Ensuring safe, ongoing operations at processing and asset-intensive facilities is more than "Work Smart" programs. To effectively meet the challenge of a holistic, sustainable approach to safety that follows best practices including IEC 61508, IEC 61511 and ISA84, we start with creating a safety plan that includes a framework for functional safety and incorporates process safety – from conception to decommissioning. OESuite™ supports key functional components and process safety management requirements via efficient, integrated, mobile-enabled modules. Designed from the ground-up to facilitate intuitive use, easy data input and analysis, the platform helps organizations standardize risk tolerances, implement best practices and standard operating procedures, and protect people, facilities, and processes for the long term.
PHA starts with defining the system boundaries and the equipment to be included in the hazard/risk analysis. Typical PHA studies use a qualitative risk assessment methodology such as a Hazard and Operability Study (HAZOP) to identify hazardous events, initiating causes, event severity, and initiating likelihood. HAZOP does not address whether safeguards are independent from one another, however. A team's subjective perception of the integrity of a specific safeguard may lead to inconsistency in the number of safeguards recommended to adequately mitigate risk.
To eliminate subjective safeguards, LOPA is used to indicate whether adequate risk reduction can be achieved. LOPA provides specific criteria and restrictions for evaluating independent protective layers (IPLs). Ideally protection layers are independent from one another so that any one will perform its function regardless of the initiative event or the action or failure of any other protection layer.
LOPA provides a method for evaluating the risk of hazard scenarios and comparing those risks with risk tolerance criteria to decide if existing safeguards are adequate. LOPA builds upon the information developed in the PHA. LOPA addresses safeguards that are IPLs, including:
These can be divided into two main types or protection layers: prevention layers that try to stop the hazardous event from occurring, and mitigation layers that reduce the consequence after a hazardous event. Plant design, safety instrumented systems, alarm systems, and operator intervention are designed to prevent. Plant and emergency response, dikes, berms and blast walls, and pressure relief devices are designed to mitigate.
SIS are also called interlocks, trip and alarm systems, and emergency shutdown systems. SIS are control systems that act to return a process to a safe state upon detection of conditions that may be hazardous, or could eventually give rise to a hazard if no action is taken. SIS perform Safety Instrumented Functions (SIF) by acting to prevent a hazard or to mitigate its consequences.
The degree of confidence that can be placed in the SIS to reliably perform its intended function is known as its safety integrity. Safety integrity is graded into four distinct bands known as Safety Integrity Levels (SIL) and these SIL numbers correspond to four levels of Risk Reduction Factor (RRF). We use RRF as a measure of safety integrity.
|SIL||Risk Reduction Factor||Probability of failure on demand (PFD)|
|4||>10,000 to <100,000||>10-5 to <10-4|
|3||>1,000 to >10,000||>10-4 to <10-3|
|2||>100 to <1,000||>10-3 to <10-2|
|1||>10 to <100||>10-2 to <10-1|
A SIS is chosen based on achieving a SIL that matches the required level of risk reduction, but the SIS is only one of the IPLs in a plant's overall risk reduction strategy.
Alarm systems have a very close relationship to SIS but they don't have the same function. Alarms are designed to draw an operator's attention to a condition outside of the desired range of conditions for normal operation – something requiring operator intervention. In contrast, SIS doesn't require a response from the operator… the SIS will act to return the process to a safe state (up to an including shutdown) if conditions warrant.
Alarm management continues to be essential due to the complexity of control system design and issues such as alarm floods (a period of multiple, often overlapping alarms). ISA 18.2 models the entire alarm management lifecycle. Key components such as Management of Change (i.e. alarm setpoint changes), alarm design, alarm rationalization, state based and dynamic alarming need to be addressed in any alarm management plan. In addition, plant personnel need to be trained to develop and maintain the system.
OESuite™ is compliant with ISA 18.2, EEMUA 191, and API RP 1167.