Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Session 15
The Application of IEC61511 to a
Circulating Fluidised Bed Boiler Project
Ian Pennington
Project Technical Manager, CH2MHill Australia
Abstract
This paper describes the processes and implications of applying the IEC61508
/ IEC61511 safety life cycle to a Circulating Fluidised Bed Boiler (CFB) project.
Design issues, project management/program constraints and available data are
covered for this current project. The combustion processes (coal, biomass and
diesel start-up) will also be briefly explored to provide background to the SILs
applied to the boiler Safety Instrumented Functions (SIFs). A discussion on the
combustion related boiler SIFs will give you an insight into the safety issues
related to a CFB boiler. Site testing to validate SIFs and the change process for
modifications will also be discussed.
Introduction
IEC61508/IEC61511 are functional safety performance standards that have
been set-up to provide a guideline and structure for ensuring safety systems
like a boiler management system are implemented correctly and with the
required verification. These standards provide a set of criteria that must be met
depending on the amount of risk reduction required as determined by the end
user. These standards are not yet universally mandatory in all Australian
States and industries; however this is expected in the not too distant future.
The CFB project was the first of its type designed in Australia, so it had many
development aspects that provided challenges to all involved. The application
of IEC61511 was one of these challenges and it took the concerted effort of the
final Client and engineering teams from two Contractors to achieve a
satisfactory outcome.
The CFB combustion and fuel admission equipment systems are different to
more conventional pulverized coal or grate fired boilers that introduced safety
aspects that required a practical approach.
2013 Safety Control & Instrumented Systems Conference
1
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Plant Overview
The Cogeneration Power Plant consists of:
•
2 off 360 t/h 160 barg 540oC Fired Natural Circulation Reheat Circulating
Fluidised Bed Boilers. Fuels: Coal (main), Biomass (alternative
supplementary) and Light Fuel Oil (start-up)
•
2 off Siemens SST-700/900 HP/IP Reheat Back Pressure Steam
Turbines with HP Gearbox, Lube Oil System and Generator (72MVA)
•
Condensate treatment plant with 3 off 600 t/h polishing trains, tanks and
heat exchangers
The plant is capable of producing 2 x 57 MWe and 2 x 303 t/h process steam at
two pressure levels (13.5 barg and 4.7 barg) utilising coal
Figure 1: Photo of Cogeneration Plant taken February 2013
2013 Safety Control & Instrumented Systems Conference
2
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
CFB Combustor and Boiler
CFB Combustion Process
Combustion takes place in a turbulent fluidized bed environment containing
large amounts of bed material with a relatively small concentration of fuel.
CFBs have no defined bed height, solids (bed material, fuel, additives) are
continuously forming clusters, which are lifted inside the furnace, eventually fall
down and break up, enabling the particles to be fluidized again and to re-enter
the process. Solid density decreases gradually towards furnace top. Owing to
high superficial velocity in a CFB the majority of fine grained bed material is
carried out from furnace into a downstream cyclone type separator. More than
99% of these solids are separated in the cyclone and returns into the lower part
of the furnace, the rest leaves the cyclone along with hot flue gas entering the
boiler second pass.
Figure 2: CFB Boiler Cross-Section
2013 Safety Control & Instrumented Systems Conference
3
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Furnace Upper Part
The upper part of the furnace is enclosed by gas tight tube-fin-tube water walls
working as evaporator heating surfaces.
Near the front wall twelve wingwall panels are installed in the upper half of the
furnace that serves as superheaters. The heat transfer to these surfaces is
strongly dependent on the density of gas/solids-mixture. The density profile
depends on grain size distribution of bed material, primary to secondary air split
and superficial velocity (i.e. velocity of flue gas at actual furnace
temperature/pressure over the total cross section without bed material).
The outlet windows for the flue gas/solids mixture leaving furnace are located in
the rearwall on either side just below the top of the furnace.
Bed
Material
Sand
Figure 3: CFB Boiler Combustor Sections
Furnace Hopper
The lower part of the furnace (bed area) is an uncooled, refractory lined hopper
with several openings to introduce ash from the siphon, combustion air, fuel
and additives as well as to remove bottom ash via three bed ash hoppers. This
is the area with the highest solid densities (highest bed pressure), but also the
area with the highest gradients for the solid densities and most important it is
the area where the combustion mainly takes place.
