Introduction
These regulations have made it clear that the establishment of SIS is an effective measure to ensure the safety of petrochemical tank farms. However, due to the improper design and selection of SIS in tank farms, unreasonable redundant structure settings, lack of clear inspection and testing cycles, and weak targeted preventive maintenance strategies, SIS cannot achieve its high reliability and high availability. In view of these problems, today's article focuses on the design, selection and SIL verification of petrochemical tank farms, and uses Sinopec's risk assessment management and evaluation platform PHAMS to take propylene tank farms as an example for SIL verification, and through the verification results, the sensitivity analysis of SIFs that do not meet the target SIL is carried out, and the improvement and optimization scheme is proposed, and then the SIS design requirements of tank farms are proposed, which provides reference for the SIS design and management requirements of new and renovated tank farms.
Safety instrumented systems
As defined in IEC 61511SIS is an instrumentation system consisting of sensors, logic controllers, and actuators capable of performing one or more SIFs。A single SIS consists of multiple loops, and any SIF loop consists of a sensor subsystem, a logic controller subsystem, and an actuator subsystem.
SIL verification of safety instrumented systems
SIS's SIL verification work focuses on checking whether the SIF loop meets the target SIL level as defined in the SIL grading report. SIS's SIL verification work is mainly as follows:
1) According to the configuration of each SIF circuit, as well as inspection and testing and other related factors, the average failure probability (PFD**g) of each SIF circuit was checked.
2) Evaluate the hardware structure constraints of each SIF loop.
3) The malfunction parking rate of the SIF circuit was calculated, and its impact on the system availability was analyzed.
4) Sensitivity analysis was carried out on the loops that do not meet the SIF target SIL requirements, and an improvement and optimization scheme was proposed.
5) Determine the inspection and test cycle (TI) of each circuit. The SIL level of each SIF loop in a safety instrumented system is governed by a combination of PFD**G and hardware structural constraints.
The PFD**G calculation of each SIF in SIS is to decompose the SIF into subsystems such as sensors, logic controllers, and actuators, and then add the PFD**G of each subsystem to determine the corresponding SIL level that the results meet according to Table 1.
The safety integrity of hardware structural constraints is determined by the instrument type (logic controller, sensor, final element), safety failure score (SFF), and hardware fault margin (HFT). where SFF is calculated as shown in Eq. (2):
Tables 2 and 3 show the criteria for judging the structural constraints of Class A and Class B safety-related subsystems specified in IEC 61508, respectively. General sensors and solenoid valves are Class A safety-related subsystemsThe logic controller is a Class B safety-related subsystem.
Tank farm safety instrumented system design
Design of the SIS for petrochemical tank farmsIt is necessary to strictly follow the hazard and operability (HAZOP) analysis results and SIL classification report, not only to meet the requirements of Order No. 40 and Order No. 116 issued by the former State Administration of Production Supervision and Administration, but also to meet the provisions of GB T 50770-2013 "Code for the Design of Petrochemical Safety Instrumented Systems" for instrument selection and configuration。Generally, the setting of tank farm instruments should consider the aspects of economic reasonableness, mature technology, convenient maintenance and calibration or excellent after-sales service, etc., combined with the characteristics of the medium and the project investment. For the redundant configuration of each SIF circuit subsystem in the tank farm, it is first necessary to determine the SIL level of the SIF circuit of each tank group through the HAZOP analysis results, and determine the configuration of the tank instrument according to the SIL level.
The following takes the propylene spherical tank as an example to design the SIS of the tank farm.
Propylene belongs to Class A liquid, involving "two key points and one major", therefore, the propylene spherical tank tank farm should be set up with an independent SIS. The propylene storage tank adopts a spherical full-pressure storage tank. According to the HAZOP analysis results and SIL classification report of the propylene tank farm, the continuous feeding of the propylene spherical tank caused the liquid level to be high, resulting in the overpressure damage and leakage of the propylene tank, and the overflow of the full tank, resulting in propylene leakage and ignition source**. Requires a SIF loop to be set up in SIS:The high level interlock closes the feed valve, and the SIF circuit has a SIL rating of SIL2。According to the SIL grading results and according to the GB T50770-2013 regulations, determine the setting of the propylene spherical tank instrument, as shown in Figure 1.
A total of 3 liquid level gauges LZT-01, LZT-02, and LZS-03 are set up in the conventional propylene spherical tank, and the signal enters the SIS to participate in the "2OO3" liquid level high interlock and close the tank root feed valve XZV-01. The following is an introduction to the selection and design of each subsystem of SIS.
