DSM SHEP 4.4.3-5.1 Practice Guideline: Application of Safety Instrumented Systems
Issue: 2009-09 (running page headers read Issue: 2008-09), 41 pages

CONTENTS
1 Purpose
2 Pertaining documents
2.1 Related documents
2.2 Reference documents
3 Terms and definitions
3.1 A ... D
3.2 E ... M
3.3 N ... R
3.4 S ... Z
4 Applicability
5 Requirements
5.1 General
5.1.1 Classification
5.1.2 Plant design
5.1.3 Control, alarms and safeguarding
5.1.4 Segregation of control systems and safety systems
5.1.5 SIL classification
5.1.6 Safety redesign
5.1.7 Combination of SILs
5.1.8 Segregation of logic solvers
5.1.9 Fail safe
5.1.10 Redundancy/Duplication of protective functions
5.1.11 Common cause failures
5.1.12 Safe failure fraction
5.2 Hardware
5.2.1 Architecture of safety provision
5.2.2 Choice of contacts
5.2.3 Sensor circuits
5.2.4 Setpoint adjustment
5.2.5 Logic solvers
5.2.6 Final elements
5.2.7 Serial communication
5.2.8 Auxiliary systems
5.3 Software
5.4 Engineering/Design requirements
5.4.1 General
5.4.2 Engineering phases
5.4.3 Design rules
5.4.4 Documentation
5.4.5 P&ID
5.4.6 Procedural safety provision
5.4.7 Alarms
5.5 Overrides
5.5.1 Overrides general
5.5.2 Isolating valves
5.5.3 Overrides in electrical signals
5.5.4 Overrides in power supply systems
5.6 Emergency shut down
5.6.1 General
5.6.2 Plant shut down
5.6.2.1 Purpose
5.6.2.2 Operation of the plant shut down
5.6.2.3 Examples of actions executed by the plant shut down
5.6.3 Other shut down systems
5.6.3.1 NEN 1010
5.6.3.2 Equipment directive EN 954
5.6.3.3 Visa and other independent institutes
5.6.4 Requirements for plant emergency shut-down systems
5.6.4.1 Shut down switch design
5.6.4.2 Design of the electric circuit of the emergency shut down system
5.6.5 Typicals
5.7 Aspects of regulations for machinery safety
5.8 Start-up
5.8.1 Provisions for testing
5.8.2 Testing
5.8.3 Verification of implementation
5.9 Maintenance
5.9.1 Testing
5.9.2 Test frequency
5.10 Additional regulatory approvals
Appendix 1
Appendix 2
Appendix 3

© DSM Limburg bv 2016. This document is DSM Limburg bv property; copying, reproduction or disclosure to third parties is subject to written authorisation.

This document contains annotations (bold and between brackets) on the aspects LAW, SHE and BEST PRACTICE; these annotations are informative.

1 PURPOSE
This document specifies:
- requirements and design rules for safety instrumented provisions classified according to SHEP 4.4.3-4.1;
- minimum requirements for documentation and maintenance of all instrumented safety provisions, so as to assure plant integrity.

2 PERTAINING DOCUMENTS

2.1 RELATED DOCUMENTS
The Engineering Requirements and Operational Requirements are applicable within DSM. This SHEP is one of a series of related DSM standards:
- SHEP 1-20.1 Classification of safety systems in safety integrity levels (SIL) using the risk graph technique. It is concerned with the classification of safety provisions in SILs by the risk graph method and the design of safety provisions for each scenario;
- SHEP 4.4.3-4.1 Functional design of safety instrumented provisions;
- RP 4.1-25.2 Instrument list.
Related documents:
- Guideline for the design-phase hazard study (ESA), see SHER 4.4.4.3-4.1 and PDG 3.9;
- Guideline for the classification of effect categories;
- Guideline for the hazard and operability study (SHEP 4.4.4.3-5.1 and PDG 3.9);
- SHEP 4.4.3-8.1 Description of conformity check to design;
- Guideline for the hazard study on safety systems (sbldpe3.doc);
- Application guidelines Hima PLC;
- Report 92-0935 DSM Research;
- 94.064 CPC&EEC end report "Uitvoeringsconcept proces bewakingsinstallaties uitgevoerd met PLC's/DCS'en" (Implementation concept for process monitoring installations built with PLCs/DCSs).

2.2 REFERENCE DOCUMENTS
- IEC 61508 / IEC 61511;
- DIN V 19250;
- NEN-EN 954 / EN 60204.

3 TERMS AND DEFINITIONS

3.1 A ... D

ALARM
Audible and/or visual warning signal initiated on exceedance of a predetermined limit value or following a status change; it prompts the operator to take a control action or a safety action. It may be included in a procedural safety system or serve as a pre-alarm for a SIL-classified safety system.

ANNUNCIATION
Presentation of a status change.

AVAILABILITY
The probability that a component, unit or system will perform its intended function at any point in time. Availability is described by:
A = MTTF / (MTTF + MTDF + MTTR)
where MTTF is the mean time to failure, MTDF the mean time to detect failure and MTTR the mean time to repair.

AUXILIARY ENERGY
Auxiliary energy is the external energy (for instance hydraulic pressure, pneumatic pressure, electrical or mechanical energy) needed for control functions, measuring functions and safety functions in equipment items.

BATCH CONTROL
Batch control is based on sequence control to which continuous control is added.

BLOCKING
Use "interlock".

MARGIN SAFETY TIME PERCENTAGE
See Figure 3 in Appendix 1.

CLASSIFICATION
Establishing risk classes (RLs) by means of a risk graph,
according to DSM Requirements Annex 3 and PSNGN010: Classification Factors Final.

CONTINUOUS CONTROL
Continuous control is a type of control in which continuous (e.g. 4-20 mA analog) signals are processed for actuation of a final control element.

CONTROL
Actions taken to bring the process to a wanted condition and to keep the process within defined limits.

DEMAND
An event causing a safety circuit to be called upon.

DIAGNOSTIC COVERAGE (DC)
The DC factor is the percentage by which the probability of dangerous failure is reduced as a result of an automatic diagnostic test and the feedback of improper functioning, i.e. the fraction of the dangerous failures that is detected: DC = λDD / λD.

DISCRETE CONTROL
Discrete control, also known as binary or logic control, is a type of control that processes binary signals through logic decisions and sets binary outputs accordingly.

DIVERSITY REDUNDANCY
Redundancy using dissimilar means (e.g. different measuring principles for detectors, different technologies for logic solvers, different makes and types).

3.2 E ... M

EMERGENCY BUTTON
A hand-operated switch enabling the consequences of an unwanted event to be mitigated. This includes the "Noodstop" (emergency stop) and "Nooduitschakeling" (emergency switch-off) referred to in NEN 1010.

FAIL-SAFE
The ability of a technical system to retain a defined safe state, or to reach a defined safe state within a predetermined time, on the development of a fault. Fail-safe implies that the process is rendered safe on loss of one or more auxiliary energy sources or on malfunction of components in the safety circuit.

FAULT
Non-conformance with at least one requirement of a requisite function of the system under consideration. Distinguished are: unrevealed fault; system fault; revealed fault.

FIRST FAILURE
An alarm system design for a number of defined and related alarms, the first alarm being clearly recognizable.

FUNCTION
Particular performance of a device.

FUNCTIONALITY
Particular relation between input and output.
HAZARD
A threat to people, equipment or environment that demands a safety provision.

HAZOP
Hazard and operability study, to be performed during detail engineering according to Engineering Requirement ER 5.1 and Process Design Guide 3.9.

INACCURACY
See Figure 3 in Appendix 1.

INTEGRITY ALARM
Alarm initiated by a self-diagnostics system, an instrument monitoring system and/or auxiliary circuits and connections.

INTERLOCK
A system which prevents a planned action when certain conditions are not fulfilled.

MAINTENANCE OVERRIDE SWITCH (MOS)
An override switch enabling on-line maintenance, calibration or replacement of safety systems.

TO MONITOR
To verify that specified conditions are maintained.

3.3 N ... R

NORMALLY DE-ENERGIZED CIRCUIT
An electrical circuit that carries a current only while the intended function is being performed. In normal conditions the actuation and release circuits do not carry a current, so no action is initiated on inadvertent interruption of a connection.

NORMALLY ENERGIZED CIRCUIT
An electrical circuit which carries a current while the defined function is inactive. Thus the safety circuit carries a current in normal conditions; it ceases to carry a current when a process variable transgresses its limit value or when a connection is inadvertently interrupted.

TO OVERRIDE
To temporarily disable a safety circuit.

PLANT SHUT DOWN
A safety circuit that operates independently of all other plant safety provisions and is designed to:
- eliminate a hazardous condition that may arise unintentionally (e.g. vibration, noise, imminent loss of containment);
- control the effects of an incident (e.g. fire).

PROCESS LIMIT SWITCH
A device which switches on transgression of a predetermined process value.

PROCESS OVERRIDE SWITCH (POS)
An override switch needed for process operations.

PROLOCS
Provisions against Loss Of Containment Systems. See VABA.
REDUNDANCY
The availability of more provisions than are needed for the performance of a specified function. See also Diversity redundancy.

RELIABILITY
The probability that a unit or system will perform its intended function for a stated period of time under given conditions. Reliability is defined by
R(t) = e^(-λ·t)
where λ is the mean failure rate in the time span t under consideration. Reliability is quantified by 1/λ = MTBF, where MTBF is the mean time between failures; this relation is valid for many components used in instrumented safety systems.

REVEALED FAULT
A fault which reveals itself one way or another.

RISK
The probability of the occurrence of loss or damage in relation to a process or a condition, taking into account the expected frequency at which the damage-causing event occurs and the severity of the damage caused by the event.
- Residual risk: that part of the overall risk which is not eliminated by safety provisions.
- Maximum acceptable risk: the greatest acceptable risk posed by a particular process or condition.

RISK CLASS
Each risk shall be classified for the purpose of determining the requirements for the safety system.

RISK GRAPH
A graphical method of classifying potential risks (SIL levels).

PFD (Probability of Failure on Demand)
See "Probability of Failure on Demand" under 3.4.

3.4 S ... Z

SAFE FAILURE FRACTION (SFF)
The Safe Failure Fraction is the ratio of the mean probability of safe failure plus detected dangerous failure to the total mean probability of safe and dangerous failure:
SFF = (λS + λDD) / (λS + λD)
where λS is the probability of safe failure (Safe), λDD the probability of detected dangerous failure (Dangerous Detected) and λD the total probability of dangerous failure (Dangerous).

SAFEGUARD
Use "safety system".

TO SAFEGUARD
Reducing a risk by taking measures which reduce the probability of occurrence of a damage-causing event or the severity of damage, or both.

SAFEGUARDING ACTION
Use "trip".
SAFEGUARDING OPERATION
Use "trip".

SAFETY
Condition in which the residual risk is below the maximum acceptable risk.

SAFETY CIRCUIT
An arrangement of components forming part of a safety system.

SAFETY INSTRUMENTED SYSTEM (SIS)
An instrumented system which on transgression of limits automatically intervenes in the process to prevent an unwanted event.

SAFETY LOOP
A loop made up of a safety circuit and a process.

SAFETY MEASURE
Use "safety provision".

SAFETY PROVISION
Technical or non-technical risk-reducing measure.

SAFETY STRUCTURE
See "safety system".

SAFETY SWITCH
Use "process limit switch".

SAFETY SYSTEM
System which on transgression of limits automatically intervenes in the process to prevent an unwanted event.

SEQUENCE CONTROL
Sequence control is a type of control whereby, through discrete control, conditional steps are made in a given time sequence.

SFC
Sequential Function Chart according to the definition in IEC 60848 and IEC 61131-3 (PLC programming languages); also used in batch processes.

SPURIOUS TRIP
A trip initiated without a limit transgression having taken place.

TEST INTERVAL
The time between two consecutive tests.

TRIP
The performance of an action by a safety circuit. See also: Spurious trip.

UNAVAILABILITY
The probability during a given time interval that a component, unit or system will fail to perform its specified function.

UNAVAILABILITY ON DEMAND
Use "unavailability".

PROBABILITY OF FAILURE ON DEMAND (PFD)
The probability of failure during the period in which a demand may be made on a safety circuit.

VABA (Safety narrative)
A document giving background information on safety systems and alarms, including settings, test interval and operating principle.
VARA (Control narrative)
A document giving background information on the functionality of control loops and alarms and on the contribution of the loop to the W-scale in the risk graph (EP 1.20-1), including settings, background information, test intervals, testing principle, etc.

4 APPLICABILITY
This SHEP is applicable to:
- safety instrumented provisions to be newly built or to be changed;
- packaged units classified in terms of loss of containment, environment and/or financial loss.

5 REQUIREMENTS

5.1 GENERAL

5.1.1 Classification
[LAW; implementation] The risk class of each safety provision shall be established in accordance with SHEP 4.4.3-4.1.

5.1.2 Plant design
[SHE; integrity] Plant designs shall aim to:
- be inherently safe;
- employ an optimum control concept;
- control risks by means of safety provisions consisting of mechanical devices;
- control risks by means of safety provisions consisting of safety instrumented systems;
- control risks by means of procedural safety provisions;
- control risks by means of effect-reducing measures.

Fig. 1: Risk-reducing layers around a process (figure not reproduced; the layers, from the inside outwards, are):
- Process design;
- Control: basic control, override/constraint control, on/off control;
- Prevention: mechanical protection systems, safety instrumented provisions, process alarms, operator supervision;
- Mitigation: mechanical systems (sprinkler), instrumented systems (detection, alarm);
- Plant emergency response;
- Community emergency response.

5.1.3 Control, alarms and safeguarding
[BEST PRACTICE; standardizing, plant experience and SHE]
- Where an instrumented safety provision is needed, regardless of the SIL, an analysis shall first be made to establish whether a stabilizing control system can be applied as the first layer, to reduce the demand frequency. See Fig. 1.
- Control loops that reduce the demand frequency shall be designed for reliability (erroneous operation by operators, e.g. of setpoint or mode, shall be prevented, and periodic reporting shall be provided);
- Stabilizing control systems may have pre-alarms only if it is possible for the operator to take corrective action in time. Refer to 5.4.7 Alarms and SHEP 4.4.3-4.1;
- Automatic intervention may be provided, preferably by means of discrete or analog override control, otherwise by means of a safety provision.

5.1.4 Segregation of control systems and safety systems
[SHE; integrity]
- If a protective circuit has not only control functions (continuous or on/off control) but also safety provisions of SIL 1, 2 or 3, the latter shall, in respect of process connections, instrument lines, instrumentation, trip amplifiers and logic solver, be fully segregated from control equipment and instruments;
- For sensors and final controlling elements, the control and safeguarding functions may be combined depending on the SIL. See SHEP 4.4.3-4.1;
- In exceptional cases, where a sequence control system is so heavily interwoven with the safety provisions of a specific SIL that the increased complexity due to segregation of safety functions and control functions greatly increases the risk of errors in system design and maintenance (for instance a furnace start-up procedure), consideration may be given to adding the sequence control system to the safety provision having the highest SIL. When this is opted for, the safety provisions with the lower SIL shall be subjected to the same design and maintenance regimes as those having the highest SIL. The considerations leading to this decision shall be documented and shall be approved by plant management.

Note: If the process allows, safety provisions for phase-dependent processes shall be designed to operate independently of the control system, e.g.
by means of a process variable or limit switch derived directly from the process. If a phase-dependent override is needed, it shall be activated by an override (monitor) mechanism in the safety system that operates independently of the sequential control system.
- When the phase dependence of a batch control system can only be derived from the sequential control system, the safety provision shall be designed in such a way that during the unprotected phase the override is operated automatically via an override contact (DO) generated by the DCS. This override contact shall be enabled by a monitor (watchdog) mechanism operating independently of the sequential control system. As soon as the watchdog no longer detects the phase in which the override has to be active, the override shall be deactivated.

5.1.5 SIL classification
[LAW; implementation] Safety provisions shall be SIL-classified in accordance with SHEP 4.4.3-4.1. In addition, SILs may be determined for financial loss or environmental damage.
[BEST PRACTICE; saving costs] The following is applicable to all equal SILs, whether for safety, environment or financial loss:
- the design requirements of this SHEP apply;
- joining of these SIL circuits in the logic solver is allowed.

5.1.6 Safety redesign
[BEST PRACTICE; standardizing, plant experience and SHE] Where the SIL is higher than 2, consideration shall be given to redesigning the process such that the scenario can be controlled by a lower-class safety instrumented provision.
[SHE; integrity] SIL 4 scenario: an instrumented solution for this class is not acceptable.

5.1.7 Combination of SILs
[BEST PRACTICE; standardizing, plant experience and SHE] All SIL levels (SIL 1, SIL 2, SIL 3) may be combined in the same logic solver. To prevent accidental changes to a higher-SIL function while working on a lower-SIL one (e.g. typing mistakes), it is however recommended to locate the higher SIL in a smaller, separate PLC, e.g. SIL 3 in a "SIL 3 PLC" with a limited number of inputs and outputs,
and the lower SILs, with their larger numbers of inputs and outputs, in a separate PLC for the applicable SIL level. Where SIL levels are combined, the logic solver shall comply with the requirements for the highest SIL. It is advised to segregate SIL 1, SIL 2 and SIL 3 by separating the subprograms within the same processor.

5.1.8 Segregation of logic solvers
[BEST PRACTICE; standardising, plant experience and SHE] One way to segregate the different SIL levels is to use the multitasking capabilities of PLCs such as the HIMA HIMax: each group of SIL levels is assigned to its own multitasking program.

5.1.9 Fail safe
[BEST PRACTICE; standardizing, plant experience and SHE] The trip actions of all safety provisions shall be initiated by de-energizing the circuits, using fail-safe instruments. See also the guideline for selection of contact type in Appendix 3:
- Analog input circuits shall be equipped with an out-of-range alarm to detect cable rupture or short-circuiting;
- Discrete inputs and outputs shall, in case of cable rupture, initiate the trip action or drive the final controlling element to the safe position;
- Trip circuits in which one or more process limit switches are inserted shall be normally energized;
- Failure of redundant electronic logic solvers shall lead to single-channel operation and shall initiate a trip depending on the SIL: for SIL 3 after 72 h. For HIMA quad technology this implies that the SIL 3 level is retained in single-channel operation but availability is reduced;
- Loss of auxiliary energy shall lead to initiation of a trip action or drive the final controlling element to a safe position;
- Activation and release circuits shall be normally de-energized;
- Where the supply voltage of relay-based systems is 110 V DC, the positive pole shall be earthed. Where the voltage is 24 V DC, the negative pole shall be earthed, to ensure detection of earth faults and potentially unwanted overrides;
- Relay coils shall be earthed at one end to prevent an unsafe situation in case of an earth fault. See also 5.2.5.
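The phase-dependent override of 5.1.4 and the de-energize-to-trip rule of 5.1.9 can be read together as one piece of logic-solver behaviour. The following is an added example written for this guideline; it is not code from the standard or from any PLC vendor. It models one logic-solver scan in plain Python: the trip output is a normally energized signal that is de-energized to trip, the DCS requests an override through a normally de-energized override contact (DO) during an unprotected batch phase, and the override is honoured only while a watchdog inside the safety system sees the DCS heartbeat toggling, dropping out as soon as the heartbeat freezes. The heartbeat scheme, the scan counts and the override time limit are assumptions of the example.

```python
"""Phase-dependent override with an independent watchdog (sections 5.1.4 and 5.1.9).

Added example, not code from the DSM standard or from any PLC vendor. The scan
counts, the heartbeat scheme and the override time limit are assumptions.
"""
from typing import List, Tuple


class OverrideWatchdog:
    """Monitor mechanism in the safety system, independent of the DCS sequence."""

    def __init__(self, timeout_scans: int = 3, max_override_scans: int = 50) -> None:
        self.timeout_scans = timeout_scans              # scans without a heartbeat edge before the phase is lost
        self.max_override_scans = max_override_scans    # assumed upper bound on override duration
        self._last_heartbeat = False
        self._stale_scans = 0
        self._override_scans = 0

    def phase_confirmed(self, heartbeat: bool) -> bool:
        """True while the DCS heartbeat keeps toggling within the timeout."""
        if heartbeat != self._last_heartbeat:
            self._last_heartbeat = heartbeat
            self._stale_scans = 0
        else:
            self._stale_scans += 1
        return self._stale_scans < self.timeout_scans

    def override_permitted(self, dcs_override_do: bool, heartbeat: bool) -> bool:
        """The DCS override contact is effective only while the phase is
        confirmed and the override has not exceeded its time limit."""
        confirmed = self.phase_confirmed(heartbeat)
        if not (dcs_override_do and confirmed):
            self._override_scans = 0
            return False
        self._override_scans += 1
        return self._override_scans <= self.max_override_scans


def sis_scan(wd: OverrideWatchdog, pv_within_limit: bool, dcs_override_do: bool,
             heartbeat: bool, supply_ok: bool = True) -> Tuple[bool, bool]:
    """One scan of the safety logic. Returns (output_energized, override_active).

    De-energize-to-trip: the output stays energized only while the supply is
    healthy and either the process variable is within its limit or a permitted
    override is active. A broken sensor cable reads as 'not within limit', so
    it trips unless a valid override is in force; loss of supply always trips.
    """
    override_active = wd.override_permitted(dcs_override_do, heartbeat)
    energized = supply_ok and (pv_within_limit or override_active)
    return energized, override_active


def demo_sequence() -> List[Tuple[bool, bool]]:
    """Constructed scan sequence: normal run, DCS override during an
    unprotected phase with a live heartbeat, then the heartbeat freezes."""
    wd = OverrideWatchdog(timeout_scans=3)
    heartbeat = False
    log = []
    scans = [  # (pv_within_limit, dcs_override_do, heartbeat toggles this scan)
        (True, False, True),    # normal operation, no override
        (False, True, True),    # unprotected phase: PV out of limit, override requested
        (False, True, True),
        (False, True, False),   # DCS sequence hangs: heartbeat stops toggling
        (False, True, False),
        (False, True, False),   # watchdog times out -> override dropped -> trip
        (False, True, False),
    ]
    for pv_ok, override_do, toggles in scans:
        if toggles:
            heartbeat = not heartbeat
        log.append(sis_scan(wd, pv_ok, override_do, heartbeat))
    return log


if __name__ == "__main__":
    for i, (energized, active) in enumerate(demo_sequence(), 1):
        state = "ENERGIZED" if energized else "TRIPPED"
        print(f"scan {i}: output {state}, override {'on' if active else 'off'}")
```

Note that the watchdog is evaluated on every scan, also when no override is requested, so a frozen heartbeat is already known stale when the DCS later raises the override contact; the override is then refused rather than granted for one scan.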
5.1.10 Redundancy/Duplication of protective functions
The need for redundancy is determined by:
- [SHE; requirements on safety provisions] the safety requirements stated in SHEP 4.4.3-4.1 Section 6.3.2;
- [BEST PRACTICE; improve availability installation] the need for improved plant availability.
[BEST PRACTICE; improve availability installation] The first requirement is mandatory; the second is optional and shall be decided on the basis of financial loss or harm to the company image. Redundancy added for the first requirement increases the spurious trip frequency, which can lead to an unacceptable level of plant availability. To increase availability while retaining the reliability level, a 1oo1, 1oo2 or 1oo3 safety circuit can be changed into a 2oo3 circuit. The following forms of redundancy can be distinguished:
- for sensors: n out of m voting;
- for logic solvers: multiple voting systems, hot stand-by and back-up systems, quad technology;
- for final controlling elements: multiplication.
Sensor circuits and circuits of final control elements shall be duplicated, whilst the form of redundancy for logic solvers depends on the type. In the case of multiple sensor circuits, diversity redundancy is preferred.
[LAW; implementation] For SIL 3 safety circuits diversity redundancy is mandatory if non-SIL-certified equipment is used.

5.1.11 Common cause failures
[LAW; implementation] Common cause failures may occur in installation, application, hardware, software and/or operation. Common cause failures shall be prevented by diversity redundancy of safety provisions and auxiliary power systems. The effects of common cause failures shall be considered and documented during design and verification, especially in the system HAZOP. Special attention shall be paid to EMC compliance of the design. For safety instrumented provisions this check can be made using the guideline for the hazard study on safety systems (see also 2.1).
[BEST PRACTICE; standardizing, plant experience and SHE] In case of redundancy for SIL 1/2/3, process connections, power supplies, cable trays, etc. shall be separate and independent of each other.
[BEST PRACTICE; standardizing, plant experience and SHE] SIL 2/3 safety provisions shall be designed with means as simple as possible, to minimize the potential for human error in design, installation, verification and maintenance (e.g. hardwired logic instead of PLC; EEx n equipment instead of PLC; pneumatic instead of hydraulic; standard functionality instead of new application programs).

5.1.12 Safe failure fraction
[LAW; implementation] The minimum SFF of equipment to be used in the safety provision shall be determined on the basis of EP 4.4.3-4.1. The aim shall be to maximise the SFF, so maximizing reliability and possibly reducing the test frequency. Integrity alarms shall be interlaced with the safety provision:
- SIL 1/2: alarm;
- SIL 3: alarm, and trip action after 72 h in case of single sensors/actuators.
See also Auxiliary systems, Section 5.2.8.

5.2 HARDWARE
[LAW; implementation] Safety provisions shall utilize hardware that:
- complies with the DSM vendor list and is accepted for the appropriate SIL, or
- [SHE; requirements on safety provisions] complies with the DSM vendor list and is designed to meet the type A/B, SFF and deterministic requirements stated in Section 7.2 of SHEP 4.4.3-4.1. Instruments containing software are classified as type B instruments.

5.2.1 Architecture of safety provision
5.2.1.1 [BEST PRACTICE; background information] Safety provisions normally comprise the following elements:
1. Sensor circuit;
2. Logic solver;
3. Final element;
4. Auxiliary and energy systems;
5. Supporting provisions (purges, tracing/winterizing).
Safety provisions, especially the sensor and logic solver, shall be electrical. Valves used as final element may be pneumatically or hydraulically actuated depending on the required rate of response.
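The argument in 5.1.10 (change a 1oo2 circuit into 2oo3 to regain availability without giving up reliability) and the SFF requirement of 5.1.12 can be put in numbers with the definitions of section 3. The following is an added worked example for this guideline, not part of the DSM standard or of any vendor document. It applies the section 3 definitions of SFF, DC, availability and reliability and the simplified IEC 61508-6 approximations for PFDavg and spurious trip rate of 1oo1, 1oo2 and 2oo3 voting. The common-cause factor (beta) is neglected, so the output is a comparison of architectures, not a SIL verification of a loop; all failure rates are constructed values, not vendor data.

```python
"""Worked reliability figures for sections 5.1.10 and 5.1.12.

Added example, not part of the DSM standard or any vendor document.
Simplified IEC 61508-6 approximations (beta = 0, MTTR << test interval);
failure rates below are constructed, not vendor data.
"""
import math

HOURS_PER_YEAR = 8760.0


def sff(lam_s: float, lam_dd: float, lam_du: float) -> float:
    """Safe failure fraction as defined in 3.4: (λS + λDD) / (λS + λD)."""
    lam_d = lam_dd + lam_du
    return (lam_s + lam_dd) / (lam_s + lam_d)


def diagnostic_coverage(lam_dd: float, lam_du: float) -> float:
    """DC as defined in 3.1: fraction of dangerous failures found by diagnostics."""
    return lam_dd / (lam_dd + lam_du)


def pfd_avg(arch: str, lam_du: float, test_interval_h: float) -> float:
    """Average PFD in low demand mode for the named voting architecture."""
    x = lam_du * test_interval_h
    return {"1oo1": x / 2, "1oo2": x * x / 3, "2oo3": x * x, "1oo3": x ** 3 / 4}[arch]


def spurious_trip_rate(arch: str, lam_s: float, mttr_h: float) -> float:
    """Spurious trips per hour caused by safe (trip-direction) failures.

    1ooN trips on any single safe failure; 2oo3 needs two safe failures
    within the repair time of the first.
    """
    return {"1oo1": lam_s, "1oo2": 2 * lam_s, "1oo3": 3 * lam_s,
            "2oo3": 6 * lam_s * lam_s * mttr_h}[arch]


def availability(mttf_h: float, mtdf_h: float, mttr_h: float) -> float:
    """Availability as defined in 3.1: MTTF / (MTTF + MTDF + MTTR)."""
    return mttf_h / (mttf_h + mtdf_h + mttr_h)


def reliability(lam: float, t_h: float) -> float:
    """R(t) = e^(-λt) as defined in 3.3."""
    return math.exp(-lam * t_h)


def sil_band(pfd: float) -> int:
    """IEC 61508 low-demand PFDavg band; 0 means below SIL 1.

    The band from PFDavg alone is an upper bound: the guideline does not
    accept an instrumented SIL 4 solution (5.1.6), and SFF, hardware fault
    tolerance and common cause failures further limit the claimable SIL.
    """
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def compare_architectures(lam_s: float, lam_dd: float, lam_du: float,
                          test_interval_h: float, mttr_h: float) -> dict:
    """PFDavg, SIL band and yearly spurious trip rate for the voting schemes of 5.1.10."""
    result = {}
    for arch in ("1oo1", "1oo2", "2oo3"):
        pfd = pfd_avg(arch, lam_du, test_interval_h)
        result[arch] = {
            "pfd_avg": pfd,
            "sil_band": sil_band(pfd),
            "spurious_trips_per_year": spurious_trip_rate(arch, lam_s, mttr_h) * HOURS_PER_YEAR,
        }
    return result


# Constructed transmitter failure rates per hour, annual proof test, 8 h repair.
LAM_S, LAM_DD, LAM_DU = 1.0e-6, 1.0e-6, 5.0e-7
TEST_INTERVAL_H = HOURS_PER_YEAR
MTTR_H = 8.0

if __name__ == "__main__":
    print(f"SFF = {sff(LAM_S, LAM_DD, LAM_DU):.2f}, DC = {diagnostic_coverage(LAM_DD, LAM_DU):.2f}")
    for arch, r in compare_architectures(LAM_S, LAM_DD, LAM_DU, TEST_INTERVAL_H, MTTR_H).items():
        print(f"{arch}: PFDavg={r['pfd_avg']:.2e} (SIL band {r['sil_band']}), "
              f"spurious trips/yr={r['spurious_trips_per_year']:.2e}")
```

With these constructed rates, 1oo2 and 2oo3 have PFDavg values of the same order (both far below 1oo1), while the spurious trip rate of 2oo3 is orders of magnitude below that of 1oo2, which is the trade the text describes.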
5.2.1.2 [LAW; implementation] SIL 2 equipment may be used in a SIL 2 loop provided that it can be evidenced that it is classified as Type A for the application in question and provided that the PFD of the loop as a whole is less than 10^-2.

5.2.2 Choice of contacts
[BEST PRACTICE; standardizing, plant experience and SHE] The choice of contact function is key to proper functioning of the safety provision. Depending on the function, a different type of contact shall be chosen; see Appendix 3. Where a motor status contact needs to be included in a safety instrumented provision, the status contact of the contactor in the power circuit shall be used for this purpose. As a consequence, however, a spurious trip will occur in the event of a brief voltage dip; therefore a time delay of at least three seconds in the logic solver shall be considered. For serial read-in of motor contacts, refer to Section 5.2.7.

5.2.3 Sensor circuits
[BEST PRACTICE; background information] Sensor circuits usually are made up of the following elements:
- process connection (including instrument valves, if any);
- instrument line (including winterizing, if any);
- sensor (including valved manifold, if any);
- converter / control board;
- signal lines (including marshalling boards and wiring).
[BEST PRACTICE; standardizing, plant experience and SHE] Each element in a sensor circuit shall meet the following requirements:
1. In-line instruments are preferred, provided the calibration frequency allows;
2. Process connections shall provide as intimate a contact as possible between the process parameter to be measured and the sensor. Instrument valves shall be locked open. Sensors shall be direct-mounted wherever possible.
Manifolds, if used, shall have locked-open valves for the process connections and locked-closed valves for drain and test connections;
3. Failure of tracing and/or purging of instruments and impulse lines shall initiate an integrity alarm for SIL 1 and higher systems;
4. Instrument tubing shall be so sized (15 mm or larger) as not to affect the process parameter. The tubing layout shall be designed to suit the fluid (consider slope, intentional filling with condensate, etc.);
5. Sensor signals shall preferably be monitored. Consequently, use proximity switches instead of mechanical switches, and transmitters instead of switches;
6. Sensors shall be capable of detecting the process variable, and any changes in it, rapidly and accurately enough. This ability is affected by the instrument's set-up and settings (rangeability, damping, etc.). See also Appendix 1;
7. Converters shall not, or only slightly, affect the rate of signal transmission;
8. Signal circuits shall be so designed that sensor signals are transmitted to process limit switches or logic solvers with the least possible delay;
9. In general, the elements of a safety provision shall be selected to comply with the SIL of the safety function;
10. SIL 1/2/3 safety provisions shall utilise the conventional signal for measured process values, e.g. 4-20 mA. Additional information from HART/fieldbus signals may be used to enhance availability. Smart sensors in SIL a/1/2/3 systems shall deny (write) access to their parameters;
11. Comparison of the measured values of different sensors increases the SFF to more than 60%. SIL 3 signals shall be compared by the logic solver or in the DCS, whilst signals of SIL lower than 3 shall be compared using the 4-20 mA signals. This comparison is required when the write protection function is unavailable.
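The out-of-range alarm of 5.1.9 and the comparison of measured values of 5.2.3 item 11 are, in the logic solver, a few lines of input handling in front of the voting. The following is an added example for this guideline, not code from the standard or from any vendor: three 4-20 mA transmitters on one process variable are read, each loop current is checked for cable rupture or short circuit (integrity alarm), the healthy channels are compared with each other (deviation alarm) and a 2oo3 high trip is voted, degrading fail-safe as channels drop out. The fault thresholds (NAMUR NE 43 style), the 5% deviation limit, the tag names and the degradation policy are assumptions of the example.

```python
"""Analog sensor-circuit checks for sections 5.1.9 and 5.2.3.

Added example, not code from the DSM standard or from any vendor. Thresholds,
deviation limit, tag names and degradation policy are assumptions.
"""
from typing import List, NamedTuple, Optional

# Assumed NAMUR NE 43 style limits: below 3.8 mA or above 20.5 mA the loop
# current is treated as a circuit fault (open or shorted loop), not a reading.
MA_LOW_FAULT = 3.8
MA_HIGH_FAULT = 20.5


class Channel(NamedTuple):
    tag: str
    ma: float
    healthy: bool
    value: Optional[float]   # engineering units; None when the loop is faulted


def scale(ma: float, lrv: float, urv: float) -> float:
    """4-20 mA to engineering units over the calibrated range lrv..urv."""
    return lrv + (ma - 4.0) * (urv - lrv) / 16.0


def read_channel(tag: str, ma: float, lrv: float, urv: float) -> Channel:
    """Out-of-range current -> integrity fault, no measured value."""
    if ma < MA_LOW_FAULT or ma > MA_HIGH_FAULT:
        return Channel(tag, ma, False, None)
    return Channel(tag, ma, True, scale(ma, lrv, urv))


def deviation_alarm(channels: List[Channel], span: float, max_dev_pct: float = 5.0) -> bool:
    """Compare healthy channels; alarm when they disagree by more than max_dev_pct of span."""
    values = [c.value for c in channels if c.healthy]
    if len(values) < 2:
        return False
    return (max(values) - min(values)) > span * max_dev_pct / 100.0


def vote_high_trip(channels: List[Channel], setpoint: float) -> bool:
    """2oo3 high trip with fail-safe degradation (assumed policy): 3 healthy
    channels vote 2oo3, 2 healthy vote 1oo2, 1 healthy votes 1oo1, and with
    no healthy channel left the function trips."""
    healthy = [c for c in channels if c.healthy]
    if not healthy:
        return True
    exceeding = sum(1 for c in healthy if c.value >= setpoint)
    needed = 2 if len(healthy) == 3 else 1
    return exceeding >= needed


def evaluate(currents_ma: List[float], lrv: float, urv: float, setpoint: float) -> dict:
    """Integrity alarm list, deviation alarm and voted trip for one scan."""
    channels = [read_channel(f"PT-{i + 1:03d}", ma, lrv, urv) for i, ma in enumerate(currents_ma)]
    return {
        "integrity_alarm": [c.tag for c in channels if not c.healthy],
        "deviation_alarm": deviation_alarm(channels, urv - lrv),
        "trip": vote_high_trip(channels, setpoint),
    }


if __name__ == "__main__":
    # Constructed readings on a 0..10 bar range with a high trip at 8 bar.
    for currents in ([12.0, 12.2, 11.9], [17.0, 17.2, 12.0], [0.0, 17.0, 12.0], [0.0, 0.0, 22.0]):
        print(currents, evaluate(currents, 0.0, 10.0, 8.0))
```

A faulted channel is excluded from the vote rather than counted as "tripped", so a single cable rupture gives an integrity alarm and a degraded 1oo2 vote instead of a spurious trip; whether a persistent single-channel condition must itself trip after 72 h (5.1.12, SIL 3) is a timer on the integrity alarm and is not modelled here.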
5.2.4 Setpoint adjustment
[BEST PRACTICE; background information] The setpoint of the sensing element heavily impacts the effectiveness of the safety provision. Setpoints depend on:
- process dynamics;
- accuracy of the sensor circuit;
- hysteresis of the sensor devices;
- safety margins;
- response times of the overall detection loop in relation to the desired process response times.
See Appendix 1.

5.2.5 Logic solvers
[LAW; implementation] Logic solvers shall be designed according to the figure shown below (figure not reproduced; it shows the DCS, with recipe/batch control, sequence control, continuous (analog/discrete) control and SIL a interlocks, beside a separate SIL 1/3 logic solver with its own I/O, each connected to the process instrumentation).
In safety provisions, logic may be processed by means of a DCS, relay technology, solid-state logic or a PLC. DCSs, PLCs and solid-state logic solvers need approval by a notified body (e.g. TÜV) for the appropriate SIL. Relay systems shall have a SIL classification or be composed of type A components. Logic solvers for SIL 3 safety provisions shall be designed in such a way that they cannot be altered while online. Earth fault detection is mandatory for SIL 1/2/3 logic solvers in order to detect a potential override in the field; earth fault detection systems shall be implemented as an integrity alarm.

5.2.6 Final elements
[BEST PRACTICE; background information] Final elements usually comprise the following:
- digital output of the protective PLC;
- interface relays;
- relays in the logic solver;
- hard-wired logic;
- final control actuators (these may or may not be included in circuits).
[BEST PRACTICE; standardising, plant experience and SHE] These elements shall meet the following requirements:
- Digital outputs shall utilize a de-energize-to-trip circuit, as shall interface relays and any relays in logic-processing units;
- Final controlling elements shall operate rapidly and effectively enough to prevent incidents in any conceivable scenario.
By the same token, final controlling elements shall assume the safe position on loss of control signals and/or auxiliary energy. Examples of final controlling elements (several of which may be inserted in one circuit) are motors (e.g. of a pump, including motor control unit and/or variable speed drive) and valves;
- Fail-safe final elements (e.g. spring-loaded valves) are assumed to have an SFF of 60 to 90%. Solenoid valves have an SFF of 0%. On/off valves equipped with limit switches and with a high operating frequency (more than once per 24 h) are assumed to have an SFF of 60 to 90%;
- To increase the SFF of final control elements in SIL a/1 safety provisions, motors and on/off valves may be equipped with feedback of the fail-safe status (motor contact; limit switch) that initiates an alarm when the actual state deviates from the commanded state (comparable with DCS functionality, e.g. DCD or Digital Composite). This is mandatory for SIL 2 and higher;
- If energy buffers are applied, they shall be equipped with an alarm for the minimum amount of energy required to bring that part of the installation into a safe condition.
Important aspects of valves are:
- stroking time;
- leak tightness;
- action on loss of auxiliary energy.
See also Appendix 1.

5.2.7 Serial bus communication
[BEST PRACTICE; background information] (Note in the source: reconsider this part.) The following types of serial communication can be distinguished:
- communication within the safety provision (from I/O to logic solver or between logic solvers);
- from logic solver to DCS or vice versa.
Serial communication within a SIL 1/2/3 safety provision is allowed provided the communication protocol and the application are SIL 1/2/3-certified.
[BEST PRACTICE; standardising, plant experience and SHE] Serial communication within a SIL 1/2/3 safety provision shall be designed to be fail-safe.
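The command/feedback alarm that 5.2.6 above makes mandatory for SIL 2 and higher has to take the valve's stroking time into account, otherwise every trip raises a nuisance alarm while the valve is still travelling. The following is an added example for this guideline, not code from the standard or from any vendor: the logic solver drives a spring-return on/off valve through a de-energize-to-trip output and reads back its open and closed limit switches; no alarm is raised while the valve may still be travelling, a mismatch after the stroking time raises the discrepancy alarm, and both limit switches active at once is reported immediately as a switch or wiring fault. Stroking time, scan period and the limit-switch names are assumptions of the example.

```python
"""Command/feedback discrepancy monitoring for a final element (section 5.2.6).

Added example, not code from the DSM standard or from any vendor. Stroking
time, scan period and limit-switch names are assumptions.
"""
from typing import List, Optional, Tuple


class ValveFeedbackMonitor:
    def __init__(self, stroking_time_s: float, scan_period_s: float) -> None:
        # Scans to allow after a command change before the position is judged.
        self.travel_scans = int(round(stroking_time_s / scan_period_s))
        self._last_energized: Optional[bool] = None
        self._scans_since_change = 0

    def scan(self, output_energized: bool, zsc_closed: bool, zso_open: bool) -> Tuple[bool, str]:
        """output_energized True = valve commanded open; False = output
        de-energized, spring drives the valve closed (safe position).
        zsc_closed / zso_open are the limit switch inputs.
        Returns (discrepancy_alarm, reason)."""
        if output_energized != self._last_energized:
            self._last_energized = output_energized
            self._scans_since_change = 0
        else:
            self._scans_since_change += 1
        if zsc_closed and zso_open:
            return True, "both limit switches active"      # switch or wiring fault, no travel grace
        if self._scans_since_change < self.travel_scans:
            return False, "travelling"
        if output_energized and zso_open and not zsc_closed:
            return False, "open as commanded"
        if not output_energized and zsc_closed and not zso_open:
            return False, "closed (safe position) as commanded"
        return True, "position does not match command"


def run(monitor: ValveFeedbackMonitor, scans: List[Tuple[bool, bool, bool]]) -> List[bool]:
    """Feed (output_energized, zsc_closed, zso_open) per scan; return the alarm state per scan."""
    return [monitor.scan(*s)[0] for s in scans]


if __name__ == "__main__":
    mon = ValveFeedbackMonitor(stroking_time_s=6.0, scan_period_s=2.0)
    # Constructed sequence: valve open and confirmed, then a trip command after
    # which the closed limit switch never comes in (valve stuck open).
    seq = [(True, False, True)] * 4 + [(False, False, True)] * 4
    print(run(mon, seq))
```

The alarm is raised from the commanded state, not from the previous feedback, so a valve that drifts off its seat without any command change is also caught once the grace period after the last command has elapsed.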
Serial communication from a logic solver to the DCS is allowed only for:
- start/stop commands from the DCS;
- status information from I/O to the DCS;
- status of overrides.
The communication protocol shall be monitored in the DCS. See also Section 5.2.3, sensor circuits.

5.2.8 Auxiliary systems
[BEST PRACTICE; standardising, plant experience and SHE]
- These include auxiliary energy, instrument air, UPS, batteries, hydraulic accumulators, etc. for the safety provision as a whole. To increase the SFF of these systems, the availability of the auxiliary systems of SIL 1/2/3 safety circuits shall be monitored, to prevent impairment of the safety circuits. For the design and safeguarding of instrument air systems see DSM Standard EP 4.10.2-2.1 (in preparation);
- Electrical power systems (batteries, UPS, supplies) shall be earthed and shall be equipped with over/undervoltage protection, detection of loss of primary supply and earth fault units. Electrical power supply systems shall be designed to provide sufficient time for the process to be rendered safe on loss of primary energy;
- Equipment in a safety provision shall operate within its specified ranges. For all SILs, a temperature alarm shall be installed in each cabinet containing safeguarding equipment;
- For implementation of alarms see Section 5.1.12, Safe failure fraction.

5.3 SOFTWARE
[BEST PRACTICE; standardizing, plant experience and SHE] Software in protective PLCs shall comply with the application guidelines for the hardware and software configuration of HIMA H51/H41 PLCs; refer to DSM Research document N 92 0935. For the HIMA HIMax, the software configuration shall be as given in N 92 0935 or in "Executing SIL Safety Instrumented Systems in HIMA H51/H41 PLCs or HIMA HIMax PLCs". On completion of configuration, the application for SIL 2/3 shall be tested against the checklist provided in the guideline for the hazard study on safety systems.
[LAW; implementation] DCSs may also be used in SIL a safety provisions provided that the following additional requirements are met:
- System hardware and system software shall be certified for the appropriate SIL by an authorized body (TÜV, UL etc.) if the SIL is 1 or greater;
- The principles in the application guidelines for software configuration for H51/H41 PLCs (normally energized circuit, correct status of inputs and outputs on failure, etc.) shall be adhered to;
- The provisions shall be tested in accordance with the checklist in the guideline for the hazard study on safety systems (see also 2.1);
- SIL a/1/2/3 safety provisions shall be configured on the basis of the Function Block Diagrams and/or Sequential Function Charts given in IEC 61131-3;
- Configuring is preferred to programming. Thus, standard system functions shall be used for alarm initiation and no software shall be used for detection of process limits;
- Safety systems shall be segregated from control systems. The I/O shall be controlled via separate interlocking blocks. Parameter settings of interlocking blocks shall not be operator accessible.

5.4 ENGINEERING/DESIGN REQUIREMENTS
5.4.1 General
[BEST PRACTICE; standardizing, plant experience and SHE] Safety provisions shall meet the following requirements. Additional requirements may be specified for higher plant availability. Refer to Section 5.1.10.

5.4.2 Engineering phases
[BEST PRACTICE; standardizing, plant experience and SHE] The engineering shall be carried out in accordance with the following flow chart. (Draft note: include the flow chart for the standard workflow; this figure is not up to date.)
[Flow chart "Life cycle schema" (figure not reproduced). Recoverable labels: Identification - PHR / HAZOP etc., identify LOC / scenarios; Classification - risk graph, classify risk level, classified scenario, SIL; Allocate available safety provisions - preference order safety provisions, existing safety provisions; Determine safety requirements - required process safety time, functional SIS definition, PFD, response times, conditions etc.; Design of SIS - SHE Practice; Verification of design - verified design; Verification of field installation - required vs. installed provisions; Verification - determine GAP: STEP 1 no gap, accept; STEP 2 gap, close the gap incl. update HAZOP; STEP 3 closing the gaps.]

5.4.3 Design rules
[BEST PRACTICE; standardizing, plant experience and SHE] Safety provisions shall be designed taking account of:
- Normal process conditions;
- Particular process conditions (e.g. start-up, shut-down, cleaning, dosing, filling, weighing);
- Abnormal process conditions;
- The actions on failure of items during each of the various operations phases (failure of valves, sensors, I/O cards, logic solvers, including failure modes, e.g. I/O freeze, upscale/downscale, valve leakage);
- Failure of auxiliary systems;
- Effect on functional availability of the safety provision as a result of testing;
- Response times of the process in relation to the times needed for detection, logic solving, final controlling elements and safety limits.
The design of SIL 1 and SIL 2/3 safety provisions shall be verified in accordance with the EP conformity check to design, SHEP 4.4.3-8.1.

5.4.4 Documentation
[SHE; requirements on safety provisions] Each safety instrumented provision shall be documented for each hazard regardless of its level. Fresh documents shall be added to these files as the engineering phase progresses. The files shall contain the following documents during the engineering phase.
To guarantee the integrity of the installation the following documents are required depending on the SIL:

Document                                  Basic   Detail   SIL
Logics                                    x       x        all
P&ID's                                    x       x        all
SFC                                       x       x        all
Scenario description as per 4.4.3-4.1     x       x        all
Circuit diagrams                                  x        all
PLC programs                                      x        all
Loop diagrams                                     x        all
Safety Requirement Spec (SRS)                     x        all
Related control narratives                        x        all
Verification report                               x        1/2/3
Procedures and/or instructions                    x        a/1/2/3
Test method for safety provision                  x        a/1/2/3

All documents supplied to the owner shall reflect the as-built situation.

5.4.5 P&ID
[BEST PRACTICE; standardizing, plant experience and SHE] SIL sensors shall be designated on P&IDs by the letter S. Code Z: the letter Z is used for indicating sensors that form part of a safety provision:
- classified with safety or environment; and
- classified as SIL 1 or higher.
The alarm functions of such S and Z functions are not shown separately in P&IDs. Common process control functions, such as discrete control, sequencing etc., shall be indicated by the letter C in place of S in accordance with DSM standard RP 4.1-2.1. For the coding of H/L see RP 4.1-2.1.

5.4.6 Procedural safety provision
[SHE; requirements on safety provisions] Where an automatic safety provision is impracticable, safety shall be assured by operating procedures:
- Alarms shall be presented to the operator such that the extent, the nature and the measures to be taken are immediately apparent;
- The operator shall have direct access to means of taking simple corrective actions;
- On detecting and interpreting the information, the operator shall have sufficient time to initiate corrective actions.

5.4.7 Alarms
[SHE; requirements on safety provisions] Alarms are applicable only if they enable the operator to take useful action within a reasonable period of time and if the need for such action is evident.
[BEST PRACTICE; standardizing, plant experience and SHE] Each safety provision shall include one or more operator alarms, which shall be both audible and visible. To avoid alarm inflation, a distinction shall be made between the various operations phases (e.g. plant start-up, shut-down, normal operation, stand-by / stop).
[BEST PRACTICE; standardizing, plant experience and SHE] Different types of alarm (A/S/Z) shall be installed to enable the operator to identify the nature of the initiating event and its urgency. Such different types of alarm shall be made in accordance with DCS software conventions (e.g. Composite points / DCDs).
[BEST PRACTICE; standardizing, plant experience and SHE] All alarms shall give an unmistakable indication (acoustically as well as optically) that differs depending on the urgency with which the operator is required to act. An alarm suppression system is allowed provided that:
- Current process values/states continue to be displayed on the DCS screen;
- Only alarms are suppressed that are a logical sequel to a first initiating alarm.
[SHE; requirements on safety provisions] Safety provisions (S/Z) shall not be self-resetting. Once a process switch has initiated a trip action, the system shall be reset by the operator (after the process variable has returned to within its normal range). Fresh alarms (A) shall not be self-acknowledging under normal operating conditions.

5.5 OVERRIDES
5.5.1 Overrides general
[SHE; 'VVA'] Overrides may be used for all SILs, if all demands are fulfilled and all measures for overriding are taken. Since 100% SFF is not achievable, selected testable instruments included in a safety circuit shall be tested during normal operation. This may be necessary for maintenance or production purposes and involves disabling the protective function.
Such testing is made possible by the following items:
- Isolating valves in instrument connections on process lines and equipment;
- Isolating valves in instrument air lines;
- Maintenance or process override switches affecting the processing of instrument signals;
- Override switches in the electrical power supply;
- Software/hardware overrides.
Overrides in SIL 2/3 systems shall use only appropriate, pre-engineered tools (e.g. MOS, POS).
5.5.1.1 Override switches may be operated only temporarily (6 hr ± 2 hr). Overrides that are needed frequently in SIL 2/3 (e.g. start-up) shall be operated and cancelled automatically via a phase-dependent sequence control.
5.5.1.2 Override switches shall not be used by way of, or in lieu of, a mechanical means of locking a valve in a particular position (e.g. handwheels). Bypass valves that are safe in the closed position shall be padlocked in the closed position.
5.5.1.3 Limit switches and solenoid valves included in a SIL a/1/2/3 safety circuit shall be screened so that they cannot be overridden in the field.
5.5.1.4 Overrides shall be implemented in a consistent manner for the various types of safety circuits such that they:
- Cannot be operated inadvertently (key switches are preferred);
- Cannot lead to unforeseen unsafe conditions;
- Operate by one and the same method regardless of the type of measurement.
5.5.1.5 Phase / status-dependent overrides in the form of alterations or conditional program steps in the safeguarding programs of logic solvers are allowed for all SILs, provided that use is made of an approved regular override program activated by means of a key switch (for changing setpoints, activating other logic elements etc.).
5.5.1.6 If the process allows, safety provisions for phase-dependent processes shall be designed to operate independently of the control system, e.g. by means of a process variable or limit switch.
When the phase dependence of a batch control system can only be derived from this batch control, the safety provision shall be designed in such a way that during the unprotected phase the override is automatically operated via an override contact (DO) generated by the DCS. This override contact shall be activated by a monitor mechanism operating independently of the sequential control system.
5.5.1.7 Overrides in multiple safety circuits shall be designed so that not more than one sensor element is overridden at any one time and the safety provision's functionality is retained (e.g. by creating a 2 out of 2 system). Overrides are not normally necessary for 2 out of 3 systems.

5.5.2 Locked open / locked closed valves
[BEST PRACTICE; standardizing, plant experience and SHE] Locked open / locked closed valves:
- The lever or hand wheel shall be removable;
- They shall be lockable with a lock or tube over the stem;
- They shall be provided with an anti-tamper device such as a lock or tube enveloping the stem;
- They shall be marked 'Locked open' or 'Locked closed' on the P&ID.
This applies to all valves between the process and the instrument and between the manifold and in-line calibration and/or block valves.
5.5.2.1 Valves in instrument air lines shall for SIL a/1 and SIL 2/3 have the following features:
- The lever or hand wheel shall be removable;
- They shall be lockable with a lock or tube over the stem.
(Draft note: isolating valves and other old texts.)
11.7.1.3 Bridging switches should be secured with key locks or passwords to prevent unauthorized operation.
11.2.5 Requirements for operation, maintenance and testing should be taken into account during design, e.g. testing security / alarms / by-passing.
1. SHEP 4.4.3-5.1 Chapter 5.5.2 Measuring point / process valves. Best Practice, standardization and SHE factory experience.
Measuring point / process valves and process piping serving SIL a/1 and SIL 2/3 safety provisions shall have the following implementation:
• The operating handle or hand wheel shall be removable;
• The control shall be lockable;
• They shall be marked LOCK-open/closed on the P&ID;
• These facilities shall be installed on all valves between process and instrument.
5.5.2.1 Valves in instrument air pipelines serving SIL a/1 and SIL 2/3 safety provisions shall have the following features:
• The operating handle or hand wheel shall be removable;
• The control shall be lockable.
The purpose of LO / LC facilities is to prevent unwanted bridging of safety devices. Depending on the SIL there is a guideline for how LO / LC valves must be designed:
- SIL ≤ a: shall be supplied with a clear marking / labelling / stick ring;
- SIL ≤ 1: shall be provided with a locked chain / key-lock locking devices on instrument air valves etc.;
- 2 ≤ SIL ≤ 3: shall have special safety locks with keys.
They shall also be shown on the P&ID.

5.5.3 Overrides in electrical signals
[BEST PRACTICE; standardizing, plant experience and SHE] Override switch designations shall indicate the function of the switch:
- MOS: Maintenance Override Switch;
- POS: Process Override Switch.
5.5.3.1 The signals shall be overridden within the logic solver. The safety device's input signal to the logic solver shall not be interfered with, so as to ensure that the status indication or value on exceedance of a limit value remains intact.
5.5.3.2 Override switches shall individually send a signal to the DCS to suppress audible and visible alarms.
5.5.3.3 Electrical overrides shall be on a separate display in the DCS. The status of the override shall be historically archived in the DCS.
5.5.3.4 [SHE; 'VVA'] Hard-wired POSs shall preferably be installed in the control room. Hard-wired MOSs shall be installed in the ICR.
5.5.3.5 [BEST PRACTICE; standardizing, plant experience and SHE] Override switches on outputs are not allowed unless:
- Written approval is obtained from plant management;
- They are automatically set and reset via a phase-dependent sequential control system;
- They are installed in the same way as overrides in input signals.
5.5.3.6 MOSs and POSs shall normally be de-energized to ensure that the process assumes the safe state on wire breakage.
5.5.3.7 For design requirements of override switches, refer to appendix 2. In the appendix there are 4 figures:
- Fig. 1 Override in a relay system;
- Fig. 2 Override in a PLC system with signalling on a conventional alarm panel (not preferred);
- Fig. 3 Override in a PLC with signalling on DCS;
- Fig. 4 Override in DCS.
For figures 3 and 4, a single, unique key switch shall be used for acknowledgement for each SIL. SIL 1, 2 and 3 overrides shall be depicted in a single screen.
5.5.3.8 Overriding sensors via disconnect terminals with a test connection on a distribution board is not allowed for SIL a/1 and SIL 2/3.

5.5.4 Overrides in power supply systems
[BEST PRACTICE; standardizing, plant experience and SHE] All sensors and final controlling elements included in SIL a/1/2/3 safety circuits shall be individually supplied and each circuit shall be fused to minimize spurious plant trips.
5.5.4.1 Hardwired safety circuits shall be supplied from a rail with disconnecting means. It shall be possible to supply a safety circuit from a rail of a second power source so as to locate earth faults.
5.5.4.2 19-in. racks/files containing instruments included in a SIL a/1/2/3 safety provision shall be individually supplied and fused.
5.5.4.3 Power plugs are not allowed for SIL 1/2/3.
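A small logic-solver model of the override rules in 5.5.1.1, 5.5.1.7 and 5.5.3, added here as an example (it is not DSM's code and does not model any particular PLC): at most one sensor of a voted group overridden at a time, voting degraded so the function is retained, the raw input left intact, a per-override suppression signal for the DCS and an archived history. The tag names, the seconds-based clock and using the nominal 6 h as the automatic expiry are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 5.5.1.1: overrides are temporary (6 hr +/- 2 hr); the nominal 6 h is used
# here as the automatic expiry (assumption for this model).
OVERRIDE_LIMIT_S = 6 * 3600


@dataclass
class Override:
    sensor: str
    kind: str        # "MOS" (maintenance) or "POS" (process), per 5.5.3
    set_at: float    # logic-solver clock, seconds


@dataclass
class VotedGroup:
    """MooN trip group with de-energize-to-trip inputs: an input that reads
    False (contact open, wire broken or input missing) is a trip vote."""
    name: str
    sensors: Tuple[str, ...]
    m: int                                    # trip votes needed
    override: Optional[Override] = None
    history: List[Tuple[float, str, str]] = field(default_factory=list)

    def _log(self, now: float, event: str) -> None:
        # 5.5.3.3: the override status is archived (here: an in-memory list)
        self.history.append((now, self.name, event))

    def set_override(self, sensor: str, kind: str, now: float) -> bool:
        """Request an override; refused when another sensor of the group is
        already overridden (5.5.1.7: not more than one at a time)."""
        if sensor not in self.sensors or kind not in ("MOS", "POS"):
            raise ValueError(f"unknown sensor {sensor!r} or override kind {kind!r}")
        if len(self.sensors) < 2:
            # A single-sensor circuit would be fully disabled by an override;
            # that case is outside this model of multiple-sensor circuits.
            raise ValueError("override on a single-sensor circuit not modelled")
        if self.override is not None:
            self._log(now, f"{kind} on {sensor} refused: "
                           f"{self.override.sensor} already overridden")
            return False
        self.override = Override(sensor, kind, now)
        self._log(now, f"{kind} set on {sensor}")
        return True

    def reset_override(self, now: float) -> None:
        if self.override is not None:
            self._log(now, f"{self.override.kind} on {self.override.sensor} reset")
            self.override = None

    def expire(self, now: float) -> bool:
        """Cancel an override that has run past the time limit."""
        if self.override is not None and now - self.override.set_at > OVERRIDE_LIMIT_S:
            self._log(now, f"{self.override.kind} on {self.override.sensor} expired")
            self.override = None
            return True
        return False

    def effective_voting(self) -> Tuple[int, int]:
        """(M, N) actually applied. With one sensor overridden, 2oo3 degrades
        to 2oo2 and 1oo2 to 1oo1, so the protective function is retained."""
        n = len(self.sensors)
        if self.override is None:
            return (self.m, n)
        return (min(self.m, n - 1), n - 1)

    def evaluate(self, inputs: Dict[str, bool], now: float) -> Dict[str, object]:
        """One logic-solver cycle. inputs: sensor -> True while energized
        (healthy), False on a trip or a broken wire. Returns the trip decision,
        which sensor's alarm the DCS should suppress (5.5.3.2) and the raw
        inputs, which the override must not alter (5.5.3.1)."""
        self.expire(now)
        m, n = self.effective_voting()
        skipped = self.override.sensor if self.override else None
        active = [s for s in self.sensors if s != skipped]
        votes = sum(1 for s in active if not inputs.get(s, False))
        return {
            "trip": votes >= m,
            "voting": f"{m}oo{n}",
            "votes": votes,
            "suppress_alarm": skipped,
            "raw_inputs": dict(inputs),
        }


if __name__ == "__main__":
    # Constructed example: a 2oo3 high-pressure trip; transmitter A is taken
    # out for maintenance and the group continues as 2oo2 on B and C.
    grp = VotedGroup("PZHH-101", ("PT-101A", "PT-101B", "PT-101C"), m=2)
    grp.set_override("PT-101A", "MOS", now=0.0)
    print(grp.evaluate({"PT-101A": False, "PT-101B": False, "PT-101C": True}, now=60.0))
    for entry in grp.history:
        print(entry)
```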
5.6 EMERGENCY SHUT DOWN
Emergency shut down in this document means a shut-down system initiated by the operator as last line of defense, with the purpose of preventing escalation of a calamity (red push buttons). Sometimes the name "emergency shut down" system is also used to describe automatic trip systems to prevent calamities.
5.6.1 General
[BEST PRACTICE; standardizing, plant experience and SHE] Emergency shut-down systems are required by various directives and regulations. In addition, DSM requires in some cases that a plant emergency shutdown system be provided in chemical process plants.
5.6.2 Process plant emergency shut down functions (LOC)
[BEST PRACTICE; standardizing, plant experience and SHE] The contractor shall design and install emergency shut-down systems for the plant and/or plant sections on the basis of the "starting points for Emergency Shut-down".
5.6.2.1 Purpose
[BEST PRACTICE; background information] Emergency shut-down systems shall be designed to prevent and/or control the effects of plant incidents such as loss of containment, fire, vibration, noise and so forth, including escalation of such incidents.
5.6.2.2 Operation of the plant shut down
[BEST PRACTICE; background information] The plant emergency shut-down system is used by the operator when they suspect that the safety provisions malfunction. This system is the last line of defense against unforeseen scenarios in the design, construction or changes, not automatically detected in case of failure of safety provisions, whether procedural, instrumented or mechanical.
5.6.2.3 Examples of actions executed by the plant shut down
[BEST PRACTICE; standardizing, plant experience and SHE] Operation of the plant emergency shut-down system shall render the plant as safe as possible.
This may require any or more of the following actions:
- stop energy supply to the process;
- reduce the supply of, and release of, process media through closure of isolating valves at battery limits and/or between plant sections and buffer tanks;
- increase and/or decrease the feed rates of heating or cooling media;
- stop machines and packaged units;
- open discharge lines to safe locations such as flare.

5.6.3 Other emergency shut down systems
[LAW] Emergency shut-down systems are required by a number of regulations and directives, including the following.
5.6.3.1 Low voltage regulations
- National regulations (e.g. Netherlands NEN 1010, Germany DIN....., US NEC…..)
- Low voltage directive 2006/95/EC
- Harmonized Standards, EU
In the interest of electrical safety, machines and equipment must be provided with emergency shut-down systems and emergency isolators.
5.6.3.2 Equipment regulations (Equipment directive)
- National regulations
- Machine directive 2006/42/EC
- Harmonized Standards:
  o EN-ISO 13849-1 (PL) Safety of machinery - Safety-related parts of control systems
  o EN-IEC 62061 (SIL) Safety of machinery - Functional safety of safety-related E/E/PES
  o EN-IEC 60204-1 Electrical safety of machinery
5.6.3.3 Fired gas systems and other independent regulations (international)
- Emergency shut-down provision according to local rules
- Machine directive 2006/42/EC, Harmonized Standards:
  o EN 746-2:2010 Industrial thermoprocessing equipment - Safety requirements for combustion and fuel handling systems
  o NFPA 85:2001 Boiler and Combustion Systems Hazards Code

5.6.4 Requirements for plant emergency shut-down systems (ESD)
[BEST PRACTICE; standardising, plant experience and SHE] The requirements for plant emergency shut-down systems are set out below under the following items:
- procedural actions;
- plant emergency shut-down switch; and
- circuit design of plant emergency shut-down systems.
Any deviation from these requirements shall require the principal's permission. Procedural actions shall meet the requirements of Process Safety Network Guidance Note No 004 (PSN-GN004).
5.6.4.1 Shut down switch design
Plant emergency shut-down switches shall meet the following design requirements:
a. The devices shall be operated by hand and incorporate double, mechanically connected contacts with positive opening (de-energize to trip) and a non-self-resetting position when activated, through a key interlocking system.
b. Emergency shut-down switches must be readily accessible and recognizable and shall be protected to prevent inadvertent operation.
   1. Accessibility: Emergency shut-down switches shall be so located as to be operator accessible in the event of the foreseen incident. Rip cord switches shall be used where necessary.
   2. Recognizability: Push buttons shall be red and mushroom-shaped and shall have a yellow background.
   3. Unintended operation: Push buttons on an operating panel shall be protected against inadvertent operation.
c. Activating the emergency shut-down switch(es) shall be communicated to the logic solver via a derived contact.
This is to ensure that the switch status is updated in the logic solver and the process control system. Logic solver programs and control system programs shall where necessary be synchronized upon activation of the emergency shut-down system.
5.6.4.2 Design of the electric circuit of the emergency shut down system
The electrical circuit of the plant emergency shut-down system shall be based on relay technology and shall be fail-safe for improved reliability. High reliability is essential given that this system is the last line of defense against the potentially serious effects of human error or failure of other safety provisions.
a. Design of input circuit of plant emergency shut-down circuit:
   1. The design shall utilize an all-purpose emergency stop relay according to EN 954-1 Category 4, EN ISO 13849-1 PL e or IEC 62061 SIL 3, such as PILZ PNOZ X-3 or Siemens 3TK2825. Such relays include a separate feedback contact for signalling short-circuit/actuation of the input circuit.
   2. Plant emergency shut-down switches shall be two-pole.
   3. Multiple plant emergency shut-down switches may be series connected to an emergency stop relay provided that the voltage drop across the input circuit is acceptable. The maximum length of a 2 x 1.5 mm2 cable is 900 m.
b. Design of slave circuit of emergency stop relay:
   1. Other slave relays may be inserted in the slave circuit of the emergency stop relay provided they have positive opening contacts. This means there must be a mechanical link between the armature and the contacts. Each slave relay shall send a feedback signal to the reset circuit of the emergency stop relay to indicate it is energized.
c. Typicals for connection of type PILZ PNOZ X-3:
   1. Appendix 4, Typical 1 shows the wiring in a plant emergency shut-down system by removing the 24 VDC supply of PLC DO cards.
   2. Appendix 4, Typical 2 shows the wiring for disconnecting multiple users such as solenoid valves and packaged units.
(Draft note: 2012-02-02, stopped here.)

5.7 ASPECTS OF REGULATIONS FOR MACHINERY SAFETY DIRECTIVE
[LAW] The hazards posed by machines shall be assessed, classified and documented, and the machines installed, by the vendor in conformity with 2006/42/EC and Harmonized Standards EN-ISO 13849-1 (PL) or EN-IEC 62061 (SIL) and EN-IEC 60204-1. Also, machines shall be installed by the vendor.
[SHE; LOC] In addition, machines may be assessed as to their hazards on loss of containment, environment and financial loss and may be classified to EP 1-20.1. The resultant SIL-classified safety provision shall be designed in accordance with this SHEP.
[LAW] An additional emergency shut-down circuit to an existing machine safety system shall be designed to Section 5.6 provided the shut-down is Category 0 and the maximum risk is Category 3 according to 2006/42/EC and Harmonized Standards EN-ISO 13849-1 (PL) or EN-IEC 62061 (SIL) and EN-IEC 60204-1.

5.8 START-UP
5.8.1 Provisions for testing
[LAW; implementation] The test interval is dictated by the SIL and the instruments selected. Provisions for testing are therefore required for SIL a/1/2/3, enabling the safety provision to be tested during normal operation. Provisions for testing shall be designed in such a way that testing can be accomplished within 8 hours.
5.8.2 Testing
[BEST PRACTICE; standardising, plant experience and SHE] Testing shall take place in accordance with EP 4.11.9-1.1. All SIL a, 1, 2, 3 safety circuits shall be integrally (sensor, solver, final actuator) subjected to functional testing. Automatic testing is allowed. Automatic testing does not normally allow each component to be extensively or fully tested and verified. In case of automatic testing the coverage factor should be as high as possible. Automatic testing shall verify that the entire safety circuit is performing satisfactorily. Safety circuits with automatic testing shall also allow manual testing.
5.8.3 Verification of implementation
[SHE; requirements on safety provisions] The implementation of each SIL 1/2/3 instrumented safety circuit shall be verified. Such verifications shall be carried out by a body that is independent of the project organization that has designed and built the safety provision to be verified. The body shall possess adequate knowledge and expertise for carrying out the verification. Required information:
- Result of classification;
- All engineering documents bearing on the hazard protected against;
- Results of visual inspection in the field;
- List of apparatus approved by the Business Group.

5.9 MAINTENANCE
[SHE; 'VVA'] For DSM Limburg B.V. the VVA is applicable. See VVA chapter 9 for:
- Handling MOSs, POSs and overrides;
- Check of safety circuits;
- Preparation of Prolocs / VABAs, VARAs and the like.
5.9.1 Testing
[BEST PRACTICE; standardising, plant experience and SHE] A clear distinction is made between manual testing and automatic testing. Manual testing shall be minimized, because such human operations may affect the failure rate of the components. An exception is made where the protective function is fully retained during manual testing, i.e. if not a single component is disabled by an override. During manual testing, all components shall be tested, verified and replaced if necessary. Components shall preferably be replaced with complete spare units that have previously been fully tested and verified on the test bench.
5.9.2 Test frequency
[BEST PRACTICE; background information] See SHEP 4.4.3-4.1 for the test frequency of safety provisions. The test frequency may be reduced by adding an out-of-range alarm. See SHEP 4.4.3-4.1. If the reliability of components warrants shorter test intervals than stated in SHEP 4.4.3-4.1, they shall preferably be replaced by more reliable units.
5.10 ADDITIONAL REGULATORY APPROVALS
[BEST PRACTICE; background information] As well as the requirements of this EP, instrumented safety systems may need to satisfy additional safety requirements. These include the following:
- The Regulations for Machinery Safety; 89/392/EEG (old);
- VISA regulations for burner installations;
- VVS (for radioactive materials);
- Explosion hazards;
- Electrical safety;
- Gas and fire detection;
- Statutory and DSM safety regulations.
The requirements of this EP are additional to statutory regulations and the Engineering Requirements. In case of conflict, the statutory regulations shall govern. Hazards having the same SIL according to the above legislation and 4.4.3-4.1 may be assigned the same SIL.

APPENDIX 1
[BEST PRACTICE; background information] BACKGROUND INFORMATION
Re/ General par 5. Design experience (General)
Safety provision designs heavily affect plant integrity: a fault can have grave consequences for the community and the environment and may involve high expenditure. Consequently, safety systems should preferably be designed by DSM staff who have adequate experience with the design process, the systems, the process and the plant.

Re/ Par. 5.1.9 Fail safe / normally energized circuits
Where normally energized safety provisions are used, their sensing elements, logic solvers and control elements carry a current under normal plant operating conditions. When the sensing element is activated, the current-carrying contacts break to interrupt the entire circuit, causing the controlling element to assume the safe condition. When this happens, the plant or a part of the plant trips. Loss of power or wire breakage anywhere in the circuit leads to the same result. The standard design calls for safety provisions, especially trip circuits, to be normally energized because this assures fail-safe response.

Re/ Par.
5.1.9 Fail safe / normally de-energized circuits
Where normally de-energized safety provisions are used, their sensing elements, logic solvers and control elements are currentless under normal plant operating conditions. When the sensing element is activated, the contacts make, closing the circuit and so allowing a current to flow through the circuit. The controlling element is energized and assumes the safe position. When this happens, the plant or a part of the plant trips. It is not possible for the plant to trip on power failure or wire breakage anywhere in the circuit. Thus, the circuit is not fail-safe, which is why a normally de-energized system is employed only where a normally energized system is not practicable. This is a typical application for permissives and overrides.

Re/ Par. 5.1.10 Diversity / redundancy
The existence of diverse ways and means of performing a required function, for example diverse physical principles. Note: there are various forms of diversity; functional diversity entails diverse approaches to arrive at the same result. E.g. where there is a direct relation between the (vapour) pressure and the temperature, temperature could also be a diverse way of measuring a pressure that is difficult to measure directly because of clogging of impulse lines. IEC 1508 gives the following definition: existence of different means of performing a required function, for example other physical principles, other ways of solving the same problem. Note: there are several types of diversity; functional diversity employs the use of different approaches to achieve the same result.

Re/ Par. 5.1.11 Common cause failures
During the design, the aim shall be to identify and eliminate potential common cause failures wherever possible. Software failure shall be considered where software is used in conjunction with safety provisions. Examples of several failures that have occurred within DSM include the following:
- Error in HIMA PLC operating system used in the KGF 1/3.
  See RO 93 0027 dd 28 July 1993 by R. Overhof;
- Bunker incident in PPF1 plant (common cause failure because of a faulty downloading procedure in the PLC). See LOE 94071 dd 18 October 1994 by L. de Loey;
- SMA plant fault in Fisher Rosemount power converter card. See MP603191 dd 3 April 1996 by M. te Pas;
- Wrong connection of TC compensation cable on transmitters. See RH98-57 dd 4 December 1998 by R. Hanssen.
Such failures cause multiple inputs/outputs to simultaneously assume an undefined state for which the process has not been designed and which may not have been considered in the engineering HAZOP. Consequently, the following points should be borne in mind:
- The engineering HAZOP should consider the fact that a fault may cause multiple outputs to receive a faulty setpoint;
- The aim should be for protected process units to be as small as possible;
- Design for simplicity and transparency of design and operation;
- Process control and safety systems should be dissimilar in terms of hardware principle;
- Where the potential negative impact is high (SIL 2/3), avoid the use of software-based safety provisions and stick to simple hardware-based safety provisions (as required by DKS) and very well known equipment, engineering installation and verification standards.

Re/ Par 5.4.3 Design rules: Time aspects and process relations
Introduction. An important design aspect of safety provisions is the control rate versus control power and the protection rate versus protection power.
Occurring events:
A = Process limit value is exceeded.
B = Transgression is detected.
C = Switch action communicated to logic.
D = Logic actions are completed.
E = Final element is actuated.
F = Final element action is completed.
G = Process has returned to safe side of limit value.
H = Incident occurring in unprotected process.
Times:
I = Response time of sensor loop.
II = Processing time of sensor loop.
III = Processing time of logic solver.
IV = Signal transfer from logic to final element.
V = Response time of final element.
VI = Response time of process.
VII = Time margin.
VIII = Process safety time.
The time periods in Figure 2 are determined by the following factors:
I. Response time of sensor loop. This is determined by the sensor's accuracy in relation to the maximum rate at which the process can change (see Figure 3) and the delays in the loop resulting from, for instance, plugged metering runs;
II. Processing time of sensor loop. This is determined by the sensor's response time in relation to the maximum rate at which the process changes (see Figure 3). This includes the time it takes for a relay, if used, to drop off and for the signal to be transmitted to the logic solver;
III. Processing time of logic solver. If a relay panel is used, this is the time it takes for all sequential relays to drop off. If the logic solver is a PLC, this is the PLC's cycle time plus the time during which an interface relay, if used, has been de-energized;
IV. Signal transfer from logic solver to final element. This is the time it takes to actuate the final element from the logic solver. It includes, for instance, the travel time of a solenoid valve;
V. Response time of final element. An example is the travel time of a valve from fully open to fully closed;
VI. Response time of the process. This is the time it takes for the process to return to safe conditions on operation by the final element. It is much dependent on the quality of the safety provision, especially of the final element;
VII. Time margin. This is the time remaining between the intervention and the moment an incident would have occurred had there been no intervention;
VIII. Process safety time. This is the time during which the process continues to operate on transgression of the limit value without the occurrence of an incident.
[Figure 2: Time aspects (figure not reproduced).]
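The time budget of periods I..VIII worked through in code, as an added example that is not part of the SHEP: it sums the periods, derives the time margin VII from the process safety time VIII, and turns the budget around to give the stroking time a valve may have. The formula for period I (sensor inaccuracy divided by the maximum process gradient, as sketched in Figure 3), the constructed sample values and the helper names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class SifTimes:
    """Periods I..VI of the time diagram (Figure 2), in seconds."""
    sensor_response: float      # I   response time of sensor loop
    sensor_processing: float    # II  processing time of sensor loop
    logic_solver: float         # III processing time of logic solver
    signal_transfer: float      # IV  signal transfer logic -> final element
    final_element: float        # V   response time of final element
    process_response: float     # VI  response time of the process


def detection_delay(inaccuracy: float, max_gradient: float, loop_delay: float = 0.0) -> float:
    """Period I. The process can be past its limit for inaccuracy/max_gradient
    seconds before the measurement is certainly over the limit (Figure 3: Xmax
    at the maximum process gradient), plus loop delays such as a plugged
    metering run. Assumed model; units: process units and process units/s."""
    if max_gradient <= 0:
        raise ValueError("max_gradient must be positive")
    return inaccuracy / max_gradient + loop_delay


def logic_solver_time(plc_cycle: float, interface_relay_dropoff: float = 0.0) -> float:
    """Period III for a PLC: cycle time plus the drop-off time of an interface
    relay, if one is used."""
    return plc_cycle + interface_relay_dropoff


def sis_response_time(t: SifTimes) -> float:
    """Periods I..VI summed: from limit exceedance (event A) until the process
    is back on the safe side (event G)."""
    return (t.sensor_response + t.sensor_processing + t.logic_solver
            + t.signal_transfer + t.final_element + t.process_response)


def time_margin(t: SifTimes, process_safety_time: float) -> float:
    """Period VII = VIII - (I..VI). Negative: the incident (event H) occurs
    before the intervention is complete."""
    return process_safety_time - sis_response_time(t)


def max_final_element_time(t: SifTimes, process_safety_time: float,
                           required_margin: float) -> float:
    """Stroking time (period V) the valve may have while keeping the required
    margin, given the other periods; useful when selecting the valve (5.2.6)."""
    others = sis_response_time(t) - t.final_element
    return process_safety_time - required_margin - others


def budget_report(t: SifTimes, process_safety_time: float) -> Dict[str, object]:
    """Per-period figures and the verdict, as recorded in the SRS/verification."""
    total = sis_response_time(t)
    margin = process_safety_time - total
    return {
        "I_sensor_response": t.sensor_response,
        "II_sensor_processing": t.sensor_processing,
        "III_logic_solver": t.logic_solver,
        "IV_signal_transfer": t.signal_transfer,
        "V_final_element": t.final_element,
        "VI_process_response": t.process_response,
        "I_to_VI_total": total,
        "VIII_process_safety_time": process_safety_time,
        "VII_time_margin": margin,
        "acceptable": margin > 0,
    }


if __name__ == "__main__":
    # Constructed sample: pressure trip, transmitter inaccuracy 0.5 bar,
    # maximum process gradient 0.125 bar/s, PLC cycle 0.5 s with a 0.25 s
    # interface relay, valve stroke 10 s, process settles in 20 s.
    sample = SifTimes(
        sensor_response=detection_delay(0.5, 0.125),
        sensor_processing=2.0,
        logic_solver=logic_solver_time(0.5, 0.25),
        signal_transfer=0.5,
        final_element=10.0,
        process_response=20.0,
    )
    for key, value in budget_report(sample, process_safety_time=60.0).items():
        print(f"{key:>26}: {value}")
```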
Process response (legend of Fig. 3; the figure itself is not reproduced):
dt safety = time between exceeding process limit and incident.
dt sensor loop = time between exceeding process limit and detection (determined by inaccuracy and response time of sensor circuit).
Xmax = increase of process value at maximum process gradient.
Tr = response moment of final actuator.
dtr = response time SIS + process.

1. Software (Re/ Par. 5.3)
The document:
ldPE System Management Procedures, Appendix A2: Prototype change management document SBLDPE3.DOC; version 971219
describes a procedure and related job instructions for adaptive change management in systems. One of the parts in this document describes and gives examples of a hazard study on safety systems.

APPENDIX 2 [BEST PRACTICE; standardizing, plant experience and SHE] OVERRIDE OPTIONS
1. Relays
Where relay technology is used, overrides shall include a key switch in the control room for each limit switch as per Figure 1.
2. PLC in conjunction with conventional facia system
Where a PLC is used in conjunction with a conventional facia system, overrides shall include a key switch in the control room for each limit switch as per Figure 2.
3. PLC in conjunction with a DCS
Where a PLC is used in conjunction with a DCS, the override shall include a single key switch which shall be operated by the head of Production or the shift supervisor. This switch serves to acknowledge those limit switches which are designated by the operator to be overridden or reset (as per Figure 3). If the safety provision resides in a number of PLCs, the status of the key switch shall be entered into each PLC.
4. DCS
Where a DCS is used, the override shall include a single key switch which shall be operated by the head of Production or the shift supervisor. This switch serves to acknowledge those limit switches which are designated by the operator to be overridden or reset (as per Figure 4).
If the safety provision resides in a number of controllers, the status of the key switch shall be entered into each PLC.

FIGURE 1 override in a relay system
FIGURE 2 override in a PLC system and a conventional control system
FIGURE 3 override in a PLC system in combination with DCS
FIGURE 4 override in a DCS

APPENDIX 3 [BEST PRACTICE; standardizing, plant experience and SHE] CHOICE OF CONTACTS
1. Switch off commands and switch on conditions
Unwanted: unavailability due to wire rupture.
Wanted: switch off in case of wire rupture, no switch on in case of rupture.
Design: switch not active - contact closed; switch active - contact open.
2. Switch on commands
Unwanted: switch on due to wire rupture.
Wanted: switch on impossible in case of wire rupture.
Design: switch not active - contact open; switch active - contact closed.
3. Override switch or contact
Unwanted: override due to wire rupture.
Wanted: disabling of override in case of wire rupture.
Design: switch not active - contact open; switch active - contact closed.
4. Motor status signal (see also 7)
Unwanted: false indication "motor running" in case of wire rupture.
Wanted: signalling "motor stopped" in case of wire rupture.
Design: motor runs - contact closed; motor stops - contact open.
5. Final elements
Unwanted: no transition to safe state possible due to wire rupture.
Wanted: transition to safe state in case of wire rupture.
Design: final element is energized in operating condition; final element is de-energized in safe state.
6. Alarms
Design as in 1.
7. Specials
In some cases the final element cannot, for technical reasons, be designed so that the transition to the safe state is achieved by de-energizing the final element. One example is a high voltage motor.
Another example is the switching on of a low voltage motor, in case the safe condition of the motor is the running status of the motor. In these circumstances the principle of normally de-energized circuits will be applicable. The sensor and logic solver are to be in normally energized circuitry; the change-over to a normally de-energized circuit shall be "as close as possible" to the final element. The signalling of the status of the motor via the C1-relay is often not sufficient. Often an additional indication is required, e.g. force/pressure/speed. Example: High voltage motor with fan.

APPENDIX 4 5.6.5 Typicals [BEST PRACTICE; standardizing, plant experience and SHE]
TYPICAL 1 (wiring diagram; only the legend is recoverable): supply + 24VDC UPS, fuse 4A slow or 6A fast; emergency switches ES1, ES2 ... ES*n; safety relay e.g. PNOZ X3; contacts 41-42 to DCS; per group of PLC outputs 24VDC 4A/100W.
Note: ES = Emergency Switch with mechanically coupled contacts.
- DO-PLC, load up to 100 VA/piece
- One or more ES switches
- Reset by hardware or PLC or DCS
TYPICAL 2 (wiring diagram; only the legend is recoverable): supply + 24VDC UPS, 24VDC or 110VDC or 240VAC, fuse 4A slow or 6A fast; emergency switches ES1, ES2 ... ES*n; safety relay e.g. PNOZ X3; contacts 41-42 to DCS; multiplying relays d1, d2, d3 driving e.g. emergency shutdown valves XEV-1 and XEV-2 with mechanically coupled contacts, emergency shutdown package unit P.U.1, operator alarm "emergency shutdown" and activation of the plant alarm.
Note: ES = Emergency Switch with mechanically coupled contacts.
- multiplying contacts for emergency shut down of multiple users.
- one or more ES switches
- reset by hardware or PLC or DCS

DNP-Grenzach local control typical (wiring diagram; only the legend is recoverable): device in IP 54 enclosure, equipment in explosion protection types Ex "i", Ex "d" and Ex "nC"; plant: Ex zone 2; reset of the motor feeder; ignition protection equipment: II 3 G; sensor inputs Ex i (LSL, TSH); local switching device, 24 V control voltage; safety relay PNOZ; signalling to the process control system, Ex nC; 400 V supply; PLC in the switch room; circuit corresponds to Category 3, PL d according to EN 945 or EN ISO 13849-1.
DNP-Sisseln typicals final elements: (figure not recoverable)
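The contact conventions of Appendix 3 (items 1 to 5), with the key-switch acknowledge of Appendix 2 on the override path, modelled as a small de-energize-to-trip logic solver in Python. This is an added example, not the guideline's own; it assumes one sensor loop, one override loop and that a wire rupture reads as an open loop.

```python
"""Contact conventions of Appendix 3 modelled as a small de-energize-to-trip logic
solver. Added example, not the guideline's own; a wire rupture is assumed to read
as an open loop, and the override path uses the key-switch acknowledge of Appendix 2."""
from dataclasses import dataclass


@dataclass
class Loop:
    """One two-wire field circuit as the logic solver sees it."""
    contact_closed: bool      # physical state of the contact
    wire_intact: bool = True  # False simulates a wire rupture

    def energized(self) -> bool:
        # the solver cannot tell a broken wire from an open contact
        return self.contact_closed and self.wire_intact


def trip_demand(sensor: Loop) -> bool:
    """Item 1, switch-off command: contact closed while the process is healthy,
    open on transgression, so loss of the signal is treated as a demand."""
    return not sensor.energized()


def start_permitted(start: Loop) -> bool:
    """Item 2, switch-on command: contact closed only while the command is
    given, so a rupture can never start anything."""
    return start.energized()


def override_active(override: Loop, key_switch: Loop) -> bool:
    """Item 3 with Appendix 2 option 3/4: the override contact and the
    control-room key switch must both be closed; a rupture in either
    disables the override rather than enabling it."""
    return override.energized() and key_switch.energized()


def final_element_energized(sensor: Loop, override: Loop, key_switch: Loop) -> bool:
    """Item 5: energized in the operating condition, de-energized in the safe
    state; power is held only while no unmasked trip demand exists."""
    demand = trip_demand(sensor) and not override_active(override, key_switch)
    return not demand


def motor_running(status: Loop) -> bool:
    """Item 4: 'motor runs' = contact closed, so a rupture reads 'motor stopped'
    and never produces a false running indication."""
    return status.energized()
```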