Professional Documents
Culture Documents
1 Abstract 2 Introduction
This paper introduces issues related to the design of The initial risk (without risk reduction measures)
safety-instrumentedsystems (SIS) using a risk-based associated with operating a process unit or a piece of
approach. The paper does not aspire to give an equipment, may be reduced by applying a range of risk
exhaustive guidance to actually designing such systems. reduction measures, including SISs. As shown in Figure
The design and realisation of safety systems is a highly 1, the summed conhihution of reductions from all risk
specialised skill, this paper only aims to introduce the reduction measures must bring the remaining or residual
various concepts and terminologies to the reader. risk to a level helow the acceptahle or tolerahle level
(defined by corporate risk tolerability criteria).
Ever since the IEC 61508 was being drafted, the risk As shown, reduction is usually achieved using a number
based design as opposed to deterministic designs, is of means, including mechanical devices (reIief valves,
becoming more and more accepted. Since the bursting discs, etc.) and instrumented devices (SIS). In
publication of ISNANSI SP84.01 and later IEC 61508, most desi-, I .. of protection systems are
both types
authorities started to require compliance or at least applied, with the mechanical system being usually the
regard compliance as the hest practice to compliance last line of defence wherever possible.
with authority regulations with regards to the design and An SIS is required if the summed contributions of all
maintenance of safety systems that use instruments to non-SIS risk reduction measures does not reduce risks
’
pelform the functions. E.g. OSHA regards ISNANSI below the acceptable or tolerable level. If the risk,
SP84.01 as the benchmark for compliance to their 29 without the SIS, is already acceptable, the SIS is not
CFR 1910.119. Authorities in Europercgard required.
compliance to IEC 61508/615I I as benchmark for The allocation of risk reduction to layers of protection
compliance to the Seveso 2 directive. (including SISs) is done via proper dsign practice
verified by a Technical Desk HSE Review, HAZOP or
Risk based design of safety instrumented systems (SIS) PHA study.
aims to establish the risk reduction that the SIS is to
provide to arrive at an acceptable or at least ,“-cm ~
Umd.-n
LOW Ris;
Cwuequerre
Figure 3, Risk reduction by safety functions
1384
Unacceptable Region
.
..
..
..
..
..
..
..
..
..
..
.. ........ .
..
..
..
..
..
..
..
..
..
..
..
..
. 1
imprastisabie or if N cool is
grOLIiY disproportionate fo the
improvement gained and
Fj:i:?:?<i:.:;.::,.,
............ bl socialydesirer me benefltof
Tolerable Reoion ............................
II the activily given the
associated risk
Broadly acceptable
region
\ .....
......
...
..... reduce nak not usually required. No
needfordetaiiedworkina to
Negligible risk
Figure 4, Tolerable risk & ALARP When determining if a safety system is ALARP the
following aspects are normally taken into account:
The initial investment cost and depreciation of
“unacceptable”, “tolerable” or “broadly acceptable” (see additional measures or systems
Figure 4). The additional yearly maintenance, managerial
and inspection costs.
Above a certain level, a risk is regarded as The new risks introduced by the additional
unacceptable. Such a risk cannot be justified in any measures. E.g. additional safety functions will
ordinary circumstances. If such a risk exists it must be lead to additional spurious trips causing
reduced so that it falls in either the “tolerable” or production and product losses and the
“broadly acceptable” regions, or the associated hazard additional safety risk associated with a re-start.
must be eliminated. The additional risk reduction achieved by the
Below that level, a risk is considered to be “tolerable” additional measures
provided that it has been reduced to the p i n t where the
benefit gained fiom further risk reduction is outweighed
by the cost of achieving that risk reduction, and
provided that generally accepted standards have been
4 Layers of protection
applied towards the control of the risk. The higher the The application of multiple protection layers to
risk, the more would be expected to be spent to reduce safeguard a process is oflen used In the process
it. A risk that has been reduced in this way is industries. It is illustrated in Figure 5.
considered to have been reduced to a level that is as
“low as is reasonably practicable’’ (ALARP) In this figure, each protection layer consists of physical
properties, equipment and/or administrativeconkols
Below the tolerable region, the levels of risk are that function in concert with other protection layers to
regarded as so insignificant that further improvements conwol and/or mitigate process risk
are not required. This is the broadly acceptable region
where the risks are small in comparison with the every When determining the initial risk without the SIS, all
day risks we all experience. While in the broadly available protection layers are taken into account. If the
acceptable region, there is no need for a detailed initial risk is already broadly acceptable, no SIS would
working to demonstrate ALARP; however, it is be required.
necessary to remain vigilant to ensure that the risk
remains at this level.
