Safety System

7/13/2019 Safety System

1/81

Safety System/Emergency

Shutdown System (ESD)


2/81

The Need for Safety

InstrumentationManaging and equipping industrial plant with the rightcomponents and su!systems for optimal operationalefficiency and safety is a comple" tas#$ SafetySystems Engineering (SSE) descries a disciplined%

systematic approach% which encompasses ha&ardidentification% safety requirements specification%safety systems design and uild% and systemsoperation and maintenance o'er the entire lifetime of

plant$ The foregoing acti'ities form what has ecome#nown as the safety ife!cycle* model% which is atthe core of current and emerging safety relatedsystem standards$


3/81

+is# and +is# +eduction

MethodsSafety Methods employed to protect against or mitigateharm/damage to personnel% plant and the en'ironment%and reduce ris# include,

- .hanging the process or engineering design

- Increasing mechanical integrity of the system

- Impro'ing the asic 0rocess .ontrol System (0.S)

- De'eloping detailed training and operational procedures

- Increasing the frequency of testing of critical system

components- 1sing a safety Instrumented System (SIS)

- Installing mitigating equipment


4/81


5/81

2ther terms used for safety

systems are,Safety Instrumented Systems (SIS)%Emergency Shutdown System (ESD)%

Safety +elated System (S+S)% orE/E/0E Safety +elated System (E/E/PE 3

Electric/Electronic/0rogrammale

Electronic)


6/81

o4ecti'es of a shutdown

control system5! 0rotection of life6! 0rotection of plant equipment

7! 8'oidance of en'ironmental pollution9! Ma"imi&ing plant production i.e a'oiding

unnecessary shutdowns


7/81

Safety% +eliaility% and

8'ailailitya) SafetySafety means a sufficient protection from

danger$- Safety related controls are needed e$g$ for

trains% lifts% escalators% urns% etc$ The

safe controls must e designed in a way

that any component fault and other

imaginale influences do not cause

dangerous states in the plant$


8/81

The safe state

is the state to which a system can e put out ofits current operational state and which has asystem specific lower ha&ard potential than theoperational state$ The asolutely safe with thelowest amount of energy in'ol'ed$ :uite often itis not possile to otain the safe state withoutany danger in'ol'ed% 4ust y switching the de'ice

off (e$g$ a plane)$ The plane in the airta#en as asystem! has no safe state$ ;ere the ris# can onlye reduced y redundant equipment (e$g$ forpropulsion and na'igation systems)$


9/81

Safety

is measured primarily by a parameter

called Average Probability of Failure

on Demand (PFDavg). This indicatesthe chance that a SIS ill not perform

its preprogrammed action during a

specified interval of time (usually thetime beteen periodic inspections).


10/81

+eliaility

+eliaility is the aility of a technical de'ice to fulfill itsfunction during its operation time$

This is often no longer possile if one component has afailure$ So the MT< (Mean Time

etween


11/81

8'ailaility8'ailaility is the proaility of a system eing afunctioning one. It is e"pressed in per cent and definesthe mean operating time etween two failures (MT


12/81

The a'ailaility can e increased through redundancy% e$g$ central de'ices wor#ingin parallel% I2 modules or multiple sensors on the same measuring point$ Theredundant components are put up in a way that the function of the system is notaffected y the failure of one component$

;ere as well a detailed diagnostic display is an important element of a'ailaility$

Measures designed to increase a'ailaility ha'e no effect on the safety$ The safetyof redundant systems is howe'er only guaranteed% if there are automatic testroutines during operation or if e$g$ non>safety related sensor circuits in 6!oo!7order are regularly chec#ed$ If one component fails% it must e possile to switchoff the defecti'e part in a safe way$

A related measure is called Safety Availability. It is defined as the probability that aSIS ill perform its preprogrammed action hen the process is operating. It can becalculated as

follos"

Safety Availability = 1 PFDavg

Another parameter is called the #is$ #eduction Factor (##F). It represents theratio of ris$

ithout a SIS divided by the ris$ ith a SIS. It can be calculated as follos"

