Determine SIS and SIL Using HAZOPS

Héctor Javier Cruz-Campa and M. Javier Cruz-Gómez*
Departamento de Ingeniería Química, Facultad de Química, Universidad Nacional Autónoma de México, Mexico City, D.F., Mexico; mjcg@servidor.unam.mx (for correspondence)

Published online 26 February 2009 in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/prs.10293

A simplified quantitative analysis methodology for the determination of required Safety Instrumented Systems (SIS) and the associated target Safety Integrity Levels (SIL) is presented. As prerequisites, the company policy for risk acceptability and a hazard and operability (HAZOP) study are needed. A risk acceptability criterion for large commodity chemical, petrochemical, or refining companies is discussed. The methodology starts with the selection of high potential risk scenarios from the HAZOP study. Then the effectiveness of the relevant process safeguards is evaluated based on layers of protection analysis, to assess whether there are adequate and sufficient safety protection layers in the chemical process, so that the actual risk of the process is at an acceptable level. The method allows the user to determine first whether a SIS is required and then what SIL is required for each function it performs. If a SIS already exists in the process, the methodology can be used to verify the required SIL for each safety instrumented function. © 2009 American Institute of Chemical Engineers Process Saf Prog 29: 22–31, 2010

Keywords: Safety Instrumented Systems, Safety Integrity Levels, Layers of Protection Analysis, hazard and operability, risk, policy

INTRODUCTION

Safety Instrumented Systems (SISs), such as emergency shutdown systems, fire and gas systems, and safety interlocks, are safety related systems that implement one or more Safety Instrumented Functions (SIFs). A SIF's job is to sense a hazardous condition and automatically take appropriate actions to move the process to a safe state.
A SIS implements its SIFs by means of (a) one or more sensors (e.g., temperature, pressure, level, fire presence, toxic or flammable gas concentration), (b) one or more electrical, electronic, or programmable electronic (E/E/PE) logical solvers (the most common is a safety programmable logic controller, or PLC), and (c) one or more process control final elements (i.e., shutdown valves, electrical switches). The design of a SIS includes two parts: (a) establishing what it will do, that is, specifying the SIFs it will perform, and (b) for each SIF, establishing how well it is required to work.

In the United States, law [1] enforces the assurance of the mechanical integrity of emergency shutdown systems and safety controls (SISs), following "recognized and generally accepted good engineering practices." The latter clause has been interpreted by many authorities as "comply with all applicable international standards." The European Union and many countries around the world have similar laws. In countries where no similar law exists, international standards compliance is indirectly enforced by insurance company recommendations, by means of correlating the degree of compliance with insurance rates.

The current international standard applicable to the integrity of SISs is IEC 61511 [2], entitled "Functional safety—SISs for the process industry sector," also accepted by the ISA SP84 committee as ANSI/ISA 84.00.01-2004 [3]. The main difference between these two standards is the addition, in the ISA standard, of one extra clause applicable to systems commissioned before its publication date. This clause allows a company to keep its existing SIS designed to the previous version of the standard (ANSI/ISA S-84.01-1996) as long as the company determines that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.
To establish how well a SIF is required to work, IEC 61511 defines four Safety Integrity Levels (SILs), which are categories based on the probability of failure on demand (PFD) of the SIF. The inverse of the PFD is called the risk reduction factor (RRF). Table 1 shows the ranges of PFDs and associated RRFs for each SIL.

IEC 61511 establishes requirements for the entire life cycle of the SISs. This "Safety Life Cycle" (SLC) includes requirements for the specification, design, implementation, operation, maintenance, and modification of a SIS, from its conception to its decommissioning, but the most critical steps in the SLC of a SIS are the determination of (a) whether a SIS is required at all and, if the answer is yes, (b) the required or target SIL for each SIF implemented. The lack of an adequate methodology and guidance for these two steps has been the cause of many unnecessary SIL 3 SISs being commissioned when SIL 1 SISs or non-SIS protections would have been adequate. Adequate determination of the required SIS/SIL is important to ensure process risk is maintained at tolerable levels with the right investment in protection systems. Thus, the aim of this article is to provide a straightforward and easy to use methodology to achieve cost effective safety.

Table 1. Safety integrity levels.

SIL    PFD                    RRF
1      0.1–0.01               10–100
2      0.01–0.001             100–1,000
3      0.001–0.0001           1,000–10,000
4      0.0001–0.00001         10,000–100,000

RISK QUANTIFICATION AND RISK ACCEPTABILITY

Understanding risk in a semiquantitative way is the key to understanding this methodology. Risk is the product of the magnitude of the potential consequences of an unwanted event and its likelihood. By this definition, the risk of an undesirable event that may occur once per year is equivalent to the risk of another event whose consequences are 10 times greater but may occur only once in 10 years.
Consequence quantification is a difficult task that can be addressed by using consequence categories, roughly representing the order of magnitude of the potential costs associated with such events. Suggested categories for consequences are illustrated in Table 2. The potential effects description in Table 2 is applicable to all company sizes, except for the estimated costs involved. The monetary amounts used in Table 2 may be appropriate for large chemical commodity, refining, and petrochemical companies, but for small or mid size chemical process companies an order of magnitude reduction is suggested (i.e., an estimated cost greater than 1 million dollars would be considered catastrophic for a medium size or small company). There may be an event that could be categorized beyond category 5, involving multiple fatalities or costs greater than 100 million dollars. If such potential consequences are known or discovered in a hazard identification study, the advice would be either to ensure that the process has adequate consequence reducing protections, or to use an alternate inherently safer process, so that the maximum consequence category is 5. Consequence reducing protections include passive energy and materials containment, like dikes and concrete wall enclosures, and appropriate distance between hazard sources and potential receptors, such as facility spacing and safety buffer zones. No company should operate with conditions for a potential Bhopal or Seveso.

Table 2. Consequence severity categories and potential effects.

Category 5: Catastrophic
  Personnel:    Fatality or permanently disabling injury
  Community:    One or more severe injuries
  Environment:  Significant release with serious offsite impact and probable immediate or long-term health effects
  Facility:     Major or total destruction of one or several process areas at an estimated cost greater than 10 million dollars or a significant loss of production
Category 4: Major
  Personnel:    One or more severe injuries
  Community:    One or more minor injuries
  Environment:  Significant release with serious offsite impact
  Facility:     Major damage to one or more process areas at an estimated cost greater than 1 million dollars or some loss of production
Category 3: Critical
  Personnel:    Single injury, not severe; possible lost time
  Community:    Odor or noise complaint from the public
  Environment:  Release that results in agency notification or permit violation
  Facility:     Some equipment damage at an estimated cost greater than $100,000 and with minimal loss of production
Category 2: Minor
  Personnel:    Minor injury; no lost time
  Community:    No injury, hazard or annoyance to public
  Environment:  Recordable event with no agency notification or permit violation
  Facility:     Minor equipment damage at an estimated cost greater than $10,000 and with no loss of production
Category 1: Negligible
  Personnel:    No injury, no lost time
  Community:    No injury, hazard or annoyance to public
  Environment:  Recordable event with no agency notification or permit violation
  Facility:     Minor equipment damage at an estimated cost of less than $10,000 with no loss of production
Reproduced from Ref. 4, with permission from AIChE.

On the other side, likelihood is expressed quantitatively in terms of an expected number of events per year, that is, in terms of a frequency. The useful range of frequencies for these kinds of studies normally has limits of $10^{-7}$ to $10^{3}$ events/year. Given the uncertainty of the frequency data available for these analyses and the wide range considered, we can work in terms of orders of magnitude in a simplified scale. In this simplified scale, frequency data are converted to an integer number from 0 to 10, which we will call "Frequency Index," described in Table 3. The equivalence between raw frequency data and frequency indexes is given by Eq. 1:

$$F = \mathrm{Int}\left(\log_{10}(f)\right) + 7 \qquad (1)$$

where F is the frequency index and f the frequency in events/year. According to this formula, the "Frequency Index" F equals the closest integer to the base 10 logarithm of the frequency f (that is, the base 10 exponent) plus 7, where the frequency is a number between $10^{-7}$ and $10^{3}$.

Table 3. Frequency indexes for different kinds of expected events in a process plant lifetime.

Order of magnitude of the frequency f (events/year)   Frequency Index (F)   Qualitative description
1,000                                                 10                    Occurs every shift
100                                                    9                    Occurs weekly
10                                                     8                    Occurs monthly
1                                                      7                    Occurs yearly
1/10                                                   6                    High probability of occurrence in the plant's lifetime. Event has occurred at least once in similar plants
1/100                                                  5                    Medium probability (26%) of occurrence in the plant's lifetime. High probability of occurrence at least once in the lifetime of 10 similar plants
1/1,000                                                4                    Low probability (3%) of occurrence in the plant's lifetime. Medium probability (26%) of occurrence in the lifetime of 10 similar plants
1/10,000                                               3                    Low probability (3%) of occurrence in the lifetime of 10 similar plants
1/100,000                                              2                    Low probability (3%) of occurrence in the lifetime of 100 similar plants
1/1,000,000                                            1                    Low probability (3%) of occurrence in the lifetime of 1,000 similar plants
1/10,000,000                                           0                    Inconceivable event for practical purposes
In the quantitative description of the lower frequency numbers shown in Table 3 we have considered the probability of occurrence in a reference time of the typical lifetime of 1, 10, 100, and 1,000 similar process plants; that is, 30, 300, 3,000, and 30,000 equivalent operation years. The relationship between frequency and probability is given by Eq. 2:

$$P = 1 - e^{-fT} \qquad (2)$$

where P is the event probability, f the frequency, and T the reference time. This way, if we know an event occurs once in 1,000 operation years ($10^{-3}$ events/year), there is a probability of 3% of the event occurring in the lifetime of one single plant and 26% of it occurring in the equivalent lifetime of 10 similar plants.

To understand risk and risk acceptability, we can draw a diagram of consequence vs. frequency (likelihood) using a logarithmic scale for each axis (see Figure 1). In such a diagram, the greatest risk is located at the top-right corner, and equivalent risks can be drawn as straight lines, so we can establish three general zones in relation to risk acceptability:

• Totally unacceptable risks: All criteria agree that in this zone, the actions for risk reduction or mitigation are obligatory and urgent.
• Totally negligible risks: All criteria agree that in this zone, actions for further risk reduction or mitigation are not required or convenient.
• Variable criteria zone: In this zone, each criterion differs in how much risk reduction is needed, recommended or convenient, or in the urgency of these actions. In this zone, each company or industry should choose how much it is practical to reduce or mitigate risks.

Figure 1. Representation of risk acceptability criteria in a frequency-severity diagram.

The limits for each zone represented in Figure 1 were obtained from published government tolerable risk criteria [5] and are listed in Table 4. For the purposes of this article, establishing a risk acceptability policy means choosing a maximum acceptable frequency for each consequence category, between the two limits established in Table 4. For category 5 consequences, we suggest that the company at least should make sure that the risk inside the process facility is not greater than the general outside individual accident risk, which is around $10^{-4}$ events/year. Other companies may choose higher performance targets and use a frequency an order of magnitude less. This would mean that the company wants the operation of the process facility to be safer than the average. For this article we chose the first criterion for maximum acceptable frequencies, represented in Table 5 along with the associated Frequency Indexes. The maximum allowable frequency index for each consequence category will be called "Threshold Frequency Index" (Ft).

Table 4. Limit frequency in the variable criteria zone for each consequence category.

Consequence Severity       Lower Limit Frequency (events/year)   Upper Limit Frequency (events/year)
Category 5—Catastrophic    1/100,000,000                         1/1,000
Category 4—Major           1/10,000,000                          1/100
Category 3—Critical        1/1,000,000                           1/10
Category 2—Minor           1/100,000                             1
Category 1—Negligible      1/10,000                              10

Table 5. Threshold frequency numbers for each consequence category.

Consequence Severity       Maximum Acceptable Frequency (events/year)   Threshold Frequency Index (Ft)
Category 5—Catastrophic    1/10,000                                     3
Category 4—Major           1/1,000                                      4
Category 3—Critical        1/100                                        5
Category 2—Minor           1/10                                         6
Category 1—Negligible      1                                            7

DESCRIPTION OF THE SIS/SIL DETERMINATION METHODOLOGY

According to the SLC described in the IEC 61511 standard, before attempting to define a SIL for a SIS, a process risk analysis should be carried out and non-SIS protection layers should be used to prevent or reduce the identified risks. Only if the non-SIS protection layers are found insufficient for risk mitigation to acceptable or tolerable levels can we recommend the use of a SIS, for which we need to define the required SIL. To carry out the definition of the SIS/SIL, a semiquantitative methodology was developed based on the Layers of Protection Analysis (LOPA) [4], which is described next. The term SIS/SIL is used to indicate that the methodology helps to define first whether a SIS is to be used and second what the required SIL is. This implies that in many risk scenarios no SIS may be justified and existing protection layers will be adequate for risk mitigation.

Chemical process incidents involving hazardous chemicals, particularly catastrophic ones, occur when an initial enabling event is combined with the failure of one or more process protection layers. The estimated frequency for these incidents is equal to the frequency of the initial events multiplied by the probability of these layers failing simultaneously on demand. Depending on the severity of the potential consequences of an incident, the risk acceptability criterion is used to establish a maximum allowable frequency. A semiquantitative evaluation of the demand frequency and the PFD of the applicable protection layers can determine whether the protections are sufficient for the established criteria. If the available process protection layers are not sufficient, additional protection layers must be evaluated, which may include a Safety Instrumented System (SIS). When a SIS is recommended, the required SIL can be easily obtained.
Steps in the SIL/SIS Evaluation

Step 1: Identify a Hazardous Event and Assess its Severity

We start this methodology with a hazard and operability (HAZOP) study, the most commonly used methodology for process plant hazard evaluation, from which the highest potential risk scenarios are selected. High potential risk scenarios are scenarios with a high initiating event (cause) frequency and high unmitigated consequences. We can detect these scenarios by looking at the number of existing or proposed protection systems (in the safeguards and recommendations columns), where a high number of protections can be related to high risk, or by searching for explosion, fire, or toxic release potential mentioned in the consequences. Other important scenarios for this methodology include those that mention existing or proposed SISs.

Using the information available from the consequences pointed out in the HAZOP study, consequence severity must be categorized to assign a threshold frequency for each scenario. Consequence severity must be assessed considering that all existing protections that could possibly fail actually fail (passive consequence reducing protections such as dikes are considered never to fail, unless the design is judged to be inadequate). To help with the consequence categorization step based on size of release and consequences on production and facilities, LOPA [4] suggests using the guidelines in Tables 6 and 7.

Table 6. Semiquantitative guide for consequence category selection based on size of release. Entries are the consequence categories of Table 2 (5 Catastrophic, 4 Major, 3 Critical, 2 Minor, 1 Negligible).

Release Characteristic                              >50,000 kg   5,000–50,000 kg   500–5,000 kg   50–500 kg   5–50 kg   0.5–5 kg
Extremely toxic above BP                                5               5                5             5          4          3
Extremely toxic below BP or highly toxic above BP       5               5                5             4          3          2
Highly toxic below BP or flammable above BP             5               5                4             3          2          2
Flammable below BP                                      5               4                3             2          2          1
Combustible liquid                                      3               2                2             1          1          1
Reproduced from Ref. 4, with permission from AIChE. BP, atmospheric boiling point.

Step 2: Identify the Initiating Event and Assess its Frequency

The initiating event for a scenario is taken from the cause column in the HAZOP study. When each scenario has been evaluated with a risk matrix, its frequency can be determined from this evaluation. This value must be compared with the ranges available in the literature for validation. A very good source for equipment reliability data is available from the Center for Chemical Process Safety (CCPS) [6]. As with the threshold frequency, an "Initiating Frequency Index" (Fi) is assigned to the frequency data to simplify handling. Table 5 can be used to assign a frequency index for the initiating event.

Step 3: Identify the Applicable Independent Protection Layers and Evaluate Their Effectiveness

Independent Protection Layers (IPLs) are devices, systems, or actions capable of preventing a scenario from continuing to the undesirable consequences; they are independent of the initial event and of the action or failure of any other protection layer associated with the scenario. The commonly available protection layers in a chemical process are shown in Figure 2 (adapted from LOPA [4]).
For the purposes of this methodology, the process design layer and containment systems must be taken into account in the potential consequences. The basic process control system (BPCS) layer will not be considered, because in a HAZOP study its failures are normally the causes or initiating events considered in each scenario. And finally, the emergency response layers are not taken into account, because the objective is to end up not needing these protection layers. So, only the following protection layers remain to be considered in this methodology: (a) alarms and human response, (b) SISs, and (c) relief systems.

The effectiveness of each layer is evaluated using an index related to the order of magnitude of the PFD (SPFD) according to Table 8. The SPFD number allows us to translate the PFD into a value that is easy to manage and whose magnitude is proportional to the effectiveness of the protection. A low SPFD number indicates a protection with low effectiveness and a very high probability of failure when we need it, and vice versa. SPFD numbers can be determined from the data published by the CCPS of the AIChE [6]. Some representative values are shown in Table 9. These typical values will usually require a slight adjustment when using this methodology, because several factors exist in practice that reduce the effectiveness of existing protections:

• Inadequate design, e.g., worst case scenarios are not considered.
• The construction was not carried out according to the design established in the basic engineering, e.g., poor materials of construction.
• Maintenance less than adequate, e.g., no predictive maintenance programs.
• Deficient inspection and testing of safety equipment.
• Lack of operator training for safety systems operation.
• Systematic disabling of safety systems because of operative problems.
• Inadequate or nonexistent management of change.

Obtaining the total effectiveness of the protection layers: Once we identify the IPLs applicable to each scenario and evaluate their effectiveness, the individual SPFD numbers must be added to obtain the total effectiveness of the protection (Es), where

$$E_s = \sum S_{PFD}$$

The main advantage of using indexes instead of exponent numbers is shown here, where a multiplication of probabilities is handled as the addition of integer numbers.

Table 7. Semiquantitative guide for consequence category selection according to consequences on production and facilities.

Consequence                                               Large plant, main product   Small plant, by-products
Mechanical damage to spared or nonessential equipment     Minor: Category 2           Minor: Category 2
Plant outage for less than 1 month                        Critical: Category 3        Minor: Category 2
Plant outage for 1 to 3 months                            Major: Category 4           Critical: Category 3
Plant outage for more than 3 months                       Major: Category 4           Major: Category 4
Vessel rupture, 3,000 to 10,000 gal, 100–300 psi          Major: Category 4           Major: Category 4
Vessel rupture, >10,000 gal, >300 psig                    Catastrophic: Category 5    Catastrophic: Category 5
Reproduced from Ref. 4, with permission from AIChE.

Step 4: Calculate the Expected Frequency for the Hazardous Event

The total protection effectiveness number (Es) is used to calculate the expected frequency for the hazardous event taking into account the IPLs; this frequency will be called the reduced frequency (Fr):

$$F_r = F_i - E_s \qquad (3)$$

Step 5: Determine the Need for Additional Layers of Protection and the Required SIL, if a SIS is Recommended

Once the reduced frequency (Fr) is obtained, it is necessary to compare it with the threshold frequency (Ft) for the selected scenario: If Fr ≤ Ft, then protections are sufficient for the risk scenario (if Fr < Ft, then there is an over-design according to the acceptability criteria).
If Fr > Ft, then protections are insufficient for the risk scenario (the combined effectiveness of the protections is not enough to reduce the initiating event frequency to the maximum acceptable frequency for the scenario). When Fr > Ft, we need to establish a risk control strategy based on the required effectiveness (frequency reduction) Sadd, as shown in Eq. 4:

$$S_{add} = F_r - F_t \qquad (4)$$

According to the value of Sadd, there are the following three cases:

Case 1: Sadd = 1

If we already have protection layers applicable to the scenario (usually this is the case), we recommend improving the effectiveness of these layers (e.g., more frequent and systematized maintenance programs can improve existing protection reliability, and operator response to alarms can be improved with training). If there are no protection layers applicable to the scenario, we must recommend installing a non-SIS protection layer. Only if no non-SIS protection layers can be applied could we suggest using a SIS with SIL 1.

Case 2: 2 ≤ Sadd ≤ 4

Non-SIS protection layers and existing protection layer improvement must be suggested if possible and reevaluated to determine whether this is enough. If no non-SIS protection layers can be suggested and existing protections have been improved, we can suggest installing a SIS. If a Safety Instrumented System (SIS) is recommended, the required SIL can be determined from the Sadd value, after considering the other non-SIS alternatives, using Table 10.

Figure 2. Layers of protection for a chemical process, purpose and consequences of failure on demand (adapted from LOPA [4]).

Table 8. Probability of failure on demand indexes.

Probability of Failure on Demand Index (SPFD)   Probability Range            Expected Failures Based on 1,000 Demands
0                                               1                            1,000
1                                               1 to $10^{-1}$               100 to 1,000
2                                               $10^{-1}$ to $10^{-2}$       10 to 100
3                                               $10^{-2}$ to $10^{-3}$       1 to 10
4                                               $10^{-3}$ to $10^{-4}$       0.1 to 1
5                                               $10^{-4}$ to $10^{-5}$       0.01 to 0.1
Case 3: Sadd > 4

The value of Sadd is very high and a SIS protection would not be enough to mitigate the risk. Therefore, we must first recommend a reevaluation of the equipment or process, searching for high effectiveness solutions, and second, implement several SIS and non-SIS protection layers until the risk is at an acceptable level.

Special Case: Determination of the Required SIL for an Already Installed SIS

In case we want to determine the required SIL of a previously installed SIS, we can proceed by evaluating the risk scenario without considering the SIS protection layer. The value of the corresponding Sadd will give the required SIL for the SIS.

Table 9. Typical SPFD numbers for some representative process items.

Process Item                                                                                                      Typical SPFD
Centrifugal pump driven by an electric motor (spare)                                                              2
Check valve                                                                                                       3
Manual valve                                                                                                      4
Motorized valve                                                                                                   2
Pneumatic valve                                                                                                   3
Solenoid valve                                                                                                    3
Firefighting system (diesel motor)                                                                                2
Firefighting system (electric motor)                                                                              1
Relief valve (PSV)                                                                                                4
SIL 1 SIS                                                                                                         2
SIL 2 SIS                                                                                                         3
SIL 3 SIS                                                                                                         4
Simple human response to a process alarm (simple and clear procedure, more than 30 min to respond, low stress)    1
Complex human response with short time to respond (less than 5 min) in high stress situations                     0

Table 10. Determination of the required SIL from the Sadd number.

Sadd   Corresponding PFD          Required SIL
2      $10^{-1}$ to $10^{-2}$     1
3      $10^{-2}$ to $10^{-3}$     2
4      $10^{-3}$ to $10^{-4}$     3

Figure 3. Process flow diagram for the absorber section of a sour gas treatment unit.

COMPARISON TO "CLASSIC" LOPA

In classic LOPA, probability and frequency data are used "as is." In this methodology, the math is simplified by using only the order of magnitude of frequency and probability data, so multiplications of probabilities and frequencies become simple additions of integer numbers.
Classic LOPA uses several factors that affect the resulting frequency for the unwanted event: mainly use factor, ignition probability, explosion probability, and occupancy. In this methodology, the use factor, that is, the fraction of time the hazardous process is in operation or the hazard is present in the system, is assumed to be 1, implying continuous processes. Also, occupancy, that is, the probability that the effect zone of an accident will impact one or more personnel, and the ignition and explosion probabilities must already have been taken into account, all together, when selecting a consequence severity category.

WORKED EXAMPLE

A simplified process flow diagram of the absorber section of a high pressure sour gas amine treatment unit is shown in Figure 3. The simplified process and instrumentation diagram (P&ID) of the bottom section of the absorber (T-1) and the amine flash drum (V-1) is shown in Figure 4. From the HAZOP study of this process unit section the following scenario was selected (Node: high pressure amine absorber (T-1); Deviation: high level):

Cause: Failure of LT indicating a false high level.

Consequences:
• LV fully opens
• Loss of liquid seal in T-1 column
• High pressure gas flows to low pressure flash tank V-1 (Note: PSV in V-1 is not designed for this scenario)
• Potential explosion of V-1
• LV bypass valve could be erroneously opened in an attempt to control the "high level" in T-1, worsening the scenario

Safeguards:
• High pressure alarm in V-1 PIC and operator response (LG indication is unreliable in this case)

Recommendations:
• Consider adding a SIS and implement a SIF for this scenario
• Lock LV bypass valve in closed position
• Update emergency operation procedures with this scenario and train operators accordingly

Figure 4. Simplified P&ID of a section of a high pressure sour gas amine treatment unit.

Figure 5. Modified P&ID including a SIS.
Step 1: Identify a hazardous event and assess its severity. For this scenario, taking into account that facility spacing is adequate, that personnel are mostly concentrated in a bunker control room at an adequate distance, and that the consequences involve a potential low pressure vessel rupture, we categorize the event as category 4 (Major). From Table 5, the associated threshold frequency index (Ft) is 4.

Step 2: Identify the initiating event and assess its frequency. The initiating event for this scenario is the failure of a level transmitter indicating a wrong high level. From Table 5 we determine that the initiating event frequency is in the order of $10^{-1}$ events/year (an event with high probability of occurring in the plant's lifetime), so the associated initiating frequency index (Fi) is 6.

Step 3: Identify the applicable IPLs and evaluate their effectiveness. In this scenario, the only applicable protection layer is an alarm and the associated human response. Assuming procedures are clearly written and operator training is adequate, from Table 9 we can assign an SPFD of 1 to this protection layer. The existing PSV and LG were already considered inadequate for this scenario in the HAZOP. So the total protection effectiveness for this scenario is Es = 1.

Step 4: Calculate the expected frequency for the hazardous event, taking into account the IPLs. The reduced frequency for this scenario is Fr = Fi - Es = 6 - 1 = 5.

Step 5: Determine the need for additional layers of protection and the required SIL, if a SIS is recommended. The reduced frequency for this scenario is greater than the threshold frequency for the consequence category (Fr > Ft), so we calculate the required frequency reduction Sadd:

$$S_{add} = F_r - F_t = 5 - 4 = 1$$

As Sadd = 1 and no non-SIS protection layers are applicable, we may suggest installing a SIS.
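The index arithmetic of Steps 1 to 5 (Eq. 1 to Eq. 4, Es = Σ SPFD, the Table 5, 6, 8 and 10 lookups and the three Sadd cases), together with the Eq. 2 probability relation of the risk quantification section, as an added Python example that is not the authors' code; function names, the inclusive upper limits of the Table 6 release bands and the treatment of values that fall exactly on a table boundary are assumptions, and the block goes beyond the single scenario above by also covering the Table 6 and Table 8 conversions and the special case of an already installed SIS.

```python
"""Semiquantitative SIS/SIL determination from a HAZOP scenario.

Added example, not the authors' code. It implements the article's index
arithmetic (Eq. 1, Eq. 2, Es = sum of SPFD, Eq. 3, Eq. 4), the Table 5,
Table 6, Table 8 and Table 10 lookups and the three Sadd cases. Function
names and the handling of values exactly on a table boundary are assumptions.
"""
import math

# Table 5: threshold frequency index Ft, by consequence category 5..1
THRESHOLD_INDEX = {5: 3, 4: 4, 3: 5, 2: 6, 1: 7}

# Table 6: upper bound (kg, assumed inclusive) of each release-size band,
# smallest band first, and the consequence category per release characteristic
RELEASE_BAND_UPPER_KG = (5, 50, 500, 5_000, 50_000, math.inf)
RELEASE_CATEGORY = {
    "extremely toxic above BP":                          (3, 4, 5, 5, 5, 5),
    "extremely toxic below BP or highly toxic above BP": (2, 3, 4, 5, 5, 5),
    "highly toxic below BP or flammable above BP":       (2, 2, 3, 4, 5, 5),
    "flammable below BP":                                (1, 2, 2, 3, 4, 5),
    "combustible liquid":                                (1, 1, 1, 2, 2, 3),
}

# Table 10: SIL required of a SIS that must provide a frequency reduction Sadd
SIL_FROM_SADD = {2: 1, 3: 2, 4: 3}


def frequency_index(f):
    """Eq. 1: F = Int(log10 f) + 7, kept inside the 0..10 range of Table 3."""
    if f <= 0:
        raise ValueError("frequency must be positive (events/year)")
    return max(0, min(10, round(math.log10(f)) + 7))


def event_probability(f, T):
    """Eq. 2: P = 1 - exp(-f T), probability of the event within T years."""
    return 1.0 - math.exp(-f * T)


def spfd_index(pfd):
    """Table 8: SPFD is the order of magnitude of the PFD (0 for PFD = 1, capped at 5).

    PFD in (1, 0.1] maps to 1, (0.1, 0.01] to 2, and so on; a value exactly on
    a boundary takes the lower index, i.e. the protection gets less credit.
    """
    if not 0 < pfd <= 1:
        raise ValueError("PFD must lie in (0, 1]")
    return min(5, math.ceil(-math.log10(pfd)))


def release_consequence_category(characteristic, mass_kg):
    """Step 1 helper: Table 6 consequence category for a release of 0.5 kg or more."""
    if mass_kg < 0.5:
        raise ValueError("Table 6 starts at 0.5 kg")
    for upper, category in zip(RELEASE_BAND_UPPER_KG, RELEASE_CATEGORY[characteristic]):
        if mass_kg <= upper:
            return category


def evaluate_scenario(category, Fi, ipl_spfd):
    """Steps 3 to 5 for one scenario.

    category is the consequence category from Step 1, Fi the initiating
    frequency index from Step 2 and ipl_spfd the SPFD of each applicable IPL.
    Returns the indexes, the case reached and the SIL a SIS would need if one
    is finally chosen (None when no SIS is indicated).
    """
    Ft = THRESHOLD_INDEX[category]
    Es = sum(ipl_spfd)   # total effectiveness of the protection layers
    Fr = Fi - Es         # Eq. 3: reduced frequency index
    Sadd = Fr - Ft       # Eq. 4: frequency reduction still required
    result = {"Ft": Ft, "Es": Es, "Fr": Fr, "Sadd": Sadd, "sis_sil": None}
    if Sadd < 0:
        result["case"] = "over-design: protections exceed the acceptability criterion"
    elif Sadd == 0:
        result["case"] = "sufficient: no additional protection layer is required"
    elif Sadd == 1:
        result["case"] = ("case 1: improve existing layers or add a non-SIS layer; "
                          "a SIL 1 SIS only if no non-SIS layer can be applied")
        result["sis_sil"] = 1
    elif Sadd <= 4:
        result["case"] = ("case 2: add non-SIS layers first; if a SIS is still "
                          "needed, Table 10 gives its SIL")
        result["sis_sil"] = SIL_FROM_SADD[Sadd]
    else:
        result["case"] = ("case 3: re-evaluate the process; a single SIS cannot "
                          "bring the risk to an acceptable level")
    return result


def required_sil_for_existing_sis(category, Fi, non_sis_spfd):
    """Special case: evaluate without the SIS layer; the resulting Sadd gives its SIL."""
    return evaluate_scenario(category, Fi, non_sis_spfd)["sis_sil"]


if __name__ == "__main__":
    # Worked example: T-1 high level caused by the LT failing high. Category 4
    # (Major) gives Ft = 4, an initiating frequency of about 1e-1 events/year
    # gives Fi = 6 and the only IPL, a simple operator response to the V-1 high
    # pressure alarm, has SPFD = 1. Expected: Fr = 5, Sadd = 1, case 1, SIL 1.
    print(evaluate_scenario(4, frequency_index(0.1), [1]))
```

Running the file reproduces the absorber scenario (Fr = 5, Sadd = 1, case 1, SIL 1); passing a list without the SIS layer to `required_sil_for_existing_sis` applies the special case for a SIS that is already installed.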
The SIF would be to close an emergency shutdown valve installed in series with LV on detection of high pressure in the V-1 flash drum (we cannot use the signal from the LT, as its failure was the initiating event in the scenario). Its target SIL would be SIL 1. As normally a single valve will not be enough to meet SIL 1 requirements, a 3-way solenoid valve would be needed on the air pressure control line from the LIC, to close both the emergency valve and the level control valve in emergency situations, as shown conceptually in Figure 5.

CONCLUSIONS

It is not always necessary to have many protection layers or redundant SISs (SIL 2 or 3). Many risk scenarios can best be dealt with by improving process design and instrumentation to diminish the magnitude and frequency of the deviations in the process, so that we depend less on safety systems. The approach presented in this article can help in making decisions related to investment in additional and sophisticated safety protection layers or in improving existing ones.

LITERATURE CITED

1. Process Safety Management of Highly Hazardous Chemicals, 29 CFR 1910.119, United States Code of Federal Regulations, 1992.
2. International Electrotechnical Commission, Functional Safety—Safety Instrumented Systems for the Process Industry Sector, IEC 61511, IEC, Geneva.
3. ANSI/ISA-84.00.01-2004 (IEC 61511 mod), Functional Safety—Safety Instrumented Systems for the Process Industry Sector, ISA, Research Triangle Park, NC, 2004.
4. Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers (AIChE), Layers of Protection Analysis (LOPA): Simplified Process Risk Assessment, AIChE, New York, 2001.
5. Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers (AIChE), Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition, AIChE, New York, 2000.
6. Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers (AIChE), Guidelines for Process Equipment Reliability Data with Data Tables, AIChE, New York, 1989.