Safety Integrity Level (SIL) analysis is typically used in high-risk sectors (e.g. energy, transportation) to quantify the contribution that specific safety measures make to safety. Although the risks associated with a failure in an offshore wind turbine are quite different from those in, for example, a nuclear power plant, the sector has some significant hazards of its own.
Wind farms do not need a permanent crew on board to run their systems. However, given the challenges posed by the offshore environment, it is worth considering how SIL could be applied, and we hope this example stimulates some discussion about how techniques like SIL can be used in emerging sectors such as offshore wind.
Scenario
A wind turbine manufacturer aims to design a safety system to protect the turbine from extreme wind speeds and mechanical failures. We’ll look at how SIL (Safety Integrity Level) can be used to reduce risk and improve the integrity of the final design. Here are our recommended stages:
Hazard Identification and Risk Assessment:
- Identify potential hazards such as extreme wind speeds, structural failures, electrical faults and fire. Probabilistic Risk Assessment (PRA) is a good technique to apply here because it gives the risk assessment a quantitative basis, allowing a more accurate evaluation of safety risks.
- Assess the severity of potential consequences, considering factors like human injury, environmental impact, and equipment damage.
- Determine the frequency of occurrence for each hazard.
LOPA Analysis:
- Identify existing safeguards: Physical barriers, administrative controls, and safety instrumented systems (SIS).
- Assess the effectiveness of each safeguard, considering factors like reliability, maintainability, and fault tolerance.
- Determine the required SIL for each safety function, for example:
  - Emergency Braking System (SIL 3): Rapidly stops the turbine blades in case of excessive wind speeds or mechanical failures.
  - Pitch Control System (SIL 2): Adjusts the pitch angle of the blades to regulate power output and reduce loads on the turbine.
  - Wind Speed and Direction Sensor (SIL 2): Provides accurate and reliable measurements of wind conditions.
  - Gearbox Monitoring System (SIL 2): Monitors gearbox health to prevent catastrophic failures.
  - Main Bearing Monitoring System (SIL 2): Monitors bearing health to prevent catastrophic failures.
  - Blade Protection System (SIL 2): Detects blade damage and initiates appropriate actions.
  - Generator Protection System (SIL 2): Protects the generator from overcurrent, overvoltage, and other electrical faults.
  - Grid Connection Protection System (SIL 2): Ensures safe and reliable connection to the power grid.
  - Fire Detection and Suppression System (SIL 2): Detects and suppresses fires in the nacelle or transformer.
  - Redundant Control Systems (SIL 2): Provides backup control functionality in case of primary system failures.
  - Software Fault Tolerance (SIL 2): Implements software techniques to mitigate the risk of software errors.
  - Cybersecurity Measures (SIL 2): Protects the control system from cyberattacks and unauthorised access.
- Use FTA (Fault Tree Analysis) to identify potential failure modes and their causes for each safety function. FTA exposes weak points in the system, so the manufacturer can take proactive measures to improve reliability, and it identifies the critical components and subsystems that contribute to overall system failure.
- Use PRA to quantify the probability of these failures and their impact on system performance.
Safety Instrumented System (SIS) Design and Implementation:
- Component Selection: Choose components with appropriate safety integrity levels, considering factors like reliability, maintainability, and fault tolerance.
- Redundancy and Diversity: Implement redundancy and diversity techniques to reduce the probability of common-mode failures.
- Architectural Constraints: Factor in limitations like physical space, environmental conditions, and power supply constraints.
- Component Failure Rates: Determine the failure rates of individual components, such as sensors, actuators, and controllers.
- Human Error: Consider the potential for human error in system operation and maintenance.
- Common Cause Failures: Account for the possibility of multiple components failing simultaneously due to a common cause, such as power supply failure or environmental factors.
SIL Verification:
- PFD Calculation: the Probability of Failure on Demand (PFD) is the probability that a safety function will fail to operate when a demand is placed on it.
- Use FTA to identify the ‘minimal cut sets’, the combinations of component failures that can lead to system failure.
- Calculate the Probability of Failure on Demand (PFD) for each SIF component, considering factors like hardware failure rates, software reliability, and human error.
- Compare PFD to Target SIL: Ensure the calculated PFD meets the target SIL level.
- Redundancy and Diversity: Use redundancy and diversity techniques to improve the reliability of the SIF and reduce the PFD, applying PRA to evaluate the effectiveness of proposed techniques.
- Maintenance and Testing: Consider the impact of maintenance and testing on the SIF’s reliability. Implement effective maintenance strategies and test procedures to minimise downtime and maintain safety integrity.
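As an added example (not from the original article or from Pisys), here is how the minimal-cut-set and PFD steps above can be carried out for the emergency braking function: the fault tree, failure rates and proof-test interval are constructed assumptions, and the PFD formula is the simplified IEC 61508-6 single-channel estimate.

```python
from itertools import product
from math import prod
# Low-demand-mode SIL bands by PFDavg (IEC 61508-1, Table 2); below 1e-5 is still SIL 4.
SIL_BANDS = [(4, 0.0, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Constructed figures for illustration only: dangerous undetected failure rate
# per hour for each basic event, and an annual proof-test interval in hours.
PROOF_TEST_INTERVAL_H = 8760.0
LAMBDA_DU = {"anemometer_A": 2e-6, "anemometer_B": 2e-6, "anemometer_CCF": 2e-7,
             "logic_solver": 5e-8, "brake_actuator": 1e-7}

# Assumed fault tree for the emergency-braking SIF: it fails if both anemometers
# fail, or they fail from a common cause, or the logic solver or brake actuator
# fails. A node is a basic-event name or a tuple ('AND' | 'OR', *children).
BRAKING_SIF = ("OR", ("OR", ("AND", "anemometer_A", "anemometer_B"), "anemometer_CCF"),
               "logic_solver", "brake_actuator")

def pfd_avg_1oo1(lambda_du_per_h, proof_test_interval_h):
    """Simplified IEC 61508-6 estimate for a single channel: lambda_DU * T / 2."""
    return lambda_du_per_h * proof_test_interval_h / 2

def minimal_cut_sets(node):
    """Return the minimal combinations of basic events whose joint failure fails `node`."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":      # any one child's cut set fails the gate
        cuts = {cut for sets in child_sets for cut in sets}
    elif gate == "AND":   # one cut set from every child must occur together
        cuts = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Keep only minimal sets: drop any cut that strictly contains another cut.
    return [cut for cut in cuts if not any(other < cut for other in cuts)]

def top_event_pfd(node, basic_pfd):
    """Rare-event approximation: sum over minimal cut sets of the product of event PFDs."""
    return sum(prod(basic_pfd[event] for event in cut) for cut in minimal_cut_sets(node))
def sil_achieved(pfd):
    """Map a PFDavg to the SIL band it meets (0 = does not reach SIL 1)."""
    return next((sil for sil, low, high in SIL_BANDS if low <= pfd < high), 0)

def verify_braking_sif(target_sil=3):
    """PFDavg of the SIF, the SIL it achieves, and whether it meets the target SIL."""
    basic_pfd = {e: pfd_avg_1oo1(lam, PROOF_TEST_INTERVAL_H) for e, lam in LAMBDA_DU.items()}
    pfd = top_event_pfd(BRAKING_SIF, basic_pfd)
    sil = sil_achieved(pfd)
    return pfd, sil, sil >= target_sil
```

With these constructed figures the common-cause anemometer failure and the brake actuator dominate the result, which lands in SIL 2 rather than the SIL 3 target, so redundancy in the sensors alone is not enough.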
Maintenance and Testing:
- Establish a robust maintenance program to ensure the ongoing reliability and safety of the system.
- Perform regular testing and inspections to identify and rectify potential issues.
- Consider the impact of maintenance and testing on the SIF’s reliability.
Best Practice Approach
- Involve a multidisciplinary team with expertise in safety, engineering, and risk assessment.
- Use standardised methodologies and guidelines, such as IEC 61508 and IEC 6151.
- Validate and verify the SIL study results through testing and commissioning.
The Pisys 360 suite can help to manage multidisciplinary teams performing complex safety tasks.