Handbook of Reliability, Availability, Maintainability and Safety in Engineering Design - Part 62 docx


RC = risk cost

C0 = initial cost constant (set to zero for cost comparisons)

C1 = cost constant multiplied with the CER variable of mass

C2 = cost constant multiplied with the CER variable of material

Cs = cost variable for ensuring required reliability and safety

The cost of ensuring the required reliability and safety relative to the selected attributes can be formulated as

where:

Cf = cost of failure relative to the selected attributes

R = risk of a failure incident occurring

The risk of a failure incident occurring can be formulated as

where:

p = the probability of the event occurring

c = the consequence of the risk on the estimate

5.2.2.2 Process Operational Risk Modelling

Complex process systems, especially complex integrations of systems, increasingly have to cope with risk in their operating environment. As a result, it is necessary and useful to develop a safety hypothesis, expressed as a risk equation, which relates system throughput capacity to risk. Such a risk equation has its roots in financial risk management and has been expanded to measure the mean expected loss risk, which is more suitable for process systems in general. Such a measure not only quantifies risk but also clarifies system safety principles during conceptual design. Early identification of specific risk costs and safety benefits of different design alternatives enables avoidance or mitigation of hazards that could result in operational losses.

a) Overview of the Risk Hypothesis and Risk Equation

From Eqs. (4.23) and (4.24) in Sect. 4.2.1.2, a process system is considered to be a functional unit that converts inputs to outputs, and which may be composed of sub-systems connected either in series or in parallel, enabling the system to convert a set of process inputs, Ip, to a set of process outputs, Op, per unit time, so that Op is equivalent to the system throughput, Tp, where the yield is 100%.


Equation (4.23) is reviewed here as the following expression:

Process throughput ($T_p$) = Material in process = Rated capacity ($C_r$)

The term throughput capacity relates engineering process throughput Tp to rated capacity Cr. If Tp is the maximum value for Op, then Tp is seen as the throughput capacity of the system, measured as the units of output per unit time when the system is operating at rated capacity. In general, if the system is operating at a fraction f of throughput capacity Tp, due to process fluctuations, where f is an average constant (e.g. 0.95), then the reduced throughput, U, can be determined.

The reduced throughput, U, can be expressed as

In reality, the system will be exposed to unpredictable fluctuations in throughput capacity and, over a period of time t, the mean and, thus, expected throughput capacity will be Tp, where

$$T_p = \frac{1}{n}\sum_{t=0}^{n} U_t$$

where:

Tp = mean throughput capacity

n = number of time periods

In real loss-deviation time periods, the actual capacity values can be expressed as the series

$$S_{T_p} = \{\,T_p - L_1,\; T_p - L_2,\; \ldots,\; T_p - L_n\,\} \quad (5.19)$$

where $L_1, L_2, \ldots, L_n$ are loss deviations from the average Tp.

The expected or average Tp actually rarely occurs, if at all. In reality, it is the unpredictable sequence of losses (L1, L2, ..., Ln) with respect to an average or expected throughput capacity Tp, in a given time period, which is used in the measure of risk of loss of throughput. Two meaningful measures of risk may be used: the traditional standard deviation measure, and a new measure, the mean expected loss, that in many cases is more suitable for systems in general.

b) Risk Measures

Risk measures are statistical measures, such as the standard deviation risk (SD-risk) with respect to the mean throughput capacity Tp; if twice the standard deviation is used, then an even stronger risk measure is obtained, the two-standard-deviations risk (2-SD-risk) measure. A new measure more suitable for process systems in general, termed the mean expected loss risk (MEL-risk) with respect to hazard-free Tp, is proposed (Bradley 2001).


In general, risk of loss L of throughput capacity has two components, namely the probability of a hazard occurring, and the size of the loss in throughput with respect to some standard level of throughput. A MEL-risk of loss L means that the average loss, with respect to the mean throughput capacity Tp in a period where the hazard does not occur, is exactly L.

The standard deviation measure of possible loss with respect to the mean throughput capacity, Tp, is the SD-risk measure. This measure is obtained by determining the standard deviation s of all the deviations (L1, L2, ..., Ln) from the mean throughput capacity Tp.

An SD-risk of s means that, in the next time unit, there is:

• a 50% chance or probability of a loss from the expected throughput capacity Tp,

• a 34.1% chance of a loss between 0 and s from the expected Tp,

• a 15.9% chance of a loss > s.

For a two-standard-deviations measure, there is a 47.7% chance of a loss between 0 and 2s with respect to Tp. This implies that there is a 13.6% chance of a loss between s and 2s, and a 2.3% chance of a loss > 2s, both losses with reference to the mean throughput capacity Tp. In specifying an SD-risk, the standard deviation of the variations in throughput must be specified, as well as the standard level of throughput.

A 2-SD-risk of 2s means that, in the next time unit, there is:

• a 50% chance or probability of a loss from the expected throughput capacity Tp,

• a 47.7% chance of a loss between 0 and 2s from the expected Tp,

• a 2.3% chance of a loss > 2s.

It is assumed that the losses in each time unit are distributed normally, and the percentages are obtained from a normal distribution function table. These percentages will inevitably be different if the distribution departs from normal. The SD-risk measure is widely used in financial risk analysis, particularly for stock and bond portfolio management, since stock and bond prices follow a random pattern that gives rise to a near-normal distribution of price changes (Beaumont 1986).

