Safety instrumented function equipment

Figure 12-5 illustrates a second example using two transmitters. However, only one transmitter is part of the safety instrumented function equipment set. For this application signal comparison to achieve high diagnostics is done in the Safety PLC. It is also recommended that the BPCS transmitter be hardwired to the Safety PLC. This hardwiring could be via a signal splitter as shown. 

In some industries, the target periodic test interval corresponds with a major maintenance cycle, for example, two, three, or even five years. In other industries, a periodic inspection must be done more frequently. If these tests must be performed while the process is operating, online test facilities are designed into the system. A periodic inspection and test plan is required for aU the instrumentation equipment in each safety instrumented function. 

Once the technology, architecture, and periodic test intervals are defined, the designers do a reliability and safety evaluation (Ref. 14 and 15) to verify that the design has met the target safety integrity level and reliability requirements. In the past, this probabilistic evaluation has not been part of a conventional design process. The effort requires gathering failure rate data as a function of failure modes for each piece of equipment in the safety instrumented function. 

The commonality of a SIS and a BPCS has led many to treat the design process for each the same. Some even use their control equipment to perform the safety instrumented functions. 

Emphasis should be placed on the last phrase of the SIF definition, "specific hazardous event." This phrase helps one clearly identify what equipment is included in the safety instrumented function versus auxiliary equipment not actually needed to provide protection against the hazard. 

It seems logical to list the following equipment for this safety instrumented function pressure transmitter, logic solver, inlet feed valve, pump control relay, and outlet isolation valve. However, for each piece of equipment ask the question, "Is this piece of equipment needed to protect against the specific hazardous event " In this case, the pump is turned off just to protect the pump from backpressure burnout. (NOTE - This may be part of another safety instrumented function.) The outlet isolation valve is closed in order to avoid process disruptions in the remainder of the plant. Neither is required to protect against the hazard and should not be included in the SIF verification calculation. The pump control relay may be part of another SIF intended to protect the pump. However, it is likely that this SIF may have a lower safety integrity requirement. 

A cause and effect diagram shows logic for a function where two valves will be closed and a pump will be de-energized when either of two pressure sensors senses that pressure in a vessel goes too high. Valve 1 cuts off inlet feed to reduce pressure in the vessel. Valve 2 closes the outlet to prevent process disturbance downstream. De-energizing motor contactors turn off the pump in order to prevent pump failure. What equipment is part of the safety instrumented function ... 

The fault tree method requires that one define an undesirable event (often called the "top event"). Consider the equipment set used for the safety instrumented function in Figure 5-6. A fault tree drawing shown in Figure 5-7 shows a top event defined as probability of failure on demand for the safety instrumented function shown in Figure 5-6. 

It should be noted that the above failure mode categories apply to an individual instrument and may not apply to the set of equipment that performs a safety instrumented function because the equipment set may contain redimdancy. It should be also made clear that the above listings are not intended to be comprehensive or representative of all component types. 

Some practitioners recognize that certain failures within equipment used in a safety instrumented function prevent the automatic diagnostics from correct operation. When reHabihty models are built, many account for the automatic diagnostics ability to reduce the probabihty of failure. When these diagnostics stop working, the probability of dangerous failure or false trip is increased. While these effects may not be significant, unless they are modeled, the effect is not known. 

Some failures within a piece of equipment have no effect on the safety instrumented function, nor cause a false trip, nor prevent automatic diagnostics from working. Some functionality performed by the equipment is impaired, but that functionality is not needed. These may simply be called "No Effect" failures. They are typically not used in any reHabihty model intended to obtain probability of a false trip or probabihty of a fail-danger. Per 1EC61508, these would be classified as "Fail-Safe" or may be excluded completely from any analysis depending on interpretation of the analyst. 

PFD average (PFDavg) is a term used to describe the average probability of failure on demand. PFD will vary as a function of the operating time interval of the equipment. It will not reach a steady state value if any periodic inspection, test, and repair is done. Therefore, the average value of PFD over a period of time can be a useful metric if it assumed that the potentially dangerous condition (also called hazard) is independent from equipment failures in the safety instrumented function. 

The assumption of independence between hazards and safety instrumented function failures seems very realistic. (NOTE If control functions and safety functions are performed by the same equipment, the assumption may not be valid Detailed analysis must be done to insure safety in such situations, and it is best to avoid such designs completely.) When hazards and equipment are independent, it is realized that a hazard may come at any time. Therefore, international standards have specified that PFDavg is an appropriate metric for measuring the effectiveness of a safety instrumented function. 

A set of equipment used in a safety instrumented function is non-redundant (lool). The total dangerous detected failure rate is 0.002 failures per year. The total dangerous undetected failure rate is 0.0005 failures per year. Restore time average is 168 hours. The equipment is inspected and tested every two years with 100% test coverage. What is the PFD What is the PFDavg ... 

Equipment used in a safety instrumented function must be carefully chosen. The instrumentation must be fuUy capable of performing the functional requirement. All equipment must be justified so that the end user is totally confident that the instrumentation wiU properly perform in... 

The safety and availability of a set of equipment used for a safety instrumented function may benefit from testing. However, that depends on redundancy and how often the demand occurs. Three modes of operation have been defined in lEC 61508 for equipment providing a safety instrumented function continuous demand mode, high demand mode and low demand mode. This book will use the lEC 61508 definitions to designate those three different situations. 

