functional safety in singapore safety...
TRANSCRIPT
-
Can Functional Safety Improve Your Safety Case?
Confidential Property of Schneider Electric
Dr. Issam Mukhtar PhD (Eng.)
Functional Safety Senior Expert (TÜV Rheinland) - Premier Consulting Services – Schneider Electric
Email: [email protected] Mob: +61 447008310
-
1 Safety Case
2 Measures to Reduce Risk
3 Quantitative Approach for Risk Reduction
4 ALARP Concept
5 Functional Safety
6 IEC61511 Standard Lifecycle
7 Fire & Gas Detection System
8 Cyber Security
9 Conclusions
10 Questions
-
What is Safety Case?
A safety case is a written presentation of technical, management and operational information about the hazards and risks that may lead to a major incident at a major hazard Installation (MHI), and the control of those hazards and risks. In the safety case, the MHI operator provides justification for the measures the operator has taken or will take to ensure the safe operation of the MHI. By focusing attention on major incident prevention, the safety case can improve safety at the MHI. The safety case forms part of the MHI operator’s application for an MHI licence.
The safety case must demonstrate the adequacy of measures the operator will implement to control risks associated with major incidents that may occur. The safety case must also demonstrate that the MHI’s safety management system will control risks that could lead to – and arise from – a major incident.
-
Flow of Safety Case
-
Steps in Preparing the Safety Case
• Establish the context
• Safety assessment
• Identify measures to reduce the risk
• Have risks been eliminated or minimised SFARP?
• Is SFARP sustained? (SMS)
• Implement measures to reduce risk
• Validate the performance of risk controls (SMS and audits)
• Risk minimisation SFARP achieved and sustained
-
-
Technical Measures to Reduce Risk
-
What is risk, and what is the process risk?
What level of risk do you want to achieve?
How do you decide the acceptable (tolerable) risk?
Who decides that the risk is acceptable (tolerable)?
How can one be sure that there are sufficient risk reduction measures?
Are the measures reducing your risk sufficient?
What is the measure of the risk reduction?
Risk Reduction Measures
-
Risk Reduction Measures – Example 1
(figure: layers-of-protection diagram reading from Uncontrolled (High) Risk down to Acceptable Risk, with the layers BPCS/DCS, physical layer (non-SIS, bolt) and SIS (PES logic solver with two speed probes); the gap between uncontrolled and acceptable risk is the Required Risk Reduction)
-
Risk Reduction Measures – Example 2
(figure: risk reduction chain for a high-pressure vessel, from Uncontrolled (Immediate) Risk to Tolerable Risk, with the labels Pr. Occupancy, Pr. Ignition, SIS, Non-SIS (PSV), Alarm & Operator, Physical Layer, BPCS failure, Unmitigated Risk, Intermediate Event Likelihood, Hazardous Event Likelihood and Required Risk Reduction. P&ID sketch: vessel with PIC, LIC, TIC, PAH, PAHH and PES logic solver, relief to flare, pressures 12,000 kPag and 6,000 kPag)
-
What is RISK?
• An expectation of loss
• Always has an element of uncertainty
• Always refers to the future
• Usually refers to any unwanted consequence: personnel injury or death is a risk, site downtime is also a risk
Risk is a combination of the frequency of occurrence of harm and the severity of that harm.
Risk = Frequency x Consequence
-
Determining Risk
How does one quantitatively assess risk? Risk may be quantitatively expressed by the Individual Risk Per Annum (IRPA), which is defined as:
IRPA = Pr (individual is killed during one year's exposure)
IRPA = Observed number of fatalities / Total number of employee-years exposed
-
How can one make a decision on the acceptability, or tolerability, of a given risk?
(figure: Frequency (0 to 0.012) versus Consequence (0 to 12) plot with a 0.01 IRPA profile curve separating the High Risk region from the Low Risk region)
-
Risk Classifications
(figure: risk matrix with classes I, II, III and IV)
-
ALARP & Tolerable Risk
Typically risk can be classified into three categories:
a) The risk is so great it must be refused altogether; or
b) The risk is, or has been made, so small as to be insignificant; or
c) The risk falls between the two states of a and b and has been reduced to the lowest practicable level, bearing in mind the benefits and taking into account costs of further reduction.
-
ALARP & Tolerable Risk
ALARP = Any risk which has been reduced to a level As Low As Reasonably Practicable
-
Tolerable risk
‘Tolerable risk’ is the level of risk that organizations and society are willing to bear; in fact that level of risk may not be as low as an acceptable risk.
Tolerability does not mean acceptability!
It refers to the willingness to live with a risk so as to secure certain benefits and in the confidence that it is being properly controlled.
To tolerate a risk means that we do not regard it as negligible, or something we might ignore, but something that we review and reduce further if possible.
-
How can one make a decision on the acceptability, or tolerability, of a given risk?
(figure: Frequency (0 to 0.012) versus Consequence (0 to 12) plot, with the High Risk and Low Risk regions marked either side of the risk curve)
-
Frequency and consequence have wide scales, for this reason risk profiles typically use logarithmic scales.
log(risk) = log(F x Q) = log(F) + log(Q)
Therefore the risk curve will change from parabolic to a straight line:
(figure: the risk profile on logarithmic axes, Frequency from 1.00E-08 to 1.00E+00 versus Consequence from 1 to 100000; the iso-risk line is straight)
-
The boundaries for tolerable risk could then be:
(figure: the log-log risk profile with the tolerable risk boundaries drawn, High Risk and Low Risk regions marked)
-
Determining SIL from level of risk
(risk matrix: rows are likelihood, columns are consequence severity; each cell gives the risk level I–IV and a time period, D = days, W = weeks, M = months, Y = years)
Likelihood | Notable | Significant | Highly Significant | Serious | Extremely Serious | Catastrophic
Almost Certain (1 to 10 /yr) | Level II 2M | Level II 1M | Level I 1M | Level I 1W | Level I 1D | Level I 1D
Very Likely (0.1 /yr) | Level III 9M | Level II 6M | Level II 3M | Level I 1M | Level I 1D | Level I 1D
Likely (10^-2 /yr) | Level III 2Y | Level III 1Y | Level II 9M | Level II 1M | Level I 1W | Level I 1W
Unlikely (10^-4 /yr) | Level IV | Level IV | Level III 5Y | Level III 5Y | Level II 1Y | Level I 1M
Very Unlikely (10^-6 /yr) | Level IV | Level IV | Level IV | Level IV | Level III 5Y | Level II 1Y
Extremely Unlikely | - | - | - | - | - | -
-
Functional Safety refers to the use of instrumented systems to implement safety functions to achieve a defined level of risk reduction.
Each safety function is designed to detect a particular hazard and to execute some specific action to achieve or maintain a safe state.
Functional safety always starts with a clear definition of the hazard and how much risk reduction is required. It ends in being able to demonstrate that the required risk reduction is actually achieved.
What is Functional Safety?
-
“A system designed to respond to conditions in the plant which may be hazardous in themselves or, if no action was taken, could eventually give rise to a hazard, and to generate the correct outputs to mitigate the hazardous consequences or prevent the hazard.”
Source: Health and Safety Executive (HSE), 1987.
What is a Safety Instrumented System (SIS)?
The SIS is composed of any combination of:
• Sensor(s), e.g. a transmitter
• Logic solver(s): an E/E/PE system with input module, output module and application software
• Final element(s), e.g. a safety valve (SV)
(figure: process → transmitter → logic solver → safety valve → process, with the IAS shown alongside)
-
Quantitative value for the measure to reduce risk
Often a process engineer would come to instrument engineers for the design of a high pressure safety function. They would ask:
“How good do you want this safety function to be?” What is the interpretation of ‘good’?
How could one represent measures to reduce risk quantitatively?
It is the required measure integrity.
It is represented by the probability for this measure to fail on demand (PFD), i.e. when it is required to act.
It is called the safety integrity level (SIL) and there are four integrity levels.
(figure: PAHH-123 → PES → XV-456)
-
Safety Integrity Levels
Safety Integrity Level | Average Probability of Failure on Demand (demand mode)
4 | 0.0001 to 0.00001
3 | 0.001 to 0.0001
2 | 0.01 to 0.001
1 | 0.1 to 0.01
SIL4 is not recommended for the process industry
-
Determining SIL
The Safety Integrity Level would depend on:
1. The consequences if the safety function fails on demand: what is in the vessel? Water, HP steam, hydrocarbons, toxic materials, etc.
2. The demand likelihood (the cause).
3. What is the acceptable or tolerable risk?
4. What is the required risk reduction to reduce the risk to be tolerable?
5. Are there any other measures?
(figure: PAHH-123 → PES → XV-456)
-
Determining SIL – Example 1
(figure: the Example 1 layers-of-protection diagram with numbers added: initiating event 1/min; layers BPCS/DCS, physical layer (non-SIS, bolt) and SIS (PES with two speed probes) with factors 0.1, 0.01, 0.1 and 0.1; frequency markers 1.0E-1 (1/10 yrs), 1.0E-5 (1/100,000 yrs), 1.0E-3 (1/1,000 yrs) and 1.0E-4 (1/10,000 yrs); the SIS value to be determined is shown as "???"; Required Risk Reduction down to Acceptable Risk)
-
Determining SIL from level of risk (risk matrix slide repeated; see the table above)
-
Determining SIL – Example 2
(figure: the Example 2 risk reduction chain with numbers added: Initiator Event Likelihood → Pr. Occupancy, Pr. Ignition → Intermediate Event Likelihood → layers SIS, Non-SIS (PSV), Alarm & Operator, Physical Layer, BPCS failure → Hazardous Event Likelihood; Uncontrolled (Immediate) Risk at the top and Tolerable/acceptable Risk = 1.0E-6 as the target; factors shown 0.1, 0.5, 0.01, 0.5 and 0.1 (one value unreadable); result PFD SIS = 0.04, i.e. SIL1. P&ID sketch: vessel with PIC, LIC, TIC, PAH, PAHH and PES logic solver, relief to flare, pressures 12,000 kPag and 6,000 kPag)
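A LOPA-style calculation of the required SIS PFD and SIL from a tolerable frequency, as an added example that is not part of the original deck; the scenario numbers and layer names are constructed to illustrate the method of Examples 1 and 2, not taken from the figures, and the SIL bands are those of the deck's table.

```python
"""LOPA-style SIL determination: added worked example, not from the slides.
All scenario numbers below are constructed for illustration."""

# SIL bands (PFDavg, demand mode) from the deck's table: SIL 1 is 0.1 to 0.01,
# SIL 2 is 0.01 to 0.001, SIL 3 is 0.001 to 0.0001, SIL 4 is 0.0001 to 0.00001.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def sil_for_pfd(pfd):
    """Map a PFDavg to the SIL whose band contains it.
    0 means no SIL-rated function is needed (PFD >= 0.1);
    5 means the target is tighter than SIL 4 and the design must change."""
    if pfd >= 0.1:
        return 0
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 5


def mitigated_frequency(initiating_freq, layer_pfds, modifiers):
    """Frequency (/yr) of the hazardous event after every independent
    protection layer (each contributing its PFD) and every conditional
    modifier (probability of occupancy, ignition, ...) has been applied.
    Risk = frequency x consequence, so each layer reduces the frequency term."""
    freq = initiating_freq
    for pfd in layer_pfds.values():
        freq *= pfd
    for probability in modifiers.values():
        freq *= probability
    return freq


def required_sis_pfd(tolerable_freq, initiating_freq, layer_pfds, modifiers):
    """PFD the SIS must achieve so the hazardous event frequency does not
    exceed the tolerable frequency; returns (required_pfd, required_sil).
    layer_pfds holds the non-SIS layers only (PSV, alarm and operator, ...)."""
    without_sis = mitigated_frequency(initiating_freq, layer_pfds, modifiers)
    required = min(1.0, tolerable_freq / without_sis)
    return required, sil_for_pfd(required)


def residual_risk_ok(tolerable_freq, initiating_freq, layer_pfds, modifiers, sis_pfd):
    """Verification step: with the SIS PFD actually achieved, is the
    residual hazardous event frequency within the tolerable frequency?"""
    layers = dict(layer_pfds, sis=sis_pfd)
    return mitigated_frequency(initiating_freq, layers, modifiers) <= tolerable_freq


def constructed_scenario():
    """Constructed high-pressure vessel scenario (not the deck's numbers):
    BPCS loop failure 0.1/yr, alarm and operator response PFD 0.1,
    probability of occupancy 0.5, probability of ignition 0.1,
    tolerable fatality frequency 1.0E-6/yr."""
    layer_pfds = {"alarm_and_operator": 0.1}
    modifiers = {"occupancy": 0.5, "ignition": 0.1}
    pfd, sil = required_sis_pfd(1e-6, 0.1, layer_pfds, modifiers)
    return {"required_pfd": pfd, "required_sil": sil,
            "ok_with_sil2_design": residual_risk_ok(1e-6, 0.1, layer_pfds,
                                                    modifiers, 1e-3)}


if __name__ == "__main__":
    print(constructed_scenario())
```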
-
Determining SIL from level of risk (risk matrix slide repeated; see the table above)
-
Measures Integrity verification
(figure: Probability of a Device to Fail versus time in years, 0 to 50; the curve rises from 0 towards 1.0, with the Average Probability marked)
Devices fail; it is not a matter of if, it is a matter of when. The probability of a device to fail follows an exponential function, P(fail by time t) = 1 − e^(−λt), where
λ = device failure rate
t = time
Instruments that are part of a safety function must be proof tested to keep the probability low. Once tested, the average probability to fail on demand is:
PFD(Avg.) = λdu × TI / 2
(λdu: dangerous undetected failure rate; TI: proof test interval)
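The two formulas above carried through in code, as an added example that is not from the deck; the failure rate and test interval are constructed values, and the exact-average function is the standard time average of 1 − e^(−λt) over one test interval, which the slide's λdu·TI/2 approximates.

```python
"""Added worked example (not from the slides): device failure probability
over time and PFDavg for a proof-tested device, using the deck's formulas
P(fail) = 1 - exp(-lambda*t) and PFDavg = lambda_du * TI / 2.
Units: lambda_du per hour, TI in hours (constructed values below)."""
import math


def pfd_at(lambda_du, t):
    """Probability that the device has failed dangerously and undetected by
    time t, assuming a constant failure rate (exponential model)."""
    return 1.0 - math.exp(-lambda_du * t)


def pfd_avg_approx(lambda_du, test_interval):
    """The deck's simplified PFDavg = lambda_du * TI / 2. Assumes
    lambda_du * TI << 1 and a perfect proof test that restores the device."""
    return lambda_du * test_interval / 2.0


def pfd_avg_exact(lambda_du, test_interval):
    """Time average of pfd_at over one test interval, again assuming a
    perfect test: 1 - (1 - exp(-x)) / x with x = lambda_du * TI.
    Always slightly below the linear approximation."""
    x = lambda_du * test_interval
    return 1.0 - (1.0 - math.exp(-x)) / x


def max_test_interval(lambda_du, target_pfd_avg):
    """Longest proof test interval that still meets the target PFDavg under
    the linear approximation: TI = 2 * target / lambda_du."""
    return 2.0 * target_pfd_avg / lambda_du


def constructed_case():
    """Constructed transmitter: lambda_du = 1.0E-6 /h, tested yearly (8760 h)."""
    lam, ti = 1e-6, 8760.0
    return {
        "pfd_end_of_interval": pfd_at(lam, ti),
        "pfd_avg_approx": pfd_avg_approx(lam, ti),
        "pfd_avg_exact": pfd_avg_exact(lam, ti),
        # interval that would bring PFDavg down to the SIL 3 boundary of 1.0E-3
        "ti_hours_for_1e-3": max_test_interval(lam, 1e-3),
    }


if __name__ == "__main__":
    print(constructed_case())
```

With these constructed values the yearly-tested transmitter sits in the SIL 2 band (PFDavg about 0.0044), and the linear approximation overstates the exact average by less than one percent.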
-
Testing of the Measures to Reduce Risk
-
Testing
Safety Instrumented Systems (SIS) and other risk reduction measure devices must be proof tested periodically.
The proof testing depends on the integrity required for the SIS or the measure.
The testing must follow a defined procedure to ensure that the devices do not have any hidden failures.
The test must be conducted by a trained instrument technician.
-
There are two main standards that are referred to for functional safety:
IEC61508 - ‘Functional Safety of electrical/electronic/programmable electronic safety-related systems’
IEC61511 - ‘Functional Safety – Safety instrumented systems for the process industry sector’
IEC61508 is a broader standard which may be applied to any industry. IEC61511 is simpler and easier to understand but only applies to process industries – not manufacturing industries.
Both follow the same fundamental concepts. Both are performance based standards.
IEC61511 is typically applied to chemical processes, oil and gas production and refining, pulp and paper, and (non-nuclear) power generation.
The IEC61508 / IEC61511 standards
-
Fundamentals of IEC61508 / IEC61511
1. Know your hazardous situations - HAZOP
2. Evaluate the acceptability of the risks of those hazardous situations,
3. Classify the required safety integrity of the protective measures (establish the Safety Integrity Level, SIL) - Layer of Protection Analyses (LOPA)
4. Implementation and testing based on the SIL,
5. Implement and maintain a Safety Management Plan, including:
• Documentation,
• Auditing, assessment and verification,
• Procedures and planning,
• Control of human factors.
-
IEC61511 Safety Lifecycle
(figure: lifecycle diagram, with the HAZOP and LOPA steps highlighted)
-
Fire and Gas Detection Systems
Little is said about Fire & Gas and fire fighting systems in IEC61508 or IEC61511.
Fire and Gas Systems are considered an independent layer of protection for risk mitigation.
Independence is required between the prevention layer (SIS) and the mitigation layer.
Guidelines are provided in both standards for assigning SIL to the prevention layer but nothing for the mitigation layer (Fire and Gas).
There is no clear indication that the fire detection system is a safety function.
Fire and Gas Systems are designed to be energised-to-trip rather than de-energised-to-trip like most safety systems, which means they are designed with a focus on high reliability as well as integrity.
-
Fire and Gas Detection Systems
Although gas detection systems have the same components as a normal safety function, that is sensors, logic solver and final element, they differ in the following aspects:
Conventional safety functions are designed to prevent the hazard (or reduce the frequency of the unwanted event). A gas detection system, on the other hand, is designed mainly to mitigate (reduce the consequence of) the hazard, although it is sometimes used to prevent the hazard (when detection of gas results in plant shutdown).
The integrity of a conventional safety function depends on the direct integrity (PFDavg) of all the components of the safety function, including the sensor integrity.
In a gas detection system the sensors and final element may function properly, but they may still not mitigate the hazard because:
1. Gas sensors fail to detect the gas release because of incorrect positioning of the sensors.
2. Wind may dilute the gas before it can be detected.
3. There are not sufficient detectors (coverage).
4. The final element acted successfully but did not mitigate the hazard.
As a result it would be inaccurate to consider PFD(Avg.) for a gas detection system as purely the hardware integrity of the different components.
-
HSE Report of Gas Detectors Performance (figure)
-
Fire and Gas Detection Systems Effectiveness
Detector Coverage: The probability of the device actually being able to see the hazardous condition.
Hardware Response: The probability of the hardware responding properly to the demand, 1 − PFD (Probability of Failure on Demand).
Mitigation effectiveness: The probability that the overall system response actually prevents or mitigates the hazardous event.
-
Fire and Gas Detection Systems Effectiveness
Gas Detector Coverage | Gas Detection System Hardware Integrity PFD(Avg.) | Mitigation Effectiveness
99% | SIL 3, 99.99% | 99%
Total Effectiveness = 0.99 x 0.9999 x 0.99 = 0.98
PFD(Avg.) = 0.02, meets SIL1
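The effectiveness calculation above carried through in code, plus a k-out-of-n voting extension for detector coverage that the slide does not show, as an added example that is not part of the original deck. Detector independence in the voting model is an assumption; the deck itself notes that placement and wind affect all detectors together, so treat the voted coverage as an upper bound.

```python
"""Added worked example (not from the slides): F&G system effectiveness as
the deck models it, coverage x (1 - PFD) x mitigation effectiveness, plus a
k-out-of-n voting model for detector coverage. Independence between
detectors is an assumption of the voting model."""
from math import comb


def total_effectiveness(coverage, hardware_pfd, mitigation):
    """Probability that the system actually mitigates a release: the three
    factors from the deck multiplied together."""
    return coverage * (1.0 - hardware_pfd) * mitigation


def system_pfd(coverage, hardware_pfd, mitigation):
    """Effective probability of failure on demand of the whole F&G function."""
    return 1.0 - total_effectiveness(coverage, hardware_pfd, mitigation)


def limiting_factor(coverage, hardware_pfd, mitigation):
    """Name of the factor contributing the largest loss of effectiveness;
    shows why SIL 3 hardware does not give a SIL 3 F&G function."""
    losses = {"coverage": 1.0 - coverage,
              "hardware": hardware_pfd,
              "mitigation": 1.0 - mitigation}
    return max(losses, key=losses.get)


def koon_coverage(n, k, p_detect):
    """Probability that at least k of n detectors see the cloud when each
    sees it independently with probability p_detect (k-out-of-n voting).
    Higher k raises spurious-trip immunity but lowers coverage."""
    return sum(comb(n, i) * p_detect ** i * (1.0 - p_detect) ** (n - i)
               for i in range(k, n + 1))


def deck_figures():
    """The slide's numbers: 99% coverage, SIL 3 hardware (PFD 1.0E-4),
    99% mitigation effectiveness."""
    return {"effectiveness": total_effectiveness(0.99, 1e-4, 0.99),
            "pfd": system_pfd(0.99, 1e-4, 0.99),
            "limiting": limiting_factor(0.99, 1e-4, 0.99)}


if __name__ == "__main__":
    print(deck_figures())
    # constructed comparison: three detectors each seeing the cloud 90% of the
    # time, voted 1oo2, 2oo2 and 2oo3
    for n, k in ((2, 1), (2, 2), (3, 2)):
        print(f"{k}oo{n} coverage = {koon_coverage(n, k, 0.9):.3f}")
```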
-
Detector Coverage Mapping / Gas Dispersion Modeling
20% LEL alarm setting
• 25 mm hole diameter and 20% LEL cloud boundary
• Still gas undetected, no trip
The 20% LEL pressurized release vapor envelope is expected to stop at the mesh wall of the fin fan structure, which is approximately 12 meters from M2 nozzle. The vapor will continue to travel, disperse and mix with air underneath the fin fan, where the lower concentration vapor will be blown vertically upwards by the fin fans and will intersect the line gas detectors GLR-2090. However, the existing line of sight gas detector may not be able to detect the vapour, as the vapour concentration may have been reduced to less than 20% LEL.
-
Detector Coverage Mapping / Gas Dispersion Modeling
(MD = May be detected, PU = Potentially undetected; columns are hole diameter and LEL alarm setting)
Release Location | 10 mm 20% LEL | 10 mm 40% LEL | 10 mm 100% LEL | 25 mm 20% LEL | 25 mm 40% LEL | 25 mm 100% LEL | 50 mm 20% LEL | 50 mm 40% LEL | 50 mm 100% LEL
Slugcatcher | PU | PU | PU | PU | PU | PU | PU | PU | PU
Fuel gas system | MD | PU | PU | MD | MD | PU | MD | MD | PU
Inlet separator: Nozzle M2 | PU | PU | PU | MD | MD | PU | MD | MD | MD
Inlet separator: Nozzle N7 | PU | PU | PU | PU | PU | PU | PU | PU | PU
Turbo expander | MD | MD | MD | MD | MD | MD | MD | MD | MD
Propane storage | MD | PU | PU | MD | MD | PU | MD | MD | PU
Butane storage | MD | MD | MD | MD | MD | MD | MD | MD | MD
Propane tanker loading bay | MD | MD | PU | MD | MD | MD | MD | MD | MD
Butane tanker loading bay | MD | MD | MD | MD | MD | MD | MD | MD | MD
Sale gas launcher | MD | MD | MD | MD | MD | MD | MD | MD | MD
-
Quantitative Assessment of Fire & Gas System
Gas detection system effectiveness depends largely on the sensor coverage, including the number of detectors and their voting.
History has shown that the probability of gas detection failure is high irrespective of the technology used and the design techniques.
Accurate gas dispersion modelling that considers all possible scenarios is essential in optimising the gas detector locations.
Integrating gas dispersion modelling results with the IEC61508/IEC61511 and NFPA standards requirements is quite possible, and allows the risk reduction from detector coverage to be assessed more accurately.
-
The IEC61508/IEC61511 Mandate Security Risk Assessment
The recent ACSC Threat Report 2015 shows that the number, type and sophistication of cyber security threats worldwide are increasing.
Organisations could be a target for malicious activities even if they do not think that the information they hold on their networks is valuable.
-
Source : ACSC Threat Report 2015
-
Requirement for Security Risk Assessment
A new sub-clause has been introduced in the process and risk assessment section of edition 2.
A security risk assessment shall be carried out on the SIS and its associated devices.
The assessment should cover: devices, threats, consequences, phase, and additional risk reduction (RR) measures.
Guidelines for cybersecurity:
IEC 62443-2-1:2010 Industrial communication networks – Network and system security
ISO/IEC 27001:2012 Information technology – Security techniques
-
Requirement for Security Risk Assessment
How can a cyber security event be defined?
Intentional or unintentional interference with the proper process operation of an Industrial Automation and Control System or Safety Instrumented System through the use of computers, networks, operating systems, applications and other programmable/configurable electronic systems.
What is it? Malware; unauthorized intrusion; accidental.
-
8.2.4 A security risk assessment shall be carried out on the SIS and its associated elements (e.g., the BPCS). It shall result in:
a) description of the devices covered by this risk assessment (e.g., SIS, BPCS or any other device connected to the SIS);
b) description of identified threats that could exploit vulnerabilities and result in security events (including intentional attacks on the hardware and related software, as well as unintentional events resulting from human error);
c) description of the potential consequences resulting from the security events and the possibility of these events occurring; consideration of various phases such as design, implementation, commissioning, operation, and maintenance;
IEC 61511-1:2016 clause 11.2.12 – “The design of the SIS shall be such that it provides the necessary resilience against the identified security risks. Note Guidance related to SIS security is provided in IEC 62443-2-1:2010.”
IEC 62443
-
IEC62443 Cyber Security Management System
-
IEC62443
An intentional cyber attack could cause more damage than a normal process accident, as it could be planned from more than one direction that would not be expected or considered during the process risk assessment.
There is no quantitative risk assessment for cyber risk; currently the assessments are qualitative.
There are no quantitative measure values for cyber security protection measures (firewalls and others).
-
Accidents – ESSO Longford Accident
On Friday 25/9/1998, at about 12:26 PM, a vessel in Esso Longford's Gas Plant 1 fractured, releasing hydrocarbon vapors and liquid.
Explosions and a fire followed.
Two Esso employees were killed.
Eight others were injured.
The supply of natural gas to domestic and industrial users ceased.
-
Accidents – ESSO Longford Accident (figure)
-
Accidents – Bhopal, India
December 2, 1984
Cyanide release resulting from the introduction of water to a methyl isocyanate storage tank.
Runaway reaction resulted in discharge through the vessel relief system.
Protective equipment was out of order:
• tank refrigeration was shut down
• discharge scrubber not available
• flare out of service
-
Accidents – Bhopal, India
Catastrophic impact to the surrounding community.
7,000 fatalities
200,000 injuries
Thousands of the injured are seriously disabled, suffering long term neurological and respiratory damage.
Many victims suffer post traumatic stress syndrome.
-
Accidents – Explosion at BP Texas City Refinery
March 23, 2005
During the startup of the BP octane-boosting isomerization unit, a distillation tower and attached blowdown drum were overfilled with flammable liquid hydrocarbons.
Because the blowdown drum vented directly to the atmosphere, there was a geyser-like release of flammable liquid, forming a vapor cloud that spread rapidly through the area.
A diesel pickup truck that was idling nearby ignited the vapor, initiating a series of explosions and fires that swept through the unit and the surrounding area.
-
Accidents – Explosion at BP Texas City Refinery (figure)
-
(figure: risk reduction chain for the BP Texas City scenario: Initiator Event Likelihood → Pr. Occupancy, Pr. Ignition → Intermediate Event Likelihood → layers SIS, KD LS Alarm, LS Alarm, LT Alarm, Operator Error → Hazardous Event Likelihood = 1.0E-4; Uncontrolled (Immediate) Risk at the top and Tolerable/acceptable Risk = 1.0E-6 as the target; factors shown 0.01, 0.1, 0.1, 1 and 1 (one value unreadable); Required Risk Reduction; PFD SIS = 1, i.e. the SIS provided no risk reduction)
-
Determining SIL from level of risk (risk matrix slide repeated; see the table above)
-
Conclusion
• Accidents may happen because of deficiencies in accurately identifying the consequences of a hazard.
• History also shows that many accidents occur because layers of protection (measures) were:
  - Not correctly identified to protect against the hazard scenario identified.
  - Not taking into consideration all modes of operation.
  - Not sufficient to reduce the risk to a suitable level.
  - Incorrectly designed to the required risk reduction.
  - Lacking understanding of functional safety and the related standards (IEC 61511 / IEC 61508).
  - Not maintained, inspected and tested to keep the required performance.
-
Questions ?
-
THANK YOU.