Safety instrumentation systems protection layers

Layer of Protection Analysis (LOPA) Scenario- based Order-of- magnitude By preidentified scenario Processes likely to require independent protection layers, such as safety instrumented systems, to meet predefined risk criteria Dependent on comprehensiveness of scenario list identified by other method(s) Higher... 

The international standard IEC 61511 [2] gives advice on the design of safety instrumented systems (SIS) and presents a layer concept to achieve reliability of protection systems. These principles can be applied to the protection of chemical reactors [3]. Figure 10.3 represents this layer of protection principles. The first layer is the process itself, meaning that it should be designed in such a way that it cannot give rise to a runaway reaction. Some concepts for achieving this objective are reviewed in Section 10.3. 

Addition of layer of protection analysis (LOPA) in PHA to determine the safety integrity level (SIL) gap for safety instrumented systems (SIS)... 

Control System (BPCS), including functions of Supervisory Control and Data Acquisition (SCADA) system, the alarm system (AS) and Safety Instrumented Systems (SIS) performing defined Safety Instrumented Frmetions (SIF). Proper design of layers of protection is based on hazards analysis and risk assessment with consideration of human and organizational factors. It is essential to ensure required safety integrity level (SIL) for each of these layers. 

The level of overall availability for a system component is calculated as 1 minus the sum of the average probability of dangerous failure on demand. SIL-1 availability of 90-99 percent SIL-2 availability of 99-99.9 percent SIL-3 availability of 99.9-99.99 percent. See also Layers of Protection Analysis (LOPA) Safety Instrumented Function (SIF) Safety Instrumented System (SIS). 

NOTE 1 A safety instrumented function is considered to be entireiy dependent on a subsystem if a faiiure of this subsystem results in a failure of the safety instrumented function in the safety instrumented system under consideration, and the safety instrumented function has not also been allocated to another protection layer (see Clause 9). 

The team should examine how the safety functions are allocated to each protection layer, such as the basic process control system or safety instrumented system. The assessment should focus on minimizing the common-cause failures between the safety functions associated with each identified process hazard. Then, each protection layer should be reviewed to ensure that adequate independence and separation is provided between layers. 

ANSI/ISA-84.00.01-2004-1 introduced the concept that safety functions are identified during the hazard and risk analysis and allocated to protection layers. When the safety function is allocated to the safety instrumented system, the function becomes a safety instrumented function. The SIF is designed to mitigate a specified safety-related process risk using sensor(s), logic solver(s), and final element(s). At this time, SIF is a process industry sector specific term. 

Safety instrumented system (SIS) SIS is meant to prevent, control, or mitigate hazardous events and take the process to a safe state when predetermined conditions are violated. An SIS can be one or more SIFs, which is composed of a combination of sensors, logic solvers, and final elements. Other common terms for SISs are safety interlock systems, emergency shutdown (ESD) systems, and safety shutdown systems (SSDs). So, SIS is used as a protection layer between the hazards of the process and the public. SIS or SIF is extremely important when there is no other non-instrumented way of adequately eliminating or mitigating process risks. As per recommendations of standards lEC 61511 2003 (or ANSI/ ISA-84.00.01-2004), a multi-disciplinary team approach following the safety life cycle, conducts hazard analysis, develops layers of protections, and implements an SIS when hazardous events cannot be controlled, prevented, or mitigated adequately by non-instrumented means. 

Fault tree for overpressure example (Fig. VII/1.2.2-1). BPCS, basic plant control system C Valve, control valve E/E/PE, electrical/electronics/programmable electronics IPL, independent protection layer PHA, plant hazard analysis SIS, safety instrumentation system. 

Event tree for field process (Fig. VlIl/1.2.2 1) with independent protection layer (IPL) but without safety instrumentation system (SIS). 

The importance of safety systems has been gradually increasing in oil and gas industry. In general, safety systems, which are different and independent from each other, are considered to provide multiple protection layers. The typical multiple protection layers installed in oil and gas facilities are BPCS (Basic Process Control System), SIS (Safety Instrumented System) and Physical Mitigation System. 

