CONTENTS Web viewFUNCTIONAL DESIGN OF SAFETY INSTRUMENTED SYSTEMS Functional Safety for the Process...

24 november 2004, 14:42

DSM

SHEP 4.4.3-4.1PracticeIssue: 2009-11Page: of 38

CONTENTS

1 Purpose2 General information2.1 Approach2.2 SIL of safety instrumented systems2.2.1 Requirements preliminary to design and assessment2.2.2 Contribution of normal process control to SIL 2.3 Make-up3 Pertaining documents4 Terms and definitions4.1 Abbreviations4.2 Definitions5 Applicability6 Requirements6.1 Design6.2 Reliability of equipment6.2.1 General6.2.2 Classification as type A and type B equipment6.2.3 Diagnostic Coverage factor (DC) and Safe Failure Fraction (SFF) of equipment6.3 PFD and architectural constraints requirements6.3.1 General6.3.2 PFD and architectural constraints (to IEC 61508) for safety instrumented systems using type A

elements6.3.3 PFD and architectural constraints (to IEC 61508) for instrumented systems using type B elements6.4 Testing6.5 Common cause6.6 Selection of standard instrumented safety functions6.7 Effectiveness6.8 Prevention of spurious trips6.9 Assessment of existing safety instrumented systemsAppendix 1Appendix 2Appendix 3

This document contains annotations (bold and between brackets) toward the aspects: LAW, SHE and BEST PRACTICE; these annotations are informative.

1 PURPOSE

The purpose of this document is to define guidelines for safety instrumented systems. The methodology is laid down in this document can also be used for assessment of existing safety instrumented systems.

© DSM Limburg bv 2023This document is DSM Limburg bv property; copying, reproduction or disclosure to third parties is subject to written authorisation.

FUNCTIONAL DESIGN OF SAFETY INSTRUMENTED SYSTEMS

Functional Safety for the Process Industry

Issue: 2008-09 Page: 2 DSM SHEP 4.4.3-4.1

2 GENERAL INFORMATION

2.1 APPROACH

[SHE] Process hazards are identified in a number of Risk Assessment studies. The risk graph method (SHE Requirements Annex 3) is used for establishing the Risk Level (RL) of the scenario, based on the probability of loss of containment of such scenario.

[SHE; integrity] Process safety is assured by allocating safety provisions, ao safety instrumented systems.

The following technologies shall be used:

a. Re-Design (Inherently safe(r) design);b. Mechanical Safety Provisions (rupture discs, relief valves, flame arrestors, restrictions);c. Instrumental Safety Provisions (Safety instrumented systems);d. Procedural Safety Provisions.

The approach reflected in this guideline is in accordance with the IEC61511.

2.2 SIL OF SAFETY INSTRUMENTED SYSTEMS

2.2.1 Safety Requirement Specification

Requirements preleminairy to the design and assessment are listed in the Safety Requirement Specification (SRS).

Objective

To specify the requirements for the safety instrumented function(s)

The SIS requirements should be expressed and structured in such a way that they are:

clear, precise, verifiable, maintainable and feasible; and

written to aid comprehension by those who are likely to utilize the information at any phase of the life cycle

SRS Input is a team effort). The SIL Required as specified in the SRS shall meet the risk reduction allocated to the SIS.[SHE; requirements on safety provisions] The following information as a minimum shall be the input for the SRS:

description of consequences and effects

Identification numbers of scenario’s

description of scenario(s)

classification & justification (C=, F=, P=, W=, RL)

Process Safety Time

Allocation safety provisions M / I / P

For each SIF:


SIL required

SIF process measurements (Tag codes) and their trip points (accuracy)

SIF process output actions (Tag codes)

criteria for successful operation, e.g. requirements for leakage of valves, freezing, fouling, crystallisation, polymerisation.

Functional relationship between SIF inputs and outputs and any required permissives (Functional Logic Diagrams)

The information is to be transferred in the SRS format as given in Appendix 4.

2.2.2 Design and engineering Safety Instrumented System

Requirements prelieminairy to the design and assessment are listed in the SRS.

Objective

The objective of the requirements is to design one or multiple SIS to provide the safety instrumented function(s) and meet the specified safety integrity level(s).

General requirements

The requirements as mentioned in the SHE Req. Chapt 8 Annex 5A and 5C shall be followed.

The design of the SIS shall be in accordance with the SIS safety requirements specifications, taking into account all the requirements of this clause.

Where the SIS is to implement both safety and non-safety instrumented function(s) then all the hardware and software that can negatively affect any SIF under normal and fault conditions shall be treated as part of the SIS and comply with the requirements for the highest SIL.

Design details can be found in the Guideline Safety Instrumented Systems SHEP 4.4.3-5.1 .

For a conveniant workproces the following toolboxes and materials are available. ???????

