ABSTRACT
A Safety Integrity Level (SIL) Analysis is the initial step in the Safety System Design Process. Where the HAZOP process normally discovers potential hazards and provides general recommendations, the SIL is a specific analysis which defines the Safety Criteria and Mitigation of hazards which can lead to significant economic, safety and environmental consequences. There are three SILs utilized by ISA S84 and four by IEC 1508/1511 for Risk Classification, as defined in terms of Probability of Failure on Demand (PFD). This paper provides a methodology to evaluate and classify risk in terms of Consequences, and to determine the SIL for the process under consideration based on these Consequences and the Process Demand Rate. The methodology can be customized to comply with existing company standards, and should satisfy many of the critical OSHA 29 CFR - 1910.119 requirements. In addition, the paper addresses the configuration of the Safety Instrumented System (SIS) and the impact of field devices on the system SIL, including the necessity of redundancy and testing of field devices to achieve and maintain SILs of 2 or higher.
KEYWORDS
Programmable Electronic Systems (PES), Safety Instrumented Systems (SIS), Safety Integrity Level (SIL)
INTRODUCTION
Recent developments have dramatically changed the industry's perception of Process Safety Systems. The first of these was the enacting of OSHA 1910.119 on February 24, 1992 (1). This regulation mandated that both the process and related safety systems be reviewed as part of the Comprehensive Process Hazard Analysis (PHA), to identify and evaluate hazards associated with the process; and implement safety systems capable of mitigating these hazards. Compliance is not in question, as failure to comply with this regulation could result in both civil and criminal penalties being assessed against the company and individuals involved. Per the provisions of the OSHA regulation, the design and implementation of the safety system must meet good engineering practice. At that time, no consensus process safety standard existed; and as such, implementation was extremely subjective and difficult to audit. In 1996 the ISA S84.01 committee finalized and approved a standard addressing the implementation of Process Safety Systems. With this approval, good engineering practice had been defined; and while the S84.01 standard is performance based, it does clearly define safety performance criteria based on Safety Integrity Level (SIL) requirements. The standard was recently accepted by ANSI and is now referred to as ANSI/ISA S84.01-1996 (2). In addition, an international standard IEC 1508/1511 is in the final stages of development. It likewise uses the SIL concept, but defines four performance levels for Safety Systems, adding an SIL4. In order to likewise clearly define the relevant components of the safety system, ISA S91.01 was finalized and approved in 1995 (3). This standard addressed the classification of safety critical instrumentation as differentiated from instrumentation used for control. This clarification was necessary as all components of the safety system (sensor, final elements, etc.) must be inspected and tested on a periodic basis to maintain system integrity; and these tests must be fully documented. Given the above, the task at hand now becomes how to utilize the results of the PHA to evaluate the risk associated with the potential hazard, and given an allowable level of risk, implement protective measures to reduce the actual risk, so that it falls below the allowable level. Or stated in other terms, to determine the required safety margin and SIL for the process under consideration. While this methodology is still somewhat subjective, as regards other independent protection layers (measures); it is consistent and should be deemed to be in compliance with the S84.01 standard, as regards Safety Instrumented Systems (SIS). Refer to Figure 1 for further clarification.
www.safetyusersgroup.com Page 1 / 1
www.safeplexsystems.com safeplex@safeplexsystems.com
FIGURE 1 (figure not reproduced; surviving labels: Allowable Risk, RISK)
The SIS is an independent protection layer installed for the purpose of mitigating the risk associated with the operation of a hazardous process. The SIS is composed of the logic solver and related field devices. If the logic solver is programmable (as opposed to hardwired, etc.), it is referred to as a Programmable Electronic System (PES). This designation was intended to differentiate the PES from a standard PLC, which lacks comprehensive internal diagnostics, and as such is a low integrity device not intended for safety related application. This is the case because of a high probability of sustaining a dangerous undetected failure which would render it unable to perform its intended safety functions. Of course, steps can be taken to implement PLC diagnostics by user enhancement as part of the application program itself; but this is undesirable as it is both subjective, and unnecessarily complex to implement and maintain. The safety performance of the SIS is defined in terms of its SIL, which is in turn defined by its Probability of Failure on Demand (PFD). As such,

PFD = f(λDU, TP)

where λDU is the Dangerous Undetected Failure Rate and TP is the Proof (Test) Interval.
The specific functionality (f) is an attribute of the system architecture selected for the SIS (PES and field devices). The Proof Interval is that period of time over which the SIS must operate within the PFD limits of the specified SIL. It could be likened to a mission time, and should be as long as possible to reduce the possibility of human error associated with frequent proof testing of the SIS. The Dangerous Undetected Failure Rate is determined by the Coverage Factor of the various components (for normal mode failures); in that a failure on demand could result from either normal or common mode failure, as both can initiate a fail-to-function situation. Comprehensive internal diagnostics dramatically improve the Coverage Factor, thereby reducing the possibility of a dangerous undetected failure and consequently minimizing the PFD. Coverage factors are typically highest in the PES, and lowest in the final elements.

The three SILs (1, 2 and 3) defined in the S84.01 standard specify an average PFD range. This average value is computed over the proof test interval. To satisfy the requirements of a given SIL, the PFDavg should not be less than the lower limit at any time during the Proof Test Interval. To achieve this level of performance, the SIS must be manually tested frequently, or have comprehensive internal diagnostics. Given this guideline, the SIL performance criteria of the SIS are now defined in quantitative terms, and can be used to select the required architecture of the SIS, including the field devices.

The required diagnostics can be implemented in a proactive manner by functional testing, or in a reactive manner by comparison. Other less proven techniques are understandably suspect. All Triple Modular Redundant (TMR) architectures utilize the comparison approach, via 2oo3 voting. Functional testing diagnostics have several notable advantages in that they are reliable, deterministic, and provide an option to resolve the discrepancy prior to use in the application logic.
SIL Determination
Arriving at the SIL for the process itself is yet another matter, as a quantitative result is difficult to achieve. In lieu of a purely numeric approach, a classification methodology based on Event Severity and Process Demand Rate is a viable alternative. The S84.01 standard offers a classification technique as well, but it is not process oriented and as such is somewhat abstract. The following methodology comprehends most process hazard scenarios, and defines them in terms of Event Severity. Only the Injury category is addressed by the safety standards. The other categories, while not directly related to safety, have definite safety implications and must be considered as well. Refer to Figure 2 for details (4).
FIGURE 2 - Event Severity Classification (Typical)
(Matrix not reproduced; the recoverable structure and cell text follow.)
Event categories (columns): INJURY, ECONOMIC(1), ENVIRONMENTAL, NUISANCE TRIP(2)
Severity levels (rows): EXTENSIVE, SERIOUS, MINOR
NUISANCE TRIP entries, from EXTENSIVE to MINOR: Significant Restart Hazards and Economics; Intermediate Restart Hazards and Economics; Minor Restart Hazards and Economics
INJURY column: only the entry "No injuries" survives
(1) Property Damage and Loss of Production (Process Down Time)
(2) Loss of Production (Process Down Time)
Note that in the case of Economic Events, the threshold values have not been defined. These values are highly subjective and should be based on corporate experience. The next step is to determine the Process Demand Rate, which is a measure of the stability of the process. A highly exothermic process will typically have a high demand rate, while an endothermic process will be significantly lower. The best source of information in this case might be the process operator, as he is quite familiar with the operating characteristics of the process. In any case, a realistic value is available and can be used with Figure 3 to determine the frequency.
FIGURE 3 - Process Demand Rate
(Figure not reproduced; axes: DEMAND vs. FREQUENCY. The three demand bands are:)
- 2 or more demands per year
- 0.5 to 2 demands per year
- less than 0.5 demands per year
Given the prior results for Event Severity and Process Demand Rate, a SIL can be determined for the process under consideration, using Figure 4 - the SIL Determination Matrix. Please note that the effectiveness of other independent protection layers can be comprehended as a reduction in the Process Demand Rate. The recommendation of the Center for Chemical Process Safety (CCPS) of the AIChE (5) is that the Distributed Control System (DCS) not be considered as an independent protection layer, due to its accessibility.
FIGURE 4 - Safety Integrity Level (SIL) Determination
(Matrix not reproduced; it is indexed by Event Severity from Figure 2 and DEMAND RATE from Figure 3.)
Note: Other Mitigation layers can be comprehended as a reduction in Demand Rate.
Having arrived at a SIL for the process, it is now essential to utilize the S84.01 Standard (Table 3.1, Pg. 21) to define the SIS performance requirements necessary to meet or exceed the required safety margin. As previously discussed, this must necessarily comprehend both the logic solver (PES) and associated field devices.
The SIS components are in series: SENSOR(S) -> PES -> FINAL ELEMENT(S), so

PFDSIS = PFDS + PFDPES + PFDFE
Note that all components are in series and that the weak link prevails in all cases. As such, if the sensor(s) are SIL2, the PES is SIL3, but the final element(s) are SIL1; then the result is that the overall PFD of the SIS is SIL1. A simple example for this case is as follows:

PFDSIS = PFDS  + PFDPES + PFDFE
       = 0.005 + 0.0005 + 0.05
        (SIL2)   (SIL3)  (SIL1)
       = 0.0555 (SIL1)
It should also be observed that the use of a high integrity PES (SIL3) does not improve the overall PFD of the SIS. The SIS in the above example is suitable for SIL1 applications only, as the final element(s) and not the PES determine the SIL of the SIS. It is very important to comprehend that typically 85% of the PFD value for the SIS is allocated to the field devices (given a high integrity PES). As such, it is necessary to implement redundancy in the field devices to improve both safety integrity and availability. Various redundant architectures are available, and can be characterized as shown in Figure 6 for dual, triple and quad configurations.
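As an added worked example (not the paper's code), the series relation PFDSIS = PFDS + PFDPES + PFDFE and the weak-link rule carried through in Python with the paper's own numbers plus two constructed variants. It assumes the PFDavg bands of ISA S84.01 Table 3.1, which the paper cites but does not reproduce, and shows that even components which individually meet a SIL can sum to a PFD one level lower, which is why most of the budget must be allocated to the field devices.

```python
# Added example (not the paper's code): PFDSIS = PFDS + PFDPES + PFDFE carried
# through with the paper's numbers plus two constructed variants.
# ASSUMPTION: PFDavg bands follow ISA S84.01 Table 3.1 (cited, not reproduced,
# in the paper); lower bound inclusive, upper bound exclusive.
SIL_BANDS = {3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

def sil_for_pfd(pfd):
    """SIL (1..3) whose band contains pfd; 0 if too high for any SIL.
    Below the SIL3 floor returns 3: S84.01 defines no SIL4 (IEC 1508 does)."""
    if pfd >= 1e-1:
        return 0
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 3

def sis_pfd(pfd_s, pfd_pes, pfd_fe):
    """Sensor(s), PES and final element(s) are in series, so their PFDs add."""
    return pfd_s + pfd_pes + pfd_fe

def field_device_share(pfd_s, pfd_pes, pfd_fe):
    """Fraction of the SIS PFD budget consumed by sensors plus final elements."""
    return (pfd_s + pfd_fe) / sis_pfd(pfd_s, pfd_pes, pfd_fe)

def evaluate(pfd_s, pfd_pes, pfd_fe):
    """Weakest-link SIL of the components alongside the SIL of the summed PFD;
    the summed PFD can land one SIL below the weakest component."""
    total = sis_pfd(pfd_s, pfd_pes, pfd_fe)
    return {
        "pfd_sis": total,
        "sil_sis": sil_for_pfd(total),
        "weakest_component_sil": min(sil_for_pfd(p) for p in (pfd_s, pfd_pes, pfd_fe)),
        "field_device_share": field_device_share(pfd_s, pfd_pes, pfd_fe),
    }

if __name__ == "__main__":
    # Paper's case: SIL2 sensor, SIL3 PES, SIL1 final element -> 0.0555, SIL1.
    print(evaluate(0.005, 0.0005, 0.05))
    # Constructed: a SIL2 final element instead. Every component is now SIL2 or
    # better, yet the series sum (0.0105) still falls in the SIL1 band.
    print(evaluate(0.005, 0.0005, 0.005))
    # Constructed: trim the field-device budget so the sum (0.0065) is SIL2; about
    # 92% of the PFD then sits in the field devices, as the paper expects.
    print(evaluate(0.003, 0.0005, 0.003))
```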
FIGURE 6 (caption not recovered; table not reproduced. Columns: Configuration, Sensor(s), PES, Final Element(s); configurations run through dual, triple and quad, e.g. 2oo4.)
Figure 7 provides some insight into the relative performance of the different architectures as regards both Safety (PFD) and Availability (False Trip Rate). Note that the 2oo4 (Quad) architecture has the best overall performance, and in both situations is superior to the 2oo3 (TMR) architecture by a factor of three.
FIGURE 7 - Relative Performance of Architectures (chart not reproduced; the two rankings below are the surviving labels, read from High to Low)
Safety (PFD), High to Low: 2oo2, 1oo1, 2oo3, 1oo2/2oo4, 1oo3
Availability (False Trip Rate), High to Low: 1oo3, 1oo2, 1oo1, 2oo3, 2oo2/2oo4
Various PES configurations with simplex field devices (single sensor and single final element), where S = Simplex, D = Dual, and T = Triple:

Configuration         1      2      3      4      5      6
CPU                   S      S      S      D      D      T
I                     S      D      D      S      D      T
O                     S      S      D      S      D      T
λsys (10^-6 per hr)   93.7   92.0   87.9   88.3   82.5   82.5

(Availability plot not reproduced; surviving axis labels: Time, 2 Months.)
FIGURE 8 - SIS Availability
An overall improvement of two (2) months is achieved by going from a single channel logic solver to a TMR architecture. This marginal improvement hardly justifies the significant additional cost incurred for implementing PES redundancy.
Conclusions
Compliance with the existing OSHA Process Safety Management (PSM) regulation is mandatory. An overview of the methodology for compliance is as follows:
- Conduct Process Hazard Analysis (PHA)
- Identify Process Risk
- Comprehend other Risk Mitigation Measures (if any)
- Determine Safety Integrity Level required for the SIS
- Configure SIS to meet or exceed the required SIL
- Document your work for audit purposes
In addition, as regards the SIS, one should also consider the following:
- ANSI/ISA S84.01 mandates that the SIL (PFD) of the SIS be maintained over the entire Proof Test Interval
- Utilize redundancy to improve the SIL of the SIS, in particular the field devices for SIL 2 or greater
- Manual/Automatic testing must be performed on field devices without comprehensive internal diagnostics, in particular valves
- Avoid unnecessary redundancy in the PES, and focus on Field Devices to improve both Safety Integrity and Availability of the SIS
References
1) U.S. Department of Labor, Occupational Safety and Health Administration (OSHA), Federal Regulation 29 CFR 1910.119, Process Safety Management of Highly Hazardous Chemicals, Explosives, and Blasting Agents; Final Rule, February 24, 1992.
2) ANSI/ISA-S84.01-1996, Application of Safety Instrumented Systems for the Process Industries, Instrument Society of America S84.01 Standard, Research Triangle Park, NC, 27709, February 1996.
3) ISA-S91.01-1995, Identification of Emergency Shutdown Systems and Controls That Are Critical to Maintaining Safety in Process Industries, Instrument Society of America S91.01 Standard, Research Triangle Park, NC, 27709, May 1995.
4) Donald J. Leonard, Consultant, personal communication.
5) Guidelines for Safe Automation of Chemical Processes, Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY 10017, 1993.
This document has been prepared by Dr. Lawrence V. Beckman. For more information see full contact details in the Safety Users Group Directory.