FUNCTIONAL DESIGN OF SAFETY INSTRUMENTED SYSTEMS
Functional Safety for the Process Industry
DSM SHEP 4.4.3-4.1, Practice, Issue: 2009-11

CONTENTS

1 Purpose
2 General information
2.1 Approach
2.2 SIL of safety instrumented systems
2.2.1 Requirements preliminary to design and assessment
2.2.2 Contribution of normal process control to SIL
2.3 Make-up
3 Pertaining documents
4 Terms and definitions
4.1 Abbreviations
4.2 Definitions
5 Applicability
6 Requirements
6.1 Design
6.2 Reliability of equipment
6.2.1 General
6.2.2 Classification as type A and type B equipment
6.2.3 Diagnostic Coverage factor (DC) and Safe Failure Fraction (SFF) of equipment
6.3 PFD and architectural constraints requirements
6.3.1 General
6.3.2 PFD and architectural constraints (to IEC 61508) for safety instrumented systems using type A elements
6.3.3 PFD and architectural constraints (to IEC 61508) for instrumented systems using type B elements
6.4 Testing
6.5 Common cause
6.6 Selection of standard instrumented safety functions
6.7 Effectiveness
6.8 Prevention of spurious trips
6.9 Assessment of existing safety instrumented systems
Appendix 1
Appendix 2
Appendix 3

This document contains annotations (bold and between brackets) toward the aspects LAW, SHE and BEST PRACTICE; these annotations are informative.

1 Purpose

The purpose of this document is to define guidelines for safety instrumented systems. The methodology laid down in this document can also be used for the assessment of existing safety instrumented systems.

2 General information

2.1 Approach

[SHE] Process hazards are identified in a number of Risk Assessment studies. The risk graph method (SHE Requirements Annex 3) is used for establishing the Risk Level (RL) of a scenario, based on the probability of loss of containment in that scenario.

[SHE; integrity] Process safety is assured by allocating safety provisions, among others safety instrumented systems.
The following technologies shall be used:
- Re-design (inherently safe(r) design);
- Mechanical safety provisions (rupture discs, relief valves, flame arrestors, restrictions);
- Instrumental safety provisions (safety instrumented systems);
- Procedural safety provisions.

The approach reflected in this guideline is in accordance with IEC 61511.

2.2 SIL of safety instrumented systems

2.2.1 Safety Requirement Specification

Requirements preliminary to the design and assessment are listed in the Safety Requirement Specification (SRS).

Objective: to specify the requirements for the safety instrumented function(s).

The SIS requirements should be expressed and structured in such a way that they are:
- clear, precise, verifiable, maintainable and feasible; and
- written to aid comprehension by those who are likely to use the information at any phase of the life cycle.

SRS input is a team effort. The SIL required as specified in the SRS shall meet the risk reduction allocated to the SIS.

[SHE; requirements on safety provisions] The following information as a minimum shall be the input for the SRS:
- description of consequences and effects;
- identification numbers of scenarios;
- description of scenario(s);
- classification and justification (C=, F=, P=, W=, RL);
- Process Safety Time;
- allocation of safety provisions M / I / P;
- for each SIF:
  - SIL required;
  - SIF process measurements (tag codes) and their trip points (accuracy);
  - SIF process output actions (tag codes) and criteria for successful operation, e.g. requirements for leakage of valves, freezing, fouling, crystallisation, polymerisation;
  - functional relationship between SIF inputs and outputs and any required permissives (Functional Logic Diagrams).

The information is to be transferred in the SRS format as given in Appendix 4.

2.2.2 Design and engineering of the Safety Instrumented System

Requirements preliminary to the design and assessment are listed in the SRS.

Objective: to design one or multiple SIS that provide the safety instrumented function(s) and meet the specified safety integrity level(s).

General requirements:
- The requirements as mentioned in the SHE Requirements Chapter 8, Annex 5A and 5C shall be followed.
- The design of the SIS shall be in accordance with the SIS safety requirements specification, taking into account all the requirements of this clause.
- Where the SIS is to implement both safety and non-safety instrumented function(s), all the hardware and software that can negatively affect any SIF under normal and fault conditions shall be treated as part of the SIS and comply with the requirements for the highest SIL.
- Design details can be found in the Guideline Safety Instrumented Systems, SHEP 4.4.3-5.1.

For a convenient work process the following toolboxes and materials are available: SIS Toolbox; SHE Practices; BG accepted Instrument List; Safety Requirement Specification.

2.2.3 Contribution of normal process control to RL / SIL (risk level reduction)

[BEST PRACTICE; background information] In the risk graph technique the contribution of process control to the SIL is factored in through the W scale. The frequency of occurrence on the W scale shall take account of the presence of effective process control systems (basic control, override control, constraint control, on-off control, operator actions etc.).

[SHE; guidance note] For more detail consult RAT "equipment under control" (under construction; table: proposal DNP Thomas Meier-Künzig).

Variant 1 (simple); cell values in the order W3 / W2 / W1:
- Low process control QA standard (e.g. no documented evidence of system hardware IQ and system OQ, no alarm system, self-revealing interlocks): no / RL a
- Medium process control QA standard: RL a
- High process control QA standard: RL a / RL-1

Variant 2 (detailed); the ticked column gives the W class to apply:

Hardware                                                                         W3  W2  W1
Gaps in system wiring diagram (installation changes not 100 % documented) and
  IQ; no or unknown document history                                             x
No fail-safe principle (no live-zero, no broken-wire detection)                  x
System wiring diagram up to date, with redlined manual updates and document
  history                                                                            x
Fail-safe principles (live-zero, de-energized, OFF = safe position)                  x
System wiring diagram updated after minor updates and after changes of
  irreversible / non-self-revealing interlocks; document management system               x
Fail-safe principles (live-zero, de-energized, OFF = safe position); system HW
  HAZOP present                                                                          x

Software                                                                         W3  W2  W1
No documented or unknown system OQ                                               x
Documented system OQ, track changes                                                  x
Documented system OQ, audit trail, automated track changes                               x
No alarm system, no (manual) alarm tracking in the shift logbook ("Schichtbuch") x
Standard alarm system on DCS screen / alarm printer, alarm history                   x
High-end alarm system on DCS screen / alarm printer, alarm history including
  operator ID logged                                                                     x
No or unknown change management of software, "spaghetti code"                    x
Change management of software, modular code in the context of plant and
  functional design                                                                  x
SW segregation concept widely used, modular code in the context of plant
  design; separated logics for safety and interlock logics; redundancy and
  diversity of interlock triggers and final elements; fail-safe principles of
  SW design; change management of software, tested and documented evidence of
  changes, audit trail; system SW HAZOP present                                          x
Sum of ticks                                                                     n.a. n.a. below 5: W2

All safety provisions are left out of consideration here during scenario definition in HAZOP studies.

[BEST PRACTICE; SHE] It is recommended that effective and robust process control systems be put in place, enabling the process to be kept on-stream as long as possible and so preventing unnecessary downtime. If the prime function of control loops is to reduce the frequency in the W scale, such loops shall be included in a documentation system, an administration system and an inspection system so that proper performance is assured.

2.3 Make-up

[BEST PRACTICE; background information] A safety instrumented system is made up of five elements:
- media contact of process to sensor;
- sensor, incl. communication with logic solver;
- logic solver;
- final element, incl. communication with logic solver;
- media contact of process;
- supporting provisions;
- utilities.

3 Pertaining documents

This SHEP is inextricably related to the following standardizing documents:
- SHEP 1-20.1 Classification of safety systems in Safety Integrity Level (SIL) using the risk graph technique based on loss of containment. It also deals with the allocation and technology of safety systems for all defined scenarios;
- SHEP 4.4.3-5.1 Guideline for safety instrumented systems;
- SHED 4.1-25.1.2 Instrument List;
- Auxiliary systems;
- Supporting provisions;
- SHEP 4.4.3-8.1 Verification of safety instrumented systems in existing plants;
- RP 4.3-11.9-1.1 Calibrating and testing;
- SHEP 4.4.3-10.1 Verification of safety instrumented systems in new projects.

4 Terms and definitions

4.1 Abbreviations

RL = Risk Level
SIL = Safety Integrity Level
SRS = Safety Requirement Specification
SIF = Safety Instrumented Function
SIS = Safety Instrumented System
FLD = Functional Logic Diagrams
DC = Diagnostic Coverage
PFD = Probability of Failure on Demand
AK = Anforderungsklasse
OOR = Out Of Range
n.a. = not acceptable
oo = out of
SFF = Safe Failure Fraction
QA = quality assurance

4.2 Definitions

Safety Integrity Level
A discrete level (1, 2, 3 or 4) for specifying the safety integrity requirements to be met by the applied safety instrumented systems in anticipation of a specific scenario.

Anforderungsklasse
AK denotes the integrity level of each component in a safety circuit and is based on DIN 19250. SIL denotes the integrity level of a safety circuit as a whole. The relationship between SIL and AK, together with the corresponding PFD, PL and mean probability of a dangerous failure per hour, is shown below.

SIL | AK   | PFD     | PL | Mean probability of a dangerous failure per hour | SIL to IEC 61508
a   | 1    |         | a  | > 10^-5 to < 10^-4                               | no special safety requirement
1   | 2, 3 | < 10^-1 | b  | > 3·10^-6 to < 10^-5                             | 1
2   | 4    | < 10^-2 | c  | > 10^-6 to < 3·10^-6                             | 1
3   | 5, 6 | < 10^-3 | d  | > 10^-7 to < 10^-6                               | 2
4   | 7    | < 10^-4 | e  | > 10^-8 to < 10^-7                               | 3
b   | 8    | n.a.    |    |                                                  |

Probability of Failure on Demand
The average probability that a safety provision fails at the moment that a demand is placed on the system.
Diagnostic Coverage factor
The DC factor is the percentage decrease in the probability of dangerous failure that results from an automatic diagnostic test and the feedback of improper functioning.

SFF
The Safe Failure Fraction (SFF) is the ratio of the mean probability of safe failure plus detected unsafe failure to the total mean probability of safe and unsafe failure.

Common cause
A common cause of failure in redundant equipment of process control and/or a safety instrumented system.

Sensor
Detecting element (including process connections, sensors, transmitters, converter, wiring, input cards, etc.) included in a safety instrumented system and capable of establishing whether the process operates within acceptable limits. E.g. thermocouples, pressure transmitters, emergency shut-down switches and pH meters.

OOR alarm
The OOR alarm from an analog signal in a SIS has the function of giving an immediate fault signal to the operator, indicating the reduced availability during the repair time.

Logic solver
A decision-making element in a safety instrumented system which acts on a final element.

Final element
A final controlling element (including output cards, output relays, solenoid valves and cabling) included in a safety instrumented system. E.g. valves, trip circuits for rotating equipment, alarm systems.

For definitions not included in this list, refer to IEC 61508 Part 4.

5 Applicability

This SHEP shall be applicable to all new safety instrumented systems, and those to be modified, that are classified to prevent loss of containment (LOC). The design guide is used in the judgment of these precautions.

6 Requirements

6.1 Design

[SHE] Safety instrumented systems shall be designed as follows:
- list the requirements in the SRS;
- establish the equipment features that affect performance reliability:
  - classify the equipment into TYPE A or TYPE B (Section 6.2.2);
  - determine the Diagnostic Coverage factor (DC) / Safe Failure Fraction (SFF) (Section 6.2.3);
- determine the PFD and architectural constraints to IEC 61508 for the required SIL (Section 6.3);
- determine the test interval (Section 6.4);
- identify common causes (Section 6.5);
- select a standard safety instrumented system that meets the given SIL (Section 6.6). Where deviating parameters and configurations are used, consultation shall take place with the specialist on how the required PFD is to be achieved;
- design an instrumented safety system that protects against the defined scenario (Section 6.7);
- consider adding measures preventing spurious trips (Section 6.8).

6.2 Reliability of equipment

6.2.1 General

[SHE] The elements of a safety instrumented system shall be approved for the appropriate SIL or equivalent AK. The reliability is henceforth expressed as TYPE A or TYPE B in combination with the SFF. SHEP 4.1-25.1.2 "Instrument List" states the class (TYPE A or B), the SFF and the SIL or AK. Equipment not included in that list shall be classified in consultation with the administrator of this SHEP, i.e. DSM SHE&M GMCC Plant Automation.

6.2.2 Classification as type A and type B equipment

[SHE] The elements of a safety instrumented system, such as the sensor, logic solver, final element and auxiliary equipment, shall be classified as TYPE A or TYPE B in accordance with the following statements.
TYPE A elements
An element is classified as TYPE A if it is suitable for the intended application and meets the following requirements, based on Section 2 of IEC 61508:
- the failure mode of each component in the element must be known, AND
- the failure mode of the sub-system (the element) as a whole must be completely clear, AND
- reliable failure data gained in practice must indicate that the element performs satisfactorily;
OR, based on "proven in use":
- the failure mode of the element is known from practice covering at least 10,000 service hours in at least two years, AND
- the element has been used in that period in at least ten different applications without a single failure, AND
- all failures have been recorded.
Example: an element giving satisfactory performance over a period of five to ten years is type A.

TYPE B elements
These are elements suitable for the intended application but which fail to meet the requirements of TYPE A. Examples include:
- elements whose failure modes are not accurately known from practice;
- complex and high-maintenance elements (e.g. analyzers);
- elements of which little or no experience is available;
- instrumented software with limited experience.

6.2.3 Diagnostic Coverage factor (DC) and Safe Failure Fraction (SFF) of equipment

[SHE] The DC factor is the percentage decrease in the probability of dangerous failure that results from an automatic diagnostic test and the feedback of improper functioning, i.e. DC = λDD / λD, where:
λDD is the probability of unsafe detected failure (dangerous detected);
λD is the probability of unsafe failure (dangerous).

No DC: DC < 60 %. No or limited automatic feedback on satisfactory or unsatisfactory performance of the element.
Low DC: 60 % < DC < 90 %. Limited automatic feedback on satisfactory or unsatisfactory performance of the element.
Medium DC: 90 % < DC < 99 %. Substantial automatic feedback on satisfactory or unsatisfactory performance of the element.
High DC: DC > 99 %. Almost complete automatic feedback on satisfactory or unsatisfactory performance of the element.

The Safe Failure Fraction (SFF) is the ratio of the mean probability of safe failure plus detected unsafe failure to the total mean probability of safe and unsafe failure.

6.3 PFD and architectural constraints requirements

6.3.1 General

[SHE] The following tables list the PFD and architectural constraints to IEC 61508 for safety instrumented systems based on:
- the required SIL;
- TYPE A or TYPE B elements;
- SFF.

6.3.2 PFD and architectural constraints (to IEC 61508) for safety instrumented systems using type A elements

[SHE]
SIL | SFF < 60 % | 60 % < SFF < 90 % | 90 % < SFF < 99 % | SFF >= 99 % | PFD
a   | 1 oo 1     | 1 oo 1            | 1 oo 1            | 1 oo 1      |
1   | 1 oo 1     | 1 oo 1            | 1 oo 1            | 1 oo 1      | < 10^-1
2   | 1 oo 2     | 1 oo 1            | 1 oo 1            | 1 oo 1      | < 10^-2
3   | 1 oo 3     | 1 oo 2            | 1 oo 1            | 1 oo 1      | < 10^-3
4   | n.a.       | 1 oo 3            | 1 oo 2            | 1 oo 1      | < 10^-4
b   | n.a.       | n.a.              | n.a.              | n.a.        | n.a.
n.a. = not acceptable; oo = out of

6.3.3 PFD and architectural constraints (to IEC 61508) for instrumented systems using type B elements

[SHE]
SIL | SFF < 60 % | 60 % < SFF < 90 % | 90 % < SFF < 99 % | SFF >= 99 % | PFD
-   | 1 oo 1     | 1 oo 1            | 1 oo 1            | 1 oo 1      |
a   | 1 oo 1     | 1 oo 1            | 1 oo 1            | 1 oo 1      |
1   | 1 oo 2     | 1 oo 1            | 1 oo 1            | 1 oo 1      | < 10^-1
2   | 1 oo 3     | 1 oo 2            | 1 oo 1            | 1 oo 1      | < 10^-2
3   | n.a.       | 1 oo 3            | 1 oo 2            | 1 oo 1      | < 10^-3
4   | n.a.       | n.a.              | 1 oo 3            | 1 oo 2      | < 10^-4
b   | n.a.       | n.a.              | n.a.              | n.a.        | n.a.
n.a. = not acceptable; oo = out of
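A worked check of Sections 6.2.3 and 6.3, added here as an illustration and not DSM's own tooling: it derives DC and SFF from an element's safe, dangerous-detected and dangerous-undetected failure rates, places them in the bands above, and looks up the minimum 1ooN architecture in the type A / type B tables. The failure rates are constructed sample values; reading a 1ooN table entry as a hardware fault tolerance of N-1, so that a proposed 2oo3 group satisfies a 1oo2 requirement, is an assumption that goes slightly beyond the tables, which list 1ooN only.

```python
"""DC, SFF and the IEC 61508 architectural constraints of Sections 6.2.3,
6.3.2 and 6.3.3, as an added illustration (not DSM code).  Failure rates are
constructed sample values in FIT (failures per 1e9 h); the band limits and the
1ooN tables are those printed in the practice."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class FailureRates:
    lam_s: float    # safe failures
    lam_dd: float   # dangerous failures revealed by automatic diagnostics
    lam_du: float   # dangerous failures found only by proof test

    @property
    def lam_d(self) -> float:
        return self.lam_dd + self.lam_du          # lambda_D, all dangerous failures

    def dc(self) -> float:
        """Diagnostic coverage lambda_DD / lambda_D (Section 6.2.3)."""
        return 0.0 if self.lam_d == 0 else self.lam_dd / self.lam_d

    def sff(self) -> float:
        """(safe + dangerous detected) / (safe + dangerous), Section 4.2."""
        total = self.lam_s + self.lam_d
        return 0.0 if total == 0 else (self.lam_s + self.lam_dd) / total


def dc_band(dc: float) -> str:
    """Bands of Section 6.2.3; the text leaves the exact limits open, here the
    lower limit of each band is taken as inclusive."""
    if dc < 0.60:
        return "No DC"
    if dc < 0.90:
        return "Low DC"
    if dc < 0.99:
        return "Medium DC"
    return "High DC"


def sff_column(sff: float) -> int:
    """Column of the 6.3.2 / 6.3.3 tables: <60 %, 60-90 %, 90-99 %, >=99 %."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


# Minimum 1ooN per SIL and SFF column; None reproduces "n.a." in the tables.
Row = Tuple[Optional[int], Optional[int], Optional[int], Optional[int]]
ARCH_TYPE_A: Dict[str, Row] = {
    "a": (1, 1, 1, 1), "1": (1, 1, 1, 1), "2": (2, 1, 1, 1),
    "3": (3, 2, 1, 1), "4": (None, 3, 2, 1),
}
ARCH_TYPE_B: Dict[str, Row] = {
    "-": (1, 1, 1, 1), "a": (1, 1, 1, 1), "1": (2, 1, 1, 1),
    "2": (3, 2, 1, 1), "3": (None, 3, 2, 1), "4": (None, None, 3, 2),
}
PFD_LIMIT = {"1": 1e-1, "2": 1e-2, "3": 1e-3, "4": 1e-4}   # PFD must be below


def required_redundancy(sil: str, elem_type: str, sff: float) -> Optional[int]:
    """N of the minimum 1ooN architecture, or None where the table says n.a.
    (SIL b is n.a. in every column; SIL '-' exists only for type B)."""
    table = ARCH_TYPE_A if elem_type.upper() == "A" else ARCH_TYPE_B
    if sil not in table:
        return None
    return table[sil][sff_column(sff)]


def hardware_fault_tolerance(architecture: str) -> int:
    """HFT of an MooN vote is N - M: 1oo1 -> 0, 1oo2 and 2oo3 -> 1, 1oo3 -> 2."""
    m, n = (int(x) for x in architecture.lower().split("oo"))
    return n - m


def check_architecture(sil: str, elem_type: str, rates: FailureRates,
                       architecture: str) -> dict:
    """Compare a proposed MooN group of this element with the table minimum.
    Assumption: a 1ooN entry is read as 'HFT >= N-1', so 2oo3 satisfies 1oo2."""
    needed = required_redundancy(sil, elem_type, rates.sff())
    ok = needed is not None and hardware_fault_tolerance(architecture) >= needed - 1
    return {
        "dc": rates.dc(), "dc_band": dc_band(rates.dc()), "sff": rates.sff(),
        "min_arch": None if needed is None else f"1oo{needed}",
        "pfd_must_be_below": PFD_LIMIT.get(sil),
        "meets_constraint": ok,
    }


# Constructed sample: a type B pressure transmitter, rates in FIT.
PT_SAMPLE = FailureRates(lam_s=400.0, lam_dd=300.0, lam_du=100.0)

if __name__ == "__main__":
    for arch in ("1oo1", "1oo2", "2oo3"):
        print(arch, check_architecture("2", "B", PT_SAMPLE, arch))
```

For the sample transmitter the result is DC 75 % (Low DC), SFF 87.5 %, so a SIL 2 function built from this type B element needs at least 1oo2; a single transmitter fails the constraint regardless of its PFD.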
6.4 Testing

[BEST PRACTICE; SHE] Automatic diagnostic tests do not cover the entire safety instrumented system. Manual testing by verifying the measured value and conducting a functional test remains necessary, as do preventive measures such as valve refurbishment and cleaning.

[SHE] Test intervals at the loop level needed to achieve the required SIL for standard safety instrumented systems are specified in Appendix 3.

6.5 Common cause

[BEST PRACTICE; background information] Common cause means a common cause in the failure of process control systems and the safety instrumented system and/or of redundant elements.

[BEST PRACTICE; standardization, experience and SHE] The following countermeasures are recommended:
- applying diversity as to technology, supplier and type;
- using different input and output cards and individual rather than common fusing of power supply systems;
- preventing plugging by means of flushing and preventing freezing by means of winterizing, etc.

[SHE] The diversity required by IEC 61508 for standard safety instrumented systems is indicated in Appendix 2.

[BEST PRACTICE; SHE] The designs of the standard safety instrumented systems in Appendix 2 are based on approx. 5 % common cause.

6.6 Selection of standard instrumented safety functions

[BEST PRACTICE; standardization, experience and SHE] A number of standard safety instrumented functions have been worked out (Appendix 2). These functions meet the PFD and architectural constraints to IEC 61508 and the general technology requirements stated in Appendix 1 for each SIL. These data are based on standard DSM failure data and reduction factors for instrumentation. In addition, test intervals at the loop level are stated; these enable the PFD requirements to be met (Appendix 3). Any deviating configuration shall preferably be designed in consultation with the administrator of this SHEP, i.e. DSM CSHE&M GMCC Plant Automation.

6.7 Effectiveness

[SHE] Safety instrumented systems shall be designed to be effective, especially in respect of the scenario and the related process parameters, process dynamics, test intervals and process operation:
- Process dynamics: the scenario imposes requirements as to the response time of the safety instrumented system, e.g. its ability to perform a particular function within x seconds. For more details see DSM Standard SHEP 4.4.3-5.1, Appendix 1, Par. 5.4.3;
- Application aspects: depending on the fluid pressure, temperature and the risk of crystallization, suitable measures may need to be taken such as purging, flushing, tracing and monitoring of these systems. For more details refer to the RP on integrity control of impulse lines in a SIL application;
- Scenario: choice of measurement technology and final element;
- Wherever practical, safety instrumented systems shall fail safe in the event of a fault developing (e.g. loss of auxiliary energy, loss of energy supply, short-circuit or broken wire). Unmonitored signal connections shall normally fail safe, i.e. the system shall be de-energized to trip on loss of power or loss of signal;
- Circuits with analogue sensors having self-diagnostics (e.g. Out Of Range detection, utility monitoring) shall be provided with:
  - for SIL 1 and SIL 2: an integrity alarm and a procedure for correcting the fault;
  - for SIL 3: an integrity alarm, a time-dependent shut-down and a procedure for correcting the fault;
- In exceptional cases it is better to opt for an energize-to-trip system. In that case the de-energized circuit shall be monitored (signal monitoring, continuity check). In addition, suitable instructions and procedures shall be put in place.

6.8 Prevention of spurious trips

[BEST PRACTICE; increase availability of the installation] Elements of safety instrumented systems shall be duplicated or triplicated for enhanced reliability. This, however, increases the frequency of spurious trips. Spurious trips can be avoided by using a 2 out of 3 configuration in place of a 1 out of 2 configuration.

6.9 Assessment of existing safety instrumented systems

[SHE] Existing safety instrumented systems shall be assessed as to the following points:
- compare the safety instrumented systems with the configurations in Appendix 2 "Standard safety instrumented systems" and Appendix 1 "General design requirements and recommendations";
- compare the specified reliability figures of the elements:
  - classify as TYPE A or TYPE B (Section 6.2.2);
  - the Safe Failure Fraction (SFF) (Section 6.2.3);
- test intervals (Section 6.4 and Appendix 3);
- common cause failure (Section 6.5);
- effectiveness of the loop (Section 6.7);
- compare the SIL so determined with the required SIL.

[BEST PRACTICE; standardization, experience and SHE] If a particular architecture fails to meet the PFD and architectural constraints relating to a SIL, the PFD can in principle be decreased in three ways:
- increasing reliability through the use of TYPE A elements, increasing the DC factor, or increasing the degree of redundancy;
- reducing the test intervals. Where necessary, test intervals of less than one year shall be avoided by modifying the safety instrumented system;
- reducing common cause failure where it exceeds 5 %.

Appendix 1 GENERAL DESIGN REQUIREMENTS AND RECOMMENDATIONS

Table columns: Nr | Design | Requirements per SIL (a, 1, 2, 3, 4) | Recommendations per SIL (a, 1, 2, 3, 4). The marks (x) of each row are given in brackets after the design statement.

1 [BEST PRACTICE; standardization, experience and SHE] Install a pre-alarm if the operator is in a position to take corrective action in time. (x x x x)
2 [SHE] All sensors in safety instrumented systems shall have an audio-visual alarm. (x x x x)
3 [BEST PRACTICE; standardization, experience and SHE] An audio-visual alarm of a safety instrumented system may not be self-resetting. (x x x x)
4 [BEST PRACTICE; increase availability of the installation] The selected technology must allow periodic testing (accessibility, override, calibration valves, etc.). (x x x x)
5 [SHE] Common cause failure of a process control function and a safety instrumented system shall be prevented wherever possible. (x x x x)
6 [SHE] Solenoids on control valves must be placed between the valve positioner and the valve motor and shall have sufficient relieving capacity. (x x x x)
7 [SHE] The switch action of a safety instrumented system may not be self-resetting. (x x x x)
8 [BEST PRACTICE; standardization, experience and SHE] Install an alarm if the operator can be relied upon to respond as per instruction. Otherwise, assign SIL a (see 10).
9 [BEST PRACTICE; cost reduction] One and the same sensor may be used for the alarm and for process control.
10 [BEST PRACTICE; standardization, experience and SHE] Automatic binary intervention by the safety instrumented system is required, preferably in conjunction with a solenoid valve. (x)
11 [BEST PRACTICE; cost reduction] The process control system may be used as a logic solver. (x)
12 [SHE] One and the same transmitter may be used for control purposes and for a SIL a system if a dangerous failure of the transmitter cannot cause the scenario to take place. (x)
13 [SHE] The valve may be a solenoid-operated control valve if valve failure will not initiate the scenario in question and no demand is made on the safety instrumented system. (x x x x)
14 [SHE] Automatic binary intervention by the safety instrumented system is required. (x x x)
15 [SHE] A safety instrumented system shall be fully segregated from process control systems (for the same function). (x x x)
16 [SHE] SIL 1 or AK 2/3 logic solvers shall be in the form of a relay, PLC, solid state, or magnetic core, with a certificate issued by a notified body*. (x)
17 [SHE] SIL 2 or AK 4 logic solvers shall be in the form of a relay, PLC, solid state, or magnetic core, with a certificate issued by a notified body*. (x)
18 [SHE] SIL 3 or AK 5/6 logic solvers shall be in the form of a relay, PLC, solid state, or magnetic core, with a certificate issued by a notified body*. (x)
19 [SHE] Diverse redundancy shall be applied, i.e. diverse technologies, makes and types, in order to reduce common cause failures to a minimum. (x x x)
20 [BEST PRACTICE; standardization, experience and SHE] The requirements according to Appendix 2 Section 3.1.
21 [BEST PRACTICE; standardization, experience and SHE] The requirements according to Appendix 2 Section 3.2. (x)
22 [BEST PRACTICE; standardization, experience and SHE] The requirements according to Appendix 2 Sections 3.3 and 3.4. (x)
23 [BEST PRACTICE; standardization, experience and SHE] The requirements according to Appendix 2 Sections 3.5 and 3.6. (x)
24 [BEST PRACTICE; standardization, experience and SHE] The requirements according to Appendix 2 Sections 3.7 and 3.8. (x)
25 [SHE] The requirements according to Appendix 3 for the SIL concerned. (x x x x)
26 [SHE] A purely instrumented solution is not acceptable. Change the design to obtain a lower SIL. (x)
28 [BEST PRACTICE; standardization, experience and SHE] Deviations in consultation with the administrator of this Standard (DSM TechnoPartners, Plant Automation - Equipment Dept.). (x x x x)

* A Notified Body is e.g. TÜV, FM (Factory Mutual in the USA) and UL (Underwriters Laboratories Inc. in the USA, Canada and Japan).

Appendix 2 STANDARD INSTRUMENTED SAFETY FUNCTIONS

[BEST PRACTICE; standardization, experience and SHE]

1 GENERAL

A number of standard safety instrumented functions are detailed below for the following elements:
- TYPE A and TYPE B, with
- approx. 5 % common cause and
- various SFFs.

These functions meet the PFD and architectural constraints to IEC 61508 for the various SILs as well as the general design requirements stated in Appendix 1.
2 SYMBOLS USED

3 STANDARD INSTRUMENTED SAFETY FUNCTIONS

3.1 SIL -; TYPE A OR TYPE B ELEMENTS
3.2 SIL a; TYPE A OR TYPE B ELEMENTS
3.3 SIL 1, PFD 10^-1; TYPE A ELEMENTS
3.4 SIL 1, PFD 10^-1; TYPE B ELEMENTS
3.5 SIL 2, PFD 10^-2; TYPE A ELEMENTS
3.6 SIL 2, PFD 10^-2; TYPE B ELEMENTS
3.7 SIL 3, PFD 10^-3; TYPE A ELEMENTS
3.8 SIL 3, PFD 10^-3; TYPE B ELEMENTS

Appendix 3 TEST INTERVALS

[BEST PRACTICE; background information] The loop configurations shown below are often used in safety instrumented system designs. Each loop may be adapted for the following services: flow, pressure, level, temperature, speed, vibration, position etc.

1 SINGLE LOOP CONFIGURATIONS

[BEST PRACTICE; background information] The loops need to be adapted to suit the architectural constraints mentioned in Appendix 2.

2 DEVICE TYPE, REQUIRED SIL AND THE ACCEPTABLE TEST INTERVALS

[SHE] Test intervals have been determined for each loop configuration based on TYPE A elements and a common cause β of approx. 5 % with which the required PFD can be met. A distinction is made between full loop tests and partial loop tests. The former is preferred and should preferably be conducted under normal operating conditions if the process allows.
Permissible test intervals are tabulated below in two main columns:
- Full loop test: test intervals for the verification functional test of the entire loop are indicated for each SIL;
- Partial loop test:
  - test intervals for the verification functional test of the sensor circuit are stated in the sensor column;
  - test intervals for the functional test of the logic solver plus the final element (trip test) are stated in the appropriate columns.
Permissible test intervals shown are dependent on the loop configuration for each SIL.

TEST INTERVALS (years)
Full loop test columns: SIL 1, SIL 2, SIL 3 (loop). Partial loop test columns per SIL: sensor, logic solver + final element (LS+FE).

Configuration              | Sensor circuit | Full loop test        | Partial loop test
                           |                | SIL 1 | SIL 2 | SIL 3 | SIL 1 sensor | SIL 1 LS+FE | SIL 2 sensor | SIL 2 LS+FE | SIL 3 sensor | SIL 3 LS+FE
Pressure electronic        | a              | 2     | 1     | 1     | 1            | 4           | 1            | 4           | 1            | 4
Pressure with OOR alarm    | a              | 2     | 2     | 2     | 2            | 4           | 2            | 4           | 1            | 4
Flow electronic            | a              | 1     | 1     | 1     | 1            | 4           | 1            | 4           | n.a.         | n.a.
Flow with OOR alarm        | a              | 2     | 2     | 1     | 1            | 4           | 1            | 4           | 1            | 4
Level electronic           | a              | 2     | 2     | 2     | 2            | 4           | 2            | 4           | 1            | 4
Level with OOR alarm       | a              | 2     | 2     | 2     | 2            | 4           | 2            | 4           | 1            | 4
Temperature electronic     | b              | 1     | 1     | 1     | 1            | 4           | 1            | 4           | n.a.         | n.a.
Temperature with OOR alarm | b              | 2     | 1     | 1     | 1            | 4           | 1            | 4           | 1            | 4
Pressure switch            | c              | 2     | 2     | 1     | 1            | 4           | 1            | 4           | 1            | 4
Flow switch                | c              | 2     | 1     | 1     | 1            | 4           | 1            | 4           | 1            | 4
Temperature switch         | c              | 2     | 2     | 2     | 2            | 4           | 2            | 4           | 1            | 4
Level switch               | c              | 1     | n.a.  | n.a.  | n.a.         | n.a.        | n.a.         | n.a.        | n.a.         | n.a.
Smart level switch         |                |       |       |       |              |             |              |             |              |
Pressure switch card       | d              | 2     | 1     | 1     | 1            | 4           | 1            | 4           | n.a.         | n.a.
Flow switch card           | d              | 1     | 1     | 1     | 1            | 4           | 1            | 4           | n.a.         | n.a.
Level switch card          | d              | 2     | 2     | 2     | 2            | 4           | 2            | 4           | 1            | 4
Temperature switch         | e              | 1     | 1     | n.a.  | 1            | 4           | 1            | 4           | n.a.         | n.a.

OOR = Out of Range. n.a. = not acceptable.

[BEST PRACTICE; background information] Assumptions made:
- test intervals must not be longer than four years;
- test intervals must not be shorter than one year; if they are (indicated by n.a. = not acceptable), it is recommended to redesign the safety instrumented system;
- test intervals stated for SIL 3 are heavily dependent on the value of β: β = 0.002 for completely diverse, β = 0.02 for partly diverse and β = 0.2 for non-diverse elements; β = 0.002 has been entered for SIL 3.

[BEST PRACTICE; standardization, experience and SHE] Note on SIL a and SIL -: the recommended test intervals are four years for the functional loop test, verification of the measured value and functional testing of the logic solver and the final element, provided the application allows. Where the process fluid has a strongly fouling effect or may crystallize, the test intervals shall be shortened so that proper performance is assured.

General note:
- a full loop test under normal operating conditions is to be preferred if the process allows;
- if this is not practicable under normal operating conditions, the same test should be carried out during the next turnaround;
- if this is not practicable either, run a partial test of the sensor during normal operation in combination with a test of the logic solver plus the final element during a turnaround.
The test should include a check on the availability and operation of ancillary systems such as tracing, purges, insulation, mechanical interlocks of bypasses and the like. Test procedures are specified in RP 4.11.9-1.1 "Calibration and testing".

Check calibration of sensors: the interval at which the calibration of sensors is checked need not be linked to the functional test period of the sensor circuit.
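To show how the three levers of Section 6.9 (reliability and redundancy, test interval, common cause) and the β values of the assumptions above play together, the following added illustration, which is not DSM's own calculation, computes an average PFD for 1oo1, 1oo2 and 2oo3 loops over whole-year proof-test intervals and returns the longest interval inside the one-to-four-year window that still meets a target SIL. It uses the simplified IEC 61508-6 Annex B expressions for dangerous undetected failures with repair times neglected, which this practice does not print; λDU = 10^-6 per hour per channel is a constructed sample value.

```python
"""Average PFD versus proof-test interval, architecture and common-cause beta,
as an added illustration of Section 6.9 and the Appendix 3 assumptions (not
DSM code).  The PFD expressions are the simplified IEC 61508-6 Annex B forms
(dangerous undetected failures only, repair times neglected), an assumption
not printed in this practice."""
from typing import List, Optional, Tuple

HOURS_PER_YEAR = 8760.0
# Diversity classes and beta values as listed in the Appendix 3 assumptions.
BETAS = {"completely diverse": 0.002, "partly diverse": 0.02, "non-diverse": 0.2}


def pfd_avg(lam_du: float, years: float, architecture: str, beta: float) -> float:
    """lam_du in failures per hour, proof-test interval in years.
    1oo1: lam*T/2;  1oo2: ((1-b)*lam*T)^2/3 + b*lam*T/2;  2oo3: ((1-b)*lam*T)^2 + b*lam*T/2."""
    lt = lam_du * years * HOURS_PER_YEAR      # expected DU failures per interval
    common = beta * lt / 2                     # common-cause part, shared by all channels
    indep = (1.0 - beta) * lt                  # independent part of each channel
    if architecture == "1oo1":
        return lt / 2
    if architecture == "1oo2":
        return indep ** 2 / 3 + common
    if architecture == "2oo3":
        return indep ** 2 + common
    raise ValueError(f"unsupported architecture {architecture!r}")


def sil_met(pfd: float) -> Optional[int]:
    """Highest SIL whose PFD limit (Section 4.2: < 1e-1 ... < 1e-4) the value meets."""
    for sil, limit in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < limit:
            return sil
    return None


def max_test_interval(lam_du: float, architecture: str, beta: float,
                      target_sil: int, longest: int = 4) -> Optional[int]:
    """Longest whole-year interval (1..longest) at which target_sil is still met.
    None mirrors the n.a. of Appendix 3: the interval would have to be under one
    year, which the practice resolves by redesigning the loop, not by testing
    more often."""
    for years in range(longest, 0, -1):
        sil = sil_met(pfd_avg(lam_du, years, architecture, beta))
        if sil is not None and sil >= target_sil:
            return years
    return None


def options(lam_du: float, target_sil: int) -> List[Tuple[str, str, Optional[int]]]:
    """The 6.9 levers side by side: (architecture, diversity, longest interval)."""
    rows = []
    for arch in ("1oo1", "1oo2", "2oo3"):
        for name, beta in BETAS.items():
            rows.append((arch, name, max_test_interval(lam_du, arch, beta, target_sil)))
    return rows


# Constructed sample: lambda_DU = 1e-6 per hour (1000 FIT) per channel.
LAM_DU_SAMPLE = 1e-6

if __name__ == "__main__":
    for arch, diversity, years in options(LAM_DU_SAMPLE, 3):
        print(f"{arch}  {diversity:20s}  longest SIL 3 interval: {years or 'n.a.'}")
```

With the sample rate a single channel reaches SIL 2 only with a test every two years and never SIL 3, a 1oo2 loop reaches SIL 3 with a four-year interval when diverse but only with a one-year interval when non-diverse, and a 2oo3 loop (the spurious-trip measure of Section 6.8) gives up one year of interval against 1oo2 at the same β.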
Instead, this interval is to be determined on the basis of maintenance experience regarding drift, wear, ageing, etc.

Appendix 4 Grenzach typicals
DNP Grenzach, calculations of loop typicals
Architecture of a Safety Instrumented System including instrument specification

[Editorial note: insert Checklist SRS DSM; to be moved to the Guidance note Resins]

General SIF Requirements

Attribute | Detail
Identity | {reference to the SIF overview, e.g. SIF 3.2}
Description | {e.g. ratio between air and nitrogen to reactor R24}
P&ID | {drawing number of the P&ID}
Functional Logic Diagram | {drawing number of the functional logic diagram}
Equipment | {e.g. R-24}
Safe State | {e.g. stop heating / start cooling / stop feeding / stop dosing / depressurize}
Demand Source | {e.g. air/N2 flow ratio deviation due to pipe blockage}
Demand Rate | [select]
Mode of Operation | Low demand (≤ 1 demand per year) [ ]; High demand / continuous (> 1 demand per year) [ ]

Integrity Requirements

Impact | Integrity Level | RRF
Safety | [select] | [select]
Environment | [select] | [select]
Commercial | [select] | [select]
Required Integrity Level (overall) | [select] | [select]

Attribute | Detail
Additional Mitigation | [select]
SIF Proof Test Interval | [select]
Process Safety Time | [select]
Process Response Time (after the action is fulfilled) | [select]
Overall Response Time | [select]
Process Overrides | [select]
Related Interlock | {DCS interlocks to prevent process disorder}
Max. Spurious Trip Rate | less than [select]
Protection Method | [select]
Manual Shutdown | [select]
Maintenance Overrides | [select]
Trip Reset | [select]
Mission Time | [select]
Specific requirements related to procedures for starting and restarting the SIS | {e.g. program auto reset only during start-up of the logic solver; close a control valve in line with the safety valve}
Special Requirements | {...}
Non-safety actions | {...}

SIF Schematic
The functional relationship of the sensor, logic solver and final elements is represented in the following diagram.

SIF Sensor Requirements
The sensor subsystem groups are voted as follows:

Attribute | Detail
Voting | [select]

The SIF consists of the following sensor groups.

SIF Sensor Group 1
The main features of this sensor group are as follows:

Attribute | Detail
Group Type | [select]
Voting | [select]
Action | [select]
Trip setting | {value of the trip setting in engineering units, e.g. > 10 barg}
MTTR | [select]
Proof Test Interval | [select]
Common Cause Sources | Same device [ ]; Same environment [ ]; Same sensing point [ ]; Similar technology [ ]; Human factors [ ]; {other} [ ]
Beta Factor (β) | [select]
Proof Test Coverage | [select]
Wire Diagnostics | [select]
Process Connection | Clean service [ ]; Remote seal [ ]; Impulse line, low [ ]; Impulse line, medium [ ]; Impulse line, high [ ]; Thermocouple [ ]; RTD [ ]; {other} [ ]
Interface | [select] [text] [select]
Degraded Voting, Fail | [select]
Degraded Voting, Override | [select]
Environmental Extremes | [select]
Start requirements | [select]
Re-start requirements | [select]
Supporting provisions | {e.g. electrical tracing, jacketing, flushing, purging, isolation}
Other Special requirements | {specify special requirements}
Notes | {fill in additional information when needed}

The components within this group are detailed as follows:

Tag | Type | P&ID | Model / Data Sheet | Fail Action | MOS
{sensor tag} | {AI / DI} | {P&ID drawing number} | {model / type / supplier} | {High or Low} | {Yes / No}

SIF Logic Solver Requirements
The logic solver subsystem groups are voted as follows:

Attribute | Detail
Voting | [select]

The SIF consists of the following logic solver groups.

SIF Logic Solver Group 1
The main features of this logic solver group are as follows:

Attribute | Detail
Group Type | [select]
Voting | [select]
MTTR | [select]
Proof Test Interval | lowest proof test interval of a SIF
Unsafe Process condition | [select]
Unsafe Process states | [select]
Common Cause Sources | Same device [ ]; Same environment [ ]; Same power source [ ]; Similar technology [ ]; Human factors [ ]; {other} [ ]
Beta Factor (β) | [select]
Proof Test Coverage | [select]
Diagnostics | Manufacturer standard
Degraded Voting, Fail | [select]
Degraded Voting, Override | [select]
Start requirements | [select]
Re-start requirements | [select]
Other Special requirements | {e.g. power supply and physical location separated from control}
Notes | {fill in additional information when needed}

The components within this group are detailed as follows:

Tag | Model / Data Sheet
{tags of the logic solvers} | [select]

[Draft note: if the maximum number of proof tests is done, what should the coverage be? See the change of the PFD over time in the Exida report.]

SIF Final Element Requirements
The final element subsystem groups are voted as follows:

Attribute | Detail
Voting | [select]

The SIF consists of the following final element groups.

SIF Final Element Group 1
The main features of this final element group are as follows:

Attribute | Detail
Group Type | [select]
Voting | [select]
Action | [select]
MTTR | [select]
Proof Test Interval | [select]
Common Cause Sources | Same device [ ]; Same environment [ ]; Same power source [ ]; Same action point [ ]; Same wiring route [ ]; Similar technology [ ]; Human factors [ ]; {other} [ ]
Beta Factor (β) | [select]
Diagnostics | None
Process Connection | Tight shut-off leak class [select]; Severe service [ ]
Interface | 
Degraded Voting, Fail | [select]
Degraded Voting, Override | [select]
Environmental Extremes | [select]
Start requirements | [select]
Re-start requirements | {e.g. power supply and physical location separated from control}
Supporting provisions | {e.g. electrical tracing, jacketing, flushing, isolation}
Other Special requirements | {fill in additional information when needed}
Notes | {fill in additional information when needed}

The components within this group are detailed as follows:

Tag | Type | P&ID | Model / Data Sheet | Fail Action | Reset
{final element tag} | {DO or AO} | {P&ID reference} | {model / type / supplier} | [select] | [select]
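The following Python script is an added worked example; it is not part of the DSM practice or of the SRS template above. It puts numbers to the proof-test note (full loop test every four years, or a partial sensor test in service plus a full test at the turnaround) and to the Beta Factor, Proof Test Coverage and Voting attributes of the checklist: it estimates the low-demand PFDavg of one SIF from its sensor, logic solver and final element groups, the RRF, and the SIL achieved. All failure rates, intervals and the mission time are constructed values, and the formulas are the usual simplified approximations (constant failure rates, repair time and dangerous detected failures neglected, a proof test assumed to return the tested fraction of a channel to as-new). The script gives PFDavg only; the architectural constraints (HFT, SFF) of section 6.3 are a separate check that it does not perform.

```python
"""Simplified low-demand PFDavg estimate for one safety instrumented function.

Added worked example with constructed numbers, not values from the practice.
Formulas: IEC 61508-6 style approximations with constant failure rates,
repair time and dangerous *detected* failures neglected, and a proof test
assumed to return the tested fraction of the channel to as-new.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands of IEC 61508-1 table 2: (SIL, PFDavg lower bound, upper bound).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd_avg: float) -> int:
    """SIL achieved by a low-demand PFDavg; 0 means worse than SIL 1."""
    if pfd_avg < 1e-5:
        return 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0


def channel_pfd(lambda_du: float, ti_years: float, ptc: float = 1.0,
                remainder_years: float = 20.0) -> float:
    """PFDavg of a single (1oo1) channel with imperfect proof testing.

    ptc is the proof test coverage: the fraction of dangerous undetected
    failures that the routine test (every ti_years) reveals.  The remaining
    fraction stays hidden until remainder_years: the full loop test at a
    turnaround, or the mission time if the device is never fully tested.
    Each population contributes lambda * T / 2, the average of lambda * t
    over its own interval T.
    """
    ti = ti_years * HOURS_PER_YEAR
    rest = remainder_years * HOURS_PER_YEAR
    return ptc * lambda_du * ti / 2 + (1.0 - ptc) * lambda_du * rest / 2


def voted_pfd(voting: str, lambda_du: float, ti_years: float, beta: float = 0.0) -> float:
    """PFDavg of a redundant group of identical channels, beta-factor model.

    The common cause fraction beta of the failure rate takes out all
    channels at once and behaves like a 1oo1 channel; the independent
    remainder needs two (1oo2) or two of three (2oo3) coincident failures.
    Perfect proof testing at ti_years is assumed for the group.
    """
    ti = ti_years * HOURS_PER_YEAR
    independent = (1.0 - beta) * lambda_du * ti   # lambda_ind * TI
    common = beta * lambda_du * ti / 2            # CCF term, 1oo1 shape
    if voting == "1oo1":
        return lambda_du * ti / 2
    if voting == "1oo2":
        return independent ** 2 / 3 + common      # average of (lambda t)^2 over TI
    if voting == "2oo3":
        return independent ** 2 + common          # three channel pairs, each (lambda t)^2 / 3
    raise ValueError(f"unsupported voting: {voting}")


@dataclass(frozen=True)
class Subsystem:
    name: str
    pfd_avg: float


def assess(subsystems, sil_required: int) -> dict:
    """Sum the subsystem PFDs (sensor + logic solver + final element) and compare with the required SIL."""
    total = sum(s.pfd_avg for s in subsystems)
    achieved = sil_from_pfd(total)
    return {
        "pfd_avg": total,
        "rrf": 1.0 / total,
        "sil_achieved": achieved,
        "meets_sil": achieved >= sil_required,
        "share": {s.name: s.pfd_avg / total for s in subsystems},
    }


# Constructed SIF with SIL 2 required: 1oo2 pressure transmitters tested every
# four years (the interval recommended above) with beta = 5 %, a logic solver
# on the same interval, and a shutdown valve that gets a partial test yearly
# (coverage 90 %) and a full stroke at the four-yearly turnaround.
EXAMPLE_SIF = (
    Subsystem("sensors 1oo2", voted_pfd("1oo2", lambda_du=5e-7, ti_years=4, beta=0.05)),
    Subsystem("logic solver", channel_pfd(lambda_du=1e-8, ti_years=4)),
    Subsystem("final element", channel_pfd(lambda_du=3e-7, ti_years=1, ptc=0.9, remainder_years=4)),
)

if __name__ == "__main__":
    result = assess(EXAMPLE_SIF, sil_required=2)
    print(f"PFDavg = {result['pfd_avg']:.2e}, RRF = {result['rrf']:.0f}, SIL {result['sil_achieved']} achieved")
    for name, share in result["share"].items():
        print(f"  {name:14s} {share:5.1%}")
    # The same valve if it never gets a full test: the untested 10 % is averaged over a 20-year mission.
    print(f"valve, no full test: {channel_pfd(3e-7, 1, ptc=0.9, remainder_years=20):.2e}")
```

With these constructed numbers the SIF reaches SIL 2 (PFDavg about 2.4e-3, RRF about 414), and the final element carries roughly 70 % of the total even though it is tested most often; replacing the four-yearly full stroke by a 20-year mission time more than doubles its PFDavg, which is the effect the draft note above asks about when it refers to the change of the PFD over time.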