hazop sif sil

1

Copyright © 2007 Yokogawa System Center Europe B.V.HAZOP – SIF - SIL

HAZOP – SIF - SIL

Global Safety Solutions Center

British GasMumbai - IndiaNovember, 2007

Page 2Copyright © 2007 Yokogawa System Center Europe B.V.HAZOP – SIF - SIL

HAZOP, SIF, SIL

Risk identification

Layers of protection

What are SIFs

Determine SIL

2


Risk assessment and SIL classification

Hazard and risk assessment

Allocation of safety functions

Safety requirements specification

1

2

3

Man

agem

ent o

f fun

ctio

nal s

afet

y

Safe

ty li

fecy

cle

Safe

ty li

fecy

cle

10 119

IEC 61511

No methodprescribed

General method : HAZOPHazard and operability study


Characteristics of the HAZOP method

Systematic Hazard Identification method for ProcessesTeam brainstorm sessionsBasis: P&ID drawingsUse of Guide words (ICI method)Wide spread use in Industry and Engineering Contractors

Results:Overview of all possible unwanted disturbancesDeterminate what safeguards in placeAction planning for improvements or required clarifications

HAZOP

3


Basic explanation

HAZOP technique provides opportunities to use your imaginations, going free and think of all possible ways in which hazards or operating problems might arise.

Reduce chance of missing something and therefore: do it in a systematic way!

Each pipeline, vessel, process part, etc has to be considered in turn.

To be done in a team. Members can stimulate each other and build upon each other’s ideas.

HAZOP


What we need !

Line diagrams or P&ID’s have to be complete and in front of each team member.

Process description has to be in place and complete.

Possible applicable Safety Functions as relief valves and Sensors/Safety Valves can be already proposed by the Process engineers, but have to be examined and justified fully.

Document the results of the HAZOP and justify Safety Functions!

HAZOP

4


Select deviation from “normal”

Move on to next deviation

No

Select node

Determine SAFEGUARD - SIF / Mechanical / Mitigation

Determine sensors and final elements (SIF)

Can it become hazardous? (Prevent efficient operation?)

Yes

Will the Control System adjust this deviation in time?

Yes

Control System fails, acts wrong, operator acts wrong

Yes

Describe possible hazard consequence

No

Consider other causes of deviation

No

Is deviation possible? - Possible cause?

Yes

HAZOP procedure


HAZOP Requirements

HAZOP tables to be filled in during the sessions (preferably with

video projection) by the secretary.

The team need to consist of different disciplines: Operator,

Process Design, E&I, Mechanical.

Experienced Chairman vital for the results and efficiency

Don’t try to solve all problems identified

Limit the duration: max. 6 hours a day.

Avoid external disturbances during the sessions

HAZOP

5


Hazop Method

Preparation:

Collect all information (P&ID, Process description)

Check whether info is up-to date!

Split the process in ‘functional nodes’ and indicate intention of the function

During the sessions:

One of the team members briefly explain each node before the analysis starts

The chairman starts to use the all relevant Guide words (More, Less etc.) for all

relevant Parameters (Temperature, Pressure etc.)

HAZOP


Guide words:

No

More

Less

Partly

As well as

Reverse

Other than

HAZOP

6


HAZOP


HAZOP

7


Layers of protection : Onion model

Community Emergency Response

TT

Process Design

Basic Controls

Critical Alarms and Manual Intervention

Automatic Action (SIF)

Physical Protection (Bund wall)

Plant Emergency Response


Layers of protection

Human layer

Control layer

Protective layer (instrumented)

Protective layer (physical)

Mitigation layer

Process

8


PEFS example (2 phase separator)

LRCA-003

PRCA-002 Gas out

Oil out

Emulsion inUZ-101 H

LRCA003 L

TIA001

H

LZA001

H

002PRCA

H

Human layer

Control layer

Protective layer (instrumented)

Protective layer (physical)

Mitigation layer

Process


SIF # 1 (e.g. SIL 4)

AvailabilityAll loops may effectAll loops may effectthe process availabilitythe process availability



SIF # 3 (e.g. SIL 3))


finalfinalelementelement

finalfinalelementelement

sensorsensor

sensorsensor

sensorsensor

sensorsensor

sensorsensor

triple voted

Safety Instrumented SystemSafety Instrumented System

finalfinalelementelementfinalfinal

elementelement

dual voteddual voted

logiclogicsolversolver

SIFs

9


Determine target SIL


Determine target SIL

IEC61508 : part 5ALARPRisk GraphRisk Matrix

IEC61511 : part 3 alsoFTA : Fault Tree AnalysesLOPA : Layers Of Protection Analyses

10


Alarp Principle

UnacceptableRegion

TolerableRegion

BroadlyAcceptableRegion

Incr

easi

ng I n

divi

dua l

Ris

k a n

d So

cia l

Con

cern

s

NegligibleRisk

Risk can not be justified except in extraordinary circumstances

Risk is tolerable only if:a. Further Risk reduction is

impractical or if it’s cost isdisproportionate to theimprovement gained or

b. Society desires the benefit ofthe activity given the associated Risk

As Risk is reduced, the less, inproportion, it is necessary to spendto satisfy ALARP, The concept ofdiminishing proportion isrepresented by the triangle

Level of residual risk regarded asnegligible, and further measures toreduce risk not usually required. Noneed for detailed working todemonstrate ALARP

I

II

III

IV

Intolerable Risk

Undesirable Risk and only Tolerable if Risk reductionis impracticalor if costs are grossly disproportionate to risk reductiongained

Tolerable Risk if the cost of riskreduction would exceed the improvement gained

NegligibleRisk

Interpretation Risk

Classes


Risk Graph (determination of SIL)

