
Safety instrumented systems

EP - 20056_c_A_ppt_06 - Safety Instrumented Systems

Content

Overview
Purpose
The different safety instrumented systems
Performance objectives
Typical safety system architecture

The main systems
HIPS
ESD
F&G
USS


2012 - IFP Training

Purpose

To reduce the potential of escalation from an unwanted event:
Limit the loss of containment (ESDVs, SDVs)
Eliminate sources of ignition (electrical isolation)
Reduce flammable inventory (emergency depressurization)

Quickly and without the need for control during the sequence

WARNING:

Safety systems do not eliminate all hazards (e.g. hot spots)
The safety system sequence must be safe in itself and lead to a safe and stable final status
Special cases (e.g. down-graded mode of operation or simultaneous operations) cannot always be covered by safety systems

The different safety systems

Process Control System (PCS): controls & associated alarms
Process Shutdown System (PSS): trips & associated SD actions
High Integrity Protection System (HIPS): high reliability, non-mechanical protection
Emergency Shutdown System (ESD): emergency SD actions
Fire & Gas System (F&G): F&G detection/action + link with the ESD system
Ultimate Safety System (USS): back-up of essential ESD actions

Multiple protection layers principle (figure; layers from the innermost outwards):
PROCESS
CONTROL SYSTEM
ALARMS
PSS
PSV (HIPS)
ESD / F&G
USS
Safety systems performance objectives

Safety systems operate upon demand.

RELIABILITY
How to improve the reliability of systems activated upon demand? (one single component)
PFD = f(λ, T)
PFD = Probability of Failure upon Demand; λ = failure rate of the component; T = testing interval
To select a component with a low failure rate λ (per year)
To reduce the testing interval T (per year)

AVAILABILITY
High availability is required. Redundancy may be considered.
An equivalent compensating measure has to be set up in case of unavailability.

Effect of testing interval on system reliability (figure: chart of PFD against testing interval)

Reliability: Safety integrity level (IEC 61508)

Safety Integrity Level (SIL) | Average Probability of Failure on Demand
SIL 4 | 10^-5 to 10^-4
SIL 3 | 10^-4 to 10^-3
SIL 2 | 10^-3 to 10^-2
SIL 1 | 10^-2 to 10^-1

Reliability: Applicability

SIL covers the whole loop:
THE PRIMARY ELEMENT (sensor, e.g. PSHH)
THE LOGIC SOLVER (I/O cards + Programmable Logic Controller (PLC) + power supply)
THE FINAL ELEMENTS (valve, e.g. SDV)

Loop (figure): PSHH -> I/O -> LOGIC SOLVER -> I/O -> SDV

Reliability: Typical sensors configuration

Loop (figure): SENSORS (PSHH) -> LOGIC SOLVER (P.L.C.) -> FINAL ELEMENT (SDV)

Integrity Level | Typical Architecture
SIL 1 | 1oo1
SIL 2 | 1oo2 or 2oo3
SIL 3 | 1oo3
SIL 4 | Special requirements (see IEC 61508)
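As an added worked example (not code from the IFP Training slides), the following Python evaluates the PFD = f(λ, T) relationship for the typical architectures above with the standard IEC 61508 simplified low-demand formulas, then places each result in the SIL bands of the table; the failure rate, the test intervals and the 10 % common-cause fraction are constructed figures.

```python
"""Added example (not from the IFP Training slides): simplified low-demand
PFDavg for the voting architectures in the table above, and the IEC 61508
SIL band each result falls in. Formulas are the standard IEC 61508 simplified
ones for identical channels with dangerous undetected failure rate lam (per
year), proof-test interval T (years) and a beta-factor common-cause term;
repair time and diagnostic coverage are ignored (assumption)."""


def pfd_avg(lam, T, arch="1oo1", beta=0.0):
    """Average PFD of one voted group.
    lam:  dangerous undetected failure rate per channel (per year)
    T:    proof-test interval (years)
    arch: '1oo1', '1oo2', '2oo3' or '1oo3' (the slide's typical architectures)
    beta: fraction of channel failures that are common-cause (0 = no CCF term)"""
    x = lam * T  # expected dangerous failures of one channel per test interval
    independent = {
        "1oo1": x / 2,       # single channel: PFD grows linearly with T
        "1oo2": x ** 2 / 3,  # both channels must have failed
        "2oo3": x ** 2,      # any two of three must have failed
        "1oo3": x ** 3 / 4,  # all three must have failed
    }[arch]
    # A common-cause failure defeats every channel at once, so it behaves
    # like a 1oo1 channel of rate beta*lam whatever the voting; only
    # diversification (see the tools table) reduces it.
    common_cause = 0.0 if arch == "1oo1" else beta * x / 2
    return independent + common_cause


def sil_band(pfd):
    """IEC 61508 low-demand SIL for a PFDavg, per the table above.
    Returns None outside SIL 1..4 (at or above 1e-1, or below 1e-5)."""
    for sil, lo, hi in ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3),
                        (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)):
        if lo <= pfd < hi:
            return sil
    return None


def compare_test_intervals(lam, arch, intervals, beta=0.0):
    """{T: (pfd, sil)} showing the slide's point that a shorter testing
    interval lowers PFD and can buy a SIL level."""
    out = {}
    for T in intervals:
        pfd = pfd_avg(lam, T, arch, beta)
        out[T] = (pfd, sil_band(pfd))
    return out


if __name__ == "__main__":
    # Constructed figures: lam = 0.01/yr, tests every 1, 0.5 and 0.1 year, 10 % CCF.
    for arch in ("1oo1", "1oo2", "2oo3", "1oo3"):
        for T, (pfd, sil) in compare_test_intervals(0.01, arch, (1.0, 0.5, 0.1), 0.1).items():
            print(f"{arch}  T={T:<4} yr  PFDavg={pfd:.2e}  SIL {sil}")
```

With the 10 % common-cause fraction, 1oo2, 2oo3 and 1oo3 all land in the same SIL 3 band because the CCF term dominates the independent term, which is why the tools table pairs redundancy with diversification.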


Reliability: Typical final elements configuration (figure)

Reliability: SIL requirement

PSS logic solver: SIL 2
ESD, F&G logic solvers: SIL 3
Certification is required for the hardware and the system software, but not for the application software
Specific ESD loops: SIL 2 or 3 may be requested
HIPS: no preset value, a risk analysis is required

Availability

No criteria imposed, but:
Unavailability entails production losses
Frequent breakdowns induce hazards (transients, restart sequences)
A (too) high availability requirement leads to complexity and cost

Recommended figures:
Availability of the whole loop between 99% and 99.9%
Availability of the solver between 99.9% and 99.99%

Warning
High availability figures are useless if safety systems are too difficult to repair (highly qualified technician or vendor's representative needed)
On-line repair capability highly recommended

Performance objectives: Available tools

TOOL | EFFECT
Voting | 1ooN increases reliability; MooN decreases spurious trips
Redundancy | Increases MTBF (Mean Time Between Failures) (availability)
Diversification | Decreases common mode failures
Testing | Increasing the testing frequency decreases the probability of failure on demand
On-line repair | Increases MTBF drastically (availability)
Fault coverage | Decreases the probability of failure upon demand
Fault tolerance | Increases MTBF and reliability
Independency | Increases MTBF and reduces the risk of operator errors

Systems architecture: Recommendations

SEGREGATION OF PCS, PSS, ESD, F&G: for independency and diversification
Tappings, sensors, transmitters
Transmission
Valves, contactors, etc.

1 Programmable Logic Controller for the PCS and PSS: for redundancy and independency
Segregation of the I/O cards, racks and processors
SIL 2

1 PLC for the ESD, 1 PLC for the F&G: for independency and redundancy
SIL 3

USS: for diversification
Solid state

Safety systems, typical architecture (figure)

Block diagram with field initiators (PSD field initiators, packages (PKGE), ESD0 and ESD1 push buttons (PB), ESD and F&G initiators), logic solvers (PCS, PSS at SIL 2, ESD at SIL 3, F&G at SIL 3, solid-state USS) connected by action links and data links, and field terminal/final elements (SDVs, motors, packages, ESDVs, BDVs, electrical breakers, large motors, power grid, UPS, fire fighting, HVAC). Columns: Process Control, Process Safety, Ultimate Safety, Emergency S/D, Fire & Gas.

Legend:
PKGE: Packages
SIL: Safety Integrity Level
hardwired link
serial link
single data bus
duplicated data bus

Notes: Only the links for action are represented
(1) Accommodation + office smoke detectors, addressable
(2) Fired equipment package shutdown
(3) High reliability timer
(4) A duplicated data bus is an acceptable alternative
(5) PSS/ESD/F&G links for data only are serial (duplicated/triplicated data bus)

Main system: HIPS

High Integrity Protection System (HIPS):
Instrument-based systems of sufficient integrity (involving high reliability redundant and/or diversified instruments) so as to make the probability of exceeding the design parameters upon demand lower than a specified value (typically SIL 2 to 4)

The great majority of HIPS are Instrumented Pressure Protection Systems (IPPS), exclusively devoted to over-pressure protection.

Main system: HIPS

HIPS purpose: to replace the PSV
A HIPS (or IPPS) is made up of dedicated components for detection of the overpressure and isolation by SDVs/ESDVs
The HIPS components shall be independent from the PCS, PSD and ESD systems, with the exception of the SDVs and ESDVs, which can be used for both the HIPS and the ESD (or PSD)

Conventional design (API RP 14C): 2 independent safety barriers
First barrier: PSS system (PSHH + SDV)
Second barrier: pressure relief valve (PSV)

Main system: without HIPS (figure)

Failure scenario: choke fails open. Flow path: well -> subsea pipeline (design pressure 450 barg) -> riser ESDV -> topside choke -> downstream equipment (design pressure 80 barg), with gas and liquids outlets.
1st barrier (instrumented): PSS, PSHH acting on the SDV
2nd barrier (mechanical): full flow PSV

Main system: with HIPS (figure)

Same scenario (choke fails open; subsea pipeline design pressure 450 barg, downstream design pressure 80 barg).
1st barrier (instrumented): PSS, PSHH acting on the SDV
2nd barrier (instrumented): HIPS logic fed by four PSHH, acting on the SDV / riser ESDV in place of the full flow PSV

Main system HIPS: Typical example

HIPS arrangement (typical) (figure)

Reliability study (fault tree, figure). Top event: HIPS FAILURE, 6.84E-04. Events and figures shown in the tree: CCF of HIPS 5.48E-06; CCF of PS 4.4E-05; CCF of human failure 1E-05; HIPS 1 fails and HIPS 2 fails 6.3E-04; pressure switch fails 6.3E-03 (3.97E-05 for two switches in combination); human failure to restore after test 5.8E-03; 1.0E-04; HIPS SDV 1 fails / HIPS SDV 2 fails 4.4E-04.

Example of HIPS on Girassol process (figure)

Process flow sketch: from the inlet manifold to the 1st stage separator (DS301, DS351), then the 2nd stage separator (DS302) and the 3rd stage separator (DS303); heat exchangers EC301 A/B; water to water treatment via IG401 & DA 401 (or DA450), IG402 & DA 401, IG450 and DA 450.

Security barriers for hard HIPS on Girassol (figure)

P&ID sketch of the 1st stage separator DS301 and the ROSA separator DS351, each with water and oil outlets; tags shown: LSLL3006, LSLL3506, PSHH3028, LSHH3026; SDV 3002, SDV 3003, SDV 3007, SDV 3008, SDV 3505, SDV 3506, SDV 3507, SDV 3508, SDV 3021, SDV 3037; LV1/2 3005, LV1/2 3508, LV1/2 3025; EC301; 2nd stage separator DS302 (start-up in 2 phases); DS303; IG401 / DA 401. Hard HIPS and soft HIPS elements are distinguished.

Integration hard & soft HIPS (figure; ESD2)

Security hard HIPS (figure)

Main system HIPS: PROS & CONS

HIPS can be considered if no alternative is available

ADVANTAGES:
Environment friendly (no release to atmosphere)

DISADVANTAGES:
Difficulty of controlling risks:
Reliability calculations cannot take into account all factors (human factors & construction errors)
Must be closely monitored from project to start-up
Stringent testing and maintenance requirements for the operation team

Emergency shut down system: ESD logic diagram

ESD logic diagram mandatory for each installation, for the operators' reference
Causes and effects matrix also required, for instrument maintenance and testing
4 SD levels are generally required
Each SD level must be safe in itself and correspond to a safe and stable status of the facilities

ESD and SD levels definition (as per GS-EP-SAF-261)

ESD-0: Total black shutdown of the whole facility (within Restricted Area)
Highest level of ESD, intended to make an installation safe before evacuation
Manually initiated only once the voluntary decision has been taken by the site RSES or OIM to evacuate the installation

ESD-1: Fire Zone Emergency Shut-Down
e.g. Complete shutdown of one fire zone due to a confirmed gas detection

SD-2: Unit Shut-Down (within one Fire Zone)
e.g. Gas compression unit shutdown

SD-3: Equipment shutdown (within one unit)
e.g. Pump shutdown

Implementation of ESD and (E)SD levels (figure)

Causes & effects matrix (figure)

Matrix of causes (rows) against effects (columns).
Causes: FD, GD, SD, H2SD
Effects: Alarm, ESD1, ESD2, ESD3, FiFi pump starts, Deluge activated, HVAC shut down, CO2 release

ESD-0: complete installation shutdown

REQUIREMENT:
Offshore (mandatory), onshore (recommended)

CAUSES:
Manual activation (PBs)

ACTIONS:
ESD-1 of all fire zones
Complete shutdown of all fire zones
(Does not stop the diesel fire pumps if these have already started)
Emergency depressurization (mandatory offshore, optional onshore) of all fire zones
Complete de-energization of the installation, including battery powered systems (except NAVAIDS, emergency lighting, emergency telecom, PAGA)
Close down hole safety valves (DHSVs) of production wells
Escape and evacuation means from the installation if necessary

ESD-1: individual fire zone shutdown

CAUSES:
ESD-0
Manual activation (PBs)
Gas detection
Fire detection (in process / hydrocarbon handling areas)
UPS batteries low voltage

ACTIONS:
Complete shutdown of the fire zone: close all ESDVs
Emergency depressurization (mandatory offshore, optional onshore) of the fire zone
ESD-1-F activates fire fighting means in the fire zone
ESD-1-G shuts down ignition sources in the fire zone, except controls and emergency equipment suitable for a zone 1 hazardous area

SD-2: unit shutdown

CAUSES:
ESD-1
Manual activation (PBs)
Major process faults
Flare drum LSHH
Instrument air PSLL
Fuel gas PSLL, if fuel gas is used to prevent air ingress in the flare
Loss of normal electrical power supply

ACTIONS:
Shut down all the HC processing equipment, transfer or utility units
Close SDVs
Shut down motors
Shut down some non-HC associated equipment (e.g. chemical treatment)
Permissive to perform manual emergency depressurisation

SD-3: equipment shutdown (utility)

CAUSES:
ESD-1 of the fire zone
ESD-2 of the unit
Manual activation (PBs / local panel)
FD or GD inside enclosed packages (e.g. gas turbines, gas engines)
Equipment trip (when not handled by the package)

ACTIONS:
Shut down the package (e.g. compressor)
Shut down the associated electrical / fired equipment
Close SDVs

SD causes summary

CAUSE | SHUT-DOWN TYPE
Push button | ESD-0, ESD-1, SD-2, SD-3
ESD-0 (direct action) | ESD-1
PSLL in pipelines to installation | ESD-1
Confirmed gas detection | ESD-1
Process areas fire detection | ESD-1
Low UPS battery voltage | ESD-1
ESD-1 (direct action) | SD-2
Relevant process fault | SD-2
Loss of containment | SD-2
LSHH flare KO drum, PSLL instrument air | SD-2
Low fuel gas pressure | SD-2
SD-2 (direct action) | SD-3
Equipment fault | SD-3
Fire detection inside package | SD-3
Gas detection inside package | SD-3
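The following Python is an added example, not part of the slides, that encodes the summary table and the "direct action" cascade between levels on a constructed plant model (fire zones FZ1/FZ2 and the unit and equipment tags are assumptions); it also applies the rule that, offshore, emergency depressurisation is automatic upon ESD-1.

```python
"""Added example, not part of the IFP Training slides: the ESD/SD hierarchy of
the SD causes summary on a constructed plant model. A cause initiates one level;
by 'direct action' each level cascades down inside its own scope."""

LEVELS = ("ESD-0", "ESD-1", "SD-2", "SD-3")  # highest to lowest

# Highest level initiated by each automatic cause (from the summary table);
# push buttons exist for every level and ESD-0 has no automatic cause.
CAUSE_TO_LEVEL = {
    "PSLL in pipelines to installation": "ESD-1",
    "Confirmed gas detection": "ESD-1",
    "Process areas fire detection": "ESD-1",
    "Low UPS battery voltage": "ESD-1",
    "Relevant process fault": "SD-2",
    "Loss of containment": "SD-2",
    "LSHH flare KO drum": "SD-2",
    "PSLL instrument air": "SD-2",
    "Low fuel gas pressure": "SD-2",
    "Equipment fault": "SD-3",
    "Fire detection inside package": "SD-3",
    "Gas detection inside package": "SD-3",
}

# Constructed plant: facility -> fire zone -> unit -> equipment tags (assumption).
PLANT = {"FZ1": {"Separation": ["V-101", "V-102"], "Compression": ["K-201", "K-202"]},
         "FZ2": {"Export": ["P-301A", "P-301B"]}}

def initiated_level(cause, push_button_level=None):
    """Level a cause initiates; a push button must name its level."""
    if cause == "Push button":
        if push_button_level not in LEVELS:
            raise ValueError("push button must name one of " + ", ".join(LEVELS))
        return push_button_level
    return CAUSE_TO_LEVEL[cause]

def cascade(level, where=None):
    """Scopes shut down at the initiating level and every level below it; 'where'
    is the fire zone (ESD-1), unit (SD-2) or equipment tag (SD-3) of the cause."""
    scopes = {"ESD-0": ["facility"]} if level == "ESD-0" else {}
    zones = list(PLANT) if level == "ESD-0" else [where] if level == "ESD-1" else []
    if zones:
        scopes["ESD-1"] = zones
    units = [u for z in zones for u in PLANT[z]] or ([where] if level == "SD-2" else [])
    if units:
        scopes["SD-2"] = units
    scopes["SD-3"] = [e for z in PLANT for u, eqs in PLANT[z].items()
                      if u in units for e in eqs] if units else [where]
    return scopes

def shutdown(cause, where=None, offshore=True, push_button_level=None):
    """(scopes, edp_automatic): offshore, emergency depressurisation is automatic
    upon ESD-1; onshore it is manual or automatic, modelled as manual (assumption)."""
    scopes = cascade(initiated_level(cause, push_button_level), where)
    return scopes, offshore and "ESD-1" in scopes
```

For example, shutdown("Confirmed gas detection", "FZ1") yields ESD-1 of FZ1, SD-2 of both units in FZ1 and SD-3 of their four equipment items, with automatic depressurisation offshore, while shutdown("Low fuel gas pressure", "Compression") stays within that unit.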

Emergency depressurisation

Significantly reduces the gas inventory feeding the event (e.g. jet fire)
Avoids mechanical rupture of vessels engulfed in fire, by reducing stress
Limits HC inventory in case of leak

Emergency De-Pressurisation requirement

Required for equipment or piping isolated and exposed to fire simultaneously, and:
Flammable gas & two-phase hydrocarbon: P > 7 barg and PV(gas) > 100 bar.m3
Liquefied hydrocarbon (refrigerated or under pressure): M gas or M liq. > 2 tons of C3/C4
Toxic inventories: as required for safety to life of personnel/public

Target Pressure Reduction:
7 barg or 50% of design pressure (considering the fire heat input), whichever is most stringent (API RP 521)

Depressurisation Time:
15 minutes base case (if wall thickness > 1 inch, otherwise less)
8 minutes for vessels containing LPGs (risk of BLEVE)

Emergency De-Pressurisation (EDP) principles

Initiation of EDP:
Offshore: automatic upon ESD1
Onshore: manual or automatic, always in case of ESD1

Interruption:
Normally, EDP continues until atmospheric pressure is reached, and the BDVs are locally reset
EDP remote interruption can however be considered:
One push-button in the control room for each fire zone
Remote closure of all BDVs of the fire zone
Does not stop the other ESD sequences: ESDVs close, motor shutdown, electrical shut-off, active fire-fighting, etc.

Fire and Gas system logic (figure: detection type against actions)

Detection types:
FIRE DETECTION: outdoors; machinery enclosure
SMOKE DETECTION: inside buildings; inside technical rooms
FLAMMABLE GAS DETECTION: outdoors; machinery enclosure
TOXIC GAS DETECTION

ACTIONS listed:
ESD-1 + activate FiFi
ESD-3 + activate FiFi + stop HVAC + close dampers
Stop HVAC + close dampers + extinguishing agent release (if any)
ESD 1 + electrical isolation
ESD 3 + electrical isolation + close dampers
Alarm only

Ultimate Safety System (USS)

Principles

PURPOSE
To provide a highly reliable means of closing the ESDVs and opening the BDVs
To avoid common modes of failure in electronic devices and in control software

HOW?
Simple, non-programmable, hardwired system
Same push buttons for the USS and the ESD
De-energises the relevant 24 V DC, air and hydraulic controls

NOT MANDATORY
Not for simple installations (wellhead platforms), or if it can be demonstrated that the SIL requirements are achieved by the ESD & F&G alone.

Typical architecture (figure)
