Houston ISA October, 2015

Dan Poston P.E.

Instrument & Controls Consulting Engineer, Lyondellbasell

Dan Poston, PE, TÜV FS Eng Safety Instrumented Systems Engineer

Global Engineering Services (GES)

Tel. +1 281.862.5637

Cell +1 713.502.9435

Daniel.Poston@lyb.com

Dan.poston@yahoo.com Cell 713-430-6280

27 years’ experience in instrumentation, analytical systems, safety instrumented and basic process control systems. My current assignment is an Instrument, Electrical, and Controls Manager for the largest ethylene production facility expansion project. Hold a Masters and Bachelor degree in Electrical Engineering from Purdue University. His advanced academic studies include control systems, probabilistic methods, and microwave engineering.

A little about myself

Safety Moment

Typical Safety Instrumented Function (SIF)

Machinery Protective Function

API 670 Machinery Protection Systems

API Requirements 5th Edition

SIL Verification ◦ Reliability data

◦ API Recommendations

3

5

Trip Valve

Process

A/I Module

Safety PLC

D/O Module

DCS

SIS BPCS

Machinery Protective Function

Mitigation against Mechanical damage and production losses

Mitigation against Safety Hazards

Safety Requirements Specification (SRS)– Defines the performance criteria needed to place the machine in a safe state to mitigate a specific hazard.

Safety Integrity Level (SIL) Verification validates that the Machinery Protection System (MPS) satisfies the SIL requirements as defined in the SRS.

6

Governor/Surge Control

OSD ◦ Turbine Overspeed

ESD/SIS ◦ Low Lube Oil Pressure ◦ Low lube Oil Level ◦ Other Process conditions

Condition Monitoring System ◦ Turbine thrust ◦ Compressor thrust ◦ Axial displacement ◦ Bearing temperature

7

8

Vibration / Oil Press / Temp / Level

Sensor & Extension Cables

Sensors

Signal Cables

Signal Conditioners

(where required)

Relays

Power Supplies Display / Indicators

Inputs / Outputs Signal

Conditioning Alarms

Shutdown Logic Processing

Governor and Surge Control

Sensor & Extension Cables

Sensors

Signal Cables

Signal Conditioners

(where required)

Relays

Power Supplies Display / Indicators

Inputs / Outputs Signal

Conditioning Alarms

Shutdown Logic Processing

Overspeed Detection

Sensor & Extension Cables

Sensors

Signal Cables

Signal Conditioners

(where required)

Relays

Power Supplies Display / Indicators

Inputs / Outputs Signal

Conditioning Alarms

Shutdown Logic Processing

Final Element Shutdown Element (Solenoids, actuators, valves, etc.)

Shutdown System (ESD) Relays

Other Inputs Speed

Control Element

Relays

“API publications are published to facilitate the broad availability of proven, sound engineering and operating practices. These publications are not intended to obviate the need for applying sound engineering judgment regarding when and where these publications should be utilized. The formulation and publication of API publications is not intended in any way to inhibit anyone from using any other practices.”

The 5th edition references IEC61508 ◦ section 4.11.1

If specified, the requirements of Safety Instrumented Systems (SIS) shall apply to some or all of the machinery protection system.

The machinery protection system supplier(s) shall provide the reliability/performance documentation to allow the SIS supplier to determine the safety integrity level for the SIS.

SIS requirements are specified by IEC 61508.

11

Purchaser 4.11.1 ◦ Perform risk assessment for the unit, including

machinery

◦ Assign SIL for each machine protection function

◦ Include in RFQ for supplier to comply w/ assigned SIL

Supplier 4.11.1 ◦ Provide failure rate, FMEDA data for SIL

determination

Supplier 4.11.2 ◦ Support SIL verification activity

12

Supplier 4.17 ◦ Advise if any component is designed for a finite life

Sec. 6.1.7.1 ◦ Three separate passive magnetic speed sensors for OSD

Sec. 8.4.3.6 ◦ The electronic overspeed detection system design shall conform to

standards IEC61508, IEC61511, IEC62061(Machine Protection), or ISO13849 (Machine Protection).

Sec. 8.4.4 ◦ Maximum allowable rotor speed shall be determined (Annex O). System

response times (sensor, solver, relays, solenoid, valve, piping system delays, etc..) are needed to determine the max rotor speed.

13

12.4.11 Every component of the shutdown function

shall have the ability to be tested while the equipment is in operation. With the exception of the Trip valve.

12.3.3 Electro-hydraulic Solenoid Valves ◦ Shall be de-energized to shutdown

No other device between the SOV and the trip valve

◦ Shall have facilities to allow on-line testing

◦ The most common cause for an electro-hydraulic valve is silting of the spool.

