tekna presentation 2711_2007morten andresen

part of the Aker group

Practical use of ISO 10418

Morten Andresen , Specialist Process EngineerAker Kværner Engineering & Technology

23-Nov-07 Slide 2

© 2006 Aker Kvaerner


Introduction

■ Purpose of presentation:

● Give a brief overview of differences between the prescriptive approach outlined in API RP 14C compared to the risk-based approach outlined in ISO 10418 and give a brief summary of risk based methods

● Give a brief summary of how the risk-based approach has been utilised on the Skarv/Idun Project

23-Nov-07 Slide 3



API RP 14C vs ISO 10418

■ API RP 14C:• Prescriptive approach, Safety Analysis Tables (SAT) shall be followed

(inconsistent with the risk-based approach of IEC 61511).• Two levels of protection to be provided• Primary and secondary protection shall be independent of and in

addition to, the control devices used in normal operation• The two levels of protection should be provided by functionally different

types of devices• Well established practice in the Offshore Oil & Gas Industry

■ ISO 10418:● Allows compliance with either API RP 14C or risk-based methods in

ISO 17776, ISO 13702 & IEC 61511.● Instrument-based protection as per IEC-61511-1 listed as alternative

solution on secondary protection● Risk based methods included as alternative to use of Safety

Analysis Tables (SAT)● ESS ( Fire & gas system) to meet functional requirements of the fire

and explosion strategy developed per ISO 13702

23-Nov-07 Slide 4



Risk based approach – basic philosophy

From ISO 17776

• Step 1: Identification of the hazard=> define cases and frequency

• Step 2: Assessment of the risk=> define consequences and acceptability

• Step 3: Elimination or reduction of the risk => develop functional requirements for instrumented functions

23-Nov-07 Slide 5



■ Realistic definition of demand rates for each hazard is of greatimportance, all operating scenarios needs to be fully understood

● Overestimation of demand rates will have an impact on regularity=>Redesign (and/or sack the process engineer)

● Underestimation of demand rates may compromise the overall integrity=>Redesign at a late stage, if error is detected

● Shell survey■ 65% of applications over-engineered■ 25% correct■ 10% were under-engineered

Hazard identification and demand rates (step 1)

23-Nov-07 Slide 6



Acceptance Criterias (step 2)Acceptance criteria for an event needs to be defined before integritylevel assessment can start

3x10-4/yearEvent resulting in 1 or more disabling injuriesE

3x10-3/yearEvent resulting in 1 or more lost time injuriesF

3x10-2/yearEvent resulting in 1 or more first aid injuriesG

3x10-5/yearEvent resulting in 1 to 10 fatalitiesD

3x10-6/yearEvent resulting in 10 to 50 fatalitiesC

3x10-7/yearEvent resulting in 50 to 200 fatalitiesB

3x10-8/yearEvent resulting in more than 200 fatalitiesA

TMEL (Target MitigatedEvent Likelihood)

Safety consequenceSeveritylevel

Table above example only, can vary from operator to operator

Operators also have similar matrices for commercial & environmental risk assessment

23-Nov-07 Slide 7



■ Eliminate risk or reduce risk as requiredIntegrity level (IL) requirements needs to be defined for each instrumentedfunction, can be done by one of the following methods:

■ QRA (Quantitative Risk Analysis)■ LOPA (Layer of Protection Analysis), semi-quantitative■ Risk matrices■ Risk graphs

Develop functional requirements (step 3)

Challenge: 1. The above mentioned methods may give different IL requirements (Risk

graph and risk matrices will give higher IL than LOPA)2. IL requirements highly dependent on how the Project assume demand

rates and select acceptance criterias

23-Nov-07 Slide 8



Case study, overpressure protection of Inlet Separator

Step 1: Hazard identification and demand rates:packed flowline will overpressure separator above test pressure due to maloperation in start-up sequence, flowrate abovedesign capacity of the flare system. Unplanned shutdowns root cause for hazardDemand rates per flowline, unplanned shutdowns:

12 PSDs per year5 ESDs per yearTotal 12 + 5 = 17 per year

Step 2: Consequence : Overpressure of separator resulting in leakage and ignition => 1 to 10 fatalities assumed => acceptance criteria 3x10-5/year

Assumption, based on experience from otherfacilities

Inlet Separator

Inlet Manifold5 flowlinesfrom Subsea

Choking strategy: Subsea choke used to control production,topside choke normally fully open

PSV

To Flare

XVESV

PSHH

23-Nov-07 Slide 9



Case study, overpressure protection of Inlet Separator

Inlet Separator

Inlet Manifold

IOPPS2

Step 3: Define functional requirements

Risk reduction required: 17 / 3x10-5 = 567000Instrument functions need to reduce risk such that the acceptance criteria of 3x10-5/year is met

