584 5 Safety and Risk i n Engineering Design – the ‘estimated reportable hazard frequency’ arising from functional failure of the item, – the ‘estimated physical condition’ of the item related to its safety. • The actual degree of safety. This is measured according to the contribution of: – the ‘actual disabling injury frequency’ arising from functional failure of the item, – the ‘actual reportable hazard frequency’ arising from functional failure of the item, – the ‘actual physical condition’ of the item related to its safety. The assessment of ‘estimated disabling injury frequency’ considers severity criteria such as: • Life risk—when the occurrence of critical functional failures can be expected to result in a risk of loss of life every time. • Loss risk—when the occurrence of critical functional failures can be expected to result in a risk of loss of limb every time. • Health risk—when the occurrence of critical functional failures is expected to result in the risk o f a health hazard every time. The assessment of ‘estimated reportable hazard frequency’ considers severity crite- ria such as: • People risk—when the occurrence of critical functional failures can be expected to result in the risk of an accident affecting people working in the area every time. • Environment risk—when the occurrence of critical functional failures can be ex- pected to result in the risk of an accident affecting the environment every time. • Process risk—when the occurrenceof critical functional failures can be expected to result in the risk of an accident affecting the production process every time. • Product risk—when the occurrenceof critical functional failures can be expected to result in the risk of an accident affecting the related product every time. The assessment of ‘estimated physical condition’considers severity criteria such as: • Loss risk—when the item’s physical condition can be expected to result in pro- cess losses in the system that will result in critical functional failures becoming imminent. • Damage risk—when the item’s physical condition can be expected to result in physical damage to related items that will result in critical functional failures becoming imminent. • Defects risk—when the item’s physical condition can be expected to result in physical defects arising in the item or its parts that will result incritical functional failures becoming imminent. 5.2 Theoretical Overview of Safety and Risk in Engineering Design 585 The various severity criteria described above are rated by designating a pro bability value from 0.1 to 1.0, for each criterion relevant to each failure mode, according to a risk assessment scale. The severity criteria is designated a value ranging from 10 to 1. The most severe degree of safety (disabling injury—life risk) is valued at 10, andnosafetyriskisvaluedat1. The probability value is assessed for different categories called ‘actual’, ‘proba- ble’ and ‘possible’. These probability values range from: 0.95 to 1.00 for the category actual 0.50 to 0.95 for the category probable 0.01 to 0.50 for the category possible. The estimated risk is thus rated according to the risk assessment scale shown in Table 5.7, using the following probability qualifiers: Actual occurrence: 0.95 to 1.00 Probable occurrence: 0.50 to 0.95 Possible occurrence: less than 0.50. Table 5.7 Risk assessment scale Risk assessment scale Estimated degree of Risk assessment values: safety: Degree of severity × Probability Severity criteria Actual Probable Possible 0.95 to 1.00 0.50 to 0.95 0.01 to 0.05 (Disabling injury) Deg. Prob. Risk Deg. Prob. Risk Deg. Prob. Risk Life risk 10 10 10 Loss risk 9 9 9 Health risk 8 8 8 (Reported accident) People risk 7 7 7 Process risk 6 6 6 Product risk 5 5 5 (Physical condition) Damage risk 4 4 4 Defects risk 3 3 3 Loss risk 2 2 2 (No safety risk) 1 1 1 Overall risk Total Total Total Overall average Average Av erage Average 586 5 Safety and Risk i n Engineering Design Table 5.8 Initial failure rate estimates Qualification Failure rate (×10 −6 ) Very low < 1 Lo w 1 to 10 Fair 10 to 100 High 100 to 1,000 Very high > 1, 000 Once an overall total and an overall average value of risk has been assessed, a safety criticality rank can be defined as follows: Criticality rank = Risk×Failure rate (5.7) If the failure rate for the item cannot been determined, qualifying values for ini- tial failure rate estimates can be used (Table 5.8). 