11.07.2015 Views

4 - Kuwait Oil Company


are required. Any irrelevant assumptions or unrealistic hazard event frequency or misjudgment may lead to wrong risk levels as LOPA is a tool which deals with numbers.

Safety Instrumented System (SIS)

A SIS is a system comprising sensors, logic solvers and final control element (actuators) for the purposes of taking a process to a safe state when normal predetermined set points are exceeded, or safe operating conditions are violated. It is mandatory that any protection system (including a SIS) be kept functionally separate from the Basic Process Control System (BPCS) in terms of its ability to operate independent of the state of the BPCS. However, these two systems need some integration at certain levels to have effective plant control and monitoring. The classical shutdown system is being eventually replaced by a safety certified protection system due to the stringent safety regulations and insurance requirements.

Safety Instrumented Function (SIF)

Safety Instrumented Function (SIF) consists of sensors (e.g. transmitters), final control element (e.g. valves) and a logic solver with safety algorithm. The purpose of the SIF is to increase process safety or reduce risk. SIFs are usually implemented in a safety instrumented system (SIS). Each SIF is designed to meet a specific Safety Integrity Level (SIL), which is called the level of reliability.

A SIF with SIL-1 must at least perform nine times out of 10, which provides a risk reduction factor (RRF) of 10 and Probability of Failure on Demand (PFD) of 0.1. A SIL-2 SIF must perform at least 99 times out of 100 and provides RRF as 100 and PFD as 0.01.
Meanwhile, a SIL-3 SIF must perform minimum 999 times out of 1000 providing RRF as 1000 and PFD as 0.001.

The SIL rating of a SIF depends on various factors such as reliability analysis of all loop components, demand frequency, proof test interval, diagnostic coverage, human factors, etc. SIF protects against a single hazard usually on demand, but a SIS implements one or more SIFs, often multiple connectivity between one initiator and several final elements, a final element and several initiators etc. Some SIFs mitigate after the event consequences, like the Fire and Gas system, which reduces escalation.

The design of SIF is initially based on achieving the required safety integrity levels (SIL). In addition to that, the SIF design must also consider the acceptable levels of spurious (or nuisance) trips, which is the likelihood the safety function will activate unnecessarily. Nuisance trip is not yet completely controlled by any methods in SIF design until now; however, methods are available to predict the expected frequency of nuisance trips such as mean time to failure spurious (MTTFS), but not to determine an acceptable level for any particular SIF function. A practical approach is that the safety function should not cause more nuisance trips than true trips.

Probability of Failure on Demand (PFD) and Risk Reduction Factor (RRF)

PFD, probability of failure on demand, is the chance that a specific safeguard will not perform its intended function when required. For example, failure of a shutdown valve to close when an abnormal process hazard arises. If that valve fails to close one time out of 100 times, then the PFD value is 0.01. Devices with smaller PFD values help to reduce risk more than the devices with higher PFD value. The probability of failure on demand depends on its frequency of testing and repair.
The proof test coverage is also a very important factor in maintaining a SIL loop performance compliance. A device which is not proof tested gets larger PFD value as time increases since the failure remains uncorrected.

Using the maximum failure probability is a safe and conservative method in SIL evaluation, but a more realistic method is to use average probability of failure (PFD Avg.) during the entire testing interval. The demand for a safeguard to operate can happen any time during the test interval with equal probability.

Two fundamentally different ways to calculate PFD Avg. are:

1. The unreliability approach, in which an unreliability function is calculated as a function of time interval for a specific mission time usually equal to a "proof test" interval. The average of this function is considered over the entire mission time. PFD avg. is the average value of the unreliability function plotted over the testing period.
2. In another approach, PFD avg. is considered as steady state unavailability. The identical approximation in both cases proves that either method, unreliability averaged or unavailability averaged, may be used to calculate PFD Avg.

The integrity of a SIF is sometimes expressed as the Risk Reduction Factor (RRF).

October - December 2012
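The two PFD Avg. approaches and the effect of proof test coverage, worked through for one single-channel loop as an added example (not part of the original article). It assumes a constant failure rate, the common simplified approximation PFD avg ≈ λ·TI/2 with untested failures staying latent for the whole mission time, and constructed failure rates; the SIL limits are the PFD values 0.1, 0.01 and 0.001 quoted in the article.

```python
import math

# Constructed dangerous-undetected failure rates (per hour), not vendor data.
LOOP = {"transmitter": 3.0e-7, "logic_solver": 5.0e-8, "shutdown_valve": 1.2e-6}
YEAR = 8760.0  # hours

def pfd_avg_exact(lam_du, ti_hours):
    """Unreliability approach: average of F(t) = 1 - exp(-lam*t) over one test interval."""
    x = lam_du * ti_hours
    return 1.0 - (1.0 - math.exp(-x)) / x

def pfd_avg_approx(lam_du, ti_hours):
    """Unavailability approach: failure rate times the mean undetected downtime TI/2."""
    return lam_du * ti_hours / 2.0

def pfd_avg_with_coverage(lam_du, ti_hours, coverage, mission_hours):
    """Failures the proof test cannot reveal stay uncorrected until the mission ends."""
    return (coverage * lam_du * ti_hours / 2.0
            + (1.0 - coverage) * lam_du * mission_hours / 2.0)

def sil_from_pfd(pfd):
    """Highest SIL (1 to 3) whose PFD limit from the article is met; 0 if none is."""
    sil = 0
    for level, limit in ((1, 0.1), (2, 0.01), (3, 0.001)):
        if pfd <= limit:
            sil = level
    return sil

def sif_summary(elements, ti_hours, coverage=1.0, mission_hours=None):
    """Add the element PFD avg values of a sensor/logic/valve loop and rate the SIF."""
    mission_hours = mission_hours or ti_hours
    pfd = sum(pfd_avg_with_coverage(lam, ti_hours, coverage, mission_hours)
              for lam in elements.values())
    return {"pfd_avg": pfd, "rrf": 1.0 / pfd, "sil": sil_from_pfd(pfd)}

if __name__ == "__main__":
    valve = LOOP["shutdown_valve"]
    print("valve, exact vs approx:", pfd_avg_exact(valve, YEAR), pfd_avg_approx(valve, YEAR))
    print("yearly test, full coverage:", sif_summary(LOOP, YEAR))
    print("yearly test, 70% coverage, 15-year mission:",
          sif_summary(LOOP, YEAR, coverage=0.7, mission_hours=15 * YEAR))
```

With these constructed rates the loop meets the SIL-2 limit under a perfect yearly proof test but only the SIL-1 limit once 30% of failures escape the test for 15 years.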
