Another look at Integrated Safety What is it again?

Presentation transcript:

Another look at Integrated Safety: What is it again?
Luis Duran, Product Marketing Manager Safety Systems, Dec 2011
© ABB Group September 21, 2018 | Slide 1

Agenda
• Access to critical information for efficient decision making
• Independent Protection Layers
• Interface vs. Integrate
• Safety Standards and Integration
• Advantages of Integration over Interfaces
• Integration of Field Devices and Final Elements
• Effective response to Abnormal Conditions
• Human Factors, the engineering responsibility
• Conclusions

It is about access to information…

Seamlessly and in context

From Independent Protection Layers (IPL)
Protection layers, innermost to outermost: Process variable, BPCS, Alarms (operator intervention), SIS (automatic), Safety relief valve / rupture disk, etc., Containment (dike, bunker, etc.), Plant response, Community response
• Each IPL must independently protect against the hazard it is designed to safeguard
• A hazard occurs when a layer fails to respond to the process demand
• The objective of the SIS IPL must be maintained

Functional and independent systems shouldn’t mean...

Interface Control & Safety System! Why?
Diagram: the same protection layers (Process variable, BPCS, Alarms / operator intervention, automatic SIS, safety relief valve / rupture disk, containment / dike / bunker, plant response, community response), with the Control System (C) and the Safety System (S) connected through a Safety System Interface and physically separated

What is an Interfaced Control & Safety System?
Diagram: Remote Clients, Engineering Workplaces and Workplace on System Servers and the Control Network; Process Automation and Safety joined only through a Communication Interface
SIS operation shall not be dangerously affected by failures, operation or maintenance of the BPCS

What are the requirements for such an “Interface”?
Integrated Control and Safety Systems (ICSS) need:
• Bypass & Override
• Management of Change
• Audit Trail
• Safety Related Alarms & Events
• Access Control
• SIS Health Information
• Write Protection
• Operation Confirmation
Diagram: Engineering Workplaces, Workplace and System Servers on the Control Network; Process Automation and Safety controllers on the Module Bus
Additional information on the TUV cooperation website: www.tuv-fs.com

IEC 61511 Part 1, 9.5.1: The design of the protection layers shall be assessed to ensure that the likelihood of common cause, common mode and dependent failures between protection layers and between protection layers and the BPCS are sufficiently low in comparison to the overall safety integrity requirements of the protection layers. The assessment may be qualitative or quantitative. Source: IEC 61511

From IEC 61511 Part 2
• Diversity of design and physical separation are two effective methods of reducing the likelihood of common cause failures. This is usually the preferred approach.
• 9.5.2: Physical separation will reduce the impact of common cause failures due to physical causes.
• 11.2.4: Physical separation between BPCS and SIS may not be necessary provided independence is maintained, and the equipment arrangements and the procedures applied ensure the SIS will not be dangerously affected by failures of the BPCS.
Source: IEC 61511

The Advantage of Integrated vs. Interfaced
• Potential common causes are analyzed and minimized during the design phase by the product development team, and independently reviewed by the assessor during certification of the product
• Access control is implemented as a standard off-the-shelf feature, including write protection and bypass and override mechanisms
• Integrated testing is performed during the design validation and verification test, which also includes Network Security as part of the test protocol
• Version control, compatibility and interoperability testing are all part of the release procedure

Security: System Security and Embedded Firewalls
Provides functions for protection of SIL-classified applications in AC 800M HI controllers:
• SIL Access Control and Authorization
• Force Control / Override Control / Bypass Management
• Confirmed Online Write / Confirmed Operation
Embedded firewalls and confirmation procedures protect the SIL application from inadvertent or accidental control actions.

Access Management
Access Management is a set of functions that may be divided into the two following main branches:
• Access Control
• Override Control

Access Control
An AC 800M HI controller needs to be able to communicate with other safety controllers and with process control systems on the same network. This enables use of common HSI facilities and introduces the possibility of also connecting external equipment used in process operation and production monitoring to the safety system. Undesired access must therefore be prevented by implementing an access control function.

User Re-authentication and Double Authentication
Re-authentication can optionally be used for critical operations such as writes to the control system, batch operations, and configuration changes. This option forces the user to re-supply his/her user credentials before the operation is executed. Double authentication may also optionally be used. In this case an additional person who has the respective secondary authentication authority has to give a username and password in order to approve the operation. (Note: user re-authentication and double authentication are, together with user log-over (see User log-over on page 42), called Advanced Access Control in price lists, etc.)

Override Control
The use of override functions in safety-related equipment introduces a potential hazard to the installation and to the people it is designed to secure. Any force of a safety-critical input or output represents a degradation of the safety level and a possibility for failure on demand.
Nevertheless, such functions are necessary to gain a reasonable availability of the process. All field equipment needs maintenance or replacement at regular intervals, and this is included in the design of the safety system regarding e.g. the number, wiring and location of field instruments. In these cases the safety level may be maintained by other measures while necessary maintenance operations are carried out. Access Management enables project/application-specific configuration of the appropriate level of restrictions on operation of the AC 800M HI controllers and has the following functionality:
• Setting forced I/O points in an application is restricted by the access control mechanisms; the override control restricts the number of concurrent forced I/O points
• User-configurable maximum number of forced I/O points in the application when programming a SIL application in Control Builder M
• The Access Management system software keeps track of the number of forced I/O points for each application and makes the figures visible
• If the maximum number of forced I/O points is reached, the user is notified by a system event and the force is not set
• System event or alarm upon force (operator write actions)
• Audit trail

Access Control to SIL applications includes functionality for configuration, operations and maintenance. When designing a SIL application, each safety object is given an applicable access level: Read Only, Confirm, or Confirm and Access Enable. In Operations, these SIL access levels are automatically enabled. However, for the highest access level a physical input must be enabled to secure authorized access. When Access Enable is active, permission is given to make online changes in the SIL application. Confirm Operation, together with Access Control, is the embedded firewall mechanism for safe access to object variables during operation and maintenance.

Force Control, Override Control, or Bypass Management functionality is necessary to maintain availability of the process in many situations, for example during automatic startup or maintenance of SIS-related field equipment. The Force Control in the AC 800xA HI follows the lifecycle of the SIS. During design of a SIL application, the safety engineer defines the maximum number of concurrent forced inputs and outputs. During operations and maintenance, the Access Management software keeps track of the active number of forced I/O points. This information is presented via the safety operator's personalized workplace. To meet regulatory compliance, a Digital Input is embedded in the SIS for Reset of all forces. In case it is not possible to reset, the operator may reset all forces through the workplace. An output “Any Force Active” feedback signal is also available.
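The force-control mechanism described above (per-object access levels, re-authentication and optional double authentication, a design-time maximum of concurrent forces, a system event when that maximum is reached, an audit trail, a reset-all input and an "Any Force Active" output) is easier to reason about as executable logic. The following is an added toy model written for this page; it is not ABB's code and none of the class, method or tag names (SilApplication, set_force, LT101, the "sop"/"seng" accounts) are real identifiers. The model treats double authentication as mandatory for the highest access level, which the slide presents as an option.

```python
"""Toy model of SIL access control and force (override) management.

Constructed illustration, not ABB's API: per-object access levels
(Read Only / Confirm / Confirm and Access Enable), user re-authentication,
double authentication for the highest level, a configured maximum number
of concurrent forced I/O points, system events, an audit trail, a
reset-all input and the "Any Force Active" feedback signal.
"""
import hmac
from dataclasses import dataclass
from enum import Enum


class AccessLevel(Enum):
    READ_ONLY = 1                  # never writable online
    CONFIRM = 2                    # write requires re-authentication
    CONFIRM_AND_ACCESS_ENABLE = 3  # plus the physical Access Enable input


@dataclass
class SafetyObject:
    name: str
    access_level: AccessLevel
    forced: bool = False


class AccessDenied(Exception):
    pass


class SilApplication:
    def __init__(self, objects, max_forces, credentials, require_double_auth=True):
        self.objects = {o.name: o for o in objects}
        self.max_forces = max_forces          # fixed by the safety engineer at design time
        self._credentials = credentials       # constructed user -> password store
        self.require_double_auth = require_double_auth
        self.access_enable = False            # models the physical Access Enable input
        self.audit_trail = []                 # (actor, action, object) in order
        self.events = []                      # system events / alarms

    def _authenticate(self, user, password):
        expected = self._credentials.get(user)
        if expected is None or password is None:
            return False
        return hmac.compare_digest(expected, password)

    def _event(self, text):
        self.events.append(text)

    def active_forces(self):
        return sum(1 for o in self.objects.values() if o.forced)

    def any_force_active(self):
        """The 'Any Force Active' feedback signal."""
        return self.active_forces() > 0

    def set_force(self, name, user, password, second_user=None, second_password=None):
        """Try to force one I/O point. Returns True if the force is now set,
        False if the configured maximum was reached (a system event is raised).
        Raises AccessDenied when the access rules are not satisfied."""
        obj = self.objects[name]
        if obj.access_level is AccessLevel.READ_ONLY:
            raise AccessDenied(f"{name} is read only")
        # Confirmed operation: credentials are re-supplied for this write.
        if not self._authenticate(user, password):
            self._event(f"re-authentication failed for {user!r} on {name}")
            raise AccessDenied("re-authentication failed")
        if obj.access_level is AccessLevel.CONFIRM_AND_ACCESS_ENABLE:
            if not self.access_enable:
                raise AccessDenied("Access Enable input not active")
            # Double authentication: a different, valid approver is required.
            if self.require_double_auth and (
                second_user in (None, user)
                or not self._authenticate(second_user, second_password)
            ):
                raise AccessDenied("second approver required")
        if obj.forced:
            return True
        if self.active_forces() >= self.max_forces:
            self._event(f"force limit {self.max_forces} reached; {name} not forced")
            self.audit_trail.append((user, "force_refused", name))
            return False
        obj.forced = True
        self.audit_trail.append((user, "force", name))
        self._event(f"{name} forced by {user}")  # system event upon force
        return True

    def reset_all_forces(self, source):
        """Reset input (digital input or workplace command) clears every force."""
        for o in self.objects.values():
            o.forced = False
        self.audit_trail.append((source, "reset_all", None))
        self._event(f"all forces reset via {source}")


def demo():
    """Constructed walk-through: two forces succeed, the third hits the limit."""
    app = SilApplication(
        objects=[SafetyObject("LT101", AccessLevel.CONFIRM),
                 SafetyObject("XV201", AccessLevel.CONFIRM_AND_ACCESS_ENABLE),
                 SafetyObject("PT301", AccessLevel.CONFIRM),
                 SafetyObject("TRIP_SP", AccessLevel.READ_ONLY)],
        max_forces=2,
        credentials={"sop": "s0p-pw", "seng": "s3ng-pw"},  # constructed accounts
    )
    results = [app.set_force("LT101", "sop", "s0p-pw")]
    app.access_enable = True  # key switch / digital input turned on
    results.append(app.set_force("XV201", "sop", "s0p-pw", "seng", "s3ng-pw"))
    results.append(app.set_force("PT301", "sop", "s0p-pw"))  # limit reached
    return app, results


if __name__ == "__main__":
    application, outcome = demo()
    print(outcome, application.active_forces(), application.events)
```

The point of keeping the limit, the events and the audit trail in one place is that every refused force is as visible as every granted one: a reviewer reading the audit trail can see both who bypassed what and when the configured ceiling was hit.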

Security Roles & Responsibilities
• Users can be assigned different permissions according to their responsibilities
• Restriction of access to the SIS (operation and engineering)
• High flexibility
Permission matrix: roles Process Operator, Safety Operator, Process Engineer and Safety Engineer against the permissions Operate BPCS, Operate SIS, Engineer BPCS and Engineer SIS (cell markings not reproduced in the transcript)

Built-in familiarity... to minimize human error
Chart: causes of control system failure by lifecycle phase (Source: Out of Control: Why control systems go wrong and how to prevent failure, HSE Books): Specification 43%, Changes after commissioning 21%, Design & implementation 15%, Operation & maintenance 15%, Installation & commissioning 6%; 58% highlighted
ISA-84.00.01-2004 Part 2: “Identical separation between the SIS and BPCS may have some advantages in design and maintenance because it reduces the likelihood of maintenance errors.”

Systematic Capabilities
• Concept developed for systematic safety integrity compliance for elements and sub-systems
• Replaces the term “effectiveness against systematic failure”
• A measure on a scale of 1-4 that the systematic safety integrity of an element fulfils the given safety function, considering the instructions stated in the safety manual
Source: IEC 61508 Clause 7.4.7.6

Safety Layer
Architectural design to meet target SIL requirements: Sensors, Logic Solver, Actuators

Certified Field Devices: what’s wrong with the old one?
• IEC 61508 certification or “Proven in Use”: less risk, or a “Proven in Use” solution?
• With this certification users can use transmitters in safety loops
• The IEC 61508 certification, issued by TUV NORD, allows installation up to SIL2 (1oo1) and SIL3 (redundant configuration), with no Hardware Fault Tolerance (HFT=0)
• For more critical applications use the 268, i.e. the only product on the market with redundant measurement, certified for Hardware Fault Tolerance 1 (HFT=1)
Speaker note: stress the fact that “Proven in Use” moves to the owner

Emerging digital fieldbus requires certified systems, networks, devices and final elements
Diagram: Operation, Engineering and Asset Management connected over HSE Fieldbus to the Logic Solver and H1 Fieldbus devices, compared with Operation and Engineering over a proprietary SIS network to a Logic Solver with conventional hardwired I/O

HART and Asset Management / Asset Integrity
Partial Valve Stroke example: SIL3 ESD safety valve controller with integrated PST functionality enabled
Launching a PST:
• Manual (DTM)
• Local buttons
• Analog Output (set to 16.4 mA)
• Scheduler (DTM)

Integration must be designed to avoid Common Cause Failures
What are the benefits of ICSS to Operations?
• Better response to abnormal conditions
• Integrated control and safety system implementations enable end-users to fully leverage the capabilities of the BPCS (800xA): Information Management, Reporting, Alarm Management, Sequence Of Events, Asset Optimization, Engineering, etc.

Monitor the Process and respond to Abnormal Conditions
Thanks to a common operation environment, the operator can take timely action.
Several functions are available for projects that are not part of the standard product.

More Efficient and Effective Troubleshooting
• Safety-relevant information is readily available: Alarms, Events, Audit Trail, and SOE displays for root cause analysis
• Real-time information
• Standard functionality for inhibiting specific safety functions
• Status supervision of Safety System Elements
• Flexible report creation and scheduling: Valve Leak Test, Verification, Automatic Shutdown Reporting, SIL status

It’s all about safe operations… If you think safety is expensive…
It is critical for an operator to sustain a high level of alertness and understanding of the progress through the production cycle during the slow times and, at the same time, have real-time access to critical information in context to be able to make correct decisions immediately when circumstances dictate. This is the challenge operators face in the process industries and the reason why operational errors are the highest single cause for unscheduled slowdowns and shutdowns.
Source: ARC View, June 2011, Improving Operational Performance by Improving the Operator Experience

What about safety standards? It is already in IEC 61511, 11.7.1.1: The operator should be given enough information on one display to rapidly convey critical information. Display consistency is important and methods, alarm conventions and display components used should be consistent with the BPCS displays. Source: IEC 61511

Are ICSS Good, Bad or Ugly? Advantages and Challenges
Advantages:
• Lower engineering & lifecycle cost
• Lower training & maintenance expenses
• Easier time synchronization
• Improved asset & event management
Challenges:
• Increased risk of common cause failures
• Need for careful design to ensure that a BPCS failure does not affect the SIS
• Greater management challenges
All personnel involved with safety systems shall be sufficiently competent… and follow an appropriate Functional Safety Management System
Source: ARC, The Coming Wave of Safety Systems Migration

Engineering Responsibilities
• Competence
• Architectural design to meet target SIL requirements
• PFD calculations using appropriate reliability data for the desired loop configuration
• SIL capability
• SIS design: hardware and software integration
• Verification and validation
• Functional safety assessments
• Information on operation and maintenance requirements, building on manufacturer-supplied data
• Instructions for testing
• Installation and commissioning
• Functional safety management for design and build activities
Source: IEC 61511
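The PFD calculation listed above, together with the earlier point that a 1oo1 (HFT=0) transmitter is certified for SIL2 while SIL3 needs a redundant configuration, and the IEC 61511 requirement that common cause failures be assessed, can be shown with a small worked computation. The following is an added example written for this page, not from the slides or from ABB. It uses the simplified low-demand approximations commonly derived from IEC 61508-6 (1oo1: PFDavg ≈ λDU·TI/2; 1oo2 with beta-factor common cause: PFDavg ≈ (1−β)²(λDU·TI)²/3 + β·λDU·TI/2), ignores diagnostics, repair time and imperfect proof testing, and the numeric inputs (λDU = 1e-6 per hour, a one-year proof-test interval, β = 10%) are constructed, not taken from any device datasheet. The band it reports is the PFDavg range only; a real SIL claim also needs the architectural constraints (HFT) and the systematic capability the slides discuss.

```python
"""Simplified PFDavg and IEC 61508 low-demand SIL band for a safety function.

Added worked example with constructed inputs. Formulas are the simplified
low-demand approximations (no diagnostics, no repair time, perfect proof
tests): lambda_du is the dangerous undetected failure rate per hour, ti_hours
the proof-test interval in hours, beta the common cause fraction for 1oo2.
"""


def pfd_1oo1(lambda_du, ti_hours):
    """Single channel: on average the channel is undetectably failed for
    half the proof-test interval."""
    return lambda_du * ti_hours / 2.0


def pfd_1oo2(lambda_du, ti_hours, beta):
    """Redundant 1oo2 channels with a beta-factor common cause term."""
    x = lambda_du * ti_hours
    independent = (1.0 - beta) ** 2 * x ** 2 / 3.0  # both channels fail independently
    common_cause = beta * x / 2.0                     # both fail from one shared cause
    return independent + common_cause


def sil_band(pfd_avg):
    """IEC 61508 low-demand PFDavg bands; 0 means too high for any SIL.
    Values below 1e-5 fall outside the table and are reported as 4."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


def compare_architectures(lambda_du, ti_hours, beta):
    """PFDavg and band for 1oo1, and for 1oo2 with and without the common
    cause term, so the effect of ignoring common cause is visible."""
    cases = {
        "1oo1": pfd_1oo1(lambda_du, ti_hours),
        "1oo2_no_ccf": pfd_1oo2(lambda_du, ti_hours, 0.0),
        "1oo2_with_ccf": pfd_1oo2(lambda_du, ti_hours, beta),
    }
    return {name: {"pfd": pfd, "sil": sil_band(pfd)} for name, pfd in cases.items()}


if __name__ == "__main__":
    # Constructed inputs: 1e-6 dangerous undetected failures per hour,
    # yearly proof test, 10 % common cause between the two channels.
    for name, r in compare_architectures(1e-6, 8760.0, 0.10).items():
        print(f"{name:14s} PFDavg={r['pfd']:.3e}  SIL band {r['sil']}")
```

With these inputs the single channel lands in the SIL2 band, the redundant pair lands in the SIL3 band once common cause is included, and the same pair appears to reach SIL4 if β is set to zero. That last line is the trap the IEC 61511 clauses on the slides are guarding against: a redundancy or integration design that leaves a shared cause unanalysed overstates the protection by an order of magnitude.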

Looking for design and implementation guidelines?
Safety Lifecycle and Functional Safety Management (IEC 61511 safety lifecycle phases, numbered as in the standard):
1 Hazard and Risk Assessment
2 Allocation of safety functions to protection layers
3 Safety Requirements Specification for the safety instrumented system
4 Design & Engineering of the Safety Instrumented System (alongside Design & Development of other means of risk reduction)
5 Installation, Commissioning and Validation
6 Operation and Maintenance
7 Modification
8 Decommissioning
9 Verification
10 Management of functional safety and functional safety assessment and auditing
11 Safety Life-Cycle structure and planning
Source: IEC 61511

Total Safety Offering
• Field Instrumentation: SIL-rated instrumentation, actuators
• SIS Systems: TUV-certified, flexible and scalable System 800xA
• Proof Testing Support: TRAMs, proof test period
• Maintenance Lifecycle Support
• Alarm Management: benchmarking, EEMUA 191, training support
• Installed Systems Review: SIL assessment, benchmarking
• SIL Determination Analysis: TRAC, training, mentoring
• IEC 61508 / IEC 61511 Compliance: compliance management, FSMS
Unique to ABB is a full scope of supply, from defining safety requirements to maintaining safety over the entire lifecycle of the facility.

Conclusion
• ABB has not only addressed the fundamental design elements to maintain independent protection layers while fully integrating safety systems into 800xA
• ABB developed a leading-edge family of field devices
• …and introduced the consulting services to support you in the process of designing, implementing and maintaining a safety system through the IEC 61511 safety lifecycle
• ABB provides the enabling technology to integrate safety to the core of your operations
