Energise to Trip
advertisement
Energise to trip? De-energise to trip? Simple Choice? Tony Foord & Colin Howard www.4-sightConsulting.co.uk +44 (0)1 582 462 324 Slide DT/ET - 1 Examples Slide DT/ET - 2 Overview • • • • • • • • • Available guidance Why do trip systems fail? Trip system issues System failure modes 3 examples Architecture and Spurious trip frequency Diagnostics and Reverse acting transmitters References Conclusions Slide DT/ET - 3 Traditional Choices Safety Availability De-energise to Trip (DT) Energise to Trip (ET) Operation Slide DT/ET - 4 Available Guidance • Very little specific guidance published X One or two paragraphs only X Concentrate on “fail safe” WHY? ¾Custom and practice? ¾Taken for granted? ¾Principles assumed? Slide DT/ET - 5 Overpressure protection for a turbine driven compressor Slide DT/ET - 6 Why do trip systems fail? Inadequate specification Inadequate design and implementation Inadequate installation and commissioning Inadequate operation and maintenance Inadequate modification Source: Out of Control 2003 Slide DT/ET - 7 Trip system issues • • • • SIF Requirements Passive / active systems Utility Requirements Effect on Fail to Danger and Spurious Trips – – – – – Design policy / Architecture / Overrides (defeats) People issues Operate / Test / Repair policies Component reliability Diagnostics Slide DT/ET - 8 System failure modes Source: Sintef PDS Method Handbook 2006 Slide DT/ET - 9 Energise or De-energise to Trip? LSZ Process unit consumers SIF OAF Surge Drum Emergency Feed Slide DT/ET - 10 Addition of Reactor Inhibitor Options HP N2 Inhibitor De-energise to Trip Inhibitor Dump tank BD1 Vent Feed A TT 1 PT 1 N2 In Feed B Energise to Trip HW In CW Out CW In HW Out Product Out Slide DT/ET - 11 Architecture and Spurious Trip Frequency 1 1oo1 1oo2 0.1 Frequency 0.01 0.001 0.0001 0.00001 0.000001 0.0000001 Slide DT/ET - 12 1oo3 2oo3 Valve failure modes ~ 80% open Failure mode Blocking % 5 External leak 15 Passing 60 Sticking 20 Data source: Smith: Reliability, Maintainability and Risk Slide DT/ET - 13 Relay failure modes ~ 90% open Failure mode % Contacts short circuit Contacts open circuit Coil 10 80 10 Data source: Smith: Reliability, Maintainability and Risk Slide DT/ET - 14 Overpressure protection for a turbine driven compressor Slide DT/ET - 15 DT fails to danger Slide DT/ET - 16 ET fails to danger Key to Fault Trees 2oo3 sensors 2oo3 fail sensors fail Both final Both FEs fail element Logicsolver solver Logic hardware fails hardware fails 2 Sensors fail Sensors Sensor 1 fails Sensor 1 fails Sensor 2 fails Sensor 2 fails Sensor 3 fails Sensor 3 fails Sensor 1 fails Sensor 2 fails Sensor 3 fails Logic solver fails Slide DT/ET - 17 Logic solver Both FEs fail Final element element Final 1 fails 1 fails Final element element Final 2 2 fails fails FE 1 fails FE 2 fails Final elements DT (left) and ET fails to danger Key to Fault Trees 2oo3 sensors 2oo3 fail sensors fail Both final Both FEs fail element Logicsolver solver Logic hardware fails hardware fails 2 Sensors fail Sensors Sensor 1 fails Sensor 1 fails Sensor 2 fails Sensor 2 fails Sensor 3 fails Sensor 3 fails Sensor 1 fails Sensor 2 fails Sensor 3 fails Logic solver fails Slide DT/ET - 18 Logic solver Both FEs fail Final element element Final 1 fails 1 fails Final element element Final 2 fails fails 2 FE 1 fails FE 2 fails Final elements DT spurious trips Slide DT/ET - 19 ET spurious trips Slide DT/ET - 20 DT (left) and ET spurious trips Key to Fault Trees 2oo3 sensors 2oo3 fail sensors fail Both final Both FEs fail element Logicsolver solver Logic hardware fails hardware fails 2 Sensors fail Sensors Sensor 1 fails Sensor 1 fails Sensor 2 fails Sensor 2 fails Sensor 3 fails Sensor 3 fails Sensor 1 fails Sensor 2 fails Sensor 3 fails Logic solver fails Slide DT/ET - 21 Logic solver Both FEs fail Final element element Final 1 fails 1 fails Final element element Final 2 fails fails 2 FE 1 fails FE 2 fails Final elements Diagnostics and Reverse Acting Transmitters • Safety Function operates on “high” signals • Transmitter failure leads to low signal z Diagnostics require separate input y Reverse acting transmitter provides automatic protection – Avoids technical complexity BUT introduces human factors and management complexity Slide DT/ET - 22 References - 1 • http://www.hse.gov.uk/comah/sragtech/index.htm which includes links to Case Studies illustrating the importance of Control and Protection Systems, for example – Texaco Refinery - Milford Haven - Explosion and Fires (24/7/1994) – International Biosynthetics Ltd (7/12/1991) – BP Oil (Grangemouth) Refinery Ltd (22/3/1987) – Seveso - Icmesa Chemical Company (9/7/1976) • Out of Control (2003), Second edition, HSE Books, ISBN 07176-2192-8 • IEC 61508 (1998 & 2000), Functional safety of electrical/electronic/programmable electronic safety-related systems Parts 1-7 Slide DT/ET - 23 References - 2 • Reliability Prediction Method For Safety Instrumented Systems. PDS Method Handbook (2006) SINTEF • ISA-TR84.00.02 (2002) - Safety Instrumented Function (SIF) - Safety Integrity Level (SIL) Evaluation Techniques Part 1: Introduction – page 57 • Reliability Maintainability and Risk (2001) David J Smith ISBN 0-7506-5168-7 • Safety Shutdown Systems Design, Analysis and Justification (1998) Paul Gruhn and Harry Cheddie ISBN155617-665-1 • Safety-Critical Computer Systems (1996), Neil Storey, ISBN 0-201-42787-7 • Safeware: system safety and computers (1995), Nancy Leveson, ISBN 0-201-11972-2 Slide DT/ET - 24 Available Guidance on ET Is there anything else out there? Slide DT/ET - 25 Conclusions • Choice less clear-cut than at first sight – Need to look holistically – Wider than simply the core SIF • ET can be made to work – possibilities of getting it wrong are greater • ET inherently more complex – Does everyone understand the complexity? • Some DT systems have ET elements Slide DT/ET - 26
