Presentation

1
Presentation
2
SIF Life Cycle
Hazards analysis (HAZOP /PHA)
SIS Requirements specification
SIF definition
Risk analysis (SIL assessment)
Design/Implementation
Assign tags / SFC to subsystems
Safe failure assessment (for SFCs)
Test intervals calcs
ALARP assessment
Analyze results (e.g. yearly)
Test Procedures
Execute Tests (validations)
3
Lets have a look how this valve can fail?
4
Dangerous Failure
GO
5
Safe Failure
STOP
6
RISK REDUCTION GENERAL CONCEPTS
ACTUAL
ACCEPTABLE
INTERMEDIATE
INITIAL RISK
REMAINING RISK
RISK
RISK
Risk with the
Risk without the
Risk with the
addition of other
addition of any
addition of other
TOLERABLE RISK
risk reduction
protective features
risk reduction
facilities and
facilities
SIF function
ALARP region
INCREASING
RISK
NECESSARY
RISK REDUCTION
ACTUAL RISK REDUCTION
Partial risk
other risk reduction facilities
covered by
SIF
Total risk reduction
7
LAYERS OF PROTECTION (THE ONION MODEL)
the bowtie
consequences
threats
(independent)
8
What is risk?

• Risk can be mapped on a graph

high risk
Increasing risk
Lines of equal risk
Likelihood
Consequences
low risk
9
What is risk?
High Risk
Likelihood
Low Risk
Consequence
10
Risk reduction
Preventive and Mitigating SIF effects
High Risk
Likelihood,(or DR)
Low Risk
CQ1
CQ2
Consequence
11
A Risk Assessment Matrix (RAM)
Broadly acceptable risks
Tollerable risk
The required SIL (to make the risk broadly
acceptable) can directly be entered in the cell
that represents the initial risk.
Intollerable risks
1
2
3
4
High Risk
1
a
1
2
3
Likelihood (y-1)
10-1
a
a
1
2
10-2
Example Only
-
a
a
1
Low Risk
Consequence
12
Risk Matrix
SIL2
SILa
SIL4
SIL3
SIL1
SILa
SIL4
SIL3
SIL2
SILa
SIL3
SIL2
SIL1
SIL2
SIL1
SILa
SIL1
SILa
SILa
13
Chain of events
Process under control
Process deviation or disturbance
Process out of control
Demand scenario
Hazardous situation
Design intent prevent ltreleased hazardgt
Released Hazard
SIF
Hazardous event
Consequences of failure on demand
Consequences
14
Risk Matrix
SILa
SIL4
SIL3
SIL2
SILa
SIL4
SIL3
SIL2
SIL1
SILa
SIL3
SIL2
SIL1
SIL2
SIL1
SILa
SILa
SILa
SIL1
15
Process Safety Time
16
SIL Assessment

• Team
• Facilitator (TE)
• Process engineer
• Operations
• Instr./Control eng.
• Operational safety
• Equipment specialists(PT)

• Min. Preparation
• Unit structure data
• PID/PFS
• CE diagrams etc.

• Required data
• Asset data
• failure rates
• complex/simple
• Safe F. frac.
• repair time
• LS type(s)
• Test related data
• Cov. factor
• duration
• Self diagnostic cov.

SIF design
17
Alarp Principle IEC 61511
Risk Classes
Interpretation
Unacceptable Region
Risk can not be justified except in
extraordinary circumstances
Intolerable Risk
I
Undesirable Risk Tolerable only if further risk
re -duction is impra -ticable or if its
cost is grossly disproportionate to improve
gained
Risk is tolerable only if a. Further Risk
reduction is Impractical or if its cost is
disproportionate to the Improvement gained
or b. Society desires the benefit of The
activity given the associated Risk As Risk
is reduced, the less, in Proportion, it is
necessary to spend To satisfy ALARP, The concept
of Diminishing proportion is Represented by the
triangle
II
Tolerable Region
Increasing Individual Risk and Social Concerns
Tolerable Risk if the cost of risk reduction
would exceed the im- provement gained
III
Level of residual risk regarded as Negligible,
and further measures to Reduce risk not usually
required. No Need for detailed working
to Demonstrate ALARP
Broadly Acceptable Region
Negligible Risk
IV
Negligible Risk
18
Tolerable and Acceptable risks
risk
SIL Class at least required to make the risk
tolerable the minimum solution, e.g. SIL 1
intolerable
SIL Class required to make the risk more
tolerable an intermediate solution, e.g.SIL 2
tolerable
SIL Class required to make the risk acceptable
the normal solution , e.g. SIL 3
broadly acceptable
SIL assessment aims to reduce the risk
to broadly acceptable
19
Tolerable/Acceptable Risk, defaults
Personal Safety
Severity rating

