基于人因可靠性的间歇装置SIL分析与改进

IEC 61508和IEC 61511等标准针对连续工艺装置提出了安全仪表系统安全完整性等级评估方法。但对于间歇装置的SIL评估，受人因因素影响水平并未明确，且没有提出相应计算模型。以某六氟磷酸锂间歇生产装置典型SIS为例，采用HAZOP结合LOPA方法对其进行风险分析，在明确间歇生产装置存在人员中毒、窒息及燃烧爆炸风险的基础上，确定并验证其安全仪表系统的SIL，再依据间歇生产装置人工依赖性高，即部分安全仪表系统未接入自动联锁且需人工手动触发的特点，建立人因可靠性模型，来分析人因可靠性对安全仪表系统SIL的影响，并进行改进研究。研究结果表明:人因因素对安全仪表系统SIL有显著影响；可通过改变SIS元件冗余结构、测试策略并结合改进人因管理措施来提高SIL。     

石化装置火灾爆炸贝叶斯网络与防护层集成分析

复杂的石油化工装置在运转过程中存在诸多不确定因素,易发生火灾、爆炸等重大事故,给安全生产带来极大威胁。考虑到传统的系统安全分析方法在风险评估中存在一定局限性,引入贝叶斯网络与防护层集成分析模型。应用GeNIe软件将系统故障树转成贝叶斯网络,根据贝叶斯双向推理进行故障预测和诊断,快速识别系统薄弱环节并确定为风险贝叶斯故障节点,结合防护层分析提出相应的独立防护层,确定剩余风险水平。实例应用表明,所构建的贝叶斯网络与防护层集成分析模型对复杂系统进行风险评估是可行的,较传统的事件树、故障树分析方法更加科学、合理。     

Got a risk reduction strategy?

Process safety can be viewed as part of a triad that supports safety in a petrochemical facility. The other two parts are OSHA-type people safety (slips, falls, etc.) and industrial hygiene. The paper will look at process safety from a top down, plant centric view. Process safety can be distilled down to the basic concept of risk reduction. If we reduce risk, our facility will be safer. The obvious problem is that we have potential risks everywhere so how are we going to reduce all these risks to an acceptable level. Clearly we need a strategy or to use a less fancy word – a plan.Too many times it is easy to concentrate on certain aspects such as safety instrumented systems (SIS), layer of protection analysis (LOPA), behavioral safety, prevention, etc. and lose track of the whole picture of what risk reduction entails in a plant.This paper will look at risk reduction in a facility from a plant viewpoint and will cover the details and concepts of risk reduction across a wide spectrum of plant functionalities – safety climate and culture, process safety management, mechanical integrity and risk, layers of protection in risk reduction, loss of containment/hazard relationship, the risk reduction bow-tie diagram, developing a risk reduction strategy, risk reduction strategy elements, and sustainability.It will also discuss some key concepts in dealing with risk reduction in general.     

基于模糊保护层的池火灾事故风险分析

为计算引发池火灾事故的风险值,提高事故风险的量化水平,判断现有风险控制措施是否满足风险容忍度的要求,为制定减缓风险措施提供依据,给出了新的池火灾风险评估模型。基于传统的保护层分析模型(LOPA),结合模糊集合理论,引入模糊风险矩阵进行风险评估,构建适用于引发池火灾事故的模糊保护层(fL OPA)风险分析模型。该模型的特点是将模糊逻辑和保护层分析结合,减少了传统保护层分析方法计算过程中的不确定性因素,引入严重度减少指数(SRI)概念,使严重度计算、风险评估更加准确。运用该模型对原油储罐泄漏池火灾事故风险进行分析,给出风险决策方案,判断现有保护措施是否能控制风险在可容忍范围内,实例验证了模型的可行性。     

