© Touch Briefings 2007
Premises
In the oil industry, the traditional protection systems defined in American Petroleum Institute (API) 14C are more and more often replaced by high integrity protection systems (HIPS). In particular, this encompasses the well-known high integrity pressure protection systems (HIPPS) used specifically to protect against overpressure. As safety instrumented systems (SIS), they have to be analysed through the formal processes described in the International Electrotechnical Commission (IEC) 61508 and IEC 61511 standards in order to assess which Safety Integrity Level (SIL) they are able to claim.
What really matters when dealing with safety systems is that the probability of an accident is low enough to be acceptable given the magnitude of the consequences. This can be achieved in many different ways: applying rules, know-how or standards that may be deterministic, probabilistic, qualitative or quantitative; using reliability analysis methods and tools; collecting statistics; etc. Among them we find SIL calculations as per IEC 61508 and IEC 61511. We then have to keep in mind that calculating a SIL is not an end in itself. It is only one tool among many others to help engineers master safety through the whole life cycle of the safety systems.
This proves to be very efficient from an organisational point of view but, unfortunately, problems arise when probabilistic calculations are performed by analysts who think it is a very easy job consisting only of applying some magical formulae (found in IEC 61508-Part 6) or of building a kind of ‘Lego’ from certified ‘SILed’ elements bought off the shelf. Beyond the fact that sound mathematical theorems (Bellman or Gödel) demonstrate that doing it that way gives no guarantee of good results, this is the complete negation of the spirit developed in the reliability field over the last 50 years, which is based on a sound knowledge of probabilistic concepts and an in-depth analysis of the systems under study. Therefore, a skilled reliability analyst who aims to use the above standards in a clever way, compatible with traditional analysis, has to solve several difficulties. This is simple for the relationship between the probability concepts of the IEC standards and those recognised in the reliability field, or for the failure taxonomy and definitions, which may need improvement; it is more difficult for handling the complex test and maintenance procedures encountered in the oil industry; and it is almost impossible for some concepts such as the ‘Safe Failure Fraction’ (SFF), which is not really relevant in our field, where spurious failures have to be thoroughly considered and avoided.
SIL versus Traditional Concepts
The size of this article being limited, we will only give some indications about our way of managing SIL calculations efficiently for oil production installations. Figure 1 shows the links with the traditional concepts. The first protection layer works in continuous mode and the standards require the calculation of its Probability of Failure per Hour (PFH). This is actually an average frequency of failure. When the number of failures over [0, T] is small compared with 1, PFH may be assimilated to F1(T)/T. When this is not the case, T/MTTF shall be used instead. In these formulae, F1(T) is the unreliability of this layer over [0, T] and MTTF its classical Mean Time To Fail. Thus, in the general case, PFH cannot be assimilated to a failure rate. Anyway, this gives the demand frequency on the second layer, which runs in low demand mode (if the first layer is efficient). Its Probability of Failure on Demand (PFD) as per the standards is in fact its average unavailability P2. Then F1(T).P2 is the probability that both protection layers fail during a given period T. If there is no further protection layer, this is the probability of accident. If a third protection layer is installed, this is the demand frequency on that layer. Note that the Risk Reduction Factor (RRF) is infinite when working in continuous mode.

Figure 1: SIL versus Traditional Concepts. Two fully independent protection layers: protection layer n°1 works in continuous mode (unreliability F1 over (0, T); RRF = ∞; new demand on the next layer = PFH = F1/T) and protection layer n°2 works in demand mode (PFD = average unavailability P2; RRF = 1/P2; new demand = PFH = F1.P2/T). The success branches carry 1-F1 and F1.(1-P2); the accident probability is F1.P2.

High Integrity Protection Systems (HIPS) – Making SIL Calculations Effective
a report by Jean-Pierre Signoret, Total
Exploration & Production – Oil & Gas Review 2007 – OTC Edition

Jean-Pierre Signoret is the Reliability Expert at Total. He is part of the group of pioneers introducing and developing probabilistic methods and tools in France and has worked the past 35 years in this field. On the operational side, he is in charge of the probabilistic calculations in relationship with high integrity protection systems (HIPS) and reliability, availability, maintainability (RAM) studies. On the R&D side, since the 1980s, he has developed the GRIF software package, which encompasses all relevant methods and tools needed for operational probabilistic studies in the oil industry. He worked for 10 years at the French Atomic Energy Commission (CEA) before moving to ELF in the early 1980s. He belongs to several international standard committees and is the previous vice-chairman of the French Institute for Safety & Dependability (ISdF) and the previous chairman of the European Safety and Reliability Association (ESRA).
The standards split the demand mode into low and high according to the demand frequency (lower or greater than one per year). From a probabilistic calculation point of view, we prefer to consider the relationship between test and demand frequencies instead: when the test frequency is large compared with the demand frequency, PFD may be used; otherwise it is better to use the unreliability, which provides a conservative estimate.
From a failure mode point of view, the main problem encountered is that genuine on-demand failures are forgotten by the standards. They are likely to occur when the system experiences sudden changes of state. Therefore, they shall be taken into consideration when calculating the PFD, which comprises both hidden failures (occurring within test intervals) and genuine on-demand failures (due to the tests or demands themselves). Another commonly encountered problem is that a superficial reading of the standard leads one to think that every revealed failure automatically becomes safe. This, of course, is not true: it remains unsafe until something is done to make it safe. This also has to be considered in the calculations.
It now remains to evaluate the SIL of the safety system under study, and the most severe problem arises because IEC 61508-Part 6 provides only a list of simplified formulae for some cases but indicates neither the method used to establish them nor the underlying hypotheses. Therefore, an important warning has to be raised here: Part 6 is informative, its content is not intended to cope with all the problems encountered and there is no obligation to use it. Analysts trusting that they just have to apply this part to obtain relevant results are wrong, and software developed on these bases shall be considered very cautiously. As results obtained in this way are likely not to be conservative, this is very dangerous indeed and not acceptable from a safety point of view. Part 6 is not really usable to deal with complex safety systems such as those installed in the oil industry, and this is why we have developed the methods and tools described hereafter.
Methods and Tools for Efficient SIL Calculations
Our HIPS may be split into curative versus preventive and topside versus subsea HIPS. Curative HIPS work in on-demand mode and need PFD calculations, while preventive HIPS work in continuous mode and need PFH (unreliability) calculations. As they are easy to test and maintain, the components of topside HIPS are almost independent (from a probabilistic point of view) from each other. It is the opposite for subsea HIPS. Therefore, we have investigated three main techniques to cope with all these various HIPS:
• fault tree approach – very efficient for topside curative HIPS, it is widely used by most of our reliability contractors;
• Markovian approach – efficient for modelling small HIPS of any category, it is sometimes known by our contractors; and
• behavioural modelling (Petri nets or the AltaRica DF language) and Monte Carlo simulation – the only way to deal with industrial-sized HIPS involving several interlinked protection layers.
Figure 2 shows an example of a fault tree used for SIL calculations. As fault trees (FT) do not allow the PFD averages of individual components to be combined, the calculation is performed by inputting the instantaneous unavailabilities (saw-tooth curves) and calculating PFDavg as the average of the top event instantaneous unavailability. In this figure, the tests of the individual components have been staggered in order to decrease both the maximum of the saw-tooth curve and the impact of common cause failures. The SIL menu of the ARALIA Workshop allows these calculations to be performed.
Figure 2 also shows that PFDavg is not a good safety indicator. It may be SIL2 when a lot of time is spent in SIL1. This is why, for our HIPS, we require the calculation of the time spent in the various SIL zones in addition to the average itself.

Figure 2: Fault Tree Used for SIL Calculations. Top event = 2oo3 gate over three periodically tested components (λ = 1.10-4, τ = 1,000, tests staggered) OR a common cause failure (CCF) event with β = 10%; the plots show the PFD(t) saw-tooth curve of each input over 0 to 5,000 and the resulting top event curve (Max: 1.4e-2, Mean: 7.3e-3).

Figure 3: Stochastic Petri Nets System. Places Running, Failure, Detection, Waiting, Repair and Rig on location; the failure transition is stochastic (rate λ), while the detection, start-of-repair and end-of-repair transitions are immediate (δ = 0) and synchronised through messages (?DCC, ?StR, ?EoR) and the counter nbF of failed items.
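The following is an added example, not code from the article or from the ARALIA Workshop, showing the calculation described for Figure 2 in plain Python: each component's saw-tooth unavailability is evaluated instant by instant, combined through a 2oo3 gate and a common cause (CCF) basic event, and the top event curve is then averaged (PFDavg), its maximum taken, and the time spent in each SIL band counted. The rate, test interval and β are the figure's labels; the 2oo3 architecture is read from the figure, and the CCF test interval, instantaneous repair and the β-factor split are assumptions, so the figure's own Max/Mean values are not expected to be reproduced.

```python
"""Instantaneous-unavailability fault tree for a 2oo3 HIPS with staggered tests.

Added example, not code from the article or from the ARALIA Workshop.
Parameters come from the labels of Figure 2 (lambda = 1e-4 per hour,
tau = 1,000 h, beta = 10%); the CCF test interval, instantaneous repair and
the beta-factor split are assumptions.
"""
import math

LAMBDA = 1.0e-4   # failure rate per hour (figure label)
TAU = 1000.0      # test interval, hours (figure label)
BETA = 0.10       # common-cause fraction, beta-factor model (figure label)
HORIZON = 5000.0  # evaluation period, hours (figure x-axis)


def unavailability(lam, tau, offset, t):
    """Saw-tooth unavailability of a periodically tested component.

    The hidden failure is only revealed by the test, so q(t) resets to 0 at
    each test (t = offset + k*tau) and grows as 1 - exp(-lam*age) in between.
    Repair is assumed instantaneous (assumption)."""
    age = (t - offset) % tau
    return 1.0 - math.exp(-lam * age)


def two_out_of_three(q1, q2, q3):
    """Exact probability that at least two of three independent inputs are failed."""
    return q1 * q2 + q1 * q3 + q2 * q3 - 2.0 * q1 * q2 * q3


def top_event(t, offsets, ccf_offset=0.0):
    """Top event = 2oo3(independent parts) OR CCF basic event, as in Figure 2.

    Beta-factor split (assumption): each component keeps (1-beta)*lambda as
    its independent rate, the CCF event gets beta*lambda and is cleared by
    a test with the same interval."""
    lam_ind = (1.0 - BETA) * LAMBDA
    lam_ccf = BETA * LAMBDA
    q = [unavailability(lam_ind, TAU, o, t) for o in offsets]
    q_ccf = unavailability(lam_ccf, TAU, ccf_offset, t)
    voted = two_out_of_three(*q)
    return 1.0 - (1.0 - voted) * (1.0 - q_ccf)   # OR gate on independent inputs


def sil_band(pfd):
    """IEC 61508 low-demand bands: SIL n when 10^-(n+1) <= PFD < 10^-n.

    Returns 0 for PFD >= 0.1 (no SIL claimable) and caps at 4."""
    n = 0
    while n < 4 and pfd < 10.0 ** -(n + 1):
        n += 1
    return n


def pfd_profile(offsets, step=1.0, horizon=HORIZON):
    """Sample the top event over [0, horizon] with midpoint sampling.

    Returns (PFDavg, PFDmax, hours spent in each SIL band): the average the
    standards ask for plus the time-in-zone indicator the article requires
    alongside it."""
    samples = int(horizon / step)
    total, peak, hours = 0.0, 0.0, {}
    for k in range(samples):
        t = (k + 0.5) * step
        p = top_event(t, offsets)
        total += p
        peak = max(peak, p)
        band = sil_band(p)
        hours[band] = hours.get(band, 0.0) + step
    return total / samples, peak, hours


if __name__ == "__main__":
    for label, offsets in (("simultaneous tests", [0.0, 0.0, 0.0]),
                           ("staggered tests", [0.0, TAU / 3, 2 * TAU / 3])):
        avg, peak, hours = pfd_profile(offsets)
        print(f"{label}: PFDavg={avg:.2e} (SIL{sil_band(avg)}), "
              f"PFDmax={peak:.2e} (SIL{sil_band(peak)}), hours per band={hours}")
```

Running the two configurations side by side shows the point made in the text: staggering the three tests lowers both the average and the peak of the top event curve, and the hours-per-band dictionary makes visible that a system whose PFDavg sits in the SIL2 band can still spend a large share of the test interval in the SIL1 band.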
The second tool that we have developed is based on the multiphase Markovian approach. The number of states being generally too high to be managed by hand, we use a formal language (AltaRica Data Flow, implemented in the COMBAVA software) to generate them automatically. Even if our computation engine MAR-XPR is able to handle millions of states, this method is really efficient only for small systems, and this is why we have developed a third tool based on behavioural models and Monte Carlo simulation, which are virtually without limitations.
Our preferred model is stochastic Petri nets, like the one presented in Figure 3. The method consists in building a finite state automaton behaving exactly as the system under study and performing Monte Carlo simulations on this model. This provides statistical results, which are used to calculate the probabilistic parameters of interest. This method has been in use in our company since the early 1980s, when we began to develop our GRIF-MOCA-RP software. Mainly used for RAM analysis, it has been adapted to SIL calculations by developing a library of sub-Petri nets corresponding to the elements encountered in HIPS studies. It has been designed to run very fast and there is no difficulty in reaching accurate SIL4 estimations with present-day PCs.
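As an added example (not code from the article or from GRIF-MOCA-RP), the behaviour sketched by the Petri net of Figure 3 for one periodically tested element is written below as a plain Monte Carlo event loop: Running, hidden Failure at rate λ, Detection at the next test, Waiting for the repair resource (the rig coming on location), Repair, then Running again. It also includes the genuine on-demand failures discussed earlier (the test itself breaking the element with probability gamma) and returns both PFDavg and the unreliability over the horizon, the conservative figure to prefer when demands are frequent compared with tests. The mobilisation delay, repair duration, gamma and the restart of the test interval after repair are constructed assumptions.

```python
"""Monte Carlo estimation of PFDavg and unreliability from a behavioural model.

Added example, not code from the article or from GRIF-MOCA-RP. One element:
Running -> hidden Failure (rate lam) -> Detection at the next test -> Waiting
for the repair resource (e.g. rig on location) -> Repair -> Running, plus
genuine on-demand failures caused by the test itself (probability gamma).
Mobilisation delay, repair duration, gamma and the test-interval restart are
assumptions."""
import math
import random


def simulate_history(rng, lam, tau, horizon, mobilisation=0.0, repair=0.0, gamma=0.0):
    """One history over [0, horizon]. Returns (time unavailable, failed_at_least_once).

    The test interval restarts once the element is back in service (assumption)."""
    t, down, failed = 0.0, 0.0, False
    while t < horizon:
        next_test = t + tau
        time_to_failure = rng.expovariate(lam)
        if t + time_to_failure < next_test:
            # hidden failure: unavailable from now, revealed only by the next test
            failed_at = t + time_to_failure
            if failed_at >= horizon:
                break
            failed = True
            restored = next_test + mobilisation + repair
            down += min(restored, horizon) - failed_at
            t = restored
        elif next_test < horizon and rng.random() < gamma:
            # genuine on-demand failure: the test breaks the element; it is
            # revealed at once but stays unsafe until mobilisation and repair end
            failed = True
            restored = next_test + mobilisation + repair
            down += min(restored, horizon) - next_test
            t = restored
        else:
            t = next_test
    return down, failed


def mc_estimate(lam, tau, horizon, histories=2000, seed=1, **kwargs):
    """Average over histories: (PFDavg estimate, unreliability F(horizon) estimate).

    PFDavg is the mean fraction of time unavailable; F(horizon) is the fraction
    of histories with at least one failure."""
    rng = random.Random(seed)
    total_down, n_failed = 0.0, 0
    for _ in range(histories):
        down, failed = simulate_history(rng, lam, tau, horizon, **kwargs)
        total_down += down
        n_failed += failed
    return total_down / (histories * horizon), n_failed / histories


def analytic_pfd(lam, tau):
    """Closed form for hidden failures with instantaneous repair: 1 - (1 - e^-(lam*tau))/(lam*tau)."""
    return 1.0 - (1.0 - math.exp(-lam * tau)) / (lam * tau)


if __name__ == "__main__":
    lam, tau = 1.0e-4, 1000.0          # same orders of magnitude as Figure 2
    pfd, unrel = mc_estimate(lam, tau, horizon=10 * tau)
    print(f"hidden failures only: PFDavg ~ {pfd:.4f} "
          f"(analytic {analytic_pfd(lam, tau):.4f}), F(T) ~ {unrel:.3f}")
    pfd_sub, _ = mc_estimate(lam, tau, horizon=10 * tau,
                             mobilisation=720.0, repair=48.0, gamma=1e-3)
    print(f"subsea-like (30-day rig mobilisation, 48 h repair, gamma=1e-3): "
          f"PFDavg ~ {pfd_sub:.4f}")
```

With zero mobilisation and repair times the estimate converges on the closed form λτ/2 (more exactly 1 - (1 - e^-λτ)/λτ), which is the check to run before trusting the model; adding a realistic subsea mobilisation delay then shows how far the PFD moves away from the simplified formulae, which is the situation the article argues Part 6 does not cover. The same loop, with a place and transition list per component, is what a sub-Petri net library generalises to several interlinked layers.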
Conclusion
Implementing SIL calculations as per IEC 61508 or IEC 61511 on HIPS is not too difficult a task, provided that an in-depth analysis of the standard is achieved and that alternatives to IEC 61508-Part 6 are considered. Traditional approaches such as fault trees, Markov graphs or Monte Carlo simulation on behavioural models like Petri nets have proven to be very efficient and easy to use for this purpose. This is what we do in TOTAL, where a full set of methods and software tools is available and used daily for our SIL calculations.