SIL Methodology

April 4, 2018 | Author: Anonymous | Category: Documents

CONTENTS
1.0 PURPOSE
2.0 SCOPE
3.0 ABBREVIATION
4.0 REFERENCES
5.0 RESPONSIBILITY AND AUTHORITY
6.0 DESCRIPTION OF ACTIVITIES
  6.1 General
  6.2 Roles and Responsibilities
  6.3 SIL Team Composition
  6.4 SIL Study Schedule and Pre-requisites
  6.5 SIL Methodology
    6.5.1 Risk Graph Technique
    6.5.2 Layer of Protection Analysis
  6.6 SIL Target Level
  6.7 SIL Assessment Report
7.0 SIL VERIFICATION
8.0 FOLLOW-UP AND CLOSE-OUT
9.0 RECORDS
10.0 APPENDICES
APPENDIX I – RISK GRAPH PARAMETERS AND CRITERIA

1.0 PURPOSE
The purpose of this procedure is to describe the recommended practice for performing Safety Integrity Level (SIL) assessment and verification studies of identified Instrumented Protective Functions.

2.0 SCOPE
This procedure applies to the performance of SIL studies on Oil & Gas facilities projects. The recommended practice outlined in this procedure shall be adopted on a project where client-specific guidelines are not available.

3.0 ABBREVIATION
C&E     Cause and Effects
E/E/PE  Electrical, Electronic and Programmable Electronic
ESD     Emergency Shutdown System
HSE     Health, Safety & Environment
IEC     International Electrotechnical Commission
IPF     Instrumented Protective Function
PCS     Process Control System
PFD     Probability of Failure on Demand
PEM     Project Engineering Manager
PLC     Programmable Logic Controller
QRA     Quantitative Risk Assessment
SIL     Safety Integrity Level
SIS     Safety Instrumented System
SIF     Safety Instrumented Function

4.0 REFERENCES
1. IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems
2. IEC 61511, Functional Safety – Safety instrumented systems for the process industry sector
3. PFD data from vendors
4. Safety Equipment Reliability Handbook, by OREDA, or any other handbook for generic data

5.0 RESPONSIBILITY AND AUTHORITY
N/A

6.0 DESCRIPTION OF ACTIVITIES

6.1 General
Instrument and control systems play a significant role in the management of hazards on oil and gas installations.
Shutdown systems are traditionally recognised as safety systems which contribute to reducing the likelihood and consequences of dangers to personnel, but they also limit risks to the environment, to assets and to continued production. Therefore, instrumented protective functions need to be reviewed through a systematic assessment process to determine any requirement for increased reliability and/or higher integrity, and hence reduce risk.

The main objective of the SIL study is to assess the integrity level for all instrumented protective functions that have been provided for all process systems, in accordance with IEC 61511. The SIL study workshop is conducted to perform a systematic review of plant process systems to identify failures in E/E/PE safety-related control systems at each plant which have the potential for harm to personnel (through illness, injury or loss of life) or to the environment (temporary or permanent). A secondary objective is to identify where such failures have the potential to cause significant economic loss due to production loss and/or damage to capital equipment. The safety and environmental harm and the economic loss will generally arise from loss of containment, either of the product or of a substance hazardous to health.

6.2 Roles and Responsibilities
The SIL team should consist of the following persons:

Chairman – Responsible for chairing the SIL review meeting and ensuring the process runs smoothly in accordance with the procedure. The Chairman shall ensure the team remains focussed and does not deviate from the objective of the study. The Chairman shall have experience of conducting SIL or similar studies. The Chairman shall bring the SIL assessment software. The SIL Assessment and SIL Verification reports shall be prepared by the Chairman.

Secretary – Responsible for recording the discussion of the meeting, using the worksheets. It is preferable that the SIL Secretary has a technical background in Instrumentation.

Lead HSE Design Engineer – The Lead HSE (Design) Engineer on the project shall ensure that the SIL study is performed to the standards set out in this procedure. The Lead HSE Engineer shall ensure that the administrative tasks necessary to perform the SIL study are completed (organisation of the team, distribution of the documents, selection of the Chairman, selection of venue, etc.).

Lead Instrument Engineer – Responsible for ensuring completion of the project design documents, including vendor documents, necessary prior to the SIL study. He shall provide the Chairman with the list of tags, initiating devices, final elements and service description for each SIF for inclusion in the worksheets.

Lead Process Engineer – Shall ensure that the P&IDs are updated in line with the recommendations given in the HAZOP.

Follow-up Coordinator – Nominated by the Project Engineering Manager (PEM), who can make project decisions on conflicting requirements. The coordinator shall act on behalf of the PEM to facilitate and expedite the satisfactory close-out of recommendations raised by the SIL study. The overall responsibility for the SIL close-out process lies with the PEM.

6.3 SIL Team Composition
The presence of the following team members, from both the Contractor and the Operating Company, is essential for the full duration of the review:
• Process Engineer
• Control and Instrumentation Engineer
• HSE/Safety Engineer
• Operations Representative
• Other discipline engineers (Mechanical, Civil, Layout, etc.) shall be available on a need basis

6.4 SIL Study Schedule and Pre-requisites
The SIL study should be scheduled after completion of the HAZOP study and incorporation of the major HAZOP recommendations onto the P&IDs and Cause & Effects Charts.
The following project-specific documents (latest revisions) shall be made available prior to the SIL workshop:
• Piping & Instrumentation Diagrams
• Cause and Effects Chart
• HAZOP Report
• QRA Reports
• Plot plans

6.5 SIL Methodology
The common methods used for Target Safety Integrity Level determination are:
• Risk Graph
• Layer of Protection Analysis (LOPA)

Both methods are included in the IEC 61508 and IEC 61511 standards. The risk graph is a qualitative technique; its results tend to be quite subjective and lead to SIL levels biased on the high side. The Layer of Protection Analysis technique is quantitative and more accurate, and it is becoming the widely accepted technique for SIL determination. It is advisable to consider the Risk Graph method at the FEED stage and the LOPA technique during the detail design phase. The appropriate methodology should be chosen by the Project group after considering client guidelines or advice. In the absence of Client guidelines, follow the LOPA methodology for Detailed Design.

6.5.1 Risk Graph Technique
The risk graph method is a qualitative approach to determine the level of integrity required for the identified Instrumented Protective Functions (IPF) for the project. The approach is based on the International Electrotechnical Commission standard IEC 61511 [Ref. 2].

Risk graph analysis uses four parameters to make a SIL selection: consequence (C), occupancy (F), probability of avoiding the hazard (P), and demand rate (W).

Consequence represents the average number of fatalities that are likely to result from a hazard when the area is occupied, and should include the expected size of the hazard and the receptor's vulnerability to the hazard.

Occupancy (Exposure Time Parameter) is a measure of the amount of time that the area that would be impacted by the incident outcome is occupied.

The probability of avoiding the hazard will depend on the methods that are available for personnel to know that a hazard exists and also the means for escaping from the hazard.

The demand rate is the likelihood that the accident will occur without considering the effect of the SIF that is being studied, but including all other non-SIS protection layers.

A combination of consequence, likelihood, occupancy, and probability of avoidance represents a level of unmitigated risk. Once those categories have been determined, the risk graph is used to determine the SIL that will reduce the risk by the appropriate amount. Figure 1 contains a typical risk graph, as presented in IEC 61511-3. The SIL is selected by drawing a path from the starting point on the left to the boxes at the right by following the categories that were selected for consequence, occupancy and probability of avoidance. The combination of those three determines the row that is selected.

Figure 1: Safety Integrity Level (SIL) Risk Graph (IEC 61511, Ref. 1)

Steps
Prior to the assessment, the risk graphs will be calibrated according to the Client's risk criteria. For each loop, the SIL is determined and recorded on worksheets as follows.
1. Identify the loop to be examined, and record the tag and P&ID number.
2. Agree the function of the loop (i.e. what is it for?).
3. Determine the cause of demand on the loop (most commonly control failure).
4. Identify the output actions (e.g. close specified valves).
5. Agree the consequence if the loop fails on demand. At this point no credit is taken for other relevant risk reduction measures.
6. Having gathered the above information, use combined judgement to agree the four parameters C, F, P and W on the safety risk graph.
7. W is the frequency of the cause of demand identified in step 3.
8. Apply the safety risk graph to determine the SIL required on safety risk considerations.
9. Agree the economic loss parameter L and use the economic risk graph to determine the SIL required on economic risk considerations.
10. Agree the environmental loss parameter E and use the environmental risk graph to determine the SIL required on environmental risk considerations.
11. Determine the SIL required for the function identified in step 2 as the highest of the three SILs determined in steps 7, 8, and 9.

The above steps are repeated for each of the IPF loops.

The risk graph parameters and criteria to be used for this assessment are outlined in Appendix I of this document.

6.5.2 Layer of Protection Analysis
LOPA is one of the techniques developed in response to a requirement within the process industry to be able to assess the adequacy of the layers of protection provided for an activity. Initially this was driven by industry codes of practice or guidance, and latterly by the development of international standards such as IEC 61508 [Ref 1] and IEC 61511 [Ref 2].

Within the LOPA methodology the concept of the Independent Protection Layer (IPL) is well defined and important: "An IPL is a device, system or action which is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario. The effectiveness and independence of an IPL must be auditable."

SIL selection is based on establishing a tolerable frequency for each consequence resulting from an initiating event. This tolerable risk guideline needs to be reviewed and accepted by the Company at the start of the SIL review process. Once the tolerable frequency for a SIF is established, all causes of the initiating event are listed. For each cause of the initiating event, its likelihood is established. The layers of protection and the associated PFD for each cause are then listed. The mitigated event frequency for each cause is determined.
After each cause is analysed, the total event frequency due to all causes for the initiating event is determined. The SIL is determined by comparing the established tolerable frequency (goal) with the total mitigated event frequency.

Steps
The following are the important steps which shall be addressed during the SIL assessment sessions:
1. Identify and list all Safety Instrumented Functions for the unit(s).
2. For each SIF identified:
   • Define the worst consequence if the SIF failed to operate when a demand occurs.
   • Categorise the consequence severity and tolerable frequency based on the Company risk guidelines. The tolerable frequency will be selected from the reducible frequency band as per the table.
   • List all causes and the likelihood for the initiating event.
   • For each cause identify all available layers of protection and assign failure probabilities for each layer.
   • For each cause calculate the mitigated event frequency considering all the layers, i.e. F = Fe*PA*PB*PC*PD, where F is the mitigated event frequency, Fe is the non-mitigated event frequency based on best industrial practice, and PA, PB, PC and PD are the PFD values for each protection layer.
   • Calculate the total event frequency due to all causes.
   • Compare the tolerable frequency goal with the total event frequency.
   • Assign the required SIL based on the additional risk reduction required.
   • Document the results of each analysis in the SIL Selection and Analysis worksheet. Include any notes and recommendations in the worksheet. A typical SIL assessment worksheet format is given in Appendix II.

Independent Protection Layers (IPL)
An Independent Protection Layer is a specific category of safeguard. Independent protection layers must meet the following criteria:
• Specificity – An independent protection layer must be specifically designed to prevent the consequences of one potentially hazardous event.
• Independence – The operation of the protection layer must be completely independent of all other protection layers; no common equipment can be shared with other protection layers.
• Dependability – The device must be able to dependably prevent the consequence from occurring. The probability of failure of an independent protection layer must be demonstrated to be less than 10%.
• Auditability – The device should be proof tested and well maintained. These audits of operation are necessary to ensure that the specified level of risk reduction is being achieved.

Typical Protection Layers
While no two situations are identical, there are a few protection layers and mitigating events that should always be considered when performing a layer of protection analysis in the process industries. These protection layers are shown below:

• PCS Controls – In many cases the PCS is designed to automatically move the process to a safe state under abnormal conditions (control loop or on/off loop). The criterion most used to determine whether the PCS can be credited as a layer of protection is that a failure of the PCS did not contribute to causing the initiating event. (Maximum risk reduction credited shall be 1 in 10.)
  Many times an independent alarm in the PCS with operator action is provided to mitigate certain risks. In such a situation, credit for the alarm can be given only if the alarm signal is connected to an entirely independent initiator and I/O, other than the one carrying out the automatic controls. This will considerably reduce any common mode failures. (Maximum risk reduction credited shall be 1 in 10.)
  For the PCS to be credited with two (2) IPLs, the initiators, I/O cards and final control elements must be independent of each other. Only the logic solver part may be shared, provided the logic solvers are redundant. If the initiating or enabling event involves the failure of a PCS loop, then no more than one PCS loop should normally be credited as an IPL for the same scenario. The maximum total risk reduction credited for the PCS as an independent layer shall be no more than 1 in 100.
• Operator Intervention – Operator intervention to manually shut down a process when abnormal conditions are detected is a common safeguard. In order for this safeguard to meet the level required of an independent protection layer, the operator must always be present, be alerted to the abnormal situation, be trained in the proper reaction to the abnormal situation, and have ample time to consider the alarm and respond. (Maximum risk reduction credited shall be 1 in 10.)
• Mechanical Integrity of Piping or Vessel – In many cases, piping or a vessel will be designed to withstand the highest temperatures and pressures generated as the result of abnormal conditions. In these cases, the mechanical integrity of the vessel is a protection layer. (Maximum risk reduction credited shall be 1 in 100.)
• Physical Relief Device – Physical relief devices are common safeguards and include such devices as relief valves, rupture disks and thermal fusible plugs. (Maximum risk reduction credited shall be 1 in 100.)
• Ignition Probability – When a flammable material is released to the atmosphere, the probability that the release will ignite will depend on factors such as the auto-ignition temperature and the ignition sources present.
• Other layers to be considered – Use factor, explosion probability, occupancy and external risk reduction facilities such as F&G systems, dikes, etc.

6.6 SIL Target Level
For each safety instrumented function operating in demand mode, the required SIL shall be specified in accordance with the levels stated in the table below (Ref. 2):

Table 1: Probability of Failure on Demand for SIL 1, 2, 3 and 4
Safety Integrity Level (SIL)   Target average Probability of Failure on Demand
SIL 4                          10^-5 to < 10^-4
SIL 3                          10^-4 to < 10^-3
SIL 2                          10^-3 to < 10^-2
SIL 1                          10^-2 to < 10^-1

6.7 SIL Assessment Report
The SIL Assessment Report shall be prepared by the Chairman using the company format and shall include the following as a minimum:
• Executive Summary
• The scope of the SIL study
• List of participants
• The systems examined
• The results as captured in the worksheets
• Conclusions and recommendations

7.0 SIL VERIFICATION
During the EPC phase of the project, a SIL verification study will be performed if it is required contractually or by specific instruction from the Company. SIL validation is not covered by this document as it is normally carried out during the operation phase.

The outcome of the SIL assessment is followed by a SIL verification study, in which the design of the safety instrumented system (SIS) is verified. The risk reduction performance of any given SIF depends on the equipment chosen and the redundancy levels. The safety performance evaluation is called SIL verification and requires reliability analysis of the equipment with a view toward a particular failure mode termed "failure to function on demand" or "fail danger". A piece of equipment used to implement a SIF has a certain probability that it will not successfully protect a process if a dangerous condition (a demand) occurs. This average "probability of failure on demand" (PFD) is calculated and compared with the PFD average table to obtain a "design SIL". If the design SIL is not greater than or equal to the target SIL, better technology or more redundancy is required.

The first step in SIL verification is gathering failure rate data and failure mode data for the equipment selected. Thereafter, the designer calculates PFDavg using simplified equations, fault-tree analysis, or Markov analysis.
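As an added worked example (not part of this procedure), the LOPA steps of 6.5.2 and the SIL verification check above carried through in Python: it applies F = Fe*PA*PB*PC*PD with the PCS, alarm and relief-device credit caps from the typical-layers list, maps the PFD the SIF must provide onto Table 1 to obtain a target SIL, then computes PFDavg for a constructed sensor/logic-solver/valve loop with the simplified 1oo1 and 1oo2 equations of IEC 61508-6 (an assumption of this example; common-cause failure and repair time are neglected) and compares the design SIL with the target. Every frequency, PFD and failure rate in the scenario is constructed for illustration.

```python
# Table 1 of the procedure: target average PFD bands for SIL 1..4
# (lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Maximum risk reduction the procedure credits per layer type, written as the
# smallest PFD that may be claimed for a layer of that type.
MIN_PFD = {"pcs": 0.1, "alarm": 0.1, "operator": 0.1,
           "mechanical": 0.01, "relief": 0.01}
PCS_TOTAL_MIN_PFD = 0.01  # PCS loop + PCS alarm together: no better than 1 in 100

def credited_pfd(kind, pfd):
    """Clamp a PFD claimed in the workshop to the cap for its layer type."""
    return max(pfd, MIN_PFD.get(kind, 0.0))

def mitigated_frequency(fe, layers):
    """F = Fe * PA * PB * ... ; fe is the non-mitigated initiating-event
    frequency per year, layers a list of (kind, claimed_pfd)."""
    f, pcs = fe, 1.0
    for kind, pfd in layers:
        p = credited_pfd(kind, pfd)
        if kind in ("pcs", "alarm"):
            pcs *= p      # PCS-based layers are capped as a group
        else:
            f *= p
    return f * max(pcs, PCS_TOTAL_MIN_PFD)

def sil_for_pfd(pfd):
    """Map an average PFD onto Table 1: 0 = no SIL needed, 5 = beyond SIL 4."""
    if pfd >= 0.1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 5

def target_sil(tolerable, causes):
    """LOPA result for one SIF: total mitigated frequency over all causes,
    the PFD the SIF must provide, and the target SIL from Table 1.
    causes: list of (cause_name, fe, layers)."""
    total = sum(mitigated_frequency(fe, layers) for _, fe, layers in causes)
    required_pfd = tolerable / total
    return total, required_pfd, sil_for_pfd(required_pfd)

def pfd_avg(lambda_du, ti_hours, voting="1oo1"):
    """Simplified IEC 61508-6 equations (assumption: common-cause failures and
    repair time neglected). lambda_du is the dangerous undetected failure rate
    per hour, ti_hours the proof-test interval."""
    if voting == "1oo1":
        return lambda_du * ti_hours / 2
    if voting == "1oo2":
        return (lambda_du * ti_hours) ** 2 / 3
    raise ValueError(voting)

def verify_sif(target, subsystems):
    """SIL verification: PFDavg of sensor, logic solver and final element
    (series subsystems add), mapped to a design SIL and compared with the
    target. subsystems: list of (lambda_du, ti_hours[, voting])."""
    design_pfd = sum(pfd_avg(*s) for s in subsystems)
    design = sil_for_pfd(design_pfd)
    return design_pfd, design, design >= target

# Constructed scenario (not from the procedure): separator high-pressure trip,
# tolerable frequency 1e-6 per year. Note the PCS loop PFD of 0.05 is clamped
# to 0.1 and the relief valve PFD of 0.001 to 0.01 by the caps above.
TOLERABLE = 1e-6
CAUSES = [
    ("Level control loop fails", 0.1,
     [("alarm", 0.1), ("relief", 0.01)]),
    ("Inlet valve opens spuriously", 0.05,
     [("pcs", 0.05), ("alarm", 0.1), ("relief", 0.001)]),
]
# Constructed failure-rate data, proof test every 4 years: sensor, logic
# solver, and either a single valve (1oo1) or a redundant valve pair (1oo2).
TI = 4 * 8760.0
LOOP_1OO1 = [(1e-7, TI), (2e-8, TI), (5e-7, TI)]
LOOP_1OO2 = [(1e-7, TI), (2e-8, TI), (5e-7, TI, "1oo2")]

if __name__ == "__main__":
    total, req, sil = target_sil(TOLERABLE, CAUSES)
    print(f"total {total:.3g}/yr, required PFD {req:.3g}, target SIL {sil}")
    print(verify_sif(sil, LOOP_1OO1))   # single valve: design SIL 1, fails
    print(verify_sif(sil, LOOP_1OO2))   # redundant valves: design SIL 2, passes
```

With the constructed data the LOPA gives a target of SIL 2, the single-valve design lands in the SIL 1 band at a 4-year proof-test interval, and the redundant (1oo2) valve pair brings the design back to SIL 2, which is the "more redundancy" remedy the text describes.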
There are two fundamental challenges faced during SIL verification:
• Gathering the failure rate/mode data, and
• Building a PFDavg model.

Failure rate data is available in a generic sense from several industry databases, including AIChE and OREDA. Failure rate data is also available from some manufacturers, although it is often difficult to source.

8.0 FOLLOW-UP AND CLOSE-OUT
Upon completion of the SIL assessment workshop, the Chairman will present the findings of the study in the form of a SIL Assessment report. Recommendations of the SIL assessment will generally be closed out by the Instrumentation discipline. It is important that the Project allocates adequate resources not only to perform the SIL study but also to ensure that the recommendations raised in the SIL report are satisfactorily closed out. The PEM shall be responsible for ensuring that adequate resources are available for timely completion of the SIL study. In general almost all SIL actions belong to the instrument group; therefore, as a general practice, the PEM will nominate an instrument engineer to own the SIL close-out responses. The PEM nominee shall prepare and issue the SIL Close-out report.

9.0 RECORDS
N/A

10.0 APPENDICES

APPENDIX I – RISK GRAPH PARAMETERS AND CRITERIA

(1) IEC 61511 Safety Parameters (Personnel Safety)

Consequence (C) – Average number of fatalities. This can be calculated by determining the average number of persons present when the area is occupied and multiplying by the vulnerability to the identified hazard. The vulnerability will be determined by the nature of the hazard being protected against. The following factors are proposed:
  V = 0.01  Small release of flammable or toxic material
  V = 0.1   Large release of flammable or toxic material
  V = 0.5   As above but with a high chance of igniting, or highly toxic
  V = 1     Rupture or explosion
Classification:
  CA  Minor injury
  CB  Range 0.01 to 0.1
  CC  Range >0.1 to 1.0
  CD  Range >1.0 to 10
Comments:
  1. The classification system has been developed to deal with injury and death to people.
  2. For the interpretation of CA, CB, CC and CD, the consequences of the accident and normal healing shall be taken into account.

Exposure probability in the hazardous zone (F) – This is calculated by determining the length of time the area is occupied during a normal working period.
  NOTE – If the time in the hazardous area differs depending on the shift being operated, then the maximum should be selected.
  NOTE – It is only appropriate to use FA where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is the case with demands which occur at equipment start-up.
Classification:
  FA  In the hazardous zone, occupancy less than 0.1
  FB  Frequent to permanent exposure in the hazardous zone, occupancy more than 0.1
Comments:
  3. See comment 1 above.

Possibility of avoiding the hazardous event (P) if the protection system fails to operate
Classification:
  PA  Adopted if all conditions in column 4 are satisfied
  PB  Adopted if all the conditions are not satisfied
Comments:
  4. PA should only be selected if all the following are true:
     • Facilities are provided to alert the operator that the protection has failed
     • Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area
     • The time between the operator being alerted and a hazardous event occurring exceeds 1 hour, or is definitely sufficient for the necessary actions

Demand rate of the unwanted occurrence (W) given no protection system – To determine the demand rate it is necessary to consider all sources of failure that will lead to a demand on the protection system. In determining the demand rate, limited credit can be allowed for control system performance and intervention. The performance which can be claimed if the control system is not designed and maintained according to IEC 61508 is limited to below the performance ranges associated with SIL 1.
Classification:
  W1  Demand rate less than 0.03 per year
  W2  Demand rate between 0.03 and 0.3 per year
  W3  Demand rate between 0.3 and 3 per year
Comments:
  5. The purpose of the W factor is to estimate the frequency of the hazard taking place without the addition of the SIS.
  6. If the demand rate is very high (e.g. 10 per year) then use the failure rate and continuous demand method.

(2) IEC 61511 Asset Loss Parameters

Asset Loss Consequence (C)
Classification:
  CA  Minor operational upset or equipment damage
  CB  Moderate operational upset or equipment damage
  CC  Major operational upset or equipment damage
  CD  Damage to essential equipment, major economic loss
Comments: Monetary values can be assigned to each consequence parameter.

Possibility of avoiding the hazardous event (P) if the protection system fails to operate
Classification:
  PA  Adopted if all conditions in column 4 are satisfied
  PB  Adopted if all the conditions are not satisfied
NOTE – The same conditions as for personnel safety apply.

(3) IEC 61511 Environmental Parameters

Environmental Consequence (C)
Classification:
  CA  A release with minor damage that is not very severe but is large enough to be reported to plant management or local authorities
  CB  Moderate damage, e.g. release within the fence with significant damage
  CC  Substantial damage, e.g. release outside the fence with major damage which can be cleaned up quickly without significant lasting consequences
  CD  Serious damage, e.g. release outside the fence with major damage which cannot be cleaned up quickly or with lasting consequences
Comments (examples given against these classes):
  • A moderate leak from a flange or valve
  • Small scale liquid spill
  • Small scale soil pollution without affecting ground water
  • A cloud of obnoxious vapour travelling beyond the unit following flange gasket blow-out or compressor seal failure
  • A vapour or aerosol release, with or without liquid fallout, that causes temporary damage to plants or fauna
  • Liquid spill into a river or sea
  • A vapour or aerosol release, with or without liquid fallout, that causes lasting damage to plants or fauna
  • Solids fallout (dust, catalyst, soot, ash)
  • Liquid release that could affect groundwater

Possibility of avoiding the hazardous event (P) if the protection system fails to operate
Classification:
  PA  Adopted if all conditions in column 4 are satisfied
  PB  Adopted if all the conditions are not satisfied
NOTE – The same conditions as for personnel safety apply.

