Week 10 DIF NOTES: Safety Engineering (Design and Innovation Fundamentals lecture notes; uploaded by justinaddod, 04-Dec-2015)

Week 10: Lecture Notes / SAFETY ENGINEERING
• How can I be sure a system is safe, how do I know it is safe to operate?
• Risks to be As Low As Reasonably Practicable (ALARP).

Major Hazard Facilities
• Major Hazard Facilities (MHF) are facilities that have the potential to cause major accidents, where the consequences may rival natural disasters in terms of loss of life, injury, damage to property and disruption of activities affecting people at the workplace and the surrounding community and environment. All MHFs must be registered or licensed.
• A major accident is defined by the Major Hazard Facility regulations as a sudden occurrence at the facility causing serious danger or harm to a person at or near the facility, an at-risk community, or property or the environment near the facility, whether the danger or harm occurs immediately or at a later time.

Piper Alpha Disaster
• Operated from 1976-1988; it was an oil and gas platform that used a pipeline to send oil and gas to shore. An explosion and resulting fire destroyed it on July 6, 1988, killing 167 men. Total insured loss was about £1.7 billion (US$3.4 billion).
• In the aftermath there was a royal commission conducted by Lord Cullen, who recognised that the current level of standards and policies was inadequate. He called for operators of a potentially hazardous facility to demonstrate that:
  o The facility is fit for its intended purposes,
  o The risks associated with its functioning are sufficiently low,
  o Sufficient safety and emergency measures have been instituted.
• He also called for the introduction of both:
  o A Safety Management System that is assessed,
  o A Safety Case justifying that the facility is safe.
• As details of the causes of the disaster emerged, the industry changed and every offshore operator undertook wide-ranging assessments of their installations and management systems:
  o Improvements to “Permit to work” management systems
  o Relocation of some pipeline emergency shutdown valves
  o Installation of sub-sea pipeline isolation systems
  o Mitigation of smoke hazards
  o Improvements to evacuation and escape systems
  o Initiation of Formal Safety Assessments
• The Piper Alpha disaster created a need for Formal Assessment of the Safety Management System.

Safety Case and Safety Management Systems
• A Safety Management System should be a system that is workable, appropriate to the MHF, and which meets the essential principles.


• A Safety Case constitutes three main elements:
  o Safety requirements and objectives, which define the goals of the analysis.
  o Safety evidence, which defines the evidence on which the analyses rely.
  o Safety argument, which describes and argues how the safety evidence is sufficient to demonstrate the achievement of the safety objectives.

The ALARP Principle
• Where there is residual risk you need ALARP. Where there is a risk to safety:
  o All efforts should be made to reduce risks to the lowest level possible until the point is reached where the cost of introducing further safety measures is grossly disproportionate to the safety benefit that would be achieved.
  o A risk should be tolerated only if it can be demonstrated that there is a clear benefit in doing so.

• The focus of risk management, from a safety perspective, is that residual risk is As Low As Reasonably Practicable (ALARP). The basis for the ALARP judgement is that the risk is to be treated to the point where:
  o The cost of further treatment is excessive compared with the resulting reduction in risk;
  o No further treatment is possible; or
  o The risk is negligible.
• A number of factors are taken into account to determine what would be reasonably practicable:
  o Nature and severity of the hazard
  o Knowledge of severity of the hazard
  o Knowledge of solutions
  o Availability of solutions
  o Common standards of practice
  o Cost of solutions
• The ALARP principle is used because it defines the effort necessary to reduce risk, the gross disproportion rule applies, and it is a required standard in safety regulations.


Risk Analysis Tools – Part Two
• Conduct a deductive method where we start from an incident and work out from there what we are going to do once that incident unfolds and how successful the controls we implement will be.

Event Tree Analysis
• Used to analyse the controls you put in place once you have an event. What controls could be put in place to contain the incident so it doesn’t lead to a disaster? You are using negative logic.
• An event tree analysis (ETA) is a deductive procedure that shows all possible outcomes resulting from an accidental (initiating) event, taking into account whether installed safety barriers are functioning or not, and additional events and factors.
• By studying all relevant accidental events (that have been identified by a preliminary hazard analysis, a HAZOP, or some other technique), the ETA can be used to identify the outcome of accident scenarios and sequences in a complex system.
• Design and procedural weaknesses can be identified, and probabilities of the various outcomes from an accidental event can be determined.
• Given an undesired event (e.g. a fault), what is the probability that the system responds successfully (safely)?
• The system design is such that the response to the initiating event is a logical sequence of components that are engaged in response to the event.
• Suited to analysis of failsafe mechanisms in safety-critical systems.


Event Tree Analysis - Steps
• Identify (and define) a relevant accidental (initial) event that may give rise to unwanted consequences
• Identify the barriers that are designed to deal with the accidental event
• Construct the event tree
• Describe the (potential) resulting accident sequences
• Determine the frequency of the accidental event and the (conditional) probabilities of the branches in the event tree
• Calculate the probabilities/frequencies for the identified consequences (outcomes)
• Compile and present the results from the analysis
• The probability of success given the event is the sum of the probabilities for each path leading to success.
• In the preceding example: (1-PFA) * (1-PFB) + (1-PFA) * PFB * (1-PFC)
• Failures are assumed to be statistically independent.
• This assumption may be violated if failures are due to poor maintenance or to defective parts from the same batch.
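The event tree the formula above refers to is not reproduced in the transcript. The following is an added example, not from the lecture notes, that assumes a barrier order consistent with that formula: barrier A acts first; if A works, barrier B acts; if B fails, barrier C is the last line of defence; if A fails the outcome is a disaster. The barrier names, the outcome labels, the failure-on-demand probabilities PFA, PFB, PFC and the initiating-event frequency are all constructed values. The tree walk reproduces the closed-form sum of success paths, and the last function shows how the result moves when the independence assumption is broken by a shared cause between B and C.

```python
"""Event tree evaluation for a three-barrier sequence (added example, not from the notes)."""

# A node is either an outcome label (str) or a barrier tuple:
# (barrier_name, child_if_barrier_works, child_if_barrier_fails)
# Assumed structure: A first; if A works then B; if B fails then C; if A fails -> disaster.
EVENT_TREE = (
    "A",
    ("B",
     "contained",
     ("C", "contained", "disaster")),
    "disaster",
)

# Constructed per-barrier probabilities of failure on demand (PFA, PFB, PFC in the notes)
PF = {"A": 0.10, "B": 0.20, "C": 0.50}


def enumerate_paths(node, pf, prob=1.0, path=()):
    """Yield (outcome, probability, path) for every branch of the tree.

    Each barrier's success or failure is multiplied in as an independent factor,
    which is exactly the statistical-independence assumption the notes flag.
    """
    if isinstance(node, str):
        yield node, prob, path
        return
    name, on_success, on_failure = node
    yield from enumerate_paths(on_success, pf, prob * (1 - pf[name]), path + ((name, "works"),))
    yield from enumerate_paths(on_failure, pf, prob * pf[name], path + ((name, "fails"),))


def outcome_probabilities(tree=EVENT_TREE, pf=PF):
    """Conditional probability of each outcome, given that the initiating event occurred."""
    totals = {}
    for outcome, prob, _ in enumerate_paths(tree, pf):
        totals[outcome] = totals.get(outcome, 0.0) + prob
    return totals


def outcome_frequencies(initiating_frequency, tree=EVENT_TREE, pf=PF):
    """Outcome frequency = initiating-event frequency x conditional outcome probability."""
    return {k: initiating_frequency * v for k, v in outcome_probabilities(tree, pf).items()}


def success_probability_closed_form(pf=PF):
    """The notes' formula for this tree, used to cross-check the tree walk."""
    a, b, c = pf["A"], pf["B"], pf["C"]
    return (1 - a) * (1 - b) + (1 - a) * b * (1 - c)


def success_probability_dependent_c(pf=PF, pfc_given_b_fails=1.0):
    """Same sum of success paths, but with C's failure probability conditioned on B having failed.

    If B and C share a cause (e.g. parts from the same defective batch), P(C fails | B fails)
    rises towards 1 and the independent calculation overstates the probability of success.
    """
    a, b = pf["A"], pf["B"]
    return (1 - a) * (1 - b) + (1 - a) * b * (1 - pfc_given_b_fails)


if __name__ == "__main__":
    for outcome, prob, path in enumerate_paths(EVENT_TREE, PF):
        label = " -> ".join(f"{name} {state}" for name, state in path)
        print(f"{label:32s} {outcome:10s} {prob:.4f}")
    print("outcome probabilities:", outcome_probabilities())
    print("outcome frequencies at 0.05 initiating events/year (constructed):", outcome_frequencies(0.05))
    print("closed form:", success_probability_closed_form())
    print("if C always fails when B fails:", success_probability_dependent_c())
```

With the constructed values the success paths contribute 0.9 x 0.8 and 0.9 x 0.2 x 0.5, so the tree walk and the closed form agree; setting P(C fails | B fails) to 1 removes the second path entirely, which is the kind of common-cause effect the independence caveat warns about.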


Fault Tree Analysis
• Fault tree analysis (FTA) is a top-down approach to failure analysis, starting with a potential undesirable event (accident) called a TOP event, and then determining all the ways it can happen.
• The analysis proceeds by determining how the TOP event can be caused by individual or combined lower-level failures or events.
• The causes of the TOP event are “connected” through logic gates - typically AND-gates and OR-gates.
• FTA is the most commonly used technique for causal analysis in risk and reliability studies.
• A model that logically and graphically represents the various combinations of possible events, both faulty and normal, occurring in a system that lead to the top undesired event.
• FTA uses a tree to show the cause-and-effect relationships between a single undesired event (failure) and the various contributing causes.
• The tree shows the logical branches from a single failure at the top of the tree to the root cause(s) at the bottom of the tree.
• Standard logic symbols connect the branches of the tree. For example, “gates” permit or inhibit the passage of fault logic up the tree through the “events.”
• A fault tree does not necessarily contain all possible failure modes of the components of the system. The fault tree contains only those failure modes whose existence contributes to the existence of the top event.
• Suitable for further analysing undesired events (failures) identified by other tools such as PHA and FMEA.
• FTA starts with a pre-identified event (the Top Event). The system is then drilled down to find the initiating events and which combinations of events (cut-set elements) lead to the failure.
• Note the difference between AND and OR events in terms of the number of sub-events required to trigger the Top Event.
• Redundancy / safety functions use AND gates. The more AND triggers, the safer the system will be.
• Event Trees focus on the system’s ability to recover from an event.
• Fault Trees enable the causes of undesirable events to be determined.
• FTA + ETA becomes a Bow Tie Diagram.

Where to use FTA
• Root Cause Analysis - Identify all relevant events & conditions leading to the undesired event
• Risk Assessment - Calculate the probability of an undesired event (level of risk)
• Design Safety Assessment - Demonstrate compliance with requirements

Steps
• Definition of the system, the TOP event (the potential accident), and the boundary conditions
• Construction of the fault tree
• Identification of the minimal cut sets
• Qualitative analysis of the fault tree
• Quantitative analysis of the fault tree
• Reporting of results
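An added example, not from the lecture notes, working the “identification of the minimal cut sets” and “quantitative analysis” steps for a small constructed fault tree. The top event, the basic-event names and their probabilities are assumed for illustration only. The redundant pump pair sits under an AND gate, which also demonstrates the earlier point that AND gates over redundant components lower the top-event probability compared with a single component.

```python
"""Fault tree: minimal cut sets and top-event probability (added example, not from the notes)."""
from itertools import product

# Gate nodes are ("AND", [children]) or ("OR", [children]); leaves are basic-event names.
# Constructed tree: cooling is lost if grid power is lost OR both redundant pumps fail.
TOP_EVENT = ("OR", [
    "grid power lost",
    ("AND", ["cooling pump A fails", "cooling pump B fails"]),  # redundant pair -> AND gate
])

# Constructed basic-event probabilities (e.g. per demand); assumed values, not from the notes
P_BASIC = {
    "grid power lost": 0.01,
    "cooling pump A fails": 0.05,
    "cooling pump B fails": 0.05,
}


def cut_sets(node):
    """Boolean expansion: an OR gate unions its children's cut sets,
    an AND gate combines one cut set from each child."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Qualitative analysis: drop duplicates and any cut set that strictly contains another."""
    sets = set(cut_sets(node))
    minimal = [cs for cs in sets if not any(other < cs for other in sets)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def gate_probability(node, p=P_BASIC):
    """Quantitative analysis gate by gate.

    AND: product of child probabilities. OR: 1 - product of (1 - child probabilities).
    Exact when no basic event appears under more than one gate, as in this tree.
    """
    if isinstance(node, str):
        return p[node]
    gate, children = node
    probs = [gate_probability(c, p) for c in children]
    result = 1.0
    if gate == "AND":
        for q in probs:
            result *= q
        return result
    for q in probs:
        result *= (1 - q)
    return 1 - result


def rare_event_approximation(node, p=P_BASIC):
    """Sum of the minimal-cut-set probabilities: a quick upper bound that is
    close to the exact value when all basic-event probabilities are small."""
    total = 0.0
    for cs in minimal_cut_sets(node):
        term = 1.0
        for event in cs:
            term *= p[event]
        total += term
    return total


if __name__ == "__main__":
    for cs in minimal_cut_sets(TOP_EVENT):
        print("minimal cut set:", sorted(cs))
    print("top-event probability (exact):", gate_probability(TOP_EVENT))
    print("top-event probability (rare-event approx.):", rare_event_approximation(TOP_EVENT))
    print("single pump vs redundant AND pair:",
          gate_probability("cooling pump A fails"),
          gate_probability(("AND", ["cooling pump A fails", "cooling pump B fails"])))
```

For this tree the two minimal cut sets are {grid power lost} and {pump A fails, pump B fails}; the AND gate turns two 0.05 pump failures into a 0.0025 contribution, and the rare-event sum 0.0125 slightly overstates the exact OR-gate value 0.012475, which is the usual direction of that approximation.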


Immediate, Necessary and Sufficient Causes
• Read the Intermediate Gate event wording.
• Identify all Immediate, Necessary and Sufficient events to cause the Intermediate Gate event.
• Structure the Immediate, Necessary and Sufficient causal events with appropriate logic:
  o Immediate – what is the most immediate direct cause
  o Necessary – include only what is actually necessary
  o Sufficient – only include the minimum necessary

Primary, Secondary and Control Causes
• Consider the type of fault path for each Enabling Event and identify each causing event as one of the following path types:
  o Primary Fault – unplanned failure modes
  o Secondary Fault – condition-based failure modes
  o Command Fault – Induced Fault, Sequential Fault


Reliability Equations (figure; not reproduced in the transcript)

Bow Tie Analysis
• The Bow Tie analysis was developed for the oil and gas industries as a tool for the development of safety cases.
• Designed for management of risk rather than the detailed quantitative assessment of risk.
• Diagrammatic representation of the relationship between the management system and the hazards being managed, linking hazards and their consequences through event lines illustrating the routes to accidents.
• Preventive and Recovery controls show the fundamental components of the safety management system.