The biggest openings in the front wall of the furnace hopper are the openings
for the return leg from the cyclones/siphons, where the recirculated material
from cyclones and a share of fuel enter the furnace with a high impulse. In the
return leg the fuel already gets pre-heated and pre-mixed with the recirculated
material from the siphon and the high impulse leads to a good distribution of
fuel via the entire furnace.
2013 Safety Control & Instrumented Systems Conference
4
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Two fuel chutes (one coal and one biomass) serving as additional feeding
points are located symmetrically at the front wall. The driving force to push the
fuel into the furnace is gravity supported by secondary air. Secondary air
mainly prevents flue gas backdraft into the fuel conveying system and improves
fuel penetration into the dense fluidised bed. Additionally the chutes are kept
warm, which prevents the formation of agglomerations and blockages.
About 35-60 % (depending on fuel mixture and load) of total air enters through
nozzle grid and (at high load) through nozzles above nozzle grid as primary air
to promote bed fluidisation and to initialize substoichiometric combustion for
limiting NOx-formation.
Figure 4: CFB Boiler Combustor Photo
Before entering the primary air windbox below the furnace, excess HP-blowerair and recirculation gas are added to primary air system. From the windbox
primary air flows through the nozzle grid consisting of many air nozzles, which
distribute the air evenly over the whole cross section of the lower furnace. To
achieve this even distribution, the nozzles create sufficient pressure drop.
Injection of the secondary air at two different levels ensures combustion
efficiency with high carbon burnout, CO and hydrocarbon conversion. The
automatically calculated and controlled split of all these air flows can be
manually adjusted by operator to provide optimum combustion conditions,
circulation rate and emission control.
Secondary air is also supplied to the following:
2013 Safety Control & Instrumented Systems Conference
5
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
•
Combustion air for the burners #1 to #5.
•
Sealing air for siphon expansion joint seal.
•
Sealing air for the coal fuel feeding points at the siphons.
•
Sealing air for the biomass fuel feeding point and coal feeding points at
the front chutes
LFO Combustion System
For start up and for supporting biomass/coal fire, a light fuel oil (LFO) firing
system is installed. This light fuel oil firing can also be used as an independent
firing system up to a certain boiler capacity. This LFO firing system consists of five
start-up burners and six bed lance burners.
Light fuel oil is atomised by atomising air for the start-up burners. The bed lances
are atomised with atomising steam.
For light-off each start-up burner has a high energy ignitor. As soon as furnace
bed temperature has exceeded 593 °C the first bed lance can be started.
LFO firing system is designed to reach 649 °C bed temperature in furnace, which
is the release for starting biomass/coal firing.
Coal Combustion System
The coal flows from the bunkers to the metering feed conveyors which control
the flow of fuel and transport it to the hammer mills. The hammer mills reduce
the material size to less than 8mm maximum particle size. This material is then
transported through other conveyors and chutes until it arrives at the rotary
feeders. These feeders maintain an air lock to the furnace. The transport
conveyors are speed controlled to follow the metering conveyor but the rotary
feeders are fixed speed. Two isolation gates are fitted beneath each rotary
feeder, one actuated and one manual.
Biomass Combustion System
The circular screw reclaimers (CSR) deliver biomass from the storage bunker
into the injection system. Biomass is then transported from the reclaimers via a
system of conveyors and chutes to the rotary feeders. These feeders maintain
an air lock to the furnace. Two isolation gates are fitted beneath each rotary
feeder, one actuated and one manual. A consistent supply of biomass is
maintained through the use of a surge bin in this system. The surge bin is fitted
with level instruments which control the operation of the CSR. The CSR is fitted
with a VVVF drive so its speed can be matched to the overall biomass fuel flow.
