08.1 - 20056_c_A_ppt_06 - Safety Instrumented Systems.pdf

7/24/2019 08.1 - 20056_c_A_ppt_06 - Safety Instrumented Systems.pdf

1/41

Safety instrumented systems

EP - 20056_c_A_ppt_06 - Safety Instrumented Systems


2/41

Content

Overview Purpose

The different safety instrumented systems

Performance objectives

Typical safety system architecture

The main systems

HIPS

ESD F&G

USS



3/41

Purpose

To reduce the potential of escalation from an unwanted event:

Limit the loss of containment (ESDVs, SDVs) Eliminate sources of ignition (Electrical isolation)

Reduce flammable inventory (Emergency depressurization)

Quickly and without the need for control during the sequence

WARNING:

Safety Systems do not eliminate all hazards (e.g. hot spots)

Safety Systems sequence must be safe in itself and lead to a safe andstable final status

Special cases (e.g. down-graded mode of operation or simultaneousoperation) cannot always be covered by safety systems



4/41

The different safety systems

Process Control System: Controls & associated (PCS) alarms

Process Shutdown System: Trips & associated SD (PSS) actions

High Integrity Protection System: High reliability no mechanical

protection (HIPS)

Emergency Shutdown System: Emergency SD actions (ESD)

Fire & Gas System: F&G detection/action + Link with ESD

system

Ultimate Safety System: Back-up of essential ESD actions

(USS)

Multiple protection layers principle

PSV (HIPS)

PSS

ALARMS

CONTROL

SYSTEM

ESD / F&G

USS

PROCESS



5/41

Safety systems performance objectives

Safety systems are operating upon demand

Reliability

How to improve the reliabilityof systems activated upon demand? (One single component)

* PFD = f( ,T)* PFD = Probability of Failure upon Demand

To select component with low failure rate (per year)

To reduce the Testing interval T (per year)

AVAILABILITY High availability is required. Redundancy may be considered

Equivalent compensating measure has to be set up in case ofunavailability.



6/41

Effect of testing interval on system reliability



7/41

Reliability Safety integrity level (IEC-61508

RELIABILITY

Safety Integrity Level (SIL) Average Probability of Failure on Demand

4 10-5to 10-4

3 10-4to 10-3

2 10-3to 10-2

1 10-2to 10-1



8/41

Reliability Applicability

SIL covers the whole loop

PRIMARY ELEMENT (sensor)

THE LOGIC SOLVER (I/O cards + Programmable Logic Controller(PLC) + POWER SUPPLY)

THE FINAL ELEMENTS (valve)

LOGIC SOLVER

PSHH SDV

I/OI/O



9/41

Reliability Typical sensors configuration

Integrity Levels Typical Architecture

SIL 1 1oo1

SIL 2 1oo2 or 2oo3

SIL 3 1oo3

SIL 4 Special requirements (see IEC 61508)

SENSORS

(PSHH)

LOGIC

SOLVER(P.L.C.)

FINAL

ELEMENT(SDV)


li bili i l fi l l fi i


10/41

Reliability Typical final elements configuration


R li bilit SIL i t


11/41

Reliability SIL requirement

PSS logic solver: SIL 2

ESD, F&G logic solvers: SIL 3

Certification required for the hardware, the system software, butnot the application software

Specific ESD loops: SIL 2 or 3 may be requested

HIPS: no preset value, a risk analysis is required


A il bilit


12/41

Availability

No criteria imposed but:

Unavailability entails production losses Frequent break-down induces hazards (transient, restart sequence)

(Too) high availability requirement leads to complexity and cost

Recommendedfigures:

Availability of the whole loop between 99% and 99.9% Availability of the solver between 99.9% and 99.99%

Warning

High availability figures are useless if safety systems are too difficult

to repair (high qualified technician or vendors representative) On-line repair capability highly recommended


Performan es obje ti es A ailable tools


13/41

Performances objectives Available tools

TOOL EFFECT

Voting 1ooN increases reliabilityMooN decreases spurious trips

Redundancy Increases MTBF (Mean Time Between Failure)(availability)

Diversification Decreases common mode failures

Testing Increases testing frequency decreases probability failureon demand

On-line repair Increases drastically MTBF (availability)

Fault coverage Decreases probability of failure upon demand

Fault tolerance Increases MTBF and reliability

Independency Increases MTBF and reduce risk of operator errors


Systems architecture Recommendations


14/41

Systems architecture Recommendations

SEGREGATION OF PCS, PSS, ESD, F&G: for independency anddiversification

Tappings, sensors, transmitters

Transmission

Valves, contactors, etc.

