
INTERNAL

PROCESS SAFETY HANDBOOK

1 of 129

2011-04-04

Yara Process Safety Handbook

Scope
Process Safety focuses on preventing fires, explosions and accidental chemical
releases in chemical processes or other facilities dealing with hazardous materials.
The Yara Process Safety Handbook (PSHb) provides Yara requirements and
background reading related to process safety.
As a Yara document the PSHb is:
- A guideline for general methods for safety and risk studies
- A reference for TOPS with regard to PS methods
- A presentation of a set of Yara Green Rules which can be used in
  contractor projects:
  1. The Yara risk acceptance criteria
  2. The Yara method for SIL analysis
  3. The Yara failure data for safety functions and operator failures
- Limited by TOPS / statutory documents, which can overrule results from
  methods presented herein
The contents are
- Mainly descriptions of:
  o Reliability analysis
  o Consequence analysis
  o Qualitative and quantitative risk analyses and safety studies
- Besides:
  o Definitions of PS related concepts used in TOPS
  o References to PS concepts in Yara TOPS 0-P04, ISO (OSHAS) 18001,
    Safety assessments in life cycle perspective
Another purpose of the PSHb is internal training.


Contents

1     Reference publications .... 4
1.1   External references to standards and guidelines .... 4
1.2   References to external specialist works .... 4
1.3   Yara reference documents .... 4
1.4   Process Safety categorised as 12 Elements (PSE) .... 4
2     Structure of Process Safety .... 5
2.1   Structure of ISO (OSHAS) 18001 .... 5
2.2   ISO (OSHAS) 18001 related to Yara PSE (Process Safety Elements) .... 5
2.3   Yara documents related to ISO 18001 .... 6
3     Definitions .... 9
4     Risk, risk analyses and safety studies .... 17
4.1   Risk identification and risk ranking .... 17
4.2   Risk acceptance criteria .... 17
4.2.1 Acceptance in connection with risk ranking .... 17
4.3   On-site risk acceptance (Yara Green Rule) .... 19
4.4   Off-site risk acceptance (Yara Green Rule) .... 19
5     Hazards and consequences related to production activities .... 21
5.1   Hazard identification by Check Lists .... 23
5.1.1 Simple Check-List .... 23
5.1.2 Comprehensive checklist .... 24
5.2   Hazard and Operability Studies (HAZOP) .... 27
5.2.1 HAZOP study work process .... 29
5.2.2 Operating procedures .... 32
5.2.3 Computer-controlled processes .... 32
5.2.4 Documentation needed for a HAZOP study .... 33
5.2.5 Recording of the HAZOP work .... 33
5.3   Criticality ranking for maintenance purposes .... 36
5.3.1 Purpose of criticality analysis and risk assessment .... 36
5.3.2 The risk assessment process .... 38
5.3.3 Establishing local acceptance criteria .... 39
5.3.4 Carrying out the criticality analysis ranking .... 40
5.3.5 Criticality analysis team and necessary documents .... 42
6     Probability analysis .... 44
6.1   Reliability of equipment and systems .... 44
6.2   Reliability of safety functions .... 48
6.2.1 Dangerous failures in safety functions .... 48
6.2.2 Reliability of safety functions, safe failures .... 49
6.3   Human Reliability .... 50
6.4   System analysis and modelling .... 51
7     Consequence analysis .... 56
7.1   Release .... 56
7.2   Gas dispersion .... 58
7.3   Evaporation .... 60
7.4   Ignition .... 61
7.5   Fire .... 63
7.6   Explosion .... 68
7.7   Exposure of toxic gases .... 74
8     SIL analyses .... 76
8.1   Safety integrity (Yara Green Rule) .... 76
8.2   Determination of SIL (Yara Green Rule) .... 77
8.3   Total risk reduction for a specific event .... 83
8.4   Examples of SIL analyses .... 84
8.4.1 Ammonia oxidizing unit .... 84
8.4.2 Water pipe for steam wetting .... 87
8.4.3 Steam drum .... 88
8.4.4 Leakage of toxic gas to process hall .... 89
8.4.5 Fire in heavy rotating equipment .... 90
9     Layer of Protection Analysis (LOPA) .... 92
9.1   LOPA scenarios .... 92
9.2   Methodology .... 93
9.3   Example of failure data for Independent Protection Layers used in LOPA .... 95
10    Quantitative Risk Analysis (QRA) .... 96
10.1  When is a QRA or CQRA done .... 97
10.2  Plant data .... 97
10.3  Off site risk .... 98
10.4  On site risk .... 99
11    Failure Data relevant for Safety Functions .... 102
11.1  Data sources .... 102
11.2  Factors influencing the reliability .... 102
11.3  Continuous and Demand mode operation .... 103
11.4  SIL capability .... 103
11.5  Presentation of the most relevant failure data for safety functions .... 103
11.6  Sensors .... 104
11.7  Logic solvers .... 105
11.8  Final elements .... 105
11.9  Safety Relief Valves .... 107
11.10 Overview of spurious trip rate for some safety related functions .... 107
12    Leakage data relevant for risk analyses .... 108
13    Human reliability .... 111
14    Risk reduction .... 115
14.1  Inherent safety .... 115
14.2  Risk reducing measures .... 115
14.3  Definition of layers .... 116
14.4  Safety functions .... 118
14.5  Life-cycle activities .... 124
14.6  Invariable requirements to design of safety functions .... 124
14.7  Principles for increasing reliability of safety systems .... 125

Yara green rules


4.2.1 Acceptance criteria in connection with risk ranking, pp 17-18
4.3 On-site risk acceptance, p 19
4.4 Off-site risk acceptance, pp 19-20
8.1 Safety integrity, pp76-83
Table 16. Yara recommended dangerous undetected failure data for sensors, p105
Table 17. Yara recommended dangerous undetected failure data for logic solvers, p105
Table 19. Yara recommended dangerous undetected failure data for final elements, p107
Table 21. Yara recommended dangerous undetected failure data for pressure relief valves, p107
Table 28. Yara recommended dangerous undetected failure process tasks, p114


1 Reference publications

1.1 External references to standards and guidelines


Key external references to process safety are:
1. ISO (OSHAS) 18001
2. The Seveso II directive
3. EN standards
   Machine directive, EN-1050:1996, EN 620:2002
   ATEX; directive 94/9/EC and EN 60079-10
4. IEC 61508/61511
5. API
6. EIGA
7. NFPA
8. ISO
9. Guidelines from acknowledged organisations
   EFMA
   IFA
   The Fertilizer Society

1.2 References to external specialist works


Some references to external specialist works, which are used in this handbook, are:
1. Norsk Hydro Handbook of Safety Risk Assessment, 2000
2. AIChE: Layer of Protection Analysis, 2001
3. AIChE: Guidelines for Process Quantitative Risk Analysis, 2000
4. Gas Explosion Handbook,
http://www.gexcon.com/index.php?src=gas/gas_explosions.html
5. TNO, Yellow book, Methods for the calculation of physical effects, CPR14E; The
Hague, 1996
6. TNO, Purple book, Guideline for quantitative risk assessment, CPR 18E, 2005

1.3 Yara reference documents


The HES documents are on four levels in the Yara document hierarchy:
1. Technical and Operational Standards
2. Best Practices (BP)
3. Manuals and Reference Documents

1.4 Process Safety categorised as 12 Elements (PSE)


In Yara TOPS 0-P04, process safety management is categorised as 12 elements:
1. Process Safety Information
2. Process Safety Studies
3. Operating Procedures
4. Safe Work Practices
5. Modification to Process Variables and Equipment
6. Technical Safety Barriers
7. Quality control and maintenance of equipment
8. Competence and training
9. Investigation and reporting
10. Emergency planning and response
11. Pre-start up safety reviews
12. Inspection and auditing


2 Structure of Process Safety

2.1 Structure of ISO (OSHAS) 18001

The structure of ISO (OSHAS) 18001 is defined in table 1 below.

Table 1 ISO (OSHAS) 18001 structure

Clause  Content
1       Scope
2       Reference publications
3       Definitions
4       OH&S management system elements
4.1     General requirements
4.2     OH&S policy
4.3     Planning
4.3.1   Planning for hazard identification, risk assessment and risk control
4.3.2   Legal and other requirements
4.3.3   Objectives
4.3.4   OH&S management programme(s)
4.4     Implementation and operation
4.4.1   Structure and responsibility
4.4.2   Training, awareness and competence
4.4.3   Consultation and communication
4.4.4   Documentation
4.4.5   Document and data control
4.4.6   Operational control
4.4.7   Emergency preparedness and response
4.5     Checking and corrective action
4.5.1   Performance, measurement and monitoring
4.5.2   Accidents, incidents, non-conformance and corrective and preventive action
4.5.3   Records and records management
4.5.4   Audit
4.6     Management review

2.2 ISO (OSHAS) 18001 related to Yara PSE (Process Safety Elements)

As shown in table 3 below, 16 elements of process safety can be identified from the ISO
(OSHAS) 18001 structure, shown in italic in the table below.

Table 2 Identification of Process Safety Elements in ISO (OSHAS) 18001

ISO (OSHAS) 18001
1       Scope
2       Reference publications
3       Definitions
4       OH&S management system elements
4.1     General requirements
4.2     OH&S policy
4.3     Planning
4.3.1   Planning for hazard identification, risk assessment and risk control
4.3.2   Legal and other requirements
4.3.3   Objectives
4.3.4   OH&S management programme(s)
4.4     Implementation and operation
4.4.1   Structure and responsibility
4.4.2   Training, awareness and competence
4.4.3   Consultation and communication
4.4.4   Documentation
4.4.5   Document and data control
4.4.6   Operational control
4.4.7   Emergency preparedness and response
4.5     Checking and corrective action
4.5.1   Performance, measurement and monitoring
4.5.2   Accidents, incidents, non-conformance and corrective and preventive action
4.5.3   Records and records management
4.5.4   Audit
4.6     Management review

Process Safety Element (PSE)
#no     Title
PSE 1   Process Safety Information
PSE 2   Process Safety Studies
PSE 8   Competence and training
PSE 3   Operating Procedures
PSE 4   Safe Work Practices
PSE 5   Modification to Process Variables and Equipment
PSE 11  Pre-start up safety reviews
PSE 6   Safety Barriers
PSE 10  Emergency planning
PSE 7   Quality control and maintenance of equipment
PSE 12  Inspection and auditing
PSE 9   Investigation and reporting
PSE 12  Inspection and auditing

2.3 Yara documents related to ISO 18001

The relation between ISO (OSHAS) 18001 and Yara documents is described in the
table below. Clauses related to process safety are in italic.
Table 3 Relation between ISO (OSHAS) 18001 and Yara steering documents

ISO (OSHAS) 18001                                                      Yara document
1      Scope
2      Reference publications
3      Definitions
4      OH&S management system elements                                 TOPS 0
4.1    General requirements                                            TOPS 0
4.2    OH&S policy                                                     TOPS 0
4.3    Planning                                                        TOPS 0
4.3.1  Planning for hazard identification, risk assessment and         TOPS 0-P-04
       risk control
4.3.2  Legal and other requirements
4.3.3  Objectives
4.3.4  OH&S management programme(s)
4.4    Implementation and operation
4.4.1  Structure and responsibility
4.4.2  Training, awareness and competence                              TOPS 1-01, 1-18
4.4.3  Consultation and communication
4.4.4  Documentation
4.4.5  Document and data control
4.4.6  Operational control                                             TOPS 1-01, 1-02, 1-03, 1-04,
                                                                       1-05, 1-06, 1-07, 1-08, 1-09,
                                                                       1-10, 1-11, 1-12, 1-13, 1-14,
                                                                       1-15, 1-16, 1-17, 2-01, 2-04,
                                                                       2-05, 3-01, 3-02, 3-03, 3-04,
                                                                       3-05, 3-06, 3-07, 4-01, 4-02,
                                                                       5-01, 5-02, 5-03, 5-04
4.4.7  Emergency preparedness and response                             TOPS 0-P-08, -11
4.5    Checking and corrective action
4.5.1  Performance, measurement and monitoring
4.5.2  Accidents, incidents, non-conformance and corrective and        TOPS 0-P-01, -02
       preventive action
4.5.3  Records and records management
4.5.4  Audit
4.6    Management review

The relation between Process Safety Elements, ISO (OSHAS) 18001 clauses and Yara
documents is also shown in the table below. Clauses related to process safety are in
italic. It is indicated where no relevant Yara document is identified.

Table 4. The relation between ISO 18001 clauses related to process safety and
Yara documents

ISO 18001 clause and title
       Yara document no   Yara document title

4.3.1  Planning for hazard identification, risk assessment and risk control
       TOPS 0-P-04        Controlling chemical risk related to personnel
       TOPS 0-P-10        Plant design, construction, modification and decommissioning
4.3.2  Legal and other requirements
       (no relevant Yara document identified)
4.3.3  Objectives
       (no relevant Yara document identified)
4.3.4  OH&S management programme(s)
       (no relevant Yara document identified)
4.4.1  Structure and responsibility
       (no relevant Yara document identified)
4.4.2  Training, awareness and competence
       TOPS 1-01          Systematic, optimal and safe operation
4.4.3  Consultation and communication
       (no relevant Yara document identified)
4.4.4  Documentation
       (no relevant Yara document identified)
4.4.5  Document and data control
       (no relevant Yara document identified)
4.4.6  Operational control
       TOPS 0-P-05        Product Stewardship
       TOPS 1-01          Systematic, optimal and safe operation
       TOPS 1-02          Work permits
       TOPS 1-03          Modifications / Management of change
       TOPS 1-04          Instrument-based safety functions
       TOPS 1-05          Temporary override of safety functions
       TOPS 1-06          Control room integrity and operability
       TOPS 1-07          Fire Prevention
       TOPS 1-08          Conveyor belts
       TOPS 1-09          Controlling chemical risk related to personnel
       TOPS 1-10          Storage of hazardous liquid and gases
       TOPS 1-11          Safe storage of nitrate-based fertilizers and technical ammonium nitrate
       TOPS 1-12          Management of contractors
       TOPS 1-13          Safe Operation of Re-boiler Condensers in Air Separation Units
       TOPS 1-14          Hazardous Area Zone Classification
       TOPS 1-15          Safety precautions related to plugged lines and product chutes
       TOPS 1-16          Boiler operations
       TOPS 1-17          Production IT Security Standard
       TOPS 1-18          Competence building in Upstream
       TOPS 2-01          Systematic maintenance
       TOPS 2-02          On-site leak abatement in operating conditions by injection method
       TOPS 2-03          Rotating Machinery - Operation and Maintenance
       TOPS 2-04          Use of Socket Welds in Yara
       TOPS 2-05          Maintenance strategy in Yara
       TOPS 3-01          Safety and reliability requirements for operation of ammonia plants
       TOPS 3-02          Safe operating practice for ammonia storage
       TOPS 3-03          Safe operating practice for ammonia ship / terminal operations
       TOPS 3-04          Design and construction of ammonia storage tanks
       TOPS 3-05          Safety and reliability requirements for operation of Urea plants
       TOPS 3-06          Leak handling of HP equipment in Urea service
       TOPS 3-07          Security in aqueous ammonia storage and vent gas scrubbing systems
       TOPS 4-01          Production of Nitric Acid
       TOPS 4-02          Nitric Acid Catalyst Gauze Handling
       TOPS 5-01          Manufacture of ammonium nitrate solutions, fertilizer grade and
                          technical grade Ammonium Nitrate
       TOPS 5-02          Manufacture, testing and storage of Nitrate containing NPK fertilizer
       TOPS 5-03          Opening of plugged AN pipelines
       TOPS 5-04          Off-spec material in production of AN-containing products
       TOPS 7-01          Safe loading and discharge of dangerous liquids and gases on road
                          tankers, rail tankers and barges
4.4.7  Emergency preparedness and response
       TOPS 0-P-08        Yara emergency response plan
4.5.1  Performance, measurement and monitoring
       (no relevant Yara document identified)
4.5.2  Accidents, incidents, non-conformance and corrective and preventive action
       TOPS 0-P-01        Reporting of accidents, near-miss incidents, sick-leave, environmental
                          incidents and security breaches
       TOPS 0-P-02        Incident and follow-up of accidents and near-miss incidents
4.5.3  Records and records management
       (no relevant Yara document identified)
4.5.4  Audit
       (no relevant Yara document identified)
4.6    Management review
       (no relevant Yara document identified)


3 Definitions

The definitions presented below are intended to comprise terms used in Yara HES
documents and handbooks.
Acceptance criteria for risk
Criteria that are used to express a risk level that is acceptable for the activity in
question. Acceptance criteria may be expressed verbally or numerically.
ALARP
Principle of reducing risk to a level that is As Low As Reasonably Practicable
Accident
An unintended incident which results in injury to persons and/or damage to property,
the environment, a third party or which leads to production loss
Availability
The proportion of time that an item is capable of operating to specification within a
large time interval
Barrier
Barrier is a device, system or action that is capable of preventing a scenario from
proceeding to the undesired consequence. Preventive measures are aimed at the
prevention of a LOC. In terms of risk such a measure is considered to reduce the
probability of an LOC. Mitigating measures are aimed at minimising the
consequences. In terms of risk, a mitigating measure is considered to reduce the
effect.
Business Unit
In this procedure the term is used to cover all units reporting to Upstream,
Downstream and Industrial management.
CAS-number:
The identification number for a substance in Chemical Abstract Service
Cause (failure cause, for components)
The physical or chemical processes, design defects, quality defects, partial
misapplication or other processes which are the basic reason for failure or which
initiate the physical process by which deterioration proceeds to failure.
Chemical agents
Any chemical element or compound used or produced in the process including raw
materials, intermediates, trade products, maintenance and auxiliary chemicals and
waste
CMR-chemicals
Carcinogenic and mutagenic chemical agents and chemicals that are toxic to
reproduction
Common cause failure
Failure, which is the result of one or more events, causing failures of two or more
separate channels in a multiple channel system, leading to a system failure.
Consequence
The result of the realisation of a hazard- material damage, environmental pollution,
injuries, fatalities or financial loss. Consequences may be expressed verbally or
numerically to define the extent of injury to humans, or environmental or material
damage
Contractors
Persons working for contractors who are under contract to execute work for the unit,
but not being part of the units work force.
Control room (CR):
For the purpose of this standard, a "control room" is an area from where an operator
can monitor and control a process that requires a safe shut- down and/or can
execute the emergency response actions necessary to prevent accident escalation.
The "control room" may be a central control room (CCR) for a complete facility or
a local control room (LCR) for a local unit.
Corrective maintenance
Maintenance carried out to restore operational effectiveness after a failure
Critical equipment
Equipment rated as critical in a criticality ranking
Criticality ranking (for maintenance purposes)
Analysis of events and faults and the ranking of these in order of the seriousness of
their consequences.
Customer
Customers of Yara are distributors of fertilizers and industrial and professional users
of Yara products.
Cut set
A list of components such that if they all fail then the system is also in the failed
state
Dangerous failure
Failure which has the potential to put the safety system in a hazardous or fail-to-function state.
Demand
A condition which requires a protective system to operate.
Design accidental event:
Accidental events that serve as the basis for layout, dimensioning and use of
installations and the activity at large, in order to meet the defined risk acceptance
criteria or according to defined deterministic scenarios
Deterministic process safety study
A set of accidental events or scenarios representing the safety picture shall be
defined. A maximum credible event shall be defined. Effective safety barriers shall
prevent credible effects of the scenarios.
Diagnostic coverage
Ratio of detected failure rate to the total failure rate of the component or system as
detected by diagnostic tests. Diagnostic coverage does not include any faults
detected by proof test.
Diversity
Means that various types of equipment, technologies and functions are used to
reduce the probability of common mode failure.
Down time
The time during which an item is not able to perform to specification
Effect
The effects of an incident scenario are e.g. blast, dispersion of toxic materials, heat
radiation etc.
Employees
Permanent employees of the unit and personnel on ordinary employment contracts
Exposure
The amount, concentration or dose of a substance or physical factor a human
population, area or environmental area is subjected to.
Event
An event is an occurrence related to an accident scenario. A distinction can be made
between initiating and enabling events (or enabling conditions). The initiating event
is the event that starts the chain of events leading to the undesired consequence.
Three types of initiating events can be distinguished;
1. External events
2. Equipment failures
3. Human failures or inappropriate actions
An enabling event or enabling condition is an event or condition that is required for
the initiating event to unleash a scenario. Enabling events are neither failures nor
protection layers. They are expressed as probabilities. Examples of enabling events
are start-up phase, material present, ignition source present etc.
Failure rate
The number of failures of an item (component, system) per unit time
Fatal accident rate (FAR).
The number of deaths that have occurred or are predicted to occur in a defined
group, in a given environment, during 10^8 hours of operation
Fault tolerance
Ability of a functional unit to continue to perform a required function in the presence
of faults or error.
Fault tree analysis
A graphical method of modelling a system failure using AND and OR logic in tree
form
First-aid injury (FAI)
Injury at work requiring first aid treatment only, before the injured person resumes
normal work.
F-N curve
A plot showing, for a specified hazard, the frequency of all events causing a stated
degree of harm to N or more people, against N.
General equipment
Equipment rated as general in a criticality ranking
Hazardous chemical
Any chemical agent which meets the criteria for classification as a dangerous
substance or preparation according to national legislation except from those only
meeting the criteria for danger for the environment (i.e. explosive, oxidizing,
extremely flammable, highly flammable, flammable, very toxic, toxic, harmful,
corrosive, irritating, sensitising, carcinogenic, mutagenic, toxic to reproduction).
Hazard identification
A study carried out to identify risks in the process by ranking of frequency and
consequence
Hazardous liquids and gases:
Chemicals which under the stored conditions are liquids or gases, and that fall within
the categories given in the EU Council Directive 96/82/EC (SEVESO directive),
annex 1 part 1 or part 2, or are classified as corrosive.
HAZOP (HAZard and OPerability study)
A study carried out by the application of guide- words to identify all deviations from
design intent with undesirable effects for safety or operability
Hired personnel
Personnel from other units or companies that are under contract to work full or part
time in position for the Yara unit, and are considered to be part of the work force
Important equipment
Equipment rated as important in a criticality ranking
Incident
A sudden work related accident or near miss, or a security breach, sustained in service.
An injury or near miss injury 'in service' means when the incident occurs:
- on company property or on property under Yara operational management
- within agreed working hours
- on an approved business trip
- on an approved training course, meeting, work assignment, entertaining business
  associates, etc.
- on a social event arranged by the employer.
Individual risk criteria
Criteria related to the likelihood with which an individual may be expected to sustain
a given level of harm from the realisation of specified hazards
Inherent safety principle:
Limit the hazard by minimizing the amount of hazardous material or processes,
substituting with less dangerous material, moderating the process conditions and
simplifying the equipment and process- when possible
Leakage
The term leakage as used in risk analyses covers three failure modes: rupture, major
leakage and minor leakage.
For piping / pipelines, rupture means full bore rupture, major leakage means a leak
area of 1/10 of a full bore rupture, and minor leakage means a leak area of 1/100 of a
full bore rupture.
For large pipes and pipelines, the major leak is usually limited to a 50 mm hole. Minor
leakage then means a leak area of 1/10 of that of the major leakage.
For tanks and vessels, the failure mode rupture means a failure resulting in the
sudden release of their entire contents, while the failure mode major leakage means a
circular hole of diameter 50 mm. Minor leakage means a leak area of 1/10 of that of the
major leakage.
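The leak classes above fix the hole sizes that a consequence model or QRA is run with, so the conversion from the area fractions to equivalent hole diameters, including the 50 mm cap on large lines, is worth writing down once. The following Python is an added example, not code from the handbook; the pipe bores it is run with are constructed, and the bore of about 158 mm above which the cap takes effect follows from the definitions (50 mm multiplied by the square root of 10).

```python
"""Equivalent hole diameters for the leak classes defined in the 'Leakage' entry.

Added example, not from the handbook. Pipe bores used below are constructed.
  rupture : full bore (pipes) / entire contents (tanks and vessels)
  major   : 1/10 of the full-bore area, limited to a 50 mm hole for large lines;
            a 50 mm hole for tanks and vessels
  minor   : 1/10 of the major-leak area
"""
from math import pi, sqrt

MAJOR_LEAK_CAP_MM = 50.0  # cap on the major-leak hole for large pipes and pipelines


def area_mm2(diameter_mm: float) -> float:
    """Cross-section of a circular hole."""
    return pi * diameter_mm ** 2 / 4.0


def diameter_mm(area: float) -> float:
    """Equivalent circular-hole diameter for a given leak area."""
    return sqrt(4.0 * area / pi)


def pipe_leak_classes(bore_mm: float) -> dict:
    """Hole diameters (mm) for rupture, major and minor leakage of a pipe of the given bore.

    'major_capped' is True when the 1/10-area rule would exceed the 50 mm cap,
    which happens for bores above 50*sqrt(10), about 158 mm.
    """
    if bore_mm <= 0:
        raise ValueError("bore must be positive")
    full_area = area_mm2(bore_mm)
    tenth_area = full_area / 10.0
    cap_area = area_mm2(MAJOR_LEAK_CAP_MM)
    major_area = min(tenth_area, cap_area)
    minor_area = major_area / 10.0  # equals 1/100 of full bore when the cap does not apply
    return {
        "rupture_mm": bore_mm,
        "major_mm": diameter_mm(major_area),
        "minor_mm": diameter_mm(minor_area),
        "major_capped": tenth_area > cap_area,
    }


def vessel_leak_classes() -> dict:
    """Hole diameters (mm) for tanks and vessels; rupture releases the entire contents."""
    major_area = area_mm2(MAJOR_LEAK_CAP_MM)
    return {
        "rupture": "entire contents",
        "major_mm": MAJOR_LEAK_CAP_MM,
        "minor_mm": diameter_mm(major_area / 10.0),
    }


if __name__ == "__main__":
    for bore in (50.0, 100.0, 300.0):  # constructed bores, mm
        print(bore, pipe_leak_classes(bore))
    print("vessel", vessel_leak_classes())
```

For a 100 mm line the major leak is a 31.6 mm hole and the minor leak a 10 mm hole; for a 300 mm line the major leak is capped at 50 mm and the minor leak is then 15.8 mm, the same as for a vessel.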
LOPA (Layer of protection analysis)
Layer of protection analyses (LOPA) is a semi-quantitative tool for analysing and
assessing risk. LOPA is a simplified form of risk assessment as typically "order of
magnitude" categories for initiating event frequencies, consequence severity and the
likelihood of failure of independent protection layers (IPLs) are taken into account.
Using this information, the risk of a scenario is assessed. The method thus falls in
between qualitative methods like HAZOP, What-If or FMEA and a quantitative
method like QRA.
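The order-of-magnitude arithmetic that the LOPA entry describes is short enough to show end to end: the initiating event frequency and each independent protection layer's probability of failure on demand are each placed in a decade, the product is the mitigated scenario frequency, and the gap to the target frequency says how many further decades of protection are needed. The following Python is an added example, not code from the handbook; the initiating event, the layers and their figures are constructed. Note that for an instrumented layer the PFD is the safety unavailability, PFD = 1 - SI in the glossary's terms, and that the product rule only holds for layers that are independent of each other and of the initiating event.

```python
"""Order-of-magnitude LOPA for one scenario, as described in the glossary entry.

Added example, not from the handbook. The initiating event, the protection layers
and their figures are constructed for illustration. For an instrumented layer the
PFD is the safety unavailability, PFD = 1 - SI (see 'Safety unavailability').
"""
from dataclasses import dataclass
from math import floor, log10


@dataclass(frozen=True)
class IPL:
    """Independent protection layer with its probability of failure on demand.

    Independence of the initiating event and of the other layers is a precondition
    for multiplying the PFDs; it is asserted by the analyst, not checked here.
    """
    name: str
    pfd: float


def decade(x: float) -> int:
    """Exponent k of the order-of-magnitude category 10^k that x is placed in (rounded down)."""
    if x <= 0:
        raise ValueError("frequencies and probabilities must be positive")
    return floor(log10(x) + 1e-9)  # epsilon keeps exact decades such as 0.1 in their own bin


def mitigated_frequency(initiating_event_freq: float, ipls: list[IPL]) -> float:
    """f_mitigated = f_IE x product(PFD_i), every factor taken as an order of magnitude."""
    k = decade(initiating_event_freq)
    for ipl in ipls:
        if not 0.0 < ipl.pfd < 1.0:
            raise ValueError(f"{ipl.name}: PFD must lie in (0, 1)")
        k += decade(ipl.pfd)
    return 10.0 ** k


def decades_short_of_target(initiating_event_freq: float, ipls: list[IPL],
                            target_freq: float) -> int:
    """Further decades of risk reduction needed to reach the target (0 when already met)."""
    return max(0, decade(mitigated_frequency(initiating_event_freq, ipls)) - decade(target_freq))


if __name__ == "__main__":
    # Constructed scenario: level control loop failure (0.1 / yr) leading to overfilling
    layers = [
        IPL("operator response to independent high-level alarm", 0.1),
        IPL("pressure relief valve", 0.01),
    ]
    f_ie, target = 0.1, 1e-5
    print("mitigated frequency / yr:", mitigated_frequency(f_ie, layers))
    print("decades still needed:", decades_short_of_target(f_ie, layers, target))
```

With the constructed figures the mitigated frequency is 10^-4 per year against a 10^-5 target, so one more decade is needed, for instance a SIL 1 trip with a PFD in the 10^-1 band.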
Loss of containment (LOC)
Loss of containment is the top event in a scenario that one aims to prevent from
occurring. Examples of LOC are spills of material, heat radiation and melting of
(electrical) insulation
Lost-time injury (LTI)
Injury at work leading to unfitness for work and absence beyond the day of the
incident
Maintainability

The probability that a failed item will be restored to operational effectiveness within
a period of time when the repair action is performed in accordance with prescribed
procedures.
Materials Compliance Solution
A software database tool consisting of two parts: "Intelligence Authoring" which is a
database and authoring tool for safety data sheets and tremcards, and "Document
Manager" which is a distribution and publishing tool for safety data sheets and
tremcards
Medical treatment case (MTC)
Injury at work (other than LTI and RWC) requiring treatment by a doctor, or nurse in
consultation with a doctor, before the injured person resumes normal work.
Near miss
An unintended incident, which under different circumstances could have become an
accident.
OEL
Occupational exposure limit: maximum allowable concentration of a chemical agent
in the working atmosphere, according to national or EU legislation
Operating instruction:
Document describing the various steps in a particular operation, identifying relevant
requirements and specifying required procedures and corrective action to ensure
controlled operation.
Operating routine
Activity or a succession of activities established to achieve a specific operational
result.
Preventive maintenance
The actions, other than corrective maintenance, carried out for the purpose of
keeping an item in a specified condition.
Probability of Failure on Demand (PFD)
The probability that a safety function fails to perform when it is demanded. With the
definitions used here, PFD = 1 - SI = SU (see Safety integrity and Safety unavailability).
Process risk
Risk related to potential for fire, explosion and/or accidental discharges or acute
exposure to harmful substances (toxic, burning, caustic etc.)
Process safety
Encompasses technical safety, operational safety and personnel safety
Product Stewardship
Management of a product throughout all stages of its lifecycle (development
materials procurement, manufacturing, distribution and use) in a safe way with
respect to health, environment, occupational and public safety, and security.
Protection layer (Independent protection layer, IPL)
See barrier
Proof test
Test performed to reveal undetected faults in a safety system so that, if necessary, the
system can be restored to its designed functionality
Redundancy
The provision of more than one means of achieving a function. Active redundancy
means that all items are in operation prior to failure; standby redundancy means that
replicated items do not operate until needed.
Reflected pressure
The pressure on a structure that is perpendicular to the shock wave.

Reliability
The probability that an item will perform a required function, under the stated
conditions, for a stated period of time. Since observed reliability is empirical it is
defined as the ratio of items which perform their function for the stated period to the
total number in the sample.
Reliability centred maintenance
The application of quantified reliability techniques to optimising discard times,
proof test intervals and spares levels.
Residual risk
The risk remaining after implementing protective measures. It is the residual risk
which is estimated in a risk analysis.
Restricted work case (RWC)
Injury at work that does not lead to absence after the day of the incident, because of
alternative job assignment.
Risk
The probability of specific adverse consequences. Risk can thus be considered as a
function of probability and consequences and describes the chance of realisation of a
hazard.
Risk analysis:
A systematic approach for describing and/or calculating risk. Risk analysis involves
the identification of potential undesired events, and the causes and consequences of
these events.
Risk assessment
The overall process of choosing the risk analysis technique(s), performing the risk
analysis, comparing the result with the risk acceptance criteria (risk evaluation) and
drawing conclusions on the need for risk reduction.
Risk contour
Lines that connect points of equal risk around the facility (iso-risk lines)
Risk evaluation
The process of comparing the results of a risk analysis with risk acceptance criteria
and drawing conclusions on the need for risk reduction.
Risk management
A decision making process where decisions for risk reduction are based on risk
analysis and risk evaluation.
Risk matrix
Matrix for risk acceptance. On the horizontal axis are probabilities of occurrence of
accidents; on the vertical axis are consequences.
Safe failure
Failure which does not have the potential to put the safety system in a hazardous or
fail-to-function state
Safety critical failure
Failure of equipment forming part of a safety system which disables the safety
function, so that the function cannot be carried out when needed.
Safety data sheet
A document consisting of HES information following a prescribed national or
international format as determined by specific legislation governing the labelling,
handling and use of chemical substances and chemical based products.
Safety function
Function to be implemented by a safety system, which is intended to achieve or
maintain a safe state for the process, with respect to a specific hazard.

Safety integrity
Average probability of a safety related system satisfactorily performing the required
safety functions under all the stated conditions within a stated period of time
Safety life cycle
Necessary activities involved in the implementation of safety functions occurring
during a period of time that starts at the concept phase of a project and finishes when
all of the safety functions no longer are available for use
Safety management
Systematic measures undertaken by an organisation in order to attain and maintain a
level of safety that complies with defined objectives.
Safety unavailability (SU)
SU=1- SI (Safety Integrity)
Security breach
Incidents which are illegal acts that, intentionally or by accident, harm Yara's
personnel, property, operations, transport or other interests
Shut down
Unexpected stop of equipment. Shut downs are either spurious or real
Sick leave
All absence that is authorized by a doctor's certificate or by legitimate
self-declaration. Sick leave does not include carer's leave or maternity leave. Sick
leave is recorded in the unit in which the hours worked are recorded.
Side- on pressure
The pressure that would be recorded on the side of a structure parallel to the blast
SIL (Safety Integrity Level, according to the standards IEC 61508 / 61511)
Discrete level of safety integrity. IEC 61508 defines SIL 1 to SIL 4 (1 lowest);
normally only SIL 1 to 3 are in use in the process industry.
Site
Production plant, terminal, warehouse, office.
SJA
Safe job analysis
Societal risk
The relationship between frequency and the number of people suffering from a
specified level of harm in a given population from the realisation of specified
hazards.
Societal risk criteria
Criteria related to the likelihood of a number of people suffering from a specified
level of harm in a given population from the realisation of specified hazards.
Substandard practice and substandard condition (unsafe act and unsafe condition)
A substandard practice (also called unsafe act) refers to behaviour deviating from
an accepted standard, e.g. not following the procedure when carrying out a work
task. A substandard condition (also called unsafe condition) refers to a condition
which deviates from an accepted standard, e.g. an inadequate guard on a machine.
Technical safety
Risk reduction by use of technology. By technology is here meant technological
knowledge and technical systems
TNT equivalency model
An explosion model based on the explosion of a thermodynamically equivalent mass
of TNT
Top event

The selected system outcome whose possible causes are analysed in a fault tree
Transport information
The transport of goods and products is regulated according to international and
national legislation and agreements. An assessment has to be made as to whether a
particular product is classifiable as dangerous goods or not. If a product is
classifiable, then specific transport information has to be entered into the appropriate
Yara product SAP database administered by Yara Operational Shared Services
(OSS) before the product can be transported either by road, rail, sea/waterways, or
air. In addition, it is a legal requirement worldwide that appropriate safety documents
are prepared containing safety information about the product to be transported. These
documents must accompany the shipment and must be written in appropriate
language(s) as stipulated in the international transport regulations.
Tremcard
Transport emergency information which is legally required to be issued to a
transporter of dangerous goods on road, and which shall be available with the driver
of the vehicle under Yara's management.
Trip
As Shut Down
Watchdog
Combination of diagnostics and an output device (typically a switch) for monitoring
the correct operation of the programmable electronic device and taking action upon
detection of an incorrect operation
Wind rose
A plan view diagram that shows the percentage of time the wind is blowing in a
particular direction
Worst credible incident
The most severe incident, considering only incident outcomes and their
consequences, of all identified incidents and their outcomes, that is considered
plausible or reasonably believable.
Worst possible incident
The most severe incident, considering only incident outcomes and their
consequences, of all identified incidents and their outcomes.

4 Risk, risk analyses and safety studies

4.1 Risk identification and risk ranking

Risk identification and (rapid) risk ranking can be performed by use of a risk matrix,
where the identified risks are ranked as low, medium and high as shown in the section
describing risk acceptance criteria.
Risks can also be identified by use of check-lists, as described in a subsequent section.

4.2 Risk acceptance criteria

The consequences from accidents can be categorized as:
- On-site consequences: fatality of plant personnel; personal injury to plant personnel;
  equipment damage; product quality damages; business interruption
- Off-site consequences: death or injury of living beings in the nearby community;
  property damage; business interruption
- Environmental consequences: contamination and damage to nature
The challenges in a risk evaluation of safety functions are:
- to identify the events that can result in unwanted consequences,
- to estimate the frequency with which they are likely to occur, and
- to decide how to prevent or mitigate them.
It is possible to design redundancies and multiple independent layers of protection in
order to bring the risk to a negligible level. However, it should be remembered that
business is about the bottom line, and risk reduction costs money. So a tolerable level of
risk has to be defined and accepted.

4.2.1 Acceptance in connection with risk ranking

For risk ranking, the risk matrix (Table 5) and the consequence class definitions
(Table 6) shown below are used as guidelines for acceptance of on-site risk. Risk
ranking is used both for on-site and off-site risk.

Table 5 Yara Risk Matrix

Frequency classes (horizontal axis):
  Very frequent    > 10 / yr
  Frequent         > 1 / yr
  Probable         > 10^-1 / yr
  Low probability  > 10^-2 / yr
  Unlikely         > 10^-3 / yr
  Most unlikely    < 10^-3 / yr
Consequence classes (vertical axis): Catastrophic, Critical, Dangerous, Some danger,
Minor damage (defined in Table 6).
Each cell of the matrix is marked HIGH RISK, MEDIUM RISK or LOW RISK; the shading of
the individual cells is not reproduced in this text version.

Table 6 Consequence class definitions

Level | HES (people) | Environment | Material values: description | Cost
Catastrophic | Several fatalities | Damage with recovery time more than 5 years. International public attention | Major plant damage, complete demolition of plant. Production cessation | > 10M
Critical | One fatality | Damage with recovery time less than 5 years. Evacuation of neighbourhood required. National public attention | Major damage to equipment, break-down of main process equipment like reactors, crackers, pipelines etc. Major quality or production loss | < 10M
Dangerous | Permanent injury | Damage with recovery time less than 2 years. Warning of neighbourhood required. Local public attention | Considerable damage to equipment, ruptures etc. Considerable quality or production loss | < 1M
Some danger | Medical treatment | No durable damage. Release causing unpleasant smell outside site area | Minor damage to equipment, fire of limited extent, emission of toxic, flammable or hot substances etc. Small quality or production loss | < 0.1M
Minor | First aid | Insignificant damage. No external reaction | Insignificant damage, small emission of water, air, nitrogen, steam etc. No quality or production loss | < 10 000

Typical areas where the risk matrix is recommended for use are shown in the table
below.

Table 7 Typical areas where the risk matrix is recommended for use

Use of risk matrix | Description
1 Identification of safety critical parts in production system | process unit; main equipment
2 Identification of risk in fertilizer storages | fire; explosion; decomposition
3 Identification of risk from process equipment, pipes and pipelines | leakage; fires; explosions; toxic gas release
4 Identifying needs for safety barriers | preventive: instrument based, safety relief devices; mitigating: gas detection, fire extinguishing, fire walls / cells, bunds
5 Application on technical installations | fire cells; fire detection

A form for reporting risk ranking is shown in the table below.

Table 8 Form for reporting risk ranking

Ref | Event | Cause | Probability (0-5) | Consequence description | Consequence (1-5) | Comments

4.3 On-site risk acceptance (Yara Green Rule)

For on-site risk acceptance, the control room criterion applies.
Control rooms, office buildings etc.
For any control room, office or other building on site where people normally will be
present, the aggregate probability of accidents occurring at the facility which will
cause destruction beyond repair and / or multiple fatalities inside the building should
not exceed 10^-4 per year.

4.4 Off-site risk acceptance (Yara Green Rule)

Off-site risk can be presented in two forms: individual risk and societal risk. The
individual risk is defined as the chance that a person staying permanently at a fixed
location is killed as a result of an accident. Guidelines for acceptance are presented
below.
1 Societal risk, related to F / N curves
The societal risk describes the frequency F of an accident that causes N or more
fatalities (F / N curves). The limit for societal risk is set at F = 10^-3 / N^2 per year
as a guideline. For example, this means that the frequency of accidents causing 20 or
more fatalities should not exceed 2.5 x 10^-6 per year.

Figure 1 Societal risk, F / N curve

2 Individual risk
No single residential area or public assembly area should be exposed to fatal
exposure levels caused by major accidents at the site with a frequency greater than
10^-5 per year.
It should be remembered that this is the total risk exposure from the plant; it cannot
be applied directly to the risk from a single scenario.
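The three Green Rule checks above, and the class indices of the Table 8 ranking form, are all sums over the same scenario list, so they are best done together. The following Python is an added example, not code from the handbook; the scenario list is constructed. The numeric class indices follow the ranges on the Table 8 form (probability 0-5, consequence 1-5); that 0 is "most unlikely" and 5 is "very frequent" / "catastrophic" is an assumption made here, and the high / medium / low assignment of the matrix cells is read off Table 5 rather than encoded. The constructed scenario set passes the control room criterion and the F / N guideline but breaches the individual risk limit, which is why 4.4 states both off-site criteria.

```python
"""Risk ranking classes (Tables 5, 6 and 8) and the Yara Green Rule checks of 4.3 and 4.4.

Added example, not from the handbook. The scenario list is constructed. Class
indices follow the Table 8 form (probability 0-5, consequence 1-5); the ordering
0 = most unlikely, 5 = very frequent / catastrophic is assumed here.
"""
from dataclasses import dataclass

# Table 5 frequency classes: (lower bound per year, exclusive), index, name
FREQUENCY_CLASSES = [
    (10.0, 5, "Very frequent"),
    (1.0, 4, "Frequent"),
    (1e-1, 3, "Probable"),
    (1e-2, 2, "Low probability"),
    (1e-3, 1, "Unlikely"),
]

CONTROL_ROOM_LIMIT = 1e-4  # 4.3: aggregate frequency per year, per building
INDIVIDUAL_LIMIT = 1e-5    # 4.4: residential / public assembly area, per year


def frequency_class(f_per_year: float) -> tuple[int, str]:
    for bound, index, name in FREQUENCY_CLASSES:
        if f_per_year > bound:
            return index, name
    return 0, "Most unlikely"


def people_consequence_class(fatalities: int, permanent_injury: bool = False,
                             medical_treatment: bool = False) -> tuple[int, str]:
    """HES (people) column of Table 6."""
    if fatalities > 1:
        return 5, "Catastrophic"
    if fatalities == 1:
        return 4, "Critical"
    if permanent_injury:
        return 3, "Dangerous"
    if medical_treatment:
        return 2, "Some danger"
    return 1, "Minor"


@dataclass(frozen=True)
class Scenario:
    ref: str
    event: str
    cause: str
    frequency: float              # per year
    onsite_fatalities: int        # inside the control room
    destroys_control_room: bool   # destruction beyond repair
    offsite_fatalities: int       # in the nearby residential area
    fatal_offsite_exposure: bool  # fatal exposure level reached in that area


def ranking_row(s: Scenario) -> dict:
    """One line of the Table 8 reporting form."""
    p_idx, p_name = frequency_class(s.frequency)
    c_idx, c_name = people_consequence_class(max(s.onsite_fatalities, s.offsite_fatalities))
    return {"Ref": s.ref, "Event": s.event, "Cause": s.cause,
            "Probability (0-5)": p_idx, "Consequence (1-5)": c_idx,
            "Comments": f"{p_name} / {c_name}"}


def control_room_frequency(scenarios) -> float:
    """4.3: aggregate frequency of scenarios that destroy the building and/or cause multiple fatalities inside it."""
    return sum(s.frequency for s in scenarios
               if s.destroys_control_room or s.onsite_fatalities >= 2)


def fn_limit(n: int) -> float:
    """4.4 societal guideline F = 10^-3 / N^2 per year."""
    return 1e-3 / n ** 2


def societal_frequency(scenarios, n: int) -> float:
    """F(N): frequency of accidents causing N or more off-site fatalities."""
    return sum(s.frequency for s in scenarios if s.offsite_fatalities >= n)


def societal_breaches(scenarios) -> list[int]:
    """N values at which F(N) exceeds the guideline. F(N) is a step function that only
    changes at N values that occur, and the limit falls with N, so checking those N suffices."""
    ns = sorted({s.offsite_fatalities for s in scenarios if s.offsite_fatalities > 0})
    return [n for n in ns if societal_frequency(scenarios, n) > fn_limit(n)]


def individual_risk(scenarios) -> float:
    """4.4 individual risk: total frequency of fatal exposure at the residential area."""
    return sum(s.frequency for s in scenarios if s.fatal_offsite_exposure)


SCENARIOS = [  # constructed figures, not plant data
    Scenario("S1", "Ammonia storage tank major leak", "Nozzle failure", 1e-6, 0, False, 20, True),
    Scenario("S2", "AN storage explosion", "Fire in storage", 1e-7, 3, True, 50, True),
    Scenario("S3", "Reformer fire", "Tube rupture", 5e-3, 0, False, 0, False),
    Scenario("S4", "Nitric acid line rupture, NOx cloud", "Corrosion", 1e-5, 0, False, 2, True),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(ranking_row(s))
    print("control room criterion met:", control_room_frequency(SCENARIOS) <= CONTROL_ROOM_LIMIT)
    print("societal breaches at N =", societal_breaches(SCENARIOS))
    print("individual risk:", individual_risk(SCENARIOS), "limit:", INDIVIDUAL_LIMIT)
```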

5 Hazards and consequences related to production activities

The production processes are highly automated and controlled from control rooms.
Dangerous substances are handled in a safe way, but hazards are present since large
quantities are involved, often under high pressure or high temperature.
Characteristics of the most important production methods are shown in the table below.
Table 10 Characteristics of the most important production methods

Production | Characteristic
Ammonia production | Based on hydrocarbons. High pressure and temperature. Large amounts of ammonia stored and transported
Nitric acid production | Based on ammonia. High pressure and temperature
Ammonium nitrate production | Based on ammonia and nitric acid. Reactors, heaters and tanks with temperatures near / up to the stability point. Large explosion potential
CAN production | Based on ammonium nitrate and fillers. Stable substance
NPK production | Based on nitric acid or phosphoric acid and nutrient salts. Decomposition due to operational failure can cause large toxic releases
CN production | Based on nitric acid, ammonia and calcium. Decomposition due to operational failure can cause large toxic releases
The production activities, associated hazards and consequences are shown in Table 11
below. With regard to risk and safety studies the hazards are of five categories:
- Fire
- Explosion
- Toxic release
- Decomposition
- Production shut down
Production shut down is not listed as a hazard in the table for the different production
processes, but it is a consequential effect of all the other hazards.
Consequences can be divided into the following categories:
- Internal, affecting employed and hired people, assets and production regularity
- External, affecting external people, the environment and businesses outside the site
High internal or external consequences can cause fatalities, lasting environmental
effects and large economic losses due to production shut down.
Hazards and possible consequences for the different production activities are shown in
the table below.

Table 11 Production activities, storages, hazards and possible consequences

Production activity and storage | Hazard | Possible consequences
Ammonia
  Feed gas transport | Fire, explosion | Internal, high
  Feed gas storage | Fire, explosion | Internal, high
  Production plant incl. noble gas, metals | Fire, explosion, toxic release | Internal, high
  Ammonia pipeline, loading | Toxic release | External, high
  Ammonia storage tanks | Toxic release | External, high
  Ammonia transport | Toxic release | External, high
Nitric acid
  NA production plant, incl. N2O4 | Fire, explosion, toxic release | Internal
  NA tanks | Toxic release | Internal
  NA and N2O4 transport | Toxic release, N2O4 explosion | External, high
Ammonium nitrate (AN)
  AN plant | Fire, explosion | Internal, high
  AN tanks | Toxic release | Internal
  AN storages | Explosion | External, high
  AN transport | Explosion | External, high
CAN
  CAN production | Fire | Internal
  CAN storage | Decomposition and toxic release | Internal
  CAN transport | Decomposition and toxic release | External
NPK
  NPK production plants | Fire, explosion, toxic release | Internal
  NPK storage | Decomposition and toxic release | External
  NPK transport | Decomposition and toxic release | External
  Phosphoric acid production | Toxic release | Internal
  Phosphoric acid tanks | Toxic release | Internal
  Sulphuric acid tanks | Toxic release | Internal
CN
  CN production plant | Fire, explosion | Internal
  CN storage | Fire, decomposition and toxic release | Internal
  CN transportation | Fire, decomposition and toxic release | Internal
Urea
  Urea production plants | Fire, explosion | Internal

  Urea storage | No | -
  Urea transport | No | -
Power, control, utilities, buildings, conveyor belts
  Power generation, distribution | Fire, explosion, production shut down | Internal, high
  Control systems | Fire, explosion, production shut down | Internal
  Steam generation | Fire, explosion, production shut down | Internal
  Buildings, structures | Fire | Internal, high
  Conveyor belts | Fire | Internal, high
Others
  CO2 production | Toxic release | Internal
  CO2 tanks | Toxic release | Internal
  CO2 transport | Toxic release | Internal
  Salt of hartshorn coating tanks | Fire | Internal
  Loading stations, formic acid, nitric acid | Toxic release |

5.1 Hazard identification by check lists

The purposes of checklists are:
- Identify hazards
- Identify and check protection
- Stand-alone tool for audits, safety inspections and small plants
- Support tool for identifying hazards and needs for protection in HAZOP and Safe Job
  Analyses
- Preliminary mapping (for further risk studies) of hazards and safety critical parts of
  process plants

5.1.1 Simple check-list

The table below shows a simple check-list.
Table 12 Simple checklist

Hazard | Possible impact (only acute effects on people)
1. Collision | people, material values
2. Falling
   A. on the same level | people, material values
   B. to a lower level | people, material values
   C. stumbling | people
3. Hitting against something | people, material values
4. Squeezing, pinching | people
5. Impact
   A. from moving object | people, material values
   B. flying object, fragment | people, material values
6. Contact
   A. with sharp object | people
   B. with electric conductor | people
   C. with hot surface / fluid | people
   D. with dangerous chemical (fluid) | people
   E. with corrosive chemicals | people
7. Exposure
   A. to dangerous gas, smoke | people
   B. to steam | people
   C. to dust | people
   D. to dangerous light | people
8. Choking (reduced oxygen content) | people
9. Drowning | people
10. Fire, explosion | people, material values
11. Radiation | people
12. Crime | people, material values
13. Biological threats | people
14. Flooding | environment, material values
15. Landslide, avalanche | environment, material values
16. Release
   A. of chemical dangerous for the environment | environment
   B. of oil | environment
   C. of dust | environment
17. Collapsing | material values
18. Late delivery | material values

5.1.2

Comprehensive checklist
A comprehensive checklist is shown below. The checklist is divided into the following
nine categories:
1. Materials
2. Material Handling
3. Storage
4. Reactions
5. Equipment
6. Instrumentation
7. Pressure Relief
8. Utility Systems
9. Fire Protection
Under each category several "Items" are listed in the left column with "Subjects to be
investigated" in the right column. In some cases several items are to be checked against
the same group of subjects. Each item in the left column should be checked against each
subject in the right column of the same row.

Table 13 Comprehensive checklist

1. Materials
   Items: Raw materials; Intermediate materials; End products; By-products; Waste
   Subjects to be investigated:
   - Toxicity, flammability
   - Reactions, decompositions
   - Corrosiveness
   - Long-term storage behaviour
   - Total amount, possible reductions

2. Material handling
   Items: Transport, container; Pumping; Road/rail transport; Ship transport
   - Overfilling protection
   - Spill collection
   - Leak detection
   - Cleaning/inspection
   - Procedures
   Item: Crane handling
   - Dropped load and potential targets
   Item: Conveyor belts
   - Stop devices, guards

3. Storages
   Items: Storage tanks; Dikes; Storage halls; Silos
   - Overfilling protection
   - Fire protection
   - Explosion venting
   - Inerting/purging/blanketing
   - External mechanical impact
   - Cleaning/inspection
   - Freezing/overheating
   - Deterioration of contents

4. Reactions
   Items: Hazardous reactions; Combustible mixtures; Runaway reactions
   - Unintentional mixing
   - Wrong materials/contaminants
   - Wrong proportions
   - Deviation of process parameters
   - Unknown kinetics
   - Pump/agitator failure
   - Flow blockage
   - Isolation to stop reaction
   - De-pressuring/draining to stop reaction

5. Equipment
   Items: Vessels; Columns; Heat exchangers; Piping; Ducts; Valves; Machinery
   - Design, size
   - Material selection (corrosion)
   - Over pressure protection
   - Level, temperature protection
   - Reverse flow protection
   - Emergency isolation (remotely)
   - Emergency de-pressuring (remotely)
   - Vent and drain possibilities
   - Isolation for maintenance
   - Potential leaks: glass components, small-bore connections
   - Inspection and maintenance
   - Compliance with codes
   - Certificates
   Items: Piping; Valves
   - Thermal stresses, movement, support, freeze protection, flushing
   - Maintenance: accessibility, bypass and isolation
   - Fail safe in case of power failure
   - Function testing
   - Interlock against unintentional opening/closing
   Item: Heat exchanger
   - Tube rupture protection

   Item: De-super-heater
   - Too much/too little cooling liquid flow
   Item: Rotating machinery
   - Mechanical de-coupling from piping
   - Safety margin to critical speed
   - Reverse flow protection
   - Surge protection (minimum flow)
   - Reaction to sudden power failure/trip
   - Maintenance: isolation, start-up of

6. Instrumentation
   Items: Sensors; Signal transmission; Signal processing; Status display; Alarms;
   Automatic actions; Actuators; Power supply
   - Function separation (survey, process control, safety)
   - Common cause failures
   - Redundant systems
   - Redundant power supplies
   - Fail safe principle
   - Spurious trips
   - Temporary non-availability (repair/calibration)
   - Environmental effects
   - Classification for hazardous area
   - Man-machine interface
   - Procedures for commissioning, operation, maintenance
   - Reset of trip bypass
   - Tagging, documentation
   - Logic charts (cause/effect)

7. Pressure relief
   Items: Relief valves; Vacuum breakers; Rupture disc; Liquid seals
   - Installed where required, e.g. on all sections/vessels that can be overpressurised by
     equipment malfunction or operator error
   - Sizing criteria
   - Safe discharge without personal exposure
   - Blocking by solids (ice, sediments)
   - Drain points in discharge lines
   - Maximum back pressure in flare system
   - Maintenance: testing, repair, written procedure, interlock
   - Redundancy: spare device
   Item: Liquid seals
   - Procedure for checking liquid level

8. Utility systems
   Items: Electric power; Steam; Cooling medium; Heating medium; Air (instrument + plant);
   Chemicals
   - Reliability of supply
   - Normal load/emergency load
   - Consequences of failure of one utility
   - Common cause failures
   - Consequences of failure of several utilities
   - Fail safe principle
   - Start-up/shut down
   - Maintenance/repair without process interruption
   Items: Electric power; Steam
   - Potential ignition source
   - Classified equipment in hazardous areas
   - Thermal isolation of hot piping
   - Freeze protection of dead legs
   - Risk for burns at tap points
   - Tube ruptures in heat exchangers (pressure/contamination)
   Items: Cooling medium; Chemicals
   - Tube ruptures in heat exchangers
   - Freeze protection (if water)
   - Maximum delivery pressure relative to design pressure of the section into which the
     chemical is injected
   - Back flow protection
   - Isolation in emergency

9. Fire protection
   Item: General measures
   - Reduce inventory of flammables

   - Avoid leaks
   - Avoid ignition sources
   - Prevent fire propagation
   - Limit heat load from design fire by spacing
   - Provide easy access for fire fighting
   Item: Water main
   - Security of supply (pond, sea, public)
   - Two independent routes of supply
   - Sectioned ring main
   - Capacity related to maximum demand scenario
   - Freeze protection
   - Low pressure alarm
   - Procedure for regular testing, including pumps
   - Pumps protected from fire/explosion
   - Pump redundancy, including drive and power supply
   Item: Hydrants
   - Number and location
   - Maximum distance to object: hose length limitations
   - Minimum distance to object: heat load
   Item: Sprinklers
   - Number and location
   - Hazard category: low/medium/high
   - Capacity (mm/min = l/m2 min) according to hazard category
   Item: Water spray cooling
   - Pressurised storage of flammables
   - Important structural members
   - Water impact on all heat exposed sides
   - Capacity (l/m2 s) according to heat flux in maximum scenario
   Items: Foam systems; Water mist systems; Nitrogen, inergen systems; Dual agent systems;
   Portable systems
   - Number, type, location
   - Capacity
   - Maintenance procedures
   - Test procedures
   Item: Fire detectors
   - Number, type, location
   - Reliability (function on demand)
   - Spurious trips due to open flames, sunlight
   - Voting logic
   Item: Manual alarms
   - Number, location
   Item: Alarm system
   - Visual/acoustic alarm in Central Control Room (CCR)
   - Visual/acoustic alarm in plant
   - Communication CCR/plant and vice versa
   - Public address system
   - Telephone, UHF radio
   - External assistance
   Item: Fire proofing
   - Important structural members potentially exposed to gas fires and liquid pool fires,
     and sufficient height above ground. Insulation sufficient to limit steel temperature
     to < 450 C in the maximum duration fire
   Item: Liquid drain
   - Drain escaped flammable liquid away from the hazardous area

5.2 Hazard and Operability Studies (HAZOP)


This chapter describes HAZOP. The hazard analysis and critical control points
(HACCP) approach [Council Directive 93/43/EEC] for food processing is similar; it is
not described in this chapter.
The basic concept of a HAZOP study is to identify hazards which may arise within a
specific system or as a result of system interactions with an industrial process. This
requires the expertise of a number of specialists familiar with the design and operation
of the plant. The team of experts systematically considers each item of the plant,
applying a set of guidewords to determine the consequences of operating outside the
design intentions. Because of the structured form of a HAZOP, a number of terms need
to be clearly defined; they are given in the table below.
Table 14 HAZOP terms

HAZOP term | Explanation
Cause | Reasons why a deviation might occur.
Consequence | Result of a deviation.
Deviation | Departure from the design intentions, discovered by systematic application of the guidewords.
Hazard | Consequence which can cause damage, injury or loss.
Guideword | Simple word used to qualify the intention and hence the deviation.
Node | In a process the main mode of operation can be examined by working downstream through the plant a node at a time. A node could be a line connecting vessels; it may incorporate a simple vessel such as a heat exchanger. It could be a vessel itself, particularly where some significant process change occurs in the vessel.
Parameter | Variable, component or activity referred to in the study.

The list of guidewords is shown in the table below.

Table 15 Explanation of guidewords

Guideword | Explanation
No / Not | No flow, pressure, etc.
More | High flow, high pressure, etc.
Less | Low flow, low pressure, etc.
As well as | Material in addition to the normal process fluids.
Part of | A component is missing from the process fluid.
Reverse | Reverse flow of process fluids.

A list of possible parameters is given in the table below:

Table 16 Possible HAZOP parameters

Flow, Pressure, Temperature, Mixing, Stirring, Transfer, Level, Viscosity, Reaction,
Composition, Addition, Separation, Time, Phase, Speed, Particle size, Measure, Control,
pH, Sequence, Signal, Start / stop, Operate, Maintain, Services, Communication

As described below, HAZOP is the systematic application of meaningful combinations of
guidewords and parameters.

5.2.1 HAZOP study work process

HAZOP studies are carried out by multi-disciplinary teams, the members of the team
providing a technical contribution or a supporting role.
For the HAZOP team the following requirements are mandatory:
- Thorough knowledge of the actual P&ID
- Thorough knowledge of operation and maintenance of the process
- The team is led by a person with thorough experience in the use of HAZOP analysis
As a minimum the team shall consist of:
- Safety expert (HAZOP leader)
- Process expert
- Operation expert
- Instrument expert
It is necessary that the team leader is independent of the task issuer. The leader shall
preside over the meetings in such a way that all sides of the questions raised are
brought to light. The group must not become absorbed in problems that cannot be
resolved in the meeting. The attitude of the team is not only the responsibility of the
team leader; the members must also be aware of the danger of a defensive attitude in
relation to their own discipline or field of work. It can easily happen that people
become "plant blind", that is, they lose the ability to see weaknesses in their own
process or project, so independent persons should attend. The work periods between
breaks should not be too long: more than two hours of continuous work is not
recommended, since the process requires alertness and creative thinking.
For each node the following is clarified in a structured way:
1. Node number and description
2. Design intent; description of how the node functions
3. Deviations
4. Causes; some can be classified as unrealistic and later rejected
5. Consequences which cause damage, injury or loss
6. Existing safeguards to reduce risks
7. Recommendations to improve safety, if evaluated to be necessary
The team goes systematically through the process, applying the guidewords to the
parameters as recommended, in the following order:
1. Changes in flow
2. Changes in physical condition
3. Changes in chemical condition
4. Start-up and shut-down
5. Changes in vessel condition
6. Effluents
7. Emergencies
A recommended work process is shown in figure 2 below. Meaningful combinations of
parameters and guidewords are shown in table 17.

Figure 2 Flow diagram for the HAZOP analysis of a node (steps of the flow diagram):
1. Define the node
2. Describe and discuss the node, determine the design envelope
3. From the description and design, select a parameter
4. Combine this parameter with a guideword to a meaningful deviation
5. Seek a possible cause of the deviation and identify the consequences
6. Evaluate the safeguards, decide if adequate or if a change or further study is needed. Record
7. Have all the causes for the deviation been considered?
8. Does any other guideword combine with this?
9. Are there further parameters to consider?
10. Examination of the node is complete


Table 17 Recommended HAZOP work process for P&IDs: guidewords and meaningful
combinations of parameter and guideword, with descriptions

For every process stream
Changes in flow
  A Too high flow: Pump raising, delivery vessel pressure high, low pressure downstream, leakage heat exchanger
  B Too low flow: Pump stop, scaling, blockage, poor suction, cavitation, leakage heat exchanger, drain open, valve partly open
  C No flow: Pump failure, blockage, closed valve, empty suction vessel
  D Reverse flow: Pump failure, receiving tank high pressure, loss of pressure upstream, siphoning
Changes in physical condition
  A High/low pressure, B High/low temperature: Boiling, cavitation, freezing, chemical breakdown, flashing, condensing, sedimentation, scaling, foaming, gas release, priming, explosion, imploding. Changes in viscosity, density. External fire. Weather condition
  C Static electricity: Ignition source, electrical impulse to personnel
Changes in chemical condition
  A High/low concentration: Changes in properties of mixture (water, solvents)
  B Contaminants: Ingress of air, water, steam, fuel, lubricants, corrosion products, other process materials from higher pressure systems, leakage in heat exchanger

For vessels
Start-up and shutdown
  Testing: Vacuum, pressure testing, high/low drains and vents
  Start-up: Concentration of reactants and intermediates
  Maintenance: Purging, venting, sweetening, drying, warming, access, spares
Changes in vessel condition
  High/low reaction: Foaming, other reactions, run away, gassing, exothermic or endothermic reactions, stability, catalyst influence
  High/low mixing: Failure of mixer, vortex formation, settling, erosion
  High/low level: Flooding, siphoning, corrosion, sludge accumulation
  High/low temperature and pressure: Equipment design, use of steam cleaning, condensing gases, loss of cooling water. Philosophy and capacity of relief systems
Effluents
  Compatibility: Reaction in culverts, drains, sewers, collecting mains
  Drain connections, washing connections, traps, vents, rousing connections, stacks, flares

For whole section/stage
Emergencies
  Failure of power, working air, steam, nitrogen, ventilation, control- or shutdown system:
  Consider total and part failure
  Consider lighting of plant, instrument panels, and power for alarms, trip systems, and control system. General emergency plan
  Necessary reliability of control and trip systems, common failure of control and trip systems
  Procedures and communication systems, co-ordination with other plants


5.2.2 Operating procedures
In a procedural sequence, the parts under examination during the HAZOP process are
the relevant sequential instructions. In addition to the standard guidewords, "Out of
sequence" and "Missing" can be productive. In the list of parameters, the phrase
"complete the step" can be used to good effect, as it combines meaningfully with the
guidewords No, More, Less, Reverse, Part of, As well as, Out of sequence and Missing.
A major difference from process studies is that many of the causes of deviation are
related to human actions. These may be of omission or commission. Other possible
causes include poorly written procedures; difficulties caused by poor layout, bad
lighting and parameter indicators with limited or poor ranges; or too many alarms.
Example. A HAZOP study on an operating procedure is illustrated by the example below.
We consider a small batch process for the manufacture of a safety critical component. The
component must meet a tight specification in both its material properties and its colour.
The processing sequence is as follows:
1. Take 12 kg of powder "A"
2. Place in blender
3. Take 3 kg of colorant powder "B"
4. Place in blender
5. Start blender
6. Mix for 15 minutes; stop blender
7. Remove blended mixture into 3 x 5 kg bags
8. Wash out blender
9. Add 50 l to mixing vessel
10. Add 0.5 kg of hardener to mixing vessel
11. Add 5 kg of mixed powder ("A" & "B")
12. Stir for 1 minute
13. Pour mixture into moulds within 5 minutes
A HAZOP study is carried out to examine ways in which below-specification material may
be produced.
Recommended actions from a HAZOP of this operation can be:
Check quality assurance procedures at manufacturer
Check if powder A may be contaminated by spills, leakages or operator errors
Discuss if critical control point should be implemented after step 7
Implement a safeguard against adding too much hardener in step 9.

5.2.3 Computer-controlled processes
It is strongly recommended to use only standardised and well-proven computers on
safety critical processes. This implies use of one of the two following systems,
depending on process complexity and hazard potential in the processes:
PLC for monitoring, control, sequencing and safety functions
Separate control and shut-down systems, with
  DCS for alarm, monitoring and control functions
  Certified shut-down systems for safety functions of SIL level 1, 2 or 3


If standard computers are used for process control applications, techniques for
avoidance and detection of, and action on, a failed state are embedded. The HAZOP team
should decide:
whether outputs from the computer have to be
  fail safe, that is causing valves to go to the safe position, or
  incremental, that is causing valves to freeze in their current position
whether a back-up function is needed in case of computer failure, for
  manual control
  information
  safety functions
whether redundancy in the computer system is needed for
  availability reasons, that is avoiding a production stop in case of failure of a single
  computer
  safety reasons, that is either
    monitoring by a watchdog (or equivalent) with alarm, so that the operator can take
    the necessary actions, or
    SIL 1, 2 or 3 certified computers
To avoid failures in application software the following shall be applied:
verification of the programme by an independent person
routines for loop test prior to start-up
routines for periodic proof test after operation has started, to detect possible failures
which can arise due to changes, maintenance failures or component failures
Special attention must be paid to sequencing systems, since control of sequential
processes is often more complicated than control of continuous processes. Safety critical
points are:
Operator intervention, such as manual control or bypassing of steps
Handling of reset and acknowledge functions and test signals in relation to
automatic flags; these must be discussed
Programmers and operators must participate in the HAZOP meetings.
5.2.4 Documentation needed for a HAZOP study
Necessary documentation to conduct a HAZOP constitutes:
Process flow diagrams
Process and Instrument Diagrams (P&ID)
Risk and safety studies (HAZID, RR, QRA)
Safety shut down diagrams
Operational and emergency procedures
Chemical data sheets
Area safety drawings

5.2.5 Recording of the HAZOP work
HAZOP reports shall comprise
Reference to P&ID, number, version and date
Date when HAZOP conducted
For each entry reference to:

Process equipment, by functional location
Parameter and guideword
Cause
Possible consequence
Action; recommendation to safeguard or other action or comment
Responsible for carrying out decided action
Time limit for carrying out the decided action

It is underlined that all guidewords shall be covered in the study. However, not all
guidewords have to be reported. Three levels of reporting are possible:
record by exception, that is only when an action results
intermediate record, that is where an action results, where a hazard exists or
where a significant discussion takes place
full record
Recording by exception requires an entry only when the team makes a recommendation.
This level can be used in existing processes with long operational experience.
At the intermediate level, a record is generated whenever there is any significant
discussion by the team, including those occasions where there is no associated action.
These include deviations identified by the team which, though realistic and
unanticipated in the original design work, happen to be adequately protected by the
existing safeguards. This level is generally recommended.
In full recording, an entry is included for every deviation considered by the team, even
when no significant causes or consequences were found. At this level, each parameter is
recorded with each guideword for which the combination is physically meaningful. This
level should only be used in process units that need to demonstrate the highest possible
standard of safety management.
But as underlined above, all guidewords have to be discussed. It is assumed that a
guideword not reported has been discussed and that no deviation, comment or observation
was found.
A table for recording of HAZOP is shown in table 18 below.
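Sections 5.2.1, 5.2.2 and 5.2.5 together describe a mechanical procedure: enumerate the meaningful guideword/parameter combinations for a node, record what the team finds, and report at one of three levels while still showing that every guideword was discussed. The Python module below is an added example, not a Yara tool or code from the handbook; the guideword/parameter applicability matrix, the node V-101 to E-102 and its entries are constructed assumptions.

```python
"""Enumerating and recording HAZOP deviations (PSHb 5.2.1, 5.2.2 and 5.2.5).

Added example, not a Yara tool. The guidewords are those of Table 15 plus the
two procedure guidewords of 5.2.2. Which guidewords combine meaningfully with
which parameter is an assumption, simplified from Tables 15 and 17. The node,
its causes, safeguards and recommendations are constructed sample input.
"""
from dataclasses import dataclass, field
from itertools import product

GUIDEWORDS = ("No / Not", "More", "Less", "As well as", "Part of", "Reverse")
PROCEDURE_GUIDEWORDS = GUIDEWORDS + ("Out of sequence", "Missing")

# Assumed meaningful combinations: "Reverse" only for flow, "As well as" and
# "Part of" only where a composition can change. "Complete the step" combines
# with every guideword, as section 5.2.2 states for procedure studies.
MEANINGFUL = {
    "Flow": {"No / Not", "More", "Less", "As well as", "Part of", "Reverse"},
    "Pressure": {"More", "Less"},
    "Temperature": {"More", "Less"},
    "Composition": {"More", "Less", "As well as", "Part of"},
    "Level": {"No / Not", "More", "Less"},
    "Complete the step": set(PROCEDURE_GUIDEWORDS),
}


@dataclass
class Entry:
    """One line of the Table 18 recording form."""
    node: str
    parameter: str
    guideword: str
    causes: list = field(default_factory=list)
    consequences: list = field(default_factory=list)
    safeguards: list = field(default_factory=list)
    recommendations: list = field(default_factory=list)
    significant_discussion: bool = False
    discussed: bool = False

    @property
    def deviation(self) -> str:
        return f"{self.guideword} {self.parameter}"


def enumerate_deviations(node: str, parameters, procedure: bool = False) -> list:
    """Every physically meaningful guideword/parameter combination for a node."""
    words = PROCEDURE_GUIDEWORDS if procedure else GUIDEWORDS
    return [Entry(node, p, g) for p, g in product(parameters, words)
            if g in MEANINGFUL.get(p, set())]


def not_yet_discussed(entries) -> list:
    """Section 5.2.5: every guideword must be discussed, reported or not."""
    return [e.deviation for e in entries if not e.discussed]


def select_for_report(entries, level: str) -> list:
    """The three reporting levels of section 5.2.5."""
    if level == "exception":        # only where an action results
        return [e for e in entries if e.recommendations]
    if level == "intermediate":     # action, hazard or significant discussion
        return [e for e in entries
                if e.recommendations or e.consequences or e.significant_discussion]
    if level == "full":             # every meaningful deviation
        return list(entries)
    raise ValueError(f"unknown reporting level {level!r}")


def to_rows(entries) -> list:
    """Rows in the column order of Table 18, one dict per entry."""
    return [{"Guideword and deviation": e.deviation,
             "Cause(s)": "; ".join(e.causes),
             "Consequence(s)": "; ".join(e.consequences),
             "Safeguard(s)": "; ".join(e.safeguards),
             "Recommendation(s) / Comment(s)": "; ".join(e.recommendations)}
            for e in entries]


def build_sample_study() -> list:
    """Constructed node: feed line from vessel V-101 to heat exchanger E-102."""
    entries = enumerate_deviations("Node 1: feed line V-101 to E-102",
                                   ["Flow", "Pressure", "Temperature"])
    by_dev = {e.deviation: e for e in entries}
    e = by_dev["No / Not Flow"]
    e.causes = ["pump failure", "closed valve", "empty suction vessel"]
    e.consequences = ["E-102 tubes overheat, risk of tube rupture"]
    e.safeguards = ["low flow alarm"]
    e.recommendations = ["add low-flow trip of the heating medium"]
    e = by_dev["Reverse Flow"]
    e.causes = ["loss of pressure upstream", "siphoning"]
    e.consequences = ["contamination of V-101"]
    e.safeguards = ["check valve in line"]
    e.significant_discussion = True     # judged adequately protected, no action
    by_dev["More Pressure"].significant_discussion = True   # discussed, no hazard
    for e in entries:                   # one deviation still left open
        e.discussed = e.deviation != "Less Temperature"
    return entries


if __name__ == "__main__":
    study = build_sample_study()
    print("still to discuss:", not_yet_discussed(study))
    for level in ("exception", "intermediate", "full"):
        print(f"{level:12s} {len(select_for_report(study, level))} entries")
```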


Table 18 Form for recording of HAZOP
Header fields: Project | Project phase | Ref. | P&ID (no/title) | Date | Node no / description | Design intent
Columns: Pipe, equipment no | Guideword and deviation | Cause(s) | Consequence(s) | Safeguard(s) | Recommendation(s) / Comment(s) | Responsible | Decision / Implemented (Sign, date)


5.3 Criticality ranking for maintenance purposes
This chapter provides guidelines for assessing the risk of failure in plant processing
equipment (loss of equipment integrity and / or function). This implies that non-processing
facilities, like structures, buildings, automobiles, etc., are not dealt with. Nor
are occupational health risks, like exposure to noise, burns caused by contact with hot
surfaces, etc. Nor does the document address risks associated with human errors
(possibility of mal-operation) or external risks, like terror attacks, airplanes falling
down, cars crashing into plant equipment or the like.

5.3.1 Purpose of criticality analysis and risk assessment
The purpose of maintenance is to keep the condition and functionality of the plant's
equipment at an acceptable level, as malfunctioning could adversely affect one or more of
the following values (in descending order of priority):
People's safety and health
Environment
Product quality
Production capability
Assets / property
Some equipment failure scenarios could have an impact on all of the above values.
Other failure scenarios may only affect one or two of them. Some scenarios may have
big and long-lasting consequences whereas others may have a smaller impact. Some
failures are known to happen frequently whereas others only happen once in a blue
moon.
The objective of Risk Assessment is to identify and rank the potential failures, such that
the operation, inspection, condition monitoring and maintenance activities can be
focused on avoiding events associated with unacceptable risk.
A plant's organisation should, in general, pay more attention to elements and activities
involving high risk than to those involving low or no risk. This is the fundamental idea
of so-called Risk Based Maintenance / Inspection / Operation.
As the loss of, say, 100,000 Euro means more to some production sites than to others, and as
local regulations (e.g. allowable emissions) also vary from place to place, the relevant
site management must define what is unacceptable for their site.
This is in principle done in the Business Plan, which outlines the targets for next year's
production volumes as well as safety performance, costs, etc. If the Business Plan
allows only e.g. 15 days loss of production, the availability requirement for the
respective plant becomes (365-15) / 365 = 0.96.
The Business Plan therefore sets the overall production regularity requirement, and the
equipment maintenance program must be designed accordingly within the defined
operating and maintenance cost budgets. A maintenance budget normally contains
planned activities (like periodic jobs) and unplanned activities (corrective maintenance).
Ideally, the corrective maintenance budget should match the plant's total expected and
accepted monetary risk. The table below illustrates how the corrective maintenance
budget, in principle, could be established by use of risk assessment methods:
Table 19 Illustration of corrective maintenance budget established by use of risk
Item | Probability of failure | Monetary consequence per failure | Calculated monetary risk (probability x consequence)
Component A | 0.01 pr. year | 100,000 | 1,000 per yr
Component B | 0.001 pr. year | 2,000,000 | 2,000 per yr
Sum = Total plant | | Budget for corrective mtce: | Sum = 3,000 per yr

Example 1: A shell and tube heat exchanger contains 500 tubes, and the probability (i.e.
frequency) of one tube failing is 0.01 per year (one every 100 years). The total probability
of a tube failure in this heat exchanger then becomes 500 x 0.01 = 5 per year. If the
consequences of a tube rupture are large (e.g. the whole production has to stop because the
final product gets contaminated), the risk of failure (consequence x probability) may be
considered unacceptably high. Some kind of remedy (e.g. a change to another tube material)
should then be evaluated. But if e.g. the tube side carries the same fluid as the shell side,
the immediate consequences of a tube rupture may be minor, especially if the heat exchanger
has some surplus capacity. In this case, therefore, the risk may be regarded as low / acceptable.
Example 2: Two identical pumps are serving two totally different functions. One is
pumping conditioning chemicals into the main process, and the other is pumping water to
the toilets on the 2nd floor of the administration building. It goes without saying that the
first pump requires more attention (periodic inspection, lubrication, etc.) than does the latter.
Also, the response upon failure (the corrective action / maintenance) should be prompt in the
first case, whereas the toilet pump could wait till after the weekend. The probability of
losing the pumping function may be the same for both, but the consequences following a
failure may be regarded as critical for one pump, and non-critical for the other.
Hence, the first pump carries a high risk and the latter a low risk.
Example 3: Two identical water pumps, - one is a hot spare for the other:
The consequences of losing the pumping function may be severe, and hence this function is
seen as critical to the plant operations. But, as the spare pump automatically starts if the
first pump fails the probability of losing the pumping function is very small. (If a standby
pump needs long time to start, it should not be considered as a hot spare). Hence, the risk
(consequence x probability, or criticality x likelihood) is low.
Example 4: Again two identical pumps, one a hot spare for the other, but these are
pumping toxic liquid. The pumps are located near the main control room. The pumping
function is just as critical to the plant operations as the pumps in example 3:
As the liquid is toxic, a potential leak (which is one possible failure) could affect people's
safety as well as the environment (especially if the pumps cannot be quickly isolated).
The probability of failure may be the same as in example 3, but the risk becomes higher
due to the potential safety as well as environment and production impact. Hence, these
pumps will be riskier than the pumps in example 3, and call for even more attention and
closer follow-up through inspection programs.


Example 5: A control valve with a full bore manual globe valve in bypass. The control
valve becomes sticky and / or the valve stem breaks. The consequence of losing the
controlling function may be critical, but it may be possible to uphold the operation by use of
the manual valve (especially if it can be operated from the control room). The probability of
completely losing the controlling function (i.e. losing both the automatic control and
the bypass valve) is, therefore, low. Hence, the total risk could be low / acceptable.

Example 6: Two pipes, both carrying liquid that is potentially harmful to people as
well as the environment. One pipe has a 2" diameter and runs inside a building; the
other is 8" and is located outdoors:
The probability of a leak may (or may not) be different for the two pipes, due to
the different locations causing different external corrosion rates.
The probability of harming people may be higher inside the building than out in
the open, but then again, the wind direction may be unfavourable.
There may be people inside the building, and there may not.
The leak may be small or big, and it may be easy or difficult to isolate.
The volume coming out may be small or big, and there may or may not be
containment / bund walls installed.
There may or may not be detectors installed giving alarm or automatic shutdown
of the whole plant or parts of the plant.
It may or may not be possible to carry out a temporary repair, and the repair may
or may not require scaffolding or other preparations. The repair costs may hence
be high, or not so high.
Etc.
What, then, are the resulting risks of all these eventualities?
Example 6 is meant to illustrate how difficult it sometimes is to foresee and assess all
possible consequences. Evaluating the probability of failure can also be tricky,
although there is a lot of industrial failure statistics available. The example also
illustrates how complicated everything becomes if one attempts to evaluate the potential
consequences and the probability at the same time. It is therefore important that people
with relevant experience and sound judgement carry out the Risk Assessments, and that
the assessments are made in discrete steps (first evaluate the consequence, and then the
probability). Plant personnel know from their own experience what the typical equipment
failures are, their typical frequency and the potential dangers associated with such failures,
the typical consequential stop in production, as well as the typical repair time and cost.
This practical insight must be utilised extensively. Otherwise, Risk Assessments could
easily become a comprehensive and hypothetical exercise.
This risk assessment is not a science offering absolute answers. It is more a tool for
overseeing and managing the plant operations and maintenance.
5.3.2 The risk assessment process
Consequences and probabilities of failures should be assessed separately, as:
The consequence of a loss of function does not depend on the equipment carrying out
the function (if a pumping function is lost, it does not matter whether the pump is of
centrifugal or reciprocating type, or whether the manufacturer is Rheinhütte or
Sunstrand), but
The probability of a loss of function does depend on the actual equipment and the
actual operational conditions.

In order to get the Risk Assessment process started, a number of initial and simplifying
assumptions may be needed. As and when real life experience is gathered and
systemised, these assumptions, and thereby also the risk assessment can be adjusted and
fine-tuned.
It is recommended to break the Risk Assessment into the following steps:
1. Establish Local Acceptance Criteria for the 5 values (people's safety,
environment, product quality, production capability, assets / property).
Examples of criteria are given below.
2. Carry out Criticality Ranking, i.e. assess the potential Consequences of
equipment failure as High (3), Medium (2) or Low (1) and classify the
equipment accordingly as Critical, Important or General, for all the 5 values.
3. Carry out RBI, SIL and RCM methods to estimate the probability and the
resulting Risk of failure (= consequence x probability). Start with the most
critical equipment failures.
This stepwise approach should filter out the non-important matters and set the priorities
for developing maintenance plans / programs. Steps 1) and 2) are further described in
the following chapters, whereas the methods mentioned under step 3) are covered by
separate documents.
5.3.3 Establishing local acceptance criteria
As the loss of, say, 100,000 Euro means more to some production sites than to others,
and as local regulations (e.g. allowable emissions) also vary from place to place, the
relevant site management must define what is acceptable and unacceptable for their
plant(s). The table below shows the principle of assessing consequences.
Table 20 General consequence classification for maintenance purposes

3 Critical / High
  Health, safety and environment: Potential for serious personnel injuries. Renders safety critical systems inoperable. Potential for fire in classified areas. Potential for large pollution.
  Production and/or product quality loss (Note 1): Stop in production / significantly reduced rate of production exceeding X hours (specify duration) within a defined period of time.
  Equipment restoring cost (Note 1): Substantial cost exceeding Y Euro (specify cost limit).
2 Important / Medium
  Health, safety and environment: Potential for injuries requiring medical treatment. Limited effect on safety systems. No potential for fire in classified areas. Potential for moderate pollution.
  Production and/or product quality loss (Note 1): Brief stop in production / reduced rate of production lasting less than X hours (specify duration) within a defined period of time.
  Equipment restoring cost (Note 1): Moderate cost between Z and Y Euro (specify cost limits).
1 General / Low
  Health, safety and environment: No potential for injuries. No potential for fire or effect on safety systems. No potential for pollution (specify limit).
  Production and/or product quality loss (Note 1): No effect on production within a defined period of time.
  Equipment restoring cost (Note 1): Insignificant cost less than Z Euro (specify cost limit).

Note 1: The loss of production and / or product quality should in monetary value comply with the
corresponding cost limits specified for Equipment Restoring Cost.

The table below shows a typical application of the guidelines given above.
Table 21 Example of consequence classification for maintenance purposes

3 Critical / High
  Health, safety and environment: Leakage of hydrocarbons, highly ignitable gases and other flammable media; liquid / steam above 50 °C or 10 bar; toxic gas and fluids; chemicals harmful to the environment.
  Production and/or product quality loss: More than 100,000 Euro
  Equipment restoring cost: More than 100,000 Euro
2 Important / Medium
  Health, safety and environment: Leakage of oil, diesel and other less ignitable gases and fluids; liquid / steam below 50 °C and 10 bar; toxic substance, small volume.
  Production and/or product quality loss: Between 10,000 and 100,000 Euro
  Equipment restoring cost: Between 10,000 and 100,000 Euro
1 General / Low
  Health, safety and environment: Leakage of non-ignitable media; atmospheric gases and fluids harmless to humans and environment; negligible toxic effects; harmless chemicals.
  Production and/or product quality loss: Less than 10,000 Euro
  Equipment restoring cost: Less than 10,000 Euro

5.3.4 Carrying out the criticality analysis ranking
Once the criteria in the Consequence Classification matrix are defined, an experienced
and knowledgeable operator could mark those systems on the P&ID that are potentially
harmful to people and / or the environment with different colours. In doing so, the
operator will also be able to spot areas of particular concern, e.g. areas where a leak
cannot be easily isolated and where big volumes of toxic / harmful material can be
released and spread around. Such a marking exercise (and associated documentation) will
be useful if the Company is considering certifying itself according to Environmental
Management Standards or Process Safety Management Standards, like ISO-14001 and
OHSAS-18001. (Similarly, marking the systems and equipment which could adversely
affect the final product quality would help demonstrate overview and control,
according to e.g. the ISO-9000 Product Quality Management Standard).
Unlike nuclear power plants and offshore oil installations, fertiliser plants have few
duplicated functions, i.e. there are no hot spare compressors or heat exchangers.
There are, however, some duplicated pumps and some control valves with
bypasses that can also be used for control. These could be circled on the P&ID and
marked as areas where the probability of losing the functionality is small.


All equipment in a plant has an intended function:
1. A tank's function is to store and contain material
2. A pipe's function is to transport and contain material
3. A pump's function is to increase pressure and transport material
4. A control valve's function is to regulate / control the flow of material
5. Etc.
In principle, two things can go wrong in a plant:
1. Loss of containment / breakdown of equipment integrity (resulting in leaks or
material coming out in places where it should not be, including electrical currents),
and / or
2. Loss of equipment function / control (a pump is not pumping, a control valve is
not controlling, etc., resulting in flow, pressure, temperature, current or voltage
upsets).
No differentiation is made between e.g. a broken pump shaft, a broken mechanical seal
or a damaged bearing, as all these incidents eventually lead to stopping and repairing
the pump. In all cases the pump function will be lost for some time, and this has
certain consequences.
At a later stage, during the reliability analysis (RCM), the probability of breaking the
mechanical seal and the probability / frequency of damaging the bearing will be looked
into. Also, the effect of any hot spares will be evaluated (these bring the probability and
therefore the risk of losing the pump function down).
Prior to the loss of function / loss of containment, assume all equipment in the plant is
clean / fresh and functions as intended, with the plant producing at full capacity (based on
the yearly average). Assume also that levels in storage tanks, intermediate tanks, etc. are
normal, giving the typical time to find and exercise possible alternative counteractions
/ operation modes.
People's safety will not be put at risk unless there is an uncontrolled release of material
that is toxic, or suffocating, or self-igniting, or flammable, or comes out at high pressure
and / or temperature at uncontrolled places. People could also be harmed if electrical
power goes astray, or if fragments of equipment are thrown around after e.g. an
explosion or uncontrolled pressure build-up.
In short, people will not be harmed unless something breaks or falls apart. Hence, if the
integrity of the equipment is kept, nothing should happen to the people.
But it is close to impossible to guess or estimate whether one person will be standing next
to an unintended toxic release, or five persons will be standing 10 metres away,
upwind or downwind, and whether they carry and are able to put on gas masks or not.
To simplify, classify any system containing toxic material in concentrations that according to
the Material Safety Data Sheets (MSDS) would have a severe impact on people and / or the
environment as high consequence / critical. Etc.

When a failure occurs:


Assume the failure mechanism is the one most frequently experienced (a damaged
bearing is more common than a broken shaft).
Assume that safety equipment (like a safety valve) may also suffer loss of
function.
But assume that automatic shutdown / isolation / pressure relief systems will
function as intended when needed (the probability of failures in the shutdown /
safety systems themselves will later be covered by the SIL analysis), i.e. do not
consider double contingencies.
Assume that necessary spares are available / not available as per plant experience.
Assume that the repair takes the normal length of time.
Estimate the value of the typical total production loss (including typical rundown
and start-up time), and the typical cost to repair / replace the damaged equipment.
Comment: This approach is clearly a simplification, which basically describes the plant's
actual historical experience. It is known that a broken shaft would probably have much
bigger consequences (longer repair / fix time) than a damaged bearing, and thereby the
possible consequences of loss of function will be under-rated when the damaged bearing is
selected as the dimensioning case. However, such potential under-ratings should be dealt
with during the RCM analysis, where focus is put on the reliability of the various parts
inside a pump.

An example of format could be as shown in the table below:

Table 22 Example of format for Consequence Rating and Equipment Ranking
Columns: Tag no. | Misc. tag info | Consequence rating: Safety | Environ | Quality | Prod loss | Asset/repair cost | Equipment ranking
Xxx | | | | | | | Critical
Yyy | | | | | | | Critical
Zzz | | | | | | | Important
Www | | | | | | | General

Note: The equipment ranking is set by the highest rated consequence
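The criticality ranking of 5.3 is a set of rules that can be checked by a small script: the Table 21 cost limits, the note to Table 22 (ranking by the highest rated consequence), the Table 19 monetary risk and corrective budget, and the availability requirement of 5.3.1. The Python module below is an added example, not Yara's own tool; the equipment items, their ratings and failure frequencies are constructed.

```python
"""Consequence classification, equipment ranking and corrective maintenance
budget (PSHb section 5.3). Added example, not Yara's own tool.

Cost limits are those of Table 21 (10,000 and 100,000 Euro); the ranking rule
(highest rated consequence) is the note to Table 22; the monetary risk and
budget follow Table 19; the availability requirement follows 5.3.1. The
equipment items and their figures are constructed sample data.
"""
from dataclasses import dataclass

LABEL = {3: "Critical", 2: "Important", 1: "General"}


def rate_cost(euro: float) -> int:
    """Table 21 limits, used for both production loss and restoring cost."""
    if euro > 100_000:
        return 3
    if euro >= 10_000:
        return 2
    return 1


def availability_requirement(allowed_loss_days: float) -> float:
    """Section 5.3.1: e.g. 15 days allowed loss gives (365 - 15) / 365."""
    return (365 - allowed_loss_days) / 365


def population_failure_frequency(n_items: int, per_item_per_year: float) -> float:
    """Example 1: 500 tubes at 0.01 per year each give 5 tube failures per year."""
    return n_items * per_item_per_year


@dataclass
class Item:
    tag: str
    safety: int                  # 1..3, from the HSE column of Table 21
    environment: int             # 1..3, from the HSE column of Table 21
    quality: int                 # 1..3, product quality impact
    production_loss_eur: float   # typical loss per failure, incl. rundown/start-up
    repair_cost_eur: float       # typical cost to repair or replace
    failures_per_year: float     # assumed probability (frequency) of failure

    def consequence_ratings(self) -> dict:
        """The five values of 5.3.1, each rated High (3), Medium (2) or Low (1)."""
        return {"safety": self.safety, "environment": self.environment,
                "quality": self.quality,
                "production": rate_cost(self.production_loss_eur),
                "assets": rate_cost(self.repair_cost_eur)}

    def ranking(self) -> str:
        """Note to Table 22: ranking set by the highest rated consequence."""
        return LABEL[max(self.consequence_ratings().values())]

    def monetary_risk_per_year(self) -> float:
        """Table 19: probability x monetary consequence per failure."""
        return self.failures_per_year * (self.production_loss_eur + self.repair_cost_eur)


def corrective_maintenance_budget(items) -> float:
    """Table 19: the plant's summed monetary risk is the corrective budget."""
    return sum(i.monetary_risk_per_year() for i in items)


def ranking_table(items) -> list:
    """Table 22 rows, most critical (and within a class, riskiest) first."""
    order = {"Critical": 0, "Important": 1, "General": 2}
    rows = [(i.tag, i.consequence_ratings(), i.ranking(), i.monetary_risk_per_year())
            for i in items]
    return sorted(rows, key=lambda r: (order[r[2]], -r[3]))


# Constructed sample: Table 19 components A and B, plus the pumps of Example 2.
SAMPLE = [
    Item("Component A", 1, 1, 1, 100_000, 0, 0.01),
    Item("Component B", 1, 1, 1, 2_000_000, 0, 0.001),
    Item("P-201 dosing pump", 1, 1, 3, 40_000, 4_000, 0.5),   # conditioning chemicals
    Item("P-901 toilet water pump", 1, 1, 1, 0, 2_000, 0.5),
]

if __name__ == "__main__":
    for tag, ratings, rank, risk in ranking_table(SAMPLE):
        print(f"{tag:26s} {rank:9s} risk {risk:,.0f} Euro/yr {ratings}")
    print("corrective budget, A+B:", corrective_maintenance_budget(SAMPLE[:2]))
```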


5.3.5 Criticality analysis team and necessary documents
The core team should have representatives from all the disciplines to be versatile, but at
the same time be small enough to work effectively. A core team should be composed of:
1 team leader
1 representative from process / production / operation
1 representative from mechanical maintenance
1 representative from electrical maintenance
1 representative from instrument maintenance

The production representative should cover consequences on safety, environment,
product quality and production capability. The maintenance representative(s) should
cover consequences on the assets (repair time and cost).
Documents needed for the analysis would typically be:
P&IDs
Equipment lists
Equipment history data / revision books
Material Safety Data Sheets


6 Probability analysis

6.1 Reliability of equipment and systems


Quantitative reliability is defined as
the probability that an item (component, equipment or system) will operate without
failure for a stated period of time under specified conditions.
Reliability is thus a measure of the probability of successful performance of the system
over a period of time. Reliability assessment is normally carried out for systems of
components which are assumed to have settled down into a steady-state or useful-life
phase. The reliability characteristics of most component families follow the so-called
bathtub curve below.

Fig. 3 Reliability bathtub curve (failure rate versus time; phase I: burn-in, phase II: useful life, phase III: wear-out)

In phase I in the figure the failure rate (hazard rate, force of mortality) decreases as
weak components are eliminated, in phase II it remains approximately constant, and
in phase III components start to wear out and the failure rate increases. For
phase II the exponential distribution applies. For phases I and III the Weibull distribution
can be used to model the reliability.
The reliability can be measured in several ways. The most common measures are
explained below:
1. Expected number of failures per unit time, i.e. the failure rate
2. Expected lifetime (mean time to failure, MTTF) or expected time between failures (MTBF)
3. The probability that the unit functions on demand
4. The availability of the unit, i.e. the time fraction the unit is functioning
Failure rate
The failure rate is the expected number of failures per time unit. A simple estimate of
the failure rate is obtained by dividing the total number of failures in a population of
"identical" components with the total test time (or observation time) of that population.
The failure rate can be divided into several failure modes or causes. The failure modes
"dangerous failures = safety critical failures" and "Safe failures = spurious operation"
are discussed below. It is natural to use the failure rate (together with down time) as a
measure of reliability for units that work continuously. Expected lifetime or time
between failures is estimated as the inverse of the failure rate.


Exponential distribution
With a constant failure rate, the reliability of the system can be represented by the
exponential lifetime distribution:

R(t) = e^(-λt)

where:
t: time
R(t): the probability of successful operation for the time t
λ: the constant failure rate
e: the base of natural logarithms
The lifetimes are normally considered to be exponentially distributed in risk analyses.
This means that a unit fails completely at random and with the same probability at any
point of time. Furthermore, a repaired unit is considered "as good as new".
System structures
A system with n different components is considered. The way the n components are
interconnected to fulfil a specified system function is called the system structure. A
system may constitute a series structure or a parallel structure or a combination of these
two types of structures. The series and parallel structures are shown in the reliability
block diagrams in Figure 4 below.
In a series structure all components must function if the system is to function. This
structure is also called 1-out-of-n (1oon) structure. The reliability of a series structure is
the product of the reliabilities of the components.
In a parallel structure one or more of the components must function if the system is to
function. This structure is also called n-out-of-n (noon) structure. The failure probability
of a parallel structure is the product of the failure probabilities of the components.
A k-out-of-n structure (koon, voting structure) is a combination of a series structure and
a parallel structure. Such a structure functions if at least k of the n components are
functioning. The most common voting structure is the 2-out-of-3 (2oo3) structure (k = 2 and
n = 3).


Figure 4 Examples of reliability block diagrams: a series structure (blocks 1, 2, ..., n in line), a parallel structure, and a 2oo3 structure
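As an added illustration (not code from the handbook), the following Python script evaluates the exponential reliability and the series, parallel and k-out-of-n structures described above for components with constant failure rates. The failure rates and the one-year mission used in the demo are constructed sample values. The koon routine is general: with k = n it returns the series reliability and with k = 1 the parallel reliability, and it accepts components with different reliabilities.

```python
import math
from itertools import combinations


def exp_reliability(failure_rate_per_yr, t_years):
    """R(t) = exp(-lambda * t): survival probability for a constant failure rate
    (useful-life phase of the bathtub curve)."""
    return math.exp(-failure_rate_per_yr * t_years)


def series_reliability(rels):
    """All n components must function, so the system reliability is the
    product of the component reliabilities."""
    r = 1.0
    for x in rels:
        r *= x
    return r


def parallel_reliability(rels):
    """The system fails only if every component fails, so the system failure
    probability is the product of the component failure probabilities."""
    q = 1.0
    for x in rels:
        q *= 1.0 - x
    return 1.0 - q


def koon_reliability(k, rels):
    """k-out-of-n voting: the system functions if at least k of the n components
    function. Exact enumeration over component states, so the components may
    have different reliabilities. k = n gives series, k = 1 gives parallel."""
    n = len(rels)
    total = 0.0
    for m in range(k, n + 1):
        for working in combinations(range(n), m):
            p = 1.0
            for i in range(n):
                p *= rels[i] if i in working else 1.0 - rels[i]
            total += p
    return total


def mission_reliabilities(failure_rates_per_yr, t_years, k=2):
    """Reliabilities of the series, parallel and koon structures built from
    exponentially distributed components over a mission of t_years."""
    rels = [exp_reliability(lam, t_years) for lam in failure_rates_per_yr]
    return {
        "components": rels,
        "series": series_reliability(rels),
        "parallel": parallel_reliability(rels),
        f"{k}oo{len(rels)}": koon_reliability(k, rels),
    }


if __name__ == "__main__":
    # Constructed sample data: three identical channels, lambda = 0.1 per year,
    # evaluated over a one-year mission.
    for name, value in mission_reliabilities([0.1, 0.1, 0.1], 1.0, k=2).items():
        print(f"{name}: {value}")
```

For three channels at 0.1 failures per year the series structure is the least reliable and the parallel structure the most reliable, with 2oo3 in between; this is the reliability side of the voting trade-off, the spurious-trip side is treated in sec. 6.2.2.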


Availability
For repairable systems the reliability can be measured by the availability, which has the
following expression:

A = MTBF / (MTBF + MTTR)

where MTBF is the mean (expected) time between failures and MTTR is the mean
(expected) repair time (or actually the down time, see below).
Down time
The down time of a unit is the period from the time the unit fails until it is back in the
system and working (replaced or repaired). Thus the down time includes the time to
detect the failure, waiting time, time for repair/reinstallation/reconfiguration or
replacement. For "passive" units (such as process safety systems), which are in a failed
state when inspected, down time is estimated as half that of the inspection interval,
assuming that the unit failed in the middle of this interval and that the repair time etc. is


negligible in comparison. This applies under the assumption that the inspection interval
is considerably shorter than the expected interval between demands on the unit.
Summary of the reliability of process safety functions
In this section a short description of the reliability of safety functions is presented; a more
comprehensive treatment is given in sec. 6.2.
In process safety systems, safety critical failures and failures due to spurious operation
may occur. The process safety systems are normally passive and may have unrevealed
failures. The probability of unrevealed safety critical failures is the Probability of
Failure on Demand (PFD). For a single channel system

PFD = λDU · T / 2

where λDU is the rate of dangerous undetected failures [per year] and T is the
proof test interval [years].
Safety unavailability (SU) equals failure per demand. It is the probability that the unit
does not function when needed. Examples of this are a safety valve with failure mode
"does not open", a pump with failure mode "does not start", or a gas detector, which
"does not detect gas concentration above the defined alarm limit".
The rate of a single-channel protection system failing to protect successfully against a
hazard is the product of the safety unavailability and the demand rate, D:

hr = PFD · D

hr is called the hazard rate.
Spurious operation in components of process safety systems means that a false alarm or
a groundless shut down occurs.
The SU and the rate of spurious operation depend, in addition to the failure mode rates, on
the structure of the safety system.
When n safety functions constitute a series system, the SU for the system is the product
of the SUs for the n safety functions, and the system's rate of spurious operation is the
sum of the spurious operation rates for the n safety functions.
When n safety functions constitute a parallel system, the SU for the system is higher
than the SU for each of the n safety functions, and the system's rate of spurious
operation is lower than the spurious operation rates for the n safety functions.
Voting structures (such as 2-out-of-3) combine a low spurious operation rate and a low
SU.


6.2 Reliability of safety functions

6.2.1 Dangerous failures in safety functions

The symbols used in the reliability formulas below are:
λ: failure rate, per yr
T: proof test interval, in years
λDU: rate of dangerous undetected failures (= fail to operate on demand), per yr, in the safety function
PFD: probability of fail to operate on demand
PFDred: probability of fail to operate on demand in a system with redundancy
PTIF: probability of test independent failure, i.e. probability of dangerous, undetected failure after a proof test
β: common mode failure fraction

The formula for the probability of failure on demand in a single loop (without
redundancy) is:

PFD = λDU · T / 2 + PTIF

The expected frequency of accidents, the hazard rate, is:

hr = λDU · [1 + (e^(-DT) - 1) / (DT)] + PTIF · D

where D is the frequency of demands. If DT << 1, a Taylor series expansion can be
applied, and higher order terms neglected to give:

hr = PFD · D

When DT ≈ 1 or > 1 use of this formula gives conservative results. For DT >> 1 the
formula to use is:

hr = λDU

This is illustrated in the table below, where λDU = 1 yr-1.
Table 23 Accuracy of reliability formulas, λDU = 1 yr-1, PTIF = 0

hr / λDU

DT     Demand mode operation                       Continuous operation
       Use of exact    Use of demand mode          Use of continuous mode
       formula         formula: hr = PFD · D       formula: hr = λDU
0.03   0.0149          0.015                       1
0.1    0.048           0.05                        1
0.5    0.21            0.25                        1
1      0.37            0.5                         1
2      0.56            1                           1
4      0.75            2                           1
8      0.88            4                           1

The demand mode formula (hr = PFD · D) gives acceptable results when DT < 1. When DT
> 2, use of the demand mode formula gives very conservative results. In this case the
continuous mode formula gives better approximations.
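An added worked example (Python, not part of the handbook) that reproduces the three hazard rate formulas above and the ratios of Table 23, and encodes the rule of thumb for which formula to use. Treating PTIF in the exact formula as a per-demand probability that is multiplied by D is an assumption of the example, and the dimensionless product DT is split as T = 1 yr and D = DT because only the product affects the ratios hr / λDU.

```python
import math


def pfd_single_loop(lam_du, T, ptif=0.0):
    """PFD = lambda_DU * T / 2 + PTIF for a single (non-redundant) loop.
    lam_du in failures per year, T (proof test interval) in years."""
    return lam_du * T / 2.0 + ptif


def hazard_rate_exact(lam_du, D, T, ptif=0.0):
    """hr = lambda_DU * [1 + (exp(-DT) - 1) / (DT)] + PTIF * D, with D the demand
    frequency per year. Assumption: PTIF is a probability per demand, so it
    contributes PTIF * D to the rate."""
    dt = D * T
    return lam_du * (1.0 + (math.exp(-dt) - 1.0) / dt) + ptif * D


def hazard_rate_demand_mode(lam_du, D, T, ptif=0.0):
    """Low-demand approximation hr = PFD * D (first-order Taylor expansion)."""
    return pfd_single_loop(lam_du, T, ptif) * D


def hazard_rate_continuous_mode(lam_du):
    """High-demand limit hr = lambda_DU: every dangerous failure leads to an accident."""
    return lam_du


def recommended_formula(D, T):
    """Rule of thumb from the text: demand-mode formula for DT < 1, continuous-mode
    formula for DT > 2, the exact formula in between."""
    dt = D * T
    if dt < 1.0:
        return "demand"
    if dt > 2.0:
        return "continuous"
    return "exact"


def accuracy_table(dt_values=(0.03, 0.1, 0.5, 1, 2, 4, 8), lam_du=1.0):
    """Rows of (DT, exact, demand-mode, continuous-mode), each as hr / lambda_DU,
    with PTIF = 0, i.e. the content of Table 23."""
    rows = []
    T = 1.0  # only the product DT matters for the ratios
    for dt in dt_values:
        D = dt / T
        rows.append((dt,
                     hazard_rate_exact(lam_du, D, T) / lam_du,
                     hazard_rate_demand_mode(lam_du, D, T) / lam_du,
                     hazard_rate_continuous_mode(lam_du) / lam_du))
    return rows


if __name__ == "__main__":
    for dt, exact, demand, cont in accuracy_table():
        print(f"DT={dt:<5} exact={exact:.4f} demand={demand:.4f} "
              f"continuous={cont:.0f}  use: {recommended_formula(dt, 1.0)}")
```

The printed rows reproduce Table 23 to its stated precision; the demand-mode column grows without bound with DT while the exact ratio approaches 1, which is why the continuous-mode formula takes over for DT > 2.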


In redundant koon structures where n > k, e.g. 1oo2 and 2oo3 systems, the probability of
failure on demand is:
!

= + !! +
where the common mode failure fraction β is typically 0.1 for a duplicated, i.e. 1oo2,
system and typically 0.05 for a 2oo3 structure.
In a 2oo2 system the probability of failure on demand, when PFD is that of each channel, is:
PFD2oo2 = 2 · PFD
6.2.2 Reliability of safety functions, safe failures

In the design of safety functions the process availability also has to be considered. If a
safety function has too high a frequency of safe failures, the function must be redesigned.
The number of yearly spurious shut downs that is acceptable must be decided from the
process characteristics. If a shut-down causes a long production stop, use of
redundancy has to be considered.
To calculate frequencies of spurious shut-down, the following symbols are used:

λS: frequency of safe (= spurious) failures in a single loop system
τ: repair time for a loop
λS2oo2: frequency of spurious failure in a 2oo2 system
λS2oo3: frequency of spurious failure in a 2oo3 system
λS1oo2: frequency of spurious failure in a 1oo2 system
λS1oo3: frequency of spurious failure in a 1oo3 system

The following formulas apply:

λS2oo2 = 2 (λS τ) λS
λS2oo3 = 6 (λS τ) λS
λS1oo2 = 2 λS
λS1oo3 = 3 λS

Example. If we as typical examples use the following failure data: λS = 0.1 / yr and τ = 24 hrs,
we will have:
λS2oo2 = 2 (0.1 · 24 / (24 · 365)) · 0.1 = 0.00006 / yr
λS2oo3 = 6 (λS τ) λS = 0.0002 / yr
λS1oo2 = 2 λS = 2 · 0.1 = 0.2 / yr
λS1oo3 = 3 λS = 3 · 0.1 = 0.3 / yr
2oo2 and 2oo3 systems have a negligible frequency of spurious trips. This is generally valid for
k-out-of-n systems where k ≥ 2 and n ≥ k.
For 1oo2 and 1oo3 systems the frequency of spurious trips has to be considered. This is
generally valid for 1oon systems.
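As an added example (not the handbook's own code), the spurious trip formulas and the numerical example above in Python. The "1oo1" entry (a single loop, rate λS), the 2oo2 PFD relation from sec. 6.2.1 and the helper that screens architectures against an acceptable spurious trip frequency are additions of the example; the acceptable frequency itself has to come from the process characteristics, as the text says.

```python
HOURS_PER_YEAR = 24 * 365


def spurious_trip_rates(lam_s, tau_hours):
    """Spurious (safe) trip frequencies per year for the voted architectures.
    lam_s: spurious failure rate of a single loop [per year]
    tau_hours: repair time for a loop [hours]; converted to years so that
    lam_s * tau is the dimensionless probability that a loop is under repair."""
    tau = tau_hours / HOURS_PER_YEAR
    return {
        "1oo1": lam_s,                       # single loop (added for comparison)
        "2oo2": 2.0 * (lam_s * tau) * lam_s,  # both channels must trip spuriously
        "2oo3": 6.0 * (lam_s * tau) * lam_s,  # two of three within one repair time
        "1oo2": 2.0 * lam_s,                  # either channel trips the system
        "1oo3": 3.0 * lam_s,                  # any of three trips the system
    }


def pfd_2oo2(pfd_channel):
    """Both channels must act on demand, so a dangerous failure of either one
    defeats the function: PFD_2oo2 = 2 * PFD of a single channel."""
    return 2.0 * pfd_channel


def architectures_within_limit(lam_s, tau_hours, max_spurious_per_yr):
    """Architectures whose spurious trip frequency does not exceed the number of
    trips per year the process can tolerate."""
    rates = spurious_trip_rates(lam_s, tau_hours)
    return sorted(name for name, rate in rates.items() if rate <= max_spurious_per_yr)


if __name__ == "__main__":
    # Worked example from the text: lambda_S = 0.1 per year, tau = 24 hours
    for name, rate in spurious_trip_rates(0.1, 24).items():
        print(f"{name}: {rate:.5f} per year")
    # Constructed limit: the process tolerates at most one spurious trip in 20 years
    print("acceptable at 0.05 trips/yr:", architectures_within_limit(0.1, 24, 0.05))
```

With the text's data the screening keeps only 2oo2 and 2oo3, which matches the conclusion above; the pfd_2oo2 helper is the reminder that 2oo2 buys its low trip rate with a doubled PFD.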


Equipment failure data

Failure data is a necessary input to perform quantitative risk assessment for process
systems/plants. Usually generic failure data is used due to:
lack of a failure reporting system
problems with collecting a high enough number of failures for specific components/parts
In connection with QRA for process plants which contain toxic and flammable releases,
the most relevant failure data is related to leakages and ruptures in the process lines, but
also other component failure data is needed in the analysis, for example reliability of
safety system functions.
For modelling leakages, recommended failure data are as follows.
For all types of process equipment, the release scenarios are divided into three
groups: ruptures, major leakages and minor leakages.
For a vessel, a rupture means a rapid release of the total contents and a major leakage
has the release rate of a sharp-edged hole of 50 mm in diameter.
For pipelines and equipment with small volumes, a rupture means a full bore rupture
whereas a major leakage means a release area of 1/10 of that for full bore rupture. A
minor leakage has a release area of 1/10 of that of a major leakage.
A selection of generic failure rates and on demand probabilities is given in the section
failure data herein. The generic failure rates are used under the assumption of
"average" operation and maintenance standards. Use of these data is recommended. If
there are specific reasons to believe that other data are more appropriate in a particular
case, such data can be used.
It is assumed that the failure data include causes from external events such as
earthquakes, floods, hurricanes and aeroplane crashes, but for plant locations which are
highly exposed to these types of external effects it is recommended that a separate
analysis is carried out to include these types of events in the risk analysis.
6.3 Human Reliability
In all technical systems, the human factor has an impact in one way or another. For
small and simple units, people are mainly involved in maintenance and repair, while for
larger units (plants) the demands on people are numerous and varied. As technical
components are becoming more and more reliable, the human factors' relative
importance is increasing, and man is becoming the critical part of a system. This means
that the human "component" of a system cannot be simply left out of the analysis, and
as long as the aim is to quantify probabilities of system failures, human reliability must
also be quantified.
Since people normally do discrete (not continuous) operations, human reliability will be
measured in terms of probability of failure per operation.
The probability of human failure is affected by several factors, e.g. motivation, stress,
working conditions and so on. For more detailed studies, the HEART method could be used.
The HEART method and a selection of probabilities for human error under "average"
conditions are given in the section failure data. We recommend that these values are


used initially and in rough studies, modified if necessary to correct for obviously
unfortunate conditions.
6.4 System analysis and modelling


Below, the most common methods for system analysis and modelling are described.
The purpose of the analysis and system modelling in risk analysis is to describe,
evaluate and estimate the likelihood of, or reliability for, identified scenarios or events.
Fault Tree Analysis
Fault tree analysis is a backward logic method for the analysis of undesirable events.
The method is most suitable for reliability evaluation of technical systems but can also
be used to describe and track the causes of a specific accident or undesirable event. It
gives a survey of how an undesirable event can arise, and can be used to quantify the
probability or frequency of that event. The method normally consists of four steps:
1. definition of the undesirable event or loss of system function
2. fault tree construction
3. calculation of minimal cut sets (combinations of events/failure modes which
lead to the undesirable event (frequency) / loss of system function (probability per
demand))
4. minimal cut-set ranking and importance calculation
Figure 5 Example of fault tree (drawn with CARA Fault Tree 4.1)
TOP event: Overfilling of tank [frequency]
    CONTROL: Control loop failure (OR event, [frequency])
        SENSOR: Level sensor failure, too low signal to DCS (basic event, [frequency])
        DCS: DCS failure, too high output to valve (basic event)
        VALVE: Valve failure, too high delivery (basic event)
    SAFETY SYS: Safety function not working on demand (OR event, [probability])
        SD sensor: SD sensor failing
        LOGICS: SD logics failing
        SD valve: Shut down valve failing


A fault tree analysis should be used when detailed analysis of the reliability of a system
is required. For risk analysis, where the systems to be analysed are normally
complicated, this is a structured way to model the system without the risk of losing
track. An example is shown in the figure below.
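An added example of steps 3 and 4 of the method, minimal cut set calculation and ranking, applied to the fault tree of Figure 5. The code is not from the handbook or from the CARA tool; the failure data are constructed sample values (not Yara data), and the AND gate joining CONTROL and SAFETY SYS under the TOP event is assumed from the figure's labels, since combining a frequency with a probability into a frequency requires an AND gate.

```python
from itertools import product

# Constructed sample failure data for the basic events of Figure 5.
# "f": frequency per year (control-loop events), "p": probability of failure on
# demand (shutdown-system events). Illustrative values only.
BASIC_EVENTS = {
    "SENSOR":    ("f", 0.20),   # level sensor failure, too low signal to DCS
    "DCS":       ("f", 0.05),   # DCS failure, too high output to valve
    "VALVE":     ("f", 0.10),   # valve failure, too high delivery
    "SD sensor": ("p", 0.020),  # shutdown sensor failing on demand
    "LOGICS":    ("p", 0.005),  # shutdown logic failing on demand
    "SD valve":  ("p", 0.030),  # shutdown valve failing on demand
}

# Gate structure. The AND gate under the TOP event is an assumption (see lead-in).
TREE = ("AND", [
    ("OR", ["SENSOR", "DCS", "VALVE"]),            # CONTROL: control loop failure
    ("OR", ["SD sensor", "LOGICS", "SD valve"]),   # SAFETY SYS: not working on demand
])


def minimal_cut_sets(node):
    """Minimal cut sets of a fault tree as a sorted list of frozensets.
    OR gates collect the cut sets of their inputs; AND gates combine one cut set
    from every input; cut sets that are supersets of another are then dropped."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, inputs = node
    input_sets = [minimal_cut_sets(child) for child in inputs]
    if gate == "OR":
        candidates = [cs for sets in input_sets for cs in sets]
    elif gate == "AND":
        candidates = [frozenset().union(*combo) for combo in product(*input_sets)]
    else:
        raise ValueError(f"unknown gate {gate}")
    unique = set(candidates)
    minimal = [cs for cs in unique if not any(other < cs for other in unique)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def cut_set_value(cut_set, events=BASIC_EVENTS):
    """Frequency of a cut set: product of its event values. For a frequency TOP
    event a valid cut set contains exactly one frequency event."""
    kinds = [events[e][0] for e in cut_set]
    if kinds.count("f") != 1:
        raise ValueError(f"cut set {sorted(cut_set)} must contain exactly one frequency event")
    value = 1.0
    for e in cut_set:
        value *= events[e][1]
    return value


def ranked_cut_sets(tree=TREE, events=BASIC_EVENTS):
    """Minimal cut sets ranked by their contribution to the TOP event frequency."""
    ranked = [(cut_set_value(cs, events), sorted(cs)) for cs in minimal_cut_sets(tree)]
    return sorted(ranked, key=lambda item: -item[0])


def top_event_frequency(tree=TREE, events=BASIC_EVENTS):
    """TOP event frequency per year, rare-event approximation: sum over the
    minimal cut set frequencies."""
    return sum(value for value, _ in ranked_cut_sets(tree, events))


if __name__ == "__main__":
    for value, cs in ranked_cut_sets():
        print(f"{value:.4f} /yr  {' AND '.join(cs)}")
    print(f"TOP (overfilling of tank): {top_event_frequency():.4f} /yr")
```

The tree has nine minimal cut sets, each pairing one control-loop failure with one shutdown-system failure; the ranking shows which pair dominates and therefore where a design change or a shorter proof test interval pays off most.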
Event Tree Analysis
The event tree analysis is a forward logic technique to systematically describe and
develop the different scenarios (sequences) and outcomes from a defined initial event,
and is therefore most applicable for analysing the effects from a specific event. The
analysis starts by defining the initial event and proceeds by subsequently identifying
and defining the alternative routes, either as sub-events occurring or safety systems that
may not function or fail. The method orders the events in time sequence and often the
final unwanted sequences form the top event for further fault tree analysis of safety
functions. In risk analysis the method is often used to develop and describe the
consequences of a hazardous release, see the figure below.

Figure 6 Example of event tree


Cause Consequence Diagrams
A Cause Consequence diagram is constructed by defining a critical event and then
developing the causes and consequences for this event, i.e. cause consequence analysis
is a methodology that combines fault tree (to show the causes, backtracking) and event
tree analysis (to show the consequences, forward logic). It is a flexible method and can
handle external applied conditions and time delays and can be used for start-up and shut
down operations. The main elements (logic gates) are "AND" and "OR" together with
corresponding logic vertices. The decision box "EITHER/OR" vertex is especially
useful. It can be a useful method in risk analysis when the consequences of a certain
undesirable event depend on different safety systems, but so far there is limited use of
the method in


Figure 7 Example of Cause Consequence diagram


FMEA
Failure Mode and Effects Analysis (FMEA) is a procedure for identifying potential failure
modes and their effects in a system.
Failure mode and effects analysis could be conducted at the beginning of the design effort
and as part of each design review to identify potential design weaknesses. The primary
purpose of an FMEA is the early identification of potential design inadequacies that
may adversely affect safety and performance. Identified inadequacies can then be
eliminated or their effect (susceptibility) minimised through design correction or other
means. Later a criticality analysis can be performed (either formally or informally) to
prioritise failure modes for further analysis through RCM (Reliability Centred
Maintenance), LCC (Life Cycle Cost), etc.
Two alternative approaches may be used when performing FMEA: a hardware
approach or a functional approach.


a) Hardware Approach. The hardware approach is normally used when hardware items
can be uniquely identified from schematics, drawings, maintenance manuals and
other engineering design data. The hardware approach is normally utilised in a
bottom-up approach.
b) Functional Approach. The functional approach is normally used when hardware
items cannot be uniquely identified or when system complexity requires analysis
from the initial indenture level downward through succeeding indenture levels. The
functional approach is normally utilised in an initial top-down approach
The FMEA procedure may be summarised as completing the following steps:
1. Define the system to be analysed
2. Construct a block diagram at equipment level
3. For each item of equipment, construct a block diagram at component level
4. Identify failure modes at appropriate levels
5. Assign effects to the failure modes
6. Enter other failure mode information such as failure detection methods
7. Recommend redesign or maintenance actions to reduce the likelihood of failures
An FMEA is conducted by identifying, through failure analysis techniques, significant
failure modes that can occur, their effect on safety and effectiveness, and the probability
of occurrence. When it is likely that a failure could adversely affect safety or
effectiveness, the design should be modified to eliminate or minimise the failure cause
probability.
For those potential failure modes that cannot be corrected through redesign effort,
special controls such as labelling warnings, alarms, etc. should be provided. An FMEA
should include an evaluation of possible human-induced failures or hazardous
situations. Each potential failure mode should be considered in the light of its
probability of occurrence and characterised as to the severity of its effect on reliability,
safety and effectiveness.
An example of analysis form is shown in the table below.
Table 24 Example of FMEA analysis form

FMEA                                   SYSTEM:                        DATE:

FUNCTION | COMP./PART | FAILURE MODE | FAILURE CAUSE | CONSEQUENCE | DETECTION | RECOMMENDATION | DECISION/IMPLEMENTED

Dependent failures and events


To increase the reliability of process and control systems, one solution is to implement
redundant and diversified solutions for critical systems and components. The condition
is of course that the failures are independent, but quite often there is some kind of
dependency in redundant systems/components. The dependency can be either functional
(design) such as sub-electrical power supply of the redundant system, or physical
(external environment), for example equipment installed in the same compartment.


Figure 8 shows a classification scheme for different causes. This scheme can be used as
a guide to qualitative analysis.

Figure 8 Classification of dependent failure causes


Some comments to the figure above are:
Functional design deficiencies can be undetectable hazards, inadequate control or
instrumentation
Design realisation faults can be channel dependency, common operation &
protection components, operational deficiencies, inadequate components, design
errors or limitations
Manufacturing defects can be caused by inadequate quality control, standards, testing
or inspection
Installation/commissioning introduced faults can be related to inadequate quality
control, standards, inspection, testing and commissioning
Operational faults can be operator error, procedures, supervision or communication
error
Maintenance faults can be imperfect repair, testing, calibration, procedures,
inadequate supervision
Operational internal process environment extremes faults can be related to
temperature, pressure, vibration, acceleration, stress, corrosion, contamination, etc.
Operational external environment faults can be fire, flood, earthquake, missiles, etc.


7 Consequence analysis
By consequence is here meant injury to people, damage to the environment and assets,
and production losses caused by accidents in production plants, transportation and
storage. In this chapter the following phenomena which can cause consequences are
described:
release
dispersion
ignition
fire
explosion
toxic gas exposure

7.1 Release
Accidental releases to be considered in risk analyses are divided into three main
categories:
gas releases
two-phase releases
liquid releases
Release models are depicted in Fig. 9 and 10 below.

Fig. 9 Release models


Fig. 10 Gas and liquefied gas release


Gas and liquid releases are usually calculated by idealised release models neglecting
thermal effects; i.e. with assumed adiabatic conditions for gases and isothermal
conditions for liquids.
Two-phase releases will normally occur due to flashing liquids.


In liquid or two phase models pools on the ground or on water can develop.
7.2 Gas dispersion
The models used in gas dispersion calculations are illustrated in Figures 11, 12 and 13.

Fig. 11 Dispersion models

Fig. 12 Pasquill weather stability classes, A-F


Fig. 13 Dispersion around buildings and other obstacles


The dispersion of a gas release is strongly dependent on the release situation:
High initial impulse -> rapid dispersion
Low initial impulse -> less efficient dispersion
This means, for instance, that a leakage of a gas at high pressure will normally lead to a
maximum gas concentration below 2% (vol) at a distance of 30 hole diameters
downstream, due to shear-generated turbulent mixing at the edge of the jet.
For releases of lower initial impulse or further downwind of a dense gas cloud, the
effects of cross winds and buoyancy are important and must therefore be included in the
dispersion calculations.
A gas of higher density than ambient air behaves differently from a gas of equal or
lower density than air. The denser gas tends to stay near the ground if released at ground
level (for instance from a boiling liquid pool), and will follow the terrain downhill if
there is a slope. If released from an elevated position it will also descend due to gravity.
A gas cloud with density equal or lower than air may rise (lower density) or follow a
passive dispersion path (density equal to air) that is dominated by the atmospheric
turbulence. The dispersion path with regard to terrain (around or over hills) will also
depend on the atmospheric turbulence.
The formation of dense gas clouds is not confined to materials having molecular
weights greater than that of air. The following categorisation based on material
properties covers most cases:
a) Materials having molecular weights greater than that of air and which therefore, in
most practical situations, form dense gas mixtures with air, e.g. chlorine.
b) Materials having molecular weights less than that of air, but being dense due to low
temperature, e.g. methane released from a spill of LNG at its normal atmospheric
boiling point.
c) Materials having molecular weights less than that of air and whose pure vapours at
their boiling points are less dense than the surrounding air, but which may form
dense mixtures due to the presence and subsequent evaporative cooling effects of
droplets of the material produced by the mechanism of release, e.g. ammonia.


d) Materials having nominal molecular weights less than that of air, but which may
form higher molecular weight fractions due to molecular association, e.g. hexamer
formation of hydrogen fluoride.
In the initial phases, heavy gas clouds spread horizontally due to gravity. This creates a
boundary layer between the gas and the ambient air at the top of the cloud and at the
edges where the velocity shear causes the air to be entrained into the cloud. At a later
stage, when the initial impulse and the gravity driven heavy gas dispersion has
decreased considerably, the atmospheric turbulence starts to dominate leading to passive
dispersion. This is of great importance particularly with respect to toxic gases that are
dangerous to man at very low concentrations.
When doing gas dispersion calculations, all major dispersion effects must be included.
This includes the atmospheric stability and the atmospheric boundary layer
(meteorological data), proper surface roughness, temperature, pressure and wind profile,
solar radiation and ambient humidity (especially for anhydrous gases such as ammonia).
All these effects must be taken into consideration. When calculating a specific release,
which has occurred, the conditions at the time of the release must be used. In risk
assessment, representative combinations of conditions or - for some parameters the
average value must be used.
If only a few gas dispersion scenarios are to be carried out in a safety study, at least two
weather situations should be considered:
1) Stable thermal atmospheric conditions (atmospheric stability category F) and low
wind velocities (1 - 2 m/s)
2) Neutral atmospheric stability (atmospheric stability category D) and 5 m/s wind
speed
F stability and low wind velocity will cause large downwind concentration and narrow
clouds while D stability and higher wind velocity will result in lower downwind
concentrations and broader clouds.
The dispersion of jet releases, plume releases, releases from area sources and
instantaneous releases are calculated using models specific to the mode of release.
7.3 Evaporation
When an evaporating liquid is released on to a surface it will spread due to gravity. The
slope of the surface will influence this process as will the temperature difference
between the liquid and the surface. In addition, the surface roughness, the permeability
and the heat capacity of the surface are of major importance.
If the surface is solid ground, a pool will form and the evaporation rate will decrease as
the surface temperature drops. If there is no dike (bund) around the source of release,
the cold liquid will continue to flow out over fresh ground at ambient temperature, and the
total evaporation rate will not change substantially.


Fig. 14 Pool evaporation examples


Spilt on water, the boiling process will be much more vigorous. An unstable boiling
process may occur where the boiling changes from film boiling to nucleate boiling
(LNG, LPG). Liquids heavier than water will sink while they boil at the interface with
the water, and thus break up into small droplets, which immediately will evaporate
completely like an explosion (e.g. chlorine).
Evaporation from a pool will depend strongly on the wind conditions. A low wind
velocity will give a low evaporation rate.
7.4 Ignition
The minimum ignition energy for different flammable gases differs considerably. For
instance, hydrogen is easily ignited and can also auto ignite when released at high
pressures, while ammonia is hard to ignite. The minimum ignition energies for the more
important gases related to risk analysis in Yara are listed in table below. Note that these
energies are generally low, and sparks generated by static electricity may therefore
easily ignite a flammable gas cloud.


Table 25 Combustion properties for fuel-air clouds

Property                                                   Ammonia  Methane  Propane  Vinyl chloride  Ethylene  Hydrogen
Molecular weight (kg/kmol)                                 17.03    16.04    44.10    62.5            28        2.01
Auto ignition temperature in air (K)                       -        813      723      688             763       673
Laminar flame speed in air (m/s)                           0.43     3.5      3.7      3.4             6.5       28.0
Laminar burning speed in air (m/s)                         0.1      0.45     0.52     -               0.83      3.5
% gas at stoichiometric ratio in air                       -        9.5      4.0      7.73            6.5       30.0
Heat of combustion, low value (MJ/kg fuel)                 18.6     50.0     46.4     18.6            59.5      120.0
Heat of reaction, stoichiometric fuel-air mixture (MJ/m3)  -        3.4      3.7      3.7             3.9       3.2
Lower flammability limit in air, LFL (%)                   16       5.0      2.2      3.8             3.1       4.0
Upper flammability limit in air, UFL (%)                   25       15.0     9.5      29.3            32.0      75.0
Minimum ignition energy in air (mJ)                        >100     0.29     0.24     0.25            0.12      0.02
Minimum experimental safe gap, MESG (mm)                   1.0      1.12     0.91     0.81            0.65      0.29
Max. explosion overpressure, 1 m3 closed vessel (bar)
Max. rate of pressure rise, 1 m3 closed vessel (bar/s)
NFPA code, flammability
NFPA code, reactivity

Cells marked "-" are empty in the source. The values of the last four rows survive in the
source only as a list without legible column positions: 7.6, 8.7, 75, 80, 550, 4/0, 4/1, 4/0,
4.0, 3.2, 1/0, 55.

If a flammable gas comes into contact with an open flame or a hot surface, it will also
ignite. The lowest surface temperature at which a gas can ignite is called the Auto
Ignition Temperature (AIT). AITs for different gases are listed in the table above.
For all installations containing flammable materials there are certain distances within
which every piece of equipment shall be spark proof and no hot surfaces or other
obvious sources of ignition shall be present (ex-zone). Nevertheless, there is always a
remaining possibility for an easily flammable gas to be ignited. Outside this ex-zone,
but still inside the plant area, the ignition probability increases. The presence of electric
equipment and vehicles also increases the ignition probability.
Public roads, residential and other areas outside the plant are other possible sources of
ignition.
In the table below, typical probabilities for the ignition of different gases at different
locations are listed. These data must be used with great care, and if certain sources of
ignition like open flames, furnaces, motors or surfaces at temperatures above the
auto-ignition temperature can be identified inside the area of interest, the probability of
ignition must be set to 1.


Table 26 Ignition probabilities *)

Gas | In EX-zone | In plant area | On public road | On farmland
Hydrogen | 1 | 1 | 1 | 0.5
Ethylene | 0.1 | 0.3 | 0.4 | 0.1
Methane | 0.05 | 0.2 | 0.3 | 0.05
Ethane | 0.05 | 0.2 | 0.3 | 0.05
Propane | 0.05 | 0.2 | 0.3 | 0.05
VCM | 0.05 | 0.2 | 0.3 | 0.05
Ammonia | 0.01 | 0.02 | 0.05 | 0.01

*): The figures refer to a flammable cloud covering an area of 600 m2. For other cloud sizes, the ignition
probability is Pign = 1 - exp(-pA/600), where A is the flammable cloud area (m2) and p is the figure given in
the table. For hydrogen the probabilities in the table are used independent of the gas cloud size.
However, since hydrogen leakages may ignite so fast that a jet fire and not an explosion will be the
result, an explosion probability of 0.5 is often assumed.
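The cloud-size scaling in the footnote, combined with the rule in the text that an identified ignition source inside the area forces the probability to 1, is shown below as an added example; it is not code from the handbook. The base values are transcribed from Table 26, the location keys are names chosen for this example, and the hydrogen explosion fraction of 0.5 is the footnote's "often assumed" value.

```python
import math

# Base ignition probabilities p from Table 26, valid for a flammable cloud
# covering 600 m2. Column order: EX-zone, plant area, public road, farmland.
IGNITION_TABLE = {
    "hydrogen": (1.0, 1.0, 1.0, 0.5),
    "ethylene": (0.1, 0.3, 0.4, 0.1),
    "methane": (0.05, 0.2, 0.3, 0.05),
    "ethane": (0.05, 0.2, 0.3, 0.05),
    "propane": (0.05, 0.2, 0.3, 0.05),
    "vcm": (0.05, 0.2, 0.3, 0.05),
    "ammonia": (0.01, 0.02, 0.05, 0.01),
}
# Location keys are names chosen for this example, in the table's column order.
LOCATIONS = ("ex_zone", "plant_area", "public_road", "farmland")
REFERENCE_AREA_M2 = 600.0
HYDROGEN_EXPLOSION_FRACTION = 0.5  # "often assumed" in the footnote to Table 26


def ignition_probability(gas, location, cloud_area_m2, known_ignition_source=False):
    """Ignition probability of a flammable cloud of the given area at a location.

    Applies the footnote scaling Pign = 1 - exp(-p*A/600) for all gases except
    hydrogen, for which the table value is used regardless of cloud size, and the
    rule from the text that an identified ignition source (open flame, furnace,
    surface above AIT, ...) inside the area of interest means Pign = 1.
    """
    if known_ignition_source:
        return 1.0
    if cloud_area_m2 < 0:
        raise ValueError("cloud area must be non-negative")
    p = IGNITION_TABLE[gas.lower()][LOCATIONS.index(location)]
    if gas.lower() == "hydrogen":
        return p
    return 1.0 - math.exp(-p * cloud_area_m2 / REFERENCE_AREA_M2)


def hydrogen_explosion_probability(location, cloud_area_m2):
    """Hydrogen often ignites so fast that a jet fire rather than an explosion
    results, so only a fraction (0.5 per the footnote) of ignitions explode."""
    return HYDROGEN_EXPLOSION_FRACTION * ignition_probability("hydrogen", location, cloud_area_m2)


def ignition_probability_table(cloud_area_m2):
    """Pign for every gas and location at one cloud size (dict of dicts)."""
    return {
        gas: {loc: ignition_probability(gas, loc, cloud_area_m2) for loc in LOCATIONS}
        for gas in IGNITION_TABLE
    }


if __name__ == "__main__":
    for area in (100.0, 600.0, 3000.0):
        print(f"cloud area {area:.0f} m2")
        for gas, row in ignition_probability_table(area).items():
            print("  " + gas.ljust(9) + "  ".join(f"{row[loc]:.3f}" for loc in LOCATIONS))
```

Note that at the 600 m2 reference area the formula returns 1 - exp(-p) rather than p itself (0.26 instead of 0.3 for ethylene in the plant area); for the small p values of the table the difference is negligible, and for large clouds the probability approaches 1 regardless of gas.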

7.5 Fire

This section describes different types of fire scenarios (such as jet fires, fireballs and
pool fires), which may be the result of releases of flammable materials. The effects of
thermal radiation are also discussed.
Figs. 15, 16 and 17 depict fire models.

Fig 15 Fire models

Fig. 16 Types of fires

Fig 17 More types of fire

Fig 18 BLEVE

Jet fire
If a gas or two-phase jet ignites, the result will be a jet fire. A jet fire is characterised by
a very high heat transfer to the surroundings. The violent turbulence in a jet fire will
lead to effective air entrainment and thus a combustion process with high temperature
and significant heat radiation. The radiation intensity from a jet fire can reach up to 300
kW/m2. Due to the high velocities there will be a very high heat transmission to objects
engulfed or hit by the jet flame. In case of high release rates and thus high impulse, jet
fires can have lengths of more than 100 m.
Pool fire
If a pool containing a flammable liquid ignites, a pool fire will occur. A pool fire
usually produces a lower average radiation intensity per m2 than a jet fire. The reason is a
less effective combustion process in pools with large diameters (> 3-5 m), since the air
entrainment is not large enough to maintain efficient combustion. The result is a reduced
flame temperature, and at the same time sooting will shield the surroundings from the
flame. For pool fires in large pools the area of the visible flame may be large and produce
a high heat radiation on the surroundings. The heat radiation from the visible flame may
be 150 - 200 kW/m2, while the part shielded by soot may have a heat radiation of 25
kW/m2.
Distances from the centre of a propane pool fire to different radiation levels, dependent
on the pool diameter, are given in the figure below.


Figure 19 Distance from flame centre of a pool fire to different radiation levels
Flash fire
A flammable gas cloud dispersed in a relatively open area will, in case of ignition, burn
back to the release point. The characteristic of a flash fire is a relatively slow flame
velocity through the gas cloud (5-10 m/s). However, the velocity will be fast enough to
harm persons inside or just outside the gas cloud. A flash fire will normally be
followed by a jet fire or a pool fire located at the position of the release point. The
radiation intensity from the flame in a flash fire will normally be 50 - 100 kW/m2.
BLEVE
A BLEVE (Boiling Liquid Expanding Vapour Explosion) is a fireball which will occur
in case of a tank rupture and simultaneous ignition of the liquid in a tank containing a
liquid which is pressurised at a temperature higher than its normal boiling point. A
BLEVE may also occur if the tank is exposed to heat radiation. This radiation may
cause simultaneous weakening of the tank and pressure rise in the tank. The section of
the tank wall covered by liquid on the inside will weaken much more slowly than the
tank section containing gas. The reason is that the liquid on the inside will cause an
effective heat transfer away from the tank wall and absorb the heat. This process is
much less effective on the gas side since the gas is less heat conductive and heat
absorptive. For most BLEVEs the tank rupture is initiated on the gas side of the tank.
For uninsulated tanks exposed to a fire on the gas side, such a rupture may occur in
only a few minutes. Calculations show that the tank material in some cases is so quickly
weakened that the tank may rupture before the pressure reaches the set point of the
safety valves.


When the tank ruptures, the violent expansion and combustion process will produce a
fireball, which rises due to buoyancy forces. The size of this fireball will be several
times the size of the ruptured tank and the heat radiation will be very high. Even if the
duration usually is not longer than 5 - 30 seconds, a BLEVE in a large storage tank may
produce lethal heat doses more than 500 m away from the tank.
Distances to different radiation levels from hydrocarbon BLEVEs, dependent on the tank
inventory, are given in the figure below.

Figure 20 Distance to different radiation levels from hydrocarbon BLEVEs

The effect of thermal radiation
The effect of thermal radiation depends primarily on the emitted radiation from the
flame, but for objects engulfed in the flames, heat transmission to the object caused by
large velocities will also have an influence. The emitted radiation or radiated effect from
a flame (kW/m2) depends on the fire category, type of fuel and other aspects such as
incomplete combustion or soot shielding.
The effect of thermal radiation is given in the table below.
Table 27 Effect of thermal radiation

Heat flux [kW/m2] | Effect
0.7 | Exposed skin reddens and burns on prolonged exposure
1.75 | Pain threshold reached after 60 sec.
2.0 | PVC insulated cables damaged
5.0 | Pain threshold reached after 15 sec. Equilibrium temperature 230 °C
6.4 | Pain threshold reached after 8 sec. Second degree burns after 20 sec.
9.5 | Pain threshold reached after 6 sec. Equilibrium temperature 320 °C
16.5 | Severe burns after 5 sec.
25.0 | Wood ignites on prolonged exposure

The fatality probability due to thermal radiation is indicated in the table below.

Table 9 Fatality probability due to thermal radiation

Heat flux [kW/m2] | Seconds of exposure for 1% fatality | 50% fatality | 99% fatality
1.6 | 500 | 1300 | 3200
4.0 | 150 | 370 | 930
12.5 | 30 | 80 | 200
37.5 | 8 | 20 | 50

7.6 Explosion

Fig 21 Explosion models


Fig. 22 Unconfined vapour cloud explosions


Accidental explosions can be divided into two main types:
- Physical explosions
- Chemical explosions
Physical explosions have a physical energy source. An example of a physical explosion
is the rupture of a high-pressure steam vessel (not further discussed here).
Chemical explosions have the energy of exothermic (heat producing) chemical
reactions as their basis. Examples of chemical explosions are:
- Gas explosions
- Dust explosions
- Thermal runaway explosions
A gas or dust explosion is a combustion process in a cloud where fuel and air are well
mixed (premixed) and with a flame velocity so fast that a pressure wave is produced.
The higher the flame velocity, the higher the rate of energy release and the maximum
explosion pressure.
Gas (and dust) explosions can be divided into two fundamentally different types with
respect to the mechanism of propagation, namely:
- Deflagrations
- Detonations
In a deflagration, the reaction zone or flame front travels through the premixed
explosive mass at subsonic speed (sonic speed = speed of sound) in relation to the
unburned gas. The propagation mechanism is based on heat transfer (radiation,
convection and conduction) between the flame and the unburned gases. In confined
fuel-air mixtures, deflagration pressures can reach 7-10 bar abs. Because the reaction
zone is moving subsonically, it is preceded by the pressure wave (pressure waves
always move with sonic velocity).
In a detonation, the reaction zone travels through the explosive mass at supersonic
speed relative to the unburned gases. Typical speeds are 1500-2000 m/s. The
propagation mechanism is extremely rapid, and a near adiabatic compression of the
unburned gases in the shock wave (the rate of pressure rise approaches zero) leads to a
sudden heating to above the auto-ignition temperature. The energy thus liberated serves
to further propagate the explosion process. The explosion pressure in a detonation wave
may reach 10-30 bar. In a detonation, the pressure wave and the reaction zone
coincide. A deflagration can accelerate to a detonation, DDT (Deflagration to
Detonation Transition).
In general, accidental gas explosions in the process industry will normally be of the
deflagration type, because the initiation of a detonation is dependent on conditions such
as a very strong source of ignition, a certain kind of confinement (long pipes, repeated
obstacles etc.) or a highly reactive gas. This means that in most cases, deflagrations will
be the normal basis for calculations and design. Because of the nature of detonations
(extremely fast shock waves with high over pressures), it will probably not be possible
to make a safe design to withstand them in most cases.
As already stated, we define a gas explosion (deflagration) as a process where
combustion of a premixed gas cloud, i.e. fuel-air or fuel-oxidiser, is causing rapid
increase of pressure. Gas explosions can occur inside process equipment or pipes, in
buildings or offshore modules, in open process areas or in unconfined areas.
The consequences of a gas explosion will depend on the environment in which the gas
cloud is contained or which the gas cloud engulfs. Therefore it has been common to
classify a gas explosion from the environment where the explosion takes place:
Confined Gas Explosions within vessels, pipes, channels or tunnels
Partly Confined Gas Explosions in a compartment, buildings or process modules
Unconfined Gas Explosions in process plants and other unconfined areas
It should be pointed out that these terms are not strictly defined. In an accidental event it
may be hard to classify the explosion. As an example, an unconfined explosion in a
process plant may also involve partly confined explosions in compartments into which
the gas cloud has leaked.
Confined gas explosions are explosions within tanks, process equipment, pipes, in
culverts, sewage systems, closed rooms and in underground installations, see figure
below. Confined explosions are also called internal explosions.


Figure 23 Confined explosion within a tank


Partly confined gas explosions occur when a fuel is accidentally released inside a
building which is partly open, see figure below. Typical cases are compressor rooms
and process modules. The building will confine the explosion and the explosion
pressures can only be relieved through the explosion vent areas, i.e. open areas in the
walls or light relief walls that open quickly at low overpressure. Both size and location
of explosion vent areas are important for the resulting explosion pressure.

Figure 24 Gas explosion in a partly confined area with process equipment


The term unconfined gas explosion was used to describe explosions in open areas such
as process plants, see figure below. Large-scale tests have shown that a truly
unconfined, unobstructed gas cloud ignited by a weak ignition source will only produce
small overpressures while burning (flash fire). The term unconfined gas explosions
should therefore be used with care. In a process plant, there are local areas, which are
partly confined and highly obstructed. In such areas very high explosion over pressures
may be expected.


Figure 25 Gas explosions in a process area


To summarise, the main parameters influencing the explosion pressure are:
the size of the cloud
the properties of the fuel
the degree of obstruction
the degree of confinement
The size of the cloud gives the total energy content, while the properties of the fuel
determine the reactivity of the particular fuel. The degree of obstruction determines the
generation of turbulence in front of the flame and hence the flame speed, while the
degree of confinement determines the vent areas. The most reactive fuels are
characterised by high flame speeds and burning velocity, and a wide flammable range.
The Multi Energy Method
To calculate the explosion blast wave from explosions in process areas the so-called
Multi Energy Method (MEM) is frequently used. In MEM it is assumed that strong blast
is generated only in places characterised by a considerable degree of partial confinement
while other, usually large parts of the cloud, just burn out without any significant
contribution. MEM is a "hand method" for calculating side-on blast pressure and
duration in the far field from gas explosions in process areas. Assumptions about the
source strength must be made dependent of the gas and the obstacle density and degree
of confinement in the process area. MEM is not capable of predicting explosion
pressure inside the reactive gas cloud.
Response of structures
Design of structures exposed to explosion loads is an extensive subject. Both
complicated and simplified methods exist for dynamic design, but good knowledge is
required to determine the correct design method.
Sometimes structures exposed to explosion loads behave differently from what could be
expected. To give an example, an explosion with a maximum over pressure of 0.10 barg
may be twice as unfavourable to the structure as a static load of 0.10 barg.


To assess the structural response, information on both the explosion load and the
structure is necessary. For the explosion load, knowledge is required with respect to:
- maximum explosion pressure
- explosion pressure duration
- shape of the explosion pressure-time diagram
- whether or not a reflection phenomenon is present
For the structure, knowledge is required with respect to:
- mass
- stiffness
- material
- support
With this knowledge of the explosion and the structural data, it is possible to calculate
the dynamic load factor, i.e. a measure of how unfavourable the explosion load is
compared to an equivalent static load. Structural design is performed for an accidental
design situation for the ultimate limit state. This implies that for a situation with an
explosion load, no safety factors are included.
Plastic design of the structure is usually accepted. This implies large deflections, but the
structure will not fail. Increased capacity due to quick loading may be accounted for.
There are several design methods with different degrees of applicability, accuracy and
details level in output. Some are based on hand calculations, others on computerised
tools.
Concrete buildings cast at the location provide the best protection from explosion pressure.
Concrete element structures may also provide a safe working environment, but great
care must be taken in the design of all joints. Steel columns may be subject to buckling,
and steel plates may be torn off the structure and act as missiles. But if the eventual
explosion pressure is known during the design phase, and care is taken for the special
problems that may arise from an explosion, steel structures can also be used. Wooden
buildings usually have little resistance to explosion loads and are not recommended.
Special care must be taken with glass. Application of clear film to prevent
fragmentation and thorough fastening of the window frames are essential.
The location of windows (e.g. in control rooms), the strength of the roof (for explosion
pressure) and concrete elements used as buttressing walls for horizontal forces (which may
fail and thus reduce stability) are common problems for existing buildings that are required
to remain mostly intact after an explosion.
Typical damage as a function of overpressure is shown in the table below.

Table 10 Typical damage as a function of overpressure

Description | Overpressure [bar]
Safe distance | < 0.002
Shattered windows (peculiar) | > 0.01
Severe damage of houses | > 0.1
Falling down of walls and ceilings (frame distortion of steel framed buildings) | > 0.15
Ripping of oil tanks | > 0.25
Devastation of buildings | > 0.5
Border of crater | ~20
Dangerous level (1% lethality) | 0.14
Serious level of death | 0.5

7.7 Exposure of toxic gases


Irritant and toxic gases can be a threat to humans if they are exposed to high concentrations.
The more important gases in this context are the ones which are used or stored in large
quantities in the plant. These gases are listed in the table below.
International accident records show that toxic gases have caused both injuries and
fatalities, and as part of a risk analysis or hazard assessment there is a need to relate
certain exposures to some fatality or injury probability.
The concept of probit functions takes into account the fact that different individuals may
survive different toxic loads. To estimate the probability of death the following
procedure is to be used:

1. Estimate the toxic load

   L = \int_0^T c^n \, dt

where c is the concentration [ppm], T is the exposure time (minutes), and n is given in the
table below. If the concentration is constant, the formula simplifies to L = c^n T.

2. Calculate the probit value:

   P = a + b \ln L

The constants a and b are presented in the TNO Purple Book.

3. Having calculated the probit value, the probability of death can be found (TNO
Purple Book, the program system EFFECTS).

The "Immediate Danger to Life and Health" (IDLH) concentration is defined as the
concentration from which a person could escape within 30 minutes without any escape
impairing symptoms or any irreversible health effects. LC50(t) indicates the
concentration where 50 % of the exposed population is expected to die when exposed
for time t.
Emergency Response Planning Guidelines (ERPGs) estimate the concentrations at
which most people will begin to experience health effects if they are exposed to a toxic
chemical for 1 hour. A chemical may have up to three ERPG values, each of which
corresponds to a specific tier of health effects.
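The three-step probit procedure carried through on a time-varying concentration profile, as an added example that is not code from the handbook or from TNO. The constants a, b and n used here are illustrative placeholders, not the Purple Book values, and the exposure profile is constructed. Step 3 uses the standard relation behind the Purple Book's probit-to-percentage table: the probit scale is a normal distribution with mean 5 and standard deviation 1, so the probability is Phi(Pr - 5).

```python
import math

# Illustrative placeholder probit constants (NOT the TNO Purple Book values).
# Pr = a + b*ln(L) with L = integral of c^n dt, c in ppm and t in minutes.
EXAMPLE_PROBIT_CONSTANTS = {"a": -10.0, "b": 1.0, "n": 2.0}


def toxic_load(samples, n):
    """Step 1: L = integral_0^T c(t)^n dt by the trapezoidal rule.

    samples: list of (time_min, concentration_ppm) pairs in increasing time
    order, for instance the output of a dispersion calculation at a receptor.
    """
    if len(samples) < 2:
        raise ValueError("need at least two (time, concentration) samples")
    load = 0.0
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 < t0:
            raise ValueError("samples must be in increasing time order")
        load += 0.5 * (c0 ** n + c1 ** n) * (t1 - t0)
    return load


def toxic_load_constant(c_ppm, exposure_min, n):
    """Closed form for a constant concentration: L = c^n * T."""
    return c_ppm ** n * exposure_min


def probit(load, a, b):
    """Step 2: Pr = a + b ln L. A zero load is no dose at all, hence -inf."""
    if load <= 0:
        return float("-inf")
    return a + b * math.log(load)


def probit_to_probability(pr):
    """Step 3: P = Phi(Pr - 5), Phi being the standard normal CDF."""
    if pr == float("-inf"):
        return 0.0
    return 0.5 * (1.0 + math.erf((pr - 5.0) / math.sqrt(2.0)))


def fatality_probability(samples, a, b, n):
    """All three steps for one exposure profile."""
    return probit_to_probability(probit(toxic_load(samples, n), a, b))


if __name__ == "__main__":
    # Constructed exposure profile: concentration rises, plateaus and decays.
    profile = [(0, 0), (2, 800), (10, 800), (14, 0)]
    k = EXAMPLE_PROBIT_CONSTANTS
    load = toxic_load(profile, k["n"])
    print(f"toxic load {load:.3g}, probit {probit(load, k['a'], k['b']):.2f}, "
          f"P(death) {fatality_probability(profile, k['a'], k['b'], k['n']):.3f}")
```

Because n is usually greater than 1, a short exposure at a high concentration contributes far more to L than a long exposure at a low concentration with the same c*t product, which is why the time profile, not only the peak, must be carried into the load.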

Fig. 26 Definition of ERPG 1-3

8 SIL analyses

8.1 Safety integrity (Yara Green Rule)

The safety integrity of a safety function is the probability of a safety related system
satisfactorily performing the required safety functions under all the stated conditions
within a stated period of time.
SIL (Safety Integrity Level) denotes discrete levels of unreliability of safety functions
according to the table below.

Table 30 SIL levels and unreliability

SIL level | Unreliability (PFD) in low demand mode operation | Frequency of dangerous failure in high demand/continuous mode operation, per hr
1 | Less than 0.1 | Less than 10^-5
2 | Less than 0.01 | Less than 10^-6
3 | Less than 0.001 | Less than 10^-7
4 | Less than 0.0001 | Less than 10^-8

The middle column usually applies in the process industry. If demands are frequent, the
failure frequency should be checked, i.e. the right column should be used.
The higher the safety integrity level, the higher the probability that the required safety
instrumented function will be carried out.
The fourth level is very rarely in use in the process industry. If a SIL 4 is identified in a
process, a re-design of the process is recommended.
In designing for safety integrity all causes of failures should be considered, such as:
- Incorrect specifications of the system, hardware or software
- Omissions in the safety requirements specifications (e.g. failure to develop relevant
safety functions during different modes of operation)
- Random hardware failure mechanisms
- Systematic hardware failure mechanisms
- Software errors
- Common cause failures
- Human error
- Environmental influence (e.g. electromagnetic, temperature, mechanical phenomena)
- Supply system voltage disturbances (e.g. loss of supply, reduced voltages, reconnection of supply)
- Loss of air and hydraulic supply
- Fail to safety on loss of electrical supply, air or hydraulic supply
Some failure types, in particular random hardware failures, may be quantified using
such measures as the failure rate in the dangerous mode or the probability of a safety
function failing to operate on demand. Systematic failures cannot usually be quantified
but can only be considered qualitatively.


8.2 Determination of SIL (Yara Green Rule)

When HAZOP studies are performed for process plants, a SIL assessment should be
performed. SIL analyses may be based on e.g.:
- P&ID
- Safety functions identified in the HAZOP study, documented in shutdown/trip/interlock
matrices, and safety functions identified in the P&IDs
- Qualitative risk analysis, such as Hazard Identification
- Quantitative Risk Analysis (QRA)
- Safety functions from ISO 10418 (API RP 14C)
- Reports from operation and maintenance of the actual or similar plants
- Personal experience of people from safety, process, instrumentation and maintenance
in the actual or similar plants
- Generic failure data banks
- Accident data banks
Requirements for the safety integrity of safety functions are determined by the risk of
identified incidents, according to IEC 61508 / 61511, where risk based design of safety
functions is discussed. The method described here is based on a ranking of the
consequence and frequency of potential incidents and accidents. The first two tables
below are used to determine the SIL requirements. It should be emphasised that the
methodology described should primarily be applied to instrument based process safety
functions. The process safety functions must be assessed in a total risk and risk
reduction context. The first table shows the consequence ranking:
Table 1 Ranking of consequences

Level | Consequence on people | Consequence on environment | Consequence on material values | Cost
Catastrophic | Several fatalities | Damage with recovery time more than 5 years. International public attention. | Major plant damage, complete demolition of plant. Production cessation. | > 10M
Critical | One fatality | Damage with recovery time less than 5 years. Evacuation of neighbourhood required. National public attention. | Major damage to equipment, break-down of main process equipment like reactors, crackers, pipelines etc. Major quality or production loss. | < 10M
Dangerous | Permanent injury | Damage with recovery time less than 2 years. Warning of neighbourhood required. Local public attention. | Considerable damage to equipment, ruptures etc. Considerable quality or production loss. | < 1M
Some danger | Medical treatment | No durable damage, release causing unpleasant smell outside site area. | Minor damage to equipment, fire with limited extent, emission of toxic, flammable or hot substances etc. Small quality or production loss. | < 0.1M
Minor damage | First aid | Insignificant damage. | Insignificant damage, small emission of water, air, nitrogen, steam etc. No quality or production loss. | < 10.000

For mitigating systems and for external risk reduction systems the utility of a SIL
methodology is, as pointed out earlier, not always straightforward, as the complete risk
reduction in connection with mitigating systems and manual interactions must be
assessed.
A SIL assessment is most practically started by ranking the material damage, since the
material consequences are easiest to estimate. On assessing the personnel injuries, it is
necessary to assess the likelihood of people being present, and exposed if present, and
the probability of getting away to avoid exposure, or of having effective use of protective
equipment. If an acceptable risk reducing measure for material damage is determined,
risk reducing measures for personnel and environment are also taken care of in most
cases. Thus, the first step should be to define the safety functions / risk reducing
measures applicable to material values, and check whether the measures are acceptable
as safety barriers for people and for the environment as well.
SIL requirements are determined according to the table below. The requirements fit in
with the recommended risk acceptance criteria and the matrix for Hazard Identification
(Rapid Risk Ranking). It is important to note that in the SIL assessment, the frequencies
shall be estimated for the process without the safety system.
In a SIL determination the frequency and the consequence must be linked together. A
single initiating event may have several possible consequences, each with its own
frequency. In such cases, it is important that frequency and consequence are coexisting
when using the table below.
Table 32 SIL determination (requirements based on ranking of consequences and
frequencies)

Frequency classes [yr-1]:
A Nearly impossible: < 10^-4
B Most unlikely: 10^-4 - 10^-3
C Unlikely: 10^-3 - 10^-2
D Low probability: 10^-2 - 0.1
E Probable: 0.1 - 1
F Frequent: > 1

Consequence classes: 1 Safe, 2 Some danger, 3 Dangerous, 4 Critical, 5 Catastrophic.

Matrix entries:
- Consequence 1 (Safe) and 2 (Some danger): NO SIL REQUIREMENT.
- Frequency class F (Frequent): Reliability analysis. Re-design of process or control system.
- Consequences 3 to 5 at frequency classes A to E: SIL 1, SIL 2 or SIL 3, the requirement
increasing with both frequency class and consequence class. In this copy the individual
cells read, in source order, SIL 1 before the table body; SIL 1, SIL 1, SIL 2 after the label
3 Dangerous; SIL 1, SIL 2, SIL 3, SIL 2, SIL 3, SIL 3 after 4 Critical; and SIL 1, SIL 1
after 5 Catastrophic. Their exact column positions are not recoverable from this copy.

If any SIL 3 level is identified, a reliability study should be performed. If the
consequences are catastrophic, a quantitative risk analysis shall be carried out, and
risk-reducing measures must be implemented according to the results of the QRA.
The column F (high frequencies) rarely applies to continuous processes, but may be
applicable to batch processes. If applicable, a reliability analysis should be carried out
and/or the process and control system should be redesigned. Redesign of the control
system may, e.g., be taken care of by implementation of safety related functions in the
control system, and in this way reduce the frequency of excitation of the safety system.
For equipment belonging to several safety functions / risk reducing measures, an
additional assessment with the total expected demand frequency should be performed.
This is often the case for final elements (i.e. valves, switches, etc).
If the ranked consequences are 2 or 3, and for material values, then, according to the
ALARP principle, a cost-benefit analysis may act as the basis for decisions on further safety
barriers. If the costs are higher than the benefit from implementing risk reduction
measures, the recommendations listed in the SIL table may be departed from.
The probability of injuries to personnel may be reduced by designing the work place so
that personnel work remote from the hazardous area and are not exposed to the
hazards involved. Adequate operating procedures must be available and routines
implemented. Exemptions may be defined, but in such cases the safety standard must be
kept at a high level by extraordinary measures or extraordinary operating conditions.
For recording of data from a SIL study of a safety function, a form as in the table below
could be used.
There is not a one-to-one connection between the risk matrix (Table 7) and the SIL
matrix (Table 35), since the risk matrix has three levels (low, medium and high risk)
and the SIL matrix has four (no SIL, SIL 1, SIL 2 and SIL 3). There are also differences
in the frequency intervals used.
Explanations of the abbreviations used in the SIL form are:
- HS: Health and Safety
- E: Environment
- QE: Quality and Economy
- C: Consequence
- F: Frequency
- SIS: Safety Instrumented System
Hazardous events are all events which may endanger health and safety,
environment or quality and economy, such as:
- Leakage and release of flammable or toxic substances
- Rupture of equipment
- Explosions
- Runaway
- Mechanical breakdown of equipment
- Overheating of equipment
- Deposits on equipment
- Damage to intermediate and final products, catalysts


Causes of hazard are failures such as:
- Sensor failure
- Valve failure
- Control failure
- Operator failure
- Blocking of pipes
- Overheating
- Icing
- Wrong ratio of material flows
- Pumping against closed valves or blocked lines
- Carry-over of droplets to compressors
- Equipment flaw, creep or cracks
- Contamination of substances

Table 11 Form for documentation of SIL assessment, example

FL (Equipment Functional Location):                P&ID no:
Hazardous event:
Descriptions: Equipment | Function | Type | Cause(s) of hazard
Risks: HS (C, F) | E (C, F) | QE (C, F)
Risk reduction: Sensors | Logic | Final el. | Mechanical | Other, each with Class and SIL

Risk identification for a hazardous event (Yara Green Rule)

The consequences C are described in Table 33 above. A frequency is specific for an
event, and the same equipment may have several events with different frequencies. The
frequency for HS is often less than the frequency for E and QE, since the latter has to be
multiplied by the probability that
- people are present and exposed
- people present do not escape, or have no possibility to escape

Qualitative approach
The risks are estimated for the process without the safety system. The frequency estimate
can be based on phrases like:
- Is likely to happen every third year for this equipment (Frequency: E)
- Has happened once in the actual plant/equipment in 30 years of experience
(Frequency: E)
- Has never happened in the plant during 30 years of operation (D or C)
- Has never happened in any Yara plant / relevant equipment in 300 years of
cumulative experience (C)
- Is reported to have happened once worldwide in approximately 200 similar
installations (C or B)

Two examples are shown in Tables 34 and 35 below.

Table 34 Example of SIL form

FL (Equipment Functional Location): 2.01 E06A/B                P&ID no: YD002
Hazardous event: Leakage of steam into the process (NOx) gas
Descriptions:
  Function: Cooling of NOx gas by steam superheating and production of high pressure
  steam for the turbines
  Type: Super-heater
  Cause(s) of hazard: Pipe failure
Risks:
  HS: C = 1, F = D. No consequence. Has happened in Rostock and other NA plants in Yara.
  E: C = 1, F = D. No consequence. Has happened in Rostock and other NA plants in Yara.
  QE: C = 3, F = D. Have to stop the plant to repair. Has happened in Rostock and other
  NA plants in Yara.
Risk reduction:
  Sensors: Flow transmitter, F 1101
  Logic: Solid state logics
  Final el.: DBB (Double Block and Bleed) valves, HI 1027 and HI 1037 for block, and
  HI 1036 for bleed
  Mechanical:
  Other:

Table 35 Example of SIL form

FL (Equipment Functional Location): H-264                P&ID no: 062-D303
Hazardous event: Internal leakage
Descriptions:
  Function: Evaporate LPG
  Type: U-tube HE
  Cause(s) of hazard: Equipment degradation
Risks:
  HS: Rupture of secondary steam circuit. Leakage and people present and failure of
  control loop PIC02101.
  E: Rupture of secondary steam circuit.
  QE: Leakage and failure of control loop PIC02101.
Risk reduction:
  Sensors: Pressure transmitters, PZH02102ABC, 2oo3 structure
  Logic: SIL 3-approved PLC
  Final el.: PZV 09058/59, ESDV02024, PZV 02135, valves in 1oo3 structure. In
  addition the valve ESDV 02299.
  Mechanical: Safety relief valve, RV 02046
  Other:
Quantitative approach: the risk frequency is estimated from failure data and a fault tree. An example for a control loop is shown in the fault tree in figure 27. The risk reduction achieved by a safety relief valve is included, as explained in the next section.
[Figure 27 (fault tree drawn with CARA Fault Tree 4.1): top event "Rate of demand on the Safety Instrumented System (SIS)" (Demand). Inputs: "Fail to danger in the control loop" (Control failure), built from "Fail to danger of the pressure transmitter in the control loop" (Sensor, Lambda=8e-007), "Fail to danger of the DCS function" (DCS, Lambda=3e-007) and "Fail to danger of the control valve, globe valve" (Valve, Lambda=2e-006); and "Average probability of failure of the safety relief valve" (SV, Lambda=1,4e-006, Test interval=4e+004).]
Figure 27 Demands on SIS: control loop failure and safety valve risk reduction
The qualitative approach is usually recommended for the following reasons:
- Quantitative failure data are not available for the actual scenario
- The discussion involves people from operation, who take ownership of the problem
- The frequency estimates will improve in accuracy when SIL analyses are carried out throughout the company
- The approach of generic SIL analysis for Yara and discussion between plants will improve the estimates
Typical failure classifications are:
- Control loops: D
- Control loops, heavy duty: E
- Control failure and operator failure, coincident: C
- Starting a pump against a closed valve, operator failure: E
- Broken shaft or coupling in rotating equipment: D
- Axial displacement or vibration in rotating equipment causing destruction when not monitored: D
- Destroyed bearings when not monitored: D
- Leakage in firebox, danger of explosion: D

The qualitative estimates can be combined with generic failure data for leakages and ruptures.
8.3 Total risk reduction for a specific event


As described in previous chapters the total risk reduction can be achieved by:
1. Instrument based safety functions
2. Alternative technology based safety functions
3. External risk reduction
The total probability of failure is the probability that all risk reduction measures fail. That is, the total safety integrity (unreliability) is the product of the safety integrities of the electronic based safety functions, the mechanical safety functions and the external risk reduction:
{Prob. of failure}TOTAL = {Prob. of failure}1 x {Prob. of failure}2 x {Prob. of failure}3
Example: We assume a liquid tank with a LZH instrument based safety function, a safety relief valve SV and a bund wall to collect spill. The total safety integrity is then the probability of not containing the substance in the bund in case of a demand. The demand scenario is rupture of the tank when a pump is running against a completely filled tank. The demand will cause effluent outside the bund if none of the risk reducing measures is functioning. If the LZH function has a failure probability of 0.06, and the SV and bund wall 0.07 and 0.05 respectively:
{Prob. of failure}TOTAL = 0.06 x 0.07 x 0.05 ≈ 0.0002
The total SIL level, SIL_TOTAL, is derived from the estimated probability of failure, {Prob. of failure}TOTAL. By use of the SIL tables, the following conservative approximation can be used:
SIL_TOTAL = SIL_SIS + SIL_ALTERNATIVE + SIL_EXTERNAL
The terms SIL_TOTAL, SIL_ALTERNATIVE and SIL_EXTERNAL are not defined in IEC 61511/61508. They are used here since these measures contribute to risk reduction in the same way as instrument based safety functions.
Example continued: In the above example the result for total risk reduction is SIL 3. If the safety integrity of one or both of the safety functions or the bund (a risk reduction measure) was lower, the total result could be on SIL 4 level. Hence the approximation in (9.2) is conservative, as it gives an upper limit.

INTERNAL
PROCESS SAFETY HANDBOOK

84 of 129

2011-04-04

SIL for mechanical safety functions, general guidelines

The guidelines presented in the table below may be used in order to assess the total risk reduction for mechanical safety functions. The table should be used to get an overall understanding of the requirements and guidelines when designing instrument based safety functions, and not for the design of mechanical safety functions.
Table 36 SIL for mechanical safety functions, general guidelines
Columns: Level; Equipment; Normal availability; High availability
Level: SIL 1
  Equipment: Safety valve, Check valve, Rupture disk
  Normal availability: Single, T=2 or 4, upon assessment
Level: SIL 2
  Equipment: Safety valve, Check valve, Rupture disk
  Normal availability: Single
High availability:
  In general not recommended
  A: Redundancy 2x100%, 3x50%, T=2 or 4, upon assessment
  B: Single, T=1, separate assessment
  In general not recommended
  Single
  In general not recommended

SIL for external risk reduction, general guidelines

Measures for offsite risk reduction are mitigating measures against gas dispersion and explosion, safety distances, emergency preparedness actions, and operator actions. In order to assess the total risk reduction, the guidelines presented in the table below for offsite risk may be used. The table should be used to get an overall understanding of the requirements and guidelines when designing instrument based safety functions, and not for the design of offsite risk reduction measures. Offsite risk reduction should be assessed by risk analysis. If manual actions are included in the risk reduction measures, e.g. operator actions or emergency response, a Job Safety Analysis should be carried out, and appropriate procedures for the actual tasks should be prepared.
Table 37 SIL for external risk reduction, general guidelines
Level | Safety barriers (risk reducing measures) | Comments
SIL 1 | Mitigation against gas dispersion, explosion | Risk analysis
SIL 1 | Safety distance | Risk analysis
SIL 1 | Emergency preparedness | Risk analysis, procedures, time available for response
SIL 1 | Operator actions | Risk analysis, procedures, Job Safety Analysis
SIL 2 | Safety distance | Risk analysis

8.4 Examples of SIL analyses

8.4.1 Ammonia oxidizing unit


The purpose of an ammonia oxidation unit or burner in a nitric acid plant is to oxidize ammonia at a specified temperature.
Incident: A too high ammonia / air ratio in the burner will cause a strong exothermic reaction and a runaway. Temperature and pressure will increase uncontrolled, resulting in rupture of the burner, release of ammonia and NOx, major production loss and in the worst case an explosion.
The ammonia / air ratio can be high if:
- a fog of un-evaporated ammonia is reaching the burner
- the ratio control of ammonia and air has a dangerous failure
SIL determination: According to the table for ranking of consequences (table 8) the incident description above gives consequence ranking 4.
This event occurs when there are:
[{High level in the upstream ammonia evaporator} and {overload of the superheater on the evaporator outlet} and {overload / failure in the de-mister on the top of the evaporator}] or [{Control failure} and {operator failure by not acting on alarms}]
For the event to materialize two failures have to occur at the same time. A control failure typically has a frequency of 0.1 / year. Since another failure has to occur at the same time, the expected rate will be less than 0.1 / year, hence frequency ranking D (0.01-0.1 / year).
According to the SIL table, the required level is SIL 2.
Unreliability calculation
For a single 1oo1 loop the reliability block diagram will be as shown in the figure below.
[Figure 18: reliability block diagram with three blocks in series: TEMPERATURE SENSOR, LOGIC UNIT PLC, SOLENOID AND CONTROL VALVE]
Figure 18 Reliability diagram of a single temperature loop


Table 38 Reliability assessment of single temperature loop
Component | λDU [yr-1] | Structure | PFD, T=1 yr | PFD, T=2 yr | PFD, T=4 yr
Temperature sensor | 0.05 | 1oo1 | 0.025 | 0.05 | 0.1
Logic, PLC | 0.05 | 1oo1 | 0.025 | 0.05 | 0.1
Control valve/solenoid | 0.05 | 1oo1 | 0.025 | 0.05 | 0.1
Total safety unavailability for the safety function | | | 0.075 | 0.15 | 0.3

The table above shows that a single loop cannot satisfy more than SIL 1, and only with a 1-year test interval. If the valve is duplicated with an extra shut down valve, the reliability block diagram will be as in the figure below. A single non-fail-safe PLC is not adequate. We therefore calculate with a relay or solid-state logic system.

[Figure 29: reliability block diagram: TEMPERATURE SENSOR, LOGIC UNIT RELAY/SOLID STATE, followed by the SOLENOID AND CONTROL VALVE and the SHUT DOWN VALVE as a redundant (1oo2) pair]
Figure 29 Reliability diagram of a temperature loop with duplicated valve


If in addition there are procedures in place for monitoring the temperature sensor by:
- checking that the measurement signal is alive
- comparison with other sensor measurements
the sensor will have high diagnostic coverage (explained later), and the safety integrity will be according to the table below.
Table 39 Reliability assessment of temperature loop with duplicated valve
Component | Structure | λDU [yr-1] | PFD, T=1 yr | PFD, T=2 yr | PFD, T=4 yr
Temperature sensor | 1oo1 | 0.005 (high diagnostic coverage) | 0.003 | 0.006 | 0.012
Logic, relay / solid state | 1oo1 | | 0.004 | 0.008 | 0.016
Double valve | 1oo2 | 0.05 | 0.0025 | 0.005 | 0.010
Total safety unavailability for the safety function | | | 0.0095 | 0.019 | 0.038
SIL 2 is now achieved with a one-year test interval and SIL 1 with a 4-year test interval.
To improve the reliability further, a 2oo3 system of temperature sensors can be used, as shown in the figure below. A fail-safe PLC and DBB (double block and bleed) valves are also shown.

[Figure 30: reliability block diagram: TEMPERATURE SENSORS 2oo3, FAIL SAFE PLC, DBB VALVES]
Figure 30 Reliability diagram of temperature loop, 2oo3 sensors, PLC and DBB valves
A calculation is shown in the table below.
Table 12 Reliability of temperature loop with 2oo3 sensors, fail safe PLC and DBB valves
Component | λDU [yr-1] | Structure | PFD, T=1 yr | PFD, T=2 yr | PFD, T=4 yr
Temperature sensor | 0.005 (high diagnostic coverage) | 2oo3 | 0.003 | 0.006 | 0.012
Logic, fail safe | | | 0.0006 | 0.0012 | 0.0024
Double valve (DBB) | 0.005 | 1oo2 | 0.0025 | 0.005 | 0.01
Total safety unavailability for the safety function | | | 0.0061 | 0.012 | 0.024

Comment: To improve the reliability further and reach SIL 2 with 4-year test intervals, more sensors must be applied (upstream, to detect ammonia fog or dangerous ratio control failure) and the valves must be tested more often. A way of monitoring the valve is by use of limit switches in both end positions. Then the closing time of each valve, which is a good indication of the condition of the valve (sticking and clogging), can be measured by e.g. an event recorder. Procedures must be in place to follow up the recordings.

In this example we have focused on the integrity of the safety function, and assumed that the functional requirements are met, i.e. that the temperature transmitters are sensitive enough (give a significant response when the flow of ammonia exceeds the set point) and fast enough (give a response before a runaway reaction has come into being), and that the valves can close with sufficient speed to avoid a critical situation. Location of the sensors is important to avoid dead ends, insufficient residence time for evaporation, insufficient mixing etc. It might be necessary to do equipment modifications, for example to prevent bends or low points upstream of the burner where liquid ammonia can collect.
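The PFD figures in Tables 38 to 42 follow from each component's λDU, the proof-test interval T and the voting structure, summed over the loop. The Python below is an added example, not code from the handbook or from Yara: it reproduces the handbook's 1oo1 and 2oo2 arithmetic, uses the IEC 61508-6 simplified formulas with an assumed common-cause factor β = 0.1 for 1oo2 and 2oo3 (the handbook tabulates its own 1oo2/2oo3 values, which differ slightly), and applies the "duplicate the valve" option from section 8.4.5 to the fire-detection loop.

```python
"""PFD of a safety instrumented loop from component lambda_DU values, as in
the handbook's Tables 38-42 (section 8.4). Added example, not handbook code.

Assumptions (not from the handbook):
 - 1oo1: PFD = lambda_DU * T / 2; 2oo2: two 1oo1 channels in series
   (PFD = lambda_DU * T). These reproduce the handbook's 1oo1/2oo2 figures.
 - 1oo2 and 2oo3: IEC 61508-6 Annex B simplified formulas with a common-cause
   beta factor and no repair-time or lambda_DD terms. The handbook tabulates
   its own 1oo2/2oo3 values, which differ slightly from these.
 - Loop PFD = sum of the block PFDs (series structure), as in the handbook's
   "Total safety unavailability" rows.
"""
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple

BETA = 0.10  # assumed common-cause factor for redundant channels


@dataclass(frozen=True)
class Block:
    name: str
    lambda_du: float  # dangerous undetected failure rate per channel [1/yr]
    structure: str    # "1oo1", "1oo2", "2oo2" or "2oo3"


def block_pfd(b: Block, t_years: float, beta: float = BETA) -> float:
    """Average PFD of one block for proof-test interval t_years."""
    lt = b.lambda_du * t_years  # expected dangerous undetected failures per interval
    if b.structure == "1oo1":
        return lt / 2.0
    if b.structure == "2oo2":  # both channels must work: twice the 1oo1 value
        return lt
    if b.structure == "1oo2":  # IEC 61508-6 simplified: independent + common cause
        return ((1.0 - beta) * lt) ** 2 / 3.0 + beta * lt / 2.0
    if b.structure == "2oo3":
        return ((1.0 - beta) * lt) ** 2 + beta * lt / 2.0
    raise ValueError(f"unsupported structure {b.structure!r}")


def loop_pfd(blocks: Sequence[Block], t_years: float, beta: float = BETA) -> float:
    """Series structure: the loop fails if any block fails (first-order sum)."""
    return sum(block_pfd(b, t_years, beta) for b in blocks)


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand band: SIL n <=> 10^-(n+1) <= PFD < 10^-n (0 = no SIL)."""
    if pfd >= 0.1:
        return 0
    n = 1
    while n < 4 and pfd < 10.0 ** -(n + 1):
        n +=1
    return n


def assess(blocks: Sequence[Block], intervals: Sequence[int] = (1, 2, 4),
           beta: float = BETA) -> Dict[int, Tuple[float, int]]:
    """Loop PFD (rounded) and achieved SIL for each proof-test interval in years."""
    out = {}
    for t in intervals:
        pfd = loop_pfd(blocks, t, beta)
        out[t] = (round(pfd, 6), sil_from_pfd(pfd))
    return out


def limiting_block(blocks: Sequence[Block], t_years: float, beta: float = BETA) -> str:
    """Name of the block contributing most to the loop PFD (the one to improve first)."""
    return max(blocks, key=lambda b: block_pfd(b, t_years, beta)).name


# Constructed inputs using the handbook's lambda_DU values.
# Table 38: single temperature loop, all 1oo1.
SINGLE_TEMP_LOOP = [
    Block("Temperature sensor", 0.05, "1oo1"),
    Block("Logic, PLC", 0.05, "1oo1"),
    Block("Control valve/solenoid", 0.05, "1oo1"),
]
# Table 42: fire and smoke detectors treated as one 2oo2 sensor system.
FIRE_LOOP = [
    Block("Fire and smoke detectors", 0.004, "2oo2"),
    Block("Logic, fail safe PLC", 0.0012, "1oo1"),
    Block("Control valve/solenoid", 0.05, "1oo1"),
]
# Section 8.4.5 option "duplicate the valve": same loop with a 1oo2 valve pair.
FIRE_LOOP_DUPLICATED_VALVE = FIRE_LOOP[:2] + [Block("Duplicated valve", 0.05, "1oo2")]

if __name__ == "__main__":
    for label, loop in (("Table 38", SINGLE_TEMP_LOOP), ("Table 42", FIRE_LOOP),
                        ("Table 42, duplicated valve", FIRE_LOOP_DUPLICATED_VALVE)):
        print(label, assess(loop), "limiting block:", limiting_block(loop, 1))
```

With the assumed β the duplicated-valve fire loop reaches a PFD of about 0.0078 at T = 1 yr, i.e. SIL 2, which is the effect section 8.4.5 expects from duplicating the valve.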
8.4.2 Water pipe for steam wetting


Also this example is from a nitric acid plant. Steam is heated in a super-heater in the ammonia oxidizer unit. Water is injected into the input steam to the super-heater. The purpose of the steam wetting is to control the super-heater outlet steam temperature.
Incident: A possible adverse incident is leakage through the water valve of steam into the water during start-up, when the steam pressure is higher than the pressure on the water side.
SIL determination: The consequence of the leakage is over-temperature in the water piping, causing leakage and possible rupture. According to the table for ranking of consequences the ranking is consequence 2.
The expected frequency can be based on experience. People with a broad background in operation and in the process and instrumentation disciplines, taking part in the analyses, estimated frequency ranking E, 0.1-1 /yr.
According to the table for SIL determination, the required level is SIL 1.
Safety architecture: The safety function is based on sensors for temperature, and one dedicated shut down valve.
Reliability: The reliability calculation and discussion in the example above apply here also.
8.4.3 Steam drum
The purpose of the steam drum in this example is to keep a volume of water in a circulation loop and deliver steam at a specified pressure to a process unit.
Incident 1: Overpressure is an incident with major accident potential for a steam drum. An overpressure can cause a drum rupture.
SIL determination: A rupture of the drum can cause a fatality if people are in the vicinity, and the rupture will probably be so violent that people are near enough a substantial part of the time. In all cases a major equipment breakdown and a lasting production stoppage will result.
According to the table for ranking of the described consequences the ranking is consequence 4.
For the described consequence to materialize, the drum has to be completely filled with water. The valve in the circulation loop must be closed and this must not be observed. This is unlikely, and the frequency ranking C (0.01-0.001 / yr) is estimated.
According to the table for SIL determination, the required level is SIL 1.
Safety function: Two parallel 100% relief valves, i.e. a 1oo2 system, in this case provide overpressure protection.
Unreliability calculation: The table for safety integrity shows an unreliability for two parallel valves of 0.0008. This figure even satisfies SIL 3, with a 4-year test interval. The SIL requirement is clearly satisfied, but if the requirement had been SIL 3 the reliability of the actual solution should have been examined more closely with regard to for example clogging, rust in piping, sticking of safety valves due to corrosion etc.
Incident 2: The drum can be empty (dry) due to control failure.
SIL determination: The consequence will be a production stop and, more seriously, destruction of a boiler and parallel pumps in the water circulation loop.
Consequence ranking 3 is appropriate here.
The expected frequency is based on control failure and operator failure (not observing the level). This is in frequency area D (0.01-0.1 per yr), since the contribution from control failure alone is assumed to be 0.1 per yr.
The combination 3D corresponds to SIL 1.
Safety function: The safety function in this case consists of:
- 2oo3 level sensors, two switches and one analogue measurement
- Fail safe PLC, i.e. high diagnostic coverage
- Double block and bleed valves, closing off the supply of gas to the reactor producing the energy
A calculation is shown in table 41 below.
Table 41 Reliability of level loop with 2oo3 sensors, fail safe PLC and DBB valves
Component | λDU [yr-1] | Structure | PFD, T=1 yr | PFD, T=2 yr | PFD, T=4 yr
Level sensor | 0.005 (low diagnostic coverage) | 2oo3 | 0.0011 | 0.0022 | 0.0045
Logic, fail safe | | | 0.0006 | 0.0012 | 0.0024
Double valve (DBB) | 0.005 | 1oo2 | 0.0025 | 0.005 | 0.01
Total safety unavailability for the safety function | | | 0.0042 | 0.0084 | 0.0169

The SIL 1 requirement is met with a 4-year test interval.

Incident 3: A big leakage of steam will have the same adverse consequences as in incident 2 above.
Large leakages in circulation loops of this type have been experienced in the company in the last year. Adjusting for the number of such process units, the frequency is C, and the safety integrity level corresponding to 3C is SIL 1.
Safety function: The safety function is here as above.
Comment: In the two last cases the pumps can run dry, and it should be evaluated whether a safety function also should stop the pumps, or whether this action can be done manually when there is an alarm on level shut down. Possibly the pumps must run until overheating of the boiler is avoided.
8.4.4 Leakage of toxic gas to process hall
Leakage of nitrous gases (NOx) has been observed in nitric acid plants several times. These gases are very toxic.
Incident: Leakage of NOx, or of nitric acid reacting with black steel or another reducing agent, can cause injury if people are exposed unawares.
SIL determination: The frequency of leakages is estimated to be D, since it has occurred in a plant analysed. The consequence is expected to be 3.
Risk reduction: In this case the risk reduction will consist of:
- Use of gas masks; it is compulsory to bring gas masks when going to the process area
- Detection and alarm: analyses by hand-carried analysers for small leakages; large leakages are detectable by a drop in process pressure
- Procedures for operator interactions on gas detection
For people to be exposed directly to a release plume the barriers are the gas mask and escape or evasive movement, which is possible if the leakage is not too big and the situation is not awkward, as when the operator is on top of a ladder. The probability is very low for direct exposure of an operator by a gas flow plume, and exposure to a big release plume is most unlikely.
Exposure to a gas cloud in a process hall is prevented by alarm / detection and use of a gas mask.
Comment: The risk reduction is not quantified, since that is more complicated when it comes to human behaviour. The quality of the risk reduction should be qualitatively assessed, for example by looking at the number of safety barriers. At least two should be present if a SIL is identified.
If gas is present in a process hall, in some cases stopping the ventilation system can be a relevant risk reduction measure.
8.4.5 Fire in heavy rotating equipment
Fires linked to heavy rotating equipment, such as compressors, steam turbines and electrical power generators, have occurred recently.
Incident: The fires that have occurred started when oil for lubrication or hydraulic control leaked onto hot surfaces and ignited. Leakage sources have been fittings, hoses or piping.
SIL determination: The frequency of leakages is, from experience of incidents and the number of installations, estimated to be D (0.01-0.1 per yr). It is estimated that the consequence rating is 4 due to production stoppage, equipment damage and structural damage; the combination D4 is SIL 2.
Safety function: The safety architecture is here:
- Sensors: 2oo2 fire detectors and 2oo2 smoke detectors
- Fail-safe PLC
- Valve, opening on demand. Start of pump(s) for foaming may have to be considered as part of the safety function. Shut down of the rotating equipment is also a part of the safety function.
A reliability block diagram of the safety function is shown in the figure below.

INTERNAL
PROCESS SAFETY HANDBOOK

91 of 129

2011-04-04

F IR E D E T E C T O R S 2 oo2

F A IL S A F E P L C

VALVE

SM O K E D E T E C T O R S 2o o2

Figure 31 Reliability diagram of fire and smoke- detector loop with fail-safe PLC
and valve
Reliability calculations are shown in the table below. The sensors are calculated as one
2oo2 sensor system, not giving credit for redundancy, but assuming that they cover
different scenarios.
Table 42 Reliability assessment of fire and smoke-detector loop with fail-safe PLC and valve
Component | λDU [yr-1] | Structure | PFD, T=1 yr | PFD, T=2 yr
Fire detector and smoke detector (calculated as one 2oo2 sensor system) | 0.004 each | 2oo2 | 0.004 | 0.008
Logic, fail safe PLC | 0.0012 | 1oo1 | 0.0006 | 0.0012
Control valve/solenoid | 0.05 | 1oo1 | 0.0250 | 0.05
Total safety unavailability for the safety function | | | 0.0296 | 0.059

The solution is not SIL 2, and the valve is the reliability-wise limiting component.
To obtain the requirement, the following options are available:
- Duplicate the valve
- Document that the valve has better reliability than the generic data used here
- Provide a valve with certified SIL 2 capability
Comment: Functional requirements for this solution are:
- The extinguishing medium must not harm people if there is a spurious release; this can mean interlocks on doors to any noise hoods, and use of a non-hazardous substance.
- Provisions for containment of the extinguishing medium so that the effect on the machinery is adequate.
9 Layer of Protection Analysis (LOPA)
LOPA is a simplified form of risk assessment. LOPA typically uses order of magnitude
categories for initiating event frequency, consequence severity, and the likelihood of
failure of independent protection layers (IPLs = Safety Barriers) to approximate the risk
of a scenario. LOPA is an analysis tool that typically builds on the information
developed during a qualitative hazard evaluation, such as a (rapid) risk ranking.
Like many other hazard analysis methods, the primary purpose of LOPA is to determine
if there are sufficient layers of protection against an accident scenario (can it be
tolerated?). As illustrated in the figure below, many types of protective layers are
possible.
LOPA is a semi-quantitative tool for analysing and assessing risk. The basis of the
method comes from two publications. In the late 1980's, the then Chemical
Manufacturers Association (now the American Chemistry Council) published the
Responsible Care Process Safety Code of Management Practices which included
"sufficient layers of protection" as one of the recommended components of an effective
process safety management system (American Chemistry Council, 2000). In 1993,
CCPS published a guideline on safe automation of chemical processes. LOPA was
suggested as one method to determine the integrity level for the safety instrumented
functions (SIF). The initial development of LOPA was done within individual
companies.
Although LOPA can be used at any stage in the life cycle of a process, its most frequent
use is reported during the design stage or when modifications to an existing process or
its control or safety systems are made. The use of LOPA during the design stage is done
when the process flow diagram and the P&ID are essentially complete. LOPA is then
used to examine scenarios, as a part of the SIF design, or, as a part of a design study on
a system to evaluate generated options for design alternatives. It is also possible to use
LOPA during the conceptual design stage to examine basic design alternatives. It is
important to note that LOPA is not just focussing on the determination of the Safety
Integrity Level (SIL) for SIF but also on the determination and evaluation of other
safety related equipment.
LOPA is a simplified form of risk assessment as typically order of magnitude
categories for initiating event frequencies, consequence severity and the likelihood of
failure of independent protection layers (IPLs) are taken into account. Using this
information, the risk of a scenario is assessed. The method thus falls in between
qualitative methods like HAZOP, What-if or FMEA and a quantitative method like
QRA.

9.1 LOPA scenarios
A LOPA scenario consists of a single event -> cause -> LOC -> consequence chain.
The various parts of the chain are defined as:
Event: An event is an occurrence related to an accident scenario. A distinction can be
made between initiating and enabling events (or enabling conditions). The initiating
event is the event that starts the chain of events leading to the undesired consequence.
Three types of initiating events can be distinguished:
1. External events
2. Equipment failures
3. Human failures or inappropriate actions
An enabling event or enabling condition is an event or condition that is required for the
initiating event to unleash a scenario. Enabling events are neither failures nor protection
layers. They are expressed as probabilities. Examples of enabling events are start-up
phase, material present, ignition source present etc.
Cause: Condition or state resulting from the event(s) that allowed the LOC to occur.
Loss of containment (LOC): Loss of containment is defined as the top event in a
scenario that one aims to prevent from occurring. Examples of LOC are spill of
material, explosion, melting of (electrical) insulation.
Effect: The effects of an accident scenario are e.g. blast, dispersion of toxic materials,
heat radiation etc.
Consequence: The consequence is defined as the (undesired) outcome of an accident
scenario. Consequences are expressed in terms of material damage, environmental
pollution, injuries, fatalities or financial losses.
[Figure 32: LOPA scenario chain: Initiating event (together with an Enabling event) -> Cause -> LOC -> Effect -> Consequence. IPL 1, IPL 2 and IPL 3 are preventive layers placed before the LOC; IPL 4 is a mitigating layer after it.]
Figure 32 LOPA scenario


Compared with other techniques like QRA, a LOPA scenario represents one path
(typically to the worst consequence) through an event tree. Different branches in the
fault tree are covered by the different LOPA scenarios.
9.2 Methodology
The analytical LOPA method consists of a number of steps. Under the assumption that
scenarios have been developed in a previous study (during qualitative hazard evaluation
(HE) such as process hazard analysis (PHA), management of change evaluation (MOC)
or design review), the following steps can be distinguished:
1. Estimate the consequence and severity of a scenario for screening.
2. Select an accident scenario (single cause-consequence pair).
3. Identify the initiating event of the scenario and determine its frequency.
4. Identify enabling event or conditions (probability).
5. Identify outcome modifiers and their probability.
Outcome modifiers are for example probability of ignition, probability of personnel
in affected area or probability of fatal injury.
6. Determine the frequency of the unmitigated consequence (3*4*5).
7. Identify the IPLs and estimate the PFD of each IPL.
8. Estimate the risk of the scenario by mathematically combining the consequence, initiating event and IPL data.
9. Evaluate the risk to reach a decision concerning the scenario.
In this step, the risk of a scenario is compared with the tolerable risk criteria or related targets (company dependent or determined by legislation).
10. Decide how much additional risk reduction may be required to reach a tolerable risk level.
The different components of a scenario are shown in the figure below. Note that the place of the conditional modifiers must be regarded with care. Depending upon the type of modifier, these modifiers might not affect the effects of loss of containment in terms of physical effects (thermal radiation or blast) or toxicological effects. The modifiers do, however, affect the consequence in terms of severity (for example consequence class). The purpose of these modifiers is to assess the risk of a given scenario.

Figure 33 Components and structure of a LOPA scenario.

The accuracy of the numbers generated by a LOPA calculation depends on how detailed the method was applied. In principle, the numbers are not precise values of the risk of a scenario.
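The product rule of section 8.3 (total PFD as the product of the layers' PFDs, with SIL_TOTAL approximated by the sum of the SILs) and LOPA steps 3 to 10 above both combine independent layers multiplicatively. The Python below is an added example, not code from the handbook or from Yara: it checks the handbook's 0.06 x 0.07 x 0.05 tank example against the sum-of-SILs rule and works one constructed LOPA scenario (tank overfill with a dike as the only existing IPL); the initiating frequency, enabling probability, outcome modifier and tolerable-frequency target are assumed values, not Yara data or criteria.

```python
"""Combining independent protection layers: total risk reduction for one event
(section 8.3) and a LOPA scenario (section 9.2). Added example, not handbook
code. Assumptions: IEC 61508 low-demand SIL bands (SIL n <=> 10^-(n+1) <= PFD
< 10^-n); the LOPA scenario below is constructed for illustration, with a
tolerable-frequency target chosen here, not a Yara criterion.
"""
from dataclasses import dataclass
from math import prod
from typing import Dict, List


def sil_from_pfd(pfd: float) -> int:
    """SIL band of a PFD (0 = below SIL 1). IEC stops at SIL 4; the decade
    count is continued beyond that only so that comparisons stay meaningful."""
    if not 0.0 < pfd <= 1.0:
        raise ValueError(f"PFD must be in (0, 1], got {pfd}")
    n = 0
    while pfd < 10.0 ** -(n + 1):
        n += 1
    return n


# --- Section 8.3: total risk reduction for a specific event ----------------
def total_pfd(layer_pfds: Dict[str, float]) -> float:
    """Probability that every independent layer fails on the same demand."""
    return prod(layer_pfds.values())


def sil_exact(layer_pfds: Dict[str, float]) -> int:
    return sil_from_pfd(total_pfd(layer_pfds))


def sil_sum_approximation(layer_pfds: Dict[str, float]) -> int:
    """Handbook rule SIL_TOTAL = SIL_SIS + SIL_ALTERNATIVE + SIL_EXTERNAL."""
    return sum(sil_from_pfd(p) for p in layer_pfds.values())


def sum_rule_is_conservative(layer_pfds: Dict[str, float]) -> bool:
    """The sum never claims more SIL than the product gives: each layer's PFD
    is < 10^-SIL, so the product is < 10^-(sum of SILs)."""
    return sil_sum_approximation(layer_pfds) <= sil_exact(layer_pfds)


# --- Section 9.2: LOPA scenario, steps 3 to 10 -----------------------------
@dataclass(frozen=True)
class LopaScenario:
    name: str
    initiating_event_freq: float         # step 3 [1/yr]
    enabling_probabilities: List[float]  # step 4 (e.g. start-up phase)
    outcome_modifiers: List[float]       # step 5 (ignition, occupancy, fatality)
    ipl_pfds: Dict[str, float]           # step 7, existing IPLs
    tolerable_freq: float                # step 9 target [1/yr]

    def unmitigated_freq(self) -> float:
        """Step 6: f_IE x enabling probabilities x outcome modifiers."""
        return (self.initiating_event_freq * prod(self.enabling_probabilities)
                * prod(self.outcome_modifiers))

    def mitigated_freq(self) -> float:
        """Step 8: unmitigated frequency x product of the IPL PFDs."""
        return self.unmitigated_freq() * prod(self.ipl_pfds.values())

    def is_tolerable(self) -> bool:
        """Step 9: compare with the tolerable frequency."""
        return self.mitigated_freq() <= self.tolerable_freq

    def required_additional_pfd(self) -> float:
        """Step 10: PFD a further IPL (e.g. a new SIF) must reach; 1.0 if none."""
        if self.is_tolerable():
            return 1.0
        return self.tolerable_freq / self.mitigated_freq()

    def required_additional_sil(self) -> int:
        return sil_from_pfd(self.required_additional_pfd())


# Constructed scenario: tank overfill during filling, liquid spill, person present.
# Initiating event: level control loop failure, 0.1/yr (the handbook takes a
# control failure as ~0.1/yr). Existing IPL: dike, PFD 1e-2 (Table 43, CCPS value).
TANK_OVERFILL = LopaScenario(
    name="Tank overfill during filling",
    initiating_event_freq=0.1,
    enabling_probabilities=[0.5],   # tank is being filled half of the time (assumed)
    outcome_modifiers=[0.5],        # person present in the area (assumed)
    ipl_pfds={"Dike": 1e-2},
    tolerable_freq=1e-5,            # assumed target for this consequence class
)

if __name__ == "__main__":
    layers = {"LZH": 0.06, "SV": 0.07, "bund": 0.05}  # handbook example, 8.3
    print(total_pfd(layers), sil_exact(layers), sil_sum_approximation(layers))
    print(TANK_OVERFILL.mitigated_freq(), TANK_OVERFILL.required_additional_sil())
```

For the constructed scenario the dike alone leaves 2.5e-4 /yr against a 1e-5 /yr target, so an additional layer with PFD 0.04 (SIL 1) is required; adding a relief valve at PFD 1e-2 as a second IPL would make it tolerable.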

9.3 Example of failure data for Independent Protection Layers used in LOPA

Table 43 Example of failure data for Independent Protection Layers used in LOPA
IPL | Comments | PFD, from literature and industry | PFD recommended by CCPS
Relief valve | Prevents system exceeding specified overpressure. Effectiveness of this device is sensitive to service and experience | 1x10^-1 to 1x10^-5 | 1x10^-2
Rupture disc | Prevents system exceeding specified overpressure. Effectiveness of this device is sensitive to service and experience | 1x10^-1 to 1x10^-5 | 1x10^-2
Basic Process Control System | Can be credited as an IPL if not associated with the initiating event being considered | 1x10^-1 to 1x10^-2 (< 1x10^-1 not allowed by IEC) | 1x10^-1
SIL 1 Safety Instrumented Functions | Typically consist of: single sensor (redundant for fault tolerance), single logic processor (redundant for fault tolerance), single final element | 1x10^-1 to 1x10^-2 |
SIL 2 Safety Instrumented Functions | Typically consist of: multiple sensors, single logic processor, multiple final elements | 1x10^-2 to 1x10^-3 |
SIL 3 Safety Instrumented Functions | Typically consist of: multiple sensors (redundant for fault tolerance), single logic processor (redundant for fault tolerance), multiple final elements | 1x10^-3 to 1x10^-4 |
Dike | Will reduce the frequency of large consequences (widespread spill) of a tank overfill/rupture/spill/etc. | 1x10^-2 to 1x10^-3 | 1x10^-2
Underground Drainage System | Will reduce the frequency of large consequences (widespread spill) of a tank overfill/rupture/spill/etc. | 1x10^-2 to 1x10^-3 | 1x10^-2
Open vent (no valve) | Will prevent over-pressure | 1x10^-2 to 1x10^-3 | 1x10^-2
Fireproofing | Will reduce the heat input and provide additional time for de-pressuring/firefighting/etc. | 1x10^-2 to 1x10^-3 | 1x10^-2
Blast-wall/Bunker | Will reduce the frequency of large consequences of an explosion by confining blast and protecting equipment/buildings/etc. | 1x10^-2 to 1x10^-3 | 1x10^-3
Inherent safe design | If properly implemented can significantly reduce the frequency of consequences associated with a scenario. | 1x10^-1 to 1x10^-6 | 1x10^-2
Flame/detonation Arrestors | If properly designed, installed and maintained these should eliminate the potential for flash-back through a piping system or into a vessel or tank | 1x10^-1 to 1x10^-3 | 1x10^-2

10 Quantitative Risk Analysis (QRA)

The major steps of a QRA are shown in the figure below.
[Figure 34: flow chart of a QRA: 1. Define the potential event sequences and potential incidents; 2. Evaluate the event consequences; 3. Estimate the potential accident frequencies; 4. Estimate the event effects (impacts); 5. Estimate the risk; 6. Evaluate the risk; 7. Identify and prioritise potential risk reduction measures]
Figure 34 Steps of a QRA
The steps are:
1. Define the potential event sequences and potential incidents. This may be based on
qualitative hazard analysis for simple or screening level analysis. Complete or complex
analysis is normally based on full range of possible incidents for all sources.
2. Evaluate the incident outcomes (consequences). Some typical tools include vapour
dispersion modelling and fire and explosion effect modelling.
3. Estimate the potential incident frequencies. Fault tree or generic databases may be used for
the initial event sequences. Event trees may be used to account for mitigation and post
release events.
4. Estimate the incident impacts on people, environment and property.
5. Estimate the risk. This is done by combining the potential consequence for each event with
the event frequency, and summing over all events.
6. Evaluate the risk. Identify the major sources of risk and determine if there are cost-effective process or plant modifications which can be implemented to reduce risk. Often this can be done without extensive analysis. Small and inexpensive system changes sometimes have a major impact on risk. The evaluation may be done against legally required risk criteria, internal company guidelines, comparison with other processes or more subjective criteria.
7. Identify and prioritise potential risk reduction measures if the risk is considered to be excessive.

A total quantitative risk analysis for a plant involving major hazards is normally used to gain a picture of the total risk contribution from the plant to its surroundings. A total QRA reflects the complete risk which a unit represents. This differs from qualitative techniques, which show the risk of individual hazards or events.
The objective is normally to assess the acceptability of a plant, i.e. the need for improvements. Other possible objectives include comparison of various design / placing options, assessment of the effect of various actions, identification of the largest risk contributions, and the provision of a basis for contingency planning or for risk communication with the local authority or the community living near the site. The risk is normally described with an individual risk measure (risk contours) or a societal risk measure (Frequency versus Number of fatalities (FN) curve).
10.1 When is a QRA or CQRA done

It is recommended to carry out a QRA (in some countries this is required):
 as part of the conceptual risk evaluation. In this project phase the QRA is coarse (CQRA), since other safety and risk studies have not yet been done and the effect of risk reduction by safety systems is not considered
 as part of Seveso II reporting
 on request from plant management

10.2 Plant data

A set of scenarios is defined, as described above. Generally these are failures of equipment containing hazardous material, causing an accidental release.
Failure frequencies for the events are estimated from generic failure frequencies, which are based on acknowledged databases, as described in previous sections.
The following information is needed regarding the plant and processes:
 Complete and updated P&ID for all relevant process sections, including number, type, size and location of process equipment
 Process flow diagrams
 Results from Rapid Risk Ranking, HAZOP analysis or hazard identification, if performed
 Specification of relevant emergency procedures
 Detailed description of emergency shutdown systems
 Frequency and duration of identified activities (loading of road tankers, ships etc.)
 Detailed plot plan of the plant, and local maps of the surrounding area
The time to isolation of a release is estimated taking into account manual or automatic detection and shutdown, and the time for emptying the leaking volumes.

Some releases cannot be isolated; these will last until the reservoir is empty. Most of the durations are given as a sum of three terms, representing the time for detection/diagnosis, the time for visual inspection and the time for isolation respectively. When manual intervention in the hazardous area is required, some form of protection is necessary, and time must be allowed for this; this time must be considered case by case. In most cases two durations are given, one short and one long. This is most relevant for toxic gases; for flammable gases it is adequate to use the short duration.
The long duration takes into account the possibility of detector failure, unfavourable wind direction, wrong diagnosis etc.
The appropriate mode of detection must be considered carefully. For example, detection by process variables (e.g. flow or pressure measurement) is only applicable when the release is a major part of the normal flow.
When flammable gases are involved, ignition sources are modelled using information on the types of area involved, specific ignition sources etc.
10.3 Off site risk

The figure below illustrates the necessary input and output elements of a quantitative risk analysis of "off-site" risk.

Figure 35 QRA for off-site risk


In order to produce FN curves, information on the location and number of people is necessary. Information is required on:
 The residential areas: the number and placing of houses, an assessment of how many people are present during day, night and in summer, and the proportion of people indoors vs. outdoors
 How many people are at work during the day and where they are working
 Placing of schools, hospitals etc. and the number of people present: daytime, evening, night-time, weekends
 Traffic on main roads passing the plant
 Industrial areas: placing and number of people daytime, evening, night-time, weekends
 Public assembly areas: placing, when/how often they are used and how many people are gathered for how long
 Whether there are major seasonal differences

This information is not necessary for risk contours.


Meteorology data
Local weather statistics (wind rose and velocity) along with atmospheric stability
classes form the raw meteorological data input. These data determine how a release will
disperse and spread.
10.4 On site risk

Design accidental events
QRA with respect to on-site risk is mainly related to identifying design accidental events, i.e. events which should be used to define design criteria for buildings, detection systems etc. A design accidental event for a specific installation is an event with such serious consequences that the probability of a more serious event is smaller than a predefined acceptance criterion. When the design accidental event is identified, buildings etc. should be designed to withstand this accident, or process modifications should be made in order to produce a less serious design accidental event. The figure below illustrates the necessary input data for performing an on-site risk analysis.

Figure 36 Illustration of the necessary input and output elements of a QRA of on-site risk
The procedure is as follows:
1. Identify all relevant accident scenarios.
2. Estimate the probabilities and consequences of the accident scenarios.
3. Rank the scenarios in order of decreasing consequence. The parameter(s) quantifying the consequences will depend on the type of accident considered, and the ranking will normally need expert judgement.
4. Calculate the cumulative (aggregate) probability of the scenarios, starting at the top of the list produced in step 3.

5. The design accidental event is found when the cumulative probability reaches the acceptance criterion. If necessary and relevant, an interpolation method should be used.

Normally, the first approach will be to screen the events identified in step 1 and to calculate both consequences and probabilities at a reduced level of detail, with the main objective of getting the ranking in step 3 correct. When a design accidental event is identified, a few of the largest contributing events may be recalculated with a higher level of detail to give the final answer.
Often one type of major hazard (fire, explosion or toxic exposure) dominates, and the
design accidental event is calculated according to this hazard. However, sometimes it is
necessary to evaluate more than one hazard. Since relative rating of potential events
involving different hazards can be very complicated, in practice each type of hazard is
ranked by itself, and the corresponding design accidental event is identified for
explosions, fires and toxic releases respectively according to the same criterion.
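The ranking, cumulative-probability and interpolation steps of the procedure above, together with the FN (societal risk) measure from section 10.3, as an added example that is not part of the handbook. The scenario list, its frequencies, consequences and fatality counts, and the acceptance criterion of 1 x 10-4 per year are constructed values chosen for illustration, not Yara criteria.

```python
"""Design accidental event (DAE) selection and FN curve from a scenario list.

Added example, not from the Yara handbook. The scenarios, their frequencies,
consequences and the acceptance criterion are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float     # step 2: estimated frequency [per year]
    consequence: float   # step 2/3: ranking parameter, here peak overpressure at the control room [kPa]
    fatalities: int = 0  # for the societal risk (FN) measure


# Constructed scenario list (output of step 1); the values are illustrative only.
SCENARIOS: List[Scenario] = [
    Scenario("Small flange leak, jet fire", 2.0e-2, 5.0, 0),
    Scenario("10 mm hole, flash fire", 1.0e-3, 12.0, 1),
    Scenario("Full-bore pipe rupture, VCE", 5.0e-5, 30.0, 5),
    Scenario("Vessel rupture, VCE", 4.0e-6, 60.0, 20),
    Scenario("Bullet tank BLEVE", 5.0e-7, 120.0, 50),
]

ACCEPTANCE_CRITERION = 1.0e-4  # assumed placeholder [per year], not a Yara criterion


def rank_by_consequence(scenarios: List[Scenario]) -> List[Scenario]:
    """Step 3: most severe scenario first."""
    return sorted(scenarios, key=lambda s: s.consequence, reverse=True)


def design_accidental_event(scenarios: List[Scenario], criterion: float,
                            interpolate: bool = True) -> Optional[Tuple[str, float, float]]:
    """Steps 4 and 5: walk the ranked list accumulating frequency.

    The DAE is the first scenario at which the cumulative frequency of
    'this severe or worse' reaches the criterion. With interpolate=True the
    design consequence is taken between the previous scenario and this one,
    in proportion to where the cumulative frequency crosses the criterion.
    Returns (scenario name, design consequence, cumulative frequency), or
    None if the summed frequency of all scenarios stays below the criterion.
    """
    cumulative = 0.0
    prev_cumulative, prev_consequence = 0.0, None
    for s in rank_by_consequence(scenarios):
        cumulative += s.frequency
        if cumulative >= criterion:
            if interpolate and prev_consequence is not None:
                fraction = (criterion - prev_cumulative) / (cumulative - prev_cumulative)
                design = prev_consequence + fraction * (s.consequence - prev_consequence)
            else:
                design = s.consequence
            return s.name, design, cumulative
        prev_cumulative, prev_consequence = cumulative, s.consequence
    return None


def fn_curve(scenarios: List[Scenario]) -> List[Tuple[int, float]]:
    """Societal risk: for each fatality count N, the frequency of N or more fatalities."""
    counts = sorted({s.fatalities for s in scenarios if s.fatalities > 0})
    return [(n, sum(s.frequency for s in scenarios if s.fatalities >= n)) for n in counts]


def expected_fatalities(scenarios: List[Scenario]) -> float:
    """Step 5: risk as frequency x consequence summed over all events [fatalities per year]."""
    return sum(s.frequency * s.fatalities for s in scenarios)


if __name__ == "__main__":
    print("Design accidental event:", design_accidental_event(SCENARIOS, ACCEPTANCE_CRITERION))
    for n, f in fn_curve(SCENARIOS):
        print(f"F(N >= {n:2d}) = {f:.2e} per year")
    print(f"Expected fatalities: {expected_fatalities(SCENARIOS):.2e} per year")
```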
Calculation of design accidental explosion event or design accidental fire event
The following information is needed regarding the plant and processes:
 Complete and updated P&ID for all relevant process sections, including number, type, size and location of process equipment
 Process flow diagrams of all systems containing explosive or flammable chemicals
 Results from Rapid Risk Ranking, HAZOP analysis or hazard identification, if performed
 Specification of relevant emergency procedures
 Detailed description of emergency shutdown systems
 Frequency and duration of identified activities (loading of road tankers, ships etc.)
 Detailed plot plan of the plant, and local maps of the surrounding area
 Description of the various buildings and their design (if existing), use and manning

Calculation of design accidental toxic event
The following information is needed regarding the plant and processes:
 Complete and updated P&ID for all relevant process sections, including number, type, size and location of process equipment
 Process flow diagrams of all systems containing toxic chemicals, or where such chemicals can be produced
 Results from Rapid Risk Ranking, HAZOP analysis or hazard identification, if performed
 Specification of relevant emergency procedures
 Detailed description of emergency shutdown systems
 Frequency and duration of identified activities (loading of road tankers, ships etc.)
 Detailed plot plan of the plant, and local maps of the surrounding area
 Description of the various buildings and their design, use and manning
 Details of the ventilation systems and associated shutdown functions

Operator risk
A risk analysis regarding operator risk can also be performed. The term "when he/she is at work" implies that the calculated probability is not to be multiplied by the fraction of time the person is at work; in other words, the risk should be calculated as if he/she were at work continuously. On the other hand, "the average probability" implies that less hazardous activities during a normal working day or week should be accounted for.
Example: A person performs high-risk work one day a week. On this day, his probability of loss of life is calculated to be 2 x 10-3 per year. He works normal daytime, i.e. 5 days per week. The four other days of the week the probability of loss of life is calculated to be 3 x 10-4 per year. The time the person is not at work is not to be taken into account. Therefore, the average probability of loss of life for this person is: (2 x 10-3 x 1 + 3 x 10-4 x 4)/5 = 6.4 x 10-4 per year.

To calculate all the various risk contributions an employee is exposed to during a working day or year is a rather cumbersome and complicated task. This is normally not considered necessary. In most cases, an analysis related to this criterion is only performed when considering specific activities exposed to high risks, where there is doubt as to whether the risk is tolerable. A practical approach when performing a study is to calculate only the high-risk contribution. If the result does not comply with the criterion, the situation is unacceptable and actions are needed. If the result is within the criterion, a qualitative judgement of the situation is made with respect to the other risk contributions and how much of the criterion is "left" for these risks.
Example: An employee performs hot work in a process area containing explosive gas 50% of her working time. The risk of fatal explosion or fire accidents when performing this work is found to be 5 x 10-4 per year. Since she only performs this activity 50% of the time, the contribution from fires/explosions to the average probability of loss of life when she is at work is 2.5 x 10-4 per year. Since this activity is considered to be the most hazardous the employee is performing, compliance with the criterion is assumed.

In some cases it can be documented through experience from the plant in question or similar plants that the risk to personnel is below the criterion. In other cases, a separate study needs to be performed. Useful data sources include:
 Statistics from accidents and near-miss situations at the plant in question or from similar plants
 Expert judgement, using experienced operators as experts and probability experts as interviewers
 Man-machine analysis with respect to the probability of human errors
 Consequence analyses with respect to fatality probability in case of exposure. For other types of accidents (e.g. falling objects, molten metal splashes etc.), each case needs to be evaluated individually

Uncertainties in risk analyses

A quantified measure of risk, for instance the individual risk of death, is generally calculated as a function of a set of parameters. The values of these parameters are uncertain because:
 They may be estimated from models that are not exact
 They may be estimated from a limited amount of data
 They may vary in time and space

11 Failure Data relevant for Safety Functions

11.1 Data sources
The failure data are mainly based on:
EXIDA: Safety Equipment Reliability Handbooks 1-3, third edition, exida.com L.L.C.
OREDA: Offshore Reliability Data, DNV and Technical, 1997 and 2002
The following sources for failure data are referred to in this chapter and recommended for use in a few cases:
SARA: Handbook of Safety Risk Assessment, Hydro Corporate Health Security Safety & Environment, Appendix A, 2000 (used also by former Hydro Agri)
PDS: Reliability Data for Control and Safety Systems, SINTEF STF75F94056, January 1995
Cookbook: Dowell, A.M. and Green, D.L.: Formulate Emergency Shutdown Systems by Cookbook, Chemical Engineering Progress, April 1998
Smith: Smith, D.J.: Reliability, Maintainability and Risk, Butterworth-Heinemann, London, 1999
11.2 Factors influencing the reliability

The criterion for use of Yara recommended reliability data is:
A factor frel is calculated from fV, fT and fO as shown in Table 44 below. Yara recommended failure data can be used if the factor frel > 50.
Factors influencing the reliability are:
fV : vulnerability, fV = 1-4, where 1 is not vulnerable and 4 is highly vulnerable
fT : technology, fT = 1-9, where 1 is the highest quality of SIS and 9 is low
fO : organization quality, fO = 1-3, where 1 is the highest quality and 3 is low
Table 44 Criterion for use of Yara recommended reliability data
Conditions influencing the reliability of SIS components, with the corresponding factor:
Unvulnerability of the SIS (fV = 1-4):
- Medium: clogging, erosion, corrosion, other degradation mechanisms
- Environment: corrosion, dust, hot air, cold air, icing, clogging substance
- Other: external physical impact, vibration
Technology of the SIS (fT = 1-9):
- Certificate from recognized body, Yara Best Practice or Good Engineering Practice
- Assurance of adequate response to the hazards to be covered, i.e. functionality analysis of SIS
- Monitoring that components are not worn or torn
- Adequate HMI: condition of safety function can be monitored from control room or by inspection
Site organization (fO = 1-3):
- Certificates: ISO 9001, ISO 14001, OHSAS 18001
- Use of Brilliance or equivalent system
- Use of maintenance management system (SAP etc.) wrt. work orders, experience feedback
- Adequate program for proof testing, inspection or systematic maintenance in general
- Quality of documentation (wrt. drawings, manuals, procedures, operator training)
frel = fV x fT x fO
11.3 Continuous and Demand mode operation

In SIL calculations a distinction is made between two modes of operation: continuous mode operation and demand mode operation.
Demand mode of operation (= low demand mode) is normally used in the process industry. The demand to activate the safety instrumented function is infrequent compared to the proof test interval: the demand interval is greater than twice the proof test interval.
Continuous mode of operation (= high demand mode) is used when the demand rate is high: the demand interval is less than twice the proof test interval. This mode of operation applies in the machine industry and in avionics.
The workbook for reliability calculation does not apply in continuous mode operation.
SIL (Safety Integrity Levels) for demand mode are:
Table 45 SIL for demand mode of operation
SIL | Probability of failure on demand
1 | < 0.1
2 | < 0.01
3 | < 0.001
4 | < 0.0001

11.4 SIL capability
SIL capability specifies the Safety Integrity Level (SIL) that the equipment item / type has been certified for per IEC 61508 by an independent third party.
The data presented in this handbook are generic and not for specific suppliers or equipment items / types. For specific data, refer to the EXIDA handbooks / databases.

11.5 Presentation of the most relevant failure data for safety functions

In this section failure data for the most commonly used components of safety functions are presented. In the tables below the following symbols are used:
λDU: rate of dangerous undetected failures
PFD: probability of failure on demand
T: proof test interval
For PDS data the following is also used in some cases:
PTIF: probability of failure not detected in proof test
The referenced literature takes into account the detection of failures in sensors, logic units and final elements.
11.6 Sensors
The term sensor here means the input unit to the logic unit. E.g., a sensor can be:
 Transmitter, with analogue signal to the logic unit
 Transmitter with analogue signal to a relay function, i.e. an analogue-to-binary unit providing a binary signal to the logic unit
 Switch, i.e. binary process sensor, position switch, limit switch or pushbutton
Data from various sources are shown in Table 46 below.

Table 46 Rate of dangerous undetected failures based on EXIDA, OREDA and other sources
Sensor type | EXIDA | OREDA
Temperature switch | 0.03 | 0.07
Temperature transmitter | 0.0026 | 0.07
Pressure switch | 0.03 |
Pressure transmitter | 0.0054 | 0.005
Flow switch | 0.03 | 0.03
Flow transmitter | 0.008 | 0.007
Level switch | 0.03 | 0.04
Level transmitter | 0.011 | 0.04
Fire and gas detectors: Catalytic hydrocarbon detector | 0.015 |
Fire and gas detectors: Fire/flame detector | 0.016 |
Fire and gas detectors: Heat detector | 0.017 |
Fire and gas detectors: IR gas detector | 0.0035 |
Fire and gas detectors: Oxygen detector | 0.05 |
Fire and gas detectors: Smoke detector | 0.014 |
Analysers: CO2 | 1 |
Analysers: Conductivity | 7.5 |
Analysers: Dew point | 0.7 |
Analysers: Hydrogen | 1 |
Analysers: Oxygen | 0.3 |
Analysers: pH | 3 |
Analysers: H2S | 0.7 |
Limit switch | 0.036 |
Position switch | 0.036 |
Pushbutton | 0.007 |
Relay | 0.006 |
Other sources given in the table (the row layout of this column was lost in extraction; values in table order):
Process sensors (PDS with PTIF, and Cookbook): 0.025, PTIF = 0.0005 (PDS); 0.07 (Cookbook); 0.005, PTIF = 0.0005 (PDS); 0.007 (Cookbook); 0.0007 (Cookbook); 0.001, PTIF = 0.0005 (PDS); 0.002 (Cookbook); 0.025, PTIF = 0.0005 (PDS); 0.07 (Cookbook); 0.001, PTIF = 0.0005 (PDS); 0.07 (Cookbook); 0.025, PTIF = 0.0005 (PDS); 0.01 (Cookbook); 0.005, PTIF = 0.0005 (PDS); 0.005 (Cookbook)
Other components: 0.044 (critical) (Smith, geometric mean, assumed that 50% of failures are dangerous undetected); 0.001 (Smith); 0.001, PTIF = 0.001 (PDS)

Yara recommended dangerous undetected failure rates for sensors are shown in Table 47 below.
Table 47 Yara rec. dangerous undetected failure rates for sensors (Yara Green Rule)
ID | Sensor type | λDU [per yr]
S1 | Temperature switch | 0.05
S2 | Temperature transmitter | 0.014
S3 | Pressure switch | 0.03
S4 | Pressure transmitter | 0.005
S5 | Flow switch | 0.03
S6 | Flow transmitter | 0.008
S7 | Level switch | 0.035
S8 | Level transmitter | 0.025
S9 | Fire and gas detector, catalytic hydrocarbon | 0.015
S10 | Fire and gas detector, fire/flame | 0.016
S11 | Fire and gas detector, heat | 0.017
S12 | Fire and gas detector, IR gas | 0.0035
S13 | Fire and gas detector, oxygen | 0.05
S14 | Fire and gas detector, smoke | 0.014
S15 | Analyser, CO2 | 1
S16 | Analyser, conductivity | 7.5
S17 | Analyser, dew point | 0.7
S18 | Analyser, hydrogen | 1
S19 | Analyser, oxygen | 0.3
S20 | Analyser, pH | 3
S21 | Analyser, H2S | 0.7
S22 | Limit switch | 0.036
S23 | Position switch | 0.036
S24 | Pushbutton | 0.007
S25 | Relay | 0.0054
S26 | Vibration sensor | 0.03

11.7 Logic solvers
The data for programmable logic (PLC) solvers presented herein are based on EXIDA, generic exida Comprehensive Analysis.
Table 48 Yara recommended failure data for logic solvers (Yara Green Rule)
ID | Logic solver type | λDU [per yr] | PFD
L1 | General purpose PLC, single | 0.016 |
L3 | Industrial PLC, single | 0.003 |
L5 | SIL 2 approved PLC (1oo1D) | 0.003 |
L6 | SIL 3 approved PLC (1oo2D, β = 0.02) | 0.0003 |
L7 | Industrial solid state, assumed 5 solid state units per safety function | 0.03 |
L8 | Industrial relay based, assumed 5 relays per safety function | 0.03 |

11.8 Final elements
Valves include accessories such as:
 I/P transducers
 Pneumatic interfaces
 Actuators

The data for final elements presented here are based on EXIDA, generic exida Comprehensive Analysis. PVST in the table means Partial Valve Stroke Test.
Table 49 Data for final elements based on generic exida Comprehensive Analysis
Type | Duty | Trip action | Test | λDU [per yr]
Ball valve | Clean service | Close full stroke | Normal | 0.007
Ball valve | Clean service | Close full stroke | PVST | 0.004
Ball valve | Clean service | Tight shut off | Normal | 0.014
Ball valve | Clean service | Tight shut off | PVST | 0.011
Ball valve | Clean service | Open on trip | Normal | 0.005
Ball valve | Clean service | Open on trip | PVST | 0.002
Ball valve | Severe service | Close full stroke | Normal | 0.012
Ball valve | Severe service | Close full stroke | PVST | 0.004
Ball valve | Severe service | Tight shut off | Normal | 0.03
Ball valve | Severe service | Tight shut off | PVST | 0.02
Ball valve | Severe service | Open on trip | Normal | 0.009
Ball valve | Severe service | Open on trip | PVST | 0.004
Globe valve | Clean service | Close full stroke | Normal | 0.006
Globe valve | Clean service | Close full stroke | PVST | 0.003
Globe valve | Clean service | Tight shut off | Normal | 0.02
Globe valve | Clean service | Tight shut off | PVST | 0.016
Globe valve | Clean service | Open on trip | Normal | 0.005
Globe valve | Clean service | Open on trip | PVST | 0.0016
Globe valve | Severe service | Close full stroke | Normal | 0.009
Globe valve | Severe service | Close full stroke | PVST | 0.003
Globe valve | Severe service | Tight shut off | Normal | 0.03
Globe valve | Severe service | Tight shut off | PVST | 0.025
Globe valve | Severe service | Open on trip | Normal | 0.009
Globe valve | Severe service | Open on trip | PVST | 0.003
Butterfly valve | Clean service | Close full stroke | Normal | 0.017
Butterfly valve | Clean service | Close full stroke | PVST | 0.013
Butterfly valve | Clean service | Tight shut off | Normal | 0.027
Butterfly valve | Clean service | Tight shut off | PVST | 0.024
Butterfly valve | Clean service | Open on trip | Normal | 0.016
Butterfly valve | Clean service | Open on trip | PVST | 0.011
Butterfly valve | Severe service | Close full stroke | Normal | 0.032
Butterfly valve | Severe service | Close full stroke | PVST | 0.026
Butterfly valve | Severe service | Tight shut off | Normal | 0.053
Butterfly valve | Severe service | Tight shut off | PVST | 0.047
Butterfly valve | Severe service | Open on trip | Normal | 0.027
Butterfly valve | Severe service | Open on trip | PVST | 0.02
Solenoid valve | | | | 0.005
Relay, circuit breaker | | | | 0.0054

Yara recommended data for final elements are shown in Table 50 below. The following simplifications are made in comparison to Table 49:
 Globe valves and ball valves are merged.
 The same data are used for "open on trip" and "close on trip".
 Tight shut off is omitted, since a requirement for tight shut off has to be solved by using special valve types, duplicated valves or double block and bleed, or requires a particular study.

In Table 50 the solenoid valves are included in the failure rates for the valves. In case PVST equipment is applied, it is assumed that the PVST includes a test of the solenoid.
Table 50 Yara rec. data for final elements (Yara Green Rule)
ID | Type | Duty | Test | λDU [per yr]
F1 | Ball valve and globe valve | Clean service | Normal | 0.011
F2 | Ball valve and globe valve | Clean service | PVST | 0.004
F3 | Ball valve and globe valve | Severe service | Normal | 0.017
F4 | Ball valve and globe valve | Severe service | PVST | 0.004
F5 | Butterfly valve | Clean service | Normal | 0.022
F6 | Butterfly valve | Clean service | PVST | 0.013
F7 | Butterfly valve | Severe service | Normal | 0.037
F8 | Butterfly valve | Severe service | PVST | 0.026
F9 | Relay, circuit breaker | | | 0.0054
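A worked PFD and SIL assessment of a demand-mode safety instrumented function built from the Yara Green Rule data in Tables 47, 48 and 50 and the SIL bands of Table 45 (section 11.3). This is an added example, not the handbook's reliability workbook: the simplified IEC 61508 low-demand formulas for 1oo1 and 1oo2 voting, the annual proof test interval and the sensor/logic/valve combinations are assumptions of the example.

```python
"""PFD and SIL of a demand-mode safety instrumented function (SIF).

Added example, not from the Yara handbook or its reliability workbook. The
λDU values are the Yara Green Rule data from Tables 47, 48 and 50; the
low-demand PFD formulas are the simplified IEC 61508 expressions and are an
assumption of this example, as is the proof test interval.
  1oo1: PFD ≈ λDU·T/2 (+ PTIF where PDS data are used)
  1oo2: PFD ≈ ((1-β)·λDU·T)²/3 + β·λDU·T/2
"""
from dataclasses import dataclass
from typing import Dict, List

# Yara Green Rule λDU [per year] (Tables 47, 48, 50)
LAMBDA_DU = {
    "S4 pressure transmitter": 0.005,
    "L3 industrial PLC, single": 0.003,
    "L6 SIL 3 approved PLC (1oo2D)": 0.0003,
    "F1 ball/globe valve, clean service, normal": 0.011,
    "F2 ball/globe valve, clean service, PVST": 0.004,
}

# Table 45: SIL bands for demand mode, checked from the most stringent down
SIL_BANDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du: float    # dangerous undetected failure rate [per year]
    voting: str = "1oo1"
    beta: float = 0.0   # common cause factor, used for 1oo2 only
    ptif: float = 0.0   # PDS probability of failure not detected in proof test


def pfd_1oo1(lambda_du: float, t_years: float, ptif: float = 0.0) -> float:
    return lambda_du * t_years / 2.0 + ptif


def pfd_1oo2(lambda_du: float, t_years: float, beta: float) -> float:
    lam_t = lambda_du * t_years
    independent = ((1.0 - beta) * lam_t) ** 2 / 3.0
    common_cause = beta * lam_t / 2.0
    return independent + common_cause


def subsystem_pfd(sub: Subsystem, t_years: float) -> float:
    if sub.voting == "1oo1":
        return pfd_1oo1(sub.lambda_du, t_years, sub.ptif)
    if sub.voting == "1oo2":
        return pfd_1oo2(sub.lambda_du, t_years, sub.beta)
    raise ValueError(f"unsupported voting {sub.voting}")


def sil_from_pfd(pfd: float) -> int:
    """SIL band from Table 45; 0 means the PFD does not even reach SIL 1."""
    for sil, limit in SIL_BANDS:
        if pfd < limit:
            return sil
    return 0


def assess_sif(subsystems: List[Subsystem], t_years: float) -> Dict:
    """Sensor, logic solver and final element act in series, so their PFDs add
    (adequate while each PFD is small). Returns the total PFD, the SIL and
    each subsystem's share, so the dominant contributor is visible."""
    contributions = {s.name: subsystem_pfd(s, t_years) for s in subsystems}
    total = sum(contributions.values())
    return {
        "pfd": total,
        "sil": sil_from_pfd(total),
        "dominant": max(contributions, key=contributions.get),
        "contributions": contributions,
    }


# Constructed SIF: single pressure transmitter -> industrial PLC -> ball valve without PVST
BASE_SIF = [
    Subsystem("S4 pressure transmitter", LAMBDA_DU["S4 pressure transmitter"]),
    Subsystem("L3 industrial PLC, single", LAMBDA_DU["L3 industrial PLC, single"]),
    Subsystem("F1 ball/globe valve, clean service, normal",
              LAMBDA_DU["F1 ball/globe valve, clean service, normal"]),
]

# Same function upgraded: 1oo2 transmitters (β = 0.02 as for L6), SIL 3 PLC, valve with PVST
UPGRADED_SIF = [
    Subsystem("S4 pressure transmitter", LAMBDA_DU["S4 pressure transmitter"],
              voting="1oo2", beta=0.02),
    Subsystem("L6 SIL 3 approved PLC (1oo2D)", LAMBDA_DU["L6 SIL 3 approved PLC (1oo2D)"]),
    Subsystem("F2 ball/globe valve, clean service, PVST",
              LAMBDA_DU["F2 ball/globe valve, clean service, PVST"]),
]

if __name__ == "__main__":
    for label, sif in (("base", BASE_SIF), ("upgraded", UPGRADED_SIF)):
        for t in (1.0, 2.0):
            r = assess_sif(sif, t)
            print(f"{label:8s} T={t:.0f} yr: PFD={r['pfd']:.2e} SIL {r['sil']}, dominant: {r['dominant']}")
```

Doubling the proof test interval drops the base function from SIL 2 to SIL 1, and in both variants the final element dominates the PFD, which is why the valve and its PVST matter more than the transmitter voting.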

11.9 Safety Relief Valves

Data from various sources for safety relief valves are shown in Table 51 below.
Table 51 Failure data for pressure relief valves, dangerous undetected failures
Source | Failure mode | λDU [yr-1]
SARA | Fail to open | 0.002
PDS | Fail to operate | 0.001 (PTIF = 0.001)
OREDA 92 (pilot operated) | Critical | 0.014
EXIDA | |

Yara recommended data for safety relief valves are shown in Table 52 below.
Table 52 Yara rec. failure data for pressure relief valves (Yara Green Rule)
Safety relief valves | Failure mode | λDU [yr-1]
Yara recommended | Fail to operate on demand | 0.014

11.10 Overview of spurious trip rate for some safety related functions

The table in this chapter shows safety integrity and spurious trip frequency for the most commonly used components in instrumented safety functions.
Table 53 Frequency of spurious shutdowns
Component / function | Structure | Frequency of spurious shutdowns [yr-1]
Safety relief valve | Single | 0.009
Safety relief valve | Double 1oo2 | 0.018
Pressure switch | Single | 0.025
Pressure switch | 2oo3 | Negligible
Pressure transmitter | Single | 0.005
Pressure transmitter | 2oo3 | Negligible
Level transmitter | Single | 0.01
Level transmitter | 2oo3 | Negligible
Flow transmitter | Single | 0.014
Fire and gas / toxic gas detection | Single | 0.03
Fire and gas / toxic gas detection | 2oo2 | Negligible
Logic unit | Hardwired | 0.06
Logic unit | PLC, single | 0.06
Logic unit | PLC, fail safe | Negligible
Shut off valve | Single | 0.02
Shut off valve | DBB | 0.04

12 Leakage data relevant for risk analyses

TNO data
The table below shows leakage data used by [TNO] in quantitative risk analyses for Yara.
Table 54 Leakage frequency data used by TNO
Component | Failure mode | Failure frequency
1. Pressure vessels | Break | 5 x 10-7 yr-1
1. Pressure vessels | Leakage, D = 10 mm | 1 x 10-5 yr-1
1. Pressure vessels | Discharged in 10 minutes | 5 x 10-7 yr-1
2. Heat exchangers | Instantaneous rupture | 5 x 10-5 yr-1
2. Heat exchangers | Discharged in 10 minutes | 5 x 10-5 yr-1
2. Heat exchangers | Leakage, D = 10 mm | 1 x 10-3 yr-1
2. Heat exchangers | Failure in one tube | 1 x 10-3 yr-1
2. Heat exchangers | Coincident failure in 10 tubes | 1 x 10-5 yr-1
3. Bullet tank | Relief of safety valve | 2 x 10-5 yr-1
3. Bullet tank | Catastrophic failure, instantaneous discharge | 5 x 10-7 yr-1
3. Bullet tank | Catastrophic failure, discharged in 10 minutes | 5 x 10-7 yr-1
3. Bullet tank | Leakage, D = 10 mm | 1 x 10-5 yr-1
4. Refrigerated tanks | Total failure of inner + outer tank | 5 x 10-7 yr-1
4. Refrigerated tanks | Total failure of inner tank | 5 x 10-7 yr-1
4. Refrigerated tanks | Discharged in 10 minutes to atmosphere | 5 x 10-7 yr-1
4. Refrigerated tanks | Discharged in 10 minutes from inner tank | 5 x 10-7 yr-1
4. Refrigerated tanks | Leakage, D = 10 mm from inner tank | 1 x 10-4 yr-1
5. Rail tankers and loading / unloading arms in an establishment | Catastrophic failure of rail tankers | 5 x 10-7 hr-1
5. Rail tankers and loading / unloading arms in an establishment | Load / unload hose, break | 4 x 10-6 hr-1
5. Rail tankers and loading / unloading arms in an establishment | Load / unload hose, leakage (hole D = 0.1 hose D) | 4 x 10-5 hr-1
5. Rail tankers and loading / unloading arms in an establishment | Load / unload arm road tanker, break | 3 x 10-8 hr-1
5. Rail tankers and loading / unloading arms in an establishment | Load / unload arm road tanker, leakage (hole D = 0.1 arm D) | 3 x 10-7 hr-1
5. Rail tankers and loading / unloading arms in an establishment | Load / unload arm ship, break | 3 x 10-8 hr-1
5. Rail tankers and loading / unloading arms in an establishment | Load / unload arm ship, leakage (hole D = 0.1 arm D) | 3 x 10-7 hr-1
6. Pipelines, a) pipe D < 75 mm | Break | 1 x 10-6 yr-1 m-1
6. Pipelines, a) pipe D < 75 mm | Leakage (hole D = 0.1 pipe D) | 5 x 10-6 yr-1 m-1
6. Pipelines, b) pipe D 75-150 mm | Break | 3 x 10-7 yr-1 m-1
6. Pipelines, b) pipe D 75-150 mm | Leakage (hole D = 0.1 pipe D) | 2 x 10-6 yr-1 m-1
6. Pipelines, c) pipe D > 150 mm | Break | 1 x 10-7 yr-1 m-1
6. Pipelines, c) pipe D > 150 mm | Leakage (hole D = 0.1 pipe D) | 5 x 10-7 yr-1 m-1

Hydro Agri data for leakage frequencies

The table below shows leakage data used by Hydro Agri in quantitative risk analysis.
Table 55 Leakage frequency data used by Hydro Agri [Handbook of Safety Risk Analysis]
Component | Failure mode | Failure rate [yr-1] | Error factor | Comments
Piping (incl. flanges / elbows), average diameter | Minor leakage | 3 x 10-5 /m | 10 | D < 200 mm: divide by 3; D < 75 mm: multiply by 3
Piping (incl. flanges / elbows), average diameter | Major leakage | 6 x 10-6 /m | 10 |
Piping (incl. flanges / elbows), average diameter | Rupture | 3 x 10-7 /m | 10 |
Pipelines (transport), average diameter | Minor leakage | 2 x 10-6 /m | 10 | D < 200 mm: divide by 3; D < 75 mm: multiply by 3; without protection: multiply by 5
Pipelines (transport), average diameter | Major leakage | 6 x 10-7 /m | 10 |
Pipelines (transport), average diameter | Rupture | 2 x 10-8 /m | 10 |
Pumps | External: minor leakage | 6 x 10-3 | 10 | Higher values for stand-by pumps
Pumps | External: major leakage | 2 x 10-4 | 10 |
Pumps | External: rupture | 2 x 10-5 | 10 |
Compressors | External: minor leakage | 3 x 10-3 | |
Compressors | External: major leakage | 3 x 10-4 | |
Compressors | External: rupture | 3 x 10-5 | |
Valves, automatic shutoff including flanges | Fail to close | 0.05 | | Fail to close on demand: 5 x 10-4
Valves, automatic shutoff including flanges | Fail to open | 0.05 | |
Valves, automatic shutoff including flanges | Internal: minor leakage | 0.04 | 5 | 5% flow
Valves, automatic shutoff including flanges | Internal: major leakage | 0.02 | 5 | 50% flow
Valves, automatic shutoff including flanges | External: minor leakage | 0.001 | 10 |
Valves, automatic shutoff including flanges | External: major leakage | 1 x 10-4 | 10 |
Valves, automatic shutoff including flanges | External: rupture | 1 x 10-5 | 10 |
Valves, check / non return including flanges | Fail to close | 4 x 10-3 | 5 | Fail to close on demand: 2 x 10-4
Valves, check / non return including flanges | Internal leakage | 0.02 | 5 | 5% flow
Valves, check / non return including flanges | External: minor leakage | 0.001 | 10 |
Valves, check / non return including flanges | External: major leakage | 1 x 10-4 | 10 |
Valves, check / non return including flanges | External: rupture | 1 x 10-5 | 10 |
Valves, control / regulation inclusive actuator, command unit, monitoring and flanges | Critical (incl. fail to operate, plugged, internal leakage) | 0.1 | 5 |
Valves, control / regulation inclusive actuator, command unit, monitoring and flanges | Fail to operate | 0.05 | |
Valve, safety (relief), spring loaded inclusive flanges | External: minor leakage | 0.001 | 10 |
Valve, safety (relief), spring loaded inclusive flanges | External: major leakage | 1 x 10-4 | 10 |
Valve, safety (relief), spring loaded inclusive flanges | External: rupture | 1 x 10-5 | 10 |
Valve, safety (relief), spring loaded inclusive flanges | Internal: leakage | 0.8 | 5 |
Valve, safety (relief), spring loaded inclusive flanges | Internal: major leakage | 0.02 | 10 |
Valve, safety (relief), pilot operated inclusive flanges | External: minor leakage | 0.001 | 10 |
Valve, safety (relief), pilot operated inclusive flanges | External: major leakage | 1 x 10-4 | 10 |
Valve, safety (relief), pilot operated inclusive flanges | External: rupture | 1 x 10-5 | 10 |
Valve, safety (relief), pilot operated inclusive flanges | Internal leakage | 0.02 | 5 |
Vessel, pressure vessel | External: minor leakage | 0.001 | 10 |
Vessel, pressure vessel | External: major leakage | 1 x 10-4 | 10 |
Vessel, pressure vessel | External: rupture | 1 x 10-5 | 10 |
Atmospheric storage tanks | Minor leakage | 1 x 10-3 | 10 |
Atmospheric storage tanks | Major leakage | 1 x 10-5 | 10 |
Atmospheric storage tanks | Rupture | 2 x 10-6 | 10 |
Double-walled tank | Minor leakage | 2 x 10-3 | 10 |
Double-walled tank | Major leakage | 5 x 10-5 | 10 |
Double-walled tank | Rupture | 6 x 10-6 | 10 |
Double-walled tank | Rupture of inner and outer tank | 1 x 10-6 | 10 |

13 Human reliability

There is a considerable number of methods of varying complexity for evaluating and estimating the impact of human errors. The method presented below is the HEART model. The method starts from the data given in Table 56 below, which can be modified by choosing from the set of error-producing conditions given in Table 57 below. The modification factor for each condition is calculated as:
V(M-1)+1
where M is the multiplier found in Table 57, and V is a factor describing to what degree the error-producing condition is present, 0<V<1.
It is possible to apply error-producing conditions that contradict the task description, e.g. condition 1 to task G. Only conditions that are undoubtedly present should be accounted for, and care must also be taken not to double-count unfavourable factors. If more than one task description is applicable, the less probable must be chosen. If the resulting probability is larger than 1, it is set equal to 1.
Table 56 Starting values in the HEART method
Generic task | Proposed nominal human failure probability | Lower and upper 5th percentile bounds
(A) Totally unfamiliar, performed at speed with no real idea of likely consequences | 0.55 | 0.35 - 0.97
(B) Shift or restore system to a new or original state at a single attempt without supervision or procedures | 0.26 | 0.14 - 0.42
(C) Complex task requiring high level of comprehension and skill | 0.16 | 0.12 - 0.28
(D) Fairly simple task performed rapidly or given scant attention | 0.09 | 0.06 - 0.13
(E) Routine, highly-practised, rapid task involving relatively low level of skill | 0.02 | 0.007 - 0.045
(F) Restore or shift a system to original or new state following procedures, with some checking | 0.003 | 0.0008 - 0.007
(G) Completely familiar, well-designed, highly-practised, routine task occurring several times per hour, performed to highest possible standards by highly-motivated, highly trained and experienced person, totally aware of implications of failure, with time to correct potential error, but without the benefit of significant job aids | 0.0004 | 0.00008 - 0.009
(H) Respond correctly to system command even when there is an automated supervisory system providing accurate interpretation of system state | 0.00002 | 0.000006 - 0.0009
(M) Miscellaneous tasks for which no description can be found | 0.03 | 0.008 - 0.11

Table 57 Condition factors in the HEART method
Error-producing condition | Max. predicted amount by which unreliability might change going from good conditions to bad
1. Unfamiliarity with a situation which is potentially important but which only occurs infrequently or which is novel | x 17
2. A shortage of time available for error detection and correction | x 11
3. A low signal-noise ratio | x 10
4. A means of suppressing or overriding information or features which is easily accessible | x 9
5. No means of conveying spatial and functional information to operators in a form which they can readily assimilate | x 8
6. A mismatch between an operator's model of the system and that imagined by a designer | x 8
7. No obvious means of reversing an unintended action | x 8
8. A channel capacity overload, particularly one caused by simultaneous presentation of non-redundant information | x 6
9. A need to unlearn a technique and apply one which requires the application of an opposing philosophy | x 6
10. The need to transfer specific knowledge from task to task without loss | x 5.5
11. Ambiguity in the required performance standards | x 5
12. A mismatch between perceived and real risk | x 4
13. Poor, ambiguous or ill-matched system feedback | x 4
14. No clear direct and timely confirmation of an intended action from the portion of the system over which control is to be exerted | x 4
15. Operator inexperience (e.g. a newly qualified tradesman, but not an "expert") | x 3
16. An impoverished quality of information conveyed by procedures and person/person interaction | x 3
17. Little or no independent checking or testing of output | x 3
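The HEART calculation described at the start of this chapter, carried through with the nominal values of Table 56 and the multipliers of Table 57, as an added example that is not part of the handbook. The task chosen, the error-producing conditions applied and their assessed proportions of effect V are constructed for illustration.

```python
"""HEART human error probability (HEP) from the handbook's tables.

Added example, not from the Yara handbook. The nominal HEPs are Table 56 and
the EPC multipliers are Table 57; the task, the chosen EPCs and the assessed
proportions of effect V are constructed for illustration.
"""
from typing import Dict

# Table 56: proposed nominal HEP per generic task
NOMINAL_HEP = {
    "A": 0.55, "B": 0.26, "C": 0.16, "D": 0.09, "E": 0.02,
    "F": 0.003, "G": 0.0004, "H": 0.00002, "M": 0.03,
}

# Table 57: maximum multiplier M per error-producing condition (EPC)
EPC_MULTIPLIER = {
    1: 17, 2: 11, 3: 10, 4: 9, 5: 8, 6: 8, 7: 8, 8: 6, 9: 6,
    10: 5.5, 11: 5, 12: 4, 13: 4, 14: 4, 15: 3, 16: 3, 17: 3,
}


def modification_factor(epc: int, v: float) -> float:
    """Handbook formula V(M-1)+1, with V in [0, 1] describing to what degree
    the condition is present (V = 0 leaves the HEP unchanged, V = 1 applies M)."""
    if not 0.0 <= v <= 1.0:
        raise ValueError("V must lie between 0 and 1")
    return v * (EPC_MULTIPLIER[epc] - 1) + 1


def heart_hep(task: str, epcs: Dict[int, float]) -> float:
    """Nominal HEP multiplied by one factor per applied EPC, capped at 1.
    Keying the EPCs by number makes double-counting one condition impossible."""
    hep = NOMINAL_HEP[task]
    for epc, v in epcs.items():
        hep *= modification_factor(epc, v)
    return min(hep, 1.0)


def heart_breakdown(task: str, epcs: Dict[int, float]) -> Dict[str, float]:
    """Same result with the individual factors listed, for documenting the assessment."""
    factors = {f"EPC {epc}": modification_factor(epc, v) for epc, v in epcs.items()}
    return {"nominal": NOMINAL_HEP[task], **factors, "hep": heart_hep(task, epcs)}


if __name__ == "__main__":
    # Constructed case: restore a system following procedures with some checking (task F)
    # under a time shortage judged half present (EPC 2, V = 0.5) by an inexperienced operator (EPC 15, V = 1)
    print(heart_breakdown("F", {2: 0.5, 15: 1.0}))
    # Unfamiliar task at speed with full unfamiliarity: 0.55 x 17 exceeds 1 and is capped
    print(heart_breakdown("A", {1: 1.0}))
```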

General guidelines for prediction of human unreliability

General guidelines for human error rates are presented in the table below. It must be emphasized that these are broad guidelines. In any particular situation the human-response reliability will be governed by a number of shaping factors, which include:
 Environmental factors
o Physical
o Organizational
o Personal
 Intrinsic error
o Selection of individuals
o Training
o Experience
 Stress factors
o Personal
o Circumstantial

Table 58 Human error probabilities [Smith 1999]
(Smith groups the tasks into read/reason tasks, physical operations and everyday yardsticks.)

Task description | Error rate (per task)

Simplest possible task
Fail to respond to annunciator | 0.00001
Overfill bath | 0.00001
Fail to isolate supply (elec. work) | 0.0001
Read single alphanumeric wrongly | 0.0002
Read five-letter word with good resolution wrongly | 0.0003
Select wrong switch (with mimic diagram) | 0.0005
Fail to notice major crossroads | 0.0005

Routine simple task
Read a checklist or digital display wrongly | 0.001
Set switch (multi-position) wrongly | 0.001
Calibrate dial by potentiometer wrongly | 0.002
Check for wrong indication in an array | 0.003
Wrongly carry out visual inspection for defined criterion (e.g. leak) | 0.003
Fail to correctly replace printed circuit board | 0.004
Select wrong switch among similar | 0.005
Read analogue indicator wrongly | 0.005
Read ten-digit number wrongly | 0.006
Leave light on | 0.003

Routine task with care needed
Mate a connector wrongly | 0.01
Fail to reset valve after some related task | 0.01
Record information or read graph wrongly | 0.01
Let milk boil over | 0.01
Type or punch character wrongly | 0.01
Do simple arithmetic wrongly | 0.01-0.03
Wrong selection - vending machine | 0.02
Wrongly replace a detailed part | 0.02
Do simple algebra wrongly | 0.02
Read five-letter word with poor resolution wrongly | 0.03
Put 10 digits into calculator wrongly | 0.05
Dial 10 digits wrongly | 0.06

Complicated non-routine task
Fail to notice adverse indication when reaching for wrong switch or item | 0.1
Fail to recognise incorrect status in roving inspection | 0.1
New work-shift - fail to check hardware, unless specified | 0.1
General (high stress) | 0.25
Fail to notice wrong position of valves | 0.5
Fail to act correctly after 1 min in emergency situation | 0.9

Yara recommended data for human failures for process tasks are shown in Table 59 below.


Table 59 Yara recommended data for human failures for process tasks (Yara Green Rule)

Operation/task | Failure probability [per operation] / failure frequency [per yr]
Alarms
- React on process alarm during normal operation | 0.05
- React on process alarm during process upset, alarm avalanche | 0.25
- React on process alarm in emergency situation, alarm avalanche | 0.25
- React on plant or site alarm/siren in emergency situation | 0.025
Pump start
- Starting against closed valve and forgetting to open the valve | 0.05
Valve operation (open/close)
- In control room | 0.02
- Manual valve in the plant | 0.02
New work-shift
- Check of equipment, unless specified | 0.1
Stress, emergency situations
- General | 0.25
- After 1 min in emergency situation | 0.9


14 Risk reduction

14.1 Inherent safety
Application of the inherent safety concept is the most important risk reduction effort. The inherent safety concept is to reduce the hazard of complex systems by asking:
- Can less hazardous raw materials and intermediates be used?
- Can quantities of hazardous materials be reduced?
- Can equipment be optimised to increase safety?
The common inherent safety guidewords are listed in the table below.

Table 60 Inherent safety guidewords
Guideword | Meaning
substitute | substituting less hazardous materials or processes wherever possible
minimise | minimising the amount of hazardous material in use
moderate | moderating the process conditions of the hazardous material
simplify | simplifying the equipment and the processes that are used

14.2 Risk reducing measures


In order to achieve an acceptable level of safety, different safety measures are applied. The different kinds of safety measures are listed in the table below.

Table 61 Risk reducing measures
No. | Safety measure | Description
 | Preventive Safety Barriers | Preventing the occurrence of accidents.
1 | Alarms | Local or in control rooms, announcing that process parameters such as pressures and temperatures exceed defined limits.
2 | Instrument based safety functions | Automatic stop of the process if process parameters such as pressures and temperatures exceed defined limits.
3 | Monitoring of raw materials and additive streams | Programmes for measuring raw materials and additive streams to ascertain that concentrations and pollutions are not jeopardizing the stability of the materials.
 | Mitigating Safety Barriers | Mitigating the consequences when accidents happen.
4 | Safety valves | Valves removing substances from processes or storage tanks in case of upsets in order to keep pressures below safe limits.
5 | Designing for accidental load | Critical structures and buildings in or near the process area are designed to withstand blast pressures of explosions up to defined levels, based on risk analyses, identified explosion scenarios or industrial standards.
6 | Fire protection | Passive and active fire protection. Fire cells.
7 | Detection of developing accident | Detectors for gas, smoke and fire, for early warning of releases or discharges. The shut down can be either automatic or manual.
8 | Sectioning | Measures to limit the extent of an accident, such as firewalls and shut-off valves.
9 | Flaring, draining | Measures to remove dangerous substances from the process in case of an accident.
10 | Bunds, dikes | Equipment to collect spills from processes and storages.
11 | Safety distances | Distances to people and process equipment with potential of domino effects.
 | Design Measures |
12 | Internal standards | Standards for design, operation and maintenance of the processes.
13 | External standards | International standards for design of processes, safety systems and work processes. ISO certification is an example.
14 | Best practice systems | Practices throughout the company are discussed to identify the best.
 | Maintenance to uphold Safety Integrity |
15 | Inspection | Inspection is carried out to ascertain the safety margin of equipment such as piping, vessels, structures, lifting equipment and transport systems such as conveyor belts.
16 | Proof testing | Testing that the safety functions are working as specified is carried out periodically.
 | Accident Response |
17 | Emergency response | Plans for intervening when incidents and accidents happen. Scenarios are defined and drilled.
18 | Community response | Plans for communicating with, helping and getting help from society when large incidents and accidents happen.
 | Safe Work Practice |
19 | Signs | The quality of signs and tagging of equipment influences the safety level.
20 | Procedures | Procedures for safety critical tasks.
21 | Rules for personnel protection | Rules for personal protective equipment and for entering process areas and tanks.
22 | Work permit systems | Systems for work in the process and storage area, defining scope of work, assessing risk, communicating and agreeing on work progress and safety measures, and coordinating activities to maximise safety.
23 | Safe job analysis | Structuring work in process areas into safe steps.

14.3 Definition of layers
An Independent Protection Layer (IPL) is a device, system or action that is capable of preventing a scenario from proceeding to the undesired consequence. In the figure below the general independent protection layers are given for a chemical reactor. The layers below the process drawing are preventive measures. These measures are aimed at the prevention of a LOC. In terms of risk such a measure is considered to reduce the probability of a LOC. The layers above the process drawing are mitigating measures. These measures are aimed at minimising the consequences. In terms of risk, a mitigating measure is considered to reduce the effect.

Figure 37 Preventive and mitigating measures (layers around the process drawing; mitigating measures, outermost first: community emergency response; plant emergency response; post release physical protection (walls, dikes); physical protection (relief devices, PRV). Preventive measures: process design; BPCS, operator supervision; alarms and human intervention; safety instrumented functions (SIS))


The characteristics of the independent protection layers are that each protection layer:
- is totally independent of other safety layers (however, in some cases there is always the possibility of a common failure mode),
- is not affected ('compromised') by failure of other layers,
- must have an acceptable reliability,
- must be approved according to company policy and procedures,
- must meet proper equipment classification,
- must be a non-control alternative (i.e. chemical, mechanical),
- may require diverse hardware and software packages, and
- may be an administrative procedure.
To prevent the occurrence of a scenario (or the consequences of an initiating event) only one layer of protection is required. The essence of LOPA is based on the fact that both preventive and mitigating measures have a probability of failure on demand (PFD). The primary purpose of LOPA is to determine if there are sufficient layers of protection against the scenario to balance the safety measures with the required safety levels. If insufficient safety measures are present, additional layers may be added. Or, the other way around, if too many layers are present, layers may be deleted (safety critical equipment or instrumentation). For a scenario to occur, all IPLs should fail.
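A LOPA check of one scenario, written here as an added example (it is not code from the Handbook): the initiating event frequency, the relief valve PFD and the target frequency are constructed values; the operator-response PFDs are the Yara Green Rule values from Table 59 (0.05 during normal operation, 0.25 during an upset with alarm avalanche), and the SIL bands are the IEC 61508 low-demand PFD ranges.

```python
"""LOPA arithmetic for a single scenario (added example, not Handbook code).

Every independent protection layer (IPL) has a probability of failure on
demand (PFD); the scenario reaches its consequence only when all IPLs fail,
so the mitigated frequency is the initiating event frequency multiplied by
the PFDs of all credited layers.
"""

# IEC 61508 low-demand SIL bands: SIL -> (lower PFD inclusive, upper PFD exclusive)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

# Yara Green Rule values, Table 59 (failure probability per operation)
OPERATOR_ALARM_NORMAL = 0.05   # react on process alarm during normal operation
OPERATOR_ALARM_UPSET = 0.25    # react on process alarm during upset, alarm avalanche


def mitigated_frequency(initiating_freq, ipl_pfds):
    """Frequency (per year) at which the scenario reaches its consequence."""
    freq = initiating_freq
    for pfd in ipl_pfds:
        if not 0.0 <= pfd <= 1.0:
            raise ValueError("PFD must lie in [0, 1]")
        freq *= pfd
    return freq


def required_sif_pfd(initiating_freq, ipl_pfds, target_freq):
    """PFD an additional layer (for instance a SIF) must achieve so that the
    mitigated frequency meets the target; None when the existing layers
    already meet it (then adding a layer is not required)."""
    freq = mitigated_frequency(initiating_freq, ipl_pfds)
    if freq <= target_freq:
        return None
    return target_freq / freq


def sil_for_pfd(pfd):
    """SIL whose PFD band contains pfd: 0 when no SIL is needed (pfd >= 0.1),
    None when the PFD is below the SIL 4 band (no single SIF is credited that far)."""
    if pfd >= 1e-1:
        return 0
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


def lopa_scenario(initiating_freq, ipl_pfds, target_freq):
    """Summary of one scenario: mitigated frequency, whether the target is met,
    and the PFD / SIL a new layer would need."""
    freq = mitigated_frequency(initiating_freq, ipl_pfds)
    need = required_sif_pfd(initiating_freq, ipl_pfds, target_freq)
    return {
        "mitigated_freq": freq,
        "meets_target": need is None,
        "required_sif_pfd": need,
        "required_sil": None if need is None else sil_for_pfd(need),
    }


if __name__ == "__main__":
    # Constructed scenario: high level in a vessel, initiating event 0.1 per year.
    # Credited IPLs: operator response to the level alarm, and a relief valve (PFD 0.01).
    # Target 1e-6 per year is a placeholder, not a Yara acceptance criterion.
    for label, op_pfd in (("normal operation", OPERATOR_ALARM_NORMAL),
                          ("upset, alarm avalanche", OPERATOR_ALARM_UPSET)):
        print(label, lopa_scenario(0.1, [op_pfd, 0.01], 1e-6))
```

The same scenario needs a SIL 1 function when the operator is credited at the normal-operation value and a SIL 2 function when the upset value applies, which is why the operating situation assumed for the alarm layer matters.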


14.4 Safety functions
In order to control the safety risk, a process plant has several protection layers, normally comprising:
- Safety related functions and alarms implemented in the process control system
- The PSD (Process Shut Down) system
- The relief devices, or physical protection
- Flaring and blow-down
- The post-release systems, the ESD (Emergency Shut Down) system and devices such as fire walls, dikes and bunds
- Plant emergency response
- Community emergency response
In principle the protection can be taken care of by preventive or mitigating barriers, as indicated in the figure below. The preventive process safety barriers, which consist of PSD and relief devices, shall prevent incidents and accidents from happening. The mitigating barriers shall mitigate the consequences if an accident occurs. The mitigating measures are such as emergency shutdown, gas detection systems, deluge systems, sprinkler systems, fire curtains, dikes, etc.

Figure 38 Bow tie diagram for safety barriers (from left to right: CAUSES, the frequency reducing (preventive) barriers, the ADVERSE EVENT, the consequence reducing (mitigating) barriers, and the CONSEQUENCES)


By the concept safety functions is meant the safety related functions implemented in the following systems:
- PSD
- Relief devices
- ESD
The PSD systems again consist of:
- Sensor(s)
- Logic unit
- Final element(s)
The ESD systems can be fully automatic, or based on manual interaction, where
fully automatic systems consist of:
- Sensor(s)
- Logic unit
- Final element(s) such as consequence reducing (sectioning) valves, active fire fighting equipment etc.
and systems with manual interaction consist of:
- Sensor(s)
- Logic unit with alarm
- Devices for manual shut down initiation, i.e. push buttons or operator stations
- Final element(s) such as consequence reducing (sectioning) valves, active fire fighting equipment operated manually or automatically after shut down initiation
In the figures below are shown other possible interactions between the
- process conditions
  - operation
  - stop
- process incidents and accidents such as
  - loss of containment
  - functional failure of equipment (loss of function)
- and actions by the safety functions:
  - detection and
  - shut down
Spurious operation of safety functions causes a stop of the process. These situations are shown as the upper arc of the figures. The legend of the figures is moreover shown in the frame below.


Abbreviation | Description
NOP | Normal OPeration
LOC FLAM | Loss Of Containment of FLAMmable material
LOC TOXIC | Loss Of Containment of TOXIC substance
LOF | Loss Of Function, i.e. flow, temperature, pressure etc. outside shut down limits
DET GAS | DETection (automatic) of flammable GAS release
DET FIRE | DETection of FIRE (automatic)
OBS | OBServation of fire (manual)
SD | Shut Down
STOP 1 | STOP after LOC or LOF, with the consequence: production loss
STOP 2 | STOP after FIRE, OUT OF CONTROL or BURST, with the consequences: damage to equipment, considerable production loss
STOP 3 | STOP after EXPLosion or Loss Of Containment of TOXIC substance, with the consequences: injury, environmental damage, major damage to equipment, lasting production loss

Symbols used in the figures:
- Process state, normal operation (NOP) or loss of function (LOF)
- Unwanted state: fire, out of control, material burst, explosion, stop
- Action by a safety related system: fire or gas detection, PSD, ESD
- Safety action by process operator


In the figure below is shown the interaction between the process and a PSD function. There is no relief valve in this case. Normal operation is the wanted process state; loss of function (LOF) for some process equipment is unwanted, but it can happen. When the PSD is functioning according to the requirements, a LOF will cause a production stop, STOP 1. The PSD can also have a LOF (LOF PSD, upper arc) and cause a spurious stop of the process, as indicated by the upper path in the drawing. These failures in the safety system are called safe failures.
If the PSD function has a dangerous failure when the process has a LOF, the situation will be out of control, equipment will possibly be damaged, and a bigger production loss, STOP 2, will also be a result. The difference in the consequences of STOP 1 and STOP 2 is decisive for the demands we make on the performance of the PSD functions. The consequences when STOP 2 occurs are the unfortunate realisation of the process inherent risk for people, assets, product quality and production continuity. The risk for people must be according to the acceptance criteria. For material values and production, the consequences and the frequencies at which these consequences materialise should be kept at a minimum, but not at any cost.

Figure 39 Interaction between the process and a PSD function
In the next figure below is a similar scenario for the interaction between the process and a pressure relief device. In this case the process is not equipped with any PSD function. The loss of function will here result in a pressure increase, which can be the cause of a material burst if the relief device is not functioning.


Figure 40 Interaction between the process and a pressure relief device

For completeness it can be mentioned that in case of high pressure there normally is an interaction between process control, PSD and the relief valve, as shown in the figure below.

Figure 41 Interaction between process control, PSD and the relief valve (pressure axis, from high to low: hydraulic test pressure; relief valve setting; PSD (process shut down, here a PZ); PIAH (Pressures Indication an; normal pressure area, normal operating range)
In the next figure is depicted a situation with release of toxic material. Human injury is here a possible consequence of the state STOP 3.


Figure 42 Interactions of safety functions in case of release of toxic material

In the next figure a situation with a release of flammable substance and its possible consequences is shown.

Figure 43 Interaction of safety functions in case of a release of flammable substance (states shown: NOP, LOC FLAM, FIRE, EXPL; actions: DET GAS, DET FIRE, OBS, ESD; end states: STOP 1, STOP 2, STOP 3)


14.5 Life-cycle activities

The safety life-cycle is the set of necessary activities involved in the implementation of safety related systems, occurring during a period of time that starts at the concept phase of a project and finishes when the safety related systems are no longer available for use. The standards IEC 61508 / 61511 emphasise the life-cycle aspects. The table below shows a life-cycle overview for safety functions.

Table 62 Life-cycle activities, overview for safety functions

Activity or phase for the plant or process equipment | Objective related to safety functions
Hazard and risk assessment | To determine the hazards of the process and auxiliary systems
Allocation of safety functions to protection layers | To allocate safety functions to the different protection layers, and for the safety functions the SIL
Safety requirement specification | To specify the safety requirements for each safety function
Design and engineering | To design to meet the requirements to functionality and integrity
Installation, commissioning and validation | To integrate and test the safety functions
Operation and maintenance | To ensure that the functional safety is maintained during operation and maintenance
Modification | To make corrections, enhancements or adaptations, ensuring that the required safety level is achieved and maintained
Decommissioning | To ensure the safety functions remain appropriate
Verification | To test and evaluate to ensure correctness in each life-cycle phase
Functional safety assessment | To investigate and judge the functionality

14.6 Invariable requirements to design of safety functions


Some invariable requirements to design, operation and maintenance of safety functions are:
- All components of new-designed safety functions shall be certified by an acknowledged body for use in the required SIL level.
- Single failures shall not endanger people, or represent major hazards for environment or equipment (the principle of two barriers). Examples are:
  - For flammable material: containment with safety margin (barrier) and a safety function protecting against fire (barrier) with detectors, alarm, extinguishing agent
  - For process upset: PSD system (barrier) and safety distances or structures designed for withstanding blast pressure and toxic gas penetration (barrier) to places where people are staying a substantial part of the time
- The state of overrides and hot work shall be easily accessible in the central control room
- The safety functions as well as the process control functions shall be designed according to the idle current principle (de-energized to shut down, 4-20 mA)
- The safety functions as well as the process control functions shall be designed according to the fail-to-safe principle.
- The ESD system shall, independently of other systems, be able to bring the process to a pre-defined state.
- For all safety related functions a maximum reaction time shall be defined.
- Safety related information shall be available in the central control room within 5 seconds of an accident, on screen or alarm panel.
- A time limitation shall be defined for degraded operation (2oo3 with failure degraded to 1oo1, one of two logic units operating)
- Repair time requirements shall be defined for equipment in safety functions that is bypassed / overridden during plant operation
- There shall be a design philosophy and guidance for the process operator interface
- For programming the following apply:
  - Only use programming based on logic diagrams and effect matrices
  - Program only with the delivered safety engineering tool
  - Avoid instruction lists / mnemonics
  - Use proven in-house or pre-tested function blocks. Maintain a library of such blocks
  - Test the restart after power failure in all operating modes

14.7 Principles for increasing reliability of safety systems


Fault intolerance
By fault intolerance is meant that the safety functions are designed to avoid failures: by selection of materials to withstand the negative effects of the environment and the process substances, by safety margins, and generally by exploiting the knowledge of failure mechanisms. In addition the environment and utilities must give adequate conditions, i.e. avoidance of vibration, dust, corrosive substances, temperature and electrical upsets.
Best practice, feedback of experience through the maintenance system
In design and maintenance of equipment for safety functions the best practice for the actual application shall be utilised. Only equipment that is well proven in the actual application shall be used. If this is not the case, a study of suitability and reliability must be carried out. To make weaknesses of safety related equipment visible, the failures that happen shall be recorded in the maintenance system. Experiences with repair and other maintenance jobs should also be recorded.
Fail-safe design
The fail-safe design shall be utilised, implying:
- Spring return bringing valves to the safe position, end position or locking
- Normally energised state on other control elements
- Active signal, i.e. signal shut off in shut down situations
- Idle current for on / off signals, normally pressurised hydraulic and air supply
- Signal to safe state on loss of power in logic units
Fault tolerance
By fault tolerance is meant that the safety systems are so designed that a failure in equipment does not necessarily cause failure of the safety function. This is normally achieved by:
- Redundancy to increase safety compared to single (1oo1 = 1 out of 1) safety functions, where the most common structures are
  - 1oo2 (1 out of 2) systems
  - 1oo3 systems
  - 2oo3 majority voting systems
  - 2oo2 systems. In this case there must be precise monitoring of the equipment to achieve a high diagnostic coverage, 99%, as explained in the section Monitoring and diagnosis below
- Redundancy to increase production regularity compared to single safety functions, usually
  - 2oo2 systems
  - 2oo3 systems
- Diversity in the redundant channels to reduce the probability of common mode failures
- Built-in failure detection and isolation of faulty equipment, used in logic systems
Hence, redundancy is applied to decrease fail-to-danger and fail-to-safe failures. A 1oo2 structure has a higher frequency of fail-to-safe failures than a single loop; a 2oo2 structure has a higher frequency of fail-to-danger failures than a single loop, whereas a 2oo3 structure is better than a single loop both with regard to safety and regularity.
Common cause and common mode failure avoidance
In redundant safety functions, there is a probability that two or more redundant channels fail due to the same cause or in the same manner (mode). These failures are called common cause or common mode failures. Examples of common causes are impact, vibration, abrasion and installation failures. Potential common mode failures can be caused by components containing identical manufacturing faults, by components maintained by the same engineer, and by components having the same power source. Common mode failures can be revealed by monitoring and automatic failure detection of the safety function. Diversity is also a principle applied to reduce the occurrence of common mode failures. Diversity means that equipment of different technology or functional principle is applied. Examples are the use of a relief valve and a PZH function to protect against overloading of an evaporator, the use of pressure sensors of different make, or the use of different sensing principles in TZH functions.
Monitoring and diagnosis
In order to reduce the probability of failure in a safety system, it is important to detect failures that may occur, and to repair them as soon as possible. The detection can be
- manual monitoring (e.g. comparison of measurements)
- condition monitoring (instrumentation for measuring the equipment condition, such as shaft displacement or bearing temperature)
- built-in tests of safety devices equipped with microprocessors. This can be watchdogs monitoring program cycle times, or more advanced program modules supervising and testing the operation of control and safety related software and hardware. For example, in fail-safe logic systems, redundant units check each other, and if a failure is detected in one module, this module is shut down and the system continues to run for a pre-defined time before the whole logic system and the process are shut down.


For logic units the concept diagnostic coverage is used, meaning the fraction of failures detected. The following is an indication of low, medium and high diagnostic coverage for logic units:
- Low: 60% of failures are detected, corresponding to
  - a single PLC with a watchdog (WD) and fail-safe I/O
  - a solid state or relay based system utilising the fail-safe principle by idle current, normally closed contacts and logic, which initiate shut down in case of power loss.
- Medium: 90% of failures detected, corresponding to an acknowledged PLC with enhanced self test
- High: 99% of failures detected, corresponding to an acknowledged fail-safe PLC with enhanced self test, evaluated by an independent organisation

Use of A and B components

The standard IEC 61508 has recommendations for the use of A and B components in safety related systems. These are characterized by:
Type A components
- Well proven in the actual application
- Single function components with simple, well defined failure modes
- Failure behaviour can be completely determined
- Sufficient failure data available
Type B components
- Not well proven in the application
- Multi function components with possible complex failure modes where one or more failure modes are not well defined
- Behaviour of failures is not completely determined
- Availability of failure data is insufficient
The implication of this with regard to use in different SIL levels is shown in the table below. In the left part of the table are shown four requirements. To the right is shown on which SIL level the requirements apply. For example: the statement "All safety critical failures to be detected by proof test" applies to both A and B components on SIL 1, 2 and 3. Medium diagnostic coverage is required for B components on SIL 2 and for A and B components on SIL 3.

Table 63 Requirements to A and B components in safety functions (SIL achievable for a given hardware fault tolerance (HFT) and safe failure fraction (SFF))

Type A components
HFT | SFF < 60 % | SFF 60 - 90 % | SFF 90 - 99 % | SFF > 99 %
0 (1oo1, 2oo2) | SIL 1 | SIL 2 | SIL 3 | SIL 3
1 (1oo2, 2oo3) | SIL 2 | SIL 3 | SIL 4 | SIL 4
2 (1oo3, 2oo4) | SIL 3 | SIL 4 | SIL 4 | SIL 4

Type B components
HFT | SFF < 60 % | SFF 60 - 90 % | SFF 90 - 99 % | SFF > 99 %
0 (1oo1, 2oo2) | N/A | SIL 1 | SIL 2 | SIL 3
1 (1oo2, 2oo3) | SIL 1 | SIL 2 | SIL 3 | SIL 4
2 (1oo3, 2oo4) | SIL 2 | SIL 3 | SIL 4 | SIL 4


The table below shows different structures, degradation in case of failures, diagnosis and redundancy purposes (safety or availability).

Table 64 Structures of safety functions, degradation, diagnosis and redundancy
Legend: D: diagnostics, detection of dangerous failures; SD: shut down; NS: no safety function. Redundancy for safety (S) or availability (A). The source table gives the degradation on failure no. 1 and failure no. 2, for safe failures and for dangerous failures.

Structure | Redundancy for | Degraded structures and end states, in the order given in the source
1oo1 | | SD; NS
1oo2 | | SD; 1oo1; NS
1oo2D | S, A | SD; 1oo1D
1oo3 | | SD; 1oo2; NS D; 1oo1
2oo2 | | 1oo1
2oo2D | S, A | 1oo1D; NS D; NS D
2oo3 | S, A | 1oo2; 2oo2; NS D
2oo3D | S, A | 1oo2D; 2oo2 D; NS D
2oo4 | S, A | 1oo3; 2oo3; 2oo2; SD; NS; NS; NS

Requirements for plants with high level of safety integrity or regularity

For plants with a demand for a high level of safety integrity for instrument-based safety functions, the following additional requirements apply:
- Safety functions shall be separated from control functions. Exceptions are
  - redundant sensors used for SIF, where one sensor, or the median measurement value of the sensors, is also used for control
  - redundant valves where one is also used for control
- Pre-alarm for shutdown.
- Reset of safety functions.

These plants comprise ammonia plants, nitric acid plants, ammonium nitrate solution plants, urea plants, and gas power stations. In general, finished fertilizer plants are not considered to be of this category, except for the processing of ammonium nitrate, potassium nitrate and calcium nitrate materials.


Proof testing of SIS

By periodic proof testing the probability of dangerous undetected failures is reduced. The probability of failure after a test is called PTIF, where TIF means Test Independent Failure. The probability of failure in a safety function is at a minimum shortly after a function test, and at its maximum just before a function test, as shown for a 1oo1 structure in Figure 44 below.

Figure 44 Probability of failure vs. proof test interval for a 1oo1 structure (probability axis against time axis, with proof tests at T, 2T and 3T; the plot shows the probability of failure rising between tests, its average, and the probability of failure immediately after a proof test)

For the 1oo1 structure, the probability of failure on demand, PFD, is:

$$\mathrm{PFD} = P_{TIF} + \frac{1}{T}\int_{0}^{T} \lambda_{DU}\, t \, dt = P_{TIF} + \frac{1}{2}\,\lambda_{DU}\, T$$

Generally, for a koon structure where k < n:

$$\mathrm{PFD} = P_{TIF} + \frac{1}{T}\int_{0}^{T} \binom{n}{k} \left(\lambda_{DU}\, t\right)^{k} dt = P_{TIF} + \frac{n!}{(k+1)\,(n-k)!\,k!}\left(\lambda_{DU}\, T\right)^{k}$$

With common mode failures included (β being the common cause fraction of the dangerous undetected failure rate, beta-factor form):

$$\mathrm{PFD} = P_{TIF} + \frac{n!}{(k+1)\,(n-k)!\,k!}\left(\lambda_{DU}\, T\right)^{k} + \frac{1}{2}\,\beta\,\lambda_{DU}\, T$$
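The koon proof-test formula above, implemented as an added example (not the Handbook's own code); it also puts numbers on the fault-tolerance comparison in 14.7 (1oo2, 2oo2 and 2oo3 against a single loop). The reading assumed here is that k counts the channels whose dangerous undetected failure defeats the function (2 for a 1oo2 trip logic, 1 for 2oo2, 2 for 2oo3), and the same integral is applied at k = n as well, which reproduces the 1oo1 result; the failure rate, proof-test interval, PTIF and β values are constructed inputs.

```python
"""Average PFD of koon safety functions over a proof-test interval
(added example, not Handbook code).

Formula, as given in the Handbook:
    PFD = P_TIF + n!/((k+1) (n-k)! k!) * (lambda_DU*T)^k + beta*lambda_DU*T/2
Reading assumed here: k is the number of channels whose dangerous undetected
failure defeats the function. For an MooN trip logic (M of N channels must
call for a trip) that is k = N - M + 1. With k = n the binomial term is 1 and
the formula gives (lambda_DU*T)^n/(n+1), i.e. lambda_DU*T/2 for 1oo1.
"""
from math import comb


def failures_to_defeat(m_trip, n):
    """Dangerous channel failures needed to defeat an MooN voting (M of N trip)."""
    if not 1 <= m_trip <= n:
        raise ValueError("need 1 <= M <= N")
    return n - m_trip + 1


def pfd_avg(n, k, lam_du, test_interval, p_tif=0.0, beta=0.0):
    """Average probability of failure on demand over one proof-test interval.

    n, k           channels, and channels whose failure defeats the function
    lam_du         dangerous undetected failure rate per channel [1/h]
    test_interval  proof-test interval T [h]
    p_tif          test independent failure probability (residual after a test)
    beta           common cause fraction (beta-factor model); 0 omits the term
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    x = lam_du * test_interval                    # expected DU failures per channel per interval
    independent = comb(n, k) / (k + 1) * x ** k   # n!/((k+1)(n-k)!k!) (lambda_DU T)^k
    common_cause = 0.5 * beta * x                 # all channels lost by one cause
    return p_tif + independent + common_cause


def pfd_for_voting(voting, lam_du, test_interval, p_tif=0.0, beta=0.0):
    """voting written as 'MooN', e.g. '1oo2' or '2oo3'."""
    m, n = (int(part) for part in voting.lower().split("oo"))
    return pfd_avg(n, failures_to_defeat(m, n), lam_du, test_interval, p_tif, beta)


def max_test_interval(voting, lam_du, target_pfd, p_tif=0.0, beta=0.0,
                      step_h=24, limit_h=20 * 8760):
    """Longest proof-test interval (a multiple of step_h hours) whose average
    PFD stays within target_pfd. Returns None when even one step exceeds the
    target, for instance when p_tif alone is above it."""
    best = None
    t = step_h
    while t <= limit_h and pfd_for_voting(voting, lam_du, t, p_tif, beta) <= target_pfd:
        best = t
        t += step_h
    return best


if __name__ == "__main__":
    # constructed inputs: lambda_DU = 1e-6 per hour per channel, yearly proof test
    LAM, T = 1e-6, 8760
    for voting in ("1oo1", "1oo2", "2oo2", "2oo3"):
        print(voting, f"PFD = {pfd_for_voting(voting, LAM, T):.2e}")
    # common cause (beta = 0.1, constructed) dominates the redundant structures
    for voting in ("1oo2", "2oo3"):
        print(voting, f"with beta 0.1: PFD = {pfd_for_voting(voting, LAM, T, beta=0.1):.2e}")
    print("1oo1 interval keeping PFD <= 1e-3:", max_test_interval("1oo1", LAM, 1e-3), "h")
```

With these inputs 2oo2 doubles the single-loop PFD while 1oo2 and 2oo3 cut it by two orders of magnitude, and a β of 0.1 brings the redundant structures back to within a factor of ten of the single loop, which is the quantitative side of the diversity argument in 14.7.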
