
2/20/2014

Risk Analysis Tips for Maximizing Value


Main Offices
Germany +49 89 4900 0547
USA +1 215 453 1720
South Africa +27 31 267 1564
Switzerland +41 22 364 14 34
Canada +1 215 453 1720
Mexico +52 55 1518 0573
Singapore +65 5222 5160

Regional Offices
United Kingdom +44 1926 676 125
Netherlands +31 318 414 505
New Zealand / Aus +64 3 472 7707
US Gulf Coast +1 713 382 7170

Copyright exida.com LLC 2001-2014

exida Industry Focus (diagram)
Customers: OEM, System Designer, Engineering Contractor, End User
Industries: Automation, Process Industry, Automotive, Nuclear
Services: Management support, Development support, Certification, Tools, FSM setup, SIL verification, SIL + device selection, Competence development (CFSE)


Presented by Dr. Eric Scharpf, CFSE
- exida partner since start up
- Specializes in risk analysis and functional safety assessment
- Leads machine and process safety projects
- Wrote the Safety Integrity Level Selection book in 2002 and the Practical SIL Target Selection book in 2012


Webinar Objective
Present ten tips to ensure you get the maximum value from your risk analysis:
- Common mistakes to avoid
- Potential analysis improvements
- Identifying potential design improvements


Tip 1: Get the Context Right


What type of risks do you manage?


IEC 61511 Safety Lifecycle (figure)
Across all phases: Management of Functional Safety and Functional Safety Assessment [Clause 5]; Safety Lifecycle Structure and Planning [Clause 6.2]; Verification [Clause 7 & Clause 12.7]
Analysis (Off-Site): Process Hazard & Risk Analysis [Clause 8]; Allocate Safety Function to Protection Layers [Clause 9]; SIS Safety Requirements Specification [Clauses 10 & 12]
Specify, Design & Build, Test: SIS Design and Engineering [Clauses 11 & 12]; SIS FAT [Clause 13]
Install, Validate: SIS Installation & Commissioning [Clause 14]; SIS Safety Validation [Clause 15]
Operation (On-Site), Proof Test, Manage: SIS Operation & Maintenance [Clause 16]; SIS Modification [Clause 17]; SIS Decommissioning [Clause 18]


Hazard and Risk Analysis Focus (figure)
Inputs: Event History, Application Standards, Hazard Characteristics, Consequence Database, Failure Probabilities
Steps: Identify Potential Hazards -> Consequence Analysis -> Identify Protection Layers -> Likelihood Analysis (LOPA)
Outputs: Potential Hazards, Hazard Consequences, Layers of Protection, Hazard Frequencies

Standard Objective: Identify process hazards, estimate their risks and decide if the risk is tolerable

GOAL: ANALYSIS -> UNDERSTANDING -> IMPROVEMENT



Safety Lifecycle as Risk Controller (figure: the lifecycle drawn as a feedback control loop)
- Set point: Tolerable Risk
- Measured value compared against the set point: Analysed Risk
- Controller output: Safety Requirements Specification and Other Means of Risk Reduction
- Actuation: Design and Build, then Validate vs Spec
- Process: Operations
- Feedback: Proof Testing and SIS Demand Review of Actual Risk
- Disturbance input: Equipment Modification Request


Tip 2: Define Risk and Risk Tolerance Properly


Risk is a measure of the likelihood and consequence of an adverse effect (i.e., how often can it happen and what will be the effects if it does?)

Risk receptors:
- Personnel
- Environment
- Financial: Equipment/Property Damage, Business Interruption, Business Liability, Company Image, Lost Market Share

Defining Tolerable Risk
- Needs both rigor and flexibility
- Needs to consider all relevant forms of harm
- Needs to be consistent with both company and society practice
- Its form defines the SIL target selection method
- Often a difficult and long-lead part of the safety lifecycle

Individual Risk and ALARP (figure: individual risk per year, high risk at the top)
- Intolerable Region ("No way"): above about 10^-3/yr for workers and 10^-4/yr for the public
- ALARP or Tolerable Region ("If it's worth it"): between those limits and 10^-6/yr; risk is reduced as low as reasonably practicable
- Broadly Acceptable Region, Negligible Risk ("We accept it"): below 10^-6/yr

Tolerable Risk Level Example
All potential hazards must have less than
- 0.0005 fatal accidents per (Person, Hazard or Site) per year
- 0.005 injuries per (Person, Hazard or Site) per year
- 0.01 significant environmental releases per (Hazard or Site) per year
- $500,000 in business loss per (Hazard or Site) per year, etc.

The difference between per hazard and per site can be up to a factor of 100!

Tip 3: Go All the Way from Hazard to Harm

HAZARD:
A potential source of harm
(IEC 61508-4, Sub clause 3.1.2)

A chemical or physical condition that has the potential for causing damage to people, property, or the environment (e.g., a pressurized tank containing 500 tons of ammonia)
(CCPS, Guidelines for CPQRA)

Term: Initiating Event


Initiating Event: The first event in an event sequence that can lead to an accident (e.g., the failure of a pump motor which stops ammonia flow in a process line)


Term: Intermediate Event


Intermediate Event: An event that propagates or mitigates the initiating event during an event sequence (e.g., low flow alarm failure, valve interlock failure, relief valve failure)


More Escalation Terms
- Incident: The loss of containment of material or energy (e.g., leak of 10 kg/s of ammonia). Often the central point on a Bow Tie diagram.
- Incident Outcome: Form of the release (e.g., toxic release, pool fire, flash fire, vapor cloud explosion)
- Consequence: Expected effects of an incident outcome case (e.g., 2 fatalities, 10 injuries, $1 Million damage, 4 weeks downtime)


From Potential To Reality
Analyze the full chain of events that leads to an accident (figure):
- Failure -> Initiating Event (Pump Fails)
- Failure -> Intermediate Event (Alarm Fails)
- Failure -> Intermediate Event (Relief Fails)
- Incident (loss of containment)
- Circumstance -> Incident Outcome (10 kg/sec with Area Occupied)
- Accident -> Consequence (Death, Injury, and Damage)

Break the problem into generic events which are more likely to have supporting data.
Calculate likelihood using probability logic.

Tip 4: Use LOPA Properly

Layer Of Protection Analysis: a risk assessment method often used to determine Safety Integrity Level (SIL) targets based on
- Consequence severity
- Initiating event frequency
- Likelihood of failure of independent protection layers
- Scenario risk compared to tolerable risk target

Semi-quantitative or quantitative tool. Requires hazard identification input from HAZOP or equivalent.

What LOPA does
LOPA helps reproducibly evaluate risks and identify additional risk reduction opportunities.
Each LOPA scenario is limited to a single cause-consequence pair (one path through an event tree).

(Figure, source: AIChE CCPS LOPA Fig 2.2, Comparison of LOPA and event tree analysis)
Initiating Event -> IPL1 -> IPL2 -> IPL3 -> Consequence Occurs
- IPL1 success: Safe Outcome
- IPL1 failure, IPL2 success: Undesired but tolerable outcome
- IPL2 failure, IPL3 success: Undesired but tolerable outcome
- IPL3 failure: Consequences exceeding criteria
LOPA quantifies only the path on which every IPL fails; the event tree quantifies every branch.
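The LOPA walk described in Tips 3 and 4, as an added worked example (this is not code from the webinar or from exida's tools). One constructed initiating event is traced through the existing IPLs and an occupancy conditional modifier so that every branch of the event tree is visible; the frequency of the all-IPLs-fail branch is then compared with a tolerable frequency to get the required risk reduction factor (RRF) and the IEC 61511 SIL band a new SIF would need. The per-site fatality target of Tip 2 is allocated across an assumed number of hazards, which is where the "factor of 100" between per-site and per-hazard targets comes from. The pump failure frequency, IPL PFDs, occupancy fraction and hazard count are all assumptions made for illustration.

```python
"""LOPA scenario walk-through (added example, constructed numbers)."""
from typing import Dict, List, Tuple


class IPL:
    """An independent protection layer with its probability of failure on demand."""

    def __init__(self, name: str, pfd: float):
        assert 0.0 < pfd <= 1.0, "PFD must be in (0, 1]"
        self.name = name
        self.pfd = pfd


def event_tree(initiating_event_freq: float, ipls: List[IPL],
               conditional_modifiers: Dict[str, float]) -> List[Tuple[str, float]]:
    """Return (branch label, frequency per year) for every branch of the tree.

    At each IPL the success branch leaves the tree as a safe or tolerable
    outcome and the failure branch continues. Each conditional modifier
    (e.g. occupancy) likewise splits the surviving frequency into a "no harm"
    branch and the branch that continues, so the branch frequencies always
    sum to the initiating event frequency.
    """
    branches = []
    freq = initiating_event_freq
    for ipl in ipls:
        branches.append((f"{ipl.name} succeeds -> safe outcome", freq * (1.0 - ipl.pfd)))
        freq *= ipl.pfd
    for name, p in conditional_modifiers.items():
        branches.append((f"{name} not met -> no harm", freq * (1.0 - p)))
        freq *= p
    branches.append(("all IPLs fail -> consequence", freq))
    return branches


def mitigated_frequency(initiating_event_freq, ipls, conditional_modifiers) -> float:
    """Frequency of the consequence: LOPA looks only at this last branch."""
    return event_tree(initiating_event_freq, ipls, conditional_modifiers)[-1][1]


def tolerable_per_hazard(site_target: float, hazards_on_site: int) -> float:
    """Allocate a per-site target across hazards (100 hazards -> 100x stricter)."""
    return site_target / hazards_on_site


def required_rrf(mitigated_freq: float, tolerable_freq: float) -> float:
    """Additional risk reduction needed; 1.0 means the target is already met."""
    return max(1.0, mitigated_freq / tolerable_freq)


def sil_for_rrf(rrf: float):
    """Low-demand SIL bands of IEC 61511 (RRF = 1/PFDavg).

    0 when RRF <= 10 (no SIL-rated function needed), 1..4 for the bands,
    None when more than RRF 100,000 is asked for (redesign the process instead).
    """
    if rrf <= 10:
        return 0
    for sil, upper in ((1, 100), (2, 1_000), (3, 10_000), (4, 100_000)):
        if rrf <= upper:
            return sil
    return None


# Constructed scenario following the ammonia chain of Tip 3 (all values assumed):
# the feed pump fails, the BPCS low-flow alarm with operator response and the
# relief valve are the existing IPLs, and the effect zone is occupied half the time.
PUMP_FAILURE_FREQ = 0.1                                          # per year
EXISTING_IPLS = [IPL("BPCS alarm + operator response", 0.1),     # Tip 5 credit
                 IPL("Relief valve", 0.02)]                      # RRF 50
MODIFIERS = {"area occupied": 0.5}
SITE_FATALITY_TARGET = 5e-4          # fatal accidents per site per year (Tip 2)
HAZARDS_ON_SITE = 100


def assess() -> Dict:
    """Run the whole LOPA for the constructed scenario and return the results."""
    f_mit = mitigated_frequency(PUMP_FAILURE_FREQ, EXISTING_IPLS, MODIFIERS)
    target = tolerable_per_hazard(SITE_FATALITY_TARGET, HAZARDS_ON_SITE)
    rrf = required_rrf(f_mit, target)
    return {"mitigated_freq": f_mit, "tolerable_freq": target,
            "required_rrf": rrf, "sil": sil_for_rrf(rrf)}


if __name__ == "__main__":
    for label, f in event_tree(PUMP_FAILURE_FREQ, EXISTING_IPLS, MODIFIERS):
        print(f"{f:10.2e}/yr  {label}")
    print(assess())
```

With these assumptions the consequence branch comes out at 1e-4/yr against a per-hazard target of 5e-6/yr, so an RRF of 20 is still needed: a SIL 1 function. Had the same 5e-4/yr target been applied per site rather than per hazard, no SIF would have been called for, which is exactly the factor-of-100 trap of Tip 2.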

failure
failure


Typical Layer of Protection Sequence (figure: concentric layers; the inner layers reduce LIKELIHOOD (PREVENTION), the outer layers reduce CONSEQUENCE (MITIGATION))
- Process control layer: Normal behaviour; Process value; Process alarm; Operator Intervention via the Basic Process Control System; Process shutdown
- Safety layer: Trip level alarm; Emergency Shut Down by the Safety Instrumented System
- Active protection layer: Relief valve, Rupture disk
- Passive protection layer: Dike
- Emergency response layer: Plant and Emergency Response


Independent Protection Layer (IPL) Attributes
- Specific: must be specifically designed to be capable of preventing the consequences of the potentially hazardous event
- Independent: must be completely independent from all other protection layers
- Dependable: must be capable of acting dependably to prevent the consequence from occurring (systematic and random faults)
- Auditable: must be tested and maintained to ensure risk reduction is continually achieved


Tip 5: Use IPLs Properly: Basic Process Control System (BPCS)

CONDITIONS
- The BPCS and SIS are physically separate devices, including sensors, logic solver and final elements
- Failure of the BPCS is not responsible for initiating the event
- The BPCS has the proper sensors and actuators available to perform a function similar to the one performed by the SIS

PFD ≥ 0.1 by definition (IEC 61511 does not allow a BPCS protection layer to be credited with a risk reduction factor greater than 10)



Operator Response as an IPL

CONDITIONS
- Operator Always Present
- Operator Has Indication of Problem
- Operator Has Time to Act
- Operator is Trained in the Proper Response

- PFD ~ 0.1 if all conditions met
- PFD ~ 0.3 if most conditions met
- PFD = 1.0 (no credit) if conditions not well met

Get direct Operator confirmation. (They know best and often are the ones at risk.)
PFD < 0.1 possible with Human Response Analysis (HRA)

Mechanical Relief Devices as IPLs
- Relief Valves
- Rupture Disks
- Fusible Plugs

Be careful to include the probability of incorrect installation as well as the probability of failure in service. Data shows a typical RRF of 50 to 70.

Mitigation Protection Layer: External Risk Reduction
- Fire Systems
- Water Spray Curtains
- Enclosures with Scrubbing
- Bunds or dikes

LOPA MUST INCLUDE BOTH the SMALL CONSEQUENCE when the system works AND the LARGE CONSEQUENCE when it fails, since BOTH CASES ARE RISKS!

Risk is usually minimized when the mitigation RRF equals the ratio of the small-consequence frequency target to the large-consequence frequency target (i.e., how many times more often the small consequence may be tolerated than the large one).
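The two-outcome rule above, as an added worked example (not code from the webinar or from exida). A release that reaches the mitigation layer yields the small consequence when the layer works and the large consequence when it fails; each outcome frequency must meet its own target, so the risk reduction still required upstream is set by whichever outcome is further from its target. Scanning the mitigation PFD shows that the demand on prevention is lowest when the mitigation RRF sits at roughly the ratio of the two targets, and that a "better" mitigation layer beyond that point buys nothing because the small consequence then dominates. The release frequency and both targets are assumed values.

```python
"""Mitigation layer with two outcomes (added example, constructed numbers)."""
from typing import Dict, Tuple


def outcome_frequencies(f_release: float, pfd_mitigation: float) -> Dict[str, float]:
    """Frequencies of both outcomes; neither branch may be dropped from the LOPA."""
    return {"small": f_release * (1.0 - pfd_mitigation),
            "large": f_release * pfd_mitigation}


def required_prevention_rrf(f_release: float, pfd_mitigation: float,
                            t_small: float, t_large: float) -> float:
    """Upstream RRF needed so that each outcome meets its target (1.0 = none)."""
    f = outcome_frequencies(f_release, pfd_mitigation)
    return max(1.0, f["small"] / t_small, f["large"] / t_large)


def optimal_mitigation_rrf(t_small: float, t_large: float) -> float:
    """Closed form: the two demands balance when PFD * t_small = (1 - PFD) * t_large,
    i.e. RRF = 1 + t_small / t_large, about t_small / t_large for a large ratio."""
    return 1.0 + t_small / t_large


def scan_mitigation(f_release: float, t_small: float, t_large: float,
                    steps: int = 4000) -> Tuple[float, float]:
    """Brute-force check of the closed form over a log grid of PFD values.
    Returns (best mitigation RRF, prevention RRF needed at that point)."""
    best_rrf, best_need = None, float("inf")
    for i in range(steps):
        pfd = 10 ** (-4.0 + 4.0 * i / steps)          # 1e-4 ... just under 1
        need = required_prevention_rrf(f_release, pfd, t_small, t_large)
        if need < best_need:
            best_rrf, best_need = 1.0 / pfd, need
    return best_rrf, best_need


# Constructed scenario (assumed values): a release once per 100 years on average;
# the contained (small) consequence tolerated up to once per 1000 years, the
# uncontained (large) consequence up to once per 100,000 years.
F_RELEASE = 1e-2
T_SMALL, T_LARGE = 1e-3, 1e-5

if __name__ == "__main__":
    for rrf_mit in (10, 100, 1000):
        need = required_prevention_rrf(F_RELEASE, 1.0 / rrf_mit, T_SMALL, T_LARGE)
        print(f"mitigation RRF {rrf_mit:5d}: prevention RRF still needed {need:6.2f}")
    print("closed-form optimum mitigation RRF:", optimal_mitigation_rrf(T_SMALL, T_LARGE))
    print("scanned optimum (RRF, prevention needed):", scan_mitigation(F_RELEASE, T_SMALL, T_LARGE))
```

With these numbers a dike rated at RRF 10 leaves a prevention demand of 100 because the large consequence dominates; at RRF 100 the demand drops to 10; at RRF 1000 it is still about 10, now set by the small consequence. Ignoring the small-consequence branch would have made the RRF 1000 layer look like it removed the problem entirely.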

Conditional Modifier: Occupancy

P = Time of Occupancy / Total Time

Fraction of time that the effect zone of the incident outcome in question is occupied. Not valid if occupancy is already accounted for in the consequence analysis.

Be Careful! Occupancy correlates with both initiating events and other protection layer failures. (People usually go towards a hazard to try to fix it.)


Tip 6: Avoid Independent Event Errors

Independent: P(A AND B) = P(A) * P(B)
Positively Correlated: P(A AND B) >> P(A) * P(B)
(Venn diagrams of A and B for each case)

Ignoring event correlation can easily cause more than a 10X error in risk estimates!

Consider Common Modes of Failure

Assume that the proposed operator and DCS protection layers share the same sensor and DCS logic solver, but with the operator using a different manual field valve to shut off the process. The common elements change the combined failure probability by a factor of 2.5.

(Fault tree, top event: Combined Operator/DCS Layer Fails, P = 0.05; if the two layers were independent, P = 0.02 = 0.14 x 0.14)
- Sensor Fails: P = 0.01 (common to both layers)
- DCS Fails: P = 0.03 (common to both layers)
- Operator Valve Fails: P = 0.1
- DCS Valve Fails: P = 0.1
- Both valves fail (the only truly independent part): P = 0.01
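The shared-sensor fault tree above, evaluated exactly, as an added example (not the webinar's or exida's code; only the basic-event probabilities come from the slide). The top-event probability is computed by enumerating every combination of basic-event states, once for each layer on its own and once for the joint event, so the naive product of the two layer probabilities can be compared with the correct joint probability. The rare-event sums used on the slide (0.14 x 0.14 = 0.02 versus 0.01 + 0.03 + 0.01 = 0.05) are reproduced alongside for comparison.

```python
"""Common-mode fault tree evaluation (added example; slide's probabilities)."""
from itertools import product
from typing import Callable, Dict

# Probability that each basic event has failed (values from the slide)
BASIC_EVENTS: Dict[str, float] = {
    "sensor": 0.01,      # shared by both layers
    "dcs": 0.03,         # shared logic solver
    "op_valve": 0.10,    # manual field valve used by the operator
    "dcs_valve": 0.10,   # automatic valve driven by the DCS
}

State = Dict[str, bool]  # basic event name -> True if that event has failed


def operator_layer_fails(s: State) -> bool:
    return s["sensor"] or s["dcs"] or s["op_valve"]


def dcs_layer_fails(s: State) -> bool:
    return s["sensor"] or s["dcs"] or s["dcs_valve"]


def both_layers_fail(s: State) -> bool:
    return operator_layer_fails(s) and dcs_layer_fails(s)


def probability(top: Callable[[State], bool],
                basic: Dict[str, float] = BASIC_EVENTS) -> float:
    """Exact P(top event) by summing the probability of every one of the 2^n
    basic-event states in which the top event is true. Fine for a handful of
    events; a real tree would use minimal cut sets instead."""
    names = list(basic)
    total = 0.0
    for flags in product((False, True), repeat=len(names)):
        s = dict(zip(names, flags))
        p = 1.0
        for n, failed in s.items():
            p *= basic[n] if failed else 1.0 - basic[n]
        if top(s):
            total += p
    return total


def rare_event_sum(*probs: float) -> float:
    """Rare-event approximation used on the slide: P(A or B) ~ P(A) + P(B)."""
    return sum(probs)


def compare_independence_assumption() -> Dict[str, float]:
    """Naive product of the two layer probabilities vs. the exact joint probability."""
    p_op = probability(operator_layer_fails)
    p_dcs = probability(dcs_layer_fails)
    naive = p_op * p_dcs                    # wrong: pretends the layers share nothing
    actual = probability(both_layers_fail)  # right: joint event over the same basic events
    return {"p_operator_layer": p_op, "p_dcs_layer": p_dcs,
            "naive_product": naive, "actual": actual, "error_factor": actual / naive}


if __name__ == "__main__":
    for k, v in compare_independence_assumption().items():
        print(f"{k:18s} {v:.4f}")
    # Slide arithmetic in rare-event style
    layer = rare_event_sum(0.01, 0.03, 0.10)
    shared = rare_event_sum(0.01, 0.03, 0.10 * 0.10)
    print(f"slide approximation: {layer * layer:.4f} (independent) vs {shared:.4f} (shared)")
```

Exactly evaluated, each layer fails with probability 0.136, the naive product is 0.018 and the true joint probability is 0.049, an error factor of about 2.7 (2.5 with the slide's rounded sums). The same enumerator is what turns the "independent events" slip into a number a reviewer can check.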


Tip 7: Look at All the Options

(Figure: risk scale with Increasing Risk upward; Process Risk at the top, Tolerable Risk in the middle, Residual Risk at the bottom. Minimum Risk Reduction brings the Process Risk down to the Tolerable Risk; Optimal Risk Reduction (ALARP) goes further, down to the Residual Risk.)

Options, simplest first: Process? Design? BPCS? Alarms? Relief? SIF?

Consider the simpler risk reduction methods first.
SIFs are typically more complicated and more expensive.

Risk Reduction using Inherent Risk
- Inherent risk measures the fundamental magnitude of a consequence
- Manage inherent risk by reducing toxic, flammable or explosive inventories
- Good process engineering support is vital
(Figure: a large versus a small inventory of flammable material)


Risk Reduction using Geographic Risk
Geographic risk measures the probability an event will occur in a specific geographic location.
(Figure: plot plan with equipment items P-101, P-102, P-103, D-101, D-102, V-101, V-102 and individual-risk contours of 10^-3, 10^-4 and 10^-5 per year)
Manage personnel risk by controlling where the people are: control room, work areas and pathways.

Non-SIS Risk Reduction
(Figure: risk diagram with Likelihood on the vertical axis and Consequence on the horizontal axis, Increasing Risk toward the top right; regions: Acceptable Risk Region, ALARP Risk Region, Unacceptable Risk Region)
- The Inherent Risk of the Process starts in the Unacceptable Risk Region
- Non-SIS Risk Reduction, e.g. Pressure Relief Valves, moves the point down (lower likelihood)
- Consequence Reduction, e.g., material reduction, containment dikes, physical protection, moves the point left (lower consequence)

SIS Risk Reduction
(Figure: the same likelihood vs. consequence diagram as the previous slide)
- Inherent Risk of the Process
- Non-SIS Risk Reduction, e.g. Pressure Relief Valves
- Consequence Reduction, e.g., material reduction, containment dikes, physical protection
- SIS Risk Reduction (SIL 1-3) supplies the remaining likelihood reduction needed to reach the Acceptable or ALARP Risk Region

TIP 8: Manage Risk for Both Kinds of Failures


Random Failures
A failure occurring at a random time (so statistical methods work), which results from one or more degradation mechanisms.

Systematic Failures
A failure coming from a direct cause, which can only be eliminated by changing the design, manufacturing process, operational procedures, documentation, or other relevant factors (so statistical methods fail and functional safety management is needed).


Managing Systematic Failures
The Safety Lifecycle and Functional Safety Management are about
- People
- Procedures
- Paperwork

Apply the same diversity to these as for equipment to ensure systematic errors are:
- Rarely created
- Easily identified
- Promptly corrected

Use Independent Assessment
Functional Safety Assessment: an independent and diverse cross check of safety lifecycle work to identify and correct systematic failures.
If you know you are not smart, hire smart people. If you are smart, hire other smart people who are not afraid to disagree with you.

Tip 9: Consider Cost Benefit Analysis
- Can focus on financial risk in units of dollars per year
- Very useful in finding optimal cost solutions when financial risk sets the SIL target
- Balance: cost of residual risk (with SIF) vs. cost of more or less risk reduction
- Identifies over design where SIF costs are much greater than residual risk
- Identifies under design where residual risk costs are much greater than SIF costs


SIF Costs to Consider
- Design, Capital Equipment, and Installation
- Maintenance, Testing, and Spurious trip down time
- Typically $5,000 to $100,000 per year

If residual risk < $2,000 per year you have potential overdesign.
If residual risk > $200,000 per year you have potential underdesign.
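The cost balance of Tip 9 carried through for a set of candidate SIFs, as an added example (not the webinar's Lifecycle Cost Estimator or any exida code). For each option the annualized SIF cost is added to the annual cost of the residual risk, i.e. the loss-event frequency after the SIF times the loss per event; the cheapest total is the cost-optimal design, and each option is also screened against the $2,000 and $200,000 per year thresholds quoted above. The loss frequency, loss per event, achieved RRFs and annual SIF costs are all constructed for illustration.

```python
"""SIF cost-benefit comparison (added example, constructed numbers)."""
from typing import Dict, List, Tuple

OVERDESIGN_THRESHOLD = 2_000      # $/yr of residual risk below which to suspect overdesign
UNDERDESIGN_THRESHOLD = 200_000   # $/yr of residual risk above which to suspect underdesign


def residual_risk_cost(unmitigated_freq: float, loss_per_event: float, rrf: float) -> float:
    """Expected annual loss remaining after a SIF with the given RRF."""
    return unmitigated_freq / rrf * loss_per_event


def classify(residual_cost: float) -> str:
    """Apply the slide's screening thresholds to a residual risk in $/yr."""
    if residual_cost < OVERDESIGN_THRESHOLD:
        return "potential overdesign"
    if residual_cost > UNDERDESIGN_THRESHOLD:
        return "potential underdesign"
    return "balanced"


def evaluate_options(unmitigated_freq: float, loss_per_event: float,
                     options: List[Tuple[str, float, float]]) -> List[Dict]:
    """options: (label, achieved RRF, annual SIF cost in $/yr covering capital
    spread over its life plus maintenance, testing and spurious-trip downtime)."""
    rows = []
    for label, rrf, sif_cost in options:
        residual = residual_risk_cost(unmitigated_freq, loss_per_event, rrf)
        rows.append({"option": label, "rrf": rrf, "sif_cost": sif_cost,
                     "residual_cost": residual, "total": sif_cost + residual,
                     "verdict": classify(residual)})
    return rows


def cheapest(rows: List[Dict]) -> Dict:
    """The cost-optimal option: lowest SIF cost plus residual risk cost."""
    return min(rows, key=lambda r: r["total"])


# Constructed case (assumed values): a $5 M loss event expected once per 10 years
# without a SIF, and three candidate SIFs with their achieved RRF and annual cost.
UNMITIGATED_FREQ = 0.1
LOSS_PER_EVENT = 5_000_000
OPTIONS = [
    ("no SIF", 1, 0),
    ("SIL 1 (RRF 30)", 30, 10_000),
    ("SIL 2 (RRF 300)", 300, 30_000),
    ("SIL 3 (RRF 3000)", 3000, 80_000),
]

if __name__ == "__main__":
    rows = evaluate_options(UNMITIGATED_FREQ, LOSS_PER_EVENT, OPTIONS)
    for r in rows:
        print(f"{r['option']:18s} SIF ${r['sif_cost']:>8,.0f}/yr  "
              f"residual ${r['residual_cost']:>10,.0f}/yr  "
              f"total ${r['total']:>10,.0f}/yr  {r['verdict']}")
    print("cost-optimal:", cheapest(rows)["option"])
```

With these numbers doing nothing leaves $500,000/yr of residual risk (underdesign), SIL 1 costs $26,667/yr in total, SIL 2 costs more in total and already trips the overdesign screen at $1,667/yr of residual risk, and SIL 3 is paying $80,000/yr to remove $167/yr of risk.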

SLC Engineering Tools Lifecycle Cost Estimator


Tip 10: Consider the Safety Requirements Specification

Definition (IEC 61511): specification that contains all the requirements of the safety instrumented functions in a safety instrumented system

Objective: specify all requirements of the SIS needed for detailed engineering and process safety information purposes

Functional Requirements: description of the functions of the SIF; how it should work

Integrity Requirements: the risk reduction and reliability requirements; how well it should work; how quickly it should work

Often a contractual document prepared by one company and executed by another



The SRS as a Living Document
The SRS is the backbone not just of the project Implementation & Testing but also a key point of reference during the Operation phase. The SRS should be constructed in a way that is:
- Clear: jargon-free so everybody can read it
- Concise: to-the-point with minimal repetition
- Complete: all functional, integrity and non-functional requirements covered
- Consistent: avoid contradicting statements or requirements

All modifications should be evaluated against the SRS; the better the background information provided, the better informed the change impact assessment.

SRS: The Source of Knowledge (figure)
Analysis inputs: Process Information, Hazard Information, Hazard Frequencies, Hazard Consequences, Target SIL, Regulatory Requirements
Safety Requirement Specification contents: Functionality, Integrity, System, Procedures, Information & Revision
Implementation outputs: Hardware & Software Conceptual & Detailed Design & Validation
Operation outputs: Operations, Maintenance & Modifications


Review
1. Get the Safety Lifecycle Context Right
2. Define Risk and Risk Tolerance Properly
3. Go All the Way from Hazard to Harm
4. Use LOPA Properly
5. Use Independent Protection Layers (IPLs) Properly


Review Continued
6. Avoid Independent Event Errors
7. Look at All the Options
8. Manage Risk for Both Kinds of Failure
9. Consider Cost Benefit Analysis
10. Consider the Safety Requirements Specification


Questions now or by email: escharpf@exida.com

