Training Functional Safety 05 - Sil Allocation and Classification Rev0.2
Transcript of Training Functional Safety 05 - Sil Allocation and Classification Rev0.2
FUNCTIONAL SAFETY TRAINING
05 - SIL ALLOCATION AND CLASSIFICATION
Dr. Ing. Carlo Lebrun - Functional Safety Training
WHAT IS A SIL CLASSIFICATION?
CLASSIFY THE RISKS IN ORDER TO CLASSIFY THE PROTECTIONS
FREQUENT SCENARIOS FOR SIL CLASSIFICATION
1 – A NEW PLANT, JUST AFTER THE HAZOP STUDY (RISKS ARE IDENTIFIED BY THE HAZOP)
2 – AN EXISTING PLANT, AN EXISTING SIS (AN ESD) (RISKS HAVE BEEN IDENTIFIED WHEN THE ESD WAS DESIGNED)
1 … JUST AFTER THE HAZOP STUDY
Browse all the consequences
Select the ones with possible damage to:
- Personnel
- Loss of production or damage to equipment
- Environment
1 … JUST AFTER THE HAZOP STUDY
ID | DEVIATION | CAUSES | CONSEQUENCES | SAFEGUARD | RECOMMENDATION | ACTION BY
1-1 | NO FLOW | Station Shutdown | Station Shutdown, with system under pressure | Design Pressure is the same as Upstream Unit | |
1-2 | NO FLOW | No Flow from Battery Limit | No effect for this node | | |
1-3 | NO FLOW | Closure of SDV101 | As Station Shutdown | | |
1-4 | NO FLOW | Exchanger Blockage | Not Credible | | |
1-5 | NO FLOW | Accidental Closure of Manual Isolation Valve | Sudden reduction of pressure in exchanger shell and piping. Valve closure takes about 10'. | Compressor Suction Trip (PT118A), antisurge system (PT109A), trip prealarm | |
1-6 | REVERSE FLOW | Low pressure upstream | No effect for this node | | |
1-7 | MORE FLOW | More flow from upstream | Not Credible. Note: Pipeline is 66 km long (24") | | |
1-8 | MORE FLOW | Safety valve bypass open | Loss of inventory | Spectacle blind, and locked close valve | |
1-9 | LESS FLOW | Not reviewed. Same as NO FLOW case. | | | |
1-10 | MORE LEVEL | Not applicable | | | |
1-11 | LESS LEVEL | Not applicable | | | |
1-12 | MORE PRESSURE | Not reviewed. Same as NO FLOW. | | | |
1-13 | MORE PRESSURE | Fire | Pressure Increase. Piping and equipment rupture. | PSV are designed for fire case. Fire&Gas system, causing automatic shutdown. | SIL analysis |
1-14 | MORE PRESSURE | One compressor trip with other running. | Pressure increase, within the design pressure limit. | Design Pressure. | |
1-15 | LESS PRESSURE | Upstream low pressure. | None for this node. The decrease of pressure will be gradual because of the pipeline length. | Pressure indicators at compressor suction. | |
1-16 | LESS PRESSURE | Compressor suction giving low pressure. | None for this node. | Compressor control & protection. | |
RISK REDUCTION (AS REQUIRED BY IEC61508)
[Figure: risk scale running from Risk (no protection) down to Acceptable Risk; the distance between the two is the Required Risk Reduction]
SIL is an index of the Required Risk Reduction.
In other words: how much do I have to reduce the risk?
For IEC61508 compliance: as a minimum I need to reduce my risk by at least the risk reduction that my SIL corresponds to.
2 … FOR AN EXISTING SIS
Analyze all implemented protections
(all SIFs in the SIS)
SIL CLASSIFICATION AS PER IEC61508
SIL classification is normally implemented through independent assessments concerning:
- Personnel Safety
- Equipment / Production Loss
- Environmental Damage
Users could use fewer/more/other assessments, providing the dedicated custom risk matrix.
SIL CLASSIFICATION: PERSONNEL SAFETY
[Figure: risk graph for personnel safety; its parameters and resulting SIL table are given below]
CONSEQUENCE
• C1 Minor injury
• C2 Serious injury, single death
• C3 Some deaths
• C4 Many deaths
FREQUENCY OF EXPOSURE
• F1 Rare to frequent
• F2 Frequent to continuous
AVOIDANCE
• P1 Sometimes possible
• P2 Almost impossible
OCCURRENCE PROBABILITY
• W1 Very slight
• W2 Slight
• W3 Relatively high

Risk graph branch | W3 | W2 | W1
C1 | a | - | -
C2 F1 P1 | SIL1 | a | -
C2 F1 P2, C2 F2 P1 | SIL2 | SIL1 | a
C2 F2 P2 | SIL3 | SIL2 | SIL1
C3 F1 P1 | SIL3 | SIL2 | SIL1
C3 F1 P2, C3 F2 P1 | SIL4 | SIL3 | SIL2
C3 F2 P2, C4 | b | SIL4 | SIL3
a = no safety requirement / b = single SIS not enough
SIL CLASSIFICATION: EQUIPMENT/PRODUCTION LOSS
L – LOSS OF EQUIPMENT/PRODUCTION
• L1 - minor operational upset, minor damage to equipment;
• L2 - moderate operational upset, moderate damage to equipment;
• L3 - major operational upset, major damage to equipment;
• L4 - major damage to essential equipment.
W - OCCURRENCE PROBABILITY
• W1 Very slight
• W2 Slight
• W3 Relatively high

| W3 | W2 | W1
L1 | - | - | -
L2 | a | a | -
L3 | SIL1 | SIL1 | a
L4 | SIL2 | SIL2 | SIL1
a = no safety requirement
SIL CLASSIFICATION: ENVIRONMENTAL DAMAGE
E - ENVIRONMENT
• E1 – Minor damage;
• E2 – Release limited within complex fence;
• E3 – Release outside complex fence with temporary but major damage to the environment.
W - OCCURRENCE PROBABILITY
• W1 Very slight
• W2 Slight
• W3 Relatively high

| W3 | W2 | W1
E1 | SIL2 | SIL1 | a
E2 | SIL3 | SIL3 | SIL2
E3 | b | SIL4 | SIL3
a = no safety requirement / b = single SIS not enough
SITE OR PROJECT CUSTOM DEFINITIONS
Generic definitions included in the general graphs should be defined in detail for the specific site or project.
An example:
• minor damage (E1): moderate leak from gaskets or seal; release to atmosphere from a relief valve; small scale liquid spill contained on the location; small scale soil pollution not affecting ground water;
• release limited to fence (E2): hazardous gas cloud travelling beyond the unit limit; liquid release not collected by drain system that could spill into surface water or ground water;
• temporary but major damage (E3): release to atmosphere that causes temporary damage to fauna, plant, property; liquid spill into surface water; solid fallout following operational upset.
SAME OVERPRESSURE RISK. AND SAME SIL?
GAS TO FLARE
GAS TO SUBSEA PIPELINE
WATER TO FIRE FIGHTING
RESULTS OF SIL CLASSIFICATION
FREQUENT RESULTS IN OIL & GAS INSTALLATIONS
SIL4 0%
SIL3 5%
SIL2 80%
SIL1 10%
No (special) safety requirements 5%
INDEPENDENT PROTECTION LAYERS
RISK REDUCTION IS NORMALLY ACHIEVED BY
• ONE SINGLE PROTECTION (if proper SIL)
• MORE INDEPENDENT PROTECTIONS
RISK REDUCTION (IMPLEMENTED)
MORE INDEPENDENT PROTECTIONS FIGHT AGAINST THE SAME RISK
[Figure: risk scale from Risk (no protection) down to Residual Risk (with protection), which lies below the Acceptable Risk; Protection layer 1, Protection layer 2 and Protection layer 3 each contribute a share of the Required Risk Reduction, and their total is the Achieved Risk Reduction]
LOPA (Layers Of Protection Analysis)
LOPA GIVES A GLOBAL VIEW OF THE IMPORTANCE OF EACH PROTECTION IMPLEMENTED.
IT IS USEFUL AS:
- AN ALTERNATIVE METHOD TO SIL CLASSIFICATION
- A WAY TO COMPARE THE SAFETY OF DIFFERENT DESIGN OPTIONS
(INDEPENDENT) LAYERS OF PROTECTION
[Figure: onion diagram of the protection layers, listed here from the innermost outwards]
PREVENTION
- Process Design
- Control & Monitoring, Alarms
- Safety Instrumentation Systems
MITIGATION
- Mechanical Protection (PSV)
- Mechanical Segregation & Containment
- Plant Emergency Response
- Community Emergency Response
LOPA SIMPLIFIED FLOW CHART
[Figure: flow chart; the steps, in the order of the LOPA form columns, are]
1 – SELECT RISKs (from HAZOP)
2 – ESTIMATE THE RISK FREQUENCY
3 – ESTIMATE EFFECT OF PROCESS DESIGN
4 – ESTIMATE EFFECT OF CONTROL SYSTEM
5 – ESTIMATE EFFECT OF OPERATOR REACTIONs TO ALARMs
6 – ESTIMATE EFFECT OF SIS
7 – ESTIMATE EFFECT OF ANY OTHER IPL (eg PSV)
8 – ESTIMATE REDUCED RISK FREQUENCY
9 – IS RISK ACCEPTABLE?
LOPA REFERENCE VALUES: PROTECTIONS
INDEPENDENT PROTECTION LAYER | PROBABILITY OF FAILURE ON DEMAND
Control loop (DCS control action) | 1 * 10^-1
Pressure Safety Valve | 1 * 10^-2
Operator reacting to alarms | 1 * 10^-1
Operator normal activity (no stress) | 1 * 10^-2
Vessel pressure rating | 1 * 10^-4
LOPA REFERENCE VALUES: ACCIDENTS
INITIATING EVENT | FREQUENCY (times / year)
Check valve fails to check fully | 1 x 10^0
Check valve sticks shut | 1 x 10^-2
Regulator fails | 1 x 10^-1
Safety valve opens or leaks through badly | 1 x 10^-2
Pressure vessel fails catastrophically | 1 x 10^-6
Atmospheric tank failure | 1 x 10^-3
Small orifice (≤ 2") vessel release | 1 x 10^-3
Cooling water failure | 1 x 10^-1
Power failure | 1 x 10^0
Instrument air failure | 1 x 10^-1
Pipe fails (large release) for ≤ 6" pipe | 1 x 10^-5
Pipe fails (large release) for > 6" pipe | 1 x 10^-6
Piping leak – minor - per each 50 ft. | 1 x 10^-3
Piping rupture or large leak – per each 50 ft. | 1 x 10^-5
External impact by vehicle (assuming guards are in place) | 1 x 10^-2
LOPA FORM
Columns of the LOPA form:
- EVENT AND TOLERABLE PROBABILITY
- INITIATING CAUSE & PROBABILITY
- IPL1 and PFD (DESIGN)
- IPL2 and PFD (DCS)
- IPL3 and PFD (Operator)
- IPL4 and PFD (SIS)
- IPL5 and PFD (PSV)
- MITIGATED EVENT RESULTING PROBABILITY
Versus HAZOP form:
ID | DEVIATION | CAUSES | CONSEQUENCE | SAFEGUARD | RECOMMENDATION | ACTION BY
BASIC PROBABILITIES CALCULATIONS
IF ANY ONE OF SEVERAL INITIATORS TRIGGERS THE DANGEROUS EVENT: THE PROBABILITY OF THE EVENT IS THE SUM OF THE PROBABILITIES OF THE INITIATORS.
PFDtot = PFD1 + PFD2 + PFD3
IF SEVERAL SIMULTANEOUS INITIATORS ARE NEEDED TO TRIGGER THE DANGEROUS EVENT: THE PROBABILITY OF THE EVENT IS THE PRODUCT OF THE PROBABILITIES OF THE INITIATORS.
PFDtot = PFD1 x PFD2 x PFD3
EXAMPLE OF PROBABILITIES CALCULATIONS
Probability of a blocked car due to a broken wheel?
1 - The probability of a broken wheel is 1 * 10^-1 (times/year) = once every 10 years
Considering 4 wheels the combined probability is: 1 * 10^-1 + 1 * 10^-1 + 1 * 10^-1 + 1 * 10^-1 = 4 * 10^-1 = once every 2.5 years
EXAMPLE OF PROBABILITIES CALCULATIONS
Probability of 1 operator death in the plant due to toxic release after vessel rupture?
1 - An operator will pass close to the vessel for about 10 minutes per shift, every shift = 30 minutes every 24 hours = 2%
2 - The probability of a vessel rupture is 1 * 10^-4 (times/year) = once every 10000 years
The combined probability is: 0.02 * 1 * 10^-4 = 2 * 10^-6 = once every 500 000 years
SIL REDUCTION FACTOR (IEC61508 & IEC61511)
SIL | LOW DEMAND MODE: PFDavg | Risk Reduction Factor (RRF) | HIGH DEMAND MODE: PFH
4 | 10^-5 <= PFD < 10^-4 | 10 000 < RRF <= 100 000 | 10^-9 <= PFH < 10^-8
3 | 10^-4 <= PFD < 10^-3 | 1 000 < RRF <= 10 000 | 10^-8 <= PFH < 10^-7
2 | 10^-3 <= PFD < 10^-2 | 100 < RRF <= 1 000 | 10^-7 <= PFH < 10^-6
1 | 10^-2 <= PFD < 10^-1 | 10 < RRF <= 100 | 10^-6 <= PFH < 10^-5
LOPA EXAMPLE
EVENT AND TOLERABLE PROBABILITY | INITIATING CAUSE & PROBABILITY | IPL1 PFD (DESIGN) | IPL2 PFD (DCS) | IPL3 PFD (Operator) | IPL4 PFD (SIS) | IPL5 PFD (PSV) | MITIGATED EVENT RESULTING PROBABILITY
SCENARIO 1: DCS CONTROL (PC) + ISOLATION VALVE + PSV | PCV1 failure 2E-2 | - | 1E-2 | 1 | 1.7E-3 | 1E-2 | 3.4E-9
SCENARIO 2: DCS CONTROL (PC) + ISOLATION VALVE | PCV1 failure 2E-2 | - | 1E-2 | 1 | 1.7E-3 | - | 3.4E-7
SCENARIO 3: PSV ONLY | PCV1 failure 2E-2 | - | - | 1 | - | 1E-2 | 2E-4
Probability of mitigated event (scenario 1): 2E-2 * 1E-2 * 1 * 1.7E-3 * 1E-2 = 3.4E-9
Risk Reduction Factor RRF (scenario 1, all IPLs combined): 1E-2 * 1 * 1.7E-3 * 1E-2 = 1.7E-7 (> SIL4)
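The sum/product rules, the SIL band table and the PCV1 LOPA scenarios worked in Python, as an added example that is not part of the course material. It reproduces the scenario 1 product 3.4E-9 and the SIL2 band of the 1.7E-3 SIS, adds the exact OR-combination for independent initiators (which the slides approximate by a sum), and the tolerable frequency passed to required_sis_sil (1E-6 per year) is an assumed value, since the slides give none.

```python
"""LOPA helper around the slides' PCV1 scenarios (added example, not the course's own tool)."""
from typing import Dict, Iterable

# IEC 61508 low-demand bands from the SIL table above: (PFDavg low bound incl., high bound excl., label)
SIL_BANDS = [(1e-5, 1e-4, "SIL4"), (1e-4, 1e-3, "SIL3"), (1e-3, 1e-2, "SIL2"), (1e-2, 1e-1, "SIL1")]


def sil_from_pfd(pfd: float) -> str:
    """Map a low-demand PFDavg to its SIL; 'a' = no SIL requirement, 'b' = single SIS not enough."""
    if pfd >= 1e-1:
        return "a"  # RRF <= 10
    for low, high, label in SIL_BANDS:
        if low <= pfd < high:
            return label
    return "b"  # PFD < 1E-5, RRF > 100 000: beyond SIL4


def any_initiator(probabilities: Iterable[float]) -> float:
    """Event occurs if ANY initiator occurs. The slides add the probabilities; this is the exact
    value for independent initiators and agrees with the sum when every term is small."""
    p_none = 1.0
    for p in probabilities:
        p_none *= 1.0 - p
    return 1.0 - p_none


def all_initiators(probabilities: Iterable[float]) -> float:
    """Event occurs only if ALL initiators (or all IPL failures) coincide: the product rule."""
    product = 1.0
    for p in probabilities:
        product *= p
    return product


def mitigated_frequency(initiating_freq: float, ipl_pfd: Dict[str, float]) -> float:
    """One LOPA row: initiating frequency (per year) times the PFD of every credited IPL.
    An IPL taking no credit (the slides' operator column) is entered as 1.0; an absent IPL is omitted."""
    return initiating_freq * all_initiators(ipl_pfd.values())


def required_sis_sil(initiating_freq: float, tolerable_freq: float, other_ipl_pfd: Dict[str, float]) -> str:
    """SIL the SIS must reach for the mitigated frequency to meet the tolerable target (an assumed
    input; the slides give none) after the other IPLs have taken their credit."""
    residual = mitigated_frequency(initiating_freq, other_ipl_pfd)
    if residual <= tolerable_freq:
        return "a"  # the other layers already meet the target
    return sil_from_pfd(tolerable_freq / residual)


# Scenario 1 from the slides: PCV1 failure 2E-2/yr, DCS 1E-2, operator no credit, SIS 1.7E-3, PSV 1E-2.
SCENARIO_1 = {"DCS": 1e-2, "Operator": 1.0, "SIS": 1.7e-3, "PSV": 1e-2}

if __name__ == "__main__":
    print(f"Scenario 1 mitigated frequency: {mitigated_frequency(2e-2, SCENARIO_1):.1e} /yr")  # 3.4e-09
    print("Scenario 2 SIS needs:", required_sis_sil(2e-2, 1e-6, {"DCS": 1e-2, "Operator": 1.0}))  # SIL2
```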
http://www.ecisgroup.it/
END OF PRESENTATION