Handbook of Reliability, Availability, Maintainability and Safety in Engineering Design - Part 67 doc


644   5 Safety and Risk in Engineering Design
5.2 Theoretical Overview of Safety and Risk in Engineering Design

Fig. 5.34 High-integrity protection system (HIPS)

Table 5.15 Component functions for the HIPS system (λ = failure rate; the second figure in that column is the mean repair time; the last column is the maintenance interval; units are not stated in the source)

| Component        | Code | Function                                                            | Failure modes                                          | λ, mean repair time | Maint. interval |
|------------------|------|---------------------------------------------------------------------|--------------------------------------------------------|---------------------|-----------------|
| Main PCV         | V1   | Stop high-pressure surge passing through system                     | Valve fails open: PCV-M                                | 1.14×10⁻⁵, 36.0     | 4,360           |
| Sub-PCV          | V2   | Stop high-pressure surge passing through system                     | Valve fails open: PCV-S                                | 1.14×10⁻⁵, 36.0     | 4,360           |
| ESD valve        | V3   | Stop high-pressure surge passing through system                     | Valve fails open: V-ESD                                | 5.44×10⁻⁶, 36.0     | 4,360           |
| HIPS1            | V4   | Stop high-pressure surge passing through system                     | Valve fails open: VH1                                  | 5.44×10⁻⁶, 36.0     | 4,360           |
| HIPS2            | V5   | Stop high-pressure surge passing through system                     | Valve fails open: VH2                                  | 5.44×10⁻⁶, 36.0     | 4,360           |
| Solenoid         | Sol  | Supply power to valves                                              | Fails energised: PCVs M, S and ESD, and SH1, SH2       | 5.00×10⁻⁶, 36.0     | 4,360           |
| Relay contacts   | RC   | Supply power to solenoids (2 per solenoid)                          | Fails closed: R1–R10                                   | 0.23×10⁻⁶, 36.0     | 4,360           |
| Pressure sensors | PrS  | Indicate the level of pressure to the computer                      | Fails to record actual pressure: P1–P6                 | 1.50×10⁻⁶, 36.0     | 4,360           |
| DCS              | DCS  | Reads information sent from pressure sensors and acts to close valves | Fails to read or act on information                  | 1.00×10⁻⁵, 36.0     | 4,360           |

The system of Fig. 5.34 is intended to stop a high-pressure surge originating from the process circulation pumps, in order to protect equipment located downstream of the process. The first level of protection is the emergency shutdown (ESD) sub-system. This comprises three pressure sensors (P1, P2, P3), of which two out of three must indicate a high pressure to cause a trip, together with two pressure control valves (PCVs), a main PCV and a subsidiary PCV, and an emergency shutdown (ESD) valve (V1, V2, V3), which close on a trip. If a high-pressure surge is detected, the ESD sub-system acts to close the main PCV, the sub-PCV and the ESD valve.
To provide an additional level of protection, a second sub-system is included, the high-integrity protection sub-system (HIPS). This sub-system also comprises three pressure sensors (P4, P5, P6), of which two out of three must indicate a high pressure to cause a trip, and two isolation valves labelled HIPS1 and HIPS2 (V4, V5). The HIPS works in a manner identical to that of the ESD but has its own pressure sensors, independent of those of the ESD. The sensors of both sub-systems feed their information into a common distributed control system (DCS), which is therefore shared by both levels of protection. The cause-consequence diagram is constructed following the rules given in Sub-section f) above: component failure event ordering, cause-consequence structure, reduction, and system failure quantification.

g) Event Ordering and Cause-Consequence Diagram Construction

The ordering is based on the action of the components that could perform the task required by the system, i.e. the main valve, the subsidiary valve, the ESD valve, the HIPS1 valve and the HIPS2 valve. The cause-consequence diagram is constructed by considering the functionality of each valve and its effect on the system. Following the removal of all redundant decision boxes, the minimal cause-consequence structure can be developed as indicated in Fig. 5.35. The combination fault trees developed for each decision box are illustrated in Fig. 5.36.

Fig. 5.35 Cause-consequence diagram for HIPS system (Ridley et al. 1996)

Fig. 5.36 Combination fault trees for cause-consequence diagram

Following the construction of the cause-consequence diagram, each sequence path is inspected and any common independent sub-trees or basic events are identified. The first sequence path inspected in the HIPS system reveals that a common sub-module is present in ft1, ft2 and ft3, namely the failure of the pressure sensors P1, P2 and P3.
Extraction of this common sub-module, the failure of the pressure sensors P1, P2 and P3, results in the modified cause-consequence diagram depicted in Fig. 5.37. The cause-consequence diagram is reduced to a minimal form by removing any redundant decision boxes that have been identified. From the new version of the diagram, all sequence paths are investigated and modified accordingly, using the rules outlined previously in Sub-section f). This procedure is repeated until all sequence paths have been inspected and no repeated sub-trees or basic events remain.

Fig. 5.37 Modified cause-consequence diagram for HIPS system (Ridley et al. 1996)

The corresponding combination fault trees developed for the modified cause-consequence diagram of Fig. 5.37, specifically for 'valve fails open' (PCVs M, S and ESD) and for 'sensors fail' (the HIPS valves HIPS1 and HIPS2), are given in Fig. 5.38. The final cause-consequence diagram with its combined fault trees can now be constructed as illustrated in Fig. 5.39. The combined fault trees shown in Fig. 5.40 are now in a form in which each path contains only independent events in its decision boxes, and can therefore be quantified directly. The probability of a high-pressure surge passing through the system is obtained by summing the probabilities of the sequence paths ending in the consequence PS; in this example PS is reached via five mutually exclusive paths (n = 5), so

  $\text{Probability (High Pressure)} = \sum_{i=1}^{n} P(\text{Path}_i)$     (5.83)

Fig. 5.38 Combination fault trees for modified cause-consequence diagram

Component failures in a safety system are not revealed, and hence not corrected, until the next scheduled maintenance test; a failed component therefore remains in the failed state, on average, for half the maintenance interval plus its repair time. Its failure probability (unavailability) is given by

  $Q_i = \lambda_i\,[\tau + \theta/2]$     (5.84)

where:
  $Q_i$ = probability of the ith failure
  $\lambda_i$ = ith failure rate
  $\tau$ = mean time to repair
  $\theta$ = maintenance interval.

The failure rate and the two times must be expressed in consistent units (for example failures per hour, and hours) so that $Q_i$ is a dimensionless probability.
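The following Python script is an added worked example, not code from the handbook or from Ridley et al. (1996). It applies Eq. (5.84) to every basic event in Table 5.15, evaluates the two-out-of-three sensor vote exactly, sums mutually exclusive path probabilities as in Eq. (5.83), and compares the single-event DCS cut set with a four-event combination of valve failures. Two assumptions are made: the table's failure rates are taken to be per hour and its times in hours (any consistent pair of units gives the same dimensionless Q), and the four-valve combination is an illustrative choice to show the effect of cut-set order, not one of the minimal cut sets of Fig. 5.40.

```python
"""Worked application of Eqs. (5.84) and (5.83) to the HIPS data of Table 5.15.

Added example; not code from the handbook or from Ridley et al. (1996).
Assumptions: failure rates are per hour and the repair time / maintenance
interval are in hours (the table gives no units; any consistent pair works).
The four-event combination used below is an illustrative choice, not one of
the minimal cut sets of Fig. 5.40.
"""

# Table 5.15: (failure rate lambda, mean repair time tau, maintenance interval theta)
COMPONENTS = {
    "PCV-M": (1.14e-5, 36.0, 4360.0),   # main PCV fails open
    "PCV-S": (1.14e-5, 36.0, 4360.0),   # sub-PCV fails open
    "V-ESD": (5.44e-6, 36.0, 4360.0),   # ESD valve fails open
    "VH1":   (5.44e-6, 36.0, 4360.0),   # HIPS1 valve fails open
    "VH2":   (5.44e-6, 36.0, 4360.0),   # HIPS2 valve fails open
    "Sol":   (5.00e-6, 36.0, 4360.0),   # solenoid fails energised
    "RC":    (0.23e-6, 36.0, 4360.0),   # relay contact fails closed
    "PrS":   (1.50e-6, 36.0, 4360.0),   # pressure sensor fails to record pressure
    "DCS":   (1.00e-5, 36.0, 4360.0),   # DCS fails to read or act on information
}


def unavailability(lam: float, tau: float, theta: float) -> float:
    """Eq. (5.84): Q = lambda * (tau + theta/2).

    A dormant failure is found only at the next maintenance test, so on
    average it persists for half the interval plus the repair time; Q is the
    fraction of time the component spends in the failed state.
    """
    return lam * (tau + theta / 2.0)


def component_unavailabilities() -> dict:
    """Q_i for every basic event in Table 5.15."""
    return {name: unavailability(*data) for name, data in COMPONENTS.items()}


def two_out_of_three_fails(q: float) -> float:
    """Probability that a 2oo3 vote fails to trip: at least two of three
    independent sensors, each unavailable with probability q, have failed.
    This is the exact value, not a rare-event approximation."""
    return 3 * q**2 * (1 - q) + q**3


def cut_set_probability(events, q: dict) -> float:
    """Probability that every (independent) basic event in a cut set has occurred."""
    p = 1.0
    for e in events:
        p *= q[e]
    return p


def high_pressure_probability(path_probabilities) -> float:
    """Eq. (5.83): the sequence paths ending in consequence PS are mutually
    exclusive, so the probability of a high-pressure surge is their plain sum."""
    return sum(path_probabilities)


def cut_set_order_comparison() -> dict:
    """Compare the order-1 DCS cut set with an assumed order-4 combination of
    valve failures, to show why cut sets of order >= 4 add little to the
    system unavailability."""
    q = component_unavailabilities()
    order1 = cut_set_probability(("DCS",), q)
    order4 = cut_set_probability(("PCV-M", "PCV-S", "V-ESD", "VH1"), q)  # illustrative
    return {"dcs": order1, "order4": order4, "ratio": order1 / order4}


def largest_order4_product(q: dict) -> float:
    """Upper bound on any single order-4 cut set of independent events: the
    product of the four largest component unavailabilities in the table."""
    top = sorted(q.values(), reverse=True)[:4]
    p = 1.0
    for v in top:
        p *= v
    return p


if __name__ == "__main__":
    q = component_unavailabilities()
    for name, val in q.items():
        print(f"{name:6s} Q = {val:.5f}")
    print(f"2oo3 sensor group fails to trip: {two_out_of_three_fails(q['PrS']):.3e}")
    cmp = cut_set_order_comparison()
    print(f"DCS alone: {cmp['dcs']:.3e}; assumed order-4 set: {cmp['order4']:.3e}; "
          f"ratio {cmp['ratio']:.0f}")
    print(f"bound on any order-4 cut set: {largest_order4_product(q):.3e}")
```

With τ = 36 and θ = 4,360 the bracket in Eq. (5.84) is 2,216, so the DCS alone has Q ≈ 0.022, while even the product of the four largest component unavailabilities in the table is below 10⁻⁶; this is the quantitative reason the single-point DCS failure dominates the result and the order-4 cut sets barely register.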
The calculated system unavailability is identical to that produced by the FTA method. This result reflects well on the cause-consequence diagram method in comparison with FTA, because it makes explicit that the example system can fail through a single component, namely the DCS, which both sub-systems share. The remaining minimal cut sets are of order 4 or more and therefore have little effect on the overall system unavailability. For a system that contains a large number of small-order minimal cut sets, the cause-consequence diagram method would yield a more accurate result than FTA, since its path probabilities are exact rather than approximate.

Fig. 5.39 Final cause-consequence diagram for HIPS system (Ridley et al. 1996)

The developed algorithm will produce the correct cause-consequence diagram and calculate the exact system failure probability for static systems with binary success or failure responses to the trigger event. This is achieved without having to construct the fault tree of the system, and it retains the documented failure logic of the system (Ridley et al. 1996). The cause-consequence diagram is reduced to a minimal form by, first, removing any redundant decision boxes and, second, manipulating any common failure events that exist on the same path. The common failure events can be extracted as common sub-modules or as individual events. This process is equivalent to constructing the fault tree and identifying and extracting its independent sub-modules. Thus exact, rather than approximate, calculations are performed.

Fig. 5.40 Combination fault trees for the final cause-consequence diagram (Ridley et al. 1996)

5.2.4.3 Failure Modes and Safety Effects Evaluation

Failure modes and effects criticality analysis (FMECA) is a design discipline in which an engineer examines and records the consequences of any (usually only single-point) failure on the operation of a system.
The purpose of the analysis is to highlight any significant problems with a design and, if possible, to change the design to avoid those problems (Price 1996). In contrast, failure modes and safety effects (FMSE) evaluation is a detail design discipline that examines and records the safety consequences of a system's failures through safety criticality analysis.

a) Safety Criticality Analysis

In complex engineering designs, the determination of safety criticality is essentially an expansion of risk analysis in which the focus is placed on the importance of safety-critical equipment early in the engineering design stage. Any significant effect on the operational performance of critical equipment as a result of changes made in designing for safety will inevitably have an impact on the performance of the total process. In effect, risk-based safety criticality analysis quantifies these impacts on total process performance, and preventive maintenance tasks are scheduled at the frequencies the analysis requires. Essential preventive maintenance intervals are set by equipment age analysis, in which the rate of deterioration and the resulting potential failure ages are determined through the statistical method of residual life evaluation. Safety criticality in process engineering is complex, and depends basically upon the reliability of equipment subject to a variety of failure risks. This complexity is due to the interaction between the various risks of failure. These risks are defined as the product of the consequence of failure and the probability of its occurrence.

Consequence of failure

The main concern with equipment failure, particularly functional failure, is its consequence. The consequences of functional failures may range from the cost of replacing a failed component, to consequential damage to equipment, and possibly to a safety hazard involving loss of life or limb.
The more complex equipment designs are, with regard to their constituent components and configuration, the more ways there are in which functional failures can occur. Some typical process engineering consequences of functional failure are abnormal pressures, excessive vibration, overheating, cracking, rupturing, warping, etc. As many functional failures can be defined as there are different types of component function. However, on scrutinising these consequences of failure it becomes evident that two types can be distinguished: operational consequences of failure and physical consequences of failure. Consequences of functional failure such as abnormal temperature, abnormal pressure, excessive vibration, overheating, etc. affect the operational function or working performance of the equipment or system. Consequences such as cracking, rupturing, warping, etc. affect the physical function or material design of the equipment or system. Thus, at each level of a systems hierarchy, or systems breakdown structure (SBS), an item may have functional failures of its operational or physical functions whose consequences affect the operational or physical functions of a higher level of the hierarchy. These consequences are then likewise recognised as either operational or physical consequences. As a result, the operational and physical consequences of functional failure can be grouped into five significant categories:

• Safety operational and physical consequences.
• Economic operational and physical consequences.
• Environmental operational and physical consequences.
• Systems operational and physical consequences.
• Maintenance operational and physical consequences.

Safety operational and physical consequences

Safety operational and physical consequences of functional failure are alternatively termed critical functional failure consequences. In general, if the consequences of a functional failure are critical, then the functional failures resulting from the inability to carry out the operational or physical functions are defined as critical failures. Safety consequences of functional failure in certain operational or physical functions are always critical. In evaluating functional failure, the first consideration is safety. Functional failures that fall into this category are classed as critical. These functional failures affect either the operational or the physical functions of equipment in a way that could have a direct effect on safety. The term 'direct' implies certain limitations: the impact of the functional failure must be immediate if it is to be considered direct. Safety of equipment in this context rests on two specific definitions:

Safety is defined as 'not involving risk'.
Risk is defined as 'the chance of disaster or loss'.

It follows from these definitions that safety as not involving risk in the form of disaster has to do with personal protection against injury or the loss of 'life or limb', and safety as not involving risk in the form of loss of property has to do with equipment protection against 'consequential damage'. Safety can thus be classified into two categories, one relating to personal protection, the other to equipment protection. Risk can be quantified as the product of the probability of occurrence (chance) and the level of severity (disaster or loss). Risk is an indication of the degree of safety.
Thus:

  Risk = Severity × Probability

The measure of probability can be quantified in the form of statistical probability distributions or measures of statistical likelihood. Severity relates to the disaster or loss incurred, and its measure can be quantified on the basis of two aspects, accidents and incidents, corresponding to the two categories of safety (personal protection and equipment protection). In this regard, an accident is an undesired event that results in disastrous physical harm to a person. An incident is an undesired event that could result in a loss; in the context of safety this loss is an asset loss, i.e. consequential damage to equipment or property. An assessment of the severity of risk is therefore an estimate of the disaster or loss that can occur, whereas an evaluation of the severity of risk is an account of the actual disaster or loss that has occurred.

The estimated severity of risk is a vital tool in the evaluation of designing for safety. It is assessed on the basis of the estimated measure of severity, quantified in terms of accidents and incidents, for which an estimate of the possible occurrences of accidents or incidents must be made. This is known as the estimated degree of safety (accidents or incidents).

The estimated degree of safety—accidents: This is assessed according to the contribution of the estimated physical condition of the equipment to its safety, the estimated disabling injury frequency, and the estimated reportable accident frequency, arising from functional failure predictions for the equipment that result in a disastrous safety consequence of failure. However, not every critical functional failure results in an accident. Some such failures may occur with no disastrous safety consequence but rather with an asset loss, i.e. consequential damage to equipment or property. The severity of risk in this case is assessed on the basis of the measure of severity quantified in incidents, where an estimate of the possible occurrences of incidents is made. This is known as the estimated degree of safety (incidents).

The estimated degree of safety—incidents: This is assessed according to the contribution of the estimated physical condition of the equipment to its safety, the estimated downtime frequency, and the estimated reportable incident frequency, arising from functional failure predictions for the equipment that result in an asset loss consequence of failure.

Aside from the severity of risk being an assessment of the disaster or loss that can occur, the issue in designing for safety is not whether the accidents or incidents underlying the estimated degree of safety are inevitable but whether they are probable; hence the measure of probability in assessing risk. Safety operational and physical consequences should always be assessed at the most conservative level and, in the absence of proof that a functional failure affects safety, it is nevertheless precautionary to classify it by default as critical.

In contrast, the actual severity of risk is a vital tool in the verification of designing for safety, where the statistics of safety operational and physical consequences of functional failure, and of the causes of critical functional failures, are essential for validating the safety criticality analysis applied during the detail design phase. The actual severity of risk is evaluated on the basis of the actual measure of severity, quantified in the two aspects of accidents and incidents, for which an analysis of the actual occurrences of accidents or incidents must be made. This is known as the actual degree of safety (accidents or incidents).

The actual degree of safety—accidents: This is evaluated according to the contribution of the actual physical condition of the equipment to its safety, the actual disabling injury frequency, and the actual reportable accident frequency, arising from the functional failure history of the equipment that resulted in a disastrous safety consequence of failure. Similarly, the actual severity is evaluated on the basis of the measure of severity quantified in incidents, where a determination of the actual occurrences of incidents must be made. This is known as the actual degree of safety (incidents).

Posted: 02/07/2014, 10:20