training functional safety 04 - risk assessment rev0

FUNCTIONAL SAFETY TRAINING

04 – RISK ASSESSMENT

1Dr. Ing. Carlo LebrunFunctional Safety Training

FUNDAMENTAL PART OF IEC61508 SAFETY LIFECYCLE

1 - CONCEPT

2 SCOPE2 – SCOPE DEFINITION

3 – HAZARD &3 – HAZARD & RISK ANALYSIS

4 – SAFETY REQUIREMENTS

5 – SAFETY REQUIREMENTS OC OALLOCATION

TO REALIZATION PHASE


RISK

• RISK: exposure to the possibility of damage

= frequency of event x impact of event

e.g. = times/year x loss of money

e.g. = times/year x area of contamination

e.g. = times/year x killed people


RISK MATRIX EXAMPLEFFrequency

Damage Remote Rare Unlikely Possible Likelyg

Catastrophe Many deads 5 6 6 6 6

Major Damage

Some deads 4 4 5 5 5

LocalDamage

Injury, 1 dead 2 4 4 5 5

MinorMi I j 1 1 2 3 3

Minor Damage

Minor Injury 1 1 2 3 3

Harmless No dead 0 0 0 0 0


RISK ASSESSMENT

= Hazard identification

+ consequences estimation

+ frequency assessment5Dr. Ing. Carlo LebrunFunctional Safety Training

q y

ALARP ZONE (carrot diagram)

LIMITS ARE SENSIBLE TO:• Laws & regulations• Laws & regulations• Social acceptance• Standards• Company practiceCompany practice • Economical damage• …

As Low As Reasonably Practical

6Dr. Ing. Carlo LebrunFunctional Safety Training - 01

EXAMPLE OF TOLERABLE RISKS TABLE

Functional Safety Training 7Dr. Ing. Carlo Lebrun

EXAMPLE OF TOLERABLE RISKS TABLE


SEVERAL POSSIBLE SOURCES OF RISK

Technical

Organizational

Human Factors

Natural Phenomena

…


RISK ANALYSIS METHODOLOGIESTECHNICAL SOURCES OF RISK

QUALITATIVE:

TECHNICAL SOURCES OF RISK

QChecklist

Preliminary Hazard Analysis (PHA)What-If

Failure Modes & Effects Analsysis (FMEA)Hazard & Operability Study (HAZOP)Hazard & Operability Study (HAZOP)

QUANTITATIVE:Fault Tree Analsys (FTA)Event Tree Analsys (ETA)


SOURCES OF RISK CAN BE

KNOWNRisk assessment should evaluate impact and probabilityp p y

(eg checklist)

UNKNOWNRisk assessment should also identify hazardsRisk assessment should also identify hazards

(eg HAZOP)


RISK ASSESSMENT GENERAL PROCEDURESYSTEM

DESCRIPTION

SCENARIO IDENTIFICATION

HAZARD IDENTIFICATION

FREQUENCY CONSEQUENCES

RISK DEFINITION

IDENTIFICATIONIDENTIFICATION

ANALYSYS OF PROTECTIONS

REQUIREMENTS


A SUMMARY OF POSSIBLE METHODOLOGIES


PHA: PRELIMINARY HAZARD ANALYSYS

TARGETSRisks identification in the earlier stages of design. Additional protections are normally g g ycheaper in the earlier stages of design. APPLICATIONDuring design Mostly in the earlier stages of designDuring design. Mostly in the earlier stages of design. METHODOLOGYMultidisciplinary. Based on previous knowledge of similar systems/process. It reviews consequences and probability of pre identified hazards Additional protections orconsequences and probability of pre-identified hazards. Additional protections or operating changes maybe proposed for inclusion in the design.ADVANTAGESSimple and cheap.DISADVANTAGESQualitative. Depends on previous experience, as hazards must be known in advance.


p p p ,

PRELIMINARY HAZARD ANALYSYS FORMID HAZARD CAUSE EFFECT PROBABILITY CORRECTIVEID HAZARD CAUSE EFFECT PROBABILITY CORRECTIVE or

PREVENTIVE ACTION


WHAT-IF ANALYSIS

TARGETSSsistematic analysisi of individual equipment to identify risk sources. Classification of the y yrisk sourcesAPPLICATION Applicable to any phase of design construction and operationApplicable to any phase of design, construction and operationMETHODOLOGYCollection of multidisciplinary documentation about process, substances, etc. answering to qeustions like : “what does it happens in case of ?” Applicable to operating errorsto qeustions like : what does it happens in case of …? Applicable to operating errors, failures, external events, etc.ADVANTAGESSimple and cheapDISADVANTAGESQualitative. Cases/events must be identified in advance (based on experience).


