08.1 - 20056 - C - A - PPT - 06 - Safety Instrumented Systems PDF

Safety instrumented systems
EP - 20056_c_A_ppt_06 - Safety Instrumented Systems

Content
 Overview
• Purpose
• The different safety instrumented systems
• Performance objectives
• Typical safety system architecture
 The main systems

• HIPS
• ESD
• F&G
© 2012 - IFP Training

• USS
EP - 20056_c_A_ppt_06 - Safety Instrumented Systems 2

Purpose
 To reduce the potential of escalation from an unwanted event:

• Limit the loss of containment (ESDVs, SDVs)
• Eliminate sources of ignition (Electrical isolation)
• Reduce flammable inventory (Emergency depressurization)
 Quickly and without the need for control during the sequence
 WARNING:
• Safety Systems do not eliminate all hazards (e.g. hot spots)
• Safety Systems sequence must be safe in itself and lead to a safe and
stable final status
• Special cases (e.g. down-graded mode of operation or simultaneous
operation) cannot always be covered by safety systems

The different safety systems
 Process Control System:  Multiple protection layers principle

• Controls & associated (PCS) alarms
 Process Shutdown System:
• Trips & associated SD (PSS) actions USS
 High Integrity Protection System: ESD / F&G

• High reliability – no mechanical
protection (HIPS) PSV (HIPS)
 Emergency Shutdown System: PSS

• Emergency SD actions (ESD)
ALARMS
 Fire & Gas System:
• F&G detection/action + Link with ESD CONTROL
system SYSTEM
 Ultimate Safety System: PROCESS

• Back-up of essential ESD actions
(USS)

Safety systems performance objectives
 Safety systems are operating upon demand
 Reliability
How to improve the reliability

of systems activated upon demand? (One single component)
* PFD = f(λ ,T)

* PFD = Probability of Failure upon Demand
• To select component with low failure rate λ (per year)
• To reduce the Testing interval T (per year)
 AVAILABILITY

• High availability is required. Redundancy may be considered
• Equivalent compensating measure has to be set up in case of
unavailability.
Effect of testing interval on system reliability

Reliability – Safety integrity level (IEC-61508)
RELIABILITY
Safety Integrity Level (SIL) Average Probability of Failure on Demand
4 10-5 to 10-4
3 10-4 to 10-3
2 10-3 to 10-2
1 10-2 to 10-1

Reliability – Applicability
 SIL covers the whole loop
• PRIMARY ELEMENT (sensor)
• THE LOGIC SOLVER (I/O cards + Programmable Logic Controller

(PLC) + POWER SUPPLY)
• THE FINAL ELEMENTS (valve)
I/O I/O
LOGIC SOLVER
PSHH SDV

Reliability – Typical sensors configuration
LOGIC FINAL
SENSORS
SOLVER ELEMENT
(PSHH…)
(P.L.C.) (SDV…)
Integrity Levels Typical Architecture

SIL 1 1oo1
SIL 2 1oo2 or 2oo3
SIL 3 1oo3
SIL 4 Special requirements (see IEC 61508)

Reliability – Typical final elements configuration

Reliability – SIL requirement
 PSS logic solver: SIL 2
 ESD, F&G logic solvers: SIL 3

• Certification required for the hardware, the system software, but
not the application software
 Specific ESD loops: SIL 2 or 3 may be requested
 HIPS: no preset value, a risk analysis is required

Availability
 No criteria imposed but:

• Unavailability entails production losses
• Frequent break-down induces hazards (transient, restart sequence)
• (Too) high availability requirement leads to complexity and cost
 Recommended figures:
• Availability of the whole loop between 99% and 99.9%
• Availability of the solver between 99.9% and 99.99%
 Warning
• High availability figures are useless if safety systems are too difficult
to repair (high qualified technician or vendor’s representative)

• On-line repair capability highly recommended

Performances objectives – Available tools
TOOL EFFECT
Voting 1ooN increases reliability
MooN decreases spurious trips
Redundancy Increases MTBF (Mean Time Between Failure)
(availability)
Diversification Decreases common mode failures
Testing Increases testing frequency decreases probability failure
on demand
On-line repair Increases drastically MTBF (availability)
Fault coverage Decreases probability of failure upon demand
Fault tolerance Increases MTBF and reliability
Independency Increases MTBF and reduce risk of operator errors

Systems architecture – Recommendations
 SEGREGATION OF PCS, PSS, ESD, F&G: for independency and

diversification
• Tappings, sensors, transmitters
• Transmission
• Valves, contactors, etc.
 1 Programmable Logic Controller for the PCS and PSS: for redundancy
and independency
• Segregation of the I/O cards, racks and processors
• SIL 2
 1 PLC for the ESD, 1 PLC for the F&G: for independency and redundancy
• SIL 3
 USS: for diversification

