Chapter 13

SIL Targeting—Some Practical Examples

Abstract

This chapter briefly explains a few practical examples of SIL targeting. Two case studies analyzed using the LOPA technique are summarized in detail at the end as worksheets, which are used to determine the PFD from the IPLs and IEFs.

Keywords

Human/system error; IEF; IPL; LOPA; Maximum tolerable failure rate; SIF; SIL targeting

13.1. A Problem Involving EUC/SRS Independence

Figure 13.1 shows the same equipment under control (EUC) as was used in Chapter 11. In this case, however, the additional protection is provided by means of additional K2 pilot valves, provided for each valve, V. This implies that failure of the valves, V, was (wrongly) not perceived to be significant. Closing the K2 pilot valve (via the PES and an I/P converter) has the same effect as closing the K1 pilot. The valve, “V,” is thus closed by either K1 or K2. This additional safety-related protection system (consisting of PES, I/P converters, and K2 pilots) provides a backup means of closing valve “V.”
The PES receives a pressure signal from the pressure transmitters P. A “high” signal will cause the PES to close the K2 pilots and thus valves “V.”
It might be argued that the integrity target for the add-on SRS (consisting of PESs, transmitters, and pilots) is assessed as in Chapter 11. This would lead to the same SIL target as is argued in Chapter 11, namely 2.5 × 10⁻³ PFD (probability of failure on demand), being SIL 2.
However, there are two reasons why the SRS is far from INDEPENDENT of the EUC:
(a) Failures of the Valve V actuators, causing the valves to fail open, will not be mitigated by the K2 pilot.
(b) It is credible that the existing pilots K1 and the add-on pilots K2 might have common cause failures. In that case some failures of K1 pilots would cause failure of their associated K2 pilots.
Therefore, in Chapter 11, a design is offered which does provide EUC/SRS independence. What then is the SIL target for the SRS in Figure 13.1?
It becomes necessary to regard the whole of the system as a single safety-related system. It thus becomes a high-demand system with a Maximum Tolerable Failure Rate (see Chapter 11) of 10⁻⁵ pa. This is at the far limit of SIL 4 and is, of course, quite unacceptable. Thus an alternative design would be called for.
Figure 13.1 The system, with and without backup protection.

13.2. A Hand-held Alarm Intercom, Involving Human Error in the Mitigation

A rescue worker, accompanied by a colleague, is operating in a hazardous environment. The safety-related system, in this example, consists of a hand-held intercom intended to send an alarm to a supervisor should the user become incapacitated. In this scenario, the failure of the equipment (and lack of assistance from the colleague) results in the “alarm” condition not being received or actioned by the “supervisor” located adjacent to the hazardous area. This, in turn leads to fatality.
Figure 13.2 Loss of alarm function.
The scenario is modeled in Figure 13.2. Gate G1 models the demand placed on the safety-related system and Gate G2 models the mitigation. The events:
ATRISK are the periods to which an individual is exposed
SEP is the probability that the colleague is unavailable to assist
HE1 is the probability that the colleague fails to observe the problem
INCAP is the probability that the colleague is incapacitated
DEMAND is the probability that the incident arises during the event
FATAL is the probability that the incident would lead to fatality if the worker is not rescued.
Assume that the frequency of Gate G1 is shown to be 4.3 × 10⁻⁴ pa. Assume, also, that the target Maximum Tolerable Risk is 10⁻⁵ pa. In order for the frequency of the top event to equal 10⁻⁵ pa, the probability of failure associated with Gate G2 must be 1 × 10⁻⁵/4.3 × 10⁻⁴ = 2.33 × 10⁻². However, the event HE2 has been assigned a PFD of 10⁻², which leaves a target PFD for the intercom of 1.33 × 10⁻².
Thus a SIL 1 target (low demand) will be placed on this safety function. Notice how critical the estimate of human error is in affecting the SIL target for the intercom. Had HE2 been 2 × 10⁻², the target PFD would have been 2.33 × 10⁻² − 2 × 10⁻² = 3.3 × 10⁻³. In that case the target for the intercom would have been SIL 2.

13.3. Maximum Tolerable Failure Rate Involving Alternative Propagations to Fatality

In this example, as a result of instrument and plant failures, a toxic gas cloud is released. Two types of hazard are associated with the scenario:

(a). Concentration of Gas on Site

In this case a wind velocity of less than 1 m/s is assumed, as a result of which inversion would cause a concentration of gas within the site boundary, possibly leading to fatality.
Max. Tolerable Risk = 10⁻⁵ pa (perhaps 10⁻⁴ pa overall voluntary risk but 10 similar hazards).
Downstream pipe rupture due to 8 Bar = 10⁻² pa.
Wind <1 m/s assumed to be 1 day in 30 = 3.3 × 10⁻².
Plant in operation, thus causing exposure to the hazard, 100% of the time.
Personnel close enough = 75%.
Propagation of failure to fatality is estimated to be 80%.
Thus Max Tolerable PFD = 10⁻⁵ pa/(0.01 pa × 3.3 × 10⁻² × 0.75 × 0.8) = 5.1 × 10⁻²

(b). Spread of Gas to Nearby Habitation

In this case a wind velocity of greater than 1 m/s is assumed and a direction between north and north west, as a result of which the gas cloud will be directed at a significant area of population.
Max Tolerable Risk = 10⁻⁵ pa (public, involuntary risk).
Downstream pipe rupture due to 8 Bar = 10⁻² pa.
Wind >1 m/s assumed to be 29 days in 30 = 97%.
Wind direction from E to SE, 15%.
Plant in operation, thus causing exposure to the hazard, 100% of the time.
Public present = 100%.
Propagation of failure to fatality is assumed to be 20%.
Thus Max Tolerable PFD = 10⁻⁵ pa/(0.01 pa × 0.97 × 0.15 × 0.20) = 3.4 × 10⁻²
The lower of the two Max Tolerable PFDs is 3.4 × 10⁻², which becomes the target.
SIL targets for the safety-related systems would be based on this. Thus, if only one level of protection were provided, a SIL 1 target would apply.

13.4. Hot/cold Water Mixer Integrity

In this example, programmable equipment mixes 70 °C water with cold water to provide an appropriate outlet to a bath. In this scenario, a disabled person is taking a bath, assisted by a carer. The equipment failure, which leads to the provision of 70 °C water, is mitigated by human intervention.
Figure 13.3 models the events leading to fatality. Gate G11 apportions the incidents between those failures occurring prior to the bath (such that it is drawn with scalding water) (G111) and those that occur during the bath (G112). It was assumed that a bath occupies 47 hrs per 2 days. Thus the probability of the former is 47/48 = 99% and the latter therefore 1%.
A 20% chance of a distraction arising is assumed.
A 10% chance of the carer responding to the distraction is assumed.
The human error whereby the carer fails to detect a scalding bath is estimated as 0.1.
The reader might care to study Figure 13.3 and verify that the probability associated with gate G11 is (0.99 × [0.1 × 0.2 + 0.1]) + (0.01 × [0.1 × 0.2]) = 0.119.
The probability of an incident becoming fatal has been estimated, elsewhere, as 8.1%. The maximum tolerable risk has been set as 10⁻⁵ pa, thus the maximum tolerable incident rate is 10⁻⁵/8.1% = 1.2 × 10⁻⁴ pa (Gate G1).
The maximum tolerable failure rate for the product is therefore:

Gate G1/Gate G11 = 1.2 × 10⁻⁴ pa/0.119 = 1.01 × 10⁻³ pa.

This would imply a safety integrity target of SIL 2 (high demand).
Figure 13.3 Fault tree—with assistance from a carer.

13.5. Scenario Involving High Temperature Gas to a Vessel

In this example, gas is cooled before passing from a process to a vessel. The scenario involves loss of cooling, which causes high temperature in the vessel, resulting in subsequent rupture and ignition. This might well be a three-fatality scenario.
Supply profile permits the scenario (pilot alight): 100%
Probability that drum ruptures: 5%
Probability of persons in vicinity of site (pessimistically): 50%
Probability of ignition: 90%
Probability of fatality: 100%
Assuming a maximum tolerable risk of 10⁻⁵ pa, the maximum tolerable failure rate is 10⁻⁵ pa/(0.05 × 0.5 × 0.9) = 4.4 × 10⁻⁴ pa.
The scenario is modeled in Figure 13.4. Only Gate G22 (involving human intervention and totally independent equipment) is independent of the ESD (emergency shutdown system). If a PFD in the SIL 1 range (say 3 × 10⁻²) is assigned to Gate G22, then the target for the top event relaxes to 4.4 × 10⁻⁴ pa/3 × 10⁻² = 1.5 × 10⁻² pa, which is also SIL 1. Thus a SIL 1 target (low demand) is adequate for the ESD.
Assume that the frequency of the top event is 1.3 × 10⁻⁵ pa, which meets the target.

ALARP

The frequency of the top event maps to a risk of 1 × 10⁻⁵ × (1.3 × 10⁻⁵/4.4 × 10⁻⁴) = 3 × 10⁻⁷ pa and is thus in the ALARP region.
If a cost per life saved criterion of £4,000,000 is used, then the expenditure on any proposal which might reduce the risk to 10⁻⁷ pa (based on 10⁻⁶ pa but with 10 similar hazards) can be calculated (based on a 30-year plant life) as:
£4,000,000 = £ proposed/([3 × 10⁻⁷ − 1 × 10⁻⁷] × 3 deaths × 30 yrs)
Thus £ proposed = £72
Any proposal costing less than £72, which would reduce the risk to 10⁻⁷ pa, should be considered. It is unlikely that any significant risk reduction can be achieved for that capital sum.
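The arithmetic of Sections 13.2 to 13.5 is the same operation each time: divide the maximum tolerable risk by the conditional probabilities and the demand rate that sit between the safety function and a fatality, subtract any independent non-SIF contribution to the same mitigation gate, and read the result off the IEC 61508 bands. The following Python is an added example, not code from the handbook; the functions, the data values typed in from the text, and the band boundaries (the IEC 61508 low-demand PFD bands and high-demand per-hour rate bands, converted from per-annum at 8760 h/yr) are this example's own assumptions. It also shows what the text does not spell out: the ESD in Section 13.5 would need SIL 3 if Gate G22 gave no credit, and a human-error estimate larger than the whole risk budget in Section 13.2 leaves no achievable target at all.

```python
# Added example (not from the handbook): SIL targeting arithmetic for the
# fault-tree cases in Sections 13.2 to 13.5, with assumed IEC 61508 bands.
from math import prod

HOURS_PER_YEAR = 8760

# Low-demand mode: average PFD bands, (SIL, lower bound, upper bound).
LOW_DEMAND_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
# High-demand/continuous mode: dangerous failure rate per hour bands.
HIGH_DEMAND_BANDS = ((4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))


def sil_low_demand(pfd):
    """SIL band for a target PFD. 0 means no SIL claim is needed; None means
    the target is tighter than SIL 4 (or negative, i.e. the other layers
    already exhaust the risk budget) and the design itself must change."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in LOW_DEMAND_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def sil_high_demand(rate_pa):
    """SIL band for a target dangerous failure rate given per annum."""
    per_hour = rate_pa / HOURS_PER_YEAR
    if per_hour >= 1e-5:
        return 0
    for sil, lo, hi in HIGH_DEMAND_BANDS:
        if lo <= per_hour < hi:
            return sil
    return None


def max_tolerable_rate(max_tolerable_risk, modifiers=()):
    """Rate (pa) at which the hazardous event may occur, given the conditional
    probabilities (wind, occupancy, ignition, ...) between it and a fatality."""
    return max_tolerable_risk / prod(modifiers)


def target_pfd(max_tolerable_risk, demand_rate, modifiers=(), other_layer_pfd=0.0):
    """PFD the safety function must meet. A non-SIF contribution under the same
    OR gate (e.g. the human-error PFD HE2 in Section 13.2) is subtracted."""
    return max_tolerable_rate(max_tolerable_risk, modifiers) / demand_rate - other_layer_pfd


def intercom_pfd(he2=1e-2):
    """Section 13.2: G1 = 4.3e-4 pa, risk 1e-5 pa, HE2 in parallel with the intercom."""
    return target_pfd(1e-5, 4.3e-4, other_layer_pfd=he2)


def gas_cloud_pfd():
    """Section 13.3: the lower of the on-site and off-site targets governs."""
    on_site = target_pfd(1e-5, 1e-2, (3.3e-2, 1.0, 0.75, 0.8))
    off_site = target_pfd(1e-5, 1e-2, (0.97, 0.15, 1.0, 1.0, 0.20))
    return min(on_site, off_site)


def mixer_rate():
    """Section 13.4 (high demand): tolerable product failure rate in pa."""
    g11 = 0.99 * (0.1 * 0.2 + 0.1) + 0.01 * (0.1 * 0.2)  # carer fails to mitigate
    g1 = max_tolerable_rate(1e-5, (0.081,))              # incidents that become fatal
    return g1 / g11


def vessel_rate(g22_pfd=3e-2):
    """Section 13.5 (high demand): tolerable ESD failure rate in pa, after the
    credit taken for the independent Gate G22."""
    return max_tolerable_rate(1e-5, (1.0, 0.05, 0.5, 0.9, 1.0)) / g22_pfd


def achieved_risk(top_event_pa=1.3e-5):
    """Section 13.5 ALARP: scale the risk budget by achieved/tolerable rate."""
    return 1e-5 * top_event_pa / max_tolerable_rate(1e-5, (1.0, 0.05, 0.5, 0.9, 1.0))


def alarp_spend(current_risk_pa, improved_risk_pa, fatalities, plant_life_years,
                cost_per_life=4_000_000):
    """Cost-per-life-saved test: the justified spend in pounds."""
    return cost_per_life * (current_risk_pa - improved_risk_pa) * fatalities * plant_life_years


if __name__ == "__main__":
    print("13.2 intercom PFD", intercom_pfd(), "SIL", sil_low_demand(intercom_pfd()))
    print("13.3 gas cloud PFD", gas_cloud_pfd(), "SIL", sil_low_demand(gas_cloud_pfd()))
    print("13.4 mixer rate pa", mixer_rate(), "SIL", sil_high_demand(mixer_rate()))
    print("13.5 ESD rate pa", vessel_rate(), "SIL", sil_high_demand(vessel_rate()))
    print("13.5 ALARP spend £", alarp_spend(3e-7, 1e-7, 3, 30))
```

Running the module prints the same targets the text arrives at (SIL 1, SIL 1, SIL 2, SIL 1 and £72). Note that `sil_high_demand` converts a per-annum rate to per-hour before banding, which is the step most easily slipped when the text quotes everything in pa.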

13.6. LOPA Examples

13.6.1. Example using the LOPA Technique (1)

In Section 2.1.2 the LOPA (Levels of Protection Analysis) method was described. In this example, a Safety Integrity Level (SIL) assessment is conducted for a hydro-electric dam plant for the requirements of a Flood Gate Control System (FGCS). The required SIL is assessed for the control of the flood gates. These flood gates are required to prevent the dam from being overtopped when there is more water draining into the loch than the hydro turbines can use.
Figure 13.4 Fault tree—high temperature in vessel.
The major hazards identified are:
“Dam overtopping and a flood of water over ground that is used by ramblers” (Table 13.1) and
“Water surge down the river which could cause a hazard to fishermen standing in the river” (Table 13.2).
Assignment of SIL requirements: the objective is to review the specified hazards and provide a quantitative assessment of the levels of risk reduction required in addition to the existing controls.
Current controls: there is remote control from a central control room, via communication links, to an independent SIL 2 remote manual flood gate control system.
There is also an independent local control panel which will provide a local manual facility to open/close the gate.
The LOPA analysis is to determine the functional safety requirements for a local automatic flood control system.
SIL targeting: Table 13.3 summarizes the LOPA and the required PFD values and corresponding SILs for each hazard.
The assessment of whether the targets are met is carried out in Section 16.1.
The LOPA worksheets are presented below. Notice how the PFD, which determines the target SIL, is obtained in each worksheet from the ratio of the “Maximum tolerable risk” to the column called “Intermediate event likelihood” (actually a frequency).

13.6.2. Example using the LOPA Technique (2)

In this example, a LOPA is conducted using SIL Comp® software, for a gas suction scrubber designed to remove contaminants from gas prior to downstream separation processes (Figure 13.5).
The major hazard is identified below:
Low low level in gas suction scrubber resulted in gas blow-by into equipment in excess of design pressure leading to potential rupture and loss of containment with subsequent fire/explosion and single employee fatality.

Table 13.1

LOPA worksheet—dam overtopping.

Event (hazard) description: Dam overtopping due to gates failing to open on demand during a major storm (requiring the use of one gate), which spillways are unable to mitigate.
Consequence: Death of more than one person
Maximum tolerable risk (/yr): 1.00E-06
Initiating cause: Adverse weather
Initiating likelihood (/yr): 1 (storms severe enough to require the use of one gate occur once per year)
Vulnerability (e.g., probability of affectation, direction of release, wind): 1
IPLs:
General purpose design (e.g., additional mechanical safety margin): 1
Basic control system (BCS) (e.g., independent control system, alarms): 1
Additional control systems (independent of BCS): 1
Alarms (independent of BCS): 0.01 (various weather/river level warnings available to operator in central control room; other parts of river will be rising, providing extra warning. Credit based on analysis of communications, and operator training/experience)
Additional mitigation, access (e.g., usage, restricted access, occupancy, fences, avoidance): 0.2 (from surveys it is estimated that there is less than 20% probability that the general public will be in the area during the adverse weather conditions)
Additional mitigation, procedural (e.g., operator action, detection, inspections): 0.1 (local operator presence during storms; gates can be opened using mechanical winder or power assisted drive. If a mechanical failure of the gate has occurred, the operator could open a different gate)
Additional mitigation, physical (e.g., alternative physical protection, spillways, etc.): 1
Intermediate event likelihood (/yr): 2.00E-04
SIF requirement (PFD): 5.00E-03
SIF requirement (SIL): SIL 2


Table 13.2

LOPA worksheet—water surge.

Event (hazard) description: Water surge: gate opening spuriously causing a surge of water which could drown multiple fishermen
Consequence: Death of more than one person
Maximum tolerable risk (/yr): 1.00E-06

Initiating cause 1: Output relay/contactor circuit fails closed
Initiating likelihood (/yr): 1.00E-02 (failure rate of armature relay, 30% dangerous contact S/C)
Vulnerability (e.g., probability of affectation, direction of release, wind): 1
IPLs:
General purpose design (e.g., additional mechanical safety margin): 1
Basic control system (BCS) (e.g., independent control system, alarms): 0.01 (SIL 2 assessed)
Additional control systems (independent of BCS): 1
Alarms (independent of BCS): 1
Additional mitigation, access (e.g., usage, restricted access, occupancy, fences, avoidance): 0.2 (fishing season lasts for 8 months per year; fishing 15 hrs per day; estimated fishing takes place 50% of possible time)
Additional mitigation, procedural (e.g., operator action, detection, inspections): 1
Additional mitigation, physical (e.g., alternative physical protection, spillways, etc.): 1
Intermediate event likelihood (/yr): 2.1E-05

Initiating cause 2: Flood gate control PLC fails to danger, causing a gate to open at double speed
Initiating likelihood (/yr): 2.00E-03 (rate at which either FG PLC energizes the output contactor or open relay spuriously, and thus causes a gate to open at double speed)
Vulnerability: 1
IPLs: general purpose design 1; basic control system 1; additional control systems 1; alarms 1; additional mitigation, access 0.2 (fishing season lasts for 8 months per year; fishing 15 hrs per day; estimated fishing takes place 50% of possible time); additional mitigation, procedural 1; additional mitigation, physical 1
Intermediate event likelihood (/yr): 4.2E-04

Total intermediate event likelihood (/yr): 4.4E-04
SIF requirement (PFD): 2.3E-03
SIF requirement (SIL): SIL 2


Table 13.3

Summary of the LOPA.

Event (hazard) description: Dam overtopping due to gates failing to open on demand during a major storm (requiring the use of one gate), which spillways are unable to mitigate
Consequence: Death of more than one person
Safety Instrumented Function (SIF) requirement (PFD): 5.0 × 10⁻³
SIF requirement (SIL): SIL 2
SIF description: PLC to provide independent automatic control of flood gates to open gates when there are flood conditions

Event (hazard) description: Water surge: gates open spuriously causing a surge of water which could drown multiple fishermen
Consequence: Death of more than one person
Safety Instrumented Function (SIF) requirement (PFD): 2.3 × 10⁻³
SIF requirement (SIL): SIL 2
SIF description: Watchdog to monitor the gate drive outputs from the PLC and if required disable outputs


Figure 13.5 Gas suction scrubber.
Assignment of SIL requirements: the objective is to review the specified hazard and provide a quantitative assessment of the levels of risk reduction required in addition to the existing controls.
Current controls: there is a pipeline relief valve (RV-4010) which is sized for gas breakthrough in clean service and is regularly tested.
The LOPA analysis is to determine the functional safety requirements for a gas suction scrubber.
SIL targeting: Table 13.4 summarizes the LOPA and the required PFD values and corresponding SILs for each hazard.
The LOPA worksheet is presented below. Notice how the PFD, which determines the target SIL, is obtained in the worksheet from the ratio of the “Target Risk Frequency” to the “Total Mitigated Event Frequency (MEF)”. “IEF” is the “Initiating Event Frequency” and “IPL” is the “Independent Layer of Protection.”

Table 13.4

Summary of the LOPA for example 2.

PHA ID: 2
SIF Tag/ID: 2-1
SIF description: Detection of low low level by LT-4011 initiates an emergency shutdown and valve SDY-4012 closes to prevent high pressure gas flow to downstream equipment.
Hazardous event (deviation): Low low level in gas suction scrubber resulting in gas blow-by into equipment in excess of design pressure leading to potential rupture and loss of containment with subsequent fire/explosion and single employee fatality.
Notes: (none)

LOPA summary
Category: Safety; target risk frequency (/yr): 1.0E-5; consequence: 1–2 fatalities; total MEF (/yr): 5.0E-3; PFD target: 2.0E-3; SIL target: SIL 2
Category: Environmental; target risk frequency (/yr): 1.0E-3; consequence: major release onsite; total MEF (/yr): 2.0E-2; PFD target: 5.0E-2; SIL target: SIL 1
Category: Financial; target risk frequency (/yr): 1.0E-4; consequence: between $100k and $1 MM; total MEF (/yr): 2.0E-2; PFD target: 5.0E-3; SIL target: SIL 2
Selected SIL target: SIL 2


Initiating events
Ref. 1: Control system failure: LT-4011 causes valve SDY-4012 to fail open. IEF (/yr): 1.0E-1 (data from LOPA rule set compared with site data and experience).
Safety: IPL A applied (Y); conditional modifier B applied (Y); MEF (/yr): 2.5E-3
Environmental: IPL A applied (Y); MEF (/yr): 1.0E-2
Financial: IPL A applied (Y); MEF (/yr): 1.0E-2
Ref. 2: Manual valve V-4017 left open after maintenance. IEF (/yr): 1.0E-1 (data from LOPA rule set compared with site data and experience).
Safety: IPL A applied (Y); conditional modifier B applied (Y); MEF (/yr): 2.5E-3
Environmental: IPL A applied (Y); MEF (/yr): 1.0E-2
Financial: IPL A applied (Y); MEF (/yr): 1.0E-2


Independent protection layers/conditional modifiers
Ref. A; type: Mechanical; tag: RV-4010; description: pipeline relief valve sized for gas breakthrough in clean service and regularly tested; credit (General): 1.0E-1
Ref. B; type: Occupancy; description: general occupancy of the site is 25%; credit (Safety): 2.5E-1
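Both worksheets above, and the SIL Comp summary for the scrubber, follow one rule: each initiating event's frequency is multiplied by the PFD credits of the independent layers and by the conditional modifiers that apply to it, the results are summed across initiating causes, and the SIF's target PFD is the target risk frequency divided by that total. The following Python is an added example, not code from the handbook and not the SIL Comp® tool; the class and function names are this example's own, and the IEC 61508 low-demand band boundaries it uses are assumed. It reproduces Tables 13.1, 13.2 and 13.4 from the figures in the worksheets, including the scrubber case where the same SIF is assessed against three risk categories and the most onerous SIL is selected.

```python
# Added example (not from the handbook or SIL Comp): a small LOPA worksheet
# calculator reproducing Tables 13.1, 13.2 and 13.4. Names are this example's own.
from dataclasses import dataclass, field
from math import prod


@dataclass
class InitiatingEvent:
    cause: str
    ief: float                                     # initiating event frequency (/yr)
    ipls: dict = field(default_factory=dict)       # IPL name -> PFD credit claimed
    modifiers: dict = field(default_factory=dict)  # conditional modifier -> probability

    def mef(self):
        """Mitigated (intermediate) event frequency: IEF x IPL credits x modifiers.
        Only layers independent of the initiating cause may be listed here."""
        return self.ief * prod(self.ipls.values()) * prod(self.modifiers.values())


def sil_for_pfd(pfd):
    """Assumed IEC 61508 low-demand band: 0 = no SIL needed, None = beyond SIL 4."""
    if pfd >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil
    return None


def lopa(target_risk, events):
    """Total MEF over all initiating causes, the PFD the SIF must provide so the
    residual frequency meets the target, and the resulting SIL."""
    total_mef = sum(e.mef() for e in events)
    pfd = target_risk / total_mef
    return total_mef, pfd, sil_for_pfd(pfd)


def dam_overtopping():
    """Table 13.1: one initiating cause, two IPL credits, one occupancy modifier."""
    storm = InitiatingEvent("Adverse weather", 1.0,
                            {"independent alarms": 0.01, "local operator": 0.1},
                            {"public in area": 0.2})
    return lopa(1e-6, [storm])


def water_surge():
    """Table 13.2: two initiating causes whose intermediate frequencies are summed."""
    relay = InitiatingEvent("Output relay/contactor fails closed", 1.0e-2,
                            {"SIL 2 remote manual control": 0.01},
                            {"fishermen present": 0.2})
    plc = InitiatingEvent("FG PLC fails to danger", 2.0e-3, {}, {"fishermen present": 0.2})
    return lopa(1e-6, [relay, plc])


def scrubber():
    """Table 13.4: one SIF assessed for safety, environmental and financial risk;
    the occupancy modifier B applies to the safety category only."""
    ipls = {"RV-4010 relief valve": 0.1}
    results = {}
    for category, target, mods in (("Safety", 1e-5, {"occupancy": 0.25}),
                                   ("Environmental", 1e-3, {}),
                                   ("Financial", 1e-4, {})):
        events = [InitiatingEvent("LT-4011 control failure", 0.1, ipls, mods),
                  InitiatingEvent("V-4017 left open", 0.1, ipls, mods)]
        results[category] = lopa(target, events)
    selected = max(r[2] for r in results.values())
    return results, selected


if __name__ == "__main__":
    print("Table 13.1 (MEF, PFD, SIL):", dam_overtopping())
    print("Table 13.2 (MEF, PFD, SIL):", water_surge())
    results, selected = scrubber()
    for category, (mef, pfd, sil) in results.items():
        print(f"Table 13.4 {category}: MEF {mef:.1e} PFD {pfd:.1e} SIL {sil}")
    print("Selected SIL target:", selected)
```

The summed total for Table 13.2 comes out at 4.2E-04 from the rounded figures typed in, against the 4.4E-04 printed in the worksheet; the resulting PFD still lands in the SIL 2 band, which is the point of checking the arithmetic rather than trusting the tool's rounding.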