Sensor subsystem
The level measurement of tank farms has the characteristics of wide measurement range and high measurement accuracy requirements. At present, in the tank farm level measurement, servo level gauge, radar level gauge, magnetostrictive level gauge, liquid level switch and other schemes are mainly used. Because the pressure spherical tank has requirements for the number of openings, the openings should be minimized, therefore, the lzt-01 of the propylene spherical tank uses a servo level gauge, the lzt-02 uses a radar level transmitter, and the lzs-03 uses an external ultrasonic level switch.
1) Servo level gauge. The servo level gauge is based on the principle of buoyancy balance, which is composed of a high-precision sensor, a servo motor system, a measuring magnetic drum, a measuring float and a steel wire, by measuring the change of the steel wire tension caused by the increase or decrease of the buoyancy of the float, the controller issues a command, the servo motor drives the measuring magnetic drum to rotate with a certain stride, and then drives the float to continuously track the change of the liquid level, and the counter records the rotation steps of the servo motor, and automatically calculates the displacement of the measuring float, that is, the change of the liquid level. The servo level gauge of the propylene spherical tank should be accompanied by the calibration cavity of the instrumentAccording to the explosion-proof area division diagram, the explosion-proof level is EXD IICT4;220V (AC) external power supply type;The propylene spherical tank is in high mine areas, and the signal and power supply need to be equipped with surge protectors;The servo level gauge should be equipped with a tankside indicator table as a monitoring instrument for the liquid level measurement siteSafety requirements: equipped with a waveguide tube and set up a maintenance cut-off full-bore ball valve;The servo level gauge meets the requirements of SIL2 class.
2) Radar level transmitter. The radar level transmitter is suitable for continuous level measurement of heavy oil, light oil, hydrocarbon liquids and storage tanks under harsh operating conditions. The radar level transmitter antenna form of the propylene spherical tank should be a plane antenna or a guided wave typeAccording to the explosion-proof area division diagram, the explosion-proof level is EXD IICT4;24V (DC) or 220V (AC) external power supply type;The propylene spherical tank is in high mine areas, and the signal and power supply need to be equipped with surge protectors;The radar level transmitter should be equipped with a tankside indicator table as a monitoring instrument for the liquid level measurement siteSafety requirements: equipped with a waveguide tube and set up a maintenance cut-off full-bore ball valve;The radar level transmitter meets SIL2 requirements.
3) Ultrasonic level switch. Externally mounted ultrasonic level switch for propylene spherical tanks, which can reduce the opening of pressure spherical tanks. The sensor (probe) of the external ultrasonic level switch generates a high-frequency ultrasonic pulse that passes through the spherical tank wall, which travels through the spherical tank wall and the propylene liquid, and is also reflected back. By detecting and calculating this reflective property, the height of the propylene level in the spherical tank can be detected. The ultrasonic level switch should be installed to ensure that the measurement direction of the sensor is in the ball, there are no obstacles such as parts, and the tank wall weld should be avoided. The explosion-proof level switch of the propylene spherical tank is EXD IICT4;24V (DC) external power supply type is selectedSurge protection is required for signal and power supplyMeets SIL2 requirements.
Logic controller subsystem
The SIS controller is a safety-certified device that meets the requirements of IEC 61508 61511 and is a stand-alone control unit. The SIL rating of this system is SIL3.
Actuator subsystem
The propylene spherical tank root valve XZV01 is installed on the inlet and outlet pipelines of the propylene spherical tank, and when there is an accident such as fire and pipeline leakage in the tank area or the liquid level of the propylene spherical tank exceeds the high and high liquid level, it can quickly interlock and cut off the feeding, so as to avoid the expansion of the tank farm accident or the occurrence of material overflow. XZV-01 is a TSO emergency shut-off ball valve, which is used for two-way flow, and two-way sealed valve trim should be selectedThe leakage rating is Class V (TSO);Exd IICT4;IP65 protection level;With fusible plug, melting point 250, fusible plug melting, valve closed;With fireproof cover, the fireproof cover should meet the UL1709 standard, and be able to resist hydrocarbon fire for 30min under 1093;On-site manual valve closing buttons or switches should be set up outside the fire hazard area for on-site manual operation in case of hazardous situations;The valve as a whole meets the requirements of SIL2 grade.
SIL verification of tank farms
The functional description and target SIL of the SIF loop are listed in Table 4. The SIF circuit was verified by using the PHAMS risk assessment platform of Sinopec.
