Impact of Deficiencies and Errors in Hazard Assessment Studies on SIS Functionality and Performance

Transcription

1 Impact of Deficiencies and Errors in Hazard Assessment Studies on SIS Functionality and Performance Dr. Leszek Kasprzak 12 th International TÜV Rheinland Symposium Functional Safety and Security in Industrial Applications Cologne, Germany, May 10-11, 2016

2 Introduction The primary aim of my presentation is to show how seriously the functionality and reliability of SIS may be impaired due to insufficient or incorrect evaluation of hazardous scenarios during early stages of the project lifecycle; The cases discussed in this presentation are selected from findings which I made by myself in the hazard identification and SIS assessment reports during their informal and formal verification within last 15 years; The intention of showing the very specific and carefully selected cases is to bring to attention that there is undeniable and strong link between achieving safety and competence of people involved in design of hazardous installation; These examples, their outcomes and presented statistics SHALL NOT be understood as the overall picture of the design or operation staff competence condition in regards to safety principles implementation and safety management reas across whole industry. 2

3 Hazard Identification in IEC Hazard & Risk Assessment (1) Management of functional safety & functional safety assessment (10) Safety Lifecycle structure & planning (11) Allocation of Safety Functions to Protection Layers (2) Safety Requirements Specification for the Safety Instrumented System (3) Design & engineering of safety Instrumented system (4) Installation, commissioning & validation (5) Operation & Maintenance (6) Modification (7) Design & development of other means of risk reduction FSA Stage 3 Verification (9) Decommissioning (8) 3

4 Distribution of Causes of the Control and Safety Systems Failures Through Lifecycle Phases Source: HSE UK Out of Control (ISBN ) 4

5 Design House Responsibilities Since the hazard identification is one of the key elements deciding about the accuracy of the Safety Requirements Specification (SRS) then this is a design house duty to assure that Safety Lifecycle processes are properly applied from the early stages of design. The activities usually include: Development and Implementation of Safety Plan; Selection of safety engineering staff with relevant skills and competencies; Applying the best available engineering solution in liaison with licensors and customer; Development and implementation of safety studies schedule in line with design progress for each unit; Selection of third party Chairmen for HAZOP and SIL assignment / determination workshops; Selection of third party Consultants to perform independent studies and verification activities as required by law, design standards or good practice; 5

6 Expected Competencies as per HSE UK Guide Technical skills - e.g. hazard analysis, report writing Behavioural skills - e.g. personal integrity, interpersonal skills, problem solving, attention to detail Underpinning knowledge - e.g. domain (application area) knowledge Underpinning understanding - e.g. principles of safety and risk 6

7 Hazard Identification During Design Activities During a design process a several ways may be applied to identify and review the safety aspects associated with designed installation: Interdisciplinary design review made internally by project teams to rise the operational and safety concerns in line with applicable design standards and good practice, HAZID, HAZOP and SIL workshops supported by independent facilitators to link the potential safety and operational issues with proposed safeguarding and identify potential gaps within it, Developing FTA/ETA to acquire detailed picture of hazardous scenarios development, Applying QRA to identify the design restriction (e.g. layout) or additional requirements for the areas under impact (e.g. fire and explosion proof of the occupied buildings), Employing third party consultants to validate the safety findings. 7

8 What May Go Wrong? Approach to hazard identification may be too generic in cases where the design of process unit is well known and already includes its own safeguarding, also specific SIFs with already predetermined SIL what may lead to: insufficient understanding of the alarms and trips purpose in vendor packages; gaps in risk reduction, since the predetermined SIL allocated to SIFs may not reflect the its actual location in terms of distance to the occupied areas. Insufficient understanding of the principles and rules of the standardized studies such as HAZID or HAZOP in terms of the safeguarding identification and applications; Incorrect transition of the HAZID or HAZOP (or other relevant studies) findings into model of Protection Layers to be used for assessment of the target SIL for particular SIF; Use of unjustified factors in quantitative assessment of Initiating Cause frequency or Protection Layers performance; Reports are not providing sufficient information regarding the basis of their conclusions; Acting under pressure of overall project schedule what prevents deeper discussion on some complex issues. 8

