
SIS Bypass and Impairment – Safety Instrumented System

Safety Instrumented System (SIS) logic is built from safety interlocks that consider multiple safe scenarios for protecting the equipment and plant. The functionality of this logic, whether implemented in the Basic Process Control System (BPCS) or in the Safety System (SIS), is critical for plant operations.


However, there may be a need to bypass an SIS or BPCS Independent Protection Layer (IPL) function for specific reasons such as startup, testing, or maintenance.


Bypasses shall be cross-checked and removed so that the equipment returns to safe operation. To manage this, there shall be a management system to ensure that a bypass is removed once the condition that required it has been satisfied.


Bypass Rules

Written procedures shall exist for any hardware or software that permits bypass of an SIS function. 


For SIS and BPCS IPL safety functions, procedures shall be available for updating, editing and bypassing the function (as and when required), together with the required system access restrictions. The approach is applicable to all new installations, retrofits, and upgrade projects.


For a BPCS protective function, the maximum time an instrument is allowed to be out of service should be minimized and limited to 14 days.


The necessary Management of Change (MOC) policy (the terminology may vary depending on the plant) must be followed so that safety is assured by other technical or administrative controls, and it shall consider the availability/bypass condition of other protection layers for affected scenarios.


Bypass Requirements & Restrictions

By-pass switches must be protected by a key lock or password to prevent unauthorized use.

Indication that the SIS is bypassed must be provided by an alarm in the DCS / annunciator panel, and/or a procedure must be developed.

Where a by-pass is required it should be installed such that alarms and manual shutdown facilities are not disabled.

Proper care is to be taken with bypassed instruments; valves are also to be tested as part of SIS validation (when required).

Operators must be trained on the operation of the by-pass and requirements when it is to be used.

SIS design must minimize the need to impair the SIS while the unit is running.

Operation and maintenance procedures must be developed which provide the actions and constraints necessary to prevent or mitigate the hazard while the SIS is impaired.
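
The rules above can be checked mechanically against a bypass register. The following is an added example, not part of the original post or of any vendor tooling: a small Python audit over a constructed register, in which the record fields (layer, moc_ref, annunciated, authorized_by) and the tag names are hypothetical. It applies the 14-day limit only to BPCS protective functions, since that is the only time limit stated here.

```python
from datetime import datetime, timedelta

MAX_BPCS_BYPASS = timedelta(days=14)  # limit stated above for BPCS protective functions

# Constructed sample register; tags, users and field names are hypothetical.
REGISTER = [
    {"tag": "PT-101", "layer": "BPCS", "applied": "2024-03-01T08:00", "removed": None,
     "moc_ref": "MOC-0001", "annunciated": True, "authorized_by": "shift.lead"},
    {"tag": "LT-205", "layer": "SIS", "applied": "2024-03-10T09:30", "removed": None,
     "moc_ref": None, "annunciated": False, "authorized_by": "shift.lead"},
    {"tag": "TT-310", "layer": "SIS", "applied": "2024-03-12T14:00",
     "removed": "2024-03-12T18:00",
     "moc_ref": "MOC-0002", "annunciated": True, "authorized_by": "shift.lead"},
    {"tag": "FT-420", "layer": "BPCS", "applied": "2024-03-15T07:00", "removed": None,
     "moc_ref": "MOC-0003", "annunciated": True, "authorized_by": None},
]

def audit_bypasses(register, now):
    """Return {tag: [findings]} for bypasses that are still active at `now`."""
    findings = {}
    for rec in register:
        if rec["removed"] is not None:
            continue  # bypass already removed; nothing outstanding
        issues = []
        age = now - datetime.fromisoformat(rec["applied"])
        # The 14-day limit is only applied to the BPCS layer.
        if rec["layer"] == "BPCS" and age > MAX_BPCS_BYPASS:
            issues.append(f"active {age.days} days, over the 14-day limit")
        if not rec["moc_ref"]:
            issues.append("no MOC reference")
        if not rec["annunciated"]:
            issues.append("bypass not annunciated")
        if not rec["authorized_by"]:
            issues.append("no authorizing user recorded")
        if issues:
            findings[rec["tag"]] = issues
    return findings

if __name__ == "__main__":
    report = audit_bypasses(REGISTER, datetime(2024, 3, 20, 8, 0))
    for tag, issues in report.items():
        print(tag, "->", "; ".join(issues))
```

Run on a schedule against the plant's real bypass log, a check like this surfaces bypasses that were applied for startup, testing or maintenance and never removed.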

Physical Hardware Restrictions

Bypass valves installed around SIS “Final elements” must be secured in the “safe” position (typically, this is the “closed” position) with mechanical locks or car seals.

A management system must include:

Control of, and access to, lock keys, or a half-yearly audit procedure for ensuring the integrity of seals.

In-service operation of a bypass valve requires a written procedure which includes:

Approval by the relevant Business Head and the Process Safety Leader.

Actions that are necessary to prevent an unsafe state

Assurance that the time the bypass valve is actually used is minimized.

An inspection of the block valve to ensure that it is returned to the secured “safe” position.

Physical Software Restrictions

The software requires access restrictions for operating bypasses around SIS components. However, the implementation of “access restriction” is more stringent and requires “physical” restriction:

Safety System Impairment

To protect against inadvertent bypassing of the protective function, software, hardware, and/or written procedures are to be used so that the act of bypassing is annunciated and access-restricted. Implementation of the Safety System Impairment Standard is recommended.


If “written procedures” are chosen as the method of preventing inadvertent bypassing, implement practices that meet the intent of this requirement.


Background


There is a need to be able to test the Safety Instrumented System (SIS) while the plant is in operation.

Plant owners finalize Impairment requirements so that temporary safety system outages, impairments, and bypasses are always managed properly.

Brief Examples of SIS Impairment

What does it mean to “impair” a safety system?


Here are a few examples:


If a Safety Function requires a valve in a steam/gas line to close when activated, the scenario may not be prevented if a bypass valve is open around the SIS final element.

If a Safety Function requires a cooling water valve to open but the upstream block valve is closed, the scenario may not be prevented.

Similarly, the SIS function may not be functional in cases such as software logic bypasses and closure of block valves in sensor lines.

For instrument root valves: If the valve is clearly visible as an instrument root valve, SSI is not needed and the valve does not need to be locked open or tagged. This is because plant operations will not be using this valve to operate the plant. Since the instrument will have a Safety Instrument identification tag, this should be sufficient to alert maintenance personnel that the root valve will disable an SIS. However, if the root valve is located remotely from the instrument, it may not be obvious to operations that this is a maintenance valve. In this case, the SSI process should apply.
