In safety standards such as IEC 61511, what is at risk is identified as personnel and the environment. However, most companies use an expanded list of risk categories that can also include:
- Public safety and health
- Liability costs
- Production interruptions and quality issues
- Equipment damage and repair costs

What's the likelihood that a harmful event will happen, and what are the consequences if it does?

The challenge is to identify risks in advance so that they can be reduced or eliminated, for example by changing a product's formulation or reducing the quantities of hazardous material present.
Sample likelihood risk assessment model (likelihood and type of events)

Low (e.g., less than 1/10,000 annually): Events such as multiple failures of diverse instruments or valves, multiple human errors in a stress-free environment, or spontaneous failures of process vessels.
Medium (e.g., 1/10,000 to 1/1,000 annually): Events such as dual instrument or valve failures, or major releases in loading/unloading areas.
High (e.g., more than 1/1,000 annually): Events such as process leaks, single instrument or valve failures, or human errors that result in small releases of hazardous materials.

Adapted from IEC 61511-3, Table C.1 - Frequency of hazardous event likelihood
ASSESSING RISK
Sample consequence risk assessment model (consequence and impact)

Minor: e.g., injury, or more than $120,000 of damage or lost production
Serious: e.g., hospitalization, or more than $250,000 of damage or lost production
Extensive: e.g., death, or more than $1,000,000 of damage or lost production

Adapted from IEC 61511-3, Table C.2 - Criteria for rating the severity of impact of hazardous events
The purpose of a plant safety program, including safety instrumented systems, is to ensure that the exposure to these risks is tolerable at all times.

IEC 61511 describes tolerable risk as risk which is accepted in a given context based on the current values of society.

Occupational Safety & Health Administration (OSHA); Environmental Protection Agency (EPA)
ALARP MODEL
If inherent risk is greater than tolerable risk, the first choice should be to eliminate the risk. If it can't be eliminated, it must be minimized or mitigated by active means such as relief valves or safety systems, or by passive means such as containment dikes or bunds. But how safe is safe enough? That's why it's important to identify how much the risks need to be reduced, and then design a solution that delivers the appropriate level of protection.
How much do we need to reduce the risk? There are two ways of finding an answer: quantitative and qualitative.

Quantitative: The total risk is the sum of the individual risks, Risk a + Risk b + Risk c + Risk d ... Risk z, and each risk is related to the tolerable risk through the Risk Reduction Factor: Risk z = RRF x Risk (tolerable). For example, we may want to reduce the frequency of a fatality from once every 10 years to once every 10,000 years. In other words, we want to reduce risk by a factor of 1000, which is our Risk Reduction Factor, or RRF. Although this approach is used increasingly often, it raises two challenges. We need to collect a lot of data to make the calculations meaningful. We have to express specific, quantified levels of risk that you're

Qualitative: The second way of assessing the required risk reduction is to use qualitative rankings like those in the example consequence and likelihood models introduced above.
So how do we achieve the necessary level of risk reduction? By adding protection layers. Safety standards define a protection layer as "any independent mechanism that reduces risk by control, prevention, or mitigation." The sum of the protection layers provides what is called functional safety: the functionality that ensures freedom from unacceptable risk.
The safety instrumented system (SIS) provides an independent protection layer that is designed to bring the process to a safe state when a hazardous condition occurs. A typical SIS might include:
- Sensors, logic solvers, and final control elements
- Power and grounding
- Communication networks
- Supporting elements such as HART multiplexers and asset-management software
DEFINITIONS OF TERMINOLOGY
Consequence
The consequence is the result of the failure of the safety system. It is what the safety system is designed to prevent. The consequence can include impacts on safety, economics or the environment.

Probability of Failure on Demand
The PFD indicates the probability that the SIS will fail to respond to a process demand. This is related to the covert failure of the SIS.

Availability
The system availability is the fraction of time that the SIS is available to prevent or mitigate hazardous events.

Process Demand
This is a condition that requires the action of the SIS to prevent a hazardous event.
WHAT IS SAFETY?

What is PFD? PFD is the Probability of Failure on Demand. Global standards describe safety by PFD. IEC 61508 requires that an SIL (Safety Integrity Level) be selected: the higher the SIL, the more safety.

SIL, PFD and RRF (Risk Reduction Factor):
SIL 4: PFD 10^-5 or above and less than 10^-4; RRF 10,000 to 100,000
SIL 3: PFD 10^-4 or above and less than 10^-3; RRF 1,000 to 10,000
SIL 2: PFD 10^-3 or above and less than 10^-2; RRF 100 to 1,000
SIL 1: PFD 10^-2 or above and less than 10^-1; RRF 10 to 100

If we look at the safety integrity level from the viewpoint of the safety integrity requirement: for example, specifying SIL 3 as the safety integrity requirement for a safety instrumented system to be introduced means that the safety instrumented system is asked to reduce the frequency with which the original hazardous situation occurs to 1/1000 or less, because the PFD of SIL 3 is 10^-4 or above and less than 10^-3.

In other words, by installing a safety instrumented system in a plant where no countermeasures are in place and a hazardous event may occur once every 10 years, it becomes possible to reduce this frequency to once every 10,000 years or less.

RRF = 1/PFD
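The quantitative RRF calculation and the SIL/RRF table above, worked through in code. This is an added example, not from the original slides; the band boundary handling (an RRF exactly on a boundary such as 1000 goes to the higher SIL) is an assumption chosen to match the page's 10-year to 10,000-year example, and the function names are my own.

```python
from fractions import Fraction

# RRF bands from the page's SIL table: (SIL, lower bound inclusive, upper bound exclusive).
# Assumption: an RRF exactly on a boundary (e.g. 1000) is assigned to the higher SIL,
# which matches the page's "once every 10 years -> once every 10,000 years is SIL 3".
SIL_BANDS = [(1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000)]

def required_rrf(inherent_freq, tolerable_freq):
    """RRF = inherent event frequency / tolerable event frequency (both per year)."""
    if inherent_freq <= 0 or tolerable_freq <= 0:
        raise ValueError("frequencies must be positive")
    return Fraction(inherent_freq) / Fraction(tolerable_freq)

def select_sil(rrf):
    """Return the SIL whose RRF band contains rrf; None when no SIL-rated SIS is needed.
    Raises when the demand exceeds SIL 4: the hazard must then be eliminated or redesigned."""
    if rrf < 10:
        return None
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return sil
    raise ValueError(f"RRF {float(rrf):g} exceeds SIL 4; reduce the inherent risk instead")

def target_pfd(rrf):
    """PFD the SIS must achieve, from RRF = 1/PFD."""
    return 1 / Fraction(rrf)

def assess(inherent_interval_years, tolerable_interval_years):
    """Take 'once every N years' inputs, as the page does; return RRF, SIL and target PFD."""
    rrf = required_rrf(Fraction(1, inherent_interval_years), Fraction(1, tolerable_interval_years))
    return {"rrf": rrf, "sil": select_sil(rrf), "pfd": target_pfd(rrf)}

if __name__ == "__main__":
    r = assess(10, 10_000)  # the page's example: fatality once per 10 years -> once per 10,000 years
    print(f"RRF {r['rrf']} -> SIL {r['sil']}, target PFD {float(r['pfd']):.0e}")  # RRF 1000 -> SIL 3, 1e-03
    print(assess(10, 50)["sil"])  # RRF 5: below SIL 1 -> None
    try:
        assess(1, 1_000_000)  # RRF 1,000,000: beyond SIL 4, a SIS alone cannot deliver this
    except ValueError as err:
        print(err)
```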
Classifying the failure: Detected or Undetected, Dangerous or Safe

When the failure is detected, you can take action for safety, even if it is a dangerous failure. If the failure is not detected, action for safety can still be taken for a safe failure (e.g., by a proof test).

[Figure: failure classification matrix with quadrants safe detected (SD), safe undetected (SU), dangerous detected (DD) and dangerous undetected (DU)]

In the case of an undetected dangerous failure, taking action for safety is impossible except through a proof test. Undetected dangerous failures should be reduced!
[Figure: sample fault tree; elements shown: Output, Power Supply, Pressure SW, Solenoid Valve, Relief Valve]

CALCULATION SHEET

FTA - SAMPLE

RESULTS
VOTING SCHEME

The field device and logic configurations are defined as follows:
- 1oo1 Single: no voting
- 1oo2 Dual: fail-safe arrangement (one-out-of-two voting to trip)
- 2oo2 Dual: fail-operational arrangement (two-out-of-two voting to trip)
- 2oo3 Triple: fail-safe and fail-operational arrangement (two-out-of-three voting to trip)
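The voting schemes above evaluated as general M-out-of-N logic, showing why the page labels 1oo2 fail-safe, 2oo2 fail-operational and 2oo3 both. This is an added example, not from the original slides; the single-channel fault model (a safe fault votes to trip without a demand, a dangerous fault stays silent during a demand) is an assumption for illustration.

```python
# MooN voting evaluation (added example). A channel reports True when it calls for a trip;
# an M-out-of-N scheme trips when at least M of its N channels call for a trip.
# Assumed fault model: a "safe" fault makes one channel call for a trip with no demand
# present (spurious trip); a "dangerous" fault makes one channel stay silent during a demand.

SCHEMES = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3)}

def votes_to_trip(scheme, channel_trips):
    """Apply the scheme's M-out-of-N rule to the channel votes; True means the SIS trips."""
    m, n = SCHEMES[scheme]
    if len(channel_trips) != n:
        raise ValueError(f"{scheme} needs {n} channels, got {len(channel_trips)}")
    return sum(bool(c) for c in channel_trips) >= m

def single_fault_behaviour(scheme):
    """Behaviour with exactly one faulty channel.
    Returns (spurious_trip_on_safe_fault, misses_demand_on_dangerous_fault)."""
    m, n = SCHEMES[scheme]
    # Safe fault, no demand: the faulty channel votes trip, the healthy ones do not.
    safe_fault_no_demand = [True] + [False] * (n - 1)
    spurious = votes_to_trip(scheme, safe_fault_no_demand)
    # Dangerous fault, real demand: the faulty channel stays silent, the healthy ones trip.
    dangerous_fault_demand = [False] + [True] * (n - 1)
    misses = not votes_to_trip(scheme, dangerous_fault_demand)
    return spurious, misses

if __name__ == "__main__":
    # Expected: 1oo1 (True, True), 1oo2 (True, False), 2oo2 (False, True), 2oo3 (False, False)
    for s in SCHEMES:
        spurious, misses = single_fault_behaviour(s)
        print(f"{s}: spurious trip on safe fault={spurious}, misses demand on dangerous fault={misses}")
```

A scheme with (False, False) tolerates one faulty channel in either direction, which is the fail-safe and fail-operational property the page attributes to 2oo3.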