Professional documents; culture documents

Figure: primary causes of control system failure by life-cycle phase (only these slices survived extraction): 15% maintenance and operation; 15% design and implementation; 6% installation and start-up.
Ref: Out of Control: Why control systems go wrong and how to prevent failure, published by UK HSE.
2012-03-07
Figure: safety life cycle. Phases labelled: structure and planning of the safety life cycle; assessment of hazards and risks; verification; installation, reception and validation (5); modification; decommissioning (10).
Figure: safety life cycle with the SIL allocation step highlighted. Phases as labelled on the slide:
1. Management of functional safety, functional safety assessment and audit; structure and planning of the safety life cycle
2. Assessment of hazards and risks
3. Specification of the safety requirements for the safety instrumented system
4. ... system (label truncated on the slide)
5. Installation, reception and validation
6. (label not recovered)
7. Modification
Decommissioning
Annotations on the slide: "Set target" and "Demonstrate target is met".
SIL Allocation (SIL 1, SIL 2, SIL 3): determine if additional SIF are required and, if yes, allocate the target SIL.
Figure: two routes to a SIL target, deterministic and risk-based. Reference labels on the slide: ISO 10418, OLF 070, company governing documentation, TES.
Figure: independent protection layers on a vessel level loop. The PT feeds the PCS, which holds the process at normal level; at high level the LAH alarm sounds and the operator takes action; above that, at the trip set point, the PSD logic takes the SIS action (the SIS layer). A low level is also marked.
Figure: risk reduction against tolerance criteria. The initial risk (frequency) is reduced by external risk reduction and by other technologies; what is left is the remaining risk, compared with the risk tolerance criteria on an axis of increasing risk. Question posed on the slide: missing adequate barriers?
Table: analysis techniques compared

Qualitative analysis
- Technique: HAZOP, What if
- Applicability to simple issues: Good

Simplified-quantitative or semi-qualitative analysis
- Applicability to simple issues: Good

Quantitative analysis
- Applicability to simple issues: Overkill

Applicability to complex issues: Usually good / Good (only two of the three cells survived extraction).
Figure: SIL allocation decision flow, as labelled on the slide:
- Start with a qualitative method (e.g. HAZOP). Result SIL 1, SIL 2, or SIL 3 with GALE/TES where further assessment is needed? NO: done. YES: semi-qualitative or simplified-quantitative analysis.
- SIL 4? (OR: SIL 3 with no GALE/TES?) NO: done. YES: design change or other non-SIS IPL possible? YES: loops back on the slide. NO: quantitative analysis.
- SIL 4 required by a single SIS? NO: done. YES: apply for dispensation to TR2041.
Deliverables at these stages: SRS, etc.; SRS, CDD, SAR, etc.
LOPA Procedure
Step 1: Establish TTC
Step 2: Preliminary selection of scenarios
Step 3: Evaluate impact severity on safety, environment and assets
Step 4: Determine IE frequency
Step 5: Identify IPLs and select the probability of failure
Step 6: Identify conditional modifiers and select the probability
Step 7: Evaluate scenario frequency and compare with TTC
Step 8: Identify SIF and allocate SIL
Figure: risk matrix. Frequency levels 1 to 8 (events per year), with the ranges that survived extraction: 1E-4 to 1E-3; 1E-3 to 0.01; 0.01 to 0.05; 0.05 to 0.3; 0.3 to 0.7; 0.7 to 1.4; > 1.4. Impact levels 1 to 8, named where labelled: 4 Moderate, 5 Serious, 6 Severe, 7 Major, 8 Catastrophic.
Target tolerance criteria: 1E-6, 1E-5, 1E-4, 1E-3 and 1E-2 per year, one per impact category (see the table with categories further on).
Figure: elements of a safety instrumented function. Sensors (temperature transmitter, level switch, flow transmitter) feed the logic solver (PLC), which drives the final elements (solenoid and on/off valve, pump).
Figure: bow-tie.
CAUSES: initiating event 1, initiating event 2, initiating event 3.
PREVENTION (terminate the chain of events, reduce frequency): BPCS; operator response to alarm from monitoring system; SIS; PSV.
TOP EVENT.
MITIGATION (reduce consequence severity): ESD; ignition control; fire water.
CONSEQUENCES: no consequence; consequence A; consequence B; consequence C; consequence D.
Target tolerance criteria (TTC) per impact category:
- 8 / Catastrophic: 1E-6 per year
- 7 / Major: 1E-5 per year
- 6 / Severe: 1E-4 per year
- 5 / Serious: 1E-3 per year
- 4 / Moderate: 1E-2 per year
Table: generic initiating event frequencies f_ie (failure/year), values mapped to rows in the order they appear on the slide:

Instrument initiating events
- BPCS instrument loop failure: 1.00E-01
- BPCS sensor failure: 1.00E-01
- Control loop failure: 1.00E-01
- Loss of instrument air: 1.00E-01

Human initiating events
- 3rd party intervention: 1.00E-02
- Human error in a non-routine, low-stress task: 1.00E-01
- Human error in a routine task, once-per-day opportunity: 1.00E+00
- Human error in a routine task, once-per-month opportunity: 1.00E-01
- Operator failure (action more than once per quarter): 1.00E-01

A further column of values (1.00E-05 to 1.00E+00) on the slide has no surviving row labels and is not reproduced here.
Table: human error probability for not correctly performing a task, per demand (rows: task complexity; columns: no stress / moderate stress / high stress):
- Simplest: 1E-4 / 1E-3 / 1E-2
- (row label not recovered): 1E-3 / 1E-2 / 1E-1 to 1.0
- Routine, but requires care: 1E-2 / 5E-2 / 0.25 to 1.0
- Complicated, non-routine: 0.1 / 0.3 / 1.0
Figure: SIS architecture. Sensors (sensor 2 labelled) deliver input 1 and input 2 to the logic controller; output 1 drives final element 1 and output 2 drives final element 2.

IPL credit for the PCS: a PFD lower than 0.1 requires that the PCS is designed according to IEC 61511.
Figure: operator response time line, starting at the PCS pre-alarm set point: alarm processing, limited troubleshooting, decide action, plotted against time.
Check valve: IPL, with restrictions on service and technology; frequent testing required.
Explosion doors: not an IPL. Can be considered for selection of a lower impact severity; the design must be checked against the explosion load.
Table (values only survived extraction): IPL PFD values on the slide range from 1.00E-02 to 1.00E+00 (2.00E-01, 1.00E+00, 2.00E-02, 1.00E-02, 1.00E-01, 1.00E+00, 1.00E-01, 1.00E-01); ignition probabilities range from 4.00E-04 to 3.00E-01. Row labels did not survive extraction.

Conditional modifiers:
- P_ignition: not always relevant (e.g. release above auto-ignition temperature, control of ignition sources, environmental impact).
- P_person present: probability that personnel are present at the time of the hazardous event. P_person present = occupancy × probability that personnel fail to avoid the hazardous event once the SIS has failed.
Criterion for crediting operator response: the time between the operator being alerted and the hazardous event occurring exceeds 1 hour, or is definitely sufficient for the necessary actions.
Caution: don't cater twice for the same operator intervention (e.g. alarm + operator intervention).
Required risk reduction for a scenario with n IPLs: RRF = f_LOPA scenario / TTC (the figure is labelled for consequence D).
Figure: allocation of risk reduction (decision node: RRF < 1 / > 1). The required reduction is split between risk reduction by the BPCS, by operator response to alarms, by the safety instrumented system, by mechanical devices and by other means; what remains is the risk reduction factor (RRF) required for the SIS.

Consider the need for a design robust to spurious trips (e.g. 2oo3 instead of 1oo2).
Set a minimum mean time to fail safe requirement (MTTFS = 1/STR).
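The eight-step LOPA procedure and the allocation of the risk reduction factor to the SIS are carried through below in Python. This is an added example, not code from the Statoil slides. The TTC values per impact category, the initiating event frequency of 0.1/year for a BPCS loop failure, and the two IPL credit rules (a PCS claims PFD < 0.1 only if designed to IEC 61511; operator intervention is credited once) are taken from the slides. The SIL bands (RRF 10 to 100 = SIL 1, and so on) are the IEC 61511 low-demand ranges, which the slides do not spell out, and the sample scenario, its IPL PFDs and conditional modifiers are constructed for illustration.

```python
"""Worked LOPA / SIL allocation (added example, not code from the slides).

f_scenario = f_IE * prod(PFD of each IPL) * prod(conditional modifiers)
RRF_SIS    = f_scenario_without_SIS / TTC
Assumed, not on the slides: IEC 61511 low-demand SIL bands; sample values.
"""
from dataclasses import dataclass, field
from math import prod
from typing import List, Optional

# Step 1: target tolerance criteria per impact category, events per year (slide values)
TTC = {8: 1e-6, 7: 1e-5, 6: 1e-4, 5: 1e-3, 4: 1e-2}
# IEC 61511 low-demand SIL bands as RRF = 1 / PFDavg: (SIL, lower, upper)
SIL_BANDS = [(1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000)]

@dataclass
class IPL:
    name: str
    pfd: float                  # probability of failure on demand
    kind: str = "other"         # "bpcs", "alarm" (operator response), "sis", "mechanical", "other"
    designed_to_iec61511: bool = False

@dataclass
class Scenario:
    name: str
    impact_category: int        # 4 Moderate .. 8 Catastrophic, as on the slide
    f_ie: float                 # Step 4: initiating event frequency, per year
    ipls: List[IPL] = field(default_factory=list)   # Step 5
    p_ignition: Optional[float] = None              # Step 6: conditional modifiers
    p_person_present: Optional[float] = None        # occupancy * P(fail to escape)

def ipl_credit_issues(ipls: List[IPL]) -> List[str]:
    """Step 5 checks from the slides: a PCS/BPCS layer claims PFD < 0.1 only if
    designed to IEC 61511; operator intervention is credited once; PFD in (0, 1]."""
    issues = []
    alarms = [i.name for i in ipls if i.kind == "alarm"]
    if len(alarms) > 1:
        issues.append("operator intervention credited twice: " + ", ".join(alarms))
    for i in ipls:
        if not 0 < i.pfd <= 1:
            issues.append(f"{i.name}: PFD {i.pfd} outside (0, 1]")
        if i.kind == "bpcs" and i.pfd < 0.1 and not i.designed_to_iec61511:
            issues.append(f"{i.name}: PCS PFD < 0.1 requires design to IEC 61511")
    return issues

def scenario_frequency(s: Scenario, include_sis: bool = True) -> float:
    """Step 7: mitigated scenario frequency per year. include_sis=False leaves the
    SIS layer out, giving the demand rate the SIS has to reduce."""
    pfds = [i.pfd for i in s.ipls if include_sis or i.kind != "sis"]
    modifiers = [m for m in (s.p_ignition, s.p_person_present) if m is not None]
    return s.f_ie * prod(pfds) * prod(modifiers)

def required_rrf_for_sis(s: Scenario) -> float:
    """Step 8: RRF the SIS must supply for the scenario to meet its TTC.
    A value <= 1 means the non-SIS layers already meet the target."""
    issues = ipl_credit_issues(s.ipls)
    if issues:
        raise ValueError("; ".join(issues))
    return scenario_frequency(s, include_sis=False) / TTC[s.impact_category]

def allocate_sil(rrf: float) -> str:
    """Map the required RRF to a SIL. SIL 4 is flagged, not allocated: the slide's
    flowchart sends it to a design change, another non-SIS IPL or a dispensation."""
    if rrf <= 1:
        return "no SIF required"
    if rrf < 10:
        return "SIF required, below SIL 1"
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return f"SIL {sil}" if sil < 4 else "SIL 4: design change or non-SIS IPL needed"
    return "RRF beyond SIL 4: design change needed"

def meets_ttc(s: Scenario) -> bool:
    """Demonstrate the target is met once the chosen SIS PFD is included."""
    return scenario_frequency(s) <= TTC[s.impact_category]

# Constructed sample scenario (not a real plant): separator high level after a
# BPCS level loop failure, with LAH alarm + operator action and a PSD trip as IPLs.
EXAMPLE = Scenario(
    name="separator high level, BPCS loop failure",
    impact_category=8,          # Catastrophic -> TTC 1e-6 per year
    f_ie=0.1,                   # BPCS instrument loop failure, per year (slide table)
    ipls=[
        IPL("LAH alarm + operator action", pfd=0.1, kind="alarm"),
        IPL("PSD high-level trip", pfd=1e-3, kind="sis"),  # candidate SIS, PFD assumed
    ],
    p_ignition=0.1,             # assumed conditional modifiers
    p_person_present=0.5,
)

if __name__ == "__main__":
    rrf = required_rrf_for_sis(EXAMPLE)
    print(f"frequency without SIS: {scenario_frequency(EXAMPLE, include_sis=False):.1e}/yr")
    print(f"required RRF for SIS: {rrf:.0f} -> {allocate_sil(rrf)}")
    print(f"target met with SIS PFD 1e-3: {meets_ttc(EXAMPLE)}")
```

For the constructed scenario the non-SIS layers leave 5E-4 events per year against a TTC of 1E-6, so the SIS must provide an RRF of 500, which falls in the SIL 2 band; with a PSD trip of PFD 1E-3 the mitigated frequency is 5E-7 per year and the target is met. Entering the LAH alarm as a second "alarm" IPL, or a PCS interlock with PFD 0.01 that is not designed to IEC 61511, is rejected before any RRF is computed, which is the double-counting caution and the PCS credit rule from the slides applied mechanically.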
Thank you
SIL Allocation: Layer of protection analysis
Presenter's name: Mathilde Cot
Presenter's title: Principal Consultant, Safety Technology, CFSE
mcot@statoil.com, tel: +47 95785095
www.statoil.com
Figure: sensors S1, S2, S3 deliver the input signal to the PLC (safety logigram), whose output signal drives valves V1 and V2.
Detection SIS: incomplete safety instrumented system.
Action SIS: incomplete safety instrumented system.
LOPA - Limitations

(The slide repeats the SIL allocation decision flow shown earlier: qualitative, e.g. HAZOP; SIL 1, SIL 2 or SIL 3 with TES where further assessment is needed; SIL 4?; design change or other non-SIS IPL possible?; quantitative; SIL 4 required by a single SIS? YES: apply for dispensation to TR2041.)