1 Programmable Logic Controller for the PCS and PSS: for redundancyand independency

Segregation of the I/O cards, racks and processors

SIL 2

1 PLC for the ESD, 1 PLC for the F&G: for independencyand redundancy

SIL 3

USS: for diversification

Solid state


Safety systems typical architecture


15/41

Safety systems, typical architecture

PCS PSS ESD F&GUSSSIL 3 SIL 3Solid State

F&GESD0PB

ESD1PB

T

PKGE

Fire

fighting

Electrical

breakers

ESDV s

BDV s

Large Motors

Power Grid

ESDV s

BDV s

Power Grid

ESDV s

BDV s

UPS

PKGE

PKGE

SDV s

motors

PKGEFIELD

terminal

elements

(2)

(3)

(5)

(1)

2

(4)

1

initiators

T

FIELDinitiators

links

logic

solvers

links

Final

elements

Process Control Process Safety Ultimate Safety Emergency S/D Fire &Gas

(5)

(3)

SIL 2

Actions Actions

Data

Data

HVAC

ESDPSD

Notes:The Links for action only are represented

(1)Accommodation + Office smoke detectors addressable

(2)Fired equipment package shutdown

(3)High reliability timer

(4)A duplicated data bus is an acceptable alternative

(5)PSS/ESD/F&G links for data only are serial (duplicated/triplicated data bus)

hardwired link

1

2

serial link

single data bus

duplicated data bus

Legend:

Safety Integrity LevelSIL

PackagesPKGE


Main system HIPS


16/41

Main system HIPS

High Integrity Protection System

High Integrity Protection System (HIPS):

Instrument-based systems of sufficient integrity (involving highreliability redundant and/or diversified instruments) so as to makethe probability of exceeding the design parameters lower than aspecified value upon demand (typically SIL 2 to 4)

The great majority of HIPS are:

Instrumented Pressure Protection System (IPPS)

IPPS exclusively devoted to over-pressure protection


Main system: HIPS


17/41

Main system: HIPS

HIPS purpose:

To replace PSV A HIPS (or IPPS) is made up of dedicated components for detection

of the overpressure and isolation by SDVs/ ESDVs

The HIPS components shall be independent from the PCS, PSD andthe ESD systems, with the exception of the SDVs and ESDVs which

can be used for both the HIPS and ESD (or PSD)

Conventional design (API-RP-14C)

2 independent safety barriers

First barrier: PSS system (PSHH + SDV)

Second barrier: Pressure relief valve (PSV)


Main system: without HIPS


18/41

PSHH

Well

Subsea

Pipeline

SDV

Topside

Choke

Liquids

Full flow PSV

Gas

Riser ESDV

PSS

Design press: 450 Barg Design press: 80 Barg

Failure scenario:

Choke fails open

1stBarrier(instrum) 2ndBarrier

(mechanical)

Main system: without HIPS


Main system: with HIPS


19/41

PSHH

Well

Subsea

Pipeline

SDV

Topside

Choke

Liquids

Gas

Riser

ESDV

PSS

Design press: 450 Barg Design press: 80 Barg

HIPSLOGIC

PSHH PSHH PSHH

2ndBarrier(instrum)

1stBarrier(instrum)

