SAFETY INTEGRITY LEVELS CONSIDERATIONS FOR NEW AND EXISTING ASSESSMENTS

Jo Fearnley, Senior Consultant, Aker Kvaerner Consultancy Services

Layer of protection analysis is a common way of assessing safety integrity levels for safety instrumented systems in the chemical industry. However, there is no consistent basis across industry for the layer of protection analysis. Variation exists in all aspects of the technique, ranging from the criteria to be used for acceptable risk through to the interpretation of what comprises a layer of protection. This paper discusses, with practical examples, what influences safety integrity levels. It considers application to new build, licensor package, and existing plants. What protection is provided in a design, for safety, environment and financial aspects as appropriate, needs to be understood by all those involved in the design and operation of chemical plants. Only if the layers of protection philosophy behind the design basis are clearly understood can the implications of change be clear to all those involved, such that safety integrity levels are incorporated within the management of change.

KEYWORDS: SIL, safety integrity level, management of change, licensor package, layer of protection, safety instrumented system

INTRODUCTION

Safety integrity level (SIL) is a phrase which means a huge amount to those who are routinely involved in the translation of the BS EN [BSI, 2002] and BS EN [BSI, 2004] standards into reality, but for many other people involved in the day to day design and operation of chemical plants it is still a term of which they are aware, but are not fundamentally certain about what it means for them. This awareness, but general unease about the impact on their work, is equally valid for engineers of all disciplines involved in the design of new plant and equipment, and for those individuals involved in re-assessing the safety standards of existing plants.
This uncertainty is sometimes due to not understanding the fundamentals of SIL assessment, but can also be a consequence of differing and conflicting information from SIL experts about when and how to carry out a SIL assessment. There is also an underlying risk, due to the unfamiliarity with the subject, that SIL assessments are seen as a one-off activity that can then be filed and forgotten about. As SIL assessments become more commonplace the need to have a common understanding of what is meant by SIL, in a practical and pragmatic way, becomes more important. There are differing ways in which a SIL assessment can be undertaken, but the most common is the layer of protection analysis (LOPA) technique. In this technique the level of acceptable risk for various potential hazardous consequences needs to be quantified. For each hazardous scenario identified, the various events which need to occur in sequence for the consequence to be realised are determined. This enables an order of magnitude quantification of the likelihood of the scenario developing. The residual risk which needs to be addressed by the safety instrumented system (SIS) is the difference between the likelihood of the scenario occurring and the acceptable risk for that consequence. The word safety is implicit in the SIL and SIS acronyms; however, integrity levels are also applicable to environmental and financial protection, although these are not always considered. Hence, when considering how SIL classification is going to be implemented, one fundamental decision is whether only safety/human harm consequences are going to be assessed, or whether the scope is to extend to cover environmental and/or financial consequences as well. The BS EN [BSI, 2002] and BS EN [BSI, 2004] standards only require that safety is considered, but many companies are extending the technique to be more comprehensive.
If safety, environmental and financial SIL assessments are going to be completed, then three separate assessments are required. From these three assessments the highest outcome for SIL rating will be the defining case. Although in many cases this will be determined by the safety SIL rating, the financial implications of a hazard scenario can sometimes lead to a higher SIL rating. This is especially applicable for a machine, such as a compressor, that on failure will not lead to any significant human or environmental harm but could damage the machine and cause months of outage. It should also be carefully assessed, when carrying out safety, environmental and financial SIL assessments, that the identified layers of protection are applicable for all the assessments, and that the identified SIS actually protects against each case. For example a bund may contain an environmental loss, so addressing the majority of that risk, but if the material then evolved a toxic gas, it would not protect against the human harm case.

CONSIDERATIONS FOR SIL ASSESSMENTS OF NEW DESIGN PLANTS

SIL classification is usually based on a calibrated risk graph for the site in question. This calibration depends on company and national acceptable risk standards (such as fatal accident rates and societal risk tolerability) and on site specifics, such as local population (on-site and off-site) and the number of hazardous processes/activities carried out on the site. It should be remembered that this calibration is based on the site, not a plant, as the acceptable risk standards typically relate to an operating complex and not each individual asset. If a standard non-calibrated risk graph is used, such as in the BS EN [BSI, 2004] standard, then unless the plant is a stand-alone package, the overall risk of the site will probably be underestimated. One potential adjustment would be to increase all SIL assessments by an order of magnitude to be on the safe side; however, this would have significant cost implications, so it is better to use a calibrated risk graph wherever possible. For the design of a new plant, the SIL assessment activity needs to be built into the overall plan for the project. To fundamentally influence the design of the plant to make it inherently as safe as possible, and so minimise the need for safety instrumented systems with an associated SIL rating, it is necessary to identify the hazards of the process as early as possible, and design them out wherever possible. This is fundamental to a good design basis anyway, but being able to justify inherently safer design through a reduced need for expensive (to install and maintain) safety instrumented systems is good business sense as well as best practice. A comprehensive process hazard assessment technique will be able to capture the majority of the potential hazardous scenarios associated with the outline plant design.
A detailed assessment of these identified scenarios will enable an assessment of the fundamental eliminate, reduce, substitute, control and mitigate philosophy. Where it is not economically practical to design out the hazard, then a SIL assessment of the hazardous scenario identified will enable a preliminary SIL rating to be determined. For a new plant, with SIL assessments completed at this early stage, the outcome will typically be preliminary only, as there will inevitably be ongoing change which must be carefully monitored to assess the effect on the SIL assessment. These changes could be SIL negative, where they remove or alter a previously identified layer of protection, or they could be SIL positive, where they reduce the demand on the SIS. The consideration of SIL and the SIS, as well as the other layers of protection identified as part of the SIL assessment, is fundamental to management of change during the design process. Guidance as to how to consider this change, and the associated implications, is discussed later. An underlying outcome of the preliminary assessment process is an understanding of what instrumentation and automated controls are within the design to control and mitigate the risk scenarios. For most new designs such instrumentation is split between the basic process control system (BPCS), and the independent high integrity safety and emergency shutdown system (ESS), which houses the SIL rated safety instrumented systems. Any control function within a BPCS is typically assumed within most SIL assessments to have a maximum integrity of 0.1 (i.e. a one in ten chance of failure on demand) when determining the likelihood of a control action occurring when required. The norm is that no more than two independent, applicable, control functions or alarms within a BPCS can be taken into consideration for a single SIL assessment.
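As an added worked example (not part of the paper, and not Aker Kvaerner's method or tool), the following Python sketch carries out the order-of-magnitude LOPA arithmetic described above: the initiating event frequency is multiplied by the probability of failure on demand (PFD) of each credited independent layer, BPCS layers are credited at no better than 0.1 and at most two of them are counted, and the remaining gap to the tolerable frequency is the risk reduction the SIS must supply. The SIL bands used are the standard low-demand PFD bands (SIL 1 covers PFD 0.1 to 0.01, SIL 2 0.01 to 0.001, and so on); every frequency, PFD, tag and scenario below is a constructed illustration, not a site calibration. The last function shows the point the paper makes later about management of change: a change to one layer that is well short of an order of magnitude can still move the required SIL across a band boundary.

```python
"""Order-of-magnitude LOPA / SIL determination (added example, constructed data)."""
from dataclasses import dataclass, field

BPCS_PFD_FLOOR = 0.1   # paper: a BPCS control function or alarm is credited with at most 0.1
MAX_BPCS_LAYERS = 2    # paper: no more than two independent BPCS layers per scenario

# Low-demand SIL bands expressed as the upper limit of risk reduction factor (RRF)
# each SIL can be asked to deliver: SIL 1 up to RRF 100 (PFD 0.01), SIL 2 up to 1000, ...
SIL_RRF_UPPER = ((1, 100.0), (2, 1_000.0), (3, 10_000.0), (4, 100_000.0))


@dataclass
class Layer:
    name: str
    pfd: float                # probability of failure on demand claimed for this layer
    in_bpcs: bool = False     # True if the layer is implemented in the BPCS


@dataclass
class Scenario:
    name: str
    initiating_frequency: float   # initiating events per year
    tolerable_frequency: float    # site-calibrated acceptable frequency per year
    layers: list = field(default_factory=list)


def credited_layers(layers):
    """Apply the BPCS rules: floor each BPCS PFD at 0.1 and credit at most two of them."""
    credited, bpcs_count = [], 0
    for layer in layers:
        if layer.in_bpcs:
            if bpcs_count >= MAX_BPCS_LAYERS:
                continue              # third and later BPCS layers earn no credit
            bpcs_count += 1
            credited.append(Layer(layer.name, max(layer.pfd, BPCS_PFD_FLOOR), True))
        else:
            credited.append(layer)
    return credited


def mitigated_frequency(scenario):
    """Scenario frequency with all credited independent layers in place, before any SIS."""
    f = scenario.initiating_frequency
    for layer in credited_layers(scenario.layers):
        f *= layer.pfd
    return f


def required_rrf(scenario):
    """Risk reduction factor the SIS must provide: residual frequency over tolerable."""
    return mitigated_frequency(scenario) / scenario.tolerable_frequency


def sil_for_rrf(rrf):
    """Map a required RRF to a SIL band; 0 means no SIS is needed."""
    if rrf <= 1.0:
        return 0
    for sil, upper in SIL_RRF_UPPER:   # any RRF above 1 is rounded up to at least SIL 1
        if rrf <= upper:
            return sil
    raise ValueError("required RRF exceeds SIL 4: redesign rather than rely on a SIS")


def sil_shift_if_layer_changes(scenario, layer_name, new_pfd):
    """Management-of-change check: (SIL before, SIL after) altering one layer's PFD."""
    before = sil_for_rrf(required_rrf(scenario))
    changed = Scenario(
        scenario.name, scenario.initiating_frequency, scenario.tolerable_frequency,
        [Layer(l.name, new_pfd if l.name == layer_name else l.pfd, l.in_bpcs)
         for l in scenario.layers],
    )
    return before, sil_for_rrf(required_rrf(changed))


# Constructed scenario: all values are illustrative, not from any real assessment.
EXAMPLE = Scenario(
    name="Reactor overpressure on loss of cooling (constructed)",
    initiating_frequency=1.0,        # one loss-of-cooling event per year (constructed)
    tolerable_frequency=1.2e-6,      # constructed site calibration for a fatality outcome
    layers=[
        Layer("TIC-101 temperature control loop", 0.1, in_bpcs=True),
        Layer("PAH-101 alarm with operator response", 0.05, in_bpcs=True),  # floored to 0.1
        Layer("FIC-102 flow control loop", 0.1, in_bpcs=True),              # third BPCS layer: not credited
        Layer("PSV-101 relief valve", 0.01),
    ],
)

if __name__ == "__main__":
    rrf = required_rrf(EXAMPLE)
    print(f"required RRF {rrf:.1f} -> SIL {sil_for_rrf(rrf)}")
    # Relief valve PFD drifting from 0.01 to 0.015 (e.g. a longer proof-test interval)
    # is far less than an order of magnitude, yet it crosses the SIL 1 / SIL 2 boundary.
    print("PSV-101 PFD 0.01 -> 0.015 moves SIL", sil_shift_if_layer_changes(EXAMPLE, "PSV-101 relief valve", 0.015))
```

The three BPCS layers collapse to two credited at 0.1 each, so the mitigated frequency is 1.0 x 0.1 x 0.1 x 0.01 = 1e-4 per year against a tolerable 1.2e-6, a required RRF of about 83 and hence SIL 1; the 1.5x change to the relief valve PFD lifts the RRF to 125 and the requirement to SIL 2, which is exactly the near-boundary sensitivity the paper warns a tick-box change review would miss.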
Some companies do allow SIL 1 instrumentation to be housed within a BPCS, due to the relatively high capabilities of modern systems; however, other companies believe that control and safety instrumented systems should be kept totally separate. For the designers of the SIL rated system the implementation of high integrity controls in both systems can be complex and involves many factors in order to achieve the targeted risk reduction. It is only once the design has been finalised that the required SIL rating for the SIS can be confirmed, and the detailed engineering completed to deliver the requirement. It should be remembered that the achievement of a SIL rating is not only dependent on the design of the SIS, but also on the installation, maintenance, proof testing, and auditing of the system.

CONSIDERATIONS FOR SIL ASSESSMENTS FOR LICENSOR PACKAGES

Chemical plants are routinely built around the world using a common process design package supplied by the licensor of the technology. Current licensor packages typically include safety instrumented systems that have SIL allocated to them, deemed by the licensor to provide a minimum level of safety. With a licensor package it is normally stipulated that instrumentation can be relocated from the BPCS to the ESS, but not from the ESS to the BPCS without licensor agreement. The licensor assessment will have been completed using a set of risk factors and databases of equipment and automation reliability which is not normally shared as part of the licensor package. The independent safety layers of protection identified are usually the minimum required to ensure hazardous risks are kept at a minimum, and may not be consistent with the contractor/client's internal risk criteria, but quantifying the difference is not going to be achievable without the licensor data.
A further complication which is frequently found with licensor packages is that the complete list of potential hazardous scenarios is not made available, but only those which are linked to a SIS or have identified layers of protection which the licensor needs to communicate. This means that if there are any changes to the standard design it is not immediately apparent whether the SIL requirements are affected, as the change could affect a scenario not identified as having a SIL implication in the licensor package. It is therefore very important that any change in the design from the basic licensor package is specifically assessed for related hazardous scenarios and hence for potential SIL requirements. It is often a subjective view by the contractor/client as to whether the licensor package identified SIL requirements and other specified layers of protection are equivalent to those which would have resulted from a SIL assessment based on a client calibrated risk graph. If the assigned values seem to be comparable, then the assessment is usually accepted without query, but where it appears to be underestimated then a decision needs to be taken as to whether to complete a comprehensive, or partial, process hazard and SIL assessment for the design package, in order to satisfy the client's internal standards. The inverse could be found, where the SIL requirements appear to be overestimated, but any change to the licensor package in this direction would be challenged by the licensor, and would be difficult to justify. The actual achievement of the layers of protection identified in the licensor package is part of the detailed design package, considering the complete SIS design, installation, maintenance, proof testing, and auditing. The achievement of the SIL design may consider specification of high integrity systems, redundancy, management of change, diagnostic coverage and periodic testing. Most licensor packages include operator response to a BPCS alarm as an independent layer of protection, but some clients will not accept this within a SIL assessment. In this case all the relevant SIL assessments will need to be reviewed and alternative protection identified, or SIL requirements changed appropriately. Where direct response to an alarm is not typically considered a layer of protection by a client, this may be overcome by including a written procedure for the response to the alarm, to increase the integrity of response.
The normal standard is that the alarm can only be used as a separate layer of protection if it is independent from the control system, if the alarm is suitably prioritised in the BPCS (i.e. alarm overload does not prevent the operator responding to it), and if the control room is permanently manned. If the alarm has to provide protection against a specific localised risk then the alarm must be repeated local to the hazard (with sound and light warning), e.g. to warn of a low oxygen level in a building so that people get out, or do not enter. The number of layers of protection within the BPCS which it is acceptable to consider in a SIL assessment may also vary between a licensor package and a client's internal standards. It is not normal that more than two independent layers of protection are considered, and care must be taken to assure true independence of these within a BPCS. Detailed consideration of the potential for common mode failure of the BPCS, which would affect the independence, is needed. Common mode failure mechanisms could occur due to a variety of causes, such as I/O cards, parallel cable routing, physical location, common equipment supplier or duplicated equipment types. When considering a licensor design with respect to SIS requirements, it is important not to forget that the basis of the SIL assessment will have included a review of what physical, mechanical or inherent layers of protection are built into the design, as well as control and operational considerations. It is therefore fundamental that these layers of protection are not changed without considering the effect on the SIL requirements, including verification with the licensor. Examples of these layers of protection include relief devices (pressure and vacuum), bunds, flare systems, vent headers, design conditions of equipment and pipework, restrictive devices and equipment types.
Care needs to be taken with any change as in some cases what may appear a positive change, such as increasing the ground area of a bund, could have a negative effect as it could increase the size of a pool fire and hence the radiation effect. There are other general factors which may affect the licensor SIL/LOPA, such as: layout, geographical considerations, operating philosophy or population density. Examples are given below, with further details when change control is discussed.

- Changes to the layout may affect the SIL classification identified for a particular risk, as the consequential effects may be different. For example, if the potential ignition source locations are changed compared to potential flammable release sources then this could change the likelihood of ignition from a low probability to a near certainty if the release was close to a permanent ignition source such as a fired boiler.

- Geographical differences may change the required SIL classification. An extreme example is if the client site will be in a region prone to earthquakes, then there might need to be vibration/motion trips that initiate a shutdown of a hazardous installation that would not be in the licensor package. Alternatively if it is in a desert then sand may invalidate a particular protective measure, such as by filling up a bund so it may not provide the capacity expected. If it is in a region prone to flooding then that may invalidate drainage routes and give a potential pool fire where it is not envisaged.

- Operating philosophy changes may change a SIL classification, as the exposure/vulnerability of the operating personnel may be changed. A plant which was originally intended to be mainly remote operated with a low proportion of time spent on site will typically have used a low time at risk factor for certain events with a localised effect. If however the plant is to be located in a region with cheap labour costs, then this might not be a valid assumption if a more manual operating regime is to be utilised.

- Population differences may change the required SIL classification. If there is a significant on- or off-site population for the client site then this could affect the SIL rating.

SIL classification works in orders of magnitude, so if there is an order of magnitude change or effect for any of the examples above then it may be necessary to increase the SIL classification by one level (e.g. SIL 1 to SIL 2), dependent on how the site risk graph is calibrated.

However, it is possible that a SIL rating was already on the boundary between two levels, such that a smaller change could have an effect, but without the detail behind the licensor package SIL assessments it is difficult to judge. Further, for all of these it is more difficult to judge whether a factor will have an effect where a scenario had not been SIL classified initially, and yet an order of magnitude change may take it to SIL 1. Significant changes from the licensor package should be discussed with the licensor to check that they do not invalidate the supplied SIL/LOPA data.

CONSIDERATIONS FOR MANAGEMENT OF CHANGE AND THE EFFECT ON SIL ASSESSMENTS

The need to control change is well understood in chemical plants in order to minimise risk arising from the change. The list of items on the check list for many companies is already extensive, and as the list grows, with each regulatory and legislation change, so does the risk that the activity becomes a tick-box exercise rather than a considered review of the effects of the change. In order to help those expected to implement the change control procedure it is useful for them to understand what can influence the area of concern, such that they can then identify if the proposed change could have that effect. SIL assessments are an area which many design and operating personnel do not fully understand, and hence they do not appreciate the range of factors that influence the safety integrity level determined. Once a plant has been designed, or retrospectively assessed for SIL requirements, it must not be assumed that no further consideration of SIL is required. It is extremely important that the potential implications for SIL assessments are included in the management of change procedures, both as part of the detailed design process for a new/licensor plant, and as part of ongoing operational controls for existing plant.
It is vital that the management of change procedure for a company considers SIL assessment implications for design, layout, and operational changes, and that the periodic reviews of the operational safety of a plant also check that SIL assessments have not been affected by the changes since the last review. For the review an understanding is needed of what can provide a layer of protection for a hazardous scenario, and how to consider whether a proposed change will affect layers of protection. The link back to the actual hazardous scenarios, rather than just the instrument systems on the plant, is critical in understanding the potential effects of the change. Any change to the process or equipment design has the potential to change the assessment completed to identify the SIL requirements to protect against a hazardous scenario. These changes could be SIL negative, where they remove or alter a previously identified layer of protection, or they could be SIL positive, where they reduce the demand on the SIS. As SIL assessments use an order of magnitude basis, changes might be dismissed as insignificant if they are not an order of magnitude different; however, it is worth checking as, dependent on the original assessment, a relatively small change may move a SIL rating up or down a level if it was near the boundary between levels.

- The on-site and off-site effects of layout changes typically have more effect on occupied building risks and planning consents, but as SIL typically uses order of magnitude values, any significant change could have a consequential effect on the SIL requirement which is not directly obvious. For example the number of people who could be harmed by an event changes if the location of plant equipment changes relative to occupied buildings or main through routes, and changes external to a site could also affect the number of people who could be harmed by an event.

- Changes to plant operating philosophy can affect the SIL rating. For example changing the amount of time an individual spends in a hazardous area means that the time at risk is increased or reduced. Reduction could be by the use of CCTV cameras, or remote operation of previously manual tasks. Changing the frequency with which a potentially hazardous operation or initiating event occurs could also have an effect, for example by reducing the number of cleanouts required on equipment where it is the start-up/shutdown which is the initiating event. Time at risk, especially for an unrevealed failure which could be identified by inspection, could be affected by changing the frequency of inspection, either of a planned routine, or of a visual check.

- Changes to plant mechanical design can affect the SIL rating. Changing the design integrity of an item of equipment may influence the assessment, and there is the potential to make it inherently safe if, for example, the design pressure is raised above the potential pressure generated during a hazardous event. Layers of protection may be from a mechanical device. Thus, including, removing or altering a mechanical device, e.g. a non-return valve, a relief device or an interlock, could affect the SIL rating of an associated SIS. This is also applicable for including, removing or altering an external facility which provides mitigation against the consequences of an event, e.g. a containment bund.

- Altering the priority of an alarm, or changing a common alarm, such that the likelihood that it is responded to alters, is another way of altering a SIL assessment.

A programmable control system, such as a BPCS or another programmable logic controller, is particularly prone to change. Protective layers are often built into a control system, and if there is a possibility of uncontrolled access which could lead to set points being changed, alarms or interlocks overridden, or visual displays altering, then the protection assessed could be affected.
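The paper's recurring point is that a change review must link back from the plant item being altered to the hazardous scenarios whose SIL assessment credited it. The following register sketch is an added example, not the paper's or any company's tool; it keeps that link as an inverted index so that a proposed change to a relief valve, a non-return valve, an alarm priority or a BPCS loop immediately lists the assessments to revisit, and it separately lists the credited layers that live in the BPCS and so need access control and change control. All scenario names, tags and SIL values are constructed for illustration.

```python
"""Layer-of-protection register for change review (added example, constructed data)."""
from collections import defaultdict

# Constructed register: scenario -> SIL assigned to its SIS and the layers credited in
# its LOPA. Each layer is recorded by the plant item it depends on and where it lives,
# so that both mechanical changes and BPCS changes can be traced back to assessments.
REGISTER = {
    "S-01 reactor overpressure on loss of cooling": {
        "sil": 2,
        "layers": [("PSV-101", "mechanical"), ("TIC-101", "bpcs"), ("PAH-101", "bpcs alarm")],
    },
    "S-02 storage tank overfill": {
        "sil": 1,
        "layers": [("LAH-201", "bpcs alarm"), ("BUND-200", "mechanical")],
    },
    "S-03 compressor surge (financial case)": {
        "sil": 1,
        "layers": [("NRV-301", "mechanical"), ("PIC-301", "bpcs")],
    },
}


def index_by_layer(register):
    """Invert the register so a plant item maps to every scenario that credits it."""
    index = defaultdict(list)
    for scenario, record in register.items():
        for tag, _kind in record["layers"]:
            index[tag].append(scenario)
    return dict(index)


def affected_scenarios(register, changed_tags):
    """Scenarios whose SIL assessment must be revisited if any of changed_tags alters."""
    index = index_by_layer(register)
    hits = {}
    for tag in changed_tags:
        for scenario in index.get(tag, []):
            hits.setdefault(scenario, []).append(tag)
    return hits


def bpcs_dependencies(register):
    """Tags credited as layers that live in the BPCS: set points, alarms and loops whose
    uncontrolled modification would silently erode an assessed layer of protection."""
    return sorted({tag for rec in register.values()
                   for tag, kind in rec["layers"] if kind.startswith("bpcs")})


def change_review(register, changed_tags):
    """Checklist lines for a proposed change, one per affected SIL assessment."""
    lines = []
    for scenario, tags in sorted(affected_scenarios(register, changed_tags).items()):
        sil = register[scenario]["sil"]
        lines.append(f"{scenario}: SIL {sil} SIS credits {', '.join(tags)}; "
                     "re-run the LOPA before approving")
    if not lines:
        lines.append("no credited layer of protection touched; record the check and proceed")
    return lines


if __name__ == "__main__":
    # Constructed change request: resize PSV-101 and modify the BUND-200 wall.
    for line in change_review(REGISTER, ["PSV-101", "BUND-200"]):
        print(line)
    print("BPCS items under SIL change control:", bpcs_dependencies(REGISTER))
```

Keeping the register keyed by scenario rather than by instrument is deliberate: it is the scenario that carries the SIL, and a single item such as a bund or an alarm may be credited by several scenarios at once, which the inverted index exposes without the reviewer reading every assessment on the plant.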
Therefore if the control system is considered within SIL assessments then an appropriate security and management of change system is required to prevent loss of integrity. It is not always obvious to those maintaining a BPCS what controls have been considered within a SIL assessment. It is therefore important that there is an awareness of SIL throughout an organisation, so that the questions relating to SIL are asked before instigating a change. The underlying problem with SIL assessments and management of change is how records are kept of what has been used as a layer of protection within a plant, and how easy these records are to access. There is no commonly accepted standard way of recording this, or communicating the outcome to people involved in the plant. Records of the layers of protection exist, but there may be up to several hundred for a large plant, if all hazardous scenarios have been assessed, and reviewing all these when considering a plant change is not an effective use of time. This is a problem which has not been comprehensively addressed within the industry yet, but is currently reliant on key personnel, such as safety, design or operating representatives who were at the SIL reviews, and are also involved in the change process. As time passes and these personnel change roles this will not be a feasible option, and so a robust method is required such that the integrity of SIL assessments is maintained as time passes and change occurs.

REFERENCES

BSI, 2002, Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 1: General requirements, BS EN :2002

BSI, 2004, Functional safety. Safety instrumented systems for the process industry sector. Part 3: Guidance for the determination of the required safety integrity levels, BS EN :2004