We facilitated two 4-day HAZOP studies for the pre-construction design and pre-commissioning of a bio-syngas facility, highlighting potential gaps in the design and safety management systems, ready for the design to progress to a fully functional large-scale pilot plant.
To do this, we reviewed the P&IDs and Process Description and developed the HAZOP study nodes. We also confirmed the HAZOP procedure and risk-ranking criteria. We scheduled the HAZOP study so that the most hazardous systems were reviewed first and the most benign systems last.
We also supported the client by reviewing the adequacy of the HAZOP action responses, i.e. whether the concern raised had actually been addressed.
Functional Safety Technical Review
We developed a risk assessment approach based upon Layer of Protection Analysis (LOPA) theory to assess the integrity requirements for a fire and gas (F&G) detection system on a Floating Storage Unit (FSU) to be moored in the UK North Sea.
The FSU safety systems were specified per Norwegian standard OLF070, but the approach in this standard differs slightly from the approach used in international standard IEC61511. Unfortunately, some confusion had arisen between the two, and this was causing design problems.
There was no exemplar on which to base our methodology, so we developed our own conservative approach:
We reviewed all the rooms on the vessel to determine which were likely to be occupied.
We developed a manning profile, and subsequently an occupancy demographic, based on our experience and engineering judgement.
We developed various rule sets to allow a conservative approach to the risk assessment, making it robust and able to withstand challenge.
The outcome of this exercise was that even in the three higher-risk areas identified (engine room, equipment room, submerged turret area), there was no requirement for an equivalent integrity rating.
This work led to an additional request to undertake a similar scope for Emergency Shutdown (ESD) and Process Shutdown (PSD) functions. We also undertook additional scrutiny on the F&G system from a commercial perspective.
We prepared a high-level evaluation to determine whether a SIL rating was appropriate for the ESD functions. We used our experience and engineering judgement to determine a frequency of occurrence and the likely consequences.
The outcome of the review was that a formal SIL rating beyond SIL1 was not justifiable.
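The LOPA-based screening described above (initiating event frequency, credit for existing protection layers, comparison against a tolerable frequency, and a resulting SIL target for the ESD function) can be worked through in a few lines. The example below is added here to illustrate the method; it is not the consultancy's own tool, and all scenario names, frequencies, IPL credits and tolerable-frequency values are constructed for illustration rather than taken from the project.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IEC 61511 low-demand SIL bands expressed as risk reduction factor (RRF):
# SIL n covers 10**n <= RRF < 10**(n+1), up to SIL 4.
MAX_SIL = 4


@dataclass
class LopaScenario:
    """One hazard scenario as it would appear on a LOPA worksheet (constructed)."""
    name: str
    initiating_event_freq: float   # events per year
    ipl_pfds: List[float]          # PFDavg of each credited IPL, excluding the SIF itself
    tolerable_freq: float          # target mitigated frequency per year (assumed risk-matrix value)


def mitigated_frequency(s: LopaScenario) -> float:
    """Consequence frequency with the credited IPLs applied but without the SIF."""
    f = s.initiating_event_freq
    for pfd in s.ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"{s.name}: IPL PFD {pfd} is outside (0, 1]")
        f *= pfd
    return f


def required_rrf(s: LopaScenario) -> float:
    """Risk reduction the SIF must contribute to reach the tolerable frequency."""
    return mitigated_frequency(s) / s.tolerable_freq


def sil_for_rrf(rrf: float) -> int:
    """Map a required RRF onto a SIL target; 0 means no SIL-rated SIF is justified."""
    if rrf < 10.0:
        return 0
    sil, threshold = 0, 10.0
    while rrf >= threshold and sil < MAX_SIL:
        sil += 1
        threshold *= 10.0
    if rrf >= threshold:
        # A single SIF cannot credibly carry more than SIL 4: add IPLs or reduce the demand.
        raise ValueError(f"required RRF {rrf:.0f} exceeds SIL {MAX_SIL}; revisit the design")
    return sil


def assess(s: LopaScenario) -> Tuple[float, float, int]:
    """Return (mitigated frequency, required RRF, SIL target) for one scenario."""
    rrf = required_rrf(s)
    return mitigated_frequency(s), rrf, sil_for_rrf(rrf)


# Constructed scenarios: BPCS failure with operator and PSV credit, a gas accumulation
# with no other layers, and a leak scenario with a single alarm-response credit.
SCENARIOS = [
    LopaScenario("ESD separator overpressure", 0.5, [0.1, 0.01], 1e-5),
    LopaScenario("F&G equipment room", 0.02, [], 1e-2),
    LopaScenario("PSD pump seal leak", 1.0, [0.1], 2e-4),
]


def assess_all(scenarios: List[LopaScenario] = SCENARIOS) -> Dict[str, int]:
    """SIL target per scenario name, which is what a LOPA report summary table carries."""
    return {s.name: assess(s)[2] for s in scenarios}


if __name__ == "__main__":
    for s in SCENARIOS:
        f, rrf, sil = assess(s)
        print(f"{s.name:28s} mitigated {f:.1e}/yr  RRF {rrf:7.1f}  SIL target {sil}")
```

A required RRF below 10 is the "no formal SIL justifiable" outcome the review reached; the function reports it as SIL 0 rather than rounding up to SIL 1, which is the conservative-but-honest reading of the band boundaries.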
SIL Verification Calculations
We undertook Safety Integrity Level (SIL) verification calculations for a COMAH site in the UK. The site had made changes to its process operations and installed new equipment.
We visited site and recorded the make and model of every item of plant equipment in each safety instrumented function. We then sought to obtain failure rate data from the equipment manufacturers.
For SIL-rated equipment compliant with the requirements of international standard IEC61508, this normally comes in the form of a Failure Modes, Effects and Diagnostic Analysis (FMEDA) document. Note that motor contactors are more frequently SIL rated per standards EN ISO 13849 or perhaps EN 62061 and are unlikely to have an FMEDA.
Our preference for SIL verification calculations is to use manufacturer’s failure rate data. Because such data is obtained in optimal conditions, we apply a conservative approach and increase the failure frequency by an order of magnitude. This approach also allows some flexibility to account for non-perfect proof tests.
Where manufacturer’s failure rate data is not available (typical for non-SIL rated equipment), we tend to use generic data (e.g. from the Center for Chemical Process Safety or the Offshore Reliability Database).
The outcome of the exercise was that the systems under consideration required testing on a monthly basis to achieve the target SIL. Obviously, this is an onerous burden on the maintenance department, although on a batch plant it may be achievable. For a continuous process, this arrangement would be very unlikely to be suitable, and therefore our recommendation is to procure SIL-rated equipment in the first instance.
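The calculation that produces a "monthly testing" conclusion can be shown with the simplified 1oo1 low-demand formula (PFDavg = λDU × TI / 2, summed across sensor, logic solver and final element) together with the order-of-magnitude derating of vendor FMEDA data described above. The example below is an added illustration, not the consultancy's spreadsheet; the subsystem names and dangerous-undetected failure rates are constructed, and the calculation deliberately omits MTTR, common-cause and proof-test-coverage terms that a full IEC 61508 calculation would include.

```python
from typing import Dict, Tuple

HOURS_PER_YEAR = 8760.0

# Low-demand PFDavg bands (IEC 61508 / IEC 61511): SIL -> (lower, upper), lower <= PFD < upper.
SIL_PFD_BANDS: Dict[int, Tuple[float, float]] = {
    1: (1e-2, 1e-1),
    2: (1e-3, 1e-2),
    3: (1e-4, 1e-3),
    4: (1e-5, 1e-4),
}

# Constructed dangerous-undetected failure rates (per hour) as a vendor FMEDA would quote them.
FMEDA_LAMBDA_DU: Dict[str, float] = {
    "pressure transmitter": 4e-7,
    "safety relay logic": 1e-7,
    "shutdown valve + solenoid": 2.0e-6,
}


def derate_fmeda_rates(lambda_du: Dict[str, float], factor: float = 10.0) -> Dict[str, float]:
    """Apply the page's order-of-magnitude penalty to data gathered under optimal conditions."""
    return {name: rate * factor for name, rate in lambda_du.items()}


def pfd_avg_1oo1(lambda_du_per_hour: float, test_interval_hours: float) -> float:
    """Simplified 1oo1 low-demand PFDavg: lambda_DU * TI / 2 (no MTTR or CCF terms)."""
    return lambda_du_per_hour * test_interval_hours / 2.0


def pfd_avg_sif(lambda_du: Dict[str, float], test_interval_hours: float) -> float:
    """Series sum of the 1oo1 subsystem PFDs: sensor + logic solver + final element."""
    return sum(pfd_avg_1oo1(rate, test_interval_hours) for rate in lambda_du.values())


def achieved_sil(pfd: float) -> int:
    """SIL supported by the PFDavg alone (architectural constraints are a separate check)."""
    if pfd < SIL_PFD_BANDS[4][0]:
        return 4
    for sil in (4, 3, 2, 1):
        lo, hi = SIL_PFD_BANDS[sil]
        if lo <= pfd < hi:
            return sil
    return 0  # PFDavg of 0.1 or worse: no SIL claim can be made


def max_test_interval_hours(lambda_du: Dict[str, float], target_sil: int) -> float:
    """Longest proof-test interval keeping the series PFDavg inside the target band (exclusive)."""
    _, upper = SIL_PFD_BANDS[target_sil]
    return 2.0 * upper / sum(lambda_du.values())


def schedule_report(lambda_du: Dict[str, float]) -> Dict[str, Tuple[float, int]]:
    """PFDavg and achieved SIL for the proof-test intervals a maintenance plan would consider."""
    intervals = {
        "monthly": HOURS_PER_YEAR / 12,
        "quarterly": HOURS_PER_YEAR / 4,
        "annual": HOURS_PER_YEAR,
    }
    return {name: (pfd_avg_sif(lambda_du, ti), achieved_sil(pfd_avg_sif(lambda_du, ti)))
            for name, ti in intervals.items()}


if __name__ == "__main__":
    derated = derate_fmeda_rates(FMEDA_LAMBDA_DU)
    for name, (pfd, sil) in schedule_report(derated).items():
        print(f"{name:10s} PFDavg {pfd:.4f}  -> SIL {sil}")
    print(f"max interval for SIL 2: {max_test_interval_hours(derated, 2):.0f} h")
```

With the constructed rates, the derated loop meets SIL 2 only at monthly testing, drops to SIL 1 at quarterly testing and supports no SIL claim at all on an annual interval, which is the shape of result that drives the recommendation to procure SIL-rated equipment rather than rely on frequent proof testing. Note that the interval returned by max_test_interval_hours is an exclusive bound, so the scheduled interval must sit below it.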
Functional Safety Assessments
Some modifications to an oil storage facility and the recommissioning of a storage tank were being undertaken in the UK. A hazard and risk assessment was performed, and this identified that some safety instrumented functions (SIFs) were required to provide protection in case of maloperation. Further evaluation identified that these SIFs would need to be SIL rated per the international standard IEC61511.
IEC61511 requires that functional safety assessments (FSAs) are undertaken on any SIFs which are being designed, in operation, or being modified or decommissioned. There are five stages of FSA, which cover the lifecycle of a SIF. We undertook two functional safety assessments on the design: FSA1 and FSA2.
FSA1 is set at a high level and is focused on ensuring the basics are in place and correct, such that the likelihood of errors in the design is minimised. It seeks to establish that a functional safety management system is in place and that adequately competent personnel are used in the design process. Planning for assessment and verification activities should also be in place to ensure that sufficient personnel, physical resources and arrangements are provided such that the requirements of the standard are met. This is systematic capability and is one of the three tenets on which a claimed SIL rating is based.
FSA2 is more focused on the design itself and seeks to ensure that provisions are in place to minimise systematic capability weaknesses, by asking more in-depth questions. It also asks high-level questions about cyber security, as well as about the development, testing and verification planning for any software and hardware.
In addition, the FSA2 considers what recommendations were raised in the FSA1 (as is common with all FSAs, the outcome of any previous FSA should be considered).
The outcome of the FSA1 was that although the design company was an established EPC which should have had processes and procedures in place, no evidence was provided to support any claim of compliance with the standard.
The outcome of the FSA2 was that although good design practice was being followed for standard instrumentation design development, the lead designer was not aware that the design needed to comply with the requirements of the standard. This is a clear breakdown in communication and highlights why it is vital to ensure that the requirements of the standard which are assessed in FSA1 are actually implemented.
SIL Verification Test Procedure Authoring
When Safety Instrumented Functions (SIFs) are designed and installed, they need to be tested before they are put into operation and relied upon to give a discrete amount of risk reduction (i.e. to keep your people and assets safe). The international functional safety standard, IEC61511, requires that, in addition to the functionality of the SIF in normal conditions, the functionality in abnormal (i.e. fault) conditions is thoroughly tested.
We prepared over 100 SIL verification test procedures for a brand new offshore installation in the UK North Sea.
The procedures contained the following content:
SIF description: what it does, unique identifiers, SIL rating, process safety time.
SIF Inventory: a schedule of makes, models and serial numbers of all equipment in each SIF, as well as IP addresses for any programmable electronic logic solvers.
SIF testing prerequisite information: space for recording permit-to-work numbers and the risk assessment reference; details of any test equipment required and space for recording make/model/calibration date; a list of equipment tags to be visually inspected for obvious signs of damage.
Test protocol for testing engineered overrides; negative testing of sensors and final elements.
Test protocol for end-to-end function test.
Witness signatures section.
Independent Witnessing Onshore/Offshore
A UK onshore COMAH plant had recently undergone a HAZOP which had identified the need for some Safety Instrumented Functions (SIFs). These had been evaluated in a Layer of Protection Analysis (LOPA) study and a safety integrity level (SIL) rating was allocated, per the international standard IEC61511.
The standard requires that before a SIF enters the operational phase, i.e. before it is relied upon to provide protection, it must undergo verification testing to prove that it meets design requirements.
We were requested to witness the verification testing. When undergoing verification testing, a single failure in any part of the test means a failure for the whole test.
One part of the test involves proving that the SIF acts within its process safety time. This is important because the process safety time is the time between a loss of process control and a hazardous event occurring; the SIF must provide protection within this time. The time the SIF actually takes to do so is its response time.
We witnessed a SIF act in a time greater than its process safety time. Naturally, the SIF failed its testing. Upon investigation, it was determined that the process safety time specified had been erroneously substituted with the SIF response time. One other thing that came to light during the investigation was that a software-based delay timer had been implemented, and this had been neglected in the response time calculation. The response time of a SIF is the time taken from detection of the hazardous process variable until the final element has finished acting.
We also witnessed testing offshore for a brand new Floating Storage Unit in the UK North Sea. A number of SIFs had been specified, and testing identified that the final elements (valves, in this instance) did not fail to a safe state; they had to be hydraulically moved. This is known as ‘Energise to Trip’, and the standard requires that loss of the motive force (i.e. the hydraulic pressure) is alarmed for operator action; the alarm thus becomes part of the SIF and requires verification testing in its own right. No motive force = no trip when required.
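The procedure content listed under SIL Verification Test Procedure Authoring and the two witnessing findings above (a response time that silently excluded a software delay timer, and an energise-to-trip loss-of-motive-force alarm that needed its own test) lend themselves to a structured test record with an evaluation rule. The example below is added here to illustrate that; it is not one of the procedures the consultancy prepared. The SIF tag, stage timings, process safety time and step names are constructed, and the stage breakdown of the response time is an assumed model rather than a definition from the standard.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ResponseTimeStages:
    """Seconds per stage from detecting the hazardous process variable to the final element finishing its travel (constructed model)."""
    sensor_detection_s: float
    logic_solver_scan_s: float
    software_delay_timer_s: float   # the configured delay the investigation found had been omitted
    final_element_travel_s: float

    def total(self, include_delay_timer: bool = True) -> float:
        t = self.sensor_detection_s + self.logic_solver_scan_s + self.final_element_travel_s
        if include_delay_timer:
            t += self.software_delay_timer_s
        return t


@dataclass
class TestStep:
    name: str
    passed: bool
    remark: str = ""


@dataclass
class SifVerificationTest:
    tag: str
    target_sil: int
    process_safety_time_s: float
    energise_to_trip: bool
    stages: ResponseTimeStages
    steps: List[TestStep] = field(default_factory=list)


# Steps every procedure carries, mirroring the procedure contents listed on the page.
BASE_STEPS = [
    "visual inspection of tagged equipment",
    "engineered override test",
    "negative test of sensors",
    "negative test of final elements",
    "end-to-end function test",
]
MOTIVE_FORCE_STEP = "loss of motive force alarmed"


def required_steps(test: SifVerificationTest) -> List[str]:
    """Energise-to-trip final elements add the motive-force alarm to the SIF scope."""
    return BASE_STEPS + ([MOTIVE_FORCE_STEP] if test.energise_to_trip else [])


def evaluate(test: SifVerificationTest) -> Tuple[bool, List[str]]:
    """Single-failure rule: any missing or failed step, or an over-long response, fails the whole test."""
    reasons: List[str] = []
    done = {s.name for s in test.steps}
    for name in required_steps(test):
        if name not in done:
            reasons.append(f"missing step: {name}")
    for s in test.steps:
        if not s.passed:
            reasons.append(f"failed step: {s.name}")
    response = test.stages.total()           # the delay timer is always counted
    if response >= test.process_safety_time_s:
        reasons.append(f"response time {response:.1f}s not within process safety time "
                       f"{test.process_safety_time_s:.1f}s")
    return (not reasons, reasons)


def all_passed(names: List[str]) -> List[TestStep]:
    return [TestStep(n, True) for n in names]


# Constructed record reproducing the onshore finding: 25 s without the timer, 35 s with it, PST 30 s.
ONSHORE_TEST = SifVerificationTest(
    tag="PZHH-1001 (constructed)", target_sil=1, process_safety_time_s=30.0, energise_to_trip=False,
    stages=ResponseTimeStages(2.0, 0.5, 10.0, 22.5), steps=all_passed(BASE_STEPS))

# Same loop after the delay timer was removed from the logic.
CORRECTED_TEST = SifVerificationTest(
    tag="PZHH-1001 (constructed)", target_sil=1, process_safety_time_s=30.0, energise_to_trip=False,
    stages=ResponseTimeStages(2.0, 0.5, 0.0, 22.5), steps=all_passed(BASE_STEPS))

# Constructed offshore record: hydraulic valves, but nobody scheduled the motive-force alarm test.
OFFSHORE_TEST = SifVerificationTest(
    tag="XV-2201 (constructed)", target_sil=2, process_safety_time_s=60.0, energise_to_trip=True,
    stages=ResponseTimeStages(1.0, 0.5, 0.0, 30.0), steps=all_passed(BASE_STEPS))

if __name__ == "__main__":
    for t in (ONSHORE_TEST, CORRECTED_TEST, OFFSHORE_TEST):
        ok, why = evaluate(t)
        print(t.tag, "PASS" if ok else "FAIL", why)
```

Keeping the delay timer as an explicit field, rather than folding it into the logic solver figure, is the point: the omission in the investigation was possible precisely because the timer lived in software and did not appear in any hardware-based estimate of the loop.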
Hazardous Area Classification Onshore/Offshore
When undertaking hazardous area classifications for flammable releases, there are several key pieces of guidance, depending on which industry you are in. The onshore natural gas distribution industry may use IGE/SR/25, for example. Offshore, the Energy Institute guidance in EI15 is used and, handily, it includes tables for the type of flammable gas you may be considering, giving distances to the lower flammable limit based on the system pressure and the release point dimensions (i.e. hole size). EI15 used to be known as IP15, before the Institute of Petroleum was renamed.
We analysed some potential gas release scenarios for modifications to a UK North Sea platform, using IP15 guidance. However, the gas pressures used on the platform were in excess of those in the guidance. We could have extrapolated the data and made some interpretations, but we felt this was not the best approach. Instead, we decided to use modelling software to determine the hazardous distance, i.e. the distance to the Lower Flammable Limit (LFL). Beyond the LFL, the release should have dispersed to such an extent that it is no longer flammable.
Firstly, we revalidated the data in IP15 and then substituted our parameters. Then, following the standard approach, we determined the distance to half the lower flammable limit (½ LFL). The ½ LFL value is used because it is difficult to say with accuracy that each release will behave in the same manner.
For the same platform, we also undertook some unignited flare release modelling. This assessed potential flammable atmospheres on the platform, and also considered potential for pool fires. The flare gas composition was known to vary so we also formulated a heavy gas composition to allow a droplet dispersion analysis.
When specifying electrical equipment that must operate in a flammable area, standard BS EN 60079-10 gives a useful approach, which echoes other standards. Hazardous areas, i.e. those where there may be a flammable release, either by design or by accident, are zoned as follows for gases:
Zone 0: continuous flammable atmosphere
Zone 1: flammable atmosphere expected 100 or more hours per year
Zone 2: flammable atmosphere expected between 10 and 1000 hours per year.
Anything less than 10 hours per year is unclassified. Note that there are similar specifications for flammable dusts: Zones 20/21/22.