Similar literature
1.
The International Standards for Functional Safety (IEC 61508 and IEC 61511) are well recognised and have been adopted globally in many of the industrialised countries during the past 10 years or so. Conformance with these standards involves determination of the requirements for instrumented risk reduction measures, described in terms of a safety integrity level (SIL). During this period within the process sector, layer of protection analysis (LOPA) has become the most widely used approach for SIL determination. Experience has identified that there is a type of hazardous event scenario that occurs within the process sector that is not well recognised by practitioners, and is therefore not adequately handled by the standard LOPA approach. This is when the particular scenario places a high demand rate on the required safety instrumented function. This paper will describe how to recognise a high demand rate scenario. It will discuss what the standards have to say about high demand rates. It will then demonstrate how to assess this type of situation and provide a case study example to illustrate how to determine the necessary integrity level. It will conclude by explaining why it is important to treat high demand rate situations in this way and the resulting benefit of a lower but sufficient required integrity level.

2.
Safety instrumented systems (SIS) are becoming increasingly complex, and a growing proportion of their parts are programmable electronic components. The IEC 61508 global standard was established to ensure the functional safety of SIS; however, it is expressed in highly macroscopic terms. The safety integrity level (SIL) is a criterion describing whether a component meets the safety requirements of a SIS. The safety requirements give a target SIL for the expected risks using hazard analysis and risk assessment (HARA), and the achieved SIL must correspond to those safety requirements. This study introduces an evaluation process for determining the hardware SIL through failure modes, effects, and diagnostic analysis (FMEDA). First, the components of the SIS subsystem are defined in terms of failure modes and effects, and then the failure rate and failure mechanism distribution are assigned to each component. The safety mode and detectability of each failure mode are determined for each component and, finally, the hardware SIL is evaluated. We perform a case study to evaluate the hardware SIL of a flame scanner system using HARA and FMEDA, where the safety requirement of the flame scanner was determined using the risk graph method. We verified that the hardware SIL of the flame scanner corresponded to the safety requirement.

3.
Standards such as IEC 61508 and IEC 61511 provide methods for assessing the safety integrity level (SIL) of safety instrumented systems in continuous process plants. For SIL assessment of batch plants, however, the degree of influence of human factors has not been made clear and no corresponding calculation model has been proposed. Taking a typical SIS of a batch lithium hexafluorophosphate production plant as an example, a risk analysis was performed using HAZOP combined with LOPA. Having established that the batch plant carries risks of poisoning, asphyxiation, fire and explosion, the SIL of its safety instrumented system was determined and verified. Then, given the high dependence of batch plants on manual operation, namely that some safety instrumented functions are not connected to automatic interlocks and must be triggered manually, a human reliability model was built to analyse the influence of human reliability on the SIS SIL, and improvements were studied. The results show that human factors have a significant influence on the SIL of the safety instrumented system, and that the SIL can be raised by changing the redundancy architecture and test strategy of the SIS components in combination with improved human-factors management measures.

4.
The risk graph (RG) is widely used to evaluate the safety integrity level (SIL) of safety instrumented systems (SIS). However, conventional RGs based on subjective opinion cannot give reliable results when risk parameters suffer from shortages or lack of data; hence, the output of a conventional approach lacks sufficient reliability. We introduce the fuzzy improved risk graph (FIRG), an extension of fuzzy set theory, to deal with possible ambiguities during SIL study and to increase the reliability of conventional RGs. In the present study, the levels of consequences defined as linguistic terms were converted into qualitative intervals; therefore, by correlating the proposed approach with experts' opinions and attributing weight factors, a desired SIL value was obtained. The output of this new approach can be compared directly with quantitative risk assessment techniques to improve the safety performance of industrial systems.

5.
Selected issues associated with functional safety analysis according to the international standards IEC 61508 and IEC 61511 are presented. Determining the safety integrity level (SIL) of electric/electronic/programmable electronic (E/E/PE) safety-related systems is outlined. The importance of quantitative probabilistic modeling of these systems in verifying SIL is emphasized. Some aspects concerning the functional safety analysis of systems for detecting combustible or toxic gases in relation to the CENELEC draft standard prEN 50402 are briefly discussed. Basic principles of the methodology for functional safety assessment of protective systems for potentially explosive atmospheres proposed in the CEN draft standard prEN 15233 are addressed.