• Solid state

Safety systems, typical architecture
PSD ESD
ESD0 ESD1 F&G initiators
FIELD PKGE PB PB
initiators
(1)
1
Actions
T T Actions links
Data (3) (3)
logic
PCS 2 PSS USS ESD Data
F&G solvers
Solid State SIL 3 SIL 3
SIL 2 (5) (5)
(4) links
FIELD PKGE SDV ’s PKGE ESDV ’s ESDV ’s ESDV ’s Electrical Fire HVAC
terminal motors BDV ’s BDV ’s BDV ’s breakers fighting
elements UPS Power Grid Large Motors Final
Power Grid elements
PKGE (2)
Process Control Process Safety Ultimate Safety Emergency S/D Fire &Gas

Notes: The Links for action only are represented Legend: PKGE Packages
(1) Accommodation + Office smoke detectors addressable SIL Safety Integrity Level
(2) Fired equipment package shutdown
hardwired link
(3) High reliability timer
serial link
(4) A duplicated data bus is an acceptable alternative
(5) PSS/ESD/F&G links for data only are serial (duplicated/triplicated data bus) 1 single data bus
2 duplicated data bus
Main system HIPS
High Integrity Protection System
 High Integrity Protection System (HIPS):

• Instrument-based systems of sufficient integrity (involving high
reliability redundant and/or diversified instruments) so as to make
the probability of exceeding the design parameters lower than a
specified value upon demand (typically SIL 2 to 4)
The great majority of HIPS are:
 Instrumented Pressure Protection System (IPPS)

• IPPS exclusively devoted to over-pressure protection

Main system: HIPS
 HIPS purpose:
• To replace PSV
• A HIPS (or IPPS) is made up of dedicated components for detection
of the overpressure and isolation by SDVs/ ESDVs
• The HIPS components shall be independent from the PCS, PSD and
the ESD systems, with the exception of the SDVs and ESDVs which
can be used for both the HIPS and ESD (or PSD)
 Conventional design (API-RP-14C)

• 2 independent safety barriers
− First barrier: PSS system (PSHH + SDV)
− Second barrier: Pressure relief valve (PSV)

Main system: without HIPS
1st Barrier
(instrum) 2nd Barrier
(mechanical)
Failure scenario:
PSS
Choke fails open
Topside PSHH Full flow PSV

Choke
SDV Gas
Riser ESDV
Subsea
Pipeline
Liquids
Design press: 450 Barg Design press: 80 Barg

Well

Main system: with HIPS
1st Barrier
2nd Barrier (instrum)
(instrum)
PSS
HIPS
LOGIC
Topside PSHH
Choke
SDV Gas
PSHH PSHH PSHH
Riser
ESDV
Subsea
Pipeline
Liquids
Design press: 450 Barg Design press: 80 Barg

Well

Main system HIPS – Typical example
 HIPS arrangement (typical)  Reliability study
HIPS FAILURE
6.84 E-04
5.48E -06
CCF
CCF of
CCF of
Human
of PS HIPS failure
6.3E -04 4.4E -05 1E -05

HIPS 1 fails HIPS 2 fails
5.8E -03 5.8E -03
HIPS Human HIPS Human

failure to failure to
SDV 1 restore SDV 2 restore
fails after test fails after test
4.4E -04 1.0E -04 4.4E -04 1.0E -04

3.97E -05 3.97E -05
Pressure Pressure Pressure Pressure

switch switch switch switch
fails fails fails fails
6.3E -03 6.3E -03 6.3E -03 6.3E -03

Example of HIPS on Girassol process
From inlet
manifold
DS301 1st Stage DS351
separator
EC301 A/B
DS302 2nd Stage

IG450 et
IG401 & DA 450 separator
To Water DA 450
Treatment IG402 & DA 401
or DA450
To water treatment DS303 3rd Stage
separator

Security barriers for Hard HIPS on Girassol
1st Stage ROSA
separator Separator
DS301 •LSLL3006 •LSLL3506

DS351
Eau Huile Huile Eau
SDV
SDV SDV LV1/2 LV1/2 SDV SDV
3506
SDV 3007 3002 3005 3508 3508 3507
3008 SDV
•PSHH3028 3505
SDV •LSHH3026
3003 EC301 DS302 Start-up in 2 phase
2nd stage
Separator
IG401 / DA 401 DS303

