Functional safety requirements of overfill prevention systems on explosive dangerous chemical tanks
1 Scope
This document specifies the functional safety requirements of overfill prevention systems installed on dangerous chemical tanks.
This document is applicable to above-ground fixed atmospheric tanks with a volume of more than 5 m3 that store petroleum and other dangerous chemical liquids. It may be used as a reference for fixed atmospheric liquid tanks with a volume of 5 m3 or less.
This document does not apply to LPG/LNG tanks, dedicated buffer tanks, engine fuel tanks, heating oil tanks, or oil tanks that receive oil only from tank vehicles (such as road tankers or rail tank cars).
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 20438.2-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
GB/T 20438.3-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 3: Software requirements
GB/T 21109.1-2007 Functional safety — Safety instrumented systems for the process industry sector — Part 1: Framework, definitions, system, hardware and software requirements
GB/T 29639 Guidelines for enterprises to develop emergency response plan for work place accidents
GB 50093 Code for construction and quality acceptance of automation instrumentation engineering
3 Terms and definitions
For the purpose of this document, the following terms and definitions apply.
3.1
alarm
audible and/or visual indication to an operator in case of equipment faults, process deviations, or other anomalies requiring a timely response
3.2
alert
audible and/or visual prompt to an operator when an operating condition predefined by the operator reaches a certain value
Note: An alert is set to remind the user/operator to investigate or to perform other corresponding actions.
3.3
atmospheric tank
tank with a design pressure of less than 0.1 MPa, built above the ground, storing non-refrigerated, non-highly-toxic petroleum, chemical and other liquid media
3.4
level of concern; LOC
appropriate alert level, alarm level and automatic overfill prevention trigger level, set by the owner or operator on the basis of a calculation of the tank's medium level
3.5
maximum working level; MW
maximum level allowed for tank feeding during normal operation
3.6
critical high level; CH
maximum level that can be reached during the tank feeding without harmful influence, beyond which medium overfill or tank damage will occur
Note: In terms of engineering design, the critical high level is also called "tank design level".
3.7
high-high tank level; HH
level sufficiently below the CH to be able to terminate the feed or medium transfer before reaching the CH
3.8
high-high tank level alarm; LAHH
alarm triggered at high-high tank level
3.9
high tank level; H
level of concern set between the maximum working level and the high-high tank level to provide alert or alarm to operators
3.10
high tank level alarm; LAH
alarm triggered at high tank level
3.11
response time; RT
duration required from the start of the alarm trigger to the completion of the set action (which may be performed manually or by an automatic system)
3.12
final element
valve, pump or other device that can stop inflow and prevent tanks from being overfilled
3.13
overfill prevention system; OPS
protection system for preventing tank medium from overfilling
Note: OPS may be a technical measure, a management measure, or both.
3.14
manual overfill prevention system; MOPS
overfill prevention system that requires action by operators
3.15
automatic overfill prevention system; AOPS
overfill prevention system that requires no action by operators
3.16
dangerous failure
failure of components and/or subsystems and/or systems with effects on the performance of safety functions, which may:
a) prevent a safety function from being performed if required (request mode), or lead to the failure of safety function (continuous mode), thus causing the EUC to enter a dangerous or potentially dangerous state;
b) reduce the probability that a safety function is performed correctly if required
[Source: GB/T 20438.4-2017, 3.6.7]
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General requirements of OPS
5.1 General requirements
5.2 Classification of tank monitoring modes and instrumentation configurations of OPS
5.3 Functional safety requirements of OPS in the full life cycle
6 Safety management requirements for overfill prevention
6.1 General requirements
6.2 Requirements for management of level of concern and periodic review
6.3 Functional safety assessment requirements of OPS
6.4 Requirements of safety management system on overfill prevention
6.5 Safety procedure requirements of overfill prevention operation
6.6 Requirements of emergency response plan for tank overfilling accidents
7 Risk assessment on tank overfilling
7.1 General requirements
7.2 Requirements for implementation of risk assessment
8 Safety requirement allocation for OPS
8.1 General requirements
8.2 Requirements for implementation of safety requirement allocation
9 Design requirements for OPS
9.1 General requirements
9.2 Design of level of concern
9.3 Classification and composition of OPSs
9.4 Functional safety design of AOPS
9.5 Safety protection design of OPS
10 Installation requirements for OPS
11 Safety validation requirements for OPS
11.1 Installation validation requirements
11.2 Hardware validation requirements
11.3 Function validation requirements
11.4 Application validation requirements
11.5 Operation validation requirements
12 Acceptance requirements for OPS
13 Proof test and maintenance requirements for OPS
13.1 General requirements
13.2 Technical requirements
14 MOC requirements for OPS
14.1 General requirements
14.2 MOC requirements
14.3 Requirements for changed documents
15 Decommissioning requirements for OPS
Annex A (Informative) Installation requirements for level detection instruments
Bibliography
Figure 1 General technical model of OPS
Figure 2 Tank level of concern
Table 1 Classification of tank monitoring modes and instrumentation configurations of OPS
Table 2 Correspondence table of tank monitoring modes and level of concern setting
Table A.1 Installation requirements for level detection instruments
3.17
safe failure
failure of components and/or subsystems and/or systems with effects on the performance of safety functions, which:
a) results in spurious operation of the safety function, putting the EUC (or part thereof) into a safe state or keeping it in a safe state; or
b) increases the probability of spurious operation of the safety function putting the EUC (or part thereof) into a safe state or keeping it in a safe state
[Source: GB/T 20438.4-2017, 3.6.8]
3.18
functional safety
part of the overall safety relating to the process and the BPCS which depends on the correct functioning of the SIS and other protection layers
[Source: GB/T 21109.1-2007, 3.2.25]
3.19
functional safety assessment
investigation, based on evidence, to judge the functional safety achieved by one or more protection layers
[Source: GB/T 21109.1-2007, 3.2.26]
3.20
random hardware failure
failure, occurring at a random time, which results from one or more of the possible degradation mechanisms in the hardware
Note 1: There are many degradation mechanisms occurring at different rates in different components, and since manufacturing tolerances cause components to fail due to these mechanisms after different times in operation, failures of equipment comprising many components occur at predictable rates but at unpredictable (i.e. random) times.
Note 2: A major distinguishing feature between random hardware failures and systematic failures is that system failure rates (or other appropriate measures) arising from random hardware failures can be quantified with reasonable accuracy, whereas systematic failures cannot be accurately predicted; hence the system failure rate arising from systematic failures cannot be accurately quantified statistically, because the events leading to systematic failures cannot easily be predicted.
[Source: GB/T 20438.4-2017, 3.6.5]
3.21
safety instrumented system; SIS
instrumented system used to implement one or more safety instrumented functions. An SIS may be composed of any combination of sensors, logic solvers and final elements.
[Source: GB/T 21109.1-2007, 3.2.72]
3.22
safety integrity
average probability of a safety instrumented system satisfactorily performing the required safety instrumented functions under all stated conditions within a stated period of time
[Source: GB/T 21109.1-2007, 3.2.73]
3.23
safety instrumented function; SIF
safety function with a specified SIL which is necessary to achieve functional safety, and which can be either a safety instrumented protection function or a safety instrumented control function
Note: This term differs from GB/T 21109.1-2007 in order to reflect industry practice.
3.24
safety integrity level; SIL
discrete level (one out of four) for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented systems. SIL 4 has the highest level of safety integrity and SIL 1 the lowest.
[Source: GB/T 21109.1-2007, 3.2.74]
3.25
safety requirements specification; SRS
specification that contains all the requirements of the safety instrumented functions that have to be performed by the safety instrumented systems
Note: This term differs from GB/T 21109.1-2007 in order to reflect industry practice.
3.26
proof test
test performed to reveal undetected faults in a safety instrumented system so that, if necessary, the system can be restored to its designed functionality
[Source: GB/T 21109.1-2007, 3.2.58]
3.27
safe state
state of the process when safety is achieved
Note 1: In this document, the safe state mainly refers to a feeding process state that will not cause tank overflow.
Note 2: The definition of this term differs from that in GB/T 21109.1-2007 in order to reflect industry practice.
4 Abbreviations
The following abbreviations apply to this document.
AOPS: Automated Overfill Prevention System
ATG: Automatic Tank Gauge
BPCS: Basic Process Control System
EMC: Electromagnetic Compatibility
EUC: Equipment Under Control
FMEA: Failure Mode and Effects Analysis
FPL: Fixed Program Language
FVL: Full Variability Language
HAZOP: Hazard and Operability Study
HFT: Hardware Fault Tolerance
LVL: Limited Variability Language
MOC: Management of Change
MOPS: Manual Overfill Prevention System
MTTR: Mean Time to Restoration
OPS: Overfill Prevention System
PE: Programmable Electronic
PFD: Probability of Dangerous Failure on Demand
PFH: Average Frequency of a Dangerous Failure per Hour
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System
SRS: Safety Requirements Specification
UPS: Uninterruptible Power Supply
5 General requirements of OPS
5.1 General requirements
5.1.1 The OPS shall include both technical measures and management measures.
5.1.2 Technical measures of the OPS may include a high tank level alarm, a level high-high interlock, and the like. A typical arrangement of technical measures is shown in Figure 1.
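As an added worked example (not text or code from the standard), the following Python checks a proposed set of levels of concern (3.4 to 3.11) for consistent ordering and for an HH-to-CH margin that covers the level rise during the response time, and maps a measured level to the alert, LAH and LAHH states of the technical measures in 5.1.2. The rise formula Q·RT/A for a tank of constant cross-section and the tank figures used are assumptions, not values taken from the document.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LevelsOfConcern:
    """Levels of concern (3.4) for one tank, all in metres of liquid."""
    mw: float  # maximum working level (3.5)
    h: float   # high tank level, triggers LAH (3.9, 3.10)
    hh: float  # high-high tank level, triggers LAHH (3.7, 3.8)
    ch: float  # critical high level (3.6)

def level_rise_during_rt(feed_rate_m3_h: float, response_time_s: float,
                         cross_section_m2: float) -> float:
    """Level rise between the LAHH trigger and completion of the set action
    (3.11). Constructed formula Q * RT / A for a vertical tank of constant
    cross-section; an illustration, not text of the standard."""
    return feed_rate_m3_h * response_time_s / 3600.0 / cross_section_m2

def check_levels(loc: LevelsOfConcern, feed_rate_m3_h: float,
                 response_time_s: float, cross_section_m2: float) -> list:
    """Return findings for a proposed set of levels; [] means consistent."""
    findings = []
    if loc.mw > loc.h:
        findings.append("H lies below MW (3.9)")
    if loc.h >= loc.hh:
        findings.append("H is not below HH (3.9)")
    if loc.hh >= loc.ch:
        findings.append("HH is not below CH (3.7)")
    rise = level_rise_during_rt(feed_rate_m3_h, response_time_s, cross_section_m2)
    if loc.ch - loc.hh < rise:
        findings.append(f"HH-to-CH margin {loc.ch - loc.hh:.2f} m is smaller "
                        f"than the {rise:.2f} m rise during RT (3.7, 3.11)")
    return findings

def ops_state(level_m: float, loc: LevelsOfConcern) -> str:
    """Alert/alarm/trip state of the technical measures in 5.1.2."""
    if level_m >= loc.hh:
        return "LAHH"    # high-high alarm; the AOPS closes the final element (3.12)
    if level_m >= loc.h:
        return "LAH"     # high alarm; the operator stops the feed (MOPS)
    if level_m > loc.mw:
        return "alert"   # above the maximum working level
    return "normal"

if __name__ == "__main__":
    # Constructed tank: 100 m2 cross-section, fed at 300 m3/h, RT of 10 min.
    loc = LevelsOfConcern(mw=8.5, h=9.0, hh=9.4, ch=10.0)
    print(check_levels(loc, 300.0, 600.0, 100.0))  # [] -> consistent
    print(check_levels(LevelsOfConcern(8.5, 9.0, 9.8, 10.0), 300.0, 600.0, 100.0))
    print([ops_state(x, loc) for x in (8.0, 8.7, 9.1, 9.6)])
```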