Methodology for Identification of Dangerous Combinations of Output States of SIS
Many operations in the process industry and other application sectors carry inherent risk from a range of hazards. A safety-instrumented system (SIS) is installed to prevent a hazard from developing into an accident, or to reduce its consequences. Reliability assessment of SIS has been widely discussed, but identification of dangerous combinations of SIS output states has so far received little attention from industry, even though it is an explicit requirement of IEC 61511 Chapter 10.3. A SIS is normally designed with a local perspective: the designer analyses operational upsets in one part of the process individually, without considering the system-level effect of several local upsets occurring simultaneously in different parts of a large plant. During operation, such combinations of individually safe SIS states can create a new situation that is dangerous. Many accepted hazard identification methods exist, but none is particularly suited to identifying this specific hazard. This report provides background and rationale for the most common hazard identification methods. Its main purpose is to propose a method that fills this gap in current practice and can be applied so that dangerous combinations of SIS output states are identified during process design and captured in the safety requirement specification (SRS). A three-step method is proposed, based on algorithms typically found in modular process flowsheet simulators, qualitative hazard identification and dynamic simulation. The three steps are: Step 1: Carry out a system breakdown. Step 2: Identify dangerous combinations of safety trips. Step 3: Perform dynamic simulations. The analysis rests on a critical assumption about the time-scales of dynamic responses.
A hazard event resulting from simultaneous trips is considered only when the same time-scale is used to determine the leading effects on the process or plant. A stepwise analysis guides the analyst to a confirmed list of dangerous combinations of safety trips. Probability assessment is used to focus the effort on severe scenarios. Dynamic simulation then determines whether a combination violates the design limits of the process or plant from any starting point at which safety trips occur at the same time. An increasing number of subsea wells are being tied in to topside platforms on the Norwegian Continental Shelf (NCS), and many projects require reassessment of the capacity of a previously designed flare header. Evaluation of the effect on the flare header (a system-level perspective) during blowdown is indispensable, even when a depressurisation system (usually part of the SIS) is installed to protect process units and pipelines at the local level. Dynamic modelling plays a critical role in assessing the maximum allowable operating conditions in the flare line. Using the OLGA Dynamic Multiphase Flow Simulator, a case study presents the transient process and compares two scenarios: full blowdown and blowdown (BD) with a time sequence. When an existing flare header cannot be replaced because of a limited project budget, a proper time sequence for opening the blowdown valves (BDVs) is an alternative way to avoid exceeding the capacity of the flare header. The results of the first case study show that the different combinations of tripping BDVs must be evaluated when the time sequence is designed. The second case study is based on a process system consisting of a single CSTR with its cooling system, for which a dynamic model is built in Matlab.
The case study demonstrates the applicability of the proposed three-step method, and the results of the dynamic simulation confirm that simultaneously occurring safety trips can generate a hazard event. This is a valuable outcome for raising industry awareness of this hazard. During process design, identification of dangerous combinations of SIS output states cannot be disregarded.
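To make the three-step method concrete on the flare header case, the following Python script is an added example and not the thesis' own model or its OLGA case study. It breaks a constructed plant into four BDV-protected segments (Step 1), enumerates combinations of simultaneous trips and flags those that exceed a constructed header capacity (Step 2), and uses a deliberately simplified exponential blowdown profile in place of a multiphase simulator as the dynamic check (Step 3). The segment data, the header capacity and the ESD opening sequence are all assumptions, as are the function names.

```python
"""Screening simultaneous blowdown valve (BDV) trips against flare header capacity.

Added illustration of the three-step method (system breakdown, combination
screening, dynamic check) applied to the flare header case. It is NOT the
thesis' own model: blowdown rates are approximated as exponential decays,
where the thesis uses OLGA, and every number below is constructed.
"""
from itertools import combinations
import math

# Step 1: system breakdown. Each process segment is protected by its own BDV.
# Constructed data: peak blowdown rate at BDV opening (kg/s) and decay time
# constant (s). All trips are on the same seconds-to-minutes time-scale, as
# the method assumes.
SEGMENTS = {
    "sep_hp": {"peak_kg_s": 60.0, "tau_s": 300.0},
    "sep_lp": {"peak_kg_s": 25.0, "tau_s": 200.0},
    "compressor": {"peak_kg_s": 45.0, "tau_s": 150.0},
    "pipeline": {"peak_kg_s": 80.0, "tau_s": 900.0},
}
HEADER_CAPACITY_KG_S = 120.0  # constructed design limit of the flare header

# Constructed ESD time sequence (seconds after ESD): the BDVs are staggered
# so that a full blowdown stays within header capacity.
SEQUENCE = {"pipeline": 0.0, "compressor": 300.0, "sep_hp": 600.0, "sep_lp": 900.0}


def blowdown_rate(peak, tau, t_since_open):
    """Mass flow from one segment; zero before its BDV opens."""
    if t_since_open < 0:
        return 0.0
    return peak * math.exp(-t_since_open / tau)


def header_flow(trips, opening_times, t):
    """Total flow into the header at time t from the tripped segments."""
    return sum(
        blowdown_rate(SEGMENTS[s]["peak_kg_s"], SEGMENTS[s]["tau_s"],
                      t - opening_times.get(s, 0.0))
        for s in trips
    )


def peak_header_flow(trips, opening_times=None, horizon_s=1800.0, dt=1.0):
    """Step 3 (simplified dynamic check): peak header flow over the horizon.
    Segments absent from opening_times open at t=0 (simultaneous trip)."""
    opening_times = opening_times or {}
    n_steps = int(horizon_s / dt) + 1
    return max(header_flow(trips, opening_times, k * dt) for k in range(n_steps))


def dangerous_combinations(opening_times=None, max_order=None):
    """Step 2: enumerate combinations of simultaneous trips and keep those whose
    peak flow exceeds header capacity. max_order caps how many simultaneous
    trips are considered, a crude probability screen since higher-order
    coincidences are rarer."""
    names = list(SEGMENTS)
    max_order = max_order or len(names)
    found = []
    for order in range(2, max_order + 1):
        for combo in combinations(names, order):
            peak = peak_header_flow(combo, opening_times)
            if peak > HEADER_CAPACITY_KG_S:
                found.append((combo, round(peak, 1)))
    return found


def with_local_trip(sequence, segment):
    """A local trip opens one segment's BDV at t=0 regardless of the sequence."""
    times = dict(sequence)
    times[segment] = 0.0
    return times


def local_trips_defeating_sequence(sequence):
    """Which single local trip, coinciding with the start of the sequenced
    blowdown of all segments, pushes the header over capacity."""
    everything = list(SEGMENTS)
    return [s for s in SEGMENTS
            if peak_header_flow(everything, with_local_trip(sequence, s))
            > HEADER_CAPACITY_KG_S]


if __name__ == "__main__":
    print("single BDVs within capacity:",
          all(peak_header_flow([s]) <= HEADER_CAPACITY_KG_S for s in SEGMENTS))
    print("dangerous simultaneous combinations:", dangerous_combinations())
    print("full blowdown with sequence, peak kg/s:",
          round(peak_header_flow(list(SEGMENTS), SEQUENCE), 1))
    print("local trips defeating the sequence:",
          local_trips_defeating_sequence(SEQUENCE))
```

Every BDV alone is within capacity, so each local trip is individually safe, yet two pairs and every triple exceed the header when opened together. The staggered sequence keeps a full blowdown under capacity, but a local trip that opens one BDV at the moment the sequence starts can still overload the header, which is the point the first case study makes about evaluating trip combinations while the sequence is being designed.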