Similar literature
1.
The arrangement of components plays a key role in the performance of complex Safety Instrumented Systems (SIS), in which, for instance, a SIS logic solver is interlocked with other logic solvers in order to share a final element. The position of the components and the way they are utilized affect the reliability characteristics, such as the Probability of Failure on Demand (PFD), Spurious Trip Rate (STR), architectural sensitivity and model uncertainty. This case study uses quantitative and qualitative approaches to elaborate on various aspects of component arrangement in complex SIS. Numerous simplified models are analyzed; a new classification is introduced for SIS components based on their response to demand; a set of guidelines is developed for SIS architecture design, with a focus on component arrangement; and the use of these guidelines is demonstrated in a real-life example, where an existing turbine SIS is modified to incorporate a new over-speed protection system. The simplified models and the turbine upgrade project are also used to explain the issue of unknowns and uncertainties in reliability analysis and how these issues can be addressed in SIS architecture by optimizing component arrangement.

2.
To formulate a reasonable proof-test strategy and improve the safety of Safety Instrumented Systems (SIS) operating in low-demand mode, a general model for calculating the average probability of failure on demand (PFDavg) is proposed. A proof-test distribution factor and a common-cause-failure correction factor are introduced to characterize the effect of partial and full proof tests on SIS safety. The results show that the model applies to all homogeneous koon architectures, can be used for periodic and non-periodic partial proof testing and for scenarios in which common-cause failure has a strong influence, and can provide a theoretical basis for enterprises formulating proof-test strategies.

3.
To analyze the functional completeness and reliability of the safety instrumented systems of LNG refuelling stations, three typical Class III LNG refuelling stations were taken as research objects; safety instrumented function identification, Safety Integrity Level (SIL) assignment and SIL verification were carried out comprehensively, and targeted improvement suggestions were put forward. The results show that the safety instrumented systems of all three LNG refuelling stations have incomplete functions and lack failure data for their equipment components; to meet risk-control requirements, a Class III LNG refuelling station needs 15 safety instrumented functions, of which one should reach SIL2 and 14 should reach SIL1; and the safety instrumented systems of LNG refuelling stations should use equipment components with functional safety certification, with SIL assessment carried out at the design stage. The results provide an important reference for the future design and management of LNG refuelling station safety instrumented systems.

4.
Standards and industry guidelines for Safety Instrumented Systems (SISs) describe the use of hazard and risk analysis to determine the risk reduction required, or Safety Integrity Levels (SILs), of Safety Instrumented Functions (SIFs) with reference to hazardous events and risk tolerance criteria for them. However, significant problems are encountered when putting this approach into practice. There is ambiguity in the meaning of the term hazardous event. Notably, even though it is a key concept in the process-sector-specific SIS standard, IEC 61511/ISA 84, it is not defined in the standard. Consequently, risk tolerance criteria for hazardous events are ill-defined and, therefore, they are not the most appropriate criteria to use. Most current approaches to SIL determination use them and are therefore fundamentally flawed. An informed decision on the tolerability of risk for a facility cannot be made by determining only the tolerability of risk for individual hazardous events. Rather, the tolerability of the cumulative risk from all hazard scenarios and their hazardous events for a facility must be determined. Such facility risk tolerance criteria are the type used by regulators. This issue applies to all per-event risk tolerance criteria. Furthermore, determining the tolerability of risk for a facility based only on the risks of single events, be they hazard scenarios or hazardous events, and comparing them to risk tolerance criteria for the events is not meaningful, because there is no consideration of how many such events can actually occur and, therefore, no measure of the total risk. The risks from events should be summed for a facility and compared with overall facility risk tolerance criteria. This paper describes and illustrates SIL determination using a risk model implemented within the framework of Layers of Protection Analysis (LOPA) that overcomes these problems. The approach allows the allocation of risk across companies, facilities, processes, process units, process modes, etc. to be managed easily.

5.
The Blowout Preventer (BOP) has maintained its function as a safety barrier and the last line of defence against oil and gas spills since its development in the early 1900s. However, as drilling and exploration activities move further offshore, challenges pertaining to the reliable operation of subsea BOP systems continue to be a source of concern for stakeholders in the industry. In spite of recent advancements in the reliability analysis of safety instrumented systems (SISs), research on the reliability assessment of BOPs is still lacking in some regards. There are gaps in the literature with respect to the incorporation of preventive maintenance (PM) strategies as well as dynamic operating conditions into BOP reliability analysis. To address these gaps, this paper develops an advanced analysis method using stochastic Petri nets (SPN) to estimate the reliability of subsea BOP systems subject to condition-based maintenance (CBM) with different failure modes. The BOP system is divided into five subsystems, connected in series with each other and categorised into degrading and binary units. The performance of the BOP system in terms of availability, reliability and mean time between failures (MTBF) is obtained and analysed. A sensitivity analysis is also performed to evaluate the effect of the fault coverage factor and redundancy design on system performance. The results show that both the fault coverage factor and redundancy have a significant impact on the BOP's reliability, availability and MTBF.

