The Risk of LOPA and SIL Classification in the process industry

Similar documents
innova-ve entrepreneurial global 1

Process Safety Journey

Every things under control High-Integrity Pressure Protection System (HIPPS)

Solenoid Valves used in Safety Instrumented Systems

Solenoid Valves For Gas Service FP02G & FP05G

FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions

Expert System for LOPA - Incident Scenario Development -

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions

THE BAKER REPORT HOW FINDINGS HAVE BEEN USED BY JOHNSON MATTHEY TO REVIEW THEIR MANUFACTURING OPERATIONS

A large Layer of Protection Analysis for a Gas terminal scenarios/ cause consequence pairs

Using LOPA for Other Applications

Bespoke Hydraulic Manifold Assembly

SPR - Pneumatic Spool Valve

SIL explained. Understanding the use of valve actuators in SIL rated safety instrumented systems ACTUATION

Hydraulic (Subsea) Shuttle Valves

PSM TRAINING COURSES. Courses can be conducted in multi-languages

VALIDATE LOPA ASSUMPTIONS WITH DATA FROM YOUR OWN PROCESS

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI

Safety in Petroleum Industry

Partial Stroke Testing. A.F.M. Prins

Understanding the How, Why, and What of a Safety Integrity Level (SIL)

Valve Communication Solutions. Safety instrumented systems

Knowledge, Certification, Networking

Risk reducing outcomes from the use of LOPA in plant design and operation

Section 1: Multiple Choice

High Integrity Pressure Protection Systems HIPPS

SAFETY SEMINAR Rio de Janeiro, Brazil - August 3-7, Authors: Francisco Carlos da Costa Barros Edson Romano Marins

DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508

RESILIENT SEATED BUTTERFLY VALVES FUNCTIONAL SAFETY MANUAL

4-sight Consulting. IEC case study.doc

Impact on People. A minor injury with no permanent health damage

DeZURIK. KGC Cast Knife Gate Valve. Safety Manual

FUNCTIONAL SAFETY: SIL DETERMINATION AND BEYOND A CASE STUDY FROM A CHEMICAL MANUFACTURING SITE

Lessons Learned from the Texas City Refinery Explosion Mike Broadribb

Combining disturbance simulation and safety analysis techniques for improvement of process safety and reliability

SIL Allocation. - Deterministic vs. risk-based approach - Layer Of Protection Analysis (LOPA) overview

L&T Valves Limited SAFETY INTEGRITY LEVEL (SIL) VERIFICATION FOR HIGH INTEGRITY PRESSURE PROTECTION SYSTEM (HIPPS) Report No.

Understanding IPL Boundaries

Functional safety. Functional safety of Programmable systems, devices & components: Requirements from global & national standards

Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons

The Key Variables Needed for PFDavg Calculation

TRI LOK SAFETY MANUAL TRI LOK TRIPLE OFFSET BUTTERFLY VALVE. The High Performance Company

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance

DeZURIK Double Block & Bleed (DBB) Knife Gate Valve Safety Manual

Jamesbury Pneumatic Rack and Pinion Actuator

DeZURIK. KSV Knife Gate Valve. Safety Manual

Neles trunnion mounted ball valve Series D Rev. 2. Safety Manual

Implementing IEC Standards for Safety Instrumented Systems

COMPLIANCE with IEC EN and IEC EN 61511

Advanced LOPA Topics

PROCESS AUTOMATION SIL. Manual Safety Integrity Level. Edition 2005 IEC 61508/61511

Section 1: Multiple Choice Explained EXAMPLE

COMMON MISUNDERSTANDINGS ABOUT THE PRACTICAL APPLICATION OF IEC 61508

This manual provides necessary requirements for meeting the IEC or IEC functional safety standards.

EMERGENCY SHUT-DOWN RELIABILITY ADVANTAGE

High performance disc valves Series Type BA, BK, BW, BM, BN, BO, BE, BH Rev Safety Manual

Dynamic simulation of Texas City Refinery explosion for safety studies

Proposal title: Biogas robust processing with combined catalytic reformer and trap. Acronym: BioRobur

REPEATED ACCIDENT CAUSES CAN WE LEARN?

