Application of SIL assessment, Bow-tie and API 14C to ensure a thorough Safety Concept
Prepared by:
Fabienne Salimi & Tino Vande Capelle
26 January 2011
Technical Safety Design
Hazard Identification
- HAZID based on ISO 17776 Checklist
- HAZOP
- etc.
Safety Strategy
- Need of Risk Reducing measures
- Role of Risk Reducing measures
Supporting Studies
- Qualitative Risk Analysis
- Quantitative Risk Analysis
- Other Safety Studies
Specific Safety Performance Standards
- Role
- Interfaces & Utilities
- Functional Requirements
- Integrity, Availability and Reliability
- Survivability
Specifications / Philosophies for Safety Systems
Causes of incident identified by HSE (UK)
Safety Barrier Management
Bow-Tie
Safety barrier hierarchy & effectiveness
[Figure: HSE (UK) model of incident causes. The elements Organisation, Work Systems, Equipment & Design and Experience & Competency sit between the Hazard and the Losses.]
This figure shows that systematic failures can occur anywhere in the life cycle. The only reliable way forward is therefore a systematic approach, with the necessary verification, validation and assessment techniques in place under proper functional safety management, carried out by competent people.
API 14C: at least 2 independent & diverse levels of protection

[Figure: API 14C flow chart outline. For each component type the chart links the causes of undesirable events, the undesirable events, the safety device that responds, the consequences of the undesirable events, and the support systems & IPM (Ignition Prevention Measures). Only what can be recovered from the figure is listed here.]

Causes of undesirable events: accident external to the process, mechanical deterioration, process equipment failure, abnormal operating conditions (as opposed to normal operating conditions), high pressure or high level at a downstream component.

Pressure component:
- Overpressure (high pressure): PSH, PSV (d)
- Underpressure (vacuum): PSL, gas make-up
- Release of hydrocarbon (leak): gas detector (ASH), ventilation, FSV (d)

Atmospheric component:
- Overflow (high level): LSH
- Low level (gas blowby): LSL
- Overpressure / underpressure: PSV, vent (e); containment

Fired component (applicable only to fired components):
- Excess temperature (media, process & stack): TSH
- Low flow (limited heat transfer): FSL, TSH
- Excess fuel in the firing chamber during ignition: BSL or TSL (fuel), PSL (air), PSM & PSL
- Flame emission from the air intake (natural draft): air intake flame arrestor (a)
- Spark emission from the stack: stack spark arrestor (b)
- Fuel or air supply control failure (forced draft): motor starter interlock (c)
- Direct ignition source (electrical, others): Ignition Prevention Measures (IPM)

Consequences of undesirable events: a release of hydrocarbon with oxygen and an ignition source gives fire or explosion, leading to personal injury, facility damage or pollution.

LEGEND
(a) Air intake flame arrestor
(b) Stack spark arrestor
(c) Motor starter interlock
(d) For pressure components
(e) For atmospheric components
* Applicable only to fired components
Bow-Tie Diagram, a Life Cycle approach
Hierarchy of Safety Barriers
[Figure: bow-tie for the hazard "Overpressure" with the top event "Gas Release". Incident prevention barriers, in hierarchy order: Design Quality Assurance, Safe Operating Pressure, Structural Integrity, Code Compliance, HAZOP, Process Control Strategy & Tuning, Operating Procedures, High Pressure Trip, Pressure Relief Valve. Multiple failures of these barriers lead to the gas release; post-incident control and mitigation barriers follow the release.]
None of the Safety Barriers is Perfect!
None of the safety barriers is perfect and 100% functional on demand. These flaws are eliminated, reduced or prevented by:
• New technologies
• Increased redundancy
• Shorter test intervals
• Risk based inspection and preventive maintenance
• Procedures (design, procurement, construction, commissioning, maintenance and operation)
[Figure: suitable software, today and in 5 years.]
Semi-Quantitative Approach
LOPA
Risk Reduction by Layers of Protection
[Figure: risk decreasing from the initial risk without reduction measures through successive layers of protection: inherent process stability, basic control systems, pre-alarms, instrumented safety, mechanical devices and other means, down to the tolerable risk and the residual risk.]
LOPA & SIL assessment
Severity level: C = Catastrophic, E = Extensive, S = Serious, M = Minor
Likelihood values are events per year. Other numerical values are average probabilities of failure on demand.

Columns: Ref | Impact event description | Severity level | Initiating cause | Initiation likelihood | Protection layers (PLs): general process design / BPCS / alarms / additional mitigation, restricted access / IPL additional mitigation, bunds, PRV | Intermediate event likelihood | SIF PFD | Mitigated event likelihood

Ref | Impact event                                           | Sev | Initiating cause           | Init. | Process design | BPCS | Alarms | Restricted access | Bunds, PRV | Intermediate | SIF PFD  | Mitigated
1a  | Fire from distillation column rupture (individual risk) | S   | Loss of cooling water      | 0.5   | 1              | 0.1  | 0.1    | 0.1               | 1          | 5.00E-04     | 1.00E-02 | 5.00E-06
1b  | Four fatality case                                      | E   | Loss of cooling water      | 0.5   | 1              | 0.1  | 0.1    | 0.08              | 1          | 4.00E-04     | 1.00E-03 | 4.00E-07
2   | Fire from distillation column rupture (individual risk) | S   | Steam control loop failure | 1     | 0.1            | 1    | 0.1    | 0.1               | PRV 0.01   | 1.00E-05     | 1.00E-02 | 1.00E-07

Notes (all rows): high pressure causes column rupture.
In this example the fire from the distillation column rupture is taken as the “impact event” for both “loss of cooling water” and “steam control loop failure”, treated as independent scenarios with no interaction between them.
Loops are in interaction!
If the interaction between the condenser cooling and the reboiler heating systems is considered in this LOPA, the severity of both cases is ranked as “Catastrophic”, with possible impact on public safety and property damage.
Therefore a more stringent SIF PFD (a higher SIL) is required for both loops.
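The LOPA arithmetic behind the table, as an added worked example (not the authors' spreadsheet): each row multiplies the initiation likelihood by the PFD of every credited layer to get the intermediate event likelihood, then by the SIF PFD to get the mitigated likelihood. The SIL bands are the IEC 61508 low-demand bands; the target frequency passed to `required_sif_pfd()` is an assumed value, since the presentation states none.

```python
"""LOPA worked example for the table above (added illustration, not the
authors' spreadsheet).  Frequencies are events per year, other values are
average probabilities of failure on demand.  The SIL bands are the IEC
61508 low-demand bands; the target frequency passed to required_sif_pfd()
is an assumed value, the presentation does not state one."""
from dataclasses import dataclass, field
from math import prod


@dataclass
class LopaScenario:
    ref: str
    impact_event: str
    severity: str                   # C, E, S or M
    initiating_cause: str
    initiation_likelihood: float    # events per year
    # protection layers other than the SIF, with their PFDs;
    # 1.0 means the layer is in the table but takes no credit
    ipl_pfds: dict = field(default_factory=dict)
    sif_pfd: float = 1.0            # PFD of the safety instrumented function

    def intermediate_likelihood(self) -> float:
        """Initiating frequency after every non-SIF layer has acted."""
        return self.initiation_likelihood * prod(self.ipl_pfds.values())

    def mitigated_likelihood(self) -> float:
        """Frequency reaching the impact event once the SIF is credited too."""
        return self.intermediate_likelihood() * self.sif_pfd


def sil_from_pfd(pfd: float) -> str:
    """IEC 61508 low-demand SIL band for an average PFD."""
    bands = [(0.1, "no SIL requirement"), (0.01, "SIL1"), (0.001, "SIL2"),
             (0.0001, "SIL3"), (0.00001, "SIL4")]
    for lower, name in bands:
        if pfd >= lower:
            return name
    return "beyond SIL4"


def required_sif_pfd(scenario: LopaScenario, target_frequency: float) -> float:
    """PFD the SIF must reach so that the mitigated frequency meets the
    target: the LOPA gap that fixes the SIL of the function."""
    return target_frequency / scenario.intermediate_likelihood()


# The three rows of the LOPA table on this page
LOPA_ROWS = [
    LopaScenario("1a", "Fire from distillation column rupture (individual risk)",
                 "S", "Loss of cooling water", 0.5,
                 {"process design": 1, "BPCS": 0.1, "alarms": 0.1,
                  "restricted access": 0.1, "bunds/PRV": 1}, sif_pfd=1.00e-2),
    LopaScenario("1b", "Four fatality case", "E", "Loss of cooling water", 0.5,
                 {"process design": 1, "BPCS": 0.1, "alarms": 0.1,
                  "restricted access": 0.08, "bunds/PRV": 1}, sif_pfd=1.00e-3),
    LopaScenario("2", "Fire from distillation column rupture (individual risk)",
                 "S", "Steam control loop failure", 1,
                 {"process design": 0.1, "BPCS": 1, "alarms": 0.1,
                  "restricted access": 0.1, "PRV": 0.01}, sif_pfd=1.00e-2),
]


def lopa_summary(rows=LOPA_ROWS):
    """One record per row: intermediate and mitigated likelihood plus the
    SIL band the credited SIF PFD falls in."""
    return [(r.ref, r.intermediate_likelihood(), r.mitigated_likelihood(),
             sil_from_pfd(r.sif_pfd)) for r in rows]


if __name__ == "__main__":
    for ref, inter, mit, sil in lopa_summary():
        print(f"{ref:>3}  intermediate {inter:.2e}/yr  mitigated {mit:.2e}/yr  SIF {sil}")
    # assumed target of 1E-05 /yr for the serious individual-risk case
    need = required_sif_pfd(LOPA_ROWS[0], 1e-5)
    print(f"row 1a needs SIF PFD <= {need:.3f} -> {sil_from_pfd(need)}")
```

The point of `required_sif_pfd()` is the direction of the argument in the text: when the severity of a scenario is raised (here from Serious to Catastrophic), the target frequency for it drops, the required PFD drops with it, and the SIF moves into a higher SIL band.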
Semi-Quantitative Approach
Risk Graphs
Calibrated Risk Graphs & SIL Assessment

Consequence category against demand rate category (time between demands). Cell entries are the SIL required; a1 and a2 carry no SIL requirement and X is intolerable.

Demand rate categories: D0 negligible demand; D1 more than 20 years between demands; D2 4-20 years; D3 0.5-4 years; D4 0-0.5 years.

Cat | Health & Safety (S)            | Economic (L)             | Environment (E)  | D0 | D1 | D2 | D3   | D4
S0  | No injury or health effect     | No loss                  | No effect        | -  | -  | -  | -    | -
S1  | Slight injury or health effect | Slight loss, <10K USD    | Slight effect    | -  | -  | a1 | a2   | a2
S2  | Minor injury or health effect  | Minor loss, 10-100K USD  | Minor effect     | -  | a1 | a2 | 1    | 2
S3  | Major injury or health effect  | Local loss, 0.1-1M USD   | Localised effect | -  | a2 | 1  | 2    | 3
S4  | 1-3 fatalities                 | Major loss, 1-10M USD    | Major effect     | -  | 1  | 2  | 3    | 4(X)
S5  | Multiple fatalities            | Extensive loss, >10M USD | Massive effect   | -  | 2  | 3  | 4(X) | X

Correction to the SIL from the table, by exposure and possibility to avert danger:

Possibility to avert danger                   | Exposure very rare (1), <10 man-minutes/day | Occasionally (2), <6 man-hours/day | Frequently to continuously (3), >6 man-hours/day
Little or none (3)                            | -1 | 0  | 0
In some circumstances (2), >25 % of cases     | -1 | -1 | 0
In almost all circumstances (1)               | -2 | -1 | -1
IPF Safety Integrity Level (SIL)

Risk graph output | Safety Integrity Level (SIL) | Required PFD             | IPS Approval (AK Class)
a1                | No requirements              | -                        | -
a2                | No requirements              | -                        | 1
1                 | SIL1                         | 0.01 ≤ PFD < 0.1         | 3
2                 | SIL2                         | 0.001 ≤ PFD < 0.01       | 4
3                 | SIL3                         | 0.0001 ≤ PFD < 0.001     | 5
4                 | SIL4                         | 0.00001 ≤ PFD < 0.0001   | 7
X                 | Intolerable                  | -                        | 8
Is a SIL3 protection against gas ingress required?
[Figure: bow-tie for gas ingress. A source of fuel and a source of ignition lead to explosion & fire, which escalates to adjacent equipment.]
A 2oo3 gas detection, logic and two dampers are required to achieve SIL3.

Exposure time and possibility to avert danger
Depending on the judgement of the SIL assessment team on “exposure time” and “possibility to avert danger”, the following factors can reduce the SIL requirement for gas ingress protection to SIL1 or SIL2:
• Probability of adverse wind direction
• Size of gas release
• Distance between the source of fuel and the release
• Fuel inventory and duration of release
• Congestion of the process area and natural ventilation between the source of fuel and the source of ignition
• F&G ESD for the process area
• Blowdown facilities at the process equipment
A SIL2 gas ingress protection system is achievable with 2oo3 gas detection, logic and one damper, and is in line with common practice in the oil & gas industry.
Quantitative SIL assessment
Combination of Event & Fault Trees

[Figure: event tree. Initiating event: release, at the leak frequency (1/yr). First branch, immediate ignition? Yes: jet fire. No: second branch, delayed ignition? Yes: explosion or flash fire. No: dispersion.]

[Figure: fault tree feeding the event tree. Initiating event: incorrect fitting of flanges or bolts during maintenance. Barrier functions, each split into "detect failure" and "failure revealed" branches and combined through OR and AND gates: self-control / checklist; control of work / inspection; leak test; detection of the release prior to normal production (steady state). Top event: release, whose consequences are developed in the event tree.]
Overpressure Scenarios

Fault tree FAT-OV.1T, total overpressure demand frequency 1.3E-02 /yr, the sum of the scenarios:

Ref | Undesirable event                         | Fault tree | Frequency (1/yr)
S1  | Compressor overspeed                      | FAT-OV.1a  | 8.3E-03
S2  | Block outlet (mode series)                | FAT-OV.1b  | 3.2E-03
S3  | Block outlet (mode parallel)              | FAT-OV.1c  | 1.2E-03
S4  | HP/LP interface failure (300 to 210 barg) | FAT-OV.1d  | 9.83E-09
S5  | HP/LP interface failure (210 to 144 barg) | FAT-OV.1e  | 8.4E-05
S6  | Seal failure (start up)                   | FAT-OV.1f  | 2.5E-04
S7  | Fast changeover                           | FAT-OV.1g  | 1.0E-04

Safeguarding event tree (HIPPS, SIL2). Risk per scenario = frequency x branch probability x consequence index Ci.

HIPPS works (safe shutdown): probability 0.999, Ci = 10, all scenarios 1.3E-02 /yr
  R1 0.083 ALARP; R2 0.032 ALARP; R3 0.012 ALARP; R4 9.8E-08 tolerable risk; R5 0.001 tolerable risk; R6 0.002 ALARP; R7 0.001 tolerable risk

HIPPS fails (catastrophic rupture): probability 0.0009 (overpressure safeguarding failure, FAT-SF.1), Ci = 100000, all scenarios 1.2E-05 /yr
  R1 0.76 ALARP; R2 0.30 ALARP; R3 0.11 ALARP; R4 9.01E-07 tolerable risk; R5 0.01 ALARP; R6 0.02 ALARP; R7 0.01 ALARP

Fault tree FAT-SF.1, overpressure safeguarding failure: CSU 9.17E-04, SIL3. OR of:
  FAT-SF.1a, detection or logic failure: CSU 7.36E-07, SIL4. AND of:
    PSH, detection or command by ESD trip: CSU 6.04E-03, SIL2. OR of:
      PSH.a, 1PZA-HH-5106, no voting: PFD 1.31E-03, CSU 1.61E-03, SIL2
      PSH.b, logic including I/O card (single PLC): PFD 4.38E-03, CSU 4.43E-03, SIL2
    HIPPS, detection or command by HIPPS: CSU 1.22E-04, SIL3. OR of:
      HIPPS.a, 1PZA-2p631/2/3, 2oo3 voting: PFD 6.31E-05, CSU 7.75E-05, SIL4
      HIPPS.b, logic including I/O card (single PLC): PFD 4.38E-05, CSU 4.43E-05, SIL4
  FAT-SF.1b, ESD actions: PFD 9.16E-04, CSU 9.16E-04, SIL3
    Fail to stop compressor (1oo2)
    Open surge valves (this action is not vital; it helps for a smooth and surge-free ESD)

Sensitivity to the time of test (client data for time of test: t = 48 months):
  Mod-1, t(M1) = 36 months: PFD(M1) 6.87E-04, CSU(M1) 6.88E-04, SIL(M1) SIL3
  Mod-2, t(M2) = 24 months: PFD(M2) 4.58E-04, CSU(M2) 4.59E-04, SIL(M2) SIL3
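The fault tree and event tree above, quantified as an added example (not the authors' tool). OR gates use the rare-event approximation (probabilities summed, which is what the page's totals show) and AND gates the product of independent probabilities; the proof-test scaling reproduces Mod-1 and Mod-2. The tolerable-risk threshold is an assumption chosen because it reproduces every ALARP / tolerable label on the page; the presentation does not state its criterion.

```python
"""Quantification of the overpressure fault tree FAT-SF.1 and of the
HIPPS works / fails event tree above.  Added example, not the authors'
tool.  OR gates use the rare-event approximation (probabilities summed,
as the page's totals show), AND gates the product of independent
probabilities.  TOLERABLE_RISK is an assumed criterion that reproduces
the page's labels; the presentation does not state its own."""

BASE_TEST_INTERVAL_MONTHS = 48   # client data for time of test
CI_HIPPS_WORKS = 10              # consequence index, safe shutdown
CI_HIPPS_FAILS = 100_000         # consequence index, catastrophic rupture
TOLERABLE_RISK = 1e-3            # assumed criterion, same risk units as the page

# Leaf CSU values of FAT-SF.1 as read from the fault tree
PSH_A = 1.61e-3        # 1PZA-HH-5106, no voting
PSH_B = 4.43e-3        # ESD logic incl. I/O card, single PLC
HIPPS_A = 7.75e-5      # 1PZA-2p631/2/3, 2oo3
HIPPS_B = 4.43e-5      # HIPPS logic incl. I/O card, single PLC
ESD_ACTIONS = 9.16e-4  # FAT-SF.1b: fail to stop compressor (1oo2)

# Overpressure demand scenarios, frequency in events per year
SCENARIOS = {
    "S1": ("Compressor overspeed", 8.3e-3),
    "S2": ("Block outlet (mode series)", 3.2e-3),
    "S3": ("Block outlet (mode parallel)", 1.2e-3),
    "S4": ("HP/LP interface failure (300 to 210 barg)", 9.83e-9),
    "S5": ("HP/LP interface failure (210 to 144 barg)", 8.4e-5),
    "S6": ("Seal failure (start up)", 2.5e-4),
    "S7": ("Fast changeover", 1.0e-4),
}


def or_gate(*probs):
    """Rare-event approximation: P(A or B) ~ P(A) + P(B)."""
    return sum(probs)


def and_gate(*probs):
    """Independent events: P(A and B) = P(A) * P(B)."""
    result = 1.0
    for p in probs:
        result *= p
    return result


def safeguarding_failure(test_interval_months=BASE_TEST_INTERVAL_MONTHS):
    """CSU of FAT-SF.1: safeguarding fails when both the ESD trip (PSH) and
    the HIPPS fail to detect/command, OR the ESD actions fail.  The
    unavailability of a proof-tested function scales linearly with its
    test interval, which is how the 36- and 24-month cases are derived
    from the 48-month base."""
    detection = and_gate(or_gate(PSH_A, PSH_B), or_gate(HIPPS_A, HIPPS_B))
    scale = test_interval_months / BASE_TEST_INTERVAL_MONTHS
    return or_gate(detection, ESD_ACTIONS) * scale


def total_demand():
    """FAT-OV.1T: overpressure demand frequency, the sum of all scenarios."""
    return sum(freq for _, freq in SCENARIOS.values())


def classify(risk):
    """Risk label as used on the page."""
    return "Tolerable risk" if risk < TOLERABLE_RISK else "ALARP"


def scenario_risk(frequency, pfd_hipps):
    """Event-tree branches: risk = frequency x branch probability x Ci."""
    works = frequency * (1 - pfd_hipps) * CI_HIPPS_WORKS
    fails = frequency * pfd_hipps * CI_HIPPS_FAILS
    return works, fails


def risk_table(test_interval_months=BASE_TEST_INTERVAL_MONTHS):
    """Per-scenario risk on both HIPPS branches, with classification."""
    pfd = safeguarding_failure(test_interval_months)
    rows = []
    for ref, (name, freq) in SCENARIOS.items():
        works, fails = scenario_risk(freq, pfd)
        rows.append((ref, name, works, classify(works), fails, classify(fails)))
    return rows


if __name__ == "__main__":
    print(f"FAT-OV.1T demand {total_demand():.2e}/yr, "
          f"FAT-SF.1 CSU {safeguarding_failure():.2e}")
    for months in (48, 36, 24):
        print(f"  test interval {months:2d} months -> CSU {safeguarding_failure(months):.2e}")
    for ref, name, w, wc, f, fc in risk_table():
        print(f"{ref} {name:<42} works {w:.2e} {wc:<14} fails {f:.2e} {fc}")
```

Changing `test_interval_months` in `risk_table()` shows what the page's Mod-1 and Mod-2 buy on the "HIPPS fails" branch: the frequency of the catastrophic branch falls in proportion to the shorter proof-test interval while the "works" branch is essentially unchanged.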
Event Tree IS-01

[Figure: event tree for the isolatable section IS-01 (gas, medium module) with the ESD system as the barrier. Only the values recoverable from the figure are listed.]

Release data: M = 26948 kg, rate 12.0 kg/s, T = 37 min, continuous release, leak frequency Fr = 3.7E-02 /yr; Lflame @ 5 min = 21 m, DJet-Target = 10 m, X340 mbar = 22 m; automatic BD: no; flange guard: no. F&G detection probability 0.9562. Ignition probabilities: jet fire 0.105, explosion 0.001, flash fire 0.030.

ESD system works (limited release):
  Jet fire: F 3.7E-03 /yr, CA 100000, CRed 100, FRed 3.7E-04 /yr, RRed 0.03 (ALARP); risk reduction required 367
  Explosion: F 3.2E-05 /yr, CA 100000, CRed 10000, FRed 3.25E-06 /yr, RA 3.2, RRed 0.03 (ALARP); risk reduction required 3.2

ESD system fails (release, medium; escalation), ignition probabilities: jet fire 0.105, explosion 0.009, flash fire 0.301:
  Jet fire escalates: F 1.7E-04 /yr, CA 100000, CRed 100, FRed 2.30E-05 /yr; risk reduction required 16.8
  Explosion escalates: F 1.5E-05 /yr, CA 100000, CRed 100000, FRed 2.03E-06 /yr, RRed 0.2 (ALARP); risk reduction required 1.5

SIL assessment for ESD: target risk 1; max. risk without ESD 2.61E-03; risk reduction required 383; required PFD 0.002; required SIL: SIL2.
Fault Tree FAT-IS-02a, ESD System

Case                                                | PFD      | CSU      | SIL  | CSU(M)   | SIL(M)
ESD system with gas detection only (explosion case) | 2.98E-02 | 2.99E-02 | SIL1 | 8.95E-03 | SIL2
ESD system with F&G detection (fire case)           | 3.00E-02 | 3.01E-02 | SIL1 | 9.09E-03 | SIL2
(M: after the modifications listed below)

The top event is the OR of three branches:

FAT-IS-02b, fire & gas detection: PFD 9.59E-09, CSU 6.43E-05, SIL4. AND of:
  FAT-IS-02b.1 Gas (HP present): point GD in area, 1oo2; acoustic GD in area: none
  FAT-IS-02b.2 Operator: absent, PFD 1.0, CSU 1.0, SIL0
  FAT-IS-02b.3 Fire (HP absent, MP absent): UV/IR flame detector in area, 1oo2; heat detector in area: none

FAT-IS-02c, ESD logic: programmable safety system, single system, PFD 4.38E-03, CSU 4.43E-03, SIL2

FAT-IS-02d, isolation of injection compressors: PFD 2.54E-02, CSU 2.54E-02, SIL1; after modifications PFD(M) 4.45E-03, CSU(M) 4.46E-03, SIL(M) SIL2. OR of:
  FAT-IS-02d.2 inlet ESD valve (tag 1ESD-2p10): PFD 1.27E-02, CSU 1.27E-02, SIL1
  FAT-IS-02d.3 outlet ESD valve (compressor output ESD): PFD 1.27E-02, SIL1
  Compressor output control valve, tag 1PCV-2p15: PFD 1.00E+00, SIL0 (no ESD function)

Modifications:
  Mod-1: 1oo2 solenoid valve on the ESDVs
  Mod-2: test interval t reduced from 12 to 6 months
  Mod-3: change 1PCV-2p15 to a dual ESD and control function valve: PFD 7.45E-03, CSU 7.46E-03, SIL2
  Each ESDV after Mod-1 and Mod-2: PFD(M) 4.42E-03, CSU(M) 4.43E-03, SIL(M) SIL2
  Outlet ESDV AND 1PCV-2p15 after Mod-3: PFD(M) 3.29E-05, CSU(M) 3.30E-05, SIL(M) SIL4
  p = 1 to 3
Common Cause & Systematic failures

Component reliability data used in the fault trees, ref. SINTEF-2004(8). t is the test interval in months; λDU and λSTU are failure rates per hour; PSF is the probability of systematic failure; TIF the test-independent failure contribution; βTIF and βPFD the common-cause factors; CkooN the voting correction factor. CSU = PFD + PSF.

ESV / XV: main valve including actuator, not including pilot valve
  Testing: incomplete functional; t = 12; λDU 2.00E-06; λSTU 2.70E-06; PSF 1.00E-05; TIF 2.28E-09; βTIF 5 %; βPFD 2 %; No. 1; no voting
  PFD 8.76E-03; CSU 8.77E-03; SIL(CSU) SIL2; PST 1.75E-02

Pilot / solenoid valve: pilot valve on hydraulically or pneumatically operated, process or wellhead, shutoff or ESV/XV valves
  Testing: incomplete functional; t = 12; λDU 9.00E-07; λSTU 1.30E-06; PSF 1.00E-03; TIF 2.28E-07 (included in the TIF for the main valve); βPFD 2 %; No. 1; no voting
  PFD 3.94E-03; SIL(CSU) SIL2; PST 1.18E-02

ESV / XV including its pilot / solenoid valve (OR of the two): PFD 1.27E-02; PSF 1.00E-05; CSU 1.27E-02; SIL(PFD) SIL1; SIL(CSU) SIL1

Process switch (conventional): pressure switch including sensor and pneumatic switch, without sensing line, on different valves
  t = 12; λDU 9.00E-07; λSTU 1.60E-06; βTIF 10 %; βPFD 5 %; CkooN 2.40
  No voting (No. 1): PFD 3.94E-03; CSU 5.69E-03; SIL(CSU) SIL2
  2oo3 voting: PFD 8.41E-04; PSF 1.20E-04; CSU 9.61E-04; SIL(CSU) SIL3; PST 3.94E-04
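How the component PFDs in the data sheet above follow from the failure rates and the test interval, as an added example (not the authors' spreadsheet). It uses the simplified IEC 61508-6 equations for proof-tested elements (dangerous undetected failures only, repair time neglected, identical channels, beta-factor common cause); the 1oo1 values, CSU = PFD + PSF and the ESDV figures match the page, but the page's own 2oo3 pressure-switch value was produced with the PDS method and its CkooN factor, which this block does not reproduce. The 1oo2 and 2oo3 β values are taken from the βPFD column of the data sheet.

```python
"""PFD of proof-tested elements from the SINTEF-2004 data above (added
example, not the authors' spreadsheet).  Simplified IEC 61508-6
equations: dangerous undetected failures only, repair time neglected,
identical channels, beta-factor common-cause model.  The page's 2oo3
pressure-switch value (PDS method, CkooN factor) is not reproduced."""
HOURS_PER_MONTH = 8760 / 12

# Dangerous undetected failure rates per hour, ref. SINTEF-2004(8)
LAMBDA_DU_ESV = 2.0e-6     # ESV/XV main valve incl. actuator
LAMBDA_DU_PILOT = 9.0e-7   # pilot / solenoid valve
LAMBDA_DU_PS = 9.0e-7      # conventional pressure switch
PSF_ESV = 1.0e-5           # probability of systematic failure, main valve


def pfd_1oo1(lam_du, months):
    """Single channel: PFDavg = lambda_DU * T / 2."""
    t = months * HOURS_PER_MONTH
    return lam_du * t / 2


def pfd_1oo2(lam_du, months, beta):
    """Two channels, either one trips: independent term plus the
    beta-factor common-cause term."""
    t = months * HOURS_PER_MONTH
    ind = (1 - beta) * lam_du
    return ind ** 2 * t ** 2 / 3 + beta * lam_du * t / 2


def pfd_2oo3(lam_du, months, beta):
    """Three channels, two must agree: independent term plus the
    beta-factor common-cause term."""
    t = months * HOURS_PER_MONTH
    ind = (1 - beta) * lam_du
    return ind ** 2 * t ** 2 + beta * lam_du * t / 2


def csu(pfd, psf):
    """Critical safety unavailability as used on the page: PFD plus the
    probability of systematic failure."""
    return pfd + psf


def sil_band(unavailability):
    """IEC 61508 low-demand SIL band for a PFD or CSU value."""
    for lower, name in ((0.1, "no SIL"), (0.01, "SIL1"), (0.001, "SIL2"),
                        (0.0001, "SIL3"), (0.00001, "SIL4")):
        if unavailability >= lower:
            return name
    return "beyond SIL4"


def esdv_pfd(months, pilot_voting="1oo1", beta_pfd=0.02):
    """ESV/XV with its pilot: the valve fails to close if the main valve
    OR the pilot fails (rare-event sum).  Mod-1 on the page makes the
    pilot 1oo2, Mod-2 halves the test interval."""
    main = pfd_1oo1(LAMBDA_DU_ESV, months)
    if pilot_voting == "1oo2":
        pilot = pfd_1oo2(LAMBDA_DU_PILOT, months, beta_pfd)
    else:
        pilot = pfd_1oo1(LAMBDA_DU_PILOT, months)
    return main + pilot


def max_test_interval_months(lam_du, target_pfd):
    """Longest proof-test interval at which a 1oo1 element still meets a
    target PFD: the inverse of pfd_1oo1."""
    return 2 * target_pfd / lam_du / HOURS_PER_MONTH


if __name__ == "__main__":
    p = pfd_1oo1(LAMBDA_DU_ESV, 12)
    print(f"ESV main valve, 12 months: PFD {p:.2e}, CSU {csu(p, PSF_ESV):.2e} "
          f"({sil_band(csu(p, PSF_ESV))})")
    print(f"pilot valve, 12 months: PFD {pfd_1oo1(LAMBDA_DU_PILOT, 12):.2e}")
    print(f"ESDV as installed (12 months, 1oo1 pilot): {esdv_pfd(12):.2e}")
    print(f"ESDV after Mod-1/Mod-2 (6 months, 1oo2 pilot): {esdv_pfd(6, '1oo2'):.2e}")
    print(f"pressure switch 2oo3, 12 months, beta 5 %: "
          f"{pfd_2oo3(LAMBDA_DU_PS, 12, 0.05):.2e}")
    print(f"main valve must be tested at least every "
          f"{max_test_interval_months(LAMBDA_DU_ESV, 4.38e-3):.0f} months "
          f"to hold PFD 4.38E-03")
```

The two levers the page pulls are visible in `esdv_pfd()`: halving the test interval halves every 1oo1 term, and voting the pilot 1oo2 leaves only the β-limited common-cause term, so the pilot's contribution drops by roughly two orders of magnitude while the main valve becomes the dominant term.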
Thank You for your
Kind Attention!