Safety
Safety is measured primarily by a parameter called Average Probability of Failure on Demand (PFDavg). This is the chance that a SIS will not perform its pre-programmed action when a demand arrives during a specified interval of time (usually the time between periodic proof tests).
Reliability
Reliability is the ability of a technical device to fulfil its function during its operating time. This is often no longer possible once a single component has failed, so the MTBF (Mean Time Between Failures) is commonly taken as the measure of reliability. It can be calculated either statistically from systems in operation or from the failure rates of the components applied. Reliability says nothing about the safety of a system! An unreliable system is still safe if every individual failure puts the plant into the safe state.
Availability
Availability is the probability of a system being in a functioning state. It is expressed in per cent and is defined by the mean operating time between two failures (MTBF) and the mean down time (MDT), according to the following formula:
Availability = MTBF / (MTBF + MDT)
The mean down time (MDT) consists of the fault detection time and, in modular systems, the time it takes to replace defective modules. The availability of a system is greatly increased by a short fault detection time. Fast fault detection in modern electronic systems is obtained via automatic test routines and a detailed diagnostic display.
Availability can also be increased through redundancy, e.g. central devices working in parallel, redundant I/O modules, or multiple sensors on the same measuring point. The redundant components are arranged so that the function of the system is not affected by the failure of one component.
Here as well a detailed diagnostic display is an important element of availability. Measures designed to increase availability have no effect on safety by themselves. The safety of redundant systems is only guaranteed if there are automatic test routines during operation or if, e.g., non-safety-related sensor circuits in a 2oo3 arrangement are regularly checked. If one component fails, it must be possible to switch off the defective part in a safe way. A related measure is called Safety Availability. It is defined as the probability that a SIS will perform its pre-programmed action when the process is operating, and its reciprocal counterpart is the risk reduction factor (RRF). They are calculated as follows:
Safety Availability = 1 - PFDavg
RRF = 1 / PFDavg
Hazards Analysis
Generally, the first step in determining the levels of protective layers required involves conducting a detailed hazard and risk analysis. In the process industries a Process Hazards Analysis (PHA) is generally undertaken, which may range from a screening analysis through to a complex Hazard and Operability (HAZOP) study, depending on the complexity of operations and severity of the risks involved. The latter involves a rigorous detailed process examination by a multidisciplinary team comprising process, instrument, electrical and mechanical engineers, as well as safety specialists and management representatives.
Risk
Risk is usually defined as the combination of the severity and probability of an event. In other words, how often can it happen and how bad is it when it does happen? Risk can be evaluated qualitatively or quantitatively. Roughly,
Risk reduction
Risk reduction can be achieved by reducing the frequency of a hazardous event, its consequences, or both. Generally, the most desirable approach is to reduce the frequency first, since every event is likely to have cost implications even when its consequences are not dire. Safety systems are all about risk reduction: if we can't take away the hazard, we shall have to reduce the risk. This means: reduce the frequency and/or reduce the consequence. The basic definitions of the safety-related terminology will be studied in this course; there are three main examples of the required safety actions, as follows:
Sustained improvements in accident prevention can only come from changes to the overall mix of the above factors. The model defines workplace risk as a formula such that:
RISK = Employee Exposure x Probability of the Accident Sequence Taking Place x Potential Consequence of the Accident
Noting that Risk = Consequence x Frequency, and Frequency = Demand rate x Probability of failure of the safety function, we can define the Five-Step Safety Process Model as follows:
Step 1: Identification of the risks that are producing accidents and injuries.
Step 2: Perform accident/incident problem-solving on each identified risk. The process includes:
1. Definition of the problem
2. Contributing factors
3. Root causes
Step 3: Develop a schedule for implementation of each preventive action. Each preventive action should have:
1. A responsible party
2. Resources to support the action
3. A timetable for completion
Risk Evaluation
There is no such thing as zero risk. This is because no physical item has a zero failure rate, no human being makes zero errors and no piece of software design can foresee every possibility.
Risk assessment
The measurement of risk
Consequence scale:
Minor: injury to one person involving less than 3 days' absence from work
Major: injury to one person involving more than 3 days' absence from work
Fatal: fatal consequences for one person
Catastrophic: multiple fatalities and injuries
Frequency scale (qualitative): Unlikely, Possible, Occasionally, Frequently, Regularly
Alternatively
One hazardous event occurring on average once every 10 years will have an event frequency of 0.1 per year. A rate of 10^-4 events per year means that an average interval of 10 000 years can be expected between events.
Another alternative is to use a semi-quantitative scale, or band of frequencies, to match words to frequencies. For example:
Possible = less than once in 30 years
Occasionally = more than once in 30 years but less than once in 3 years
Frequently = more than once in 3 years
Regularly = several times per year
Once we have these types of scales agreed, the assessment of risk requires that for each hazard we are able to estimate both the likelihood and the consequence. For example:
Risk item no. 1: major injury likely to occur occasionally
Risk item no. 2: minor injury likely to occur frequently
Scales of consequence
The Alarp (as low as reasonably practicable) principle recognizes that there are three broad categories of risks: Negligible risk: Broadly accepted by most people as they go about their everyday lives, these would include the risk of being struck by lightning or of having brake failure in a car.
Tolerable risk: We would rather not have the risk but it is tolerable in view of the benefits obtained by accepting it. The cost in inconvenience or in money is balanced against the scale of risk, and a compromise is accepted. Unacceptable risk: The risk level is so high that we are not prepared to tolerate it. The losses far outweigh any possible benefits in the situation.
Alarp diagram
Step 1
The estimated level of risk must first be reduced to below the maximum level of the Alarp region at all costs.
This assumes that the maximum acceptable risk line has been set as the maximum tolerable risk for the society or industry concerned. This line is hard to find, as we shall see in a moment.
Step 2
Further reduction of risk in the Alarp region requires cost benefit analysis to see if it is justified. This step is a bit easier and many companies define cost benefit formulae to support cost justification decisions on risk-reduction projects.
The principle is simple: if the cost of the unwanted scenario (its consequence cost multiplied by its expected frequency) exceeds the cost of the improvement, the risk reduction measure is justified. The tolerable risk region remains the problem for us. How do we work out what is tolerable in terms of harm to people, property and environment?
Practical exercise
Now is good time to try practical Exercise No. 1, which is set out towards the back of the manual in module 12. This exercise demonstrates the calculation of individual risk and FAR, and uses these parameters to determine the minimum risk reduction requirements.
Deductive method
A good example of a deductive method is Fault Tree Analysis, or FTA. The technique begins with a top event, which would normally be a hazardous event. Then all combinations of individual failures or actions that can lead to the event are mapped out in a fault tree. This provides a valuable way of showing all possibilities in one diagram and allows the probability of the top event to be estimated from the probabilities of the basic events. Deductive methods are useful for identifying hazards at earlier stages of a design project, where major hazards such as fire or explosion can be tested for feasibility at each section of plant. It is like a cause-and-effect diagram where you start with the effect and search for the causes.
Inductive method
So-called 'what if' methods are inductive because the questions are formulated and answered to evaluate the effects of component failures or procedural errors on the operability and safety of the plant or a machine. For example: what if the flow in the pipe stops? This category includes:
Failure Mode and Effects Analysis (FMEA)
Hazop studies
Machinery concept hazard analysis (MHCA)
Safety Availability = 1 - PFD. It is often desirable to express the SIL in terms of the hazard reduction factor (HRF), where HRF is defined as HRF = 1 / PFD.
Clearly, the higher the SIL then the more stringent become the requirements.
To further understand these important terms, let us ask a fundamental question: how frequently will failures of either type of function lead to accidents? The answer is different for the two types. For functions with a low demand rate, the accident rate is a combination of two parameters: i) the frequency of demands, and ii) the probability that the function fails on demand (PFD). In this case, therefore, the appropriate measure of performance of the function is PFD, or its reciprocal, the Risk Reduction Factor (RRF).
For functions which have a high demand rate or operate continuously, the accident rate is the failure rate, λ, which is the appropriate measure of performance. An alternative measure is the mean time to failure (MTTF) of the function. Provided failures are exponentially distributed, MTTF is the reciprocal of λ. These performance measures are, of course, related. At its simplest, provided the function can be proof-tested at a frequency which is greater than the demand rate, with T the interval between proof tests, the relationship can be expressed as:
PFD = λT/2 = T/(2 x MTTF), or RRF = 2/(λT) = (2 x MTTF)/T
So what is the SIL achieved by the function? Clearly it is not unique, but depends on the hazard and in particular whether the demand rate for the hazard implies low or high demand mode. SIL is a measure of the SIS performance related only to the devices that comprise the SIS. This measure is limited to device integrity, architecture, testing, diagnostics, and common mode faults inherent to the specific SIS design. It is not explicitly related to a cause-and-effect matrix, but it is related to the devices used to prevent a specific incident.
Further, SIL is not a property of a specific device. It is a system property; input devices through logic solver to output devices. Finally, SIL is not a measure of incident frequency. It is defined as the probability (of the SIS) to fail on demand (PFD). A demand occurs whenever the process reaches the trip condition and causes the SIS to take action.
The ANSI/ISA S84.01 standard requires that a target safety integrity level (SIL) be assigned for all safety instrumented system (SIS) applications. The assignment of the target SIL is a decision requiring the extension of the process hazards analysis (PHA) process to include the balancing of risk likelihood and severity against risk tolerance.
Since SIL 4 is rarely used, SIL 3 is typically the highest specified safety level. Of the three commonly used levels, SIL 3 has the greatest required safety availability (RSA) and therefore the lowest average probability of failure on demand (PFD). Required Safety Availability (RSA) is the fraction of time that a safety system is able to perform its designated safety function while the process is operating.
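The quantities above (plant availability from MTBF and MDT, PFDavg from the failure rate and proof-test interval, RRF, safety availability, the demand rate x PFD hazard frequency, and the SIL bands) are easiest to see worked through together. The following Python script is an added example and is not part of this manual. It assumes low-demand mode (IEC 61508: demands no more than once per year), a single channel with constant dangerous-undetected failure rate λ_DU, proof-tested every T hours with a perfect test so that PFDavg = λ_DU·T/2, and the IEC 61508 low-demand PFDavg bands (SIL 1: 10^-2 to 10^-1, SIL 2: 10^-3 to 10^-2, SIL 3: 10^-4 to 10^-3, SIL 4: 10^-5 to 10^-4); all numeric inputs are invented for illustration.

```python
"""Worked SIS performance figures: availability, PFDavg, RRF, safety availability and SIL.

Added example, not taken from the manual. Assumptions:
- low-demand mode (IEC 61508: demands no more than once per year), so PFDavg is the measure;
- a single channel with constant dangerous-undetected failure rate lambda_DU, proof-tested
  every T hours with a perfect test, so PFDavg = lambda_DU*T/2 (or the exact time average);
- SIL bands are the IEC 61508 low-demand PFDavg bands; all numeric inputs are invented.
"""
import math

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand bands as (SIL, lower PFDavg inclusive, upper PFDavg exclusive).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def availability(mtbf_h: float, mdt_h: float) -> float:
    """Plant availability A = MTBF / (MTBF + MDT); says nothing about safety."""
    if mtbf_h <= 0 or mdt_h < 0:
        raise ValueError("MTBF must be positive and MDT non-negative")
    return mtbf_h / (mtbf_h + mdt_h)


def pfd_avg_linear(lambda_du_per_h: float, proof_test_h: float) -> float:
    """PFDavg ~= lambda_DU * T / 2, the manual's formula (good while lambda_DU*T << 1)."""
    return lambda_du_per_h * proof_test_h / 2.0


def pfd_avg_exact(lambda_du_per_h: float, proof_test_h: float) -> float:
    """Time average of 1 - exp(-lambda*t) over [0, T]: 1 - (1 - exp(-lambda*T)) / (lambda*T)."""
    lt = lambda_du_per_h * proof_test_h
    if lt == 0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-lt)) / lt


def rrf(pfd: float) -> float:
    """Risk reduction factor, the reciprocal of PFDavg."""
    if not 0 < pfd <= 1:
        raise ValueError("PFDavg must lie in (0, 1]")
    return 1.0 / pfd


def safety_availability(pfd: float) -> float:
    """Fraction of demands on which the safety function acts: 1 - PFDavg."""
    return 1.0 - pfd


def sil_for_pfd(pfd: float):
    """SIL achieved by a PFDavg in low-demand mode.

    Returns 0 when PFDavg >= 0.1 (no SIL can be claimed) and None when PFDavg < 1e-5,
    where IEC 61508 defines no band (SIL 4 is the best claim available).
    """
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0 if pfd >= 0.1 else None


def hazardous_event_rate(demand_rate_per_year: float, pfd: float) -> float:
    """Frequency = demand rate x PFD of the safety function (low-demand mode)."""
    return demand_rate_per_year * pfd


def required_rrf(unmitigated_rate_per_year: float, tolerable_rate_per_year: float) -> float:
    """Minimum risk reduction the SIS must provide to bring the hazard rate down to the tolerable rate."""
    if tolerable_rate_per_year <= 0:
        raise ValueError("tolerable rate must be positive")
    return max(1.0, unmitigated_rate_per_year / tolerable_rate_per_year)


def is_low_demand(demand_rate_per_year: float) -> bool:
    """IEC 61508 low-demand mode: demands no more frequent than once per year."""
    return demand_rate_per_year <= 1.0


if __name__ == "__main__":
    # Invented figures: a trip loop with lambda_DU = 2e-6 /h, proof-tested yearly,
    # facing a demand about once every two years.
    lam, T, demands = 2e-6, HOURS_PER_YEAR, 0.5
    pfd = pfd_avg_linear(lam, T)
    print(f"low-demand mode: {is_low_demand(demands)}")
    print(f"PFDavg (linear) = {pfd:.5f}, exact = {pfd_avg_exact(lam, T):.5f}")
    print(f"RRF = {rrf(pfd):.0f}, safety availability = {safety_availability(pfd):.4%}, SIL {sil_for_pfd(pfd)}")
    print(f"hazardous event rate = {hazardous_event_rate(demands, pfd):.5f} per year")
    # Sizing the other way round: unmitigated 0.5/yr against a tolerable 1e-4/yr.
    need = required_rrf(0.5, 1e-4)
    print(f"required RRF = {need:.0f} -> target SIL {sil_for_pfd(1.0 / need)}")
    print(f"plant availability with MTBF 5000 h and MDT 8 h = {availability(5000, 8):.4%}")
```

With the invented inputs the loop lands in SIL 2 (PFDavg about 0.0088, RRF about 114), while bringing a 0.5/year hazard down to 10^-4/year needs RRF 5000, i.e. a SIL 3 loop. The exact time-average is slightly below the linear λT/2 figure; the gap grows as λ_DU·T approaches 1, which is why the linear formula is only used when proof testing is frequent relative to the failure rate.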
Safety Architectures
Several system architectures are applied in process safety applications, ranging from single-channel systems to triple-redundant configurations. Control engineers must match the architecture to the operating process's safety requirements, accounting for failures within the safety system itself.
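The deductive method described earlier (Fault Tree Analysis) is the natural way to compare these architectures: the top event is "the safety function fails to act on demand", the basic events are individual channels having failed dangerous, and 1oo1, 1oo2, 2oo2 and 2oo3 voting are just different AND/OR trees over the same channels. The following Python script is an added example and not part of this manual. It assumes independent basic events with constant probabilities (an invented per-channel PFDavg of 0.01) and a beta-factor common-cause model; it compares the usual gate-by-gate arithmetic, which is exact only when no basic event feeds more than one branch, against exact evaluation by enumerating every basic-event state, which matters for the 2oo3 tree where each channel appears under two AND gates.

```python
"""Fault-tree evaluation (the deductive method) applied to 1oo1, 1oo2, 2oo2 and 2oo3 voting.

Added example, not from the manual. Assumptions: basic events are independent with
constant probabilities (a channel's PFDavg, an invented 0.01 below); the top event is
"the safety function fails to act on demand". gate_product() is the usual gate-by-gate
arithmetic, exact only when no basic event feeds more than one branch; exact() enumerates
every basic-event state and is exact for any tree. A beta-factor common-cause event is
added as an OR input to show what bounds the benefit of redundancy.
"""
from dataclasses import dataclass
from itertools import combinations, product
from typing import Dict, Tuple, Union


@dataclass(frozen=True)
class Event:
    name: str


@dataclass(frozen=True)
class Gate:
    kind: str                  # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]


def AND(*inputs: Node) -> Gate:
    return Gate("AND", tuple(inputs))


def OR(*inputs: Node) -> Gate:
    return Gate("OR", tuple(inputs))


def basic_events(node: Node) -> set:
    if isinstance(node, Event):
        return {node.name}
    return set().union(*(basic_events(i) for i in node.inputs))


def gate_product(node: Node, p: Dict[str, float]) -> float:
    """AND = product of inputs, OR = 1 - product of complements. Overstates with shared events."""
    if isinstance(node, Event):
        return p[node.name]
    vals = [gate_product(i, p) for i in node.inputs]
    out = 1.0
    if node.kind == "AND":
        for v in vals:
            out *= v
        return out
    for v in vals:
        out *= 1.0 - v
    return 1.0 - out


def _holds(node: Node, state: Dict[str, bool]) -> bool:
    if isinstance(node, Event):
        return state[node.name]
    fn = all if node.kind == "AND" else any
    return fn(_holds(i, state) for i in node.inputs)


def exact(node: Node, p: Dict[str, float]) -> float:
    """Sum P(state) over all 2^n basic-event states in which the top event holds."""
    names = sorted(basic_events(node))
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if _holds(node, state):
            pr = 1.0
            for n, failed in state.items():
                pr *= p[n] if failed else 1.0 - p[n]
            total += pr
    return total


def voting_tree(k: int, n: int) -> Gate:
    """koon fails to act when fewer than k of n channels work, i.e. at least n-k+1 have failed."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    chans = [Event(f"ch{i}") for i in range(1, n + 1)]
    return OR(*(AND(*subset) for subset in combinations(chans, n - k + 1)))


def with_common_cause(tree: Gate, p_channel: float, beta: float) -> Tuple[Gate, Dict[str, float]]:
    """Beta-factor model: a fraction beta of channel failures takes out every channel at once."""
    probs = {name: p_channel for name in basic_events(tree)}
    probs["ccf"] = beta * p_channel
    return OR(tree, Event("ccf")), probs


if __name__ == "__main__":
    p = 0.01  # invented per-channel PFDavg
    for k, n in ((1, 1), (1, 2), (2, 2), (2, 3)):
        tree = voting_tree(k, n)
        probs = {name: p for name in basic_events(tree)}
        print(f"{k}oo{n}: gate arithmetic {gate_product(tree, probs):.6e}, exact {exact(tree, probs):.6e}")
    tree, probs = with_common_cause(voting_tree(1, 2), p, beta=0.05)
    print(f"1oo2 with 5% common cause: {exact(tree, probs):.6e} (common cause alone {probs['ccf']:.1e})")
```

Two things the run shows that the diagram alone does not: the 2oo3 top-event probability is 3p² - 2p³, not the 1 - (1 - p²)³ that naive gate arithmetic gives, because the three AND branches share channels; and a 5 % common-cause fraction (5 x 10^-4) dominates the 1oo2 independent contribution (10^-4) by a factor of five, which is why the manual insists that redundancy only delivers safety together with diagnostics, proof testing and attention to common-mode faults.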
One concern is that many safety systems in operation, or under construction, do not follow basic protection principles. Unsafe practices include:
1. Performing the safety shutdown within the basic process control system (BPCS) or distributed control system (DCS).
2. Using conventional programmable logic controllers (PLCs) in safety-critical applications. (Safety PLCs, by contrast, are certified for safety-critical applications up to SIL 2 and SIL 3.)
3. Implementing single-element (non-redundant) microprocessor-based systems on critical processes.
The conventional PLC architecture provides only a single electrical path. Sensors send process signals to the input modules. The logic solver evaluates these inputs, determines whether a potentially hazardous condition exists, and energizes or de-energizes the solid-state output. (Fire and gas detection systems, for example, use the energize-to-trip philosophy.) Suppose the safety system de-energizes the output to move the process to a safe state. Suppose also that one of the components in the single path fails so that the output cannot be de-energized. Then the conventional PLC will not provide its desired safety protection function.
A special class of programmable logic controllers, called safety PLCs, represents an alternative. Safety PLCs provide high reliability and high safety via special electronics, special software, pre-engineered redundancy, and independent certification.
The safety PLC has input/output circuits designed to be fail-safe, using built-in diagnostics. The central processing unit (CPU) of a safety PLC has built-in diagnostics for memory, CPU operation, watchdog timer, and communication systems.
Accurately evaluating the safety level for a specific control device in the context of a potential hazardous event poses a major and difficult problem for many control engineers. Associations and agencies worldwide have made considerable progress toward establishing standards and implementation guidelines for safety instrumented systems. These standards attempt to match the risk inherent in a given situation to the required integrity level of the safety system. Unfortunately, many of these guidelines and standards are not specific to a particular type of process and deal only with a qualitative level of risk. Control engineers must use considerable judgment in evaluating risk and applying instrumentation that properly addresses established design procedures with budget restraints.
Typical Applications
A fault-tolerant control system identifies and compensates for failed control system elements and allows repair while continuing its assigned task without process interruption. A high-integrity control system is used in critical process applications that require a significant degree of safety and availability. Some typical applications are:
1- Emergency Shutdown
2- Boiler Flame Safety
3- Turbine Control Systems
4- Offshore Fire and Gas Protection
1- Emergency Shutdown
A safety instrumented system provides continuous protection for safety-critical units in refineries, petrochemical/chemical plants and other industrial processes. For example, in reactor and compressor units, plant trip signals for pressure, product feed rates, expander pressure equalization and temperature are monitored, and shutdown actions are taken if an upset condition occurs.
Traditional shutdown systems implemented with mechanical or electronic relays provide shutdown protection but can also cause costly nuisance trips. Safety instrumented systems provide automatic detection and verification of field sensor integrity, integrated shutdown and control functionality, and direct connection to the supervisory data highway for continuous monitoring of safety-critical functions.