1

SIL verificatie van3 voorbeelden

Herman JansenSafety Solutions Consultants

6 november 2008

Voorbeeld 1 Temp. beveiliging project

Siemens

PCS7-F

SIL 3 certified

Target Integrity SIL 2Proof test interval 1 yearService Sulphuric acid

2

Onderdelen SIF

Sensor: Temperature transmitter ABB type TTH300Sensor: Temperature transmitter ABB, type TTH300

The transmitter is SIL 2 certified by TÜV Nord. Cert. report;Type B instrument, SFF: 91%, Dangerous undetected failure rate: 4,1 ⋅ 10-8 / hour.

SSC uses for the transm. + sensor the following failure rate:λDU 2,4 ⋅ 10-7 / hourSFF >90%Type B

Onderdelen SIF

Logic System

Siemens PCS7-F Safety PLCCertified by TÜV SÜD for application in SIL 3 SIF’s. A PFD is assumed of 1,0 ⋅ 10-4.

3

Onderdelen SIFFinal element Spring to close valve

Solenoid valve 3 way;Solenoid valve, 3-way;Failure rates (Exida):λDU 5,9 ⋅ 10-7 / hour SFF 72%Type A

Globe valveGlobe valveFailure rates (Exida):λDU 1,3 ⋅ 10-6 / hour (appl. ‘severe service, full stroke)SFF 28%Type A

SIL verificatie

Functional requirements:Functional requirements:

The SIF prevents the unwanted high temperature scenario.

4

SIL verificatie

Independency requirements:Independency requirements:

Separately realized from DCS.

SIL verificatie

Probabilistic requirements:

PFDsensor = 2,1 ⋅ 10-3PFDLogic Solver = 1,0 ⋅ 10-4 PFD valve = 1,6 ⋅ 10-2+PFDSIF = 1,8 ⋅ 10-2 : SIL 1

5

SIL verificatie

Architectural requirements:

Temp. Transmitter Type B, HWFT=0 and SFF> 90% : SIL 2Logic Solver TÜV certified : SIL 3Solenoid valve Type A, HWFT=0 and SFF= 60% : SIL 2Gl b l T A HWFT 0 d SFF 60% SIL 1Globe valve Type A, HWFT=0 and SFF< 60% : SIL 1

SIL verificatie

ConclusionThe target SIL is SIL 2. This SIF does not comply to the requirements of SIL 2.

RecommendationClose/stop additionally a second final element.Close/stop additionally a second final element.

6

Voorbeeld 2 Over speed beveiliging project

VSDS motor EM-007

Target Integrity SIL 2Proof test interval 1 year

Onderdelen SIF

Sensor Frequency sensor (inductive proximity sensor)

Failure rates (Exida):λDU 1,0 ⋅ 10-7 / hourSFF 60%Type Ayp

7

Onderdelen SIF

Frequency – current convertor type KFU8-UFC-1.D

Failure rates (Exida):λDU 1,0 ⋅ 10-7 / hourSFF 83%Type Byp

Onderdelen SIF

Fi l l MFinal element Motor

Failure rates (SINTEF):Circuit breaker:λDU 3,0⋅ 10-7 / hourSFF 62%Type AType A

8

SIL verificatie

Functional requirements:

At over speed, the motor will be stopped.

SIL verificatie

Independency requirements:Independency requirements:

Functional & physically separated from control system.

9

SIL verificatie

Probabilistic requirements:

PFDsensor = 8,6 ⋅ 10-4PFDconvertor = 8,6 ⋅ 10-4PFDMCC = 2,6 ⋅ 10-3+PFDSIF 4 3 10 3 SIL 2PFDSIF = 4,3 ⋅ 10-3 : SIL 2

SIL verificatie

Architectural requirements:

Proximity sensor Type A, HWFT=0, SFF= 60% : SIL 2Freq. current convertor Type B, HWFT=0, SFF= 83% : SIL 1Circuit Breaker Type A, HWFT=0, SFF= 62% : SIL 2

10

SIL verificatie

ConclusionThe target SIL is SIL 2. This SIF does not comply with the integrity requirements of SIL 2.

RecommendationInvestigate if there is any redundancy with other sensors which also detect (the consequences of) over speed. If so, these sensors may also be used to meet the SIL 2 requirements.