PRF = 1/PFDavg


13/81

?hat is ha&ard and what is

ris#@8 ha&ard is Aan inherent physical orchemical characteristic that has the

potential for causing harm to people%

property% or the en'ironmentB$ In chemical

processes% AIt is the comination of a

ha&ardous material% an operating

en'ironment% and certain unplannede'ents that could result in an accidentB$


14/81

Hazards Analysis

Cenerally% the first step in determining the le'els ofprotecti'e layers required in'ol'es conducting a detailedha&ard and ris# analysis$ In the process industries a0rocess ;a&ards 8nalysis (0;8) is generally

underta#en% which may range from a screening analysisthrough to a comple" ;a&ard and 2peraility (;820)study% depending on the comple"ity of operations andse'erity of the ris#s in'ol'ed$ The latter in'ol'es arigorous detailed process e"amination y a multi!

disciplinary team comprising process% instrument%electrical and mechanical engineers% as well as safetyspecialists and management representati'es$


15/81

+is#

A+is# is usually defined as the comination

of the se'erity and proaility of an e'ent$

In other words% how often can it happen

and how ad is it when it does happen@

+is# can e e'aluated qualitati'ely or

quantitati'ely$B +oughly%


16/81

+is# reduction

+is# reduction can e achie'ed y reducing either thefrequency of a ha&ardous e'ent or its consequences or yreducing oth of them$ Cenerally% the most desiraleapproach is to first reduce the frequency since all e'ents areli#ely to ha'e cost implications% e'en without dire

consequences$

Safety systems are all aout ris# reduction$ If e can%t ta$eaay the ha&ard e shall have to reduce the ris$. Thismeans" #educe the fre'uency and or reduce theconse'uence

The basic definitions of the safety related terminologies illbe studied in this course there are three main e"amples ofthe required safety actions as follow,


17/81

Emergency Shutdown (ESD)

Typical actions from ESD systems are,

- Shutdown of part systems and equipment

- Isolate hydrocaron in'entories

- Isolate electrical equipment- 0re'ent escalation of e'ents

- Stop hydrocaron flow

- Depressuri&e / low down- Emergency 'entilation control

- .lose watertight doors and fire doors$


18/81

0rocess Shutdown (0SD)

8 process shutdown is defined as the automatic isolationand de!acti'ation of all or part of a process$ During a 0SDthe process remains pressuri&ed$ asically 0SD consists offield!mounted sensors% 'al'es and trip relays% a systemlogic unit for processing of incoming signals% alarm and ;MI

units$ The system is ale to process all input signals andacti'ating outputs in accordance with the applicale .auseand Effect charts$

Typical actions from PSD systems are

- Shutdown the whole process

- Shutdown parts of the process

- Depressuri&e / lowdown parts of the process$


19/81


20/81

Typical actions from


21/81

Emergency Shutdown (ESD)

The Emergency Shutdown System (ESD) shall minimi&ethe consequences of emergency situations% related totypically uncontrolled flooding% escape of hydrocarons%or outrea# of fire in hydrocaron carrying areas orareas which may otherwise e ha&ardous$ Traditionallyris# analyses ha'e concluded that the ESD system is inneed of a high Safety Integrity e'el% typically SI 6 or 7$

asically the system consists of field!mounted sensors%'al'es and trip relays% system logic for processing ofincoming signals% alarm and ;MI units$ The system isale to process input signals and acti'ating outputs inaccordance with the .ause F Effect charts defined forthe installation$


22/81

Typical actions from ESD

systems are:- Shutdown of part systems and equipment- Isolate hydrocaron in'entories

- Isolate electrical equipment (G)

- 0re'ent escalation of e'ents

- Stop hydrocaron flow

- Depressuri&e / lowdown

- Emergency 'entilation control (G)

- .lose watertight doors and fire doors(G)


23/81

Process Shutdown (PSD)

The 0rocess Shutdown system ensures a rapid detection andsafe handling of process upsets$

Traditionally ris# analyses ha'e concluded that the 0SDsystem is in need of low to medium Safety Integrity e'el$

The reason for a low to medium requirement% eing that 0SDsystems uilt in accordance with 80I +0 59. ha'erequirements for oth primary (the computeri&ed system) andsecondary (mechanical de'ices) protection$ asically the

system consists of fieldmounted sensors% 'al'es and triprelays% a system logic unit for processing of incoming signals%alarm and ;MI units$ The system is ale to process all inputsignals and acti'ating outputs in accordance with theapplicale .ause F Effect charts$


24/81

Typical actions from 0SD

systems are,- Shutdown the whole process- Shutdown parts of the process

- Depressuri&e /lowdown parts of theprocess


25/81


26/81

Safety 0rocess Ceneral

2'er'iewSafety y definition is the *absence ofris$*$ There is ris# in e'erything we do% sothe safety

process model is designed to effecti'elyidentify F reduce ris#$ This includes,

- 0hysical plant ris#- ;uman factor!related ris#

- 8ttitudinal +is#$


27/81

Sustained impro'ements in accident pre'ention can onlycome from changes to the o'erall mi" of the ao'efactors$

