
The Risk Management of Safety and Dependability_5 pot


DOCUMENT INFORMATION

Basic information

Title: The Risk Management of Safety and Dependability
School: Woodhead Publishing Limited
Field: Safety and Dependability
Type: Book
Year published: 2010
Pages: 30
Size: 343,54 KB

Content



[Figure residue (block flow diagram not recoverable from the extraction). Mode: Normal operation. Labels present: Lubrication, Cooling; Pump fails, Fan fails; No lube oil, Too hot; Low pressure, High temperature, High temperature alarm, Hot bearings, Engine overheats, Lube oil overheats; Start spare pump, Spare cooler, See cooling water, Trend delta pressure.]


Techniques to find possible risks 109

[Fig. 5.3 (diagram not recoverable from the extraction): manual control system for a pressure vessel. Elements shown: compressor, pressure vessel, switchgear, electricity supply, PB (push button), PC (pressure control); the added autocontrol PC is shown as "---".]

5.3 Diagram of a manual control system for a pressure vessel.

…independent of each other. Either of them could stop excessive pressure. They both have to fail for an explosion to occur. The operator, pressure gauge, push button and switchgear are said to work in series. They all depend on each other. If any one fails then they all fail.

The system could be made more reliable by adding automatic pressure control. This has been shown in Fig. 5.3 as an addition. With this addition, the system depends on the reliability of the switchgear and the pressure safety valve. The operation of the switchgear now depends on two independent controls (redundancy), one by the operator and the other by the automatic control (diversity). The system is more reliable as more things need to fail before there is excessive pressure. A logic flow diagram can be used to illustrate the control system (Fig. 5.4). This shows that the control logic is the sequential action of the operator, pressure gauge, push button, switchgear and compressor. If any one of these elements fails then the whole control system fails. If the control system fails, then the system depends on the reliability of the pressure safety relief valve on the vessel.

The safety of the manual control system can also be examined by the use of FMECA (Table 5.7). It will be seen that the risk of an explosion is unacceptable due to the high risk ranking of 4. The risk is reduced by the addition of an automatic pressure control to the system. This, however, cannot improve the risk ranking because a coarse qualitative assessment cannot assess risk reduction. To assess the reduction in risk a quantitative procedure has to be used. This will be examined in the next chapter.
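The series/parallel reasoning above, carried through numerically as an added illustration (not from the book): the control chain of Fig. 5.4 is treated as a series system, the pressure safety valve as an independent parallel backstop, and the automatic pressure control as a second, diverse route to the switchgear. All per-demand failure probabilities are constructed assumptions, and the function names are mine.

```python
from functools import reduce
from operator import mul

# Constructed per-demand failure probabilities (assumptions for illustration,
# not data from the book). Each is the chance the element fails when called on.
MANUAL_PATH = {           # operator -> gauge -> push button (Fig. 5.4 sequence)
    "operator": 1e-2,
    "pressure gauge": 1e-3,
    "push button": 1e-4,
}
SHARED_PATH = {           # elements every control route still depends on
    "switchgear": 1e-3,
    "compressor": 1e-3,
}
AUTO_CONTROL = 1e-3       # the dashed automatic PC added in Fig. 5.3
PSV = 1e-2                # pressure safety relief valve on the vessel


def series_failure(probabilities):
    """Series: the chain fails if ANY element fails -> 1 - product(survivals)."""
    return 1.0 - reduce(mul, (1.0 - p for p in probabilities), 1.0)


def parallel_failure(probabilities):
    """Independent redundancy: ALL paths must fail -> product(failures)."""
    return reduce(mul, probabilities, 1.0)


def manual_system():
    """Fig. 5.3 as drawn: one series control chain, PSV as the only backstop."""
    control = series_failure([*MANUAL_PATH.values(), *SHARED_PATH.values()])
    return parallel_failure([control, PSV])       # both must fail to explode


def system_with_autocontrol():
    """Fig. 5.3 plus automatic PC: the switchgear is now driven by two
    independent controls (operator route OR automatic route), so the control
    system fails only if both routes fail or a shared element fails."""
    routes = parallel_failure([series_failure(MANUAL_PATH.values()), AUTO_CONTROL])
    control = series_failure([routes, *SHARED_PATH.values()])
    return parallel_failure([control, PSV])


def risk_reduction_factor():
    """How many times less likely excessive pressure is after the addition."""
    return manual_system() / system_with_autocontrol()


if __name__ == "__main__":
    print(f"manual only        : {manual_system():.3e} per demand")
    print(f"with automatic PC  : {system_with_autocontrol():.3e} per demand")
    print(f"reduction factor   : {risk_reduction_factor():.1f}x")
```

With these assumed values the shared switchgear and compressor dominate the residual control-system failure, which is the text's point that the system now "depends on the reliability of the switchgear and the pressure safety valve".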


[Fig. 5.4 (diagram not recoverable from the extraction): pressure control logic flow. Elements shown: pressure gauge, push button, switchgear, automatic pressure control addition, pressure safety valve, explosion.]

5.4 Pressure control logic flow diagram.

5.5 Hazard and operability studies (HAZOP)

A HAZOP is a procedure for carrying out a systematic critical examination of an engineering design to assess the hazard potential due to incorrect operation or malfunction of individual items of equipment and the consequential effects on the whole plant. It was conceived as a way of improving safety in the design of chemical plant and is now extensively used in the design of any type of process plant.2,3 A team is needed for the study. It consists of a chairman and a scribe, with representatives from the design team, operations and maintenance. The actual HAZOP study is a formal review of the process flow diagrams (PFDs), which are conceptual, and piping and instrumentation diagrams (P&IDs), which are detailed designs.

The method requires the design to be divided up into sections, called ‘nodes’. For each node, a series of questions called ‘guide words’ have to be answered. This involves the use of a standard worksheet with specific headings for the answers required. At the start of the study session, the objective of the HAZOP must be stated and a brief background and purpose of the node under study must be discussed. This will enable the team to be focused on the objective. The parameters to be considered must then be decided. The diagram under study should be displayed on the wall of the study room for all to see. As each line is subjected to the HAZOP, it must then be highlighted, so that at the end of the study it can be seen that all lines have been considered. On completion, the study proceeds to the next node, and so on.


Table 5.7 Diesel engine starting air control system


…recommended actions have been implemented. This becomes an audit and record of what was carried out or, if not carried out, then what was the alternative and why. The standard worksheet headings and what they mean, together with the guide words to be used, are listed below. Typical deviations and an explanation of possible causes explain how guide words can be applied:

Worksheet headings:

Node: Item or section of plant studied
Guide word: See guide word descriptions
Deviation: Study design and identify meaningful deviations of the guide word
Cause: Identify credible causes of the deviation
Consequence: Assuming that all protection has failed, establish the consequence of the deviation
Safeguard: Identify safeguards provided to prevent deviation
S-Severity: Apply risk-ranking matrix
L-Likelihood: Ditto
R-Ranking: Ditto
Recommendation: Develop recommended action, if needed
Action by: Identify who is responsible to take action

Guide words (and their interpretation):

Guide word | Typical deviation | Explanation
No, None | No flow | Diverted, blockage, closed valve
Less | Flow, pressure | Blocked suction, drain with closed vent
As well as | Contamination | Carry over, inward leaks from valves
Part of | Composition | Wrong composition of materials
Other than | Abnormal situations | Failure of services/utilities, fire, flood
 | Maintenance | Isolation, venting, purging, draining
 | Abnormal operations | Start-up, part load, etc.

5.5.1 HAZOP application example

The example to be studied is based on the starting air system. The concept, as discussed previously, is shown in Fig. 5.3. However, the air system is to be installed with a spare compressor package and two air storage pressure vessels (receivers). This will allow critical maintenance of the compressors and inspection of the receivers without the need to disrupt the utility air supply. This is a simple example as only one node is involved. The object of the HAZOP must be to verify safe operation and maintenance without disruption of the air supply. The node under HAZOP study is the air supply to the receivers. The HAZOP is called a coarse HAZOP, as the study will be based on a PFD.

The study showed that the closure of any combination of isolating valves would not lead to over-pressure. All sections of pipe up to the receiver isolation valves would be protected by the compressor safety valve. The whole system is of course protected by the pressure control system and the pressure safety valves on the receivers. It was considered prudent to add an independent automatic high-pressure shutdown and alarm. This will improve reliability at little extra cost. The other recommendation was to add automatic water traps to discharge any water from the receivers and not to rely on the operators. This will reduce the risk of corrosion due to water stagnating in the receiver. The isolation and venting of the receivers was not provided for. Although inlet isolation valves were shown, the vessel cannot be isolated as the vessel would be pressurised by backflow from the discharge manifold, and so discharge isolation valves have been added. Although the piping inlet manifold had a pressure gauge, it was considered prudent to add one to each vessel. A pressure gauge on the vessel will enable the pressure in the vessel to be monitored during venting down for maintenance. Due to the high pressure, all instruments need block and bleed valves to ensure pressure letdown for maintenance. The HAZOP was carried out on the PFD in Fig. 5.5. The worksheet completed for the study is shown in Table 5.8. The P&ID that embodies the recommendations of the HAZOP study is shown in Fig. 5.6.

5.5.2 Other HAZOP applications

The HAZOP procedure was developed by the process industries and the previous example has demonstrated how it can be applied to a P&ID for a process system. It is also a useful tool for finding weaknesses in any type of system that can be represented by a block flow diagram. It enables the interface parameters to be explored for the effects of any deviation from the planned intent. They could be systems that involve the flow of materials, people or data. Alternatively it could be used in the study of a number of events or activities in a planned sequence. Typical applications are:

• software applications and programmable software systems;

• logistic systems of people and materials;

• assessment of administrative procedures;

• assessment of other systems and devices.

[Fig. 5.5 (diagram not recoverable from the extraction): utility air system process flow diagram. Elements shown: compressor, PC and PB, two receivers, closed valve, non-return valve, valve. Legend: PB push button, PC pressure control, PI pressure gauge.]

5.5 Utility air system process flow diagram.

Table 5.8 Session: (date) [worksheet not recoverable from the extraction]

[Figure residue (caption absent from the extraction; the text refers to the P&ID with the recommendations as Fig. 5.6): PAHH high pressure alarm/trip, two compressors, PC and PB, two receivers, closed valve, non-return valve, valve. Legend: PB push button, PC pressure control, PI pressure gauge.]

In the HAZOP of logistics where time or sequences are involved, other additional guide words are needed, such as:

5.6 A cautionary example

The effectiveness of any hazard analysis depends entirely on the experience and creative imagination of the team doing the investigation. The procedures only impose a disciplined structure to the work. The Concorde supersonic airliner that crashed at Paris in 2000 is a good example of this. During take-off a fuel tank in the wing was ruptured. The escaping fuel was ignited and then the plane caught fire and crashed. The engineers had considered all failure modes in the design and the fuel tank should not have ruptured. The event that was not foreseen was the possibility that an object could strike the underside of the fuel tank and cause a hydraulic wave to be transmitted to the upper side of the fuel tank. It was the reflected hydraulic wave that then caused the underside of the fuel tank to rupture. If the fuel tank had not been completely full there would not have been a reflected hydraulic wave. For take-off on a long journey the tanks were of course full.

No one had thought of this possibility; it just demonstrates how much imagination is needed to ensure that all failure modes are identified. Sometimes it is just too much to expect, as with Concorde. Making provisions to avoid the hazard by design solved the problem. The tyres were redesigned to avoid bursting and shedding large enough debris to cause damage to the fuel tanks. The fuel tanks were lined with a material that could absorb hydraulic shock waves and self-seal if punctured.

5.7 Summary

This chapter has shown how processes and systems can be broken down and analysed to find hazards to safety and reliability. The techniques of using ‘What if’, producing block flow diagrams and how to apply FMEA have been demonstrated. A method of risk ranking to qualify risk has been provided. These methods have been used on an air system, which was developed from an initial PFD to a final P&ID using HAZOP. It has also been shown that finding hazards and reducing risk depend entirely on the abilities of the team assigned. These techniques can be applied to a whole range of situations for many different industries. The work should be a challenge to the creative imagination of any engineer. There are other techniques in use that are listed in published codes of practice.4 In high-risk situations it has also been shown that there will be a need to quantify the risk to safety, and calculate its reliability, for any plant or system. This is especially true if the effects of improvements need to be judged or alternative measures need to be compared. These matters will be dealt with in the chapter that follows.

5.8 References

1 BSI ISO IEC 60812, Analysis Techniques for System Reliability – A Procedure for Failure Mode and Effects Analysis (FMEA).

2 Chemical Industries Association (1992) A Guide to Hazard and Operability Studies, London.

3 BS IEC 61882: 2001, Hazard and Operability Studies (HAZOP Studies) – Application Guide.

4 BS 31100: 2008, Risk Management – A Code of Practice.

5 BS IEC 60300-3-9, Dependability Management – Risk Assessment of Technological Systems.


Safe enough? Methods and procedures for evaluating and reducing risk in the design of processes, plant and machinery

Abstract: This chapter is intended to provide sufficient introduction to the subject matter for managers and engineers to deal with simple situations in industry and to communicate with safety specialists. The concept of ‘as low as reasonably practicable’ (ALARP) will be explained and what degree of risk is acceptable or expense is needed to comply. For a qualitative assessment the use of the Bow Tie analysis procedure is explained showing the multiple levels of controls required to reduce risk and the management system needed to ensure its effectiveness. The use of failure rate data and its application to simple systems is given. From this fault tree analysis is used to evaluate a pressure control system. The importance of testing standby units for hidden failures and the folly of neglecting this and the value of redundancy is discussed.

Key words: ALARP, value of life, acceptable risk, Bow Tie analysis, human error, TESEO, preventative, recovery, engineering, system, human, component failure, probability, failure rate, factors, MTTF, MTTR, redundancy, series systems, partial redundancy, binomial distribution, hidden failure, test interval, hazard rate, demand rate, availability, unavailability, common mode, FTA, exposure risk, SIL.

6.1 Introduction

The law requires that employers have a duty of care to ensure the health and safety of their employees and the public who could be affected by their activities. With the Corporate Manslaughter and Corporate Homicide Act (2007) in place, corporate management will need to understand what has to be done to fulfil their duty. The risk of an accident can never be zero.

So what is safe enough?

When there are no accidents!

The means by which accidents can be reduced and the estimation of their probability of occurring can be quite complex. In some situations an expert knowledge of the industry, the situation and the use of complex mathematics is needed. However, the intention here is to provide the basic principles in sufficient detail to enable managers and engineers to understand the subject. This will enable those who design plant and machinery to work with the specialist safety engineers in compliance with HSE regulations. In the management of operations the measures to control safety have to be appreciated and maintained to ensure that they are effective. Corporate management may engage consultants to aid them in this task, but as they cannot subcontract responsibility, they will have to take responsibility for the work and understand what is being done.1

In the UK the law requires the risk of an accident to be reduced as low as reasonably practical (ALARP). This means that some common sense judgment is allowed. However, it should be noted that the UK and The Netherlands are the only ones in the EU that allow a risk-based assessment to determine what is acceptable. To manage risk, a risk assessment needs to be made to determine what measures to control or mitigate them are needed. In most situations these measures can follow established industrial practice. In other situations it has been established that a cost-based analysis (CBA) of the investment to save life is acceptable.2 Implied values to prevent a fatality in the UK are (2004 values):

• health service << £1 million;

The fatal injury rates in the table illustrate how the public will accept a much higher risk of their own choosing but will be intolerant of any imposed risk.3 What is acceptable depends on perspective, which is as follows:

• Personal risk: people may sometimes take enormous risks.

• Societal risk: what is acceptable depends on public opinion.

• Business risk: the possible loss of capital assets is often overlooked.

• ALARP risk: to health and safety, often linked to business risk.

For industry the risks to health and safety that are between one in a thousand and one in a million are only tolerable if they are shown to be ALARP.4 However, if a disaster occurs and it involves the public it is also a societal risk and may become an emotional issue. A risk of considerably less than one in a million may then be demanded. The estimation of probability is based on judgement, the calculation of probability is based on statistical data. Statisti-

Methods and procedures for evaluating risk 121

…absolute lies and statistics’. Therefore the lines of demarcation given in the table are target guidelines.

3 no facilities, use contracted scaffolding/mobile equipment when needed;

4 no facilities, just use a ladder when needed;

5 leave it to the owner’s maintenance department.

Option 4 is against the law. The law requires a risk assessment. The hazard is a man falling to the ground. The consequence is death or injury, which depends on:

• the height of the roof;

• a hard or soft landing.

Table 6.1 Acceptable risk of an accident [table extraction incomplete; only fragments are recoverable]

Column headings: Activity; Fatal injury rate per 10−5 persons per year; Risk acceptance criteria for industry; Probability per million.

Recoverable fragments, in page order: workers but not any exposed public; 1000; the public; 100; Agriculture, hunting, forestry and fishing; 7.5; Tolerable, but needs justification; 75; … million must be ALARP; Extraction and utility … (truncated).

Posted: 21/06/2014, 12:20
