What elements should be included as SCE

The definition of what equipment makes up an SCE can in some situations be subjective. Whether you define SCE as individual pieces of equipment (a valve or a transmitter) or apply the systems approach (a complete trip function) you have to at some point define the equipment that is involved. For a simple de-energise to trip function, this is straightforward forward including only the components relating to the sensor, logic solver and final elements. As per the diagram.

SCE Function

But what happens if you have an SCE that doesn’t fit this mould? Maybe an energise to trip function that requires instrument air to complete the action. How much of the instrument air system should be included as part of the SCE? This blog aims to provide some definitions and give some examples.

MHF Definition

Below is an example of a definition of SCE

Safety Critical Element

This means any part of a facility or its plant (including a computer program) -

          • That has the purpose of preventing, or limiting the effect of, a major incident; and
          • The failure of which could cause or contribute substantially to a major incident.

Our previous blog on safety critical elements covered the subject of how to identify SCE -  https://blog.safetysolutions.com.au/are-you-over-cooking-your-safety-critical-elements

What can we learn from Functional Safety

From the functional safety standards, a safety function (which could be an SCE) is assessed based on the failure rate of the equipment. The specific failure rate used in the calculations for the integrity of the function is the frequency of dangerous undetected failures.

The functional safety approach leads to a definition of what equipment should be included in an SCE as:

“The equipment required to be included in an SCE are the ones that failure of which could directly lead to an undetected failure of the function”

 

Alarm Management - white 4x3

 

LOPA Training Course - white 4x3

 

Process Safety Foundations - white 4x3

 

Find out about our INTRODUCTION TO ALARM MANAGEMENT Course HERE! We offer Consulting Services for LOPA Studies HERE!  Find out about our next PROCESS SAFETY FOUNDATIONS course HERE!

Failure Detection

It can be considered that there are two levels of failure detection:

Detect and Act – On detection of a fault with the function, activate the trip by a safe means.

Detect and Alarm - On detection of a fault with the function, activate an alarm, the operator must know that it is important to act on that alarm as protection is compromised until it is resolved.

The first of these is preferable as it ensures the unit only runs when appropriate protections are in place. However, depending on the function a safe state may be to continue temporarily running until the protection system is fixed

Examples

Below are a couple of examples of how this definition may be applied.

 

Example1 - High-pressure trip of a unit with valves that are spring return to a safe state

For this example, all the equipment related to the Sensor Logic Solver and Valve Assembly would be required, but as these systems are fail-safe, they should fail to a safe state on loss of power/instrument air. Therefore, no auxiliary systems components are required to be part of the SCE.

Example 2 - High-pressure trip of a unit with valves that are double-acting

For this example, all the equipment related to the Sensor Logic Solver and Valve Assembly would be required, As the valves are double-acting they require instrument air pressure to action the trip.

Detect and act could be achieved if a trip valve is used (such as a fisher 377), where a detection of falling pressure will shut the valve whilst enough pressure remains to act. The Trip valve is then considered part of the SCE equipment

Detect and Alarm could be achieved with a pressure transmitter appropriately located on the instrument air system. This transmitter would then be considered part of the SCE Equipment