0

N

L

M

H

E

Demand
No
health
slight effect /
Minor health
Major health
PDT or 1 to 3
Multiple
interval (y)

effect/injury

injury

effect / injury

effect/injury

fatalities

fatalities


Consequence
severity


Production losses and Equipment damage
Severity rating

0

N

L

M

H

E

Demand
Very Slight
Slight
Minor
Local damage

Major
Extensive
interval (y)

damage

damage


damage

100K
-
1M

damage

damage

lt 1K

lt 10K

10K
-
100K

1M
-
10M

gt10M

Consequence
severity


Environment
Severity rating

0

N

L

M

H

E

Demand
No effect

Slight effect

Minor effect

Localized
Major effect

Massive effect

interval (y)

effect


Consequence
severity


20
Example
Personal Safety

• Demand rate 10 Yrs
• Safety Major Health Effect
• Economic loss 2 M
• Environment Minor Effect

Severity rating

0

N

L

M

H

E

Demand
No
health
slight effect /
Minor health
Major health
PDT or 1 to 3
Multiple
interval (y)

effect/injury

injury

effect / injury

effect/injury

fatalities

fatalities


Consequence
severity

Production losses and Equipment damage (Economic)

Severity rating

0

N

L

M

H

E

Demand
Very Slight
Slight
Minor
Local damage

Major
Extensive
interval (y)

damage

damage


damage

100K
-
1M

damage

damage

lt 1K

lt 10K

10K
-
100K

1M
-
10M

gt10M

Consequence
severity

Environment

Severity rating

0

N

L

M

H

E

Demand
No effect

Slight effect

Minor effect

Localized
Major effect

Massive effect

interval (y)

effect


Consequence
severity


21
Quiz

• What is the frequency of occurrence Loss of
  Containment in the following chain of events ?

PAH hi pressure alarm
22
Solution
Loss of containment only if the following
events (Alarm Success AND Operator Fails AND
Relief Fails) OR (Alarm Fails AND
ReliefFails)
23
Quizcontinued
Now add a SIF layer Probability of failure
0.01 So What is the frequency of occurrence
Loss of Containment In the following chain of
events?
PAH hi pressure alarm PZHH hi hi pressure
trip function,SIF
24
Solution
Real demand frequency (on SIF) (3x0,9x0.1)
(3x0.1) 0.57 Freq/Yr Real demand rate 1/0.57
1.75 years
Loss of containment only if the following
events (Alarm Success AND Operator Fails AND
SIF Fails AND Relief Fails) OR (Alarm Fails
AND SIF Fails AND Relief Fails)
25
Applied LOPA in SIFpro
26
Example of defenses
pre-alarm and trip
Downstream blockage
Loss of containment
Explosion of gas cloud
One operator killed and 6 months downtime
ignition
exposure
Conditional modifiers
Mitigation layers
Protection layers
Initiating events
hazard
Released hazard
Consequences
RV pops
Flaring
RV repair Environmental impact
The PSHH function
27
Lopa General Structure
Conditional modifiers
Mitigation layers
Protection layers
Initiating events
Hazardous event
Hazardous event
Consequences
Total initiating event frequency
Hazard rate
Real demand frequency
SIF
FG
28
Example- Furnace fuel
Furnace
Crude feed
TZHH
NG
Fuel gas
29
Example- Syngas reactor
Syngas (CO, H2) to Synthesis reactor
Syngas reactor
TZHH
CH4
O2
30
Example - Compressor
Collateral SIFs
Sensor M XZ2 XZ3
LZHH X X X
XZHH X X X
Seal oil
LZLL
XZ4
UZ3
UZ1
UZ2
M
XZHH
LZHH
31
How is it done?
Hazards analysis (HAZOP /PHA)
SIS Requirements specification
SIF definition
Risk analysis (SIL assessment)
Design/Implementation
Assign tags / SFC to subsystems
Safe failure assessment (for SFCs)
Test intervals calcs
ALARP assessment
Analyze results (e.g. yearly)
Test Procedures
Execute Tests (validations)
32
Instruments do fail sometimes!
frequency of failure (y -1)
time
33
Instruments fail randomly..
frequency of failure (y -1)
time
34
Probability of failure as function of time
First few years PFDt is about linear PFDt ld
t
35
PFD as function of time with testing
Because a demand may occur any time we are
interested in the average risk reduction, i.e.
the PFDavg
36
Thank You !