Upload
mpica
View
16
Download
1
Embed Size (px)
Citation preview
part of the Aker group
Practical use of ISO 10418
Morten Andresen , Specialist Process EngineerAker Kværner Engineering & Technology
23-Nov-07 Slide 2
© 2006 Aker Kvaerner
part of the Aker group
Introduction
■ Purpose of presentation:
● Give a brief overview of differences between the prescriptive approach outlined in API RP 14C compared to the risk-based approach outlined in ISO 10418 and give a brief summary of risk based methods
● Give a brief summary of how the risk-based approach has been utilised on the Skarv/Idun Project
23-Nov-07 Slide 3
© 2006 Aker Kvaerner
part of the Aker group
API RP 14C vs ISO 10418
■ API RP 14C:• Prescriptive approach, Safety Analysis Tables (SAT) shall be followed
(inconsistent with the risk-based approach of IEC 61511).• Two levels of protection to be provided• Primary and secondary protection shall be independent of and in
addition to, the control devices used in normal operation• The two levels of protection should be provided by functionally different
types of devices• Well established practice in the Offshore Oil & Gas Industry
■ ISO 10418:● Allows compliance with either API RP 14C or risk-based methods in
ISO 17776, ISO 13702 & IEC 61511.● Instrument-based protection as per IEC-61511-1 listed as alternative
solution on secondary protection● Risk based methods included as alternative to use of Safety
Analysis Tables (SAT)● ESS ( Fire & gas system) to meet functional requirements of the fire
and explosion strategy developed per ISO 13702
23-Nov-07 Slide 4
© 2006 Aker Kvaerner
part of the Aker group
Risk based approach – basic philosophy
From ISO 17776
• Step 1: Identification of the hazard=> define cases and frequency
• Step 2: Assessment of the risk=> define consequences and acceptability
• Step 3: Elimination or reduction of the risk => develop functional requirements for instrumented functions
23-Nov-07 Slide 5
© 2006 Aker Kvaerner
part of the Aker group
■ Realistic definition of demand rates for each hazard is of greatimportance, all operating scenarios needs to be fully understood
● Overestimation of demand rates will have an impact on regularity=>Redesign (and/or sack the process engineer)
● Underestimation of demand rates may compromise the overall integrity=>Redesign at a late stage, if error is detected
● Shell survey■ 65% of applications over-engineered■ 25% correct■ 10% were under-engineered
Hazard identification and demand rates (step 1)
23-Nov-07 Slide 6
© 2006 Aker Kvaerner
part of the Aker group
Acceptance Criterias (step 2)Acceptance criteria for an event needs to be defined before integritylevel assessment can start
3x10-4/yearEvent resulting in 1 or more disabling injuriesE
3x10-3/yearEvent resulting in 1 or more lost time injuriesF
3x10-2/yearEvent resulting in 1 or more first aid injuriesG
3x10-5/yearEvent resulting in 1 to 10 fatalitiesD
3x10-6/yearEvent resulting in 10 to 50 fatalitiesC
3x10-7/yearEvent resulting in 50 to 200 fatalitiesB
3x10-8/yearEvent resulting in more than 200 fatalitiesA
TMEL (Target MitigatedEvent Likelihood)
Safety consequenceSeveritylevel
Table above example only, can vary from operator to operator
Operators also have similar matrices for commercial & environmental risk assessment
23-Nov-07 Slide 7
© 2006 Aker Kvaerner
part of the Aker group
■ Eliminate risk or reduce risk as requiredIntegrity level (IL) requirements needs to be defined for each instrumentedfunction, can be done by one of the following methods:
■ QRA (Quantitative Risk Analysis)■ LOPA (Layer of Protection Analysis), semi-quantitative■ Risk matrices■ Risk graphs
Develop functional requirements (step 3)
Challenge: 1. The above mentioned methods may give different IL requirements (Risk
graph and risk matrices will give higher IL than LOPA)2. IL requirements highly dependent on how the Project assume demand
rates and select acceptance criterias
23-Nov-07 Slide 8
© 2006 Aker Kvaerner
part of the Aker group
Case study, overpressure protection of Inlet Separator
Step 1: Hazard identification and demand rates:packed flowline will overpressure separator above test pressure due to maloperation in start-up sequence, flowrate abovedesign capacity of the flare system. Unplanned shutdowns root cause for hazardDemand rates per flowline, unplanned shutdowns:
12 PSDs per year5 ESDs per yearTotal 12 + 5 = 17 per year
Step 2: Consequence : Overpressure of separator resulting in leakage and ignition => 1 to 10 fatalities assumed => acceptance criteria 3x10-5/year
Assumption, based on experience from otherfacilities
Inlet Separator
Inlet Manifold5 flowlinesfrom Subsea
Choking strategy: Subsea choke used to control production,topside choke normally fully open
PSV
To Flare
XVESV
PSHH
23-Nov-07 Slide 9
© 2006 Aker Kvaerner
part of the Aker group
Case study, overpressure protection of Inlet Separator
Inlet Separator
Inlet Manifold
IOPPS2
Step 3: Define functional requirements
Risk reduction required: 17 / 3x10-5 = 567000Instrument functions need to reduce risk such that the acceptance criteria of 3x10-5/year is met
Assumption:Subsea PSD : Successful subsea shutdown will prevent packed flowline, SIL 1 assumed , demand rate 17/10=1.7Topside PSD: PSHH to close 5 XV valves. Assumed to fail 1 out of 10 times (SIL 1), demand rate 1.7/2=0.65IOPPS1: Close 1 XV valve. Assumed to fail 1 out of 100 times (SIL 2), demand rate 0.65/100 = 0.0065 >> 3x10-5 => additional risk
reduction required 0,0065/3e-5=217IOPPS2: Close 1 ESD valve. Assumed to fail 1 out of 100 times (SIL 2), demand rate 0.0065/100 => 0.000065 > 3x10-5 additional risk
reduction required 0,000065/ 3x10-5 = 2,17 => almost there (!) if key assumption can be confirmed
5 flowlinesfrom Subsea
PSV
To Flare
XVESV
PSHH
Is this still valid if topside choking is applied? SIL 1 realistic for subsea PSD?
