SIL determination: Recognising and handling high demand mode scenarios

The International Standards for Functional Safety (IEC 61508 and IEC 61511) are well recognised and have been adopted globally in many of the industrialised countries during the past 10 years or so. Conformance with these standards involves determination of the requirements for instrumented risk reduction measures, described in terms of a safety integrity level (SIL). During this period within the process sector, layer of protection analysis (LOPA) has become the most widely used approach for SIL determination. Experience has identified that there is a type of hazardous event scenario that occurs within the process sector that is not well recognised by practitioners, and is therefore not adequately handled by the standard LOPA approach. This is when the particular scenario places a high demand rate on the required safety instrumented function. This paper will describe how to recognise a high demand rate scenario. It will discuss what the standards have to say about high demand rates. It will then demonstrate how to assess this type of situation and provide a case study example to illustrate how to determine the necessary integrity level. It will conclude by explaining why it is important to treat high demand rate situations in this way and the resulting benefit of a lower but sufficient required integrity level.     

Human and organisational factors in the operational phase of safety instrumented systems: A new approach

The international standards IEC 61508 and IEC 61511, which provide a general framework for the design and implementation of safety instrumented systems, require quantification of the achieved risk reduction, expressed as a safety integrity level (SIL). Human and organisational factors affect the performance of safety instrumented systems during operation and may threaten the achieved SIL, but this is usually not explicitly accounted for. This article presents a new approach to address human and organisational factors in the operational phase of safety instrumented systems. This approach gives a prediction of the operational SIL and can also be used to improve safety. It shows which human and organisational factors are most in need of improvement and it provides guidance for preventive or corrective action. Finally, the approach can be used as part of a SIL monitoring strategy in order to maintain the achieved SIL at the required level during the operational phase.     

基于人因可靠性的间歇装置SIL分析与改进

IEC 61508和IEC 61511等标准针对连续工艺装置提出了安全仪表系统安全完整性等级评估方法。但对于间歇装置的SIL评估,受人因因素影响水平并未明确,且没有提出相应计算模型。以某六氟磷酸锂间歇生产装置典型SIS为例,采用HAZOP结合LOPA方法对其进行风险分析,在明确间歇生产装置存在人员中毒、窒息及燃烧爆炸风险的基础上,确定并验证其安全仪表系统的SIL,再依据间歇生产装置人工依赖性高,即部分安全仪表系统未接入自动联锁且需人工手动触发的特点,建立人因可靠性模型,来分析人因可靠性对安全仪表系统SIL的影响,并进行改进研究。研究结果表明:人因因素对安全仪表系统SIL有显著影响;可通过改变SIS元件冗余结构、测试策略并结合改进人因管理措施来提高SIL。     

Hazards equal trips or alarms or both

Anyone who has been involved in the application of IEC 61508 and IEC 61511 by undertaking the Safety Integrity Level (SIL) determination for Safety Instrumented Systems (SIS) will appreciate the amount of effort and tenacity that is required to undertake the task. SIL determination of Safety Instrumented Systems requires considerable commitment and tenacity to get the job done, but it is like climbing to the top of a hill only to be faced with a mountain when we come to consider what is involved in reviewing or configuring a typical alarm system.A medium sized process facility may have a few hundred or so primary Safety Instrumented Functions (SIF) or trips configured into a Safety Instrumented System, but the number of alarms configured into a process control system (PCS), that need to be assessed and prioritised, can often run into the thousands.There is synergy between safety instrumented functions and alarms because they both make a contribution to reduce the risk of having unwanted events, and both need an assigned appropriate criticality.This paper details various methods of criticality assessment which have been successfully applied to set the appropriate priority, identify the critical alarms that need to be upgraded to trips and to rationalise those of no value. It will also cover the use of software tools which can significantly reduce the effort involved in this process.     

Functional safety concept for hazardous systems and new challenges

Selected issues associated with the functional safety analysis according to the international standards IEC 61508 and IEC 61511 are presented. Determining the safety integrity level (SIL) of electric/electronic/programmable electronic (E/E/PE) safety-related systems is outlined. The importance of quantitative probabilistic modeling of these systems in verifying SIL is emphasized. Some aspects concerning the functional safety analysis of systems for detecting the combustible or toxic gases in relation to a CENELEC draft standard prEN 50402 are shortly discussed. Basic principles of methodology for the functional safety assessment of protective systems for potentially explosive atmospheres proposed in a CEN draft standard prEN 15233 are addressed.     