SIS Toolbox

SHE Practices

BG accepted Instrument List

Safety Requirement Specification


2.2.3 Contribution of normal process control to Rl SIL risk level reduction.

BEST PRACTICE; background information]In the risk graph technique the contribution of process control to the SIL is factored in through the W scale.The frequency of occurrence on the W scale shall take account of the presence of effective process control systems (basic control, override control, constraint control, on-off control, operator actions etc.).

[SHE; guidance note] For more detail consult RAT “equipment under control” (under construction)

(table: proposal DNP Thomas Meier-Künzig)Variante-1 (simple) W3 W2 W1Low process control QU-standard, e.g.: not documented evidence of System-hardware-IQ, System-OQ, no alarm-system, self-revealing interlocks, no

RL a

Medium process control QA-standard RL ahigh process control QA-standard RL a

RL-1

Variante-2 (detailed) W3 W2 W1HardwareGaps in System wiring diagram (installation changes not 100% documented), and IQ, no or unknown document-history

x

No fail-safe principle (no life-zero, no Drahtbruch) xSystem wiring diagram up to date, with redlined manual updates and document history

x

Fail-safe principles (life-zero, de-energized, OFF=safe position) xSystem wiring diagram up-dates after minor updates, and after changes of irreversible/no-self revealing interlocks, document-management-system

x

Fail-safe principles (life-zero, deenergized, OFF=safe position,)System-HW-HAZOP present

x

SoftwareNo documented or unknown System-OQ, xdocumented System-OQ, track changes xdocumented System-OQ, audit-trail, automated track changes xno alarm-system, no (manual) Alarm tracking in “Schichtbuch” logbook xStandard alarm system on DCS-screen / alarm printer, Alarm history xHigh-end alarm system on DCS-screen / alarm printer, Alarm history including operator-ID logged

x

No or unknown Change management of software, “spaghetti-code” xChange management of software, modular-code in context of plant- and functional- design

x

SW-segregation-concept, widely used, modular-code in context of plant-designseparated logics for safety-, interlock logics, redundancy & diversity of interlock-triggers and final-elements fail-safe principles of SW-designChange management of software, tested and documented evidence of changes, audit trail,System-SW-HAZOP present,

X

Sum of ticks n.A. n.A. Below 5, W2

All safety provisions are left out of consideration here during scenario definition in HAZOP studies


[BEST PRACTICE; SHE]It is recommended that effective and robust process control systems be put in place enabling the process to be kept on-stream as long as possible so preventing unnecessary downtime.

If the prime function of control loops is to reduce the frequency in the W scale, such loops shall be included in a documentation system, an administration system and an inspection system so that proper performance is assured.

2.3 Make-up

[BEST PRACTICE; background information ]A safety instrumented system is made up of five elements:

[a.] Media contact of process to Sensor Sensor, incl. communication with logic solver;a.[b.] Logic solver;b.[c.] Final element, incl. communication with logic solver. Media contact of process c.[d.] Supporting provisionsd.[e.] Utilities

3 PERTAINING DOCUMENTS

This SHEP is inextricably related to the following standardizing documents:

- SHEP 1-20.1 Classification of safety systems in Safety Integrity Level (SIL) using the risk graph technique based on loss of containment. It also deals with the allocation and technology of safety systems for all defined scenarios;

- SHEP 4.4.3-5.1 Guideline for safety instrumented systems; - SHED 4.1-25.1.2 Instrument List - Auxilary systems ????????- Supporting provisions ???????- SHEP 4.4.3-8.1 Verification of safety instrumented systems in existing plants- RP 4.3-11.9-1.1 Calibrating and testing- SHEP 4.4.3-10.1 Verification of safety instrumented systems in new projects 4 TERMS AND DEFINITIONS

4.1 ABBREVIATIONS

RL = Risk LevelSIL = Safety Integrity LevelSRS = Safety Requirement SpecificationSIF = Safety Instrumented FuctionSIS = Safety Instrumented SystemFLD = Functional Logic DiagramsDC = Diagnostic CoveragePFD = Probability of Failure on DemandAK = AnforderungsKlasseOOR =Out Of Rangen.a. =not acceptable >> n/a= not applicable

>>> confusion !oo = out ofSFF = Safe Failure FractionQA = quality assurance?

4.2 DEFINITIONS

Safety Integrity LevelA discreet level (1,2,3 or 4) for specifying the safety integrity requirements that have to be performed by the applied safety instrumented systems, to anticipate of a specific scenario.


AnforderungsKlasseAK denotes the integrity level of each component in a safety circuit and is based on DIN 19250.The relationship between SIL and AK is as follows.SIL denotes the integrity level of a safety circuit as a whole.The relationship between SIL and AK is shown below.

SIL AK PFD PLinvullen

Mean Probability of a dangerous failure per hour

SIL to IEC 61508

a 1 a >10-5 till < 10-4 No special safety requirement

1 2.3 <10-1 b >3 *10-6 till <10-5 12 4 <10-2 c >*10-6 till < 3 10-

5 1

3 5.6 <10-3 d >10-7 till < 10-6 24 7 <10-4 e <10-8 till < 10-7 3b 8 n.a.

