8/10/2019 Ts0708 6 Shutdown
1/45
Automatic shut down: Industry example systems & Methodology
David Ransome, P&I Design Ltd
BS EN 61508 and BS EN 61511: Process Sector Safety System Standards
BS EN 61508 (the generic functional safety standard): Manufacturers & Suppliers of Devices
BS EN 61511 (its process-sector implementation): Safety Instrumented System Designers, Integrators & Users
SAFETY LIFE CYCLE (BS EN 61511-1)
1. Hazard and Risk Analysis; Definition of Safety Functions
2. Design and Development of Alternative Means of Risk Reduction
3. Safety Requirements Specification for the Safety Instrumented System (SIS)
4. Design and Development of the SIS
5. Installation, Commissioning and Validation
6. Operation and Maintenance
7. Modification
8. Decommissioning
Review process (runs alongside every phase)
Hazard & Risk Assessment (BS EN 61511-1 Clause 8)
The assessment is carried out:
- to determine the hazardous events
- to determine the sequence of events leading to each hazardous event
- to determine the process risks associated with each hazardous event
- to determine any requirements for risk reduction
- to determine the safety functions required
- to determine whether any of the safety functions are to be implemented as safety instrumented systems
Safety Instrumented Functions & Safety Requirements Specifications
Develop the safety instrumented system specification.
Each safety function requires defining, stating exactly when and what should happen, together with the timescale of events (the timescale is important to ensure that the SIS can perform the required function safely and within an appropriate time frame).
Each safety instrumented function should be allocated a Safety Integrity Level (SIL).
Safety Integrity Levels (low demand mode)

SIL    PFD (average)         Availability        Non-availability (continuous demand)     Risk Reduction Factor
SIL 1  0.1 to 0.01           90 to 99%           876 to 87.6 hours/year                   10 to 100
SIL 2  0.01 to 0.001         99 to 99.9%         87.6 to 8.76 hours/year                  100 to 1000
SIL 3  0.001 to 0.0001       99.9 to 99.99%      8.76 to 0.876 hours/year                 1000 to 10000
SIL 4  0.0001 to 0.00001     99.99 to 99.999%    52 to 5.2 minutes/year                   10000 to 100000

SIL 4 is not normally used in the process industry.
Non-availability is the time per year the function would fail to act if it were demanded continuously (PFD x 8760 hours); the Risk Reduction Factor is 1/PFD.
Safety Instrumented Function: SENSOR SUBSYSTEM -> LOGIC SOLVER SUBSYSTEM -> FINAL ELEMENT SUBSYSTEM
Safety Instrumented Functions & Safety Requirements Specifications
BS EN 61511-1 Clause 11: design a system in which the Safety Instrumented Functions meet the specified Safety Integrity Levels.
Design of Safety Instrumented System
Prepare all documentation and detailed specifications for the SIS.
Typical documentation includes:
- Functional Description Specification
- Loop Drawings
- Logic Drawings
- Installation Documentation
- Equipment Specifications
- Failure rate data for equipment
Design of Safety Instrumented System
Ensure that the system complies with the standard and satisfies the required Safety Integrity Level.
Typically:
- Functional Safety Assessment and Design Reviews
- Reviews against the standard
- Calculation of Probability of Failure on Demand values
- Compliance with hardware fault tolerance criteria
- Assessment for proven in use ("prior use" in BS EN 61511 terminology) and process conditions
Design of Safety Instrumented System
Calculate the nuisance trip levels for the system.
Nuisance tripping is when the system trips while the process is not in a dangerous state. Nuisance trips are much more likely than the system failing to danger, because of the relatively high safe failure fraction of the SIF.
1oo2 (one-out-of-two) systems trip when either channel calls for a trip, so they have double the nuisance trips of a 1oo1 system.
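As an added worked example (not code from the original slides), the two design calculations above, PFD values and nuisance trip rate, carried through for a 1oo1 and a 1oo2 architecture against the SIL bands of the table earlier on this page. The formulas are the simplified low-demand formulas of IEC 61508-6 Annex B (dangerous-detected failures and repair time ignored); the failure rates, proof-test interval and common-cause factor are constructed illustrative values, not data from the page.

```python
"""PFDavg, SIL band and spurious (nuisance) trip rate for 1oo1 and 1oo2
architectures in low-demand mode.  Simplified IEC 61508-6 Annex B formulas:
dangerous-detected failures and repair time are ignored, so only the
dangerous-undetected rate lambda_DU and the proof-test interval T matter."""

HOURS_PER_YEAR = 8760.0

# SIL bands as (sil, lower PFDavg bound inclusive, upper bound exclusive);
# the same bands as the SIL table on this page (BS EN 61508-1 Table 2).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd_avg):
    """SIL achieved by a PFDavg value; 0 means worse than SIL 1."""
    if pfd_avg < 1e-5:
        return 4                      # beyond SIL 4, the top band
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return 0


def pfd_1oo1(lambda_du, proof_test_h):
    """PFDavg = lambda_DU * T / 2 for a single channel proof tested every T hours."""
    return lambda_du * proof_test_h / 2.0


def pfd_1oo2(lambda_du, proof_test_h, beta):
    """Two channels, either one trips the function, common-cause factor beta.
    Independent part: 2 * ((1-beta)*lambda_DU)^2 * tCE * tGE with tCE = T/2
    and tGE = T/3, i.e. ((1-beta)*lambda_DU*T)^2 / 3.
    Common-cause part: beta * lambda_DU * T / 2 (it behaves like a 1oo1)."""
    independent = ((1.0 - beta) * lambda_du * proof_test_h) ** 2 / 3.0
    common_cause = beta * lambda_du * proof_test_h / 2.0
    return independent + common_cause


def spurious_trip_rate(lambda_s, channels):
    """1ooN voting: a safe failure of ANY channel trips the process, so the
    nuisance-trip rate is N times the per-channel safe failure rate lambda_S."""
    return channels * lambda_s


def assess(name, pfd, str_per_hour):
    """Collect the figures a SIL verification report would quote."""
    return {
        "architecture": name,
        "pfd_avg": pfd,
        "sil": sil_for_pfd(pfd),
        "risk_reduction_factor": 1.0 / pfd,
        "unavailable_hours_per_year": pfd * HOURS_PER_YEAR,
        "nuisance_trips_per_year": str_per_hour * HOURS_PER_YEAR,
    }


def compare_architectures(lambda_du, lambda_s, proof_test_h, beta):
    """1oo1 and 1oo2 assessments side by side for the same channel data."""
    return [
        assess("1oo1", pfd_1oo1(lambda_du, proof_test_h),
               spurious_trip_rate(lambda_s, 1)),
        assess("1oo2", pfd_1oo2(lambda_du, proof_test_h, beta),
               spurious_trip_rate(lambda_s, 2)),
    ]


if __name__ == "__main__":
    # Constructed illustrative values (assumptions, not data from the page):
    # lambda_DU = 2e-6 /h, lambda_S = 5e-6 /h, annual proof test, beta = 5 %.
    for row in compare_architectures(2e-6, 5e-6, HOURS_PER_YEAR, 0.05):
        print(row)
```

With those constructed values the 1oo1 loop gives PFDavg 8.76e-3 (SIL 2, about 77 hours/year unavailable) and the 1oo2 loop 5.3e-4 (SIL 3). Two points a reviewer should take from the numbers: the common-cause term (4.4e-4) dominates the independent term (0.9e-4), so beta, not the second channel, sets the 1oo2 result; and the nuisance trip rate doubles from 0.044 to 0.088 per year, which is the figure the surge and ship-protection points later on this page have to be designed for.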
Design of Safety Instrumented System
Prepare testing and validation method statements.
Typical documentation includes:
- SIS Panel FAT
- Equipment Failure Conditions Functional Test Document
- Shutdown Conditions Functional Test Document
- Process Conditions Functional Test Document
- Analysis and Appraisal Documentation
Rail Tanker off-loading
Full terminal control of off-loading pumps and valves.
Ship off-loading
Split control of off-loading pumps and valves between ship and shore.
Surge Pressure Problems
1. Linked shutdown system between ship and shore, with the correct shutdown sequence.
2. Valve closing time matched to the discharge flow rate (slow closing), so that a shutdown does not generate surge pressures.
3. Shore-to-ship checklist and communications to ensure shutdown.
Pipeline transfer
Split control of the pipeline, pumps and valves between the terminal and the pipeline pumping station.
Surge Pressure Problems
1. Valve closing time matched to the flow rate (slow closing) to avoid surge pressures.
2. Communications to the pipeline supplier to inform them of a shutdown (it may not be possible to stop the transfer, as the pipeline may be supplying multiple users).
3. Added complications may include a slops tank for product changeover.
4. An unexpected increase in filling rate could occur if another pipeline user shuts down.
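The valve closing time point made for both ship off-loading and pipeline transfer above, together with the filling-rate increase in point 4, can be checked numerically. The following is an added example, not material from the original slides: it uses the Joukowsky relation for an instantaneous stop (dP = rho * a * v) and the Michaud approximation for closures slower than the pipeline period 2L/a (dP = 2 * rho * L * v / t_close), both standard water-hammer formulas rather than anything stated on this page. Flow rate, pipe size, line length, product density, wave speed and surge allowance are constructed illustrative values, and the model assumes a single straight line with a linear closure characteristic and no relief devices.

```python
"""Surge (water-hammer) check for a slow-closing shutdown valve.

Joukowsky: an instantaneous stop of flow at velocity v raises the pressure by
dP = rho * a * v, where a is the pressure-wave speed in the liquid-filled pipe.
The wave needs 2L/a seconds to reach the far end and return, so any closure
shorter than that still sees the full Joukowsky rise.  For slower closures the
Michaud approximation dP = 2 * rho * L * v / t_close, which equals the
Joukowsky rise scaled by (2L/a) / t_close, gives the peak.  Assumptions: one
straight line, linear closure, no relief devices or surge vessels."""

import math


def flow_velocity(flow_m3_per_h, pipe_id_m):
    """Mean liquid velocity in m/s for a volumetric flow through a round pipe."""
    area = math.pi * pipe_id_m ** 2 / 4.0
    return (flow_m3_per_h / 3600.0) / area


def joukowsky_surge_pa(rho, wave_speed, velocity):
    """Pressure rise in Pa for an instantaneous stop of the flow."""
    return rho * wave_speed * velocity


def critical_closure_time_s(length_m, wave_speed):
    """Pipeline period 2L/a: closures faster than this count as instantaneous."""
    return 2.0 * length_m / wave_speed


def surge_for_closure_pa(rho, wave_speed, velocity, length_m, close_time_s):
    """Peak surge for a valve closing linearly over close_time_s seconds."""
    dp_instant = joukowsky_surge_pa(rho, wave_speed, velocity)
    t_crit = critical_closure_time_s(length_m, wave_speed)
    if close_time_s <= t_crit:
        return dp_instant
    return dp_instant * t_crit / close_time_s      # Michaud: 2*rho*L*v/t


def min_closure_time_s(rho, wave_speed, velocity, length_m, allowable_surge_pa):
    """Shortest closure time that keeps the surge within allowable_surge_pa."""
    dp_instant = joukowsky_surge_pa(rho, wave_speed, velocity)
    if dp_instant <= allowable_surge_pa:
        return 0.0            # even a slam closure stays within the allowance
    t_crit = critical_closure_time_s(length_m, wave_speed)
    return max(t_crit, 2.0 * rho * length_m * velocity / allowable_surge_pa)


def closure_check(flow_m3_per_h, pipe_id_m, length_m, rho, wave_speed,
                  close_time_s, allowable_surge_pa):
    """The figures a design review of a slow-closing valve would want to see."""
    v = flow_velocity(flow_m3_per_h, pipe_id_m)
    surge = surge_for_closure_pa(rho, wave_speed, v, length_m, close_time_s)
    return {
        "velocity_m_s": v,
        "surge_bar": surge / 1e5,
        "allowable_bar": allowable_surge_pa / 1e5,
        "min_closure_time_s": min_closure_time_s(rho, wave_speed, v, length_m,
                                                 allowable_surge_pa),
        "acceptable": surge <= allowable_surge_pa,
    }


if __name__ == "__main__":
    # Constructed illustrative values (assumptions): 1000 m3/h of product at
    # 850 kg/m3 through a 400 mm line 2000 m long, wave speed 1000 m/s, a
    # 5 s valve stroke and 5 bar of surge allowance above operating pressure.
    print(closure_check(1000.0, 0.40, 2000.0, 850.0, 1000.0, 5.0, 5e5))
    # Point 4 above: another pipeline user shutting down doubles the filling
    # rate, which doubles the closure time the same line needs.
    print(closure_check(2000.0, 0.40, 2000.0, 850.0, 1000.0, 5.0, 5e5))
```

For the constructed case a 5 s stroke still produces about 15 bar of surge against a 5 bar allowance, and the valve needs a stroke of roughly 15 s; at double the filling rate that becomes 30 s. The closure time is therefore a safety requirement to be written into the SRS and proven at FAT and under process conditions, and it applies equally to a nuisance trip, since the valve closes just as fast when no high high level exists.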
Jetty transfer system
High High level in any tank shuts the jetty valve (SLOW CLOSING).
High High level in a tank shuts its own tankside valve (SLOW CLOSING).
High High level in any tank stops the ship's pump.
Pipeline transfer system
High High level in any tank shuts the valve at the terminal (SLOW CLOSING).
High High level in a tank shuts its own tankside valve (SLOW CLOSING).
Pumping station advised of shutdown.
Pipeline valve: not under terminal control; shuts on high level; not fail safe (it does not move to the closed position on loss of power or signal).
Diagram also shows: SLOPS TANK, SMALL TANK, P-33.
Equipment: Sensors
Different techniques may be required for fixed roof and floating deck tanks.
Example techniques: Vibronics (vibrating fork), displacer, radar.
Ensure the manufacturer's reliability data is fully understood. For example, on a radar gauge the reliability data and PFD quoted may apply to the internal relay outputs of the gauge and not necessarily to the analogue or comms output that the SIS actually uses.
Equipment: Logic Solvers
Simple systems use non-programmable logic solvers.
If a programmable system is used, BS EN 61511-1 Clause 12 (application software requirements) applies.
Equipment: Final Elements
Fail-safe actuated valves, pneumatic or electric.
Pump motors and motor control equipment: ensure independence. If the BPCS stops the pump on high level, the SIS will not be independent of it if the high high level trip operates the same motor contactor.
If using a 1oo2 final element architecture, ensure that process-conditions testing tests each valve separately. If not, you will not know that the first valve has failed until the second fails.
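As an added example (not code from the original slides), the jetty transfer logic above and the two Final Elements checks expressed as a small cause-and-effect evaluation plus a design-review audit: one check finds SIS final elements that share a physical contactor or solenoid with a BPCS loop, the other finds members of 1oo2 valve pairs that lack an individual process-conditions test record. The tag names (TK-101, XV-JETTY, K-201 and so on), the BPCS loop and the test records are constructed for the example; the pump-before-valves ordering is this example's assumption, since the slides only ask for a correct sequence without spelling one out.

```python
"""Cause-and-effect (C&E) evaluation for the jetty transfer shutdown logic
on this page, plus two design-review checks from the Final Elements slide:
a SIS final element that shares a contactor with a BPCS loop is not
independent of it, and every member of a 1oo2 final-element pair needs its
own process-conditions test record.  All tag names, the BPCS loop and the
test records are constructed for the example (assumptions, not page data)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Effect:
    element: str                # final element tag
    action: str                 # "stop" or "close"
    slow_closing: bool = False  # slow-closing valve, as marked on the jetty slides


TANKS = ("TK-101", "TK-102", "TK-103")

# Cause -> effects.  ANY_TANK_HH is a derived cause: any tank at high-high.
CAUSE_AND_EFFECT = {
    "ANY_TANK_HH": [Effect("SHIP-PUMP", "stop"),
                    Effect("XV-JETTY", "close", slow_closing=True)],
}
for _tank in TANKS:   # each tank's high-high shuts its own tankside valve
    CAUSE_AND_EFFECT[f"{_tank}_HH"] = [
        Effect(f"XV-{_tank[3:]}", "close", slow_closing=True)]


def evaluate(hh_tanks):
    """Effects to execute for the set of tanks currently at high-high level.
    Returns [] when nothing is at high-high; otherwise the pump stop first,
    then the slow-closing valves (jetty valve, then the affected tankside
    valves).  The ordering is this example's assumption."""
    causes = [f"{t}_HH" for t in TANKS if t in hh_tanks]
    if not causes:
        return []
    effects = []
    for cause in ["ANY_TANK_HH"] + causes:
        for effect in CAUSE_AND_EFFECT[cause]:
            if effect not in effects:      # one action per element
                effects.append(effect)
    stops = [e for e in effects if e.action == "stop"]
    closes = [e for e in effects if e.action == "close"]
    return stops + closes


def shared_final_elements(sis_drives, bpcs_drives):
    """(SIS element, BPCS loop, shared device) for every device both operate.
    sis_drives and bpcs_drives map an element or loop tag to the physical
    contactor or solenoid it actually drives; a shared device means the SIS
    trip is not independent of the BPCS action."""
    found = []
    for element, device in sis_drives.items():
        for loop, bpcs_device in bpcs_drives.items():
            if device == bpcs_device:
                found.append((element, loop, device))
    return found


def untested_redundant_valves(redundant_pairs, individually_tested):
    """Members of 1oo2 valve pairs with no individual process-conditions test.
    A pair tested only as a unit hides a failed first valve until the second
    one fails as well."""
    return sorted(valve
                  for pair in redundant_pairs.values()
                  for valve in pair
                  if valve not in individually_tested)


if __name__ == "__main__":
    print(evaluate({"TK-102"}))
    # Constructed review data: the SIS pump trip and the BPCS high-level stop
    # both open contactor K-201, so the SIS is not independent of the BPCS.
    print(shared_final_elements({"SHIP-PUMP": "K-201", "XV-JETTY": "SOV-JETTY"},
                                {"LIC-101_HIGH_STOP": "K-201"}))
    # The jetty valve function is implemented as a 1oo2 pair; only valve A
    # has an individual process-conditions test record.
    print(untested_redundant_valves({"XV-JETTY": ("XV-JETTY-A", "XV-JETTY-B")},
                                    {"XV-JETTY-A"}))
```

Run as written it reports the pump stop and two slow-closing valves for a high-high in TK-102, flags K-201 as a contactor shared between the SIS pump trip and the BPCS loop, and lists XV-JETTY-B as the untested half of the pair. The two audit functions are the kind of check worth running over the loop and logic drawings before the Functional Safety Assessment rather than discovering the shared contactor during a process-conditions test.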
MIIB (Buncefield Major Incident Investigation Board) Recommendation 6
For ship off-loading, it is essential to ensure that the ship, loading arms etc. are protected if the terminal shuts down. Remember that the shutdown could be a nuisance trip in which no high high level alarm has been activated.
Similarly, for pipeline transfers, ensure the pipeline supplier knows the consequences of the terminal shutting down and that the shutdown will not cause off-site incidents.
The End
Thank You
Safety Integrity: Designed to SIL 3