Hard HIPS SDV SDV LV1/2
Soft HIPS 3037 3021 3025

Integration hard & soft HIPS
ESD2

Security Hard HIPS

Main system HIPS – PRO’S & CON’S
HIPS can be considered if no alternative is available
 ADVANTAGES:
• Environment friendly (no release to atmosphere)
 DISADVANTAGES:
• Difficulty of controlling risks:
− Reliability calculations cannot take into account all factors (Human
factors & construction errors)
− Must be closely monitored from project to start-up
• Stringent testing and maintenance requirements for operation

team

Emergency shut down system – ESD logic diagram
 ESD logic diagram mandatory for each installation for operators

reference
 Causes and effects matrix is also required for instrument

maintenance and testing
 4 SD levels are generally required
 Each SD level must be safe in itself and corresponding to a safe

and stable status of the facilities

ESD and SD levels definition – As per GS-EP-SAF-261
 ESD-0: Total black shutdown of the whole facility (within

Restricted Area)
• Highest level of ESD, intended to make an installation safe before
evacuation
• Manually initiated only once the voluntary decision has been taken
by the site RSES or OIM to evacuate the installation
 ESD-1: Fire Zone Emergency Shut-Down

• e.g. Complete shutdown of one Fire zone due a confirmed gas
detection
 SD-2: Unit Shut-Down (within one Fire Zone)

• e.g. Gas Compression unit shutdown

 SD-3: Equipment shutdown (within one unit)
• e.g. Pump shutdown
Implementation of ESD and (E)SD levels

Causes & effects matrix
Effects
FiFi Deluge HVAC CO2
Alarm ESD1 Pump activated Shut Release ESD2 ESD3
Causes starts Down
FD x x x x x
GD x x x x
SD x x x x
H2SD x

ESD-0: complete installation shutdown
 REQUIREMENT:
• Offshore (mandatory), onshore (recommended)
 CAUSES:
• Manual activation (PBs)
 ACTIONS:
• ESD-1 of all fire zones
− Complete shutdown of all fire zones
Does not stop the diesel fire pumps if these have already started)
− Emergency depressurization (mandatory offshore, optional onshore) of all
fire zones
• Complete de-energization of the installation, including battery powered
systems (except NAVAIDS, emergency lighting, emergency telecom, PAGA)

• Close down hole safety valves (DHSV’s) of production wells
• Escape and evacuation means from the installation if necessary

ESD-1: individual fire zone shutdown
 CAUSES:
• ESD-0
• Gas Detection
• Fire Detection (in process / Hydrocarbon handling areas)
• UPS batteries Low voltage
 ACTIONS:
• Complete shutdown of the fire zone: close all ESDVs
• Emergency depressurization (mandatory offshore, optional
onshore) of the fire zone
• ESD-1-F activates fire fighting means in the fire zone

• ESD-1-G shuts down ignition sources in the fire zone except controls
and emergency equipment suitable for zone 1 hazardous area

SD-2: unit shutdown
 CAUSES:
• ESD-1
• Major process faults
• Flare drum LSHH
• Instrument air PSLL
• Fuel gas PSLL if used to prevent air ingress in flare
• Loss of normal electrical power supply
 ACTIONS:
• Shut down all the HC processing equipment, transfer or utility units
• Close SDVs
• Shut down motors
• Shut down some non HC associated equipment (e.g. chemical treatment)

• Permissive to perform manually emergency depressurisation

SD-3: equipment shutdown (utility)
 CAUSES:
• ESD-1 of the fire zone
• ESD-2 of the unit
• Manual activation (PBs / local panel)
• FD or GD inside enclosed packages (e.g. gas turbines, gas engines)
• Equipment trip (when not handled by package)
 ACTIONS:
• Shuts down package (e.g. compressor)
• Shuts down associated electrical / fired equipment
• Close SDVs

SD causes – Summary
CAUSES SHUT-DOWN TYPE

Push button ESD-0 ESD-1 SD-2 SD-3
ESD-0 (direct action) ESD-1
PSLL in pipelines to Installation ESD-1
Confirmed gas detection ESD-1
Process Areas fire detection ESD-1
Low UPS battery voltage ESD-1
ESD-1 (direct action) SD-2
Relevant process fault SD-2
Loss of containment SD-2
LSHH flare KO drum, PSLL air SD-2
Low fuel gas pressure SD-2
SD-2 (direct action) SD-3
Equipment Fault SD-3

Fire detection inside package SD-3
Gas detection inside package SD-3

Emergency depressurisation
 Significantly reduce the

contributing gas inventory
(e.g. jet fire).
 Avoid mechanical rupture of

vessels engulfed in fire, by
reducing stress.
 Limit HC inventory in case of

leak.

