Determination of safety interlocks and SIL levels

M

Thread Starter

Mike Boudreaux

Dear list:

I am interested in finding out how other companies handle the determination of safety interlocks that go into the safety interlock system (aka ESD, SIS, etc.). I am not interested in quantitative analysis, but instead would like
to find out how qualitative analysis can be incorporated into PHA's or HAZOP's. If consequence and probability rankings are used, I am interested in how they are defined and how the results are used to determine SIS requirements. I have read many papers and books on this subject, but I would like to know more about how users are actually doing this in practice.

Also, if anyone is using qualitative analysis to determine SIL, I am interested in problems associated with this method. Does it work well?

Any information about this subject is greatly appreciated.

Mike Boudreaux
http://mike.boudreaux.net/control.htm
 
B

Bruce Durdle

Mike,
Good question.......

It's not a "one size fits all" scenario - but whan you are talking risk management nothing ever is.

In my experience, you can only ever justify a maximum of 4 risk classes-

0 no problem
1 be careful
2 be VERY careful
3 DONT DO IT!!

In practice, class 1 means you have to take steps such as supply trip and alarm hardware separately from your normal control hardware, and class 2 means you have to use multiple-redundant systems.

I have done a few of these - some with a "gut feel, thumbsuck" approach, others where we tried to put semi-numerical weightings on different factors. The second approach will have more standing in court, and may also give some surprising results - in one such system, we came out convinced that the LPG tanks with 3 levels of level protection in fact needed an additonal level of pressure protection. It is probably worth
going to a little bit of extra effort.

You need to decide on 3 or 4 levels of probability, and 3 or 4 levels of severity. This
can be in terms of chances of failure being 1 per year (frequent), 1 in 10 years (uncommon) or 1 in 100 years (rare), with severity being in terms of injury or financial life or preferably a combination of both. (The bean-counters will freak out when you talk aboput lives per annum, so give them some dollars to worry about as well.) The same thing works for environmental effects.

A typical set of severity groupings could be:
0 minor injury-no lost time
1 major lost-time injury
2 several major injuries - 1 fatality
3 multiple fatalities

0 no loss of production-repair within normal guidelines
1 less than 12 hours loss of production - off-line spare available
2 between 12 hours and 2 days production lost - non-spared plant out of service
3 more than 2 days production loss

0 minor spill confined to plant limits
1 minor spill beyond plant limits
2 major spill beyond plant limits - no significant impact
3 major spill with significant impact beyond plant limits

However, each operation will have its own constraints, particularly on these last two, and you need to set them with full consultation well in advance and get them agreed to by the people who hold the purse-strings.

IEC61508 has some indicated values that you might find useful. If you need more ideas, feel free to contact me.

Bruce.

Bruce Durdle
[email protected]
 
B

Bronson, Robert

We have used ACM Automation's "PHASIL" process to determine the risk associated with a specific facility and to ensure that this risk has been
reduced to an acceptable level. We have done this primarily on projects where high risk has been identified. For example on one project a High Integrity Presure Protection System (HIPPS) was being considered. (See http://www.acm.ab.ca for more info)

We are continuing to look at ways to combine the SIL accessment part of the process with our standard HAZOP process. At my company the process
engineers and safety personnel are responsible for the overall safety model at a site and they take their jobs very seriously. The IEC 61508 and ISA S84.01 standards are just starting to be understood by control system engineers (those of us who are left at the owner companies) but are not well understood by our safety personnel and process engineers. Until there is a better understanding by these people - I'm not sure we'll see them used in practice (at least in Canada where there is less reguatory push.)
 
M

Mike Boudreaux

This response is in agreement with my feelings on the subject - using a risk matrix can result in positive results. I am not as familiar with IEC 61508 as I am with ISA S84.01, but I am going to look into how IEC suggest ranking should be performed.

I feel most strongly about your comment about how using a risk matrix will have more value in court. With this method, there is at least some
documentation for why you chose to include/leave out an interlock from your safety system. If you use the method of "gut feeling", it seems more
arbitrary and it can be argued that factors other than risk analysis went into your decision (such as the role of cost, personal interest, etc.). To
me, it has the same effect as documenting why you chose a specific vendor when purchasing equipment or why you chose a certain size relief valve.

Regards,

Mike Boudreaux
http://mike.boudreaux.net/control.htm
 
Top