SOME PRACTICAL CONSIDERATIONS WHEN APPLYING IEC-61508

SIPI workshop, February 2003

Erik Dom, Nero Engineering

INTRODUCTION

The IEC-61508 standard has now been around for a while, and after the euphoric reactions of the first years many companies are now applying it in practice, or at least they are trying. Being a general standard, it does not offer too many worked-out details, especially for the first 5 steps of the lifecycle model, where reference is made to other standards or current evaluation methods. For an "IEC" standard, it was even surprising to see these steps covered.

Being involved with the standard since 1997, I have tried out different ways to apply it myself, and as a consultant I have seen many different approaches. Even amongst "specialists" opinions differ, and in recent years the standard has opened new commercial possibilities for companies that are now offering safety management tools, in some cases covering the whole lifecycle of the standard.

For this short presentation I have picked out some items of the lifecycle, but similar remarks or discussion points could be made for the other steps.

IEC-61508 LIFECYCLE MODEL

[Figure: the overall safety lifecycle of IEC 61508-1, with the phases numbered as follows.]

1 Concept
2 Overall scope definition
3 Hazard and risk analysis
4 Overall safety requirements
5 Safety requirements allocation
Overall planning:
  6 Overall operation and maintenance planning
  7 Overall safety validation planning
  8 Overall installation and commissioning planning
Realisation:
  9 Safety-related systems: E/E/PES (see E/E/PES safety lifecycle)
  10 Safety-related systems: other technologies
  11 External risk reduction facilities
12 Overall installation and commissioning
13 Overall safety validation
14 Overall operation, maintenance and repair
15 Overall modification and retrofit (back to the appropriate overall safety lifecycle phase)
16 Decommissioning or disposal

THE DIN 19250 RISK GRAPH

- Shown as an example in IEC 61508
- Applied in several companies, often in a different way

Discussion points:
- Definition of the probability of the unwanted occurrence (W)
- Interpretation of the unwanted OCCURRENCE
- Calibration of the risk graph
- Interpretation of "a" ("SIL 0")

RISK GRAPH

[Figure: the DIN 19250 risk graph as reproduced in IEC 61508. From the starting point for risk reduction estimation the path runs through C (C1 to C4), then F (F1, F2), then P (P1, P2); the row reached is read off against the W column.]

Output of the graph, by W column (one row per line of the graph, top to bottom):
  W3: a b c d e f g h
  W2: - a b c d e f g
  W1: - - a b c d e f

C = Consequence risk parameter
F = Frequency and exposure time risk parameter
P = Possibility of avoiding hazard risk parameter
W = Probability of the unwanted occurrence
a, b, c ... h = Estimates of the required risk reduction for the SRSs

a, b, c, d, e, f, g, h represent the necessary minimum risk reduction. The link between the necessary minimum risk reduction and the safety integrity level is shown in the table.

Necessary minimum risk reduction | Safety integrity level
-                                | No safety requirements
a                                | No special safety requirements
b, c                             | 1
d                                | 2
e, f                             | 3
g                                | 4
h                                | An E/E/PE SRS is not sufficient

PROBABILITY OF UNWANTED OCCURRENCE

The standard says:
- W1 (LOW): A very slight probability ... only a few are likely.
- W2: A slight probability ... few are likely.
- W3 (HIGH): A relatively high probability ... frequent are likely.

How is this currently interpreted by users?

Interpretation 1 (frequency per year)

- W1: < 10^-4/yr
- W2: between 10^-4/yr and 10^-2/yr
- W3: > 10^-2/yr

Interpretation 2 (number of independent failures)

- W1: 3 different independent failures are required for the occurrence to happen
- W2: 2 different independent failures are required for the occurrence to happen
- W3: 1 failure is sufficient for the occurrence to happen

Interpretation 3

- W2 is the "normal" probability for an event; arguments are required to pass from W2 to W3 or W1

Interpretation 4 (demand rate per year)

- W1: less than 0.03 times per year
- W2: between 0.03 and 0.3 times per year
- W3: between 0.3 and 3 times per year

- Used in IEC-61511 for the calibrated matrix
- Very different from interpretation 1: the same event rate lands in a lower W class, so the risk graph gives a letter further down the column
- Leads to much lower SIL levels
- Probability is replaced by "demand rate"
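The column shift of the risk graph and the two frequency calibrations above, as an added worked example in Python (not part of the original presentation). It assumes that the row of the risk graph reached through the C/F/P path is given as an index 1 to 8 (the C/F/P path itself is not modelled), reads the W3 column as a..h with W2 and W1 shifted one and two letters down as on the risk graph slide, and maps letters to SILs with that slide's table. The row number and event rate used at the bottom are a constructed case.

```python
# Added example (not from the presentation): how the W class chosen by two
# different calibrations changes the SIL read off the DIN 19250 risk graph.
# Assumption: the row reached through the C/F/P path is given as an index 1..8;
# the C/F/P path itself is not modelled here.

RISK_REDUCTION_LETTERS = "abcdefgh"   # W3 column, rows 1..8

# Letter -> SIL, from the table on the risk graph slide.
LETTER_TO_SIL = {
    "-": "no safety requirements",
    "a": "no special safety requirements",
    "b": "SIL 1", "c": "SIL 1",
    "d": "SIL 2",
    "e": "SIL 3", "f": "SIL 3",
    "g": "SIL 4",
    "h": "E/E/PE SRS not sufficient",
}

# Each step from W3 to W2 to W1 moves the result one letter down.
W_SHIFT = {"W3": 0, "W2": 1, "W1": 2}


def risk_graph_output(row: int, w_class: str) -> str:
    """Required risk-reduction letter for graph row 1..8 and W class W1..W3."""
    if not 1 <= row <= 8:
        raise ValueError("row must be 1..8")
    idx = row - 1 - W_SHIFT[w_class]
    return RISK_REDUCTION_LETTERS[idx] if idx >= 0 else "-"


def w_class_interpretation_1(rate_per_year: float) -> str:
    """Interpretation 1: W1 below 1e-4/yr, W2 between 1e-4 and 1e-2/yr, W3 above 1e-2/yr."""
    if rate_per_year < 1e-4:
        return "W1"
    if rate_per_year <= 1e-2:
        return "W2"
    return "W3"


def w_class_interpretation_4(rate_per_year: float) -> str:
    """Interpretation 4 (IEC 61511 calibrated matrix, demand rate):
    W1 below 0.03/yr, W2 0.03..0.3/yr, W3 0.3..3/yr."""
    if rate_per_year < 0.03:
        return "W1"
    if rate_per_year < 0.3:
        return "W2"
    if rate_per_year <= 3:
        return "W3"
    raise ValueError("demand rate above 3/yr lies outside the calibrated matrix")


def compare_interpretations(row: int, rate_per_year: float) -> dict:
    """(W class, letter, SIL) reached for one row and one event rate under both calibrations."""
    result = {}
    for name, classify in (("interpretation 1", w_class_interpretation_1),
                           ("interpretation 4", w_class_interpretation_4)):
        w = classify(rate_per_year)
        letter = risk_graph_output(row, w)
        result[name] = (w, letter, LETTER_TO_SIL[letter])
    return result


if __name__ == "__main__":
    # Constructed case: graph row 5 (an assumption) and an event rate of 0.02/yr.
    for name, (w, letter, sil) in compare_interpretations(5, 0.02).items():
        print(f"{name}: {w} -> {letter} -> {sil}")
```

With an event rate of 0.02 per year, interpretation 1 puts the event in W3 and interpretation 4 in W1: the same row of the graph reads e (SIL 3) in one case and c (SIL 1) in the other, which is the "much lower SIL levels" effect noted on the slide. Whichever calibration a company adopts has to be written into the SIL assessment, since the result cannot be reproduced or audited without it.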

INTERPRETATION OF THE "DEFINITION OF UNWANTED OCCURRENCE"

Case: overpressure in a vessel containing flammable liquids, leading to mechanical rupture of the vessel, release of product and finally a fire or an explosion with serious injury.

Problems when defining the unwanted occurrence:
- It is very difficult to predict the final effect of a cloud (impossible to define during a "SIL" meeting); this has a major impact on the C factor.
- The case contains different events (rupture -> release -> explosion -> injury), where only the last event can be treated with the risk matrix (without injury, C1 is always applicable). Releases are also considered major risks by the authorities, but they cannot be covered by the risk graph.
- Probabilities are often applied to other events than the one defined (e.g. an explosion is defined as the unwanted occurrence, while the probability of the overpressure is used for W). This has a conservative effect on the result.

PRINCIPLE OF RISK REDUCTION AND RESIDUAL RISK

[Figure: a risk scale with increasing risk from left to right, showing the residual risk, the tolerable risk and the EUC risk. The necessary risk reduction is the distance between the EUC risk and the tolerable risk. The actual risk reduction is the risk reduction obtained by all protection layers together: the partial risk covered by the SIS, the partial risk covered by other protection layers, and the partial risk covered by other non-SIS prevention/mitigation protection layers. A second scale shows the same residual risk and EUC risk marked with question marks.]

The risk reduction required by the risk graph is known (a factor 10, 100, 1000), but since the calibration is not known, what is the absolute value of the EUC risk and of the residual risk???

INTERPRETATION OF SIL "a"

Definition = "NO SPECIAL SAFETY REQUIREMENTS"

- Means that the required risk reduction lies between 1 and 10
- Mostly interpreted as: the function can be installed in the DCS
- Most companies do not define the EUC, so it is not clear whether additional risk reduction is required (see example)

[Figure: EUC example]

CONCLUSION

- Use of the risk graph can be emotional/subjective
- Not suited for complex issues: one risk graph evaluation is often used for hazards with many different initiating events/scenarios
- The EUC is rarely defined, leading to a mix-up of control and safety
- Many interpretations are possible (W and P factors)
- What is the residual risk?
- Depends heavily on the experience of the hazard team
- Results can easily be "manipulated" in view of the required result
- SIL "a" is often not considered
- The environmental graph (not shown in this presentation) is very severe and leads to high SILs compared with human injury
- The definition of demand rate (IEC-61511) is confusing

THE ROLE OF PRESSURE RELIEF VALVES IN SIS

Should these be taken into account? If so, what SIL level is to be assigned?

- Vendor data is not available:
  - Valves are used in many different applications, so general reliability data cannot be given by vendors
  - Feedback from customers is not available, since maintenance/repair is done by specialized shops or by the customer itself
- Depends strongly on the application:
  - Clean or dirty/aggressive products
  - Outlet to a safe area (confined) or to atmosphere
  - Rupture disc installed (is the pressure between disc and valve monitored?)
- Testing frequency and method?
  - How to define the test interval?
  - The test method verifies only a limited number of possible errors (setting). Calculation errors and installation problems are not verified....

A POSSIBLE APPROACH FOR SAFETY VALVES

[Figure: decision tree.] Starting point: a SIL 3 high-pressure risk, allocated to the SIS and the PSV together.

Clean service, relieving to a confined area?
- YES: SIL 2 allocated to the PSV, SIL 1 allocated to the SIS
- NO: no SIL allocated to the PSV, SIL 3 allocated to the SIS

SIL OVERALL = SIL PSV + SIL SIF

(Adding SIL numbers corresponds to multiplying the risk reduction factors, e.g. 10^2 x 10^1 = 10^3. This only holds if the PSV and the SIF are independent and have no common cause of failure; otherwise the combined risk reduction is lower than the sum suggests.)

EMERGENCY HANDSWITCHES IN THE PROCESS INDUSTRY

Example: emergency stops to isolate plant areas in case of fire, leakage or explosion.

- To be treated according to IEC (test intervals, calculations, ...)?
- Activated by human action, and mitigating
- Do they belong in the SIS?
- Are these the same as the handswitches in the Machinery Directive?

ALTERNATIVES FOR THE RISK MATRIX

- LOPA (Layers Of Protection Analysis)
- EVENT/FAULT TREE ANALYSIS

Suitability of the methods:

               | Risk graph or other qualitative method | LOPA | Rough estimate with event tree | Event tree / fault tree / HRA | Quantified FMEA
Simple issues  | GOOD                                   | GOOD | GOOD                           | EXCESSIVE                     | EXCESSIVE
Complex issues | POOR                                   | POOR | FAIR                           | FAIR                          | GOOD

WHAT IS LOPA?

- A simplified form of risk assessment
- Verifies whether sufficient layers of protection are present
- Limited to evaluating a single cause-consequence pair as scenario
- Typically represents one path (worst case) through an event tree

CONCEPT OF LAYERS OF PROTECTION ACCORDING TO IEC-61511-1

[Figure: protection layers, from the inside outwards.]

- Process design
- Basic process control system, monitoring systems (process alarms), operator supervision
- PREVENTION:
  - Mechanical protection system
  - Process alarms, operator supervision
  - Safety instrumented system
- MITIGATION:
  - Mechanical mitigation systems
  - Safety instrumented control systems, safety instrumented mitigation systems
- Plant emergency response
- Community response

AN EXAMPLE OF LOPA

Description                                      | Probability | Frequency (per year)
-------------------------------------------------+-------------+---------------------
Consequence: serious fire / fatal injury         |             |
Risk tolerance criteria:                         |             |
  Maximum tolerable frequency for serious fire   |             | < 1 x 10^-4
  Maximum tolerable frequency for fatal injury   |             | < 1 x 10^-5
Initiating event: failure of DCS                 |             | 1 x 10^-1
Enabling event                                   | N/A         |
Conditional modifiers:                           |             |
  Probability of ignition                        | 0.1         |
  Probability of personnel in affected area      | 0.1         |
  Probability of fatal injury                    | 0.5         |
  Others                                         | N/A         |
Frequency of unmitigated consequence             |             | 5 x 10^-4
Independent protection layers:                   |             |
  SIF (not yet existing, to be added)            | 1 x 10^-2   |
  Human action upon DCS alarm cannot be taken into account, since DCS failure is the initiating event!
Total PFD for all IPLs                           | 1 x 10^-2   |
Frequency of mitigated consequence               |             | 5 x 10^-6
Actions required to meet the required risk reduction: install a SIF with a PFD of 1 x 10^-2
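The arithmetic of the table above, as an added worked example in Python (not code from the presentation). The scenario figures are the slide's; the dependency tags (the operator action is marked as relying on the "DCS"), the placeholder PFD of 0.1 for that operator action, the SIL band function and all names are assumptions added for illustration. The point it adds to the table is the independence check: an IPL that relies on the system whose failure starts the scenario is refused credit automatically, rather than by a remark in a footnote.

```python
# Added example (not from the presentation): the LOPA arithmetic of the slide
# above, with a rule that refuses credit for any IPL that depends on the system
# whose failure is the initiating event. Scenario figures are the slide's; the
# dependency tags ("DCS"), the operator PFD of 0.1 and the SIL band function
# are assumptions added for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class IPL:
    name: str
    pfd: float                                          # probability of failure on demand
    depends_on: Set[str] = field(default_factory=set)   # systems this layer relies on


@dataclass
class Scenario:
    initiating_event: str
    initiating_system: str                   # system whose failure initiates the scenario
    ie_frequency: float                      # per year
    conditional_modifiers: Dict[str, float]  # name -> probability
    ipls: List[IPL]
    target_frequency: float                  # maximum tolerable frequency, per year


def unmitigated_frequency(s: Scenario) -> float:
    """Initiating event frequency times all conditional modifiers."""
    f = s.ie_frequency
    for p in s.conditional_modifiers.values():
        f *= p
    return f


def creditable_ipls(s: Scenario) -> List[IPL]:
    """Drop every IPL that relies on the system whose failure is the initiating event."""
    return [ipl for ipl in s.ipls if s.initiating_system not in ipl.depends_on]


def mitigated_frequency(s: Scenario) -> float:
    """Unmitigated frequency times the PFD of every IPL that may be credited."""
    f = unmitigated_frequency(s)
    for ipl in creditable_ipls(s):
        f *= ipl.pfd
    return f


def required_new_pfd(s: Scenario) -> Optional[float]:
    """PFD an additional SIF must reach to meet the target; None if already met."""
    f = mitigated_frequency(s)
    return None if f <= s.target_frequency else s.target_frequency / f


def sil_band(pfd: float) -> int:
    """IEC 61508 low-demand PFDavg bands, SIL 1 (1e-2..1e-1) to SIL 4 (1e-5..1e-4)."""
    for sil, (low, high) in ((4, (1e-5, 1e-4)), (3, (1e-4, 1e-3)),
                             (2, (1e-3, 1e-2)), (1, (1e-2, 1e-1))):
        if low <= pfd < high:
            return sil
    raise ValueError("PFD outside the SIL 1..4 bands")


def with_sif(s: Scenario, pfd: float) -> Scenario:
    """Copy of the scenario with a new, independent SIF added as an IPL."""
    return Scenario(s.initiating_event, s.initiating_system, s.ie_frequency,
                    dict(s.conditional_modifiers),
                    s.ipls + [IPL("new SIF", pfd)], s.target_frequency)


# The slide's scenario. The operator response to a DCS alarm is listed only so
# that creditable_ipls() can be seen rejecting it; its PFD is a placeholder.
SLIDE_SCENARIO = Scenario(
    initiating_event="failure of DCS",
    initiating_system="DCS",
    ie_frequency=1e-1,
    conditional_modifiers={"ignition": 0.1, "personnel in affected area": 0.1,
                           "fatal injury": 0.5},
    ipls=[IPL("human action upon DCS alarm", pfd=0.1, depends_on={"DCS"})],
    target_frequency=1e-5,
)

if __name__ == "__main__":
    s = SLIDE_SCENARIO
    print("unmitigated:", unmitigated_frequency(s), "/yr")
    print("credited IPLs:", [i.name for i in creditable_ipls(s)])
    print("PFD needed from a new SIF:", required_new_pfd(s))
    s2 = with_sif(s, 1e-2)
    print("mitigated with SIF:", mitigated_frequency(s2), "/yr,",
          "target met:", required_new_pfd(s2) is None)
```

Without any creditable layer the scenario sits at 5 x 10^-4/yr, so a new SIF needs a PFD of at most 0.02 to reach the 10^-5 target; the slide's choice of 1 x 10^-2 meets it with margin and gives the 5 x 10^-6 mitigated frequency. Note that a PFD of exactly 1 x 10^-2 is the top of the SIL 1 band in the IEC 61508 low-demand table (SIL 2 requires a PFD below 10^-2), so a function specified this way is a SIL 1 function unless the target is tightened.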

ANOTHER WAY OF REPRESENTING LOPA

[Figure: event tree.] Initiating event: overpressure, 10^-1/yr. Each node branches into success (0.9) and failure (0.1):

- PAH alarm
  - success (0.9): operator response
    - success (0.9): 1. No release of material, 8 x 10^-2/yr
    - failure (0.1): protection layer 1, PSV
      - success (0.9): 2. Release from PSV to flare, 8 x 10^-3/yr
      - failure (0.1): 3. Release to atmosphere, 9 x 10^-4/yr
  - failure (0.1): protection layer 1, PSV
    - success (0.9): 4. Release from PSV to flare, 9 x 10^-3/yr
    - failure (0.1): 5. Release to atmosphere, 1 x 10^-3/yr
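The event tree above, evaluated branch by branch, and its collapse into the LOPA form of the previous slide, as an added example in Python (not code from the presentation). The initiating frequency, the tree structure and the branch probabilities are the slide's; the outcome labels, function names and the sensitivity case at the end are this example's own.

```python
# Added example (not from the presentation): the event tree on the slide above,
# evaluated branch by branch, and the same tree folded into the LOPA form of the
# previous slide. Frequencies and branch probabilities are the slide's; outcome
# labels and function names are this example's.

OVERPRESSURE_FREQ = 0.1   # initiating event, per year
P_ALARM_OK = 0.9          # PAH alarm works
P_OPERATOR_OK = 0.9       # operator responds to the alarm
P_PSV_OK = 0.9            # PSV opens and relieves to flare


def evaluate_event_tree(f_init=OVERPRESSURE_FREQ, p_alarm=P_ALARM_OK,
                        p_operator=P_OPERATOR_OK, p_psv=P_PSV_OK):
    """Return {outcome: frequency per year} for every path through the tree.

    Path structure from the slide: overpressure -> PAH alarm -> operator
    response (only reached if the alarm worked) -> PSV (reached whenever the
    alarm/operator layer did not stop the overpressure).
    """
    outcomes = {}
    # Alarm works and the operator responds: the upset is caught.
    outcomes["1 no release of material"] = f_init * p_alarm * p_operator
    # Alarm works, operator fails: the PSV decides.
    f = f_init * p_alarm * (1 - p_operator)
    outcomes["2 release from PSV to flare"] = f * p_psv
    outcomes["3 release to atmosphere"] = f * (1 - p_psv)
    # Alarm fails: the operator never gets a chance; the PSV decides.
    f = f_init * (1 - p_alarm)
    outcomes["4 release from PSV to flare"] = f * p_psv
    outcomes["5 release to atmosphere"] = f * (1 - p_psv)
    return outcomes


def frequency_of(outcomes, keyword):
    """Sum of the frequencies of all outcomes whose label contains keyword."""
    return sum(v for k, v in outcomes.items() if keyword in k)


def lopa_equivalent(f_init=OVERPRESSURE_FREQ, p_alarm=P_ALARM_OK,
                    p_operator=P_OPERATOR_OK, p_psv=P_PSV_OK):
    """LOPA view of the same tree: alarm plus operator as one IPL, PSV as a second.

    The alarm/operator layer only succeeds if both work, so its PFD is
    1 - p_alarm * p_operator. The product equals the tree's total frequency
    of release to atmosphere (outcomes 3 and 5 together).
    """
    pfd_alarm_operator = 1 - p_alarm * p_operator
    pfd_psv = 1 - p_psv
    return f_init * pfd_alarm_operator * pfd_psv


if __name__ == "__main__":
    tree = evaluate_event_tree()
    for label, freq in tree.items():
        print(f"{label}: {freq:.1e}/yr")
    print(f"total release to atmosphere: {frequency_of(tree, 'atmosphere'):.1e}/yr")
    print(f"LOPA equivalent: {lopa_equivalent():.1e}/yr")
    # Sensitivity: an operator who responds correctly only half of the time.
    weak = evaluate_event_tree(p_operator=0.5)
    print(f"operator 0.5 -> release to atmosphere: {frequency_of(weak, 'atmosphere'):.1e}/yr")
```

The branch frequencies reproduce the slide (outcome 2 is 8.1 x 10^-3, which the slide rounds to 8 x 10^-3). Summing the two atmospheric-release leaves gives 1.9 x 10^-3/yr, and the LOPA product with the alarm-plus-operator layer credited as a single IPL of PFD 0.19 gives exactly the same figure: the event tree and the LOPA table are the same calculation laid out differently, and the tree only adds value when the intermediate outcomes (flare load, partial releases) matter in their own right.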

WHEN CAN LOPA BE USED?

- Typically after a qualitative hazard evaluation
- When the consequences are too severe to rely on qualitative methods only
- When a scenario is too complex to use a qualitative method, or when the hazard evaluation team does not fully understand:
  - the initiating events
  - the sequence of events
  - the role of the different IPLs (Independent Protection Layers)
- As a screening tool before quantitative methods
- To verify the sufficiency of IPLs
- Always applied to one scenario at a time

Never to replace quantitative risk analysis!

RELIABILITY DATA FOR SIL CALCULATIONS

- OREDA
- Vendor data (uncertified)
- Certified vendor data
- MIL (for electric/electronic components)
- Commercial databases
- Owner's database

OFTEN CONTRADICTORY!

OREDA

- Conservative (?)
- Details of the types of failure are available (but not of the type of application)
- Some populations are (too) small (e.g. temperature)
- Instruments are not specified in detail


UNCERTIFIED VENDOR DATA

- Based on theoretical calculations
- Based on lab tests
- Based on feedback from customers
- Initial values are often adapted after a few years of use: use with caution!

CERTIFIED VENDOR DATA

- Few available
- Sometimes the required information is missing
- Should be interpreted with care: the reliability data and details are only valid under certain conditions
- Example of a certificate for a temperature transmitter (figure not reproduced here)

COMMERCIAL DATABASES

- Some very expensive (purchase + support)
- What is the basis of the reliability data?
- Sometimes with an integrated safety management system
- Not very flexible
- Some "over-optimistic"; some values are very different from OREDA
- Some allow picking data depending on the application (aggressive or dirty fluids, ...)

OWNER'S DATABASE

- Requires some internal organization
- Takes years before the data are representative
- Impossible for smaller companies with a small installed base
- Why not in a Belgian or European context?

WORKING WITH STANDARD SIS LOOPS

- A conservative approach is required, which is not the most economical way
- Difficult to cover all the different applications
- Design and components must be fixed, since small deviations may lead to an important deterioration of the PFDs (barriers, sensors, ...)