P. Alonso
3. RESEARCH OBJECTIVES. METHOD AND STRUCTURE OF THE WORK
Both qualitative and quantitative SIL determination methods and tools may be applied during phase four in the IEC safety life cycle (Figure 1.1). The quantitative method in IEC 61508, the OLF 070 guideline, the risk matrix, the safety layer matrix, the risk graph and the calibrated risk graph are SIL determination methods that have been described in addition to LOPA. In qualitative methods the parameters used as decision basis are subjective and estimated by expert judgment. Quantitative methods describe the risk by calculations, and a numerical target value is compared with the result. Which method to apply relies primarily on whether the necessary risk reduction is specified in a numerical or a qualitative manner. The scope and extent of the analysis would also be an influencing factor. Even if the assignment method is qualitative, the SIL is always quantified by a number.
The main objective of this thesis has been to gain knowledge of SIL determination tools, with LOPA as the main focus. This has been accomplished. The sub-objectives of the report are listed below, and the coverage and findings concerning each objective are discussed.
• Literature survey and different approaches to LOPA found in the literature.
A literature survey has been carried out, and different methodologies and approaches in the literature have been presented and discussed. In particular, the IEC 61511 approach, the Aker E&T approach and the approach in CCPS (2001) have been covered.
The guideline in BP (2006) seems reasonable and should have been covered to a greater extent. Most methodologies and approaches have a similar basis, but use different terms and a different sequence of steps. Another distinction is whether the authors also use screening tools, i.e. a risk graph, prior to, or embedded in, the LOPA process.
Compared to the approaches discussed in Section 3.5, the Aker E&T LOPA approach is an overall methodology that does not implicitly take the proposed SIF into account. Often the customer's methodology (e.g. Statoil or BP) also forms the basis for the analysis. ISO 10418 (2003) helps the design team to implement safety functions in the P&IDs for the system concerned, and after all hazard identification is finished the LOPA is initiated. The further approach is similar to the approach presented in IEC 61511 (2003).
• Recommended LOPA approach
A stepwise preferred (recommended) approach has been developed and each step described. The approach is clear, and all basic concepts are clarified. In the case study in Chapter 6 the need for more guidelines on how to credit IPLs has been identified, and this part needs to be improved. The preferred approach is an overall approach considering the planned / existing system without the proposed SIF. Several screening tools exist, but it was chosen to screen by consequence and SIL only. Conducting a risk graph analysis and then initiating a LOPA causes extra work and increased engineering cost. The approach is shown in Figure 4.1.
• Interfaces between LOPA and other risk analysis methods.
Interfaces between LOPA and HAZOP have been identified, but other risk analysis methods have not been covered. Information in columns such as consequence and possible causes in the HAZOP worksheet can be directly transferred to the LOPA worksheet. Information in the other columns may require transformation. This includes IPL PFD data and initiating cause frequency.
The thoughts behind a software tool transferring, facilitating, and adjusting data have been presented. This includes a program specification and a simple illustration of a proposed software program. The illustrated software program is based on automatic data transformation from HAZOP, IPL PFD and initiating cause frequency databases, and a risk matrix including the acceptance criteria. Linking all these aspects with a LOPA worksheet gives the outline of the program. The illustrated program shown in Annex B seems reasonable, but should be evaluated in more detail. Expert judgment makes up an extensive part of the analysis, and a program that "learns by doing" would be beneficial. An example is a program with a database of previous analyses, which provides earlier information when a new analysis is performed, e.g. possible initiating causes of a specific type of valve.
• Discuss pros and cons related to LOPA
Advantages and disadvantages of LOPA, and especially the limitations of LOPA, have not been covered.
• Discussion of the IPL concept and the applicability of LOPA in cases where the independence is violated
IPL has been defined, exemplified, and discussed. In the case study the IPL concept has been applied to a practical system. CCFs have not been covered to a great extent, which should have been the case.
IPL is defined as: a protection layer that is capable of preventing the process deviation from proceeding to the end consequence regardless of other protection layers associated with the same impact event - initiating cause pair, and of the initiating event. It must lead to a risk reduction factor of at least 10, and fulfill the specificity, independence, dependability and auditability criteria. The definition is clear, but it is still uncertain how to apply the concept of IPL in practice.
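The software outline described under the HAZOP interface objective and the IPL credit rule stated above can be illustrated with a small worksheet calculation. The following is an added example written for this summary, not code from the thesis or from Annex B. It assumes the credit rule from the definition above (RRF of at least 10, i.e. PFD no greater than 0.1), a simple independence screen that rejects an IPL sharing a component tag with the initiating cause or an already credited IPL, and the IEC 61508 low-demand PFD bands for mapping the remaining required risk reduction to a SIL. All scenario data (tags, frequencies, PFDs, acceptance criterion) are constructed sample values, not the case study's figures.

```python
# Added example: a minimal LOPA worksheet with IPL crediting (not the thesis's code).
# Assumptions: RRF >= 10 credit rule (PFD <= 0.1); independence screened by shared
# component tags; SIL bands are the IEC 61508 low-demand PFD bands; all sample data
# below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float                       # probability of failure on demand
    components: frozenset = frozenset()  # hardware tags the layer depends on


@dataclass
class Scenario:
    description: str
    initiating_cause: str
    initiating_frequency: float      # events per year
    initiating_components: frozenset  # tags whose failure is the initiating cause
    candidate_ipls: list
    target_frequency: float          # acceptance criterion, events per year


def credit_ipls(scenario):
    """Return (credited IPLs, rejected (name, reason) pairs).

    An IPL is credited only if it gives RRF >= 10 and shares no component with the
    initiating cause or with an IPL already credited (assumed independence screen).
    """
    credited, rejected = [], []
    used = set(scenario.initiating_components)
    for ipl in scenario.candidate_ipls:
        shared = ipl.components & used
        if ipl.pfd > 0.1:
            rejected.append((ipl.name, "RRF < 10"))
        elif shared:
            rejected.append((ipl.name, "not independent: shares " + ", ".join(sorted(shared))))
        else:
            credited.append(ipl)
            used |= ipl.components
    return credited, rejected


def mitigated_frequency(scenario, credited):
    """Initiating frequency multiplied by the PFD of every credited IPL."""
    f = scenario.initiating_frequency
    for ipl in credited:
        f *= ipl.pfd
    return f


def required_sil(required_pfd):
    """Map the PFD a new SIF must provide to a SIL (IEC 61508 low-demand bands)."""
    if required_pfd >= 1e-1:
        return 0  # acceptance criterion met without a SIF
    if required_pfd >= 1e-2:
        return 1
    if required_pfd >= 1e-3:
        return 2
    if required_pfd >= 1e-4:
        return 3
    if required_pfd >= 1e-5:
        return 4
    raise ValueError("required risk reduction exceeds SIL 4; redesign the process")


def analyse(scenario):
    """One LOPA worksheet row: credited layers, mitigated frequency, required SIL."""
    credited, rejected = credit_ipls(scenario)
    f_mit = mitigated_frequency(scenario, credited)
    required_pfd = min(1.0, scenario.target_frequency / f_mit)
    return {
        "credited": [ipl.name for ipl in credited],
        "rejected": rejected,
        "mitigated_frequency": f_mit,
        "required_pfd": required_pfd,
        "sil": required_sil(required_pfd),
    }


# Constructed sample scenario (not from the case study).
SAMPLE = Scenario(
    description="High pressure in separator V-101",
    initiating_cause="Pressure control loop fails and closes the outlet",
    initiating_frequency=0.1,
    initiating_components=frozenset({"PT-101", "PCV-101"}),
    candidate_ipls=[
        # Alarm uses the same transmitter as the failed control loop: not independent.
        IPL("Operator response to high-pressure alarm", 0.1, frozenset({"PT-101"})),
        # Too weak to count as an IPL under the RRF >= 10 rule.
        IPL("Check valve on inlet", 0.5, frozenset({"CV-102"})),
        # Independent relief device, credited.
        IPL("Pressure safety valve PSV-101", 0.01, frozenset({"PSV-101"})),
    ],
    target_frequency=5e-6,
)

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(SAMPLE.description)
    for name, reason in result["rejected"]:
        print(f"  rejected IPL: {name} ({reason})")
    print(f"  credited IPLs: {result['credited']}")
    print(f"  mitigated frequency: {result['mitigated_frequency']:.2e} /yr")
    print(f"  required SIF PFD: {result['required_pfd']:.2e} -> SIL {result['sil']}")
```

The independence screen is the point the case study found hardest: the alarm here is rejected not because it is weak but because it shares the transmitter with the initiating cause, which is exactly the kind of shared component a CCF analysis would flag. A real tool would draw the tags from the HAZOP worksheet and the PFDs from an IPL database, as the program specification describes.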
• Compare the applicability of LOPA in determining SIL, and compare LOPA with alternative approaches (incl. risk graphs). If possible, this evaluation should be rooted in a practical case study.
The preferred approach, based on the literature study, has been applied to a combined system based on real systems by Aker Subsea and Aker E&T. The preferred approach was easy to use, but as mentioned the IPL concept was difficult to apply. Where to draw the line between a component being independent or not was the key issue throughout the case study. The case concluded that process understanding and knowledge of basic reliability concepts are important.
This thesis may give some readers a clearer understanding of LOPA. The sections explaining and clarifying terms, and the IPL discussion in the case study, may be a contribution to the LOPA discussion.
Still, many of the issues need to be clarified, and further work is recommended. Specific recommendations for further work are:
• More in-depth analyses of CCFs and IPLs.
– What is the effect of not considering CCFs?
– Guideline describing the concept of IPL for different systems, with an extended definition of IPL.
• HAZOP integration software tool prototype that includes advanced functions which incorporate expert judgment and previous analyses.
• Combined framework of LOPA and HAZOP including a common terminology and worksheet.
• Extend the development of the preferred approach.
– Include risk acceptance criteria development.
Bibliography
ACM Facility Safety (2004). HAZOP / SIL analysis item and cost comparison - Traditional way vs. integrated SILCore approach. Advertorial, Safety Users Group. Retrieved on 03.04.08 from internet address: http://www.safetyusersgroup.com/documents/AD040001/EN/AD040001.pdf.
ACM Facility Safety (2006). SIL Determination Techniques Report. "White Paper". Retrieved on 30.02.08 from internet address: http://www.iceweb.com.au/sis/ACMWhite-PaperSILDeterminationTechniquesReportA4.pdf.
Baybutt, P. (2007). An improved Risk Graph Approach for Determination of Safety Integrity Levels (SILs). Process Safety Progress, 26:66–76.
Bingham, K. and Goteti, P. (2004). ISA (The Instrumentation, Systems, and Automation Society) 2004. In Integrating HAZOP and SIL / LOPA analysis: Best practice recommendations.
BP (2006). Guidance on Practices for Layer of Protection Analysis (LOPA). British Petroleum procedure: Engineering Technical Practice (ETP) GP 48-03, 1st edition.
CCPS (2001). Layer of protection analysis - simplified process risk assessment. American Institute of Chemical Engineers (AIChE), Centre for Chemical Process Safety (CCPS). 3 Park Avenue, New York.
Dowell, A. (1998). Layer of protection analysis for determining safety integrity level. ISA Transactions, 37:155–165.
Dowell, A. and Williams, T. (2005). Layer of Protection Analysis: Generating Scenarios Automatically from HAZOP Data. Process Safety Progress, 24:38–44.
Ellis, G. and Wharton, M. (2006). Symposium Series No. 151, IChemE. In Practical experience in determining safety integrity levels for safety instrumented systems.
Gowland, R. (2006). The accidental risk assessment methodology for industries (ARAMIS) / layer of protection analysis (LOPA) methodology: A step forward towards convergent practices in risk assessment? Journal of Hazardous Materials, 130:307–310.
Harsem Lund, K. (2007). Alternative måter for SIL fastsettelse - en sammenligning (LOPA, Risk graf, OLF 070). In PDS forum, Trondheim. Scandpower, Kjeller.
IEC 60300-3-9 (1995). Dependability management Part 3: application guide - section 9: Risk analysis of technological systems. International Electrotechnical Commission, Geneva.
IEC 61508 (2003). Functional safety of electrical/electronic/programmable electronic safety-related systems. International Electrotechnical Commission, Geneva.
IEC 61511 (1998-2003). Functional safety - safety instrumented systems for the process industry sector. International Electrotechnical Commission, Geneva.
ISO 10418 (2003). Petroleum and natural gas industries offshore installations - Basic surface process safety systems. International Organization for Standardization, Geneva.
Marszal, E. and Scharpf, E. (2002). Safety Integrity Level Selection - Systematic Methods Including Layer of Protection Analysis. The Instrumentation, Systems and Society (ISA). Research Triangle Park, NC.
Nordhagen, L. (2007). Bruk av LOPA ved fastsettelse av IL krav, Aker Kværner Engineering & Technology. In PDS forum, Trondheim.
NORSOK Z-013 (2001). Risk and emergency preparedness analysis. Norwegian Technology Centre, Oslo.
OLF 070 (2004). Application of IEC 61508 and IEC 61511 in the Norwegian petroleum industry. OLF.
Rausand, M. (2004). Reliability of safety systems (Slides). Retrieved on 28.02.08 from internet address: http://frigg.ivt.ntnu.no/ross/slides/chapt10.pdf.
Rausand, M. (2005). HAZOP - Hazard and Operability Study (Slides). Retrieved on 28.02.08 from internet address: http://frigg.ivt.ntnu.no/ross/slides/hazop.pdf.
Rausand, M. and Høyland, A. (2004). System Reliability Theory. Models, Statistical Methods, and Applications. 2nd edition. John Wiley & Sons, Hoboken, NJ.
Schönbeck, M. (2007). Introduction to reliability of safety systems. ROSS (NTNU) report 200702. Technical report, NTNU, ROSS, Trondheim.
Summers, A. (2003). Introduction to layers of protection analysis. Journal of Hazardous Materials, 104:163–168.
The Dow Chemical Company (2002). Introducing Dow application of layer of protection analysis. In Introducing Dow Application of Layer of Protection Analysis - LOPA.