Abstract

This paper shows how to deal properly with "Safety Integrity Levels" (SIL) as per IEC 61508 [1] and 61511 [2] for "High Integrity Protection Systems" (HIPS) which are more and more extensively used in oil industry to replace traditional protection systems. If IEC 61508/511 are rather efficient from an organizational point of view, some difficulties unfortunately exist at definition and calculation levels. The formulae proposed in part 6 of IEC 61508 are, for example, not really tractable for actual industrial systems. This paper describes the probabilistic methods and tools that we have developed in our company to overcome the above difficulties. Three main conventional methods are investigated: "Fault Trees" which, when properly handled, are very efficient for low demand topside HIPS, markovian approach which is interesting but tractable only for very small systems and Monte Carlo simulation on behavioural models (Petri Nets or AltaRica Data Flow formal language) which is efficient in any cases. Results are given on simple examples in order to show the principles of the various approaches. It is interesting to notice that using those approaches is simpler than what is proposed in the standards. Therefore, until the publication of an updated version improving IEC 61508 part 6, it seems better to replace it by sound conventional methods and tools adapted to SIL calculations for production systems. We have began to disseminate this approaches toward our contractors.

Introduction

In the oil industry, the traditional protection systems0 defined in API 14C are more and more often replaced by safety0 instrumented systems: the so-called HIPS (High Integrity Protection Systems). Therefore, according to IEC 61508 and IEC 61511 Standards, their SILs (Safety Integrity Levels) shall be calculated

Unfortunately, when using above standards some difficulties arises [3, 4]. They often remain ignored by those who perform SIL studies and the main ones are the next:

  1. insufficient failure taxonomy and definitions,

  2. tests and maintenance procedures handling,

  3. introduction of the Safe failure Fraction (SFF) which is not a relevant concept,

  4. probability of Failure on Demand (PFD) and

Probability of Failure per Hour (PFH) Calculations. After presenting briefly the 3 first problems, the 4th one will be detailed more in depth to show what we have done to cope with the various SIL assessment problems encountered in the oil industry:

  1. topside HIPS easily tested and maintained,

  2. subsea HIPS difficult to test and maintain,

  3. preventive HIPS.

According to the standards topside and subsea HIPS are so-called "low demand mode" safety instrumented systems (SIS) while preventive HIPS are so-called "continuous" mode SIS. This paper is mainly focused on methods and tools devoted to low demand mode HIPS.

This content is only available via PDF.
You can access this article if you purchase or spend a download.