Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
2
Academy & Life Care
3
SAFETY & STANDARDS
4
SAFETY
• People
Workers
Public
• Environment
• Assets
5
Public Interest in Safety is Emerging
Health, Safety, and Environment are more of concern to the public than ever before
More news coverage than ever and increasing
This is shaping public opinion and is setting higher standards of care
It is an indicator of the new awareness of safety
More public involvement in risk decisions
6
SAFETY of the Process Plant
7
Role of Standards
8
Safety Life Cycle
Philosophy
Documentation from Conceptual Engineering through
Operations to final Decommissioning
9
Standards
• Product
• Materials: Chemicals / Plastics / Metals
• Process
• Management System Standards
• Prescriptive
• Performance
10
Voluntary Standard
If a company accepts a higher standard
than generally accepted industry
practice, then it will be held to that higher
standard
11
Generic Management System Standards
Common Features
• Certification by 3rd Party Assessor
Conformity Assessment
• Registration
Maintain Registration by Audit
• Continual Improvement
12
One Management System
13
Technical Societies And Special Interest Groups
• NFPA • ILO
• ASME • OIML
• API • ASTM
• TAPPI • SOCMA
• ISA • ACC (MCA)
• NEMA • AIChE
• IMO • Chlorine Institute
14
Equipment Hardware and Software
Certification
• Technische Űberwachung Verein (TŰV)
• US Factory Mutual
• Underwriters Laboratory
15
Professional Certification
as a measure of “competency”
• Professional Engineer / Chartered Engineer
Recognized by Law
16
CONFORMITY ASSESSMENT
documenting compliance
• Documenting that products, materials, services, systems or people measure up to
the specifications of a relevant standard.
17
Common Features
• Increased Documentation
• Audit
• Management of Change
18
SAFETY CONCEPTS
19
HAZARD
A possible source of danger is called hazard. A hazard is an agent which has the potential to
20
In Risk Assessment
A hazard is any agent that can cause harm or damage to humans, environment or property.
Risk is defined as the probability that exposure to a hazard will lead to a negative consequence.
21
Hazards can be dormant or potential, with only a theoretical probability of harm.
The likely severity of the undesirable consequences of an incident associated with a hazard,
combined with the probability of this occurring, constitute the associated risk.
22
What is a hazard?
Hazard is 'inherent physical or chemical characteristics that have the potential to harm humans, environment
or property.‘
In a chemical process: "a combination of hazardous materials, operating environment, and certain unplanned
events that can cause accidents."
23
What is a risk?
In other words, how often can it happen and how bad does it happen?
24
The points
25
Risk reduction
26
Risk reduction
When starting to design a protection system, you have to decide how to do it well.
We need to decide how much risk reduction we need (and this can be one of the
most difficult things to approve).
27
Risk reduction: design principles
28
ALARP (as low as reasonably practicable)
29
3
broad categories of risk
Negligible Risk: broadly accepted by most people as they go about their everyday lives, these would
include the risk of being struck by lightning or of having brake failure in a car.
Tolerable risk: We would rather not have the risk but it is tolerable in view of the benefits obtained by
accepting it. The cost in inconvenience or in money is balanced against the scale of risk and a
compromise is accepted. This would apply to traveling in a car, we accept that accidents happen but we
do our best to minimize our chances of disaster. Does it apply to Bungee jumping?
Unacceptable risk: The risk level is so high that we are not prepared to tolerate it. The losses far
outweigh any possible benefits in the situation. Essentially this principle guides the hazard analysis
participants into setting tolerable risk targets for a hazardous situation. This is the first step in setting up
a standard of performance for any safety system.
30
Risk Control
Process
Risk
31
32
33
34
DIFFERENCE Self-Diagnosis Methods
35
De-energized To Safe (DTS/ESD, trip)
36
Energized To Safe (ETS/F&G system)
37
38
Independent Protection Layers
M Plant and/or
I Emergency Emergency response layer
T Response
I
G
A
Dike Passive protection layer
T
I
Relief valve,
O Rupture disk Active protection layer
N
Safety Emergency Shut
Instrumented
System Down action Isolated protection layer
Trip level alarm
P
R Operator Wild process
E Process control layer
Intervention parameter
V High level alarm
E High level
N Basic
T Process Process
Control value Process control layer
I
System
Normal behavior
O Low level
N Plant
Design
39
Safety & Layers of Protection
40
Layers of Protection
41
Key Concepts in Process Safety
42
Safety Through Layers of Protection
Plant and x x
Emergency Emergency response layer
Response
Mitigate Dike Passive protection layer
Relief valve,
Rupture disk ESDActive protection layer
Safety Emergency failed
Instrumented
System Shut Down Operator Safety layer
Prevent Trip level alarm
Operator
Process failed
Intervention Shutdown ControlProcess control layer
Basic failed Process alarm
Process
Process Process control layer
Normal behaviour
Control Value
System
43
Safety Instrumented System
44
Safety Instrumented System
1. Shutdown functions.
2. Permissive functions.
45
Safety Instrumented System
Therefore, an SIS :
46
Safety Instrumented System
BPCS vs SIS :
Similiarities
A Basic Process Control System (BPCS), like a SIS, is also composed of
sensors, controllers/logic solvers, and final elements.
