Impact of Deficiencies and Errors in Hazard Assessment Studies on SIS Functionality and Performance


Impact of Deficiencies and Errors in Hazard Assessment Studies on SIS Functionality and Performance. Dr. Leszek Kasprzak, 12th International TÜV Rheinland Symposium Functional Safety and Security in Industrial Applications, Cologne, Germany, May 10-11, 2016

Introduction
The primary aim of my presentation is to show how seriously the functionality and reliability of a SIS may be impaired by insufficient or incorrect evaluation of hazardous scenarios during the early stages of the project lifecycle. The cases discussed in this presentation are selected from findings which I made myself in hazard identification and SIS assessment reports during their informal and formal verification within the last 15 years. The intention of showing these very specific and carefully selected cases is to bring to attention that there is an undeniable and strong link between achieving safety and the competence of the people involved in the design of hazardous installations. These examples, their outcomes and the presented statistics SHALL NOT be understood as the overall picture of design or operation staff competence in regard to safety principles implementation and safety management areas across the whole industry.

Hazard Identification in IEC 61511 (safety lifecycle phases as numbered in the standard):
(1) Hazard & risk assessment
(2) Allocation of safety functions to protection layers
(3) Safety requirements specification for the safety instrumented system
(4) Design & engineering of safety instrumented system
(5) Installation, commissioning & validation
(6) Operation & maintenance
(7) Modification
(8) Decommissioning
(9) Verification
(10) Management of functional safety & functional safety assessment
(11) Safety lifecycle structure & planning
Also shown on the lifecycle diagram: design & development of other means of risk reduction (alongside phases 3 and 4), and FSA Stage 3 (before operation & maintenance).

[Chart: Distribution of causes of control and safety system failures through lifecycle phases. Source: HSE UK, Out of Control (ISBN 978 0 7176 2192 7)]

Design House Responsibilities
Since hazard identification is one of the key elements determining the accuracy of the Safety Requirements Specification (SRS), it is the design house's duty to assure that Safety Lifecycle processes are properly applied from the early stages of design. The activities usually include:
Development and implementation of a Safety Plan;
Selection of safety engineering staff with relevant skills and competencies;
Applying the best available engineering solution in liaison with licensors and the customer;
Development and implementation of a safety studies schedule in line with design progress for each unit;
Selection of third-party Chairmen for HAZOP and SIL assignment / determination workshops;
Selection of third-party Consultants to perform independent studies and verification activities as required by law, design standards or good practice.

Expected Competencies as per HSE UK Guide
Technical skills, e.g. hazard analysis, report writing;
Behavioural skills, e.g. personal integrity, interpersonal skills, problem solving, attention to detail;
Underpinning knowledge, e.g. domain (application area) knowledge;
Underpinning understanding, e.g. principles of safety and risk.

Hazard Identification During Design Activities
During a design process several methods may be applied to identify and review the safety aspects associated with the designed installation:
Interdisciplinary design reviews made internally by project teams to raise operational and safety concerns in line with applicable design standards and good practice;
HAZID, HAZOP and SIL workshops supported by independent facilitators to link the potential safety and operational issues with the proposed safeguarding and identify potential gaps within it;
Developing FTA/ETA to acquire a detailed picture of how hazardous scenarios develop;
Applying QRA to identify design restrictions (e.g. layout) or additional requirements for the areas under impact (e.g. fire and explosion protection of occupied buildings);
Employing third-party consultants to validate the safety findings.

What May Go Wrong?
The approach to hazard identification may be too generic in cases where the design of the process unit is well known and already includes its own safeguarding, including specific SIFs with a predetermined SIL, which may lead to: insufficient understanding of the purpose of alarms and trips in vendor packages; gaps in risk reduction, since the SIL predetermined for a SIF may not reflect the unit's actual location in terms of distance to occupied areas.
Insufficient understanding of the principles and rules of standardized studies such as HAZID or HAZOP in terms of safeguard identification and application;
Incorrect transfer of HAZID or HAZOP (or other relevant study) findings into the model of Protection Layers used to assess the target SIL for a particular SIF;
Use of unjustified factors in the quantitative assessment of initiating cause frequency or Protection Layer performance;
Reports not providing sufficient information regarding the basis of their conclusions;
Acting under the pressure of the overall project schedule, which prevents deeper discussion of some complex issues.

Protection Layers and SIL
If any hazardous scenario is missing, or the model of Protection Layers for a particular hazardous scenario contains errors or deficiencies, then it is possible that:
a SIF is missing from the plant design and a specific risk remains unprotected or unmitigated;
the SIF functionality is not correctly defined;
the SIF response / performance on demand is significantly compromised;
the consequences of a spurious trip are not identified correctly.

Protection Layers as per IEC 61511 Part 3
Specificity: A PL is designed solely to prevent or to mitigate the consequences of one potentially hazardous event. Multiple causes may lead to the same hazardous event; therefore, multiple event scenarios may initiate action by an IPL.
Independence: A PL is independent of the other protection layers if it can be demonstrated that there is no potential for common cause or common mode failure with any other claimed PL.
Dependability: It can be counted on to do what it was designed to do, by addressing both random failures and systematic failures during its design.
Auditability: It is designed to facilitate regular validation of the protective functions.

Impact of the Incorrect HAZOP Outcomes on LOPA Study
The SIF purpose/function was not identified correctly, or a hazardous scenario has been associated with the wrong SIF, so the SIS is unable to perform the action required to prevent or mitigate the consequences of the hazardous event;
An Independent Protection Layer (IPL) applied in the LOPA assessment is not applicable to the evaluated scenario (e.g. it does not actually prevent the scenario at any point of its development);
IPLs applied in the LOPA assessment are not independent of each other;
An IPL applied in the LOPA assessment is not independent of the initiating event;
An IPL applied in the LOPA assessment is not independent of the SIF being assessed;
Conditional modifiers (ignition, occupancy etc.) are applied without proper justification;
High reliability is assigned to operator actions;
A high-risk action is assigned to the operator;
The calculations of initiating event frequencies are incorrect.
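The following Python check is an added worked example, not material from the presentation. It reproduces three of the errors listed above on a constructed version of the gas blow-by scenario from Lesson Learned 1: an operator alarm raised by the same level loop whose failure is the initiating event (not independent), an operator response claimed where the process safety time is far shorter than a field response, and ignition/occupancy modifiers credited without justification. It applies the independence and dependability criteria of IEC 61511-3 to each claimed layer, then converts the remaining frequency into a required risk reduction factor and SIL. Tags not used in the talk (LT1, LT1b, LT2, PSV-2) and every frequency, PFD, response time, modifier and process safety time are assumptions made for this example; they are not values from IEC 61511 or from any real project.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Layer:
    """A protection layer as claimed in a HAZOP/LOPA worksheet."""
    name: str
    pfd: float                    # probability of failure on demand
    components: FrozenSet[str]    # instruments, valves and people it relies on
    response_time_s: float        # demand to completed action

@dataclass
class Scenario:
    initiating_event: str
    ie_components: FrozenSet[str] # equipment whose failure is the initiating event
    ie_frequency: float           # demands per year
    target_frequency: float       # tolerable mitigated event frequency per year
    process_safety_time_s: float  # time until the consequence can no longer be averted
    claimed_ipls: List[Layer]
    modifiers: Dict[str, float] = field(default_factory=dict)

def screen_ipls(scn: Scenario, sif_components: FrozenSet[str]) -> Tuple[List[Layer], List[str]]:
    """Keep only layers that are independent (no equipment shared with the
    initiating event, the SIF being sized, or an already accepted IPL) and
    fast enough to act inside the process safety time. Returns the accepted
    layers and one reason string per rejected layer."""
    accepted, reasons = [], []
    in_use = set(scn.ie_components) | set(sif_components)
    for ipl in scn.claimed_ipls:
        shared = ipl.components & in_use
        if shared:
            reasons.append(f"{ipl.name}: not independent, shares {sorted(shared)}")
        elif ipl.response_time_s >= scn.process_safety_time_s:
            reasons.append(f"{ipl.name}: too slow ({ipl.response_time_s:.0f} s "
                           f"vs PST {scn.process_safety_time_s:.0f} s)")
        else:
            accepted.append(ipl)
            in_use |= ipl.components
    return accepted, reasons

def required_rrf(scn: Scenario, ipls: List[Layer], use_modifiers: bool) -> float:
    """Risk reduction factor the SIF must provide: frequency of reaching the
    consequence with the credited layers, divided by the tolerable frequency."""
    freq = scn.ie_frequency
    for ipl in ipls:
        freq *= ipl.pfd
    if use_modifiers:
        for factor in scn.modifiers.values():
            freq *= factor
    return freq / scn.target_frequency

def required_sil(rrf: float) -> int:
    """IEC 61511 low-demand SIL bands expressed as RRF. A requirement below a
    factor of 10 is rounded up to SIL 1 here rather than left to a non-SIL layer."""
    if rrf <= 1:
        return 0      # no SIF needed for this scenario
    if rrf <= 100:
        return 1
    if rrf <= 1000:
        return 2
    if rrf <= 10000:
        return 3
    return 4          # more than one SIF should carry; redesign instead

# Constructed scenario shaped after Lesson Learned 1: gas blow-by from the HP
# separator into the LP flash drum after the LC1/LV level loop fails open. The
# SIF being sized is LALL1 closing ESDV2. Tags not used in the talk (LT1, LT1b,
# LT2, PSV-2) and every numeric value are assumptions for this example only.
GAS_BLOW_BY = Scenario(
    initiating_event="LC1 loop failure / LV stuck open",
    ie_components=frozenset({"LT1", "LC1", "LV"}),
    ie_frequency=0.2,
    target_frequency=1e-5,
    process_safety_time_s=60.0,
    claimed_ipls=[
        Layer("PSV on flash drum", 0.01, frozenset({"PSV-2"}), 2.0),
        # low level alarm raised by the very loop whose failure is the cause
        Layer("operator on LC1 low level alarm", 0.1, frozenset({"LT1", "operator"}), 600.0),
        # independent instrument, but a field response cannot fit inside the PST
        Layer("operator on LC2 high level alarm", 0.1, frozenset({"LT2", "operator"}), 600.0),
    ],
    modifiers={"ignition": 0.3, "occupancy": 0.5},   # claimed without justification
)
SIF_LALL1 = frozenset({"LT1b", "ESDV2"})

def as_submitted() -> int:
    """SIL the flawed worksheet arrives at: every claimed layer and modifier credited."""
    return required_sil(required_rrf(GAS_BLOW_BY, GAS_BLOW_BY.claimed_ipls, True))

def as_verified() -> Tuple[int, List[str]]:
    """SIL after screening the layers and dropping the unjustified modifiers."""
    ipls, reasons = screen_ipls(GAS_BLOW_BY, SIF_LALL1)
    return required_sil(required_rrf(GAS_BLOW_BY, ipls, False)), reasons

if __name__ == "__main__":
    sil, why = as_verified()
    print(f"as submitted: SIL {as_submitted()}; as verified: SIL {sil}")
    for line in why:
        print("  rejected:", line)
```

With these constructed numbers the uncorrected worksheet concludes that no SIF is needed at all (every claimed layer and both modifiers multiply the frequency below the target), while the screened version credits only the PSV and arrives at SIL 2 for LALL1. The point is the mechanism rather than the figures: each non-independent or too-slow layer that is credited removes a full decade of risk reduction from the SIF specification.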

SIF Verification Status Through Design Stages
In general, the findings made in the reviewed safety studies and associated design documents can be split into the following three categories:
CAT 1: SIFs/SISs complying with applicable standards and additional design requirements;
CAT 2: SIFs/SISs where the assessment showed deficiencies against good practice and applicable standards, but the identified errors do not increase the risk to personnel or the environment;
CAT 3: SIFs/SISs where the errors in assessment may lead to a significant gap in the risk reduction measures.

[Chart: SIF Verification Status Through Design Stages, FEED stage of design versus EPC stage of design]

SIF Verification Status Through Design Stages
The serious errors in SIF development are well managed and rectified during the transition from the FEED into the EPC stage of plant design, however their number;
The remaining serious errors in SIF development during the EPC stage are usually a result of design changes and can be rectified during the pre-commissioning stage (FSA Stage 3);
The major concern may be the significant proportion of minor deficiencies in SIF development, which may result in some operational issues during start-up and later maintenance; these deficiencies should not create any hazardous conditions and may be rectified through FSA Stage 3.

Lesson Learned 1 HP Gas - Liquid Separator
[Figure: P&ID sketch of the HP gas-liquid separator (PAHH1/PC1, LALL1/LC1, ESDV1, PV; fire case / blocked outlet / PV failure relieved to the flare header) feeding the LP flash drum (PAHH2/PC2, LAHH2/LC2, LALL2, LV, ESDV2 on the liquid line, transfer pump, ESDV3 on the drain / downstream unit). Gas blow-by case: Separator Operating Pressure = 120 barg; Flash Drum Design Pressure = 10 barg; ESDV2 Closure Time = 12 sec. Note: a similar hazardous scenario is possible at the Amine Treatment Unit.]

Lesson Learned 1 HP Gas - Liquid Separator
Design intention of the implemented SIFs:
PAHH1 on separator: high pressure in the separator, which may be caused by gas line blockage, pressure control valve failure on the separator inlet line, or valve closure downstream of the separator, and which may lead to serious separator damage and gas release;
LALL1 on separator: loss of liquid in the high pressure separator, which may lead to gas breakthrough to the low pressure flash drum, which in turn may lead to its rupture and gas release;
PAHH2 on flash drum: high pressure in the flash drum caused by blockage downstream of the flash gas outlet, which may lead to flash drum damage and loss of containment;
LAHH2 on flash drum: high liquid level in the flash drum caused by liquid pump failure, line blockage etc., which may lead to liquid carryover into the flash gas outlet;
LALL2 on flash drum: low liquid level in the flash drum caused by liquid pump control system failure, which may lead to pump damage and potentially its leakage.

Lesson Learned 1 HP Gas - Liquid Separator
HAZOP and SIL/LOPA team assumptions, findings and conclusions:
The key action to prevent gas breakthrough to the flash drum is closure of ESDV2 (correct);
The cause leading to this scenario is either LV stuck open or LC failure (correct);
The primary safety loop preventing the consequences of gas breakthrough is either LAHH2 or PAHH2 (wrong, since this is not their primary purpose);
Very often the high liquid level alarm on LC2 or the high pressure alarm on PC2 in the flash drum, or the low level alarm on LC1 in the separator, are counted as a credible safeguard in HAZOP or even as an IPL in LOPA (wrong, since the operator has insufficient time to respond or the cause of the alarm is uncertain);
It needs to be highlighted that in several studies the operator action claimed as an IPL, in response to LC2 or PC2, is to go to the site, override the control valve on the flash gas line and set it to the fully open position manually (wrong, since it puts the operator directly into the hazard impact area).

Lesson Learned 1 HP Gas - Liquid Separator
Summary: Findings are based on 20 projects utilizing high pressure gas separation and/or amine treatment units which were verified at FEED, EPC and pre-commissioning stages;
All reviewed hazard identification and SIL assessment reports identified the initiating causes for the gas blow-by scenario correctly;
All reviewed hazard identification and SIL assessment reports identified the PSV as an applicable IPL, and its design case was correctly validated;
In four projects all of the reviewed studies were correct and no serious gaps in SIF design were identified;
About 60% of studies considered the high level trip or high pressure trip on the flash drum as the primary SIF for this scenario; in one case removal of the low level trip on the separator was recommended as it was considered a redundant system;
In about 30% of cases the operator response to the high level or high pressure alarm in the flash drum was considered a credible IPL and led to a reduction of the target SIL for the SIF; in two cases the operator was required to go to the site and perform the action when gas blow-by was already developing;
In two projects all of the above listed errors were found.

Lesson Learned 2 Heat Exchanger
[Figure: sketch of the HP gas / LP cooling exchanger with a PAHH on the shell (labelled "Not reliable for tube rupture") acting on an ESDV on the HP gas line, relief to the flare header, tube rupture and blocked outlet cases marked, and the LP side labelled "No high pressure safety loop". Tube Operating Pressure = 100 barg; Shell Design Pressure = 10 barg; ESDV2 Closure Time = 12 sec.]

Lesson Learned 2 Heat Exchanger
The primary design intent of the high pressure trip (PAHH) on the exchanger shell is to stop the gas flow in case of loss of cooling water flow; the boiling water may lead to shell overpressure and damage. The secondary design intent of the PAHH on the exchanger shell is to stop the gas flow in case of minor tube leakage. The gas line operating pressure is 120 barg whilst the shell design pressure is 10 barg. Some HAZOP and SIL/LOPA teams believe that the PAHH function may be applied as a reliable IPL in case of tube rupture; however, the time required to close the emergency shutdown valve (ESDV) is usually more than 10 seconds, and damage to the shell side may occur before the safety action is completed. Given the very low frequency of tube rupture (based on historical OGP data), a properly designed PSV on the exchanger shell is a sufficient safeguard to achieve ALARP.
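The timing argument above can be made numerically. The Python below is an added illustration and not part of the presentation: it compares the total SIF response time (transmitter lag, logic solver scan, ESDV stroke) against the process safety time, here taken as the time for the shell to rise from its operating pressure to its design pressure under a constant gas inflow through the breach, and applies the common rule of thumb that a SIF is only credible if it completes within half the process safety time. Only the 10 barg shell design pressure and the 12 s ESDV stroke are the talk's figures; the pressure-rise model (isothermal ideal gas filling a fixed vapour space), the shell volume, operating pressure, sensor and logic delays, both inflow rates and the half-PST margin are constructed assumptions for this example.

```python
from dataclasses import dataclass

P_STD_BAR = 1.01325   # reference pressure behind "Nm3" (assumption: 1 atm)


@dataclass(frozen=True)
class Breach:
    name: str
    inflow_nm3_s: float      # gas flow from the tube side into the shell, Nm3/s


@dataclass(frozen=True)
class Shell:
    vapour_space_m3: float   # volume the leaking gas pressurises
    operating_barg: float
    design_barg: float


@dataclass(frozen=True)
class Sif:
    sensor_lag_s: float      # transmitter response
    logic_scan_s: float      # logic solver scan plus output
    valve_stroke_s: float    # ESDV closure time

    def response_time_s(self) -> float:
        return self.sensor_lag_s + self.logic_scan_s + self.valve_stroke_s


def pressure_rise_bar_per_s(breach: Breach, shell: Shell) -> float:
    """Isothermal ideal-gas fill of a fixed vapour space: dp/dt = q_std * p_std / V."""
    return breach.inflow_nm3_s * P_STD_BAR / shell.vapour_space_m3


def process_safety_time_s(breach: Breach, shell: Shell) -> float:
    """Seconds from the breach until the shell reaches its design pressure."""
    return (shell.design_barg - shell.operating_barg) / pressure_rise_bar_per_s(breach, shell)


def sif_effective(breach: Breach, shell: Shell, sif: Sif, margin: float = 0.5) -> bool:
    """Credit the SIF only if its action completes within `margin` times the
    process safety time (half the PST is a widely used rule of thumb)."""
    return sif.response_time_s() <= margin * process_safety_time_s(breach, shell)


# Constructed inputs: only the 10 barg design pressure and the 12 s stroke come from the talk.
SHELL = Shell(vapour_space_m3=2.0, operating_barg=3.0, design_barg=10.0)
PAHH = Sif(sensor_lag_s=1.0, logic_scan_s=0.5, valve_stroke_s=12.0)
RUPTURE = Breach("full tube rupture", inflow_nm3_s=6.0)
LEAK = Breach("minor tube leak", inflow_nm3_s=0.05)


def report(breach: Breach) -> str:
    pst = process_safety_time_s(breach, SHELL)
    verdict = "credible IPL" if sif_effective(breach, SHELL, PAHH) else "NOT credible, rely on PSV"
    return f"{breach.name}: PST {pst:.1f} s vs SIF {PAHH.response_time_s():.1f} s -> {verdict}"


if __name__ == "__main__":
    for case in (RUPTURE, LEAK):
        print(report(case))
```

With these inputs the full rupture reaches design pressure in roughly 2 s, an order of magnitude before the 13.5 s trip completes, so the PAHH cannot be credited and the PSV sized for the rupture case carries the scenario; the minor leak gives several minutes of process safety time, which is exactly the case the trip was designed for. A real study replaces the constant-inflow model with the licensor's or vendor's dynamic calculation, but the comparison it has to make is the same one.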

Conclusions
To significantly reduce the number of errors and deficiencies in SIF development affecting the SRS, design houses should take more care over relevant competencies when selecting the design team and external contractors, in order to assure proper implementation of the safety lifecycle principles from the earliest stages of plant design;
Early identification of deficiencies and errors in SIF development reduces the cost of rectifying them. Therefore it is strongly advised to include FSA Stage 1 and FSA Stage 2 in the overall project schedule;
Leaving a large number of unresolved issues until FSA Stage 3 may generate additional costs and may significantly delay project execution;
The larger the number of errors that occur in the SIF development process, the higher the probability that some SIFs will not be capable of performing their function during plant operation.

Thank you for your attention! Questions?