MECot – Determination of SIL Requirements 2
TRANSCRIPT
8/20/2019 MECot Fastsetting Av SIL Krav2
1/47
SIL Allocation
- Deterministic vs. risk-based approach
- Layer of Protection Analysis (LOPA) overview
2012-03-07
Origin and causes of accidents involving control system failure
- 44% Specification
- 15% Design and implementation
- 6% Installation and start-up
- 15% Maintenance and operation
- 20% Changes after start-up
Ref: "Out of Control: Why control systems go wrong and how to prevent failure", published by UK HSE
SIS Safety Lifecycle, IEC 61511
[Figure: IEC 61511 safety lifecycle. Main phases: 1 Assessment of hazards and risks; 2 Allocation of the safety functions to the protection layers; 3 Specification of the safety requirements for the safety instrumented system; 4 Design and engineering of the safety instrumented system, alongside design and development of other means of reducing risk; 5 Installation, reception and validation; 6 Operation and maintenance; 7 Modification; 8 Decommissioning. Running in parallel with all phases: 9 Management of functional safety and assessment and audit of functional safety; 10 Structure and planning of the safety life cycle; 11 Verification.]
SIL Allocation in the IEC 61511 Safety Lifecycle
[Figure: the IEC 61511 safety lifecycle diagram from the previous slide, annotated to show where SIL allocation sits in the lifecycle.]
SIL Allocation & SIL Verification
[Figure: two copies of the IEC 61511 lifecycle diagram, one marking the SIL allocation phases (set target) and one marking the design & engineering / SIL verification phases (demonstrate that the target is met).]
SIL Allocation – set target: minimum SIL requirements, LOPA, risk graphs, etc.
• Determine if additional SIF are required and, if yes, allocate the target SIL
Design & Engineering – SIL Verification – demonstrate that the target is met: SIL verification calculations (PFD), FMECA, SAR, safety manuals, etc.
• Address the target SIL (fault tolerance & PFD)
  • Select system technology
  • Configuration / voting
  • Test interval
  • Diagnostics
SIL Allocation – The two approaches
Deterministic: ISO10418, OLF070
Risk-based: LOPA, risk graph, QRA
SIL Allocation – Deterministic approach
1. Design in accordance with process industry standards
   ISO10418, API RP14C for offshore installations; NFPA 85, 86, API RP556 for various types of fired equipment; etc.
• Prescriptive recommendations for protective measures
• Based on experience and recognized practice
• Acceptable level of safety achieved (refers to clearly defined hazards and standardized behaviour of safety systems and barriers)
SIL Allocation – Deterministic approach
2. Allocate SIL based on predetermined requirements
   Minimum SIL requirements: OLF070 Application of IEC in the Norwegian Petroleum Industry; company governing documentation
• The minimum SIL requirement is derived from the expected reliability (PFD) of typical SISs, i.e. achievable by standard solutions considered good industry practice
• Not based on the required risk reduction conforming to specific RTC
• Enforces quality requirements in the SIS design, installation and operation
SIL Allocation – The two approaches
Deterministic: ISO10418, OLF070, TES
Risk-based: LOPA, risk graph, QRA
The safety 'onion' – Integrated approach
[Figure: concentric protection layers, from the inside out: process design; basic controls, process alarms, and operator supervision; critical alarms, operator supervision, and manual intervention; automatic action SIS or ESD; physical protection (relief devices); physical protection (dikes); plant emergency response; community emergency response. The SIS layer is one of the independent protection layers.]
Alternative view – protecting by multiple protection layers
[Figure: process level versus time, showing the normal level, the high level alarm (operator takes action) and the trip set point (SIS action) between the low level and high level limits; one PT feeds the PCS and a separate PT feeds the PSD logic.]
Reducing risks with protection layers
[Figure: risk (frequency) along an increasing-risk axis: initial risk; required risk reduction down to the risk tolerance criteria; achieved risk reduction made up of external risk reduction, risk reduction by other technologies and risk reduction by SIS; remaining risk. Where the achieved reduction falls short of the target: missing adequate barriers?]
Closing the safety gap between risk and target
Applicability of risk assessment methods for risk judgements

Technique                                                                                              | Applicability to simple issues | Applicability to complex issues
Qualitative analysis: HAZOP, What if (100% of scenarios are analysed using qualitative methods)         | Good                           | Poor to okay for risk judgment
Simplified-quantitative or semi-qualitative analysis: LOPA, Risk Graph (1-5% of scenarios, 100% of SIF) | Good                           | Usually good
Quantitative analysis: ETA, FTA, QRA                                                                   | Overkill                       | Good
SIL Allocation process (risk-based)
[Figure: flowchart of the risk-based SIL allocation process. Inputs: plant facilities & safety conceptual strategies / philosophies; design & operating principles / performance standards / acceptance criteria; plant design development input (e.g. process conditions, P&ID, C&E, FDS, etc.). Qualitative: risk assessment / process hazard analysis (PHA) / IPL definition (e.g. HAZOP). Semi-qualitative and simplified-quantitative: for each scenario, SIF determination & SIL allocation with a simplified risk analysis technique (e.g. LOPA, risk graph). Decisions: SIL1, SIL2 or SIL3 with TES where further assessment is needed? If yes, quantitative risk assessment for the dedicated scenario (GALE). SIL4, or SIL3 with no TES? If yes: is a design change or other non-SIS IPL possible? If yes, evaluate the other non-SIS IPL or design change and repeat; if no: SIL1, SIL2, SIL3 or SIL4 by multiple SIS? If SIL4 is required by a single SIS, apply for dispensation to TR2041. Output: complete SIL allocation for each SIF & reporting (SRS, CDD, SAR, etc.).]
LOPA – Layer of Protection Analysis
• Multidiscipline team exercise, immediately after HAZOP (1w/m)
• Good synergy with HAZOP (cause, consequence, safeguards)
• Simple rules (reproducible), order of magnitude of the risk
• Barrier/protection layer analysis methodology
• Focus on Safety Instrumented Systems
• Will also address credit for other safety related systems
• Identification of the required and expected performance of critical systems
• Closes the gap between 'expected' system performance and the required 'risk tolerance'
• Determines the Safety Integrity Level (SIL) of the 'gap'
• Can be an entry point to QRA
LOPA – Can address the following
• Does my system (planned or actual) ensure my criteria are met?
• Do I need an additional Safety Instrumented System?
• Are there alternatives?
LOPA – References and applicability in the industry
• IEC 61511 – LOPA will meet requirements (Part 3, Annex F)
• AIChE endorsement
• Risk-based approach common in the downstream industry, especially for PSD
• LOPA often used in the Americas; Europe often uses risk graphs
• Some O&G companies have developed their own software / spreadsheets
http://www.amazon.com/gp/reader/0816908117/ref=sib_dp_pt/190-8041986-6626733
LOPA – Procedure
Step 1: Establish TTC
Step 2: Preliminary selection of scenarios
Step 3: Evaluate impact severity on safety, environment and assets
Step 4: Determine IE frequency
Step 5: Identify IPLs and select the probability of failure
Step 6: Identify conditional modifiers and select the probability
Step 7: Evaluate scenario frequency and compare with TTC
Step 8: Identify SIF and allocate SIL
Step 9: Evaluate need for other non-SIS IPL or redesign
Step 10: Evaluate consequences of spurious failure
Step 11: Reporting
Step 1 – Establish Target Tolerance Criteria (TTC)
[Figure: risk matrix of impact level (1-8) versus frequency level (1-8).]
Frequency level (/year): 1: < 1E-4; 2: 1E-4 – 1E-3; 3: 1E-3 – 0.01; 4: 0.01 – 0.05; 5: 0.05 – 0.3; 6: 0.3 – 0.7; 7: 0.7 – 1.4; 8: > 1.4

Category         | Target Tolerance Criteria
8 / Catastrophic | 1E-6 per year
7 / Major        | 1E-5 per year
6 / Severe       | 1E-4 per year
5 / Serious      | 1E-3 per year
4 / Moderate     | 1E-2 per year
Step 1 – Establish TTC
• The criteria are dependent on the numbers used for initiating events, risk reduction factors etc.
• Economic impact should include the total loss:
  • Demolition cost
  • Installed equipment costs (x3 purchase price)
  • Cost of business interruption (value of product that cannot be shipped out, not cost of lost production)
• Corporate TTC should be used as the basis to establish the locally applicable TTC
Step 2 – Preliminary selection of scenarios/SIFs
• Scenarios/SIFs identified from C&E, interlock narratives and P&IDs
• Additional scenarios where a SIF is recommended for evaluation (e.g. identified during HAZID, HAZOP or other project/facility review)
• High impact severity scenarios (i.e. category 7 and 8 in TTC)
[Figure: example SIF loop: temperature transmitters, a level switch and a flow transmitter as inputs to a logic solver (PLC), with on/off valves (solenoid) and a pump as final elements.]
Step 2 – Identification of scenario
[Figure: bow-tie diagram. Causes (initiating events 1, 2, 3) on the left pass through prevention layers (BPCS, operator response to alarm from the monitoring system, SIS, PSV) that terminate the chain of events and reduce frequency; the top event (e.g. loss of containment) sits in the centre; mitigation & recovery layers (ignition control, ESD, fire water) on the right reduce consequence severity, leading to consequences A, B, C, D or no consequence.]
LOPA scenario: single cause – consequence pair
Step 3 – Evaluate impact severity
• Define the "worst reasonably credible" consequences that result if the chain of events continues without interruption.
• Select the impact severity from the TTC for all categories (people's safety, environment, economic).
(Category / Target Tolerance Criteria table as on the Step 1 slide: 8 Catastrophic 1E-6, 7 Major 1E-5, 6 Severe 1E-4, 5 Serious 1E-3, 4 Moderate 1E-2 per year.)
Step 4 – Determine Initiating Event Frequency (f_ie)
• Identify all possible initiating events, i.e. causes
• Mechanical, instrument or human failures

Mechanical initiating event                          | failure/year
Canned/magnetic drive pump failure                   | 1.00E-02
Compressors, pumps and crane fail                    | 1.00E+00
Control valve failure                                | 1.00E-01
Cooling water failure                                | 1.00E-01
Double mechanical seal pump failure                  | 1.00E-02
Expansion joint fails                                | 1.00E-02
General utility failure                              | 1.00E-01
Heat exch. tube leak, 100 tubes                      | 1.00E-01
Heat exch. tube rupture, 100 tubes                   | 1.00E-02
Loss of cooling                                      | 1.00E-01
Loss of power                                        | 1.00E-01
Manual valve failure                                 | 1.00E+00
Pressure safety valve failure                        | 2.00E-01
Pressure vessel failure, significant release         | 1.00E-05
Pump failure, loss of flow                           | 1.00E-01
Single mechanical seal pump failure                  | 1.00E-01
Unloading/loading hose failure                       | 1.00E-01

Instrument initiating event                          | failure/year
BPCS instrument loop failure                         | 1.00E-01
BPCS sensor failure                                  | 1.00E-01
Control loop failure                                 | 1.00E-01
Loss of instrument air                               | 1.00E-01

Human initiating event                               | failure/year
3rd party intervention                               | 1.00E-02
Human error in a non-routine, low stress task        | 1.00E-01
Human error in a routine, once per day opportunity   | 1.00E+00
Human error in a routine, once per month opportunity | 1.00E-01
Operator failure, action more than once per quarter  | 1.00E-01

Human error probability for not correctly performing a task, per demand, for various situations:
Stress / Complexity | Simplest | Routine & simple | Routine but requires care | Complicated, non-routine
No stress           | 1E-4     | 1E-3             | 1E-2                      | 0.1
Moderate stress     | 1E-3     | 1E-2             | 5E-2                      | 0.3
High stress         | 1E-2     | 1E-1 – 1.0       | 0.25 – 1.0                | 1.0
Step 4 – Determine Initiating Event Frequency (f_ie)
• Enabling event, e.g. adjust to the "time at risk", i.e. multiply f_ie by the fraction of time during which the risk is present
• SIF operating in continuous mode of operation: f_ie = PFD*2
Step 5 – Identify IPLs and select probability of failures
Essential requirements
• Specific: detect, decide and deflect
• Effective: big enough, fast enough, strong enough, smart enough
• Independent: its performance must not be affected by other protection layers and must be independent of the events causing the accident
• Reliable: the protection given by the IPL reduces the risk by a known and specific quantity
• Auditable: it must allow periodic checks and tests of the protection function
All IPLs are protection layers, but not all protection layers are IPLs
Step 5 – Identify IPLs and select probability of failures
• Process design – inherent safety in design
  − Initial risk, not an IPL
  − Minimize, substitute, moderate, simplify
• Process control system
  − Actions to return the process to within the normal operating envelope (e.g. minimum flow control)
  − Process shutdown (shadowing the SIS in the PCS)
  − Alarms (+ operator response)
Step 5 – Identify IPLs and select probability of failures
• Process control system
  − Maximum PFD claimed 0.1 if independent of the initiating events and other IPLs
  − If the initiating event is caused by a PCS control loop failure, the PCS can be considered an IPL if:
    • sensors, I/O cards and final elements are independent
    • the logic controller is designed with a high level of reliability by reference to recognized industry standards (e.g. redundant CPUs)
  − A PFD lower than 0.1 requires that the PCS is designed according to IEC 61511
  − The PCS cannot be credited twice as an IPL
[Figure: two loops through the same logic controller: sensor 1 – input 1 – logic controller – output 1 – final element 1 (the IE loop) and sensor 2 – input 2 – logic controller – output 2 – final element 2 (the IPL loop).]
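The independence rules above can be applied mechanically. The following is an added example (not part of the original slides) that encodes them as a check: shared field components between the initiating-event loop and the candidate IPL rule the credit out, an IE caused by a PCS loop failure additionally requires a high-reliability logic controller, a claim below 0.1 is capped unless the PCS is designed to IEC 61511, and the PCS is never credited twice. The loop tags (LT-101, AI-01, LV-101 and so on) are constructed.

```python
"""Step 5 check: may the process control system (PCS) be credited as an IPL?

Added example implementing the slide's rules; loop tags are constructed.
"""
from dataclasses import dataclass

PCS_MAX_PFD = 0.1   # maximum PFD claimable for a PCS layer without IEC 61511 design


@dataclass(frozen=True)
class Loop:
    """Hardware making up an initiating-event loop or a candidate IPL."""
    sensors: frozenset
    io_cards: frozenset
    final_elements: frozenset
    logic_solver: str


def shared_components(ie, ipl):
    """Field components common to the initiating event and the candidate IPL."""
    return ((ie.sensors & ipl.sensors) | (ie.io_cards & ipl.io_cards)
            | (ie.final_elements & ipl.final_elements))


def pcs_ipl_credit(ie, ipl, ie_is_pcs_loop_failure, logic_solver_high_reliability,
                   iec61511_design, claimed_pfd, pcs_already_credited):
    """Return (pfd_credit, reason); pfd_credit is None when no credit may be taken."""
    if pcs_already_credited:
        return None, "PCS already credited once in this scenario"
    shared = shared_components(ie, ipl)
    if shared:
        return None, f"shares {sorted(shared)} with the initiating event: not independent"
    if ie_is_pcs_loop_failure and not logic_solver_high_reliability:
        return None, "IE is a PCS loop failure and the logic controller is not of high reliability"
    if claimed_pfd < PCS_MAX_PFD and not iec61511_design:
        # the claim is capped, not refused: 0.1 is allowed for an independent PCS layer
        return PCS_MAX_PFD, f"PFD capped at {PCS_MAX_PFD}: a lower claim requires IEC 61511 design"
    return claimed_pfd, "credited as IPL"


# Constructed tags: a level control loop as initiating event, and two candidate
# high-level trips in the same PCS, one with its own field devices and one
# sharing the transmitter with the control loop.
LIC_LOOP = Loop(frozenset({"LT-101"}), frozenset({"AI-01"}), frozenset({"LV-101"}), "PCS-1")
LAH_LOOP_INDEP = Loop(frozenset({"LT-102"}), frozenset({"AI-07"}), frozenset({"XV-102"}), "PCS-1")
LAH_LOOP_SHARED = Loop(frozenset({"LT-101"}), frozenset({"AI-07"}), frozenset({"XV-102"}), "PCS-1")

if __name__ == "__main__":
    for label, ipl in (("independent trip", LAH_LOOP_INDEP), ("shared transmitter", LAH_LOOP_SHARED)):
        credit, why = pcs_ipl_credit(LIC_LOOP, ipl, True, True, False, 0.1, False)
        print(f"{label}: credit={credit} ({why})")
```

The check is deliberately conservative in the direction the slide takes: independence is decided on the field components, and the logic-controller reliability question only arises when the initiating event itself is a PCS loop failure.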
Step 5 – Identify IPLs and select probability of failures
• PCS supervision & alarms – human intervention
  − Direct connection between the alarm, which indicates the event, and the measures to be taken by staff to avoid the event
  − Safety alarms requiring intervention should be prioritized, with configuration access restricted
  − Time needed vs. time available due to process dynamics: alarm processing, limited troubleshooting, deciding the action, triggering the action and getting it to be effective. Minimum 15-20 min if automatic; minimum 30 min to 1 h if manual local action
  − Written procedure in use, training
[Figure: timeline from the PCS pre-alarm set point through the SIS trip point to the top event (e.g. loss of integrity) and the final consequences, showing the time available for the operator to take action and the process safety time.]
Step 5 – Identify IPLs and select probability of failures
• Preventive SIS (PSD)
• Mitigation SIS
  − ESD, F&G, emergency depressurization or dumping system, fire water, etc.
  − Have a role in risk reduction but should not be considered IPLs for the evaluation of a preventive SIF (PSD) with LOPA. The objective is to prevent the scenario without relying on the mitigation SIS (residual consequences even if successful). May be given credit in QRA.
  − Design against the scenario shall be demonstrated, the claimed reliability shall be demonstrated, with appropriate maintenance and testing.
Step 5 – Identify IPLs and select probability of failures
• Mechanical mitigation system
  − PSV and rupture disk: depends on the SIF design intent, i.e. in lieu of a PSV or in addition, e.g. to limit the release to the disposal system. Does the PSV fulfil the 3E? Is the release damaging? Fouling service?
  − Check valve: IPL, with restrictions on service and technology; frequent testing required
  − Flame arrestor (in line): can be an IPL. Design against deflagration will not prevent detonation; testing
  − Explosion doors: not an IPL. Can be considered for selection of a lower impact severity. Design must be checked against the explosion load
  − Excess flow valves: mitigation, generally not an IPL
Step 5 – Identify IPLs and select probability of failures
• Post-release physical protection (passive)
  − Dike, fire wall, passive fire protection, collision protection
  − Should not be considered IPLs for the evaluation of a preventive SIF with LOPA. May be given credit in QRA. Design against the scenario shall be demonstrated, with appropriate maintenance
• Emergency response (evacuation and rescue)
  − Relying on evacuation and rescue is the last resort. No credit for risk reduction shall be granted as an IPL. Considered in the selection of the conditional modifier (probability of personnel present)
Step 5 – Identify IPLs and select probability of failures

Independent protection layer                              | PFD
Single check valve in clean liquid service                | 2.00E-01
Single check valve in gas service                         | 1.00E+00
Two check valves in series in clean gas or liquid service | 2.00E-02
Process safety valve fails to open, clean service         | 1.00E-02
Control loop / PCS                                        | 1.00E-01
Explosion doors                                           | 1.00E+00
Flame arrestor                                            | 1.00E-01
Operator response to alarm (15-20 minutes)                | 1.00E-01
Step 6 – Conditional modifiers
• Probability of ignition for a flammable release (P_ignition)
• Probability that personnel are present at the time of the hazardous event (P_person present) = occupancy × probability to avoid the hazardous event once the SIS has failed
• Probability of death (vulnerability): not taken into account (conservative but simpler)

Ignition probability modifier      | Probability
Gas major (1-50 kg/s), explosion   | 8.40E-03
Gas major (1-50 kg/s), fire        | 7.00E-02
Gas massive (>50 kg/s), explosion  | 9.00E-02
Gas massive (>50 kg/s), fire       | 3.00E-01
Gas minor (50 kg/s), fire          | 8.00E-02
Liquid minor (…)                   |
Step 6 – Conditional modifiers
− Occupancy
0.1: Rare to occasional exposure in the hazardous zone (exposure time less than 10%). Most continuous process plants will have only occasional exposure. This would be the default choice for normal operation and when something goes spontaneously wrong.
1: Frequent to permanent exposure in the hazardous zone (exposure time more than 10%). Most continuous process plants will have troubleshooting, testing and maintenance activities upon certain alarms. This can mean that several people are exposed to a hazard when it happens. The correct action for hazardous work and when something goes wrong is to evacuate the premises as much as possible (ARCO 1989 tank explosion). Consider specific scenarios during shut-down or start-up with almost permanent exposure (e.g. lighting of fired heaters). Batch plants and semi-batch plants often require semi-continuous human supervision.
Step 6 – Conditional modifiers
− Probability to avoid the hazardous event once the SIS has failed
1: Almost impossible to avoid the hazard; this is the default probability. Credit for using personal protective equipment to avert a hazard should not be taken unless it is certain that the personal protective equipment will actually be worn. Usually, systems are designed on the assumption that the use of such equipment is not absolutely required to achieve a sufficient degree of safety, although it is recognized that it can further improve safety.
0.1: Possible to avoid the hazard under certain conditions; needs strong justification. Should only be selected if all of the following conditions are true:
• Facilities are provided to alert the operator that the SIS has failed
• Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area (e.g. the escape route is obvious and immediate, with no vertical or spiral staircase, no rescue required, etc.)
• The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions
Caution: don't credit the same "operator intervention" twice (e.g. alarm + operator intervention)
Step 7 – Compare scenario frequency with TTC
f_scenario,LOPA = f_ie × PFD_IPL1 × PFD_IPL2 × … × PFD_IPLn × P_ignition × P_person present
RRF = f_scenario,LOPA / TTC
RRF < 1: scenario "passes" LOPA
RRF > 1: risk reduction needed
[Figure: bow-tie diagram as on the Step 2 slide.]
Step 8 – Identify SIF and allocate SIL
Step 9 – Evaluate need for other non-SIS IPL or redesign
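As an added worked example (not part of the original slides), the following Python carries Steps 1, 4, 6, 7, 8 and 9 through for two constructed scenarios. The TTC values, initiating event frequencies, IPL PFDs, ignition probabilities and the occupancy / probability-to-avoid rules are taken from the tables on the preceding slides; the two scenarios themselves are invented, and the mapping of required risk reduction factor to SIL uses the standard IEC 61511 demand-mode bands (RRF 10-100 is SIL 1, 100-1000 SIL 2, 1000-10000 SIL 3, 10000-100000 SIL 4), which the slides show as outcomes but do not list.

```python
"""LOPA worked example covering Steps 1, 4, 6, 7, 8 and 9 of the procedure.

Added example, not from the slides.  TTC values, initiating event frequencies,
IPL PFDs and ignition probabilities come from the slide tables; the scenarios
are constructed and the RRF-to-SIL bands are the standard IEC 61511
demand-mode bands, which the slides do not list.
"""
from dataclasses import dataclass, field
from math import prod

# Step 1 - Target Tolerance Criteria per impact category (events/year), TTC slide
TTC = {8: 1e-6, 7: 1e-5, 6: 1e-4, 5: 1e-3, 4: 1e-2}

# Step 8 - required risk reduction factor -> SIL (assumption: IEC 61511 demand-mode bands)
SIL_BANDS = ((1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000))


def probability_person_present(occupancy, operator_alerted, independent_escape, time_over_1h):
    """Step 6: P_person present = occupancy x P_avoid.

    occupancy is 0.1 (rare to occasional exposure) or 1 (frequent to permanent).
    P_avoid defaults to 1 and may be 0.1 only when all three slide conditions hold.
    """
    if occupancy not in (0.1, 1.0):
        raise ValueError("occupancy must be 0.1 or 1")
    p_avoid = 0.1 if (operator_alerted and independent_escape and time_over_1h) else 1.0
    return occupancy * p_avoid


@dataclass
class Scenario:
    """One cause-consequence pair with its LOPA inputs."""
    name: str
    impact_category: int                          # Step 3: TTC category 4..8
    f_ie: float                                   # Step 4: initiating event frequency (/year)
    time_at_risk: float = 1.0                     # Step 4: enabling-event fraction of time
    ipl_pfd: dict = field(default_factory=dict)   # Step 5: IPL name -> PFD
    p_ignition: float = 1.0                       # Step 6: 1 when the release is not flammable
    p_present: float = 1.0                        # Step 6: probability personnel are present

    def frequency(self):
        """Step 7: f_scenario = f_ie x PFD_IPL1 x ... x PFD_IPLn x P_ignition x P_present."""
        return (self.f_ie * self.time_at_risk * prod(self.ipl_pfd.values())
                * self.p_ignition * self.p_present)

    def rrf_required(self):
        """Step 7: RRF = f_scenario / TTC; below 1 the scenario passes LOPA."""
        return self.frequency() / TTC[self.impact_category]


def allocate_sil(rrf):
    """Step 8: SIL of the gap.  0 when the gap is below the SIL 1 band (RRF < 10)."""
    if rrf < 10:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= rrf < high:
            return sil
    raise ValueError(f"RRF {rrf:.0f} exceeds SIL 4: not achievable by a single SIS")


def evaluate(scenario):
    """Steps 7-9 for one scenario: returns (rrf, sil, recommendation)."""
    rrf = scenario.rrf_required()
    if rrf < 1:
        return rrf, 0, "scenario passes LOPA"
    sil = allocate_sil(rrf)
    if sil == 0:
        return rrf, 0, "gap below SIL 1: close with a non-SIS IPL or design change"
    # Step 9: a SIF is the last resort; design change or a non-SIS IPL come first
    return rrf, sil, f"design change or non-SIS IPL if practicable, otherwise SIF at SIL {sil}"


# Constructed scenario A: separator overpressure after control valve failure, category 7
SCENARIO_A = Scenario(
    name="separator overpressure on control valve failure",
    impact_category=7,
    f_ie=0.1,                                     # control valve failure (Step 4 table)
    ipl_pfd={"PSV, clean service": 0.01,          # Step 5 table
             "operator response to alarm": 0.1},
    p_ignition=0.07,                              # gas major (1-50 kg/s), fire
    p_present=probability_person_present(0.1, True, True, True),
)

# Constructed scenario B: massive release after manual valve failure, category 8
SCENARIO_B = Scenario(
    name="massive gas release on manual valve failure",
    impact_category=8,
    f_ie=1.0,                                     # manual valve failure (Step 4 table)
    ipl_pfd={"operator response to alarm": 0.1,
             "single check valve, clean liquid": 0.2},
    p_ignition=0.3,                               # gas massive (>50 kg/s), fire
    p_present=probability_person_present(1.0, False, False, False),
)

if __name__ == "__main__":
    for s in (SCENARIO_A, SCENARIO_B):
        rrf, sil, advice = evaluate(s)
        print(f"{s.name}: f = {s.frequency():.2e}/yr, RRF = {rrf:.3g}, SIL {sil}: {advice}")
```

Scenario A lands at RRF ≈ 0.007 and passes; scenario B, with only the operator response and a single check valve in the way, needs an RRF of 6000 and therefore a SIL 3 gap, which Step 9 says should first be attacked by a design change or a non-SIS IPL before a SIF is specified.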
Step 8 – Identify SIF and allocate SIL
[Figure: risk axis from the initial process risk (without IPL) down to the target tolerance criteria and the residual risk (with IPL). Risk reduction achieved by the BPCS, by operator response to alarms, by mechanical devices and by other means; the remaining difference to the target is the risk reduction needed, i.e. the safety gap (SG), which is the risk reduction factor (RRF) required for the SIS.]
Closing the safety gap by SIS
Step 9 – Evaluate need for other non-SIS IPL
• LOPA is focused on the identification of SIF to close the safety gap; it does not necessarily mean that a SIS is needed
• By order of preference:
  • Design the problem out of the process using inherently safe principles
  • Protection by non-SIS protective measures
  • Passive rather than active
• A SIF should be the solution of last resort, when other solutions are not practicable
Step 10 – Evaluate consequences of spurious trip failure
• Spurious failure: a failure triggering the action in an untimely manner
• Consider the need for a 'robust to spurious trip' design (e.g. 2oo3 instead of 1oo2)
• Set a minimum mean time to fail safe requirement (MTTFS = 1/STR)
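To make the MTTFS = 1/STR requirement concrete, the following is an added example (not from the slides) that compares the spurious trip rate of the voting architectures named above. The STR formulas are the usual simplified ones for identical channels with a common repair time and no common-cause term, which is an assumption of this example; the safe failure rate of 0.05 per channel-year and the 8 h repair time are constructed figures.

```python
"""Step 10: spurious trip rate (STR) and mean time to fail safe, MTTFS = 1/STR.

Added example; STR formulas are the simplified identical-channel forms with a
common repair time and no common-cause term (assumption).  Figures constructed.
"""
HOURS_PER_YEAR = 8760.0


def spurious_trip_rate(voting, lambda_s, mttr_hours):
    """STR (/year) for a voting group; lambda_s is the safe failure rate per channel (/year)."""
    mttr_years = mttr_hours / HOURS_PER_YEAR
    if voting == "1oo1":
        return lambda_s
    if voting == "1oo2":              # either channel tripping trips the group
        return 2 * lambda_s
    if voting == "2oo2":              # both channels must trip within one repair time
        return 2 * lambda_s ** 2 * mttr_years
    if voting == "2oo3":              # any two of three within one repair time
        return 6 * lambda_s ** 2 * mttr_years
    raise ValueError(f"unsupported voting {voting}")


def mttfs_years(voting, lambda_s, mttr_hours):
    """Mean time to fail safe in years: MTTFS = 1 / STR."""
    return 1.0 / spurious_trip_rate(voting, lambda_s, mttr_hours)


def meets_mttfs_requirement(voting, lambda_s, mttr_hours, min_mttfs_years):
    """True when the architecture satisfies the minimum MTTFS set in Step 10."""
    return mttfs_years(voting, lambda_s, mttr_hours) >= min_mttfs_years


def least_complex_meeting(candidates, lambda_s, mttr_hours, min_mttfs_years):
    """First architecture, in the given preference order, that meets the minimum MTTFS."""
    for voting in candidates:
        if meets_mttfs_requirement(voting, lambda_s, mttr_hours, min_mttfs_years):
            return voting
    return None


# Constructed figures: 0.05 safe failures per channel-year, 8 h repair time
LAMBDA_S, MTTR_H = 0.05, 8.0

if __name__ == "__main__":
    for v in ("1oo1", "1oo2", "2oo2", "2oo3"):
        print(f"{v}: MTTFS = {mttfs_years(v, LAMBDA_S, MTTR_H):.3g} years")
    print("selected for MTTFS >= 50 years:",
          least_complex_meeting(("1oo1", "1oo2", "2oo3"), LAMBDA_S, MTTR_H, 50.0))
```

The comparison shows the trade-off the slide points at: 1oo2 halves the MTTFS of a single channel, while 2oo3 keeps the dangerous-side redundancy and pushes the MTTFS up by orders of magnitude, at the price of a third channel.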
Step 10 – Reporting. SIL Allocation Report
• Methodology
• Identified IPL listing that is regarded as part of the PCS, e.g. alarm functions requiring operator action
• Identified SIF list and SIL allocation result, with the corresponding SIS
• SIF/SIL allocation worksheet
  All assumptions, uncertainties and sensitivities should be recorded
  Level of detail sufficient to enable a 3rd party to follow/reproduce the evaluation
• Starting point for the Safety Requirement Specification (SRS)
Step 10 – Reporting. SIL Allocation Report
• SIF/SIL allocation worksheet
[Figure: example worksheet, Target Tolerance Criteria = 10^-5/yr.]
SIL Allocation & SIL Verification
SIL Allocation & SIL Verification
[Figure: two copies of the IEC 61511 lifecycle diagram, one marking the SIL allocation phases (set target) and one marking the design & engineering / SIL verification phases (demonstrate that the target is met).]
SIL Allocation – set target: minimum SIL requirements, LOPA, risk graphs, etc.
• Determine if additional SIS are required and, if yes, allocate the target SIL
Design & Engineering – SIL Verification – demonstrate that the target is met: SIL verification calculations (PFD), FMECA, CDD, SAR, safety manuals, etc.
• Address the target SIL (fault tolerance, PFD, software requirements)
  • Select system technology
  • Configuration / voting
  • Test interval
  • Diagnostics
SIL Allocation – Layer of protection analysis
Presenter's name: Mathilde Cot
Presenter's title: Principal Consultant, Safety Technology, CFSE
[email protected], tel: +47 95785095
www.statoil.com
http://www.cfse.org/
Thank you
Special cases handling
• Global safety instrumented systems for consequence mitigation
  ESD, F&G, emergency depressurization or dumping system, fire water, etc.
  Release and other events cannot be interrupted by the mitigation SIS.
  Severity reduction, but residual consequences even if the mitigation SIS is successful (e.g. large uncontrolled fire vs. controlled fire, avoiding escalation)
[Figure: bow-tie diagram as on the Step 2 slide, with the mitigation side annotated: PFD × TTC (large uncontrolled fire); 1 × TTC (controlled fire). Same protection gap?]
Special cases handling
• Global safety instrumented systems for consequence mitigation
  Preferred approach: deterministic
  Divide the global SIS into:
  • Detection SIS
  • Action SIS
[Figure: sensors S1, S2, S3 feed input signals to a PLC safety logigram, whose output signals drive valves V1, V2. The detection SIS (sensors to logic) and the action SIS (logic to final elements) are each an incomplete safety instrumented system.]
Special cases handling
• Safety-related parts of control systems for machinery
• SIS in a process under patented licence
• Permissive safety function
• Staggered safety functions
• Overpressure protection via SIS
LOPA – Limitations
• Simplified risk assessment: SIL 3 with no TES and SIL 4 (implemented by an independent SIS) shall be further assessed by a quantitative method
• Components shared between the IE and candidate IPLs: no independence
• Several independent SIS with the same functionality and the possibility of common cause failures
• Complex scenario sequences
[Figure: the risk-based SIL allocation process flowchart from the "SIL Allocation process (risk-based)" slide.]
Step 2 – Identification of SIF
• Design intent
• Safe state
• Demand mode vs. continuous mode of operation (IEC 61511-1 definitions)
  Demand mode: where a specified action (e.g. closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the SIF, a potential hazard only occurs in the event of a failure in the process or the PCS. (Target measure: PFD)
  Continuous mode: where, in the event of a dangerous failure of the safety instrumented function, a potential hazard will occur without further failure unless action is taken to prevent it. (Target measure: PFH)
  A SIF operates in continuous mode when the frequency of demands for operation on the SIF is more than once per year or more than twice the SIF proof test frequency.
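The mode-of-operation rule above decides which target measure a SIF is verified against. The following is an added example (not from the slides) that applies the quoted IEC 61511-1 rule and then evaluates a single-channel SIF against the matching measure; the 1oo1 formulas (PFD_avg = λ_DU × T / 2, PFH = λ_DU) and the SIL band limits are the standard IEC 61508/61511 ones, which the slides name but do not list, and the failure rate, demand rate and test interval values are constructed.

```python
"""Mode of operation per the IEC 61511-1 definition on the slide, and the matching
target measure: PFD for demand mode, PFH for continuous mode.

Added example; 1oo1 formulas and SIL band limits are the standard IEC 61508/61511
ones (assumption), and the numeric inputs are constructed.
"""
HOURS_PER_YEAR = 8760.0

# SIL bands: sil -> (lower bound inclusive, upper bound exclusive)
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def mode_of_operation(demand_rate_per_year, proof_test_interval_years):
    """Continuous mode when demands exceed once per year or twice the proof test frequency."""
    proof_test_frequency = 1.0 / proof_test_interval_years
    if demand_rate_per_year > 1.0 or demand_rate_per_year > 2.0 * proof_test_frequency:
        return "continuous"
    return "demand"


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_years):
    """Average PFD of a single channel: lambda_DU * T / 2 (simplified, no repair term)."""
    return lambda_du_per_hour * proof_test_interval_years * HOURS_PER_YEAR / 2.0


def pfh_1oo1(lambda_du_per_hour):
    """PFH of a single channel in continuous mode is its dangerous undetected failure rate."""
    return lambda_du_per_hour


def achieved_sil(measure, value):
    """SIL band containing the value, or None when it lies outside the SIL 1-4 bands."""
    bands = PFD_BANDS if measure == "PFD" else PFH_BANDS
    for sil, (low, high) in bands.items():
        if low <= value < high:
            return sil
    return None


def sif_target(demand_rate_per_year, proof_test_interval_years, lambda_du_per_hour):
    """(mode, measure, value, sil) for a 1oo1 SIF with the given demand rate and test interval."""
    mode = mode_of_operation(demand_rate_per_year, proof_test_interval_years)
    if mode == "demand":
        value = pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_years)
        return mode, "PFD", value, achieved_sil("PFD", value)
    value = pfh_1oo1(lambda_du_per_hour)
    return mode, "PFH", value, achieved_sil("PFH", value)


if __name__ == "__main__":
    # Constructed: lambda_DU = 5e-7 /h, yearly proof test, two demand rates
    for demands in (0.1, 2.0):
        print(demands, "demands/yr ->", sif_target(demands, 1.0, 5e-7))
```

Note the second clause of the rule: a SIF seeing 0.9 demands a year is still in continuous mode if it is proof tested only every three years, because 0.9 exceeds twice the proof test frequency of 1/3 per year.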