========================================================

Hold tabellen integreren Germaanse tekst weg=========================================================Probability of Failure on DemandThe average probability that a safety provision fails on the moment that there is an appeal to the system.

Diagnostic Coverage factorThe DC factor is equal to the percentage of decrease in the probability of dangerous failure resulting in an automatic diagnostic test and the feed back of not properly funtion.

SFFThe Safe Failure Fraction (SFF) is the ratio of the mean probability of safe failure plus detected unsafe failure to the total mean probability of safe and unsafe failure.

Common cause (ß)A common cause of failure in a redundant equipment of process control and/or safety instrumented system.

SensorDetecting element (including process connections, sensors, transmitters, convertor, wiring, input cards, etc.) included in a safety instrumented system capable of establishing whether the process operates within acceptable limits.E.g. thermocouples, pressure transmitters, emergency shut-down switches and pH meters.

OOR-alarm

The OOR –alarm from an analog signal in a SIS case has as function to give straight a fault signal to the operator indicating the reduced availability during the repair time.


Logic solverA decision-making element in a safety instrumented system which effects a final element.

Final elementA final controlling element (including output cards, output relays, solenoid valves and cabling) included in a safety instrumented system. E.g.: valves, trip circuits for rotating equipment, alarm systems.

For definitions not included in this list, refer to IEC 61508 Part 4.

5 APPLICABILITY

This EP shall be applicable to all new safety instrumented systems, and those to be modified, that are classified to prevent loss of containment. (LOC) The design guide is used in the judgment of these precautions

6 REQUIREMENTS

6.1 DESIGN

[SHE] Safety instrumented systems shall be designed as follows:

List the requirement in the SRS

a. Establish the equipment features that affect performance reliability;

1. classify the equipment into TYPE A or TYPE B (Section 6.2.2);2. the Diagnostic Coverage factor (DC) / Safe Failure Fraction (SFF) (Section 6.2.3);

b. Determine the PFD and architectural constraints to IEC 61508 for the required SIL (Section 6.3);c. Determine the test interval (Section 6.4);d. Identify common causes (Section 6.5);e. Select a standard safety instrumented system that meets the given SIL (Section 6.6). Where deviating

parameters and configurations are used, consultation shall take place with the specialist on how the required PFD is to be achieved;

f. Design an instrumented safety system that protects against the defined scenario (Section 6.7);g. Consider adding measures preventing spurious trips (Section 6.8).

6.2 RELIABILITY OF EQUIPMENT

6.2.1 General

[SHE] The elements of a safety instrumented system shall be approved for the appropriate SIL or equivalent AK. The reliability is henceforth expressed as TYPE A or TYPE B in combination with the SFF.

SHEP 4.1-25.1.2 " Instrument List " states the class (TYPE A or B), the SFF and the SIL or AK.Equipment not included in this SHED shall be classified in consultation with the administrator of this SHP, i.e. DSM SHE&M GMCC Plant Automation -

6.2.2 Classification as type A and type B equipment

[SHE] The elements of a safety instrumented system, such as the sensor, logic solver, final element and auxiliary equipment shall be classified as TYPE A or TYPE B in accordance with the following statements.

TYPE A elements


An element is classified as TYPE A if it is suitable for the intended application and meets the following requirements.

based on Section 2 of IEC 61508:

- the failure mode of each component in the element must be known AND;- the failure mode of the sub-system (the element ) as a whole must be completely clear AND ;- reliable failure data gained in practice must indicate that the element performs satisfactorily.

OR

- based on "Proven in use":- the failure mode of the element is known from practice covering at least 10,000 service hours in at least

two years AND ; - the element has been used in that period in at least ten different applications without a single failure AND;- all failures have been recorded.

Example: An element giving satisfactory performance over a period of five to ten years is type "A".

TYPE B elements:

These are elements suitable for the intended application but fail to meet the requirements of TYPE A .

Examples include:

- elements whose failure modes are not accurately known from practice;- complex and high maintenance elements (e.g. analyzers);- elements of which little or no experience is available

- Instrumented software with limited experience

6.2.3 Diagnostic Coverage factor (DC) and Safe Failure Fraction (SFF) of equipment

[SHE] The DC factor is equal to the percentage of decrease in the probability of dangerous failure resulting in an automatic diagnostic test and the feed back of not properly function.

DC=ΣλDDΣλD

DD is the probability of unsafe detected failure (Dangerous Detect).D is the probability of unsafe failure (Dangerous).

No DC: DC < 60% No or limited automatic feedback on satisfactory or unsatisfactory performance of the element.

Low DC: 60 < DC < 90% Limited automatic feedback on satisfactory or unsatisfactory performance of the element.

Medium DC: 90 < DC < 99% Substantial automatic feedback on satisfactory or unsatisfactory performance of the element.

High DC: DC > 99% Almost complete automatic feedback on satisfactory or unsatisfactory performance of the element.

