1 of 129
2011-04-04
Scope
Process Safety focuses on preventing fires, explosions and accidental chemical releases in chemical processes and other facilities dealing with hazardous materials.
The Yara Process Safety Handbook (PSHb) provides Yara requirements and background reading related to process safety.
As a Yara document the PSHb is:
- A guideline for general methods for safety and risk studies
- A reference for TOPS with regard to PS methods
- A presentation of a set of Yara Green Rules which can be used in contractor projects:
  1. The Yara risk acceptance criteria
  2. The Yara method for SIL analysis
  3. The Yara failure data for safety functions and operator failures
- Limited by TOPS / statutory documents, which can overrule results from the methods presented herein
The contents are mainly descriptions of:
  o Reliability analysis
  o Consequence analysis
  o Qualitative and quantitative risk analyses and safety studies
and besides:
  o Definitions of PS-related concepts used in TOPS
  o References to PS concepts in Yara TOPS 0-P04, OHSAS 18001 and safety assessments in a life-cycle perspective
Another purpose of the PSHb is internal training.
INTERNAL
PROCESS SAFETY HANDBOOK
Contents
1 Reference publications  4
1.1 External references to standards and guidelines  4
1.2 References to external specialist works  4
1.3 Yara reference documents  4
1.4 Process Safety categorised as 12 Elements (PSE)  4
2 Structure of Process Safety  5
2.1 Structure of OHSAS 18001  5
2.2 OHSAS 18001 related to Yara PSE (Process Safety Elements)  5
2.3 Yara documents related to OHSAS 18001  6
3 Definitions  9
4 Risk, risk analyses and safety studies  17
4.1 Risk identification and risk ranking  17
4.2 Risk acceptance criteria  17
4.2.1 Acceptance in connection with risk ranking  17
4.3 On-site risk acceptance (Yara Green Rule)  19
4.4 Off-site risk acceptance (Yara Green Rule)  19
5 Hazards and consequences related to production activities  21
5.1 Hazard identification by Check Lists  23
5.1.1 Simple Check-List  23
5.1.2 Comprehensive checklist  24
5.2 Hazard and Operability Studies (HAZOP)  27
5.2.1 HAZOP study work process  29
5.2.2 Operating procedures  32
5.2.3 Computer-controlled processes  32
5.2.4 Documentation needed for a HAZOP study  33
5.2.5 Recording of the HAZOP work  33
5.3 Criticality ranking for maintenance purposes  36
5.3.1 Purpose of criticality analysis and risk assessment  36
5.3.2 The risk assessment process  38
5.3.3 Establishing local acceptance criteria  39
5.3.4 Carrying out the criticality analysis ranking  40
5.3.5 Criticality analysis team and necessary documents  42
6 Probability analysis  44
6.1 Reliability of equipment and systems  44
6.2 Reliability of safety functions  48
6.2.1 Dangerous failures in safety functions  48
6.2.2 Reliability of safety functions, safe failures  49
6.3 Human Reliability  50
6.4 System analysis and modelling  51
7 Consequence analysis  56
7.1 Release  56
7.2 Gas dispersion  58
7.3 Evaporation  60
7.4 Ignition  61
7.5 Fire  63
7.6 Explosion  68
7.7 Exposure of toxic gases  74
8 SIL analyses  76
8.1 Safety integrity (Yara Green Rule)  76
8.2 Determination of SIL (Yara Green Rule)  77
8.3 Total risk reduction for a specific event  83
8.4 Examples of SIL analyses  84
8.4.1 Ammonia oxidizing unit  84
8.4.2, 8.4.3, 8.4.4, 8.4.5
9.1, 9.2, 9.3
10.1, 10.2, 10.3, 10.4
11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7, 11.8, 11.9, 11.10
14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7
1 Reference publications
1.1 External references to standards and guidelines
1.2 References to external specialist works
1.3 Yara reference documents
1.4 Process Safety categorised as 12 Elements (PSE)
2 Structure of Process Safety
2.1 Structure of OHSAS 18001
The clause structure of OHSAS 18001 is:
Clause  Content
1  Scope
2  Reference publications
3  Definitions
4  OH&S management system elements
4.1  General requirements
4.2  OH&S policy
4.3  Planning
4.3.1  Planning for hazard identification, risk assessment and risk control
4.3.2  Legal and other requirements
4.3.3  Objectives
4.3.4  OH&S management programme(s)
4.4  Implementation and operation
4.4.1  Structure and responsibility
4.4.2  Training, awareness and competence
4.4.3  Consultation and communication
4.4.4  Documentation
4.4.5  Document and data control
4.4.6  Operational control
4.4.7  Emergency preparedness and response
4.5  Checking and corrective action
4.5.1  Performance, measurement and monitoring
4.5.2  Accidents, incidents, non-conformance and corrective and preventive action
4.5.3  Records and records management
4.5.4  Audit
4.6  Management review
2.2 OHSAS 18001 related to Yara PSE (Process Safety Elements)
[Table: the OHSAS 18001 clauses listed under 2.1 with the related Yara Process Safety Element (PSE no.) for each. The PSE column reads, in the order extracted: PSE 1, PSE 2, PSE 8, PSE 3, PSE 4, PSE 5, PSE 11, PSE 6, PSE 10, Operating Procedures, Safe Work Practices, Pre-start-up safety reviews, Safety Barriers, Emergency planning, PSE 7, PSE 12, PSE 9, PSE 12. The clause-to-PSE row alignment of the original layout is not preserved in this copy.]
2.3 Yara documents related to OHSAS 18001
[Table: OHSAS 18001 clauses 1 to 4.6 with the related Yara documents. Recoverable entries: TOPS 0 (four entries among clauses 1 to 4.3.1); TOPS 0-P-08 and 0-P-11; TOPS 1-01 to 1-17, 2-01, 2-04, 2-05, 3-01 to 3-07, 4-01, 4-02 and 5-01 to 5-04; and TOPS 0-P-04. The clause-to-document row alignment is not preserved in this copy.]
The relation between Process Safety Elements, OHSAS 18001 clauses and Yara documents is also shown in the table below. Clauses related to process safety are in italic in the original. It is indicated where no relevant Yara document is identified.
Table 4. The relation between OHSAS 18001 clauses related to process safety and Yara documents
OHSAS 18001 clause  Yara document no
4.3.1  TOPS 0-P-04, TOPS 0-P-10
4.3.2  (none identified)
4.3.3  (none identified)
4.3.4  (none identified)
4.4.1  (none identified)
4.4.2  TOPS 1-01
4.4.3  (none identified)
4.4.4  (none identified)
4.4.5  (none identified)
4.4.6  TOPS 0-P-05, TOPS 1-01, TOPS 1-02, TOPS 1-03, TOPS 1-04 (the list continues beyond this page)
3 Definitions
The definitions presented below are intended to cover the terms used in Yara HES documents and handbooks.
Acceptance criteria for risk
Criteria that are used to express a risk level that is acceptable for the activity in
question. Acceptance criteria may be expressed verbally or numerically.
ALARP
Principle of reducing risk to a level that is As Low As Reasonably Practicable.
Accident
An unintended incident which results in injury to persons and/or damage to property, the environment or a third party, or which leads to production loss.
Availability
The proportion of time that an item is capable of operating to specification within a
large time interval
Barrier
A device, system or action that is capable of preventing a scenario from proceeding to the undesired consequence. Preventive measures aim at preventing a LOC; in terms of risk such a measure is considered to reduce the probability of the LOC. Mitigating measures aim at minimising the consequences; in terms of risk a mitigating measure is considered to reduce the effect.
Business Unit
In this procedure the term is used to cover all units reporting to Upstream,
Downstream and Industrial management.
CAS number
The identification number of a substance in the Chemical Abstracts Service registry.
Cause (failure cause, for components)
The physical or chemical processes, design defects, quality defects, partial
misapplication or other processes which are the basic reason for failure or which
initiate the physical process by which deterioration proceeds to failure.
Chemical agents
Any chemical element or compound used or produced in the process including raw
materials, intermediates, trade products, maintenance and auxiliary chemicals and
waste
CMR chemicals
Carcinogenic and mutagenic chemical agents and chemicals that are toxic to reproduction.
Common cause failure
Failure, which is the result of one or more events, causing failures of two or more
separate channels in a multiple channel system, leading to a system failure.
Consequence
The result of the realisation of a hazard: material damage, environmental pollution, injuries, fatalities or financial loss. Consequences may be expressed verbally or numerically to define the extent of injury to humans, or of environmental or material damage.
Contractors
Persons working for contractors who are under contract to execute work for the unit, but who are not part of the unit's work force.
Control room (CR):
For the purpose of this standard, a "control room" is an area from where an operator
can monitor and control a process that requires a safe shut- down and/or can
execute the emergency response actions necessary to prevent accident escalation.
The "control room" may be a central control room (CCR) for a complete facility or
a local control room (LCR) for a local unit.
Corrective maintenance
Maintenance carried out to restore operational effectiveness after a failure
Critical equipment
Equipment rated as critical in a criticality ranking
Criticality ranking (for maintenance purposes)
Analysis of events and faults and the ranking of these in order of the seriousness of
their consequences.
Customer
Customers of Yara are distributors of fertilizers and industrial and professional users
of Yara products.
Cut set
A set of components such that, if they all fail, the system is also in the failed state. A minimal cut set is one from which no component can be removed without losing this property.
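Worked example (added to this copy of the handbook; not Yara code): the definitions of Cut set and Top event meet in fault-tree evaluation, where the top event is decomposed through AND/OR gates down to basic events and the minimal cut sets are the combinations of basic-event failures that cause it. The small overfill tree, the basic-event names and the per-demand failure probabilities below are constructed for illustration, and the top-event probability uses the usual rare-event (upper-bound) sum over minimal cut sets.

```python
"""Minimal cut sets and top-event probability of a small fault tree.

Added example, not code from the Yara handbook. The tree, the basic-event
names and the probabilities are constructed for illustration.
"""
from itertools import product


def cut_sets(node):
    """Return all cut sets of a node as frozensets of basic-event names.

    A node is a basic event (str) or a gate tuple ("AND" | "OR", [children]).
    """
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any failed child fails the gate: the union of the children's cut sets.
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":
        # Every child must fail: one cut set from each child, merged.
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate type {gate!r}")


def minimal_cut_sets(node):
    """Keep only the cut sets that contain no other cut set (the minimal ones)."""
    sets = set(cut_sets(node))
    minimal = [cs for cs in sets if not any(other < cs for other in sets)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def top_event_probability(mcs, probabilities):
    """Rare-event approximation: sum over the minimal cut sets of the product
    of the basic-event probabilities. An upper bound, close to exact when the
    probabilities are small."""
    total = 0.0
    for cs in mcs:
        term = 1.0
        for event in cs:
            term *= probabilities[event]
        total += term
    return total


# Constructed top event: vessel overfills. That needs the level control loop
# to fail AND the independent high-level trip to fail. The trip has two
# redundant level switches and one shutoff valve; a common-cause failure of
# the switch pair is its own basic event so redundancy is not credited for it.
OVERFILL_TREE = ("AND", [
    ("OR", ["LT_control", "LV_control"]),
    ("OR", [
        ("AND", ["LSH_A", "LSH_B"]),
        "CCF_level_switches",
        "XV_shutoff",
    ]),
])

# Constructed per-demand failure probabilities (illustrative values only).
EVENT_PROBABILITY = {
    "LT_control": 0.05, "LV_control": 0.05,
    "LSH_A": 0.02, "LSH_B": 0.02,
    "CCF_level_switches": 0.002, "XV_shutoff": 0.01,
}

if __name__ == "__main__":
    mcs = minimal_cut_sets(OVERFILL_TREE)
    for cs in mcs:
        print(f"order {len(cs)}: {sorted(cs)}")
    print(f"P(top event) ~ {top_event_probability(mcs, EVENT_PROBABILITY):.2e}")
```

The common-cause failure appears in a cut set of order 2 next to the shutoff valve, while the two switches failing independently only appear in order-3 cut sets; in the summed probability the order-2 sets dominate, which is the numerical form of the Common cause failure and Diversity definitions in this list.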
Dangerous failure
Failure which has the potential to put the safety system in a hazardous or fail-to-function state.
Demand
A condition which requires a protective system to operate.
Design accidental event:
Accidental events that serve as the basis for layout, dimensioning and use of
installations and the activity at large, in order to meet the defined risk acceptance
criteria or according to defined deterministic scenarios
Deterministic process safety study
A study in which a set of accidental events or scenarios representing the safety picture is defined, a maximum credible event is defined, and effective safety barriers are required to prevent the credible effects of the scenarios.
Diagnostic coverage
Ratio of detected failure rate to the total failure rate of the component or system as
detected by diagnostic tests. Diagnostic coverage does not include any faults
detected by proof test.
Diversity
Means that various types of equipment, technologies and functions are used to
reduce the probability of common mode failure.
Down time
The time during which an item is not able to perform to specification
Effect
The effects of an incident scenario are e.g. blast, dispersion of toxic materials, heat
radiation etc.
Employees
Permanent employees of the unit and personnel on ordinary employment contracts
Exposure
Hired personnel
Personnel from other units or companies that are under contract to work full or part
time in position for the Yara unit, and are considered to be part of the work force
Important equipment
Equipment rated as important in a criticality ranking
Incident
A sudden work-related accident or near miss, or a security breach, sustained in service. An injury or near-miss injury 'in service' means that the incident occurs:
- on company property or on property under Yara operational management
- within agreed working hours
- on an approved business trip
- on an approved training course, meeting, work assignment, entertaining business associates, etc.
- at a social event arranged by the employer.
Individual risk criteria
Criteria related to the likelihood with which an individual may be expected to sustain
a given level of harm from the realisation of specified hazards
Inherent safety principle
Limit the hazard by minimizing the amount of hazardous material or processes, substituting less dangerous material, moderating the process conditions and simplifying the equipment and process, where possible.
Leakage
The term leakage as used in risk analyses covers rupture, major leakage and minor leakage.
For piping / pipelines, rupture means full bore rupture, major leakage means a leak area of 1/10 of a full bore rupture, and minor leakage means a leak area of 1/100 of a full bore rupture.
For large pipes and pipelines, the major leak is usually limited to a 50 mm hole. Minor leakage then means 1/10 of the major leakage area.
For tanks and vessels, the failure mode rupture means a failure resulting in the sudden release of the entire contents, while the failure mode major leakage means a circular hole of 50 mm diameter. Minor leakage means 1/10 of the major leakage area.
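Worked example (added here; not part of the handbook): the leak classes above expressed as equivalent hole diameters, including the 50 mm cap on the major leak for large pipes, which is the case that is easy to get wrong when the classes are applied by hand. The function names and sample bores are my own; the rules are those of the Leakage definition.

```python
"""Equivalent hole sizes for the handbook's leak classes.

Added example, not Yara code. Function names and the sample bores are my own;
the rules (1/10 and 1/100 of full-bore area, 50 mm cap for large pipes, 50 mm
major hole for vessels) are those in the Leakage definition above.
"""
import math

MAJOR_LEAK_CAP_MM = 50.0  # major leak on large pipes is limited to a 50 mm hole


def area_mm2(diameter_mm):
    return math.pi * (diameter_mm / 2.0) ** 2


def diameter_mm(area):
    return 2.0 * math.sqrt(area / math.pi)


def pipe_leak_sizes(bore_mm):
    """Equivalent hole diameters (mm) for rupture, major and minor leaks.

    Major = 1/10 of the full-bore area, capped at a 50 mm hole; minor = 1/10
    of the major leak area, i.e. 1/100 of full bore when the cap is not active.
    """
    full = area_mm2(bore_mm)
    major = min(full / 10.0, area_mm2(MAJOR_LEAK_CAP_MM))
    minor = major / 10.0
    return {
        "rupture": bore_mm,
        "major": diameter_mm(major),
        "minor": diameter_mm(minor),
        "capped": major < full / 10.0,
    }


def vessel_leak_sizes():
    """Tanks and vessels: rupture releases the entire contents (no hole size),
    major leak is a 50 mm hole, minor leak is 1/10 of that area."""
    major = area_mm2(MAJOR_LEAK_CAP_MM)
    return {"rupture": None, "major": MAJOR_LEAK_CAP_MM,
            "minor": diameter_mm(major / 10.0)}


def cap_threshold_bore_mm():
    """Smallest bore for which the 50 mm cap takes effect: 1/10 of its area
    equals the area of a 50 mm hole, so bore = 50 * sqrt(10) (about 158 mm)."""
    return diameter_mm(10.0 * area_mm2(MAJOR_LEAK_CAP_MM))


if __name__ == "__main__":
    for bore in (50.0, 100.0, 300.0):
        s = pipe_leak_sizes(bore)
        print(f"DN{bore:.0f}: major {s['major']:.1f} mm, minor {s['minor']:.1f} mm"
              f"{' (capped)' if s['capped'] else ''}")
    print(f"cap threshold bore: {cap_threshold_bore_mm():.1f} mm")
```

Because the classes are defined by area ratio, the diameters scale by sqrt(10) per class: a 100 mm bore gives a 31.6 mm major and 10 mm minor hole, while anything above about 158 mm bore gets the fixed 50 mm major hole and a 15.8 mm minor hole.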
LOPA (Layer of protection analysis)
Layer of protection analysis (LOPA) is a semi-quantitative tool for analysing and assessing risk. LOPA is a simplified form of risk assessment, as typically only "order of magnitude" categories for initiating event frequencies, consequence severity and the probability of failure of independent protection layers (IPLs) are taken into account. Using this information, the risk of a scenario is assessed. The method thus falls between qualitative methods like HAZOP, What-If or FMEA and a quantitative method like QRA.
Loss of containment (LOC)
Loss of containment is the top event in a scenario that one aims to prevent from occurring. Examples of LOC are spills of material, heat radiation and melting of (electrical) insulation.
Lost-time injury (LTI)
Injury at work leading to unfitness for work and absence beyond the day of the
incident
Maintainability
The probability that a failed item will be restored to operational effectiveness within
a period of time when the repair action is performed in accordance with prescribed
procedures.
Materials Compliance Solution
A software database tool consisting of two parts: "Intelligence Authoring" which is a
database and authoring tool for safety data sheets and tremcards, and "Document
Manager" which is a distribution and publishing tool for safety data sheets and
tremcards
Medical treatment case (MTC)
Injury at work (other than LTI and RWC) requiring treatment by a doctor, or nurse in
consultation with a doctor, before the injured person resumes normal work.
Near miss
An unintended incident, which under different circumstances could have become an
accident.
OEL
Occupational exposure limit: maximum allowable concentration of a chemical agent
in the working atmosphere, according to national or EU legislation
Operating instruction:
Document describing the various steps in a particular operation, identifying relevant
requirements and specifying required procedures and corrective action to ensure
controlled operation.
Operating routine
Activity or a succession of activities established to achieve a specific operational
result.
Preventive maintenance
The actions, other than corrective maintenance, carried out for the purpose of
keeping an item in a specified condition.
Probability of failure on demand (PFD)
The average probability that a safety function fails to perform when a demand occurs. It equals the safety unavailability, SU = 1 - SI, i.e. the complement of the safety integrity (see Safety integrity and Safety unavailability).
Process risk
Risk related to potential for fire, explosion and/or accidental discharges or acute
exposure to harmful substances (toxic, burning, caustic etc.)
Process safety
Encompasses technical safety, operational safety and personnel safety
Product Stewardship
Management of a product throughout all stages of its lifecycle (development
materials procurement, manufacturing, distribution and use) in a safe way with
respect to health, environment, occupational and public safety, and security.
Protection layer (Independent protection layer, IPL)
See barrier
Proof test
Test performed to reveal undetected faults in a safety system so that, if necessary, the
system can be restored to its designed functionality
Redundancy
The provision of more than one means of achieving a function. Active redundancy means that all items are in operation prior to failure; standby redundancy means that the replicated items do not operate until needed.
Reflected pressure
The pressure on a structure that is perpendicular to the shock wave.
Reliability
The probability that an item will perform a required function, under the stated
conditions, for a stated period of time. Since observed reliability is empirical it is
defined as the ratio of items which perform their function for the stated period to the
total number in the sample.
Reliability centred maintenance
The application of quantified reliability techniques to optimising discard times, proof-test intervals and spares levels.
Residual risk
The risk remaining after protective measures have been implemented. It is the residual risk that is estimated in a risk analysis.
Restricted work case (RWC)
Injury at work that does not lead to absence after the day of the incident, because of
alternative job assignment.
Risk
The probability of specific adverse consequences. Risk can thus be considered as a
function of probability and consequences and describes the chance of realisation of a
hazard.
Risk analysis:
A systematic approach for describing and/or calculating risk. Risk analysis involves
the identification of potential undesired events, and the causes and consequences of
these events.
Risk assessment
The process of choosing risk analysis technique(s), performing the risk analysis and evaluating the result against the risk acceptance criteria, drawing conclusions on the need for risk reduction (see Risk analysis and Risk evaluation).
Risk contour
Lines that connect points of equal risk around the facility (iso- risk lines)
Risk evaluation
The process of comparing the results of a risk analysis with risk acceptance criteria
and drawing conclusions on the need for risk reduction.
Risk management
A decision making process where decisions for risk reduction are based on risk
analysis and risk evaluation.
Risk matrix
Matrix for risk acceptance. On the horizontal axis are probabilities of occurrence of
accidents; on the vertical axis are consequences.
Safe failure
Failure which does not have the potential to put the safety system in a hazardous or
fail-to- function state
Safety critical failure
Failure of equipment which is part of a safety system, where the failure disables the safety function so that it cannot be carried out when needed.
Safety data sheet
A document consisting of HES information following a prescribed national or
international format as determined by specific legislation governing the labelling,
handling and use of chemical substances and chemical based products.
Safety function
Function to be implemented by a safety system, which is intended to achieve or
maintain a safe state for the process, with respect to a specific hazard.
Safety integrity
Average probability of a safety related system satisfactorily performing the required
safety functions under all the stated conditions within a stated period of time
Safety life cycle
Necessary activities involved in the implementation of safety functions occurring
during a period of time that starts at the concept phase of a project and finishes when
all of the safety functions no longer are available for use
Safety management
Systematic measures undertaken by an organisation in order to attain and maintain a
level of safety that complies with defined objectives.
Safety unavailability (SU)
SU=1- SI (Safety Integrity)
Security breach
Incidents which are illegal acts that intentionally or accidentally harm Yara's personnel, property, operations, transport or other interests.
Shut down
Unexpected stop of equipment. Shut downs are either spurious or real
Sick leave
All absence that is authorized by a doctor's certificate or by legitimate self-declaration. Sick leave does not include carer's leave or maternity leave. Sick leave is recorded in the unit in which the hours worked are recorded.
Side- on pressure
The pressure that would be recorded on the side of a structure parallel to the blast
SIL (Safety Integrity Level, according to the standards IEC 61508 / IEC 61511)
Discrete level of safety integrity. IEC 61508 defines four levels (SIL 1 lowest, SIL 4 highest); three are normally in use in the process industry, SIL 1 to SIL 3.
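Worked example (added here; not the Yara SIL method, which is in section 8 of the handbook): how the definitions Dangerous failure, Diagnostic coverage, Proof test, Safety integrity, Safety unavailability and SIL combine numerically for a single-channel (1oo1) safety function in low-demand mode. The expression PFDavg ~ lambda_DU * T / 2 is the simplified IEC 61508-6 approximation, the SIL bands are the IEC 61508 low-demand bands, and the failure rates and intervals are constructed values.

```python
"""PFD, safety integrity and SIL band for a 1oo1 safety function in
low-demand mode.

Added example, not the Yara SIL method (that is in section 8 of the
handbook). PFDavg ~ lambda_DU * T / 2 is the simplified IEC 61508-6
expression for a single channel; the SIL bands are the IEC 61508 low-demand
bands. Input values are constructed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    lambda_d: float               # dangerous failure rate, per hour
    diagnostic_coverage: float    # fraction of dangerous failures seen by diagnostics
    proof_test_interval_years: float
    mean_repair_hours: float = 8.0  # restoration time for a diagnosed failure

    @property
    def lambda_du(self):
        """Dangerous undetected rate: only the proof test reveals these."""
        return self.lambda_d * (1.0 - self.diagnostic_coverage)

    @property
    def lambda_dd(self):
        """Dangerous detected rate: diagnostics reveal these, repair follows."""
        return self.lambda_d * self.diagnostic_coverage

    def pfd_avg(self):
        """Average PFD = safety unavailability SU.

        An undetected dangerous failure stays hidden for half a proof-test
        interval on average; a detected one for the mean repair time.
        """
        t_hours = self.proof_test_interval_years * HOURS_PER_YEAR
        return self.lambda_du * t_hours / 2.0 + self.lambda_dd * self.mean_repair_hours

    def safety_integrity(self):
        return 1.0 - self.pfd_avg()  # SI = 1 - SU


def sil_band(pfd):
    """IEC 61508 low-demand bands; 0 means the function does not reach SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4  # 1e-5 <= PFD < 1e-4 is SIL 4; below 1e-5 is outside the standard


def max_proof_test_interval_years(sf, target_pfd):
    """Longest proof-test interval that keeps PFDavg at or below target_pfd
    (pfd_avg solved for T; the detected-failure term does not depend on T)."""
    budget = target_pfd - sf.lambda_dd * sf.mean_repair_hours
    if budget <= 0 or sf.lambda_du == 0:
        raise ValueError("target not reachable by proof testing alone")
    return 2.0 * budget / sf.lambda_du / HOURS_PER_YEAR


# Constructed example: a high-level trip with lambda_D = 2e-6 /h (about one
# dangerous failure per 57 years), 60 % diagnostic coverage, yearly proof test,
# and the same trip with 90 % diagnostic coverage.
LEVEL_TRIP = SafetyFunction("LSHH trip, 60 % DC", 2e-6, 0.6, 1.0)
LEVEL_TRIP_BETTER_DIAG = SafetyFunction("LSHH trip, 90 % DC", 2e-6, 0.9, 1.0)

if __name__ == "__main__":
    for sf in (LEVEL_TRIP, LEVEL_TRIP_BETTER_DIAG):
        pfd = sf.pfd_avg()
        print(f"{sf.name}: PFDavg={pfd:.2e} SI={sf.safety_integrity():.5f} SIL {sil_band(pfd)}")
    print(f"proof-test interval for PFD 1e-3 at 60 % DC: "
          f"{max_proof_test_interval_years(LEVEL_TRIP, 1e-3):.2f} years")
```

With the same hardware, raising diagnostic coverage from 60 % to 90 % moves the function from SIL 2 to SIL 3, and shortening the proof-test interval to about 0.28 years does the same at 60 % coverage; the SIL band is a property of the whole loop including its testing regime, not of the sensor alone.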
Site
Production plant, terminal, warehouse, office.
SJA
Safe job analysis
Societal risk
The relationship between frequency and the number of people suffering from a
specified level of harm in a given population from the realisation of specified
hazards.
Societal risk criteria
Criteria related to the likelihood of a number of people suffering from a specified
level of harm in a given population from the realisation of specified hazards.
Substandard practice and substandard condition (unsafe act and unsafe condition)
A substandard practice (also called unsafe act) refers to behaviour deviating from an accepted standard, e.g. not following the procedure when carrying out a work task. A substandard condition (also called unsafe condition) refers to a condition which deviates from an accepted standard, e.g. an inadequate guard on a machine.
Technical safety
Risk reduction by use of technology. By technology is here meant technological
knowledge and technical systems
TNT equivalency model
An explosion model based on the explosion of a thermodynamically equivalent mass
of TNT
Top event
The selected system outcome whose possible causes are analysed in a fault tree
Transport information
The transport of goods and products is regulated according to international and
national legislation and agreements. An assessment has to be made as to whether a
particular product is classifiable as dangerous goods or not. If a product is
classifiable, then specific transport information has to be entered into the appropriate
Yara product SAP database administered by Yara Operational Shared Services
(OSS) before the product can be transported either by road, rail, sea/waterways, or
air. In addition, it is a legal requirement worldwide that appropriate safety documents
are prepared containing safety information about the product to be transported. These
documents must accompany the shipment and must be written in appropriate
language(s) as stipulated in the international transport regulations.
Tremcard
Transport emergency information which is legally required to be issued to a
transporter of dangerous goods on road, and which shall be available with the driver
of the vehicle under Yara's management.
Trip
As Shut Down
Watchdog
Combination of diagnostics and an output device (typically a switch) for monitoring
the correct operation of the programmable electronic device and taking action upon
detection of an incorrect operation
Wind rose
A plan view diagram that shows the percentage of time the wind is blowing in a
particular direction
Worst credible incident
The most severe incident, considering only incident outcomes and their
consequences, of all identified incidents and their outcomes, that is considered
plausible or reasonably believable.
Worst possible incident
The most severe incident, considering only incident outcomes and their
consequences, of all identified incidents and their outcomes.
4 Risk, risk analyses and safety studies
4.1 Risk identification and risk ranking
4.2 Risk acceptance criteria
4.2.1 Acceptance in connection with risk ranking
Risk matrix
Frequency classes (per year):
VERY FREQUENT  > 10 / yr
FREQUENT  > 1 / yr
PROBABLE  > 10^-1 / yr
LOW PROBABILITY  > 10^-2 / yr
UNLIKELY  > 10^-3 / yr
MOST UNLIKELY  < 10^-3 / yr
Consequence levels:
Level  People  Environment  Material values (cost)
CATASTROPHIC  Several fatalities  Damage with recovery time more than 5 years; international public attention  > 10M
CRITICAL  One fatality  Damage with recovery time less than 5 years; evacuation of neighbourhood required; national public attention  < 10M
DANGEROUS  Permanent injury  Damage with recovery time less than 2 years; warning of neighbourhood required; local public attention  < 1M
SOME DANGER  Medical treatment  No durable damage; release causing unpleasant smell outside site area  < 0.1M
MINOR  First aid  Insignificant damage; no external reaction  < 10,000
Material damage descriptions in the matrix: considerable damage to equipment, ruptures etc.; considerable quality or production loss.
[Each frequency/consequence cell of the original matrix is marked HIGH RISK, MEDIUM RISK or LOW RISK; the cell assignment and the currency symbol of the cost column are not preserved in this copy.]
Typical areas where the risk matrix is recommended for use are shown in the table
below.
Table 7 Typical areas where the risk matrix is recommended for use
Use of risk matrix  Description
1 Identification of safety critical parts in production system  Process unit, main equipment; fire, explosion, decomposition, leakage
2 Identification of risk in fertilizer storages  Fires, explosions, toxic gas release
Barrier types listed in the description column: preventive, mitigating, instrument based, safety relief devices, gas detection, fire extinguishing, fire walls / cells, bunds, fire cells, fire detection
4.3 On-site risk acceptance (Yara Green Rule)
Risk ranking form (column headings): Event | Cause | Probability (0-5) | Consequence (1-5) | Description | Comments
4.4 Off-site risk acceptance (Yara Green Rule)
The societal risk describes the frequency F of an accident that causes N or more fatalities (F/N curves). The limit for societal risk is set at F = 10^-3 / N^2 per year as a guideline. For example, this means that the frequency of accidents causing 20 or more fatalities should not exceed 10^-3 / 20^2 = 2.5 x 10^-6 per year.
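Worked example (added here; not Yara code): the guideline applied to a set of accident scenarios. The check has to be made on the cumulative F/N curve, because F(N) is the summed frequency of all scenarios with N or more fatalities; two scenarios that each sit below the line at N = 20 can together exceed it. The scenario list is constructed and the function names are my own.

```python
"""Societal risk check against the Yara F/N guideline F(N) <= 1e-3 / N^2.

Added example, not Yara code. The scenario list is constructed; function
names are my own.
"""

FN_COEFFICIENT = 1e-3  # per year: the guideline line passes through 1e-3 at N = 1


def fn_limit(n):
    """Guideline frequency (per year) of accidents with N or more fatalities."""
    return FN_COEFFICIENT / (n ** 2)


def fn_curve(scenarios):
    """Cumulative F/N curve from a list of (frequency_per_year, fatalities).

    For every fatality count N that occurs in the list, F(N) is the summed
    frequency of all scenarios with N or more fatalities.
    """
    counts = sorted({n for _, n in scenarios if n > 0})
    return {n: sum(f for f, m in scenarios if m >= n) for n in counts}


def fn_violations(scenarios):
    """(N, F(N), limit) for every point where the cumulative curve lies above
    the guideline. The cumulative curve, not each scenario on its own, is what
    the criterion applies to: scenarios that are each below the line can add
    up to a breach at the same N."""
    return [(n, f, fn_limit(n))
            for n, f in fn_curve(scenarios).items() if f > fn_limit(n)]


def required_risk_reduction(scenarios):
    """Factor by which the whole scenario set would have to be reduced to meet
    the guideline at every N (1.0 when already compliant)."""
    ratios = [f / fn_limit(n) for n, f in fn_curve(scenarios).items()]
    return max(ratios + [1.0])


# Constructed scenarios (frequency per year, fatalities). Every one is below
# the line on its own; the events with 20 or more fatalities together are not.
SCENARIOS = [
    (1.0e-4, 1),
    (2.0e-6, 5),
    (1.5e-6, 20),
    (1.2e-6, 25),
    (5.0e-8, 100),
]

if __name__ == "__main__":
    for n, f in fn_curve(SCENARIOS).items():
        print(f"N>={n:4d}: F={f:.2e}/yr  limit={fn_limit(n):.2e}/yr")
    for n, f, limit in fn_violations(SCENARIOS):
        print(f"breach at N={n}: {f:.2e} > {limit:.2e}")
    print(f"required risk reduction factor: {required_risk_reduction(SCENARIOS):.2f}")
```

At N = 20 the curve is 1.5e-6 + 1.2e-6 + 5e-8 = 2.75e-6 per year against the 2.5e-6 limit, so the set breaches the guideline by a factor 1.1 even though no single scenario does; the reduction factor says how far the contributing frequencies (or the fatality counts through mitigation) must come down.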
5 Hazards and consequences related to production activities
[Table: production activities with their characteristic. Ammonia production: based on hydrocarbons; high pressure and temperature. Further rows read "Based on ammonia" and "Stable substance", and NPK production; the remaining activity names and characteristics are not preserved in this copy.]
[Table: hazards per production activity, continued on the next page. Columns: Hazard, Possible consequences (fire, explosion; fire, explosion, toxic release; toxic release; explosion; fire; decomposition and toxic release; fire, decomposition and toxic release), Possible impact (Internal or External, with "high" where marked). The activity names for these rows are not preserved in this copy.]
Hazard  Possible consequences
Urea storage
Urea transport
Power, Control, Utilities, Buildings, Conveyor belts:
Power generation, distribution  Fire, explosion, production shut down
Control systems  Fire, explosion, production shut down
Steam generation  Fire, explosion, production shut down
Buildings, structures  Fire
Conveyor belts  Fire
Others:
CO2 production  Toxic release
CO2 tanks  Toxic release
CO2 transport  Toxic release
Salt of hartshorn
Coating tanks  Fire
Loading stations, formic acid, nitric acid  Toxic release
Possible impact (only acute impact on people; people, material values) for the rows above, in the order extracted: No, No, Internal (high), Internal, Internal, Internal (high), Internal (high), Internal, Internal, Internal, Internal.
5.1 Hazard identification by Check Lists
5.1.1 Simple Check-List
INTERNAL
PROCESS SAFETY HANDBOOK
24 of 129
2011-04-04
5. Impact
5.1.2
Comprehensive checklist
A comprehensive checklist is shown below. The checklist is divided into the following
nine categories:
1. Materials
2. Material Handling
3. Storage
4. Reactions
5. Equipment
6. Instrumentation
7. Pressure Relief
8. Utility Systems
9. Fire Protection
Under each category several "Items" are listed in the left column with "Subjects to be
investigated" in the right column. In some cases several items are to be checked against
the same group of subjects. Each item in the left column should be checked against each
subject in the right column of the same row.
Category / item | Subjects to be investigated

1. Materials
| Toxicity, flammability; Reactions, decompositions; Corrosiveness; Long-term storage behaviour

2. Material Handling
| Total amount, possible reductions; Overfilling protection; Spill collection; Leak detection; Cleaning/inspection; Procedures
Crane handling | Dropped load and potential targets
Conveyor belts | Stop devices, guards

3. Storages
Storage tanks, Dikes, Storage halls, Silos | Overfilling protection; Fire protection; Explosion venting; Inerting/purging/blanketing; External mech. impact; Cleaning/inspection; Freezing/overheating; Deterioration of contents

4. Reactions
Hazardous reactions, Combustible mixtures, Runaway reactions | Unintentional mixing; Wrong materials/contaminants; Wrong proportions; Deviation of process parameters; Unknown kinetics; Pump/agitator failure; Flow blockage; Isolation to stop reaction; De-pressuring/draining to stop reaction

5. Equipment
Vessels, Columns, Heat exchangers, Piping, Ducts, Valves, Machinery | Design, size; Material selection (corrosion); Over pressure protection; Level, temperature protection; Reverse flow protection; Emergency isolation (remotely); Emergency de-pressuring (remotely); Vent and drain possibilities; Isolation for maintenance; Potential leaks: glass components, small-bore connections; Inspection and maintenance; Compliance with codes; Certificates
Piping | Thermal stresses, movement, support, freeze protection, flushing; Maintenance: accessibility, bypass and isolation
Valves | Fail safe in case of power failure; Function testing; Interlock against unintentional opening/closing
Heat exchanger | Tube rupture protection
Category / item | Subjects to be investigated

De-super-heater | Too much/too little cooling liquid flow
Rotating machinery | Mechanical de-coupling from piping; Safety margin to critical speed; Reverse flow protection; Surge protection (minimum flow); Reaction to sudden power failure/trip; Maintenance: isolation, start-up

6. Instrumentation
Sensors, Signal transmission, Signal processing, Status display, Alarms, Automatic actions, Actuators, Power supply | Function separation (survey, process control, safety); Common cause failures; Redundant systems; Redundant power supplies; Fail safe principle; Spurious trips; Temporary non-availability (repair/calibration); Environmental effects; Classification for hazardous area; Man-machine interface; Procedures for commissioning, operation, maintenance; Reset of trip bypass; Tagging, documentation; Logic charts (cause/effect)

7. Pressure relief
Relief valves, Vacuum breakers, Rupture disc, Liquid seals | Installed where required, e.g. on all sections/vessels that can be overpressurised by equipment malfunction or operator error; Sizing criteria; Safe discharge without personal exposure; Blocking by solids (ice, sediments); Drain points in discharge lines; Maximum back pressure in flare system; Maintenance: testing, repair, written procedure, interlock; Redundancy: spare device
Liquid seals | Procedure for checking liquid level

8. Utility systems
Electric power, Steam, Cooling medium, Heating medium, Air (instrument + plant), Chemicals | Reliability of supply; Normal load/emergency load; Consequences of failure of one utility; Common cause failures; Consequences of failure of several utilities; Fail safe principle; Start-up/shut down; Maintenance/repair without process interruption
Electric power | Potential ignition source; Classified equipment in hazardous areas
Steam | Thermal isolation of hot piping; Freeze protection of dead legs; Risk for burns at tap points; Tube ruptures in heat exchangers (pressure/contamination)
Cooling medium | Tube ruptures in heat exchangers; Freeze protection (if water)
Chemicals | Maximum delivery pressure relative to design pressure of the section into which the chemical is injected; Back flow protection; Isolation in emergency

9. Fire protection
General measures | Reduce inventory of flammables; Avoid leaks; Avoid ignition sources; Prevent fire propagation; Limit heat load from design fire by spacing; Provide easy access for fire fighting
Water main | Security of supply (pond, sea, public); Two independent routes of supply; Sectioned ring main; Capacity related to maximum demand scenario; Freeze protection; Low pressure alarm; Procedure for regular testing, including pumps; Pumps protected from fire/explosion; Pump redundancy, including drive and power supply
Hydrants | Number and location; Maximum distance to object: hose length limitations; Minimum distance to object: heat load
Sprinklers | Number and location; Hazard category: low/medium/high; Capacity (mm/min = l/m² min) according to hazard category; Pressurised storage of flammables; Important structural members; Water impact on all heat exposed sides; Capacity (l/m² s) according to heat flux in maximum scenario
Foam systems, Water mist systems, Nitrogen/inergen systems, Dual agent systems, Portable systems | Number, type, location; Capacity; Maintenance procedures; Test procedures
Fire detectors | Number, type, location; Reliability (function on demand); Spurious trips due to open flames, sunlight; Voting logic
Manual alarms | Number, location
Alarm system | Visual/acoustic alarm in Central Control Room (CCR); Visual/acoustic alarm in plant; Communication CCR/plant and vice versa; Public address system; Telephone, UHF radio; External assistance
Fire proofing | Important structural members potentially exposed to gas fires and liquid pool fires, and sufficient height above ground. Insulation sufficient to limit steel temperature to < 450 °C in maximum duration fire
Liquid drain | Escaped flammable liquid drained away from the hazardous area

5.2
requires the expertise of a number of specialists familiar with the design and operation of the plant. The team of experts systematically considers each item of the plant, applying a set of guidewords to determine the consequences of operating outside the design intentions. Because of the structured form of a HAZOP, a number of terms need to be clearly defined; they are given in the table below.
Table 14 HAZOP terms

HAZOP term | Explanation
Cause | Reasons why a deviation might occur.
Consequence | Result of a deviation.
Deviation | Departure from the design intentions, discovered by systematic application of the guidewords.
Hazard | Consequence which can cause damage, injury or loss.
Guideword | Simple word used to qualify the intention and hence the deviation.
Node | In a process the main mode of operation can be examined by working downstream through the plant a node at a time. A node could be a line connecting vessels; it may incorporate a simple vessel such as a heat exchanger. It could be a vessel itself, particularly where some significant process change occurs in the vessel.
Parameter | Variable, component or activity referred to in the study.

Guideword | Explanation
No | No flow, pressure, etc.
More | High flow, high pressure, etc.
Less | Low flow, low pressure, etc.
As well as | Material in addition to the normal process fluids.
Part of | A component is missing from the process fluid.
Reverse | Reverse flow of process fluids.

Further parameters used in the study: pH, Sequence, Signal, Start / stop, Operate, Maintain, Services, Communication
5.2.1
Deviations considered: for every process stream (A, B, C); for vessels (A, B, C, D); changes in vessel condition; effluents; emergencies; for the whole section/stage: testing, start-up, maintenance; high/low reaction; high/low mixing; high/low level; high/low temperature and pressure; compatibility; failure of power, working air, steam, nitrogen, ventilation, control- or shutdown system.

Deviation | Descriptions
More (flow) | Pump raising, delivery vessel pressure high, low pressure downstream, leakage heat exchanger
Less (flow) | Pump stop, scaling, blockage, poor suction, cavitation, leakage heat exchanger, drain open, valve partly open
No (flow) | Pump failure, blockage, closed valve, empty suction vessel
Reverse (flow) | Pump failure, receiving tank high pressure, loss of pressure upstream, siphoning
Changes in vessel condition | Boiling, cavitation, freezing, chemical breakdown, flashing, condensing, sedimentation, scaling, foaming, gas release, priming, explosion, imploding. Changes in viscosity, density. External fire. Weather condition
(row heading not legible) | Ignition source, electrical impulse to personnel
(row heading not legible) | Changes in properties of mixture (water, solvents)
(row heading not legible) | Ingress of air, water, steam, fuel, lubricants, corrosion products, other process materials from higher pressure systems, leakage in heat exchanger
Testing | Vacuum, pressure testing, high/low drains and vents
(row heading not legible) | Concentration of reactants and intermediates
Maintenance | Purging, venting, sweetening, drying, warming, access, spares
High/low reaction | Foaming, other reactions, run away, gassing, exothermic or endothermic reactions, stability, catalyst influence
High/low mixing | Failure of mixer, vortex formation, settling, erosion
High/low level | Flooding, siphoning, corrosion, sludge accumulation
High/low temperature and pressure | Equipment design, use of steam cleaning, condensing gases, loss of cooling water. Philosophy and capacity of relief systems
(row heading not legible) | Reaction in culverts, drains, sewers, collecting mains
Effluents | Drain connections, washing connections, traps, vents, rousing connections, stacks, flares
Failure of power, working air, steam, nitrogen, ventilation, control- or shutdown system | Consider total and part failure
Emergencies | Consider lighting of plant, instrument panels, and power for alarms, trip systems and control system. General emergency plan
(row heading not legible) | Necessary reliability of control and trip systems, common failures of control and trip systems
(row heading not legible) | Procedures and communication systems, co-ordination with other plants
5.2.2
Operating procedures
As a procedural sequence, the parts under examination during the HAZOP are the relevant sequential instructions. In addition to the standard guidewords, "Out of sequence" and "Missing" can be productive. In the list of parameters the phrase "complete the step" can be used to good effect, as it combines meaningfully with the guidewords No, More, Less, Reverse, Part of, As well as, Out of sequence and Missing.
A major difference from process studies is that many of the causes of deviation are related to human actions. These may be errors of omission or of commission. Other possible causes include poorly written procedures, difficulties caused by poor layout, bad lighting, parameter indicators with limited or poor ranges, or too many alarms.
Example. A HAZOP study on an operating procedure is illustrated by the example below.
We consider a small batch process for the manufacture of a safety critical component. The component must meet a tight specification in both its material properties and its colour. The processing sequence is as follows:
1. Take 12 kg of powder "A"
2. Place in blender
3. Take 3 kg of colorant powder "B"
4. Place in blender
5. Start blender
6. Mix for 15 minutes; stop blender
7. Remove blended mixture into 3 x 5 kg bags
8. Wash out blender
9. Add 50 l to mixing vessel
10. Add 0.5 kg of hardener to mixing vessel
11. Add 5 kg of mixed powder ("A" & "B")
12. Stir for 1 minute
13. Pour mixture into moulds within 5 minutes
A HAZOP study is carried out to examine the ways in which below-specification material may be produced.
Recommended actions from a HAZOP of this operation can be:
- Check quality assurance procedures at the manufacturer
- Check if powder A may be contaminated by spills, leakages or operator errors
- Discuss if a critical control point should be implemented after step 7
- Implement a safeguard against adding too much hardener in step 10
5.2.3
If standard computers are used for process control applications, techniques for avoidance, detection and action in case of a failed state are embedded. The HAZOP team should decide whether:
- outputs from the computer have to be
  - fail safe, that is causing valves to go to the safe position, or
  - incremental, that is causing valves to freeze in their current position
- a back-up function is needed in case of computer failure, for
  - manual control
  - information
  - safety functions
- redundancy in the computer system is needed for
  - availability reasons, that is avoiding a production stop in case of failure of a single computer
  - safety reasons, that is monitoring by watchdog (or equivalent) and alarm so the operator can take the necessary actions, or SIL 1, 2 or 3 certified computers
To avoid failures in application software the following shall be applied:
- verification of the programme by an independent person
- routines for loop test prior to start-up
- routines for periodic proof test after operation has started, to detect failures which can arise due to changes, maintenance errors or component failures
Special attention must be paid to sequencing systems, since control of sequential processes is often more complicated than control of continuous processes. Safety critical points are:
- operator intervention such as manual control or bypassing of steps
- handling of reset and acknowledge functions and test signals in relation to automatic flags; these must be discussed.
Programmers and operators must participate in the HAZOP meetings.
5.2.4
5.2.5
It is underlined that all guidewords shall be covered in the study. However, not all guidewords have to be reported. Three levels of reporting are possible:
- record by exception, that is only when an action results
- intermediate record, that is where an action results, where a hazard exists or where a significant discussion takes place
- full record
Recording by exception requires an entry only when the team makes a recommendation. This level can be used in existing processes with long operational experience.
At the intermediate level, a record is generated whenever there is any significant discussion by the team, including those occasions where there is no associated action. These include deviations identified by the team which, though realistic and unanticipated in the original design work, happen to be adequately protected by the existing safeguards. This level is generally recommended.
In full recording, an entry is included for every deviation considered by the team, even when no significant causes or consequences were found. At this level, each parameter is recorded with each guideword for which the combination is physically meaningful. This level should only be used in process units that need to demonstrate the highest possible standard of safety management.
But as underlined above, all guidewords have to be discussed. It is assumed that a guideword not reported has been discussed and that no deviation, comment or observation was found.
A table for recording a HAZOP is shown in Table 18 below.
Table 18 HAZOP recording form

Header fields: Project | Project phase | P&ID (no/title) | Date

Columns: Ref. | Pipe, equipment no | Guideword and deviation | Cause(s) | Consequence(s) | Safeguard(s) | Recommendation(s) / Comment(s) | Responsible | Decision / Implemented (Sign, date)
5.3
5.3.1
accepted monetary risk. The table below illustrates how the corrective maintenance budget, in principle, could be established by use of risk assessment methods (budget = probability of failure x monetary consequence per failure):

Table 19 Illustration of corrective maintenance budget established by use of risk

Item | Probability of failure | Monetary consequence per failure | Budget for corrective mtce
Component A | 0.01 pr. year | 100,000 | 1,000 pr. year
Component B | 0.001 pr. year | 2,000,000 | 2,000 pr. year
Sum = Total plant | | | 3,000 pr. year
Example 1: A shell and tube heat exchanger contains 500 tubes, and the probability (i.e. frequency) of one tube failing is 0.01 per year (one every 100 years). The total frequency of tube failures in this heat exchanger then becomes 500 x 0.01 = 5 pr. year. If the consequences of a tube rupture are large (e.g. the whole production has to stop because the final product gets contaminated), the risk of failure (consequence x probability) may be considered unacceptably high. Some kind of remedy (e.g. change to another tube material) should then be evaluated. But if, for example, the tube side carries the same fluid as the shell side, the immediate consequences of a tube rupture may be minor, especially if the heat exchanger has some surplus capacity. In this case the risk may be regarded as low / acceptable.
Example 2: Two identical pumps are serving two totally different functions. One is pumping conditioning chemicals into the main process, and the other is pumping water to the toilets on the 2nd floor of the administration building. It goes without saying that the first pump requires more attention (periodic inspection, lubrication, etc.) than does the latter. Also, the response upon failure (the corrective action / maintenance) should be prompt in the first case, whereas the toilet pump could wait till after the weekend. The probability of losing the pumping function may be the same for both, but the consequences following a failure may be regarded as critical for one pump and non-critical for the other. Hence, the first pump carries a high risk and the latter a low risk.
Example 3: Two identical water pumps, one a hot spare for the other: The consequences of losing the pumping function may be severe, and hence this function is seen as critical to the plant operations. But as the spare pump automatically starts if the first pump fails, the probability of losing the pumping function is very small. (If a standby pump needs a long time to start, it should not be considered a hot spare.) Hence, the risk (consequence x probability, or criticality x likelihood) is low.
Example 4: Again two identical pumps, one a hot spare for the other, but these are pumping toxic liquid. The pumps are located near the main control room. The pumping function is just as critical to the plant operations as the pumps in example 3. As the liquid is toxic, a potential leak (which is one possible failure) could affect people's safety as well as the environment (especially if the pumps cannot be quickly isolated). The probability of failure may be the same as in example 3, but the risk becomes higher due to the potential safety, environmental and production impact. Hence, these pumps are riskier than the pumps in example 3, and call for even more attention and closer follow-up through inspection programs.
Example 5: A control valve with a full bore manual globe valve in bypass. The control valve becomes sticky and / or the valve stem breaks. The consequence of losing the controlling function may be critical, but it may be possible to uphold the operation by use of the manual valve (especially if it can be operated from the control room). The probability of completely losing the controlling function (i.e. losing both the automatic control and the bypass valve) is therefore low. Hence, the total risk could be low / acceptable.
Example 6: Two pipes, both carrying liquid that is potentially harmful to people as well as the environment. One pipe has a 2" diameter and runs inside a building; the other is 8" and is located outdoors:
- The probability of a leak may (or may not) be different for the two pipes, due to the different locations causing different external corrosion rates.
- The probability of harming people may be higher inside the building than out in the open, but then again the wind direction may be unfavourable.
- There may be people inside the building, and there may not.
- The leak may be small or big, and it may be easy or difficult to isolate.
- The volume coming out may be small or big, and there may or may not be containment / bund walls installed.
- There may or may not be detectors installed giving alarm or automatic shutdown of the whole plant or parts of the plant.
- It may or may not be possible to carry out a temporary repair, and the repair may or may not require scaffolding or other preparations. The repair costs may hence be high, or not so high.
- Etc.
The resulting risks of all these eventualities are?
Example 6 is meant to illustrate how difficult it sometimes is to foresee and assess all possible consequences. Evaluating the probability of failure can also be tricky, although a lot of industrial failure statistics are available. The example also illustrates how complicated everything becomes if one attempts to evaluate the potential consequences and the probability at the same time. It is therefore important that people with relevant experience and sound judgement carry out the Risk Assessments, and that the assessments are made in discrete steps (first evaluate the consequence, and then the probability). Plant personnel know from their own experience what the typical equipment failures are, their typical frequency and the potential dangers associated with such failures, the typical consequential stop in production, as well as the typical repair time and cost. This practical insight must be utilised extensively. Otherwise, Risk Assessments could easily become a comprehensive and hypothetical exercise.
This risk assessment is not a science offering absolute answers. It is more a tool for overseeing and managing the plant operations and maintenance.
5.3.2
The probability of a loss of function depends on the actual equipment and the actual operational conditions.
In order to get the Risk Assessment process started, a number of initial and simplifying assumptions may be needed. As and when real-life experience is gathered and systemised, these assumptions, and thereby also the risk assessment, can be adjusted and fine-tuned.
It is recommended to break the Risk Assessment into the following steps:
1. Establish Local Acceptance Criteria for the 5 values (people's safety, environment, product quality, production capability, assets / property). Examples of criteria are given below.
2. Carry out Criticality Ranking, i.e. assess the potential consequences of equipment failure as High (3), Medium (2) or Low (1) and classify the equipment accordingly as Critical, Important or General, for all the 5 values.
3. Carry out RBI, SIL and RCM methods to estimate the probability and the resulting risk of failure (= consequence x probability). Start with the most critical equipment failures.
This stepwise approach should filter out the non-important matters and set the priorities for developing maintenance plans / programs. Steps 1 and 2 are further described in the following chapters, whereas the methods mentioned under step 3 are covered by separate documents.
5.3.3

Criticality / consequences | Production and/or product quality loss (Note 1) | Equipment restoring cost (Note 1)
2 Important / Medium | Stop in production / significantly reduced rate of production exceeding X hours (specify duration) within a defined period of time | Substantial cost exceeding Y Euro (specify cost limit)
1 General / Low | No effect on production within defined period of time | Insignificant cost less than Z Euro (specify cost limit)
The table below shows a typical application of the guidelines given above.

Table 21 Example of Consequence Classification for maintenance purposes

Criticality / consequences | Production and/or product quality loss | Equipment restoring cost
3 Critical / High | |
2 Important / Medium | |
1 General / Low | |

5.3.4
- Assume the failure mechanism is the one most frequently experienced (a damaged bearing is more common than a broken shaft).
- Assume that safety equipment (like a safety valve) may also suffer loss of function.
- But assume that automatic shutdown / isolation / pressure relief systems will function as intended when needed (the probability of failures in the shutdown / safety systems themselves will later be covered by the SIL analysis), i.e. do not consider double contingencies.
- Assume that necessary spares are available / not available as per plant experience.
- Assume that the repair takes its normal time.
- Estimate the value of the typical total production loss (including typical rundown and start-up time), and the typical cost to repair / replace the damaged equipment.
Comment: This approach is clearly a simplification, which basically describes the plant's actual historical experience. It is known that a broken shaft would probably have much bigger consequences (longer repair / fix time) than a damaged bearing, so the possible consequences of loss of function will be under-rated when the damaged bearing is selected as the dimensioning case. However, such potential under-ratings should be dealt with during the RCM analysis, where the focus is put on the reliability of the various parts inside a pump.
Tag no. | Consequence rating: Safety | Environ | Quality | Prod loss | Asset/repair cost | Equipment ranking
Xxx | | | | | | Critical
Yyy | | | | | | Critical
Zzz | | | | | | Important
Www | | | | | | General
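The ranking table above and Table 19 describe one procedure: rate each tag against the five values, let the worst rating set the class, and size the corrective maintenance budget from probability x consequence. The following is an added example (not part of the handbook) that carries that procedure through in code and orders the register the way step 3 asks (most critical first). Component A and B reuse the probabilities and monetary consequences of Table 19; the tag names, ratings and the third item are constructed, and the function names are the example's own.

```python
"""Criticality ranking for the five values and a risk-based corrective
maintenance budget, following the handbook's stepwise approach (steps 2 and 3)
and its Table 19.

Added example (not from the handbook).  Tag names and ratings are
constructed; Component A and B reuse the probabilities and monetary
consequences of Table 19.
"""
from __future__ import annotations

from dataclasses import dataclass

# The five values the handbook ranks consequences against.
VALUES = ("safety", "environment", "quality", "production", "asset")
# Consequence rating -> equipment class, as in the handbook.
RATING_CLASS = {3: "Critical", 2: "Important", 1: "General"}


@dataclass
class Tag:
    tag_no: str
    ratings: dict[str, int]          # consequence rating 1..3 for each of VALUES
    failure_prob_per_year: float     # probability (frequency) of loss of function
    cost_per_failure: float          # monetary consequence per failure [Euro]


def validate(tag: Tag) -> None:
    """Reject incomplete or out-of-range ratings before they reach the ranking."""
    if set(tag.ratings) != set(VALUES):
        raise ValueError(f"{tag.tag_no}: ratings must cover exactly {VALUES}")
    for value, rating in tag.ratings.items():
        if rating not in RATING_CLASS:
            raise ValueError(f"{tag.tag_no}: rating for {value} must be 1, 2 or 3")
    if tag.failure_prob_per_year < 0 or tag.cost_per_failure < 0:
        raise ValueError(f"{tag.tag_no}: probability and cost must be non-negative")


def consequence_rating(tag: Tag) -> int:
    """Step 2: the worst rating over the five values decides the equipment class."""
    validate(tag)
    return max(tag.ratings.values())


def rank(tag: Tag) -> str:
    return RATING_CLASS[consequence_rating(tag)]


def expected_annual_loss(tag: Tag) -> float:
    """Monetary risk = probability of failure x consequence per failure (Table 19)."""
    validate(tag)
    return tag.failure_prob_per_year * tag.cost_per_failure


def corrective_budget(tags: list[Tag]) -> float:
    """Sum over the plant of the expected annual monetary loss."""
    return sum(expected_annual_loss(t) for t in tags)


def prioritised(tags: list[Tag]) -> list[Tag]:
    """Step 3 says to start with the most critical failures: order by class, then by monetary risk."""
    return sorted(tags, key=lambda t: (-consequence_rating(t), -expected_annual_loss(t)))


def make_ratings(safety=1, environment=1, quality=1, production=1, asset=1) -> dict[str, int]:
    return dict(safety=safety, environment=environment, quality=quality,
                production=production, asset=asset)


# Constructed register.  A and B carry the Table 19 figures.
SAMPLE_TAGS = [
    Tag("Component A", make_ratings(safety=3, environment=2, production=2), 0.01, 100_000),
    Tag("Component B", make_ratings(production=2, asset=2), 0.001, 2_000_000),
    Tag("Toilet pump", make_ratings(), 0.05, 5_000),
]

if __name__ == "__main__":
    for t in prioritised(SAMPLE_TAGS):
        print(f"{t.tag_no:12s} {rank(t):9s} risk {expected_annual_loss(t):8.0f} Euro/yr")
    print(f"Corrective maintenance budget: {corrective_budget(SAMPLE_TAGS):.0f} Euro/yr")
```

Note that the toilet pump has the highest failure frequency but ranks last, exactly the point of Example 2: consequence class is decided first, and only then is probability brought in.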
Probability analysis
6.1

Fig. 3 Reliability bathtub curve (failure rate against time; phase I: burn-in, phase II: constant failure rate, phase III: wear-out)

In phase I in the figure the failure rate (hazard rate, force of mortality) decreases as weak components are eliminated; in phase II it remains approximately constant; and in phase III components start to wear out and the failure rate increases. For phase II the exponential distribution applies. For phases I and III the Weibull distribution can be used to model the reliability.
The reliability can be measured in several ways. The most common measures are further explained below:
1. Expected number of failures per unit time, i.e. the failure rate
2. Expected lifetime (mean time to failure, MTTF) or expected time between failures (MTBF)
3. The probability that the unit functions on demand
4. The availability of the unit, i.e. the time fraction the unit is functioning
Failure rate
The failure rate is the expected number of failures per unit time. A simple estimate of the failure rate is obtained by dividing the total number of failures in a population of "identical" components by the total test time (or observation time) of that population. The failure rate can be divided into several failure modes or causes. The failure modes "dangerous failures = safety critical failures" and "safe failures = spurious operation" are discussed below. It is natural to use the failure rate (together with down time) as a measure of reliability for units that work continuously. Expected lifetime or time between failures is estimated as the inverse of the failure rate.
Exponential distribution
With a constant failure rate, the reliability of the system can be represented by the exponential lifetime distribution:

$R(t) = e^{-\lambda t}$,

where:
t: time
R(t): the probability of successful operation for the time t
$\lambda$: the constant failure rate
e: the base of natural logarithms.
Lifetimes are normally considered to be exponentially distributed in risk analyses. This means that a unit fails completely at random, with the same probability at any point in time. Furthermore, a repaired unit is considered "as good as new".
System structures
A system with n different components is considered. The way the n components are interconnected to fulfil a specified system function is called the system structure. A system may constitute a series structure or a parallel structure or a combination of these two types of structures. The series and parallel structures are shown in the reliability block diagrams in figure 5 below.
In a series structure all components must function if the system is to function. This structure is also called an n-out-of-n (noon) structure. The reliability of a series structure is the product of the reliabilities of the components.
In a parallel structure it is sufficient that one or more of the components function for the system to function. This structure is also called a 1-out-of-n (1oon) structure. The failure probability of a parallel structure is the product of the failure probabilities of the components.
A k-out-of-n structure (koon, voting structure) is a combination of a series structure and a parallel structure. Such a structure functions if at least k of the n components are functioning. The most common voting structure is the 2-out-of-3 (2oo3) structure (k = 2 and n = 3).
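The series, parallel and koon rules above are all special cases of one computation: sum the probabilities of every component state in which at least k of the n components work. The following is an added example (not part of the handbook) that evaluates a k-out-of-n structure by enumerating those states, so it also handles channels with different reliabilities, and checks it against the closed-form series and parallel products; the failure rates and mission time are constructed for illustration, and the function names are the example's own. Components are assumed independent (no common-cause failures).

```python
"""Reliability of series, parallel and k-out-of-n structures.

Added example (not from the handbook).  Component reliabilities are taken as
exponential, R(t) = exp(-lambda * t), as in the handbook; the failure rates and
mission time below are constructed for illustration.
"""
from __future__ import annotations

import math
from itertools import product


def exp_reliability(failure_rate: float, t: float) -> float:
    """R(t) = e^(-lambda t): survival probability for a constant failure rate."""
    return math.exp(-failure_rate * t)


def koon_reliability(k: int, rels: list[float]) -> float:
    """Probability that at least k of the n components function.

    Enumerates all 2^n functioning/failed states (components assumed independent,
    no common-cause failures), so it also handles components with different
    reliabilities.  Fine for the handful of channels in a safety function.
    """
    n = len(rels)
    if not 1 <= k <= n:
        raise ValueError("k must satisfy 1 <= k <= n")
    total = 0.0
    for state in product((True, False), repeat=n):      # True = component works
        if sum(state) >= k:
            p = 1.0
            for works, r in zip(state, rels):
                p *= r if works else (1.0 - r)
            total += p
    return total


def series_reliability(rels: list[float]) -> float:
    """Series structure = n-out-of-n: product of the component reliabilities."""
    return math.prod(rels)


def parallel_reliability(rels: list[float]) -> float:
    """Parallel structure = 1-out-of-n: 1 minus the product of the failure probabilities."""
    return 1.0 - math.prod(1.0 - r for r in rels)


def channel_reliabilities(failure_rates: list[float], t: float) -> list[float]:
    """Per-channel R(t) for a list of constant failure rates over mission time t."""
    return [exp_reliability(lam, t) for lam in failure_rates]


if __name__ == "__main__":
    # Constructed: three transmitters, 0.1 failures/year each, one-year mission
    rels = channel_reliabilities([0.1, 0.1, 0.1], t=1.0)
    for label, value in [
        ("series   (3oo3)", koon_reliability(3, rels)),
        ("2oo3 voting    ", koon_reliability(2, rels)),
        ("parallel (1oo3)", koon_reliability(1, rels)),
    ]:
        print(f"{label}: R = {value:.4f}")
```

With three channels of R = 0.9 the three structures give 0.729 (3oo3), 0.972 (2oo3) and 0.999 (1oo3); the 2oo3 value sits between the two extremes, which is the trade-off the handbook describes for voting structures.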
Fig. 5 Reliability block diagrams: series structure (components 1, 2, ..., n in a chain) and parallel structure (components 1, 2, ..., n side by side)

Availability
The availability A of a repairable unit is

$A = \frac{MTBF}{MTBF + MTTR}$

where MTBF is the mean (expected) time between failures and MTTR is the mean (expected) repair time (or actually the down time, see below).
Down time
The down time of a unit is the period from the time the unit fails until it is back in the system and working (replaced or repaired). Thus the down time includes the time to detect the failure, waiting time, and time for repair/reinstallation/reconfiguration or replacement. For "passive" units (such as process safety systems), whose failed state is only discovered when inspected, the down time is estimated as half the inspection interval, assuming that the unit failed in the middle of the interval and that the repair time etc. is negligible in comparison. This applies under the assumption that the inspection interval is considerably shorter than the expected interval between demands on the unit.
Short about reliability of process safety functions
In this section a short description of the reliability of safety functions is presented; a more comprehensive treatment is given in sec. 6.2.
In process safety systems, safety critical failures and failures due to spurious operation may occur. Process safety systems are normally passive and may have unrevealed failures. The probability of an unrevealed safety critical failure is the Probability of Failure on Demand (PFD). For a single channel system

$PFD = \frac{\lambda_{DU} T}{2}$,

where $\lambda_{DU}$ is the rate of dangerous undetected failures [per year] and T is the proof test interval [year].
Safety unavailability (SU) is the probability of failure per demand, i.e. the probability that the unit does not function when needed. Examples are a safety valve with failure mode "does not open", a pump with failure mode "does not start", or a gas detector which "does not detect gas concentration above the defined alarm limit".
The rate at which a single-channel protection system fails to protect against a hazard is the product of the safety unavailability and the demand rate D:

$hr = PFD \cdot D$

hr is called the hazard rate.
Spurious operation of components in process safety systems means that a false alarm or a groundless shutdown occurs.
The SU and the rate of spurious operation depend, in addition to the failure mode rates, on the structure of the safety system.
When n safety functions are arranged so that any one of them can perform the protective action (1-out-of-n redundancy, a parallel structure in the reliability block diagram), the SU for the system is the product of the SUs of the n safety functions, and the system's rate of spurious operation is the sum of the spurious operation rates of the n safety functions.
When all n safety functions must act for the protective action to take place (n-out-of-n, a series structure in the reliability block diagram), the SU for the system is higher than the SU of each of the n safety functions, and the system's rate of spurious operation is lower than the spurious operation rates of the n safety functions.
Voting structures (such as 2-out-of-3) combine a low spurious operation rate with a low SU.
6.2
6.2.1
DU:
PFD:
PFDred:
PTIF:
For a single channel with dangerous undetected failure rate DU, proof test interval T and
demand rate D, the exact hazard rate (with PTIF = 0) is

hr = DU · [1 - (1 - exp(-D·T)) / (D·T)]

with an additional term for test independent failures (PTIF). The demand mode formula is

hr = PFD · D

When DT ≈ 1 or > 1, use of this formula gives conservative results. For DT >> 1, the
formula to use is the continuous mode formula:

hr = DU

This is illustrated in the table below, where DU = 1 yr-1.
Table 23 Accuracy of reliability formulas, DU = 1 yr-1, PTIF = 0. All entries are hr / DU.

DT      Exact formula    Demand mode formula    Continuous mode formula
                         hr = PFD · D           hr = DU (continuous operation)
0.03    0.0149           0.015                  1
0.1     0.048            0.05                   1
0.5     0.21             0.25                   1
1       0.37             0.5                    1
2       0.56             1                      1
4       0.75             2                      1
8       0.88             4                      1

The demand mode formula (hr = PFD · D) gives acceptable results when DT < 1. When DT
> 2, use of the demand mode formula gives very conservative results; in this case the
continuous mode formula gives better approximations.
In redundant koon structures where n > k, e.g. 1oo2 and 2oo3 systems, the probability of
failure on demand is
!
= + !! +
where the common mode failure fraction is typically 0.1 for a duplicated, i.e. 1oo2,
system and typically 0.05 for a 2oo3 structure.
In a 2oo2 system the probability of failure on demand is, when PFD is the value for each channel:
PFD2oo2 = 2 · PFD
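The single channel formulas above, the three hazard rate formulas compared in Table 23 and the page's rules for combining safety functions, as an added worked example (this is not code from the handbook; the sample DU, D and T values in the main block are constructed):

```python
import math

# Added example (not from the handbook): single-channel PFD, the three
# hazard-rate formulas of Table 23, and the page's combination rules.

def pfd_single_channel(du, t):
    """PFD = DU * T / 2 (DU in dangerous undetected failures per year,
    T = proof test interval in years)."""
    return du * t / 2.0

def hazard_rate_demand_mode(du, d, t):
    """Demand mode formula hr = PFD * D (D = demand rate per year)."""
    return pfd_single_channel(du, t) * d

def hazard_rate_continuous_mode(du):
    """Continuous mode formula hr = DU, for DT >> 1."""
    return du

def hazard_rate_exact(du, d, t):
    """Exact single-channel hazard rate with PTIF = 0, the formula behind the
    'exact' column of Table 23: hr = DU * [1 - (1 - e^(-DT)) / (DT)]."""
    dt = d * t
    return du * (1.0 - (1.0 - math.exp(-dt)) / dt)

def hazard_rate_recommended(du, d, t):
    """The page's rule of thumb: demand mode formula for DT < 1, continuous
    mode formula for DT > 2, the exact formula in between."""
    dt = d * t
    if dt < 1.0:
        return hazard_rate_demand_mode(du, d, t)
    if dt > 2.0:
        return hazard_rate_continuous_mode(du)
    return hazard_rate_exact(du, d, t)

def table_23(dt_values, du=1.0, t=1.0):
    """Rows (DT, exact, demand mode, continuous mode) of hr/DU as in Table 23.
    With T = 1 yr the demand rate D equals DT numerically."""
    rows = []
    for dt in dt_values:
        d = dt / t
        rows.append((dt,
                     round(hazard_rate_exact(du, d, t) / du, 4),
                     round(hazard_rate_demand_mode(du, d, t) / du, 4),
                     round(hazard_rate_continuous_mode(du) / du, 4)))
    return rows

def series_system(sus, spurious_rates):
    """n independent safety functions that must all fail for the hazard to pass
    (a 'series system' in the page's wording): SU is the product of the SUs,
    the spurious operation rate is the sum of the individual rates."""
    su = 1.0
    for s in sus:
        su *= s
    return su, sum(spurious_rates)

def parallel_system_su(sus):
    """n safety functions that must all act (a 'parallel system' in the page's
    wording): the system is unavailable if any one of them is, so
    SU = 1 - prod(1 - SU_i), which is higher than every individual SU. Its
    spurious rate is lower than each individual rate but needs repair-time
    data to quantify, so it is not computed here."""
    available = 1.0
    for s in sus:
        available *= (1.0 - s)
    return 1.0 - available

def pfd_2oo2(pfd_channel):
    """Page formula for a 2oo2 structure: PFD_2oo2 = 2 * PFD."""
    return 2.0 * pfd_channel

if __name__ == "__main__":
    for row in table_23([0.03, 0.1, 0.5, 1, 2, 4, 8]):
        print("DT=%-5g exact=%-7g demand=%-5g continuous=%g" % row)
    # Constructed case: DU = 0.05/yr, tested yearly, 0.2 demands per year
    print("hr =", hazard_rate_recommended(0.05, 0.2, 1.0), "per year")
```

Running the main block reproduces the hr/DU columns of Table 23 (the exact column to four decimals, so 0.5677 where the page rounds to 0.56) and shows how far the demand mode value drifts from the exact one once DT exceeds about 1.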
6.2.2
S:
:
S2oo2 :
S2oo3 :
S1oo2 :
S1oo3 :
Human Reliability
In all technical systems, the human factor has an impact in one way or another. For
small and simple units, people are mainly involved in maintenance and repair, while for
larger units (plants) the demands on people are numerous and varied. As technical
components are becoming more and more reliable, the human factors' relative
importance is increasing, and man is becoming the critical part of a system. This means
that the human "component" of a system cannot be simply left out of the analysis, and
as long as the aim is to quantify probabilities of system failures, human reliability must
also be quantified.
Since people normally do discrete (not continuous) operations, human reliability will be
measured in terms of probability of failure per operation.
The probability of human failure is affected by several factors, e.g. motivation, stress,
working conditions and so on. For more detailed studies, the HEART method could be used.
The HEART method and a selection of probabilities for human error under "average"
conditions are given in the section on failure data. We recommend that these values are
used initially and in rough studies, modified if necessary to correct for obviously
unfavourable conditions.
6.4
[Figure: example fault tree. Gate and event labels: TOP, SAFETY SYS, CONTROL, SENSOR, DCS, SD valve, VALVE, SD logics failing, LOGICS, SD sensor failing, SD sensor]
A fault tree analysis should be used when detailed analysis of the reliability of a system
is required. For risk analysis, where the systems to be analysed are normally
complicated, this is a structured way to model the system without the risk of losing
track. An example is shown in the figure below.
Event Tree Analysis
The event tree analysis is a forward logic technique to systematically describe and
develop the different scenarios (sequences) and outcomes from a defined initial event,
and is therefore most applicable for analysing the effects of a specific event. The
analysis starts by defining the initial event and proceeds by successively identifying
and defining the alternative routes, either as sub-events occurring or as safety systems
functioning or failing. The method orders the events in time sequence, and often the
final unwanted sequences form the top event for further fault tree analysis of safety
functions. In risk analysis the method is often used to develop and describe the
consequences of a hazardous release, see the figure below.
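The event tree technique described above, evaluated numerically for a hazardous release, as an added example (not from the handbook). The initiating event frequency and the branch probabilities are constructed illustration values, not handbook data; the tree structure is my own:

```python
# Added example (not from the handbook): a small event tree for a hazardous
# release, evaluated in time order. All numbers are constructed illustrations.

class Outcome:
    """A leaf: one end state of the scenario."""
    def __init__(self, name):
        self.name = name

class Branch:
    """A node in time order: a safety system that works (p_success) or fails,
    or a sub-event that does not occur (p_success) or occurs."""
    def __init__(self, name, p_success, on_success, on_failure):
        if not 0.0 <= p_success <= 1.0:
            raise ValueError("probability out of range: %r" % (p_success,))
        self.name = name
        self.p_success = p_success
        self.on_success = on_success
        self.on_failure = on_failure

def evaluate(node, freq, path=None):
    """Multiply the initiating frequency along every path through the tree.
    Returns a list of (outcome name, branch decisions, frequency per year)."""
    path = path or []
    if isinstance(node, Outcome):
        return [(node.name, tuple(path), freq)]
    success = evaluate(node.on_success, freq * node.p_success,
                       path + [(node.name, "works")])
    failure = evaluate(node.on_failure, freq * (1.0 - node.p_success),
                       path + [(node.name, "fails")])
    return success + failure

def outcome_frequencies(sequences):
    """Sum the sequences that end in the same outcome."""
    totals = {}
    for name, _, f in sequences:
        totals[name] = totals.get(name, 0.0) + f
    return totals

def release_event_tree():
    """Constructed example: three successive questions after a gas release."""
    return Branch("Gas detection and ESD isolates the leak", 0.9,
                  Outcome("Limited release"),
                  Branch("No ignition of the cloud", 0.8,
                         Outcome("Unignited gas cloud (toxic exposure)"),
                         Branch("Cloud burns as flash/jet fire (no explosion)", 0.6,
                                Outcome("Flash fire / jet fire"),
                                Outcome("Explosion"))))

def analyse(initiating_frequency):
    """All sequences and the per-outcome frequencies for one initiating event."""
    seqs = evaluate(release_event_tree(), initiating_frequency)
    totals = outcome_frequencies(seqs)
    # Consistency check: the end states partition the initiating frequency.
    assert abs(sum(totals.values()) - initiating_frequency) < 1e-12
    return seqs, totals

if __name__ == "__main__":
    # Constructed initiating event: 0.01 significant releases per year
    sequences, totals = analyse(0.01)
    for name, decisions, f in sequences:
        print("%-40s %.2e /yr  via %s" % (name, f, decisions))
```

The failure branches that end in "Explosion" are the unwanted sequences which, as the text says, become the top event of a fault tree for the safety systems along that path.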
a) Hardware Approach. The hardware approach is normally used when hardware items
can be uniquely identified from schematics, drawings, maintenance manuals and
other engineering design data. The hardware approach is normally utilised in a
bottom-up approach.
b) Functional Approach. The functional approach is normally used when hardware
items cannot be uniquely identified or when system complexity requires analysis
from the initial indenture level downward through succeeding indenture levels. The
functional approach is normally utilised in an initial top-down approach.
The FMEA procedure may be summarised as completing the following steps:
1. Define the system to be analysed
2. Construct a block diagram at equipment level
3. For each item of equipment, construct a block diagram at component level
4. Identify failure modes at appropriate levels
5. Assign effects to the failure modes
6. Enter other failure mode information such as failure detection methods
7. Recommend redesign or maintenance actions to reduce the likelihood of failures
An FMEA is conducted by identifying, through failure analysis techniques, significant
failure modes that can occur, their effect on safety and effectiveness, and the probability
of occurrence. When it is likely that a failure could adversely impact on safety or
effectiveness, the design should be modified to eliminate or minimise the failure cause
probability.
For those potential failure modes that cannot be corrected through redesign effort,
special controls such as labelling warnings, alarms, etc. should be provided. An FMEA
should include an evaluation of possible human-induced failures or hazardous
situations. Each potential failure mode should be considered in the light of its
probability of occurrence and characterised as to the severity of its effect on reliability,
safety and effectiveness.
An example of an analysis form is shown in the table below.
Table 24 Example of FMEA analysis form
FMEA    SYSTEM: ........    DATE: ........
Columns: Function | Comp./Part | Failure mode | Failure consequence | Cause | Detection | Recommendation | Decision/Implemented
Figure 8 shows a classification scheme for different causes. This scheme can be used as
a guide to qualitative analysis.
Consequence analysis
By consequence is here meant injury to people, damage to the environment and assets,
and production losses caused by accidents in production plants, transportation and
storage. In this chapter the following phenomena which can cause consequences are
described:
release
dispersion
ignition
fire
explosion
toxic gas exposure
7.1
Release
Accidental releases to be considered in risk analyses are divided into three main
categories:
gas releases
two-phase releases
liquid releases
Release models are depicted in fig. 9 and 10 below.
In liquid or two-phase models, pools on the ground or on water can develop.
7.2
Gas dispersion
The models used in gas dispersion calculations are illustrated in figures 11, 12 and
13.
d) Materials having nominal molecular weights less than that of air, but which may
form higher molecular weight fractions due to molecular association, e.g. hexamer
formation of hydrogen fluoride.
In the initial phases, heavy gas clouds spread horizontally due to gravity. This creates a
boundary layer between the gas and the ambient air at the top of the cloud and at the
edges where the velocity shear causes the air to be entrained into the cloud. At a later
stage, when the initial impulse and the gravity driven heavy gas dispersion has
decreased considerably, the atmospheric turbulence starts to dominate leading to passive
dispersion. This is of great importance particularly with respect to toxic gases that are
dangerous to man at very low concentrations.
When doing gas dispersion calculations, all major dispersion effects must be included.
This includes the atmospheric stability and the atmospheric boundary layer
(meteorological data), proper surface roughness, temperature, pressure and wind profile,
solar radiation and ambient humidity (especially for anhydrous gases such as ammonia).
All these effects must be taken into consideration. When calculating a specific release
which has occurred, the conditions at the time of the release must be used. In risk
assessment, representative combinations of conditions or, for some parameters, the
average value must be used.
If only a few gas dispersion scenarios are to be carried out in a safety study, at least two
weather situations should be considered:
1) Stable thermal atmospheric conditions (atmospheric stability category F) and low
wind velocities (1 - 2 m/s)
2) Neutral atmospheric stability (atmospheric stability category D) and 5 m/s wind
speed
F stability and low wind velocity will cause large downwind concentration and narrow
clouds while D stability and higher wind velocity will result in lower downwind
concentrations and broader clouds.
The dispersion of jet releases, plume releases, releases from area sources and
instantaneous releases are calculated using models specific to the mode of release.
7.3
Evaporation
When an evaporating liquid is released on to a surface it will spread due to gravity. The
slope of the surface will influence this process as will the temperature difference
between the liquid and the surface. In addition, the surface roughness, the permeability
and the heat capacity of the surface are of major importance.
If the surface is solid ground, a pool will form and the evaporation rate will decrease as
the surface temperature drops. If there is no dike (bund) around the source of release,
the cold liquid will continue to overflow onto ground at ambient temperature and the
total evaporation rate will not change substantially.
Ignition
The minimum ignition energy for different flammable gases differs considerably. For
instance, hydrogen is easily ignited and can also auto-ignite when released at high
pressure, while ammonia is hard to ignite. The minimum ignition energies for the more
important gases related to risk analysis in Yara are listed in the table below. Note that these
energies are generally low, and sparks generated by static electricity may therefore
easily ignite a flammable gas cloud.

Table: properties of the gases most relevant to risk analysis in Yara (only the rows whose values could be mapped unambiguously to the gases are reproduced; the remaining rows of the original table could not be recovered)

                                Ammonia   Methane   Propane   Vinyl chloride   Ethylene   Hydrogen
Molecular weight                17.03     16.04     44.10     62.5             28         2.01
Auto ignition temperature [K]   -         813       723       688              763        673
Lower flammability limit [vol%] 16        5.0       2.2       3.8              3.1        4.0
Upper flammability limit [vol%] 25        15.0      9.5       29.3             32.0       75.0
Minimum ignition energy [mJ]    >100      0.29      0.24      0.25             0.12       0.02
If a flammable gas comes into contact with an open flame or a hot surface, it will also
ignite. The lowest surface temperature at which a gas can ignite is called the Auto
Ignition Temperature (AIT). AITs for different gases are listed in the table.
For all installations containing flammable materials there are certain distances within
which every piece of equipment shall be spark proof and no hot surfaces or other
obvious sources of ignition shall be present (ex-zone). Nevertheless, there is always a
remaining possibility for an easily flammable gas to be ignited. Outside this ex-zone,
but still inside the plant area, the ignition probability increases. The presence of electric
equipment and vehicles also increases the ignition probability.
Public roads, residential and other areas outside the plant are other possible sources of
ignition.
In the table below, general probabilities for the ignition of different gases at different
locations are listed. These data must be used with great care: if definite sources of
ignition like open flames, furnaces, motors or surfaces at temperatures above the
autoignition temperature can be identified inside the area of interest, the probability of ignition
must be chosen to be 1.
Table: Ignition probabilities *)

             In EX-zone   In plant area   On public road   On farmland
Hydrogen     1            1               1                0.5
Ethylene     0.1          0.3             0.4              0.1
Methane      0.05         0.2             0.3              0.05
Ethane       0.05         0.2             0.3              0.05
Propane      0.05         0.2             0.3              0.05
VCM          0.05         0.2             0.3              0.05
Ammonia      0.01         0.02            0.05             0.01

*): The figures refer to a flammable cloud covering an area of 600 m2. For other cloud sizes, the ignition
probability is Pign = 1 - exp(-p·A/600), where A is the flammable cloud area (m2) and p is the figure given in
the table. For hydrogen the probabilities in the table are used independent of the gas cloud size.
However, since hydrogen leakages may ignite so fast that a jet fire and not an explosion will be the
result, an explosion probability of 0.5 is often assumed.
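The table above and its footnote formula in code, as an added example (not from the handbook). The table values are copied from the page; the lookup layout, the function names and the "definite ignition source" switch that implements the "probability must be chosen to be 1" rule are my own:

```python
import math

# Added example (not from the handbook): ignition probability scaled to the
# flammable cloud area with the footnote formula Pign = 1 - exp(-p*A/600).

LOCATIONS = ("ex_zone", "plant_area", "public_road", "farmland")

# p for a flammable cloud covering 600 m2, per gas and location (from the table)
IGNITION_P_600M2 = {
    "hydrogen": (1.0, 1.0, 1.0, 0.5),
    "ethylene": (0.1, 0.3, 0.4, 0.1),
    "methane":  (0.05, 0.2, 0.3, 0.05),
    "ethane":   (0.05, 0.2, 0.3, 0.05),
    "propane":  (0.05, 0.2, 0.3, 0.05),
    "vcm":      (0.05, 0.2, 0.3, 0.05),
    "ammonia":  (0.01, 0.02, 0.05, 0.01),
}

HYDROGEN_EXPLOSION_PROBABILITY = 0.5   # footnote: often assumed for hydrogen

def table_value(gas, location):
    """The 600 m2 figure p for a gas at a location type."""
    return IGNITION_P_600M2[gas.lower()][LOCATIONS.index(location)]

def ignition_probability(gas, location, cloud_area_m2, definite_source=False):
    """Pign for a cloud of area A. Hydrogen uses the table value regardless of
    area (footnote). If a definite ignition source lies inside the area of
    interest the text prescribes Pign = 1."""
    if definite_source:
        return 1.0
    if cloud_area_m2 < 0:
        raise ValueError("cloud area must be non-negative")
    p = table_value(gas, location)
    if gas.lower() == "hydrogen":
        return p
    return 1.0 - math.exp(-p * cloud_area_m2 / 600.0)

def ignition_vs_area(gas, location, areas):
    """(area, Pign) pairs, to see how the probability grows with cloud size."""
    return [(a, round(ignition_probability(gas, location, a), 4)) for a in areas]

if __name__ == "__main__":
    for area, p in ignition_vs_area("propane", "plant_area", [60, 600, 6000]):
        print("propane, plant area, %5d m2: Pign = %.4f" % (area, p))
    print("hydrogen, farmland, any size: Pign =",
          ignition_probability("hydrogen", "farmland", 5000))
```

Note that for a non-hydrogen gas the formula returns 1 - exp(-p) at A = 600 m2, which equals the table figure p only to first order (0.181 for p = 0.2); for the small p values in the table the difference is minor, and the formula never exceeds 1 however large the cloud.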
7.5
Fire
This section describes different types of fire scenarios (such as jet fires, fireballs and
pool fires), which may be the result of releases of flammable materials. The effects of
thermal radiation are also discussed.
Fig. 15, 16 and 17 depict fire models.
Fig 18 BLEVE
Jet fire
If a gas or two-phase jet ignites, the result will be a jet fire. A jet fire is characterised by
a very high heat transfer to the surroundings. The violent turbulence in a jet fire will
lead to effective air entrainment and thus a combustion process with high temperature
and significant heat radiation. The radiation intensity from a jet fire can reach up to 300
kW/m2. Due to the high velocities there will be a very high heat transmission to objects
engulfed or hit by the jet flame. In case of high release rates and thus high impulse, jet
fires can have lengths of more than 100 m.
Pool fire
If a pool containing a flammable liquid ignites, a pool fire will occur. A pool fire
usually produces lower average radiation intensity per m2 than a jet fire. The reason is a
less effective combustion process in a pool fire in pools with large diameters (> 3-5 m)
since the air entrainment is not large enough to maintain an efficient combustion. The
result is a reduced flame temperature, and at the same time soot will shield the
surroundings from the flame. For pool fires in large pools the area of the visible flame
may be large and produce a high heat of radiation on the surroundings. The heat
radiation from the visible flame may be 150 - 200 kW/m2, while the part shielded by
soot may have a heat radiation of 25 kW/m2.
The distance from the centre of a propane pool fire to different radiation levels, dependent on
the pool diameter, is given in the figure below.
Figure 19 Distance from flame centre of a pool fire to different radiation levels
Flash fire
A flammable gas cloud dispersed in a relatively open area will in case of ignition burn
back to the release point. The characteristic of a flash fire is a relatively slow flame
velocity through the gas cloud (5-10 m/s). However, the velocity will be fast enough to
harm persons inside or just outside the gas cloud. A flash fire will normally be
followed by a jet fire or a pool fire located at the position of the release point. The radiation
intensity from the flame in a flash fire will normally be 50 - 100 kW/m2.
BLEVE
A BLEVE (Boiling Liquid Expanding Vapour Explosion) is a fireball which will occur
in case of a tank rupture and simultaneous ignition of the liquid in a tank containing a
liquid which is pressurised at a temperature higher than its normal boiling point. A
BLEVE may also occur if the tank is exposed to heat radiation. This radiation may
cause simultaneous weakening of the tank and pressure rise in the tank. The section of
the tank wall covered by liquid on the inside will weaken much more slowly than the
tank section containing gas. The reason is that the liquid on the inside will cause an
effective heat transfer away from the tank wall and absorb the heat. This process is
much less effective on the gas side since the gas will be less heat conductive and heat
absorptive. For most BLEVEs the tank rupture is initiated on the gas side of the tank.
For uninsulated tanks exposed to a fire on the gas side, such a rupture may occur in
only a few minutes. Calculations show that the tank material in some cases is so quickly
weakened that the tank may rupture before the pressure reaches the set point of the
safety valves.
When the tank ruptures, the violent expansion and combustion process will produce a
fireball, which rises due to buoyancy forces. The size of this fireball will be several
times the size of the ruptured tank and the heat radiation will be very high. Even if the
duration usually is not longer than 5 - 30 seconds, a BLEVE in a large storage tank may
produce lethal heat doses more than 500 m away from the tank.
Distances to different radiation levels from hydrocarbon BLEVEs dependent on the tank
inventory are given in the figure below.

Table: effects of thermal radiation (the heat flux values of the first four rows could not be recovered)

Heat flux [kW/m2]   Effect
-                   Exposed skin reddens and burns on prolonged exposure
-                   Pain threshold reached after 60 sec.
-                   PVC insulated cables damaged
-                   Pain threshold reached after 15 sec. Equilibrium temperature 230 °C
6.4                 Pain threshold reached after 8 sec. Second degree burns after 20 sec.
9.5                 Pain threshold reached after 6 sec. Equilibrium temperature 320 °C
16.5                Severe burns after 5 sec.
25.0                Wood ignites on prolonged exposure

The fatality probability due to thermal radiation is indicated in the table below.
Table 9 Fatality probability due to thermal radiation (exposure time [s] giving the stated fatality probability)

Heat flux [kW/m2]   1%     50%    99%
1.6                 500    1300   3200
4.0                 150    370    930
12.5                30     80     200
37.5                8      20     50

7.6
Explosion
To assess the structural response, information of both the explosion load and structure is
necessary. For the explosion load, knowledge is required with respect to
maximum explosion pressure
explosion pressure duration
shape of explosion pressure-time diagram
whether or not reflection phenomenon is present
For the structure, knowledge is required with respect to
mass
stiffness
material
support
With this knowledge of the explosion and the structural data, it is possible to calculate
the dynamic load factor, i.e. a measure of how unfavourable the explosion load is
compared to an equivalent static load. Structural design is performed for an accidental
design situation for the ultimate limit state. This implies that for a situation with an
explosion load, no safety factors are included.
Plastic design of the structure is usually accepted. This implies large deflections, but the
structure will not fail. Increased capacity due to quick loading may be accounted for.
There are several design methods with different degrees of applicability, accuracy and
details level in output. Some are based on hand calculations, others on computerised
tools.
Concrete buildings cast at the location provide best protection from explosion pressure.
Concrete element structures may also provide a safe working environment, but great
care must be taken in the design of all joints. Steel columns may be subject to buckling,
and steel plates may be torn off the structure and act as missiles. But if the eventual
explosion pressure is known during the design phase, and care is taken for the special
problems that may arise from an explosion, steel structures can also be used. Wooden
buildings usually have little resistance for explosion loads and are not recommended.
Special care must be taken with glass. Application of clear film to prevent
fragmentation and thorough fastening of the window frames are essential.
The location of windows (e.g. in control rooms), the strength of the roof (for explosion
pressure) and concrete elements used as buttressing walls for horizontal forces (may fail
and thus reduce stability) are common problems for existing buildings that are required
to remain mostly intact after an explosion.
Typical damage as a function of overpressure is shown in the table below.

Table: typical damage as a function of overpressure (the damage descriptions could not be recovered; the overpressure classes of the table are < 0.002 bar, > 0.01 bar, > 0.1 bar, > 0.15 bar, > 0.25 bar and > 0.5 bar)

7.7
1. Calculate the load L:

L = ∫_0^T c^n dt

where c is the concentration [ppm], T is the exposure time (minutes), and n is given in the
table below. If the concentration is constant, the formula simplifies to L = c^n · T.
2. Calculate the probit value:
P = a + b ln L
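Steps 1 and 2 above carried out numerically, as an added example (not from the handbook). The constants a, b and n used here are constructed placeholders, not the handbook's values for any chemical, and the concentration history is a constructed sample; the conversion from probit to affected fraction uses the usual convention that a probit of 5 corresponds to 50 %:

```python
import math

# Added example (not from the handbook): toxic load and probit evaluation.
# A_PLACEHOLDER, B_PLACEHOLDER and N_PLACEHOLDER are constructed values, NOT
# the probit constants of any real chemical.

def toxic_load(concentrations_ppm, dt_min, n):
    """Step 1 for a time-varying concentration: L = integral_0^T c^n dt,
    evaluated with the trapezoidal rule over samples dt_min minutes apart."""
    if len(concentrations_ppm) < 2:
        raise ValueError("need at least two concentration samples")
    if any(c < 0 for c in concentrations_ppm):
        raise ValueError("concentrations must be non-negative")
    total = 0.0
    for c0, c1 in zip(concentrations_ppm, concentrations_ppm[1:]):
        total += 0.5 * (c0 ** n + c1 ** n) * dt_min
    return total

def toxic_load_constant(c_ppm, t_min, n):
    """Step 1 for a constant concentration: L = c^n * T."""
    return c_ppm ** n * t_min

def probit(load, a, b):
    """Step 2: P = a + b ln L."""
    if load <= 0:
        raise ValueError("toxic load must be positive to take its logarithm")
    return a + b * math.log(load)

def probit_to_fraction(p):
    """Fraction of the exposed population affected: the standard normal CDF
    of (P - 5), so that P = 5 gives 50 %."""
    return 0.5 * (1.0 + math.erf((p - 5.0) / math.sqrt(2.0)))

# Constructed placeholder constants (not from the handbook's table)
A_PLACEHOLDER, B_PLACEHOLDER, N_PLACEHOLDER = -15.0, 1.0, 2.0

def fatality_fraction(concentrations_ppm, dt_min,
                      a=A_PLACEHOLDER, b=B_PLACEHOLDER, n=N_PLACEHOLDER):
    """Both steps for a sampled concentration history."""
    load = toxic_load(concentrations_ppm, dt_min, n)
    return probit_to_fraction(probit(load, a, b))

if __name__ == "__main__":
    # Constructed sample: a passing cloud sampled every 5 minutes
    history = [0.0, 500.0, 1000.0, 1000.0, 500.0, 0.0]
    print("L (time-varying) =", toxic_load(history, 5.0, N_PLACEHOLDER))
    print("L (1000 ppm for 30 min) =", toxic_load_constant(1000.0, 30.0, N_PLACEHOLDER))
    print("fatality fraction =", fatality_fraction(history, 5.0))
```

With n > 1 the time-varying history gives a smaller load than holding its peak concentration for the same 25 minutes, which is why the integral form rather than the constant-concentration shortcut should be used whenever the concentration history is known.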
chemical for 1 hour. A chemical may have up to three ERPG values, each of which
corresponds to a specific tier of health effects.
Fig. 26 Definition of ERPG 1-3
SIL analyses
8.1
[Table: safety integrity levels 1 to 4 with the corresponding probability of failure on demand (middle column) and dangerous failure frequency (right column); the numerical values could not be recovered]
The middle column usually applies in the process industry. If demands are frequent, the failure
frequency should be checked, i.e. the right column should be used.
The higher the safety integrity level, the higher the probability that the required safety
instrumented function will be carried out.
The fourth level is very rarely in use in the process industry. If a SIL 4 is identified in a
process, a re-design of the process is recommended.
In designing for safety integrity all causes of failures should be considered, such as:
Incorrect specifications of the system, hardware or software
Omissions in the safety requirements specifications (e.g. failure to develop relevant
safety functions during different modes of operation)
Random hardware failure mechanisms
Systematic hardware failure mechanisms
Software errors
Common cause failures
Human error
Environmental influence (e.g. electromagnetic, temperature, mechanical phenomena)
Supply system voltage disturbances (e.g. loss of supply, reduced voltages, reconnection of supply)
Loss of air and hydraulic supply
Fail to safety on loss of electrical supply, air or hydraulic supply.
Some failure types, in particular random hardware failures, may be quantified using
such measures as the failure rate in the dangerous mode or the probability of a safety
function failing to operate on demand. Systematic failures cannot usually be quantified
but can only be considered qualitatively.
8.2
Table: ranking of consequences (level, with the personnel, environment and cost criteria)

Catastrophic
- Personnel: (not recovered)
- Environment: damage with recovery time more than 5 years; international public attention
- Cost: > 10M
Critical
- Personnel: one fatality
- Environment: damage with recovery time less than 5 years; evacuation of neighbourhood required; national public attention
- Cost: < 10M
Dangerous
- Personnel: permanent injury
- Environment: damage with recovery time less than 2 years; warning of neighbourhood required; local public attention
- Cost: < 1M
Some danger
- Personnel: medical treatment
- Environment: no durable damages, release causing unpleasant smell outside site area
- Cost: < 0.1M
Minor damage
- Personnel: first aid
- Environment: insignificant damage
- Cost: < 10.000
For mitigating systems and for external risk reduction systems the utility of a SIL
methodology is, as pointed out earlier, not always straightforward, as the complete risk
reduction in connection with mitigating systems and manual interactions must be
assessed.
A SIL assessment is most practically started by ranking the material damage, since the
material consequences are easiest to estimate. On assessing the personnel injuries, it is
necessary to assess the likelihood of people being present, and exposed if present, and
the probability of getting away to avoid exposure, or of having effective use of protective
equipment. If an acceptable risk reducing measure for material damage is determined,
risk reducing measures for personnel and environment are in most cases taken care of
as well. Thus, the first step should be to define the safety functions / risk reducing
measures applicable to material values, and check whether the measures are acceptable
as safety barriers for people and for the environment as well.
SIL requirements are determined according to the table below. The requirements fit in
with the recommended risk acceptance criteria and the matrix for Hazard Identification
(Rapid Risk Ranking). It is important to note that in the SIL assessment, the frequencies
shall be estimated for processes without the safety system.
In a SIL determination the frequency and the consequence must be linked together. A
single initiating event may have several possible consequences, each with its own
frequency. In such cases, it is important that the frequency and the consequence used
together in the table below belong to the same outcome.
Table 32 SIL determination. (Requirements based on ranking of consequences and
frequencies)

Frequency classes [yr-1]:
A Nearly impossible: < 10^-4
B Most unlikely: 10^-4 - 10^-3
C Unlikely: 10^-3 - 10^-2
D Low probability: 10^-2 - 0.1
E Probable: 0.1 - 1
F Frequent: > 1

SIL requirement per consequence class (cells in the order they could be recovered from the original grid; the frequency column of each cell is not restored):
1 Safe, 2 Some danger: NO SIL REQUIREMENT
3 Dangerous: SIL 1, SIL 1, SIL 2
4 Critical: SIL 1, SIL 2, SIL 3
further cells: SIL 2, SIL 3, SIL 3
5 Catastrophic: SIL 1, SIL 1
Cells beyond SIL 3: reliability analysis; re-design of process or control system.
Table: SIL analysis form (example sheet)
Columns: P&ID no. | Descriptions | Equipment | Function | Type | Cause(s) of hazard | Risks (HS, E and QE, each with columns C and F) | Risk reduction (Sensors, Logic, Final el., Mechanical, Other) | Class | SIL
Entries recovered from the example sheet:
- Equipment: U-tube HE; Function: Evaporate LPG
- Cause(s) of hazard: Equipment degradation; Rupture of secondary steam circuit; Leakage and people present and failure of control loop PIC02101; Rupture of secondary steam circuit
- Class / SIL cells: 1 D, 1 D, 3 D; risk cells: E, E
- Risk reduction: IS
Quantitative approach: risk frequency estimated from failure data and a fault tree.
An example for a control loop is shown in the fault tree in fig 27. The risk reduction
achieved by a safety relief valve is included, as explained in the next section.
(Drawn with CARA Fault Tree version 4.1 (c) Sydvest Software 1999; licensee: Yara International, Norway; supplied by Sydvest, Norway)
Events in the tree:
- Demand: rate of demand on the Safety Instrumented System (SIS) (top event)
- Control failure: fail to danger in the control loop, made up of
  - Sensor: fail to danger of the pressure transmitter in the control loop, Lambda = 8e-007
  - DCS: fail to danger of the DCS function, Lambda = 3e-007
  - Valve: fail to danger of the control valve (globe valve), Lambda = 2e-006
- SV: average probability of failure of the safety relief valve, Lambda = 1.4e-006, test interval = 4e+004
Figure 27 Demands on SIS. Control loop failure and safety valve risk reduction
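The fault tree of Figure 27 evaluated by hand, as an added example (not the CARA tool's code or output). The Lambda and test interval values are those printed in the figure; that the three control loop failures combine through an OR gate and that the relief valve enters through its average PFD follows the figure's labels; the time unit of the rates is taken as per hour, as is usual for such tool output, which is an assumption, hence the 8760 h/yr conversion. The frequency classes are those of Table 32:

```python
# Added example (not from the handbook or the CARA tool): evaluating the
# Figure 27 fault tree. Rates are assumed to be per hour.

HOURS_PER_YEAR = 8760.0

# Upper bounds [per year] of frequency classes A-E of Table 32; above E is F
FREQUENCY_CLASSES = (("A", 1e-4), ("B", 1e-3), ("C", 1e-2), ("D", 0.1), ("E", 1.0))

def or_gate_rate(rates):
    """OR gate of rare, independent basic events: the rates add
    (rare-event approximation)."""
    return sum(rates)

def average_pfd(lam, test_interval):
    """Average PFD of a periodically tested item: lambda * test interval / 2."""
    return lam * test_interval / 2.0

def demand_on_sis(control_loop_lambdas, sv_lambda, sv_test_interval):
    """Top event of Figure 27: a control-loop failure (a rate) that the safety
    relief valve fails to mitigate (a probability). Rate AND probability is
    again a rate."""
    control_failure = or_gate_rate(control_loop_lambdas)
    sv_pfd = average_pfd(sv_lambda, sv_test_interval)
    return {"control_failure_per_h": control_failure,
            "sv_pfd": sv_pfd,
            "demand_per_h": control_failure * sv_pfd}

def per_year(rate_per_hour):
    return rate_per_hour * HOURS_PER_YEAR

def frequency_class(freq_per_year):
    """Letter A-F of Table 32 for a frequency in events per year."""
    for letter, upper in FREQUENCY_CLASSES:
        if freq_per_year < upper:
            return letter
    return "F"

def figure_27():
    """The figure's numbers: sensor 8e-7, DCS 3e-7, valve 2e-6 (control loop);
    relief valve lambda 1.4e-6 with test interval 4e4."""
    r = demand_on_sis([8e-7, 3e-7, 2e-6], 1.4e-6, 4e4)
    r["control_failure_per_yr"] = per_year(r["control_failure_per_h"])
    r["demand_per_yr"] = per_year(r["demand_per_h"])
    r["control_failure_class"] = frequency_class(r["control_failure_per_yr"])
    r["demand_class"] = frequency_class(r["demand_per_yr"])
    return r

if __name__ == "__main__":
    for key, value in figure_27().items():
        print("%-25s %s" % (key, value))
```

Under the per-hour assumption the control loop fails to danger about 0.027 times per year, i.e. frequency class D, which agrees with the "Control loops: D" classification given for the qualitative approach; with the relief valve's PFD of 0.028 the demand on the SIS drops to class B.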
The qualitative approach is usually recommended for the following reasons:
- Quantitative failure data are not available for the actual scenario
- The discussion involves people from operations, who take ownership of the problem
- The frequency estimates will improve in accuracy as SIL analyses are carried out
throughout the company
- The approach of generic SIL analysis for Yara and discussion between plants will
improve the estimates
Typical failure classifications are:
- Control loops: D
- Control loops, heavy duty: E
- Control failure and operator failure, coincident: C
The qualitative estimates can be combined with generic failure data for leakages and
ruptures.
8.3
Table: SIL credit for mechanical equipment and other safety barriers (as recovered)

Equipment
- Safety valve, check valve, rupture disk; normal availability (single): SIL 1
- Safety valve, check valve, rupture disk; high availability: SIL 2

Safety barriers (risk reducing measures) and comments
- SIL 1 (comments): Risk analysis; Risk analysis; Risk analysis, procedures, time available for response; Risk analysis, procedures, Job Safety Analysis
- SIL 2: Safety distance (comment: Risk analysis)
8.4
8.4.1
in rupture of the burner; release of ammonia and NOx, major production loss and in the
worst case an explosion.
The ammonia / air ratio can be high if:
a fog of unevaporated ammonia reaches the burner
the ratio control of ammonia and air has a dangerous failure
SIL determination. According to the table for ranking of consequences (table 8), the
incident description above gives consequence ranking 4.
This event occurs when there are:
[{High level in the upstream ammonia evaporator} and {overload of the superheater on the evaporator outlet} and {overload / failure in the de-mister on the top of the evaporator}]
or
[{Control failure} and {operator failure by not acting on alarms}]
For the event to materialize, two failures have to occur at the same time. A control
failure typically has a frequency of 0.1 / year. Since another failure has to occur at the
same time, the expected rate will be less than 0.1 / year, hence frequency ranking D
(0.01 - 0.1 / year).
According to the SIL table, the required level is SIL 2.
Unreliability calculation
For a single 1oo1 loop the reliability block diagram will be as shown in the figure
below.
[Figure: reliability block diagram of the 1oo1 loop: TEMPERATURE SENSOR - LOGIC UNIT (PLC) - SOLENOID AND CONTROL VALVE]

Component                Structure   DU [yr-1]   PFD, T = 1 yr   PFD, T = 2 yr   PFD, T = 4 yr
Temperature sensor       1oo1        0.05        0.025           0.05            0.1
Logic, PLC               1oo1        0.05        0.025           0.05            0.1
Control valve/solenoid   1oo1        0.05        0.025           0.05            0.1
Total safety unavailability for the safety function   0.075           0.15            0.3

The table above shows that a single loop cannot satisfy more than SIL 1, and only with a
1-year test interval. If the valve is duplicated with an extra shut down valve, the reliability
block diagram will be as in the figure below. A single non-fail-safe PLC is not
adequate; we therefore calculate with a relay or solid-state logic system.
[Figure: reliability block diagram: TEMPERATURE SENSOR - LOGIC UNIT (RELAY/SOLID STATE) - SOLENOID AND CONTROL VALVE in parallel with SHUT DOWN VALVE]

Component                                  Structure   DU [yr-1]                          PFD, T = 1 yr   PFD, T = 2 yr   PFD, T = 4 yr
Temperature sensor                         1oo1        0.005 (high diagnostic coverage)   0.003           0.006           0.012
Logic, relay/solid state                   1oo1        (not recovered)                    0.004           0.008           0.016
Control valve/solenoid + shut down valve   1oo2        0.05                               0.0025          0.005           0.010
Total safety unavailability for the safety function                                      0.0095          0.019           0.038

SIL 2 is now achieved with a one-year test interval and SIL 1 with a 4-year test interval.
To improve the reliability further, a 2oo3 system of temperature sensors can be used, as
shown in the figure below. A fail-safe PLC and DBB (double block and bleed) valves are
also shown.
[Figure 30 Reliability diagram of temperature loop, 2oo3 sensors, PLC and DBB valves]
A calculation is shown in the table below.
Table 12 Reliability of temperature loop with 2oo3 sensors, fail safe PLC and DBB
valves

Component                Structure         DU [yr-1]                          PFD, T = 1 yr   PFD, T = 2 yr   PFD, T = 4 yr
Temperature sensor       2oo3              0.005 (high diagnostic coverage)   0.003           0.006           0.012
Logic, fail safe         (not recovered)   (not recovered)                    0.0006          0.0012          0.0024
Double valve (DBB)       1oo2              0.005                              0.0025          0.005           0.01
Total safety unavailability for the safety function                          0.0061          0.012           0.024
Comment: To improve the reliability further and reach SIL 2 with 4-year test intervals,
more sensors must be applied (upstream, to detect ammonia fog or a dangerous ratio-control
failure) and the valves must be tested more often. One way of monitoring the valves is by
limit switches in both end positions. The closing time of each valve, which is a good
indication of the condition of the valve (sticking and clogging), can then be measured by e.g. an
event recorder. Procedures must be in place to follow up the recordings.
In this example we have focused on the integrity of the safety function, and assumed
that the functional requirements are met, i.e. that the temperature transmitters are
sensitive enough (give a significant response when the flow of ammonia exceeds the set
point) and fast enough (give a response before a runaway reaction has developed), and
that the valves can close with sufficient speed to avoid a critical situation.
Location of the sensors is important to avoid dead ends, insufficient residence time for
evaporation, insufficient mixing etc. It might be necessary to modify the equipment,
for example to ensure that there are no bends or low points upstream of the burner where
liquid ammonia can collect.
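The loop calculations above (sum the subsystem PFDs, compare the total with the SIL bands, find the limiting component) as an added example that is not part of the handbook. It uses the simplified IEC 61508-6 low-demand formulas with an assumed common-cause factor beta = 0.1; the handbook's tables follow their own conventions, so only the 1oo1 and 2oo2 rows and the totals of the fire/smoke loop (Table 42) are reproduced exactly, and the duplicated-valve result is this example's own estimate.

```python
"""PFD and SIL estimate for a sensor - logic - valve safety function.

Added example, not from the handbook. Simplified IEC 61508-6 low-demand
formulas with a beta factor for common-cause failures (beta = 0.1 assumed).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du: float  # dangerous undetected failure rate [per year]
    voting: str       # "1oo1", "1oo2", "2oo2" or "2oo3"


def pfd_subsystem(lambda_du: float, test_interval_yr: float,
                  voting: str, beta: float = 0.1) -> float:
    """Average PFD of one subsystem over the proof-test interval T."""
    x = lambda_du * test_interval_yr  # expected DU failures per interval
    if voting == "1oo1":
        return x / 2
    if voting == "2oo2":
        # both channels must function: about twice the single-channel PFD
        return x
    if voting == "1oo2":
        # independent double failure plus the common-cause share
        return ((1 - beta) * x) ** 2 / 3 + beta * x / 2
    if voting == "2oo3":
        return ((1 - beta) * x) ** 2 + beta * x / 2
    raise ValueError(f"unsupported voting {voting!r}")


def pfd_loop(subsystems, test_interval_yr: float, beta: float = 0.1) -> dict:
    """PFD per subsystem plus the summed PFD of the whole safety function."""
    per = {s.name: pfd_subsystem(s.lambda_du, test_interval_yr, s.voting, beta)
           for s in subsystems}
    per["total"] = sum(per.values())
    return per


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand bands; 0 means the PFD is too high for any SIL."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def weakest_link(per_subsystem: dict) -> str:
    """Name of the subsystem contributing most to the total PFD."""
    contributions = {k: v for k, v in per_subsystem.items() if k != "total"}
    return max(contributions, key=contributions.get)


# Table 42 loop: fire and smoke detectors treated as one 2oo2 sensor system.
FIRE_SMOKE_LOOP = (
    Subsystem("fire and smoke detectors", 0.004, "2oo2"),
    Subsystem("fail-safe PLC", 0.0012, "1oo1"),
    Subsystem("control valve/solenoid", 0.05, "1oo1"),
)
# Option named in the text: duplicate the valve (1oo2, same generic DU rate).
DUPLICATED_VALVE_LOOP = FIRE_SMOKE_LOOP[:2] + (
    Subsystem("control valves, duplicated", 0.05, "1oo2"),
)

if __name__ == "__main__":
    for label, loop in (("as designed", FIRE_SMOKE_LOOP),
                        ("valve duplicated", DUPLICATED_VALVE_LOOP)):
        for t in (1, 2):
            res = pfd_loop(loop, t)
            print(f"{label}, T = {t} yr: total PFD {res['total']:.4f} -> "
                  f"SIL {sil_from_pfd(res['total'])}, limiting: {weakest_link(res)}")
```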
8.4.2
Reliability: The reliability calculation and discussion in the example above also apply
here.
8.4.3
Steam drum
The purpose of the steam drum in this example is to keep a volume of water in a
circulation loop and deliver steam at a specified pressure to a process unit.
Incident 1: Overpressure is an incident that can have major accident potentials for a
steam drum. An overpressure can cause a drum rupture.
SIL determination: A rupture of the drum can cause a fatality if people are in the
vicinity, and the rupture will probably be so violent that people are near enough a
substantial part of the time. In all cases a major equipment breakdown and a lasting
production stoppage will result.
According to the table for ranking of the described consequences the ranking is
consequence 4.
For the described consequence to materialize, the drum has to be completely filled with
water. The valve in the circulation loop must be closed and this is not observed. This is
unlikely, and the frequency ranking C (0.01-0.001 / yr) is estimated.
According to the table for SIL determination, the required level is SIL 1.
Safety function: Two parallel 100% relief valves, i.e. a 1oo2 system, provide the
overpressure protection in this case.
Unreliability calculation: The table for safety integrity shows an unreliability of 0.0008
for two parallel valves. This figure even satisfies SIL 3 with a 4-year test interval.
The SIL requirement is clearly satisfied, but if the requirement had been SIL 3, the
reliability of the actual solution should have been examined more closely with regard to,
for example, clogging, rust in piping, sticking of safety valves due to corrosion etc.
Incident 2: The drum can run empty (dry) due to control failure.
SIL determination: The consequence will be a production stop and, more seriously,
destruction of a boiler and parallel pumps in the water circulation loop.
Consequence ranking 3 is appropriate here.
The expected frequency is based on control failure and operator failure (not observing the
level). It lies in frequency area D (0.01-0.1 per yr), since the contribution from
control failure alone is assumed to be 0.1 per yr.
The combination 3D corresponds to SIL 1.
Safety function: The safety function in this case consists of:
2oo3 level sensors, two switches and one analogue measurement
Component | Structure | DU [yr-1] | PFD, T = 1 yr | T = 2 yr | T = 4 yr
Level sensors | 2oo3 | 0.005 (low diagnostic coverage) | 0.0011 | 0.0022 | 0.0045
Logic unit | | | 0.0006 | 0.0012 | 0.0024
Valves | 1oo2 | | 0.0025 | 0.005 | 0.01
Total safety unavailability for the safety function | | | 0.0042 | 0.0084 | 0.0169
For people to be exposed directly to a release plume, the barriers are the gas mask and
escape or evasive movement, which is possible if the leakage is not too big and the
situation is not awkward, as when the operator is on the top of a ladder. The probability
of direct exposure of an operator to a gas flow plume is very low, and exposure to a big
release plume is most unlikely.
Exposure to a gas cloud in a process hall is prevented by alarm / detection and use of
gas masks.
Comment: The risk reduction is not quantified, since that is more complicated when it
comes to human behaviour. The quality of the risk reduction should be assessed
qualitatively, for example by looking at the number of safety barriers. At least two should be
present if a SIL requirement is identified.
If gas is present in a process hall, stopping the ventilation system can in some cases be a
relevant risk reduction measure.
8.4.5
Figure 31 Reliability diagram of fire and smoke-detector loop with fail-safe PLC
and valve (fire detectors 2oo2, smoke detectors 2oo2, fail-safe PLC, valve)
Reliability calculations are shown in the table below. The sensors are calculated as one
2oo2 sensor system, not giving credit for redundancy, but assuming that they cover
different scenarios.
Table 42 Reliability assessment of fire and smoke-detector loop with fail-safe PLC
and valve
Component | Structure | DU [yr-1] | PFD, T = 1 yr | T = 2 yr
Fire detector | 2oo2 | 0.004 | 0.004 | 0.008
Smoke detector | 2oo2 | 0.004 | (fire and smoke detectors calculated as one 2oo2 sensor system, see row above) |
Logic, fail safe PLC | 1oo1 | 0.0012 | 0.0006 | 0.0012
Control valve/solenoid | 1oo1 | 0.05 | 0.0250 | 0.05
Total safety unavailability for the safety function | | | 0.0296 | 0.059
The solution is not SIL 2, and the valve is the component limiting the reliability.
To meet the requirement, the following options are available:
Duplicate the valve
Document that the valve has better reliability than the generic data used here
Provide a valve with certified SIL 2 capability
Comment: Functional requirements for this solution are:
The extinguishing medium must not harm people if there is a spurious release; this can mean
interlocks on doors to any noise hoods, and use of a non-hazardous substance.
Provisions for containment of the extinguishing medium so that the effect on the
machinery is adequate.
9.1
LOPA scenarios
A LOPA scenario consists of a single chain: event, cause, LOC, consequence.
The various parts of the chain are defined as:
Event: An event is an occurrence related to an accident scenario. A distinction can be
made between initiating and enabling events (or enabling conditions). The initiating
event is the event that starts the chain of events leading to the undesired consequence.
Three types of initiating events can be distinguished;
1. External events
2. Equipment failures
3. Human failures or inappropriate actions
An enabling event or enabling condition is an event or condition that is required for the
initiating event to unleash a scenario. Enabling events are neither failures nor protection
layers. They are expressed as probabilities. Examples of enabling events are start-up
phase, material present, ignition source present etc.
Cause: Condition or state resulting from the event(s) that allowed the LOC to occur.
Loss of containment (LOC): Loss of containment is defined as the top event in a
scenario that one aims to prevent from occurring. Examples of LOC are spill of
material, explosion, melting of (electrical) insulation.
Effect: The effects of an accident scenario are e.g. blast, dispersion of toxic materials,
heat radiation etc.
Consequence: The consequence is defined as the (undesired) outcome of an accident
scenario. Consequences are expressed in terms of material damage, environmental
pollution, injuries, fatalities or financial losses.
Figure: LOPA scenario chain: initiating event (with enabling event), cause, LOC, effect, consequence. IPL 1, IPL 2 and IPL 3 are preventive layers; IPL 4 is a mitigating layer.
Methodology
The analytical LOPA method consists of a number of steps. Under the assumption that
scenarios have been developed in a previous study (during qualitative hazard evaluation
(HE) such as process hazard analysis (PHA), management of change evaluation (MOC)
or design review), the following steps can be distinguished:
1. Estimate the consequence and severity of a scenario for screening.
2. Select an accident scenario (single cause-consequence pair).
3. Identify the initiating event of the scenario and determine its frequency.
4. Identify enabling event or conditions (probability).
5. Identify outcome modifiers and their probability.
Outcome modifiers are for example probability of ignition, probability of personnel
in affected area or probability of fatal injury.
6. Determine the frequency of the unmitigated consequence (the product of steps 3, 4 and 5).
7. Identify the IPLs and estimate the PFD of each IPL.
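Steps 3 to 7 carried through as an added example that is not part of the handbook. The scenario, its modifiers and the tolerable frequency target (1e-5 per year) are constructed assumptions; the initiating frequency 0.1/yr is the control-failure figure from the steam drum example, and the IPL PFDs are the CCPS recommended values the handbook quotes. The mapping from the remaining risk-reduction factor to a SIL band for an additional safety instrumented function follows the IEC 61508 ranges.

```python
"""LOPA frequency arithmetic: unmitigated and mitigated scenario frequency.

Added example, not from the handbook. Scenario data and the tolerable
frequency target are constructed assumptions.
"""
from dataclasses import dataclass, field, replace
from functools import reduce
from operator import mul


def product(values) -> float:
    return reduce(mul, values, 1.0)


@dataclass
class LopaScenario:
    description: str
    initiating_event_frequency: float                             # step 3 [per yr]
    enabling_probabilities: list = field(default_factory=list)  # step 4
    outcome_modifiers: list = field(default_factory=list)       # step 5
    ipl_pfds: dict = field(default_factory=dict)                # step 7


def unmitigated_frequency(s: LopaScenario) -> float:
    """Step 6: initiating frequency x enabling probabilities x outcome modifiers."""
    return (s.initiating_event_frequency
            * product(s.enabling_probabilities)
            * product(s.outcome_modifiers))


def mitigated_frequency(s: LopaScenario) -> float:
    """Frequency with every independent protection layer credited (step 7)."""
    return unmitigated_frequency(s) * product(s.ipl_pfds.values())


def required_risk_reduction(s: LopaScenario, target_frequency: float) -> float:
    """Factor by which the mitigated frequency still exceeds the target (1.0 = met)."""
    return max(1.0, mitigated_frequency(s) / target_frequency)


def sil_for_risk_reduction(rrf: float) -> int:
    """SIL band an additional SIF would need to supply the missing factor.

    0 means no SIF is needed, or the gap is below a factor 10 and a
    non-instrumented measure is usually the better choice.
    """
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1000:
        return 2
    return 3


def with_ipl(s: LopaScenario, name: str, pfd: float) -> LopaScenario:
    """Copy of the scenario with one more independent protection layer."""
    return replace(s, ipl_pfds={**s.ipl_pfds, name: pfd})


# Constructed scenario: BPCS control failure leads to vessel overpressure.
OVERPRESSURE = LopaScenario(
    description="BPCS control failure -> vessel overpressure -> rupture",
    initiating_event_frequency=0.1,     # control failure, as in the steam drum example
    enabling_probabilities=[1.0],       # vessel in service all year (assumed)
    outcome_modifiers=[0.5, 0.5],       # personnel present, fatal injury (assumed)
    ipl_pfds={"relief valve": 1e-2},    # CCPS recommended PFD
)
TARGET_FATALITY_FREQUENCY = 1e-5        # assumed tolerable frequency per scenario

if __name__ == "__main__":
    rrf = required_risk_reduction(OVERPRESSURE, TARGET_FATALITY_FREQUENCY)
    print(f"unmitigated {unmitigated_frequency(OVERPRESSURE):.2e}/yr, "
          f"mitigated {mitigated_frequency(OVERPRESSURE):.2e}/yr, "
          f"gap factor {rrf:.0f} -> additional SIF SIL {sil_for_risk_reduction(rrf)}")
    hardened = with_ipl(OVERPRESSURE, "SIL 1 SIF", 1e-2)
    print(f"with a SIL 1 SIF: {mitigated_frequency(hardened):.2e}/yr")
```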
9.3
IPL | PFD, from literature and industry | PFD recommended by CCPS | Comments
Relief valve | 1 x 10^-1 - 1 x 10^-5 | 1 x 10^-2 |
Rupture disc | 1 x 10^-1 - 1 x 10^-5 | 1 x 10^-2 |
Basic Process Control System | 1 x 10^-1 - 1 x 10^-2 | 1 x 10^-1 | < 1 x 10^-1 not allowed by IEC
SIL 1 Safety Instrumented Functions | 1 x 10^-1 - 1 x 10^-2 | |
SIL 2 Safety Instrumented Functions | 1 x 10^-2 - 1 x 10^-3 | |
SIL 3 Safety Instrumented Functions | 1 x 10^-3 - 1 x 10^-4 | |
Dike | 1 x 10^-2 - 1 x 10^-3 | 1 x 10^-2 |
Underground Drainage System | 1 x 10^-2 - 1 x 10^-3 | 1 x 10^-2 |
Open vent (no valve) | 1 x 10^-2 - 1 x 10^-3 | 1 x 10^-2 |
Fireproofing | 1 x 10^-2 - 1 x 10^-3 | 1 x 10^-2 |
Blast-wall/Bunker | 1 x 10^-2 - 1 x 10^-3 | 1 x 10^-3 |
Inherent safe design | 1 x 10^-1 - 1 x 10^-6 | 1 x 10^-2 |
Flame/detonation Arrestors | 1 x 10^-1 - 1 x 10^-3 | 1 x 10^-2 |
10
done without extensive analysis. Small and inexpensive system changes sometimes have a
major impact on risk. The evaluation may be done against legally required risk criteria,
internal company guidelines, comparison with other processes or more subjective criteria.
7. Identify and prioritise potential risk reduction measures if the risk is considered to be
excessive.
A total quantitative risk analysis for a plant involving major hazards is normally used to
gain a picture of the total risk contribution from the plant to the surroundings. A total
QRA reflects the complete risk, which a unit represents. This differs from qualitative
techniques, which show the risk of individual hazards or events.
The objective is normally to assess the acceptability of a plant, i.e. the need for
improvements. Other possible objectives include comparison of various design / siting
options, assessment of the effect of various actions, identification of the largest risk
contributions, and the provision of a basis for contingency planning or risk
communication with the local authority or the community living near the site. The risk is
normally described with an individual risk measure (risk contours) or a societal risk
measure (Frequency versus Number of fatalities, FN-curve).
10.1
10.2
Plant data
A set of scenarios are defined, as described above. Generally these are failure of
equipment containing hazardous material causing accidental release.
Failure frequencies for the events are estimated from the generic failure frequencies,
which are based on acknowledged data bases, as described in previous sections.
The following information is needed regarding the plant and processes:
Complete and updated P&ID for all relevant process sections, including number, type,
size and location of process equipment
Process flow diagrams
Results from Rapid Risk Ranking, HAZOP analysis or hazard identification if
performed
Specification of relevant emergency procedures
Detailed description of emergency shutdown systems
Frequency and duration of identified activities (loading of road tankers, ships etc.)
Detailed plot plan of the plant, and local maps of the surrounding area
The time to isolation of a release is estimated taking into account the manual or
automatic detection and shut down and the times for emptying leaking volumes:
Some releases cannot be isolated. These will last until the reservoir is empty. Most of
the durations are given as a sum of three terms. These represent time for
detection/diagnosis, time for visual inspection and time for isolation respectively.
When manual interaction in the hazardous area is required, some form of protection
is necessary, and time must be allowed for this. This time must be considered from
case to case. In most cases, two durations are given, one short and one long. This is
most relevant for toxic gases. For flammable gases, it will be adequate to use the
short duration.
The long duration takes into account the possibility of detector failure, unfavourable
wind direction, wrong diagnosis etc.
The appropriate mode of detection must be considered carefully. For example, detection
by process variables (e.g. flow or pressure measurement) will only be applicable when
the release is a major part of the normal flow.
When flammable gases are involved, ignition sources are modelled using information
on the types of area involved, certain ignition sources etc.
10.3
Industrial areas, placing and number of people daytime, evening, night- time, week- ends
Public assembly areas, placing, when/how often they are used and how many people are
gathered for how long
Whether there are major seasonal differences
On site risk
Design accidental events
QRA with respect to on-site risk is mainly related to identifying design accidental
events, i.e. events which should be used in order to define design criteria for buildings,
detection systems etc. A design accidental event for a specific installation is an event
with such serious consequences that the probability of a more serious event is smaller
than a predefined acceptance criterion. When the design accidental event is identified,
buildings etc. should be designed to withstand this accident, or process modifications
should be made in order to produce a less serious design accidental event. The figure
below illustrates the necessary input data for performing an on-site risk analysis.
Figure 36 Illustration of the necessary input and output elements of a QRA of onsite risk
The procedure is as follows:
1. Identify all relevant accident scenarios.
2. Estimate the probabilities and consequences of the accident scenarios.
3. Rank the scenarios in order of decreasing consequences. The parameter(s) quantifying the
consequences will depend on the type of accidents considered and the ranking will normally
need expert judgement.
4. Calculate the cumulative (aggregate) probability of the scenarios starting at the top of the
list produced in step 3.
5. The design accidental event is found when the cumulative probability reaches the
acceptance criterion. If necessary and relevant, an interpolation method should be used.
Normally, the first approach will be to screen the events identified in step 1 and to
calculate both consequences and probability at a reduced level of detail, with the main
objective of getting the ranking in step 3 correct. When a design accidental event is
identified, a few of the most contributing events may be recalculated with a higher level
of detail to give the final answer.
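The five-step procedure above as an added example that is not part of the handbook. The scenario list (explosion overpressure at a control room, in kPa, with frequencies per year) and the acceptance criterion are constructed; the interpolation is done linearly in consequence against log10 of the cumulative frequency, which is one choice for the "interpolation method" the text leaves open.

```python
"""Design accidental event from a consequence-ranked scenario list.

Added example, not from the handbook. Scenario data and the acceptance
criterion are constructed; the log-linear interpolation is an assumption.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    consequence: float   # e.g. peak overpressure at the building [kPa]
    frequency: float     # [per year], must be positive


def ranked_cumulative(scenarios):
    """Steps 3 and 4: sort by decreasing consequence, accumulate frequency."""
    ordered = sorted(scenarios, key=lambda s: s.consequence, reverse=True)
    rows, running = [], 0.0
    for s in ordered:
        running += s.frequency
        rows.append((s, running))
    return rows


def design_accidental_event(scenarios, criterion: float) -> Optional[float]:
    """Step 5: consequence level where the cumulative frequency reaches the criterion.

    Returns None when the whole list stays below the criterion (no design
    event at this level), and the most severe scenario's consequence when
    that scenario alone already exceeds it.
    """
    rows = ranked_cumulative(scenarios)
    if not rows or rows[-1][1] < criterion:
        return None
    prev = None
    for s, cum in rows:
        if cum >= criterion:
            if prev is None or prev[1] <= 0.0:
                return s.consequence
            ps, pcum = prev
            # interpolate between the two bracketing rows, log-linear in frequency
            frac = ((math.log10(criterion) - math.log10(pcum))
                    / (math.log10(cum) - math.log10(pcum)))
            return ps.consequence + frac * (s.consequence - ps.consequence)
        prev = (s, cum)
    return None


# Constructed scenario list (overpressure on the control room, kPa; per year).
SCENARIOS = (
    Scenario("vapour cloud explosion, large release", 50.0, 1e-6),
    Scenario("vapour cloud explosion, medium release", 30.0, 4e-6),
    Scenario("vapour cloud explosion, small release", 20.0, 1.5e-5),
    Scenario("vessel burst", 10.0, 5e-5),
    Scenario("flash fire, pressure effects", 5.0, 2e-4),
)
ACCEPTANCE_CRITERION = 1e-5   # assumed cumulative frequency per year

if __name__ == "__main__":
    for s, cum in ranked_cumulative(SCENARIOS):
        print(f"{s.consequence:5.1f} kPa  {s.frequency:.1e}/yr  cumulative {cum:.2e}/yr")
    print("design accidental event:",
          design_accidental_event(SCENARIOS, ACCEPTANCE_CRITERION), "kPa")
```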
Often one type of major hazard (fire, explosion or toxic exposure) dominates, and the
design accidental event is calculated according to this hazard. However, sometimes it is
necessary to evaluate more than one hazard. Since relative rating of potential events
involving different hazards can be very complicated, in practice each type of hazard is
ranked by itself, and the corresponding design accidental event is identified for
explosions, fires and toxic releases respectively according to the same criterion.
Calculation of design accidental explosion event or design accidental fire event
The following information is needed regarding the plant and processes:
Complete and updated P&ID for all relevant process sections, including number, type, size
and location of process equipment
Process flow diagrams on all systems containing explosive or flammable chemicals
Results from Rapid Risk Ranking, HAZOP analysis or hazard identification if performed
Specification of relevant emergency procedures
Detailed description of emergency shut- down systems
Frequency and duration of identified activities (loading of road tankers, ships etc.)
Detailed plot plan of the plant, and local maps of the surrounding area
Description of the various buildings and their design (if existing), use and manning
Operator risk
A risk analysis regarding operator risk can also be performed. The term "when he/she is
at work" implies that the calculated probability is not to be multiplied by the time
fraction the person is at work. In other words, the risk should be calculated as if he/she
was at work continuously. On the other hand, "the average probability" implies that it
should be accounted for less hazardous activities during a normal working day or week.
Example: A person performs high-risk work one day a week. On this day, his probability of loss of
life is calculated to be 2 x 10^-3 per year. He works normal day-time, i.e. 5 days per week. The four
other days of the week the probability of loss of life is calculated to be 3 x 10^-4 per year. The time the
person is not at work is not to be taken into account. Therefore, the average probability of loss of life
for this person is: (2 x 10^-3 x 1 + 3 x 10^-4 x 4) / 5 = 6.4 x 10^-4 per year.
In some cases it can be documented through experience from the plant in question or
similar plants that the risk to personnel is below the criterion. In other cases, a separate
study needs to be performed. Useful data sources include:
Statistics from accidents and near-miss situations at the plant in question or from similar
plants.
Expert judgement, using experienced operators as experts and probability experts as
interviewers.
Man-machine analysis with respect to probability of human errors.
Consequence analyses with respect to fatality probability in case of exposure. For other types
of accidents (e.g. falling objects, molten metal splashes etc.), each case needs to be evaluated
individually.
11
11.1
Factor | Value
Technology of the SIS | fV = 1-4
 | fT = 1-9
Site organization | fO = 1-3
frel = fV x fT x fO
11.3
11.4
SIL capability
SIL capability specifies the Safety Integrity Level (SIL) that the equipment item /type has
been certified for per IEC 61508 by an independent third party.
The data presented in this handbook are generic and not for specific suppliers or
equipment items / types. For specific data, refer to the EXIDA handbooks /
databases.
11.5
PFD:
T:
The referenced literature takes into account the detection of failures in sensors, logic units
and final elements.
11.6
Sensors
The term sensor here means the input unit to the logic unit. E.g., a sensor can be:
Transmitter, with analogue signal to the logic unit
Transmitter with analogue signal to a relay function, i.e. analogue to binary unit
providing a binary signal to the logic unit
Switch, i.e. binary process sensor, position switch, limit switch or pushbutton
Data from various sources are shown in Table 46 below.
Table 46 Rate of dangerous undetected failures based on EXIDA, OREDA and other sources
Sensor type | EXIDA | OREDA | Other
Temperature switch | 0.03 | 0.07 |
Temperature transmitter | 0.0026 | 0.07 |
Pressure switch | 0.03 | |
Pressure transmitter | 0.0054 | 0.005 |
Flow switch | 0.03 | 0.03 |
Flow transmitter | 0.008 | 0.007 |
Level switch | 0.03 | 0.04 |
Level transmitter | 0.011 | 0.04 |
Fire and gas detectors, catalytic hydrocarbon | 0.015 | |
Fire and gas detectors, fire/flame | 0.016 | |
Fire and gas detectors, heat | 0.017 | |
Fire and gas detectors, IR gas | 0.0035 | |
Fire and gas detectors, oxygen | 0.05 | |
Fire and gas detectors, smoke | 0.014 | |
Analysers, CO2 | 1 | |
Analysers, conductivity | 7.5 | |
Analysers, dew point | 0.7 | |
Analysers, hydrogen | 1 | |
Analysers, oxygen | 0.3 | |
Analysers, pH | 3 | |
Analysers, H2S | 0.7 | |
Limit switch | 0.036 | |
Position switch | 0.036 | |
Pushbutton | 0.007 | |
Relay | 0.006 | |
Other sources (row not recovered): 0.044 (critical) (Smith, geometric mean, assumed that 50% of failures are dangerous undetected); 0.001 (Smith); 0.001, PTIF = 0.001 (PDS)
Yara recommended dangerous undetected failure rates for sensors are shown in Table 47 below.
Table 47 Yara rec. dangerous undetected failure rates for sensors (Yara Green Rule)
No. | Sensor type | DU [per yr]
S1 | Temperature switch | 0.05
S2 | Temperature transmitter | 0.014
S3 | Pressure switch | 0.03
S4 | Pressure transmitter | 0.005
S5 | Flow switch | 0.03
S6 | Flow transmitter | 0.008
S7 | Level switch | 0.035
S8 | Level transmitter | 0.025
S9 | Fire and gas detectors, catalytic hydrocarbon | 0.015
S10 | Fire and gas detectors, fire/flame | 0.016
S11 | Fire and gas detectors, heat | 0.017
S12 | Fire and gas detectors, IR gas | 0.0035
S13 | Fire and gas detectors, oxygen | 0.05
S14 | Fire and gas detectors, smoke | 0.014
S15 | Analysers, CO2 | 1
S16 | Analysers, conductivity | 7.5
S17 | Analysers, dew point | 0.7
S18 | Analysers, hydrogen | 1
S19 | Analysers, oxygen | 0.3
S20 | Analysers, pH | 3
S21 | Analysers, H2S | 0.7
S22 | Limit switch | 0.036
S23 | Position switch | 0.036
S24 | Pushbutton | 0.007
S25 | Relay | 0.0054
S26 | Vibration sensor | 0.03
11.7
Logic solvers
The data for programmable logic (PLC) solvers presented herein are based on EXIDA,
generic exida Comprehensive Analysis.
Table 48 Yara recommended failure data for logic solvers (Yara Green Rule)
Logic solver type | DU [per yr] / PFD
L1 | 0.016
L3 | 0.003
L5 | 0.003
L6 | 0.0003
L7 | 0.03
L8 | 0.03
11.8
Final elements
Valves include accessories such as:
I/P transducers
Pneumatic interfaces
Actuators
The data for final elements presented are based on EXIDA, generic exida Comprehensive
Analysis. PVST in the table means Partial Valve Stroke Test.
Table 49. Data for final elements presented based on generic exida Comprehensive
Analysis
Type | Duty | Trip action | DU [per yr]
Ball valve | Clean service | Normal | 0.007; 0.014; 0.005
 | | PVST | 0.004; 0.011; 0.002
Ball valve | Severe service | Normal | 0.012; 0.03; 0.009
 | | PVST | 0.004; 0.02; 0.004
Globe valve | Clean service | Normal | 0.006; 0.02; 0.005
 | | PVST | 0.003; 0.016; 0.0016
Globe valve | Severe service | Normal | 0.009; 0.03; 0.009
 | | PVST | 0.003; 0.025; 0.003
Butterfly valve | Clean service | Normal | 0.017; 0.027; 0.016
 | | PVST | 0.013; 0.024; 0.011
Butterfly valve | Severe service | Normal | 0.032; 0.053; 0.027
 | | PVST | 0.026; 0.047; 0.02
Solenoid valve | | | 0.005
Relay, circuit breaker | | | 0.0054
Yara recommended data for final elements are shown in Table 50 below. The following
simplifications are made in comparison to Table 49.
In Table 50, solenoid valves are included in the failure rates for the valves. In case PVST
equipment is applied, it is assumed that the PVST includes a test of the solenoid.
Table 50 Yara rec. data for final elements (Yara Green Rule)
No. | Type | Duty | DU [per yr]
F1 | Clean service | Normal | 0.011
F2 | Clean service | PVST | 0.004
F3 | Severe service | Normal | 0.017
F4 | Severe service | PVST | 0.004
F5 | Butterfly valve, clean service | Normal | 0.022
F6 | Butterfly valve, clean service | PVST | 0.013
F7 | Butterfly valve, severe service | Normal | 0.037
F8 | Butterfly valve, severe service | PVST | 0.026
F9 | | | 0.0054
11.9
Failure mode | DU [yr-1]
Fail to open | 0.002
Fail to operate | 0.001 (PTIF = 0.001)
Critical | 0.014
Yara recommended data for safety relief valves are shown in Table 52 below.
Table 52 Yara rec. failure data for pressure relief valves (Yara Green Rule)
Safety relief valves | Failure mode | DU [yr-1]
Yara recommended | Fail to operate on demand | 0.014
11.10
Component | Structure | Value
(sensor type not named) | Single | 0.009
 | Double 1oo2 | 0.018
Pressure switch | Single | 0.025
 | 2oo3 | Negligible
Pressure transmitter | Single | 0.005
 | 2oo3 | Negligible
Level transmitter | Single | 0.01
 | 2oo3 | Negligible
Flow transmitter | Single | 0.014
Fire and gas-, toxic gas detection | Single | 0.03
 | 2oo2 | Negligible
Logic unit | Hardwired | 0.06
 | PLC, single | 0.06
 | PLC, fail safe | Negligible
Shut off valve | Single | 0.02
 | DBB | 0.04
12
Equipment | Failure mode | Failure frequency
(not named) | Break | 5 x 10^-7 yr^-1
 | Leakage, D = 10 mm | 1 x 10^-5 yr^-1
 | Discharged in 10 minutes | 5 x 10^-7 yr^-1
(not named) | Instantaneous rupture | 5 x 10^-5 yr^-1
 | Discharged in 10 minutes | 5 x 10^-5 yr^-1
 | Leakage, D = 10 mm | 1 x 10^-3 yr^-1
(not named) | Failure in one tube | 1 x 10^-3 yr^-1
 | Coincident failure in 10 tubes | 1 x 10^-5 yr^-1
3 Bullet tank | Relief of safety valve | 2 x 10^-5 yr^-1
 | Catastrophic failure, instantaneous discharge | 5 x 10^-7 yr^-1
 | Catastrophic failure, discharged in 10 minutes | 5 x 10^-7 yr^-1
 | Catastrophic failure, leakage, D = 10 mm | 1 x 10^-5 yr^-1
4 Refrigerated tanks | Total failure of inner + outer tank | 5 x 10^-7 yr^-1
 | Total failure of inner tank | 5 x 10^-7 yr^-1
 | Discharged in 10 minutes to atmosphere | 5 x 10^-7 yr^-1
 | Discharged in 10 minutes from inner tank | 5 x 10^-7 yr^-1
 | Leakage, D = 10 mm from inner tank | 1 x 10^-4 yr^-1
(not named) | Catastrophic failure on rail tankers | 5 x 10^-7 hr^-1
 | Load / unload hose, break | 4 x 10^-6 hr^-1
 | Load / unload hose, leakage (hole D = 0.1 hose D) | 4 x 10^-5 hr^-1
Equipment | Failure mode | Failure frequency
(loading arm, not named) | Break | 3 x 10^-8 hr^-1
 | Leakage (hole D = 0.1 arm D) | 3 x 10^-7 hr^-1
(loading arm, not named) | Break | 3 x 10^-8 hr^-1
 | Leakage (hole D = 0.1 arm D) | 3 x 10^-7 hr^-1
6 Pipelines, a) pipe D < 75 mm | Break | 1 x 10^-6 yr^-1 m^-1
 | Leakage (hole D = 0.1 arm D) | 5 x 10^-6 yr^-1 m^-1
6 Pipelines, b) pipe D 75 - 150 mm | Break | 3 x 10^-7 yr^-1 m^-1
 | Leakage | 2 x 10^-6 yr^-1 m^-1
6 Pipelines, c) pipe D > 150 mm | Break | 1 x 10^-7 yr^-1 m^-1
 | Leakage | 5 x 10^-7 yr^-1 m^-1
Equipment | Failure mode | Failure rate [yr-1] | Error factor | Comments
Pipelines (transport), average diameter | Minor leakage | 3 x 10^-5 /m | 10 | D < 200 mm, divide by 3; D < 75 mm, multiply by 3
 | Major leakage | 6 x 10^-6 /m | 10 |
 | Rupture | 3 x 10^-7 /m | 10 |
Pipelines (transport), average diameter (second category, not named) | Minor leakage | 2 x 10^-6 /m | 10 | D < 200 mm, divide by 3; D < 75 mm, multiply by 3
 | Major leakage | 6 x 10^-7 /m | 10 |
 | Rupture | 2 x 10^-8 /m | 10 |
Pumps | External, minor leakage | 6 x 10^-3 | 10 | Without protection, multiply by 5
 | External, major leakage | 2 x 10^-4 | 10 |
 | External, rupture | 2 x 10^-5 | 10 |
Compressors | External, minor leakage | 3 x 10^-3 | |
 | External, major leakage | 3 x 10^-4 | |
 | External, rupture | 3 x 10^-5 | |
Valves, control / regulation, inclusive actuator, command unit, monitoring and flanges | Fail to close | 0.05 | |
 | Fail to open | 0.05 | |
 | Internal, minor leakage | 0.04 | 5 | 5% flow
 | Internal, major leakage | 0.02 | 5 | 50% flow
 | External, minor leakage | 0.001 | 10 |
 | External, major leakage | 1 x 10^-4 | 10 |
 | External, rupture | 1 x 10^-5 | 10 |
(not named) | Fail to close | 4 x 10^-3 | 5 |
 | Internal leakage | 0.02 | 5 |
 | External, minor leakage | 0.001 | 10 |
 | External, major leakage | 1 x 10^-4 | 10 |
 | External, rupture | 1 x 10^-5 | 10 |
(not named) | Critical (incl. fail to operate, plugged, internal leakage) | 0.1 | 5 |
(not named) | Fail to operate | 0.05 | |
(not named) | External, minor leakage | 0.001 | 10 |
 | External, major leakage | 1 x 10^-4 | 10 |
 | External, rupture | 1 x 10^-5 | 10 |
(not named) | Internal, leakage | 0.8 | 5 |
 | Internal, major leakage | 0.02 | 10 |
(not named) | External, minor leakage | 0.001 | 10 |
 | External, major leakage | 1 x 10^-4 | 10 |
 | External, rupture | 1 x 10^-5 | 10 |
 | Internal leakage | 0.02 | 5 |
(not named) | External, minor leakage | 0.001 | 10 |
 | External, major leakage | 1 x 10^-4 | 10 |
 | External, rupture | 1 x 10^-5 | 10 |
(not named) | Minor leakage | 1 x 10^-3 | 10 |
 | Major leakage | 1 x 10^-5 | 10 |
 | Rupture | 2 x 10^-6 | 10 |
(not named) | Minor leakage | 2 x 10^-3 | 10 |
 | Major leakage | 5 x 10^-5 | 10 |
 | Rupture | 6 x 10^-6 | 10 |
Double-walled tank | Rupture of inner and outer tank | 1 x 10^-6 | 10 |
13
Human reliability
There are a considerable number of methods of varying complexity for evaluating and
estimating the impact of human errors. The method presented below is the HEART
model. The method starts with the data given in the first table below, which can be
modified by choosing from the set of error-producing conditions given in the second
table below. The modification factor for each condition is calculated as:
V(M-1)+1
where M is the multiplier found in the second table, and V is a factor describing to what degree the
error-producing condition is present, 0<V<1.
It is possible to apply error-producing conditions that contradict the task description,
e.g. condition 1 to task G. Only conditions that are undoubtedly present should be
accounted for, and care must also be taken not to double-count unfavourable factors. If
more than one task description is applicable, the less probable must be chosen. If the
resulting probability is larger than 1, it is set equal to 1.
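The HEART calculation above (nominal value, one factor V(M-1)+1 per condition, cap at 1) as an added example that is not part of the handbook. The nominal values are those of the first table below; the multipliers 11 and 3 are taken from the handbook's multiplier list, but the condition names attached to them here are assumptions for illustration only.

```python
"""HEART human error probability with error-producing conditions (EPCs).

Added example, not from the handbook. The EPC labels in EXAMPLE_EPCS are
assumed; only the multipliers and nominal values come from the handbook.
"""
NOMINAL_HEP = {  # proposed nominal human failure probability per generic task
    "A": 0.55, "B": 0.26, "C": 0.16, "D": 0.09, "E": 0.02,
    "F": 0.003, "G": 0.0004, "H": 0.00002, "M": 0.03,
}


def epc_factor(multiplier: float, proportion: float) -> float:
    """Modification factor V(M-1)+1 for one error-producing condition.

    multiplier is M from the EPC table; proportion is V, the assessed degree
    to which the condition is present.
    """
    if not 0.0 <= proportion <= 1.0:
        raise ValueError("V must lie between 0 and 1")
    if multiplier < 1.0:
        raise ValueError("HEART multipliers are 1 or larger")
    return proportion * (multiplier - 1.0) + 1.0


def heart_hep(generic_task: str, epcs) -> float:
    """Nominal HEP of the task times the factor of every EPC, capped at 1."""
    hep = NOMINAL_HEP[generic_task]
    for multiplier, proportion in epcs:
        hep *= epc_factor(multiplier, proportion)
    return min(hep, 1.0)


def select_generic_task(candidates) -> str:
    """Rule from the text: if several task descriptions apply, take the
    less probable one."""
    return min(candidates, key=NOMINAL_HEP.__getitem__)


# Constructed case: restoring a system following a procedure with some
# checking (task F) under two conditions whose names are assumed.
EXAMPLE_EPCS = [
    (11, 0.5),   # multiplier 11, judged half present (assumed: time pressure)
    (3, 1.0),    # multiplier 3, fully present (assumed: no independent check)
]

if __name__ == "__main__":
    task = select_generic_task(["E", "F"])
    print(f"task {task}: nominal {NOMINAL_HEP[task]}, "
          f"with EPCs {heart_hep(task, EXAMPLE_EPCS):.4f}")
    print("task A with multiplier 17 fully present:", heart_hep("A", [(17, 1.0)]))
```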
Table 56 Starting values in the HEART method
Generic task | Proposed nominal human failure probability | Range
(A) Totally unfamiliar, performed at speed with no real idea of likely consequences | 0.55 | 0.35 - 0.97
(B) Shift or restore system to a new or original state at a single attempt without supervision or procedures | 0.26 | 0.14 - 0.42
(C) Complex task requiring high level of comprehension and skill | 0.16 | 0.12 - 0.28
(D) Fairly simple task performed rapidly or given scant attention | 0.09 | 0.06 - 0.13
(E) Routine, highly-practised, rapid task involving relatively low level of skill | 0.02 | 0.007 - 0.045
(F) Restore or shift a system to original or new state following procedures, with some checking | 0.003 | 0.0008 - 0.007
(G) Completely familiar, well-designed, highly-practised, routine task occurring several times per hour, performed to highest possible standards by highly-motivated, highly trained and experienced person, totally aware of implications of failure, with time to correct potential error, but without the benefit of significant job aids | 0.0004 | 0.00008 - 0.009
(H) Respond correctly to system command even when there is an automated supervisory system providing accurate interpretation of system state | 0.00002 | 0.000006 - 0.0009
(M) Miscellaneous tasks for which no description can be found | 0.03 | 0.008 - 0.11
Table: error-producing conditions, multipliers M (condition descriptions missing): x 17, x 11, x 10, x 9, x 8, x 8, x 8, x 6, x 6, x 5.5, x 5, x 4, x 4, x 4, x 3, x 3, x 3
Table: human error probabilities for Read / reason, Physical operation and Everyday yardstick tasks (task descriptions missing). Values: 0.00001, 0.00001, 0.0001, 0.0002, 0.0003, 0.0005, 0.0005, 0.001, 0.001, 0.002, 0.003, 0.003, 0.004, 0.005, 0.005, 0.006, 0.003, 0.01, 0.01, 0.01, 0.01, 0.01, 0.01-0.03, 0.02, 0.02, 0.02, 0.03, 0.05, 0.06, 0.1, 0.1, 0.1, 0.25, 0.5, 0.9
Yara recommended data for human failures for process tasks are shown in Table 59 below.
Table 59 Yara recommended data for human failures for process tasks (Yara Green
Rule)
Operation/task | Failure probability [per operation] / failure frequency [per yr]
Alarms |
- React on process alarm during normal operation | 0.05
- React on process alarm during process upset, alarm avalanche | 0.25
- React on process alarm in emergency situation, alarm avalanche | 0.25
- React on plant or site alarm/siren in emergency situation | 0.025
Pump start |
- Starting against closed valve and forgetting to open the valve | 0.05
Valve operation (open/close) |
- In control room | 0.02
- Manual valve in the plant | 0.02
New work-shift |
- Check of equipment, unless specified | 0.1
Stress, emergency situations |
- General | 0.25
- After 1 min in emergency situation | 0.9
14
Risk reduction
14.1
Inherent safety
Application of the inherent safety concept is the most important risk reduction effort.
The inherent safety concept is to reduce the hazard of complex systems by asking:
Can less hazardous raw materials and intermediates be used?
Can quantities of hazardous materials be reduced?
Can equipment be optimised to increase safety?
The common Inherent Safety Guidewords are listed in the table below.
Table 60 Inherent safety guidewords
Guideword | Meaning
substitute | substituting less hazardous materials or processes wherever possible
minimise | minimising the amount of hazardous material in use
moderate | moderating the process conditions of the hazardous material
simplify | simplifying the equipment and the processes that are used
14.2
Prevention: Preventing the occurrence of accidents.
- Local or in control rooms, announcing that process parameters such as pressures and temperatures exceed defined limits.
- Automatic stop of the process if process parameters such as pressures and temperatures exceed defined limits.
- Monitoring of raw materials and additive streams: Programmes for measuring raw materials and additive streams to ascertain that concentrations and pollutions are not jeopardizing the stability of the materials.
Mitigation: Mitigating the consequences when accidents happen.
- Safety valves: Valves removing substances from processes or storage tanks in case of upsets in order to keep pressures below safe limits.
- Critical structures and buildings in or near the process area are designed to withstand blast pressures of explosions up to defined levels, based on risk analyses, identified explosion scenarios or industrial standards.
- 6 Fire protection: Passive and active fire protection. Fire cells.
- 7 Detection of developing accident: Detectors for gas, smoke and fires for early warning.
- 8 Sectioning
- Flaring, draining
- 10 Bunds, dikes
- 11 Safety distances
Design Measures
- 12 Internal standards
- 13 External standards
- 14
- 16 Proof testing
Accident Response
- 17 Emergency response
- 18 Community response
- 22 Procedures
- Rules for personnel protection
- Work permit systems
- 23
14.3
Definition of layers
Independent Protection Layer (IPL) is a device, system or action that is capable of preventing a scenario from proceeding to the undesired consequence. In the figure below the general independent protection layers are given for a chemical reactor. The layers below the process drawing are preventive measures. These measures are aimed at the prevention of a LOC. In terms of risk such a measure is considered to reduce the probability of a LOC. The layers above the process drawing are mitigating measures. These measures are aimed at minimising the consequences. In terms of risk, a mitigating measure is considered to reduce the effect.
Figure: protection layers around the process design of a chemical reactor; PREVENTIVE MEASURES below the process drawing, MITIGATING MEASURES above it.
14.4 Safety functions
In order to control the safety risk, a process plant has several protection layers, normally comprising:
Safety related functions and alarms implemented in the process control system
The PSD (Process Shut Down) system
The relief devices, or physical protection
Flaring and blow-down
The post-release systems, the ESD (Emergency Shut Down) system and devices such as fire-walls, dikes and bunds
Plant emergency response
Community emergency response
In principle the protection can be taken care of by preventive or mitigating barriers, as indicated in the figure below. The preventive process safety barriers, which consist of PSD and relief devices, shall prevent incidents and accidents from happening. The mitigating barriers shall mitigate the consequences if an accident occurs. The mitigating measures are such as emergency shutdown, gas detection systems, deluge systems, sprinkler systems, fire curtains, dikes, etc.
Figure: CAUSES pass through the FREQUENCY REDUCING (PREVENTIVE) BARRIERS to the ADVERSE EVENT, which passes through the CONSEQUENCE REDUCING (MITIGATING) BARRIERS to the CONSEQUENCES.
Sensor(s)
Logic unit
Final element(s) such as consequence reducing (sectioning) valves, active fire fighting equipment etc.
and systems with manual interaction consist of
Sensor(s)
Logic unit with alarm
Devices for manual shut down initiation, i.e. push buttons or operator stations
Final element(s) such as consequence reducing (sectioning) valves, active fire fighting equipment operated manually or automatically after shut down initiation
The figures below show other possible interactions between the process conditions
operation
stop
the process incidents and accidents
loss of containment
functional failure of equipment (loss of function)
and the actions by the safety functions
detection
shut down
Spurious operation of safety functions causes a stop of the process. These situations are shown as the upper arc of the figures. The legend of the figures is moreover shown in the frame below.
Abbreviation  Description
NOP           Normal OPeration
LOC FLAM      Loss Of Containment of FLAMmable material
LOC TOXIC     Loss Of Containment of TOXIC substance
LOF           Loss Of Function, i.e. flow, temperature, pressure etc. outside shut down limits
DET GAS       DETection (automatic) of flammable GAS release
DET FIRE      DETection of FIRE (automatic)
OBS           OBServation of fire (manual)
SD            Shut Down
STOP 1        STOP after LOC or LOF, with the consequence: production loss
STOP 2        STOP after FIRE or OUT OF CONTROL BURST, with the consequences: damage to equipment, considerable production loss
STOP 3        STOP after EXPLosion or Loss Of Containment of TOXIC substance, with the consequences: injury, environmental damage, major damage to equipment, lasting production loss
Process state, normal operation (NOP) or loss of function (LOF)
Figure 39 Interaction between the process and a PSD function
The next figure shows a similar scenario for the interaction between the process and a pressure relief device. In this case the process is not equipped with any PSD function. The loss of function will here result in a pressure increase, which can be the cause of a material burst if the relief device is not functioning.
Figure 41 Interaction between process control, PSD and the relief valve
In the next figure a situation with release of toxic material is depicted. Human injury is here a possible consequence of the state STOP 3.
Figure (state diagram; only the state labels were recovered): NOP, LOC FLAM, DET GAS, FIRE, DET FIRE, OBS, EXPL, ESD, STOP 1, STOP 2, STOP 3.
14.5
Decommissioning
Verification
Functional safety assessment
14.6
The safety functions as well as the process control functions shall be designed according to the idle current principle (de-energized to shut down, 4-20 mA).
The safety functions as well as the process control functions shall be designed according to the fail-to-safe principle.
The ESD system shall, independently of other systems, be able to bring the process to a pre-defined state.
For all safety related functions a maximum reaction time shall be defined.
Safety related information shall be available in the central control room within 5 seconds of an accident, on screen or alarm panel.
A time limitation shall be defined for degraded operation (2oo3 with failure degraded to 1oo1, one of two logic units operating).
Repair time requirements shall be defined for equipment in safety functions that is bypassed / overridden during plant operation.
There shall be a design philosophy and guidance for the process operator interface.
For programming the following apply:
Only use programming based on logic diagrams and effect matrices
Program only with the delivered safety engineering tool
Avoid instruction lists / mnemonics
Use proven in-house or pre-tested function blocks. Maintain a library of such blocks
Test the restart after power failure in all operating modes
14.7
For logic units the concept of diagnostic coverage is used, meaning the fraction of failures detected. The following is an indication of low, medium and high diagnostic coverage for logic units:
Low: 60% of failures are detected, corresponding to
a single PLC with a watch-dog (WD) and fail-safe I/O
a solid state or relay based system utilising the fail-safe principle by idle current, normally closed contacts and logic, which initiate shut down in case of power loss.
Medium: 90% of failures detected, corresponding to an acknowledged PLC with enhanced self test
High: 99% of failures detected, corresponding to an acknowledged fail-safe PLC with enhanced self test, evaluated by an independent organisation
Type A components
Hardware fault tolerance   Safe Failure Fraction (SFF)
                           < 60 %    60 - 90 %   90 - 99 %   > 99 %
0 (1oo1) (2oo2)            SIL 1     SIL 2       SIL 3       SIL 3
1 (1oo2) (2oo3)            SIL 2     SIL 3       SIL 4       SIL 4
2 (1oo3) (2oo4)            SIL 3     SIL 4       SIL 4       SIL 4

Type B components
Hardware fault tolerance   Safe Failure Fraction (SFF)
                           < 60 %    60 - 90 %   90 - 99 %   > 99 %
0 (1oo1) (2oo2)            N/A       SIL 1       SIL 2       SIL 3
1 (1oo2) (2oo3)            SIL 1     SIL 2       SIL 3       SIL 4
2 (1oo3) (2oo4)            SIL 2     SIL 3       SIL 4       SIL 4
The table below shows different structures, degradation in case of failures, diagnosis and redundancy purposes (safety or availability).
Columns (headers as recovered): Structure; Redundancy for safety (S) / availability (A); Degradation on failure no 1 and on the next failure, for safe failures and dangerous failures. Cell entries per structure, in the order recovered:
1oo1: SD, NS
1oo2: SD, 1oo1, NS
1oo2D: S, A; SD, 1oo1D
1oo3: SD, 1oo2, NS, D, 1oo1
2oo2: 1oo1
2oo2D: S, A; 1oo1D, NS, D, NS, D
2oo3: S, A; 1oo2, 2oo2, NS, D
2oo3D: S, A; 1oo2D, 2oo2, D, NS, D
2oo4: S, A; 1oo3, 2oo3, 2oo2, SD, NS, NS, NS
These plants comprise ammonia plants, nitric acid plants, ammonium nitrate solution
plants, urea plants, and gas power stations. In general, finished fertilizer plants are
not considered of this category, except for the processing of ammonium nitrate,
potassium nitrate and calcium nitrate materials.
Figure 44 Probability of failure vs. proof test interval for a 1oo1 structure (probability axis against time axis, proof tests at T, 2T and 3T)
For the 1oo1 structure, the probability of failure on demand, PFD, is:
$$PFD = P_{TIF} + \frac{1}{T}\int_0^T \lambda_{DU}\, t\, dt = \frac{1}{2}\lambda_{DU} T$$
Generally, for a koon structure where k < n:
$$PFD = P_{TIF} + \frac{1}{T}\int_0^T \binom{n}{k} (\lambda_{DU}\, t)^k\, dt = \frac{n!}{(k+1)\,(n-k)!\,k!}\,(\lambda_{DU} T)^k$$
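As an added example (not code from the handbook or from Yara), the PFD formula above and the SFF / hardware fault tolerance table of the previous pages in executable form: the closed-form koon expression is cross-checked by numerically integrating the handbook's integrand, with k and n used exactly as in the handbook's formula, and the SIL lookup reproduces the Type A / Type B table. The failure rate, proof test interval and P_TIF values are constructed, and SFF band edges are assumed lower-inclusive since the table only gives ranges.

```python
from math import factorial

# Architectural-constraint table as reproduced in the handbook: rows are
# hardware fault tolerance 0/1/2, columns the four SFF bands (None = N/A).
# Band edges are taken as lower-inclusive (assumption; the table gives ranges only).
SFF_BANDS = ((0.0, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.0))
SIL_TABLE = {
    "A": {0: (1, 2, 3, 3), 1: (2, 3, 4, 4), 2: (3, 4, 4, 4)},
    "B": {0: (None, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)},
}


def sff_band(sff):
    """Index of the SFF band containing sff, 0.0 <= sff <= 1.0."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must lie between 0 and 1")
    for i, (lo, hi) in enumerate(SFF_BANDS):
        if lo <= sff < hi:
            return i
    return len(SFF_BANDS) - 1  # sff == 1.0 belongs to the top band


def max_sil(component_type, hft, sff):
    """Highest SIL the table allows for component type 'A' or 'B', hardware
    fault tolerance hft (0, 1 or 2) and safe failure fraction sff; None = N/A."""
    return SIL_TABLE[component_type][hft][sff_band(sff)]


def pfd_koon(k, n, lambda_du, t_interval, p_tif=0.0):
    """Closed-form handbook PFD: P_TIF + n!/((k+1)(n-k)!k!) * (lambda_DU*T)^k,
    with lambda_du in failures per hour and t_interval (T) in hours.
    k = n = 1 reproduces the 1oo1 result P_TIF + lambda_DU*T/2."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeff = factorial(n) / ((k + 1) * factorial(n - k) * factorial(k))
    return p_tif + coeff * (lambda_du * t_interval) ** k


def pfd_koon_numeric(k, n, lambda_du, t_interval, p_tif=0.0, steps=20000):
    """Same quantity by midpoint-rule integration of the handbook integrand
    (1/T) * int_0^T C(n,k) (lambda_DU t)^k dt, as a cross-check."""
    binom = factorial(n) / (factorial(n - k) * factorial(k))
    dt = t_interval / steps
    total = sum(binom * (lambda_du * (i + 0.5) * dt) ** k * dt for i in range(steps))
    return p_tif + total / t_interval


if __name__ == "__main__":
    # Constructed values: lambda_DU = 1e-6 /h, yearly proof test (8760 h), P_TIF = 1e-5.
    for k, n in ((1, 1), (2, 2), (2, 3)):
        print(f"k={k}, n={n}: PFD = {pfd_koon(k, n, 1e-6, 8760, 1e-5):.3e}")
    print("Type B, HFT 0, SFF 55 %:", max_sil("B", 0, 0.55))  # N/A per the table
```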