
SIL classifications for ESD pushbuttons and F&G detectors


ICLL (Electrical, AU), Mar 22, 2006
Hope this is the right forum for this question...

I have a client who operates a not-normally-manned ten-year-old compressor station on a natural gas pipeline. He wants me to do a SIL evaluation of the ESD shutdown system (hardwired relay-based) for the station in accordance with IEC61511, as he is concerned that the station may not be sufficiently safe. (I am a reasonably experienced facilitator of such reviews). The compressor controls are a separate proprietary system and are excluded from the scope.

On examination of the ESD system I find that there are only three or four true "preventative" instrumented protective functions such as I'm used to in process plants (level and temperature shutdowns). The other 90% of the ESD system functions are what I would call "mitigating" functions such as ESD pushbuttons and fire and gas detectors. These would usually only help to stop a hazardous event from escalating and not prevent it in the first place. When I have done SIL classification reviews for other clients these sorts of devices (pushbuttons and F&G detectors) have always been excluded from the scope. However, this client wants me to classify these devices. Environmental and asset damage evaluations are to be performed as well as the normal safety evaluation.

My questions are:

1. Do you think it is the intent of 61511 to include such devices in the safety lifecycle and should I include these devices in the classification scope?

2. If I should include them, how would you pick a demand rate for, say, an ESD pushbutton? (Remember this is a process plant shutdown pushbutton not a machinery protective emergency-stop). The button will only ever be pressed if a hazardous event such as a pipe rupture or catastrophic compressor damage has already occurred. And, of course, the facility is only manned, say, 10% of the time.

3. For fire and gas detectors, presumably the review would have to assess a SIL value based on the difference between the device being there (possibly only a small gas leak) or not being there (possibly an uncontrolled fire). Is this a valid approach?

Your thoughts?
 

It's been a while since I was involved in a SIL evaluation.

With regards to the ESD PBs, I also do not remember them being included in the discussion.

In an unmanned station, the PB is basically a Failure on Demand, isn't it? You need the ESD PB to be pushed, but it isn't happening. So, 90% on demand failure (you said it is manned 10% of the time).

With regards to the fire and gas detectors, the availability data should be available from the vendor, and you can then calculate its availability, and assign a SIL level to it.


On a separate thought, and this may be quibbling.

Level and pressure shutdowns in the SIS (Safety Instrumented System), PSVs, etc, I still consider mitigating layers, and are treated as such. Preventative solutions to me means the regular control system, a pressure vessel capable of withstanding the full pressure (ie, it can take the full pressure blocked in). The SIS is a separate system, and its function is to mitigate (minimise) the damage after the regulating (control system) fails in its job.

"Do not worry about your problems with mathematics, I assure you mine are far greater."
Albert Einstein
Have you read FAQ731-376 to make the best use of Eng-Tips Forums?
 
The manual shutdown action by the operator (ESD button) is considered in the IPL calculation (manual interaction portion). However, since this is an unmanned station, the IPL for this would be very, very low...almost ineffective.

Also, for the safety function we don't really care if the button doesn't work, after all if it doesn't work, the safety function (pressure, temperatures, etc) will need to act. So the probability of the button failing to work (including the probability of the operator failing to act/the alarm system failing to generate the alarm) should be accounted for in the IPL effectiveness.

The shutdown button would not be included in your PFDavg/SIL level calculation for the safety function.

What you may want to include in your calculations is the probability of the shutdown button to act when it is NOT supposed to, i.e. create a spurious trip. That is, if it is a normally closed switch and opening will cause the event.

I just took a class and asked this very question.

______________________________________________________________________________
This is normally the space where people post something insightful.
 
Thanks for the comments; I probably haven't been clear enough in my explanation.

ashereng said:
With regards to the fire and gas detectors, the availability data should be available from the vendor, and you can then calculate its availability, and assign a SIL level to it.

Absolutely right, but that's the verification part of the SIL process. The shutdown function (typically a detector triggering off some sort of valve closure) has to first be given a target SIL value (effectively an acceptable band for the PFD of the shutdown function to fall into when you verify it). That value is based on frequency of demand of the safety function and on the consequences of failure of the function. Then you go and get your vendor data and check that you meet your target SIL. I wanted to know how you would go about setting the target SIL in the first place for a fire or gas detector shutdown loop. Say you used the risk graph method, how would you pick the frequency of demand on the fire or gas detector, and how would you pick a consequence? After all, for a fire detector you have a fire whether the detector is there or not, so all the detector can do is limit the severity of the consequences by releasing extinguishant or by shutting off the supply of combustible material.

controlnovice said:
Also, for the safety function we don't really care if the button doesn't work, after all if it doesn't work, the safety function (pressure, temperatures, etc) will need to act.

No, not so. The only time the button would be pressed would be if there had been some sort of loss of containment and/or fire in an open area where the gas and flame detectors did not cover. Why would you press it before that? The compressor discharge will be protected by its own PSV so there is only going to be loss of containment by external sources such as a dropped object on the pipe or a truck hitting it or something.

So what is the demand on the PB? It must be the frequency of the damage event multiplied by the fraction the station is manned. However, the damage is probably only going to occur when the station IS manned (human error), so perhaps you'd take that. Perhaps all I need to do for the pushbuttons is to ask the operators how often they have needed to push the button in the past....Seems too simple...:)
 
ICLL said:
Perhaps all I need to do for the pushbuttons is to ask the operators how often they have needed to push the button in the past

Past history should not be taken into account when determining SIL levels. You can take the history of a certain device failure - that's where we get the failure data/numbers, however I don't believe you can do that for human intervention.


______________________________________________________________________________
This is normally the space where people post something insightful.
 
ICLL,

To set the target SIL level requirement, there are two steps. Step 1 is to determine what can happen. Step 2 is to determine what mitigating layers are available, independent of the SIS system. Whatever is left over, is the requirement placed on the SIS.

So, for example, with the fire detector (UV/IR).

Step 1. What can happen?

A) What is the probability of a fire happening?
Solution:
- Is there historical data from your site, and/or other similar sites? If yes, use that. It is as good an estimate of the frequency of fires at a plant similar to yours as you can get.
- You should also crosscheck this number against the results of your HAZOP and your SIL evaluation, just to make sure.
- What is the fuel source? If no fuel source, then no fire.
- How big is the fuel source? Continuous or batched?
- What type of fuel source? HC gas? Oil?
- What is the ignition source? If no ignition source (unlikely) then no problem. Is ignition source constant (pilot) or intermittent (coil discharge)?

B) In case of fire, what is the damage?
- Is it a standing fire or an explosion (conflagration)?
- What can get damaged? How much equipment is around? How badly? What are the chances of each severity?
- What type of damage? To equipment? To people? To environment? To reputation of company?
- The HAZOP will most likely also answer this.

Step 2. Independent mitigating layer(s).

A) Do you have any?
- Examples may be a video monitoring system?
- Pressure switch shutdown (control system).

B) Take credit for the mitigating layers.

C) Add it all up and convert to monetary value - dollars.

This is the left over SIL level that the SIS needs to meet.

Typically, each SIL level has a monetary threshold. In some instances, it is a combination of monetary, down time, and news exposure. Some companies convert everything to an equivalent dollar value (much like the insurance companies). Others like to break it out for better "grasp" of the situation.

Each company has different weighting for each type of damage, as well as limits.

So, to answer your question, refer to Step 1 parts A and B above.

As always, there are no absolutes. Even with the best intentions and best efforts, things still happen. Your client is one of the more informed clients - rarely do clients get down into this type of detail.


"Do not worry about your problems with mathematics, I assure you mine are far greater."
Albert Einstein
Have you read FAQ731-376 to make the best use of Eng-Tips Forums?
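
Added example, not part of any post in this thread: the target-setting arithmetic discussed above (demand frequency, credit for independent layers, whatever is left over falls on the SIS), with ICLL's "damage frequency multiplied by fraction manned" estimate for the pushbutton. It assumes a numeric tolerable-frequency target rather than the monetary thresholds described, and every frequency and PFD in it is a constructed sample value; the SIL bands are the IEC 61511 low-demand PFDavg bands.

```python
from math import prod

def demand_rate(event_freq_per_yr, fraction_effective=1.0):
    """Demands per year on a function that can only act part of the time,
    e.g. a manual ESD pushbutton at a station manned 10% of the time."""
    if not 0.0 <= fraction_effective <= 1.0:
        raise ValueError("fraction_effective must be within [0, 1]")
    return event_freq_per_yr * fraction_effective

def required_pfd(demand_per_yr, other_layer_pfds, tolerable_per_yr):
    """PFDavg left over for the SIS after crediting independent layers.
    Returns 1.0 when the other layers already meet the target."""
    residual = demand_per_yr * prod(other_layer_pfds)  # prod([]) == 1
    if residual <= 0:
        return 1.0
    return min(1.0, tolerable_per_yr / residual)

def target_sil(pfd):
    """Map a required PFDavg to its low-demand SIL band.
    0 = no SIL requirement, None = more reduction than SIL 4 can give."""
    if pfd >= 1e-1:
        return 0
    for sil in (1, 2, 3, 4):
        if pfd >= 10.0 ** -(sil + 1):
            return sil
    return None

def fire_detector_example():
    # Constructed values: 0.02 fires/yr, one independent layer with
    # PFD 0.1, tolerable escalated-fire frequency 1e-5 per year.
    pfd = required_pfd(demand_rate(0.02), [0.1], 1e-5)
    return pfd, target_sil(pfd)

def pushbutton_example():
    # Constructed values: 0.01 damage events/yr, station manned 10% of
    # the time, no other layer credited, tolerable frequency 5e-5/yr.
    pfd = required_pfd(demand_rate(0.01, 0.10), [], 5e-5)
    return pfd, target_sil(pfd)

if __name__ == "__main__":
    for name, fn in (("fire detector loop", fire_detector_example),
                     ("ESD pushbutton", pushbutton_example)):
        pfd, sil = fn()
        print(f"{name}: required PFDavg {pfd:.3g}, target SIL {sil}")
```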
 