Hazards equal trips or alarms or both

Anyone who has been involved in the application of IEC 61508 and IEC 61511 by undertaking the Safety Integrity Level (SIL) determination for Safety Instrumented Systems (SIS) will appreciate the amount of effort and tenacity that is required to undertake the task. SIL determination of Safety Instrumented Systems requires considerable commitment and tenacity to get the job done, but it is like climbing to the top of a hill only to be faced with a mountain when we come to consider what is involved in reviewing or configuring a typical alarm system.A medium sized process facility may have a few hundred or so primary Safety Instrumented Functions (SIF) or trips configured into a Safety Instrumented System, but the number of alarms configured into a process control system (PCS), that need to be assessed and prioritised, can often run into the thousands.There is synergy between safety instrumented functions and alarms because they both make a contribution to reduce the risk of having unwanted events, and both need an assigned appropriate criticality.This paper details various methods of criticality assessment which have been successfully applied to set the appropriate priority, identify the critical alarms that need to be upgraded to trips and to rationalise those of no value. It will also cover the use of software tools which can significantly reduce the effort involved in this process.     

HAZOP、LOPA和SIL方法的应用分析

通过概括介绍危险与可操作性分析(HAZOP)、保护层分析(LOPA)和安全完整性等级分析(SIL)三种方法的特点,总结三种分析方法之间的关系.LOPA分析是HAZOP分析的继续,可以解决HAZOP分析中残余风险不能定量化的不足,是对HAZOP分析结果的丰富和补充;SIL分析则在LOPA分析的基础上,进一步对需要增加的安全仪表系统(SIS)进行设计,并对LOPA分析结果进行验证,即HAZOP、LOPA分析是SIL分析的前期准备工作.因此,在详细介绍SIS的组成、安全生命周期阶段、SIL的选择确定方法以及SIL分析流程之前,也简要介绍了HAZOP、LOPA分析方法,梳理了两种方法的分析流程.最后通过引入示例来展示三种分析方法之间的关系.     

安全仪表系统的性能维护及指标值计算

安全仪表系统（SIS）作为保障工业生产安全的重要措施,需要在危险发生时正确地执行其安全功能,采取有效措施维持安全仪表系统在运行阶段的性能是保障系统功能安全的关键。详细阐明了SIS在运行阶段应遵循风险评估分析、安全功能分配文件、安全要求规范、安全分析报告、安全完整性等级符合性等重要文档中的要求,给出了维持SIS安全完整性的主要活动,并在加强旁路、禁止和超驰控制管理,对SIS失效的响应、记录和分析,进行定期检查、维护和功能测试以及安全仪表系统的变更管理等方面提出了要求。提出了SIS的安全性能指标及目标值的简易计算方法,给出失效率更新流程、计算方法和功能安全测试间隔调整技术。所提的技术方法为如何保证安全仪表系统运行阶段的安全性能提供了有力指导,其可操作性强,便于在实际工程中进行应用。     

Risk reduction concept to provide design criteria for Emergency Systems for onshore LNG plants

The functional safety requirement is widely applied in the process plant industry in accordance with the international standards, such as IEC and ISA. The requirement is defined as safety integrity level (SIL) based on the risk reduction concept for protection layers, from original process risk to tolerable risk level. Although the standards specify both, the Prevention System and the Emergency System, as level of protection layers, the standards specify in detail only the use of the Prevention System (i.e., Safety Instrumented System (SIS)). The safety integrity level is not commonly allocated to the Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System). This is because the required risk reduction can be normally achieved by only the Prevention System (i.e., SIS and Pressure Safety Valve (PSV)). Further, the risk reduction level for the Emergency System is very difficult to be quantified by the actual SIL application (i.e., evaluated based on the single accident scenario, such as an accident from process control deviation), since the escalation scenarios after Loss of Containment (LOC) greatly vary depending on the plant design and equipment. Consequently, there are no clear criteria for evaluating the Emergency System design. This paper aims to provide the functional safety requirement (i.e., required risk reduction level based on IEC 61508 and 61511) as design criteria for the Emergency System.In order to provide clear criteria for the Emergency System evaluation, a risk reduction concept integrated with public’s perception of acceptable risk criteria is proposed and is applied to identify the required safety integrity level for the Emergency System design. Further, to verify the safety integrity levels for the Emergency Systems, the probabilistic model of the Emergency Systems was established considering each Emergency System (e.g., Fire and Gas System, Emergency Shutdown System and Emergency Depressuring System) relation as the Overall Emergency System. This is because the Overall Emergency System can achieve its goal by the combined action of each individual system, including inherent safe design, such as separation distance.The proposed approach applicability was verified by conducting a case study using actual onshore Liquefied Natural Gas Plant data. Further, the design criteria for Emergency Systems for LNG plants are also evaluated by sensitivity analysis.     

