Safety Assessment Techniques and Analysis

Failure Mode and Effects Analysis

Introduction

FMEA (Failure Mode and Effects Analysis) or FMECA (Failure Mode and Effects Criticality Analysis) is a methodical study of component failures. Each process component is listed on an FMEA tabulation sheet. For each component, the review team asks the questions "How could this component fail?" and "How does this failure affect the system?"

The FMEA is frequently quantitative, but it is often used qualitatively as a hazard analysis technique. It may be used instead of a HAZOP in certain cases, as it is more equipment-oriented and not as time-consuming. Ratings are assigned to each failure to reflect the severity and probability of the risks. These numerical results are used to evaluate which failure modes should be given further attention by the hazards review team.

Although FMEA involves assigning numbers for the hazard severity and probability of component failures, it is primarily a qualitative method. The final decision regarding the adequacy of process safeguards is a collective judgement by the review team. The method is easy to use but does not question the design basis of a project.

An FMEA study has the following objectives:
- Identify component and human failures that could cause or contribute to hazardous events.
- Develop an approximate ranking of these events based on severity of consequence and probability of occurrence.
- Identify component failures that could have multiple effects on the system (common mode failures).
- Evaluate the adequacy of process safeguards and recommend corrections for inadequacies.
- Identify hazards that may require Fault Tree Analysis.
- Document review findings to ensure continuity for future review teams.

FMEA is recommended for analysis of a small segment of a high-potential hazardous process, such as a reactor or distillation column, in contrast to an entire production operation or an operating building.
FMEA tends to focus on equipment. As a result, users of this method may not give adequate emphasis to human factors such as:
- Omissions or errors in operating procedures.
- Incorrect start-up and shutdown sequences.
- Incorrect operational sequences in batch operations.
- Other operator errors.

Additional job studies, such as What-if/Checklist, may be needed to evaluate the hazards associated with these human aspects of a process.

Procedure

The following steps should be performed before the review begins:
- A review leader is selected and instructed about the process.
- Review planning takes place.
- FMEA team members are selected.
- An FMEA team organizational meeting is held.

The hazard identification portion of the review using FMEA is described below.

An FMEA team of three to six participants is recommended: a study leader, a secretary, and at least one team member with previous FMEA experience and/or training must be included. Using the FMEA tabulation sheet, the leader tabulates information about each system component.

Detailed Failure Mode and Effect Analysis Procedure

1. Select a system.
2. Describe the system, including a sketch showing all components, e.g. a P&ID.
3. Tabulate item identity numbers and component descriptions.
4. List failure or error modes.
5. List safety effects on the whole system.
6. Determine a hazard severity rating associated with each failure mode.
7. Determine the failure probability and assign a probability rating.
8. Calculate criticality.
9. List current protection.
10. Consider high criticality events and/or high hazard severity events for protection improvements.
Report Format

A typical FMEA sheet is shown below.

[FMEA Tabulation Sheet: blank form, not reproduced in this copy]

TABLE: FMEA HAZARD RATINGS

Degree of Safety | Description | Hazard Rating (H)
Safe | The component cannot fail, or, if it does, it will fail safe (cannot cause a hazardous situation). | 0
Marginal | Failure of the component could cause a single serious injury and/or property/business loss of less than $100,000. | 1
Unsafe | Failure probably will cause major damage ($100,000 - $2,000,000) and/or personal injury, possibly a single fatality. | 2
Very Unsafe | Failure of the component will cause multiple failures in the process; the failures would cause serious personal injury and multiple fatalities and/or property loss consequences of $2,000,000 or more, off-site exposure, or environmental damage. | 3

(The rating column was not legible in this copy; the 0 to 3 scale shown is the one used by the text and the example sheet that follow.)

The PHR team should decide if the prose in "Description" is appropriate for their study and adjust where needed. If the failure effect is rated 0, no other columns of the tabulation sheet need be filled out.

The Failure Probability is determined and a Probability Rating is assigned

This rating relates to the failure mode being considered. It depends on the frequency of failure and the duration of the failed state. The PHR team should decide what probability number to give the failure mode being studied. The table shows suggested descriptions of probability ratings.

TABLE: EVENT PROBABILITY RATINGS

Description | Frequency | Rating (P)
Highly Likely | 1 or more per year | -1
Very Likely | 1 in 2-5 years | -2
Likely | 1 in 6-15 years | -3
Remote | 1 in 16-35 years | -4
Very Unlikely | 1 in more than 35 years | -5

The Criticality is Calculated

Criticality is the sum of the hazard and probability of failure ratings. Thus, criticality is an evaluation of both the probability of a failure and the severity of a "worst case" result.
It is the same thing as risk, which is the product of the severity of an event and the probability that the event will occur.

The Current Protection (Protection Now) is listed

When components or people fail, emergency measures can often be employed, or equipment can be designed to cope with failures or minimise their effects. The PHR team should list the existing protection for each component or people failure that could contribute to the worst case safety consequence. This can either be done by the entire team or assigned to an individual member to develop outside the meeting and review with the team at a subsequent meeting for consensus. Protection includes such things as interlocks, alarms, emergency shutdown systems, and operator actions that can still protect the system when the given failure occurs.

Possible Recommendations are considered

Events with a hazard rating (H) of 2 or 3, or with a criticality of -2 or greater (algebraically), should be considered for possible protection improvements. The team may well conclude that the system already has adequate protection. If so, make sure the logic for this is adequately recorded in the "Recommendation" column. If not, recommended concepts for hardware or procedure changes could be made to improve protection, and these are also recorded in the Recommendation column. The need for protection improvements is a judgement call by the team, based upon its collective experience. As described in step 9 above, an individual team member may be assigned the initial task of deciding what recommendations, if any, are needed.

If the team cannot reach a consensus on improved protection with the information available thus far, it may want to consider quantifying the risk of the existing process and of possible protection improvements. To do this, a fault tree analysis of the system under consideration would be appropriate.
This would require the expertise of a skilled fault tree analyst.

Common Mode Failures

Common mode failures have two or more effects on the system which contribute to the same hazardous event. A typical example is the use of high level alarm/high-high level interlock instrumentation. Although it might appear that these are separate protective systems, there can be several components, such as a sensor and transmitter, which are common to both. Thus, a single failure could disable both systems. Such designs are not always undesirable, since they give an operator time to respond before shutting down a process. But the analyst should not consider the design equivalent to two separate forms of protection.

When common modes exist in an instrument loop, it is important to recognise these multiple effects. These multiple effects are easiest to identify when each component is analysed separately. Conversely, when an instrument loop has a single effect, it is adequate, and certainly easier, to consider the whole loop as one component. For purposes of this analysis, it is adequate to assume a "failure probability" for such a loop of -1. Thus, a -1 may be entered in the rating column. The device that is actuated (for example, a valve) should be listed separately from the loop. The actuated component failure may represent a common mode failure even when the loop does not represent a failure.

FAILURE MODE AND EFFECTS ANALYSIS EXAMPLE

FMEA EXAMPLE: Exothermic Reactor

[Figure: P&ID of the exothermic reactor showing the instrument air and cooling water supplies and the panel and field instruments; not reproduced in this copy]
FMEA TABULATION SHEET (Answer Sheets)
STUDY: Exothermic Reactor Example    SECTION: Reactor and cooling    DATE:    BY:

Columns: IDENTITY | COMPONENT | FAILURE MODE | EFFECT | H | P | C | PROTECTION NOW | RECOMMENDATION
(Entries that could not be read from the scan are marked [illegible]; where only H was unreadable it has been filled from C = H + P.)

TV1 | Water control valve
  [mode illegible] | Vessel rupture | 2 | -4 | -2 | TA1, [illegible] indication, H1, RV1 & TG1 | Existing hardware adequate. Make sure TA1 is tested periodically.
  Fails open | Slowed reaction and possible quality problem | 0 | - | - | NA | NA, no safety effect.

H1 | Manual bypass valve
  Fails closed | Unable to get water to reactor if cooling control loop fails, leading to vessel rupture | 2 | -3 | -1 | Annual inspection, RV1 | Increase inspection frequency to once per week, by operator.

TC1 | Temp. indicator controller
  Fails low output | Slowed reaction | 0 | - | - | NA | NA, no safety effect.
  Fails high output | Vessel rupture | 2 | -4 | -2 | TA1, TC1, H1, RV1 | None; existing protection adequate.
  Stuck | No control of TV1 and no response to upsets | 1 | -3 | -2 | Preventive maintenance (PM) program for TC1 | None; existing protection adequate for low hazard.

[illegible] | Temp. sensor/transmitter
  Fails low output | TV1 closes, losing TA1 and cooling, leading to vessel rupture (common mode failure) | 2 | [illegible] | -1 | TG1, H1 & RV1 | Consider adding an independent high temp. interlock loop, halting reactor feeds or dumping batch.
  Fails high output | Quality problem | 0 | - | - | NA | NA, no safety effect.

TS1 | Pressure switch
  Fails closed | Causes confusion | 0 | - | - | NA | NA, no safety effect.
  Stuck open | Vessel rupture | 2 | -2 | 0 | TC1, TG1 & RV1 | See independent interlock above for [illegible].

TA1 | High temp. alarm
  Fails | No warning of high temp., leading to vessel rupture | 2 | -5 | -3 | Daily test by operator | None; low risk.

TG1 | Temp. gage
  [mode illegible] | No independent reading by operator, [illegible] vessel rupture | [illegible] | [illegible] | [illegible] | 2 per shift check of high temp., TC1, TA1 & RV1 | None; low risk.
  Fails high | Operator confused | 0 | - | - | NA | NA, no safety effect.

RV1 | Relief valve
  [mode illegible] | Possible environmental problem | 1 | -5 | -4 | Annual inspection and rebuild | None; existing protection adequate for low risk.
  Fails closed | Unable to relieve pressure rise, leading to vessel rupture | 2 | -3 | -1 | Annual inspection and rebuild | [partly illegible] ... materials; increase inspection frequency to twice a year.

Cooling water
  Supply loss | TV1 opens with no resulting cooling, leading to vessel rupture | [illegible] | [illegible] | [illegible] | Valve position indicated on TC1, TA1, TP1 & RV1 | Existing protection plus the independent shutdown already mentioned should be adequate.
  Water temp. increase above design | Vessel rupture | 2 | -3 | -1 | TV1 position, TA1, TP1 & RV1 | See comment for supply loss above.

Instrument air
  Pressure [illegible] | TV1 fails open | 0 | - | - | NA | NA, no safety effect.

Operator
  Fails to respond to TA1 high temp. | Vessel rupture | 2 | -3 | -1 | TC1, TP1 & RV1 | Existing protection along with an independent shutdown should be adequate.

TYPICAL SAFETY PROCESS CHECKLIST

TABLE: A procedure for safety assessment of modifications

A possible extra question is, "What is the worst thing that can go wrong?"

Plant ........    Reg. No. ........
Underline those factors which have been changed by the proposal:

Process conditions: temperature; pressure; flow; level; composition; toxicity; flash point; reaction conditions.
Operating methods: start-up; routine operation; shutdown; preparation for maintenance; abnormal operation; emergency operation; layout and positioning of controls and instruments.
Engineering methods: trip and alarm testing; maintenance procedures; inspection; portable equipment.
Safety equipment: fire fighting and detection systems; means of escape; safety equipment for personnel.
Environmental conditions: liquid effluent; solid effluent; gaseous effluent; noise.
Engineering hardware and design: line diagram; wiring diagram; plant layout; design pressure; design temperature; materials of construction; loads on, or strength of: foundations, structures, vessels, pipework/supports/bellows; temporary or permanent: pipework/supports/bellows, valves, slip-plates, restriction plates, filters; instrumentation and control systems; trips and alarms; static electricity; lightning protection; radioactivity; rate of corrosion; rate of erosion; isolation for maintenance: mechanical, electrical; fire protection of cables; handrails; ladders; platforms; walkways; tripping hazard; access for: operation, maintenance, vehicles, plant, fire fighting; underground/overhead: services, equipment.

Within the categories listed below, does the proposal: (answer Yes or No; what problems are created affecting plant or personnel safety?; recommended action?; signed and date)

Relief and blowdown
(1) Introduce or alter any potential cause of over/under pressuring the system or part of it?
(2) Introduce or alter any potential cause of higher or lower temperature in the system or part of it?
(3) Introduce a risk of creating a vacuum in the system or part of it?
(4) In any way affect equipment already installed for the purpose of preventing or minimising over or under pressure?

Area classification
(5) Introduce or alter the location of potential leaks of flammable material?
(6) Alter the chemical composition or the physical properties of the process material?
(7) Introduce new or alter existing electrical equipment?

Safety equipment
(8) Require the provision of additional safety equipment?
(9) Affect existing safety equipment?

Operation and design
(10) Introduce new or alter existing hardware?
(11) Require consideration of the relevant Codes of Practice and Specifications?
(12) Affect the process or equipment upstream or downstream of the change?
(13) Affect safe access for personnel and equipment, safe places of work and safe layout?
(14) Require revision of equipment inspection frequencies?
(15) Affect any existing trip or alarm system or require additional trip or alarm protection?
(16) Affect the reaction stability or controllability of the process?
(17) Affect existing operating or maintenance procedures or require new procedures?
(18) Alter the composition of, or means of disposal of, effluent?
(19) Alter noise levels?

Safety assessor ........    Checked by ........    Date ........
Plant Manager ........    Checked by ........
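Returning to the FMEA procedure: the script below is an added illustration, not part of the manual, that fills in the H, P and C columns and the protection-improvement review flag for rows constructed from the exothermic reactor answer sheet above. The cut-offs between the probability table's frequency bands and the row format are assumptions made here.

```python
"""FMEA criticality tabulation: an added worked example, not the manual's own code.
H (0..3) + P (-1..-5) = C; rows with H of 2 or 3, or C of -2 or greater
(algebraically), go to the team for possible protection improvements. Band edges
between the manual's frequency ranges (e.g. every 1.5 years) are assumed here.
"""
from typing import List, Optional, Tuple

HAZARD = {0: "Safe", 1: "Marginal", 2: "Unsafe", 3: "Very Unsafe"}

def probability_rating(years_between_failures: float) -> int:
    """Map a mean interval between failures (in years) to the manual's P rating."""
    y = years_between_failures
    if y <= 1:
        return -1  # Highly Likely: 1 or more per year
    if y <= 5:
        return -2  # Very Likely: 1 in 2-5 years
    if y <= 15:
        return -3  # Likely: 1 in 6-15 years
    if y <= 35:
        return -4  # Remote: 1 in 16-35 years
    return -5      # Very Unlikely: less often than 1 in 35 years

def criticality(h: int, p: Optional[int]) -> Optional[int]:
    """C = H + P; an H of 0 means the remaining sheet columns stay blank."""
    if h not in HAZARD:
        raise ValueError(f"hazard rating must be 0..3, got {h}")
    if h == 0:
        return None
    if p is None or not -5 <= p <= -1:
        raise ValueError(f"probability rating must be -5..-1, got {p}")
    return h + p

def needs_review(h: int, c: Optional[int]) -> bool:
    """Rows the manual sends to the team for possible protection improvements."""
    return c is not None and (h in (2, 3) or c >= -2)

def tabulate(entries: List[Tuple[str, str, int, Optional[int]]]) -> list:
    """Fill H, P, C and the review flag for (identity, description, H, P) rows."""
    rows = []
    for identity, description, h, p in entries:
        c = criticality(h, p)
        rows.append((identity, description, h, p, c, needs_review(h, c)))
    return rows

# Rows constructed from the manual's exothermic reactor answer sheet.
EXAMPLE = [("TA1", "Fails", 2, -5), ("TC1", "Stuck", 1, -3),
           ("RV1", "Possible environmental problem", 1, -5), ("TV1", "Fails open", 0, None)]
```

Run `tabulate(EXAMPLE)` to see that TA1 is flagged by its hazard rating, TC1 by its criticality of -2, and RV1 (C = -4) and TV1 (H = 0) are not.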