The Safe Failure Fraction (SFF) is the ratio of the mean probability of safe failure plus detected unsafe failure to the total mean probability of unsafe failure.


DC=ΣλDDΣλD

DD is the probability of unsafe detected failure (Dangerous Detect).D is the probability of unsafe failure (Dangerous).

No DC: DC < 60% No or limited automatic feedback on satisfactory or unsatisfactory performance of the element.

Low DC: 60 < DC < 90% Limited automatic feedback on satisfactory or unsatisfactory performance of the element.

Medium DC: 90 < DC < 99% Substantial automatic feedback on satisfactory or unsatisfactory performance of the element.

High DC: DC > 99% Almost complete automatic feedback on satisfactory or unsatisfactory performance of the element.

The Safe Failure Fraction (SFF) is the ratio of the mean probability of safe failure plus detected unsafe failure to the total mean probability of unsafe failure.

6.3 PFD AND ARCHITECTURAL CONSTRAINTS REQUIREMENTS

6.3.1 General

[SHE] The following tables list the PFD and architectural constraints to IEC 61508 for safety instrumented systems based on:

- The required SIL;- TYPE A or TYPE B elements;- SFF.

-

-

6.3.2 PFD and architectural constraints (to IEC 61508) for safety instrumented systems using type A elements

[SHE]

SIL SFF<60% 60%<SFF<90% 90%<SFF<99% SFF >=99% PFDa 1 oo 1 1 oo 1 1 oo 1 1 oo 11 1 oo 1 1 oo 1 1 oo 1 1 oo 1 < 10-1

2 1 oo 2 1 oo 1 1 oo 1 1 oo 1 < 10-2

3 1 oo 3 1 oo 2 1 oo 1 1 oo 1 < 10-3

4 n.a. 1 oo 3 1 oo 2 1 oo 1 < 10-4

b n.a. n.a. n.a. n.a. n.a.

n.a. = not acceptable oo = out of

6.3.3 PFD and architectural constraints (to IEC 61508) for instrumented systems using type B elements

[SHE]


SIL SFF<60% 60%<SFF<90% 90%<SFF<99% SFF >=99% PFD- 1 oo 1 1 oo 1 1 oo 1 1 oo 1a 1 oo 1 1 oo 1 1 oo 1 1 oo 11 1 oo 2 1 oo 1 1 oo 1 1 oo 1 < 10-1

2 1 oo 3 1 oo 2 1 oo 1 1 oo 1 < 10-2

3 n.a. 1 oo 3 1 oo 2 1 oo 1 < 10-3

4 n.a. n.a. 1 oo 3 1 oo 2 < 10-4

b n.a. n.a. n.a. n.a. n.a.

n.a. = not acceptable oo = out of

6.4 TESTING

[BEST PRACTICE; SHE]Automatic diagnostic tests do not cover the entire safety instrumented system. Manual testing by verifying the measured value and conducting a functional test is (remains) necessary, as are preventive measures such as valve refurbishment and cleaning.

[SHE] Test intervals at the loop level needed to achieve the required SIL for standard safety instrumented systems are specified in Appendix 3.

6.5 COMMON CAUSE

[BEST PRACTICE; achtergrond background informatione]Common cause means a common cause in the failure of process control systems and the safety instrumented system and/or of redundant elements.

[BEST PRACTICE; standaardizsatione, bedrijfservaring experience en and SHE]The following countermeasures are recommended:

- Applying diversity as to technology, supplier and type;- Using different input and output cards and individual rather than common fusing of power supply systems;- Preventing plugging by means of flushing and preventing freezing by means of winterizing, etc.

[SHE] The diversity required by IEC 61508 for standard safety instrumented systems is indicated in Appendix 2.[BEST PRACTICE; SHE]The designs of the standard safety instrumented systems in Appendix 2 are based on approx. 5% common cause.

6.6 SELECTION OF STANDARD INSTRUMENTED SAFETY FUNCTIONS

[BEST PRACTICE; standardization, experience and standaardisatie, bedrijfservaring en SHE]A number of standard safety instrumented systems functions have been worked out (Appendix 2).These functions meet the PFD and architectural constraints to IEC 61508 and the general technology requirements stated in Appendix 1 for each SIL .These data are based on standard DSM failure data and reduction factors for instrumentation.In addition, test intervals at the loop level are stated; these enable the PFD requirements to be met (Appendix 3).Any deviating configuration shall preferably be designed in consultation with the administrator of this SHEP, i.e., DSM CSHE&M GMCC Plant Automation -

PRIOR IN USE AND PROVEN IN USE

6.7 EFFECTIVENESS

[SHE] Safety instrumented systems shall be designed to be effective especially in respect of the scenario and related process parameters, process dynamics, test intervals and process operation:


a. Process dynamics: The scenario imposes requirements as to the response time of the safety instrumented system, e.g. its ability to perform a particular function within x seconds. For more details see DSM Standard SHP 4.4.3-5.1 Appendix 1 Re / Par. 5.4.3;

b. Application aspects: Depending on the fluid pressure, temperature and the risk of crystallization, suitable measures may need to be taken such as purging, flushing, tracing and monitoring of these systems;For more details refer to RP integrity control of impuls lines in a SIL application.

