SIS Overview


Overview of Process Safety Management & Safety Instrumented Systems (Protective System)

Purpose of Presentation
Define Process Safety Management
Define Safety Instrumented System
Review Regulation / Standards / References for Safety Instrumented Systems
Examine Methods of Selection and Design of Safety Instrumented Systems
Provide Examples of Safety Instrumented Systems

Process Safety Management (PSM) Program:

A management methodology aimed at preventing the occurrence, or minimizing the consequences, of catastrophic releases of toxic or explosive materials.

References for establishing policies and procedures for this presentation:

USA 29CFR1910.119
API RP750
NOM-028 Mexico
AIChE/CCPS Text Books

Process Safety Management

Employee Participation

Process Safety Information

Process Hazard Analysis

Operating Procedures



Pre-Startup Safety Review

Mechanical Integrity

Hot Work Permits

Management of Change

Incident Investigation

Emergency Planning and Response

Compliance Audits

Trade Secrets

Process Hazards Analysis (PHA)

A PHA should be performed for all facilities which could potentially have a substantial release of dangerous materials. The purpose of the PHAs is to minimize the likelihood of such an occurrence by identifying, evaluating, and controlling the events that could cause a release.

Risk Assessment (Is Risk Acceptable?)

Severity of Hazard
Likelihood of Occurrence
Protection Layers

Concept of Protection Layers

Using a Process Hazards Analysis Methodology, all potential process hazards are identified.

Once a hazard has been identified, the available protection layers are evaluated using Risk Assessment Methodologies.

[Diagram: protection layers built up around the hazard, innermost to outermost]
1 - Physical
2 - Human
3 - BPCS
4 - Mitigation
5 - SIS


SIS Safety Instrumented Systems

What is a Safety Instrumented System (SIS) and its associated Safety Instrumented Functions (SIF)? (In the past an SIS has been referred to as an Emergency Shutdown System (ESD); example: HL Area ESD System.)

A SIS is an instrumented protective system that consists of an instrument component, group of instrument components, or instrument system that reduces process risk by preventing or mitigating the consequences of a process hazard.

A SIF is an instrumented protective system within a SIS that reduces process risk for a specific process hazardous cause.

Is a Safety Interlock Needed? If so, how good does it need to be? How do we know if it is good enough?

Example of SIS

[P&ID sketch with instrument tags: PT 103, PAHH 103, ZI 103, ZS 103, SDV 103; LT 108, LALL 108, SDV 108; LAHH 109, LSHH 109, SDV 109; inlet labelled "From Wells"]

Symbol for SIS (Protective System)

SIS has three (3) Safety Instrumented Functions (SIF):
PAHH-103
LALL-108
LAHH-109

The SIS and Associated SIF Consist of:

Sensor & connection to process
Sensor Wiring System
Logic Solver (typically shared for multiple SIFs)
Final Control Wiring System
Final Control Device & all associated actuation components
Interface with Process Control System or Human Machine Interface (HMI)

[Diagram: the chain from one sensor through the logic solver to one final control device (SDV 109) represents a single SIF within a SIS]

Regulations That Address SIS (Protective Systems)

USA - OSHA CFR 29 - 1910.119: Process Safety Management Regulation
U.K. - HSE Health & Safety Executive
NORWAY - NOR

These regulations have a common requirement for safety systems: they shall be designed in accordance with generally accepted good engineering practices established by recognized codes and standards.

Standards & References for SIS (Protective Systems)

IEC 61508 Functional Safety: Electrical / Electronic / Programmable Electronic Safety Related Systems

IEC 61511 Functional Safety: Safety Instrumented Systems for the Process Industry Sector

ANSI/ISA S84.01 - Application of Safety Instrumented Systems for the Process Industries

IEC 61511

Industry specific standard for the Process Sector
Current Status: Published in 2002 (with exception of Part 2, pending)
For USA, IEC 61511 shall replace ANSI-ISA-S84.01 with the 2003 issue
Standard has been widely accepted throughout the world
Standard has three (3) Parts and covers:
  Selection Methodologies for Determining Need and Classification of SIS
  Classification of SIS
  Design Requirements for SIS (Hardware / Software)
  Installation / Commissioning / Maintenance of SIS
  Management of Change (MOC) of SIS

Using this reference we now have definitive methods for making good engineering decisions on the selection and design of Safety Instrumented Systems.

This is important for ensuring:
Maximum safety for our processing units
Compliance with Regulations

Life Cycle Chart: Activities involved in the development and implementation of an SIS

Modified SIS Life Cycle

Application to New or Existing Process

Refinery defines evaluation requirements for new and existing facilities.

Modified SIS Life Cycle: Perform PHA

Identify Hazardous Consequences, Causes, and Safeguards. This is accomplished through Process Hazards Analysis studies:
HAZOPS
Checklists

During PHA it is now common to risk rank PHA issues based on Severity and Probability of Occurrence.

Modified SIS Life Cycle: Risk Analysis (Evaluate Consequences, Causes & Safeguards)

Risk Assessment is performed to determine:
Severity of Hazardous Consequences
Likelihood of Occurrence
Adequacy of Safeguards
Requirements for SIS/SIF

Risk Assessment Methodologies for SIL Selection (IEC-61511 Part 3 methods):
Risk Matrix Methodology
Chart Methodology
Fault-tree Analysis
Layer of Protection Analysis (LOPA)

Detailed training on Risk Assessment Methodologies is beyond this presentation.

Modified SIS Life Cycle: SIS Required?

From Risk Assessment it is determined if additional protection in the form of an SIS/SIF is required or is being used for risk reduction. This evaluation is done for all identified Hazardous Consequences and their associated causes.

SIS Determination and Design should be accomplished only by individuals trained in the use of IEC 61511.

Modified SIS Life Cycle: Determine SIL Required

IEC-61511 defines levels of integrity for SIFs: Safety Integrity Level (SIL). The higher the integrity level, the more risk reduction is obtained from the SIF. The required SIL is dependent upon the needed risk reduction as determined by the Risk Assessment.

The SIL values and risk reduction values are defined within IEC-61511.

The SIF SIL is measured by its calculated Probability of Failure upon Demand (PFD).

In addition, the SIF shall also meet Refinery established requirements for Spurious Trip Rate (STR).

From IEC 61511, Safety Integrity Levels (PFD = 1 - Availability):

Level   Safety Availability    PFD
1       0.9 to 0.99            10E(-1) to 10E(-2)
2       0.99 to 0.999          10E(-2) to 10E(-3)
3       0.999 to 0.9999        10E(-3) to 10E(-4)
4       0.9999 to 0.99999      10E(-4) to 10E(-5)

Spurious Trip Rate Requirements (STR = Years between Spurious Trips): Refinery choice based on safety and economics.

Modified SIS Life Cycle: Develop Safety Requirement Spec

A Safety Requirement Specification (SRS) is required for the SIS and all associated SIFs. An SRS shall define:
All functional requirements for each SIF
All integrity requirements for each SIF

General Design Criteria for SIS/SIFs:

Specific requirements are defined in IEC-61511.
Complete System must meet required PFD & MTBF (Spurious)
Separation
Component Selections
System Configuration
Reduce or Eliminate Common Cause Failures
Eliminate Systematic Errors
Use proper Interlock By-Passing Design
Diagnostic Coverage

Complete System must meet required PFD & STR:
Sensors
Process Connections (Impulse Lines)
Transmitters
Input Wiring
I/O System
Logic Solver (Hardware & Software)
Output Wiring
Final Control Devices
Other Components

Separation of Safety Interlock System:
Must be independent from Basic Process Control System (BPCS)
Must be protected from contamination from Human Machine Interface (HMI) components
Must be housed in a separate enclosure
Must be well labeled and marked as a Safety Instrumented System

System Configuration:
Redundancy can improve MTBF (Fail to Danger) - PFD
Redundancy can reduce MTBF (Fail to Safety) - MTBF (Spurious)
Hot Standby and 2oo3 Logic Systems improve both Reliability and Availability

Redundancy and Hot Standby must be evaluated for all components of the Safety Instrumented System.

Common Cause Failures (CCF):
Power Supplies
Air Supply
Cabling
Environmental Conditions
Many others

Eliminate Systematic Errors:
Diversity
FAT
SAT
Third Party Review

Interlock By-Passing:
Key Lock Switches
Alarm when bypassed
Special Operating Procedures when bypassed

Improve SIL with increased Diagnostic Coverage:
Diagnostic Coverage: ratio of detectable faults (found through testing) to total possible faults.
Continuous Diagnostics (Logic Solver, Field Devices, Wiring)
Component Inspections
Component Testing
Transmitters vs. Switches
New Technologies for Field Equipment

New Technologies for Field Equipment:
On Line Testing Capabilities
Asset Management Systems
Equipment Reliability / Availability Reporting
Field Bus - Caution

Modified SIS Life Cycle: Conceptual SIS Design

Initial conceptual design for each SIF and the SIS shall be accomplished based on the applicable SRSs. Specific design requirements for the assigned SIL are defined within IEC 61511.

Modified SIS Life Cycle: Meet Specs.

Validation: the SIS/SIF design must be validated to demonstrate that:
All functional specifications are met
All integrity specifications are met

SIS/SIF Validation

Functional (as defined by SRS and in accordance with IEC 61511): Checklist to ensure that all functional requirements are met, such as:
Sensor Inputs
Logic Solver Requirement
Final Control Device
Safe State for all components
S/D Logic
Manual S/D
Bypassing
Reset
Special Startup Requirements
Human Machine Interface (HMI), typically via DCS

SIS/SIF Validation

Integrity Requirements (as defined by SRS and in accordance with IEC-61511):

System Architecture: To improve PFD and/or STR, redundancy may be required in system components.

System Test Interval: The testing interval for SIFs will affect the PFD of the system and must be within an acceptable period for process operations.

Equipment Selection:
Failure rate in dangerous mode
Facility experience with equipment
Diagnostic Coverage: component self testing and failure detection capabilities

PFD & STR Calculations: Simplified equations in accordance with ANSI/ISA S84.01 / TR84.02.

PFD & STR Validation:

[Diagram: the PFD and STR calculation covers every element of the SIF chain]
Sensor & connection to process
Sensor Wiring System
Logic Solver (typically shared for multiple SIFs)
Final Control Wiring System
Final Control Device & all associated actuation components
Interface with Process Control System or Human Machine Interface (HMI)

Methods for Validation of SIL (PFD Calculations)

Simplified equations for a single (1oo1), dual (1oo2) and triplicated (2oo3) architecture. Symbols: $\lambda_{DU}$ = undetected dangerous failure rate, $\lambda_{DD}$ = detected dangerous failure rate, $\lambda_{DF}$ = dangerous systematic failure rate, $\beta$ = common cause (beta) factor, $TI$ = test interval, $MTTR$ = mean time to repair.

1oo1:
$$PFD_{avg} = \left[\frac{\lambda_{DU} \cdot TI}{2}\right] + \left[\frac{\lambda_{DF} \cdot TI}{2}\right]$$
(second term: Systematic Failures)

1oo2:
$$PFD_{avg} = \left[\frac{(\lambda_{DU} \cdot TI)^2}{3}\right] + \left[\lambda_{DU} \cdot \lambda_{DD} \cdot MTTR \cdot TI\right] + \left[\frac{\beta \cdot \lambda_{DU} \cdot TI}{2}\right] + \left[\frac{\lambda_{DF} \cdot TI}{2}\right]$$
(terms, left to right: multiple failures, multiple failures during repair, Common Cause Failure, Systematic Failures)
Note: For short repair time, the MTTR term is insignificant.

2oo3:
$$PFD_{avg} = \left[(\lambda_{DU} \cdot TI)^2\right] + \left[3 \cdot \lambda_{DU} \cdot \lambda_{DD} \cdot MTTR \cdot TI\right] + \left[\frac{\beta \cdot \lambda_{DU} \cdot TI}{2}\right] + \left[\frac{\lambda_{DF} \cdot TI}{2}\right]$$
(terms, left to right: multiple failures, multiple failures during repair, Common Cause Failure, Systematic Failures)
Note: For short repair time, the MTTR term is insignificant.

Methods for Validation of Prevention of Spurious Shutdowns (MTTF Spurious Calculations)

Symbols: $\lambda_S$ = spurious trip rate for each component, $\lambda_{SF}$ = safe systematic failure rate for each component, $\lambda_{DD}$ = dangerous detected failure rate for each component.

1oo1:
$$STR = [\lambda_S] + [\lambda_{SF}] + [\lambda_{DD}]$$
(terms: spurious trips, Systematic Failures, Detected Failure rate)

1oo2:
$$STR = 2 \cdot \left[(\lambda_S) + (\lambda_{DD})\right] + [\lambda_{SF}]$$
(terms: spurious trips and Detected Failure rate of either channel, Systematic Failures)

2oo3:
$$STR = 6 \cdot \left[(\lambda_S + \lambda_{DD})^2 \cdot MTTR\right] + [\lambda_{SF}]$$
(terms: two channels tripping within one repair time, Systematic Failures)
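The SIL band table, the simplified PFD equations and the STR equations above, worked through in code. This is an added example and not from the presentation; the failure rates, test interval, MTTR and beta factor are constructed values, and splitting the dangerous rate into detected and undetected parts by diagnostic coverage is the usual convention, not something the slides state.

```python
from dataclasses import dataclass

@dataclass
class Component:
    """Per-component failure rates (per hour). Constructed values, not from the slides."""
    lam_d: float   # total dangerous failure rate
    dc: float      # diagnostic coverage: detectable dangerous faults / total dangerous faults
    lam_s: float   # spurious (safe) trip rate
    lam_sf: float  # safe systematic failure rate
    lam_df: float  # dangerous systematic failure rate
    @property
    def lam_dd(self):  # detected dangerous rate (found by on-line diagnostics)
        return self.dc * self.lam_d
    @property
    def lam_du(self):  # undetected dangerous rate (found only at proof test; drives PFD)
        return (1.0 - self.dc) * self.lam_d

def pfd_avg(c, arch, ti, mttr, beta):
    """Simplified PFDavg for 1oo1 / 1oo2 / 2oo3, term for term as in the slide equations."""
    du, dd, df = c.lam_du, c.lam_dd, c.lam_df
    systematic = df * ti / 2            # systematic-failure term, all architectures
    common_cause = beta * du * ti / 2   # common-cause term, redundant architectures only
    if arch == "1oo1":
        return du * ti / 2 + systematic
    if arch == "1oo2":
        return (du * ti) ** 2 / 3 + du * dd * mttr * ti + common_cause + systematic
    if arch == "2oo3":
        return (du * ti) ** 2 + 3 * du * dd * mttr * ti + common_cause + systematic
    raise ValueError(f"unknown architecture {arch}")

def spurious_trip_rate(c, arch, mttr):
    """Spurious trips per hour (slide STR equations); 1 / (STR * 8760) = years between trips."""
    s, dd, sf = c.lam_s, c.lam_dd, c.lam_sf
    if arch == "1oo1":
        return s + dd + sf
    if arch == "1oo2":
        return 2 * (s + dd) + sf
    if arch == "2oo3":
        return 6 * (s + dd) ** 2 * mttr + sf
    raise ValueError(f"unknown architecture {arch}")

def sil_from_pfd(pfd):
    """Slide's IEC 61511 table: SIL1 = 1E-1..1E-2 ... SIL4 = 1E-4..1E-5; 0 = no SIL, None = below table."""
    if pfd >= 1e-1:
        return 0
    bands = ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5))  # (SIL, lower PFD bound of band)
    return next((sil for sil, low in bands if pfd >= low), None)

# Constructed example input: 1-year proof test interval (8760 h), 8 h repair, 5 % beta factor
EXAMPLE = Component(lam_d=1e-6, dc=0.6, lam_s=2e-6, lam_sf=1e-7, lam_df=2e-8)
TI, MTTR, BETA = 8760.0, 8.0, 0.05
```

With these inputs the single channel lands in SIL 2 while both redundant architectures reach SIL 3, and the 1oo2 arrangement roughly doubles the spurious trip rate while 2oo3 cuts it sharply, which is the PFD-versus-STR trade-off the System Configuration slide describes.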

Modified SIS Life Cycle: Perform Detail SIS Design

Once SIS/SIFs have been validated, detailed design can be performed. IEC 61511 provides design requirements and acceptable practices.

Modified SIS Life Cycle: SIS Installation and Commissioning

SIS/SIF Verification: Prior to installation (if applicable), SIS/SIFs shall undergo Factory Acceptance Testing (FAT) in accordance with procedures defined in IEC 61511. IEC-61511 provides installation requirements and acceptable procedures. After installation the SIS/SIF shall be subject to Site Acceptance Testing (SAT) in accordance with procedures defined in IEC 61511.

Modified SIS Life Cycle: Establish Operations & Maintenance Proc.

New or revised operating procedures shall be developed detailing the effects of the SIS/SIFs on facility operation.

New or revised maintenance procedures shall be developed detailing:
Routine maintenance of SIS/SIFs
Periodic proof testing procedures based on the Test Interval established with the SRS integrity requirements

Modified SIS Life Cycle: Pre-Startup Safety Review (PSSR)

A Pre-Startup Safety Review in accordance with Refinery PSM requirements shall be accomplished prior to SIS/SIF startup.

Modified SIS Life Cycle: Operations, Testing, and Maintenance

The SIS/SIFs shall be operated and maintained (including periodic proof testing) in accordance with IEC-61511.

Modified SIS Life Cycle: Modify or Decommission

SIS Decommissioning
