SIL Allocation - Deterministic vs. risk-based approach - Layer Of Protection Analysis (LOPA) overview
Origin and causes of accidents involving control system failure
- 44% Specification
- 20% Changes after start-up
- 15% Design and implementation
- 6% Installation and start-up
- 15% Maintenance and operation
Ref: Out of Control: Why control systems go wrong and how to prevent failure, published by UK HSE
SIS Safety Lifecycle, IEC61511 (figure: the lifecycle diagram; phases shown)
- Management of functional safety and assessment and audit of functional safety
- Structure and planning of the safety life cycle
- Assessment of hazards and risks
- Allocation of the safety functions to the protection layers
- Specification of the safety requirements for the safety instrumented system
- Design and engineering of the safety instrumented system
- Design and development of other means of reducing risk
- Installation, reception and validation
- Operation and maintenance
- Modification
- Decommissioning
- Verification
SIL Allocation in the IEC61511 Safety Lifecycle (figure: the same lifecycle diagram as on the previous slide, locating SIL allocation in the phase "Allocation of the safety functions to the protection layers", after the assessment of hazards and risks and before the specification of the safety requirements for the safety instrumented system)
SIL Allocation & SIL Verification (figure: the lifecycle diagram annotated with where the target SIL is set and where it is demonstrated to be met)
SIL Allocation - set target
- Minimum SIL requirements
- LOPA, risk graphs
- Determine if additional SIF are required and, if yes, allocate the target SIL (SIL 1, SIL 2, SIL 3)
Design & Engineering
SIL Verification - demonstrate target is met
- Calculations (PFD), FMECA, SAR, Safety Manuals, etc.
- Address target SIL (fault tolerance & PFD)
- Select system technology
- Configuration / voting
- Test interval
- Diagnostics
SIL Allocation - the two approaches
- Deterministic: ISO10418, OLF070
- Risk-based: LOPA, risk graph, QRA
SIL Allocation - deterministic approach
1. Design in accordance with process industry standards
- ISO10418, API RP14C for offshore installations
- NFPA 85, NFPA 86, API RP556 for various types of fired equipment
- etc.
Prescriptive recommendations for protective measures:
- Based on experience and recognized practice
- Acceptable level of safety achieved (refers to clearly defined hazards and standardized behaviour of safety systems and barriers)
SIL Allocation - deterministic approach
2. Allocate SIL based on predetermined requirements
- Minimum SIL requirements: OLF070 (Application of IEC in the Norwegian Petroleum Industry), company governing documentation
- The minimum SIL requirement is derived from the expected reliability (PFD) of typical SISs, i.e. what is achievable by standard solutions considered good industry practice
- Not based on the required risk reduction conforming to a specific RTC
- Enforces quality requirements in SIS design, installation and operation
The safety onion - integrated approach, independent protection layers (figure: concentric layers from the process outwards)
- Process design
- Basic controls, process alarms and operator supervision
- Critical alarms, operator supervision and manual intervention
- Automatic action: SIS or ESD
- Physical protection (relief devices)
- Physical protection (dikes)
- Plant emergency response
- Community emergency response
Alternative view - protecting by multiple protection layers (figure: a level-controlled vessel with level transmitters feeding the PCS and the PSD logic; the process level rises from low level through normal level to the high level alarm, where the operator takes action, and then to the trip set point, where the SIS acts)
Reducing risks with protection layers (figure: a risk scale from the initial risk (frequency) down to the risk tolerance criteria; the required risk reduction is compared with the achieved risk reduction from the SIS, from other technologies and from external measures; any remaining risk above the criteria raises the question "missing adequate barriers?")
Closing the safety gap between risk and target
Applicability of risk assessment methods for risk judgements
- Qualitative analysis: 100% of scenarios are analyzed using qualitative methods
- Simplified-quantitative or semi-qualitative analysis: 1-5% of scenarios, 100% of SIF
- Quantitative analysis: <1 per mille of scenarios, 1% of SIF

Technique         | Applicability to simple issues | Applicability to complex issues
HAZOP, What if    | Good                           | Poor to okay for risk judgment
LOPA, Risk Graph  | Good                           | Usually good
ETA, FTA, QRA     | Overkill                       | Good
SIL Allocation process (risk-based) (flowchart)
Inputs:
- Plant facilities & safety conceptual strategies / philosophies
- Design & operating principles / performance standards / acceptance criteria
- Plant design development input (e.g. process conditions, P&ID, C&E, FDS, etc.)
Steps:
- Qualitative risk assessment / Process Hazard Analysis (PHA) / IPL definition (e.g. HAZOP)
- SIF determination & SIL allocation, at semi-qualitative, simplified-quantitative or quantitative level: for each scenario, SIF determination & SIL allocation with a simplified risk analysis technique (e.g. LOPA, risk graph)
Decision points:
- SIL1, SIL2 or SIL3 with GALE TES where further assessment is needed?
- SIL4? Or SIL3 with no GALE TES?
- Design change or other non-SIS IPL possible? If yes: evaluate other non-SIS IPL or design change
- Quantitative risk assessment for the dedicated scenario
- SIL1, SIL2, SIL3 or SIL4 by multiple SIS?
- SIL4 required by a single SIS? If yes: apply for dispensation to TR2041
Output: complete SIL allocation for each SIF & reporting (SRS, CDD, SAR, etc.)
LOPA - Layer of Protection Analysis
- Multidiscipline team exercise, immediately after HAZOP (1w/m)
- Good synergy with HAZOP (cause, consequence, safeguards)
- Simple rules (reproducible), order of magnitude of the risk
- Barrier / protection layer analysis methodology
- Focus on Safety Instrumented Systems; will also address credit for other safety related systems
- Identification of the required and expected performance of critical systems
- Closes the gap between expected system performance and required risk tolerance
- Determines the Safety Integrity Level (SIL) of the gap
- Can be an entry point to QRA
LOPA can address the following:
- Does my system (planned or actual) ensure my criteria are met?
- Do I need an additional Safety Instrumented System?
- Are there alternatives?
LOPA references and applicability in the industry:
- IEC 61511: LOPA will meet the requirements (Part 3, Annex F)
- AIChE endorsement
- Risk-based approach common in the downstream industry, especially for PSD
- LOPA often used in the Americas; Europe often uses risk graphs
- Some O&G companies have developed their own software / spreadsheets
LOPA Procedure
- Step 1: Establish TTC
- Step 2: Preliminary selection of scenarios
- Step 3: Evaluate impact severity on safety, environment and assets
- Step 4: Determine IE frequency
- Step 5: Identify IPLs and select the probability of failure
- Step 6: Identify conditional modifiers and select the probability
- Step 7: Evaluate scenario frequency and compare with TTC
- Step 8: Identify SIF and allocate SIL
- Step 9: Evaluate need for other non-SIS IPL or redesign
- Step 10: Evaluate consequences of spurious failure
- Step 11: Reporting
Step 1: Establish Target Tolerance Criteria (TTC) (figure: risk matrix of impact level against frequency level)
Frequency levels (/year): 1: <1E-4; 2: 1E-4 to 1E-3; 3: 1E-3 to 0.01; 4: 0.01 to 0.05; 5: 0.05 to 0.3; 6: 0.3 to 0.7; 7: 0.7 to 1.4; 8: >1.4

Impact category  | Target Tolerance Criteria
8 / Catastrophic | 1E-6 per year
7 / Major        | 1E-5 per year
6 / Severe       | 1E-4 per year
5 / Serious      | 1E-3 per year
4 / Moderate     | 1E-2 per year
Step 1: Establish TTC
- The criteria are dependent on the numbers used for initiating events, risk reduction factors etc.
- Economic impact should include the total loss:
  - Demolition cost
  - Installed equipment cost (x3 purchase price)
  - Cost of business interruption (value of product that cannot be shipped out, not cost of lost production)
- Corporate TTC should be used as a basis to establish the locally applicable TTC
Step 2: Preliminary selection of scenarios/SIFs
- Scenarios/SIF identified from C&E, interlock narratives and P&IDs (figure: example SIF loops with temperature transmitters, a flow transmitter and a level switch as sensors, a logic solver (PLC), and solenoids driving on/off valves and a pump as final elements)
- Additional scenarios where a SIF is recommended for evaluation (e.g. identified during HAZID, HAZOP or other project/facility review)
- High impact severity scenarios (i.e. category 7 and 8 in TTC)
Step 2: Identification of scenario (bow-tie figure)
- Causes: Initiating Event 1, Initiating Event 2, Initiating Event 3
- Prevention (terminate the chain of events, reduce frequency): BPCS, operator response to alarm from monitoring system, SIS, PSV
- Top event: e.g. loss of containment
- Mitigation & recovery (reduce consequence severity): ESD, ignition control, fire water
- Consequences: no consequence, Consequence A, Consequence B, Consequence C, Consequence D
LOPA scenario: a single cause-consequence pair (e.g. Initiating Event 1 leading to Consequence D)
Step 3: Evaluate impact severity
- Define the worst reasonably credible consequences that result if the chain of events continues without interruption.
- Select the impact severity from the TTC for all categories (people's safety, environment, economic).

Impact category  | Target Tolerance Criteria
8 / Catastrophic | 1E-6 per year
7 / Major        | 1E-5 per year
6 / Severe       | 1E-4 per year
5 / Serious      | 1E-3 per year
4 / Moderate     | 1E-2 per year
Step 4: Determine Initiating Event Frequency
Identify all possible initiating events, i.e. causes: mechanical, instrument or human failures (f_ie)

Instrument initiating event   | failure/year
BPCS instrument loop failure  | 1.00E-01
BPCS sensor failure           | 1.00E-01
Control loop failure          | 1.00E-01
Loss of instrument air        | 1.00E-01

Human initiating event                                | failure/year
3rd party intervention                                | 1.00E-02
Human error in a non-routine, low stress task         | 1.00E-01
Human error in a routine, once per day opportunity    | 1.00E+00
Human error in a routine, once per month opportunity  | 1.00E-01
Operator failure, action more than once per quarter   | 1.00E-01

Mechanical initiating event                   | failure/year
Canned/magnetic drive pump failure            | 1.00E-02
Compressors, pumps and crane fail             | 1.00E+00
Control valve failure                         | 1.00E-01
Cooling water failure                         | 1.00E-01
Double mechanical seal pump failure           | 1.00E-02
Expansion joint fails                         | 1.00E-02
General utility failure                       | 1.00E-01
Heat exch. tube leak <100 tubes               | 1.00E-02
Heat exch. tube leak >100 tubes               | 1.00E-01
Heat exch. tube rupture <100 tubes            | 1.00E-03
Heat exch. tube rupture >100 tubes            | 1.00E-02
Loss of cooling                               | 1.00E-01
Loss of power                                 | 1.00E-01
Manual valve failure                          | 1.00E+00
Pressure safety valve failure                 | 2.00E-01
Pressure vessel failure, significant release  | 1.00E-05
Pump failure, loss of flow                    | 1.00E-01
Single mechanical seal pump failure           | 1.00E-01
Unloading/loading hose failure                | 1.00E-01

Human error probability of not correctly performing a task, per demand, for various situations:
Stress level     | Simplest | Routine & simple | Routine but requires care | Complicated, non-routine
No stress        | 1x10^-4  | 1x10^-3          | 1x10^-2                   | 0.1
Moderate stress  | 1x10^-3  | 1x10^-2          | 5x10^-2                   | 0.3
High stress      | 1x10^-2  | 1x10^-1 to 1.0   | 0.25 to 1.0               | 1.0
Step 4: Determine Initiating Event Frequency
- Enabling event: e.g. adjust to the time at risk, i.e. multiply f_ie by the fraction of time during which the risk is present
- SIF operating in continuous mode of operation: f_ie = 2 * PFD
Step 5: Identify IPLs and select probability of failures
Essential requirements:
- Specific: detect, decide and deflect
- Effective: big enough, fast enough, strong enough, smart enough
- Independent: its performance must not be affected by other protection layers and must be independent of the events causing the accident
- Reliable: the protection given by the IPL reduces the risk by a known and specific quantity
- Auditable: it must allow periodic checks and tests of the protection function
All IPLs are protection layers, but not all protection layers are IPLs
Step 5: Identify IPLs and select probability of failures
Process design:
- Inherent safety in design: part of the initial risk, not an IPL. Minimize, substitute, moderate, simplify
Process control system:
- Actions to return the process to within the normal operating envelope (e.g. minimum flow control)
- Process shutdown (shadowing the SIS in the PCS)
- Alarms (+ operator response)
Step 5: Identify IPLs and select probability of failures
Process control system:
- Maximum PFD claimed: 0.1, if independent of initiating events and other IPLs
- If the initiating event is caused by a PCS control loop failure, the PCS can be considered an IPL if:
  - Sensors, I/O cards and final elements are independent (figure: Sensor 1 and Sensor 2 on separate inputs of the logic controller, driving Final Element 1 and Final Element 2 through separate outputs; one path is the initiating event, the other the IPL)
  - The logic controller is designed with a high level of reliability by reference to recognized industry standards (e.g. redundant CPUs)
- A PFD lower than 0.1 requires that the PCS is designed according to IEC61511
- The PCS cannot be credited twice as an IPL
Step 5: Identify IPLs and select probability of failures
PCS supervision & alarms (human intervention):
- Direct connection between the alarm, which indicates the event, and the measures to be taken by staff to avoid the event
- Safety alarms requiring intervention should be prioritized, with configuration access restricted
- Time needed vs time available due to process dynamics (figure: process safety time runs from the PCS pre-alarm set point through the SIS trip point to the top event, e.g. loss of integrity, and on to the final consequences; the time available for the operator must cover alarm processing, limited troubleshooting, deciding the action, triggering it and getting it to be effective)
- Minimum 15-20 min if automatic; minimum 30 min to 1 h if manual local action
- Written procedure in use, training
Step 5: Identify IPLs and select probability of failures
- Preventive SIS (PSD)
- Mitigation SIS: ESD, F&G, emergency depressurization or dumping system, fire water, etc.
  - Have a role in risk reduction but should not be considered an IPL for the evaluation of a preventive SIF (PSD) with LOPA. The objective is to prevent the scenario without relying on mitigation SIS (residual consequences even if successful).
  - May be given credit in QRA. Design against the scenario shall be demonstrated, claimed reliability shall be demonstrated, appropriate maintenance and testing.
Step 5: Identify IPLs and select probability of failures
Mechanical mitigation systems:
- PSV and rupture disk: depends on the SIF design intent, i.e. in lieu of the PSV or in addition, e.g. to limit release to the disposal system. Does the PSV fulfil the 3E? Is the release damageable? Fouling service?
- Check valve: IPL, with restrictions on service and technology; frequent testing required
- Flame arrestor (in line): can be an IPL. Design against deflagration will not prevent detonation; testing
- Explosion doors: not an IPL. Can be considered for selection of a lower impact severity. Design must be checked against the explosion load
- Excess flow valves: mitigation, generally not an IPL
Step 5: Identify IPLs and select probability of failures
Post release physical protection (passive): dike, fire wall, passive fire protection, collision protection
- Should not be considered an IPL for the evaluation of a preventive SIF with LOPA. May be given credit in QRA. Design against the scenario shall be demonstrated, appropriate maintenance
Emergency response (evacuation and rescue):
- Relying on evacuation and rescue is the last resort. No credit for risk reduction shall be granted as an IPL. Considered in the selection of the conditional modifier (probability of personnel present)
Step 5: Identify IPLs and select probability of failures

Independent protection layer                               | PFD
Single check valve in clean liquid service                 | 2.00E-01
Single check valve in gas service                          | 1.00E+00
Two check valves in series in clean gas or liquid service  | 2.00E-02
Process safety valve fail to open, clean service           | 1.00E-02
Control loop / PCS                                         | 1.00E-01
Explosion doors                                            | 1.00E+00
Flame arrestor                                             | 1.00E-01
Operator response to alarm (15-20 minutes)                 | 1.00E-01
Step 6: Conditional modifiers
- P_ignition: probability of ignition for a flammable release. Not always relevant (e.g. release above auto-ignition, control of ignition sources, environmental impact)
- P_person_present: probability that personnel are present at the time of the hazardous event = Occupancy x Probability to avoid the hazardous event once the SIS has failed
- Probability of death (vulnerability): not taken into account (conservative but simpler)

Ignition probability modifier:
Release                   | Event     | Probability
Gas, major (1-50 kg/s)    | Explosion | 8.40E-03
Gas, major (1-50 kg/s)    | Fire      | 7.00E-02
Gas, massive (>50 kg/s)   | Explosion | 9.00E-02
Gas, massive (>50 kg/s)   | Fire      | 3.00E-01
Gas, minor (<1 kg/s)      | Explosion | 4.00E-04
Gas, minor (<1 kg/s)      | Fire      | 1.00E-02
Liquid, major (1-50 kg/s) | Explosion | 3.60E-03
Liquid, major (1-50 kg/s) | Fire      | 3.00E-02
Liquid, massive (>50 kg/s)| Explosion | 2.40E-02
Liquid, massive (>50 kg/s)| Fire      | 8.00E-02
Liquid, minor (<1 kg/s)   | Explosion | 4.00E-04
Liquid, minor (<1 kg/s)   | Fire      | 1.00E-02
Step 6: Conditional modifiers - Occupancy
- 0.1: rare to occasional exposure in the hazardous zone, exposure time below 10%. Most continuous process plants will have only occasional exposure. This would be the default choice for normal operation and when something goes spontaneously wrong.
- 1: frequent to permanent exposure in the hazardous zone (more than 10% of the time). Most continuous process plants will have troubleshooting, testing and maintenance activities upon certain alarms. This can mean that several people are exposed to a hazard when it happens. The correct action for hazardous work and when something goes wrong is to evacuate the premises as much as possible (ARCO 1989 tank explosion). Consider specific scenarios during shut-down or start-up with almost permanent exposure (e.g. lighting of fired heaters). Batch plants and semi-batch plants often require semi-continuous human supervision.
Step 6: Conditional modifiers - Probability to avoid the hazardous event once the SIS has failed
- 1: almost impossible to avoid the hazard; this is the default probability. Credit for using personal protective equipment to avert a hazard should not be taken unless it is certain that the personal protective equipment will actually be worn. Usually, systems are designed on the assumption that the use of such equipment is not absolutely required to achieve a sufficient degree of safety, although it is recognized that it can further improve safety.
- 0.1: possible to avoid the hazard under certain conditions; needs strong justification. Should only be selected if all the following conditions are true:
  - Facilities are provided to alert the operator that the SIS has failed
  - Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area (e.g. the escape route is obvious and immediate, with no vertical or spiral staircase, no rescue required, etc.)
  - The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions
Caution: don't credit the same operator intervention twice (e.g. alarm + operator intervention)
Step 7: Compare scenario frequency with TTC
For a single cause-consequence pair (e.g. Initiating Event 1 leading to Consequence D) with n IPLs:
  f_LOPA scenario = f_ie * PFD_IPL1 * PFD_IPL2 * ... * PFD_IPLn
  RRF of an IPL = 1 / PFD_IPL
Step 8: Identify SIF and allocate SIL
  (f_LOPA scenario * P_ignition * P_person_present) / TTC < 1: scenario "passes" LOPA
  (f_LOPA scenario * P_ignition * P_person_present) / TTC > 1: risk reduction needed
Step 9: Evaluate need for other non-SIS IPL or redesign
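A worked computation of Steps 4 to 8, added here as an illustration (not code from the presentation): it applies the scenario-frequency formula above to two constructed scenarios built from the deck's initiating-event, PFD, ignition and occupancy tables, refuses IPL credit for a PCS loop that is itself the initiating event, and maps the required RRF to a SIL using the IEC 61511 demand-mode bands (the bands and the rounding of small gaps to SIL 1 are assumptions; the slides only name SIL 1 to SIL 4).

```python
"""LOPA scenario evaluation, Steps 4 to 8 (added illustration, not code from the deck).
Frequencies, PFDs and modifiers come from the deck's tables; the scenarios are constructed."""
from dataclasses import dataclass, field

# Target Tolerance Criteria per impact category (Step 1), events per year
TTC = {8: 1e-6, 7: 1e-5, 6: 1e-4, 5: 1e-3, 4: 1e-2}

# Demand-mode SIL bands (SIL, lower RRF inclusive, upper RRF exclusive); assumed, IEC 61511
SIL_BANDS = ((1, 10.0, 100.0), (2, 100.0, 1e3), (3, 1e3, 1e4), (4, 1e4, 1e5))


@dataclass
class IPL:
    name: str
    pfd: float
    independent_of_ie: bool = True  # Step 5: no credit if it shares components with the IE


@dataclass
class Scenario:
    name: str
    impact_category: int           # 4 (Moderate) .. 8 (Catastrophic)
    f_ie: float                    # initiating event frequency, per year (Step 4)
    ipls: list = field(default_factory=list)
    time_at_risk: float = 1.0      # enabling condition: fraction of time the hazard exists
    p_ignition: float = 1.0        # Step 6 modifier; 1.0 when ignition is not relevant
    occupancy: float = 1.0         # fraction of time personnel are in the hazardous zone
    p_not_avoided: float = 1.0     # default 1.0; 0.1 only with strong justification


def credited_ipls(s: Scenario) -> list:
    """Only IPLs independent of the initiating event earn credit (Step 5)."""
    return [ipl for ipl in s.ipls if ipl.independent_of_ie]


def scenario_frequency(s: Scenario) -> float:
    """Step 7: f = f_ie * PFD_IPL1 * ... * PFD_IPLn * P_ignition * P_person_present."""
    f = s.f_ie * s.time_at_risk
    for ipl in credited_ipls(s):
        f *= ipl.pfd
    p_person_present = s.occupancy * s.p_not_avoided
    return f * s.p_ignition * p_person_present


def required_rrf(s: Scenario) -> float:
    """Step 8: mitigated frequency over TTC; above 1 a SIF must close the gap by this factor."""
    return scenario_frequency(s) / TTC[s.impact_category]


def allocate_sil(rrf: float) -> int:
    """Map the required RRF to a SIL; 0 means the scenario passes LOPA without a SIF."""
    if rrf <= 1.0:
        return 0
    if rrf < 10.0:
        return 1  # assumption: a gap below the SIL 1 band is rounded up to SIL 1
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return sil
    raise ValueError(f"RRF {rrf:.3g} is beyond SIL 4: redesign or split across SIS")


# Constructed scenario A: a BPCS loop failure overfills a separator, massive gas release.
# The PCS level control is the failed loop itself, so it cannot be credited as an IPL.
SCENARIO_A = Scenario(
    name="Separator overfill, massive gas release, fire",
    impact_category=8,
    f_ie=0.1,                                   # BPCS instrument loop failure
    ipls=[IPL("PCS high level control", 0.1, independent_of_ie=False),
          IPL("Operator response to high level alarm", 0.1)],
    p_ignition=0.3,                             # gas, massive (>50 kg/s), fire
)

# Constructed scenario B: control loop failure overpressures a PSV-protected vessel, rarely occupied area.
SCENARIO_B = Scenario(
    name="Vessel overpressure, major gas release, fire",
    impact_category=7,
    f_ie=0.1,                                   # control loop failure
    ipls=[IPL("PSV, clean service", 0.01), IPL("Operator response to alarm", 0.1)],
    p_ignition=0.07,                            # gas, major (1-50 kg/s), fire
    occupancy=0.1,                              # rare to occasional exposure
)

if __name__ == "__main__":
    for s in (SCENARIO_A, SCENARIO_B):
        rrf = required_rrf(s)
        print(f"{s.name}: f = {scenario_frequency(s):.2e}/yr, RRF needed = {rrf:.3g}, SIL {allocate_sil(rrf)}")
```

Scenario A leaves a gap of about 3000 and so calls for a SIL 3 SIF; scenario B passes LOPA without one.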
Step 8: Identify SIF and allocate SIL (figure: risk scale from the initial process risk without IPL down to the residual risk with IPL, against the Target Tolerance Criteria)
- Risk reduction achieved, by: BPCS; operator response to alarms; Safety Instrumented System; mechanical devices; other means
- The risk reduction still needed after the achieved reduction is the safety gap (SG), i.e. the risk reduction factor (RRF) required for the SIS
Closing the safety gap by SIS
Step 9: Evaluate need for other non-SIS IPL
- LOPA is focused on the identification of SIF to close the safety gap; it does not necessarily mean that a SIS is needed
- By order of preference:
  1. Design the problem out of the process using inherently safe principles
  2. Protection by non-SIS protective measures, passive rather than active
  3. A SIF should be the solution of last resort when other solutions are not practical
Step 10: Evaluate consequences of spurious trip failure
- Spurious failure: a failure triggering an action in an untimely manner
- Consider the need for a design robust to spurious trips (e.g. 2oo3 instead of 1oo2)
- Set a minimum mean time to fail safe requirement (MTTFS = 1 / STR)
Step 10: Reporting - SIL Allocation Report
- Methodology
- Identified IPL listing that is regarded as part of the PCS, e.g. alarm function requiring operator action
- Identified SIF list and SIL allocation result, corresponding SIS
- SIF/SIL allocation worksheet
- All assumptions, uncertainties and sensitivities should be recorded
- Level of detail sufficient to enable a 3rd party to follow/reproduce the evaluation
- Starting point for the Safety Requirement Specification (SRS)
Step 10: Reporting - SIL Allocation Report
SIF/SIL allocation worksheet (figure: example worksheet), Target Tolerance Criteria = 10^-5/yr
SIL Allocation & SIL Verification (recap figure: the lifecycle diagram annotated with where the target SIL is set and where it is demonstrated to be met)
SIL Allocation - set target
- Minimum SIL requirements
- LOPA, risk graphs
- Determine if additional SIS are required and, if yes, allocate the target SIL (SIL 1, SIL 2, SIL 3)
Design & Engineering
SIL Verification - demonstrate target is met
- Calculations (PFD), FMECA, CDD, SAR, Safety Manuals, etc.
- Address target SIL (fault tolerance, PFD, software requirements)
- Select system technology
- Configuration / voting
- Test interval
- Diagnostics
Thank you
SIL Allocation - Layer of protection analysis
Presenter's name: Mathilde Cot
Presenter's title: Principal Consultant, Safety Technology, CFSE
mcot@statoil.com, tel: +47 95785095
www.statoil.com
Special cases handling - global Safety Instrumented Systems for consequence mitigation
- ESD, F&G, emergency depressurization or dumping system, fire water, etc.
- Release and other events cannot be interrupted by a mitigation SIS. Severity reduction, but residual consequences even if the mitigation SIS is successful (e.g. large uncontrolled fire vs controlled fire, avoiding escalation)
(bow-tie figure as in Step 2: causes and prevention barriers (BPCS, operator response to alarm from monitoring system, SIS, PSV) before the top event, e.g. loss of containment; mitigation & recovery barriers (ESD, ignition control, fire water) after it; for the mitigation SIS the outcome branches are weighted PFD x TTC for the large uncontrolled fire and 1 x TTC for the controlled fire, raising the question: same protection gap?)
Special cases handling - global Safety Instrumented Systems for consequence mitigation
- Preferred approach: deterministic
- Divide the global SIS into a detection SIS and an action SIS (figure: sensors S1, S2 and S3 provide the input signal to the PLC, whose output signal drives valves V1 and V2)
  - Detection SIS: incomplete safety instrumented system
  - Action SIS: incomplete safety instrumented system
- Safety logigram
Special cases handling
- Safety-related parts of control systems for machinery
- SIS in process under patented license
- Permissive safety function
- Staggered safety functions
- Overpressure protection via SIS
LOPA - Limitations
- Simplified risk assessment. SIL 3 with no TES and SIL4 (implemented by independent SIS) shall be further assessed by a quantitative method
- Components shared between the IE and candidate IPLs: no independence
- Several independent SIS with the same functionality and the possibility of common cause failures
- Complex scenario sequences
(figure: the risk-based SIL allocation process flowchart shown earlier, from plant design input and PHA/HAZOP through SIF determination & SIL allocation with LOPA or risk graph, the further-assessment decisions (SIL3 with or without TES, SIL4, design change or other non-SIS IPL, quantitative risk assessment for the dedicated scenario, SIL4 by multiple SIS or by a single SIS with dispensation to TR2041) to completed SIL allocation and reporting (SRS, CDD, etc.))
Step 2: Identification of SIF
- Design intent
- Safe state
- Demand mode vs continuous mode of operation (IEC61511-1 definitions):
  - Demand mode: where a specified action (e.g. closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the SIF, a potential hazard only occurs in the event of a failure in the process or the PCS. Measure: PFD
  - Continuous mode: where, in the event of a dangerous failure of the safety instrumented function, a potential hazard will occur without further failure unless action is taken to prevent it. Measure: PFH
- A SIF operates in continuous mode when the frequency of demands for operation on the SIF is more than once per year or more than twice the SIF proof test frequency.