A cascaded fuzzy-LOPA risk assessment model applied in natural gas industry

Natural gas plants demand high amount of energy provided through immense fuel gas units that may suffer risk hazards. Implementing a safety management system is the most efficient way of allocating resources for safety. This paper adopts The Layer of Protection Analysis (LOPA) risk Management associated with Fuzzy Logic methodology to prevent or limit industrial accidents. We provide an innovative cascaded fuzzy-LOPA model for certain hazardous scenarios and at different frequencies of occurrence. The introduced model is tested at moderate and high risk levels controlled in its practical limits through the use of Safety Integrity Functions (SIF). Obtained results show how this fuzzy-LOPA achieves better results to maintain the Safety Integrity Level (SIL) rating to acceptable limits.     

Cost effective alternative in meeting the required Safety Integrity Level (SIL)

Demonstrating process safety has always been one of the paramount concerns of Engineering, Procurement, and Construction (EPC) companies in the industrial sector, especially with the development of stringent standards such as IEC-61508 and IEC-61511. One of the means of process safety demonstration is through Safety Integrity Level (SIL) Verification. In some cases, SIL verification results show that several Safety Instrumented Functions (SIFs) do not meet their required SIL; and one of the actions is to add new SIF components. However, with the addition of new components comes a change order, which eventually leads to added cost and time overruns for design and construction projects; and in some instances, introduces additional risks to the system. This paper presents a case study based on the SIL verification report of a design and construction project. The scenario of interest involves the over-pressurization in the High Pressure (HP) Flare Knock-Out (KO) Drum which activates a SIF that will close two Shutdown Valves (SDVs), preventing added pressure to be delivered to the KO Drum. Seeing as two SDVs in a 2oo2 configuration need to be closed, the SIF was not able to meet its target failure measure of SIL 2. Three cases were set, in order to meet the required SIL. The first one involves adding new SDVs; the second case made use of upstream existing SDVs, while the third one is similar with the second but differs in configuration of the SDVs. SIL verification was performed for all three cases through the Fault Tree Analysis modeling technique. Results of this study suggest that using existing instruments can be a cost effective way of meeting the required SIL, which eliminates all the hassle and potential risk introduced when bringing in new instruments to the design.     

Promoting inherent safety

By inherent safety is meant that a hazard is eliminated rather than being managed by various add-on equipment and procedures. Practices of inherent safety have been developed in the chemical industry, and include for instance the substitution of hazardous substances by less hazardous ones. Inherently safer design strives to eliminate the possibility of major adverse events even when the probabilities of these events are small or cannot be meaningfully estimated. Considerations of security can be more easily incorporated into this approach than into most other branches of risk and safety analysis. Therefore, inherent safety has a great potential as a meeting-ground for the much-needed coordination of safety and security work. Its philosophical underpinnings are outlined, and proposals are made for more efficient promotion of its principles.     

