Shared Field Instruments in SIS: Incidents Caused by Poor Design and Recommendations for Improvement

  • 1,019 views
Uploaded on

Even though the ISA 84 standard for Safety Instrumented Systems has been in use since 1996, there is still a lot of confusion about a key attribute of good SIS design – specifically separation of …

Even though the ISA 84 standard for Safety Instrumented Systems has been in use since 1996, there is still a lot of confusion about a key attribute of good SIS design – specifically separation of basic process control systems (BPCS) and safety instrumented systems (SIS). It could be argued that newer versions of SIS standards have further complicated the issue be specifically allowing combined safety and BPCS applications, given that certain requirements are met. The objective of the standard is not to enforce a complete separation between the systems but to either:
1) prevent a single point of failure from both creating a demand to the SIS to activate while simultaneously preventing the SIS from performing its critical action; or,
2) ensure that the frequency of this sort of single point of failure is low enough that tolerable risk goals are not violated.
The requirements for when sharing BPCS and SIS equipment is acceptable that are presented in the most recent version of the SIS functional safety standard (i.e., ISA 84.00.01-2004 – IEC 61511 Mod) are complex, confusing, and often misunderstood or simply ignored. Understanding when sharing is acceptable is and when it is not is further complicated by the fact that it is a multi-disciplinary effort, requiring knowledge not only of the instrumentation itself, but also of the process to which the equipment is connected. In fact, knowledge of the process and how it responds to BPCS failures is much more important. Verification that sharing BPCS and SIS equipment is acceptable thus requires a detailed analysis of all of the failure modes of the shared equipment along with an assessment of how each of those failure modes affects the process under control.

More in: Business , Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,019
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
1
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Ed – Can you clarify bullet 2 – “preventing” a sufficiently low frequency?
  • Ed – Do we need to cite that these are clauses in IEC 61511? Or address in voice over?
  • The image didn ’t port well from your copy to this template, maybe you can try it.
  • Ed – This graphic didn ’t port over well either
  • Ed – Did you want to add some items here?