Differencies
The primary function of a BPCS is generally to maintain a process variable
within prescribed limits. A SIS monitors a process variable and inititates
action when required.
47
Safety Instrumented System
SDV CV
48
Layers of Protection Analysis
reduction
49
Layers of Protection Analysis
when is used
50
Layers of Protection Analysis
NGHẶT NGHÈO/KHỐC
LIỆT Kịch bản, tình huống
51
Layers of Protection Analysis
Developing Scenarios
Không mong muốn
đc dự đính/ mong
đợi
IPL operates as intended Undesired consequence
Bắt đầu
prevented by action of the
Initiating event IPL
Enabling event
Undesired consequence
occurs despite the
IPL fails to operates as presence of the IPL
intended hậu quả không mong muốn xảy ra mặc dù có
sự xuất hiện của IPL
55
Layers of Protection Analysis
Developing Scenarios
What is :
1. Initiating event ?
2. Enabling condition ?
3. IPL ?
4. Consequences ?
56
Layers of Protection Analysis
Key:
Impact
Thickness of arrow represents frequency of the frequency
Event
consequence if later IPLs are not successful
59
Layers of Protection Analysis
60
Layers of Protection Analysis
61
Layers of Protection Analysis
General Calculations
62
Layers of Protection Analysis
63
Layers of Protection Analysis
64
US ARMY Chemical Weapon Destruction Project
Hazard Severity Level Definition
I—Catastrophic > IDLH outside engineering Illness, death, or injury involving >25% and/or >1 month to
controls permanent total disability repair
II—Critical ³ AEL outside of engineering Injury involving permanent partial 10% to 25% and/or
controls disability 1 week to 1 month to
repair
III—Marginal ³ AEL inside nonagent areas Injury involving temporary total disability <10% and/or 1 day to
1 week to repair
IV—Negligible < AEL nonagent areas Injury involving only first aid or minor No system loss downtime,
supportive treatment or repairs completed
within 1 day
65
US ARMY Chemical Weapon Destruction Project
Hazard Frequency Level Definition (event/year)
B — probable 1E–01 > 1E–02 10.0 > 1.0 1.0 > 1E–01
C — occasional 1E–02 > 1E–03 1.0 > 1E–02 1E–01 > 1E–02
D — remote 1E–03 > 1E–04 1E–02 >³ 1E–04 1E–02 >³ 1E–03
E — improbable 1E–04 > 1E–06 1E–04 > 1E–06 1E–03 > 1E–06
66
Table 3—RAC Matrixa
Severity Level
Qualitative I II III IV
Frequency (catastrophic) (critical) (marginal) (negligible)
A — frequent 1 1 1 3
B — probable 1 1 2 3
C — occasional 1 2 3 4
D — remote 2 2 3 4
E — improbable 3 3 3 4
F — rare 4 4 4 4
aAcceptability criteria:
RAC Description Resolution Authority
1 Unacceptable ASA
2 Undesirable PMCD
3 Acceptable with controls PMATA-Safety
4 Acceptable
ASA = Assistant Secretary of the Army / PMATA = Product Manager for Alternative Technologies and Approaches /
67 PMCD = Office of Program Manager for Chemical Demilitarization
Risk Control
Process
Risk
68
Hardware Fault Tolerance (IEC61508)
69
• The architectural constraints of a device are a function of the device type, (Type A or Type B),
and its Safe Failure Fraction (SFF).
70
71
72
Redundancy for System Control
73
Risk assessment
Risk assessment is like a captured spy. If you torture it long enough, it will
tell you anything you want.
William Ruckelshaus
74
From Reactive to Proactive
• Make risk management a way of doing business – imbedded in the culture of the company as a standard
work process
75
RISK ASSESSMENT
is now
an integral requirement
Processing Industry
76
Control and Safety Systems
A process control system is used to monitor data and control equipment on the plant.
Very small installations may use hydraulic or pneumatic control systems, but larger plants with up
to 30.000 signals to and from the process require a dedicated distributed control system.
The purpose of this system is to read values from a large number of sensors, run programs to
monitor the process and control valves switches etc. to control the process.
At the same time values, alarms, reports and other information are presented to the operator and
command inputs accepted.
