Risk Based Design & SCE

Risk Based Design and Management of the Safety Critical Elements. ADEPP Academy, Dr. Fabienne SALIMI, 21st January 2009 (37 slides).

Transcript of Risk Based Design & SCE

Page 1: Risk Based Design & SCE

Risk Based Design and Management of the Safety Critical Elements

ADEPP Academy

Dr. Fabienne SALIMI

21st January 2009

Page 2: Risk Based Design & SCE

ADEPP: Analysis & Dynamic Evaluation of Project Processes

Page 3: Risk Based Design & SCE

Why ADEPP?

The main ADEPP features are as follows:
- Dynamic Simulation & Consequence Analysis
- Dynamic Combined Event Tree & Fault Tree Analysis to determine the Safety, Environmental and Asset Critical Elements
- Dynamic Requirement Engineering & Management

Page 4: Risk Based Design & SCE

Purpose of this presentation:
- Risk-Based Design
- Identification of the Safety Critical Elements (SCE)
- Development of the SCE Performance Standards during the different phases of a project
- Management of SCEs by ADEPP monitor over the life cycle of major projects

Page 5: Risk Based Design & SCE

HSE defines a Major Accident as:

An occurrence resulting from uncontrolled developments in the course of the operation of any onshore establishment or pipeline or offshore installation, and leading to serious danger to human health or the environment, immediate or delayed, inside or outside the onshore establishment or offshore installation, and involving one or more dangerous substances.

This includes in particular a major:
- Emission
- Fire
- Explosion

Page 6: Risk Based Design & SCE

[Diagram: bow-tie of a hazard. Threats (overpressure, operator error, uncontrolled gas release, corrosion/erosion) lead through the HAZARD to an INCIDENT, whose CONSEQUENCES fall on plant and people. The Safety Management System (SMS), through engineering, maintenance and the operator, provides the barriers on both sides of the incident.]

Page 7: Risk Based Design & SCE

Instrument Based Protective Functions: Qualitative SIL Assessment

Set Point | Tag No. | Description
 | 1PZA2p14-HH | High high discharge pressure at second stage compressor 1C2p012

Loop Function: Primary protection against high pressure at discharge of 2nd stage compressor 1C2p012

Action Logic:
1- Open the 1st stage and 2nd stage recycle valves
2- Stop 1st stage and 2nd stage compressors
3- Isolate compressor train-p

Action:
1- Open 1st recycle valve 1ESD-2p31 and 2nd stage recycle valve 1ESD-2p40
2- Stop 1C2p011 and 1C2p012
3- Close 1ESD-1p01, the gas inlet to 1D1p101, with 60 sec delay
4- Close 1ESD-2p10, the 1C2p012 outlet valve

Consequence:

Type | Consequence of failure on demand | Consequence of spurious function
S | Gas leaks from joints inside compressor house, potential for confined gas explosion | None
E | Gas release to atmosphere (E D: Major) | None
A | P L: More than 10 days (if explosion then 100% loss of capacity); F L: £10M or more | P L: 6 hours

Page 8: Risk Based Design & SCE

Risk-Based Design

Risk-based design aims to reduce the risk of a Major Accident Hazard to as low as reasonably practicable (ALARP).

Risk-based design enables the designers to identify and choose the optimal solutions to meet HSE targets by systematically integrating risk analysis into the design process for the prevention and mitigation measures.

Risk-based design considers life-cycle issues, including operation and the need for a risk-based regulatory framework.

The appropriate methods and tools should be applied for each case.

Page 9: Risk Based Design & SCE

Risk Acceptable Criteria

Frequency ranking (columns): PA = 1 in 100,000 years; PB = 1 in 10,000 years; PC = 1 in 1,000 years; PD = 1 in 100 years; PE = 1 in 10 years.

Severity ranking (rows) with its weight; each cell is the risk number, the severity weight multiplied by the annual frequency:

Severity | Weight | PA | PB | PC | PD | PE
Catastrophic S5 | 100000 | 1 | 10 | 100 | 1000 | 10000
Severe S4 | 10000 | 0.1 | 1 | 10 | 100 | 1000
Critical S3 | 1000 | 0.01 | 0.1 | 1 | 10 | 100
Marginal S2 | 100 | 0.001 | 0.01 | 0.1 | 1 | 10
Negligible S1 | 10 | 0.0001 | 0.001 | 0.01 | 0.1 | 1

Page 10: Risk Based Design & SCE

Identification of Safety Critical Elements: Safety Critical Systems

Page 11: Risk Based Design & SCE

ADEPP: Analysis & Dynamic Evaluation of Project Processes

Consequence Modeling & Dynamic Simulation

Example-2: Alarm Management: http://www.matrikon.com/portal/downloads/processguard/am_pres/process.htm

Page 12: Risk Based Design & SCE

Event tree for a process upset (overpressure, over temperature, overfilling, gas blowby, vacuum, under temperature, etc.):
- Primary protection works (Yes): Safe State
- Primary protection fails (No), secondary protection works (Yes): Safe State
- Primary protection fails (No), secondary protection fails (No): Undesirable outcome

API 14C calls for at least two levels of independent and diverse protection for any undesirable event which could lead to a Major Accident.

Page 13: Risk Based Design & SCE

Page 14: Risk Based Design & SCE

Page 15: Risk Based Design & SCE

Page 16: Risk Based Design & SCE

Example (Design-Prevention)

Event tree for overpressure (PAHH), with the barrier functions in order:
- Shut off inflow: primary pressure protection (PSD)
- Pressure relief: secondary pressure protection (PSV)
- Remain integrity of containment: residual strength in steel

Outcomes: "Safe state" with pressure below the tolerable level (PSD succeeds); "Safe state" without environmental impact; "Safe state" with environmental impact; Release with risk of fire & explosion (all barriers fail).

Page 17: Risk Based Design & SCE

Example (Design-Mitigation)

Event tree for a release (leak frequency, 1/yr):
- Immediate ignition? Yes: Jet fire
- Immediate ignition? No; delayed ignition? Yes: Explosion or Flash fire
- Immediate ignition? No; delayed ignition? No: Dispersion

Page 18: Risk Based Design & SCE

Example (Operational-Procedures)

Initiating event (frequency): Incorrect fitting of flanges or bolts during maintenance

Barrier functions (detect the failure, or detect the release prior to normal production):
- Self-control / Checklist
- Control of work / inspection
- Leak test

Consequences: "Safe state", failure revealed by one of the barriers; Release if all barriers fail.

Page 19: Risk Based Design & SCE

[Diagram: fault tree for ESD Valve Failure. Top gate (OR): Valve body failure; Actuator failure; SOV failure; Mechanical failure; ESD System failure; Common cause failure. ESD System failure (OR): Initiation failure; ICSS failure. Initiation failure (AND/OR gates over): manual fire & gas detection (gas detection, fire detection, from the control room or locally), communication, push-button, action. Legend: an Element; a Subsystem; no person.]

Each Safety Barrier consists of Subsystems and Elements.

Page 20: Risk Based Design & SCE

Identification of the Safety Critical System - Qualitative Approach

If the failure of a system in the Event Tree:
- causes a major accident, or
- contributes substantially to a major accident, or
- prevents or limits the mitigation of the consequences of a major accident,
then it shall be considered a "Safety Critical System".

Brainstorming sessions are used to identify the Safety Critical Systems quickly and systematically.

SCE Identification Matrices are the outcome of these brainstorming sessions and provide the Company, Contractors and Verification Party with a traceable and auditable tool to follow efficiently the requirements, the rationale behind changes and the required actions.

The actions can be numerous and multi-disciplinary. An online Action Tracking System eases:
- the follow-up of the large number of actions and requirements;
- the communication between people located in physically remote offices.

Page 21: Risk Based Design & SCE

Performance monitor (http://adepp.webexone.com)

[Diagram: the ADEPP monitor linking Locations A, B, C and D.]

ADEPP monitor is a secure online monitoring system which:

UTILISES: data generated by HSE reviews such as HAZOP and HAZID, and HSE studies such as QRA, FERA, etc.

TO DETERMINE:
- Credible scenarios
- Safety Critical Elements (SCE)
- Performance Standards for SCEs

Critical tasks and activities are assigned online to Company, Contractors and Verification Party.

The SCE data can be exported easily if required for risk-based design.

Page 22: Risk Based Design & SCE

Identification of the Safety Critical Systems - Quantitative Approach

Process Safeguarding (PSD): SIL Assessment for Compressor HIPPS

Event tree analysis for safeguarding by HIPPS against overpressure at Injection Compressors Train-p (p=1 to 3)

Overpressure scenarios (frequencies from the fault tree FAT-OV.1):

Ref | Undesirable event | Fault tree | Frequency (1/yr)
SAll | All scenarios including: | FAT-OV.1T | 1.3E-02
S1 | Compressor overspeed | FAT-OV.1a | 8.3E-03
S2 | Block outlet (Mode Series) | FAT-OV.1b | 3.2E-03
S3 | Block outlet (Mode Parallel) | FAT-OV.1c | 1.2E-03
S4 | HP/LP interface failure (300 to 210 barg) | FAT-OV.1d | 9.83E-09
S5 | HP/LP interface failure (210 to 144 barg) | FAT-OV.1e | 8.4E-05
S6 | Seal failure (start up) | FAT-OV.1f | 2.5E-04

Event tree branches (Ci = consequence index of the outcome; R1 to R6 = risk number of scenarios S1 to S6, i.e. scenario frequency multiplied by the branch probability and by Ci):

HIPPS state | Probability | Outcome | Ci | R1 | R2 | R3 | R4 | R5 | R6
Works | 0.9991 | Safeguarding, safe shutdown | 10 | 0.083 | 0.032 | 0.012 | 9.8E-08 | 0.001 | 0.002
Fails | 0.0009 | Catastrophic rupture | 100000 | 0.76 | 0.30 | 0.11 | 9.01E-07 | 0.01 | 0.02

For all scenarios together (FAll) the safe shutdown branch has a frequency of 1.3E-02 /yr and the catastrophic rupture branch 1.2E-05 /yr. Each branch is categorised against the risk acceptance criteria (ALARP or Tolerable Risk on the slide).

Required SIL per scenario (risk without HIPPS = scenario frequency multiplied by the catastrophic rupture Ci; required PFD = target risk divided by the risk without HIPPS):

Ref | Overpressure scenario | Risk without HIPPS | Target risk | Required SIL | Required PFD
S1 | Compressor overspeed | 834 | 0.1 | SIL3 | 1.2E-04
S2 | Block outlet (Mode Series) | 322 | 0.1 | SIL3 | 3.1E-04
S3 | Block outlet (Mode Parallel) | 119 | 0.1 | SIL3 | 8.4E-04
S4 | HP/LP interface failure (300 to 210 barg) | 0 | 0.1 | None | None
S5 | HP/LP interface failure (210 to 144 barg) | 8 | 0.1 | SIL1 | 1.2E-02
S6 | Seal failure (start up) | 25 | 0.1 | SIL2 | 4.0E-03
SWorst | Worst case overpressure scenario | 834 | 0.1 | SIL3 | 1.2E-04

Pressure data captured (design pressure, ultimate pressure in barg, time to reach in sec): S1: 300, 375, 2; S6: 210, 300.

Page 23: Risk Based Design & SCE

FAT-OV.1: Fault Tree Analysis for overpressure scenarios at Injection Compressor Train-p (p=1 to 3). Derived from the HAZOP study.

Top event FAT-OV.1T, Overpressure due to Injection Compressor: F = 1.31E-02 /yr, SIL1. OR gate over the following basic events (their CSU values sum to the top event frequency):

Ref | Basic event | CSU | SIL
FAT-OV.1a | Compressor overspeed | 8.34E-03 | SIL2
FAT-OV.1b | Block outlet (Mode Series) | 3.22E-03 | SIL2
FAT-OV.1c | Block outlet (Mode Parallel) | 1.19E-03 | SIL2
FAT-OV.1d | HP/LP interface failure (300 to 210 barg) | 9.83E-09 | SIL4
FAT-OV.1e | HP/LP interface failure (210 to 144 barg) | 8.38E-05 | SIL4
FAT-OV.1f | Seal failure (start up) | 2.50E-04 | SIL3

Page 24: Risk Based Design & SCE

FAT-SF.1: Fault Tree Analysis for safeguarding against overpressure at Injection Compressor Train-p (p=1 to 3). Derived from the P&IDs and the C&E Matrix.

Top event FAT-SF.1, Overpressure safeguarding failure (OR gate over):
- FAT-SF.1a, Detection or Logic failure: AND gate between "Detection or command by ESD trip" (PSH, elements PSH.a and PSH.b) and "Detection or command by HIPPS" (elements HIPPS.a and HIPPS.b). The basic events are the pressure instruments 1PZA-HH-5106 and 1PZA-2p631/2/3 and, for each, the logic including the I/O card (single PLC).
- FAT-SF.1b, ESD Actions: OR gate over "Open surge valves" and "Fail to stop compressor". Stopping the compressor is not vital; it helps towards a smooth and surge-free ESD.

Basic event data (in the order captured on the slide):

Voting | PFD | CSU | SIL
None | 1.31E-03 | 1.61E-03 | SIL2
None | 4.38E-03 | 4.43E-03 | SIL2
2oo3 | 6.31E-05 | 7.75E-05 | SIL4
1oo2 | 4.38E-05 | 4.43E-05 | SIL4

Gate results: ESD trip branch CSU 6.04E-03 (SIL2); HIPPS branch CSU 1.22E-04 (SIL3); both branches failing (AND) CSU 7.36E-07 (SIL4); top event CSU 9.17E-04 (SIL3), 6.88E-04 for Mod-1 and 4.59E-04 for Mod-2.

Sensitivity of the top event to the proof-test interval:

Case | Time of test | PFD | CSU | SIL
Ref. client data | 48 months | 9.16E-04 | 9.16E-04 | SIL3
Mod-1 (change in time of test) | 36 months | 6.87E-04 | 6.87E-04 | SIL3
Mod-2 (change in time of test) | 24 months | 4.58E-04 | 4.58E-04 | SIL3
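The HIPPS sizing on Page 22 (required PFD from the risk matrix target) and the proof-test sensitivity on Page 24 can be reproduced from the deck's own figures. The script below is an added example, not ADEPP's code; it assumes the IEC 61508 low-demand SIL bands and the single-channel approximation PFDavg = lambda_DU * T / 2, and reads the target risk (0.1) and the catastrophic consequence weight (100000) off Page 22.

```python
# Added example, not from the ADEPP deck. Inputs are the deck's own figures;
# the SIL bands (IEC 61508, low-demand mode) and PFDavg = lambda_DU * T / 2
# (single channel, dangerous undetected failures only) are assumptions.

CATASTROPHIC_WEIGHT = 100_000   # severity weight S5, risk matrix on Page 9
TARGET_RISK = 0.1               # "Target risk" column, Page 22

# Overpressure scenarios, ref -> (description, frequency in 1/yr), Page 22/23
SCENARIOS = {
    "S1": ("Compressor overspeed", 8.34e-3),
    "S2": ("Block outlet (mode series)", 3.22e-3),
    "S3": ("Block outlet (mode parallel)", 1.19e-3),
    "S4": ("HP/LP interface failure (300 to 210 barg)", 9.83e-9),
    "S5": ("HP/LP interface failure (210 to 144 barg)", 8.38e-5),
    "S6": ("Seal failure (start up)", 2.50e-4),
}

def sil_band(pfd):
    """Map an average PFD to its IEC 61508 low-demand SIL band."""
    if pfd is None or pfd >= 1e-1:
        return "None"               # risk reduction factor < 10: no SIL claim
    for band, lower in (("SIL1", 1e-2), ("SIL2", 1e-3), ("SIL3", 1e-4), ("SIL4", 1e-5)):
        if pfd >= lower:
            return band
    return "beyond SIL4"            # a single safety function cannot deliver this

def required_pfd(freq, weight=CATASTROPHIC_WEIGHT, target=TARGET_RISK):
    """Risk without HIPPS = F * C. If it already meets the target no HIPPS is
    needed (None); otherwise the HIPPS may fail on demand no more often than
    target / risk. Returns (risk_without_hipps, required_pfd_or_None)."""
    risk_without = freq * weight
    if risk_without <= target:
        return risk_without, None
    return risk_without, target / risk_without

def lambda_du_from(pfd, test_interval_months):
    """Back out the dangerous-undetected failure rate from a known PFD."""
    return 2.0 * pfd / test_interval_months

def pfd_avg(lambda_du, test_interval_months):
    """PFDavg grows linearly with the proof-test interval T (Page 24 rows)."""
    return lambda_du * test_interval_months / 2.0

def rupture_frequency(total_overpressure_freq, hipps_pfd):
    """'HIPPS fails' branch of the Page 22 event tree: catastrophic rupture."""
    return total_overpressure_freq * hipps_pfd

if __name__ == "__main__":
    for ref, (desc, f) in SCENARIOS.items():
        risk, pfd = required_pfd(f)
        print(f"{ref:3} {desc:45} risk {risk:8.3g}  PFD {pfd}  {sil_band(pfd)}")
    lam = lambda_du_from(9.16e-4, 48)          # Ref. client data, Page 24
    for months in (48, 36, 24):
        print(f"T={months:2d} months  PFDavg={pfd_avg(lam, months):.2e}")
    print(f"rupture frequency {rupture_frequency(1.31e-2, 9.16e-4):.1e} /yr")
```

Halving the test interval halves the PFDavg but, as on Page 24, all three cases stay inside the SIL3 band, so the interval choice is a cost and availability decision rather than a SIL one.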

Page 25: Risk Based Design & SCE

Event tree for a gas release with F&G detection / ESD and ignition. Events (1) to (5): Release (S), ESD System, Ignition probability, outcome, outcome after risk reduction.

Release (S): Ref. IS-01, F = 2.04E-02 /yr, gas, M = 6200 kg, T = 70 min, TBD = 36 min.

ESD System: works 0.9881 (Gas 0.9881, F&G 0.9881); fails 0.0119 (Gas 0.0119, F&G 0.0119).

Ignition probability: Jet fire 0.99; Explosion 0; Flash fire 0.01.

Outcomes (C = consequence, F = frequency in 1/yr, R = risk category; the "Red" columns are the values after risk reduction):

Event | C | F | R | CRed | FRed | RRed
Jet fire (ESD works) | 1000 | 2.0E-02 | Risk reduction required | 100 | 2.0E-03 | ALARP
Explosion (ESD works) | 10000 | 0.0E+00 | Tolerable Risk | 1000 | 0.00E+00 | Tolerable Risk
Jet fire escalates (ESD fails) | 10000 | 2.4E-04 | ALARP | 1000 | 2.41E-05 | ALARP
Explosion escalates (ESD fails) | 100000 | 0.0E+00 | Tolerable Risk | 10000 | 0.00E+00 | Tolerable Risk
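The Page 25 event tree, as an added example (not ADEPP's code): the release frequency, ESD availability and ignition split are the deck's figures, the consequence weights C are read off the same slide, and the tenfold "Red" reduction of both C and F is taken from its CRed/FRed columns.

```python
# Added example, not from the ADEPP deck; all figures are read off Page 25.

RELEASE_FREQ = 2.04e-2   # F (1/yr) for release IS-01 (gas, M = 6200 kg)
ESD_WORKS = 0.9881       # probability the F&G / ESD system works on demand
IGNITION = {"jet fire": 0.99, "explosion": 0.0, "flash fire": 0.01}

# Consequence weight per (outcome, esd_works); a fire the ESD fails to
# isolate is the "escalates" case and carries a 10x higher weight.
CONSEQUENCE = {
    ("jet fire", True): 1_000, ("jet fire", False): 10_000,
    ("explosion", True): 10_000, ("explosion", False): 100_000,
}

def event_tree(release_freq=RELEASE_FREQ, esd_works=ESD_WORKS, ignition=IGNITION):
    """Walk both ESD branches and every ignition branch; return the
    frequency (1/yr) of each end state keyed by (outcome, esd_works)."""
    end_states = {}
    for esd_ok, p_esd in ((True, esd_works), (False, 1.0 - esd_works)):
        for outcome, p_ign in ignition.items():
            end_states[(outcome, esd_ok)] = release_freq * p_esd * p_ign
    return end_states

def risk_numbers(end_states, consequence=CONSEQUENCE, reduction=10.0):
    """Risk number = C * F (same scale as the Page 9 matrix). The 'red'
    values apply the slide's tenfold cut to both C and F, i.e. 100x on risk."""
    rows = {}
    for key, f in end_states.items():
        if key not in consequence:      # flash fire carries no weight on the slide
            continue
        c = consequence[key]
        rows[key] = {
            "C": c, "F": f, "risk": c * f,
            "C_red": c / reduction, "F_red": f / reduction,
            "risk_red": (c / reduction) * (f / reduction),
        }
    return rows

if __name__ == "__main__":
    rows = risk_numbers(event_tree())
    for (outcome, esd_ok), r in rows.items():
        label = outcome + ("" if esd_ok else " escalates")
        print(f"{label:20} F={r['F']:.2e} risk={r['risk']:.3g} "
              f"-> after reduction F={r['F_red']:.2e} risk={r['risk_red']:.3g}")
```

The unreduced jet fire branch comes out at a risk number of about 20, which is why the slide marks it "Risk reduction required" while the escalated branch (about 2.4) is already in the ALARP region.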

Page 26: Risk Based Design & SCE

Performance Standards

The following shall be covered by a Performance Standard:
- Goal: what the SCE does
- Scope: what the boundary limits are
- Functionality: what the SCE must do and the criteria it must achieve (functionality affecting QRA values)
- Availability/Reliability: how often it will work when required
- Survivability: the extent to which it is required to function after a hazardous event has occurred
- Interactions: affected by, or effects on, other SCEs

Page 27: Risk Based Design & SCE

Requirement Engineering - Checklist Approach

Requirement | Compliance (Yes/No) | Justifications/remarks/Comments
Has a hazard analysis of the process been conducted to determine the fail-safe position of control valves during a specific or total utility outage (electrical power, instrumentation air, etc.)? | X | Refer to paragraph (n) of the design ESD philosophy, Doc. No. (P-003)
Have "deadman" (spring to close) sampling valves been installed in high pressure, flammable, or lethal systems to prevent continued flow of material if the operator becomes incapacitated? | X | Action: To be considered by process to modify the isolation and sampling philosophy, Doc. No (P-125).

Page 28: Risk Based Design & SCE

Requirement Engineering - Multilayer Traceability Approach

Example: Rationale for setting the performance standard for survivability requirements at the compression area

Step | Type | Source | Statement
1 | UR1 | Contract | The HSEMS of the project shall be in compliance with the Company HSE Plan, Doc. (Client-001).
2 | User TR1 | Company HSE Plan, Doc. (Client-001) | The safety barriers shall be designed to limit the probability of an accident in fire & explosion hazard areas expanding to the installation as a whole. The criterion is that the frequency of immediate loss of a safety barrier protecting persons or safety systems shall not be more than 1/10000 per year.
3 | Designer TR1 | Design HSE Plan, Doc. (Design-HSE-001) | Requirement from the Hazard & Effect Management Process: a Fire & Explosion study (Doc. Design-HSE-003) shall be performed to identify the foreseeable scenarios and quantify their frequency and consequences.
4 | SR1 | Design HSE Philosophy, Doc. (Design-HSE-002) | The impairment criteria of API 2218 for fire impairment shall be applied.
5 | ASS1 | Design HSE Philosophy, Doc. (Design-HSE-002) | The safety barriers will be designed for one fire at a time.
6 | DK1 | API 2218 | Impairment criteria: exposure to 8 kW/m2 thermal radiation from jet or pool fires.
7 | DK2 | API 2218 | If unprotected equipment is exposed to a jet fire (300 kW/m2) it will fail within 5 minutes.
8 | DK3 | Fire & Explosion study (Doc. Design-HSE-003) | The duration of medium jet fires at the compressor pipework is about 25 minutes. This fire could impinge on the compressor scrubbers.
9 | | Performance standard for the Passive Fire Protection (PFP) at the compression area, Section: Survivability (Doc. Design-HSE-PS-001) |
9.1 | SR2 | Option 1 | The equipment and associated pipework of the compression area shall be passively protected to resist jet fire impingement and/or thermal radiation for at least 30 minutes.
9.2 | SR3 | Option 2 | Welded pipework shall be used in the compression area and the number of flanges and instruments shall be minimised. Flange guards should be applied where a safe direction for a jet fire is practical.

Page 29: Risk Based Design & SCE

Performance Standards: interface between Contract Requirements and Design codes, studies and know-how

[Diagram: traceability tree. Contract compliance side: User Requirement (UR1), User Textual Rationale (TR1), Designer Textual Rationale (TR1). Design codes, studies and know-how side: SR1, ASS1, DK3, DK1 and DK2, combined through AND/OR gates into the Performance Standard options SR2 and SR3.]

Legend:
- UR: User Requirement
- SR: System Requirement
- TR: Textual Rationale
- ASS: Assumption
- DK: Domain Knowledge

Page 30: Risk Based Design & SCE

Performance Standards should reflect precisely and rationally the cross references in different documents:
(a) Vertical linkage: tree-to-tree correspondence
(b) Horizontal linkage: interface links (Functional, Technical, Verification)

Page 31: Risk Based Design & SCE

ADEPP Monitor: Online Performance Standard Setting & Action Tracking Tool

Page 32: Risk Based Design & SCE

Hazard identification traceability and auditability (http://adepp.webexone.com)
- Check the supporting documents
- Define the activity and tasks

Page 33: Risk Based Design & SCE

Online SCE assessment tool (http://adepp.webexone.com): Add SCEs

Page 34: Risk Based Design & SCE

Online Management of the Performance Standards (http://adepp.webexone.com): Update; Critical Tasks; Communicate

Page 35: Risk Based Design & SCE

Communication of the Performance Standards (http://adepp.webexone.com)
- Link to EER performance standards
- Company, Contractors, Consultants and Verification party have access and can update

Page 36: Risk Based Design & SCE

Critical Tasks for management of SCEs (http://adepp.webexone.com)

Page 37: Risk Based Design & SCE

Thank you for your kind attention!