Safety Instrumentation. Modern process and energy facilities are highly instrumented. The instruments are used to monitor ongoing process conditions, provide information to the operating technicians, adjust operating variables, and take corrective action should process conditions move outside the safe range; alarms, interlocks, and trips all serve to bring the system back to a safe state. This ebook provides an overview of instrumentation and its role in ensuring safety.
Safety Instrumented Systems
Safety instrumentation is often organized so as to be a part of a Safety Instrumented System (SIS), which is composed of a separate and independent combination of sensors, logic solvers, final elements, and support systems that are designed and managed to achieve a specified safety level. The SIS implements one or more Safety Instrumented Functions (SIF), each of which is related to a specific hazardous event. The SIF will initiate an action such as shutting down a process, opening a pressure relief valve or releasing fire suppressants.
The only purpose of an SIS is to respond to unsafe conditions. It has no normal control function and it is completely separate from the normal control system. The first action of an SIS will be to shut down the process automatically, regardless of what the operating instruments are doing. If that is not sufficient, the fire and gas system is initiated (for example, an automatic deluge may be started).
A fully automated SIS should be installed when the consequences of an out-of-control situation could lead to a serious safety or environmental event or if the facility is unattended. An SIS can also be used if a shutdown involves a complex set of actions that may not be followed properly by the operators or if they cannot respond quickly enough to what is taking place or if they are presented with too much information to respond correctly.
All of the elements in an SIS (measurement devices, logic systems and actuators) must be highly reliable. The SIS management system should define how an owner/operator intends to assess, design, engineer, verify, install, commission, validate, operate, maintain, and continuously improve their SIS.
A critical part of the maintenance function is proof testing of the instrumented system in order to ensure that everything is working and performing as expected. Testing must include verification of the entire system: logic solver, sensors, and final elements. The proof-test interval is the period of time between successive tests. The testing frequency varies for each SIS and depends on the technology, system architecture, and target SIL.
The instrumentation settings in the SIS cannot be changed by the operations personnel. An extremely thorough safety review and Management of Change (MOC) analysis must be carried out before these critical alarm values can be modified.
At the heart of an SIS is a quantitative risk analysis. Rather than providing a prescriptive formula for instrument and controller settings, the analysis is used to determine the quantitative level of risk with the plant in its current configuration. Field data are collected through operational and mechanical integrity program activities to assess actual SIS performance. The calculated value is then compared with the desired value of risk. If there is a gap, i.e., if the calculated risk is higher than the desired value, then an SIS is needed.
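The risk-gap comparison above and the dependence of the proof-test interval on the target SIL can be worked through numerically. The following is an added example, not code from the ebook; it assumes the simplified IEC 61508 low-demand relationships named in its docstring (a 1oo1 loop with PFDavg ≈ λ_DU·TI/2 and the standard SIL bands), and all failure rates and risk figures it uses are constructed sample values.

```python
"""Worked SIL / proof-test-interval check (added example, not from the ebook).

Assumed relationships (IEC 61508, low-demand mode):
  PFDavg for a single-channel (1oo1) loop ~= lambda_DU * TI / 2, where
  lambda_DU is the dangerous undetected failure rate per hour and TI the
  proof-test interval in hours (simplified; ignores common-cause terms).
  SIL bands by PFDavg: SIL1 [1e-2,1e-1) SIL2 [1e-3,1e-2) SIL3 [1e-4,1e-3)
  SIL4 [1e-5,1e-4); risk reduction factor RRF = 1 / PFDavg.
"""
HOURS_PER_YEAR = 8760.0
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

def required_rrf(calculated_risk, tolerable_risk):
    """Risk gap from the quantitative analysis (both in events per year).
    RRF <= 1 means the plant already meets the target: no SIS needed."""
    return calculated_risk / tolerable_risk

def sil_for_pfd(pfd):
    """SIL band a PFDavg falls in; 0 if it does not even reach SIL 1."""
    if pfd < 1e-5:              # better than the SIL 4 band; count as SIL 4 here
        return 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0

def sil_for_rrf(rrf):
    """Target SIL for a required risk reduction factor (0 = no SIS required)."""
    return 0 if rrf <= 1.0 else sil_for_pfd(1.0 / rrf)

def pfd_avg_1oo1(lambda_du_per_hour, interval_years):
    """Simplified 1oo1 average probability of failure on demand."""
    return lambda_du_per_hour * interval_years * HOURS_PER_YEAR / 2.0

def max_test_interval_years(lambda_du_per_hour, target_sil):
    """Proof-test interval (years) at which a 1oo1 loop leaves target_sil's band."""
    upper = next(high for sil, _, high in SIL_BANDS if sil == target_sil)
    return 2.0 * upper / (lambda_du_per_hour * HOURS_PER_YEAR)

def interval_meets_sil(lambda_du_per_hour, interval_years, target_sil):
    """Does the chosen proof-test interval still achieve the target SIL?"""
    return sil_for_pfd(pfd_avg_1oo1(lambda_du_per_hour, interval_years)) >= target_sil

if __name__ == "__main__":
    rrf = required_rrf(5e-2, 1e-4)     # constructed: 1 event/20 yr now vs 1/10,000 yr tolerated
    sil = sil_for_rrf(rrf)             # 500 -> target PFD 2e-3 -> SIL 2
    print(f"RRF {rrf:.0f} -> target SIL {sil}")
    print("annual proof test meets SIL:", interval_meets_sil(1e-6, 1.0, sil))   # True
    print("3-yearly proof test meets SIL:", interval_meets_sil(1e-6, 3.0, sil)) # False
```

With the constructed failure rate of 1e-6 per hour, stretching the test interval from one year to three years drops the loop from the SIL 2 band into SIL 1, which is exactly why the interval is fixed per SIS rather than chosen for maintenance convenience.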
With regard to the design of critical instrumentation and safety systems the following guidance should be considered:
- Provide critical systems with their own sensors, signal transmitters, and actuators or operating parts, separate from the process control functions.
- Design critical alarms and safety interlock systems to fail to a safe condition on loss of power or instrument air.
- Monitor and alarm critical process variables directly, not indirectly. For instance, if low flow to a furnace is a concern, the flow should be measured directly rather than inferred from other variables such as temperature or pressure that may indicate low flow.
- Manual activating controls (switches, pushbuttons) must be accessible during a fire or release. As a general rule, the controls should be located at least 20 meters from the protected equipment. More spacing may be required depending on the layout of the plant and the type of hydrocarbon being handled.
- Safety interlock systems should have pre-shutdown alarms to warn that a trip is impending. This enables the operator to take corrective action if time permits before the shutdown actually occurs.
- Safety interlock systems should have a manual reset so that the process remains shut down until it is manually cleared by the operator. A manual reset eliminates the potential hazards of the protective system clearing (and the shutdown valve opening) before the condition that caused the shutdown has been investigated and rectified.
- Power supplies and distribution should allow non-safety-related equipment to be shut down for maintenance without impairing the safety interlock system operation.
- Whenever possible, the safety interlock system should be used to shut down equipment as part of a planned shutdown in order to test the protective system.
- Safety interlock systems should be well labeled and visible.
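Several of the guidance items above (direct measurement, fail-safe behaviour on loss of signal, a pre-shutdown alarm, a latched trip with manual reset, and setpoints that operations cannot alter) can be shown together in a small logic-solver model. This is an added example, not code from the ebook or from any real logic solver; the furnace low-flow loop, its setpoints and the scan values are constructed.

```python
"""Logic-solver model of one low-flow SIF (added example, not from the ebook).

Constructed illustration of the guidance above: the furnace feed flow is
measured directly, the ESD valve closes on low flow or on loss of signal
(fail safe), a pre-shutdown alarm precedes the trip, the trip latches, and a
manual reset is accepted only after the initiating condition has cleared.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class TripSettings:
    """Fixed at commissioning; operations cannot change them without an MOC review."""
    pre_alarm: float   # warn the operator that a trip is impending
    trip: float        # below this value the shutdown valve is de-energized

class LowFlowSIF:
    def __init__(self, settings):
        self.settings = settings
        self.tripped = False
        self.trip_cause = None

    def evaluate(self, flow):
        """One logic-solver scan; flow=None models a lost transmitter signal."""
        if flow is None:                       # fail safe: no signal means trip
            self.tripped, self.trip_cause = True, "signal loss"
        elif flow < self.settings.trip:
            self.tripped, self.trip_cause = True, "low flow"
        pre_alarm = (flow is not None and not self.tripped
                     and flow < self.settings.pre_alarm)
        return {"valve": "CLOSED" if self.tripped else "OPEN",
                "pre_alarm": pre_alarm, "trip_cause": self.trip_cause}

    def manual_reset(self, flow):
        """Operator reset; refused while the initiating condition persists."""
        if flow is None or flow < self.settings.trip:
            return False
        self.tripped, self.trip_cause = False, None
        return True

def run_scenario():
    """Flow falls through pre-alarm into a trip, recovers, then is reset (constructed)."""
    sif = LowFlowSIF(TripSettings(pre_alarm=30.0, trip=20.0))
    log = [sif.evaluate(f)["valve"] for f in (50.0, 25.0, 15.0, 50.0)]  # stays CLOSED
    log.append("reset refused" if not sif.manual_reset(15.0) else "reset")
    sif.manual_reset(50.0)                      # cause cleared: reset accepted
    log.append(sif.evaluate(50.0)["valve"])
    return log

if __name__ == "__main__":
    print(run_scenario())  # ['OPEN', 'OPEN', 'CLOSED', 'CLOSED', 'reset refused', 'OPEN']
```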
Generally, ESD (Emergency Shutdown) valves should be provided at all battery limits and on all hydrocarbon product streams to storage. They should have the following attributes:
- Fail Closed (FC) on failure of air or electrical power.
- Supplied with power from the Uninterruptible Power Supply (UPS).
- Fire safe (valve and actuator).
- Provided with position transmitters and indicators.
- Never used for process control.
Table of Contents
Operating / Safe Limits
Distributed Control Systems
Safety Instrumented Systems
Safety Integrity Level
Testing and Inspection
Fire and Gas Detection
Flammable Gas Detection
Fire / Flame Detection
Detection by Persons
Toxic Gas Detection
Layout of Detectors
Portable Gas Detectors
Response to Alarms