5.2.1.7 Summary of Safety and Risk Analysis in Engineering Design Up to this point, the various conventional deductive and inductive analysis tech- niques for safety hazards and risk analysis have been considered without giving much attention to their specific application in each engineering design phase. Some of the more appropriate techniques that relate to the progressive phases in the engi- neering desig n process are the following: • Design cost risk analysis. Design cost risk analysis consists of identifying independent variables relating to the system or equipmentattributes such asmass, size, volume, material thickness, etc. plus the cost of ensuring the required reliability and safety relative to the se- lected attributes. The independent variables, also called cost drivers, are selected through statistical analysis, and form the basis of cost estimating relationships (CERs). • Operational risk analysis. Operational risk analysis considers risk in their operating environment. As a re- sult, it is necessary and useful to develop a safety hypothesis, expressed as a risk equation, which relates system throughput capacity to risk. Such a risk equation has its roots in financial risk management and has been expanded to measure the mean expected loss risk, which is more suitable for process systems in general. Such a measure not only quantifies risk but also clarifies system safety principles during conceptual design. Early identification of specific risk costs and safety benefits of different design alternatives enables avoidance or mitigation of haz- ards that could result in operational losses. 5.2 Theoretical Overview of Safety and Risk in Engineering Design 587 • Operability analysis—formally, hazards and operability (HAZOP) analysis. Operability analysis considers safety issues throughout an engineered installa- tion’s life cycle, from d esign, manufacture, installation, assembly and construc- tion, through to start-up and operation. The later that hazardous operating modes are detected in this development process, the more serious and expensive they become to avoid or mitigate through the required plant modifications. Extensive and systematic examination of safety aspects has to be carried out carefully and at the earliest possible opportunity in the engineering design stage. • Point process analysis—formally, Markov chain point processes. Point process analysis is intended to model a probabilistic situation that places points on a time axis. For safety analysis, these points are termed accident or incident events. • Fault-tree analysis (FTA). Fault-tree analysis is the most frequently used in the assessment of safety protec- tion systems for systems design. For potentially hazardous process engineering systems, it is required statutory practice to conduct a quantitative assessment of the safety features at the engineering design stage. The design is assessed by pre- dicting the probability that the safety systems might fail to perform their intended task of either preventing or reducing the consequences of hazardous events. • Root cause analysis (RCA). Root cause analysis (RCA) considers multiple failures arising fr om a common cause. This was first studied on a formal basis in the nuclear power industry. In order to o btain sufficiently h igh levels of reliability and safety in critical risk con- trol circuits, redundancy was introduced. In applying redundancy, several items can be used in parallel with only one required to be in working order. • Cause-consequence analysis (CCA)—failure modes and safety effects analysis. Cause-consequence analysis for safety systems design explores the system’s re- sponses to an initiating deviation from p re-determined norms (such as the lim- its of safe operating parameters), and enables evaluation of the probabilities of unfavourable outcomes at each of a number of mutually exclusive loss levels, depending upon the extent of deviation from these norms. • Hazards analysis (HAZAN)—probabilistic risk analysis. Hazards analysis considers identifying potential hazards that may be caused ei- ther by the nature of the process or the intended systems configuration. A thor- ough safety and hazards analysis is compulsory during the engineering design and development stages, for official approval to commence with construction. These tech niques are considered in detail below, within the appropriate conceptual, preliminary or detail design phases of the engineering design process. 588 5 Safety and Risk i n Engineering Design 5.2.2 Theoretical Overview of Safety and Risk Prediction in Conceptual Design Safety and risk prediction attempts to identify initial pr oblems or preliminary haz- ards, and to estimate the risks related to the severity of their consequences and re- lated probabilities of occurrence. Safety and risk prediction is considered in the conceptual design phase of the engineering design process, and includes concepts of modelling such as: i. Cost risk models in designing for safety ii. Process operational risk modelling iii. Hazard and operability studies. 