G-26

IMPLEMENTING SAFETY INSTRUMENTED SYSTEMS

By

Dinesh Govind

Sr. Loss Prevention Engineer

Onshore Engineering, Qatar Petroleum

Doha, Qatar

Introduction

It is recognized that there is a great variety of electric, electronic and computer based programmable applications across many application sectors, covering a wide range of complexity, hazard and risk potential. In any particular application, the exact prescription of safety measures will depend on many factors specific to that application. The concepts of built-in safety at the design stage, the rapid spread of automation and cost-conscious engineering have led to thinking in terms of layers of protection to optimize safety in the process industry. The first safeguard built into a chemical plant is the process design itself, which strives for a plant with minimum potential for chemical releases. In its most basic form, a chemical process has a risk associated with it, and that risk could be greater than we can tolerate. Such risks can be reduced by adding basic process control systems, implementing safe operating procedures, critical alarms, safety related systems such as emergency shutdown systems, relief devices, dikes and enclosures for containment, emergency procedures and so on. This paper provides guidance on the implementation of safety related systems and the concerns faced by the process industry, with reference to examples related to high integrity pressure protection systems.

Safety Related System and its Integrity

A safety related system is a designated system that both implements the required safety functions necessary to achieve or maintain a safe state for the equipment under control and is intended to achieve, on its own or together with other electric, electronic or programmable electronic safety related systems, other technology safety related systems or external risk reduction facilities, the necessary safety integrity for the required safety functions. Safety integrity is defined as the probability of a safety related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. The higher the level of safety integrity of the safety related system, the lower the probability that it will fail to perform the required safety functions. A purely instrumented safety related system, or instrumented protection system, is considered a Safety Instrumented System (SIS).

Determining Safety Integrity Level

There are two aspects of Safety Integrity Level (SIL) determination. One is defining a target Safety Integrity Level during the preliminary design stage; the other is verifying the Safety Integrity Level during the detail design stage, when the design of the safety instrumented systems is complete and vendor information is available.

SIL Assessment

In general, the target safety integrity level for a single safety related protection system can be determined using the relation

PFD_TARGET = FA / FSRS

where PFD_TARGET is the average targeted Probability of Failure on Demand needed to meet the necessary risk reduction, FA is the acceptable risk frequency and FSRS is the frequency of demand on the safety related system. The frequency of the hazardous event is directly related to FSRS. Thus, for FA = 1 x 10^-4 and FSRS = 1 x 10^-1, the targeted PFD will be 10^-3. From IEC 61508, this target PFD corresponds to SIL 3. Frequency and exposure time risk parameters, consequence risk parameters, possibility-of-failing-to-avoid-the-hazard risk parameters, probability of unwanted occurrence and risk graphs are available in IEC 61508 and IEC 61511, and these can also be used to determine target safety integrity levels. Whereas IEC 61508 is a generic standard common to several industries, the process industry has recently started using IEC 61511, its own sector specific standard.
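The relation above, worked through as an added example that is not part of the paper: it computes PFD_TARGET = FA / FSRS, the implied risk reduction factor, and the SIL band from the IEC 61508 low-demand table. The boundary rule (a target of exactly 10^-3 read as SIL 3, as the paper does) and the second input case are assumptions of this example.

```python
from decimal import Decimal

# IEC 61508 / IEC 61511 low-demand bands: SIL n covers 10^-(n+1) <= PFDavg < 10^-n.
# Assumption (the paper's reading of its worked example): a target that falls exactly
# on a band boundary, such as 10^-3, is assigned to the higher SIL (SIL 3, not SIL 2).
SIL_BANDS = {sil: (Decimal(10) ** -(sil + 1), Decimal(10) ** -sil) for sil in (4, 3, 2, 1)}


def target_pfd(fa: Decimal, fsrs: Decimal) -> Decimal:
    """PFD_TARGET = FA / FSRS: acceptable risk frequency over demand frequency on the SRS."""
    if fa <= 0 or fsrs <= 0:
        raise ValueError("frequencies must be positive and in the same units")
    return fa / fsrs


def risk_reduction_factor(pfd: Decimal) -> Decimal:
    """RRF = 1 / PFD, the factor by which the SIS must cut the demand frequency."""
    return Decimal(1) / pfd


def sil_for_target(pfd: Decimal) -> str:
    """Map a target PFD to the SIL that meets it (boundaries go to the higher SIL)."""
    if pfd > Decimal("0.1"):
        return "no SIL required"      # RRF below 10: a SIS is not the right layer
    if pfd < Decimal("0.00001"):
        return "beyond SIL 4"         # RRF above 100000: change the process design instead
    for sil, (low, high) in SIL_BANDS.items():   # checked from SIL 4 downwards
        if low <= pfd <= high:
            return f"SIL {sil}"
    raise AssertionError("unreachable: bands cover 1e-5 .. 1e-1")


def assess(fa: str, fsrs: str) -> dict:
    """Run the paper's SIL assessment for one safety related system (inputs as decimal strings)."""
    pfd = target_pfd(Decimal(fa), Decimal(fsrs))
    return {"pfd_target": pfd, "rrf": risk_reduction_factor(pfd), "sil": sil_for_target(pfd)}


if __name__ == "__main__":
    # The paper's example: FA = 1e-4, FSRS = 1e-1 -> PFD_TARGET = 1e-3 -> SIL 3
    print(assess("1e-4", "1e-1"))
    # Constructed second case: a more frequent demand against the same acceptable frequency
    print(assess("1e-4", "5e-1"))
```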

Figure 01 – Risk Graph from IEC 61508 / IEC 61511 – useful tool to determine SIL during HAZOP sessions.

The first step in SIL assessment is to identify the safety related systems. This requires a critical review of the piping and instrumentation (P&I) diagrams and an understanding of the various safety related loops and shutdowns. It can be performed as part of the Hazard and Operability (HAZOP) study, where effective brainstorming is possible with a multi-disciplinary team. The risk graph shown in Figure 01 is used during HAZOP sessions in order to define the target SIL.

Sections from the worksheets of a preliminary design phase HAZOP study for a 12 inch crude oil loading pipeline to a Single Buoy Mooring facility are shown in Table 01. The crude oil storage tanks and loading pumps are located onshore, about 2 km from the coast. The surge system is located near the crude oil metering area at the shore. During this HAZOP study, SIL values were determined using the risk graph of Figure 01. C, F, P and W are the consequence, frequency of exposure, possibility of avoidance and probability of occurrence respectively. The frequencies, levels of consequence and probabilities indicated in the worksheets are qualitative and are based on discussions during the HAZOP sessions. For the example in Table 01, the risk paths followed were Cb-Fa-Pb-W2 for high pressure in the pipeline and Cb-Fa-Pb-W3 for high level in the surge tank. The high probability of tank overflow, W3 on the risk graph, resulted in a higher safety integrity level. Thus the target SIL for the shutdown loop of the crude oil loading pumps was determined as 2.

Thus, using the risk graph during HAZOP sessions is a useful way to define SIL targets without undergoing a separate exercise. However, SIL target values can be influenced by team attitude, individual personalities and the competence of the facilitator, and two different teams could arrive at different SIL targets. It is good practice to review safety integrity levels of 3 and above using quantitative risk assessment techniques, explicitly modelling the safety loops that carry a high SIL.

Another example where risks are quantified is the implementation of a high integrity pressure protection system in a process where other layers of protection, such as conventional relief, would not be cost effective or environmentally acceptable.

Safety Instrumented System Design

Once the integrity level for a safety related system is defined, a description of the safety instrumented functions necessary to achieve the required functional safety shall be prepared. Safety related functions shall always be separated from process control functions and other non safety related functions. The architecture of the safety related system with its safety instrumented functions shall be prepared using the guidelines in IEC 61508 or IEC 61511. The design shall take into account human capabilities and limitations and be suitable for the tasks assigned to operators and maintenance staff. The design of all human-machine interfaces shall follow good human factors practice and shall accommodate the likely level of training or operator awareness. Appropriate diagnostics shall be included in the design to detect dangerous faults in any subsystem. The detection of a dangerous fault in a subsystem which can tolerate a single hardware fault shall result in either a specified action to achieve or maintain a safe state, or continued safe operation of the process whilst the faulty part is repaired. However, if the repairs are not completed within the Mean Time To Repair (MTTR) assumed in the SIL verification calculations, a specified action shall take place to achieve or maintain a safe state. MTTR is considered when determining the safe failure rate, where failures are revealed. In this paper, only unrevealed failures are considered for determining SIS integrity.


Parameter: Pressure (Node: crude oil loading line)
Deviation | Cause | Consequence | Safeguard | C | F | P | W | SIL | Recommendation
HIGH | Ship side valve closed | Pressure surge, potential for pipeline rupture and fire | High pressure alarm; surge valve opening into a dedicated surge tank | Cb | Fa | Pb | W2 | 1 | –

Parameter: Level (Node: Surge Tank)
Deviation | Cause | Consequence | Safeguard | C | F | P | W | SIL | Recommendation
HIGH | Surge valve opens (due to high pressure on loading line) | Possible overflow of surge tank; potential for fire and environmental damage | High level alarm for surge tank; operating procedures | Cb | Fa | Pb | W3 | 2 | Provide shutdown of crude oil loading pumps on loading line PHH.

Table 01 – Modified HAZOP worksheet.


The detection of a dangerous fault in any subsystem that has no redundancy, and on which a safety instrumented function is entirely dependent, shall result in either a specified action to achieve or maintain a safe state, or the process being supported by additional measures and constraints during repair within the MTTR. It is common practice to arrange the devices of a safety related system in ‘de-energized to trip’ mode. The fault tolerance of devices and subsystems arranged in ‘de-energized to trip’ mode is given in Table 02.

The second and third columns apply to subsystems comprising simple devices, not processors: sensors such as pressure transmitters; final actuation elements such as valves and electrical contactors; logic systems such as relays and solid state logic. The fourth and fifth columns apply to subsystems comprising complex devices, including microprocessors: sensors such as smart transmitters; final actuation elements such as smart valves; logic systems such as PLCs.

Safety Integrity Level | Minimum Fault Tolerance (simple) | Typical Architecture (simple) | Minimum Fault Tolerance (complex) | Typical Architecture (complex)
SIL 1 | 0 | Single, non-redundant | 0 | Single, non-redundant
SIL 2 | 0 | Single, non-redundant | 1 | Dual, redundant
SIL 3 | 1 | Dual, redundant | 2 | Triple, redundant
SIL 4 | 2 | Triple, redundant | Special requirements as per IEC 61508 | Special requirements as per IEC 61508

Table 02 – Minimum fault tolerance of sub-systems – useful tool whilst designing the architecture of a safety related system.

To achieve a specified SIL, the various components that comprise the safety related system must meet a minimum reliability performance standard. This standard is defined in terms of the mean time between dangerous failures (MTBF), a dangerous failure being the failure mode that remains undetected until a proof test is performed.

There are a number of ways of configuring and testing a Safety Instrumented System (SIS) to achieve a specified Safety Integrity Level. Recent studies have determined the extent to which varying the number and type of process shut-in valves, pressure transmitters and component proof test intervals affects the system unavailability. The proportion of time (expressed as a fraction) during which the system is unavailable, and would therefore not respond to a demand, is the mean unavailability of the system. To define the method for arriving at a configuration for the safety instrumented system, a typical example of High Integrity Pressure Protection Systems (HIPPS) implemented on pipelines and other process streams is considered.

Some previous studies have shown that conventional safeguarding systems have a relatively high overall reliability, even though the primary and secondary systems may comprise components that are not in themselves highly reliable. This is because the combination of an instrumented ESD system as the primary safeguard and mechanical relief as the secondary safeguard provides two diverse redundant systems that are independent and therefore not susceptible to common mode failures (CMF). Using HIPPS as the ultimate safeguard backing up the instrumented ESD system introduces common cause and common mode failures, since the two systems use similar technology. This erodes the apparent benefit of the high reliability of the HIPPS, and great care is therefore necessary at the design stage to use components of high reliability and to minimise the effect of common mode failures. For any given application, a system designed to meet a higher SIL implies a lower probability of failure on demand and a corresponding increase in safety for plant, personnel and assets.

Recent environmental concerns over the relief of hydrocarbons to the atmosphere have led to a trend towards totally instrumented systems, which are gaining acceptance from more national regulatory bodies. Though the capital costs of providing relief and flare systems will be higher, it is interesting to note that the whole life cycle costs of relief systems will be lower than those of HIPPS.

Figure 02 shows a typical configuration of HIPPS. The relief downstream of the HIPPS valves is designed for leakage (upon closure of the HIPPS valves) only. Before describing the different HIPPS arrangements and their ability to achieve specified SIL requirements, it is necessary to understand how the particular attributes of a HIPPS affect its unavailability. The full theory of fault tree analysis and the software codes used are beyond the scope of this paper; however, a brief description of this most widely used analysis tool is provided in the later part of the paper. It should be noted that this type of analysis assumes that all components are operating within their design limits, so components are not expected to fail due to over-stressing, incorrect specification, etc.

There are three principal component groups in a HIPPS: valves, pressure transmitters and logic solvers. Provided that the logic solver is of high reliability, using discrete components (such as the magnetic logic type), the mean system unavailability will be dominated by Common Mode Failure (CMF) of the valves and pressure transmitters. Therefore most of the configuration options are defined by varying the major defences employed in the design against CMF of these components, i.e. separation/segregation and redundancy/diversity. The Proof Test Interval (PTI) also plays a role in the design of the SIS. A method for determining CMF is discussed in the later part of the paper.
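As an added illustration that is not from the paper (its own failure data and results are in Tables 04 to 06, which are not reproduced here), the following compares the mean unavailability of a HIPPS under the three design levers named above: redundancy, the CMF fraction beta, and the proof test interval. The failure rates, the 10% beta value and the simplified IEC 61508-6 formulas counting only unrevealed failures are assumptions of this example.

```python
# Constructed example (not the paper's Table 04 or Tables 05/06): how proof test interval
# (PTI), redundancy and common mode failure (CMF) drive the mean unavailability of a HIPPS.
# Simplified IEC 61508-6 low-demand formulas counting only dangerous undetected failures,
# as this paper does (revealed failures and MTTR are ignored):
#   1oo1: PFDavg = lambda_DU * T / 2
#   1oo2: PFDavg = ((1 - beta) * lambda_DU * T)^2 / 3 + beta * lambda_DU * T / 2
# T = proof test interval in hours, beta = fraction of failures that are common mode.
HOURS_PER_YEAR = 8760.0

# Constructed dangerous-undetected failure rates (per hour) for the three HIPPS component
# groups named in the paper; the logic solver is taken as high-reliability discrete logic.
LAMBDA_DU = {"valve": 2.0e-6, "transmitter": 1.0e-6, "logic": 5.0e-8}


def pfd_1oo1(lambda_du: float, pti_hours: float) -> float:
    return lambda_du * pti_hours / 2.0


def pfd_1oo2(lambda_du: float, pti_hours: float, beta: float) -> float:
    independent = ((1.0 - beta) * lambda_du * pti_hours) ** 2 / 3.0
    common_mode = beta * lambda_du * pti_hours / 2.0   # CMF term: linear in T, like 1oo1
    return independent + common_mode


def hipps_pfd(pti_hours: float, redundant: bool, beta: float) -> dict:
    """Mean unavailability of a HIPPS as the sum of its series subsystems."""
    parts = {}
    for group in ("valve", "transmitter"):
        rate = LAMBDA_DU[group]
        parts[group] = pfd_1oo2(rate, pti_hours, beta) if redundant else pfd_1oo1(rate, pti_hours)
    parts["logic"] = pfd_1oo1(LAMBDA_DU["logic"], pti_hours)   # single discrete logic solver
    parts["total"] = sum(parts.values())
    return parts


def achieved_sil(pfd: float) -> int:
    """IEC 61508 low-demand band reached: SIL n if 10^-(n+1) <= PFDavg < 10^-n; 0 if none."""
    for sil in (4, 3, 2, 1):
        if 10.0 ** -(sil + 1) <= pfd < 10.0 ** -sil:
            return sil
    return 0


if __name__ == "__main__":
    cases = (("1oo1, annual test", HOURS_PER_YEAR, False, 0.0),
             ("1oo2, annual test, 10% CMF", HOURS_PER_YEAR, True, 0.10),
             ("1oo2, 3-monthly test, 10% CMF", HOURS_PER_YEAR / 4, True, 0.10))
    for label, pti, redundant, beta in cases:
        r = hipps_pfd(pti, redundant, beta)
        cmf_share = (beta * LAMBDA_DU["valve"] * pti / 2.0) / r["valve"]
        print(f"{label:32s} PFDavg={r['total']:.2e}  CMF share of valve PFD={cmf_share:.0%}"
              f"  -> SIL {achieved_sil(r['total'])}")
```

With these constructed rates, duplicating the valves and transmitters moves the system from SIL 1 to SIL 2, but about 90% of the redundant valve subsystem's PFD is the CMF term; only shortening the proof test interval reaches SIL 3.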

The options considered include varying the number and type of valves, the level of separation/segregation between the valves and transmitters, and the frequency at which the various components are proof tested. The options analysed are presented in matrix format in Tables 05 and 06, together with the results in the last column of each table. The failure rates considered for the various elements of the HIPPS, used to develop the unavailability matrices, are given in Table 04. Failure rates are available in reliability handbooks such as OREDA (Offshore Reliability Data), manufacturers’ records, data maintained by industry, and so on. It is good practice for the chemical industry, or any industry, to maintain failure data for its equipment through an established maintenance management information system.