Managing your risks with safety systems

May 1, 2011
Due to their isolation as well as their congestion and compact size, offshore facilities are inherently a higher risk environment than a similar land-based facility. Safety systems are one of the tools used to help manage risk by implementing the associated required safety integrity levels.

Ian Verhappen, Industrial Automation Networks Inc.

The SIL (Safety Integrity Level) required to keep the overall risk of an incident at an “acceptable” level is calculated from the HAZOP (hazard and operability) study and the risk assessment process. An acceptable level here means one at which the likelihood of an incident is kept below a defined threshold.

There are two parts to any Safety Instrumented System (SIS): the system itself and, once it has been installed, the maintenance needed to ensure ongoing reliable operation. The overall SIL rating is determined by a combination of the inherent reliability of the equipment and the level of maintenance performed to confirm that, when called upon, the equipment will work as required.

The DNV document “Key Aspects of an Effective US Offshore Safety Regime” has a number of relevant points here. Quoting from the document: “Because most accidents have been demonstrated to be due not to an unforeseen threat adequately addressed by regulations and company requirements but where safeguards have been allowed to degrade over time,” maintenance of a safety system is integral to achieving the required levels of reliability for these systems. Maintenance of safety systems requires controlled testing of the complete system – input, logic solver/controller, and output – to make sure that it will all work the way it should when called upon to do so. The SIL rating is an indication of the likelihood of a system failing when called upon (on demand) to do so.

As pointed out to me by a friend on the ISA-84 committee, an SIL rating of 10⁻¹ means that there is a 10% chance the device will fail when called upon to do so; or, alternatively, if you have 10 devices installed, that one of them will fail each year.

The ISA-84 committee through ANSI is responsible for the two safety standards:

  • IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems (the document used as the basis for designing safety system hardware)
  • IEC 61511, Functional safety: safety instrumented systems for the process industry sector (the document describing how to install/implement a safety system)

The ISA-84 committee has also issued a number of technical reports (TR-84 documents) that provide additional information to the end user on how to install and maintain safety systems. It should also be noted that the ISA-84 standards have been adopted by OSHA regulation as 29 CFR (Code of Federal Regulations) 1910.119. This regulation specifically targets the process safety management of highly hazardous chemicals. Yet even though these standards were targeted at the chemicals industry, the majority of hydrocarbon processes are also adopting this performance-based standard. Performance-based (or function- or goal-based) standards require the industry to document that its solution meets the level(s) of risk reduction set as targets in the standards.

However, as implied above, safety systems are just one tool used to protect people and equipment. The full system is called layers of protection analysis (LOPA), which is often referred to as an “onion,” in which each layer from the inside out reduces the “human factor” through the use of more automatic responses.

With LOPA, protection and risk reduction starts with the design of the process itself. This includes minimization of hazardous materials and conditions in the way the fluids are processed and stored; the layout of equipment within the facility; and protection of workers in the event of an incident.

The next layer is the basic process control system, which refers to the regulatory control loops used to keep the process running within its operating constraints, in as close to steady state as possible. The control system also contains the next level of protection, its alarm system, which draws abnormal situations to the operator’s attention with sufficient time to respond before a design constraint is breached. In some cases not all alarms can be managed from the control panel, and an alarm can require local manual intervention by an operator in the field. This can be the result either of local lock-out requirements or of a need for visual confirmation – although with the use of digital cameras, visual confirmation is increasingly performed remotely at sites as well.

The penultimate layer is the “safety system” described above. Such a system automatically shuts down a process that can no longer be controlled within its design constraints (for example, because the rate of change in the process is faster than the system can react), so that the unit is brought safely to a non-operational condition.

This is not ideal, because non-operational means non-revenue producing. To be sure, we have seen numerous cases both on and offshore where a shutdown is much better than a failure that requires not just recovery of production, but also rebuilding of equipment – not to mention the possibility of injury and loss of life. The last resort is mechanical intervention devices such as pressure safety valves that divert the process to flare to relieve the stress on the system.
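As an added worked example (my code, not the article's or the ISA committee's), the following Python carries the LOPA arithmetic of the layers just described, and the on-demand failure probability behind the SIL discussion earlier, through with constructed numbers: it sizes the PFD a safety instrumented function must deliver once the other layers are credited, maps that to an IEC 61508 low-demand SIL band, and shows how the proof-test interval (the maintenance the article stresses) moves the achieved SIL. The band table is from IEC 61508; the simplified single-channel PFDavg formula and every scenario figure (initiating frequency, layer PFDs, tolerable frequency, failure rate) are assumptions for illustration.

```python
# Worked LOPA / SIL arithmetic with constructed numbers (not from the article).
# IEC 61508 low-demand bands: (SIL, lower PFDavg bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_for_pfd(pfd):
    """Map an average probability of failure on demand (PFDavg) to its SIL band.
    Returns 0 when PFDavg >= 0.1 (no SIL credit); values below 1e-5 report as 4."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0


def required_sif_pfd(initiating_freq, ipl_pfds, target_freq):
    """LOPA: the frequency reaching the consequence is the initiating event frequency
    times the PFD of every independent protection layer (IPL). Returns the PFD the
    safety instrumented function must add to meet the tolerable target frequency;
    1.0 means the other layers already suffice."""
    mitigated = initiating_freq
    for pfd in ipl_pfds:
        mitigated *= pfd
    return min(1.0, target_freq / mitigated)


def pfd_avg_1oo1(lambda_du, test_interval_years):
    """Simplified single-channel PFDavg = lambda_DU * TI / 2 (lambda_DU: dangerous
    undetected failure rate per year, TI: proof-test interval in years). Ignores
    repair time, diagnostics and common cause; it only shows the maintenance trend."""
    return lambda_du * test_interval_years / 2.0


def max_test_interval(lambda_du, pfd_target):
    """Longest proof-test interval (years) that still meets pfd_target (same formula)."""
    return 2.0 * pfd_target / lambda_du


def lopa_example():
    """Constructed scenario: BPCS loop fails once per year; IPLs are an alarm with
    operator response (PFD 0.1) and a pressure safety valve (PFD 0.01); tolerable
    frequency 4e-6 per year; SIF final element lambda_DU assumed to be 4e-3 per year."""
    req = required_sif_pfd(1.0, [0.1, 0.01], 4e-6)
    lam = 4e-3
    return {
        "required_pfd": req,
        "required_sil": sil_for_pfd(req),
        "max_test_interval_years": max_test_interval(lam, req),
        # achieved SIL for the same device if proof-tested every 1, 2 or 10 years
        "achieved_sil_by_interval": {t: sil_for_pfd(pfd_avg_1oo1(lam, t)) for t in (1, 2, 10)},
    }
```

Calling `lopa_example()` shows the SIF needing a PFD of 0.004 (SIL 2) and the assumed device only holding that band if proof-tested at least every two years; stretching the interval to ten years drops it to SIL 1.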

As shown, though they are a critical part of the total safety regime in the offshore environment, safety systems are but one part of a safe environment that starts with the right people and the proper mindset. You can never completely design out the “human factor.” However, with proper ongoing risk management practices throughout the lifecycle of the facility, overall high levels of safety can be achieved – and that is the real reason we go through all this effort.

The author

Ian Verhappen, P. Eng., is an ISA Fellow, ISA Certified Automation Professional, and a recognized authority on Foundation Fieldbus and industrial communications technologies. As director of Industrial Automation Networks Inc., Verhappen leads this global consultancy which specializes in field level industrial communications, process analytics and hydrocarbon facility automation.
