risk analysis tips for maximizing value


Upload: asimozma

Post on 25-Nov-2015


DESCRIPTION

risk analysis, IEC61511, Safety, Hazard, safety lifecycle

TRANSCRIPT

  • 2/20/2014

    Copyright exida.com LLC 2000-2013 1

    Copyright exida.com LLC 2001-2014

  • Slide 1: Risk Analysis Tips for Maximizing Value

    Regional Offices: United Kingdom +44 1926 676 125; Netherlands +31 318 414 505; New Zealand / Aus +64 3 472 7707; US Gulf Coast +1 713 382 7170

    Main Offices: Germany +49 89 4900 0547; USA +1 215 453 1720; South Africa +27 31 267 1564; Switzerland +41 22 364 14 34; Canada +1 215 453 1720; Mexico +52 55 1518 0573; Singapore +65 5222 5160

  • Slide 2: exida Industry Focus (diagram)

    Customer roles: OEM; System Designer; End User; Engineering Contractor

    Services shown against those roles: SIL + device selection; SIL verification; Competence development; CFSE; FSM setup; Management support; Development support; Certification; Tools

    Industries: Automotive; Nuclear; Automation; Process Industry

  • Slide 3: Presented by Dr. Eric Scharpf, CFSE

    exida partner since start up

    Specializes in risk analysis and functional safety assessment

    Leads machine and process safety projects

    Wrote the Safety Integrity Level Selection book in 2002 and the Practical SIL Target Selection book in 2012

  • Slide 4: Webinar Objective

    Present ten tips to ensure you get the maximum value from your risk analysis:

    Common mistakes to avoid

    Potential analysis improvements

    Identifying potential design improvements

  • Slide 5: Tip 1: Get the Context Right

    What type of risks do you manage?

  • Slide 6: IEC 61511 Safety Lifecycle (diagram)

    Management of Functional Safety and Functional Safety Assessment [Clause 5]

    Safety Lifecycle Structure and Planning [Clause 6.2]

    Verification [Clause 7 & Clause 12.7]

    Analysis phase (Analyse Risk, Specify): Process Hazard & Risk Analysis [Clause 8]; Allocate Safety Function to Protection Layers [Clause 9]; SIS Safety Requirements Specification [Clauses 10 & 12]

    Off-Site phase (Design & Build, Test): SIS Design and Engineering [Clauses 11 & 12]; SIS FAT [Clause 13]

    On-Site Operation phase (Install, Validate, Manage, Proof Test): SIS Installation & Commissioning [Clause 14]; SIS Safety Validation [Clause 15]; SIS Operation & Maintenance [Clause 16]; SIS Modification [Clause 17]; SIS Decommissioning [Clause 18]

  • Slide 7: Hazard and Risk Analysis Focus

    Standard Objective: Identify process hazards, estimate their risks and decide if the risk is tolerable

    GOAL: ANALYSIS, UNDERSTANDING, IMPROVEMENT

    Inputs (diagram): Event History; Application Standards; Hazard Characteristics; Consequence Database; Failure Probabilities

    Steps (diagram): Identify Potential Hazards; Consequence Analysis; Identify Protection Layers; Likelihood Analysis (LOPA)

    Outputs (diagram): Potential Hazards; Hazard Consequences; Layers of Protection; Hazard Frequencies

  • Slide 8: Safety Lifecycle as Risk Controller (control-loop diagram)

    Tolerable Risk (Set Point)

    Analysed Risk (compared against the set point: + / -)

    Safety Requirements Specification and Other Means of Risk Reduction

    Design and Build

    Validate vs Spec

    Operations Proof Testing and SIS Demand Review of Actual Risk

    Equipment Modification Request (fed back into the loop)

  • Slide 9: Tip 2: Define Risk and Risk Tolerance Properly

    Risk is a measure of the likelihood and consequence of an adverse effect (i.e., how often can it happen and what will be the effects if it does?)

    Risk receptors:

    Personnel

    Environment

    Financial

    Equipment/Property Damage

    Business Interruption

    Business Liability

    Company Image

    Lost Market Share

  • Slide 10: Defining Tolerable Risk

    Needs both rigor and flexibility

    Needs to consider all relevant forms of harm

    Needs to be consistent with both company and society practice

    Form defines SIL target selection method

    Often a difficult and long-lead part of the safety lifecycle

    (diagram: several risks weighed against the question "Tolerable?")

  • Slide 11: Individual Risk and ALARP (diagram)

    High Risk, above 10^-3/yr (workers) or 10^-4/yr (public): Intolerable Region ("No way")

    Between those limits and 10^-6/yr: ALARP or Tolerable Region ("If it's worth it")

    Negligible Risk, below 10^-6/yr: Broadly Acceptable Region ("We accept it")

  • Slide 12: Tolerable Risk Level Example

    All potential hazards must have less than:

    0.0005 fatal accidents per (Person, Hazard or Site) per year

    0.005 injuries per (Person, Hazard or Site) per year

    0.01 significant environmental release per (Hazard or Site) per year

    $500,000 in business loss per (Hazard or Site) per year, etc.

    The difference between per hazard and per site can be up to a factor of 100!

  • Slide 13: Tip 3: Go All the Way from Hazard to Harm

    HAZARD: A potential source of harm (IEC 61508-4, Sub clause 3.1.2)

    A chemical or physical condition that has the potential for causing damage to people, property, or the environment (e.g., a pressurized tank containing 500 tons of ammonia) (CCPS, Guidelines for CPQRA)

  • Slide 14: Term: Initiating Event

    Initiating Event: The first event in an event sequence that can lead to an accident (e.g., the failure of a pump motor which stops ammonia flow in a process line)

  • Slide 15: Term: Intermediate Event

    Intermediate Event: An event that propagates or mitigates the initiating event during an event sequence (e.g., low flow alarm failure, valve interlock failure, relief valve failure)

  • Slide 16: More Escalation Terms

    Incident: The loss of containment of material or energy (e.g., leak of 10 kg/s of ammonia). (Often the central point on a Bow Tie diagram.)

    Incident Outcome: Form of the release (e.g. toxic release, pool fire, flash fire, vapor cloud explosion)

    Consequence: Expected effects of an incident outcome case (e.g., 2 fatalities, 10 injuries, $1 Million Damage, 4 weeks downtime)

  • Slide 17: From Potential To Reality

    Analyze the full chain of events that leads to an accident

    Event chain (diagram): Initiating Event (Failure) -> Intermediate Event (Failure) -> Incident -> Incident Outcome (Circumstance) -> Consequence -> Accident

    Example chain: Pump Fails (Initiating Event) -> Alarm Fails (Intermediate Event) -> Relief Fails (Intermediate Event) -> 10 kg/sec release (Incident) -> with Area Occupied (Incident Outcome) -> Death, Injury, and Damage (Consequence)

    Break the problem into generic events which are more likely to have supporting data

    Calculate likelihood using probability logic

  • Slide 18: Tip 4: Use LOPA Properly

    Layer Of Protection Analysis: a risk assessment method often used to determine Safety Integrity Level (SIL) targets based on:

    Consequence severity

    Initiating event frequency

    Likelihood of failure of independent protection layers

    Scenario risk compared to tolerable risk target

    Semi-quantitative or quantitative tool

    Requires hazard identification input from HAZOP or equivalent

  • Slide 19: What LOPA does

    LOPA helps reproducibly evaluate risks and identify additional risk reduction opportunities

    Each LOPA scenario is limited to a single cause-consequence pair (path through an event tree).

    Event tree (diagram): Initiating Event -> IPL1 -> IPL2 -> IPL3 -> Consequence Occurs. Each IPL branches into success and failure: IPL1 success gives a Safe Outcome; IPL2 success and IPL3 success each give an Undesired but tolerable outcome; IPL3 failure gives Consequences exceeding criteria.

    Source: AIChE CCPS LOPA, Fig 2.2 Comparison of LOPA and event tree analysis

  • Slide 20: Typical Layer of Protection Sequence (diagram)

    Process value over time: Normal behaviour -> Process alarm -> Trip level alarm

    PREVENTION layers (act on CONSEQUENCE LIKELIHOOD): Process control layer: Basic Process Control System; Process control layer: Operator Intervention; Safety layer: Safety Instrumented System (Process shutdown, Emergency Shut Down)

    MITIGATION layers (act on CONSEQUENCE): Active protection layer: Relief valve, Rupture disk; Passive protection layer: Dike; Emergency response layer: Plant and Emergency Response

  • Slide 21: Independent Protection Layer (IPL) Attributes

    Specific: must be specifically designed to be capable of preventing the consequences of the potentially hazardous event

    Independent: must be completely independent from all other protection layers

    Dependable: must be capable of acting dependably to prevent the consequence from occurring (systematic and random faults)

    Auditable: must be tested and maintained to ensure risk reduction is continually achieved

  • Slide 22: Tip 5: Use IPLs Properly: Basic Process Control System (BPCS)

    CONDITIONS:

    The BPCS and SIS are physically separate devices, including sensors, logic solver and final elements

    Failure of the BPCS is not responsible for initiating the event

    The BPCS has the proper sensors and actuators available to perform a function similar to the one performed by the SIS

    PFD > 0.1 (by definition)

  • Slide 23: Operator Response as an IPL

    CONDITIONS:

    Operator Always Present

    Operator Has Indication of Problem

    Operator Has Time to Act

    Operator is Trained in the Proper Response

    PFD ~ 0.1 if all conditions met

    PFD ~ 0.3 if most conditions met

    PFD = 1.0 if conditions not well met

    PFD < 0.1 possible with Human Response Analysis (HRA)

    Get direct Operator confirmation. (They know best and often are the ones at risk.)

  • Slide 24: Mechanical Relief Devices as IPLs

    Relief Valves; Rupture Disks; Fusible Plugs

    Be careful to include probability of incorrect installation as well as probability of failure in service.

    Data shows typical RRF of 50 to 70.

  • Slide 25: Mitigation Protection Layer: External Risk Reduction

    Fire Systems; Water Spray Curtains; Enclosures with Scrubbing; Bunds or dikes

    LOPA MUST INCLUDE BOTH the SMALL CONSEQUENCE when the system works AND the LARGE CONSEQUENCE when it fails since BOTH CASES ARE RISKS!

    Risk is usually minimized when mitigation RRF equals the ratio of large to small consequence frequency target

  • Slide 26: Conditional Modifier: Occupancy

    Fraction of time that effect zone of incident outcome in question is occupied

    P = Time of Occupancy / Total Time

    Not valid if occupancy is already accounted for in the consequence analysis

    Be Careful! Occupancy correlates with both initiating events and other protection layer failures. (People usually go towards a hazard to try to fix it.)
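The LOPA arithmetic behind Tips 3 to 5, written out as an added example that is not part of the webinar or of exida's tools. It follows the slide 17 chain (pump fails, alarm fails, relief fails, 10 kg/s ammonia release with the area occupied), uses the PFD values quoted on slides 23 and 24 (operator response 0.1, relief RRF at the low end of 50 to 70), the occupancy conditional modifier of slide 26, the two-branch mitigation treatment of slide 25, and the tolerable targets of slide 12 judged both per site and per hazard. The initiating-event frequency, the occupancy fraction, the water-spray PFD and the hazard count are constructed inputs; the SIL bands are the IEC 61511 RRF ranges; the function names (`per_hazard_target`, `outcome_frequencies`, `sif_requirement`, `compare_site_vs_hazard`) are this example's own.

```python
"""LOPA arithmetic for the ammonia release chain on slide 17.

Added example; not exida's code or tooling. Values marked (slide) are quoted
from the deck, values marked (constructed) are assumed inputs for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IEC 61511 SIL bands as (SIL, lower RRF inclusive, upper RRF exclusive).
SIL_BANDS = ((1, 10.0, 100.0), (2, 100.0, 1_000.0),
             (3, 1_000.0, 10_000.0), (4, 10_000.0, 100_000.0))


@dataclass
class Ipl:
    name: str
    pfd: float  # probability of failure on demand


@dataclass
class Scenario:
    name: str
    initiating_event_freq: float      # demands per year
    prevention_ipls: List[Ipl]
    occupancy: float = 1.0            # conditional modifier, slide 26
    mitigation: Optional[Ipl] = None  # mitigation layer, slide 25


def per_hazard_target(site_target: float, n_hazards: int) -> float:
    """Apportion a per-site frequency target over the site's hazards (slide 12)."""
    if n_hazards < 1:
        raise ValueError("a site has at least one hazard")
    return site_target / n_hazards


def unmitigated_frequency(s: Scenario) -> float:
    """Frequency of the incident outcome with every prevention IPL failed."""
    f = s.initiating_event_freq
    for ipl in s.prevention_ipls:
        f *= ipl.pfd
    return f * s.occupancy


def outcome_frequencies(s: Scenario) -> Dict[str, float]:
    """Large consequence (mitigation fails) and small consequence (it works).

    Slide 25: both branches are risks and both stay in the LOPA.
    """
    f = unmitigated_frequency(s)
    if s.mitigation is None:
        return {"large": f, "small": 0.0}
    return {"large": f * s.mitigation.pfd, "small": f * (1.0 - s.mitigation.pfd)}


def sil_for_rrf(rrf: float) -> int:
    """Map a required RRF to an IEC 61511 SIL band; 0 means no SIF is needed."""
    if rrf < 10.0:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return sil
    raise ValueError(f"RRF {rrf:g} is beyond SIL 4: change the process, not the SIF")


def sif_requirement(s: Scenario, targets: Dict[str, float]) -> Dict[str, float]:
    """Required RRF per outcome against its own target; the SIF must meet the worst."""
    freqs = outcome_frequencies(s)
    rrf = {k: max(1.0, f / targets[k]) for k, f in freqs.items() if f > 0}
    worst = max(rrf.values(), default=1.0)
    return {"rrf_large": rrf.get("large", 1.0), "rrf_small": rrf.get("small", 1.0),
            "rrf_required": worst, "sil": sil_for_rrf(worst)}


# Slide 17 chain: pump fails -> alarm fails -> relief fails -> 10 kg/s ammonia
# release with the area occupied -> death, injury and damage.
AMMONIA = Scenario(
    name="10 kg/s ammonia release, area occupied",
    initiating_event_freq=1.0,                               # 1 pump trip/yr (constructed)
    prevention_ipls=[
        Ipl("alarm + operator response, all conditions met", 0.1),       # slide 23
        Ipl("relief valve, low end of the RRF 50 to 70 range", 1 / 50),  # slide 24
    ],
    occupancy=0.5,                                           # (constructed)
    mitigation=Ipl("water spray curtain", 0.1),              # PFD (constructed)
)

SITE_TARGETS = {"large": 0.0005,  # fatal accidents per site per year (slide 12)
                "small": 0.005}   # injuries per site per year (slide 12)


def compare_site_vs_hazard(s: Scenario, n_hazards: int) -> Dict[str, int]:
    """The same scenario judged per site and per hazard: slide 12's factor of 100."""
    per_site = sif_requirement(s, SITE_TARGETS)
    per_hazard = sif_requirement(
        s, {k: per_hazard_target(v, n_hazards) for k, v in SITE_TARGETS.items()})
    return {"sil_per_site": per_site["sil"], "sil_per_hazard": per_hazard["sil"]}


if __name__ == "__main__":
    print(outcome_frequencies(AMMONIA))
    print(compare_site_vs_hazard(AMMONIA, 100))
```

With these inputs the unmitigated frequency is 1.0 x 0.1 x 0.02 x 0.5 = 1e-3/yr, split into 1e-4/yr for the large consequence and 9e-4/yr for the small one. Against the per-site targets neither branch needs further reduction, but dividing the same targets among 100 hazards turns the large branch into a required RRF of 20 and the small one into 18, so the SIF is sized for the worse of the two and lands in SIL 1. That is the factor-of-100 point of slide 12 and the both-branches point of slide 25 in one calculation.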

  • Slide 27: Tip 6: Avoid Independent Event Errors

    A, B Independent: P(A AND B) = P(A) * P(B)

    A, B Positively Correlated: P(A AND B) >> P(A) * P(B)

    Ignoring event correlation can easily cause more than a 10X error in risk estimates!

  • Slide 28: Consider Common Modes of Failure

    Assume that the proposed operator and DCS protection layers share the same sensor and DCS logic solver but with the operator using a different manual field valve to shut off the process.

    The common elements change the combined failure probability by a factor of 2.5.

    Fault tree (diagram): Combined Operator/DCS Layer Fails = Sensor Fails OR DCS Fails OR (Operator Valve Fails AND DCS Valve Fails)

    Leaf probabilities: Operator Valve Fails P = 0.1; DCS Valve Fails P = 0.1; Sensor Fails and DCS Fails P = 0.03 and P = 0.01

    AND gate (both valves fail): P = 0.01

    Top event (with the common elements): P = 0.05

    Same two layers treated as independent: P = 0.02 = 0.14 x 0.14
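Slide 28 reproduced as a small fault-tree calculation, added here and not part of the webinar. It uses the slide's leaf probabilities; assigning 0.01 to the sensor and 0.03 to the DCS logic solver is an assumption (the extracted slide does not say which is which, and the layer totals come out the same either way). The `p_or` gate uses the rare-event approximation (sum of probabilities), which is the arithmetic behind the slide's 0.14 and 0.05; `p_or_exact` is included to show how much that approximation shifts the result.

```python
"""Slide 28 worked through: an operator layer and a DCS layer that share a
sensor and a DCS logic solver. Added example, not exida's code. Leaf values
are the slide's; the sensor/DCS assignment of 0.01 and 0.03 is an assumption.
"""
from typing import Dict

P_SENSOR = 0.01          # shared sensor (assumed to be the 0.01 leaf)
P_DCS = 0.03             # shared DCS logic solver (assumed to be the 0.03 leaf)
P_OPERATOR_VALVE = 0.1   # manual field valve the operator closes (slide)
P_DCS_VALVE = 0.1        # valve driven by the DCS (slide)


def p_or(*probs: float) -> float:
    """OR gate with the rare-event approximation (sum, capped at 1.0).

    This is the arithmetic the slide uses: 0.01 + 0.03 + 0.1 = 0.14 per layer.
    """
    return min(1.0, sum(probs))


def p_or_exact(*probs: float) -> float:
    """OR gate without the approximation: 1 - prod(1 - p), independent inputs."""
    q = 1.0
    for p in probs:
        q *= 1.0 - p
    return 1.0 - q


def p_and(*probs: float) -> float:
    """AND gate for independent events (slide 27): P(A AND B) = P(A) * P(B)."""
    r = 1.0
    for p in probs:
        r *= p
    return r


def layer_pfd(shared: Dict[str, float], own_final_element: float) -> float:
    """One layer fails if any shared element or its own final element fails."""
    return p_or(*shared.values(), own_final_element)


def combined_assuming_independence(shared: Dict[str, float],
                                   own_a: float, own_b: float) -> float:
    """What a LOPA credits when the two layers are (wrongly) multiplied as independent."""
    return p_and(layer_pfd(shared, own_a), layer_pfd(shared, own_b))


def combined_with_common_elements(shared: Dict[str, float],
                                  own_a: float, own_b: float) -> float:
    """Slide 28 fault tree: shared elements sit directly under the top OR gate;
    only the elements each layer has to itself (the two valves) go under an AND."""
    return p_or(*shared.values(), p_and(own_a, own_b))


def common_mode_error_factor() -> Dict[str, float]:
    """Reproduce the slide: 0.14 x 0.14 = 0.02 if independent, 0.05 with common elements."""
    shared = {"sensor": P_SENSOR, "dcs": P_DCS}
    naive = combined_assuming_independence(shared, P_OPERATOR_VALVE, P_DCS_VALVE)
    real = combined_with_common_elements(shared, P_OPERATOR_VALVE, P_DCS_VALVE)
    return {
        "layer_pfd": layer_pfd(shared, P_OPERATOR_VALVE),  # 0.14 (same for the DCS layer)
        "assumed_independent": naive,                     # 0.0196, rounded to 0.02 on the slide
        "with_common_elements": real,                     # 0.05
        "error_factor": real / naive,                     # about 2.5
        "exact_with_common_elements": p_or_exact(
            P_SENSOR, P_DCS, p_and(P_OPERATOR_VALVE, P_DCS_VALVE)),
    }


if __name__ == "__main__":
    for key, value in common_mode_error_factor().items():
        print(f"{key:28s} {value:.4f}")
```

The unrounded factor is 0.05 / 0.0196 = 2.55; the slide rounds 0.0196 to 0.02 and reports 2.5. The shared sensor and logic solver contribute 0.04 of the 0.05 on their own, which is why the independence assumption understates the combined failure probability: the expensive part of the layer (the two valves) is the only part the AND gate actually credits.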

  • Slide 29: Tip 7: Look at All the Options

    Diagram (Increasing Risk axis): Process Risk, Tolerable Risk, Residual Risk; Minimum Risk Reduction brings the process risk down to the tolerable risk; Optimal Risk Reduction (ALARP) brings it down to the residual risk

    Options to consider: Process? Design? BPCS? Alarms? Relief? SIF?

    Consider the simpler risk reduction methods first. SIFs are typically more complicated and more expensive.

  • Slide 30: Risk Reduction using Inherent Risk

    Inherent risk measures the fundamental magnitude of a consequence

    Manage inherent risk by reducing toxic, flammable or explosive inventories

    Good process engineering support is vital

    (diagram comparing two Flammable Material inventories)

  • Slide 31: Risk Reduction using Geographic Risk

    Geographic risk measures the probability an event will occur in a specific geographic location

    (plot plan diagram: equipment items P-101, P-102, P-103, D-101, D-102, V-101, V-102 with location risk values of 10^-3, 10^-5 and 10^-4)

    Manage personnel risk by controlling where the people are: control room, work areas and pathways

  • Slide 32: Non-SIS Risk Reduction (risk matrix diagram)

    Axes: Consequence (Increasing Risk) and Likelihood

    Regions: Acceptable Risk Region; ALARP Risk Region; Unacceptable Risk Region

    Inherent Risk of the Process, reduced by:

    Consequence Reduction, e.g., material reduction, containment dikes, physical protection

    Non SIS Risk Reduction, e.g. Pressure Relief Valves

  • Slide 33: SIS Risk Reduction (risk matrix diagram)

    Axes: Consequence (Increasing Risk) and Likelihood

    Regions: Acceptable Risk Region; ALARP Risk Region; Unacceptable Risk Region

    Inherent Risk of the Process, reduced by:

    Consequence Reduction, e.g., material reduction, containment dikes, physical protection

    Non SIS Risk Reduction, e.g. Pressure Relief Valves

    SIS Risk Reduction, SIL 1-3

  • Slide 34: TIP 8: Manage Risk for Both Kinds of Failures

    Random Failures: A failure occurring at a random time (so statistical methods work), which results from one or more degradation mechanisms.

    Systematic Failures: A failure coming from a direct cause, which can only be eliminated by changing the design, manufacturing process, operational procedures, documentation, or other relevant factors (so statistical methods fail and functional safety management is needed).

  • Slide 35: Managing Systematic Failures

    The Safety Lifecycle and Functional Safety Management is about: People; Procedures; Paperwork

    Apply the same diversity to these as for equipment to ensure systematic errors are: Rarely created; Easily identified; Promptly corrected

  • Slide 36: Functional Safety Assessment

    Independent and diverse cross check of safety lifecycle work to identify and correct systematic failures

    Use Independent Assessment

    If you know you are not smart, hire smart people. If you are smart, hire other smart people who are not afraid to disagree with you.

  • Slide 37: Tip 9: Consider Cost Benefit Analysis

    Can focus on financial risk in units of dollars per year

    Very useful in finding optimal cost solutions when financial risk sets the SIL target

    Balance: Cost of residual risk (with SIF) vs. Cost of more or less risk reduction

    Identifies over design where SIF costs are much greater than residual risk

    Identifies under design where residual risk costs are much greater than SIF costs

  • Slide 38: SIF Costs to Consider

    Design, Capital Equipment, and Installation

    Maintenance, Testing, and Spurious trip down time

    Typically $5,000 to $100,000 per year

    If residual risk < $2,000 per year you have potential overdesign

    If residual risk > $200,000 per year you have potential underdesign
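Tip 9 turned into arithmetic, as an added example that is not part of the webinar and is not exida's Lifecycle Cost Estimator. For each design option it adds the annual cost of the residual risk (frequency after the SIF times the consequence cost) to the annualised SIF cost, applies the two screening thresholds from slide 38, and picks the option with the lowest total. The $2,000 and $200,000 thresholds and the $5,000 to $100,000 SIF cost range come from slide 38; the scenario frequency, the consequence cost and the per-option SIF costs are constructed inputs, and `evaluate_options`, `design_flag` and `optimal_option` are this example's own names.

```python
"""Tip 9 as arithmetic: residual risk cost plus SIF cost for each design option.

Added example; not exida's Lifecycle Cost Estimator. Thresholds and cost range
are from slide 38; the scenario and per-option costs are constructed.
"""
from typing import Dict, List, Tuple

OVERDESIGN_RESIDUAL = 2_000.0     # $/yr: residual risk below this is potential overdesign (slide 38)
UNDERDESIGN_RESIDUAL = 200_000.0  # $/yr: residual risk above this is potential underdesign (slide 38)

# option -> (risk reduction factor credited, annualised SIF cost in $/yr).
# RRF 1 is "no SIF"; the others are the low ends of the IEC 61511 SIL bands.
# Costs bundle design, capital, installation, maintenance, testing and spurious
# trip downtime (slide 38); the figures are constructed but sit in slide 38's range.
OPTIONS: Dict[str, Tuple[float, float]] = {
    "no SIF": (1.0, 0.0),
    "SIL 1": (10.0, 8_000.0),
    "SIL 2": (100.0, 30_000.0),
    "SIL 3": (1_000.0, 90_000.0),
}


def residual_risk_cost(unmitigated_freq: float, consequence_cost: float, rrf: float) -> float:
    """Expected annual loss ($/yr) left after a SIF with the given RRF."""
    if rrf < 1.0:
        raise ValueError("an RRF below 1 would add risk, not reduce it")
    return unmitigated_freq / rrf * consequence_cost


def design_flag(residual: float, sif_cost: float) -> str:
    """Slide 38's two screening rules. A low residual with nothing spent on a SIF
    is not overdesign, so the overdesign rule only fires when a SIF is in place."""
    if sif_cost > 0 and residual < OVERDESIGN_RESIDUAL:
        return "potential overdesign"
    if residual > UNDERDESIGN_RESIDUAL:
        return "potential underdesign"
    return "ok"


def evaluate_options(unmitigated_freq: float, consequence_cost: float) -> List[Dict[str, object]]:
    """One row per option: residual risk cost, SIF cost, their sum and the screening flag."""
    rows = []
    for name, (rrf, sif_cost) in OPTIONS.items():
        residual = residual_risk_cost(unmitigated_freq, consequence_cost, rrf)
        rows.append({"option": name, "rrf": rrf, "residual": residual,
                     "sif_cost": sif_cost, "total": residual + sif_cost,
                     "flag": design_flag(residual, sif_cost)})
    return rows


def optimal_option(unmitigated_freq: float, consequence_cost: float) -> str:
    """The option with the lowest total annual cost: the balance point of slide 37."""
    return min(evaluate_options(unmitigated_freq, consequence_cost),
               key=lambda row: row["total"])["option"]


if __name__ == "__main__":
    # Constructed scenario: a release once in 20 years (0.05/yr) costing $10M in
    # equipment damage and business interruption.
    for row in evaluate_options(0.05, 10_000_000.0):
        print(f'{row["option"]:7s} residual ${row["residual"]:>10,.0f}  '
              f'SIF ${row["sif_cost"]:>8,.0f}  total ${row["total"]:>10,.0f}  {row["flag"]}')
    print("optimal:", optimal_option(0.05, 10_000_000.0))
```

For the constructed scenario the no-SIF option carries $500,000/yr of residual risk and is flagged as potential underdesign, SIL 3 leaves only $500/yr and is flagged as potential overdesign, and SIL 2 ($5,000 residual plus $30,000 SIF, $35,000 in total) is the cheapest option overall. Changing the consequence cost or the SIF costs moves that optimum, which is exactly the sensitivity a cost benefit analysis is meant to expose.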

  • Slide 39: SLC Engineering Tools: Lifecycle Cost Estimator (screenshot)

  • Slide 40: Tip 10: Consider the Safety Requirements Specification

    Definition (IEC61511): specification that contains all the requirements of the safety instrumented functions in a safety instrumented system

    Objective: Specify all requirements of SIS needed for detailed engineering and process safety information purposes

    Functional Requirements: Description of the functions of the SIF (how it should work)

    Integrity Requirements: The risk reduction and reliability requirements (how well it should work, how quickly it should work)

    Often a contractual document prepared by one company and executed by another

  • Slide 41: The SRS as a Living Document

    The SRS is the backbone not just of the project Implementation & Testing but also a key point of reference during the Operation phase

    The SRS should be constructed in a way that is:

    Clear: Jargon-free so everybody can read it

    Concise: To-the-point with minimal repetition

    Complete: All functional, integrity and non-functional requirements covered

    Consistent: Avoid contradicting statements or requirements

    All modifications should be evaluated against the SRS; the better the background information provided, the better informed the change impact assessment

  • Slide 42: SRS: The Source of Knowledge (diagram)

    Safety Requirement Specification contents: Process Information; Functionality; Integrity; System; Procedures

    Inputs: Hazard Information (Hazard Frequencies, Hazard Consequences, Target SIL); Regulatory Requirements

    Used across the lifecycle: Analysis; Implementation (Hardware & Software Conceptual & Detailed Design & Validation); Operation (Operations, Maintenance & Modifications); Information & Revision

  • Slide 43: Review

    1. Get the Safety Lifecycle Context Right

    2. Define Risk and Risk Tolerance Properly

    3. Go All the Way from Hazard to Harm

    4. Use LOPA Properly

    5. Use Independent Protection Layers (IPLs) Properly

  • Slide 44: Review Continued

    6. Avoid Independent Event Errors

    7. Look at All the Options

    8. Manage Risk for Both Kinds of Failure

    9. Consider Cost Benefit Analysis

    10. Consider the Safety Requirements Specification

  • Slide 45: Questions now or by email: [email protected]