
4-5 - Basic Process Control System (BPCS) Layers


Cairo Engineering Team

Basic Process Control System (BPCS) Layers of Protection
Module 05 (35 m)

Objectives

• Recognise Instrument related Layers of Protection (LoP) that are in the BPCS* and that are taken as a credit in a LOPA:
− Control Loop
− Safety Related Alarms (SRA)
− BPCS interlock function
− (note the above excludes SIFs which are in the SIS logic solver)
• Define a Safety Related Alarm (SRA)
• Recognise dependent and independent LoPs
• Identify LoP controllers and SRAs on HMI graphics

*BPCS = Basic Process Control System, also known as:
− PAS – Process Automation System or
− DCS – Distributed Control System

Instrument Layers of Protection are in Various Systems

Instrumented Layers of Protection can be in any of the following systems:


[Figure: Integrated Control and Safety System (ICSS): Fire and Gas, SIS, BPCS. Labels: Human Machine Interface (Operator Console), Communications Network, Marshalling, SIS Logic, BPCS Control, Sensor, Production Separator D-1, Level control valve, Shutdown valve. Callouts: "Talked about SIS in an earlier module"; "We’ll talk about BPCS/Alarms in this module".]


Operating Limits

• Existing -- Safe Design Envelope between Trip Points
• New -- Normal Operation Envelope between Alert Limits
• New -- Monitoring to a Target Value

BPCS Layers of Protection – 1. Control Loop

[Figure: Production Separator D-1 with PC-1, PT-1, CV-1, Flare, HV-2 and SDV-3.]

• Controls the process within normal operating limits
• If control loop failure is an initiating cause for a hazard, it can’t be considered an LoP
• To be credited in LOPA:
a) Control loop must be in automatic mode at least 95% of the time (per GP 30-81, 8.3)
− that works out to be 22.8 hours per day
b) Not prevented from fulfilling the protection role assumed in the LOPA (per GP 30-81, 8.3):
− Managed use of manual mode
− Capable of mitigating hazard (e.g. not having saturated output)
− Not moving the setpoint out of the Normal Operating Limits (more on this later)
− High priority corrective action if it fails (e.g. faulty instrument)
c) Operator must know that a credit was taken in LOPA (per GP 30-80, 10.3)
− Ideally the control loop should be uniquely identified on the operator graphics (more on this later)
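
The control loop criteria above can be checked against historian data. The following is an added example, not part of the original slides: it computes the time-in-automatic fraction from mode-change events and reports which of the listed conditions are not met. The event format, the loop data and the 0%/100% saturation test are assumptions made for illustration.

```python
from datetime import datetime

AUTO_MIN_FRACTION = 0.95  # slide criterion (a): automatic at least 95% of the time

def auto_fraction(mode_events, start, end):
    """Fraction of [start, end) spent in AUTO. Time with no known mode is
    counted as not-AUTO, the conservative choice for a LOPA credit."""
    auto_seconds, mode, cursor = 0.0, None, start
    for ts, new_mode in sorted(mode_events):
        if ts <= start:
            mode = new_mode              # mode carried into the window
            continue
        if ts >= end:
            break
        if mode == "AUTO":
            auto_seconds += (ts - cursor).total_seconds()
        mode, cursor = new_mode, ts
    if mode == "AUTO":
        auto_seconds += (end - cursor).total_seconds()
    return auto_seconds / (end - start).total_seconds()

def credit_findings(mode_events, start, end, setpoint, nol, output_pct):
    """Reasons the loop may not support the credit assumed in the LOPA."""
    findings = []
    frac = auto_fraction(mode_events, start, end)
    if frac < AUTO_MIN_FRACTION:
        findings.append(f"auto {frac:.1%} < {AUTO_MIN_FRACTION:.0%}")
    lo, hi = nol
    if not lo <= setpoint <= hi:
        findings.append("setpoint outside Normal Operating Limits")
    if output_pct <= 0.0 or output_pct >= 100.0:   # assumed saturation test
        findings.append("controller output saturated")
    return findings

T = datetime.fromisoformat
# Constructed sample: one day of mode changes for a hypothetical loop PC-1.
DAY = (T("2024-01-01T00:00"), T("2024-01-02T00:00"))
SAMPLE_EVENTS = [
    (T("2023-12-31T18:00"), "AUTO"),
    (T("2024-01-01T09:30"), "MAN"),
    (T("2024-01-01T10:15"), "AUTO"),
    (T("2024-01-01T21:00"), "MAN"),
    (T("2024-01-01T22:00"), "AUTO"),
]
```

In the constructed day the loop spends 1.75 hours in manual, so it is in automatic for 22.25 of 24 hours and falls short of the 22.8 hours per day that 95% requires.
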
BPCS Layers of Protection – 2. Safety Related Alarm (SRA)

[Figure: Production Separator D-1 with PAH-2, PC-1, PT-2, PT-1, CV-1, Flare, HV-2 and SDV-3.]

• Notifies the operator of potentially unsafe conditions in the process
• The human response is part of the alarm
• To be credited in LOPA an SRA has to (per GP 48-03, 12.5):
a. Be independent of other LoPs
b. Be prioritized so it receives timely operator intervention
c. Occur in a control room where an operator is always present
d. Have operators who are trained to respond
e. Have response documented in operating procedures – Alarm Response Manual (ARM)
f. Leave the operator the time to prevent the hazard
g. Be known to the operator as a credit taken in LOPA (per GP 30-80, 10.3):
− Ideally the SRA should be uniquely identified on the operator graphics (more on this later)
BPCS Layers of Protection – 3. BPCS Interlock Function

[Figure: Production Separator D-1 with PX-3, PAH-2, PC-1, PT-3, PT-2, PT-1, CV-1, Flare, HV-2 and SDV-3.]

• Is typically a sensor and a valve, sometimes through a separate Programmable Logic Controller (PLC)
Other requirements for BPCS LoPs - Independence

[Figure: Process Unit with PC-1 and PAH-2. Assume the flow rate must stay below a given value.]

• Control Loop and SRA can be considered independent:
– if we have separate sensors and final control elements (valves)
– even if they are both in the BPCS but only if certain rules are followed per BP ETPs and industry standards
• Even if not credited in the LOPA, they are important since they reduce demands on the SIS
Other requirements for BPCS LoPs - Identification on HMI graphics

Operator must know that a credit was taken in LOPA for control loops, alarms or interlocks (per GP 30-80, 10.3):

Why?

• To minimize placing the control loop in manual (remember >95% in Automatic mode)
• To manage the setpoint within the Normal Operating Limits
• To initiate high priority corrective action
• So SRAs are not shelved without appropriate controls
• BPCS Logic is not defeated without appropriate control

Ideally these should be uniquely identified on the operator graphics

[Figure: PC-1, CV-1, PT-1, PAH-2, PT-2, HV-2, SIF-3, PT-3 and SDV-3.]

Identification of Control Loop & SRA on the HMI graphics - Examples

[Figure: example HMI graphics; callout labels: "Safety Related", "LoP", "Control Loop".]

Guidance Note (GN) 30-451 has information on showing LoPs on HMI graphics
Let’s take a closer look at Alarm Requirements

• An Alarm is defined as: “Notification to an operator of an abnormal situation that requires timely action by the operator”
• Alarms that don’t meet these criteria should be reviewed/addressed with alarm management or converted to alerts
– Facilitated by performing alarm rationalization
• SRAs contribute significantly to the management of a safety or environmental risk
• Alarms with operator actions credited in LOPA are always SRAs
• SRAs should not be shelved without appropriate controls
• When presented with a number of alarms at the same priority, SRAs should be addressed first
• SRAs can be pre-trip alarms (they alarm before a trip)
• However, some SRAs are the last instrumented LoP before a relief valve (or other mechanical device) activates
• SRAs require high priority corrective action if they fail

Reference GP 30-47 – Alarm System Design and Management for more alarm information
Critical Fault Alarms

• Critical Fault Alarms indicate a problem with LoP equipment or systems
• An example is a deviation alarm – when we have multiple sensors measuring the same pressure, temperature, level, etc., and these are in safety related service, we can compare the values, and alarm if the values differ from each other by a defined tolerance
• Another example is an alarm when the SIS logic identifies a fault
• Credit is not taken in LOPA for the critical fault alarms, but they have a role in operating safely
• Critical Fault alarms should be investigated and corrected as a high priority

[Figure: Pressure vs. Time trends P1, P2 and P3 from PT-1, PT-2 and PT-3 on Production Separator D-1, fed to a Comparison. Operator receives deviation alarm when values differ by more than 10%. (Note: The tolerance varies by application)]
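
The deviation alarm described above, sketched as an added example that is not part of the original slides. It compares redundant transmitter readings scan by scan and names the transmitter furthest from the median. Assumptions: the 10% tolerance from the figure is taken as a fraction of the median reading, a bad-quality signal is represented as `None`, the alarm is raised after three consecutive deviating scans, and the readings are constructed.

```python
from statistics import median

TOLERANCE = 0.10  # figure: alarm when values differ by more than 10%

def deviation(readings, tolerance=TOLERANCE):
    """Return (alarm, suspects) for one scan of redundant transmitters.

    readings: {tag: value or None}; None marks a bad-quality signal.
    Assumption: the tolerance is a fraction of the median reading.
    """
    good = {t: v for t, v in readings.items() if v is not None}
    if len(good) < 2:
        return True, sorted(readings)   # nothing to compare against: fault
    mid = median(good.values())
    spread = max(good.values()) - min(good.values())
    if spread <= tolerance * abs(mid):
        return False, []
    worst = max(abs(v - mid) for v in good.values())
    return True, sorted(t for t, v in good.items() if abs(v - mid) == worst)

def scan(series, persist=3):
    """List (scan_index, suspects) each time a deviation has held for
    `persist` consecutive scans (assumed debounce against noise)."""
    events, run, active = [], 0, False
    for i, readings in enumerate(series):
        alarm, suspects = deviation(readings)
        run = run + 1 if alarm else 0
        if run >= persist and not active:
            events.append((i, suspects))
            active = True
        elif not alarm:
            active = False
    return events

# Constructed readings: PT-3 drifts high, then goes bad-quality.
SERIES = [
    {"PT-1": 50.0, "PT-2": 50.5, "PT-3": 49.8},
    {"PT-1": 50.2, "PT-2": 50.4, "PT-3": 56.0},
    {"PT-1": 50.1, "PT-2": 50.3, "PT-3": 58.0},
    {"PT-1": 50.0, "PT-2": 50.2, "PT-3": 60.0},
    {"PT-1": 50.0, "PT-2": 50.1, "PT-3": None},
]
```

With only two good transmitters the median cannot single one out, so both are returned as suspects.
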
Identification of SRAs in the Alarm Summary Page

GP 30-47 Definition of Alarm Priority:

“The relative importance assigned to an alarm within the alarm system to indicate the urgency of response (i.e., a function of seriousness of consequence and urgency)”

Which alarm would you respond to first?

• High High Pressure Trip on Well12
• Low Level on V101 Oil Separator
• Safety Shower Area 5 activated (Someone is in trouble now!)

Which alarm would you respond to first?

• High Level of the hot oil reservoir
• [SRA] Low Level on V101 Oil Separator
• UPS Fault

Two alarms are equal priority but respond to the SRA first
Safety Related Alarm Register

• Every operator should have access to the complete list of SRAs and a documented defined response
• This example from BP Alaska shows an “Online ARM” (Alarm Response Manual) integrated into the BPCS displays. It can be viewed:
– In static mode i.e. as a list that you can search through
– In dynamic mode i.e. where it displays the currently active alarms

Principal ARM Fields:
• Alarm tag number
• Alarm tag descriptor
• Alarm categorisation flags
• Alarm setting / condition
• Initiating causes of the alarm
• Consequence description
• Time to event (TTE)
• Operator response and corrective action
• Operator Response Time (ORT)
• Alarm priority
• Invalid operational modes

[Figure: Online ARM screenshots labelled "Alarm Summary Page" and "Alarm Response Manual".]
Summary - Basic Process Control System Layers of Protection

• There are three Instrument LoPs in the BPCS:
− Control Loop
− Safety Related Alarm
− Interlock Function
• They must be independent of each other to be credited in a LOPA
• Control Loops:
− Should be in automatic mode at least 95% of the time
− Shouldn’t be prevented from providing protection (e.g. by being saturated, in manual, or the setpoint outside of Normal Operating Limits)
• Safety related alarms:
a. Prioritized so it is acted on to prevent the hazard
b. The operator is always present
c. Operator has received training in the response
d. The response is documented in the operating procedures (ARM)
e. Action takes place quickly enough to prevent the hazard
• SRAs should not be shelved without appropriate controls
• SRAs should be acted on first when multiple alarms are received
• Instrument LoPs are to be identified to the operator and maintenance technicians
• High priority corrective action is required if an LoP fails (e.g. deviation alarm or faulty instrument)

Useful reading, contacts and websites

• GP 48-03 Layer of Protection Analysis (LOPA):
http://etplib.bpweb.bp.com/login/IntegratedLogin.jsp?docNumber=GP%2048-03&docType=etp
• GP 30-80 SIS Specification and Implementation
http://etplib.bpweb.bp.com/login/IntegratedLogin.jsp?docNumber=GP%2030-80&docType=etp
• GP 30-47 Alarm System Design and Management
http://etplib.bpweb.bp.com/login/IntegratedLogin.jsp?docNumber=GP%2030-47&docType=etp
• GN 30-471 Guidance Creating and Maintaining an Alarm Philosophy Document
http://etplib.bpweb.bp.com/login/IntegratedLogin.jsp?docNumber=GN%2030-471&docType=gn
• GN 30-472 Guidance on Creating and Maintaining an Alarm Response Manual
http://etplib.bpweb.bp.com/login/IntegratedLogin.jsp?docNumber=GN%2030-472&docType=gn
• GN 30-404 Control Loop Performance Management – Fundamentals
http://etplib.bpweb.bp.com/login/IntegratedLogin.jsp?docNumber=GN%2030-404&docType=gn