6.
武潭, 高晓蕾, 刘静怡, 徐博. 《安全》 (Safety) 2019, 40(1): 28-33
Building on an introduction to the basic principles of safety instrumented systems and safety integrity levels, this paper reviews the application of system risk analysis methods such as hazard and operability analysis (HAZOP) and layer of protection analysis (LOPA). Combining these methods, it determines the safety integrity level (SIL) of a safety instrumented system. Taking an ammonia synthesis unit as an example, HAZOP and LOPA are applied to derive the SIL for two scenarios: excessively high pressure in the synthesis converter and excessively low level in the waste heat boiler. The results show that the instrumentation of the synthesis converter requires SIL 1 and that of the waste heat boiler requires SIL 2.

7.
To analyse the functional completeness and reliability of the safety instrumented systems of LNG refuelling stations, three typical Class III LNG refuelling stations were taken as study objects. Safety instrumented function identification, safety integrity level (SIL) classification and SIL verification were carried out in full, and targeted improvement suggestions were put forward. The results show that the safety instrumented systems of all three LNG stations suffer from incomplete functions and a lack of failure data for their equipment components; that, to meet the risk control requirements, a Class III LNG refuelling station needs 15 safety instrumented functions, of which one should reach SIL 2 and fourteen should reach SIL 1; and that the safety instrumented systems of LNG refuelling stations should use equipment components with functional safety certification, with SIL assessment performed at the design stage. The findings provide an important reference for the future design and management of LNG refuelling station safety instrumented systems.

8.
Oil and gas stations are generally equipped with non-routine safety instrumented functions (SIFs) that involve operator intervention, such as emergency shutdown (ESD) systems, and existing safety integrity level (SIL) assessment methods cannot evaluate the functional safety of such SIFs. This study examines non-routine SIFs with operator intervention, dividing the human element into three stages: observation, decision and execution. Based on the advantages and disadvantages of the various human reliability analysis methods, CREAM and HCR were selected to analyse, respectively, the influence of the emergency situational environment and of the emergency response time on the human error probability of non-routine SIFs, and a SIL verification model that accounts for human reliability was built. Using this model, a typical SIF at an oil transfer station was selected for SIL assessment, the degree of influence of human failure on the overall reliability of the SIF was analysed, and improvement measures were proposed. The results show that introducing the human error probability of the operator's emergency response process into the traditional SIL verification model makes functional safety evaluation of non-routine SIFs possible; human failure has a significant influence on non-routine SIFs, and the selected human reliability models can accurately calculate the human error probability.

9.
The functional safety requirement is widely applied in the process plant industry in accordance with international standards such as those of IEC and ISA. The requirement is defined as a safety integrity level (SIL) based on the risk reduction concept for protection layers, from the original process risk down to a tolerable risk level. Although the standards specify both the Prevention System and the Emergency System as protection layers, they specify in detail only the use of the Prevention System (i.e., the Safety Instrumented System (SIS)). A safety integrity level is not commonly allocated to the Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System). This is because the required risk reduction can normally be achieved by the Prevention System alone (i.e., SIS and Pressure Safety Valve (PSV)). Further, the risk reduction level of the Emergency System is very difficult to quantify with the usual SIL application (i.e., evaluation based on a single accident scenario, such as an accident arising from a process control deviation), since the escalation scenarios after Loss of Containment (LOC) vary greatly depending on the plant design and equipment. Consequently, there are no clear criteria for evaluating the Emergency System design. This paper aims to provide the functional safety requirement (i.e., the required risk reduction level based on IEC 61508 and 61511) as design criteria for the Emergency System. In order to provide clear criteria for Emergency System evaluation, a risk reduction concept integrated with the public's perception of acceptable risk criteria is proposed and applied to identify the required safety integrity level for the Emergency System design.
Further, to verify the safety integrity levels of the Emergency Systems, a probabilistic model of the Emergency Systems was established that considers the relation of each Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System) within the Overall Emergency System. This is because the Overall Emergency System achieves its goal through the combined action of each individual system, including inherently safe design features such as separation distance. The applicability of the proposed approach was verified by a case study using actual onshore Liquefied Natural Gas Plant data. Further, the design criteria for Emergency Systems in LNG plants are evaluated by sensitivity analysis.

