Document information
Pages: 359
Size: 29.21 MB
Content:
Practical Industrial Safety, Risk Assessment, and Shutdown Systems
by Dave Macdonald
ISBN: 0750658045
Publisher: Elsevier Science & Technology Books
Pub Date: January 2004

Preface

Most of today's computer controlled industrial processes involve large amounts of energy and have the potential for devastating accidents. Reliable, well-engineered safety systems are essential for protection against destruction and loss of life.

This book is an intensive, practical and valuable exposure to the most vital, up-to-date information and practical know-how to enable you to participate in hazard studies and specify, design, install and operate the safety and emergency shutdown systems in your plant, using international safety practices. This book will provide you with a broad understanding of the latest safety instrumentation practices and their applications to functional safety in manufacturing and process industries. This book could save your business a fortune in possible downtime and financial loss.

The objectives of the book are to:
• Expand your practical knowledge in the application of safety instrumented systems (SIS) as applied to industrial processes
• Provide you with the knowledge of the latest standards dealing with each stage of the safety life cycle, from the initial evaluation of hazards to the detailed engineering and maintenance of safety instrumented systems
• Give you the ability to plan hazard and risk assessment studies, then design, implement and maintain the safety systems to ensure high reliability
• Assist your company to implement functional safety measures to international standards

There are at least six practical exercises to give you the hands-on experience you will need to implement and support hazard studies; perform reliability evaluations; specify requirements; design, plan and install reliable safety and emergency shutdown systems in your business.

Although a basic understanding of electrical engineering principles is essential, even those with a
superficial knowledge will substantially benefit by reading this book. In particular, if you work in any of the following areas, you will benefit from reading this book:
• Instrumentation and control engineers and technicians
• Design, installation and maintenance engineers and technicians in the process industries
• Managers and sales professionals employed by end users
• Systems integrators
• Systems consultants
• Consulting electrical engineers
• Plant engineers and instrument technicians
• Operations technicians
• Electrical maintenance technicians and supervisors
• Instrumentation and control system engineers
• Process control engineers
• Mechanical engineers

The structure of the book is as follows.

Chapter 1: Introduction. A review of the fundamentals in safety instrumentation, focusing on a discussion of hazards and risks, safety systems engineering, and an introduction to the IEC 61508 and ISA S84 standards. A concluding review of the safety life cycle model and its phases.

Chapter 2: Hazards and risk reduction. An examination of basic hazards, the chemical process, hazard studies, the IEC model, protection layers, risk reduction and classification and the important concept of the safety integrity level (SIL).

Chapter 3: Hazard studies. A review of the outline of methodologies for hazard studies 1, … and …

Chapter 4: Safety requirements specifications. A discussion and guide to preparing a safety requirements specification (SRS).

Chapter 5: Technology choices and the conceptual design stage. An examination of how to get the concepts right for the specific application and choosing the right type of equipment for the job: not the particular vendor, but at least the right architecture for the logic solver system and the right arrangement of sensors and actuators to give the quality of system required by the SRS.

Chapter 6: Basic reliability analysis applied to safety systems. This discusses the task of measuring or evaluating the SIS design for
its overall safety integrity.

Chapter 7: Safety in field instruments and devices. This chapter examines the range of instrumentation design techniques that have accumulated in the industry through experience that began a long time before the days of PES and the high performance logic solvers.

Chapter 8: Engineering the safety system: hardware. An examination of two aspects of engineering work for building an SIS. Firstly there is a look at some aspects of project engineering management and secondly some basic engineering practices.

Chapter 9: Engineering the application software. Guidance is provided here on how to deal with the application software stages of an SIS project, with an examination of some of the basic concepts and requirements that have been introduced in recent years to try to overcome the major concerns that have arisen over the use of software in safety applications.

Chapter 10: Overall planning: IEC phases 6, 7 and … A brief look at the planning boxes marked in on the IEC safety life cycle.

Chapter 11: Installation and commissioning (IEC phase 12). This chapter tracks the safety system from its building stage through factory acceptance testing, delivery and installation and into final testing for handover to the operating team.

Chapter 12: Validation, operations and management of change (IEC phases 13, 14 and 15). A discussion on validation, operations and maintenance.

Chapter 13: Justification for a safety instrumented system. In practice engineers and managers have to make choices on the type, quality, and costs of the safety solutions available within the constraints imposed by the essential safety requirements. This is discussed in detail in this chapter.

Table of Contents
Preface
1 Introduction
2 Hazards and risk reduction 33
3 Hazard studies 65
4 Safety requirements specifications 108
5 Technology choices and the conceptual design stage 135
6 Basic reliability analysis applied to safety systems 171
7 Safety in field instruments and devices 200
8 Engineering the
safety system: hardware 230
9 Engineering the application software 244
10 Overall planning: IEC phases 6, 7 and … 255
11 Installation and commissioning (IEC phase 12) 264
12 Validation, operations and management of change (IEC phases 13, 14 and 15) 279
13 Justification for a safety instrumented system 296
App A: Practical exercises 306
App B: Glossary 343
Index 349

1 Introduction

1.1 Definition of safety instrumentation

What is safety instrumentation? Here is a typical definition (origin: UK Health and Safety Executive, 'Out of Control'):

'Safety instrumented systems are designed to respond to conditions of a plant that may be hazardous in themselves or, if no action were taken, could eventually give rise to a hazard. They must generate the correct outputs to prevent the hazard or mitigate the consequences.'

Abbreviation: the acronym SIS means 'safety instrumented system'.

We probably all know the subject by other names because of the different ways in which these systems have been applied. Here are some of the other names in use:
• Trip and alarm system
• Emergency shutdown system
• Safety shutdown system
• Safety interlock system
• Safety related system (a more general term for any system that maintains a safe state for the EUC)

Fig 1.1 defines the SIS as bounded by sensors, logic solver and actuators, with associated interfaces to users and to the basic process control system. We are talking about automatic control systems or devices that will protect persons, plant equipment or the environment against harm that may arise from specified hazardous conditions.

Practical Industrial Safety, Risk Assessment and Shutdown Systems for Industry

[Figure 1.1 Definition of a safety instrumented system. Blocks shown: Basic Process Control System; SIS comprising User Interface, Sensors, Logic Solver and Actuators]

1.2 What is this book about?
This book is about instrumentation and control systems to support:
• The safety of people in their workplaces
• Protecting the environment against damage from industrial accidents
• Protecting businesses against serious losses from damage to plant and machinery
• Creating awareness of the good practices available for the delivery of effective safety instrumented systems
• Providing basic training in well established techniques for the engineering of safety systems
• Assisting engineers and technicians to support and participate in the safety systems activities at their work with a good background knowledge of the subject
• Being aware of what can go wrong and how to avoid it

1.3 Why is this book necessary?
• Safety systems are reaching wider fields of application
• Safety requires a multidiscipline approach
• New standards and new practices have emerged

There have been some steadily developing trends in the last 10 years which have moved the subject of so-called functional safety from a specialized domain of a few engineers into the broader engineering and manufacturing fields. Basically, there is a need for a book to allow engineers and technicians to be aware of what is established practice in the safety instrumentation field without having to become specialists. After all, it is the technicians who have to service and maintain the safety systems, and they are entitled to know about the best available practices.

This book is also intended to be useful for:
• Project engineers and designers who may be involved in completely new projects or in the modification/upgrading of existing plants
• Engineers involved in the development of packaged processing plants or major equipment items where automatic protection systems may be needed
• Engineers and technicians working for instrumentation and control system suppliers

1.4 Contents of the book

The subjects in this book cover the 'life cycle' of safety protection from the initial studies and requirements stages
through to the operation and support of the finished systems, i.e.:
• Identification of hazards and specification of the protection requirements
• Technology choices
• Engineering of the protection systems
• Operations and maintenance, including control of changes

This subject is well supplied with specialized terms and abbreviations, which can be daunting and confusing. We have attempted to capture as many as possible in a glossary. This is located at the back of the book.

Reference book: Acknowledgments are given to the authors of the following book for many helpful features in their book that have been of assistance in the preparation of this particular book. Details of this book are as follows:
Title: Safety Shutdown Systems: Design, Analysis and Justification
By: Paul Gruhn and Harry Cheddie
Published by: Instrument Society of America, 1998
ISBN 1-5517-665-1
Available from the ISA Bookstore website: www.isa.org

1.5 Introduction to hazards and risks

The first part of the book is all about the identification of hazards and the reduction of the risks they present. What is a hazard and what is a risk?

A hazard is 'an inherent physical or chemical characteristic that has the potential for causing harm to people, property, or the environment'. In chemical processes: 'It is the combination of a hazardous material, an operating environment, and certain unplanned events that could result in an accident.'

Risk: 'Risk is usually defined as the combination of the severity and probability of an event. In other words, how often can it happen and how bad is it when it does?
Risk can be evaluated qualitatively or quantitatively.'

Roughly: RISK = FREQUENCY x CONSEQUENCE OF HAZARD

Consider the risk on a cricket field. If we can't take away the hazard we shall have to reduce the risk: reduce the frequency and/or reduce the consequence.

Figure 1.2 Risk reduction: the fast bowler. Example: Glen McGrath is the bowler: he is the hazard. You are the batsman: you are at risk. Frequency = … times per over; consequence = bruises; risk = … bruises. Risk reduction: limit bouncers to … per over, wear more pads; risk → small bruise.

1.5.1 Risk reduction

The reduction of risk is the job of protection measures. In some cases this will be an alternative way of doing things, or it can be a protection system such as a safety instrumented system. When we set out designing a protection system we have to decide how good it must be. We need to decide how much risk reduction we need (and this can be one of the hardest things to agree on). The target is to reduce the risk from the unacceptable to at least the tolerable. This principle has a fundamental impact on the way we have to design a safety system, as shown in the following diagram.

Figure 1.3 Risk reduction: design principles. Hazard identified → Risk estimated/calculated → Tolerable risk established → Risk reduction → Safety function defined.

The concept of tolerable risk is illustrated by the following diagram showing what is known as the principle of ALARP.

ALARP boundaries for individual risks (typical values, by risk magnitude):
• Intolerable region: typically fatality risk is higher than 10E-4. Risk cannot be justified except in extraordinary circumstances.
• The ALARP or tolerability region: tolerable only if further risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained (risk is undertaken only if a benefit is desired). Tolerable if the cost of reduction would exceed the improvements
gained.
• Broadly acceptable region: typically fatality risk is lower than 10E-6. It is necessary to maintain assurance that risk remains at this level.
Figure 1.4 Principle of ALARP

The ALARP (as low as reasonably practicable) principle recognizes that there are three broad categories of risks:
• Negligible risk: broadly accepted by most people as they go about their everyday lives; these would include the risk of being struck by lightning or of having brake failure in a car.
• Tolerable risk: we would rather not have the risk, but it is tolerable in view of the benefits obtained by accepting it. The cost in inconvenience or in money is balanced against the scale of risk and a compromise is accepted. This would apply to traveling in a car: we accept that accidents happen, but we do our best to minimize our chances of disaster. Does it apply to bungee jumping?
• Unacceptable risk: the risk level is so high that we are not prepared to tolerate it. The losses far outweigh any possible benefits in the situation.

Essentially this principle guides the hazard analysis participants into setting tolerable risk targets for a hazardous situation. This is the first step in setting up a standard of performance for any safety system.

1.6 Fatal accident rate (FAR)

This is one method of setting a tolerable risk level. If a design team is prepared to define what is considered to be a target fatal accident rate for a particular situation, it becomes possible to define a numerical value for the tolerable risk. Whilst it seems a bit brutal to set such targets, the reality is that certain industries have historical norms and also have targets for improving those statistical results.

Appendix A - Practical exercises

• Draw in the logic of the functions using logic block elements limited to AND, OR, NOT and TIMER. The basic ANSI symbols are shown below for guidance; alternative symbols can be used if they are defined.
• Verify the result against the narrative
description given above.

Information only: any logical symbol set may be used for defining functional logic. However, the convention used must be strictly applied to be reliable. The following symbols are based on ANSI Y32.14-1973 'Graphic Symbols for Logic Diagrams'. These can be used for the FLD required in this practical.

ANSI symbols for functional logic elements:
1) AND: symbol and truth table (inputs A, B, C; output Z). Z = 1 only when every input is 1; otherwise Z = 0.
2) OR: symbol and truth table (inputs A, B; output Z). Z = 1 when any input is 1; Z = 0 only when all inputs are 0.
3) NOT: symbol and truth table (input A; the output is the inverse of A).
4) Timer symbol: delay initiation
5) Timer symbol: 'delay termination'

Answers to Exercise: Conceptual design and defining functional requirements

The first part of the practical requires that the SIS arrangement be drawn in on the diagram. The P&ID will then show the sensors and the actuator for the SIS functions. The SIS will require independent sensors for temperature in the catalyst and for proving that air flow has been present for 10 minutes before the start up can be allowed. These are shown below as TT-2 and FT-2. The actuator required to trip out the fuel feed should be fully independent of the control valve TV-1, since there is a high risk of common cause failure if TV-1 is used to shut off the fuel flow. The actuator is shown as TV-2 with a solenoid valve used to vent the air supply from the valve cylinder. Fail-safe modes of the devices are shown by the arrow symbols of the actuators. For the sensors the design should specify upscale burnout modes for both temperature sensors, since failures upscale would force the control system and the SIS into a safe mode for the process.

[P&ID figure for the exercise answer; label: Process air]

The functional logic diagram for the SIS must be arranged to show the complete operational cycle. The diagram shown below uses AND, OR and NOT function blocks with two timers to define the logical requirements.
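The start-up permissive, 1-minute bypass and latched trip that the exercise answer describes in words, modelled scan by scan as an added Python example (this is not code from the book, and the book's FLD uses graphical blocks rather than code). The temperature limits, the air flow threshold, the one-second scan interval and the two temperature profiles are constructed values; the reading that the trip latch clears once the 'ready' conditions are created again, with the 10-minute air-proving timer restarted from the trip, is an assumption taken from the narrative.

```python
"""Scan-based model of the catalyst start-up SIS logic from the exercise answer:
AND/OR/NOT conditions, a delay-initiation timer (air-flow proving), a
delay-termination timer (1-minute low-temperature bypass) and a trip latch
that holds until the 'ready' conditions exist again. All limits, the scan
time and the scenario inputs are constructed for this example."""
from dataclasses import dataclass, field

SCAN_S = 1.0         # logic solver scan interval, seconds (assumed)
T_MAX_C = 450.0      # catalyst high temperature limit (constructed)
T_MIN_C = 200.0      # catalyst low temperature limit (constructed)
FLOW_MIN = 10.0      # minimum process air flow for the permissive (constructed)
AIR_PROVE_S = 600.0  # air > min must be proven for 10 minutes before start
BYPASS_S = 60.0      # low limit bypassed for 1 minute after the start button


@dataclass
class DelayInitiation:
    """Output true only after the input has been continuously true for `delay` s;
    a false input or a reset restarts the count."""
    delay: float
    elapsed: float = 0.0

    def update(self, inp: bool, dt: float = SCAN_S) -> bool:
        self.elapsed = min(self.elapsed + dt, self.delay) if inp else 0.0
        return inp and self.elapsed >= self.delay

    def reset(self) -> None:
        self.elapsed = 0.0


@dataclass
class DelayTermination:
    """Output follows a true input and is held true for `delay` s after it drops."""
    delay: float
    remaining: float = 0.0

    def update(self, inp: bool, dt: float = SCAN_S) -> bool:
        if inp:
            self.remaining = self.delay
            return True
        self.remaining = max(self.remaining - dt, 0.0)
        return self.remaining > 0.0


@dataclass
class CatalystStartupSIS:
    """Feed trip valve TV-2 is energized only while running and no trip is latched."""
    air_proven: DelayInitiation = field(default_factory=lambda: DelayInitiation(AIR_PROVE_S))
    bypass: DelayTermination = field(default_factory=lambda: DelayTermination(BYPASS_S))
    running: bool = False
    tripped: bool = False

    def scan(self, temp_c: float, air_flow: float, start_pressed: bool,
             dt: float = SCAN_S) -> dict:
        temp_below_max = temp_c < T_MAX_C           # top section: temperature limits
        temp_above_min = temp_c > T_MIN_C
        air_ok = air_flow > FLOW_MIN
        proven = self.air_proven.update(air_ok, dt)  # air > min for 10 min since trip
        ready = proven and temp_below_max and not self.running   # ready lamp
        if self.tripped and ready:
            self.tripped = False   # latch clears once 'ready' is created again
        start_pulse = start_pressed and ready and not self.tripped
        if start_pulse:
            self.running = True
        bypass_on = self.bypass.update(start_pulse, dt)
        temp_safe = temp_below_max and (temp_above_min or bypass_on)
        if self.running and not temp_safe:
            # Excursion outside the limits: trip, and count the 10 minutes of
            # air proving again from the trip (assumed reading of "since trip").
            self.running, self.tripped = False, True
            self.air_proven.reset()
        return {"ready": ready, "bypass": bypass_on, "tripped": self.tripped,
                "feed_valve_energized": self.running and not self.tripped}


def run_scenario(temp_profile, start_at_s: int, duration_s: int, air_flow: float = 20.0) -> dict:
    """Scan the SIS once per second and report when the key events first occur."""
    sis = CatalystStartupSIS()
    ev = {"first_ready_s": None, "trip_s": None, "trip_cleared_s": None, "feed_open_s": 0}
    was_tripped = False
    for t in range(duration_s):
        out = sis.scan(temp_profile(t), air_flow, start_pressed=(t == start_at_s))
        if out["ready"] and ev["first_ready_s"] is None:
            ev["first_ready_s"] = t
        if out["tripped"] and not was_tripped and ev["trip_s"] is None:
            ev["trip_s"] = t
        if was_tripped and not out["tripped"]:
            ev["trip_cleared_s"] = t
        was_tripped = out["tripped"]
        ev["feed_open_s"] += int(out["feed_valve_energized"])
    return ev


def normal_start_then_overtemp(t: int) -> float:
    """Constructed profile: cold start, warms up, overheats at 900 s, recovers."""
    if t < 650:
        return 150.0
    return 500.0 if 900 <= t <= 905 else 300.0


def cold_catalyst_never_warms(t: int) -> float:
    """Constructed profile: the bypass expires with the catalyst still cold."""
    return 150.0


if __name__ == "__main__":
    print(run_scenario(normal_start_then_overtemp, start_at_s=620, duration_s=1600))
    print(run_scenario(cold_catalyst_never_warms, start_at_s=620, duration_s=700))
```

Running the module prints the event times for both profiles. The first shows the full cycle: ready after 10 minutes of proven air flow, feed energized on start with the low limit bypassed, a trip on the high-temperature excursion, and the ready lamp only returning 10 minutes after the trip. The second shows the failure mode implied by the narrative: if the catalyst is still below the low limit when the 1-minute bypass expires, the feed trips and stays tripped.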
The top section defines the temperature limiting conditions. The section below creates permissive conditions for the start up based on air flow greater than minimum for more than 10 minutes. This is combined with the temperature limits to operate the ready lamp. Finally the operator can press the start button, and a 1-minute bypass condition on the low temperature limit is created. After this period the catalyst must be in the safe range of temperature at all times to allow the operation to continue. Any excursion outside of the limits will cause a trip, which will stay tripped until the 'ready' conditions are created again.

[Functional logic diagram labels: Catalyst temp; Temp < max = Ready; Start up < 60 secs; Air flow; Airflow > min = Air > … for 10 minutes since trip; Trip; Start/reset = start; E = energize valve; Feed trip valve]

Appendix B - Glossary

Availability: The probability that an item of equipment or a control system will perform its intended task. It is often expressed as a percentage of the time per year of use.

BPCS: Basic process control system. Generic term used to describe any control system equipment provided for the normal operation of a plant or machine. A BPCS may or may not include safety functions.

CASS: Conformity Assessment of Safety related Systems. Refers to the developing methods for assessment of project execution and equipment design as well as functional safety management capabilities. In the UK, accredited certification bodies will be available at a future date to offer CASS assessment services to industry.

Cause and effect diagram: A matrix drawing showing the functional process safety interlocks between inputs and outputs of a safety system (see also 'FLD').

Common-cause failure: Failure as a result of one or more events, originating from the same external or internal conditions, causing coincident failures of two or more separate channels in a multiple channel system (see also 'systematic failures').

Coverage factor: See Diagnostic coverage.

Covert failure: A non-revealed defect in a
system that is not detected by the incorporated test.

De-energized safe condition: In this context: the electrical or pneumatic valves, which can shut down the guarded process, are energized during the normal (safe) process situation. If an unsafe condition arises, the (spring-loaded) valve will close, because the energy is cut off.

Diagnostic coverage: The efficacy of the self-diagnostics of a SIS, which makes it possible that a system successfully detects a specific type of component or software fault. IEC 61508 defines diagnostic coverage as 'fractional decrease in the probability of dangerous hardware failures resulting from the operation of the automatic diagnostic tests'.

Diagnostic coverage factor (also known as C-factor): The C-factor comprises the percentage of failures in modules, software, external wiring, internal wiring, cables, interconnections and other functions that are detected by the built-in test functions, or by a suitable test program. It can be expressed as a probability, or as a factor that is always smaller than 1 (e.g. C = 0.95), or as a percentage (e.g. 95%).

DCS: Distributed (or digital) control system. A process control system based on computer intelligence and using a data highway to distribute the different functions to specialized controllers.

Dynamic logic circuit: In this context: the valid logic state can only exist and perform logic control if the circuit is activated continuously, using alternating logic signals.

Emergency shutdown: Commonly used terminology to refer to the safeguarding systems intended to shut down a plant in case of a process parameter limit excess. See also SRS and SIS.

EMI: Electromagnetic interference.

EMC: Electromagnetic compatibility.

E/E/PES (Electrical/electronic/programmable electronic system): System for control, protection or monitoring based on one or more electrical/electronic/programmable electronic (E/E/PE) devices, including
all elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices.

EUC: Equipment under control. Equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities.

EUC control system: System which responds to input signals from the process and/or from an operator and generates output signals causing the EUC to operate in the desired manner. NOTE: The EUC control system includes input devices and final elements. See also BPCS.

Fail-safe: A control system response that, after one or multiple failures, lapses into a predictable safe condition.

Failure modes: In safety instrumented systems, the following types of failure mode are recognized:
• Detected safe failure (revealed fault)
• Undetected safe failure (an unrevealed fault that leads to a dangerous state)
• Detected dangerous failure (a fault that is potentially dangerous but is detected by the system diagnostics; see revealed fault)
• Undetected dangerous failure (a fault that prevents the system from providing its safety function and remains hidden within the system permanently or until found by periodic functional testing)

Fault: IEC definition: 'abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function'.

Fault tolerance: IEC definition: 'ability of a functional unit to perform a required function in presence of faults or errors'.

FLD: Functional logic diagram. A graphical representation of the system functions, showing the logic gates and timers as well as the logic signal interconnections.

FMEA: Failure mode and effect analysis. See IEC 61508 part … for description.

HIPPS: High integrity pressure protection system. Also called 'over pressure protection system'.

HMI: Human to machine interface or 'operator interface', usually a computer screen to present the actual process and system status.
IEC: International Electrotechnical Commission. Based in Geneva. Develops a vast range of internationally supported standards. See website list.

Inherently fail-safe: A particular designed dynamic logic principle that achieves the fail-safe property from the principle itself and not from additional components or test circuits.

ISA: Instrument Society of America. Based in Research Triangle Park, North Carolina. Develops standards, technical reports and training material for the complete range of instrumentation with strong emphasis on process industries. See website list.

Logic solver: E/E/PES components or subsystems that execute the application logic. Electronic and programmable electronics include input/output modules.

MTBF: Mean time between failures. This term is normally applied to serviceable equipment, typically instrument sensors, valves or PLCs. Hence normally used in SIS reliability calculations.

MTTF: Mean time to fail. This term is normally applied to disposable single life components such as relays or resistors which are replaced when they fail. Numerically the same as MTBF when calculating reliability of an SIS.

MTTR: Mean time to repair. The mean time between the occurrence of a failure and the return to normal failure-free operation after a corrective action. This time also includes the time required for failure detection, failure search and re-starting the system.

Nuisance failure: See 'spurious trip'.

Overt faults: Faults that are classified as announced, detected, revealed, etc. Opposite of 'covert fault'.

PFD: Probability of failure on demand. The probability of a system failing to respond to a demand for action arising from a potentially hazardous condition. This parameter degrades (increases) during the mission time or test interval time. Therefore the average figure, PFDavg, is used in calculating the reliability of a safety system over a given mission time. PFD equals 1 minus safety
availability.

PLC: Programmable logic controller.

Proof test: A 100% functional system test. In practice, this is only possible when the SIS is disconnected from the process. Hence on-line proof testing may leave a small fraction of the SIS untested. Also termed 'trip testing'.

Redundancy (identical and diverse): Identical redundancy involves the use of elements identical in design, construction and function, with the objective of making the system more robust for self-revealing failures. 'Diverse redundancy' uses non-identical elements and provides a greater degree of protection against the potential for common cause faults. It can apply to hardware as well as to software.

Reliability: The probability that no functional failure has occurred in a system during a given period of time.

Reliability block diagram: The reliability block diagram can be thought of as a flow diagram from the input of the system to the output of the system. Each element of the system is a block in the reliability block diagram, and the blocks are placed in relation to the SIS architecture to indicate that a path from the input to the output is broken if one (or more) of the elements fail.

Revealed failure: A failure in a system that results in a safe failure state of the system or is detected by the system's self-diagnostics. Also known as a safe detected failure.

Safety availability: Probability that an SIS is able to perform its designated safety service when the process is operating. The average probability of failure on demand (PFDavg) is the preferred term (PFD equals 1 minus safety availability).
Safety instrumented systems (SIS): System composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when predetermined conditions are violated. Other terms commonly used include emergency shutdown system (ESD, ESS), safety shutdown system (SSD), and safety interlock system.

Safety life cycle: Necessary activities involved in the implementation of safety related systems, occurring during a period of time that starts at the concept phase of a project and finishes when all of the E/E/PE safety related systems, other technology safety related systems and external risk reduction facilities are no longer available for use.

SCADA: Supervisory control and data acquisition. This term is most commonly applied to PC based equipment interfaced to plant via PLCs or input-output devices.

SER: Sequence of events recorder, based on real-time state changes of events in the system.

SIL: Safety integrity level, defining a PFD by order of magnitude, which is related to the risk (PFD) involved in various types of processes. In practice the SIL range is from … to … for most industrial processes.

Solid-state logic: A term used to describe circuits whose functionality depends upon the interconnection of electronic components such as semiconductors, resistors, capacitors, magnetic cores, etc. and which do not depend on programmable electronics.

Spurious trip: A plant trip arising out of an overt or detected equipment failure in the SIS or an erroneous assessment of the situation (e.g. an error in the logic functions). A shutdown is initiated, though no real impairment of safety exists. Also referred to as a 'false trip' or a 'nuisance failure'. Spurious trips can contribute to the hazard rate of the plant through the disturbances so caused.

Systematic failures: Failures occurring in identical parts of a (redundant) system due to similar circumstances. History shows that also errors
in specification, engineering, software and environmental factors, such as electrical interference or maintenance errors, must be considered. Such faults can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.

TMR: Triple modular redundancy. An architecture for SIS logic solvers to achieve fault tolerance by a … out of … voting configuration using identical redundant modules.

Trip: A shutdown of the process or machinery by a safety system. Normally a trip implies that the equipment cannot start operating again until there is a manually initiated restart procedure.

TUV: Technische Ueberwachungs Verein. A testing laboratory in Germany that certifies safety of equipment in terms of compliance with international standards or German national standards.

Unrevealed failure: A failure that impairs the system safety, but remains undetected (see also under 'covert failure'). It is related to the risk (PFD) involved in various types of processes. These types of failures can accumulate in a safety system, causing a degradation of the safety performance (SIL) as a function of time.

Index

Actuator sensor interface (ASI), 225
ALARP principle, 4-5
  negligible risk
  tolerable risk
  unacceptable risk
AND gate, 90, 91, 94, 144, 164, 319
Automatic diagnostic interval, 173
Basic process control system (BPCS), 41, 42, 74, 79, 137, 210, 211, 212, 213, 214, 223, 238, 239, 241, 270, 274, 277, 284, 285, 286
Broken wire fault, 152
Cause-and-effect diagram/matrix table, 120-1
  see also Functional logic diagram
Change path concepts, 84
Chemical process, basic hazards of, 35-8
  causes of explosions, fire and toxic release, 35
  explosive mixture, 36
  failures of equipment, 37-8
    and operational faults in process plants, 38
  fires: causes and preventative measures, 37
  logic diagram for an explosion, 36
  toxic material release, 37
Common-cause failure, 66
  see also Systematic failures
Computer hazops/'Chazops', 74
Conceptual
design stage and technology choices, 135-170
  definition of, 135-9
    conceptual design stage summary, 138-9
    IEC 61508 on conceptual design, 138
    ISA conceptual design stage, 136
    skills and resources, 138
  safety PLCs, development of, 150-67
  technologies for the logic solver, 139-49
    basic SIS configuration, 139-61
    characteristics of safety PLCs, 155
    communication features of safety controllers, 164-6
    design of safety PLCs, 157-61
      1oo1D safety PLC, 160
      1oo2D safety PLC, 160
      common cause potentials in redundant PLCs, 160
      diagnostic coverage, 159
      mode switching PLCs, 160
      parallel-connected type: 1oo2D, 160
      process safety time, 158
      series-connected type: 1oo2, 160
      single-channel safety PLC architecture with diagnostics, 158
    general purpose PLCs for safety functions, 150-5
    hardware characteristics of a safety PLC, 156
    new developments in communications, 166-7
    pneumatics, 141
    programmable systems for the logic solver, 149-50
    relays, 141-2
    safety PLC with 1oo3 architecture, 162-4
      key features of the PILZ PSS, 163
    safety relay, 143
    shared functions, 140
    software characteristics of a safety PLC, 156
    solid-state systems, 144-9
      communication, 146
      diagnostics, 145
      features, 145
      intelligent technology, 145
      module types, 146-9
      solid-state system components, 146
    technology choices, 141
    triple modular redundant or TMR systems, 161
    upgrading of PLCs for safety applications, 155
Control system failures, causes of, …
Covert failure, 151, 152, 154, 174-5, 238
Data capture checklist for hazard study, 106-107
Data for instrumentation, 197-9
  reliability data in books, 197-8
  sources of data, 197
Design considerations, 187-95
  comparison of protective systems, 191-2
  diagnostic coverage, 194-5
  Markov models, 192-3
  proof testing basics, 187-90
  reliability calculation software tools, 195
  reliability in a high demand mode, 191
Developing SIL for each application, 234-6
  architectural constraints, 235
  integration, 235
  operation and
maintenance, 235 safe failure fi'action, 235 Diagnostic/communication module (DCM), 145 Draft Standard lEC 61511, 15-16 Emergency shutdown, 1,8, 148 see also SRS; Shutdown systems Engineering application software, 244-54 application software, 248 basics of the software life cycle, 246-8 benefits of limited variability languages, 249-51 end user position, 246 guidance for end users, 248-9 problem with software, 244-5 programming tools, 251-2 software safety life cycle, 248 Equipment under control, definition of, 17 see also EUC control system Ethernet, 145 EUC control system, 17, 39, 42, 51, 55, 73, 74, 78, 80, 82, 104, 106, 113, 158, 206, 233, 312 see also Basic process control system Factory acceptance tests (FAT), 262, 265, 266, 267, 268, 269, 275, 276 FAT supports ftinctional test specs, 269 scope and benefits of FATs, 265-6 simulation issues, 267-9 test facilities in development systems, 269 test methods for the FAT, 266-7 Fatal accident rate (FAR), 5, 6, 7, 125, 126, 127 Fault tolerance time/'process safety time', 80, 158 Fault tree, combinational rules for, 89, 90, 91, 93 Functional logic diagram (FLD), 339, 340 Functional safety, definition of, 37 Functional safety assessment (FSA), 282 Functional safety management (FSM), 232 Hazard, definition of, 33 Hazard and operability study (HAZOP), 67, 68 Hazard studies, 65-107 and the lEC model, introduction to, 38 alignment with the lEC phases, 38-9 introduction to hazard studies, 38 examples of potential causes of failures, 105 for computer systems, 104-106 'Chazop', 105-106 timing diagram, 105 guidelines, 105 hazard study Chazop, 106 extent of study, 106 final assessment of computer system, 106 information as input to the SRS, 65-9 guideline documents, 69 history, 69 information from hazard studies must be used, 66 input requirements for safety requirements' specification, 65-6 process hazard studies with lEC safety life cycle, 68-9 process hazard study life cycle, 66-8 to the safety life cycle, 78-9 Hazard study 
guidelines, 95-104 hazard study report contents, 97 actions identified in hazard study 1, 97 general information, 97 hazard summary pro-forma, 97 performance against criteria, 97 risk appraisals, 97 measure to prevent causes or mitigate consequences, 103 method, 95 basis for safety, 95-6 preparation, 95 systematic study, 95 review of hazard study 2, 96 functional safety issues, 96-7 review meetings, 96 Hazard study 3, 82-9 adding protection layers, 88 causes of deviations, 88 Index 351 concepts of change paths and elements, 84-5 consequences of deviations, 88 generating deviations, 85-7 derived guidewords, 86 outHne of HAZOP method, 83 outHne of methodology for HAZOP, 83 recording of HAZOP results and safety functions, 89 study procedure, 87 Hazards and risk reduction: bio-medical/pharmaceuticals, 34-5 chemical and petroleum, 34 domestic, 35 electrical, 34 food processing, 34 general physical, 34 identification of hazards, typical sources and examples, 33 in industries, 35 materials, 34 mechanical plant, 34 nuclear power, 35 Hazards and risks, introduction to, 3-5 risk reduction, 4-5 design principles, Health and Safety Executive (HSE), 1, 9, 27, 29, 41,208 summary, 9-10 analysis of incidents, design, 10 design problems, maintenance and modification, 10 operational problems, 10 specification, 10 High Integrity Pressure Protection Systems (HIPPS), 148 lEC modifications procedure model, 294 lEC requirements for hazard and risk analysis, 82 Impact analysis, 294-5 Information flow and documents at the engineering stage, 242-3 Installation, 269-77 and commissioning (lEC phase), 264-77 flow chart of activities, 264 procedures, 264 standards, 264 checks, 271-3 complete, 273-4 documentation for the PSAT, 274 handover to operations, 276 management of the installation phase, 269-71 pre-start-up acceptance tests (PSAT), 274 start up, 276-7 training of technicians and operators, 275-6 validation, 275 Instrument Society of America (ISA), 90 ISA: SIS detailed design, 236-42 
general requirements, 236-8 Layers of protection analysis (LOP A), 124, 133,134 Limited variability languages (LVLs), 156, 249 Logic diagrams, 37, 80, 82, 83, 117, 121, 122, 340 see also Fault tree Lower explosive limit (LEL), 36 Manual test interval, 173 Markov models, 192-3 Methodologies for hazard studies, 69-71 environmental impact, 71 lEC: concept, 71 outline of hazard study 1, 70 process hazard study 1, 69 timing, 70 topics, 70 Methyl isocyanate (MIC), 50 MOC procedure, 294, 295 MODBUS, 145, 146, 148 MTBF, 173, 177, 182, 289, 290, 302 MTTF, 194,195,238 Nuisance trip see Spurious trip OR gate, 90, 91, 144,320 OREDA (Offshore REliability DAta), 197 Overall planning: lEC phases, 255-63 installation and commissioning planning, 261-3 commentary, 262 commissioning plan, 261 developing an installation plan, 262-3 installation plan, 261 installation and commissioning planning, 261 maintenance and operations planning, 256-60 validation planning, 260-1 Overall safety, Parameters used in reliability analysis of the safety systems, 196 Practical exercise, ^ example of SIL determination by quantitative method, 61-2 Pre-start-up acceptance tests (PSAT), 265, 269, 273, 274, 275, 276, 277 Process control versus safety control, 40-9 functional differences, 42-3 comparisons: process control versus safety control, 43 352 Index Process control versus safety control (Continued) process control versus safety control, 42 safety controls are passive/dormant, 42 historical, 40-1 integrated safety and control systems, 43 quotation from ANSI/ISA S 84.01, 41-2 quotation from IEEE, 41 separation, 41 Process hazard study 2, 71-3 Process hazards analysis (PHA), 66 PROFIBUS-DP, 148 Programmable Electronic Systems (PES), 12, 13, 15,31,41, 167,216 Project engineering, 230-1 functional safety assessment, 231 lEC requirements, 230-1 lEC 61508-1: Management of functional safety, 231 management of functional safety, 231 project problems, 230 responsibilities, 231-3 Proof test/'trip testing', 215, 
216, 292 Protection layers, 49-52 diversification, 52 mitigation layers, 52 prevention layers, 51-2 alarm systems, 51-2 interlocks, 52 mechanical or non-SIS protection layers, 52 plant design, 51 process control system, 51 shutdown systems (SIS), 52 Protection layers, definition of, 49 Protection schemes, development of, 89-94 fault trees, 89 adding risk reduction measures in FT A, 93-4 event symbols, 91-3 event tree analysis, 94 functions of the gates, 91 introduction to fault tree analysis, 90 summary of rules for constructing fault trees, 93 Retrospective validation, 260 Risk, definition, Risk analysis and risk reduction steps in the hazard study, 73-8 adding more protection, 75 alarm functions, 76-7 estimating the risk, 75 event sequences leading to a hazard, 74 hazardous event frequencies, 74 hazards of the EUC control system, 74 examples of potential causes of failures in control systems, 74 inherent safety solutions, 74-5 key measures to reduce the risk, 75-6 process and operational safety measures, 76 safety instrumented functions, 77-8 typical protection layers or risk reduction categories, 75 Risk matrix table, 55 ranking value, 55 to tolerable risk, 55 Risk reduction and classification, 52-6 basic risk reduction model, 56 classification, 53-6 terms and equations, 56-7 Safe failure fraction, 181, 205, 210, 216, 218, 219, 224, 225, 226, 227, 229, 235, 242 Safety health and environmental audit (SHE), 67 Safety in field instruments and devices, 200-202 design requirements for field devices, 221-3 installation design features, 223 instrument selection, 222-3 proven in use, 221-2 field devices for safety, 201-202 key points about sensors and actuators, 201 sensors and actuators dominate reliability issues, 202 guidelines for the application of field devices, 210-23 design for fail-safe operation, 210 design techniques to minimize failures, 210 diversity, 220 redundancy in sensors and actuators, 216-20 common cause failures, 219 other points concerning 
redundancy, 219 sensor diagnostics, 214-15 separation of sensors from BPCS, 211-14 limited exceptions to the separation rules, 212 valve diagnostics, 215-16 offshore installation practices for ESD valves, 215-16 sensor types, 202-209 actuator types, 207-209 potential failures in final control elements, 208 remotely operated shut-off valves, 208 failure modes, 207 list of potential causes of failures in sensors, 206-207 transmitters, 203-204 using transmitters with trip amplifiers, 204-206 advantages of analog transmitters over switches, 205 Safety instrumentation, definition of, 1-2 Index 353 Safety instrumented system, 296-305 impact of safety system failures, 297-9 justification, 299 cost comparisons, 303-305 costing example, 301-303 life cycle cost method, 299-301 nuisance trip comparisons, 303 PFD comparisons, 303 responsibilities, 299 Safety integrity, determining the, 123-33 calibration of the risk graph, 132 design example, 124-8 adding the SIS, 126 external or mitigation layer, 125 obtaining the SIL, 127 diversity in SIL methods, 123 LOP A method for SIL determination, 3 ^ methods for determination of SILs, 123-^ parameters and extending the risk graph scope, 129-30 quantitative method, 124, 127-8 risk graph guidance from lEC 61511, 130 deciding parameter values in a risk graph, 130 risk graph methods, 128-9 safety layer matrix method for SIL determination, 132 software tools using risk graphs, 132 Safety integrity level (SIL), concept of, 33, 58, 97, 136 Safety layers and protection layers, definitions of, 124 Safety Life Cycle (SLC), 9, 12, 13, 14, 15, 17, 19, 20, 21, 22, 23, 24, 25, 26, 32, 38, 40, 66, 68, 69,73,78,82,89,95,96, 108, 111, 114, 118, 135, 136, 138, 156, 200, 230, 231, 233, 245, 246, 248, 249,253, 254, 255, 256, 260, 263, 274, 277, 280, 283, 284, 288, 293, 294, 296 model and its phases (SLC phases), 17-20, 96 basic SLC, 17 lEC SLC versions, 18-20 introducing SLC, 17 ISA SLC, 18 Safety requirements, overall, 108-109 components of the SRS, 
108-109 SRS frinctional requirements, 109 SRS input section, 109 SRS integrity requirements, 109 Safety requirements specifications, 108-34 Safety systems engineering (SSE): overview of, 7-8, 11 scope of, 11 Safety systems information: websites for, 26 Secondary means of de-energizing (SMOD), 158 Shutdown sequences, 45-9 complex shutdown sequences, 47-9 all the trip logic is performed in the safety system, 47-8 burner management, 47 local process conditions, 47 machinery protection, 47 stages are interdependent, 47 simple shutdown sequence, 45-6 Shutdown systems (SIS), 52, 172-3, 173-5, 178-87 analysis models and methods, 178-87 analysis method, 179-85 calculations for spurious trips, 185-7 conclusions on analysis models, 187 architecture conventions, 168-70 design process, 172-3 failure modes, 173-5 covert failure mode, 174 reliability formulae, 175-8 SIS requirements, 79-82 checklist for SIS evaluation at hazard stage, 79-80 action required to reach safe state, 80 continuation to SRS, 81 hazard report, 81-2 process safety time, 80 safe state of the process, 80 SIS preliminary estimate, 81 tolerable rate of spurious trips, 80-1 tolerable risk frequency, 80 trip frinctional requirements, 80 Software activity steps, application, 252-4 certification of operating systems, 253-4 software quality management system, 253 Software changes, 295 Split system, 44 Spurious trip, 77, 80, 81, 152, 158, 174, 176, 177, 185,302,303 SRS, development of, 110-16 conclusions on the SRS development, 116 frinctional requirements, 112-15 for the overall SRS, 112-14 for the realization phase, 114-15 general development procedure, 110-12 input requirements, 112 safety integrity requirements, 115 SRS documentation, 116-23 checklist for SRS, 116-19 defining the frinctions, 119-23 matrix or cause and effect diagram, 120-1 narrative description, 120 trip linkup diagrams, 122-3 trip logic diagrams, 121-2 354 Index Standard ANSI/S 84.01: introduction, 15 features of IS A S84.01, 15 Standard TEC 
61508: features of, 13-14 implications for control systems, 20-1 introduction and key elements of, 13 safety life cycle descriptions, 21-6 Standard operating procedure (SOP), 258, 259 Standards: lEC 61508 and ISA S84, 11-16 for management of safety, 11-12 functional safety standards, evolution of, 12-13 Systematic failures, 50, 66, 112, 115, 137, 138, 182, 192, 210, 217, 219, 220, 240, 270, 281,316 Technology issues, 224-9 application examples, 224-6 intelligent field devices: advantages and disadvantages, 224 safety critical transmitters and positioners, 226-9 safety certified positioner, 227 UKHSE publication, Upper explosive limit (UEL), 36 Validation, operations and management of change (lEC phases), 279-95 functional testing, 288-92 ISA requirements for operating procedures, 286 maintenance program, 286-8 lEC requirements, 286-8 ISA requirements, 286 operations, maintenance and repair, 284-8 operator's viewpoint, 284-6 alarm and event logs, 285 maintenance bypasses, 285-6 permissives, 284 permits for maintenance work, 285 process indications, 284 process overrides, 285 SIS alarms, 285 SIS status indicators, 284 status of drives, 285 Trip alarms, 285 trip resets, 285 variable set points, 286 practical functional testing, 290 output overrides, 291 practicalities of on-line testing, 291 recording the functional tests, 292 testing of ESD pipeline valves, 292 testing of final elements, 291-2 verification, validation and functional safety assessment, 279-84 functional safety assessment, 282-4 CASS developments, 282 graded independence of assessors, 282 validation, 282 verification, 279-81 voting system, 163, 164, 170, 316 ZA alarm, 241 ... previously published in ISA S84.01 and is expected to replace ISA S84.01 30 Practical Industrial Safety, Risk Assessment and Shutdown Systems for Industry Oil and gas industries Reference: UK... 