Similar literature
20 similar documents found.
1.
Standards and industry guidelines for Safety Instrumented Systems (SISs) describe the use of hazard and risk analysis to determine the risk reduction required, or Safety Integrity Levels (SILs), of Safety Instrumented Functions (SIFs) with reference to hazardous events and risk tolerance criteria for them. However, significant problems are encountered when putting this approach into practice. There is ambiguity in the meaning of the term hazardous event. Notably, even though it is a key concept in the process-sector-specific SIS standard, IEC 61511/ISA 84, it is not defined in the standard. Consequently, risk tolerance criteria for hazardous events are ill-defined and, therefore, they are not the most appropriate criteria to use. Most current approaches to SIL determination use them and are therefore fundamentally flawed. An informed decision on the tolerability of risk for a facility cannot be made by determining only the tolerability of risk for individual hazardous events. Rather, the tolerability of the cumulative risk from all hazard scenarios and their hazardous events for a facility must be determined. Such facility risk tolerance criteria are the type used by regulators. This issue applies to all per-event risk tolerance criteria. Furthermore, determining the tolerability of risk for a facility based only on the risks of single events, be they hazard scenarios or hazardous events, and comparing them to risk tolerance criteria for the events is not meaningful because there is no consideration of how many such events can actually occur and, therefore, no measure of the total risk. The risks from events should be summed for a facility and compared with overall facility risk tolerance criteria. This paper describes and illustrates SIL determination using a risk model implemented within the framework of Layers of Protection Analysis (LOPA) that overcomes these problems. The approach allows the allocation of risk across companies, facilities, processes, process units, process modes, etc. to be managed easily.

2.
Analysis of the application of the HAZOP, LOPA and SIL methods (cited 3 times: 0 self-citations, 3 by others)
By outlining the characteristics of three methods, hazard and operability analysis (HAZOP), layer of protection analysis (LOPA) and safety integrity level analysis (SIL), the relationships among them are summarised. LOPA is a continuation of HAZOP: it remedies HAZOP's inability to quantify residual risk and enriches and supplements the HAZOP results. SIL analysis, building on LOPA, goes further to design the safety instrumented system (SIS) that needs to be added and to verify the LOPA results; that is, HAZOP and LOPA are the preparatory work for SIL analysis. Therefore, before describing in detail the composition of an SIS, the safety lifecycle phases, the methods for selecting and determining the SIL and the SIL analysis workflow, the HAZOP and LOPA methods are briefly introduced and their workflows laid out. Finally, an example is introduced to show the relationship among the three methods.

3.
The functional safety requirement is widely applied in the process plant industry in accordance with international standards such as IEC and ISA. The requirement is defined as a safety integrity level (SIL) based on the risk reduction concept for protection layers, from the original process risk down to a tolerable risk level. Although the standards specify both the Prevention System and the Emergency System as protection layers, the standards specify in detail only the use of the Prevention System (i.e., the Safety Instrumented System (SIS)). A safety integrity level is not commonly allocated to the Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System). This is because the required risk reduction can normally be achieved by the Prevention System alone (i.e., SIS and Pressure Safety Valve (PSV)). Further, the risk reduction level for the Emergency System is very difficult to quantify with the usual SIL application (i.e., evaluation based on a single accident scenario, such as an accident arising from a process control deviation), since the escalation scenarios after Loss of Containment (LOC) vary greatly depending on the plant design and equipment. Consequently, there are no clear criteria for evaluating the Emergency System design. This paper aims to provide the functional safety requirement (i.e., the required risk reduction level based on IEC 61508 and 61511) as design criteria for the Emergency System. In order to provide clear criteria for the Emergency System evaluation, a risk reduction concept integrated with the public's perception of acceptable risk criteria is proposed and applied to identify the required safety integrity level for the Emergency System design. Further, to verify the safety integrity levels of the Emergency Systems, a probabilistic model of the Emergency Systems was established, considering the relation of each Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System) as the Overall Emergency System. This is because the Overall Emergency System can achieve its goal by the combined action of each individual system, including inherently safe design such as separation distance. The applicability of the proposed approach was verified by conducting a case study using actual onshore Liquefied Natural Gas plant data. Further, the design criteria for Emergency Systems for LNG plants are also evaluated by sensitivity analysis.

4.
This article deals with the assessment of Safety Instrumented Systems using intelligence in the field devices. The integration of intelligent instruments within safety-oriented applications presents a challenge. The justification for using these instruments in safety applications is not fully proven, and the dependability evaluation of such systems is not trivial. The work presented in this article deals with modeling in order to evaluate the dependability-related performance of structures that contain intelligent instruments. This architecture constitutes a Safety Instrumented System (SIS). In the modeling of the system, the functional and dysfunctional aspects coexist, and a dynamic approach using the Stochastic Activity Network (SAN) is proposed to overcome the difficulties mentioned above. The Monte Carlo method is used to assess the dependability parameters in compliance with the safety standards related to SIS (IEC 61508 and IEC 61511). The proposed method and associated tools allow this evaluation by simulation and thus provide assistance in designing SIS that integrate intelligence.

