Safety System/Emergency Shutdown System (ESD) P2
Post on 14-Dec-2015

So what is the SIL achieved by the function? Clearly it is not unique, but depends on the hazard and in particular whether the demand rate for the hazard implies low or high demand mode.

SIL is a measure of the SIS performance related only to the devices that comprise the SIS. This measure is limited to device integrity, architecture, testing, diagnostics, and common mode faults inherent to the specific SIS design. It is not explicitly related to a cause-and-effect matrix, but it is related to the devices used to prevent a specific incident.

Further, SIL is not a property of a specific device. It is a system property; input devices through logic solver to output devices.

Finally, SIL is not a measure of incident frequency. It is defined as the probability (of the SIS) to fail on demand (PFD). A demand occurs whenever the process reaches the trip condition and causes the SIS to take action.

The new ANSI/ISA S84.01 standard requires that a target safety integrity level (SIL) be assigned for all safety instrumented system (SIS) applications.

The assignment of the target SIL is a decision requiring the extension of the process hazards analysis (PHA) process to include the balance of risk likelihood and severity with risk tolerance.

Since SIL 4 is rarely used, SIL 3 is typically the highest specified safety level. Of the three commonly used levels, SIL 3 has the greatest required safety availability (RSA) and therefore the lowest average probability of failure on demand (PFD). Required Safety Availability (RSA) is the fraction of time that a safety system is able to perform its designated safety function when the process is operating.

A determination of the target safety integrity level requires:

1. An identification of the hazard involved.

2. An assessment of the risk of each identified hazard; in other words, how bad is each hazard and how often is it expected to occur.

3. An assessment of other Independent Protection Layers (IPLs) that may be in place.

[Slide tables not reproduced in the transcript: "Risk Level Factors Based On Frequency" and "Risk Level Factors Based On Severity"]

Safety Architectures

Several system architectures are applied in process safety applications, ranging from single-channel systems to triple-redundant configurations. Control engineers must choose the architecture that best matches the operating process safety requirements, accounting for failures within the safety system itself.
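As an added illustration (not from the slides), the Python below ties together the PFD and RSA definitions from the SIL slides with the architecture choice discussed here: it computes the simplified average PFD for a single-channel (1oo1), dual (1oo2) and triple-redundant (2oo3) logic solver built from the same device, maps it to the low-demand SIL bands of IEC 61508 / ANSI/ISA S84.01 (assumed from the standard, not listed on the slides), and reports the resulting RSA. The failure rate and proof-test interval are constructed sample values, and the PFD formulas are the standard simplified approximations that ignore common-cause failure.

```python
# Added example, not from the slides: simplified SIL/PFD/RSA arithmetic for the
# architectures discussed (1oo1 single channel, 1oo2, 2oo3 triple redundant).
HOURS_PER_YEAR = 8760.0

# Low-demand PFDavg bands (SIL, lower bound, upper bound) from IEC 61508 /
# ANSI/ISA S84.01; assumed from the standard, not stated on the slides.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def demand_mode(demands_per_year: float) -> str:
    """IEC 61508: low demand mode if the SIS is called on at most once a year."""
    return "low" if demands_per_year <= 1.0 else "high"


def pfd_avg(lambda_d: float, proof_test_years: float, arch: str) -> float:
    """Simplified PFDavg (common-cause term ignored) for a voting architecture.

    lambda_d: dangerous undetected failure rate of one channel, per hour.
    proof_test_years: proof-test interval T_I in years.
    """
    x = lambda_d * proof_test_years * HOURS_PER_YEAR  # lambda_D * T_I, dimensionless
    formulas = {"1oo1": x / 2.0, "1oo2": x ** 2 / 3.0, "2oo3": x ** 2}
    if arch not in formulas:
        raise ValueError(f"unsupported architecture {arch!r}")
    return formulas[arch]


def sil_from_pfd(pfd: float):
    """Return the SIL whose low-demand band contains pfd, or None if outside all bands."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def rsa(pfd: float) -> float:
    """Required safety availability: fraction of time the SIS can act on demand."""
    return 1.0 - pfd


if __name__ == "__main__":
    # Constructed sample device: lambda_D = 5e-6 per hour, proof tested once a year.
    lam, t_years = 5e-6, 1.0
    print("demand mode at 0.2 demands/yr:", demand_mode(0.2))
    for arch in ("1oo1", "1oo2", "2oo3"):
        p = pfd_avg(lam, t_years, arch)
        print(f"{arch}: PFDavg={p:.2e}  RSA={rsa(p):.5f}  SIL={sil_from_pfd(p)}")
```

With the sample device the same hardware reaches SIL 1 as 1oo1, SIL 2 as 2oo3 and SIL 3 as 1oo2, which is the slide's point that SIL is a property of the system architecture rather than of any single device.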

One concern is that many safety systems in operation, or under construction, do not follow basic protection principles. Unsafe practices include:

• Performing the safety shutdown within the basic process control system (BPCS) or distributed control system (DCS).

• Using conventional programmable logic controllers (PLCs) in safety-critical applications. (Safety PLCs, by contrast, are certified for safety-critical applications up to SIL 2 and SIL 3.)

• Implementing single-element (non-redundant) microprocessor-based systems on critical processes.

The conventional PLC architecture provides only a single electrical path. Sensors send process signals to the input modules. The logic solver evaluates these inputs, determines whether a potentially hazardous condition exists, and energizes or de-energizes the solid-state output. (Fire and gas detection systems, for example, use the “energized to trip” philosophy.)

Suppose the safety system de-energizes the output to move the process to a safe state. Suppose also that one of the components in the single path fails so that the output cannot be de-energized. Then the conventional PLC won’t provide its desired safety protection function.


A special class of programmable logic controllers, called safety PLCs, represents an alternative. Safety PLCs provide high reliability and high safety via special electronics, special software, pre-engineered redundancy, and independent certification.

The safety PLC has input/output circuits designed to be fail-safe, using built-in diagnostics. The central processing unit (CPU) of a safety PLC has built-in diagnostics for memory, CPU operation, watchdog timer, and communication systems.


• Accurately evaluating the safety level for a specific control device in the context of a potential hazardous event poses a major and difficult problem for many control engineers. Associations and agencies worldwide have made considerable progress toward establishing standards and implementation guidelines for safety instrumented systems. These standards attempt to match the risk inherent in a given situation to the required integrity level of the safety system.

• Unfortunately, many of these guidelines and standards are not specific to a particular type of process and deal only with a qualitative level of risk. Control engineers must use considerable judgment in evaluating risk and applying instrumentation that properly addresses established design procedures with budget restraints.

Typical Applications

A fault-tolerant control system identifies and compensates for failed control system elements and allows repair while continuing its assigned task without process interruption. A high-integrity control system is used in critical process applications that require a significant degree of safety and availability. Some typical applications are:

1- Emergency Shutdown
2- Boiler Flame Safety
3- Turbine Control Systems
4- Offshore Fire and Gas Protection

1- Emergency Shutdown

A safety instrumented system provides continuous protection for safety-critical units in refineries, petrochemical/chemical plants and other industrial processes. For example, in reactor and compressor units, plant trip signals (for pressure, product feed rates, expander pressure equalization and temperature) are monitored and shutdown actions taken if an upset condition occurs.

Traditional shutdown systems implemented with mechanical or electronic relays provide shutdown protection but can also cause dangerous nuisance trips. Safety instrumented systems provide automatic detection and verification of field sensor integrity, integrated shutdown and control functionality, and direct connection to the supervisory data highway for continuous monitoring of safety-critical functions.

2- Boiler Flame Safety

Process steam boilers function as a critical component in most refinery applications. Protection of the boiler from upset conditions, safety interlocks for normal startup and shutdown, and flame safety applications are combined in one integrated safety instrumented system.

In traditional applications, these functions had to be provided by separate, non-integrated components. But with a fault-tolerant, fail-safe integrated controller, the boiler operations staff can use a critical resource more productively while maintaining safety at or above the level of electromechanical protection systems.

3- Turbine Control Systems

The control and protection of gas or steam turbines requires high integrity as well as safety. The continuous operation of the fault-tolerant integrated controller provides the turbine operator with maximum availability while maintaining equivalent levels of safety.

Speed control as well as start-up and shutdown sequencing are implemented in a single integrated system. Unscheduled outages are avoided by using hot spares for the I/O modules. If a fault occurs in a module, a replacement module is automatically activated without operator intervention.

4- Offshore Fire and Gas Protection

The protection of offshore platforms from fire and gas threats requires continuous availability as well as reliability. The safety instrumented system provides this availability through online replacement of faulty modules; field wiring and sensors are managed automatically by built-in diagnostics.

Analog fire and gas detectors are connected directly to the controller, eliminating the need for trip amplifiers. An operator interface monitors the fire and gas systems as well as diagnostics for the controller and its attached sensors.

Traditional fire and gas panels can be replaced with a single integrated system, saving costly floor space while maintaining high levels of safety and availability.