1. Technology Training that Works (www.idc-online.com/slideshare)
Safety Instrumentation – including Safety Integrity Levels (SILs)
by Steve Mackay
2. www.eit.edu.au
Thank You For Your Interest
If you are interested in further training or more information, please visit: http://www.idc-online.com/slideshare
4. Flixborough, England, June 1, 1974:
"It was a still, warm, sunlit afternoon. One moment the teacups were tinkling and the kettles whistling. The next moment, a blast of nightmarish intensity as the giant plant blew up and blotted out the sun." - Humberside Police Report
5. Nypro Chemical Works, Flixborough, UK, 1 June 1974
Cyclohexane vapour cloud ignited. Blast equivalent to 15 tons of TNT. 28 killed.
CAUSE: Faulty temporary piping design by a poorly qualified design team.
The accident led to the Control of Industrial Major Accident Hazards (CIMAH) Regulations, now superseded by COMAH.
6. Icmesa, Seveso, Italy (Lombardy, near Milan), 10 July 1976
1976: Trichlorophenol (TCP) is an intermediate used to produce the disinfectant hexachlorophene. An unexpected exothermic reaction caused pressure build-up and release of the dioxin by-product.
1983: 41 barrels containing the toxic residues go missing and are eventually found and incinerated in late 1985.
1995: Civil lawsuits still proceeding.
Resulted in the Seveso I Directive, which has influenced much subsequent legislation.
CAUSE: Management failure by all parties in the post-accident phase.
7. Three Mile Island, Pennsylvania, 28 March 1979: #2 Reactor. No deaths or injuries.
The term ‘cognitive overload’ was born. Raised awareness of HMI issues.
CAUSE: Inadequate control room instrumentation and poor emergency response.
8. Bhopal, India, Union Carbide, 3 December 1984
A dangerous chemical reaction occurred when a large amount of water got into the MIC storage tank #610. The exothermic reaction exploded the storage tank. 40 tons of methyl isocyanate spread for 2 hours 8 km downwind over the city of 900,000 inhabitants. More than 3,800 died and 11,000 were disabled.
CAUSE: Management failures + disabled safety systems.
Resulted in several governments passing legislation that required better accounting and disclosure of chemical inventories.
9. Milford Haven, UK, 24 July 1994: Texaco refinery
Refer to the HSE report on this incident - ISBN 0 7176 1413 1
CAUSE: Operators lacked adequate information on which to make decisions following an earlier incident. Contribution from alarm overload.
10. Sonat Exploration Company (now El Paso Production Co.), Louisiana, 4 March 1998: catastrophic vessel over-pressurisation, 4 killed.
CAUSE: Maloperation of the plant, no plant operating procedures, inadequate vessel relief devices, and absence of any process hazard analysis (PHA) on the original plant design.
11. BP Refinery, Texas City, TX: 23 March 2005
During the startup of the Isomerization Unit on Wednesday, March 23, 2005, explosions and fires occurred, killing fifteen and harming over 170 persons in the Texas City Refinery, operated by BP Products North America Inc.
13. Safety System Basics: The Safety Instrumented System
General abbreviation: SIS. AKA: trip system, shutdown system, instrumented protection system (IPS).
The SIS is an example of a Functional Safety System, meaning: safety depends on the correct functions being performed.
Functional safety: Part of the overall safety relating to the process and the BPCS which depends on the correct functioning of the SIS and other protection layers. (IEC 61511 clause 3.2.25)
14. Hardware components of a control loop
[Diagram: input devices (e.g. sensors / transmitters), PLC/controller, output devices / final elements (e.g. valves)]
15. Process Control versus Safety Control: separation of safety controls from process controls
[Diagram: Operating Equipment served by a Control System (DCS) and by a separate Protection System (SIS)]
16. Scope of a Safety Instrumented System (hardware and software)
[Diagram: Sensor, Logic Solver, Actuator]
17. Definition of a Safety Instrumented System (Fig 1.3)
[Diagram: Sensors, Logic Solver and Actuators, with an SIS User Interface and a connection to the Basic Process Control System]
3 sub-systems: each subsystem must meet the SIL target.
18. Safety System Basics
• All types of safety measures are intended to reduce the risk of harm to people, the environment and assets.
• The risks are due to the presence of HAZARDS: a hazardous process or procedure.
HAZARD: An inherent physical or chemical characteristic that has the potential for causing harm to people, property or the environment.
19. What Is Hazard and What Is Risk?
Hazard: An inherent physical or chemical characteristic that has the potential for causing harm to people, property, or the environment.
Risk: The combination of the severity and probability of an event.
20. Simple Shutdown System: Example 1. Basic tank level control with overflow hazard.
[P&ID: fluid feed to a tank; level transmitter LT 1 and level controller LC 1 driving, via an I/P converter, a fail-closed (FC) feed valve; pressure safety valve PSV; vapour hazard on overflow]
21. Simple Shutdown System (Fig 1.4)
[P&ID: the basic level loop of slide 20 (LT 1, LC 1, I/P, FC valve, PSV) plus an independent trip: level transmitter LT 2 to a Logic Solver, with high-high level alarm LAHH 2, level indicator LI 2, hand switch HS 2 for Reset, a Tripped Alarm, and AS to a second FC shutoff valve on the fluid feed]
FC = fails closed on loss of air pressure
22. Typical multiple stage plant trip and ESD system
[Diagram: Plant Emergency Shutdown Command; Stage 1 Trip (Stage 1 low level, Stage 1 high pressure); Stage 2 Trip (Stage 2 high level, Stage 2 high temperature); time delay; Stage 3 Trip (Stage 3 high level); Stage 3 tripped]
23. Risk reduction: the fast bowler (Fig 1.5)
If we can’t take away the hazard we shall have to reduce the risk: reduce the frequency and/or reduce the consequence.
Example: Brett Lee is the bowler: he is the hazard. You are the batsman: you are at risk.
Frequency = 6 times per over. Consequence = Ouch! Risk = 6 x Ouch!
Risk reduction: limit bouncers to 2 per over. Wear more pads. Risk = 2 x ouch!
24. Measurement of Risk
Qualitative: High, Low, Moderate. An effective measure if we all have the same understanding of the terms.
Quantitative: 1 in 10 years x 5 people hurt. Effective if you can guess the numbers.
25. Risk = Frequency of Event x Consequence
[Chart: Frequency plotted against Consequences (minor injury, serious injury, fatal); Risk is the product]
26. To Reduce Risk: Reduce Frequency or Consequence or do both
[Chart: same Frequency versus Consequences (minor injury, serious injury, fatal) plot, with Risk reduced along either axis]
27. Risk Reduction: Design Principles
[Flow diagram: Hazard Identified; Risk Estimated/Calculated; Tolerable Risk Established; Risk Reduction Requirement; Safety Function Defined; SIL Target Defined]
28. Safety Control systems act independently of the process or its control system to try to prevent a hazardous event.
[Diagram: Operating Equipment, Control System, SIS]
29. The SIS achieves risk reduction by reducing the frequency (likelihood) of the hazardous event. (Fig 1.7)
30. The amount of risk reduction achieved is indicated by the risk reduction factor: RRF.
31. The amount of risk reduction allocated to the SIS determines its “target Safety Integrity Level”, i.e. SIL.
32. Safety Integrity Levels (Fig 1.8)

SIL | RRF                 | Probability of Failure on Demand
----|---------------------|---------------------------------
 4  | >10 000 to <100 000 | >10^-5 to <10^-4
 3  | >1 000 to <10 000   | >10^-4 to <10^-3
 2  | >100 to <1 000      | >10^-3 to <10^-2
 1  | >10 to <100         | >10^-2 to <10^-1

Safety Integrity Level defines the degree of confidence placed in the ability of a system to provide functional safety. SIL values also indicate the quality of care and attention taken to avoid systematic errors in design and maintenance.
33. Intuitively, what does SIL mean?
• Statistical representations of the integrity of the SIS
• For example: SIL 1...
– SIS with availability of 90% is acceptable
– High level trip in a liquid tank
– Availability of 90% (10% chance of failure)
– One out of every 10 times the high level was reached, there would be a failure
– Subsequent overflow 1 out of every 10 times.
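As an added worked example (not part of the slides), the chain from slides 25 to 33 in Python: risk as frequency times consequence, the SIS lowering the event frequency by RRF = 1/PFDavg, and the RRF/PFD bands of Fig 1.8 fixing the target SIL. The demand and tolerable frequencies are constructed figures, and treating each band as including its lower bound and excluding its upper bound is an assumption the slide's table does not settle.

```python
# Added worked example (not from the slides): risk = frequency x consequence, the SIS
# cuts the hazardous-event frequency by RRF = 1 / PFDavg, and the RRF / PFD bands of
# Fig 1.8 give the SIL target. Assumption: bands include the lower bound, exclude the upper.
from typing import Optional, Tuple

# (SIL, lower RRF bound inclusive, upper RRF bound exclusive), per Fig 1.8
SIL_RRF_BANDS = [(4, 10_000, 100_000), (3, 1_000, 10_000), (2, 100, 1_000), (1, 10, 100)]

def pfd_from_rrf(rrf: float) -> float:
    """Average probability of failure on demand is the reciprocal of the RRF."""
    return 1.0 / rrf

def sil_from_rrf(rrf: float) -> Optional[int]:
    """Map an RRF onto SIL 1..4. None below RRF 10 (no SIL claim); an RRF
    beyond the SIL 4 band is refused rather than credited to a single SIS."""
    if rrf >= 100_000:
        raise ValueError("RRF %.0f is beyond SIL 4; redesign the protection layers" % rrf)
    for sil, low, high in SIL_RRF_BANDS:
        if low <= rrf < high:
            return sil
    return None

def sil_from_pfd(pfd: float) -> Optional[int]:
    """Same mapping entered from the PFD column (e.g. 95% availability -> 0.05)."""
    return sil_from_rrf(1.0 / pfd)

def required_rrf(demand_freq_per_year: float, tolerable_freq_per_year: float) -> float:
    """Risk reduction the SIS must deliver so the residual event frequency does not
    exceed the tolerable one (the SIS acts on frequency; mitigation layers on consequence)."""
    if demand_freq_per_year <= 0 or tolerable_freq_per_year <= 0:
        raise ValueError("frequencies must be positive")
    return demand_freq_per_year / tolerable_freq_per_year

def target_sil(demand_freq_per_year: float, tolerable_freq_per_year: float) -> Tuple[float, Optional[int]]:
    """Slide 27 flow: risk estimated, tolerable risk set, reduction requirement
    derived, SIL target defined."""
    rrf = required_rrf(demand_freq_per_year, tolerable_freq_per_year)
    return rrf, sil_from_rrf(rrf)

def residual_event_frequency(demand_freq_per_year: float, pfd: float) -> float:
    """Hazardous events per year that still get through: demands x PFD
    (slide 33: 10 demands at PFD 0.1 leaves 1 overflow)."""
    return demand_freq_per_year * pfd

if __name__ == "__main__":
    # Constructed figures: high level reached 0.5 times/year, tolerable
    # overflow frequency 1 in 10 000 years.
    rrf, sil = target_sil(0.5, 1e-4)
    print("required RRF %.0f -> SIL %s, PFDavg <= %.1e" % (rrf, sil, pfd_from_rrf(rrf)))
```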
34. If you are interested in further training, please visit:
IDC Technologies Short Courses: two-day practical courses available to the public: http://www.idc-online.com/slideshare
Editor's Notes
It's important to see that Risk is measured as the Frequency or Likelihood of the Hazardous event multiplied by the Consequence of the Event.
Hence a high frequency of minor injury accidents is regarded as just as bad as a low frequency of major or fatal accidents. This is no consolation to the next of kin! But it is true in statistical terms.
This means that risk can be reduced by measures that reduce the frequency or likelihood of the hazardous conditions, or by measures that reduce the consequences.
Reducing the frequency of occurrence is typically achieved by basic design features that make a plant or process as inherently safe as possible and by exposing the fewest possible persons to the hazard. These are then backed up by protection measures such as warning alarms and instrumented trip systems.
Reducing consequence is achieved through “Mitigation Layers” that provide after-the-event protection. These are likely to include providing breathing masks, fire fighting equipment, evacuation procedures and medical response plans.
These protection and mitigation measures are known as “Layers of Protection”, each contributing to the reduction of risk.