UNIT No.: 02: - 2A. Define Safety Instrumentation Systems (Terms)
- The pressures of project schedules can result in errors or oversights, and the HAZOP allows
these to be corrected before such changes become too expensive. Because they are easy to
understand and can be adapted to any process or business, HAZOPs have become the most
widely used hazard identification methodology.
- The HAZOP technique was initially developed to analyze chemical process systems, but
has since been extended to other types of systems, to complex operations and to
software systems.
- The inputs to the HAZOP are the Process and Instrumentation Diagrams (P&IDs), Cause
and Effect charts (C&E: Cause & Effect Analysis) and the operating company's risk matrix.
It is important that a HAZOP team is made up of personnel who bring the best
balance of knowledge and experience of the type of plant being considered to the
study. A typical HAZOP team is made up as follows:
As a basis for the HAZOP study the following information should be available:
- Process flow diagrams
- Piping and instrumentation diagrams (P&IDs)
- Layout diagrams
- Material safety data sheets
- Provisional operating instructions
- Heat and material balances
- Equipment data sheets
- Start-up and emergency shut-down procedures
The following modes of plant operation should be considered for each node:
- Normal operation
- Reduced throughput operation
- Routine start-up
- Routine shutdown
- Emergency shutdown
- Commissioning
- Special operating modes
> NODE : A node is a specific location in the process at which (deviations from)
the design/process intent are evaluated.
Examples might be: separators, heat exchangers, scrubbers, pumps, compressors, and
the pipes interconnecting equipment.
> DEFINITION : The design intent is a description of how the process is expected to
behave at the node; it is described qualitatively as an activity (e.g., feed, reaction,
sedimentation) and/or quantitatively in the process parameters, such as temperature,
flow rate, pressure, composition, etc.
> DEVIATION : A deviation is a way in which the process conditions may depart from
the design/process intent.
In failure modes effects and criticality analysis (FMECA), the term FAILURE MODE is used
in the way that RCM uses the term functional failure. However, the RCM community uses
the term failure mode to refer to the event that causes functional failure.
> The standard's criteria for a process that identifies failure modes are:
• All failure modes reasonably probable to cause each functional failure shall be identified.
• The method used to decide what constitutes a reasonably probable failure mode shall be
acceptable to the owner or user of the asset.
• Failure modes shall be identified at a level of causation that makes it possible to identify an
appropriate failure management policy.
• Lists of failure modes shall include failure modes that have happened before, failure modes
that are currently being prevented by existing maintenance programs, and failure modes that
have not yet happened but are thought to be reasonably likely (credible) in the
operating context.
• Lists of failure modes should include any event or process that is likely to cause a functional
failure, including deterioration, human error whether caused by operators or maintainers, and
design defects.
• Failure effects shall describe what would happen if no specific task were done to anticipate,
prevent, or detect the failure.
• Failure effects include all the information needed to support the evaluation of the
consequences of the failure, such as
- What is the evidence (if any) that the failure has occurred (in the case of hidden
functions, what would happen if multiple failures occurred)?
- What it does (if anything) to kill or injure someone, or to have an adverse effect on the
environment?
- What it does (if anything) to have an adverse effect on production or operations?
- What physical damage (if any) is caused by the failure?
- What (if anything) must be done to restore the function of the system after the failure?
- PFD is calculated for typical sensor failure rates and repair times and assumes a
contribution from common causes for redundant configurations.
It is often desirable to express the SIL level in terms of the hazard reduction factor,
where HRF is defined as: HRF = 1 / PFD
- PFD = 1 / RRF.
- PFD is a probability and therefore a dimensionless quantity with a value between zero and
1.
- For a PFD between 1 (no risk reduction) and 0.1, SIL1 is required.
- A PFD of 0.1 is generally the most risk reduction that can be claimed for a non-SIL
rated system.
- A PFD of 0.1 may be claimed for independent alarms.
- λDu is used to calculate the PFD, the Probability of Failure on Demand, i.e. the chance that
the safety system will be unable to command the output to a safe state when there is a
demand from the process. λSd, λSu and λDd can cause the spurious action mentioned before, and
therefore the sum of these fractions can be used to calculate the process availability.
> The required PFD is calculated by comparing the Maximum Tolerable Risk, λMTR, with the Intermediate
Level Event Likelihood, or hazard frequency, λHAZ.
λDU is the dangerous undetected failure rate and β is the contribution from common
cause failures.
TP is the proof test interval and MDT is the Mean Down Time.
- PFD PLC = (1/15) * 0.25 * (1/2) = 0.008
PFD system = (0.17 * 0.008) / 3 = 0.00045
RRF (risk reduction factor) = 1/PFD = 2,222
- The following assumptions were used to perform the safety (PFD) analysis:
MTTFd PLC = 10 years, 99% diagnostics, all components tested annually (assumes
perfect testing):
PFD safety PLC = (1/10) * 0.01 * (1/2) = 0.0005
- RRF (risk reduction factor) = 1/PFD = 2,000
NOTE: This system would also be suitable for use in SIL 2 (RRF 100 – 1000), since the
logic solver should generally only account for approximately 10% of the system PFD.
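The two logic-solver cases above, worked in code as an added example (not part of the original notes). The formulas are the usual IEC 61508-6 low-demand approximations; the first case is read here as MTTFd 15 years with 25% of dangerous failures undetected, which is an assumption about where the 1/15 and 0.25 factors come from. The 1oo2 function goes beyond the notes to show how the β factor caps what redundancy can buy.

```python
"""Low-demand PFD, risk reduction factor and SIL band for a SIF (added example)."""


def lambda_du(mttf_d_years: float, diagnostic_coverage: float) -> float:
    """Dangerous undetected failure rate (per year) from MTTFd and diagnostic coverage."""
    if not 0.0 <= diagnostic_coverage <= 1.0:
        raise ValueError("diagnostic coverage must be between 0 and 1")
    return (1.0 / mttf_d_years) * (1.0 - diagnostic_coverage)


def pfd_1oo1(lam_du: float, proof_test_interval_years: float) -> float:
    """Average PFD of a single channel: lambda_DU * TI / 2 (perfect proof test assumed)."""
    return lam_du * proof_test_interval_years / 2.0


def pfd_1oo2(lam_du: float, proof_test_interval_years: float, beta: float) -> float:
    """Average PFD of a 1oo2 pair with beta-factor common cause.

    Independent term (1-beta)^2 * (lambda_DU*TI)^2 / 3 plus the common-cause term
    beta * lambda_DU * TI / 2; at realistic beta values the second term dominates.
    """
    ldt = lam_du * proof_test_interval_years
    return ((1.0 - beta) ** 2) * ldt ** 2 / 3.0 + beta * ldt / 2.0


def rrf(pfd: float) -> float:
    """Risk reduction factor (the HRF of the notes): 1 / PFD."""
    return 1.0 / pfd


def sil_band(pfd: float) -> int:
    """IEC 61508 low-demand SIL band for an achieved PFDavg (0 = below SIL 1)."""
    if not 0.0 < pfd <= 1.0:
        raise ValueError("PFD must be a probability in (0, 1]")
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


if __name__ == "__main__":
    # Case 1 (assumption): MTTFd 15 years, 25% of dangerous failures undetected, annual test.
    lam1 = lambda_du(15.0, 0.75)
    p1 = pfd_1oo1(lam1, 1.0)
    print(f"case 1: 1oo1 PFD = {p1:.4f}, RRF = {rrf(p1):.0f}")
    # Case 2 as stated in the notes: MTTFd 10 years, 99% diagnostics, annual test.
    lam2 = lambda_du(10.0, 0.99)
    p2 = pfd_1oo1(lam2, 1.0)
    print(f"case 2: 1oo1 PFD = {p2:.4f}, RRF = {rrf(p2):.0f}, SIL band {sil_band(p2)}")
    # Redundancy only helps as far as beta allows: at beta = 10% the common-cause term dominates.
    print(f"case 1 as 1oo2, beta 0.1: PFD = {pfd_1oo2(lam1, 1.0, 0.1):.5f}")
```

Case 2 lands in the SIL 3 band on its own, which is why the note above can say the logic solver consumes only about a tenth of a SIL 2 loop budget.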
>Failure modes and effects analysis (FMEA) should be used to identify the following
information that is necessary for the logic tree evaluation of each FSI.
>The following examples refer to the failure of a pump providing cooling water flow:
• Function: The normal characteristic actions of the item (e.g., to provide cooling water flow
at 100 to 240 gpm to the heat exchanger).
• Functional failure: How the item fails to perform its function (e.g., pump fails to provide
required flow).
• Failure cause: Why the functional failure occurs (e.g., bearing failure).
• Failure effect: What are the immediate effect and the wider consequence of each functional
failure (e.g., inadequate cooling leading to overheating and failure of the system).
> A failure modes and effects analysis (FMEA) becomes a basis for establishing a probability
for failure evaluation. To conduct a valid FMEA, there has to be a history of equipment repair
and some idea of the life expectancy of the parts you are trying to evaluate. Without repair
history on equipment and parts life, decisions to stock or not to stock become very subjective
and logic takes a back seat in the final decision.
> Some of the rules of logic applied when conducting an FMEA are listed below; as you
can see, it becomes a "what if" scenario, and if in doubt, err on the side of safety stock.
> Per IEC, "Safe failure fraction is the ratio of the (total safe failure rate of a subsystem plus
the dangerous detected failure rate of the subsystem) to the total failure rate of the
subsystem." (In IEC terms, subsystem refers to individual devices.)
> It is a number that shows the percentage of possible failures that are self-identified by the
device or are safe and have no effect. The key number in this calculation is Dangerous
Undetected failures: those that are not identified and do have an effect.
> Definition - The fraction of the overall failure rate of a device that results in either a safe
fault or a diagnosed (detected) unsafe fault. The safe failure fraction includes the detectable
dangerous failures when those failures are annunciated and procedures for repair or shutdown
are in place.
- The SFF is the percentage of safe failures, i.e. those that are safe or are dangerous but detected.
-A Safety Integrity Level is determined via a procedure called Risk/Process Hazard Analysis
(PHA).
-It identifies all the hazards of a process and estimates the risks inherently involved and
determines if that risk is tolerable/ acceptable.
-The PHA then evaluates outcomes of an accident, the safeguards in place to prevent
that accident and measures that can be recommended to reduce the process risks.
- A hardware fault tolerance of N means that N+1 faults could cause the loss of the safety
function.
-In determining the hardware fault tolerance, no account shall be taken of other measures that
may control the effects of faults such as diagnostics.
- Hardware fault tolerant architectures also give protection against a wide range of systematic
faults (mainly in hardware), because such faults do not necessarily arise at the same instant of
time.
-This standard recognizes that the process industry needs more than one level of performance
from safety systems.
- In selecting the architecture to use for a specified integrity level it is however important to
ensure that it is sufficiently robust against both random hardware faults and systematic faults.
-To ensure robustness against random hardware faults this standard requires that a reliability
analysis be carried out.
- In deciding the extent of fault tolerance needed, there are a number of factors that should be
taken into consideration, as follows:
- The complexity of the devices used within the subsystem. A device will be less likely to be
subject to systematic faults if the failure modes are well defined, the behaviour under fault
conditions can be determined and there is sufficient failure data from field experience.
- The extent to which faults lead to a safe condition or can be detected by diagnostics so
that a specified action can be taken. This capability is termed the safe failure fraction of
the device.
- The requirements for hardware fault tolerance can apply to individual components or
subsystems required to perform a SIF. For example, in the case of a sensor subsystem
comprising a number of redundant sensors, the fault tolerance requirement applies to the
sensor subsystem in total, not to individual sensors.
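The SFF definition quoted earlier and the hardware fault tolerance rules above, combined in an added example that is not part of the original notes. The SFF-band/HFT limits are the IEC 61508-2 Route 1H tables for type A (simple, well-characterised) and type B (complex) devices; the failure rates are constructed sample values.

```python
"""Safe failure fraction and the SIL an architecture may claim (added example)."""


def sff(lambda_sd: float, lambda_su: float, lambda_dd: float, lambda_du: float) -> float:
    """(safe + dangerous detected) / total failure rate, as a fraction in 0..1."""
    total = lambda_sd + lambda_su + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lambda_sd + lambda_su + lambda_dd) / total


# Max SIL by (SFF band, HFT); band 0 = <60%, 1 = 60-90%, 2 = 90-99%, 3 = >=99%.
# HFT N: N faults are tolerated, N+1 faults could lose the safety function.
# A value of 0 means no SIL may be claimed with that architecture.
_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def sff_band(fraction: float) -> int:
    """Index of the SFF band used by the IEC 61508-2 tables."""
    if fraction >= 0.99:
        return 3
    if fraction >= 0.90:
        return 2
    if fraction >= 0.60:
        return 1
    return 0


def max_sil(fraction: float, hft: int, device_type: str) -> int:
    """Highest SIL the subsystem architecture permits (0 = none)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    table = _TYPE_A if device_type.upper() == "A" else _TYPE_B
    return table[sff_band(fraction)][hft]


if __name__ == "__main__":
    # Constructed per-year rates for a smart transmitter treated as a type B device.
    f = sff(0.010, 0.005, 0.020, 0.004)  # 0.035 / 0.039, just under 90%
    print(f"SFF = {f:.1%}")
    for hft in (0, 1, 2):
        print(f"  HFT {hft}: max SIL {max_sil(f, hft, 'B')}")
    # Diagnostics that convert 0.003 of lambda_DU into lambda_DD lift the SFF above 90%:
    # the total rate is unchanged, only the dangerous-undetected share shrinks.
    f2 = sff(0.010, 0.005, 0.023, 0.001)  # 0.038 / 0.039
    print(f"with better diagnostics: SFF = {f2:.1%}, HFT 0 max SIL {max_sil(f2, 0, 'B')}")
```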
> DEFINITION: HIPPS is an acronym for High Integrity Pressure Protection System, which
is a specific application of a Safety Instrumented System (SIS). The function of a HIPPS is to
protect downstream equipment against overpressure or upset conditions coming from
upstream.
- This is achieved by quickly closing two in-series dedicated safety shut-off valves to
prevent further pressurisation of the downstream piping.
- A High Integrity Pressure Protection System (HIPPS) is a Safety Instrumented System (SIS),
which by definition is a distinct, reliable system used to safeguard a process to prevent a
catastrophic release of toxic, flammable, or explosive chemicals.
> As per ASME Section VIII, UG-140, which covers ‘Over-pressure Protection by System
Design’, HIPPS can be used for the following applications:
• Chemical reactions so fast the pressure propagation rate could result in loss of containment
prior to the relief device opening.
• Chemical reactions so fast the lowest possible relieving rate yields impractically large vent
areas.
• Exothermic reactions occurring at uncontrollable rates.
• Plugging, polymerization, or deposition formed during normal operation.
• Reactive process chemicals relieved into lateral headers with polymerization and thus
plugging, rendering the relief device useless;
• Multi-phase venting, where actual vent rate is difficult to predict.
• Reducing greenhouse gas (GHG) emissions in line with regulations such as the Kyoto Protocol.
-The Safety Life Cycle (SLC) is one of the most fundamental concepts detailed in IEC 61508
and ANSI/ISA 84.01. This common sense engineering procedure can be summarized in three
steps:
1) Analyze the problem, 2) Design the solution, 3) Verify that the solution solves the
problem.
> The following factors should be considered for the Safety Life Cycle:
- The figure shows that each phase requires input data to be analysed; after analysis,
useful output data can be derived from that phase for implementation in the field. Each phase
is described in detail below:
>INPUT DATA FOR PHASE-1 : Define the scope of the hazard analysis.
>OUTPUT DATA OF PHASE-1 :
-Description of, and information relating to, the hazard and risk analysis.
-Hazard and Risk Analysis: Hazards; Initiating event frequencies; Other measures to reduce
risks; Consequences; Risk; Consider maximum tolerable risk; availability of data;
Document assumptions.
-Specification for the overall safety requirements in terms of the safety functions
requirements and the safety integrity requirements. Note: safety functions not technology
specific. SIL target should specify target reliability.
>INPUT DATA FOR PHASE-2 : OUTPUT DATA OF PHASE-1 will be input data for
PHASE-2.
>OUTPUT DATA OF PHASE-2 :
-Specification of safety functions.
-Information on the allocation of the overall safety functions, their target failure measures,
and associated safety integrity levels.
-Assumptions made concerning other risk reduction measures that need to be managed
throughout the life of the process.
>INPUT DATA FOR PHASE-3 : OUTPUT DATA OF PHASE-2 will be input data for
PHASE-3.
>OUTPUT DATA OF PHASE-3 :
-Specification of the SIS safety requirements.
-May include C&E; shall include:
a) specification of safe state; b) requirement for proof tests;
c) response time; d) operator interfaces necessary;
e) interfaces to other systems; f) modes of operation;
g) behaviour on detection of a fault; h) requirements for manual shutdown;
i) application software requirements; j) SIL and target reliability measure;
k) duty cycle and lifetime; l) environmental conditions likely to be encountered;
m) EMC limits;
n) constraints due to CCFs. Refer to IEC 61511-1, 10.3 for the complete requirements.
>Phase 3 addresses the Safety Requirements Specification (SRS) which enables the
Design and Engineering Phase (Phase 4) to begin.
>INPUT DATA FOR PHASE-4 : OUTPUT DATA OF PHASE-3 will be input data for
PHASE-4.
>OUTPUT DATA OF PHASE-4 :
-Realisation of each SIF according to the SIS safety requirements specification.
>Phase 4 also delivers data to the sub-phase DESIGN AND DEVELOPMENT OF OTHER
MEASURES.
>This sub-phase gives as output data: realisation of each other risk reduction measure
according to the safety requirements for that measure.
>Phase 4 may be adequately addressed in a single Functional Design Specification
(FDS) or similar document, which sets the scene, defines the process, the
environmental and operational considerations and establishes the scope of the
following phases.
-A plan for operating and maintaining the SIS: provides planning for routine and abnormal
operation activities; proof testing, maintenance activities, procedures,
techniques and measures to be used, schedule, personnel and departments responsible,
and the method of verification against the operation and maintenance procedures.
>INPUT DATA FOR PHASE-6 : OUTPUT DATA OF PHASE-5 will be input data for
PHASE-6.
>OUTPUT DATA OF PHASE-6 :
-Continuing achievement of the required functional safety for the SIS.
-The following shall be implemented: O&M Plan; Operation, maintenance and repair
procedures; Implementation of procedures; Following of maintenance schedules;
Maintain documentation; Carry out regular FS Audits;
Document modifications; Chronological documentation of operation and maintenance of the
SIS;
>The inputs, outputs and activities associated with Phase 7 – Modification, are
essentially the same for Phase 8 – Decommissioning. In effect, decommissioning is
a modification which occurs at the end of the lifecycle and is initiated with the same
controls and managed with the same safeguards.
>INPUT DATA FOR PHASE-7&8: OUTPUT DATA OF PHASE-6 will be input data for
PHASE- 7&8.
- A SIF is an instrumented safety loop that performs a safety function which provides a
defined level of protection (SIL) against a specific hazard by automatic means and which
brings the process to a safe state.
- A SIF is made up of sensors, logic solver, and final elements that act in concert to detect a
hazard and bring the process to a safe state.
- 'SIF' includes all instrumentation in the interlock function, from the sensor and transmitter
through the control system all the way to the final element (e.g., isolation valve).
• SIL 2 – 5% of SIFs,
• High pressure in a vessel opens a vent valve: The specific hazard is overpressure of the
vessel. The high pressure is detected by a pressure-sensing instrument, and logic
(PLC, relay, hardwired, etc.) opens a vent valve, bringing the system to a safe state.
• High temperature in a furnace that can cause tube rupture shuts off firing to furnace: The
specific hazard is tube rupture. Instrumentation automatically causes a main fuel trip
that removes the heat, bringing the system to a safe state.
• Flame-out in an incinerator that can lead to a release of toxic gas causes process gas feed to
be shut off: The specific hazard is a flame-out. The automatic instrument protective
action is to close process gas feed to the incinerator, which stops any toxic gas release,
bringing the system to a safe state.
• Flame-out in an incinerator that could cause fuel gas accumulation and explosion causes a
main fuel gas trip: The specific hazard is a flame-out. The automatic instrument
protection action is a main fuel gas trip, which cuts off the fuel and prevents fuel gas
accumulation, bringing the system to a safe state.
- The design and verification are compiled into a document called the Safety Requirement
Specification (SRS).
- The purpose of the SRS, according to IEC 61508-2, is "to develop the specifications
requirements and safety integrity requirements, for the E/E/PES safety related
systems, other technology safety related systems and external risk reduction
facilities, in order to achieve the required functional safety."
- The SRS is created after the hazard and risk analysis and the allocation of safety functions
to protective layers in the safety life cycle.
The process itself shall be described in order to give detailed information regarding the
process parameters to the personnel dealing with the SRS documentation. Drawings that
support the description of the process itself are useful. Later on this process information is
important for the personnel dealing with implementation of SIS and SIF. Specific process
conditions that are important for the safety must be addressed.
The PHA report is needed. This report gives valuable information about the hazards and the
hazardous events for the intended Safety Instrumented System. The hazard frequencies and
hazard consequences are also important information.
• Target SIL : The target SIL shall be defined for each SIF.
• Regulatory requirements :
If there are any regulatory requirements that affect the design of the SIS, the SRS shall
include these requirements.
The possibility of common cause failures must be taken into account. These failures could
reduce or eliminate the redundant safety measures applied in the SIF or SIS. Sometimes it is
tricky to find the common cause failures that affect the safety measures. The personnel
involved in the design of the SIS or SIF must identify possible common cause failures.