SIL determination: Recognising and handling high demand mode scenarios

The International Standards for Functional Safety (IEC 61508 and IEC 61511) are well recognised and have been adopted globally in many of the industrialised countries during the past 10 years or so. Conformance with these standards involves determination of the requirements for instrumented risk reduction measures, described in terms of a safety integrity level (SIL). During this period within the process sector, layer of protection analysis (LOPA) has become the most widely used approach for SIL determination. Experience has identified that there is a type of hazardous event scenario that occurs within the process sector that is not well recognised by practitioners, and is therefore not adequately handled by the standard LOPA approach. This is when the particular scenario places a high demand rate on the required safety instrumented function. This paper will describe how to recognise a high demand rate scenario. It will discuss what the standards have to say about high demand rates. It will then demonstrate how to assess this type of situation and provide a case study example to illustrate how to determine the necessary integrity level. It will conclude by explaining why it is important to treat high demand rate situations in this way and the resulting benefit of a lower but sufficient required integrity level.     

Value at Risk Perspective on Layers of Protection Analysis

Layers of protection analysis (LOPA) is an established tool for designing, characterizing, and evaluating risk in the chemical process industry. Value at risk (VaR) is a method first introduced in the financial sector for modeling potential loss in a complex venture. In this paper we demonstrate the application of VaR principles to the LOPA of an ethylene refrigeration compressor. We calculate the changes in risk profile (probability versus loss) associated with adding or removing different safety interlocks around the compressor. The VaR analysis shows that the benefits of a given layer of protection are not necessarily captured by a single average number, since the entire probability–value curve is affected. This type of analysis will aid in the allocation of limited resources to process risk interventions.     

Layer of Protection Analysis – Quantifying human performance in initiating events and independent protection layers

Layer of Protection Analysis (LOPA) is widely used within the process industries as a simplified method to address risks and determine the sufficiency of protection layers. LOPA brings a consistent approach with added objectivity and a greater degree of understanding of the scenarios and risks as compared to purely qualitative studies such as Process Hazard Analyses. LOPA can be used to address a wide range of risk issues and serves as a highly effective aid to decision making.Incorporation of human performance within LOPA is recognized as an important, though often challenging, aspect of the analysis. The human role in potential initiating events or within human independent protection layers is important throughout the process industries, and becomes even more critical for batch processing facilities and in non-routine operations. The human role is key to process safety and the control of risks, necessitating the inclusion and quantification of human actions in independent protection layers for most companies. Human activities as potential initiating events and human performance within independent protection layers are reviewed and methods for quantification outlined. An extension into Human Reliability Analysis (HRA) is provided, including methods to develop Human Error Probabilities specific to the process safety culture and operations at a given plant site.     

HAZOP-LOPA方法与SIL定级在电镀废水处理中的应用

为了保证电镀废水处理工艺的安全性,首先采用危险与可操作性分析(HAZOP)方法定性辨识工艺中潜在的危险和危害,并提出安全对策措施;然后采用保护层分析(LOPA)方法定量计算现有保护措施是否能够将风险控制在可接受范围;如果风险较高,通过增加安全仪表等级(SIL)降低风险值。并通过实例分析证明HAZOP-LOPA分析方法能够有效地实现电镀废水处理工艺的风险评价。     

基于LOPA逻辑的罐区多米诺效应定量风险评估*

为了更好地降低化工企业罐区事故造成多米诺效应的风险,提出1种基于保护层分析（LOPA）的定量风险评估程序。首先,阐述基于保护层分析(LOPA)逻辑的多米诺定量风险评估流程,即引入包括可用性、有效性及3种逻辑门定义及量化的安全屏障定量评估;然后,利用LOPA的分析逻辑将安全屏障融入多米诺定量风险评估框架中;最后,选取2×2 000 m3苯乙烯罐区为对象,识别防火层与喷淋冷却系统2种安全屏障并开展基于LOPA逻辑的罐区多米诺效应定量风险评估,得出安全屏障能有效地降低多米诺事故发生频率及罐区个人风险的结论。研究结果表明:该分析方法可为化工企业开展多米诺效应定量风险评估提供参考。     