C Consequence of hazard– CA: Minor injury– CB: Serious injury, death of one person– CC: Death to several persons– CD: Very many people killed

F Frequency of exposure to hazard– FA: Rare to more often– FB: Frequent to permanent

P Possibility to avoid hazard– PA: Possible– PB: Almost impossible

W Probability of occurrence of hazard– W1: Very low– W2: Low– W3: High

CA

FA

PA

w3

a

1

2

3

4

b

CB

CC

CD

FB

FAFB

FA

FB

PB

PAPB

PAPB

PA

PB

X1

X2

X3

X4

X5

X6

w2

---

a

1

2

3

4

w1

---

---

a

1

2

3

--- No safety requirementsa No special safety requirementsb A single E/E/PES is not sufficient1- 4 Safety Integrity Level

CB; FA ; PB => SIL 1

CC; FB ; PB => SIL 3

1. Unmanned installation:

2. Manned installation:

11


Risk Graph (determination of SIL)


Risk Matrix

Consequences Demand Rate (time between demands)

Health and Safety

Economics (Loss in €)

Environmental effect

Negligible Demand

> 20 years

4 - 20 years

0.5 - 4 years

0 - 0.5 years

Slight Injury or Health Effect

Slight < 10 k Slight - - a 1 a 2 a 2

Minor Injury or Health Effect

Minor 10 k - 100 k Minor - a 1 a 2 1 2

Major Injury or Health Effect

Medium 100 k - 1 M Local - a 2 1 2 3

1 – 3 Fatalities

Major 1 M - 10 M Major - 1 2 3 4 (x)

Multiple Fatalities

Extensive > 10 M Massive - 2 3 4 (x) x

12


LOPA: example of defenses

Initiating events Pro

tect

ion

laye

rshazardReleased hazard ConsequencesC

ondi

tiona

l m

odifi

ers

Miti

gatio

nla

yers

The PZHH

function

Downstream blockage

Loss of containment

Explosion of gas cloud

One operator killed and 6 months downtime

pre-alarm and trip

RV pops Flaring RV repair &Environmental impact

ignition exposure


SIL Classification Methodology

Team effort:• Facilitator• Process Eng.• Operations/Maintenance Eng.• Safety Eng (pt)• Rotating Equipm. Eng (pt)

Consequence of Failure on Demand– Narrative describing:

• Failure on demand => hazardousevents => ultimate consequences

• Consequence severity• Personal Safety, Environment,

Economics

Demand scenario– Most likely initiating events– Other protections (not the SIF under

consideration)

Design intent of SIF– Hazardous situation to be protected

against

Identify the SIF– SIF ID – SIF description– References to HAZOP

13


EXAMPLE Risk Matrix

Consequences Demand Rate (time between demands)

Health and Safety

Economics (Loss in €)

Environmental effect

Negligible Demand

> 20 years

4 - 20 years

0.5 - 4 years

0 - 0.5 years

Slight Injury or Health Effect

Slight < 10 k Slight - - a 1 a 2 a 2

Minor Injury or Health Effect

Minor 10 k - 100 k Minor - a 1 a 2 1 2

Major Injury or Health Effect

Medium 100 k - 1 M Local - a 2 1 2 3

1 – 3 Fatalities

Major 1 M - 10 M Major - 1 2 3 4 (x)

Multiple Fatalities

Extensive > 10 M Massive - 2 3 4 (x) x


Health and Safety Consequences

Effect Description

Slight injury First aid case and medical treatment case. Not affecting work performance or causing disability.

Minor injury Lost time injury. Affecting work performance, such as restriction to activities or a need to take a few days to fully recover (maximum one week).

Major injury Including permanent partial disability. Affecting work performance in the longer term, such as prolonged absence from work. Irreversible health damage without loss of life, e.g. noise induced hearing loss, chronic back injuries.

1 - 3 fatalities Also includes the possibility of multiple fatalities (1 -3) in close succession due to the incident, e.g. explosion.

Multiple fatalities Catastrophe due or in close succession to the incident.

14


Economic Losses

Effect DescriptionSlight damage No disruption to operation< 10 k€

Minor damage Brief disruption10 k€ - 100 k€

Local damage Partial shutdown that can be100 k€ - 1 M€ restarted

Major damage Partial operation loss (2 weeks1 M€ - 10 M€ shutdown)

Extensive damage Substantial or total loss of operation> 10 M€


Environmental Consequences

Effect DescriptionSlight effect Local environmental damage. Within the fence

and within systems. Negligible financialconsequences.

Minor effect Contamination; damage sufficiently large to attack the environment; No permanent effect on the environment.

Local effect Limited loss of discharges of known toxicity; Affecting neighborhood beyond the fence.

Major effect Severe environmental damage. The company is required to take extensive measures to restore the contaminated environment to its original state.

Massive effect Persistent severe environmental damage or severe nuisance extending over a large area. In terms of commercial or recreational use or nature conservancy, a major loss for the company.

15


What are the SIFs ?

LRC

Thermal or FireRelief onlysetting 60 barg

DesignPressure60 Barg

100

V100

LCV100

PRCA

H

100

PCV100

SP50 barg

120 Bar

Hydrocarbons

SIF 1 : to protect the pump against gas.

SIF 2 : to protect the vessel againstoverpressure

P1


HAZOP, SIF, SIL

Known your risks : HAZOP

Define your SIFs

Determine the SIL for each SIF

Document all safety relevant requirements(SRS : safety requirement specification)

Questions?

16


Asset Excellence Solutions that maximize performance of assets and productivity of production.

hazop sif sil

Documents

hazop sif silcharacteristics

hazop sif silwhat

hazop sif sil page

hazop sif silrisk assessment

yescontrol system

possible ways

possible cause

process design