
Getting a handle on the risk

Alarm concept with EX and SIL requirements

The Safety Integrity Level (SIL) and explosion protection are fixed elements when it comes to planning and operating process plants and systems. There is a good reason for this, as the failure of machines, devices or software can have serious consequences – especially in applications with explosive atmospheres. These two aspects are also important in alarm concepts, which demand devices that fulfil both EX and SIL requirements.

Marlies Gerstkämper-Oevermann

The effects of each hazardous situation must be documented in a risk analysis in order to determine the SIL. It is especially important to state whether persons can be injured. The frequency and probability of an event are also taken into account when making the assessment. DIN EN 61511–3 lists various techniques for analysing the risk; one frequently used method is the risk graph. Once the SIL has been determined, then suitable measures can be taken to reduce the risk. In process plants and systems, safety-instrumented systems (SIS) are installed for this purpose, in which every safety-related function results in a safe state in case of a fault, for example a safe shutdown. The components used in the SIS must likewise correspond to the SIL and, if a fault occurs, change to a safe state.
Regarding the performance of a preliminary SIL hazard and risk analysis, DIN EN 61511–2 specifies that by “utilising the principle of intrinsic safety … hazards can be avoided or reduced as far as possible.” This is the reason why the activities that result from the risk analysis in respect of explosion protection do not automatically play a role in risk minimisation through the use of an SIS. The situation is different if they simultaneously perform a safety-instrumented function (SIF) and, as such, need to be considered as an SIS or part of an SIS.
Alarm concepts support the identification of hazardous faults that occur during the process. The alarm can be part of the monitoring level (which is planned anyway) and/or plays a role as a safety-instrumented function to reduce the risk in the SIS in the sense of DIN EN 61511. This is the case if its function is required to achieve a previously defined safe state and its mean probability of failure corresponds to the required SIL. It goes without saying that all the devices used in the hazardous area, together with their associated equipment, must fulfil the requirements for explosion protection.
Typical plant
The EX and SIL measures are explained here with the help of an example. In one particular application, various materials are mixed in a dispersion system. The machine, which is located in a separate room, also processes solvents together with other chemical substances. Process alarms are provided at the monitoring device level. Level sensors are installed to ensure that the tank levels always conform to the process requirements. If sensors 1–01 and 1–02 respond, a status signal is sent to the evaluation unit to change the level in the tank.
The tank, inlet, outlet and any additional piping have neither flanges nor other locations where explosive substances could leak or escape. This is why the plant is considered “sealed” from a technical perspective. However, there are connection points to allow manual filling of the tank in exceptional situations, in other words gases can theoretically escape. In addition, a fork lift truck could damage the plant while it is delivering materials. The pumps could develop faults and the inlets and outlets could leak. Finally, somebody must occasionally enter the hazardous area to fill and clean the tank. Against this background information, the process-related risk, tolerable risk, and measures to minimise the risk have to be defined.
Alarm concept
In order to reduce the risk of explosion, the area around the filling connections is defined as Ex Zone 1. The reason for this is that a potentially explosive atmosphere can occasionally form here. Detectors measure the concentration of hazardous gases in the vicinity of the tank, in order to be able to regulate the air discharge using the built-in extraction system. The production area is defined as Ex Zone 2 because the possibility that, in extreme cases, the gases might form a hazardous and explosive atmosphere cannot be completely ruled out. All devices should be certified as intrinsically safe in accordance with DIN EN 60079–11. The motor is excluded because DIN EN 60079–7 increased safety should be applied here. The level sensors derive their values from Zone 0. Depending on the type, this means an Ex II 1 G Ex ia certification. All of the devices mounted in Ex Zone 1 around the filling connections and the valves at the inlet must, as a minimum, comply with Ex II 2 G Ex ib. The other devices in Zone 2 must, as a minimum, fulfil Ex II 3 G Ex n according to DIN EN 60079–15 or, better still, Ex II 3 G Ex ic according to DIN EN 60079–11. Additional, intrinsically safe sensors, which display the maximum and minimum tank levels, are installed on the tank. The level sensors derive their values from Zone 0. Depending on the particular type, this means either Ex II 1 G Ex ia or Ex II 1/2 Ex ia certification.
Within the scope of the alarm concept, a pre-alarm is initiated if the maximum level is exceeded. Hazardous substances can be prevented from escaping by closing the inlet. If the tank contents have fallen below the minimum level, the motor is not allowed to run dry, as this would result in a temperature rise. This could represent a potential ignition source, so the motor is shut down. If the detector signals a slightly increased gas concentration, then the ventilation system is switched on. In addition, operating personnel are acoustically requested to leave the room or warned against entering the room.
A main alarm is output if the detector identifies a hazardous gas concentration that is higher than the lower protection limit. To prevent any hazards, the plant is subsequently de-energised and the power of the ventilation system increased. Once again, all operating personnel are acoustically and visually alerted by means of a flashing light.
SIL 2 must be fulfilled
On the basis of this initial situation, the safety team then generates a risk graph to determine the SIL. The effect (C) in the example described here can result in the death of several people. Generally speaking, only one person is present in the hazardous area. However, in the case of a fault, several persons could be attempting to resolve the problem – or a second, larger explosion could be set off as a result of the original explosion. This calls for a Cc classification. On the whole, though, persons are only present infrequently (FA). The plant is monitored by trained personnel. Despite this, it is conceivable that under certain circumstances the operating personnel might not notice the escaping gas and be unable to estimate reliably whether a hazardous amount of an explosive mixture has formed – and whether this danger can be avoided through manual intervention (PB). This would normally result in a SIL 3 classification. However, SIL 2 is sufficient as the measures already in place – including explosion protection – mean that the probability of occurrence is low.
Due to the result, the requirements for SIL 2 must be complied with in order to further minimise the risk. In this case, the components concerned must ensure that if a hazardous situation develops, the plant enters a safe state. To achieve this, the main alarm and pre-alarm measures should be designed as a safety-instrumented system with individual safety-instrumented functions. A flow sensor, which checks that the extraction system is working correctly, must also be installed. Each individual safety-instrumented function must, as a minimum, conform to the requirements of SIL 2.
Alarms generally perform a safety-related protective function. The target value for this demand level, as specified in DIN EN 61511, corresponds to a mean probability of failure from ≥10⁻³ to <10⁻² and a risk reduction from >100 to ≤1000 for SIL 2. This is partially achieved by using components that have been assessed according to DIN EN 61508. Within the scope of the safety-instrumented function, all devices – and their probability of failure (PFD) – contribute to the overall probability of failure of the complete signal circuit. This also applies to associated, intrinsically safe operating equipment installed outside the production area. This equipment separates the intrinsically safe signal circuits from the control signal circuits and the evaluation unit. As far as the alarm functions are concerned, low demand is sufficient for the devices with the calculated probability of failure PFD plus the fault rates to be complied with. For SIL 2 and a simple configuration, this means a ratio between 60 and 90 % for non-hazardous faults to the sum of all possible faults.
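The loop budget described above can be checked as follows; this is an added example, not part of the original article or any vendor tool. It assumes a single-channel signal circuit in which the device PFD values simply add up, and all device names, PFD values and failure rates are constructed for illustration.

```python
from dataclasses import dataclass

# Low-demand SIL bands: (SIL, lower bound inclusive, upper bound exclusive) on mean PFD.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
MIN_SAFE_RATIO_SIL2 = 0.60  # lower end of the 60-90 % ratio the article gives for SIL 2

@dataclass(frozen=True)
class Device:
    name: str
    pfd_avg: float         # mean probability of failure on demand
    safe_rate: float       # non-hazardous faults per hour
    dangerous_rate: float  # hazardous faults per hour

    @property
    def safe_ratio(self) -> float:
        """Non-hazardous faults divided by the sum of all possible faults."""
        return self.safe_rate / (self.safe_rate + self.dangerous_rate)

def sil_for_pfd(pfd: float) -> int:
    """Return the SIL whose band contains pfd, or 0 if not even SIL 1 is reached."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0

def assess_loop(devices, required_sil=2):
    """Sum the device PFDs of one signal circuit and compare with the required SIL."""
    pfd = sum(d.pfd_avg for d in devices)
    weak = [d.name for d in devices if d.safe_ratio < MIN_SAFE_RATIO_SIL2]
    sil = sil_for_pfd(pfd)
    return {"pfd": pfd, "rrf": 1.0 / pfd, "sil": sil, "low_safe_ratio": weak,
            "ok": sil >= required_sil and not weak}

# Constructed sample data: a gas main-alarm circuit including the Ex-i isolator.
GAS_ALARM_LOOP = [
    Device("gas detector", 2.0e-3, 8.0e-7, 2.0e-7),
    Device("Ex-i isolator", 3.0e-4, 9.0e-7, 1.0e-7),
    Device("evaluation unit", 1.5e-4, 9.5e-7, 0.5e-7),
    Device("shutdown relay", 4.0e-3, 7.0e-7, 3.0e-7),
]
# Four devices that each sit inside the SIL 2 band but together exceed it.
OVERSPENT_LOOP = [Device(f"device {i}", 3.0e-3, 8.0e-7, 2.0e-7) for i in range(4)]

if __name__ == "__main__":
    for label, loop in (("gas alarm", GAS_ALARM_LOOP), ("overspent", OVERSPENT_LOOP)):
        r = assess_loop(loop)
        print(f"{label}: PFD={r['pfd']:.2e} RRF={r['rrf']:.0f} SIL={r['sil']} ok={r['ok']}")
```

The second loop shows why every device in the circuit counts: each one alone is within the SIL 2 band, yet the summed PFD of 1.2 × 10⁻² only reaches SIL 1.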
Complete product portfolio
Planning flexibility for safety-instrumented systems (SIS) – including explosion protection – is continually increasing as more and more solutions are developed to address this particular task. Phoenix Contact offers an extensive portfolio of devices and equipment certified according to SIL and EX that is precisely tailored to these types of application. Amongst other things, the portfolio includes the Contactron family of products in the area of power electronics. The use of Ex-i isolators with SIL 2 or SIL 3 assessment or certification is recommended in order to achieve intrinsic safety. A wide range of space-saving concepts, optimised for installation and maintenance, can be implemented using the pluggable PI-Ex modules. The same is also true of the MACX Analog EX product family.
Hall 9, Booth F40