RIS Methodology Presentation
DESCRIPTION
Methodology for Risk and Impact Assessment
TRANSCRIPT
Reliability Instrumented Systems Training
© Copyright Meridium, Inc. 2007
MCE-RIS
Safety?
Process Availability?
Manage Risk?
Quality?
Cost saving?
How do I address all of these needs?
RIS Introduction
Reliability Instrumented Systems (RIS)
Reliability Instrumented Systems is a methodology for performance management of process instrumentation as well as safety instrumented systems. It accomplishes this through the integration of tools, processes and workflows for Calibration Management, Safety Instrumented System Life Cycle Management (SLCM), and Reliability Management tools.
[Diagram: the three RIS components – Safety Instrumented Systems, Instrumentation Reliability Management, Calibration Management]
Instrumentation Reliability Management
Instrumentation Reliability Management is an integral part of the performance management of all instrumentation. Meridium has integrated component and system reliability tools that can be used to assess the actual reliability of the instruments used in the Safety Instrumented Systems. The actual instrument MTBF can be evaluated against the values that were used in the design of the Safety Instrumented Systems. Instruments not performing as originally specified can be identified and the required changes implemented.
Calibration Management
Calibration Management provides manual and automated tools to specify, schedule and execute detailed calibrations on all types of instruments and analyzers. To effectively manage and assess instrumentation performance, the accuracy, drift and repeatability with which an instrument measures a process value must be known. Calibration Management addresses this need by collecting the actual calibration results needed to make these types of evaluations possible.
Safety Instrumented System
Safety Instrumented System: A system designed to respond to hazardous conditions in the plant and generate the correct outputs to prevent the hazardous consequence.
Safety Instrumented System Life Cycle Management
Safety Instrumented System Life Cycle Management provides the tools and methodology to assess the Safety Integrity Level (SIL) needed to achieve the required tolerable risk for a defined Safety Instrumented Function (SIF). The system also provides the analysis tools to validate that the Safety Instrumented System (SIS) meets the required Safety Integrity Level (SIL). With the integrated reliability tools, actual equipment failure rates can be compared to those used during the engineering and design phase of the SLCM.
Industry Hazards
Industry Hazards Section Objectives
• General awareness of major industrial accidents that have driven the industry to standardize safety
• Methods for Identifying Potential Hazards
  – What-If Study
  – Checklists
  – Failure Modes and Effect Analysis
  – Hazard and Operability Analysis
Industry Accidents
Industry accidents have driven the development of international standards for safety systems.
Consequences of Industrial Accidents
• Loss of life
• Environmental Damage
• Loss of assets
• Production Losses
• Loss of contracts/clients
• Loss of Public Confidence
• Fines, Judgments Against the Company and Legal Fees
Costs of Industrial Accidents
• Chernobyl Nuclear Plant
  – 100,000 deaths
  – Cost US $5.5 Billion
• Bhopal 1984
  – 2000 deaths & 300,000 injuries
  – Lawsuit settlement of $470 million
• Three Mile Island Nuclear Plant 1979
  – Cost US $1.3 Billion
• Flixborough 1974
  – 28 deaths & 100 injuries
• Piper Alpha 1988
  – 167 deaths
  – Costs US $3 Billion
• Phillips 1989
  – 23 deaths and 232 injuries
  – OSHA fines exceeded 5.7 million
The occurrence of industrial accidents has dropped, but they still occur. BP Texas City Refinery, March 23, 2005: the explosion killed 15 workers, and costs are currently over 2.6 billion US dollars.
BP Incident Review
What safeguards should have prevented this incident?
http://www.chemsafety.gov/index.cfm?folder=current_investigations&page=info&INV_ID=52
BP Incident Report – The Baker Report
Since ISA 84.01-96 was published ten years ago, the technical consultants expressed their belief that BP has not implemented this standard in a timely manner.
Discussions with BP refinery instrumentation subject matter experts indicated that it might be another ten years before ISA 84.01 would be fully implemented in the BP U.S. refineries.
As a result, the technical consultants also concluded that none of BP's U.S. refineries had an effective and credible plan to achieve full compliance with ISA 84.01 in a timely manner.
Hazard Analysis
The following are a few of the methods used in the process automation industry to help identify hazards and risks:
– What-if
– Checklists
– Failure Mode and Effect Analysis (FMEA)
– Hazard and Operability Analysis (HAZOP)
Qualitative vs Quantitative Analysis
Qualitative Analysis – The use of personal experience/judgment in order to evaluate the frequency and/or the consequence of potential accidents.
Quantitative Analysis – The systematic development of numerical estimates of the expected frequency and/or consequences of potential accidents.
Summary: Industry Hazards
• Industry has experienced a number of very significant failures that have led governments and industries to develop standards for maintaining safety.
• Qualitative Analysis – based on experience and personal judgment.
• Quantitative Analysis – statistical evaluation of the probability of an event occurring.
• Hazards are evaluated with the following tools:
  – What-if
  – Checklists
  – Failure mode and effect analysis (FMEA)
  – Hazard and Operability analysis (HAZOP)
Definition of Safety Instrumented Systems
Section Objectives
• Definition and understanding of the relationship of Safety Instrumented Function (SIF) to SIS
• Definition of Safety Instrumented System (SIS), Safety Loop and Safety Loop Subsystem and their relationship to SIF/SIS
• Understand Safety Integrity & Safety Integrity Level
  – SIL for Demand Mode
  – SIL for High/Continuous Mode
• Probability of Failure on Demand Average (PFD Avg)
What is a Safety Instrumented System (SIS)?
An SIS is used to implement one or more Safety Instrumented Functions (SIFs). A Safety Instrumented System (SIS) is composed of any combination of:
• sensor(s),
• logic solver(s)
• and final element(s).
Parts of the Safety Instrumented System
[Diagram: Sensor Subsystem (PT832), Logic Solver Subsystem, and Final Element Subsystem (SOV 832, HV832); together the three subsystems make up a Safety Instrumented Function. Other tags shown on the loop drawing: PC832, FC]
Safety Instrumented Function
Safety Instrumented Functions (SIF) – safety function with a specific integrity level which is necessary to achieve or maintain functional safety for a specific hazardous event. A SIF is designed to:
– respond to conditions in the plant which may be hazardous in themselves or, if no action was taken, could eventually give rise to a hazard, and
– respond to these conditions by taking defined actions that will either prevent the hazard or mitigate the hazard consequences.
Safety Instrumented Functions are generally defined in a PHA such as a HAZOP.
Example Safety Instrumented Functions
• Close the outlet valve on a high pressure separator when level is lost, to prevent over-pressuring and rupturing downstream equipment.
• Shut off feed to an exothermic reaction when high pressure is detected, to prevent rupture of the vessel and explosion.
• Close fuel to the burner system when the fuel pressure is no longer enough to sustain combustion, to prevent flameout and possible explosion due to build-up of fuel in the combustion chamber.
• Turn on deluge water to a hydrocarbon storage tank when a Lower Explosion Limit detector goes into alarm, to prevent possible fire and/or explosion due to tank leakage.
Control and Protective Instrumented Functions
• Basic Process Control Systems (BPCS) are not included in Safety Instrumented Functions. These are functions engaged in the control, monitoring and alarming of the basic processes. There are cases where an input signal or a valve may be used by both the SIF and the BPCS. Possible common cause failures and systematic failures must then be carefully assessed and taken into consideration.
• Protective Instrumented Functions (PIFs) are instrumented functions that interlock or shut down a process and that are not safety related. These instrumented functions protect equipment and processes. Protective Instrumented Functions (PIFs) are sometimes built into the Safety Instrumented System (SIS). When this is done they need to be treated the same as a Safety Instrumented Function (SIF) according to ISA/IEC.
Safety Loop and Safety Loop Subsystem
The Safety Loop is the physical components that will be used to fulfill the requirements of the Safety Instrumented Function (SIF) and meet the Safety Integrity Level (SIL) requirements for that function.
The Safety Loop Subsystem is the components that make up the sensor, logic solver, and/or final element.
Safety Integrity
Safety integrity is the average probability of a safety instrumented system to satisfactorily perform the required safety instrumented function under all the stated conditions within a stated period of time.
Safety Integrity Level (SIL)
Discrete level (1, 2, 3 or 4) for specifying the safety integrity requirements of the safety instrumented function to be allocated to the safety instrumented system.
– SIL is applied to the Safety Instrumented Function
– SIL is specified in Probability of Failure on Demand Average (PFD avg)
– Each SIL level has a specific risk reduction factor range.
Probability of Failure on Demand
Probability of Failure on Demand - the probability of a device or system failing to respond to a demand while in service.
Example Calculations for PFD avg
$$\mathrm{PFD}_{avg} = \lambda_D \left[ (1 - DC)\left(\frac{t}{2} + MTTR\right) + DC \cdot MTTR \right]$$

With no diagnostic coverage (DC = 0) and a repair time that is negligible against the test interval, this reduces to the commonly used simplified form:

$$\mathrm{PFD}_{avg} = \frac{\lambda_D \, t}{2}$$

λD – Failure Rate Dangerous, DC – Diagnostic Coverage, t – Test Interval, MTTR – Mean Time to Restore
Safety Integrity Levels – Low Demand Mode

| Safety Integrity Level (SIL) | Target average probability of failure on demand (PFD Avg) | % Availability | Risk Reduction Factor (RRF) |
| --- | --- | --- | --- |
| 4 | ≥ 1×10⁻⁵ to < 1×10⁻⁴ | > 99.99% | > 10,000 to ≤ 100,000 |
| 3 | ≥ 1×10⁻⁴ to < 1×10⁻³ | 99.9% to 99.99% | > 1,000 to ≤ 10,000 |
| 2 | ≥ 1×10⁻³ to < 1×10⁻² | 99% to 99.9% | > 100 to ≤ 1,000 |
| 1 | ≥ 1×10⁻² to < 1×10⁻¹ | 90% to 99% | > 10 to ≤ 100 |

RRF = 1/PFDavg; % Availability = 1 – PFDavg; Availability = system uptime / total system lifetime.
No safety instrumented function with a SIL higher than that associated with SIL 4 will be allocated to a safety instrumented system. Applications that require the use of a single SIF of SIL 4 are very rare in the process industry.
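The PFD avg formula and the Low Demand Mode table can be turned into a small calculator that also flags the two edge cases the slide mentions (less than SIL 1 risk reduction, and a requirement beyond SIL 4). The Python below is an added example, not part of the Meridium training material; the failure rate, test interval, repair time and diagnostic coverage in the demo are constructed values, not data for any real device.

```python
"""PFDavg, RRF, availability and Low Demand Mode SIL band for a safety loop.

Implements the slide's formula
    PFDavg = lambda_D * [ (1 - DC)(t/2 + MTTR) + DC * MTTR ]
and the simplified form PFDavg = lambda_D * t / 2, then maps the result onto
the Low Demand Mode SIL table (SIL 1..4). All time quantities are in hours.
"""

# Low Demand Mode bands from the slide: (SIL, PFDavg lower bound incl., upper bound excl.)
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def pfd_avg(lambda_d, t, mttr=0.0, dc=0.0):
    """Average probability of failure on demand.

    lambda_d: dangerous failure rate (failures per hour)
    t:        proof-test interval (hours)
    mttr:     mean time to restore (hours)
    dc:       diagnostic coverage, fraction of dangerous failures revealed by
              online diagnostics (0.0 = none, 1.0 = all)
    """
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must lie between 0 and 1")
    if lambda_d < 0 or t <= 0 or mttr < 0:
        raise ValueError("lambda_d and MTTR must be >= 0 and t must be > 0")
    # Undetected failures stay hidden for half the test interval on average
    # (plus the repair time); detected failures are only exposed during repair.
    undetected = (1.0 - dc) * (t / 2.0 + mttr)
    detected = dc * mttr
    return lambda_d * (undetected + detected)


def pfd_avg_simplified(lambda_d, t):
    """Simplified form used when DC = 0 and MTTR is negligible against t."""
    return lambda_d * t / 2.0


def rrf(pfd):
    """Risk Reduction Factor, RRF = 1 / PFDavg."""
    return 1.0 / pfd


def availability_pct(pfd):
    """% Availability = 1 - PFDavg, in percent."""
    return 100.0 * (1.0 - pfd)


def sil_for_pfd(pfd):
    """SIL band (1..4) the PFDavg falls in for Low Demand Mode.

    Returns None when PFDavg >= 0.1, i.e. less than SIL 1 risk reduction.
    Raises ValueError below 1e-5: the slide states that no SIF requiring more
    than SIL 4 is allocated to a single safety instrumented system.
    """
    if pfd >= 1e-1:
        return None
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    raise ValueError("PFDavg %.3g is beyond SIL 4 and cannot be met by one SIF" % pfd)


def assess_loop(lambda_d, t, mttr=0.0, dc=0.0):
    """Convenience wrapper returning every figure the SIL table lists."""
    pfd = pfd_avg(lambda_d, t, mttr, dc)
    return {
        "pfd_avg": pfd,
        "rrf": rrf(pfd),
        "availability_pct": availability_pct(pfd),
        "sil": sil_for_pfd(pfd),
    }


if __name__ == "__main__":
    # Constructed sample loop: lambda_D = 2e-6 /h, yearly proof test (8760 h),
    # 8 h repair time, first without and then with 90 % diagnostic coverage.
    for dc in (0.0, 0.9):
        r = assess_loop(2e-6, 8760, mttr=8, dc=dc)
        print("DC=%.0f%%  PFDavg=%.2e  RRF=%.0f  Avail=%.3f%%  SIL=%s"
              % (100 * dc, r["pfd_avg"], r["rrf"], r["availability_pct"], r["sil"]))
    print("simplified PFDavg=%.2e" % pfd_avg_simplified(2e-6, 8760))
```

Running the demo shows the same loop moving from SIL 2 to SIL 3 purely through diagnostic coverage, which is why the full formula rather than the simplified one should be used when DC is claimed.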
Summary: Definition of Safety Instrumented System
• A Safety Instrumented System (SIS) has one or more SIFs.
• Safety Integrity Level (SIL) is a probability function and is assigned to a Safety Instrumented Function, not to the SIS or equipment.
• The Safety Instrumented Function (SIF) is associated with a Safety Instrument Loop that achieves the desired safety function.
• There are different Safety Integrity Level (SIL) criteria for Low Demand and High/Continuous mode SIFs. Low Demand Mode is used most often in the process automation industry.
• Demand Mode Safety Integrity Levels are given in ranges of Probability of Failure on Demand average.
• High/Continuous Mode Safety Integrity Levels are given in ranges of Probability of Failure per Hour.
• SIL 4 is not generally used in the process automation industry.
Industry Standards for Safety Systems
Section Objectives
• Identify industry organizations that are generating safety standards
• Understanding of IEC 61508 and IEC 61511
  – Purpose of IEC 61508
  – Purpose and application of IEC 61511
• Understanding of the alignment of ISA 84.00.01-2004 to IEC 61511
• Understanding of the Safety Instrumented System Life Cycle Management process
Industry Standards for Safety Systems
• IEC – The International Electrotechnical Commission (IEC) is an international standards organization dealing with electrical, electronic and related technologies. Some of its standards are developed jointly with ISO.
• ISA – Instrumentation, Systems and Automation Society
• API – American Petroleum Institute
• American Institute of Chemical Engineers, CCPS – Guidelines for Safe Automation of Chemical Processes, 1993
• HSE (Health and Safety Executive) – Programmable Electronic Systems for Use in Safety Related Applications, 1987
IEC 61508 – A Safety Umbrella for the World
[Diagram: the failure types covered by IEC 61508]
• Random failures
• Specification failures
• Design & implementation failures
• Installation & commissioning failures
• Operation & maintenance failures
• Modification failures
IEC 61508 Generic and Industry Standards
• IEC 61508 (generic standard)
  – IEC 61511: Process Sector
  – IEC 61513: Nuclear Sector
  – IEC 62061: Machinery Sector
  – Medical Sector
IEC 61511 - Functional safety - Safety instrumented systems for the process industry sector
This standard refines the functional safety requirements laid down by IEC 61508 specifically for the process industry sector, for example refineries and chemical/pharmaceutical plants. This standard was first published in 2003.
ANSI/ISA-84.00.01-2004 Parts 1-3, Functional Safety: Safety Instrumented Systems for the Process Industry Sector
This standard addresses the application of safety instrumented systems for the process industries. It addresses safety instrumented systems which are based on the use of electrical/electronic/programmable electronic technology.
– Part 1 is the Framework, Definitions, System, Hardware and Software Requirements for a Safety Instrumented System.
– Part 2 sets forth the guidelines for the Application of ANSI/ISA-84.00.01-2004 Part 1.
– Part 3 is the guidance for the Determination of the Required Safety Integrity Levels.
This standard is the same as IEC 61511 except for the grandfather clause that makes exceptions for companies that designed their systems to the ISA 84 1996 standard.
Applying SIS Industry Standards
ISA 84/IEC 61511 SIS Safety Life Cycle Phases
(1) Hazard & Risk Assessment
(2) Allocation of Safety Functions to Protection Layers
(3) Safety Requirements Specification
(4) Design & Engineering of SIS; Design & Development of other means of risk reduction
(5) Installation, Commissioning & Validation
(6) Operation & Maintenance
(7) Modifications
(8) Decommissioning
(9) Verification
(10) Management of Functional Safety & Functional Safety Assessments & Audits
(11) Life Cycle Structure & Planning
Primary causes of control system failures [HSE95]
• Specification, 43%
• Changes After Commissioning, 21%
• Design & Implementation, 15%
• Operation & Maintenance, 15%
• Installation & Commissioning, 6%
Section Summary: Industry Safety Instrumentation Standards
• Industry standards are performance based and not prescriptive.
• IEC 61508 is an international standard focused on electronic safety systems; this standard is used to develop other safety standards.
• IEC 61511 is related to IEC 61508 but is focused on safety systems in the process industries.
• ISA originally published ISA 84.00.01 in 1996. ISA worked with IEC to help produce IEC 61511 and adopted it in 2004.
• IEC/ISA have defined a process for SIS life cycle management that includes risk assessment, definition, design, test, operate and maintain, modifications and auditing.
• IEC 61511/ISA 84 are the predominant industry standards for Safety Instrumented Systems (SIS).
Safety Integrity Level (SIL) Assessment
Safety Integrity Level (SIL) Section Objectives
• Risk
• Qualitative Analysis vs Quantitative Analysis
• As Low As Reasonably Practical (ALARP)
• Safety Integrity Level (SIL) Assessment Methods
  – Risk Matrix
  – Layer of Protection Analysis (LOPA)
  – Event Tree
  – Fault Tree
  – Risk Graph
Risk Reduction
[Figure: Consequences plotted against Probability, with the region of ACCEPTABLE RISK separated from UNACCEPTABLE RISK]
Risk is the combination of the frequency of occurrence of the consequence and the severity of the consequence.
As Low as Reasonably Practical (ALARP)
[Figure: three regions of increasing risk]
• Unacceptable region – Risk cannot be justified except in extraordinary circumstances.
• Tolerable region – Tolerable risk only if:
  a. further risk reduction is impractical or its cost is grossly disproportionate to the gains;
  b. society desires the benefit of the activity given the associated risk.
• Broadly acceptable region – Level of residual risk regarded as negligible; further measures to reduce risk are not usually required.
[Figure: Costs plotted against Level of Safe-guarding, with curves for Costs of safe-guarding, Costs of risk and Total Costs, and the Optimum marked]
Concept – Costs of risk, Costs of safe-guarding and total costs
SIL Assessment - LOPA
Example Guidelines For Tolerable Levels of Risk
When developing a Layer of Protection Analysis a target frequency of occurrence must be defined. Consequence categories and levels are based on the descriptions from the described risk matrix.

| Consequence Category | Consequence Level | Acceptable Mitigated Frequency (Target) per annum |
| --- | --- | --- |
| Safety, Health & Environment incidents | A (Affects outside the boundaries – Public) | 1 × 10⁻⁶ |
| | A (Affects within the boundary only) | 1 × 10⁻⁵ |
| | B | 1 × 10⁻⁴ |
| | C | 1 × 10⁻³ |
| Production/Economic loss only – No SHE incident | A | 1 × 10⁻⁵ |
| | B | 1 × 10⁻⁴ |
| | C | 1 × 10⁻³ |
SIL Assessment Methods
Safety Integrity Level (SIL) assessment is the process of selecting the appropriate risk reduction required for the Safety Instrumented Function (SIF) to achieve an acceptable level of risk.
Below is a list of acceptable qualitative and quantitative methods used to assign a Safety Integrity Level (SIL) to the identified risk:
– Risk Matrix
– Layer of Protection Analysis (LOPA)
– Event Tree
– Fault Tree
– Risk Graph
SIL Assessment – Risk Matrix
Risk Matrix
A risk matrix is a qualitative tool used to assess risk. It plots defined probability levels against defined levels of consequence. The matrix can be applied to one or more consequence types; the probability levels used are constant across them.
[Figure: matrix with Increasing Probability on one axis and Increasing Consequence Severity on the other, running from Low Risk to High Risk]
SABIC - Consequence Categories and Levels
Consequence levels as defined in SABIC SHEM 10.

| Safety/Health | Score | Rating |
| --- | --- | --- |
| Event potentially resulting in loss of life | 12 | A |
| Event potentially resulting in injury/illness that causes a lost workday | 6 | B |
| Event potentially resulting in injury/illness that requires medical treatment | 4 | C |
| Event potentially resulting in injury/illness that requires only first aid | 2 | D |
| No safety/health impact | 1 | E |
SABIC - Consequence Categories and Levels

| Environment – Release/Spill | Score | Rating |
| --- | --- | --- |
| Event with a potential release/spillage greater than 10 MT of Hazardous Chemicals/Substance or Hazardous Waste inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises, or release/spillage incident resulting in fatality to personnel inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises | 12 | A |
| Event with a potential release/spillage between 4-10 MT of Hazardous Chemicals/Substance or Hazardous Waste inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises, or release/spillage incident resulting in injuries to personnel inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises | 6 | B |
| Event with a potential release/spillage between 1-4 MT of Hazardous Chemicals/Substance or Hazardous Waste inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises, or release/spillage incident inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises not resulting in injuries to personnel outside the SABIC Divisions, Affiliates and Subsidiaries premises | 4 | C |
| Event with a potential release/spillage <1 MT of Hazardous Chemicals/Substance or Hazardous Waste inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises, or release/spillage incident inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises not resulting in injuries to personnel inside/outside the SABIC Divisions, Affiliates and Subsidiaries premises | 2 | D |
| Event with no release/spill of Hazardous Chemicals/Substance or Hazardous Waste inside/outside the SABIC Divisions | 1 | E |
SABIC - Consequence Categories and Levels

| Environment – Water Contamination | Score | Rating |
| --- | --- | --- |
| Event that potentially results in contamination of a deep/potable water aquifer, or contamination requiring remediation of greater than 70 metric tons of contaminated soil | 12 | A |
| Event that potentially results in contamination of a deep/potable water aquifer, or contamination requiring remediation of 30 to 70 metric tons of contaminated soil | 6 | B |
| Event that potentially results in contamination of a deep/potable water aquifer, or contamination requiring remediation of less than 30 metric tons of contaminated soil | 4 | C |
| (description not given on the slide) | | D |
| Event does not result in contamination of a deep/potable water aquifer | 1 | E |
SABIC - Consequence Categories and Levels

| Environment – Other | Score | Rating |
| --- | --- | --- |
| (description not given on the slide) | | A |
| Event with a potential release of Non-Hazardous Chemicals/Substance (including polymers, fertilizer etc.) within or outside the SABIC Divisions, Affiliates and Subsidiaries premises, and release/spillage > 50 MT | 6 | B |
| Event with a potential release of Non-Hazardous Chemicals/Substance (including polymers, fertilizer etc.) within or outside the SABIC Divisions, Affiliates and Subsidiaries premises, and release/spillage of 20-50 MT; OR event with a potential emission from vent/stack including dust (except steam) of contaminants greater than the local regulations, or failure of a pollutant control device; OR event that potentially results in 5 minutes of cumulative smoky flaring within any two hours during normal operations | 4 | C |
| All other events with a potential release/spillage of Non-Hazardous Chemicals/Substance <20 MT | 2 | D |
| Event will not potentially result in a release/spillage of Non-Hazardous Chemicals/Substance | 1 | E |
SABIC - Consequence Categories and Levels

| Economic | Score | Rating |
| --- | --- | --- |
| Event potentially resulting in the equivalent of greater than 5 days of production loss of any operating plant because of load reduction or partial or complete shutdown. Event potentially resulting in total economic loss greater than 10M SAR. | 12 | A |
| Event potentially resulting in the equivalent of between 3 and 5 days of production loss of any operating plant because of load reduction or partial or complete shutdown. Event potentially resulting in total economic loss of 1 million to 10 million SAR. | 6 | B |
| Event potentially resulting in a production loss of between 1 and 3 days of any operating plant because of load reduction or partial or complete shutdown. Event potentially resulting in total economic loss of 100,000 to 1 million SAR. | 4 | C |
| Event potentially resulting in a production loss of between 8 and 24 hours of any operating plant because of load reduction or partial or complete shutdown. Event potentially resulting in total economic loss of 10,000 to 100,000 SAR. | 2 | D |
| Event potentially resulting in less than 8 hours of production loss of any operating plant because of load reduction or partial or complete shutdown. Potential economic loss less than 10,000 SAR. | 1 | E |
SABIC - Probabilities

| Probability | Score | Rating |
| --- | --- | --- |
| Extreme (Likely to occur one or more times per year) | 8 | A |
| High (Likely to occur 10 or less times in 25 years) | 6 | B |
| Moderate (Likely to occur 2 or less times in 25 years) | 4 | C |
| Low (May occur once in 25 years) | 2 | D |
| Remote (Not likely to occur in 25 years) | 1 | E |
Criticality/Risk Matrix
Consequence x Probability = Risk

Consequence Criticality Rating

| Consequence \ Probability | Remote (1) | Low (2) | Moderate (4) | High (6) | Extreme (8) |
| --- | --- | --- | --- | --- | --- |
| A (12) | B (12) | B (24) | A (48) | A (72) | A (96) |
| B (6) | C (6) | B (12) | B (24) | A (36) | A (48) |
| C (4) | D (4) | C (8) | B (16) | B (24) | A (32) |
| D (2) | D (2) | D (4) | C (8) | B (12) | B (16) |
| E (1) | D (1) | D (2) | D (4) | C (6) | C (8) |

"A" – Critical system, device or equipment; if the risk includes safety or environmental risk then it is set to safety critical.
"B" – Moderately Critical system, device or equipment
"C" – Low Critical system, device or equipment
"D" – Non-Critical system, device or equipment
Assigning SIL Level Based on Criticality/Risk Matrix

Consequence Criticality Rating with SIL

| Consequence \ Probability | Remote (1) | Low (2) | Moderate (4) | High (6) | Extreme (8) |
| --- | --- | --- | --- | --- | --- |
| A (12) | B (12) SIL 2 | B (24) SIL 2 | A (48) SIL 3 | A (72) SIL 3 | A (96) SIL 3 |
| B (6) | C (6) SIL 1 | B (12) SIL 2 | B (24) SIL 2 | A (36) SIL 3 | A (48) SIL 3 |
| C (4) | D (4) | C (8) SIL 1 | B (16) SIL 2 | B (24) SIL 2 | A (32) SIL 3 |
| D (2) | D (2) | D (4) | C (8) SIL 1 | B (12) SIL 2 | B (16) SIL 2 |
| E (1) | D (1) | D (2) | D (4) | C (6) SIL 1 | C (8) SIL 1 |
Example - Risk Matrix SIL Assessment
If we consider an overpressure condition of a reactor which occurred as a result of a failure of a pressure control valve what SIL would be assigned to the SIF based on the data below:• Documented 4 valve
breakdown work orders in past 10 years.
• One work order indicated that the plant was down for 1 day and the cost to repair was 28,000 SAR.
• Potential to cause a fatalities if it failed to work when run away conditions occurred Where would you plot this valve on the risk matrix and what
would the Safety Integrity Level (SIL) level be?
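An added example, not code from the Meridium deck, that encodes the two matrices above as a scoring rule (consequence weight x probability weight, then criticality, then SIL) and checks that rule against every printed cell. The score thresholds that turn a score into a criticality letter are an inference from the printed cells and are labelled as an assumption in the code.

```python
"""Criticality / SIL placement on the slide's 5x5 risk matrix (added example)."""

# Row and column weights exactly as printed on the matrix.
CONSEQUENCE_WEIGHT = {"A": 12, "B": 6, "C": 4, "D": 2, "E": 1}
PROBABILITY_WEIGHT = {"Remote": 1, "Low": 2, "Moderate": 4, "High": 6, "Extreme": 8}

# SIL per criticality on the "Criticality Rating with SIL" slide; D cells carry no SIL.
SIL_FOR_CRITICALITY = {"A": 3, "B": 2, "C": 1, "D": None}

# The matrix as printed: (consequence, probability) -> (criticality letter, score).
PRINTED_MATRIX = {
    ("A", "Remote"): ("B", 12), ("A", "Low"): ("B", 24), ("A", "Moderate"): ("A", 48),
    ("A", "High"): ("A", 72), ("A", "Extreme"): ("A", 96),
    ("B", "Remote"): ("C", 6), ("B", "Low"): ("B", 12), ("B", "Moderate"): ("B", 24),
    ("B", "High"): ("A", 36), ("B", "Extreme"): ("A", 48),
    ("C", "Remote"): ("D", 4), ("C", "Low"): ("C", 8), ("C", "Moderate"): ("B", 16),
    ("C", "High"): ("B", 24), ("C", "Extreme"): ("A", 32),
    ("D", "Remote"): ("D", 2), ("D", "Low"): ("D", 4), ("D", "Moderate"): ("C", 8),
    ("D", "High"): ("B", 12), ("D", "Extreme"): ("B", 16),
    ("E", "Remote"): ("D", 1), ("E", "Low"): ("D", 2), ("E", "Moderate"): ("D", 4),
    ("E", "High"): ("C", 6), ("E", "Extreme"): ("C", 8),
}


def criticality_for_score(score: int) -> str:
    """Map a consequence x probability score to a criticality letter.

    Thresholds are an ASSUMPTION inferred from the printed cells
    (A >= 32, B >= 12, C >= 6, otherwise D); mismatches_against_printed_matrix()
    verifies the inference against every cell.
    """
    if score >= 32:
        return "A"
    if score >= 12:
        return "B"
    if score >= 6:
        return "C"
    return "D"


def assess(consequence: str, probability: str, safety_or_environment: bool = False) -> dict:
    """Place one hazard on the matrix and return its score, criticality and SIL.

    Per the legend, an "A" item whose risk includes safety or environmental
    consequences is additionally flagged safety critical.
    """
    score = CONSEQUENCE_WEIGHT[consequence] * PROBABILITY_WEIGHT[probability]
    crit = criticality_for_score(score)
    return {
        "score": score,
        "criticality": crit,
        "sil": SIL_FOR_CRITICALITY[crit],
        "safety_critical": crit == "A" and safety_or_environment,
    }


def mismatches_against_printed_matrix() -> list:
    """Return every cell where the threshold rule disagrees with the slide (empty if none)."""
    bad = []
    for (cons, prob), (printed_crit, printed_score) in PRINTED_MATRIX.items():
        result = assess(cons, prob)
        if (result["criticality"], result["score"]) != (printed_crit, printed_score):
            bad.append((cons, prob, result["criticality"], result["score"], printed_crit, printed_score))
    return bad


if __name__ == "__main__":
    # Constructed input: a "B" consequence at "High" probability with a safety component.
    print(assess("B", "High", safety_or_environment=True))
    print("threshold rule reproduces the slide:", not mismatches_against_printed_matrix())
```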
LOPA – Layers of Protection Analysis
• LOPA is a semi-quantitative risk analysis technique used for easier validation. It is not as rigorous as a HAZOP; the technique evaluates the risk of the selected accident scenarios by orders of magnitude, and it builds on the information developed in a qualitative hazard evaluation.
• LOPA is one of the more popular methods for assessing Safety Integrity Level (SIL) requirements.
• It provides a defined PFD gap (i.e., the required SIL) that the Safety Instrumented System (SIS) must fill in order to reach tolerable risk.
Layers of Protection
PFD(SIF) = required mitigated consequence frequency (tolerable risk) / intermediate mitigated consequence frequency
The SIS fills the gap between the acceptable risk and the risk not mitigated by the existing layers of protection.
Example Protective Layer PFDs

Protective Layer                                                                           PFD
Control Loop / BPCS                                                                        1 x 10^-1
Human performance (trained, no stress)                                                     1 x 10^-2 to 1 x 10^-4
Human performance (under stress)                                                           0.5 to 1
Operator response to alarm                                                                 1 x 10^-1
Vessel pressure rating above maximum challenged from internal and external pressure source 1 x 10^-4

PFD data from ANSI/ISA-84.00.01-2004 Part 3
Layer of Protection Worksheet
Columns: Consequence | Initiating Event | Initiating Event Frequency | Protection Layers (Process Design, BPCS, Alarms, Additional IPL) | Intermediate Mitigated Consequence Frequency | Required Mitigated Consequence Frequency (Tolerable Risk) | SIL Required

Worked row:
Consequence: Fire from distillation column / possible fatality
Initiating Event: Loss of cooling water
Initiating Event Frequency: 0.1
Protection Layers: Process Design 0.1, BPCS 0.1, Alarms 0.1, Additional IPL: none
Intermediate Mitigated Consequence Frequency: 0.0001
Required Mitigated Consequence Frequency (Tolerable Risk): 1E-06
SIL Required: PFDavg = 0.01, SIL-2

Initiating Event x IPL1 x IPL2 x IPL3 x IPL4 x IPLn = Intermediate Event Frequency
Each Independent Protection Layer (IPL) is evaluated based on its Probability of a Dangerous Failure, that is, a failure that would prevent that layer from mitigating the consequence.
Qualifications for an Independent Protective Layer (IPL)
• The protection provided reduces the identified risk by a large amount, at minimum a 10-fold reduction.
• The protective function is provided with a high degree of availability, 0.9 or greater.
• It has the following characteristics:
– Specificity: An IPL is designed solely to prevent or to mitigate the consequences of one specific potential hazard.
– Independence: An IPL is independent of the other protection layers associated with the identified danger.
– Dependability: The IPL can be counted on to do what it was designed to do. Both random and systematic failure modes are addressed in the design.
– Auditability: It is designed to facilitate regular validation of the protective functions. Proof testing and maintenance of the safety system are necessary.
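An added example, not code from the Meridium deck, that works the Layer of Protection Worksheet row above and enforces the first two IPL qualifications (a credited layer must give at least a 10-fold reduction, i.e. PFD of 0.1 or better). The SIL banding at a boundary follows the worksheet (a required PFD of exactly 0.01 calls for SIL 2); the dataclass and function names are this example's own.

```python
"""LOPA worksheet arithmetic: initiating frequency x IPL PFDs -> required SIF PFD -> SIL."""
import math
from dataclasses import dataclass, field


@dataclass
class LopaScenario:
    consequence: str
    initiating_event: str
    initiating_frequency: float                    # events per year
    ipl_pfds: dict = field(default_factory=dict)   # IPL name -> probability of dangerous failure
    tolerable_frequency: float = 1e-6              # required mitigated consequence frequency, per year

    def add_ipl(self, name: str, pfd: float) -> None:
        """Credit a layer only if it qualifies as an IPL: at least a 10-fold
        risk reduction (PFD <= 0.1), equivalently availability of 0.9 or better."""
        if not 0.0 < pfd <= 0.1:
            raise ValueError(f"{name}: PFD {pfd} is not a 10-fold reduction, so it is not an IPL")
        self.ipl_pfds[name] = pfd

    def intermediate_frequency(self) -> float:
        """Initiating Event x IPL1 x IPL2 x ... x IPLn (intermediate mitigated frequency)."""
        f = self.initiating_frequency
        for pfd in self.ipl_pfds.values():
            f *= pfd
        return f

    def required_sif_pfd(self) -> float:
        """PFD(SIF) = tolerable frequency / intermediate mitigated consequence frequency."""
        return self.tolerable_frequency / self.intermediate_frequency()

    def required_rrf(self) -> float:
        """Risk reduction factor the SIF must provide: 1 / PFD."""
        return 1.0 / self.required_sif_pfd()


def sil_for_required_pfd(pfd: float) -> int:
    """Lowest SIL whose PFDavg band lies entirely at or below the required PFD.

    Bands: SIL 1 0.1-0.01, SIL 2 0.01-0.001, SIL 3 0.001-0.0001, SIL 4 0.0001-0.00001.
    A required PFD of exactly 0.01 therefore needs SIL 2, matching the worksheet.
    Returns 0 when no SIF is needed (PFD >= 0.1); raises when beyond SIL 4.
    """
    if pfd <= 0.0:
        raise ValueError("required PFD must be positive")
    if pfd >= 0.1:
        return 0
    exponent = round(math.log10(pfd), 9)   # rounding keeps 1e-6 / 1e-4 at exactly -2.0
    for sil in (1, 2, 3):
        if exponent > -(sil + 1):
            return sil
    if exponent >= -5:
        return 4
    raise ValueError("required PFD below 1e-5 exceeds SIL 4; the process design must change")


def worksheet_example() -> LopaScenario:
    """The slide's worked row (values constructed from the worksheet as printed)."""
    s = LopaScenario(consequence="Fire from distillation column / possible fatality",
                     initiating_event="Loss of cooling water",
                     initiating_frequency=0.1, tolerable_frequency=1e-6)
    s.add_ipl("Process design", 0.1)
    s.add_ipl("BPCS", 0.1)
    s.add_ipl("Alarms", 0.1)   # operator response to alarm, PFD 1 x 10^-1 in the layer table
    return s


if __name__ == "__main__":
    s = worksheet_example()
    pfd = s.required_sif_pfd()
    print(f"intermediate frequency {s.intermediate_frequency():.1e}/yr, "
          f"required SIF PFDavg {pfd:.2g}, RRF {s.required_rrf():.0f}, SIL {sil_for_required_pfd(pfd)}")
```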
Sources for Failure Rates
• OREDA Participants, OREDA Offshore Reliability Data Handbook (Second Edition), DNV, P.O. Box 300, N-1322, Hovik, Norway, 1997
• Safety Equipment Reliability Handbook, www.excida.com, ISBN 0-9727234
• The Guidelines for Process Equipment Reliability Data with Data Tables, American Institute of Chemical Engineers, New York, NY, 1989
• SINTEF Reliability Data for Control and Safety Systems, 1998
• IEEE Guide to Collection and Presentation of Electrical, Electronic, Sensing Components, and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations, IEEE Std. 500-1984, The Institute of Electrical and Electronics Engineers, Inc., 1983
• The Systems Reliability Service Data Bank, National Centre of Systems Reliability, System Reliability Service, UKAEA, Culcheth, England
• W. Denson et al., Nonelectronic Parts Reliability Data, NPRD-91, Reliability Analysis Center, P.O. Box 4700, Rome, NY, 1991
• Nuclear Plant Reliability Data System: Annual Reports of Cumulative System and Component Reliability for Period from July 1, 1974, through December 31, 1982, NPRD A02/A03 (INPO 83-034), Institute of Nuclear Power Operations, Atlanta, GA, October 1983
• Reliability data generated by experience and failure rate analysis from SAP/Meridium
Section Summary: SIL Assessment
• There are qualitative and quantitative methods for SIL assessment:
– Risk Matrix (qualitative)
– LOPA (semi-quantitative)
– Risk Graph (qualitative)
– Event Tree (semi-quantitative)
– Fault Tree (semi-quantitative)
• The risks used to evaluate Safety Integrity Level (SIL) are supplied by the HAZOP, PHA or safety recommendations.
• As Low As Reasonably Practical (ALARP) is a method for defining what is an acceptable level of risk.
Summary: SIL Assessment
• The Safety Integrity Level (SIL) is determined by the risk reduction factor (RRF) required to fill the gap between the identified risk and the acceptable level of risk.
Safety Instrumented System Design and Validation
Section Objectives
Failure Modes
• Random Failures
• Systematic Failures
• Safe & Unsafe Failures
• Detected & Undetected Failures
Relationships and calculations associated with Failure Rate, MTBF, PFD, PFD Avg and SIF Architecture
SIL Validation Methods
• Simplified Probability Calculations
• Reliability Block Diagrams (RBD)
• Fault Tree
• Markov
Failure classification by cause of failure (with examples)
Failure
– Random hardware failures
  – Ageing: 1. Natural ageing (within design envelope)
  – Stress: 1. Sandblasting 2. Humidity 3. Overheating
– Systematic failures
  – Design: 1. Software error 2. Sensor does not discriminate true and false demand 3. Inadequate location of sensor
  – Interaction (random): 1. Scaffolding covers up sensor
  – Test/periodic: 1. Left in by-pass 2. Erroneous calibration of sensor
Systematic Failure
Systematic failures are failures related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.
Examples:
– The specific gravity of the liquid flow is different from what the D/P instrument was calibrated for. The instrument is working but it is not meeting the intended function.
– The seal leg of a D/P level device is lost. The level transmitter is working but the level indication is wrong.
Failure Rate Bathtub Curve
(Figure: failure rate vs. time t, showing the Early Failure, Useful Life (Random) and Wear-out Failure regions; the constant useful-life failure rate is the failure rate used in SIS calculations.)
Classification of Random Failure Modes (with examples)
Random hardware failures
– Safe Failures
  – Safe Detected: Diagnostics detect and send an alarm that there has been a loss of linearization of the temperature output of a transmitter.
  – Safe Undetected: Transmitter fails high, which causes a shutdown as designed.
– Dangerous Failures
  – Dangerous Detected: A smart positioner fails. The internal diagnostics detect the failure and set an alarm that the positioner has failed.
  – Dangerous Undetected: Solenoid valve is frozen and will not change states.
Fail Safe Mode Definitions
Fail-Safe State: A failure which does not have the potential of putting the safety instrumented system into a hazardous or fail-to-function state; the state where the module/unit output is de-energized.
Fail Safe Detected (SD): A failure that causes the module/unit to go to the defined fail-safe state without a demand from the process and that is detected by the system and annunciated to initiate repair.
Fail Safe Undetected (SU): A failure that causes the module/unit to go to the defined fail-safe state without a demand from the process and that is undetected by the system (detection by the operator because of a spurious trip, depending on system architecture, is not considered).
Fail Dangerous Mode Definitions
Fail Dangerous: A failure which has the potential of putting the safety instrumented system into a hazardous state or potentially prevents the module/unit from responding to a demand.
Fail Dangerous Detected (DD): A failure that is dangerous but is detected by internal diagnostics and annunciated to initiate repair (the system reaction is user configurable to automatically transition to the safe state if desired).
Fail Dangerous Undetected (DU): A failure that is dangerous and that is not diagnosed by internal diagnostics.
“Reliability” vs. “Availability”
Reliability: The probability that an item or system will perform its intended function for a specified period under stated conditions.
Availability: The probability that an item or system is not failed at a given point in time.
Failure Rate (lambda, λ) is the total number of failures divided by an interval such as mission time (usually in failures per hour) or cycles. The failure rate will change over time and can be greater than one (but will never be less than zero).
Failure Rate
λ = 1 / MTBF
λ = Number of Failures / Total Mission Time
Mean Time Between Failure (MTBF) – The reciprocal of the failure rate; the average time to fail. The MTBF is sometimes called the Mean Time To Fail (MTTF). Mean Time to Restore (MTTR) was referred to as Mean Time to Repair in the past. MTBF = MTTF + MTTR.
Total Mission Time – Defined as the total operating hours of the instrument.
Relationship of Failure Modes
(Figure grouping the four failure-rate terms.)
Safe Failures: Safe Detected Failures (λSD) and Safe Undetected Failures (λSU)
Dangerous Failures: Dangerous Detected Failures (λDD) and Dangerous Undetected Failures (λDU)
Detected Failures: λSD and λDD
λ = λSD + λSU + λDD + λDU
Locating Failure Rate Data for SIL Verifications
1. Obtain failure rate information from the manufacturer of the instrument or components. SIL certified instruments will have detailed failure rate data available.
2. Use published references such as OREDA or Exida for reliability data.
3. Evaluate failure rates based on SAP reported work orders or other internal company sources. Calculate the MTBF and/or mean failure rate. If you do not have this data, check with your affiliates; they may have data you can use. The Meridium system can be used to calculate the MTBF of an instrument or type of instrument.
Use the general rule for determining specific failure rate data as shown on the next slide.
Calculations for PFD Avg
(Simplified PFD avg calculation for quick assessment and validation)
PFD Avg = λD t / 2
Risk Reduction Factor = 1 / PFD Avg
PFD Avg = λD [ (1 - DC)(t/2 + MTTR) + (DC x MTTR) ]
(IEC 61508 specified calculation for 1oo1 channel architecture; both Dangerous Detected and Dangerous Undetected failures are considered)
λD – Failure Rate Dangerous, DC – Diagnostic Coverage, t – Test Interval, MTTR – Mean Time to Restore
The Need for Testing
The maximum time the system could be failed is the interval between tests. On average the failure would be midway between tests, leading to the formula PFD Avg = λD T / 2, where T is the interval between tests (years) and λD is the fail-to-danger rate of the system (failures per year).
Effect of Testing on PFD Avg
Testing is intended to detect failures and validate that the device is working properly.
(Figure: PFD on a log scale (0.1, 0.01, 0.001, 0.0001) vs. time, comparing an untested device with one proof tested at interval T1.)
Safety System Response Time
Process Speed / Process Safety Time – The time between the process parameter deviation (going out of the control band) and the time at which the consequence occurs (e.g., a fire).
The safety system response time shall be less than ½ of the process speed to effectively carry out the safety function.
(Figure: process parameter vs. time, showing the process speed from the deviation to the consequence (fire) and the action by the SIS to prevent the consequence.)
EXIDA Reliability Reference Data
OREDA Reliability Reference Data
Main Cause for SIS Failures
SIS Subsystem Failure Percentages:
– Measurement: 42%
– Logic Solver: 8%
– Final Element: 50%
Source: ARC White Paper, Reduce Risk with State of the Art Safety Instrumented System, Sept 2004
Subsystem Architecture
Various types of configurations are used to achieve the required level of availability. This is described as the architecture and symbolized by M oo N. The “M” is the number of channels required to sufficiently perform the safety instrumented function and the “N” is the number of independent channels. Below are examples of some of the different architectures used:
1oo1
1oo2
2oo2
1oo3
1oo1 Subsystem Architecture
The architecture alone does not indicate what SIL level a loop can achieve. Depending on the SIL level and the Safe Failure Fraction (SFF), redundancy may be required. The Sensor, Logic Solver and/or the Final Element may have different architectures. You could have a 1oo2 Sensor and a 2oo3 Final Element. The Logic Solver input or output will often reflect the architecture of the Sensor and/or the Final Element. Below is an example of a 1oo1 Safety Loop.
(Figure: Sensor PT (1oo1) – Logic Solver – Final Element (1oo1).)
1oo2 Subsystem Architecture
There is a relationship between the application and the physical design of the SIS architecture. In the example below the Final Elements are in series. If the application were to stop the flow during an unsafe condition this would be considered a 1oo2 architecture. If the safe state is to open the line then this would be considered a 2oo2 SIS architecture, since both valves would have to open in order to meet the requirement to vent or provide flow through this line.
(Figure: Sensor PT (1oo1) – Logic Solver – two Final Elements in series (1oo2).)
1oo2D Subsystem Architecture
In the case below the Logic Solver is configured to monitor and alarm on the deviation between the two input signals. This type of architecture is considered 1oo2D. The D indicates that diagnostics are being executed that will alarm when one of the two devices is failing.
(Figure: two Sensors PT (1oo2D) – Logic Solver – Final Element (1oo1).)
2oo3 Subsystem Architecture
In the case of 2oo3 there are 3 inputs in parallel. As long as two of the three signals agree the system will not indicate that an unsafe condition has occurred. This architecture generally provides high availability and low spurious trip rates.
(Figure: three Sensors PT (2oo3) – Logic Solver – Final Elements (1oo2).)
Advantages of Architectures

Architecture   PFD Avg   SIL     STR
1oo1           1.1E-03   SIL 2   5.0E-05
1oo2           2.4E-05   SIL 3   1.0E-06
2oo2           2.2E-03   SIL 2   5.0E-12
2oo3           2.7E-05   SIL 3   1.2E-11

The above results are based on the same equipment type, the same failure rate data and an annual test interval.
Example Safety Loop Calculation
What would the PFD Avg be (using the simplified PFD Avg calculation) for a safety loop with a 1oo1 sensor, logic solver and final control element, given the following reliability data for each:
Sensor – λD = 10^-5, test interval 8760 hours
Logic Solver – λD = 10^-6, test interval 43800 hours
Final Control Element – λD = 10^-4, test interval 730 hours
First calculate the PFD Avg for each subsystem and then calculate the system PFD Avg.
Example Safety Loop Calculation Using Reliability Block Diagram
Sensor (PFD avg) + Logic Solver (PFD avg) + Final Element (PFD avg) = Loop (PFD avg)
Safety Loop (PFD avg) ≤ target PFD avg for the specified SIL
0.0438 + 0.0219 + 0.0365 = 0.1022
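An added example, not code from the Meridium deck, that implements both 1oo1 PFD Avg formulas from the calculations slide, sums the three subsystems as on the block diagram, grades the loop against the PFDavg bands and shows the effect of diagnostic coverage and test interval on the weakest subsystem. It assumes the slide's λD values are failures per hour (consistent with the hourly test intervals and the 0.0438 / 0.0219 / 0.0365 results); the DC and MTTR values used for the diagnostics comparison are constructed.

```python
"""PFDavg of a 1oo1 safety loop, sensor + logic solver + final element (added example)."""

# PFDavg bands from the "Target PFD avg for Specified SIL" slide: SIL -> (lower, upper).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

# The slide's example loop: subsystem -> (lambda_D per hour, proof-test interval in hours).
EXAMPLE_LOOP = {
    "sensor": (1e-5, 8760),
    "logic solver": (1e-6, 43800),
    "final element": (1e-4, 730),
}


def pfd_avg_simplified(lambda_d: float, test_interval: float) -> float:
    """PFD Avg = lambda_D * t / 2: a failure is, on average, midway between proof tests."""
    return lambda_d * test_interval / 2.0


def pfd_avg_1oo1(lambda_d: float, dc: float, test_interval: float, mttr: float) -> float:
    """IEC 61508 1oo1 form: PFD Avg = lambda_D [ (1-DC)(t/2 + MTTR) + DC*MTTR ].

    The undetected share (1-DC) waits for the proof test; the detected share (DC)
    is only unavailable for the repair time. With DC = 0 this reduces to the
    simplified formula plus the MTTR term.
    """
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must be between 0 and 1")
    return lambda_d * ((1.0 - dc) * (test_interval / 2.0 + mttr) + dc * mttr)


def loop_pfd_avg(subsystem_pfds) -> float:
    """Series block diagram: loop PFDavg is the sum of the subsystem PFDavgs."""
    return sum(subsystem_pfds)


def risk_reduction_factor(pfd_avg: float) -> float:
    """RRF = 1 / PFD Avg."""
    return 1.0 / pfd_avg


def sil_achieved(pfd_avg: float) -> int:
    """SIL whose band contains the loop PFDavg; 0 if the loop is worse than SIL 1 (>= 0.1)."""
    for sil in (4, 3, 2, 1):
        lower, upper = SIL_BANDS[sil]
        if lower <= pfd_avg < upper:
            return sil
    return 0 if pfd_avg >= 0.1 else 4   # below 1e-5 is better than the SIL 4 band


def max_test_interval(lambda_d: float, target_pfd: float) -> float:
    """Longest proof-test interval (simplified model) that still meets target_pfd."""
    return 2.0 * target_pfd / lambda_d


def example_loop_assessment() -> dict:
    """Work the slide's example: per-subsystem PFDavg, loop PFDavg, SIL achieved, RRF."""
    parts = {name: pfd_avg_simplified(lam, t) for name, (lam, t) in EXAMPLE_LOOP.items()}
    loop = loop_pfd_avg(parts.values())
    return {"subsystems": parts, "loop": loop, "sil": sil_achieved(loop),
            "rrf": risk_reduction_factor(loop)}


if __name__ == "__main__":
    r = example_loop_assessment()
    for name, pfd in r["subsystems"].items():
        print(f"{name:14s} PFDavg = {pfd:.4f}")
    print(f"loop PFDavg = {r['loop']:.4f} -> SIL {r['sil']} (RRF {r['rrf']:.1f})")
    # Constructed comparison on the weakest subsystem: 90 % diagnostic coverage, 8 h repair.
    lam, t = EXAMPLE_LOOP["final element"]
    print(f"final element with DC=0.9, MTTR=8 h: PFDavg = {pfd_avg_1oo1(lam, 0.9, t, 8):.5f}")
    print(f"longest interval for PFDavg 0.01 without diagnostics: {max_test_interval(lam, 0.01):.0f} h")
```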
Target PFD avg for Specified SIL
Average probability of failure on demand – PFDavg
SIL 1: 0.1 to 0.01 (10^-1 to 10^-2)
SIL 2: 0.01 to 0.001 (10^-2 to 10^-3)
SIL 3: 0.001 to 0.0001 (10^-3 to 10^-4)
SIL 4: 0.0001 to 0.00001 (10^-4 to 10^-5)
Example point plotted on the scale: PFDavg = 0.005 (within the SIL 2 band)
Using Meridium for SIS Life Cycle Management
Basic SLCM Phases In Meridium (a sustainable closed loop process)
Upfront Engineering & Initial Data Gathering
- HAZOP/PHA
- Gathering and Loading Failure Data, Design and Process Data
SIS Definition
• SIF Definitions
• SIL Assessment
SIS Evaluation/Reevaluation
• SIL Validation
• SIF System Reliability Analysis
SIS Test Plans
- Define and Schedule Test Plans
- Executing Test Plans and Condition Monitoring
- Documenting SIS Testing
- Generating and Tracking Recommendations
External Data
- SAP Maintenance History
- Condition Monitoring
SIS Model
(Diagram of the Meridium data model.)
SIL Assessment: HAZOP/PHA → LOPA → SIS → SIFs, with a LOPA per SIF
SIL Verification: Safety Loop (Loop Assessment) → Sensor Subgroup (PT and PS sensor subsystems), Logic Solver Subsystem (PLC: AI + CPU + PS + DO, with Voting Logic), Final Element Subgroup (EOV and CV final element subsystems, each Valve + Actuator + SOV)
SIL Validation: Proof Test → Proof Test Template → Proof Test Tasks
RIS Recommendations
© Copyright Meridium, Inc. 2009
SIS Home Page
The Safety Instrumented System
Safety Instrumented Function
Performing the LOPA in Meridium
Safety Loop
Safety Loop Subsystem
Reliability Reference Table
• Industry sourced reliability data
• Manufacturer supplied data
• Corporate recommended data
• Actual maintenance history data
SIS Test Templates
Predefine SIS tests for reuse. Changes are monitored by Meridium so that reports of all changes can be generated.
SIS Validation and Proof Tests
RIS – System Benefits
• Establish a standard method for the assessment and documentation of safety instrumented systems.
• The RIS system provides a means for validating that safety systems are performing as specified in the design specification.
• Provides testing standards for Safety Instrumented Systems and a process to optimize the test interval.
• Standardized measurement of equipment failures, which will be used to set benchmarks for all equipment types in SABIC. SABIC will then be able to compare its equipment reliability against industry published benchmarks.
• Based on equipment failure rate data, best performers (equipment types and manufacturers) will be identified and recommended for future equipment replacements or new installations.
• RIS will provide standardized calibration methods. This includes the ability to use automated data-collecting calibrators, which can reduce the time to complete a calibration and document the results by as much as 40%.
• Capture and manage all calibration data to ensure that your company is meeting compliance requirements.
• The system monitors the calibration results and failure data. This information is analyzed and reported to appointed personnel to investigate equipment that is not performing up to minimum standards.
• The system provides a means of managing recommendations for improvements and change.
• Best practices in instrumentation reliability and performance will be monitored and shared with all affiliates.