Safety System/Emergency Shutdown System (ESD)


Post on 14-Dec-2015



The Need for Safety Instrumentation

Managing and equipping an industrial plant with the right components and sub-systems for optimal operational efficiency and safety is a complex task. Safety Systems Engineering (SSE) describes a disciplined, systematic approach which encompasses hazard identification, safety requirements specification, safety system design and build, and system operation and maintenance over the entire lifetime of the plant. These activities form what has become known as the “Safety Life-cycle” model, which is at the core of current and emerging safety-related system standards.

Risk and Risk Reduction Methods

Safety methods employed to protect against or mitigate harm/damage to personnel, plant and the environment, and to reduce risk, include:

• Changing the process or engineering design
• Increasing mechanical integrity of the system
• Improving the Basic Process Control System (BPCS)
• Developing detailed training and operational procedures
• Increasing the frequency of testing of critical system components
• Using a Safety Instrumented System (SIS)
• Installing mitigating equipment

Other terms used for safety systems are:

• Safety Instrumented Systems (SIS),
• Emergency Shutdown System (ESD),
• Safety Related System (SRS), or
• E/E/PE Safety Related System (E/E/PE = Electric/Electronic/Programmable Electronic)

Objectives of a shutdown control system

1- Protection of life
2- Protection of plant equipment
3- Avoidance of environmental pollution
4- Maximizing plant production, i.e. avoiding unnecessary shutdowns

Safety, Reliability, and Availability

a) Safety

Safety means sufficient protection from danger.

• Safety related controls are needed e.g. for trains, lifts, escalators, burners, etc. The safe controls must be designed in a way that any component fault and other imaginable influences do not cause dangerous states in the plant.

The safe state is the state into which a system can be put out of its current operational state and which has a system-specific lower hazard potential than the operational state. The absolutely safe state is the one with the lowest amount of energy involved. Quite often it is not possible to obtain the safe state without any danger involved just by switching the device off (e.g. a plane). The plane in the air, taken as a system, has no safe state. Here the risk can only be reduced by redundant equipment (e.g. for propulsion and navigation systems).

Safety is measured primarily by a parameter called Average Probability of Failure on Demand (PFDavg). This indicates the chance that a SIS will not perform its preprogrammed action during a specified interval of time (usually the time between periodic inspections).

b) Reliability

Reliability is the ability of a technical device to fulfill its function during its operation time. This is often no longer possible if one component has a failure. So the MTBF (Mean Time Between Failures) is often taken as a measure of reliability. It can be calculated either statistically from systems in operation or from the failure rates of the components applied.

The reliability does not say anything about the safety of a system! Unreliable systems are safe if an individual failure puts the plant into the safe state each time.

c) Availability

Availability is the probability of a system being a functioning one. It is expressed in per cent and is defined by the mean operating time between two failures (MTBF) and the mean down time (MDT), according to the following formula:

The mean down time (MDT) consists of the fault detection time and, in modular systems, the time it takes to replace defective modules. The availability of a system is greatly increased by a short fault detection time. Fast fault detection in modern electronic systems is obtained via automatic test routines and a detailed diagnostic display.

The availability can be increased through redundancy, e.g. central devices working in parallel, I/O modules or multiple sensors on the same measuring point. The redundant components are arranged in such a way that the function of the system is not affected by the failure of one component.

Here as well, a detailed diagnostic display is an important element of availability. Measures designed to increase availability have no effect on the safety. The safety of redundant systems is, however, only guaranteed if there are automatic test routines during operation or if e.g. non-safety-related sensor circuits in a 2oo3 arrangement are regularly checked. If one component fails, it must be possible to switch off the defective part in a safe way.

A related measure is called Safety Availability. It is defined as the probability that a SIS will perform its preprogrammed action when the process is operating. It can be calculated as follows:

Safety Availability = 1 – PFDavg

Another parameter is called the Risk Reduction Factor (RRF). It represents the ratio of the risk without a SIS divided by the risk with a SIS. It can be calculated as follows:

RRF = 1/PFDavg

What is hazard and what is risk?

A hazard is ‘an inherent physical or chemical characteristic that has the potential for causing harm to people, property, or the environment’. In chemical processes, ‘It is the combination of a hazardous material, an operating environment, and certain unplanned events that could result in an accident’.

Hazards Analysis

Generally, the first step in determining the levels of protective layers required involves conducting a detailed hazard and risk analysis. In the process industries a Process Hazards Analysis (PHA) is generally undertaken, which may range from a screening analysis through to a complex Hazard and Operability (HAZOP) study, depending on the complexity of operations and severity of the risks involved. The latter involves a rigorous detailed process examination by a multi-disciplinary team comprising process, instrument, electrical and mechanical engineers, as well as safety specialists and management representatives.

Risk

‘Risk is usually defined as the combination of the severity and probability of an event. In other words, how often can it happen and how bad is it when it does happen? Risk can be evaluated qualitatively or quantitatively.’ Roughly,

Risk reduction

Risk reduction can be achieved by reducing either the frequency of a hazardous event or its consequences, or by reducing both of them. Generally, the most desirable approach is to first reduce the frequency, since all events are likely to have cost implications even without dire consequences.

Safety systems are all about risk reduction. If we can’t take away the hazard we shall have to reduce the risk. This means: reduce the frequency and/or reduce the consequence.

The basic definitions of the safety-related terminology will be studied in this course; there are three main examples of the required safety actions, as follows:

Emergency Shutdown (ESD)

Typical actions from ESD systems are:

• Shutdown of part systems and equipment;
• Isolate hydrocarbon inventories;
• Isolate electrical equipment;
• Prevent escalation of events;
• Stop hydrocarbon flow;
• Depressurize / Blow down;
• Emergency ventilation control;
• Close watertight doors and fire doors.

Process Shutdown (PSD)

A process shutdown is defined as the automatic isolation and de-activation of all or part of a process. During a PSD the process remains pressurized. Basically, a PSD system consists of field-mounted sensors, valves and trip relays, a system logic unit for processing of incoming signals, and alarm and HMI units. The system is able to process all input signals and activate outputs in accordance with the applicable Cause and Effect charts.

Typical actions from PSD systems are:

• Shutdown the whole process;
• Shutdown parts of the process;
• Depressurize / Blowdown parts of the process.

Fire and Gas Control (F&G)

This is denoted as the Fire Detection and Protection system (FDP) in some other definitions. FDP provides early and reliable detection of fire or gas wherever such events are likely to occur, alerts personnel and initiates protective actions automatically, or manually upon operator activation.

Basically the system consists of field-mounted detection equipment and manual alarm stations, a system logic unit for processing of incoming signals, and alarm and HMI units. The system shall be able to process all input signals in accordance with the applicable Fire Protection Data Sheets or Cause & Effect charts. FDP SIL requirements typically range from SIL 2 down to SIL 1, or the system is defined as one without a SIL requirement, depending on the risk analysis.

Typical actions from FDP systems are:

• Alert personnel;
• Release fire fighting systems;
• Emergency ventilation control;
• Stop flow of minor hydrocarbon sources such as diesel distribution to consumers;
• Isolate local electrical equipment (may be done by ESD);
• Initiating ESD and PSD actions;
• Isolate electrical equipment;
• Close watertight doors and fire doors.

Emergency Shutdown (ESD)

The Emergency Shutdown System (ESD) shall minimize the consequences of emergency situations, typically related to uncontrolled flooding, escape of hydrocarbons, or outbreak of fire in hydrocarbon-carrying areas or areas which may otherwise be hazardous. Traditionally, risk analyses have concluded that the ESD system needs a high Safety Integrity Level, typically SIL 2 or 3.

Basically the system consists of field-mounted sensors, valves and trip relays, system logic for processing of incoming signals, and alarm and HMI units. The system is able to process input signals and activate outputs in accordance with the Cause & Effect charts defined for the installation.

Typical actions from ESD systems are:

• Shutdown of part systems and equipment
• Isolate hydrocarbon inventories
• Isolate electrical equipment (*)
• Prevent escalation of events
• Stop hydrocarbon flow
• Depressurize / Blowdown
• Emergency ventilation control (*)
• Close watertight doors and fire doors (*)

Process Shutdown (PSD)

The Process Shutdown system ensures rapid detection and safe handling of process upsets.

Traditionally, risk analyses have concluded that the PSD system needs a low to medium Safety Integrity Level.

The reason for a low to medium requirement is that PSD systems built in accordance with API RP 14C have requirements for both primary (the computerized system) and secondary (mechanical devices) protection. Basically the system consists of field-mounted sensors, valves and trip relays, a system logic unit for processing of incoming signals, and alarm and HMI units. The system is able to process all input signals and activate outputs in accordance with the applicable Cause & Effect charts.

Typical actions from PSD systems are:

• Shutdown the whole process
• Shutdown parts of the process
• Depressurize / Blowdown parts of the process

Fire / Gas Detection and Protection (FDP)

Typical actions from FDP systems are:

• Alert personnel
• Release fire fighting systems
• Emergency ventilation control (*)
• Stop flow of minor hydrocarbon sources such as diesel distribution to consumers (*)
• Isolate local electrical equipment (may be done by ESD)
• Initiating ESD and PSD actions
• Isolate electrical equipment (*)
• Close watertight doors and fire doors (*)

(*) May alternatively form a part of the Emergency Shutdown system.
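The PSD, ESD and FDP descriptions above all come down to the same mechanism: a logic unit reads field inputs and drives outputs according to a Cause & Effect chart, with redundant sensors voted (the 2oo3 arrangement mentioned under Availability). The following is an added example, not code from the original document or any vendor logic solver, of such an evaluation. The tag names, the three chart rows, and the fail-safe policy for faulted channels are all constructed for illustration.

```python
# Added example, not from the original document: a small logic-solver model
# that evaluates a Cause & Effect chart of the kind the PSD/ESD/FDP sections
# refer to. Tags, chart rows and the voting policy are constructed and are
# not taken from the page or from any real installation.
from dataclasses import dataclass
from enum import Enum


class Quality(Enum):
    GOOD = "good"
    BAD = "bad"   # diagnostics flagged the channel (line fault, out of range)


@dataclass(frozen=True)
class Input:
    tag: str
    tripped: bool                   # True when the trip condition is present
    quality: Quality = Quality.GOOD


@dataclass(frozen=True)
class Cause:
    name: str
    tags: tuple      # input tags that vote on this cause
    voting: tuple    # (m, n): m out of n voting channels must trip
    effects: tuple   # outputs de-energized (tripped) when the cause is active


# Constructed chart: three gas detectors vote 2oo3 on a gas release; a single
# pressure transmitter and the manual ESD pushbutton are 1oo1 causes.
CE_CHART = (
    Cause("Confirmed gas in process area", ("GD-101", "GD-102", "GD-103"), (2, 3),
          ("ESDV-101", "BDV-101", "HVAC-DAMPER-01")),
    Cause("High-high separator pressure", ("PT-201",), (1, 1), ("ESDV-101",)),
    Cause("Manual ESD pushbutton", ("HS-ESD-01",), (1, 1),
          ("ESDV-101", "BDV-101", "HVAC-DAMPER-01", "PSD-TRIP")),
)


def votes_for(cause: Cause, by_tag: dict) -> int:
    """Count trip votes for a cause.

    Fail-safe policy (an assumption of this example): a missing or bad-quality
    channel counts as a trip vote, so a faulted detector degrades 2oo3 towards
    1oo2 instead of silently removing protection.
    """
    votes = 0
    for tag in cause.tags:
        inp = by_tag.get(tag)
        if inp is None or inp.quality is Quality.BAD or inp.tripped:
            votes += 1
    return votes


def evaluate(chart, inputs):
    """Return (active cause names, output states).

    Outputs are energize-to-run / de-energize-to-trip: True means the output
    is energized (valve open, damper open, PSD not tripped); False means it
    has been driven to its safe state. Every output starts energized.
    """
    by_tag = {i.tag: i for i in inputs}
    outputs = {o: True for c in chart for o in c.effects}
    active = []
    for cause in chart:
        m, n = cause.voting
        if len(cause.tags) != n:
            raise ValueError(f"{cause.name}: {len(cause.tags)} tags for {m}oo{n}")
        if votes_for(cause, by_tag) >= m:
            active.append(cause.name)
            for o in cause.effects:
                outputs[o] = False
    return active, outputs


def normal_inputs():
    """Constructed healthy plant state: no trips, all channels good."""
    return [Input(t, False) for t in
            ("GD-101", "GD-102", "GD-103", "PT-201", "HS-ESD-01")]


def with_overrides(*overrides: Input):
    """Normal inputs with selected channels replaced."""
    base = {i.tag: i for i in normal_inputs()}
    for o in overrides:
        base[o.tag] = o
    return list(base.values())


if __name__ == "__main__":
    scenarios = (
        ("normal", normal_inputs()),
        ("one detector", with_overrides(Input("GD-101", True))),
        ("two detectors", with_overrides(Input("GD-101", True), Input("GD-102", True))),
        ("one detector + one faulted",
         with_overrides(Input("GD-101", True), Input("GD-102", False, Quality.BAD))),
        ("manual ESD", with_overrides(Input("HS-ESD-01", True))),
    )
    for label, inputs in scenarios:
        active, outputs = evaluate(CE_CHART, inputs)
        tripped = sorted(o for o, energized in outputs.items() if not energized)
        print(f"{label:28s} active={active} tripped={tripped}")
```

Two design points carry the safety argument: outputs are only ever driven towards the safe state (de-energized), never back, so any bug or lost signal fails safe; and a channel whose diagnostics report bad quality is counted towards a trip rather than ignored, which is the mechanism behind the remark above that redundancy only preserves safety when faulted parts are detected and handled.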

Safety Process General Overview

Safety by definition is the “absence of risk”. There is risk in everything we do, so the safety process model is designed to effectively identify and reduce risk. This includes:

• Physical plant risk;
• Human factor-related risk;
• Attitudinal risk.

Sustained improvements in accident prevention can only come from changes to the overall mix of the above factors. The model defines workplace risk as a formula such that:

RISK = Employee Exposure X Probability of the Accident Sequence Taking Place X Potential Consequence of the Accident

Noting that Risk = Consequence x Frequency and Frequency = Demand rate x Probability of failure of the safety function, we can define the Five-Step Safety Process Model as follows:

Five-Step Safety Process Model

• Step 1: Identification of risks that are producing accidents and injuries.

• Step 2: Perform accident / incident problem-solving on each identified risk. The process includes:

1. Definition of the problem
2. Contributing factors
3. Root causes

• Step 3: Develop a schedule for implementation of each preventive action. Preventive actions should all have:

1. A responsible party
2. Resources to support the actions
3. A timetable for completion

• Step 4: Continuously measure to ensure preventive actions are working as expected. Measure against the timetable to ensure each action is enabled.

• Step 5: Employees involved in the work environment must be given feedback on a continuous basis (i.e. positive reinforcement).

The process for managing risk


Risk Evaluation

There is no such thing as zero risk. This is because no physical item has a zero failure rate, no human being makes zero errors and no piece of software design can foresee every possibility.

Key Questions to Ask

A process control engineer implementing a Safety Instrumented System must answer several questions:

1. What level of risk is acceptable?
2. How many layers of protection are needed?
3. When is a Safety Instrumented System required?
4. Which architecture should be chosen?

Risk assessment

The measurement of risk

Quantitative scale:

• Minor – Injury to one person involving less than 3 days absence from work
• Major – Injury to one person involving more than 3 days absence from work
• Fatal – Fatal consequences for one person
• Catastrophic – Multiple fatalities and injuries.

Qualitative scale:

• Unlikely
• Possible
• Occasionally
• Frequently
• Regularly

Alternatively

• One hazardous event occurring on the average once every 10 years will have an event frequency of 0.1 per year.

• A rate of 10⁻⁴ events per year means that an average interval of 10 000 years can be expected between events.

Another alternative is to use a semi-quantitative scale or band of frequencies to match up words to frequencies. For example:

• Possible = Less than once in 30 years
• Occasionally = More than once in 30 years but less than once in 3 years
• Frequently = More than once in 3 years
• Regularly = Several times per year.

Once we have these types of scales agreed, the assessment of risk requires that for each hazard we are able to estimate both the likelihood and the consequence. For example:

• Risk item no. 1 – ‘Major’ injury likely to occur ‘Occasionally’
• Risk item no. 2 – ‘Minor’ injury likely to occur ‘Frequently’.
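The scales above applied in code, as an added example that is not part of the original document: an event rate is converted into one of the page's frequency words, then combined with a consequence category to give a risk class. The frequency thresholds are the page's semi-quantitative bands (with "several times per year" taken as two or more, an assumption, since the page gives no number); the consequence and likelihood ranks and the Low/Medium/High cut-offs are a constructed risk matrix used only for illustration, not the matrices the page's figures show.

```python
# Added example, not from the original document: applying the scales above to
# turn an observed event rate into a frequency word and then into a risk
# class. Frequency thresholds follow the page's semi-quantitative bands; the
# ranks and the Low/Medium/High cut-offs are a constructed matrix.

# Page's semi-quantitative bands as events per year: [lower, upper).
# 'Regularly = several times per year' is taken as 2 or more events per year
# (an assumption; the page gives no number).
FREQUENCY_BANDS = (
    ("Possible",     0.0,    1 / 30),
    ("Occasionally", 1 / 30, 1 / 3),
    ("Frequently",   1 / 3,  2.0),
    ("Regularly",    2.0,    float("inf")),
)

# Constructed ranks in the page's order of severity and likelihood.
CONSEQUENCE_RANK = {"Minor": 1, "Major": 2, "Fatal": 3, "Catastrophic": 4}
LIKELIHOOD_RANK = {"Unlikely": 1, "Possible": 2, "Occasionally": 3,
                   "Frequently": 4, "Regularly": 5}


def events_per_year_from_interval(mean_interval_years: float) -> float:
    """Event frequency from the average interval between events."""
    if mean_interval_years <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / mean_interval_years


def mean_interval_years(events_per_year: float) -> float:
    """Average interval between events from a rate (inverse of the above)."""
    if events_per_year <= 0:
        raise ValueError("rate must be positive")
    return 1.0 / events_per_year


def frequency_word(events_per_year: float) -> str:
    """Map a numeric rate onto the page's frequency words."""
    if events_per_year < 0:
        raise ValueError("rate cannot be negative")
    for word, lower, upper in FREQUENCY_BANDS:
        if lower <= events_per_year < upper:
            return word
    raise AssertionError("bands cover every non-negative rate")


def risk_class(consequence: str, likelihood: str):
    """Constructed matrix: rank product -> Low (<=4), Medium (<=9), High (>9)."""
    score = CONSEQUENCE_RANK[consequence] * LIKELIHOOD_RANK[likelihood]
    if score <= 4:
        return "Low", score
    if score <= 9:
        return "Medium", score
    return "High", score


def assess(consequence: str, events_per_year: float):
    """Full path: numeric rate -> frequency word -> risk class and score."""
    word = frequency_word(events_per_year)
    cls, score = risk_class(consequence, word)
    return word, cls, score


if __name__ == "__main__":
    # The two worked numbers from the text.
    print(f"once in 10 years -> {events_per_year_from_interval(10):.2f}/yr")
    print(f"1e-4/yr -> interval {mean_interval_years(1e-4):.0f} years")
    # The page's two risk items, with constructed rates that fall in the
    # stated bands.
    for item, consequence, rate in (("Risk item no. 1", "Major", 0.1),
                                    ("Risk item no. 2", "Minor", 0.5)):
        word, cls, score = assess(consequence, rate)
        print(f"{item}: {consequence} / {word} -> {cls} (score {score})")
```

The half-open bands matter at the edges: a rate of exactly once in 30 years is "Occasionally", not "Possible", which is the kind of boundary decision a real risk matrix has to state explicitly so that two assessors classify the same hazard the same way.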

Figures (not reproduced in the transcript): Risk matrix example 1; Risk matrix example 2; Scales of consequence; Risk classification of accidents.