Process Safety and the Human Factor

Hazard Operability Analysis

Major Hazard Facilities. Major Accident Identification and Risk Assessment

Understanding safety life cycles

Proof Testing A key performance indicator for designers and end users of Safety Instrumented Systems

PART 1.2 HARDWARE SYSTEM. Dr. AA, Process Control & Safety

Safety manual for Fisher GX Control Valve and Actuator

Ultima. X Series Gas Monitor

SEMS II: BSEE should focus on eliminating human error

Process Safety Management Of Highly Hazardous Chemicals OSHA 29 CFR

National Safety Council 94 th Annual Congress and Expo. Commitment to a Proactive Safety Culture: Abnormal Situation Recognition and Management

UNDERSTANDING SAFETY INTEGRITY LEVEL

Major Hazard Facilities. Control Measures and Adequacy

Double whammy: the benefits of valve signatures and partial stroke testing

Engineering Safety into the Design

Failure Modes, Effects and Diagnostic Analysis

Delayed Coker Automation & Interlocks

Are We Doing It Wrong? Jim McGlone, MBA, GICSP CMO, Kenexis

Session One: A Practical Approach to Managing Safety Critical Equipment and Systems in Process Plants

RELIEF VALVES IN PARALLEL

Failure Modes, Effects and Diagnostic Analysis

Proposed Abstract for the 2011 Texas A&M Instrumentation Symposium for the Process Industries

The Relationship Between Automation Complexity and Operator Error

Point level switches for safety systems

Part 2.5 Dispersion Modeling Using ALOHA

Rosemount 2130 Level Switch

Review and Assessment of Engineering Factors

The IEC61508 Inspection and QA Engineer s hymn sheet

AUSTRALIA ARGENTINA CANADA EGYPT NORTH SEA U.S. CENTRAL U.S. GULF. SEMS HAZARD ANALYSIS TRAINING September 29, 2011

INSPECTIONS OF THE LPG ESTABLISHMENTS IN PORTUGAL. Graça Bravo. 26th September 2017

HAMS-GPS : HAZOP Study for : MyCo.

Safety Manual. Process pressure transmitter IPT-1* 4 20 ma/hart. Process pressure transmitter IPT-1*

Safety Instrumented Systems in Regulator Station Design. SIL Verification of Standard Design Alan Burt

BROCHURE. Pressure relief A proven approach

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

Safety Integrity Verification and Validation of a High Integrity Pressure Protection System (HIPPS) to IEC 61511

SYMPOSIUM SERIES NO 160 HAZARDS ABB

SIL Safety Manual. ULTRAMAT 6 Gas Analyzer for the Determination of IR-Absorbing Gases. Supplement to instruction manual ULTRAMAT 6 and OXYMAT 6

Safety Manual VEGAVIB series 60

The Meaning and Context of Safety Integrity Targets

Transcription:

The Risk of LOPA and SIL Classification in the process industry Mary Kay O Connor Process Safety Center International Symposium Beyond Regulatory Compliance, Making Safety Second Nature October 28-29, 2008 Chris Pietersen Safety Solutions Consultants BV pietersen@safety-sc.com

Chris Pietersen Director SSC (before : TNO SSC) > TU Delft, Shell (Process Control) > 25 year in safety, TNO senior Research Fellow > Accident investigation (e.g. Bhopal, Mexico LPG) > Member Dutch Advisory Council for Hazardous Material > Leader Module Industrial Safety of official Dutch Safety Education Program >SSC: Life Cycle Process Safety: Consultant for the Process Industry.

