safety system
7/13/2019 Safety System
1/81
Safety System/Emergency Shutdown System (ESD)
The Need for Safety Instrumentation

Managing and equipping industrial plant with the right components and sub-systems for optimal operational efficiency and safety is a complex task. Safety Systems Engineering (SSE) describes a disciplined, systematic approach, which encompasses hazard identification, safety requirements specification, safety systems design and build, and systems operation and maintenance over the entire lifetime of the plant. The foregoing activities form what has become known as the safety 'life-cycle' model, which is at the core of current and emerging safety related system standards.
Risk and Risk Reduction Methods

Safety methods employed to protect against or mitigate harm/damage to personnel, plant and the environment, and reduce risk include:
- Changing the process or engineering design
- Increasing mechanical integrity of the system
- Improving the Basic Process Control System (BPCS)
- Developing detailed training and operational procedures
- Increasing the frequency of testing of critical system components
- Using a Safety Instrumented System (SIS)
- Installing mitigating equipment
Other terms used for safety systems are: Safety Instrumented Systems (SIS), Emergency Shutdown System (ESD), Safety Related System (SRS), or E/E/PE Safety Related System (E/E/PE = Electric/Electronic/Programmable Electronic).
Objectives of a shutdown control system
1- Protection of life
2- Protection of plant equipment
3- Avoidance of environmental pollution
4- Maximizing plant production, i.e. avoiding unnecessary shutdowns
Safety, Reliability, and Availability

a) Safety
Safety means a sufficient protection from danger.
- Safety related controls are needed e.g. for trains, lifts, escalators, burners, etc. The safe controls must be designed in a way that any component fault and other imaginable influences do not cause dangerous states in the plant.
The safe state

The safe state is the state to which a system can be put out of its current operational state and which has a system-specific lower hazard potential than the operational state. The absolutely safe state is the one with the lowest amount of energy involved. Quite often it is not possible to obtain the safe state without any danger involved, just by switching the device off (e.g. a plane). The plane in the air, taken as a system, has no safe state. Here the risk can only be reduced by redundant equipment (e.g. for propulsion and navigation systems).
Safety is measured primarily by a parameter called Average Probability of Failure on Demand (PFDavg). This indicates the chance that a SIS will not perform its preprogrammed action during a specified interval of time (usually the time between periodic inspections).
Reliability
Reliability is the ability of a technical device to fulfill its function during its operation time. This is often no longer possible if one component has a failure. So the MTBF (Mean Time Between
Availability
Availability is the probability of a system being a functioning one. It is expressed in per cent and defines the mean operating time between two failures (MTBF).
The availability can be increased through redundancy, e.g. central devices working in parallel, IO modules or multiple sensors on the same measuring point. The redundant components are put up in a way that the function of the system is not affected by the failure of one component.
Here as well a detailed diagnostic display is an important element of availability.
Measures designed to increase availability have no effect on the safety. The safety of redundant systems is however only guaranteed if there are automatic test routines during operation or if e.g. non-safety related sensor circuits in 2-oo-3 order are regularly checked. If one component fails, it must be possible to switch off the defective part in a safe way.
A related measure is called Safety Availability. It is defined as the probability that a SIS will perform its preprogrammed action when the process is operating. It can be calculated as follows:
Safety Availability = 1 - PFDavg
Another parameter is called the Risk Reduction Factor (RRF). It represents the ratio of risk without a SIS divided by the risk with a SIS. It can be calculated as follows:
RRF = 1/PFDavg
What is hazard and what is risk?
A hazard is "an inherent physical or chemical characteristic that has the potential for causing harm to people, property, or the environment". In chemical processes, "it is the combination of a hazardous material, an operating environment, and certain unplanned events that could result in an accident".
Hazards Analysis
Generally, the first step in determining the levels of protective layers required involves conducting a detailed hazard and risk analysis. In the process industries a Process Hazards Analysis (PHA) is generally undertaken, which may range from a screening analysis through to a complex Hazard and Operability (HAZOP) study, depending on the complexity of operations and severity of the risks involved. The latter involves a rigorous detailed process examination by a multi-disciplinary team comprising process, instrument, electrical and mechanical engineers, as well as safety specialists and management representatives.
Risk
"Risk is usually defined as the combination of the severity and probability of an event. In other words, how often can it happen and how bad is it when it does happen? Risk can be evaluated qualitatively or quantitatively." Roughly,
Risk reduction
Risk reduction can be achieved by reducing either the frequency of a hazardous event or its consequences or by reducing both of them. Generally, the most desirable approach is to first reduce the frequency since all events are likely to have cost implications, even without dire consequences.
Safety systems are all about risk reduction. If we can't take away the hazard we shall have to reduce the risk. This means: reduce the frequency and/or reduce the consequence.
The basic definitions of the safety related terminologies will be studied in this course; there are three main examples of the required safety actions, as follows:
Emergency Shutdown (ESD)
Typical actions from ESD systems are:
- Shutdown of part systems and equipment
- Isolate hydrocarbon inventories
- Isolate electrical equipment
- Prevent escalation of events
- Stop hydrocarbon flow
- Depressurize / blow down
- Emergency ventilation control
- Close watertight doors and fire doors.
Process Shutdown (PSD)
A process shutdown is defined as the automatic isolation and de-activation of all or part of a process. During a PSD the process remains pressurized. Basically PSD consists of field-mounted sensors, valves and trip relays, a system logic unit for processing of incoming signals, alarm and HMI units. The system is able to process all input signals and activate outputs in accordance with the applicable Cause and Effect charts.
Typical actions from PSD systems are:
- Shutdown the whole process
- Shutdown parts of the process
- Depressurize / blowdown parts of the process.
Emergency Shutdown (ESD)
The Emergency Shutdown System (ESD) shall minimize the consequences of emergency situations, typically related to uncontrolled flooding, escape of hydrocarbons, or outbreak of fire in hydrocarbon carrying areas or areas which may otherwise be hazardous. Traditionally risk analyses have concluded that the ESD system is in need of a high Safety Integrity Level, typically SIL 2 or 3.
Basically the system consists of field-mounted sensors, valves and trip relays, system logic for processing of incoming signals, alarm and HMI units. The system is able to process input signals and activate outputs in accordance with the Cause & Effect charts defined for the installation.
Typical actions from ESD systems are:
- Shutdown of part systems and equipment
- Isolate hydrocarbon inventories
- Isolate electrical equipment (*)
- Prevent escalation of events
- Stop hydrocarbon flow
- Depressurize / blowdown
- Emergency ventilation control (*)
- Close watertight doors and fire doors (*)
Process Shutdown (PSD)
The Process Shutdown system ensures a rapid detection and safe handling of process upsets.
Traditionally risk analyses have concluded that the PSD system is in need of a low to medium Safety Integrity Level.
The reason for a low to medium requirement is that PSD systems built in accordance with API RP 14C have requirements for both primary (the computerized system) and secondary (mechanical devices) protection. Basically the system consists of field-mounted sensors, valves and trip relays, a system logic unit for processing of incoming signals, alarm and HMI units. The system is able to process all input signals and activate outputs in accordance with the applicable Cause & Effect charts.
Typical actions from PSD systems are:
- Shutdown the whole process
- Shutdown parts of the process
- Depressurize / blowdown parts of the process
Safety Process General Overview
Safety by definition is the 'absence of risk'. There is risk in everything we do, so the safety process model is designed to effectively identify & reduce risk. This includes:
- Physical plant risk
- Human factor-related risk
- Attitudinal risk.
Sustained improvements in accident prevention can only come from changes to the overall mix of the above factors.
The model defines workplace risk as a formula such that:
RISK = Employee Exposure × Probability of the Accident Sequence Taking Place × Potential Consequence of the Accident
Noting that Risk = Consequence ×
- Step 1: Identification of risks that are producing accidents and injuries.
- Step 2: Perform accident / incident problem-solving on each identified risk. The process includes:
  - Definition of problem
  - Contributing factors
  - Root causes
- Step 3: Develop a schedule for implementation of each preventive action. Preventive actions should all have:
  - Responsible party
  - Resources to support actions
  - Timetable for completion
- Step 4: Continuously measure to ensure preventive actions are working as expected. Measure the timetable to ensure each action is enabled.
- Step 5: Employees involved in the work environment must be given feedback on a continuous basis (i.e. positive reinforcement).
The process for managing risk
Risk Evaluation
There is no such thing as zero risk. This is because no physical item has a zero failure rate, no human being makes zero errors and no piece of software design can foresee every possibility.
Key Questions to Ask
A process control engineer implementing a Safety Instrumented System must answer several questions:
1. What level of risk is acceptable?
2. How many layers of protection are needed?
3. When is a Safety Instrumented System required?
4. Which architecture should be chosen?
Risk assessment
The measurement of risk
Quantitative scale:
- Minor - Injury to one person involving less than 3 days absence from work
- Major - Injury to one person involving more than 3 days absence from work
- Multiple fatalities and injuries.
Qualitative scale:
- Unlikely
- Possible
- Occasionally
Alternatively
- One hazardous event occurring on the average once every 10 years will have an event frequency of 0.1 per year.
- A rate of 10^-4 events per year means that an average interval of 10 000 years can be expected between events.
Another alternative is to use a semi-quantitative scale or band of frequencies to match up words to frequencies. For example:
- Possible = Less than once in 30 years
- Occasionally = More than once in 30 years but less than once in 3 years
- "Major" injury likely to occur "Occasionally"
- Risk item no. 2 - "Minor" injury likely to occur
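As an added example (not from the course slides), the frequency conversions and the semi-quantitative words above, coded so that a risk-register line in the slide's phrasing can be produced from an event interval and an injury outcome. The "Unlikely" cut-off at once in 300 years, the word "Frequent" above once in 3 years, and the handling of exactly 3 days' absence and of a single fatality are this example's assumptions.

```python
"""Frequency conversions and the semi-quantitative risk words from the
course slides (added example; see the lead-in for the assumptions)."""

# Band edges in events per year. "Possible" and "Occasionally" follow the
# slide (once in 30 years, once in 3 years); the "Unlikely" edge at once in
# 300 years and the word "Frequent" above once in 3 years are assumptions.
ONCE_IN_300_YEARS = 1.0 / 300.0
ONCE_IN_30_YEARS = 1.0 / 30.0
ONCE_IN_3_YEARS = 1.0 / 3.0


def frequency_from_interval(years_between_events: float) -> float:
    """Events per year for an event seen once every N years (10 yr -> 0.1/yr)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def interval_from_frequency(events_per_year: float) -> float:
    """Mean years between events for a rate (1e-4/yr -> 10 000 yr)."""
    if events_per_year <= 0:
        raise ValueError("frequency must be positive")
    return 1.0 / events_per_year


def frequency_word(events_per_year: float) -> str:
    """Qualitative word for a frequency, using the slide's band edges."""
    if events_per_year <= 0:
        raise ValueError("frequency must be positive")
    if events_per_year < ONCE_IN_300_YEARS:
        return "Unlikely"            # assumed edge, below "Possible"
    if events_per_year < ONCE_IN_30_YEARS:
        return "Possible"            # less than once in 30 years
    if events_per_year < ONCE_IN_3_YEARS:
        return "Occasionally"        # once in 30 years up to once in 3 years
    return "Frequent"                # assumed word; the slide stops at 3 years


def consequence_word(days_absent: int, fatalities: int) -> str:
    """Consequence category for an injury outcome, per the slide's scale.
    A single fatality is not on the slide; it is placed in the worst band
    (assumption, conservative). Exactly 3 days is treated as Major."""
    if fatalities >= 1:
        return "Multiple fatalities"
    if days_absent < 3:
        return "Minor"               # one person, less than 3 days absence
    return "Major"                   # one person, more than 3 days absence


def risk_register_line(item_no: int, days_absent: int, fatalities: int,
                       years_between_events: float) -> str:
    """Compose the slide's phrasing, e.g.
    Risk item no. 2 - "Minor" injury likely to occur "Occasionally"."""
    freq = frequency_from_interval(years_between_events)
    return (f'Risk item no. {item_no} - "{consequence_word(days_absent, fatalities)}" '
            f'injury likely to occur "{frequency_word(freq)}"')


if __name__ == "__main__":
    # Constructed register entries (not from the slides).
    print(risk_register_line(1, 10, 0, 50))   # Major, Possible
    print(risk_register_line(2, 2, 0, 10))    # Minor, Occasionally
    print(interval_from_frequency(1e-4))     # 10000.0
```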
Risk matrix example 1
Risk matrix example 2
Scales of consequence
Risk classification of accidents
Concepts of Alarp and tolerable risk
The Alarp (as low as reasonably practicable) principle recognizes that there are three broad categories of risks:
- Negligible risk: broadly accepted by most people as they go about their everyday lives; these would include the risk of being struck by lightning or of having brake failure in a car.
- Tolerable risk: We would rather not have the risk but it is tolerable in view of the benefits obtained by accepting it. The cost in inconvenience or in money is balanced against the scale of risk, and a compromise is accepted.
- Unacceptable risk: The risk level is so high that we are not prepared to tolerate it. The losses far outweigh any possible benefits in the situation.
Alarp diagram
Step 1
The estimated level of risk must first be reduced to below the maximum level of the Alarp region at all costs.
This assumes that the maximum acceptable risk line has been set as the maximum tolerable risk for the society or industry concerned. This line is hard to find, as we shall see in a moment.
Step 2
Establishing tolerable risk criteria
Examples are:
- Probable Loss of Life (PLL): Number of fatalities × frequency of event
- Fatal accident rate (FAR): Number of fatalities per 10^8 h worked at the site where the hazard is present.
Tolerable risk conclusion
The indications are that many companies determine tolerable risk targets using consensus from the types of statistics we have been looking at. Marszal concluded that the range of PLL values in industry is still a wide one, from 10^-3 to 10^-[digit missing] for the upper level.
We must also remember to allow for the effect of multiple hazard sources. It appears that financial cost benefit analysis often justifies greater risk reduction factors than the personal or environmental risk criteria. We shall revisit this issue when we come to safety integrity level (SIL) determination practices later in this course.
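An added example (not course material) implementing the two tolerable-risk criteria from the slides, PLL and FAR, and placing a PLL in one of the three Alarp categories described earlier. The two Alarp boundary values are assumed placeholders, since the slides say the real lines are hard to find, and summing PLLs over several hazard sources is this example's way of allowing for multiple hazards.

```python
"""Tolerable-risk criteria from the course slides: Probable Loss of Life
(PLL), Fatal Accident Rate (FAR) and an Alarp classification (added
example; the Alarp boundaries below are assumed placeholders)."""

FAR_REFERENCE_HOURS = 1e8   # FAR is quoted per 10^8 hours worked

# Assumed individual-risk boundaries per year, for illustration only:
NEGLIGIBLE_BELOW = 1e-6      # below this: broadly accepted
INTOLERABLE_ABOVE = 1e-4     # above this: not tolerated for any benefit


def probable_loss_of_life(fatalities_per_event: float,
                          events_per_year: float) -> float:
    """PLL = number of fatalities x frequency of event (fatalities per year)."""
    if fatalities_per_event < 0 or events_per_year < 0:
        raise ValueError("inputs must be non-negative")
    return fatalities_per_event * events_per_year


def fatal_accident_rate(fatalities: float, hours_worked: float) -> float:
    """FAR = fatalities per 10^8 hours worked where the hazard is present."""
    if fatalities < 0 or hours_worked <= 0:
        raise ValueError("fatalities must be non-negative, hours positive")
    return fatalities * FAR_REFERENCE_HOURS / hours_worked


def alarp_category(risk_per_year: float) -> str:
    """Negligible / tolerable (Alarp region) / unacceptable, per the slides."""
    if risk_per_year < 0:
        raise ValueError("risk cannot be negative")
    if risk_per_year < NEGLIGIBLE_BELOW:
        return "negligible"
    if risk_per_year <= INTOLERABLE_ABOVE:
        return "tolerable"       # reduce further where reasonably practicable
    return "unacceptable"


def site_pll(hazards) -> float:
    """Total PLL for several hazard sources at one site, each given as
    (fatalities per event, events per year). Summing assumes the hazards
    are independent; the slide only says to allow for multiple sources."""
    return sum(probable_loss_of_life(f, r) for f, r in hazards)


def classify_site(hazards) -> str:
    """Alarp category of the combined PLL of a site's hazard list."""
    return alarp_category(site_pll(hazards))


if __name__ == "__main__":
    # Constructed figures (not from the slides): two hazards on one site.
    hazards = [(1, 2e-5), (2, 3e-5)]          # PLL = 2e-5 + 6e-5 = 8e-5
    print(site_pll(hazards), classify_site(hazards))   # tolerable
    print(fatal_accident_rate(1, 5e7))        # 2.0
```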
0ractical e"ercise
Now is good time to try practical E"ercise
No$ 5% which is set out towards the ac# of
the manual in module 56$ This e"ercise
demonstrates the calculation of indi'idualris# and
-
7/13/2019 Safety System
50/81
Hazard analysis techniques
In the European Standard EN 1050 Annex B there are descriptions of several techniques for hazard analysis.
The notes there make an important distinction between two basic approaches. These are called deductive and inductive. This is how the standard describes them:
"In the deductive method the final event is assumed and the events that could cause this final event are then sought."
Summary of hazard-identification methods
Here is a summary of the hazard-identification methods. It is useful to have this list because many companies will have preferences for certain methods or will present situations that require a particular approach. We need to have a choice of tools for the job and to be aware of their pros and cons. It is also apparent that similar methods will have a variety of names.
All guides agree that Hazop provides the most comprehensive and auditable method for identification of hazards in process plants but that some types of equipment will be better served by the alternatives listed here.
Deductive method
A good example of a deductive method is
Inductive method
So-called "what if" methods are inductive because the questions are formulated and answered to evaluate the effects of component failures or procedural errors on the operability and safety of the plant or a machine.
Rating for Safety
The following expression defines the relationship between safety Availability and PFD
Safety Integrity Levels and different safety standards
AK Class & SIL
Linking Risks to SIL
To determine the application of a SIS for an actual installation, the control engineer should use a qualitative classification of risk assessment.
A qualitative evaluation of safety integrity level weighs the severity and likelihood of the hazardous event. It also considers the number of independent protection layers addressing the same cause of a hazardous event.
Safety Integrity Level (SIL)
During the 1990s the concept of safety-integrity levels (known as SILs) evolved and is used in the majority of documents in this area. The concept is to divide the "spectrum" of integrity into a number of discrete levels (usually four) and then to lay down requirements for each level.
Clearly, the higher the SIL then the more stringent become the requirements.
Safety-Integrity Levels (SILs)
To further understand these important terms let us ask a fundamental question, which is how frequently will failures of either type of function lead to accidents. The answer is different for the 2 types:
Definitions of SILs for Low Demand Mode from BS EN 61508
Definitions of SILs for High Demand / Continuous Mode from BS EN 61508
So what is the SIL achieved by the function? Clearly it is not unique, but depends on the hazard and in particular whether the demand rate for the hazard implies low or high demand mode.
SIL is a measure of the SIS performance related only to the devices that comprise the SIS. This measure is limited to device integrity, architecture, testing, diagnostics, and common mode faults inherent to the specific SIS design. It is not explicitly related to a cause-and-effect matrix, but it is related to the devices used to prevent a specific incident.
The new ANSI/ISA S84.01 standard requires that a target safety integrity level (SIL) be assigned for all safety instrumented system (SIS) applications.
The assignment of the target SIL is a decision requiring the extension of the process hazards analysis (PHA) process to include the balance of risk likelihood and severity with risk tolerance.
Since SIL 4 is rarely used, SIL 3 is typically the highest specified safety level. Of the three commonly used levels, SIL3 has the greatest safety availability (RSA), and therefore the lowest average probability of failure on demand (PFDavg).
A determination of the target safety integrity level requires:
1. An identification of the hazard involved.
2. Assessment of the risk of each of the identified hazards. In other words, how bad is each hazard and how often is it expected to occur.
3. An assessment of other Independent Protection Layers (IPLs) that may be in place.
Risk Level
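Added example (not from the course): the PFDavg relations stated earlier (Safety Availability = 1 - PFDavg, RRF = 1/PFDavg) together with the three-step target-SIL determination above, worked as one calculation: residual hazard frequency after the credited IPLs, required RRF against a tolerable frequency, and the low-demand SIL band for that RRF. The SIL band edges are the IEC 61508 low-demand values (not printed on these slides); all numeric inputs are constructed.

```python
"""Added example: PFDavg relations from the slides (Safety Availability
= 1 - PFDavg, RRF = 1/PFDavg) and the target-SIL procedure (hazard,
its frequency, credited IPLs). All figures are constructed."""

# Low-demand SIL bands by minimum RRF (i.e. 1/PFDavg): IEC 61508 values,
# a standard fact rather than something printed on these slides.
SIL_BY_MIN_RRF = ((4, 1e4), (3, 1e3), (2, 1e2), (1, 1e1))
MAX_RRF_WITH_A_BAND = 1e5   # at or above this no SIL band is defined


def _check_pfd(pfd_avg: float) -> None:
    # A probability of failure on demand must lie in (0, 1].
    if not 0.0 < pfd_avg <= 1.0:
        raise ValueError(f"PFDavg out of range: {pfd_avg}")


def safety_availability(pfd_avg: float) -> float:
    """Safety Availability = 1 - PFDavg."""
    _check_pfd(pfd_avg)
    return 1.0 - pfd_avg


def risk_reduction_factor(pfd_avg: float) -> float:
    """RRF = 1 / PFDavg (risk without the SIS over risk with it)."""
    _check_pfd(pfd_avg)
    return 1.0 / pfd_avg


def sil_for_rrf(rrf: float):
    """SIL whose low-demand band holds this RRF; None below 10, where no
    SIL can be claimed. RRF >= 1e5 still reports 4 (no higher level exists)."""
    if rrf < 0:
        raise ValueError("RRF cannot be negative")
    for sil, min_rrf in SIL_BY_MIN_RRF:
        if rrf >= min_rrf * (1 - 1e-9):   # tolerate rounding on a band edge
            return sil
    return None


def residual_frequency(initiating_events_per_year: float, ipl_pfds) -> float:
    """Hazard frequency left after the existing independent protection
    layers; each IPL is credited with its PFDavg and assumed independent."""
    freq = initiating_events_per_year
    for pfd in ipl_pfds:
        _check_pfd(pfd)
        freq *= pfd
    return freq


def determine_target_sil(initiating_events_per_year: float, ipl_pfds,
                         tolerable_events_per_year: float):
    """Slide procedure: hazard -> residual frequency -> required RRF -> SIL.
    Returns (residual frequency, required RRF, target SIL or None)."""
    if tolerable_events_per_year <= 0:
        raise ValueError("tolerable frequency must be positive")
    residual = residual_frequency(initiating_events_per_year, ipl_pfds)
    rrf_needed = residual / tolerable_events_per_year
    if rrf_needed >= MAX_RRF_WITH_A_BAND:
        raise ValueError("risk reduction beyond SIL 4: change the process, "
                         "not only the SIS")
    return residual, rrf_needed, sil_for_rrf(rrf_needed)


def sis_meets_target(pfd_avg: float, target_sil: int) -> bool:
    """True when a SIS with this PFDavg achieves at least the target SIL."""
    achieved = sil_for_rrf(risk_reduction_factor(pfd_avg))
    return achieved is not None and achieved >= target_sil


if __name__ == "__main__":
    # Constructed case: hazard 0.1/yr; a BPCS alarm (PFD 0.1) and a relief
    # valve (PFD 0.01) already credited; tolerable frequency 1e-6/yr.
    print(determine_target_sil(0.1, [0.1, 0.01], 1e-6))   # (..., ~100, 2)
    print(safety_availability(0.005), sis_meets_target(0.005, 2))  # 0.995 True
```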
Safety Architectures
Several system architectures are applied in process safety applications, including single-channel systems to triple redundant configurations. Control engineers must best match architecture to operating process safety requirements, accounting for failure in the safety system.
One concern is that many safety systems in operation, or under construction, do not follow basic protection principles. Unsafe practices include:
- Performing the safety shutdown within the basic process control system (BPCS) or distributed control system (DCS).
- Using conventional programmable logic controllers (PLCs) in safety critical applications (Safety PLCs are certified to meet safety critical applications to SIL2 and SIL3.)
- Implementing single element (non redundant) microprocessor-based systems on critical processes.
The conventional PLC architecture provides only a single electric path. Sensors send process signals to the input modules. The logic solver evaluates these inputs, determines if a potentially hazardous condition exists, and energizes or de-energizes the solid-state output.
A special class of programmable logic controllers, called safety PLCs, represents an alternative.
Safety PLCs provide high reliability and high safety via special electronics, special software, pre-engineered redundancy, and independent certification.
The safety PLC has input/output circuits designed to be fail-safe, using built-in diagnostics. The central processing unit (CPU) of a safety PLC has built-in diagnostics for memory, CPU operation, watchdog timer, and communication systems.
- Accurately evaluating the safety level for a specific control device in the context of a potential hazardous event poses a major and difficult problem for many control engineers. Associations and agencies worldwide have made considerable progress toward establishing standards and implementation guidelines for safety instrumented systems. These standards attempt to match the risk inherent in a given situation to the required integrity level of the safety system.
- Unfortunately, many of these guidelines and standards are not specific to a particular type of process and deal only with a qualitative level of risk. Control engineers must use considerable judgment in evaluating risk and applying instrumentation that properly addresses established design procedures within budget restraints.
Typical Applications
A fault-tolerant control system identifies and compensates for failed control system elements and allows repair while continuing assigned tasks without process interruption. A high integrity control system is used in critical process applications that require a significant degree of safety and availability. Some typical applications are:
1- Emergency Shutdown
2- Boiler
1- Emergency Shutdown
A safety instrumented system provides continuous protection for safety-critical units in refineries, petrochemical/chemical plants and other industrial processes. The units are monitored and shutdown actions taken if an upset condition occurs.
Traditional shutdown systems implemented with mechanical or electronic relays provide shutdown protection but can also cause dangerous nuisance trips. Safety instruments provide automatic detection and verification of field sensor integrity, integrated shutdown and control functionality, and direct connection to the supervisory data highway for continuous monitoring of safety-critical functions.
2- Boiler
3- Turbine Control Systems
The control and protection of gas or steam turbines requires high integrity as well as safety. The continuous operation of the fault-tolerant integrated controller provides the turbine operator with maximum availability while maintaining equivalent levels of safety.
Speed control as well as start-up and shutdown sequencing are implemented in a single integrated system. Unscheduled outages are avoided by using hot spares for the I/O modules. If a fault occurs in a module, a replacement module is automatically activated without operator intervention.
4- Offshore