Mechanical overspeed device. 1 IPL

Electronic overspeed added assign SIL1 or 2? Needs to meet IEC61511 requirement

Electronic overspeed a Logic solver

15

16

Overspeed Detection

Sensor & Extension Cables

Sensors

Signal Cables

Signal Conditioners

(where required)

Relays

Power Supplies Display / Indicators

Inputs / Outputs Signal

Conditioning Alarms

Shutdown Logic Processing

Final Element Shutdown Element (Solenoids, actuators, valves, etc.)

17

Probe #1

Probe #2

Probe #3

Protech or Turbosentry

R1

R2

R3

Shutdown Alarm

2oo3 Voter

ESD/SIS

Hydraulic Trip Header Drain

Trip Valve

Steam

Governor Valve

Governor

To Steam Turbine

Need SIL2 SIF for safety mitigation

Turn-around frequency 1/5yrs.

Steam trip valve is existing

2oo2 voted Solenoids for high reliability

19

Probe #1

Probe #2

Probe #3

Protech GII

R1

R2

R3

2oo3 Voter

ESD/SIS

Hydraulic Trip Header Drain

Trip Valve

Steam

To Steam Turbine

R1

R2

Redundant 2oo2

20

21

TUV Rheinland SIL3 Certified

API670/API612/API611 Compliant

Has a 2oo3 voter output

Considered Turbosentry ◦ Not a SIL certified device

◦ Requires specific wiring to meet SIL2 hardware requirements. Otherwise SIL1

22

23

Subsystem l lS lD lDD lDU b-Factor bD-Factor SFF

Block A/B/C

Power Supply 2.5E-06 2.0E-06 5.6E-07 5.0E-07 5.6E-08

Control Logic 1.3E-05 1.1E-05 1.9E-06 1.7E-06 1.8E-07

Output 1.1E-06 8.9E-07 2.3E-07 2.3E-07 2.3E-09

Sum 1.69E-05 1.42E-05 2.71E-06 2.47E-06 2.38E-07 0.99

Block D

Voter 1.3E-06 1.1E-06 2.5E-07 2.5E-07 2.5E-09

Sum 1.32E-06 1.07E-06 2.48E-07 2.46E-07 2.48E-09 1.00

Common Cause fractions 2.00% 2.00%

Diagnostic test interval TD/h 1

MTTR = 0

From Invensys QRA ◦ The Quadvoter Hydraulic Trip Block arrangement.

Failure rate = 5 FITS

From Parker Lab Data ◦ Failure rate of each Solenoid < 0 FITS

Exida Generic SOV ◦ Failure Data = 590 FITS

24

No Vendor reliability Data

No user Reliability Data

Other Sources

◦ NURG/CR-6928- Hydraulic Operated Valve

PFDavg=1.51e-3

Average Demands per year = 4.2

Failure Data = 723 FITS > 1/160 yrs.

◦ Kenexis -Trip and throttle Valve

Failure Data = 2280 FITS > 1/50 yrs.

◦ Exida – Generic Globe Valve

Failure Data = 1270 FITS > 1/90 yrs.

◦ Exida – Generic Hydraulic Ball Valve

Failure Data = 1430 FITS > 1/80 yrs.

25

+ +

=

Missing failure rate data for Valve

Options ◦ Torture the equations to get the answer we want?

◦ Change test frequencies?

◦ Uses a different generic valve with lower failure rates?

◦ Perform FMEDA on the valve?

Failure rate from FMEDA study ◦ 614 FITS

◦ Partial test coverage (PVST) = 40%

Generic Globe valve and actuator ◦ 1270 FITS

◦ Partial Test coverage = 70 %

Sec. 8.4.4 ◦ Maximum allowable rotor speed shall be determined (Annex O). System

response times (sensor, solver, relays, solenoid, valve, piping system delays, etc..) are needed to determine the max rotor speed.

Owners need to use Good Engineering Judgment in the design of the Turbine Overspeed Detection system

Suppliers need to be prepared to provide the information needed in order to determine if the performance criteria is achieved

Apply the consensus standards as needed (IEC/ISA) Take advantage of documented best practices (API/ISA) Its not just the responsibility of the Rotating Equipment

engineer. I&C discipline needs to be involved Consider the data sources for the failure rate data The response time needs to be defined for all SIF’s Testing frequency is more than just satisfying the

PFDavg requirements Start early in the design process

• All information (“Information”) contained herein is provided without compensation and is intended to be general in nature. You should not rely on it in making any decision. LyondellBasell accepts no responsibility for results obtained by the application of this Information, and disclaims liability for all damages, including without limitation, direct, indirect, incidental, consequential, special, exemplary or punitive damages, alleged to have been caused by or in connection with the use of this Information.

• LyondellBasell disclaims all warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, that might arise in connection with this information.

Disclaimer