mecot fastsetting av sil krav2

Upload: yasmine-

Post on 07-Aug-2018

TRANSCRIPT

  • 8/20/2019 MECot Fastsetting Av SIL Krav2

    1/47

    SIL Allocation

    - Deterministic vs. risk-based approach
    - Layer Of Protection Analysis (LOPA) overview

    2012-03-07

    2/47

    Origin and causes of accidents involving control system failure

    • 44% Specification
    • 15% Design and implementation
    • 6% Installation and start-up
    • 15% Maintenance and operation
    • 20% Changes after start-up

    Ref “Out of Control: Why control systems go wrong and how to prevent failure”, published by UK HSE

    3/47

    SIS Safety Lifecycle, IEC61511

    [Figure: IEC 61511 safety lifecycle. Phases, with IEC 61511 clause numbers 8, 9, 10 and 11 marked against the first four: Assessment of hazards and risks; Allocation of the safety functions to the protection layers; Specification of the safety requirements for the safety instrumented system; Design and engineering of the safety instrumented system; Installation, reception and validation; Operation and maintenance; Modification; Decommissioning. Activities spanning all phases: Management of functional safety and assessment and audit of functional safety; Structure and planning of the safety life cycle; Verification. Parallel branch: Design and development of other means of reducing risk.]

    4/47

    SIL Allocation in the IEC61511 Safety Lifecycle

    [Figure: the same IEC 61511 safety lifecycle diagram as on slide 3.]

    5/47

    SIL Allocation & SIL Verification

    [Figure: the IEC 61511 lifecycle diagram, with SIL allocation and SIL verification mapped onto its phases.]

    SIL Allocation – set target:
    • Minimum SIL requirements, LOPA, risk graphs, etc.
    • Determine if additional SIF are required and if yes then allocate the target SIL (SIL 1, SIL 2, SIL 3)

    SIL Verification – demonstrate target is met:
    • Design & Engineering: SIL verification calculations (PFD), FMECA, SAR, Safety Manuals, etc.
    • Address target SIL (fault tolerance & PFD):
      • Select system technology
      • Configuration / voting
      • Test interval
      • Diagnostic

    6/47

    SIL Allocation – The two approaches

    • Deterministic: ISO10418, OLF070
    • Risk-Based: LOPA, Risk graph, QRA

    7/47

    SIL Allocation – Deterministic approach

    1. Design in accordance with process industry standards

    ISO10418, API RP14C for offshore installations; NFPA 85, 86, API RP556 for various types of fired equipment; etc.

    • Prescriptive recommendation for protective measures
    • Based on experience and recognized practice
    • Acceptable level of safety achieved (refer to clearly defined hazards and standardized behaviour of safety systems and barriers)

    8/47

    SIL Allocation – Deterministic approach

    2. Allocate SIL based on predetermined requirements

    Minimum SIL requirements: OLF070 (Application of IEC in the Norwegian Petroleum Industry); Company Governing Documentation

    • Minimum SIL requirement is derived from expected reliability (PFD) of typical SISs, i.e. achievable by standard solutions considered good industry practice.
    • Not based on required risk reduction conforming to specific RTC
    • Enforces quality requirements in the SIS design, installation and operation

    9/47

    SIL Allocation – The two approaches

    • Deterministic: ISO10418, OLF070, TES
    • Risk-Based: LOPA, Risk graph, QRA

    10/47

    The safety ‘onion’ – Integrated approach

    [Figure: concentric protection layers, listed here from the innermost outwards]
    • Process design
    • Basic controls, process alarms, and operator supervision
    • Critical alarms, operator supervision, and manual intervention
    • Automatic action SIS or ESD (layer of SIS)
    • Physical protection (relief devices)
    • Physical protection (dikes)
    • Plant emergency response
    • Community emergency response

    Independent Protection Layers

    11/47

    Alternative view – protecting by multiple protection layers

    [Figure: process level over time. Normal level; high level reached – High Level Alarm, operator takes action; trip set point reached – SIS action; low level. Instrumentation: PT to PCS, PT to PSD logic.]

    12/47

    Reducing risks with protection layers

    [Figure: risk scale, increasing risk to the right, from the initial risk (frequency) down to the risk tolerance criteria. The required risk reduction is made up of risk reduction by external measures, by other technologies and by the SIS; the achieved risk reduction leaves a remaining risk. Missing adequate barriers?]

    Closing the safety gap between risk and target

    13/47

    Applicability of risk assessment methods for risk judgements

    Technique                        | HAZOP, What if                 | LOPA, Risk Graph | ETA, FTA, QRA
    Applicability to simple issues   | Good                           | Good             | Overkill
    Applicability to complex issues  | Poor to okay for risk judgment | Usually good     | Good

    • Qualitative analysis (100% of scenarios are analyzed using qualitative methods)
    • Simplified-quantitative or semi-qualitative analysis (1-5% of scenarios, 100% of SIF)
    • Quantitative analysis (

    14/47

    SIL Allocation process (risk-based)

    [Flowchart; boxes and decisions as recoverable from the slide]

    Inputs: Plant – Facilities & Safety conceptual strategies / philosophies; Design & operating principles / performance standards / acceptance criteria; Plant design development input (e.g. process conditions, P&ID, C&E, FDS, etc.)

    • Qualitative: Risk assessment / Process Hazard Analysis (PHA) / IPL definition (e.g. HAZOP)
    • Semi-qualitative / simplified-quantitative: For each scenario, SIF determination & SIL allocation with simplified risk analysis technique (e.g. LOPA, risk graph)
      − SIL4? Or SIL3 with no TES? If YES: design change or other non-SIS IPL possible? If YES, evaluate other non-SIS IPL or design change.
      − SIL1, SIL2, SIL3 or SIL4 by multiple SIS? SIL4 required by a single SIS? If YES, apply for dispensation to TR2041.
      − SIL1, SIL2 or SIL3 with TES where further assessment is needed? If YES:
    • Quantitative: Quantitative risk assessment for dedicated scenario
    • Complete SIL allocation for each SIF & reporting. Outputs: SRS, CDD, SAR, etc.

    Other label on the chart: GALE

    15/47

    LOPA – Layer of Protection Analysis

    • Multidiscipline team exercise, immediately after HAZOP (1w/m)
    • Good synergy with HAZOP (cause, consequence, safeguards)
    • Simple rules (reproducible), order of magnitude of the risk
    • Barrier/protection layers analysis methodology
    • Focus on Safety Instrumented Systems
    • Will also address credit for other Safety Related Systems
    • Identification of required and expected performance of critical systems
    • Closes the gap between ‘expected’ system performance and required ‘Risk Tolerance’
    • Determines Safety Integrity Level (SIL) of the ‘gap’
    • Can be an entry point to QRA

    16/47

    LOPA – Can address the following

    • Does my system (planned or actual) ensure my criteria are met?
    • Do I need an additional Safety Instrumented System?
    • Are there alternatives?

    LOPA – References and applicability in the industry

    • IEC 61511 – LOPA will meet requirements (Part 3, Annex F)
    • AIChE endorsement
    • Risk-based approach common in downstream industry, especially for PSD
    • LOPA often used in the Americas; Europe often uses risk graphs
    • Some O&G companies have developed their own software / spreadsheets

    http://www.amazon.com/gp/reader/0816908117/ref=sib_dp_pt/190-8041986-6626733

    17/47

    LOPA – Procedure

    Step 1: Establish TTC
    Step 2: Preliminary selection of scenarios
    Step 3: Evaluate impact severity on safety, environment and assets
    Step 4: Determine IE frequency
    Step 5: Identify IPLs and select the probability of failure
    Step 6: Identify conditional modifiers and select the probability
    Step 7: Evaluate scenario frequency and compare with TTC
    Step 8: Identify SIF and allocate SIL
    Step 9: Evaluate need for other non-SIS IPL or redesign
    Step 10: Evaluate consequences of spurious failure
    Step 11: Reporting

    18/47

    Step 1 – Establish Target Tolerance Criteria (TTC)

    [Figure: TTC matrix of impact level against frequency level]

    Frequency levels (per year):

    Level | 1      | 2           | 3           | 4           | 5          | 6         | 7         | 8
    Range | < 1E-4 | 1E-4 – 1E-3 | 1E-3 – 0.01 | 0.01 – 0.05 | 0.05 – 0.3 | 0.3 – 0.7 | 0.7 – 1.4 | > 1.4

    Impact level / Category | Target Tolerance Criteria
    8 / Catastrophic        | 1 x E-6 per year
    7 / Major               | 1 x E-5 per year
    6 / Severe              | 1 x E-4 per year
    5 / Serious             | 1 x E-3 per year
    4 / Moderate            | 1 x E-2 per year

    19/47

    Step 1 – Establish TTC

    • The criteria are dependent on the numbers used for initiating events, risk reduction factors etc.
    • Economic impact should include the total loss:
      • Demolition cost
      • Installed equipment costs (x3 purchase price)
      • Cost of business interruption (value of product that cannot be shipped out, not cost of lost production)
    • Corporate TTC should be used as a basis to establish the locally applicable TTC

    20/47

    Step 2 – Preliminary selection of scenarios/SIFs

    • Scenarios/SIF identified from C&E, interlocks narrative and P&IDs
    • Additional scenario where a SIF is recommended for evaluation (e.g. identified during HAZID, HAZOP or other project/facility review)
    • High impact severity scenarios (i.e. category 7 and 8 in TTC)

    [Figure: example SIF – two temperature transmitters, a level switch and a flow transmitter into a logic solver (PLC), acting on two on/off valves with solenoids and a pump.]

    21/47

    Step 2 – Identification of scenario

    [Figure: bow-tie diagram. Causes: Initiating Event 1, 2, 3. Prevention (terminate the chain of events, reduce frequency): BPCS, operator response to alarm from monitoring system, SIS, PSV. Top event: e.g. loss of containment. Mitigation & recovery (reduce consequence severity): ignition control, ESD, fire water. Outcomes: Consequence A, B, C, D, or no consequence.]

    LOPA scenario: single cause – consequence pair

    22/47

    Step 3 – Evaluate impact severity

    • Define “worst reasonably credible” consequences that result if the chain of events continues without interruption.
    • Select impact severity from TTC for all categories (people’s safety, environment, economic).

    Category         | Target Tolerance Criteria
    8 / Catastrophic | 1 x E-6 per year
    7 / Major        | 1 x E-5 per year
    6 / Severe       | 1 x E-4 per year
    5 / Serious      | 1 x E-3 per year
    4 / Moderate     | 1 x E-2 per year

    23/47

    Step 4 – Determine Initiating Event Frequency (f_ie)

    • Identify all possible initiating events, i.e. causes
    • Mechanical, instrument or human failures

    Mechanical Initiating Event                          | failure/year
    Canned/Magnetic Drive Pump Failure                   | 1,00E-02
    Compressors, Pumps and Crane fail                    | 1,00E+00
    Control valve failure                                | 1,00E-01
    Cooling Water Failure                                | 1,00E-01
    Double Mechanical Seal Pump Failure                  | 1,00E-02
    Expansion Joint Fails                                | 1,00E-02
    General Utility Failure                              | 1,00E-01
    Heat Exch. tube leak 100 tubes                       | 1,00E-01
    Heat Exch. tube rupture 100 tubes                    | 1,00E-02
    Loss Cooling                                         | 1,00E-01
    Loss Power                                           | 1,00E-01
    Manual valve failure                                 | 1,00E+00
    Pressure safety valve failure                        | 2,00E-01
    Pressure Vessel Failure Significant Release          | 1,00E-05
    Pump Failure Loss of Flow                            | 1,00E-01
    Single Mechanical Seal Pump Failure                  | 1,00E-01
    Unloading/Loading Hose Failure                       | 1,00E-01

    Instrument Initiating Event                          | failure/year
    BPCS Instrument Loop Failure                         | 1,00E-01
    BPCS Sensor failure                                  | 1,00E-01
    Control loop failure                                 | 1,00E-01
    Loss of instrument air                               | 1,00E-01

    Human Initiating Event                               | failure/year
    3rd Party Intervention                               | 1,00E-02
    Human error in a non-routine, low stress             | 1,00E-01
    Human error in a routine, once per day opportunity   | 1,00E+00
    Human error in a routine, once per month opportunity | 1,00E-01
    Operator Failure Action more than once per quarter   | 1,00E-01

    Human error probability for not correctly performing a task for various situations, per demand:

    Stress          | Simplest  | Routine & simple | Routine but requires care | Complicated non-routine
    No stress       | 1 x 10^-4 | 1 x 10^-3        | 1 x 10^-2                 | 0.1
    Moderate stress | 1 x 10^-3 | 1 x 10^-2        | 5 x 10^-2                 | 0.3
    High stress     | 1 x 10^-2 | 1 x 10^-1 – 1.0  | 0.25 – 1.0                | 1.0

    24/47

    Step 4 – Determine Initiating Event Frequency (f_ie)

    • Enabling event, e.g. adjust f_ie to the “time at risk”, i.e. multiply by the fraction of time during which the risk is present
    • SIF operating in continuous mode of operation: f_ie = 2 × PFD

    25/47

    Step 5 – Identify IPLs and select probability of failures

    Essential requirements

    • Specific: detect, decide and deflect
    • Effective: big enough, fast enough, strong enough, smart enough
    • Independent: its performance must not be affected by other protection layers and must be independent of the events causing the accident
    • Reliable: the protection given by the IPL reduces the risk by a known and specific quantity
    • Auditable: it must allow periodic checks and tests of the protection function

    All IPLs are protection layers, but not all protection layers are IPLs

    26/47

    Step 5 – Identify IPLs and select probability of failures

    • Process design – inherent safety in design
      − Initial risk, not an IPL.
      − Minimize, substitute, moderate, simplify
    • Process control system
      − Actions to return the process to within the normal operating envelope (e.g. minimum flow control)
      − Process shutdown (shadowing the SIS in the PCS)
      − Alarms (+ operator response)

    27/47

    Step 5 – Identify IPLs and select probability of failures

    • Process control system
      − Maximum PFD claimed 0,1 if independent of initiating events and other IPLs
      − If the initiating event is caused by PCS control loop failure, the PCS can be considered an IPL if:
        • Sensors, I/O cards and final elements are independent
        • Logic controller designed with a high level of reliability by reference to recognized industry standards (e.g. redundant CPUs)
      − PFD lower than 0,1 requires that the PCS is designed according to IEC61511
      − PCS cannot be counted twice as IPL.

    [Figure: Sensor 1 and Sensor 2 into Input 1 and Input 2 of one logic controller; Output 1 and Output 2 to Final Element 1 and Final Element 2; the two loops labelled IE and IPL.]

    28/47

    Step 5 – Identify IPLs and select probability of failures

    • PCS supervision & alarms – human intervention
      − Direct connection between the alarm, which indicates the event, and the measures to be taken by staff to avoid the event
      − Safety alarms requiring intervention should be prioritized, configuration access restricted
      − Time needed vs time available due to process dynamics: alarm processing, limited troubleshooting, decide action, trigger action and get action to be effective. Min 15-20 min if automatic; min 30 min - 1 h if manual local action
      − Written procedure in use, training

    [Figure: timeline – PCS pre-alarm set point, SIS trip point, top event (e.g. loss of integrity), final consequences; marked intervals: time available for the operator to take action, process safety time.]

    29/47

    Step 5 – Identify IPLs and select probability of failures

    • Preventive SIS (PSD)
    • Mitigation SIS
      − ESD, F&G, emergency depressurization or dumping system, fire water, etc.
      − Have a role in risk reduction but should not be considered IPL for evaluation of a preventive SIF (PSD) with LOPA. The objective is to prevent the scenario without relying on mitigation SIS (residual consequences even if successful). May be given credit in QRA.
      − Design against the scenario shall be demonstrated, claimed reliability shall be demonstrated, appropriate maintenance and testing.

    30/47

    Step 5 – Identify IPLs and select probability of failures

    • Mechanical mitigation system
      − PSV and rupture disk: depends on SIF design intent, i.e. in lieu of PSV or in addition, e.g. to limit release to the disposal system. PSV fulfils the 3E? Release damageable? Fouling service?
      − Check valve: IPL, with restriction on service and technology; frequent testing required
      − Flame arrestor (in line): can be IPL. Design against deflagration will not prevent detonation; testing
      − Explosion doors: not an IPL. Can be considered for selection of a lower impact severity. Design must be checked against explosion load
      − Excess flow valves: mitigation, generally not an IPL

    31/47

    Step 5 – Identify IPLs and select probability of failures

    • Post-release physical protection (passive)
      − Dike, fire wall, passive fire protection, collision protection
      − Should not be considered IPL for evaluation of a preventive SIF with LOPA. May be given credit in QRA. Design against the scenario shall be demonstrated, appropriate maintenance
    • Emergency response (evacuation and rescue)
      − Relying on evacuation and rescue is the last resort. No credit for risk reduction shall be granted as IPL. Considered in the selection of the conditional modifier (probability of personnel present)

    32/47

    Step 5 – Identify IPLs and select probability of failures

    Independent protection layer                              | PFD
    Single check valve in clean liquid service                | 2,00E-01
    Single check valve in gas service                         | 1,00E+00
    Two check valves in series in clean gas or liquid service | 2,00E-02
    Process Safety Valve fail to open, clean service          | 1,00E-02
    Control loop / PCS                                        | 1,00E-01
    Explosion doors                                           | 1,00E+00
    Flame arrestor                                            | 1,00E-01
    Operator response to alarm (15-20 minutes)                | 1,00E-01

    33/47

    Step 6 – Conditional modifiers

    • Probability of ignition for flammable release (P_ignition)
    • Probability that personnel are present at the time of the hazardous event (P_person present) = Occupancy × Probability to avoid the hazardous event once the SIS has failed
    • Probability of death (vulnerability): not taken into account (conservative but simpler)

    Ignition Probability Modifier   | Probability
    Gas Major (1-50kg/s) EXPLOSION  | 8,40E-03
    Gas Major (1-50kg/s) FIRE       | 7,00E-02
    Gas Massive (>50kg/s) EXPLOSION | 9,00E-02
    Gas Massive (>50kg/s) FIRE      | 3,00E-01
    Gas Minor (50kg/s) FIRE         | 8,00E-02
    Liquid Minor (

    34/47

    Step 6 – Conditional modifiers

    − Occupancy
      0,1: Rare to occasional exposure in the hazardous zone (exposure time inferior to 10%). Most continuous process plants will have only occasional exposure. This would be the default choice for normal operation and when something goes spontaneously wrong.
      1: Frequent to permanent exposure in the hazardous zone (more than 10% of the time; exposure time superior to 10%).
        • Most continuous process plants will have troubleshooting, testing and maintenance activities upon certain alarms. This can mean that several people are exposed to a hazard when it happens.
        • The correct action for hazardous work and when something goes wrong is to evacuate the premises as much as possible (ARCO 1989 tank explosion).
        • Consider specific scenarios during shut-down or start-up with almost permanent exposure (e.g. lighting of fired heaters).
        • Batch plants and semi-batch plants that often require semi-continuous human supervision.

    35/47

    Step 6 – Conditional modifiers

    − Probability to avoid the hazardous event once the SIS has failed
      1: Almost impossible to avoid the hazard: this is the default probability. Credit for using personal protective equipment to avert a hazard should not be taken, unless it is certain that the personal protective equipment will actually be worn. Usually, systems are designed on the assumption that the use of such equipment is not absolutely required to achieve a sufficient degree of safety, although it is recognized that it can further improve safety.
      0,1: Possible to avoid the hazard under certain conditions: needs strong justification. Should be selected only if all the following conditions are true:
        • Facilities are provided to alert the operator that the SIS has failed
        • Independent facilities are provided to shut down such that the hazard can be avoided or which enable all persons to escape to a safe area (e.g. escape route is obvious and immediate, with no vertical or spiral staircase, no rescue required, etc.)
        • The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions

    Caution: don’t count the same “operator intervention” twice (e.g. alarm + operator intervention)

    36/47

    Step 7 – Compare scenario frequency with TTC

    f_scenario,LOPA = f_ie × PFD_IPL1 × PFD_IPL2 × … × PFD_IPLn × P_ignition × P_person present

    RRF = f_scenario,LOPA / TTC

    • RRF < 1: scenario «passes» LOPA
    • RRF > 1: risk reduction needed

    Step 8 – Identify SIF and allocate SIL
    Step 9 – Evaluate need for other non-SIS IPL or redesign

    [Figure: bow-tie sketch, Initiating Event 1 to Consequence D.]

    37/47

    Step 8 – Identify SIF and allocate SIL

    [Figure: risk scale with increasing risk to the right. Initial process risk (without IPL); risk reduction by BPCS, by operator response to alarms, by Safety Instrumented System, by mechanical device, by other means; residual risk (with IPL); Target Tolerance Criteria. Marked intervals: risk reduction needed, i.e. the Safety Gap (SG); risk reduction factor (RRF) required for the SIS; risk reduction achieved.]

    Closing the safety gap by SIS

    38/47

    Step 9 – Evaluate need for other non-SIS IPL

    • LOPA is focused on the identification of SIF to close the safety gap; it does not necessarily mean that a SIS is needed
    • By order of preference:
      • Design the problem out of the process using inherently safe principles
      • Protection by non-SIS protective measure
      • Passive rather than active
    • A SIF should be the solution of last resort when other solutions are not practical

    Step 10 – Evaluate consequences of spurious trip failure

    • Spurious failure: failure triggering action in an untimely manner
    • Consider need for a ‘robust to spurious trip’ design (e.g. 2oo3 instead of 1oo2)
    • Set a minimum mean time to fail safe requirement (MTTFS = 1/STR)

    39/47

    Step 10 – Reporting. SIL Allocation Report

    • Methodology
    • Identified IPL listing that is regarded as part of the PCS, e.g. alarm function requiring operator action
    • Identified SIF list and SIL allocation result, corresponding SIS
    • SIF/SIL allocation worksheet
      − All assumptions, uncertainties and sensitivities should be recorded
      − Level of detail sufficient to enable a 3rd party to follow/reproduce the evaluation
    • Starting point for the Safety Requirement Specification (SRS)

    40/47

    Step 10 – Reporting. SIL Allocation Report

    • SIF/SIL allocation worksheet

    [Figure: worksheet example with Target Tolerance Criteria = 10^-5/yr]
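    The worksheet image did not survive extraction. The following is an added worked example, not part of the original slides and not Statoil's or the presenter's own worksheet, that carries Steps 1 and 4 to 9 of the procedure above through for two constructed overpressure scenarios. The TTC values, initiating event frequency, IPL PFDs and ignition probability are the ones printed in the tables on the slides; the scenarios themselves, all names, and the SIL bands (assumed from the IEC 61511 low-demand PFDavg ranges, which the slides do not state) are assumptions. The credit checks implement the double-counting cautions from the Step 5 and Step 6 slides.

```python
# Added example (not code from the slides or from Statoil): a minimal LOPA
# worksheet calculator following Steps 1 and 4-9 of the procedure above.
# Table values (TTC, IE frequency, IPL PFDs, ignition probability) are the
# ones printed on the slides; the scenarios below are constructed.
from dataclasses import dataclass, field

# Step 1: Target Tolerance Criteria per impact category, events per year.
TTC = {8: 1e-6, 7: 1e-5, 6: 1e-4, 5: 1e-3, 4: 1e-2}

# Assumption: SIL bands expressed as the largest risk reduction factor each
# SIL covers, from the IEC 61511 low-demand PFDavg ranges (SIL n covers
# RRF 10^n .. 10^(n+1)). These bands are not printed on the slides.
SIL_MAX_RRF = [(1, 100.0), (2, 1_000.0), (3, 10_000.0), (4, 100_000.0)]


@dataclass
class IPL:
    name: str
    pfd: float
    kind: str  # "pcs", "operator", "mechanical" or "sis"


@dataclass
class Scenario:
    description: str
    impact_category: int
    f_ie: float                  # Step 4: initiating event frequency, /year
    time_at_risk: float = 1.0    # Step 4: enabling-event fraction of time at risk
    ipls: list = field(default_factory=list)  # Step 5: credited IPLs
    p_ignition: float = 1.0      # Step 6: conditional modifiers
    occupancy: float = 1.0
    p_avoid: float = 1.0


def check_ipl_credits(s: Scenario) -> list:
    """Double-counting rules from the Step 5 and Step 6 slides."""
    problems = []
    pcs = [i for i in s.ipls if i.kind == "pcs"]
    if len(pcs) > 1:
        problems.append("PCS counted twice as IPL")
    if any(i.pfd < 0.1 for i in pcs):
        problems.append("PCS PFD below 0.1 needs a PCS designed to IEC 61511")
    operator = [i for i in s.ipls if i.kind == "operator"]
    if len(operator) > 1 or (operator and s.p_avoid < 1.0):
        problems.append("operator intervention counted twice (alarm response and P_avoid)")
    return problems


def scenario_frequency(s: Scenario) -> float:
    """Step 7: f_scenario = f_ie * PFD_IPL1 * ... * PFD_IPLn * P_ignition * P_person_present."""
    f = s.f_ie * s.time_at_risk
    for ipl in s.ipls:
        f *= ipl.pfd
    p_person_present = s.occupancy * s.p_avoid
    return f * s.p_ignition * p_person_present


def required_rrf(s: Scenario) -> float:
    """Step 7: RRF = f_scenario / TTC; <= 1 passes LOPA, > 1 needs risk reduction."""
    return scenario_frequency(s) / TTC[s.impact_category]


def allocate_sil(rrf: float):
    """Step 8: smallest SIL whose band covers the required RRF.
    Returns 0 when the scenario passes LOPA and None when no single SIS reaches it
    (the flowchart's SIL4-by-single-SIS / dispensation branch)."""
    if rrf <= 1.0:
        return 0
    for sil, max_rrf in SIL_MAX_RRF:
        if rrf <= max_rrf:
            return sil
    return None


def worksheet(s: Scenario) -> dict:
    """One worksheet row: frequency, RRF, allocated SIL and any credit problems."""
    rrf = required_rrf(s)
    return {"scenario": s.description, "f_scenario": scenario_frequency(s),
            "ttc": TTC[s.impact_category], "rrf": rrf,
            "sil": allocate_sil(rrf), "problems": check_ipl_credits(s)}


# Constructed scenario: control loop failure (1E-01/yr from the Step 4 table)
# leading to a massive gas release with fire (P_ignition 0.3 from the Step 6
# table); catastrophic impact (category 8); frequent occupancy (1).
OPERATOR_ALARM = IPL("Operator response to alarm (15-20 min)", 0.1, "operator")
PSV = IPL("PSV fail to open, clean service", 0.01, "mechanical")

BEFORE = Scenario("Overpressure, PSV not creditable (fouling service)", 8, 0.1,
                  ipls=[OPERATOR_ALARM], p_ignition=0.3, occupancy=1.0)
# Step 9: a non-SIS IPL (a PSV in clean service) is preferred before a SIF and
# lowers the SIL demanded of the remaining gap.
AFTER = Scenario("Overpressure, PSV creditable", 8, 0.1,
                 ipls=[OPERATOR_ALARM, PSV], p_ignition=0.3, occupancy=1.0)

if __name__ == "__main__":
    for row in (worksheet(BEFORE), worksheet(AFTER)):
        print(row)
```

    With the constructed numbers the first row gives f_scenario = 3E-03/yr against a TTC of 1E-06/yr, an RRF of 3000 and a SIL 3 gap; crediting the PSV drops the RRF to 30, a SIL 1 gap, which is the Step 9 point that a redesign or non-SIS IPL should be tried before specifying a high-SIL SIF.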

    41/47

    SIL Allocation & SIL Verification

    [Figure: the IEC 61511 lifecycle diagram with SIL allocation and SIL verification mapped onto its phases, as on slide 5.]

    SIL Allocation – set target:
    • Minimum SIL requirements, LOPA, risk graphs, etc.
    • Determine if additional SIS are required and if yes then allocate the target SIL (SIL 1, SIL 2, SIL 3)

    SIL Verification – demonstrate target is met:
    • Design & Engineering: SIL verification calculations (PFD), FMECA, CDD, SAR, Safety Manuals, etc.
    • Address target SIL (fault tolerance, PFD, software req.):
      • Select system technology
      • Configuration / voting
      • Test interval
      • Diagnostic

    42/47

    SIL Allocation – Layer of protection analysis

    Presenter's name: Mathilde Cot
    Presenter's title: Principal Consultant, Safety Technology, CFSE
    [email protected], tel: +47 95785095
    www.statoil.com

    Thank you

    http://www.cfse.org/

  • 8/20/2019 MECot Fastsetting Av SIL Krav2

    43/47

    Special cases handling

    • Global Safety Instrumented Systems for consequence mitigation
      ESD, F&G, emergency depressurization or dumping system, fire water, etc.
      The release and the events that follow it cannot be interrupted by a mitigation SIS.
      The severity is reduced, but residual consequences remain even if the mitigation SIS is successful (e.g. large uncontrolled fire vs. controlled fire; escalation avoided).

    [Figure: bow-tie diagram. Left side (CAUSES, PREVENTION: "terminate the chain of events, reduce frequency"): Initiating Event 1, Initiating Event 2 and Initiating Event 3 pass through the protection layers BPCS, operator response to alarm from the monitoring system, SIS and PSV before reaching the TOP EVENT, e.g. loss of containment. Right side (CONSEQUENCES, MITIGATION & RECOVERY: "reduce consequence severity"): ignition control, ESD and fire water branch the top event into Consequence A, Consequence B, Consequence C, Consequence D or no consequence.]

    Large uncontrolled fire: PFD*TTC. Controlled fire: 1*TTC. Same protection gap?
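The bow-tie above is easiest to follow with numbers. The block below is an added worked example, not part of Mathilde Cot's slides: a LOPA-style frequency calculation for one loss-of-containment scenario, with the fire-water mitigation SIS modelled the way the slide describes it, as a layer that splits the fire frequency into a controlled and an uncontrolled branch instead of terminating the chain. It then shows the two ways of closing the protection gap (a prevention SIF upstream of the top event, or a target on the mitigation SIS itself), which is the risk-based treatment the following slide contrasts with the preferred deterministic approach. Every initiating-event frequency, IPL PFD, ignition probability and tolerable frequency is a constructed illustration value; the dataclass and function names are mine.

```python
"""Added worked example (not from the presentation): LOPA-style frequency
calculation for a bow-tie with prevention IPLs and a mitigation SIS."""
import math
from dataclasses import dataclass, field

# Demand-mode SIL bands by required average PFD (IEC 61511-1 table):
# (SIL, PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


@dataclass
class InitiatingEvent:
    name: str
    frequency: float                               # demands per year
    ipl_pfds: dict = field(default_factory=dict)   # IPL name -> PFD credited

    def residual_frequency(self) -> float:
        """f_IE times the PFD of every independent layer on this path."""
        return self.frequency * math.prod(self.ipl_pfds.values())


def top_event_frequency(events) -> float:
    """Prevention side of the bow-tie: sum over all initiating events."""
    return sum(e.residual_frequency() for e in events)


def mitigation_split(frequency: float, pfd_mitigation: float):
    """A mitigation SIS (fire water, ESD) does not stop the top event; it
    splits its frequency into (mitigation worked, mitigation failed)."""
    return frequency * (1.0 - pfd_mitigation), frequency * pfd_mitigation


def required_pfd(frequency: float, tolerable: float):
    """PFD an additional SIF must reach so that frequency <= tolerable.
    None when the tolerable frequency is already met (no gap)."""
    return None if frequency <= tolerable else tolerable / frequency


def sil_for_pfd(pfd) -> int:
    """Map a required PFD to the SIL band that delivers it (0 = no SIL)."""
    if pfd is None or pfd >= 1e-1:
        return 0
    if pfd < 1e-5:
        raise ValueError("beyond SIL 4: design change or several independent SIS")
    return next(sil for sil, lo, hi in SIL_BANDS if lo <= pfd < hi)


def analyse_fire_scenario():
    # Constructed sample data for one loss-of-containment scenario.
    events = [
        InitiatingEvent("BPCS loop failure", 0.1,
                        {"operator response to alarm": 0.1, "PSV": 0.01}),
        InitiatingEvent("pump seal leak", 0.01,
                        {"operator response to alarm": 0.1}),
        InitiatingEvent("external impact", 1e-3),
    ]
    p_ignition = 0.1        # conditional modifier: credit for ignition control
    pfd_fire_water = 0.1    # assumed PFD of the fire-water mitigation SIS
    tolerable = {"controlled fire": 1e-3, "uncontrolled fire": 1e-6}  # per year

    f_top = top_event_frequency(events)
    f_fire = f_top * p_ignition
    f_controlled, f_uncontrolled = mitigation_split(f_fire, pfd_fire_water)

    # Option A: a prevention SIF upstream of the top event. It reduces both
    # branches by the same factor, so the target is set by the worst gap.
    gaps = {
        "controlled fire": required_pfd(f_controlled, tolerable["controlled fire"]),
        "uncontrolled fire": required_pfd(f_uncontrolled, tolerable["uncontrolled fire"]),
    }
    prevention_sif_sil = max(sil_for_pfd(g) for g in gaps.values())

    # Option B: put the target on the mitigation SIS itself. Its PFD only
    # governs how much of the fire frequency ends up in the uncontrolled branch.
    mitigation_sil = sil_for_pfd(required_pfd(f_fire, tolerable["uncontrolled fire"]))

    return {"f_top": f_top, "f_controlled": f_controlled,
            "f_uncontrolled": f_uncontrolled, "gaps": gaps,
            "prevention_sif_sil": prevention_sif_sil,
            "mitigation_sil": mitigation_sil}


if __name__ == "__main__":
    for key, value in analyse_fire_scenario().items():
        print(f"{key}: {value}")
```

With these constructed numbers the two branches do not have the same gap: the controlled fire is already below its tolerable frequency, the uncontrolled one is not. Closing that gap with a prevention SIF needs roughly SIL 1, whereas putting the same tolerable frequency on the fire-water SIS forces SIL 2 on it, because only the branch where it fails counts against the target. That dependence on how the tolerable frequency is split between outcomes is why the deck prefers a deterministic requirement for global mitigation SIS.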


    Special cases handling

    • Global Safety Instrumented Systems for consequence mitigation
      Preferred approach: deterministic
      Divide the global SIS into
      • a Detection SIS (an incomplete safety instrumented system, delivering the input signal)
      • an Action SIS (an incomplete safety instrumented system, driven by the output signal)

    [Figure, shown twice on the slide: sensors S1, S2 and S3 form the Detection SIS; their input signal goes to the PLC safety logigram, whose output signal drives the Action SIS with valves V1 and V2.]


    Special cases handling

    • Safety-related parts of control systems for machinery

    • SIS in process under patented license

    • Permissive safety function

    • Staggered safety functions

    • Overpressure protection via SIS


    LOPA - Limitations

    • Simplified risk assessment. SIL 3 with no TES and SIL 4 (implemented by independent SIS) shall be further assessed by a quantitative method.
    • Components shared between the IE and candidate IPLs: no independence.
    • Several independent SIS with the same functionality and the possibility of common cause failures.
    • Complex scenario sequences.

    [Figure: SIF determination and SIL allocation flowchart; the nodes and decision points are listed as far as they can be recovered from the slide.
    Inputs: plant facilities and safety conceptual strategies / philosophies; design and operating principles / performance standards / acceptance criteria; plant design development input (e.g. process conditions, P&ID, C&E, FDS, etc.).
    • Risk assessment / Process Hazard Analysis (PHA) / IPL definition (e.g. HAZOP).
    • For each scenario, SIF determination and SIL allocation with a simplified risk analysis technique (e.g. LOPA, risk graph).
    • Decision: SIL 4, or SIL 3 with no TES? (YES / NO)
    • Decision: design change or other non-SIS IPL possible? YES: evaluate the other non-SIS IPL or design change.
    • Decision: SIL 1, SIL 2, SIL 3 or SIL 4 by multiple SIS? (YES / NO)
    • Decision: SIL 1, SIL 2 or SIL 3 with TES where further assessment is needed?
    • Quantitative risk assessment for the dedicated scenario.
    • Decision: SIL 4 required by a single SIS? YES: apply for dispensation to TR2041.
    • Complete SIL allocation for each SIF and reporting; output to the SRS, CDD, etc.]


    Step 2 – Identification of SIF

    • Design intent
    • Safe state
    • Demand mode vs. continuous mode of operation (IEC 61511-1 definitions)

    Demand mode: where a specified action (e.g. closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the SIF, a potential hazard only occurs in the event of a failure in the process or the PCS. Measure: PFD (average probability of failure on demand).

    Continuous mode: where, in the event of a dangerous failure of the safety instrumented function, a potential hazard will occur without further failure unless action is taken to prevent it. Measure: PFH (probability of dangerous failure per hour).

    A SIF operates in continuous mode when the frequency of demands for operation on the SIF is more than once per year or more than twice the SIF proof test frequency.
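The mode-of-operation rule above decides which figure the "demonstrate target is met" step of the SIL Allocation slide has to produce, and the knobs listed there (voting, test interval, diagnostics) all enter that figure. The block below is an added example, not code from the presentation, that ties the two together: it classifies a SIF from its demand rate and proof-test interval, then computes PFDavg (demand mode) or PFH (continuous mode) for 1oo1 and 1oo2 architectures and compares the result with the allocated target. The formulas are the IEC 61508-6 simplified expressions with repair time set to zero, only dangerous undetected failures counted and a beta-factor common-cause term; the failure rates, diagnostic coverage, beta and demand rates are constructed values and the `Channel` class and function names are mine.

```python
"""Added worked example (not from the presentation): mode-of-operation
classification followed by the matching SIL verification figure."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# (SIL, lower bound inclusive, upper bound exclusive) per IEC 61511-1
PFD_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
PFH_BANDS = ((4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))


def mode_of_operation(demands_per_year: float, proof_test_interval_years: float) -> str:
    """Demand mode only if demands are at most once per year AND at most
    twice the proof-test frequency; otherwise the SIF is in continuous mode."""
    proof_tests_per_year = 1.0 / proof_test_interval_years
    if demands_per_year > 1.0 or demands_per_year > 2.0 * proof_tests_per_year:
        return "continuous"
    return "demand"


@dataclass(frozen=True)
class Channel:
    lambda_d: float              # dangerous failure rate per hour (constructed)
    diagnostic_coverage: float   # share of dangerous failures revealed by diagnostics

    @property
    def lambda_du(self) -> float:
        """Dangerous undetected rate: only these failures wait for a proof test."""
        return self.lambda_d * (1.0 - self.diagnostic_coverage)


def pfd_avg(ch: Channel, voting: str, proof_test_interval_years: float,
            beta: float = 0.1) -> float:
    """Average PFD over the proof-test interval T (in hours).
    1oo1: lambda_DU * T / 2
    1oo2: ((1-beta) * lambda_DU)^2 * T^2 / 3 + beta * lambda_DU * T / 2"""
    t = proof_test_interval_years * HOURS_PER_YEAR
    if voting == "1oo1":
        return ch.lambda_du * t / 2.0
    if voting == "1oo2":
        independent = (1.0 - beta) * ch.lambda_du
        return (independent * t) ** 2 / 3.0 + beta * ch.lambda_du * t / 2.0
    raise ValueError(f"unsupported voting {voting!r}")


def pfh(ch: Channel, voting: str, proof_test_interval_years: float,
        beta: float = 0.1) -> float:
    """Probability of dangerous failure per hour (continuous mode).
    1oo1: lambda_DU
    1oo2: ((1-beta) * lambda_DU)^2 * T + beta * lambda_DU"""
    t = proof_test_interval_years * HOURS_PER_YEAR
    if voting == "1oo1":
        return ch.lambda_du
    if voting == "1oo2":
        independent = (1.0 - beta) * ch.lambda_du
        return independent ** 2 * t + beta * ch.lambda_du
    raise ValueError(f"unsupported voting {voting!r}")


def sil_from_measure(value: float, bands) -> int:
    """Band lookup; 0 means the figure does not even reach SIL 1. The standard
    defines no band below the SIL 4 range, so smaller values report as SIL 4."""
    if value >= bands[-1][2]:
        return 0
    if value < bands[0][1]:
        return 4
    return next(sil for sil, lo, hi in bands if lo <= value < hi)


def verify_sif(ch: Channel, voting: str, demands_per_year: float,
               proof_test_interval_years: float, target_sil: int, beta: float = 0.1):
    """Pick the measure from the mode of operation, compute it and compare the
    achieved band with the allocated target SIL (random-hardware part only)."""
    mode = mode_of_operation(demands_per_year, proof_test_interval_years)
    if mode == "demand":
        measure, value = "PFDavg", pfd_avg(ch, voting, proof_test_interval_years, beta)
        achieved = sil_from_measure(value, PFD_BANDS)
    else:
        measure, value = "PFH", pfh(ch, voting, proof_test_interval_years, beta)
        achieved = sil_from_measure(value, PFH_BANDS)
    return {"mode": mode, "measure": measure, "value": value,
            "achieved_sil": achieved, "meets_target": achieved >= target_sil}


if __name__ == "__main__":
    # Constructed final element: lambda_D = 2e-6 /h with 60 % diagnostic coverage.
    valve = Channel(lambda_d=2e-6, diagnostic_coverage=0.6)
    for voting, demands in (("1oo1", 0.1), ("1oo2", 0.1), ("1oo1", 5.0), ("1oo2", 5.0)):
        print(voting, demands, verify_sif(valve, voting, demands, 1.0, target_sil=3))
```

Two things the numbers show that the slide only names. First, with the same hardware the mode decides the outcome: at 0.1 demands per year the 1oo1 element is verified against PFDavg and lands in SIL 2, at 5 demands per year it is verified against PFH and the same element lands in SIL 2 for a different reason, so the proof-test interval no longer helps it. Second, going to 1oo2 reaches SIL 3 in both modes, but the beta term supplies almost all of the 1oo2 figure (about 3.5e-4 of 3.6e-4 for PFDavg), so the common-cause factor, not the second channel, is what the SIL 3 claim rests on. The figure is only the random-hardware part of the verification; hardware fault tolerance and systematic capability (the "fault tolerance" and "software requirements" items on the lifecycle slide) still have to be met separately.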