Inherent thermal runaway hazard evaluation method of chemical process based on fire and explosion index

Thermal runaway hazard assessment provides the basis for comparing the hazard levels of different chemical processes. To make an overall evaluation, hazard of materials and reactions should be considered. However, most existing methods didn't take the both into account simultaneously, which may lead the assessment to a deviation from the actual hazard. Therefore, an integrated approach called Inherent Thermal-runaway Hazard Index (ITHI) was developed in this paper. Similar to Dow Fire and Explosion Index(F&EI) function, thermal runaway hazard of chemical process in ITHI was the product of material factor (MF) and risk index (RI) of reaction. MF was an indicator of material thermal hazards, which can be determined by initial reaction temperature and maximum power density. RI, which was the product of probability and severity, indicated the risk of thermal runaway during the reaction stage. Time to maximum rate under adiabatic conditions and criticality classes of scenario were used to indicate the runaway probability of the chemical process. Adiabatic temperature rise and heat of the desired reaction and secondary reaction were used to determine the severity of runaway reaction. Finally, predefined hazard classification criteria was used to classify and interpret the results obtained by this method. Moreover, the method was validated by case studies.     

Risk reduction concept to provide design criteria for Emergency Systems for onshore LNG plants

The functional safety requirement is widely applied in the process plant industry in accordance with the international standards, such as IEC and ISA. The requirement is defined as safety integrity level (SIL) based on the risk reduction concept for protection layers, from original process risk to tolerable risk level. Although the standards specify both, the Prevention System and the Emergency System, as level of protection layers, the standards specify in detail only the use of the Prevention System (i.e., Safety Instrumented System (SIS)). The safety integrity level is not commonly allocated to the Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System). This is because the required risk reduction can be normally achieved by only the Prevention System (i.e., SIS and Pressure Safety Valve (PSV)). Further, the risk reduction level for the Emergency System is very difficult to be quantified by the actual SIL application (i.e., evaluated based on the single accident scenario, such as an accident from process control deviation), since the escalation scenarios after Loss of Containment (LOC) greatly vary depending on the plant design and equipment. Consequently, there are no clear criteria for evaluating the Emergency System design. This paper aims to provide the functional safety requirement (i.e., required risk reduction level based on IEC 61508 and 61511) as design criteria for the Emergency System.In order to provide clear criteria for the Emergency System evaluation, a risk reduction concept integrated with public’s perception of acceptable risk criteria is proposed and is applied to identify the required safety integrity level for the Emergency System design. Further, to verify the safety integrity levels for the Emergency Systems, the probabilistic model of the Emergency Systems was established considering each Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System) relation as the Overall Emergency System. This is because the Overall Emergency System can achieve its goal by the combined action of each individual system, including inherent safe design, such as separation distance.The proposed approach applicability was verified by conducting a case study using actual onshore Liquefied Natural Gas Plant data. Further, the design criteria for Emergency Systems for LNG plants are also evaluated by sensitivity analysis.     

IEC61511标准及在石化行业安全管理中的应用

功能安全的定量评定技术已成为确保石化行业安全生产的重要手段。针对石化行业普遍存在的功能安全问题,笔者以国际电工学会(IEC)专门制定的功能安全评定标准IEC61508及IEC61511为指导,介绍其标准制定的背景、目的、体系结构以及如何利用标准开展石化行业安全联锁系统(Safety Instrumented System,SIS)的安全与误跳车定量分析。通过对SIS开展定量安全评估,可发现联锁功能存在的安全不足与误跳车现象,对于提高我国石化行业安全生产水平具有重要的促进作用,标准中有关寿命周期功能安全管理方法及重要的工程经验也对提高我国石化安全生产水平具有借鉴作用。     

Integration of intelligent sensors in Safety Instrumented Systems (SIS)

This article deals with the assessment of Safety Instrumented Systems using intelligence in the field devices. The integration of intelligent instruments within safety oriented applications presents a challenge. The justification for using these instruments in safety applications is not fully proven and the dependability evaluation of such systems is not trivial. The work presented in this article deals with modeling in order to evaluate the performances relating to the dependability for structures which contains intelligent instruments. This architecture constitutes a Safety Instrumented System (SIS). In the modeling of the system, the functional and dysfunctional aspects coexist and the dynamic approach using the Stochastic Activity Network (SAN) is proposed to overcome the difficulties mentioned above. Monte-Carlo method is used to assess the dependability parameters in compliance with safety standards related to SIS (IEC 61508 & IEC 61511). The proposed method and associated tools allow this evaluation by simulation and thus provide assistance in designing SIS integrating intelligence.     