Assumption:Subsea PSD : Successful subsea shutdown will prevent packed flowline, SIL 1 assumed , demand rate 17/10=1.7Topside PSD: PSHH to close 5 XV valves. Assumed to fail 1 out of 10 times (SIL 1), demand rate 1.7/2=0.65IOPPS1: Close 1 XV valve. Assumed to fail 1 out of 100 times (SIL 2), demand rate 0.65/100 = 0.0065 >> 3x10-5 => additional risk

reduction required 0,0065/3e-5=217IOPPS2: Close 1 ESD valve. Assumed to fail 1 out of 100 times (SIL 2), demand rate 0.0065/100 => 0.000065 > 3x10-5 additional risk

reduction required 0,000065/ 3x10-5 = 2,17 => almost there (!) if key assumption can be confirmed

5 flowlinesfrom Subsea

PSV

To Flare

XVESV

PSHH

Is this still valid if topside choking is applied? SIL 1 realistic for subsea PSD?

10000 to 1000000.00001 to 0.0001SIL 4

1000 to 100000.0001 to 0.001SIL 3

100 to 10000.001 to 0.01SIL 2

10 to 1000.01 to 0.1SIL 1

1 to 100.1 to 1SIL 0

Risk ReductionFactor (RRF)

Probability offailure on demandaverage range (PFD avg)

Safety IntegrityLevel (SIL)

IOPPS1

SIL definitions as per IEC 61508:

Key assumption:flow assurance work can confirm realistic valve closing times

Subsea PSD

23-Nov-07 Slide 10



Skarv/Idun approach

■ Prescriptive approach as per API RP 14C is the starting point

■ SAT developed and incorporated on P&IDs■ HAZOP performed■ LOPA performed after HAZOP

23-Nov-07 Slide 11



Skarv/Idun FEED LOPA

Use of LOPA of SISsfound on P&IDs

HAZID to identifyother SISs

If PFD = 1 If IL 0 If IL 1 If IL 2 If IL 3

Evaluate whetherSIS should be removed or not

yes

no

The SIS can be removed

No further assessmentneeded The SIS not to be removed. No special requirements.

No further assessmentis needed. Some risk reduction is required for the SIS

No further assessmentis needed. IL 1 is required for the SIS

No further assessmentis needed. IL 2 is required for the SIS

Quantitative methodsshould be used

LOPA (Layer of Protection Analysis) was performed on each instrument-based safety function, approach below as per internal Client guidelines

23-Nov-07 Slide 12



Skarv/Idun FEED LOPA results

● Most process safety functions were assessed (approx. 150). The functions were included as a result of the prescriptive approach (Safety Analysis Tables)

● Approx. 50% of the process safety functions, had no IL-requirement, implying risk reduction not required and hence SIS-function not required.

● In the majority of cases, commercial or environmental requirements gave the IL-requirement by being more stringent than the safety requirement

● Project has at this stage not yet agreed on whether functions with no IL-requirement shall be removed or not.

● Some functions were deemed to critical for LOPA (IL 3 functions) and were routed to QRA for further assessment (overpressure protection of Separators, overpressure protection of Cargo Tanks, overpressure protection of Flare KO Drums)

23-Nov-07 Slide 13



Experience from the Skarv/Idun Project

■ The LOPA method is new to AK process engineers and lack of knowledge to themethodology created a lot of confusion in the beginning

■ LOPA training course was arranged by the Client, and in perspective it has beenrecognised that this was crucial to get the right commitment from the Project Team

■ Quality of LOPA sessions highly dependent on key personnel being present. Severalsessions had to be cancelled/rescheduled due to absence of key personnel

■ Change of personnel during project execution create additional confusion as newproject members not familiar with LOPA method question the work performed at an earlier stage

■ LOPA results identified significant potential for reduction in Instrumented Functions, results inline with Shell survey (65% of applications over-engineered,25% correct, 10% were under-engineered)

23-Nov-07 Slide 14



Summary – From a process discipline point of view■ Risk-based approach vs prescriptive approach

● Design of process safety functions more time-consuming if risk-based approach is selected, needs to be taken into account in planning activities at an early stage

● Common understanding on how to apply risk-based approach in design between Contractor and Client is crucial in order to minimise risk in the project execution phase

● Risk-based approach may add risk to the project execution => Disagreements related to methodology, demand rates, acceptance criterias and critical assumptions may introduce changes at a late stage and add risk to the Project

● Care should be taken when including suppliers into these type of activities as cost and schedule impact must be expected

● Performance monitoring and testing of ESS (Fire & Gas) critical, as credit for ESS is main reason for reduction in Instrument-based safety functions.

● Risk based approach will reduce no. of instrumented functions => potential for cost savings in operating phase

● A pragmatic mix of prescriptive and risk-based approaches is recommended

23-Nov-07 Slide 15



Copyright

Copyright of all published material including photographs, drawings and images in this document remains vested in Aker Kvaerner and third party contributors as appropriate. Accordingly, neither the whole nor any part of this document shall be reproduced in any form nor used in any manner without express prior permission and applicable acknowledgements. No trademark, copyright or other notice shall be altered or removed from any reproduction.

tekna presentation 2711_2007morten andresen

Documents