- Deterministic vs. risk-based approach
- Layer Of Protection Analysis (LOPA) overview
SIL Allocation
2012-03-07
Origin and causes of accidents involving control system failure
(Figure: distribution of accident causes by lifecycle phase)
• 44% Specification
• 15% Design and implementation
• 6% Installation and start-up
• 15% Maintenance and operation
• 20% Changes after start-up
Ref. "Out of Control: Why control systems go wrong and how to prevent failure", published by UK HSE
SIS Safety Lifecycle, IEC61511
(Figure: the IEC 61511 safety lifecycle diagram. Numbered phases and cross-cutting activities as shown:)
1. Assessment of hazards and risks
2. Allocation of the safety functions to the protection layers
3. Specification of the safety requirements for the safety instrumented system
4. Design and engineering of the safety instrumented system (in parallel: design and development of other means of reducing risk)
5. Installation, reception and validation
6. Operation and maintenance
7. Modification
8. Decommissioning
Cross-cutting (9, 10, 11): Management of functional safety and assessment and audit of functional safety; Structure and planning of the safety life cycle; Verification
SIL Allocation in the IEC61511 Safety Lifecycle
(Figure: the same IEC 61511 lifecycle diagram, with the phases in which SIL allocation takes place highlighted.)
SIL Allocation & SIL Verification
(Figure: the lifecycle diagram split into the SIL allocation and the SIL verification activities.)
SIL Allocation – set target
• Methods: minimum SIL requirements; LOPA, risk graphs
• Determine if additional SIF are required and, if yes, allocate the target SIL
SIL Verification – demonstrate the target is met
• Design & engineering: SIL verification calculations (PFD), FMECA, SAR, safety manuals, etc.
• Address the target SIL (fault tolerance & PFD):
  • Select system technology
  • Configuration / voting
  • Test interval
  • Diagnostics
SIL Allocation – The two approaches
• Deterministic: ISO10418, OLF070
• Risk-based: LOPA, risk graph, QRA
SIL Allocation – Deterministic approach
1. Design in accordance with process industry standards
• ISO10418, API RP14C for offshore installations
• NFPA 85, 86, API RP556 for various types of fired equipment
• …etc.
• Prescriptive recommendations for protective measures
• Based on experience and recognized practice
• Acceptable level of safety achieved (refers to clearly defined hazards and standardized behaviour of safety systems and barriers)
SIL Allocation – Deterministic approach
2. Allocate SIL based on predetermined requirements
Minimum SIL requirements: OLF070 "Application of IEC in the Norwegian Petroleum Industry"; company governing documentation
• The minimum SIL requirement is derived from the expected reliability (PFD) of typical SISs, i.e. what is achievable by standard solutions considered good industry practice
• Not based on the required risk reduction against specific RTC
• Enforces quality requirements in the SIS design, installation and operation
SIL Allocation – The two approaches
• Deterministic: ISO10418, OLF070, TES
• Risk-based: LOPA, risk graph, QRA
The safety 'onion' – Integrated approach
(Figure: independent protection layers drawn as concentric layers, from the innermost outwards:)
• Process design
• Basic controls, process alarms, and operator supervision
• Critical alarms, operator supervision, and manual intervention
• Automatic action: SIS or ESD (the SIS layer)
• Physical protection (relief devices)
• Physical protection (dikes)
• Plant emergency response
• Community emergency response
Alternative view – protecting by multiple protection layers
(Figure: process level against time, with the layers acting at successive thresholds: normal level; high level, where the high level alarm is raised and the operator takes action; trip set point, where the SIS acts; low level. One transmitter (PT) feeds the PCS and a separate transmitter (PT) feeds the PSD logic.)
Reducing risks with protection layers
(Figure: risk (frequency) on an increasing-risk axis. The initial risk lies above the risk tolerance criteria; the distance between them is the required risk reduction. Risk reduction is achieved in turn by external measures, by other technologies and by the SIS; the remaining risk must end below the risk tolerance criteria. Closing the safety gap between risk and target: are adequate barriers missing?)
Applicability of risk assessment methods for risk judgements
• HAZOP, What if – qualitative analysis (100% of scenarios are analyzed using qualitative methods): simple issues: Good; complex issues: Poor to okay for risk judgment
• LOPA, Risk Graph – simplified-quantitative or semi-qualitative analysis (1-5% of scenarios, 100% of SIF): simple issues: Good; complex issues: Usually good
• ETA, FTA, QRA – quantitative analysis (<1 ‰ of scenarios, 1% of SIF): simple issues: Overkill; complex issues: Good
SIL Allocation process (risk-based)
(Figure: flowchart of the risk-based SIL allocation process; the level of analysis moves from qualitative through semi-qualitative and simplified-quantitative to quantitative.)
Inputs: plant – facilities & safety conceptual strategies / philosophies; design & operating principles / performance standards / acceptance criteria; plant design development input (e.g. process conditions, P&ID, C&E, FDS, etc.)
• Risk assessment / Process Hazard Analysis (PHA) / IPL definition (e.g. HAZOP) – qualitative
• SIF determination & SIL allocation: for each scenario, SIF determination and SIL allocation with a simplified risk analysis technique (e.g. LOPA, risk graph) – semi-qualitative / simplified-quantitative
• "SIL1, SIL2 or SIL3 with TES where further assessment is needed?" – YES: quantitative risk assessment for the dedicated scenario – quantitative
• "SIL4? or SIL3 with no TES?" – "Design change or other non-SIS IPL possible?" – YES: evaluate other non-SIS IPL or design change (back to SIF determination & SIL allocation)
• "SIL4 required by a single SIS?" – YES: apply for dispensation to TR2041
• "SIL1, SIL2, SIL3 or SIL4 by multiple SIS?" – YES: complete SIL allocation for each SIF & reporting (SRS, CDD, SAR, etc.)
LOPA – Layer of Protection Analysis
• Multidiscipline team exercise, immediately after HAZOP (1w/m)
• Good synergy with HAZOP (cause, consequence, safeguards)
• Simple rules (reproducible), order of magnitude of the risk
• Barrier / protection layers analysis methodology
• Focus on Safety Instrumented Systems
• Will also address credit for other safety related systems
• Identification of required and expected performance of critical systems
• Closes the gap between 'expected' system performance and required 'risk tolerance'
• Determines the Safety Integrity Level (SIL) of the 'gap'
• Can be an entry point to QRA
LOPA – Can address the following
• Does my system (planned or actual) ensure my criteria are met?
• Do I need an additional Safety Instrumented System?
• Are there alternatives?
LOPA – References and applicability in the industry
• IEC 61511 – LOPA will meet requirements (Part 3, Annex F)
• AIChE endorsement
• Risk-based approach common in the downstream industry, especially for PSD
• LOPA often used in the Americas; Europe often uses risk graphs
• Some O&G companies have developed their own software / spreadsheets
LOPA – Procedure
Step 1: Establish TTC
Step 2: Preliminary selection of scenarios
Step 3: Evaluate impact severity on safety, environment and assets
Step 4: Determine IE frequency
Step 5: Identify IPLs and select the probability of failure
Step 6: Identify conditional modifiers and select the probability
Step 7: Evaluate scenario frequency and compare with TTC
Step 8: Identify SIF and allocate SIL
Step 9: Evaluate need for other non-SIS IPL or redesign
Step 10: Evaluate consequences of spurious failure
Step 11: Reporting
Step1 – Establish Target Tolerance Criteria (TTC)
(Figure: risk matrix of impact level 1–8 against frequency level 1–8.)
Frequency level (/year): 1: < 1E-4 | 2: 1E-4 – 1E-3 | 3: 1E-3 – 0.01 | 4: 0.01 – 0.05 | 5: 0.05 – 0.3 | 6: 0.3 – 0.7 | 7: 0.7 – 1.4 | 8: > 1.4
Target Tolerance Criteria by impact category:
Category 8 / Catastrophic   1E-6 per year
Category 7 / Major          1E-5 per year
Category 6 / Severe         1E-4 per year
Category 5 / Serious        1E-3 per year
Category 4 / Moderate       1E-2 per year
Step1 – Establish TTC
• The criteria are dependent on the numbers used for initiating events, risk reduction factors etc.
• Economic impact should include the total loss:
  • Demolition cost
  • Installed equipment costs (x3 purchase price)
  • Cost of business interruption (value of product that cannot be shipped out, not cost of lost production)
• Corporate TTC should be used as a basis to establish the locally applicable TTC
Step2 – Preliminary selection of scenarios/SIFs
• Scenarios/SIF identified from C&E, interlocks narrative and P&IDs
• Additional scenarios where a SIF is recommended for evaluation (e.g. identified during HAZID, HAZOP or other project/facility review)
• High impact severity scenarios (i.e. category 7 and 8 in TTC)
(Figure: example SIF architecture: two temperature transmitters, a level switch and a flow transmitter as inputs to a logic solver (PLC); two solenoid-operated on/off valves and a pump as final elements.)
Step2 – Identification of scenario
(Figure: bow-tie diagram. Left, CAUSES: initiating events 1, 2 and 3 pass through the PREVENTION barriers, which terminate the chain of events and reduce frequency: BPCS, operator response to alarm from monitoring system, SIS, PSV. Centre: the TOP EVENT, e.g. loss of containment. Right, CONSEQUENCES: MITIGATION & RECOVERY barriers that reduce consequence severity: ignition control, ESD, fire water; outcomes are consequence A, B, C, D or no consequence.)
LOPA scenario: single cause – consequence pair (e.g. initiating event 1 → consequence D)
Step3 – Evaluate Impact severity
• Define the "worst reasonably credible" consequences that result if the chain of events continues without interruption.
• Select the impact severity from the TTC for all categories (people's safety, environment, economic).
(The TTC table from Step 1 is repeated here: category 8 / Catastrophic 1E-6 per year; 7 / Major 1E-5; 6 / Severe 1E-4; 5 / Serious 1E-3; 4 / Moderate 1E-2.)
Step4 – Determine Initiating Event Frequency
• Identify all possible initiating events, i.e. causes
• Mechanical, instrument or human failures
f_IE – typical initiating event frequencies (failure/year):
Mechanical initiating event
  Canned/Magnetic Drive Pump Failure                     1.00E-02
  Compressors, Pumps and Crane fail                      1.00E+00
  Control valve failure                                  1.00E-01
  Cooling Water Failure                                  1.00E-01
  Double Mechanical Seal Pump Failure                    1.00E-02
  Expansion Joint Fails                                  1.00E-02
  General Utility Failure                                1.00E-01
  Heat Exch. tube leak <100 tubes                        1.00E-02
  Heat Exch. tube leak >100 tubes                        1.00E-01
  Heat Exch. tube rupture <100 tubes                     1.00E-03
  Heat Exch. tube rupture >100 tubes                     1.00E-02
  Loss Cooling                                           1.00E-01
  Loss Power                                             1.00E-01
  Manual valve failure                                   1.00E+00
  Pressure safety valve failure                          2.00E-01
  Pressure Vessel Failure Significant Release            1.00E-05
  Pump Failure Loss of Flow                              1.00E-01
  Single Mechanical Seal Pump Failure                    1.00E-01
  Unloading/Loading Hose Failure                         1.00E-01
Instrument initiating event
  BPCS Instrument Loop Failure                           1.00E-01
  BPCS Sensor failure                                    1.00E-01
  Control loop failure                                   1.00E-01
  Loss of instrument air                                 1.00E-01
Human initiating event
  3rd Party Intervention                                 1.00E-02
  Human error in a non-routine, low stress task          1.00E-01
  Human error in a routine, once per day opportunity     1.00E+00
  Human error in a routine, once per month opportunity   1.00E-01
  Operator Failure Action more than once per quarter     1.00E-01

Human error probability for not correctly performing a task, per demand, for various situations:
Stress / Complexity   Simplest   Routine & Simple   Routine but Requires Care   Complicated non-Routine
No stress             1E-4       1E-3               1E-2                        0.1
Moderate stress       1E-3       1E-2               5E-2                        0.3
High stress           1E-2       1E-1 – 1.0         0.25 – 1.0                  1.0
Step4 – Determine Initiating Event Frequency
• Enabling event: adjust f_IE to the "time at risk", i.e. multiply by the fraction of time during which the risk is present
• SIF operating in continuous mode of operation: f_IE PFD*2=
Step5 – Identify IPLs and select probability of failures
All IPLs are protection layers, but not all protection layers are IPLs.
Essential requirements
• Specific: Detect, Decide and Deflect
• Effective: big enough, fast enough, strong enough, smart enough
• Independent: its performance must not be affected by other protection layers and must be independent of the events causing the accident
• Reliable: the protection given by the IPL reduces the risk by a known and specific quantity
• Auditable: it must allow periodic checks and tests of the protection function
Step5 – Identify IPLs and select probability of failures
• Process design – inherent safety in design
  − Initial risk, not an IPL
  − Minimize, Substitute, Moderate, Simplify
• Process control system
  − Actions to return the process to within the normal operating envelope (e.g. minimum flow control)
  − Process shutdown (shadowing the SIS in the PCS)
  − Alarms (+ operator response)
Step5 – Identify IPLs and select probability of failures
• Process control system
  − Maximum PFD claimed 0.1 if independent of initiating events and other IPLs
  − If the initiating event is caused by a PCS control loop failure, the PCS can be considered an IPL if:
    • Sensors, I/O cards and final elements are independent
    • The logic controller is designed with a high level of reliability by reference to recognized industry standards (e.g. redundant CPUs)
  − PFD lower than 0.1 requires that the PCS is designed according to IEC61511
  − The PCS cannot be credited twice as an IPL
(Figure: PCS with sensor 1 / input 1 / output 1 / final element 1 forming the initiating event (IE) loop and sensor 2 / input 2 / output 2 / final element 2 forming the IPL loop, both through the same logic controller.)
Step5 – Identify IPLs and select probability of failures
• PCS supervision & alarms – human intervention
  − Direct connection between the alarm, which indicates the event, and the measures to be taken by staff to avoid the event
  − Safety alarms requiring intervention should be prioritized, with configuration access restricted
  − Time needed vs time available due to process dynamics: alarm processing, limited troubleshooting, deciding the action, triggering the action and getting it to be effective. Min 15-20 min if automatic; min 30 min – 1 h if manual local action
  − Written procedure in use, training
(Figure: process variable against time, passing the PCS pre-alarm set point, then the SIS trip point, then the top event (e.g. loss of integrity), then the final consequences; the time available for the operator to take action and the process safety time are marked as intervals on this axis.)
Step5 – Identify IPLs and select probability of failures
• Preventive SIS (PSD)
• Mitigation SIS
  − ESD, F&G, emergency depressurization or dumping system, fire water, etc.
  − Have a role in risk reduction but should not be considered IPLs for evaluation of a preventive SIF (PSD) with LOPA. The objective is to prevent the scenario without relying on mitigation SIS (residual consequences even if successful). May be given credit in QRA.
  − Design against the scenario shall be demonstrated, claimed reliability shall be demonstrated, appropriate maintenance and testing.
Step5 – Identify IPLs and select probability of failures
• Mechanical mitigation system
  − PSV and rupture disk: depends on the SIF design intent, i.e. in lieu of the PSV or in addition, e.g. to limit the release to the disposal system. PSV fulfils the 3E? Release damageable? Fouling service?
  − Check valve: IPL, with restrictions on service and technology; frequent testing required
  − Flame arrestor (in line): can be an IPL. Design against deflagration will not prevent detonation; testing
  − Explosion doors: not an IPL. Can be considered for selection of a lower impact severity. Design must be checked against the explosion load
  − Excess flow valves: mitigation, generally not an IPL
Step5 – Identify IPLs and select probability of failures
• Post-release physical protection (passive)
  − Dike, fire wall, passive fire protection, collision protection
  − Should not be considered IPLs for evaluation of a preventive SIF with LOPA. May be given credit in QRA. Design against the scenario shall be demonstrated, appropriate maintenance
• Emergency response (evacuation and rescue)
  − Relying on evacuation and rescue is the last resort. No credit for risk reduction shall be granted as an IPL. Considered in the selection of the conditional modifier (probability of personnel present)
Step5 – Identify IPLs and select probability of failures
Independent protection layer                                   PFD
Single check valve in clean liquid service                     2.00E-01
Single check valve in gas service                              1.00E+00
Two check valves in series in clean gas or liquid service      2.00E-02
Process Safety Valve fail to open, clean service               1.00E-02
Control loop / PCS                                             1.00E-01
Explosion doors                                                1.00E+00
Flame arrestor                                                 1.00E-01
Operator response to alarm (15-20 minutes)                     1.00E-01
Step6 – Conditional modifiers
• Probability of ignition for a flammable release (P_ignition)
• Probability that personnel are present at the time of the hazardous event (P_person present) = occupancy × probability to avoid the hazardous event once the SIS has failed
• Probability of death (vulnerability): not taken into account (conservative but simpler)
Ignition probability modifier          Probability
Gas Major (1-50kg/s) EXPLOSION         8.40E-03
Gas Major (1-50kg/s) FIRE              7.00E-02
Gas Massive (>50kg/s) EXPLOSION        9.00E-02
Gas Massive (>50kg/s) FIRE             3.00E-01
Gas Minor (<1kg/s) EXPLOSION           4.00E-04
Gas Minor (<1kg/s) FIRE                1.00E-02
Liquid Major (1-50kg/s) EXPLOSION      3.60E-03
Liquid Major (1-50kg/s) FIRE           3.00E-02
Liquid Massive (>50kg/s) EXPLOSION     2.40E-02
Liquid Massive (>50kg/s) FIRE          8.00E-02
Liquid Minor (<1kg/s) EXPLOSION        4.00E-04
Liquid Minor (<1kg/s) FIRE             1.00E-02
Not always relevant (e.g. release above auto-ignition temperature, control of ignition sources, environmental impact)
Step6 – Conditional modifiers
− Occupancy
0.1: Rare to occasional exposure in the hazardous zone (exposure time below 10%). Most continuous process plants will have only occasional exposure. This would be the default choice for normal operation and when something goes spontaneously wrong.
1: Frequent to permanent exposure in the hazardous zone (more than 10% of the time). Most continuous process plants will have troubleshooting, testing and maintenance activities upon certain alarms. This can mean that several people are exposed to a hazard when it happens. The correct action for hazardous work and when something goes wrong is to evacuate the premises as much as possible (ARCO 1989 tank explosion). Consider specific scenarios during shut-down or start-up with almost permanent exposure (e.g. lighting of fired heaters). Batch plants and semi-batch plants often require semi-continuous human supervision.
Step6 – Conditional modifiers
− Probability to avoid the hazardous event once the SIS has failed
1: Almost impossible to avoid the hazard; this is the default probability. Credit for using personal protective equipment to avert a hazard should not be taken unless it is certain that the personal protective equipment will actually be worn. Usually, systems are designed on the assumption that the use of such equipment is not absolutely required to achieve a sufficient degree of safety, although it is recognized that it can further improve safety.
0.1: Possible to avoid the hazard under certain conditions; needs strong justification. Should only be selected if all of the following conditions are true:
• Facilities are provided to alert the operator that the SIS has failed
• Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area (e.g. the escape route is obvious and immediate, with no vertical or spiral staircase, no rescue required, etc.)
• The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions
Caution: don't credit the same "operator intervention" twice (e.g. alarm + operator intervention)
Step7 – Compare scenario frequency with TTC
$$f_{scenario,LOPA} = f_{IE} \times PFD_{IPL1} \times PFD_{IPL2} \times \dots \times PFD_{IPLn} \times P_{ignition} \times P_{person\,present}$$
Step8 – Identify SIF and Allocate SIL
Step9 – Evaluate need for other non-SIS IPL or redesign
$$RRF = \frac{f_{scenario,LOPA}}{TTC} < 1 \quad \Rightarrow \quad \text{scenario «passes» LOPA}$$
$$RRF = \frac{f_{scenario,LOPA}}{TTC} > 1 \quad \Rightarrow \quad \text{risk reduction needed}$$
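As an added example (not the presenter's worksheet or any Statoil tool), Steps 7 to 9 carried through in Python on a constructed scenario whose numbers come from the slides' own tables (initiating event frequency, IPL PFD, ignition probability, occupancy, TTC). The SIL bands used to turn the RRF into a target SIL are the standard IEC 61511 demand-mode bands, which the slides do not list; the scenario, IPL names and function names are assumptions.

```python
"""LOPA Steps 7-9 for a single cause-consequence pair (added example)."""
from dataclasses import dataclass, field
from math import prod

# Target Tolerance Criteria per impact category, events/year (TTC table, Step 1)
TTC = {4: 1e-2, 5: 1e-3, 6: 1e-4, 7: 1e-5, 8: 1e-6}

# IEC 61511 demand-mode SIL bands as required risk reduction factor:
# SIL n covers 10**n <= RRF < 10**(n+1). Standard bands, not listed on the slides.
SIL_BANDS = {1: (10, 100), 2: (100, 1_000), 3: (1_000, 10_000), 4: (10_000, 100_000)}

@dataclass
class Scenario:
    """One LOPA scenario: one initiating event leading to one consequence."""
    name: str
    impact_category: int                  # Step 3: 4..8 as in the TTC table
    ie_frequency: float                   # Step 4: f_IE in failures/year
    time_at_risk: float = 1.0             # Step 4: enabling-event fraction of time
    ipl_pfd: dict = field(default_factory=dict)  # Step 5: IPL name -> PFD
    p_ignition: float = 1.0               # Step 6: conditional modifiers
    occupancy: float = 1.0                #   (1.0 = no credit taken)
    p_avoid: float = 1.0

    def frequency(self) -> float:
        """Step 7: f_IE * PFD_IPL1 * ... * PFD_IPLn * P_ignition * P_person_present."""
        p_person_present = self.occupancy * self.p_avoid
        return (self.ie_frequency * self.time_at_risk * prod(self.ipl_pfd.values())
                * self.p_ignition * p_person_present)

    def rrf(self) -> float:
        """Step 8: RRF = f_scenario / TTC; < 1 passes LOPA, > 1 needs risk reduction."""
        return self.frequency() / TTC[self.impact_category]

def check_single_operator_credit(s: Scenario) -> None:
    """Step 6 caution: never credit the same operator intervention twice, i.e. as an
    'alarm + operator response' IPL and again as P_avoid < 1."""
    alarm_ipl = any("operator" in name.lower() for name in s.ipl_pfd)
    if alarm_ipl and s.p_avoid < 1.0:
        raise ValueError(f"{s.name}: operator intervention credited twice")

def allocate_sil(s: Scenario) -> dict:
    """Steps 8-9: decide whether a SIF is needed and which SIL closes the gap."""
    check_single_operator_credit(s)
    rrf = s.rrf()
    result = {"frequency": s.frequency(), "rrf": rrf, "sif_required": rrf > 1.0,
              "sif_pfd_target": None, "sil": None, "note": "scenario passes LOPA"}
    if not result["sif_required"]:
        return result
    result["sif_pfd_target"] = 1.0 / rrf          # PFD the SIF must achieve
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= rrf < hi:
            result["sil"] = sil
    if rrf < SIL_BANDS[1][0]:
        result["note"] = "gap below SIL1: prefer a non-SIS IPL or redesign (Step 9)"
    elif result["sil"] is None:
        result["note"] = "RRF beyond SIL4: not achievable by a single SIS, redesign"
    elif result["sil"] >= 3:
        result["note"] = "SIL3/SIL4: further quantitative assessment required"
    else:
        result["note"] = "SIF required; consider a non-SIS IPL or redesign first"
    return result

# Constructed scenario (not the slides' worksheet): overpressure of a gas separator
# after a control valve failure, impact category 7 (Major). Values come from the
# slides' tables: control valve failure 1E-01/yr, operator response to alarm PFD
# 1E-01, 'Gas Major FIRE' ignition 7E-02, occupancy 1 (frequent), P_avoid 1 (default).
HP_SEPARATOR = Scenario(
    name="HP separator overpressure -> gas fire",
    impact_category=7,
    ie_frequency=1e-1,
    ipl_pfd={"Operator response to alarm (15-20 min)": 1e-1},
    p_ignition=7e-2,
)

# The same scenario with a PSV in clean service (PFD 1E-02) credited as second IPL.
HP_SEPARATOR_WITH_PSV = Scenario(
    name="HP separator overpressure -> gas fire (with PSV)",
    impact_category=7,
    ie_frequency=1e-1,
    ipl_pfd={"Operator response to alarm (15-20 min)": 1e-1, "PSV clean service": 1e-2},
    p_ignition=7e-2,
)
```

Without the PSV the scenario frequency is 7E-04/yr against a TTC of 1E-05/yr, an RRF of 70, so a SIL1 SIF (PFD target about 0.014) would close the gap; crediting the PSV brings the RRF to 0.7 and the scenario passes LOPA without a SIF.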
Step8 - Identify SIF and Allocate SIL
(Figure: risk reduction bar along an increasing-risk axis, from the initial process risk (without IPL) down to the residual risk (with IPL), with the Target Tolerance Criteria marked. Successive segments show risk reduction by BPCS, by operator response to alarms, by the Safety Instrumented System, by mechanical devices and by other means. The distance from the initial risk to the TTC is the risk reduction needed, i.e. the safety gap (SG); the part assigned to the SIS is the risk reduction factor (RRF) required for the SIS; the full bar is the risk reduction achieved.)
Closing the safety gap by SIS
Step9 – Evaluate need for other non-SIS IPL
• LOPA is focused on identification of SIF to close the safety gap; it does not necessarily mean that a SIS is needed
• By order of preference:
  • Design the problem out of the process using inherently safe principles
  • Protection by non-SIS protective measures
  • Passive rather than active
• A SIF should be the solution of last resort, when other solutions are not practical
Step10 – Evaluate consequences of spurious trip failure
• Spurious failure: failure triggering the action in an untimely manner
• Consider the need for a 'robust to spurious trip' design (e.g. 2oo3 instead of 1oo2)
• Set a minimum mean time to fail safe requirement (MTTFS = 1/STR)
Step11 – Reporting. SIL Allocation Report
• Methodology
• Identified IPL listing that is regarded as part of the PCS, e.g. alarm function requiring operator action
• Identified SIF list and SIL allocation result, corresponding SIS
• SIF/SIL allocation worksheet
  − All assumptions, uncertainties and sensitivities should be recorded
  − Level of detail sufficient to enable a 3rd party to follow/reproduce the evaluation
• Starting point for the Safety Requirement Specification (SRS)
Step11 – Reporting. SIL Allocation Report
• SIF/SIL allocation worksheet
(Figure: example worksheet, Target Tolerance Criteria = 1E-5/yr)
SIL Allocation & SIL Verification
(Figure: the allocation / verification diagram shown earlier, repeated as a summary.)
SIL Allocation – set target: minimum SIL requirements; LOPA, risk graphs. Determine if additional SIS are required and, if yes, allocate the target SIL.
SIL Verification – demonstrate the target is met: design & engineering; SIL verification calculations (PFD), FMECA, CDD, SAR, safety manuals, etc. Address the target SIL (fault tolerance, PFD, software requirements):
• Select system technology
• Configuration / voting
• Test interval
• Diagnostics
SIL Allocation – Layer of protection analysis
Presenter's name: Mathilde Cot
Presenter's title: Principal Consultant, Safety Technology, CFSE
[email protected], tel: +47 95785095
www.statoil.com
Thank you
Special cases handling
• Global Safety Instrumented Systems for consequence mitigation
  ESD, F&G, emergency depressurization or dumping system, fire water, etc.
  Release and other events cannot be interrupted by a mitigation SIS.
  Severity reduction, but residual consequences even if the mitigation SIS is successful (e.g. large uncontrolled fire vs controlled fire, avoiding escalation)
(Figure: the bow-tie diagram from Step 2 again, with the mitigation SIS (ESD, fire water) on the consequence side. Labels: "PFD*TTC (large uncontrolled fire)", "1*TTC (controlled fire)", "Same protection gap?")
Special cases handling
• Global Safety Instrumented Systems for consequence mitigation
  Preferred approach: deterministic
  Divide the global SIS into:
  • Detection SIS: incomplete safety instrumented system (sensors S1, S2, S3 → input signal → PLC safety logigram)
  • Action SIS: incomplete safety instrumented system (PLC safety logigram → output signal → valves V1, V2)
(Figure: the global SIS drawn with the detection and action parts separated at the PLC.)
Special cases handling
• Safety-related parts of control systems for machinery
• SIS in process under patented license
• Permissive safety function
• Staggered safety functions
• Overpressure protection via SIS
LOPA - Limitations
• Simplified risk assessment. SIL 3 with no TES and SIL4 (implemented by independent SIS) shall be further assessed by a quantitative method
• Components shared between the IE and candidate IPLs: no independence
• Several independent SIS with the same functionality and the possibility of common cause failures
• Complex scenario sequences
(Figure: the risk-based SIL allocation flowchart shown earlier, highlighting the branch to quantitative risk assessment for a dedicated scenario.)
Step2 – Identification of SIF
• Design intent
• Safe state
• Demand mode vs continuous mode of operation (IEC61511-1 definitions)
  Demand mode (target measure: PFD): where a specified action (e.g. closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the SIF, a potential hazard only occurs in the event of a failure in the process or the PCS.
  Continuous mode (target measure: PFH): where, in the event of a dangerous failure of the safety instrumented function, a potential hazard will occur without further failure unless action is taken to prevent it.
  A SIF operates in continuous mode when the frequency of demands for operation on the SIF is more than once per year or more than twice the SIF proof test frequency.