pk6022 sis terms

1

NTNU, September 2007RAMS

SISandSIStechnology

MaryAnnLundteigen([email protected])

Updated Sept 2011

2

NTNU, September 2007

ValvePressure transmitters

Logic solver(PLC)

Control room

Safetyinstrumentedsystem(SIS)

3


Safetyinstrumentedsystem(SIS)

ASISisasafetysystemthatincludesatleastone electrical,electronic,orprogrammableelectronic(E/E/PE)component.

ASISisusedtoperformoneormoresafetyinstrumentedfunctions.

ASISisoftensplitintothreesubsystems:Sensors/inputs,logicsolvers,andfinalelements/actuatingdevices.

AlsocalledE/E/PEsafety‐relatedsystem

4


ValvePressure transmitters

Logic solver(PLC)

Control room

Safetyinstrumented function(SIF)

5


Safetyinstrumentedfunction(SIF)

ASIFisasafetyfunctionthatisperformedbytheSIS.

ASIFisusedtoreduceriskbelowthestatedacceptancecriteria.

6


Equipmentundercontrol(EUC)

Equipmentundercontrol(EUC):Equipment,machinery,apparatusorplantusedformanufacturing,process,transportation,medicalorotheractivities.

Inourcontext:• AnEUCisassociatedwithsomehazardsorthreats.• EUCintheprocessindustrymaybeaprocesssection

InNorwegianPetroleumindustry(throughtheOLF070),wedistinguishbetween:• Thoseprotectedbyglobalsafetyfunctions• Thoseprotectedbylocalsafetyfunctions

7


Functionalsafety

Functionalsafety:partoftheoverallsafetyrelatingtotheEUCandtheEUCcontrolsystemthatdependsonthecorrectfunctioningoftheE/E/PEsafety‐relatedsystemsandotherriskreductionmeasures(IEC61508).

• RelatestotheabilitytoprotectvulnerableobjectsfromdamageinrelationtoanEUC.

• ReliesontheabilityofaSIS(andothersafetybarriers)tobringtheEUCtoasafestate,undernormalsituationsand foreseeablefaultsituations.

8


Example– functionalsafety

EUC:ThecarTobeprotected:Thedriver,thepassengers

9



10



11


EUC riskandriskreduction

12


Riskreductionpractices– processindustryLayersofprotection:Theselinesorlayersservetoeitherpreventaninitiatingevent(suchaslossofcoolingoroverchargingofamaterialtoareactor,forexample)fromdevelopingintoanincident(typicallyareleaseofadangeroussubstance),ortomitigatetheconsequencesofanincidentonceitoccurs

Layers of protection

Seee.g.,http://www.hse.gov.uk/research/misc/vectra300‐2017‐r02.pdf

13


Riskreductionpractices– processindustry

Layersofprotection– keyrequirements(IEC61511‐3):Specificity:AnIPLisdesignedsolelytopreventortomitigatetheconsequencesofonepotentiallyhazardousevent(forexample,arunawayreaction,releaseoftoxicmaterial,alossofcontainment,orafire).Multiplecausesmayleadtothesamehazardousevent;and,therefore,multipleeventscenariosmayinitiateactionofoneIPL;Independence:AnIPLisindependentoftheotherprotectionlayersassociatedwiththeidentifieddanger.

Dependability:Itcanbecountedontodowhatitwasdesignedtodo.Bothrandomandsystematicfailuresmodesareaddressedinthedesign.

Auditability:Itisdesignedtofacilitateregularvalidationoftheprotectivefunctions.Prooftestingandmaintenanceofthesafetysystemisnecessary.

Riskreductionofminimum10(oravailabilitygreaterthan0.9)

14


Riskreductionpractices

Defenseindepth(nuclearindustry):Defenseindepthconsistsinahierarchicaldeploymentofdifferentlevelsofequipmentandproceduresinordertomaintaintheeffectivenessofphysicalbarriersplacedbetweenradioactive materialsandworkers,thepublicortheenvironment,innormaloperation,anticipatedoperationaloccurrencesand,forsomebarriers,inaccidentsattheplant.(http://www‐pub.iaea.org/MTCD/publications/PDF/Pub1013e_web.pdf )

Keystrategies:• Conservativedesign• Controlofoperation• Engineeredsafetyfeatures• (Some)additionalfeatures:

• Proceduresforhandlingmultiplefailures

• Accidentpreventionstrategies

• Emergencypreparedness• Diversity

Analysisof defense indepth:http://pbadupws.nrc.gov/docs/ML0718/ML071860536.pdf

15


Defense indepth ‐ levels

http://www‐pub.iaea.org/MTCD/publications/PDF/Pub1013e_web.pdf

16



Riskreductionprincipleswithmachinerysystems

17



Riskreductionprincipleswithmachinerysystems

18


Modeofoperation(IEC61508)

Low demand mode:where the safety function is only performed on demand, in order totransfer the EUC into a specified safe state, and where the frequency of demands is no greater than one per year

High demand mode:where the safety function is only performed on demand, in order totransfer the EUC into a specified safe state, and where the frequency of demands is greater than one per year

Continuous mode: where the safety function retains the EUC in a safe state as part of normal operation

3

19


Modeofoperation(IEC61511)

(On) demand mode:where a specified action (for example, closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the safety instrumented function a potential hazard only occurs in the event of a failure in the process or the BPCS

Continuous (or high demand) mode:where in the event of a dangerous failure of the safety instrumented function a potential hazard will occur without further failure unless action is taken to prevent it.

Low demand if:1 demand per

year1 2 3 4 5

3

20


Modeofoperation– whyimportant?

On demand: The failure is likely to have been corrected before the demand. The probability that an accident occurs in the presence of a SIS failure is PFD.

SIS failed

Test Test Test Test Test

demand

SIS ok

Test Test Test Test Test

demands

SIS ok

SIS failed

High/continuous demand: Less likely that the failure is revealed and corrected before the next demand, and the accident frequency is more or less the SIS failure frequency

21


Modeofoperation

System Low D HighDEmergencyshutdown(ESD/NAS) xFire andgasdetection(F&G/B&G) xProcessshutdown(PSD/PAS) x* x*HighIntegrityPressureProtectionSystem(HIPPS) xSignallingsystemforrailway xAutomaticsafeloadindicator (crane) xAirbagsystem(car) xAnti‐lockbrakingsystem(ABS) xIsolationofwell(Workover intervention) x* x*

*Mode may differ for different installations

pk6022 sis terms

Documents