
Process Safety Engineering

Module 5.1 : Functional Safety


Topics
• What is Functional Safety?
• Safety Instrumented System (SIS)
• Instrumented Protective Function (IPF)
• Layers of Protection
• Safety Integrity Level (SIL)
• Layers of Protection Analysis (LOPA)
What is Functional Safety?
The traditional approach to specifying instrumented protection was to use
experience-based, prescriptive standards like API 14C, irrespective of the
hazards (and therefore the risk) in a particular situation. Functional Safety was
introduced to complement a risk-based approach to process safety, i.e.
• Identifying the required safety functions using HAZOP, FMEA, etc.
• Assessing the risk reduction required of each safety function, using a
‘safety integrity level’ (SIL) assessment.
• Ensuring the safety function performs to the design intent.
• Verifying that the system meets the assigned SIL rating.
• Conducting functional safety audits to confirm that the appropriate
techniques were applied consistently throughout the relevant
lifecycle stages.
IEC Standards 61508 & 61511
IEC 61508 - Functional safety of electrical / electronic /
programmable electronic safety related systems
• Generic approach for all safety lifecycle activities (concept,
design, implementation, operation and maintenance) for all
industries
• Describes a risk-based assessment to define the necessary
integrity (i.e. availability) performance of sensors, controllers
and actuators
• Describes techniques to demonstrate / validate that
equipment meets the requirements
IEC 61511 - Functional Safety of safety instrumented systems for the
process industry sector (issued in 2003)
SAFETY INSTRUMENTED SYSTEM
A Safety Instrumented System (SIS) consists of individual
Instrumented Protective Functions (IPF) or ‘trips’, each comprising:
• one or more initiators
• a logic solver
• one or more final elements
Purpose of IPF or trip: to prevent a hazard in the event of failure of the
process control system to maintain operation within safe design limits.
SAFETY INSTRUMENTED SYSTEM
[Figure: separator P&ID showing three IPFs. IPF #1 has a high pressure
initiator and final element FE #1, an SDV that isolates the input. IPF #2 and
IPF #3 use a low level initiator and final elements FE #2/3, SDVs that isolate
the output.]
P&ID only shows initiators and final elements, not logic solver
Layers of Protection in Process Plants
[Figure: concentric layers of protection, listed here from outermost to innermost]
• Community Emergency Response
• Plant Emergency Response
• Mitigation: Mechanical Mitigation Systems, Safety Instrumented Control
Systems, Safety Instrumented Mitigation Systems
• Prevention: Mechanical Protection Systems, Process Alarm / Operator
Supervision, Safety Instrumented Control Systems, Safety Instrumented
Prevention Systems
• Basic Process Control Systems
• Monitoring Systems (Process Alarms), Operator Supervision
• Process Design
Process Safety Layers of Protection
Process Safety as a Protective Barrier
Accidents occur as a result of a ‘line up’ of system and other failures
Process Safety Systems act as multiple safety barriers to prevent incidents
Types of Protective Layers
• Many types of protective layers are possible.
• Preventive = process alarms and trips, check
valves, operator supervision.
• Mitigation = pressure relief valves, deluge,
bunds, gas alarms, restricted access, evacuation
procedures.
• A scenario may require one or many protection
layers depending on the process complexity and
potential severity of a consequence.
• Note that for a given scenario, only one layer
must work successfully for the consequence to
be prevented.
• However, since no layer is perfectly effective,
sufficient protection layers must be provided to
render the risk of the accident tolerable.
Protection Layers
An Independent Protection Layer (IPL) must
•reduce risk by at least a factor of 100.
•have an availability greater than 0.9.
•be specific to the hazard and designed to prevent or mitigate its consequences.
•be independent of the other protection layers associated with the hazard.
•be capable of being validated by regular testing or audit, and maintained.

All IPLs are safeguards but not all safeguards are IPLs.

Non-independent Protection Layer (PL)


Other protection layers include mechanical, structural and procedural protection,
which reduce the severity of impact but do not prevent occurrence e.g.
pressure relief valves, deluge, bunds, gas alarms, restricted access, evacuation
procedures, etc.
Introduction to ‘Safety Integrity Level’
• The Safety Integrity Level (SIL) rating for process trips is the target
availability, expressed as the probability of failure on demand.
• It is determined in accordance with IEC 61508/61511.
• Asset Integrity Level (AIL) and Environment Integrity Level (EIL) are
also considered.
Integrity Levels (IL)
IL   PFD               Reliability   Action
0    0 to 0.1          Up to 90%     No instrument SIL requirement
1    0.1 to 0.01       >90%          SIL1 designation
2    0.01 to 0.001     >99%          SIL2 designation
3    0.001 to 0.0001   >99.9%        SIL3 (Full LOPA required)
4    <0.0001           >99.99%       Redesign
Safety Integrity Level

Part 1 SIL Classification – setting the target


Why is SIL done ? > Target-setting
How is it done ? > Risk Graph method
How is it reported ? > Worksheet format
How is it organised ? > Team composition / Timing
Is it any good ? > Pros and Cons
Part 2 Validation – confirm that target is met
Reliability analysis – using component failure rate data
Adjust test frequency (within limits) to achieve the SIL target
HAZARD SCENARIOS
Risk impact: Safety / Environment / Asset & Production
Consequences: fire & explosion; uncontrolled discharge; increased emissions;
equipment damage (typically following a loss of containment)
Causes:
• Failure of process conditions (upset): pressure, level, temperature
• Loss of containment from piping, vessels, heat exchangers
• Mechanical equipment (machinery, utilities) malfunction or failure:
cooling, sealing, lubrication, vibration, overheating, overspeed
• Combustion equipment (burner) failure: flame-out, fuel-air ratio,
flue temperature
SIL Targets
SIL targets are based on the ‘Probability of Failure on Demand’ of IPFs
which experience a low demand rate, i.e. are not normally in operation.

Rating   Probability of failure on demand   Implications
NSR      10^-1 to < 10^0                    No special requirement - normal control or alarm function
SIL 1    10^-2 to < 10^-1                   Usually 1oo1 for initiator, end element and logic solver
SIL 2    10^-3 to < 10^-2                   Usually 2oo3 for initiator and end element, frequent testing
SIL 3    10^-4 to < 10^-3                   2oo3 for initiator, 1oo2 for end element & frequent testing
SIL 4    10^-5 to < 10^-4                   Not recommended. Consider re-design
Method - Information Required

• Process drawings (P&IDs, PFDs) and plant layouts


• Cause & Effect diagrams (input links to outputs)
• Risk graphs (safety, enviro, asset)
• Hazard understanding (from HAZOP, HAZID, API RP 14C,
etc)
• Manning levels for each area of plant (numbers / duration)
• Knowledge of consequences (modelling studies)
• Expected fatalities for each type of event (from QRA)
• Expected effects of over-pressurisation (flange leak or rupture)
RISK GRAPH - Personnel Safety
Columns: demand rate W3 (High), W2 (Low), W1 (Very Low). Each cell is the
required Safety Integrity Level (SIL); - = no special safety features required;
NR = not recommended, consider alternatives.

Consequence severity     Personnel exposure   Alternatives to avoid danger   W3   W2   W1
S1 Slight injury         -                    -                              -    -    -
S2 Serious injuries      P1 Rare              A1 Possible                    1    -    -
   or 1 death            P1 Rare              A2 Not likely                  2    1    -
                         P2 Frequent          A1 Possible                    2    1    1
                         P2 Frequent          A2 Not likely                  3    2    1
S3 Multiple deaths       P1 Rare              -                              3    3    2
                         P2 Frequent          -                              NR   3    3
S4 Catastrophic          -                    -                              NR   NR   NR
CONSEQUENCE SEVERITY
The worst case consequences in terms of harm to personnel, if the hazard
under consideration is realised. (The worst case consequence is often
during an ignited release).
Slight injury: Injury is reversible, rapid recovery
Serious injury or 1 death: Loss of limb or eye, single death
Multiple deaths: 2 to 4 deaths
Catastrophic: 5 or more local deaths
PERSONNEL EXPOSURE
Risk is reduced if personnel are exposed to the hazard for significantly
less than full-time.
Rare : personnel in vicinity less than 10% of time
Frequent : personnel in vicinity more than 10% of time
‘Personnel’ includes maintenance and construction workers
as well as operators.
NB. Some hazards may only arise during a specific operation
when personnel are required to work in the vicinity of the
potential hazard. Thus their exposure could be frequent
even though their overall time in the area is less than 10%.
ALTERNATIVES TO AVOID DANGER
Risk is reduced if there is a reasonable chance of avoiding the consequences
of the hazard after the protection has failed, e.g. escape routes or
independent shutdown facilities.
The only alternatives are Not Likely and Possible :
‘Possible’ is only valid if there is sufficient time for personnel
to escape or shut down the process before the hazardous
consequence is realised, i.e. all of the following are true :-
• Independent facilities to alert operator that protection has
failed (NOT that trip is about to operate).
• Adequate time between operator being alerted and
hazardous event occurring to allow escape to place of
safety
DEMAND RATE
‘Demand Rate’ is the frequency at which the hazardous event may be expected
to occur if no protection is applied **
a) High : Once in 0.3 to 3 years
b) Low : Once in 3 to 30 years
c) Very Low : Less than once in 30 years
The Risk Graph may be extended for Fire & Gas systems which typically
have much lower demand rates, i.e.
d) Once in 300 to 3000 years
e) Less than once in 3000 years
** Sometimes another event(s) is required to occur when protection
fails before the hazard is realised, e.g. ignition.
To account for this, a Hazardous Event Probability is applied to the
Demand Rate and the resulting Hazardous Demand Rate is used in the
Risk Graph.
RISK GRAPH - Environmental
Columns: demand rate W3 (High), W2 (Low), W1 (Very Low). Each cell is the
required Environmental Integrity Level (EIL); - = no special safety features
required; NR = not recommended, consider alternatives.

Consequence                               W3   W2   W1
E0 No release or a negligible impact      -    -    -
E1 Release with minor impact              1    -    -
E2 Release with moderate impact           2    1    -
E3 Release with temporary major impact    3    3    2
E4 Release with permanent major impact    NR   NR   3


CONSEQUENCE - Environmental
Negligible:
internal complaint; no permit violation; no formal report; no negative public
impact or perception; < 1 bbl liquid spill or moderate flange / valve leak.
Minor:
external complaint; permit violation or reportable incident; minor negative
public impact or perception; fine is unlikely; e.g. 1 to 10 bbl offshore spill.
Moderate:
significant impact requiring agency notification; significant negative public
impact or perception; local media coverage; liquid spill > 50 bbl to sea, river
or land affecting ground water; acute air pollution; damage to ecosystem.
Major (temporary):
agency investigation; major fine; serious negative public, health or financial
impact; major media coverage; > 1000 bbl offshore spill.
Major (permanent):
major event affecting eco-, socio- and economic systems, which cannot be
remedied quickly and has persistent effects; national and international
coverage; serious harm to reputation.
RISK GRAPH - Commercial
These values are set by the operator and need to align with their ‘value of
life’ and environmental harm criteria.
Columns: demand rate W3 (High), W2 (Low), W1 (Very Low). Each cell is the
required Commercial Integrity Level (CIL); - = no special safety features
required; NR = not recommended, consider alternatives.

Consequence                                                        W3   W2   W1
C0 No operational upset or equipment damage                        -    -    -
C1 Minor operational upset or < £10 K equipment damage             -    -    -
C2 Moderate operational upset or £10 - 500 K equipment damage      -    -    -
C3 Major operational upset or £500 K - 5M equipment damage         1    1    -
C4 Damage to essential equipment, < £5M, major economic loss       2    2    1


MECHANICAL PROTECTION
SIL Rating is based on the overall hazard. Therefore:
SIL = INSTRUMENTED PROTECTION + MECHANICAL PROTECTION
Mechanical protection includes:
• Relief valves
• Non-return (check) valves
• Key interlocks
RELIEF VALVES
Function: 1oo1 pressure transmitter, logic solver, 1oo1 ESDV, 1oo1 RV
[Figure: separator with a high-high pressure alarm/trip (PZA HH) initiating
the instrumented function, plus a relief valve. Overpressure protection =
instrumented function + RV.]
RELIEF VALVES

• IPF reduces the demand rate on the relief valve


• SIL assesses the overall pressure protection system (IPF + RV)
to determine the required PFD.
• Classify IPF on its own. There may be additional objectives,
e.g. environment or production downtime if RV does not re-seat,
which may determine the minimum PFD for the IPF.
• Determine PFD of IPF and PFD of RV with given test intervals
for each.
• Ensure combined PFD meets the required SIL mid-band.
• Ensure any change to IPF or RV architecture and/or test
frequency is analysed to ensure that the total system retains the
required SIL/PFD.
NON-RETURN VALVES (NRV)
• NRV reduces the demand rate on the IPF
• A single NRV (in a clean, non-corrosive duty) reduces demand
by factor of 5 and two dissimilar NRVs (in a clean, non-
corrosive duty) reduce demand by factor of 50.
… provided the valves are tested at least every 6 months.
• For other than clean duty, the test frequency should be
significantly higher.
• It can be assumed that a small leakage within the NRV will be
within the capacity of the downstream safety relief valve.
Caution: If NRVs are never tested, do not take credit for their
ability as protective systems to prevent backflow.
SIL Classification Worksheet
Initiator: 60-LT-0003 Slugcatcher low low level
Final Element: 60-XV-0009 Isolate slugcatcher MEG outlet
Purpose: Primary safety
Protective Function: Overpressurisation protection for MEG/Condensate separator (DP = 46.8 barg) in the
event of loss of level upstream of weir, resulting in gas blowby. (Note: loss of interface level allowing condensate
to outflow via MEG outlet is not a hazard).
Cause of Demand: loss of interface level control 60-LIC-0002 (note: LCV fails closed)
Demand Rate: 3 months - 3 years
Dangerous event prob: 0.1 (ignition)
Dangerous demand rate: 3 – 30 years (Low)
Consequence of Failure:
MEG / Condensate Separator would be overpressurised to less than 150% of design pressure (65 barg vs. DP of
46.8 barg) resulting in flange/joint leak (not vessel rupture), fire and explosion.
Safety:
Consequence 2 - Blast and burn injuries.
Exposure B - Unlikely to affect whole A&C site. Occupancy = max. 2 people for >10% of time
Avoidance 2 - None – low interface level alarm is ineffective if interface level controller fails.
SIL 2 **
Comments/Recommendations:
** Take credit for MEG/Condensate Separator 60-PSV-0035 (mechanical protection).
** Take credit for 60-PAHH-0026, see sheet 4 (instr. protection).

Risk Graph - Personnel Safety (extended version printed on the worksheet;
columns = demand rate High, Low, Very Low, V.V. Low, Ext. Low;
NSR = no special requirement, NR = not recommended):
Consequence                    Exposure      Avoidance      High   Low   V.Low   V.V.Low   Ext.Low
1. Slight injury               -             -              NSR    NSR   NSR     NSR       NSR
2. Serious injury or 1 death   A. Rare       1. Possible    1      NSR   NSR     NSR       NSR
                               A. Rare       2. Unlikely    2      1     NSR     NSR       NSR
                               B. Frequent   1. Possible    2      1     1       NSR       NSR
                               B. Frequent   2. Unlikely    3      2     1       1         NSR
3. Multiple deaths             A. Rare       -              3      3     2       1         1
                               B. Frequent   -              NR     3     3       2         1
4. Catastrophic                -             -              NR     NR    NR      3         2
Signed / Approved
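The risk-graph procedure above (hazardous demand rate = demand rate x event probability, banded into W3/W2/W1, then a lookup on severity, exposure and avoidance) can be run as code. This is an added example, not part of the slides; it encodes the 3-column personnel-safety graph and reproduces the worksheet result. The geometric-mean treatment of a "once in X to Y years" band and the handling of rates above once per 0.3 years are assumptions made here.

```python
import math

# Personnel-safety risk graph as tabulated on the slides (3-column version).
# Row key: (consequence severity, personnel exposure, alternatives to avoid
# danger); columns: W3 = High, W2 = Low, W1 = Very Low demand rate.
# "-" = no special safety features required, "NR" = not recommended.
RISK_GRAPH = {
    ("S1", None, None): ("-", "-", "-"),
    ("S2", "P1", "A1"): ("1", "-", "-"),
    ("S2", "P1", "A2"): ("2", "1", "-"),
    ("S2", "P2", "A1"): ("2", "1", "1"),
    ("S2", "P2", "A2"): ("3", "2", "1"),
    ("S3", "P1", None): ("3", "3", "2"),
    ("S3", "P2", None): ("NR", "3", "3"),
    ("S4", None, None): ("NR", "NR", "NR"),
}
COLUMN = {"W3": 0, "W2": 1, "W1": 2}


def demand_rate_from_range(min_years, max_years):
    """Turn a 'once in X to Y years' band into a frequency per year using the
    geometric mean of the return period (assumption made for this example)."""
    return 1.0 / math.sqrt(min_years * max_years)


def hazardous_demand_rate(demand_per_year, event_probability=1.0):
    """Demand rate x hazardous event probability (e.g. ignition), as the
    slides describe for cases where a further event must occur."""
    return demand_per_year * event_probability


def demand_band(hazardous_demand_per_year):
    """Slide bands: High = once in 0.3-3 years, Low = once in 3-30 years,
    Very Low = less than once in 30 years. Rates above once per 0.3 years are
    off the graph and are treated as High here (assumption)."""
    return_period = 1.0 / hazardous_demand_per_year
    if return_period < 3.0:
        return "W3"
    if return_period < 30.0:
        return "W2"
    return "W1"


def classify(severity, exposure, avoidance, w_band):
    """Look up the SIL cell. As on the graph, exposure is only a branch for
    S2 and S3, and avoidance only for S2."""
    p = exposure if severity in ("S2", "S3") else None
    a = avoidance if severity == "S2" else None
    return RISK_GRAPH[(severity, p, a)][COLUMN[w_band]]


def worksheet_example():
    """Reproduce the slugcatcher low-low level worksheet: demand once in
    3 months to 3 years, ignition probability 0.1, consequence S2 (serious
    injury), exposure frequent (P2), avoidance not likely (A2)."""
    demand = demand_rate_from_range(0.25, 3.0)       # about 1.15 per year
    hazardous = hazardous_demand_rate(demand, 0.1)   # about once in 8.7 years
    w = demand_band(hazardous)                       # "W2" (Low)
    return w, classify("S2", "P2", "A2", w)          # ("W2", "2")


if __name__ == "__main__":
    print(worksheet_example())
```

Because the graph only has branches for exposure under S2/S3 and for avoidance under S2, the lookup deliberately discards those inputs elsewhere; that is also why a catastrophic (S4) row is "NR" regardless of exposure, which the slides flag as a case for re-design rather than a higher SIL.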
TYPICAL FINDINGS
[Figure: bar chart of the percentage of total assessed functions falling in
each of SIL 0, SIL 1, SIL 2 and SIL 3 (y-axis 0 to 80 % of total). Bar values
are not recoverable from the extracted text.]
TEAM COMPOSITION
Safety: Input on technical safety issues, QRA knowledge and corporate safety
policy. Arbiter on safety decisions.
Process: Input on hazard information and the consequences of process control
failure.
Operations: Input on operating practices and knowledge of plant.
Chairman / facilitator: Compliance with SIL process. Provides direction,
objectivity and consistency.
Secretary: Accurate and detailed recording of all data and decisions made in
reaching SIL classification.
TIMING OF SIL ASSESSMENT
THE EARLIER THE BETTER !
Front-End Engineering Design (FEED)
• following Coarse HAZOP
• provides input into design of SIS architecture
• preferable to be completed before procurement
• requires Process Flow Diagrams, process safeguarding
philosophy, plant layout & manning data
Approved For Design (AFC)
• following Detailed HAZOP
• to confirm SIS design and test frequencies
SIL BENEFITS
• Logical, risk-based approach which justifies cost of safeguarding
• Demonstrates integrity of SIS
• Ensures designs are of a suitable technical standard but not over-engineered
• Sets design performance standards
• Provides a basis for maintenance test frequencies
• Provides an audit trail for demonstrating ALARP
SIL LIMITATIONS
• Simplistic and imprecise (based on ‘orders of magnitude’)
• High SIL findings should be checked by QRA
• Risk graph has to be calibrated.
• Not suitable for high consequences, low frequency (F & G) events
• Obtaining reliability data for field devices can be difficult
• Experience shows poor repeatability of SIL assessments
• Not perfect but .. what did we do before SIL !!
SIL Verification (by Reliability Analysis)
Ensures that the SIS architecture (1oo1, 2oo3, etc) meets the SIL
classification. Sets appropriate maintenance test intervals.
It is good practice to achieve the logarithmic mean of the SIL band,
not just the lower end, e.g. SIL 1 mid-band = 0.3 x 10^-2
If the analysis shows that the SIL rating (or PFD) cannot be achieved
with the planned test frequency and SIF architecture, it is necessary
to re-design the SIF. Common cause/mode failure can be dominant.

IEC 61508 provides tables of PFD for the following parameters:
• Architecture – 1oo1, 1oo2, 2oo2, 2oo3.
• Equipment base failure rates
• Diagnostic coverage – 0%, 60%, 90%, 99%.
• Common cause failures (beta factor) – 1%, 5%, 10%
• Testing intervals – 0.5, 1, 2, 10 years
• Repair times
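The verification step and the relief-valve slides (combined PFD of IPF + RV, adjusting test interval or architecture to hit the SIL mid-band) can be worked through numerically. The following is an added example, not code from the slides or from IEC 61508: it uses the common simplified PFDavg approximations for the four architectures listed above, a common-cause beta factor and a proof-test interval, then checks a constructed overpressure loop against the SIL bands and the logarithmic mid-band. The failure rates are sample values, and diagnostic coverage and repair time are ignored.

```python
import math

# SIL bands from the 'SIL Targets' table: SIL n covers 10^-(n+1) <= PFD < 10^-n;
# PFD >= 0.1 is 'no special requirement', returned here as 0.
def sil_of_pfd(pfd):
    if pfd >= 1e-1:
        return 0
    for sil in (1, 2, 3):
        if pfd >= 10.0 ** -(sil + 1):
            return sil
    return 4  # below 10^-4: SIL 4, which the slides say to avoid by re-design


def mid_band(sil):
    """Logarithmic mean of a SIL band, e.g. SIL 1: sqrt(1e-2 * 1e-1)."""
    lo, hi = 10.0 ** -(sil + 1), 10.0 ** -sil
    return math.sqrt(lo * hi)


def pfd_avg(arch, lam_du, t_years, beta=0.0):
    """Average PFD of a proof-tested group of identical channels with
    dangerous undetected failure rate lam_du (per year), proof-test interval
    t_years and common-cause beta factor. These are the usual simplified
    forms of the IEC 61508-6 expressions; diagnostic coverage and repair
    time are ignored here (assumption)."""
    lam_i = (1.0 - beta) * lam_du   # failures independent between channels
    lam_c = beta * lam_du           # common-cause share, acts like a 1oo1 channel
    if arch == "1oo1":
        return lam_du * t_years / 2.0
    if arch == "2oo2":              # both channels must act, so either dangerous failure disables the function
        return lam_du * t_years
    if arch == "1oo2":
        return (lam_i * t_years) ** 2 / 3.0 + lam_c * t_years / 2.0
    if arch == "2oo3":
        return (lam_i * t_years) ** 2 + lam_c * t_years / 2.0
    raise ValueError(f"unknown architecture {arch}")


def combined_pfd(pfds):
    """Independent layers (e.g. IPF + relief valve): overall PFD is the product."""
    result = 1.0
    for p in pfds:
        result *= p
    return result


def meets_target(pfd, target_sil):
    """Good practice from the slides: achieve the mid-band, not just the edge."""
    return pfd <= mid_band(target_sil)


def loop_pfd(t_years, valve_arch="1oo1", beta=0.05):
    """Constructed overpressure IPF: 1oo1 pressure transmitter, 1oo1 logic
    solver and an ESDV group; failure rates per year are sample values."""
    return (pfd_avg("1oo1", 0.020, t_years)                 # transmitter
            + pfd_avg("1oo1", 0.002, t_years)               # logic solver
            + pfd_avg(valve_arch, 0.030, t_years, beta))    # ESDV(s)


if __name__ == "__main__":
    ipf = loop_pfd(1.0)                            # 0.026 -> SIL 1, under mid-band 0.0316
    print(sil_of_pfd(ipf), meets_target(ipf, 1))
    print(meets_target(loop_pfd(2.0), 1))          # False: doubling the test interval breaks it
    print(meets_target(loop_pfd(2.0, "1oo2"), 1))  # True: redundant valves restore it
    rv = pfd_avg("1oo1", 0.020, 1.0)               # relief valve, 0.01
    print(sil_of_pfd(combined_pfd([ipf, rv])))     # 3: overall protection IPF + RV
```

The loop shows the trade-off the slides describe: the same hardware fails the SIL 1 mid-band once the proof-test interval is stretched from one to two years, and a 1oo2 valve arrangement (with 5% common cause) brings it back; the relief valve multiplies in as a separate layer, so the overall hazard protection sits well inside the IPF's own band. Note that the common-cause term dominates the redundant architectures once beta is non-trivial, which is why the slides warn that common mode failure can be dominant.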
LOPA Overview
• Layers of Protection Analysis (LOPA) is more rigorous
than SIL but less rigorous than QRA.
• The primary purpose of LOPA is to determine if there
are sufficient layers of protection against an accident
scenario (i.e. can the risk be tolerated?).
• Like SIL, LOPA typically uses order of magnitude
categories for initiating event frequency, consequence
severity, and the likelihood of failure of independent
protection layers (IPLs) to estimate scenario risk.
• LOPA typically uses the information developed during a
qualitative hazard evaluation, such as HAZOP. So HAZOP
and LOPA are often run in tandem.
When to Use LOPA
• LOPA can be applied when a hazard evaluation team
– believes a scenario is too complex for the team to make a reasonable risk
judgment using purely qualitative judgment, or
– the consequences are too severe to rely solely on qualitative risk judgment.
• ‘Too complex’ can mean:
– do not understand the initiating event well enough,
– do not understand the sequence of events well enough, or
– do not understand whether safeguards are truly IPLs.
The Language of LOPA
• LOPA provides a consistent basis for judging
whether there are sufficient IPLs to control the risk
of an accident for a given scenario.
• Alternatives encompassing inherently safer design
can be evaluated as well.
• LOPA does not suggest which IPLs to add or which
design to choose, but it assists in judging risk
reduction between alternatives .
• LOPA is not a fully quantitative risk assessment
approach. When the likelihood is very low and / or
the severity is very high, Quantified Risk analysis
(QRA) should be used.
LOPA Methodology
1. Determine the Tolerable Risk Level
– Define the hazardous event (fire, overpressure, mechanical failure, etc)
– Assess its severity (minor, serious, extensive)
– Consult the ‘risk table’ to establish the tolerable event frequency.
Tolerable Event Frequency
LOPA Methodology (2)
2. Determine the Unmitigated Hazardous Event Frequency
– Identify all initiating causes (e.g. from HAZOP)
– Assess the frequency of each cause and summate them.
‘Unmitigated’ means not having any risk reduction measures to prevent,
control or mitigate the hazardous event.
LOPA Methodology (3)
3. Calculate the Intermediate Event Frequency
– Identify non-independent protection layers - PL (BPCS, alarms,
post-event mitigation)
– Identify Independent Protection Layers - IPL (preventive and control
measures)
– Assess the risk reduction by each PL and IPL and multiply them
– Multiply the total risk reduction by the hazardous event frequency.
LOPA Methodology (4)
4. Determine the need for additional risk reduction
– Divide the tolerable event frequency (item 1) by the intermediate event
frequency (item 3). (A SIF is only required if item 3 > item 1.)
– This value is the target risk reduction for the SIF, i.e. the SIL level
for Safety.
After ‘Safety’, repeat for ‘Environmental’ and ‘Asset’.
Then select the highest integrity level.
LOPA Worked Example
This exercise illustrates one application of LOPA.
It assesses the safety integrity of the over-fill prevention of bulk gasoline
storage tanks at an oil storage terminal. The tanks currently have a high
level alarm but no high level trip.
IEC 61511* has been used to establish the ‘Mitigated Event Frequency’
achieved by adding a high level trip. The procedure is:
1. Use LOPA to determine the mitigated event frequency.
2. Use an event tree to determine the frequency of all possible
consequences from tank overfilling;
3. Select those consequences leading to potential fatalities, estimate the
number of fatalities for each consequence, summate and determine the
overall annual Potential Loss of Life (PLL).
[*IEC 61511: “Safety Instrumented Systems for the Process Industry Sector
Functional Safety”]
LOPA of Tank Overflow