6.
In this article, we address the problem of imprecision in assessing the performance of safety instrumented systems (SIS) using fuzzy multiphase Markov chains. The elementary probabilities usually considered in Markov chains are replaced by fuzzy numbers. This allows experts to express their uncertainty concerning the basic parameters of systems and to evaluate the impact of this uncertainty on the SIS performance. We show how the imprecision induces significant changes in the Safety Integrity Level of the SIS. The proposed method ensures the relevance of the results, which is validated by a comparison with the results of an enhanced Markov analysis.

7.
This paper presents a common cause failure (CCF) defense approach for safety instrumented systems (SIS) in the oil and gas industry. The SIS normally operates in the low demand mode, which means that regular testing and inspection are required to reveal SIS failures. The CCF defense approach comprises checklists and analytical tools which may be integrated with current approaches for function testing, inspection and follow-up. The paper focuses on how defense measures may be implemented to increase awareness of CCFs, to improve the ability to detect CCFs, and to avoid introducing new CCFs. The CCF defense approach may also be applicable to other industry sectors.

8.
This article deals with the assessment of Safety Instrumented Systems that use intelligence in the field devices. The integration of intelligent instruments within safety-oriented applications presents a challenge: the justification for using these instruments in safety applications is not fully proven, and the dependability evaluation of such systems is not trivial. The work presented in this article deals with modeling in order to evaluate the dependability performance of structures which contain intelligent instruments. This architecture constitutes a Safety Instrumented System (SIS). In the modeling of the system, the functional and dysfunctional aspects coexist, and a dynamic approach using the Stochastic Activity Network (SAN) is proposed to overcome the difficulties mentioned above. The Monte Carlo method is used to assess the dependability parameters in compliance with the safety standards related to SIS (IEC 61508 & IEC 61511). The proposed method and associated tools allow this evaluation by simulation and thus provide assistance in designing SIS that integrate intelligence.

9.
INTRODUCTION: Injury prevention systems intended to prevent children from entering hazardous locations (or at least alert caregivers if that occurs) often respond to every instance of a person's presence, regardless of whether the intruder is a child. This behavior results in a high nuisance alarm rate that sometimes causes adults to disable or circumvent the safety system. If a child safety system can accurately identify intruders as adults or children, nuisance alarm rates can be decreased. METHOD: This analysis selects three human factors (height, foot length, and cognition) amenable to adult/child differentiation and describes likely sensor strategies, advantages, and disadvantages. RESULTS: Preliminary testing of prototype systems shows that simple sensor systems are capable of acquiring adequate data for adult/child differentiation. The discussion addresses requirements for discriminator systems and the effects of various sensor combinations on overall performance.

10.
Introduced by the IEC 61508 standard, safety integrity levels (SIL) have been used for assessing the reliability of safety instrumented functions (SIF) that protect the system under control in abnormal conditions. Different qualitative, semi-qualitative and quantitative methods have been proposed by the standard for establishing target safety integrity levels, among which the "Risk Graph" has gained wide attention due to its simplicity and easy-to-apply characteristics. However, this method is subject to many deficiencies that have forced industry practitioners and experts to modify it to fit their needs. In this paper, a new modification to the risk graph parameters is proposed that adds more flexibility to them and reduces their subjective uncertainties while keeping the method as simple as before. Three parameters, namely severity (S), hazard avoidance probability (P), and demand rate (W), are used instead of the former four parameters; hence, the method is named SPW. The results of this method can be directly converted to a probability of failure on demand (PFD) or risk reduction factor (RRF). The proposed method has been tested on an example case that was studied before with the conventional risk graph and LOPA techniques. The results show that the new method agrees well with LOPA and reduces the costs imposed by the conservative approximations assumed during application of the conventional risk graph.