77
78
Field instrumentation: sensors and switches that sense process conditions such as temperature, pressure or flow. These
are connected over single and multiple pair electrical cables (hardwired) or communication bus systems called
fieldbus.
• Control devices, such as Actuators for valves, electrical switchgear and drives or indicators are also hardwired or
connected over fieldbus.
• Controllers execute the control algorithms so that desired actions are taken. The controllers will also generate events
and alarms based on changes of state and alarm conditions and prepare data for operators and information systems.
• A number of servers perform the data processing required for data presentation, historical archiving, alarm processing
and engineering changes.
• Clients such as operator stations and engineering stations are provided for human interfaces.
• The communication can be laid out in many different configurations, often including connections to remote facilities,
remote operations support and similar.
79
80
The main function of the control system is to make sure the production, processing and utility systems
operate efficiently within design constraints and alarm limits.
The control is typically specified in programs s a combination of logic and control function blocks such as
AND, ADD, PID.
For a particular system, a library of standard solutions such as Level Control Loop, Motor Control is defined.
This means that the system can be specified with combinations of typical loops, consisting of one or more
input devices, function blocks and output devices, rather than formal programming.
81
The system is operated from the Central Control Room (CCR) with a combination of graphical process
displays, alarm lists, reports and historical data curves.
Desk screens are often used in combination with large wall screens as shown on the right.
With modern system the same information is available to remote locations such as an onshore corporate
operations support centre.
82
Field devices in most process areas must be protected not to act as ignition sources
for potential hydrocarbon leaks.
Safe Area.
83
Beyond the basic functionality the control system can be used for more advanced control and optimization functions.
Some examples are:
• Well control may include automatic startup and shutdown of a well and/or a set of wells. Applications can include
optimization and stabilization of artificial lift such as Pump off control and Gas lift Optimization.
• Flow assurance serves to make sure that the flow from wells, in pipelines and risers are stable and maximized under
varying pressure, flow and temperatures. Unstable flow can result in slug formation, hydrates etc.
• Support for Remote Operations, where facility data is available to company specialists located at a central support
center.
• Support for remote operation where the entire facility is unmanned or without local operators full or part time, and is
operated from a remote location.
84
Emergency Shutdown and Process Shutdown
The process control system should control the process when it is operating within normal constrains such as level,
pressure and temperature.
The Emergency Shutdown (ESD) and Process Shutdown (PSD) systems will take action when the process goes into a
malfunction or dangerous state.
For this purpose the system maintains four sets of limits for a process value, LowLow (LL), Low (L), High (H) and HighHigh
(HH). L and H are process warning limits which alert to process disturbances.
LL and HH are alarm conditions and detects that the process is operating out of range and there is a chance of undesirable
events and malfunction.
85
86
Separate transmitters are provided for safety systems. One example is the LTLL (Level Transmitter LowLow) or LSLL
(Level Switch Low Low) alarm on the oil level.
When this condition is triggered, there is a risk of Blow-by which means gas leaks out of the oil output and gives high
pressure in the next separation stage or other following process equipment such as a desalter.
87
Emergency shutdown actions are defined in a cause and affect chart based on a study of the process.
This HAZOP study identifies possible malfunctions and how they should be handled.
On the left of the chart we have possible emergency events; on top we find possible shutdown actions.
On an oil and gas facility the primary response is to isolate and depressurize In this case the typical action would be to
close the inlet and outlet Sectioning valves (EV 0153 20, EV 0108 20 and EV 0102 20 in the diagram), and open the
blowdown valve (EV 0114 20).
This will isolate the malfunctioning unit and reduce pressure by flaring of the gas.
88
These actions are handled by the Emergency Shutdown System and Process Shutdown System.
System requirements are set by official laws and regulations and industry standards such as IEC
61508/61511. which set certification requirements for process safety systems and set criteria for the safety
integrity level (SIL) of each loop.
89
Events are classified on a scale, e.-g. 1 to 5 plus and Abandon Platform level.
On this scale, the lowest level, APS means a complete shutdown and evacuation of the facility.
The upper levels (i.e. PSD 3, PSD 4, PSD 5), represent single equipment or process section shutdowns.
A split between APS/ESD and PSD is done in large installations because most signals are PSD and could be
handled with less strict requirements.
90
The main requirements concern availability and diagnostics both on the system itself and connected
equipment.
The prime requirement is on demand failure, or the system’s ability to react with a minimum probability, to an
undesirable event with a certain time with.
The second criteria is not to cause actions due to a spurious event or malfunction.
91
Control and Safety configuration
Piping and Instrumentation Diagrams (P&ID) show the process, additional information is needed for the
specification of the Process Control and Safety Systems.