Risk assessment of safety and health (RASH) for building construction

In this research Risk Assessment of Safety and Health RASH method for building construction has been developed with risks classified into Safety Risks and Health Risks. 11 factors representing safety risks and 8 factors representing health risks were identified based on field survey in Oman. 40 Safety and Health specialists were involved in carrying out risk assessment using the existing method of risk analysis RA and the proposed RASH method. It was found that RASH method resulted in superior accuracy for assessment of risk zones than the existing RA method. The accuracy by RASH was almost twice the accuracy by RA. The overall percentages of the correct answers for the four scenarios using the RASH method and the RA method were 72.5 percent and 40 percent respectively. The proposed RASH method gave fewer errors than the existing RA method for all scenarios. Two scenarios were found to be the most problematic ones with largest overestimation of risks occur when using the existing RA method. Wilcoxon Ranked Test showed that the two methods are significantly different (z = −3.357, p > 0.01). The new method RASH is statistically acceptable and it resulted in better response in terms of estimating the risk than the RA method.     

化工园区安全容量分析探讨

化工园区的安全容量问题一直是地方政府普遍关心的重要问题。本文采用量化风险分析的方法着重对化工园区的运输风险进行分析，以此来评判化工园区的安全容量是否合适，并给出了运输风险分析的模型和风险接受标准。通过对南方某化工园区整个危险品物流的统计分析，经风险计算给出了不同水平个人风险的半宽。结合化工园区的远期规划，经反算给出了新增合理安全容量在约30～90万m^3之间，总安全容量在470～530万m^3之间。     

Dynamic model based safety analysis of a three-phase catalytic slurry intensified continuous reactor

Safety analysis like the HAZOP (HAZard OPerability) study can be much more efficient if a dynamic model of the system under consideration is available to evaluate the consequences of hazard deviations and the efficiency of the proposed safety barriers. In this paper, a dynamic model of a three-phase catalytic slurry intensified continuous chemical reactor is used within the context of its HAZOP (HAZard OPerability) study. This reactor, the RAPTOR®, is an intensified continuous mini-reactor designed by the French company AETGROUP SAS that can replace batch or fed-batch processes in the case of highly exothermic reactions involving hazardous substances. The highly hazardous hydrogenation of o-cresol under high pressure and temperature is taken as an example of application. Deviations as a temperature increase of the cooling medium or no cooling medium flow can produce an overheating of the reactor. Thus, three possible safety barriers are evaluated by simulation: shut off the gaseous reactant feed, shut off the liquid reactant feed or stop the agitation. The more efficient actions are the stopping of the agitation and/or of the gas reactant feed. The simulation results can efficiently help the reactor design and optimisation. Safety analysis can also be one of the criteria to compare batch and intensified continuous processes.     

3-Parameters SPW technique: A new method for evaluation of target safety integrity level

Introduced by IEC-61508 standard, safety integrity levels (SIL) have been used for assessing the reliability of safety instrumented functions (SIF) for protection of the system under control in abnormal conditions. Different qualitative, semi-qualitative and quantitative methods have been proposed by the standard for establishing target safety integrity levels amongst which “Risk Graph” has gained wide attention due to its simplicity and easy-to-apply characteristics. However, this method is subject to many deficiencies that have forced industry men and experts to modify it to fit their demands. In this paper, a new modification to risk graph parameters has been proposed that adds more flexibility to them and reduces their subjective uncertainties but keeps the method as simple as before. Three parameters, namely severity (S), hazard avoidance probability (P), and demand rate (W) are used instead of former four parameters. Hence, the method is named SPW. The outcome results of this method can be directly converted to probability of failure on demand (PFD) or risk reduction factor (RRF). The proposed method has been tested on an example case that has been studied before with conventional risk graph and LOPA techniques. The results show that new method agrees well with LOPA and reduces costs imposed by conservative approximations assumed during application of conventional risk graph.     

Generalized analytical expressions for safety instrumented systems' performance measures: PFDavg and PFH

Safety Instrumented Systems (SIS) constitute an indispensable element in the process of risk reduction for almost all of nowadays' industrial facilities. The main purpose of this paper is to develop a set of generalized and simplified analytical expressions for two commonly employed metrics to assess the performance of SIS in terms of safety integrity, namely: the Average Probability of Failure on Demand (PFD_avg) and the Probability of Dangerous Failure per Hour (PFH). In addition to the capability to treat any K-out-of-N architecture, the proposed formulas can smoothly take into account the contributions of Partial Stroke Testing (PST) and Common Cause Failures (CCF). The validity of the suggested analytical expressions is ensured through various comparisons that are carried out at different stages of their construction.     