c. Scenario: choice of measurement technology and final element;d. Wherever practical, safety instrumented systems shall fail safe in the event of a fault developing (e.g. loss

of auxiliary energie; e.g. loss of energy supply, short-circuit or broken-wire e. Unmonitored signal connections shall normally fail safe, i.e. the system shall be de-energized to trip on

loss of power or loss of signal;f. Circuits with analogue sensors having self-diagnostics (e.g. Out Of Range detection, utility monitoring)

shall be provided with:

1. for SIL 1 and SIL 2 : Integrity alarm and a procedure for correcting the fault;2. for SIL 3 : Integrity alarm, a time-dependent shut-down and a procedure for correcting the fault.

g. In exceptional cases it is better to opt for an energize-to-trip system. In that case the de-energized circuit shall be monitored (signal monitoring, continuity check).

In addition, suitable instructions and procedures shall be put in place.

6.8 PREVENTION OF SPURIOUS TRIPS

[BEST PRACTICE; verhogen beschikbaarheid installatieincrease availability of the installation ]Elements of safety instrumented systems shall be duplicated or triplicated for enhanced reliability. This, however, increases the frequency of spurious trips. Spurious trips can be avoided by using a 2 out of 3 configuration in place of a 1 out of 2 configuration.

6.9 ASSESSMENT OF EXISTING SAFETY INSTRUMENTED SYSTEMS

[SHE] Existing safety instrumented systems shall be assessed as to the following points:

a. Compare the safety instrumented systems with the configurations in Appendix 2 "Standard safety instrumented systems" and Appendix 1 "General design requirements and recommendations";

b. Compare the specified reliability figures of the elements:

1. classify as TYPE A or TYPE B (Section 6.2.2);2. the Safe Failure Fraction (SFF) (Section 6.2.3);

c. Test intervals (Section 6.4 and Appendix 3). d. Common cause failure (Section 6.5);e. Effectiveness of the loop (Section 6.7).

Compare the SIL so determined with the required SIL.

[BEST PRACTICE; standardization, experience andstandaardisatie, bedrijfservaring en SHE]If a particular architecture fails to meet the PFD and architectural constraints relating to a SIL, the PFD can in principle be decreased in three ways:

a. Increasing reliability through the use of TYPE A elements, increasing the DC factor , increasing the degree of redundancy;

b. Reducing the test intervals. Where necessary, test intervals of less than one year shall be avoided by modifying the safety instrumented system;

c. Reducing common cause failure where it exceeds 5%.


APPENDIX 1 GENERAL DESIGN REQUIREMENTS AND RECOMMENDATIONS


Nr Design Requirements SIL:

Recommendations SIL:

a 1 2 3 4 a 1 2 3 41 [BEST PRACTICE; standardization, experience

andstandaardisatie, bedrijfservaring en SHE]Install a pre-alarm if the operator is in a position to take corrective action in time.

x x x x

2 [SHE] All sensors in safety instrumented systems shall have an audio-visual alarm.

x x x x

3 [BEST PRACTICE; standardization, experience and standaardisatie, bedrijfservaring en SHE]An audio-visual alarm of a safety instrumented system may not be self-resetting.

x x x x

4 [BEST PRACTICE; increase availability of the installation verhogen beschikbaarheid installatie]The selected technology must allow periodic testing (accessibility reach, override, calibration valves, etc.).

x x x x

5 [SHE] Common cause failure of a process control function and a safety instrumented system shall be prevented wherever possible.

x

x

x

x

6 [SHE] Solenoids on control valves must be placed between the valve positioner and the valve motor and shall have sufficient relieving capacity.

x

x

x

x

7 [SHE] The switch action of a safety instrumented system may not be self-resetting.

x x x x

8 [BEST PRACTICE; standardization, experience and standaardisatie, bedrijfservaring en SHE]Install an alarm if the operator can be relied upon to respond as per instruction. Otherwise, assign SIL a. (see 10)

9 [BEST PRACTICE; kostenbesparingcost reduction]One and the same sensor may be used for the alarm and for process control.

10 [BEST PRACTICE; standardization, experience and standaardisatie, bedrijfservaring en SHE]Automatic binary intervention by the safety instrumented system is required, preferably in conjunction with a solenoid valve.

x

11 [BEST PRACTICE; cost reductionkostenbesparing]The process control system may be used as a logic solver.

x

12 [SHE] One and the same transmitter may be used for control purposes and for a SIL a system if the dangerous failure of the transmitter is not negative to cause the scenario to take place.

x

13 [SHE] The valve may be a solenoid-operated control valve, if valve failure will not initiate the scenario in question and no demand is made on the safety instrumented system.

x

x

x

x

14 [SHE] Automatic binary intervention by the safety instrumented system is required.

x x x

15 [SHE] A safety instrumented system shall be fully segregated from process control systems (for the same function).

x

x

x

16 [SHE] SIL 1 or AK 2/3 logic solvers shall be in the form of a relay, PLC, solid state, or magnetic core,

x


with a certificate issued by a notified body*.

