Reliability and Safety Assessment in Offshore and Process Industries

PSAM 7 / ESREL '04, Berlin, Germany

Lars Bodsberg, SINTEF, Trondheim, Norway

"All models are wrong! Some are useful." (G.E. Box)

Safety Management Principles (adapted from J. Rasmussen)

The figure places three safety control regimes along two axes: consequence of accident (low to high) and number of accidents contributing to total loss (many to few).

1. Empirical safety control (traffic and work safety): control of conditions and causes from epidemiological analysis of past accidents. Many accidents, low consequence.

2. Evolutionary safety control (aircraft crashes, train collisions): control of the accident process itself from reaction to individual past accidents.

3. Analytical safety control (e.g., major nuclear and chemical hazards, CEC Seveso directive): control of the accident process based on predictive analysis of possible accidents. Few accidents, high consequence.

IEC 61508 and IEC 61511

The international standard IEC 61508, "Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems" (7 parts): a generic standard.

The international standard IEC 61511, "Functional safety: Safety instrumented systems for the process industry sector" (3 parts): a sector-specific standard.

Widespread use of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry

The Petroleum Safety Authority Norway recommends the use of IEC 61508.

The Norwegian Oil Industry Association (OLF) provides financial support to a joint industry project between operators and the various suppliers of services and equipment to establish a guideline.

Guideline published at: www.itk.ntnu.no/sil

IEC 61508: "Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems"

Generic standard, i.e.:
- Providing a general framework, covering a wide range of complexity, hazards and risk potentials
- Conceived with a rapidly developing technology in mind: a framework sufficiently robust and comprehensive

Major objectives:
- Facilitate development of sector-specific standards
- Provide consistency within and across application sectors
- Provide a generic approach for all lifecycle activities
- Provide qualitative and quantitative safety requirements for safety systems

IEC 61508 Overall Safety Lifecycle (figure)

Phases, numbered as in the standard's overall safety lifecycle figure:

1 Concept
2 Overall scope definition
3 Hazard & risk analysis
4 Overall safety requirements
5 Safety requirements allocation
Overall planning:
  6 Overall operation & maintenance planning
  7 Overall safety validation planning
  8 Overall installation & commissioning planning
Realisation:
  9 Safety-related systems: E/E/PES
  10 Safety-related systems: other technology
  11 External risk reduction facilities
12 Overall installation & commissioning
13 Overall safety validation
14 Overall operation & maintenance
15 Overall modification & retrofit (back to the appropriate overall safety lifecycle phase)
16 Decommissioning

Development of Safety System Requirements (figure)

The figure traces the route from the equipment under control (EUC) to hardware and software requirements: the EUC hazard (overpressure) gives the EUC risk; comparing the EUC risk with the tolerable risk gives the safety requirements and the Safety Integrity Level (SIL). Example requirement: isolate and depressurize the vessel 9999 out of 10000 times. The requirements are allocated to E/E/PES, other safety-related systems and external facilities (the latter two are labelled as not part of IEC 61508); design of the E/E/PES then yields the hardware and software requirements.

Risk reduction in IEC 61508: general concept (figure)

The figure shows risk increasing from the residual risk, through the tolerable risk, up to the EUC risk:
- Necessary risk reduction: the gap between the EUC risk and the tolerable risk.
- Actual risk reduction: the gap between the EUC risk and the residual risk, i.e. the risk reduction achieved by all safety-related systems and external risk reduction facilities, made up of:
  - partial risk covered by E/E/PE safety-related systems
  - partial risk covered by other technology safety-related systems
  - partial risk covered by external risk reduction facilities

Source: IEC 61508

Safety Integrity Level (SIL)

SIL | Demand mode of operation (probability of failure on demand, PFD) | Continuous/high-demand mode of operation (probability of a dangerous failure per hour)
4   | ≥ 10^-5 to < 10^-4 | ≥ 10^-9 to < 10^-8
3   | ≥ 10^-4 to < 10^-3 | ≥ 10^-8 to < 10^-7
2   | ≥ 10^-3 to < 10^-2 | ≥ 10^-7 to < 10^-6
1   | ≥ 10^-2 to < 10^-1 | ≥ 10^-6 to < 10^-5

IEC 61508 implications on safety and reliability modelling

The IEC 61508 standard sets out a risk-based approach for deciding the Safety Integrity Level (SIL) for systems performing safety functions. On-going R&D to improve QRAs in Norway.

The IEC 61508 standard requires evaluation of the reliability performance of the safety instrumented systems: the PDS method.

Comparison PRA vs. QRA

Initiating events
  PRA: Root cause analysis of initiating events presented in fault trees. Identification of common cause initiators (CCIs). Predefined lists and handbooks.
  QRA: No root cause analysis. No CCI assessment. Predefined categories of leakage. Frequencies based on counting leakage points, or platform data.

Fault tree / event tree analysis (system modeling)
  PRA: Detailed modeling. Support systems explicitly modeled. Link between event trees and fault trees. (Time-dependent models for living PSA.)
  QRA: Rough model. Support systems not included. Only partial use of fault trees. No linking of event and fault trees.

Data and parameter estimation
  PRA: Best estimates and confidence intervals. Classical and Bayesian framework. 'Weighted' plant-specific data.
  QRA: Best estimates. Generic data and separate plant-specific data.

Human reliability
  PRA: Thorough analysis of important human actions (e.g., by THERP, SHARP, etc.).
  QRA: Almost non-existent.

Dependencies
  PRA: Partly inherent in models. Separate dependency analysis. Regarded as crucial.
  QRA: Partly inherent in models. No separate analysis.

Uncertainty
  PRA: Always included, at least qualitatively. Regarded as important.
  QRA: Absent.

External events
  PRA: Covers some external events. Linked to the 'internal' events.
  QRA: Covers many external events. Separate analysis (limited modeling effort).

Results
  PRA: Best estimate and uncertainty in short- and long-term fatalities. Cumulative distribution functions.
  QRA: Single best estimate. FAR and PLL values.

Reliability Assessment of Safety Instrumented Systems – the PDS Method

Balance between production and protection (figure, after Reason 1998): protection weighed against production.

High Integrity Pressure Protection System (HIPPS) (figure): three pressure transmitters (PT1, PT2, PT3) feeding redundant logic, which drives two valves (V1, V2).

Safety performance – voting logic (chart)

The chart plots probability of failure on demand (vertical axis, 0.001 to 0.006) against primary investment for four voting configurations: 2oo2 voting, 1oo1 voting, 2oo3 voting and 1oo2 voting, from the highest PFD curve to the lowest.
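The ranking in the chart above follows from how many channels must fail dangerously before the voted group loses its safety function. The script below is an added example, not part of the presentation and not the PDS method's own formulas: it uses the generic textbook approximations for the average PFD of an MooN group under periodic proof testing (independent part C(n, n-m+1)·(λτ)^(n-m+1)/(n-m+2), plus a beta-factor term β·λ·τ/2 for common-cause failure), and the failure rate, test interval and beta factor in the usage section are constructed values.

```python
import math

# Added example: simplified PFD approximations for MooN voting under periodic
# proof testing, with common-cause failure handled by a beta-factor model.
# These are generic textbook approximations (assumption), not the PDS method's
# own formulas; repair time and diagnostic coverage are ignored.


def pfd_koon(m, n, lam_du, tau, beta=0.0):
    """Average probability of failure on demand of an MooN voted group.

    m      - channels that must respond for the safety action to succeed
    n      - redundant channels in the group
    lam_du - dangerous undetected failure rate per channel (per hour)
    tau    - proof-test interval (hours)
    beta   - fraction of lam_du assumed to strike all channels at once (CCF)
    """
    if not 1 <= m <= n:
        raise ValueError("voting requires 1 <= m <= n")
    if n == 1:
        # Single channel: no redundancy, so no common-cause split
        return lam_du * tau / 2.0
    # The function is lost once at least n-m+1 channels have failed dangerously
    # (1oo2 needs both, 2oo2 needs either, 2oo3 needs any two).
    k = n - m + 1
    # Expected number of independent DU failures per channel per test interval
    x = (1.0 - beta) * lam_du * tau
    independent = math.comb(n, k) * x ** k / (k + 1)
    common_cause = beta * lam_du * tau / 2.0
    return independent + common_cause


CONFIGURATIONS = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3)}


def rank_configurations(lam_du, tau, beta):
    """Return (name, pfd) pairs for the chart's four configurations, best first."""
    results = [(name, pfd_koon(m, n, lam_du, tau, beta))
               for name, (m, n) in CONFIGURATIONS.items()]
    return sorted(results, key=lambda item: item[1])


if __name__ == "__main__":
    # Constructed input: annual proof test, 2e-6 /h DU rate, 5 % beta factor
    for name, pfd in rank_configurations(lam_du=2e-6, tau=8760, beta=0.05):
        print(f"{name}: PFD = {pfd:.2e}")
```

With a non-zero beta factor the common-cause term dominates the redundant configurations, which is why 1oo2 and 2oo3 end up much closer to each other than the independent-failure terms alone would suggest; the order 1oo2, 2oo3, 1oo1, 2oo2 (best to worst) matches the curves in the chart.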

Safety vs. LCC – low unavailability cost per trip (chart)

The chart plots probability of failure on demand (0.001 to 0.006) against life cycle cost (LCC) in 1 000 Norwegian kroner (100 to 500) for 2oo2, 1oo1, 2oo3 and 1oo2 voting, with the acceptance criterion drawn as a PFD limit. LCC is split into primary investment, operation and maintenance cost, and unavailability cost per trip.

Safety vs. LCC – high unavailability cost per trip (chart)

Same axes, cost elements, acceptance criterion and voting configurations as the previous chart, but with a high unavailability cost per trip.

Failure Mode Classification in PDS and IEC (figure)

Failure
  Dangerous (D)
  Safe (S)                 (IEC)
    Spurious Trip (ST)     (PDS)
    Non-critical (NONC)    (PDS)

Main Failure Modes in PDS

Dangerous (D): safety system/module does not operate on demand (e.g., sensor stuck upon demand).

Spurious Trip (ST): safety system/module operates without demand (e.g., sensor provides signal without demand).

Non-Critical (NONC): main functions not affected (e.g., sensor imperfection which has no direct effect on the control path).

The IEC standard does not distinguish between ST and NONC failures; both are referred to as Safe failures.

Failure Cause Classification in PDS and IEC (figure)

Failure
  Random hardware (physical)
    Ageing: natural ageing (within design envelope)
    Stress: sandblasting, humidity, overheating
  Systematic (non-physical)
    Interaction: random, e.g. scaffolding covers up sensor; test/periodic, e.g. left in by-pass, sensor covered up
    Design: software error; sensor does not distinguish true and false demand; wrong location of sensor

The figure marks which of these classes IEC and PDS respectively distinguish.

Loss of Safety Quantification in PDS and IEC (figure)

The same tree (random hardware: ageing, stress; systematic: interaction, design) is repeated, with markers showing which failure causes are included in the loss-of-safety quantification of IEC and of PDS respectively.

Reliability Performance Measures

Loss of safety:
- Critical Safety Unavailability (CSU): "The probability that the safety system will fail to automatically carry out a successful safety action on the occurrence of a hazardous/accidental event"
- Probability of Failure on Demand (PFD): that part of CSU which is caused by random hardware failures (the IEC measure)

Loss of production regularity:
- Spurious Trip Rate (STR): "The mean number of spurious activations of the safety system per unit time"

Maintenance activity:
- Mean Corrective Maintenance (MCM): "The mean number of man-hours spent on CM per year"
- Mean Preventive Maintenance (MPM): "The mean number of man-hours spent on PM per year"

Loss of Safety Calculations - Example

Component     | PFD (random hardware) | PSF (systematic) | CSU (total)
PT (1oo2)     | 1.1 ⋅ 10^-5           | 3.6 ⋅ 10^-5      | 4.7 ⋅ 10^-5
Logic (1oo2)  | 0.2 ⋅ 10^-5           | 2.5 ⋅ 10^-5      | 2.7 ⋅ 10^-5
V (1oo2)      | 11.8 ⋅ 10^-5          | 0.03 ⋅ 10^-5     | 11.8 ⋅ 10^-5
Total         | 13.1 ⋅ 10^-5          | 6.1 ⋅ 10^-5      | 19.2 ⋅ 10^-5
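The table above adds a random hardware contribution (PFD) and a systematic contribution (PSF) per module to get the Critical Safety Unavailability, and sums the modules of the safety function. The script below is an added example, not the presentation's or the PDS handbooks' code: it encodes the slide's SIL bands and the CSU = PFD + PSF split, reproduces the table's rows and totals, and reports which SIL band the IEC measure (PFD) falls in against the band the full CSU would fall in. Adding module unavailabilities is the rare-event approximation the table itself uses; the `Module` and `assess` names are the example's own.

```python
from dataclasses import dataclass

# Added example: SIL band lookup from the slide's SIL table (IEC 61508 demand
# and continuous/high-demand modes) and the PDS split of loss of safety into
# a random hardware part (PFD) and a systematic part (PSF), whose sum is the
# Critical Safety Unavailability (CSU). The example rows are the slide's own.

# (lower bound inclusive, upper bound exclusive) per SIL
DEMAND_MODE_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
CONTINUOUS_MODE_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def sil_for(value, mode="demand"):
    """Map a PFD (demand mode) or a dangerous failure rate per hour
    (continuous mode) to its SIL; None if the value lies outside the table."""
    bands = {"demand": DEMAND_MODE_BANDS, "continuous": CONTINUOUS_MODE_BANDS}[mode]
    for sil, (low, high) in bands.items():
        if low <= value < high:
            return sil
    return None  # below SIL 1, or better than the SIL 4 band


@dataclass(frozen=True)
class Module:
    name: str
    pfd: float  # loss of safety from random hardware failures
    psf: float  # loss of safety from systematic failures (PDS only)

    @property
    def csu(self):
        return self.pfd + self.psf


def loss_of_safety(modules):
    """Sum the PFD, PSF and CSU contributions of the modules in a safety function.

    Adding the module unavailabilities is the rare-event approximation used in
    the slide's table; it holds while each term is small.
    """
    pfd = sum(m.pfd for m in modules)
    psf = sum(m.psf for m in modules)
    return {"PFD": pfd, "PSF": psf, "CSU": pfd + psf}


# Rows from the slide "Loss of Safety Calculations - Example"
EXAMPLE_SIF = [
    Module("PT (1oo2)", 1.1e-5, 3.6e-5),
    Module("Logic (1oo2)", 0.2e-5, 2.5e-5),
    Module("V (1oo2)", 11.8e-5, 0.03e-5),
]


def assess(modules, mode="demand"):
    """Return the totals plus the SIL band of the IEC measure (PFD) and the
    band the full CSU would fall in if judged against the same table."""
    totals = loss_of_safety(modules)
    return {**totals,
            "SIL_from_PFD": sil_for(totals["PFD"], mode),
            "SIL_from_CSU": sil_for(totals["CSU"], mode)}


if __name__ == "__main__":
    for m in EXAMPLE_SIF:
        print(f"{m.name:14s} PFD={m.pfd:.2e} PSF={m.psf:.2e} CSU={m.csu:.2e}")
    print(assess(EXAMPLE_SIF))
```

For the slide's numbers both PFD (1.31 ⋅ 10^-4) and CSU (1.92 ⋅ 10^-4) land in the SIL 3 band, but the systematic part is almost half of the total loss of safety, which is the point of reporting CSU alongside the IEC measure; a lookup that returns None flags a value outside the table rather than silently rounding it to a neighbouring SIL.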

Reliability follow-up in operation (figure)

The figure links IEC 61508 lifecycle phases 5 (safety requirements allocation), 6 (overall operation and maintenance planning), 14 (overall operation, maintenance and repair) and 15 (overall modification and retrofit) through the data flows used to follow up reliability in operation:
- Inputs to planning: RAMS targets and trade-off values; generic and updated reliability parameters; follow-up plan; maintenance plan; work order system.
- Operation: actual PM & CM; PM & CM backlog; failures; follow-up actions; operational restrictions; budget and resource allocation; inform regulator (NPD).
- Data handling: database; data analysis (trends, Pareto, CCF, FCA etc.); extended reliability databases; reporting to manufacturers and vendors and to the regulator (NPD); improvement measures.

Summary

- Risk-based approach adopted in Norwegian offshore production
- Widespread application of the IEC 61508 standard
- Requirements to safety functions can normally not be obtained directly from the Quantitative Risk Analysis (QRA) as it is performed today
- Cooperation between regulatory authorities, industry and R&D to establish a guideline document for IEC 61508
- Ongoing research to improve QRA
- Reliability analysis should support the balance between production and protection

IEC 61508 and 61511 – Lessons learned

Provides a good framework for design, implementation and operation of safety-related systems.

Sensible risk-based approach, however in an area, and at a level of detail, which is not yet very mature.

Difficult to apply for systems involving several vendors ("global functions").

"All models are wrong! Some are useful." (G.E. Box)

References

Reliability Prediction Method for Safety Instrumented Systems; PDS Method Handbook, 2003 Edition. Published by SINTEF (www.sintef.no/pds) and distributed by Sydvest (www.sydvest.com).

Reliability Data for Safety Instrumented Systems; PDS Data Handbook, 2003 Edition. Published by SINTEF (www.sintef.no/pds) and distributed by Sydvest (www.sydvest.com).

Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry. Published at www.itk.ntnu.no/sil.

Lars Bodsberg, Ph.D., Research Director
SINTEF, Safety and Reliability
N-7465 Trondheim
Telephone: +47 73 59 27 58
Telefax: +47 73 59 28 96
http://www.sintef.no