The model defines ?or#place ris# as a formula suchthat,

#IS+ 3 Employee ,-posure Probability of the Accident

Se'uence Ta$ing Place / Potential 0onse'uence of theAccident

1oting that #is$ 3 .onsequence "


28/81


29/81

- Step 5,Identification of ris#s that are

producing accidents and in4uries$

- Step 6,0erform accident / incidentprolem!sol'ing on each identified ris#,

5$ 0rocess includes,

4. Definition of problem

5. 0ontributing factors

6. #oot 0auses

- Step 7,De'elop a schedule for

implementation of each pre'enti'e action0re'enti'e action should all ha'e

7. #esponsible party

4. #esources to support actions

5. Timetable for completion,


30/81

Step 9,.ontinuously measure to ensurepre'enti'e actions are wor#ing as e"pected$

3easure timetable to ensure each action is

enabled.

Step H,Employees in'ol'ed in wor#

en'ironment must e gi'en feedac# on acontinuous asis$

(i$e$ positi'e reinforcement)$


31/81

The process for managing ris#

the process for managing ris#


32/81

+is# E'aluation

There is no such thing as &ero ris#$ This is

ecause no physical item has a &ero

failure rate% no human eing ma#es &ero

errors and no piece of software design canforesee e'ery possiility$


33/81

ey :uestions to 8s#

8 process control engineer implementing aSafety Instrumented System must answerse'eral

questions,5$ ?hat le'el of ris# is acceptale@

6$ ;ow many layers of protection areneeded@

7$ ?hen is a Safety Instrumented Systemrequired@

9$ ?hich architecture should e chosen@


34/81

+is# assessment

The measurement of risk

uantitati!e scale:

- Minor > In4ury to one person in'ol'ing less than 7 days asencefrom wor#

- Ma4or > In4ury to one person in'ol'ing more than 7 days asence

from wor#- Multiple fatalities and in4uries$

ualitati!e scale

1nli#ely

- 0ossile

- 2ccasionally

-


35/81

8lternati'ely

- 2ne ha&ardous e'ent occurring on the

a'erage once e'ery 5J years will ha'e an

e'ent frequency of J$5 per year$

- 8 rate of 5JK9 e'ents per year means that

an a'erage inter'al of 5J JJJ years can

e e"pected etween e'ents$


36/81

Another alternati!e is to use a semi"#uantitati!escale or $and of fre#uencies to match up words

to fre#uencies% &or e'ample:

- 0ossile 3 ess than once in 7J years- 2ccasionally 3 More than once in 7J years ut less

than once in 7 years

- AMa4orB in4ury li#ely to occur

A2ccasionallyB

- +is# item no$ 6 > AMinorB in4ury li#ely to occurA


37/81

+isk matri' e'ample ,


38/81

+isk matri' e'ample -


39/81

Scales of conse#uence


40/81

+is# classification of accidents


41/81

. t f 8l d t l l i #


42/81

.oncepts of 8larp and tolerale ris#

The Alarp (as low as reasona$ly practica$le) principle reconizesthat there are three $road cateories of risks:

- 1egligible ris$" roadly accepted y most people as they go aouttheir e'eryday li'es% these would include the ris# of eing struc# ylightning or of ha'ing ra#e failure in a car$

- Tolerable ris$" ?e would rather not ha'e the ris# ut it is tolerale in'iew of the enefits otained y accepting it$ The cost in incon'enienceor in money is alanced against the scale of ris#% and a compromise isaccepted$

- !nacceptable ris$" The ris# le'el is so high that we are not prepared to

tolerate it$ The losses far outweigh any possile enefits in the situation$


43/81

8larp diagram


44/81

Step 5

The estimated le'el of ris# must first ereduced to elow the ma"imum le'el ofthe 8larp region at all costs$

This assumes that the ma"imum acceptaleris# line has een set as the ma"imum

tolerale ris# for the society or industryconcerned$ This line is hard to find% as weshall see in a moment$