Generally, petrochemical enterprises overhaul once every 4 years, so the detection and testing time interval of the sensor subsystem is 48 months, the detection and testing time interval of the logic controller subsystem is 48 months, and the detection and testing time interval of the actuator subsystem is 48 monthsAcrylic spherical tank SIF01 loop assembly MTTR 8H;The sensor service life is 10 A, the logic controller is 15 A, and the actuator life is 10 A. The failure rate data of each component of the SIF01 loop subsystem is selected from the general failure rate data corresponding to the corresponding component in the PHAMS platform, and the reliability block diagram is selected for the PFD**G calculation method. The SIL verification results are listed in Table 5.
Through the verification results, it can be seen that the PFD**G and SIL confinement structure constraints of the currently designed SIF01 loop do not meet the target SIL2 level requirements, and the sensitivity analysis of SIF01 is carried out below, and reasonable suggestions are put forward to make the SIF01 loop meet the SIL2 level requirements. The analysis of the validation results of each subsystem of SIF01 is listed in Table 6.
From the above results, it can be seen that the PFD**G of the valve accounts for the highest proportion of PFDSYS, about 988%, which is the weakest link in the system. In order to improve the SIL level of the circuit, the PFD**G of the valve can be reduced preferentially: for example, the "1oo2" redundant configuration of the valve can be used if the cost allowsShorten the inspection and testing time of the valve;It is also possible to significantly reduce the PFD**g of the valve with integral functional safety certification and a partial stroke test (PST) function.
Assuming that the propylene spherical tank is in the early stage of design, if the cost and process operating conditions allow, add 1 valve XZV-02 and XZV-01 for "1OO2" interlocking. The valve redundancy structure is changed to "1oo2" for verification, and other reliability data remain unchanged, the verification results of improvement scheme 1 are listed in Table 7, and the verification results of each subsystem are analyzed in Table 8.
From the verification results, it can be seen that the PFD**G and SIL confined structural constraints of the entire SIF circuit meet the requirements of SIL2 level, and the verification is passed. Therefore, increasing the redundancy configuration of valves can greatly improve the reliability of the system.
At the same time, it can be seen from the analysis of the verification results that the sensor subsystem part has little impact on the reliability of the total circuit, and the common liquid level "2oo3" redundant structure configuration is overdesigned, and the liquid level high and high interlock is changed to LZT-02 and LZS-03 with "1OO2" redundant configuration for verification. The results of the validation are presented in Table 9 and Table 10.
From the verification results, it can be seen that the SIF loop after the degradation of some redundant configuration of the sensor still meets the target SIL, and the original design level "2OO3" interlocking is over-designed, and LZT01 can be canceled to participate in SIS interlocking, but the availability should also be considered in the actual production process, and "2OO3" is still more appropriate.
Assuming that the propylene spherical tank is in the in-service device transformation stage, if the valve is planned to adopt a redundant configuration, but the installation space requirements of the valve and piping cannot be met, and the cost input cannot be accepted, the valve is composed of a solenoid valve, an actuator and a valve, generally speaking, the reliability of the solenoid valve is low, and the common failure is coil burning, which causes false shutdown. Therefore, in the whole system, the solenoid valve may be the most critical instrumentation equipment, and the solenoid valve with "1oo2" redundant configuration can be used to improve the reliability of the valve. The redundant configuration of the solenoid valve can increase the SIL-limiting structural constraint of the original actuator from SIL1 to SIL2. The verification results of improvement scheme 2 are listed in Table 11, and the analysis of the verification results of each subsystem is listed in Table 12.
From the verification results, it can be seen that although the SiL confinement structure constraint of the total circuit is increased to SIL2 by using the redundant structure configuration of the double solenoid valve "1oo2", the calculated PFD**G still does not meet the target SIL2 requirements. Then, the Ti3 of the actuator can be gradually reduced by using the PHAMS platform to reconfigure and calculate, and the Ti3 of the actuator can be shortened to at least 24 months to make the SIF meet the target SIL. The validation results are listed in Table 13, and the analysis of the validation results of each subsystem is listed in Table 14.
In order to ensure the safety and reliability of the SIS system, it is necessary to rationalize the redundant structure of each subsystem of the SIF circuit in the design stage and avoid over-designAt the same time, the relevant provisions of IEC 61511 functional safety management should be strictly implemented in installation, commissioning, operation and maintenance, and the functional safety assessment at all stages should be done.