11.
Standards such as IEC 61508 and IEC 61511 propose methods for assessing the Safety Integrity Level of safety instrumented systems for continuous process units. For the SIL assessment of batch units, however, the extent of the influence of human factors is not made clear and no corresponding calculation model is given. Taking the typical SIS of a lithium hexafluorophosphate batch production unit as an example, risk analysis was carried out using HAZOP combined with LOPA. Having identified the risks of personnel poisoning, asphyxiation, fire and explosion present in the batch unit, the SIL of its safety instrumented system was determined and verified. Then, in view of the high dependence of batch production on manual operation (part of the SIS is not connected to automatic interlocks and must be triggered manually), a human reliability model was established to analyze the effect of human reliability on the SIL of the safety instrumented system, and improvements were studied. The results show that human factors have a significant effect on the SIL of a safety instrumented system, and that the SIL can be raised by changing the redundancy structure and test strategy of the SIS components, combined with improved human-factors management measures.

12.
The risk graph (RG) is widely used to evaluate the safety integrity level (SIL) of safety instrument systems (SIS). However, subjective opinion-based conventional RGs cannot provide successful results for the problems of risk parameters, such as shortages or lack of data; hence, the output of a conventional approach lacks sufficient reliability. We introduced the fuzzy improved risk graph (FIRG), an extension of fuzzy set theory, to deal with possible ambiguities during SIL study and increase the reliability of conventional RGs. In the present study, the levels of consequences defined as linguistic terms were converted into qualitative intervals; therefore, by correlating the proposed approach with experts’ opinions and attributing weight factors, a desired SIL value was obtained. The output of this new approach can be compared directly with quantitative risk assessment techniques to improve the safety performance of industrial systems.  相似文献   

13.
Research on installing safety interlock systems in hazardous process units (cited 1 time: 0 self-citations, 1 by others)
The problem of installing safety interlock systems (SIS) in hazardous process units is analyzed and studied. It is proposed that, during the construction and modification of units, an independent SIS should be installed where appropriate, with suitable interlock loops selected according to the safety level of the production unit and with a degree of redundancy, so that the interlock function cannot fail to execute because of random hardware failures or system faults; it is pointed out that SIS design should follow the principles of independence, fail-safe design, sharing and reliability, among others. The results show that an SIS can raise the inherent safety level of chemical units, ensure the safe and stable operation of the production process, and minimize the personal injury and equipment damage caused by loss of process control.

14.
The development of and requirements for safety instrumented systems (cited 1 time: 1 self-citation, 0 by others)
The development history of safety instrumented systems is reviewed; their main components, characteristics and respective requirements are discussed; a simplified workflow for safety instrumented system development is given; methods for the economic analysis of safety instrumented systems and for instrument selection are explored; and the key requirements for the activities in each phase of the safety instrumented system lifecycle (planning, design, implementation, operation, maintenance and validation) are discussed and studied. The study provides guidance for a deeper understanding of safety instrumented systems and a reference for their analysis, design, implementation, operation and maintenance.

15.
This article casts a new glance over some methods dedicated to the calculation of the likelihood (probability or frequency) of failure of systems and, in particular, of safety-related systems working alone or in association with other protection layers. It consists first in examining with a critical eye the relevance of the aforementioned methods, which are still often used in spite of their restrictive limitations, and second in proposing an alternative approach for each of them. The correctness of the examined methods is tested by applying them to very simple systems modeled by fault trees, with the intent of showing why these methods are debatable and how they can be replaced by more appropriate ones. The particular case of several protection layers having to react to the demand resulting from the global failure of their associated control system is considered. That case leads to revisiting the common assumption of independence between the above protection layers and the control system, by taking into account the order of their respective failures from a qualitative and quantitative point of view.

16.
As a proactive safeguard, inherent safety has been regarded as the top of the hierarchy for loss prevention and risk management due to its salient features in eliminating or significantly reducing risks at source rather than mitigating them by add-on protections. Simultaneously, various assessment tools have been developed for ranking and selecting inherently safer designs or modifications. However, a metric that can systematically incorporate the various hazardous factors is still lacking, which may hinder most industries from utilizing inherent safety to its full extent. To address this limitation, this work develops a Systematic Inherent Safety Metric (SISM) for measuring inherently safer modifications. Firstly, the conceptual framework of SIS was proposed based on 5M1E (man, machine, material, method, measurement, and environment). Subsequently, the analytic hierarchy process and fuzzy comprehensive evaluation were adapted to conduct risk identification and assessment. Finally, taking a chlorine liquefaction process as a case study, the applicability and efficacy of SIS were validated based on the PDCA (plan-do-check-action) cycle. The results show that the SISM value improved from relatively dangerous (RD) to relatively safe (RS) after implementing SIS, thus demonstrating that the revised design is inherently safer than the base design.