Below the surge bin, a twin screw conveyor meters the flow of biomass to the
downstream process. The set point for the speed of the twin screws is obtained
from the DCS depending on the required biomass percentage to the fuel mix
2013 Safety Control & Instrumented Systems Conference
6
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Figure 5: Solid Fuel and Sand PFD
2013 Safety Control & Instrumented Systems Conference
7
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Risk Assessment
In order to determine the SIL requirements of each safety function the project
employed the risk graph method as described in AS 61511 part 3.
Personnel Injury
To classify the SIS related to personnel injury, the following three questions
were answered:
1. What is the potential extent of human injury (C) per demand if the SIS fails
on demand, i.e. when a hazardous situation occurs? If there is no injury (CA),
the risk is as low as is reasonably practicable and therefore the SIF is as safe
as it can practicably be and so not required for personnel safety and this part of
the classification is finished. Any other C value leads to a next step in the
personnel safety risk diagram.
2. What is the likelihood or presence of the person (F) who may be injured in
the area affected by the possible hazardous situation? FB shall be selected
when the persons are likely to be present at the time of the hazardous situation,
e.g. the demand occurs during local manual start when people are attending
the boiler or turbine; or the hazardous situation occurs after the persons have
arrived on the scene to investigate a developing abnormal situation. For CA this
step is not required.
3. Is it likely for the hazardous situation to be avoided (P)? This step is not
required for CA. Note that the possibility to avoid a hazardous situation should
not be increased from PB to PA on the assumption that the person will wear
personal protective equipment, unless it is certain that protective equipment will
be worn. Usually, systems are designed on the assumption that the use of such
equipment is not absolutely required to achieve a sufficient degree of safety,
although it is recognized that it can improve safety still further.
If the result of the classification is ‘a’, the SIS is not required for personnel
safety. For other results, following the risk diagram along the lines of C, F and
P, the SIS for the function related to personnel safety can be obtained from the
relevant W column.
The study adopted the safety category illustrated in Figure 6.
Economic Impact
Economic impact is also considered in SIL classification. However, as SIL
rating could be driven by economic impact, where the SIL rating is solely
classified based on the consequence of economic impact, the company could
decide to lower the SIL rating by accepting the potential risk rose from
economic losses.
The study adopted the economic impact category illustrated in Figure 6.
Environmental Impact
Where the consequence involves environmental impact, the environmental
impact is recorded and the category adopted was per Figure 6.
2013 Safety Control & Instrumented Systems Conference
8
Sessiion 15: The Ap
pplication of IE
EC61511 to a circulating Flu
uidised Bed Project
P
Freq
quency off Demand
A de
emand on a SIS may be cause
ed by instrrument ma
alfunction, operator error,
e
servvices failure
e, etc. Aftter recordin
ng the con
nsequencess, the first question to
t be
answ
wered is: How
H
often is the SIS activated (W classifiication)? T
The IEC 61
1511
desccribes the frequencyy of dema
and in qua
alitative terms: low, moderate and
high
h. The 3 ca
ategories are
a as follo
ows:
•
W1: Low
L
(dema
and less th
han 0.1 perr year),
•
W2: Moderate
M
(
(demand
r
rate
betwee
en 0.1 and
d 1 per yea
ar),
•
W3: High
H
(demand rate between
b
1 and
a 10 perr year).
Exa
ample
: SIF
S 10a & 10b – Low Bed
B Tem
mperaturre
Fig
gure 6: Ris
sk Graph Classificat
C
tion
2013 Safety Contro
ol & Instrumen
nted Systems Conference
9
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
The SIL study participants’ experience of failures in similar systems and their
plant was used to estimate the frequency of demand. During the frequency of
demand analysis, the provision of other independent layers of protection for the
specific scenario was reviewed and a risk reduction factor was determined.
This risk reduction factor was applied to the identified frequency of demand.
The risk graph methodology was implemented using the Ex Silentia software
tool produced by Exida.com.
