Risk Based Design & SCE
Transcript of Risk Based Design & SCE
1
Risk Based Design and Management of the Safety Critical Elements
ADEPP Academy
Dr. Fabienne SALIMI
21st January 2009
2
ADEPP: Analysis & Dynamic Evaluation of Project Processes
3
Why ADEPP?
The main ADEPP features are as follows:
- Dynamic Simulation & Consequence Analysis
- Dynamic Combined Event Tree & Fault Tree Analysis to determine the Safety, Environmental and Asset Critical Elements
- Dynamic Requirement Engineering & Management
4
Purpose of this presentation:
- Risk-based design
- Identification of the Safety Critical Elements (SCE)
- Development of the SCE performance standards during the different phases of a project
- Management of SCEs by ADEPP Monitor over the life cycle of major projects
5
HSE defines a Major Accident as:
An occurrence resulting from uncontrolled developments in the course of the operation of any onshore establishment or pipeline or offshore installation, and leading to serious danger to human health or the environment, immediate or delayed, inside or outside the onshore establishment or offshore installation, and involving one or more dangerous substances.
This includes in particular a major:
- Emission
- Fire
- Explosion
6
Diagram (bow-tie): Hazard -> Threats -> Incident -> Consequences
Threats: Overpressure; Operator error; Uncontrolled gas release; Corrosion / Erosion
Consequences: Plant; People
Barrier categories shown: Engineering; Maintenance; Operator; Safety Management System (SMS)
7
Qualitative SIL Assessment
Instrument Based Protective Functions
Tag No.: 1PZA2p14-HH
Description: high high discharge pressure at second stage compressor 1C2p012
Loop Function: Primary protection against high pressure at discharge of 2nd stage compressor 1C2p012
Action Logic:
1- Open 1st recycle valve 1ESD-2p31 and 2nd stage recycle valve 1ESD-2p40
2- Stop 1C2p011 and 1C2p012
3- Close 1ESD-1p01, the gas inlet to 1D1p101, with 60 sec delay
4- Close 1ESD-2p10, the 1C2p012 outlet valve
Action:
1- Open the 1st stage and 2nd stage recycle valves
2- Stop 1st stage and 2nd stage compressors
3- Isolate compressor train-p
Consequence of Failure on demand:
- S: Gas leaks from joints inside compressor house, potential for confined gas explosion
- E: Gas release to atmosphere
- A: ED: Major; PL: More than 10 days (if explosion then 100% loss of capacity); FL: £10M or more
Consequence of Spurious Function:
- S: None
- E: None
- A: PL: 6 hours
8
Risk-Based Design
Risk-based design aims to reduce the risk of Major Accident Hazards to as low as reasonably practicable (ALARP).
Risk-based design enables designers to identify and choose the optimal solutions to meet HSE targets, by systematically integrating risk analysis into the design of the prevention and mitigation measures.
Risk-based design considers life-cycle issues, including operation and the need for a risk-based regulatory framework.
The appropriate methods and tools should be applied for each case.
9
Risk Acceptable Criteria
Frequency ranking: PA = 1 in 100,000 years; PB = 1 in 10,000 years; PC = 1 in 1,000 years; PD = 1 in 100 years; PE = 1 in 10 years
Severity ranking (weight) | PA     | PB    | PC   | PD   | PE
Catastrophic S5 (100000)  | 1      | 10    | 100  | 1000 | 10000
Severe S4 (10000)         | 0.1    | 1     | 10   | 100  | 1000
Critical S3 (1000)        | 0.01   | 0.1   | 1    | 10   | 100
Marginal S2 (100)         | 0.001  | 0.01  | 0.1  | 1    | 10
Negligible S1 (10)        | 0.0001 | 0.001 | 0.01 | 0.1  | 1
Each cell is the severity weight multiplied by the frequency of the column in events per year.
10
Identification of Safety Critical Elements
Safety Critical Systems
11
Example-2: Alarm Management: http://www.matrikon.com/portal/downloads/processguard/am_pres/process.htm
Consequence Modeling & Dynamic Simulation
ADEPP: Analysis & Dynamic Evaluation of Project Processes
12
Event tree (generic): Process Upset -> Primary Protection (Yes/No) -> Secondary Protection (Yes/No) -> Outcome
- Primary protection works: Safe State
- Primary protection fails, secondary protection works: Safe State
- Both fail: Undesirable
Process upsets: Overpressure; Over temperature; Overfilling; Gas blowby; Vacuum; Under temperature; etc.
API 14C calls for at least two levels of independent and diverse protection for any undesirable event that could lead to a Major Accident.
13
14
15
16
Example (Design-Prevention)
Event tree: Pressure over (PAHH) -> Primary pressure protection (PSD): shut off inflow -> Secondary pressure protection (PSV): pressure relief -> Residual strength in steel: retain integrity of containment -> Outcome
Outcomes shown:
- "Safe state": pressure < tolerable level
- "Safe state" without environmental impact
- "Safe state" with environmental impact
- Release: risk of fire & explosion
17
Example (Design-Mitigation)
Event tree: Release (leak frequency, 1/yr) -> Immediate ignition? -> Delayed ignition? -> Outcome
- Immediate ignition: Yes -> Jet fire
- Immediate ignition: No; Delayed ignition: Yes -> Explosion or Flash fire
- Immediate ignition: No; Delayed ignition: No -> Dispersion
18
Example (Operational-Procedures)
Barrier diagram: Initiating event (frequency) -> Barrier functions -> Consequences
Initiating event: Incorrect fitting of flanges or bolts during maintenance
Barrier functions:
- Self-control / Checklist
- Control of work / inspection
- Leak test
- Detect failure: detect release prior to normal production
Consequences:
- "Safe state": failure revealed
- Release
19
Fault tree (ESD System Failure), built from OR and AND gates. Nodes shown on the slide:
- ESD System Failure
- Initiation Failure: ICSS Failure; Manual Fire & Gas Detection (Control Room / Local; Communication, Push-button, Action); Gas Detection; Fire Detection
- ESD Valve Failure: Mechanical Failure; SOV Failure; Valve body Failure; Actuator Failure; Common Cause Failure
Legend: An Element; A Subsystem; No person
Each Safety Barrier consists of Subsystems and Elements.
20
Identification of the Safety Critical System: Qualitative Approach
If the failure of a system in the Event Tree would:
- cause a major accident, or
- contribute substantially to a major accident, or
- prevent or limit the mitigation of the consequences of a major accident,
then it shall be considered a "Safety Critical System".
Brainstorming sessions are used to identify the Safety Critical Systems quickly and systematically.
SCE Identification Matrices are the outcome of these brainstorming sessions and provide the Company, Contractors and Verification Party with a traceable and auditable tool to follow the requirements, the rationale behind changes, and the required actions efficiently.
The actions can be numerous and multi-disciplinary. An online Action Tracking System eases:
- following up the large number of actions and requirements;
- communication between people located in physically remote offices.
21
Performance monitor
http://adepp.webexone.com
(Diagram: Locations A, B, C and D connected to the online monitor.)
ADEPP Monitor is a secure online monitoring system which:
UTILISES: data generated by HSE reviews such as HAZOP and HAZID, and HSE studies such as QRA, FERA, etc.
TO DETERMINE:
- Credible scenarios
- Safety Critical Elements (SCE)
- Performance Standards for SCEs
Critical tasks and activities are assigned online to the Company, Contractors, and Verification Party.
The SCE data can be exported easily if required for risk-based design.
22
Identification of the Safety Critical Systems: Quantitative Approach
Process Safeguarding (PSD)
Event Tree Analysis for Safeguarding by HIPPS against Overpressure at Injection Compressors Train-p (p=1 to 3)
SIL Assessment for Compressor HIPPS

Overpressure scenarios:
Ref  | Undesirable Event                         | Fault Tree | Frequency (1/yr) | Pressure (bar) | Time to reach (sec) | Required SIL
SAll | All scenarios (Worst Case Scenario)       | FAT-OV.1T  | 1.3E-02          | 834            | 0.1                 | SIL3
S1   | Compressor Overspeed                      | FAT-OV.1a  | 8.3E-03          | 834            | 0.1                 | SIL3
S2   | Block outlet (Mode Series)                | FAT-OV.1b  | 3.2E-03          | 322            | 0.1                 | SIL3
S3   | Block outlet (Mode Parallel)              | FAT-OV.1c  | 1.2E-03          | 119            | 0.1                 | SIL3
S4   | HP/LP interface failure (300 to 210 barg) | FAT-OV.1d  | 9.83E-09         | 0              | 0.1                 | None
S5   | HP/LP interface failure (210 to 144 barg) | FAT-OV.1e  | 8.4E-05          | 8              | 0.1                 | SIL1
S6   | Seal failure (start up)                   | FAT-OV.1f  | 2.5E-04          | 25             | 0.1                 | SIL2
Other figures on the slide whose column assignment is not recoverable: Operating / Design / Ultimate pressure (barg) values 300, 375, 2, 210, 300, 143, 270; Required PFD values 1.2E-04, 3.1E-04, 8.4E-04, 4.0E-03, 1.2E-02, 1.2E-05; Target risk; Risk Without HIPPS 1.2E-02; risk classes Tolerable Risk and ALARP.

Event tree outcomes (risk value Ci = scenario frequency x branch probability x consequence weight):
HIPPS state Works, probability 0.9991, outcome Safeguarding / Safe Shutdown, consequence weight 10:
  R1 0.083 | R2 0.032 | R3 0.012 | R4 9.8E-08 | R5 0.001 | R6 0.002
HIPPS state Fails, probability 0.0009, outcome Catastrophic Rupture, consequence weight 100000:
  R1 0.76 | R2 0.30 | R3 0.11 | R4 9.01E-07 | R5 0.01 | R6 0.02
23
FAT-OV.1: Fault Tree Analysis for Overpressure scenarios at Injection Compressor Train-p (p=1 to 3)
Derived from the HAZOP Study
Top event FAT-OV.1T, Overpressure due to Injection Compressor: F (1/yr) 1.31E-02, SIL1
OR gate over the following basic events (CSU values as shown):
- FAT-OV.1a Compressor Overspeed: CSU 8.34E-03, SIL2
- FAT-OV.1b Block outlet (Mode Series): CSU 3.22E-03, SIL2
- FAT-OV.1c Block outlet (Mode Parallel): CSU 1.19E-03, SIL2
- FAT-OV.1d HP/LP interface failure (300 to 210 barg): CSU 9.83E-09, SIL4
- FAT-OV.1e HP/LP interface failure (210 to 144 barg): CSU 8.38E-05, SIL4
- FAT-OV.1f Seal failure (start up): CSU 2.50E-04, SIL3
24
FAT-SF.1: Fault Tree Analysis for Safeguarding against Overpressure at Injection Compressor Train-p (p=1 to 3)
Derived based on the P&IDs and C&E Matrix
Top event FAT-SF.1, Overpressure safeguarding failure: CSU 9.17E-04, SIL3; with modified test intervals CSU(M1) 6.88E-04, SIL3 and CSU(M2) 4.59E-04, SIL3
OR gate over:
- FAT-SF.1a Detection or Logic failure: CSU 7.36E-07, SIL4 (AND gate over the two detection paths)
  - Detection or Command by ESD trip: CSU 6.04E-03, SIL2 (OR gate over PSH.a and PSH.b)
    - PSH.a, 1PZA-HH-5106, voting None: PFD 1.31E-03, CSU 1.61E-03, SIL2
    - PSH.b, Logic including I/O card (Single PLC), voting None: PFD 4.38E-03, CSU 4.43E-03, SIL2
  - Detection or command by HIPPS: CSU 1.22E-04, SIL3 (OR gate over HIPPS.a and HIPPS.b)
    - HIPPS.a, 1PZA-2p631/2/3, voting 2oo3: PFD 6.31E-05, CSU 7.75E-05, SIL4
    - HIPPS.b, Logic including I/O card (Single PLC), voting 1oo2: PFD 4.38E-05, CSU 4.43E-05, SIL4
- FAT-SF.1b ESD Actions: CSU 9.16E-04, SIL3; CSU(M1) 6.87E-04, SIL3; CSU(M2) 4.58E-04, SIL3
  - Fail to Stop compressor
  - Open Surge valves (this action is not vital; it helps for a smooth and surge-free ESD)
Effect of the proof-test interval on the ESD Actions branch:
Case                         | Time of test | PFD      | CSU      | SIL
Ref. (client data)           | 48 months    | 9.16E-04 | 9.16E-04 | SIL3
Mod-1 change in time of test | 36 months    | 6.87E-04 | 6.87E-04 | SIL3
Mod-2 change in time of test | 24 months    | 4.58E-04 | 4.58E-04 | SIL3
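The following worked example is added here and is not code from the presentation or from ADEPP. It reproduces, in Python, the arithmetic behind the risk matrix (slide 9), the overpressure fault tree FAT-OV.1 (slide 23), the safeguarding fault tree FAT-SF.1 with its proof-test interval variants (slide 24) and the HIPPS event tree (slide 22), using the frequencies, PFD/CSU values and consequence weights printed on those slides as constructed inputs. The gate structure (PSH path OR, HIPPS path OR, the two ANDed, then ORed with the ESD actions), the IEC 61508 low-demand PFD bands used for the SIL labels, the linear scaling of average PFD with the proof-test interval, and the 1E-06/yr target frequency behind the Required PFD column are assumptions that match the slide figures, not statements taken from the deck.

```python
"""Added worked example (not code from the ADEPP presentation): the arithmetic
behind the deck's risk matrix, overpressure fault tree, safeguarding fault tree
with test-interval variants, and HIPPS event tree."""

# Slide 9: consequence weight per severity rank and frequency per rank (1/yr).
SEVERITY_WEIGHT = {"S1": 10, "S2": 100, "S3": 1_000, "S4": 10_000, "S5": 100_000}
FREQUENCY_RANK = {"PA": 1e-5, "PB": 1e-4, "PC": 1e-3, "PD": 1e-2, "PE": 1e-1}


def risk_matrix_cell(severity: str, freq_rank: str) -> float:
    """Risk number in the deck's matrix: severity weight x frequency (1/yr)."""
    return SEVERITY_WEIGHT[severity] * FREQUENCY_RANK[freq_rank]


def sil_from_pfd(pfd: float) -> str:
    """IEC 61508 low-demand bands (assumption: the deck's SIL labels follow them);
    anything below 1e-4 is reported as SIL4, as the deck does."""
    if pfd >= 1e-1:
        return "None"
    if pfd >= 1e-2:
        return "SIL1"
    if pfd >= 1e-3:
        return "SIL2"
    if pfd >= 1e-4:
        return "SIL3"
    return "SIL4"


# Fault-tree gates on unavailabilities or frequencies (rare-event approximation,
# independent inputs): OR adds, AND multiplies.
def or_gate(*values: float) -> float:
    return sum(values)


def and_gate(*values: float) -> float:
    product = 1.0
    for v in values:
        product *= v
    return product


# Slide 23, FAT-OV.1: basic-event frequencies (1/yr) feeding one OR gate.
OVERPRESSURE_SCENARIOS = {
    "S1": ("Compressor Overspeed", 8.34e-3),
    "S2": ("Block outlet (Mode Series)", 3.22e-3),
    "S3": ("Block outlet (Mode Parallel)", 1.19e-3),
    "S4": ("HP/LP interface failure (300 to 210 barg)", 9.83e-9),
    "S5": ("HP/LP interface failure (210 to 144 barg)", 8.38e-5),
    "S6": ("Seal failure (start up)", 2.50e-4),
}


def overpressure_frequency() -> float:
    """Top event FAT-OV.1T: 1.31E-02/yr on the slide."""
    return or_gate(*(f for _, f in OVERPRESSURE_SCENARIOS.values()))


# Slide 24, FAT-SF.1: leaf CSU values at the 48-month reference test interval
# (CSU is used here as the element's unavailability; assumed gate structure).
def safeguarding_pfd(psh_a=1.61e-3, psh_b=4.43e-3, hipps_a=7.75e-5,
                     hipps_b=4.43e-5, esd_actions=9.16e-4) -> float:
    esd_trip = or_gate(psh_a, psh_b)                 # 6.04E-03 on the slide
    hipps = or_gate(hipps_a, hipps_b)                # 1.22E-04 on the slide
    detection_or_logic = and_gate(esd_trip, hipps)   # 7.36E-07 on the slide
    return or_gate(detection_or_logic, esd_actions)  # 9.17E-04 on the slide


def pfd_at_test_interval(pfd_ref: float, t_ref_months: float, t_new_months: float) -> float:
    """Average PFD of a proof-tested element scales with the test interval
    (PFD_avg ~ lambda_DU * T / 2), which the Mod-1/Mod-2 rows on slide 24 show."""
    return pfd_ref * t_new_months / t_ref_months


# Slide 22 event tree: HIPPS works -> safe shutdown (S1 weight 10); HIPPS fails ->
# catastrophic rupture (S5 weight 100000). Risk value = F x P(branch) x weight.
def hipps_event_tree(freq: float, pfd: float) -> dict:
    return {
        "works": freq * (1 - pfd) * SEVERITY_WEIGHT["S1"],
        "fails": freq * pfd * SEVERITY_WEIGHT["S5"],
    }


def required_pfd(freq: float, target_freq: float = 1e-6) -> float:
    """PFD the safeguard needs so the mitigated frequency meets a target.
    The 1e-6/yr target is an assumption chosen because it reproduces the
    Required PFD column and the Required SIL column of slide 22."""
    return target_freq / freq


if __name__ == "__main__":
    pfd = safeguarding_pfd()
    print(f"FAT-OV.1T frequency: {overpressure_frequency():.2E}/yr")
    print(f"FAT-SF.1 PFD: {pfd:.2E} -> {sil_from_pfd(pfd)}")
    for months in (48, 36, 24):
        p = pfd_at_test_interval(9.16e-4, 48, months)
        print(f"  test every {months} months: PFD {p:.2E} -> {sil_from_pfd(p)}")
    for ref, (name, f) in OVERPRESSURE_SCENARIOS.items():
        r = hipps_event_tree(f, pfd)
        req = required_pfd(f)
        print(f"{ref} {name}: works {r['works']:.3f}, fails {r['fails']:.2f}, "
              f"required PFD {req:.1E} -> {sil_from_pfd(req)}")
```

Running the file prints the reproduced figures. The OR gates use the rare-event approximation (unavailabilities simply add), which agrees with the slide values to their quoted precision; the event-tree risk values for the HIPPS-fails branch only match the slide's 0.30 for S2 when the full 9.17E-04 top-event PFD is used rather than the rounded 0.0009, which is why the test below uses `safeguarding_pfd()`.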
25
Event tree: Release (S) -> ESD System (F&G / ESD) -> Ignition probability -> Events (1) to (5)
Release: Ref. IS-01; F (1/yr) 2.04E-02; M (kg) 6200; T (min) 70; TBD (min) 36
ESD System state Works: Gas 0.9881, F&G 0.9881; state Fails: Gas 0.0119, F&G 0.0119
Ignition probability: Jet fire 0.99; Explosion 0; Flash fire 0.01
Outcomes (C = consequence, F = frequency in 1/yr, R = risk class; CRed / FRed / RRed = the same after risk reduction):
ESD works:
- Jet fire: C 1000, F 2.0E-02, R Risk reduction required; CRed 100, FRed 2.0E-03, RRed ALARP
- Explosion: C 10000, F 0.0E+00, R Tolerable Risk; CRed 1000, FRed 0.00E+00, RRed Tolerable Risk
ESD fails:
- Jet Fire Escalates: C 10000, F 2.4E-04, R ALARP; CRed 1000, FRed 2.41E-05, RRed ALARP
- Explosion Escalates: C 100000, F 0.0E+00, R Tolerable Risk; CRed 10000, FRed 0.00E+00, RRed Tolerable Risk
26
Performance Standards
The following shall be covered by a Performance Standard:
- Goal: what the SCE does
- Scope: what the boundary limits are
- Functionality: what the SCE must do and the criteria it must achieve
  - Functionality affecting QRA values
- Availability/Reliability: how often it will work when required
- Survivability: the extent to which it is required to function after a hazardous event has occurred
- Interactions: affected by, or effects on, other SCEs
27
Requirement Engineering - Checklist Approach
Compliance Requirement | Yes / No | Justifications/remarks/Comments
- Has a hazard analysis of the process been conducted to determine the fail-safe position of control valves during a specific or total utility outage (electrical power, instrumentation air, etc.)? | X | Refer to paragraph (n) of the design ESD philosophy, Doc. No. (P-003)
- Have "deadman" (spring to close) sampling valves been installed in high pressure, flammable, or lethal systems to prevent continued flow of material if the operator becomes incapacitated? | X | Action: To be considered by process to modify the isolation and sampling philosophy, Doc. No (P-125).
28
Requirement Engineering - Multilayer Traceability Approach
Example: Rationale for setting the performance standard for survivability requirements at the compression area
Step | Source | Type | Statement
1 | Contract | UR1 | The HSEMS of the project shall be in compliance with Company HSE Plan Doc. (Client-001)
2 | Company HSE Plan, Doc. (Client-001) | User TR1 | The safety barriers shall be designed to limit the probability of an accident in fire & explosion hazard areas expanding to the installation as a whole. The criterion is that the frequency of immediate loss of a safety barrier protecting persons or safety systems shall not be more than 1/10000 per year.
3 | Design HSE Plan Doc. (Design-HSE-001) | Designer TR1 | Requirement from the Hazard & Effect Management Process: a Fire & Explosion study (Doc. Design-HSE-003) shall be performed to identify the foreseeable scenarios and quantify their frequency and consequences.
4 | Design HSE Philosophy Doc (Design-HSE-002) | SR1 | The impairment criteria of API 2218 for fire impairment shall be applied.
5 | Design HSE Philosophy Doc (Design-HSE-002) | ASS1 | The safety barriers will be designed for one fire at a time.
6 | API 2218 | DK1 | Impairment criteria: exposure to 8 kW/m2 thermal radiation from jet or pool fires
7 | API 2218 | DK2 | If unprotected equipment is exposed to a jet fire (300 kW/m2) it will fail within 5 minutes.
8 | Fire & Explosion study (Doc. Design-HSE-003) | DK3 | The duration of medium jet fires at the compressor pipework is about 25 minutes. This fire could impinge on the compressor scrubbers.
9.1 | Performance standard for the Passive Fire Protection (PFP) at the compression area, Section: Survivability (Doc. Design-HSE-PS-001) | SR2, Option 1 | The equipment and associated pipework of the compression area shall be passively protected to resist jet fire impingement and/or thermal radiation for at least 30 minutes.
9.2 | Performance standard for the Passive Fire Protection (PFP) at the compression area, Section: Survivability (Doc. Design-HSE-PS-001) | SR3, Option 2 | Welded pipework shall be used in the compression area and the number of flanges and instruments shall be minimised. Flange guards should be applied where a safe-direction jet fire is practical.
29
Performance Standards: Interface between Contract Requirements and Design codes, studies and know-how
Diagram nodes, connected by AND / OR gates:
- Contract Compliance side: User Requirement (UR1); User Textual Rationale (TR1); Designer Textual Rationale (TR1); SR1; ASS1
- Design codes, studies, know-how side: DK1; DK2; DK3
- Performance Standard options: SR2; SR3
Legend:
UR: User Requirement
SR: System Requirement
TR: Textual Rationale
ASS: Assumption
DK: Domain Knowledge
30
Performance Standards should reflect precisely and rationally the cross references in different documents.
Diagram: (a) Vertical linkage: tree-to-tree correspondence; (b) Horizontal linkage: interface links between the Functional, Technical and Verification parts.
31
ADEPP Monitor: Online Performance Standard Setting & Action Tracking Tool
32
Hazard identification traceability and auditability
Screenshot of http://adepp.webexone.com: check the supporting documents; define the activity and tasks.
33
Online SCE assessment tool
Screenshot of http://adepp.webexone.com: add SCEs.
34
Online Management of the Performance Standards
Screenshot of http://adepp.webexone.com: update; critical tasks; communicate.
35
Communication of the Performance Standards
Screenshot of http://adepp.webexone.com: Company, Contractors, Consultants and Verification party have access and can update; link to EER performance standards.
36
Critical Tasks for management of SCEs
Screenshot of http://adepp.webexone.com
37
Thank you for your kind attention!