The energy industry has taken steps to try to improve its safety record but too often it falls short.
Much could be written about functional safety, and indeed we plan to publish a briefing paper on this in the near future, but essentially it seeks to make sure a process is executed while risks are minimised. Functional safety monitors a process and, when it drifts towards a hazardous condition, acts to bring it back to a safe state.
The Piper Alpha disaster of 1988 made people think about the importance of never having such a disaster again. The Buncefield storage explosion, in 2005, made it clear that this is an ongoing concern.
Take, for example, a storage tank being filled. The liquid can only rise to a certain level in the tank before it becomes unsafe. When the tank starts to become too full, an alarm might sound. Should it continue to fill, a high-level alarm and trip will kick in to stop the filling. This exact type of failure actually occurred at the Texas City Refinery in 2005.
The idea is to reduce risks to ALARP – “as low as reasonably practicable”. In the example of the tank filling, a demand on the system intervening to stop the flow might only come once a year, or once in 100 years. The temptation might be to require the highest possible safety rating in all systems.
However, over-engineering safety systems is time-consuming and can divert limited resources and waste money. If you had an infinite amount of capital, you could remove any risk.
Working within the limits of reality, ALARP allows engineers to determine what is a practical risk reduction for any system based on the consequences of failure.
Better, then, to differentiate between processes according to how critical they are. At the highest end is a function that might be required to prevent a nuclear meltdown; at the lowest end is a simple trip function to protect a piece of equipment.
The world of functional safety classifies the level of reliability in Safety Instrumented Systems to protect against these risks into safety integrity levels (SILs).
The SIL rating as per IEC 61508 grades risk reduction from 1 to 4 (SIL 1 to SIL 4), with anything not requiring a specific reduction categorised as no specific reliability (sometimes referred to as SIL-0 or SIL-a). The higher the SIL, the lower the allowable probability of dangerous failure on demand; the highest levels are reserved for the highest-risk systems. Safety functions for most oil and gas processes are SIL 1 or 2, with the occasional SIL 3.
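As an added worked example (not from the article or from Katoni), the IEC 61508 low-demand PFDavg bands applied to the tank high-level trip described above: the required risk reduction is derived from a demand rate and a tolerable event rate, and a candidate single-channel trip is checked against it using the simplified PFDavg = λ_DU × T / 2 relation from IEC 61508-6. All numeric inputs (tolerable frequency, failure rates, proof-test interval) are constructed for illustration.

```python
"""Low-demand SIL assessment for a tank high-level trip (IEC 61508 bands)."""

# IEC 61508-1 low-demand-mode bands as (SIL, lower PFDavg bound, upper bound):
# the lower bound is inclusive, the upper exclusive.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd_avg):
    """Map an average probability of failure on demand to its SIL band.
    Returns 0 for PFDavg of 0.1 or more (no specific reliability, "SIL-0/SIL-a").
    A PFDavg below 1e-5 is beyond SIL 4 and cannot be claimed by one function."""
    if pfd_avg < SIL_BANDS[0][1]:
        raise ValueError("PFDavg below the SIL 4 band; not claimable by one SIF")
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return 0


def pfd_1oo1(lambda_du_per_hour, proof_test_interval_hours):
    """Simplified single-channel (1oo1) PFDavg from IEC 61508-6:
    dangerous-undetected failure rate times half the proof-test interval."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def assess_sif(demand_rate_per_year, tolerable_rate_per_year,
               lambda_du_per_hour, proof_test_interval_hours):
    """Derive the required risk reduction and check a candidate trip against it."""
    rrf = demand_rate_per_year / tolerable_rate_per_year   # risk reduction factor
    target_pfd = 1.0 / rrf
    achieved_pfd = pfd_1oo1(lambda_du_per_hour, proof_test_interval_hours)
    return {
        "rrf": rrf,
        "required_sil": sil_from_pfd(target_pfd),
        "target_pfd": target_pfd,
        "achieved_pfd": achieved_pfd,
        "achieved_sil": sil_from_pfd(achieved_pfd),
        # Landing in the right SIL band is not enough: the specific PFD target must be met.
        "meets_target": achieved_pfd <= target_pfd,
    }


if __name__ == "__main__":
    # Constructed figures: one overfill demand a year (as in the article), a tolerable
    # overfill frequency of 2e-3 per year, and an annual proof test (8760 h).
    for lambda_du in (2e-6, 4e-7):   # constructed dangerous-undetected failure rates, per hour
        result = assess_sif(1.0, 2e-3, lambda_du, 8760)
        print(f"lambda_DU={lambda_du:g}/h -> required SIL {result['required_sil']}, "
              f"achieved PFDavg {result['achieved_pfd']:.2e} (SIL {result['achieved_sil']}), "
              f"meets target: {result['meets_target']}")
```

Both candidate trips fall in the SIL 2 band, but only the more reliable component meets the derived PFD target with an annual proof test; the alternative is to test the weaker one more often, which is exactly the cost trade-off ALARP asks engineers to weigh.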
Those risks defined at the beginning of the process must be clear to an independent reader, rather than understood only through the inner workings of one company – or one person.
Explanations and deductions must be recorded in order to allow future readers to understand how decisions were taken.
The operator must be able to replicate this diagnosis later on. If the reasoning is unclear, then decisions about how to mitigate and maintain the remedy become hopeless.
The challenge is to correctly identify the hazard, the consequence of the hazard and what a safety system needs to do to protect, in addition to assessing how reliable that safety system needs to be. Functional safety must look at the whole life cycle of the asset.
While the UK takes a slightly ad hoc approach to this, Norway’s Guideline 070 is far more centralised, defining the appropriate SIL for every instance. Such a rules-based approach can be overly prescriptive but it does have the benefit of creating a clearer set of directions for operators and engineers.
Problems at the start of the process can have a significant impact on operators. Decisions taken early on must also be able to stand up to later verification. Part of this difficulty lies with the standards themselves, which are not written to be understood by all and can be interpreted in different ways.
Defining the risk early on can lead to unexpected benefits. Accurately judging risks may allow an operator to use a lower-SIL safety function – one that is simpler and cheaper to implement and maintain. Putting in that initial investment of time and money should lead to savings later on.
Decisions on functional safety involve engineers from a range of different disciplines, in addition to commissioning and operations personnel. This diverse cast of characters runs the risk of obscuring who is responsible for what.
Get closer to Katoni’s experts, and dig even deeper into functional safety, on the Energy Voice Out Loud podcast.