1388
qualitative hazard evaluation, such as hazard and
operability studies (HAZOPs).
5 Analysis of the layers of protection A HAZOP or HEMP team defines a hazardous scenario.
(LOPA) The scenario is basically the sequence of events
To establish the need for and the amount of additional between an initiator of the scenario (an equipment
(in addition to the layers already available or designed) failure for example) that may ultimately lead to a
riskreduction required, a widely accepted technique is significant consequence ifall safeguarding harriers fail
the 'layer of protection analysis' (LOPA). or are defeated. Pictorially, the LOPA analysis is given
in the following picture.
LOPA is an acknowledged and proven methodology of
ensuring that "Safety Instrument Functions" (SIF) are
classified properly - their requisite performance is
-.* HEMP 8."
-er* B."l...
1386
Each barrier has a
certain 'probability of
failure on demand'
(PFD). Ifthere is a
demand on a barrier it
will normally be
successful in
preventing the
consequences. Only
in case of failure on
demand, the
consequences will
occur. The kequency
at which the
consequences occur in
case of failure of the
barrier is equal to the
PFD of the barrier *
the kequency of
demand on the
barrier.
If the barriers are completely independent one may qualitative method -risk graph
calculate the hquency at which the consequences
occur, by multiplying the PFD's of the barriers in the Shell currently uses the semi qualitative method using a
path kom the initiatingevent to the occurrence of the calibrated risk matrix. Shell is developing a more
consequences. advanced method (SIFproTM) where LOPA is used to
determine the initial probability (hqquency) of
When Barrier3 is a SIS and the residual risk (the occul~enceofthe consequences of the hazard and a
product afthe demand rate on the barrier and the calibrated risk matrix to determine the SI1 required to
severity of the consequence ofharrier failure) is achieve a broadly acceptable remaining risk.
intolerable to the customer, the PFD ofBanier3 can he
improved by increasing the integrity requirements of tbe OAen a process design already includes the sensors and
SIS. final elements tbat should bring the process to a safe
state in any foreseen situation. This SIS design is often
6 Determining the Safety Integrity Level copied from a previous project.
In that case the SIL assessment would be done in the
(SIL) of the safety function fnllmuino Q+P..Q
Safety Integrity Probability of Risk Reduction of protection. n i s leads to the 'demand rate'
Level Failure on factor (RR) on the safety function. See Figure 7 for an
Demand (PFD) example LOPA analysis in SIFproTM.
SI1 - PFD>O.l < IO The demand rate used in step 5 is the
SIL 1 O.OI<PFD<O.l lOO>RR> IO frequency at which the consequence occur if
SIL 2 O.OOlCPFD< lOOO>RR> the PSHG function were not present.
0.01 IO0 4. Determine the consequence of failure on
SI1 3 0.0001< PFD < 10000 > RR > demand of the function. i.e. determine the
I 0.001 I 1000 severity of the consequences.
SI1 4 I PFD<0.0001 I RR>10000 5. Use the risk matrix to determine the SIL
-
There are various methods available and described in risk.
IEC615llpart3:- See Figure 8 for an example ofthe risk matrix
--
Semi qualitative method as used by Shell for SI1 assessments.
Safety Layer matrix method 6. In case the SIL can not practically be achieved
Semi qualitative method -calibrated risk graph or only at great expenditure, determine which -
4387
E.g. a process pressure trip is
set at I50 kPa. The
consequences of overpressure
will not be fully realised until
the pressure rises to 170 kPa.
Given the dynamics of the
process and the causes of the
none q i & t inj. I Mina in[. I Mojor inj. 1 One mi. 1 Muh cas.
overpressure, this will take at
least 2 minutes. The process
none ISlight$fedIMinoreHedI Lxd&Ik*linektko(hrive&.
safety time is 2 minutes.
none I slight I Minor 1 Medium I Mojor I h i v e
Figure 8, Semi qualitative Risk Assessment Matrix as used by Shell Note that in some cases the
consequences may also be
realised when the variable
lower- S L is ALARP by analysing all does not continue to rise
alternative designs that at least would reduce above the trip setting but remains too high for a long
the risk to a tolerable level. period (e.g. accelerated coke formation in fiunace tubes
above the outlet temperature trip setting).