Boiler SIFs
SIF Tag Description
ExSILentia
(Target SIL)
ExSILentia
(Achieved SIL)
1
ID Fan Not Operating
2
2
2
PA Fan not running
2
2
3
SA Fan not running
1
2
4
Boiler Drum Water Level (Low Low)
2
2
5
Total air flow low
2
2
6
Drum water level (High)
2
2
8
Furnace Pressure (High)
2
2
10a
Bed Lance Oil Release Temperature (Low)
2
2
10b
Coal Oil Release Temperature (Low)
2
2
11
Primary Air Flow (Low)
1
2
13
E-Stop
1
2
14
Fluidised Bed Temperature (High)
1
2
15
Steam Drum pressure (High)
1
2
44
Main Steam Temp (High High)
2
2
45
Reheat Steam Temp (High High)
2
2
46
Secondary Air Flow Low
1
2
47a
Bed Lance Fuel Supply Pressure (Low)
1
2
47b
Start-up Burner Fuel Supply Pressure (Low)
1
2
48
Bed Lance Loss of Atomising Air
1
2
49
Start-up Burner Loss of Atomising Air
1
2
50 (A-E) Start-up Burner, Loss of Flame
2
2
Instrument Air Pressure (Low )
1
2
51
Figure 7: Table of Boiler SIFs
2013 Safety Control & Instrumented Systems Conference
10
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
The SIFs that are particular to a CFB boiler and associated with the combustion
systems are discussed below with the following described for each SIF:
•
The possible cause of the hazard and the consequence of the event
•
The actions performed by the SIF, including detection
•
The SIL required and the SIL that is expected to be achieved
SIF 01 ID Fan Not Operating
The Induced Draught (ID) Fan removes flue gas from the furnace and expels it
to the stack. Failure of this fan could lead to a pressure build up in the furnace,
with the potential for localised explosion within the boiler causing structural
damage and possible steam and flame releases.
The SIL target is set at 2 based on the personnel safety impact of the event.
Failure of the ID fan is detected by an auxiliary contact on the fan motor circuit
breaker in the MCC and a MFT is initiated to achieve a safe state. Reliability
calculations indicate the SIF achieves a SIL 2. PFDavg is governed by the final
element group and the MTTFS is governed by the sensor group
SIF 05 Total air flow (Low)
Total airflow to the boiler must be continuously monitored to assure that the
fuel/O2 ratio is maintained within design parameters. PA and SA fans both
supply air to the combustion chamber and a minimum airflow must be
maintained. Low total airflow could lead to an accumulation of fuel in the
combustion chamber with possibility of a localised explosion resulting in
moderate injuries.
The SIL target is set at 2 based on the economic impact of the event.
The airflow on each fan is monitored with triple redundant flow meters that
utilise temperature and pressure compensation for the flow measurements. For
each fan, the median compensated flow is selected and values for the two fans
are summed. Should the transmitter diagnostics identify a failed transmitter, the
lower of the two remaining values is selected for the summation.
Low total airflow will initiate a MFT to achieve a safe state. Reliability
calculations indicate the SIF achieves a SIL 2. PFDavg is governed by the final
element group and the MTTFS is governed by the logic solver
SIF 10a Bed Lance Oil Release Temperature (Low)
A low furnace bed temperature due to an unspecified situation can create a
potential for unburned fuel to collect inside the furnace. This fuel accumulation
in the furnace may be ignited by a startup burner creating a potential for a
furnace explosion and multiple fatalities.
The SIL target is set at 2 based on the personnel safety of the event. This
safety function is required under NFPA 85.
The furnace bed temperature is monitored with triple redundant temperature
transmitters. Sensor voting is set at 2oo3 within the group.
2013 Safety Control & Instrumented Systems Conference
11
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Low Bed Temperature in the furnace will initiate a bed lance fuel trip by the
BMS to achieve a safe state. Reliability calculations indicate the SIF achieves
a SIL 2. PFDavg is governed by the sensor group and the MTTFS is governed
by the final element group
Figure 8: Bed-Lance Cross-Section
Figure 9: Bed-Lance Photo
2013 Safety Control & Instrumented Systems Conference
12
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
SIF 10b Coal Release Temperature (Low)
A low furnace bed temperature due to an unspecified situation can create a
potential for unburned fuel to collect inside the furnace. This fuel accumulation
in the furnace may be ignited by startup burner creating a potential for a
furnace explosion and multiple fatalities.
The SIL target is set at 2 based on the personnel safety of the event. This
safety function is required under NFPA 85.