An evaluation approach using a HARA and FMEDA for the hardware SIL

Safety instrumented systems (SIS) are becoming increasingly complex, and form a growing proportion of programmable electronic parts. The IEC 61508 global standard was established to ensure the functional safety of SIS; however, it was expressed in highly macroscopic terms. The safety integrity level (SIL) is a criterion describing whether a component meets the safety requirements of a SIS. The safety requirements give a target SIL for the expected risks using hazard analysis and risk assessment (HARA). The SIL must correspond to the safety requirements. This study introduces an evaluation process for determining the hardware SIL through failure modes, effects, and diagnostic analysis (FMEDA). First, the components of the SIS subsystem are defined in terms of failure modes and effects, and then the failure rate and failure mechanism distribution are assigned to each component. The safety mode and detectability of each failure mode are determined for each component and, finally, the hardware SIL is evaluated. We perform a case study to evaluate the hardware SIL of the flame scanner system using HARA and FMEDA, where the safety requirement of the flame scanner was determined using the risk graph method. We verified that the hardware SIL of the flame scanner corresponded to the safety requirement.     

Application of domino effect quantitative risk assessment to an extended industrial area

Escalation of primary accidental scenarios triggering a “domino effect” have caused extremely severe accidental events in the chemical and process industry. The identification of possible escalation events is required in the safety assessment of sites where relevant quantities of hazardous substances are stored or handled. In the European Union, “Seveso-II” Directive requires the assessment of on-site and off-site possible escalation scenarios in sites falling under the obligations of the Directive. In the present study, a methodology developed for the quantitative assessment of risk due to domino effect was applied to the analysis of an extended industrial area. Recently developed equipment damage probability models were applied for the identification of the final scenarios and for escalation probability assessment. The domino package of the Aripar-GIS software was used for risk recomposition. The results evidence that quantitative risk assessment of escalation hazard is of fundamental importance in order to identify critical equipment and to address prevention and protection actions.     

New considerations for SIL verification of functional safety fieldbus communication

Safety integrity level (SIL) verification of functional safety fieldbus communication is an essential part of SIL verification of safety instrumented system (SIS), and it requires quantifying residual error probability (RP) and residual error rate of function safety communication. The present quantification method of residual error rate uses RP of cyclic redundancy check (CRC) to approximately replace the total RP of functional safety communication. Since CRC only detects data integrity-related errors and CRC has intrinsically undetected error, some other residual errors are not being considered. This research found some residual errors of the present quantification method. Then, this research presents an extended new approach, which takes the found residual errors into account to determine more comprehensive and reasonable RP and residual error rate. From perspective of the composition of safety message, this research studies RPs of those controlling segments (sequence number, time expectation, etc.) to cover the found residual errors beyond CRC detection coverage, and the influences of insertion/masquerade errors and time window on RP are investigated. The results turn out these residual errors, especially insertion/masquerade errors, may have a great influence on quantification of residual error rate and SIL verification of functional safety communication, and they should be treated seriously.     

The safety barometer: How safe is my plant today? Is instantaneously measuring safety level utopia or realizable?

During the last decade, serious accidents have continued to occur in the process industry. Apparently the scenarios of various undesired events leading to those accidents are still not sufficiently controlled. The key question is how potentially hazardous situations develop, what processes form the basis for this development, and how to control them? Safety level is not static but depends on many risk factors that change in presence and intensity over location and time. Safety level is dependent not only on technical process parameters that have immediate effects on the ‘frequency’ or probability of catastrophic consequences, but also depends on equipment integrity degradation, operational and management quality, attitudes, and cultural processes which may change over a prolonged time. The time and human interaction aspects make dynamic risk assessment complex. This paper will outline a conceptual approach using in addition to the regular process parameter signals received, also weak and slowly changing signals from various safety indicators, enabling to keep track of the risk factors. In theory this could lead to obtaining an instantaneous safety level ‘measure’ making possible forecast alarming for an imminent event to occur. Such concept could be regarded as a ‘writing’ safety barometer, or barograph. However, there are quite a number of problems to be solved which in the paper will be discussed.     

