359
15
Safety Instrumented Systems
As defined by ANSI/ISA-84.00.01-2004 (IEC 61511 Mod) [Ref. 4] a Safety Instrumented System (SIS) is a control system consisting of sensors, one or more controllers (frequently called logic solvers), and final elements. The purpose of an SIS is to monitor an industrial process for potentially dangerous conditions and to alarm or execute preprogrammed action to either prevent a hazardous event from occurring or to mitigate the consequences of a hazardous event should it occur. An SIS:
• Does not improve the yield of a process and
• Does not increase process efficiency but
• Does save money by loss reduction and
• Does reduce risk cost.
Risk Cost
Risk is usually defined as the probability of a failure event multiplied by the consequences of the failure event. The consequences of a failure event are measured in terms of risk cost. The concept of risk cost is a statistical concept. An actual cost is not incurred each year. Actual cost is incurred only when there is a failure event (an accident). The individual event cost can be quite high. If event costs are averaged over many sites for many years, an average risk cost per year can be established. If actions are taken to reduce the chance of a failure event or the consequences of a failure event, risk costs are lowered.
360 Control Systems Safety Evaluation and Reliability
Risk Reduction
There are risks in every activity of life. Admittedly some activities involve more risk than others. According to Reference 1, the chance of dying during a 100 mile automobile trip in the midwestern United States is 1 in 588,000. The average chance each year of dying from an earthquake or volcano is 1 in 11,000,000.
There is risk inherent in the operation of an industrial process. Sometimes that risk is unacceptably high. A lower level of risk may be required by corporate rules, regulatory environment, law, the insurance company, public opinion, or other interested parties. This requirement leads to the concept of “acceptable risk.” When inherent risk (perceived or actual) is higher than “acceptable risk,” then risk reduction is required (Figure 15-1).
While “inherent risk” and even “acceptable risk” are very hard to quantify, risk reduction is a little easier. Several methods have been proposed to determine the amount of risk reduction to at least an order-of-magnitude level (Ref. 2).
EXAMPLE 15-1
Problem: Records maintained over many sites for many years indicate that on average once every 15 years an industrial boiler has an accident if no protection equipment like an SIS is used. The average cost of each event is $1 million. What is the yearly risk cost with no protection equipment?
Solution: The average yearly risk cost is $1,000,000/15 = $66,667.
Figure 15-1. Risk Reduction
Safety Instrumented Systems 361
Risk Reduction Factor
The risk reduction factor (RRF) may be defined as:
RRF = Inherent Risk / Acceptable Risk
An SIS provides risk reduction when it monitors a process looking for a dangerous condition (a process demand) and successfully performs its preprogrammed function to prevent an event. Assuming that the SIS has been properly programmed, it reduces risk whenever it operates successfully in response to a process demand. It will not reduce risk if it fails to operate when there is a process demand. Therefore, an important measure of the risk reduction capability of an SIS is PFD, probability of failure on demand. In the case of a de-energize-to-trip system, this is the probability that the system will fail with its outputs energized. For low demand systems, a dangerous condition occurs infrequently; therefore PFDavg (Chapter 4) is the relevant measure of probability of dangerous failure. In such cases the risk reduction factor (RRF) achieved is defined as:
RRF = 1 / PFDavg (15-1)
How Much RRF is Needed?
Some find it hard to numerically estimate the necessary RRF in an industrial process. That is one reason why functional safety standards provide an order-of-magnitude framework with which to work. This order of magnitude risk reduction framework is called “safety integrity level (SIL).” Figure 15-2 shows the safety integrity levels (SIL) established by IEC 61508 (Ref. 3) with some examples of various industrial processes. It should be noted that any particular industrial process can be assigned different SILs depending on the actual or perceived effect of events that are known (or likely) to occur in connection with that process.
Several methods to determine SIL are published in Part 3 of ISA’s 84.01 standard (Ref. 4). One qualitative method from 84.01, Part 3, developed to deal with personnel death and injury, is shown in Figure 15-3. This method is called a risk graph. The developer of a risk graph must determine four things: the consequence (C), the frequency of exposure (F), the possibility of avoidance (P), and the probability of occurrence (W).
The probability of occurrence of an event is characterized by three of the factors: F, P, and W. The fourth factor, C, completes the estimate of risk. A description of each factor is shown in Table 15-1.
Figure 15-2. Risk Reduction Categories

Safety Integrity Level   Average Probability of Failure on Demand (PFDavg), Low Demand   Risk Reduction Factor (RRF)
SIL 1                    0.1 - 0.01                                                      10 - 100
SIL 2                    0.01 - 0.001                                                    100 - 1,000
SIL 3                    0.001 - 0.0001                                                  1,000 - 10,000
SIL 4                    < 0.0001                                                        > 10,000

Typical applications listed in the figure: Rail Transportation, Utility Boilers, Industrial Boilers, Chemical Processes.

Figure 15-3. Risk Graph SIL Determination Method

[Risk graph diagram: branches on consequence (C1-C4), frequency of exposure (F1/F2), and possibility of avoidance (P1/P2) lead to a row of the graph that is read under the probability-of-occurrence columns W3, W2, W1 to give NS, NSS, SIL1, SIL2, SIL3, SIL4, or NPES.]
Legend: NS - No Safety Requirements; NSS - No Special Safety Requirements; NPES - Single SIS Insufficient
The consequences refer specifically to personnel injury or death. The frequency of exposure is a measure of the chances that personnel will be in the danger area when an event occurs. If a process is only operated once a week and no operators are normally at the site, this constitutes a relatively low risk compared to continuous operation with personnel always on duty—given that both processes present similar inherent risks.
The possibility of avoidance considers such things as warning signs, the speed at which an event will develop, and other avoidance measures such as protective barriers. The probability of unwanted occurrence parameter includes consideration of other risk reduction devices.
The danger area is also an important consideration. If there is only risk of injury near the process unit then perhaps only the operators and other plant personnel need be considered in the analysis. But if a hazardous event could harm people in the neighborhood or over a wide geographic area, then that must be considered in the analysis.
Table 15-1. Description of Risk Graph Factors
Consequence
  C1  Minor injury
  C2  Serious injury or single death
  C3  Death to multiple persons
  C4  Very many people killed
Frequency of Exposure and Time
  F1  Rare to frequent
  F2  Frequent to continuous exposure
Possibility of Avoidance
  P1  Avoidance possible
  P2  Avoidance not likely, almost impossible
Probability of Unwanted Occurrence
  W1  Very slight probability
  W2  Slight probability, few unwanted occurrences
  W3  High probability
Many corporations have versions of risk graphs in corporate procedures. Frequently, these documents provide detailed descriptions of how to classify the various parameters. In addition to personnel risk, risk graphs are needed for equipment damage and environmental damage (Ref. 5). When all three graphs are completed for a process the largest risk reduction need is the one specified for the SIL (Figure 15-4).
EXAMPLE 15-2
Problem: An industrial process may need an SIS to reduce risk to an acceptable level. Use the risk graph of Figure 15-3 to determine this need.
Solution: Experts estimate that an event may result in serious injury or a single death, C2. The process operates continuously and personnel are usually present; therefore, exposure is rated as frequent to continuous, F2. Since there is little or no warning of a dangerous condition the probability of avoidance is rated avoidance not likely, P2. Finally, it is judged that there is only a slight probability of occurrence, W2, because pressure relief valves are installed to provide another layer of protection. Using the risk graph, this process needs a SIL2 level of risk reduction.
Figure 15-4. Screen Shot—Risk Graph for Personnel, Equipment, and Environmental (Ref. 5)
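A table-driven version of the risk-graph method of Figure 15-3 and Table 15-1 together with the SIL bands of Figure 15-2, written here as an added example and not taken from the book. It assumes the branch layout and W1-W3 calibration of the IEC 61508-5 example risk graph (which reproduces the book's Example 15-2 and Exercises 15.1 and 15.2); the function names are this example's own.

```python
# Outcome rows of the graph (row 1 = least severe), read across W3, W2, W1.
# Legend as in Figure 15-3: NS = no safety requirements, NSS = no special
# safety requirements, NPES = a single SIS is insufficient.
# Assumed IEC 61508-5 style calibration, not copied from the figure itself.
RISK_GRAPH_ROWS = {
    1: ("NSS", "NS", "NS"),
    2: ("SIL1", "NSS", "NS"),
    3: ("SIL2", "SIL1", "NSS"),
    4: ("SIL3", "SIL2", "SIL1"),
    5: ("SIL4", "SIL3", "SIL2"),
    6: ("NPES", "SIL4", "SIL3"),
}
W_COLUMN = {"W3": 0, "W2": 1, "W1": 2}

# Ordering used when the personnel, equipment and environmental graphs are
# combined: the largest risk reduction need sets the SIL.
SEVERITY = ["NS", "NSS", "SIL1", "SIL2", "SIL3", "SIL4", "NPES"]

# Figure 15-2 bands as (SIL, RRF lower bound inclusive, RRF upper bound).
SIL_BANDS = [("SIL1", 10, 100), ("SIL2", 100, 1_000),
             ("SIL3", 1_000, 10_000), ("SIL4", 10_000, float("inf"))]


def risk_graph_row(c, f, p):
    """Assumed layout: C1 always ends in row 1; from C2 on, each more severe
    choice (next C class, F2 instead of F1, P2 instead of P1) moves one row
    down the graph."""
    if c not in ("C1", "C2", "C3", "C4") or f not in ("F1", "F2") \
            or p not in ("P1", "P2"):
        raise ValueError(f"bad risk graph factors {c} {f} {p}")
    if c == "C1":
        return 1
    return int(c[1]) + (f == "F2") + (p == "P2")


def risk_graph_sil(c, f, p, w):
    """SIL (or NS / NSS / NPES) for one path through the risk graph."""
    return RISK_GRAPH_ROWS[risk_graph_row(c, f, p)][W_COLUMN[w]]


def overall_sil(*graph_results):
    """Largest need among the personnel, equipment and environment graphs."""
    return max(graph_results, key=SEVERITY.index)


def required_rrf(inherent_risk_cost, acceptable_risk_cost):
    """RRF = inherent risk / acceptable risk, in risk-cost terms."""
    return inherent_risk_cost / acceptable_risk_cost


def sil_for_rrf(rrf):
    """SIL band of Figure 15-2 for a required RRF (Equation 15-1,
    RRF = 1 / PFDavg).  The book puts the lower boundary in the band
    (RRF 10 -> SIL1, RRF 100 -> SIL2); below 10 no SIL is claimed."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return sil
    return None


if __name__ == "__main__":
    # Example 15-2 (C2, F2, P2, W2) and Exercise 15.1 (C3, F2, P1, W3)
    print(risk_graph_sil("C2", "F2", "P2", "W2"),
          risk_graph_sil("C3", "F2", "P1", "W3"))
    # Exercise 15.2: 250,000 / 25,000 = 10 -> SIL1
    print(sil_for_rrf(required_rrf(250_000, 25_000)))
```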
Another risk reduction determination method published in ISA-84.01 is called Layer of Protection Analysis (LOPA). This method considers all the valid, independent layers of protection and credits those layers for the risk reduction provided. LOPA can be used qualitatively or semi-quantitatively, with most practitioners using a semi-quantitative approach as shown in Figure 15-5.
Quantitative Risk Reduction
In some cases corporations and insurance companies determine risk reduction factors based on quantitative risk analysis. Statistics are compiled on the frequency and severity of events. These statistics are used to determine risk reduction factors based on risk cost goals or event probability goals. While these methods may seem easy, it must be understood that the uncertainty of the statistical data and the variability of the factors contributing to an event must be taken into account. This is typically done by increasing the required risk reduction factor by a certain safety margin.
Figure 15-5. Screen Shot—Frequency Based LOPA Results Example (Ref. 5)
SIS Architectures
An SIS consists of three categories of subsystems: sensors/transmitters, controllers, and final elements, that work together to detect and prevent, or mitigate the effects of, a hazardous event. It is important to design a system that meets RRF requirements. It is also important to maximize the production uptime (minimize false trips). In order to achieve these goals, system designers often use redundant equipment in various architectures (Chapter 14). These fault tolerant architectural configurations apply to field instruments (sensors/transmitters and final elements) as well as to controllers.
Sensor Architectures
An SIS must include devices capable of sensing potentially dangerous conditions. There are many types of sensors used including flame detectors (infrared or ultraviolet), gas detectors, pressure sensors, thermocouples, RTDs (resistance temperature detectors), and many types of discrete switches. These sensors can fail, typically in more than one failure mode. Some sensor failures can be detected by on-line diagnostics in the sensor itself or in the controller to which it is connected. In general, all of the reliability and safety modeling techniques can be used.
EXAMPLE 15-3
Problem: The risk cost of operating an industrial boiler is estimated to be $66,667 per year. The insurance company that insures the operation of the boiler needs a risk cost of less than $1,000 per year in order to remain profitable without a significant increase in premiums. What is the needed risk reduction factor?
Solution: The ratio of risk costs is 66667/1000 which equals 66.7. In order to account for the uncertainty of the data, the insurance company chooses a higher number and mandates that a safety instrumented function (SIF) with an RRF of 100 be installed in the SIS. (Note: this is a SIL2 category SIF.)
EXAMPLE 15-4
Problem: A two-wire pressure sensor transmits 4–20 mA to the analog input of a trip amplifier that is configured to de-energize a relay contact when the mA input current from the sensor goes higher than the trip point. The sensor manufacturer supplies the following failure rate data (Ref. 6):
Fail Danger Detected High = 59 FITS
Fail Danger Detected Low = 33 FITS
Fail Danger Detected Diagnostics = 264 FITS
Fail Danger Undetected = 37 FITS
Fail Annunciation Undetected = 5 FITS
The pressure transmitter is configured to send its output to 20.8 mA (over-range) if a failure is detected by the internal diagnostics. The transmitter is fully tested and calibrated every five years. In this application, what is the PFDavg for a single transmitter in a 1oo1 architecture for a five year mission time? What is the Spurious Trip Rate (STR)?
Solution: The trip amplifier will falsely trip if the transmitter fails with its output signal high. The system will fail dangerous if the transmitter fails with its output signal low or if it has a dangerous undetected failure. The failure rates are therefore:
λS = (59 + 264) × 10^-9 = 3.23 × 10^-7 failures per hour
λD = (33 + 37) × 10^-9 = 7.0 × 10^-8 failures per hour
No automatic diagnostics are given credit in the PFD calculation since there is no diagnostic annunciation mechanism configured in the controller. Therefore, using Equation 14-2, PFDavg = λDU × 5 × 8760 / 2 = 0.0015.
The term Spurious Trip Rate refers to the average rate at which a subsystem will cause a shutdown when no dangerous condition occurs. The STR is equal to the safe failure rate of 3.23 × 10^-7 trips per hour.
EXAMPLE 15-5
Problem: A two-wire pressure sensor transmits 4–20 mA to the analog input of a safety certified logic solver. The sensor manufacturer supplies a safety certificate with the term “Systematic Capability = SIL 3.” The sensor manufacturer also supplies the following failure rate data (Ref. 6):
Fail Danger Detected High = 59 FITS
Fail Danger Detected Low = 33 FITS
Fail Danger Detected Diagnostics = 264 FITS
Fail Danger Undetected = 37 FITS
Fail Annunciation Undetected = 5 FITS
The logic solver is programmed to recognize an out-of-band current signal as a diagnostic fault and will hold the last pressure value while the failure is annunciated and repaired. Average repair time at the facility is 168 hours (one week). The transmitter is fully tested and calibrated every five years. What is the PFDavg for a single transmitter in a 1oo1 architecture for a five year mission time? What is the Spurious Trip Rate (STR)? What does the term “Systematic Capability” mean?
Solution: The logic solver will detect out-of-range current signals and hold the last pressure value. Therefore, these failures are dangerous detected (DD). The total DD failure rate is 356 FITS (one FIT = 1 × 10^-9 failures per hour). Using Equation 14-2,
PFDavg = 3.56 × 10^-7 × 168 + 3.7 × 10^-8 × 8760 × 5 / 2 = 0.00087
Spurious Trip Rate: Because the logic solver is configured to hold the last pressure reading on failure of the sensor, no false trips will occur. The STR is zero.
The term Systematic Capability in an IEC 61508 certification means that the design, test, and manufacturing processes used to create and build the product have a level of integrity needed for SIL 3 to reduce design and manufacturing faults inside the product. This allows the designer of a Safety Instrumented System to use that component at up to and including the rated SIL level. A product with a systematic capability rating of SIL 3 can be used in SIL 1, SIL 2, or SIL 3 without safety integrity justification but cannot be used in a SIL 4 application without further justification based on extensive prior use.
Figure 15-6 shows two discrete sensors measuring the same process variable. These two sensors can be configured in a 1oo2 architecture by simply adding logic to initiate a shutdown if either of the two sensors signals a dangerous condition. Like the 1oo2 controller architecture (Chapter 14), this configuration will substantially reduce the chance of a dangerous failure but will almost double the chance of a safe failure. Note that common cause failures apply when redundant configurations are used. The common cause defense rules (Chapter 10; Common-Cause Avoidance) apply. Avoid close physical installation, use high strength sensors, use diverse design sensors, or some combination of all three techniques.
EXAMPLE 15-6
Problem: Two pressure switches measure the same process variable. They are connected to a safety certified logic solver with logic to perform a 1oo2 vote. The manufacturer supplies a certificate with the term “Systematic Capability = SIL 3.” The manufacturer also supplies the following failure rate data (Ref. 7):
Fail Safe = 83.8 FITS
Fail Danger Undetected = 61.3 FITS
What is the PFDavg for a 1oo2 sensor subsystem for a five year mission time? What is the Spurious Trip Rate for the sensor subsystem?
Solution: With a common-cause beta factor of 10% (0.10), the failure rates are:
λSUC = 0.1 × 83.8E-9 = 8.4E-9 failures per hour
λSUN = (1-0.1) × 83.8E-9 = 7.54E-08 failures per hour
λDUC = 0.1 × 61.3E-9 = 6.1E-9 failures per hour
λDUN = (1-0.1) × 61.3E-9 = 5.52E-08 failures per hour
Since a common cause safe failure or a safe failure in either switch will cause a false trip, the STR equals 8.4E-9 + 7.54E-8 + 7.54E-8, which totals 1.59E-7 trips per hour.
PFDavg can be calculated using Equation 14-5. Note that there are no detected failures, therefore RT (average repair time) = 0. PFDavg is 0.00014.
The 1oo2 sensor concept can be applied to analog sensors as well. Figure 15-7 shows two analog sensors measuring the same process variable. A “high select” or “low select” function block (depending on the fail-safe direction) is used to select which analog signal will be used in the calculation.
Figure 15-6. 1oo2 Discrete Sensors
[Diagram: two discrete pressure sensors, each wired (+/-) to its own discrete input of the logic solver; the logic solver runs 1oo2 logic and trips if either sensor indicates a trip is needed.]
Figure 15-7. 1oo2 Analog Sensors
[Diagram: two 4 to 20 mA pressure transmitters, each wired (+/-) to its own analog input of the logic solver; the logic solver runs 1oo2 logic with a high or low select depending on the trip function.]
EXAMPLE 15-7
Problem: A two-wire pressure sensor transmits 4–20 mA to the analog input of a safety certified logic solver. Two of these sensors measure the same process variable and are configured to trip if either sensor indicates a trip (1oo2 logic). The sensor manufacturer supplies a safety certificate with the term “Systematic Capability = SIL 3.” The manufacturer also supplies the following failure rate data (Ref. 6):
Fail Danger Detected High = 59 FITS
Fail Danger Detected Low = 33 FITS
Fail Danger Detected Diagnostics = 264 FITS
Fail Danger Undetected = 37 FITS
Fail Annunciation Undetected = 5 FITS
The logic solver is programmed to recognize an out-of-range current signal as a diagnostic fault and will hold the last pressure value while the failure is annunciated and repaired. Average repair time at the facility is 168 hours (one week). The transmitter is fully tested and calibrated every five years. What is PFDavg for a 1oo2 sensor subsystem architecture for a five year mission time? Assume a common cause beta factor of 10%. What is the Spurious Trip Rate (STR) of the sensor subsystem?
Solution: The logic solver will detect out-of-range signals and hold the last pressure value. Therefore, these out-of-range failure rates are classified as dangerous detected (DD). The total DD failure rate for each sensor is 356 FITS. Considering common cause, the failure rates are:
λDDC = 0.1 × 3.56E-7 = 3.56E-8 failures per hour
λDDN = (1-0.1) × 3.56E-7 = 3.2E-7 failures per hour
λDUC = 0.1 × 3.7E-8 = 3.7E-9 failures per hour
λDUN = (1-0.1) × 3.7E-8 = 3.33E-8 failures per hour
Using Equation 14-5,
PFDavg = 0.000088
STR = 0.
The previous examples show different approaches to the design of sensor subsystems. The PFDavg and STR of these designs are shown in Table 15-2.
The results show the significant advantage of using an analog sensor, especially if a logic solver configured to detect out of range current signals is used. This approach yields good safety as long as the repair time is short (less than one week per this example) and there is exceptional process availability.
Many other sensor architectures are possible. A common approach in the days of relay logic was to use three transmitters in a 2oo3 architecture. This worked well to achieve good process availability and safety when automatic diagnostics were not available, and this approach is still being used. Other possible architectures are 2oo5 or the general MooN, used most often in fire and flammable gas applications. Note that some sensor architectures are not what they seem. In one installation, two toxic gas detectors are installed in each “zone.” Ten zones exist. At first look this might be described as a 2oo20 vote. The vote-to-trip logic in the logic solver requires a 2oo2 signal to trip from the sensor pair within each zone. But if any pair in any zone indicates a trip signal, the logic will initiate a trip. That portion of the logic appears to be 1oo10. However, the probability model is NOT 1oo10. A question might be asked, “Why 10 sets of sensors?” The answer is that one set could not be certain of detecting the hazard caused by the toxic gas. Given that answer, there are 10 safety functions, each of which has a 2oo2 sensor. There is no safety redundancy benefit from the 10 sets of sensors if each set is not able to independently detect the toxic gas hazard.
Table 15-2. Sensor Subsystem Results
Architecture                        PFDavg     STR
1oo1 Analog Sensor/Trip Amp         0.0016     3.23E-7
1oo1 Analog Sensor/Logic Solver     0.00087    0
1oo2 Switch                         0.00014    1.67E-7
1oo2 Analog Sensor/Logic Solver     0.000088   0
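The PFDavg and STR arithmetic of Examples 15-4 through 15-10 collected into one script, as an added example and not the book's code. It assumes Equation 14-2 has the form PFDavg = λDD × RT + λDU × T/2 and Equation 14-5 the first-order 1oo2 form with a beta-factor common-cause split (the terms the solutions above list); the function names and the FMEDA-to-λS/λDD/λDU mapping in classify_transmitter are this example's own reading of the examples.

```python
"""PFDavg and spurious trip rate (STR) for the sensor and final element
subsystems of Examples 15-4 to 15-10.  Equation 14-2 (1oo1) and Equation
14-5 (1oo2) are assumed to have the first-order forms coded below."""

FIT = 1e-9              # 1 FIT = 1e-9 failures per hour
HOURS_PER_YEAR = 8760.0
REPAIR_HOURS = 168.0    # average repair time at the facility (one week)


def mission_hours(years):
    return years * HOURS_PER_YEAR


def pfd_1oo1(l_dd, l_du, repair_hours, test_hours):
    """Equation 14-2: a dangerous detected failure stays dangerous for the
    repair time, a dangerous undetected one on average for half the test
    interval."""
    return l_dd * repair_hours + l_du * test_hours / 2.0


def beta_split(rate, beta):
    """Beta-factor model: fraction beta of a rate is common cause (C), the
    rest is independent/normal (N).  Returns (common, normal)."""
    return beta * rate, (1.0 - beta) * rate


def pfd_1oo2(l_dd, l_du, beta, repair_hours, test_hours):
    """Equation 14-5, first order: common-cause failures defeat both
    channels at once and behave like a 1oo1; independent undetected
    failures must hit both channels, giving (lambda_DUN * T)^2 / 3."""
    l_ddc, _ = beta_split(l_dd, beta)
    l_duc, l_dun = beta_split(l_du, beta)
    return (l_ddc * repair_hours + l_duc * test_hours / 2.0
            + (l_dun * test_hours) ** 2 / 3.0)


def str_1oo2(l_s, beta):
    """A common-cause safe failure or a safe failure in either channel trips
    a 1oo2 subsystem: STR = lambda_SUC + 2 * lambda_SUN."""
    l_suc, l_sun = beta_split(l_s, beta)
    return l_suc + 2.0 * l_sun


# Transmitter FMEDA rates quoted in the examples (Ref. 6), in FITs.  The
# 5 FIT annunciation-undetected rate is not used by the book's arithmetic.
TRANSMITTER = {"dd_high": 59, "dd_low": 33, "dd_diag": 264, "du": 37}


def classify_transmitter(rates, solver_detects_out_of_range):
    """FMEDA categories -> (lambda_S, lambda_DD, lambda_DU), failures/hour.
    Trip amplifier (Example 15-4): output-high and the 20.8 mA diagnostic
    over-range cause a false trip (safe); output-low is dangerous and with
    no annunciation no dangerous failure gets diagnostic credit.
    Logic solver flagging out-of-range current (Examples 15-5, 15-7): all
    detected categories are dangerous detected; holding the last value
    means no spurious trip."""
    if solver_detects_out_of_range:
        l_s = 0.0
        l_dd = (rates["dd_high"] + rates["dd_low"] + rates["dd_diag"]) * FIT
        l_du = rates["du"] * FIT
    else:
        l_s = (rates["dd_high"] + rates["dd_diag"]) * FIT
        l_dd = 0.0
        l_du = (rates["dd_low"] + rates["du"]) * FIT
    return l_s, l_dd, l_du


def sensor_examples(years=5):
    """{name: (PFDavg, STR)} for the four sensor designs of Table 15-2."""
    T = mission_hours(years)
    s_ta, dd_ta, du_ta = classify_transmitter(TRANSMITTER, False)
    s_ls, dd_ls, du_ls = classify_transmitter(TRANSMITTER, True)
    sw_s, sw_du = 83.8 * FIT, 61.3 * FIT    # pressure switch (Ref. 7)
    return {
        "15-4 1oo1 transmitter/trip amp":
            (pfd_1oo1(dd_ta, du_ta, REPAIR_HOURS, T), s_ta),
        "15-5 1oo1 transmitter/logic solver":
            (pfd_1oo1(dd_ls, du_ls, REPAIR_HOURS, T), s_ls),
        "15-6 1oo2 switches":
            (pfd_1oo2(0.0, sw_du, 0.1, 0.0, T), str_1oo2(sw_s, 0.1)),
        "15-7 1oo2 transmitters/logic solver":
            (pfd_1oo2(dd_ls, du_ls, 0.1, REPAIR_HOURS, T), str_1oo2(s_ls, 0.1)),
    }


def final_element_examples(years=5):
    """Examples 15-8 (1oo1) and 15-9 (1oo2, beta 0.1).  Solenoid, actuator
    and valve are in series so their rates add (Refs. 8-10); with no
    diagnostics every dangerous failure is undetected until the rebuild."""
    T = mission_hours(years)
    l_s = (71 + 172 + 0) * FIT
    l_du = (100 + 343 + 604) * FIT
    return {
        "15-8 1oo1": (pfd_1oo1(0.0, l_du, 0.0, T), l_s),
        "15-9 1oo2": (pfd_1oo2(0.0, l_du, 0.1, 0.0, T), str_1oo2(l_s, 0.1)),
    }


def impulse_line_pfd(coverage=0.0, years_between_clogs=20, years=5):
    """Example 15-10: lambda = 1/MTTF for a line that clogs every 20 years
    on average; a diagnostic with the given coverage turns that fraction of
    the rate into detected failures repaired in REPAIR_HOURS."""
    lam = 1.0 / (years_between_clogs * HOURS_PER_YEAR)
    return pfd_1oo1(lam * coverage, lam * (1.0 - coverage),
                    REPAIR_HOURS, mission_hours(years))


if __name__ == "__main__":
    for name, (pfd, st) in {**sensor_examples(), **final_element_examples()}.items():
        print(f"{name:38s} PFDavg={pfd:.2e}  STR={st:.2e}/h  RRF={1 / pfd:.0f}")
    print(f"impulse line: no diagnostics {impulse_line_pfd():.3f}, "
          f"80% coverage {impulse_line_pfd(coverage=0.8):.3f}")
```

Running it reproduces the book's rounded figures; note that the 1oo2 switch STR comes out at 1.59E-7 as in Example 15-6, not the 1.67E-7 printed in Table 15-2.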
Final Element Architectures
Final elements are the third major category of subsystems in an SIS. Final elements in the process industries are typically a remote-actuated valve consisting of an interface component (a solenoid-operated pneumatic valve), an actuator, and a process valve. Final elements have failure modes, failure rates, and (in some devices) on-line diagnostics. The reliability and safety modeling techniques developed for other SIS devices are appropriate.
The simplest final element configuration is the 1oo1 as shown in Figure 15-8. The controller normally energizes a solenoid valve that supplies air under pressure to the actuator. The actuator keeps the valve open (or closed, if that is the desired position). When an unsafe condition is detected, the controller de-energizes the solenoid valve. The valve stops the compressed air delivery and vents air from the actuator. The spring return actuator then moves the valve to its safe position. In such final element systems, failure rates must be obtained for the solenoid valve and the actuator/valve assembly.
Figure 15-8. 1oo1 Final Element Assembly
[Diagram: controller discrete output energizes a solenoid valve fed from the air supply and fitted with a vent; the solenoid valve feeds the actuator, which positions the valve.]
Figure 15-9 shows a common implementation of a 1oo2 configuration for final elements. The valves close when a dangerous condition is detected. The system is considered successful if either valve successfully closes. This configuration is intended to provide higher safety than a single-valve system and can be effective, especially if common cause is addressed.
EXAMPLE 15-8
Problem: Solenoid valve failure rates provided by the manufacturer from a third party FMEDA are λS = 71 FITS and λD = 100 FITS (Ref. 8). Actuator failure rates from a third party FMEDA are λS = 172 FITS and λD = 343 FITS (Ref. 9). Valve failure rates from a third party FMEDA are λS = 0 FITS and λD = 604 FITS (Ref. 10, full stroke). No automatic diagnostics are available. What is the total safe and dangerous failure rate of the final assembly? What is the STR? What is the PFDavg if the final element assembly is removed from service and tested/rebuilt every five years?
Solution: The solenoid valve, actuator, and valve comprise a series system so the failure rates are added. The total is λS = 243 FITS and λD = 1047 FITS. The STR equals the safe failure rate: STR = 2.43E-7 trips per hour. Equation 14-2 can be used to approximate the PFDavg. Substituting the failure rates,
PFDavg = 0.000001047 × 5 × 8760/2 = 0.023
Figure 15-9. 1oo2 Final Element Subsystem
[Diagram: two controller discrete outputs, each driving its own air-supplied valve assembly, so that either valve closing achieves the safe state.]
Safety Instrumented Function (SIF) Components
An SIF consists of a process connection, sensor, power supplies, controller, and final element. The “process to process” approach must be used to ensure that the safety and reliability analysis includes all components, which may include a sensor impulse line (for pressure or vacuum) and possibly a manifold. When modeling entire SIFs (Ref. 11), all components needed for the protection function must be modeled.
EXAMPLE 15-9
Problem: Using the failure rates of Example 15-8, what are the STR and PFDavg of a 1oo2 final element assembly? Assume a common-cause beta factor of 10%. No diagnostics are available. The final element assembly is removed from service and tested/rebuilt every five years.
Solution: The failure rates are:
λSUC = 24 FITS
λSUN = 219 FITS
λDUC = 105 FITS
λDUN = 942 FITS
Using a first order approximation, Equation 14-5, the PFDavg of this system is:
PFDavg = ((0.000000942)^2 × (5 × 8760)^2)/3 + 0.000000105 × 5 × 8760/2 = 0.0029. This is considerably better than the PFDavg of Example 15-8.
STR = (24 + 219 + 219) × 10^-9 = 0.000000462 trips per hour.
EXAMPLE 15-10
Problem: A pressure sensor is connected to a process via an impulse line. Records indicate that the impulse line clogs up, on average, once every twenty years. This condition is dangerous as the protection system may not respond to a demand. An algorithm based on high speed statistical analysis of the pressure signal (Ref. 12) can detect 80% of the clogs. When a clog is detected it is repaired in 168 hours on average. If the impulse line is inspected and cleaned out every five years, how will the diagnostic algorithm affect the PFDavg?
Solution: Assuming a constant failure rate for the impulse line, the failure rate is calculated using Equation 4-18. λ = 1/(20 × 8760) = 0.0000057 failures per hour. Equation 14-2 can be used to approximate the PFDavg. Without the diagnostic algorithm the entire failure rate must be classified as dangerous undetected. Therefore, the PFDavg impulse = 0.0000057 × 5 × 8760 / 2 = 0.125.
With the diagnostic algorithm, the failure rate is divided into dangerous detected (0.0000046 failures per hour) and dangerous undetected (0.0000011 failures per hour). Using Equation 14-2, the PFDavg impulse = 0.0000046 × 168 + 0.0000011 × 5 × 8760 / 2 = 0.026. The diagnostics provide a considerable improvement.
Exercises
15.1 A process is manned continuously and has no risk reduction mechanism. An accident could cause death to multiple persons. Dangerous conditions do build slowly and alarm mechanisms should warn of dangerous conditions before an accident. Using a risk graph, determine how much risk reduction is needed.
15.2 A quantitative risk assessment indicates an inherent risk cost of $250,000 per year for an industrial process. Plant management would like to reduce the risk cost to less than $25,000 per year. What risk reduction factor is required? What SIL classification is this?
15.3 What components must be considered in the analysis of an SIF?
15.4 A process connection clogs every year on average. This is a dangerous condition. No diagnostics can detect this failure. Assuming a constant failure rate, what is the dangerous undetected failure rate?
15.5 Using the failure rate of Exercise 15.4, what is the approximate PFDavg for a three-month inspection interval in a 1oo1 architecture?
Answers to Exercises
15.1 Death to multiple persons is classified as a C3 consequence. The frequency of exposure is continuous, F2. Alarms give a possibility of avoidance, P1. Since no protection equipment is installed the probability of unwanted occurrence is high, W3. The risk graph indicates SIL3. The risk reduction factor needed for an SIF would be in the range of 1,000 to 10,000.
15.2 The necessary risk reduction factor is 250,000/25,000 = 10. This is classified as SIL1.
15.3 SIF reliability and safety analysis should consider all components from sensor process connection to valve process connection. Typically this includes impulse lines, manifolds, sensors, controllers, power supplies, solenoids, air supplies, valve actuators, and valve elements. If communications lines are required for safe shutdown by an SIS then they must be included in the analysis.
15.4 All failures are dangerous undetected. The dangerous undetected failure rate is 1/8760 = 0.000114155 failures per hour.
15.5 Using Equation 14-2, the approximate PFDavg is calculated as 0.125. At this high failure rate the approximation method is expected to have some error. Use of the full equation or a Markov based tool would eliminate the error.
References
1. A Fistful of Risks. Discover Magazine. NY: Walt Disney Magazine Publishing Co., May 1996.
2. Marszal, E. M. and Scharpf, E. W. Safety Integrity Level Selection – Systematic Methods Including Layer of Protection Analysis. Research Triangle Park: ISA, 2002.
3. IEC 61508-2000. Functional safety of electrical/electronic/programmable electronic safety-related systems. Geneva: International Electrotechnical Commission, 2000.
4. ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), Functional Safety: Safety Instrumented Systems for the Process Industry Sector. Research Triangle Park: ISA, 2004.
5. exSILentia® Users Manual. Sellersville: exida, 2008.
6. Certificate – exida Certification, ROS 061218 C001. 3051S Safety Certified Pressure Transmitter. Chanhassen: Rosemount, 2008.
7. Failure Modes Effects and Diagnostic Report, exida, Delta Controls S21 Pressure Switch, DRE 06/06-33 R001. Surrey, West Molesey: Delta Controls Ltd., Oct. 2006.
8. Certificate – exida Certification, ASC 041104 C001, 8320 Series Solenoid Valve. Florham Park: ASCO, 2006.
9. Safety Equipment Reliability Handbook, Volume 3, Third Edition, Page 139, Bettis CB/CBA Series Spring Return Actuator. Sellersville: exida, 2007.
10. Safety Equipment Reliability Handbook, Volume 3, Third Edition, Page 209, Virgo N Series Trunnion Mount Ball Valve. Sellersville: exida, 2007.
11. Goble, W. M. and Cheddie, H. L. Safety Instrumented Systems Verification – Practical Probabilistic Calculations. Research Triangle Park: ISA, 2005.
12. Wehrs, D. Detection of Plugged Impulse Lines Using Statistical Process Monitoring Technology. Chanhassen: Rosemount, 2006.
Implementation Of GSM Based Fire Alarm and Protection SystemImplementation Of GSM Based Fire Alarm and Protection System
Implementation Of GSM Based Fire Alarm and Protection System
 
ISO 26262 introduction
ISO 26262 introductionISO 26262 introduction
ISO 26262 introduction
 
Gas detection
Gas detectionGas detection
Gas detection
 
Safety instrumented functions (sif) safety integrity level (sil) evaluation t...
Safety instrumented functions (sif) safety integrity level (sil) evaluation t...Safety instrumented functions (sif) safety integrity level (sil) evaluation t...
Safety instrumented functions (sif) safety integrity level (sil) evaluation t...
 
Alarm management at DeltaV
Alarm management at DeltaVAlarm management at DeltaV
Alarm management at DeltaV
 
Arduino based automatic college bell
Arduino based automatic college bellArduino based automatic college bell
Arduino based automatic college bell
 
Gas leakage detection system
Gas leakage detection systemGas leakage detection system
Gas leakage detection system
 
Embedded system for traffic light control
Embedded system for traffic light controlEmbedded system for traffic light control
Embedded system for traffic light control
 
LPG Gas detector
LPG Gas detectorLPG Gas detector
LPG Gas detector
 

Ähnlich wie 1. safety instrumented systems

Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...
Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...
Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...
Thorne & Derrick UK
 
Safety in design paper a live picture of organisational risk by linking risk...
Safety in design paper  a live picture of organisational risk by linking risk...Safety in design paper  a live picture of organisational risk by linking risk...
Safety in design paper a live picture of organisational risk by linking risk...
Alex Apostolou
 
Methods of determining_safety_integrity_level
Methods of determining_safety_integrity_levelMethods of determining_safety_integrity_level
Methods of determining_safety_integrity_level
Mowaten Masry
 
Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013
Vincenzo De Florio
 

Ähnlich wie 1. safety instrumented systems (20)

Understanding Safety Level Integrity Levels (SIL)
Understanding Safety Level Integrity Levels (SIL)Understanding Safety Level Integrity Levels (SIL)
Understanding Safety Level Integrity Levels (SIL)
 
Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...
Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...
Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...
 
NEN_SIL Platform_Risk matrix guide
NEN_SIL Platform_Risk matrix guideNEN_SIL Platform_Risk matrix guide
NEN_SIL Platform_Risk matrix guide
 
Safety in design paper a live picture of organisational risk by linking risk...
Safety in design paper  a live picture of organisational risk by linking risk...Safety in design paper  a live picture of organisational risk by linking risk...
Safety in design paper a live picture of organisational risk by linking risk...
 
Understanding sil
Understanding silUnderstanding sil
Understanding sil
 
Sil explained in valve actuators
Sil explained in valve actuatorsSil explained in valve actuators
Sil explained in valve actuators
 
Sil 1 (1)1
Sil 1 (1)1Sil 1 (1)1
Sil 1 (1)1
 
Sis training course_1
Sis training course_1Sis training course_1
Sis training course_1
 
Methods of determining_safety_integrity_level
Methods of determining_safety_integrity_levelMethods of determining_safety_integrity_level
Methods of determining_safety_integrity_level
 
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010
 
HAZARD IDENTIFICATION AND RISK ASSESSMENT IN WATCH MANUFACTURING PROCESS
HAZARD IDENTIFICATION AND RISK ASSESSMENT IN WATCH MANUFACTURING PROCESSHAZARD IDENTIFICATION AND RISK ASSESSMENT IN WATCH MANUFACTURING PROCESS
HAZARD IDENTIFICATION AND RISK ASSESSMENT IN WATCH MANUFACTURING PROCESS
 
F041123639
F041123639F041123639
F041123639
 
Risks in cc
Risks in ccRisks in cc
Risks in cc
 
SIL-LOPA-Presentation-19th-June-2016.pdf
SIL-LOPA-Presentation-19th-June-2016.pdfSIL-LOPA-Presentation-19th-June-2016.pdf
SIL-LOPA-Presentation-19th-June-2016.pdf
 
Chapter Nine(1).docx
Chapter Nine(1).docxChapter Nine(1).docx
Chapter Nine(1).docx
 
Application of Combustion Analyzers in Safety Instrumented Systems
Application of Combustion Analyzers in Safety Instrumented SystemsApplication of Combustion Analyzers in Safety Instrumented Systems
Application of Combustion Analyzers in Safety Instrumented Systems
 
Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013
 
IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...
IRJET- 	  Analysis of Risk Management in Construction Sector using Fault Tree...IRJET- 	  Analysis of Risk Management in Construction Sector using Fault Tree...
IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...
 
A Human-Centric Approach to Oil & Gas Industry Safety
A Human-Centric Approach to Oil & Gas Industry SafetyA Human-Centric Approach to Oil & Gas Industry Safety
A Human-Centric Approach to Oil & Gas Industry Safety
 
Session 04_Risk Assessment Program for YSP_Risk Analysis I
Session 04_Risk Assessment Program for YSP_Risk Analysis ISession 04_Risk Assessment Program for YSP_Risk Analysis I
Session 04_Risk Assessment Program for YSP_Risk Analysis I
 

Kürzlich hochgeladen

notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
MsecMca
 
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
jaanualu31
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ssuser89054b
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
Neometrix_Engineering_Pvt_Ltd
 

Kürzlich hochgeladen (20)

notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxHOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
 
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxA CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 

1. safety instrumented systems

  • 1. 359 15 Safety Instrumented Systems As defined by ANSI/ISA-84.00.01-2004 (IEC 61511 Mod) [Ref. 4] a Safety Instrumented System (SIS) is a control system consisting of sensors, one or more controllers (frequently called logic solvers), and final elements. The purpose of an SIS is to monitor an industrial process for potentially danger- ous conditions and to alarm or execute preprogrammed action to either pre- vent a hazardous event from occurring or to mitigate the consequences of a hazardous event should it occur. An SIS: • Does not improve the yield of a process and • Does not increase process efficiency but • Does save money by loss reduction and • Does reduce risk cost. Risk Cost Risk is usually defined as the probability of a failure event multiplied by the consequences of the failure event. The consequences of a failure event are measured in terms of risk cost. The concept of risk cost is a statistical concept. An actual cost is not incurred each year. Actual cost is incurred only when there is a failure event (an accident). The individual event cost can be quite high. If event costs are averaged over many sites for many years, an average risk cost per year can be established. If actions are taken to reduce the chance of a failure event or the consequences of a failure event, risk costs are lowered.
  • 2. 360 Control Systems Safety Evaluation and Reliability Risk Reduction There are risks in every activity of life. Admittedly some activities involve more risk than others. According to Reference 1, the chance of dying dur- ing a 100 mile automobile trip in the midwestern United States is 1 in 588,000. The average chance each year of dying from an earthquake or vol- cano is 1 in 11,000,000. There is risk inherent in the operation of an industrial process. Sometimes that risk is unacceptably high. A lower level of risk may be required by corporate rules, regulatory environment, law, the insurance company, public opinion, or other interested parties. This requirement leads to the concept of “acceptable risk.” When inherent risk (perceived or actual) is higher than “acceptable risk,” then risk reduction is required (Figure 15-1). While “inherent risk” and even “acceptable risk” are very hard to quan- tify, risk reduction is a little easier. Several methods have been proposed to determine the amount of risk reduction to at least to an order-of-magni- tude level (Ref. 2). EXAMPLE 15-1 Problem: Records maintained over many sites for many years indicate that on average once every 15 years an industrial boiler has an accident if no protection equipment like an SIS is used. The average cost of each event is $1 million. What is the yearly risk cost with no protection equipment? Solution: The average yearly risk cost is $1,000,000/15 = $66,667. Figure 15-1. Risk Reduction
  • 3. Safety Instrumented Systems 361 Risk Reduction Factor The risk reduction factor (RRF) may be defined as: RRF = Inherent Risk / Acceptable Risk An SIS provides risk reduction when it monitors a process looking for a dangerous condition (a process demand) and successfully performs its preprogrammed function to prevent an event. Assuming that the SIS has been properly programmed, it reduces risk whenever it operates success- fully in response to a process demand. It will not reduce risk if it fails to operate when there is a process demand. Therefore, an important measure of the risk reduction capability of an SIS is PFD, probability of failure on demand. In the case of a de-energize-to-trip system, this is the probability that the system will fail with its outputs energized. For low demand sys- tems, a dangerous condition occurs infrequently therefore PFDavg (Chap- ter 4) is the relevant measure of probability of dangerous failure. In such cases the risk reduction factor (RRF) achieved is defined as: RRF = 1 / PFDavg (15-1) How Much RRF is Needed? Some find it hard to numerically estimate the necessary RRF in an indus- trial process. That is one reason why functional safety standards provide an order-of-magnitude framework with which to work. This order of mag- nitude risk reduction framework is called “safety integrity level (SIL).” Figure 15-2 shows the safety integrity levels (SIL) established by IEC 61508 (Ref. 3) with some examples of various industrial processes. It should be noted that any particular industrial process can be assigned different SILs depending on the actual or perceived effect of events that are known (or likely) to occur in connection with that process. Several methods to determine SIL are published in Part 3 of ISA’s 84.01 standard (Ref. 4). One qualitative method from 84.01, Part 3 was devel- oped to deal with personnel death and injury is shown in Figure 15-3. This method is called a risk graph. 
The developer of a risk graph must deter- mine four things: the consequence (C), the frequency of exposure (F), the possibility of avoidance (P), and the probability of occurrence (W). The probability of occurrence of an event is characterized by three of the factors: F, P, and W. The fourth factor, C, completes the estimate of risk. A description of each factor is shown in Table 15-1.
  • 4. 362 Control Systems Safety Evaluation and Reliability Figure 15-2. Risk Reduction Categories Figure 15-3. Risk Graph SIL Determination Method Safety Integrity Level Average Probability of Failure on Demand (PFDavg) Low Demand 4 3 2 1 0.1 - 0.01 10 - 100 0.01 - 0.001 100 - 1,000 0.001 - 0.0001 1,000 - 10,000 < 0.0001 > 10,000 Risk Reduction Factor (RRF) Typical Applications Rail Transportation Utility Boilers Industrial Boilers Chemical Processes C1 C2 C3 C4 F1 F2 F1 F2 P1 P2 P1 P1 P1 P2 P2 P2 SIL1 SIL2 SIL3 SIL4 SIL1 SIL1SIL2 SIL2SIL3 SIL3SIL4 F2 F1 W3 W2 W1 NSS NSS NSS NS NS NS NS - No Safety Requirements NSS - No Special Safety Requirements NPES - Single SIS Insufficient NPES
  • 5. Safety Instrumented Systems 363 The consequences refer specifically to personnel injury or death. The fre- quency of exposure is a measure of the chances that personnel will be in the danger area when an event occurs. If a process is only operated once a week and no operators are normally at the site, this constitutes a relatively low risk compared to continuous operation with personnel always on duty—given that both processes present similar inherent risks. The possibility of avoidance considers such things as warning signs, the speed at which an event will develop, and other avoidance measures such as protective barriers. The probability of unwanted occurrence parameter includes consideration of other risk reduction devices. The danger area is also an important consideration. If there is only risk of injury near the process unit then perhaps only the operators and other plant personnel need be considered in the analysis. But if a hazardous event could harm people in the neighborhood or over a wide geographic area, then that must be considered in the analysis. Table 15-1. Description of Risk Graph Factors Consequence C1 Minor Injury C2 Serious injury or single death C3 Death to multiple persons C4 Very many people killed Frequency of Exposure and Time F1 Rare to frequent F2 Frequent to continuous exposure Possibility of Avoidance P1 Avoidance possible P2 Avoidance not likely, almost impossible Probability of Unwanted Occurrence W1 Very slight probability W2 Slight probability, few unwanted occurrences W3 High probability EXAMPLE 15-2 Problem: An industrial process may need an SIS to reduce risk to an acceptable level. Use the risk graph of Figure 15-3 to determine this need.
  • 6. 364 Control Systems Safety Evaluation and Reliability Many corporations have versions of risk graphs in corporate procedures. Frequently, these documents provide detailed descriptions of how to clas- sify the various parameters. In addition to personnel risk, risk graphs are needed for equipment damage and environmental damage (Ref. 5). When all three graphs are completed for a process the largest risk reduction need is the one specified for the SIL (Figure 15-4). EXAMPLE 15-2 continued Solution: Experts estimate that an event may result in serious injury or a single death, C2. The process operates continuously and personnel are usually present; therefore, exposure is rated as frequent to continuous, F2. Since there is little or no warning of a dangerous condition the probability of avoidance is rated avoidance not likely, P2. Finally, it is judged that there is only a slight probability of occurrence, W2, because pressure relief valves are installed to provide another layer of protection. Using the risk graph, this process needs a SIL2 level of risk reduction. Figure 15-4. Screen Shot—Risk Graph for Personnel, Equipment, and Environmental (Ref. 5)
  • 7. Safety Instrumented Systems 365 Another risk reduction determination method published in ISA-84.01 is called Layer of Protection Analysis (LOPA). This method considers all the valid, independent layers of protection and credits those layers for the risk reduction provided. LOPA can be used qualitatively or semi-quantita- tively with most practitioners using a semi-quantitative approach as shown in Figure 15-5. Quantitative Risk Reduction In some cases corporations and insurance companies determine risk reduction factors based on quantitative risk analysis. Statistics are com- piled on the frequency and severity of events. These statistics are used to determine risk reduction factors based on risk cost goals or event probabil- ity goals. While these methods may seem easy, it must be understood that the uncertainty of the statistical data and the variability of the factors con- tributing to an event must be taken into account. This is typically done by increasing the required risk reduction factor by a certain safety margin. Figure 15-5. Screen Shot—Frequency Based LOPA Results Example (Ref. 5)
  • 8. 366 Control Systems Safety Evaluation and Reliability SIS Architectures An SIS consists of three categories of subsystems: sensors/transmitters, controllers, and final elements, that work together to detect and prevent, or mitigate the effects of a hazardous event. It is important to design a sys- tem that meets RRF requirements. It is also important to maximize the production uptime (minimize false trips). In order to achieve these goals, system designers often use redundant equipment in various architectures (Chapter 14). These fault tolerant architectural configurations apply to field instruments (sensors/transmitters and final elements) as well as to controllers. Sensor Architectures An SIS must include devices capable of sensing potentially dangerous conditions. There are many types of sensors used including flame detec- tors (infrared or ultraviolet), gas detectors, pressure sensors, thermocou- ples, RTDs (resistance temperature detectors), and many types of discrete switches. These sensors can fail, typically in more than one failure mode. Some sensor failures can be detected by on-line diagnostics in the sensor itself or in the controller to which it is connected. In general, all of the reli- ability and safety modeling techniques can be used. EXAMPLE 15-3 Problem: The risk cost of operating an industrial boiler is estimated to be $66,667 per year. The insurance company that insures the operation of the boiler needs a risk cost of less than $1,000 per year in order to remain profitable without a significant increase in premiums. What is the needed risk reduction factor? Solution: The ratio of risk costs is 66667/1000 which equals 66.7. In order to account for the uncertainly of the data, the insurance company chooses a higher number and mandates that a safety instrumented function (SIF) with an RRF of 100 be installed in the SIS. (Note: this is a SIL2 category SIF). 
EXAMPLE 15-4 Problem: A two-wire pressure sensor transmits 4–20 mA to the analog input of a trip amplifier that is configured to de-energize a relay contact when the mA input current from the sensor goes higher than the trip point. The sensor manufacturer supplies the following failure rate data (Ref. 6): Fail Danger Detected High = 59 FITS Fail Danger Detected Low = 33 FITS
  • 9. Safety Instrumented Systems 367 EXAMPLE 15-4 continued Fail Danger Detected Diagnostics = 264 FITS Fail Danger Undetected = 37 FITS Fail Annunciation Undetected = 5 FITS The pressure transmitter is configured to send its output to 20.8 mA (over-range) if a failure is detected by the internal diagnostics. The transmitter is fully tested and calibrated every five years. In this application, what is the PFDavg for a single transmitter in a 1oo1 architecture for a five year mission time? What is the Spurious Trip Rate (STR)? Solution: The trip amplifier will falsely trip if the transmitter fails with its output signal high. The system will fail dangerous if the transmitter fails with its output signal low or if it has a dangerous undetected failure. The failure rates are therefore: λS = (59 + 264) × 10-9 = 3.23 × 10-7 failures per hour λD = (33 + 37) × 10-9 = 7.0 × 10-8 failures per hour No automatic diagnostics are given credit in the PFD calculation since there is no diagnostic annunciation mechanism configured in the controller. Therefore, using equation 14-2, PFDavg = DU × 5 × 8760 / 2 = 0.0015. The term Spurious Trip Rate refers to the average rate at which a subsystem will cause a shutdown when no dangerous condition occurs. The STR is equal to the safe failure rate of 3.23 × 10-7 trips per hour. EXAMPLE 15-5 Problem: A two-wire pressure sensor transmits 4–20 mA to the analog input of a safety certified logic solver. The sensor manufacturer supplies a safety certificate with the term “Systematic Capability = SIL 3.” The sensor manufacturer also supplies the following failure rate data (Ref. 6): Fail Danger Detected High = 59 FITS Fail Danger Detected Low = 33 FITS Fail Danger Detected Diagnostics = 264 FITS Fail Danger Undetected = 37 FITS Fail Annunciation Undetected = 5 FITS The logic solver is programmed to recognize an out-of-band current signal as a diagnostic fault and will hold the last pressure value while the failure is annunciated and repaired. 
Average repair time at the facility is 168 hours (one week). The transmitter is fully tested and calibrated every five years. What is the PFDavg for a single
  • 10. 368 Control Systems Safety Evaluation and Reliability Figure 15-6 shows two discrete sensors measuring the same process vari- able. These two sensors can be configured in a 1oo2 architecture by simply adding logic to initiate a shutdown if either of the two sensors signals a dangerous condition. Like the 1oo2 controller architecture (Chapter 14), this configuration will substantially reduce the chance of a dangerous fail- ure but will almost double the chance of a safe failure. Note that common cause failures apply when redundant configurations are used. The com- mon cause defense rules (Chapter 10; Common-Cause Avoidance) apply. Avoid close physical installation, use high strength sensors, use diverse design sensors, or some combination of all three techniques. EXAMPLE 15-5 continued transmitter in a 1oo1 architecture for a five year mission time? What is the Spurious Trip Rate (STR)? What does the term “Systematic Capability” mean? Solution: The logic solver will detect out-of-range current signals and hold the last pressure value. Therefore, these failures are dangerous detected (DD). The total DD failure rate is 356 FITS (One FIT = 1 × 10-9 failures per hour). Using Equation 14-2, PFDavg = 3.56×10-7 × 168 + 3.7×10-8 × 8760 × 5 / 2 = 0.00087 Spurious Trip Rate: Because the logic solver is configured to hold the last pressure reading on failure of the sensor, no false trips will occur. The STR is zero. The term Systematic Capability in an IEC 61508 certification means that the design, test, and manufacturing processes used to create and build the product have a level of integrity needed for SIL 3 to reduce design and manufacturing faults inside the product. This allows the designer of a Safety Instrumented System to use that component at up to and including the rated SIL level. 
A product with a systematic capability rating of SIL 3 can be used in SIL 1, SIL 2, or SIL 3 without safety integrity justification but cannot be used in a SIL 4 application without further justification based on extensive prior use. EXAMPLE 15-6 Problem: Two pressure switches measure the same process variable. They are connected to a safety certified logic solver with logic to perform a 1oo2 vote. The manufacturer supplies a certificate with the term “Systematic Capability = SIL 3.” The manufacturer also supplies the following failure rate data (Ref. 7): Fail Safe = 83.8 FITS Fail Danger Undetected = 61.3 FITS
  • 11. Safety Instrumented Systems 369 The 1oo2 sensor concept can be applied to analog sensors as well. Figure 15-7 shows two analog sensors measuring the same process variable. A “high select” or “low select” function block (depending on the fail-safe direction) is used to select which analog signal will be used in the calculation. EXAMPLE 15-6 continued What is the PFDavg for a 1oo2 sensor subsystem for a five year mission time? What is the Spurious Trip Rate for the sensor subsystem? Solution: With a common-cause beta factor of 10% (0.10), the failure rates are: λSUC = 0.1 × 83.8E-9 = 8.4E-9 failures per hour λSUN = (1-0.1) × 83.8E-9 = 7.54E-08 failures per hour λDUC = 0.1 × 61.3E-9 = 6.1E-9 failures per hour λDUN = (1-0.1) × 61.3E-9 = 5.52E-08 failures per hour Since a common cause safe failure or a safe failure in either switch will cause a false trip, the STR equals 8.4E-9 + 7.54E-8 + 7.54E-8, which totals 1.59E-7 trips per hour. PFDavg can be calculated using Equation 14-5. Note that there are no detected failures, therefore RT (average repair time) = 0. PFDavg is 0.00014. Figure 15-6. 1oo2 Discrete Sensors Discrete Sensor Pressure Sensor Discrete Input Discrete Input Logic Solver 1oo2 logic trip if either sensor indicates a trip is needed + - + - Discrete Sensor Pressure Sensor
  • 12. 370 Control Systems Safety Evaluation and Reliability Figure 15-7. 1oo2 Analog Sensors EXAMPLE 15-7 Problem: A two wire pressure sensor transmits 4 –20 mA to the analog input of a safety certified logic solver. Two of these sensors measure the same process variable and are configured to trip if either sensor indicates a trip (1oo2 logic). The sensor manufacturer supplies a safety certificate with the term “Systematic Capability = SIL 3.” The manufacturer also supplies the following failure rate data (Ref. 6): Fail Danger Detected High = 59 FITS Fail Danger Detected Low = 33 FITS Fail Danger Detected Diagnostics = 264 FITS Fail Danger Undetected = 37 FITS Fail Annunciation Undetected = 5 FITS The logic solver is programmed to recognize an out of range current signal as a diagnostic fault and will hold last pressure value while the failure is annunciated and repaired. Average repair time at the facility is 168 hours (one week). The transmitter is fully tested and calibrated every five years. What is PFDavg for a 1oo2 sensor subsystem architecture for a five year mission time? Assume a common cause beta factor of 10%. What is the Spurious Trip Rate (STR) of the sensor subsystem? Solution: The logic solver will detect out-of-range signals and hold the last pressure value. Therefore, these out-of-range failure rates are classified as dangerous detected (DD). The total DD failure rate for each sensor is 356 FITS. Considering common cause, the failure rates are: λDDC = 0.1 × 3.56E-7 = 3.56E-8 failures per hour λDDN = (1-0.1) × 3.56E-7 = 3.2E-7 failures per hour Analog Transmitter 4 to 20 mA Pressure Transmitter Analog Input Analog Transmitter 4 to 20 mA Analog Input Logic Solver + - + - 1oo2 Logic - high or low select depending on trip functionPressure Transmitter
EXAMPLE 15-7 continued

λDUC = 0.1 × 3.7E-8 = 3.7E-9 failures per hour
λDUN = (1-0.1) × 3.7E-8 = 3.33E-8 failures per hour

Using Equation 14-5, PFDavg = 0.000088. STR = 0.

The previous examples show different approaches to the design of sensor subsystems. The PFDavg and STR of these designs are shown in Table 15-2. The results show the significant advantage of using an analog sensor, especially if a logic solver configured to detect out of range current signals is used. This approach yields good safety as long as the repair time is short (less than one week per this example) and there is exceptional process availability.

Table 15-2. Sensor Subsystem Results

Architecture                        PFDavg     STR
1oo1 Analog Sensor/Trip Amp         0.0016     3.23E-7
1oo1 Analog Sensor/Logic Solver     0.00087    0
1oo2 Switch                         0.00014    1.67E-7
1oo2 Analog Sensor/Logic Solver     0.000088   0

Many other sensor architectures are possible. A common approach in the days of relay logic was to use three transmitters in a 2oo3 architecture. This worked well to achieve good process availability and safety when automatic diagnostics were not available, and this approach is still being used. Other possible architectures are 2oo5 or the general MooN, used most often in fire and flammable gas applications.

Note that some sensor architectures are not what they seem. In one installation, two toxic gas detectors are installed in each “zone.” Ten zones exist. At first look this might be described as a 2oo20 vote. The vote-to-trip logic in the logic solver requires a 2oo2 signal to trip from the sensor pair within each zone. But if any pair in any zone indicates a trip signal, the logic will initiate a trip. That portion of the logic appears to be 1oo10. However, the probability model is NOT 1oo10. A question might be asked, “Why 10 sets of sensors?” The answer is that one set could not be certain of detecting the hazard caused by the toxic gas. Given that answer, there are 10 safety functions, each of which has a 2oo2 sensor. There is no safety redundancy benefit from the 10 sets of sensors if each set is not able to independently detect the toxic gas hazard.
Final Element Architectures

Final elements are the third major category of subsystems in an SIS. Final elements in the process industries are typically a remote-actuated valve consisting of an interface component (a solenoid-operated pneumatic valve), an actuator, and a process valve. Final elements have failure modes, failure rates, and (in some devices) on-line diagnostics. The reliability and safety modeling techniques developed for other SIS devices are appropriate.

The simplest final element configuration is the 1oo1 as shown in Figure 15-8. The controller normally energizes a solenoid valve that supplies air under pressure to the actuator. The actuator keeps the valve open (or closed, if that is the desired position). When an unsafe condition is detected, the controller de-energizes the solenoid valve. The valve stops the compressed air delivery and vents air from the actuator. The spring return actuator then moves the valve to its safe position. In such final element systems, failure rates must be obtained for the solenoid valve and the actuator/valve assembly.

Figure 15-8. 1oo1 Final Element Assembly (controller discrete output, solenoid valve with air supply and vent, actuator, valve)
Figure 15-9 shows a common implementation of a 1oo2 configuration for final elements. The valves close when a dangerous condition is detected. The system is considered successful if either valve successfully closes. This configuration is intended to provide higher safety than a single-valve system and can be effective, especially when common cause is taken into account.

EXAMPLE 15-8

Problem: Solenoid valve failure rates provided by the manufacturer from a third party FMEDA are λS = 71 FITS and λD = 100 FITS (Ref. 8). Actuator failure rates from a third party FMEDA are λS = 172 FITS and λD = 343 FITS (Ref. 9). Valve failure rates from a third party FMEDA are λS = 0 FITS and λD = 604 FITS (Ref. 10, full stroke). No automatic diagnostics are available. What is the total safe and dangerous failure rate of the final assembly? What is the STR? What is the PFDavg if the final element assembly is removed from service and tested/rebuilt every five years?

Solution: The solenoid valve, actuator, and valve comprise a series system so the failure rates are added. The total is λS = 243 FITS and λD = 1047 FITS. The STR equals the safe failure rate: STR = 2.43E-7 trips per hour. Equation 14-2 can be used to approximate the PFDavg. Substituting the failure rates,

PFDavg = 0.000001047 × 5 × 8760/2 = 0.023

Figure 15-9. 1oo2 Final Element Subsystem (controller with two discrete outputs, each driving a valve with its own air supply)
Safety Instrumented Function (SIF) Components

An SIF consists of a process connection, sensor, power supplies, controller, and final element. The “process to process” approach must be used to ensure that the safety and reliability analysis includes all components, which may include a sensor impulse line (for pressure or vacuum) and possibly a manifold. When modeling entire SIFs (Ref. 11), all components needed for the protection function must be modeled.

EXAMPLE 15-9

Problem: Using the failure rates of Example 15-8, what are the STR and PFDavg of a 1oo2 final element assembly? Assume a common-cause beta factor of 10%. No diagnostics are available. The final element assembly is removed from service and tested/rebuilt every five years.

Solution: The failure rates are:

λSUC = 24 FITS
λSUN = 219 FITS
λDUC = 105 FITS
λDUN = 942 FITS

Using a first order approximation, Equation 14-5, the PFDavg of this system is:

PFDavg = ((0.000000942)^2 × (5 × 8760)^2)/3 + 0.000000105 × 5 × 8760/2 = 0.0029.

This is considerably better than the PFDavg of Example 15-8.

STR = (24+219+219) × 10^-9 = 0.000000462 trips per hour.

EXAMPLE 15-10

Problem: A pressure sensor is connected to a process via an impulse line. Records indicate that the impulse line clogs up, on average, once every twenty years. This condition is dangerous as the protection system may not respond to a demand. An algorithm based on high speed statistical analysis of the pressure signal (Ref. 12) can detect 80% of the clogs. When a clog is detected it is repaired in 168 hours on average. If the impulse line is inspected and cleaned out every five years, how will the diagnostic algorithm affect the PFDavg?

Solution: Assuming a constant failure rate for the impulse line, the failure rate is calculated using Equation 4-18.

λ = 1/(20 × 8760) = 0.0000057 failures per hour.

Equation 14-2 can be used to approximate the PFDavg. Without the diagnostic algorithm the entire failure rate must be classified as dangerous undetected. Therefore, the PFDavg impulse = 0.0000057 × 5 × 8760 / 2 = 0.125.

With the diagnostic algorithm, the failure rate is divided into dangerous detected (0.0000046 failures per hour) and dangerous undetected (0.0000011 failures per hour). Using Equation 14-2, the PFDavg impulse = 0.00000046 × 168 + 0.0000011 × 5 × 8760 /2 = 0.026. The diagnostics provide a considerable improvement.

Exercises

15.1 A process is manned continuously and has no risk reduction mechanism. An accident could cause death to multiple persons. Dangerous conditions do build slowly and alarm mechanisms should warn of dangerous conditions before an accident. Using a risk graph, determine how much risk reduction is needed.

15.2 A quantitative risk assessment indicates an inherent risk cost of $250,000 per year for an industrial process. Plant management would like to reduce the risk cost to less than $25,000 per year. What risk reduction factor is required? What SIL classification is this?

15.3 What components must be considered in the analysis of an SIF?

15.4 A process connection clogs every year on average. This is a dangerous condition. No diagnostics can detect this failure. Assuming a constant failure rate, what is the dangerous undetected failure rate?

15.5 Using the failure rate of Exercise 15.4, what is the approximate PFDavg for a three-month inspection interval in a 1oo1 architecture?
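The first-order approximations applied in Examples 15-6 through 15-10 above, collected as an added Python example that is not from the book. The 1oo2 expression keeps only the terms the worked solutions use (an assumption about the full form of Equation 14-5), the 1oo1 expression is Equation 14-2 as applied in Examples 15-8 and 15-10, and 1 FIT = 1E-9 failures per hour.

```python
"""Added example (not from the book): the first-order PFDavg and STR
approximations applied in Examples 15-6 through 15-10, as functions.
Rates are failures per hour; 1 FIT = 1E-9 failures per hour."""

FIT = 1e-9
HOURS_PER_YEAR = 8760


def split_common_cause(rate, beta):
    """Beta-factor model: (common-cause share, independent share)."""
    return beta * rate, (1.0 - beta) * rate


def pfd_avg_1oo1(l_dd, l_du, ti_hours, rt_hours=0.0):
    """1oo1 as the book applies Equation 14-2: a detected fault is dangerous
    for the repair time, an undetected one for half the test interval."""
    return l_dd * rt_hours + l_du * ti_hours / 2.0


def pfd_avg_1oo2(l_ddc, l_duc, l_dun, ti_hours, rt_hours=0.0):
    """1oo2 with the terms the worked solutions use for Equation 14-5
    (assumption: higher-order terms dropped): both independent channels
    failing undetected, common-cause undetected, common-cause detected."""
    return ((l_dun * ti_hours) ** 2 / 3.0
            + l_duc * ti_hours / 2.0
            + l_ddc * rt_hours)


def str_1oo2(l_suc, l_sun):
    """A common-cause safe failure or a safe failure of either channel
    trips a 1oo2 architecture spuriously."""
    return l_suc + 2.0 * l_sun


def subsystem_1oo2(l_s_fit, l_dd_fit, l_du_fit, beta, ti_hours, rt_hours=0.0):
    """(PFDavg, STR) of a 1oo2 pair from per-device FIT rates (sensors in
    Examples 15-6 and 15-7, final elements in Example 15-9)."""
    l_suc, l_sun = split_common_cause(l_s_fit * FIT, beta)
    l_ddc, _ = split_common_cause(l_dd_fit * FIT, beta)
    l_duc, l_dun = split_common_cause(l_du_fit * FIT, beta)
    return (pfd_avg_1oo2(l_ddc, l_duc, l_dun, ti_hours, rt_hours),
            str_1oo2(l_suc, l_sun))


def impulse_line_pfd(mean_years_between_clogs, coverage, ti_hours, rt_hours):
    """Example 15-10: constant clog rate from the mean interval, split into
    detected and undetected by the diagnostic coverage fraction."""
    lam = 1.0 / (mean_years_between_clogs * HOURS_PER_YEAR)
    return pfd_avg_1oo1(coverage * lam, (1 - coverage) * lam, ti_hours, rt_hours)
```

Calling subsystem_1oo2(83.8, 0, 61.3, 0.10, 5 * 8760) reproduces the 1oo2 switch row of Table 15-2, and impulse_line_pfd(20, 0.8, 5 * 8760, 168) reproduces the 0.026 of Example 15-10 to rounding.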
Answers to Exercises

15.1 Death to multiple persons is classified as a C3 consequence. The frequency of exposure is continuous, F2. Alarms give a possibility of avoidance, P1. Since no protection equipment is installed the probability of unwanted occurrence is high, W3. The risk graph indicates SIL3. The risk reduction factor needed for an SIF would be in the range of 1,000 to 10,000.

15.2 The necessary risk reduction factor is 250,000/25,000 = 10. This is classified as SIL1.

15.3 SIF reliability and safety analysis should consider all components from sensor process connection to valve process connection. Typically this includes impulse lines, manifolds, sensors, controllers, power supplies, solenoids, air supplies, valve actuators, and valve elements. If communications lines are required for safe shutdown by an SIS then they must be included in the analysis.

15.4 All failures are dangerous undetected. The dangerous undetected failure rate is 1/8760 = 0.000114155 failures per hour.

15.5 Using Equation 14-2, the approximate PFDavg is calculated as 0.125. At this high failure rate the approximation method is expected to have some error. Use of the full equation or a Markov based tool would eliminate the error.

References

1. A Fistful of Risks. Discover Magazine. NY: Walt Disney Magazine Publishing Co., May 1996.
2. Marszal, E. M. and Scharpf, E. W. Safety Integrity Level Selection – Systematic Methods Including Layer of Protection Analysis. Research Triangle Park: ISA, 2002.
3. IEC 61508-2000. Functional safety of electrical/electronic/programmable electronic safety-related systems. Geneva: International Electrotechnical Commission, 2000.
4. ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), Functional Safety: Safety Instrumented Systems for the Process Industry Sector. Research Triangle Park: ISA, 2004.
5. exSILentia® Users Manual. Sellersville: exida, 2008.
6. Certificate – exida Certification, ROS 061218 C001. 3051S Safety Certified Pressure Transmitter. Chanhassen: Rosemount, 2008.
7. Failure Modes Effects and Diagnostic Report, exida, Delta Controls S21 Pressure Switch, DRE 06/06-33 R001. Surrey, West Molesey: Delta Controls Ltd., Oct. 2006.
8. Certificate – exida Certification, ASC 041104 C001, 8320 Series Solenoid Valve. Florham Park: ASCO, 2006.
9. Safety Equipment Reliability Handbook, Volume 3, Third Edition, Page 139, Bettis CB/CBA Series Spring Return Actuator. Sellersville: exida, 2007.
10. Safety Equipment Reliability Handbook, Volume 3, Third Edition, Page 209, Virgo N Series Trunnion Mount Ball Valve. Sellersville: exida, 2007.
11. Goble, W. M. and Cheddie, H. L. Safety Instrumented Systems Verification – Practical Probabilistic Calculations. Research Triangle Park: ISA, 2005.
12. Wehrs, D. Detection of Plugged Impulse Lines Using Statistical Process Monitoring Technology. Chanhassen: Rosemount, 2006.