5.
Demonstrating process safety has always been one of the paramount concerns of Engineering, Procurement, and Construction (EPC) companies in the industrial sector, especially with the development of stringent standards such as IEC 61508 and IEC 61511. One of the means of process safety demonstration is Safety Integrity Level (SIL) verification. In some cases, SIL verification results show that several Safety Instrumented Functions (SIFs) do not meet their required SIL, and one of the possible actions is to add new SIF components. However, the addition of new components brings a change order, which eventually leads to added cost and time overruns for design and construction projects and, in some instances, introduces additional risks to the system. This paper presents a case study based on the SIL verification report of a design and construction project. The scenario of interest involves over-pressurization of the High Pressure (HP) Flare Knock-Out (KO) Drum, which activates a SIF that closes two Shutdown Valves (SDVs), preventing additional pressure from being delivered to the KO Drum. Since two SDVs in a 2oo2 configuration need to be closed, the SIF was not able to meet its target failure measure of SIL 2. Three cases were defined in order to meet the required SIL. The first involves adding new SDVs; the second makes use of existing upstream SDVs; the third is similar to the second but differs in the configuration of the SDVs. SIL verification was performed for all three cases using the Fault Tree Analysis modeling technique. The results of this study suggest that using existing instruments can be a cost-effective way of meeting the required SIL, eliminating the hassle and potential risk introduced when bringing new instruments into the design.

6.
Adapting the requirements of IEC 61511 to a batch system can be frustrating, particularly for multi-product units. While a Safety Instrumented System (SIS) for continuous operation is often a straightforward detect-decide-act loop, implementing a SIS for a batch system may involve multiple safety functions, time- or state-dependence, intricate calculations, or complex installations. Relationships between the SIS elements and the basic process control system (BPCS) must be tightly managed, providing both for the safety of the unit and its ability to operate without spurious trips or other hindrances. These issues are further complicated when multiple products requiring different functions or setpoints are produced in the same SIS-protected batch unit. This paper will discuss the challenges particular to the design, operation, and maintenance of a SIS in multi-product batch operations and present practical options for successfully resolving the concerns. A key insight into successful adaptation is treating the batch SIS as a “permission” system for the BPCS to operate. Although many items can be addressed through clever engineering practices, sustainable success relies on proactive, robust management of the safety lifecycle.

7.
The International Standards for Functional Safety (IEC 61508 and IEC 61511) are well recognised and have been adopted globally in many of the industrialised countries during the past 10 years or so. Conformance with these standards involves determination of the requirements for instrumented risk reduction measures, described in terms of a safety integrity level (SIL). During this period within the process sector, layer of protection analysis (LOPA) has become the most widely used approach for SIL determination. Experience has identified that there is a type of hazardous event scenario that occurs within the process sector that is not well recognised by practitioners, and is therefore not adequately handled by the standard LOPA approach. This is when the particular scenario places a high demand rate on the required safety instrumented function. This paper will describe how to recognise a high demand rate scenario. It will discuss what the standards have to say about high demand rates. It will then demonstrate how to assess this type of situation and provide a case study example to illustrate how to determine the necessary integrity level. It will conclude by explaining why it is important to treat high demand rate situations in this way and the resulting benefit of a lower but sufficient required integrity level.

8.
Design philosophy of safety control systems (cited 8 times: 0 self-citations, 8 by others)
The international standard IEC 61508 for the safety control domain is introduced, and the technical indicators corresponding to the four safety integrity levels (SIL) are given. The design philosophy of safety control systems is expounded from three aspects: control of hardware failures, avoidance of systematic failures, and design of safety system software. For hardware failure control, the 1oo2D and 2oo3 systems are compared and the corresponding SIL calculation methods are given. For the avoidance of systematic failures, six principles and methods for system design are proposed. Three design methods for safety-system software oriented to process control with stringent real-time requirements are introduced.

9.
A systematic approach to the assessment of the thermal risks linked with the performance of exothermic reactions at industrial scale was proposed a long time ago. The approach consisted of a runaway scenario starting from a cooling failure and a classification of these scenarios into criticality classes. In the meantime these tools have become quite popular and many chemical companies use them. Recently, the international standard IEC 61511 required the use of protection systems with reliability depending on the risk level. Since the criticality classes were developed as a tool for choosing risk-reducing measures as a function of the criticality, it seems obvious that the criticality classes may be used in the context of the standard IEC 61511, which provides a relation between the risk level and the reliability of protection systems. Firstly, the runaway scenario and the criticality classes will be briefly described. Secondly, the assessment criteria for the severity and probability of occurrence of a runaway scenario will be described together with the required data and their interpretation in terms of risk. Thirdly, the assessment procedure is exemplified for the different criticality classes. Finally, the design of protection measures against runaway and the required IPL and SIL are based on the risk assessment obtained from the criticality classes. This approach allows the required data set to be minimised, both for the safety assessment and for the definition of the protection system designed to avoid the development of the runaway.

