NATIONAL MINERALS INDUSTRY SAFETY AND HEALTH RISK ASSESSMENT GUIDELINE (NMISHRAG)

CHAPTER 4
4.1.1 Defining the objective based on the expected deliverable

The objective of a risk assessment exercise might be expressed like this example.


‘The objective of the risk assessment is to review the risks related to ………. (system), specifically focussing on the hazards …….. (such as one or more energy) or types of problems associated with …………. (such as a type of hazard), in order to produce ………… (an output such as information for a Plan)’


The objective of the risk assessment may be associated with one of the following intended deliverables (note that this is not an all-inclusive list). It is important to establish the desired deliverable from the risk assessment before deciding on the risk assessment method. THIS IS A KEY ISSUE.
 
A. Formal Safety Assessment development
B. Risk or Hazard Register development
C. Risk acceptability determination
D. Identification of critical control measures and development of performance indicators
E. Information for major or principal hazard plans
F. Assessment of Safety Instrumented Systems
G. Information for operational guidelines
H. Information for maintenance plans or guidelines
I. Hardware design review
J. Option selection/review
K. Review of change management plan
L. Information for drafting of Standard Operating Procedures (SOPs)
M. Risk awareness in informal day-to-day tasks

Following are brief outlines explaining these example potential deliverables. After each outline is a selected set of links that provide further selected information in the area. The outline also includes a list of possible, though not exclusive, risk assessment methods for each deliverable. Section 4.1.4 includes a table of deliverables and risk identification methods, plus links to good sources of information on each risk identification technique. 

For example, to explore more information on various risk assessment approaches try:
http://www.mishc.uq.edu.au/publications/Risk_Analysis_Methods_a_Brief_Review.pdf
NSW Department of Urban Affairs and Planning, 1992. Guidelines for Hazard Analysis, Hazardous Industries Planning Advisory Paper No. 6. ISBN 0 7305 71254. This useful resource is only available as a hardcopy. The publication can be purchased online (http://www.planning.nsw.gov.au/) or alternatively contact the Department to order the publication.

4.1.1.A. Formal Safety Assessment development

With both large and small complex facilities, the process of managing safety issues effectively requires formal methods for both assessing and managing safety.

The term ‘Safety Case’ is used to describe the argument or case that the operation of a specific facility is managed within acceptable, clearly defined risks. The Safety Case is intended to provide a level of assurance to the senior management/board of a facility/operation or a regulator that the facility is capable of being run safely and has the necessary processes, systems and people in place to ensure that this happens.

A Safety Case is the document that sets out the measures adopted to prevent major incidents and how to reduce the effects should one occur. It is therefore a combination of robust risk assessment methodologies appropriate to the hazards present and a rigorous, comprehensive, detailed and integrated safety management system.

The Safety Case is usually designed to demonstrate to a regulator that measures are appropriate and adequate to ensure that risks from potential major accidents have been reduced to a level 'as low as reasonably practicable' (ALARP [1]) or some defined level of residual risk.

[1] ALARP is used in the UK, but terms such as ALAP (as low as practicable), ALARA (as low as reasonably achievable) and SFAP (so far as practicable) are used by other pieces of legislation. It should be noted that these phrases have different meanings and put very different responsibilities on the operator of the facility. See Section 4.1.5 for further information on risk acceptability.

Typically, a Safety Case contains information on how the facility will be run safely, including such items as:

Hazard identification
Safety assessment
Control measure identification, selection and performance standards
Safety management system that supports the control measures
Emergency plan
Management of change
Process for reviewing and keeping the safety case up-to-date

From the above it is clear that a Safety Case is not a particular risk assessment method but rather a management methodology based on a rigorous Formal Safety Assessment (FSA) method. The FSA method usually involves a systematic review of the operation, initially using preliminary or broad brush risk assessment methods as well as more detailed techniques to examine major issues in depth.

The FSA methodology can be applied at minerals industry sites for comprehensive operational review.

For example, to explore more information on Safety Cases and Formal Safety Assessment approaches try:
http://www.mishc.uq.edu.au/publications/Development_of_a_Safety_Case.pdf
http://www.industry.gov.au/library/content_library/Facility.pdf
http://www.workcover.vic.gov.au/vwa/home.nsf/pages/so_majhaz_guidance/$File/GN3.pdf
http://www.hse.gov.uk/railway/criteria/
http://www.hse.gov.uk/railway/rsc.htm
http://tube.tfl.gov.uk/content/about/report/sqe/default.asp?exp=3 London Underground System Safety Case

For information on ALARP and SFAP try:
http://www.hse.gov.uk/hid/spc/perm09.htm
Worksafe Victoria MHAC Agenda Item 1.2.5, 8th August 2001. Available from the Major Hazards Unit of Worksafe Victoria

Risk identification tools that can assist with Formal Safety Assessment (FSA) development include: 
Energy Barrier Analysis
Consequence Analysis
Preliminary Hazard Analysis (PHA), Hazard Analysis (HAZAN) or Workplace Risk Assessment and Control  (WRAC) 
Fault Tree Analysis
Event Tree Analysis
Level of Protection Analysis (LOPA)
Hazard and Operability Studies (HAZOP)
Failure Mode and Effect Analysis (FMEA)

The nature and detail of an FSA may also warrant the application of other risk assessment techniques such as HAZOP or FMEA.
4.1.1.B. Risk or Hazard Register development

The Objective of creating a Risk or Hazard Register is to prepare a document that lists, outlines and prioritises the risks in an operation or organisation. As such it is an exposure document intended to communicate and monitor the current status of priority risks on the site. Normally, communication is the primary intention of a Risk Register. Obviously, regular review of the Risk Register is important due to changes in exposure over time and possibly a better understanding of the hazards and consequences (hazards change, methods change, etc.).

The inputs to a Risk or Hazard Register may come from a wide variety of sources including:
Major hazards from risk analysis
Information from Safety Case
Information developed through Management of Change
SHE Hazards from:
  • Incident reports
  • Hazard reports
  • Job Safety Analyses (JSAs)
  • Audit reports 
  • Inspection reports
  • Reviews

Potential data for the Hazards Register is screened using a Risk Matrix and only those hazards rated as extreme, high or moderate risks are recorded. Low or negligible risks are expected to be tracked and resolved by local management systems.

A key part of the Hazard Register is hazard tracking and close out mechanisms.

A key deliverable from a risk/hazard report is a SHE Critical Activities List. This list is a summary of activities required to control each identified hazard. The activities may include:
A listing of control measures and performance measures
Engineering changes
Organisational and / or procedural control
Training and competence assurances
Recovery measures
All activities will be assigned to individual responsibilities with an appropriate time frame.

In the Templates Appendix is a sample page from a risk register (no 9). This page is formatted for a Safety Case and hence the description of control measures includes reference to the SMS, performance standard and COP (Critical Operating Parameter) as required by the guidelines for a Safety Case. Regardless of the Safety Case requirement, all risk registers need these if the control is critical.



Figure 4.1 Hazards register data flow

This deliverable is referred to as “Broad Brush Risk Assessment” (BBRA) in the New South Wales “MDG 1010 Guideline for Risk Management in the Minerals Industry”. BBRA has been done in the minerals industry to identify a list of site risk management priorities.

Risk identification tools that can assist with preparation of a Risk or Hazard Register include:
Consequence Analysis
Preliminary Hazard Analysis (PHA)
Hazard Analysis (HAZAN)
Workplace Risk Assessment and Control (WRAC)
Hazard and Operability Study (HAZOP)

For example, to explore more information on developing a Risk or Hazard Register try:

http://www.planning.nsw.gov.au/plansforaction/mihaps-docs/mihaps-docs.html
(MIHAP paper no 3 Hazard Identification, Risk Assessment and Risk Control)
4.1.1.C. Risk acceptability determination

The Objective of this deliverable is to decide if risks related to an issue, plan or system are acceptable. Determining risk acceptability involves initially determining the risk acceptance criteria. This is followed by some process of reviewing the issue, plan or system, establishing the relevant risks with controls in place and judging whether the relevant risks are or can be reduced to an acceptable level.

See Section 4.1.5 for further information on risk acceptability criteria. 

For example, to explore more information on determining Risk Acceptability approaches try:
http://www.iee.org/Policy/Areas/Health/hsb36.pdf
http://www.workcover.vic.gov.au/vwa/home.nsf/pages/so_majhaz_guidance/$File/GN16.pdf
http://www.planning.nsw.gov.au/plansforaction/mihaps-docs/mihaps-docs.html
Paper No 3 Hazard Identification, Risk Assessment and Risk Control Section 7
DNV Technica. Risk Assessment Guidelines. Prepared for ACC and the Victorian Government, Project No A1196. Melbourne 1995 (Chapter 6). Available from Health and Safety Organisation, Victoria.
NSW Department of Urban Affairs and Planning, 1990. Risk Criteria for Land Use Safety Planning, Hazardous Industries Planning Advisory Paper No 4. ISBN 0 7305 71300. This useful resource is only available as a hardcopy. The publication can be purchased online (http://www.planning.nsw.gov.au) or alternatively contact the Department. 

Risk identification tools that can assist with determining the acceptability of a risk include:
Consequence Analysis
Preliminary Hazard Analysis (PHA), Hazard Analysis (HAZAN) or Workplace Risk Assessment and Control  (WRAC)
Fault Tree Analysis
Event Tree Analysis
Level of Protection Analysis (LOPA)
CHAIR
SIS
4.1.1.D. Identification of critical control measures and development of performance indicators

Control measures may be considered as the barriers between the inherent hazards of a facility and the realisation of an unwanted incident as a result of those hazards, and ultimately the harm that may be caused to people, environment and equipment in the event of the unwanted incident. See Section 4.1.5.c Quantitative Risk Analysis, Bow Tie Diagram, for a pictorial representation of the overall system.

Control measures may be identified as part of the Hazard Identification process. For an existing facility a range of these measures, both existing measures and possible alternatives, would be readily identified. The effect of each measure on the hazard and its outcomes needs to be determined for each hazard and outcome. The record of this could usefully be maintained in the Hazard Register and reviewed at agreed intervals.

It is important to determine which of the control measures are critical to the management of the facility, particularly if there are multiple control measures. The criticality of a measure has an important bearing on the maintenance frequency, test regime and management action if the measure has to be disabled. Some factors that might indicate a critical control measure are:
Control measure is relied on to control a number of different significant hazards
Control measure is relied on to prevent the most likely cause of significant incidents
Control measure is relied on to reduce or mitigate incidents having potentially very severe consequences
Other control measures that provide backup are known to be of poor reliability and effectiveness
There are a small number of barriers for a significant hazard

All the control measures identified through the various hazard identification processes need to be assessed as to:
Functionality, i.e. does it control the hazard in the intended manner
Survivability of the measure in an incident
Reliability of the control, both individually and in combination with other controls
Position in the hierarchy of control, i.e. is the control at the least desirable end of the hierarchy or at a higher level
Independence and diversity, i.e. can a set of controls be disabled by a single failure mechanism, or does the failure of one control disable another?

For all control measures, a range of performance indicators is required, particularly for those controls deemed critical. The performance indicators measure both how well the controls are performing and how well the management system is monitoring and maintaining the controls. 
The performance indicators for control measures will generally relate to some standards or target levels of performance. The measures may be qualitative or quantitative and may include absolute targets allowing no deviation, or targets which may have scope for limited tolerable deviation.

Some Control Measures

Proactive:

These can also be subdivided into elimination of the hazard and prevention of realisation of the hazard.
  • Design standards
  • Mine Planning
  • Safe operating procedures
  • Inspections 
  • Ignition source control
  • Berms
  • Ventilation systems
  • Isolation Systems
  • Physical barriers
  • Skills and Training
  • Monitoring height of muck heap above drawpoints
  • Monitoring of Air gap
  • Roof bolting
  • Fall restraint
  • Remote bogging
  • Change management process

Reactive:

These can also be subdivided into reduction of the consequence and mitigation of the consequence.
  • Provision of fresh air base underground
  • Emergency planning
  • Fall harnesses
  • Fire protection
  • Oxygen breathing sets
  • Relief valves
  • Gas detection system
  • Permit to work

For example, to explore more information on determining control measures try:
http://www.workcover.vic.gov.au/vwa/home.nsf/pages/so_majhaz_guidance/$File/GN10.pdf

http://www.planning.nsw.gov.au/plansforaction/mihaps-docs/mihaps-docs.html  
MIHAPS Paper No 3 Hazard Identification, Risk Assessment and Risk Control Section 6
4.1.1.E. Information for major or principal hazard plans 

When the Objective or the intended deliverable is to supply information for Major or Principal Hazard Management Plans, the intention is to analyse and assess risks related to potentially high consequence hazards as well as identify key controls. Major or Principal Hazard Management Plans are regulatory requirements in some Australian states for various mining hazards such as spontaneous combustion and gas drainage in underground mines.

These Plans are intended to be carefully developed documents that outline the management system in place to ensure the risks related to the specific major hazard are acceptable. Originally these plans were derived for hazards where uncertainty about the nature and location of the hazard was high, such as for outbursts, ground control, inrush, etc.

Risk identification tools that can assist with this deliverable include:
Energy Barrier Analysis
Consequence Analysis
Preliminary Hazard Analysis (PHA)  
Fault Tree Analysis
Hazard Analysis (HAZAN) 
Workplace Risk Assessment and Control  (WRAC)
Event Tree Analysis
Level of Protection Analysis (LOPA)
SIS

4.1.1.F. Assessment of Safety Instrumented Systems (SIS) *

This section discusses the integrity of programmable electronic systems that are now extensively used in controlling remote operated equipment and processing plant in the mining industry. The article provides the necessary background for a basic understanding of a control that has often been seen as a black box that will always perform as defined. Reality is very different, and the approach that should be used for assessing such systems and the applicable standards are covered. As with all processes that require a real understanding of the underlying theory, this is not to be undertaken without specialist assistance.

Functional Safety

Functional Safety is defined as the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. When functional safety is achieved by safety instrumented systems, these systems must meet the requirements set out in the standards AS/IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems) or AS/IEC 61511 (Functional safety of safety instrumented systems for the process industry sector).

Protection Layers

Modern industrial processes tend to be technically complex, involve substantial energies, and have the potential to inflict serious harm to persons or property during a mishap (see also section 5.8 Identifying new controls or barriers).

The AS/IEC 61508 standard defines safety as "freedom from unacceptable risk". In other words, absolute safety can never be achieved; risk can only be reduced to an acceptable level.

Safety methods to mitigate harm and reduce risk include:

Changing the process or mechanical design, including plant or equipment layout
Increasing the mechanical integrity of equipment
Improving the basic process control system (BPCS)
Developing additional or more detailed training procedures for operations and maintenance  
Using a safety-instrumented system (SIS)
Installing mitigating equipment to reduce harmful consequences; for example, explosion walls, foams, impoundments, and pressure relief systems

The above safety methods are also called layers of protection or independent protection layers – IPL (see section 4.1.5.1.b Quantitative risk analysis - Level of Protection Analysis - LOPA).

The effectiveness of a protection layer is described in terms of the probability that it will fail to perform its required function when called upon to do so (a demand), so that the scenario continues towards the undesired consequence despite the presence of the protection layer. This is called the probability of failure on demand (PFD). In the case of a SIS the PFD is described and categorised by a Safety Integrity Level (SIL). See also Appendix B, General format of LOPA Template.

LOPA is one of the recognised techniques used by WSRM for selecting the appropriate safety integrity level (SIL) of the safety instrumented functions (SIF) per the requirements of the functional safety standards.

The following diagram, Figure 4.2, demonstrates the effect of adding independent layers of protection to the process to mitigate or reduce consequences of an unwanted event.

Figure 4.2 LOPA Process Diagram

Management of Functional Safety

Functional safety assessment is the critical activity that ensures functional safety has actually been achieved. Those carrying out the functional safety assessment shall be competent, shall have adequate independence and shall consider the activities carried out and the outputs obtained during each phase of every lifecycle and judge the extent to which the objectives and requirements of AS/IEC 61508 & 61511 have been met.

During the past few decades, systems and instrumentation vendors have developed sophisticated safety instrumented systems (SIS) to shut down potentially dangerous out-of-control processes before they do damage and to help plant personnel identify potential sources of these problems. Whereas basic process control systems (BPCS) control the making of on-spec product, SISs are intended to protect people, product and the environment by enabling a safe shutdown of the process if control is lost.

Protecting personnel, plant assets and communities starts with a properly designed safety instrumented system.

A well-designed SIS not only reduces risks from out-of-control processes; it can also help users meet regulatory demands. A well-designed system can also increase plant availability by reducing the number of spurious “trips” caused by an SIS that fails to properly evaluate a safety situation and unnecessarily shuts down a process.

Standards and Safety-Related Concepts

Two new performance-based international standards govern the design and implementation of safety instrumented systems. The International Electrotechnical Commission (IEC) standard commonly referred to as IEC 61508 is targeted at suppliers of safety-related equipment and defines a set of standards for functional safety of electrical/electronic/programmable electronic safety-related systems.

Safety standard AS/IEC 61508 is quickly becoming a major deciding factor for purchasing process instrumentation for safety applications. This standard directs the processes used through the entire life cycle of a product, from the earliest stages of concept and design, through the manufacturing and final decommissioning of the product. AS/IEC 61508 provides industry with an effective means to quantify process risk and offers direction for proper design and manufacturing.

Another standard, AS/IEC 61511, is aimed at safety system users. The standard comprises formally collected best safety practices and addresses all safety life-cycle phases from initial concept, design, implementation, operations and maintenance modification, through to decommissioning.

The AS/IEC standards include several concepts that are vital to determining the level of risk in a plant and selecting an SIS that can meet the facility’s safety needs. The first of those concepts is Safety Instrumented Function (SIF), which is defined as a single set of actions that protects against a single specific hazard. Each Safety instrumented system is comprised of one or more SIFs.

AS/IEC 61508, Parts 1–7
The AS/IEC 61508 standard, “Functional Safety: Safety Related Systems,” is an international standard designed to address a complete SIS for the industries. The standard introduces the concept of a safety life cycle model to illustrate that the integrity of an SIS is not limited to device integrity, but is also a function of design, operation, testing, and maintenance. The standard includes four SILs that are indexed to a specific probability of failure on demand (PFD). A SIL assignment is based on the required risk reduction as determined by a PHA.

AS/IEC 61511, parts 1–3
The AS/IEC 61511 standard, “Functional Safety: Safety Instrumented Systems for the Process Industry Sector,” is an international standard designed to be used as a companion to AS/IEC 61508. AS/IEC 61508 is intended primarily for manufacturers and suppliers of devices, whereas AS/IEC 61511 is intended for SIS designers, integrators, and users in the process-control industry.

SIS Safety Lifecycle

Most certifications primarily address the end product. AS/IEC 61508, however, is process based and, therefore, encompasses all activities involved in the implementation of safety-related systems. Such activities begin with the concept phase of a project and finish when all of the electric, electronic, programmable electronic safety-related systems, other technology safety-related systems, and external risk-reduction facilities are no longer available for use.

WSRM uses the safety lifecycle concept, per AS/IEC 61508 & 61511, which describes the sequence of activities involved in the implementation of a SIS from conception through decommissioning.

Once the process risks are identified and existing protection layers are evaluated, an SIS is implemented to reduce the process risks to a tolerable level. Once installed, the SIS must be functionally tested on some specific frequency per the Safety Requirements Specification (SRS) and the calculated Safety Integrity Level (SIL) requirements.

The safety life cycle steps are as follows:

1. Perform conceptual process design
2. Perform PHA and risk assessment
3. Apply non-SIS protection layers to prevent identified hazards or reduce risk
4. Determine if an SIS is required
5. Define target SIL
6. Develop safety requirements specification (SRS)
7. Perform SIS conceptual design and verify that it meets the SRS
8. Perform SIS detail design
9. Perform SIS installation, commissioning, and pre-start up acceptance test
10. Establish operation and maintenance procedures
11. Perform pre-start up safety review (assessment)
12. Perform SIS start up, operation, maintenance, and periodic functional testing
13. Modify SIS (if necessary) by following a management of change procedure
14. Decommission SIS

Process hazard and risk assessment

AS/IEC 61508 & 61511 dictate that a process hazards analysis (PHA) be used to identify potential hazards in the operation of a process and to determine the protective measures necessary to protect workers, the community, and the environment. The scope of a PHA may range from a very simple screening analysis to a complex hazard and operability study (HAZOP).

A HAZOP provides a prioritized basis for the implementation of risk mitigation strategies, such as SISs.

If a PHA determines that the mechanical integrity of a process and the process control are insufficient to mitigate the potential hazard, an SIS is required. An SIS consists of the instrumentation or controls that are installed for the purpose of mitigating a hazard or bringing a process to a safe state in the event of a process upset.

Allocation of safety functions to protection layers

Safety Instrumented Systems (SISs) are subject to requirements based on the international standards AS/IEC61508 & 61511. Worley Safety and Risk Management offers assistance in identifying relevant requirements, carrying out necessary assessments and preparing required documentation.

Safety instrumented systems

Safety systems are designed to respond to conditions of the plant, which may be hazardous in themselves or, if no action were taken, could eventually give rise to a hazard. They must generate the correct outputs to prevent the hazard or mitigate the consequences.

SISs are also called:

ESD: Emergency Safety Shutdown
SIS: Safety Instrumented (or interlock) System
BMS: Burner Management System
F&G: Fire and Gas system

The basic elements of a SIS include all parts from the sensor to the actuator, including inputs, outputs, power supplies and logic solvers:
1. Sensors, which monitor the state of an ongoing process (temperature, pressure, level, vibration, etc.).
2. Logic Solvers, which collect and analyse data from the sensors to determine whether emergency conditions exist, and how to respond (e.g., ignore, initiate a "safe" shutdown of the process, etc.). Typically, these are safety-rated electronic controllers.
3. Final Control Elements. Typically, these are pneumatically actuated valves, motors, etc.

The purpose of Safety Instrumented Systems (SIS) is to take the process to a safe state when predetermined conditions are violated, such as set points for pressure, temperature, level, etc.

SIS Factors

According to the AS/IEC 61508 standard, the scope of an SIS is restricted to the instrumentation or controls that are responsible for bringing a process to a safe state in the event of a failure. The availability of an SIS is dependent upon:

Failure rates and modes of components
Installed instrumentation
Redundancy
Voting
Diagnostic coverage
Testing frequency


The SIS consists of the instrumentation or controls that are installed for the purpose of mitigating the hazard or bringing the process to a safe state in the event of a process upset. A SIS is used for any process in which the process hazards analysis (PHA) has determined that the mechanical integrity of the process equipment, the process control, and other protective equipment are insufficient to mitigate the potential hazard.

SIS safety requirement specification (SRS)

An SRS consists of safety functional requirements and safety integrity requirements; it is a collection of documents or information.

Safety functional requirements specify the logic and actions to be performed by an SIS and the process conditions under which actions are initiated. These requirements include such items as consideration for manual shutdown, loss of energy source, etc.

Safety integrity requirements specify a SIL and the performance required for executing SIS functions. Safety integrity requirements include:

Required SIL for each safety function
Requirements for diagnostics
Requirements for maintenance and testing
Reliability requirements if the spurious trips are hazardous

Safety Instrumented Function probability of failure on demand / Safety-Integrity Levels

The AS/IEC 61508 & 61511 standards require that companies assign a target safety integrity level (SIL) for all safety instrumented systems (SIS) applications. The assignment of the target SIL is a decision requiring the extension of the process hazards analysis (PHA). The assignment is based on the amount of risk reduction that is necessary to mitigate the risk associated with the process to an acceptable level. All of the SIS design, operation, and maintenance choices must then be verified against the target SIL.

The international standard AS/IEC 61508 defines four safety integrity levels (SIL1 to 4) to statistically represent the integrity of the safety instrumented system (SIS). They are defined as the measure for the safety performance of electrical or electronic control equipment.

An SIL takes into account device integrity, architecture, voting, diagnostics, systematic and common-cause failures, testing, operation, and maintenance. An SIL establishes an order of magnitude target for risk reduction. This target failure measure is the intended probability of dangerous mode failures to be achieved with respect to the safety-integrity requirements. The failure is specified in terms of either the average probability of failure to perform the design function on demand (for a low demand of operation) or the probability of a dangerous failure per hour (for a high-demand or continuous mode of operation). The higher the SIL, the greater the impact of a failure and, therefore, the lower the failure rate that is acceptable.

A SIL can be considered a statistical representation of the availability of an SIF at the time of a process demand. A SIL is the litmus test of acceptable SIS design and includes the following factors:

Device integrity
Diagnostics
Systematic and common cause failures
Testing
Maintenance


In modern applications, a programmable electronic system (PES) is used as the core of a SIS.

Safety Integrity Levels Tables

Table 4.3. Safety integrity levels: probability of failure on demand

Table 4.4. Safety integrity levels: frequency of dangerous failures per hour

The Probability to Fail on Demand is a statistical measurement of how likely it is that a process, system, or device will be operating and ready to serve the function for which it is intended. Among other things, it is influenced by the reliability of the process, system, or device, the interval at which it is tested, as well as how often it is required to function. Below are some representative sample PFD values. They are order of magnitude values relative to one another.

Selection of a Safety Integrity Level

A vital first step in the safety lifecycle is that the necessary safety functions are derived from an analysis of the hazards and risks. If a PHA concludes that an SIS is required, AS/IEC 61508 requires that a target SIL be assigned. Safety Integrity Levels or SILs define the levels of protection – amount of risk reduction needed for a particular SIF. The IEC standards describe four possible discrete SILs.

The assignment of a SIL is a corporate decision based on the company's risk management and risk tolerance philosophy. Safety regulations require that SIL assignment be carefully performed and thoroughly documented. The HAZOP identifies the hazardous scenarios associated with a process; the severity and likelihood of each are then assessed to set the target.

It is not only the safety integrity of the safety functions that is important, but also the effective and correct specification of the safety functions themselves.

Once the SIL of a given SIF has been determined, the standard defines the acceptable average probability of failure on demand (PFDavg) of the associated SIS. A SIF with a high SIL rating will require a system with a low PFDavg. An important factor in determining the PFDavg is the frequency of proof testing, including the stroking of its valves: the longer the time between tests, the higher the PFDavg.

Several methods of converting HAZOP data into SILs are used. The functional safety standards describe a number of methods for determining the safety integrity level of each safety instrumented function, among them:


Semi-quantitative methods - calibrated risk graph
The safety layer matrix
Qualitative methods - risk graph
Layers of protection analysis (LOPA)
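A worked layer of protection analysis, added here as an illustration and not taken from the guideline's or any company's tool, shows how the data for one HAZOP scenario becomes a SIL target. The initiating-event frequency, IPL credits and tolerable frequency in it are constructed, and the SIL bands are the low-demand PFDavg ranges of IEC 61508 (Table 4.3 above):

```python
"""Layer of protection analysis (LOPA) used to set the target SIL for a SIF.

Example code added to this guideline page. The scenario numbers are constructed
for illustration; real initiating-event frequencies and IPL credits must come
from the site's HAZOP/LOPA records and corporate tolerable-risk criteria.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class LopaResult:
    unmitigated_freq: float        # events/year after crediting every non-SIS layer
    required_rrf: float            # risk reduction factor the SIF must supply
    required_pfd: Optional[float]  # PFDavg design target for the SIF (None: no SIF needed)
    sil: int                       # 0 = no SIL requirement, 1..4, 5 = beyond SIL 4


def sil_from_pfd(pfd_avg: float) -> int:
    """Map a low-demand PFDavg to its IEC 61508 SIL band (Table 4.3 of this section)."""
    if pfd_avg >= 1e-1:
        return 0          # less than a factor of 10 risk reduction: no SIL requirement
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4              # 1e-5 <= PFDavg < 1e-4; anything lower is beyond SIL 4


def required_sil(initiating_freq: float,
                 ipl_pfds: Sequence[float],
                 tolerable_freq: float,
                 modifiers: Sequence[float] = ()) -> LopaResult:
    """Work out the SIF target from one LOPA scenario.

    initiating_freq : initiating event frequency, events/year (e.g. BPCS loop failure)
    ipl_pfds        : PFD credit for each independent protection layer other than
                      the SIF (alarm with operator response, relief valve, ...)
    tolerable_freq  : corporate tolerable frequency for this consequence, /year
    modifiers       : conditional modifiers (probability of ignition, occupancy, ...)
    """
    freq = initiating_freq
    for factor in list(ipl_pfds) + list(modifiers):
        freq *= factor                           # layers are assumed independent
    if freq <= tolerable_freq:
        return LopaResult(freq, 1.0, None, 0)    # existing layers already meet the target
    rrf = freq / tolerable_freq
    target_pfd = 1.0 / rrf                       # the SIF must do at least this well
    if target_pfd < 1e-5:
        return LopaResult(freq, rrf, target_pfd, 5)   # no single SIF can claim this
    return LopaResult(freq, rrf, target_pfd, sil_from_pfd(target_pfd))


if __name__ == "__main__":
    # Constructed scenario: high pressure from a control loop failure (0.5/yr);
    # credited layers: alarm with operator response (PFD 0.1) and relief valve (0.01);
    # tolerable frequency for the consequence 1e-6/yr.
    r = required_sil(0.5, [0.1, 0.01], 1e-6)
    print(f"unmitigated {r.unmitigated_freq:.1e}/yr, RRF {r.required_rrf:.0f}, "
          f"target PFDavg {r.required_pfd:.1e} -> SIL {r.sil}")
```

The SIL is the band the target PFDavg falls in, but the design target is the specific number: a later SIL verification must show the achieved PFDavg is at or below the target, not merely somewhere inside the band. A result of 5 flags a scenario that needs an additional independent layer rather than a single, ever more expensive SIF.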

Company standard SIL selection method

Any SIL selection method adopted by a company needs to be easy to use and to yield results quickly. A labour-intensive, time-consuming method will be abandoned once a company tries to apply it to the hundreds or thousands of SIF evaluations it needs to perform. It is therefore recommended that companies develop a database that standardises the procedure to be followed.

WSRM (WorleyParsons Safety & Risk Management) has developed such a database for selecting SILs, with the goals of compliance with applicable regulations, consideration of industry peer practice, conformance with the recommendations of the applicable standards, and consistency with each facility's risk-ranking scheme.

A company-tuned database of this kind allows multiple remote plant sites to evaluate SIL requirements for their safety instrumented systems quickly, efficiently and consistently, and so to make sound business decisions about the risks associated with their plant.

Reliability analysis / Quantitative methods for Verification of safety integrity levels

One of the activities required by the international functional safety standards is SIL verification of each safety instrumented function. The first step in a SIL verification, or reliability analysis, is selecting a reliability analysis technique; the second is gathering the input failure-rate data. Both can be major hurdles, which is why automated quantitative methods and tools that perform these analyses easily are needed.

Quantitative methods can also be used to select the appropriate SIL for a safety instrumented system. Selecting an overly conservative SIL has significant cost impacts: either more frequent SIS functional testing, or removal and upgrade of the existing SIS. Unnecessary cost of this kind is hard to justify.
The results of a reliability analysis should express not only the PFDavg of a specific SIF but also its safety availability (1 - PFDavg), which end users often ask for. In addition to the PFDavg from which the SIL is derived, the architectural constraints of the standard (hardware fault tolerance and safe failure fraction) must also be met. Together with issues such as different proof-test intervals for different parts of the SIF, this is why automated tools are useful during a SIL verification.

Worley safety and risk management has developed a guideline for SIL verification in line with the functional safety standards and is using state of the art automated tools to carry out the task.

Appropriate testing of an SIS is key to ensuring that its safety availability requirements are met.

The quantitative method to determine the frequency of testing is the accepted approach by most companies. Reliability engineers generally use one or more of the following methods:
1. Markov Models
2. Reliability Block Diagrams
3. Fault Tree Analysis (FTA)

Markov modelling is a complex but exact method, well suited to the logic solver, where the states (detected and undetected failures, repair) can be enumerated. It is not recommended for the entire SIS or even a single loop calculation: the transition diagrams and matrix arithmetic make a precise calculation of a whole SIS hard to build and to review.

Reliability block diagrams sit at the opposite end of the complexity scale and are too simple for this purpose. On their own they represent neither proof-test intervals nor repair times, so unless each block's PFDavg has already been worked out elsewhere they are of little use in setting test frequencies.

By far the most widely accepted method, whether for a large SIS with many components or for a single loop, is fault tree analysis (FTA).
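To show what a fault tree calculation of one loop actually involves, and one trap in doing it by hand, here is an added example written for this page (it is not the author's or WorleyParsons' tool). It evaluates the gates of a small SIF tree (2oo3 sensors, 1oo1 logic solver, 1oo2 valves) in two ways: feeding each element's average unavailability into the gates, and averaging the tree's instantaneous unavailability over the proof-test interval. Failure rates are constructed, common cause is ignored, and all elements are assumed to be proof-tested together.

```python
"""Fault-tree evaluation of a SIF (2oo3 sensors, 1oo1 logic solver, 1oo2 valves)
and a check of the common 'average unavailability into the gates' shortcut.

Example code added to this guideline; failure rates are constructed and all
failures are treated as independent (no common cause) to keep the tree small.
"""
import math

HOURS_PER_YEAR = 8760.0


def gate_or(*q):
    """OR gate for independent basic events: 1 - prod(1 - q_i)."""
    p = 1.0
    for x in q:
        p *= 1.0 - x
    return 1.0 - p


def gate_and(*q):
    """AND gate for independent basic events: prod(q_i)."""
    return math.prod(q)


def sif_tree(q_sensor, q_logic, q_valve):
    """Top event: SIF fails to act on demand. The tree, written as gates:
         TOP = OR(SENSORS, LOGIC, VALVES)
         SENSORS (2oo3 fails when any two sensors are failed)
                 = OR(AND(S1,S2), AND(S1,S3), AND(S2,S3))
         VALVES  (1oo2 fails when both valves are failed) = AND(V1,V2)
    The three AND pairs share events, so OR-ing them is a rare-event
    approximation; it is fine while q_sensor << 1."""
    sensors = gate_or(gate_and(q_sensor, q_sensor),
                      gate_and(q_sensor, q_sensor),
                      gate_and(q_sensor, q_sensor))
    valves = gate_and(q_valve, q_valve)
    return gate_or(sensors, q_logic, valves)


def pfd_shortcut(lam_s, lam_l, lam_v, T):
    """Feed each element's AVERAGE unavailability (lam*T/2) into the tree."""
    return sif_tree(lam_s * T / 2, lam_l * T / 2, lam_v * T / 2)


def pfd_integrated(lam_s, lam_l, lam_v, T, steps=2000):
    """Evaluate the tree at each instant of the proof-test interval, using the
    instantaneous unavailability 1 - exp(-lam*t), and average the result.
    Elements are assumed to be proof-tested together at t = 0, T, 2T, ..."""
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * T / steps   # midpoint rule
        total += sif_tree(1 - math.exp(-lam_s * t),
                          1 - math.exp(-lam_l * t),
                          1 - math.exp(-lam_v * t))
    return total / steps


if __name__ == "__main__":
    # dangerous undetected failures per hour (constructed): sensor, logic, valve
    lam_s, lam_l, lam_v = 5e-7, 2e-8, 1e-6
    T = HOURS_PER_YEAR
    print(f"shortcut   PFDavg = {pfd_shortcut(lam_s, lam_l, lam_v, T):.2e}")
    print(f"integrated PFDavg = {pfd_integrated(lam_s, lam_l, lam_v, T):.2e}")
```

The two answers differ only in the redundant groups. Averaging per element first gives (λT/2)² for a 1oo2 pair and 3(λT/2)² for the 2oo3 group, where the time-averaged values are (λT)²/3 and (λT)²: both channels' unavailabilities grow together between proof tests, so the shortcut understates voted groups by a factor of about 3/4. That is why the IEC 61508-6 formulas for voted architectures, rather than a naive product of average unavailabilities, are used in SIL verification.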

LESSONS LEARNED 4.1

Example for SIL Verification – Sample Calculations

The following sample calculation is performed for a single safety instrumented function of a safety instrumented system to show how readily the achieved PFDavg, and hence the SIL the SIF can be claimed to meet, is calculated.

Consider the following physical block diagram for a safety instrumented function:

Figure 4.5. Architecture of the Example

The equations given in AS/IEC 61508 can be used to calculate PFDavg for sensors (2oo3) and block valves - final elements (1oo2) in series.

Then, the following equation may be used to calculate PFDavg for the whole system:

System PFDavg = Sensors PFDavg + Block Valves PFDavg + Controller PFDavg

Using the AS/IEC 61508 equations and the automated tools will result in the following table:

Table 4.6 SIL verification calculation results

To determine the SIL, compare the calculated PFDavg to the Table 4.3 figures. In this example, the system is acceptable as an SIS for use in SIL3 applications.
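The same calculation, carried through in code as an added example (it is not the automated tool referred to above), using the simplified IEC 61508-6 PFDavg approximations with a beta-factor common-cause term. The failure rates and beta values are constructed and do not reproduce Table 4.6; the SIL bands are those of IEC 61508 for low-demand mode. Running it at a one-year and a two-year proof-test interval shows the point made earlier that a longer interval raises the PFDavg:

```python
"""SIL verification for the Figure 4.5 architecture: 2oo3 sensors, 1oo1 logic
solver and 1oo2 block valves in series.

Example code added to this guideline page, not the automated tool mentioned in
the text. It uses the simplified IEC 61508-6 PFDavg approximations (no MTTR
term, dangerous undetected failures only, beta-factor common cause). The
failure rates below are constructed and do not reproduce Table 4.6.
"""

HOURS_PER_YEAR = 8760.0


def pfd_1oo1(lam_du, T):
    """Single channel: PFDavg ~ lam_du * T / 2."""
    return lam_du * T / 2.0


def pfd_1oo2(lam_du, T, beta=0.0):
    """Two channels, either can trip. Independent part ((1-b)*lam*T)^2/3
    plus the common-cause part b*lam*T/2, which behaves like a single channel."""
    ind = ((1.0 - beta) * lam_du * T) ** 2 / 3.0
    ccf = beta * lam_du * T / 2.0
    return ind + ccf


def pfd_2oo3(lam_du, T, beta=0.0):
    """Three channels, two must agree. Independent part ((1-b)*lam*T)^2
    plus the same common-cause term."""
    ind = ((1.0 - beta) * lam_du * T) ** 2
    ccf = beta * lam_du * T / 2.0
    return ind + ccf


def sil_from_pfd(pfd_avg):
    """Low-demand SIL band for a PFDavg (IEC 61508; Table 4.3 above)."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


def example_sif(T):
    """PFDavg of the whole SIF for proof-test interval T (hours).
    Constructed rates (dangerous undetected failures per hour):
      pressure transmitter 5e-7 (2oo3, beta 5%), logic solver 2e-8 (1oo1),
      block valve 1e-6 (1oo2, beta 10%)."""
    parts = {
        "sensors 2oo3": pfd_2oo3(5e-7, T, beta=0.05),
        "logic solver": pfd_1oo1(2e-8, T),
        "valves 1oo2":  pfd_1oo2(1e-6, T, beta=0.10),
    }
    # Subsystems are in series: the SIF fails if any one of them fails, and for
    # small PFDs their sum is the standard approximation (equation above).
    parts["system"] = sum(parts.values())
    return parts


if __name__ == "__main__":
    for years in (1, 2):
        res = example_sif(years * HOURS_PER_YEAR)
        print(f"proof test every {years} yr:")
        for name, v in res.items():
            print(f"  {name:14s} PFDavg = {v:.2e}")
        print(f"  -> SIL {sil_from_pfd(res['system'])}")
```

With these constructed rates the SIF sits inside the SIL 3 band with annual proof testing and falls to SIL 2 when the interval is doubled, the 1oo2 valves dominating the total in both cases. Meeting the PFDavg band is necessary but not sufficient: the architectural constraints (hardware fault tolerance, safe failure fraction) and the systematic capability of each element must also support the claimed SIL.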

References

To explore more information on SIS, try the following internet addresses:

http://www.sts-aiche.org/cast1202/
http://www.hcasia.safan.com/mag/hoct03/it46.pdf
http://www.triconex.com/NR/rdonlyres/34D43700-882E-4D36-B01C-97B8D2E0DBF6/0/PCSTechnicalPaperTestingandByPassingSafetyInstrumentedSystems.pdf
http://www.itk.ntnu.no/ansatte/Onshus_Tor/IEC61508/Guideline%20IEC%2061508%20rev%2013-10-00.pdf
http://www.sensorsmag.com/articles/1004/33/main.shtml
http://www.aesolns.com/articles/lss.pdf
http://www.miinet.com/approvals/what_is_61508.pdf
http://www.bently.com/articles/apnotes/an149409.pdf
http://shop.era.co.uk/products.asp?recnumber=193
http://www.isa.org/InTechTemplate.cfm?Section=Article_Index&template=/Content
http://www.hse.gov.uk/comah/sragtech/techmeascontsyst.htm
http://www.ce-mag.com/archive/04/Armstrong.html
http://www.automationtechies.com/sitepages/pid1071.php
http://www.us.tuv.com/product_testing/related_articles/semi_safety.html
http://www.nswmin.com.au/ohs/smhb2002/burgess.shtml
http://www.hotkey.net.au/~mjbauer/ACS-SCS%20Paper.htm
http://www.multiplan.co.ae/sil_assessment.htm


For information on functional safety and related issues try:
1. IEC Standard 61508, 1998, IEC publications.
2. IEC Standard 61511, 2003, IEC Publications.
3. Offshore Reliability Data (OREDA), 2002, Det Norske Veritas, OREDA Publications.
4. Smith, D. J, “Reliability, Maintainability, and Risk – Practical Methods for Engineers”, Butterworth-Heinemann, Sixth Ed., pp. 263- 272 (2003)
5. Center for Chemical Process Safety of the American Institute of Chemical Engineers, “Guidelines for Process Equipment Reliability Data”, AICHE/CCPS, pp. 211-212 (1989).
6. Center for Chemical Process Safety of the American Institute of Chemical Engineers, “Layer of Protection Analysis, A Simplified Process Risk Assessment”.

* Section 4.1.1.F was provided by Dr Kyoumars Bahrami kyoumars.bahrami@worleyparsons.com
Principal Reliability & Risk Consultant – WorleyParsons Safety & Risk Management WorleyParsons, Melbourne


4.1.1.G. Information for operational guidelines

The objective of this deliverable is to generate information that can be used to help derive operating guidelines. Operational guidelines provide the detail for specific tasks. They cover a group of related tasks such as overburden dump operation, drill and blast operation, longwall operation, processing equipment overhaul, exploration site operation, etc. As such it is guidance for a team or group of o