1、 ISA-TR84.00.05-2009 Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner Management Systems (BMS) Approved 10 December 2009 ISA-TR84.00.05-2009, Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner Management Systems (BMS) ISBN: 978-1-936007-41-
2、7 Copyright 2009 by ISA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written p
3、ermission of the Publisher. ISA 67 Alexander Drive P.O. Box 12277 Research Triangle Park, North Carolina 27709 - 3 - ISA-TR84.00.05-2009 Copyright 2009 ISA. All rights reserved. Preface This preface is included for information purposes and is not part of ISA-TR84.00.05-2009. This technical report ha
4、s been prepared as part of the service of ISA, the International Society of Automation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary
5、, Standards and Practices Board; ISA, 67 Alexander Drive; P.O. Box 12277; Research Triangle Park, NC 277099; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standardsisa.org. This ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in
6、 general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards, recommended practices, and technical reports. The Department is further aware of the benefits to users of ISA standards documents of incorporating suitable references to the SI (and t
7、he metric system) in their business and professional dealings with other countries. Toward this end, the Department will endeavor to introduce SI and acceptable metric units in all new and revised standards documents to the greatest extent possible. The Metric Practice Guide, which has been publishe
8、d by the Institute of Electrical and Electronics Engineers (IEEE) as ANSI/IEEE Std. 268-1992, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors. It is the policy of ISA to encourage and welcome the participation of all concerned individ
9、uals and interests in the development of ISA standards. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops. CAUTION
10、 ISA DOES NOT TAKE ANY POSITION WITH RESPECT TO THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS ASSERTED IN CONNECTION WITH THIS DOCUMENT, AND ISA DISCLAIMS LIABILITY FOR THE INFRINGEMENT OF ANY PATENT RESULTING FROM THE USE OF THIS DOCUMENT. USERS ARE ADVISED THAT DETERMINATION OF THE VALIDITY OF AN
11、Y PATENT RIGHTS, AND THE RISK OF INFRINGEMENT OF SUCH RIGHTS, IS ENTIRELY THEIR OWN RESPONSIBILITY. PURSUANT TO ISAS PATENT POLICY, ONE OR MORE PATENT HOLDERS OR PATENT APPLICANTS MAY HAVE DISCLOSED PATENTS THAT COULD BE INFRINGED BY USE OF THIS DOCUMENT AND EXECUTED A LETTER OF ASSURANCE COMMITTING
12、 TO THE GRANTING OF A LICENSE ON A WORLDWIDE, NON-DISCRIMINATORY BASIS, WITH A FAIR AND REASONABLE ROYALTY RATE AND FAIR AND REASONABLE TERMS AND CONDITIONS. FOR MORE INFORMATION ON SUCH DISCLOSURES AND LETTERS OF ASSURANCE, CONTACT ISA OR VISIT WWW.ISA.ORG/STANDARDSPATENTS. OTHER PATENTS OR PATENT
13、CLAIMS MAY EXIST FOR WHICH A DISCLOSURE OR LETTER OF ASSURANCE HAS NOT BEEN RECEIVED. ISA IS NOT RESPONSIBLE FOR IDENTIFYING PATENTS OR PATENT APPLICATIONS FOR WHICH A LICENSE MAY BE REQUIRED, FOR CONDUCTING INQUIRIES INTO THE LEGAL VALIDITY OR SCOPE OF PATENTS, OR DETERMINING WHETHER ANY LICENSING
14、TERMS OR CONDITIONS PROVIDED IN CONNECTION WITH SUBMISSION OF A LETTER OF ASSURANCE, IF ANY, OR IN ANY LICENSING AGREEMENTS ARE REASONABLE OR NON-DISCRIMINATORY. ISA REQUESTS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA
15、 STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER. ISA-TR84.00.05-2009 - 4 - Copyright 2009 ISA. All rights reserved. ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS, OPERATIONS OR EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE APPLICATIONS OR ADDRESS ALL
16、 POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN HAZARDOUS CONDITIONS. THE USER OF THIS DOCUMENT MUST EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USERS PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITAT
17、IONS AND ESTABLISHED SAFETY AND HEALTH PRACTICES BEFORE IMPLEMENTING THIS DOCUMENT. THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE IMPACTED BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET ADDRESSED THE POTENTIAL ISSUES IN THIS VERSION. The following served as voting mem
18、bers of ISA84 and approved this technical report: NAME COMPANY W. Johnson, Chair E I du Pont V. Maggioli, Managing Director Feltronics Corp R. Adamski RA Safety Consulting LLC T. Ando Yokogawa Electric Co R. Avali Westinghouse Electric Corp L. Beckman Safeplex Systems Inc J. Campbell ConocoPhillips
