Some HPI operating companies view implementing the specified interlocks as satisfying the requirements for functional safety. While the NFPA listed interlocks are a good start to evaluating the hazards associated with fired equipment, they do not ensure that the risk has been reduced to a tolerable level. Several key concepts are not fully addressed by NFPA 85, including consequence severity and equipment reliability.
Consequence severity. A key element missing is an evaluation of the consequence of a hazard. It is important to consider the magnitude of the consequence to ensure that the risk is sufficiently reduced. The location of fired equipment has a direct impact on the severity of the consequence. For example, consider two identical boilers: one is located in a remote area of the plant, and the other is centrally located near offices and manned work areas. If interlocks, operation and maintenance are identical, then the frequency of an accident would theoretically be the same. However, the consequence of the accident would be much higher for the boiler located in the more heavily manned area. This is why it is important to do a risk assessment on each piece of equipment.
Equipment reliability. The NFPA standards do not set specific requirements for the equipment used in the safety interlocks. There is guidance on some equipment, such as programmable logic controllers (PLCs) and flame detectors, yet it is not complete. To ensure that the interlocks provide the required risk reduction, two things are needed: a target risk reduction and reliability calculations for the interlocks. Quantifying the consequences associated with the hazard and comparing them to tolerable risk guidelines addresses the first. Reliability calculations that consider the equipment selected, testing intervals, testing effectiveness and mission time of the system confirm whether the interlocks are providing the required risk reduction.
The achieved risk reduction will vary greatly, depending on how the interlocks are implemented. To illustrate the impact of interlock design, consider a typical NFPA compliant interlock implemented in two different ways (Table 2). The first interlock is implemented with a pressure switch and control relays, while the second interlock is done with a safety-rated transmitter and PLC. Both interlocks have identical valve configurations. The first interlock achieves a risk reduction of only 12 while the interlock that contains the safety-rated transmitter and PLC achieves a risk reduction of 270. Clearly, both approaches can be considered an interlock for low pressure, but the one that takes advantage of safety-rated equipment provides much greater risk reduction.
Best practice. A best practice seen in the field is a blended approach that combines the strengths of the NFPA standards and IEC 61511/ISA S84.00.01. This approach includes:
• Verify that all pertinent NFPA interlocks are implemented.
• Include fired equipment in the process hazard analysis.
• For hazards with significant consequences, do a formal safety integrity level (SIL) selection.
• As indicated by the SIL selection results, treat the affected NFPA interlocks as safety instrumented functions (SIFs).
• Create safety requirement specifications (SRSs) and perform SIL verifications per IEC 61511.
This approach satisfies the requirements of the NFPA standards and provides alignment with the emerging functional safety standards.
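The reliability calculation described under equipment reliability, and the SIL verification step of the best practice above, can be shown with a small worked example. The following Python is an added illustration, not the article's Table 2 calculation or any vendor's tool: it uses the common simplified PFDavg formula for a 1oo1 element with imperfect proof testing (coverage applied over the test interval, the uncovered remainder over the mission time), sums the elements of a low-pressure trip loop in series, and maps the resulting risk reduction factor to a low-demand SIL band. All failure rates, the proof-test coverage, the one-year test interval and the 15-year mission time are constructed assumptions chosen to be plausible, not data from the page.

```python
"""Simplified SIL verification for a low-pressure trip loop (added example).

Constructed inputs: none of the failure rates below come from the article.
Formula: PFDavg(1oo1) = PTC * lambda_DU * TI / 2 + (1 - PTC) * lambda_DU * MT / 2
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    name: str
    lambda_du: float  # dangerous undetected failure rate, per hour (constructed value)


def pfd_avg_1oo1(lambda_du, proof_test_interval_h, proof_test_coverage, mission_time_h):
    """Average probability of failure on demand for one element.

    Dangerous failures the proof test can reveal stay hidden for TI/2 on average;
    the fraction the test cannot reveal stays hidden for MT/2 on average.
    """
    covered = proof_test_coverage * lambda_du * proof_test_interval_h / 2.0
    uncovered = (1.0 - proof_test_coverage) * lambda_du * mission_time_h / 2.0
    return covered + uncovered


def loop_pfd_avg(elements, proof_test_interval_h, proof_test_coverage, mission_time_h):
    """Series loop (sensor, logic solver, final element): any element failing
    dangerously defeats the trip, so the PFDavg contributions add."""
    return sum(
        pfd_avg_1oo1(e.lambda_du, proof_test_interval_h, proof_test_coverage, mission_time_h)
        for e in elements
    )


def risk_reduction_factor(pfd_avg):
    return 1.0 / pfd_avg


def sil_band(rrf):
    """Low-demand SIL band per IEC 61511 PFDavg ranges (0 means below SIL 1)."""
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1000:
        return 2
    if rrf < 10000:
        return 3
    return 4


# Two implementations of the same NFPA low-pressure interlock, same valve arrangement.
# Constructed failure rates; only the sensor and logic solver differ.
SWITCH_RELAY_LOOP = (
    Element("pressure switch", 2.0e-6),
    Element("control relay", 5.0e-7),
    Element("fuel shutoff valve", 5.0e-7),
)
SAFETY_RATED_LOOP = (
    Element("safety-rated transmitter", 3.0e-7),
    Element("safety PLC", 1.0e-7),
    Element("fuel shutoff valve", 5.0e-7),
)

# Constructed test regime assumptions
PROOF_TEST_INTERVAL_H = 1 * HOURS_PER_YEAR   # annual proof test
PROOF_TEST_COVERAGE = 0.9                    # 90% of dangerous failures found by the test
MISSION_TIME_H = 15 * HOURS_PER_YEAR         # loop replaced or overhauled after 15 years


def verify(elements, proof_test_interval_h=PROOF_TEST_INTERVAL_H,
           proof_test_coverage=PROOF_TEST_COVERAGE, mission_time_h=MISSION_TIME_H):
    """Return (PFDavg, RRF, SIL band) for a loop under the given test regime."""
    pfd = loop_pfd_avg(elements, proof_test_interval_h, proof_test_coverage, mission_time_h)
    rrf = risk_reduction_factor(pfd)
    return pfd, rrf, sil_band(rrf)


if __name__ == "__main__":
    for label, loop in (("switch + relay", SWITCH_RELAY_LOOP),
                        ("safety transmitter + PLC", SAFETY_RATED_LOOP)):
        pfd, rrf, sil = verify(loop)
        print(f"{label:26s} PFDavg={pfd:.4f}  RRF={rrf:6.1f}  SIL {sil}")
    # Same safety-rated hardware, but proof tested only every three years
    pfd, rrf, sil = verify(SAFETY_RATED_LOOP, proof_test_interval_h=3 * HOURS_PER_YEAR)
    print(f"{'safety-rated, 3-yr test':26s} PFDavg={pfd:.4f}  RRF={rrf:6.1f}  SIL {sil}")
```

With these constructed inputs the switch-and-relay loop lands in SIL 1 and the safety-rated loop in SIL 2, which is the kind of gap the article's comparison illustrates; stretching the proof-test interval on the safety-rated loop from one year to three drops it back into SIL 1, which is why the test interval and test effectiveness have to be fixed in the SRS rather than assumed.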