The furnace bed temperature is monitored with triple redundant temperature
transmitters. Sensor voting is set at 2oo3 within the group.
Low Bed Temperature in the furnace will initiate a solid fuel trip (stop rotary
valves and close slide gate valves) to achieve a safe state. Reliability
calculations indicate the SIF achieves a SIL 2. PFDavg is governed by the
sensor group and the MTTFS is governed by the final element group.
Figure 10: Coal Rotary Valve
SIF 11 Low Primary Air Flow
The Primary Air (PA) Fan provides air to fluidise the bed and facilitate
combustion of the coal/biomass. Failure of this fan could lead to bed slump,
with the potential for localised explosion contained within the boiler.
2013 Safety Control & Instrumented Systems Conference
13
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
The SIL target is set at 1 based on personnel safety and the economic impact
of the event.
Primary air flow is monitored with triple redundant flow sensors that utilise
temperature and pressure compensation for the flow measurements. The
compensation instruments were excluded from the SIL analysis as failure of
these instruments was proven to not result in a dangerous condition. Voting is
set at 2oo3 within the group.
Low primary air flow will initiate a MFT to achieve a safe state. Reliability
calculations indicate the SIF achieves a SIL 2. PFDavg is governed by the final
element group and the MTTFS is governed by the logic solver.
SIF 14 Fluidised Bed Temperature (High)
A high furnace bed temperature can be due to loss of control of the Flue Gas
Recirculation (FGR) fan, very dry fuel, loss of bed temp control, or incorrect
sand loading. Clinker could buildup in the furnace causing a high furnace
temperature when the clinker is ignited. A potential exists for high temperature
steam generation, a turbine trip, higher than expected NOx and SOx levels,
and a potential breach in emission licenses.
The SIL target is set at 1 based on the personnel safety of the event.
The furnace bed temperature is monitored with triple redundant temperature
transmitters. Sensor voting is set at 2oo3 within the group.
High Bed Temperature in the furnace will initiate a MFT to achieve a safe state.
Reliability calculations indicate the SIF achieves a SIL 2. PFDavg is governed
by the final element group and the MTTFS is governed by the logic solver.
SIF 46 Secondary Air Flow (Low)
The Secondary Air (SA) Fan provides adjustment air for O2 management.
Failure of this fan could lead to loss of rotary valve air seal and potentials fire in
fuel biomass/coal supply.
The SIL target is set at 1 based on personnel safety and the economic impact
of the event.
Secondary air flow is monitored with triple redundant flow sensors that utilise
temperature and pressure compensation for the flow measurements. The
compensation instruments were excluded from the SIL analysis as failure of
these instruments was proven to not result in a dangerous condition. Voting is
set at 2oo3 within the group.
Low secondary air flow in the furnace will initiate a MFT to achieve a safe state.
Reliability calculations indicate the SIF achieves a SIL 2. PFDavg is governed
by the final element group and the MTTFS is governed by the logic solver
SIF 47a Bed Lance Fuel Supply Pressure (Low)
Low Fuel Supply pressure due to pump failure, or burner flow control valves not
adequately opened. Inadequate combustion and may result in unstable flame
and has potential to cause bed lance tip damage.
2013 Safety Control & Instrumented Systems Conference
14
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
The SIL target is set at 1 based on the economic impact of the event.
The pressure is monitored with dual redundant pressure transmitters. Sensor
voting is set at 1oo2 within the group.
Low pressure in the fuel supply to the bed lances will initiate a fuel trip closing
the common bed lance fuel valve and all the individual bed lance valves to
achieve a safe state. Reliability calculations indicate the SIF achieves a SIL 2.
PFDavg is governed by the sensor group and the MTTFS is governed by the
final element group.
SIF 49 Start-Up burner, Loss of Atomising Air
Loss of atomising air due to loss of pressure control, or isolation would allow
unburned fuel to enter the furnace due to inadequate combustion and may
result in unstable flame. Potential exists for burner tip damage.
The SIL target is set at 1 based on the environmental and economic impact of
the event.
The air pressure is monitored with triple redundant pressure transmitters.
