Chemical Technology July 2015

PLANT MAINTENANCE, SAFETY, HEALTH & QUALITY

Figure 3: Adding independent layers of protection

Protection system integrity

Consider a simple shut-down system comprising a sensor, logic solver, solenoid valve and shut-off valve. In the above example this could be the high level trip. Assuming, as an illustration, that each component (sub-system) has a failure rate of 0,1 per year, ie, it fails once in ten years, then the total failure rate of the string (3 sub-systems in series) is f = 0,1 + 0,1 + 0,1 + 0,1 = 0,4/year.

If the system is rarely or never tested, the probability of failure on demand (PFD) increases with time and would become very high. However, if tested every six months, one could say that on average it would be in a failed state for half the test interval. This is so because, if we divide the time between tests T into 10, then if it fails after 0,1T it is in a failed state for (1 - 0,1)T, if it fails after 0,2T it is in a failed state for (1 - 0,2)T, and so on until, if it fails after 0,9T, it is in a failed state for (1 - 0,9)T. Adding all ten failed times and taking their average gives ½T. Thus in the example, if tested every six months, the average failed time is 6 months/2 = 3 months, equal to 0,25 year. The failure rate of the protection string f is 0,4/year, so the PFD = ½ * f * T = 0,4 * 0,25 = 0,1 or 10 %.

The PFD can be reduced by testing more frequently. If tested every three months, the PFD = ½ * 0,4 * 3/12 = 0,05. This meets the requirement of SIL 1.

The above result is not totally realistic because it ignores common cause failures of the components due to factors such as electrical interference, excessive vibration or excessive temperatures. This typically restricts the PFD reduction to about 10 % of the 1oo1 PFD. PFD can also be reduced by incorporating redundancy, as mentioned earlier, into sub-systems, eg, the level sensing. Thus, using 1oo2 or 1oo3 systems together with automatic diagnostic fault detection, the PFD can be further reduced to allow SIL 2 and SIL 3 to be achieved.

Such methods can be applied to any of the sub-systems and are generally used to improve the performance of the weakest part of the ‘string’. Typically 1oo2 is widely used and sometimes 1oo3 is justified. Although a 1oo3 SIS is highly reliable, it is also vulnerable

and emergency plans. As mentioned earlier, it is common to initially specify an SIS with modern technology. This usually comprises a sensor to measure a variable, a logic solver to manipulate the signal from the sensor, a converter to change the signal into a usable form (often a solenoid valve which changes an electric signal to a pneumatic or hydraulic signal) and a final shut-off element (usually an actuated valve or a power cylinder). SISs can be designed and built with safety integrity to comply with any of the specified SILs.

Typically, a SIL 1 would be built as a single channel system with a single sensor, a single logic solver stage and a single actuated valve, as shown in Figure 4. This configuration is referred to as a 1 out of 1 system, denoted 1oo1. Each of the three parts of the SIS is called a sub-system, and all three sub-systems must satisfy SIL 1 requirements both separately and when combined.

A SIL 2 would typically be achieved by providing redundancy as a dual channel, shown for the sensors and actuators in Figure 5. Here only one out of the 2 channels needs to function for the SIS to function, ie, one channel can fail. This configuration is referred to as a 1 out of 2 system, denoted 1oo2.

A SIL 3 may sometimes need to be built with 3 channels, as shown for the sensors in Figure 6. Here only one channel out of 3 needs to function for the SIS to function, ie, 2 channels can fail. This configuration is referred to as a 1 out of 3 system, denoted 1oo3. Note that in extreme situations, 3 channels of solenoid valves and shut-off valves could also be used, but the reliability of two solenoid valve/shut-off valve combinations is usually high enough to obviate the use of three. Also, a SIL 3 usually requires a 1oo2 arrangement for logic solvers as well as actuators. However, some high performance logic solvers can achieve SIL 3 in a 1oo1 configuration due to their ability to detect virtually all dangerous failures and shut down the process automatically.

A SIL 4 would be very reliable, but also very expensive, whereas a SIL 1 would be cheaper but less reliable, ie, of lower integrity.
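The PFD argument above (the ½ f T averaging, the effect of a shorter test interval, the common-cause floor) and the 1oo1/1oo2/1oo3 configurations just described, worked through in Python as an added example that is not part of the article. The 1ooN and beta-factor formulas are standard simplified low-demand approximations assumed here, and the 10 % beta value is constructed from the article's common-cause remark.

```python
"""Worked example of the article's PFD reasoning (added here, not the article's
own code).  The 1ooN and beta-factor common-cause formulas are standard
simplified approximations assumed by this example, not stated by the article."""
from fractions import Fraction

def average_failed_fraction(n_slices):
    """Article's argument: split the proof-test interval T into n slices.  A
    failure in slice k (taken at the slice midpoint) leaves the string dead
    for the rest of T; the mean failed fraction of T is exactly 1/2."""
    failed = [1 - Fraction(2 * k + 1, 2 * n_slices) for k in range(n_slices)]
    return sum(failed) / n_slices

def string_failure_rate(component_rates):
    """Series string: any one component failing defeats the trip, so rates add."""
    return sum(component_rates)

def pfd_1oo1(f, T):
    """Average probability of failure on demand of a single channel: 1/2*f*T."""
    return 0.5 * f * T

def subsystem_pfd(lam, T, n, beta=0.0):
    """1ooN sub-system: n identical channels, rate lam each.  Independent part
    (lam*T)^n/(n+1) reduces to 1/2*lam*T for n = 1.  Common cause (beta
    factor, assumed): a share beta of one channel's PFD survives redundancy."""
    independent = (lam * T) ** n / (n + 1)
    common_cause = beta * pfd_1oo1(lam, T) if n > 1 else 0.0
    return independent + common_cause

def string_pfd(subsystems, T, beta=0.0):
    """subsystems: list of (rate_per_year, n_channels); sub-system PFDs add."""
    return sum(subsystem_pfd(lam, T, n, beta) for lam, n in subsystems)

def sil_for_pfd(pfd):
    """IEC 61508 low-demand PFD bands; 0 means the PFD does not reach SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

if __name__ == "__main__":
    f = string_failure_rate([0.1] * 4)                # article: f = 0,4/year
    for months in (6, 3):                              # article: 0,1 then 0,05
        print(f"1oo1 tested every {months} months: PFD = {pfd_1oo1(f, months / 12):.3f}")
    T, beta = 3 / 12, 0.1                              # constructed: beta = 10 %
    layouts = {"all 1oo1": [(0.1, 1)] * 4,
               "1oo2 sensor only": [(0.1, 2)] + [(0.1, 1)] * 3,
               "all 1oo2": [(0.1, 2)] * 4}
    for name, subsystems in layouts.items():
        p = string_pfd(subsystems, T, beta)
        print(f"{name:17s} PFD = {p:.4f} -> SIL {sil_for_pfd(p)}")
```

Running it shows the all-1oo2 string stopping at SIL 2 once the common-cause share is included, whereas with beta = 0 the same layout would reach SIL 3; that gap is the floor the article describes.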