5.2.2.1 Cost Risk Models in Designing for Safety Cost estimates during the early stages of engineering design are crucial. They influ- ence the go, no-go decisions concerning the development of engineering projects. In many cases, from 70 to 80% of a design’s cost is committed during the concept phase (Mileham et al. 1993). Making a wro ng decision concerning designing for reliability and safety can be extremely costly later in the development project. System modifications and pro- cess alterations become more expensive as the project progresses into manufacture, installation and construction. However, the difficulties of cost estimating at the con- ceptual design phase arewell recognised (Meisl 1988).The two major obstacles that need to be addressed in estimating costs at the conceptual design phase are, first, working with a limited amount of available data concerning the new design and, second, identifying the requirements that determine how cost estimates are derived, including assumptions and risks. The task in overcoming these obstacles, particu- larly in estimating risk costs for safety in engineerin g design, is concerned with the choice of cost estimating methods, some of which include the following: • Traditional cost estimating. • Parametric estimating. • Feature-based costing. • Qualitative cost estimating. a) Traditional Cost Estimating In traditional costing, there are two main estimates: a ‘first sight’ or ‘first round’ estimate, which is done in the early design phases, and a detailed estimate, done later to calculate costs precisely. The former of these cost estimating methods is based largely on the experience of the estimator. For example, it is not uncommon for a ‘first round’ project estimate to be based upon a past similar p roject, or purely 5.2 Theoretical Overview of Safety and Risk in Engineering Design 589 on costing experience. Although useful for a rough order of magnitude estimate, this type of estimating is too subjective in engineering designs of large integrated systems, and more quantified and justified estimates are essential (Roy et al. 1999). For detailed estimates, risk cost is based upon a knowledge of the cost of opera- tions and the cost of failure repair. Typically, such a cost model would incorporate the following TC = C i +C o +C r (5.8) where: TC = total cost (safety life-cycle cost) C i = initial cost (design and manufacture) C o = operating cost C r = risk cost. The risk cost component of this safety life-cycle (SLC) costing of a process engi- neering design can be expressed in terms of two cost components: • the average cost of failure C f ,and • the expected life of the system L t C r = C f ·L t MTBF (5.9) where: MTBF = mean time between failures. The risk cost component of the average cost of failure, C f , can in turn also be ex- pressed in terms of two cost components: • the cost of failure loss, and • the cost of failure repair C f =[C s (MTTR+T m )+C l ] (5.10) +[C m (MTTR+ T m )+C d +C p ] where: T m = repaired system response time C s = cost of loss of service C l = cost of incident/accident loss C m = cost of failure repair C d = cost of failure delay C p = cost of parts replacement MTTR = mean time to r epair. The expected life of the system L t , expressed as a ratio against the mean time be- tween failures (MTBF), is in effect the expected number of failures over the life span of the system, which is a measure of the system’s reliability, R. This reasoning 590 5 Safety and Risk i n Engineering Design is based on the understanding that MTBF is a measure of the average time until the occurrence of failure. Thus R = L t MTBF (5.11) C r = C f ·R (5.12) Because risk cost is based upon a detaile d knowledge of the cost of system op- erations and repair, the method is not useful during the conceptual design phase of project development. In order to estimate costs during this phase, other approaches are required. b) Parametric Estimating A widely used method for estimating costs at the early stages of process develop- ment is known as parametric estimating (PE). Typically, for most systems in pro- cess engineering, mass relates to the cost of its manufacture. That is, as the weight of a pressure vessel increases, due to an increase in size (volume) or in thickness of material, so does the cost of manufacturing it. Furthermore, this particular relation- ship is often described as linear. Using relatively simple algebra, it is possible to derive a formula to determine a mathematical relationship for cost to mass (or size). The linear equation y = ax+b is used to describe the line of best fit for points representing this relationship and, once described, it is then possible to use the formula to predict the cost of other similar pressure vessels, based on their size or weight alone. Within the field of cost estimating, this relationship is known as a cost estimating relationship (CER). This is a rather simplistic illustration describing the main principles of paramet- ric estimating. As CERs become more complex, involving several variables, more complex mathematical equations are used to describe the relationships. When CERs become too complex for mathematical equations to solve, cost algorithms are devel- oped, such as genetic algorithms (GAs) for determining the extent of the risk cost associated with designing for reliability and safety. An example of the use of su ch an algorithm is in optimising a risk cost function in the allocation of component redundancy to a safety control system (Coit et al. 1996). Parametric estimating can be used throughout the life cycle of an engineered in- stallation. However, it is used mainly during the early stages of development (i.e. conceptual design phase), and for design to cost (DTC) analyses, which is consid- ered later. The techniques are acceptable for both military and industrial