DIPARTIMENTO DI ENERGETICA
Risk Assessment
Risk Analysis / Safety and Risk Analysis
Methodologies - Part 5
Andrea CARPIGNANO
andrea.carpignano@polito.it
Ed. 2008/09
Functional Safety
[P&ID sketch with tags T+, V1, P, V2]
Safety Life Cycle (phases of the functional safety project):
Phase 2: Definition of the overall objective of the Functional Safety Project
Phase 3: Risk Analysis
Phase 4: Allocation of the safety functions to the Independent Levels of Protection & SIL Allocation
Phase 5: Specification of the Safety Requirements of the SIS (SRS)
Phase 6: Design and engineering of the SIS & SIL Verification
Phase 7: Factory Acceptance Test (FAT)
Phase 8: Installation and Commissioning; Service of SIS
Phase 9: Site Acceptance Test (SAT)
Phase 10: Operation and Maintenance
Phase 11: Modifications
Phase 12: Decommissioning of the SIS
STANDARD EN 50402
Electrical apparatus for the detection and measurement of combustible or toxic gases or vapours or of oxygen. Requirements on the functional safety of fixed gas detection systems.
1. Definition of SILs according to the risk analysis of the system
2. Design of "safety
3. Checking of the level of SIL imposed
4. Commissioning and management to maintain the level of SIL of the project
Risk analysis flow chart:
System Description → Hazard Identification (Historical Analysis, HAZID, HAZOP, FMECA, Risk Matrix) → Selection of critical events: Not critical / Critical
Critical events → Selection and Grouping of Initiating Events → Analysis of Accidental Sequences (Probabilistic Analysis, Accident Simulation) → Risk Assessment → Tolerability Criteria: Tolerable / Not Tolerable
END
[Diagram axis: increasing level of conservativity in the allocation of SILs]
HAZOP worksheet columns: PROCESS PARAMETER | DEVIATION | CAUSE | OP. PHASE | EFFECTS (Local / System / Plant) | FREQ. | DETECTION, PREVENTION, MITIGATION METHODS | ACTIONS | NOTES
Risk matrix: severity categories
DESCRIPTION (damage to people): No important effects | Temporary injuries to people (recovery within max 3 days) | Temporary injuries to people (recovery in more than 3 days) | Permanent disabilities or fatalities
DAMAGE (Production) DESCRIPTION: No important effects
Criticality index R:
R > 8: events with very high criticality on which to intervene with preventive and/or mitigative actions
4 ≤ R ≤ 8
2 ≤ R ≤ 3
R = 1
SIL allocation matrix (the sixteen cells in the order they appear, four per row):
SIL 2 | SIL 3 | SIL 4 | SIL 4
SIL 1 | SIL 2 | SIL 3 | SIL 4
SIL 1 | SIL 2 | SIL 2 | SIL 3
No SIL required | SIL 1 | SIL 1 | SIL 2
HAZOP worksheet example:
PROCESS PARAMETER: Pressure
DEVIATION: More
OP. PHASE: Normal operation
EFFECTS: Possible release of flammable substance, fire and/or explosion, 1 or more fatalities
DETECTION, PREVENTION, MITIGATION METHODS: None
ACTIONS: Provide a new SIF: detection of high pressure on vessel and shutdown of inlet/outlet lines
NOTES: Perform SIL Study for the new SIF
SIF REQUIRED: detection of high pressure on vessel and shutdown of inlet/outlet lines
ALLOCATION: SIL 3
Scenario: Overpressure in vessel → Fire/Explosion → 1 or more fatalities; frequent exposure of operators/maintainers
LOPA diagram for the reference incidental scenario highlighted by the HAZOP:
Damage categories: Extended (10 or more fatalities, large exposed groups); Serious (severe injuries, 1 or more fatalities, small exposed groups); Minor (light injuries).
Frequency (*) axis: 1.0E-06, 1.0E-07, 1.0E-08, 1.0E-09, 1.0E-10 ev/y, with the ACCEPTABLE region marked.
Protection layers in sequence: design preventive actions (over-dimensioning and ratings, intrinsic safety, ATEX, etc.); Basic Process Control System (protections); procedural protections, safety escape ways, etc.; passive protections and other IPLs. Two layers are annotated with a reduction factor of 0.1.
(*) NOTE: the mitigated frequency for each single cause is within the limits set by the acceptability criteria, but the frequency of the overall scenario (sum of all causes) is NOT!
A PFD of 10^-2 is not sufficient: the PFD requirement for the new SIF must be lower!
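The note above is the whole point of the LOPA step: the frequency the new SIF has to control is the scenario frequency summed over all causes, not the worst single cause. As an added example (not from the slides), this Python computes the mitigated frequency per cause, sums the scenario, derives the PFD the new SIF needs and maps it to a low-demand SIL band; the cause list, initiating frequencies and tolerable target are constructed values, not the slide's, and the 0.1 IPL credits follow the diagram.

```python
# Added example, not from the lecture slides: LOPA bookkeeping for the HAZOP
# scenario above (overpressure in vessel -> fire/explosion). The new SIF's PFD
# target must come from the scenario frequency summed over ALL causes.
# Assumptions (mine): constructed initiating frequencies, IPL credits of 0.1 as
# on the diagram, a constructed tolerable frequency, IEC 61508 low-demand bands.

def mitigated_frequency(initiating_frequency, ipl_pfds):
    """Outcome frequency for one cause after its independent protection layers."""
    f = initiating_frequency
    for pfd in ipl_pfds:
        f *= pfd
    return f

def scenario_frequency(causes):
    """Sum the mitigated frequency over every cause leading to the same outcome."""
    return sum(mitigated_frequency(f0, pfds) for f0, pfds in causes.values())

def worst_cause_frequency(causes):
    """Largest single-cause mitigated frequency (the wrong basis for sizing)."""
    return max(mitigated_frequency(f0, pfds) for f0, pfds in causes.values())

def required_sif_pfd(causes, tolerable):
    """PFD the new SIF needs so the summed scenario frequency meets the target."""
    return tolerable / scenario_frequency(causes)

def sil_for_pfd(pfd):
    """Low-demand band: SIL n means 10^-(n+1) <= PFDavg < 10^-n; 0 = no SIL claim."""
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil if pfd < 0.1 else 0
    return 4  # below 1e-5: tighter than any claimable band, treat as SIL 4

def sif_is_sufficient(causes, tolerable, candidate_pfd):
    """Does a SIF with this PFD bring the summed scenario within the target?"""
    return scenario_frequency(causes) * candidate_pfd <= tolerable

# Constructed causes of "Pressure / More" in the vessel: initiating frequency
# (ev/y) and the PFDs of the IPLs credited against that cause.
CAUSES = {
    "control valve fails open": (0.10, [0.1, 0.1]),  # design measures + BPCS
    "blocked outlet":           (0.05, [0.1, 0.1]),
    "external fire":            (0.02, [0.1]),       # design measures only
}
TOLERABLE = 1e-6  # ev/y, constructed target for the "Serious" damage category
```

With these inputs the summed scenario needs a SIF PFD of about 2.9E-04 (SIL 3), while a PFD of 1E-02 leaves the scenario well above the target, which is the slide's conclusion.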
SIL Verification
SIL VERIFICATION for the project of a SIS:
HARDWARE requirements verification:
    Architectural and Functional requirements verification
    Probabilistic requirements verification
SOFTWARE requirements verification:
    New Software development
    Existing Software verification
SIL verification is successful only if BOTH Hardware AND Software requirements are met!!
$$\mathrm{SFF} = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$$
λ_SD is the expected failure rate for all safe failures that can be detected by means of diagnostic tests
λ_SU is the expected failure rate for all safe failures that cannot be detected by means of diagnostic tests
λ_DD is the expected failure rate for all dangerous failures that can be detected by means of diagnostic tests
λ_DU is the expected failure rate for all dangerous failures that cannot be detected by means of diagnostic tests
dangerous = failure that is able to cause the loss of the SIF or to reduce the probability of correct intervention of the SIF
Each portion of the SIS must comply with one of the possible combinations of SFF & HFT, as long as it is consistent with a SIL 2 allocation.
Software life cycle steps: Specification, Implementation, Testing, Debugging, Documentation.
ARCHITECTURAL/FUNCTIONAL RESULTS: HFT = 0, SFF > 99% → SIL 3
Verification successful: the SIS project is compliant with SIL 3 AS LONG AS:
Exercise
[P&ID sketch: L, T+, P1, P2, V1, V2]
SIF: shut off the flow in case of low downstream pressure.
Assumption: if the signals or the power supplies are lost, the components go to the safe state.
FMEA
Columns: COMP. | FAILURE MODE | λ (1/h) | (h) (unlabelled column in the source) | TEST INTERVAL (h) | DETECTABILITY | EFFECT ON THE SAFETY FUNCTION | SFF CATEGORY | PFD
The component column follows the minimal cut set labels (P1mi, Lse, V1nc, V1pi).
P1, P2 | fails to trip (mancato intervento) | 2.00E-06 | - | 10000 | self-diagnosis | yes | DD | -
P1, P2 | spurious trip (intervento spurio) | 1.00E-05 | - | - | self-diagnosis | no | SD | -
L | wrong signal (segnale errato) | 3.00E-07 | - | 10000 | self-diagnosis | yes | DD | 6.00E-07
L | no signal (segnale assente) | 2.00E-05 | - | 10000 | self-diagnosis | no | SD | 4.00E-05
V1, V2 | fails to open (non apre) | 5.00E-06 | 10 | - | - | - | SD | 5.00E-05
V1, V2 | fails to close (non chiude) | 5.00E-06 | 10 | 10000 | test | yes | DU | 0.02509999
V1, V2 | internal leak (perdita interna) | 1.00E-06 | 10 | 10000 | test | yes | DU | 0.00509999
V1, V2 | external leak (perdita esterna) | 1.00E-05 | 10 | 10000 | fire&gas | no | SD | 1.00E-04
SFF = 0.86, HFT = 0, TYPE = A, SIL MAX = 2
Minimal cut sets (MCS) of TOP and their contribution to Q(TOP)
(nc = non chiude / fails to close, pi = perdita interna / internal leak, mi = mancato intervento / fails to trip, se = segnale errato / wrong signal)
MCS | Q | share
V1nc*V2nc | 6.30E-04 | 69.0%
V1pi*V2pi | 2.60E-05 | 2.8%
V1nc*V2pi | 1.28E-04 | 14.0%
V1pi*V2nc | 1.28E-04 | 14.0%
P1mi*P2mi | 4.00E-12 | 0.0%
Lse | 6.00E-07 | 0.1%
Q(TOP) | 9.13E-04 | 100.0%
TOP = V1nc*V2nc + V1pi*V2pi + V1pi*V2nc + V1nc*V2pi + P1*P2 + L
Q(TOP) = 9.13 × 10^-4
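As an added example, not part of the exercise's own solution, the following Python reproduces the verification arithmetic for this SIS: the safe failure fraction from the FMEA categories, the maximum SIL allowed by the architectural constraints (type A/B, HFT), which also covers the HFT = 0, SFF > 99% → SIL 3 case earlier on the page, and Q(TOP) from the minimal cut sets. Lumping all eight FMEA rows into one subsystem and the per-transmitter PFD of 2E-06 (so that P1mi*P2mi matches 4.00E-12) are my assumptions; the slide's own SFF of 0.86 comes from its own grouping, and the SIL limit comes out the same.

```python
# Added example, not from the lecture slides: SIL verification arithmetic for the
# exercise's SIS (pressure transmitters P1/P2, logic L, valves V1/V2). Assumptions
# (mine): rates in failures/hour, all FMEA rows treated as one type A subsystem
# with HFT = 0, and the IEC 61508-2 architectural constraint tables below.
import math
from dataclasses import dataclass

@dataclass
class FailureMode:
    component: str
    mode: str
    rate: float      # lambda, failures per hour
    category: str    # "SD", "SU", "DD" or "DU"

def sff(modes):
    """Safe failure fraction: (lSD + lSU + lDD) / (lSD + lSU + lDD + lDU)."""
    total = sum(m.rate for m in modes)
    dangerous_undetected = sum(m.rate for m in modes if m.category == "DU")
    return (total - dangerous_undetected) / total

# Maximum SIL permitted by the architectural constraints (None = not allowed).
# Rows: SFF band (<60%, 60-90%, 90-99%, >=99%); columns: HFT 0, 1, 2.
ARCH_TABLE = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[None, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}

def max_sil(sff_value, hft, subsystem_type):
    band = 0 if sff_value < 0.6 else 1 if sff_value < 0.9 else 2 if sff_value < 0.99 else 3
    return ARCH_TABLE[subsystem_type][band][hft]

def q_top(cut_sets, pfd):
    """Rare-event approximation: sum over minimal cut sets of the product of PFDs."""
    return sum(math.prod(pfd[e] for e in cs) for cs in cut_sets)

# FMEA rows with the failure rates and SFF categories from the exercise slide.
FMEA = [
    FailureMode("P", "fails to trip", 2e-6, "DD"),
    FailureMode("P", "spurious trip", 1e-5, "SD"),
    FailureMode("L", "wrong signal", 3e-7, "DD"),
    FailureMode("L", "no signal", 2e-5, "SD"),
    FailureMode("V", "fails to open", 5e-6, "SD"),
    FailureMode("V", "fails to close", 5e-6, "DU"),
    FailureMode("V", "internal leak", 1e-6, "DU"),
    FailureMode("V", "external leak", 1e-5, "SD"),
]
# Basic-event PFDs and minimal cut sets of TOP from the exercise's cut set table
# (P1mi, P2mi = 2e-6 each, assumed so that their product gives the table's 4.00E-12).
PFD = {"V1nc": 0.0251, "V2nc": 0.0251, "V1pi": 0.0051, "V2pi": 0.0051,
       "P1mi": 2e-6, "P2mi": 2e-6, "Lse": 6e-7}
CUT_SETS = [("V1nc", "V2nc"), ("V1pi", "V2pi"), ("V1pi", "V2nc"),
            ("V1nc", "V2pi"), ("P1mi", "P2mi"), ("Lse",)]
```

Calling sff(FMEA) gives about 0.89 (band 60-90%), max_sil(..., 0, "A") returns 2 as on the slide, and q_top(CUT_SETS, PFD) returns 9.13E-04.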