10.
Performance maintenance of safety instrumented systems and calculation of indicator values (cited 1 time: 1 self-citation, 0 by others)
As an important measure for ensuring safety in industrial production, a safety instrumented system (SIS) must correctly execute its safety function when a hazard occurs, and taking effective measures to maintain the performance of the SIS during the operational phase is the key to ensuring the functional safety of the system. This paper explains in detail the requirements that an SIS should follow during operation as laid down in important documents, namely the risk assessment analysis, the safety function allocation document, the safety requirements specification, the safety analysis report and the safety integrity level conformance; gives the main activities for maintaining SIS safety integrity; and puts forward requirements on strengthening the management of bypasses, inhibits and overrides, on responding to, recording and analysing SIS failures, on periodic inspection, maintenance and functional testing, and on SIS change management. It proposes a simple method for calculating SIS safety performance indicators and their target values, and gives the failure-rate update process, the calculation method and the technique for adjusting the functional safety test interval. The proposed techniques provide strong guidance on how to guarantee the safety performance of safety instrumented systems during the operational phase; they are highly practicable and easy to apply in real engineering projects.

11.
Safety instrumented systems (SIS) are becoming increasingly complex, and programmable electronic parts form a growing proportion of them. The IEC 61508 global standard was established to ensure the functional safety of SIS; however, it is expressed in highly macroscopic terms. The safety integrity level (SIL) is a criterion describing whether a component meets the safety requirements of a SIS. The safety requirements give a target SIL for the expected risks using hazard analysis and risk assessment (HARA). The SIL must correspond to the safety requirements. This study introduces an evaluation process for determining the hardware SIL through failure modes, effects, and diagnostic analysis (FMEDA). First, the components of the SIS subsystem are defined in terms of failure modes and effects, and then the failure rate and failure mechanism distribution are assigned to each component. The safety mode and detectability of each failure mode are determined for each component and, finally, the hardware SIL is evaluated. We perform a case study to evaluate the hardware SIL of a flame scanner system using HARA and FMEDA, where the safety requirement of the flame scanner was determined using the risk graph method. We verified that the hardware SIL of the flame scanner corresponded to the safety requirement.

12.
Quantitative assessment techniques for functional safety have become an important means of ensuring safe production in the petrochemical industry. Addressing the functional safety problems common in the petrochemical industry, and guided by the functional safety assessment standards IEC 61508 and IEC 61511 drawn up by the International Electrotechnical Commission (IEC), the author introduces the background, purpose and structure of these standards and how to use them to carry out quantitative analysis of the safety and spurious trips of safety instrumented systems (SIS) in the petrochemical industry. Quantitative safety assessment of an SIS can reveal safety deficiencies and spurious-trip phenomena in interlock functions, which is of great significance for raising the level of production safety in China's petrochemical industry; the lifecycle functional safety management methods and the important engineering experience contained in the standards can also serve as references for improving petrochemical production safety in China.

13.
The international standards IEC 61508 and IEC 61511, which provide a general framework for the design and implementation of safety instrumented systems, require quantification of the achieved risk reduction, expressed as a safety integrity level (SIL). Human and organisational factors affect the performance of safety instrumented systems during operation and may threaten the achieved SIL, but this is usually not explicitly accounted for. This article presents a new approach to address human and organisational factors in the operational phase of safety instrumented systems. This approach gives a prediction of the operational SIL and can also be used to improve safety. It shows which human and organisational factors are most in need of improvement and it provides guidance for preventive or corrective action. Finally, the approach can be used as part of a SIL monitoring strategy in order to maintain the achieved SIL at the required level during the operational phase.

14.
Standards such as IEC 61508 and IEC 61511 propose methods for assessing the safety integrity level of safety instrumented systems for continuous process plants. For SIL assessment of batch plants, however, the degree of influence of human factors is not made explicit and no corresponding calculation model is proposed. Taking a typical SIS of a lithium hexafluorophosphate batch production plant as an example, HAZOP combined with LOPA was used for risk analysis; having established that the batch plant presents risks of personnel poisoning, asphyxiation, and fire and explosion, the SIL of its safety instrumented system was determined and verified. Then, based on the high human dependence of batch plants, i.e. some safety instrumented functions are not connected to automatic interlocks and must be triggered manually, a human reliability model was built to analyse the effect of human reliability on the SIS SIL, and improvements were studied. The results show that human factors have a significant effect on the SIL of a safety instrumented system, and that the SIL can be raised by changing the redundancy structure of SIS components and the test strategy, combined with improved human-factor management measures.

