Management of SIL performance of safety-instrumented systems - Implementation of requirements from design to operation
Abstract
Several serious incidents in the oil industry, and especially the Deepwater Horizon accident, have caused an increasing focus on safety and risk related to oil and gas production. Several standards and guidelines have been produced to try to standardize procedures and follow-up in operation between different operators. The most important standards used on the Norwegian continental shelf are the international standards IEC61508 and IEC61511 as well as the guideline OLF 070 (Norwegian oil and gas application of IEC61508 and IEC61511 in the Norwegian petroleum industry).
One important part of risk management is barrier management. Barriers are used to prevent, detect, control and/or mitigate an undesired event. The barriers are usually divided into three different functions: organizational, operational and technical. This report has focused on the technical barriers, which usually include safety instrumented systems. The standards mentioned above focus primarily on these systems and identify them as crucial parts of processing systems. They are barriers preventing accidents, and are therefore required to have a very high reliability. The Petroleum Safety Authority's management regulations recommend using IEC61508 to fulfill the safety integrity level requirements for components and systems within safety instrumented systems.
IEC61508 and OLF 070 highlight follow-up of safety instrumented systems as an important part of the risk management at the plant. One key aspect of follow-up of safety instrumented systems is proof testing, which is meant to reveal dangerous undetected failures. The test interval (the time between these tests) and the failure rate (the number of dangerous undetected failures during a specific period of operation) form the foundation for the probability of failure on demand, which in turn is the main parameter for evaluating the safety integrity level. Two test interval update methods have been presented in this report. Which of them to use depends on the amount of operational data available for the plant. Example calculations have shown that the outcomes of the two methods are similar when operational data are sufficient. Another parameter presented is β, which represents how strongly the component is affected by common cause failures. The industry has historically focused only on single failures; however, there is an increasing focus on common cause failures.
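The arithmetic that ties the quantities above together (the dangerous undetected failure rate estimated from proof-test records, the test interval, the average probability of failure on demand, the SIL band, and the β common-cause share) can be made concrete with a short worked example. The code below is an added illustration and is not code from the thesis or from the SOFUS tool; it uses the widely known simplified low-demand approximations from IEC 61508 and the PDS method (PFD ≈ λ_DU·τ/2 for a single channel, plus a plain β-factor term for redundant groups). The component population, failure count and required SIL are constructed sample values, not Alvheim data, and the two update methods the report compares are not reproduced here.

```python
"""Worked example (added illustration, not from the thesis or SOFUS):
PFD / test-interval arithmetic for low-demand safety instrumented functions.
Uses the simplified IEC 61508 / PDS approximations; all figures below are
constructed sample data, not field data.
"""
from math import comb


def observed_du_rate(du_failures: int, n_components: int, years: float) -> float:
    """Estimate lambda_DU (per hour) from proof-test records: DU failures
    revealed divided by aggregated component-hours in service.
    Zero failures yields 0.0, which is not a usable estimate; in that case
    an upper confidence bound on the rate should be used instead."""
    hours = n_components * years * 8760.0
    return du_failures / hours


def pfd_avg(lambda_du: float, tau_hours: float, k: int = 1, n: int = 1,
            beta: float = 0.0) -> float:
    """Average PFD of a koon voted group proof-tested every tau_hours.

    Independent part : C(n, m) * ((1-beta) * lambda_DU * tau)^m / (m+1),
                       with m = n-k+1 channels needed to fail
    Common-cause part: beta * lambda_DU * tau / 2  (plain beta-factor model)
    For 1oo1 this collapses to lambda_DU * tau / 2.
    Assumes lambda_DU * tau << 1, no diagnostic coverage and no repair time.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    m = n - k + 1
    independent = comb(n, m) * ((1.0 - beta) * lambda_du * tau_hours) ** m / (m + 1)
    common_cause = beta * lambda_du * tau_hours / 2.0
    return independent + common_cause


def sil_from_pfd(pfd: float) -> int:
    """Map PFD_avg to its IEC 61508 low-demand SIL band (0 = no SIL achieved).
    SIL n requires 10^-(n+1) <= PFD < 10^-n; values below 1e-5 are reported as 4."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def max_test_interval(lambda_du: float, target_sil: int, k: int = 1, n: int = 1,
                      beta: float = 0.0, tau_max_hours: float = 10 * 8760.0) -> float:
    """Longest proof-test interval (hours) keeping PFD_avg inside the target
    SIL band. PFD_avg is monotone in tau, so bisection is sufficient."""
    limit = 10.0 ** (-target_sil)
    lo, hi = 0.0, tau_max_hours
    if pfd_avg(lambda_du, hi, k, n, beta) < limit:
        return hi
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if pfd_avg(lambda_du, mid, k, n, beta) < limit:
            lo = mid
        else:
            hi = mid
    return lo


def follow_up(du_failures: int, n_components: int, years: float,
              tau_hours: float, required_sil: int, beta: float = 0.0) -> dict:
    """Summarise one safety function the way a follow-up tool would:
    achieved SIL at the current interval and the interval needed (if any)."""
    lam = observed_du_rate(du_failures, n_components, years)
    pfd_1oo1 = pfd_avg(lam, tau_hours)
    pfd_1oo2 = pfd_avg(lam, tau_hours, k=1, n=2, beta=beta)
    achieved = sil_from_pfd(pfd_1oo1)
    return {
        "lambda_du_per_hour": lam,
        "pfd_1oo1": pfd_1oo1,
        "sil_1oo1": achieved,
        "pfd_1oo2_with_beta": pfd_1oo2,
        "sil_1oo2_with_beta": sil_from_pfd(pfd_1oo2),
        "tau_hours_for_required_sil": (
            tau_hours if achieved >= required_sil
            else max_test_interval(lam, required_sil)),
    }


if __name__ == "__main__":
    # Constructed sample: 20 valves, 5 years, 3 DU failures found, tested
    # annually, required SIL 2, beta = 0.1 for a hypothetical 1oo2 pairing.
    for key, val in follow_up(3, 20, 5, 8760.0, 2, beta=0.1).items():
        print(f"{key:28s} {val:.4g}")
```

With the constructed numbers the single-channel function lands at PFD 0.015 (SIL 1) on an annual test, and the tool reports that a test interval of about 5840 hours (eight months) is needed to reach SIL 2; this is the "more frequent proof testing" lever the report discusses. The 1oo2 variant reaches SIL 2 at the annual interval, but its PFD is dominated by the β term, which is why the common-cause assessment matters as much as the redundancy itself.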
The Det norske oljeselskap ASA field Alvheim has been used as a case study for establishing improvement proposals for the follow-up of safety instrumented systems at the Ivar Aasen field. Operational data from Alvheim shows that there are several safety functions that do not achieve the required safety integrity level, and most of them could do so by introducing more frequent proof testing. It has also been revealed that very few of the safety instrumented systems have sufficient operational data to conclude on changes in the test intervals based on statistical significance, even after five years of operation. LOPA has been suggested as a method for assessing how other barriers might account for the fact that a safety instrumented system does not reach the requirements. Three out of 10 barrier functions at Alvheim include safety instrumented systems, and the rest of the systems are followed up by regular inspections and maintenance. There is a barrier panel monitoring all the barrier functions and their barrier systems. This panel highlights the barriers where dangerous detected failures are active. It is also recommended to include such a panel for safety functions that do not achieve the required safety integrity level based on the operational data; such an overview would make it easier to pinpoint where to put the focus.
SOFUS has proven to be a good tool for following up the safety functions at Alvheim. It is straightforward to monitor how the probability of failure on demand is influenced by operational data, hence it can be used for follow-up of the safety requirement specification document. The SOFUS tool is partly prepared for taking common cause failures into account, by updating β. The components and numbers of dangerous undetected failures at Alvheim appear to correlate closely with the study done by SINTEF on common cause failures. Therefore it is recommended to carry out an assessment of the vulnerability to common cause failures at Alvheim.
It is recommended to establish a SOFUS tool also for Ivar Aasen. However, as mentioned above, at least five years of operation is probably needed, and is suggested, in order to have statistically significant data for assessment of test intervals and component failure rates. It is also recommended to have one test interval for each component type and to include calculations and suggestions for new test intervals in the tool, based on operational data. The results presented in this report show that it might also be worthwhile incorporating a common cause failure procedure at Ivar Aasen to make sure the possibility of such an event is minimized.