19、I. Chen Aramc M. Coppler Ametek Inc M. Corbo ExxonMobil K. Dejmek Baker Engineering b) Provide examples of typical safety assessments for the following equipment with BMSs: boilers (single burner), fired process heaters (multi-burner), thermal oxidizers, oil heater treaters and glycol reboilers. - 1
20、1 - ISA-TR84.00.05-2009 Copyright 2009 ISA. All rights reserved. 4 References 4.1 ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1, 2 & 3, ISA, 2004. www.isa.org/standards. 4.2 CCPS/AICHE, Guidelines for Hazard Evaluation
21、 Procedures, Second Edition with Worked Examples, 1992. 4.3 ISA-TR84.00.02-2002, Safety Instrumented Systems (SIS) Safety Integrity Level (SIL) Evaluation Techniques, ISA, www.isa.org/standards. 4.4 NFPA 85, Boiler and Combustion Systems Hazards Code, National Fire Protection Association, 2003. 4.5
22、NFPA 86, Standards for Ovens and Furnaces, National Fire Protection Association, 2004. 4.6 API RP 556, Instrumentation, Control and Protective Systems for Fired Heaters and Steam Generators, 1997. 4.7 ASME CSD-1, Controls and Safety Devices for Automatically Fired Boilers, American Society of Mechan
23、ical Engineers, 2006. 4.8 API RP 14C. Recommended Practice for Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms, 2001. ISA-TR84.00.05-2009 - 12 - Copyright 2009 ISA. All rights reserved. 5 Abbreviations and Acronyms 1oo2 One out of Two Vot
24、ing 2oo2 - Two out of Two Voting 2oo3 Two out of Three Voting AIChE American Institute of Chemical Engineers ANSI American National Standards Institute API American Petroleum Institute API RP American Petroleum Institute Recommended Practice BMS Burner Management System BPCS Basic Process Control Sy
25、stem CCPS Center for Chemical Process Safety E/E/P E Electrical/Electronic/Programmable Electronic HAZOP Hazards and Operability Study IEC International Electrotechnical Commission IPF Instrumented Protective Function IPL Independent Protection Layer ISA International Society of Automation LEL Lower
26、 Explosion Limit LOPA Layers of Protection Analysis MTTF Mean Time to Failure MTTFD - Mean Time to Failure Dangerous MTTFS Mean Time To Fail Safe MTTR Mean Time to Repair or Restore NFPA National Fire Protection Association OSHA U.S Occupational Safety and Health Agency P&ID . Piping and Instrumenta
27、tion Diagram PE Programmable Electronic PES Programmable Electronic System PFDavg Probability of Failure on Demand Average PHA Process Hazards Analysis PLC Programmable Logic Controller SIF Safety Instrumented Functions SIL Safety Integrity Level SIS Safety Instrumented Systems - 13 - ISA-TR84.00.05
28、-2009 Copyright 2009 ISA. All rights reserved. 6 Safety Lifecycle and Protection Concepts 6.1 The Safety Lifecycle 6.1.1 Overview Safety consequences can result from the misoperation of fired equipment during start-up, normal operation, maintenance, and shutdown. A BMS is implemented to prevent miso
29、peration and to safely handle faults caused by equipment failure. Misoperation can be caused by equipment failure or improper firing and can potentially result in uncontrolled fires, explosions, or implosions and in the unintended release of the materials being heated. Consequently, the hazard and r
30、isk analysis for the fired equipment often focuses on events that lead to hydrocarbon fuels being introduced into the equipment under abnormal operating conditions. The ANSI/ISA-84.00.01-2004 Safety Lifecycle addresses SISs used to prevent unacceptable hazardous events, generally involving harm to p
31、eople and/or damage to the environment. The lifecycle is supported by a management system that focuses on reducing the potential for SIS failure through effective SIS design and management. The Safety Lifecycle includes steps for: Identifying the hazardous events resulting in unacceptable consequenc
32、es Identifying the safety functions that prevent hazardous events Establishing the performance criteria (e.g., the risk reduction) for these safety functions Allocating safety functions to systems designed and managed to achieve the performance criteria Documenting the functional and integrity requi
33、rements in a design specification Verifying that the design and management practices are sufficient to meet the performance requirements Documenting and implementing operation and maintenance procedures to support performance requirements Managing changes to the process equipment and its safety syst
34、ems to ensure safe operation Many types of fired equipment are subject to application-specific good engineering practices. The hazard and risk analysis described in ANSI/ISA-84.00.01-2004 can be used to classify these already identified BMS functions. The BMS design should meet the intent of any app