Sensor voting is set at 2oo3 within the group.
Loss of atomising air to the start-up burners will initiate a fuel trip closing the
common start-up burner fuel valve and all the individual start-up burner valves
to achieve a safe state. Reliability calculations indicate the SIF achieves a SIL
2. PFDavg is governed by the sensor group and the MTTFS is governed by the
final element group
Figure 11: Start-up Burner Cross-Section
2013 Safety Control & Instrumented Systems Conference
15
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Figure 12: Start-up Burner Photo
SIF 50 (A-E) Start-up burner loss of flame
Loss of flame would allow unburned fuel to enter the furnace and may
accumulate in the bed. Potential temperature runaway excursion and explosion
would occur and rupture the furnace.
The SIL target is set at 2 based on the personnel safety and economic impact
of the event.
Loss of flame to the start-up burners will initiate a fuel trip by the BMS, closing
the common start-up burner fuel valve and all the individual start-up burner
valves to achieve a safe state. Reliability calculations indicate the SIF achieves
a SIL 2. PFDavg is governed by the sensor group and the MTTFS is governed
by the sensor group.
2013 Safety Control & Instrumented Systems Conference
16
Sessiion 15: The Ap
pplication of IE
EC61511 to a circulating Flu
uidised Bed Project
P
615
511 Lifec
cycle in Practice
P
Proccess Hazard Analysiss (Box 1) & Allocation of Safetyy Functionss (Box 2)
•
Prelimin
nary HAZO
OP
•
CHAZO
OP worksho
op
•
NFPA 85
8 review
•
Final HA
AZOP ana
alysis
•
Facilitatted SIL stu
udy with Client
C
to de
efine the safety functtions, agre
ee on
the risk and deterrmine the SIFs
S
=> SIL
L Classifica
ation Repo
ort
Fig
gure 13: IE
EC61511 Safety
S
Life
ecycle
Safe
ety Require
ements Sp
pecification
n (Box 3)
•
A SRS documentts key dessign require
ements for each SIF
F that form
m the
basis of
o final de
esign: riskk assessm
ment and safe statte, target risk
reductio
on and safety
s
funcction func
ctionality requiremen
r
nts and reset
r
requirem
ments
•
Assignm
ment of th
he demand
d rate (W)), Safety (C), Asset Loss (A), and
Environ
nmental Co
onsequencces (E) for each SIF
•
Most SIFs are linked to the
e BMS resu
ulting in a Master Fu
uel Trip (M
MFT),
which closes
c
all th
he fuel inle
et valves.
Design & Engiineering off Safety Insstrumented
d System (Box
(
4)
•
Hardwa
are Realisa
ation: PLC with SIL-3
3 approved architectu
ure
•
Softwarre Specificcation: Initially SAMA
A diagram
ms with ove
erall functional
description follow
wed by detailed
d
functional
f
descriptio
ons with flow
diagram
ms develop
ped late in the projectt
2013 Safety Contro
ol & Instrumen
nted Systems Conference
17
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
•
Logic programming
Installation Commissioning & Validation (Box 5)
•
•
•
Hardware Site Acceptance Test: the logic solver and associated
communications modules, power supplies, input / output modules, as
well as the master fuel trip (MFT) relay panel are tested for correct
functioning.
Software Acceptance Test: each scenario of each functional logic path
or sequence is simulated in logical order. Each result is judged against
the desired outcome in the design basis documents
Safety Instrumented Function (SIF) Test: a SIF is validated by physically
simulating the process parameter at the sensor group and then field
verifying the BMS hardware, software, and the associated final elements
function as per the design basis documents. The full MFT group is
verified to function at least one time.
Operation & Maintenance (Box 6)
•
O&M Manual development and operator training.
•
Future use by Client, particularly for rotary valves, slide gate valves,
airflow measurement, flame scanners, limit switches on fuel oil lines &
drum level measurement.
Modification and Decommissioning (Boxes 7 and 8)
•
Rigorous change management process.
Management and Planning (Boxes 9 & 10)
•
Difficult to apply correct planning to a project with significant new
development aspects.
•
Project program required equipment to be ordered before design of SIS
was complete.
