Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General requirements of OPS
5.1 General requirements
5.2 Classification of tank monitoring modes and instrumentation configurations of OPS
5.3 Functional safety requirements of OPS in the full life cycle
6 Safety management requirements for overfill prevention
6.1 General requirements
6.2 Requirements for management of level of concern and periodic review
6.3 Functional safety assessment requirements of OPS
6.4 Requirements of safety management system on overfill prevention
6.5 Safety procedure requirements of overfill prevention operation
6.6 Requirements of emergency response plan for tank overfilling accidents
7 Risk assessment on tank overfilling
7.1 General requirements
7.2 Requirements for implementation of risk assessment
8 Safety requirement allocation for OPS
8.1 General requirements
8.2 Requirements for implementation of safety requirement allocation
9 Design requirements for OPS
9.1 General requirements
9.2 Design of level of concern
9.3 Classification and composition of OPSs
9.4 Functional safety design of AOPS
9.5 Safety protection design of OPS
10 Installation requirements for OPS
11 Safety validation requirements for OPS
11.1 Installation validation requirements
11.2 Hardware validation requirements
11.3 Function validation requirements
11.4 Application validation requirements
11.5 Operation validation requirements
12 Acceptance requirements for OPS
13 Proof test and maintenance requirements for OPS
13.1 General requirements
13.2 Technical requirements
14 MOC requirements for OPS
14.1 General requirements
14.2 MOC requirements
14.3 Requirements for changed documents
15 Decommissioning requirements for OPS
Annex A (Informative) Installation requirements for level detection instruments
Bibliography
Figure 1 General technical model of OPS
Figure 2 Tank level of concern
Table 1 Classification of tank monitoring modes and instrumentation configurations of OPS
Table 2 Correspondence table of tank monitoring modes and level of concern setting
Table A.1 Installation requirements for level detection instruments
Overfill prevention systems for explosive dangerous chemical tanks
Functional safety requirements
1 Scope
This document specifies the functional safety requirements for overfill prevention systems installed on dangerous chemical tanks.
This document applies to fixed above-ground atmospheric tanks with a volume of more than 5 m³ storing petroleum and other dangerous chemical liquids. Fixed atmospheric liquid tanks with a volume of 5 m³ or less may be handled by reference to this document.
This document does not apply to LPG/LNG tanks, dedicated buffer tanks, engine fuel oil tanks, heating oil tanks, or oil tanks that receive oil only from wheeled tank vehicles (such as tank trucks or rail tank cars).
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes indispensable provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 20438.2—2017 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
GB/T 20438.3—2017 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 3: Software requirements
GB/T 21109.1—2007 Functional safety — Safety instrumented systems for the process industry sector — Part 1: Framework, definitions, system, hardware and software requirements
GB/T 29639 Guidelines for enterprises to develop emergency response plans for work place accidents
GB 50093 Code for construction and quality acceptance of automation instrumentation engineering
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
alarm
audible and/or visual indication to an operator of an equipment fault, process deviation or other abnormal condition that requires a timely response
3.2
alert
audible and/or visual prompt to an operator when an operating condition predefined by the operator has reached a set value
Note: An alert is intended to remind the user/operator to investigate or to take other corresponding action.
3.3
atmospheric tank
tank with a design pressure of less than 0.1 MPa, built above ground, storing non-artificially-refrigerated, non-highly-toxic liquid media such as petroleum and chemical products
3.4
level of concern; LOC
alert level, alarm level and automatic overfill prevention trigger level set appropriately by the owner or operator on the basis of calculation of the tank's medium level
3.5
maximum working level; MW
highest level that tank feeding is permitted to reach during normal operation
3.6
critical high level; CH
highest level that can be reached during tank feeding without harmful effect, beyond which medium overflow, tank damage or similar consequences occur
Note: In engineering design the critical high level is also called the "tank design level".
3.7
high-high tank level; HH
level sufficiently far below the critical high level (CH) that feeding or medium transfer can be stopped before CH is reached
3.8
high-high tank level alarm; LAHH
alarm triggered when the high-high tank level is reached
3.9
high tank level; H
level of concern set between the maximum working level and the high-high tank level that provides an alert or alarm to operating personnel
3.10
high tank level alarm; LAH
alarm triggered when the tank level reaches the high tank level
3.11
response time; RT
time required from the triggering of an alarm to the completion of the specified action (which may be performed manually or by an automatic system)
3.12
final element
valve, pump or other equipment that can stop inflow and prevent tank overflow
3.13
overfill prevention system; OPS
protection system that prevents tank medium from overflowing
Note: An OPS may consist of technical measures, management measures, or both.
3.14
manual overfill prevention system; MOPS
overfill prevention system that requires operator action
3.15
automatic overfill prevention system; AOPS
overfill prevention system that requires no operator action
3.16
dangerous failure
failure of an element and/or subsystem and/or system that plays a part in implementing the safety function and that:
a) prevents a safety function from operating when required (demand mode), or causes a safety function to fail (continuous mode), such that the EUC is put into a hazardous or potentially hazardous state; or
b) decreases the probability that the safety function operates correctly when required
[Source: GB/T 20438.4—2017, 3.6.7]
3.17
safe failure
failure of an element and/or subsystem and/or system that plays a part in implementing the safety function and that:
a) results in the spurious operation of the safety function to put the EUC (or part thereof) into a safe state or to maintain a safe state; or
b) increases the probability of the spurious operation of the safety function to put the EUC (or part thereof) into a safe state or to maintain a safe state
[Source: GB/T 20438.4—2017, 3.6.8]
3.18
functional safety
part of the overall safety relating to the process and the BPCS that depends on the correct functioning of the SIS and other protection layers
[Source: GB/T 21109.1—2007, 3.2.25]
3.19
functional safety assessment
investigation, based on evidence, to judge the functional safety achieved by one or more protection layers
[Source: GB/T 21109.1—2007, 3.2.26]
3.20
random hardware failure
failure, occurring at a random time, that results from one or more of the possible degradation mechanisms in the hardware
Note 1: There are many degradation mechanisms occurring at different rates in different components, and since manufacturing tolerances cause components to fail through these mechanisms after different times in operation, failures of equipment comprising many components occur at predictable rates but at unpredictable (i.e. random) times.
Note 2: A major distinguishing feature between random hardware failures and systematic failures is that system failure rates (or other appropriate measures) arising from random hardware failures can be predicted with reasonable accuracy, whereas systematic failures, by their very nature, cannot be accurately predicted, so the system failure rate arising from systematic failures cannot be accurately quantified statistically. That is, system failure rates arising from random hardware failures can be quantified with reasonable accuracy, but those arising from systematic failures cannot, because the events leading to systematic failures cannot easily be predicted.
[Source: GB/T 20438.4—2017, 3.6.5]
3.21
safety instrumented system; SIS
instrumented system used to implement one or more safety instrumented functions. An SIS may be composed of any combination of sensors, logic solvers and final elements.
[Source: GB/T 21109.1—2007, 3.2.72]
3.22
safety integrity
average probability of a safety instrumented system satisfactorily performing the required safety instrumented functions under all stated conditions within a stated period of time
[Source: GB/T 21109.1—2007, 3.2.73]
3.23
safety instrumented function; SIF
safety function with a specified SIL that is necessary to achieve functional safety and that can be either a safety instrumented protection function or a safety instrumented control function
Note: This term differs from GB/T 21109.1—2007 in order to reflect industry usage.
3.24
safety integrity level; SIL
discrete level (one of four) used to specify the safety integrity requirements of the safety instrumented functions allocated to a safety instrumented system. SIL 4 is the highest level of safety integrity and SIL 1 the lowest.
[Source: GB/T 21109.1—2007, 3.2.74]
3.25
safety requirements specification; SRS
specification containing all the requirements of the safety instrumented functions that have to be performed by the safety instrumented system
Note: This term differs from GB/T 21109.1—2007 in order to reflect industry usage.
3.26
proof test
test performed to reveal undetected faults in a safety instrumented system so that, if necessary, the system can be restored to its designed functionality
[Source: GB/T 21109.1—2007, 3.2.58]
3.27
safe state
state of the process when safety is achieved
Note 1: In this document the safe state mainly refers to a feed process state in which tank overflow will not occur.
Note 2: This definition differs from that in GB/T 21109.1—2007 in order to reflect industry usage.
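The levels of concern in 3.4 to 3.12 form a fixed ordering (MW below H below HH below CH) whose spacing is governed by the response time RT and the capability of the final element. The following Python is an added worked example, not part of the standard or of any referenced document: it derives H and HH downwards from CH for a constructed tank, checks the ordering, tests whether a trip at HH with a given RT still stops the feed below CH, and maps sample level readings to LAH/LAHH. It assumes a vertical cylindrical tank, a constant maximum feed rate, a margin equal to the level rise during the whole RT, and an assumed design allowance (safety_factor); all names and numbers are constructed for illustration.

```python
"""Worked example of the tank levels of concern defined in 3.4 to 3.12.

Added for illustration; this code is not part of the standard. It assumes a
vertical cylindrical tank, a constant maximum feed rate, and that the margin
between a level of concern and the next higher level must absorb the level
rise during the whole response time RT (3.11). All numbers are constructed.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Tank:
    diameter_m: float        # internal diameter (assumed vertical cylinder)
    critical_high_m: float   # CH, the tank design level (3.6)

    @property
    def area_m2(self) -> float:
        return math.pi * (self.diameter_m / 2.0) ** 2


@dataclass(frozen=True)
class LevelsOfConcern:
    mw: float   # maximum working level (3.5)
    h: float    # high level, LAH set point (3.9 / 3.10)
    hh: float   # high-high level, LAHH / AOPS trip set point (3.7 / 3.8)
    ch: float   # critical high level (3.6)


def rise_during_response(feed_rate_m3_h: float, response_time_s: float, area_m2: float) -> float:
    """Level rise in metres while the feed continues for the response time RT."""
    return feed_rate_m3_h / 3600.0 * response_time_s / area_m2


def design_levels(tank: Tank, feed_rate_m3_h: float, mw_m: float,
                  rt_aops_s: float, rt_operator_s: float,
                  safety_factor: float = 1.5) -> LevelsOfConcern:
    """Derive HH and H from CH, working downwards.

    HH is placed below CH by the rise during the AOPS response time so the
    feed is stopped before CH (3.7); H is placed below HH by the rise during
    the operator's response time so a manual response to LAH can succeed
    before LAHH (3.9). safety_factor is an assumed design allowance.
    """
    area = tank.area_m2
    hh = tank.critical_high_m - safety_factor * rise_during_response(feed_rate_m3_h, rt_aops_s, area)
    h = hh - safety_factor * rise_during_response(feed_rate_m3_h, rt_operator_s, area)
    return LevelsOfConcern(mw=mw_m, h=h, hh=hh, ch=tank.critical_high_m)


def validate(levels: LevelsOfConcern) -> list[str]:
    """Return the ordering violations; an empty list means MW < H < HH < CH holds."""
    problems = []
    if not levels.mw < levels.h:
        problems.append(f"H ({levels.h:.3f}) must lie above MW ({levels.mw:.3f})")
    if not levels.h < levels.hh:
        problems.append(f"H ({levels.h:.3f}) must lie below HH ({levels.hh:.3f})")
    if not levels.hh < levels.ch:
        problems.append(f"HH ({levels.hh:.3f}) must lie below CH ({levels.ch:.3f})")
    return problems


def trip_stops_before_ch(tank: Tank, levels: LevelsOfConcern,
                         feed_rate_m3_h: float, actual_rt_s: float) -> bool:
    """Does a trip at HH, with the measured response time, still stop the feed below CH?"""
    final_level = levels.hh + rise_during_response(feed_rate_m3_h, actual_rt_s, tank.area_m2)
    return final_level <= tank.critical_high_m


def classify(level_m: float, levels: LevelsOfConcern) -> str:
    """Map one level reading to the OPS action implied by 3.6, 3.8 and 3.10."""
    if level_m >= levels.ch:
        return "OVERFILL"        # CH exceeded: overflow or tank damage
    if level_m >= levels.hh:
        return "LAHH"            # AOPS trips the final element (3.12)
    if level_m >= levels.h:
        return "LAH"             # operator alert/alarm, manual response
    return "NORMAL"


# Constructed example tank: 10 m diameter, CH at 12.0 m, fed at up to 500 m3/h.
TANK = Tank(diameter_m=10.0, critical_high_m=12.0)
FEED_M3_H = 500.0
LEVELS = design_levels(TANK, FEED_M3_H, mw_m=9.0, rt_aops_s=120.0, rt_operator_s=900.0)

if __name__ == "__main__":
    print(LEVELS)
    print("ordering problems:", validate(LEVELS))
    for rt in (120.0, 240.0):   # designed RT versus a valve that closes twice as slowly
        print(f"trip at HH with RT={rt:.0f} s stops before CH:",
              trip_stops_before_ch(TANK, LEVELS, FEED_M3_H, rt))
    for reading in (8.5, 9.2, 9.5, 11.7, 12.1):   # constructed readings in metres
        print(f"{reading:5.2f} m -> {classify(reading, LEVELS)}")
```

With the constructed figures HH comes out at about 11.68 m and H at about 9.29 m. The second RT case shows the point of 3.7 and 3.11: a final element that closes in 240 s instead of the 120 s assumed in design lets the level pass CH before the feed stops, so a measured RT must be checked against the HH margin, not assumed.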
4 Abbreviations
The following abbreviations apply to this document.
AOPS: Automatic Overfill Prevention System
ATG: Automatic Tank Gauge
BPCS: Basic Process Control System
EMC: Electromagnetic Compatibility
EUC: Equipment Under Control
FMEA: Failure Mode and Effects Analysis
FPL: Fixed Program Language
FVL: Full Variability Language
HAZOP: Hazard and Operability Study
HFT: Hardware Fault Tolerance
LVL: Limited Variability Language
MOC: Management of Change
MOPS: Manual Overfill Prevention System
MTTR: Mean Time to Restoration
OPS: Overfill Prevention System
PE: Programmable Electronic
PFD: Probability of Dangerous Failure on Demand
PFH: Average Frequency of a Dangerous Failure per Hour
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System
SRS: Safety Requirements Specification
UPS: Uninterruptible Power Supply
5 General requirements for OPS
5.1 General requirements
5.1.1 An overfill prevention system shall include both technical measures and management measures.
5.1.2 The technical measures of an overfill prevention system may include high level alarms, level high-high interlocks and the like. A typical arrangement of technical measures is shown in Figure 1.