
Features CEW

Over the years, process plants have been designed in complex ways, thereby resulting in a manifold increase in automation. This article will provide insights on the concept of safety in plants, why it is required, and its difference from earlier adopted procedures. Many steps to achieve maximum safety in process plants are detailed in the article.

The process plant industry has witnessed a number of serious accidents that have resulted in the development of guidelines to achieve functional safety in process plants. Automation not only controls plant operations and enhances production capacity, but also helps in achieving maximum safety.

Various layers are adopted to achieve safety in process plants. They are classified in two categories, namely:
Prevention Layers: Intended to prevent release of hazard (Figure 1).
Mitigation Layers: Intended to mitigate consequence of hazard if it is released (Figure 2).

One of the important layers is the Safety Instrumented System in a process plant. In plain terms, safety is to be achieved through an instrumented system that involves sensors to measure a parameter, a logic solver to analyse, and a final control element to achieve the safe state. If instrumentation is to be used for safety, then it is essential that it achieves certain minimum standards and performance levels. The more familiar terminology is SIL (Safety Integrity Level).

Need for SIL

Simply stated, SIL involves analysing and designing instrumented systems to avoid unwanted incidents, while protecting human life. However, it is also sometimes extended to protect assets and the environment.

Basic Terminologies

Risk is Likelihood of Event TIMES Severity of Consequences.
SIL is a measure of the amount of risk reduction required.
Safety Instrumented Function (SIF) consists of a sensor, logic solver and final control element that are used to achieve the required risk reduction.

Difference between HAZOP and Functional Safety (SIL)

A commonly asked question is how SIL is different from HAZOP. A HAZOP (Hazards & Operability) study is carried out

Figure 1: Prevention Layers for Safety in Process Plants

Figure 2: Mitigation Layers for Safety in Process Plants

www.cewindia.com

February 2012 69

for identifying, among other reasons, where a safety instrumented function (interlock) is required to prevent or mitigate various hazardous situations (Table 1).

SIL Classification is the process of estimating the risk if interlocks identified during HAZOP fail to operate as desired. It essentially defines the risk benchmarks that are identified as SIL 1, 2, 3 and 4. The higher the SIL, the higher the risk, and the more risk reduction needs to be achieved through the safety instrumented function.

SIL Verification is the process of providing proof of design of the Safety Instrumented Function. It means designing the Safety Instrumented Function (interlock) to achieve the required risk reduction by selecting components (sensors, logic solver, final control element) in terms of redundancy of sensors, logic solver and final elements, and reliability.

Connecting Risk to SIL: SIL Classification

A key aspect of this process is to estimate the risk and connect it to the SIL benchmarks. There are various published methods such as Risk Graph, LOPA, etc. Readers can refer to IEC 61511 Part 3 for details of the same. A risk matrix basically consists of a cross-matrix between likelihood and consequences. During SIL classification, each safety instrumented function is analysed in terms of likelihood and consequences if the safety instrumented function fails to perform its intended action. Accordingly, a SIL number is decided.

Another key and complex aspect of process safety is identification of the Safety Instrumented Function (SIF). Generally, an interlock function consists of many sensors and final elements. It is essential to identify them correctly and define the success criteria; otherwise it leads to under- or over-design and adds complications during SIL verification. Readers may note that it is not possible to elaborate the steps here, and are advised to obtain key inputs from a HAZOP report.

To summarise, SIL Classification consists of identification of the SIF, identification of the cause of upset/initiating event, determining the probability of occurrence, estimating consequence and severity, and using predetermined risk benchmarks to determine SIL. If it is decided to determine SIL for asset and environment along with safety, then a maximum of three is considered as target SIL.

SIL Verification

For each SIL number, a target average Probability of Failure on Demand (PFDavg) is defined in the standards. Total PFD is calculated for the Safety Instrumented Function (SIF) based on the PFD value of each component of the SIF (Table 2).

PFD (Total) = PFD (Sensor 1,2,3 etc) + PFD (logic solver) + PFD (Valves 1,2,3 etc).

PFD (Total) shall be less than the target PFDavg as defined for the SIL number determined during SIL classification. If not, then more reliable instruments are to be selected and/or redundant instruments are to be added. The actual process of SIL verification is far more complex and this article is intended to provide an explanation to facilitate understanding of the basic concept. In addition to PFD calculations, criteria of architectural constraints and systematic capability are to be satisfied.

Selection of SIF Components

One of the major constraints during execution is the availability of failure data (PFD). There are very few devices (sensors and valves) that are designed as per established standards where failure data is available. Users have to depend more on using field devices that have been proven in use. For logic solvers, most manufacturers can supply certified systems. A certified system is generally referred to as an Emergency Shutdown System (ESD). One key aspect to keep in mind while selecting components is that only instruments that have been used in industry for a certain period can be used as SIF components. Failure data is available from FMEDA reports for specific instrument models and suppliers. If FMEDA reports are not available, then generic data published by various agencies can be used.

Informative Sources For Further Details

The International Standard IEC 61508: Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems (7 parts) - Generic Standard.
The International Standard IEC 61511: Functional Safety - Safety Instrumented Systems for the process industry sector (3 parts) - Sector Specific Standard.
OISD-Std-152: Safety Instrumentation For Process System In Hydrocarbon Industry.

Conclusion

There are always a few questions raised, and these may include the need for adoption of the SIL process, especially when plants have been running without it for many years. Happily, many companies have understood the advantages of a properly designed safety system. The activity takes care not only of designing system requirements during engineering, but also involves lifecycle requirements like validation and assessment during the lifecycle of the plant. Properly designed safety systems will definitely result in safe and reliable plants, while eliminating the extent of tragic events that involve loss of human life, asset and environment.

Author Details
Rajanish D Lokhande
Head of Instrumentation
UHDE India Private Limited
E-mail: rd.lokhande@thyssenkrupp.com

HAZOP: Identification of Interlocks
SIL Classification: Risk Benchmarks (SIL 1, SIL 2, SIL 3)
SIL Verification: Proof of Design (Failure rates of instruments, Redundancy in instrument design)

Table 1: Difference between HAZOP and Functional Safety (SIL)

Sr. No. | Safety Integrity Level (SIL) | Probability of Failure on Demand (PFDavg)
1 | SIL 4 | 0.0001 to 0.00001
2 | SIL 3 | 0.001 to 0.0001
3 | SIL 2 | 0.01 to 0.001
4 | SIL 1 | 0.1 to 0.01

Table 2: Calculated PFDavg standard per each SIL no.
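
The SIL verification check described in the article (sum the component PFDs, compare with the Table 2 limit, add redundancy if the target is missed), worked through as an added example that is not part of the original article. It goes beyond the text by using the widely published simplified voting equations for PFDavg; the failure rates, the one-year proof test interval and all function names are assumptions constructed for illustration.

```python
# Added example with constructed failure rates; not from the article.
# Table 2 bands from the article: SIL -> (lower, upper) limit of target PFDavg.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

def pfd_group(lambda_du, test_interval_h, voting="1oo1"):
    """Simplified PFDavg of one group of identical devices.

    lambda_du is the dangerous undetected failure rate per hour.
    Assumption: common cause, diagnostics and repair time are ignored.
    """
    x = lambda_du * test_interval_h
    formulas = {"1oo1": x / 2, "1oo2": x ** 2 / 3, "2oo2": x, "2oo3": x ** 2}
    return formulas[voting]

def pfd_total(sif, test_interval_h):
    """PFD(Total) = PFD(sensors) + PFD(logic solver) + PFD(valves)."""
    return sum(pfd_group(rate, test_interval_h, voting)
               for rate, voting in sif.values())

def achieved_sil(pfd):
    """Highest SIL whose upper PFDavg limit is above the calculated PFD."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_BANDS[sil][1]:
            return sil
    return 0  # worse than the SIL 1 band

def verify(sif, target_sil, test_interval_h=8760):
    """Return (PFD total, achieved SIL, target met?) for one SIF.

    Only the PFD criterion is checked; architectural constraints and
    systematic capability must be assessed separately, as the article notes.
    """
    total = pfd_total(sif, test_interval_h)
    return total, achieved_sil(total), total < SIL_BANDS[target_sil][1]

# Constructed SIF: one transmitter, one logic solver, one shutdown valve.
BASE = {"sensor": (6e-7, "1oo1"),
        "logic_solver": (1e-8, "1oo1"),
        "valve": (2e-6, "1oo1")}
# Same SIF with a second, redundant shutdown valve (1oo2 voting).
REDUNDANT = dict(BASE, valve=(2e-6, "1oo2"))

if __name__ == "__main__":
    for name, sif in (("single valve", BASE), ("redundant valves", REDUNDANT)):
        total, sil, ok = verify(sif, target_sil=2)
        print(f"{name}: PFD={total:.2e}, achieved SIL {sil}, SIL 2 met: {ok}")
```

With these constructed rates the single valve dominates PFD (Total) and the SIF misses a SIL 2 target, while the redundant valve pair brings the total inside the SIL 2 band.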