The impact of risk tolerance,risk perception and hazardous attitude on safety operation among airline pilots in China

The present study integrates personality approach and social cognition approach to investigate the relationships between risk tolerance, risk perception, hazardous attitude and safety operation behavior in order to understand the mechanisms underlying pilots’ safety operation behavior in aviation. The study sample consisted of 118 commercial airline pilots from China Southern Airlines Ltd. The results show risk tolerance displays an indirect effect on safety operation behavior through influencing hazardous attitude; risk perception has a significant moderating effect on the relationship between risk tolerance and safety operation behavior. Based on the above, it can be concluded that the low risk tolerance primarily influences safety operation behavior indirectly through affecting hazardous attitude. With risk perception increasing, the negative effects of risk tolerance on safety operation behavior are gradually reduced. Practical implications for aviation safety campaigns are also discussed.     

基于人因可靠性的间歇装置SIL分析与改进

IEC 61508和IEC 61511等标准针对连续工艺装置提出了安全仪表系统安全完整性等级评估方法。但对于间歇装置的SIL评估，受人因因素影响水平并未明确，且没有提出相应计算模型。以某六氟磷酸锂间歇生产装置典型SIS为例，采用HAZOP结合LOPA方法对其进行风险分析，在明确间歇生产装置存在人员中毒、窒息及燃烧爆炸风险的基础上，确定并验证其安全仪表系统的SIL，再依据间歇生产装置人工依赖性高，即部分安全仪表系统未接入自动联锁且需人工手动触发的特点，建立人因可靠性模型，来分析人因可靠性对安全仪表系统SIL的影响，并进行改进研究。研究结果表明:人因因素对安全仪表系统SIL有显著影响；可通过改变SIS元件冗余结构、测试策略并结合改进人因管理措施来提高SIL。     

Reducing unknown risk: The safety engineers’ new horizon

A significant gap exists between accident scenarios as foreseen by company safety management systems and actual scenarios observed in major accidents.The mere fact that this gap exists is pointing at flawed risk assessments, is leaving hazards unmitigated, threatening worker safety, putting the environment at risk and endangering company continuity. This scoping review gathers perspectives reported in scientific literature about how to address these problems.Safety managers and regulators, attempting to reduce and eventually close this gap, not only encounter the pitfalls of poor safety studies, but also the acceptance of ‘unknown risk’ as a phenomenon, companies being numbed by inadequate process safety indicators, unsettled debates between paradigms on improving process safety, and inflexible recording systems in a dynamic industrial environment.The immediacy of the stagnating long term downward major accident rate trend in the Netherlands underlines the need to address these pitfalls. A method to identify and systematically reduce unknown risks is proposed. The main conclusion is that safety management can never be ready with hazard identification and risk assessment.     

SIL determination: Recognising and handling high demand mode scenarios

The International Standards for Functional Safety (IEC 61508 and IEC 61511) are well recognised and have been adopted globally in many of the industrialised countries during the past 10 years or so. Conformance with these standards involves determination of the requirements for instrumented risk reduction measures, described in terms of a safety integrity level (SIL). During this period within the process sector, layer of protection analysis (LOPA) has become the most widely used approach for SIL determination. Experience has identified that there is a type of hazardous event scenario that occurs within the process sector that is not well recognised by practitioners, and is therefore not adequately handled by the standard LOPA approach. This is when the particular scenario places a high demand rate on the required safety instrumented function. This paper will describe how to recognise a high demand rate scenario. It will discuss what the standards have to say about high demand rates. It will then demonstrate how to assess this type of situation and provide a case study example to illustrate how to determine the necessary integrity level. It will conclude by explaining why it is important to treat high demand rate situations in this way and the resulting benefit of a lower but sufficient required integrity level.