Advanced process control system with MPC as a new approach for layer of protection analysis

Layer of protection analysis (LOPA) is a widely used method to support process safety in the chemical industries. In the LOPA, the process is classified into many layers, one of such layers considers the basic process control system (BPCS) which commonly uses PID controllers. This kind of controllers cannot deal with constraints. For this reason, the main purpose of this work is to provide a framework to enhance the control layer in the LOPA, which consists of a model predictive control (MPC) with safety features. These features include: sublayers in the controller system (such as real time optimization, target calculation, and MPC), safety constraints, and guarantee of stability by adopting an Infinite Horizon MPC (IHMPC). Here, we propose an approach for control-inspired view to process safety, replacing the BPCS by an Advanced Process Control System (APCS). Moving forward with these concepts, first, a literature review emphasizes the content, showing two perspectives for the APCS. The APCS is designed for two varieties of controllers, a basic IHMPC and IHMPC with zone control to compare the performance. In this framework, the first sublayer consists of a real time optimization (RTO) structure, that calculates the optimal operating condition for the process controller, which computes the control action. Besides, RTO has an additional constraint called the safety index, based on the protection of process operational. RTO and basic IHMPC communicate directly, while for IHMPC with zone control there is an inner sublayer called Target Calculation, it computes a feasible target to the controller, working as another safety strategy in APCS. After that, we demonstrate both structures applied to a CSTR reactor. From the case study, we compared both controllers, and evaluated the effect that the safety index constraint causes in the setpoints, outputs, and control actions. The use of safety constraint in RTO proved to be a safe strategy for the control layer, as well as IHMPC with zone control presented a safer profile than basic IHMPC. Furthermore, the results show that safety constraint affect the economic goal, decreasing its value.     

An evaluation approach using a HARA and FMEDA for the hardware SIL

Safety instrumented systems (SIS) are becoming increasingly complex, and form a growing proportion of programmable electronic parts. The IEC 61508 global standard was established to ensure the functional safety of SIS; however, it was expressed in highly macroscopic terms. The safety integrity level (SIL) is a criterion describing whether a component meets the safety requirements of a SIS. The safety requirements give a target SIL for the expected risks using hazard analysis and risk assessment (HARA). The SIL must correspond to the safety requirements. This study introduces an evaluation process for determining the hardware SIL through failure modes, effects, and diagnostic analysis (FMEDA). First, the components of the SIS subsystem are defined in terms of failure modes and effects, and then the failure rate and failure mechanism distribution are assigned to each component. The safety mode and detectability of each failure mode are determined for each component and, finally, the hardware SIL is evaluated. We perform a case study to evaluate the hardware SIL of the flame scanner system using HARA and FMEDA, where the safety requirement of the flame scanner was determined using the risk graph method. We verified that the hardware SIL of the flame scanner corresponded to the safety requirement.     

基于FFTA-LOPA的化工装置安全仪表系统SIL确定方法

为了优化确定化工装置安全仪表系统（SIS）安全完整性等级（SIL）,分析了现有确定SIL的不足,针对化工装置的失效数据缺失和不确定性特点,提出模糊事故树-保护层（FFTA-LOPA）模型计算安全仪表系统SIL。以某低密度聚乙烯反应釜为例,建立了该反应釜爆炸事故树,运用模糊理论定量分析顶上事件发生的概率,最终确定其安全仪表系统安全完整性等级为SIL 1。结果表明:该方法结合两种风险分析理论,分析结果与实际和理论统计结果符合性较好,具有一定地准确性和实用性,可以为定量确定系统SIL提供理论指导。     

安全仪表系统的开发与要求

综述安全仪表系统的发展过程;对其主要组成、特点以及其各自要求进行研讨;给出安全仪表系统开发的简化流程;探讨安全仪表系统的经济性分析和仪表选择方法;对安全仪表系统整体生命周期中的计划编制、设计、实施、运行、维护和确认等各阶段活动的关键要求进行了讨论和研究。该研究对安全仪表系统的深入理解有指导作用,并为安全仪表系统的分析、设计、实施、运行和维护等活动提供参考。     