Nr Design Requirements SIL:

Recommendations SIL:

a 1 2 3 4 a 1 2 3 417 [SHE] SIL 2 or AK 4 logic solvers shall be in the form

of a relay, PLC, solid state, or magnetic core, with a certificate issued by a notified body*.

x

18 [SHE] SIL 3 or AK 5/6 logic solvers shall be in the form of a relay, PLC, solid state, magnetic core, with a certificated issued by a notified body*.

x

19 [SHE] Diverse redundancy shall be applied, i.e. diverse technologies, makes and types, in order to reduce common cause failures to a minimum.

x

x

x

20 [BEST PRACTICE; standardization, experience and standaardisatie, bedrijfservaring en SHE]The requirements according to Appendix 2 Section 3.1.

21 [BEST PRACTICE standardization, experience and ; standaardisatie, bedrijfservaring en SHE]The requirements according to Appendix 2 Section 3.2.

x

22 [BEST PRACTICE; standardization, experience and standaardisatie, bedrijfservaring en SHE]The requirements according to Appendix 2 Section 3.3 and 3.4.

x

23 [BEST PRACTICE; standardization, experience and standaardisatie, bedrijfservaring en SHE]The requirements according to Appendix 2 Section 3.5 and 3.6.

x

24 [BEST PRACTICE; standardization, experience andstandaardisatie, bedrijfservaring en SHE]The requirements according to Appendix 2 Section 3.7 and 3.8.

x

25 [SHE] The requirements according to Appendix 3 for the concerning SIL.

x x x x

26 [SHE]A purely instrumented solution is not acceptable. Change the design to obtain a lower SIL.

x

28 [BEST PRACTICE; standardization, experience and standaardisatie, bedrijfservaring en SHE]Deviations in consultation with the administrator of this Standard. (DSM TechnoPartners, Plant Automation - Equipment Dept.).

x

x

x

x

* A Notified Body is e.g.: TÜV, FM (Factory Mutual in the USA) and UL (Underwriters Laboratories Inc. in the USA, Canada and Japan).


APPENDIX 2

STANDARD INSTRUMENTED SAFETY FUNCTIONS[BEST PRACTICE; standardization, experience and standaardisatie, bedrijfservaring en SHE]

1 GENERAL

A number of standard safety instrumented systems functions are detailed below for the following elements:

- TYPE A and TYPE B with; - Approx. 5% common cause and; - Various SFFs.

These functions meet the PFD and architectural constraints to IEC61508 for the various SILs as well as the general design requirements stated in Appendix 1.

2 SYMBOLS USED

3 STANDARD INSTRUMENTED SAFETY FUNCTIONS


3.1 SIL -; TYPE A OR TYPE B ELEMENTS

3.2 SIL a; TYPE A OR TYPE B ELEMENTS


3.3 SIL 1--PFD 10-1; TYPE A ELEMENTS


3.4 SIL 1--PFD 10-1; TYPE B ELEMENTS


3.5 SIL 2--PFD 10-2; TYPE A ELEMENTS


modified

Verbinding naar X ontbreekt 2.1 moet worden 2.2 en de oude 2.1 laten bestaan


Calculations in DCS x-y .v instead of the PLC 2.1 moet worden 2.2 en de oude 2.1 laten

bestaan To be modified


3.7 SIL 3--PFD 10-3: TYPE A ELEMENTS

Process

Sensors

LOGIC SOLVERSIL 3

Typical SIL 3A_1.1

DIVERS

DIVERS

Final Elements

from DCS

Process Pipe

.EV

.PV

XEV

XPV

DIVERS

DIVERS

e.g.PUMP/

COMPRESSORE-

MOTOR

DIVERS

Type A SFF<60%

SAFETY Type A SFF<60%

Type A SFF<60%SAFETY Type A

SFF<60%

Type A SFF<60%

SAFETY Type A SFF<60%

Acceptable,if dangerous failure of control valve

is not part of the scenario


2.1 is OK 2.2 ontbreekt echter maken



introduce SIL 3 Tuningfork Ioop@


DNP Grenzach, calculations of Loop-typicals


APPENDIX 3

TEST INTERVALS[BEST PRACTICE; background information]achtergrond informatie]

The loop configurations shown below are often used in safety instrumented system designs. Each loop may be adapted for the following services: flow, pressure, level, temperature, speed, vibration, position etc.

1 SINGLE LOOP CONFIGURATIONS[BEST PRACTICE; background information]achtergrond informatie]The loops need to be adapted to suit the architectural constraints mentioned in Appendix 2.