Process Safety Philosophy Technical: HAZOP, SIL, LOPA, QRA Organisational Safety Management, Learning from incidents Culture Safety Culture Assessment (SCM) Behaviour

International SIL Standards: IEC 61508/ 61511: Risk Based Approach -Evaluate the Risk of a (HAZOP derived) scenario - Determine the required Risk reduction magnitude - Design or Verify the Risk Control Measure - Implement in Safety Management System

Potential Pitfalls (1) The quality of the HAZOP study Team composition/ experience As built drawings Project budget/ planning Inherent Safety Credibility, information of LOC scenario s for SIL/ LOPA The risk analysis capability of the team Consequence / frequency assessment (In) dependencies in causes and control measures

Potential Pitfalls (2) The SIL verification: Functionality check (In) dependencies PFD calculations Safety management of SIL Plan, Do, Check, Act approach Procedures and Workinstruction

The need for a SIS The risk of overfilling a vessel Examples from disasters Buncefield explosion (UK): Overfilling of storage tank (December 2005) Texas City disaster: Overfilling of distillation tower (March 2005) Mexico City LPG Disaster : Overfilling a storage sphere (November 1984)

Overfilling Tank 912 Buncefield Depot 11 December 2005 > Filling (from pipeline) with motorfuel (550-890 m3/hr) > Start filling tank: 19.00 hr, overfilling/release: 5.20 hr > Explosion: 06.01 hr > Automatic Overfill protection system failed (levelswitch): IEC 61511: Reliability of (overfill) protection system > Main Problem: Safety Management, no risk based approach.

Explosion Texas Refinery, 23 March 2005 Continued overfilling of the raffinate splitter in the isomerisation during start-up (closed outlet) Opening Relief valves to Blowdown drum and Loss of Containment (200 m3) via ventstack at 36 meter height. Explosion and fire, temporary trailers: 15 fatalities/ >170 injured persons

Texas disaster aspects Inherent Safety: vent to non-safe location Proposed modification not implemented. Post disaster reaction industry: SIL protection overfilling! IEC 61508: always consider inherent safety first Effort to be put at safe design/ controlled system; remaining risk: SIL HAZOP start-up not performed Common practice in industry: only continuous process IEC 61508: A systematic Hazard Identification for all Life Cycle phases is required before the SIL approach is applied.

Inherent Safety Example SIL Runaway reaction killing system Venting to non-safe location

Texas disaster aspects (2) Level instrumentation bottom splitter (Texas) Level transmitter voor Level Control (not functional). Level indication (control room) via transmitter: failed High Level Alarm (72%, 2,3 m) : normal functioning Separate, redundant, hardwired high level alarm (78%, 2,4 m): Failed Level Sight Glass: not functional (dark residue) No automatic overfill protection IEC 61511 SIL Approach: SIS required Operator dependence (alarms, sight glass) Maintenance of safety critical equipment

Mexico City LPG depot 19 November 1984 Overfilling storage sphere

Consequences of overfilling 500 people killed BLEVE phenomenum No HAZOP No MOC No Overfill protection

IEC 61508/ 61511 SIL approach Perform a systematic hazard identification study HAZOP study Evaluate the risks of the identified hazards : Risk matrix, Risk Graph, LOPA Determine the need for risk reduction : Compare with acceptable Risk level Determine the required SIL of the SIS Verify the SIL for the SIS

Overfill Example HAZOP: overfilling can lead to an explosion: 1 fatality gas liquid from Unit 100 Separator V1 LT LC liquid from Recovery unit P-01 CV liquid

Risk reduction for overfill scenario: Result SIL 1 Consequences? People present? Escape possible? Team requirements Company Risk Policy Frequency of occurence? W3 W2 W1 C1 a - - Start C2 F1 F2 P1 P2 P1 P2 1 a - 2 1 a 2 1 a 3 2 1 C3 F1 3 2 1 F2 4 3 2 C4 na 4 3

Proposed Overfill protection system liquid from Unit 100 clos e high level signal gas XV- 01 Separator V1 stop LT 1 LT 2 L C 2 Liquid from Recovery unit P-01 4 verification requirements: liquid CV- 02 Functionality Independence of Control Architectural constraints Probabilistic requirement

