Case Study: The High-Pressure Separator

To illustrate the complete Functional Safety Lifecycle (IEC 61511 / IEC 61508), this case study follows a realistic scenario from the process industry from hazard identification to operation and testing.

Scenario

An HP Separator receives a mixture of oil and gas from a well. The gas is separated and sent out through a top outlet, while the oil exits through the bottom.

• Process Condition: Operating Pressure is 30 bar; Design Pressure is 45 bar.
• Hazard: If the gas outlet is blocked, pressure will rise rapidly. If it exceeds the vessel's burst pressure, the vessel could rupture, leading to a massive explosion and potential fatalities.

(Place the HP Gas-Oil Separator Line Diagram Here)

Step 1: Hazard and Operability Study (HAZOP)

The team conducts a HAZOP to identify deviations.

• Node: HP Separator Vessel
• Parameter: Pressure
• Deviation: High

Conclusion: The existing safeguards are analyzed to see if they are sufficient. The team decides a Safety Instrumented Function (SIF) is required to automatically shut off the inflow if pressure gets too high.

Step 2: Risk Analysis & SIL Determination (LOPA)

We use Layer of Protection Analysis (LOPA) to determine the required reliability of the new SIF.

A. Establish Criteria

• Corporate Risk Tolerance (Target Frequency): \(1 \times 10^{-5}\) per year (1 in 100,000 years) for a fatality event.

B. Determine Initiating Event (IE) Frequency

• IE: PCV Fails Closed.
• Frequency: Industry data suggests a control loop fails about once every 10 years.

C. Identify Independent Protection Layers (IPLs)

Not all safeguards are IPLs. They must be specific, auditable, independent, and dependable.

1. BPCS Alarm: The operator has 10 minutes to respond. We credit this as an IPL.
   • Probability of Failure on Demand (PFD): \(0.1\) (1 in 10 chance operator fails).
2. Pressure Safety Valve (PSV): The PSV is sized correctly to handle the full flow.
   • PFD: \(0.01\) (1 in 100 chance PSV sticks closed).

D. Calculate the Gap (Required Risk Reduction)

We calculate the frequency of the consequence with existing IPLs but without the new SIF.

The Gap: Our calculated risk is \(10^{-4}\), but our target is \(10^{-5}\). We need to reduce the risk by a factor of 10.

E. SIL Determination

The Risk Reduction Factor (RRF) required is:

Looking at the SIL Table (IEC 61511):

• SIL 1: RRF 10 – 100
• SIL 2: RRF 100 – 1,000
• SIL 3: RRF 1,000 – 10,000

Result: We need a SIL 1 SIF.

Step 3: Safety Requirements Specification (SRS)

The SRS is the "blueprint" for the safety system. It translates the math into engineering requirements.

• SIF Function: "Close Incoming ESD Valve (XZV-101) on High Pressure."
• Trip Point: 40 bar (Above operating pressure, below PSV setpoint).
• Safety Integrity Level: SIL 1 (RRF > 10).
• Safe State: Valve Closed (De-energize to trip).
• Response Time: System must close the valve within 15 seconds (Process Safety Time is calculated as 30 seconds).
• Architecture: 1oo1 (One out of One) is likely sufficient for SIL 1, but 1oo2 might be chosen to avoid spurious trips (nuisance trips).

Step 4: Design & Implementation

The engineering team designs the SIF loop.

Components Selected:

1. Sensor: 1x Pressure Transmitter (PT-101) certified for SIL 2.
2. Logic Solver: Safety PLC (certified SIL 3 capability).
3. Final Element: 1x ESD Ball Valve with Actuator and Solenoid (certified for SIL 2).

SIL Verification (Math Check):

The team calculates the \(PFD_{avg}\) of the total loop (Sensor + Logic + Valve) to ensure it meets the SIL 1 requirement (\(PFD < 0.1\)).

• Sensor PFD: \(1.5 \times 10^{-3}\)
• Logic PFD: \(1.0 \times 10^{-4}\)
• Valve PFD: \(1.2 \times 10^{-2}\)

RRF Achieved:

Conclusion: The design provides an RRF of 73.5, which is well within the SIL 1 range (10–100). The design is approved and installed.

Step 5: Operation & Maintenance (Proof Testing)

Once the plant is running, the safety system must be maintained. If the valve gets stuck due to rust and no one checks it, the RRF drops to zero.

Proof Testing Strategy

The SRS requires a Proof Test Interval of 12 months.

The Test Procedure (Simplified):

1. Bypass: Place the Logic Solver in "Bypass" mode (to prevent shutting down the whole plant accidentally).
2. Sensor Test: Apply a known pressure (using a hand pump) to the transmitter PT-101. Verify the value on the Safety PLC matches.
3. Logic Test: Force the trip signal in the software. Verify the output to the solenoid de-energizes.
4. Final Element (Partial Stroke): Since we cannot stop production, we perform a "Partial Stroke Test" (moving the valve 10%) to ensure it isn't stuck.
5. Full Stroke: During the planned plant shutdown (turnaround), perform a Full Stroke Test (close the valve completely) and measure the closing time (must be < 15s).
6. Restore: Remove bypass and sign off the safety certificate.

Summary of the Lifecycle

1. HAZOP: Found the danger (Overpressure).
2. LOPA: Calculated we needed a risk reduction of 10x.
3. SIL Determination: Classified this as a SIL 1 requirement.
4. SRS: Defined the trip point (40 bar) and timing (<15s).
5. Design: Built a loop with RRF ~73.
6. Operation: We test it annually to ensure it works when needed.