13
Chemical Technology • July 2015
and emergency plans. As mentioned earlier, it is common
to initially specify an SIS with modern technology. This
usually comprises a sensor to measure a variable, a logic
solver to manipulate the signal from the sensor, a converter
to change the signal into a usable form (often a solenoid
valve which changes an electric signal to a pneumatic or
hydraulic signal) and a final shut-off element (usually an
actuated valve or a power cylinder).
SISs can be designed and built with safety integrity to
comply with any of the specified SILs. Typically, a SIL1 would
be built as a single channel system with a single sensor,
a single logic solver stage and a single actuated valve as
shown in Figure 4. This configuration is referred to as a 1
out of 1 system, denoted 1oo1. Each of the three parts of
the SIS is called a sub-system, and all three sub-systems
must satisfy SIL 1 requirements both separately and when
combined.
A SIL2 would typically be achieved by providing redundancy
as a dual channel, shown for the sensors and actuators in
Figure 5. Here only one out of the 2 channels needs
to function for the SIS to function, ie, one channel can fail.
This configuration is referred to as a 1 out of 2 system,
denoted 1oo2.
A SIL3 may sometimes need to be built with 3 channels
as shown for the sensors in Figure 6. Here only one channel
out of 3 needs to function for the SIS to function, ie, 2
channels can fail. This configuration is referred to as a 1 out
of 3 system, denoted 1oo3. Note that in extreme situations,
3 channels of solenoid valves and shut off valves could
also be used, but the reliability of two solenoid valve-shut
off valve combinations is usually high enough to obviate
the use of three.
Also, a SIL 3 usually requires a 1oo2 arrangement for
logic solvers as well as actuators. However, some high
performance logic solvers can achieve SIL3 in a 1oo1
configuration due to their ability to detect virtually all
dangerous failures and shut down the process automatically.
A SIL4 would be very reliable, but also very expensive,
whereas a SIL 1 would be cheaper but less reliable, ie, of
lower integrity.
Protection system integrity
Consider a simple shut down system comprising a sensor,
logic solver, solenoid valve and shut off valve. In the above
example this could be the high level trip. Assuming, as an
illustration, that each component (sub system) has a failure
rate of 0,1 per year, ie, it fails once in ten years, then the
total failure rate of the string (the four components, forming
3 sub-systems in series) is
f = 0,1 + 0,1 + 0,1 + 0,1 = 0,4/year.
If the system is rarely or never tested, the probability
of failure on demand (PFD) increases with time and would
become very high. However, if tested every six months, one
could say that on average it would be in a fail state for half
the test interval. This is so because, say we divide the time
between tests T into 10: if it fails after 0,1T it would be
in a fail state for (1 - 0,1)T, if it failed after 0,2T it would be in
a fail state for (1 - 0,2)T, and so on until, if it failed after 0,9T, it
would be in a fail state for (1 - 0,9)T. Adding all ten failed times
and taking their average gives an average failed time of ½T.
Thus in the example, if tested every six months, the average
failed time is 6 months/2 = 3 months, equal to 0,25
year. But the failure rate of the protection string f is 0,4 /
year, so the PFD = ½ * f * T = 0,4*0,25 = 0,1 or 10%. The
PFD can be reduced by testing more frequently. If tested
every three months, the PFD = ½ * 0,4 *3/12 = 0,05. This
meets the requirement of a SIL1.
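The PFD arithmetic above, worked through in code as an added example (this is not code from the article). It reproduces the article's illustrative figures (four components at 0,1 failures per year each, tests every six and every three months), checks the discretised "divide T into 10" argument against the continuous result T/2, and maps the resulting PFD onto the IEC 61508/61511 low-demand SIL bands, which are standard values rather than something stated on this page:

```python
"""Average probability of failure on demand (PFDavg) of a proof-tested
1oo1 protection string.

Added example, not code from the article.  The component failure rate
(0,1 per year each), the four-component string and the 6- and 3-month
proof-test intervals are the article's illustrative values; the SIL
bands are the IEC 61508/61511 low-demand PFDavg bands.
"""


def string_failure_rate(component_rates):
    """Series string: a dangerous failure of any one component defeats the
    whole string, so the dangerous failure rates simply add (per year)."""
    return sum(component_rates)


def mean_failed_fraction(n):
    """Discretise the test interval T into n slices, as the text does with
    n = 10.  A failure at k/n of the way through the interval leaves the
    string failed for (1 - k/n) T until the next test.  Averaging over the
    possible failure times gives T/2, the same as the continuous result
    (1/T) * integral_0^T (f t) dt = f T / 2."""
    failed_fractions = [1 - k / n for k in range(1, n)]
    return sum(failed_fractions) / len(failed_fractions)


def pfd_1oo1(failure_rate, test_interval_years):
    """PFDavg = 1/2 * f * T; the linear approximation holds while f*T << 1."""
    return 0.5 * failure_rate * test_interval_years


def sil_from_pfd(pfd):
    """Low-demand-mode SIL band for a PFDavg (IEC 61508 Table 2).
    Returns 0 when the PFD is too high even for SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def high_level_trip_example():
    """Reproduce the article's numbers: f = 0,4 /year, PFD = 0,1 when tested
    every 6 months and 0,05 when tested every 3 months."""
    # sensor, logic solver, solenoid valve, shut-off valve (article's values)
    f = string_failure_rate([0.1, 0.1, 0.1, 0.1])
    results = {}
    for months in (6, 3):
        pfd = pfd_1oo1(f, months / 12)
        results[months] = (pfd, sil_from_pfd(pfd))
    return f, results


if __name__ == "__main__":
    f, results = high_level_trip_example()
    print(f"string failure rate f = {f:.2f} /year")
    print(f"mean failed fraction of T (n=10): {mean_failed_fraction(10):.2f}")
    for months, (pfd, sil) in results.items():
        print(f"test every {months} months: PFD = {pfd:.3f} -> SIL {sil}")
```

Note that a PFD of exactly 0,1 sits on the SIL 1 boundary (SIL 1 requires PFD below 10⁻¹), which is why the article moves to a three-month test interval before claiming SIL 1.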
The above result is not totally realistic because it ignores
common cause failures of the components due to
factors such as electrical interference, excessive vibration
or excessive temperatures, etc. This typically restricts the
PFD reduction to about 10 % of the 1oo1 PFD.
PFD can also be reduced by incorporating redundancy,
as mentioned earlier, into subsystems, eg, the level sensing.
Thus using 1oo2 or 1oo3 systems together with automatic
diagnostic fault detection, the PFD can be further reduced
to allow a SIL 2 and SIL 3 to be achieved. Such methods
can be applied to any of the sub systems and are generally
used to improve the performance of the weakest part of
the ‘string’. Typically 1oo2 is widely used and sometimes
1oo3 is justified.
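To show what the 1oo2 and 1oo3 voting described earlier does to a sub-system's PFD, and why common cause caps the gain, here is an added example (not code from the article). It uses the simplified IEC 61508 beta-factor model, in which a fraction beta of channel failures is assumed to disable every channel at once; beta = 0,1 is a constructed value chosen to match the article's remark that common cause typically limits the reduction to about 10 % of the 1oo1 PFD. The failure rate of 0,1 per year and the three-month test interval are the article's figures.

```python
"""PFDavg of 1ooN redundant sub-systems, with and without a common-cause
allowance.

Added example, not code from the article.  The beta-factor split is the
simplified IEC 61508 model; beta = 0.1 is a constructed value used to
illustrate the article's "about 10 % of the 1oo1 PFD" remark.  Failure
rate 0,1 /year and a 3-month proof-test interval are the article's figures.
"""


def pfd_1ooN(failure_rate, test_interval_years, n, beta=0.0):
    """1ooN voting: the sub-system trips as long as any one of N channels
    works, so it only fails when all N channels have failed.

    Independent failures: PFD(t) = ((1 - beta) f t)^N, which averaged over
    the proof-test interval T gives ((1 - beta) f T)^N / (N + 1).
    Common-cause failures: rate beta * f hits all channels together and
    behaves like a single 1oo1 channel, contributing beta * f * T / 2.
    With n = 1 and beta = 0 this reduces to the familiar f T / 2.
    """
    if n < 1:
        raise ValueError("need at least one channel")
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta is a fraction of failures")
    independent = ((1.0 - beta) * failure_rate * test_interval_years) ** n / (n + 1)
    common_cause = 0.5 * beta * failure_rate * test_interval_years
    return independent + common_cause


def redundancy_comparison(failure_rate=0.1, test_interval_years=3 / 12, beta=0.1):
    """Compare 1oo1, 1oo2 and 1oo3 for one sub-system (eg, the level
    sensors), first assuming independent channels and then with the
    common-cause allowance.  Returns {architecture: (independent, with_ccf)}."""
    table = {}
    for n in (1, 2, 3):
        table[f"1oo{n}"] = (
            pfd_1ooN(failure_rate, test_interval_years, n),
            pfd_1ooN(failure_rate, test_interval_years, n, beta),
        )
    return table


def common_cause_floor(failure_rate, test_interval_years, beta):
    """The term redundancy cannot remove: beta times the 1oo1 PFD.  Adding
    more channels never gets the sub-system below this value, which is why
    the weakest sub-system, not channel count alone, decides the string."""
    return beta * pfd_1ooN(failure_rate, test_interval_years, 1)


if __name__ == "__main__":
    table = redundancy_comparison()
    base = table["1oo1"][0]
    for arch, (ind, ccf) in table.items():
        print(f"{arch}: independent {ind:.2e} ({ind / base:.3%} of 1oo1), "
              f"with common cause {ccf:.2e} ({ccf / base:.3%} of 1oo1)")
    print(f"common-cause floor: {common_cause_floor(0.1, 3 / 12, 0.1):.2e}")
```

With independent channels the step from 1oo1 to 1oo2 cuts the sub-system PFD by nearly two orders of magnitude and 1oo3 by more than three; once the common-cause term is included, both converge on the same floor of beta times the 1oo1 PFD, which is the quantitative reason the article gives for 1oo3 rarely being worth its cost for the solenoid/shut-off valve pair.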
Although a 1oo3 SIS is highly reliable, it is also vulnerable
Figure 3: Adding independent layers of protection
PLANT MAINTENANCE, SAFETY,
HEALTH & QUALITY