Often limited to Probabilistic requirement Failure frequency verification for SIL 1: PFD < 10-1 (PFD=Probability of Failure on Demand) I I PLC PFD SIS = PFD Sens + PFD Is + PFD PLC + PFD valve + PFD pump PFD ½ λ DU T λ = failure frequency/ hr T= Proof test interval

PFD calculation Level transmitter DU = 6,0 10-7 / hsource: Sintef Isolator DU = 1,5 10-7 / hsource: Exida MCC relais DU = 2,0 10-7 / hsource: Sintef Solenoid valve DU = 9,0 10-7 / hsource: Sintef Valve+ actuator DU = 2,1 10-6 / hsource: Exida PLC PFD = 5,0 10-3 Source: TÜV Prooftest interval T 4 year Result: PFD SIS = 7,8 10-2 PFD < 10-1; Conclusion: SIL 1 probabilistic requirement fulfilled. Remarks: Only one of the four verification requirements Only if failure rate field data are collected over the lifecycle Often narrowed to calculations

The Hitchhiker's Guide to the Galaxy (Douglas Adams) Calculate The Ultimate Answer to The Great Question of Life, the Universe, and Everything. Answer after seven and a half million years' work : Computer: answer is correct : may be you never actually know what the question is!

LOPA aspect: IPL? Failure level control LC-1: Failure (LOC) V7 PSV 1 Design pressure V7: 10 bar Pressure V7 on loss of level V1: 60 bar HP Separator V1 LC 1 Causes: IC1: Failure of leveltransmitter IC2: Opening of manual valve HV-1 60 barg LCV 1 LC Condensate Vessel V7 10 barg PSV 7 Possible Protection Layers, IPL s): Relief valve at V7: PSV-7 Low level alarm of LC-1 Operator training/ procedure: action after alarm HV 1

LOPA results PSV: 0,01 Is operator an IPL? IC1: failure LC control: Frequency: 0,1 /yr? Frequency correction: - Presence of the risk(ptr): 1,0 - exposure (Pp): 0,5 - Ignition (Pi): 1,0 - Vulnerability human: 1,0 Total: 0,5* 10-3 /yr Failure V7 (LOC) IC2: Operator error: Frequency: 0,8 /yr PSV: 0,01 Operator: 0,1 Frequency correction: - Presence of the risk(ptr): 1,0 - exposure (Pp): 1,0 - Ignition (Pi): 1,0 - Vulnerability human: 1,0 Total: 0,8* 10-3 /yr Total: 1,3* 10-3 /yr

Determining SIL with LOPA LOC frequency: 1,3 * 10-3 /yr Consequences: 5 fatalities Acceptation criterium: 10-6 /yr Required PFD of a SIS: PFD SIS = 10-6 / 1,3 * 10-3 = 0,8* 10-3 (PFD SIS = 10-6 / 0,85 * 10-3 = 1,2* 10-3 with operator IPL) Result: PFD < 10-3 SIL 3 (Result: PFD < 10-2 SIL 2 with operator IPL) Operator should generally not be seen as an IPL!

Before and after

Furnace

Explosion in furnace, 2003 3 people died HAZOP/ SIL Classification/ -verification: OK The Safety System was wrongly still in override during the start up of the furnace. SIL standard not fully implemented: Plan, Do, Check, Act in Safety Management System was lacking. 11th Stamicarbon Ureum Symposium 19 22 May, 2008, Noordwijk

Summary/ Conclusions The SIL concept (including the use of LOPA) is often narrowed down to SIL Classification and PFD calculations. It is a danger that the SIL/ LOPA approach becomes the objective in itself, instead of a means to reach high safety levels. The following main problem areas haven been considered: The tendency to go for safety systems instead of more inherent safety The quality of the HAZOP/ SIL/ LOPA team The unjustified over dependency of operators in safety systems The too large emphasis on PFD calculations, losing the real meaning behind it. The lack of implementation of HAZOP/ SIL/ LOPA in the companies Safety Management System. Overall: The risk exists that our safety standards and risk analysis methods are becoming counterproductive. The effectiveness for safety should be be monitored continuously.

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback