基于检验测试策略的PFD模型建立与分析*

为制定合理检验测试策略,提高安全仪表系统（SIS）在低要求运行模式下的安全性,提出要求平均失效概率(PFDavg)通用计算模型,引入检验测试分布因子和共因失效修正因子,表征部分和完全检验测试对SIS安全性的影响。结果表明:该模型适用于所有同构koon架构系统,可应用于周期性、非周期性部分检验测试及共因失效影响较大的场景,可以为企业制定检验测试策略提供理论依据。     

Generalized analytical expressions for safety instrumented systems' performance measures: PFDavg and PFH

Safety Instrumented Systems (SIS) constitute an indispensable element in the process of risk reduction for almost all of nowadays' industrial facilities. The main purpose of this paper is to develop a set of generalized and simplified analytical expressions for two commonly employed metrics to assess the performance of SIS in terms of safety integrity, namely: the Average Probability of Failure on Demand (PFD_avg) and the Probability of Dangerous Failure per Hour (PFH). In addition to the capability to treat any K-out-of-N architecture, the proposed formulas can smoothly take into account the contributions of Partial Stroke Testing (PST) and Common Cause Failures (CCF). The validity of the suggested analytical expressions is ensured through various comparisons that are carried out at different stages of their construction.     

Reliability assessment of safety instrumented systems subject to different demand modes

Safety instrumented systems (SISs) are commonly used in the process industry, to respond to hazardous events. In line with the important standard IEC 61508, SISs are generally classified into two types: low-demand systems and high-demand systems. This article explores this classification by studying the SIS reliability for varying demand rates, demand durations, and test intervals. The approach is based on Markov models and is exemplified by two simple system configurations. The SIS reliability is quantified by the probability of failure on demand (PFD) and the frequency of entering a hazardous state that will lead to an accident if the situation is not controlled by additional barriers. The article concludes that very low-demand systems are similar and may be treated as a group. The same applies to very high-demand system. Between these group, there is a rather long interval where the demand rate is neither high-demand nor low-demand. These medium-demand systems need a specific treatment. The article shows that the frequency of entering into a hazardous state increases with the demand rate for low-demand systems, while it is nearly independent of both the demand rate and the demand duration for high-demand systems. The PFD is an adequate measure for the SIS reliability for low-demand systems, but may be confusing and difficult to interpret for high-demand systems.     

安全仪表系统的应用及发展

探讨安全仪表系统在过程工业中的必要性与重要性,以ISA/S84.01安全仪表系统生命周期为基本框架,介绍安全仪表系统的基本组成和生命周期各阶段的主要工作,阐述安全仪表系统与过程控制系统的异同。研究安全仪表系统设计过程中风险分析与安全完整性水平等的关键技术;总结了目前安全仪表系统所呈现出的新特点、新趋势;指出安全仪表系统未来发展的方向;同时认为安全仪表系统作为一种有效的安全保障措施,应当以风险与危害分析为基础,按照最低合理可行原则,根据对象的不同特点,确定适当的安全完整性水平。该应用研究成果对于安全仪表系统的设计与应用具有一定的指导意义。     

我国安全生产行政执法统计指标体系研究与应用

我国安全生产行政执法统计指标体系自施行以来,一直存在统计指标体系过于繁杂、部分统计指标较笼统,未充分体现安全生产重点工作及其成效等问题,创新改革安全生产行政执法统计制度具有重要的理论意义和实用价值。通过梳理安全生产行政执法统计指标体系演变脉络,在实地调研和现场访谈的基础上,基于PDCA理论提出以执法人员-执法对象-执法行为“三位一体”的安全生产行政执法统计指标体系,明确包含执法力量、执法对象、执法检查和事故查处等方面的综合评价指标,并在实践中得以应用和检验,为全面分析安全生产执法效能拓展空间,统计制度的后续修订和安全生产综合分析工作奠定基础。     

IEC61511标准及在石化行业安全管理中的应用

功能安全的定量评定技术已成为确保石化行业安全生产的重要手段。针对石化行业普遍存在的功能安全问题,笔者以国际电工学会(IEC)专门制定的功能安全评定标准IEC61508及IEC61511为指导,介绍其标准制定的背景、目的、体系结构以及如何利用标准开展石化行业安全联锁系统(Safety Instrumented System,SIS)的安全与误跳车定量分析。通过对SIS开展定量安全评估,可发现联锁功能存在的安全不足与误跳车现象,对于提高我国石化行业安全生产水平具有重要的促进作用,标准中有关寿命周期功能安全管理方法及重要的工程经验也对提高我国石化安全生产水平具有借鉴作用。     

基于人因可靠性的间歇装置SIL分析与改进

IEC 61508和IEC 61511等标准针对连续工艺装置提出了安全仪表系统安全完整性等级评估方法。但对于间歇装置的SIL评估,受人因因素影响水平并未明确,且没有提出相应计算模型。以某六氟磷酸锂间歇生产装置典型SIS为例,采用HAZOP结合LOPA方法对其进行风险分析,在明确间歇生产装置存在人员中毒、窒息及燃烧爆炸风险的基础上,确定并验证其安全仪表系统的SIL,再依据间歇生产装置人工依赖性高,即部分安全仪表系统未接入自动联锁且需人工手动触发的特点,建立人因可靠性模型,来分析人因可靠性对安全仪表系统SIL的影响,并进行改进研究。研究结果表明:人因因素对安全仪表系统SIL有显著影响;可通过改变SIS元件冗余结构、测试策略并结合改进人因管理措施来提高SIL。     

Addressing the challenges of implementing safety instrumented systems in multi-product batch processes

Adapting the requirements of IEC 61511 to a batch system can be frustrating, particularly for multi-product units. While a Safety Instrumented System (SIS) for continuous operation is often a straightforward detect-decide-act loop, implementing a SIS for a batch system may involve multiple safety functions, time- or state-dependence, intricate calculations, or complex installations. Relationships between the SIS elements and the basic process control system (BPCS) must be tightly managed, providing both for the safety of the unit and its ability to operate without spurious trips or other hindrances. These issues are further complicated when multiple products requiring different functions or setpoints are produced in the same SIS-protected batch unit.This paper will discuss the challenges particular to the design, operation, and maintenance of a SIS in multi-product batch operations and present practical options for successfully resolving the concerns. A key insight into successful adaptation is treating the batch SIS as a “permission” system for the BPCS to operate. Although many items can be addressed through clever engineering practices, sustainable success relies on proactive, robust management of the safety lifecycle.     

GO-FLOW方法在共因故障中的应用

共因故障是影响高冗余系统可用度的重要因素。针对如何评估它对系统可用度的影响,简要介绍了GO-FLOW方法,给出利用GO-FLOW计算受共因故障影响的系统不可用度的方法和步骤,并引用实例加以说明。     

A formulation to optimize the risk reduction process based on LOPA

This paper presents a mixed integer nonlinear programming (MINLP) model to improve the computational use of the layer of protection analysis (LOPA). For a given set of independent protection layers to be implemented in a process, the proposed optimization model is solved to: a) Include costs associated with the different prevention, protection and mitigation devices, and b) Satisfy the risk level typically specified in the LOPA analysis through the occurrence probability. The underline purpose focuses on improving the analysis process and decision making to obtain the optimal solution in the safeguards selection that satisfies the requirements to be considered as IPL’s. The optimization is based on economic and risk tolerance criteria. As a first stage of this proposal, the safety instrumented system (SIS) design is optimized so that the selection of SIS components minimizes the risk and satisfies the safety integrity level (SIL) requirements. A case study is presented to validate the whole proposed approach.     

Integration of intelligent sensors in Safety Instrumented Systems (SIS)

This article deals with the assessment of Safety Instrumented Systems using intelligence in the field devices. The integration of intelligent instruments within safety oriented applications presents a challenge. The justification for using these instruments in safety applications is not fully proven and the dependability evaluation of such systems is not trivial. The work presented in this article deals with modeling in order to evaluate the performances relating to the dependability for structures which contains intelligent instruments. This architecture constitutes a Safety Instrumented System (SIS). In the modeling of the system, the functional and dysfunctional aspects coexist and the dynamic approach using the Stochastic Activity Network (SAN) is proposed to overcome the difficulties mentioned above. Monte-Carlo method is used to assess the dependability parameters in compliance with safety standards related to SIS (IEC 61508 & IEC 61511). The proposed method and associated tools allow this evaluation by simulation and thus provide assistance in designing SIS integrating intelligence.     

Focus on mission success: Process safety for the Atychiphobist

Modern process plants are complex engineering systems. While thorough reviews of system safeguards are performed, catastrophic events continue to occur, often unfolding in unforeseen ways. Success in process safety demands safe processes, and understanding rare, high consequence events is central to the traditional process safety approach. This philosophy is common to all high-hazard industries, offering the potential for sharing approaches, experience, and lessons learned. The problem, however, is that people (and organizations and entire industries) who fear failure (atychiphobia) sometimes obsess about failure so much that they miss opportunities to succeed.This paper examines selected risk management practices in the power generation and aerospace industries and how those practices have led to improved performance. Risk informed decision making (RIDM) has had widespread application in the nuclear and aerospace industries, and is undergoing enhancements to become a key framework for risk management. Additionally, rather than focusing on avoidance of loss, there are emerging approaches supporting achievement of success. This approach provides a more direct link of risk to business and operational objectives, but does challenge conventional risk approaches founded in a loss prevention-centric view. The paper reflects upon risk informed decision making and success modeling, and suggests how these methods may be applied in the field of process safety. Specific examples are drawn from the defense in depth approach from the nuclear power industry and mission success concepts developed for NASA.     

The role of component arrangement in complex safety instrumented systems—A case study

The arrangement of components plays a key role in the performance of complex Safety Instrumented Systems (SIS), in which a SIS logic solver is interlocked with other logic solvers, to share a final element, for instance. The position of the components and the way they are utilized affects the reliability characteristics, such as the Probability of Failure on Demand (PFD), Spurious Trip Rate (STR), architectural sensitivity and model uncertainty. This case study uses quantitative and qualitative approaches to elaborate on various aspects of component arrangement in complex SIS. Numerous simplified models are analyzed; new classification is introduced for SIS components based on their response to demand; a set of guidelines are developed for SIS architecture design, with a focus on component arrangement; and the use of these guidelines is demonstrated in a real-life example, where an existing turbine SIS is modified to incorporate a new over-speed protection system. The simplified models and the turbine upgrade project are also used to explain the issue of unknowns and uncertainties in reliability analysis and how these issues can be addressed in SIS architecture by optimizing component arrangement.     

基于BDD考虑共因失效的接触网系统可靠性分析

为分析共因失效对高速铁路接触网系统的影响，将二元决策图(Binary Decision Diagram，BDD)与共因失效理论引入到接触网系统可靠性分析中。利用逻辑相邻优先组合法(Logic Neighbor Priority Connect，LNPC)将高速铁路接触网系统的故障树模型转化为BDD模型并求取其可靠度表达式，利用隐式方法对考虑了共因失效的接触网系统可靠度进行计算，利用MATLAB绘制考虑共因失效和不考虑共因失效情况下接触网系统可靠度变化曲线。研究结果表明:提出的分析方法适用于接触网系统的可靠性分析，为接触网系统的可靠性分析提供了一定的理论依据。     

A framework to estimate the risk-based shutdown interval for a processing plant

Petrochemical plants and refineries consist of hundreds of pieces of complex equipment and machinery that run under rigorous operating conditions and are subjected to deterioration over time due to aging, wear, corrosion, erosion, fatigue and other reasons. These devices operate under extreme operating pressures and temperatures, and any failure may result in huge financial consequences for the operating company. To minimize the risk and to maintain operational reliability and availability, companies adopt various maintenance strategies. Shutdown or turnaround maintenance is one such strategy. In general, shutdown for inspection and maintenance is based on the original equipment manufacturer's (OEM) suggested recommended periods. However, this may not be the most optimum strategy given that operating conditions may vary significantly from company to company.The framework proposed in this work estimates the risk-based shutdown interval for inspection and maintenance. It provides a tool for maintenance planning and decision making by considering the probability of the equipment or system for failure and the likely consequences that may follow. The novel risk-based approach is compared with the conventional fixed interval approach. This former approach, characterized as it is by optimized inspection, maintenance and risk management, leads to extended intervals between shutdowns. The result is the increase in production and the consequent income of millions of dollars.The proposed framework is a cost effective way to minimize the overall financial risk for asset inspection and maintenance while fulfilling safety and availability requirements.     

Risk reduction concept to provide design criteria for Emergency Systems for onshore LNG plants

The functional safety requirement is widely applied in the process plant industry in accordance with the international standards, such as IEC and ISA. The requirement is defined as safety integrity level (SIL) based on the risk reduction concept for protection layers, from original process risk to tolerable risk level. Although the standards specify both, the Prevention System and the Emergency System, as level of protection layers, the standards specify in detail only the use of the Prevention System (i.e., Safety Instrumented System (SIS)). The safety integrity level is not commonly allocated to the Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System). This is because the required risk reduction can be normally achieved by only the Prevention System (i.e., SIS and Pressure Safety Valve (PSV)). Further, the risk reduction level for the Emergency System is very difficult to be quantified by the actual SIL application (i.e., evaluated based on the single accident scenario, such as an accident from process control deviation), since the escalation scenarios after Loss of Containment (LOC) greatly vary depending on the plant design and equipment. Consequently, there are no clear criteria for evaluating the Emergency System design. This paper aims to provide the functional safety requirement (i.e., required risk reduction level based on IEC 61508 and 61511) as design criteria for the Emergency System.In order to provide clear criteria for the Emergency System evaluation, a risk reduction concept integrated with public’s perception of acceptable risk criteria is proposed and is applied to identify the required safety integrity level for the Emergency System design. Further, to verify the safety integrity levels for the Emergency Systems, the probabilistic model of the Emergency Systems was established considering each Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System) relation as the Overall Emergency System. This is because the Overall Emergency System can achieve its goal by the combined action of each individual system, including inherent safe design, such as separation distance.The proposed approach applicability was verified by conducting a case study using actual onshore Liquefied Natural Gas Plant data. Further, the design criteria for Emergency Systems for LNG plants are also evaluated by sensitivity analysis.     

安全仪表系统的开发与要求

综述安全仪表系统的发展过程;对其主要组成、特点以及其各自要求进行研讨;给出安全仪表系统开发的简化流程;探讨安全仪表系统的经济性分析和仪表选择方法;对安全仪表系统整体生命周期中的计划编制、设计、实施、运行、维护和确认等各阶段活动的关键要求进行了讨论和研究。该研究对安全仪表系统的深入理解有指导作用,并为安全仪表系统的分析、设计、实施、运行和维护等活动提供参考。     

Using risk tolerance criteria to determine safety integrity levels for safety instrumented functions

Standards and industry guidelines for Safety Instrumented Systems (SISs) describe the use of hazard and risk analysis to determine the risk reduction required, or Safety Integrity Levels (SILs), of Safety Instrumented Functions (SIFs) with reference to hazardous events and risk tolerance criteria for them. However, significant problems are encountered when putting this approach into practice. There is ambiguity in the meaning of the term hazardous event. Notably, even though it is a key concept in the process-sector-specific SIS standard, IEC 61511/ISA 84, it is not defined in the standard. Consequently, risk tolerance criteria for hazardous events are ill-defined and, therefore, they are not the most appropriate criteria to use. Most current approaches to SIL determination use them and therefore they are flawed fundamentally.An informed decision on the tolerability of risk for a facility cannot be made by determining only the tolerability of risk for individual hazardous events. Rather, the tolerability of the cumulative risk from all hazard scenarios and their hazardous events for a facility must be determined. Such facility risk tolerance criteria are the type used by regulators. This issue applies to all per event risk tolerance criteria. Furthermore, determining the tolerability of risk for a facility based only on the risks of single events, be they hazard scenarios or hazardous events, and comparing them to risk tolerance criteria for the events is not meaningful because there is no consideration of how many such events can actually occur and, therefore, no measure of the total risk. The risks from events should be summed for a facility and compared with overall facility risk tolerance criteria.This paper describes and illustrates SIL determination using a risk model implemented within the framework of Layers of Protection Analysis (LOPA) that overcomes these problems. The approach allows the allocation of risk across companies, facilities, processes, process units, process modes, etc. to be managed easily.     

Process safety challenges for SMEs in China

While process safety regulations and standards have been in place in western countries for more than two decades, China has only recently started to officially embrace these issues with the adoption of its Process Safety Management (PSM) regulation AQ/T 3034-2010 (SAWS, 2010). However, compliance with this regulatory framework requires substantial resources and may therefore appear too complex to be efficiently implemented by small and medium sized enterprises (SMEs) in the chemical sector. This is of particular relevance as about 99% of chemical companies in China are SMEs, accounting for more than 80% of all chemical accidents. To address this issue, additional local regulations and planning activities related to process safety have been implemented in China, including the establishment of hundreds of chemical industry parks. Some of the process safety problems faced by chemical industry parks are identified and discussed in this paper. To help solve these problems, UNEP's “Responsible Production approach for Chemical Hazards Management along the Value-Chain” is introduced in this paper and suggested as a simplified PSM approach targeted specifically at SMEs which, regardless of handling hazardous chemicals in their daily operations, may not have the knowledge or capacity to efficiently implement PSM and may not fall in the scope of the PSM regulation AQ/T 3034-2010. By introducing PSM to SMEs in a more manageable way, relevant steps can be progressively implemented by companies towards full compliance with the current regulatory framework, contributing to increased safety in chemical industry parks in China.     

Systematic inherent safety and its implementation in chlorine liquefaction process

As a proactive safeguard, inherent safety has been regarded as the top hierarchy for loss prevention and risk management due to its salient features in eliminating or significantly reducing risks at source rather than mitigating them by add-on protections. Simultaneously, various assessment tools have been developed for ranking and selecting inherently safer designs or modifications. However, there still lacks a metric that can systematically incorporate various hazardous factors, which may hinder most industries from utilizing it to a full extent. To address this limitation, this work developed a Systematic Inherent Safety Metric (SISM) for measuring the inherently safer modifications. Firstly, the conceptual framework of SIS was proposed based on 5M1E (man, machine, material, method, measurement, and environment). Subsequently, analytic hierarchy process and fuzzy comprehensive evaluation were adapted to conduct risk identification and assessment. Finally, taking chlorine liquefaction process as a case study, the applicability and efficacy of SIS were validated based on PDCA (plan-do-check-action) cycle. The results show that the SISM value has improved from the relatively dangerous (RD) to the relatively safe (RS) after implementing SIS, thus demonstrating that the revised design is inherently safer than the base design.