Main system: with HIPS


Main system HIPS Typical example


20/41

Main system HIPS Typical example

HIPS arrangement (typical) Reliability study

CCF ofHumanfailure

5.48E -06

1E -05

5.8E -03

HIPSSDV 2fails

HIPS 1 fails

HIPSSDV 1fails

4.4E -044.4E -04

5.8E -03

Humanfailure torestore

after test

6.3E -03

Pressureswitch

fails

6.3E -03

3.97E -05

Humanfailure torestore

after test

6.3E -03 6.3E -03

3.97E -05

1.0E -04 1.0E -04

CCFof

HIPS

CCFof PS

6.3E -04 4.4E -05

HIPS FAILURE6.84 E-04

Pressureswitch

fails

Pressureswitch

fails

Pressureswitch

fails

HIPS 2 fails

2EP - 20056_c_A_ppt_06 - Safety Instrumented Systems

Example of HIPS on Girassol process


21/41

Example of HIPS on Girassol process

DS301

DS302IG401 & DA 450

To WaterTreatment

EC301 A/B

IG402 & DA 401or DA450

To water treatment

DS351

IG450 et

DA 450

DS303

1stStage

separator

2ndStage

separator

3

rd

Stageseparator

From inlet

manifold


Security barriers for Hard HIPS on Girasso


22/41

DS303

DS301

DS302

IG401 / DA 401

SDV

3007

SDV

3002

LV1/2

3005SDV3008

SDV

3021

SDV

3037

LV1/2

3025

SDV

3003

LSLL3006

LSHH3026

PSHH3028

Security barriers for Hard HIPS on Girasso

DS351

LSLL3506

SDV

3506

SDV

3505

Start-up in 2 phase

SDV

3507

SDV

3508

LV1/2

3508

EC301

Hard HIPS

Soft HIPS

HuileEau Huile Eau

1stStage

separatorROSA

Separator

2ndstage

Separator


Integration hard & soft HIPS


23/41

g

ESD2


Security Hard HIPS


24/41

y


Main system HIPS PROS & CONS


25/41

y

HIPS can be considered if no alternative is available

ADVANTAGES:

Environment friendly (no release to atmosphere)

DISADVANTAGES:

Difficulty of controlling risks:

Reliability calculations cannot take into account all factors (Humanfactors & construction errors)

Must be closely monitored from project to start-up

Stringent testing and maintenance requirements for operationteam


Emergency shut down system ESD logic diagram


26/41

ESD logic diagram mandatory for each installation for operators

reference

Causes and effects matrix is also required for instrumentmaintenance and testing

4 SD levels are generally required

Each SD level must be safe in itselfand corresponding to a safe

and stable status of the facilities


ESD and SD levels definition As per GS-EP-SAF-261


27/41

ESD-0: Total black shutdown of the whole facility (within

Restricted Area) Highest level of ESD, intended to make an installation safe before

evacuation

Manually initiated only once the voluntary decision has been takenby the site RSES or OIM to evacuate the installation

ESD-1: Fire Zone Emergency Shut-Down e.g. Complete shutdown of one Fire zone due a confirmed gas

detection

SD-2: Unit Shut-Down (within one Fire Zone)

e.g. Gas Compression unit shutdown

SD-3: Equipment shutdown (within one unit)

e.g. Pump shutdown


Implementation of ESD and (E)SD levels


28/41


Causes & effects matrix


29/41

Effects

Alarm ESD1FiFi

Pumpstarts

Delugeactivated

HVACShut

Down

CO2Release

ESD2 ESD3

Causes

FD x x x x x

GD x x x x

SD x x x x

H2SD x


ESD-0: complete installation shutdown


30/41

REQUIREMENT:

Offshore (mandatory), onshore (recommended)

CAUSES:

Manual activation (PBs)

ACTIONS:

ESD-1 of all fire zones Complete shutdown of all fire zones

Does not stop the diesel fire pumps if these have already started)

Emergency depressurization (mandatory offshore, optional onshore) of allfire zones

Complete de-energization of the installation, including battery powered

systems (except NAVAIDS, emergency lighting, emergency telecom, PAGA) Close down hole safety valves (DHSVs) of production wells

Escape and evacuation means from the installation if necessary


ESD-1: individual fire zone shutdown


31/41

CAUSES:

ESD-0 Manual activation (PBs)

Gas Detection

Fire Detection (in process / Hydrocarbon handling areas)

UPS batteries Low voltage

ACTIONS:

Complete shutdown of the fire zone: close all ESDVs

Emergency depressurization (mandatory offshore, optionalonshore) of the fire zone

ESD-1-F activates fire fighting means in the fire zone

ESD-1-G shuts down ignition sources in the fire zone except controlsand emergency equipment suitable for zone 1 hazardous area


SD-2: unit shutdown


32/41

CAUSES:

ESD-1

Manual activation (PBs)