9 Protection Layers and SIL If there is any hazardous scenario missing or the model of Protection Layers for the particular hazardous scenario contains errors or deficiencies then it is possible that: SIF is missing from the plant design and specific risk may remain unprotected or unmitigated; SIF functionality is not correctly defined; SIF response / performance on demand is significantly compromised; Consequences of spurious trip may not be identified correctly. 9

10 Protection Layers as per IEC Part 3 Specificity: An PL is designed solely to prevent or to mitigate the consequences of one potentially hazardous event. Multiple causes may lead to the same hazardous event; and, therefore, multiple event scenarios may initiate action by a IPL. Independence: An PL is independent of the other protection layers if it can be demonstrated that there is no potential for common cause or common mode failure with any other claimed PL. Dependability: It can be counted on to do what it was designed to do by addressing both random failures and systematic failures during its design. Auditability: It is designed to facilitate regular validation of the protective functions. 10

11 Impact of the Incorrect HAZOP Outcomes on LOPA Study SIF purpose/function was not identified correctly, or a hazardous scenario has been associated with the wrong SIF and subsequently SIS is unable to perform required action to prevent or mitigate the hazardous event consequences, Independent Protection Layer (IPL) applied in the LOPA assessment is not applicable to the evaluated scenario (e.g. it does not actually prevent the scenario at any points of its development), IPLs applied in the LOPA assessment are not independent from each other, IPL applied in the LOPA assessment is not independent from the initiating event, IPL applied in the LOPA assessment is not independent from the SIF being assessed, 11

12 Impact of the Incorrect HAZOP Outcomes on LOPA Study Conditional Modifiers (ignition, occupancy etc.) applied without proper justification, High reliability assigned to operator actions, High risk action assigned to operator, The calculations of initiating event frequencies are incorrect. 12

13 SIF Verification Status Through Design Stages In general, the findings made in reviewed safety studies and associated design documents can be split into three following categories: CAT 1 - SIFs/SISs complying applicable standards and additional design requirements; CAT 2 - SIFs/SISs where the assessment shown deficiencies against practice and applicable standards, but the identified errors do not incur the increase of the risk for personnel or environment; CAT 3 - SIFs/SISs where the errors in assessment may lead to significant gap in risk reduction measures 13

14 SIF Verification Status Through Design Stages FEED Stage of design EPC Stage of Design 14

15 SIF Verification Status Through Design Stages The serious errors in SIF development are well managed and rectified during the transition from FEED into EPC stage of plant design, however their number; The remaining serious errors in SIF development during the EPC stage are usually a result of design changes and can be rectified during pre-commissioning stage (FSA Stage 3); The major concern may be a significant proportion of the minor deficiencies in SIF development which may result in some operational issues during start-up and further maintenance, however these deficiencies should not create any hazardous conditions and may be rectified through FSA Stage 3. 15

16 Lesson Learned 1 HP Gas - Liquid Separator PAHH 1 PC Fire Case/Blocked Outlet/ PV Failure Flare Header 12 ESDV1 PV Gas Blow-by/Blocked Outlet LALL 1 LC1 PAHH 2 12 PC2 PV LAHH 2 ESDV2 LV 12 2 Vent or Downstream Unit Gas blow-by case Separator Operating Pressure = 120 barg Flash Drum Design Pressure = 10 barg LC2 LALL 2 LV or Transfer Pump Transfer Pump ESDV2 Closure Time = 12 sec Note: Similar hazardous scenario is possible at Amine Treatment Unit. ESDV3 6 Drain or Downstream Unit 16

17 Lesson Learned 1 HP Gas - Liquid Separator Design Intention of the Implemented SIFs: PAHH1 on separator high pressure in separator which may be caused gas line blockage or pressure control valve failure at the separator inlet line or valve closure downstream separator which may lead to serious separator damage and gas release, LALL1 on separator loss of liquid in high pressure separator which may lead to gas breakthrough to low pressure flash drum which may lead to its rupture and gas release, PAHH2 on flash drum high pressure in flash drum caused by flashing gas outlet blockage downstream which may lead to flash drum damage and loss of containment, LAHH2 on flush drum high liquid level in flash drum caused by liquid pump failure, line blockage etc. Which may lead to liquid carryover to flashing gas outlet, LALL2 on flash drum low liquid level in flash drum caused by liquid pump control system failure which may lead to pump damage and potentially its leakage. 17

