
Prepared By:

Amiya Ray
Sandeep Sidhu
• RISK & IDENTIFICATION TECHNIQUE
• RISK ASSESSMENT & RISK REDUCTION
• PROTECTION LAYERS
• FTA ANALYSIS
• SIL VERIFICATION
In safety standards such as IEC 61511, what's at risk is identified as
personnel and the environment. However, most companies use an
expanded list of risk categories that can also include:

• Public safety and health
• Liability costs
• Production interruptions and quality issues
• Equipment damage and repair costs
“What’s the likelihood a harmful event will happen, and what are the
consequences if it does?”

The challenge is to identify risks in advance so that they can be reduced or
eliminated – for example, by changing a product’s formulation or reducing the
quantities of hazardous material present.
• Preliminary Hazard Analysis
• Risk Analysis During HAZOP Study
• Fault Tree Analysis
• Event Tree Analysis
• Cause Consequence Analysis
ASSESSING RISK

Sample likelihood risk assessment model
(Adapted from IEC 61511-3, Table C.1 - Frequency of hazardous event likelihood)

Sample consequence risk assessment model
(Adapted from IEC 61511-3, Table C.2 - Criteria for rating the severity of impact of hazardous events)
The purpose of a plant safety program – including safety instrumented systems – is to
ensure this exposure is tolerable at all times.

IEC 61511 describes tolerable risk as “risk which is accepted in a given context based on
the current values of society.”

• Occupational Safety & Health Administration (OSHA)
• Environmental Protection Agency (EPA)

ALARP MODEL
If inherent risk is greater than tolerable risk, the first choice should be to eliminate
the risk. If it can't be eliminated, it must be minimized or mitigated — by active
means such as relief valves or safety systems, or by passive means such as
containment dikes or bunds.

But how safe is safe enough?

That's why it's important to identify how much the risks need to be reduced, and
then design a solution that delivers the appropriate level of protection.

How much do we need to reduce the risk? There are two ways of finding an answer:
quantitative and qualitative.

Quantitative

Risk_a + Risk_b + Risk_c + Risk_d + ... + Risk_z = RRF × Risk_tolerable

For example, we may want to reduce the frequency of a fatality from once
every 10 years to once every 10,000 years. In other words, we want to reduce
risk by a factor of 1000 — which is our Risk Reduction Factor, or RRF.

Although this approach is used increasingly often, it raises two challenges:

• We need to collect a lot of data to make the calculations meaningful.
• We have to express specific, quantified levels of risk that you're
Qualitative

The second way of assessing the required risk reduction is to use qualitative
rankings like those in the example consequence and likelihood models introduced
earlier: for example, rating the likelihood of a tank rupture as "medium" and
the consequence as "serious."
So how do we achieve the necessary level of risk reduction?
By adding protection layers.

Safety standards define a protection layer as "any independent mechanism that
reduces risk by control, prevention, or mitigation."

The sum of the protection layers provides what is called functional safety — the
functionality that ensures freedom from unacceptable risk.
The safety instrumented system (SIS) provides an independent protection layer
that is designed to bring the process to a safe state when a hazardous condition
occurs.

A typical SIS might include:

• Sensors, logic solvers, and final control elements
• Power and grounding
• Communication networks
• Supporting elements such as HART multiplexers and asset-management software
DEFINITIONS OF TERMINOLOGY

• Consequence – The consequence is the result of the failure of the safety
system. It is what the safety system is designed to prevent. The consequence
can include impacts on safety, economics or the environment.
• Probability of Failure on Demand – The PFD indicates the probability that
the SIS will fail to respond to a process demand. This is related to the
covert failure of the SIS.
• Availability – The system availability is the fraction of time that the SIS is
available to prevent or mitigate hazardous events.
• Process Demand – This is a condition that requires the action of the SIS
to prevent a hazardous event.
WHAT IS PFD?

If we look at the safety integrity level from the viewpoint of the safety
integrity requirement: for example, specifying SIL 3 as the safety integrity
requirement for a safety instrumented system to be introduced means that the
safety instrumented system is asked to reduce the frequency with which the
original hazardous situation occurs to 1/1000 or less, because the PFD of
SIL 3 is 10^-4 or above and less than 10^-3.

In other words, by installing a safety instrumented system in a plant where no
countermeasures are in place and a hazardous event may occur once every 10
years, it becomes possible to reduce this frequency to once or less in every
10,000 years.

WHAT IS “SAFETY”?

PFD: Probability of Failure on Demand. Global standards describe safety by PFD.
IEC 61508 requires that a SIL (Safety Integrity Level) be selected.
Higher SIL, more safety.

SIL   PFD                     RRF (Risk Reduction Factor)
4     ≥ 10^-5 to < 10^-4      10,000 – 100,000
3     ≥ 10^-4 to < 10^-3      1,000 – 10,000
2     ≥ 10^-3 to < 10^-2      100 – 1,000
1     ≥ 10^-2 to < 10^-1      10 – 100

RRF = 1/PFD
CLASSIFYING THE FAILURE

Failures are classified along two axes:
• Detected or Undetected
• Dangerous or Safe

Reliability is achieved by reducing the failure rate. Safety is achieved by
classifying the failures and reducing λdu.

              Detected                          Undetected
Safe          Detected Safe Failure (λsd)       Undetected Safe Failure (λsu)
Dangerous     Detected Dangerous Failure (λdd)  Undetected Dangerous Failure (λdu)

λ: random hardware failure rate

When the failure is detected, you can take action for safety, even if it is a
dangerous failure. If the failure is not detected but is safe, action for
safety should still be taken (e.g. by proof test). In the case of an
undetected dangerous failure, taking action for safety is impossible except
through a proof test.

The undetected dangerous failure should be reduced!!
How can the undetected dangerous failure be reduced??
HOW TO MINIMIZE THE UNDETECTED DANGEROUS FAILURE (1/2)

State transition model A (failure detected by self-diagnosis):
• State 0 (normal) transits to state 1 (detected dangerous failure) at rate λdd
  and recovers to 0 at rate μd.
• Recovery needs the MTTR.

State transition model B (failure detected only by proof test):
• State 0 (normal) transits to state 2 (undetected dangerous failure) at rate
  λdu and recovers to 0 at rate μu.
• It is recovered only by proof test, so the recovery time depends on T (mean
  time between proof tests).

Legend:
  0: normal state
  1: detected dangerous failure
  2: undetected dangerous failure
  λdd: detected dangerous failure rate
  λdu: undetected dangerous failure rate
  μd = 1/MTTR, MTTR: Mean Time To Repair
  μu = 1/(T/2), T: mean time between proof tests

MTTR < T/2

PFDavg = λdd × MTTR + λdu × (T/2)

Probably MTTR is shorter than 100 × T. Accordingly, minimizing T is required
for shortening PFD.

For minimizing PFDavg, minimizing λdu is important.
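The slide formula PFDavg = λdd·MTTR + λdu·(T/2), the SIL/RRF table and the "once per 10 years to once per 10,000 years" reduction worked through in code. This is an added example, not material from the slides; the channel failure rate, repair time and proof-test intervals are constructed values, and the diagnostic-coverage split of λd into λdd and λdu is an assumption used to show why reducing λdu matters.

```python
# Added example, not from the slides: PFDavg from the state-transition model above,
# SIL band lookup from the IEC 61508 table shown earlier, and the required SIL for a
# given frequency reduction (RRF = 1/PFD).  All numeric inputs below are constructed.

# SIL bands from the slide table: (SIL, PFD lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def split_dangerous_rate(lam_d, dc):
    """Split a dangerous failure rate into (λdd, λdu); dc = diagnostic coverage,
    the fraction of dangerous failures the self-diagnostics detect (0..1)."""
    return lam_d * dc, lam_d * (1.0 - dc)


def pfd_avg(lam_dd, lam_du, mttr_h, t_proof_h):
    """Slide formula PFDavg = λdd·MTTR + λdu·(T/2) for a single channel.
    Rates in 1/h, times in h; assumes constant rates, λ·T << 1, no common cause."""
    if not mttr_h < t_proof_h / 2:
        raise ValueError("model assumes MTTR < T/2")
    return lam_dd * mttr_h + lam_du * (t_proof_h / 2)


def sil_for_pfd(pfd):
    """SIL whose band contains pfd; 0 if outside the table (worse than SIL 1)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def required_sil(f_unmitigated_per_yr, f_tolerable_per_yr):
    """RRF needed = unmitigated / tolerable frequency, and the lowest SIL whose whole
    band delivers it (band RRF lower bound 1/hi >= RRF).  Returns (rrf, sil);
    sil 0 means more reduction than a single SIL 4 function provides."""
    rrf = f_unmitigated_per_yr / f_tolerable_per_yr
    for sil, _lo, hi in sorted(SIL_BANDS):            # SIL 1 first
        if 1.0 / hi >= rrf * (1.0 - 1e-9):             # tolerance for float rounding at band edges
            return rrf, sil
    return rrf, 0


if __name__ == "__main__":
    # Constructed channel: λd = 1e-6 /h, MTTR = 8 h; compare diagnostic coverage 0 vs 90 %
    # and yearly (8760 h) vs half-yearly (4380 h) proof tests.
    for dc in (0.0, 0.9):
        for t in (8760.0, 4380.0):
            dd, du = split_dangerous_rate(1e-6, dc)
            p = pfd_avg(dd, du, 8.0, t)
            print(f"DC={dc:.0%}  T={t:.0f} h  PFDavg={p:.2e}  SIL {sil_for_pfd(p)}  RRF={1 / p:.0f}")
    # Slide example: once per 10 years -> once per 10,000 years needs RRF 1000, i.e. SIL 3.
    print(required_sil(0.1, 0.0001))
```

With these inputs the undiagnosed channel lands in SIL 2 and the 90 % coverage channel in SIL 3, because the λdu·(T/2) term dominates the λdd·MTTR term by orders of magnitude.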


HOW TO MINIMIZE THE UNDETECTED DANGEROUS FAILURE (2/2)

[Diagram: the four failure classes, λ = random hardware failure rate]
  Detected Safe Failure (λsd)         Undetected Safe Failure (λsu)
  Detected Dangerous Failure (λdd)    Undetected Dangerous Failure (λdu)
                     detected ← → undetected

With a self-diagnostic function, failures move from the undetected side to the
detected side, so the Undetected Dangerous Failure share of the total failure
rate shrinks relative to the Safe Failure and Dangerous Failure shares.
FAILURE DETECTION MECHANISM IN SAFETY SYSTEMS

[Diagram: Pressure SW → Safety Instrumented System (Input → Calculation → Output)
→ Solenoid Valve, with Power Supply and Relief Valve; "Replace with diagnostic
sensor"]

• CPU failure detection: activating the CPU circuit periodically and checking
  the comparison of results between redundant processors.
• Processor failure detection: checking the status periodically.
• Controller and switch failure detection: switching off periodically and
  checking the status.
• Input short-circuit failure detection: monitoring the circuit periodically.
• Output short-circuit failure detection: monitoring the load impedance.
CALCULATION SHEET

FAULT TREE ANALYSIS

• Quantitative risk assessment was performed by modeling the safety-instrumented
system using Fault Tree Analysis (FTA). FTA was chosen because it is a very
structured, systematic, and rigorous technique that lends itself well to
quantification.

Assumptions for Fault Tree Calculations for a SIF

• Component failure and repair rates are assumed to be constant over the life of
the SIF.
• Once a component has failed in one of the possible failure modes, it cannot fail
again in one of the remaining failure modes. It can only fail again after it has
first been repaired.
• The Test Interval (TI) is assumed to be much shorter than the Mean Time To
Failure (MTTF).
• The logic solver failure rate includes the input modules, logic solver, output
modules and power supplies.
• The sensor failure rate includes everything from the sensor up to the signal
isolators in the marshalling cabinet, including the process impacts (e.g., a
plugged impulse line to the transmitter).
FTA - SAMPLE

TYPICAL SIL VERIFICATION RESULTS

SIL SOLVER DATA SHEET
VOTING SCHEME

• Voting Scheme – The field device and logic configurations are defined as follows:

1oo1 – Single – No voting
1oo2 – Dual – Fail safe arrangement (one-out-of-two voting to trip)
2oo2 – Dual – Fail operational arrangement (two-out-of-two voting to trip)
2oo3 – Triple – Fail safe & fail operational arrangement (two-out-of-three voting to trip)
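A fault tree for one SIF built from the FTA assumptions and voting schemes above: OR gates combine the sensor, logic solver and final element subsystems, and each voted group is evaluated as a k-out-of-n-to-trip gate. This is an added example, not the deck's calculation sheet or SIL solver; per-channel PFD values are constructed and common-cause failure is deliberately left out so the voting effect alone is visible.

```python
# Added example, not from the slides: a small fault tree for one SIF using the voting
# schemes defined above.  Basic-event PFDs are constructed values; events are assumed
# independent (no common-cause factor, which a real SIL verification must add).
# Tree: TOP (SIF fails on demand) = sensors fail to trip OR logic solver fails
#       OR final element fails to trip, each group voted k-out-of-n.
from itertools import combinations
from math import prod


def or_gate(ps):
    """OR gate: top event occurs if any independent input event occurs."""
    return 1.0 - prod(1.0 - p for p in ps)


def and_gate(ps):
    """AND gate: top event occurs only if all independent input events occur."""
    return prod(ps)


def koon_fail_to_danger(k, ps):
    """PFD of a k-out-of-n-to-trip group with per-channel PFDs ps.  The group can no
    longer trip once more than n-k channels have failed dangerously, i.e. at least
    n-k+1 failures.  Exact enumeration over failed subsets (n is small for SIFs).
    1oo2 -> both must fail (AND); 2oo2 -> either failing (OR); 2oo3 -> any two."""
    n = len(ps)
    total = 0.0
    for m in range(n - k + 1, n + 1):
        for failed in combinations(range(n), m):
            total += prod(ps[i] if i in failed else 1.0 - ps[i] for i in range(n))
    return total


def sif_pfd(sensor_pfds, k_sensor, logic_pfd, final_pfds, k_final):
    """Top-event PFD: OR of the three subsystem PFDs."""
    return or_gate([koon_fail_to_danger(k_sensor, sensor_pfds),
                    logic_pfd,
                    koon_fail_to_danger(k_final, final_pfds)])


if __name__ == "__main__":
    # Constructed per-channel PFDavg values: transmitter, logic solver, valve.
    s, lg, v = 5e-3, 1e-4, 8e-3
    for label, k, n in (("1oo1", 1, 1), ("1oo2", 1, 2), ("2oo2", 2, 2), ("2oo3", 2, 3)):
        print(f"{label} sensors: SIF PFDavg = {sif_pfd([s] * n, k, lg, [v], 1):.2e}")
```

Running it shows the ranking the voting definitions imply: 1oo2 (fail safe) lowers the sensor contribution to the square of one channel's PFD, 2oo2 (fail operational) roughly doubles it, and 2oo3 sits close to 1oo2 while tolerating a single spurious channel.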
THANK YOU