application (PCEI 1999). However,parametric estimating does have its disadvantages—for example, CERs of many conceptual designs are too simplistic to forecast costs. Furthermore, para- metric estimating is based primarily on statistical assumptio ns concerning cost driver relationships to cost, and estimations should not completely rely upon sta- tistical analysis. Hypotheses based on experience, common sense and engineering 5.2 Theoretical Overview of Safety and Risk in Engineering Design 591 knowledge should come first, andthen the relationship should be tested with statisti- cal analy sis. M ost CER stud ies apply parametric estimating for quantitative criteria in design, but not for vague or unknown criteria requiring qualitative or expert judg- ment. Current research in this area has demonstrated the validity of the approach (Roy et al. 1999). Design to cost The objective with design to cost (DTC) is to make the design con- verge to an acceptable cost, rather than to let the cost converge to design. DTC activities, during the conceptual and early design phases, are those of determining the trade-offs between cost and performance for each of the concept alternatives. DTC can produce massive savings on risk cost before system development be- gins. The generalapproachis to set a cost goal, then allocate the goal to the elements of the design, including designing for reliability and designing for safety. The de- sign must then beconfined to the alternativesthat satisfy the cost constraint (Michael et al. 1989). However, this is only possible once a risk cost algorithm has been developed that can be used to determine the impact of these elements of the design such as designing for reliability and safety. These algorithm s are used primarily to monitor the impact of design decisions on risk cost, rather than the converse, throughout the engineering design process. It is thus the cost engineers who are responsible for es- tablishing sufficient information on cost in the early stages of systems development that will enable the design engineers to make meaningful decisions. c) Feature-Based Costing A relatively new formof PE is thatof feature-based costing (FBC). This has become popular due to the rise and sophistication of computer aided tools in engineering design. The growth of CAD/CAM technology and that of 3D modelling tools have largely influenced the development of feature-based costing. Researchers have for some time investigated the integration of design, process planning and manufactur- ing for costing using a feature-based modelling approach (Wierda 1991). However, feature-based costing has not yet been fully established or developed with respect to costing safety in engineering design. Nonetheless, there are several good reasons for examining the use of features as a basis for risk costs during the early design phases where certain equipment (i.e. assemblies, sub-assemblies and components) have already been identified. Such equipment can essentially be de- scribed as a number of associated features, i.e. holes, flat faces, edges, folds, etc. It follows that each equipment feature has cost implications, since the m ore f ea- tures the equipment has, the more manufacturing it will require, and the greater its safety risk with respect to operational reliability, durability and robustness. There- fore, choices regarding the inclusion or o mission of a feature impact the risk costs of equipment, especially process control equipment. 592 5 Safety and Risk i n Engineering Design d) Qualitative Cost Estimating Fuzzy logic, possib ility theory and artificial neural networks present the next gen- eration in computerising the human thought processes. Many researchers and prac- titioners are fast developing and investigating the use of artificial intelligence (AI) systems and applying these to cost estimating. For risk cost estimating purposes, the basic idea of using neural networks is to provide data to a computer so that it can computationally learn which saf ety attributes mostly influence the cost. This is achieved by training the system with data from past case examples with respect to the cost o f losses due to hazardous failure, the estimated frequency of the initiating event, and the severity and probability of the consequen ces. The neural network then approximates the functional relationship between the attribute values and the risk cost. Safety attribute values such as estimate values of frequencies and/or probabili- ties are input to the network, which applies the approximatedfunction obtained from the training data and computes a prospective risk cost. Relatively recent work has demonstrated that, under certain conditions, neural networks produce better cost- ing predictions than do conventional regression costing methods. However, in cases where appropriate CERs can be identified, regression models have significant ad- vantages in terms of accuracy, variability, model creation and model examination (Smith et al. 1997). Artificial neural networks (ANN) requirea large case base in order to be effective, which is notalways the case with safety