•
BMS panels were shipped before final design and acceptable FAT were
completed.
Design Verification (Box 11)
•
Safety Integrity Level (SIL) calculations were performed and Safety
Instrumented Functions (SIFs) documented in the Boiler Management
System (BMS) Safety Instrumented System Review to check and
confirm that what has been done, has been done the right way.
The next section on architectural groups provides some key features arising
from details of the design verification process, which is based on the guidelines
given in AS 61511.
2013 Safety Control & Instrumented Systems Conference
18
Sessiion 15: The Ap
pplication of IE
EC61511 to a circulating Flu
uidised Bed Project
P
Arc
chitectural Group
ps
Arch
hitectural group
g
cate
egories: th
he sensorr, logic so
olver, and final elem
ment
grou
ups. PFDa
avg is heavvily influen
nced by th
he numberr of compo
onents and
d the
arch
hitectural structure,
s
consequently this should
s
be considere
ed first in
n the
desiign.
Sing
gle Senso
or Group
SIF 01: ID fan motor run
n signal is used to initiate MFT trip, conse
equently it was
mod
delled as a single gro
oup with 1o
oo1 voting within the group.
SIF 08: three independe
ent furnace
e pressure
e transmitte
ers where it takes tw
wo of
the three sig
gnals to trip (2oo3
3) before a safetyy response is initia
ated,
conssequently it was mod
delled as one group with
w a 2oo3
3 voting wiithin the grroup.
Figure 14
4: Single Sensor
S
Gro
oup
Multtiple Sens
sor Groups
SIF 05: two groups:g
SA
A fan airflo
ow and PA
A fan airflo
ow, each w
with three flow
w temperrature and pressure compensa
ation. Median (2oo3
3) air
transmitters with
w from each
h fan are summed
s
to
o determine
e a total airflow. The
e SIF will trip
t if
flow
totall airflow is below set point with 2oo2 votin
ng.
Figure 15: Multiple Sensor Group
2013 Safety Contro
ol & Instrumen
nted Systems Conference
19
Sessiion 15: The Ap
pplication of IE
EC61511 to a circulating Flu
uidised Bed Project
P
Fina
al Elementt Group Master
M
Fue
el Trip
A master
m
fuel trip (MFT
T) is define
ed in NFPA
A 85 as “a
an event rresulting in
n the
rapid
d shut-off of all fuell…” For this
t
Cogen
neration Plant
P
Project: that en
ntails
stop
pping 3 co
oal stream
ms, 1 biom
mass stream, 5 startt-up burne
ers and 6 bed
lancces.
F
Figure
16:: Master Fuel
F
Trip
2013 Safety Contro
ol & Instrumen
nted Systems Conference
20
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Architectural schematic illustrates the following actions must occur to achieve a
safe state for stopping the solid fuel:
•
Stop biomass feed by closing slide gate valve (SGV) OR close rotary
valve (RV)
•
Stop Coal 1 feed by closing slide gate valve (SGV) OR close rotary
valve (RV)
•
Stop Coal 2 feed by closing slide gate valve (SGV) OR close rotary
valve (RV)
•
Stop Coal 3 feed by closing slide gate valve (SGV) OR close rotary
valve (RV)
Figure 17: Master Fuel Trip
2013 Safety Control & Instrumented Systems Conference
21
Sessiion 15: The Ap
pplication of IE
EC61511 to a circulating Flu
uidised Bed Project
P
SIF 05 Archite
ectural Grraphics
Figurre 18: SIF0
05 Architectural Gra
aphics
Pie charts illusstrate the contributio
on of senso
ors, logic solver
s
and final elem
ments
on the
t
PFDavvg (i.e. SIIL level in
n terms off average probabilityy of failure
e on
dem
mand) and the
t MTTFS
S (mean tim
me to failure on a spurious bassis)
SIF0
05: to imprrove PFDavg, the reliability of th
he sensor groups wo
ould need to
t be
imprroved and that the fin
nal elemen
nt is the mo
ost likely ca
ause of spurious trips
s
F
Figure
19: SIF05 Pie
e Chart forr PDFavg and
a
MTTF
FS
mponentt Informa
ation
Com
One
e challenge
e of the pro
oject was to
t obtain re
eliability information that accurately
reprresents the
e compone
ents in the
e SIFs. Where
W
speccific inform
mation was
s not
avaiilable, gene
eric inform
mation was used.
