
Prepared By: Amiya Ray Sandeep Sidhu



In safety standards such as IEC 61511, what's at risk is identified as personnel and the environment. However, most companies use an expanded list of risk categories that can also include:
- Public safety and health
- Liability costs
- Production interruptions and quality issues
- Equipment damage and repair costs

Risk has two components: what is the likelihood that a harmful event will happen, and what are the consequences if it does?

The challenge is to identify risks in advance so that they can be reduced or eliminated, for example by changing a product's formulation or by reducing the quantities of hazardous material present.

Hazard identification and risk analysis techniques include:
- Preliminary Hazard Analysis
- Risk Analysis during HAZOP Study
- Fault Tree Analysis
- Event Tree Analysis
- Cause-Consequence Analysis

Sample likelihood risk assessment model

Likelihood                                  | Type of events
Low (e.g., less than 1/10,000 annually)     | Events such as multiple failures of diverse instruments or valves, multiple human errors in a stress-free environment, or spontaneous failures of process vessels.
Medium (e.g., 1/10,000 to 1/1,000 annually) | Events such as dual instrument or valve failures, or major releases in loading/unloading areas.
High (e.g., more than 1/1,000 annually)     | Events such as process leaks, single instrument or valve failures, or human errors that result in small releases of hazardous materials.

Adapted from IEC 61511-3, Table C.1 - Frequency of hazardous event likelihood

Sample consequence risk assessment model

Consequence | Example criteria
Minor       | e.g., injury, or more than $120,000 of damage or lost production
Serious     | e.g., hospitalization, or more than $250,000 of damage or lost production
Extensive   | e.g., death, or more than $1,000,000 of damage or lost production

Adapted from IEC 61511-3, Table C.2 - Criteria for rating the severity of impact of hazardous events

The purpose of a plant safety program, including its safety instrumented systems, is to ensure that the exposure to these risks is tolerable at all times.

IEC 61511 describes tolerable risk as risk which is accepted in a given context based on the current values of society. Regulatory bodies such as the Occupational Safety & Health Administration (OSHA) and the Environmental Protection Agency (EPA) also shape what is considered tolerable.


If inherent risk is greater than tolerable risk, the first choice should be to eliminate the risk. If it can't be eliminated, it must be minimized or mitigated by active means such as relief valves or safety systems, or by passive means such as containment dikes or bunds. But how safe is safe enough? That's why it's important to identify how much the risks need to be reduced, and then design a solution that delivers the appropriate level of protection.

How much do we need to reduce the risk? There are two ways of finding an answer: quantitative and qualitative.

Quantitative. The total risk is the sum of the individual risks (Risk a + Risk b + Risk c + Risk d + ... + Risk z). For each hazard, the inherent risk and the tolerable risk are related by the Risk Reduction Factor (RRF):

    Risk (inherent) = RRF x Risk (tolerable), i.e. RRF = Risk (inherent) / Risk (tolerable)

For example, we may want to reduce the frequency of a fatality from once every 10 years to once every 10,000 years. In other words, we want to reduce risk by a factor of 1,000, which is our Risk Reduction Factor or RRF. Although this approach is used increasingly often, it raises two challenges. We need to collect a lot of data to make the calculations meaningful. And we have to express specific, quantified levels of risk that we're


Qualitative. The second way of assessing the required risk reduction is to use qualitative rankings like those in the example consequence and likelihood models introduced above. For example, we might rank the likelihood of a tank rupture as "medium" and the consequence as "serious."


So how do we achieve the necessary level of risk reduction? By adding protection layers. Safety standards define a protection layer as "any independent mechanism that reduces risk by control, prevention, or mitigation." The sum of the protection layers provides what is called functional safety: the functionality that ensures freedom from unacceptable risk.


The safety instrumented system (SIS) provides an independent protection layer that is designed to bring the process to a safe state when a hazardous condition occurs. A typical SIS might include:
- Sensors, logic solvers, and final control elements
- Power and grounding
- Communication networks
- Supporting elements such as HART multiplexers and asset-management software



Consequence: the outcome of the hazardous event that the safety system is designed to prevent, i.e. what happens if the safety system fails. The consequence can include impacts on safety, economics or the environment.

Probability of Failure on Demand (PFD): the probability that the SIS will fail to respond to a process demand. This is related to the covert (undetected) failure of the SIS.

Availability: the fraction of time that the SIS is available to prevent or mitigate hazardous events.

Process Demand: a condition that requires the action of the SIS to prevent a hazardous event.

What is PFD?

PFD is the Probability of Failure on Demand. Global standards describe safety in terms of PFD. IEC 61508 requires that a SIL (Safety Integrity Level) be selected as the safety integrity requirement for a safety instrumented system. A higher SIL means more safety:

SIL | PFD (average, low demand mode) | RRF (Risk Reduction Factor)
4   | 10^-5 to less than 10^-4       | 10,000 to 100,000
3   | 10^-4 to less than 10^-3       | 1,000 to 10,000
2   | 10^-3 to less than 10^-2       | 100 to 1,000
1   | 10^-2 to less than 10^-1       | 10 to 100

Looked at from the viewpoint of the safety integrity requirement: specifying SIL 3 for a safety instrumented system to be introduced means that the SIS is asked to reduce the frequency with which the original hazardous situation occurs to 1/1,000 or less, because the PFD of SIL 3 is 10^-4 or above and less than 10^-3.

In other words, by installing such a safety instrumented system in a plant where no countermeasures are in place and a hazardous event may occur once every 10 years, it becomes possible to reduce this frequency to once or less in every 10,000 years.


Classifying the failure

Failures are classified along two axes: detected or undetected (by the system's self-diagnostics), and dangerous or safe. When a failure is detected, action can be taken for safety even if the failure is a dangerous one (for example, driving the process to a safe state and repairing). When a failure is undetected, safety relies on the failure being a safe one, or on it being revealed by a proof test.


Reliability is achieved by reducing the overall failure rate. Safety is achieved by classifying the failures and reducing the undetected dangerous failure rate, λdu.

The random hardware failure rate λ is split into four classes:

             Safe    Dangerous
Detected     λsd     λdd
Undetected   λsu     λdu

In the case of an undetected dangerous failure, taking action for safety is impossible except through a proof test. The undetected dangerous failure rate λdu must therefore be reduced. How can it be reduced?


State transition model

States: 0 = normal, 1 = detected dangerous failure, 2 = undetected dangerous failure.

Model A: state 0 transits to state 1 at rate λdd (detected dangerous failure rate) and recovers to 0 at rate μd = 1/MTTR, where MTTR is the Mean Time To Repair.

Model B: state 0 transits to state 2 at rate λdu (undetected dangerous failure rate) and is recovered only by a proof test. The time spent in state 2 depends on T, the mean time between proof tests: on average the failure stays unrevealed for T/2, so the recovery rate is μu = 1/(T/2).

MTTR is much shorter than T/2; typically MTTR is less than T/100. The average PFD is therefore

    PFDavg = λdd × MTTR + λdu × (T/2)

where the first term covers failures detected by self-diagnosis and the second covers failures detected only by proof test. Since MTTR is small, the second term dominates: to minimize PFDavg, minimizing λdu is most important, and shortening the proof-test interval T also helps.
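As an added worked example (not part of the original slides), the following Python puts the PFDavg formula above together with the SIL bands from the PFD table, so the effect of diagnostics and of the proof-test interval can be compared. The failure rate, repair time and proof-test intervals in the scenarios are assumed values chosen for illustration, and the split of the dangerous failure rate into λdd and λdu by a "diagnostic coverage" fraction is a modelling assumption for the example, not something the slides state.

```python
"""PFDavg of a single channel from the page's repair model, with the SIL and
RRF it corresponds to. Added example; all scenario numbers are assumed."""

HOURS_PER_YEAR = 8760.0

# Low-demand-mode SIL bands as (SIL, PFDavg lower bound, PFDavg upper bound).
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


def pfd_avg(lambda_dd, lambda_du, mttr_h, proof_test_h):
    """PFDavg = lambda_dd * MTTR + lambda_du * (T / 2).

    lambda_dd, lambda_du : detected / undetected dangerous failure rates (1/h)
    mttr_h               : mean time to repair a detected dangerous failure (h)
    proof_test_h         : proof-test interval T (h); an undetected dangerous
                           failure stays unrevealed for T/2 on average
    """
    for value in (lambda_dd, lambda_du, mttr_h, proof_test_h):
        if value < 0:
            raise ValueError("rates and times must be non-negative")
    return lambda_dd * mttr_h + lambda_du * (proof_test_h / 2.0)


def rrf(pfd):
    """Risk Reduction Factor: the reciprocal of PFDavg."""
    if pfd <= 0:
        raise ValueError("PFDavg must be positive")
    return 1.0 / pfd


def sil_from_pfd(pfd):
    """SIL band for a PFDavg, or None when PFDavg >= 0.1 (does not reach SIL 1).
    PFDavg below 1e-5 is reported as 4; the standards define no higher band."""
    if pfd >= 1e-1:
        return None
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return 4


def split_dangerous(lambda_d, diagnostic_coverage):
    """Modelling assumption for this example: self-diagnostics reveal a fixed
    fraction (coverage, 0..1) of dangerous failures. Returns (lambda_dd, lambda_du)."""
    if not 0.0 <= diagnostic_coverage <= 1.0:
        raise ValueError("coverage must be between 0 and 1")
    return lambda_d * diagnostic_coverage, lambda_d * (1.0 - diagnostic_coverage)


def evaluate(lambda_d, diagnostic_coverage, mttr_h, proof_test_h):
    """Return (PFDavg, RRF, SIL) for one channel under the given assumptions."""
    lambda_dd, lambda_du = split_dangerous(lambda_d, diagnostic_coverage)
    pfd = pfd_avg(lambda_dd, lambda_du, mttr_h, proof_test_h)
    return pfd, rrf(pfd), sil_from_pfd(pfd)


if __name__ == "__main__":
    # Assumed channel: dangerous failure rate 1e-6 per hour, 8 h repair time.
    LAMBDA_D, MTTR = 1e-6, 8.0
    scenarios = [
        ("no diagnostics, yearly proof test",      0.0, MTTR, 1.0 * HOURS_PER_YEAR),
        ("no diagnostics, quarterly proof test",   0.0, MTTR, 0.25 * HOURS_PER_YEAR),
        ("90 % diagnostic coverage, yearly test",  0.9, MTTR, 1.0 * HOURS_PER_YEAR),
    ]
    for name, coverage, mttr, t in scenarios:
        pfd, factor, sil = evaluate(LAMBDA_D, coverage, mttr, t)
        print(f"{name:40s} PFDavg={pfd:.2e} RRF={factor:8.0f} SIL={sil}")
```

With the assumed numbers, the undiagnosed channel tested yearly lands in SIL 2 (PFDavg about 4.4e-3); testing it quarterly cuts PFDavg by four but stays in SIL 2, while 90 % diagnostic coverage moves most of λd into the small λdd × MTTR term and reaches SIL 3. That is the page's point in numbers: λdu × T/2 dominates, so reducing λdu buys more than shortening T.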


With a self-diagnostic function

             Detected   Undetected
Safe         λsd        λsu
Dangerous    λdd        λdu

Self-diagnostics move failures from the undetected column to the detected column, so that most of the dangerous failure rate becomes λdd and only a small undetected dangerous part λdu remains.


Examples of self-diagnostic functions:
- CPU failure detection: activating the CPU circuit periodically and checking the status
- Processor failure detection: comparison of results between redundant processors
- Controller and switch failure detection: switching off periodically and checking the status
- Input short-circuit failure detection: monitoring the circuit periodically
- Output short-circuit failure detection: monitoring the load impedance

[Figure: Safety Instrumented System block diagram. Elements shown: Power Supply, Pressure SW, Input, Calculation, Output, Solenoid Valve, Relief Valve. Note on the figure: "Replace with diagnostic sensor".]



Fault Tree Analysis

Quantitative risk assessment was performed by modeling the safety instrumented system using Fault Tree Analysis (FTA). FTA was chosen because it is a very structured, systematic, and rigorous technique that lends itself well to quantification.

Key assumptions for fault tree calculations for a SIF:
- Component failure and repair rates are assumed to be constant over the life of the SIF.
- Once a component has failed in one of the possible failure modes it cannot fail again in one of the remaining failure modes. It can only fail again after it has first been repaired.
- The Test Interval (TI) is assumed to be much shorter than the Mean Time To Failure (MTTF).
- The logic solver failure rate includes the input modules, logic solver, output modules and power supplies.
- The sensor failure rate includes everything from the sensor up to the signal isolators in the marshalling cabinet, including the process impacts (e.g., a plugged impulse line to a transmitter).






Voting Scheme

The field device and logic configurations are defined as follows:
- 1oo1: Single; no voting
- 1oo2: Dual; fail-safe arrangement (one-out-of-two voting to trip)
- 2oo2: Dual; fail-operational arrangement (two-out-of-two voting to trip)
- 2oo3: Triple; fail-safe and fail-operational arrangement (two-out-of-three voting to trip)
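As an added example (not part of the original slides), the Python below encodes MooN voting and checks the fail-safe and fail-operational properties claimed for each arrangement above. The channel model is an assumption for the example: a dangerous channel failure is a channel stuck at "normal" (it can no longer vote to trip), and a safe channel failure is a channel stuck at "trip" (a spurious vote). The parser accepts any MooN string such as "3oo5", so it goes beyond the four arrangements listed on the page.

```python
"""MooN voting and single-fault tolerance of SIS architectures. Added example."""
import re
from itertools import combinations

_MOON = re.compile(r"^(\d+)oo(\d+)$")


def parse_moon(arch):
    """'2oo3' -> (2, 3): M channels out of N must vote 'trip' to trip."""
    match = _MOON.match(arch)
    if not match:
        raise ValueError(f"not a MooN architecture: {arch!r}")
    m, n = int(match.group(1)), int(match.group(2))
    if not 1 <= m <= n:
        raise ValueError(f"M must satisfy 1 <= M <= N: {arch!r}")
    return m, n


def vote(arch, trip_votes):
    """Trip decision: True when at least M of the N channel votes are 'trip'."""
    m, n = parse_moon(arch)
    votes = list(trip_votes)
    if len(votes) != n:
        raise ValueError(f"{arch} needs {n} votes, got {len(votes)}")
    return sum(1 for v in votes if v) >= m


def trips_on_demand(arch, dangerous_failed):
    """Real demand: healthy channels vote trip; dangerously failed channels
    (assumed model) are stuck at 'normal' and cannot vote to trip."""
    _, n = parse_moon(arch)
    return vote(arch, [i not in dangerous_failed for i in range(n)])


def spurious_trip(arch, safe_failed):
    """No demand: healthy channels vote normal; safely failed channels
    (assumed model) are stuck at 'trip' and cast a spurious vote."""
    _, n = parse_moon(arch)
    return vote(arch, [i in safe_failed for i in range(n)])


def _max_tolerated(arch, still_ok):
    """Largest k such that every k-subset of failed channels keeps still_ok True."""
    _, n = parse_moon(arch)
    tolerated = 0
    for k in range(1, n + 1):
        if all(still_ok(set(failed)) for failed in combinations(range(n), k)):
            tolerated = k
        else:
            break
    return tolerated


def dangerous_fault_tolerance(arch):
    """Number of dangerously failed channels the arrangement can carry and
    still trip on demand (N - M for MooN)."""
    return _max_tolerated(arch, lambda failed: trips_on_demand(arch, failed))


def safe_fault_tolerance(arch):
    """Number of safely failed channels the arrangement can carry without a
    spurious trip (M - 1 for MooN)."""
    return _max_tolerated(arch, lambda failed: not spurious_trip(arch, failed))


def classify(arch):
    """Label in the page's terms, from single-fault behaviour."""
    fail_safe = dangerous_fault_tolerance(arch) >= 1
    fail_operational = safe_fault_tolerance(arch) >= 1
    if fail_safe and fail_operational:
        return "fail safe & fail operational"
    if fail_safe:
        return "fail safe"
    if fail_operational:
        return "fail operational"
    return "no single-fault tolerance"


if __name__ == "__main__":
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3", "3oo5"):
        print(f"{arch}: dangerous faults tolerated={dangerous_fault_tolerance(arch)}, "
              f"safe faults tolerated={safe_fault_tolerance(arch)} -> {classify(arch)}")
```

Running it reproduces the page's table: 1oo2 tolerates one dangerous channel failure but trips spuriously on one safe failure (fail safe), 2oo2 is the mirror image (fail operational), and 2oo3 tolerates one failure of either kind. The brute-force search over failed-channel subsets also confirms the general rule that MooN tolerates N - M dangerous failures and M - 1 safe failures.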