Transcript

  • 1. Accidents Caused by Sharing SIS Field Devices Case Histories and Recommendations for Improving Safety
  • 2. Presenters
    • Ed Marszal
    • Gary Hawkins
  • 3. Introduction
    • IEC 61511 (ISA 84) allows sharing between BPCS and SIS – including field equipment
    • Objective is to prevent a single point of failure or mitigate to a sufficiently low frequency
    • Requirements are set for when sharing is permissible (often misunderstood or ignored)
    • Sharing requires understanding of the process and how devices are used – detailed analysis
  • 4. Requirements for Separation – IEC 61511
      • 8.2.1 Note 1
        • In determining safety integrity requirements, account will need to be taken of the effects of common cause between systems that create demands and the protection systems that are designed to respond to those demands.
      • 11.2.10 (paraphrased)
        • A device used to perform part of a SIF shall not be used for BPCS where a failure of of that device results in a failure of the BPCS function which places as demand on the SIS. (Unless confirmed to be acceptable)
  • 5. Case History #1 Fired Heater Low Pass Flow
    • Refinery – Northeast US
    • Early 2000 ’s
    • Process Side Tube Rupture
    • Total Destruction of Heater
    • >$10 Million
    • No injuries
  • 6. Process Schematic LAL XV-21 XV-22 UC 21 Fuel Gas F T-101 F V-101 FS 21
  • 7. Sequence of Events – Part 1
    • Heater in stable operation for significant period time
    • Cold spell occurs, temperatures <32 F for extended period of time
    • Insulation bag falls off transmitter (root cause undetermined)
    • Transmitter taps freeze, locking pressure at transmitter diaphragm in place
    • Operational situation calls for decrease in rates through the unit
  • 8. Sequence of Events – Part 2
    • Set point of pass flow controller set lower than the currently measured variable
    • Controller closes valve in attempt to decrease flow rate – controller wind-up causes output to go to zero (valve closed)
    • Since taps are frozen, flow at control point still indicates “normal” flow
    • Since transmitter is shared by BPCS and SIS, SIS input “appears” normal, no safety action taken
  • 9. Sequence of Events – Part 3
    • Loss of flow through heater tubes causes tubes to overheat because process fluid no longer carries away heat
    • Heater tubes exceed design temperatures and “melt” resulting in loss of containment of remaining process material in tubes
    • Large fire in and near heater firebox after tube rupture
    • Significant equipment damage to heater and appurtenances, significant loss of production, no injuries.
  • 10. Lessons Learned
    • Failure of transmitter is a single point of failure causing incident to occur and simultaneously preventing SIS action
    • Design is a violation of IEC 61511, Section 11.2.10
    • Proper design requires separate SIS and BPCS transmitters or demonstration of tolerable transmitter failure frequency
  • 11. Case History #2 Water Knockout Drum
    • Oil and Gas Production Middle East
    • 1990 ’s
    • Release of flammable liquids to oily water sewer
    • Explosion and destruction of oil water sewer – lost production
    • >$1 Million
    • No Injuries
  • 12. Process Schematic Atmospheric Storage Tank LT-101 V-101 LAL LT-102 SV LV-101 Water KO Drum
  • 13. Sequence of Events – Part 1
    • Process under normal conditions for significant period of time
    • Change in processing conditions results in significantly less water-make
    • Interface level decreases, controller sets output lower
    • Valve stuck in position due to lack of motion and fouling
    • No movement of valve due to controller action
  • 14. Sequence of Events – Part 2
    • Level falls below trip point, SIS de-energizes solenoid venting control valve diaphragm
    • No movement of valve – still stuck in position
    • Interface level continues to drop, hydrocarbon released into water sewer
    • Hydrocarbon flashing and accumulation of vapor
    • Source of ignition contacted – explosion
    • Significant equipment damage and lost production, no injuries
  • 15. Lessons Learned
    • Failure of control valve is a single point of failure causing incident to occur and simultaneously preventing SIS action
    • Design is a violation of IEC 61511, Section 11.2.10
    • Proper design requires a separate dedicated shutoff valve for the SIS
  • 16. Process for Assessing Shared Field Equipment
    • Shared equipment is generally discouraged
      • Physical and functional separation is safer
      • Effort to assess shared equipment may be more costly than purchasing the separate equipment
    • FMEA of Shared Equipment
      • Focus on identifying single point of failure that initiates accident and inhibits SIS
      • Should be formally documented and verified
  • 17. FMEA Process
    • List all shared equipment items for a given loop or function
    • List all of the failure modes of each item
    • For each failure mode describe the effect of the failure
      • Assume safeguards fail to determine ultimate effect
      • List safeguards
      • Assess safeguards to determine if the primary failure disables the safeguard
  • 18. Example – Water KO Drum #1 Water KO Drum LT-101 V-101 LV-101 Water Product Feed Hydrocarbon to Further Processing LSLL 101
  • 19. Design #1 FMEA (Simplified) Device Failure Mode Effect Safeguards Notes LT-101 Fail Upscale Controller output goes to zero, valve fully open Overfill Interlock – Failed Single point of failure Fail Downscale Controller output goes to max, valve fully closed No shared interlock Fail in Place Controller output goes fully open if set point is changed to a lower value. Overfill Interlock - Failed Single point of failure LC-101 Fail Upscale Controller output goes to max, valve fully closed No shared interlock Fail Downscale Controller output goes to zero, valve fully open Overfill Interlock - Failed Single point of failure
  • 20. Example – Water KO Drum #1 Atmospheric Storage Tank LT-101 V-101 LAL LT-102 SV LV-101 Water KO Drum
  • 21. Design #1 FMEA (Simplified) Device Failure Mode Effect Safeguards Notes LV-101 Fail open Valve fully open Overfill interlock failed Single point of failure Fail closed Valve closed No shared interlock Fail in place Pathway open to completely drain vessel if input rate drops Overfill interlock failed Single point of failure Bypass open Pathway open to completely drain vessel Overfill interlock failed Single point of failure
  • 22. Example – Water KO Drum #1 LT-101 V-101 LIC 101 LAL LT-102 SV IAS LV-101 XV-101 Product Separator
  • 23. Design #1 FMEA (Simplified) Device Failure Mode Effect Safeguards Notes No shared components
  • 24. Conclusions
    • Sharing field equipment between SIS and BPCS is allowed by IEC 61511 (ISA 84)
    • Requirements (if properly implemented) prevent doing so in an unsafe manner
    • Analysis of shared components is complex and often misunderstood or done poorly
    • Documented and verified FMEA of ALL shared components should be performed
  • 25. Where To Get More Information
    • www.kenexis.com/resources
    • Safety Integrity Level Selection – ISA