
Upload: rockwell-automation

Post on 07-May-2015


Page 1: Best Safety Practices for Critical Applications

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

Best Safety Practices for Critical Applications

CFSE & PHA Leader: Carlos R. Jacobo Vargas

Page 2: Best Safety Practices for Critical Applications


Carlos Jacobo, CFSE, PHA Leader

Carlos is the Senior Safety Leader of the HSE (Health, Safety and Environment) department at the Mexican Institute of Petroleum (IMP) of México. Carlos joined the IMP in 1994 and currently leads PHA (Process Hazard Analysis) and implements SIL Selection and Verification for Oil & Gas Process Plants at different subsidiaries within Pemex. Carlos is the President of ISA México. He holds a Chemical Engineering degree from the University of México and is a Certified Functional Safety Expert (CFSE) and Certified Process Hazard Analysis Leader.

Speaker

Page 3: Best Safety Practices for Critical Applications


Mexican Institute of Petroleum

• Created in 1965, the Mexican Institute of Petroleum (IMP) was built to develop technology for critical processes in the Petroleum Industry

• Scientific research and development of technological human resources to serve the National Petroleum Industry

• Dedicated to technological development through the commercialization of products and services, as a result of the preparation of highly specialized human resources

Mission: “Transform knowledge in innovative industrial applications for strategic priorities in the Oil & Gas Industry”

Page 4: Best Safety Practices for Critical Applications


The Safety Instrumented Systems

• An automatic response that takes the process to a safe state under certain conditions.

– It integrates sensors + logic solver + final elements

[Figure: BPCS and ESD connected over EtherNet/IP. Process Function: Pressure 10 Kg/cm2; SIS Function: Pressure 18 Kg/cm2]

Page 5: Best Safety Practices for Critical Applications


The Safety Instrumented System

• Safety Instrumented Function (SIF), or “safety loop”, performed by the Safety Instrumented System

• Requirements of functionality and integrity

– What is the safety function for?

– What is the reliability required (integrity)? The SIL

• Integrity

– Referred to as SIL, RRF or PFDavg

Page 6: Best Safety Practices for Critical Applications


Design Criteria

• Design is based on compliance with standards, using mainly programmable electronic technology

• The solutions that have been developed are designed with instrumentation certified for safety applications

• The design cycle is developed through risk analysis and detailed engineering

Page 7: Best Safety Practices for Critical Applications

Design Criteria

• The SIL verification phase determines that the SIL of the Safety Instrumented Functions (SIF), or loops, that form the SIS depends not only on the estimated PFDavg, but also on SIL capability and architectural constraints

[Figure: SIL verification flow relating conceptual design, equipment design, diagnostics, failure modes, failure rates, frequency of proof testing, safe failure fraction (SFF) and hardware fault tolerance to three results: SIL by PFDavg calculation (SIL PFDavg), SIL capability (SIL CAP) and SIL achieved by architectural constraints (SIL AC). SIL achieved: select the minor of SIL CAP, SIL AC and SIL PFDavg.]

Page 8: Best Safety Practices for Critical Applications


Design Criteria

• IEC 61511, 11.2.8: manual means, independent of the logic solver, shall be provided to actuate the SIS final elements unless otherwise directed by the safety requirement specification

• All emergency shutdown valves are instrumented with field operating buttons, which is a requirement of NRF-204-PEMEX-2008

• On the other hand, only piston-type pneumatic actuators with spring return are used for high torque; they close when instrument air is lost

• A pneumatic back-up cylinder sized for three “open-close” cycles is also installed, in order to avoid false trips

Page 9: Best Safety Practices for Critical Applications


Design Criteria

• Standard clause 10.3.1 indicates: definition of the requirement for any safety instrumented function necessary to survive a major accident event

• For that purpose, fireproofing protection is specified for the actuator and the components of the valve for 30 minutes of operation. According to UL 1709 or similar, such protection must withstand a working condition of at least 1050°C


Page 10: Best Safety Practices for Critical Applications

Design Criteria

• In general, transmitters (PIT) are preferred over switches (PSH), because they give access to diagnostics

• According to our design vision, for a SIL 2 application requirement a second sensor is added and an n+1 architecture is applied. This provides a maintenance scheme that does not leave the process at «risk» while a sensor is in maintenance.

• With the redundant sensor scheme we obtain high levels of performance, even during maintenance. For example, if a SIF is designed with a 2oo3 sensor configuration, be warned that while one sensor is in maintenance the original configuration must be reconfigured to 1oo2 in order to maintain the SIL objective.

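As an added example (not from the presentation), the 2oo3 maintenance case above worked through in Python with the simplified PFDavg equations for voted groups of identical channels; the dangerous undetected failure rate, proof-test interval and SIL 2 target are constructed assumptions, and common cause and diagnostics are ignored.

```python
# Added example, not from the presentation: why a 2oo3 sensor group must be
# re-voted to 1oo2 (not left to degrade to 2oo2) while one transmitter is in
# maintenance. Simplified PFDavg equations for identical channels with
# dangerous undetected failure rate lam_du (per hour) and proof-test interval
# ti (hours); common cause and diagnostics ignored. Values are constructed.

PFD_AVG = {
    "1oo1": lambda x: x / 2,
    "1oo2": lambda x: x ** 2 / 3,
    "2oo2": lambda x: x,
    "2oo3": lambda x: x ** 2,
}


def pfd_avg(voting, lam_du, ti):
    """Simplified PFDavg of a voted group, with x = lam_du * ti."""
    return PFD_AVG[voting](lam_du * ti)


def sil_from_pfd(pfd):
    """Low-demand SIL band (IEC 61508-1) for a PFDavg; 0 = worse than SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def degraded_voting(bypassed_channel_state):
    """Effective voting of a 2oo3 group while one channel is bypassed.

    Forcing the bypassed channel to its trip state leaves the remaining pair
    voting 1oo2 (the reconfiguration the slide asks for); forcing it to the
    healthy state silently leaves 2oo2.
    """
    return "1oo2" if bypassed_channel_state == "trip" else "2oo2"


def maintenance_check(lam_du, ti, target_sil, bypassed_channel_state):
    """Return (effective voting, PFDavg, SIL, target met?) during maintenance."""
    voting = degraded_voting(bypassed_channel_state)
    pfd = pfd_avg(voting, lam_du, ti)
    sil = sil_from_pfd(pfd)
    return voting, pfd, sil, sil >= target_sil


# Constructed figures: lam_du = 2e-6 /h, annual proof test (8760 h), SIL 2 target.
LAM_DU, TI, TARGET = 2.0e-6, 8760.0, 2
```

With these figures the intact 2oo3 group reaches SIL 3 by PFDavg, a bypass that leaves 2oo2 drops it to SIL 1 and misses the SIL 2 objective, while re-voting to 1oo2 keeps SIL 3.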

Page 11: Best Safety Practices for Critical Applications

Design Criteria

• The logic processor is the part of the SIS that handles one or more logic functions.

• Although it is the component with the least contribution to the PFDavg of the SIF, it may become the weakest point of the SIS in the following cases:

– When the available space is critical (offshore platforms)

– When, due to process requirements, the SIS must grow in the number of SIFs with a higher SIL than the maximum assigned before the SIS “upgrade”

– When a PLC-SIS is required with low PFDavg and a low rate of nuisance trips


Page 12: Best Safety Practices for Critical Applications

Design Criteria

• IEC 61511, 11.4.1

• For safety instrumented functions, the sensors, logic solvers and final elements shall have a minimum hardware fault tolerance.

– Hardware fault tolerance is the ability of a component or subsystem to undertake the required safety instrumented function in the presence of one or more dangerous faults in hardware…


Page 13: Best Safety Practices for Critical Applications

Design Criteria


Page 14: Best Safety Practices for Critical Applications

Design Criteria

• From IEC 61508-1:2010

– 7.2.2.2 ….. if any subsystem of an E/E/PE safety-related system with a hardware fault tolerance of zero is taken off-line for testing, the continuing safety of the EUC shall be maintained by additional measures and constraints …… [those measures] shall be at least equal to the safety integrity provided by the E/E/PE safety-related system

• 7.4.4 Hardware safety integrity architectural constraints

– Route 1H, based on the hardware fault tolerance and safe failure fraction concepts; or

– Route 2H, based on component reliability data from end-user feedback, increased confidence levels and hardware fault tolerance for specified safety integrity levels.

• We prefer Route 1H for this requirement, and the selection of PLCs with at least one hardware fault tolerance

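As an added example (not from the presentation), the page 7 rule “select the minor of SIL CAP, SIL AC, SIL PFDavg” combined with the Route 1H architectural constraints preferred above, in Python; the Route 1H tables are those of IEC 61508-2 (SFF band versus hardware fault tolerance, type A and type B), and every subsystem figure below is a constructed assumption.

```python
# Added example, not from the presentation: the "select the minor of SIL CAP,
# SIL AC, SIL PFDavg" rule (page 7), with SIL AC from the IEC 61508-2 Route 1H
# tables (SFF band vs. hardware fault tolerance) and SIL PFDavg from the
# IEC 61508-1 low-demand PFDavg bands. Subsystem figures are constructed.

# Route 1H tables: (upper SFF bound, SIL allowed for HFT 0, 1, 2). Type A =
# simple devices (e.g. valves), type B = complex (e.g. PLCs); None = not allowed.
ROUTE_1H = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))],
    "B": [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))],
}


def sil_from_pfd(pfd_avg):
    """Low-demand SIL band for a PFDavg (0 = worse than SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0


def sil_ac_route_1h(sff, hft, sub_type="B"):
    """SIL allowed by architectural constraints (Route 1H)."""
    hft = min(max(int(hft), 0), 2)
    for sff_upper, per_hft in ROUTE_1H[sub_type]:
        if sff < sff_upper:
            return per_hft[hft] or 0
    return 0


def sil_achieved(sil_cap, sff, hft, pfd_avg, sub_type="B"):
    """SIL achieved by one subsystem = min(SIL CAP, SIL AC, SIL PFDavg)."""
    return min(sil_cap, sil_ac_route_1h(sff, hft, sub_type), sil_from_pfd(pfd_avg))


def weakest_subsystem(subsystems):
    """(name, SIL) of the subsystem that limits the SIF; the SIF gets that SIL."""
    return min(((name, sil_achieved(*p)) for name, p in subsystems.items()),
               key=lambda item: item[1])


# Constructed SIF: (SIL CAP, SFF, HFT, PFDavg, type). The SIL 3 certified
# logic solver with HFT 1 is fine; the single valve (HFT 0) caps the SIF.
SIF = {
    "sensors 2oo3": (3, 0.92, 2, 2.0e-4, "B"),
    "logic solver": (3, 0.95, 1, 4.0e-5, "B"),
    "valve 1oo1": (3, 0.80, 0, 5.0e-3, "A"),
}
```

Here the logic solver reaches SIL 3 by all three criteria, but the single valve is limited to SIL 2 by both Route 1H (HFT 0, SFF 80 %) and its PFDavg, so the SIF as a whole is SIL 2 regardless of the PLC certificate.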

Page 15: Best Safety Practices for Critical Applications

Challenges in Functional Safety

• Select only certified equipment for safety applications

• Low values of Probability of Failure on Demand

• Good performance for low Spurious Trip Rate

– Typically the design considers an MTTFsp of about 15-25 years

• No use of a single logic solver

• Low power consumption

• Small space for the logic solver

• Use the appropriate PLCs according to the quantity of inputs

• Response speed of about 300 ms

• Analog output


Page 16: Best Safety Practices for Critical Applications

Issues and Solutions

• Low STR

– In some applications the requirement for MTTFsp is as large as 25 years; the safety PLC was the problem and AADvance was the solution in a 1oo2D architecture

• Low power consumption

– For an existing offshore platform the available power source was very limited, and we needed a safety controller with very low power requirements; we evaluated many options and found that AADvance met this requirement

• High density for signal processing

– In an Alkylation Plant and an FCC the quantity of safety sensors and final elements was very large, and the requirement was for SIL up to SIL 3; we selected Trusted


Page 17: Best Safety Practices for Critical Applications

Issues and Solutions

• Small requirements of I/O

– In a small application (a distribution terminal) the quantity of signals was very small, about 7 Safety Functions, and we needed a flexible PLC with high integrity

• Analog output

– In a Pump Station we needed to stop the pumps required for a Safety Function; the driver is a turbine, and the stop required modulating the gas feed to the turbine. For this application we needed an analog output certified for a SIL application; the solution was an analog output for the AADvance PLC.


Page 18: Best Safety Practices for Critical Applications

Benefits

• Small requirements of I/O

– Optimizes the cost of a SIS in small applications

• Analog output

– With this we can stop turbines in a way that provides high integrity. For customers this ability is very valuable

• Power consumption and space

– Decreasing the power consumption also relieves the space limitation, because the required HVAC capacity decreases and the UPS and battery bank capacity is smaller, reducing the space required in the control room.


Page 19: Best Safety Practices for Critical Applications


Benefits

• Return on Investment has always been a difficult subject to deal with the administrative people at the plants. They expect an increase in production from the investment in safety, and it is not always so direct.

• The right metric is different: “How much am I losing by not investing in Safety?”

• The support for the investments we have accomplished in safety projects is based on the following simple concept:

Page 20: Best Safety Practices for Critical Applications


Return on Investment?

• In most cases, the cost/benefit of safety is always positive with this simple rule and the customer’s risk acceptance criteria

Page 21: Best Safety Practices for Critical Applications


Questions?