Process Safety Reliability & Efficiency

EMERGENCY SHUT-DOWN
Safety in the Process Industry is currently playing an increasingly and vitally important role.
In a more complex and multidisciplinary engineering environment there is a growing need for engineers, technicians and management involved in process engineering to be aware of the implications of designing and operating safety-related systems.
Emergency Shut Down components and systems were prepared by the major Standards organizations in Europe and the US.
Combined with the actuated shut down valve, ESD solenoid valves are the final defense against a plant failure causing a catastrophic accident. ESD solenoid valves are connected to a PLC and together with sensors form a Safety Loop. Whenever the sensors detect a dangerous or hazardous situation it is essential for the solenoid valves to reliably exhaust air from the actuator in the shut down valve(s) so that they return to a fail safe mode by means of spring force (fail close/open).
BASIC ARCHITECTURE:
Emergency shut-down system introduction
Emergency shutdown system (or Safety Instrumented System (SIS)) is defined as a system designed to respond to conditions in the plant which may be hazardous in themselves or, if no action was taken, could eventually give rise to a hazard. The SIS must generate the correct outputs to mitigate the hazardous consequences or prevent the hazard.
Emergency shutdown valves are the final defense against process abnormality. In a modern system, ESD valves are connected to a PLC and with sensors form a Safety Loop.
GOOD SAFE SYSTEM
All safety loops need to be examined and assessed to ensure safe operation of a plant and compliance with IEC 61508 or 61511. When determining a SIL, all devices need to be considered in each specific safety instrumented function (SIF) or field instrumentation, not just the logic solver. The most forward thinking suppliers have all elements of the loop covered with SIL certified instrumentation and logic solvers, from SIL1 through SIL3, protecting up to SIL4 with technology diversity.
IEC 61508 clearly pointed out that the standards to meet the SIL system for the protection of the overall security assessment must cover the emergency shutdown valve and control system. The valve, actuator and especially the solenoid valve are most likely to have faults such as no switching, faulty motion, coil failure and air leakage.
FOLLOWING ARE THE MAIN REQUIREMENTS FOR SIS APPROVED VALVES
Solenoid valves in this system are TÜV approved based on IEC 61508, complying with SIL 4, and DIN V 19 251.
Stainless steel solenoid coil and valves particularly suited for explosive atmospheres and corrosion resistant applications.
International functional safety standards
Functional Safety
As a consequence of this accident, emergency shutdown systems have played a more and more important role all over the world.
Due to the critical nature of such systems, OSHA recognizes compliance with the standard ANSI/ISA S84.01, which introduces SIS for the process industries and is based on international standards from the International Electrotechnical Commission (IEC). One of the standards is IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, Parts 1-7, 1998. It is an umbrella standard applicable to all industries. IEC is in the process of developing a process-industry-specific version of IEC 61508 based on ANSI/ISA S84.01, i.e. IEC 61511.
Safety Integrity Level (SIL):
Safety Integrity Level (SIL) is defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a Safety Instrumented Function (SIF). The safety integrity level is determined primarily from the assessment of three factors:
1) Improved reliability. 2) Failure to safety. 3) Management, systematic techniques, verification and validation.
SIL refers to a single method of reducing injury (as determined through risk analysis), not an entire system, nor an individual component.
Improved reliability
For systems that operate continuously (continuous mode) and systems that operate more than
once per year (high demand), the allowable frequency of failure must be determined. For systems
that operate intermittently (less than once a year / low demand) the probability of failure is
specified as the probability that the system will fail to respond on demand.
SIL   Low demand mode: average probability   High demand or continuous mode: probability
      of failure on demand                   of dangerous failure per hour
1     ≥ 10^-2 to < 10^-1                     ≥ 10^-6 to < 10^-5
2     ≥ 10^-3 to < 10^-2                     ≥ 10^-7 to < 10^-6
3     ≥ 10^-4 to < 10^-3                     ≥ 10^-8 to < 10^-7
4     ≥ 10^-5 to < 10^-4                     ≥ 10^-9 to < 10^-8
Failure to safety
Calculation of safe failure fraction (SFF) determines how fail-safe the system is. This compares the likelihood of safe failures with dangerous failures. Reliability by itself is not sufficient to claim a SIL level. There are charts in IEC 61508 that specify the level of SFF required for each SIL.
Management, systematic techniques, verification and validation
Specific techniques ensure that mistakes and errors are avoided across the entire life-cycle. Errors introduced anywhere from the initial concept, risk analysis, specification, design, installation, maintenance and through to disposal could undermine even the most reliable protection. IEC 61508 specifies techniques that should be used for each phase of the life-cycle.
Certification to a Safety Integrity Level
The International Electrotechnical Commission's (IEC) standard IEC 61508, now IEC EN 61508, defines SIL using requirements grouped into two broad categories: hardware safety integrity and systematic safety integrity. A device or system must meet the requirements for both categories to achieve a given SIL.
The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device. To achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and a minimum Safe Failure Fraction. The concept of "dangerous failure" must be rigorously defined for the system in question, normally in the form of requirement constraints whose integrity is verified throughout system development. The actual targets required vary depending on the likelihood of a demand, the complexity of the device(s), and types of redundancy used.
PFD (Probability of Failure on Demand) and RRF (Risk Reduction Factor) of low demand operation for different SILs as defined in IEC EN 61508 are as follows.
SIL   PFD                  PFD (power)       RRF
1     0.1 - 0.01           10^-1 - 10^-2     10 - 100
2     0.01 - 0.001         10^-2 - 10^-3     100 - 1,000
3     0.001 - 0.0001       10^-3 - 10^-4     1,000 - 10,000
4     0.0001 - 0.00001     10^-4 - 10^-5     10,000 - 100,000
For continuous operation, these change to the following (Probability of Failure per Hour).
SIL   PFH                          PFH (power)       RRF
1     0.00001 - 0.000001           10^-5 - 10^-6     100,000 - 1,000,000
2     0.000001 - 0.0000001         10^-6 - 10^-7     1,000,000 - 10,000,000
3     0.0000001 - 0.00000001       10^-7 - 10^-8     10,000,000 - 100,000,000
4     0.00000001 - 0.000000001     10^-8 - 10^-9     100,000,000 - 1,000,000,000
Risk / Risk Graph:
The risk potential relating to a process technology system is determined in accordance with IEC 61511. A risk reduction should be implemented to address the particular risk involved. The components used must meet the requirements of IEC 61508 or IEC 61511 if this risk reduction is achieved through the application of electric/electronic automation technology. Both standards divide systems and risk reducing measures into safety levels, these ranging from SIL 1 (indicating a low risk) to SIL 4 (indicating an extreme risk) based on IEC 61508. IEC 61511 (the sector of process technology) has a limitation to SIL 3.
The greater the risk, the more reliable risk reduction measures must be implemented and, consequently, the greater the reliability the components used must exhibit.
It is consequence driven and four parameters are used to characterize a potential hazardous event: Consequence (C), Frequency of exposure (F), Possibility of escape (P) and Likelihood of event (W). The following is an example of a Risk Graph.
IEC 61508/61511
SAFETY INTEGRITY LEVEL (instrument)
IEC 61508 requires a minimum degree of Hardware Fault Tolerance (HFT) relative to the Safe Failure Fraction (SFF). This is shown in the table. The SFF of Pepperl+Fuchs devices achieves the range 60 % ... 90 %, solenoid drivers being up to 100 %. This is why solenoid drivers also achieve SIL 3 in the case of a 1oo1 loop structure.
HFT: Hardware fault tolerance stands for the maximum number of hardware faults which will not lead to a dangerous failure. A hardware fault tolerance of zero means that a single fault can cause loss of the safety function.
Maximum permissible SIL relative to the fault tolerance and the proportion of "safe" failures (in compliance with IEC 61508-2) for Type A sub-systems (non complex sub-systems).
Proportion of (safe) failures (SFF)   Hardware Fault Tolerance (HFT)
                                      0        1        2
< 60 %                                SIL 1    SIL 2    SIL 3
60 % to < 90 %                        SIL 2    SIL 3    SIL 4
90 % to < 99 %                        SIL 3    SIL 4    SIL 4
> 99 %                                SIL 3    SIL 4    SIL 4
PFD:
Tproof:
ORGANISATIONAL MEASURES:
A safety system is usually in low demand mode in the field of process automation. This is equivalent to one demand per year. The most important organizational measure is therefore a regular function test conducted on the complete safety system.
This test verifies the function of the entire safety system, including its mechanical components. The shorter the interval between tests, the greater the probability that the safety system will function in a correct manner.
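As an added worked example (not part of the original document), the following Python ties the SIL bands, the Type A SFF/HFT table and the proof-test interval together for a single-channel (1oo1) low-demand ESD loop: it computes SFF from constructed failure rates, estimates PFDavg with the simplified IEC 61508-6 formula λ_DU × T_proof / 2, and bounds the claimed SIL by both the PFD band and the architectural constraint. The failure rates and the exclusive-upper-bound reading of the SFF rows are assumptions, not vendor or standard data.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
# Low-demand PFDavg bands from the SIL table above: (SIL, lower bound, upper bound)
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
# Type A architectural constraint (SFF rows, HFT 0/1/2 columns) as tabulated above.
# Assumption: each row's upper SFF limit is exclusive, so 99 % and above is the last row.
TYPE_A_ARCH = [
    (0.60, (1, 2, 3)),   # SFF < 60 %
    (0.90, (2, 3, 4)),   # 60 % to < 90 %
    (0.99, (3, 4, 4)),   # 90 % to < 99 %
    (1.01, (3, 4, 4)),   # 99 % and above
]

@dataclass
class FailureRates:
    """Per-hour failure rates: safe/dangerous x detected/undetected (constructed values)."""
    sd: float
    su: float
    dd: float
    du: float

def safe_failure_fraction(r: FailureRates) -> float:
    """SFF: every failure except dangerous-undetected, as a share of all failures."""
    return (r.sd + r.su + r.dd) / (r.sd + r.su + r.dd + r.du)

def pfd_avg_1oo1(lambda_du: float, t_proof_hours: float) -> float:
    """Simplified IEC 61508-6 estimate for one channel: lambda_DU * T_proof / 2 (repair time ignored)."""
    return lambda_du * t_proof_hours / 2.0

def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg onto the low-demand SIL bands; 0 means no SIL can be claimed."""
    for sil, lo, hi in PFD_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0

def sil_from_architecture(sff: float, hft: int) -> int:
    """Highest SIL the SFF/HFT table allows for a Type A subsystem."""
    for upper, sils in TYPE_A_ARCH:
        if sff < upper:
            return sils[hft]
    return TYPE_A_ARCH[-1][1][hft]

def achievable_sil(r: FailureRates, t_proof_hours: float, hft: int = 0) -> int:
    """The claimed SIL is limited by both the PFD band and the architectural constraint."""
    return min(sil_from_pfd(pfd_avg_1oo1(r.du, t_proof_hours)),
               sil_from_architecture(safe_failure_fraction(r), hft))
```

With constructed rates of λ_SD = 1e-6, λ_SU = 2e-6, λ_DD = 5e-7 and λ_DU = 2.5e-7 per hour, `achievable_sil` returns SIL 2 for a yearly proof test and SIL 3 for a twice-yearly one, which is the proof-test interval effect the text describes.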
IEC 61508 is an international standard of rules applied in industry. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES).
IEC 61508 has the following views on risks:
Zero risk can never be reached
Safety must be considered from the beginning
Non-tolerable risks must be reduced (ALARP)
IEC 61511 is a technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation. Such systems are referred to as Safety Instrumented Systems. The title of the standard is "Functional safety - Safety instrumented systems for the process industry sector".
Certified to IEC 61508
If the system has an IEC 61508 certification, then it's important to understand the criteria used by the third party assessor for issuing such certification to a First Generation Safety System. The IEC 61508 standard recognizes the following four criteria in the assessment of Safety PLCs/Programmable Electronic Systems:
Hardware Safety Integrity
Behavior in presence of failure
Safe Failure Fraction
Systematic Capabilities
IEC 61508 Edition 2
There are other concepts added to IEC 61508 Edition 2 that might affect compliance and should be considered when choosing a PES. This paper will concentrate only on the following three areas, but the author encourages the reader to seek additional information on the topic.
1. Systematic Capabilities
2. Competence
3. Security
Security:
In the case the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, is reasonably foreseeable, then a security threats analysis should be carried out.
IEC 61511
IEC 61511 covers the design and management requirements for SISs from cradle to grave. Its scope includes: initial concept, design, implementation, operation, and maintenance through to decommissioning. It starts in the earliest phase of a project and continues through startup. It contains sections that cover modifications that come along later, along with maintenance activities and the eventual decommissioning activities.
The standard consists of three parts:
1. Framework, definitions, system, hardware and software requirements
2. Guidelines in the application of IEC 61511-1
3. Guidance for the determination of the required safety integrity levels
4. Hardware safety integrity, which refers to the ability of the hardware to minimise the effects of dangerous hardware random failures, and is expressed as a PFD (probability of failure to danger) value.
5. Behavior of the system following the detection of a fault condition. Safety-related systems need to be capable of taking fail-safe action, which is a system's ability to react in a safe and predetermined way (e.g. shutdown) under any and all failure modes. This is usually expressed as the Safe Failure Fraction (SFF) and is determined from an analysis of the diagnostic cover the design can achieve (see below).
6. The new important parameter introduced is Safe Failure Fraction (SFF), which is a measure of the cover and effectiveness of the diagnostics in the system. In order to accommodate earlier system designs based on high levels of redundancy and lower levels of diagnostic cover, the standard considers the complete system architecture in the assessment of the SIL achieved. Maximum SIL rating is related to Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT), according to Table 1 shown below.
7. Systematic safety integrity refers to failures that may arise due to the system development process, safety instrumented function design and implementation, including all aspects of its operational and maintenance lifecycle safety management.

SIL ' S()
CONCLUSION
Internationally recognized standards such as ANSI/ISA S84.01 and IEC 61508 serve as guidelines to insure proper instrumentation is in place to mitigate or avoid hazardous situations. In order to meet these requirements, exceptional equipment availability, reliability, experience, and record of accomplishment are required.
The owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.
1) Confirm that a hazard and risk analysis has been done to determine qualitatively or quantitatively the level of risk reduction needed for each SIF in the SIS.
2) Confirm that an assessment of the existing SIF has been performed to determine that it delivers the needed level of risk reduction.
If those activities have not been done, they should be scheduled for review at the "next appropriate opportunity", which means if any of the following conditions is met:
Modifications to the process unit that impact process risk managed by the SIS;
Modifications to the control system that impact protection layers used to achieve safe operation;
When an incident or near miss investigation has identified an SIS deficiency; or
When the review of another process unit designed according to similar practice has identified an SIS deficiency.