Risk reduction concept to provide design criteria for Emergency Systems for onshore LNG plants

The functional safety requirement is widely applied in the process plant industry in accordance with the international standards, such as IEC and ISA. The requirement is defined as safety integrity level (SIL) based on the risk reduction concept for protection layers, from original process risk to tolerable risk level. Although the standards specify both, the Prevention System and the Emergency System, as level of protection layers, the standards specify in detail only the use of the Prevention System (i.e., Safety Instrumented System (SIS)). The safety integrity level is not commonly allocated to the Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System). This is because the required risk reduction can be normally achieved by only the Prevention System (i.e., SIS and Pressure Safety Valve (PSV)). Further, the risk reduction level for the Emergency System is very difficult to be quantified by the actual SIL application (i.e., evaluated based on the single accident scenario, such as an accident from process control deviation), since the escalation scenarios after Loss of Containment (LOC) greatly vary depending on the plant design and equipment. Consequently, there are no clear criteria for evaluating the Emergency System design. This paper aims to provide the functional safety requirement (i.e., required risk reduction level based on IEC 61508 and 61511) as design criteria for the Emergency System.In order to provide clear criteria for the Emergency System evaluation, a risk reduction concept integrated with public’s perception of acceptable risk criteria is proposed and is applied to identify the required safety integrity level for the Emergency System design. Further, to verify the safety integrity levels for the Emergency Systems, the probabilistic model of the Emergency Systems was established considering each Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System) relation as the Overall Emergency System. This is because the Overall Emergency System can achieve its goal by the combined action of each individual system, including inherent safe design, such as separation distance.The proposed approach applicability was verified by conducting a case study using actual onshore Liquefied Natural Gas Plant data. Further, the design criteria for Emergency Systems for LNG plants are also evaluated by sensitivity analysis.     

ExSys-LOPA for the chemical process industry

The chemical process industries are characterized by the use, processing, and storage of large amounts of dangerous chemical substances and/or energy. Among different missions of chemical plants there are two very important ones, which: 1. provide a safe work environment, 2. fully protect the environment. These important missions can be achieved only by design of adequate safeguards for identified process hazards. Layer of Protection Analysis (LOPA) can successfully answer this question. This technique is a simplified process of quantitative risk assessment, using the order of magnitude categories for initiating cause frequency, consequence severity, and the likelihood of failure of independent protection layers to analyze and assess the risk of particular accident scenarios. LOPA requires application of qualitative hazard evaluation methods to identify accident scenarios, including initiating causes and appropriate safeguards. This can be well fulfilled, e.g., by HAZOP Studies or What-If Analysis. However, those techniques require extensive experience, efforts by teams of experts as well as significant time commitments, especially for complex chemical process units. In order to simplify that process, this paper presents another strategy that is a combination of an expert system for accident scenario identification with subsequent application of LOPA. The concept is called ExSys-LOPA, which employs, prepared in advance, values from engineering databases for identification of loss events specific to the selected target process and subsequently a accident scenario barrier model developed as an input for LOPA. Such consistent rules for the identification of accident scenarios to be analyzed can facilitate and expedite the analysis and thereby incorporate many more scenarios and analyze those for adequacy of the safeguards. An associated computer program is under development. The proposed technique supports and extends the Layer of Protection Analysis application, especially for safety assurance assessment of risk-based determination for the process industries. A case study concerning HF alkylation plant illustrates the proposed method.     

