1 What is Functional Safety, SIF, SIS

1

Functional Safety

Copyright © 2012 IHS Inc.

Safety

2


Functional Safety (per IEC 61508 definition)• Part of the overall safety relating to the process

and the Basic Process Control System (BPCS) which depends on the correct functioning of the SIS and other protection layers.

• Is determined considering the system as a whole.

• Has to consider the environment with which it interacts .

Function Safety


Example of Functional Safety: Over-temperature protection device of an electric motor to de-energise the motor before overheat.

Example of non-Functional Safety: Providing specialised insulation to withstand high temperatures

Functional Safety vs. Non-Functional Safety

3


LIC

1

LIC

2

LCV1

LCV2

PCV

PSV

Gas & LiquidFeed

To Flare

SeparatorVessel

V-1@

300 psig

SeparatorVessel

V-2@

50 psig

Flash Gas

LiquidEffluent

3"

3"Bypass

LG1

LAH

1

Offgas toCompressor

10" Line

12" Line

Plant FieldOperator

STEP Example: Schematic for Gas Compression Train

4"Line 6"Line

Demister

LAHH

1

I

Com pressor ShutdownInterlock

Example of Functional Safety: High level protection device to prevent liquid carry over from vessel to compressor


Safety Functions

Safety functions are implemented by safety related systems such as:

• Safety Instrumented System (SIS)

• Safety related technology, e.g. PSV

• External risk reduction facilities, e.g. Drain system, dike

which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event

4


Determine Necessity of Functional Safety

• First, consider inherent safety through design tocontrol hazards

• Perform Hazard and Risk Assessment (H & RA)

1. Identify Hazards

2. Evaluate Risk

3. Determine Risk reduction

4. Identify Safety Functions

Hazard and Risk Assessment determines necessity of functional safety


Functional Safety - Example

PAH1

PSH1

PCV2

safety trip on flam efailure

Natural G as

FC V 1 M ainLine

FC V 2 P ilotLine

Flam eDetector

Interlockshuts

FCV-1 andFCV-2

Burners

Com bustionC ham ber

Exam ple: S im plified D iagram of gas fired furnace

5


Suppose that a process plant has a large fired heater.

• HA identifies that the combustion chamber could explode if there is a buildup of unburned gas and air after a loss of flame event.

• This could happen if the gas supply is not shut off as soon as the flame is lost.

A Safety Function is needed: Flame detection sensorsthat will

• trip out the main and pilot gas supplies as soon as theflame is lost and

• start the purge timer to prevent startup of the pilotflame for a specified period of time.



Hazards & Risk Assessment: Ensures that the safety integrityof the safety function is sufficient so no one is exposed to anunacceptable risk associated with the hazardous event.

The following are evaluated:

Severity

Likelihood

Safety Integrity

Potential damage due to explosion

Frequency of a flame out incident

that leads to explosion


6


To summarize :

Hazard Analysis identifies what has to be done

Risk assessment determines safety integrity of safety system required to reduce the risk to an acceptable level

What safety function has to be performed?

What degree of certainty is necessary that the safety function will be carried out ?

Functional Safety


Challenges in Achieving Functional Safety

• High complexity

• Difficult to predict safety performance

Designing in a way to prevent dangerous failures or to control them when they arise is a challenge. Dangerous failures : Failure which has the potential to put the safety instrumented system in a hazardous or fail-to-function state.

Functional Safety

7


Dangerous failures may arise from:

• Software errors;

• Common cause failures;

• Human error;

• Environmental influences

• Supply system voltage disturbances

• Incorrect specifications

• Omissions in the safety requirements specification

• Random hardware failure mechanisms

• Systematic hardware failure mechanisms

IEC 61508 contains requirements to minimise these failures

Functional Safety

Safety Instrumented Function & Safety Instrumented System

8


Safety Instrumented System

• Safety Instrumented Systems:

Instrumentation or controls

that are installed for the purpose of mitigatingthe hazard or bring the process to a safe state in the event of a process upset.


Safety Instrumented System

Think

Measure Response

9


Safety Instrumented Function

• ANSI/ ISA-84.00.01-2004 (IEC 61511 Mod) defines SIF as a:

“ Safety function with a specified Safety Integrity Level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function”



• Instrumented loops that address a specific risk

• It intends to achieve or maintain a safe state for the specific hazardous event.

