safety, ESD, F&G, alarms, trips & interlocks, alarm handling and diagnostics.]

Figure 65-3: Safety life cycle (ISA S84 milestone approach)
Start
1 Conceptual process design
2 Perform process HAZAN & risk assessment
3 Apply Category 0 protection systems to prevent hazards & reduce risk
4 Are any Category 1 protection systems required? (yes/no decision)
5 Define target safety integrity levels (SIL)
6 Develop safety requirements specification (SRS)
7 Conceptual design of active protection systems & verify against SRS
8 Detailed design of protection system
9 & 10 Installation, commissioning and pre-start-up acceptance testing
11 Establish operating & maintenance procedures
12 Pre-start-up safety review
13 Protection system start-up, maintenance & periodic testing
14 Modify protection system? (yes/no decision)
15 Decommission system
End
Process Engineering
• First stage of realisation of high-integrity safety instrumented systems
• Modified PHA
• Feeds into SRS
• Based on good process data & good process judgement.
Process Chemistry
• Carius tube test for decomposition
• Pressure Dewar calorimetry
• Understanding of exotherms
• Knowledge of onset temperatures
• (Chilworth)
Process Engineering
• Good process judgement.
• HAZOP
• Margins of safety
Hazard identification, Interlock Identification
• Reactant being transferred in from Reactor 1 without agitation could accumulate & react in a sudden, violent manner.
• Reactor 2 inlet valve 205 should OPEN only if the agitator is ON.

Hazard identification, Interlock Identification
• Simplified technique.
• MIL-STD-882
Consequences
• The consequence of this is overpressure, loss of batch, over-temperature, possible destruction of the vessel.
• 1 week downtime to recover.
• Fatality or serious injury unlikely.
• Critical (C2)

Occupancy factor
• Building is continually occupied
• (F2)

Manual Avoidance factor
• There is quite a good chance of an operator observing that something is going wrong & intervening successfully.
• (P1)

Unmitigated demand rate
• Likely to occur once every 5 years.
• Occasional
• The process is DCS automated.
• DCS is not a SIS – no SIL rating.
• DCS control reduces the frequency of unmitigated demand.
• (W2)
Risk graph (EN 954 approach)
Start at the left with the consequence parameter (C1, least severe, to C4, most severe), branch on occupancy (F1/F2) and manual avoidance (P1/P2), and read the required SIL from the column for the demand rate W3 (highest), W2 or W1. Rows run from least risk (top) to most risk (bottom); cells lost in extraction are shown as "?", blank cells had no entry:
     W3  W2  W1
     ?
     1   ?
     1   1   ?
     2   1   1
     3   2   1
     3   3   2
     4   3   3
     ?   4   3
ROCHE IRELAND LIMITED – POLICIES AND PROCEDURES
Index: SOP 973   Attachment: 3.001   Page: 1 of 1
Issued: 17/07/2002   Supersedes: None   Section: Engineering
Written by: [blank]   Approved by: [blank]
Subject: Safety Instrumented System – Safety Integrity Determination
Rating of the SIL required for a SIS, as per IEC 61508 Section 5, Table E.1 & as per Roche K9
Matrix dimension: Number of Independent Protections
[SOP 973 risk matrix body: rows are event frequency (Frequent, Moderate, Occasional, Rare, Unlikely, V Unlikely); columns are event consequence (Catastrophic, Critical, Marginal, Negligible), each split into People, Environment and Business; the number of independent protections is the third dimension. Cells give the SIL required for the SIS (1, 2 or 3); the other cell marks ("x" and a partly illegible "?1") cannot be recovered from the extraction.]

Consequence categories (SOP 973)
Catastrophic
  People: fatalities > 1
  Environment: significant loss to offsite environment; indictable breach of licence
  Business: loss > €8 million; interruption > 1 month
Critical
  People: serious injuries (permanent damage); multiple lost time accidents
  Environment: only site area affected; serious breach of licence
  Business: loss €200 thousand to €8 million; site interruption > 1 week
Marginal
  People: lost time accident
  Environment: only site area affected; minor breach of licence
  Business: loss €5 thousand to €200 thousand; interruption 1 day to 1 week
Negligible
  People: minor injuries
  Environment: negligible effect on environment
  Business: loss < €5 thousand; interruption < 1 day

Frequency categories (SOP 973)
Frequent: once per month
Moderate: once per year
Occasional: once per 5 years
Rare: once per 20 years
Unlikely: once per 100 years
V Unlikely: once per 1000 years
Roche Consequences
Rating of consequences
Class I – catastrophic
  People: fatalities, evacuation outside the site area
  Environment: irreversible, long-term damage outside the site area
  Business: loss > 10 mio. US$; interruption > 6 months; image severely damaged, > 1 week, national
Class II – critical
  People: serious injuries, irritations outside the site area
  Environment: reversible, short-term damage outside the site area
  Business: loss < 10 mio. US$; interruption > 2 weeks; image damaged, > 1 week, regional
Class III – marginal
  People: minor injuries, nuisance outside the site area
  Environment: only site area affected
  Business: loss < 1 mio. US$; interruption 2 days to 2 weeks; image < 1 week, local
Class IV – negligible
  People: no effects
  Environment: no effects
  Business: loss < 100'000 US$; interruption < 2 days; image: no effects
Roche 'unmitigated' demand rate
Rating of probability
A – frequent: once a year or more
B – moderate: once in 5 years
C – occasional: once in 10 years
D – rare: once in 25 years (e.g. once in the life cycle of the system)
E – unlikely: once in 100 years (e.g. once in the life cycle of a site)
F – very unlikely: once in 1'000 years or less (e.g. once in the life cycle of Roche or less)
Instrument / Electrical Design
• Second stage of realisation of high-integrity safety instrumented systems
• Modified instrument design
• Modified instrument commissioning
• Feeds into SRS
Table 65-1: Safety integrity levels
SIL | Hazard reduction factor (HRF) | PFD (fractional) | Availability A (fractional) | Failure rate (failures per hr)
1 | > 10¹ | 10⁻¹ to 10⁻² | 0.9 to 0.99 | 10⁻⁵ to 10⁻⁶
2 | > 10² | 10⁻² to 10⁻³ | 0.99 to 0.999 | 10⁻⁶ to 10⁻⁷
3 | > 10³ | 10⁻³ to 10⁻⁴ | 0.999 to 0.9999 | 10⁻⁷ to 10⁻⁸
4 | > 10⁴ | 10⁻⁴ to 10⁻⁵ | 0.9999 to 0.99999 | 10⁻⁸ to 10⁻⁹
(HRF, PFD and availability apply to the demand mode of operation; the failure rate column applies to continuous mode.)
Equipment implications
• The SIL value is a measure of the quality of the protection system, end to end.
• The system has to be designed, specified, built and maintained to that standard.
• Proof testing at regular intervals
• Conformance assessment for safety systems
PFD Calculation
• Simplified equation
• ISA-TR84.00.02-2002 Part 2
• Equation B.34 – rare event approximation
• "Adequate" for SIL 1 or 2, where the plant is well controlled and well maintained, the process is understood, and the engineering is conservative with good mechanical integrity
PFD Calc. Motion Sensor
• MTBF = mean (average) time between failures
• Information provided by the vendor.
• MTBF = 86 years

PFD Calc. Motion Sensor
Failures can be
• fail to danger (falsely shows the agitator moving) or
• fail to safe (falsely shows the agitator stopped)
• The aim of good design is to maximise fail to safe and minimise fail to danger. The failure mode split (FMS) is the fraction of failures in the fail-to-danger category.
• Failure mode split = .1 (SA estimate)

PFD Calc. Motion Sensor
• Proof test interval = 1 year (8760 hours)
• Time between re-tests of the interlock.
• Need to be genuine tests

PFD Calc. Motion Sensor
• 86 years × 8760 hours/year = 753,360 hours (MTBF in hours)
• λ = 1/MTBF = 1.33 E-6 failures per hour
• FMS = .1
• Proof test interval = 1 year (8760 hours)
• PFD(SS) = 1.33 E-6 × .1 × 1 × (8760/2)
• PFD(SS) = .0006

PFD Calc. Barrier 6
• MTBF = 4 years
• Failure mode split = .4
• Proof test interval = 1 year (8760 hours)
• λ = 1/MTBF = 2.85 E-5 failures per hour
• PFD(B6) = 2.85 E-5 × .4 × 1 × (8760/2)
• PFD(B6) = .0500

PFD Calc. Relay 5
• MTBF = 100 years
• Failure mode split = .01
• Proof test interval = 1 year (8760 hours)
• λ = 1/MTBF = 1.14 E-6 failures per hour
• PFD(R5) = 1.14 E-6 × .01 × 1 × (8760/2)
• PFD(R5) = .00005

PFD Calc. Main Barrier
• MTBF = 10 years
• Failure mode split = .9
• Proof test interval = 1 day (24 hours)
• λ = 1/MTBF = 1.14 E-5 failures per hour
• PFD(MB) = 1.14 E-5 × .9 × 1 × (24/2)
• PFD(MB) = .00012

PFD Calc. Solenoid
• MTBF = 10 years
• Failure mode split = .4
• Proof test interval = 1 day (24 hours)
• λ = 1/MTBF = 1.14 E-5 failures per hour
• PFD(SOL) = 1.14 E-5 × .4 × 1 × (24/2)
• PFD(SOL) = .00005

PFD Calc. Valve & Actuator
• MTBF = 10 years
• Failure mode split = .2
• Proof test interval = 1 day (24 hours)
• λ = 1/MTBF = 1.14 E-5 failures per hour
• PFD(VA) = 1.14 E-5 × .2 × 1 × (24/2)
• PFD(VA) = .00003

PFD Calc. Overall
• PFD(VA) = .00003
• PFD(SOL) = .00005
• PFD(MB) = .00012
• PFD(R5) = .00005
• PFD(B6) = .0500
• PFD(SS) = .0006
• PFD = Σ PFD(i) ≈ .051 => SIL 1
• Barrier 6 (MTBF 4 years, FMS .4, tested yearly) accounts for almost all of the loop PFD.
[PFD mapping chart: bar chart of the element PFDs (instrument, barrier, relay, logic, barrier, valve) and the overall loop PFD against the SIL 1 limit (Σ PFD = 10%) and the SIL 2 limit (Σ PFD = 1%).]
PFD Calc. Issues
• Elements in series: U_SYS = Σ U_i   (62-16)
• Elements in parallel: U_SYS = Π U_i   (62-17)
• Common cause failure: λ_SYS = λ_IND + β · λ_MAX   (62-18)
• Voting systems: U_KooN ≈ n · U^k   (62-19)
• For more complex systems – Fault Tree Analysis using ISA-TR84.00.02-2002 Part 3.
• "Probabilistic Risk Assessment" – Henley, E J
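The arithmetic on the PFD slides above and the series / parallel / common-cause / voting rules of this slide, carried through in Python as an added worked example (this is not code from the Roche deck or from ISA-TR84.00.02). The MTBF, failure-mode-split and proof-test-interval figures are the slides' own; the element labels, the 1oo1 architecture assumed for each element, the treatment of the slides' extra factor of 1 as a unit multiplier, and the binomial form of the voting rule (of which the slide's n · U^k is the 2oo3 case) are my assumptions. The exact 1oo1 unavailability is included only to show how far the rare-event approximation is off for the worst element in the loop.

```python
"""Rare-event PFD arithmetic for a low-demand SIS loop (added example, not from the deck)."""
from dataclasses import dataclass
from math import comb, exp, prod

HOURS_PER_YEAR = 8760

# Table 65-1, demand mode: SIL -> PFD band [low, high).
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass(frozen=True)
class Element:
    name: str           # label assumed for the example
    mtbf_years: float   # vendor MTBF, as on the slides
    fms: float          # failure mode split: share of failures that are fail-to-danger
    ti_hours: float     # proof test interval in hours

    @property
    def lambda_total(self) -> float:
        """Total failure rate in failures/hour: lambda = 1 / MTBF."""
        return 1.0 / (self.mtbf_years * HOURS_PER_YEAR)

    @property
    def lambda_du(self) -> float:
        """Dangerous failure rate; only the fail-to-danger share contributes to PFD."""
        return self.lambda_total * self.fms

    def pfd_rare_event(self) -> float:
        """ISA-TR84.00.02 Part 2 rare-event approximation for a 1oo1 element:
        PFDavg ~= lambda_DU * TI / 2 (the slides' extra factor of 1 is a unit multiplier)."""
        return self.lambda_du * self.ti_hours / 2

    def pfd_exact(self) -> float:
        """Exact average unavailability over one test interval, 1 - (1 - e^-x)/x with
        x = lambda_DU * TI; shows how much the linear approximation overstates."""
        x = self.lambda_du * self.ti_hours
        return 0.0 if x == 0 else 1.0 - (1.0 - exp(-x)) / x


# The six loop elements and figures from the slides (agitator motion sensor to valve).
LOOP = (
    Element("Motion sensor (SS)", 86, 0.10, 8760),
    Element("Barrier 6 (B6)", 4, 0.40, 8760),
    Element("Relay 5 (R5)", 100, 0.01, 8760),
    Element("Main barrier (MB)", 10, 0.90, 24),
    Element("Solenoid (SOL)", 10, 0.40, 24),
    Element("Valve & actuator (VA)", 10, 0.20, 24),
)


def pfd_series(pfds) -> float:
    """Eq. 62-16: elements in series (any one failing defeats the function) add."""
    return sum(pfds)


def pfd_parallel(pfds) -> float:
    """Eq. 62-17: independent redundant elements (all must fail) multiply."""
    return prod(pfds)


def lambda_common_cause(lambda_independent: float, beta: float, lambda_max: float) -> float:
    """Eq. 62-18, beta-factor model: lambda_SYS = lambda_IND + beta * lambda_MAX."""
    return lambda_independent + beta * lambda_max


def pfd_koon(k: int, n: int, u: float) -> float:
    """KooN voting (k of n channels must work): the function is lost once n-k+1 channels
    have failed, so PFD ~= C(n, n-k+1) * u**(n-k+1). 2oo3 gives 3*u**2, the slide's
    n * U**k form; 1oo2 gives u**2, i.e. the parallel rule."""
    failures_to_defeat = n - k + 1
    return comb(n, failures_to_defeat) * u ** failures_to_defeat


def sil_from_pfd(pfd: float):
    """Map a demand-mode PFD onto Table 65-1: 0 means too high for SIL 1,
    None means below the SIL 4 band."""
    if pfd >= 1e-1:
        return 0
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


def loop_pfd() -> float:
    """Overall loop PFD: the six elements are in series."""
    return pfd_series(e.pfd_rare_event() for e in LOOP)


def dominant_element() -> str:
    """Name of the element contributing most to the loop PFD."""
    return max(LOOP, key=lambda e: e.pfd_rare_event()).name


if __name__ == "__main__":
    for e in LOOP:
        print(f"{e.name:24s} lambda={e.lambda_total:.2e}/h  PFD={e.pfd_rare_event():.2e}")
    total = loop_pfd()
    print(f"Loop PFD = {total:.4f} -> SIL {sil_from_pfd(total)}, dominated by {dominant_element()}")
    b6 = LOOP[1]
    print(f"Barrier 6: approx {b6.pfd_rare_event():.4f} vs exact {b6.pfd_exact():.4f}")
    print(f"2oo3 with U=0.05: {pfd_koon(2, 3, 0.05):.4f}; 1oo2: {pfd_koon(1, 2, 0.05):.4f}")
```

Run as a script it lists each element's failure rate and PFD, the loop total and its SIL, and the Barrier 6 comparison. The design point worth noticing is that Barrier 6 alone (λ_DU × TI = 0.1) sits at the edge of where the rare-event approximation is still "adequate"; for the daily-tested elements the approximation error is negligible, and the loop lands in SIL 1 with Barrier 6 contributing about 98% of the total.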
Design issues
• Roche have decided that the valve & actuator may be shared for SIL 1 only.
• SIS & BPCS share barrier, solenoid, actuator & valve. This is not recommended.
• The solenoid has a local SMO, which might be OK for normal operation, but not for the SIS.
Design issues
• ##### ####-# type barrier not recommended (TTL logic switching – independent energy source)
• No clear indication on the loop sheet or in the field of the safety-critical nature of instruments

Design issues
• Design of the periodic re-test method is the instrument designer's responsibility.
• This would help facilitate periodic testing
• Loop sheet to indicate the safety-critical nature of instruments
Improvement suggestions
• SIS to actuate a solenoid in the panel, which controls the air supply to the shutoff valve & control valve
• High-energy panel-mount solenoid, not an IS pilot-operated solenoid => more 'suitable' for SIS
• Control valve should have a positioner suitable for SIS

Loop sheet modifications
Commissioning Aspects
• IQ / OQ + proof testing of the safety function
• Validation of the re-test method
• Loop sheet to indicate the safety-critical nature of instruments
• Field marking
Machine / Package Design
• The supplier might have correctly designed the safety engineering.
• That does not mean it reaches the standard.
• Modified instrument/electrical design
• Modified instrument/electrical commissioning
• Feeds into SRS
Machine / Package Design
• E Ex d motor – surface temperature limits
• Variable speed drive:
• Never below 10 Hz
• Always with thermistor protection

Machine / Package Design
• Thermistor relay
Maintenance
• A vital part of ensuring the safety function remains intact.
• Will have to re-test interlocks on a periodic basis.
• Will need to follow the methods set out during the instrument/electrical design stage.
• Care required in effecting changes to the loop when in use.

Safety Requirements Spec
• The document which brings together the design thread.
• Started by the Process Engineering group
• Continued by the Instrument / Electrical Engineering group
• Reviewed by the Safety Engineering group.
• Live document until the pre-start safety review.
New skills
• A different way of thinking: defence in depth, layers of protection
• Risk analysis
• Basic statistics
• Fault tree analysis

6 June 1967