45/81

Step 6


46/81

Estalishing tolerale ris# criteria

E"amples are,

- Probable 8oss of 8ife (P88)" Numer of

fatalities L frequency of e'ent

- Fatal accident rate (FA#)" Numer of

fatalities per 5J h wor#ed at the site

where the ha&ard is present$


47/81


48/81

Tolerale ris# conclusion

The indications are that many companies determinetolerale ris# targets using consensus from the types ofstatistics we ha'e een loo#ing at$ Mar&al concluded thatthe range of 0 'alues in industry is still a wide one

from 5JK7 to 5JK for the upper le'el$

?e must also rememer to allow for the effect of multipleha&ard sources$ It appears that financial cost enefitanalysis often 4ustifies greater ris# reduction factors than

the personal or en'ironmental ris# criteria$ ?e shallre'isit this issue when we come to safety integrity le'el(SI) determination practices later in this course$


49/81

0ractical e"ercise

Now is good time to try practical E"ercise

No$ 5% which is set out towards the ac# of

the manual in module 56$ This e"ercise

demonstrates the calculation of indi'idualris# and


50/81

Hazard analysis techni#ues

In the European Standard EN 5JHJ 8nne" there aredescriptions of se'eral techniques for ha&ard analysis$

The notes there ma#e an important distinctionetween two asic approaches$ These are calleddeducti'e and inducti'e. This is how the standarddescries them,

AIn the deducti'e method the final e'ent is assumedand the e'ents that could cause this final e'ent arethen sought$


51/81

Summary of ha&ard!identification

methods;ere is a summary of the ha&ard!identification methods$It is useful to ha'e this list ecause many companies willha'e preferences for certain methods or will presentsituations that require a particular approach$ ?e need toha'e a choice of tools for the 4o and to e aware of theirpros and cons$ It is also apparent that similar methodswill ha'e a 'ariety of names$

8ll guides agree that ;a&op pro'ides the most

comprehensi'e and auditale method for identification ofha&ards in process plants ut that some types ofequipments will e etter ser'ed y the alternati'es listedhere$


52/81

Deducti'e method

8 good e"ample of a deducti'e method is


53/81

Inducti'e method

So!called Awhat ifB methods are inducti'eecause the questions are formulated andanswered to e'aluate the effects of componentfailures or procedural errors on the operaility

and safety of the plant or a machine$


54/81


55/81


56/81


57/81


58/81


59/81


60/81

+ating for Safety

The following e"pression defines therelationship etween safety 8'ailailityand 0


61/81

Safety Integrity e'els and different

safety standards


62/81

8 .lass F SI


63/81

in#ing +is#s to SI

To determine the application of a SIS for anactual installation% the control engineer shoulduse a qualitati'e classification of ris#assessment$

8 qualitati'e e'aluation of safety integrity le'elweighs the se'erity and li#elihood of the

ha&ardous e'ent$ It also considers the numerof independent protection layers addressingthe same cause of a ha&ardous e'ent$


64/81

Safety Integrity e'el (SI)

During the 5OOJs the concept of safety!integrityle'els (#nown as SIs) e'ol'ed and is used inthe ma4ority of documents in this area$ Theconcept is to di'ide the AspectrumB of integrity

into a numer of discrete le'els (usually four)and then to lay down requirements for eachle'el$

.learly% the higher the SI then the morestringent ecome the requirements$


65/81

Safety!Integrity e'els (SIs)

To further understand these important terms let us as# a fundamental


66/81

To further understand these important terms let us as# a fundamentalquestion which is how frequently will failures of either type of function lead toaccidents$ The answer is different for the 6 types,


67/81

Definitions of SIs for ow Demand Mode from S

EN 5HJ

Definitions of SIs for ;igh Demand / .ontinuous

Mode from S EN 5HJ

So hat is the SI achie ed the f nction@ .learl it is not


68/81

So what is the SI achie'ed y the function@ .learly it is notunique% ut depends on the ha&ard and in particular whetherthe demand rate for the ha&ard implies low or high demandmode$

SI is a measure of the SIS performance related only to thede'ices that comprise the SIS$ This measure is limited tode'ice integrity% architecture% testing% diagnostics% and commonmode faults inherent to the specific SIS design$ It is not

e"plicitly related to a cause!and!effect matri"% ut it is related tothe de'ices used to pre'ent a specific incident$


69/81

The new 8NSI/IS8 S9$J5 standard requires that assign atarget safety integrity le'el (SI) for all safetyinstrumented systems (SIS) applications$

The assignment of the target SI is a decision requiring thee"tension of the process ha&ards analysis (0;8)process to include the alance of ris# li#elihood andse'erity with ris# tolerance$

