Big Chemical Encyclopedia


Operator-initiated SIF

A risk reduction equal to or greater than 10 can be claimed where an operator, as a result of an alarm, takes action to place the process in a safe state. To take credit for a risk reduction equal to or greater than 10, a risk analysis should be performed to verify its feasibility. It is especially important to determine whether there is sufficient human response time. Refer to Annex B.5 for more discussion on human response time. [Pg.48]

Copyright International Society of Automation. Provided by IHS under license with ISA. [Pg.48]

No reproduction or networking permitted without license from IHS. [Pg.48]

An operator-initiated SIF is often associated with a never exceed never deviate alarm, where the operator is expected to mitigate risk in much the same manner as an automated SIF. Operator-Initiated SIFs are generally used when it is not possible to completely automate the function. The manually initiated action is typically comprised of the sensor detecting the hazardous condition, the logic solver that determines that the safety condition exists, alarm presentation, human response, and the equipment used by the operator to bring the process to a safe state. When risk reduction is taken for an operator-initiated SIF, the PFDavg should be determined for the instrumented system. This is discussed further in B.6. [Pg.49]

Finally, when allocating risk reduction, it is important to remember that one operator equals one response. Multiple alarms generally do not yield higher performance because the operator is the single point of failure for the necessary response. If the team has allocated risk reduction to an operator action in the BPCS layer, additional risk reduction should not be taken for an operator action allocated to the SIS layer for the same hazard scenario unless a detailed analysis is performed. When examining the overall risk reduction that can be provided by the alarms, it is important to recognize the potential for common-mode failure due to operator or procedural error. [Pg.49]


ANSI/ISA-84.00.01-2004-1 establishes the premise that operator action can be a part of an SIF. The capability of the operator should be addressed when allocating risk reduction to an operator-initiated SIF. [Pg.47]

As shown in Table B.1, the hazard and risk analysis may identify operator actions that are allocated to the SIS layer. When risk reduction is taken for an operator-initiated SIF, the evaluation of the PFD of an operator-initiated SIF is performed similarly to the evaluation of an automatic SIF. Figure B.1 is a representation of an operator-initiated SIF. This figure is adapted from ANSI/ISA-84.00.01-2004-1, Clause 3.2.72, Figure 7. [Pg.52]

The verification of the operator-initiated SIF should consider the potential for operator error using user-approved criteria or analysis techniques. This assessment should include the human interface design and operating procedures. [Pg.52]

A simplified example of an operator-initiated SIF architecture is provided in Figure B.2. Figure B.3 provides an example of the use of Fault Tree Analysis to evaluate the PFDavg of the example architecture. [Pg.52]

Figure B.2 - Operator initiated SIF action to close valve on high pressure...

The actions required to maintain safe operation during degraded or disabled states should be defined for each SIF. Refer to ISA-TR84.00.04-1, Annex B, for a discussion of operator-initiated safety functions and ISA-TR84.00.04-1, Annex F, for a discussion of the relationship between the SIS and BPCS. Any procedures required to continue safe operation should also be documented, followed by training of operation and maintenance personnel. [Pg.225]

Step 1 - Complete the LOPA without taking any credit for the SIF. First, determine the initiating events from HAZOP/What-if/FMEA study. Next, evaluate frequencies of all initiating events from company database and industry experience. Then, determine the probability that each IPL will function successfully from an industrial database. PFDavg of some typical protection layers are (CCPS, 2000): BPCS control loop = 0.10; operator's response to alarm = 0.10; relief safety valve = 0.01 to 0.001; and vessel failure probability at maximum design pressure = 10 ". Finally, compare the calculated risk with the tolerable risk target... [Pg.86]

SIF description detailing the process variables measured and voting architecture, decision logic for initiation of the mitigating action, and the final elements and voting architecture along with any equipment necessary for actuation of the final elements (relays, solenoid operated valves etc.). Any support systems required for SIF, such as air/hydraulic/electrical supply should be documented. [Pg.44]

Is the possibility of accidental operator activation of SIF initiation minimized ... [Pg.51]

A demand mode SIF operates in response to a process demand that occurs when the process deviates from normal operation to the extent that action must be taken to prevent the process variable from exceeding the safe operating limits. The majority of SIF experience infrequent demands (i.e., less than once per year), so they operate in what is known as low-demand mode. As the demand rate increases, there is a transition from low-demand mode to continuous-mode operation. Continuous mode SIFs act continuously to prevent the hazard such that the dangerous failure of the SIF results in an immediate hazard. In other words, the dangerous failure of the SIF is an initiator of the hazardous event. [Pg.154]

Looking at a variation of this example, assume now that the filling operation is performed daily or 365 times per year. Also, assume that the operator follows the original procedure by monitoring the process variable and terminating the feed prior to SIF initiation. Using the calculation presented previously, the demand rate would be ... [Pg.156]

