SIL Allocation. - Deterministic vs. risk-based approach - Layer Of Protection Analysis (LOPA) overview

SIL Allocation - Deterministic vs. risk-based approach - Layer Of Protection Analysis (LOPA) overview

Origin and causes of accidents involving control system failure
  - 44% Specification
  - 20% Changes after start-up
  - 15% Design and implementation
  - 6% Installation and start-up
  - 15% Maintenance and operation
Ref: Out of Control: Why control systems go wrong and how to prevent failure, published by UK HSE

SIS Safety Lifecycle, IEC61511
(lifecycle figure, reconstructed as a list; box numbers as in the IEC 61511 lifecycle figure)
  1  Assessment of hazards and risks
  2  Allocation of the safety functions to the protection layers
  3  Specification of the safety requirements for the safety instrumented system
  4  Design and engineering of the safety instrumented system (in parallel: design and development of other means of reducing risk)
  5  Installation, reception and validation
  6  Operation and maintenance
  7  Modification
  8  Decommissioning
  9  Verification (applies to every phase)
  10 Management of functional safety and assessment and audit of functional safety (applies to every phase)
  11 Structure and planning of the safety life cycle (applies to every phase)

SIL Allocation in the IEC61511 Safety Lifecycle
(same lifecycle figure as the previous slide; SIL allocation belongs to phases 1 and 2, assessment of hazards and risks and allocation of the safety functions to the protection layers, ahead of the safety requirements specification in phase 3)

SIL Allocation & SIL Verification
(figure: the lifecycle shown twice; the first phases, assessment of hazards and risks and allocation of safety functions, "set the target"; the later phases, from the safety requirements specification through installation, validation, modification and decommissioning, "demonstrate the target is met")
SIL Allocation (set target)
  - Minimum SIL requirements, LOPA, risk graphs
  - Determine if additional SIF are required and, if yes, allocate the target SIL: SIL 1, SIL 2, SIL 3
Design & Engineering: SIL Verification (demonstrate target is met)
  - Calculations (PFD), FMECA, SAR, safety manuals, etc.
  - Address the target SIL (fault tolerance & PFD)
  - Select system technology, configuration / voting, test interval, diagnostics

SIL Allocation: the two approaches
  Deterministic: ISO10418, OLF070
  Risk-based: LOPA, Risk graph, QRA

SIL Allocation: deterministic approach
1. Design in accordance with process industry standards
  - ISO10418, API RP14C for offshore installations
  - NFPA 85, 86, API RP556 for various types of fired equipment
  - etc.
  Prescriptive recommendations for protective measures, based on experience and recognized practice
  Acceptable level of safety achieved (refers to clearly defined hazards and standardized behaviour of safety systems and barriers)

SIL Allocation: deterministic approach
2. Allocate SIL based on predetermined requirements (minimum SIL requirements)
  - OLF070, Application of IEC in the Norwegian Petroleum Industry
  - Company governing documentation
  The minimum SIL requirement is derived from the expected reliability (PFD) of typical SISs, i.e. what is achievable by standard solutions considered good industry practice.
  It is not based on the required risk reduction conforming to a specific RTC.
  It enforces quality requirements in the SIS design, installation and operation.

SIL Allocation: the two approaches
  Deterministic: ISO10418, OLF070
  Risk-based: LOPA, Risk graph, QRA, TES

The safety onion: integrated approach, independent protection layers
(figure: concentric layers, listed here from the outermost to the innermost)
  - Community emergency response
  - Plant emergency response
  - Physical protection (dikes)
  - Physical protection (relief devices)
  - Automatic action: SIS or ESD
  - Critical alarms, operator supervision, and manual intervention
  - Basic controls, process alarms, and operator supervision
  - Process design

Alternative view: protecting by multiple protection layers
(figure: a vessel level example. Going up from the normal level, the process level first reaches the range handled by the PCS, then the high level alarm at which the operator takes action, then the SIS trip set point at which the PSD logic acts; the low level side is handled the same way. The PCS and the PSD logic each have their own transmitter.)

Reducing risks with protection layers
(figure: risk decreasing from the initial risk (frequency) down to the remaining risk. The required risk reduction is the distance from the initial risk to the risk tolerance criteria; the achieved risk reduction is the sum of the risk reduction by external layers, by other technologies and by the SIS. If the remaining risk is still above the risk tolerance criteria, adequate barriers are missing.)
Closing the safety gap between risk and target

Applicability of risk assessment methods for risk judgements
  - Qualitative analysis (100% of scenarios are analyzed using qualitative methods)
  - Simplified-quantitative or semi-qualitative analysis (1-5% of scenarios, 100% of SIF)
  - Quantitative analysis (<1 per thousand of scenarios, 1% of SIF)

  Technique            Applicability to simple issues   Applicability to complex issues
  HAZOP, What if       Good                             Poor to okay for risk judgment
  LOPA, Risk graph     Good                             Usually good
  ETA, FTA, QRA        Overkill                         Good

SIL Allocation process (risk-based)
(flowchart, reconstructed as a sequence of steps and decisions)
Inputs:
  - Plant facilities & safety conceptual strategies / philosophies
  - Design & operating principles / performance standards / acceptance criteria
  - Plant design development input (e.g. process conditions, P&ID, C&E, FDS, etc.)
Steps:
  1. Qualitative risk assessment / process hazard analysis (PHA) / IPL definition (e.g. HAZOP)
  2. SIF determination & SIL allocation (semi-qualitative, simplified-quantitative or quantitative): for each scenario, SIF determination & SIL allocation with a simplified risk analysis technique (e.g. LOPA, risk graph)
  3. SIL1, SIL2 or SIL3 with GALE TES where further assessment is needed? YES: quantitative risk assessment for the dedicated scenario. NO: continue
  4. SIL4? or SIL3 with no GALE TES? NO: complete the SIL allocation for each SIF & reporting (SRS, CDD, SAR, etc.). YES: design change or other non-SIS IPL possible? YES: evaluate other non-SIS IPL or design change and re-evaluate the scenario. NO: quantitative risk assessment for the dedicated scenario
  5. After the quantitative risk assessment: SIL1, SIL2, SIL3 or SIL4 by multiple SIS? YES: complete the SIL allocation for each SIF & reporting. NO: SIL4 required by a single SIS? YES: apply for dispensation to TR2041

LOPA: Layer of Protection Analysis
  - Multidiscipline team exercise, immediately after HAZOP (1w/m)
  - Good synergy with HAZOP (cause, consequence, safeguards)
  - Simple rules (reproducible), order of magnitude of the risk
  - Barrier / protection layer analysis methodology
  - Focus on safety instrumented systems; will also address credit for other safety related systems
  - Identification of the required and expected performance of critical systems
  - Closes the gap between the expected system performance and the required risk tolerance
  - Determines the Safety Integrity Level (SIL) needed to close the gap
  - Can be an entry point to QRA

LOPA can address the following
  - Does my system (planned or actual) ensure my criteria are met?
  - Do I need an additional safety instrumented system?
  - Are there alternatives?
LOPA references and applicability in the industry
  - IEC 61511: LOPA will meet the requirements (Part 3, Annex F)
  - AIChE endorsement
  - Risk-based approach common in the downstream industry, especially for PSD
  - LOPA often used in the Americas; Europe often uses risk graphs
  - Some O&G companies have developed their own software / spreadsheets

LOPA Procedure
  Step 1: Establish TTC
  Step 2: Preliminary selection of scenarios
  Step 3: Evaluate impact severity on safety, environment and assets
  Step 4: Determine IE frequency
  Step 5: Identify IPLs and select the probability of failure
  Step 6: Identify conditional modifiers and select the probability
  Step 7: Evaluate scenario frequency and compare with TTC
  Step 8: Identify SIF and allocate SIL
  Step 9: Evaluate need for other non-SIS IPL or redesign
  Step 10: Evaluate consequences of spurious failure
  Step 11: Reporting

Step 1: Establish Target Tolerance Criteria (TTC)
(risk matrix figure: impact level 1-8 against frequency level 1-8; reconstructed as two lists)
Impact level / category and TTC:
  8 / Catastrophic   1E-6 per year
  7 / Major          1E-5 per year
  6 / Severe         1E-4 per year
  5 / Serious        1E-3 per year
  4 / Moderate       1E-2 per year
Frequency levels (per year):
  1: < 1E-4
  2: 1E-4 to 1E-3
  3: 1E-3 to 0.01
  4: 0.01 to 0.05
  5: 0.05 to 0.3
  6: 0.3 to 0.7
  7: 0.7 to 1.4
  8: > 1.4

Step 1: Establish TTC
  - The criteria are dependent on the numbers used for initiating events, risk reduction factors etc.
  - Economic impact should include the total loss: demolition cost; installed equipment costs (x3 purchase price); cost of business interruption (value of product that cannot be shipped out, not cost of lost production)
  - Corporate TTC should be used as a basis to establish the locally applicable TTC

Step 2: Preliminary selection of scenarios/SIFs
  - Scenarios/SIF identified from C&E, interlock narratives and P&IDs
    (figure: typical SIF architecture, with temperature transmitters, a level switch and a flow transmitter as sensors, a logic solver (PLC), and solenoid-operated on/off valves and a pump as final elements)
  - Additional scenarios where a SIF is recommended for evaluation (e.g. identified during HAZID, HAZOP or other project/facility review)
  - High impact severity scenarios (i.e. category 7 and 8 in TTC)

Step 2: Identification of scenario
(bow-tie figure: causes (initiating events 1, 2, 3) on the left; prevention layers (BPCS, operator response to alarm from monitoring system, SIS, PSV) terminate the chain of events and reduce frequency; the top event (e.g. loss of containment) in the middle; mitigation & recovery layers (ESD, ignition control, fire water) reduce consequence severity, leading to no consequence or to consequences A, B, C, D on the right)
LOPA scenario: a single cause-consequence pair, e.g. initiating event 1 leading to consequence D

Step 3: Evaluate impact severity
  - Define the worst reasonably credible consequences that result if the chain of events continues without interruption.
  - Select the impact severity from the TTC for all categories (people's safety, environment, economic).
  Category 8 / Catastrophic   TTC 1E-6 per year
  Category 7 / Major          TTC 1E-5 per year
  Category 6 / Severe         TTC 1E-4 per year
  Category 5 / Serious        TTC 1E-3 per year
  Category 4 / Moderate       TTC 1E-2 per year

Step 4: Determine Initiating Event Frequency
Identify all possible initiating events, i.e. causes: mechanical, instrument or human failures (f_ie)

Instrument initiating event                             failure/year
  BPCS instrument loop failure                            1.00E-01
  BPCS sensor failure                                     1.00E-01
  Control loop failure                                    1.00E-01
  Loss of instrument air                                  1.00E-01

Human initiating event                                  failure/year
  3rd party intervention                                  1.00E-02
  Human error in a non-routine, low stress task           1.00E-01
  Human error in a routine, once per day opportunity      1.00E+00
  Human error in a routine, once per month opportunity    1.00E-01
  Operator failure to act, more than once per quarter     1.00E-01

Mechanical initiating event                             failure/year
  Canned/magnetic drive pump failure                      1.00E-02
  Compressors, pumps and crane fail                       1.00E+00
  Control valve failure                                   1.00E-01
  Cooling water failure                                   1.00E-01
  Double mechanical seal pump failure                     1.00E-02
  Expansion joint fails                                   1.00E-02
  General utility failure                                 1.00E-01
  Heat exch. tube leak <100 tubes                         1.00E-02
  Heat exch. tube leak >100 tubes                         1.00E-01
  Heat exch. tube rupture <100 tubes                      1.00E-03
  Heat exch. tube rupture >100 tubes                      1.00E-02
  Loss of cooling                                         1.00E-01
  Loss of power                                           1.00E-01
  Manual valve failure                                    1.00E+00
  Pressure safety valve failure                           2.00E-01
  Pressure vessel failure, significant release            1.00E-05
  Pump failure, loss of flow                              1.00E-01
  Single mechanical seal pump failure                     1.00E-01
  Unloading/loading hose failure                          1.00E-01

Human error probability for not correctly performing a task, per demand, for various situations
  Complexity:        Simplest   Routine & simple   Routine but requires care   Complicated non-routine
  No stress          1E-4       1E-3               1E-2                        0.1
  Moderate stress    1E-3       1E-2               5E-2                        0.3
  High stress        1E-2       1E-1               0.25                        1.0

Step 4: Determine Initiating Event Frequency
  - Enabling event: e.g. adjust to the time at risk, i.e. multiply f_ie by the fraction of time during which the risk is present
  - SIF operating in continuous mode of operation: f_ie = 2 × PFD

Step 5: Identify IPLs and select probability of failure
Essential requirements of an IPL:
  - Specific: detect, decide and deflect
  - Effective: big enough, fast enough, strong enough, smart enough
  - Independent: its performance must not be affected by other protection layers and must be independent of the events causing the accident
  - Reliable: the protection given by the IPL reduces the risk by a known and specified quantity
  - Auditable: it must allow periodic checks and tests of the protection function
All IPLs are protection layers, but not all protection layers are IPLs

Step 5: Identify IPLs and select probability of failure
  Process design
    - Inherent safety in design: initial risk, not an IPL. Minimize, substitute, moderate, simplify
  Process control system
    - Actions to return the process to within the normal operating envelope (e.g. minimum flow control)
    - Process shutdown (shadowing the SIS in the PCS)
    - Alarms (+ operator response)

Step 5: Identify IPLs and select probability of failure
  Process control system
    - Maximum PFD claimed: 0.1, if independent of the initiating events and of the other IPLs
    - If the initiating event is caused by a PCS control loop failure, the PCS can be considered an IPL only if:
      - sensors, I/O cards and final elements are independent
      - the logic controller is designed with a high level of reliability by reference to recognized industry standards (e.g. redundant CPUs)
      (figure: sensor 1 and sensor 2 on separate inputs of the logic controller, driving separate outputs and final elements 1 and 2; one chain is the IE, the other the IPL)
    - A PFD lower than 0.1 requires that the PCS is designed according to IEC61511
    - The PCS cannot be credited twice as an IPL

Step 5: Identify IPLs and select probability of failure
  PCS supervision & alarms
    - Human intervention: a direct connection between the alarm, which indicates the event, and the measures to be taken by staff to avoid the event
    - Safety alarms requiring intervention should be prioritized, with configuration access restricted
    - Time needed vs time available due to process dynamics (figure: timeline from the PCS pre-alarm set point through the SIS trip point to the top event (e.g. loss of integrity) and the final consequences; the operator needs time for alarm processing, limited troubleshooting, deciding the action, triggering it and getting it to be effective; the process safety time bounds the time available for the operator to take action)
    - Minimum 15-20 min if automatic; minimum 30 min to 1 h if manual local action
    - Written procedure in use, training

Step 5: Identify IPLs and select probability of failure
  Preventive SIS (PSD) vs mitigation SIS
    - Mitigation SIS: ESD, F&G, emergency depressurization or dumping system, fire water, etc.
    - They have a role in risk reduction but should not be considered IPLs for the evaluation of preventive SIF (PSD) with LOPA. The objective is to prevent the scenario without relying on mitigation SIS (there are residual consequences even if the mitigation is successful).
    - May be given credit in QRA: the design against the scenario shall be demonstrated, the claimed reliability shall be demonstrated, with appropriate maintenance and testing

Step 5: Identify IPLs and select probability of failure
  Mechanical mitigation systems
    - PSV and rupture disk: depends on the SIF design intent, i.e. in lieu of the PSV or in addition to it, e.g. to limit the release to the disposal system. Does the PSV fulfil the 3E? Is the release damaging? Fouling service?
    - Check valve: IPL, with restrictions on service and technology; frequent testing required
    - Flame arrestor (in line): can be an IPL. Design against deflagration will not prevent detonation; testing
    - Explosion doors: not an IPL; can be considered for selection of a lower impact severity. Design must be checked against the explosion load
    - Excess flow valves: mitigation, generally not an IPL

Step 5: Identify IPLs and select probability of failure
  Post-release physical protection (passive): dike, fire wall, passive fire protection, collision protection
    - Should not be considered IPLs for the evaluation of preventive SIF with LOPA
    - May be given credit in QRA: the design against the scenario shall be demonstrated, with appropriate maintenance
  Emergency response (evacuation and rescue)
    - Relying on evacuation and rescue is the last resort. No credit for risk reduction shall be granted as an IPL.
    - Considered in the selection of the conditional modifier (probability of personnel present)

Step 5: Identify IPLs and select probability of failure
  Independent protection layer                                   PFD
  Single check valve in clean liquid service                     2.00E-01
  Single check valve in gas service                              1.00E+00
  Two check valves in series in clean gas or liquid service      2.00E-02
  Process safety valve fails to open, clean service              1.00E-02
  Control loop / PCS                                             1.00E-01
  Explosion doors                                                1.00E+00
  Flame arrestor                                                 1.00E-01
  Operator response to alarm (15-20 minutes)                     1.00E-01

Step 6: Conditional modifiers
  - P_ignition: probability of ignition for a flammable release. Not always relevant (e.g. release above the auto-ignition temperature, control of ignition sources, environmental impact)
  - P_person_present: probability that personnel are present at the time of the hazardous event = occupancy × probability to avoid the hazardous event once the SIS has failed
  - Probability of death (vulnerability): not taken into account (conservative but simpler)

  Ignition probability modifier
  Release                       Outcome      Probability
  Gas, minor (<1 kg/s)          Explosion    4.00E-04
  Gas, minor (<1 kg/s)          Fire         1.00E-02
  Gas, major (1-50 kg/s)        Explosion    8.40E-03
  Gas, major (1-50 kg/s)        Fire         7.00E-02
  Gas, massive (>50 kg/s)       Explosion    9.00E-02
  Gas, massive (>50 kg/s)       Fire         3.00E-01
  Liquid, minor (<1 kg/s)       Explosion    4.00E-04
  Liquid, minor (<1 kg/s)       Fire         1.00E-02
  Liquid, major (1-50 kg/s)     Explosion    3.60E-03
  Liquid, major (1-50 kg/s)     Fire         3.00E-02
  Liquid, massive (>50 kg/s)    Explosion    2.40E-02
  Liquid, massive (>50 kg/s)    Fire         8.00E-02

Step 6: Conditional modifiers, occupancy
  0.1: rare to occasional exposure in the hazardous zone, exposure time less than 10%
    - Most continuous process plants will have only occasional exposure. This is the default choice for normal operation and when something goes spontaneously wrong.
  1: frequent to permanent exposure in the hazardous zone, exposure time more than 10%
    - Most continuous process plants will have troubleshooting, testing and maintenance activities upon certain alarms. This can mean that several people are exposed to a hazard when it happens. The correct action for hazardous work and when something goes wrong is to evacuate the premises as much as possible (ARCO 1989 tank explosion).
    - Consider specific scenarios during shut-down or start-up with almost permanent exposure (e.g. lighting of fired heaters).
    - Batch plants and semi-batch plants often require semi-continuous human supervision.

Step 6: Conditional modifiers, probability to avoid the hazardous event once the SIS has failed
  1: almost impossible to avoid the hazard; this is the default probability.
    - Credit for using personal protective equipment to avert a hazard should not be taken, unless it is certain that the personal protective equipment will actually be worn. Usually, systems are designed on the assumption that the use of such equipment is not absolutely required to achieve a sufficient degree of safety, although it is recognized that it can further improve safety.
  0.1: possible to avoid the hazard under certain conditions; needs strong justification. Should only be selected if all the following conditions are true:
    - Facilities are provided to alert the operator that the SIS has failed
    - Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area (e.g. the escape route is obvious and immediate, with no vertical or spiral staircase, no rescue required, etc.)
    - The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions
  Caution: do not credit the same operator intervention twice (e.g. alarm + operator intervention)

Step 7: Compare scenario frequency with TTC
For a single cause-consequence pair (e.g. initiating event 1 leading to consequence D) protected by n IPLs:
  $f_{\text{LOPA scenario}} = f_{ie} \times PFD_{IPL1} \times PFD_{IPL2} \times \dots \times PFD_{IPLn} = \frac{f_{ie}}{\prod_{i=1}^{n} RRF_i}$, with $RRF_i = 1 / PFD_{IPLi}$
Step 8: Identify SIF and allocate SIL
  $\frac{f_{\text{LOPA scenario}}}{TTC} \times P_{ignition} \times P_{person\ present}$
    < 1: the scenario "passes" LOPA
    > 1: risk reduction needed
Step 9: Evaluate need for other non-SIS IPL or redesign
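The Step 7 and Step 8 calculation carried through in code, as an added example that is not part of the presentation. The lookup values are the ones printed on the slides (TTC per category, BPCS loop failure 1E-1/yr, operator response to alarm PFD 1E-1, gas major fire ignition 7E-2); the overfill scenario, the `independent_of_ie` flag and the `allocate_sil` mapping of required RRF to IEC 61511 demand-mode SIL bands are assumptions of this example.

```python
"""LOPA scenario calculation following Steps 1 and 4-8 of the slides.

Added example, not the presentation's own code. Lookup values come from the
slide tables; the overfill scenario and the SIL band mapping are assumptions.
"""
from dataclasses import dataclass, field
import math

# Step 1: Target Tolerance Criteria (events/year) per impact category (slide values)
TTC = {8: 1e-6, 7: 1e-5, 6: 1e-4, 5: 1e-3, 4: 1e-2}

# Step 4 / 5 / 6 lookup values taken from the slide tables
F_IE_BPCS_LOOP_FAILURE = 1e-1   # BPCS instrument loop failure, /year
PFD_OPERATOR_RESPONSE = 1e-1    # operator response to alarm (15-20 min)
P_IGN_GAS_MAJOR_FIRE = 7e-2     # gas major release (1-50 kg/s), fire


@dataclass
class IPL:
    name: str
    pfd: float
    # Step 5 rule: an IPL must be independent of the initiating event.
    # An alarm raised by the same PCS loop that failed gets no credit.
    independent_of_ie: bool = True


@dataclass
class Scenario:
    name: str
    impact_category: int                 # 4..8, see TTC
    f_ie: float                          # initiating event frequency, /year
    ipls: list = field(default_factory=list)
    time_at_risk: float = 1.0            # Step 4 enabling event fraction (0..1)
    p_ignition: float = 1.0              # Step 6, 1.0 when ignition is not relevant
    occupancy: float = 1.0               # 0.1 rare/occasional, 1 frequent/permanent
    p_avoid: float = 1.0                 # 1 default, 0.1 only with strong justification


def credited_ipls(s):
    """Only IPLs independent of the initiating event may be credited."""
    return [ipl for ipl in s.ipls if ipl.independent_of_ie]


def scenario_frequency(s):
    """Step 7: f_ie * time_at_risk * prod(PFD_IPL) * P_ignition * P_person_present."""
    f = s.f_ie * s.time_at_risk
    for ipl in credited_ipls(s):
        f *= ipl.pfd
    return f * s.p_ignition * s.occupancy * s.p_avoid


def required_rrf(s):
    """Step 8: f_scenario / TTC. <= 1 passes LOPA; > 1 is the risk reduction
    factor still missing, i.e. the safety gap a SIF would have to close."""
    return scenario_frequency(s) / TTC[s.impact_category]


def allocate_sil(rrf):
    """Map the required RRF to a SIL and to the next step of the flowchart.
    Assumption: IEC 61511 demand-mode bands, SIL n covering RRF in
    (10^n, 10^(n+1)], with SIL 1 as the smallest SIF. Returns (sil, action)."""
    if rrf <= 1.0:
        return 0, "passes LOPA: no SIF required"
    sil = max(1, math.ceil(math.log10(rrf)) - 1)
    if sil >= 4:
        return 4, "SIL 4 by a single SIS: design change, other non-SIS IPL or QRA"
    if sil == 3:
        return 3, "SIL 3: further assessment by quantitative method where needed"
    return sil, f"allocate SIL {sil} to the SIF"


def evaluate(s):
    """One worksheet row: credited IPLs, frequency, ratio to TTC, SIL, action."""
    rrf = required_rrf(s)
    sil, action = allocate_sil(rrf)
    return {"scenario": s.name,
            "credited_ipls": [ipl.name for ipl in credited_ipls(s)],
            "f_scenario": scenario_frequency(s),
            "ttc": TTC[s.impact_category],
            "rrf_required": rrf, "sil": sil, "action": action}


# Constructed scenario: level control loop fails, tank overfills, a gas major
# release ignites (category 7, major); loading crew present, so occupancy 1.
SAME_LOOP = Scenario(
    "Overfill, alarm from the failed PCS loop", 7, F_IE_BPCS_LOOP_FAILURE,
    [IPL("PCS high level alarm + operator", PFD_OPERATOR_RESPONSE,
         independent_of_ie=False)],
    p_ignition=P_IGN_GAS_MAJOR_FIRE, occupancy=1.0)

# Same scenario, alarm from an independent level switch: the IPL is credited.
INDEPENDENT_ALARM = Scenario(
    "Overfill, alarm from independent level switch", 7, F_IE_BPCS_LOOP_FAILURE,
    [IPL("Independent LSH alarm + operator", PFD_OPERATOR_RESPONSE)],
    p_ignition=P_IGN_GAS_MAJOR_FIRE, occupancy=1.0)

if __name__ == "__main__":
    for sc in (SAME_LOOP, INDEPENDENT_ALARM):
        row = evaluate(sc)
        print(f"{row['scenario']}: f={row['f_scenario']:.1e}/yr, "
              f"TTC={row['ttc']:.0e}, RRF required={row['rrf_required']:.0f} "
              f"-> SIL {row['sil']}, {row['action']}")
```

Crediting the alarm that comes from the failed loop would have hidden one order of magnitude of the gap, which is exactly the "PCS cannot be credited twice" rule of Step 5.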

Step 8: Identify SIF and allocate SIL
(figure: risk decreasing from the initial process risk (without IPL) to the residual risk (with IPL). The risk reduction needed is the distance from the initial risk down to the target tolerance criteria; the risk reduction achieved is the sum of the risk reduction by the BPCS, by operator response to alarms, by mechanical devices, by other means and by the safety instrumented system. The difference between needed and achieved is the safety gap (SG), i.e. the risk reduction factor (RRF) required for the SIS.)
Closing the safety gap by SIS

Step 9: Evaluate need for other non-SIS IPL
  - LOPA is focused on the identification of SIF to close the safety gap; it does not necessarily mean that a SIS is needed
  - By order of preference: design the problem out of the process using inherently safe principles; protection by non-SIS protective measures, passive rather than active; a SIF should be the solution of last resort when other solutions are not practical
Step 10: Evaluate consequences of spurious trip failure
  - Spurious failure: a failure triggering the action in an untimely manner
  - Consider the need for a design robust to spurious trips (e.g. 2oo3 instead of 1oo2)
  - Set a minimum mean time to fail safe requirement (MTTFS = 1/STR)

Step 11: Reporting. SIL Allocation Report
  - Methodology
  - Identified IPL listing that is regarded as part of the PCS, e.g. alarm functions requiring operator action
  - Identified SIF list and SIL allocation result, with the corresponding SIS
  - SIF/SIL allocation worksheet
  - All assumptions, uncertainties and sensitivities should be recorded
  - Level of detail sufficient to enable a 3rd party to follow/reproduce the evaluation
  - Starting point for the Safety Requirement Specification (SRS)

Step 11: Reporting. SIL Allocation Report
(figure: example SIF/SIL allocation worksheet, target tolerance criteria = 1E-5/yr; the worksheet content itself is not reproduced here)

SIL Allocation & SIL Verification
(figure: the lifecycle shown twice; the first phases, assessment of hazards and risks and allocation of safety functions, "set the target"; the later phases, from the safety requirements specification through installation, validation, modification and decommissioning, "demonstrate the target is met")
SIL Allocation (set target)
  - Minimum SIL requirements, LOPA, risk graphs
  - Determine if additional SIS are required and, if yes, allocate the target SIL: SIL 1, SIL 2, SIL 3
Design & Engineering: SIL Verification (demonstrate target is met)
  - Calculations (PFD), FMECA, CDD, SAR, safety manuals, etc.
  - Address the target SIL (fault tolerance, PFD, software requirements)
  - Select system technology, configuration / voting, test interval, diagnostics

Thank you. SIL Allocation, Layer of protection analysis
Presenter's name: Mathilde Cot
Presenter's title: Principal Consultant, Safety Technology, CFSE
mcot@statoil.com, tel: +47 95785095, www.statoil.com

Special cases handling: global safety instrumented systems for consequence mitigation
  - ESD, F&G, emergency depressurization or dumping system, fire water, etc.
  - The release and other events cannot be interrupted by a mitigation SIS: severity reduction, but residual consequences even if the mitigation SIS is successful (e.g. large uncontrolled fire vs controlled fire, avoiding escalation)
  (bow-tie figure as in Step 2, causes and prevention layers on the left, the top event in the middle, mitigation & recovery layers and consequences on the right, annotated with PFD × TTC for the large uncontrolled fire and 1 × TTC for the controlled fire: same protection gap?)

Special cases handling: global safety instrumented systems for consequence mitigation
Preferred approach: deterministic. Divide the global SIS into a detection SIS and an action SIS
  - Detection SIS: an incomplete safety instrumented system, from the sensors (S1, S2, S3) to the PLC output signal
  - Action SIS: an incomplete safety instrumented system, from the PLC input signal to the valves (V1, V2)
  (figure: safety logigram)

Special cases handling
  - Safety-related parts of control systems for machinery
  - SIS in a process under patented license
  - Permissive safety function
  - Staggered safety functions
  - Overpressure protection via SIS

LOPA - Limitations
  - Simplified risk assessment: SIL 3 with no TES and SIL 4 (implemented by independent SIS) shall be further assessed by a quantitative method
  - Components shared between the IE and candidate IPLs: no independence
  - Several independent SIS with the same functionality and the possibility of common cause failures
  - Complex scenario sequences
(the slide repeats the risk-based SIL allocation process flowchart shown earlier under "SIL Allocation process (risk-based)", with the same inputs, decisions and outputs)

Step 2: Identification of SIF
  - Design intent, safe state
  - Demand mode vs continuous mode of operation (IEC61511-1 definitions):
    - Demand mode: where a specified action (e.g. closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the SIF a potential hazard only occurs in the event of a failure in the process or the PCS. Measure: PFD
    - Continuous mode: where in the event of a dangerous failure of the safety instrumented function a potential hazard will occur without further failure unless action is taken to prevent it. Measure: PFH
  - A SIF operates in continuous mode when the frequency of demands for operation on the SIF is more than once per year or more than twice the SIF proof test frequency.