
SIS and SIS technology


Mary Ann Lundteigen
(mary.a.lundteigen@ntnu.no)
Updated Sept 2011

NTNU, RAMS, September 2007

Safety instrumented system (SIS)

[Figure: a SIS made up of pressure transmitters (sensors), a logic solver (PLC) linked to the control room, and a valve (final element)]


A SIS is a safety system that includes at least one electrical, electronic, or programmable electronic (E/E/PE) component. A SIS is used to perform one or more safety instrumented functions. A SIS is often split into three subsystems: sensors/inputs, logic solvers, and final elements/actuating devices. A SIS is also called an E/E/PE safety-related system.


Safety instrumented function (SIF)

[Figure: the same SIS, with the safety instrumented function running from the pressure transmitters through the logic solver (PLC) to the valve]

A SIF is a safety function that is performed by the SIS. A SIF is used to reduce risk below the stated acceptance criteria.


Equipment under control (EUC)


Equipment under control (EUC): equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities. In our context, an EUC is associated with some hazards or threats. An EUC in the process industry may be a process section. In the Norwegian petroleum industry (through OLF 070), we distinguish between:
- those protected by global safety functions
- those protected by local safety functions


Functional safety
Functional safety: part of the overall safety relating to the EUC and the EUC control system that depends on the correct functioning of the E/E/PE safety-related systems and other risk reduction measures (IEC 61508). It relates to the ability to protect vulnerable objects from damage in relation to an EUC, and relies on the ability of a SIS (and other safety barriers) to bring the EUC to a safe state, under normal situations and foreseeable fault situations.


Example functional safety

EUC: the car
To be protected: the driver and the passengers


Equipment under control (EUC)

[Two figure slides; images not preserved]

EUC risk and risk reduction

[Figure slide; image not preserved]

Risk reduction practices process industry


Layers of protection: These lines or layers serve to either prevent an initiating event (such as loss of cooling or overcharging of a material to a reactor, for example) from developing into an incident (typically a release of a dangerous substance), or to mitigate the consequences of an incident once it occurs

Layers of protection

See e.g. http://www.hse.gov.uk/research/misc/vectra3002017r02.pdf


Risk reduction practices process industry


Layers of protection, key requirements for an independent protection layer (IPL) (IEC 61511-3):
- Specificity: an IPL is designed solely to prevent or to mitigate the consequences of one potentially hazardous event (for example, a runaway reaction, release of toxic material, a loss of containment, or a fire). Multiple causes may lead to the same hazardous event, and therefore multiple event scenarios may initiate action of one IPL.
- Independence: an IPL is independent of the other protection layers associated with the identified danger.
- Dependability: it can be counted on to do what it was designed to do. Both random and systematic failure modes are addressed in the design.
- Auditability: it is designed to facilitate regular validation of the protective functions. Proof testing and maintenance of the safety system is necessary.
- Risk reduction of minimum 10 (or availability greater than 0.9).


Risk reduction practices


Defense in depth (nuclear industry):
Defense in depth consists in a hierarchical deployment of different levels of equipment and procedures in order to maintain the effectiveness of physical barriers placed between radioactive materials and workers, the public or the environment, in normal operation, anticipated operational occurrences and, for some barriers, in accidents at the plant.
(http://www-pub.iaea.org/MTCD/publications/PDF/Pub1013e_web.pdf)

Key strategies:
- Conservative design
- Control of operation
- Engineered safety features

(Some) additional features:
- Procedures for handling multiple failures
- Accident prevention strategies
- Emergency preparedness
- Diversity

Analysis of defense in depth: http://pbadupws.nrc.gov/docs/ML0718/ML071860536.pdf



Defense in depth levels

[Figure: defense in depth levels; image not preserved]
Source: http://www-pub.iaea.org/MTCD/publications/PDF/Pub1013e_web.pdf

Risk reduction practices

Risk reduction principles with machinery systems

[Two figure slides; images not preserved]

Mode of operation (IEC 61508)


- Low demand mode: where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is no greater than one per year.
- High demand mode: where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is greater than one per year.
- Continuous mode: where the safety function retains the EUC in a safe state as part of normal operation.


Mode of operation (IEC 61511)


- (On) demand mode: where a specified action (for example, closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the safety instrumented function, a potential hazard only occurs in the event of a failure in the process or the BPCS.
- Continuous (or high demand) mode: where, in the event of a dangerous failure of the safety instrumented function, a potential hazard will occur without further failure unless action is taken to prevent it.

Low demand if: no more than 1 demand per year.


Mode of operation: why is it important?


On demand: the failure is likely to have been corrected before the demand. The probability that an accident occurs in the presence of a SIS failure is the PFD.

[Figure: timeline with periodic proof tests (Test), periods marked "SIS ok" and "SIS failed", and a single demand]

High/continuous demand: it is less likely that the failure is revealed and corrected before the next demand, and the accident frequency is more or less the SIS failure frequency.

[Figure: the same timeline with many demands]
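As an added worked example (not from the slides), the Python below puts numbers on the two cases above. It assumes a single-channel SIS with a constant dangerous undetected failure rate lambda_du, proof tests every tau hours that reveal and repair the failure, and Poisson-distributed demands; the failure rate and demand rates in the usage are constructed values. It also generalises the slide's two limiting cases into one expression that covers the whole range of demand rates.

```python
"""Demand mode and hazard frequency of a single-channel SIS.

Added illustration, not from the lecture slides. Assumes one channel with
constant dangerous undetected failure rate lambda_du (per hour), proof tests
every tau hours that reveal and repair any failure, and Poisson demands.
"""
import math

HOURS_PER_YEAR = 8760.0

def mode_of_operation(demands_per_year):
    """IEC 61508 rule quoted on the slides: low demand when the demand
    frequency is no greater than one per year, otherwise high demand."""
    return "low demand" if demands_per_year <= 1.0 else "high demand"

def _fraction_before_next_test(rate_per_hour, tau_hours):
    """Probability that a Poisson event with the given rate occurs before the
    end of a test interval, for a start point uniformly spread over the
    interval: 1 - (1 - exp(-x)) / x with x = rate * tau."""
    x = rate_per_hour * tau_hours
    if x == 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x

def pfd_avg(lambda_du, tau_hours):
    """Average probability of failure on demand over one test interval: the
    mean of 1 - exp(-lambda_du * t) over t in [0, tau], which has the same
    form as above; for small lambda_du * tau it is about lambda_du * tau / 2."""
    return _fraction_before_next_test(lambda_du, tau_hours)

def hazard_frequency_per_year(lambda_du, tau_hours, demands_per_year):
    """Expected hazardous events per year: failures per year times the chance
    that a demand hits the failed channel before the next proof test.
    Low-demand limit: demands_per_year * pfd_avg (accident probability given
    a SIS failure is the PFD). High-demand limit: lambda_du * 8760, i.e. the
    SIS failure frequency, because demands reveal failures before tests do."""
    failures_per_year = lambda_du * HOURS_PER_YEAR
    demand_rate_per_hour = demands_per_year / HOURS_PER_YEAR
    return failures_per_year * _fraction_before_next_test(demand_rate_per_hour, tau_hours)

def risk_reduction_factor(pfd):
    """RRF = 1 / PFD; an IPL must provide at least 10 (PFD no greater than 0.1)."""
    return 1.0 / pfd

if __name__ == "__main__":
    lam, tau = 1.0e-6, HOURS_PER_YEAR  # constructed values, annual proof test
    print("PFD_avg=%.4f RRF=%.0f" % (pfd_avg(lam, tau), risk_reduction_factor(pfd_avg(lam, tau))))
    for demands in (0.1, 1000.0):  # constructed demand rates per year
        print(mode_of_operation(demands), "%.2e hazards/year" % hazard_frequency_per_year(lam, tau, demands))
```

With an annual proof test, the 0.1 demands/year case gives a hazard frequency close to demand rate times PFD, while the 1000 demands/year case gives roughly the failure frequency itself, about twenty times higher for the same hardware.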


Mode of operation
System (classified as Low D = low demand or High D = high demand):
- Emergency shutdown (ESD/NAS)
- Fire and gas detection (F&G/B&G)
- Process shutdown (PSD/PAS)
- High Integrity Pressure Protection System (HIPPS)
- Signalling system for railway
- Automatic safe load indicator (crane)
- Airbag system (car)
- Antilock braking system (ABS)
- Isolation of well (workover intervention)

Column entries as extracted (row alignment not preserved): Low D: x* x x x x*; High D: x x x* x x x*

*Mode may differ for different installations