Voorbeeld 3 Gasdetectie beveiliging project

Kongsberg

F&G systemImtech

UCP-1852Stop ventilation

BI-TorqActuatorSpring to close

RDIO 401S

RAIC 400RedundantRCU500

Bürkert Sol. valve

MidlandShuttle valve

Instrument airreservoir

Target Integrity SIL 1Proof test interval 4 year

Gas detectors Instrument air6-10 barg

11

Sensor Infrared Hydrocarbon Gas Detector AutroPoint HC200 of Autronica. 2oo3.of Autronica. 2oo3.

The sensor is SIL certified by RWTÜV and Exida.λDU 1.23 ⋅ 10-7 / hourSFF 94%Type B

ß 5% (assumed by SSC)

Onderdelen SIF

F&G detection system Kongsberg, type AIM Safe 2000y g g, yp

1oo2 redundant set-up. SIL certified for SIL 2. PFD F&G system, 1 year 6.62 ⋅ 10-4

SSC assumes that the PFDF&G system 4 year is4 ⋅ 6.62 ⋅ 10-4 = 2.6 ⋅ 10-3.

12

Onderdelen SIF

UCP-1852 one relay

Failure rates (SINTEF):λDU 2.0⋅ 10-7 / hourSFF 60%Type A

Onderdelen SIF

Final element3/2 way solenoid valve Bürkert type 6014

j

Final element3/2-way solenoid valve, Bürkert, type 6014

Failure rate (based on Exida failure rate for Generic 3-way solenoid):λDU 5.9 ⋅ 10-7 / hour SFF 72%Type AType A

13

Onderdelen SIF

Final ElementShuttle valve, Midland

SSC assumes the following failure rate λDU 1 ⋅ 10-7 / hour SFF 60%Type A

Fire Damper type MFD of Wozair and Ltd BI-TORQ actuator type stainless steel, B5-SS-SR

h h ff h d b ll f d l l dTight air shut off is achieved by precision roll formed sprung stainless steel grade 316L (1.4404) side seals and welded top and bottom angle blade stops.The damper has been fully tested to the Solas Rules/FTP Code Resolution A754(18) together with its relevant means operation and also BS476 Pt20 for 4 hours. The damper is certified by Lloyds Register of Shipping and carries the MED/MRA mark of conformity. For smoke clearance the damper is certified at 300°C for 1 hour for high temperature operation. The damper is also type approved by DNV, BV, ABS, RINA, GL and USCG under the Marine. Equipment Directive/Mutual Recognition Agreement.

SSC assumes the following failure rate;λDU 3.0 ⋅ 10-6 / hour SFF > 60% Type A

14

SIL verificatie

Functional requirements:

An explosion within the HVAC accommodation will be prevented by shutting down the air inlet at measured HC concentration.

SIL verificatie

Independency requirements:Independency requirements:

Functional & physically separated from other layers of protection.

15

SIL verificatieProbabilistic requirements:PFD2oo3 IR detectors = 1.5 ⋅ 10-4PFDLogic Solver = 2.6 ⋅ 10-3PFDrelay = 4.1 ⋅ 10-3PFDsol. valve = 1.2 ⋅ 10-2PFDshuttle valve = 2.1 ⋅ 10-3PFDFire damper = 5.9 ⋅ 10-2+PFDInstrumentation = 8.0 ⋅ 10-2PFDl ti f 5 0 10 3PFDlocation of sensors = 5.0 ⋅ 10-3+PFDSIF = 8.5 ⋅ 10-2 : SIL 1

It is assumed by SSC that the detectors will not sense gas (in time) once per 200 gas releases due to unusual gas flow pattern in the ventilation duct.

SIL verificatie

Architectural requirements:q

IR detector Type B, HWFT=1 and SFF= 94% : SIL 3F&G system Certified by TÜV : SIL 2Relay Type A, HWFT=0 and SFF= 60% : SIL 2Solenoid valve Type A, HWFT=0 and SFF= 72% : SIL 2Shuttle valve Type A, HWFT=0 and SFF= 60% : SIL 2Fire Damper & act. Type A, HWFT=0 and SFF= 60% : SIL 2

16

SIL verificatie

ConclusionTh t t SIL 1 i t b d f t t i t l f 4The target SIL 1 is met based on a proof test interval of 4 years.

RecommendationThe closing function can overruled by switching a hand operated push/pull valve between air reservoir and damper is in ‘override’ position (air reservoir air flows to the damper actuator). Measures shall be taken to prevent that the hand valve is in overrideshall be taken to prevent that the hand valve is in override position during normal operation.

Safety Solutions Consultants BV

Laan van Westenenk 5017334 DT ApeldoornThe NetherlandsTel +31 55 549 3362E il j @ f tE-mail jansen@safety-sc.comWebsite www.safety-sc.com