18 Lesson Learned 1 HP Gas - Liquid Separator HAZOP and SIL/LOPA teams assumptions, findings and conclusions: The key action to prevent gas breakthrough to flash drum is closure of ESDV2 this is correct, The cause leading to this scenario is either LV stuck open or LC failure this is correct, The primary safety loop preventing the gas breakthrough consequences is either LAHH2 or PAHH2 this is wrong, since this is not their primary purpose, Very often the high liquid alarm on LC2 or high pressure alarm on PC2 in flash drum or low level alarm LC1 in separator are accounted as a credible safeguard in HAZOP or even as IPL in LOPA this is wrong, since operator has no sufficient time to respond or the cause of alarm is uncertain, It needs to be highlighted that in several studies the operator action as an IPL, in response to LC2 or PC2, is to go to the site, override the control valve on flash gas line and set to full open position manually this is wrong, since it puts operator directly into hazard impact area. 18

19 Lesson Learned 1 HP Gas - Liquid Separator Summary: Findings are based on 20 various projects utilizing high pressure gas separation and/or amine treatment units which were verified at FEED, EPC and pre-commissioning stages; All reviewed hazard identification an SIL assessments reports identified correctly the initiating causes for gas blow-by scenario; All reviewed hazard identification an SIL assessments reports identified PSV as an applicable IPL and its design case was correctly validated; In four projects all of reviewed studies were correct and no serious gaps in SIF design were identified; About 60% studies considered high level trip or high pressure trip on flash drum as a primary SIF for this scenario. In 1 case the removal of low level trip in separator was recommended as it was considered as an redundant system; About 30% cases the operator response on high level or high pressure alarm in flash drum was considered as an credible IPL and led to reduction of target SIL for SIF. In two cases the operator was requested to go to the site and perform action when gas blow-by was already developing; In two projects all above listed errors were found. 19

20 Lesson Learned 2 Heat Exchanger Not reliable for tube rupture Flare Header PAHH COLD LP Tube Rupture HOT HP GAS HP GAS Blocked Outlet ESDV 12 No high pressure 12 safety loop Tube Operating Pressure = 100 barg Tube rupture case Shell Design Pressure = 10 barg ESDV2 Closure Time = 12 sec LP 20

21 Lesson Learned 2 Heat Exchanger The primary design intend of the high pressure trip (PAHH) on the exchanger shell is to stop gas flow in case of the flow loss of the cooling water. The boiling water may lead to shell overpressure and its damage. The secondary design intend of the PAHH on the exchanger shell is to stop gas flow of minor tube leakage. The gas line operating pressure is 120 barg whilst the shell design pressure is 10 barg. Some of the HAZOP and SIL/LOPA teams believe that PAHH function may be applied as the reliable IPL in case of the tube rupture, however the time required to close the emergency shut off valve (ESDV) is usually more than 10 seconds and the damage of shell side may occur before the safety action is completed. Given the very low frequency of tube rupture (based on historical OGP data), the properly designed PSV on exchanger shell is a sufficient safeguard to achieve ALARP. 21

22 Conclusions To reduce significantly the number of errors and deficiencies in SIF development affecting SRS, the design houses should take more care about relevant competencies in selection process of design team and external contractors in order to assure proper implementation of the safety systems life-cycle principles from the earliest stages of the plant design; Early identification of deficiencies and errors in SIF development reduces the costs of rectifying them. Therefore it is strongly advised to include FSA Stage 1 and FSA Stage 2 in the overall project schedule; Leaving a large number of unresolved issues till FSA Stage 3 may generate additional costs and may significantly delay the project execution; The larger number of errors during in SIF development process occurs the higher probability that some of them may not be capable to perform their function during plant operation. 22

23 Thank you for attention! Questions? 23