12.2 Safety systems
12.2.1 Introduction to safety systems
Measurement system reliability is
usually inextricably linked with safety issues, since measuring instruments to
detect the onset of dangerous situations that may potentially compromise safety
are a necessary part of all safety systems implemented. Statutory safety
legislation now exists in all countries around the world. Whilst the exact
content of legislation varies from country to country, a common theme is to set
out responsibilities for all personnel whose actions may affect the safety of
themselves or others. Penalties are prescribed for contravention of the
legislation, which can include fines or custodial sentences or both.
Legislation normally sets out duties for both employers and employees.
Duties of employers include:
To ensure that process plant is operated and maintained in a safe way so that the health and safety of all employees is protected
To provide such training and supervision as is necessary to ensure the health and safety of all employees
To provide a monitoring and shutdown system (safety system) for any process plant or other equipment that may cause danger if certain conditions arise
To ensure the health and safety, as far as is reasonably practical, of all persons who are not employees but who may reasonably be expected to be at risk from operations carried out by a company.
Duties of employees include:
To take reasonable care for their own safety
To take reasonable care for the safety of others
To avoid misusing or damaging any equipment or system that is designed to protect people's safety.
The primary concern of measurement
and instrumentation technologists with regard to safety legislation is,
firstly, to ensure that all measurement systems are installed and operated in a
safe way and, secondly, to ensure that instruments and alarms installed as part
of safety protection systems operate reliably and effectively.
Intrinsic safety
Intrinsic safety describes the
ability of measuring instruments and other systems to operate in explosive or
flammable environments without any risk of sparks or arcs causing an explosion
or fire. The detailed design of systems to make them intrinsically safe is
outside the scope of this book. However, the general principles are either to
design electrical systems in a way that avoids any possibility of parts that
may spark coming into contact with the operating environment or else to avoid
using electrical components altogether. The latter point means that pneumatic
sensors and actuators continue to find favour in some applications despite the
advantages of electrical devices in most other respects.
Installation practice
Good installation practice is
necessary to prevent any possibility of people getting electrical shocks from
measurement systems. Instruments that have a mains power supply must be subject
to the normal rules about the condition of supply cables, clamping of wires and
earthing of all metal parts. However, most measurement systems operate at low
voltages and so pose no direct threat unless parts of the system come into
contact with mains conductors. This should be prevented by applying codes of
practice that require that all cabling for measurement systems be kept
physically separate from that used for carrying mains voltages to equipment.
Normally, this prohibits the use of the same trunking to house both signal
wires and mains cables, although some special forms of trunking are available
that have two separate channels separated by a metal barrier, thus allowing
them to be used for both mains cables and signal wires. This subject is covered
in depth in the many texts on electrical installation practice.
12.2.2 Operation of safety systems
The purpose of safety systems is to
monitor parameter values in manufacturing plant and other systems and to make
an effective response when plant parameters vary away from normal operating
values and cause a potentially dangerous situation to develop. The response can
either be to generate an alarm for the plant operator to take action or else to
take more direct action to shut down the plant automatically. The design and
operation of safety systems is now subject to guidelines set by the
international standard IEC61508.
IEC61508
IEC61508 (1999) sets out a code of
practice that is designed to ensure that safety systems work effectively and
reliably. Although primarily concerned with electrical, electronic and
programmable-electronic safety systems, the principles embodied by the standard
can be applied as well to systems with other technologies, such as mechanical,
pneumatic and hydraulic devices.
The IEC61508 standard is subdivided into three sets of requirements:
Proper management of design, implementation and maintenance of safety systems
Competence and training of personnel involved in designing, implementing or maintaining safety systems
Technical requirements for the safety system itself.
A full analysis of these various
requirements can be found elsewhere (Dean, 1999).
A key feature of IEC61508 is the
safety integrity level (SIL), which is expressed as the degree of confidence
that a safety system will operate correctly and ensure that there is an
adequate response to any malfunctions in manufacturing plant etc. that may
cause a hazard and put human beings at risk. The SIL value is set according to
what the tolerable risk is in terms of the rate of failure for a process. The
procedure for defining the required SIL value is known as risk analysis. What
is ‘tolerable’ depends on what the consequences of a dangerous failure are in
terms of injury to one or more people or death to one or more people. The
acceptable level of tolerance for particular industries and processes is set
according to guidelines defined by safety regulatory authorities, expert advice
and legal requirements. Table 12.1 gives the SIL value corresponding to various
levels of tolerable risk for continuous operating plant.
The safety system is required to have
sufficient reliability to match the rate of dangerous failures in a plant to
the SIL value set. This reliability level is known as the safety integrity of
the system. Plant reliability is calculated by identical principles to those
set out in section 12.1 for measurement systems, and is based on a count of the
number of faults that occur over a certain interval of time. However, it must
be emphasized that the frequency of potentially dangerous failures is usually
less than the rate of occurrence of faults in general. Thus, the reliability
value for a plant cannot be used directly as a prediction of the rate of
occurrence of dangerous failures. Hence, the total failures over a period of
time must be analysed and divided between faults that are potentially dangerous
and those that are not.
Once risk analysis has been carried
out to determine the appropriate SIL value, the required performance of the
safety protection system can be calculated. For example, if the maximum
allowable probability of dangerous failures per hour is specified as 10^-8
and the actual probability of dangerous failures in a plant is calculated as 10^-3
per hour, then the safety system must have a minimum reliability of 10^-8/10^-3,
i.e. 10^-5 failures for a one-hour period. A fuller account of
calculating safety system requirements is given elsewhere (Simpson, 1999).
12.2.3 Design of a safety system
A typical safety system consists of a
sensor, a trip amplifier and either an actuator or alarm generator, as shown in
Figure 12.3. For example, in a safety system designed to protect against
abnormally high pressures in a process, the sensor would be some form of
pressure transducer, and the trip amplifier would be a device that amplifies
the measured pressure signal and generates an output that activates either an
actuator or an alarm if the measured pressure signal exceeded a preset
threshold value. A typical actuator in this case would be a relief valve.
Software is increasingly embedded
within safety systems to provide intelligent interpretation of sensor outputs,
such as identifying trends in measurements. Safety systems that incorporate
software and a computer processor are commonly known as microprocessor-based
protection systems. In any system containing software, the reliability of the
software is crucial to the overall reliability of the safety system, and the
reliability-quantification techniques described in section 12.2 assume great
importance.
To achieve the very high levels of
reliability normally specified for safety systems, it is usual to guard against
system failure by either triplicating the safety system and implementing
two-out-of-three voting or, alternatively, by providing a switchable, standby
safety system. These techniques are considered below.
Two-out-of-three voting system
This system involves triplicating the
safety system, as shown in Figure 12.4. Shutdown action is taken, or an alarm
is generated, if two out of the three systems indicate the requirement for
action. This allows the safety system to operate reliably if any one of the
triplicated systems fails and is often known as a two-out-of-three voting
system. The reliability RS is given by:
RS = Probability of all three systems operating correctly
   + Probability of any two systems operating correctly
   = R1R2R3 + R1R2F3 + R1F2R3 + F1R2R3   (12.17)
where R1, R2, R3 and F1, F2, F3 are the reliabilities and unreliabilities of
the three systems respectively. If all of the systems are identical (such that
R1 = R2 = R3 = R and F1 = F2 = F3 = F):
RS = R^3 + 3R^2 F = R^3 + 3R^2 (1 - R)   (12.18)
Example 12.7
In a particular protection system,
three safety systems are connected in parallel and a two-out-of-three voting
strategy is applied. If the reliability of each of the three systems is 0.95,
calculate the overall reliability of the whole protection system.
Solution
Applying (12.18), RS = 0.95^3 + [3
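As an added illustration (not part of the original text), the following Python evaluates the voting reliability by enumerating every combination of working and failed channels, which is the general k-out-of-n case of which (12.17) is the 2-out-of-3 instance; it also writes out (12.17) and (12.18) directly so that Example 12.7 can be checked with R = 0.95. The function names are this example's own.

```python
from itertools import product


def k_out_of_n_reliability(reliabilities, k):
    """Reliability of a k-out-of-n voting arrangement of independent channels.

    Every channel is either working (probability R_i) or failed (1 - R_i).
    The arrangement acts correctly whenever at least k channels are working,
    so RS is the sum of the probabilities of all such state combinations.
    With three channels and k = 2 this reproduces (12.17) term by term, and
    it also covers non-identical channels and other voting ratios.
    """
    total = 0.0
    for states in product((True, False), repeat=len(reliabilities)):
        if sum(states) < k:          # fewer than k working: no correct action
            continue
        p = 1.0
        for r, working in zip(reliabilities, states):
            p *= r if working else (1.0 - r)
        total += p
    return total


def two_out_of_three(r1, r2, r3):
    """Equation (12.17): all three working, or exactly two working."""
    f1, f2, f3 = 1 - r1, 1 - r2, 1 - r3
    return r1 * r2 * r3 + r1 * r2 * f3 + r1 * f2 * r3 + f1 * r2 * r3


def two_out_of_three_identical(r):
    """Equation (12.18) for three identical channels: R^3 + 3 R^2 (1 - R).

    Note that this only exceeds the single-channel reliability R when R > 0.5;
    voting between poor channels makes things worse, not better.
    """
    return r ** 3 + 3 * r ** 2 * (1 - r)


def example_12_7():
    """Example 12.7: three identical channels of reliability 0.95."""
    return two_out_of_three_identical(0.95)
```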
Standby system
A standby system avoids the cost of
providing and running three separate safety systems in parallel. Use of a
standby system means that only two safety systems have to be provided. The
first system is in continuous use but the second system is normally not
operating and is only switched into operation if the first system develops a
fault. The flaws in this approach are the necessity for faults in the primary
system to be reliably detected and the requirement that the switch must always
work correctly. The probability of failure FS of a standby system of
the form shown in Figure 12.5, assuming no switch failures during normal
operation, can be expressed as:
FS = Probability of systems S1 and S2 both failing, given successful switching
   + Probability of S1 and the switching system both failing at the same time
   = F1F2RDRW + F1(1 - RDRW)
System reliability is given by:
RS = 1 - FS = 1 - F1(1 + F2RDRW - RDRW)   (12.19)
where RD is the
reliability of the fault detector and RW is the reliability of the switch.
The derivation of (12.19) assumes
that there are no switch failures during normal operation of the system, that
is, there are no switch failures during the time that the controlled process is
operating satisfactorily and there is no need to switch over to the standby
system. However, because the switch is subject to a continuous flow of current,
its reliability cannot be assumed to be 100%. If the reliability of the switch
in normal operation is represented by RN, the expression in (12.19) must be
multiplied by RN and the reliability of the system becomes:
RS = RN[1 - F1(1 + F2RDRW - RDRW)]   (12.20)
The problem of detecting faults in
the primary safety system reliably can be solved by operating both safety
systems in parallel. This enables faults in the safety system to be distinguished
from faults in the monitored process. If only one of the two safety systems
indicates a failure, this can be taken to indicate a failure of one of the
safety systems rather than a failure of the monitored process. However, if both
safety systems indicate a fault, this almost certainly means that the monitored
process has developed a potentially dangerous fault. This scheme is known as
one-out-of-two voting, but it is obviously inferior in reliability to the
two-out-of-three scheme described earlier.
Example 12.8
In a particular protection system, a
switchable standby safety system is used to increase reliability. If the
reliability of the main system is 0.95, that of the standby system is 0.96,
that of the switching system is 0.95 and the reliability of the switch in
normal operation is 0.98, calculate the reliability of the protection system.
Solution
Applying (12.19), the parameter values are F1 = 0.05, F2 = 0.04, RDRW = 0.95.
Hence:
RS = 0.98[1 - 0.05 (1 + (0.04
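As an added example (not part of the original text), the following Python encodes the standby-system expressions (12.19) and (12.20) and evaluates Example 12.8 with RN = 0.98; it also checks the limiting case of a perfect detector and switch, where the standby pair reduces to a simple parallel pair. Function names are this example's own.

```python
def standby_unreliability(f1, f2, rd, rw):
    """FS from the derivation of (12.19).

    Either both systems fail after a successful switch-over (F1 F2 RD RW), or
    the primary fails at the same time as the detector/switch, so that no
    switch-over happens at all (F1 (1 - RD RW)).
    """
    return f1 * f2 * rd * rw + f1 * (1 - rd * rw)


def standby_reliability(r1, r2, rd, rw, rn=1.0):
    """RS of a switchable standby system.

    With rn = 1 this is (12.19); with rn < 1 it is (12.20), which also
    accounts for the switch failing while the process is running normally.
    """
    f1, f2 = 1 - r1, 1 - r2
    return rn * (1 - f1 * (1 + f2 * rd * rw - rd * rw))


def example_12_8():
    """Example 12.8: main 0.95, standby 0.96, detector+switch 0.95, RN 0.98.

    The example gives a single figure of 0.95 for the switching system, so it
    is used here as the combined product RD RW (rd = 0.95, rw = 1.0).
    """
    return standby_reliability(0.95, 0.96, rd=0.95, rw=1.0, rn=0.98)
```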
Actuators and alarms
The final element in a safety system
is either an automatic actuator or an alarm that requires a human response. The
reliability of the actuator can be calculated in the same way as all other
elements in the system and incorporated into the calculation of the overall
system reliability as expressed in equations (12.17)–(12.20). However, the
reliability of alarms cannot be quantified in the same manner. Therefore,
safety system reliability calculations have to exclude the alarm element. In
consequence, the system designer needs to take steps to maximize the
probability that the human operator will take the necessary response to alarms
that indicate a dangerous plant condition.
Some useful guidelines for
measurement technologists involved in designing alarm systems are provided in a
paper by Bransby (1999). A very important criterion in system design is that
alarms about dangerous conditions in plant must be much more prominent than
alarms about conditions that are not dangerous. Care should also be taken to
ensure that the operator of a plant is not bombarded by too many alarms, as
this leads the operator to get into the habit of ignoring alarms. Ignoring an
alarm indicating that a fault is starting to occur may cause dangerous
conditions in the plant to develop. Thus, alarms should be uncommon rather than
routine, so that they attract the attention of the plant operator. This
ensures, as far as possible, that the operator will take the proper action in
response to an alarm about a potentially dangerous situation.