risk analysis tips for maximizing value
DESCRIPTION
risk analysis, IEC61511, Safety, Hazard, safety lifecycle
TRANSCRIPT
2/20/2014
Copyright exida.com LLC 2000-2013 1
Copyright exida.com LLC 2001-2014
Risk Analysis Tips for Maximizing Value
Regional Offices: United Kingdom +44 1926 676 125; Netherlands +31 318 414 505; New Zealand / Aus +64 3 472 7707; US Gulf Coast +1 713 382 7170
Main Offices: Germany +49 89 4900 0547; USA +1 215 453 1720; South Africa +27 31 267 1564; Switzerland +41 22 364 14 34; Canada +1 215 453 1720; Mexico +52 55 1518 0573; Singapore +65 5222 5160
exida Industry Focus (figure)
Services: SIL and device selection, SIL verification, tools, competence development (CFSE), FSM setup, management support, development support, certification
Customers: OEM system designers, end users, engineering contractors
Industries: automotive, nuclear, automation, process industry
Presented by Dr. Eric Scharpf, CFSE
exida partner since start-up
Specializes in risk analysis and functional safety assessment
Leads machine and process safety projects
Wrote the Safety Integrity Level Selection book in 2002 and the Practical SIL Target Selection book in 2012
Webinar Objective
Present ten tips to ensure you get the maximum value from your risk analysis
Common mistakes to avoid
Potential analysis improvements
Identifying potential design improvements
Tip 1: Get the Context Right
What type of risks do you manage?
IEC 61511 Safety Lifecycle (figure)
Management of Functional Safety and Functional Safety Assessment [Clause 5]
Safety Lifecycle Structure and Planning [Clause 6.2]
Verification [Clause 7 & Clause 12.7]
Analysis (Analyse Risk, Specify): Process Hazard & Risk Analysis [Clause 8]; Allocate Safety Function to Protection Layers [Clause 9]; SIS Safety Requirements Specification [Clauses 10 & 12]
Off-Site (Design & Build, Test): SIS Design and Engineering [Clauses 11 & 12]; SIS FAT [Clause 13]
On-Site Operation (Install, Validate, Proof Test, Manage): SIS Installation & Commissioning [Clause 14]; SIS Safety Validation [Clause 15]; SIS Operation & Maintenance [Clause 16]; SIS Modification [Clause 17]; SIS Decommissioning [Clause 18]
Hazard and Risk Analysis Focus
Standard objective: identify process hazards, estimate their risks and decide if the risk is tolerable
GOAL: ANALYSIS, UNDERSTANDING, IMPROVEMENT
Analysis flow (figure)
Inputs: Event History, Application Standards, Hazard Characteristics, Consequence Database, Failure Probabilities
Steps: Identify Potential Hazards, Consequence Analysis, Identify Protection Layers, Likelihood Analysis (LOPA)
Outputs: Potential Hazards, Hazard Consequences, Layers of Protection, Hazard Frequencies
Safety Lifecycle as Risk Controller (figure: control loop)
Set point: Tolerable Risk; measured value: Analysed Risk; the difference (+/-) drives the Safety Requirements Specification and Other Means of Risk Reduction
Forward path: Design and Build; Validate vs Spec; Operations Proof Testing and SIS Demand Review of Actual Risk
Feedback: Equipment Modification Request
Tip 2: Define Risk and Risk Tolerance Properly
Risk is a measure of the likelihood and consequence of an adverse effect (i.e., how often can it happen, and what will the effects be if it does?)
Risk receptors:
Personnel
Environment
Financial
Equipment/Property Damage
Business Interruption
Business Liability
Company Image
Lost Market Share
Defining Tolerable Risk
Needs both rigor and flexibility
Needs to consider all relevant forms of harm
Needs to be consistent with both company and society practice
Form defines SIL target selection method
Often a difficult and long-lead part of the safety lifecycle
Individual Risk and ALARP (figure: individual risk scale)
Intolerable Region (High Risk): above 10^-3/yr (workers) or 10^-4/yr (public). "No way"
ALARP or Tolerable Region: between those limits and 10^-6/yr. "If it's worth it"
Broadly Acceptable Region (Negligible Risk): below 10^-6/yr. "We accept it"
Tolerable Risk Level Example
All potential hazards must have less than:
0.0005 fatal accidents per (Person, Hazard or Site) per year
0.005 injuries per (Person, Hazard or Site) per year
0.01 significant environmental releases per (Hazard or Site) per year
$500,000 in business loss per (Hazard or Site) per year, etc.
The difference between per hazard and per site can be up to a factor of 100!
Tip 3: Go All the Way from Hazard to Harm
HAZARD: A potential source of harm (IEC 61508-4, Sub clause 3.1.2)
HAZARD: A chemical or physical condition that has the potential for causing damage to people, property, or the environment (e.g., a pressurized tank containing 500 tons of ammonia) (CCPS, Guidelines for CPQRA)
Term: Initiating Event
Initiating Event: The first event in an event sequence that can lead to an accident (e.g., the failure of a pump motor which stops ammonia flow in a process line)
Term: Intermediate Event
Intermediate Event: An event that propagates or mitigates the initiating event during an event sequence (e.g., low flow alarm failure, valve interlock failure, relief valve failure)
More Escalation Terms
Incident: The loss of containment of material or energy (e.g., leak of 10 kg/s of ammonia). (Often the central point on a Bow Tie diagram)
Incident Outcome: Form of the release (e.g., toxic release, pool fire, flash fire, vapor cloud explosion)
Consequence: Expected effects of an incident outcome case (e.g., 2 fatalities, 10 injuries, $1 Million Damage, 4 weeks downtime)
From Potential To Reality
Analyze the full chain of events that leads to an accident
Event chain (figure): Failure -> Initiating Event; Failure -> Intermediate Event; Circumstance -> Incident Outcome; Consequence; Accident
Worked chain (figure): Pump Fails (initiating event) -> Alarm Fails, Relief Fails (intermediate events) -> 10 kg/sec release with Area Occupied (incident) -> Death, Injury, and Damage (consequence)
Break the problem into generic events which are more likely to have supporting data
Calculate likelihood using probability logic
Tip 4: Use LOPA Properly
Layer Of Protection Analysis
Risk assessment method often used to determine Safety Integrity Level (SIL) targets based on:
Consequence severity
Initiating event frequency
Likelihood of failure of independent protection layers
Scenario risk compared to tolerable risk target
Semi-quantitative or quantitative tool
Requires hazard identification input from HAZOP or equivalent
What LOPA does
LOPA helps reproducibly evaluate risks and identify additional risk reduction opportunities
Each LOPA scenario is limited to a single cause-consequence pair (a path through an event tree).
Event tree (figure): Initiating Event -> IPL1 -> IPL2 -> IPL3 -> Consequence Occurs, each IPL branching into success or failure
Outcomes: Safe Outcome (IPL1 succeeds); Undesired but tolerable outcome (IPL2 or IPL3 succeeds); Consequences exceeding criteria (all three IPLs fail)
Source: AIChE CCPS LOPA, Fig 2.2, Comparison of LOPA and event tree analysis
Typical Layer of Protection Sequence (figure)
Process value: Normal behaviour -> Process alarm -> Trip level alarm
PREVENTION (reduces LIKELIHOOD): Basic Process Control System (process control layer); Operator Intervention (process control layer); Safety Instrumented System (safety layer: Process shutdown, Emergency Shut Down)
MITIGATION (reduces CONSEQUENCE): Relief valve, Rupture disk (active protection layer); Dike (passive protection layer); Plant and Emergency Response (emergency response layer)
Independent Protection Layer (IPL) Attributes
Specific: must be specifically designed to be capable of preventing the consequences of the potentially hazardous event
Independent: must be completely independent from all other protection layers
Dependable: must be capable of acting dependably to prevent the consequence from occurring (systematic and random faults)
Auditable: must be tested and maintained to ensure risk reduction is continually achieved
Tip 5: Use IPLs Properly: Basic Process Control System (BPCS)
CONDITIONS
The BPCS and SIS are physically separate devices, including sensors, logic solver and final elements
Failure of the BPCS is not responsible for initiating the event
The BPCS has the proper sensors and actuators available to perform a function similar to the one performed by the SIS
PFD > 0.1 (by definition)
Operator Response as an IPL
CONDITIONS
Operator Always Present
Operator Has Indication of Problem
Operator Has Time to Act
Operator is Trained in the Proper Response
PFD ~ 0.1 if all conditions met
PFD ~ 0.3 if most conditions met
PFD = 1.0 if conditions not well met
PFD < 0.1 possible with Human Response Analysis (HRA)
Get direct Operator confirmation. (They know best and often are the ones at risk.)
Mechanical Relief Devices as IPLs
Relief Valves
Rupture Disks
Fusible Plugs
Be careful to include probability of incorrect installation as well as probability of failure in service.
Data shows typical RRF of 50 to 70.
Mitigation Protection Layer: External Risk Reduction
Fire Systems
Water Spray Curtains
Enclosures with Scrubbing
Bunds or dikes
LOPA MUST INCLUDE BOTH the SMALL CONSEQUENCE when the system works AND the LARGE CONSEQUENCE when it fails since BOTH CASES ARE RISKS!
Risk is usually minimized when mitigation RRF equals the ratio of large to small consequence frequency target
Conditional Modifier: Occupancy
Fraction of time that the effect zone of the incident outcome in question is occupied
Not valid if occupancy is already accounted for in the consequence analysis
P = Time of Occupancy / Total Time
Be Careful! Occupancy correlates with both initiating events and other protection layer failures. (People usually go towards a hazard to try to fix it.)
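Pulling Tips 4 and 5 and the occupancy modifier together, here is an added worked LOPA calculation in Python; it is not code from the webinar or from exida. The scenario inputs (one pump motor failure per year, 50 % occupancy, the chosen layers) are constructed; the PFD limits and the 0.0005/yr target are the slide values, and the SIL bands are the IEC 61511 low demand mode bands.

```python
"""LOPA calculation for the slides' ammonia pump example (added example, not exida's code).
Constructed: 1 initiating pump failure per year, 50 % occupancy and the choice of layers.
Slide values: BPCS PFD >= 0.1; operator PFD 0.1 / 0.3 / 1.0, below 0.1 only with HRA;
relief RRF typically 50 to 70; target 0.0005 fatal accidents per hazard per year."""
from dataclasses import dataclass

@dataclass
class Ipl:
    name: str
    kind: str          # "bpcs", "operator", "relief" or "other"
    pfd: float         # probability of failure on demand claimed for the layer
    hra: bool = False  # operator credit backed by a Human Response Analysis

def check_ipl_credit(ipl):
    """Return the slide rules this credit breaks (empty list means acceptable)."""
    problems = []
    if ipl.kind == "bpcs" and ipl.pfd < 0.1:
        problems.append(f"{ipl.name}: BPCS PFD is 0.1 or worse by definition")
    if ipl.kind == "operator" and ipl.pfd < 0.1 and not ipl.hra:
        problems.append(f"{ipl.name}: operator PFD below 0.1 needs HRA")
    if ipl.kind == "relief" and ipl.pfd < 1 / 70:
        problems.append(f"{ipl.name}: relief RRF above the 50 to 70 seen in data")
    return problems

def mitigated_frequency(ie_freq, ipls, modifiers):
    """Consequence frequency per year: IE frequency x IPL PFDs x conditional modifiers."""
    f = ie_freq
    for ipl in ipls:
        f *= ipl.pfd
    for p in modifiers.values():   # e.g. occupancy = time occupied / total time
        f *= p
    return f

def sil_target(rrf):
    """IEC 61511 low demand mode band for the risk reduction still required."""
    if rrf <= 1:
        return "no additional layer needed"
    if rrf < 10:
        return "RRF below 10: below SIL 1"
    for sil, upper in ((1, 100), (2, 1000), (3, 10_000)):
        if rrf < upper:
            return f"SIL {sil}"
    return "RRF 10000 or more: reduce the risk another way"

def ammonia_pump_scenario(with_relief):
    """Pump motor fails; BPCS interlock and operator response are the IPLs. Returns (f, rrf, band)."""
    layers = [Ipl("BPCS low-flow interlock", "bpcs", 0.1),
              Ipl("Operator response, most conditions met", "operator", 0.3)]
    if with_relief:
        layers.append(Ipl("Relief valve", "relief", 1 / 50))
    assert not any(check_ipl_credit(layer) for layer in layers)
    f = mitigated_frequency(1.0, layers, {"occupancy": 0.5})   # constructed inputs
    rrf = max(1.0, f / 5e-4)   # slide target: 0.0005 fatal accidents per hazard per year
    return f, rrf, sil_target(rrf)
```

Without the relief valve the scenario needs an RRF of about 30 (a SIL 1 SIF); crediting a relief valve at RRF 50 brings the frequency under the target with no SIF.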
Tip 6: Avoid Independent Event Errors
A and B Independent: P(A AND B) = P(A) * P(B)
A and B Positively Correlated: P(A AND B) >> P(A) * P(B)
Ignoring event correlation can easily cause more than a 10X error in risk estimates!
Consider Common Modes of Failure
Assume that the proposed operator and DCS protection layers share the same sensor and DCS logic solver, but with the operator using a different manual field valve to shut off the process.
The common elements change the combined failure probability by a factor of 2.5.
Fault tree (figure): Combined Operator/DCS Layer Fails, P = 0.05
Inputs: Sensor Fails; DCS Fails; Operator Valve Fails AND DCS Valve Fails (P = 0.01)
Basic event probabilities shown: P = 0.1, P = 0.1, P = 0.03, P = 0.01
Treating the two layers as independent would give P = 0.02 = 0.14 x 0.14
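The shared-sensor case above, as an added Python example (not from the slides): it computes the tree both the slide's hand-calculation way and exactly by enumerating the basic event states. The mapping of the four leaf probabilities onto the components (sensor 0.03, DCS 0.01, each valve 0.1) is an assumption, chosen because it reproduces the slide's 0.14, 0.05 and 0.02.

```python
"""Tip 6 fault tree for the shared-sensor operator/DCS layers (added example, not exida's code).
Assumed mapping of the slide's basic event probabilities onto the tree, the one that
reproduces the slide's 0.14, 0.05 and 0.02: sensor 0.03, DCS logic solver 0.01,
operator's manual field valve 0.1, DCS valve 0.1."""
from itertools import product

BASIC_EVENTS = {"sensor": 0.03, "dcs": 0.01, "op_valve": 0.1, "dcs_valve": 0.1}

def operator_layer_fails(s):
    """Operator layer needs the shared sensor, the shared DCS and the manual valve."""
    return s["sensor"] or s["dcs"] or s["op_valve"]

def dcs_layer_fails(s):
    """DCS layer needs the same sensor and logic solver plus its own valve."""
    return s["sensor"] or s["dcs"] or s["dcs_valve"]

def both_layers_fail(s):
    """Top event: the combined operator/DCS protection fails on demand."""
    return operator_layer_fails(s) and dcs_layer_fails(s)

def exact_probability(top_event, events=BASIC_EVENTS):
    """Enumerate all 2**n states of the basic events and add up the probability
    of every state in which the top event occurs (exact, no approximation)."""
    names = list(events)
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        s = dict(zip(names, states))
        if top_event(s):
            p = 1.0
            for n, failed in s.items():
                p *= events[n] if failed else 1 - events[n]
            total += p
    return total

def hand_calculation():
    """The slide's numbers with the usual rare-event OR gate (add the inputs):
    0.14 per layer, 0.02 if the layers are wrongly treated as independent,
    0.05 with the shared elements counted once, a factor of about 2.5."""
    e = BASIC_EVENTS
    per_layer = e["sensor"] + e["dcs"] + e["op_valve"]
    independent = per_layer * (e["sensor"] + e["dcs"] + e["dcs_valve"])
    common = e["sensor"] + e["dcs"] + e["op_valve"] * e["dcs_valve"]
    return per_layer, independent, common, common / independent

def correlation_error_factor():
    """Exact version of the same comparison: P(both fail) divided by the
    product of the two standalone layer PFDs."""
    naive = exact_probability(operator_layer_fails) * exact_probability(dcs_layer_fails)
    return exact_probability(both_layers_fail) / naive
```

The exact enumeration gives a slightly larger error factor (about 2.7) than the rare-event hand calculation, because the sum approximation overstates the standalone 0.14 figures.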
Tip 7: Look at All the Options
Risk scale (figure, Increasing Risk): Process Risk -> Tolerable Risk -> Residual Risk; Minimum Risk Reduction reaches Tolerable Risk, Optimal Risk Reduction (ALARP) reaches Residual Risk
Options: Process? Design? BPCS? Alarms? Relief? SIF?
Consider the simpler risk reduction methods first. SIFs are typically more complicated and more expensive.
Risk Reduction using Inherent Risk
Inherent risk measures the fundamental magnitude of a consequence
Manage inherent risk by reducing toxic, flammable or explosive inventories
Good process engineering support is vital
Risk Reduction using Geographic Risk
Geographic risk measures the probability an event will occur in a specific geographic location
Plot plan (figure): equipment tags P-101, P-102, P-103, D-101, D-102, V-101, V-102, with location event probabilities of 10^-3, 10^-5 and 10^-4
Manage personnel risk by controlling where the people are: control room, work areas and pathways
Non-SIS Risk Reduction (figure: Consequence vs Likelihood risk matrix with Acceptable, ALARP and Unacceptable Risk Regions and an Increasing Risk arrow)
Starting point: Inherent Risk of the Process
Consequence Reduction, e.g., material reduction, containment dikes, physical protection
Non SIS Risk Reduction, e.g., Pressure Relief Valves
SIS Risk Reduction (figure: the same Consequence vs Likelihood risk matrix)
Starting point: Inherent Risk of the Process
Consequence Reduction, e.g., material reduction, containment dikes, physical protection
Non SIS Risk Reduction, e.g., Pressure Relief Valves
SIS Risk Reduction, SIL 1-3
TIP 8: Manage Risk for Both Kinds of Failures
Random Failures: A failure occurring at a random time (so statistical methods work), which results from one or more degradation mechanisms.
Systematic Failures: A failure coming from a direct cause, which can only be eliminated by changing the design, manufacturing process, operational procedures, documentation, or other relevant factors (so statistical methods fail and functional safety management is needed).
Managing Systematic Failures
The Safety Lifecycle and Functional Safety Management is about:
People
Procedures
Paperwork
Apply the same diversity to these as for equipment to ensure systematic errors are:
Rarely created
Easily identified
Promptly corrected
Functional Safety Assessment
Independent and diverse cross check of safety lifecycle work to identify and correct systematic failures
Use Independent Assessment
If you know you are not smart, hire smart people.
If you are smart, hire other smart people who are not afraid to disagree with you.
Tip 9: Consider Cost Benefit Analysis
Can focus on financial risk in units of dollars per year
Very useful in finding optimal cost solutions when financial risk sets the SIL target
Balance: Cost of residual risk (with SIF) vs. Cost of more or less risk reduction
Identifies over design where SIF costs are much greater than residual risk
Identifies under design where residual risk costs are much greater than SIF costs
SIF Costs to Consider
Design, Capital Equipment, and Installation
Maintenance, Testing, and Spurious trip down time
Typically $5,000 to $100,000 per year
If residual risk < $2,000 per year you have potential overdesign
If residual risk > $200,000 per year you have potential underdesign
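An added Python screening of SIF options against these thresholds; it is not exida's Lifecycle Cost Estimator or any code from the webinar. Demand frequency, consequence cost and the yearly SIF cost per SIL are constructed; the $2,000 and $200,000 thresholds are the slide's, and the RRF credited per SIL is the lower bound of the IEC 61511 band.

```python
"""Tip 9 cost benefit screening of SIF options (added example, not exida's tool).
Constructed inputs: demand frequency, consequence cost and the yearly SIF cost of
each SIL are made up. Thresholds are the slide's: residual risk below $2,000/yr
suggests overdesign, above $200,000/yr underdesign. RRF per SIL uses the lower
bound of the IEC 61511 band (10, 100, 1000)."""
from dataclasses import dataclass

SIL_RRF = {0: 1, 1: 10, 2: 100, 3: 1000}   # conservative credit per SIL band

@dataclass
class SifOption:
    sil: int
    annual_cost: float   # design, capital and installation spread per year, plus
                         # maintenance, testing and spurious trip downtime

def residual_risk_cost(demand_freq, consequence_cost, sil):
    """Expected loss per year left after the SIF: demand frequency x PFD x consequence."""
    return demand_freq / SIL_RRF[sil] * consequence_cost

def verdict(residual):
    """Slide thresholds applied to the residual financial risk."""
    if residual < 2_000:
        return "potential overdesign"
    if residual > 200_000:
        return "potential underdesign"
    return "balanced"

def evaluate(demand_freq, consequence_cost, options):
    """One row per option: SIF cost, residual risk cost, their sum and the verdict."""
    rows = []
    for opt in options:
        residual = residual_risk_cost(demand_freq, consequence_cost, opt.sil)
        rows.append({"sil": opt.sil, "sif_cost": opt.annual_cost, "residual": residual,
                     "total": residual + opt.annual_cost, "verdict": verdict(residual)})
    return rows

def cheapest_option(rows):
    """Optimal cost solution: minimum of SIF cost plus residual risk cost."""
    return min(rows, key=lambda r: r["total"])

def example_rows():
    """Constructed case: 0.1 demands/yr reaching the SIF, $15M loss per event,
    and made-up yearly SIF costs for SIL 1 to 3 (SIL 0 means no SIF)."""
    options = [SifOption(0, 0.0), SifOption(1, 15_000),
               SifOption(2, 40_000), SifOption(3, 90_000)]
    return evaluate(0.1, 15_000_000, options)
```

In the constructed case SIL 2 has the lowest total; SIL 3 is flagged as potential overdesign because its SIF cost far exceeds the $1,500/yr of risk it removes.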
SLC Engineering Tools: Lifecycle Cost Estimator (screenshot)
Tip 10: Consider the Safety Requirements Specification
Definition (IEC61511): specification that contains all the requirements of the safety instrumented functions in a safety instrumented system
Objective: Specify all requirements of the SIS needed for detailed engineering and process safety information purposes
Functional Requirements: Description of the functions of the SIF (how it should work)
Integrity Requirements: The risk reduction and reliability requirements (how well it should work, how quickly it should work)
Often a contractual document prepared by one company and executed by another
The SRS as a Living Document
The SRS is the backbone not just of the project Implementation & Testing but also a key point of reference during the Operation phase
The SRS should be constructed in a way that is:
Clear: jargon-free so everybody can read it
Concise: to the point with minimal repetition
Complete: all functional, integrity and non-functional requirements covered
Consistent: no contradicting statements or requirements
All modifications should be evaluated against the SRS; the better the background information provided, the better informed the change impact assessment
SRS: The Source of Knowledge (figure)
Safety Requirement Specification contents: Process Information, Functionality, Integrity, System, Procedures
Other contents shown: Hazard Information (Hazard Frequencies, Hazard Consequences, Target SIL), Regulatory Requirements, Information & Revision
Lifecycle phases served: Analysis -> Implementation (Hardware & Software Conceptual & Detailed Design & Validation) -> Operation (Operations, Maintenance & Modifications)
Review
1. Get the Safety Lifecycle Context Right
2. Define Risk and Risk Tolerance Properly
3. Go All the Way from Hazard to Harm
4. Use LOPA Properly
5. Use Independent Protection Layers (IPLs) Properly
Review Continued
6. Avoid Independent Event Errors
7. Look at All the Options
8. Manage Risk for Both Kinds of Failure
9. Consider Cost Benefit Analysis
10. Consider the Safety Requirements Specification
Questions now or by email: [email protected]