SAFETY INSTRUMENTED SYSTEMS: Design, Analysis, and Justification
2nd Edition
By Paul Gruhn, P.E., CFSE and Harry Cheddie, P.Eng., CFSE

GruhnCheddie05-front.fm Page i Thursday, July 28, 2005 1:52 PM

Notice
The information presented in this publication is for the general education of the reader. Because neither the author nor the publisher have any control over the use of the information by the reader, both the author and the publisher disclaim any and all liability of any kind arising out of such use. The reader is expected to exercise sound professional judgment in using any of the information presented in a particular application.

Additionally, neither the author nor the publisher have investigated or considered the effect of any patents on the ability of the reader to use any of the information in a particular application. The reader is responsible for reviewing any possible patents that may affect any particular use of the information presented.

Any references to commercial products in the work are cited as examples only. Neither the author nor the publisher endorse any referenced commercial product. Any trademarks or tradenames referenced belong to the respective owner of the mark or name. Neither the author nor the publisher make any representation regarding the availability of any referenced commercial product at any time. The manufacturer's instructions on use of any commercial product must be followed at all times, even if in conflict with the information in this publication.

Copyright 2006 by ISA - The Instrumentation, Systems, and Automation Society
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709

All rights reserved. Printed in the United States of America.
10 9 8 7 6 5 4 3 2
ISBN 1-55617-956-1

No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher.

Library of Congress Cataloging-in-Publication Data
Gruhn, Paul.
Safety instrumented systems : design, analysis, and justification / by Paul Gruhn
and Harry Cheddie. - 2nd ed.
p. cm.
Includes bibliographical references.
ISBN 1-55617-956-1 (pbk.)
1. System safety. 2. Process control. 3. Industrial safety. I. Cheddie, Harry. II. Title.
TA169.7.G78 2006
620.86--dc22
2005019336

GruhnCheddie05.book Page ii Friday, July 22, 2005 1:37 PM

TABLE OF CONTENTS

ABOUT THE AUTHORS, xi
Harry L. Cheddie, P.Eng., CFSE, xi
Paul Gruhn, P.E., CFSE, xi

CHAPTER 1 INTRODUCTION, 1
1.1 What Is a Safety Instrumented System?, 2
1.2 Who This Book Is For, 4
1.3 Why This Book Was Written, 4
1.4 Confusion in the Industry, 6
1.4.1 Technology Choices, 6
1.4.2 Redundancy Choices, 6
1.4.3 Field Devices, 6
1.4.4 Test Intervals, 7
1.4.5 Conflicting Vendor Stories, 7
1.4.6 Certification vs. Prior Use, 7
1.5 Industry Guidelines, Standards, and Regulations, 8
1.5.1 HSE - PES, 8
1.5.2 AIChE - CCPS, 8
1.5.3 IEC 61508, 9
1.5.4 ANSI/ISA-84.00.01-2004 (IEC 61511 Mod)

is a licensed professional engineer in Texas; and a certified functional safety expert (a TÜV certification).

1 INTRODUCTION

Chapter Highlights
1.1 What Is a Safety Instrumented System?
1.2 Who This Book Is For
1.3 Why This Book Was Written
1.4 Confusion in the Industry
1.4.1 Technology Choices
1.4.2 Redundancy Choices
1.4.3 Field Devices
1.4.4 Test Intervals
1.4.5 Conflicting Vendor Stories
1.4.6 Certification vs. Prior Use
1.5 Industry Guidelines, Standards, and Regulations
1.5.1 HSE - PES
1.5.2 AIChE - CCPS
1.5.3 IEC 61508
1.5.4 ANSI/ISA-84.00.01-2004 (IEC 61511 Mod)

relay, solid state, or microprocessor? Does this depend on the application? Relay systems are still common for small applications, but would you want to design and wire a 500 I/O (input/output) system with relays? Is it economical to do a 20 I/O system using a redundant programmable system? Some people prefer not to use software-based systems in safety applications at all, others have no such qualms. Are some people “right” and others “wrong”?

Many feel that the use of redundant PLCs (Programmable Logic Controllers) as the logic solver is the be all and end all of satisfying the system design requirements. But what about the programming of the PLCs? The same individuals and procedures used for programming the control systems are often used for the safety systems. Should this be allowed?

1.4.2 Redundancy Choices
How redundant, if at all, should a safety instrumented system be? Does this depend on the technology? Does
it depend on the level of risk? If most relay systems were simplex (non-redundant), then why have triplicated programmable systems become so popular? When is a non-redundant system acceptable? When is a dual system required? When, if ever, is a triplicated system required? How is such a decision justified?

1.4.3 Field Devices
A safety system is much more than just a logic box. What about the field devices: sensors and final elements? Should sensors be discrete switches or analog transmitters? Should smart (i.e., intelligent or processor-based) devices be used? When are redundant field devices required?
What about partial stroking of valves? What about field buses? How often should field devices be tested?

1.4.4 Test Intervals
How often should systems be tested? Once per month, per quarter, per year, or per turnaround? Does this depend on technology? Do redundant systems need to be tested more often, or less often, than non-redundant systems? Does the test interval depend on the level of risk? Can systems be bypassed during testing, and if so, for how long? How can online testing be accomplished? Can testing be automated? How does a device's level of automatic diagnostics influence the manual test interval? Does the entire system need to be tested as a whole, or can parts be tested separately? How does one even make all these decisions?!