( p )

WHAT-IF ANALYSIS FORMI WHAT IF? CONSEQUENCE PROBABILITY SEVERITY CORRECTIVE or RECOMMENDATIONID

WHAT-IF? CONSEQUENCE PROBABILITY SEVERITY CORRECTIVE or PREVENTIVE ACTION

RECOMMENDATION

THE LIST OF WHAT IF CASES SHOULD BE PRE EXISTENTTHE LIST OF WHAT-IF CASES SHOULD BE PRE-EXISTENT

Example of environmentals what-if cases:AvalancheFloodingFreezing temperatures – snow - iceLightningEarthquakeSeismic activity


Storm

CHECKLISTS

TARGETSScreening of know risks, to detect their probabilityg yAPPLICATION Applicable to any phase of design, construction and operationMETHODOLOGYMETHODOLOGYA list of simple very specific checks requiring Yes/No answers (or very basic information filling). A reminder to ensure homogeneous analysis by every userADVANTAGESADVANTAGESSimple and cheapDISADVANTAGESHazards and detection methods must be identified in advanceNot a substitute of deeper methodologies


PROCESS DESIGN EXAMPLE CHECKLISTID CHECK YES NO T bID CHECK YES NO To be

defined

1 Special personnel required?

2 Unstable materials exposure to the atmosphere?

3 Detection of explosive conditions?

f f l4 Provisions for protection from explosions?

5 Hazardous reactions possible due to mistakes or contamination?

6 Provisions for rapid vent/drain of discharge fluids in an emergency?6 Provisions for rapid vent/drain of discharge fluids in an emergency?

7 Failure of equipment possible cause of hazards?

8 Hazards possible caused by gradual or sudden blockages in piping?

9 Hazards possible caused by gradual or sudden blockages in equipment?

10 Facilities for the disposal of toxic materials?


…

FMEA: FAILURE MODES & EFFECTS ANALYSIS

TARGETSSistematic search and review of each possible component failure, and the effects on the involved system.APPLICATION Applicable to any phase of design construction and operationApplicable to any phase of design, construction and operation.METHODOLOGYIdentify the potential failure of each component and its effects; assess the failures to determine actions that would eliminate the chance of occurrence; document the potentialdetermine actions that would eliminate the chance of occurrence; document the potential failuresADVANTAGESCapacity’ of detecting possible scenarios. Good documentation for easy communication.DISADVANTAGESFocused of individual components. Executed by a few specialists, the hazard


p y p ,identification may by subjective.

FMEA FLOW CHARTIDENTIFY ALL COMPONENTS

LIST THE FUNCTIONS OF EACH COMPONENTCOMPONENT

LIST ALL POTENTIAL FAILURE MODES

DESCRIBE THE EFFECTS OF EACH FAILURE

DEFINE IF/HOW IT IS DETECTED BY SYSTEM DIAGNOSTIC

FOR FMEDA

DESCRIBE THE SEVERITY OF THESE EFFECTS

SEVERITY x PROBABILITY = RISKDETERMINE THE PROBABILITY

OF EACH FAILURE

DEFINE THE PROTECTION


FMEA FORM AND EXAMPLEID ITEM FUNCTION CAUSES / OPERATIONAL DIRECT EFFECT FINAL EFFECT PROBABILITY SEVERITY CORRECTIVEID ITEM FUNCTION CAUSES /

