Methodologies for Risk Analysis, Part 5: SIL (transcript)
Ed. 2008/09
Andrea CARPIGNANO, [email protected]
Risk Assessment / Risk Analysis / Safety and Risk Analysis
POLITECNICO DI TORINO, DIPARTIMENTO DI ENERGETICA
Methodologies - Part 5: Standards IEC 61508 & 61511
Safety Life Cycle in the design of process systems
STANDARD IEC/EN 61508
Functional Safety of Electrical/Electronic/Programmable Electronic
Safety-Related Systems
IEC 61508 is the international standard that sets the general approach
for all the activities of the Safety Life Cycle of E/E/PE (Electrical /
Electronic / Programmable Electronic) systems used to perform safety
functions.
The standard provides a method for deriving the specific safety
requirements of such systems and introduces the Safety Integrity Levels
(SIL) used to express and verify them.
Functional Safety
Functional Safety is the portion of overall safety that depends on a
system or device operating correctly in response to its inputs.
This portion concerns the process and its Basic Process Control System
(BPCS), and it depends on the correct functioning of the Safety
Instrumented System (SIS) and of the other [Independent] Protection
Layers.
Safety Instrumented Functions (SIFs)
A Safety Instrumented Function (SIF) is a safety function, implemented
by a Safety Instrumented System (SIS) alongside the other [Independent]
Protection Layers, that maintains or restores a safe state of the
process with respect to a specific hazardous event; it is demanded when
one or more predetermined conditions are no longer met.
Standard IEC/EN 61508
Recipients of the standard:
- Designers of equipment and "complex" systems
- Designers of components for safety systems
- Designers of software for managing safety systems
[Figure: P&ID sketch of a process vessel, showing the pressure (P), level (L) and high-temperature (T+) measurements and the valves V1 and V2]
Safety Instrumented Systems (SISs)
A Safety Instrumented System (SIS) is a combination of one or more:
- Sensors (e.g. transmitters, switches, detectors, etc.);
- Logic solvers with E/E/PE technology, where:
  E = Electrical (e.g. electromechanical relays)
  E = Electronic (e.g. solid-state logic)
  PE = Programmable Electronic (e.g. PLC);
- Final elements (e.g. solenoids, actuators, valves, etc.);
- Input and output devices (I/O);
- User interfaces;
- Power supplies.
Type A and Type B subsystems
IEC 61508 considers two categories of systems / subsystems.
A system/subsystem is defined as Type A if it meets all of the following
requirements:
- the failure modes of all the constituent components are well defined;
- the behaviour of the system under fault conditions can be determined
  completely and exhaustively;
- there are sufficient field or test data to support the reliability
  data claimed for the different failure modes.
A system/subsystem is defined as Type B if not all of the above criteria
are met.
Typical Type A components, according to the standard, are switches,
relays, solenoid valves, etc. Typical Type B components are
microprocessors and other electronic components that implement complex
logic.
Structure of the Standard IEC/EN 61508
Part 1: General Requirements
Part 2: Requirements for Electrical/Electronic/Programmable Electronic
Safety-Related Systems (E/E/PES)
Part 3: Software Requirements
Part 4: Definitions and Abbreviations
Part 5: Examples of Methods for the Determination of SILs
Part 6: Guidelines on the Application of Parts 2 and 3
Part 7: Overview of Techniques and Measures
Definition of Safety Integrity Level (SIL)
The Safety Integrity Level (SIL) is a discrete level (one out of four),
corresponding to a range of safety integrity values, where SIL 4 is the
highest and SIL 1 is the lowest.
It is a compound requirement: it corresponds to a range of probability
that the SIS performs the safety instrumented function correctly when
demanded, within a stated period of time, and it carries with it defined
technical, architectural, functional and design requirements.
It is important to remark that the SIL is allocated to an independent
Safety Instrumented Function (SIF), which can be implemented by one or
more SISs; it is not allocated directly to a SIS, which instead inherits
the SIL of the SIF it implements.
Safety Life Cycle (I)
The Safety Life Cycle comprises all the activities involved in the
implementation of safety-related systems, over a period of time that
starts at the concept phase of a project and ends when all of the E/E/PE
safety-related systems and other risk reduction measures are no longer
available for use (decommissioning).
Safety Life Cycle (II)
Phase 1: General conception of the functional safety project
Phase 2: Definition of the overall objectives of the functional safety project
Phase 3: Risk analysis
Phase 4: Allocation of the safety functions to the Independent Protection Layers and SIL allocation
Phase 5: Specification of the safety requirements of the SIS (SRS)
Phase 6: Design and engineering of the SIS and SIL verification
Phase 7: Factory Acceptance Test (FAT)
Phase 8: Installation and commissioning of the SIS
Phase 9: Site Acceptance Test (SAT)
Phase 10: Operation and maintenance
Phase 11: Modifications
Phase 12: Decommissioning of the SIS
Standards derived from IEC/EN 61508
STANDARD IEC 61511: Functional Safety - Safety Instrumented Systems for the Process Industry Sector
STANDARD IEC 61513: Nuclear Power Plants - Instrumentation and Control for Systems Important to Safety - General Requirements for Systems
STANDARD EN 50402: Electrical Apparatus for the Detection and Measurement of Combustible or Toxic Gases or Vapours or of Oxygen - Requirements on the Functional Safety of Fixed Gas Detection Systems
STANDARD IEC 62061: Safety of Machinery - Functional Safety of Safety-Related Electrical, Electronic and Programmable Electronic Control Systems
[Figure: risk analysis workflow] START -> System description -> Hazard identification (historical analysis, HAZID, HAZOP, FMECA) -> Selection of critical events by means of a risk matrix: "Not critical" events go to a design and management review, "Critical" events proceed -> Selection and grouping of initiating events -> Analysis of accidental sequences (Event Tree Analysis, Fault Tree Analysis) -> Probabilistic analysis and accident simulation (simulation models, data banks) -> Risk assessment against tolerability criteria (Tolerable / Not tolerable) -> END
APPLYING THE STANDARD IEC 61508
1. Definition of the SILs according to the risk analysis of the system
2. Design of the safety systems to meet the required SIL
3. Verification of the SIL imposed
4. Commissioning and management to maintain the SIL of the project
STEP 1 - SIL Allocation to Safety Instrumented Functions
Identification of the hazards, of their expected frequencies, of the
accidental scenarios and of the safety-critical systems, by means of
qualitative and/or quantitative techniques.
Definition of a policy for allocating Safety Integrity Levels to the SIFs
identified and deemed necessary.
Approaches to SIL allocation suggested by the standard:
- HAZOP and simplified risk matrices
- Calibrated risk graph method
- LOPA (Layer of Protection Analysis)
- QRA (Quantitative Risk Assessment)
Going down the list, the complexity and detail of the analysis increase,
while the conservatism of the allocated SILs decreases.
SIL Allocation: HAZOP & Simplified Risk Matrices (I)
HAZOP: Hazard and Operability Studies
Columns of the HAZOP worksheet:
SYSTEM | PROCESS PARAMETER | DEVIATION | CAUSE | OP. PHASE | EFFECTS (Local / System / Plant) | FREQ. | DAMAGE: S, E, P, A | DETECTION, PREVENTION, MITIGATION METHODS | ACTIONS | NOTES
S = index of damage on Safety; E = index of damage on Environment; P = index of damage on Production; A = index of damage on Assets.
SIL Allocation: HAZOP & Simplified Risk Matrices (II)
Qualitative indexes for frequencies (examples):
FREQUENCY | DESCRIPTION
1 | Not expected over the system life cycle
2 | May happen once over the system life cycle
3 | Expected a few times over the system life cycle
4 | Expected several times over the system life cycle
Qualitative indexes for damages (examples):
DAMAGE (Safety) | DESCRIPTION
1 | No important effects
2 | Temporary injuries to people (recovery within 3 days)
3 | Temporary injuries to people (recovery in more than 3 days)
4 | Permanent disabilities or fatalities
DAMAGE (Production) | DESCRIPTION
1 | No important effects
2 | Damage to the system without any interruption of production, or slight reduction of production without interruptions
3 | Damage to the system with interruption of production within a week
4 | Severe damage to the system with long-term loss of production (more than a week)
SIL Allocation: HAZOP & Simplified Risk Matrices (III)
Risk Matrix (qualitative acceptability criteria), R = F x D:
F \ D | 1 | 2 | 3 | 4
4 | 4 | 8 | 12 | 16
3 | 3 | 6 | 9 | 12
2 | 2 | 4 | 6 | 8
1 | 1 | 2 | 3 | 4
R > 8: events with very high criticality, on which to intervene with preventive and/or mitigative actions
4 <= R <= 8: critical events that require deeper study (accurate cost-benefit analysis)
2 <= R <= 3: low-criticality events, on which to intervene only if low-cost preventive and/or mitigative solutions are identified
R = 1: non-critical events
The risk criteria depend on the type of damage considered (Safety, Environment, Assets, Production, etc.): each type has its own reference risk matrix.
SIL Allocation: HAZOP & Simplified Risk Matrices (IV)
Simplified SIL allocation over the same matrix (same criticality bands as above):
F \ D | 1 | 2 | 3 | 4
4 | SIL 2 | SIL 3 | SIL 4 | SIL 4
3 | SIL 1 | SIL 2 | SIL 3 | SIL 4
2 | SIL 1 | SIL 2 | SIL 2 | SIL 3
1 | No SIL required | SIL 1 | SIL 1 | SIL 2
SILs are allocated with a highly conservative approach to the different areas of the matrix.
SIL Allocation: HAZOP & Simplified Risk Matrices (V)
Simplified SIL allocation (example), one row of the HAZOP worksheet:
PROCESS PARAMETER: Pressure
DEVIATION: More
OP. PHASE: Normal operation
EFFECTS: Possible release of flammable substance, fire and/or explosion, 1 or more fatalities
FREQ.: 3
DAMAGE: S = 4, E = 3, P = 3, A = 2
DETECTION, PREVENTION, MITIGATION METHODS: None
ACTIONS: Provide a new SIF: detection of high pressure on the vessel and shutdown of the inlet/outlet lines
NOTES: Perform a SIL study for the new SIF
SIL allocation to the new SIF: SIL 4 for Safety (F = 3, D = 4 in the simplified SIL matrix; R = 12, very high criticality)
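The matrix allocation above, carried through in code as an added example (not part of the course slides). The F x D matrix, the criticality bands and the simplified SIL matrix are the ones transcribed from the slides, and the HAZOP row is the slides' overpressure example; the function and field names are our own. The slides give the SIL matrix for the Safety damage type only, so applying the same matrix to the E, P and A indexes, as done here to obtain the governing SIL, is an assumption made for illustration.

```python
"""Simplified risk-matrix SIL allocation (added example, not from the slides).

The 4x4 risk matrix, the criticality bands and the simplified SIL matrix are
transcribed from the slides; the HAZOP row is the slides' overpressure example.
Assumption: the same SIL matrix is applied to all four damage types.
"""
from dataclasses import dataclass


def _check_index(name: str, value: int) -> None:
    # Both axes of the matrix are qualitative indexes 1..4.
    if value not in (1, 2, 3, 4):
        raise ValueError(f"{name} index must be in 1..4, got {value!r}")


def risk_index(freq: int, damage: int) -> int:
    """R = F x D, the cell value of the qualitative risk matrix."""
    _check_index("frequency", freq)
    _check_index("damage", damage)
    return freq * damage


def criticality(r: int) -> str:
    """Criticality band of a risk index R, as defined on the slides."""
    if r > 8:
        return "very high"    # intervene with preventive/mitigative actions
    if r >= 4:
        return "critical"     # deeper study, cost-benefit analysis
    if r >= 2:
        return "low"          # act only if a low-cost solution is found
    return "non critical"     # R = 1


# Simplified SIL matrix, indexed [F][D]; 0 means "No SIL required".
SIL_MATRIX = {
    4: {1: 2, 2: 3, 3: 4, 4: 4},
    3: {1: 1, 2: 2, 3: 3, 4: 4},
    2: {1: 1, 2: 2, 3: 2, 4: 3},
    1: {1: 0, 2: 1, 3: 1, 4: 2},
}


def required_sil(freq: int, damage: int) -> int:
    """SIL read from the simplified SIL matrix (0 = no SIL required)."""
    _check_index("frequency", freq)
    _check_index("damage", damage)
    return SIL_MATRIX[freq][damage]


def sil_label(sil: int) -> str:
    return "No SIL required" if sil == 0 else f"SIL {sil}"


@dataclass(frozen=True)
class HazopRow:
    """One HAZOP worksheet row (only the fields the allocation needs)."""
    parameter: str
    deviation: str
    effects: str
    freq: int
    damage: dict  # damage type ("S", "E", "P", "A") -> damage index 1..4


def assess(row: HazopRow) -> dict:
    """For each damage type: (R, criticality band, SIL from the matrix)."""
    out = {}
    for kind, d in row.damage.items():
        r = risk_index(row.freq, d)
        out[kind] = (r, criticality(r), required_sil(row.freq, d))
    return out


def governing_sil(row: HazopRow) -> int:
    """The SIF must satisfy the most demanding damage type."""
    return max(sil for _, _, sil in assess(row).values())


# The slides' example row: high pressure in normal operation,
# F = 3, S = 4, E = 3, P = 3, A = 2.
OVERPRESSURE = HazopRow(
    parameter="Pressure",
    deviation="More",
    effects="Release of flammable substance, fire and/or explosion, "
            "1 or more fatalities",
    freq=3,
    damage={"S": 4, "E": 3, "P": 3, "A": 2},
)

if __name__ == "__main__":
    for kind, (r, band, sil) in assess(OVERPRESSURE).items():
        print(f"{kind}: R = {r:2d} ({band}), {sil_label(sil)}")
    print("New SIF:", sil_label(governing_sil(OVERPRESSURE)))
```

Running the script reproduces the slide's result (SIL 4 for Safety) and also shows why the simplified matrix is called conservative: the Assets damage alone (R = 6) would still demand a SIL 2 function.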
SIL Allocation: Calibrated Risk Graphs (I) (qualitative approach)
This approach has no explicit correlation with risk acceptability criteria: before applying the method it is therefore necessary to check its consistency with the available reference criteria and to perform the so-called calibration.
SIL Allocation: Calibrated Risk Graphs (II) (qualitative approach)
SIL Allocation: Calibrated Risk Graphs (III) (qualitative approach)
SIL Allocation: Calibrated Risk Graphs (IV) (qualitative approach)
SIL allocation by risk graphs (example):
Hazard: overpressure in vessel, leading to fire / explosion
Consequence: 1 or more fatalities
Exposure: frequent exposure of operators / maintainers
Demand rate: expected a few times in the plant life cycle (F of the order of 10^-1 ev/y)
SIF REQUIRED: detection of high pressure on the vessel and shutdown of the inlet/outlet lines
ALLOCATION: SIL 3
(The same scenario received SIL 4 from the simplified risk matrix: the calibrated risk graph is the less conservative of the two methods.)
SIL Allocation: LOPA (I) (semi-quantitative approach)
LOPA (Layer Of Protection Analysis)
It is a semi-quantitative approach, more accurate and detailed than the
previous ones (it needs more time and resources, but gives less
conservative and more realistic results).
It is used downstream of the HAZOP and applied to all the scenarios for
which the need for a SIF has been identified.
It highlights the existing safeguards, distinguishes their effectiveness
against each of the initiating causes, evaluates the need for new SIFs
and allocates the required SIL.
It has a direct and explicit link with the risk acceptability criteria.
SIL Allocation: LOPA (II)
Semi-quantitative risk acceptability criteria (example): a matrix of damage category against scenario frequency, split into a NOT ACCEPTABLE region and an ACCEPTABLE region.
Damage categories (rows):
- Extended (10 or more fatalities, large exposed groups)
- Serious (severe injuries, 1 or more fatalities, small exposed groups)
- Minor (light injuries)
Frequency scale (columns): 1.0E-06, 1.0E-07, 1.0E-08, 1.0E-09, 1.0E-10 ev/y
[The boundary between the two regions is drawn on the original figure and is not reproduced in the transcript.]
SIL Allocation: LOPA (III) (template suggested by IEC 61511)
Columns of the LOPA worksheet:
- Reference accidental scenario highlighted by the HAZOP
- Initiating causes (one per row) with their frequencies
- INDEPENDENT PROTECTION LAYERS, each with its PFD:
  - Design preventive measures (over-dimensioning and ratings, intrinsic safety, ATEX, etc.)
  - Basic Process Control System (protections)
  - Procedural protections, safety escape ways, etc.
  - Passive protections and other IPLs
- Mitigated frequency (*)
- PFD required for an additional SIF
(*) NOTE: the mitigated frequency of each single cause lies within the limits set by the acceptability criteria, but the frequency of the overall scenario (the sum over all causes) does NOT. A PFD of 10^-2 is not sufficient: the PFD requirement of the new SIF must be lower.
SIL Allocation: LOPA (IV)
IPL: Independent Protection Layers. A safeguard can be credited as an IPL only if it has:
- Complete effectiveness against the consequences of the scenario
- Independence from all the causes of the initiating events and from all the other IPLs considered
- Complete testability, in terms of functional efficacy and of reliability characteristics
SIL Allocation: LOPA (V)
The SIL defines the safety integrity of the requested SIF (and consequently of the SIS that will implement it) and its capability to reduce the risk level.
Once the necessary value of PFD (Probability of Failure on Demand) has been defined, the required SIL is allocated by means of the PFD-to-SIL table of the standard (IEC 61508, low-demand mode of operation):
SIL | PFD on demand (average)
4 | 10^-5 <= PFD < 10^-4
3 | 10^-4 <= PFD < 10^-3
2 | 10^-3 <= PFD < 10^-2
1 | 10^-2 <= PFD < 10^-1
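The LOPA worksheet of slide (III), its note on summing the causes, and the PFD-to-SIL allocation of slide (V), worked through together as an added example (not the slides' own numbers or code). The scenario is the vessel overpressure already used in this lecture; its three initiating causes, their frequencies, the IPL PFD credits and the target frequency of 1.0E-05 ev/y are constructed for illustration, and the function names are ours. The PFD bands are the IEC 61508 low-demand bands.

```python
"""LOPA: per-cause vs. whole-scenario frequency and the resulting SIF SIL.

Added example, not from the course slides. Causes, IPL credits and the
target frequency are constructed; the PFD bands are the IEC 61508
low-demand bands.
"""
from dataclasses import dataclass, field

TARGET_FREQ = 1.0e-5  # ev/y, constructed acceptability limit for this damage class


@dataclass
class Cause:
    name: str
    initiating_freq: float                        # ev/y
    ipl_pfds: dict = field(default_factory=dict)  # IPL name -> PFD credited

    def mitigated_freq(self, sif_pfd: float = 1.0) -> float:
        """Frequency after all credited IPLs and (optionally) the new SIF.

        sif_pfd = 1.0 means "no SIF yet": the SIF never intervenes."""
        f = self.initiating_freq
        for pfd in self.ipl_pfds.values():
            f *= pfd
        return f * sif_pfd


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand bands: SIL 1 [1e-2, 1e-1), SIL 2 [1e-3, 1e-2),
    SIL 3 [1e-4, 1e-3), SIL 4 [1e-5, 1e-4). Returns 0 for "no SIL"."""
    if pfd >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil
    # Below 1e-5 no single SIF can be claimed: add another independent layer.
    raise ValueError(f"required PFD {pfd:.2e} is beyond SIL 4")


def scenario_freq(causes, sif_pfd: float = 1.0) -> float:
    """Whole-scenario frequency: the SUM of the mitigated cause frequencies."""
    return sum(c.mitigated_freq(sif_pfd) for c in causes)


def required_sif_pfd(causes, target: float = TARGET_FREQ) -> float:
    """PFD the new SIF needs so that the whole scenario meets the target."""
    return target / scenario_freq(causes)


def allocate(causes, candidate_sif_pfd: float, target: float = TARGET_FREQ) -> dict:
    """Check a candidate SIF PFD per cause and per scenario; derive the SIL."""
    per_cause_ok = all(c.mitigated_freq(candidate_sif_pfd) <= target for c in causes)
    scenario_ok = scenario_freq(causes, candidate_sif_pfd) <= target
    req = required_sif_pfd(causes, target)
    return {
        "per_cause_ok": per_cause_ok,
        "scenario_ok": scenario_ok,
        "candidate_sil": sil_from_pfd(candidate_sif_pfd),
        "required_pfd": req,
        "required_sil": sil_from_pfd(req),
    }


# Constructed causes of the overpressure scenario (ev/y and PFD credits).
CAUSES = [
    Cause("upstream pressure control failure", 8e-2,
          {"BPCS high-pressure alarm + operator response": 0.1,
           "procedural protection (manual isolation)": 0.1}),
    Cause("blocked outlet", 5e-2,
          {"relief valve (passive protection)": 1e-2}),
    Cause("external fire", 6e-3,
          {"design rating / fireproofing": 0.1}),
]

if __name__ == "__main__":
    for c in CAUSES:
        print(f"{c.name:38s} {c.mitigated_freq(1e-2):.1e} ev/y with a SIF of PFD 1e-2")
    print(f"scenario total {scenario_freq(CAUSES, 1e-2):.1e} ev/y, target {TARGET_FREQ:.0e} ev/y")
    print(allocate(CAUSES, candidate_sif_pfd=1e-2))
```

With a candidate SIF of PFD 10^-2 every cause individually ends below the target (8e-6, 5e-6 and 6e-6 ev/y), but their sum (1.9e-5 ev/y) does not, which is exactly the note on slide (III). The PFD actually required is the target divided by the unmitigated scenario frequency, about 5.3e-3, so the new SIF must be SIL 2 rather than the SIL 1 that a per-cause reading would suggest.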
SIL Allocation: LOPA (VI) (alternative template suggested by the references in IEC 61508 & 61511)
Reference: Layer of Protection Analysis: Simplified Process Risk Assessment (2001), Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers (AIChE).
STEP 2 - Design safety systems to meet the required SIL
System architecture:
- Redundancy (fault tolerance), separation and diversity
- Defence in depth (IPL, Independent Protection Layers)
Quality and reliability of components:
- Improve the reliability and the maintainability of the components
- Increase availability by improving maintenance
- Improve the software development process
STEP 3 - SIL Verification
The SIL allocation described in the previous section is performed with reference to a specific SIF (Safety Instrumented Function), defined in terms of a set of functional, timing, architectural, probabilistic and maintenance requirements (SRS, Safety Requirements Specification).
The SIF is implemented by means of a well-defined SIS (Safety Instrumented System), whose design inherits all the requirements of the SIF, in terms of SIL and SRS.
The SIL verification phase analyses the design of the SIS and verifies that all the requirements, in terms of SIL and SRS, have actually been met.
SIL VERIFICATION for the design of a SIS:
- HARDWARE requirements verification:
  - Probabilistic requirements verification
  - Architectural and functional requirements verification
- SOFTWARE requirements verification:
  - New software development
  - Existing software verification
SIL verification is successful only if BOTH the hardware AND the software requirements are met!
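The probabilistic part of the hardware verification (Step 3), applied to the redundancy choice of Step 2, as an added example that is not part of the course slides. It evaluates the average PFD of 1oo1, 1oo2 and 2oo3 voting architectures with the simplified low-demand formulas of IEC 61508-6 (dangerous undetected failures only, repair time neglected, perfect proof test, beta-factor common cause) and checks the result against the SIL required by the SRS. The failure rate, proof-test interval and beta are constructed sample values, and the function names are ours.

```python
"""Probabilistic SIL verification of a SIS subsystem architecture.

Added example, not from the course slides. Simplified IEC 61508-6
low-demand formulas, with constructed sample values:
  1oo1: PFDavg = lambda_DU * T1 / 2
  1oo2: PFDavg = ((1-beta) lambda_DU T1)^2 / 3 + beta lambda_DU T1 / 2
  2oo3: PFDavg = ((1-beta) lambda_DU T1)^2     + beta lambda_DU T1 / 2
"""

# Upper PFDavg limit of each SIL band (IEC 61508, low-demand mode):
# the architecture meets SIL n probabilistically if PFDavg < 10^-n.
SIL_UPPER_PFD = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def pfd_avg(arch: str, lambda_du: float, t1_hours: float, beta: float = 0.0) -> float:
    """Simplified PFDavg for a voted group of identical channels.

    lambda_du : dangerous undetected failure rate per channel, 1/h
    t1_hours  : proof-test interval, h
    beta      : common-cause (beta-factor) fraction of lambda_du
    """
    if not 0.0 <= beta < 1.0:
        raise ValueError("beta must be in [0, 1)")
    x = lambda_du * t1_hours            # expected DU failures per test interval
    independent = (1.0 - beta) * x      # part of the failures that is independent
    common = beta * x / 2.0             # common-cause part: behaves like a 1oo1
    if arch == "1oo1":
        return x / 2.0
    if arch == "1oo2":
        return independent ** 2 / 3.0 + common
    if arch == "2oo3":
        return independent ** 2 + common
    raise ValueError(f"unsupported architecture {arch!r}")


def meets_sil(pfd: float, required_sil: int) -> bool:
    """Probabilistic check only: PFDavg must lie below the band's upper limit.

    Passing here does not by itself prove the SIL: the architectural
    (hardware fault tolerance) and software requirements must also be met."""
    return pfd < SIL_UPPER_PFD[required_sil]


def verify(arch: str, lambda_du: float, t1_hours: float, beta: float,
           required_sil: int) -> dict:
    """One line of the SIL verification report for a subsystem."""
    pfd = pfd_avg(arch, lambda_du, t1_hours, beta)
    return {"arch": arch, "pfd_avg": pfd, "rrf": 1.0 / pfd,
            "required_sil": required_sil,
            "probabilistic_ok": meets_sil(pfd, required_sil)}


# Constructed sensor subsystem: lambda_DU = 1e-6 /h per transmitter,
# proof test once a year, 5 % common cause between redundant channels.
LAMBDA_DU = 1.0e-6
T1 = 8760.0
BETA = 0.05

if __name__ == "__main__":
    for arch in ("1oo1", "1oo2", "2oo3"):
        r = verify(arch, LAMBDA_DU, T1, BETA, required_sil=3)
        print(f"{arch}: PFDavg = {r['pfd_avg']:.2e}, RRF = {r['rrf']:.0f}, "
              f"SIL 3 probabilistic check: {'OK' if r['probabilistic_ok'] else 'FAIL'}")
    # Neglecting common cause would overstate the benefit of redundancy:
    print(f"1oo2 with beta = 0: PFDavg = {pfd_avg('1oo2', LAMBDA_DU, T1, 0.0):.2e}")
```

For the sample values a single transmitter (1oo1) gives PFDavg 4.4e-3, i.e. the SIL 2 band, while 1oo2 with 5 % common cause gives about 2.4e-4 and satisfies the SIL 3 probabilistic requirement; the common-cause term contributes roughly 90 % of that figure, which is why the beta factor, not the number of channels, usually decides whether redundancy buys a SIL. The check is deliberately only the probabilistic one: the hardware fault tolerance and the software requirements of Step 3 still have to be verified separately.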