TRANSCRIPT
Overview of Process Safety Management & Safety Instrumented Systems (Protective Systems)
Purpose of Presentation
• Define "Process Safety Management"
• Define "Safety Instrumented System"
• Review Regulations / Standards / References for "Safety Instrumented Systems"
• Examine Methods of Selection and Design of "Safety Instrumented Systems"
• Provide Examples of "Safety Instrumented Systems"
Process Safety Management (PSM) Program:
A management methodology aimed at preventing the occurrence, or minimizing the consequences, of catastrophic releases of toxic or explosive materials.
References for Establishing Policies and Procedures for this presentation:
• USA 29 CFR 1910.119
• API RP 750
• NOM-028 (Mexico)
• AIChE/CCPS Text Books
Process Safety Management (elements of the program):
• Employee Participation
• Process Safety Information
• Process Hazard Analysis
• Operating Procedures
• Contractors
• Training
• Pre-Startup Safety Review
• Mechanical Integrity
• Hot Work Permits
• Management of Change
• Incident Investigation
• Emergency Planning and Response
• Compliance Audits
• Trade Secrets
Process Hazards Analysis (PHA)
A PHA should be performed for all facilities which could potentially have a substantial release of dangerous materials. The purpose of the PHA is to minimize the likelihood of such an occurrence by identifying, evaluating, and controlling the events that could cause a release.
Risk Assessment (Is Risk Acceptable?)
[Figure: the risk of each Hazard is judged from the Severity of the Hazard, the Likelihood of Occurrence, and the Protection Layers in place.]
Concept of Protection Layers
Using a Process Hazards Analysis Methodology, all potential process Hazards are identified.
Once a hazard has been identified, the available protection layers are evaluated using Risk Assessment Methodologies.
[Figure: the slides build up the protection layers around the Hazard one at a time, from the innermost outward:]
1 - Physical
2 - Human
3 - BPCS
4 - Mitigation
5 - SIS
SIS – “Safety Instrumented Systems”
Is a Safety Interlock Needed?
If so, how Good does it need to be?
How do we know if it’s Good Enough?
What is a Safety Instrumented System (SIS) and associated Safety Instrumented Functions (SIF)?
(In the past an SIS has been referred to as an Emergency Shutdown System (ESD) – Example HL Area ESD System)
A SIS is an instrumented protective system that consists of an instrument component, group of instrument components, or instrument system that reduces process risk by preventing or mitigating the consequences of a process hazard.
A SIF is an instrumented protective system within a SIS that reduces process risk for a specific process hazardous cause.
[Example P&ID: a SEPARATOR fed From Wells, with Oil and H2O outlets. Instruments shown, tagged by loop number: inlet shutdown valve SDV103 with position switch ZS103 and position indicator ZI103; pressure transmitter PT103; level transmitter LT108 and outlet shutdown valve SDV108; level switch LSHH109 and outlet shutdown valve SDV109. All SDVs are FC (fail closed). The trip functions PAHH-103, LALL-108 and LAHH-109 are each drawn with the "I" symbol, the symbol for an SIS (Protective System).]
Example of SIS
SIS has (3) Safety Instrumented Functions (SIF):
• PAHH-103
• LALL-108
• LAHH-109
The SIS and Associated SIF Consist of:
• Sensor & connection to process (PT)
• Sensor Wiring System
• Logic Solver (typically shared for multiple SIFs)
• Final Control Wiring System
• Final Control Device & all associated actuation components (SDV109)
• Interface with Process Control System or Human Machine Interface (HMI)
[Figure: the PT – Logic Solver – SDV109 path drawn on the slide represents a single SIF within a SIS.]
Regulations That Address SIS (Protective Systems)
• USA – OSHA – "29 CFR 1910.119": "Process Safety Management Regulation"
• U.K. – HSE – "Health & Safety Executive"
• NORWAY – "NOR"
These Regulations have a common requirement for Safety Systems: they shall be designed in accordance with generally accepted good engineering practices established by recognized codes and standards.
Standards & References for SIS (Protective Systems)
IEC 61508 – “Functional Safety: Electrical / Electronic /Programmable Electronic Safety Related Systems”
IEC 61511 – “Functional Safety: Safety Instrumented Systems for the Process Industry Sector”
ANSI/ISA S84.01 - “Application of Safety Instrumented Systems for the Process Industries”
IEC 61511
Industry specific standard for the Process Sector
Current Status: Published in 2002 (with the exception of Part 2 – pending)
For USA – IEC 61511 shall replace ANSI/ISA S84.01 with the 2003 issue
Standard has been widely accepted throughout the world
Standard has three (3) Parts and covers:
• Selection Methodologies for Determining Need and Classification of SIS
• Classification of SIS
• Design Requirements for SIS (Hardware / Software)
• Installation / Commissioning / Maintenance of SIS
• Management of Change (MOC) of SIS
Using this reference we now have some definitive methods for making good engineering decisions for the selection and design of Safety Instrumented Systems.
This is important for ensuring:
• Maximum safety for our processing units
• Compliance with Regulations
Life Cycle Chart: Activities involved in the development and implementation of an SIS

Modified SIS Life Cycle (the flowchart is redrawn on each of the following slides with one more step added; the full sequence is):
1. Application to New or Existing Process
2. Perform PHA
3. Risk Analysis: Evaluate Consequences, Causes & Safeguards
4. SIS Required? – No: stop; Yes: continue
5. Determine SIL Required
6. Develop Safety Requirement Spec
7. Conceptual SIS Design
8. Meet Specs.? – No: back to Conceptual SIS Design; Yes: continue
9. Perform Detail SIS Design
10. SIS Installation and Commissioning
11. Establish Operations & Maintenance Proc.
12. Pre-Startup Safety Review (PSSR)
13. Operations, Testing, and Maintenance
14. Modify or Decommission – Modify: re-enter the life cycle; Decommission: SIS Decommissioning

Application to New or Existing Process: Refinery defines evaluation requirements for new and existing facilities.

Perform PHA: Identify Hazardous Consequences, Causes, and Safeguards
This is accomplished through Process Hazards Analysis studies:
HAZOPS
Checklists
What-Ifs
During PHA it is now common to “Risk Rank” PHA issues based on “Severity and Probability of Occurrence”
Risk Analysis: Evaluate Consequences, Causes & Safeguards
Risk Assessment is performed to determine:
•Severity of Hazardous Consequences
•Likelihood of Occurrence
•Adequacy of Safeguards
•Requirements for SIS/SIF
Risk Assessment Methodologies for SIL Selection:
• IEC 61511 (Part 3) Methods
• Risk Matrix Methodology
• Chart Methodology
• Fault-tree Analysis
• Layer of Protection Analysis (LOPA)
Detailed training on Risk Assessment Methodologies is beyond this presentation.
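As an added worked example, not part of the original presentation, the following Python carries one of the SIL-selection methods listed above, Layer of Protection Analysis (LOPA), through for a single hazardous scenario: the initiating-event frequency is multiplied by the PFD of each credited independent protection layer, the gap to the tolerable frequency gives the PFD the SIF must achieve, and that PFD is mapped to a SIL with the IEC 61511 bands quoted later in the presentation. Every frequency, IPL credit and tolerable-frequency figure is a constructed illustrative value, not data from any real unit.

```python
# Added worked example (not from the presentation): LOPA for SIL selection.
# All frequencies and PFD credits are constructed sample values.

# SIL bands from the IEC 61511 table in the presentation (low-demand mode):
# (SIL, PFD lower bound inclusive, PFD upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd):
    """SIL whose PFD band contains pfd. Returns 0 when no SIF is needed
    (pfd >= 0.1) and None when even SIL 4 is insufficient (pfd < 1e-5),
    which is a signal to change the process rather than add a SIF."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0 if pfd >= 1e-1 else None


def lopa(initiating_freq, ipls, tolerable_freq):
    """
    initiating_freq: frequency of the initiating event, per year
    ipls: {name: PFD} of the independent protection layers credited; each
          must be independent of the initiating event and of the other IPLs
    tolerable_freq: tolerable frequency of the consequence, per year
    Returns the event frequency without the SIF, the PFD the SIF must
    achieve, the resulting SIL (0 = no SIF required) and the risk
    reduction factor RRF = 1 / PFD.
    """
    freq_without_sif = initiating_freq
    for pfd in ipls.values():
        if not 0.0 < pfd <= 1.0:
            raise ValueError("an IPL PFD must lie in (0, 1]")
        freq_without_sif *= pfd
    required_pfd = tolerable_freq / freq_without_sif
    if required_pfd >= 1.0:  # existing layers already meet the target
        return {"freq_without_sif": freq_without_sif, "required_pfd": 1.0,
                "sil": 0, "rrf": 1.0}
    return {"freq_without_sif": freq_without_sif,
            "required_pfd": required_pfd,
            "sil": sil_from_pfd(required_pfd),
            "rrf": 1.0 / required_pfd}


# Constructed scenario: separator overpressure from a blocked outlet, the
# kind of hazard a high-pressure trip such as PAHH-103 would protect against.
SCENARIO = dict(
    initiating_freq=0.5,  # BPCS pressure control loop failure, per year
    ipls={
        "operator response to high-pressure alarm": 0.1,
        "relief valve sized for the blocked-outlet case": 0.01,
    },
    tolerable_freq=1e-6,  # tolerable frequency of a major release, per year
)


if __name__ == "__main__":
    result = lopa(**SCENARIO)
    print(f"frequency without SIF : {result['freq_without_sif']:.1e} /yr")
    print(f"required SIF PFD      : {result['required_pfd']:.1e}")
    print(f"required SIL          : {result['sil']}  (RRF {result['rrf']:.0f})")
```

Two cautions built into the code: an IPL only earns credit if it is independent of the initiating event and of the other layers (a BPCS alarm cannot be credited against a BPCS loop failure), and a required PFD below 10^-5 is returned as None rather than "SIL 4 plus", because at that point the process itself should be changed.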
SIS Required?
From Risk Assessment it is determined if additional protection in the form of an SIS/SIF is required or is being used for risk reduction.
This evaluation is done for all identified Hazardous Consequences and their associated causes.
SIS Determination and Design should be accomplished only by individuals trained in the use of IEC-61511.
Determine SIL Required
IEC 61511 Defines Levels of Integrity for SIFs: Safety Integrity Level (SIL)
•The higher the integrity level, the more risk reduction is obtained from the SIF.
•The required SIL is dependent upon the needed risk reduction as determined by the Risk Assessment.
•The SIL values and their risk-reduction values are defined within IEC 61511.
•The SIF SIL is measured by its calculated Probability of Failure on Demand (PFD).
•In addition, the SIF shall also meet Refinery established requirements for Spurious Trip Rate (STR).
From IEC 61511: Safety Integrity Level (PFD = 1 – Safety Availability)

Level | Safety Availability | PFD (average)
1     | 0.9 to 0.99         | 10^-1 to 10^-2
2     | 0.99 to 0.999       | 10^-2 to 10^-3
3     | 0.999 to 0.9999     | 10^-3 to 10^-4
4     | 0.9999 to 0.99999   | 10^-4 to 10^-5

Spurious Trip Rate Requirements (STR expressed as years between spurious trips): Refinery choice based on safety and economics.
Develop Safety Requirement Spec
•A Safety Requirement Specification (SRS) is required for the SIS and all associated SIFs.
•An SRS shall define:
•All functional requirements for each SIF
•All “Integrity” requirements for each SIF
General Design Criteria for SIS/SIFs (specific requirements are defined in IEC 61511):
• Complete System must meet required PFD & MTBF (Spurious)
• Separation
• Component Selection
• System Configuration
• Reduce or Eliminate Common Cause Failures
• Eliminate "Systematic" errors
• Use proper interlock By-Passing Design
• Diagnostic Coverage

Complete System must meet required PFD & STR. "Complete system" means every element in the loop:
Sensors, Process Connections (Impulse Lines), Transmitters, Input Wiring, I/O System, Logic Solver (Hardware & Software), Output Wiring, Final Control Devices, Other Components
Separation of Safety Interlock System:
• Must be independent from the Basic Process Control System (BPCS)
• Must be protected from contamination from Human Machine Interface (HMI) components
• Must be housed in a separate enclosure
• Must be well labeled and marked as a "Safety Instrumented System"
System Configuration
• Redundancy (e.g. 1oo2) can improve MTBF (Fail to Danger), i.e. lower the PFD
• The same redundancy can reduce MTBF (Fail to Safety), i.e. raise the spurious trip rate, because either channel can trip the loop
• Hot Standby and 2oo3 Logic Systems improve both Reliability and Availability
Redundancy and Hot Standby must be evaluated for all components of the Safety Instrumented System.
Common Cause Failures (CCF): Power Supplies, Air Supply, Cabling, Environmental Conditions, many others
Eliminate Systematic Errors: Diversity, FAT, SAT, Third Party Review
Interlock By-Passing: Key Lock Switches, Alarm when bypassed, Special Operating Procedures when bypassed
Improve SIL with increased Diagnostic Coverage
Diagnostic Coverage: ratio of detectable faults (found through testing) to total possible faults.
• Continuous Diagnostics (Logic Solver, Field Devices, Wiring)
• Component Inspections
• Component Testing
• Transmitters vs. Switches
• New Technologies for Field Equipment
New Technologies for Field Equipment
• On Line Testing Capabilities
• Asset Management Systems
• Equipment Reliability / Availability Reporting
• Field Bus – Caution
Conceptual SIS Design
Initial conceptual design for each SIF and the SIS shall be accomplished based on the applicable SRSs.
Specific design requirements for the assigned SIL are defined within IEC 61511.
Meet Specs.? (Validation)
Validation of SIS/SIF
Design must be validated to demonstrate that:
•All functional specifications are met
•All integrity specifications are met

SIS/SIF Validation – Functional (as defined by the SRS and in accordance with IEC 61511):
Checklist to ensure that all functional requirements are met, such as:
•Sensor Inputs
•Logic Solver Requirement
•Final Control Device
•Safe State for all components
•S/D Logic
•Manual S/D
•Bypassing
•Reset
•Special Startup Requirements
•Human Machine Interface (HMI) – Typically via DCS

SIS/SIF Validation – Integrity Requirements (as defined by the SRS and in accordance with IEC 61511):
•System Architecture: to improve PFD and/or STR, redundancy may be required in system components
•System Test Interval: the testing interval for SIFs affects the PFD of the system and must be within an acceptable period for process operations
•Equipment Selection: failure rate in dangerous mode; facility experience with the equipment
•Diagnostic Coverage: component self-testing and failure detection capabilities
•PFD & STR Calculations: simplified equations in accordance with ANSI/ISA S84.01 / TR84.02
PFD & STR Validation:
[Figure: the same SIF component diagram as above: sensor & connection to process (PT), sensor wiring system, logic solver (typically shared for multiple SIFs), final control wiring system, final control device & actuation components (SDV109), interface with the process control system or HMI.]

The PFD and STR of a SIF are the sums over its subsystems, with $i$ running over the components of each subsystem ($S$ = sensor, $L$ = logic solver, $A$ = final element and actuation, $PS$ = the fourth subsystem term carried on the slide, not defined there; $SF$ = safe systematic failures):

$$PFD_{SIF} = \sum_i PFD_{S_i} + \sum_i PFD_{L_i} + \sum_i PFD_{A_i} + \sum_i PFD_{PS_i}$$

$$STR_{SIF} = \sum_i STR_{S_i} + \sum_i STR_{L_i} + \sum_i STR_{A_i} + \sum_i STR_{PS_i} + STR_{SF}$$
Methods for Validation of SIL (PFD Calculations)

Symbols: $\lambda_{DU}$ = undetected dangerous failure rate; $\lambda_{DD}$ = detected dangerous failure rate; $\lambda_{DF}$ = dangerous systematic failure rate; $TI$ = proof test interval; $MTTR$ = mean time to repair; $\beta$ = common cause (beta) factor, the fraction of $\lambda_{DU}$ that fails all channels together.

1oo1:
$$PFD_{avg} = \frac{\lambda_{DU}\,TI}{2} + \underbrace{\frac{\lambda_{DF}\,TI}{2}}_{\text{systematic failures}}$$

1oo2:
$$PFD_{avg} = \frac{(\lambda_{DU}\,TI)^2}{3} + \underbrace{\frac{\lambda_{DF}\,TI}{2}}_{\text{systematic failures}} + \underbrace{\frac{\beta\,\lambda_{DU}\,TI}{2}}_{\text{common cause failure}} + \underbrace{\lambda_{DU}\,\lambda_{DD}\,TI\,MTTR}_{\text{multiple failures during repair}}$$

2oo3:
$$PFD_{avg} = (\lambda_{DU}\,TI)^2 + \underbrace{\frac{\lambda_{DF}\,TI}{2}}_{\text{systematic failures}} + \underbrace{\frac{\beta\,\lambda_{DU}\,TI}{2}}_{\text{common cause failure}} + \underbrace{3\,\lambda_{DU}\,\lambda_{DD}\,TI\,MTTR}_{\text{multiple failures during repair}}$$

Note: for a short repair time the $MTTR$ term is insignificant.
Methods for Validation of prevention of Spurious Shutdowns (MTTF Spurious Calculations)

Symbols: $\lambda_S$ = spurious trip rate for each component; $\lambda_{SF}$ = safe systematic failure rate for each component; $\lambda_{DD}$ = dangerous detected failure rate for each component (a detected dangerous failure takes the channel to its safe state, so it counts toward spurious trips).

1oo1:
$$STR = \lambda_S + \underbrace{\lambda_{DD}}_{\text{detected failure rate}} + \underbrace{\lambda_{SF}}_{\text{systematic failures}}$$

1oo2:
$$STR = 2\,\underbrace{(\lambda_S + \lambda_{DD})}_{\text{detected failure rate}} + \underbrace{\lambda_{SF}}_{\text{systematic failures}}$$

2oo3:
$$STR = 6\,\lambda_S\,\underbrace{(\lambda_S + \lambda_{DD})}_{\text{detected failure rate}}\,MTTR + \underbrace{\lambda_{SF}}_{\text{systematic failures}}$$

$MTTF_{spurious} = 1 / STR$
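As an added example, not code from the original slides, the following Python puts the simplified equations above to work: diagnostic coverage splits a dangerous failure rate into $\lambda_{DD}$ and $\lambda_{DU}$, the 1oo1 / 1oo2 / 2oo3 PFD and STR equations are applied per subsystem, the subsystem results are summed to the SIF as in the PFD/STR validation slide, the SIF PFD is mapped to the achieved SIL, and the longest proof-test interval that still meets a PFD target is found. All failure rates, beta factors, MTTR values and the test interval are constructed sample values, and the STR equations carry the slide's assumption that detected dangerous failures trip the loop.

```python
# Added worked example (not from the presentation): simplified PFD and STR
# equations for 1oo1 / 1oo2 / 2oo3, summed to a SIF and checked against a SIL.
# All failure rates, beta factors, MTTR and TI are constructed sample values.

HOURS_PER_YEAR = 8760.0
HOURS_PER_MONTH = HOURS_PER_YEAR / 12

# SIL bands from the IEC 61511 table on the slides (low-demand mode)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd):
    """Achieved SIL for a PFD; 0 if the SIF does not reach SIL 1, None below 1e-5."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0 if pfd >= 1e-1 else None


def split_dangerous_rate(lambda_d, diagnostic_coverage):
    """Diagnostic coverage (DC) = fraction of dangerous faults the diagnostics
    reveal. Detected faults (lambda_DD) are annunciated at once; undetected
    faults (lambda_DU) stay hidden until the proof test and drive the PFD."""
    lambda_dd = lambda_d * diagnostic_coverage
    return lambda_d - lambda_dd, lambda_dd


def pfd_avg(arch, lambda_du, lambda_dd, ti, lambda_df=0.0, beta=0.0, mttr=0.0):
    """Average PFD of one subsystem (rates per hour, ti and mttr in hours).
    beta is the common-cause fraction of lambda_DU (beta-factor model)."""
    systematic = lambda_df * ti / 2              # dangerous systematic failures
    if arch == "1oo1":
        return lambda_du * ti / 2 + systematic
    common_cause = beta * lambda_du * ti / 2
    repair = lambda_du * lambda_dd * ti * mttr   # second failure during repair
    if arch == "1oo2":
        return (lambda_du * ti) ** 2 / 3 + systematic + common_cause + repair
    if arch == "2oo3":
        return (lambda_du * ti) ** 2 + systematic + common_cause + 3 * repair
    raise ValueError(f"unknown architecture {arch!r}")


def spurious_trip_rate(arch, lambda_s, lambda_dd, lambda_sf=0.0, mttr=0.0):
    """Spurious trips per hour. Detected dangerous faults are taken to drive
    the channel to its safe state, so they add to the safe failure rate."""
    if arch == "1oo1":
        return lambda_s + lambda_dd + lambda_sf
    if arch == "1oo2":
        return 2 * (lambda_s + lambda_dd) + lambda_sf
    if arch == "2oo3":
        return 6 * lambda_s * (lambda_s + lambda_dd) * mttr + lambda_sf
    raise ValueError(f"unknown architecture {arch!r}")


# Constructed subsystems for one SIF (a high-pressure trip closing an SDV).
# lambda_d / lambda_s in failures per hour, dc = diagnostic coverage, mttr in hours.
SUBSYSTEMS = [
    dict(name="PT (1oo2)", arch="1oo2", lambda_d=5e-7, dc=0.60,
         lambda_s=2e-7, beta=0.05, mttr=24.0),
    dict(name="Logic solver (2oo3)", arch="2oo3", lambda_d=1e-7, dc=0.99,
         lambda_s=5e-7, beta=0.02, mttr=8.0),
    dict(name="SDV (1oo1)", arch="1oo1", lambda_d=2e-6, dc=0.0,
         lambda_s=5e-7, beta=0.0, mttr=24.0),
]


def sif_pfd(subsystems, ti):
    """PFD_SIF = sum of the subsystem PFDs (the series sum from the slides)."""
    total = 0.0
    for s in subsystems:
        du, dd = split_dangerous_rate(s["lambda_d"], s["dc"])
        total += pfd_avg(s["arch"], du, dd, ti, beta=s["beta"], mttr=s["mttr"])
    return total


def sif_str_per_year(subsystems):
    """STR_SIF = sum of the subsystem spurious trip rates, in trips per year."""
    total = 0.0
    for s in subsystems:
        _, dd = split_dangerous_rate(s["lambda_d"], s["dc"])
        total += spurious_trip_rate(s["arch"], s["lambda_s"], dd, mttr=s["mttr"])
    return total * HOURS_PER_YEAR


def max_proof_test_interval_months(subsystems, pfd_limit, max_months=60):
    """Longest whole-month proof test interval keeping PFD_SIF below pfd_limit."""
    best = 0
    for months in range(1, max_months + 1):
        if sif_pfd(subsystems, months * HOURS_PER_MONTH) < pfd_limit:
            best = months
    return best


if __name__ == "__main__":
    pfd = sif_pfd(SUBSYSTEMS, HOURS_PER_YEAR)          # annual proof test
    print(f"PFD_SIF = {pfd:.2e}  (SIL {sil_from_pfd(pfd)}, RRF {1 / pfd:.0f})")
    str_y = sif_str_per_year(SUBSYSTEMS)
    print(f"STR = {str_y:.4f} trips/yr, MTTF spurious = {1 / str_y:.0f} yr")
    print("Longest TI meeting SIL 2:",
          max_proof_test_interval_months(SUBSYSTEMS, 1e-2), "months")
```

With these sample values the single 1oo1 shutdown valve contributes almost the whole SIF PFD, which is the usual finding: the final element, not the logic solver, decides whether a SIL target and its proof-test interval are achievable, and lengthening the test interval beyond about a year pushes this SIF out of SIL 2.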
Perform Detail SIS Design
Once SIS/SIFs have been validated, detailed design can be performed.
IEC 61511 provides design requirements and acceptable practices.
SIS Installation and Commissioning
SIS/SIF Verification
•Prior to installation (if applicable) SIS/SIFs shall undergo Factory Acceptance Testing (FAT) in accordance with procedures defined in IEC 61511.
•IEC 61511 provides installation requirements and acceptable procedures.
•After installation the SIS/SIFs shall be subject to Site Acceptance Testing (SAT) in accordance with procedures defined in IEC 61511.
Establish Operations & Maintenance Proc.
•New or revised operating procedures shall be developed detailing the effects of the SIS/SIFs on facility operation.
•New or revised maintenance procedures shall be developed detailing:
•Routine maintenance of SIS/SIFs
•Periodic "proof testing" procedures based on the Test Interval established with the SRS integrity requirements.
Pre-Startup Safety Review (PSSR)
•A Pre-Startup Safety Review in accordance with Refinery PSM requirements shall be accomplished prior to SIS/SIF startup.
Operations, Testing, and Maintenance
The SIS/SIFs shall be operated and maintained (including periodic "proof testing") in accordance with IEC 61511.
Modify or Decommission
The life cycle ends with the Modify or Decommission decision: a modification re-enters the life cycle steps above, and a system taken out of service proceeds to SIS Decommissioning.