Different roles in the process industry

Authors: Marcel Richter Product Management and Marketing for Positioners and Valve Accessories, Samson Monika Schneider Technical Documentation, Samson

An uncontrolled exothermic reaction in a reactor in Seveso, Italy, caused a safety relief valve to burst open in 1976. As a result, an unknown amount of highly toxic dioxin was released into the atmosphere. In Bhopal, India, several tons of toxins were released into the atmosphere in 1984 due to the failure of the safety systems. In 1988, a fire destroyed the Piper Alpha offshore oil platform moored in the North Sea. This catastrophe was caused by a tempora-rily missing high-pressure valve as well as several other sources of error such as a negligently secured pipeline, insufficient explosion protection and external platforms continuing to pump oil towards Piper Alpha during the fire. Deaths and severe injuries among staff and residents as well as environmental damage are merely the visible consequences of such accidents.

The risk created by a plant increases with the severity of the consequences in the event of a fail-ure and the probability that such a failure will occur. To reduce the residual risk to a tolerable level, plant-specific emergency plans, passive and active mechanical safety measures and electronic safety instrumented systems (SIS) are implemented. These safety instrumented systems, which are independent of the basic process control system, comprise sensors, a safety control system and a final element. There is a clear assignment of roles within the SIS. The sensors measure the controlled variable (e. g. temperature, pressure, filling level) and transmit the measured data to the safety control system. The safety control system processes the received data independently of the basic process control system (BPCS) and causes the final element to perform the safety instrumented function in case of a failure. The final element executes the safety instrumented function, i. e. it opens or closes the valve as required. The term “final element” refers to the entire control valve including all mounted accessories, such as a solenoid valve, positioner and booster.

These components are expected to interact in the event of a failure and maintain the plant in a safe state. The performance required of a safety instrumented function is quantified in four discrete safety integrity levels (SIL 1 to 4). The safety instrumented system is categorised based on IEC 61508 and IEC 61511. While IEC 61508 (Functional safety of elec- trical/electronic/programmable electronic safety-related systems) is directed at manufacturers of individual components for use in a safety instrumented system, IEC 61511 (Functional safety – Safety instrumented systems for the process industry sector) is relevant to planners, builders and operators of safety instrumented systems.

As part of a holistic safety lifecycle, manufacturers of safety components develop the required hardware and software in compliance with IEC 61508. As a result, they are also responsible for assessing the safety of their prod-ucts. The materials employed and the technical design a unit is based on are just two of the most important factors in this connection. Alternatively, the suitability of a product for use in a safety instrumented system can be determined empirically, which has the added benefit that real ambient and process-related influences are taken into account.

The manufacturer identifies all characteristic values with a bearing on safety with the help of the mathematical models and calculation methods of the FMEDA (failure modes, effects and diagnostic analysis) and possibly also proven-in-use data (see table). These values are documented and confirmed in a product-specific manufacturer’s declaration which the manufacturer is responsible for. The development process can optionally be supervised and certified by an independent body. The manufacturer is also responsible for providing instructions regarding a prod-uct’s proper use, which are given in the safety manual. The characteristic values supplied by the manufacturer only describe the safety integrity that an individual component can theoretically achieve. A manufacturer obviously cannot make any statements regarding the safety integrity of a complete safety instrumented system.

Plant owners assess the requirements placed on the safety instrumented system (SIL rating) using a suitable method such as a risk graph, risk matrix or LOPA (layer of protection analysis). Planners and builders are responsible for designing the entire safety instrumented system to match the SIL rating and for selecting the individual safety components (sensors, final elements and safety control system), taking account of the latest advances in safety engineering. According to the standard, the suitability of a selected component must be certified for the ambient conditions and the specific process. As far as control valves are concerned, this means they must be sized correctly and the sizing process documented appropriately.

The performance achieved by the safety instrumented function, or SIL rating, depends on the device type used (degree of complexity as defined by the standard), the selected architecture and the probability of failure. Ideally, operators should rely on probability of failure values gathered from their own experience, i. e. prior use. These empirical values can be backed up by Namur data. The organisation also publishes a series of practical recommendations for plant planners and builders including Namur Recommendation 130, which deals with proven-in-use devices, and Namur Recommendation 106 on the test intervals for safety instrumented systems.

cpp-net.com/0214400