1.4.5 Conflicting Vendor Stories
Every vendor seems to be touting a different story line, some going so far as to imply that only their system should be used. Triplicated vendors take pride in showing how their systems outperform any others. Dual system vendors say their systems are just as good as triplicated systems. Is this possible? If one is good, is two better, and is three better still? Some vendors are even promoting quad redundant systems! However, at least one logic system vendor claims Safety Integrity Level (SIL) 3 certification for a non-redundant system. How can this even be possible considering the plethora of redundant logic systems? Who should one believe, and more importantly, why? How can one peer past all of the sales hype? When overwhelmed with choices, it becomes difficult to decide at all. Perhaps it's easier just to ask a trusted colleague what he did!

1.4.6 Certification vs. Prior Use
Considering all the confusion, some vendors realized the potential benefit of obtaining certifications to various standards. Initially, this was done utilizing independent third parties. This had the desired effect of both proving their suitability and weeding out potential competition, although it was an expensive undertaking. However, industry standards in no way mandate the use of independently certified equipment. Users demanded the flexibility of using equipment that was not certified by third parties. How might a user prove the suitability of components or a system based on prior use and “certify” the equipment on their own? How much accumulated experience and documentation is required to verify that something is suitable for a particular application? How would you defend such a decision in a court of law? How about a vendor certifying themselves that they and their hardware meet the requirements of various standards? Considering how hard it is to find your own mistakes, does
such a claim even have any credibility? The standards, annexes, technical reports and white papers address these issues in more detail.

1.5 Industry Guidelines, Standards, and Regulations
“Regulations are for the obedience of fools and for the guidance of wise men.” RAF motto

One of the reasons industry writes its own standards, guidelines and recommended practices is to avoid government regulation. If industry is responsible for accidents, yet fails to regulate itself, the government may step in and do it for them. Governments usually get involved once risks are perceived to be alarming by the general populace. The first successful regulatory legislation in the U.S. was passed by Congress over 100 years ago after public pressure and a series of marine steamboat boiler disasters killed thousands of people. Some of the following documents are performance- or goal-oriented, others are prescriptive.

1.5.1 HSE - PES
Programmable Electronic Systems In Safety Related Applications, Parts 1

it's just a matter of when. People can usually override any system. Procedures will, on occasion, be violated. It's easy to become complacent because we've been brought up to believe that technology is good and will solve our problems. We want to have faith that those making decisions know what they're doing and are qualified. We want to believe that our team is a leader, if for no other reason than the fact that we're on it. Technology may be a
good thing, but it is not infallible. We as engineers and designers must never be complacent about safety.

1.9 There's Always More to Learn
There are some who are content to continue doing things the way they've always done. “That's the way we've done it here for 15 years and we haven't had any problems! If it ain't broke, don't fix it.”

Thirty years ago, did we know all there was to know about computers and software? If you brought your computer to a repair shop with a problem and found that their solution was to reformat the hard drive and install DOS as an operating system (which is what the technician learned 15 years ago), how happy would you be?

Thirty years ago, did we know all there was to know about medicine? Imagine being on your death bed and being visited by a 65-year-old doctor. How comfortable would you feel if you found out that that particular doctor hadn't had a single day of continuing education since graduating from medical school 40 years ago?

Thirty years ago, did we know all there was to know about aircraft design? The Boeing 747 was the technical marvel 30 years ago. The largest engine we could make back then was 45,000 pounds thrust. We've learned a lot since then about metallurgy and engine design. The latest generation engines can now develop over 100,000 pounds thrust. It no longer takes four engines to fly a jumbo jet. In fact, the Boeing 777, which has replaced many 747s at some airlines, only has two engines.

Would you rather learn from the mistakes of others, or make them all yourself? There's a wealth of knowledge and information packed into recent safety system standards as well as this textbook. Most of it was learned the hard way. Hopefully others will utilize this information and help make the
world a safer place.

So now that we've raised some of the issues and questions, let's see how to answer them.

Summary
Safety instrumented systems are designed to respond to the conditions of a plant, which may be hazardous in themselves, or if no action is taken could eventually give rise to a hazardous event. They must generate the correct outputs to prevent or mitigate the hazardous event. The proper design and operation of such systems are described in various standards, guidelines, recommended practices, and regulations. The requirements, however, are anything but intuitively obvious. Setting specifications, selecting technologies, levels of redundancy, test intervals, etc. is not always an easy, straightforward matter. The various industry standards, as well as this book, are written to assist those in the process industries tasked with the proper selection, design, operation, and maintenance of these systems.

References
1. Programmable Electronic Systems in Safety Related Applications - Part 1 - An Introductory Guide. U.K. Health & Safety Executive, 1987.
2. Guidelines for Safe Automation of Chemical Processes. American Institute of Chemical Engineers - Center for Chemical Process Safety, 1993.
3. ANSI/ISA-84.00.01-2004, Parts 1-3 (IEC 61511-1 to 3 Mod). Functional Safety: Safety Instrumented Systems for the Process Industry Sector and ISA-84.01-1996. Application of Safety Instrumented Systems for the Process Industries.
4. IEC 61508-1998. Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems.
5. 29 CFR Part 1910.119. Process Safety Management of Highly Hazardous Chemicals. U.S. Federal Register, Feb. 24, 1992.
6. Leveson, Nancy G. Safeware - System Safety and Computers. Addison-Wesley, 1995.