10000 to 1000000.00001 to 0.0001SIL 4
1000 to 100000.0001 to 0.001SIL 3
100 to 10000.001 to 0.01SIL 2
10 to 1000.01 to 0.1SIL 1
1 to 100.1 to 1SIL 0
Risk ReductionFactor (RRF)
Probability offailure on demandaverage range (PFD avg)
Safety IntegrityLevel (SIL)
IOPPS1
SIL definitions as per IEC 61508:
Key assumption:flow assurance work can confirm realistic valve closing times
Subsea PSD
23-Nov-07 Slide 10
© 2006 Aker Kvaerner
part of the Aker group
Skarv/Idun approach
■ Prescriptive approach as per API RP 14C is the starting point
■ SAT developed and incorporated on P&IDs■ HAZOP performed■ LOPA performed after HAZOP
23-Nov-07 Slide 11
© 2006 Aker Kvaerner
part of the Aker group
Skarv/Idun FEED LOPA
Use of LOPA of SISsfound on P&IDs
HAZID to identifyother SISs
If PFD = 1 If IL 0 If IL 1 If IL 2 If IL 3
Evaluate whetherSIS should be removed or not
yes
no
The SIS can be removed
No further assessmentneeded The SIS not to be removed. No special requirements.
No further assessmentis needed. Some risk reduction is required for the SIS
No further assessmentis needed. IL 1 is required for the SIS
No further assessmentis needed. IL 2 is required for the SIS
Quantitative methodsshould be used
LOPA (Layer of Protection Analysis) was performed on each instrument-based safety function, approach below as per internal Client guidelines
23-Nov-07 Slide 12
© 2006 Aker Kvaerner
part of the Aker group
Skarv/Idun FEED LOPA results
● Most process safety functions were assessed (approx. 150). The functions were included as a result of the prescriptive approach (Safety Analysis Tables)
● Approx. 50% of the process safety functions, had no IL-requirement, implying risk reduction not required and hence SIS-function not required.
● In the majority of cases, commercial or environmental requirements gave the IL-requirement by being more stringent than the safety requirement
● Project has at this stage not yet agreed on whether functions with no IL-requirement shall be removed or not.
● Some functions were deemed to critical for LOPA (IL 3 functions) and were routed to QRA for further assessment (overpressure protection of Separators, overpressure protection of Cargo Tanks, overpressure protection of Flare KO Drums)
23-Nov-07 Slide 13
© 2006 Aker Kvaerner
part of the Aker group
Experience from the Skarv/Idun Project
■ The LOPA method is new to AK process engineers and lack of knowledge to themethodology created a lot of confusion in the beginning
■ LOPA training course was arranged by the Client, and in perspective it has beenrecognised that this was crucial to get the right commitment from the Project Team
■ Quality of LOPA sessions highly dependent on key personnel being present. Severalsessions had to be cancelled/rescheduled due to absence of key personnel
■ Change of personnel during project execution create additional confusion as newproject members not familiar with LOPA method question the work performed at an earlier stage
■ LOPA results identified significant potential for reduction in Instrumented Functions, results inline with Shell survey (65% of applications over-engineered,25% correct, 10% were under-engineered)
23-Nov-07 Slide 14
© 2006 Aker Kvaerner
part of the Aker group
Summary – From a process discipline point of view■ Risk-based approach vs prescriptive approach
● Design of process safety functions more time-consuming if risk-based approach is selected, needs to be taken into account in planning activities at an early stage
● Common understanding on how to apply risk-based approach in design between Contractor and Client is crucial in order to minimise risk in the project execution phase
● Risk-based approach may add risk to the project execution => Disagreements related to methodology, demand rates, acceptance criterias and critical assumptions may introduce changes at a late stage and add risk to the Project
● Care should be taken when including suppliers into these type of activities as cost and schedule impact must be expected
● Performance monitoring and testing of ESS (Fire & Gas) critical, as credit for ESS is main reason for reduction in Instrument-based safety functions.
● Risk based approach will reduce no. of instrumented functions => potential for cost savings in operating phase
● A pragmatic mix of prescriptive and risk-based approaches is recommended
23-Nov-07 Slide 15
© 2006 Aker Kvaerner
part of the Aker group
Copyright
Copyright of all published material including photographs, drawings and images in this document remains vested in Aker Kvaerner and third party contributors as appropriate. Accordingly, neither the whole nor any part of this document shall be reproduced in any form nor used in any manner without express prior permission and applicable acknowledgements. No trademark, copyright or other notice shall be altered or removed from any reproduction.