Safety Instrumented System Management

Source: konyvtar.uni-pannon.hu/doktori/2010/Baradits_Gyorgy_dissertation.pdf


DOCTORAL (PhD) DISSERTATION

György Baradits

University of Pannonia

2010.


Safety Instrumented System Management

Dissertation submitted for the doctoral (PhD) degree

within the Doctoral School of Chemical and Material Engineering Science

of the University of Pannonia.

Written by: György Baradits

Prepared within the framework of the Chemical and Material Engineering Sciences school / programme / subprogramme of the University of Pannonia

Supervisor: Dr. Tibor Chován

I recommend acceptance (yes / no)

....................………………………. (signature)

The candidate achieved …......... % at the doctoral comprehensive examination,

As a reviewer, I recommend the dissertation for acceptance:

Name of reviewer: …........................ …................. yes / no

....................………………………. (signature)

Name of reviewer: …........................ …................. yes / no

....................………………………. (signature)

Name of reviewer: …........................ …................. yes / no

....................………………………. (signature)

The candidate achieved …..........% at the public defence of the dissertation.

Veszprém, 2010 ...................………………………….

Chairman of the Reviewing Committee

Grade of the doctoral (PhD) diploma ….................................

...................………………………….

Chairman of the EDHT (University Doctoral and Habilitation Council)


University of Pannonia
Faculty of Chemical and Process Engineering
Department of Process Engineering

Safety Instrumented System Management

PhD Thesis

György Baradits

Supervisor: Tibor Chován, PhD, associate professor

PhD School of Chemical and Material Engineering Science

2010.


Acknowledgements:

Herewith I would like to say many thanks to those who contributed to and assisted in my work and supported me at a professional level.

I would also like to take this opportunity to thank all those who contributed to the preparation of this dissertation and supported me in a professional manner.


Abstract

In the course of the development of the oil, petrochemical and chemical industries, serious industrial accidents caused by the toxicity and explosion hazard of the materials used have shown that the industry is unable to regulate itself internally. Therefore state- and EU-level regulatory systems came into force in the form of various safety standards, within the European Union in the form of Directives or Standards. Their aim is to make the industry's activities safer and to reduce the number of accidents and the severity of their consequences. Within the European Union the introduction and use of the Directives is mandatory for all European member states, while the introduction of the standards is mandatory and their application is recommended. As a result, from the 2000s onward a new profession has emerged, which may be called Process Safety Engineer. At present this process is still at the beginning of the road in the area of education and training, because the published process safety standards (IEC 61508 and IEC 61511) leave broad and sometimes ambiguous room for interpretation to those applying them.

With the process control systems used in industrial practice, the aim is to exploit as fully as possible the opportunities offered by the technological process (application of DCS, APC and OTS). For this reason the optimal operating conditions get ever closer to the limits set by physical and chemical laws, and therefore stricter safety requirements must also be taken into account when delimiting the optimal operating ranges. This task is supported by the development and application of devices which bring the plant into a safe state at predetermined limit values, preventing the occurrence of an accident. The IEC 61511 standard calls these systems Safety Instrumented Systems (SIS).

The aim of the dissertation, which consists of several sub-chapters, is to create possible, practically applicable models of the Functional Safety operating solutions of these Safety Instrumented Systems as prescribed by the European Directives and Standards, taking into account all those engineering activities which affect, or may affect, the safety of operation. By applying these models the number of accidents and the severity of their consequences can be reduced, and cost savings become possible. The research covered the management of technological risks and of the design and maintenance of Safety Instrumented Systems.

Like any system, the creation and operation of a safety system costs money. Therefore, on the one hand, the so-called ALARP (As Low As Reasonable Possible) principle must be taken into account during realisation, which relates the amount spent on risk reduction to the level of risk reduction achieved; on the other hand, the operating/maintenance costs of the Safety Instrumented System must be optimised. One of the aims of my research was to develop a cost-optimisation model for the maintenance of Safety Instrumented Systems (the so-called Proof Test interval), the application of which can demonstrably mean cost savings for those applying the model.


In the course of the author's other work, the "HAZOP template" model, the "Cumulative LOPA" method, and the interpretation of the standard's requirements on SIS design and realisation as transposed into practice, together with the rule system developed for them, have also been applied successfully in practice.

Summary

As the process industry develops, the optimal operating conditions get closer and closer to their physical and chemical limits. Therefore, there is a need for rigorous safety rules and safety instrumented systems, which are regulated by the IEC EN 61508 and IEC EN 61511 standards.

The goal of the dissertation, which consists of several parts, is to build functional safety models based on the European Directives and Standards which take into consideration the negative influence of all human activity, reduce the number of serious consequences of accidents, and give financial advantage to the owners of industrial plants. The research deals with the analysis of technological risks and with the design and maintenance of safety instrumented systems.

Summary (German abstract, translated)

As the process industry has developed, the optimal operating conditions come closer and closer to their physical and chemical limits. It is therefore necessary to have strict safety regulations and safety instrumented systems, which are governed by the IEC EN 61508 and IEC EN 61511 standards.

The aim of the dissertation, which consists of several parts, is to build functional safety models on the European Directives and Standards. These Directives and Standards take into account the negative influence of all human activities, reduce the number of serious consequences of accidents and give financial advantage to the owners of industrial plants. The research deals with the analysis of technological risks and with the design and maintenance of safety instrumented systems.


Confidentiality of acquired field information

To a large extent, information coming from companies which are active in the process industries is used within this thesis, e.g. in the various examples and the included case studies. The author gathered this information during many projects and site visits as a consultant of SIL4S Ltd. Because company-related safety issues and safety policies are often considered to be confidential information, the names of the companies involved in the cases described have been withheld.


Table of Contents

1 SAFETY AND RISK: INTRODUCTION INTO THE PROCESS SAFETY ... 19

1.1 WHY PROCESS SAFETY IS SO IMPORTANT? ... 19
1.2 GROWING COMPLEXITY OF INDUSTRIAL PROCESSES ... 20
1.3 HISTORY OF THE DIRECTIVES AND SAFETY STANDARDS ... 21
1.4 FUNCTIONAL SAFETY ... 22
1.5 CORRELATION BETWEEN RISK, ACCEPTABLE RISK, RESIDUAL RISK AND RISK REDUCTION ... 23
1.6 SEVESO DIRECTIVES ... 24

1.6.1 Introduction ... 24
1.6.2 Seveso disaster ... 24
1.6.3 Seveso directives history ... 25
1.6.4 Objectives of Seveso directives ... 25
1.6.5 Requirements of Seveso Directive ... 26
1.6.6 Improvement of SEVESO Directives ... 26

1.7 ATEX DIRECTIVES ... 28
1.7.1 Introduction ... 28
1.7.2 ATEX Directives ... 29
1.7.3 ATEX 100 ... 29
1.7.4 ATEX 137 ... 29
1.7.5 ATEX and Functional Safety ... 31

1.8 PROCESS SAFETY STANDARDS ... 31
1.8.1 Process Safety in General ... 31
1.8.2 Introduction ... 33
1.8.3 Life Cycle philosophy ... 34
1.8.4 Management of Functional Safety ... 36
1.8.5 IEC 61508 Standard ... 36
1.8.6 IEC 61511 Standard ... 37
1.8.7 Safety Integrity Level (SIL) ... 40
1.8.8 Application of IEC 61508 and IEC 61511 ... 41

1.9 OBJECTIVES OF THE PROCESS SAFETY STANDARDS ... 41
1.9.1 Objectives for manufacturers ... 41
1.9.2 Objectives for System integrators ... 42
1.9.3 Objectives for end-users ... 42
1.9.4 Objectives of Authority and Standardisation Body ... 42
1.9.5 Requirement of the Process Safety Standards ... 43
1.9.6 Requirement for manufacturers ... 43
1.9.7 Requirement for System integrators ... 43
1.9.8 Requirement for end-users ... 43
1.9.9 Requirement for Authority ... 43

1.10 APPLICATION OF THE PROCESS SAFETY STANDARDS ... 43
1.10.1 Application of the Process Safety Standards for manufacturers ... 44
1.10.2 Application of the Process Safety Standards for system integrators ... 44
1.10.3 Application of the Process Safety Standards for end-users ... 44

1.11 GENERAL PHENOMENA IN THE STANDARDS ... 44
1.11.1 Functional Safety ... 44
1.11.2 SIF and SIS ... 44
1.11.3 Verification and validation ... 45
1.11.4 Summary and evaluation ... 46

2 RESEARCH OBJECTIVE, SCOPE AND METHODOLOGY ... 48


2.1 RESEARCH SPECIFICATION AND SCOPE ... 48
2.1.1 Research question one: Hazard and Risk analysis practice and how to improve its cost effectiveness, HAZOP template principle ... 49
2.1.2 Research question two: IPL allocation, using cumulative LOPA method ... 50
2.1.3 Research question three: interpreting the "good engineering practice" of SIS Design ... 50
2.1.4 Research question four: Cost effective Proof Test Management ... 51

2.2 RESEARCH SCOPE ... 51
2.2.1 Control of Safety ... 51
2.2.2 Hazard and Risk analysis ... 51
2.2.3 Cumulative LOPA ... 51
2.2.4 SIS Design ... 52
2.2.5 Proof test optimisation ... 52

2.3 RESEARCH TYPE AND METHODOLOGY ... 52
2.3.1 Design science ... 53
2.3.2 Research methodology ... 53
2.3.3 Research program ... 54

2.4 RESEARCH EXPECTATION ... 59
2.5 OUTLINE OF THIS THESIS ... 60

3 PROCESS HAZARD AND RISK ANALYSIS MANAGEMENT: A KNOWLEDGE BASED COST EFFECTIVE HAZOP STUDY METHOD ... 61

3.1 OVERVIEW AND CRITICAL EVALUATION OF TOOLS OF HAZARD AND RISK ANALYSIS SUGGESTED BY STANDARDS ... 61

3.1.1 Objective of hazard and risk analysis according to Standards ... 61
3.1.2 Requirement of hazard and risk analysis according to Standards ... 61
3.1.3 Risk matrix ... 63
3.1.4 Risk graph ... 64
3.1.5 Fault tree analysis ... 67
3.1.6 Event tree analysis ... 68
3.1.7 LOPA ... 69
3.1.8 Reliability Block Diagram analysis ... 70
3.1.9 Markov Modelling ... 75
3.1.10 HAZOP ... 77
3.1.11 Comparison and evaluation of tools suggested by the standards ... 77

3.2 OVERVIEW OF IEC 61882 HAZOP STANDARD ... 78
3.3 OVERVIEW OF PREPARING HAZOP STUDY ... 81

3.3.1 About hazard situations in general ... 81
3.3.2 General requirements of evaluating hazards and risks ... 83
3.3.3 What is Hazard and Risk analysis According to the Safety Standards? ... 83
3.3.4 General requirement of preparing Hazard and Risk analysis ... 84

3.4 OVERVIEW AND CRITICAL ANALYSIS OF RECENT HAZOP PRACTICE ... 85
3.4.1 Overview of HAZOP methodology ... 85
3.4.2 Overview of cost effective HAZOP studies ... 86
3.4.3 Automation of preparing a HAZOP study ... 87
3.4.4 Functional approach of HAZOP ... 88
3.4.5 Comparison of traditional HAZOP and functional HAZOP ... 88
3.4.6 Knowledge-based expert system ... 88
3.4.7 Problems of the recent solutions ... 89

3.5 DEVELOPMENT OF NEW SOLUTION OF PREPARING HAZOP ... 89
3.5.1 HAZOP manager: cost effective HAZOP study solution ... 90
3.5.2 HAZOP template example ... 93
3.5.3 Summary and evaluation ... 97

3.6 IMPLEMENTATION OF THE TEMPLATE HAZOP METHOD INTO TOOL4S SOFTWARE ... 97


3.6.1 Objective of Tool4S software ... 97
3.6.2 Requirement of Tool4S software ... 97
3.6.3 Result of development of Tool4S software ... 98
3.6.4 Description of Tool4S software ... 98

4 MANAGEMENT OF RISK ASSESSMENT: CUMULATIVE LOPA ... 99

4.1 OVERVIEW OF LOPA METHOD ... 99
4.1.1 History of LOPA method ... 99
4.1.2 Basics of LOPA ... 100
4.1.3 Objectives of LOPA procedure ... 101
4.1.4 Why is LOPA used for SIL determination? ... 102
4.1.5 SIL calculation with LOPA method ... 103
4.1.6 LOPA method in practice ... 105

4.2 CRITICAL EVALUATION OF THE SIMPLE LOPA METHOD ... 106
4.2.1 Critical evaluation and comparison of LOPA methods ... 107

4.3 DEVELOPMENT OF A NEW METHOD OF LOPA CALCULATION: CUMULATIVE LOPA ... 108
4.3.1 Cumulative LOPA calculation process ... 108
4.3.2 Cumulative LOPA calculation algorithm ... 110

4.4 IMPLEMENTATION OF CUMULATIVE LOPA METHOD SOFTWARE: TOOL4S ... 113
4.5 SUMMARY AND CONCLUSION ... 115

5 SIS DESIGN MANAGEMENT: PRACTICAL INTERPRETATION OF THE PROCESS SAFETY STANDARDS ... 117

5.1 OVERVIEW OF SIS DESIGN ... 117
5.1.1 Objectives of SIS Design ... 117
5.1.2 Requirement of SIS Design ... 117

5.2 INTEGRATION AND SEPARATION OF BPCS AND SIS ... 117
5.2.1 Why is separation requested? ... 118
5.2.2 Separation of information between SIS and BPCS ... 119
5.2.3 Separation of functions between SIS and BPCS ... 119

5.3 COMMON CAUSE FAILURES ... 120
5.3.1 Common cause within SIS ... 120
5.3.2 Common cause between SIS and BPCS ... 122
5.3.3 Common cause between IPLs ... 122

5.4 SYSTEM BEHAVIOUR ON DETECTION OF FAULT ... 123
5.4.1 Hardware Fault Tolerance and its realisation ... 124
5.4.2 Hardware fault tolerance ... 124
5.4.3 Minimum hardware fault tolerance of PE logic solvers ... 125
5.4.4 Minimum hardware fault tolerance of sensors and final elements ... 126
5.4.5 Exception for hardware fault tolerance in case of sensors and final elements ... 127
5.4.6 Minimum hardware fault tolerance according to IEC 61508 ... 128
5.4.7 Prior in use ... 128
5.4.8 Role of diagnostics ... 129
5.4.9 Requirements for selection of components and subsystems ... 130

5.5 SIS DESIGN VERIFICATION ... 130
5.5.1 Pre-validation ... 130

5.6 SUMMARY AND CONCLUSION ... 130

6 SIS MAINTENANCE MANAGEMENT: PROOF TEST MANAGEMENT ... 132

6.1 OVERVIEW OF PROOF TESTING ACCORDING TO THE STANDARD ... 132
6.2 OVERVIEW AND CRITICAL ANALYSIS OF RECENT PRACTICE ... 135

6.2.1 SIF and failure rates ... 135
6.2.2 Critical analysis of proof test model according to IEC 61511 ... 136


6.2.3 Critical analysis of recent practice ... 138
6.2.4 Proof test scheduling ... 139
6.2.5 Proof test interval and proof test strategy ... 140

6.3 PROOF TEST COVERAGE FACTOR ... 141
6.3.1 Imperfect proof testing ... 141
6.3.2 Coverage factor approach ... 142
6.3.3 Problems with coverage factor approach ... 143

6.4 NEW MODEL OF UNDETECTED DANGEROUS FAILURES ... 144
6.4.1 Degraded failure model concept ... 145
6.4.2 Markov model of the new development ... 146

6.5 SIMULATION RESULTS OF THE NEW MODEL ... 147
6.6 SUMMARY AND CONCLUSION ... 149

7 THESIS ... 150

1 INTRODUCTION AND AIM OF THE WORK ... 150
2 NEW SCIENTIFIC RESULTS ... 151
3 RESULTS IN PRACTICE ... 153
4 FURTHER RESEARCH POSSIBILITIES ... 154


Table of Figures

FIGURE 1 RISK REDUCTION CONCEPT ... 24
FIGURE 2 SEVESO II RISK TABLE ... 28
FIGURE 3 DYNAMICS OF PROCESS BEHAVIOURS ... 32
FIGURE 4 HISTORY OF PROCESS SAFETY STANDARD ... 35
FIGURE 5 SURVEY ABOUT 34 CASE STUDY OF INDUSTRIAL DISEASE ... 34
FIGURE 6 IEC 61509 LIFE CYCLE STRUCTURE ... 38
FIGURE 7 IEC 61511 LIFE CYCLE STRUCTURE ... 39
FIGURE 8 APPLICATION DIFFERENCES BETWEEN IEC 61508 AND IEC 61511 ... 42
FIGURE 9 COMPARISON OF BPCS AND SIS STRUCTURE ... 45
FIGURE 10 TREE STRUCTURE OF FAILURES ... 134
FIGURE 11 EXAMPLE OF FAULT TREE ANALYSIS ... 68
FIGURE 12 EVENT TREE ANALYSIS EXAMPLE ... 69
FIGURE 13 ONION-PEEL-MODEL OF LOPA ... 70
FIGURE 14 RELIABILITY BLOCK DIAGRAM, 2OO3, 1OO2 VOTING EXAMPLE ... 71
FIGURE 15 LINKAGE OF N COMPONENTS INTO A SERIAL STRUCTURE ... 71
FIGURE 16 LINKAGE OF N COMPONENTS INTO A PARALLEL STRUCTURE ... 72
FIGURE 17 IPL AS PARALLEL SYSTEM ... 74
FIGURE 18 MARKOV MODEL, SINGLE NONREPAIRABLE COMPONENT ... 76
FIGURE 19 MARKOV MODEL, SINGLE REPAIRABLE COMPONENT ... 76
FIGURE 20 MARKOV MODEL, 2*2 MATRIX ... 76
FIGURE 21 EXAMPLE OF A NATURAL GAS BURNER ... 94
FIGURE 22 EXAMPLE OF THE FUNCTIONALITY OF THE FURNACE TEMPLATE ... 94
FIGURE 23 EXAMPLE OF GAS BURNER'S HAZARD SCENARIOS ... 95
FIGURE 24 EXAMPLE OF MAIN GAS BURNER PRESSURE HIGH HAZARD SCENARIO ... 95
FIGURE 25 EXAMPLE OF MAIN GAS BURNER PRESSURE LOW HAZARD SCENARIO IN EDITABLE MODE ... 96
FIGURE 26 EXAMPLE OF MAIN GAS BURNER PRESSURE LOW HAZARD SCENARIO, SIF SRS ... 97
FIGURE 27 STRUCTURE OF A LOPA DIAGRAM ... 100
FIGURE 28 TYPICAL LOPA STRUCTURE ... 102
FIGURE 29 METHOD OF SIL CALCULATION ... 104
FIGURE 30 CUMULATIVE LOPA CALCULATION PROCEDURE ... 112
FIGURE 31 EDIT PFD VALUE OF SAFEGUARDS IN TOOL4S SOFTWARE ... 114
FIGURE 32 DEFINITION OF NON-MITIGATED FREQUENCY MATRIX OF CAUSES ... 114
FIGURE 33 DEFINITION OF TOLERABLE FREQUENCY MATRIX ... 114
FIGURE 34 EXAMPLE FOR RISK RANKING ... 115
FIGURE 35 EXAMPLE FOR THE RESULT OF A CUMULATIVE LOPA ... 115
FIGURE 36 SIS AND BPCS INDEPENDENCE ... 118
FIGURE 37 EXAMPLE OF POWER SUPPLY SEPARATION WITHIN SIS ... 121
FIGURE 38 EXAMPLE OF COMMON CAUSE OF IPLS ... 123
FIGURE 39 PROOF TEST MODEL INSPIRED BY IEC 61511 ... 137
FIGURE 41 PROOF TEST MODEL IN THE REALITY, BASED ON IEC 61511 ... 137
FIGURE 42 PFD – TIME FUNCTION WITH 100% COVERAGE FACTOR ACCORDING TO IEC 61511 ... 139
FIGURE 43 PFD TIME FUNCTION WITH NOT 100% COVERAGE FACTOR ACCORDING TO IEC 61511 ... 140
FIGURE 44 NEW MODEL OF PROOF TEST ... 138
FIGURE 45 CONCEPT OF PROOF TEST FROM IEC 61508N ... 141
FIGURE 46 PFD WITH PROOF TEST COVERAGE FACTOR ... 143


FIGURE 47 CLASSICAL DU FAILURE MODEL ... 145
FIGURE 48 NEW DU FAILURE MODEL ("DEGRADED FAILURE MODEL") ... 146
FIGURE 49 MARKOV MODEL OF THE "DEGRADED FAILURE MODEL" ... 147
FIGURE 50 NO DEGRADATION FAILURE ... 148
FIGURE 51 SUDDEN FAILURE ... 148
FIGURE 52 DEGRADATION FAILURE ... 149


Tables

TABLE 1 HOW IEC 61508 BUILDS UP ... 37
TABLE 2 SIL DEFINITION AND RISK REDUCTION FACTOR ... 40
TABLE 3 PROGRAM FOR RESEARCH QUESTION 1 ... 55
TABLE 4 PROGRAM FOR RESEARCH QUESTION 2 ... 55
TABLE 5 PROGRAM FOR RESEARCH QUESTION 3 ... 56
TABLE 6 PROGRAM FOR RESEARCH QUESTION 4 ... 57
TABLE 7 RISK MATRIX EXAMPLE ... 63
TABLE 8 DEFINITION OF CONSEQUENCE CATEGORY ... 64
TABLE 9 DEFINITION OF PROBABILITY CATEGORY ... 64
TABLE 10 TYPICAL RISK GRAPH METHOD ... 65
TABLE 11 DEFINITION OF RISK PARAMETERS: CONSEQUENCE ... 65
TABLE 12 DEFINITION OF RISK PARAMETER: FREQUENCY ... 66
TABLE 13 DEFINITION OF RISK PARAMETER: POSSIBILITY OF AVOIDING ... 66
TABLE 14 DEFINITION OF RISK PARAMETER: OCCURRENCE ... 66
TABLE 15 TRUTH TABLE FOR A I=3 ... 73
TABLE 16 2OO3 VOTING SYSTEM ... 74
TABLE 17 EVALUATION AND COMPARISON OF HAZARD AND RISK ANALYSIS METHODS ... 77
TABLE 18 TOLERABLE FREQUENCIES FOR PEOPLE'S HEALTH & SAFETY ... 82
TABLE 19 TOLERABLE FREQUENCIES FOR ECONOMIC AND BUSINESS CONSEQUENCES ... 82
TABLE 20 TOLERABLE FREQUENCIES FOR ENVIRONMENTAL CONSEQUENCES ... 82
TABLE 21 HFT FOR LOGIC SOLVER ... 125
TABLE 22 HFT FOR SENSOR, FINAL ELEMENTS SUBSYSTEMS ... 126
TABLE 23 VOTING AND HFT ... 127
TABLE 24 HARDWARE SAFETY INTEGRITY: ARCHITECTURAL CONSTRAINTS ON TYPE B SAFETY-RELATED SUBSYSTEMS ... 128
TABLE 25 EXAMPLE SIF (PRESSURE TRIP) ... 142
TABLE 26 INFLUENCE OF PTC ON PFDAVG FOR A GENERIC AIR ACTUATED BALL VALVE WITH 3-WAY SOV ... 143


Abbreviations

ALARP As Low As Reasonably Possible
AIB Automated Independent Backup
ANSI American National Standards Institute
APC Advanced Process Control
ARL Acceptable Risk Level
ATEX Atmosphere Explosive
BPCS Basic Process Control System (IEC 61511)
CAPEX Capital Expense
CC Common Cause
CCPS Centre of Chemical Process Safety (USA)
CE matrix Cause and Effect Matrix
CFR Code of Federal Regulation (USA)
C&E Cause and Effect
DCS Distributed Control System
DC Diagnostic Coverage
E/E/PE Electric/Electronic/Programmable Electronic
EMC Electro Magnetic Compatibility
EPA Environmental Protection Agency (USA)
EPC Engineering and Procurement Contractor
ERRF External Risk Reduction Facility
ESD Emergency Shut Down
ETA Event Tree Analysis
EUC Equipment Under Control
FAR Fatal Accident Rate
FAT Factory Acceptance Test
FEL Front End Loading
FMEA Failure Mode and Effect Analysis
FTA Fault Tree Analysis
FSQM Functional Safety Quality Manual
HAZOP Hazard and Operability
H&RA Hazard and Risk Analysis
HSE Health Safety and Environment
IEC International Electrotechnical Commission
IEV International Electrotechnical Vocabulary
IPF Instrumented Protective Function
IPL Independent Protection Layer
ISA Instrument Society of America and Control


ISO International Organization for Standardization
ISS Integrated Safety System
LOPA Layer of Protection Analysis
LS Logic Solver (Safety PLC)
LTI Lost Time Injuries
MIR Maturity Index on Reliability
MIS Management Information System
MOC Management Of Change
MOS Maintenance Override Switch
MSDS Material Safety Data Sheets
MTBF Mean Time Between Failure
MTTF Mean Time To Failure
MTTR Mean Time To Repair
OPEX Operation Expense
OSHA Occupational Safety and Health Administration (USA)
PDP Product Development Process
PHA Process Hazard Analysis
PLC Programmable Logic Controller
POS Process Override Switch
PRP Product Realization Process
PFD Probability of Failure on Demand
PFDavg Average Probability of Failure on Demand
PFSavg Average Probability of a Safely tripped process
P&ID Piping and Instrumentation Diagram
PSM Process Safety Management
PT Proof Test
PTM Proof Test Management
RBD Reliability Block Diagram
QMS Quality Management System
QTRM Qualitative Tolerable Risk Matrix
RMP Risk Management Plan
RR Risk Reduction
RRF Risk Reduction Factor
PST Partial Stroke Test
SAM Safety-Related Activity Management
SAT Site Acceptance Test
SF Safety Function
SIF Safety Instrumented Function
SFF Safe Failure Fraction


SHE Safety, Health and Environment
SIF Safety-Instrumented Function
SIL Safety Integrity Level
SIS Safety-Instrumented System
SLAM Safety Lifecycle Activity Management
SLC Safety Life Cycle
SLM Safety Lifecycle Management
SMS Safety Management System
SR Safety-Related
SRS Safety-Related System
SRS Safety Requirement Specification
STR Spurious Trip Rate
SWIFT Structured What If Technique
TI Off-line Proof Test Interval
TR Trip Rate
TSRS Other Technology Safety Related System


1 Safety and Risk: introduction into the Process Safety

In this Chapter 1 the history of safety and the development of the related Standards and Directives are overviewed, without claiming completeness, focusing only on those which are important for this Thesis and following the sub-clauses of the standards referred to.

The history of safety thinking goes back to the very beginning of the nineteenth century (1815), when Sir Humphry Davy developed the first firedamp lamp (in today's ATEX terms, an explosion-proof lamp). The Davy lamp is a safety lamp containing a candle. It was created for use in coal mines, allowing deep seams to be mined despite the presence of methane and other flammable gases.

Davy had discovered that a flame enclosed inside a mesh of certain fineness cannot ignite firedamp. The screen acts as a flame arrestor; air (and any firedamp present) can pass through the mesh freely enough to support combustion, but the holes are too fine to allow a flame to propagate through them and ignite any firedamp outside the mesh. The first trial of a Davy lamp with a wire sieve was at Hebburn Colliery on 9 January 1816.

The lamp also provided a crude test for the presence of explosive gases. If flammable gas mixtures were present, the flame of the Davy lamp burned higher with a blue tinge. Miners could also place a safety lamp close to the ground to detect gases, such as carbon dioxide, that are denser than air and therefore could collect in depressions in the mine; if the mine air was oxygen-poor (asphyxiate gas), the lamp flame would be extinguished (black damp or chokedamp).

This application contains some important principles which have become standards nowadays:

The first principle is the protection of human life and, beyond that, of the business (the mine itself may be destroyed).

The second principle, how to handle explosive gases, led to the ATEX directives and standards [ATX_100], [ATX_137]. Now it is part of the „good engineering practice” in areas where explosive gases are present in the technology.

The third principle, the detection of explosive and even toxic (oxygen-poor air) gas mixtures, is nowadays known as the Fire&Gas application.

The fourth principle is the prevention and mitigation philosophy as a basic principle of safety.

1.1 Why is Process Safety so important?

A Brussels Report stated in 2002: “According to European Statistics, in EU-15, because of an accident at work one worker becomes a victim every 5 seconds and one worker dies every two hours. In 2001, this means 7.6 million accidents at work, 4.9 million of these resulted in more than 3 days of absence from work and 4 900 fatalities. The cost of accidents at work and occupational diseases in EU 15 ranges for most countries from 2.6 to 3.8% of Gross National Product (GNP).

Additionally, in 2002 in the new EU member states almost 2.5 million accidents at work and 1 400 fatalities were recorded. Besides the accidents at work, major accidents result in extensive consequences for people, the environment and property. A major accident such as the Toulouse disaster on 21st September 2001 resulted in 1 500 million € of damages, 27 000 homes and 1 300 companies damaged. The explosion killed 30 people (21 on site with 10 employees and 11 sub-contractors, 9 off-site), 2 242 were injured (officially), and 5 000 persons have been treated for acute stress. This disaster has upset the public, traumatised an industrial city and led the politicians to close down the AZF plant (450 direct jobs) and the SNPE phosgene related activities (492 jobs, 600 sub-contracting jobs).”

Beyond the facts and statistics, many good reasons can be enumerated that justify the application of the various safeguarding measures in the process industry. These reasons can be divided as follows:

Protect people from harm.

Protect the environment.

Satisfy laws and regulations.

Reduce production losses and down time and cost due to damage of equipment.

Lower losses due to negative impact on ‘company image’.

Lower plant risk profile (Insurance premium cost).

Whether these aspects are relevant or not depends on the typical application, the environmental circumstances and the requirements of local legislation. It is the responsibility of the company (called the “Operator” in the Standards) to establish the need for dealing with these aspects.

1.2 Growing complexity of industrial processes

In the last decades, industrial processes are becoming more and more complex [Lee_96]. Expanding product and production requirements led to further optimization of the concerned processes. The continuously increasing competition, and application of Advance Process Control (APC) solutions to increase productivity of Plants, is forcing process installations to operate closer and closer to their limits.

High level instrumentation, which also makes process control more and more complex, is expected to control the technology and safeguard these processes. As a consequence of the growing complexity of the process installations, the control instrumentation, and safeguarding instrumentation, safety-related business processes have become even more difficult to manage [Kne_00], [Kne_98]. Furthermore, many individuals and organizations are involved in the design, implementation, and operation of process installations, including the end-user, the engineering contractor, the system integrator, and the equipment suppliers. For instance, let me consider an oil company that decides to build a new refinery at a certain location. Normally, an engineering contractor, who becomes responsible for the design and realization of the new installations, is hired. Dedicated system integration engineering companies are assigned to provide automated process control equipment.

Manufacturers, vendors and suppliers of instruments are all responsible for the design and development of those instruments, but they are also interested in making a profit, which is sometimes in conflict with the technical content of the supplied solution.

The only way to overcome this type of problem is to prepare a HAZOP study and SIL calculations at the earliest stage of the project, when all documentation is accessible for preparing the studies. Preparing the HAZOP study is the best method of avoiding both over-engineering and under-engineering.

Using the LOPA method [AIC_01], [AIC_2] for the SIL calculation, one has the possibility of reducing the cost of the complete “Integrated Safety System”, see Chapter 2.5.

1.3 History of the Directives and Safety Standards

General safety considerations are as old as Technology itself. The first technologies were mining, and later machines for mining. The first breakthrough was the development of the steam engine, where overpressure protection was the first recognition of a hazard in steam technology, after analysing the consequences of overpressure for people (who may be killed) and for the business (the machine breaks down).

This period was an accident-driven age of safety device (and even standards) development, in which “first accident, then action” was the basic rule. The more accidents happened, the more effort went into developing protective devices, methods and regulations, and the result was the forming and acceptance of the “good engineering practice” philosophy. This philosophy is more or less valid today as well, but globalisation will not help to provide higher safety at work without worldwide Process Safety Standards, since the safety culture differs between the countries of the world.

The safety questions can be divided into three segments, which were not developed in parallel:

Mechanical engineering, like overpressure protection, chemical resistance, corrosion, etc.

Safety problems connected to electrical engineering, like electrocution, overvoltage protection, lightning protection, surge protection and EMC.

Process engineering, like explosive and toxic technologies and batch technologies.

In this progress the first step was taken by the mechanical engineers, developing safer machines and equipment, using safer materials and developing mechanical safety devices, as well as laying down the basis for standardisation in the field of mechanical engineering, like pressurised vessels and equipment, material standards, etc.

In the field of electrical engineering this progress started later, when electricity became part of our everyday life. The first step was the protection of human life against electric shock (electrocution); standardisation started first for the application of electricity in non-explosive surroundings and later in explosive technologies. Nowadays the result is positive, as ATEX 100 [ATX_100], ATEX 137 [ATX_137] and EN 1127 1 – 7 [EN_1127] have become good engineering practice for electrical engineers and end users alike. These standards are based on laboratory research involving a lot of measurement, proving that anybody following these standards will be protected against explosion problems when using electric and electronic equipment in an explosive atmosphere. The approach of these standards is deterministic.

In the field of the Process Industry there was no similar improvement in the area of safety as in mechanical and electrical engineering. In the seventies of the last century some very serious accidents happened in Europe and worldwide, like the Dow Chemical plant in Bhopal, India, or Seveso, Italy, which focused attention on the negative consequences for human life and the environment in case of an accident. The result of the first action in Europe was the SEVESO I Directive in 1987, and the SEVESO II Directive was accepted by 12 European countries in the late seventies of the last century [SEV_II]. The main goal of this Directive was the protection of the public in case of a similar accident happening in a plant that has explosive and toxic materials in its technology, storing, processing and transporting them.

In the US, the Government controls the process industry if the industry itself is unable to control its activity. The first result of this action was the issuing of the ISA-TR84 process safety Standard, which was followed by the Application Guides in 2001 – 2003 [ISA_TR84].

Meanwhile in Europe, based on the German Standards, the IEC 61508 1 – 7 [IEC_508] standards were published in 1998. This generic (industrial segment independent) standard was followed by the IEC 61511 1-3 [IEC_511] Process Industry Safety standards in 2003. This latest standard is valid in the Chemical, Petrochemical, Oil and Gas and Pharmaceutical Industry. These two standards were accepted in Europe and, joining to European Community, in Hungary also.

In Europe the Directives are mandatory while the Standards are only recommended, but there are three exceptions:

Any Government can make a standard mandatory (Sweden, Norway).

A standard may be involved in the contract between two parties.

A standard may be dedicated as “Good Engineering Practice”, as in the USA.

In the USA, IEC 61511 was introduced as ANSI/ISA 84.00.01 2004 Part 1 – Part 3 (IEC 61511 Part 1 – Mod) [ISA_84] and was dedicated as “Good Engineering Practice”. In the USA there was an attachment called the “Grandfather Law”.

In the field of Factory Automation one shall take into consideration the IEC 61508 and IEC 62061 [IEC_61] (machine specific standard) also.

1.4 Functional Safety

Functional Safety is the most often used expression in my thesis, which is why it is so important to define what it means in practice [BÖR_08].

With the introduction of electronic programmable system in the safety relevant applications, “Functional Safety” has become a central concept. The term “Functional safety” appears in the titles of the international standards IEC 61508 [IEC_508] and IEC 61511 [IEC_511], published a number of years ago.

In general, “Functional Safety” means that a component or a system performs its safety-relevant task correctly and in accordance with the risk to be managed. The system either performs this function or, if internal faults or failures occur, assumes a pre-defined safe state.

To fulfil this requirement, an understanding of safety engineering and a comprehensive knowledge of the existing standards are required. This begins with examining a safety systems life cycle, performing hazard and risk analysis (HAZOP study: Chapter 3), specifying the safety-related components and systems (LOPA study: Chapter 4), developing and implementing the system (SIS design: Chapter 5), and the process ends with system’s operation and maintenance (SIS maintenance, Proof test Chapter 6).

1.5 Correlation between Risk, Acceptable Risk, Residual Risk and Risk Reduction

Figure 1 shows how the risk is decreased to an acceptable level. That is the basic principle of risk reduction for a given hazard, independently of the type of risk involved. The figure shows in a plausible manner the influence of specific safety measures on risk reduction.

The existing risk must be reduced at least to the acceptable risk, which is not always purely objective but rather strongly dependent on and influenced by subjective opinions.

Figure 1 makes it obvious that the risk is reduced not only through SIS (Safety Instrumented System) safety measures, but also through different measures like relief valves and other non-instrumented measures involving engineering, training, etc. These non-SIS safety measures influence the risk parameters and consequently lead to a decrease of the SIL value of the SIFs. The safety of a system can therefore be reached in different but equivalent ways. The measures taken can mutually supplement or replace each other.

The requirement arises from a given safety goal and the partial risk that should be covered by the SIS safety equipment. This partial risk is described quantitatively through these parameters (see more about SIL calculation in Chapter 4.1.4). With their help the SIL values can be calculated. An exact gradual allocation of measures to the different requirements is however not possible, mainly because the possible measures are very diverse.
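As an added worked example (not code from the thesis), the allocation logic of Figure 1 in Python: the initiating-event frequency is first reduced by the non-SIS layers, the remaining gap to the tolerable frequency is the necessary risk reduction the SIS must provide, and that gap fixes the required PFDavg and SIL of the SIF. The scenario frequencies and layer PFDavg values are constructed; the 10^-5 per year target follows the QTRM cornerstone figure the text cites, and the SIL bands are the IEC 61508/61511 low-demand bands.

```python
"""Risk-reduction allocation in the sense of Figure 1 (added example).

All scenario numbers below are constructed for illustration and are not taken
from the thesis.  The SIL bands are the IEC 61508 / IEC 61511 low-demand-mode
PFDavg bands; the 1e-5 per year target is the cornerstone fatality rate the
text cites for the company QTRM.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Low-demand SIL bands: SIL -> (PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


@dataclass
class ProtectionLayer:
    """A non-SIS independent protection layer (relief valve, BPCS alarm, ...)."""
    name: str
    pfd_avg: float  # average probability that the layer fails on demand


@dataclass
class Scenario:
    name: str
    initiating_frequency: float  # demands per year before any protection
    tolerable_frequency: float   # acceptable consequence frequency per year
    non_sis_layers: List[ProtectionLayer] = field(default_factory=list)


def frequency_without_sis(s: Scenario) -> float:
    """'Process risk without SIS' in Figure 1: the demand rate left after the
    non-SIS layers are credited (each layer fails independently on demand)."""
    f = s.initiating_frequency
    for layer in s.non_sis_layers:
        f *= layer.pfd_avg
    return f


def necessary_risk_reduction(s: Scenario) -> float:
    """Risk reduction factor the SIS must still provide; 1.0 when the residual
    risk is already within the acceptable range and no SIF is required."""
    return max(frequency_without_sis(s) / s.tolerable_frequency, 1.0)


def sil_for_pfd(pfd_avg: float) -> Optional[int]:
    """Map a required PFDavg to a SIL.  0 means no SIL-rated SIF is needed
    (RRF below 10); None means the target is below the SIL 4 band and cannot be
    allocated to a single SIF."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= pfd_avg < upper:
            return sil
    return None


def allocate_sif(s: Scenario) -> dict:
    """Necessary risk reduction, required PFDavg and resulting SIL for the SIF."""
    rrf = necessary_risk_reduction(s)
    pfd_required = 1.0 / rrf
    return {
        "scenario": s.name,
        "frequency_without_sis": frequency_without_sis(s),
        "necessary_rrf": rrf,
        "required_pfd_avg": pfd_required,
        "sil": sil_for_pfd(pfd_required),
    }


# Constructed scenario: a pressure excursion that places a demand 0.2 times a year.
BARE_SCENARIO = Scenario("pressure excursion, SIS only", 0.2, 1e-5)
LAYERED_SCENARIO = Scenario(
    "pressure excursion, relief valve and BPCS alarm credited", 0.2, 1e-5,
    [ProtectionLayer("BPCS high-pressure alarm with operator response", 0.1),
     ProtectionLayer("pressure relief valve", 0.01)],
)

if __name__ == "__main__":
    # The same hazard needs a SIL 4 SIF on its own, but only SIL 1 once the
    # non-SIS measures are credited, which is the point Figure 1 makes.
    for sc in (BARE_SCENARIO, LAYERED_SCENARIO):
        r = allocate_sif(sc)
        print(f"{r['scenario']}: RRF needed {r['necessary_rrf']:.0f}, "
              f"PFDavg <= {r['required_pfd_avg']:.1e}, SIL {r['sil']}")
```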


Figure 1 Risk reduction concept

1.6 SEVESO Directives

1.6.1 Introduction

Consequence of increasing industrialization is the significant increase of accidents involving dangerous substances (toxic and explosive as well). There was some initiative accident in Europe.

The so called Seveso Directive [SEV_II] is concerned with the prevention concept and the overall assessment of certain industrial activities with view of plant safety and environmental protection as a first harmonisation step on European level in 1982.

Following this Directive, Member States shall introduce the necessary measures to ensure that the competent authorities will get all information regarding to the plant, the substances and operational conditions involved. The Seveso Directive applies to both new and already existing industrial activities. It has been amended several times (last amended by Directive 96/82/EC).

1.6.2 Seveso disaster

The “Seveso” accident happened in 1976, on a Sunday afternoon in Seveso, Italy, where dioxin and other dangerous substances were released through a broken valve into the air, in a total amount of 200 tons, including 1 ton of dioxin, with the following consequences:

disease similar to sunburn within 5 days

80 000 domestic animals were killed

More than 600 people had to be evacuated

2 000 people were treated for dioxin poisoning

[Figure 1 labels: Residual risk; Process risk without preventive measures; Unacceptable range, Tolerable range, Acceptable range; Low Risk to High Risk; Process risk without SIS; Process risk with SIS; Necessary Risk reduction; Total Risk reduction]

A 20 acre forest was planted in the place of the plant

1.6.3 Seveso directives history

1982: 82/501/EEC Seveso Directive was adopted and accepted by all member of EU.

1984, Bhopal, India, Union Carbide: a leak of methyl isocyanate caused more than 2 500 deaths.

1986, Basel, Switzerland, Sandoz: water contaminated with mercury, organophosphate pesticides caused death of half a million fish in the Rhine.

1987: SEVESO directive was amended by directive 87/216/EEC and in 1988 SEVESO directive was amended by directive 88/610/EEC.

1996: 96/82/EC, the Seveso II Directive, was adopted and has fully replaced its predecessor. Member States had up to 2 years to bring into force the national laws, regulations and administrative provisions to comply with the Directive. From 3 February 1999 adherence to the Directive has been mandatory for the Member States.

Important changes:

Extension of the scope

Introduction of new requirements related to safety management systems (applied according to IEC 61508 [IEC_508] and IEC 61511 [IEC_511] for the process industry)

Emergency planning

Land-use planning

Reinforcement of the provisions on inspections


1.6.4 Objectives of Seveso directives

The aim is two-fold:

Prevention of major-accident hazards involving dangerous substances and limitation of the consequences of the accidents that occur:

For human being safety and health aspect

From environmental aspect

Both aims can ensure high levels of protection throughout the Community in a consistent and effective manner.

Scope of SEVESO II [SEV_II] directive is presence of dangerous substances in establishments and it covers:

Industrial activities


Storage of dangerous chemicals and

Transporting dangerous materials

1.6.5 Requirements of Seveso Directive

A company which holds less dangerous substance than the threshold levels given in the Directive is not covered by this legislation, but will be controlled by the general provisions on:

Health

Environment

Business

Lower tier: companies which hold a larger quantity of dangerous substances, above the lower threshold, will be covered by the lower tier requirements.

Upper tier establishments: companies which hold an even larger quantity of dangerous substances, above the upper threshold, will be covered by all the requirements of the Directive.

The Directive contains general and specific obligations on both Operators (Company Owners) and Member States’ authorities. Provisions fall into two main categories:

Prevention of major accidents.

If it may happen then limitation of consequences of major accidents (mitigation).

Operators coming under the scope of the Directive need to send a notification to the competent authority and to establish a Major-Accident Prevention Policy; in the case of upper tier establishments they also need to establish:

Safety Report

Safety Management System According to IEC 61508 [IEC_508] and IEC 61511 [IEC_511].

Emergency Plan.

We have to consider the development of new managerial and organizational methods when introducing the Functional Safety Management System, as over the past 10 years significant changes have occurred in industrial practice relating to risk management (see IEC 61508 [IEC_508] and IEC 61511 [IEC_511] in the Process Industry). According to statistics since 1982, management factors have proven to be a significant causative factor in over 90 % of the accidents in the EU. The main objective is to prevent or reduce accidents caused by management factors.

1.6.6 Improvement of SEVESO Directives

Three industrial accidents happened which generated the extension of the SEVESO II Directive by Directive 2003/105/EC on 16/12/2003, with a deadline of 1 July 2005 [SEV_II]. These accidents were:

Enschede Firework exploded,

Toulouse, France, fertilizer explosion, 2001: ammonium nitrate explosion,

Baia Mare (Nagybánya), Romania, spread of a cyanide spill, 2002: made the Tisza river dead for a period of time

The most important aim of the extension is to cover risks arising from:

Storage and processing activities in mining (Baia Mare, Nagybánya, cyanide contamination, Tisza and Danube)

Pyrotechnic and explosive substances (Enschede, explosion in a firework manufacturing plant)

Ammonium nitrate and ammonium nitrate-based fertilizers (Toulouse, fertilizer explosion).

The latest version of the SEVESO Directive is DIRECTIVE 2003/105/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 16 December 2003 [SEV_II], and the Hungarian version is the “18/2006. (I. 26.) Korm. rendelet a veszélyes anyagokkal kapcsolatos súlyos balesetek elleni védekezésről” (Government Decree 18/2006 (I. 26.) on protection against major accidents involving dangerous substances) [SEV_HUSEV_II].

The SEVESO II Directives are basic Process Safety Standards with the aim of protecting the public from industrial disasters. An important statement of the SEVESO II Directive:

“(15) Whereas analysis of the major accidents reported in the Community indicates that the majority of them are the result of managerial and/or organisational shortcomings; whereas it is therefore necessary to lay down at Community level basic principles for management systems, which must be suitable for preventing and controlling major-accident hazards and limiting the consequences thereof;”

This statement of the SEVESO II Directive leads to the application of the IEC 61508 [IEC_508] general and IEC 61511 [IEC_511] Process Safety Standards, in which the specific obligations of the operator shall be to build up and maintain Functional Safety over the whole life cycle of the Plant referred to, including the safety/protection systems. The cornerstone figure of the Company QTRM for human risk is seen in Figure 2 (10^-5 fatality rate per year).


Figure 2 SEVESO II Risk table

1.7 ATEX Directives

The abbreviation ATEX means Atmosphere Explosive, and the ATEX Directives deal with and cover installations of electric and electronic equipment in explosive atmospheres. The ATEX Directives (ATEX 100 [ATX_100], ATEX 137 [ATX_137]) are mandatory in Europe.

1.7.1 Introduction

Explosive atmospheres can be caused by flammable gases, mists or vapours or by combustible dusts. If there is enough of the substance, mixed with air, then all it needs is a source of ignition to cause a gas or dust explosion.

Explosions can cause loss of life and serious injuries as well as significant damage. There are two widely used ways of reducing the risk:

Preventing releases of dangerous substances, which can create explosive atmospheres.

Preventing sources of ignition being present. Using the correct equipment can help greatly in this.

An explosive atmosphere is defined as a mixture of dangerous substances with air, under atmospheric conditions, in the form of gases, vapors, mist or dust in which, after ignition has occurred, combustion spreads to the entire unburned mixture.

[Figure 2 labels: F/N risk table; horizontal axis Fatality (N) from 1 to 10 000; vertical axis RISK LEVEL F (/year) from 10^-9 to 10^-2; regions I. Not acceptable range, II. Reduction necessary, III. Acceptable range]

Many workplaces may contain, or have activities that produce, explosive or potentially explosive atmospheres. Examples include places where work activities create or release flammable gases or vapors, such as vehicle paint spraying, or workplaces handling fine organic dusts such as grain flour or wood.

The ATEX Directives deal with equipment operated by electricity and installed and commissioned in explosive areas.

1.7.2 ATEX Directives

ATEX is the name commonly given to the framework for controlling explosive atmospheres and the standards of equipment and protective systems used in this area. It is based on the requirements of two European Directives.

“1) Directive 99/92/EC (also known as ‘ATEX 137’ or the 'ATEX Workplace Directive’) on minimum requirements for improving the health and safety protection of workers potentially at risk from explosive atmospheres.”

The text of this Directive and the supporting EU guidelines are available on the EU-website.

“2) Directive 94/9/EC (also known as ‘ATEX 95’ or ‘the ATEX Equipment Directive’) on the approximation of the laws of Members States concerning equipment and protective systems intended for use in potentially explosive atmospheres.”

The text of this Directive and EU supporting guidelines are available on the EU website.

1.7.3 ATEX 100

Regarding to the explosion risk such a specific Directive 94/9/EC [ATX_100] has been adopted by the European Parliament and the Council concerning equipment and protective systems intended for use in potentially explosive atmospheres. This Directive is well known as 'ATEX 100 a - Directive' [ATX_100]. The ATEX 100 a - Directive applies to all equipment capable of causing an explosion through their own potential sources of ignition. 'Equipment' means machines, apparatus, fixed or mobile devices, control components and instrumentation thereof and detection or prevention systems, separately or jointly.

ATEX 100a covers not only the equipment itself but also “systems”. From this point of view it applies even to safety devices, controlling devices and regulating devices intended for use outside potentially explosive atmospheres but required for, or contributing to, the safe functioning of equipment and protective systems with respect to the risks of explosion.

1.7.4 ATEX 137

Gases, vapours, mists and dusts can all form explosive atmospheres with air. Hazardous area classification is used to identify places where, because of the potential for an explosive atmosphere, special precautions over sources of ignition are needed to prevent fires and explosions [ATX_137].

Hazardous area classification should be carried out as an integral part of the risk assessment to identify the places (or areas) where controls over ignition sources are needed (hazardous places) and also those places where they are not needed (non-hazardous places). Hazardous places are further classified into Zones, which distinguish between places that have a high chance of an explosive atmosphere occurring and those places where an explosive atmosphere may only occur occasionally or in abnormal circumstances. The definitions of the Zones also recognise that the chance of a fire or explosion depends on the likelihood of an explosive atmosphere occurring at the same time as an ignition source becomes active.

Identifying hazardous and non-hazardous areas is part of the risk assessment and should be carried out in a systematic way. The risk assessment should be used to determine whether hazardous areas exist and then to assign zones to those areas. The assessment should consider such matters as:

the hazardous properties of the dangerous substances involved;

the amount of dangerous substances involved;

the work processes, and their interactions, including any cleaning, repair or maintenance activities that will be carried out;

the temperatures and pressures at which the dangerous substances will be handled;

the containment system and controls provided to prevent liquids, gases, vapours or dusts escaping into the general atmosphere of the workplace;

any explosive atmosphere formed within an enclosed plant or storage vessel; and,

any measures provided to ensure that any explosive atmosphere does not persist for an extended time, e.g. ventilation.

Taken together these factors are the starting point for hazardous area classification, and should allow for the identification of any zoned areas. The following paragraphs give further information on what to consider during an assessment.

The properties of a dangerous substance that need to be known include the boiling point and flash point of any flammable liquid, and whether the flammable gas or vapour that may be evolved is lighter or heavier than air.

For dusts, information on particle size and density will be needed, once it has been shown that a particular dust can form an explosive atmosphere. Often, relevant information is contained on a safety data sheet provided with the product.

Some potential sources of release may be so small that there is no need to specify a hazardous area. This will be the case if the consequence of an ignition following a release is unlikely to cause danger to people in the vicinity.

However, in the wrong circumstances ignition of quite small quantities of flammable gas/vapour mixed with air can cause danger to anyone in the immediate vicinity. Where this is the case, as in a relatively confined location, from which rapid escape would be difficult, area classification may be needed even where quite small quantities of dangerous substance are present.

The size of any potential explosive atmosphere is, in part, related to the amount of dangerous substances present. Industry specific codes have been published by a variety of organizations to provide guidance on the quantities of various dangerous substances that could be stored.


Hazardous places are classified in terms of zones on the basis of the frequency and duration of the occurrence of an explosive atmosphere. This is a probabilistic rather than a deterministic approach, and it marks a new direction in how the new standards are built up.

1.7.5 ATEX and Functional Safety

The statements of the ATEX Directives are based on research and laboratory tests using acceptable safety margins; that is why the ATEX Directives are now part of “Good Engineering Practice” in the EU and provide a given level of Functional Safety. The ATEX Directives belong to the very first step of the hazard and risk analysis, answering questions like: is this technology explosive or not? If the answer is “YES”, the designer shall follow the instructions of the ATEX Directives and design an “explosion-safe” control system from the electrical point of view. In other words, the electrical and electronic equipment installed in the explosive atmosphere will not be an ignition source in case of loss of explosive containment (taking into consideration all possible release sources).

Application of the ATEX Directives constitutes an independent protection layer (IPL) for explosive plants and shall be taken into consideration as a minimum Functional Safety requirement, but no credit is given to this protection layer, since it is regarded as part of the basic process control system.

When an “ATEX” component, such as an isolator for a transmitter installed in an explosive atmosphere, is part of a safety instrumented function loop (SIF), the SIL calculation [EXI_1] shall take into consideration the dangerous undetected failure rate of the isolator [IEC_508], [IEC_511], [BÖR_06], [BÖR_08], since it is part of the Safety Instrumented Function (SIF) loop. That is why the use of a SIL certified isolator is highly recommended.

Not following these Directives means a “built-in hazard” in the process, and avoiding this is mandatory. In other words, an explosive plant has to be “explosion-safe” before start-up, following good engineering practice (the ATEX Directives).

1.8 Process safety standards

In this chapter we give an overview of the process safety standards: their history, objectives and requirements.

1.8.1 Process Safety in General

In the chemical, oil and petrochemical, pharmaceutical and even in the food industry, the dominant part of both the raw materials and the products are explosive and/or toxic materials.

Figure 3 shows schematically how a process behaves. In this figure we summarised the typical process behaviour; it shows the tasks involved in making a process safer and what risk means: deviation from the design parameters.

From this figure one can see what one should do to make the process safer. Every process without any protection layer is inherently unsafe because of any of the following:

Lack of Hazard and Risk analysis

Poor design

Poor installation and commissioning

Poor maintenance and operation

Components failures

Device failures

Human/operators failures

Etc.

Figure 3 Dynamics of process behaviour

Figure 3 shows that a process going out of control (for example because of failures of the BPCS) may reach a dangerous condition leading to an explosion.

That is why one has to control the process during the overall lifetime of the plant using protection layers such as:

Engineering

Basic Process Control System.

Alarm system.

Emergency Shut Down system (Safety Instrumented System).

Active protection layers like relief valves.

Passive protection layers like dike.

Etc.

[Figure 3 labels, figure not reproduced: axes Time and Process Variable; marked levels Pre-alarm setting (pre-alarm trip point), Trip setting (trip point), Process Safety Time, Consequences realised.]

Any of these layers is in general functionally safe if the given layer performs its safety-relevant task correctly (for example a relief valve opens at the preset 64 bar) and in accordance with the risk to be managed (i.e. the process is at risk of explosion above 64 bar). If the protection layer works correctly (functional safety) it drives the process into a safe state; in our case it depressurises the process and routes the overpressure to the flare.

To fulfil this requirement, an understanding of safety engineering and a comprehensive knowledge of the existing standards are required.

1.8.2 Introduction

The history of the process safety standards started in the seventies of the last century, when the first need for applying electronic equipment in safety systems (ESD = Emergency Shut Down System) arose [TÜV_73], [DIN_00], [DIN_81], [DIN_BAS], [DIN_54], [VDE_16]. This demand speeded up the development of application-oriented standards. An overview of the development of the safety standards is shown in Figure 5.

The basic entity of the Process Safety Standards is the Safety Related System (SIS – Safety Instrumented System) [IEC_511], [ISA_2004], which has been used for years to carry out safety-related functions in the process industry. The safety system should drive the supervised process into a safe state in case of demand. The required safety functions protecting the equipment depend on many application-specific factors and form part of the overall safety which protects the equipment under control (BPCS). Safety, which is to be ensured by a safety function, can be achieved by a multiplicity of protective systems based on the most different technologies, like mechanics, pneumatics or programmable electronics. These safety functions serve functional safety and reduce the risk of a functional loss with possibly serious consequences. Which safety function is used, and where, is determined by a Process Hazards Analysis (PHA).

The term “safety system” is also replaced in different standards by the designation “safety critical” or “safety-related system”. The general understanding of a “safety, safety critical or safety-related system” is a system consisting of one or more safety functions which, if they fail, can lead to dangerous consequences. Therefore it is necessary to develop safety critical systems to a certain minimum standard level, so that the demands on functional safety are fulfilled and can be reviewed.

The standards describe numerous methods for performing safety analysis and for guaranteeing that the safety systems fulfil the requirements of the appropriate standards during the overall life cycle.

Figure 5 shows the development of the Process Safety Standards from the first demand for applying microprocessors in safety systems to the present day.

The development of the Process Safety Standards focuses on (without claim to completeness):

Operability of plants;

Maintainability of the plant;

Electric, Electronic and Programmable Electronic equipment (referred to in the standards as E/E/PES);

New approach of safety (life cycle philosophy, functional safety, integrated safety);

Statistical approach (Hazard and Risk analysis, ALARP, LOPA, probability, availability);

Component design (both HW and SOFTWARE);

System design (SIF, SIS, SIL);

Activities connecting to safety (design, installation, commissioning, validation, maintenance, management of change).

1.8.3 Life Cycle philosophy

In the late eighties of the last century a survey was published about 34 serious industrial accidents, and the result is shown in Figure 4.

Both IEC 61508 [IEC_508] and IEC 61511 [IEC_511] are based on the life cycle philosophy.

Figure 4 Survey of 34 case studies of industrial accidents (share of accidents by the life cycle phase in which the root cause was introduced)

Specification: 44.1 %

Design and Realization: 14.7 %

Installation and Commissioning: 5.9 %

Operation and Maintenance: 14.7 %

Modification after installation (MOC): 20.6 %

[Figure 5 History of process safety standards, figure not reproduced; the labels recoverable from the page are listed here. Columns: Standard Name, Content, Validation. Application specific: IEC 61511, Process Industry; IEC 61513, Nuclear Industry; IEC 62061, Machinery Industry; Programmable Logic Controller: IEC 61131-2: Hardware Properties, IEC 61131-3: Software Properties. Basic Safety Standard: IEC 61508, SIL 1…4, Safety Lifecycle, Quantitative Considerations; IEC 61508 independent from application. DIN 3100 – General Requirement, AK 1…8; DIN V VDE 081, Microprocessors in Safety Application; DIN V 19250, Basic Safety Evaluation for Measurement & Control; DIN V 19250, Requirements & Measures, Qualitative Consideration, withdrawn. Application oriented (example): VDE 0116 Electrical Equipment for Burner Application; DIN EN 954 Safety for Machinery; PrEN 50156; IEC 62016; PrEN ISO 13849. Available book: V Book, Microcomputer in Safety Application, Safety Class is 1…5 level. Year axis: 1982, 1989, 1990, 2002, 2004.]

This survey investigated and evaluated the root causes of the industrial accidents, and its conclusion was to split these causes into five categories:

Specification phase

Design and realisation phase

Installation and commissioning phase

Operation and maintenance phase

Modification after installation

This statistic highlights the following:

It is important to maintain functional safety through the whole lifetime of the system;

The causes of two thirds of the accidents were built into the system before start-up.

This statistic also emphasises the importance of the preliminary work, like the hazard and risk analysis and the specification of the Safety Instrumented System (SRS), and the completeness of the work procedures regarding the activities involved in how the system is built up (SIS design, SIS installation and commissioning).

1.8.4 Management of Functional Safety

The conclusion of the survey (Figure 4), together with the SEVESO Directive’s [SEV_II] statement about the mandatory operation of a Safety Management System within the given Company and the detailed instructions in the Process Safety Standards about how Functional Safety Management is to be operated, made it possible to build up an integrated functional safety system covering all aspects of safety (human, environment and business) within the given Company.

The Management of Functional Safety is of course a more complex issue, but from our point of view it is less important, supposing that every Company has its own system. Our thesis gives any Company the possibility to build in Application Guides as part of the Management of Functional Safety.

1.8.5 IEC 61508 Standard

The IEC 61508 [IEC_508] standard is a general one, sometimes called the umbrella or basic safety standard, covering all industrial segments except the nuclear industry; it was published in 1998. The IEC 61508 standard consists of 7 volumes (parts), see Table 1.

Figure 6 shows the basic philosophy of IEC 61508, distinguishing 16 different life cycle phases of a Safety Instrumented System.

IEC 61508 (and IEC 61511 also) considers the safety-relevant function, i.e., it always covers an entire function chain, from sensors through the logic solver to the actuator. The represented function chain must completely fulfil the requirements of the respective safety integrity level according to the definition of IEC 61508. Thus the fieldbus systems are to be included in the picture as well.


The definition of the safety integrity level, described in Chapter 1.8.7, determines the range and effectiveness of the safety-relevant measures which must be realized in the Safety Instrumented Systems.

Table 1 How IEC 61508 builds up

IEC 61508-1 General Requirements 1998

IEC 61508-2 E/E/PES HW Requirements 2000

IEC 61508-3 E/E/PES Software Requirements 1998

IEC 61508-4 Definitions 1998

IEC 61508-5 Examples of methods for determination of SIL 1998

IEC 61508-6 Guidelines on the application of Parts 2 and 3 2000

IEC 61508-7 Overview of techniques and measures 2000

1.8.6 IEC 61511 Standard

The IEC 61511 [IEC_511] standard is a Process Industry specific safety standard, published in 2004. This standard is also accepted in the US (ANSI/ISA—84.00.01—2004 Part 1 - 3 (IEC 61511-1 - 3 Mod)) [ISA_84] and is dedicated to “good engineering practice”.

The title of this standard is: “Functional safety: Safety Instrumented System for process industry sector”.

Figure 7 shows the basic philosophy of IEC 61511, defining 8 different life cycle phases and three general ones covering all 8 phases. This international standard applies to safety-related systems in the process industry.

Applying IEC 61511 to the process industry requires the execution of the hazard and risk analysis described in the first phase of this standard. From this analysis a specification for the safety-relevant system can be provided. This standard fits within the framework of IEC 61508 as applicable to the process industry. The terms “safety life cycle” and “safety integrity level” (SIL), defined in IEC 61508, form the basis for the application of this international standard.

The safety-related system consists of those components and subsystems, starting from the sensors through the Logic Solver up to the actuators, which are necessary for the execution of the specified safety-related functions. That is the end-to-end approach, taking into consideration the process side of the sensors and the process side of the actuators via the safety logic solver.

[Figure 6 IEC 61508 life cycle structure, figure not reproduced; the labels recoverable from the page are listed here. Phases: #1 Concept; #2 Overall scope definition; #3 Hazard and Risk; #4 Overall Safety; #5 Safety Requirements; Overall planning of…; #6 Operation; #7 Safety validation; #8 Installation; #9 E/E/PES (SIS); #10 Other technological safety related system; #11 External Risk Reduction Facility; #12 Installation, commissioning; #13 Safety Validation; #14 Operation and maintenance; #15 Modification and retrofit; #16 Decommissioning and disposal; Back to proper SLC. Groupings and responsibilities: Analysis (Owner/licensor/co…); Realization (Owner/Supplier); Operation (Supplier/owner); Not involved in this standard.]

[Figure 7 IEC 61511 life cycle structure, figure not reproduced; the labels recoverable from the page are listed here. Phases: #1 Hazard & risk; #2 Allocation of safety function to protection; #3 Safety requirements specification (SRS) for; #4 Design and engineering of SIS, Design and development of NON SIS; #5 Installation, commissioning and; #6 Operation &; #7 Modification; #8 Decommissioning; #9 Verification; #10 Management of functional safety and functional safety assessment and auditing; #11 Safety life-cycle structure and planning. Groupings: Analysis; Realization; Operation; End; Vendor/Contractor; No detailed requirements; Whole life cycle.]


The IEC 61511 (Figure 7) divides the activities of a Safety System into eight life cycle phases:

Process hazard and risk analysis

Allocation of safety functions to protection layers

SIS safety requirements specification

SIS design and engineering

SIS installation and commissioning, validation

SIS operation and maintenance

SIS modification

SIS decommissioning

In addition to these activities this standard lays down general activities covering the complete life cycle, like:

Verification

Management of functional safety and functional safety assessment and auditing

Safety life-cycle structure and planning

The message of this standard is that companies shall operate a Functional Safety Management System, incorporating all activities, to maintain and verify all actions which may influence the level of safety, together with the persons, departments and organisations carrying responsibility for these activities. They also have to maintain a management of change (MoC) system that follows up both the modifications in the plants and the modifications in the safety standards and their legislation.

1.8.7 Safety Integrity Level (SIL)

Table 2 shows the definition of the SIL according to IEC 61508 and IEC 61511.

Table 2 SIL definition and Risk Reduction factor

SIL | Low Demand Mode Operation: PFD | Continuous/High Demand Mode Operation: PFH (h-1) | Risk Reduction
4   | >=10^-5 – <10^-4               | >=10^-9 – <10^-8                                 | 10.000 – 100.000
3   | >=10^-4 – <10^-3               | >=10^-8 – <10^-7                                 | 1.000 – 10.000
2   | >=10^-3 – <10^-2               | >=10^-7 – <10^-6                                 | 100 – 1.000
1   | >=10^-2 – <10^-1               | >=10^-6 – <10^-5                                 | 10 – 100


The only difference between IEC 61508 and IEC 61511 is that IEC 61511 uses continuous mode instead of high demand mode. The role of the modes will be important for us when discussing the role of faults, failures and the “Proof Test” in the last Chapter.

The SIL value of a safety-related system gives information about the “strength” of the system, i.e., its ability to reduce the risk. Table 2 shows the relation between the SIL value and the risk reduction factor (RRF).

I would like to emphasise the importance of safety-related systems, since the SIS is the only scalable protection system for reducing the risk involved in the hazards. All the other systems have a fixed, experience-based risk reduction factor, like relief valves, bursting disks, dikes etc. The range of the risk reduction factor of a safety instrumented system (SIS) is from 10 up to 100.000, covering five decades of scaling possibility. This feature of safety-related systems is very important and useful, as after the hazard and risk analysis the designer is able to choose the most economic safety-related system reaching the safety target at a reasonable cost level.
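As an added worked example (not code from the dissertation), the following Python script carries the SIL calculation of Section 1.7.5 through against the low demand bands of Table 2: it sums the PFD contributions of a sensor, a logic solver, a final element and an optional isolator, maps the loop PFD to a SIL and an RRF, and shows how a non-certified isolator with a high dangerous undetected failure rate pushes an otherwise SIL 2 loop down to SIL 1. The simplified 1oo1 relation PFD_avg = λDU·TI/2, the one-year proof test interval and every failure rate are assumptions and constructed sample values, not figures from the page or from any vendor.

```python
"""SIF loop PFD_avg, SIL band and RRF (added example, not from the dissertation).

Assumptions not stated on this page:
  * every element is a single channel (1oo1) whose dangerous undetected failures
    are only revealed by the periodic proof test, so its average PFD is
    approximated by the simplified relation PFD_avg = lambda_DU * TI / 2;
  * the loop PFD_avg is the sum of the element PFD_avg values;
  * all failure rates below are constructed sample values, not vendor data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Low demand SIL bands from Table 2: (SIL, PFD_avg lower bound incl., upper bound excl.)
SIL_BANDS_LOW_DEMAND = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)

TI_ONE_YEAR_H = 8760.0  # assumed proof test interval of one year, in hours


@dataclass(frozen=True)
class Element:
    """One element of the sensor - logic solver - final element chain."""
    name: str
    lambda_du: float            # dangerous undetected failure rate, per hour
    proof_test_interval: float  # TI, in hours

    def pfd_avg(self) -> float:
        # simplified 1oo1 formula (assumption, see module docstring)
        return self.lambda_du * self.proof_test_interval / 2.0


def loop_pfd_avg(elements: Iterable[Element]) -> float:
    """PFD_avg of the whole SIF: the chain fails dangerously if any element does."""
    return sum(e.pfd_avg() for e in elements)


def sil_for_pfd(pfd: float) -> Optional[int]:
    """Map a low demand PFD_avg onto the SIL bands of Table 2.

    Returns 0 when PFD_avg >= 0.1 (no SIL can be claimed) and None when it is
    below the SIL 4 band, which the table does not cover.
    """
    for sil, lower, upper in SIL_BANDS_LOW_DEMAND:
        if lower <= pfd < upper:
            return sil
    return 0 if pfd >= 1e-1 else None


def risk_reduction_factor(pfd: float) -> float:
    """RRF is the reciprocal of PFD_avg, as in the Risk Reduction column of Table 2."""
    return 1.0 / pfd


def assess(elements: Iterable[Element]) -> dict:
    """Return PFD_avg, SIL and RRF of the loop plus each element's share of the PFD."""
    elements = list(elements)
    pfd = loop_pfd_avg(elements)
    return {
        "pfd_avg": pfd,
        "sil": sil_for_pfd(pfd),
        "rrf": risk_reduction_factor(pfd),
        "share": {e.name: e.pfd_avg() / pfd for e in elements},
    }


# Constructed sample loop: pressure transmitter, logic solver and shutdown valve.
SENSOR = Element("pressure transmitter", 2.0e-7, TI_ONE_YEAR_H)
LOGIC_SOLVER = Element("safety logic solver", 1.0e-8, TI_ONE_YEAR_H)
VALVE = Element("shutdown valve", 5.0e-7, TI_ONE_YEAR_H)
BASE_LOOP = (SENSOR, LOGIC_SOLVER, VALVE)

# Two candidate isolators for the transmitter (constructed values): a generic
# non-certified barrier and a SIL certified one with a much lower lambda_DU.
GENERIC_ISOLATOR = Element("generic isolator", 2.0e-6, TI_ONE_YEAR_H)
CERTIFIED_ISOLATOR = Element("SIL certified isolator", 5.0e-8, TI_ONE_YEAR_H)


if __name__ == "__main__":
    for label, loop in (
        ("loop without isolator", BASE_LOOP),
        ("loop + generic isolator", BASE_LOOP + (GENERIC_ISOLATOR,)),
        ("loop + SIL certified isolator", BASE_LOOP + (CERTIFIED_ISOLATOR,)),
    ):
        result = assess(loop)
        print(f"{label}: PFD_avg={result['pfd_avg']:.3e}  SIL {result['sil']}  "
              f"RRF={result['rrf']:.0f}")
        for name, share in result["share"].items():
            print(f"    {name:24s} {share:5.1%} of the loop PFD")
```

With the sample values the base loop sits in the SIL 2 band, the generic isolator alone contributes about three quarters of the loop PFD and drops it to SIL 1, while the certified isolator keeps the loop at SIL 2.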

1.8.8 Application of IEC 61508 and IEC 61511

Figure 8 shows the difference between the two standards.

From the application point of view we distinguish developers, manufacturers, system integrators and end-users. In the following paragraphs we analyse the objectives and requirements for these groups taking into consideration the statements of these standards.

1.9 Objectives of the Process Safety Standards

The general objectives of the IEC 61508 and IEC 61511 standards are to develop, manufacture, design, integrate and build safety-related systems (SIS) with a calculated SIL value, to reach the target SIL and Risk Reduction value, and to maintain the functional safety of the system and its target safety value over the whole life cycle.

1.9.1 Objectives for manufacturers

All manufacturers manufacturing components for Process Safety Applications shall comply with IEC 61508-2 in the case of hardware and IEC 61508-3 in the case of software.

IEC 61508-2, titled “Requirements for electrical, electronic, programmable electronic safety-related systems”, is applicable to each safety-related system/subsystem and their units which contain at least one electrical, electronic or programmable electronic unit. This part specifies how the safety requirements and their allocation to the safety-related E/E/PES system are defined and converted into functional requirements.

IEC 61508-3, titled “Software requirements”, applies to the development of the software which is also part of the safety-related system. The development of the software is thereby divided into defined sections. Each section of the software safety life cycle must be divided into elementary activities, for which the ranges of application, inputs and outputs have to be specified.


Figure 8 Application differences between IEC 61508 and IEC 61511

1.9.2 Objectives for System integrators

The System Integrators must follow the relevant descriptions of IEC 61508 and IEC 61511 to be compliant with these standards. This activity shall involve both the software and hardware solutions applicable to the given project, covering both basic and detailed engineering.

1.9.3 Objectives for end-users

According to the SEVESO II Directive the end-user (in the terms of the standard: OPERATOR) shall prepare a Functional Safety Management System covering the 8 life cycle phases of IEC 61511, taking into consideration the tasks and responsibilities of the persons and departments concerned within the organisation.

1.9.4 Objectives of Authority and Standardisation Body

The objectives of the Authorities (both National and European) are laid down in the Directives rather than in the standards. Their roles in the Directives are more administrative than preventive and are limited to the evaluation of accidents, drawing conclusions on how to prevent similar events.

The standards talk about the competence and independence of the people dealing with process safety but not about the role of the Authorities.

The objective of the Standardisation Bodies is to investigate the highest level of good engineering practice.

[Figure 8 Application differences between IEC 61508 and IEC 61511, figure not reproduced; the labels recoverable from the page are listed here. Hardware: developing new hardware devices; using proven-in-use hardware devices; using hardware developed and assessed to IEC 61508. Software: developing embedded (system) software; developing application software using full variability languages; developing application software using limited variability languages. Process sector safety instrumented system.]


1.9.5 Requirement of the Process Safety Standards

The general requirements of the IEC 61508 and IEC 61511 standards are connected to the life cycle phases concerned, giving requirements for developers, system integrators and end-users but not for the Authority and Standardisation Body (except deadlines for issuing the new versions of the standards).

In general, there shall be written guidelines within the company dealing with all activities of all life cycle phases of the Safety Instrumented System, including the responsibilities of persons and Departments, a Safety Plan for the separate projects, and the competence and independence of the people who conduct verification and validation of the SIS.

1.9.6 Requirement for manufacturers

According to the standards both hardware and software have to be approved by a third party, an independent organisation like TÜV, EXIDA or Risknowlogy. Without certificates, the use of components in safety-related systems is highly not recommended. These certificates are also the basis for the validation of the safety-related system.

The Certificates and the reports referred to in the Certificates shall be accessible to the system integrator, the end-users and the third party validation organisations. Another rule for the manufacturer is to prepare a Safety Instruction Manual describing the maintenance activity of the components and the suggested proof test interval and procedures.

1.9.7 Requirement for System integrators

The system integrators, preparing the basic and detailed engineering, application SOFTWARE etc., shall follow the description of the Safety Plan handed over by the main Contractor. Preparing the Safety Plan is the end-user’s responsibility.

The system integrator shall have TÜV certified safety engineers dealing with the SIS HW, application SOFTWARE and detailed engineering.

1.9.8 Requirement for end-users

The end-user shall prepare the Functional Safety Quality Manual covering all activities in the different life cycle phases of the SIS, including the responsibilities of persons and departments and the competence required for the different activities.

The end-user shall prepare Guidelines for the activities in the different life cycle phases in order to reach and maintain the functional safety of the SIS over all life cycle phases.

The end-user shall prepare a Safety Plan for every individual project, and require the SIS suppliers to follow the procedures, including the Safety Plans, proving the Functional Safety in the given life cycle phase.

1.9.9 Requirement for Authority

The Authority shall follow the instructions of Directives covering the given projects.

No requirements are given for the Authorities in the Standards.

1.10 Application of the Process Safety Standards

The first reaction of people is always the following statement of the Standards:

3) The documents produced have the form of recommendations for international use and are published in the form of standards, technical reports or guides and they are accepted by the National Committees in that sense.

There are three exceptions, in which these standards are mandatory:

the Government makes them mandatory;

their use is mandatory according to a bilateral contract;

they are designated as “good Engineering Practice”.

1.10.1 Application of the Process Safety Standards for manufacturers

The manufacturers shall follow IEC 61508 Part 2 for the hardware and IEC 61508 Part 3 for the software. This is mandatory for both hardware and software manufacturers, as the TÜV Certification process for the given components is executed according to these standards.

1.10.2 Application of the Process Safety Standards for system integrators

System integrators shall follow the instructions of the IEC 61511 standard, taking into consideration the contracting Company’s safety policy, including the target safety matrices and other in-house standards for safety instrumented systems.

1.10.3 Application of the Process Safety Standards for end-users

The end-user shall follow the instructions of the IEC 61511 standard and the SEVESO II Directives when building up their company-specific Functional Safety Quality Management System, including the QTRM. This FSQM and QTRM description is mandatory for everybody offering and delivering safety instrumented systems to the given Company.

1.11 General phenomena in the Standards

The new standards, the generic IEC 61508 and the process-specific IEC 61511, fundamentally changed the philosophy of process safety. In the next chapters I define and analyse the new approaches introduced by these standards.

1.11.1 Functional Safety

Functional safety means that our SIS works correctly and is able to reduce the risk to the target level throughout its safety life cycle.

That is why the SIS shall be validated and proof tested within the period given in the Safety Requirement Specification. The proof test is performed periodically after the installation and commissioning of the SIS. Details of the proof test can be found in Chapter 6.

1.11.2 SIF and SIS

The definition of a SIF (Safety Instrumented Function) is similar to that of a control loop in the BPCS (Basic Process Control System), as shown in Figure 9:


Figure 9 Comparison of BPCS and SIS structure

A SIS consists of SIFs (Safety Instrumented Functions), and one SIF is composed of:

Sensors (sampling valve, tubing, cabling, isolators etc.)

Safety Logic Solver (CPU, IO card, communication etc.)

Actuators (cabling, magnetic valves etc.)

1.11.3 Verification and validation

Both standards (IEC 61508 and IEC 61511) deal with verification and validation, but in different ways. Here we focus on the objectives and requirements of the IEC 61511 standard regarding verification and validation.

First we analyse what the difference between verification and validation is. According to IEC 61511 (Part 1, Clause 7, 12.3, 12.7; Clauses 13 and 15) and Section 1.4.6 respectively:

“Verification is an activity of demonstrating for each phase of the relevant safety life cycle by analysis and/or tests, that, for specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase”

The verification activities shall include:

Reviews of outputs (documents from all phases of the safety life cycle) to ensure compliance with the objectives and requirements of the phase, taking into account the specific inputs to that phase;

Design reviews;

Tests performed on the designed products to ensure that they perform according to their specification;

[Figure 9 (labels only): BPCS (DCS) with sensors S1 … Sn and actuators A1 … An; SIS PLC with sensors S1 … Sk and actuators A1 … Ak]


Integration tests performed where different parts of a system are put together in a step-by-step manner and by the performance of environmental tests to ensure that all the parts work together in the specified manner.”

Verification planning shall define all activities required for the appropriate phase of the safety life cycle. It shall conform to the IEC 61511 standard by providing the following:

the verification activities;

the procedures, measures and techniques to be used for verification including implementation and resolution of resulting recommendations;

when these activities will take place;

the persons, departments and organizations responsible for these activities, including levels of independence, taking into consideration the competence of the people involved in these activities;

identification of items to be verified;

identification of the information against which the verification is carried out;

how to handle non-conformances;

tools and supporting analysis;

verification documentation.

Verification is a demanding, well-planned and documented procedure of reviewing, inspecting, testing, etc., to establish and document that the SIS meets the regulatory, standards and specification requirements in all safety life cycle phases of the SIS. Verification is usually an internal (within the company) process, ensuring that "one built the product as intended and maintained it as intended." Verification deals with all stages of the project being built, checking them against the original, planned intention.

According to IEC 61511, validation is performed as the last activity, when the Safety system is installed and commissioned, to confirm the Functional Safety and that the targeted Safety level and risk reduction are reached. This activity is performed by the supplier under the control of the end-user and is sometimes called the Site Acceptance Test. The more detailed the validation process is written down as a procedure to be followed, including the responsibilities of the supplier and the end-user, the better the result achieved.

Validation ensures "you built the right product" from the end-user perspective.

According to the Management of Change phase of IEC 61511, whenever a modification may jeopardise the safety of the plant, the validation procedure shall be repeated for the modified SIS after the modification is installed and commissioned.

1.11.4 Summary and evaluation

In Chapter 1 I showed the difficulties of Safety Science, taking into consideration, without claiming completeness, the measures which may influence the result of hazard and risk analysis.


I followed the structure of the standard but amended it with my own interpretation, based on my practice and research in this field. This interpretation was put into practice in our work when I:

built up safety instrumented systems;

held training in the field of process safety;

prepared HAZOP templates for fired furnaces and burners;

prepared hazard and risk analyses;

prepared SIL calculations.

These works gave me feedback on the correctness of my interpretation of the standards, namely: the interpretation of SIS design and engineering (see Chapter 5); hazard and risk method research and development (the HAZOP template as a cost-effective method, see Chapter 3); cumulative LOPA as the only correct interpretation of the LOPA procedure in SIL calculation (see Chapter 4); and a new probability model for the sensors and actuators (see Chapter 6.4).


2 Research objective, scope and methodology

Based on the recently observed types of problems with regard to safety in the process industries, described in the previous chapter, new enhancements of the management and control of the safety-related business processes are highly needed in all life cycle phases according to IEC 61511 [IEC_511].

The objective of this thesis is to focus on particular aspects of the safety lifecycle model of the standard [IEC_511], namely Hazard and Risk analysis (Phase 1), Allocation (Phase 2), Safety Requirement Documentation (Phase 3), SIS Design (Phase 4) and the Proof Test aspect of Operation and Maintenance (Phase 5), these being highly critical elements and activities of managing a SIS. The question that arises is how these can contribute to better control of safety-related business processes. With regard to this, the problem to be studied will be further specified and, subsequently, the research questions, objective and scope will be defined. Furthermore, this chapter will describe and discuss the characteristics and justification of the research methodology used in this thesis. Finally, an overview of the research program and its main steps will be given.

2.1 Research specification and scope

It is currently observed that there is a growing need in the process industry to gain insight into the significant aspects and parameters of applying the given parts of the safety lifecycle model (in our case the first, second, third, fourth and fifth lifecycle phases), and to enable the process industry to operate in a more reliable and safer manner, taking into consideration the cost aspects of building and maintaining a safety instrumented system (ALARP philosophy) and involving the non-electrical independent protection layers as well. It is generally expected that in the near future the process industry will switch to an approach where certification of the safeguarding instrumentation alone (the Safety PLC) is not enough to ensure safety; rather, the complete safety life cycle should be under control, giving a more integrated view of process safety, which will lead to more detailed, controlled and validated activity and certification of the entire life cycle of the technical process installation, plant and organization.

It appears that companies are currently struggling with a number of problems related to the implementation and operation of Safety Instrumented Systems (SIS). Often-heard questions and statements in the process industry are:

Which Hazard and Risk analysis method is the best?

We have only two weeks, and not more, to prepare the HAZOP study (time and cost pressure).

How shall we prepare HAZOP study faster?

Is it possible and how to automate HAZOP study?

Why do we use LOPA instead of a simple Risk matrix?

Why do we need a Company Quantitative Tolerable Risk Matrix (QTRM)?

The Standards are not mandatory!

Why is independence so important?


We want to use common transmitters and valves for the BPCS and the SIS!

Why do we need to make proof tests?

Why do we need SIL-certified SIS components?

These currently observed questions and problems in the process industry have led to the definition of the four research problems detailed in the following paragraphs as the topics of my thesis.

2.1.1 Research question one: Hazard and Risk analysis practice and how to improve its cost effectiveness, HAZOP template principle

According to the IEC 61511 [IEC_511] standard, the first safety life cycle phase is Hazard and Risk analysis. Without it, it is impossible to build up a correct Safety Instrumented System (SIS).

Analysing the problems of the recent practice of hazard and risk analysis, such as Risk matrices and the Risk Graph, I stated that, because of the lack of company target risk matrices and the influence of subjective (human) evaluation of the hazards, this practice does not satisfy the requirements of plant management and Owners. Based on our experience in preparing some 100 HAZOP meetings, LOPA studies and SIL calculations, and on some 30 interviews with Operators, Technologists and plant Managers, I compiled statistics and stated that:

In one third of the cases the Safety Instrumented System was over-engineered, causing extra costs for the factories because of the extra components built in;

In one third of the cases the Safety Instrumented System was under-engineered, giving poor protection against the consequences of the hazards stated in the hazard and risk analysis and resulting in potential extra losses during operation of the plant when a hazard is realised;

In only one third of the cases was the Safety Instrumented System engineered correctly.

I investigated the reasons for over-engineering and under-engineering, and my conclusions were:

It is asked whether and how these lifecycle phases can be used to improve safety-related business processes;

Lack of Company Target Risk matrices (QTRM);

Lack of technical information (P&ID, PFD etc.) needed for preparing HAZOP study;

Poor (incomplete) level of Hazard and Risk analysis (time and cost pressure on the participants);

Lack of automated HAZOP/LOPA/SIL calculation software to make the studies practical and comprehensive.

I investigated these questions and answered them by developing the Tool4S (Tool for Safety) software, which offers the template-based HAZOP study method, the cumulative LOPA method and target SIL and Risk Reduction Factor calculation (see the research questions in the following points).


2.1.2 Research question two: IPL allocation, using the cumulative LOPA method

In both IEC 61508 [IEC_508] and IEC 61511 [IEC_511], LOPA is mentioned as one of the methods which gives the possibility of calculating the required SIL value and Risk Reduction Factor of a SIF.

LOPA [AIC_01], [AIC_2] is a semi-quantitative risk analysis technique that is applied following a qualitative hazard identification tool such as HAZOP.

The problems of applying LOPA are the following:

It is called semi-quantitative;

The minimum requirement for using LOPA is having a Quantitative Tolerable Risk Matrix (QTRM), which sometimes does not exist at all in the given Company;

Only the “per scenario” method is simple, but it is not correct;

The “more scenario” solution is only possible manually in the EXIDA software [EXI_1];

There are differences between the “more scenario” and “cumulative scenario” methods;

Only the “cumulative LOPA” method takes into consideration in depth the influence of causes and consequences on each other;

No software exists that supports the automatic “cumulative LOPA” method.

I investigated these questions and answered them by developing the Tool4S (Tool for Safety) software, which offers automatic calculation by the cumulative LOPA method [AIC_01], [AIC_2], described in Chapter 4.
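The following Python sketch is an added worked example of the generic LOPA arithmetic referred to above (initiating event frequency, the PFD of each independent protection layer, the tolerable frequency from the QTRM, and the resulting required PFD, RRF and SIL of the SIF). It is not Tool4S code and does not implement the author's cumulative LOPA of Chapter 4; the function `required_sif_shared` only shows the common treatment of several scenarios that end in the same consequence and are protected by one SIF (their mitigated frequencies are summed), which illustrates how the simple "per scenario" sizing can fall one SIL short. The SIL bands are the IEC 61508 low-demand bands; the scenario numbers are constructed.

```python
"""Per-scenario LOPA arithmetic (added worked example, not Tool4S code).

    f_mitigated          = f_initiating_event * prod(PFD of non-SIF IPLs) * prod(conditional modifiers)
    PFD_required(SIF)    = f_tolerable / f_mitigated          (only if f_mitigated > f_tolerable)
    RRF                  = 1 / PFD_required,  SIL from the IEC 61508 low-demand bands

`required_sif_shared` sums the mitigated frequencies of scenarios sharing one
consequence before sizing; the thesis's "cumulative LOPA" is NOT implemented here.
"""
from dataclasses import dataclass, field

# IEC 61508-1 low-demand bands: (SIL, PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass
class Scenario:
    name: str
    initiating_event_freq: float                   # demands per year
    tolerable_freq: float                          # per year, read from the company QTRM
    ipl_pfds: list = field(default_factory=list)   # non-SIF IPLs: relief valve, operator response, ...
    modifiers: list = field(default_factory=list)  # conditional modifiers: P(ignition), occupancy, ...


def mitigated_frequency(sc: Scenario) -> float:
    """Frequency of the consequence with every non-SIF layer credited."""
    f = sc.initiating_event_freq
    for p in sc.ipl_pfds + sc.modifiers:
        f *= p
    return f


def sil_for_pfd(pfd_req: float):
    """SIL for a required PFDavg: 0 if less than SIL 1 is needed, None if SIL 4 is not enough."""
    if pfd_req >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_req < hi:
            return sil
    return None


def size_sif(f_mitigated: float, tolerable: float):
    """Return (required PFDavg, RRF, SIL); (1.0, 1.0, 0) means no SIF is needed."""
    if f_mitigated <= tolerable:
        return (1.0, 1.0, 0)
    pfd_req = tolerable / f_mitigated
    return (pfd_req, 1.0 / pfd_req, sil_for_pfd(pfd_req))


def required_sif(sc: Scenario):
    """Per-scenario sizing: one scenario, one SIF."""
    return size_sif(mitigated_frequency(sc), sc.tolerable_freq)


def required_sif_shared(scenarios):
    """Several scenarios with the same consequence protected by one SIF:
    the SIF sees the sum of their mitigated frequencies (common tolerable frequency assumed)."""
    tolerable = scenarios[0].tolerable_freq
    return size_sif(sum(mitigated_frequency(s) for s in scenarios), tolerable)


# Constructed sample scenarios (illustrative numbers, not from any real plant):
# two initiating events leading to the same tank overfill, each with one operator-response IPL.
HIGH_LEVEL = Scenario("level controller failure -> overfill", 0.2, 3e-5, ipl_pfds=[0.1])
BLOCKED_OUTLET = Scenario("outlet valve stuck closed -> overfill", 0.2, 3e-5, ipl_pfds=[0.1])

if __name__ == "__main__":
    for sc in (HIGH_LEVEL, BLOCKED_OUTLET):
        pfd, rrf, sil = required_sif(sc)
        print(f"{sc.name}: PFD_req={pfd:.2e} RRF={rrf:.0f} SIL {sil}")
    pfd, rrf, sil = required_sif_shared([HIGH_LEVEL, BLOCKED_OUTLET])
    print(f"shared consequence: PFD_req={pfd:.2e} RRF={rrf:.0f} SIL {sil}")
```

Run stand-alone, each scenario on its own asks for a SIL 2 SIF, while the two scenarios together demand SIL 3 from the single high-level trip that protects against both; a per-scenario study would have certified a SIF one level too weak for the consequence it actually guards.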

2.1.3 Research question third: interpreting the “good engineering practice” of SIS Design

The design of Safety Instrumented Systems nowadays shows a very strange picture because of the lack of correct interpretation of the standards and guidelines, and because there are no rules and regulations about the style and content of documentation, nor about the education and competence (certification) of the designers and of those performing validation and verification. The statistics show a very close correlation with the number of accidents caused by incorrect design, which is higher than 30%.

That is why I investigated and analysed these questions in depth, covering all aspects of SIS design: I evaluated the existing methods, evaluated them from the point of view of potential “built-in” accidents, and developed methods and solutions for avoiding these problems, such as:

Integration of BPCS and SIS;

Wiring and tubing

Common cause failures;

Redundancy;

Critical alarm systems;

Power supply;


Documentation;

Management of Change.

2.1.4 Research question four: Cost effective Proof Test Management

According to the Process Safety Standards, Functional Safety has to be maintained. This means that the Safety System has to work at the same safety level throughout its total life cycle and always has to reach its risk reduction target. One key issue of this strategy is the calculation of the Proof Test interval.

I developed a Proof Test model [BGS_09] optimising the cost of the Proof Tests while maintaining the Risk Reduction ability of the SIS. This model supports the maintenance cost saving strategy of the Plant Management and answers the following questions:

Analysis of the model inspired by IEC 61511 [IEC_511];

What is the content of the proof test;

How often the Proof test is performed and how to split the total lifetime of the components;

Markov model of the proof test;

Optimisation of the Proof Test cost.
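As an added illustration of the proof test interval question (this is not the Markov model of [BGS_09] or Chapter 6), the following Python sketch uses the IEC 61508 single-channel low-demand relation between the dangerous undetected failure rate λ_DU, the proof test interval TI and PFDavg, and picks the longest interval from a list of candidates that still meets the PFDavg budget handed down by the SIL calculation. The imperfect-coverage term (a fraction of the dangerous undetected failures is never revealed by the proof test and accumulates over the mission time) is the usual extension found in functional safety practice and is an assumption of this example; the failure rate, target, mission time, candidate intervals and constant cost per test are all constructed values.

```python
"""Proof test interval vs. PFDavg (added worked example; not the author's Markov model).

IEC 61508 single-channel (1oo1), low-demand relations:
    PFDavg(TI) = 1 - (1 - exp(-λ_DU·TI)) / (λ_DU·TI)  ≈  λ_DU·TI / 2   for λ_DU·TI << 1
Assumed extension for imperfect proof test coverage PTC over mission time T_m:
    PFDavg ≈ PTC·PFDavg(TI) + (1 - PTC)·λ_DU·T_m / 2
so the untested fraction is only cleared by a full test or replacement, never by a shorter TI.
"""
import math

HOURS_PER_YEAR = 8760
MONTH = HOURS_PER_YEAR / 12  # 730 h


def pfd_avg(lambda_du, ti_hours, coverage=1.0, mission_hours=None):
    """Average PFD of one channel that is proof tested every ti_hours."""
    x = lambda_du * ti_hours
    tested = 1.0 - (1.0 - math.exp(-x)) / x if x > 0 else 0.0
    if coverage >= 1.0 or mission_hours is None:
        return tested
    untested = (1.0 - coverage) * lambda_du * mission_hours / 2.0
    return coverage * tested + untested


def max_interval_linear(lambda_du, pfd_target):
    """Upper bound on TI (hours) from PFDavg ≈ λ_DU·TI/2 with perfect coverage."""
    return 2.0 * pfd_target / lambda_du


def choose_longest_interval(lambda_du, pfd_target, candidates, coverage=1.0, mission_hours=None):
    """Longest candidate interval whose PFDavg still meets the target, or None if no candidate does.
    With a constant cost per test the longest feasible TI is also the cheapest schedule."""
    feasible = [ti for ti in candidates
                if pfd_avg(lambda_du, ti, coverage, mission_hours) <= pfd_target]
    return max(feasible) if feasible else None


def proof_test_cost(ti_hours, mission_hours, cost_per_test):
    """Total proof test cost over the mission for a fixed interval (constant cost per test assumed)."""
    return math.ceil(mission_hours / ti_hours) * cost_per_test


# Constructed values: λ_DU = 2e-6 /h, a SIL 2 budget of PFDavg <= 5e-3 from the SIL calculation,
# a 20-year mission and quarterly to two-yearly test intervals.
LAMBDA_DU = 2e-6
PFD_TARGET = 5e-3
MISSION = 20 * HOURS_PER_YEAR
CANDIDATES = [3 * MONTH, 6 * MONTH, 12 * MONTH, 24 * MONTH]

if __name__ == "__main__":
    print(f"linear bound on TI: {max_interval_linear(LAMBDA_DU, PFD_TARGET):.0f} h")
    ti = choose_longest_interval(LAMBDA_DU, PFD_TARGET, CANDIDATES)
    print(f"perfect test: longest feasible TI = {ti / MONTH:.0f} months, "
          f"cost over mission = {proof_test_cost(ti, MISSION, 1000)} (1000 per test)")
    ti90 = choose_longest_interval(LAMBDA_DU, PFD_TARGET, CANDIDATES, coverage=0.9, mission_hours=MISSION)
    print(f"90% coverage, 20-year mission: longest feasible TI = {ti90}")
```

With a perfect proof test the six-month interval is the longest of the candidates that keeps PFDavg inside the SIL 2 budget (twelve months already exceeds it), which fixes the number of tests and hence the test cost over the mission. With 90 % coverage and a 20-year mission the untested term alone is about 1.75e-2, above the whole budget, so no interval qualifies and the function returns None: the schedule cannot be fixed by testing more often, only by a more complete test or a shorter component lifetime, which is the "how to split the total lifetime" question above.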

2.2 Research scope

The research was particularly focused on the application practice of IEC 61511 [IEC_511], the Process Safety Standard, discussing the first, second, third, fourth and fifth life cycle phases (the last with regard to proof test strategy only). The following aspects further explain why I focused on safety instrumented systems and define the research scope.

2.2.1 Control of Safety

The use of lifecycle models is not necessarily restricted to the safe control of human life (fatality rates). For instance, other standards concerning the control of quality or the environment have also adopted lifecycle models, such as the ISO 9000 series for quality control and the ISO 14000 series concerning environmental pollution, not to mention the SEVESO II Directives for human safety, which I integrated into the corporate QTRM.

2.2.2 Hazard and Risk analysis

The Hazard and Risk analysis of the process is the very first and a very important part of improving Process Safety. In our case I deal with the operational hazards of a running plant, including the start-up, shut-down and hazardous states of operation. That is why, in my view, Hazard and Risk analysis means preparing a HAZOP Study based on the HAZOP Standard [IEC_882], with the cost and time sensitivity of preparing such a HAZOP study in the foreground. In my thesis I describe a method and give an example of cost-effective HAZOP preparation.

2.2.3 Cumulative LOPA

In the thesis I investigated the possibility of improving the level of hazard and risk analysis and of the design of Safety Instrumented Systems by developing a multi-layer hazard evaluation system based on LOPA (Layer of Protection Analysis) [AIC_01], [AIC_2], which makes the work more objective and makes the evaluation of the consequences of the hazards more precise and less semi-qualitative.

Using the semi-quantitative method (LOPA) gives the possibility of reducing the consequences by applying other, non-instrumented systems, which might be cheaper in the installation phase. The principle of “cumulative LOPA”, introduced in my thesis, made LOPA less “semi-quantitative”.

2.2.4 SIS Design

The IEC 61508 [IEC_508] and IEC 61511 [IEC_511] standards lay down “rules” but leave free space for interpretation. Unfortunately, the “interpretation” may be influenced by the cost of the realised Safety System, which in turn influences the strength of the Functional Safety.

I investigated the key issues of the standards and gave answers to them based on several decades of practice and experience in installing tens of Safety Instrumented Systems. These installations, running for years without any problem, confirmed the correctness of my interpretation. This interpretation was also a cost-effective one, without affecting the Functional Safety of the systems.

2.2.5 Proof test optimisation

The maintenance cost, being a key element of OPEX, was the first reason why I focused on the proof test. The second was the “inspiration” of IEC 61508 [IEC_508] and IEC 61511 [IEC_511], which simplify the proof test method, say nothing about the difference between the Function Test and the Proof Test, and nothing at all about the content of the Proof Test. My focus was to analyse these problems, looking for a better model: distinguishing the Function Test from the Proof Test, stating the content of the Proof Test and giving a better model for the Proof Test.

I also redefine the features of the dangerous undetected failures, focus on the scheduling strategy of the proof test and analyse the cost side of this maintenance work, developing a cost-optimising model.

2.3 Research type and methodology

In general it can be stated that research goes beyond description and requires analysis. It looks for explanations, relationships, comparisons, predictions, generalizations and theories [Phi_87], [Ake_99]. [AIC_92] distinguishes three categories of scientific research, namely:

Formal sciences, such as philosophy and mathematics.

Explanatory sciences such as the natural sciences and major sections of the social sciences.

Design sciences, such as the engineering sciences, medical science, and modern psychotherapy.

The mission of a design science is to develop knowledge to be used in the design and realization of artifacts, such as solving construction problems, or in the improvement of existing entities, such as solving improvement problems [AIC_92], [Ake_99].

Based on the described problem area and the defined research objective, this research project consists of what is called ‘positivist design research’, as opposed to causal and formal science, which are based on theoretical and formal constructions of the solution of the problem, respectively.

Another classification of this research project concerns a kind of research called applied research, which can be described as ‘interfering in practice and attempting to solve practical problems by designing theoretically sound solutions’ [SOL_99]. As opposed to this, another type of research, called theoretical research, instead derives a generic theory by observing specific phenomena [SOL_99].

This thesis will not further discuss the various types of research methods and strategies, but will instead discuss the design science type of research in more detail. This kind of research is considered the best representative of the kind of research described and applied in this thesis.

2.3.1 Design science

This ‘design science’ research type is intended to design and develop a model that initially explains and then solves a problem. The solution is intended to be expressed in the form of a prescription, meaning that the solution will be expressed as ‘an instruction to perform a finite number of acts in a given order and within a given aim’ [AIC_85], [AIC_92], [Ake_99].

Prescription driven research is solution-focused, rather than problem-focused. Of course, the problem should be analyzed, but the emphasis of the analysis is on those aspects which determine the choice and effectiveness of the solution. ‘The so-called technological rules or design prescriptions are based on both scientific-theoretical knowledge as well as tested rules (rule effectiveness systematically tested within the context of its intended use)’.

‘A tested technological rule is one whose effectiveness has been systematically tested within the context of its intended use. Grounding a technological rule on explanatory laws does not necessarily mean that every aspect of it (and of its relations with the context) is understood. Typically, several aspects keep their “black box” character, but under certain conditions specific interventions give the desired results. Testing within the context is necessary to account for its effectiveness’.

With regard to process safety and the process safety standards, the improvement of the safety level depends on many aspects related to social, technical and psycho-technical elements. Therefore, the influence of a particular aspect will be difficult to demonstrate. Furthermore, the demonstration and explanation might be difficult and complex, because its influence might be related to other aspects.

Grounded and tested technological rules are therefore expected to be typical deliverables of this research.

2.3.2 Research methodology

According to Nagel et al. [Nag_79], [NAG_91], Mukesh et al. [MUK_94] and Mylaraamy et al. [MYL_94], most academic research in management is based on the paradigm that the mission of all science is to understand, i.e. to describe, explain and possibly predict. The subsequent question is which tools and methods could best be used to describe, explain and predict, and how to collect the necessary information. Moore et al. [Moo_83] recognize the following research methods:


Interviews

Questionnaires

Sampling

Experiments

Historical research

Operational research

Case studies

Evaluation and performance management

Action research

Based on the exploration and analysis of the problem, a theoretical solution will have to be defined. Due to the nature of the problem description and problem area, it is presupposed that case studies are the best way to validate the theoretical solution. According to Moore [Moo_83], however, case studies provide the framework within which other methods are employed for specific purposes.

A logical question that arises is ‘what is a case study?’. Venkatasubramanian et al. [VEN_94], Vinson et al. [VIN_98], Wintermantel et al. [WIN_99] and Yin [Yin_94] define a case study as ‘an empirical inquiry that investigates a contemporary phenomenon within its real-life context, especially when the boundaries between phenomenon and context are not clearly evident’. Also according to Yin, a case study is one of several ways of doing scientific research. Other ways include experiments, surveys, histories, and the analysis of archival information. In general, case studies are the preferred strategy when ‘how’ or ‘why’ questions are being posed, when the investigator has little control over events, and when the focus is on a contemporary phenomenon within some real-life context.

According to Moore et al. [Moo_83], case studies are chosen not because they are representative of all authorities, but on the grounds that they would shed some light on the general trends while at the same time being sufficiently comparable so as to provide a basis for generalization. Case studies are usually used when the research is attempting to understand complex organization problems, or the diffuse causes and effects of change. In essence it allows the researcher to focus on something which is sufficiently manageable to be understood in all its complexity.

An advantage of case studies is the fact that they provide a means of looking in some depth at complex problems. By using case studies it is possible to compare a number of different approaches to a problem in sufficient detail as to be able to draw out lessons which have general applicability. A disadvantage is that case studies lack the statistical validity of samples which have been properly sampled, and therefore the extent to which valid generalizations can be made depends on the degree to which the case studies themselves are typical and the care used in drawing conclusions [Moo_83].

2.3.3 Research program

The research started with an exploration of the problem area and of the current state-of-the-art methodologies and techniques that were used to handle these problems.


Subsequently, it was established that this research followed the typical approach defined by [AIC_85], [AIC_92] and [Ake_99] concerning ‘design science’. This type of research is characterized by the following cycle: problem analysis, definition of a solution by choosing a theoretical case, planning and implementing practical cases (on the basis of the problem-solving cycle), comparing the results to the theory and, finally, testing and refining the theory in subsequent practical cases (Dapena et al. [Dap_01]). The main activities carried out in this research project are presented in Table 3, Table 4, Table 5 and Table 6.

Table 3 Program for research question 1

Research question 1: Hazard and Risk analysis practice and how to improve its cost effectiveness

Problem definition

1 Definition of the problem, and focus of the research scope and objective.

Problem analysis

2 Survey of existing literature and solutions.

3 Analysis of the problem, illustrated by practical cases, and analysis of the current state-of-the-art of solutions, based on a reference criteria framework.

Solution design

4 Theoretical construction of models and parameters which describe the utilization process of the “Hazard and Risk Analysis” safety lifecycle phase.

5 Practical construction of a methodology in order to measure the degree to which the control models and parameters are implemented.

Solution validation

6 Empirical validation and verification of the “HAZOP Template” methodology and guidelines of their practical use in industrial case studies.

7 The validity involved in applying the methodology in practice.

Evaluation and feedback

8 Refinements and enhancements of the models and methodology.

9 Verification of the developed solution in order to check whether the research questions are completely and correctly answered and the research objective is achieved.


Table 4 Program for research question 2


Research question 2: IPL allocation, using cumulative LOPA method

Problem definition

1 Definition of the problem, and focus of the research scope and objective.

Problem analysis

2 Survey of existing literature and standards.

3 Analysis of the problem, illustrated by practical cases, and analysis of the current state-of-the-art of solutions, based on a reference criteria framework.

Solution design

4 Theoretical construction of models and parameters which describe the utilization process of the second safety lifecycle phase of IEC 61511.

5 Practical construction of a methodology in order to measure the degree to which the control models and parameters are implemented.

Solution validation

6 Empirical validation and verification of the methodology and guidelines of their practical use in industrial case studies.

7 The validity involved in applying the methodology in practice.

Evaluation and feedback

8 Refinements and enhancements of the models and methodology.

9 Verification of the developed solution in order to check whether the research questions are completely and correctly answered and the research objective is achieved.

Table 5 Program for research question 3


Research question 3: interpreting the “good engineering practice” of SIS Design

Problem definition

1 Definition of the problem, and focus of the research scope and objective.

Problem analysis

2 Survey of existing literature and standards.

3 Analysis of the problem, illustrated by practical cases, and analysis of the current state of the art of solutions, based on a reference criteria framework.

Solution design

4 Theoretical construction of models and parameters, which describe the utilisation process of the “SIS Design” safety lifecycle phase.

5 Practical construction of a methodology in order to measure the degree to which the control models and parameters are implemented.

Solution validation

6 Empirical validation and verification of the methodology and guidelines of their practical use in industrial case studies.

7 The validity involved in applying the methodology in practice.

Evaluation and feedback

8 Refinements and enhancements of the models and methodology.

9 Verification of the developed solution in order to check whether the research questions are completely and correctly answered and the research objective is achieved.

Table 6 Program for research question 4


Research question 4: Cost effective Proof Test Management

Problem definition

1 Definition of the problem, and focus of the research scope and objective.

Problem analysis

2 Survey of existing literature and standards.

3 Analysis of the problem, illustrated by practical cases, and analysis of the current state of the art of solutions, based on a reference criteria framework.

Solution design

4 Theoretical construction of models and parameters, which describe the utilisation process of the proof test in safety lifecycle phase 5 of IEC 61511.

5 Practical construction of a methodology in order to measure the degree to which the models and parameters are implemented.

Solution validation

6 Empirical validation and verification of the methodology and guidelines of their practical use in industrial case studies.

7 The validity involved in applying the methodology in practice.

Evaluation and feedback

8 Verification of the developed solution in order to check whether the research questions are completely and correctly answered and the research objective is achieved.

For a better and clearer understanding, a short definition of the activities performed for all research questions in this thesis is given here.

A. Definition of the problems, and focus of the research scope and objective

An overview of the observed problem area, resulting in the problem definition and a formal specification of the research objective and scope, has been given in the referenced chapters and sections. Furthermore, the various industrial cases described throughout this thesis illustrate the typical characteristics of the problem area.

B. Survey of existing literature and standards

Current standards and legislation will be thoroughly scrutinised, together with an analysis of the methods and techniques described in the literature, to gain a clear understanding of current state-of-the-art practice. In particular, the fields of Hazard and Risk analysis, Allocation of Independent Protection Layers, Safety Requirement Documentation, SIS Design and Proof Test will be explored and analysed in detail in Chapters 3, 4, 5 and 6, according to the safety lifecycle models of the latest safety legislation and standards.

C. Solution design

The solution design will be split into two phases. First, models and criteria will be developed which describe the most relevant aspects and parameters of how to utilise the given safety lifecycle model, based on our practice, on the results of the reports and on discussions with our industrial partners (feedback driven research). Second, as a result of this, a solution will be defined and developed which describes a stepwise implementation route resulting in a full implementation of the given safety lifecycle model.

D. Solution validation

In order to measure the results closely and gain maximum benefit, close contact with representatives of the process industry is required. Finally, the experience obtained from the predefined industrial cases is expected to offer a new and better understanding and knowledge of the application of safety lifecycle models, and to contribute to an increased safety level in the industry.

E. Evaluation and feedback

Conclusions on the effectiveness and efficiency of the designed solution together with the observed added value of the utilization of safety lifecycle models will be discussed following the case studies. Refinements and enhancements of the initial concepts will be discussed based on these conclusions. Finally, a verification of the developed solution will be done in order to check whether the research questions are completely and correctly answered and the research objective is achieved.

2.4 Research expectation

As discussed in Chapter 1, the typical safety problem that the process industry currently struggles with is largely the result of the growing complexity of safety systems and organisations. Dealing with these typical so-called ‘business process problems’ requires more clarity and understanding of the safety-related techniques and business processes involved. The adoption of lifecycle models in safety standards has led to the expectation that these models might provide a structure for these business processes. Therefore, it is expected that using these lifecycle models does offer the much needed clarity and understanding.

With regard to the correct implementation of a safety lifecycle model into the safety management system, the expectation is that relational parameters will need to be identified, which will subsequently result in additional and new safety management models.

In order to verify whether an organisation has correctly implemented the safety management models, as described in Section 1.8.6, a methodology will have to be developed to observe and solve the typical safety-related technical and business process problems. It is expected that the measurement method to be developed will be able to identify and locate these problems and, in combination with the new safety management models, will enable the process of finding the necessary cost effective solutions.


2.5 Outline of this thesis

In this chapter an outline is given of the research scope and objective, the research methodology and the research program.

In general, my approach in this research was to optimise the cost of Functional Safety over the complete lifecycle.

That is why I introduced a new definition: the principle of the “Integrated Safety System” (ISS). According to my definition, the ISS comprises the following:

Safety Instrumented System (SIS)

Mechanical Protection System (analysed by LOPA in Chapter 4)

Safe Design (Chapter 5)

Alarm management and human intervention

Passive protection layers

Proof Test Management

Based on this definition I had more freedom to optimise the cost of Functional Safety. This is in contrast to current practice, where only the SIS is taken into consideration in cost optimisation. Optimising all components of the ISS yields the minimum lifecycle cost of Functional Safety.

Chapter 3 gives an overview and analysis of the hazard and risk analysis measures and techniques, which are the basic methods used to build safety instrumented systems. Analysing the business (cost) aspect of the problems related to the HAZOP study, the preferred hazard and risk analysis method in the literature, I describe my new method, which makes the HAZOP study cost effective.

Chapter 4 gives an overview and analysis of SIL calculation. Our choice was LOPA (Layer of Protection Analysis), a typical risk reduction measure used to protect process installations; it describes a safety instrumented system as a specific layer of protection for process installations. Analysing the business (cost) aspect of the problems related to the LOPA study [AIC_01], [AIC_2] and the solutions offered in the literature, I describe my new method, called “cumulative LOPA”, which makes the LOPA study and the SIL calculation less semi-quantitative and more cost effective. As a practical example I also demonstrate this solution with our Tool4S software.

Chapter 5 gives an overview of SIS Design, analysing current practice and giving a clear interpretation of the statements of the IEC 61508 [IEC_508] and IEC 61511 [IEC_511] standards. My solution was tested in practice when building a large SIS (some 2,000 I/O channels) for an application in a refinery.

Chapter 6 gives an overview and analysis of the proof test, based on IEC 61511 [IEC_511]. I analysed and evaluated the different solutions in the literature, developed new models for the time scheduling of proof test work, redefined the content of the proof test, and developed a new model for how to interpret the proof test coverage factor and the dangerous undetected failures. Finally I developed a model calculation to optimise the cost of the proof test interval.


3 Process Hazard and Risk Analysis Management: a knowledge based cost effective HAZOP study method

3.1 Overview and critical evaluation of tools of Hazard and Risk analysis suggested by Standards

The method employed in my practice at refineries for investigating hazards, risks and operating problems was the HAZOP analysis. In this Chapter 3.1 I analyse all the other possible methods offered by the IEC 61508 and IEC 61511 standards, and at the end I give an application comparison table, see Table 17.

3.1.1 Objective of hazard and risk analysis according to Standards

According to IEC 61511 [IEC_511] the objective of Hazard and Risk analysis is:

“to determine the hazards and hazardous events of the process and associated equipment;

to determine the sequence of events leading to the hazardous event;

to determine the process risks associated with the hazardous event;

to determine any requirements for risk reduction;

to determine the safety functions required to achieve the necessary risk reduction;

to determine if any of the safety functions are safety instrumented functions.

Present the facility or the technological process in full detail

Systematically examine all parts of the facility or the technological process in order to determine the mode of eventual deviations from the requirements specified in the course of engineering, and

Judge whether such deviations may lead to the occurrence of hazards or to the development of operating problems”.

3.1.2 Requirement of hazard and risk analysis according to Standards

The requirement of hazard and risk analysis is that a hazard and risk assessment shall be carried out on the process and its associated equipment (for example, the BPCS). It shall result in:

“a description of each identified hazardous event and the factors that contribute to it (including human errors);

a description of the consequences and likelihood of the event;

consideration of conditions such as normal operation, start-up, shutdown, maintenance, process upset, emergency shutdown;

the determination of requirements for additional risk reduction necessary to achieve the required safety;

description of, or references to information on, the measures taken to reduce or remove hazards and risk;

a detailed description of the assumptions made during the analysis of the risks including probable demand rates and equipment failure rates, and of any credit taken for operational constraints or human intervention;


allocation of the safety functions to layers of protection (see Clause 9) taking account of potential reduction in effective protection due to common cause failure between the safety layers and between the safety layers and the BPCS (see note 1);

identification of those safety function(s) applied as safety instrumented function(s).

The designations and the physical and chemical properties of all materials present in each particular item of process equipment must be recorded in the course of the HAZOP process. The effects of each with respect to harm to human health or fire hazards must be indicated separately.

All potential discharges typical of hazardous events (e.g. process upsets) must be recorded, e.g. pipe rupture, piping leakage, cracking of weld joints, incorrect operation, opening of flanged joints, leakage of disconnectable joints, valve failure, overfilling, etc. Potential discharges typical of process upsets must be classified and recorded according to the following categories: small discharge, large discharge, fire or poisoning, explosion.

All mechanical protection devices installed on process equipment (e.g. safety relief valves, rupture disks, etc.) must be recorded, and the possibilities for the safe blow-down of gases/vapours from the safety valve or other protective equipment (e.g. to flare) must be investigated in the case of highly flammable, oxidising, toxic and caustic media. It must also be established whether the actuation of the mechanical protective devices entails any additional risks.

The maximum design pressure and temperature of all process equipment (e.g. pressure vessels, reactors, columns, drums & tanks) must be indicated. Should the pressure or temperature generated in process equipment exceed the maximum permissible level as a consequence of some hazardous event, then this fact must also be recorded.

The severity of the consequences arising in respect of human life & health, economic losses and the environment upon the occurrence of a specific hazard must be determined.

It must be established whether the series of undesired events leading to the development of hazards can be interrupted.

It must be established whether a hazard can be mitigated or eliminated.

It must be established whether a safety function or functions (E/E/PE or non-E/E/PE) reducing the potential for the development of a specific hazardous event may be allocated to that hazard.”

Analysing the methods of evaluating the risk and calculating the SIL values of SIFs, IEC 61508 and IEC 61511 suggest only partial solutions: some of the methods are good for components, others fit small loops, and some are important for calculating the reliability of systems involving maintenance work, but there is no complete solution.

With the increasing complexity of plants, technical development has resulted in systems which require ever better analysis methods.

In the following sections I review the suggested solutions, following the technical development, and evaluate their application area and which of them are more economic to use.


3.1.3 Risk matrix

The risk matrix method [MAR_02] is a widely used way to define the risk of a system. It is a simple qualitative method which does not require any special skills.

In its simplest form, the composition of a risk matrix starts with the classification of the probabilities of dangerous events into low, medium and high. Their consequences are classified as low, serious and grave.

The assignment of probabilities and consequences to definite categories then follows from the formula

$R = f \cdot C$

where:

R = risk

f = frequency of the unwanted event

C = consequence if the unwanted event is realised

A simple example according to the IEC 61508 and IEC 61511 standards is shown in Table 7.

Table 7 Risk Matrix example

The risk matrix (rows: probability of the unwanted event; columns: its consequence; entries: the SIL required of the safety function, or NR) is:

Probability   |  Consequence: Low   Serious   Important
High          |                2       3         3
Medium        |                1       2         3
Low           |                NR      1         1


Table 8 Definition of Consequence category

Consequence category   Description
Low                    Marginal injuries
Serious                One or several considerable injuries possible, damage up to 1 million €
Massive                One or several fatalities, damage at least in the millions

Table 9 Definition of Probability category

Probability category   Occurrence / year   Description
Low                    < 10^-4             The probability of failure is very low and a failure is not expected within the lifetime of the plant
Medium                 10^-4 to 10^-2      The probability of failure is low and a failure is not expected within the lifetime of the plant
High                   > 10^-2             The probability has increased, so that a failure within the lifetime is expected

The matrix of Table 7 contains NR (not relevant) for events for which no SIL is needed.

According to IEC 61511-3, further analysis is needed if the result is SIL 3. The risk matrix is not suitable for SIL 4 applications.

The standard gives the possibility of creating a 4x4 or a 5x5 risk matrix, depending on the corporate strategy.

3.1.4 Risk graph

The risk graph was developed in Germany and is governed by [DIN_250]. The method is a qualitative procedure that results in requirement classes according to the DIN standard and in SILs according to the IEC 61508 and IEC 61511 standards.

This norm, however, limits itself to the validation of safety functions and therefore cannot be applied to an entire system, only after a hazard and risk analysis such as a HAZOP study. For example, not the whole process plant is viewed, but the safety equipment that protects a vessel within this plant from overpressure.

The risk graph is applied to risk that originates in the failure of specific measurement and control safety equipment. It explicitly does not refer to risk that emanates from the system as a whole. The procedure is application and technology independent. The norm further limits itself to the determination of SIL values.

In Chapter 1.5 I described the correlation between Risk, Acceptable Risk, Residual Risk and Risk reduction which is the basic for Risk Graph method.


In order to determine the risk of a technical process or a condition, one decides on the frequency of the initiating event and on the consequence of this event if it were to happen ($R = f \cdot C$).

Table 10 Typical Risk Graph Method

Table 11 Definition of Risk parameter: Consequence

Risk parameter C: Consequence
C1 Minor injury
C2 Serious permanent injury to one or more persons; death of one person
C3 Death of several people
C4 Very many people killed

Notes for Table 11:

The classification system has been developed to deal with injury and death of people. Other classification schemes would need to be developed for environmental and business damage.

For the interpretation of C1, C2, C3 and C4, the consequences of the accident and normal healing shall be taken into account.

Table 10 contents (risk graph): starting from the consequence parameter (CA, CB, CC or CD), the path branches by the frequency and exposure time parameter (FA, FB) and by the possibility of avoidance parameter (PA, PB) and ends in one of the rows X1 to X6; the column selected by the probability of the unwanted occurrence (W3, W2, W1) gives the result:

Row   W3    W2    W1
X1    a     ---   ---
X2    1     a     ---
X3    2     1     a
X4    3     2     1
X5    4     3     2
X6    b     4     3

--- = No safety requirements

a = No special safety requirements

b = A single E/E/PES is not sufficient

C = Consequence risk parameter

F = Frequency and exposure time risk parameter

P = Possibility of failing to avoid hazard risk parameter

W = Probability of the unwanted occurrence


Table 12 Definition of Risk parameter: Frequency

Risk parameter F: Frequency of, and exposure time in, the hazardous zone
F1 Rare to more often exposure in the hazardous zone
F2 Frequent to permanent exposure in the hazardous zone

Notes for Table 12: see the two notes for Table 11.

Table 13 Definition of Risk parameter: Possibility of avoiding

Risk parameter P: Possibility of avoiding the hazardous event
P1 Possible under certain conditions
P2 Almost impossible

Notes for Table 13:

This parameter takes into account:

Operation of the process (supervised or not supervised)

Rate of development of the hazardous event (for example: suddenly, quickly)

Ease of recognition of the danger (for example: seen immediately, detected by technical measures)

Avoidance of the hazardous event (for example: escape routes possible, not possible)

Actual safety experience (such experience may exist with an identical EUC or a similar EUC, or may not exist)

Table 14 Definition of Risk parameter: Occurrence

Risk parameter W: Probability of the unwanted occurrence
W1 A very slight probability that the unwanted occurrence will come to pass and only a few unwanted occurrences are likely
W2 A slight probability that the unwanted occurrence will come to pass and few unwanted occurrences are likely
W3 A relatively high probability that the unwanted occurrence will come to pass and frequent unwanted occurrences are likely


Notes for Table 14:

The purpose of the W factor is to estimate the frequency of the unwanted occurrence taking place without the addition of any safety-related systems, but including some external facilities.

If little or no experience exists of the EUC, of the EUC control system (BPCS) or of a similar EUC and BPCS, the estimation of the W factor may be done by calculation. In such a case a worst case prediction shall be used.

3.1.5 Fault tree analysis

Fault tree analysis (FTA) was initially developed in 1961 by G. Watson together with A. Means at Bell Laboratories for the “Minuteman” rocket launch system. Its ever wider application led to the publication in the US in 1981 of the “Fault Tree Handbook” [FTH_81], which served as a basis for the development of various methods and tools supporting FTA.

Fault Tree Analysis should not be confused with Event Tree Analysis (ETA, see Chapter 3.1.6). Event Tree Analysis uses an inductive approach, i.e. one starts from a failure and searches for the undesirable consequences it leads to (bottom-up or forward analysis). The FTA method uses the opposite, deductive approach: the undesirable event is given and one searches for all its causes (top-down or backward analysis).

Fault tree analysis is an effective tool for revealing the logical relations between failing components or subsystems. Those combinations of failures which lead to the undesirable event are to be avoided or, at least, the probability of their occurrence is to be minimised.

Fault tree analysis has the following objectives:

Systematic identification of all possible failure combinations (causes) leading to a given undesirable event (qualitative analysis);

Evaluation of the system reliability attributes (e.g. frequency of failures, failure combinations, frequency of occurrence of undesirable events or unavailability of the system on demand) by calculating the reliability attributes of the units of the system (quantitative analysis).

The Fault Tree Analysis is divided into eight subsequent steps:

1. Precise structural analysis of the system,

2. Determination of the undesirable events and the failure parameters,

3. Determination of the relevant probability parameters and the time intervals,

4. Determination of the component failure modes,

5. Creation of the fault tree,

6. Determination of the basic events (such as type of failure, time of fault occurrence and unavailability),

7. Analysis of the fault tree,

8. Evaluation of the results.


Figure 10 shows an example of how Fault Tree Analysis works, according to IEC 61511, Volume 3 [IEC_511].

For more detailed description about Fault Tree, see Josef Börcsök, Functional Safety, Basic Principle of Safety-related systems [BÖR_08].
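As an added example, not code from the thesis or from the IEC 61511-3 example it cites, the following Python block evaluates a small fault tree of the kind shown in Figure 10: an OR gate over the basic events Sensor fails, BPCS function fails, Valve stuck and External event (fire). To exercise both gate types it assumes a 1oo2 sensor pair under an AND gate, which the figure does not have. The basic-event probabilities are constructed values. The block computes the top-event probability exactly for independent basic events, enumerates the minimal cut sets deductively (top-down, as the text describes), and shows that the sum of the cut-set probabilities (the rare-event approximation) is an upper bound on the exact value.

```python
from math import prod

# Constructed example: per-demand unavailability of each basic event. Hypothetical values,
# not data from the thesis or from IEC 61511-3.
BASIC_EVENTS = {
    "Sensor A fails": 0.02,
    "Sensor B fails": 0.02,
    "BPCS function fails": 0.05,
    "Valve stuck": 0.02,
    "External event (fire)": 0.01,
}

# Gate tree for the top event "Overpressure". A gate is (type, [children]); a leaf is the
# basic-event name. The assumed 1oo2 sensor pair only fails if both sensors fail (AND).
OVERPRESSURE = ("OR", [
    ("AND", ["Sensor A fails", "Sensor B fails"]),
    "BPCS function fails",
    "Valve stuck",
    "External event (fire)",
])


def top_event_probability(node, basic=BASIC_EVENTS):
    """Exact probability of a gate or leaf, assuming independent basic events."""
    if isinstance(node, str):
        return basic[node]
    gate, children = node
    probs = [top_event_probability(child, basic) for child in children]
    if gate == "AND":
        return prod(probs)                          # every input must fail
    if gate == "OR":
        return 1.0 - prod(1.0 - p for p in probs)   # at least one input fails
    raise ValueError(f"unknown gate type {gate!r}")


def minimal_cut_sets(node):
    """Deductive (top-down) enumeration of the minimal combinations of basic events
    that are sufficient to cause the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":
        cut_sets = [cs for sets in child_sets for cs in sets]
    elif gate == "AND":
        cut_sets = [frozenset()]
        for sets in child_sets:
            cut_sets = [a | b for a in cut_sets for b in sets]
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    unique = list(dict.fromkeys(cut_sets))
    # keep only minimal sets: drop any set that strictly contains another cut set
    return [cs for cs in unique if not any(other < cs for other in unique)]


def rare_event_approximation(cut_sets, basic=BASIC_EVENTS):
    """Upper bound on the top-event probability: the sum of the cut-set probabilities."""
    return sum(prod(basic[event] for event in cs) for cs in cut_sets)


if __name__ == "__main__":
    cuts = minimal_cut_sets(OVERPRESSURE)
    for cs in cuts:
        print("cut set:", sorted(cs))
    print("exact top-event probability:", top_event_probability(OVERPRESSURE))
    print("rare-event upper bound:     ", rare_event_approximation(cuts))
```

The cut-set list is what a HAZOP team actually reads: a single-element cut set such as Valve stuck is a single point of failure, whereas the sensor pair only appears as a two-element set.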

Figure 10 Example of Fault Tree analysis

Figure 10 contents: top event Overpressure, 0.1/year, fed by an OR gate over the basic events Sensor fails, BPCS fails, Valve stuck, BPCS function fails and External event (fire); the consequence is reached through a transfer gate.

3.1.6 Event tree analysis

Event Tree Analysis (ETA) belongs to the inductive type of analysis. In these methods, subsequent events are derived from the initial events; the initial events are considered the basic events of the ETA. The subsequent events stand in a simple cause-and-effect relation with the initial events and take place after the initial event has finished. ETA is important and is used for systems described by cause-effect chains. In the process industry all events are of this kind, but using ETA for hazard and risk analysis is far too laborious because of the size of the process plants, and it does not allow complex situations to be analysed, since only one event at a time is taken into consideration.


Event Tree Analysis is a simple and easy to implement technique. It starts with the initiating event, represented by the left part of the tree, and the tree then divides into several branches representing the subsequent events. Each branch leads to a situation with a different outcome, so the event tree leads to different outcome scenarios.

In Figure 11 I show a simple example of ETA. In our case we took the following events into consideration:

The initiating event is overpressure in a vessel, which may happen with a frequency of 10^-1/year. According to the corporate policy the target frequency is only 10^-4/year.

When the pressure rises, the first event is the high pressure alarm, followed by an operator intervention. If either of these actions fails, the next line of defence is the relief valve. If the relief valve fails, an unexpected release occurs. This example is given in IEC 61511, Volume 3 [IEC_511], and it can be seen that in this example the release frequency is higher than the tolerable frequency of the company.

The method for reaching the tolerable value given by the company (i.e. how to reduce the risk) is LOPA (Layer of Protection Analysis), see Chapter 3.1.7.

For a more detailed description of Event Tree Analysis, see Josef Börcsök, Functional Safety, Basic Principles of Safety-related Systems [BÖR_08].
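The event tree just described, worked through in Python as an added example (not code from the thesis or from IEC 61511-3). The initiating frequency, the 10^-1 failure probability of every layer and the 10^-4/year target are the values quoted above; the tree shape (no operator action without the alarm, the relief valve demanded whenever the alarm or the operator fails) follows the description. The last step, translating the required risk reduction into a SIL for an additional safety instrumented function, uses the low-demand PFDavg bands of IEC 61508, which are an assumption of this example since the page does not list them.

```python
from collections import defaultdict

# Values from the Figure 11 discussion: overpressure demand rate and the tolerable
# release frequency of the corporate policy; every layer fails on demand with 10^-1.
INITIATING_FREQUENCY = 1e-1   # overpressure events per year
TARGET_FREQUENCY = 1e-4       # tolerable release-to-environment frequency per year
PFD_LAYER = 1e-1

# A node is (layer name, probability of failure on demand, branch on success, branch on
# failure); a plain string is a terminal outcome. The relief valve is demanded when the
# alarm fails or the operator fails; a successful operator intervention ends the sequence.
RELIEF_VALVE = ("Relief valve", PFD_LAYER, "Release to flare", "Release to environment")
OPERATOR = ("Operator action", PFD_LAYER, "No release", RELIEF_VALVE)
EVENT_TREE = ("High pressure alarm", PFD_LAYER, OPERATOR, RELIEF_VALVE)


def enumerate_branches(node, frequency=INITIATING_FREQUENCY, path=()):
    """Walk the tree from the initiating event and return (path, outcome, frequency per
    year) for every end branch; the frequency is the product along the path."""
    if isinstance(node, str):
        return [(path, node, frequency)]
    name, pfd, on_success, on_failure = node
    return (enumerate_branches(on_success, frequency * (1.0 - pfd), path + ((name, "success"),))
            + enumerate_branches(on_failure, frequency * pfd, path + ((name, "failure"),)))


def outcome_frequencies(tree=EVENT_TREE):
    """Sum the branch frequencies per outcome (both release-to-environment branches add up)."""
    totals = defaultdict(float)
    for _, outcome, freq in enumerate_branches(tree):
        totals[outcome] += freq
    return dict(totals)


def required_risk_reduction(actual_frequency, target_frequency=TARGET_FREQUENCY):
    """Risk reduction factor an additional protection layer must supply (1.0 if tolerable)."""
    return max(1.0, actual_frequency / target_frequency)


def sil_for_pfd(pfd_target):
    """Map a required PFDavg to a low-demand SIL band (IEC 61508 bands, assumed here);
    0 means no SIL-rated function is needed."""
    bands = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]
    if pfd_target >= 1e-1:
        return 0
    for low, high, sil in bands:
        if low <= pfd_target < high:
            return sil
    raise ValueError("required PFD below the SIL 4 band: change the design instead")


if __name__ == "__main__":
    for path, outcome, freq in enumerate_branches(EVENT_TREE):
        print(" -> ".join(f"{n} {r}" for n, r in path), "=>", outcome, f"{freq:.2e}/year")
    release = outcome_frequencies()["Release to environment"]
    rrf = required_risk_reduction(release)
    print(f"release to environment {release:.2e}/year, target {TARGET_FREQUENCY:.0e}/year, RRF {rrf:.1f}")
    print("an additional SIF would need SIL", sil_for_pfd(1.0 / rrf))
```

The two release-to-environment branches add up to 1.9x10^-3/year, nineteen times the target, so the risk reduction still missing sits in the SIL 1 band; this is exactly the gap that the LOPA of the next section closes by allocating a protection layer.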

Figure 11 Event Tree analysis example

Figure 11 contents (event tree; every layer succeeds with probability 0.9 and fails with 10^-1):
Initiating event: Overpressure, 10^-1/year
1 High alarm success, operator action success: No release, 8x10^-2/year
2 High alarm success, operator action fails, relief valve success: Release from the prevention layer to environment (i.e. flare), 8x10^-3/year
3 High alarm success, operator action fails, relief valve fails: Release to environment, 9x10^-4/year
4 High alarm fails, relief valve success: Release from the prevention layer to environment (i.e. flare), 9x10^-3/year
5 High alarm fails, relief valve fails: Release to environment, 1x10^-3/year

3.1.7 LOPA

LOPA (Layer of Protection Analysis) is a modified event tree analysis. It is used for risk analysis in the chemical, petrochemical and oil and gas industries and was developed in the 1990s in the USA. LOPA determines the Safety Integrity Level (SIL) of the SIFs of safety-oriented process plants. The principle of protection layers, their number and their evaluation was first published by R. Growland in 1993 at the Center for Chemical Process Safety (CCPS) [CCPS_93]. The different protection levels (layers) of a plant exposed to risk are most descriptively depicted by the onion-peel model. An example of the onion-peel model from the process industry is shown in Figure 12.

Figure 12 Onion-peel-model of LOPA

Figure 12 contents (onion-peel model, from the inside out): Process; Control and monitoring (Basic Process Control System, BPCS); Prevention (for example ESD): mechanical prevention layer, process alarms with operator action, SIS; Mitigation (for example F&G): mechanical mitigation, SIS; Plant emergency plan; Public emergency plan.

The single levels (layers) are independent and physically separated.

LOPA is very important in hazard and risk analysis, and one of my research questions concerned the cumulative LOPA method. That is why more details are given in Chapter 4.1.1.

3.1.8 Reliability Block Diagram analysis

The reliability block diagram (RBD) is a well-established probability model that is quite easy to use for reliability and failure probability calculations [BÖR_08]; in the USA it is considered fundamental for network modelling [GOB_98]. Each block in the diagram represents a component of the system. The configuration of the blocks represents the logical relation between the potential failures of the components.


In practice there are two possible connections. One can connect the blocks in series (horizontal arrangement), meaning an AND connection, or in parallel (vertical arrangement), meaning an OR connection. In the diagram one can also depict complex component groups such as 2oo3 and 1oo2 voting, see Figure 13. The failure rate of such blocks is determined by a specific mathematical calculation. The RBD is strictly mathematical and therefore easy to apply.

Figure 13 Reliability Block Diagram, 2oo3, 1oo2 voting example

In reality the application is restricted because only mathematically computable events lead to the result. The Reliability Block Diagram (RBD) shows which element of a system fulfils the demanded function and which might fall out. The RBD is one of the most widely used methods to represent systems in graphical form. The system is dismantled into elements in order to prepare a RBD; those elements fulfil a specific task. Each block relays a reliability characteristic of the component. If a component has several types of failure each type must be represented by way of a block. This makes the application a little bit difficult.

There is an essential difference between an RBD and a functional diagram: in an RBD an element can occur several times even though it exists only once as hardware.

Serial and parallel structures are the simplest ways of linking components. Figure 14 shows the linking of n components in a serial structure (AND structure), while Figure 15 shows the parallel structure (OR structure).

Figure 14 Linkage of n components into a serial structure

Assuming that the components are independent of each other, the success and failure probabilities of a serial system follow from Equation 1, using the following definitions:

Definitions:

Ri = Probability of success for component i

Fi = Probability of failure for component i

[Figure residue: blocks 1, 2, ..., n in series (Figure 14); three Sensor blocks in a voting group feeding a Logic Solver and an Actuator (Figure 13).]


Rs = Probability of success for the system

Fs = Probability of failure for the system

For an n component series system the probability of success of the system is:

$$R_S = \prod_{i=1}^{n} R_i \qquad \text{Equation 1}$$

In a serial network it is generally simpler to work with success probabilities, and if the network is composed of nonrepairable components with constant failure rates (exponential distribution) one can substitute

$$R_i = e^{-\lambda_i t} \qquad \text{Equation 2}$$

and

$$R_S = \prod_{i=1}^{n} e^{-\lambda_i t} = e^{-t \sum_{i=1}^{n} \lambda_i} \qquad \text{Equation 3}$$

where $\lambda_i$ is the failure rate of component i.

Thus the failure rates of the components of a serial system add up to the failure rate of the system:

$$\lambda_S = \sum_{i=1}^{n} \lambda_i \qquad \text{Equation 4}$$

For a parallel system, see Figure 15.

Figure 15 Linkage of n components into a parallel structure

For an n component parallel system the result is given in Equation 5 and Equation 6.



$$F_S = \prod_{i=1}^{n} F_i \qquad \text{Equation 5}$$

This equation follows from the fact that all components must fail for a parallel system to fail.

To obtain the probability of success of an n component parallel system, the rule of complementary events is used:

$$R_S = 1 - F_S = 1 - \prod_{i=1}^{n} F_i \qquad \text{Equation 6}$$

A simple way of calculating the R_S and F_S values of a parallel system is to build the truth table; Table 15 shows the truth table of a three component parallel system. All component failure probabilities (λ) are assumed equal and the components independent of each other. In the table a cell marked λ stands for a working element and a cell marked 1-λ for a failed element; the result column follows from this convention.

Table 15 Truth table for a three component parallel system (n = 3)

| Item | Element 1 | Element 2 | Element 3 | Result |
| 01 | λ | λ | λ | System success |
| 02 | λ | 1-λ | λ | System success |
| 03 | 1-λ | λ | λ | System success |
| 04 | 1-λ | 1-λ | λ | System success |
| 05 | λ | λ | 1-λ | System success |
| 06 | λ | 1-λ | 1-λ | System success |
| 07 | 1-λ | λ | 1-λ | System success |
| 08 | 1-λ | 1-λ | 1-λ | System failure |

The same method is used to evaluate a voting system, which is also a parallel system.

Voting is expressed as the number of independent paths (M) required, out of the total number of existing paths (N), to perform the safety function. Voting is usually written MooN, where:

M is the number of paths that must vote for the function to be performed

N is the number of redundant paths

For example: 1oo2, 2oo3, 2oo4, etc.

Table 16 shows a 2oo3 voting system, i.e. two paths (M = 2) out of three (N = 3, the total number of paths) are required to perform the safety function.


Table 16 2oo3 voting system

| Item | Element 1 | Element 2 | Element 3 | Result |
| 01 | λ | λ | λ | System success |
| 02 | λ | 1-λ | λ | System success |
| 03 | 1-λ | λ | λ | System success |
| 04 | 1-λ | 1-λ | λ | Failure |
| 05 | λ | λ | 1-λ | System success |
| 06 | λ | 1-λ | 1-λ | Failure |
| 07 | 1-λ | λ | 1-λ | Failure |
| 08 | 1-λ | 1-λ | 1-λ | Failure |

By putting real failure probability figures into the table one can calculate the resulting system success and failure probabilities.
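As an added worked example (mine, not part of the dissertation), the following Python code implements the serial and parallel formulas of Equations 1 to 6 and the truth-table enumeration of Tables 15 and 16 for a general MooN voting group. The function names and the sample probabilities are my own choices. A cell with a working element contributes its success probability 1-F_i and a failed cell contributes F_i, so the code also handles unequal component probabilities, which goes beyond the equal-λ assumption of the tables.

```python
from itertools import product
from math import exp


def series_reliability(r):
    """Equation 1: R_S of a serial (AND) structure; every component must work."""
    out = 1.0
    for ri in r:
        out *= ri
    return out


def parallel_failure(f):
    """Equation 5: F_S of a parallel (OR) structure; every component must fail."""
    out = 1.0
    for fi in f:
        out *= fi
    return out


def exp_reliability(lam, t):
    """Equation 2: non-repairable component with constant failure rate lam."""
    return exp(-lam * t)


def moon_truth_table(m, f):
    """Enumerate the truth table of an MooN group (Tables 15 and 16).

    f[i] is the failure probability of element i (N = len(f)).  Each row is
    one working/failed combination of the N elements; its probability is the
    product of (1 - f[i]) for working elements and f[i] for failed ones, which
    is valid because the elements are assumed independent.  A row is a
    system success when at least m elements are working.

    Returns (P_success, P_failure, rows); rows is a list of
    (states, probability, success) with states[i] True for a working element.
    """
    n = len(f)
    if not 1 <= m <= n:
        raise ValueError("MooN needs 1 <= M <= N")
    p_success = 0.0
    rows = []
    for states in product((True, False), repeat=n):
        p = 1.0
        for working, fi in zip(states, f):
            p *= (1.0 - fi) if working else fi
        success = sum(states) >= m
        rows.append((states, p, success))
        if success:
            p_success += p
    return p_success, 1.0 - p_success, rows


def print_truth_table(m, f):
    """Print the table in the layout of Table 16 (1 = working, 0 = failed)."""
    _, _, rows = moon_truth_table(m, f)
    for item, (states, p, success) in enumerate(rows, start=1):
        cells = " ".join("1" if s else "0" for s in states)
        print(f"{item:02d}  {cells}  p={p:.6f}  {'Success' if success else 'Failure'}")


if __name__ == "__main__":
    # Constructed sample: three independent elements, each with F_i = 0.1.
    # 1oo3 is the plain parallel structure, 3oo3 the serial structure.
    for m in (1, 2, 3):
        ok, fail, _ = moon_truth_table(m, [0.1, 0.1, 0.1])
        print(f"{m}oo3: P_success={ok:.6f}  P_failure={fail:.6f}")
    print_truth_table(2, [0.1, 0.1, 0.1])
```

With equal F_i = 0.1 the enumeration reproduces Equation 5 for 1oo3 (F_S = 0.001), Equation 1 for 3oo3 (R_S = 0.729) and gives F_S = 0.028 for 2oo3, the three rows of Table 16 with two failed elements plus the row with all three failed.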

This model (see Figure 16) is also suitable for calculating the failure probability of Independent Protection Layers (Chapter 4).

Figure 16 IPL as parallel system: IPL 1 (alarm system), IPL 2 (operator action), ..., IPL n (relief valve) arranged as parallel blocks.


Table 15 also shows how the effectiveness of the independent protection layers is calculated: the λ values are replaced by PFD values, see Equation 7.

$$F_S = \prod_{i=1}^{n} PFD_i \qquad \text{Equation 7}$$

F_S means that the occurrence frequency of the unwanted event is reduced by this factor.

More details about this type of application are given in Chapter 4.

3.1.9 Markov Modelling

Up to now I have discussed the reliability models of systems without maintenance (except the voting systems).

For repairable systems, which are typical in an industrial environment, another model applies. Repairable systems (voting systems, or in other words fault tolerant systems) offer many advantages in terms of system availability and safety.

Repairs take time, and simple reliability network modelling methods do not directly account for repair time. The method we are looking for must account for realistic repair times and realistic system features, including self diagnostics, and must apply both to fully repairable and to partially repairable systems.

Markov modelling is a reliability and safety modelling technique that uses state diagrams and fulfils these goals with only two simple symbols. Circles (states) show combinations of successfully operating and failed components. Possible component failures and repairs are shown with transition arcs, arrows that go from one state to another. Many different combinations of failed and successful components are possible, and multiple failure modes can be shown on one drawing.

A Markov model can show on a single drawing the entire operation of a fault-tolerant control system. If the model is complete, it shows the full system success states, the degraded states where the system is still operating successfully but is vulnerable to further failures, and all failure modes.

Andrei Andreyevich Markov (1856-1922), a Russian mathematician, defined the Markov process, in which the future state depends on the present state but is independent of its predecessors. The method applies to the failure/repair process because combinations of failures create discrete system states, and the process moves between these states only as a result of the current state and the current failure or repair.

Building a Markov model involves defining all mutually exclusive success/failure states of the system. These are represented by labelled circles. The system moves from one state to another whenever a failure or a repair occurs. Transitions between states are shown with arrows (transition arcs) labelled with the appropriate failure or repair probabilities. The model describes the behaviour of the system over time: if time is modelled in discrete increments (for example, once per hour), simulations can be run using the probabilities shown in the model.

Figure 17 Markov Model, Single nonrepairable Component

Figure 17 shows the Markov model of a nonrepairable component, and Figure 18 that of a repairable component. These two simple figures demonstrate the principle of Markov modelling. "λ" is the probability of failure and "µ" the probability of repair within one basic time interval, chosen to match the process under discussion.

Figure 18 Markov Model, Single repairable Component

The Markov model can also be represented in matrix form. A model with n states gives an n*n matrix; for the single repairable component of Figure 18 it is the 2*2 matrix of Figure 19, given in Equation 8:

$$P = \begin{bmatrix} 1-\lambda & \lambda \\ \mu & 1-\mu \end{bmatrix} \qquad \text{Equation 8}$$

Figure 19 Markov Model, 2*2 matrix

This matrix is known as the stochastic transition probability matrix, often simply called the transition matrix and denoted P.

Each row and each column represents one of the states.

In Figure 19 row 0 and column 0 represent state 0, while row 1 and column 1 represent state 1. If more states existed, they would be represented by additional rows and columns. The entry in a given row and column is the probability of moving from the state represented by the row to the state represented by the column within one basic time interval; consequently the entries of every row sum to 1. The transition matrix contains all the information of the Markov model and is the starting point for the further calculation methods.


I used the Markov model for modelling dangerous undetected faults, see Chapter 6.

3.1.10 HAZOP

HAZOP is very important in hazard and risk analysis, and one of my research questions was the HAZOP template method; that is why more details are given in Chapter 3.1.

3.1.11 Comparison and evaluation of tools suggested by the standards

In this chapter I give a summary of the application and other features of the different methods discussed in the previous chapters, see Table 17.

Table 17 Evaluation and comparison of Hazard and Risk analysis methods

| Method | Feature | Application area | Weakness | Strength |
| Risk Matrix | Qualitative | Up to SIL 2 | Subjective, IPL not included | Easy to use |
| Risk Graph | Qualitative | Up to SIL 2 | Subjective, IPL not included | Easy to use |
| Fault Tree | Quantitative | Control loop | Component level | Easy to use |
| Event Tree | Quantitative | Events | (none listed) | IPL included, easy to use |
| LOPA | Semi-quantitative | After HAZOP, for the complete plant | (none listed) | IPL included, HAZOP/LOPA integration |
| Block diagram | Quantitative | Control loop | Nonrepairable systems only | Used for LOPA calculation |
| Markov model | Quantitative | Control loop, any kind of time based process | Needs failure data | Repairable systems, correct matrix calculation |
| HAZOP | Qualitative | First step of hazard and risk analysis | Time consuming | Completeness |

The methods must also be distinguished from a historical point of view. Nowadays the Risk Matrix and the Risk Graph are very seldom applied, and only below SIL 2 or as a draft approach.

Fault trees, reliability block diagrams and Markov models are useful for the reliability calculation of a control loop and even of its components, but not for SIL calculation.


The event tree is useful only for analysing the subsequent events, not for SIL calculation.

Only LOPA, performed after and together with a HAZOP study, is suitable for preparing a "correct" target SIL calculation. Here "correct" means that the accuracy of the result is in balance with the effort invested.

A process HAZOP study is nowadays the mandatory first step of hazard and risk analysis. The emphasis is on the word process.

Summary: an integrated HAZOP study and LOPA calculation is the state of the art solution.

3.2 Overview of IEC 61882 HAZOP standard

Among the various methodologies for identifying and assessing risk, specific attention has been paid to HAZOP, formalised by Imperial Chemical Industries (ICI) at the end of the 1960s and subsequently developed to assess safety risks in process plants and to identify operational problems which, although not particularly dangerous, may seriously undermine plant performance [AIC_92], [AIC_85], [BIN_04], [FAN_00], [FEW_00], [KLE_76], [LAW_74], [LIN_01], [MUK_94], [RUS_94], [VIN_98].

In May 2001 the standard IEC 61882 (CEI IEC 61882) was published, with the following main goals:

• "Identifying potential hazards in the system. The hazards involved may include both those essentially relevant only to the immediate area of the system and those with a much wider sphere of influence, e.g. some environmental hazards;

• Identifying potential operability problems with the system and in particular identifying causes of operational disturbances and production deviations likely to lead to nonconforming products."

The HAZOP standard [IEC_882] describes one method and procedure for preparing a HAZOP study. Preparing a HAZOP study is very time and manpower consuming, and originally no software supported the documentation of the HAZOP work. HAZOP software has since been launched, but the method itself remained unchanged.

The HAZOP team consists of at least the following people:

HAZOP leader

HAZOP secretary

Operators

Technologist, process engineer

Mechanical engineer

Instrument engineer

The technique appears particularly useful for risk identification and assessment during the commissioning phase, for the following reasons:

risk analysis in a dynamic and complex context such as commissioning requires an inductive approach, able to identify a priori and in detail all negative events which may theoretically occur, not merely those which have occurred in the past. HAZOP is typically a bottom-up methodology and thus most suitable in this case;

to ensure that an inductive approach is effective, a systematic analysis is needed to guarantee that the search for potential dangers is sufficiently exhaustive. By applying all the guide words to each node in the study, HAZOP fulfils this requirement;

HAZOP identifies all deviations which can actually occur and analyses their causes and consequences. This approach lends itself well to the identification of possible preventive and protective measures which can be implemented in the system.

A HAZOP (Hazard and Operability) study [KLE_76], [KLE_99] is a structured critical examination of a plant or process, either batch or continuous, undertaken by an experienced team of company staff, which seeks to identify systematically the risks, faults and operational problems that may compromise personal or environmental safety or plant operation, or even damage the business of the company. It also assesses the consequences of deviations from the design intent, taking into consideration all undesirable effects on safety, operability and the environment, and proposes corrective actions and safeguards reducing the severity of the consequences.

The procedure is based on the generation of a series of questions put to a multi-disciplinary team with expertise in the process under examination. A combination of parameters and guide words is then applied to all parts of the plant considered potentially dangerous. Besides being particularly demanding in man-hours, HAZOP studies have the strong systematic and multi-disciplinary features typical of plant projects, and can thus be considered small projects in themselves.

The possible deviations are generated by rigorous questioning, prompted by a series of standard "guidewords" applied to the intended design.

The deviations from the intended design are generated by coupling a guideword with a variable parameter or characteristic of the plant or process, such as the quantity of reactants, the reaction sequence, stirring, temperature, pressure, flow, phase, etc. In other words:

GUIDEWORD + PARAMETER = DEVIATION

For example, consider a reaction vessel in which an exothermic reaction is carried out and one of the reactants is added stepwise. The guideword "more" coupled with the parameter "reactant" generates the deviation "more reactant"; its cause may be double charging, and its consequence "thermal runaway".

The approach described above generates hypothetical deviations from the design intent. The success or failure of a study depends on four factors:

accuracy of the design drawings (P&ID, PFD) and other data used as the basis of the study;

technical skills and expertise of the team;

ability of the team to use the approach as an aid to their imagination in visualising possible deviations, causes and consequences; and

ability of the team to maintain a sense of proportion, particularly when assessing the seriousness of the hazards identified.


However, since HAZOP was designed to analyse the operation of a process plant under standard working conditions, i.e. with the BPCS involved, it cannot be used in its original form for a detailed examination of plant commissioning procedures.

The main reasons are:

the methodology overlooks two important elements, the operator(s) and the control system, which during the implementation of the start-up procedures decisively modify the plant/process system and can contribute to the development of critical situations that compromise correct start-up;

plant operation under standard working conditions is a steady state phenomenon, and by studying the parameters of each node at a given instant, HAZOP is able to detect every deviation which occurs in the system. Plant commissioning, on the other hand, is a transient phenomenon during which each sub-system continually varies over time as a function of the sequence in which operations are carried out.

To describe plant commissioning comprehensively, an accurate analysis of the commissioning procedures, i.e. the driver of the changes of state in this transitory phase, is required. This should provide an effective description of each task performed in sequence by the operator in the plant/process system and, above all, highlight the mechanisms which may generate operating problems and/or negative consequences during the execution of these tasks.

E. Cagno et al. [CAG_02] describe a technique, termed Human HAZOP, designed precisely to transfer the HAZOP philosophy to the in-depth study of the deviations which may occur while operators carry out operational procedures. Instead of plant nodes, the method takes the single steps of a procedure as the elementary unit of analysis. To identify all possible deviations it keeps the guide-word approach (with appropriately modified words), but the words are applied to the single tasks defined by the procedure rather than to the process parameters. For application to plant commissioning, Human HAZOP overcomes two important limitations of traditional HAZOP:

by exploiting the analytical approach of traditional HAZOP and focusing on the execution of procedures by operators, the technique registers the progressive change of state of process parameters and plant conditions over time during start-up;

the analysis includes the fundamental element of commissioning, i.e. the operator.

Unfortunately, in the present case, not even Human HAZOP is a valid starting point, as it too has a number of limitations:

it does not explicitly consider the role played by the control system during the execution of a procedure, nor the initial and final states of the plant/process before and after a given procedure;

by focusing on the execution of procedures, Human HAZOP has the advantage of implicitly considering changes of the plant/process state over time, but it does not record the strong inter-relationship between two or more subsequent steps of a start-up procedure, i.e. the fact that the physical state of the system at a given moment depends fundamentally on how the previous steps have been carried out.

3.3 Overview of preparing HAZOP study

3.3.1 About the hazards situations in general

In everyday life we continuously face hazardous events; knowing their nature, we can avoid the consequences or, if they happen, reduce them.

What is a hazard? A hazard is a situation which poses a level of threat to life, health, property, the environment and business. Most hazards are hidden or potential, with only a theoretical risk of harm; once a hazard becomes "active", however, it can create an emergency situation. The questions to be answered are how often the hazard becomes active, what the consequences are for people, the environment and business if it does, and how to reduce the consequences to a tolerable level of risk.

What is the procedure for discovering "sleeping" hazards? In the next paragraphs we analyse different methods of discovering and evaluating hazards. The final goal is to prevent the hazardous event from becoming active and/or to reduce and mitigate its consequences.

When a potential hazard has been identified, actions have to be taken to ensure that it does not become an incident. This is not an absolute guarantee of zero risk, but it significantly reduces the danger and the consequences.

There are a number of methods of classifying a hazard, but most use some variation of two factors: the likelihood of the hazard turning into an incident and the seriousness of the incident if it occurred.

The general method of scoring a hazard is:

Risk = Likelihood of occurrence x Seriousness if the incident occurred.

This score can then be used to identify which hazards need to be prevented or mitigated.

There are Directives and Standards (see Chapter 1) controlling the activities of companies, with the goal of protecting the public against any harm caused by the company. Every company shall have a safety policy dealing with the safety behaviour of the company and analysing the risk to people working in explosive or toxic environments. The corporate safety policy shall also include a Qualitative Target Risk Matrix for people, business and the environment (QTRM). Examples of this matrix are given in Table 18 for people, Table 19 for business losses and Table 20 for environmental damage.

Only for business losses is the company free to scale the consequence/frequency curve of its Qualitative Tolerable Risk Matrix. For the risk to human life there are cornerstones in the SEVESO II Directive (see Chapter 1.4): the probability of one fatality shall be less than 10^-5 event/year, mandatorily, as shown in Figure 2.

In practice not every company has a Qualitative Tolerable Risk Matrix (QTRM); such companies use qualitative methods for evaluating the risk, like the Risk Matrix and the Risk Graph. These methods are very simple and subjective, and they are analysed in detail in Chapter 3.1.

Table 18 Tolerable frequencies for people's health & safety

| Category | Consequence | Acceptable frequency (event/year) |
| A | Slight injury & harm to health (first aid) | 10^-2 |
| B | Major injury (accident) & harm to health | 10^-3 |
| C | Severe injury (accident) & harm to health | 10^-4 |
| D | One fatality or group accident | 10^-5 |
| E | Multiple fatalities | 10^-6 |

Table 19 Tolerable frequencies for economic and business consequences

| Category | Consequence | Acceptable frequency (event/year) |
| A | Minor loss (business loss: 1 to 10 kEUR) | 10^-1 |
| B | Major loss (business loss: 10 to 100 kEUR) | 10^-2 |
| C | Severe loss (business loss: 0.1 to 1 mEUR) | 10^-3 |
| D | Very severe loss (business loss: 1 to 10 mEUR) | 10^-4 |
| E | Catastrophic loss (business loss: over 10 mEUR) | 10^-5 |

Table 20 Tolerable frequencies for environmental consequences

| Category | Consequence | Acceptable frequency (event/year) |
| A | Minor effect | 10^-1 |
| B | Major effect | 10^-2 |
| C | Severe (local) effect | 10^-3 |
| D | Very severe effect | 10^-4 |
| E | Catastrophic effect | 10^-5 |

If one wants to make a comprehensive hazard and risk analysis, the minimum requirement is a Qualitative Tolerable Risk Matrix. Without this matrix there is no possibility of using Layer of Protection Analysis (LOPA is discussed in Chapter 3.1.7), which is nowadays accepted as a comprehensive semi-quantitative method of evaluating the risk and of decreasing it with Independent Protection Layers.


3.3.2 General requirements of evaluating hazards and risks

The hazards identified at the HAZOP study meeting have to be analysed with respect to the following considerations, and the findings have to be recorded in the HAZOP documentation:

The names and physical & chemical properties of all materials present in each particular process plant and item of equipment must be recorded in the course of the HAZOP study. The effects of each with respect to harm to human health or fire hazard must be indicated separately.

In general all potential discharges (loss of containment), which are the typical hazardous events (e.g. process upsets), must be recorded: e.g. pipe rupture, piping leakage, cracking of weld joints, incorrect operation, opening of flanged joints, leakage of disconnectable joints, valve failure, overfilling, etc. Potential discharges typical of process upsets must be classified and recorded in the following categories: small discharge, large discharge, fire or poisoning, explosion. This type of HAZOP analysis is called a SEVESO II Directive HAZOP study; its main target is to protect the civil community surrounding the premises of the company.

All mechanical protection devices installed on process equipment (e.g. safety relief valves, rupture disks, etc.) must be recorded, and the possibilities for the safe blow-down of gases/vapours from the safety valve or other protective equipment, e.g. to flare, must be investigated in the case of highly flammable, oxidizing, toxic and caustic media. It must also be determined whether the actuation of the mechanical protective devices entails any additional risk.

The maximum design pressure and temperature of all process equipment (e.g. pressure vessels, reactors, columns, drums & tanks) must be indicated. Should the pressure or temperature generated in process equipment exceed the maximum permissible level as a consequence of some hazardous event, this fact must also be recorded. The study investigates all events causing a deviation from the design intent.

The severity of the consequences for human life & health, economic losses and the environment upon the occurrence of a specific hazard must be determined.

It must be examined whether the series of undesired events leading to the hazard can be interrupted.

It must be established whether a hazard can be mitigated or eliminated.

It must be established whether a safety function or functions (E/E/PE or non-E/E/PE) reducing the risk of the development of a specific hazardous event can be allocated to that hazard.

3.3.3 What is Hazard and Risk analysis According to the Safety Standards?

In Chapter 1.8 we introduced the process safety standards, which split the life cycle of a Safety Instrumented System into phases; the first phase is hazard and risk analysis. This means that the first step in building a safety system is to prepare a hazard and risk analysis of the plant to be protected.


3.3.4 General requirement of preparing Hazard and Risk analysis

Hazard & Risk Analysis: identification of the hazards and hazardous events (emergency situations) inherent in the process and its associated equipment, of the sequence of events leading to an emergency, of the process risks related to emergencies, of the requirements of risk reduction and of the safety functions necessary for achieving the required level of risk reduction.

The required inputs for preparing a hazard analysis are:

Company's Functional Safety Quality Assurance (FSQA) manual

Company's Risk Assessment Criteria: Quantitative Tolerable Risk Matrix (QTRM)

Process Flow Diagrams (PFD)

Piping & Instrumentation Diagrams (P&ID)

Layout Drawings

Hazardous Area Classifications

Material Safety Data Sheets (MSDS) of all substances encountered

Preliminary Operating Manuals (Technological Instructions)

Equipment & Machinery Datasheets

Start-up & Emergency Shut-down Procedures (operating instructions)

Outputs:

The hazards and hazardous events inherent in the technological process and its associated equipment

The sequence of events leading to an emergency situation

The risk level of the process arising from the dangerous event

The hazard & risk analysis (HAZOP) report

The safety functions necessary for achieving the required level of risk reduction and their tasks (preliminary cause & effect (C-E) matrix)

Activities and procedures:

Identify the hazards and hazardous events inherent in the technological process and its associated equipment

Identify the sequence of events leading to any emergency situation

Identify the initial causes leading to hazards and hazardous events (emergencies)

Determine the frequency of the occurrence of initial causes

Determine the severity of consequences related to identified hazards for

Humans

Environment

Business


Estimate the risk levels related to identified hazards (unmitigated frequency)

Specify the requirements of risk reduction using the QTRM

Specify the instrumented safety functions necessary for achieving the required level of risk reduction (see LOPA in details in Chapter 4)

Check whether the planned safety functions would be sufficient for achieving the specified level of risk reduction (see LOPA in details in Chapter 4).
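As an added example (mine, not from the dissertation), the following Python code carries the last steps of the procedure above through in code: it encodes the tolerable frequencies of Tables 18 to 20, derives the required risk reduction from the unmitigated frequency, applies Equation 7 to the planned independent protection layers and reports whether the target is met and how much further reduction an additional safety function would still have to provide. The unmitigated frequency, the consequence categories and the PFD values in the demonstration are constructed, not taken from the dissertation.

```python
# Tolerable frequencies in events per year, categories A to E (Tables 18, 19, 20).
TOLERABLE = {
    "people":      {"A": 1e-2, "B": 1e-3, "C": 1e-4, "D": 1e-5, "E": 1e-6},
    "business":    {"A": 1e-1, "B": 1e-2, "C": 1e-3, "D": 1e-4, "E": 1e-5},
    "environment": {"A": 1e-1, "B": 1e-2, "C": 1e-3, "D": 1e-4, "E": 1e-5},
}


def required_risk_reduction(unmitigated_freq, receptor, category):
    """Risk reduction factor needed to bring the unmitigated frequency of the
    hazardous event down to the tolerable frequency of the matrix cell.
    A value <= 1 means the unmitigated risk is already tolerable."""
    return unmitigated_freq / TOLERABLE[receptor][category]


def worst_required_rrf(unmitigated_freq, categories):
    """categories maps receptor -> consequence category, e.g.
    {"people": "D", "business": "C", "environment": "B"}; the safety
    functions must satisfy the most demanding of the three tables."""
    return max(required_risk_reduction(unmitigated_freq, r, c)
               for r, c in categories.items())


def mitigated_frequency(unmitigated_freq, pfds):
    """Equation 7: independent layers act as a parallel structure, so the
    event frequency is multiplied by the product of their PFDs."""
    f = unmitigated_freq
    for pfd in pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("PFD must lie in (0, 1]")
        f *= pfd
    return f


def check_protection(unmitigated_freq, categories, pfds):
    """Check whether the planned layers are sufficient for every receptor.

    Returns (sufficient, mitigated_freq, additional_rrf): additional_rrf is
    the risk reduction an extra safety function (e.g. a SIS) would still have
    to provide, 1.0 when the planned layers already meet every target."""
    mitigated = mitigated_frequency(unmitigated_freq, pfds)
    additional = 1.0
    for receptor, category in categories.items():
        additional = max(additional, mitigated / TOLERABLE[receptor][category])
    return additional <= 1.0, mitigated, additional


if __name__ == "__main__":
    # Constructed scenario: initiating event 0.1 per year, consequences rated
    # D for people, C for business and B for the environment.
    freq = 0.1
    cats = {"people": "D", "business": "C", "environment": "B"}
    print("required RRF:", worst_required_rrf(freq, cats))
    # Planned IPLs: alarm with operator action (PFD 0.1), relief valve (PFD 0.01).
    print("two IPLs:", check_protection(freq, cats, [0.1, 0.01]))
    # A further safety function with PFD 0.01 closes the remaining gap.
    print("three IPLs:", check_protection(freq, cats, [0.1, 0.01, 0.01]))
```

In the constructed scenario the people table dominates (required RRF 10^4), the two planned layers leave a mitigated frequency of 10^-4 per year, ten times the tolerable 10^-5, and the check reports that an additional safety function with a risk reduction of 10 is still needed.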

Criteria of successful performance:

• Employment of complete, accurate and up-to-date source documents

• A well-prepared, credible and well-organized H&RA team

• Systematic and thorough investigation

• Investigation of toxicity, fire and explosion hazards with respect to people, the environment and the business

• Identified and accurately placed risk-reducing safety solutions and recommendations

• Accurate and clear-cut H&RA documentation.

3.4 Overview and critical analysis of recent HAZOP practice

Currently the HAZOP study is the most frequently used method for analysing hazards and risky operating situations in plants of the chemical, petrochemical, oil and gas industries. The HAZOP method is described in great detail in the HAZOP standard [IEC_882].

There are some practical problems with making the HAZOP study:

• The participants have to be trained first, to equalise their knowledge of the HAZOP study methodology

• The HAZOP study is a time (and of course cost) consuming process

• The quality of the study depends on the experience of the participants

• It is not so easy to split a plant into nodes

• Neither the HAZOP standard [IEC_882] nor recent practice uses anything other than nodes, and no sub-nodes at all, which makes the work less practical

• In practice there is no automated solution for preparing a HAZOP study automatically

• In practice there are no “knowledge-based” solutions

I developed a solution to these questions and problems and implemented it in the Tool4S software.

3.4.1 Overview of HAZOP methodology

Since the development of hazard and operability (HAZOP) studies by ICI in the mid-1960s, they have been a cornerstone of the risk assessment of process plants. The purpose of the HAZOP study is to investigate how the facility responds to deviations from design intent or normal operation, e.g. to find out whether the plant has sufficient control and safety features to ensure that it can cope with the expected deviations encountered during normal operations. A traditional HAZOP study has the following phases (Skelton et al., 1997):

Pre-meeting phase: The purpose and objective of the study are defined. The leader of the HAZOP study gathers information about the facility, such as process flow diagrams (PFD), process & instrumentation diagrams (P&ID), the plant layout, chemical hazard data sheets etc., and proposes a division of the plant into sections and nodes. For each node, or for the plant as a whole, the leader identifies the relevant process parameters and deviations from design intent or normal operation, based on either past experience or company guidelines. The leader also identifies the participants who will take part in the review of the different sections of the plant, and ensures their availability. Typically these include the process design engineer, the control engineer, the project engineer and an operator, besides the experienced team leader. All of these people have large demands on their time during a project. The team leader schedules a sufficient number of half-day HAZOP meetings.

Meeting phase: At the start of the HAZOP meeting the technique is briefly reviewed, and the specific scope of the present study is stated. The overall facilities are described e.g. using a 3D computer model. Then the team considers each P&ID or PFD in turn. The team leader ensures that process parameters and deviations are considered in a rigorous and structured manner, results are recorded, and all areas meriting further consideration are identified by action items.

Post-meeting phase: After the HAZOP meeting all action items are followed up by the persons assigned to them during the meetings, and the results of the follow-up are reported to the team leader. The team might call a review meeting to determine the status of all action items and decide whether additional efforts are needed.

In practice there are many types of HAZOP, such as Major Hazards Analysis (Baybutt et al., 2003, 2008 [BAY_03a], [BAY_03b], [BAY_08]) in the US and SEVESO HAZOP in the EU, and Process HAZOP, which analyses deviations in the operation of a plant. In my thesis I focused on the Process HAZOP only.

3.4.2 Overview of cost effective HAZOP studies

In the early 1990s the cost of the HAZOP study was critically questioned, in spite of the fact that its contribution to the total project cost is remarkably low. Comparing the cost of the HAZOP study with its results (saving human lives, the environment and the business), it is an investment with a very fast payback, and everybody accepts this argument. In spite of this calculation, a very frequently asked question is: shall we reduce the time of the HAZOP study, as our people are busy, overloaded, etc.?

This approach decreases the possibility of the local people learning more about their plant and about safety, and thereby improving their safety culture.

The following solutions have been suggested for reducing the cost of the HAZOP study:

• Equipment modelling for automatic HAZOP (Bartolozzi et al., 2000 [BAR_00]; Venkatasubramanian et al., 2000 [VEN_00])

• Functional approach to the HAZOP study (Rossing et al., 2005 [ROS_05])

• Knowledge-based expert systems (Khan et al., 1997 [KHA_97a], [KHA_97b]; Zhao et al., 2009 [ZHA_09]; Rahman et al., 2009 [RAH_09])

3.4.3 Automation of HAZOP study preparation

A rule-based expert system prototype called HAZOPEX was developed using the KEE shell by Karvonen et al. (1990) [KAR_90]. The HAZOPEX system’s knowledge base consisted of the structure of the process system and rules for searching causes and consequences. The rules for the search of potential causes are of the type, ‘If deviation type AND process structure: conditions THEN potential cause’. One important drawback of these rules is that the condition part of the rules depended on the process structure.

Nagel et al. (1991) [NAG_91] developed an inductive and deductive reasoning based approach to automatically identify potential hazards in chemical plants caused by hazardous reactions, the requisite conditions that enable the occurrence of these reactions, and the design or operational faults. This is a reaction-based hazard identification approach limited to only such hazards, and thus is not as general or as useful as conventional PHA approaches.

Catino et al. (1995), [CAT_95] developed a prototype HAZOP identification system, called Qualitative Hazard Identification (QHI). QHI works by exhaustively positing possible faults, automatically building qualitative process models, simulating them, and checking for hazards [CAT_95]. QHI matches a library of general faults such as leaks, broken filters, blocked pipes and controller failures against the physical description of the plant to determine all specific instances of faults that can occur in the plant.

Suh et al. (1997) [SUH_97] developed a knowledge-based prototype expert system for automated HAZOP analysis. This system comprises three knowledge bases: a unit knowledge base, an organizational knowledge base and a material knowledge base, and three hazard analysis algorithms: deviation, malfunction and accident analysis algorithms.

Khan et al. (1997) [KHA_97a], [KHA_97b] proposed a knowledge-based software tool, called TOPHAZOP, for conducting HAZOP. The knowledge base consists of two main branches: process-specific and general.

To overcome the shortcomings of purely quantitative and qualitative HAZOP analysis methods, Srinivasan et al. (1998) [SRI_98] proposed a hybrid knowledge-based mathematical programming framework, where the overall features of a particular hazardous scenario are extracted by inexpensive qualitative analyses.

HAZOPExpert is a model-based, object-oriented, intelligent system for automating HAZOP analysis developed by Venkatasubramanian et al. during 1990–1994 for continuous processes [VEN_94]. In their approach, they recognized that while the results of a HAZOP study may vary from plant to plant, the approach itself is systematic and logical, with many aspects of the analysis being the same and routine for different process flow sheets. It turns out that about 70% of time and effort is spent on analyzing these routine process deviations, their causes, and consequences [VEN_00].

Most of the above approaches to automated hazard analysis were demonstrated on small-scale processes or academic prototypes. They were, in general, limited to the process that was under consideration and were difficult to modify and apply to a wide variety of industrial-scale process plants. Another problem with these solutions was that they used special symbols for instruments and equipment instead of the P&ID, which meant extra work for the HAZOP team members.

A further problem of these methods is that they are unable to identify and evaluate the safeguards.

3.4.4 Functional approach of HAZOP

The functional HAZOP provides a structured approach for dividing the plant into sections and the sections into nodes. The procedure involves the following steps:

• State the aim or purpose of the plant.

• Divide the plant into sections, each of which has a clear sub-purpose or sub-aim in contributing to the overall purpose of the plant.

• Divide each section into nodes, the function of which can be directly described by physical or chemical phenomena. Examples of such nodes are: gas transport, liquid transport, liquid storage and gas-liquid contact.

• For each type of node, i.e. each physical or chemical phenomenon, describe the process parameters which identify design intent or normal operation. For a node with the function 'gas transport', normal operation could be described by flow rate, temperature, pressure and number of phases.

• For each process parameter the relevant deviations are specified. For flow the relevant deviations are more, less and reverse. In this work the deviation 'no flow' is considered as a limiting situation of 'less flow', and hence is not considered separately.

3.4.5 Comparison of traditional HAZOP and functional HAZOP

Rossing et al. (2005) [ROS_05] compared the results of a traditional HAZOP of the reflux section of a distillation pilot plant with the functional approach described above, and found that the functional HAZOP requires about half the effort, measured by counting the number of lines in the HAZOP report. This number is assumed to be proportional to the time required for the study. A traditional HAZOP of the mentioned section resulted in 14 lines in the HAZOP report, while the functional approach produced just 8 lines.

Rossing et al. (2005) [ROS_05] also report that the functional approach facilitates discovering causes of deviations which originate far from the node in which the deviation occurs. Some recent loss events in the chemical industry have involved such situations.

Nowadays the functionality of the HAZOP is clear to everybody, but efforts are still being made to make HAZOP studies more cost effective.

3.4.6 Knowledge-based expert system

HAZOP analysis done by human teams has the following shortcomings: it is time consuming, laborious, expensive and inconsistent. To solve these problems, various model- and/or rule-based HAZOP expert systems have been developed during the last decade, which were reviewed by Venkatasubramanian et al. (2000) [VEN_00]. These systems, however, can only address “routine” or process-generic HAZOP analysis. “Routine” HAZOP analysis means that its reasoning logic can be applied to different processes, while “non-routine” HAZOP analysis means that its reasoning logic is process specific or plant specific. Generally, analyses of deviations generated using the guidewords “other than”, “as well as” and “part of” are “non-routine”. As a result, these kinds of deviations are hardly addressed in the literature about HAZOP expert systems.

In the process industry, “routine” HAZOP analysis roughly occupies 60–80% of the work, while “non-routine” HAZOP analysis occupies 20–40%. Due to the lack of self-learning capability in existing HAZOP expert systems, the knowledge of “non-routine” analysis can hardly be formalized and reused for similar chemical processes, and the “non-routine” HAZOP analysis still needs to be addressed by human experts.

To evaluate the output quality of the signed directed graph (SDG) model-based HAZOP expert system HAZID, developed by McCoy et al. (1999) [www.hazid.com], five industrial plant systems which had not been used during the model development stage were selected as a test set (McCoy et al., 2000). The output of HAZID was compared against the results of conventional HAZOP studies done by human teams. The results of the HAZID expert system were less than expected, and the new PetroHAZOP software was developed. The PetroHAZOP expert system was based on looking for similarity using five types of attributes for each case: object (such as equipment), string (such as the material name), numeric (such as the operating temperature of equipment), interval-numeric (such as design parameters) and set object (such as materials). Different similarity algorithms were employed to calculate the similarities of the different types of attributes.

3.4.7 Problems of the recent solutions

Analysing the methods for reducing the manpower and time consumed in preparing HAZOP studies, I faced several problems. For better understanding I started from the definition of the HAZOP study:

• “Identifying potential hazards in the system. The hazards involved may include both those essentially relevant only to the immediate area of the system and those with a much wider sphere of influence, e.g. some environmental hazards;

• Identifying potential operability problems with the system and in particular identifying causes of operational disturbances and production deviations likely to lead to nonconforming products.”

Reading this definition, it is clear that there are as many HAZOPs as there are plants, and even that as many HAZOP teams as analyse the same plant will generate as many different HAZOP studies for it.

A more detailed analysis of the existing problems is given in 3.5.1, where I define my research goal and requirements based on this analysis.

3.5 Development of a new solution for preparing HAZOP

I analysed the research results published in the hazard and risk analysis area. My conclusion was that the researchers focused on the automation of the HAZOP study rather than looking for other practical ways. The best result was that 30% of the studies could be automated.

My first question was: what about the other 70%? That is why I decided to look for other ways of doing the HAZOP study.

In this part of the thesis my goals were:

• Finding typical solutions in the process industry, such as

  • Burner management

  • Turbines

  • Compressors, etc.

• Making templates for these typical solutions

• Building a software tool which supports this solution

• Testing it in practice

The result of my research was the Tool4S software, see [Tool4S], and an example of this solution is found in Chapter 3.5.2.

The feedback from the application of this method indicated that this direction of research is a good way of reducing the cost of preparing a HAZOP study.

3.5.1 HAZOP manager: cost effective HAZOP study solution

A very frequently asked question is how many people and how much time are needed for preparing a given HAZOP study. Before we start analysing how to reduce the number of people and the time spent on preparing a HAZOP study, it is important to determine the minimum technical and knowledge requirements of a HAZOP study.

Minimum technical requirements are:

• P&I diagrams

• PFD diagrams

• Licensor description and requirements

• Technological description

• Manuals and descriptions for the operators

• Classification of the toxic and explosive materials used in the technology

• Company safety policy, including

  • Target risk matrices for the people

  • Target risk matrices for the environment

  • Target risk matrices for the business

• Description of the shutdown system

• Alarm management system and alarm set points

• Trip set points

• Actual instrument list (tag list)

• BPCS configuration and connection to the SIS, control system topology.

The problems arise from missing some of the above requirements. The reasons for not having the information are that either the HAZOP study is prepared at a very early stage of the investment (like a preliminary HAZOP), or, when there is a revamp of an old plant, the documentation does not exist or is not up to date at the given time. The more of the above-listed requirements are available, the better and more cost-effective the HAZOP study will be.

Another issue is the number and profession of the people taking part in the HAZOP study. The HAZOP team has to be composed to match the hazard problem to be analysed, i.e. turbines or compressors need mechanical and instrument engineers, while a distillation tower needs chemical engineers. Another important question is the position of the participants. Our experience shows that the highest position would be the plant manager, but the operators and shift leaders are better. The HAZOP team leader has to build up an atmosphere within the team where everybody has the freedom to express his/her honest opinion based on his/her knowledge. The HAZOP team leader has to work like a reporter, or even as a moderator, at the HAZOP meetings. It is preferable to change the participants even day by day, according to the problem to be analysed.

The functionality of the HAZOP study is clear to everybody, but the HAZOP team leader shall take over the responsibility of structuring the plant into HAZOP nodes in advance.

The preferable structure is:

• Project, for example: HAZOP and SIL study of General Refinery

• Project unit, for example: Hydrogen Plant of General Refinery

• HAZOP study, for example: Furnace in the Hydrogen Plant of General Refinery

• HAZOP Node, for example: Furnace 1 of Hydrogen Plant of General Refinery

• HAZOP Sub-nodes for Furnace 1, for example: Fuel gas line of the burners of Furnace 1 in the Hydrogen Plant of General Refinery

• HAZOP Scenarios for Furnace 1, fuel gas line of the burner, with parameter and guidewords, for example:

  • Natural gas pressure is low

  • Natural gas pressure is high.

There are attempts at automating the HAZOP study. The question is what and why.

When the building of a new chemical, petrochemical or refinery plant starts, first the technology licensor is selected, who will provide the basic engineering of the plant. The basic engineering never takes into consideration the local specialities and requests. For example, hydrogen plants anywhere in the world, even having the same licensor but a different EPC partner and end-user, will never be 100 % identical. The question is how to automate the HAZOP study for a hydrogen plant. Which part will be automated, and why? And who will do this work?

From a certain point of view a pump is a pump everywhere, etc., but this approach leads to a misinterpretation of the problem, since this is not automation; within a plant it is a copy-and-paste task and nothing more.

Another “hot” question is who will automate the HAZOP and which part of the HAZOP shall be automated: HAZOP nodes, HAZOP sub-nodes, or even HAZOP scenarios? Who will take over the responsibility for the results? Who has the competence to decide that the result is good? Will it be good for the whole company?

Too many questions are to be answered, and we feel that this solution will not lead to the future.

Another suggested solution is when somebody (the HAZOP leader or the end-user?) draws schematics of the HAZOP nodes, building up the hazard scenarios automatically. That means that the complete plant has to be redrawn again in a simplified form. Who will pay for this extra work? Drawing is a much slower procedure than the HAZOP meeting itself. What will happen if the drawing is not correct? The HAZOP study will be misinterpreted too.

Another development direction is the adaptive HAZOP node. Behind this philosophy there is the aim of building up a knowledge base and feeding it back into the HAZOP nodes. The question is what the result of this feedback is. Who has the better answer for the hazard scenarios, and why? Who will decide about adapting or not adapting the new hazard knowledge?

The above questions led us to the following question: what does the knowledge base mean? After preparing some 100 HAZOP studies in the refinery industry, we discovered and identified a lot of similarities in our work. However, this was nothing more than a copy-and-paste method for handling the similarity.

Our conclusion was that the best way is to prepare HAZOP node “templates” and use them to speed up our work and make it more effective.

This solution gives the possibility of improving our knowledge-base philosophy and puts an editable template into the hands of the HAZOP leader and the HAZOP team, leaving only the work of filling in the template with the current actual tag names, scaling the consequences according to the company’s target matrices, and checking the template’s IPLs (Independent Protection Layers) against the realised ones and modifying them accordingly.

A very minimum requirement for preparing a HAZOP study is the availability of correct P&ID drawings. Without them it is impossible to prepare a HAZOP study. But if the P&ID drawings are correct, then based on our template philosophy 90% of the hazard scenarios can be prepared in advance. Sending this preliminary HAZOP study to the end-user in electronic form gives the possibility of reducing the time spent on the oral HAZOP study.

What is the advantage of this method?

• The template is a knowledge-based solution

• The template is a context-independent method to solve the problem

• Preparing a preliminary HAZOP needs only one person

• It gives the end-user the possibility to study, ask questions about and suggest modifications to the preliminary HAZOP study before the oral HAZOP meeting

• In the oral HAZOP meeting there is no need for a secretary, since 90 % of the HAZOP study is in written form in advance, and at the HAZOP meeting it only has to be modified

• It saves the end-user’s time, since no on-site typing is needed at all, or only a small amount compared to the traditional HAZOP studies.

We implemented this solution in our Tool4S (Tool for SIL) software as an option.

Using our program everybody can modify and extend the template library, supervise and modify it case by case, and feed back the experience of their company and even of other companies.

What is the disadvantage of this method?

• The knowledge base refers to our experience and practice in preparing HAZOP studies and safety applications in the process industry

• At present, neither a forum nor a competent authority exists to certify the correctness of the templates.

In the next paragraph we show an example of how we built up a burner management template in the petrochemical industry.

3.5.2 HAZOP template example

In our simple example (see Figure 20), we show all the features of our Furnace Template, realised in the “Tool4SIL” software.

We built up the following structure: the furnace unit is divided into six different “Sub Nodes” (see Figure 21): Technology, Gas burner, Oil burner, Radiation Zone, Convection Zone and Steam Drum. In the example the structure shows the functionality of the HAZOP study:

• Project: SIL template Library

• Project unit: Furnace templates

• HAZOP Node: Furnace templates HAZOP study

• HAZOP Sub-nodes:

  • Technology

  • Gas burner

  • Oil burner

  • Radiation

  • Convection Zone

  • Steam drum

with parameters and guidewords (see Figure 22), for example in the case of gas burners:

• Main burner fuel gas pressure is low

• Main burner fuel gas pressure is high

• Pilot burner fuel gas pressure is low

• Pilot burner fuel gas pressure is high

• Furnace combustion air flow is low/no

• Unsuccessful ignition of [H] furnace pilot burner - AT START-UP

• Unsuccessful ignition of [H] furnace main burner - AT START-UP

Figure 20 Example of a natural gas burner

Figure 21 Example of the functionality of the Furnace template (tree shown in the figure: SIL Template Library > Templates: Furnace > Furnace HAZOP > Furnace HAZOP sub-nodes)


Figure 22 Example of gas burner’s hazard scenarios

Figure 23 Example of main gas burner pressure high hazard scenario


Figure 24 Example of main gas burner pressure low hazard scenario in editable mode

In Figure 22 I show the functionality of the Template Library regarding different hazard scenarios, and in Figure 23 and Figure 24 some hazard scenarios of gas burners.

The hazard scenarios have a feature called parameter (in our example it is the pressure) and a trip feature (in our example it is the high trip). The exact trip value will be given at the HAZOP meeting by the HAZOP team.

Using the menu part (in the red frame) in edit mode, one can freely modify any box of the hazard scenario by clicking on the box, and a green line on the left side of the box will indicate where one is. One can also delete any of the boxes, or even add a new box before or after the selected box.

In the other menu part (in the black frame), one can scale the unmitigated frequency of the hazard causes and rank the consequences for humans, the environment and the business based on the given company qualitative target risk matrix (QTRM).

In the other menu part (in the purple frame in Figure 24), one can select and set all the IPLs (Independent Protection Layers) taken into consideration for the given hazard scenario. The PFD value of each IPL is set in the same part, on the given box.

In box 1.1.1 of Figure 24 one can find the SIF (Safety Instrumented Function) protecting against the given hazard scenario. Another part of the Tool4S software gives the possibility to build up the SIF (logic, narratives, SRS etc.). This feature is also shown in Figure 25.


Figure 25 Example of main gas burner pressure low hazard scenario, SIF SRS
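The template workflow of Sections 3.5.1 and 3.5.2 (a node template with placeholder tags, filled in with the plant's real tag names, each scenario then scaled against the company target matrix with its IPLs and PFD values) as an added Python example; this is not code from the dissertation or from Tool4S. The furnace template content, the tag names (PT-1201 etc.), the frequencies, PFD values and the target matrix are constructed sample data, and the SIL bands are the standard IEC 61508/61511 ranges.

```python
"""Added example, not code from the dissertation or from Tool4S: a minimal
HAZOP node template library in the spirit of Section 3.5. A furnace template
maps sub-nodes to hazard scenarios with {TAG} placeholders; instantiating it
fills in the plant's real tag names, and each scenario is then scaled against
the company's target risk matrix to size the SIF that protects it.
Tag names, frequencies, PFD values and the target matrix are constructed."""
from dataclasses import dataclass, field, replace
from math import prod
from typing import Dict, List, Tuple


@dataclass
class IPL:
    """An Independent Protection Layer credited in a scenario (not the SIF)."""
    name: str
    pfd: float  # probability of failure on demand, 0 < pfd <= 1


@dataclass
class Scenario:
    parameter: str           # e.g. "pressure"
    guideword: str           # e.g. "low" or "high"
    description: str         # may contain {TAG} placeholders
    unmitigated_freq: float  # frequency of the initiating cause, per year
    severity: str            # consequence rank on the company matrix
    ipls: List[IPL] = field(default_factory=list)


Template = Dict[str, List[Scenario]]  # sub-node name -> its hazard scenarios

# Constructed target matrix: tolerable frequency (per year) for each rank.
TARGET_MATRIX = {"minor": 1e-2, "serious": 1e-3, "major": 1e-4, "catastrophic": 1e-5}

# Constructed furnace template, modelled on the gas burner sub-node of 3.5.2.
FURNACE_TEMPLATE: Template = {
    "Gas burner": [
        Scenario("pressure", "low", "Main burner fuel gas pressure at {PT_MAIN} is low",
                 unmitigated_freq=0.5, severity="catastrophic",
                 ipls=[IPL("BPCS pressure control {PIC_MAIN}", 0.1),
                       IPL("Operator response to low-pressure alarm", 0.05)]),
        Scenario("pressure", "high", "Main burner fuel gas pressure at {PT_MAIN} is high",
                 unmitigated_freq=0.2, severity="serious",
                 ipls=[IPL("Relief valve {PSV_MAIN}", 0.01)]),
    ],
}


def instantiate(template: Template, tags: Dict[str, str]) -> Template:
    """Copy the template with every {TAG} placeholder replaced by a plant tag.
    A placeholder without a tag is an error: a line still naming a generic
    template tag must never reach the HAZOP report."""
    def fill(text: str) -> str:
        try:
            return text.format_map(tags)
        except KeyError as exc:
            raise ValueError(f"no plant tag supplied for placeholder {exc}") from None

    return {sub_node: [replace(s, description=fill(s.description),
                               ipls=[IPL(fill(i.name), i.pfd) for i in s.ipls])
                       for s in scenarios]
            for sub_node, scenarios in template.items()}


def mitigated_frequency(s: Scenario) -> float:
    """Frequency left after the credited non-SIF layers: f * PFD_1 * ... * PFD_n."""
    for ipl in s.ipls:
        if not 0.0 < ipl.pfd <= 1.0:
            raise ValueError(f"IPL {ipl.name!r} has an invalid PFD {ipl.pfd}")
    return s.unmitigated_freq * prod(ipl.pfd for ipl in s.ipls)


def required_sif_rrf(s: Scenario, matrix: Dict[str, float] = TARGET_MATRIX) -> float:
    """Risk reduction the SIF must still deliver; 1.0 if the target is already met."""
    return max(1.0, mitigated_frequency(s) / matrix[s.severity])


def sil_from_rrf(rrf: float) -> int:
    """Map a required RRF onto the IEC 61508/61511 SIL bands; 0 means no SIL needed."""
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1000:
        return 2
    return 3 if rrf < 10000 else 4


def evaluate(template: Template, tags: Dict[str, str]) -> List[Tuple[str, float, int]]:
    """Instantiate the template; return (description, required RRF, SIL) per scenario."""
    rows = []
    for scenarios in instantiate(template, tags).values():
        for s in scenarios:
            rrf = required_sif_rrf(s)
            rows.append((s.description, rrf, sil_from_rrf(rrf)))
    return rows
```

With the sample data the low-pressure scenario still needs a risk reduction of 250 from its SIF (SIL 2), while the relief valve alone already brings the high-pressure scenario to its target, so no SIF is required there.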

3.5.3 Summary and evaluation

In the thesis I demonstrated a different approach to preparing HAZOP studies in a cost-effective way. This method was tested in Slovnaft first as a pilot project, and after a detailed discussion of this method with our partner, whose staff supported this type of HAZOP study technology, we used this method for preparing more than 100 HAZOP studies in a very efficient way in the Slovnaft Refinery.

Our method is a knowledge-based and template-driven expert system, which greatly speeds up the process of making a HAZOP study. Unfortunately, without experience in the process industry and in oil and gas and petrochemical technology it is impossible to use this method. In practice one has to be an expert process engineer to use this method.

3.6 Implementation of the template HAZOP method into Tool4S software

3.6.1 Objective of the Tool4S software

After studying the existing HAZOP and LOPA software on the world market, I decided to develop new integrated HAZOP and LOPA study software with the following objective:

• Developing better and more effective software than those available on the world market.

3.6.2 Requirement of Tool4S SOFTWARE

The requirements for the Tool4S software to be developed were:

• Using the highest-level Microsoft development tools

• Web-based software

• Multiuser capability

• Group HAZOP study capability (several people can work in parallel on the same HAZOP study)

• Multilevel HAZOP study structure

• Integration of the HAZOP study and the LOPA calculation

• Developing a better and more precise LOPA calculation

• Reports:

  • HAZOP

  • SRS

  • SIF list

  • Tag list

  • List of recommendations

3.6.3 Results of the development of the Tool4S software

The resulting Tool4S software was used in more than 100 HAZOP studies and LOPA calculations; it made our work very efficient and economical and saved a lot of labour time for our partners.

After the development of the integrated HAZOP/LOPA software I decided to add a new feature: SIL validation, integrated into the Tool4S software.

3.6.4 Description of the Tool4S software

The description of the Tool4S software is downloadable from www.sil4s.com/Tool4S/help.


4 Management of Risk assessment: cumulative LOPA

In the thesis I investigated the possibility of improving the objectivity of the hazard and risk analysis of safety instrumented systems by developing a multi-layer hazard evaluation system based on LOPA (Layer of Protection Analysis), which makes the work more objective and solves the evaluation of the consequences of the hazards by calculating the SIL value for all SIFs in the safety instrumented system. I also introduced a semi-qualitative method (LOPA), which gives the possibility of reducing the consequences using other (not instrumented) systems, which can be cheaper than the safety instrumented system.

LOPA was a well-known method for evaluating the risk reduction ability of a system, but the proposed method, called the multi-layer LOPA method, takes into consideration all hazards and risks (hazard scenarios) which are protected by the same SIF (Safety Instrumented Function). With the help of this method one can calculate a much more accurate SIL value for the SIFs. A further development target was to calculate the RRF (Risk Reduction Factor) value for all SIFs, giving the possibility of designing the proof test interval more precisely. Based on these requirements an integrated HAZOP/LOPA software (called Tool4S, Tool for Safety) was developed and tested in more than 100 hazard and risk analysis projects in the Slovnaft and Danube Refineries.
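The idea stated above, that all hazard scenarios protected by the same SIF are evaluated together rather than one by one, as an added Python illustration that is my own and not the dissertation's algorithm or Tool4S code. It assumes that the demand frequency seen by a SIF is the sum of the mitigated frequencies of the scenarios it protects, that the SIF must reduce that total below the tolerable frequency of the most severe of them, and that the proof test interval follows the simplified low-demand 1oo1 relation PFDavg = lambda_DU * TI / 2; all scenario data, tags and the target matrix are constructed.

```python
"""Added example (my own illustration, not the dissertation's algorithm or
Tool4S code) of the idea behind a cumulative LOPA: hazard scenarios that are
protected by the same SIF are evaluated together instead of one by one.
Assumptions: the demand frequency seen by a SIF is the sum of the mitigated
frequencies of all scenarios it protects, and the SIF must reduce that total
below the tolerable frequency of the most severe of those scenarios.
All scenario data are constructed sample values."""
from collections import defaultdict
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Tuple

# Constructed company target matrix: tolerable frequency per year by rank.
TOLERABLE = {"serious": 1e-3, "major": 1e-4, "catastrophic": 1e-5}


@dataclass
class Scenario:
    name: str
    sif: str                 # tag of the SIF that protects this scenario
    unmitigated_freq: float  # frequency of the initiating cause, per year
    ipl_pfds: List[float]    # PFDs of the non-SIF layers credited
    severity: str            # consequence rank on the company matrix

    def demand_freq(self) -> float:
        """Frequency with which this scenario still demands the SIF to act."""
        return self.unmitigated_freq * prod(self.ipl_pfds)


def sil_from_rrf(rrf: float) -> int:
    """IEC 61508/61511 SIL band for a required RRF (0 = no SIL needed)."""
    return sum(rrf >= bound for bound in (10, 100, 1000, 10000))


def single_scenario_sil(scenarios: List[Scenario]) -> Dict[str, Tuple[float, int]]:
    """Conventional LOPA: each scenario sized on its own -> {name: (RRF, SIL)}."""
    out = {}
    for s in scenarios:
        rrf = max(1.0, s.demand_freq() / TOLERABLE[s.severity])
        out[s.name] = (rrf, sil_from_rrf(rrf))
    return out


def cumulative_sil(scenarios: List[Scenario]) -> Dict[str, Tuple[float, float, int]]:
    """Cumulative LOPA: all scenarios on one SIF together -> {sif: (demand, RRF, SIL)}."""
    by_sif: Dict[str, List[Scenario]] = defaultdict(list)
    for s in scenarios:
        by_sif[s.sif].append(s)
    out = {}
    for sif, group in by_sif.items():
        total = sum(s.demand_freq() for s in group)
        target = min(TOLERABLE[s.severity] for s in group)  # most severe consequence
        rrf = max(1.0, total / target)
        out[sif] = (total, rrf, sil_from_rrf(rrf))
    return out


def max_proof_test_interval(rrf: float, lambda_du: float) -> float:
    """Longest proof test interval (years) for a 1oo1 SIF with dangerous
    undetected failure rate lambda_du (per year), using the low-demand
    approximation PFDavg ~= lambda_du * TI / 2 with PFDavg = 1 / RRF."""
    return 2.0 / (rrf * lambda_du)


# Constructed: three gas-burner scenarios all tripped by the same fuel gas SIF,
# plus one steam drum scenario on a second SIF.
SAMPLE = [
    Scenario("Main burner fuel gas pressure low", "SIF-101", 0.05, [0.1], "major"),
    Scenario("Pilot burner fuel gas pressure low", "SIF-101", 0.04, [0.1], "major"),
    Scenario("Combustion air flow low", "SIF-101", 0.6, [0.01], "major"),
    Scenario("Steam drum level low", "SIF-102", 0.1, [0.1, 0.1], "serious"),
]

if __name__ == "__main__":
    print(single_scenario_sil(SAMPLE))
    print(cumulative_sil(SAMPLE))
```

Sized one scenario at a time, each of the three burner scenarios asks only SIL 1 of SIF-101; summed over the demands it actually sees, SIF-101 needs an RRF of 150, i.e. SIL 2, and with a constructed lambda_DU of 0.01 per year its proof test interval shrinks to about 1.3 years.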

4.1 Overview of LOPA method

In this chapter I analysed the LOPA methods used in practice for determining the SIL values of SIFs.

4.1.1 History of LOPA method

In the 1990s companies and industry groups developed standards for designing, building and maintaining what were then called ESD systems, focusing only on the PLC part of the system. A PLC in a “safety application” was classified according to the German standards [DIN_00], [DIN_250], [DIN_81], [DIN_BAS], [DIN_54], [VDE_16]. The first general safety standard, IEC 61508 parts 1-7 [IEC_508], was issued in 1998 in Europe, with its counterpart [ISA_84] in the US; these changed safety thinking dramatically, both in general and in industry-specific ways. In 2004 IEC 61511 parts 1-3 [IEC_511], the process-sector safety standard valid for the chemical, petrochemical and oil and gas industries, was published. This standard introduced the basic principles of Safety Instrumented Systems (SIS) and Safety Instrumented Functions (SIF).

A key input for the tools and techniques required to implement these standards was the target probability of failure on demand (PFD), i.e. the SIL of the SIF (see Chapter 1.8.7, Table 2), calculated for each Safety Instrumented Function (SIF). Process Hazard Analysis (PHA) teams and project teams struggled to determine the required Safety Integrity Level (SIL) for all SIFs (“interlocks”) of all hazard scenarios.

Within these techniques, the concept of layers of protection analysis (LOPA), an approach for analysing the number of layers needed to protect the process against the unwanted consequences of hazards, was first published by the Center for Chemical Process Safety (CCPS) in the book Guidelines for Safe Automation of Chemical Processes [CCPS_93] in 1993. From those concepts several companies developed internal procedures for Layer of Protection Analysis (LOPA) [AIC_01], and in 2001 CCPS published a book describing LOPA methods [CCPS_01], referring also to [CAG_00], [CAG_02] and [CAT_95].

In this thesis I briefly describe the LOPA process and discuss my experience in implementing this technique.

4.1.2 Basic about LOPA

In Chapter 3.1.7 I gave an example of the onion-peel model of LOPA (see Figure 12). Based on this, the layer of protection analysis model was adapted by different industry sectors according to their specific needs [DOW_97], [CAG_00], [CAG_02], [CAT_95], [MAR_02].

The following criteria apply to every protection layer developed to reduce the risk:

Specificity: an independent protection layer must be designed specifically to prevent one defined consequence.

Independence: the protection layer must function completely independently of all other protection layers; equipment cannot be shared between different protection layers.

Reliability: the protection layer must reliably prevent the consequence. Both systematic and random failures must be taken into account when the device is developed.

Verifiability: the protection layer must be tested and maintained. Such functional tests are necessary to ensure that the risk reduction is actually achieved.

Instead of the onion-peel model, the so-called LOPA diagram, which follows the event tree analysis, is used. With the help of two symbols (arrows and blocks) it shows the direction of action of a failure or disturbance and the independent protection layers that are supposed to neutralize or prevent the disturbance; see Figure 26, and for the calculation and background see Chapter 3.1.8 and Figure 15.

(Figure content: an initiating event passes through IPL1, IPL2 and IPL3 in turn; the consequence occurs only if all of them fail.)

Figure 26 Structure of a LOPA diagram

Just as in the general form of event tree analysis, one begins with an initiating event (cause) and extends it into a chain of incidents, each step corresponding to the failure of the next independent protection layer.

According to IEC 61511 a protection layer reduces the risk by controlling and regulating it, applying safety and damage prevention measures. Protection layers can be structural measures like catch basins, technical facilities like safety-related systems, or organisational measures like an emergency response plan. Three typical kinds of protection layer are described and used in the process industry:

Instrumented systems, like

Basic Process Control System

Alarm system

Physical/mechanical facilities, like

Relief valve

Rupture disk

External measures to reduce the risk, like

Dike

Firewall

In order to declare a protection layer an independent protection layer (IPL), the following criteria are useful; they are known as the “3D”, the “4E’s” and the “Big I”.

The “3D” means:

Detect: an IPL should be able to recognise the danger

Decide: an IPL initiates a corresponding response

Deflect: an IPL reduces the consequence of the danger

The effectiveness of an IPL can be classified by the “4E’s”:

Sufficient size (“big enough”)

Sufficient speed (“fast enough”)

Sufficient strength (“strong enough”)

Intelligence (“smart enough”)

The most important criterion, however, is independence (“Big I”). An IPL must under all circumstances be independent of the initiating cause and of the other protection layers, and it may be credited only once. More details are given in Chapter 5 (SIS design).

LOPA is a semi-quantitative risk analysis method; ideally it is used after a qualitative risk analysis like HAZOP.

Figure 27 shows a typical protection layer analysis diagram.

The output of the HAZOP study is the unmitigated frequency FNM of the cause. This is compared with the QTRM table of the given company. The SIL calculation procedure with LOPA is shown in detail in Figure 29. More about the mathematics of LOPA is found in Chapter 3.1.8.

4.1.3 Objectives of LOPA procedure

The main objectives of LOPA are the following:

identify the safety protection layers

allocate the safety functions to the protection layers

determine if one or more safety instrumented functions (SIF) are required to achieve the target risk reduction

determine for each SIF, if required, the safety integrity level (SIL).


Figure 27 Typical LOPA structure

4.1.4 Why is LOPA used for SIL determination?

The SIL determination methods suggested in IEC 61508 [IEC_508] and IEC 61511 [IEC_511] for calculating the target SIL value of a SIF fall into three groups:

Qualitative, like the risk matrix (see Chapter 3.1.3) and the risk graph (see Chapter 3.1.4)

Semi-quantitative, like LOPA

Quantitative, like Failure Mode and Effect Analysis (FMEA), reliability block analysis (see Chapter 3.1.8) and Markov modelling (see Chapter 3.1.9).

The qualitative methods are simple but inaccurate and too subjective, which is why they are no longer widely applied in process industry practice. On the other hand, the quantitative methods are too complex and slow for everyday use, and process plants are becoming too complex to be handled by them in a simple way. That is why a semi-quantitative method like LOPA is a good compromise.

Even though LOPA is only semi-quantitative, there are several arguments for preferring it:

It is not as subjective as the qualitative methods.

It needs the company’s target risk matrix (QTRM), so it raises the safety culture of the company, which has to build up its Functional Safety Quality Manual.

(Figure 27 content: an initiating event with frequency FNM passes IPL1 to IPL5 in turn. Each branch in which an IPL works ends in a safe or tolerable condition; only the branch in which IPL1, IPL2, IPL3, IPL4 and IPL5 all fail ends in a dangerous, not tolerable condition with mitigated frequency F. FNM = non-mitigated frequency, F = mitigated frequency.)


LOPA is the only one of these methods that takes the non-instrumented protection layers into consideration.

LOPA makes it possible to discover all non-instrumented protection layers.

LOPA makes it possible to build up the most cost-effective protection system (called here the Integrated Safety System), including both instrumented and non-instrumented protection layers.

That is why LOPA is a widely accepted SIL calculation method in the process industry, and why my research focused on making this method more precise, more cost-effective and automatic.

4.1.5 SIL calculation with LOPA method

My goal was to review, define and fix the problems of the methods used in practical LOPA applications for determining the SIL value of a given SIF.

Following the Safety Life Cycle, one has to be convinced that the existing or designed SIS is appropriate for the particular process from the viewpoint of functional safety (pre-validation, validation). How does one become convinced of this? According to IEC 61511 [IEC_511], the following steps have to be performed:

Hazard and Risk analysis

IPL allocation and SIL calculation of SIFs

Safety Requirement Documentation

Figure 28 shows step by step how this procedure works in general.

Both IEC 61508 and IEC 61511 mention LOPA as one of the methods that can be used to determine the required SIL value of a SIF.

LOPA [CCPS_93], [CCPS_01] is a semi-quantitative risk analysis technique that is applied after a qualitative hazard identification tool such as HAZOP.

LOPA is described as semi-quantitative because, although the technique uses numbers and generates a numerical risk estimate, the input numbers are rough estimates whose accuracy is only at the order-of-magnitude level, and the result is intended to be conservative (overestimating the risk). Even so, the estimated risk is usually adequate for understanding the required SIL of the SIFs. If a more complete understanding of the risk is required, more rigorous quantitative techniques such as fault tree analysis or quantitative risk analysis may be needed; for process plants, however, the latter is often impractical or even impossible.

Figure 28 shows the procedure for calculating the SIL value of a given SIF.

The procedure of LOPA in Figure 28 is the following:

The starting point is the unmitigated cause frequency and the target cause frequency, the latter obtained by evaluating the consequences of the given hazard scenario and comparing them with the QTRM table for people, environment and business.

Identify the possible non-instrumented safety protection layers.

Allocate the safety functions to the protection layers.

Determine if one or more safety instrumented functions (SIF) are required to achieve the target risk reduction.

Determine for each SIF, if required, the safety integrity level (SIL) and the Risk Reduction Factor (RRF).

Figure 28 Method of SIL calculation

The main goal of LOPA is to evaluate the risk of the selected hazardous scenarios without any protection layer (the BPCS being included in the process), and the starting point is the unmitigated frequency. In practice LOPA is used to determine whether the identified (existing and/or proposed) protection layers are “strong” enough to reduce the risk, i.e. LOPA is used to make risk-avoiding (protective and preventive) decisions; for details see Chapter 4.1.

LOPA starts from an undesired consequence, usually an event with environmental, health, safety, business or economic impact. The severity of the consequence is estimated using appropriate techniques, which may range from simple look-up tables to sophisticated consequence modelling software.

The consequence always has one or more initiating events (causes). Each cause-consequence pair is called a scenario, and LOPA focuses on one scenario at a time. The frequency of the initiating event is also estimated (usually from look-up tables or historical data). The initiating event (cause) frequency is called the unmitigated frequency. The rule for the HAZOP study is to analyse the hazards of the EUC (Equipment Under Control), and the BPCS is always part of the EUC.

After identifying all causes and consequences in the given process, the possible safeguards (protection layers) are evaluated against two key characteristics:

Is the safeguard effective in preventing the scenario from reaching the consequence? AND

Is the safeguard independent of the initiating event and of the other IPLs (Independent Protection Layers)?

If the safeguard meets both criteria, it is an Independent Protection Layer (IPL) and is used in the LOPA calculation.

The LOPA calculation is based on the reliability block diagram calculation described in Chapter 3.1.8. In the LOPA diagram the IPLs are drawn in series along the event path, and all of them have to fail for the unwanted event of the hazard scenario to occur; put the other way round, any IPL that works saves the process from the unwanted consequence of the given hazard scenario.

LOPA estimates the likelihood of the undesired consequence by multiplying the frequency of the initiating event (unmitigated frequency) by the product of the probabilities of failure on demand (PFD) of the applicable IPLs:

$F_{mit} = F_{initiating} \cdot \prod_{j} PFD_{j}$ Equation 9

The PFD is the probability that the given IPL cannot, on demand, prevent the scenario from reaching the unwanted consequence.

Hence the result of LOPA is a risk measure for the hazard scenario, an estimate of likelihood AND consequence. This estimate is the “mitigated consequence frequency”: the frequency is “mitigated” by the independent protection layers so as to reduce the risk to the tolerable level (the tolerable frequency) given by the QTRM for the given cause-frequency and consequence pair. The risk estimate can therefore be compared with the company criteria for tolerable risk for that consequence severity (QTRM). If additional risk reduction is needed, more IPLs must be added to the design.

Figure 27 shows a simple diagram illustrating how the probability of the unwanted consequence decreases with each IPL, i.e. how the frequency falls from the unmitigated level to the tolerable level.

4.1.6 LOPA method in the practice

LOPA (Layer of Protection Analysis) is a risk assessment method that is uniquely useful for determining how “strong” a SIF (Safety Instrumented Function, “interlock”) has to be designed, i.e. for SIL calculation. LOPA is a semi-quantitative tool that is readily applied after the Process Hazard Analysis (PHA), for example HAZOP, and before fault tree analysis or quantitative risk assessment, if these are needed at all. In most cases the SIL requirement of a SIF can be determined by LOPA without the more time-consuming tools of fault tree analysis or quantitative risk assessment.

LOPA starts from one cause with one consequence, the unwanted event. In the HAZOP study the HAZOP team decides how often this cause may occur without any protection layer (only the BPCS being involved in the system). This frequency is called the “unmitigated” frequency. Taking the consequences into consideration, one can compare this result with the QTRM table of the given company, which gives the tolerable risk for the given cause-consequence pair, called the hazard scenario. Figure 1 shows how the risk is reduced. Since the consequence of the given hazard scenario is fixed by the HAZOP team, the only way to reduce the risk is to reduce the frequency of the unwanted event: reducing the frequency of the given outcome reduces the risk.

The starting frequency is the unmitigated frequency. The only way to reduce it is to use Independent Protection Layers, which protect the process against the negative events of the given hazard scenario.

The strength of an Independent Protection Layer is measured by its probability of failure on demand (PFD), the likelihood that it does not protect the process when demanded. Multiplying the PFD values of all IPLs credited for the given hazard scenario by the unmitigated frequency gives the mitigated frequency. The difference between this frequency and the tolerable frequency in the QTRM table for the given hazard scenario shows whether a SIF is needed (see Chapter 3.1.8).

This method seems simple, but the problem with the classical LOPA approach is that it considers only one hazard scenario at a time (the “per scenario” method). However, one SIF may belong to several hazard scenarios, each of which it has to protect, and each of which increases the demand on that SIF. In practice there is therefore a need for a solution that takes this into account, making the LOPA calculation more precise and its result more correct.

One common method is to take the highest SIL value obtained for the given SIF over the different hazard scenarios. That is, if five hazard scenarios involve the same SIF, five SIL calculations are made and the highest SIL value becomes the SIL value of the SIF. This method needs a lot of manual work and it is not correct; in Chapter 4.2.1 I demonstrate the problem with an example.

I developed the cumulative LOPA method, which takes into account in the LOPA calculation all hazard scenarios that have the same SIF as their safety instrumented independent protection layer. I laid down the mathematics of cumulative LOPA and implemented the method in the Tool4S software. Some examples of the software application and the description of Tool4S are available at www.sil4s.com/Tool4S/help.

4.2 Critical evaluation of the simple LOPA method

The foundation of the LOPA calculation is the tolerable risk criterion. Typical risk criteria give tolerable risk figures (typically tolerable frequencies) for a person, for the environment and for business. In our case the risk measure is the frequency, and there is a frequency gap between the unmitigated frequency and the tolerable frequency, i.e. the mitigated frequency after LOPA. This mitigation is achieved by the Independent Protection Layers. During LOPA one always compares the mitigated risk with the tolerable risk. If the mitigated risk is lower than the tolerable risk, or at least is “as low as is reasonably practicable”, there is no need for further protection layers; if not, new protection layers and/or other risk reduction measures are needed (see the “Main steps of LOPA” in Chapter 4.1.5). The key point of LOPA is that it starts with the less expensive independent protection layers, such as the alarm system, relief valves, etc. If the tolerable frequency is not reached with these, i.e. the risk is not reduced enough by the non-instrumented protection layers, the remaining “frequency gap” is filled by the SIS. This frequency difference is the basis for calculating the SIL and Risk Reduction Factor of the SIF protecting the given hazard scenario.

The tolerable risk categories (frequencies) are always set by the given company, and the QTRM must be part of the company safety policy. As the corporate criteria determine the tolerable risk values for people, environment and business, LOPA in practice focuses on calculating the mitigated risk in order to determine the necessary risk reduction factor for each target group. However, because the tolerable risk is based on a unit such as a person, it is not enough to calculate the mitigated risk for every scenario separately and compare each with the tolerable risk value(s). This so-called “per scenario” method has the disadvantage that it cannot take into account that a hazard may comprise several scenarios, with one or more causes and consequences, using the same or different protection layers. From the SIL and RRF calculation point of view the SIF, as the common protection layer, is the most important. In this case there is more than one demand on the given SIF, and instead of the “per scenario” method one should use the “cumulative” risk calculation method, which takes into account all hazard scenarios protected by the same SIF.

The first problem with the “simple per scenario” method of LOPA is therefore its lack of completeness.

Exida [EXI_1] tried to overcome this problem by allowing more consequences to be taken into account, but only manually, which is time-consuming and prone to human error, for example missing a hazard scenario with the same SIF.

4.2.1 Critical evaluation and comparison of LOPA methods

Nowadays a simplified method, the “per scenario” method, is used.

Let us first look at an example of the difference between the “per scenario” LOPA and the “cumulative” LOPA method. Assume that the hazard scenario is high pressure in a vessel and that there are two possible initiating events:

The pressure control fails; the frequency of this event is F1

The downstream line is blocked; the frequency of this event is F2

Assume that in both cases the consequence is vessel rupture. Assume also that there is an independent high-pressure trip, i.e. a SIF, which can protect against the high pressure in both cases, and, to simplify the example, no other IPL. This simplification does not affect the result.

With the “per scenario” LOPA method one calculates as follows. The necessary (target) risk reduction factor for the first scenario is RRF1 = F1 / Ftol, where Ftol is the tolerable frequency for the given consequence taken from the QTRM. The target risk reduction factor for the second scenario is RRF2 = F2 / Ftol. In everyday practice the final target RRF of the SIF is the higher of the two; e.g. if RRF2 > RRF1, the final RRF will be:

$RRF_{per\text{-}scenario} = RRF_2$ Equation 10

In contrast, the “cumulative” LOPA method adds up the RRF values, so the target RRF of the SIF will be:

$RRF_{cumulative} = RRF_1 + RRF_2$ Equation 11

This is a higher value than the result of the “per scenario” LOPA method.

The difference matters because IEC 61511-3 suggests calculating the total risk:

“The last step is to add up all the mitigated event likelihood for serious and extensive impact events that present the same hazard”.

This means the standard suggests using “cumulative” LOPA rather than “per scenario” LOPA, because in our case the hazard is the rupture of the vessel, and the two causes lead to the same consequence of the same hazard, protected by the same SIF. The two scenarios protected by the same SIF are independent of each other.

The result of the example above does not depend on the number of IPLs. In the example I did not take into account that other IPLs always exist in the protection system, and that the two scenarios may involve different IPLs. One concludes from this example that the “per scenario” method is a very simplistic approach that disregards the co-existing hazard scenarios relying on the same SIF, even when different non-SIS IPLs are involved in mitigating the consequence of the hazard.

The difference between the results of the two LOPA techniques can be very large when the given SIF appears in several scenarios as the instrumented IPL (SIS). This difference is usually much greater than the uncertainty of the LOPA method itself, so neglecting cumulative LOPA may lead to a completely wrong SIL calculation and, through a false simplified interpretation, override what the IEC 61511 standard describes.
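The following short derivation is added here to show why Equation 11 adds the RRFs; it is not part of the original text and uses only Equation 9 and the independence of the two scenarios. In the example the SIF, with probability of failure on demand $PFD_{SIF}$, is the only IPL in both scenarios, so by Equation 9 the two mitigated frequencies are

$F_{mit,1} = F_1 \cdot PFD_{SIF}, \qquad F_{mit,2} = F_2 \cdot PFD_{SIF}.$

Both scenarios end in the same consequence (vessel rupture), so its total mitigated frequency is the sum of the two independent contributions, and the tolerable-risk criterion has to hold for that sum:

$F_{mit,1} + F_{mit,2} = (F_1 + F_2) \cdot PFD_{SIF} \le F_{tol}.$

Writing the risk reduction factor as $RRF = 1/PFD_{SIF}$ gives

$RRF \ge \frac{F_1 + F_2}{F_{tol}} = \frac{F_1}{F_{tol}} + \frac{F_2}{F_{tol}} = RRF_1 + RRF_2,$

which is Equation 11. The per-scenario choice $RRF = \max(RRF_1, RRF_2)$ only guarantees $F_{mit,1} \le F_{tol}$ and $F_{mit,2} \le F_{tol}$ separately, so the total rupture frequency can exceed $F_{tol}$ by up to a factor of two in this example, and by up to the number of scenarios in general.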

4.3 Development new method of LOPA calculation: cumulative LOPA

In this chapter I describe the cumulative LOPA method, developed to replace the old (per scenario) method, and the fully automatic calculation technique implemented in the Tool4S software.

Because of the problems of the “per scenario” LOPA method, the “cumulative” LOPA method is proposed here; it takes into consideration all hazard scenarios that are protected by the same SIF. The cumulative LOPA method makes the LOPA calculation more precise, more correct and fully automatic.

4.3.1 Cumulative LOPA calculation process

I developed the “cumulative” LOPA method with the following features and methods:

The basis is the common SIF

One SIF may belong to several scenarios, which together form a “scenario group”

The common feature of a “scenario group” is that it applies the same SIF as its instrumented IPL

Developing the mathematics of how to cumulate the RRF and SIL values for a “scenario group”

Making the calculation automatic, in a programmable way

Developing the program, called Tool4S (downloadable from www.sil4s.com/tool4s/help).

First let us see the method and the mathematics behind it. Figure 29 shows the flow diagram of the process.

The hazard scenario is the output of the HAZOP study. At the HAZOP meeting the HAZOP team decides how often the hazard scenario may happen, the unmitigated frequency ($F_{non\text{-}mit}$), and what the possible consequences would be for human, environment and business.

Based on $F_{non\text{-}mit}$, the possible consequences and the QTRM, the HAZOP team decides the tolerable frequency of the given hazard scenario for human, business and environment ($F_{tol}^{human}$, $F_{tol}^{business}$, $F_{tol}^{environment}$). The Tool4S program calculates these frequencies automatically and uses the smallest (minimum) of the three.

The HAZOP team also looks for non-SIS independent protection layers (alarm system included) for the given hazard scenario. The measure of an IPL is its PFD value. Calculating with these PFD values one obtains the mitigated frequency, of course without the SIF. The tolerable frequency against which the mitigated frequency is compared depends heavily on which consequence (human, business or environment) in the QTRM table is taken into consideration.

Using a pessimistic approach, the minimum of $F_{tol}^{human}$, $F_{tol}^{business}$, $F_{tol}^{environment}$ is used in the calculation when $F_{mit}^{i}$ is calculated, where $i$ is the running index over the hazard scenarios demanding the same SIF. This is done for all hazard scenarios.

In parallel, the HAZOP team also decides, based on the previous calculation, whether a SIF is required for each hazard scenario. If $F_{mit}^{i} > F_{tol}^{i}$ then a SIF is necessary; otherwise the non-SIS protection layers are able to reduce the risk to the tolerable level without a Safety Instrumented Function. When a SIF is needed, its risk reduction factor and SIL value have to be calculated. Of course the SIL value required of the same SIF by different hazard scenarios will differ, depending on the consequences of the given hazard scenario and on the IPLs involved in it.

The question to be answered is what the real SIL value of the SIF is, and how to cumulate the values required of one SIF that acts as the instrumented protection layer in different scenarios.

As all hazard scenarios are independent of each other (provided the HAZOP study is correct), the risk reduction factors required of the same SIF by the different hazard scenarios are added, and the SIL of the SIF follows from the cumulative RRF. Figure 29 shows the procedure applied in the Tool4S software.

The mathematics of the “cumulative” LOPA method is discussed in Chapter 4.3.2.


The main steps of the cumulative LOPA method for hazard scenarios are shown in Figure 29. In this flow diagram I took into consideration whether the same SIF protects one or more hazard scenarios.

The steps are:

Develop each impact event scenario based on the HAZOP.

Evaluate the severity of the consequences for human, business and environment of the individual impact event scenario.

Set the target likelihoods of the impact event scenario after mitigation, to meet the company’s Functional Safety Quality Management (FSQM) QTRM table for human, business and environment.

Identify and set the initiating event(s) and related enabling factors.

Calculate the enabled initiating event(s) likelihood.

Add independent protection layers (IPL) to mitigate the impact event scenario.

Set the probability of failure on demand (PFD) values of the IPLs.

Set the mitigation credit factors of the impact event scenario.

Calculate the likelihood of the impact event scenario after mitigation and check whether it meets the company’s target safety matrix. If one or more target likelihoods are not met, go back to the beginning.

When all the target likelihoods are met, assess the next impact event scenario.

When there is no further hazard scenario with the same SIF, take the next hazard scenario; otherwise go back to the beginning for the next scenario of the same SIF.

When there are no more hazard scenarios, the Safety Requirement Specification is complete.

Project finished.

4.3.2 Cumulative LOPA calculation algorithm

In the followings I analysed the cumulative LOPA calculation algorithm step by step.

First step

In the first step, the software takes the frequency of the cause. The cause frequency is defined after the HAZOP meeting and it is called non-mitigated frequency. The Tool4S software takes the cause frequency category and looks for the non-mitigated frequency value from the QTRM (Qualitative Tolerable Risk Matrix) table. The attributes of non-mitigated frequency are:

Variable : $F_{non\text{-}mit}$

Name : Non-mitigated frequency

Unit : 1/year

Range : Real number, $0 \le F_{non\text{-}mit}$


Second step

The software takes the severity categories of the consequence and looks up the tolerable frequency values in the QTRM table. The QTRM consists of tables (see the example QTRM in Table 18, Table 19 and Table 20 in Chapter 3.3.1) which give the tolerable frequency for the different types of consequence. Typically there are three types of consequence, see the tables referred to above:

Human

Business

Environment

In the following, we assume that these three consequence types are used in everyday practice.

The attributes of tolerable frequencies:

Variable : $F_{tol,human}, F_{tol,business}, F_{tol,environment}$

Name : Tolerable frequency (target frequency to be reached)

Unit : 1/year

Range : Real number, $0 \le F_{tol}$

Third step

The software calculates the scenario’s Risk Reduction Factor (without SIF) based on the PFD values of the safeguards. The PFD values are entered manually by the user during the HAZOP (the Tool4S software dialog for this is illustrated in Figure 30). The attributes of PFD:

Variable : PFD

Name : Probability of Failure on Demand

Unit : -

Range : Real number, $0 \le PFD \le 1$

The attributes of scenario risk reduction factor:

Variable : $RRF_{scen}$

Name : Scenario Risk Reduction Factor (without SIF)

Unit : -

Range : Integer, $0 \le RRF_{scen}$

The calculation of scenario risk reduction factor is:

$RRF_{scen} = \mathrm{int}_{up}\left(F_{mit} / F_{tol}\right)$ Equation 12

where $\mathrm{int}_{up}$ is an integer round-up function (“ceil function”), and $F_{tol}$ and $F_{mit}$ are calculated from the QTRM table, taking into consideration the PFD values of the given IPLs, as:

$F_{tol} = \min\left(F_{tol,people}, F_{tol,business}, F_{tol,environment}\right)$ Equation 13


[Figure 29 flow diagram: HAZOP study hazard scenario → decision about frequency of cause and about consequences (QTRM risk matrix: unmitigated frequency; calculated target frequency for human, environment and business) → allocation of first IPL, PFD_IPL1 → SIL and RRF calculation and refresh → F_Mitigated > F_Target? NO: no SIF necessary; YES: does another non-SIS IPL exist? YES: take next IPL, PFD_IPL,i, and allocate; NO: do more scenarios with the same SIF exist? YES: take next scenario; NO: target SIL and Risk Reduction Factor.]

Figure 29 Cumulative LOPA calculation procedure

and

$F_{mit} = F_{non\text{-}mit} \cdot \prod_{j} PFD_j$ Equation 14

where j is a running index for the safeguards in the given Hazard scenario.

The PFD value comes either from the experience of the given company or from an international data source. The PFD values of the IPLs are a critical point, and international data always have to be evaluated against the local application environment of the given IPL.

Fourth step

Finally, the software calculates the cumulative target risk reduction factor and the SIL value. Both values are calculated automatically for a given SIF based on all referenced hazard scenarios (see Figure 34).

The attributes of target risk reduction factors are:

Symbol : $RRF_{tar}$

Name : Target Risk Reduction Factor

Unit : -

Range : Integer, $0 \le RRF_{tar}$

The calculation of cumulative target risk reduction factor:

$RRF_{tar} = \mathrm{int}_{up}\left(\sum_{i} F_{mit,i} / F_{tol,i}\right)$ Equation 15

where $i$ is a running index over the hazard scenarios in which the given SIF appears as a safeguard.

The attributes of Target SIL are:

Variable : $SIL_{tar}$

Name : Target Safety Integrity Level

Unit : -

Range : Integer

The calculation method of Target SIL:

$SIL_{tar} = \mathrm{int}_{down}\left(\log_{10}\left(RRF_{tar}\right)\right)$ Equation 16

where $\mathrm{int}_{down}$ is an integer round-down function (“floor function”).
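The four steps above carried through in code, as an added example (this is not the Tool4S implementation): Equations 12 to 16 are applied to a constructed set of hazard scenarios, two of which share one SIF, so that the per-scenario and the cumulative results can be compared. The scenario names, the SIF tags SIF-101 and SIF-102, and all frequency and PFD values are made up for illustration.

```python
"""Cumulative LOPA as in Equations 12 to 16 (added example, not Tool4S code).
Frequencies are in 1/year; PFD values are dimensionless; data is constructed."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def int_up(x: float) -> int:
    """Round-up ('ceil') function of Equations 12 and 15.  Binary floating
    point makes 0.1 * 0.1 / 1e-4 come out as 100.00000000000001, which a bare
    ceil() would turn into 101; snapping to 9 decimals first removes that."""
    return math.ceil(round(x, 9))

def int_down_log10(n: int) -> int:
    """floor(log10(n)) for a positive integer (Equation 16), computed from the
    digit count so that exact powers of ten cannot suffer rounding error."""
    if n < 1:
        raise ValueError("RRF must be a positive integer")
    return len(str(n)) - 1

@dataclass
class HazardScenario:
    name: str
    f_non_mit: float                     # cause frequency from the QTRM, 1/year
    f_tol: Dict[str, float]              # tolerable frequency per consequence type
    ipl_pfds: List[float] = field(default_factory=list)  # credited non-SIS IPLs
    sif_tag: Optional[str] = None        # SIF used as instrumented IPL, if any

    def __post_init__(self) -> None:
        if self.f_non_mit < 0:
            raise ValueError("non-mitigated frequency must be >= 0")
        if not self.f_tol or min(self.f_tol.values()) <= 0:
            raise ValueError("tolerable frequencies must be > 0")
        if any(not 0 <= p <= 1 for p in self.ipl_pfds):
            raise ValueError("PFD values must lie in [0, 1]")

def tolerable_frequency(s: HazardScenario) -> float:
    """Equation 13: the strictest consequence type sets the target."""
    return min(s.f_tol.values())

def mitigated_frequency(s: HazardScenario) -> float:
    """Equation 14: cause frequency reduced by every credited non-SIS IPL."""
    f = s.f_non_mit
    for pfd in s.ipl_pfds:
        f *= pfd
    return f

def sif_required(s: HazardScenario) -> bool:
    """Decision box of Figure 29: a SIF is needed only while F_mit > F_tol."""
    return mitigated_frequency(s) > tolerable_frequency(s)

def scenario_rrf(s: HazardScenario) -> int:
    """Equation 12: risk reduction the 'per scenario' method asks of the SIF."""
    return int_up(mitigated_frequency(s) / tolerable_frequency(s))

def cumulative_rrf(scenarios: List[HazardScenario], sif_tag: str) -> int:
    """Equation 15: sum the demand ratios of every scenario the SIF protects."""
    ratios = [mitigated_frequency(s) / tolerable_frequency(s)
              for s in scenarios if s.sif_tag == sif_tag]
    if not ratios:
        raise ValueError(f"no hazard scenario references {sif_tag}")
    return int_up(sum(ratios))

def target_sil(rrf: int) -> int:
    """Equation 16.  A result of 0 means the RRF is below the SIL 1 band."""
    return int_down_log10(rrf)

# Constructed HAZOP output (names, tags and numbers are made up): two
# scenarios share SIF-101, a third one is protected by SIF-102.
SCENARIOS = [
    HazardScenario("V-201 overfill, LIC-201 fails high", 0.05,
                   {"human": 1e-4, "business": 1e-3, "environment": 1e-4},
                   ipl_pfds=[0.1], sif_tag="SIF-101"),
    HazardScenario("V-201 overfill, LCV-201 stuck closed", 0.6,
                   {"human": 1e-3, "business": 2e-3, "environment": 1e-3},
                   ipl_pfds=[0.1], sif_tag="SIF-101"),
    HazardScenario("P-202 dead-head with relief valve", 0.01,
                   {"human": 1e-4, "business": 1e-3, "environment": 1e-3},
                   ipl_pfds=[0.1, 0.01], sif_tag="SIF-102"),
]

def compare_methods(scenarios: List[HazardScenario], sif_tag: str):
    """Per-scenario SIL of each referencing scenario versus the cumulative
    RRF and SIL of the SIF; returns (per_scenario_sils, rrf_tar, sil_tar)."""
    per = {s.name: target_sil(scenario_rrf(s))
           for s in scenarios if s.sif_tag == sif_tag}
    rrf_tar = cumulative_rrf(scenarios, sif_tag)
    return per, rrf_tar, target_sil(rrf_tar)

if __name__ == "__main__":
    per, rrf_tar, sil_tar = compare_methods(SCENARIOS, "SIF-101")
    for name, sil in per.items():
        print(f"{name}: per-scenario SIL {sil}")
    print(f"SIF-101 cumulative RRF {rrf_tar} -> target SIL {sil_tar}")
```

With these constructed numbers each scenario alone asks SIL 1 of SIF-101 (RRF 50 and 60), while the cumulative RRF of 110 puts the SIF into SIL 2, which is the difference between the per-scenario and the cumulative method.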

4.4 Implementation of cumulative LOPA method SOFTWARE: Tool4S

There are several software tools for carrying out HAZOP and LOPA; however, my experience showed that most of them can only calculate the RRF value for one scenario (the per-scenario method) but do not accumulate these values. It is therefore the task of the user to do this manually.

My experience also showed that in the process industry the same SIF can occur in several hazard scenarios. If a user uses software which does not support the cumulative LOPA method, in the end he/she will make mistakes or will simply skip the cumulative LOPA method because it is too tiresome.

Hence, we built the cumulative LOPA method into our Tool4S software to make the calculation automatic. In the following, it is presented how the cumulative LOPA is realised in our Tool4S software.


Figure 30 Edit PFD value of safeguards in Tool4S SOFTWARE

The basis of the calculation is the “non-mitigated frequency” matrix for causes and the “tolerable frequency” matrix of the given company. The non-mitigated frequency matrix can contain one or more pre-defined likelihood values for the initiating events (causes). Figure 31 shows an example of the non-mitigated frequency matrix of causes. It is the user’s task to define these values, and the Tool4S software gives the user the freedom to easily add items to or remove items from the matrix. Certainly it is not necessary to use this matrix in every case; the user can manually give a unique frequency value for every initiating event if the pre-defined values do not fit the given case, see Figure 33.

Figure 31 Definition of non-mitigated frequency matrix of causes

The tolerable frequencies are also user defined. The user can define the number of consequence types (there are three default values: for human, for business and for environment), the possible severity categories, and the specific tolerable frequency for each severity. Figure 32 shows an example of the definition of the tolerable frequency matrix.

Figure 32 Definition of tolerable frequency matrix


Every pre-defined non-mitigated frequency and tolerable frequency value has a code. The user can easily do the risk ranking by only selecting the appropriate code; Figure 33 shows an example.

Figure 33 Example for risk ranking

The risk ranking must be done for every cause-consequence pair, but if the consequence is the same for several causes, the Tool4S software copies the consequence ranking information to save manual work.

The main concept in the software is that every SIF has a unique tag name and its own SRS (Safety Requirement Specification). When a SIF is added to the HAZOP, the software automatically collects every scenario in which the SIF can be found and calculates the cumulative RRF. Figure 34 shows an example from the Tool4S software. In this figure one can see the short description of the SIF and a list of all hazard scenarios in which the same SIF is involved.

Figure 34 Example for the result of a cumulative LOPA

4.5 Summary and conclusion

I evaluated the existing methods for calculating the SIL and risk reduction value of SIFs within a HAZOP study using the LOPA method. I analysed the traditional LOPA method, called “per scenario”, in which only one scenario per SIF is taken into consideration. I showed that the result of this calculation is far from correct.

I developed and analysed the “cumulative LOPA method”, which takes into consideration all hazard scenarios that contain the same SIF as an instrumented independent protection layer.

This method has only one disadvantage: it is not easy to carry out manually. That is why I developed the principle of Tool4S, the integrated HAZOP/LOPA study software, which automatically calculates the result of the “cumulative” LOPA method. This is an iterative calculation process: as the HAZOP study proceeds and a new hazard scenario is found which is protected by a SIF that already protects other hazard scenarios, the SIL value and risk reduction factor of this SIF are automatically recalculated and the list of hazard scenarios referencing this SIF is amended, as shown in Figure 34.

The Tool4S SOFTWARE overcomes the problem of manual and very slow calculation, where the result is not always correct, mainly when the technology is very complex and more than 100 SIFs co-exist.

Tool4S was tested in more than 100 HAZOP and LOPA studies and proved to be fast and correct, with high reliability.


5 SIS Design Management: practical interpretation of the process safety standards

One of the most critical parts of the procedure for building up a Safety Instrumented System is the design of the safety system. There are some recommendations of the standard which definitely shall be considered in this design phase, and attention shall be paid to the fact that designing a safety system differs from BPCS or PLC design.

The basis of the SIS design is the Safety Requirement Documentation, which is the output documentation of the HAZOP/LOPA study and contains all essential information relevant to the design procedure.

In the next chapters I analyse the key problems of SIS design and interpret the statements of the standard from a practical point of view, answering many questions related to this part of the process safety standards.

5.1 Overview of SIS design

5.1.1 Objectives of SIS Design

According to the IEC 61511 the objective of SIS Design is: “The objective of the requirements of this clause is to design one or multiple SIS to provide the safety instrumented function(s) and meet the specified safety integrity level(s).”

The objective of SIS Design is to provide guidance in the design of the SIS. Each SIF has its own SIL. A component of a SIS, for example, a logic solver, may be used by several SIFs with different SILs.

5.1.2 Requirement of SIS Design

The design of the SIS shall be in accordance with the SIS safety requirements specifications (SRS), taking into consideration all the other requirements of IEC 61511 [IEC_511].

The standard, as its main general requirement, focuses on independence, see Chapter 5.2.

There are also other requirements:

For system behaviour on detection of a fault

For hardware fault tolerance

For selection of components and subsystems.

Field devices

Interfaces

Maintenance or testing design requirements

SIF probability of failure

5.2 Integration and separation of BPCS and SIS

The general rule is that if the basic process control system is not intended to be qualified according to the IEC 61508 standard, then the basic process control system shall be designed to be separate and independent to the extent that the functional integrity of the safety instrumented system is not compromised.

The SIS and the BPCS perform two separate tasks (see Figure 9), and according to IEC 61511, separation (in other words, independence) shall be maintained between the two systems, see Figure 35.

5.2.1 Why is separation required?

To reduce the effects of the BPCS on the SIS, especially when they share common equipment

To retain flexibility for changes, maintenance, testing and documentation related to the BPCS

To facilitate the validation and functional safety assessment of the SIS

Where a failure of the common equipment can cause a demand on the SIS, an analysis should be conducted to ensure that the overall hazard rates satisfy the expectations (common sensors, common valves, common HMI)

To avoid common cause failures such as:

Plugging of instrument connections

Corrosion and erosion

Hardware faults due to environmental causes

Software errors

Power supplies and power sources

Human errors

The SIS normally has more robust requirements than the BPCS, and the intent is not to subject the BPCS to the same robust requirements that are required for the SIS. However, it should be noted that uncontrolled BPCS modifications can be a cause of increased demand on the SIS.

Figure 35 SIS and BPCS independence

[Figure 35 diagram: SIS and DCS blocks with “Information” flows between them; labels: Non safety Function, Safety Function, IEC 61508, and three alternative arrangements joined by OR.]

The human attitude to dealing with the SIS and the BPCS shall be different:

A written procedure is needed for the SIS in order to modify or activate:

Trip point

Logic connections

Input and output range

Software modification

Handling of MOS and POS by software

No flexible behaviour is allowed in the case of the SIS

Better trained and tested maintenance personnel are required for the SIS, both for operation and maintenance

There are special requirements for operators handling critical alarms that are credited as Independent Protection Layers in the SIL calculations:

A written procedure describing the operator’s action to reduce the risk is required, with:

A minimum of 10 minutes available for the actions that bring the technology back to normal operation

Yearly training and examination of the operators for all critical alarms

Adequate independence (separation) means that neither the failure of any non-safety functions nor the programming access to the non-safety software functions is capable of causing a dangerous failure of the safety instrumented functions.

5.2.2 Separation of information between SIS and BPCS

The basic rule is that operating information may be exchanged, but this should not compromise the functional safety of the SIS.

In practice there is no limitation on transferring data from the SIS to the BPCS, such as diagnostic data of the SIS or SER (Sequence of Events Recording) solutions.

Information coming from the BPCS to the SIS is prohibited, or, if such a connection exists and compromises the functional safety of the SIS, then the BPCS shall be certified according to IEC 61508 Part 2, or it shall be shown that a failure of the basic process control system does not compromise the safety instrumented functions of the safety instrumented system.

5.2.3 Separation of functions between SIS and BPCS

The separation of safety functions and the separation of non-safety functions have to be distinguished, see Figure 35.

In the case of non-safety functions, the separation rules are:

Where the SIS is to implement both safety and non-safety instrumented function(s) then all the hardware and software that can negatively affect any SIF under normal and fault conditions shall be treated as part of the SIS and comply with the requirements for the highest SIL.

Wherever practicable, the safety instrumented functions should be separated from the non-safety instrumented functions.

In the case of safety function separation, the general rule is that if any part of the BPCS (sensor(s), valve(s), I/O card(s)) is also part of the SIS, the following criteria shall be met, see also Chapter 5.2.1:

Where a failure of the common equipment can cause a demand on the SIS, then an analysis should be conducted to ensure that the overall hazard rates satisfy the expectations. The overall hazard rate will be the sum of the dangerous failure rate of the common elements and the hazard rate from other sources of demand (including dangerous failure of the independent parts of the SIS).

Taking this rule into consideration means the following in practice:

Extra calculation, which is time consuming; it is not easy to perform an FMEA calculation for every case

The cause of hazard scenarios is divided into two parts:

The cause arises from the technology

The cause arises from the BPCS

There is no problem with causes arising from the technology

There are problems with causes arising from the BPCS

The case when the cause arises from the sensor(s) means a conflict between the cause and the protection: one cannot use a transmitter for protection if that transmitter is the cause of the hazard scenario.

The same problem exists when the valve(s) are involved in both the BPCS and the SIS.

The same problem arises when one uses the transmitters and the BPCS for critical alarms while the cause of the hazard scenario is the BPCS. This solution violates the independence principle of the Independent Protection Layers.

One should always analyse the cause of the hazard scenario before starting the design of the given SIL and alarm system that protects against the consequences of the hazard scenario, in order to reduce the risk to an acceptable level.

If one does not follow this rule, a common cause factor arises (see Chapter 5.3); the influence of this factor shall be calculated case by case, procedures are necessary to ensure that the SIS is not dangerously affected, and the SIS designer will have to specify the procedures to be applied.

Neglecting this rule will reduce the strength of the functional safety of the SIS.

5.3 Common cause failures

The different types of common cause cases are:

Common cause within SIS

Common cause between SIS and BPCS

Common cause between IPLs

5.3.1 Common cause within SIS

The common cause failure within SIS may arise from:

Identical manufacturer

Identical components


Identical connection to the technology

Identical sampling valves

Identical power supply

Identical cable

Identical cable track

Identical calibration devices and procedures

All these identities may reduce the reliability of systems having redundant or voting solutions and influence the functional safety of the SIS.

The main task of the designer is to avoid these identities and, if this is not possible, the influence of common cause shall be kept under control throughout the whole safety life cycle.

An example of power supply separation is shown in Figure 36.

One can see that all cabinets (SIS and marshalling) have an individual power supply from the UPS, feeding the safety power supply unit of the cabinet (the power supply unit works as a 2oo3 system), which is why three separate cables are connected to one cabinet. One separate non-UPS power cable is connected to every cabinet for service purposes.

Within the cabinet, all sub-racks are supplied by separate power cables from the 2oo3 power supply bus.

Similar considerations shall be applied when one designs a SIF safety loop, to avoid any influence of the common causes listed above.

[Figure 36 drawing, title block: UPS & non-UPS power supply distribution for ESDs & MCs in SCR (ESD2 & ESD3); HIMA ESD system, MOL RT Danube Refinery; Emerson: GOK36002500/120-122 ESDs & MCs power supply; ESD power supply cabinet; drawn by BGS, Bareng Kft, Veszprém; date 2004.01.04; code B03HI-07.DWG754. Notes: 220 VAC UPS power supply for ESDs & MCs; 220 VAC power supply for service, for all; for ESD1 in MCR see 119_ESD01-R power supply.]

Figure 36 Example of Power Supply separation within SIS


5.3.2 Common cause between SIS and BPCS

In Chapter 5.2.2 and Chapter 5.2.3 I analysed the problems regarding the separation of BPCS and SIS.

If the designer proves that the separation between the BPCS and the SIS is one hundred percent satisfied, no common cause problem exists.

In everyday practice the designer is forced to compromise, mainly for financial reasons. In this case the designer has to pay attention to extra considerations in order to calculate the common cause factors of the designed SIF, which are then taken into consideration in the SIL calculation after the installation and commissioning phase, in the validation process.

The cost of this type of calculation sometimes exceeds the cost of the hardware that should have been considered in order to avoid the common cause problems.

5.3.3 Common cause between IPLs

The independence of the IPLs is a well-known requirement; everybody knows this criterion, but in everyday practice, according to my experience, designers build this mistake into the system.

I looked for why and where this mistake happens and discovered that many times it is built in during the LOPA study phase, when the participants are preparing the Safety Requirement Specification, which is the basis of the SIS design.

What is the reason for this mistake? The answer was easy to discover. The HAZOP team neglects the basic principle of the IPL, i.e. that the cause of a hazard scenario can never be protected against by the cause itself.

For example, see Figure 37, where a vessel level control and overfilling protection is shown.

The question to be answered is: if LAH is a critical alarm, what does independence mean, what is the correct solution, and where is the high level alarm signal to be connected?

In everyday practice these signals are connected to the BPCS. That means that in case of BPCS failure, the LAH as an independent protection layer will not operate and will not send an alarm signal warning the operator to start an action to decrease the level in the vessel. BPCS failure is a common cause factor (involving the HMI) which should be taken into consideration in the SIL calculation.

A better solution is when the LAH signal is connected to the logic solver, but in this case the SIS and the critical alarm are not independent. Because of the better reliability figure of the logic solver, in this solution the common cause factor is more or less negligible.

The correct, but more expensive solution, which matches the standards, is an independent Critical Alarm Management System with a separate HMI.


Figure 37 Example of common cause of IPLs

5.4 System behaviour on detection of fault

There are two aspects of safety system behaviour on the detection of a dangerous fault (by diagnostic tests, proof tests or by any other means):

The target is to maintain the functional safety of the system in the case of a single hardware fault, with:

a specified action to achieve or maintain a safe state or

continued safe operation of the process whilst the faulty part is repaired

If the repair of the faulty part is not completed within the mean time to restoration (MTTR) assumed in the calculation of the probability of random hardware failure, then a specified action shall take place to achieve or maintain a safe state. The specified action (fault reaction) required to achieve or maintain a safe state should be specified in the safety requirements. It may consist, for example, of the safe shutdown of the process or of that part of the process which relies, for risk reduction, on the faulty subsystem or other specified mitigation planning.

There are some important rules for the designer:

when the above actions depend on an operator taking specific actions in response to an alarm (for example, opening or closing a valve), then the alarm shall be considered as a part of the safety instrumented system (i.e., independent of the BPCS).

[Figure 37 diagram elements: PS, LT, LAH, SV, LCV, LS1, LS2; LOGIC Solver labelled Independent Protection Layer (IPL); BPCS.]

where the above actions depend on an operator notifying maintenance to repair a faulty system in response to a diagnostic alarm, this diagnostic alarm may be a part of the BPCS but shall be subject to appropriate proof testing and management of change along with the rest of the SIS

In the case of detection of a dangerous fault (by diagnostic tests, proof tests or by any other means) in any subsystem having no redundancy, the repair of the faulty subsystem shall be done within the mean-time-to-restoration (MTTR) period assumed in the calculation of the probability of random hardware failure. During this time the continuing safety of the process shall be ensured by additional measures and constraints. The risk reduction provided by these measures and constraints shall be at least equal to the risk reduction provided by the safety instrumented system in the absence of any faults.

More about faults and failures can be found in Chapter 6.

5.4.1 Hardware Fault Tolerance and its realisation

There are two possibilities:

Using IEC 61508-2, which specifies the factors and the extent of fault tolerance required

Using IEC 61511-1 and -2, in which it was considered that the requirements for fault tolerance of field devices and non-PE logic solvers could be simplified, and the requirements in IEC 61511-1 could be applied as an alternative.

It should also be noted that subsystem designs may require more component redundancy than is stated in Table 21 and Table 22 in order to satisfy availability requirements.

The requirements for hardware fault tolerance can apply to individual components or subsystems required to perform a SIF at its SIL. For example, in the case of a sensor subsystem comprising a number of redundant sensors, the fault tolerance requirement applies to the sensor subsystem in total, not to individual sensors.

The SIS designer shall use Table 21 and Table 22 in designing the SIF loops according to the SRS, independently of the solutions used inside subsystems or logic solvers. A 2oo4 voting system inside a logic solver CPU does not mean that the figures of Table 22 are satisfied in the case of a SIL 3 SIF loop.

The figures of Table 21 and Table 22 refer to the HFT value of the SIF loops and not to the component level itself. For example, if a transmitter uses redundancy inside its electronics to reach the SIL 3 category and it is used in a SIL 3 SIF loop, according to Table 21 one shall still design the SIF loop with HFT = 1.

5.4.2 Hardware fault tolerance

Hardware fault tolerance is the ability of a component or subsystem to continue to be able to undertake the required safety instrumented function in the presence of one or more dangerous faults in hardware. A hardware fault tolerance of one means that there are, for example, two devices and the architecture is such that the dangerous failure of one of the two components or subsystems does not prevent the safety action from occurring.


The minimum hardware fault tolerance has been defined to alleviate potential shortcomings in SIF design that may occur due to the number of assumptions made in the design of the SIF, along with uncertainty in the failure rate of components or subsystems used in various process applications.

It is important to note that the hardware fault tolerance requirements represent the minimum component or subsystem redundancy. Depending on the application, component failure rate and proof-testing interval, additional redundancy may be required to satisfy the SIL of the SIF to match the target value of the probability failure on demand and/or risk reduction factor.

The traditional approach of safety system design was to ensure that no single fault would result in loss of the intended function. System architectures such as 1oo2 or 2oo3 have a fault tolerance of one because they are able to function on demand even in the presence of one dangerous fault. Such systems were employed as a standard approach for safety systems to ensure they were sufficiently robust to be able to withstand random hardware failures. Fault tolerance architectures also gave protection to a wide range of systematic faults (mainly in hardware) because such faults do not necessarily arise at the same instant of time.

Because of the different levels of performance it is no longer appropriate to expect all safety integrity levels to be fault tolerant. In selecting the architecture to be used for a specified integrity level it is however important to ensure that it is sufficiently robust for both random hardware faults and systematic faults.

The requirements for hardware fault tolerance can apply to individual components or subsystems required to perform a SIF. For example, in the case of a sensor subsystem comprising a number of redundant sensors, the fault tolerance requirement applies to the sensor subsystem in total, not to individual sensors.

5.4.3 Minimum hardware fault tolerance of PE logic solvers

IEC 61511-1 gives the designer a minimum hardware fault tolerance requirement for logic solvers according to Table 21.

Table 21 HFT for Logic Solver

SIL    Minimum Hardware Fault Tolerance
       SFF < 60 %    SFF 60 % to 90 %    SFF > 90 %
1      1             0                   0
2      2             1                   0
3      3             2                   1
4      Special requirements apply (see IEC 61508)

The hardware fault tolerance requirement depends on the required SIL of the SIF and the PE subsystem’s safe failure fraction (SFF). Information on the safe failure fraction of logic solvers can normally be obtained from the PE logic solver vendor. If the PE logic solver is not used according to the assumptions made in the calculation of the SFF, then the claims made for the safe failure fraction should be carefully considered.

The SFF relates to random hardware failures only. In establishing the SFF it is acceptable to assume that the subsystem has been properly selected for the application and is adequately installed, commissioned and maintained, so that early-life failures and age-related failures may be excluded from the assessment. Human factors do not need to be considered when determining the SFF. Data sources and assumptions made during a calculation of the SFF should be documented.

5.4.4 Minimum hardware fault tolerance of sensors and final elements

Table 22 of IEC 61511-1 defines the basic level of fault tolerance for sensors, final elements and non-PE logic solvers, with the required SIL claim limit in the first column. The requirements in Table 22 correspond to the requirements of IEC 61508-2 for PE devices with an SFF between 60 % and 90 %. They are based on the assumption that the dominant failure mode is to the safe state or that dangerous failures are detected.

Table 22 Minimum HFT for sensor and final element subsystems

SIL   Minimum hardware fault tolerance
1     0
2     1
3     2
4     Special requirements apply (see IEC 61508)

The designer can satisfy the minimum HFT values by using a voting (redundant) architecture.

There are several reasons why redundancy or voting is designed into an SIS:

Increasing the availability of the system;

Making maintenance work more practical;

Matching the hardware fault tolerance values required by the standards.

What does voting mean? Voting is expressed as the number of independent paths (M) required, out of the total number of existing paths (N), in order to perform the safety function. It is usually written MooN, where

M is the number of paths that must vote (agree) for the function to act, and

N is the total number of redundant paths.

For example: 1oo2, 2oo3, 2oo4, etc.

A hardware fault tolerance of N means that N dangerous faults can be tolerated and that N+1 faults could cause a loss of the safety function.


Hardware fault tolerance is easy to calculate: for any MooN system, HFT = N - M. For example, for a 2oo3 system HFT = 3 - 2 = 1.

Table 23 Voting and HFT

Architecture   Voting (M)   Redundancy (N - M)   HFT
1oo1           1            none                 0
2oo2           2            none                 0
1oo2           1            1                    1
2oo3           2            1                    1
1oo3           1            2                    2
2oo4           2            2                    2

From the point of view of tolerance to dangerous failures the following pairs are identical:

1oo1 and 2oo2;

1oo2 and 2oo3;

1oo3 and 2oo4.

5.4.5 Exception for hardware fault tolerance in case of sensors and final elements

For all subsystems (for example sensors, final elements and non-PE logic solvers) except PE logic solvers, the minimum fault tolerance specified in Table 22 may be reduced by one if the devices used comply with all of the following:

the hardware of the device is selected on the basis of prior use (see Chapter 5.4.7);

the device allows adjustment of process-related parameters only, for example measuring range, upscale or downscale failure direction, during operation;

the adjustment of the process-related parameters of the device is protected, for example by a jumper or a password ("write protected"), and every parameter modification is documented;

the function has a SIL requirement of less than 4.

This sub-clause allows the hardware fault tolerance of all subsystems except PE logic solvers to be reduced by one under these conditions. The conditions apply to devices such as valves or smart transmitters and reduce the likelihood of systematic failures, so that the requirements are aligned with those of IEC 61508-2 for non-PE devices.

In some cases it may be possible to reduce the fault tolerance by following the fault tolerance requirements of IEC 61508-2 instead. This may be achieved by introducing additional diagnostics, such as signal comparison or regularly scheduled partial stroke testing, so that the SFF of the subsystem rises above 90 %.


My conclusion is that all field elements having a "SIL" certificate according to IEC 61508-2 shall conform to the "prior in use" criteria, and in safety applications the HFT values in Table 22 may be reduced by one.

5.4.6 Minimum hardware fault tolerance according to IEC 61508

In Chapter 5.4.5 there was a reference to IEC 61508-2. Let us see what IEC 61508-2 says. The SFF is defined as

$$\mathrm{SFF} = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}} \qquad \text{Equation 17}$$

Alternative fault tolerance requirements may be used provided an assessment is made in accordance with the requirements of IEC 61508-2, shown in Table 24, in the context of hardware safety integrity. The highest safety integrity level that can be claimed for a safety function is limited by the hardware fault tolerance and the safe failure fraction of the subsystems that carry out that safety function.

The architectural constraints have been included in order to achieve a sufficiently robust architecture, taking into account the level of subsystem complexity.

The architecture and subsystem derived to meet the hardware fault tolerance requirements are those used under normal operating conditions.

From the application point of view, whether IEC 61508 or IEC 61511 is taken into consideration, in practice a hardware fault tolerance of at least one is needed for the SIF when SIL = 3.

Table 24 Hardware safety integrity: architectural constraints on type B safety-related subsystems (IEC 61508-2)

Safe failure fraction   Hardware fault tolerance
                        0             1        2
< 60 %                  Not allowed   SIL 1    SIL 2
60 % to < 90 %          SIL 1         SIL 2    SIL 3
90 % to < 99 %          SIL 2         SIL 3    SIL 4
>= 99 %                 SIL 3         SIL 4    SIL 4

5.4.7 Prior in use

According to Chapter 5.4.5 the designer has the possibility to design a SIS on a "prior in use" basis.

There are very few field devices (sensors and valves) that are designed per IEC 61508-2 and IEC 61508-3, but their number is increasing. Users and designers therefore have to depend more heavily on field devices that have been "proven in use".

The basis of this solution is that, in the case of field devices (for example sensors and final elements) fulfilling a given function, this function is usually identical in safety and non-safety applications, which means that the devices perform in a similar way in both types of application. Therefore, consideration of the performance of such devices in non-safety applications should also be deemed to satisfy this requirement.


The first criterion for "prior in use" application is that appropriate evidence shall be available that the components and subsystems are suitable for use in the safety instrumented system.

In the "prior in use" solution, in the case of field elements, extensive operating experience in either safety or non-safety applications can be used as the basis for that evidence.

The level of detail of the evidence should be in accordance with the complexity of the considered component or subsystem and with the probability of failure necessary to achieve the required safety integrity level of the safety instrumented function(s). The failure probabilities are important because without them there is no possibility of preparing the validation calculation of the SIF loops. That is why a statement such as "this field device is proven in use" is not enough in itself.

Many users have a list of instruments that are approved or recommended for use in their facility. These lists have been established through extensive successful operating experience on their BPCS. Sensors and valves with a history of not performing as desired have been eliminated.

Normally the sensors and valves on these approved or recommended lists for the BPCS could also be considered proven in use for the SIS, subject to the assessment required by IEC 61511-1. Such a list of instruments should include the version of the device and be supported by documented monitoring of field returns at the user and at the manufacturer. In addition, the manufacturer should have a modification process which evaluates the impact of reported failures and modifications.

If such a list does not exist, then users and designers need to conduct an assessment of the sensors and valves to satisfy themselves that the instrument will perform as desired.

In practice the "prior in use" approach is more readily accepted and used for field sensors and actuators than for logic solvers.

It is important to know that every safety system shall be validated after installation and commissioning. When one wants to validate a SIF using a "proven in use" component, one may run into trouble for lack of a lambda value for the probability calculation. It is a good point in the case of "proven in use" that the HFT value may be decreased by one, but on the other hand the lambda values of the component are subject to many criteria in the standard which are not easy to fulfil, and without correct numbers nobody is able to validate the safety instrumented system.

5.4.8 Role of diagnostics

The standards state how diagnostics are to be performed and what the operator should do after a diagnostic alarm, but nothing is said about how to interpret the special case when, for example, the transmitter is "smart", i.e. it has built-in diagnostic features, but the diagnostic signals are not accessible to the operator. In this case the detected part of the lambda value effectively does not exist.

As was shown, the safe failure fraction (Equation 17) is then modified accordingly:

$$\mathrm{SFF} = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}} \;\rightarrow\; \mathrm{SFF} = \frac{\lambda_{SU}}{\lambda_{SU} + \lambda_{DU}}$$

because a failure that is detected by the device but never acted upon behaves as an undetected one: $\lambda_{SD}$ is absorbed into $\lambda_{SU}$ and $\lambda_{DD}$ into $\lambda_{DU}$.

In a simple case where all four lambda values are equal, the SFF in the first case is 0.75, while with no diagnostic action at all it is 0.5.

Based on calculations with realistic figures, the lack of diagnostic action drops the SFF substantially (from 0.75 to 0.5 in the equal-rate case), and according to Table 24 an SFF < 60 % means that one has to be added to the HFT value in the table. In practice, if the requested SIL = 2 and diagnostics are installed and acted upon, HFT = 1; without diagnostic action, HFT = 2.

Conclusion: the application of HART or FOUNDATION Fieldbus components is not enough; a diagnostic data acquisition system has to be installed as well, with actions performed by the operators and maintenance personnel.
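The relations used in sections 5.4.4 to 5.4.8 (HFT = N - M for a voted architecture, the SFF of Equation 17, the type B constraints of Table 24 and the collapse of detected into undetected failures when diagnostics are not acted upon) can be put together in a small calculator. The following is an added example written for this edition, not the dissertation's own tool and not vendor software; the failure rates in it are constructed (1e-6 per hour for each of the four classes, the equal-rate case above) and the SFF bands follow IEC 61508-2 for type B subsystems.

```python
"""Architectural-constraint check for a SIF subsystem (added example, not
from the dissertation or any vendor tool). It wires together HFT = N - M for
a MooN voted architecture, the SFF of Equation 17, the type B table of
IEC 61508-2 (Table 24) and the effect of diagnostics whose results nobody
acts on (section 5.4.8). All failure-rate figures are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class FailureRates:
    """Failure rates (per hour) split into the four IEC 61508 classes."""
    sd: float  # safe detected
    su: float  # safe undetected
    dd: float  # dangerous detected
    du: float  # dangerous undetected

    def sff(self) -> float:
        """Equation 17: every failure except dangerous undetected counts as safe."""
        return (self.sd + self.su + self.dd) / (self.sd + self.su + self.dd + self.du)

    def coverage(self) -> float:
        """Coverage factor: share of dangerous failures the diagnostics reveal."""
        return self.dd / (self.dd + self.du)

    def without_diagnostic_access(self) -> "FailureRates":
        """The 'smart' device diagnoses the fault, but nothing is brought out to
        the logic solver or operator: a detected failure then behaves like an
        undetected one, so SD folds into SU and DD into DU."""
        return FailureRates(sd=0.0, su=self.sd + self.su, dd=0.0, du=self.dd + self.du)


def hft(m: int, n: int) -> int:
    """Hardware fault tolerance of a MooN architecture: HFT = N - M."""
    if not 1 <= m <= n:
        raise ValueError("a MooN architecture needs 1 <= M <= N")
    return n - m


# Table 24 (IEC 61508-2, type B subsystems): maximum SIL claim indexed by
# [SFF band][HFT]; None means the combination is not allowed.
_TABLE_24 = {
    "<60": (None, 1, 2),
    "60-90": (1, 2, 3),
    "90-99": (2, 3, 4),
    ">=99": (3, 4, 4),
}


def sff_band(sff: float) -> str:
    if sff < 0.60:
        return "<60"
    if sff < 0.90:
        return "60-90"
    if sff < 0.99:
        return "90-99"
    return ">=99"


def max_sil_type_b(sff: float, fault_tolerance: int) -> Optional[int]:
    """Highest SIL claimable for a type B subsystem with the given SFF and HFT.
    The table stops at HFT 2; a higher HFT is treated like HFT 2."""
    return _TABLE_24[sff_band(sff)][min(fault_tolerance, 2)]


def min_hft_type_b(sff: float, required_sil: int) -> int:
    """Smallest HFT (0..2) at which Table 24 allows the required SIL."""
    for ft in range(3):
        sil = max_sil_type_b(sff, ft)
        if sil is not None and sil >= required_sil:
            return ft
    raise ValueError(f"SIL {required_sil} is not claimable at SFF {sff:.0%} with HFT <= 2")


def worked_example(required_sil: int = 2) -> Dict[str, float]:
    """The equal-rate case of section 5.4.8 (constructed rates, 1e-6 /h each)."""
    smart = FailureRates(sd=1e-6, su=1e-6, dd=1e-6, du=1e-6)
    blind = smart.without_diagnostic_access()
    return {
        "sff_with_diagnostics": smart.sff(),                               # 0.75
        "sff_without_diagnostics": blind.sff(),                            # 0.5
        "hft_needed_with": min_hft_type_b(smart.sff(), required_sil),      # 1
        "hft_needed_without": min_hft_type_b(blind.sff(), required_sil),   # 2
    }


if __name__ == "__main__":
    for arch in ("1oo1", "2oo2", "1oo2", "2oo3", "1oo3", "2oo4"):
        m, n = (int(x) for x in arch.split("oo"))
        print(f"{arch}: HFT = {hft(m, n)}")
    print(worked_example())
```

The check worth keeping from this is `min_hft_type_b`: it makes the consequence of section 5.4.8 explicit, since the same transmitter needs one more redundant channel for SIL 2 the moment its diagnostics stop being read and acted upon.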

5.4.9 Requirements for the selection of components and subsystems

For the SIS designer the standard defines two levels of requirements:

requirements for the selection of components or subsystems which are to be used as part of a safety instrumented system;

requirements that enable a component or subsystem to be integrated into the architecture of a SIS.

The first criterion to be satisfied is the hardware fault tolerance, which should be established SIF by SIF.

The second criterion is to decide whether the proven-in-use or the certified-component method is to be applied. When certified components are used, the only task left for the designer is to prepare a pre-validation SIF by SIF. When the proven-in-use method is used, this is not the designer's decision but the customer's, and the responsibility therefore becomes the customer's.

5.5 SIS design verification

According to IEC 61511 every life cycle phase has to be verified.

For the designer this means that a strict design procedure, in written form, must be followed and verified. That is the main difference between designing a traditional PLC system and a SIS.

The written procedure should cover the competence of the persons and departments involved, who takes the decisions, the certification of components and of people, etc.

5.5.1 Pre-validation

The standard does not say anything about pre-validation.

However, it is important for the designer to be sure that the designed SIF matches the target SIL and target risk reduction values. Otherwise, after installation and commissioning, problems will surface in the validation phase, meaning extra modification cost and delay of the plant start-up.

5.6 Summary and conclusion

Designing a SIS follows rules laid down in the IEC 61508 and IEC 61511 standards, such as:

Hardware fault tolerance

Safe failure fraction

Method of certification (TÜV certificate or proven in use)

Who makes the decision about the method

Verification procedure

All these aspects have the same importance and priority, and if any of them is missed the SIS will not be correct, causing a potential risk for the end user.


6 SIS maintenance management: proof test management

Maintenance costs, sooner or later, will be key parameters in the design of a safety system. Nowadays everybody uses a fixed parameter for the proof test interval in the SIL calculation (for example two years), or plays with the proof test interval (increasing or decreasing it) to reach the requested target SIL values and risk reduction factors. That means that one has to design not only the safety system but also the maintenance activity of the safety system.

First I analysed the different time schedule optimisation strategies; then, based on the best strategy, I built a new failure model for the dangerous undetected failures (λDU); then I started the optimisation of the proof test interval of the SIF loops themselves. This is a good basis for a maintenance cost analysis based on realistic company maintenance costs. The results of this work will later be implemented in the Tool4S HAZOP/LOPA study software.

6.1 Overview of proof testing according to the standard

According to IEC 61511 failures are classified as follows:

Safe failure: the subsystem fails safe if it carries out the safety function without a demand arriving from the process;

Dangerous failure: the subsystem fails dangerous if it cannot carry out the safety function upon demand from the process;

Detected failure: the failure is detected if a built-in diagnostic reveals it;

Undetected failure: the failure is undetected if only a proof test is able to reveal it (or, in some cases, it is impossible to detect at all).

In the area of process safety the components therefore have four different failure rates:

Safe detected: λSD;

Safe undetected: λSU;

Dangerous detected: λDD;

Dangerous undetected: λDU.

Failures may be revealed:

through normal process operation, when for example the operator, based on his/her experience with the given technology, discovers an inconsistency between different parameters caused by sensors and/or actuators;

through built-in diagnostic tests, for example a HART maintenance system for transmitters and valves;

through periodic proof tests.

In the standard there is an important definition called the safe failure fraction, SFF, see Equation 17:

$$\mathrm{SFF} = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}} \qquad \text{Equation 17}$$

The other important definition is the coverage factor, see Equation 18:

$$\text{coverage factor} = \frac{\lambda_{DD}}{\lambda_{DD} + \lambda_{DU}} \qquad \text{Equation 18}$$

Revealing failures through normal process operation means that the process behaviour on its own reveals the failure of the subsystem, for example:

the plant shuts down due to a safe failure of the pressure transmitter, or

a vessel cannot be emptied because the drain valve is stuck closed (a dangerous failure).

This way of revealing failures is neither useful nor efficient, from the safety point of view or from the process availability point of view. The standards offer solutions to overcome this problem.

In the safety industry a lot of testing takes place

Built-in diagnostic tests

Periodic proof tests

Any test feature has two properties:

Frequency: how often the test is carried out

Coverage: the percentage of failures detected (0–100 %) by the test

The test is only useful if we can act upon results and decisions are made for further action with:

given frequency,

given coverage factor,

and given action.

A test is called a proof test if

the test is not automatic, OR

its frequency is too low compared with the demand rate.

A proof test is

initiated by a human action and

usually "not built in": additional equipment is necessary to carry out the test.

For example, an operator performs a partial stroke test (PST) on a safety valve.

Usually a diagnostic test is a built-in feature of the safety components, for example a memory test, CPU test, watchdog, etc. A test is called a diagnostic test when it

is carried out automatically, AND

is carried out frequently, AND

is used to reveal failures that could jeopardize the safety function, AND

results in an automated safe response.

How often must a test be carried out to be called a diagnostic test? Its interval must be at least one order of magnitude (a factor of 10) shorter than the expected time between demands.

A typical question is what, in practice, the difference is between a diagnostic test and a periodic proof test, and which is better and why. The answer is simple: the distinction lies in the detection time:

if the expected demand rate is one per year and an automatic partial stroke test is performed more often than once a month, the partial stroke test is designated a diagnostic test;

if the same automatic partial stroke test is performed once every two months, it is designated a periodic proof test.

The other big difference is that a diagnostic test detects the failure immediately, while a proof test detects it only when the test is performed.

Figure 38 shows the connection between the result of a failure (safe or dangerous), the method by which the failure is revealed (diagnostic or proof test) and the type of failure rate (lambda value).

I will discuss the cost-effective methods of proof testing, as a research thesis, in Chapter 6.

Figure 38 Tree structure of failures [figure: the Device at the root splits by result of failure into Safe and Dangerous; each branch splits by how the failure is revealed, Diagnostic or Proof Test, giving the leaves Safe Detected, Safe Undetected, Dangerous Detected and Dangerous Undetected; transfer gates join the branches]


6.2 Overview and critical analysis of recent practice

Process safety systems (SIS) are built on the basis of IEC 61508 and IEC 61511. IEC 61508 [IEC_508] is the generic standard and a strict guideline for developers and manufacturers of safety products (both software and hardware), while IEC 61511 is process-industry specific and governs the activity of system integrators and end users. That is why I focused on IEC 61511 [IEC_511].

Here I deal only with phase 6 of the safety life cycle, namely the operation and maintenance phase of IEC 61511. In this life cycle phase the requirement is to maintain the functionality and reliability of the safety system under operation and maintenance over the whole life of the safety system, and to prove that the targeted SIL requirement is reached. In the third phase, "Safety Requirement Specification", of IEC 61511, the maintenance parameters of the safety system (process safety time, spurious trip rate) are designed for each safety instrumented function (SIF), and a proof test interval is also calculated. The probability of failure on demand (PFD) and the risk reduction factor (RRF) for each SIF are calculated in the second phase, "allocation of safety functions to protection layers", of IEC 61511, using the Layer of Protection Analysis (cumulative LOPA) method, see Chapter 4. In this calculation the proof test interval (TI) is taken into consideration. The output of the calculation is the PFD value and the risk reduction factor of the given SIF. Both of these parameters change (become worse) with time, as shown in Figure 42 and Figure 43.

6.2.1 SIF and failure rates

A SIF, by the definition of IEC 61508 and IEC 61511, is a safety instrumented function: the only scalable independent protection layer preventing, or reducing the consequences of, the hazard.

Every SIF consists of:

a group of sensors,

a logic solver,

a group of actuators.

In practice the "sensor part", connected in series, consists of

sensors,

sampling systems,

isolators,

a power supply unit.

The SIF therefore becomes a more complex subsystem than one whose SIL value can be calculated in a simple way. The result of a calculation will vary case by case, depending on the materials involved in the given part of the technology and on the components used in the sensor loop. Using quantitative methods (FMEA or Markov analysis) to calculate the SIL value of SIFs, the calculation will be time consuming, not to mention the problem of not having correct failure rates for components of the subsystems such as sampling lines, sampling valves, etc. The failure rates (lambda values) are important not only in the SIL calculation but also in the evaluation of the proof test of SIFs.


The design shall allow for testing of the SIS either end-to-end or in parts (the term end-to-end means from process fluid at sensor end to process fluid at actuation end). Where the interval between scheduled process downtime is greater than the proof test interval, online testing facilities are required.

When on-line proof testing is required, test facilities shall be an integral part of the SIS design to test for undetected failures, see also Chapter 5.4.8.

The proof test interval should be selected to achieve the average probability of failure on demand as required in the safety requirements specification.

According to the standard the failure rates are grouped as follows, see in more details in Chapter 6.1:

Safe detected – λSD

Dangerous detected - λDD

Safe undetected - λSU

Dangerous undetected - λDU

A safe failure is one that drives the technology into the safe state (called a spurious trip), while a dangerous failure is one where the system is unable to take action on demand.

From the proof test point of view the λDU value is critical: it can only be revealed by a proof test, which is usually performed when the plant is not running.

6.2.2 Critical analysis of proof test model according to IEC 61511

According to IEC 61511: „16.3.1.1 Periodic proof tests shall be conducted using a written procedure (see 16.2.8) to reveal undetected faults that prevent the SIS from operating in accordance with the safety requirement specification. 16.3.1.2 The entire SIS shall be tested including the sensor(s), the logic solver and the final element (s) (for example, shutdown valves and motors). 16.3.1.3 The frequency of the proof tests shall be as decided using the PFDavg calculation.”

Studying this, one can see that if the proof test is performed, the PFD value will, by the definition of the IEC 61511 standard, be identical with the "as new" state (for more details see Chapter 6.3).

The standard implies that a proof test is identical to a functional test, but this simple approach opens the possibility of misinterpretation when applying the standards. Analysing further what IEC 61511 implies about the proof test, we face some problems.

The question that the standard does not answer is what it means for the proof test to be successful. There are two possible answers:

the proof test runs through without finding any failure;

the proof test fails.

Figure 39 shows a simplified Markov model of what the IEC 61508 standard implies.

In Figure 40 one can see clearly that the functional test never drives the system to the "as new" state.


Figure 39 Proof test model implied by IEC 61511 [figure: two states, "SIF, as new" and "SIF with failure"; a proof test that is OK returns the SIF to "as new", a proof test that is NOT OK leads to SIF maintenance and repair and from there back to "as new"]

Figure 40 Proof test model in reality, based on IEC 61511 [figure: the same states and transitions, but a proof test that is OK can also leave the SIF in the "SIF with failure" state, so the test alone never returns the system to "as new"]

This model explains the main reason why the proof test coverage factor was introduced. What the standard lacks is a definition of what the proof test coverage factor means. There are two possible interpretations:

The proof test fails, and the ratio of failed proof tests is the proof test coverage factor.

After a successful functional test, even if it was OK or maintenance was done, some hidden failure remains. The ratio of hidden failures to total failures is called the proof test coverage factor.

The first interpretation is not correct, since after troubleshooting the failure and repairing or replacing the failed components the system will be "as new", i.e. the proof test was 100 % successful and the proof test coverage factor was also 100 %.

The second interpretation contradicts the IEC 61511 standard, which states that the goal of the proof test is to reveal the undetected dangerous failures of the SIFs.

The only correct interpretation of the proof test coverage factor is the ratio of the hidden (undiscovered) failure rate at the given moment when the proof test is performed. In Chapter 6.4 I introduce a new model to overcome this problem.

How does the proof test work? The PFD value varies with time. Figure 42 and Figure 43 show that the test interval is a critical parameter in the PFD and RRF calculation. In these two figures one can also see the influence of the proof test coverage factor.

6.2.3 Critical analysis of recent practice

According to our practice and to A. C. Torres-Echeverría et al. [TOR05], the proof test shall include:

maintenance of the complete SIF loops;

testing the functionality of the given SIF and documenting the results (validation).

If one does not use this two-stage model of the proof test procedure, the SIF will never be "as new". Of course this model increases the cost of the proof test, but the plant will be safer, A. C. Torres-Echeverría et al. [TOR05].

We concluded from this model that it is neither useful nor practical to save money by reducing the content of the proof tests; that is why I focused on the time period of the proof test rather than on its content.

Figure 41 New model of proof test [figure: a SIF component reaches the "SIF as new" state only when both the proof test and the laboratory test are OK; if any test is not OK, the failed SIF components go to maintenance and repair and are tested again]

In the first step I investigated and evaluated two models of the proof test interval (for the results see Chapter 6.4 later):

the time period between proof tests is equal;

the time period between proof tests is not equal, but decreases with time.

6.2.4 Proof test scheduling

There are two possibilities for setting TI (the proof test interval). In the first case the TI value is given for the SIF as a whole, for example SIF 001 TI = 2 years. The second version, with different TI values for sensors, logic solver and actuator, for example sensor TIS = 6 years, logic solver TIL = 10 years and actuator TIA = half a year, gives the possibility of optimisation.

There are also two possibilities for scheduling the proof test. In the first case the proof test interval keeps the same value over the total life cycle of the SIF, while in the second case the interval decreases with time, i.e. it is longer in the first period and becomes shorter later on.

According to my calculations there is practically not much difference between the two strategies.

That is why the proof test interval should vary SIF by SIF; using the same proof test interval for a complete SIS is a very simplified mode.

A typical question is the coverage factor of the proof test introduced by the standard; see the details in Chapter 6.3. The reason why the coverage factor was introduced in the standard is the potential imperfection of the proof test. Figure 42 shows a perfect proof test, while Figure 43 shows an imperfect proof test (coverage factor less than 100 %). Comparing the two figures one can see the difference in PFDavg. When the coverage factor is 100 %, the PFDavg value does not change with time over the total life cycle of the components. In the case of an imperfect proof test the PFDavg increases with time. Equation 19 shows how to calculate the PFDavg value:

$$\mathrm{PFD}_{avg} = \frac{1}{T_I} \int_{0}^{T_I} \mathrm{PFD}(t)\, dt \qquad \text{Equation 19}$$

Figure 42 PFD as a function of time with 100 % coverage factor, according to IEC 61511 [figure: probability of component failure F(t) on the vertical axis from 0 to 1, time t on the horizontal axis with the test interval TI marked, and the average PFD drawn as a horizontal line]


Figure 43 PFD as a function of time with a coverage factor below 100 %, according to IEC 61511

The difference between Figure 42 and Figure 43 gives a possible interpretation of the proof test coverage factor. But without an interpretation of what the proof test coverage factor means, one cannot use it in a correct way.

In Chapter 6.4.1 I focus on the possible interpretation of the proof test coverage factor by giving a deeper probabilistic model for the real features of dangerous undetected failures.
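The behaviour shown in Figures 42 and 43, and the two scheduling strategies of Chapter 6.2.4, can be reproduced numerically with a simple single-channel model. The following is an added example written for this edition, not the dissertation's own model or tool: a channel with dangerous undetected failure rate λDU is proof tested at the listed times, each test reveals (and repair removes) the fraction `coverage` of whatever dangerous failure is hidden at that moment, the rest stays hidden and accumulates, and PFDavg is the time average of Equation 19 integrated numerically over the whole mission. The failure rate, test interval, mission time and the geometric shrink ratio of the second schedule are constructed values for the example.

```python
"""Proof-test model behind Equation 19 and Figures 42 and 43 (added example,
not the dissertation's own tool). A single channel with dangerous undetected
failure rate lambda_DU is proof tested at the listed times; a test reveals,
and repair removes, the fraction `coverage` of whatever dangerous failure is
hidden at that moment, the rest stays hidden and accumulates. PFDavg is the
time average of PFD(t) over the mission (Equation 19, integrated numerically).
The rates, interval, mission time and shrink ratio are constructed."""
import math
from typing import List, Sequence, Tuple


def pfd_trace(lambda_du: float, test_times: Sequence[float], mission: float,
              coverage: float = 1.0, step: float = 1.0) -> List[Tuple[float, float]]:
    """Sample PFD(t) every `step` hours from 0 to `mission`.

    Between tests the probability of carrying a hidden dangerous failure grows
    as p(t+dt) = 1 - (1 - p(t)) * exp(-lambda_du * dt); at a proof test it is
    multiplied by (1 - coverage). coverage = 1.0 is the perfect test of
    Figure 42, coverage < 1.0 the imperfect test of Figure 43."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be within 0..1")
    pending = sorted(t for t in test_times if 0.0 < t <= mission)
    p, t, i = 0.0, 0.0, 0
    trace = [(0.0, 0.0)]
    while t < mission:
        dt = min(step, mission - t)
        p = 1.0 - (1.0 - p) * math.exp(-lambda_du * dt)
        t += dt
        while i < len(pending) and pending[i] <= t + 1e-9:
            p *= 1.0 - coverage      # revealed share is repaired, the rest stays hidden
            i += 1
        trace.append((t, p))
    return trace


def pfd_avg(trace: Sequence[Tuple[float, float]]) -> float:
    """Equation 19 by the trapezoidal rule: (1/T) * integral of PFD(t) dt."""
    area = 0.0
    for (t0, p0), (t1, p1) in zip(trace, trace[1:]):
        area += 0.5 * (p0 + p1) * (t1 - t0)
    return area / trace[-1][0]


def equal_schedule(ti: float, mission: float) -> List[float]:
    """Strategy 1 of Chapter 6.2.4: the same interval TI over the whole life."""
    n = int(round(mission / ti))
    return [k * ti for k in range(1, n + 1)]


def shrinking_schedule(n_tests: int, mission: float, ratio: float = 0.8) -> List[float]:
    """Strategy 2: intervals shrink geometrically (each is `ratio` times the
    previous one) while the same number of tests covers the same mission."""
    first = mission * (1.0 - ratio) / (1.0 - ratio ** n_tests)
    times, t = [], 0.0
    for k in range(n_tests):
        t += first * ratio ** k
        times.append(t)
    times[-1] = mission              # absorb floating-point drift on the last test
    return times


def compare(lambda_du: float = 1e-6, ti: float = 8760.0, years: int = 10) -> dict:
    """PFDavg over the mission for the cases discussed in 6.2.4 and Figures 42/43
    (constructed: lambda_DU = 1e-6 /h, TI = 1 year, 10-year mission)."""
    mission = years * ti
    equal = equal_schedule(ti, mission)
    shrink = shrinking_schedule(len(equal), mission)
    return {
        "perfect_equal": pfd_avg(pfd_trace(lambda_du, equal, mission, 1.0)),
        "approx_lambda_ti_over_2": lambda_du * ti / 2.0,
        "coverage_0.9_equal": pfd_avg(pfd_trace(lambda_du, equal, mission, 0.9)),
        "coverage_0.6_equal": pfd_avg(pfd_trace(lambda_du, equal, mission, 0.6)),
        "coverage_0.9_shrinking": pfd_avg(pfd_trace(lambda_du, shrink, mission, 0.9)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26s} {value:.3e}")
```

With a perfect test the mission average stays at the familiar λDU·TI/2 of Figure 42, whatever the mission length; with any coverage below 100 % the hidden part compounds from one interval to the next and the lifetime average climbs, which is the rising curve of Figure 43. Running `compare()` also gives the two scheduling strategies side by side for the same number of tests, so the reader can repeat the comparison of Chapter 6.2.4 with their own λDU and coverage.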

6.2.5 Proof test interval and proof test strategy

The proof test interval (TI), given in years or months and included in the Safety Requirement Specification, is a scheduled time period whose purpose is to reveal the dangerous undetected failures (λDU) of the SIFs.

The cost of the proof test is part of OPEX and is managed by the maintenance department. Companies are becoming more and more sensitive about OPEX figures, which is why it is so important to optimize the cost of the proof test. The standard does not give detailed information about the proof test and only talks about it as a "possibility of revealing the undetected dangerous failures". The standard does not specify the content of the proof test, which is why different content strategies are analyzed in Chapter 6.4.

There are a number of strategies in use for selecting the proof test interval of a SIF.

Some users like to make the proof test interval as long as possible to minimize maintenance cost and the potential impact of testing. In this case the SIS design may include more equipment redundancy, increased diagnostic coverage and more robust components.

Other users may wish to standardize on a defined test interval and test all systems in a manufacturing plant at the same interval. For example, they may wish to test each SIF annually, and thus design each SIS with the same TI in the safety requirement documentation.

In selecting a proof test interval, consideration should be given to the demand rate of the system (for high demand mode; in continuous mode there is no proof test), the failure rate of each tested component, and the overall system performance requirements; the results are laid down in the safety requirement specification SIF by SIF.

In practice there are two other possibilities for selecting the proof test interval:

One makes a preliminary value for it and inserts it into the SRS.

One prepares the SIS design and decides on the proof test interval SIF by SIF at the validation phase.

[Figure residue (axes of Figures 42 and 43): probability of component failure F(t) versus time t, from 0 to TI (test interval), with the average PFD marked.]

6.3 Proof test coverage factor

6.3.1 Imperfect proof testing

IEC 61508 defines the proof test as a "periodic test performed to detect failures in a safety related system so that the system can be restored to an 'as new' condition or as close as practical to this condition." In practice this means that the proof test is assumed to be always perfect or near perfect. Figure 44 illustrates that model concept:

[Figure 44 states and transitions: "State = OK (as new)", "State = ?? (possible failure)", "State = Not OK (known failure)"; transitions labelled "no failure found", "failure found" and "repair".]

Figure 44 Concept of proof test from IEC 61508

A SIF consists of three parts: sensor(s), logic solver and final element(s). The standard was developed for E/ES/EPS systems, for which that model concept is acceptable. But that concept is doubtful for field devices, especially for valves. Even if the valve works well during the test, i.e. no failure is found by the proof test, it does not mean that the valve can be considered "as new", due to corrosion, erosion and other environmental stress. R.J. Tiezema et al. [TIE03] also claim that "IEC 61508 standard considers proof tested equipment as "new" after the test. That may be valid for electronic system, but it is surely not acceptable for most sensors and final elements".

We focus on actuators because they usually contribute the largest share of the probability of failure on demand of a safety loop. To demonstrate this, let me evaluate a simple SIF: a SIF which consists of a generic pressure transmitter (sensor), a generic SIL 2 certified PLC (logic solver) and a generic ball valve with a 3-way solenoid valve (actuator). Table 25 shows the failure data (taken from the Exida database) and the calculated PFDavg values of this SIF. One can see that the actuator part accounts for more than 70% of the total PFDavg.

Table 25 Example SIF (pressure trip)

SIF part                                                        Failure data (from Exida database)            PFDavg (1 year)   PFDavg %
Generic pressure transmitter                                    λDD = 7.0·10^-7 1/h, λDU = 6.0·10^-7 1/h      2.63·10^-3        17.7%
Generic SIL 2 certified PLC                                     λDD = 4.3·10^-6 1/h, λDU = 2.6·10^-7 1/h      1.14·10^-3        7.7%
Generic air actuated ball valve + generic 3-way solenoid valve  λDD = 0, λDU = 2.5·10^-6 1/h                  1.08·10^-2        72.8%

My team completed about one hundred HAZOP studies in the refinery industry and found that the actuator part determines more than half of the PFD value in most cases (especially if the actuator is a valve). [HOU04] and [GOB_98] also indicate that valves contribute most of the PFDavg of a safety loop.
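To make Equation 19 and the figures of Table 25 concrete, here is an added Python example (my own code, not the dissertation's and not the Exida tool's) that evaluates the PFDavg integral for each part of the example SIF, both numerically and in closed form, and compares it with the common λDU·TI/2 approximation. It assumes a constant λDU, a perfect annual proof test, 8760 hours per year (the text does not state its conversion) and a 1oo1 series architecture in which the SIF's PFDavg is the sum of the parts' values; the detected (λDD) rates are not used because detected failures are assumed to be repaired promptly.

```python
import math

HOURS_PER_YEAR = 8760.0  # assumption: the dissertation does not state its hours-per-year conversion


def pfd_of_t(lam_du: float, t_hours: float) -> float:
    """PFD at time t since the last (perfect) proof test for a constant
    dangerous undetected failure rate lam_du [1/h]."""
    return 1.0 - math.exp(-lam_du * t_hours)


def pfd_avg_numeric(lam_du: float, ti_hours: float, steps: int = 8760) -> float:
    """Equation 19 evaluated numerically: (1/TI) * integral_0^TI PFD(t) dt,
    trapezoidal rule on `steps` sub-intervals."""
    h = ti_hours / steps
    total = 0.5 * (pfd_of_t(lam_du, 0.0) + pfd_of_t(lam_du, ti_hours))
    for k in range(1, steps):
        total += pfd_of_t(lam_du, k * h)
    return total * h / ti_hours


def pfd_avg_closed_form(lam_du: float, ti_hours: float) -> float:
    """The same integral in closed form: 1 - (1 - e^{-lam*TI}) / (lam*TI).
    Returns 0 for lam_du == 0 (a part that never fails dangerously)."""
    x = lam_du * ti_hours
    if x == 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def pfd_avg_linear(lam_du: float, ti_hours: float) -> float:
    """The usual first-order approximation lambda_DU * TI / 2."""
    return lam_du * ti_hours / 2.0


# lambda_DU of the three parts of the example SIF, from Table 25 (1/h)
SIF_PARTS = {
    "pressure transmitter": 6.0e-7,
    "SIL 2 PLC": 2.6e-7,
    "ball valve + 3-way SOV": 2.5e-6,
}


def sif_pfd_breakdown(parts=SIF_PARTS, ti_hours: float = HOURS_PER_YEAR):
    """Return ({part: PFDavg}, {part: share of the SIF total}) for a 1oo1 series SIF,
    where the SIF PFDavg is the sum of the parts' PFDavg values."""
    per_part = {name: pfd_avg_closed_form(lam, ti_hours) for name, lam in parts.items()}
    total = sum(per_part.values())
    shares = {name: v / total for name, v in per_part.items()}
    return per_part, shares


if __name__ == "__main__":
    per_part, shares = sif_pfd_breakdown()
    for name, lam in SIF_PARTS.items():
        print(f"{name:24s} lamDU={lam:.1e} 1/h  PFDavg={per_part[name]:.2e}  "
              f"({shares[name] * 100:.1f}% of total)  "
              f"linear approx={pfd_avg_linear(lam, HOURS_PER_YEAR):.2e}")
    print(f"numeric check, valve: {pfd_avg_numeric(2.5e-6, HOURS_PER_YEAR):.3e}")
```

Under these assumptions the closed form reproduces the three PFDavg values of Table 25 to within about 1%, and the valve comes out at roughly 74% of the SIF total, close to the table's 72.8% (the page does not state the tool settings behind its figures). The numeric and closed-form integrals agree to better than 1e-7, so the λDU·TI/2 shortcut is accurate here only because λDU·TI is small; for longer intervals or higher rates the exact integral should be used.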

6.3.2 Coverage factor approach

Since the proof test has a significant influence on the final PFDavg value, the imperfectness of proof testing is not negligible. But how can the imperfectness of a proof test be quantified? The classical approach is the introduction of the so-called proof test coverage factor, similarly to the diagnostic coverage factor. The proof test coverage factor (PTC) gives the fraction of undetected failures which can be detected by proof testing. Namely, the undetected failure rate is separated into two parts:

$$\lambda_{DU}^{PT} = PTC \cdot \lambda_{DU} \qquad \text{(Equation 20)}$$

$$\lambda_{DU}^{NPT} = (1 - PTC) \cdot \lambda_{DU} \qquad \text{(Equation 21)}$$

where $\lambda_{DU}^{PT}$ is the rate of dangerous undetected failures that can be revealed, and $\lambda_{DU}^{NPT}$ is the rate of dangerous undetected failures that cannot be revealed by proof testing.

The application of this approach is very simple: when the PFD is calculated, one has to calculate two PFD curves with the two failure rates and sum them. Figure 45 illustrates this solution.

[Figure 45 axes: PFD versus time; curves PFDtotal, PFDNPT and PFDPT; proof tests marked at each TI.]

Figure 45 PFD with proof test coverage factor

6.3.3 Problems with coverage factor approach

The application of the proof test coverage factor is easy and widely accepted in functional safety practice. SIL calculation programs, e.g. EXSILentia, can also take the proof test coverage factor into consideration. It is obvious that this factor cannot be neglected. Table 26 shows how the PFDavg depends on the PTC factor for a generic ball valve actuator.

Table 26 illustrates that the PTC factor has a very big influence on the SIL calculation. Hence a question arises: how large should the proof test coverage factor be in a particular case?

Unfortunately, as far as I know, there is no guideline about the scale of the PTC factor. The IEC 61508 and 61511 standards do not mention the proof test coverage factor, and most articles which deal with proof testing just assume (explicitly or implicitly) that testing and repair are perfect. R.J. Tiezema et al. [TIE03] claim that "high proof test coverage factors can hardly be demonstrated for sensors and final elements" but do not give a specific example or confirmation.

Table 26 Influence of PTC on PFDavg for a generic air actuated ball valve with 3-way SOV

PTC %   PFDavg for 10 years (PTI = 1 year)
100%    1.08·10^-2
90%     2.04·10^-2
80%     2.99·10^-2
70%     3.93·10^-2
60%     4.86·10^-2
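The two-curve approach of section 6.3.2 and the sensitivity shown in Table 26, as an added Python example (my code, not the dissertation's and not EXSILentia's). It splits λDU by Equations 20 and 21, builds PFD(t) as the sum of a part that restarts at every proof test and a part that never restarts (the two curves of Figure 45), and averages the sum over a 10-year mission with an annual proof test. Assumptions: constant failure rates, a perfect test for the PT part, no repair time, and 8760 hours per year. The `_avg_1_minus_exp` helper is the closed-form time average of 1 - e^(-λt); its zero-rate branch is what keeps PTC = 100% (λNPT = 0) from dividing by zero.

```python
import math

HOURS_PER_YEAR = 8760.0   # assumption: the dissertation does not state its hours-per-year conversion
LAMBDA_DU = 2.5e-6        # 1/h, generic air actuated ball valve + 3-way SOV (Tables 25 and 26)


def split_rates(lam_du: float, ptc: float):
    """Equations 20 and 21: (lambda_DU_PT, lambda_DU_NPT) for a coverage fraction ptc."""
    if not 0.0 <= ptc <= 1.0:
        raise ValueError("PTC must be a fraction between 0 and 1")
    return ptc * lam_du, (1.0 - ptc) * lam_du


def pfd_total(t_hours: float, lam_du: float, ptc: float, ti_hours: float) -> float:
    """PFD(t) as the sum of the two curves of Figure 45: the PT part restarts at
    every proof test (time since the last test), the NPT part never restarts."""
    lam_pt, lam_npt = split_rates(lam_du, ptc)
    since_test = t_hours % ti_hours
    return (1.0 - math.exp(-lam_pt * since_test)) + (1.0 - math.exp(-lam_npt * t_hours))


def _avg_1_minus_exp(lam: float, horizon: float) -> float:
    """Time average of 1 - e^{-lam t} over [0, horizon]; 0 when lam or horizon is 0,
    which is the PTC = 100% case (no NPT part at all)."""
    x = lam * horizon
    return 0.0 if x == 0.0 else 1.0 - (1.0 - math.exp(-x)) / x


def pfd_avg_with_ptc(lam_du: float, ptc: float, ti_hours: float, mission_hours: float) -> float:
    """Mission-average PFD: the PT part averaged over one test interval (it is the
    same in every interval) plus the NPT part averaged over the whole mission."""
    lam_pt, lam_npt = split_rates(lam_du, ptc)
    return _avg_1_minus_exp(lam_pt, ti_hours) + _avg_1_minus_exp(lam_npt, mission_hours)


def ptc_table(lam_du=LAMBDA_DU, ti_years=1.0, mission_years=10.0,
              ptcs=(1.0, 0.9, 0.8, 0.7, 0.6)):
    """Recompute Table 26: {PTC fraction: PFDavg} for the given interval and mission time."""
    ti = ti_years * HOURS_PER_YEAR
    mission = mission_years * HOURS_PER_YEAR
    return {p: pfd_avg_with_ptc(lam_du, p, ti, mission) for p in ptcs}


if __name__ == "__main__":
    for ptc, value in ptc_table().items():
        print(f"PTC {ptc * 100:3.0f}%  PFDavg(10 y, TI = 1 y) = {value:.2e}")
```

Run as a script it prints the five rows of Table 26; under these assumptions the values agree with the table to within about 1.5%. The point the table makes is visible in the output: because the NPT part accumulates over the whole mission instead of over one test interval, a 10% reduction in PTC roughly doubles the 10-year PFDavg of this valve.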


It seems that virtually nobody has ever asked what the PTC factor really means, and everybody uses it without thinking it over. Using an important factor in a calculation without even knowing what it is and how large it should be is bad engineering practice.


First let us think over what the PTC factor means. It means that there are some random hardware failures which cause the system to be unable to perform its safety function on demand, and these failures are not detectable by proof test. E.g. in the case of valves, there are random failures that cause the valve not to close properly, and it is not possible to detect these failures by proof test.

A proof test usually consists of a real simulation of the safety function. E.g. in the case of valves, a proper proof test means testing whether the valve can close fully and fast enough. Therefore, if the proof test is comprehensive enough, the chance of not finding a dangerous failure is near zero (i.e. the PTC will be near 100%).

Consequently, a low PTC value means that something is wrong with the proof test procedure. But a proof test must be comprehensive because the standard demands it. Additionally, a comprehensive proof test of a safety valve is also possible in practice: it is enough to do a full stroke test and a leakage test at process conditions.

Here we get into a contradiction: on the one hand we state that in practice the proof test coverage factor cannot be high for final elements (valves), but on the other hand we concluded that it must be near 100%. The next section will show why we got this contradiction and what the right solution is.

6.4 New model of undetected dangerous failures

Why is a new failure model needed?

The contradiction introduced above comes from the fact that the proof test coverage factor is a bad concept. The PTC factor depends on the proof test procedure itself, and there is no direct connection between the PTC factor and the subsystem, as e.g. R.J. Tiezema et al. [TIE03] suggest. The proof test is imperfect because the proof tested equipment cannot be considered "as new" even after a successful test (see section 6.3.1), and not because the proof test procedure is wrong.

In order to understand the above statements a few aspects of the failure model have to be considered. In IEC 61508 the hardware failure model is very simple: every subsystem has only two states (from the viewpoint of dangerous failures):

Good state: the subsystem can perform its function.

Bad state: the system cannot perform its function.

Figure 46 shows the classical concept (focusing on the dangerous undetected, DU, failures and the proof test):

[Figure 46 states and transitions: OK --DU failure--> Dangerous; Dangerous --proof test--> Fault; Fault --repair--> OK; maintenance.]

Figure 46 Classical DU failure model

One can see that this failure model has a big deficiency: the system is always restored to a perfect ("as new") condition after a well performed proof test, simply because there is no other state in the model. In order to understand why the classical failure model is too simple, we shall consider the types of failures. There are two main types of hardware failures:

Sudden failure

Degraded failure

The sudden failure is typically a random hardware failure that may happen at any time. The sudden failure does not have "memory"; hence the rate of sudden failure is typically constant over a period of time.

A typical degraded failure is a failure which comes from corrosion, erosion, deposition, high temperature and other effects of the process and environment. These effects accumulate slowly with time; hence the degraded failure has "memory". It means that the rate of degraded failure changes over time.

The IEC 61508 standard always calculates with a constant failure rate; therefore it cannot take into account the dangerous failures from degradation. This is acceptable for E/ES/PES systems, where degraded failure is not important, but not acceptable for mechanical systems (especially valves), where failures from degradation are a very important factor. The degradation failures of the mechanical parts of a valve cannot be neglected: e.g. deposition on the seat, corrosion or erosion of moving parts are typical problems of safety valves that may lead to dangerous failure. It means that there is a need for a model that takes into account the degraded failures and not only the sudden failures.

6.4.1 Degraded failure model concept

The most important difference between degradation failure and sudden failure is that the sudden failure resembles a binary variable while the degradation failure resembles a continuous variable. The sudden failure will either happen or not happen in a given time period. If it happens, the system will be in the dangerous state; if it does not happen, the system will be in the good state. There are no other possibilities. Degradation has a very different nature. Degradation is usually a slow process; the system changes slowly but it can perform its function for a long time.

The corrosion of a valve is a good example of degradation. At first the corrosion does not cause a problem; the valve can close and open without any problem. However, as the corrosion progresses, sooner or later the valve will not be able to close properly, i.e. it will not be able to perform its safety function according to the safety specification.

Even if the system can perform its function after some degradation, it does not mean that the system is in perfect condition, because a degraded system can fail more easily than an "as new" system. It means that to describe the degradation we must introduce a new state which models the degradation of the system.

Hence the main concept is to incorporate a new intermediate state into the failure model that represents the degradation. Figure 47 shows the suggested model concept (focusing on the DU failures), which we call the "degraded failure model".

[Figure 47 states: As new, Intermediate, Dangerous, Fault; transition labels: degradation, sudden failure, sudden failure / degraded failure, maintenance, proof test, repair.]

Figure 47 New DU failure model ("degraded failure model")

In this model there are three possible states of a component:

“As new” state: the system is in perfect state.

Intermediate state: the system is not perfect (not “as new”) due to the degradation but it can perform its safety function.

Dangerous state: the system cannot perform its safety function.

Please note that the intermediate degraded state is defined such that the system can perform its safety function when it is in this state. It means that a proof test cannot distinguish between the perfect ("as new") state and the intermediate degraded state. The proof test will result in "OK" in both cases, because the system can perform its function. However, as mentioned, the degraded state is not the same as the "as new" state, because a degraded valve can fail more easily than an "as new" valve.

Theoretically it is possible to define more complex models, e.g. with several intermediate states representing different stages of degradation, but in this thesis I will not use more complex models, because this model is complex enough to examine the effects of degradation failure on the proof testing strategy.

6.4.2 Markov model of the new development

Figure 48 shows the Markov model of the degraded failure model:

[Figure 48 states: As new, Intermediate, Dangerous, Fault; transition rates λDU1, λDU2, λDU3 and μM, μPT, μR, as defined below.]

Figure 48 Markov model of the "degraded failure model"

The model has three failure-type state transition rates:

λDU1: DU failure rate from the "as new" state to the "fault" state,

λDU2: DU failure rate from the "as new" state to the "intermediate" state,

λDU3: DU failure rate from the "intermediate" state to the "fault" state.

The model also has three repair-type state transition rates:

μM: rate of maintenance,

μPT: rate of proof test,

μR: rate of repair.

The above rates can be calculated as

$$\mu_M = 1/T_M, \qquad \mu_{PT} = 1/T_{PT}, \qquad \mu_R = 1/MTTR$$

where $T_M$ is the periodic interval of maintenance, $T_{PT}$ is the periodic interval of the proof test and MTTR is the mean time to repair.

The following equation gives the transition matrix of the Markov model. The elements of the matrix are the transition probabilities over a time step dt, derived from the different transition rates. The states represented in the 1st, 2nd, 3rd and 4th rows / columns are respectively "As new", "Intermediate", "Dangerous" and "Fault". The transition matrix is:

$$P = \begin{bmatrix} 1-(\lambda_{DU1}+\lambda_{DU2})\,dt & \lambda_{DU2}\,dt & \lambda_{DU1}\,dt & 0 \\ \mu_M\,dt & 1-(\mu_M+\lambda_{DU3})\,dt & \lambda_{DU3}\,dt & 0 \\ 0 & 0 & 1-\mu_{PT}\,dt & \mu_{PT}\,dt \\ \mu_R\,dt & 0 & 0 & 1-\mu_R\,dt \end{bmatrix} \qquad \text{(Equation 22)}$$

6.5 Simulation results of the new model

To investigate the effect of degradation we chose three cases:

In the first case (Figure 49) there is no degradation failure, only sudden failure (i.e. λDU1 = 2.5·10^-6 1/h, λDU2 = λDU3 = 0 1/h).

[Figure 49 plots: x1 (upper panel, 0.8 to 1) and x2, x3, x4 (lower panel, 0 to 0.2) versus time [y], 0 to 10 years.]

Figure 49 No degradation failure

In the second case (Figure 50) there are both sudden failure and degradation failure, assuming that the rates of sudden and degradation failure are the same (i.e. λDU1 = 1.25·10^-6 1/h, λDU2 = 1.25·10^-6 1/h, λDU3 = 1.25·10^-6 1/h).

[Figure 50 plots: x1 (upper panel, 0.75 to 1) and x2, x3, x4 (lower panel, 0 to 0.2) versus time [y], 0 to 10 years.]

Figure 50 Sudden failure

The third case is shown in Figure 51, where there is no sudden failure but only degraded failure (i.e. λDU1 = 1.25·10^-6 1/h, λDU2 = 1.25·10^-6 1/h, λDU3 = 1.25·10^-6 1/h).

[Figure 51 plots: x1 (upper panel, 0.7 to 1) and x2, x3, x4 (lower panel, 0 to 0.25) versus time [y], 0 to 10 years.]

Figure 51 Degradation failure
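The Markov model of section 6.4.2 and the simulation cases above, worked as an added Python example (my code, not the dissertation's own simulation). It steps the transition matrix of Equation 22 hour by hour from the "as new" state over a 10-year mission and takes PFD(t) = P(Dangerous) + P(Fault), since the safety function is unavailable in both states. The failure rates of the first two cases are those given in the text; the third set here is a constructed "degradation only" case (λDU1 = 0), because the text lists the same rates for its third case as for the second. The maintenance interval T_M and the MTTR are assumed values, as is the reading of Figures 47 and 48 that λDU1 and λDU3 lead to the undetected "Dangerous" state and the proof test moves it to "Fault". Note that Equation 22 models the proof test as a rate μPT = 1/T_PT rather than as a periodic event, so the PFDavg it yields for the sudden-only case is larger than the periodic-test value of Equation 19 for the same λDU.

```python
HOURS_PER_YEAR = 8760.0  # assumption: the dissertation does not state its conversion

# State indices in the order of Equation 22: As new, Intermediate, Dangerous, Fault
AS_NEW, INTERMEDIATE, DANGEROUS, FAULT = 0, 1, 2, 3


def transition_matrix(lam1, lam2, lam3, mu_m, mu_pt, mu_r, dt=1.0):
    """Equation 22 as a row-stochastic matrix: P[i][j] = P(state j at t+dt | state i at t).
    Assumed reading of Figures 47/48: lam1 (As new) and lam3 (Intermediate) lead to the
    undetected Dangerous state; the proof test (mu_pt) moves Dangerous to the detected
    Fault state; repair (mu_r) returns Fault to As new; maintenance (mu_m) returns a
    degraded but working Intermediate component to As new."""
    p = [
        [1 - (lam1 + lam2) * dt, lam2 * dt,              lam1 * dt,      0.0],
        [mu_m * dt,              1 - (mu_m + lam3) * dt, lam3 * dt,      0.0],
        [0.0,                    0.0,                    1 - mu_pt * dt, mu_pt * dt],
        [mu_r * dt,              0.0,                    0.0,            1 - mu_r * dt],
    ]
    for row in p:
        assert min(row) >= 0.0, "dt too large for the given rates"
    return p


def simulate(lam1, lam2, lam3, t_m_hours, t_pt_hours, mttr_hours, mission_years=10.0, dt=1.0):
    """Step the discrete-time Markov chain from x = (1, 0, 0, 0) over the mission.
    Returns (final state vector, PFDavg over the mission, yearly snapshots of x).
    PFD(t) = P(Dangerous) + P(Fault): in both states there is no protection on demand."""
    p = transition_matrix(lam1, lam2, lam3, 1.0 / t_m_hours, 1.0 / t_pt_hours,
                          1.0 / mttr_hours, dt)
    x = [1.0, 0.0, 0.0, 0.0]
    steps = int(mission_years * HOURS_PER_YEAR / dt)
    steps_per_year = int(HOURS_PER_YEAR / dt)
    pfd_sum = 0.0
    snapshots = []
    for k in range(steps):
        if k % steps_per_year == 0:
            snapshots.append(list(x))
        pfd_sum += x[DANGEROUS] + x[FAULT]
        x = [sum(x[i] * p[i][j] for i in range(4)) for j in range(4)]
    return x, pfd_sum / steps, snapshots


# The text gives no numbers for the maintenance interval or MTTR; these are assumptions.
T_M = 5.0 * HOURS_PER_YEAR   # maintenance interval (assumed)
T_PT = 1.0 * HOURS_PER_YEAR  # proof test interval, as in the simulations of Chapter 6.5
MTTR = 8.0                   # mean time to repair in hours (assumed)

CASES = {
    # Chapter 6.5, case 1: sudden failure only
    "sudden only": (2.5e-6, 0.0, 0.0),
    # Chapter 6.5, case 2: sudden and degradation failure with equal rates
    "sudden + degraded": (1.25e-6, 1.25e-6, 1.25e-6),
    # constructed (not from the text): degradation only, no direct sudden failure
    "degraded only": (0.0, 2.5e-6, 2.5e-6),
}


def run_cases(cases=CASES):
    """Return {case name: (final state vector, PFDavg, yearly snapshots)}."""
    return {name: simulate(l1, l2, l3, T_M, T_PT, MTTR) for name, (l1, l2, l3) in cases.items()}


if __name__ == "__main__":
    for name, (x, pfd_avg, _) in run_cases().items():
        print(f"{name:18s} x1..x4 at 10 y = {[round(v, 4) for v in x]}  PFDavg = {pfd_avg:.3e}")
```

The run reproduces the qualitative picture of Figures 49 to 51: the "as new" probability x1 decays while x2 (Intermediate) builds up when λDU2 is non-zero, and the degradation-only case reaches the Dangerous state far more slowly than the sudden-only case because two transitions (and the competing maintenance return) stand between "as new" and "dangerous". Changing T_M shows directly how much the maintenance interval, which the standard's two-state model cannot express at all, matters once degradation is part of the model.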

6.6 Summary and conclusion

The problematic interpretation of the proof test led me to develop a new failure model for the dangerous undetected type of failures, which solves this problem and helps us to understand better the features of undetected dangerous failures.

Our first conclusion was that the proof test is inherently problematic by definition.

Our second conclusion was that the simple model offered by the standard will not solve, but rather generate, problems by introducing the proof test coverage factor without any interpretation or examples.

Our third conclusion was that I had to focus on the features of λDU type failures and find a good model which resolves this conflict of definition and solves the problems above.

Unfortunately the degradation part of λDU will vary case by case, and the only possibility of handling this problem is gathering as much information about the valves as possible, for example by using partial stroke test solutions and diagnostics.


7 Thesis

1 Introduction and aim of the work

The international reactions to the industrial disasters that happened in the twentieth century (Bhopal, SEVESO etc.), discovering that a profit oriented process industry is unable to limit itself, made the governments, both in Europe and in the United States, think about actions to control the toxic and explosive activities of these industrial processes. As a result, in Europe the SEVESO I Directive was published first, then later the SEVESO II Directive. The SEVESO Directives contain regulations and limits on the amount of toxic and explosive materials stored, in order to protect the civil sphere, to prove their protection at a tolerable level and even to decrease the consequences if accidents happen.

Following the SEVESO Directives, IEC 61508 (between 1998 and 2000), which is valid for all industrial segments except the nuclear industry, was published. In this so-called umbrella standard the overall life cycle model, the SIL value (Safety Integrity Level) and how to manage functional safety, which are also referred to in the SEVESO Directives, were defined.

The next step was the publication of the process industry specific IEC 61511 standard (published in 2003 - 2004), which applies to the safe operation of the oil and gas, petrochemical and chemical industries, in either continuous or batch technology.

In European law, compliance with Directives is mandatory, while the standards are only proposals. That is why the interpretation of the standards as proposals includes the possibility of misinterpretation, often neglecting the fact that many times the Directives refer to the standards as "good engineering practice".

The SEVESO II Directive demands the operation of a functional safety management system within the given company, without giving any further information about how to make and operate it. The methodology is discussed in the process safety standards (IEC 61508 and IEC 61511), making them mandatory from this point of view.

The clear message of the cited standards is that functional safety shall be maintained over the whole life cycle. That means that the risk reduction ability of the safety instrumented system can never be lower than the target risk reduction factor.

Analysing the problems of the recent practice of hazard and risk analysis, like risk matrices and risk graphs, the lack of company target risk matrices and the influence of subjective (human) evaluation of the hazards, I stated that this practice could not satisfy the requirements of plant management and owners:

in 1/3 of the cases the Safety Instrumented System was over engineered, causing extra costs for the factories;

in 1/3 of the cases the Safety Instrumented System was under engineered, causing poor protection against the consequences of the hazards and resulting in extra losses for the factories;

in only 1/3 of the cases the Safety Instrumented System was engineered correctly.

Taking into consideration the publication date of these standards, the time since they have been effective is too short for the arising questions to have been answered.

The practical questions can be sorted in the following way:

1. Interpretation of the statements and descriptions of these standards is sometimes too flexible.

2. Questions regarding the effective calculation of the operational risks of the technology.

3. Questions regarding the quantitative calculation of the operational risks of the technology.

4. Questions regarding the design of the safety instrumented systems.

5. Questions regarding the operation and maintenance of the safety instrumented systems.

The deficiencies of the standards may arise from the iterative method of preparing the standards and the many compromises made during this process. These imperfections of the standards would also explain why nobody can say: "if you do this and this, accidents will never happen". These compromises can also be explained by the different safety cultures of the different countries and the lobbying activity of the multinational companies. It is not a goal of this dissertation to deal with this aspect of the standards.

Taking into consideration the problems and questions above, I chose the research and development of points 2 - 5 as the topic of the dissertation, expecting that new principles and methods give the possibility of avoiding both over engineering and under engineering.

Studying point 4, overviewing the most important questions, based on my experience I proposed, as a result, a design method which was tested in everyday practice and provides clear guidelines in SIS design for those who think in a similar way.

The goal of the dissertation is the research of the questions found in points 3 - 5 and the development of new methods and solutions which allow solving these problems.

These results of my research constitute the basis of my theses.

2 NEW SCIENTIFIC RESULTS

1. I developed a new method, and software based on this method, which improves the recent practice of the HAZOP study method and makes the work more efficient with less expenditure in both time and manpower.

A very often asked question when investigating the operational risks of technologies and their consequences is the time and manpower spent on this work.

The most widely used approach for the determination of the operational risk of a technology is the HAZOP study method. During the HAZOP study meeting the HAZOP team looks for all the risks of the technology, the frequency of these risks and all of the consequences for people, environment and business. This is multidisciplinary and time consuming team work with rather big costs.

Analysing the methods described in the literature, I stated that the adaptation of the suggested ones into everyday practice is possible only with great difficulty and without completeness. These methods were limited to the automation of the parameter/keyword combinations suggested in the HAZOP standard.

I developed a methodology and a supporting new software tool which gives the possibility of preparing a knowledge based HAZOP study, improving the efficiency of HAZOP study meetings.

The result of this research is the Tool4S (Tool for Safety) software, which gives both the HAZOP maker and the user the possibility of building up a continuously growing experience and knowledge based library.

This solution also gives the possibility of exchanging knowledge and experience based on information regarding the safe operation of the plants, improving the safety culture and reducing the operational risk of the plants within a company.

The developed method is presented on the example of a fired furnace in the oil industry, illustrating its advantage, i.e. the reduction of the time and manpower cost of preparing a HAZOP study to one quarter.

In practice the developed method was used in a supervision project of 40 fired furnaces in the oil industry, proving the preliminary expectations of its effectiveness.

2. I developed a new, so called cumulative LOPA method and its software implementation for the quantitative evaluation of the operational risk of technologies, insisting on a tight interpretation of the referred standards.

At the HAZOP meeting, the causes of the operational risks of the technology, the frequency of their occurrence, the consequences and their severities for people, environment and business are determined.

The standards offer both qualitative and quantitative methods for the evaluation of these consequences. Using a quantitative method the result will be less subjective and more precise. I stated that the requested results, taking into consideration the criteria of everyday practice, can only be achieved by using the LOPA (Layer of Protection Analysis) methodology.

Analysing the everyday practice of the LOPA method, I pointed out that the commercial software does not satisfy the fully comprehensive requirements of the standards.

I developed a method, called cumulative LOPA, which satisfies the fully comprehensive requirements of the standards.

The new cumulative LOPA method was implemented in the Tool4S software and was tested in practice.


The successful test in everyday practice showed that this method has significant advantages, i.e. it gives the possibility of finding non instrumented (cheaper) protection layers, as well as their application and calculation in the LOPA.

The other advantage of the method is that the Tool4S software calculates not only the SIL values of the safety instrumented functions but their risk reduction abilities too. Therefore the accuracy of the SIL calculation is improved from one order of magnitude to a concrete figure, which depends only on the accuracy of the PFD (Probability of Failure on Demand) values of the components. Besides the improved accuracy, the consistency of the calculations increased. This is a very important feature of this method.

The algorithm built into the Tool4S software decreases the calculation time of SIL and risk reduction values by one order of magnitude.

The cumulative LOPA method with the support of Tool4S was tested in everyday practice and proved its effectiveness and correctness by fast and accurate calculation.

3. I developed a failure model, improving the failure model of the standards, for the maintenance of safety instrumented systems, which describes the realistic behaviour of the actuators in safety instrumented loops, taking into consideration the influence and interaction of the technology.

The referred standards give guidance for the maintenance and periodic proof test of safety instrumented systems. These guidelines do not deal with the content of the test action. They only say that if the "proof test is successful, then the component can be considered as new".

After recognising that this is a very simplified definition, the "proof test coverage factor", showing the efficiency of the proof test, i.e. what percentage of the dangerous undetected failures was discovered by the proof test, was introduced in everyday practice. This practical solution is a compromise which does not give a definition of what overall safety (100%) means.

The cause of this problem is the simplified failure model described in the standard.

I developed a failure model which gives a better approach to and understanding of the behaviour of the actuators in safety instrumented loops, taking into consideration the influence and interaction of the given technology.

Studying the failure model I recognised that the process of the proof test is not complete without maintenance, whereas the standard does not provide any correlation between the proof test and maintenance.

This model helps to understand what the proof test, the coverage factor and maintenance are, and what kind of relationship exists between them.

3 RESULTS IN PRACTICE


The results presented in the dissertation were introduced into our everyday practice and were tested while preparing HAZOP studies and LOPA calculations.

The Tool4S software developed for solving the discussed problems was used in some 100 risk analyses and proved the efficiency of this way of risk analysis.

The Tool4S software also made it possible to evaluate the consequences of the hazards quantitatively, matching the requirements of the standards, which made the calculation more accurate and the work more effective.

4 FURTHER RESEARCH POSSIBILITIES

The results presented in the dissertation also brought up some new research topics.

One of these is the extension of the HAZOP template method to other process units, such as distillation towers, turbines, packages etc.

Another possibility is the further development of the Markov failure model of the actuators of the safety instrumented loops, giving the possibility of a better understanding of the interaction between the technology and the actuators and, on this basis, providing better and more efficient maintenance design.