The estimated hazard rate (1/27 years) is higher than the SIF failure rate (1/50 years), which is not possible. Instead, the analysis should have considered that the SIF is actually operating in a high-demand mode (i.e., the SIF is the initiating cause), and the hazard rate is limited by the SIF failure rate or 1/50 years. The mechanical integrity of the SIF should be sufficient to ensure that its failure rate is equal to or less than 1/50 year. [Pg.157]

Temperature control of a batch reactor. In a particular batch reaction process, temperature control is critical to the safe operation of the process, as excess heat resulting from control failure could cause a runaway reaction. The reaction kinetics are such that insufficient time is available for an operator to respond to a high-temperature alarm. It was also determined that any actions initiated by a high-temperature SIF would be inadequate to prevent an overpressure demand on the rupture disk due to the response time of the sensor. [Pg.157]

Hazardous by-product forming. A hazardous by-product is formed in a chemical reaction at a very small rate (ppm). The only control is on the main reaction. The by-product accumulates over a month in the reactor and becomes a hazard when it reaches a certain concentration. An online analyzer for the by-product stopping the recycle stream when high concentration is detected provides the only protection against this hazard and was initially defined as an SIF. Under normal operation, the demand on the SIF occurs four times a year. This indicates that it may be more appropriate to consider this as a high-demand mode SIF. The final determination depends on the dangerous failure rate of the analyzer function. [Pg.158]

The SIF could be implemented using a dedicated pressure transmitter on the reactor and a dedicated solenoid-operated valve on each control valve. The SIF would not allow air to control valve positioners unless the pressure was < 5 Barg. This SIF design was determined to not be sufficiently independent of the initiating cause since it relied on the control valve for isolation. [Pg.159]

A block valve will be closed by the SIF if the BPCS control valves are determined to be open by limit switches, and the pressure in the vent line is too high. The required response time could be met using quick vents (fast-acting solenoids) to rapidly close the isolation valves. The presence of 2 conditions is necessary for the SIF to operate, increasing the SIF complexity. The 2 conditions and the response are independent of the initiating cause. However, the use of the limit switch addresses the failure mode that the valve opens completely, but does not address the failure mode that the control valve may not seat properly (partial failure). [Pg.160]

Mode of operation. Although the SIF operates as part of normal operation 4 times per day, the SIF is not operating in continuous mode. The SIF dangerous failure is not the initiating cause of the hazardous event. The operating mode is determined by the process demand from a hazards standpoint. The hazardous event caused by misoperation of the control valve failure is estimated at 1/10 years. The SIF operates in demand mode with regard to the hazard. [Pg.161]

In this case, the process engineer determined that upon detection of a dangerous fault, the SIF should be initiated. A diagnostic alarm is displayed on the BPCS HMI to alarm when the SIF level signal falls below -5%, which indicates a failure of the SIF level transmitter. When the operator receives the alarm, the operator manually activates the SIF per the operating procedures to bring the system to a safe state. The hazard and risk analysis indicated that there was sufficient process safety time for the operator to respond effectively (refer to Annex B for more information on operator alarm with response). Alternatively, the SIF could be configured such that on detection of transmitter failure, the SIF is automatically initiated. [Pg.230]

This upset initiates a runaway reaction that can catastrophically rupture the reactor. The impact of this event was judged to be extensive, which, as discussed in Table 6 Note 1, leads to a tolerable frequency of 10 /year for a single scenario. Several failures in the control system could cause this upset, with operating experience indicating that this type of upset occurs about once every 10 years. Protection per Table 5 was the Shortstop addition, but the runaway reaction may be too fast for the operator to respond to an alarm. This protection layer is not included for risk reduction. The area is normally occupied, so it was assumed that personnel could be impacted by the event. The pressure safety valves (PSVs) are only estimated to be 90% effective, since plugging is a common problem in this service. Since the PSVs share a common relief line, they are conservatively considered to be a single Independent Protection Layer. This led to an intermediate event likelihood of a 10 per year. Per the conservative assumptions used in this example, only the PSVs qualified as an IPL. The PHA team reviewed all the process safety risk issues and decided that a SIF was appropriate. As shown in Table 7, this requires a SIL 3 SIF. [Pg.28]

Since initiating causes for scenarios 1 through 8 put demands on elements of the same SIFs, the demands must be summed to determine the mode of operation for each SIF. In this example, they sum to 0.8 demands/year, which is less than half the test frequency for the SIFs. Therefore, each SIF will operate in low demand mode. See ISA-TR84.00.04, Part 1, Annex I for guidance on demand versus continuous mode of operation. [Pg.36]



© 2024 chempedia.info