SIL Verification

Prepared By: Amiya Ray, Sandeep Sidhu

Upload: harpreet-sutdhar

Post on 03-Jan-2016


Page 1: Sil Verification

Prepared By: Amiya Ray

Sandeep Sidhu

Page 2: Sil Verification

RISK & IDENTIFICATION TECHNIQUE

RISK ASSESSMENT & RISK REDUCTION

PROTECTION LAYERS

FTA ANALYSIS

SIL VERIFICATION


Page 3: Sil Verification


In safety standards such as IEC 61511, what's at risk is identified as personnel and the environment. However, most companies use an expanded list of risk categories that can also include:

• Public safety and health
• Liability costs
• Production interruptions and quality issues
• Equipment damage and repair costs

Page 4: Sil Verification

“What’s the likelihood a harmful event will happen, and what are the consequences if it does?”


The challenge is to identify risks in advance so that they can be reduced or eliminated – for example, by changing a product’s formulation or reducing the quantities of hazardous material present.

Page 5: Sil Verification

• Preliminary Hazard Analysis

• Risk Analysis During Hazop Study

• Fault Tree Analysis

• Event Tree Analysis

• Cause Consequence Analysis


Page 6: Sil Verification


Sample likelihood risk assessment model

Adapted from IEC 61511-3, Table C.1 - Frequency of hazardous event likelihood

Page 7: Sil Verification

ASSESSING RISK

Sample consequence risk assessment model

Adapted from IEC 61511-3, Table C.2 - Criteria for rating the severity of impact of hazardous events.

Page 8: Sil Verification


The purpose of a plant safety program – including safety instrumented systems – is to ensure this exposure is tolerable at all times.

IEC 61511 describes tolerable risk as “risk which is accepted in a given context based on the current values of society.”

Occupational Safety & Health Administration (OSHA), Environmental Protection Agency (EPA)

ALARP MODEL

Page 9: Sil Verification


If inherent risk is greater than tolerable risk, the first choice should be to eliminate the risk. If it can't be eliminated, it must be minimized or mitigated — by active means such as relief valves or safety systems, or by passive means such as containment dikes or bunds.

But how safe is safe enough?

That's why it's important to identify how much the risks need to be reduced, and then design a solution that delivers the appropriate level of protection.

Page 10: Sil Verification


How much do we need to reduce the risk? There are two ways of finding an answer: quantitative and qualitative.

Quantitative

Risk a + Risk b + Risk c + Risk d + … + Risk z = RRF × (Tolerable Risk)

For example, we may want to reduce the frequency of a fatality from once every 10 years to once every 10,000 years. In other words, we want to reduce risk by a factor of 1000 — which is our Risk Reduction Factor or RRF.

Although this approach is used increasingly often, it raises two challenges.

• We need to collect a lot of data to make the calculations meaningful.
• We have to express specific, quantified levels of risk that you're

Page 11: Sil Verification


Qualitative

The second way of assessing the required risk reduction is to use qualitative rankings like those in the example consequence and likelihood models introduced earlier: for example, the likelihood of a tank rupture as "medium" and the consequence as "serious."

Page 12: Sil Verification


So how do we achieve the necessary level of risk reduction? By adding protection layers.

Safety standards define a protection layer as "any independent mechanism that reduces risk by control, prevention, or mitigation." The sum of the protection layers provides what is called functional safety — the functionality that ensures freedom from unacceptable risk.

Page 13: Sil Verification


The safety instrumented system (SIS) provides an independent protection layer that is designed to bring the process to a safe state when a hazardous condition occurs.

A typical SIS might include:

• Sensors, logic solvers, and final control elements
• Power and grounding
• Communication networks
• Supporting elements such as HART multiplexers and asset-management software

Page 14: Sil Verification

DEFINITIONS OF TERMINOLOGY

Consequence – The consequence is the result of the failure of the safety system. It is what the safety system is designed to prevent. The consequence can include impacts on safety, economics or the environment.

Probability of Failure on Demand – The PFD indicates the probability that the SIS will fail to respond to a process demand. This is related to the covert failure of the SIS.

Availability – The system availability is the fraction of time that the SIS is available to prevent or mitigate hazardous events.

Process Demand – This is a condition that requires the action of the SIS to prevent a hazardous event.

Page 15: Sil Verification

WHAT IS “Safety” ?

PFD : Probability of Failure on Demand

Global standards describe safety in terms of PFD.

IEC 61508 requires that an SIL (Safety Integrity Level) be selected.

SIL   PFD (Probability of Failure on Demand)   RRF (Risk Reduction Factor)
4     ≥ 10^-5 to < 10^-4                        10000 – 100000
3     ≥ 10^-4 to < 10^-3                        1000 – 10000
2     ≥ 10^-3 to < 10^-2                        100 – 1000
1     ≥ 10^-2 to < 10^-1                        10 – 100

RRF = 1/PFD

Higher SIL, More Safety

What is PFD?

If we look at the safety integrity level from the viewpoint of the safety integrity requirement: for example, specifying SIL 3 as the safety integrity requirement for a safety instrumented system to be introduced means that the safety instrumented system is asked to reduce the frequency with which the original hazardous situation occurs to 1/1000 or less, because the PFD of SIL 3 is 10^-4 or above and less than 10^-3.

In other words, by installing a safety instrumented system in a plant where no countermeasures are in place and a hazardous event may occur once every 10 years, it becomes possible to reduce this frequency to once or less in every 10,000 years.

Page 16: Sil Verification

CLASSIFYING THE FAILURE

Reliability is achieved by reducing the failure rate. Safety is achieved by classifying the failures and reducing λdu.

How to reduce the undetected dangerous failure ??

λ : Random hardware failure rate

λsd : Detected Safe Failure
λsu : Undetected Safe Failure
λdd : Detected Dangerous Failure
λdu : Undetected Dangerous Failure

Classifying the failure

・ Detected or Undetected

・ Dangerous or Safe

In the case of an undetected dangerous failure, no action for safety can be taken except through a proof test.

When a failure is detected, you can take action for safety, even if it is a dangerous one.

If a failure would not be detected, the safe failure should be acted on for safety (e.g., by proof test).

The undetected dangerous failure should be reduced!!

Page 17: Sil Verification

HOW TO MINIMIZE THE UNDETECTED DANGEROUS FAILURE (1/2)

PFD avg. = λdd (MTTR) + λdu (T/2)

λdd : detected dangerous failure rate
μd : 1/MTTR
MTTR : Mean Time To Repair
λdu : undetected dangerous failure rate
μu : 1/(T/2)
T : Mean Time between Proof Tests

State transition model (states: 0 Normal, 1 detected dangerous failure, 2 undetected dangerous failure):

0 → 1 at rate λdd (failure detected by self-diagnosis); 1 → 0 at rate μd
0 → 2 at rate λdu (failure detected only by proof test); 2 → 0 at rate μu

For minimizing PFD avg., minimizing λdu is important.

State transition model A: state 0 transits to 1 and recovers to 0. It needs MTTR.
State transition model B: state 0 transits to 2 and recovers to 0. It is recovered only by proof test. The time for recovering depends on T (mean time between proof tests).

MTTR < T / 2

Probably MTTR is shorter than 100 × T. Accordingly, minimizing T is required to reduce PFD.
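The formula on this slide, PFD avg. = λdd (MTTR) + λdu (T/2), together with the SIL table from page 15, is enough to see numerically why λdu and the proof-test interval T dominate. The example below is added here and is not part of the presentation; the failure rate, diagnostic coverage, MTTR and proof-test intervals are constructed sample values, and splitting λd into λdd and λdu by a diagnostic coverage fraction is a common modelling convention that the slides do not state explicitly.

```python
# Added example (not from the presentation): PFDavg, RRF and SIL band from the
# slide's formula PFDavg = λdd·MTTR + λdu·(T/2). All rates, coverage figures
# and intervals below are constructed sample values.

HOURS_PER_YEAR = 8760.0

# SIL bands (low-demand mode) from the page-15 table: (SIL, PFD low, PFD high)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def split_dangerous_rate(lambda_d, diagnostic_coverage):
    """Split a dangerous failure rate into detected (λdd) and undetected (λdu).

    Diagnostic coverage (assumed convention) is the fraction of dangerous
    failures the self-diagnostics catch; the rest is found only by proof test.
    """
    if not 0.0 <= diagnostic_coverage <= 1.0:
        raise ValueError("diagnostic coverage must be between 0 and 1")
    lambda_dd = lambda_d * diagnostic_coverage
    return lambda_dd, lambda_d - lambda_dd


def pfd_avg(lambda_dd, lambda_du, mttr_hours, proof_test_hours):
    """Slide formula: a detected dangerous fault is exposed for MTTR, an
    undetected one for half the proof-test interval on average."""
    return lambda_dd * mttr_hours + lambda_du * (proof_test_hours / 2.0)


def sil_from_pfd(pfd):
    """Map a PFDavg to the SIL band of the slide's table.

    Returns 0 when PFD is 0.1 or worse (no SIL can be claimed). A PFD below
    1e-5 is better than the SIL 4 target and is reported as 4.
    """
    if pfd < SIL_BANDS[0][1]:
        return 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def assess(lambda_d, diagnostic_coverage, mttr_hours, proof_test_years):
    """Return (PFDavg, RRF, SIL) for one SIF element."""
    lambda_dd, lambda_du = split_dangerous_rate(lambda_d, diagnostic_coverage)
    pfd = pfd_avg(lambda_dd, lambda_du, mttr_hours, proof_test_years * HOURS_PER_YEAR)
    return pfd, 1.0 / pfd, sil_from_pfd(pfd)


if __name__ == "__main__":
    # Constructed sample: an element with λd = 1e-6 /h and an 8 h MTTR, with and
    # without self-diagnostics and at three proof-test intervals.
    for dc, years in ((0.0, 1), (0.9, 1), (0.9, 2), (0.9, 3)):
        pfd, rrf, sil = assess(1e-6, dc, 8.0, years)
        print(f"DC={dc:.0%}  T={years} yr  PFDavg={pfd:.2e}  RRF={rrf:,.0f}  SIL {sil}")
```

With these sample numbers the λdd·MTTR term is a few parts in a million while the λdu·T/2 term sits in the 10^-4 to 10^-3 range, which is the slide's point: adding 90% diagnostic coverage lifts the element from SIL 2 to SIL 3 at a one-year proof-test interval, and stretching the interval to three years drops it back to SIL 2 even with the diagnostics in place.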

Page 18: Sil Verification

HOW TO MINIMIZE THE UNDETECTED DANGEROUS FAILURE(2/2)

λ : Random hardware failure rate

λsd : Detected Safe Failure
λsu : Undetected Safe Failure
λdd : Detected Dangerous Failure
λdu : Undetected Dangerous Failure

Dangerous Failure / Safe Failure: within the dangerous failures, the boundary detected ← → undetected moves toward "detected" when a self-diagnostic function is present, so the Undetected Dangerous Failure share shrinks.

With Self-diagnostic Function!

Page 19: Sil Verification

FAILURE DETECTION MECHANISM IN SAFETY SYSTEMS

Safety Instrumented System: Input → Calculation → Output, with field devices such as a pressure switch, relief valve, solenoid valve and power supply.

Input short-circuited failure detection: monitoring the circuit periodically

Output short-circuited failure detection: monitoring the load impedance

Replace with diagnostic sensor

CPU failure detection: activating the CPU circuit periodically and checking the status

Processor failure detection: comparison of results between redundant processors

Controller and switch failure detection: switching off periodically and checking the status

Page 20: Sil Verification

CALCULATION SHEET

Page 21: Sil Verification

FAULT TREE ANALYSIS

Quantitative risk assessment was performed by modeling the safety-instrumented system using Fault Tree Analysis (FTA). FTA was chosen because it is a very structured, systematic, and rigorous technique that lends itself well to quantification.

A few assumptions for Fault Tree calculations for a SIF:

• Component failure and repair rates are assumed to be constant over the life of the SIF.
• Once a component has failed in one of the possible failure modes it cannot fail again in one of the remaining failure modes. It can only fail again after it has first been repaired.
• The Test Interval (TI) is assumed to be much shorter than the Mean Time To Failure (MTTF).
• The logic solver failure rate includes the input modules, logic solver, output modules and power supplies.
• The sensor failure rate includes everything from the sensor up to the signal isolators in the marshalling cabinet, including the process impacts (e.g., plugged impulse line to transmitter).

Page 22: Sil Verification

FTA -SAMPLE

Page 23: Sil Verification

TYPICAL SIL VERIFICATION

Page 24: Sil Verification
Page 25: Sil Verification

RESULTS

Page 26: Sil Verification

SIL SOLVER DATA SHEET

Page 27: Sil Verification

VOTING SCHEME

Voting Scheme – The field device and logic configurations are defined as follows:

1oo1 – Single – No voting

1oo2 – Dual – Fail safe arrangement (one – out-of-two voting to trip)

2oo2 – Dual - Fail operational Arrangement (two – out-of-two voting to trip)

2oo3 – Triple – Fail safe & fail operational Arrangement (two-out-of-three voting trip)
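The fault-tree assumptions on page 21 and the voting schemes above can be combined into one small quantitative model: each element's PFD is λdu·T/2 (constant failure rates, test interval much shorter than MTTF), an OR gate joins the sensor, logic solver and final-element subsystems into the top event "SIF fails on demand", and a k-out-of-n gate models 1oo2, 2oo2 and 2oo3. This is an added example, not the presentation's calculation sheet or FTA sample; the failure rates are constructed, channels are treated as independent (common-cause failure is deliberately not modelled), and the voting gate uses the time-averaged per-channel PFD, so its results are close to, but not identical with, the simplified equations used in SIL solver tools.

```python
# Added example (not from the presentation): evaluating a small fault tree for a
# SIF with the voting schemes from the slide. Per-element PFD uses λdu·T/2, as
# the FTA assumptions allow. Channels are independent (no common-cause term);
# all failure rates below are constructed sample values.
from math import comb, prod

HOURS_PER_YEAR = 8760.0


def element_pfd(lambda_du, proof_test_hours):
    """Average PFD of a single element (the 1oo1 case): its dangerous
    undetected failures stay hidden for T/2 on average."""
    return lambda_du * proof_test_hours / 2.0


def or_gate(probabilities):
    """OR gate: the event occurs if any independent input occurs."""
    return 1.0 - prod(1.0 - p for p in probabilities)


def and_gate(probabilities):
    """AND gate: all independent inputs must occur."""
    return prod(probabilities)


def voting_gate(p, n, k):
    """PFD of a k-out-of-n-to-trip group of n identical, independent channels.

    A channel with a dangerous failure cannot vote to trip, so the group fails
    on demand when fewer than k channels remain healthy, i.e. when at least
    n-k+1 channels have failed: 1oo2 -> p^2, 2oo2 -> ~2p, 2oo3 -> ~3p^2.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    return sum(comb(n, j) * p ** j * (1.0 - p) ** (n - j) for j in range(n - k + 1, n + 1))


def sif_pfd(sensor_lambda_du, sensor_vote, solver_lambda_du,
            valve_lambda_du, valve_vote, proof_test_years):
    """Top event 'SIF fails on demand' = sensor group OR logic solver OR final
    element group. *_vote is (n, k), e.g. (3, 2) for 2oo3."""
    t = proof_test_years * HOURS_PER_YEAR
    sensors = voting_gate(element_pfd(sensor_lambda_du, t), *sensor_vote)
    solver = element_pfd(solver_lambda_du, t)          # logic solver is 1oo1
    valves = voting_gate(element_pfd(valve_lambda_du, t), *valve_vote)
    return or_gate([sensors, solver, valves])


if __name__ == "__main__":
    # Constructed sample SIF: 2oo3 transmitters (λdu 2e-7 /h), one logic solver
    # (λdu 5e-8 /h), shutdown valves (λdu 1e-6 /h), one-year proof test.
    for valve_vote, label in (((1, 1), "1oo1 valve"), ((2, 1), "1oo2 valves")):
        top = sif_pfd(2e-7, (3, 2), 5e-8, 1e-6, valve_vote, 1)
        print(f"{label}: PFDavg = {top:.2e}, RRF = {1 / top:,.0f}")
    p = 0.1  # per-channel PFD, just to show the ordering of the schemes
    for n, k in ((1, 1), (2, 1), (3, 2), (2, 2)):
        print(f"{k}oo{n}: {voting_gate(p, n, k):.4f}")
```

Running the sample shows the final element dominating the tree: with a single valve the SIF sits in the SIL 2 band (PFD a few times 10^-3), and changing only the valve arrangement to 1oo2 moves it into the SIL 3 band. The ordering printed for a fixed per-channel PFD matches the slide's description of the schemes: 1oo2 (fail safe) gives the lowest PFD, 2oo2 (fail operational) the highest, and 2oo3 sits between them while tolerating one failed channel in either direction.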

Page 28: Sil Verification
Page 29: Sil Verification

THANK YOU