Since SI 9 is rarely used$ SI 7 is typically the highestspecified safety le'el$ 2f the three commonly usedle'els% SI7 has the greatest safety a'ailaility (+S8)%

and therefore the lowest a'erage proaility of failure ondemand (0


70/81

8 determination of the target safety

integrity le'el requires,5$ 8n identification of the ha&ard in'ol'ed$

6$ 8ssessment of the ris# of each of the

identified ha&ard$ In other words% how ad

is eachha&ard and how often is it e"pected to occur$

7$ 8n assessment of other Independent

0rotection ayers (I0s) that may e inplace$

+is# e'el


71/81

+is# e'el


72/81

Safety 8rchitectures

Se'eral system architectures are applied in

process safety applications% including

single!channel systems to triple redundant

configurations$ .ontrol engineers mustest match architecture to operating

process safety requirements% accounting

for failure in the safety system$

ne concern is that many safety systems in


73/81

ne concern is that many safety systems in

operation* or under construction* do not follow

$asic protection principles% 3nsafe practices

include:

- 0erforming the safety shutdown within the asicprocess control systems (0.S) or distriutedcontrol systems (D.S)$

- 1sing con'entional programmale logiccontrollers (0.s) in safety critical applications(Safety 0.s) are certified to meet safety critical

applications to SI6 and SI7$)- Implementing single element (non redundant)microprocessor! ased systems on criticalprocessor$


74/81

The con'entional 0. architecture

pro'ides only a single electric path$Sensors send processsignals to the input modules$ The logic sol'er e'aluates

these inputs% determines if a potentially ha&ardous

condition e"ists% and energi&es or de!energi&es the solid!state output$ (


75/81

8 special class of programmale logic controllers%called safety 0.s% represents an alternati'e$

Safety 0.s pro'ide high reliaility and highsafety 'ia special electronics% special software%pre!engineered redundancy% and independentcertification$

The safety 0. has input/output circuits designedto e fail!safe% using uilt!in diagnostics$ Thecentral processing unit (.01) of a safety 0.has uilt!in diagnostics for memory% .01

operation% watchdog timer% and communicationsystems$

- 8ccurately e'aluating the safety le'el for a specific


76/81

y g y pcontrol de'ice in the conte"t of a potential ha&ardouse'ent poses a ma4or and difficult prolem for manycontrol engineers$ 8ssociations and agenciesworldwide ha'e made considerale progress towardestalishing standards and implementation guidelinesfor safety instrumented systems$ These standardsattempt to match the ris# inherent in a gi'en situationto the required integrity le'el of the safety system$

- 1nfortunately% many of these guidelines andstandards are not specific to a particular type ofprocess and deal only with a qualitati'e le'el of ris#$

.ontrol engineers must use considerale 4udgment ine'aluating ris# and applying instrumentation thatproperly addresses estalished design procedureswith udget restraints$


77/81

Typical 8pplications

8 fault!tolerant control system identifies and compensatesfor failed control system elements and allows repairwhile continuing assigned tas# without processinterruption$ 8 high integrityn control system is used incritical process applications that require a significantdegree of safety and a'ailaility$ Some typicalapplications are,

5! Emergency Shutdown

6! oiler


78/81

5! Emergency Shutdown

Safety instrumented system pro'ides continuous protection for safety!critical units in refineries% petrochemical/chemical plants and otherindustrial processes$ are monitored andshutdown actions ta#en if an upset condition occur$

Traditional shutdown systems implemented with mechanical orelectronic relays pro'ide shutdown protection ut can also causedangerous nuisance trips$ Safety instruments pro'ide automaticdetection and 'erification of field sensor integrity% integratedshutdown and control functionality% and direct connection to the

super'isory data highway for continuous monitoring of safety >critical functions$


79/81

6! oiler


80/81

7! Turine .ontrol Systems

The control and protection of gas or steam turinesrequires high integrity as well as safety$ The continuousoperation of the fault > tolerant integrated controllerpro'ides the turine operator with ma"imum a'ailailitywhile maintaining equi'alent le'els of safety$

Speed control as well as start!up and shutdown sequencingare implemented in a single integrated system$1nscheduled outages are a'oided y using hot spares

for the I/2 modules$ If a fault occurs in a module% areplacement module is automatically acti'ated withoutoperator inter'ention$

9 2ffshore


81/81

9! 2ffshore

Documents

Safety System