(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9, No. 9, September 2011

Critical Analysis of Design Criteria and Reliability of Safety Instrumented System (SIS) for Offshore Oil & Gas Production Platforms in India

Rakesh Sethi (1), Manjeet Patterh (2)
(1) Superintending Engineer, ONGC; Research Scholar, Punjabi University, Patiala, India
(2) Director, University College of Engineering, Punjabi University, Patiala, India

This paper observes that there is a growing need in the offshore oil & gas industry to gain insight into the significant aspects and parameters of safety instrumented systems so as to manage the process in a more reliable and safer manner. The diversity of issues and the use of different subsystems demand a multidisciplinary team with expertise in process, instrumentation, control, safety, maintenance, reliability and management to develop the basis for the design, implementation and maintenance of safety instrumented systems, and to successfully establish the design criteria and reliability of safety instrumented systems for offshore oil & gas production platforms in India.

Keywords: Safety Instrumented System, Offshore Oil and Gas

I. INTRODUCTION

As hydrocarbon demand continues to rise, oil and gas companies are forced to explore and exploit at increased water depths, in harsher environments, and to handle fluids at higher pressures and temperatures. Offshore process, well-head flow lines, risers, sub-sea pipelines and plant structures are increasing in complexity, warranting more reliable and effective methods of risk assessment and mitigation techniques at the minimum possible cost. As a part of their overall risk management policy, E&P (Exploration and Production) companies use a variety of safeguards or protection layers to reduce the risk to the tolerable level.

These protection layers are devices, systems or actions that are capable of preventing a scenario from proceeding to an undesired consequence, e.g. inherently safe design features, physical protection such as relief devices, post-release physical protection such as fire suppression systems, plant & community emergency response plans, the Basic Process Control System (BPCS) and the Safety Instrumented System (SIS). Safety Instrumented Systems are probably one of the most important risk reduction and mitigation measures.

A Safety Instrumented System (SIS) is a highly reliable system of interconnected sensors, final elements and logic meant to fulfill the intended safeguarding functions of the concerned process. The purpose of the SIS is to take the process to a safe state when predetermined conditions are violated, such as set points for pressure, temperature or any other process parameter. It consists of the instrumentation or controls that are installed for the purpose of identification and mitigation of process hazards.

[Figure: block diagram showing User Interface, Basic Process Control System, Sensors, Logic and Final Elements]
Fig: Definition of Safety Instrumented System

To maintain a safe state of the process, safety instrumented functions are implemented in the SIS, and each safety instrumented function is assigned a target safety integrity level (SIL).

SIL is a measure of system reliability in terms of the probability of failure of the SIS on demand [1]. It is a way to indicate the tolerable failure rate of a particular safety function or, in other words, the level of performance needed to achieve the user's process safety objective. Worldwide, within the regulatory framework of the country and self-defined acceptable risk criteria, companies use various methodologies to determine the target SIL for the safety instrumented functions of an SIS. Methodologies used for determining SIL include, but are not limited to, modified HAZOP (Hazard & Operability), risk graph, risk matrix, safety layer matrix, layer of protection analysis (LOPA), fault tree analysis (FTA) and Markov analysis.

The following table shows the relationship between average probability of failure on demand (PFDavg), availability of the safety system, risk reduction and the SIL levels [2].
ISSN 1947-5500

Safety Integrity Level (SIL)   Availability          PFDavg             Risk Reduction
4                              0.9999 to 0.99999     10^-4 to 10^-5     10^4 to 10^5
3                              0.9990 to 0.99990     10^-3 to 10^-4     10^3 to 10^4
2                              0.9900 to 0.99900     10^-2 to 10^-3     10^2 to 10^3
1                              0.9000 to 0.99000     10^-1 to 10^-2     10^1 to 10^2

Safety integrity level (SIL) can be considered as a statistical representation of the reliability and availability of a safety instrumented system (SIS) at the time of process demand, and the design of the SIS plays a major role in it.

II. SIS DESIGN CONSIDERATIONS

Old offshore oil & gas installations in India are designed on the basis of recommended practices mentioned in API RP14C [3], API RP14G [4] and API 14J [5]. When these recommended practices were developed, safety systems were pneumatic or relay based and offshore processes were relatively simple. Time has changed, and so has our need for the right tools. The present requirement is programmable logic controllers with more and more complex logic, and standards like IEC 61511 or ANSI ISA S-84 are more relevant for offshore safety instrumentation. Recommended practices like RP14C were conceived to lower risk associated with personal injury only. They were created to address "dangerous" failures and are not concerned with "safe" failures because they don't lead to personnel injury. Present day safety systems are more integrated with the overall risk management of the companies. They are created to minimize dangerous failures, but they also recognize that some safe failures (nuisance trips) are responsible for unnecessary downtime and revenue loss. This increases safety as well as profitability but also calls for "measurable" performance levels for a safety system and provides requirements for evaluating the performance of a safety system. The ability to establish measurable performance levels allows risk to be lowered to an acceptable level [6].

Design of an SIS starts with the Safety Life Cycle, which covers all the SIS activities, right from initial conception to decommissioning, such as:

    •   Performing conceptual process design
    •   Performing Process Hazard Analysis & Risk Assessment
    •   Defining non-SIS protection layers
    •   Defining the need for an SIS
    •   Determining required Safety Integrity Level

ISA and IEC standards are based on the concept of the safety life cycle, though there may be points where iterations are necessary.

The following are some of the design considerations, a combination of which is used to meet the desired SIL of an SIS [7].

A. Separation – Identical or Diverse

Separation between BPCS and SIS functions reduces the probability that both control and safety functions become unavailable at the same time, or that inadvertent changes affect the safety functions of the SIS. Therefore, it is generally necessary to provide separation between the BPCS and SIS functions.

Separation between the SIS and BPCS may be identical or diverse. Identical separation would mean using the same technology for both the BPCS and SIS, whereas diverse separation would mean using different technologies from the same or a different manufacturer.

Compared with identical separation, which helps against random failures, diverse separation offers the additional benefit of reducing the probability of systematic faults and of reducing common cause failures.

Identical separation between the SIS and BPCS may have some advantages in design and maintenance because it reduces the likelihood of maintenance errors. This is particularly the case if diverse components are to be selected which have not been used before within the user's organization.

The following are the areas where separation between SIS and BPCS is needed to meet the safety functionality and safety integrity requirements:

    •   Field sensors
    •   Final control elements
    •   Logic solver
    •   Wiring
    •   Communications between BPCS and SIS

Identical separation between SIS and BPCS is generally acceptable for SIL1 and SIL2 applications, although the sources and effects of common cause failures should be considered and their likelihood reduced. For SIL3 safety instrumented functions, diverse separation is typically used to meet the required safety integrity.

On de-energize to trip systems, it is generally not necessary to separate the signals between the BPCS and SIS field instruments. This means the signal wires may be shared in a common multi-conductor cable and terminated in a common terminal box. Only for SIL1 applications is the use of a single sensor/control valve allowed, provided the safety integrity requirements are met.

There may be special cases where it is not possible to provide separation between BPCS and SIS (e.g., a gas turbine control system includes both control and safety functions). Additional
considerations are required when combining control and safety functions in the same device, e.g.:

    •   Evaluation of the failure of common components and software and their impact on SIS performance.
    •   Limiting access to the programming or configuration functions of the system.

B. Redundancy – Identical or Diverse

Redundancy can be applied to provide enhanced safety integrity or improved fault tolerance. The designer should determine the redundancy requirements that achieve the SIL and reliability requirements for all components of the SIS including sensors, logic solver and final control elements. It is applicable to both hardware and software. Diverse redundancy uses different technology, design, manufacture, software, firmware etc. to reduce the influence of common cause faults. Diverse technology should be used if it is required to meet the SIL. Diverse technology should not be used where its application can result in the use of lower reliability components that will not meet system reliability requirements. Some of the measures that can be used to achieve diverse redundancy are as follows:

    •   The use of different measurement technologies of the same variable (e.g. displacer and differential pressure level transmitter)
    •   The use of different measurements (e.g. pressure and temperature) when there is a known relationship between them
    •   The use of geographic diversity (e.g. alternate routes for redundant communications media)
    •   The use of different types of PES for each channel of redundant architecture

C. Architecture

Selection of the SIS architecture is an activity performed during the conceptual design step of the safety life cycle. The architecture has a major impact on the overall safety integrity and reliability of the SIS. Some of the activities involved in determining the SIS architecture are as follows:

    •   Selection of energize to trip or de-energize to trip design
    •   Selection of redundancy for power sources and SIS power supplies
    •   Selection of operator interface components (e.g. CRT, alarm annunciator, push-buttons) and their method of interconnection to the SIS
    •   Selection of data communication interface between SIS and other subsystems (e.g. BPCS) and their method of communication (e.g. read only or read/write)

Let us take an example. To meet the SIL3 requirements, an SIS may include two separate and diverse 1oo1 (1 out of 1) arrangements, each with their own sensor, logic solver and final control element. The 1oo1 arrangements would be connected in a 1oo2 voting scheme. Diverse separation, redundancy and exhaustive diagnostic capabilities are considered significant aspects of SIL3 systems.

D. SIS Management of Change (MOC)

The objective is to ensure that the MOC requirements are addressed in any changes made to an operating SIS. It requires a written procedure, which shall be in place to initiate, document, review, approve and implement any changes to an operating SIS. The MOC procedure shall ensure that the following considerations are addressed prior to any change:

    •   The technical basis and impact of proposed change on safety and health
    •   Authorization requirements for the proposed change
    •   Availability of memory space and effect on response time
    •   On-line versus off-line change
    •   Modification of operating procedures

Safety integrity level is also affected by the following parameters:

    •   Device integrity (i.e. failure rate and failure mode)
    •   Functional testing interval (i.e. at a specific time interval, testing is performed to determine that the device can achieve the failsafe condition)
    •   Diagnostic coverage (i.e. automatic, on-line testing of various failure modes of a device)

III. ROLE OF QUANTITATIVE RELIABILITY ANALYSIS

Terms such as safety, reliability and availability are in a certain way connected with each other. In fact, various techniques that are applied in the field of reliability engineering are also applied for the determination of safety integrity levels. To prevent abnormal operating conditions from developing into an accident, high reliability of the SIS is very important. Reliability and availability of the SIS is linked to the estimation and evaluation of failure rates, failure modes and common cause failures of its components. Quantitative reliability analysis of safety instrumented systems represents a systematic tool for design optimization so as to strike a balance of safety, production, availability and cost. To perform the reliability calculations and to quantify the results, reliability data related to SIS subsystems is required. There are many sources of the required reliability data, e.g. end user (E&P companies) maintenance records, documented reliability studies, manufacturer data and publicly available data like OREDA (Offshore Reliability Database) or WOAD (Worldwide Offshore Accident Database), which are used for SIL determination and SIS design. Although generic data
represent the broad spectrum of failure modes/failure rates across industry, their suitability and relevance for the Indian offshore industry need to be investigated, e.g.:

Do shelf-state failure data from the vendors, which are based on laboratory testing on predictive failure models, include the impact of the process environment?

Are failure data from valves used in the North Sea representative for valves on the Mumbai High offshore installation?

Are Indian offshore operation and maintenance practices, which have a direct impact on failure rates and failure modes, comparable with the operation and maintenance practices of Norway?

Several such issues associated with generic as well as vendor data, when used for safety instrumented systems for the Indian offshore oil & gas industry, need to be answered by developing company specific failure data from all the offshore operating companies and integrating them in one common database [8].

A. Approach To Reliability Analysis

Some of the steps used to perform the reliability analysis of a typical Safety Instrumented System are as follows [9]:

1) Development of methodology for performing Safety Integrity Level (SIL) determination:

Within the regulatory framework of the country and self-defined acceptable risk criteria, companies use various methodologies to determine the target safety integrity level (SIL) of safety instrumented functions of a safety instrumented system (SIS). Based on present regulatory requirements in India for offshore operations and the resources committed by the company for risk management, the best suited methodology should be developed for SIL determination for the target offshore installation of the present study. Current standards, regulatory guidelines, design, operational & maintenance practices of safety instrumented systems (SIS) for production platforms operating in Indian offshore should be scrutinized to gain a clear understanding of the current status. Previous SIL & reliability studies and safety audits carried out by the organizations should be reviewed and their findings should be critically analyzed. To record and measure the opinions of industry experts, questionnaires should be prepared along with interviews with corporate QHSE representatives, plant instrument engineers, design engineers and technical experts from suppliers of SIS components.

2) Development of methodology for collection and compilation of company specific failure frequency database:

Available failure frequency databases like OREDA (Offshore Reliability Database), which are used presently for SIL determination and SIS design, are generic in nature with almost negligible contribution from the Indian offshore industry. Vendor supplied failure data is also uncertain, as the failure modes/failure rates of components of the SIS depend to a large extent upon the company policies and actual process conditions [10]. A methodology should be developed for collection and compilation of a company specific failure frequency database from offshore installations. To develop the company specific failure frequency database, a format should be designed to collect the data from the offshore installation. Visits to offshore installations should be planned to collect archival records and the history of operating safety instrumented systems. The format may have the provision to collect random failures, systematic failures, common cause failures, dangerous as well as safe failures, and spurious trip failures. Vendor supplied failure data, along with data related to diagnostic coverage and functional testing intervals, should also be collected and compared with site specific data.

3) Calculation of reliability in terms of probability of failure on demand (PFD)

Reliability of the various safety instrumented functions of a safety instrumented system (SIS) is established in terms of the average probability of failure of the SIS on demand (PFDavg). PFDavg is calculated for each safety instrumented function of the SIS using company specific failure data after applying suitable correction factors. Calculated values of reliability of safety instrumented functions should be used to verify the safety and reliability requirements of the offshore installation.

4) Study the factors affecting the result of reliability of target Safety Instrumented System (SIS)

Factors causing under-protection or over-protection of safety instrumented functions of the target safety instrumented system (SIS) should be critically investigated after studying the existing design, implementation, operational and maintenance practices of the target SIS. Based on the reliability evaluation of the safety instrumented system and analysis of the factors affecting it, specific recommendations should be brought forward to improve the reliability and overall performance of the safety instrumented system of the offshore oil & gas installation.

IV. CONCLUSION

It is currently observed that there is a growing need in the offshore oil & gas industry to gain insight into the significant aspects and parameters of safety instrumented systems so as to manage the process in a more reliable and safer manner. Indian Exploration & Production (E&P) companies are currently struggling with uncertainty in the reliability of safety instrumented systems due to a number of problems related to design, implementation, operation and maintenance of safety instrumented systems. A systematic quantitative reliability analysis can address, evaluate and resolve these issues, which shall help the Indian E&P companies in more effective risk management of their offshore operations. This shall not only result in increased safety but also help the
company to be more productive and effective in operational and maintenance practices, thus minimizing process downtime to the extent possible. The diversity of issues and the use of different subsystems demand a multidisciplinary team with expertise in process, instrumentation, control, safety, maintenance, reliability and management to develop the basis for the design, implementation, maintenance and finally the periodic quantitative reliability assessment of an SIS capable of achieving the SIL requirements of high risk offshore oil and gas platforms.

REFERENCES

    [1] ANSI/ISA-ISA 84.01-1996, ISA, Research Triangle Park, NC (1996): Application of Safety Instrumented Systems for the Process Industries.

    [2] International Electrotechnical Commission (IEC), Geneva (2003): IEC 61511: Functional Safety – safety instrumented systems for the process industry

    [3] API (American Petroleum Institute) Recommended Practice (RP) 14C: Analysis, Design, Installation and Testing of Basic Surface Safety Systems on Offshore Production Platforms.

    [4] API (American Petroleum Institute) Recommended Practice (RP) 14G: Recommended Practice for Fire Prevention and Control on Open Type Offshore Production Platforms.

    [5] API (American Petroleum Institute) Recommended Practice (RP) 14J: Recommended Practice for Design and Hazard Analysis for Offshore Production

    [6] Wayne Ruschel, “The Future of Offshore Instrumented System,” EDG Engineering, 2005 OREDA (1992).

    [7] Rakesh Sethi, “Critical evaluation of selection criteria for safety instrumented system at offshore oil and gas offshore platforms,” HSE Conference-2006, IPSHEM, 2006

    [8] IEOT/RRE/2006-07(2006): HAZID/HAZOP studies in offshore/onshore construction.

    [9] Rakesh Sethi, “Evaluation of reliability of safety instrumented system for risk management of offshore oil & gas production platforms in India.” Punjabi University, Patiala, 2007

    [10] Wang Y, West H.H, Mannan M.S., “The impact of Data Uncertainty in determining Safety Integrity Level,” Process Safety and Environmental Protection, 82: 393-397, 2004
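
Added example, not part of the paper: the PFDavg calculation named in step 3 of Section III.A, applied to the SIL3 case of Section II.C (two channels voted 1oo2) and banded with the SIL table from reference [2]. The formulas are the widely used simplified approximations with a beta-factor common cause term, not the authors' own method; every failure rate, diagnostic coverage and beta value below is constructed for illustration.

```python
"""Simplified PFDavg estimate for one safety instrumented function (SIF).

Assumptions (not from the paper): constant failure rates, repair time
ignored, both 1oo2 channels share the same failure rate, beta-factor
common cause model. All device data below are constructed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760

# PFDavg bands per SIL from the paper's table: lower <= PFDavg < upper.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass(frozen=True)
class Device:
    name: str
    lambda_d: float  # dangerous failure rate, per hour (device integrity)
    dc: float        # diagnostic coverage: fraction detected on-line

    def lambda_du(self) -> float:
        """Dangerous undetected rate: failures found only by the functional test."""
        if self.lambda_d < 0 or not 0.0 <= self.dc <= 1.0:
            raise ValueError(f"{self.name}: invalid failure rate or coverage")
        return self.lambda_d * (1.0 - self.dc)


def channel_lambda_du(devices) -> float:
    """Sensor, logic solver and final element act in series, so rates add."""
    return sum(d.lambda_du() for d in devices)


def pfd_1oo1(lam_du: float, test_interval_h: float) -> float:
    """Single channel: on average a hidden failure waits half a test interval."""
    return lam_du * test_interval_h / 2.0


def pfd_1oo2(lam_du: float, test_interval_h: float, beta: float) -> float:
    """Two channels, either one can trip; beta is the common cause fraction."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be between 0 and 1")
    x = lam_du * test_interval_h
    independent = ((1.0 - beta) * x) ** 2 / 3.0  # both channels fail separately
    common_cause = beta * x / 2.0                # one cause defeats both channels
    return independent + common_cause


def sil_for(pfd_avg: float) -> int:
    """SIL band for a PFDavg; 0 means worse than SIL1, capped at SIL4."""
    if pfd_avg < 1e-5:
        return 4
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return 0


# Constructed channel: one sensor, one logic solver, one final element.
CHANNEL = [
    Device("pressure transmitter", lambda_d=2e-6, dc=0.60),
    Device("logic solver", lambda_d=1e-6, dc=0.90),
    Device("shutdown valve", lambda_d=4e-6, dc=0.25),
]


def compare_designs(devices, test_interval_h):
    """Return {design: (PFDavg, SIL)} for three architectures.

    beta=0.10 stands in for identical channels and beta=0.02 for diverse
    channels; both values are assumptions chosen for illustration.
    """
    lam = channel_lambda_du(devices)
    pfds = {
        "1oo1": pfd_1oo1(lam, test_interval_h),
        "1oo2_identical": pfd_1oo2(lam, test_interval_h, beta=0.10),
        "1oo2_diverse": pfd_1oo2(lam, test_interval_h, beta=0.02),
    }
    return {name: (pfd, sil_for(pfd)) for name, pfd in pfds.items()}


if __name__ == "__main__":
    for interval in (HOURS_PER_YEAR, HOURS_PER_YEAR // 2):
        print(f"functional test every {interval} h")
        for name, (pfd, sil) in compare_designs(CHANNEL, interval).items():
            print(f"  {name:15s} PFDavg={pfd:.3e}  SIL{sil}")
```

With these constructed inputs the common cause term dominates the 1oo2 result, which is why lowering beta through diversity moves the band more than the redundancy alone.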