15.
Safety Instrumented Systems (SIS) constitute an indispensable element in the process of risk reduction for almost all of today's industrial facilities. The main purpose of this paper is to develop a set of generalized and simplified analytical expressions for two commonly employed metrics used to assess the performance of SIS in terms of safety integrity, namely the Average Probability of Failure on Demand (PFDavg) and the Probability of Dangerous Failure per Hour (PFH). In addition to the capability to treat any K-out-of-N architecture, the proposed formulas can smoothly take into account the contributions of Partial Stroke Testing (PST) and Common Cause Failures (CCF). The validity of the suggested analytical expressions is ensured through various comparisons carried out at different stages of their construction.

16.
Selected issues associated with functional safety analysis according to the international standards IEC 61508 and IEC 61511 are presented. Determining the safety integrity level (SIL) of electric/electronic/programmable electronic (E/E/PE) safety-related systems is outlined. The importance of quantitative probabilistic modeling of these systems in verifying the SIL is emphasized. Some aspects concerning the functional safety analysis of systems for detecting combustible or toxic gases in relation to the CENELEC draft standard prEN 50402 are briefly discussed. Basic principles of the methodology for the functional safety assessment of protective systems for potentially explosive atmospheres proposed in the CEN draft standard prEN 15233 are addressed.

17.
To improve the accuracy of unavailability calculations for safety instrumented systems (SIS) and reduce the uncertainty bias in SIL verification, the deviation between the results of the constant-failure-rate algorithm of the functional safety standard IEC 61508 and an actual non-constant-failure-rate (Weibull distribution) algorithm was studied at parameter-estimation confidence levels of 70% and 90%. The results show that at 70% confidence, the PFDavg computed with the exponential-distribution algorithm is larger than that computed with the Weibull-distribution algorithm, with a mean relative deviation of 68.01%; at 90% confidence the mean relative deviation is 42.63%. This reveals that the constant-failure-rate calculation of the functional safety standard IEC 61508 significantly overestimates SIS unavailability, which may cause enterprises unnecessary rectification work and corresponding maintenance costs.

18.
To optimise the determination of the safety integrity level (SIL) of safety instrumented systems (SIS) in chemical plants, the shortcomings of existing SIL determination methods were analysed, and, given the missing and uncertain failure data characteristic of chemical plants, a fuzzy fault tree analysis and layer of protection analysis (FFTA-LOPA) model was proposed for computing the SIS SIL. Taking a low-density polyethylene reactor as an example, a fault tree for the reactor explosion was built, fuzzy theory was used to quantify the probability of the top event, and the safety integrity level of its safety instrumented system was finally determined to be SIL 1. The results show that the method combines two risk analysis theories, that its results agree well with actual and theoretical statistics, and that it has a certain accuracy and practicality, providing theoretical guidance for the quantitative determination of system SIL.

19.
The arrangement of components plays a key role in the performance of complex Safety Instrumented Systems (SIS), in which a SIS logic solver is interlocked with other logic solvers, for instance to share a final element. The position of the components and the way they are utilized affect the reliability characteristics, such as the Probability of Failure on Demand (PFD), Spurious Trip Rate (STR), architectural sensitivity and model uncertainty. This case study uses quantitative and qualitative approaches to elaborate on various aspects of component arrangement in complex SIS. Numerous simplified models are analyzed; a new classification is introduced for SIS components based on their response to demand; a set of guidelines is developed for SIS architecture design, with a focus on component arrangement; and the use of these guidelines is demonstrated in a real-life example, where an existing turbine SIS is modified to incorporate a new over-speed protection system. The simplified models and the turbine upgrade project are also used to explain the issue of unknowns and uncertainties in reliability analysis and how these issues can be addressed in SIS architecture by optimizing component arrangement.

20.
Determining the safety integrity level is the premise and foundation for developing and designing safety-related systems. To avoid inappropriate determination of the safety integrity level caused by an unsuitable choice of method, a comparative study was made of the commonly used consequence method, risk matrix method, improved HAZOP method, risk graph method, layer of protection analysis and quantitative analysis method. On the basis of explaining and analysing the meaning of the safety integrity level and the principles of its determination, each method was compared, according to its own characteristics, in terms of accuracy, quantifiability, workload and ease of application, and the factors that should be given primary consideration when choosing a SIL determination method were analysed and discussed. The results have practical value and reference significance for the reasonable choice of a SIL determination method.


Copyright © Beijing Qinyun Technology Development Co., Ltd. 京ICP备09084417号