The evolution of the cookbook
Angela E. Summers, Ph.D., P.E.
Michela Gentile, Ph.D.
Mary Kay O'Connor Process Safety Center 2006 International Symposium
Beyond Regulatory Compliance, Making Safety Second Nature
Texas A&M University, October 24-25, 2006
Outline
Introduction
Problem Definition
Prescriptive Design: Cookbook
Performance-based Design
Example
Conclusions
Introduction
Normal process control is designed to keep the process within specified parameter ranges considered acceptable for normal and safe operation.
[Figure: vessel with level transmitters LT 1 and LT 2, each with HH and LL limits; the safe level (S) and the level-too-high region are marked]
The SIS is designed to bring the process to a safe state when the parameters are outside the safe ranges.
Introduction
Hazard and Risk Analysis (H&RA)
Assesses the process risk associated with identified hazardous events.
Identifies the need for SIS.
Independent protection layers (IPL) reduce the process risk to the owner/operator risk criteria.
[Figure: vessel with LT 1 and LT 2, HH/LL limits, safe level S, level too high]
Target safety integrity level (SIL): the performance benchmark for the SIS design and management.
Introduction
In the past, integrity was achieved by using safety margins.
Now, as less safety margin is built into the design, more importance is placed on the precision of the risk analysis.
Today project/plant personnel are under pressure to optimize (reduce safety margins) the processes.
[Figure: the vessel with LT 1 and LT 2, HH/LL limits, safe level S and level too high, shown twice, with the safety margin between the HH limit and the level-too-high region marked]
Introduction
Target safety integrity level (SIL)
Cookbook SIS design: common in the process industry at the time of the issuance of ISA 84.01-1996. Simpler but less flexible.
Performance-based (ISA 84.01-2004/IEC 61511): flexible, but also adds significant complexity because of the wide range of options.
Introduction
[Figure: cookbook SIS design versus performance-based (84.01/IEC 61511) design under optimization pressure (safety margin reduction, longer turnaround intervals); labels on the figure: Low flexibility, Complexity, Safety margin, Flexibility, Complexity]
Problem
[Figure: arrow from cookbook SIS design to performance-based (84.01/IEC 61511)]
Successful mechanical reliability/preventive maintenance programs.
Prescriptive risk reduction strategies: experience and good engineering practice.
Internal practices: required architecture, fault tolerance, voting, diagnostics, installation details, maximum proof test interval (6 months to 1 year).
Extend the turnaround interval. Significant economic returns through improved production.
Conflicted with the documented proof test requirements.
Cookbook SIS Design
Cookbook SIS Design
1993: CCPS/AIChE published Guidelines for Safe Automation of Chemical Processes, which introduced the concept of safety integrity level (SIL).
SIL: related to the probability that the SIS fails to perform as required when needed.
[Figure: SIL ladder from SIL 1 up to SIL 2 (PFD = 1.0E-02) and SIL 3 (PFD = 1.0E-03); the performance expectation increases with the SIL (reduced tolerable probability of SIS failure)]
Cookbook approaches require more rigor in the design, operation, inspection, and maintenance practices as the SIL increases.
Cookbook SIS Design
SIS internal practices:
Define the minimum requirements to achieve SIL 1, SIL 2, and SIL 3, covering device selection, configuration, diagnostics, and proof test intervals.
Must be followed unless a deviation is justified and approved.
Evolved over years and are generally sufficiently conservative that a wide range of devices could be used to implement the design.
Require proof test intervals based on the recommended designs; deviation from this test interval is only acceptable if quantitative analysis demonstrates that the required risk reduction is met.
Widely used to specify SIS requirements, especially for repetitive applications.
Ensure consistency in the SIS design and implementation across a facility.
Towards Performance-based
[Figure: arrow from cookbook SIS design to performance-based (84.01/IEC 61511)]
The user of the cookbook must understand the assumptions behind the cookbook. When any of the assumptions is violated, the performance achieved by the SIS may be insufficient to provide the required safety and reliability for the specific application.
Prescriptive approaches are often favored over performance-based ones because of the apparent simplicity offered by the cookbooks.
Performance-based SIS Design
Performance-based
ISA 84.01-2004/IEC 61511 uses a four-tiered SIL benchmark to establish SIS requirements.
The flexibility of a performance-based standard allows owner/operators to determine how to invest the $$$$$.
[Figure: design levers traded against cost: test interval, device redundancy, diagnostic capability, test/bypass facilities, each set against capital investment and operating cost]
Performance-based
CAUTION!!
The flexibility of a performance-based standard can lead to inconsistencies.
Inconsistency increases the potential for systematic errors.
It is important to remember that a performance-based process is only as good as the data and information fed into it.
Prescriptive internal practices are required to ensure consistency.
Towards Performance-based
[Figure: arrow from cookbook SIS design to performance-based (84.01/IEC 61511), with SIL verification moving from qualitative through semi-qualitative to quantitative]
The cookbook concept is also acknowledged in ISA 84.01-1996: verification of SIL can be qualitative (comparison to a prescriptive design) or quantitative.
ISA 84.01/IEC 61511 eliminates the qualitative option, emphasizing a quantitative demonstration for SIL claims.
EXAMPLE
Example: Assumptions
The failure rate of the devices is constant and random, which requires inspection and preventive maintenance.
Devices are specified to fail to the safe state on loss of power and other support systems.
Redundant sensors are installed on separate process connections.
Block valves are specified as spring-return fail-closed and are actuated using de-energize-to-trip solenoid operated valves.
The proof test procedure fully validates the required operation of each device.
Example: Scenario
[Figure: vessel with pressure transmitters PT 1 and PT 2, each with HH and LL limits; safe level S and level too high marked]
Event sequence: control valve failure, vessel overpressure, vessel failure, release of flammables.
Example: Scenario
[Figure: the same vessel with PT 1 and PT 2, with the SIF shown acting on it]
Event sequence with the SIF in place: control valve failure, vessel overpressure, SIF acts, safe state.
Example: Options
[Figure: SIL 1 architectures; a SIL 1 architecture that is fault tolerant to dangerous failures, and a high reliability SIL 1 SIS]
Example: Options
[Figure: SIL 2 architectures; a SIL 2 architecture that is fault tolerant to dangerous failures, and a high reliability SIL 2 SIS]
Example: Options
[Figure: SIL 3 architectures; a SIL 3 architecture that is fault tolerant to dangerous failures, and a high reliability SIL 3 SIS]
Example: Results
Required SIL   Case           PFDavg @ TI=1 yr   PFDavg @ TI=3 yr   PFDavg @ TI=5 yr   MTTFS
SIL 1          A              2.04E-02           6.04E-02           1.01E-01           18.5
SIL 1          High Reliab.   2.69E-02           7.96E-02           1.32E-01           51.8
SIL 2          A              3.73E-03           1.28E-02           2.40E-02           10.7
SIL 2          High Reliab.   2.16E-03           1.00E-02           2.29E-02           27
SIL 3          A              3.60E-04           2.75E-03           7.37E-03           9.4
SIL 3          High Reliab.   7.29E-04           5.94E-03           1.62E-02           27
SIL 1: PFDavg between 1.0E-02 and 1.0E-01
SIL 2: PFDavg between 1.0E-03 and 1.0E-02
SIL 3: PFDavg between 1.0E-04 and 1.0E-03
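To make the table's point checkable, here is a small Python script, added as an example and not taken from the paper or its authors. It encodes the SIL bands listed on the page, classifies each tabulated PFDavg against its required SIL at each test interval, and flags marginal cases. The factor-of-two "marginal" threshold and the simplified single-channel (1oo1) formula PFDavg ≈ λ_DU·TI/2, used only to illustrate why PFDavg grows with the test interval, are assumptions of this example; the paper defines neither and gives no device failure rates.

```python
# Added example; not code from the paper or its authors. The SIL bands and the
# results table are copied from the page; the 2x "marginal" threshold and the
# simplified 1oo1 PFDavg formula are assumptions made for this illustration.

# SIL bands as tabulated on the page: SIL n is met when low <= PFDavg < high.
SIL_BANDS = {
    3: (1.0e-4, 1.0e-3),
    2: (1.0e-3, 1.0e-2),
    1: (1.0e-2, 1.0e-1),
}

# Page's example results: (required SIL, case) -> PFDavg at TI = 1, 3 and 5 years.
TEST_INTERVALS = (1, 3, 5)
PAGE_RESULTS = {
    (1, "A"):            (2.04e-2, 6.04e-2, 1.01e-1),
    (1, "High Reliab."): (2.69e-2, 7.96e-2, 1.32e-1),
    (2, "A"):            (3.73e-3, 1.28e-2, 2.40e-2),
    (2, "High Reliab."): (2.16e-3, 1.00e-2, 2.29e-2),
    (3, "A"):            (3.60e-4, 2.75e-3, 7.37e-3),
    (3, "High Reliab."): (7.29e-4, 5.94e-3, 1.62e-2),
}

# Assumption: a PFDavg within a factor of 2 of the band's upper limit is "marginal".
MARGINAL_FACTOR = 2.0


def sil_from_pfd(pfd_avg):
    """SIL band a PFDavg falls in: 3, 2 or 1; 0 if worse than SIL 1, 4 if better than SIL 3."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd_avg < high:
            return sil
    return 4 if pfd_avg < SIL_BANDS[3][0] else 0


def assess(required_sil, pfd_avg):
    """'ok', 'marginal' or 'fail' for one PFDavg against the required SIL band."""
    _, high = SIL_BANDS[required_sil]
    if pfd_avg >= high:
        return "fail"
    if pfd_avg * MARGINAL_FACTOR >= high:
        return "marginal"
    return "ok"


def assess_table(results=PAGE_RESULTS, intervals=TEST_INTERVALS):
    """Verdict for every case at every test interval: {(sil, case): {ti: verdict}}."""
    return {
        (sil, case): {ti: assess(sil, pfd) for ti, pfd in zip(intervals, pfds)}
        for (sil, case), pfds in results.items()
    }


def longest_acceptable_ti(required_sil, pfds, intervals=TEST_INTERVALS):
    """Longest tabulated TI at which the required SIL is met without being marginal
    (None if no interval qualifies). PFDavg only grows with TI, so the last 'ok' wins."""
    best = None
    for ti, pfd in zip(intervals, pfds):
        if assess(required_sil, pfd) == "ok":
            best = ti
    return best


def pfd_1oo1(lambda_du_per_year, ti_years):
    """Simplified low-demand PFDavg for a single (1oo1) channel: lambda_DU * TI / 2.
    Standard IEC 61508 approximation, used here only to show the roughly linear
    growth of PFDavg with the proof test interval."""
    return lambda_du_per_year * ti_years / 2.0


if __name__ == "__main__":
    for (sil, case), verdicts in assess_table().items():
        print(f"SIL {sil} {case:13s}", "  ".join(f"TI={ti}: {v}" for ti, v in verdicts.items()))
    # Constructed device: lambda_DU = 0.05/yr meets SIL 1 at TI=1 yr but not at TI=5 yr.
    for ti in TEST_INTERVALS:
        pfd = pfd_1oo1(0.05, ti)
        print(f"1oo1, lambda_DU=0.05/yr, TI={ti} yr: PFDavg={pfd:.3g} -> SIL {sil_from_pfd(pfd)}")
```

Run as a script, it reproduces the conclusion slide: every case drops out of its required band by TI=5 yr, and the high reliability SIL 3 case is already marginal at TI=1 yr.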
Conclusions
Conclusions
The prescriptive solutions were intended to be conservative to account for a wide variety of conditions.
The perceived safety margin provided by the proposed architecture at TI=1 yr is lost when the test interval is extended to 5 years.
As better analytical tools were developed, practices evolved to become more performance-based, allowing increased flexibility.
High reliability architectures have a larger number of devices, which yields a higher PFDavg.
When the SIF architecture only achieves a marginal PFDavg, the design should be considered insufficient for the required SIL.
Questions