attributes of equipment in process engineer- ing systems. In addition, the case base needs to be comprised of similar equipment in common applications, and new designs need to be of a similar nature, in order for the cost estimate to be effective. Thus, neural networks cannot cope easily with uniquenessor innovationin engineeringdesign. With regression analysis, safety and risk issues in the design can be argued logically, and an audit trail of the develop- ment of the risk cost estimate can be established. This is because a CER equation is developed that is based on common sense and logic. In many cases, when con- sidering neural networks, the resultant equation does not appear logical even if it was extracted by examining the weights, architecture, and nodal transfer functions that are associated with the final trained model. The artificial neural network truly becomes a ‘black box’ CER. This is disadvantageous if a detailed list of the reasons and assumptions behind the risk cost estimate is required. The black box CER also limits the use of risk analysis, which is a prime benefit of parametric estimating, and which will be considered now in greater detail. e) Parametric Costing and Risk Analysis This sub-section provides fundamental knowledge concerning the tools and tech- niques currently used within the area of parametric costing and risk analysis within the conceptual design phase. The method of parametric cost estimating (PCE) is commonly used to estimate the cost of new engineering designs. It provides a tech- nique for predicting cost based on historical relationships between cost and one or 5.2 Theoretical Overview of Safety and Risk in Engineering Design 593 more predictor variables such as cost estimating relationships (CERs). The method uses a statistical approach, and is commonly used for risk cost estimation during the conceptual design phase (Rush et al. 2000). Cost Estimating Relationship (CER) Development Cost estimating relationships (CERs) can range from simple heuristics (rules of thumb) to complex relationships involving multiple variables. The principal func- tion of CERs is to provide equations or graphs that summarise historical cost data from which future cost estimates can be made. A general methodology for d evelop- ing CERs includes activities such as data collection, testing a CER’s logic, statisti- cal analysis, CER significance tests, and validation. The collection of data is o ften a very critical and time-consuming activity, requiring more effort to be devoted to assembling a quality database than to any other task in the CER development pro- cess. After a database is developed, the next step is the mathematical formulation of a hypothesisand then to test the mathematical form ofthe CER in orderto determine its logic. This involves identifying potential cost driving variables and identification of cost relationships. In order to test and validate a CER, the statistical analysis technique of multiple regression is used to test the hypothesis. Although widely accepted, PCE is based on statistical assumptions concerning cost driver relationships to cost, particularly risk cost, and should therefore not be completely reliant upon statistical analysis but based also on experience, common sense and engineering knowledge. Because estimating is based on assumptions concerning the likely risk cost of an as yet un- developed design, the preferred approach is to combine the statistical techniques of parametric estimating with statistical risk analysis. The introduction of risk cost analysis ensures that the consequences of risks are correctly taken into account to be able to quantify risk cost early in the design stage of the life cycle of a system. f) Risk Cost Analysis The first step in analysing risk cost is identification of the CER variables. This is readily available fromthe results of the parametric cost estimating method. The risk cost consists of independent variables relating to the system or equipment attributes such as mass, size, volume, material thickness, etc. included in the CERs, plus the cost o f ensuring the required reliability and safety relative to th e selected attributes. The independent variables, also called cost drivers, are selected through statistical analysis, and form the basis of the CER. The risk cost can be expressed in terms of the following principal cost compo- nents: the parametric cost estimates, and the cost of ensuring reliability and safety RC = C 0 +[C 1 (mass) +C 2 (material)]+C s (5.13) . detail design phases of the engineering design process. 588 5 Safety and Risk i n Engineering Design 5.2.2 Theoretical Overview of Safety and Risk Prediction in Conceptual Design Safety and risk. of Safety and Risk in Engineering Design 589 on costing experience. Although useful for a rough order of magnitude estimate, this type of estimating is too subjective in engineering designs of. considered in the conceptual design phase of the engineering design process, and includes concepts of modelling such as: i. Cost risk models in designing for safety ii. Process operational risk modelling iii.