2 DEVICE TYPE, Required SiL and the Acceptable TEST INTERVALS[SHE] Test intervals have been determined for each loop configuration based on TYPE A elements and a common cause b of approx. 5 % with which the required PFD can be met. A distinction is made between full loop tests and partial loop tests. The former is preferred and should preferably be conducted under normal operating conditions if the process allows. Permissible test intervals are tabulated below in two main columns:

- Full loop test:

• test intervals for verification functional test of the entire loop are indicated for each SIL;

- Partial loop test:

• test intervals for verification of functional test of the sensor circuit are stated in the sensor column;• test intervals for functional test of the logic solver plus the final element (trip test) are stated in the

appropriate columns

Permissible test intervals shown are dependent on the loop configuration for each SIL.


TEST INTERVALS (year)

Full loop test Partial loop testCONFIGURATION SIL 1 SIL2 SIL3 SIL 1 SIL2 SIL3

SENSOR CIRCUIT LOOP loop loop loop sensor logic solver

+ final

element

sensor logic solver

+ final

element

sensor logic solver

+ final

elementPressure electronic a 2 1 1 1 4 1 4 1 4Pressure with OOR-alarm

a 2 2 2 2 4 2 4 1 4

Flow electronic a 1 1 1 1 4 1 4 n.a. n.a.Flow with OOR-alarm a 2 2 1 1 4 1 4 1 4Level electronic a 2 2 2 2 4 2 4 1 4Level with OOR-alarm a 2 2 2 2 4 2 4 1 4Temperature electronic b 1 1 1 1 4 1 4 n.a. n.a.Temperature with OOR-alarm

b 2 1 1 1 4 1 4 1 4

Pressure switch c 2 2 1 1 4 1 4 1 4Flow switch c 2 1 1 1 4 1 4 1 4Temperature switch c 2 2 2 2 4 2 4 1 4Level switch c 1 n.a. n.a. n.a. n.a. n.a. n.a. n.a. n.a.Smart Level switchPressure switch card d 2 1 1 1 4 1 4 n.a. n.a.Flow switch card d 1 1 1 1 4 1 4 n.a. n.a.Level switch card d 2 2 2 2 4 2 4 1 4Temperature switch e 1 1 n.a. 1 4 1 4 n.a. n.a.

OOR = Out of Range.n.a. = not acceptable. Check with MSD work 2004

[BEST PRACTICE; background information]achtergrond informatie]Assumptions made:

- Test intervals must not last longer than four years;- Test intervals must not be shorter than one year; if they are (indicated by n.a. = not acceptable), it is

recommended to redesign the safety instrumented system;- Test intervals stated for SIL3 are heavily dependent on the value of ß; ß=0.002 for completely diverse ,

ß=0.02 for partly diverse and ß=0.2 for non-diverse;- ß = 0.002 has been entered for SIL3.

[BEST PRACTICE; standardization, experience andstandaardisatie, bedrijfservaring en SHE]Note on SILa and SIL-:The recommended test intervals are four years for the functional loop test, verification of measured value and functional testing of the logic solver and the final element provided the application allows. Where the process fluid has a strongly fouling effect or may crystallize, the test intervals shall be shortened so that proper performance is assured.

General note:

- Full loop test under normal operating conditions is to be preferred if the process allows;- If this is not practicable under normal operating conditions, the same test should be carried out during the

next turnaround;- If this is not practicable either, run a partial test of the sensor during normal operation in combination with a

test of the logic solver plus the final element during a turnaround..

The test should include a check on the availability and operation of ancillary systems such as tracing, purges, insulation, mechanical interlocks of bypasses and the like.


Test procedures are specified in RP 4.11.9-1.1 "Calibration and testing ".

Check calibration of sensors.The interval at which the calibration of sensors is checked need not be linked to the functional test period of the sensor circuit. Instead, this interval is to be determined on basis of maintenance experience regarding drift, wear, ageing, etc.

Appendix 4 Grenzach typicals

DNP Grenzach, calculations of Loop-typicals


Architecture of a Safety Instrumented System including instrument specification


Insert Checklist SRS DSM verplaatsen naar Guidance note Resins

General SIF Requirements

Ref Attribute Detaila) Identity {reference to the SIF overview like SIF 3.2}

b) Description {like:ratio between Air and Nitrogen to Reactor R24}

c) P&ID {Drawing number of the P&ID}

d) Functional Logic Diagram {Drawing number of the Functional Logic diagram}

e) Equipment {like R-24}

f) Safe State {like: Stop heating/Start Cooling/Stop feeding/Stop dosing/De-Pressurize}

g) Demand Source {Air/N2 flow ratio deviation fail due to pipe blockage}

h) Demand Rate 0.01 per year

i) Mode of Operation Low Demand

(≤ 1pY)High Demand /

Continuous (>1pY)

j) Integrity Requirements

Impact Integrity Level RRF

Safety 1 10-100

Environment - -

Commercial a 0-10

k) Required Integrity Level Overall 1 10-100

l) Additional Mitigation Yes

m) SIF Proof Test Interval 24 months

n) Process Safety Time > 60 seconds

o) Process Response TimeAfter action is fullfilled > 60 seconds

p) Overall Response Time 30 seconds

q) Pocess Overrides Yes

r) Related Interlock {DCS interlocks to prevent process disorder}

s) Max. Spurious Trip Rate Less than -t) Protection Method De-Engerize to Trip

u) Manual Shutdown No

v) Maintenance Overrides No

w) Trip Reset Manual

x) Mission Time 20 Years

y)

