Training Functional Safety 04 - Risk Assessment Rev0
Transcript of Training Functional Safety 04 - Risk Assessment Rev0
FUNCTIONAL SAFETY TRAINING
04 – RISK ASSESSMENT
Dr. Ing. Carlo Lebrun – Functional Safety Training
FUNDAMENTAL PART OF IEC 61508 SAFETY LIFECYCLE
1 – CONCEPT
2 – SCOPE DEFINITION
3 – HAZARD & RISK ANALYSIS
4 – SAFETY REQUIREMENTS
5 – SAFETY REQUIREMENTS ALLOCATION
TO REALIZATION PHASE
RISK
• RISK: exposure to the possibility of damage
  = frequency of event x impact of event
  e.g. = times/year x loss of money
  e.g. = times/year x area of contamination
  e.g. = times/year x people killed
RISK MATRIX EXAMPLE

Damage \ Frequency               Remote   Rare   Unlikely   Possible   Likely
Catastrophe (many deaths)           5       6        6          6         6
Major Damage (some deaths)          4       4        5          5         5
Local Damage (injury, 1 death)      2       4        4          5         5
Minor Damage (minor injury)         1       1        2          3         3
Harmless (no death)                 0       0        0          0         0
RISK ASSESSMENT
= Hazard identification
+ consequences estimation
+ frequency assessment
ALARP ZONE (carrot diagram)
As Low As Reasonably Practicable
LIMITS ARE SENSITIVE TO:
• Laws & regulations
• Social acceptance
• Standards
• Company practice
• Economic damage
• …
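The three slides above (risk = frequency x impact, the risk matrix, and the ALARP zones) fit together as one procedure. The following Python program is an added example, not part of the training material: it scores a list of identified hazards on the slide's 5x5 matrix, computes the quantitative expected loss per year alongside, and places each hazard in an ALARP zone. The frequency band limits (events/year), the zone thresholds on the 0–6 score scale, and the sample hazards are constructed assumptions; the matrix cells are copied from the slide.

```python
"""Risk assessment in the deck's terms: hazard identification, consequence
estimation and frequency assessment, scored on the slide's 5x5 risk matrix
and sorted into ALARP zones.  Added example, not part of the training
material; frequency band limits, zone thresholds and the sample hazards
are constructed assumptions."""
from dataclasses import dataclass

# Frequency classes from the matrix, least to most frequent.
FREQUENCY_BANDS = ["Remote", "Rare", "Unlikely", "Possible", "Likely"]
# Upper limit of each band in events/year (constructed; the slide gives none).
FREQUENCY_UPPER = [1e-4, 1e-3, 1e-2, 1e-1, float("inf")]

# Risk score per damage class and frequency band, copied from the slide.
RISK_MATRIX = {
    "Catastrophe":  [5, 6, 6, 6, 6],   # many deaths
    "Major Damage": [4, 4, 5, 5, 5],   # some deaths
    "Local Damage": [2, 4, 4, 5, 5],   # injury, 1 death
    "Minor Damage": [1, 1, 2, 3, 3],   # minor injury
    "Harmless":     [0, 0, 0, 0, 0],   # no death
}

# Where the intolerable and broadly-acceptable limits of the ALARP "carrot"
# fall on this score scale is a company/regulatory choice: constructed here.
INTOLERABLE_FROM = 5
ACCEPTABLE_UP_TO = 1


@dataclass
class Hazard:
    name: str
    frequency_per_year: float   # result of the frequency assessment
    damage: str                 # result of the consequence estimation (matrix row)
    loss_per_event: float       # monetary impact, for the quantitative view


def frequency_band(events_per_year):
    """Map a numeric frequency onto the matrix's qualitative bands."""
    if events_per_year < 0:
        raise ValueError("frequency must be non-negative")
    for band, upper in zip(FREQUENCY_BANDS, FREQUENCY_UPPER):
        if events_per_year <= upper:
            return band
    return FREQUENCY_BANDS[-1]  # not reached: last upper bound is infinity


def matrix_score(damage, band):
    """Qualitative risk = matrix cell (damage row, frequency column)."""
    return RISK_MATRIX[damage][FREQUENCY_BANDS.index(band)]


def alarp_zone(score):
    """Place a matrix score in one of the three zones of the carrot diagram."""
    if score >= INTOLERABLE_FROM:
        return "INTOLERABLE"
    if score <= ACCEPTABLE_UP_TO:
        return "BROADLY ACCEPTABLE"
    return "ALARP"


def expected_loss(hazard):
    """Quantitative risk = frequency of event x impact (times/year x loss of money)."""
    return hazard.frequency_per_year * hazard.loss_per_event


def assess(hazards):
    """Score every identified hazard and return the rows worst-first."""
    rows = []
    for h in hazards:
        band = frequency_band(h.frequency_per_year)
        score = matrix_score(h.damage, band)
        rows.append({
            "name": h.name,
            "band": band,
            "score": score,
            "zone": alarp_zone(score),
            "expected_loss": expected_loss(h),
        })
    # Matrix score first; the quantitative figure breaks ties between equal cells.
    rows.sort(key=lambda r: (-r["score"], -r["expected_loss"]))
    return rows


# Constructed hazards for a compressor-station inlet, in the deck's categories.
SAMPLE_HAZARDS = [
    Hazard("Gas release at inlet header", 2e-3, "Major Damage", 5_000_000.0),
    Hazard("Exchanger tube leak", 5e-2, "Local Damage", 300_000.0),
    Hazard("Spurious station trip", 0.5, "Minor Damage", 10_000.0),
    Hazard("Instrument air pressure drop", 5e-5, "Harmless", 1_000.0),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_HAZARDS):
        print(f'{r["name"]:<30} {r["band"]:<9} score={r["score"]} '
              f'{r["zone"]:<19} expected loss={r["expected_loss"]:.0f}/year')
```

The two views disagree on purpose: the gas release and the tube leak land in the same matrix cell (score 5), while the quantitative expected loss ranks them differently. That is the point of running both, as the slide's units (times/year x loss) suggest.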
EXAMPLE OF TOLERABLE RISKS TABLE
[two example tables shown on the slides; not reproduced in the transcript]
SEVERAL POSSIBLE SOURCES OF RISK
Technical
Organizational
Human Factors
Natural Phenomena
…
RISK ANALYSIS METHODOLOGIES – TECHNICAL SOURCES OF RISK
QUALITATIVE:
• Checklist
• Preliminary Hazard Analysis (PHA)
• What-If
• Failure Modes & Effects Analysis (FMEA)
• Hazard & Operability Study (HAZOP)
QUANTITATIVE:
• Fault Tree Analysis (FTA)
• Event Tree Analysis (ETA)
SOURCES OF RISK CAN BE
KNOWN: risk assessment should evaluate impact and probability (e.g. checklist)
UNKNOWN: risk assessment should also identify the hazards (e.g. HAZOP)
RISK ASSESSMENT GENERAL PROCEDURE
SYSTEM DESCRIPTION
→ SCENARIO IDENTIFICATION
→ HAZARD IDENTIFICATION
→ FREQUENCY and CONSEQUENCES (assessed in parallel)
→ RISK DEFINITION
→ ANALYSIS OF PROTECTIONS
→ REQUIREMENTS
A SUMMARY OF POSSIBLE METHODOLOGIES
PHA: PRELIMINARY HAZARD ANALYSIS
TARGETS: Risk identification in the earlier stages of design. Additional protections are normally cheaper in the earlier stages of design.
APPLICATION: During design. Mostly in the earlier stages of design.
METHODOLOGY: Multidisciplinary. Based on previous knowledge of similar systems/processes. It reviews consequences and probability of pre-identified hazards. Additional protections or operating changes may be proposed for inclusion in the design.
ADVANTAGES: Simple and cheap.
DISADVANTAGES: Qualitative. Depends on previous experience, as hazards must be known in advance.

PRELIMINARY HAZARD ANALYSIS FORM
ID | HAZARD | CAUSE | EFFECT | PROBABILITY | CORRECTIVE or PREVENTIVE ACTION
WHAT-IF ANALYSIS
TARGETS: Systematic analysis of individual equipment to identify risk sources. Classification of the risk sources.
APPLICATION: Applicable to any phase of design, construction and operation.
METHODOLOGY: Collection of multidisciplinary documentation about process, substances, etc., answering questions like: "what happens in case of …?" Applicable to operating errors, failures, external events, etc.
ADVANTAGES: Simple and cheap.
DISADVANTAGES: Qualitative. Cases/events must be identified in advance (based on experience).

WHAT-IF ANALYSIS FORM
ID | WHAT-IF? | CONSEQUENCE | PROBABILITY | SEVERITY | CORRECTIVE or PREVENTIVE ACTION | RECOMMENDATION
THE LIST OF WHAT-IF CASES SHOULD BE PRE-EXISTENT
Example of environmental what-if cases: Avalanche, Flooding, Freezing temperatures – snow – ice, Lightning, Earthquake, Seismic activity, Storm
CHECKLISTS
TARGETS: Screening of known risks, to detect their probability.
APPLICATION: Applicable to any phase of design, construction and operation.
METHODOLOGY: A list of simple, very specific checks requiring Yes/No answers (or very basic information filling). A reminder to ensure homogeneous analysis by every user.
ADVANTAGES: Simple and cheap.
DISADVANTAGES: Hazards and detection methods must be identified in advance. Not a substitute for deeper methodologies.

PROCESS DESIGN EXAMPLE CHECKLIST
ID | CHECK | YES | NO | To be defined
1 | Special personnel required?
2 | Unstable materials exposure to the atmosphere?
3 | Detection of explosive conditions?
4 | Provisions for protection from explosions?
5 | Hazardous reactions possible due to mistakes or contamination?
6 | Provisions for rapid vent/drain of discharge fluids in an emergency?
7 | Failure of equipment possible cause of hazards?
8 | Hazards possible caused by gradual or sudden blockages in piping?
9 | Hazards possible caused by gradual or sudden blockages in equipment?
10 | Facilities for the disposal of toxic materials?
…
FMEA: FAILURE MODES & EFFECTS ANALYSIS
TARGETS: Systematic search and review of each possible component failure, and of its effects on the involved system.
APPLICATION: Applicable to any phase of design, construction and operation.
METHODOLOGY: Identify the potential failure of each component and its effects; assess the failures to determine actions that would eliminate the chance of occurrence; document the potential failures.
ADVANTAGES: Capacity of detecting possible scenarios. Good documentation for easy communication.
DISADVANTAGES: Focused on individual components. Executed by a few specialists, the hazard identification may be subjective.

FMEA FLOW CHART
IDENTIFY ALL COMPONENTS
→ LIST THE FUNCTIONS OF EACH COMPONENT
→ LIST ALL POTENTIAL FAILURE MODES
→ DESCRIBE THE EFFECTS OF EACH FAILURE
→ DEFINE IF/HOW IT IS DETECTED BY SYSTEM DIAGNOSTIC (FOR FMEDA)
→ DESCRIBE THE SEVERITY OF THESE EFFECTS
→ DETERMINE THE PROBABILITY OF EACH FAILURE
→ SEVERITY x PROBABILITY = RISK
→ DEFINE THE PROTECTION
FMEA FORM AND EXAMPLE
ID | ITEM | FUNCTION | CAUSES / FAILURE MODES | OPERATIONAL MODE | DIRECT EFFECT | FINAL EFFECT | PROBABILITY | SEVERITY | CORRECTIVE or PREVENTIVE ACTION
1 | LIGHT BULB | TO PROVIDE LIGHT | BURNED | | NO LIGHT | NO LIGHT
2 | LIGHT BULB | TO PROVIDE LIGHT | DISCONNECTED | | NO LIGHT / INTERMITTENT LIGHT | NO LIGHT
3 | SWITCH | TURN POWER ON/OFF | LOCKED OFF | | NO LIGHT | NO LIGHT
4 | SWITCH | TURN POWER ON/OFF | LOCKED ON | | LIGHT ON, EVEN IF NOT REQUIRED | NO LIGHT, AFTER BATTERY POWER IS FINISHED
5 | BATTERY | PROVIDE POWER TO THE LIGHT BULB | LOW POWER | | INSUFFICIENT LIGHT | NO LIGHT, AFTER BATTERY POWER IS FINISHED
  | BATTERY | PROVIDE POWER TO THE LIGHT BULB | NO POWER | | NO LIGHT | NO LIGHT
(Operational mode, probability, severity and action columns are left blank in the slide example.)
A MAJOR USE OF FMEA
FMEDA (Failure Modes, Effects and Diagnostic Analysis) is a variant of FMEA providing information on the diagnostic capabilities of the system.
IEC 61508 considers the possible use of FMEDA for the definition of failures and their classification, split into safe detectable, safe undetectable, unsafe detectable, unsafe undetectable.
IEC 61508 considers the possible use of FMEDA for "SIL" certification of manufactured products.
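The FMEDA step adds two judgements to each FMEA row (does the failure defeat the function, and does the system diagnostic see it) and then sums failure rates into the four classes the slide names. The following Python program is an added example, not part of the training material: it takes the flashlight items and modes from the FMEA slide above, attaches constructed failure rates and safe/dangerous/detected flags, and derives the four class totals. It goes one step beyond the slide by also computing the safe failure fraction and diagnostic coverage, which IEC 61508 derives from exactly these four totals; the deck itself does not define those ratios.

```python
"""FMEDA on top of the deck's flashlight FMEA: each failure mode gets a failure
rate and two extra judgements (does it defeat the safety function? does the
system diagnostic detect it?), and the rates are summed into the four classes
the deck names (safe/unsafe x detectable/undetectable).  Added example, not
part of the training material; the items and modes follow the slide's FMEA
table, the rates and the safe/dangerous/detected flags are constructed."""
from dataclasses import dataclass

FIT = 1e-9  # one FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str
    rate_fit: float   # constructed failure rate in FIT
    dangerous: bool   # True if the final effect is loss of the function (no light)
    detected: bool    # True if a system diagnostic reveals the failure


# Constructed data set. The function is "provide light when required";
# "light on even if not required" leaves the function available, so it is
# counted as a safe failure (battery exhaustion has its own rows below).
FLASHLIGHT = [
    FailureMode("light bulb", "burned",       200.0, True,  True),   # lamp-current monitor
    FailureMode("light bulb", "disconnected",  50.0, True,  False),  # intermittent, not monitored
    FailureMode("switch",     "locked off",    30.0, True,  False),
    FailureMode("switch",     "locked on",     30.0, False, False),
    FailureMode("battery",    "low power",    400.0, False, True),   # voltage monitor
    FailureMode("battery",    "no power",     100.0, True,  True),   # voltage monitor
]


def classify(modes):
    """Sum failure rates into SD, SU, DD, DU (safe/dangerous x detected/undetected)."""
    totals = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    for m in modes:
        key = ("D" if m.dangerous else "S") + ("D" if m.detected else "U")
        totals[key] += m.rate_fit
    return totals


def safe_failure_fraction(totals):
    """SFF = (lambda_SD + lambda_SU + lambda_DD) / lambda_total, as defined in
    IEC 61508 (not on the slide)."""
    total = sum(totals.values())
    return (totals["SD"] + totals["SU"] + totals["DD"]) / total if total else 0.0


def diagnostic_coverage(totals):
    """DC = lambda_DD / (lambda_DD + lambda_DU): share of dangerous failures
    the diagnostics catch."""
    dangerous = totals["DD"] + totals["DU"]
    return totals["DD"] / dangerous if dangerous else 1.0


def fmeda_report(modes):
    totals = classify(modes)
    return {
        **totals,
        "SFF": safe_failure_fraction(totals),
        "DC": diagnostic_coverage(totals),
        # the dangerous undetected rate is the input to the probability-of-failure
        # calculation of a safety function; the other three classes do not reduce it
        "lambda_DU_per_hour": totals["DU"] * FIT,
    }


if __name__ == "__main__":
    report = fmeda_report(FLASHLIGHT)
    for k in ("SD", "SU", "DD", "DU"):
        print(f"{k}: {report[k]:.0f} FIT")
    print(f"SFF = {report['SFF']:.3f}   DC = {report['DC']:.3f}   "
          f"lambda_DU = {report['lambda_DU_per_hour']:.2e} /h")
```

The two "undetected" columns are what the ordinary FMEA cannot show: the switch stuck off and the disconnected bulb are dangerous failures no monitor reports, and that residual rate is what remains after the diagnostics have done their work.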
HAZOP: HAZARD & OPERABILITY ANALYSIS
TARGETS: Analysis of all deviations of operating parameters, and of their effects. Analysis of the required protections.
APPLICATION: Applicable to any phase of design, construction and operation.
METHODOLOGY: Multidisciplinary. Subdivision in smaller systems (nodes). Systematic review of all possible and impossible deviations, using a standard series of keywords (more flow, less flow, more pressure, etc.).
ADVANTAGES: Reliable and complete. Very readable documentation.
DISADVANTAGES: Many people involved. Time and money requirements.
TYPICAL USE OF RISK ANALYSIS METHODS
Phase                      | Checklist | PHA | What-If | HAZOP | FMEA
Basic Design               | Yes Yes Yes
Detail Engineering         | Yes Yes Yes Yes
Construction               | Yes Yes
Start-up                   | Yes Yes
Normal Operation           | Yes Yes Yes Yes
Modifications & Revamping  | Yes | Yes | Yes | Yes | Yes
Accident analysis          | Yes Yes Yes
Decommissioning            | Yes Yes
(The Yes marks are listed as extracted; which method column each belongs to is not recoverable from the transcript, except for Modifications & Revamping, which marks all five.)
WHY TO DO A HAZOP ANALYSIS?
Most other methods are based on a predefined list of factors/risks/issues to be screened: they need previous experience.
Without previous experience … you do not have alternatives.
HAZOP: A TEAM
• All specialists together with a common objective
• Everybody gives a knowledge contribution / everybody respects the others
• The leader ("Chairman") helps observe the rules and keeps the discussion productive
• Everybody learns
• Disagreements are discussed until solved, or minuted for further separate evaluation
• Voting is allowed as an extreme resource
HAZOP: REQUIRED DOCUMENTATION
• Piping and Instrumentation Diagrams (P&IDs)
• Material balances
• Sizing Process Calculations
• Process Data Sheets
• Instrument Data Sheets
• Cause & Effects
• Layouts/Plot Plans & Hazardous Area Classification
• Process descriptions
• … and a parameters / keywords combination
HAZOP: PARAMETERS
• FLOW
• LEVEL
• PRESSURE
• TEMPERATURE
• COMPOSITION
• CONTAMINATION
• SERVICE SUPPLY / POWER SUPPLY
• … ?

HAZOP: KEYWORDS
• NONE
• REVERSE
• MORE
• LESS
• CHANGE
• … ?
HAZOP: KEYWORDS-PARAMETERS TABLE
Parameter              | NONE                 | REVERSE      | MORE                     | LESS                   | CHANGE                   | …
FLOW                   | Blockage             | Reverse flow | High flow                | Low flow               | Incorrect flow direction |
LEVEL                  | No level             | -            | High level               | Low level              | -                        |
PRESSURE               | Vacuum               | -            | High pressure            | Low pressure           | -                        |
TEMPERATURE            | -                    | -            | High temperature         | Low temperature        | -                        |
COMPOSITION            | -                    | Wrong phase  | Excess of some component | Loss of some component | Wrong composition        |
CONTAMINATION          | -                    | Leakage      | Too much contaminant     | -                      | -                        |
SERVICE / POWER SUPPLY | Loss of power supply | -            | -                        | Low power supply       | -                        |
…
HAZOP FORM: NODE DOCUMENTATION
STUDY TITLE: ALI BABA GAS COMPRESSOR STATION
P&ID No.: 12345678 ABCD, Rev 3, Sheet 1, Date:
TEAM COMPOSITION: See attachment
PART CONSIDERED: Inlet from Battery limit, up to isolation valve SDV001, design flowrate 200 Nm3/h (common header to three trains)
DESIGN INTENT: Scope: inlet at 19 degrees (cooled by silica gel process) shall be warmed to about 35 degrees (at station discharge line). Material: Natural Gas (17.1 MW). Source: Battery Limit. Destination: Compressor K1234.
HAZOP FORM: DEVIATIONS ANALYSIS
ID | DEVIATION | CAUSES | CONSEQUENCES | SAFEGUARD | RECOMMENDATION | ACTION BY
1-1 | NO FLOW | Station ShutDown | Station Shutdown, with system under pressure | Design Pressure is the same as Upstream Unit | |
1-2 | NO FLOW | No Flow from Battery Limit | No effect for this node | | |
1-3 | NO FLOW | Closure of SDV101 | As Station Shutdown | | |
1-4 | NO FLOW | Exchanger Blockage | Not Credible | | |
1-5 | NO FLOW | Accidental Closure Manual Isolation Valve | Sudden reduction of pressure in exchanger shell and piping. Valve closure takes about 10'. | Compressor Suction Trip (PT118A), antisurge system (PT109A), trip prealarm | |
1-6 | REVERSE FLOW | Low pressure upstream | No effect for this node | | |
1-7 | MORE FLOW | More flow from upstream | Not Credible. Note: Pipeline is 66 km long (24") | | |
1-8 | MORE FLOW | Safety valve bypass open | Loss of inventory | Spectacle blind, and locked close valve | |
1-9 | LESS FLOW | | Not reviewed. Same as NO FLOW case. | | |
1-10 | MORE LEVEL | | Not applicable | | |
1-11 | LESS LEVEL | | Not applicable | | |
1-12 | MORE PRESSURE | | Not reviewed. Same as NO FLOW. | | |
1-13 | MORE PRESSURE | Fire | Pressure Increase. Piping and equipment rupture. | PSV are designed for fire case. Fire&Gas system, causing automatic shutdown. | SIL analysis |
1-14 | MORE PRESSURE | One compressor trip with other running. | Pressure increase, within the design pressure limit. | Design Pressure. | |
1-15 | LESS PRESSURE | Upstream low pressure. | None for this node. The decrease of pressure will be gradual because of the pipeline length. | Pressure indicators at compressor suction. | |
1-16 | LESS PRESSURE | Compressor suction giving low pressure. | None for this node. | Compressor control & protection. | |
HAZOP: METHODOLOGY
• Discuss all deviations from normal operation
• Document the possible causes of those deviations
• Estimate the consequences of those deviations WITHOUT ANY PROTECTION!
• Document operator capability to detect the change and manipulate it
• List provided safeguards
• Eventually recommend additional safeguards
• Follow up the implementation of the additional recommendations
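The keywords-parameters table, the node 1 worksheet and the methodology bullets above describe one loop: generate every meaningful keyword x parameter deviation for the node, then make sure each one has been discussed, with causes, consequences and safeguards recorded. The following Python program is an added example, not part of the training material: it builds the deviation list from the table as transcribed on the slide and reviews a worksheet for three things a chairman checks before closing a node: deviations never raised, cases deferred to another case ("Not reviewed"), and credible consequences recorded with neither a safeguard nor a recommendation. The worksheet rows are the slide's node 1 rows; the set of parameters taken as relevant to that node is a constructed assumption (temperature is included because the design intent is to warm the gas).

```python
"""HAZOP node review support, in the deck's terms: build the list of deviations
a node must cover from the parameters x keywords table, then check a filled-in
deviation worksheet for gaps, deferred cases and credible consequences left
without a safeguard or recommendation.  Added example, not part of the training
material; the worksheet rows are transcribed from the slide's node 1, while the
set of parameters taken as relevant to that node is a constructed assumption."""

KEYWORDS = ["NONE", "REVERSE", "MORE", "LESS", "CHANGE"]

# Parameter -> keyword -> meaning, from the deck's keywords-parameters table;
# combinations the table leaves blank are omitted.
DEVIATION_TABLE = {
    "FLOW": {"NONE": "Blockage", "REVERSE": "Reverse flow", "MORE": "High flow",
             "LESS": "Low flow", "CHANGE": "Incorrect flow direction"},
    "LEVEL": {"NONE": "No level", "MORE": "High level", "LESS": "Low level"},
    "PRESSURE": {"NONE": "Vacuum", "MORE": "High pressure", "LESS": "Low pressure"},
    "TEMPERATURE": {"MORE": "High temperature", "LESS": "Low temperature"},
    "COMPOSITION": {"REVERSE": "Wrong phase", "MORE": "Excess of some component",
                    "LESS": "Loss of some component", "CHANGE": "Wrong composition"},
    "CONTAMINATION": {"REVERSE": "Leakage", "MORE": "Too much contaminant"},
    "SERVICE / POWER SUPPLY": {"NONE": "Loss of power supply", "LESS": "Low power supply"},
}


def deviation_label(keyword, parameter):
    """Worksheet wording: the NONE keyword reads 'NO FLOW', the others 'MORE FLOW' etc."""
    return ("NO" if keyword == "NONE" else keyword) + " " + parameter


def required_deviations(parameters):
    """Every meaningful keyword x parameter combination for the node, in table order."""
    return [deviation_label(k, p) for p in parameters for k in KEYWORDS
            if k in DEVIATION_TABLE[p]]


def row(dev_id, deviation, causes, consequences, safeguard="", recommendation=""):
    return {"id": dev_id, "deviation": deviation, "causes": causes,
            "consequences": consequences, "safeguard": safeguard,
            "recommendation": recommendation}


# Node 1 worksheet as on the slide (compressor station inlet).
NODE1 = [
    row("1-1", "NO FLOW", "Station ShutDown", "Station Shutdown, with system under pressure",
        "Design Pressure is the same as Upstream Unit"),
    row("1-2", "NO FLOW", "No Flow from Battery Limit", "No effect for this node"),
    row("1-3", "NO FLOW", "Closure of SDV101", "As Station Shutdown"),
    row("1-4", "NO FLOW", "Exchanger Blockage", "Not Credible"),
    row("1-5", "NO FLOW", "Accidental Closure Manual Isolation Valve",
        "Sudden reduction of pressure in exchanger shell and piping. Valve closure takes about 10'.",
        "Compressor Suction Trip (PT118A), antisurge system (PT109A), trip prealarm"),
    row("1-6", "REVERSE FLOW", "Low pressure upstream", "No effect for this node"),
    row("1-7", "MORE FLOW", "More flow from upstream", 'Not Credible. Note: Pipeline is 66 km long (24")'),
    row("1-8", "MORE FLOW", "Safety valve bypass open", "Loss of inventory",
        "Spectacle blind, and locked close valve"),
    row("1-9", "LESS FLOW", "", "Not reviewed. Same as NO FLOW case."),
    row("1-10", "MORE LEVEL", "", "Not applicable"),
    row("1-11", "LESS LEVEL", "", "Not applicable"),
    row("1-12", "MORE PRESSURE", "", "Not reviewed. Same as NO FLOW."),
    row("1-13", "MORE PRESSURE", "Fire", "Pressure Increase. Piping and equipment rupture.",
        "PSV are designed for fire case. Fire&Gas system, causing automatic shutdown.", "SIL analysis"),
    row("1-14", "MORE PRESSURE", "One compressor trip with other running.",
        "Pressure increase, within the design pressure limit.", "Design Pressure."),
    row("1-15", "LESS PRESSURE", "Upstream low pressure.",
        "None for this node. The decrease of pressure will be gradual because of the pipeline length.",
        "Pressure indicators at compressor suction."),
    row("1-16", "LESS PRESSURE", "Compressor suction giving low pressure.", "None for this node.",
        "Compressor control & protection."),
]

# Parameters assumed relevant to node 1 (constructed; temperature is included
# because the design intent is to warm the gas from 19 to about 35 degrees).
NODE1_PARAMETERS = ["FLOW", "LEVEL", "PRESSURE", "TEMPERATURE"]

# Consequence wordings that close a deviation without needing a safeguard.
DISMISSED = ("not credible", "no effect", "not applicable", "none for this node", "not reviewed")


def review_worksheet(parameters, rows):
    """Completeness check of a node worksheet against the keyword x parameter list."""
    covered = {r["deviation"] for r in rows}
    gaps = [d for d in required_deviations(parameters) if d not in covered]
    deferred = [r["id"] for r in rows if r["consequences"].lower().startswith("not reviewed")]
    unprotected = [r["id"] for r in rows
                   if not r["consequences"].lower().startswith(DISMISSED)
                   and not r["safeguard"] and not r["recommendation"]]
    return {"gaps": gaps, "deferred": deferred, "unprotected": unprotected}


if __name__ == "__main__":
    result = review_worksheet(NODE1_PARAMETERS, NODE1)
    print("deviations never raised:", result["gaps"])
    print("deferred to another case:", result["deferred"])
    print("credible consequence, no safeguard/recommendation:", result["unprotected"])
```

Run against the slide's own worksheet, the check reports CHANGE FLOW, NO LEVEL, NO PRESSURE and both temperature deviations as never raised, 1-9 and 1-12 as deferred, and 1-3 as a consequence ("As Station Shutdown") that only cross-references 1-1 and carries no safeguard of its own. Whether each is a real omission or a deliberate team decision is exactly what the follow-up bullet of the methodology is about; the program only makes the list explicit.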
WHAT'S NEXT?
LOPA: LAYERS OF PROTECTION ANALYSIS
- Used after the HAZOP
- Evaluates existing protections, and identifies the need for new ones
- Gives a classification of protections proportioned to risks
http://www.ecisgroup.it/
END OF PRESENTATION