10.
A systematic approach to the assessment of thermal risks linked with the performance of exothermic reactions at industrial scale was proposed a long time ago. The approach consisted of a runaway scenario starting from a cooling failure and a classification of these scenarios into criticality classes. In the meantime these tools have become quite popular and many chemical companies use them. Recently, the international standard IEC 61511 required the use of protection systems whose reliability depends on the risk level. Since the criticality classes were developed as a tool for choosing risk reducing measures as a function of the criticality, it seems obvious that the criticality classes may be used in the context of IEC 61511, which provides a relation between the risk level and the reliability of protection systems. Firstly, the runaway scenario and the criticality classes are briefly described. Secondly, the assessment criteria for severity and probability of occurrence of a runaway scenario are described together with the required data and their interpretation in terms of risk. Thirdly, the assessment procedure is exemplified for the different criticality classes. Finally, the design of protection measures against runaway and the required IPL and SIL are based on the risk assessment obtained from the criticality classes. This approach allows the data set required for the safety assessment, and for the definition of the protection system designed to avoid the development of the runaway, to be minimised.

11.
In response to the increasing safety and reliability requirements for offshore platform safety instrumented systems, this paper analyses SIL assessment and HAZOP analysis methods for offshore platform SIS. It discusses the necessity, purpose, content, methods and workflow of SIL assessment; introduces the HAZOP and LOPA methods used for SIL selection; explains the key data issues in the SIL assessment process; and describes the choice of parameters and failure data in SIL verification. A case study further illustrates the key points and implementation steps of SIL assessment and HAZOP analysis, and recommendations and measures for raising the SIL are proposed for the case. The work provides an important reference and basis for SIL assessment of offshore platform safety instrumented systems.

12.
Anyone who has been involved in the application of IEC 61508 and IEC 61511 by undertaking Safety Integrity Level (SIL) determination for Safety Instrumented Systems (SIS) will appreciate the amount of effort and tenacity required to undertake the task. SIL determination of Safety Instrumented Systems requires considerable commitment and tenacity to get the job done, but it is like climbing to the top of a hill only to be faced with a mountain when we come to consider what is involved in reviewing or configuring a typical alarm system. A medium sized process facility may have a few hundred or so primary Safety Instrumented Functions (SIF) or trips configured into a Safety Instrumented System, but the number of alarms configured into a process control system (PCS) that need to be assessed and prioritised can often run into the thousands. There is synergy between safety instrumented functions and alarms because both contribute to reducing the risk of unwanted events, and both need to be assigned an appropriate criticality. This paper details various methods of criticality assessment which have been successfully applied to set the appropriate priority, identify the critical alarms that need to be upgraded to trips, and rationalise those of no value. It will also cover the use of software tools which can significantly reduce the effort involved in this process.

13.
To optimise the determination of the safety integrity level (SIL) of safety instrumented systems (SIS) in chemical plants, the shortcomings of existing SIL determination methods were analysed, and, in view of the missing and uncertain failure data characteristic of chemical plants, a fuzzy fault tree analysis and layer of protection analysis (FFTA-LOPA) model for calculating SIS SIL was proposed. Taking a low-density polyethylene reactor as an example, a fault tree for a reactor explosion was built, fuzzy theory was used to quantify the probability of the top event, and the SIL of its safety instrumented system was finally determined to be SIL 1. The results show that the method, which combines two risk analysis theories, gives results in good agreement with actual and theoretical statistics, has a degree of accuracy and practicality, and can provide theoretical guidance for the quantitative determination of system SIL.

14.
Determining the safety integrity level is the premise and basis for developing and designing safety-related systems. To avoid inappropriate SIL determination caused by a poor choice of method, a comparative study was made of the commonly used methods: the consequence-based method, the risk matrix method, the improved HAZOP method, the risk graph method, layer of protection analysis and the quantitative method. Building on an explanation and analysis of the meaning of safety integrity level and the principles of its determination, the methods were compared, according to their respective characteristics, in terms of accuracy, quantifiability, workload and ease of use, and the factors that should be given priority when choosing a SIL determination method were analysed and discussed. The findings have practical value and serve as a reference for the rational choice of a SIL determination method.

15.
The main issue of this article is the possible use, for availability improvement, of the organisational analysis methodology initially developed for accident safety investigations. As examples from the industrial world over the last decade prove that some organisational weaknesses can impact either safety or availability, our purpose is to make some important clarifications, with the help of the organisational paradigm, grounded on our knowledge of safety accidents or local inquiries in hazardous, technically complex systems. We will first give our definition of an availability event, by comparison with a safety event, and recall what we mean by an organisational analysis. Then we will consider the pathogenic factors of the safety organisational paradigm, asking whether these factors could also be seen as pathogenic factors for availability, or whether specific availability pathogenic factors can be inferred from these safety pathogenic factors. In the end we will try to assess the common points and the differences between an availability-oriented organisational analysis and a safety-oriented one, with particular attention to possible negative follow-ups on safety issues and to the methodology issue.

