SECTION 2 Exercises
EngineeringTech Engineers & Consultants

FSE I - Application Exercise 1
Name:            Date:
Title: Safety Instrumented System and Safety Lifecycle Introduction
Duration: 15 Minutes
Objective: At the end of this exercise, participants will have demonstrated an understanding of the basic context of the safety lifecycle.

1. What does the Safety Integrity Level (SIL) measure?
2. What is the main difference between the older safety standards and the safety lifecycle based standards?
3. Describe the main 61508/61511 safety lifecycle activities in your own words.
4. What is a safety instrumented function?
5. Why are personnel safety lifecycle competency requirements valuable?

FSE I - Application Exercise 2
Name:            Date:
Title: Tolerable Risk
Duration: 20 Minutes
Objective: At the end of this exercise, participants will be able to apply the concept of ALARP to developing a tolerable risk statement for a company.
PROCEDURE: Each participant should individually attempt to do the exercises. When they are finished, the entire class will review the problems and the answers.

1. Develop a tolerable risk guideline and risk matrix for environmental risks ranging from 1 per 100 years to 1 per 100,000 year events and ranging from a release inside the plant with small consequences up to a release outside the plant with large permanent consequences. Assume all extreme risks will be reduced and all moderate risks will be reduced where practical.
2. Compare your tolerance with that of the example matrix in the slides and identify the equality points. (Where does the tolerable frequency match for different consequences?)
3. Are there any significant points where the risk tolerance is inconsistent? For example, does the tolerance for external releases with large temporary consequences match that for many human fatalities?
FSE I - Application Exercise 3
Name:            Date:
Title: Probability
Duration: 15 Minutes
Objective: At the end of this exercise, participants will be able to apply the rules of probability.
PROCEDURE: Each participant should individually attempt to do the exercises. When they are finished, the entire class will review the problems and the answers.

1. An insurance company studied 32,400 persons for six months. There were 1,800 accidents. If this dangerous condition is equally likely at any moment, what is the probability of an average person having an accident in any given year?
2. We toss three fair coins. What is the probability of getting three heads?
3. A system will fail if a power supply fails or a controller fails. The probability of a power supply failure during the next year is 0.05. The probability of a controller failure in the next year is 0.01. What is the probability of system failure?
4. A check valve has a probability of not stopping reverse flow of 0.015 in a one-year interval. The probability of getting a dangerous condition in the next year is 0.004. What is the probability of a dangerous condition AND the check valve not stopping reverse flow?

FSE I - Application Exercise 4
Name:            Date:
Title: Fault Trees
Duration: 10 minutes
Objective: At the end of this exercise, participants will be able to solve simple fault trees.
PROCEDURE: Each participant should individually attempt to do the exercises. When they are finished, the entire class will review the problems and the answers.

1. A fault tree is shown below. What is the outcome frequency?
   [Fault tree figure: frequency Fa = 10/year with probabilities Pb = 0.05 and Pc = 0.1, combined through an AND gate]
2. A fault tree is shown below. What is the output probability?
   [Fault tree figure: Pa = 0.001, Pb = 0.002 and Pc = 0.005, combined through an OR gate]
3. A fault tree is shown below. What is the output probability?
   [Fault tree figure: Pa = 0.004, Pb = 0.010 and Pc = 0.006 feed an OR gate; Pd = 0.080 and Pe = 0.100 feed an AND gate; the two gate outputs feed a top AND gate]

FSE I - Application Exercise 5
Name:            Date:
Title: Consequence Analysis Overview
Duration: 20 minutes
Objective: At the end of this exercise, participants will be able to use statistical analysis to estimate average consequences.
PROCEDURE: Each participant should individually attempt to do the exercises.
When they are finished, the entire class will review the problems and the answers.

1. Your company is estimating the risk posed by the failure of a new railroad track switching system. Estimate the average consequence, in terms of injuries and fatalities, of a train accident using the following data. In 1996: 550 fatalities, 10,948 injuries, 2,443 accidents. Data from Transportation Statistics Annual Report 1998, Bureau of Transportation Statistics, US Department of Transportation, BTS98-S-01.
2. Explain why average industry loss data may not be a valid way to estimate the consequence for chemical accidents.
3. A high-pressure vessel containing flammable gas that is liquefied under pressure undergoes an incident where it is expected to instantaneously rupture. What type of incident outcome can be expected if there is a source of ignition? If there is no source of ignition?

FSE I - Application Exercise 6
Name:            Date:
Title: Event Tree Analysis
Duration: 20 minutes
Objective: At the end of this exercise, participants will be able to build and quantify an event tree.
PROCEDURE: Each participant should individually attempt to do the exercises. When they are finished, the entire class will review the problems and the answers.

1. Draw an event tree that describes the following situation. (Use the back of this sheet.)
   * A toxic release can be initiated by a delivery driver pumping more material into a storage tank than the available capacity.
   * The delivery driver may or may not realize there is not enough capacity for the material that he is delivering, and then not attempt to transfer the material.
   * The driver may carefully monitor the level in the storage tank and stop the material transfer before a release occurs.
2. Using the following data, quantify the frequency at which toxic releases occur.
   * Based on historical data, delivery drivers are requested to deliver to storage tanks that do not have the required capacity approximately 3 times per year.
   * Due to a training initiative educating the drivers on the hazards of overfilling the tank, the probability that the driver will try to fill a tank that does not have sufficient capacity is estimated at 0.01.
   * The probability that the driver will not detect a high level condition after he has begun transfer is estimated at 0.1.

FSE I - Application Exercise 7
Title: Layer of Protection Analysis

1. Draw a LOPA diagram that describes the following situation.
   [Process diagram: continuously stirred tank reactor with Reactant A charged through a manhole, a metered Reactant B feed, an Inhibitor connection, a Cooling Water jacket, a relief line to a safe location, and a Product outlet]

PROCESS: A pharmaceutical company has developed a new process to produce one of its drugs. The process creates an aqueous solution that is withdrawn from the bottom of the pressurized, water cooling jacketed, continuously stirred tank reactor. Charging is done by filling the vessel with 250 kg of water and manually dumping 125 kg (or 5 bags) of reactant A into the vessel. After the vessel is charged and closed, the stirring mechanism is started and the vessel's jacket is flooded with cooling water. After the stirring and cooling have been established, a small metered rate of 0.5 kg/min of reactant B is continuously added to the solution. Reactants A and B combine to form the desired product. Each batch operates for three weeks, and 12 batches are operated per year.

HAZARDS: The reaction of A and B is nearly instantaneous and highly exothermic. Safe operation of this process requires that an excess amount of reactant B never be allowed into the reactor, and that cooling water continuously be flowing through the jacket. Hazard analysis determined that the following events could cause a "runaway" reaction and physical explosion of the vessel.
1. Failure of controller FIC-01 causing uncontrolled reactant B entry into the reaction vessel.
2. Failure of cooling water supply causing heat and pressure to build up in the vessel.

The following layers of protection were identified as a safeguard against explosion of the vessel due to runaway reaction.
1. A rupture disk set to relieve the pressure well below the design pressure of the vessel.
2. Operator intervention to high vessel temperature, high vessel pressure and low cooling water flow alarms. The alarm system is independent from the control system with no common components.

It was also noted in the hazard assessment that the rupture disk pressure relief would not be effective in the situation where controller FIC-01 failed, because pressure cannot be vented as fast as it is generated.

2. Quantify the LOPA diagrams. The following frequencies and failure probabilities were determined by a process engineer after reviewing the history of the plant.
   Flow control fails open: 1/25 /year
   Cooling water pump fails: 1/75 /year
   Rupture disk PFD: 0.0956
   Operator fails to respond to cooling water loss: 0.1
   Operator fails to respond to control failure: 0.1

FSE I - Application Exercise 8
Name:            Date:
Title: Quantifying Initiating Events and Layers of Protection
Duration: 20 minutes
Objective: At the end of this exercise, participants will be able to use statistical average data to quantify initiating events and protection layer effectiveness.
PROCEDURE: Each participant should individually attempt to do the exercises. When they are finished, the entire class will review the problems and the answers.

Use the excerpts from "Guidelines for Process Equipment Reliability Data" to quantify the rates and/or probabilities of the following situations.
1. A motor driven fan fails to provide cooling air, initiating an accident.
2. A flexible hose ruptures, initiating an accident.
3. A non-operated check valve, with a periodic inspection and test interval of four years, fails to prevent an accident.
FSE I - Application Exercise 9
Name:            Date:
Title: Assigning Safety Integrity Levels
Duration: 20 minutes
Objective: At the end of this exercise, participants will be able to assign safety integrity levels given the consequence and likelihood of the hazard. The assignment will be performed using several tolerable risk representations.
PROCEDURE: Each participant should individually attempt to do the exercises. When they are finished, the entire class will review the problems and the answers.

An accident can occur that will cause the release of 2,000 pounds of highly toxic phosgene from a reactor that makes polycarbonate resin. Risk analysis has shown that the probable loss of life due to this release is 75.6 fatalities per event. The analysis also showed that the accident has an unmitigated frequency of once per 892 years. Use the hazard matrix (procedure 1), risk graph, frequency based target, and individual risk target methods described in the slides in this section to select safety integrity levels.

NOTE: The different risk tolerances are not intended to match each other and you should expect different answers between the different cases. This is the result of different risk tolerances, not the form or method used to express those tolerances.
* Individual risk target for the facility is 1.0 x 10^-4 /year.

FSE I - Application Exercise 10
Name:            Date:
Title: Comprehensive SIL Selection Exercise
Duration: 40 minutes
Objective: The purpose of this exercise is to allow the participant to practice and demonstrate all of the skills learned in this training course through one comprehensive exercise. This exercise should be done in small groups of approximately four participants.
PROCEDURE: Each participant should individually attempt to do the exercises. When they are finished, the entire class will review the problems and the answers.

A chemical processor has just performed an upgrade of a process heater.
The upgrade was complex enough for the Management of Change procedures to be used. During the process a new HAZOP was performed on the process section. Review the HAZOP study to determine if there are any new SIS requirements. If so, select a safety integrity level. The process plant's tolerable risk target is based on the risk integral with a target individual risk of 1.0 x 10^-5 /year.

Process Diagram:
[Process diagram: wet gas from a reciprocating compressor enters a flash drum; vapor leaves the top either to users or to the vent/flare line; liquid leaves the bottom under level control]

Process Description: A "wet" hydrocarbon gas is compressed by a reciprocating compressor into a flash drum. In the flash drum liquid and vapor separate. The liquid is withdrawn from the bottom of the flash drum under level control and vapor is withdrawn from the top of the vessel and either compressed and sent to downstream users or sent to flare under pressure control. The flare line has not been sized to pass the full discharge of the wet gas compressor to flare.

HAZOP Report Output
SIF: Open vent valve upon high pressure in vessel
Consequence: Overpressure and rupture of vessel
Initiating event: Outlet vapor compressor fails
Protection Layers: Operator intervention; Relief valve
* Relief valve is pilot operated, tested annually.
* "Wet gas" compressor is a motor driven reciprocating compressor.
* "Vapor withdrawal" compressor is a motor driven reciprocating compressor.
* Operator is well trained, but only has 15 seconds to perform a shutdown before an accident occurs.
* Consequence analysis has determined a PLL = 0.15 for the overpressure and explosion of the flash drum.

FSE I - Application Exercise 1 SOLUTIONS
Title: Safety Instrumented System and Safety Lifecycle Introduction

1. What does the Safety Integrity Level (SIL) measure?
The safety integrity level is a measure of the performance of a safety instrumented function. It is focused on a single function or hazard rather than an entire safety system.
The SIL that is selected during the requirements portion of the safety lifecycle is a measure of the risk reduction required to make the process risk tolerable. During the concept design verification part of the safety lifecycle, the amount of risk reduction that each SIF can provide is quantitatively determined.

2. What is the main difference between the older safety standards and the safety lifecycle based standards?
The old standards generally follow a prescriptive approach: they specify a particular equipment configuration for a particular situation without requiring a specific performance from that equipment. The safety lifecycle standards follow a performance approach: they require a specific performance to be defined instead, and allow that performance to be provided by any number of different equipment configurations.

3. Describe the main 61508/61511 safety lifecycle activities in your own words.
The initial phases of the 61508/61511 safety lifecycle focus on defining the project, identifying the hazards and estimating the risks. The lifecycle continues with work to determine whether a SIF or other means of risk reduction is the best way to meet risk tolerances, with a SIL rating assigned to each SIF according to its required performance. This, along with other safety requirements, is documented in the safety requirements specification, which guides the design, verification, installation, commissioning and testing (validation) activities. Once these are complete, along with the associated functional safety assessment, the hazards can be "taken live" as the plant is started up. Operation, maintenance and testing continue as the plant runs to identify any problems and make the corresponding changes until either the safety system is replaced or the hazards are removed.

4. What is a safety instrumented function?
A specific single set of actions and the corresponding equipment needed to identify a single hazard and act to bring the system to a safe state.
5. Why are personnel safety lifecycle competency requirements valuable?
Separate from being essentially required by the safety lifecycle standards, it simply makes good sense to have such requirements, to ensure that a company (and its customers) can have a reasonable level of confidence that its staff are able to carry out the safety lifecycle activities for which they are responsible.

FSE I - Application Exercise 2 (Solutions)
Title: Tolerable Risk

1. Develop a tolerable risk guideline and risk matrix for environmental risks ranging from 1 per 100 years to 1 per 100,000 year events and ranging from a release inside the plant with small consequences up to a release outside the plant with large permanent consequences. Assume all extreme risks will be reduced and all moderate risks will be reduced where practical.

Consequence columns:
  (1) Internal release with small consequences
  (2) Internal release with large consequences, or external release with small temporary consequences
  (3) External release with large temporary or small permanent consequences
  (4) External release with large permanent consequences

  Frequency         (1)          (2)          (3)          (4)
  1/100 yrs         Acceptable   Moderate     Extreme      Extreme
  1/1,000 yrs       Acceptable   Acceptable   Moderate     Extreme
  1/10,000 yrs      Acceptable   Acceptable   Moderate     Moderate
  1/100,000 yrs     Acceptable   Acceptable   Acceptable   Moderate

2. Compare your tolerance with that of the example matrix in the slides and identify the equality points. (Where does the tolerable frequency match for different consequences?)
In the proposed answer, a recordable injury roughly matches an internal release with small consequences. A lost time injury roughly matches an internal release with large consequences or an external release with small temporary consequences. A permanent injury roughly matches an external release with large temporary or small permanent consequences. Many deaths roughly matches an external release with large permanent consequences.
In practice, companies try to manage these equality points in order to create a combined risk matrix with personnel, financial and environmental receptors included.

3. Are there any significant points where the risk tolerance is inconsistent? For example, does the tolerance for external releases with large temporary consequences match that for many human fatalities?
In the proposed answer, most items are generally consistent, depending on the view of one death vs. an external release with small permanent consequences. Better definition of the large and small consequences is probably needed to make this a more useful working guide. Note that with the same number of categories and the same risk tolerances, the matrix can be combined with the one from the slides relatively easily by incorporating a definitions table for the four different consequence magnitudes.

FSE I - Application Exercise 3 (Solutions)
Title: Probability

1. An insurance company studied 32,400 persons for six months. There were 1,800 accidents. If this dangerous condition is equally likely at any moment, what is the probability of an average person having an accident in any given year?
The probability of an event is the number of outcomes divided by the number of chances, and can be approximated by the accident rate in this case. There are 32,400 people x 1/2 year = 16,200 person-years of exposure and 1,800 accidents. This converts to one accident for every nine person-years of exposure. So,
  P = outcomes / chances = 1800 accidents / 16200 person-years = 1/9 per year

2. We toss three fair coins. What is the probability of getting three heads?
The probability of getting three heads is the ANDing of the probabilities of getting a head on each of three individual tosses. For each individual toss the probability of heads is 1/2.
  P1 = P2 = P3 = 0.5
  P(three heads) = P1 * P2 * P3 = 0.5 * 0.5 * 0.5 = 0.125

3. A system will fail if a power supply fails or a controller fails. The probability of a power supply failure during the next year is 0.05.
The probability of a controller failure in the next year is 0.01. What is the probability of system failure?
The probability of system failure is the probability that the power supply OR the controller fails. The events are logically OR'd, so use probability addition. Also, the events are not mutually exclusive (i.e., both the power supply and the controller can fail at the same time), so use the form:
  P(A or B) = Pa + Pb - Pa * Pb
  P(system failure) = 0.05 + 0.01 - 0.05 * 0.01 = 0.0595

4. A check valve has a probability of not stopping reverse flow of 0.015 in a one-year interval. The probability of getting a dangerous condition in the next year is 0.004. What is the probability of a dangerous condition AND not having the check valve operate?
The occurrence of the described situation is the logical ANDing of two probabilities. Use probability multiplication.
  P(overall) = 0.015 * 0.004 = 0.00006

FSE I - Application Exercise 4 (Solutions)
Title: Fault Trees

1. A fault tree is shown below. What is the outcome frequency?
   [Fault tree figure: Fa = 10/year, Pb = 0.05 and Pc = 0.1 into an AND gate]
  Outcome Frequency = Fa * Pb * Pc = 10 * 0.05 * 0.1 = 0.05 /year

2. A fault tree is shown below. What is the output probability?
   [Fault tree figure: Pa = 0.001, Pb = 0.002 and Pc = 0.005 into an OR gate]
  Probability = 0.001 + 0.002 + 0.005 - 0.001*0.002 - 0.001*0.005 - 0.002*0.005 + 0.001*0.002*0.005 = 0.007983
  or, approximately, Probability = 0.001 + 0.002 + 0.005 = 0.008

3. A fault tree is shown below. What is the output probability?
   [Fault tree figure: Pa = 0.004, Pb = 0.010 and Pc = 0.006 into an OR gate (P = 0.01988); Pd = 0.080 and Pe = 0.100 into an AND gate (P = 0.008); both gate outputs into a top AND gate (P = 0.000159)]
  P for the top OR gate = 1 - (1 - 0.004)*(1 - 0.010)*(1 - 0.006) = 0.01988
  Approximate P for the top OR gate = 0.004 + 0.010 + 0.006 = 0.020
  P for the bottom AND gate = 0.080 * 0.100 = 0.008
  Total Probability = 0.01988 * 0.008 = 0.000159
  Approximate Total Probability = 0.020 * 0.008 = 0.00016

FSE I - Application Exercise 5 (Solutions)
Title: Consequence Analysis Overview

1. Your company is estimating the risk posed by the failure of a new railroad track switching system.
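As an added worked example (not part of the course material), the gate arithmetic from Exercises 3 and 4 as a small fault-tree evaluator. The nested-tuple tree representation is an assumption of this example; it shows both the exact OR (the product form of the inclusion-exclusion sum used above) and the rare-event approximation side by side.

```python
"""Fault-tree gate arithmetic (added example; the tree format is an assumption)."""
from math import prod

# A tree node is either a number (a basic-event probability, or a single frequency)
# or a tuple (gate, [children]) with gate "OR" or "AND".


def evaluate(node, exact=True):
    """Return the top value of a fault tree whose gate inputs are independent.

    With exact=True an OR gate returns 1 - prod(1 - p_i), the closed form of the
    inclusion-exclusion sum written out in the Exercise 4 solutions; with exact=False
    it returns the rare-event approximation sum(p_i), which slightly over-estimates.
    AND gates multiply their inputs either way. At most one input of an AND gate may
    be a frequency; the gate output is then a frequency (per year).
    """
    if not isinstance(node, tuple):
        return float(node)
    gate, children = node
    values = [evaluate(child, exact) for child in children]
    if gate == "AND":
        return prod(values)
    if gate == "OR":
        return (1.0 - prod(1.0 - v for v in values)) if exact else sum(values)
    raise ValueError(f"unknown gate {gate!r}")


def or_two_events(pa, pb):
    """Exercise 3 question 3 form for two non-exclusive events: Pa + Pb - Pa*Pb."""
    return pa + pb - pa * pb


# Exercise 3, question 3: power supply (0.05) OR controller (0.01) fails.
EX3_Q3_TREE = ("OR", [0.05, 0.01])

# Exercise 4, question 1: frequency Fa = 10/year AND Pb = 0.05 AND Pc = 0.1 (result is per year).
EX4_Q1_TREE = ("AND", [10.0, 0.05, 0.1])

# Exercise 4, question 2: three basic events under an OR gate.
EX4_Q2_TREE = ("OR", [0.001, 0.002, 0.005])

# Exercise 4, question 3: (Pa OR Pb OR Pc) AND (Pd AND Pe).
EX4_Q3_TREE = ("AND", [("OR", [0.004, 0.010, 0.006]), ("AND", [0.080, 0.100])])

TREES = {"ex3_q3": EX3_Q3_TREE, "ex4_q1": EX4_Q1_TREE, "ex4_q2": EX4_Q2_TREE, "ex4_q3": EX4_Q3_TREE}


def solve_all():
    """Evaluate every tree exactly and with the rare-event approximation."""
    return {name: {"exact": evaluate(tree, exact=True), "approx": evaluate(tree, exact=False)}
            for name, tree in TREES.items()}


if __name__ == "__main__":
    for name, result in solve_all().items():
        print(f"{name}: exact={result['exact']:.6g}  rare-event approx={result['approx']:.6g}")
```

The approximation error grows with the input probabilities, so compare both columns before quoting a rounded OR-gate result.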
Estimate the average consequence, in terms of injuries and fatalities, of a train accident using the following data. In 1996: 550 fatalities, 10,948 injuries, 2,443 accidents. Data from Transportation Statistics Annual Report 1998, Bureau of Transportation Statistics, US Department of Transportation, BTS98-S-01.
The average consequence is calculated by dividing the total consequence by the number of opportunities.
  Average Consequence = (# consequences) / (# opportunities)
  Average Fatalities = 550 / 2,443 = 0.225
  Average Injuries = 10,948 / 2,443 = 4.48

2. Explain why average industry loss data may not be a valid way to estimate the consequence for chemical accidents.
For industry average data to be valid, two conditions must be satisfied: 1) there must be a large number of incidents from which to draw data, and 2) each of the incidents must occur under roughly similar circumstances. Neither of these two conditions is true for chemical accidents. Luckily, the number of chemical accidents is fairly small. Additionally, all chemical plants are very different. It is very unlikely that the potential consequences of different plants will be similar enough to allow statistical analysis.

3. A high-pressure vessel containing flammable gas that is liquefied under pressure undergoes an incident where it is expected to instantaneously rupture. What type of incident outcome can be expected if there is a source of ignition? If there is no source of ignition?
If there is a source of ignition, a fireball may occur. If there is no source of ignition, the outcome will be the release of hazardous material. In either case, although the question did not ask it, the consequences could be fatalities and/or equipment damage.
FSE I - Application Exercise 6 (Solutions)
Title: Event Tree Analysis

1. Draw an event tree that describes the following situation. (Use the back of this sheet.)
   * A toxic release can be initiated by a delivery driver pumping more material into a storage tank than the available capacity.
   * The delivery driver may or may not realize there is not enough capacity for the material that he is delivering, and then not attempt to transfer the material.
   * The driver may carefully monitor the level in the storage tank and stop the material transfer before a release occurs.

  INITIATING EVENT          BRANCH 1                       BRANCH 2                            OUTCOME
  More material than        Driver does not notice lack    Driver does not detect high level
  available space           of available space             in tank after starting pump
                            TRUE -----------------------> TRUE ---------------------------> Spill
                                                           FALSE --------------------------> No Event
                            FALSE --------------------------------------------------------> No Event

2. Using the following data, quantify the frequency at which toxic releases occur.
   * Based on historical data, delivery drivers are requested to deliver to storage tanks that do not have the required capacity approximately 3 times per year.
   * Due to a training initiative educating the drivers on the hazards of overfilling the tank, the probability that the driver will try to fill a tank that does not have sufficient capacity is estimated at 0.01.
   * The probability that the driver will not detect a high level condition after he has begun transfer is estimated at 0.1.

  INITIATING EVENT          BRANCH 1                       BRANCH 2                            OUTCOME
  More material than        Driver does not notice lack    Driver does not detect high level
  available space           of available space             in tank after starting pump
  3 /year                   TRUE (0.01) ----------------> TRUE (0.1) ---------------------> Spill      0.003 /year
                                                           FALSE (0.9) --------------------> No Event  0.027 /year
                            FALSE (0.99) -------------------------------------------------> No Event  2.97 /year

FSE I - Application Exercise 7 (Solutions)
Title: Layer of Protection Analysis

1. Draw a LOPA diagram that describes the following situation.
   [Process diagram: continuously stirred tank reactor with Reactant A charged through a manhole, a Reactant B feed, a Cooling Water jacket and a product outlet]

PROCESS: A pharmaceutical company has developed a new process to produce one of its drugs.
The process creates an aqueous solution that is withdrawn from the bottom of the pressurized, water cooling jacketed, continuously stirred tank reactor. The vessel is charged by filling it with 250 kg of water and manually dumping 125 kg, or 5 bags, of reactant A into the vessel. After the vessel is charged and closed, the stirring mechanism is started and the vessel's jacket is flooded with cooling water. After the stirring and cooling have been established, a small metered rate of 0.005 kg/min of reactant B is continuously added to the solution. Reactants A and B combine to form the desired product. Each batch operates for three weeks, and 12 batches are operated per year.

HAZARDS: The reaction of A and B is nearly instantaneous and highly exothermic. Safe operation of this process requires that an excess amount of reactant B never be allowed into the reactor, and that cooling water continuously be flowing through the jacket. Hazard analysis determined that the following events could cause a "runaway" reaction and physical explosion of the vessel.
1. Failure of controller FIC-01 causing uncontrolled reactant B entry into the reaction vessel.
2. Failure of cooling water supply causing heat and pressure to build up in the vessel.

The following layers of protection were identified as a safeguard against explosion of the vessel due to runaway reaction.
1. A rupture disk set to relieve the pressure well below the design pressure of the vessel.
2. Operator intervention to high vessel temperature, high vessel pressure and low cooling water flow alarms. The alarm system is independent from the control system with no common components.

It was also noted in the hazard assessment that the rupture disk pressure relief would not be effective in the situation where controller FIC-01 failed, because pressure cannot be vented as fast as it is generated.

2. Quantify the LOPA diagrams.
The following frequencies and failure probabilities were determined by a process engineer after reviewing the history of the plant.
  Flow control fails open: 1/25 /year
  Cooling water pump fails: 1/75 /year
  Rupture disk PFD: 0.0956
  Operator response to cooling water loss: 0.1
  Operator response to control failure: 0.1

In this case, use fraction is a layer of protection. An accident can only occur when the hazard is present. However, it is important to note that we need to cross-check our initiating event rates for flow control and cooling water pump failures. We need to be sure that these failure rates are for a 100% time base, and also that all of the failures that take place during the time the hazard is not present are identified and repaired before the batch run begins. This is almost always the case with plant-wide cooling water systems, but it is less likely to be the case with occasionally used flow controllers, and should be specifically confirmed before taking the credit calculated below.

  3 weeks/batch * 7 days/week * 12 batches/year = 252 days/year of operation
  Use fraction = 252 days / 365 days = 0.69 = 69%

  IE #1                        Operator Failure   Use Fraction   OUTCOME
  Flow control fails open      0.1                0.69           Explosion   2.76E-03 /year
  1/25 /year                                                     No Event

  IE #2                        Operator Failure   Rupture Disk Fails   Use Fraction   OUTCOME
  Cooling water pump fails     0.1                0.0956               0.69           Explosion   8.80E-05 /year
  1/75 /year                                                                          No Event

FSE I - Application Exercise 8 (Solutions)
Title: Quantifying Initiating Events and Layers of Protection
PROCEDURE: Use the excerpts from "Guidelines for Process Equipment Reliability Data" to quantify the rates and/or probabilities of the following situations.

1. A motor driven fan fails to provide cooling air, initiating an accident.
Use data from "Guidelines for Process Equipment Reliability Data" table 3.3.4, mean failure rate. The failure mode of interest is "Fails while running".
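As an added example (not part of the course material), the Exercise 6 event tree and the Exercise 7 LOPA chains computed with one shared routine: a LOPA outcome frequency is simply the all-failed path of an event tree whose branches are the protection layers, with the use fraction treated as one more conditional branch. Function names and the tuple outputs are assumptions of this example.

```python
"""Event-tree and LOPA frequency propagation (added example, not course material)."""

SAFE_OUTCOME = "No Event"


def event_tree(initiating_frequency, branches, hazard_name="Hazard"):
    """Enumerate the outcomes of an event tree.

    `branches` is an ordered list of (description, p_true) where p_true is the
    probability that the branch goes the wrong way (the TRUE side in the Exercise 6
    diagram). Each FALSE side terminates in "No Event"; only the all-TRUE path reaches
    the hazardous outcome. Returns (outcome, path, frequency) tuples whose frequencies
    always sum to the initiating frequency.
    """
    outcomes = []
    freq = float(initiating_frequency)
    path = []
    for description, p_true in branches:
        if not 0.0 <= p_true <= 1.0:
            raise ValueError(f"branch probability out of range: {description}={p_true}")
        outcomes.append((SAFE_OUTCOME, tuple(path + [f"{description}: FALSE"]), freq * (1.0 - p_true)))
        freq *= p_true
        path.append(f"{description}: TRUE")
    outcomes.append((hazard_name, tuple(path), freq))
    return outcomes


def hazard_frequency(initiating_frequency, layer_pfds, use_fraction=1.0, hazard_name="Hazard"):
    """LOPA outcome frequency: initiating frequency x each layer PFD x use fraction.

    Computed as the last path of event_tree() so the two views stay consistent. The
    use-fraction credit relies on the caveat in the Exercise 7 solution: initiating
    rates must be on a 100% time base, and failures that occur while the hazard is
    absent must be found and repaired before the next batch starts.
    """
    if not 0.0 < use_fraction <= 1.0:
        raise ValueError("use fraction must be in (0, 1]")
    layers = [(f"layer {i + 1} fails", pfd) for i, pfd in enumerate(layer_pfds)]
    layers.append(("hazard present (use fraction)", use_fraction))
    return event_tree(initiating_frequency, layers, hazard_name)[-1][2]


def use_fraction_from_schedule(weeks_per_batch, batches_per_year, days_per_year=365):
    """Fraction of the year during which the hazard exists, from the batch schedule."""
    days = weeks_per_batch * 7 * batches_per_year
    if days > days_per_year:
        raise ValueError("batch schedule exceeds the year")
    return days / days_per_year


def exercise_6():
    """3 over-deliveries/year; driver fails to notice (0.01); driver fails to detect high level (0.1)."""
    return event_tree(3.0, [("Driver does not notice lack of available space", 0.01),
                            ("Driver does not detect high level after starting pump", 0.1)], "Spill")


def exercise_7():
    """Two initiating events, both gated by the 3 weeks x 12 batches use fraction."""
    uf = use_fraction_from_schedule(3, 12)
    # Rupture disk gives no credit against FIC-01 failure, so only the operator layer applies.
    ie1 = hazard_frequency(1 / 25, [0.1], uf, "Explosion")
    # Cooling water loss: operator response AND rupture disk.
    ie2 = hazard_frequency(1 / 75, [0.1, 0.0956], uf, "Explosion")
    return {"use_fraction": uf, "flow_control_fails_open": ie1,
            "cooling_water_pump_fails": ie2, "total_explosion_frequency": ie1 + ie2}


if __name__ == "__main__":
    for outcome, path, f in exercise_6():
        print(f"{outcome:9s} {f:.4g} /year via {' -> '.join(path)}")
    for key, value in exercise_7().items():
        print(f"{key}: {value:.3g}")
```

The sum-to-initiating-frequency property is a useful self-check when an event tree is quantified by hand.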
  9.09 failures / 10^6 hours; converting to failures per year,
  9.09 failures / 10^6 hours * 8760 hours / year = 0.08 failures/year
* Initiating events are described by a frequency.

2. A flexible hose ruptures, initiating an accident.
Use data from "Guidelines for Process Equipment Reliability Data" table 3.2.5, mean failure rate. The failure mode of interest is " ".
  0.570 failures / 10^6 hours; converting to failures per year,
  0.570 failures / 10^6 hours * 8760 hours / year = 0.005 failures/year

3. A non-operated check valve, with a periodic inspection and test interval of four years, fails to prevent an accident.
Use data from "Guidelines for Process Equipment Reliability Data" table 3.5.1.2, mean failure rate. Use the catastrophic failures, which are given per unit time, not failures per attempt.
  3.18 failures / 10^6 hours
  PFDavg = (λ * t) / 2
  PFDavg = (0.00000318 * 4 * 8760) / 2 = 0.055
* Protection layers must be described by a probability. In the case of periodic inspection and test, the average probability of failure on demand, which is a function of failure rate and test interval, is the best probability to use.

FSE I - Application Exercise 9 (Solutions)
Title: Assigning Safety Integrity Levels
PROCEDURE: An accident can occur that will cause the release of 2,000 pounds of highly toxic phosgene from a reactor that makes polycarbonate resin. Risk analysis has shown that the probable loss of life due to this release is 75.6 fatalities per event. The analysis also showed that the accident has an unmitigated frequency of once per 892 years. Use the hazard matrix (procedure 1), risk graph, frequency based target, and individual risk target methods described in the slides in this section to select safety integrity levels.

NOTE: The different risk tolerances are not intended to match each other and you should expect different answers between the different cases. This is the result of different risk tolerances, not the form or method used to express those tolerances.
* Individual risk target for the facility is 1.0 x 10^-4 /year.

SOLUTIONS:
a. Hazard Matrix
  Consequence -> C4
  Likelihood -> 1/892 year = D3
  Hazard Matrix -> SIL 2

b. Risk Graph
  Consequence -> CD (Many Deaths / Catastrophe)
  Occupancy -> FB  (No credit taken for lack of occupancy. This factor is consolidated in the PLL = 75.6 estimate.)
  Probability of Avoidance -> PB  (No credit taken. This factor is consolidated in the PLL = 75.6 estimate.)
  Demand Rate -> W1
  Following this path through the Personnel Safety Risk Graph yields SIL 3.

c. Frequency Based Target
  Select target based on consequence -> Catastrophic, 2.0 x 10^-6 /year
  RRF = (1/892) / 2.0 x 10^-6 = 561
  The selected SIF RRF must be greater than 561, so SIL 3, or SIL 2 with an RRF > 561 plus any margin for uncertainty not already applied.

d. Individual Risk Target
  Select target based on consequence:
  Ftarget = 1.0 x 10^-4 / 75.6 = 1.32 x 10^-6 /year
  RRF = (1/892) / 1.32 x 10^-6 = 849
  The selected SIF RRF must be greater than 849, so SIL 3, or SIL 2 with an RRF > 849 plus any margin for uncertainty not already applied.

FSE I - Application Exercise 10 (Solutions)
Title: Comprehensive SIL Selection Exercise
PROCEDURE: A chemical processor has just performed an upgrade of a process heater. The upgrade was complex enough for the Management of Change procedures to be used. During the process a new HAZOP was performed on the process section. Review the HAZOP study to determine if there are any new SIS requirements. If so, select a safety integrity level. The process plant's tolerable risk target is based on the risk integral with a target individual risk of 1.0 x 10^-5 /year.

Process Diagram:
[Process diagram: wet gas from a reciprocating compressor enters a flash drum; vapor leaves the top either to users or to the vent/flare line; liquid leaves the bottom under level control]

Process Description: A "wet" hydrocarbon gas is compressed by a reciprocating compressor into a flash drum. In the flash drum liquid and vapor separate.
The liquid is withdrawn from the bottom of the flash drum under level control and vapor is withdrawn from the top of the vessel and either compressed and sent to downstream users or sent to flare under pressure control. The flare line has not been sized to pass the full discharge of the wet gas compressor to flare.

HAZOP Report Output
SIF: Open vent valve upon high pressure in vessel
Consequence: Overpressure and rupture of vessel
Initiating event: Outlet vapor compressor fails
Protection Layers: Operator intervention; Relief valve
* Relief valve is pilot operated, tested annually.
* "Wet gas" compressor is a motor driven reciprocating compressor.
* "Vapor withdrawal" compressor is a motor driven reciprocating compressor.
* Operator is well trained, but only has 15 seconds to perform a shutdown before an accident occurs.
* Consequence analysis has determined a PLL = 0.15 for the overpressure and explosion of the flash drum.

SOLUTION
Step 1 - The LOPA diagram for the overpressure consequence is as follows.
  INITIATING EVENT                PL #1            PL #2                OUTCOME
  Outlet vapor compressor fails   Operator fails   Relief valve fails   Overpressure
                                                                        No Event

Step 2 - Quantify the LOPA diagram.
  INITIATING EVENT                PL #1            PL #2                OUTCOME
  Outlet vapor compressor fails   Operator fails   Relief valve fails   Overpressure   8.96E-02 /year
  21.6 /year                      1.0              0.00415              No Event

  Vapor withdrawal compressor failure - Table 3.3.2.1: 2470.0 failures / 10^6 hours -> 21.6 failures per year
  Operator failure - Simplified method: conditions for PFD = 0.1 are not met, so use PFD = 1.0
  Relief valve fails - Table 4.3.3.1: 4.15 failures / 10^3 demands -> PFD = 0.00415

Step 3 - Select SIL (Individual Risk / Risk Integral)
  Ftarget = 1.0 x 10^-5 / 0.15 = 6.67 x 10^-5 /year
  PFD = 6.67 x 10^-5 / 0.0896 = 7.44 x 10^-4
  RRF = 134
  SIL = 3 (or SIL 2 with an RRF suitably greater than 134)
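As an added example (not part of the course material), the data conversions and SIL selection steps of Exercises 8, 9 and 10 in one script: failure rates quoted per 10^6 hours converted to per year, PFDavg = λT/2 for a periodically tested layer, and the required RRF mapped onto the IEC 61508/61511 low-demand SIL bands. Function names and the band table layout are assumptions of this example; the band limits are the standard's.

```python
"""Reliability-data conversion and SIL selection (added example, not course material)."""

HOURS_PER_YEAR = 8760

# IEC 61508/61511 low-demand bands as (SIL, minimum RRF, maximum RRF); RRF = 1 / PFDavg.
SIL_BANDS = [(1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000)]


def failures_per_year(failures_per_million_hours):
    """Convert a rate quoted per 10^6 hours (as in the reliability data tables) to per year."""
    return failures_per_million_hours * 1e-6 * HOURS_PER_YEAR


def pfd_avg(failure_rate_per_hour, test_interval_years):
    """Average probability of failure on demand of a periodically tested layer: lambda*T/2."""
    pfd = failure_rate_per_hour * test_interval_years * HOURS_PER_YEAR / 2.0
    if pfd > 0.1:
        # lambda*T/2 is a small-lambda*T approximation; past this point the layer
        # also no longer qualifies as a PFD < 0.1 protection layer.
        raise ValueError(f"lambda*T/2 = {pfd:.3f}; approximation not valid")
    return pfd


def required_rrf(unmitigated_frequency, tolerable_frequency):
    """Risk reduction factor the SIF must provide: F_unmitigated / F_target."""
    return unmitigated_frequency / tolerable_frequency


def tolerable_frequency_from_individual_risk(individual_risk_target, pll):
    """Frequency target when the tolerance is per fatality: IR_target / PLL."""
    return individual_risk_target / pll


def sil_for_rrf(rrf):
    """SIL band containing the required RRF, or None if below SIL 1 / above SIL 4.

    The solutions also allow the next higher SIL when the required RRF sits high in a
    band; that is an engineering choice, not something this function decides.
    """
    for sil, low, high in SIL_BANDS:
        if low <= rrf < high:
            return sil
    return None


def exercise_8():
    return {
        "fan_fails_running_per_year": failures_per_year(9.09),   # table 3.3.4 mean rate
        "hose_rupture_per_year": failures_per_year(0.570),       # table 3.2.5 mean rate
        "check_valve_pfd_avg": pfd_avg(3.18e-6, 4),              # table 3.5.1.2, 4-year test
    }


def exercise_9():
    f_unmitigated = 1 / 892
    rrf_freq = required_rrf(f_unmitigated, 2.0e-6)  # catastrophic frequency target
    rrf_ir = required_rrf(f_unmitigated, tolerable_frequency_from_individual_risk(1.0e-4, 75.6))
    return {"frequency_based": (rrf_freq, sil_for_rrf(rrf_freq)),
            "individual_risk": (rrf_ir, sil_for_rrf(rrf_ir))}


def exercise_10():
    ie = failures_per_year(2470.0)      # vapor withdrawal compressor fails, table 3.3.2.1
    operator_pfd = 1.0                  # 15 s to respond: no credit under the simplified method
    relief_pfd = 4.15 / 1e3             # 4.15 failures per 10^3 demands, table 4.3.3.1
    mitigated = ie * operator_pfd * relief_pfd
    f_target = tolerable_frequency_from_individual_risk(1.0e-5, 0.15)
    rrf = required_rrf(mitigated, f_target)
    return {"initiating_per_year": ie, "mitigated_per_year": mitigated,
            "f_target": f_target, "rrf": rrf, "sil": sil_for_rrf(rrf)}


if __name__ == "__main__":
    print(exercise_8())
    print(exercise_9())
    print(exercise_10())
```

For Exercise 10 the RRF implied by PFD = 7.44 x 10^-4 is 1/PFD, about 1344, which is what places the function in the SIL 3 band (1,000 to 10,000); an RRF of 134 would fall in SIL 2.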
