RIS Methodology Presentation

Reliability Instrumented Systems Training © Copyright Meridium, Inc. 2007 © Copyright Meridium, Inc. 2007 MCE-RIS

Upload: nilesh-jogal

Post on 08-Feb-2016


DESCRIPTION

Methodology for Risk and Impact Assessment

TRANSCRIPT

Page 1: RIS Methodology Presentation

Reliability Instrumented Systems Training


MCE-RIS

Page 2: RIS Methodology Presentation

• Safety?
• Process Availability?
• Manage Risk?
• Quality?
• Cost saving?

How do I address all of these needs?

RIS Introduction

Page 3: RIS Methodology Presentation


Reliability Instrumented Systems (RIS)

Reliability Instrumented Systems is a methodology for performance management of process instrumentation as well as safety instrumented systems. It accomplishes this through the integration of tools, processes and workflows for Calibration Management, Safety Instrumented System Life Cycle Management (SLCM), and Reliability Management tools.


[Diagram: the three RIS components: Safety Instrumented Systems, Instrumentation Reliability Management, and Calibration Management.]

Page 4: RIS Methodology Presentation


Instrumentation Reliability Management

Instrumentation Reliability Management is an integral part of the performance management of all instrumentation. Meridium has integrated component and system reliability tools that can be used to assess the actual reliability of the instruments used in the Safety Instrumented Systems. The actual instrument MTBF can be evaluated against the values that were used in the design of the Safety Instrumented Systems. Instruments not performing as originally specified can be identified and the required changes implemented.



Page 5: RIS Methodology Presentation


Calibration Management



Calibration Management provides manual and automated tools to specify, schedule and execute detailed calibrations on all types of instruments and analyzers. In order to effectively manage and assess instrumentation performance, the accuracy, drift and repeatability with which an instrument measures a process value are needed. Calibration Management addresses this need by collecting the actual calibration results needed to make these types of evaluations possible.

Page 6: RIS Methodology Presentation


Safety Instrumented System

Safety Instrumented System: A system designed to respond to hazardous conditions in the plant and generate the correct outputs to prevent the hazardous consequence.



Page 7: RIS Methodology Presentation


Safety Instrumented System Life Cycle Management

Safety Instrumented System Life Cycle Management provides the tools and methodology to assess the Safety Integrity Level (SIL) needed to achieve the required tolerable risk for a defined Safety Instrumented Function (SIF). The system also provides the analysis tools to validate that the Safety Instrumented System (SIS) meets the required Safety Integrity Level (SIL). With the integrated reliability tools, actual equipment failure rates can be compared to those used during the engineering and design phase of the SLCM.



Page 8: RIS Methodology Presentation


Industry Hazards


Page 9: RIS Methodology Presentation


Industry Hazards Section Objectives


• General awareness of major industrial accidents that have driven the industry to standardize safety
• Methods for identifying potential hazards: What-If Study, Checklists, Failure Modes and Effect Analysis, Hazard and Operability Analysis

Page 10: RIS Methodology Presentation


Industry Accidents

Industry accidents have driven the development of international standards for safety systems.


Page 11: RIS Methodology Presentation


Consequences of Industrial Accidents

• Loss of life
• Environmental damage
• Loss of assets
• Production losses
• Loss of contracts/clients
• Loss of public confidence
• Fines, judgments against the company and legal fees


Page 12: RIS Methodology Presentation


Costs of Industrial Accidents

• Chernobyl Nuclear Plant – 100,000 deaths – Cost US $5.5 Billion
• Bhopal 1984 – 2000 deaths & 300,000 injuries – Lawsuit settlement of $470 million
• Three Mile Island Nuclear Plant 1979 – Cost US $1.3 Billion
• Flixborough 1974 – 28 deaths & 100 injuries
• Piper Alpha 1988 – 167 deaths – Costs US $3 Billion
• Phillips 1989 – 23 deaths and 232 injuries – OSHA fines exceeded $5.7 million


Page 13: RIS Methodology Presentation


The occurrence of industry accidents has dropped, but they are still occurring. BP Texas City Refinery, March 23, 2005: the explosion killed 15 workers, and costs are currently over 2.6 billion US dollars.

BP Incident Review – What safeguards should have prevented this incident?
http://www.chemsafety.gov/index.cfm?folder=current_investigations&page=info&INV_ID=52


Page 14: RIS Methodology Presentation


BP Incident Report – The Baker Report


Although ISA 84.01-96 was published ten years ago, the technical consultants expressed their belief that BP has not implemented this standard in a timely manner.

Discussions with BP refinery instrumentation subject matter experts indicated that it might be another ten years before ISA 84.01 would be fully implemented in the BP U.S. refineries.

As a result, the technical consultants also concluded that none of BP’s U.S. refineries had an effective and credible plan to achieve full compliance with ISA 84.01 in a timely manner.

Page 15: RIS Methodology Presentation


Hazard Analysis

The following are a few of the methods used in the process automation industry to help identify hazards and risks:
– What-if
– Checklists
– Failure Mode and Effect Analysis (FMEA)
– Hazard and Operability Analysis (HAZOP)


Page 16: RIS Methodology Presentation

Qualitative vs Quantitative Analysis

Qualitative Analysis – The use of personal experience/judgment in order to evaluate the frequency and/or the consequence of potential accidents.

Quantitative Analysis – The systematic development of numerical estimates of the expected frequency and/or consequences of potential accidents.


Page 17: RIS Methodology Presentation


Summary: Industry Hazards

• Industry has experienced a number of very significant failures that have led governments and industries to develop standards for maintaining safety.
• Qualitative Analysis – based on experience and personal judgment.
• Quantitative Analysis – statistical evaluation of the probability of an event occurring.
• Hazards are evaluated with the following tools: What-if, Checklists, Failure mode and effect analysis (FMEA), Hazard and Operability analysis (HAZOP).


Page 18: RIS Methodology Presentation


Definition of Safety Instrumented Systems


Page 19: RIS Methodology Presentation


Section Objectives: Definition of Safety Instrumented System

• Definition and understanding of the relationship of the Safety Instrumented Function (SIF) to the SIS
• Definition of Safety Instrumented System (SIS), Safety Loop and Safety Loop Subsystem, and their relationship to the SIF/SIS
• Understand Safety Integrity and Safety Integrity Level: SIL for Demand Mode; SIL for High/Continuous Mode
• Probability of Failure on Demand Average (PFD Avg)

Page 20: RIS Methodology Presentation


What is a Safety Instrumented System (SIS)?

A Safety Instrumented System is used to implement one or more Safety Instrumented Functions (SIFs). A Safety Instrumented System (SIS) is composed of any combination of:
• sensor(s),
• logic solver(s), and
• final element(s).

Page 21: RIS Methodology Presentation

Parts of the Safety Instrumented System

[Diagram: an example safety loop with instrument tags PC832, FC, PT832, SOV 832 and HV832, grouped into the Sensor Subsystem, the Logic Solver Subsystem and the Final Element Subsystem; together these make up one Safety Instrumented Function.]

Page 22: RIS Methodology Presentation


Safety Instrumented Function

Safety Instrumented Function (SIF) – a safety function with a specific integrity level which is necessary to achieve or maintain functional safety for a specific hazardous event. A SIF will:
– respond to conditions in the plant which may be hazardous in themselves or, if no action were taken, could eventually give rise to a hazard, and
– respond to these conditions by taking defined actions that will either prevent the hazard or mitigate the hazard consequences.

Safety Instrumented Functions are generally defined in a PHA such as a HAZOP.

Page 23: RIS Methodology Presentation

Example Safety Instrumented Functions

• Close the outlet valve on a high pressure separator when level is lost, to prevent over-pressuring and rupturing downstream equipment.
• Shut off feed to an exothermic reaction when high pressure is detected, to prevent rupture of the vessel and explosion.
• Close fuel to the burner system when the fuel pressure is no longer enough to sustain combustion, to prevent flameout and possible explosion due to built-up fuel in the combustion chamber.
• Turn on deluge water to a hydrocarbon storage tank when a Lower Explosion Limit detector goes into alarm, to prevent possible fire and/or explosion due to tank leakage.

Page 24: RIS Methodology Presentation

Control and Protective Instrumented Functions

• Basic Process Control Systems (BPCS) are not included in Safety Instrumented Functions. These are functions that are engaged in the control, monitoring and alarming of the basic processes. There are cases where an input signal or a valve may be used by both the SIF and the BPCS. Careful assessment of possible common cause failures and systematic failures must be taken into consideration.
• Protective Instrumented Functions (PIFs) are instrumented functions that interlock or shut down a process for reasons that are not safety related. These instrumented functions protect equipment and processes. Protective Instrumented Functions (PIFs) are sometimes built into the Safety Instrumented System (SIS). When this is done they need to be treated the same as a Safety Instrumented Function (SIF) according to ISA/IEC.

Page 25: RIS Methodology Presentation


Safety Loop and Safety Loop Subsystem

The Safety Loop is the physical components that will be used to fulfill the requirements of the Safety Instrumented Function (SIF) and meet the Safety Integrity Level (SIL) requirements for that function.

The Safety Loop Subsystem is the components that make up the sensor, logic solver, and/or final element.

Page 26: RIS Methodology Presentation


Safety Integrity

Safety integrity is the average probability of a safety instrumented system satisfactorily performing the required safety instrumented function under all the stated conditions within a stated period of time.

Page 27: RIS Methodology Presentation


Safety Integrity Level (SIL)

Discrete level (1, 2, 3 or 4) for specifying the safety integrity requirements of the safety instrumented function to be allocated to the safety instrumented system.
– SIL is applied to the Safety Instrumented Function
– SIL is specified in Probability of Failure on Demand Average (PFD avg)
– Each SIL level has a specific risk reduction factor range

Page 28: RIS Methodology Presentation


Probability of Failure on Demand

Probability of Failure on Demand - the probability of a device or system failing to respond to a demand while in service.

Example Calculations for PFD avg

Full form, with diagnostics and repair time:

$$PFD_{avg} = \lambda_D \left[ (1 - DC)\left(\frac{t}{2} + MTTR\right) + DC \cdot MTTR \right]$$

Simplified form (no diagnostics, MTTR negligible):

$$PFD_{avg} = \frac{\lambda_D \, t}{2}$$

λD – Failure Rate Dangerous, DC – Diagnostic Coverage, t – Test Interval, MTTR – Mean Time to Restore

Page 29: RIS Methodology Presentation


Safety Integrity Levels – Low Demand Mode

Low Demand Mode of Operation

Safety Integrity Level (SIL) | Target average probability of failure on demand (PFD Avg) | % Availability | Risk Reduction Factor (RRF)
4 | ≥ 1x10^-5 to < 1x10^-4 | > 99.99% | > 10,000 to ≤ 100,000
3 | ≥ 1x10^-4 to < 1x10^-3 | 99.9% to 99.99% | > 1,000 to ≤ 10,000
2 | ≥ 1x10^-3 to < 1x10^-2 | 99% to 99.9% | > 100 to ≤ 1,000
1 | ≥ 1x10^-2 to < 1x10^-1 | 90% to 99% | > 10 to ≤ 100

RRF = 1/PFDavg; % Availability = 1 – PFDavg; Availability = system uptime / total system lifetime.

No safety instrumented function with a SIL higher than that associated with SIL 4 will be allocated to a safety instrumented system. Applications that require the use of a single SIF of SIL 4 are very rare in the process industry.
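To make the two PFD avg formulas and the low-demand SIL table concrete, here is an added Python example (not Meridium code or part of the original deck) that evaluates both PFD avg forms, derives RRF and availability, and looks up the SIL band. The dangerous failure rate, proof test intervals, DC and MTTR values it runs with are constructed sample values, chosen to show that the proof test interval alone can move a loop between SIL bands.

```python
"""PFD avg, RRF, availability and low-demand SIL lookup (added example; sample values are constructed)."""

# Low-demand SIL bands from the table above: (SIL, PFD avg lower bound inclusive, upper bound exclusive).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def pfd_avg(lambda_d, test_interval, dc=0.0, mttr=0.0):
    """Full form from the slide: PFD avg = λD [ (1 - DC)(t/2 + MTTR) + DC * MTTR ].

    lambda_d: dangerous failure rate λD per hour
    test_interval: proof test interval t in hours
    dc: diagnostic coverage as a fraction 0..1 (share of λD revealed by diagnostics)
    mttr: mean time to restore in hours
    """
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must be a fraction between 0 and 1")
    undetected = (1.0 - dc) * (test_interval / 2.0 + mttr)  # only found at the proof test
    detected = dc * mttr                                     # found by diagnostics, down for MTTR
    return lambda_d * (undetected + detected)


def pfd_avg_simplified(lambda_d, test_interval):
    """Simplified form from the slide (no diagnostics, MTTR negligible): PFD avg = λD t / 2."""
    return lambda_d * test_interval / 2.0


def risk_reduction_factor(pfd):
    """RRF = 1 / PFD avg."""
    return 1.0 / pfd


def availability(pfd):
    """% Availability = 1 - PFD avg, returned as a fraction."""
    return 1.0 - pfd


def sil_for_pfd(pfd):
    """Return the low-demand SIL whose PFD avg band contains pfd, or None when outside SIL 1..4."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def assess_sif(lambda_d, test_interval, dc=0.0, mttr=0.0):
    """Evaluate one SIF loop and return its PFD avg, RRF, availability and achieved SIL."""
    pfd = pfd_avg(lambda_d, test_interval, dc, mttr)
    return {
        "pfd_avg": pfd,
        "rrf": risk_reduction_factor(pfd),
        "availability": availability(pfd),
        "sil": sil_for_pfd(pfd),
    }


if __name__ == "__main__":
    HOURS_PER_YEAR = 8760
    lam = 1e-6  # constructed sample λD: one dangerous failure per 10^6 hours
    # Same hardware, three proof-test policies: the interval, not the hardware, moves the SIL.
    for years, dc, mttr in [(1, 0.0, 0.0), (1, 0.6, 24.0), (3, 0.0, 0.0)]:
        result = assess_sif(lam, years * HOURS_PER_YEAR, dc, mttr)
        print(f"test every {years} y, DC={dc:.0%}, MTTR={mttr:g} h -> "
              f"PFDavg={result['pfd_avg']:.2e} RRF={result['rrf']:.0f} "
              f"availability={result['availability']:.4%} SIL={result['sil']}")
    print(f"simplified check (DC=0, MTTR=0): {pfd_avg_simplified(lam, HOURS_PER_YEAR):.2e}")
```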


Page 30: RIS Methodology Presentation


Summary: Definition of Safety Instrumented System

• A Safety Instrumented System (SIS) has one or more SIFs.
• Safety Integrity Level (SIL) is a probability function and is assigned to a Safety Instrumented Function, not to the SIS or equipment.
• The Safety Instrumented Function (SIF) is associated with a Safety Instrument Loop that achieves the desired safety function.
• There are different Safety Integrity Level (SIL) criteria for Low Demand and High/Continuous mode SIFs. Low Demand Mode is used most often in the process automation industry.
• Demand Mode Safety Integrity Levels are given in ranges of Probability of Failure on Demand average.
• High/Continuous Mode Safety Integrity Levels are given in ranges of Probability of Failure per Hour.
• SIL 4 is not generally used in the process automation industry.


Page 31: RIS Methodology Presentation


Industry Standards for Safety Systems


Page 32: RIS Methodology Presentation


Section Objectives: Industry Standards for Safety Systems

• Identify industry organizations that are generating safety standards
• Understanding of IEC 61508 and IEC 61511: purpose of IEC 61508; purpose and application of IEC 61511
• Understanding of the alignment of ISA 84.00.01-2004 to IEC 61511
• Understanding of the Safety Instrumented System Life Cycle Management process

Page 33: RIS Methodology Presentation


Industry Standards for Safety Systems

• IEC – The International Electrotechnical Commission (IEC) is an international standards organization dealing with electrical, electronic and related technologies. Some of its standards are developed jointly with ISO.
• ISA – Instrumentation, Systems, and Automation Society
• API – American Petroleum Institute
• American Institute of Chemical Engineers, CCPS – Guidelines for Safe Automation of Chemical Processes, 1993
• HSE (Health and Safety Executive) – Programmable Electronic Systems for Use in Safety Related Applications, 1987


Page 34: RIS Methodology Presentation

IEC 61508 A Safety Umbrella for the World

[Diagram: IEC 61508 as an umbrella covering the failure types it addresses: random failures, specification failures, design & implementation failures, installation & commissioning failures, operation & maintenance failures, and modification failures.]

Industry accidents have driven the development of international standards for safety systems.

Page 35: RIS Methodology Presentation

IEC 61508 Generic and Industry Standards

[Diagram: IEC 61508 as the generic standard, with sector standards derived from it: IEC 61511 (Process Sector), IEC 61513 (Nuclear Sector), IEC 62061 (Machinery Sector), and the Medical Sector.]

Page 36: RIS Methodology Presentation


IEC 61511 - Functional safety - Safety instrumented systems for the process industry sector

This standard refines the functional safety requirements laid down by IEC 61508 specifically for the process industry sector, for example refineries and chemical/pharmaceutical plants. This standard was first published in 2003.


Page 37: RIS Methodology Presentation


ANSI/ISA-84.00.01-2004 Parts 1-3, Functional Safety: Safety Instrumented Systems for the Process Industry Sector

This standard addresses the application of safety instrumented systems for the process industries. It addresses safety instrumented systems which are based on the use of electrical/electronic/programmable electronic technology.

– Part 1 is the Framework, Definitions, System, Hardware and Software Requirements for a Safety Instrumented System.
– Part 2 sets forth the guidelines for the Application of ANSI/ISA-84.00.01-2004 Part 1.
– Part 3 is the guidance for the Determination of the Required Safety Integrity Levels.

This standard is the same as IEC 61511 except for the grandfather clause, which makes an exception for companies that designed their systems to the ISA 84 1996 standard.


Page 38: RIS Methodology Presentation


Applying SIS Industry Standards


Page 39: RIS Methodology Presentation


ISA 84/IEC 61511 SIS Safety Life Cycle Phases

[Diagram of the life cycle phases, listed here in numbered order:]

(1) Hazard & Risk Assessment
(2) Allocation of Safety Functions to Protection Layers
(3) Safety Requirements Specification
(4) Design & Engineering of the SIS (alongside: design & develop other means of risk reduction)
(5) Installation, Commissioning & Validation
(6) Operation & Maintenance
(7) Modifications
(8) Decommissioning
(9) Verification
(10) Management of Functional Safety & Functional Safety Assessments & Audits
(11) Life Cycle Structure & Planning


Page 40: RIS Methodology Presentation


Primary causes of control system failures [HSE95]

• Specification, 43%
• Changes after commissioning, 21%
• Design & implementation, 15%
• Operation & maintenance, 15%
• Installation & commissioning, 6%


Page 41: RIS Methodology Presentation


Section Summary: Industry Safety Instrumentation Standards

• Industry standards are performance based and not prescriptive.
• IEC 61508 is an international standard focused on electronic safety systems; this standard is used to develop other safety standards.
• IEC 61511 is related to IEC 61508 but is focused on safety systems in the process industries.
• ISA originally published ISA 84.00.01 in 1996; ISA worked with IEC to help produce IEC 61511 and adopted it in 2004.
• IEC/ISA have defined a process for SIS life cycle management that includes risk assessment, definition, design, test, operate and maintain, modifications and auditing.
• IEC 61511/ISA 84 are the predominant industry standards for Safety Instrumented Systems (SIS).


Page 42: RIS Methodology Presentation


Safety Integrity Level (SIL) Assessment


Page 43: RIS Methodology Presentation


Section Objectives: Safety Integrity Level (SIL)

• Risk
• Qualitative Analysis vs Quantitative Analysis
• As Low As Reasonably Practical (ALARP)
• Safety Integrity Level (SIL) Assessment Methods: Risk Matrix, Layer of Protection Analysis (LOPA), Event Tree, Fault Tree, Risk Graph

Page 44: RIS Methodology Presentation

Risk Reduction

[Diagram: risk plotted as consequences against probability, divided into an acceptable-risk region and an unacceptable-risk region.]

Risk is the combination of the frequency of occurrence of the consequence and the severity of the consequence


Page 45: RIS Methodology Presentation


As Low as Reasonably Practical (ALARP)

[Diagram: three regions ordered by increasing risk.]

Unacceptable region – Risk cannot be justified except in extraordinary circumstances.

Tolerable region – Tolerable risk only if:
a. Further risk reduction is impractical or its cost is grossly disproportionate to the gains
b. Society desires the benefit of the activity given the associated risk

Broadly acceptable region – Level of residual risk regarded as negligible; further measures to reduce risk are not usually required.


Page 46: RIS Methodology Presentation

[Chart: costs (costs of risk, costs of safe-guarding, and total costs) plotted against level of safe-guarding, with the optimum marked on the total-cost curve.]

Concept – Costs of risk, costs of safe-guarding and total costs


Page 47: RIS Methodology Presentation

Example Guidelines For Tolerable Levels of Risk

When developing a Layer of Protection Analysis, a target frequency of occurrence must be defined.

Consequence categories and levels are based on the descriptions from the described risk matrix.

Consequence Category | Consequence Level | Acceptable Mitigated Frequency (Target) per annum
Safety, Health & Environment incidents | A (affects outside the boundaries – public) | 1 x 10^-6
Safety, Health & Environment incidents | A (affects within the boundary only) | 1 x 10^-5
Safety, Health & Environment incidents | B | 1 x 10^-4
Safety, Health & Environment incidents | C | 1 x 10^-3
Production/Economic loss only – no SHE incident | A | 1 x 10^-5
Production/Economic loss only – no SHE incident | B | 1 x 10^-4
Production/Economic loss only – no SHE incident | C | 1 x 10^-3

Page 48: RIS Methodology Presentation


SIL Assessment Methods

Safety Integrity Level (SIL) assessment is the process of selecting the appropriate risk reduction required for the Safety Instrumented Function (SIF) to achieve an acceptable level of risk.

Below is a list of acceptable qualitative and quantitative methods used to assign a Safety Integrity Level (SIL) to the identified risk:
– Risk Matrix
– Layer of Protection Analysis (LOPA)
– Event Tree
– Fault Tree
– Risk Graph


Page 49: RIS Methodology Presentation

Qualitative vs Quantitative Analysis

Qualitative Analysis – The use of personal experience/judgment in order to evaluate the frequency and/or the consequence of potential accidents.

Quantitative Analysis – The systematic development of numerical estimates of the expected frequency and/or consequences of potential accidents.


Page 50: RIS Methodology Presentation


Risk Matrix

A risk matrix is a qualitative tool used to assess risk. It plots defined probability levels against defined levels of consequence. The matrix can be applied to one or more consequence types. The probability levels used are constant.

[Diagram: risk matrix with increasing probability on one axis and increasing consequence severity on the other; cells range from low risk to high risk.]


Page 51: RIS Methodology Presentation


Consequence levels as defined in SABIC SHEM 10

SABIC - Consequence Categories and Levels

Safety/Health | Score | Rating
Event potentially resulting in loss of life | 12 | A
Event potentially resulting in injury/illness that causes a lost workday | 6 | B
Event potentially resulting in injury/illness that requires medical treatment | 4 | C
Event potentially resulting in injury/illness that requires only first aid | 2 | D
No safety/health impact | 1 | E


Page 52: RIS Methodology Presentation


SABIC - Consequence Categories and Levels

Environment – Release/Spill | Score | Rating
Event with a potential release/spillage greater than 10 MT of Hazardous Chemicals/Substance or Hazardous Waste inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises, or release/spillage incident resulting in fatality to personnel inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises | 12 | A
Event with a potential release/spillage between 4-10 MT of Hazardous Chemicals/Substance or Hazardous Waste inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises, or release/spillage incident resulting in injuries to personnel inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises | 6 | B
Event with a potential release/spillage between 1-4 MT of Hazardous Chemicals/Substance or Hazardous Waste inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises, or release/spillage incident inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises and not resulting in injuries to personnel outside the SABIC Divisions, Affiliates and Subsidiaries premises | 4 | C
Event with a potential release/spillage < 1 MT of Hazardous Chemicals/Substance or Hazardous Waste inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises, or release/spillage incident inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises and not resulting in injuries to personnel inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises | 2 | D
Event with no release/spill of Hazardous Chemicals/Substance or Hazardous Waste inside/outside the SABIC Divisions | 1 | E


Page 53: RIS Methodology Presentation


SABIC - Consequence Categories and Levels

Environment – Water Contamination | Score | Rating
Event that potentially results in contamination of a deep/potable water aquifer, or contamination requiring remediation of greater than 70 metric tons of contaminated soil | 12 | A
Event that potentially results in contamination of a deep/potable water aquifer, or contamination requiring remediation of 30 to 70 metric tons of contaminated soil | 6 | B
Event that potentially results in contamination of a deep/potable water aquifer, or contamination requiring remediation of less than 30 metric tons of contaminated soil | 4 | C
 |  | D
Event does not result in contamination of a deep/potable water aquifer | 1 | E


Page 54: RIS Methodology Presentation


SABIC - Consequence Categories and Levels


Environment – Other | Score | Rating
 |  | A
Event with a potential release of Non-Hazardous Chemicals/Substance (including polymers, fertilizer etc.) within or outside the SABIC Divisions, Affiliates and Subsidiaries premises and release/spillage > 50 MT | 6 | B
Event with a potential release of Non-Hazardous Chemicals/Substance (including polymers, fertilizer etc.) within or outside the SABIC Divisions, Affiliates and Subsidiaries premises and release/spillage of 20-50 MT; OR event with a potential emission from vent/stack, including dust (except steam), of contaminants greater than the local regulations, or failure of a pollutant control device; OR event that potentially results in 5 minutes of cumulative smoky flaring within any two hours during normal operations | 4 | C
All other events with a potential release/spillage of Non-Hazardous Chemicals/Substance < 20 MT | 2 | D
Event will not potentially result in a release/spillage of Non-Hazardous Chemicals/Substance | 1 | E

Page 55: RIS Methodology Presentation


SABIC - Consequence Categories and Levels

Economic | Score | Rating
Event potentially resulting in the equivalent of greater than 5 days of production loss of any operating plant because of load reduction or partial or complete shutdown. Event potentially resulting in total economic loss greater than 10M SAR. | 12 | A
Event potentially resulting in the equivalent of between 3 and 5 days of production loss of any operating plant because of load reduction or partial or complete shutdown. Event potentially resulting in total economic loss of 1 million to 10 million SAR. | 6 | B
Event potentially resulting in a production loss of between 1 and 3 days of any operating plant because of load reduction or partial or complete shutdown. Event potentially resulting in total economic loss of 100,000 to 1 million SAR. | 4 | C
Event potentially resulting in a production loss of between 8 and 24 hours of any operating plant because of load reduction or partial or complete shutdown. Event potentially resulting in total economic loss of 10,000 to 100,000 SAR. | 2 | D
Event potentially resulting in less than 8 hours of production loss of any operating plant because of load reduction or partial or complete shutdown. Potential economic loss less than 10,000 SAR. | 1 | E

Page 56: RIS Methodology Presentation


SABIC - Probabilities

Probability Score / Rating

Extreme (Likely to occur one or more times per year): Score 8, Rating A
High (Likely to occur 10 or less times in 25 years): Score 6, Rating B
Moderate (Likely to occur 2 or less times in 25 years): Score 4, Rating C
Low (May occur once in 25 years): Score 2, Rating D
Remote (Not likely to occur in 25 years): Score 1, Rating E

SIL Assessment – Risk Matrix

Page 57: RIS Methodology Presentation


Criticality/Risk Matrix
Consequence x Probability = Risk

SIL Assessment – Risk Matrix

Consequence Criticality Rating (rows: consequence rating (score); columns: probability rating (score); cells: criticality (risk score))

Consequence | Remote (1) | Low (2) | Moderate (4) | High (6) | Extreme (8)
A (12) | B (12) | B (24) | A (48) | A (72) | A (96)
B (6) | C (6) | B (12) | B (24) | A (36) | A (48)
C (4) | D (4) | C (8) | B (16) | B (24) | A (32)
D (2) | D (2) | D (4) | C (8) | B (12) | B (16)
E (1) | D (1) | D (2) | D (4) | C (6) | C (8)

“A” – Critical system, device or equipment; if the risk includes safety or environment risk then they are set to safety critical.
“B” – Moderately Critical system, device or equipment
“C” – Low Critical system, device or equipment
“D” – Non-Critical system, device or equipment

Page 58: RIS Methodology Presentation


Assigning SIL Level Based on Criticality/Risk Matrix

SIL Assessment – Risk Matrix

Consequence Criticality Rating with SIL (rows: consequence rating (score); columns: probability rating (score); cells: criticality (risk score) and assigned SIL)

Consequence | Remote (1) | Low (2) | Moderate (4) | High (6) | Extreme (8)
A (12) | B (12) SIL 2 | B (24) SIL 2 | A (48) SIL 3 | A (72) SIL 3 | A (96) SIL 3
B (6) | C (6) SIL 1 | B (12) SIL 2 | B (24) SIL 2 | A (36) SIL 3 | A (48) SIL 3
C (4) | D (4) | C (8) SIL 1 | B (16) SIL 2 | B (24) SIL 2 | A (32) SIL 3
D (2) | D (2) | D (4) | C (8) SIL 1 | B (12) SIL 2 | B (16) SIL 2
E (1) | D (1) | D (2) | D (4) | C (6) SIL 1 | C (8) SIL 1

Page 59: RIS Methodology Presentation


Example - Risk Matrix SIL Assessment

SIL Assessment – Risk Matrix

Consequence Criticality Rating with SIL (the same matrix as on Page 58, with consequence ratings A to E down the side and probability Remote, Low, Moderate, High, Extreme across the top)

If we consider an overpressure condition of a reactor which occurred as a result of a failure of a pressure control valve, what SIL would be assigned to the SIF based on the data below:

• Documented 4 valve breakdown work orders in the past 10 years.

• One work order indicated that the plant was down for 1 day and the cost to repair was 28,000 SAR.

• Potential to cause fatalities if it failed to work when runaway conditions occurred.

Where would you plot this valve on the risk matrix and what would the Safety Integrity Level (SIL) be?
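Added example (my code, not from the presentation or Meridium): the criticality/risk matrix of Pages 57 and 58 as a lookup, with a helper that maps an observed breakdown count to the probability bands of Page 56. The 25-year scaling of the observed rate, and the mapping of the valve exercise's fatality potential to consequence rating A, are assumptions made here.

```python
"""Criticality/risk matrix and SIL assignment (added example, not from the slides).

Consequence score x probability score = risk score; the score is banded into a
criticality (A..D) and the criticality sets the SIL, exactly as the matrix on the
slides reads cell by cell.
"""
from dataclasses import dataclass

# Consequence rating -> score (Page 55 economic table; the other categories use the same letters).
CONSEQUENCE_SCORE = {"A": 12, "B": 6, "C": 4, "D": 2, "E": 1}
# Probability rating -> score (Page 56), in the column order of the matrix.
PROBABILITY_SCORE = {"Remote": 1, "Low": 2, "Moderate": 4, "High": 6, "Extreme": 8}
# Criticality -> SIL as read from the SIL matrix (Page 58): A -> SIL 3, B -> SIL 2,
# C -> SIL 1, D -> no SIL-rated function required (encoded as 0).
SIL_FOR_CRITICALITY = {"A": 3, "B": 2, "C": 1, "D": 0}


def criticality(risk_score: int) -> str:
    """Band a risk score into a criticality. Thresholds are read off the matrix
    cells: every A cell is >= 32, B cells are 12..24, C cells are 6..8, D cells <= 4."""
    if risk_score >= 32:
        return "A"
    if risk_score >= 12:
        return "B"
    if risk_score >= 6:
        return "C"
    return "D"


def probability_rating(events: int, years: float) -> str:
    """Map an observed event count over an observation period to a probability rating.

    Assumption (not stated on the slides): the observed rate is scaled to the 25-year
    horizon the bands are written in. The bands leave 11..24 events per 25 years
    unassigned; this code treats anything below one per year as at most 'High'.
    """
    if years <= 0:
        raise ValueError("observation period must be positive")
    per_year = events / years
    if per_year >= 1:
        return "Extreme"            # likely to occur one or more times per year
    per_25_years = per_year * 25
    if per_25_years > 2:
        return "High"               # 10 or fewer times in 25 years
    if per_25_years > 1:
        return "Moderate"           # 2 or fewer times in 25 years
    if per_25_years > 0:
        return "Low"                # may occur once in 25 years
    return "Remote"                 # not likely to occur in 25 years


@dataclass(frozen=True)
class Assessment:
    consequence: str
    probability: str
    risk_score: int
    criticality: str
    sil: int

    def cell(self) -> str:
        """Render like a matrix cell on the slide, e.g. 'A (72) SIL 3'."""
        sil = f" SIL {self.sil}" if self.sil else ""
        return f"{self.criticality} ({self.risk_score}){sil}"


def assess(consequence: str, probability: str) -> Assessment:
    """Look up one matrix cell: risk = consequence score x probability score."""
    risk = CONSEQUENCE_SCORE[consequence] * PROBABILITY_SCORE[probability]
    crit = criticality(risk)
    return Assessment(consequence, probability, risk, crit, SIL_FOR_CRITICALITY[crit])


def matrix_rows() -> list:
    """All 25 cells in slide order (consequence A..E down, Remote..Extreme across)."""
    return [[assess(c, p) for p in PROBABILITY_SCORE] for c in CONSEQUENCE_SCORE]


def assess_from_history(consequence: str, events: int, years: float) -> Assessment:
    """Combine a consequence rating with maintenance history (breakdown work orders)."""
    return assess(consequence, probability_rating(events, years))


if __name__ == "__main__":
    for row in matrix_rows():
        print(row[0].consequence, " | ".join(cell.cell() for cell in row))
    # Valve exercise from Page 59: 4 breakdown work orders in 10 years. The fatality
    # potential is assumed here to map to consequence rating A.
    print(assess_from_history("A", 4, 10))
```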

Page 60: RIS Methodology Presentation


Page 61: RIS Methodology Presentation


• LOPA is a semi-quantitative risk analysis technique for easier validation. It is not as rigorous as a HAZOP and the technique evaluates risks by orders of magnitude of the selected accident scenarios. It builds on the information developed in a qualitative hazard evaluation.

• LOPA is one of the more popular methods for assessing Safety Integrity Level (SIL) requirements.

• Provides a defined PFD gap (i.e. required SIL) that the Safety Instrumented System (SIS) is required to fulfill in order to reach tolerable risk

LOPA – Layers of Protection Analysis

SIL Assessment - LOPA

Page 62: RIS Methodology Presentation


Layers of Protection

SIL Assessment - LOPA

Page 63: RIS Methodology Presentation


PFD (SIF) = Required mitigated consequence frequency (tolerable risk) / Intermediate mitigated consequence frequency

The SIS fills the gap between the acceptable risk and the risk not mitigated by the existing layers of protection.

SIL Assessment - LOPA

Page 64: RIS Methodology Presentation

Example Protective Layer PFDs

Protective Layer | PFD
Control Loop / BPCS | 1 x 10^-1
Human performance (trained, no stress) | 1 x 10^-2 to 1 x 10^-4
Human performance (under stress) | 0.5 to 1
Operator response to alarm | 1 x 10^-1
Vessel pressure rating above maximum challenged from internal and external pressure source | 1 x 10^-4

PFD data from ISA ANSI/ISA-84.00.01-2004 Part 3

SIL Assessment - LOPA

Page 65: RIS Methodology Presentation

SIL Assessment - LOPA

Layer of Protection Worksheet

Consequence: Fire from distillation column / Possible fatality
Initiating Event: Loss of cooling water
Initiating Event Frequency: 0.1
Protection Layers (Process Design, BPCS, Alarms, Additional IPL): 0.1, 0.1, 0.1 (only three layer values appear on the slide)
Intermediate Mitigated Consequence Frequency: 0.0001
Required Mitigated Consequence Frequency (Tolerable Risk): 1E-06
PFDavg = 0.01
SIL Required: SIL-2

Initiating Event x IPL1 x IPL2 x IPL3 x IPL4 x IPLn = Intermediate Event Frequency

Each Independent Protection Layer (IPL) is evaluated based on the probability of a dangerous failure, that is, a failure that would prevent that layer from mitigating the consequence.
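Added example (my code, not Meridium's) of the worksheet arithmetic on Pages 63 to 65: initiating event frequency times the IPL PFDs gives the intermediate frequency, the tolerable frequency divided by it gives the PFD the SIF must deliver, and the SIL follows from that PFD. Decimal arithmetic is used so that the slide's 0.1 x 0.1 x 0.1 x 0.1 comes out exactly; the 10-fold IPL qualification check is taken from Page 66.

```python
"""LOPA worksheet arithmetic (added example, not from the slides).

Initiating Event Frequency x IPL1 x ... x IPLn = Intermediate Mitigated Consequence
Frequency; PFD(SIF) = Tolerable Frequency / Intermediate Frequency; the SIF's
required SIL is the band that delivers that PFD.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, Union

Number = Union[str, int, float, Decimal]

# Slide's IPL qualification: at least a 10-fold risk reduction (availability >= 0.9).
MAX_IPL_PFD = Decimal("0.1")


def _dec(x: Number) -> Decimal:
    """Exact decimal arithmetic so 0.1 x 0.1 x 0.1 x 0.1 is 0.0001, not 1.0000000000000002e-4."""
    return x if isinstance(x, Decimal) else Decimal(str(x))


def ipl_qualifies(pfd: Number) -> bool:
    """Does a layer meet the 10-fold (PFD <= 0.1) qualification to count as an IPL?"""
    return Decimal(0) < _dec(pfd) <= MAX_IPL_PFD


def intermediate_frequency(initiating_event_frequency: Number,
                           ipl_pfds: Iterable[Number]) -> Decimal:
    """Initiating event frequency multiplied by the PFD of every qualifying IPL."""
    freq = _dec(initiating_event_frequency)
    for pfd in ipl_pfds:
        if not ipl_qualifies(pfd):
            raise ValueError(f"PFD {pfd} does not qualify as an IPL (needs <= 0.1); "
                             "take no credit for it")
        freq *= _dec(pfd)
    return freq


def required_sil(target_pfd: Number) -> int:
    """Lowest SIL n whose band upper limit 10^-n is at or below the required PFD.

    SIL n guarantees PFDavg < 10^-n, so the SIF is specified at the first n for which
    10^-n <= target (0.01 -> SIL 2, as on the slide; the SIL verification must still
    show the actual PFDavg <= target). Returns 0 when the gap is less than 10-fold
    (no SIL-rated SIF needed) and raises when the target lies below the SIL 4 band.
    """
    target = _dec(target_pfd)
    if target >= MAX_IPL_PFD:
        return 0
    for n in range(1, 5):
        if Decimal(10) ** -n <= target:
            return n
    raise ValueError("required PFD is below the SIL 4 band: add IPLs or change the design")


@dataclass(frozen=True)
class LopaResult:
    intermediate_frequency: Decimal      # events per year after the existing layers
    required_pfd: Decimal                # PFD the SIF has to deliver
    risk_reduction_factor: Decimal       # 1 / PFD
    required_sil: int


def lopa(initiating_event_frequency: Number, ipl_pfds: Iterable[Number],
         tolerable_frequency: Number) -> LopaResult:
    """Fill in one worksheet row."""
    inter = intermediate_frequency(initiating_event_frequency, ipl_pfds)
    target = _dec(tolerable_frequency) / inter
    return LopaResult(inter, target, Decimal(1) / target, required_sil(target))


if __name__ == "__main__":
    # Worksheet row from the slide: loss of cooling water at 0.1/yr, three IPLs at
    # 0.1 each (process design, BPCS, alarms), tolerable frequency 1E-06/yr.
    print(lopa("0.1", ["0.1", "0.1", "0.1"], "1e-6"))
```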

Page 66: RIS Methodology Presentation


Qualifications for Independent Protective Layer (IPL)

• The protection provided reduces the identified risk by a large amount, a minimum of a 10-fold reduction.

• The protective function is provided with a high degree of availability, 0.9 or greater.

• Has the following characteristics:
– Specificity: An IPL is designed solely to prevent or to mitigate the consequences of one specific potential hazard
– Independence: An IPL is independent of the other protection layers associated with the identified danger
– Dependability: The IPL can be counted on to do what it was designed to do. Both random and systematic failure modes are addressed in the design.
– Auditability: It is designed to facilitate regular validation of the protective functions. Proof testing and maintenance of the safety system is necessary.

SIL Assessment - LOPA

Page 67: RIS Methodology Presentation


Sources for Failure Rates

• OREDA Participants, OREDA Offshore Reliability Data Handbook (Second Edition), DNV, P.O. Box 300, N-1322, Hovik, Norway, 1997
• Safety Equipment Reliability Handbook, www.excida.com, ISBN 0-9727234
• The Guidelines for Process Equipment Reliability Data with Data Tables, American Institute of Chemical Engineers, New York, NY, 1989
• SINTEF Reliability Data For Control and Safety Systems, 1998
• IEEE Guide to Collection and Presentation of Electrical, Electronic, Sensing Components, and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations, IEEE Std. 500-1984, The Institute of Electrical and Electronics Engineers, Inc., 1983
• The Systems Reliability Service Data Bank, National Centre of Systems Reliability, System Reliability Service, UKAEA, Culcheth, England
• W. Denson et al., Nonelectronic Parts Reliability Data, NPRD-91, Reliability Analysis Center, P.O. Box 4700, Rome, NY, 1991.
• Nuclear Plant Reliability Data System: Annual Reports of Cumulative System and Component Reliability for Period from July 1, 1974, through December 31, 1982, NPRD A02/A03 (INPO 83-034), Institute of Nuclear Power Operations, Atlanta, GA, October 1983.
• Reliability data generated by experience and failure rate analysis from SAP/Meridium

SIL Assessment - LOPA

Page 68: RIS Methodology Presentation


Section Summary: SIL Assessment

• There are qualitative and quantitative methods for SIL assessment:
– Risk Matrix (qualitative)
– LOPA (semi-quantitative)
– Risk Graph (qualitative)
– Event Tree (semi-quantitative)
– Fault Tree (semi-quantitative)

• The risks used to evaluate Safety Integrity Level (SIL) are supplied by HAZOP, PHA or Safety Recommendations.

• As Low As Reasonably Practical (ALARP) is a method for defining what an acceptable level of risk is.

SIL Assessment

Page 69: RIS Methodology Presentation


Summary: SIL Assessment

• The Safety Integrity Level (SIL) is determined by the required risk reduction factor (RRF) needed to fill the gap between the identified risk and the acceptable level of risk.

SIL Assessment

Page 70: RIS Methodology Presentation


Safety Instrumented System Design and Validation

SIS Design and Validation

Page 71: RIS Methodology Presentation


Safety Instrumented System Design and Validation: Section Objectives

SIS Design and Validation

Failure Modes
• Random Failures
• Systematic Failures
• Safe & Unsafe Failures
• Detected & Undetected Failures

Relationship and calculations associated with Failure Rate, MTBF, PFD, PFD Avg and SIF Architecture

SIL Validation Methods
• Simplified Probability Calculations
• Reliability Block Diagrams (RBD)
• Fault Tree
• Markov

Page 72: RIS Methodology Presentation

Failure classification by cause of failure (with examples)

Failure causes:
• Random Hardware
– Ageing: 1. Natural ageing (within design envelope)
– Stress: 1. Sandblasting 2. Humidity 3. Overheating
• Systematic
– Design: 1. Software error 2. Sensor does not discriminate true and false demand 3. Inadequate location of sensor
– Interaction: 1. Scaffolding covers up sensor
– Test/periodic: 1. Left in by-pass 2. Erroneous calibration of sensor

SIS Design and Validation

Page 73: RIS Methodology Presentation


Systematic Failure

Systematic Failures are failures related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.

Examples:
– The specific gravity of the liquid flow is different from what the D/P instrument was calibrated for. The instrument is working but it is not meeting the intended function.
– The seal leg of a D/P level device is lost. The level transmitter is working but the level indication is wrong.

SIS Design and Validation

Page 74: RIS Methodology Presentation

Failure Rate Bathtub Curve

(Figure: Failure Rate versus Time (t), with three regions: Early Failure, Useful Life (Random) and Wear-out Failure. The label “Failure Rate Used In SIS Calculations” marks the Useful Life (Random) region.)

SIS Design and Validation

Page 75: RIS Methodology Presentation

Classification of Random Failure Modes (with examples)

Random Hardware failures divide into Safe Failures and Dangerous Failures, each of which is either Detected or Undetected:

Safe Detected: Diagnostics detect and send an alarm that there has been a loss of linearization of the temperature output of the transmitter.

Safe Undetected: Transmitter fails high, which causes a shutdown as designed.

Dangerous Detected: Smart positioner fails. The internal diagnostics detect the failure and set an alarm that the positioner has failed.

Dangerous Undetected: Solenoid valve is frozen and will not change state.

SIS Design and Validation

Page 76: RIS Methodology Presentation

Failure Safe Mode Definition

Fail-Safe State: A failure which does not have the potential of putting the safety instrumented system into a hazardous or fail-to-function state; the state where the module/unit output is de-energized.

Fail Safe Detected (SD): A failure that causes the module/unit to go to the defined fail-safe state without a demand from the process and that is detected by the system and annunciated to initiate repair.

Fail Safe Undetected (SU): A failure that causes the module/unit to go to the defined fail-safe state without a demand from the process and that is undetected by the system (detection by the operator because of a spurious trip, depending on system architecture, is not considered).

SIS Design and Validation

Page 77: RIS Methodology Presentation

Failure Dangerous Mode Definition

Fail Dangerous: A failure which has the potential of putting the safety instrumented system into a hazardous state or potentially prevents the module/unit from responding to a demand.

Fail Dangerous Detected (DD): A failure that is dangerous but is detected by internal diagnostics and annunciated to initiate repair (the system reaction is user configurable to automatically transition to the safe state if desired).

Fail Dangerous Undetected (DU): A failure that is dangerous and that is not diagnosed by internal diagnostics.

SIS Design and Validation

Page 78: RIS Methodology Presentation

“Reliability” vs. “Availability”

Reliability: The probability that an item or system will perform its intended function for a specified period under stated conditions.

Availability: The probability that an item or system is not failed at a given point in time.

Page 79: RIS Methodology Presentation

Failure Rate (lambda, λ) is the total number of failures divided by an interval such as mission time (usually in failures per hour) or cycles. The failure rate will change over time and can be greater than one (but will never be less than zero).

Failure Rate λ = Number of Failures / Total Mission Time = 1 / MTBF

Mean Time Between Failure (MTBF) – The reciprocal of the failure rate; the average time to fail. The MTBF is sometimes called the Mean Time To Fail (MTTF). Mean Time to Restore (MTTR) was referred to as Mean Time to Repair in the past. MTBF = MTTF + MTTR.

Total Mission Time – It is defined as the total operating hours of the instrument.

SIS Design and Validation

Page 80: RIS Methodology Presentation


Relationship of Failure Modes

(Diagram: all failures λ are split into Safe Failures and Dangerous Failures, and into Detected and Undetected Failures, giving four groups: Safe Detected λSD, Safe Undetected λSU, Dangerous Detected λDD and Dangerous Undetected λDU.)

λ = λSD + λSU + λDD + λDU

SIS Design and Validation

Page 81: RIS Methodology Presentation

Locating Failure Rate Data for SIL Verifications

SIS Design and Validation

1. Obtain failure rate information from the manufacturer of the instrument or components. All SIL certified data will have detailed failure rate data available.

2. Use published references such as OREDA or Exida for reliability data.

3. Evaluate failure rates based on SAP reported work orders or other internal company sources. Calculate MTBF and/or mean failure rate. If you do not have this data, check with your affiliates; they may have data you can use. The Meridium system can be used to calculate the MTBF of an instrument or type of instrument.

Use the general rule for determining specific failure rate data as shown on the next slide.

Page 82: RIS Methodology Presentation


PFD Avg Calculations

Definition of Safety Instrumented System

(Simplified PFD avg calculation for quick assessment and validation)

PFD Avg = λD x t / 2

λD – Failure Rate Dangerous, DC – Diagnostic Coverage, t – Test Interval, MTTR – Mean Time to Restore

Risk Reduction Factor = 1 / PFD Avg

PFD Avg = λD [ (1-DC)(t/2 + MTTR) + (DC x MTTR) ]   (IEC 61508 specified calculation for 1oo1 channel architecture)

(Both Dangerous Detected and Dangerous Undetected Failures are considered)

Page 83: RIS Methodology Presentation

The Need for Testing

The maximum time the system could be failed is the interval between tests. On average the failure would be midway between tests, leading to the formula

PFD Avg = λD T / 2

where T is the interval between tests (years) and λD is the fail-to-danger rate of the system (failures per year).

SIS Design and Validation

Page 84: RIS Methodology Presentation

Effect of Testing on PFD Avg

Testing is intended to detect failures and validate that the device is working properly.

(Figure: PFD (0.1 down to 0.0001, and 0) versus Time, comparing an Untested device with one proof-tested at Test Interval T1.)

SIS Design and Validation

Page 85: RIS Methodology Presentation

Safety System Response Time

Process Speed / Process Safety Time – It is the time between the process parameter deviation (when it goes out of the control band) and the time at which the consequence occurs (e.g. fire).

The safety system response time shall be less than ½ of the process speed to effectively carry out the safety function.

(Figure: Process Parameter versus Time; the Process Speed spans from the deviation to the Consequence (Fire), with the action by the SIS to prevent the consequence taking place within that span.)

Page 86: RIS Methodology Presentation

EXIDA Reliability Reference Data

SIS Design and Validation

Page 87: RIS Methodology Presentation

OREDA Reliability Reference Data

SIS Design and Validation

Page 88: RIS Methodology Presentation

Main Cause for SIS Failures

SIS Subsystem Failure Percentages: Measurement 42%, Logic Solver 8%, Final Element 50%

ARC White Paper, Reduce Risk with State of the Art Safety Instrumented System, Sept 2004

SIS Design and Validation

Page 89: RIS Methodology Presentation


Subsystem Architecture

Various types of configurations are used to achieve the required level of availability. This is described as the architecture and symbolized by M oo N. The “M” is the number of channels required to sufficiently perform the safety instrumented function and the “N” is the number of independent channels. Below are examples of some of the different architectures used:

SIS Design and Validation

1 oo 1

1 oo 2

2 oo 2

1 oo 3

Page 90: RIS Methodology Presentation


1oo1 Subsystem Architecture

The architecture alone does not indicate what SIL level a loop can achieve. Depending on the SIL level and the Safe Failure Fraction (SFF), redundancy may be required. The Sensor, Logic Solver and/or the Final Element may have different architectures. You could have a 1oo2 Sensor and a 2oo3 Final Element. The Logic Solver input or output will often reflect the architecture of the Sensor and/or the Final Element. Below is an example of a 1oo1 Safety Loop.

SIS Design and Validation

(Diagram: Sensor PT (1oo1) -> Logic Solver -> Final Element, a single valve (1oo1).)

Page 91: RIS Methodology Presentation


1oo2 Subsystem Architecture

There is a relationship between the application and the physical design of the SIS architecture. In the example below the Final Element consists of two valves in series. If the application were to stop the flow during an unsafe condition, this would be considered a 1oo2 architecture.

If the safe state is to open the line, then this would be considered a 2oo2 SIS architecture. Both valves would have to open in order to meet the requirement to vent or provide flow through this line.

SIS Design and Validation

(Diagram: Sensor PT (1oo1) -> Logic Solver -> Final Element, two valves in series (1oo2).)

Page 92: RIS Methodology Presentation


1oo2D Subsystem Architecture

In the case below the Logic Solver is configured to monitor and alarm on the deviation between the two input signals. This type of architecture is considered 1oo2D. The D indicates that diagnostics are being executed that will alarm when one of the two devices is failing.

(Diagram: Sensor, two PTs (1oo2D) -> Logic Solver -> Final Element, one valve (1oo1).)

Page 93: RIS Methodology Presentation


2oo3 Subsystem Architecture

In the case of 2oo3 there are 3 inputs in parallel. As long as two of the three signals agree, the system will not indicate that an unsafe condition has occurred. This architecture generally provides high availability and low spurious trip rates.

SIS Design and Validation

(Diagram: Sensor, three PTs (2oo3) -> Logic Solver -> Final Element, two valves (1oo2).)

Page 94: RIS Methodology Presentation

Advantages of Architectures

Architecture | PFD Avg | SIL | STR
1oo1 | 1.1E-03 | SIL 2 | 5.0E-05
1oo2 | 2.4E-05 | SIL 3 | 1.0E-06
2oo2 | 2.2E-03 | SIL 2 | 5.0E-12
2oo3 | 2.7E-05 | SIL 3 | 1.2E-11

The above results are based on the same equipment type, failure rate data and an annual test interval.

SIS Design and Validation

Page 95: RIS Methodology Presentation

Example Safety Loop Calculation

What would the PFD Avg (use the simplified PFD Avg calculation) be if you had a safety loop with a 1oo1 sensor, logic solver and final control element, given the following reliability data for each:

Sensor – λD = 10^-5, Test interval is 8760 Hours

Logic Solver – λD = 10^-6, Test interval is 43800 Hours

Final Control Element – λD = 10^-4, Test interval is 730 Hours

First you would calculate the PFD Avg for each subsystem and then calculate the system PFD Avg.

SIS Design and Validation

Page 96: RIS Methodology Presentation


Example Safety Loop Calculation Using Reliability Block Diagram

Sensor (PFD avg) + Logic Solver (PFD avg) + Final Element (PFD avg) = Loop (PFD avg)

Safety Loop (PFD avg) ≤ target PFD avg for the required SIL

.0438 + .0219 + .0365 = .1022

SIS Design and Validation

Page 97: RIS Methodology Presentation

Target PFD avg for Specified SIL

Average Probability of failure on demand - PFDavg

SIL 1: 10^-1 to 10^-2 (0.1 to 0.01)
SIL 2: 10^-2 to 10^-3 (0.01 to 0.001)
SIL 3: 10^-3 to 10^-4 (0.001 to 0.0001)
SIL 4: 10^-4 to 10^-5 (0.0001 to 0.00001)

Example marked on the slide: PFDavg = 0.005 (within the SIL 2 band)

SIS Design and Validation

Page 98: RIS Methodology Presentation

Basic SLCM Phases In Meridium

Upfront Engineering & Initial Data Gathering
- HAZOP/PHA
- Gathering and Loading Failure Data, Design and Process Data
- SIS Definition
  • SIF Definitions
  • SIL Assessment
- SIS Evaluation/Reevaluation
  • SIL Validation
  • SIF System Reliability Analysis

Sustainable Closed Loop Process
- SIS Test Plans
- Define and Schedule Test Plans
- Executing Test Plans and Condition Monitoring
- Documenting SIS Testing
- Generating and Tracking Recommendations

External Data
- SAP Maintenance History
- Condition Monitoring

Using Meridium for SIS Life Cycle Management

Page 99: RIS Methodology Presentation

SIS Model

(Diagram of the Meridium SIS data model, from HAZOP/PHA down to proof tests:)

SIL ASSESSMENT: HAZOP / PHA -> LOPA (one per SIF) -> SIS -> SIF(s)

SIL VERIFICATION (Loop Assessment): Safety Loop -> Sensor Subgroup (Sensor Subsystems, e.g. PT, PS) | Logic Solver Subsystem (PLC: AI + CPU/PS + DO, with Voting Logic) | Final Element Subgroup (Final Element Subsystems, e.g. EOV, CV: Valve + Actuator + SOV)

SIL VALIDATION: Proof Test -> Proof Test Template -> Proof Test Tasks

RIS Recommendation

© Copyright Meridium, Inc. 2009

Page 100: RIS Methodology Presentation

SIS Home Page

Using Meridium for SIS Life Cycle Management

Page 101: RIS Methodology Presentation

The Safety Instrumented System

Using Meridium for SIS Life Cycle Management

Page 102: RIS Methodology Presentation

The Safety Instrumented System

Using Meridium for SIS Life Cycle Management

Page 103: RIS Methodology Presentation

Safety Instrumented Function

Using Meridium for SIS Life Cycle Management

Page 104: RIS Methodology Presentation

Performing the LOPA in Meridium

Using Meridium for SIS Life Cycle Management

Page 105: RIS Methodology Presentation

Performing the LOPA in Meridium

Using Meridium for SIS Life Cycle Management

Page 106: RIS Methodology Presentation

Safety Loop

Using Meridium for SIS Life Cycle Management

Page 107: RIS Methodology Presentation

Safety Loop Subsystem

Using Meridium for SIS Life Cycle Management

Page 108: RIS Methodology Presentation

Reliability Reference Table

• Industry sourced reliability data
• Manufacturer supplied data
• Corporate recommended data
• Actual maintenance history data

Using Meridium for SIS Life Cycle Management

Page 109: RIS Methodology Presentation

SIS Test Templates

Predefine SIS tests for reuse. Changes are monitored by Meridium so reports of all changes can be generated.

Using Meridium for SIS Life Cycle Management

Page 110: RIS Methodology Presentation

SIS Validation and Proof Tests

Using Meridium for SIS Life Cycle Management

Page 111: RIS Methodology Presentation

RIS – System Benefits

Establish a standard method for assessment and documentation of safety instrumented systems.

The RIS system provides a means for validating that safety systems are performing as specified in the design specification.

Provides testing standards for Safety Instrumented Systems and a process to optimize the test interval.

Standardized measurement of equipment failures, which will be used to set benchmarks for all equipment types in SABIC. SABIC will then be able to compare its equipment reliability against industry published benchmarks.

Based on equipment failure rate data, the best performers (equipment types and manufacturers) will be identified and recommended for future equipment replacements or new installations.

Using Meridium for SIS Life Cycle Management

Page 112: RIS Methodology Presentation

RIS – System Benefits

RIS provides standardized calibration methods. This includes the ability to use automated data collecting calibrators, which can reduce the time to complete a calibration and document the results by as much as 40%.

Capture and manage all calibration data to ensure that your company is meeting compliance requirements.

The system monitors the calibration result and failure data. This information is analyzed and reported to appointed personnel to investigate equipment that is not performing up to minimum standards.

The system provides a means of managing recommendations for improvements and change.

Best practices for instrumentation reliability and performance will be monitored and shared with all affiliates.

Using Meridium for SIS Life Cycle Management