16.
Safety integrity level (SIL) verification of functional safety fieldbus communication is an essential part of SIL verification of a safety instrumented system (SIS), and it requires quantifying the residual error probability (RP) and residual error rate of functional safety communication. The present quantification method for residual error rate uses the RP of the cyclic redundancy check (CRC) as an approximation of the total RP of functional safety communication. Since CRC only detects data-integrity-related errors and has an intrinsic undetected error probability, some other residual errors are not considered. This research identified several residual errors missed by the present quantification method. It then presents an extended approach that takes these residual errors into account to determine a more comprehensive and reasonable RP and residual error rate. From the perspective of the composition of the safety message, this research studies the RPs of the controlling segments (sequence number, time expectation, etc.) to cover the residual errors beyond CRC detection coverage, and investigates the influences of insertion/masquerade errors and of the time window on RP. The results show that these residual errors, especially insertion/masquerade errors, may have a great influence on the quantification of residual error rate and on SIL verification of functional safety communication, and that they should be treated seriously.

17.
Ethylene treaters are widely used in the petrochemical industry to remove impurities from ethylene feedstock imported from pipeline networks or storage caverns. The safety concerns of dense phase ethylene treaters due to the reactive and highly flammable nature of ethylene are well known and studied. Under certain conditions, ethylene may self-polymerize and decompose violently with heat release. Under other conditions, ethylene will auto-refrigerate, generating cold liquids that may cause potential brittle fracture hazards. Therefore, dense phase ethylene treaters present design challenges with the unique combination of high temperature decomposition and cold temperature brittle fracture hazards. Due to these safety concerns, it is important to select the appropriate engineering design options for dense phase ethylene treaters and the associated regeneration facilities. Totally automated treater regeneration systems add complexity and instrument maintenance requirements, while manually operated systems rely heavily on operator training and procedures. Unfortunately, little or no information or design guidance is available from published research findings in the literature on the evaluation and risk assessment of current industrial design options and practices for dense phase ethylene treaters. This paper presents a systematic risk assessment method to evaluate the engineering design and safe operation options for dense phase ethylene treaters. The proposed risk assessment method integrates human factors task analysis into traditional HAZOP, LOPA and fault tree analysis to allow evaluation of automated, manual and hybrid approaches, with the goal of selecting and optimizing design options to ensure plant safety. This approach provides a realistic assessment of the operational risk and allows identification of fit-for-purpose risk reduction.
Applying this systematic risk assessment approach, a simpler and more cost effective design solution can be justified, thereby avoiding the need for a high integrity protective system.

18.
This article discusses the extent to which indicators can represent organisational qualities in relation to safety and how a qualitative approach called the Operational Safety Condition (OSC) method can be a supplement and help improve safety. In light of the recent Safety Science debate on safety indicators, we suggest that it is difficult to capture organisational conditions using indicators, although they are indisputably important when identifying the risk of accidents. Safety climate and risk analysis approaches are discussed as methods that can build and assess indicators in relation to organisational safety quality. OSC and similar qualitative approaches can capture the complexity of organisational conditions, aid organisational learning at a double loop level and offer a tool for risk management.

19.
This paper presents a mixed integer nonlinear programming (MINLP) model to improve the computational use of layer of protection analysis (LOPA). For a given set of independent protection layers to be implemented in a process, the proposed optimization model is solved to: a) include the costs associated with the different prevention, protection and mitigation devices, and b) satisfy the risk level typically specified in the LOPA analysis through the occurrence probability. The underlying purpose is to improve the analysis process and decision making so as to obtain the optimal selection of safeguards that satisfy the requirements to be considered as IPLs. The optimization is based on economic and risk tolerance criteria. As a first stage of this proposal, the safety instrumented system (SIS) design is optimized so that the selection of SIS components minimizes the risk and satisfies the safety integrity level (SIL) requirements. A case study is presented to validate the whole proposed approach.

20.
Design philosophy of safety control systems   Cited by: 8 (self-citations: 0, citations by others: 8)
This paper introduces IEC 61508, the international standard in the field of safety control, and gives the technical indicators corresponding to the four safety integrity levels (SIL). The design philosophy of safety control systems is explained from three aspects: control of hardware faults, avoidance of systematic faults, and design of safety system software. For hardware fault control, 1oo2D and 2oo3 architectures are compared and the corresponding SIL calculation methods are given. For avoiding systematic faults, six principles and methods of system design are proposed. Three design methods for safety system software oriented to process control and with high real-time requirements are introduced.
