For Engineers
Roger L. Brauer
Agenda
System Safety
In life there are events that result in gains or losses for people and organizations. Most
people do not want losses, although they will take a chance at achieving a gain in the face
of some potential loss. Risk involves avoidance of losses and unwanted consequences as
well as the probability and potential for losses.
Rowe defines risk as the potential for realization of unwanted, negative consequences of an
event. Risk aversion is action taken to control or reduce risk. There are many definitions of
risk. For safety and health, a common definition of risk implies a quantitative concept: risk
is the product of the frequency and the severity of potential losses. Frequency is the probability of
occurrence of an event, such as once per week, once per year, or once every 100 years.
Severity is the potential loss when an event occurs. The loss may be expressed in human
terms, such as loss of life, serious injury, serious illness, number of cancer cases, and so
forth. The loss may also be expressed in financial terms, like dollars lost, cost to replace
lost equipment, cost of downtime, or cost to replace facilities. Loss may be expressed in
legal terms, such as claims, lawsuits, and liability.
There are formal risk assessment methods and risk management methods. Risk assessment and
management, as applied to the general operation of a business, are ultimately financial. The idea of
risk for a business has a broad meaning that implies any kind of detriment to the business.
Companies apply risk to financial decisions, to the security of trade secrets and computer
systems, and to other potential losses. Risk is also used in dealing with losses associated with
accidents, human error, and health exposures. It is the latter aspect of risk that this
discussion addresses.
The Process
Risk management involves five components:
1. Risk identification
2. Risk analysis
3. Eliminating or reducing risks
4. Financing risks
5. Administering the risk management process
The objectives of risk management can be divided into two groups: pre-loss and
post-loss objectives. Pre-loss objectives address those things that may happen.
Post-loss objectives involve the application of resources to recover completely and
quickly from a loss. The table below defines pre-loss and post-loss objectives.
Objective                  Description
Continuity of operations   To return to or continue full operations following an interruption. There may be a reduction in earnings. Keeping human and material resources available.
Earnings stability         Keeping earnings stable through continued operations with cost control or from funds to replace lost earnings.
Continued growth           Finding ways to expand growth by product development, market expansion, acquisition, and mergers.
Social responsibility      Taking care of employees, customers, suppliers, and the public. Maintaining public relations and public image.
Risk Identification
Risk identification is not an easy task because it is easy to overlook something. It
requires training and experience to see unsafe conditions and foresee unsafe
acts. It is not easy to see how combinations of things and the complexity of
operations, equipment, and facilities can lead to undesirable events.
The goal in risk identification is to reduce uncertainty in describing factors that
contribute to accidents, injuries, illnesses, and death. Risk identification involves
identification of hazards. It improves understanding of risks for particular situations
or groups. Risk identification is conducted to determine whether and to what
degree effects in one situation apply to another. It involves gathering facts and
data. In risk identification, data are analyzed to determine what components
contribute to a process that produces injury or illness and to establish if data from
particular cases can be generalized to other situations or populations.
The final step is establishing a system to address the team's findings and
recommendations in a timely manner through an action plan and schedule.
Checklists for chemical processes can be detailed, involving hundreds or even thousands of
items. But, as illustrated in the vacation example, the effort expended in developing and using
checklists can yield significant results.
A typical process design safety checklist is shown in the example checklist table. Note that
three check-off columns are provided. The first column is used to indicate those areas that
have been thoroughly investigated. The second column is used for those items that do not
apply to the particular process. The last column is used to mark those areas requiring
further investigation. Extensive notes on individual areas are kept separate from the
checklist.
The design of the checklist depends on the intent. A checklist intended for use during
the initial design of the process will be considerably different from a checklist used for a
process change. Some companies have checklists for specific pieces of equipment, such as
a heat exchanger or a distillation column.
Checklists should be applied only during the preliminary stages of hazard
identification and should not be used as a replacement for a more complete hazard
identification procedure. Checklists are most effective in identifying hazards arising from
process design, plant layout, storage of chemicals, electrical systems, and so forth.
10. Repeat steps 5 through 9 until all applicable guide words have been applied to the
chosen process parameter.
11. Repeat steps 4 through 10 until all applicable process parameters have been
considered for the given study node.
12. Repeat steps 2 through 11 until all study nodes have been considered for the given
section, and proceed to the next section on the flow sheet.
The guide words as well as, part of, and other than can sometimes be conceptually
difficult to apply. As well as means that something else happens in addition to the
design intention. This could be boiling of liquid, transfer of some additional
component, or the transfer of some fluid somewhere else than expected. Part of means
that one of the components is missing or the stream is being preferentially pumped to only
part of the process. Other than applies to situations in which a material is substituted for
the expected material. The words sooner than, later than, and where else are
applicable to batch processing.
An important part of the HAZOP procedure is the organization required to record and
use the results. There are many methods to accomplish this and most companies
customize their approach to fit their particular way of doing things.
Table 10-6 presents one type of basic HAZOP form. The first column, denoted "Item",
is used to provide a unique identifier for each case considered. The numbering system
used is a number-letter combination. Thus the designation "1A" would designate the first
study node and the first guide word. The second column lists the study node considered.
The third column lists the process parameter, and the fourth column lists the deviations or
guide words. The next three columns are the most important results of the analysis. The
first of these lists the possible causes. These causes are determined by the committee and
are based on the specific deviation-guide word combination. The next column lists the
possible consequences of the deviation. The last column lists the action required to prevent
the hazard from resulting in an accident. Notice that the items listed in these three columns
are numbered consecutively. The last several columns are used to track the work
responsibility and completion of the work.
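As an added example (not code from the text), the loops of steps 10 to 12 and the form's "Item" numbering written out in Python. The study nodes, their parameters and the guide-word applicability table are constructed, and the numbering assumes the letter advances with each deviation within a study node, across all of its parameters.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example (not from the text): enumerate the deviations a HAZOP team
# would consider for each study node by applying guide words to each process
# parameter (the loops of steps 10-12) and number them "1A", "1B", ... in the
# style of the form's "Item" column. Study nodes and the guide-word
# applicability table below are constructed.

GUIDE_WORDS = ["No", "More", "Less", "Reverse", "As well as", "Part of", "Other than"]

# Not every guide word is meaningful for every parameter ("Reverse temperature"
# is not), so inapplicable combinations are skipped: the "applicable" of step 10.
APPLICABLE: Dict[str, List[str]] = {
    "Flow": GUIDE_WORDS,
    "Pressure": ["More", "Less"],
    "Temperature": ["More", "Less"],
    "Composition": ["As well as", "Part of", "Other than"],
}

@dataclass
class Row:
    item: str          # e.g. "1A": study node 1, first deviation
    node: str          # second column of the form
    parameter: str     # third column
    deviation: str     # fourth column: guide word + parameter, e.g. "No Flow"
    # causes, consequences and actions are filled in by the committee

def enumerate_deviations(section: List[Tuple[str, List[str]]]) -> List[Row]:
    """section: (study node name, its process parameters) in flow-sheet order.
    Inner loop = step 10 (guide words), middle = step 11 (parameters),
    outer = step 12 (study nodes)."""
    rows: List[Row] = []
    for n, (node, params) in enumerate(section, start=1):
        k = 0                                   # letter index within this node
        for param in params:
            for gw in GUIDE_WORDS:
                if gw not in APPLICABLE.get(param, []):
                    continue
                assert k < 26, "more than 26 deviations per node: extend numbering"
                rows.append(Row(f"{n}{chr(ord('A') + k)}", node, param, f"{gw} {param}"))
                k += 1
    return rows

# Constructed flow-sheet section with two study nodes
SECTION = [("Feed line to reactor", ["Flow", "Pressure"]),
           ("Reactor", ["Temperature", "Composition"])]
```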
Fault tree analysis is one system safety method often used for complex systems.
Fault tree analysis, which was originated by H.A. Watson at Bell Telephone
Laboratories in 1962, is a boolean logic concept that evaluates events. The procedure
relies on building a tree structure as shown in Figure 36-3. At the top is the principal or
top undesired event, which is broken down into contributing factors that are further
subdivided into event causes. Fault tree analysis is a deductive process that moves
from the general to the specific. Combinations of events are considered in the causal
chain. Interactions between events and elements of the system are a vital part of this
method.
Fault tree analysis as applied to system safety relies on preliminary hazard
analyses (PHA) or other analysis techniques to identify major undesirable events.
The tree is developed further from the PHA and other analyses. After the tree is
constructed, qualitative or quantitative analysis is performed. To perform quantitative
analysis, a probability must be assigned to each event cause. Today, computer
systems make the procedure of constructing and analyzing fault trees quite easy.
Qualitative analysis provides insights into fault paths and critical event causes.
Events
A normal event is one that has two states: it occurs or doesn’t occur. Normal
events are represented by a house shape and are sometimes called switch
events. In many cases, analysis of a tree should consider normal events in each
of their two states. Frequently, normal events have probabilities of 1.0 or 0.0;
sometimes other probabilities are assigned.
Because the elements in a fault tree are related by boolean algebra, symbols are
used to depict the kind of relationship among elements. Basic logic relationships
are OR and AND, and are represented by gate symbols. Both AND and OR gate
symbols have unique shapes.
An OR gate indicates that any one of the input events can cause an output event.
When quantitative analysis is conducted, probabilities for input events attached to
an OR gate are summed to compute the probability of the output event.
The other basic logic gate is an AND gate, which indicates that all of the input
events must occur to cause the output event. In quantitative analysis, the
probability of the output event is the product of the probabilities of all input events.
There are other logical relationships that can occur in a fault tree. Various notations
to AND and OR symbols indicate that special logical relationships or other symbols
are used. For example, two input events for an OR gate may be mutually
exclusive; that is, one excludes the other from occurring. An exclusive notation
attached to the OR gate indicates this condition.
There may be a condition in which at least two of three input events are necessary
for an output event to occur at an AND gate. A notation “Ai ≥ 2” attached to the
AND gate would note this special condition.
In another situation, one or more input events may have to occur before a third one
has any consequence. This is called a priority modification. A notation “C R1, R2”
would indicate that input event C is not significant unless input events R1 and R2
occur first.
For some events, certain conditions must be present for the input events to be
included in the tree. The input events may inhibit or enable the output event. A
hexagon symbol represents an inhibit gate.
When there is not enough space to complete a fault tree, it must be broken into
parts. Discontinuities are represented by a transfer symbol that has the shape of a
triangle. Identifying numbers or letters on both segments of a drawing indicate
where they tie together functionally. A fault tree may have identical branches at
more than one location. A transfer symbol reduces the need to completely
represent the branches at each location in the tree.
Primary Failures
Primary failures are internal problems with components that make them
inoperative. Repairing a primary failure returns a component to full operation. A
primary failure also is defined as a failure of a component within the design
envelope, such as an inherent characteristic of a component that causes the
component to fail. The primary failure of one component cannot contribute to
primary failure in another component.
Primary Faults
Primary faults are events that are abnormal within an operation. They can lead to
undesired conditions in a system.
Secondary Faults
Secondary faults are events whose causes are external to the component. One form of
secondary fault is a command fault: an inadvertent operation of a component
resulting from failure of a control element. An example is accidentally bumping a
control switch that energizes a circuit.
Creating a fault tree gives the analyst insight into the causes of an undesired event
and into system behavior. This alone may make the exercise worthwhile.
The elements of a fault tree can be evaluated to gain further insight into the
causes of a top event. Causes within the tree can be evaluated and judgments
can be made about the likelihood of faults or failures contributing to the top event.
Each event sequence can be looked at, and those that are most likely can be
considered first.
Another approach is to find the most likely sequences by analyzing the gates
using products of input events for AND gates and sums of input events for OR
gates. Products of values less than one are smaller than their sums. With this in
mind, the most likely event sequence often can be identified quickly by tracing
each branch of the tree from the top event to the bottom event. Branches linked
by OR gates typically have high probabilities of occurrence, whereas branches
linked by AND gates typically have low probabilities of occurrence.
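As an added example (not code from the text), a small constructed fault tree evaluated with the gate rules above: products at AND gates, sums at OR gates, and the top-down trace that follows the most likely branch. It also applies the exact independent-events OR rule, which the summation approximates for rare events; the tree, event names and probabilities are all constructed.

```python
import math
from dataclasses import dataclass, field
from typing import List, Union

# Added example (not from the text): evaluate a small fault tree with the
# gate rules above. All event names and probabilities are constructed.

@dataclass
class Event:
    name: str
    prob: float            # probability of this basic event

@dataclass
class Gate:
    name: str
    kind: str              # "AND" or "OR"
    inputs: List["Node"] = field(default_factory=list)

Node = Union[Event, Gate]

def probability(node: Node, exact_or: bool = False) -> float:
    """AND: product of inputs (assumed independent). OR: sum of inputs, the
    rare-event approximation the text uses; exact_or=True applies the exact
    independent-events rule 1 - prod(1 - p_i), which can never exceed 1."""
    if isinstance(node, Event):
        return node.prob
    ps = [probability(i, exact_or) for i in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    if node.kind == "OR":
        return 1.0 - math.prod(1.0 - p for p in ps) if exact_or else sum(ps)
    raise ValueError(f"unknown gate kind: {node.kind}")

def most_likely_path(node: Node) -> List[str]:
    """Trace from the top event downward, following the highest-probability
    input at each gate: the quick screening the text describes."""
    path = [node.name]
    while isinstance(node, Gate):
        node = max(node.inputs, key=probability)
        path.append(node.name)
    return path

TREE = Gate("No flow from pump", "OR", [                # constructed tree
    Gate("Power and backup both lost", "AND", [          # AND branch: low
        Event("Mains outage", 1e-2),
        Event("Generator fails to start", 5e-2),
    ]),
    Event("Control switch bumped (command fault)", 1e-3),
    Event("Impeller seized (primary failure)", 2e-4),
])
```

The AND branch comes out at 5e-4, below either of its inputs, while the OR top event comes out at 1.7e-3 (1.6992e-3 with the exact rule), above any single input.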
[Event probabilities from the accompanying fault tree figure: D 3.45 x 10^-7, J 6.89 x 10^-4, K 7.33 x 10^-3, L 6.05 x 10^-3, M 1.88 x 10^-4]