FAILURE MODES

OPERATIONAL MODE

DIRECT EFFECT FINAL EFFECT PROBABILITY SEVERITY CORRECTIVE or PREVENTIVE ACTION

1 LIGHT TO PROVIDE BURNED NO LIGHT NO LIGHTBULB LIGHT

2 DISCONNECTED NO LIGHT / INTERMITTENT LIGHT

NO LIGHT

3 SWITCH TURN POWER LOCKED OFF NO LIGHT NO LIGHTON/OFF

4 LOCKED ON LIGHT ON , EVEN IF NOT REQUIRED

NO LIGHT, AFTER BATTERY POWER IS FINISHED

5 BATTERY PROVIDE LOW POWER INSUFFICIENT LIGHT NO LIGHT, AFTER5 BATTERY PROVIDE POWER TO THE LIGHT BULB

LOW POWER INSUFFICIENT LIGHT NO LIGHT, AFTER BATTERY POWER IS FINISHED

NO POWER NO LIGHT NO LIGHT

22Dr. Ing. Carlo LebrunFunctional Safety TrainingFunctional Safety Training 02 22Dr. Ing. Carlo Lebrun

A MAJOR USE OF FMEA

FMEDA (FAILURE MODES EFECTS AND DIAGNOSTIC ANALYSIS) is a avariant ofFMEA providing information on the diagnostic capabilities of the system.

IEC61508 id th ibl f FMEDA f th d fi iti f f il d th iIEC61508 consider the possible use of FMEDA for the definition of failures and theirclassification split into safe detectable, safe undetectable, unsafe detectable, unsafe undetectable.

=

IEC61508 consider the possible use of FMEDA for “SIL” certification ofmanufactured products.


HAZOP: HAZARD & OPERABILITY ANALYSIS

TARGETSAnalysys of all deviations of operating parameters, and their effects. Analysis of the y y g yrequired protections.APPLICATION Applicable to any phase of design construction and operationApplicable to any phase of design, construction and operation.METHODOLOGYMultidisciplinary. Subdivision in smaller systems (nodes). Sistematic review of all possible and impossible deviations using a standard series of keywords (more flow less flowand impossible deviations, using a standard series of keywords (more flow, less flow, more pressure, etc.).ADVANTAGESReliable and complete. Very readable documentation.DISADVANTAGESMany people involved. Time and money requirements.


y p p y q

TYPICAL USE OF RISK ANALYSYS METHODS

Checklist PHA What-If HAZOP FMEA

Basic Design Yes Yes Yesg

Detail Engineering Yes Yes Yes Yes

Construction Yes YesConstruction Yes Yes

Start-up Yes Yes

N l O ti Y Y Y YNormal Operation Yes Yes Yes Yes

Modifications & Revamping Yes Yes Yes Yes Yes

Accident analysis Yes Yes Yes

Decommissioning Yes Yes


Decommissioning Yes Yes

WHY TO DO ANWHY TO DO ANHAZOP ANALYSIS?

Most other methods are based on a predefined list of pfactors/risks/issues to be screened: they need previous experience.

Without previous experience you do not have alternatives


Without previous experience … you do not have alternatives.

HAZOP: A TEAM

• All specialists together with a common objective• All specialists together with a common objective• Everybody give a knowledge contribution / Everybody respect the others• The leader (“Chairman”) helps observing the rules and keep a productive di idiscussion• Everybody learn• Disagreement are discussed until solved or minuted for further separate evaluation• Voting is allowed as an extreme resource


HAZOP: REQUIRED DOCUMENTATIONPi i d I t t ti Di ( P&ID )• Piping and Instrumentation Diagrams ( P&IDs )

• Material balances• Sizing Process Calculations• Process Data Sheets• Instrument Data Sheets• Cause&Effects• Cause&Effects• Layouts/Plot Plans & Hazardous Area Classification • Process descriptions

• … and a parameters / keywords combination


HAZOP: PARAMETERS

• FLOW• FLOW• LEVEL• PRESSURE• TEMPERATURE• COMPOSITION• CONTAMINATION• SERVICE SUPPLY / POWER SUPPLY• … ?


HAZOP: KEYWORDS

• NONE• REVERSE• REVERSE• MORE• LESS• CHANGE• …?