The SIS safety requirements specification should be developed in association with the non-SIS protection layers. The lEC 61508 standard calls for the overall safety requirement to be defined first in phase 4 followed by an allocation phase 5, which defines the sharing of protection duties across the layers of protection. The final SRS for the safety-instrumented system is then part of the detail design activities for the SIS known in lEC terms as the realization phase (phase 9). This procedure can be rather confusing at first but it appears to be designed to ensure that the basics of the SRS are in place and verified before the design team goes too far with the technical specifications for the SIS. 

An example of a risk situation is used in this exercise. We are asked to use layers of protection analysis to arrive at a risk reduction model for the situation. The quantitative analysis method is then used to define the safety integrity level (SIL) required for the safety instrumented system. This model can also be used to check the practical application of qualitative methods for determining SILs. 

To define the layers of protection proposed for a polymer autoclave to reduce the risk of exposing site persoimel to toxic vapors. To draw a risk reduction model incorporating the layers of protection and use the model to decide the required SIL for the safety instrumented system. ... 

NOTE — This example is used with permission from AlChE, CCPS, Guidelines for Safe Automation of Chemical Processes, New York, 1993, available from AlChE, 345 East 47th Street, New York, NY 10017, Tel (212) 705-7657 and Process Industry Practices (PIP), Safety Instrumented Systems Guidelines, available from Process Industry Practices (PIP), 3925 West Braker Lane (R4500), Austin, TX 78759, Tel (512) 232-3041, www.PIP.org. The example Is modified to meet ANSI/ISA 84.00.01-2004 (lEC 61511 Mod) requirements. This example was chosen to facilitate understanding of SIS application as it progressed from CCPS Guidelines dated 1993 to ANSI/ISA S84.01-1996, to ANSI/ISA 84.00.00.01-2004 (IEC 61511 Mod). This example was also used in Appendix B of AlChE, CCPS, Layer of Protection Analysis, Simplified Process Risk Assessment, 2001. 

LOPA is a semi-quantitative tool for analyzing and assessing risk. This method includes simplified methods to characterize the consequences and estimate the frequencies. Various layers of protection are added to a process, for example, to lower the frequency of the undesired consequences. The protection layers may include inherently safer concepts the basic process control system safety instrumented functions passive devices, such as dikes or blast walls active devices, such as relief valves and human intervention. This concept of layers of protection is illustrated in Figure 11-16. The combined effects of the protection layers and the consequences are then compared against some risk tolerance criteria. 

General References Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples, American Institute of Chemical Engineers, New York, 1992 Layer of Protection Analysis A Simplified Risk Assessment Approach, American Institute of Chemical Engineers, New York, 2001 ISA TR84.00.02, Safety Instrumented Functions (SIF)—Safety Integrity Level (SIL) Evaluation Techniques, Instrumentation, Systems, and Automation Society, N.C., 2002. 

SIS This is the first automatic protection layer to BPCS and second overall layer of protection. It is desired that this shall be independent of BPCS. Even if these are combined it is necessary to ensure that single failure does not take toll of safety. SIS may stop part of plant operation and/or diverts some flow safely, etc. It may have separate set of instrumentation to detect and take safety action in the event of instrument/system failure. It has to be more aggressive than BPCS for safety functions. Under SIS, there will be several interlocks and protections to save the system and in many places like off shore design, ESD is considered as last resort or emergency plan achievable through PEs. 

Approach to safety requirement specification (SRS) as per lEC 61511. LOPA, layer of protection analysis SIF, safety instrument functions SIL, safety integrity level SIS, safety instrumenmtion system. 

For a non-SIL alarm function (in this context, a function that does not conform to the requirements of BS EN 61511 -1 for a safety instrumented function) an overall PFDavg of no less than 0.1 (see BS EN 61511 -1 Table 9) may be used. If, however, there is a view that there could be some increased time pressure on the operators, or other factor making the task conditions less favourable then a higher overall probability of failure may be considered. Note that a component of the protection layer may have a PFD lower than 0.1, but when combined with the rest of the system, it cannot result in an overall PFD lower than 0.1. 

---