- Deterministic vs. risk-based approach - Layer Of Protection Analysis (LOPA) overview SIL Allocation 2012-03-07

Uploaded by phunganh, posted 12-Feb-2018

TRANSCRIPT

Page 1: SIL Allocation -  · PDF filetarget SIL Address target SIL ... Step2 – Preliminary selection of scenarios/SIFs ... SIL Allocation & SIL Verification ,

- Deterministic vs. risk-based approach - Layer Of Protection Analysis (LOPA) overview

SIL Allocation

2012-03-07

Page 2: Origin and causes of accidents involving control system failure

(Pie chart, reconstructed as a list.)

• 44% Specification
• 15% Design and Implementation
• 6% Installation and Start-up
• 15% Maintenance and Operation
• 20% Changes after Start-up

Ref "Out of Control: Why control systems go wrong and how to prevent failure", published by UK HSE.

2012-03-07 2

Page 3: SIS Safety Lifecycle, IEC 61511

(Lifecycle diagram, reconstructed as a list; the numbers are the phase numbers in the figure.)

1. Assessment of hazards and risks
2. Allocation of the safety functions to the protection layers
3. Specification of the safety requirements for the safety instrumented system
4. Design and engineering of the safety instrumented system
5. Design and development of other means of reducing risk
6. Installation, reception and validation
7. Operation and maintenance
8. Modification
9. Decommissioning

Activities running in parallel with the phases above:
10. Management of functional safety and assessment and audit of functional safety
11. Structure and planning of the safety life cycle
Verification

Page 4: SIL Allocation in the IEC61511 Safety Lifecycle

(The IEC 61511 lifecycle diagram from page 3 is repeated on this slide.)

Page 5: SIL Allocation & SIL Verification

(Figure: the IEC 61511 lifecycle phases split between SIL Allocation and SIL Verification.)

SIL Allocation – set target
• Methods: Minimum SIL requirements, LOPA, Risk graphs, ...
• Determine if additional SIF are required and, if yes, allocate the target SIL (SIL 1, SIL 2, SIL 3)

SIL Verification (Design & Engineering) – demonstrate target is met
• Methods: SIL Verification calculations (PFD), FMECA, SAR, Safety Manuals, etc.
• Address target SIL (Fault Tolerance & PFD):
  • Select system technology
  • Configuration / voting
  • Test interval
  • Diagnostics

Page 6: SIL Allocation – The two approaches

• Deterministic: ISO10418, OLF070
• Risk-Based: LOPA, Risk graph, QRA

Page 7: SIL Allocation – Deterministic approach

1. Design in accordance with process industry standards
   ISO10418, API RP14C for offshore installations; NFPA 85, 86, API RP556 for various types of fired equipment; etc.

• Prescriptive recommendation for protective measures
• Based on experience and recognized practice
• Acceptable level of safety achieved (refers to clearly defined hazards and standardized behaviour of safety systems and barriers)

Page 8: SIL Allocation – Deterministic approach

2. Allocate SIL based on predetermined requirements
   Minimum SIL Requirements: OLF070 Application of IEC in the Norwegian Petroleum Industry; Company Governing Documentation

• Minimum SIL requirement is derived from expected reliability (PFD) of typical SISs, i.e. achievable by standard solutions considered good industry practice.
• Not based on required risk reduction conforming to specific RTC
• Enforces quality requirements in the SIS design, installation and operation

Page 9: SIL Allocation – The two approaches

• Deterministic: ISO10418, OLF070, TES
• Risk-Based: LOPA, Risk graph, QRA

Page 10: The safety 'onion' – Integrated approach

(Figure: independent protection layers, listed from the innermost layer outwards.)

1. Process design
2. Basic controls, process alarms, and operator supervision
3. Critical alarms, operator supervision, and manual intervention
4. Automatic action: SIS or ESD (the layer of the SIS)
5. Physical protection (relief devices)
6. Physical protection (dikes)
7. Plant emergency response
8. Community emergency response

Page 11: Alternative view – protecting by multiple protection layers

(Figure: process level trend with the protection layers acting at successive set points.)

• Normal level, between low level and high level, maintained by the PCS (PT → PCS)
• High level alarm: operator takes action
• Trip set point: SIS action (PT → PSD logic)

Page 12: Reducing risks with protection layers

(Figure: risk scale, increasing to the right.)

• Initial risk (frequency) → required risk reduction down to the risk tolerance criteria
• Achieved risk reduction = risk reduction by external measures + risk reduction by other technologies + risk reduction by the SIS
• Remaining risk
• Closing the safety gap between risk and target: missing adequate barriers?

Page 13: Applicability of risk assessment methods for risk judgements

Technique         Analysis type                                                Applicability to simple issues   Applicability to complex issues
HAZOP, What if    Qualitative analysis (100% of scenarios are analyzed          Good                             Poor to Okay for risk judgment
                  using qualitative methods)
LOPA, Risk Graph  Simplified-quantitative or semi-qualitative analysis          Good                             Usually Good
                  (1-5% of scenarios, 100% of SIF)
ETA, FTA, QRA     Quantitative analysis (<1‰ of scenarios, 1% of SIF)           Overkill                         Good

Page 14: SIL Allocation process (risk-based)

(Flowchart, reconstructed as an outline.)

Inputs:
• Plant – Facilities & Safety conceptual strategies / philosophies
• Design & Operating principles / Performance Standards / Acceptance criteria
• Plant design development input (e.g., process conditions, P&ID, C&E, FDS, etc.)

1. Risk Assessment / Process Hazard Analysis (PHA) / IPL definition (e.g. HAZOP) – qualitative
2. SIF determination & SIL Allocation: for each scenario, SIF determination & SIL allocation with a simplified risk analysis technique (e.g. LOPA, risk graph) – semi-qualitative / simplified-quantitative
3. SIL1, SIL2 or SIL3 with TES where further assessment is needed? YES → Quantitative risk assessment for the dedicated scenario – quantitative
4. SIL4? OR SIL3 with no TES? → Design change or other non-SIS IPL possible?
   • YES → evaluate other non-SIS IPL or design change, then repeat the SIF determination & SIL allocation
   • NO → SIL4 required by a single SIS? YES → apply for dispensation to TR2041; NO → SIL1, SIL2, SIL3 or SIL4 by multiple SIS?
5. Complete SIL allocation for each SIF & Reporting → SRS, CDD, SAR, etc.

(Chart label: GALE)

Page 15: LOPA – Layer of Protection Analysis

• Multidiscipline team exercise. Immediately after HAZOP (1w/m)
• Good synergy with HazOp (Cause, consequence, safeguards)
• Simple rules (reproducible), order of magnitude of the risk
• Barrier/Protection layers analysis methodology
• Focus on Safety Instrumented Systems
• Will also address credit for other Safety Related Systems
• Identification of required and expected performance of critical systems
• Closes the gap between 'expected' system performance and required 'Risk Tolerance'
• Determines Safety Integrity Level (SIL) of 'gap'
• Can be an entry point to QRA

Page 16: LOPA – Can address the following / References and applicability in the industry

LOPA – Can address the following
• Does my system (planned or actual) ensure my criteria are met?
• Do I need an additional Safety Instrumented System?
• Are there alternatives?

LOPA – References and applicability in the industry
• IEC 61511 – LOPA will meet requirements (Part 3, Annex F)
• AIChE endorsement
• Risk-based approach common in the downstream industry, especially for PSD
• LOPA often used in the Americas; Europe often uses risk graphs
• Some O&G companies have developed their own software / spreadsheets

Page 17: LOPA – Procedure

Step 1: Establish TTC
Step 2: Preliminary selection of scenarios
Step 3: Evaluate impact severity on safety, environment and assets
Step 4: Determine IE frequency
Step 5: Identify IPLs and select the probability of failure
Step 6: Identify Conditional Modifiers and select the probability
Step 7: Evaluate scenario frequency and compare with TTC
Step 8: Identify SIF and allocate SIL
Step 9: Evaluate need for other non-SIS IPL or redesign
Step 10: Evaluate consequences of spurious failure
Step 11: Reporting

Page 18: Step 1 – Establish Target Tolerance Criteria (TTC)

(Figure: risk matrix of impact level 1 to 8 against frequency level 1 to 8.)

Frequency level (per year):
1: < 1E-4
2: 1E-4 – 1E-3
3: 1E-3 – 0.01
4: 0.01 – 0.05
5: 0.05 – 0.3
6: 0.3 – 0.7
7: 0.7 – 1.4
8: > 1.4

Target Tolerance Criteria by impact category:
Category           TTC
8 / Catastrophic   1E-6 per year
7 / Major          1E-5 per year
6 / Severe         1E-4 per year
5 / Serious        1E-3 per year
4 / Moderate       1E-2 per year

Page 19: Step 1 – Establish TTC

• The criteria are dependent on the numbers used for initiating events, risk reduction factors etc.
• Economic impact should include the total loss:
  • Demolition cost
  • Installed equipment costs (x3 purchase price)
  • Cost of business interruption (value of product that cannot be shipped out, not cost of lost production)
• Corporate TTC should be used as a basis to establish the locally applicable TTC

Page 20: Step 2 – Preliminary selection of scenarios/SIFs

• Scenarios/SIF identified from C&E, interlocks narrative and P&IDs
• Additional scenarios where a SIF is recommended for evaluation (e.g. identified during HAZID, HAZOP or other project/facility review)
• High impact severity scenarios (i.e. category 7 and 8 in TTC)

(Figure: example SIF – two temperature transmitters, a level switch and a flow transmitter as inputs to a logic solver (PLC), acting on two solenoid-operated on/off valves and a pump.)

Page 21: Step 2 – Identification of scenario

(Bow-tie figure, reconstructed as a list.)

CAUSES: Initiating Event 1, Initiating Event 2, Initiating Event 3
PREVENTION (terminate the chain of events, reduce frequency): BPCS, Operator response to alarm from monitoring system, SIS, PSV
TOP EVENT: e.g. Loss of Containment
MITIGATION & RECOVERY (reduce consequence severity): Ignition control, ESD, Fire Water
CONSEQUENCES: Consequence A, Consequence B, Consequence C, Consequence D, No consequence

LOPA scenario: single cause – consequence pair (e.g. Initiating Event 1 → Consequence D)

Page 22: Step 3 – Evaluate impact severity

• Define "worst reasonably credible" consequences that result if the chain of events continues without interruption.
• Select impact severity from the TTC for all categories (people's safety, environment, economic).

Category           TTC
8 / Catastrophic   1E-6 per year
7 / Major          1E-5 per year
6 / Severe         1E-4 per year
5 / Serious        1E-3 per year
4 / Moderate       1E-2 per year

Page 23: Step 4 – Determine Initiating Event Frequency (f_ie)

• Identify all possible initiating events, i.e. causes
• Mechanical, Instrument or Human failures

Mechanical initiating event                    failure/year
Canned/Magnetic Drive Pump Failure             1.00E-02
Compressors, Pumps and Crane fail              1.00E+00
Control valve failure                          1.00E-01
Cooling Water Failure                          1.00E-01
Double Mechanical Seal Pump Failure            1.00E-02
Expansion Joint Fails                          1.00E-02
General Utility Failure                        1.00E-01
Heat Exch. tube leak <100 tubes                1.00E-02
Heat Exch. tube leak >100 tubes                1.00E-01
Heat Exch. tube rupture <100 tubes             1.00E-03
Heat Exch. tube rupture >100 tubes             1.00E-02
Loss Cooling                                   1.00E-01
Loss Power                                     1.00E-01
Manual valve failure                           1.00E+00
Pressure safety valve failure                  2.00E-01
Pressure Vessel Failure Significant Release    1.00E-05
Pump Failure Loss of Flow                      1.00E-01
Single Mechanical Seal Pump Failure            1.00E-01
Unloading/Loading Hose Failure                 1.00E-01

Instrument initiating event                    failure/year
BPCS Instrument Loop Failure                   1.00E-01
BPCS Sensor failure                            1.00E-01
Control loop failure                           1.00E-01
Loss of instrument air                         1.00E-01

Human initiating event                                  failure/year
3rd Party Intervention                                  1.00E-02
Human error in a non-routine, low stress task           1.00E-01
Human error in a routine, once per day opportunity      1.00E+00
Human error in a routine, once per month opportunity    1.00E-01
Operator Failure Action more than once per quarter      1.00E-01

Human error probability for not correctly performing a task, per demand, for various situations:

Stress level      Simplest   Routine & Simple   Routine but Requires Care   Complicated non-Routine
No stress         1E-4       1E-3               1E-2                        0.1
Moderate stress   1E-3       1E-2               5E-2                        0.3
High stress       1E-2       1E-1 – 1.0         0.25 – 1.0                  1.0

Page 24: Step 4 – Determine Initiating Event Frequency (f_ie)

• Enabling event, e.g. adjust to the "time at risk", i.e. multiply f_ie by the fraction of time during which the risk is present
• SIF operating in continuous mode of operation: f_ie = 2 × PFD

Page 25: Step 5 – Identify IPLs and select probability of failures

Essential Requirements
• Specific: Detect, Decide and Deflect
• Effective: big enough, fast enough, strong enough, smart enough
• Independent: its performance must not be affected by other protection layers and must be independent of the events causing the accident
• Reliable: the protection given by the IPL reduces the risk by a known and specific quantity
• Auditable: it must allow periodic checks and tests of the protection function

All IPLs are protection layers, but not all protection layers are IPLs.

Page 26: Step 5 – Identify IPLs and select probability of failures

• Process design – Inherent safety in design
  − Initial risk, not an IPL.
  − Minimize, Substitute, Moderate, Simplify
• Process control system
  − Actions to return the process within the normal operating envelope (e.g. minimum flow control)
  − Process shutdown (shadowing the SIS in the PCS)
  − Alarms (+ operator response)

Page 27: Step 5 – Identify IPLs and select probability of failures

• Process control system
  − Maximum PFD claimed 0.1 if independent of initiating events and other IPLs
  − If the initiating event is caused by a PCS control loop failure, the PCS can be considered an IPL if:
    • Sensors, I/O cards and final elements are independent
    • The logic controller is designed with a high level of reliability by reference to recognized industry standards (e.g. redundant CPUs).
  − A PFD lower than 0.1 requires that the PCS is designed according to IEC61511
  − The PCS cannot be credited twice as an IPL.

(Figure: two loops through one logic controller. Sensor 1 → Input 1 → Logic Controller → Output 1 → Final Element 1 is labelled IE; Sensor 2 → Input 2 → Logic Controller → Output 2 → Final Element 2 is labelled IPL.)

Page 28: Step 5 – Identify IPLs and select probability of failures

• PCS supervision & alarms – human intervention
  − Direct connection between the alarm, which indicates the event, and the measures to be taken by staff to avoid the event
  − Safety alarms requiring intervention should be prioritized, with configuration access restricted
  − Time needed vs time available due to process dynamics: alarm processing, limited troubleshooting, decide action, trigger action and get the action to be effective. Min 15-20 min if automatic; min 30 min-1 h if manual local action
  − Written procedure in use, training

(Figure: time axis running from the PCS pre-alarm set point through the SIS trip point to the top event (e.g. loss of integrity) and the final consequences, marking the time available for the operator to take action and the process safety time.)

Page 29: Step 5 – Identify IPLs and select probability of failures

• Preventive SIS (PSD)
• Mitigation SIS
  − ESD, F&G, Emergency Depressurization or Dumping system, Fire water, etc.
  − Have a role in risk reduction but should not be considered IPL for evaluation of preventive SIF (PSD) with LOPA. The objective is to prevent the scenario without relying on mitigation SIS (residual consequences even if successful). May be given credit in QRA.
  − Design against the scenario shall be demonstrated, claimed reliability shall be demonstrated, appropriate maintenance and testing.

Page 30: Step 5 – Identify IPLs and select probability of failures

• Mechanical mitigation system
  − PSV and rupture disk: depends on the SIF design intent, i.e. in lieu of the PSV or in addition, e.g. to limit release to the disposal system. Does the PSV fulfil the 3E? Is the release damageable? Fouling service?
  − Check valve: IPL, with restrictions on service and technology; frequent testing required
  − Flame arrestor (in line): can be an IPL. Design against deflagration will not prevent detonation; testing
  − Explosion doors: not an IPL; can be considered for selection of a lower impact severity. Design must be checked against the explosion load
  − Excess flow valves: mitigation, generally not an IPL

Page 31: Step 5 – Identify IPLs and select probability of failures

• Post-release physical protection (passive)
  − Dike, fire wall, passive fire protection, collision protection
  − Should not be considered an IPL for evaluation of preventive SIF with LOPA. May be given credit in QRA. Design against the scenario shall be demonstrated, appropriate maintenance
• Emergency response (evacuation and rescue)
  − Relying on evacuation and rescue is the last resort. No credit for risk reduction shall be granted as an IPL. Considered in the selection of the conditional modifier (probability of personnel present)

Page 32: Step 5 – Identify IPLs and select probability of failures

Independent protection layer                                 PFD
Single check valve in clean liquid service                   2.00E-01
Single check valve in gas service                            1.00E+00
Two check valves in series in clean gas or liquid service    2.00E-02
Process Safety Valve fail to open, clean service             1.00E-02
Control loop / PCS                                           1.00E-01
Explosion doors                                              1.00E+00
Flame arrestor                                               1.00E-01
Operator response to alarm (15-20 minutes)                   1.00E-01

Page 33: Step 6 – Conditional modifiers

• Probability of ignition for a flammable release (P_ignition)
• Probability that personnel are present at the time of the hazardous event (P_person present) = Occupancy × Probability to avoid the hazardous event once the SIS has failed
• Probability of death (vulnerability): not taken into account (conservative but simpler)

Ignition probability modifier              Probability
Gas Major (1-50 kg/s) EXPLOSION            8.40E-03
Gas Major (1-50 kg/s) FIRE                 7.00E-02
Gas Massive (>50 kg/s) EXPLOSION           9.00E-02
Gas Massive (>50 kg/s) FIRE                3.00E-01
Gas Minor (<1 kg/s) EXPLOSION              4.00E-04
Gas Minor (<1 kg/s) FIRE                   1.00E-02
Liquid Major (1-50 kg/s) EXPLOSION         3.60E-03
Liquid Major (1-50 kg/s) FIRE              3.00E-02
Liquid Massive (>50 kg/s) EXPLOSION        2.40E-02
Liquid Massive (>50 kg/s) FIRE             8.00E-02
Liquid Minor (<1 kg/s) EXPLOSION           4.00E-04
Liquid Minor (<1 kg/s) FIRE                1.00E-02

Not always relevant (e.g. release above auto-ignition temperature, control of ignition sources, environmental impact)

Page 34: Step 6 – Conditional modifiers

− Occupancy

0.1: Rare to occasional exposure in the hazardous zone (exposure time less than 10%). Most continuous process plants will have only occasional exposure. This would be the default choice for normal operation and when something goes spontaneously wrong.

1: Frequent to permanent exposure in the hazardous zone (exposure time more than 10%). Most continuous process plants will have troubleshooting, testing and maintenance activities upon certain alarms. This can mean that several people are exposed to a hazard when it happens. The correct action for hazardous work and when something goes wrong is to evacuate the premises as much as possible (ARCO 1989 tank explosion). Consider specific scenarios during shut-down or start-up with almost permanent exposure (e.g. lighting of fired heaters). Batch plants and semi-batch plants often require semi-continuous human supervision.

Page 35: Step 6 – Conditional modifiers

− Probability to avoid the hazardous event once the SIS has failed

1: Almost impossible to avoid the hazard: this is the default probability. Credit for using personal protective equipment to avert a hazard should not be taken, unless it is certain that the personal protective equipment will actually be worn. Usually, systems are designed on the assumption that the use of such equipment is not absolutely required to achieve a sufficient degree of safety, although it is recognized that it can further improve safety.

0.1: Possible to avoid the hazard under certain conditions: needs strong justification. Should only be selected if all the following conditions are true:
• Facilities are provided to alert the operator that the SIS has failed
• Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area (e.g. escape route is obvious and immediate, with no vertical or spiral staircase, no rescue required, etc.)
• The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions

Caution: don't cater twice for the same "operator intervention" (e.g. alarm + operator intervention)

Page 36: Step 7 – Compare scenario frequency with TTC

f_scenario,LOPA = f_ie × PFD_IPL1 × PFD_IPL2 × ... × PFD_IPLn × P_ignition × P_person present

(Figure: the single cause – consequence pair from page 21, Initiating Event 1 → Consequence D.)

Step 8 – Identify SIF and Allocate SIL
Step 9 – Evaluate need for other non-SIS IPL or redesign

RRF = f_scenario,LOPA / TTC
• RRF < 1: scenario "passes" LOPA
• RRF > 1: risk reduction needed
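Steps 4 to 9 as an added worked example in Python (not code from the deck or from its author): it multiplies out f_scenario,LOPA, divides by the TTC to get the required RRF, and maps that RRF to a SIL target using the IEC 61511 low-demand bands (RRF 10-100 is SIL 1, 100-1000 SIL 2, and so on; those bands are from the standard, not from this deck). The Step 5 claiming rules (no layer credited twice, PCS capped at PFD 0.1 unless designed to IEC 61511) are checked before the product is taken, and the scenario values are constructed from the deck's own tables.

```python
# Added worked example of LOPA Steps 4 to 9 (not code from the deck):
#   f_scenario,LOPA = f_ie * PFD_IPL1 * ... * PFD_IPLn * P_ignition * P_person_present
#   RRF = f_scenario,LOPA / TTC  (RRF < 1: scenario passes LOPA; RRF > 1: risk reduction needed)
from dataclasses import dataclass, field
from typing import List

# Target Tolerance Criteria (per year) by impact category, as tabulated in the deck.
TTC = {8: 1e-6, 7: 1e-5, 6: 1e-4, 5: 1e-3, 4: 1e-2}

# IEC 61511 low-demand SIL bands as (SIL, RRF lower bound, RRF upper bound), with
# RRF = 1/PFDavg. These bands are from the standard, not from the deck.
SIL_BANDS = [(1, 10.0, 100.0), (2, 100.0, 1e3), (3, 1e3, 1e4), (4, 1e4, 1e5)]


@dataclass
class IPL:
    name: str
    pfd: float                        # claimed probability of failure on demand
    independent_of_ie: bool = True    # Step 5 "Independent" requirement
    is_pcs: bool = False              # layer is the process control system
    pcs_designed_to_iec61511: bool = False


@dataclass
class Scenario:
    name: str
    category: int                     # impact category 4..8 from the TTC table
    f_ie: float                       # initiating event frequency, per year
    time_at_risk: float = 1.0         # enabling event: fraction of time at risk (Step 4)
    ipls: List[IPL] = field(default_factory=list)
    p_ignition: float = 1.0           # conditional modifiers (Step 6); 1.0 = no credit
    p_person_present: float = 1.0


def validate_ipls(ipls: List[IPL]) -> None:
    """Enforce the IPL claiming rules stated in the deck (Step 5)."""
    names = [i.name for i in ipls]
    if len(names) != len(set(names)):
        raise ValueError("the same layer cannot be credited twice")
    if sum(i.is_pcs for i in ipls) > 1:
        raise ValueError("the PCS cannot be credited twice as an IPL")
    for ipl in ipls:
        if not 0.0 < ipl.pfd <= 1.0:
            raise ValueError(f"{ipl.name}: PFD must be in (0, 1]")
        if not ipl.independent_of_ie:
            raise ValueError(f"{ipl.name}: not independent of the initiating event")
        if ipl.is_pcs and ipl.pfd < 0.1 and not ipl.pcs_designed_to_iec61511:
            raise ValueError(f"{ipl.name}: PCS PFD below 0.1 needs IEC 61511 design")


def scenario_frequency(s: Scenario) -> float:
    """Step 7: mitigated scenario frequency, per year."""
    validate_ipls(s.ipls)
    f = s.f_ie * s.time_at_risk
    for ipl in s.ipls:
        f *= ipl.pfd
    return f * s.p_ignition * s.p_person_present


def required_rrf(s: Scenario) -> float:
    """Step 7: risk reduction factor still required to meet the TTC."""
    return scenario_frequency(s) / TTC[s.category]


def allocate_sil(rrf: float) -> str:
    """Step 8: map the RRF required of one SIF to a SIL target."""
    if rrf <= 1.0:
        return "passes LOPA, no SIF required"
    if rrf < SIL_BANDS[0][1]:
        return "SIF needed, RRF < 10 (below SIL 1)"
    for sil, low, high in SIL_BANDS:
        if low <= rrf < high:
            return f"SIL {sil}"
    return "beyond SIL 4 by a single SIS: redesign, other non-SIS IPL or dispensation"


# Constructed scenario built from the deck's tables: control valve failure (1E-01/yr),
# category 8 consequence (TTC 1E-6/yr), operator response to alarm credited (PFD 0.1),
# massive gas release with fire (P_ignition 3E-01), permanent occupancy (P_person 1.0).
OVERPRESSURE = Scenario(
    name="control valve fails open, vessel overpressure",
    category=8, f_ie=1.0e-1,
    ipls=[IPL("operator response to alarm (15-20 min)", 0.1)],
    p_ignition=3.0e-1, p_person_present=1.0,
)

# Step 9 variant: credit a non-SIS IPL (PSV, clean service, PFD 1E-02) before
# asking for a SIF, which lowers the SIL demanded of the SIS.
OVERPRESSURE_WITH_PSV = Scenario(
    name="same scenario with PSV credited",
    category=8, f_ie=1.0e-1,
    ipls=[IPL("operator response to alarm (15-20 min)", 0.1),
          IPL("PSV, clean service", 1.0e-2)],
    p_ignition=3.0e-1, p_person_present=1.0,
)

if __name__ == "__main__":
    for sc in (OVERPRESSURE, OVERPRESSURE_WITH_PSV):
        rrf = required_rrf(sc)
        print(f"{sc.name}: f={scenario_frequency(sc):.2e}/yr, RRF={rrf:.0f} -> {allocate_sil(rrf)}")
```

Without the PSV the required RRF is 3000 (SIL 3 for the SIF); crediting the PSV first brings it to 30 (SIL 1), which is the point of Step 9.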

Page 37: Step 8 – Identify SIF and Allocate SIL

(Figure: closing the safety gap by SIS; risk increases to the right.)

• Initial Process Risk (without IPL)
• Risk reduction by BPCS
• Risk reduction by operator response to alarms
• Risk reduction by Safety Instrumented System – the risk reduction factor (RRF) required for the SIS
• Risk reduction by mechanical device
• Risk reduction by other means
• Target Tolerance Criteria
• Residual Risk (with IPL)

The risk reduction needed, i.e. the Safety Gap (SG), is compared with the risk reduction achieved.

Page 38: Step 9 – Evaluate need for other non-SIS IPL

• LOPA is focused on identification of SIF to close the safety gap; it does not necessarily mean that a SIS is needed
• By order of preference:
  • Design the problem out of the process using inherently safe principles
  • Protection by non-SIS protective measure
  • Passive rather than active
• A SIF should be the solution of last resort when other solutions are not practical

Step 10 – Evaluate consequences of spurious trip failure
• Spurious failure: failure triggering action in an untimely manner
• Consider need for 'robust to spurious trip' design (e.g. 2oo3 instead of 1oo2)
• Set minimum mean time to fail safe requirement (MTTFS = 1 / STR)

Page 39: Step 11 – Reporting. SIL Allocation Report

• Methodology
• Identified IPL listing that is regarded as part of the PCS, e.g. alarm function requiring operator action
• Identified SIF list and SIL allocation result, corresponding SIS
• SIF/SIL Allocation worksheet
  All assumptions, uncertainties and sensitivities should be recorded
  Level of detail sufficient to enable a 3rd party to follow/reproduce the evaluation
• Starting point for the Safety Requirement Specification (SRS)

Page 40: Step 11 – Reporting. SIL Allocation Report

• SIF/SIL Allocation worksheet

(Figure: example worksheet with Target Tolerance Criteria = 10^-5/yr.)

Page 41: SIL Allocation & SIL Verification

(Figure: the IEC 61511 lifecycle phases split between SIL Allocation and SIL Verification, as on page 5.)

SIL Allocation – set target
• Methods: Minimum SIL requirements, LOPA, Risk graphs, ...
• Determine if additional SIS are required and, if yes, allocate the target SIL (SIL 1, SIL 2, SIL 3)

SIL Verification (Design & Engineering) – demonstrate target is met
• Methods: SIL Verification calculations (PFD), FMECA, CDD, SAR, Safety Manuals, etc.
• Address target SIL (Fault Tolerance, PFD, software requirements):
  • Select system technology
  • Configuration / voting
  • Test interval
  • Diagnostics

Page 42

SIL Allocation – Layer of protection analysis

Presenter's name: Mathilde Cot

Presenter's title: Principal Consultant, Safety Technology, CFSE

[email protected], tel: +47 95785095

www.statoil.com

Thank you


Page 43

Special cases handling

• Global Safety Instrumented Systems for consequence Mitigation

ESD, F&G, Emergency Depressurization or Dumping system, Fire water, etc.

Release and other events cannot be interrupted by mitigation SIS.

Severity reduction, but residual consequences even if the mitigation SIS is successful (e.g. large uncontrolled fire vs controlled fire, avoid escalation)

[Figure: bow-tie diagram. CAUSES side – Initiating Event 1, 2 and 3 pass through PREVENTION layers (BPCS, Operator response to Alarm from monitoring system, SIS, PSV), which terminate the chain of events and reduce frequency, leading to the TOP EVENT (e.g. Loss of Containment). CONSEQUENCES side – MITIGATION & RECOVERY layers (Ignition control, ESD, Fire Water) reduce consequence severity, leading to Consequence A, B, C, D or No consequence. Annotation: PFD*TTC (large uncontrolled fire) vs 1*TTC (controlled fire) – Same protection GAP?]
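One way to quantify the residual-consequence point made on this slide, as an added example that is not part of the original presentation: a mitigation SIS only reduces the frequency of the outcome on its failure path (top event frequency times PFD), while the outcome on its success path (controlled fire) keeps essentially the top event frequency, so each outcome must be checked against its own target tolerance criterion. The top-event frequency, the 1e-2/yr criterion for the controlled fire and the SIL band table are assumptions of the example; the 1e-5/yr criterion is the figure shown on slide 40.

```python
"""Added example (not from the slides): LOPA-style gap check for a
mitigation SIS whose successful action still leaves a residual consequence,
as in the bow-tie above (loss of containment -> fire water -> controlled fire
or large uncontrolled fire). Figures below are constructed; the SIL bands are
the IEC 61511 demand-mode PFDavg ranges.
"""

# (SIL, PFDavg lower bound inclusive, PFDavg upper bound exclusive)
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


def sil_for_pfd(pfd_required):
    """SIL whose PFDavg band contains the required PFD.
    0 means no SIL-rated function is needed (RRF < 10); None means the
    requirement is beyond SIL 4 and cannot be met by a single SIS."""
    if pfd_required >= 1e-1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd_required < high:
            return sil
    return None


def mitigation_gap(f_top_event, ttc_uncontrolled, ttc_controlled):
    """Allocate a target to the mitigation SIS and check the residual path.

    f_top_event      demand frequency on the mitigation SIS (/yr)
    ttc_uncontrolled target tolerance criterion for the SIS-fails outcome (/yr)
    ttc_controlled   target tolerance criterion for the SIS-works outcome (/yr)

    SIS-fails outcome frequency is f_top_event * PFD, so the SIS needs
    PFD <= ttc_uncontrolled / f_top_event.  The SIS-works outcome occurs at
    f_top_event * (1 - PFD), essentially f_top_event: no PFD of the mitigation
    layer reduces it, so it either meets its own criterion already or needs
    prevention IPLs upstream of the top event.
    """
    pfd_required = ttc_uncontrolled / f_top_event
    residual_ok = f_top_event <= ttc_controlled
    return pfd_required, sil_for_pfd(pfd_required), residual_ok


if __name__ == "__main__":
    # Constructed case: loss of containment once per 200 years, the slide's
    # 1e-5/yr criterion for the large uncontrolled fire, 1e-2/yr for the
    # controlled fire that remains even when fire water works.
    pfd, sil, ok = mitigation_gap(5e-3, 1e-5, 1e-2)
    print(f"required PFD {pfd:.1e} -> SIL {sil}; residual tolerable: {ok}")
```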

Page 44

Special cases handling

• Global Safety Instrumented Systems for consequence Mitigation

Preferred approach: Deterministic

Divide Global SIS

• Detection SIS

• Action SIS

[Figure (shown twice): S1, S2, S3 provide the input signal to the PLC safety logigram, whose output signal goes to V1, V2. Detection SIS (S1, S2, S3 and input signal): incomplete safety instrumented system. Action SIS (output signal and V1, V2): incomplete safety instrumented system.]

Page 45

Special cases handling

• Safety-related parts of control systems for machinery

• SIS in process under patented license

• Permissive safety function

• Staggered safety functions

• Overpressure protection via SIS


Page 46

LOPA - Limitations

• Simplified risk assessment. SIL 3 with no TES and SIL4 (implemented by independent SIS) shall be further assessed by quantitative method

• Components shared between the IE and candidate IPLs. No independence.

• Several independent SIS with same functionality and possibility for common cause failures

• Complex scenario sequences

[Figure: SIL allocation workflow. Inputs: Plant – Facilities & Safety Conceptual strategies / philosophies; Design & Operating principles / Performance Standards / Acceptance criteria; Plant Design development input (e.g., process conditions, P&ID, C&E, FDS, etc.). Steps: Risk Assessment / Process Hazard Analysis (PHA) / IPL definition (e.g. HAZOP); for each scenario, SIF determination & SIL allocation with simplified risk analysis technique (e.g. LOPA, risk graph). Decision points: SIL4? OR SIL3 with no TES? – Design change or other non-SIS IPL possible? (YES: evaluate other non-SIS IPL or design change) – SIL4 required by a single SIS? (YES: apply for dispensation to TR2041) – SIL1, SIL2, SIL3 or SIL4 by multiple SIS? – SIL1, SIL2 or SIL3 with TES where further assessment is needed? (YES: Quantitative risk assessment for dedicated scenario). Output: Complete SIL allocation for each SIF & Reporting; SRS, CDD, etc.]

Page 47

Step2 – Identification of SIF

• Design Intent

• Safe State

• Demand mode vs Continuous mode of operation (IEC61511-1 definitions)

Demand mode (PFD): where a specified action (e.g. closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the SIF a potential hazard only occurs in the event of a failure in the process or the PCS.

Continuous mode (PFH): where in the event of a dangerous failure of the safety instrumented function a potential hazard will occur without further failure unless action is taken to prevent it.

A SIF operates in continuous mode when the frequency of demands for operation on the SIF is more than once per year or more than twice the SIF proof test frequency.
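The mode rule quoted on this slide, carried through as an added example that is not part of the original presentation: the classification itself, and the measure each mode is then judged by (PFDavg for demand mode, PFH for continuous mode). The simplified 1oo1 PFDavg formula lambda_DU * TI / 2, the 8760 h/yr conversion and the sample rates are assumptions of the example, not content of the slide.

```python
"""Added example (not from the slides): IEC 61511-1 demand/continuous mode
rule and the measure each mode is judged by. PFDavg uses the simplified 1oo1
approximation lambda_DU * TI / 2 (an assumption of this example); rates are
per year and sample values are constructed.
"""

HOURS_PER_YEAR = 8760.0


def operating_mode(demands_per_year, proof_test_interval_years):
    """Return 'continuous' if demands exceed once per year or twice the
    proof-test frequency, otherwise 'demand' (both limits are strict:
    exactly once per year is still demand mode)."""
    proof_test_frequency = 1.0 / proof_test_interval_years
    if demands_per_year > 1.0 or demands_per_year > 2.0 * proof_test_frequency:
        return "continuous"
    return "demand"


def sif_measure(demands_per_year, proof_test_interval_years, lambda_du_per_year):
    """Return (mode, measure name, value) for a 1oo1 SIF.

    Demand mode is judged by PFDavg = lambda_DU * TI / 2, so the proof-test
    interval is a lever the designer can use to meet the target SIL.
    Continuous mode is judged by PFH = lambda_DU (converted to per hour),
    which proof testing does not improve: the dangerous failure itself is
    the hazard.
    """
    mode = operating_mode(demands_per_year, proof_test_interval_years)
    if mode == "demand":
        return mode, "PFDavg", lambda_du_per_year * proof_test_interval_years / 2.0
    return mode, "PFH", lambda_du_per_year / HOURS_PER_YEAR


if __name__ == "__main__":
    # Constructed: 0.5 demands/yr, proof test every year -> demand mode,
    # because 0.5 <= 1 and 0.5 <= 2 * 1.
    print(sif_measure(0.5, 1.0, 0.01))
    # Same demand rate but proof test only every 5 years: 0.5 > 2 * 0.2,
    # so the SIF must be treated as continuous mode and judged by PFH.
    print(sif_measure(0.5, 5.0, 0.01))
```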