HAZOP: KEYWORDS-PARAMETERS TABLENONE REVERSE MORE LESS CHANGENONE REVERSE MORE LESS CHANGE …

FLOW Blockage Reverse flow High flow Low flow Incorrect flow direction

LEVEL N l l Hi h l l L l lLEVEL No level - High level Low level -

PRESSURE Vacuum - High pressure Low pressure -

TEMPERATURE - - High Low -gTemperature Temperature

COMPOSITION - Wrong phase Excess of some component

Loss of some component

Wrong composition

CONTAMINATION - Leakage Too muchcontaminant

- -

SERVICE / POWER SUPPLY

Loss of power supply

- - Low power supply

-SUPPLY supply supply

…


HAZOP FORM: NODE DOCUMENTATION

STUDY TITLE ALI BABA GAS COMPRESSOR STATION

P&ID No. 12345678 ABCD Rev 3 Sheet 1 Date

TEAM COMPOSITION

See attachmentCOMPOSITION

PART CONSIDERED

Inlet from Battery limit, up to isolation valve SDV001, design flowrate 200 Nm3/h (common header to three trains)CONS t a s)

DESIGN INTENT Scope: inlet at 19 degrees (cooled by silica gel process) shall be warmed at about 35 degrees (at station discharge line)Material: Natural Gas (17.1 MW)

Source: Battery Limit Destination: Compressor K1234


HAZOP FORM: DEVIATIONS ANALYSISID DEVIATION CAUSES CONSEQUENCES SAFEGUARD RECOMMENDATION ACTION BY1-1 NO FLOW Station ShutDown Station Shutdown, with system

under pressureDesign Pressure is the same of Upstream Unit

1-2 NO FLOW No Flow from Battery Limit No effect for this node

1-3 NO FLOW Closure of SDV101 As Station Shutdown

1-4 NO FLOW Exchanger Blockage Not Credible

1-5 NO FLOW Accidental Closure Manual Isolation Valve

Sudden reduction of pressure in exchanger shell and piping. Valve closure takes about 10’.

Compressor Suction Trip (PT118A), antisurge system (PT109A), trip prealarm

1-6 REVERSE FLOW Low pressure upstream No effect for this node

1-7 MORE FLOW More flow from upstream Not Credible. Note: Pipeline is 66 km long (24”)(24”)

1-8 MORE FLOW Safety valve bypass open Loss of inventory Spectacle blind, and locked close valve

1-9 LESS FLOW Not reviewed. Same as NO FLOW case.

1-10 MORE LEVEL Not applicable

1 11 LESS LEVEL Not applicable1-11 LESS LEVEL Not applicable

1-12 MORE PRESSURE Not reviewed. Same as NO FLOW.

1-13 MORE PRESSURE Fire Pressure Increase. Piping and equipment rupture.

PSV are designed for fire case. Fire&Gas system, causing automatic shutdown.

SIL analisys

1-14 MORE PRESSURE One compressor trip with other Pressure increase within the Design Pressure1-14 MORE PRESSURE One compressor trip with other running.

Pressure increase , within the design pressure limit.

Design Pressure.

1-15 LESS PRESSURE Upstream low pressure. None for this node. The decrease of pressure will be gradual because of the pipeline length.Pressure indicators at compressor suction.


1-16 LESS PRESSURE Compressor suction giving low pressure.

None for this node. Compressor control & protection.

HAZOP: METHODOLOGY

• Discuss all deviations from normal operation

• Document the possible causes of those deviations

• Estimate the consequences of those deviations WITHOUT ANY PROTECTION!Estimate the consequences of those deviations WITHOUT ANY PROTECTION!

• Document operator capability to detect the change and manipulate it

• List provided safeguards

• Eventually recommend additional safeguards

• Follow up the implementation of the additional recommendations


• Follow up the implementation of the additional recommendations

WHAT’S NEXT?


LOPA: LAYERS OF PROTECTION ANALYSYS

- Used after the HAZOP

- Evaluates existing protections, and identifies the need for new ones

- Gives a classification of protections proportioned to risks


http://www.ecisgroup.it/

END OF PRESENTATION


training functional safety 04 - risk assessment rev0

Documents