Interlock test procedures


Thread Starter

Chris Jennings

I am looking at developing a standard methodology for developing interlock test procedures for safety critical systems for where I work. We have a number of systems that use dangerous chemicals and we need to have a standard methodology for how we develop these procedures.

I have looked around and can't seem to find information that might give me some ideas of what would be the best technique. I can develop my own Procedure but I would prefer if it was more about finding a standard technique so that others can apply the same technique and get very similar results.

Does anybody have any starting points for me to look at? I usually look for a good text book or information on the web.

Thanks in advance.

--
Chris Jennings
E/I Engineer
Australian Paper Maryvale
 

Mihir Ramkrishna

Well, Chris, as far as I know I have not come across any written documentation about this. I also faced the same problem, then eventually we talked to our licensor. For any given interlock, one can simulate all inputs physically. By physical simulation, I mean applying pressure to pressure switches using calibrating equipment, putting temperature elements/switches in a temperature calibrating bath in the field, creating actual level (if possible), etc. You can note down the performance of the interlock in a separate chart. This method will not only ensure the integrity check of the loop but will also help you to visualize the behaviour under specific conditions.
 
The basic requirements are in IEC-61511 and the coming new ISA S84, which is 61511 with a grandfather clause. ISA (www.isa.org) has a technical report ISA-TR84.00.03-2002, "Guidance for Testing of Process Sector Safety Instrumented Functions (SIF) Implemented as or Within Safety Instrumented Systems (SIS)." There is also an HSE document that is available on the internet at http://www.hse.gov.uk/research/crr_htm/2002/crr02428.htm

I have written a number of SIS test procedures for different companies so if you want to discuss this please give me a call.

Bill Mostia
=====================================================
William(Bill) L. Mostia, Jr. P.E.
Partner
exida.com
Worldwide Excellence in Dependable Automation
[email protected] (b) [email protected] (h)
www.exida.com 281-334-3169
These opinions are my own and are offered on the basis of Caveat Emptor.
 

Andy Robinson

Chris,

In the plant I work at we have well over 500 interlocks spread between 3 different units that I am responsible for testing. Here are my thoughts from time spent in the field.

1) Make sure you have adequately documented your interlocks before even beginning to determine how to test them. Document the Hazard, the Purpose of the Interlock, etc. Make sure you have all the causal devices (i.e. pressure switches, flow indicators) and action devices (valves, etc.) in an easy to understand format. Make sure you know where each causal device resets, i.e. deadband. We've developed a very extensive interlock database in-house out of necessity and it is critical to performing good checkouts.

2) Interlocks can usually be broken down into two camps. One is single input single output. For example, a single (or multiple) high level switch on a tank closes off the valve to the tank. The other grouping is multi-in multi-out. These are systems that have multiple interlocks that may perform multiple actions. An example of this might be a reactor where you monitor temperature, pressure, and feed ratios. On any given interlock you shut off the feeds, open the nitrogen, and maybe do a couple other things. You can approach these two types separately.

For the SISO interlocks it's usually most efficient to physically test the input devices and watch the output function correctly. So, pump up your pressure switches or raise the real level in the tank and watch the outputs happen.

For MIMO interlocks we have found the best approach to be a staged one. First we physically test all the inputs separately. Then, once we know the device itself is working we take the liberty of installing jumpers on switches or simulators (Altek's or other 4-20 simulators for example) on analog devices. This way we can manipulate the inputs as needed to test each part of the interlock. With all the inputs satisfied in the non-interlocked state you can test the inputs one by one by lifting jumpers or simulating a signal.

With either approach it is critical to document As Found and As Left. I don't know how familiar you are with the new ISA S84 standards coming out, but reliability of your devices is a huge part of determining how long you can go between interlock checks. If you are checking an interlock every 2 years and the input or output device fails 2 out of 3 checks, you need to either change the devices you are using to a more reliable one or increase your testing frequency. Either way, good documentation of your As Found and As Left is a solid base from which to determine your system's reliability.

I hope this points you in the right direction. Feel free to contact me if you have any more questions. I might also be able to provide you with some example Interlock documentation we use internally.

- Andy Robinson
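As an added example that is not part of Andy's post or the thread, here is a small Python model of the staged MIMO check and the As Found / As Left reliability rule described above; the tags, set points and the logic-solver stand-in are assumed for illustration, and a deliberately mis-wired solver shows what the one-input-at-a-time check catches.

```python
# Added example (not from the thread): a staged check of one MIMO interlock as
# Andy describes, plus his As Found / As Left rule. Tags, set points and the
# logic-solver model are constructed. Inputs are (trip direction, set point),
# actions are (normal state, interlocked state).
SPEC = {
    "inputs": {"TI-101": ("high", 150.0), "PI-101": ("high", 8.0),
               "FFI-101": ("low", 0.9)},
    "normal": {"TI-101": 120.0, "PI-101": 5.0, "FFI-101": 1.0},
    "actions": {"XV-1 feed A": ("open", "closed"),
                "XV-2 feed B": ("open", "closed"),
                "XV-3 N2 purge": ("closed", "open")},
}

def logic_solver(values, spec):
    """Stand-in for the DCS logic: any input past its set point drives
    every action device to its interlocked state."""
    tripped = any(values[tag] > sp if kind == "high" else values[tag] < sp
                  for tag, (kind, sp) in spec["inputs"].items())
    return {dev: st[1] if tripped else st[0]
            for dev, st in spec["actions"].items()}

def faulty_solver(values, spec):
    """Constructed fault to show what the test catches: the flow-ratio
    input was never wired into the logic."""
    trimmed = {"inputs": {t: s for t, s in spec["inputs"].items()
                          if t != "FFI-101"}, "actions": spec["actions"]}
    return logic_solver(values, trimmed)

def staged_test(spec, solver):
    """Stage two: hold all inputs non-interlocked, trip each one alone (jumper
    lift or 4-20 mA simulator), record As Found, restore, record As Left."""
    interlocked = {d: s[1] for d, s in spec["actions"].items()}
    released = {d: s[0] for d, s in spec["actions"].items()}
    records = []
    for tag, (kind, sp) in spec["inputs"].items():
        values = dict(spec["normal"])
        values[tag] = sp + 1.0 if kind == "high" else sp - 0.1  # just past trip
        as_found = solver(values, spec)
        values[tag] = spec["normal"][tag]
        as_left = solver(values, spec)
        records.append({"input": tag, "tripped_ok": as_found == interlocked,
                        "reset_ok": as_left == released})
    return records

def review_interval(history, max_fail_fraction=0.5):
    """Flag devices failing more than max_fail_fraction of their checks
    (Andy's '2 out of 3' case): replace the device or test more often."""
    return {dev: "review" if results.count(False) / len(results) > max_fail_fraction
            else "ok" for dev, results in history.items()}
```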
 
Hi Chris,

maybe you could simply use a CE/UL/... approved safety relay from Rockwell Automation (formerly Allen-Bradley)? And you don't need any test procedure for interlocks.

regards,
Leonid
 

Chris Jennings

I think most of my problems stem from the fact that I don't have a quantitative risk assessment for the interlock systems I am trying to write a test procedure for. This means that I am unable to effectively determine what is an appropriate level of testing.

I should probably work through this by using accepted best practice. However, I believe that to gain a full understanding of where we are with our system a full quantitative risk assessment is required. The thing that worries me is that these interlocks are for blocking valves that shut off chlorine gas that is used for bleaching pulp (yes, some places still use chlorine gas). These interlocks all come into a logic solver (in this case our DCS), but this is not separated from the normal process control system. I believe that a number of these interlocks would be regarded as safety interlocks.

So my main problem is, do I just complete the job as initially determined (that is, develop an interlock test procedure to the best of my ability)? Or do I organise for a full risk assessment to determine what our requirements are for the chlorine system?

Thanks for your help so far, especially that link to the HSE document. I have read Safety Shutdown Systems: Design, Analysis and Justification by Paul Gruhn et al., which was very useful in helping me get a more practical description of IEC 61508.

I am thinking of getting some of these books, if anyone has read them could they give me feedback on how useful they proved to be:

Managing the Risks of Organizational Accidents, by J. T. Reason
Managing Risk and Reliability of Process Plants, by Mark Tweeddale
Inviting Disaster: Lessons From the Edge of Technology, by James R. Chiles
Dispelling Chemical Engineering Myths, by Trevor A. Kletz
What Went Wrong?: Case Studies of Process Plant Disasters, by Trevor A. Kletz
Computer Control and Human Error, by Trevor A. Kletz
Lessons from Disaster: How Organizations Have No Memory and Accidents Recur, by Trevor A. Kletz

Chris Jennings
"Most discoveries are made regularly every 15 years". George Bernard Shaw
 
> I think most of my problems stem from the fact that I don't have a
> quantitative risk assessment for the interlock systems I am trying to
> write a test procedure for. This means that I am unable to effectively
> determine what is an appropriate level of testing. <

I am not sure what the meaning of this statement is. If you are concerned with the actual test, the test of the actual interlock does not change with risk level for safety instrumented systems (SIS), except for the test interval and typically for the natural complexity of the test due to additional redundancies for higher risk situations. For non-safety instrumented systems, there are fewer restrictions on things like test interval, training, documentation, etc.

If you are talking about identifying what are interlocks and what are not, and what types they are, then a process hazards analysis to identify the interlocks and their type would be necessary. This is quite commonly done as an adjunct to a HAZOP (or equivalent). It is not necessary that a quantitative risk analysis be done, as qualitative analysis is accepted and quite commonly done, though there may be a few instances where the interlock or process interaction is complex, which would require a quantitative analysis. You can refer to IEC-61511-3 or possibly AS IEC-61511-3 (not sure what the status of this document is) for typical industry qualitative methodologies. There is an ISA standard "ANSI/ISA-91.01-1995 - Identification of Emergency Shutdown Systems and Controls that are Critical to Maintaining Safety in Process Industries" that may be of interest.

> So my main problem is, do I just complete the job as initially determined
> (that is develop a interlock test procedure to the best of my ability)? Or
> do I organise for a full risk assessment to determine what our
> requirements are for the chlorine system? <

This appears to be a matter of your current industry practices, of the regulations/standards that apply to your industry, and of your company's safety philosophy. My opinion is that you should identify all your instrumented protection functions and test them (their reliable function provides safety, environmental, or monetary value to the company). As a minimum, all instrumented protection functions that involve life and limb or environmental safety should be tested. IEC-61511 (AS IEC-61511) is a good start on how to handle interlocks.

You might find some articles written by me in CONTROL magazine on safety instrumented systems of interest. They can be found at:

"The Complete Safety System" http://www.controlmagazine.com/Web_First/ct.nsf/ArticleID/RDAT-4RPN79/

and

"The Safety Instrumented Function: An S-Word Worth Knowing"
http://www.easydeltav.com/news/viewpoint/SIF803.pdf

The book "Safety Integrity Level Selection: Systematic Methods Including Layer of Protection Analysis" by Ed Marszal and Dr. Eric Scharph might also be of interest. It is published by ISA (www.isa.org) ISBN: 1-55617-777-1. Dr. Scharph is out your way in New Zealand (Phone: +64-3-472-7707 ).

Also, there is a book by American Institute of Chemical Engineers, Center for Chemical Process Safety, on layer of protection analysis (LOPA) that may be of interest:

http://www.aiche.org/pubcat/seadtl.asp?ACT=S&Keyword=ON&Title=ON&ISBN=ON&Pubnum=ON&srchText=lopa

Here is also a paper on LOPA:
http://home.att.net/~d.c.hendershot/papers/pdfs/aiche11-02paper281a.pdf

Bill Mostia
=====================================================
William(Bill) L. Mostia, Jr. P.E.
Partner
exida.com
Worldwide Excellence in Dependable Automation
[email protected] (b) [email protected] (h)
www.exida.com 281-334-3169
These opinions are my own and are offered on the basis of Caveat Emptor.
 