SIL RATED SYSTEMS THROUGH LIFECYCLE (final updated)
FACILITY LIFECYCLE
(SHORT COURSE)
BWO Singapore
June 2024
Leading the Way | Your partners in Risk, Safety, Environmental Engineering & Management
AGENDA
1. VRSA Company introduction
2. Safety Moment
3. General Overview
4. HAZOP and SIL in Lifecycle
5. Why having SIL Assessment?
6. SIL Assessment by LOPA Methodology Brief/Specific Rule Sets
7. SIL Verification and Validation
8. Safety Instrumented Functions (SIF) Assurance Through Lifecycle
9. Functional Safety Assessment in Operation
10. Conclusions & Discussions
Course Presenters:
Zoran Sekulic, Principal Consultant
Aliff Sohaimi, Senior Risk & Safety Engineer
VRSA COMPANY INTRODUCTION
VANGUARD – ABOUT US
Vanguard Risk & Safety Asia, based in Singapore, is an affiliated company of Vanguard Solutions Group.
• Vanguard Solutions Group has other offices in Perth and Dubai. Specialists in HSE Systems Design, Process
Safety & Risk Management, focusing on the Oil & Gas Industry.
Services include:
• Safety Engineering & Risk Management
• HSE Studies, Assessments and Safety Cases
• Reliability & Maintainability Studies
• HSE MS, Process Safety & Risk Assessment Training Courses
• Outsourcing of Specialist Personnel (Secondments)
• Presenter – Zoran Sekulic
• Over 40 years of professional experience in process safety/risk management and design, specialising in
Safety, Risk, Loss Prevention and Process Design for the Chemical Process Industry.
• Facilitated 130+ HAZID/HAZOP/SIL studies since 1992 (trained by ICI Engineering Risk Management).
Chaired HAZID/HAZOP/SIL/ALARP studies for a number of major projects and FPSOs (White Rose, PSVM, Glen
Lyon, Kracken, TEN, MV-18/24/26, Woodside GED, Ichthys, Bacalhau, Opal, etc.) and other O&G facilities.
SAFETY MOMENT
16 July 2024
INSTRUMENTATION IN DESIGN (INCIDENTS DO HAPPEN)?
What is the common factor in the incidents below?
1. Milford Haven (UK)
• Activation of the pressure relief system – no high-pressure trip
2. Texas City (USA)
• During the start-up, operations personnel pumped flammable liquid hydrocarbons into the tower for over three hours
• Critical alarms and control instrumentation provided false indications that failed to alert the operators of the high level in the tower

Safety incidents occur during every phase of operations: start-up, shutdown, process upsets and malfunctions, maintenance activities (e.g. cleaning), product transfer and handling (e.g. loading/unloading equipment), and emergency response activities (e.g. firefighting).

Process Safety Incident Management Practices
1. Understanding/recognising hidden hazards
PHA techniques (HAZID/Bow-tie, HAZOP, SIL Assessment, etc.)
2. Establishing Safety Culture
Clearly Defined Roles and Responsibilities
Competency and Training
3. Audits and Inspections
Compliance Monitoring
Audits and inspection (FSA in operation)
4. Continuous Improvement and Lessons Learned
Incidents - implementing Corrective Actions
Sharing Lessons Learned
[Figure: facility lifecycle timeline per well (A to I) from Commission through LAT to De-commission; chart values not recoverable]
FUNCTIONAL SAFETY LIFECYCLE
• According to IEC 61511 the purpose of a Functional Safety
Assessment (FSA) is to confirm that the Safety Instrumented
System (SIS) is compliant with IEC 61511.
• Stage 1 FSA is carried out once the Hazard and Risk
Assessment studies are completed and the Safety
Requirements Specification (SRS) is written
• Stage 2 FSA is carried out once the SIS Design and the
Factory Acceptance Test (FAT) have been completed
[Figure: HAZOP deviation categories – No/Less Flow, More Flow, Reverse/Misdirected Flow/Leak, More Pressure, Less Pressure, More Temperature, Less Temperature, More Level, No/Less Level, Composition/Phase/Contamination/Deposition, Corrosion/Erosion, Sampling/Testing, Control/Instrumentation, Others]
BAROSSA RISK MATRIX
CONSEQUENCE SEVERITY AND SIL INPUTS
Consequence (Safety) | Consequence (Environment) | Safety Severity | Safety TMEL (per year) | Environment Severity | Environment TMEL (per year)
Moderate (Harm to personnel / Medium term impairment) | Moderate (Significant impact to local population / industry / ecosystem) | SIII | 1.0E-02 | EIII | 1.0E-02
Major (Severe harm to personnel / Long term impairment) | Major (Long-term impact to local population / industry / ecosystem) | SIV | 1.0E-03 | EIV | 1.0E-03
Severe (Single fatality) | Severe (Complete loss of local population / industry / ecosystem factors) | SV | 1.0E-04 | EV | 1.0E-04
Critical (Multiple fatalities) | Critical (Irreversible impact to regional population / industry / ecosystem factors) | SVI | 1.0E-05 | EVI | 1.0E-05
Santos RM inputs for calibration of risk criteria for Target Mitigated Event Likelihood (TMEL).
HAZOP RULE SETS
Failures of protective systems are not considered as a cause of deviation, e.g. PSV failure to open on demand, etc.
Failures of Control of Work (COW) related actions are not considered as a cause of deviation, e.g. ILC/LC/LO valve inadvertent
action, removable spool/spectacle blind/blank flange maloperation, etc.
A single check valve (NRV) not specified as a safety related device is not given credit for a reverse flow scenario in the case of a Safety,
Environmental or significant Operability impact, unless otherwise justified.
In the case of two (2 x 100 %) or more identical trains or equipment items of a system, only one train / equipment item is
assessed during the review. The relevant recommendations raised for the typical train shall be applicable to the other identical train(s).
Simultaneous occurrence of two or more unrelated incidents (double/multiple jeopardy) is not considered as a probable cause.
Rupture/leak of equipment is not considered as a cause, except for tube rupture or tube/boundary failure in an exchanger.
Escalation can be considered by the HAZOP team only if its occurrence is established by input from other studies. The initial and
escalated consequences need to be written separately.
Causes are sought only within the node reviewed, but consequences/safeguards could be outside the node.
Causes can be listed together provided the consequences and safeguards are identical. Note: If there is no credible cause proposed, it
shall be recorded as "No credible causes identified" within the HAZOP worksheets.
If the discussion on a particular cause and its consequences/safeguards cannot reach team consensus, the facilitator is to curtail
further discussion and the issue will be either parked ("parked items") or a recommendation raised for further review.
HAZOP SAFEGUARDING - IPL
1. HAZOP gives a list of agreed and documented safeguards
2. An Independent Protection Layer (IPL) is designed to prevent a postulated accident sequence from proceeding (e.g. PSHH, PSV)
3. The Safety Instrumented Function (SIF) is chosen based on Severity (e.g. Sev V)
4. There could be more than one SIF available with the same action – one SIF is chosen (e.g. LSLL), with or without other IPLs
THE HAZOP CHALLENGE
• How do we ensure that our HAZOP studies are transformed into a success story?
REVIEW OF HAZOPS REVEALS .....
[Figure: MTI against frequency (log axis from 0.001 to 1000); chart content not recoverable]
SIL ASSESSMENT ASPECTS
HAZOP LINKAGE TO SIL DETERMINATION
BY LOPA
• The key information needed from the HAZOP is as follows:
• Initiating causes
• Consequence and severity category
• Safeguards (as IPLs)
• LOPA relies on the results of the HAZOP, further evaluated by the team
• The LOPA review is concerned with hazardous events of specific
Severities and their related SIFs/IPLs, whereas a HAZOP may include
safeguards that are not SIFs.
• Assessment of Safety Instrumented Functions (SIFs) by SIL
determination, or of the adequacy of IPLs to match the risk target for the
specified hazardous event scenario.
SIL DETERMINATION METHODOLOGY
• Follows the IEC 61511 standard requirements
• Typically addresses the Safety and Environmental consequence
demand in line with the specified RM
• Determination by Layer of Protection Analysis (LOPA)
• Establishes the risk reduction measures required
• For a SIF in demand mode
• Could also require assurance that there are sufficient layers of
protection, in the absence of the SIF, for the hazardous event consequences
• If required, puts forward recommendations for further assessment to
manage the hazards to ALARP.
• Software programs, e.g. PHAPro, have a special LOPA module,
which can be tailored to company or project requirements
CONCEPTS USED
Safety Instrumented Function (SIF): a function with a specified safety integrity level which is necessary to achieve functional safety, typically as a safety instrumented protective function.
Safety Instrumented System (SIS): used to implement one or more SIFs. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Integrated Control and Safety System (ICSS): combines elements of process control and functional safety into a single architecture (separation of functional safety and control is achieved within the architecture, in line with IEC 61508/61511 requirements).
SAFETY INSTRUMENTED FUNCTION
• Evaluate the hazardous event risk that would obtain in the absence of the SIF (crediting only the
other available IPLs) and compare the outcome with the applicable criterion for tolerability of the
risk, the Target Mitigated Event Likelihood (TMEL).
• Establish the Unmitigated Event Frequency (UEF) resulting from the Initiating
Events (IE) in the presence of the modifiers and enabling conditions:
• Ignition probability (for flammable and high flash point hazards; refer to the ToR)
• Time at risk (the fraction of time the hazard is present; specific batch operations)
• Occupancy factor (the probability that the hazard zone is occupied when the event occurs; credit is taken for
the fraction of time it is not occupied. Rule Set for Barossa Safety Studies)
• Enabling event probability (a condition that must be present during the initiating event for it to
progress to the consequence(s) of the event)
• The Independent Protection Layer (IPL)
• Assessment of IPLs shall be performed to determine the amount of risk reduction provided by
each, its dependability, and its independence from other IPLs.
LOPA METHOD STEPS (BRIEF)
• Preparation steps (Input from HAZOP)
• Identify hazardous events for the LOPA Scenario that result in consequence Severity
levels requiring a LOPA
• Identify initiating causes of the hazardous events - Check HAZOP causes
• Identify any existing SIFs and IPLs- Check HAZOP safeguards
• Pre-population and LOPA review
• Determine the initiating cause frequency of failure (likelihood) – ToR
• Consider frequency modifiers (Occupancy factor, Ignition probability, Time at Risk,
Enabling Conditions)
• Verify the consequence level targets in terms of Safety/Environment – Agree Severity for
TMEL
• Determine IPLs that can mitigate the initiating causes – ToR Rule Sets
HUMAN ERROR FREQUENCY FOR ACTIONS TAKEN LESS THAN ONCE PER MONTH
Conditions | Probability of error
Operator well trained, with stress | 0.1 per opportunity
Operator well trained, no stress | 0.01 per opportunity
Operator well trained, no stress, with independent verification | 0.001 per opportunity
MODIFIERS - IGNITION PROBABILITIES
Ignition probability rule set | Value | Comments
Probability of ignition of flammable fluid when a joint (gasket) or rotating machinery mechanical seal fails | 0.0025 - 0.05 | HC rate of release through joint failure is < 1 kg/s. See notes below.
Note 1: The ignition probability modifier does not normally apply to catastrophic vessel failure (full rupture)
Note 2: The ignition probability should be increased 10 times for releases to safe (non-classified) plant areas
Note 3: No credit for toxic gas impact
MODIFIERS – OTHERS
• Time at risk (T@R) - the hazardous event can occur continuously or only during a specific time-limited activity.
• A fraction of time the hazard is present can be applied to limit the duration of the hazard (e.g. offloading
operations)
• Used only for revealed failures – prior to the start of the operation, the equipment relied on for the T@R credit needs to be tested
• “Time-at-risk considerations can only be applied when systems have been put in place to reliably ensure that potential failures that
could lead to incident scenarios are detected and corrected before the beginning of the time-at-risk state…”. Ref. CCPS, Guidelines
for Enabling Conditions and Conditional Modifiers in Layer of Protection Analysis
• Occupancy factor - the probability that the hazard zone is occupied when the event occurs (credit is taken for the
fraction of time it is not occupied). Rule Set for Opal (impact of HC releases):
• Single module (Sev IV & V) – 10 % for topside/hull areas as a conservative approach (5 % + as per FPSO
distribution)
• Multiple modules (Sev VI) – 20 % to allow for additional personnel (group)
• Large area (Sev VI) – FPSO-wide exposure (e.g. flare system/cargo tank ruptures) – no occupancy credit
• Start-up/shutdown event, human error at location (any Severity) – impact at location – no occupancy credit
• Enabling event probability - a condition that must be present during the initiating event for it to progress
to the consequence(s) of the event
• Rarely used – difficult to establish the probability, e.g. single or multiple train operation
• Used only where specific, with a stated confidence interval (Opal - use of HC vs. IG blanketing)
ICSS IPL
IPL | PFD | Comments
Basic process control system control loop – Safety Related Control (SRC) | 1.0E-01 | Can be credited as an independent protection layer if not associated with the initiating event being considered. IEC 61511 places a limit of 0.1 on the PFD of a BPCS, unless the BPCS is designed and maintained as a safety system in accordance with IEC 61511 (also refer to the BPCS section). SRC to meet the specific set of requirements as per the ToR.
Safety instrumented function (in SIS with no SIL rating) | >= 1.0E-01 to < 1 | Includes "No Special Safety Functions required" (SIL a) and "No Safety Function (NSF) required" if residing in the SIS. Note: SIL a could use control system functionality. Refer to IEC 61508 and IEC 61511 for lifecycle requirements and additional discussion.
SIL 1 SIS | >= 1.0E-02 to < 1.0E-01 | Typically consists of a single sensor, single logic solver and single final element.
SIL 2 SIS | >= 1.0E-03 to < 1.0E-02 | Typically consists of multiple sensors (for fault tolerance), a multiple-channel logic solver (for fault tolerance) and multiple final elements (for fault tolerance).
SIL 3 SIS | >= 1.0E-04 to < 1.0E-03 | Typically consists of multiple sensors, a multiple-channel logic solver and multiple final elements. Requires careful design and frequent proof tests to achieve low PFD figures.
Note: If the SIL level has been verified for a specific SIS, that value should be used as opposed to the range listed.
MECHANICAL RELIEF IPL
IPL | Conditions | PFD
Relief valve | PSV sized to mitigate the scenario | 0.01
Relief valve | Multiple full-load PSVs are available to mitigate the scenario | 0.001
Relief valve | Multiple partial-load PSVs are available and sized such that more than one PSV would need to fail for the scenario to occur | 0.01
Relief valve | N partial-load PSVs required to mitigate the full load (this includes staged-release PSVs) | N x 0.01
Relief valve | Plugging service with no protection. An unprotected PSV used in plugging service is not considered sufficient for consideration as an IPL. | 1
Relief valve | Plugging service with protection. The design is based on prior history in similar services and may include the use of specially designed PRVs, inlet header purges and close-coupled rupture discs. | 0.01
Relief valve | PSV with two dissimilar NRVs installed in series for reverse flow protection – likelihood reducing factor and an aid to PSV sizing (10 % flow area) | 0.01
Vacuum breaker | Designed for the hazard and inspected periodically | 0.01
Rupture disc / buckling pin | Designed to mitigate the scenario (non-plugging service) | 0.01
OTHER IPL
Risk reduction measure | PFD | Comments
Single NRV | 1.0E-01 | Based on a regular test frequency for a single NRV. Note 1
Two dissimilar NRVs | 1.0E-02 | Based on a regular test frequency of two dissimilar NRVs. Note 1
Note 1: Check valves may be used as a layer of protection only if leakage is tolerable
Note 2: Given as “Fixed Equipment Failure”
Note 3: Not used as preventative IPLs but as post-event for specific LOPA (F&G, EERA, survivability, etc.,)
SIL DETERMINATION WORKSHEET (LOPA)
[Figure: example SIL determination worksheet; content not recoverable]
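A worked LOPA calculation for one scenario, added here as an illustration; it is not the course's worksheet or any project tool. It strings the method steps together: the initiating event frequency with its modifiers gives the UEF, the creditable IPLs give the frequency without the SIF, and the ratio to the TMEL gives the required risk reduction and the SIL target. The TMEL values, the BPCS loop PFD of 0.1, the rule that a BPCS loop cannot be credited against its own failure, the "no credit" rule for an unprotected PSV in plugging service and the SIL PFD bands are taken from the rule-set tables on these slides. The scenario itself, its tag names, the initiating event frequency of 0.2 per year and the 0.1 PFD for operator response to an SRA are constructed assumptions.

```python
"""Worked LOPA / SIL determination for one hazardous-event scenario.

Added illustration, not the course's own worksheet or software.  Rule-set
numbers are those stated in these slides (TMEL per severity, BPCS loop
PFD 0.1, unprotected PSV in plugging service = no credit, SIL PFD bands).
The scenario, tag names, 0.2/yr initiating-event frequency and the 0.1 PFD
for operator response to an SRA are constructed assumptions.
"""
from dataclasses import dataclass, field

# Target Mitigated Event Likelihood (per year) per safety severity,
# from the Barossa risk matrix slide.
TMEL = {"SIII": 1.0e-2, "SIV": 1.0e-3, "SV": 1.0e-4, "SVI": 1.0e-5}


@dataclass
class IPL:
    name: str
    pfd: float
    is_bpcs_loop: bool = False   # a BPCS loop cannot be credited against its own failure


@dataclass
class Scenario:
    description: str
    severity: str                       # key into TMEL
    initiating_event: str
    ie_frequency: float                 # per year (a ToR value; assumed here)
    ie_is_bpcs_loop: bool = False
    ignition_probability: float = 1.0   # 1.0 = no credit (toxic, full rupture)
    occupancy: float = 1.0              # probability the hazard zone is occupied
    time_at_risk: float = 1.0           # fraction of time; revealed failures only
    enabling_probability: float = 1.0
    ipls: list = field(default_factory=list)

    def unmitigated_event_frequency(self) -> float:
        """UEF: initiating-event frequency with enabling condition and modifiers."""
        return (self.ie_frequency * self.enabling_probability
                * self.ignition_probability * self.occupancy * self.time_at_risk)

    def creditable_ipls(self) -> list:
        """Independence rule: drop a BPCS loop when the initiating event is a
        BPCS loop failure; drop anything with PFD 1.0 (no credit, e.g. an
        unprotected PSV in plugging service)."""
        return [ipl for ipl in self.ipls
                if ipl.pfd < 1.0 and not (ipl.is_bpcs_loop and self.ie_is_bpcs_loop)]

    def frequency_without_sif(self) -> float:
        """Mitigated frequency crediting every IPL except the SIF under study."""
        freq = self.unmitigated_event_frequency()
        for ipl in self.creditable_ipls():
            freq *= ipl.pfd
        return freq

    def required_rrf(self) -> float:
        """Risk reduction the SIF must provide to reach the TMEL."""
        return self.frequency_without_sif() / TMEL[self.severity]


def sil_target(rrf: float) -> str:
    """SIL target for a required risk-reduction factor (RRF = 1 / required PFD),
    using the PFD bands on the ICSS IPL slide: SIL 1 [1e-2, 1e-1),
    SIL 2 [1e-3, 1e-2), SIL 3 [1e-4, 1e-3); SIL a covers PFD [1e-1, 1)."""
    if rrf <= 1.0:
        return "No SIF required"
    if rrf < 10.0:
        return "SIL a"
    if rrf < 100.0:
        return "SIL 1"
    if rrf < 1000.0:
        return "SIL 2"
    if rrf < 10000.0:
        return "SIL 3"
    return "Above SIL 3: add IPLs or change the design"


def assess(scenario: Scenario) -> dict:
    """One LOPA worksheet row: frequencies, target, required RRF and SIL."""
    rrf = scenario.required_rrf()
    return {
        "UEF": scenario.unmitigated_event_frequency(),
        "frequency_without_SIF": scenario.frequency_without_sif(),
        "TMEL": TMEL[scenario.severity],
        "required_RRF": rrf,
        "required_PFD": 1.0 / rrf if rrf > 1.0 else None,
        "SIL_target": sil_target(rrf),
        "credited": [ipl.name for ipl in scenario.creditable_ipls()],
    }


# Constructed scenario (not from the slides): pressure control loop failure
# on a separator, overpressure, gasket release (< 1 kg/s), jet fire reaching
# adjacent modules, multiple fatalities (Sev VI).
SCENARIO = Scenario(
    description="Separator overpressure from PIC loop failure, gasket release, jet fire",
    severity="SVI",
    initiating_event="PIC-101 BPCS loop failure (assumed 0.2/yr)",
    ie_frequency=0.2,
    ie_is_bpcs_loop=True,
    ignition_probability=0.05,   # upper end of the joint/seal ignition rule set
    occupancy=0.2,               # multiple modules, Sev VI rule set
    ipls=[
        IPL("PIC-101 control loop", 0.1, is_bpcs_loop=True),  # excluded: it is the IE
        IPL("PSV-101 (unprotected plugging service)", 1.0),   # no IPL credit
        IPL("PAH-101 SRA with operator response", 0.1),       # assumed PFD
    ],
)

if __name__ == "__main__":
    for key, value in assess(SCENARIO).items():
        print(f"{key}: {value}")
```

With the SRA credited the frequency without the SIF is 2.0E-04 per year against a TMEL of 1.0E-05, so the SIF must provide an RRF of 20 (required PFD 0.05), a SIL 1 target. Removing the alarm credit leaves an RRF of 200 and a SIL 2 target, which is the point of recording every IPL's independence and PFD before fixing the SIL.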
ALARM IPL
Operator response to alarm – Safety Related Alarm (SRA). An SRA is credited as an IPL only if:
• The operator has at least 15 minutes for intervention before SIF activation or the event, whichever comes
first (response time < time to event)
• The operator intervention is independent of the final element action of any other credited IPL
• The alarm is independent of the cause and of any BPCS control loop claimed as an IPL. A BPCS control loop
claimed as an IPL and an alarm that share the same input card or processor are not independent
• The operator is always present and available at the alarm point (e.g. in a continuously manned CCR)
• The alarm is allocated a priority and gives a clear indication of the hazard; it shall be designated at least
High Priority and highlighted on the HMI
• The operator can detect the alarm among potentially many other alarms
• The operator is trained in the proper response and operating procedures associated with the alarm state
ALARM MANAGEMENT/RATIONALISATION
• International standards and guidance (EEMUA 191 – 2007, ISA-18.2-2008) describe how to implement
and maintain an alarm system
• Alarm management activities are structured to follow the IEC 61508/61511 lifecycle approach
• The first stage of the alarm management lifecycle is the creation of an alarm philosophy document.
• Rationalisation involves reviewing and justifying potential alarms to ensure that they meet the criteria
• Defining the attributes of each alarm - activation time, priority, classification and type - and documenting
the cause, consequence, response time and operator action.
• Opal Configuration includes:
• First Out Alarms - Where a final element can be
tripped by more than one initiator, the SIS captures
the initiating cause of a trip via a first-out alarm
indication in HMI.
• Safety Related Alarms - All Alarms credited as an IPL
within the SIL assessment have been added to the
alarm list as Safety Related (High Priority).
ALARM SAFETY RESPONSE TIME
Urgency is defined as the Time To Consequence (TTC): the difference between the Time to Event (TTE) and the
Operator Response Time (ORT), i.e. TTC = TTE - ORT.
• The ORT is based on a generic rule set that takes into account the location of the required response
(such as the control room or aft machinery space) and the task required of the operator upon reaching the
equipment (such as line-up of equipment).
• For the TTC, where specific durations are not available, a similar rule set shall be established and agreed by
all team members (such as for high differential pressure across a filter or increased bearing temperature).
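An alarm IPL screening, added as an illustration (not a tool from the course), that applies the crediting conditions listed under ALARM IPL together with the urgency definition TTC = TTE - ORT. The generic ORT rule set (travel time by response location) and the two alarm candidates are constructed assumptions; a project would agree its own values in the ToR.

```python
"""Safety Related Alarm (SRA) IPL screening.

Added illustration, not a course tool.  Encodes the crediting conditions on
the 'Alarm IPL' slide and the urgency definition TTC = TTE - ORT from the
'Alarm safety response time' slide.  The generic ORT rule set and both alarm
candidates below are constructed assumptions.
"""
from dataclasses import dataclass

MIN_INTERVENTION_MIN = 15.0   # slide: at least 15 minutes before SIF action or event

# Assumed generic ORT rule set: travel/diagnosis time by response location,
# in minutes.  A project would agree its own values in the ToR.
ORT_LOCATION_MIN = {"control room": 5.0, "aft machinery space": 15.0, "topside module": 20.0}


@dataclass
class AlarmCandidate:
    tag: str
    time_to_event_min: float                  # alarm to the hazardous event
    time_to_sif_trip_min: float               # alarm to SIF activation
    response_location: str                    # where the operator must act
    task_time_min: float                      # task on reaching equipment (e.g. line-up)
    priority: str                             # alarm priority on the HMI
    independent_of_cause: bool
    shares_io_with_credited_bpcs_loop: bool   # same input card / processor
    acts_on_credited_ipl_final_element: bool
    ccr_continuously_manned: bool
    operator_trained: bool


def time_to_event(a: AlarmCandidate) -> float:
    """TTE: the event or the SIF activation, whichever comes first."""
    return min(a.time_to_event_min, a.time_to_sif_trip_min)


def operator_response_time(a: AlarmCandidate) -> float:
    """ORT from the generic rule set: location travel time plus the task."""
    return ORT_LOCATION_MIN[a.response_location] + a.task_time_min


def time_to_consequence(a: AlarmCandidate) -> float:
    """Urgency margin as defined on the slide: TTC = TTE - ORT."""
    return time_to_event(a) - operator_response_time(a)


def screen(a: AlarmCandidate) -> list:
    """Reasons the alarm may NOT be credited as an IPL; empty list = creditable."""
    reasons = []
    tte, ort = time_to_event(a), operator_response_time(a)
    if tte < MIN_INTERVENTION_MIN:
        reasons.append(f"only {tte:.0f} min before SIF trip/event (< 15 min)")
    if time_to_consequence(a) <= 0:
        reasons.append(f"ORT {ort:.0f} min is not less than TTE {tte:.0f} min")
    if not a.independent_of_cause:
        reasons.append("alarm not independent of the initiating cause")
    if a.shares_io_with_credited_bpcs_loop:
        reasons.append("shares input card/processor with a BPCS loop claimed as IPL")
    if a.acts_on_credited_ipl_final_element:
        reasons.append("operator action uses a final element of another credited IPL")
    if a.priority != "High":
        reasons.append(f"priority {a.priority!r}, must be at least High")
    if not a.ccr_continuously_manned:
        reasons.append("no operator continuously present at the alarm point")
    if not a.operator_trained:
        reasons.append("operator not trained in the alarm response procedure")
    return reasons


def creditable(a: AlarmCandidate) -> bool:
    return not screen(a)


# Constructed candidates, not from the slides.
LAH_201 = AlarmCandidate(
    tag="LAH-201", time_to_event_min=45.0, time_to_sif_trip_min=30.0,
    response_location="control room", task_time_min=2.0, priority="High",
    independent_of_cause=True, shares_io_with_credited_bpcs_loop=False,
    acts_on_credited_ipl_final_element=False, ccr_continuously_manned=True,
    operator_trained=True,
)
PAH_305 = AlarmCandidate(
    tag="PAH-305", time_to_event_min=12.0, time_to_sif_trip_min=10.0,
    response_location="aft machinery space", task_time_min=5.0, priority="Medium",
    independent_of_cause=True, shares_io_with_credited_bpcs_loop=True,
    acts_on_credited_ipl_final_element=False, ccr_continuously_manned=True,
    operator_trained=True,
)

if __name__ == "__main__":
    for cand in (LAH_201, PAH_305):
        verdict = "creditable" if creditable(cand) else "NOT creditable"
        print(cand.tag, verdict, screen(cand))
```

LAH-201 passes with a TTC of 23 minutes; PAH-305 fails on four counts at once (under 15 minutes, negative TTC, shared I/O with a credited BPCS loop, Medium priority), which is why each rejection reason is returned rather than a single yes/no.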
SIMPLE EXAMPLE: FIRE RISK
Case: Oil & Gas facility: fire consequence and risk
Without a protection system: unacceptable risk
With protection, the frequency of fire development becomes improbable, since it can be shown that 99% of all fire
developments can be detected and extinguished at an early stage
[Fault tree figure: SIF failure from ZV failure 4.02E-05 (two ZV basic events at 6.34E-03 each), pressure sensors failure 1.29E-06 (three basic events at 4.32E-07 each) and TMR logic controller failure 1.92E-05]
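A fault-tree evaluation of the SIF in the fire-risk example, added as an illustration (not from the course). The basic-event values are the ones printed on the slide's fault tree; the gate logic is an assumption read from the figure layout: the two ZV events combine as AND (6.34E-03 squared gives the printed 4.02E-05) and the three sensor events combine as OR (their sum gives the printed 1.29E-06). A 2oo3-voted sensor set would need a different gate; the OR reading is what reproduces the slide's figure. The achieved PFD is then checked against the SIL PFD bands from the ICSS IPL slide, which is the verification step.

```python
"""Fault-tree evaluation of the SIF in the fire-risk example.

Added illustration, not from the course.  Basic-event values are the
slide's; the gate structure (AND for the two ZVs, OR for the three sensors,
OR across the three branches) is an assumption read from the figure layout.
"""
from dataclasses import dataclass
from math import prod
from typing import Union


@dataclass
class Gate:
    kind: str     # "AND": all inputs must fail; "OR": any input fails
    inputs: list  # basic-event probabilities (float) or nested Gates


Node = Union[float, Gate]

# Upper bound of each SIL band (PFD must be below it), from the ICSS IPL slide.
SIL_PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3}


def probability(node: Node) -> float:
    """Failure probability of a node, computed exactly (no rare-event approximation)."""
    if isinstance(node, float):
        return node
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def meets_sil(pfd: float, target: int) -> bool:
    """Verification check: the achieved PFD must lie below the target band's upper bound."""
    return pfd < SIL_PFD_UPPER[target]


# Fault tree as laid out on the slide.
ZV_FAILURE = Gate("AND", [6.34e-3, 6.34e-3])              # both ZVs must fail to close
SENSOR_FAILURE = Gate("OR", [4.32e-7, 4.32e-7, 4.32e-7])   # any sensor failure, per the figure
LOGIC_FAILURE = 1.92e-5                                    # TMR logic controller
SIF_FAILURE = Gate("OR", [ZV_FAILURE, SENSOR_FAILURE, LOGIC_FAILURE])


def sif_pfd() -> float:
    return probability(SIF_FAILURE)


if __name__ == "__main__":
    print(f"ZV failure:      {probability(ZV_FAILURE):.2e}")
    print(f"Sensor failure:  {probability(SENSOR_FAILURE):.2e}")
    print(f"Logic failure:   {LOGIC_FAILURE:.2e}")
    print(f"SIF PFD:         {sif_pfd():.2e}  meets SIL 3: {meets_sil(sif_pfd(), 3)}")
```

The branch values come out as 4.02E-05, 1.30E-06 and 1.92E-05, matching the figure, and the combined SIF PFD of about 6.1E-05 is below the SIL 3 upper bound of 1.0E-03. The ZV pair dominates, so it is the element whose proof-test interval most affects the achieved PFD.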
Vanguardasia.com.sg
sportwest.com.au