35、licable good engineering practice, regardless of the perceived risk. This technical report demonstrates how ANSI/ISA-84.00.01-2004 complements other good engineering practices, allowing the owner/operator to define the requirements for each instrumented system consistent with methods used for other
36、process equipment. ANSI/ISA-84.00.01-2004 work processes can also be used to determine whether planned BMS design and management practices are sufficient to provide the required risk reduction for identified hazardous events. This technical report addresses various aspects of the Safety Lifecycle an
37、d its application to BMS. While this technical report provides examples of hazardous events, it does not illustrate all of the hazardous events possible with the referenced equipment. Hazardous event identification can be accomplished through a variety of methods ranging from checklists based on pri
38、or design and experience to formal, structured techniques, such as Hazard and Operability Studies (HAZOP) and What If?/checklists. The choice of method is not specific to BMS. More information on the hazard identification can be found in Guidelines for Hazard Evaluation Procedures (Reference 4.2). I
39、SA-TR84.00.05-2009 - 14 - Copyright 2009 ISA. All rights reserved. 6.1.2 Safety Instrumented Functions An SIS may implement one or more SIFs to address unacceptable hazardous events associated with process equipment operation. The starting point for this technical report is a description of the meas
40、urements and actions taken by various BMS functions required by applicable practices. The reader is cautioned that identification of an individual SIF within an SIS may seem simple, but many errors are common, such as: Not including all of the process measurements that can detect the hazardous condi
41、tion Including actions that are not required to achieve or maintain a safe state Including measurements that do not detect the hazardous condition The risk analysis is further complicated when multiple initiating causes can result in a hazardous event, but not all initiating causes are detected by t
42、he same process measurement. In this case, multiple SIF may be defined, each of which provide risk reduction against a set or subset of the initiating events that can cause the hazard. When selecting the risk reduction and the associated SIL for these SIF, the aggregation effect of the multiple SIFs
43、 protecting against the same hazardous event should be considered. In many cases, the lack of independence between the SIFs necessitates the consideration of the functions as a single function with diverse process measurements. 6.1.3 Safety Integrity Level When a BMS function is classified as an SIS
44、, the risk reduction allocated to the BMS function is related to its SIL. The required risk reduction can be defined using qualitative, semi-quantitative or quantitative risk analysis techniques. All techniques rely on process hazards analysis to identify hazardous events. The primary difference bet
45、ween the techniques is the different degrees of rigor employed to estimate the event likelihood (or frequency) and consequence severity. Various hazard and risk analysis techniques are discussed in Guidelines for Hazard Evaluation Procedures (ref. 4.2). While all techniques follow the same general s
46、teps, there is much variability in the detail and degree of resolution between different owner/operators that apply ANSI/ISA-84.00.01-2004. This report does not endorse a specific methodology for performing risk analysis. The CCPS concept book Layers of Protection Analysis: A Simplified Risk Assessm
47、ent discusses a semi-quantitative risk analysis technique, which uses order-of-magnitude bands to assess the event likelihood. The risk analysis process can be summarized as: 1) Identify the hazardous event (e.g., the event that the SIF under consideration is preventing). 2) Estimate consequence sev
48、erity of the hazardous event. 3) Estimate likelihood (or frequency) of the hazardous event, considering all credible initiating causes. 4) Assess the process risk of the hazardous event as a function of its consequence severity and likelihood (or frequency). 5) Compare process risk to the risk crite
49、ria to determine the risk reduction requirements. 6) Identify safety functions required to achieve the risk reduction requirements. 7) Assign an SIL to the SIF that meets the risk reduction requirements. - 15 - ISA-TR84.00.05-2009 Copyright 2009 ISA. All rights reserved. ANSI/ISA-84.00.01-2004 defines four discrete levels of SIL. Each SIL is an order of magnitude range of values associated with the probability that the SIS will perform its required function under all stated conditio