As can be seen in Figure 8, Shell uses.3 consequence
categories to establish the consequence severity: 8 Designing the safety function
Personal safety
Environment 8.1 Function definition
Production and equipment losses (i.e. dollars)
According IEC 6151 I safety function is “intended to
achieve or maintain a safe state for the process, in
7 Process Safety Time respect of a specific hazardous event”. Such defintion is
The process safety time is the period of time in which not particular helpful if the functions is to be realised
the process can he operated without protection and with with actual instruments. Therefore Shell has defined a
a Demand present without entering a dangerous functions as “comprising of one or more Sensors, a
condition. The Process Safety Time determines the Logic Solver and one or more Final Elements whose
dynamic response requirements of the safety function. purpose is to prevent or mitigate hazardous situations”.
Dlning SIL assessment, the process safety time for each This implies that function is defmed by the sensor
safety function should he determined. As shown in subsystems (e.g. ‘High Pressure in Separator’), the
Figure 9, the process safety time is a function of the Logic Solver (e.g. ‘ESD system’) and the final elements
process dynamics and is defined as the period of time (E.g.‘Close inlet and outlet’).
that the process can be operated without protection and
with a demand preFnt without entering a dangerous In this definition, the sensor subsystems (a subsystem
condition. The process safety time will d e t m e the could comprise of multiple sensors e.g. in a 2003
trip setting and the combined dynamic performance and configuration) are all the subsystems required to detect
accuracy requirements for the components in the SIS, the hazard. The fmal element subsystems are all the
subsystems required to avert or sufficiently
. mitigate
- the
hazard.
1388
Likewise, in case multiple fmal element subsystems are and non-programmable electronic logic solvers IEC
required to successfully avert the hazard, one needs to 615 1 I requires the following minimum fault tolerance:
defme the success criterion. E.g. If all 4 inlet valves to a
vessel need to be closed to avoid overfilling, the success Table 2, Fault tolerance requirements for sensor and
criterion would be 4004. Fault tolerance
4389
t 2.30E42 6.29E44 2.3OE02 8.29E-DZ
1 1.27E43 3.48E45
1.27103 3.48145
-
1.27E43 3.48E-35
10 2 . W E M 200E-0d
Figure 10 Example PFD calculation Because many projects are executed in 3 phases, the
conceptual phase, the project specification phase and the
Diagnostic test coverage factor (the % of project execution phase, the lifecycle model needs to be
dangerous failure the diagnostic test may expanded to support this uractice. The resulting model
possibly detect) is shown in Figure 12.
Dangerous and safe failure rates (it is normally
-
assumed that the failures occur randomly) For each phase the following aspects should he
The common fault factor (B) for dangerous defined:-
failures. (the % of dangerous failures that will Deliverahles, tools, methods and inputs.
affect multiple channels in a redundant Responsible persons and delegated
subsystem) responsibilities
The common fault factor (0) for safe failures. Required competencies and possible training
The repair time in case component may be requirements
repaired on-lie. The repair time is the time the Procedures and work instructions
wmponent will be unable to perform its safety Procedures for management of change
function as caused by repairs following a Procedures for v d c a t i o n and validation of the
detected dangerous or safe failure. results.
Mission time of the component (e.g. 10 years) -
The manaeement nlan should ohviouslv avoid the
formulation of incompatible goals.
An example calculations is shown in Error! Reference
source not found.O
1390
PROJECT EXISTING
DNELOPMENT PHASE IPF LIFECYCLE PHASE
NSTALLATION
....
" " " " "........
. ..
10 References
[I] International Electro technical Committee (IEC)
IEC 61511 (dratl) Functional safety of Safely
Inswumented Systems for the Process Indushy
Sector
Part I: Framework, definitions, system, hardware
and soilware requirements
Pari 2: Functional safety: Safety Instrumented
Systems for the process industry sector -
Informative
Part 3 : Guidance for the determination of the
r e q e e d safety integrity levels - informative
1391