A fuzzy logic and probabilistic hybrid approach to quantify the uncertainty in layer of protection analysis

Layer of protection analysis (LOPA) is a widely used semi-quantitative risk assessment method. It provides a simplified and less precise method to assess the effectiveness of protection layers and the residual risk of an incident scenario. The outcome failure frequency and consequence of that residual risk are intended to be conservative by prudently selecting input data, given that design specification and component manufacturer's data are often overly optimistic. There are many influencing factors, including design deficiencies, lack of layer independence, availability, human factors, wear by testing and maintenance shortcomings, which are not quantified and are dependent on type of process and location. This makes the risk in LOPA usually overestimated. Therefore, to make decisions for a cost-effective system, different sources and types of uncertainty in the LOPA model need to be identified and quantified. In this study, a fuzzy logic and probabilistic hybrid approach was developed to determine the mean and to quantify the uncertainty of frequency of an initiating event and the probabilities of failure on demand (PFD) of independent protection layers (IPLs). It is based on the available data and expert judgment. The method was applied to a distillation system with a capacity to distill 40 tons of flammable n-hexane. The outcome risk of the new method has been proven to be more precise compared to results from the conventional LOPA approach.     

合成氨装置系统安全仪表系统安全完整性等级分析

论文在介绍安全仪表系统、安全完整性等级的基本原理基础上,综合分析了危险与可操作性分析(HAZOP)、保护层分析(LOPA)等系统风险分析理论的应用方法。并结合上述理论,确定了安全仪表系统的安全完整性等级(SIL)定级。以合成氨装置为例,应用HAZOP及保护层分析方法,得出了合成塔压力过高及废热锅炉液位过低2个场景下的安全完整性SIL等级。结果表明:合成塔装置仪表的SIL等级为1,废热锅炉仪表的SIL等级为2。     

安全仪表系统的应用及发展

探讨安全仪表系统在过程工业中的必要性与重要性,以ISA/S84.01安全仪表系统生命周期为基本框架,介绍安全仪表系统的基本组成和生命周期各阶段的主要工作,阐述安全仪表系统与过程控制系统的异同。研究安全仪表系统设计过程中风险分析与安全完整性水平等的关键技术;总结了目前安全仪表系统所呈现出的新特点、新趋势;指出安全仪表系统未来发展的方向;同时认为安全仪表系统作为一种有效的安全保障措施,应当以风险与危害分析为基础,按照最低合理可行原则,根据对象的不同特点,确定适当的安全完整性水平。该应用研究成果对于安全仪表系统的设计与应用具有一定的指导意义。     

HAZOP、LOPA和SIL方法的应用分析

通过概括介绍危险与可操作性分析(HAZOP)、保护层分析(LOPA)和安全完整性等级分析(SIL)三种方法的特点,总结三种分析方法之间的关系.LOPA分析是HAZOP分析的继续,可以解决HAZOP分析中残余风险不能定量化的不足,是对HAZOP分析结果的丰富和补充;SIL分析则在LOPA分析的基础上,进一步对需要增加的安全仪表系统(SIS)进行设计,并对LOPA分析结果进行验证,即HAZOP、LOPA分析是SIL分析的前期准备工作.因此,在详细介绍SIS的组成、安全生命周期阶段、SIL的选择确定方法以及SIL分析流程之前,也简要介绍了HAZOP、LOPA分析方法,梳理了两种方法的分析流程.最后通过引入示例来展示三种分析方法之间的关系.     

安全仪表系统的性能维护及指标值计算

安全仪表系统（SIS）作为保障工业生产安全的重要措施,需要在危险发生时正确地执行其安全功能,采取有效措施维持安全仪表系统在运行阶段的性能是保障系统功能安全的关键。详细阐明了SIS在运行阶段应遵循风险评估分析、安全功能分配文件、安全要求规范、安全分析报告、安全完整性等级符合性等重要文档中的要求,给出了维持SIS安全完整性的主要活动,并在加强旁路、禁止和超驰控制管理,对SIS失效的响应、记录和分析,进行定期检查、维护和功能测试以及安全仪表系统的变更管理等方面提出了要求。提出了SIS的安全性能指标及目标值的简易计算方法,给出失效率更新流程、计算方法和功能安全测试间隔调整技术。所提的技术方法为如何保证安全仪表系统运行阶段的安全性能提供了有力指导,其可操作性强,便于在实际工程中进行应用。