苯和甲苯硝化及磺化反应热危险性分级研究

首先介绍了化工工艺热安全性的内涵,并从反应过程热危险性分析的方法学出发,介绍间隙、半间歇化学反应工艺热危险性分级研究的总体思路及方法。然后,围绕甲苯和苯的硝化、磺化反应,用全自动反应量热仪(RC1e)和加速度量热仪(ARC)测定其反应过程的绝热温升(△Tad)、目标反应所能达到的最高温度(TM)、分解反应最大速率到达时间(θD)等参数。运用风险评价指数矩阵法(方法1)和基于失控过程温度参数的热危险评估法(方法2)分别对其硝化和磺化反应过程的热危险性进行了分级评估。结果表明,这两种方法具有良好的一致性;给定工艺条件下甲苯和苯的一段硝化反应过程的热危险度等级较低;而磺化反应的热危险较高。尽管这两种方法还有一定的局限性,但对于间歇、半间歇合成工艺的本质安全化设计、工艺热危险性的评估具有重要的参考价值和实用意义。     

Using risk tolerance criteria to determine safety integrity levels for safety instrumented functions

Standards and industry guidelines for Safety Instrumented Systems (SISs) describe the use of hazard and risk analysis to determine the risk reduction required, or Safety Integrity Levels (SILs), of Safety Instrumented Functions (SIFs) with reference to hazardous events and risk tolerance criteria for them. However, significant problems are encountered when putting this approach into practice. There is ambiguity in the meaning of the term hazardous event. Notably, even though it is a key concept in the process-sector-specific SIS standard, IEC 61511/ISA 84, it is not defined in the standard. Consequently, risk tolerance criteria for hazardous events are ill-defined and, therefore, they are not the most appropriate criteria to use. Most current approaches to SIL determination use them and therefore they are flawed fundamentally.An informed decision on the tolerability of risk for a facility cannot be made by determining only the tolerability of risk for individual hazardous events. Rather, the tolerability of the cumulative risk from all hazard scenarios and their hazardous events for a facility must be determined. Such facility risk tolerance criteria are the type used by regulators. This issue applies to all per event risk tolerance criteria. Furthermore, determining the tolerability of risk for a facility based only on the risks of single events, be they hazard scenarios or hazardous events, and comparing them to risk tolerance criteria for the events is not meaningful because there is no consideration of how many such events can actually occur and, therefore, no measure of the total risk. The risks from events should be summed for a facility and compared with overall facility risk tolerance criteria.This paper describes and illustrates SIL determination using a risk model implemented within the framework of Layers of Protection Analysis (LOPA) that overcomes these problems. The approach allows the allocation of risk across companies, facilities, processes, process units, process modes, etc. to be managed easily.     

Safer management of process changes in chemical reactors

Nowadays many chemical industries are SMEs where multi-purpose batch or semi-batch reactors are commonly used. Vent sizing for realistic runaway scenario is not an easy task for such enterprises since they have usually few resources and use multi-purpose reactors with fast process turnovers. As a consequence these batch and semi-batch reactors are usually equipped with emergency relief systems sized once forever when the reactor is designed. This can lead to a large underestimation of the vent area in case of runaway reactions occurring when processes different from the ones considered for originally sizing the vent are carried out.The approach proposed in this work aims to identify the maximum reactor load leading to safe conditions even in case of runaway phenomena to be handled with the emergency relief system already installed (or even with a smaller vent area). This approach allows avoiding the change of the emergency relief system with a larger vent area (as required every time a new more hazardous process has to be carried out on existing reactors) at the price of lower plant productivity.     

Beyond-compliance uses of HAZOP/LOPA studies

Recent years have seen a convergence of scenario-based Hazard and Operability (HAZOP) studies, Layer of Protection Analyses (LOPAs), and safety integrity level (SIL) determinations. These can all be performed using order-of-magnitude estimates for the initiating cause frequency, the effectiveness of protection layers, the severity of loss event consequences, and the inclusion of other risk-reduction factors. Conducting a HAZOP study or a HAZOP/LOPA study in this manner makes it possible to extend the study results to not only determine required SILs, but also to sum scenario risks by process unit and show the quantitative benefit of implementing risk-reduction measures. The aggregated risk can be compared to process-wide tolerable risk criteria, in addition to comparing each scenario to a risk matrix or risk magnitude. This presentation demonstrates how a true risk-based HAZOP study can be performed with little additional effort over that required for commonly performed cause-by-cause HAZOP studies, and how facility managers and engineers can then use the results when deciding on and implementing risk-reduction measures.     