The illustration shows one typical format common format for the Norwegian offshore industry: The Njård
Separator 1 and 2 Systems Control Diagram (SCD.
Essentially, the P&ID mechanical information has been removed, and control loops
92
93
Fire and Gas Systems
The Fire and Gas System is not generally related to any particular process.
Instead it divides into fire areas by geographical location. Each fire area should be designed to be self
contained, in that it should detect fire and gas by several types of sensors, and control fire protection and fire
fighting devices to contain and fight fire within the fire area.
In case of fire, the area will be partially shut off by closing ventilation fire dampers.
A fire area protection data sheet typically shows what detection exists for each fire area and what fire
protection action should be taken in case of an undesirable event.
94
95
A separate package related to fire and gas is the diesel or electrically driven fire water pumps for
the sprinkler and deluge ring systems.
The type and number of the detection, protection and fighting devices depend on the type of
equipment and size of the fire area and is different for e.g. Process areas, electrical rooms and
accommodations.
96
Fire detection:
- Gas detection: Combustible and Toxic gas, Electro catalytic or optical (IR) detector.
- Manual pushbuttons
Firefighting, protection:
- Warning and escape: PA systems, beacons/lights, fire door and damper release
97
For detection, coincidence and voting is often used to false alarms. In such schemes, it is required that
several detectors in the same area detect a fire condition or gas leakage for automatic reaction.
This will include different detection principles e.g. To trig on fire but not welding or lightening.
Action is controlled by a fire and gas system. Like the ESD system, F&G action is specified in a cause and
action chart called the Fire Area Protection Datasheet.
This chart shows all detectors and fire protection systems in a fire area and how the system will operate.
98
99
The F&G system often provides supervisory functions, either in the F&G or the PIMS to handle such tasks as
maintenance, calibration, replacement and hot work permits e.g. welding.
Such action may require that one or more Fire and Gas detectors or systems are overridden or bypassed.
Specific work procedures should be enforced, such as a placing fire guards on duty and make sure all
devices are re-enabled when the work permit expires or work is complete.
100
At Emerson Exchange last year, Rafael Lachmann presented on the topic of Fire & Gas System (FGS)
solutions with DeltaV SIS.
In his presentation, he provided a basic overview of FGS concepts and then he described how DeltaV SIS
could be used for FGS applications.
He described how emergency shutdown (ESD) systems are different from FGS, how onshore FGS differs
from offshore FGS applications, and how DeltaV SIS can be used for FGS applications.
101
For an ESD, a process upset will result in a process shutdown. ESD systems are preventative layers of
protection, meaning that they act to prevent a hazardous event like a chemical release, fire, or explosion from
occurring.
A FGS is a mitigating layer of protection, because the purpose is to reduce the consequence severity of such
an event when it occurs. When a combustible gas, a toxic gas, smoke, flame, or heat is detected, then the
FGS will respond by annunciating audible and visual alarms and initiate a water deluge, fire suppression
system, or a process shutdown.
In the event of a gas leak, the FGS can act to prevent it from becoming a fire or explosion by isolating the
leak and ignition sources. In the Deepwater Horizon Accident Investigation Report that was issued by BP in
September 2010, this was listed as one of the 8 barriers that were breached.
102
The fire and gas system did not prevent hydrocarbon ignition. Hydrocarbons migrated beyond areas on Deepwater Horizon
that were electrically classified to areas where the potential for ignition was higher.
The heating, ventilation and air conditioning system probably transferred a gas-rich mixture into the engine rooms, causing
at least one engine to overspeed, creating a potential source of ignition.
A typical ESD safety instrumented function (SIF) is typically quite simple when compared to what is implemented for a
FGS. A FGS SIF can be very complex and highly distributed, with 1ooN or 2ooN voting from a large number of detector
devices located throughout a unit, process, and plant area.
103
Another important difference is that an ESD is typically designed as normally energized (de-energize-to-trip)
so that it is fail-safe.
This way, if there is loss of power or connectivity between system components then the SIS will respond by
tripping.
This results in higher safety integrity, but it can result in increased spurious trips of the process. For FGS, a
spurious trip can have dangerous results.
For example, initiating a water deluge system inside a building can cause damage to equipment and can be
hazardous to personnel. Chemical fire suppression can be dangerous to personnel, and false alarms degrade
the willingness to respond by plant personnel.
104
In a NDE design, the loop must be energized in order to initiate a trip of the FGS. This means that failures
such as loss of power or connectivity between components are covert failures unless there is adequate
diagnostics to detect the failures.
In a NDE design, line monitoring is essential to detect open and short circuit failures in wiring between logic
solver I/O and field devices.
The major differences between offshore and onshore FGS design result from the difficulty to evacuate and
limited offsite emergency response assistance when an offshore incident occurs.
105