Problem A set of non-redundant (loot) equipment is used to implement a safety instrumented function. Within the equipment, automatic diagnostics complete execution every one second. The instrument is programmed to take the process to a safe state when an internal failure of the equipment is detected. A dangerous condition occurs every one minute on average. What is the mode of operation and can the automatic diagnostics be given credit in the probability of failure calculation ... 

The first step in the calculation process is to properly identify the equipment required for each safety instrumented function. All equipment associated with a particular SIF must be classified into "primary" -equipment needed to provide the required protection against the identified hazard and "auxiliary" - equipment that provides useful functionality but not required to protest against the hazard. This classification is important because only primary equipment is included in the PFDavg analysis and the SFF analysis. 

Problem A safety instrumented function is identified in a SRS. If a low liquid level is detected in a separation unit, the outlet valve must be closed to protect downstream equipment from high pressure blow-by which is the identified hazard. The inlet valve must also be closed, a pump must be turned off to avoid pump damage and the inlet valve for another process unit must be turned off to minimize process disruption. The logic for this function is given in a cause and effect diagram shown in Figure 7-3. What equipment is classified as primary versus auxiliary ... 

Solution For each piece of equipment related to the safety instrumented function, one must ask if that equipment is needed to protect against the specified hazard. In this SIF, the hand-switch was added only to meet local regulatory requirements and is not part of the automatic protection so it is excluded. The pump is turned off to protect it from overload so it is not part of this SIF. The inlet valve for the other unit does not have to close to protect against this hazard so it is excluded. Although the need for the inlet valve closure is debatable, it does help reduce downstream pressure and was therefore included in the SIF. The SIF primary equipment is the LT-2025 level sensor, the VI-2002 Inlet Valve and the VI-2003 Outlet Valve. This is marked in the cause and effect diagram with an X. Other equipment is auxiliary. It is marked in the cause and effect diagram with an A. This information must be documented in the Safety Requirements Specification (SRS). 

Problem A set of non-redundant (hardware fault tolerance = 0) safety equipment is used to perform a safety instrumented function in continuous demand mode. Diagnostic time is given as one second. The following failure rate data is obtained when adding the failure rates of the categories of all components ... 

Table 13-2 shows the data used for the various components in calculating the PFDavg for the Case 1, high line pressure safety instrumented function. In addition to this data the "mission time" of the processing unit must be known. For process equipment this is the operating time interval between major turnarounds where the SIF equipment is completely tested, re-built and restored to like new condition. The example will use ten years. 

As part of the SIL selection, more than one safety instrumented function may have to be defined because there are different hazardous events associated with the loss of level. One SIP can be associated with the loss of the pump and another SIF can be associated with the effects on downstream equipment. Since the consequences, likelihood, and safeguards are different for the various hazardous events, the SIL determined can be different for each SIF. The SRS for each SIF must clearly state the hazardous event being mitigated or prevented by each individual SIF. 

All equipment used in the SIS must be classified as a safety instrumented system. The design, installation, operation and maintenance process must follow all the rules of ANSl/lSA-84.00.01-2004 (lEC 61511 Mod), put there to prevent systematic faults. If this is not done, the standard clearly states that any safety instrumented function cannot have a risk reduction greater than 10. This is the bottom of SlLl range so, in effect, that design cannot meet SIL 1 requirements. The practical effect of this requirement is that a designer cannot combine control functions and safety functions in the same equipment imless the equipment is classified as a safety instrumented system and follows aU the design rules of the standard. 

The next task is an analysis showing that no control system failure can cause an initiating event that can result in a hazard. If control system failure can initiate a hazardous sequence, then safety instrumented functions MUST NOT be designed into common equipment without detailed quantitative risk analysis. That language in the standard is strong and clear. Most of the time, initiating event analysis shows a problem with combined control and safety. 

NOTE 3 The required frequency of dangerous failures per hour for a continuous mode safety instrumented function is determined by considering the risk (in terms of hazard rate) caused by failure of the safety instrumented function acting in continuous mode together with the failure rate of other equipment that leads to the same risk, taking into consideration contributions from other protection layers. 

Safety instrumented function SIF stands for safety instmmented function. A set of control equipment intended to reduce the risk due to a specific hazard. SIF is designed to control, prevent, or mitigate a specific hazard and takes the process to... 

HIPS are critical safety systems, essentially replacing pressure relief and/ or flare systems. These systems are used to provide overpressure protection and/or flare load mitigation for process equipment, pipelines, wellhead flowlines, gas manifolds, or other special purpose applications. Technically HIPS is a safety instrumented function that consists of a set of components, such as sensors, logic solvers, and final control elements (e.g., valves), arranged for the purpose of taking the process to a safe state when predetermined conditions are violated. The HIPS shall operate independently and be completely separate from the basic process control system (BPCS). 

An SIS s correct operation requires a series of equipment to operate properly. The specific control functions carried out by a safety instrument system are known as safety instrumented functions (SIF). The overall objective of design, implementation, and follow-up of an SIS is ensuring that the SIS is able to carry out effectively its intended safety functions, when specific process demands occur. 

Many of the basic non-SIS solutions are built into processes through the experience of the equipment or process engineers before the HAZOP study is started. Any proposed safety instrumented functions will be reviewed at this stage. The HAZOP study validates these solutions and records them and often adds several more good basic safety solutions. 

Structural Fatigue and Failure Damage to Equipment Equipment Malfunction Vibration (and Noise) Control for Personnel Safety and Function Comfort, Acceptance, product "Feel" Effects on Instruments, Processes, and Precision Equipment... 

---