Date post: 12-Sep-2014
SIL Target Selection – SIL Verification
Shanghai, 16 March 2011
Koen Leekens

Exida Contacts
Singapore +65 6222 5160
Shanghai +86 21 5171 7250
Hong Kong +852 2633 7727
Canada +1 403 475 1943
United Kingdom +44 2476 456 195
Netherlands +31 318 414 505
Germany +49 89 4900 0547
USA +1 215 453 1720
Switzerland +41 22 364 14 34
Australia / NZL +64 3 472 7707
Mexico +52 55 5611 9858
South Africa +27 31 267 1564
Copyright exida LLC ® 2000-2011
IEC 61511 is Risk Based
“There is risk in reaping the cheese”
Reduce the Risk to a tolerable level
The IEC 61511 Safety Lifecycle
Analysis Phase
What is…?
SIL Target Selection:
“Select the Safety Integrity Level (SIL) for each Safety Instrumented Function (SIF). The SIL Target is the risk reduction to be provided by the SIF to bring the actual risk below the tolerable risk”
SIL Target Selection Methods
– Risk Graph
– Hazard Matrix
– Frequency Based Targets (LOPA): Most Accurate resulting in best cost versus safety
Simplified Exercise
“Risk-O-Mometer”: Risk of 1 Fatality …
HIGH RISK
per year
per 10 year
per 100 year
per 1,000 year
per 10,000 year
per 100,000 year
per 1,000,000 year
LOW RISK
Practical SIL Target Selection
1. Define Tolerable Risk
– Tolerable Risk must be defined by Corporate
– Company Tolerable Risk Guidelines: 1 Fatality per 100,000 year (= 10^-5)
– Objective: Reduce risk below this Tolerable Frequency
2. Determine Actual Risk
– Result HAZOP “Cryogenic Heat exchange” (HAZOP: PHA method to identify Hazards)
  Imbalance warm/cold flow can result in freezing and fracture of pipe, and explosion.
– Actual Risk: Frequency (1/time), Consequence (%)
  Frequency Flow Imbalance: 10 year
  Consequence: 1 fatality
3. Take credit for “Other Layers of Protection”
[Event tree figure. Initiating Event: Flow Imbalance. Layers of Protection: Operator Fails, No pipe fracture, No Ignition. Outcome: Explosion / No Event. Values shown: 0.001, 0.2, 0.5, 0.1, 0.1, with frequencies labelled Per Year.]
– Result of Risk Assessment
  Frequency Flow Imbalance: 10 year
  Consequence: 1 fatality
– Layer of Protection Analyses (LOPA):
  Reduced Frequency: 1000 year
4. Select SIL Target
How much more risk reduction required?
– Select SIL: 10^-3 to 10^-5 = 10^-2 so SIL2
  Risk Reduction below Tolerable
The IEC 61511 Safety Lifecycle
Realization Phase
What is…?
SIL Verification:
“Verify if the SIL achieved by the SIF meets the SIL Target.”
The SIL achieved is the minimum of:
1. SILPFD: Probability of Failure on Demand Average/per hour (PFDAVG / PFH)
2. SILAC: Hardware Fault Tolerance
3. SILCAP: Capability to prevent Systematic Failures (SILCAP)

PFDsensor + PFDmux + PFDinput + PFDmp + PFDOutput + PFDrelay + PFDfe + PFDprocess-connection
It is easy to do the calculations right – it is difficult to do the right calculations

Certificate by Vendor
Justification by User
The SIL achieved is the minimum of:
1. SILPFD: SIL2
2. SILAC: SIL1
3. SILCAP: SIL3
The SIL level for this Safety Instrumented Function (SIF) is: SIL1
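The target-selection steps 1 to 4 and the "minimum of three" verification rule, carried through with the slide figures in Python (an added example, not exida material). Assumptions: which probability belongs to which protection layer, the rule that a risk reduction factor exactly on a decade boundary takes the higher SIL, and the comparison of the slide's SIL2/SIL1/SIL3 verification values against the SIL2 target.

```python
from fractions import Fraction

def mitigated_frequency(initiating_per_year, layer_probs):
    """Event frequency left after the non-SIF layers: f_init * product(p_i)."""
    freq = Fraction(initiating_per_year)
    for p in layer_probs:
        freq *= Fraction(p)
    return freq

def required_rrf(mitigated_per_year, tolerable_per_year):
    """Risk reduction factor the SIF must still deliver."""
    return Fraction(mitigated_per_year) / Fraction(tolerable_per_year)

def sil_target(rrf):
    """Map a required RRF to a SIL target (0 = no SIL requirement).

    Assumption: an RRF exactly on a decade boundary takes the higher SIL,
    which is how the slide turns 10^-2 into SIL2.
    """
    sil = 0
    while 10 ** (sil + 1) <= rrf:
        sil += 1
    if sil > 4:
        raise ValueError("beyond SIL4: add or improve other protection layers")
    return sil

def verify(target, sil_pfd, sil_ac, sil_cap):
    """Achieved SIL is the minimum of the three; report what limits it."""
    parts = {"SIL_PFD": sil_pfd, "SIL_AC": sil_ac, "SIL_CAP": sil_cap}
    achieved = min(parts.values())
    limiting = [name for name, value in parts.items() if value == achieved]
    return achieved >= target, achieved, limiting

# Figures from the slides; which probability belongs to which layer is assumed.
INITIATING = Fraction(1, 10)            # flow imbalance, once per 10 years
LAYERS = [Fraction(1, 10), Fraction(1, 2), Fraction(1, 5)]  # 0.1, 0.5, 0.2
TOLERABLE = Fraction(1, 100_000)        # 1 fatality per 100,000 years

if __name__ == "__main__":
    f = mitigated_frequency(INITIATING, LAYERS)
    rrf = required_rrf(f, TOLERABLE)
    target = sil_target(rrf)
    print(f"mitigated frequency: once per {1 / f} years")
    print(f"required RRF: {rrf} -> SIL{target} target")
    ok, achieved, limiting = verify(target, sil_pfd=2, sil_ac=1, sil_cap=3)
    print(f"achieved SIL{achieved}, limited by {limiting}, meets target: {ok}")
```

Exact fractions keep the decade-boundary case (a required risk reduction of exactly 100) from being pushed into the wrong band by floating-point rounding.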
Common Mistakes SIL Verification
DO NOT:
– Use Spreadsheet without justification
– Use optimistic (Dangerous) Failure Rates
– Use 100% Proof Test coverage
– Ignore Common Cause Failures
– Ignore Process Connections
– Ignore SIL Capability
– Ignore Hardware Fault Tolerance
– Rely on insufficiently trained engineers

Next CFSE Trainings China: May – June 2011
Certified by 3rd Party