• A SIS may contain one or many SIFs and each is assigned a Safety Integrity Level (SIL).

• As well, a SIF may be accomplished by more than one SIS.

10


Examples of SIF in Process Industry

• Flame failure in the furnace initiates fuel gas ESDVs to close

• High fuel gas pressure initiates fuel gas ESDV (Emergency shutdown valve)

• High level in the vessel initiates Compressor shut down

• Loss of cooling liquid to reactor trips isolation and depressurization of reactor


Safety Integrity

• Average probability of a SIS satisfactorily performing the required SIF(s) under all the stated conditions within a stated period of time.

• There are 4 levels.

• Measure by failure rate in the dangerous mode of failure or the probability of a SIF failing to operate on demand.

11


Safety Integrity Levels: Probability of failure on demand


Safety Integrity Levels

• What is PFD?

• It is statistical representation of the integrity of the SIS when a process demand occurs.

• A demand occurs whenever the process reaches the trip condition and causes the SIS to take action.

12


Safety Integrity Levels: frequency of dangerous failures of the SIF


When HA has determined that the • mechanical integrity of the process equipment

• the process control and

• other protective equipment

are insufficient to mitigate the potential hazard.

Then, one should consider installing Safety Instrumented System as an additional means for risk reduction.

When would SIS be required?

13


SIS Design Requirements

What are you trying to achieve when you design a

SIS ???

Meet Standards & Regulations

Fail Safe

Minimize Falsely Trip

Detect Dangerous

Failures

Meet Functional Safety

Requirements

Design Manual Testing

Procedure

Cost Effective

SIS Versus BPCS

14


Two Phase Separator

To Compressor,C 130

To Flare

LSHH214

LT214

LT213

LC213 LCV

213

ESDV172

I

V 180

PSV170

ShutdownCompressor

C 130

Two-phase flowhydrocarbons

LAHH214


Two Phase Separator

To Compressor,C 130

To Flare

LSHH214

LT214

LT213

LC213 LCV

213

ESDV172

I

V 180

PSV170

ShutdownCompressor

C 130


LAHH214

SIS: Monitors a process variable (Level in this case) and initiates action when required (trips ESDV 172 and shutdown compressor C130)

BPCS: Maintain a process variable within prescribed limits (Level in this case)

15


Two Phase Separator

To Compressor,C 130

To Flare

LSHH214

LT214

LT213

LC213 LCV

213

ESDV172

I

V 180

PSV170

ShutdownCompressor

C 130


LAHH214

SIS: Hard to detect failure. Typically operates on static boolean variables.

BPCS: Signals are dynamic; easier to detect failures, e.g. out of range signals, flat line outputs etc.


Safety Control vs. Process ControlProcess Control Safety Control

Control type Active, complex Passive, simple, direct acting

Functions Maintain variables within a range. Obtain best performance from the process within safe limits.

Monitor a process variable which is strictly defined. Designed to guard the system against hazardous events.

Control Modes Auto, manual, supervisory Auto, no manual interventions, no external command levels

Communication between devices

Open systems, Use Fieldbus

Limited, specialized. Difficult with bus networks

Setting Changes Easy to make, password protected configurable parameter changes

Parameter changes is strictly controlled and password protected.

Diagnostics Limited Can be intensive and needs proof testing

Redundancy Required to maintain high availability

Required to maintain high reliability

16


SIS and BPCS-Examples

• BPCS failure modes• Control valve output high

• Process parameter indication high

• Control valve output low

• Process parameter indication low

• Process parameter erratic indication

• SIS failure modes• Fail to operate on

demand

• Spuriously operation

• Function delayed


SIS and BPCS

• How SIS can affect operating conditions?

• Example:

• Centrifugal compressor

• Operating speed- 5000 rpm

• Over speed trip- 5500 rpm

17


SIS and BPCS

SIS operating condition

Process Protection Available

Failure indication

Normal Normal at 5000 rpm

Yes at 5500 rpm

Not applicable

Fail safe Shut down of compressor, speed 0 rpm

Not applicable

Yes, High speed trip indication

Fail danger Normal at 5000 rpm

NO at 5500 rpm

Not without diagnostic


Safety Instrumented Functions and Other Functions


Documents

1 What is Functional Safety, SIF, SIS