Slide DT/ET - 1
Energise to trip?De-energise to trip?
Simple Choice?
Tony Foord & Colin Howardwww.4-sightConsulting.co.uk
+44 (0)1 582 462 324
Slide DT/ET - 2
Examples
Slide DT/ET - 3
Overview
• Available guidance• Why do trip systems fail?• Trip system issues• System failure modes• 3 examples• Architecture and Spurious trip frequency• Diagnostics and Reverse acting transmitters• References• Conclusions
Slide DT/ET - 4
Traditional Choices
Operation
Safety Availability
De-energise to Trip (DT)
Energise to Trip (ET)
Slide DT/ET - 5
Available Guidance
• Very little specific guidance publishedOne or two paragraphs only
Concentrate on “fail safe”WHY?
Custom and practice?Taken for granted?Principles assumed?
Slide DT/ET - 6
Overpressure protection for a turbine driven compressor
Slide DT/ET - 7
Why do trip systems fail?Inadequatespecification
Inadequate designandimplementationInadequateinstallation andcommissioningInadequateoperation andmaintenanceInadequatemodification
Source: Out of Control 2003
Slide DT/ET - 8
Trip system issues
• SIF Requirements• Passive / active systems• Utility Requirements• Effect on Fail to Danger and Spurious Trips
– Design policy / Architecture / Overrides (defeats)– People issues– Operate / Test / Repair policies– Component reliability– Diagnostics
Slide DT/ET - 9
System failure modes
Source: Sintef PDS Method Handbook 2006
Slide DT/ET - 10
SIF
Energise or De-energise to Trip?
Process unit
consumers
Emergency Feed
Surge Drum
OAF
LSZ
Slide DT/ET - 11
Addition of Reactor Inhibitor Options
BD1
CW In
HW In
CW Out
HW Out
Feed B
Feed ATT 1
PT 1
Product Out
Vent
N2 In
Dump tank
HP N2
Inhibitor
Inhibitor
Energise to Trip
De-energise to Trip
Slide DT/ET - 12
Architecture and Spurious Trip Frequency
0.0000001
0.000001
0.00001
0.0001
0.001
0.01
0.1
11oo1 1oo2 1oo3 2oo3
Freq
uenc
y
Slide DT/ET - 13
Valve failure modes ~ 80% open
Failure mode %
Blocking 5
External leak 15
Passing 60
Sticking 20
Data source: Smith: Reliability, Maintainability and Risk
Slide DT/ET - 14
Relay failure modes ~ 90% open
Failure mode %Contacts short circuit
10
Contacts open circuit
80
Coil 10
Data source: Smith: Reliability, Maintainability and Risk
Slide DT/ET - 15
Overpressure protection for a turbine driven compressor
Slide DT/ET - 16
DT fails to danger
Slide DT/ET - 17
ET fails to danger
Logic solver fails
Logic solverhardware fails
Logic solver fails
Logic solverhardware fails
Sensor 1 fails
Sensor 1 fails
Sensor 1 fails
Sensor 1 fails
Sensor 2 fails
Sensor 2 fails
Sensor 2 fails
Sensor 2 fails
Sensor 3 fails
Sensor 3 fails
Sensor 3 fails
Sensor 3 fails
2
Sensors fail
2oo3 sensorsfail
2
Sensors fail
2oo3 sensorsfail
FE 1 fails
Final element1 fails
FE 1 fails
Final element1 fails
FE 2 fails
Final element2 fails
FE 2 fails
Final element2 fails
Both FEs fail
Both finalelement
Both FEs fail
Sensors Logicsolver
Finalelements
Key toFaultTrees
Both FEs fail
Slide DT/ET - 18
DT (left) and ET fails to danger
Logic solver fails
Logic solverhardware fails
Logic solver fails
Logic solverhardware fails
Sensor 1 fails
Sensor 1 fails
Sensor 1 fails
Sensor 1 fails
Sensor 2 fails
Sensor 2 fails
Sensor 2 fails
Sensor 2 fails
Sensor 3 fails
Sensor 3 fails
Sensor 3 fails
Sensor 3 fails
2
Sensors fail
2oo3 sensorsfail
2
Sensors fail
2oo3 sensorsfail
FE 1 fails
Final element1 fails
FE 1 fails
Final element1 fails
FE 2 fails
Final element2 fails
FE 2 fails
Final element2 fails
Both FEs fail
Both finalelement
Both FEs fail
Sensors Logicsolver
Finalelements
Key toFaultTrees
Both FEs fail
Slide DT/ET - 19
DT spurious trips
Slide DT/ET - 20
ET spurious trips
Slide DT/ET - 21
DT (left) and ET spurious trips
Logic solver fails
Logic solverhardware fails
Logic solver fails
Logic solverhardware fails
Sensor 1 fails
Sensor 1 fails
Sensor 1 fails
Sensor 1 fails
Sensor 2 fails
Sensor 2 fails
Sensor 2 fails
Sensor 2 fails
Sensor 3 fails
Sensor 3 fails
Sensor 3 fails
Sensor 3 fails
2
Sensors fail
2oo3 sensorsfail
2
Sensors fail
2oo3 sensorsfail
FE 1 fails
Final element1 fails
FE 1 fails
Final element1 fails
FE 2 fails
Final element2 fails
FE 2 fails
Final element2 fails
Both FEs fail
Both finalelement
Both FEs fail
Sensors Logicsolver
Finalelements
Key toFaultTrees
Both FEs fail
Slide DT/ET - 22
Diagnostics and Reverse Acting Transmitters
• Safety Function operates on “high” signals• Transmitter failure leads to low signal
Diagnostics require separate inputReverse acting transmitter provides automatic protection– Avoids technical complexity BUT introduces
human factors and management complexity
Slide DT/ET - 23
References - 1• http://www.hse.gov.uk/comah/sragtech/index.htm
which includes links to Case Studies illustrating the importance of Control and Protection Systems, for example– Texaco Refinery - Milford Haven - Explosion and Fires (24/7/1994)– International Biosynthetics Ltd (7/12/1991) – BP Oil (Grangemouth) Refinery Ltd (22/3/1987)– Seveso - Icmesa Chemical Company (9/7/1976)
• Out of Control (2003), Second edition, HSE Books, ISBN 0-7176-2192-8
• IEC 61508 (1998 & 2000), Functional safety of electrical/electronic/programmable electronic safety-related systems Parts 1-7
Slide DT/ET - 24
References - 2• Reliability Prediction Method For Safety Instrumented
Systems. PDS Method Handbook (2006) SINTEF• ISA-TR84.00.02 (2002) - Safety Instrumented Function
(SIF) - Safety Integrity Level (SIL) Evaluation Techniques Part 1: Introduction – page 57
• Reliability Maintainability and Risk (2001) David J Smith ISBN 0-7506-5168-7
• Safety Shutdown Systems Design, Analysis and Justification (1998) Paul Gruhn and Harry Cheddie ISBN1-55617-665-1
• Safety-Critical Computer Systems (1996), Neil Storey, ISBN 0-201-42787-7
• Safeware: system safety and computers (1995), Nancy Leveson, ISBN 0-201-11972-2
Slide DT/ET - 25
Available Guidance on ET
Is there anything else out there?
Slide DT/ET - 26
Conclusions
• Choice less clear-cut than at first sight– Need to look holistically– Wider than simply the core SIF
• ET can be made to work – possibilities of getting it wrong are greater
• ET inherently more complex– Does everyone understand the
complexity?• Some DT systems have ET elements