When conducting functional safety assessments of safety instrumented systems, we often encounter safety interlocks (i.e. safety instrumented functions) implemented in the DCS. Does such a configuration meet the requirements? Besides the explicit requirement to set up an independent SIS, there is a further confusing question: which system should host the safety interlocks whose classification is still "pending analysis"? In this article the author examines these questions on the basis of relevant domestic and foreign documents and risk analysis results.
What are the requirements for safety instrumented systems (SIS) and DCS settings in China?
1. First, let's look at two explicit regulations.
Explicit Regulation (1): Article 13 of the Interim Provisions on the Supervision and Management of Major Hazardous Sources of Hazardous Chemicals (Order No. 40 of the State Administration of Work Safety) stipulates that for first or second level major hazardous sources involving toxic gases, liquefied gases, and highly toxic liquids, an independent Safety Instrumented System (SIS) shall be equipped.

Explicit Regulation (2): Article 5 of the "Criteria for Determining Hidden Hazards of Major Production Safety Accidents in Chemical and Hazardous Chemical Production and Operation Units (Trial)" lists, as a major accident hidden hazard, hazardous chemical tank areas involving first or second level major hazard sources of toxic gases, liquefied gases, and highly toxic liquids that are not equipped with an independent safety instrumented system.

The "Interim Regulations on the Supervision and Management of Major Hazardous Sources of Hazardous Chemicals" and the "Criteria for Determining Hidden Hazards of Major Production Safety Accidents in Chemical and Hazardous Chemical Production and Operation Units (Trial)" both define the relevant requirements clearly: an independent safety instrumented system shall be established where those requirements apply.
2. Next, let's look at a guidance document.
Article 14 of the Guiding Opinions of the State Administration of Work Safety on Strengthening the Management of Chemical Safety Instrumented Systems (State Administration of Work Safety [2014] No. 116) states that chemical enterprises and hazardous chemical storage units with in-service production facilities involving "two key points and one major" shall conduct a comprehensive process hazard analysis (such as a hazard and operability analysis), determine the safety instrumented functions and their risk reduction requirements through risk analysis, and promptly evaluate whether the existing safety instrumented functions meet those risk reduction requirements.

The third requirement of Document No. 116 is to evaluate whether the existing safety instrumented functions meet the risk reduction requirements. Based on the evaluation result (i.e., the required risk reduction), one then determines whether an independent SIS is needed. But what level of risk reduction requirement necessitates an independent SIS?

3. Requirements of the relevant domestic standards and specifications.
Clause 8.2 "Independent Setting Requirements for Logic Controllers" of the "Design Specification for Safety Instrumented Systems in Petrochemical Industry" GB/T 50770-2013 states the following: for SIL2 and SIL3 safety instrumented functions, an independent controller system shall be set up; for SIL1 safety instrumented functions, "the logic controller should be separated from the basic process control system". Does the use of "should" (宜, a recommendation rather than a mandatory "shall") here mean that a safety instrumented function whose assessed rating is SIL1 may be implemented in the DCS?
According to the Safety Integrity Level (SIL) classification in Table 4 of GB/T 21109.1-2022 "Functional Safety of Safety Instrumented Systems in the Process Industry", the target risk reduction range for SIL1 is greater than 10 and up to and including 100 (>10 to ≤100).

According to Clause 9.3.2 of GB/T 21109.1-2022, the risk reduction claimed for the BPCS protection layer shall be ≤ 10. Clause 9.3.3: if the BPCS claims a risk reduction greater than 10, the BPCS shall be designed and managed in accordance with the requirements of IEC 61511.

Clause 4.11.1 of the "Guidelines for Chemical Process Safety Management" AQ 3034-2022 specifies that safety instruments (safety automation) include safety controls, safety alarms, and safety interlocks. These are process safety protection measures (protection layers) implemented through instruments and controls to achieve or maintain a process safe state for specific hazardous events. When implemented in the basic process control system, their risk reduction capability is limited to less than 10 times. If designed and managed strictly in accordance with GB/T 21109, their risk reduction capability can exceed 10 times, which falls within the scope of Safety Instrumented Systems (SIS).

In engineering practice, it is difficult to design and manage a BPCS according to GB/T 21109. The limit on the risk reduction capability of the BPCS is stated in both GB/T 21109 and AQ 3034-2022. Therefore, to meet a risk reduction requirement of 10 times or more, it is reasonable for a SIL1 safety interlock to be implemented in the Safety Instrumented System (SIS).
What are the requirements for safety instrumented systems and DCS settings in foreign countries?
The UK Health and Safety Executive (HSE), in its guidance on programmable electronic systems in safety-related applications, strongly recommends that control and protection systems be separated and provided independently.
The Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers (AIChE), in its Guidelines for Safe Automation of Chemical Processes, calls for "providing physical and functional separation, with distinct logic solvers, I/O modules, and racks, between the basic process control system and the safety interlock system".
IEC TC65 WG10, Overview of Electrical/Electronic/Programmable Electronic Safety Systems, states that "the EUC (equipment under control) control system should be independent and separate from the related safety systems and from the equipment for reducing external hazards".
ISA SP84, "Programmable Electronic Systems for Safety Applications", states that "components used for control shall not be used in the safety system; some processes may require more than one safety system protection layer, and each safety interlock system (SIS) layer must be completely separate and distinct from the other SIS layers".
API RP 14C, "Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms", states that "the safety system should provide two levels of protection to prevent or minimize the effects of an equipment failure within the process; the second level of protection should be independent of and distinct from the control equipment used for normal process operation".
IEEE Standard 603-1980, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations", states that "the safety systems shall be designed such that credible failures in, and consequential actions by, other systems shall not prevent the safety systems from meeting their requirements".
The US nuclear industry requires redundant safety systems to be "mutually independent and physically separate", and other regulations and drafts likewise point out the significance of separating safety instrumented systems from the DCS.
A brief summary of the various requirements is as follows: safety interlocks that carry a SIL requirement (SIL ≥ 1) shall be implemented in an independent SIS, while safety interlocks without a SIL requirement (SIL < 1) may be implemented in the DCS.
Reprinted from the official account "Instrument Circle"
Mega-tek Instrument Classroom