The Oil and Gas Engineering Guide

blog

fr en
Published Saturday 25/09/2010

SIL reviews

Recent development of industry standard related to Safety Instrumented Systems (SIS) in the Process Industry, ISA 84.00.00 in particular, have placed many new requirements on the design, selection, installation, operation and maintenance of instrumented safety systems.

 

These standards have prompted Safety Integrity Level (SIL) review to be systematically done on projects.

 

The objective is to ensure that each safety automation has the reliability required given its criticality.

 

 

It is done in two steps:

 

  • First review of the criticality and assignment of a required reliability level for the automation

 

  • Second check that the automation has indeed the required reliability

 

In the following text we will use the dedicated vocabulary. Safety Automation will therefore be called “Safety Instrumented Function (SIF)” and “reliability” will be called “Safety Integrity Level (SIL)”.

 

 

First step of the SIL study: SIL determination/assignment workshop

 

All SIF, i.e., instrumented interlocks, appearing on the project P&IDs are reviewed. For each one, the team evaluate qualitatively the consequence if the SIF fails. Consequences are evaluated in the field of impact of personnel (Safety), economical loss, environmental.

 

The consequence rating is done using categories, e.g. category 1 in case of fatalities on the public, category 2 in case of serious injury on public, category 3 if impact on personnel only etc.

 

The team then evaluates the likelihood of the SIF failure using a qualitative approach as well and categories: category A for 20 or more failure during the facility life, up to category D, once every 100 facility lives.

 

The product of the consequence severity and likelihood is the risk level. A matrix is defined, such as the one shown here, that indicates the tolerable risk area (low consequence, low probability), where no action is required, and the area were the risk is not tolerable.

 

In the non-tolerable risk area, one of the two following actions must be done:

 

  • Either assign the SIF the SIL target shown in the matrix

 

  • or, in case this protection is considered undesirable, due to the high SIL level required, such a SIL 3, additional safeguards or other risk reduction measures besides the SIF can be considered by the review team. The revised case shall then be subject to the same assessment as above to determine the new SIL target.

 

 

 

Once the required SIL level for each SIF is determined, comes the second step of the SIL Study.

 

 

Second step of the SIL study: the SIS performance verification.

 

This second step, which is done after outside the above step 1 workshop, consists of calculations of the actual Safety Integrity Level of each SIF. Such calculation takes into account the hardware used (component failure rates), architecture (redundancy, voting), test intervals etc.

 

In case were the calculated SIL is below the target set in the assignment workshop, improvements are required, such as increase of testing interval, change of SIF component types and  adding components for redundancy.

 

The deliverable of this second step is the documented calculations and recommendations “SIS performance verification results and recommendations”.

 

 

 

 

Most safety automations are the first of two barriers. A high pressure safety switch (PSHH) that shuts the fuel supply to a turbine driving a compressor, for instance, is the first barrier to stop the turbine in case of too high compressor discharge pressure.

 

If it fails to operate, a pressure safety relief valve (PSV) on the compressor discharge line will open, providing the second level of protection.

 

In most cases, 2 such safeguards are provided in the design: the safety automation is backed by a hard device. In these cases, the reliability of the automation is not thoroughly investigated as it is backed up.

 

The SIL review will focus on the few cases were the SIF is the only barrier. That would be the case if, for some reason, no PSV is installed on the compressor discharge line for the above case. In this case the SIF will be thoroughly examined, a SIL target set and the performance duly verified.



Comments(0)


Published Saturday 25/09/2010

The Design Criteria

The Basic Design Basis records reference values for the design of the facility, its main technical options, along with rules to be applied for sizing its equipment, pipe-work etc. The latter, called design criteria, either specified by the Client, or otherwise the Engineer’s standards and, in any case, within the limits permitted by the applicable codes.

Process design criteria include that for the design pressure of equipment and piping. The latter is set a few % above their maximum operating pressure. Such allowance is required for proper staging of overpressure protection system, avoiding its spurious operation. Setting the design pressure at 110% of the maximum operating pressure (MOP), for instance, will allow to set the pressure safety automation at 105% of the MOP and the pressure safety valve at 110%. This will avoid spurious trips due to drift in calibration of the high pressure safety sensor as well as spurious opening of the pressure safety valve.

The wall thickness of pressure vessels and lines is directly calculated from the design pressure, as per the formula given by the applicable design code. The design pressure criteria has therefore a large impact, not only in terms of material cost but also in terms of construction cost (increased pipe thickness will lead to increased welding time).

The impact of the design pressure on piping flanges is not as direct as on other piping items (straight pipes, elbows, tees), as flanges come in classes of admissible pressures (up to 20 bars, from 20 to 50 bars, from 50 to 100 bars, from 100 to 250 bars, etc.).

Other Process design criteria are defined, the most important being that defining the design temperature of equipment and lines, and the diameter of lines.

Both high and low design temperatures are specified. An allowance (10-20 degrees) is provided between the high design temperature and the maximum operating temperature, allowing some tolerance to process upset without the need to shutdown. The low design temperature is normally the one that is achieved during emergency depressurisation.

Both high and low design temperature dictate the selection of the material of construction. A low design temperature below -29C will, for instance require a low temperature carbon steel rather than a regular one.

The sizing criteria of lines come from the requirement to prevent line erosion, vibration and noise. It translates into a maximum fluid velocity, or kinetic energy, or both. It results in the selection of the diameter of each line, as a function of its flow. The line sizing cirteria has a large impact on the cost of a facility’s pipework, as it impacts both material and installation costs.



Comments(2)