Natech guide words: A new approach to assess and manage natech risk to ensure business continuity

The risk posed by natural hazards to the technological systems is known as Natech risk. It is different from the more widely known and studied risk posed by such sites to the environment and society. Though currently, available risk assessment techniques recognize Natech, the specific qualitative technique for Natech risk assessment and reduction has not yet been developed. After analyzing past data of Natech accidents, relevant guide words have been suggested in this study. These guide words will help anticipate Natech risk and visualize the Natech scenario. Once the Natech risk is identified, corresponding risk reduction measures can be taken to avoid possible Natech accidents and consequences.     

新冠肺炎疫情下的高校复课综合风险评估

为评估新冠肺炎疫情下的高校复课综合风险,辅助高校进行复课组织决策,探讨一种高校复课风险评估方法。首先,引入压力-状态-响应(PSR)模型,分析各要素互相影响机制,并建立高校复课新冠肺炎疫情综合风险评估指标体系;然后,利用风险的致灾因子与受灾体的脆弱性衡量疫情综合风险度,提出一种高校复课新冠疫情风险的评估方法;最后,以西安市某高校为例,验证风险评估模型的可行性和有效性。结果表明:本模型能准确评估高校复课新冠肺炎疫情综合风险;学校所在地疫情风险等级、人员管控措施、学校应急演练与评估开展状况分别是P、S、R系统的主要影响因素,应重点关注。     

Risk-based reliability assessment under epistemic uncertainty

Existing risk in production systems has a direct relationship with unreliability of these systems. Under such circumstances, the approach to maximize the reliability should be replaced with a risk-based reliability assessment approach. Calculating the absolute reliability for systems and complex processes, when we are not provided with any data on failure, is extremely complex and difficult. Until now, studies of reliability assessment have been based on the probability theory, in which the failure time is anticipated after determining the type of size distributions. However, in this paper, the researchers have developed an approach to apply the possibility theory instead of the probability theory. Instead of using absolutely qualitative methods, this new approach applies the Dempster–Shafer Theory. It is obvious when there are insufficient data; an index is needed to make a decision. Then, a novel method is proposed and used in a real case study in order to determine the reliability of production systems based on risk when the available data are not sufficient, helping us to make decisions. After calculating the failure probability and analyzing the assessment matrix and risk criteria, we may conclude that the failure risk of equipment is reduced while the system reliability is increased.     

过氧化氢热爆炸研究进展

过氧化氢作为绿色环保的氧化剂,广泛应用于工业的各个领域,同时也因其热分解爆炸危险性导致了一系列严重的火灾爆炸事故。过氧化氢在高温或与一些不兼容化学物质作用下,将会激发其热危险性,进而引发热失控反应,最终导致爆炸事故的发生。结合近年来国内发生的过氧化氢热爆炸事故,简要概述了其热爆炸事故历程,并从理论研究和实验研究两个方面综述了过氧化氢热爆炸的研究进展。理论研究方面,主要介绍了化学反应失控模型和基于热动力学的研究方法,尤其对基于热失控模型的热风险评估进行了详细的阐述。实验研究方面,分析了高温条件下与杂质催化作用下过氧化氢的热危险性,包括无机杂质和有机杂质。最后就过氧化氢热爆炸的研究提出了进一步的研究方向。     

Reliability assessment of safety instrumented systems subject to different demand modes

Safety instrumented systems (SISs) are commonly used in the process industry, to respond to hazardous events. In line with the important standard IEC 61508, SISs are generally classified into two types: low-demand systems and high-demand systems. This article explores this classification by studying the SIS reliability for varying demand rates, demand durations, and test intervals. The approach is based on Markov models and is exemplified by two simple system configurations. The SIS reliability is quantified by the probability of failure on demand (PFD) and the frequency of entering a hazardous state that will lead to an accident if the situation is not controlled by additional barriers. The article concludes that very low-demand systems are similar and may be treated as a group. The same applies to very high-demand system. Between these group, there is a rather long interval where the demand rate is neither high-demand nor low-demand. These medium-demand systems need a specific treatment. The article shows that the frequency of entering into a hazardous state increases with the demand rate for low-demand systems, while it is nearly independent of both the demand rate and the demand duration for high-demand systems. The PFD is an adequate measure for the SIS reliability for low-demand systems, but may be confusing and difficult to interpret for high-demand systems.