
Practical Industrial Safety, Risk Assessment and Shutdown Systems for Industry(F1)




DOCUMENT INFORMATION

Basic information

Format: PDF
Pages: 153
Size: 4.7 MB

Content

Practical Industrial Safety, Risk Assessment and Shutdown Systems for Industry

Titles in the series
• Practical Cleanrooms: Technologies and Facilities (David Conway)
• Practical Data Acquisition for Instrumentation and Control Systems (John Park, Steve Mackay)
• Practical Data Communications for Instrumentation and Control (Steve Mackay, Edwin Wright, John Park)
• Practical Digital Signal Processing for Engineers and Technicians (Edmund Lai)
• Practical Electrical Network Automation and Communication Systems (Cobus Strauss)
• Practical Embedded Controllers (John Park)
• Practical Fiber Optics (David Bailey, Edwin Wright)
• Practical Industrial Data Networks: Design, Installation and Troubleshooting (Steve Mackay, Edwin Wright, John Park, Deon Reynders)
• Practical Industrial Safety, Risk Assessment and Shutdown Systems for Instrumentation and Control (Dave Macdonald)
• Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems (Gordon Clarke, Deon Reynders)
• Practical Radio Engineering and Telemetry for Industry (David Bailey)
• Practical SCADA for Industry (David Bailey, Edwin Wright)
• Practical TCP/IP and Ethernet Networking (Deon Reynders, Edwin Wright)
• Practical Variable Speed Drives and Power Electronics (Malcolm Barnes)

Practical Industrial Safety, Risk Assessment and Shutdown Systems for Industry
Dave Macdonald BSc(Eng)

Newnes, an imprint of Elsevier
Linacre House, Jordan Hill, Oxford OX2 8DP
200 Wheeler Road, Burlington, MA 01803

First published 2004
Copyright © 2004, IDC Technologies. All rights reserved.

No part of this publication may be reproduced in any material form (including photocopying or storing in any medium by electronic means and whether or not transiently or incidentally to some other use of this publication) without the written permission of the copyright holder except in accordance with the provisions of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London, England W1T 4LP. Applications for the copyright holder's written permission to reproduce any part of this publication should be addressed to the publisher.

British Library Cataloguing in Publication Data: A catalogue record for this book is available from the British Library.
ISBN 07506 58045

For information on all Newnes publications, visit our website at www.newnespress.com
Typeset and Edited by Vivek Mehra, Mumbai, India (vivekmehra@tatanova.com)
Printed and bound in Great Britain

Contents

Preface xvi

Introduction
1.1 Definition of safety instrumentation
1.2 What is this book about?
1.3 Why is this book necessary?
1.4 Contents of the book
1.5 Introduction to hazards and risks
1.5.1 Risk reduction
1.6 Fatal accident rate (FAR)
1.7 Overview of safety systems engineering (SSE)
1.7.1 Introduction
1.7.2 What we mean by safety functions?
1.7.3 Functional safety 7
1.8 Why be systematic?
1.8.1 UKHSE publication 9
1.8.2 HSE summary 10
1.8.3 Conclusion: It pays to be systematic 11
1.8.4 Scope of safety systems engineering
1.9 Introduction to standards: IEC 61508 and ISA S84 11
1.9.1 Driving forces for management of safety 11
1.9.2 Evolution of functional safety standards 12
1.9.3 Introducing standard IEC 61508 13
1.9.4 Key elements of IEC 61508 13
1.9.5 Features of IEC 61508 13
1.9.6 Introducing Standard ANSI/S 84.01 15
1.9.7 Introducing Draft Standard IEC 61511 15
1.10 Equipment under control 16
1.11 The safety life cycle model and its phases (SLC phases) 17
1.11.1 Basic SLC 17
1.11.2 ISA SLC 18
1.11.3 IEC SLC versions 18
1.12 Implications of IEC 61508 for control systems 20
1.12.1 Some implications of IEC 61508 for control systems 20
1.12.2 Potential problems using IEC 61508 21
1.13 Summary 21
1.14 Safety life cycle descriptions 21
1.14.1 Overview of the safety life cycle based on Table of IEC 61508 part 24
1.15 Some websites for safety systems information 26
1.16 Bibliography and sources of information 27
1.16.1 Suggested books 28
1.16.2 Publications 28
1.16.3 Reports 29
1.17 Guidelines on sector standards 29

Hazards and risk reduction 33
2.1 Introduction 33
2.2 Consider hazards under some main subjects: 34
2.2.1 General physical 34
2.2.2 Mechanical plant 34
2.2.3 Materials 34
2.2.4 Electrical 34
2.2.5 Chemical and petroleum 34
2.2.6 Food processing 34
2.2.7 Bio-medical/pharmaceuticals 34
2.2.8 Nuclear power 35
2.2.9 Domestic 35
2.2.10 Industries where functional safety systems are common 35
2.3 Basic hazards of chemical process 35
2.3.1 Some causes of explosions, fire and toxic release 35
2.3.2 Logic diagram for an explosion 36
2.3.3 Fires: causes and preventative measures 37
2.3.4 Toxic material release 37
2.3.5 Failures of equipment 37
2.4 Introduction to hazard studies and the IEC model 38
2.4.1 Introduction to hazard studies 38
2.4.2 Alignment with the IEC phases 38
2.4.3 Box 1: Concept 39
2.4.4 Box 2: Scope definition 39
2.4.5 Box 3: Hazard and risk analysis 39
2.4.6 Conclusions 40
2.5 Process control versus safety control 40
2.5.1 Historical 40
2.5.2 Separation 41
2.5.3 Functional differences 42
2.5.4 Specials: integrated safety and control systems 43
2.6 Simple and complex shutdown sequences, examples 45
2.6.1 Simple shutdown sequence 45
2.6.2 Complex shutdown sequences 47
2.7 Protection layers 49
2.7.1 Prevention layers 51
2.7.2 Mitigation layers 52
2.7.3 Diversification 52
2.8 Risk reduction and classification 52
2.9 Risk reduction terms and equations 56
2.9.1 Introducing the average probability of failure on demand PFDavg 57
2.10 The concept of safety integrity level (SIL) 58
2.10.1 When to use an SIS and how good must it be? 58
2.10.2 How can we determine the required SIL for a given problem? 60
2.10.3 Quantitative method for determining SIL 60
2.10.4 Example application 60
2.10.5 Summary 61
2.11 Practical exercise 61
2.11.1 Example of SIL determination by quantitative method 61
2.11.2 Comparative SILs table 63

Hazard studies 65
3.1 Introduction 65
3.2 Information as input to the SRS 65
3.2.1 Information from hazard studies must be used 66
3.2.2 The process hazard study life cycle 66
3.2.3 Alignment of process hazard studies with IEC safety life cycle 68
3.2.4 History 69
3.2.5 Guideline documents 69
3.3 Outline of methodologies for hazard studies 1, and 69
3.3.1 Process hazard study 69
3.3.2 Outline of hazard study 70
3.3.3 Timing 70
3.3.4 Topics 70
3.3.5 Environmental impact 71
3.3.6 IEC: concept 71
3.4 Process hazard study 71
3.4.1 Outline 72
3.4.2 Hazard study – systematic procedure 72
3.5 Risk analysis and risk reduction steps in the hazard study 73
3.5.1 Hazards of the EUC control system 74
3.5.2 Event sequences leading to a hazard 74
3.5.3 Hazardous event frequencies 74
3.5.4 Inherent safety solutions 74
3.5.5 Estimating the risk 75
3.5.6 Adding more protection 75
3.5.7 Typical protection layers or risk reduction categories 75
3.5.8 Key measures to reduce the risk 75
3.5.9 Process and operational safety measures 76
3.5.10 Alarm functions 76
3.5.11 Safety instrumented functions 77
3.6 Interfacing hazard studies to the safety life cycle 78
3.7 Evaluating SIS requirements 79
3.7.1 Tolerable risk frequency 80
3.7.2 Safe state of the process 80
3.7.3 Trip functional requirements 80
3.7.4 Action required to reach safe state 80
3.7.5 Process safety time 80
3.7.6 Tolerable rate of spurious trips 80
3.7.7 SIS preliminary estimate 81
3.7.8 Continuation to SRS 81
3.7.9 Hazard report 81
3.8 Meeting IEC requirements 82
3.8.1 IEC requirements for hazard and risk analysis 82
3.9 Hazard study 82
3.9.1 Outline of methodology for HAZOP 83
3.9.2 Outline of HAZOP method 83
3.9.3 Concepts of change paths and elements 84
3.9.4 Generating deviations 85
3.9.5 Study procedure 87
3.9.6 Causes of deviations 88
3.9.7 Consequences of deviations 88
3.9.8 Adding protection layers 88
3.9.9 Recording of HAZOP results and safety functions 89
3.10 Conclusions 89
3.11 Fault trees as an aid to risk assessment and the development of protection schemes 89
3.11.1 Fault trees 89
3.12 Hazard study guidelines 95
3.12.1 Introduction 95
3.12.2 Method 95
3.12.3 Review of hazard study 96
3.12.4 Hazard study report contents 97
3.12.5 Diagrams and tables supporting hazard study 98
3.13 Hazard studies for computer systems 104
3.13.1 Examples of potential causes of failures 105
3.13.2 Guidelines 105
3.13.3 Outline of ‘Chazop’ 105
3.13.4 Hazard study Chazop 106
3.14 Data capture checklist for the hazard study 106

Safety requirements specifications
4.1 Developing overall safety requirements 108
4.1.1 Components of the SRS 108
4.1.2 SRS input section 109
4.1.3 SRS functional requirements 109
4.1.4 SRS integrity requirements 109
4.2 Development of the SRS 110
4.2.1 General development procedure 110
4.2.2 The input requirements 112
4.2.3 Developing the functional requirements 112
4.2.4 Safety integrity requirements 115
4.2.5 Conclusions on the SRS development 116
4.3 Documenting the SRS 116
4.3.1 Checklist for SRS 116
4.3.2 Defining the functions 119
4.4 Determining the safety integrity 123
4.4.1 Diversity in SIL methods 123
4.4.2 Summary of methods for determination of SILs 123
4.4.3 Quantitative method 124
4.4.4 Design example 124
4.4.5 Summary of quantitative method 127
4.4.6 Risk graph methods 128
4.4.7 Defining parameters and extending the risk graph scope 129
4.4.8 Risk graph guidance from IEC 61511 130
4.4.9 Calibration of the risk graph 132
4.4.10 Software tools using risk graphs 132
4.4.11 The safety layer matrix method for SIL determination 132
4.4.12 The LOPA method for SIL determination 133
Figure 4.6 Proposed trip system for a reactor (diagram: SIS logic solver with manual shutdown pushbutton HS 01; reactor with feed line, feed pump P1, feed valve FV 01 (fail open, FO), vent valve PV 02, pressure switch PSH 02; coolant supply with flow measurement FT 02 / FSL 02 and low-flow alarm FAL 02; fuel line with flow controller FC)

Narrative description

The safety function is required to protect the reactor against overpressure or events that could lead to overpressure. The function subdivides into three possible event responses or sub-functions.

Sub-function 1: Loss of coolant. The process feed to the reactor must be shut off automatically if there is a loss of coolant detected by the logic solver reading of flow meter FT 02. The feed is to be shut off by releasing the air supply from FV 01 and this is to be followed 30 seconds later by tripping of the feed pump P1. The reactor vent valve PV 02 is to be opened two minutes after tripping FV 01.

Sub-function 2: High pressure event. If the pressure switch PSH 02 detects high pressure in the reactor, the vent valve PV 02 is to be opened immediately and the process feed is to be shut off as per sub-function 1.

Sub-function 3: Manual shutdown or loss of services. Sub-functions 1 and 2 will also be initiated by operating the manual shutdown pushbutton HS 01. In the event of loss of instrument power or loss of air supply, trip valves FV 01 and PV 02 shall be released immediately and the pump P1 is to be stopped.

Matrix or cause and effect diagram

The above narrative description can be stated in the form of an input/output table or cause and effect matrix as shown in Figure 4.7. The diagram shows the states of inputs on the left side and the states of outputs on the top right. The required output states corresponding to input states are defined by crosses at the intersections. The diagram assumes that all initiator signals are arranged to hold the tripped condition in the logic solver until reset by operator action.

This method of defining functions is good for placing on P&I drawings and for explicitly defining interlocks and basic trip logic. It is not so good for defining shutdown sequences. Note how the SIL requirement for each sub-function has been placed on the diagram. This is an option that may be of value but should not conflict with the safety integrity requirements section of the SRS.

Figure 4.7 Cause-and-effect diagram or matrix table

Initiators (rows):
  Description              Instrument tag   Instrument range   Units    Trip setting   Required SIL
  Coolant flow low (FSL)   FT-01            0-100              m3/h     15
  Reactor pressure high    PSH-02           0-2000             kPag     1600
  Manual trip              HS-01
  Loss of power            XS-03
  Loss of instrument air   PSL-04           0-1000             kPag     300
  Timer T1 expired         KY-01            0-300              secs     30
  Timer T2 expired         KY-02            0-300              secs     120
Outputs (columns): Close valve FV-01, Start timer T1, Stop pump P1, Start timer T2, Open valve PV-02. Crosses mark the outputs demanded by each initiator, as described in the narrative above.
Note: All initiators are to stay tripped until reset by operator.

Trip logic diagrams

Figure 4.8 Trip logic diagram (logic recovered from the figure):
  FT-01 Coolant, 0-100 m3/hr, -ve trip at 15 (FSL-01)   ─┐
  PSH-02, 0-2000 kPag, +ve trip at 1600                 ─┤
  XS-03 Power out                                       ─┼─ OR → Close FV-01, Start T1 (30 secs)
  HS-01 Manual trip                                     ─┤
  PSL-04 Inst air, 0-1000 kPag, -ve trip at 300         ─┘
  T1 out ─ OR (with loss of power / air) → Stop pump P1, Start T2 (120 secs)
  T2 out, PSH-02, HS-01, XS-03, PSL-04 ─ OR → Open PV-02
Note: All initiators are to stay tripped until reset by operator.

Trip logic diagrams are widely used to define safety functions. They are useful because a complete scheme can be followed on one drawing and also because many graphical programming systems use a similar format. Figure 4.8 shows how the logic seen in the matrix table will look in this form. Note that in this version a ‘true’ or ‘1’ state defines the safety function action to be taken. Some versions are drawn to show the ‘1’ state as enabling the process to run and the trip is defined by ‘0’ states. The latter will indicate fail-safe states of the equipment but can be more difficult to follow. The objective is to define the safety function requirements as clearly as possible and leave the fail-safe design to the next phase of the SLC.

Trip link up diagrams

Trip link up diagrams allow a complex trip function to be represented on a multiple set of engineering drawings. This type of diagram is very useful when used as a means of defining the overall scheme to a design contractor because the task can be broken down into easily identified small sections. It also provides a convenient format for adding descriptions and data.

Figure 4.9 Trip link up diagram (two sheets; data recovered from the figure):
  Sheet 1: Initiator / Inst / Range / Set Pt / SIL / Trip Logic / Action
    Coolant flow low        FT-01    0-100 m3/hr     15      → FV-01 Close
    Reactor pressure high   PSH-02   0-2000 kPag     1600    → PV-02 Open
    Vent timer out          KY-02    0-300 secs      120     → To sheet 2
  Sheet 2: From sheet 1
    Loss of control power   XS-03                            → Start pump timer KY-01
    Loss of inst air        PSL-04   0-1000 kPag     300     → Start vent timer KY-02
    Manual shutdown         HS-01                            → Stop pump P1
    Pump timer out          KY-01    0-300 secs      30
  Note: All initiators are to stay tripped until reset by operator.

Note of caution: It is attractive to consider using graphical software tools for defining the safety function, and it can be even more efficient if the graphical tools can be used to directly generate the application program for a safety controller system. However, we must bear in mind that the SRS is a specification document and should be used to ensure the original functional requirements are defined independently of the final implementation. There is a potential risk that by defining the safety function directly in the programming tool any errors in the original specification will be automatically copied through to the implementation without an intervening stage of verification.

4.4 Determining the safety integrity

As we have seen, one of the most important tasks in the SRS development is to specify the safety integrity of each SIS function. This needs to be done fairly early in the development stages to see that our proposed solutions are realistic, achievable and of course affordable. The cost of the SIS will rise steeply with the SIL values: even if we buy a logic solver that meets SIL, the cost of sensors and actuators and engineering work will still be influenced strongly by the SIL rating.

It is important therefore that we have a consistent method of arriving at SIL values within any given organization. To this end we need to consider the most appropriate method of determining the SIL for any particular function. There are at least recognized methods of doing this and these have been widely documented over recent years and now are built into the ISA and IEC standards.

4.4.1 Diversity in SIL methods

The reason for such diversity in methods of determining SILs is probably due to the difficulties of arriving at reliable and credible estimates of risk in the wide variety of situations faced in industries. Whilst a quantitative risk assessment is desirable, it may be worthless if the available data on fault rates is minimal or subject to huge tolerances. Qualitative methods allow persons to use an element of judgment and experience in the assessment of risk without having to come up with numerical values that are difficult to justify.

One advantage of the SIL concept is that it provides a 10:1 performance band for risk reduction and for SIS in each safety integrity level. Hence the classification of the safety system can be matched to a broad classification of the risk, and the whole scheme is able to accept a reasonable tolerance band for the estimates of risks and risk reduction targets.

4.4.2 Summary of methods for determination of SILs

We have already seen that the methods divide into quantitative and qualitative types. IEC 61508 part outlines one qualitative method and quantitative methods, namely:
• Quantitative method using target risk reduction factors
• Qualitative method using risk graphs
• Qualitative method using hazardous event severity matrix

For the process industry sector the newly released standard IEC 61511 provides more specific details of the established methods. These are set out in IEC 61511 part and consist of:
• Quantitative method using target risk reduction factors
• Qualitative method using risk graphs; variations are shown for use where the consequences are environmental damage or asset loss
• Qualitative method using safety layer matrix
• Qualitative/quantitative method using layers of protection analysis (LOPA)

The last two items above are very similar in nature and use formalized definitions of safety layers and protection layers to allow hazard study teams to allocate risk reduction factors to each qualifying layer of protection.

We take a brief look here at the methods for SIL determination described by IEC 61508. You are advised that before attempting to carry out an SIL determination within a project you should carefully read through the material in IEC 61508 part or study IEC 61511 part.

4.4.3 Quantitative method

We have already been introduced to this procedure in Chapter, but a further review using a simple application example may be helpful at this point. We use fault tree analysis and diagrams as introduced in Chapter. Firstly recall that risk reduction comes in parcels! The IEC risk reduction diagram shown here applies.

Figure 4.10 IEC risk reduction diagram (risk scale from residual risk, through acceptable risk, to EUC risk in the direction of increasing risk; the necessary risk reduction is the gap between EUC risk and acceptable risk; the actual risk reduction achieved by all safety-related systems and external risk reduction facilities is made up of partial risk covered by other technology safety-related systems, partial risk covered by E/E/PE safety-related systems, and partial risk covered by external risk reduction facilities)

4.4.4 Design example

Adding protection: Let's return to the simple high level hazard example shown in Chapter.

Figure 4.11 High level hazard (basic tank level control with over-pressure release hazard; relief valve, discharge valve and discharge pump)

Firstly we can draw a fault tree identifying the cause of the hazard and estimating the consequences as a possible fatality with an estimated fatal accident rate.

Figure 4.12 Fault tree for the unprotected hazard
  Level control fails high (0.2/yr)  OR  Operator error (0.8/yr)  → RV opens (1/yr)
  RV opens (1/yr)  AND  Flammable cloud fails to disperse (P = 0.3)  → Flammable cloud (0.3/yr)
  Flammable cloud (0.3/yr)  AND  Sparks from pump (P = 0.05)  → Explosion (0.015/yr)
  Explosion (0.015/yr)  AND  Operator in area (P = 0.2)  → Fatality (0.003/yr)
  EUC risk = 0.003/yr, FAR = 30; Tolerable FAR = 0.2
  Overall SRS requires RRF = 30 / 0.2 = 150

We can set the tolerable risk frequency either by using the classification table we saw in Chapter or by setting the FAR target. In this case we have set the FAR target at 0.2.

External or mitigation layer

Now we can add an external means of risk reduction in the form of a fence around the offending vessel so that the probability of an operator being nearby when the explosion occurs is substantially reduced. Note that this action does not change the hazard event rate but it does reduce the risk frequency of a fatality.

Figure 4.13 Fault tree with external protection layer
  Level control fails high (0.2/yr)  OR  Operator error (0.8/yr)  → RV opens (1/yr)
  RV opens (1/yr)  AND  Flammable cloud fails to disperse (P = 0.3)  → Flammable cloud (0.3/yr)
  Flammable cloud (0.3/yr)  AND  Sparks from pump (P = 0.05)  → Explosion (0.015/yr)
  Explosion (0.015/yr)  AND  Operator in area, fence off the area (P = 0.02)  → Fatality (0.0003/yr)
  FAR = 3; Tolerable FAR = 0.2; Allocated RRF = 10

In this case the FAR remains well above target and this leads us to suggest an SIS protection layer.

Adding the SIS

The suggested SIS is the high level trip system designed to reduce the risk of overfilling and over-pressurizing in the tank.

Figure 4.14 Fault tree with SIS and external protection layer
  Level control fails high (0.2/yr)  OR  Operator error (0.8/yr)  → 1/yr
  1/yr  AND  High level trip fails (P = 0.07, allocated RRF = 15)  → RV opens (0.07/yr)
  RV opens (0.07/yr)  AND  Flammable cloud fails to disperse (P = 0.3)  → Flammable cloud (0.02/yr)
  Flammable cloud (0.02/yr)  AND  Sparks from pump (P = 0.05)  → Explosion (0.001/yr)
  Explosion (0.001/yr)  AND  Operator in area, fence off the area (P = 0.02, allocated RRF = 10)  → Fatality (0.00002/yr)
  FAR = 0.2; Tolerable FAR = 0.2

We can calculate the desired RRF for the SIS using this fault tree. Alternatively we can draw a risk reduction model or diagram as shown in the next diagram.

Figure 4.15 Risk reduction model for the protected hazard (showing safety integrity allocations for the tank example)
  Consequence: fatality
  EUC risk: FAR = 30, FNP = 0.003/yr (frequency = 0.003/yr)
  Target FAR = 0.2; target risk frequency = 0.00002/yr; overall risk reduction = 150
  SIS high level trip: RRF = 15 → FP1 = 0.0002/yr
  Fence off area: RRF = 10 → FP2 = 0.00002/yr
  Tolerable risk target FAR = 0.2; SIL =
  FAR based on 10^4 hrs exposure/yr: FAR = 2 × 10^-5 × 10^8 / 10^4 = 0.2

Note how the risk reduction factor can be calculated for each component of the safety system. Note how the failure rate target figures can be adjusted within a feasible range until a realistic model of the protection system is achieved.

Obtaining the SIL

Now that we have isolated the risk reduction factors we can see how the safety integrity level can simply be obtained from the tables in the standards, just as we did before in Chapter. This exercise results in a requirement for a safety integrity level of to be met by the SIS. Assuming experience confirms that this is reasonable and feasible for the required task, the result would be acceptable and the requirement would be confirmed into the SRS.

4.4.5 Summary of quantitative method

What we have seen here is an example of the quantitative method being used to assist in the development of the SRS and the defining of the SIL. In summary:
• Evaluate hazard event rate without protection
• Define target risk frequency
• Record all details under phase of the SLC
• Add external and non-SIS protection and evaluate effect on risk frequency
• Propose an SIS risk reduction measure which reduces the hazard event rate and hence the risk frequency
• Conclude a practical risk reduction factor for the SIS consistent with being below the target risk frequency
• Convert the risk reduction factor to an SIL value for the SIS
• Draft the SRS with a reference to the calculation sheet and risk reduction model
• Record all documents into phase of the SLC
• Finalize SIS detail SRS as part of phase of the SLC

4.4.6 Risk graph methods

The origin of this method is the German standard VDE 19250 which arrived at an SIL classification code of AK to AK. This method is a very attractive alternative for arriving at SILs because it avoids the need to place actual quantitative figures on the hazard demand rates, risk frequency and the consequences. Since in many cases the figures we use are very approximate, it is perhaps more realistic to use an approximate description.

Figure 4.16 Risk parameters chart based on IEC 61508 example (SIL classification by risk parameters)
  Risk parameters:
  C – Extent of damage: CA: Slight injury; CB: Severe irreversible injury to one or more persons or death of a person; CC: Death of several persons; CD: Catastrophic consequences, multiple deaths
  F – Frequency and exposure time: FA: Seldom to relatively frequent; FB: Frequent to continuous
  P – Hazard avoidance/mitigation: PA: Possible under certain conditions; PB: Hardly possible
  W – Occurrence probability: W1: Very low; W2: Low; W3: Relatively high
  Chart: from the starting point, branch on C (CA, CB, CC, CD), then on F (FA, FB), then on P (PA, PB); the resulting row is read against the columns W3, W2, W1.
  Outcomes: - = No safety requirements; a = No special safety requirements; b = A single E/E/PES is not sufficient; 1, 2, 3, 4 = Safety integrity level

You can see how it works by looking at the next diagram. Let us test it for our previous example.

Figure 4.17 Example of decision path in the risk parameters chart (same chart as Figure 4.16 with the path for the tank example marked)

For the unprotected plant:
• Consequences: CB
• Frequency of exposure or exposure time in zone: FB
• Possibility of avoidance: PA
• Probability: W3

Which leads us to an overall solution requirement of SIL. If we then add the non-SIS measures such as the fence we can test again for the task to be performed by the SIS. In this case FB changes to FA and the SIL becomes SIL.

So the risk graph enables us to decide on the SIL based on our assessment of the risk when there is no SIS, but it does allow us to include for the presence of other protection measures. It seems a lot easier to arrive at the same conclusion that we achieved with the quantitative method. However, the accuracy depends on the interpretation of the clauses.

4.4.7 Defining parameters and extending the risk graph scope

Before a risk graph can be used the project team must establish the definition of the parameters being used and decide on the design of risk graph to be used. In practice in the process industries there are separate versions for three categories of hazard, i.e.:
• Harm to persons
• Harm to environment
• Loss of assets (production and equipment losses/repair costs)

All three versions of the risk graph can have the same basic layout but for environment and asset loss the parameter F, for exposure, is considered to be permanent and can be left out of the diagram. For a full determination of SIL requirements each safety function should be evaluated for the three categories of hazard and the SIL target rating must be set to meet the highest value found from the three categories.

4.4.8 Risk graph guidance from IEC 61511

IEC 61511 has generated a very useful example version of the factors affecting the parameters C, F, P and W. We must be clear that for each application it is the responsibility of individual companies or safety departments to establish their own agreed parameters for the risk graph they wish to use. The meaning of the parameters must first be clear. Table B1 from IEC 61511, seen below, can be used for this. In particular it is important to note the interpretation of the term W as being based on the assumption that no SIS is present.

Parameter descriptions table

Consequence (C): Average number of fatalities likely to result from the hazard. Determined by calculating the average numbers in the exposed area when the area is occupied, taking into account the vulnerability to the hazardous event.
Occupancy (F): Probability that the exposed area is occupied. Determined by calculating the fraction of time the area is occupied.
Probability of avoiding the hazard (P): The probability that exposed persons are able to avoid the hazard if the protection system fails on demand. This depends on there being independent methods of alerting the exposed persons to the hazard and manual methods of preventing the hazard or methods of escape.
Demand rate (W): The number of times per year that the hazardous event would occur if no SIS was fitted. This can be determined by considering all failures which can lead to one hazard and estimating the overall rate of occurrence.

Table 4.4 Deciding parameter values in a risk graph

Risk tables must align with any existing risk profile specified by a user company for its operations and sites. IEC 61511 contains a table of suggested consequence and frequency parameters that might be used to produce what is described as a ‘semi-quantitative risk graph’. Other authorities such as the UK Offshore Operators Association have produced their own consensus parameter descriptors. Hence various well established risk graph versions can be used in relevant industries.

The values for personal hazards suggested by IEC 61511 part Annex D are indicated in the following table, but please note that the IEC standard and Annex D should be carefully studied for the exact wording and context. Our notes here are intended for preliminary guidance only.

Parameter / Range of values

Consequence (C) = Average number of fatalities:
  CA = Minor injury
  CB = Range 0.01 to < 0.1
  CC = Range 0.1 to < 1.0
  CD = Range > 1.0
Occupancy (F): calculated by determining the length of time the area exposed to the hazard is occupied during a normal working period:
  FA = Rare to more often exposure in the hazardous zone; occupancy less than 0.1
  FB = Frequent to permanent exposure in the hazardous zone
Avoidance (P): probability of avoiding the hazardous event if the protection system fails to operate:
  PA = Possible to avoid. Should only be selected if all the following are true:
    − facilities are provided to alert the operator that the SIS has failed
    − independent facilities are provided to shut down such that the hazard can be avoided or which enable all persons to escape to a safe area
    − the time between the operator being alerted and a hazardous event occurring exceeds hour
  PB = Not possible to avoid. Applies if any of the PA conditions are not met
Demand rate (W): the number of times per year that the hazardous event would occur in the absence of the SIS under consideration (see note 1):
  W1 = Demand rate less than 0,1 D per year
  W2 = Demand rate between 0,1 D and D per year
  W3 = Demand rate between D and 10 D per year

Note 1: In the demand rate table, D is a calibration factor decided by the user to ensure that the residual risk achieved by using the risk graph is acceptable to the organization. It is possible that the IEC committee has introduced this term to encourage users to calibrate their risk graph designs against tolerable risk levels for their particular industry. Draft versions of this standard carried defined values for W but there has been a temptation for users to take the value as a guide to acceptable risk, which was not the intention of the table. By relating the risk graph decisions to risk reduction factors provided by SILs and comparing them with typical tolerable risk frequencies it appears that D might be typically in the range 0.1 to 0.5. However, we stress that this is for the end user to decide in terms of corporate policy and local conditions.

Table 4.5 Table of risk parameters based on IEC 61511-3 Annex D

For an individual company the values would be adjusted to align with any existing risk matrices or risk profile charts. IEC 61511 Annex D also provides guidance for parameters relevant to using the risk graph for environmental hazards and for asset loss. These scales are also likely to be modified by the end user, but for the initial guidance we recommend users consult the IEC 61511 standard.

4.4.9 Calibration of the risk graph

IEC 61511 requires that the parameters table and the use of the risk graph be validated by first testing its results against examples where the SIL rating is agreed with some confidence. This can be done conveniently by comparing the results of simple cases where a quantitative risk reduction model has been drawn. In practice several practical examples would serve to confirm the calibration of the risk graph. Another approach is to test the risk graph on well established safety systems within existing installations where the level of risk, consequence and effective SIL values are already known.

4.4.10 Software tools using risk graphs

In applications where a large number of safety functions are to be installed it is essential to set up a systematic method of specifying and recording the reasoning and decision making involved in arriving at the SIL target for each safety function. Risk graph methods are adaptable to database management applications and provide an easy to use graphical interface for a design team to work with. If the agreed and approved risk parameter descriptions and ranges are built into the application package, this will ensure that all SIL decisions are made on a consistent basis.

The advantages of using a database package to record SIL decisions include the ability to maintain a life cycle record of the hazard study results and operating data that may have been used in the initial decision. The software can keep a record of all changes affecting the safety functions and is easily revisited for periodic safety audits. A number of companies have developed software tools for SIL determination and some references have been included in Appendix A.

4.4.11 The safety layer matrix method for SIL determination

Another qualitative method described by IEC standards is called the safety layer matrix method. This is described in Annex E of IEC 61508 part. The same procedure is detailed in the ISA standard
S84.01 Annex A.3.1, where it is called the safety layer matrix and the same principles have been included in the recently issued IEC 61511 in annex along with the risk graph The origin of the method is attributed to the following well established reference book: Guidelines for Safe Automation of Chemical Processes, American Institute of Chemical Engineers, CCPS, 345 East 47th Street, New York, NY 10017, 1993, ISBN 8169 0554 IEC state some basic requirements for safety layers before the logic of the matrix diagram can be used: • Independent SIS and non SIS risk reduction facilities • Each risk reduction facility is to be an independent protection layer Safety requirements specifications 133 • Each protection layer reduces the SIL by (i.e it must be shown to be capable of an RRF of at least 10) • Only one SIS is used The method then determines the SIL for the SIS by applying the situation to a severity matrix chart such as the one shown in the next diagram SIL Classification by Hazardous Event Severity Matrix [C] [C] [C] [C] [C] [C] [C] SIL SIL [C] [C] SIL [C] SIL SIL SIL SIL SIL [B] SIL SIL SIL SIL SIL SIL [B] SIL [B] SIL [B] SIL [A] Low Med High Low Med High Low Med High Event likelihood [D] Minor Event likelihood [D] Serious Event likelihood [D] Extensive Figure 4.18 Hazardous event severity matrix Testing this using our previous example: • Severity: Serious event likelihood: • Medium number of independent protection layers: • SIL of the SIS = This seems even easier than the risk graph but it depends on a calibrated scale of severity and the correct identification of valid protection layers Obviously we need to be sure that each safety layer has a suitable integrity to qualify as a protection layer For example an alarm system would help with our example but we would have to analyze its effectiveness to be sure of its integrity There are some other variations on these methods detailed in the ISA annex and it is important to note that some industries, in particular 
the nuclear power industry prefer to determine the SIL requirements on the basis of ‘consequences only’ This approach is a conservative one and probably ensures adequate protection but it could result in relatively expensive solutions 4.4.12 The LOPA method for SIL determination The term LOPA is an abbreviation for layer of protection analysis The method is a continuation of the HAZOP study and accounts for each identified hazard by documenting the initiating cause and the protection layers that prevent or mitigate the 134 Practical Industrial Safety, Risk Assessment and Shutdown Systems for Industry hazard The total amount of risk reduction recognized in the plant design and its protection systems is evaluated, typically using a table or spreadsheet format If the predicted risk level is higher than the acceptable target for the project or the company the need for additional protection is clear If the existing risk reduction layers are given quantitative failure on demand values (i.e PFD values) the additional PFD required from a safety system can be found and hence the SIL is determined from the standard SIL/PFD tables The version of LOPA described in IEC 61511 part Annex F is interesting and very useful because it includes suggested or typical PFD values for factors such as operator responses and alarm system integrities It also suggests a range of frequency values for demand categories This method is effectively a general purpose implementation of the quantitative method we have examined earlier in this chapter and previously in Chapter 4.5 Summary of this chapter This chapter has outlined what information has to be captured in the safety requirements specification and what has to be done to determine the safety integrity requirements Three development stages are involved in moving from an overall safety requirement to a detailed performance specification for the SIS Each stage allows the design to be placed in the context of the original protection needs so 
that continuity with the hazard analysis stage is maintained Some well established methods for determining the SILs have been described and the selection of one or more methods is a project choice dependent on company practices and the type of information available It is important that the project team recognizes the benefits of establishing high quality definitions for functional requirements and the benefits of optimizing the SIL requirements It will become clear from the next chapters that the cost of safety system rises steeply with increasing SIL values; hence there is considerable value in getting the SIL target right If the development data has been captured properly the SLC project is now ready for the conceptual design phase .. .Practical Industrial Safety, Risk Assessment and Shutdown Systems for Industry Titles in the series Practical Cleanrooms: Technologies and Facilities (David Conway) Practical Data... Practical Industrial Data Networks: Design, Installation and Troubleshooting (Steve Mackay, Edwin Wright, John Park, Deon Reynders) Practical Industrial Safety, Risk Assessment and Shutdown Systems. .. quantitatively’ Roughly: RISK = FREQUENCY × CONSEQUENCE OF HAZARD Consider the risk on a cricket field 4 Practical Industrial Safety, Risk Assessment and Shutdown Systems for Industry If we can’t
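The LOPA arithmetic of Section 4.4.12, with the independent-protection-layer qualification rule of Section 4.4.11 (each credited layer must be capable of an RRF of at least 10), as an added worked example that is not code from the book. All frequencies, PFD values and the tolerable target are constructed sample figures; the SIL bands are the standard low-demand PFDavg bands, and the scenario and layer names are hypothetical.

```python
"""LOPA worked example: required SIS PFD and SIL from an initiating event
frequency and the PFDs of the independent protection layers (IPLs).
Added illustration, not the book's code; all numbers are constructed samples."""
from dataclasses import dataclass, field

# Standard low-demand SIL bands as (SIL, lower PFDavg bound, upper PFDavg bound).
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]
MAX_IPL_PFD = 0.1   # a layer is only credited as an IPL if its RRF is at least 10


@dataclass
class Ipl:
    name: str
    pfd: float          # probability of failure on demand of this layer


@dataclass
class Scenario:
    hazard: str
    initiating_cause: str
    initiating_frequency: float   # demands per year with no protection in place
    tolerable_frequency: float    # company target, hazardous events per year
    ipls: list = field(default_factory=list)


def mitigated_frequency(s: Scenario) -> float:
    """Event frequency remaining after every credited IPL has been applied."""
    f = s.initiating_frequency
    for ipl in s.ipls:
        if not 0.0 < ipl.pfd <= MAX_IPL_PFD:
            raise ValueError(f"{ipl.name}: PFD {ipl.pfd} does not qualify as an IPL")
        f *= ipl.pfd
    return f


def required_sis_pfd(s: Scenario) -> float:
    """PFD the SIS must provide; 1.0 means existing layers already meet the target."""
    f = mitigated_frequency(s)
    return 1.0 if f <= s.tolerable_frequency else s.tolerable_frequency / f


def sil_for_pfd(pfd: float) -> int:
    """SIL band containing the required PFD; 0 means no SIL-rated function (RRF < 10)."""
    if pfd >= 1e-1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    raise ValueError("required PFD below 1e-5: reduce the risk by design, not by a SIS alone")


if __name__ == "__main__":
    s = Scenario("reactor overpressure", "cooling water failure", 0.5, 1e-5,
                 [Ipl("BPCS pressure control loop", 0.1), Ipl("alarm and operator response", 0.1)])
    pfd = required_sis_pfd(s)
    print(f"mitigated {mitigated_frequency(s):.1e}/yr; SIS needs PFD <= {pfd:.1e} -> SIL {sil_for_pfd(pfd)}")
```

The SIS must then be designed to achieve the actual required PFD, not merely to fall somewhere in the band's range.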

Posted: 12/11/2019, 09:58