Major process faults

Flare drum LSHH

Instrument air PSLL

Fuel gas PSLL if used to prevent air ingress in flare

Loss of normal electrical power supply

ACTIONS:

Shut down all the HC processing equipment, transfer or utility units

Close SDVs

Shut down motors

Shut down some non HC associated equipment (e.g. chemical treatment) Permissive to perform manually emergency depressurisation


SD-3: equipment shutdown (utility


33/41

CAUSES:

ESD-1 of the fire zone ESD-2 of the unit

Manual activation (PBs / local panel)

FD or GD inside enclosed packages (e.g. gas turbines, gas engines)

Equipment trip (when not handled by package)

ACTIONS:

Shuts down package (e.g. compressor)

Shuts down associated electrical / fired equipment

Close SDVs


SD causes Summary


34/41

CAUSES SHUT-DOWN TYPEPush button SD-2 SD-3ESD-0 ESD-1

ESD-0 (direct action) ESD-1

PSLL in pipelines to Installation ESD-1

Confirmed gas detection ESD-1

Process Areas fire detection ESD-1

Low UPS battery voltage ESD-1

ESD-1 (direct action) SD-2Relevant process fault SD-2

Loss of containment SD-2

LSHH flare KO drum, PSLL air SD-2

Low fuel gas pressure SD-2

SD-2 (direct action) SD-3

Equipment Fault SD-3Fire detection inside package SD-3

Gas detection inside package SD-3


Emergency depressurisation


35/41

Significantly reduce thecontributing gas inventory(e.g. jet fire).

Avoid mechanical rupture ofvessels engulfed in fire, by

reducing stress.

Limit HC inventory in case ofleak.


Emergency De-Pressurisation requirement


36/41

Flammable gas & two phaseshydrocarbon

P > 7 bar g andPVgas > 100 bar.m3

Liquefied hydrocarbon

(refrigerated or under pressure)

M gas or M liq. > 2 tons of

C3/C4

Equipment or piping isolated and exposed to fire simultaneously,and

Toxic inventories: as required for safety to life ofpersonnel/public

Target Pressure Reduction:

7 Barg or 50 % of design pressure (considering the fire heat input)whichever is most stringent, (API RP: 521)

Depressurisation Time:

15 minutes base case (if wall thickness > 1 inch, otherwise less)

8 minutes for vessels containing LPG's (risk of BLEVE)


Emergency De-Pressurisation (EDP) principles


37/41

Initiation of EDP:

Offshore: automatic upon ESD1 Onshore: manual or automatic, always in case of ESD1

Interruption:

Normally, EDP continues till atmospheric pressure is reached, andBDVs are locally reset

EDP remote interruption can however be considered:

One Push-Button in the control room for each fire zone

Remote closure of all BDVs of the fire zone

Does not stop the other ESD sequences: ESDVs close, motor shut-down, electrical shut-off,

Active fire-fighting, etc.


Fire and Gas system logic


38/41

ACTIONS

FIRE DETECTIONOutdoorsMachinery enclosure

ESD-1 + Activate Fi FiESD-3 + Activate Fi Fi + stop HVAC +close dampers

SMOKE DETECTIONInside buildingsInside technical rooms

Stop HVAC + close dampers +extinguishing agent release (if any)

FLAMMABLE GAS DETECTIONOutdoorsMachinery enclosure

ESD 1 + Electrical isolationESD 3 + Electrical isolation + close

dampers

TOXIC GAS DETECTION Alarm only



39/41

Ultimate Safety System (USS)


Principles


40/41

PURPOSE

To provide a highly reliable means of closing the ESDVs and openingthe BDVs

To avoid common modes of failure in electronic devices and incontrol software

HOW?

Simple, non programmable, hardwired system

Same push buttons for the USS and ESD

To de-energise relevant 24V DC, air, hydraulic controls

NOT MANDATORY

Not for simple installations (wellhead platforms), or if it can bedemonstrated that the SIL Requirements are achieved by the ESD &F&G alone.


Typical architecture


41/41


08.1 - 20056_c_A_ppt_06 - Safety Instrumented Systems.pdf

Documents

Transcript of 08.1 - 20056_c_A_ppt_06 - Safety Instrumented Systems.pdf