Specific requirements related to procedures for starting and restarting the SIS

{Program auto reset only during start-up logic solver.

Close a contolve inline with safety valve}


Ref Attribute Detailz) Special Requirements {………………………………….}

aa) Non-safety actions {……………………………….. }

SIF Schematic

The functional relationship of the sensor, logic solver and final elements is represented in the following diagram.


SIF Sensor RequirementsThe sensor subsystem groups are voted as follows;

Ref Attribute Detaila) Voting 1oo2

The SIF consists of the following sensor groups.

SIF Sensor Group 1The main features of this sensor group are as follows;

Ref Attribute Detaila) Group Type Pressure

b) Voting 1oo2D

c) Action High Tripd) Trip setting {Value of the tripsetting eng. Units like >10 Barg}

e) MTTR 4 Hours

f) Proof Test Interval 12 months

g) Common Cause Sources

Same device Same environment

Same sensing point

Similar technology

Human Factors {other}

h) Beta Factor (ß) -

i) Proof Test Coverage >90% & <100%

j) Wire Diagnostics No

k) Process Connection

Clean Service Remote Seal

Impulse – Low Impulse – Med

Impulse - High Thermocouple

RTD {other}

l) Interface Ex(i) barrier Panel

m) Degraded Voting - Fail None

n) Degraded Voting - Override None

o) Environmental Extremes None

p) Start requirements None

q) Re-Start requirements None

r) Supporting provisions {like: E-tracing, jacketing, flushing, purching, isolation, }

s) Other Special requirements {Specify special requirements}

t) Notes {Fill in additional info when needed}

The components within this group are detailed as follows:


Tag Type P&ID Model / Data Sheet Fail Action MOS

{sensor tag} {AI / DI}

{enter P&ID drawing number}

{enter model/type/supplier}

{High or Low}

{Yes /No}

, 27-10-09,


SIF Logic Solver RequirementsThe logic solver subsystem groups are voted as follows;


The SIF consists of the following logic solver groups.

SIF Logic Solver Group 1The main features of this logic solver group are as follows;

Ref Attribute Detaila) Group Type HIMA

b) Voting 1oo2

c) MTTR 4 Hours

d) Proof Test Interval Lowest proof tests interval of a SIFe) Unsafe Process condition Not Applicable

f) Unsafe Process states Not Applicable

g) Common Cause Sources


Same power source Similar technology


j) Beta Factor (ß) Not Applicable

k) Proof Test Coverage 100% after a restart

l) Diagnostics Manufacturer standardm) Degraded Voting - Fail None

n) Degraded Voting - Override None

o) Start requirements None

p) Re-Start requirements None

q) Other Special requirements {like: Powering and physical location separated from control}

r) Notes {Fill in additional info when needed}


Tag Model / Data Sheet{Tags logic solvers} SLS1508 , DeltaV SIS


SIF Final Element RequirementsThe final element subsystem groups are voted as follows;


The SIF consists of the following final element groups.

SIF Final Element Group 1The main features of this final element group are as follows;

Ref Attribute Detaila) Group Type Interface Relay 24V DC

b) Voting 1oo2

c) Action Open

d) MTTR 8 Hours

e) Proof Test Interval 24 months

f) Common Cause Sources


Same power source Same action point

Same wiring route Similar technology


j) Beta Factor (ß) -

k) Diagnostics None

l) Process Connection Tight Shut-off leak class IV Severe service

m) Interface

n) Degraded Voting - Fail Yes

o) Degraded Voting - Override None

p) Environmental Extremes None

q) Start requirements None

r) Re-Start requirements {like: Powering and physical location separated from control}

s) Supporting provisions {like: E-tracing, jacketing, flushing, isolation, }

t) Other Special requirements {Fill in additional info when needed}

u) Notes {Fill in additional info when needed}



Tag Type P&ID Model / Data Sheet Fail Action Reset

{final element tag}

{DO or

AO}{enter P&ID ref} {enter

model/type/supplier} Close Manual

CONTENTS Web viewFUNCTIONAL DESIGN OF SAFETY INSTRUMENTED SYSTEMS Functional Safety for the Process...

Documents

Transcript of CONTENTS Web viewFUNCTIONAL DESIGN OF SAFETY INSTRUMENTED SYSTEMS Functional Safety for the Process...