The next para
agraphs pro
ovide some indicatorrs of how the
t data w
was establis
shed
and what qualifications the instrum
ments have for SIL du
uties.
2013 Safety Contro
ol & Instrumen
nted Systems Conference
22
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Logic Solver
•
The BMS is a stand-alone segregated system, functionally integrated
with, but physically and electrically completely separate from and
independent of the DCS and other control systems
•
PLC-based hardware meets the requirements of TUV-certification
suitable up to a Safety Integrity Level 3
•
The PLC was modelled as the logic solver in ExSILentia as the logic
solver for most of the SIFs => conservative approach
•
SIF 4b and SIF 13 include a hardwire layer of protection that utilises a
hardwire relay as the logic solver. The relay is suitable up to SIL 3
service. This component is certified under IEC 61508 for high demand
service
Generic Components
•
Thermocouples for all temperature measurements
•
Wedge gate valves in MFT final element groups
•
Pneumatic piston actuator on wedge gate valves
•
Solenoids on gate valve actuators
•
SIF 13 E-Stop switches
Auxiliary Contact
•
The Auxiliary Contact is used in the sensor group of the SIF 01 (ID fan),
SIF 02 (PA fan) and SIF 03 (SA fan)
•
Published failure rate data, so calculations were performed using
generic switch data. WAPL has operating experience with the contactors
so the components are accepted under Proven in Use guidelines
Transmitters:
•
TÜV certified under IEC 61508 for low demand service up to SIL 2
service in 1oo1 architecture: Differential Pressure, Gauge Pressure and
Temperature
Flame Scanner:
•
The flame scanner is not certified for SIL service
•
Failure rate information provided by the Vendor
Solenoids:
•
The solenoid is used on all the liquid fuel valves in the master fuel trip.
•
Vendor supplied certificate that included failure rate information that was
modelled
LFO Shut-off Valves (common & individual):
•
This component is TÜV certified under IEC 61508 and IEC61511 for low
demand up to SIL 3 service
2013 Safety Control & Instrumented Systems Conference
23
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Site Validation and Modification
Site validation of the BMS SIS and a well controlled modification process are
an essential part of a safety system.
BMS SIS Validation Test Records:
•
Site calibration records of all SIF transmitters
•
Hardware Site Acceptance Test Validation Records
•
Software Test Validation Records
•
SIF Test Records
•
Field Instrument Test Equipment Calibration Records
Figure 20: SIF10b Test Sheet
2013 Safety Control & Instrumented Systems Conference
24
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
BMS Change Procedure that is included in Life-Cycle Documentation
•
Change Request Registered with Appropriate Approvals
•
Changes Implemented are Recorded
•
Change Validated and Witnessed
•
Change Closed Out
Figure 21: BMS Change Request Form
2013 Safety Control & Instrumented Systems Conference
25
Session 15: The Application of IEC61511 to a circulating Fluidised Bed Project
Conclusions & Recommendations
The lifecycle of the boiler and SIS was considered up to the plant being
operational. Any modifications which may be made to the boiler or the SIS or
decommissioning of the plant will need to be considered separately
During operation of the boiler, data will need to be collected from the functional
checks as well as false trips to demonstrate that the required SIL rating is being
achieved in practice
The equipment Operating and Maintenance Manuals must be used to guide
operators and maintenance personnel in their day-to-day tasks
The IEC61511 life-cycle was well followed on Cogeneration Power Plant,
despite the problems associated with an actual project
References
•
Boiler Management System Safety Instrumented Systems Review SIL
Determination and Analysis Report - Document No. 80090-107-REP0002
•
SIL Classification Boiler and Turbine Packages – Document AUS73891
•
Boiler Package Life Cycle Report - Document No. 80090-100-REP-010 /
AUS73891
•
IEC61511 and IEC61508
2013 Safety Control & Instrumented Systems Conference
26