Emergency De-Pressurisation requirement
 Equipment or piping isolated and exposed to fire simultaneously,

and
Flammable gas & two phases P > 7 bar g and
hydrocarbon PVgas > 100 bar.m3
Liquefied hydrocarbon M gas or M liq. > 2 tons of
(refrigerated or under pressure) C3/C4
 Toxic inventories: as required for safety to life of

personnel/public
 Target Pressure Reduction:
• 7 Barg or 50 % of design pressure (considering the fire heat input)
whichever is most stringent, (API RP: 521)
 Depressurisation Time:

• 15 minutes base case (if wall thickness > 1 inch, otherwise less)
• 8 minutes for vessels containing LPG's (risk of BLEVE)

Emergency De-Pressurisation (EDP) principles
 Initiation of EDP:
• Offshore: automatic upon ESD1
• Onshore: manual or automatic, always in case of ESD1
 Interruption:
• Normally, EDP continues till atmospheric pressure is reached, and
BDV’s are locally reset
• EDP remote interruption can however be considered:
− One Push-Button in the control room for each fire zone
− Remote closure of all BDV’s of the fire zone
− Does not stop the other ESD sequences: ESDV’s close, motor shut-
down, electrical shut-off,

− Active fire-fighting, etc.

Fire and Gas system logic
ACTIONS
FIRE DETECTION
Outdoors ESD-1 + Activate Fi Fi
Machinery enclosure ESD-3 + Activate Fi Fi + stop HVAC +
close dampers
SMOKE DETECTION
Inside buildings Stop HVAC + close dampers +
Inside technical rooms extinguishing agent release (if any)
FLAMMABLE GAS DETECTION

Outdoors ESD 1 + Electrical isolation
Machinery enclosure ESD 3 + Electrical isolation + close
dampers

TOXIC GAS DETECTION Alarm only

Ultimate Safety System (USS)

Principles
 PURPOSE
• To provide a highly reliable means of closing the ESDVs and opening
the BDVs
• To avoid common modes of failure in electronic devices and in
control software
 HOW?
• Simple, non programmable, hardwired system
• Same push buttons for the USS and ESD
• To de-energise relevant 24V DC, air, hydraulic controls
 NOT MANDATORY
• Not for simple installations (wellhead platforms), or if it can be

demonstrated that the SIL Requirements are achieved by the ESD &
F&G alone.

Typical architecture


08.1 - 20056 - C - A - PPT - 06 - Safety Instrumented Systems PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

08.1 - 20056 - C - A - PPT - 06 - Safety Instrumented Systems PDF

Uploaded by

Copyright:

Available Formats

Safety instrumented systems

EP - 20056_c_A_ppt_06 - Safety Instrumented Systems

 The main systems

© 2012 - IFP Training

EP - 20056_c_A_ppt_06 - Safety Instrumented Systems 2

 To reduce the potential of escalation from an unwanted event:

© 2012 - IFP Training

 Process Control System:  Multiple protection layers principle

 High Integrity Protection System: ESD / F&G

 Emergency Shutdown System: PSS

 Ultimate Safety System: PROCESS

© 2012 - IFP Training

 Safety systems are operating upon demand

How to improve the reliability

* PFD = f(λ ,T)

© 2012 - IFP Training

© 2012 - IFP Training

© 2012 - IFP Training

 SIL covers the whole loop

• PRIMARY ELEMENT (sensor)

• THE LOGIC SOLVER (I/O cards + Programmable Logic Controller

• THE FINAL ELEMENTS (valve)

© 2012 - IFP Training

Integrity Levels Typical Architecture

© 2012 - IFP Training

© 2012 - IFP Training

 PSS logic solver: SIL 2

 ESD, F&G logic solvers: SIL 3

 Specific ESD loops: SIL 2 or 3 may be requested

 HIPS: no preset value, a risk analysis is required

© 2012 - IFP Training

 No criteria imposed but:

© 2012 - IFP Training

EP - 20056_c_A_ppt_06 - Safety Instrumented Systems 12

© 2012 - IFP Training

 SEGREGATION OF PCS, PSS, ESD, F&G: for independency and

 USS: for diversification

© 2012 - IFP Training

EP - 20056_c_A_ppt_06 - Safety Instrumented Systems 14

© 2012 - IFP Training

 High Integrity Protection System (HIPS):

The great majority of HIPS are:

 Instrumented Pressure Protection System (IPPS)

© 2012 - IFP Training

 Conventional design (API-RP-14C)

© 2012 - IFP Training

Topside PSHH Full flow PSV

Design press: 450 Barg Design press: 80 Barg

© 2012 - IFP Training

EP - 20056_c_A_ppt_06 - Safety Instrumented Systems 18

Design press: 450 Barg Design press: 80 Barg

© 2012 - IFP Training

EP - 20056_c_A_ppt_06 - Safety Instrumented Systems 19

 HIPS arrangement (typical)  Reliability study

6.3E -04 4.4E -05 1E -05

HIPS Human HIPS Human

4.4E -04 1.0E -04 4.4E -04 1.0E -04

© 2012 - IFP Training

Pressure Pressure Pressure Pressure

6.3E -03 6.3E -03 6.3E -03 6.3E -03

EP - 20056_c_A_ppt_06 - Safety Instrumented Systems 20

DS302 2nd Stage

© 2012 - IFP Training