Palaniappan R. Kannan, Consultant – Facility Risk Analysis and Safety Instrument System, rmp66@singnet.com.sg
Safety Instrument Systems (SIS) are one of the critical layers for accident prevention. An SIS performs various Safety Instrument Functions. The acceptable probability of failure on demand of each of these functions, expressed as a Safety Integrity Level (SIL), needs to be determined for design and later verified. In this article the author presents a methodology for SIL determination of Safety Instrument Functions using a simple, less time-consuming quantitative technique.
Safety Integrity Level, SIL, SIL determination, Risk analysis, LOPA.
The primary function of a Safety Instrument System in a facility is to mitigate unwanted incidents and the resulting consequences that can cause harm. The major impacts of these consequences include:
On-site consequences
- Fatality of plant personnel
- Personal injury to plant personnel
- Equipment damage
- Business interruption
Off-site consequences
- Death or injury of living beings in the nearby community
- Property damage
Environmental consequences
- Contamination and damage to nature
The challenge is to identify which events can result in unwanted consequences, at what frequency they are likely to occur, and how to prevent or mitigate them. There are various risk analysis techniques, both qualitative and quantitative. Based on the overall risk reduction requirement estimates, the Safety Instrument System and its functions are designed to act as a layer of protection.
The risk depends on the severity of the consequences of the hazardous event and their frequency of occurrence. It is possible to design redundancies and multiple independent layers of protection in order to bring the risk to a negligible level. However, it should be remembered that business is about the bottom line, and risk reduction costs money. So a tolerable level of risk has to be accepted. The damage caused by a hazard can be categorized as follows:
- Financial loss
- Human fatalities
- Environmental damage
Risk reduction targets need to be fixed for each of the above categories. They depend on the stakeholders' risk tolerance levels.
The various protection layers have to be designed to meet these risk reduction targets. Depending on the number of independent layers, the risk reduction required from each safety instrument function is determined. This requirement is classified into Safety Integrity Levels (SIL). IEC 61508 [1] defines the Safety Integrity Levels for given ranges of risk reduction:
SAFETY INTEGRITY LEVEL (SIL) | PROBABILITY OF FAILURE ON DEMAND (PFDavg) | RISK REDUCTION FACTOR (RRF)
4 | 10^-5 to 10^-4 | 10,000 to 100,000
3 | 10^-4 to 10^-3 | 1,000 to 10,000
2 | 10^-3 to 10^-2 | 100 to 1,000
1 | 10^-2 to 10^-1 | 10 to 100
Layer of Protection Analysis (LOPA) is an objective, quantitative risk analysis and mitigation design technique. It is also simple and straightforward, and can be used for analyzing most hazard scenarios. LOPA is a derivative of the quantitative risk analysis tool called Event Tree Analysis. In LOPA, instead of multiple consequences for an initiating event, a single initiating event / consequence pair is taken for analysis. This gives a good opportunity to identify whether a Safety Instrument Function is required and, if so, what its Safety Integrity Level should be. The methodology is presented here.
This is an important step, in which the unwanted event and its causes are clearly identified from the Hazard Analysis. The consequence has to be stated first. Then the scenario that can create this consequence has to be described. This scenario will give the details of the initiating event, the required enabling conditions if any, and the independent protection layers (IPL).
Here is an example:
Consequence detail: Over Pressure in the vessel V1.
Scenario Description: Failure of pressure control loop (initiating event) AND failure of PSV (failure of protection layer) RESULTING IN over pressure in vessel V1 (consequence).
Apart from the description, the frequency of the initiating event has to be provided here. Initiating events can be the result of various underlying root causes such as external events, equipment failures or human failures. These failure rates can be obtained from various industrial databases or can be derived from the failure rates of the components contributing to the initiating event. For the above example the control loop failure frequency can be 1 × 10^-1 per year.
Some scenarios require an enabling condition for the initiating event to result in the hazard. Examples are start-up mode, shutdown mode, tank filling phase, etc. The description of these conditions as well as their probabilities are required for the calculation.
Other probabilities required for the initiating event to result in the identified consequence can be:
- Probability of ignition
- Probability of people being present in the affected area
- Probability of fatality
This is the frequency at which the identified hazard consequence will occur for the particular scenario if no protection layers are in place. It is simply the product of all the above frequencies and probabilities.
Suppose there is a tank containing flammable liquid, the consequence is fire, and the initiating event is overflow of liquid due to control loop failure. Then the frequency of fire is:
fr_fire = fr_BPCS failure × P_ignition
= 0.1 / year × 0.1 (say)
= 1 × 10^-2, or 0.01 / year.
The target frequency for a scenario is based on the risk tolerance level of the stakeholders. There are qualitative and quantitative methods that can be used for its determination [2].
An independent protection layer (IPL) is a device, system, or action capable of preventing an initiating event from resulting in the consequence. These protection layers should be independent of the initiating event and of the other protection layer(s) associated with the scenario. Utmost care should be taken in assigning protection layers to scenarios. For example, if DCS failure is the initiating event, then alarms generated by the DCS cannot be credited as a layer of protection.
With all the above details and data in place, the functional requirements of the proposed SIS function and its required Probability of Failure on Demand (PFD) can be calculated:
PFD required for SIS function = Scenario frequency allowed based on risk analysis / Scenario frequency with the other IPLs in place
As shown in the SIL table earlier, the Safety Integrity Level depends on the PFD requirement of the SIS function.
For example, if the PFD required for the SIS function is 0.01, then the Safety Integrity Level is SIL 2.
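The steps above carried through end to end, as an added example that is not code from the original article: the 0.1/year BPCS failure frequency and 0.1 ignition probability are the article's, while the dike IPL credit (PFD 0.01) and the tolerable target frequency (1 × 10^-6/year) are assumed values. The SIL mapping uses the article's table with the convention that a value exactly on a band boundary takes the higher SIL, which is what makes the article's "PFD 0.01 is SIL 2" example hold.

```python
import math
from dataclasses import dataclass, field

# SIL bands from the article's table: SIL -> (lower PFDavg, upper PFDavg)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass
class Scenario:
    """One initiating-event / consequence pair with its LOPA data."""
    initiating_event_freq: float                  # per year
    target_freq: float                            # tolerable frequency, per year
    enabling_condition_prob: float = 1.0          # 1.0 when no enabling condition
    conditional_probs: dict = field(default_factory=dict)  # ignition, occupancy, ...
    ipl_pfds: dict = field(default_factory=dict)  # non-SIS IPLs only

    def unmitigated_freq(self) -> float:
        """Frequency with no protection layers: product of all the inputs."""
        return (self.initiating_event_freq * self.enabling_condition_prob
                * math.prod(self.conditional_probs.values()))

    def freq_with_ipls(self) -> float:
        """Frequency after crediting the independent non-SIS layers."""
        return self.unmitigated_freq() * math.prod(self.ipl_pfds.values())

    def required_sif_pfd(self) -> float:
        """PFD the SIS function must achieve: target / frequency with other IPLs."""
        return self.target_freq / self.freq_with_ipls()


def sil_for_pfd(required_pfd: float):
    """Map a required PFD onto the article's SIL table. Returns None when the
    requirement is weaker than SIL 1 (PFD > 0.1, no SIL-rated function called
    for); raises when it is beyond SIL 4 (PFD < 1e-5): add IPLs or redesign."""
    top = SIL_BANDS[1][1]
    if required_pfd > top and not math.isclose(required_pfd, top):
        return None
    # Highest SIL first, so a value exactly on a band boundary gets the higher SIL.
    for sil, (lower, upper) in sorted(SIL_BANDS.items(), reverse=True):
        if lower <= required_pfd <= upper or math.isclose(required_pfd, upper):
            return sil
    raise ValueError(f"required PFD {required_pfd:.1e} is beyond SIL 4")


def article_fire_example() -> tuple:
    """The article's tank-fire scenario: 0.1/yr BPCS failure x 0.1 ignition.
    The dike IPL (PFD 0.01) and the 1e-6/yr target are assumed values."""
    s = Scenario(initiating_event_freq=0.1, target_freq=1e-6,
                 conditional_probs={"ignition": 0.1}, ipl_pfds={"dike": 0.01})
    pfd = s.required_sif_pfd()
    return s.unmitigated_freq(), pfd, sil_for_pfd(pfd)
```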
At present many of the Safety Instrument Functions in process facilities around the world provide under-protection or over-protection. One of the reasons is erroneous risk analysis and SIL determination. The method described in this article is a logical and less time-consuming way of SIL determination for safety system functions. It also reduces over-engineering of the SIS, resulting in safety system life-cycle cost savings. However, for complex cases this method can be used for screening and to supplement other Quantitative Risk Analysis techniques.
In order that existing facilities also benefit from this method, an SIS risk assessment cum audit can be performed.
[1] IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, International Electrotechnical Commission, Geneva, Switzerland, 1998.
[2] Layer of Protection Analysis, CCPS, AIChE, New York, 2001.
[3] Faisal I. Khan, Use Maximum-Credible Accident Scenarios for Realistic and Reliable Risk Assessment, Chemical Engineering Progress, Nov 2001.
[4] Guidelines for Safe Automation of Chemical Processes, CCPS, AIChE, New York, 1993.
[5] Edward M. Marszal, Decrease Safety System Cost by Considering Existing Layers of Protection, exida.com, 2000.
©Palaniappan R Kannan