17.
The photoelectric, semiconductor and other high-tech industries are Taiwan's most important economic activities. High-tech plant incidents are caused by hazardous energy, even when that energy is confined to the inside of the process machine. During daily maintenance procedures, overhauling or troubleshooting, engineers entering the interior of the machines come into direct contact with the source of the energy or hazardous substances, which can cause serious injury. The best method for preventing such incidents is to use inherently safer design strategies (ISDs); this approach can fully eliminate the dangers from the sources of hazardous energy at a facility. This study first conducts a lithography process hazard analysis and compiles a statistical analysis of the causes of the fires and losses at high-tech plants in Taiwan since 1996, the aim being to establish the necessary improvement measures by using the Fire Dynamics Simulation (FDS) to solve the relevant problems. The researchers also investigate the lithography process machine in order to explore carriage improvement measures, and analyse the causes of the fires and the hazardous properties of reactive materials from 1996 to 2012. The effective improvement measures are established based on the accident statistics. The study site is a 300 mm wafer fabrication plant located in Hsinchu Science Park, Taiwan. After the improvement of the annual maintenance jobs was completed between September 2011 and December 2012, the number of lithography process accidents was reduced from 6 to 1. The accident rate was significantly reduced and there were no staff time losses for a continuous 6882 h. It is confirmed that the plant safety level has been effectively enhanced. The researchers offer safety design recommendations regarding transport process appliances, chemical storage tanks, fume cupboard devices, chemical rooms, pumping equipment, transportation pipelines, valve manual box (VMB) process machines and liquid waste discharge lines. These recommendations can be applied in these industries to enhance the safety level of high-tech plants, facilities or process systems.

18.
Safety instrumented systems (SIS) are becoming increasingly complex, and programmable electronic parts form a growing proportion of them. The IEC 61508 global standard was established to ensure the functional safety of SIS; however, it is expressed in highly macroscopic terms. The safety integrity level (SIL) is a criterion describing whether a component meets the safety requirements of a SIS. The safety requirements give a target SIL for the expected risks using hazard analysis and risk assessment (HARA), and the achieved SIL must correspond to the safety requirements. This study introduces an evaluation process for determining the hardware SIL through failure modes, effects, and diagnostic analysis (FMEDA). First, the components of the SIS subsystem are defined in terms of failure modes and effects, and then a failure rate and failure mechanism distribution are assigned to each component. The safety mode and detectability of each failure mode are determined for each component and, finally, the hardware SIL is evaluated. We perform a case study to evaluate the hardware SIL of a flame scanner system using HARA and FMEDA, where the safety requirement of the flame scanner was determined using the risk graph method. We verified that the hardware SIL of the flame scanner corresponded to the safety requirement.

19.
A new approach to quantitative assessment of reliability of passive systems (cited 3 times: 0 self-citations, 3 by others)
The objective of this paper is to show how probabilistic reliability can be assessed for complex systems in the absence of statistical data on their operating experience, based on performance evaluation of the dominant underlying physical processes. The approach is to distinguish between functional and performance probabilities when quantifying the overall probability of a system performing a given function in a given period of time (reliability). In the case of systems where sufficient statistical operating experience data are available, one can focus the quantitative evaluation entirely on the assessment of the functional probability for a given active item (e.g. a pump), by assuming that the specification, layout, construction and installation are such that the item provides the assigned performance, e.g. in the form of generating the required flow rate. This is how traditional probabilistic safety assessments (PSAs) focus the reliability analysis for the various safety features on the calculation of values for the availability per demand. In contrast, for various systems relevant in advanced technical applications, such as passive safety features in innovative reactor designs, it is essential to evaluate both functional and performance probabilities explicitly and to combine the two probabilities later on. This is of course due to the strong reliance of passive safety systems on inherent physical principles. In practice, this means that, for example, in the case of a passive cooling system based on natural circulation of a given medium, one has to evaluate and assess the probability of having a medium condition and a flow rate such that a cladding temperature, represented by a probability distribution, can be held at a required level. A practical example of this method is given for the case of the reliability assessment of a residual passive heat removal system. General conclusions are drawn regarding reliability estimation of complex, interconnected systems in the absence of statistical performance data, such as for infrastructures.

20.
The design of topsides against explosions requires the definition of a design over-pressure; however, these values are often treated as deterministic, and there is wide variation within the industry in the treatment and interpretation of the loads.

This paper advocates the adoption of a number of limit states for explosion loading. Events of different magnitudes are differentiated on the basis of frequency and linked to an appropriate degree of reliability, thus avoiding disproportionate effects from minor events.

The two principal limit states considered are a limit state for all the safety critical systems for relatively high frequency events and a survival condition for low probability events. Parallels are drawn from other branches of engineering where extreme loads have to be designed for.