Where there is exposure to future loss, which can be made up of two loss components, namely a certain loss and a probable loss, the SD-risk measure considers only the probable loss, which in effect is the true risk. This is better explained with the aid of an example: assume a system has a mean throughput capacity Tp = 400 if there was no future loss exposure. Suppose that the system has exposure to a future loss in Tp with a mean of 100 and a standard deviation of 14, where the least loss is always greater than 70. This implies a certain loss of 70 plus a loss that makes up the balance with a mean of 30. This balance can, however, be as small as 0 (left side of the mean) and as large as 60 (right side of the mean), with a standard deviation of 14. The future loss thus has a certain loss of 70 and a probable loss of 30, with a standard deviation about the mean of the loss variations of 30 that is equal to 14. This standard deviation about the mean of the probable loss is the SD-risk. The system has a certain loss of 70 and a probable loss with a mean of 30 and an SD-risk of 14.


To deal with the problems that arise in arbitrary systems, where variations in throughput depart significantly from the normal distribution and the distribution of losses is not normal, an additional risk measure becomes essential. This is the mean expected loss risk (MEL-risk). Suppose that for a system exposed to risk, there is at least one hazard-free time period in which, by chance, the hazard does not occur, and where the loss with respect to the mean throughput capacity Tp is L in this hazard-free time period, and where a loss exceeding L is not probable (but a loss less than L is probable). Thus, in the best-case scenario, the total hazard-free throughput capacity is Tp − L. Then all other throughput capacities, each in a time period where the hazard does occur in varying degrees of intensity, i.e. Tp − L1, Tp − L2, ..., Tp − Ln, may be considered as exhibiting losses, or loss deviations, with respect to the value of Tp in the hazard-free time period. The mean of these loss deviations from Tp in a hazard-free time period may be used as a measure of the risk. This measure of expected loss in the future with respect to the throughput capacity for a hazard-free time period is the mean expected loss risk (MEL-risk). Thus, a MEL-risk of loss L means that the average loss, with respect to the mean throughput capacity Tp in a time period where the hazard does not occur, is exactly L. In specifying a MEL-risk, the mean deviation of the variations in throughput must be specified, as well as the standard level of throughput. A MEL-risk of loss L is two standard deviations from the mean Tp. The definitions of the loss variance, standard deviation or SD-risk, and two standard deviations or MEL-risk of loss L from the mean Tp are considered by their formulation.

The variance (V) is the mean of the squared differences between the losses and their average, where:

$L_k$ = the loss $L_k$ ($k = 1$ to $n$) for $n$ losses

$A_L$ = the average (or mean), $A_L = \frac{1}{n}\sum_{k=1}^{n} L_k$

The standard deviation (SD) is the spread about the average (or mean):

$$\mathrm{SD}^2 = \frac{1}{n}\sum_{k=1}^{n}\left(L_k - A_L\right)^2$$

$$\mathrm{SD} = \sqrt{\frac{1}{n}\sum_{k=1}^{n}\left(L_k - A_L\right)^2} \quad (5.21)$$

SD is the root mean square deviation between the losses and their average ($\mathrm{SD}^2$ is the difference between the average of the squares and the square of the average), and can be computed as

$$\text{MEL-risk} = \sqrt{\frac{1}{n}\sum_{k=1}^{n} L_k^2 - \left(\frac{1}{n}\sum_{k=1}^{n} L_k\right)^2} \quad (5.22)$$

$A_1$: standard deviation $\mathrm{SD}_1$

$$\mathrm{SD}_1 = \sqrt{\frac{1}{n}\sum_{k=1}^{n} L_k^2 - \left(\frac{1}{n}\sum_{k=1}^{n} L_k\right)^2}$$

$A_2$: standard deviation $\mathrm{SD}_2$

$$\mathrm{SD}_2 = \sqrt{\frac{1}{n}\sum_{k=1}^{n} L_k^2 - \left(\frac{1}{n}\sum_{k=1}^{n} L_k\right)^2}$$

where:

$L_k$ = the loss $L_k$ ($k = 1$ to $n$) for $n$ losses.

There are two extreme cases with regard to Tp for a hazard-free period of time (Bradley 2001):

(i) Explicit hazard-free case:

In the explicit case, the hazard-free throughput capacity Tp − L cannot be exceeded beyond the value of L. This throughput capacity remains in a time period when no hazard occurs. However, a hazard is certain to occur sometime. Thus, over a period of time, there will be a distribution of n losses about the mean and, in at least one of the n time periods, there will occur a loss deviation L with respect to the mean throughput capacity Tp. However, no loss deviation below L will ever occur. The concept of a hazard-free throughput capacity level Tp − L implies:

(1) that no variation in throughput capacity can occur leading to a throughput capacity below the hazard-free level, and

(2) that the only variations in throughput capacity that can occur must lead to a throughput capacity at or below the hazard-free level.

This ensures that all probable losses are included in, and certain losses excluded from, the MEL-risk measure.

(ii) Implicit hazard-free case:

In the implicit case, the values in each time period fluctuate about the mean throughput capacity Tp, and the distribution of the deviations from the mean follows some reasonably bell-shaped distribution, where large but usually improbable loss deviations from the mean throughput capacity Tp occur, and where no explicit hazard-free throughput capacity can be determined. In such a case, a hazard-free throughput capacity Tp − L may be defined where the loss L is two standard deviations from the mean.

For this case, the MEL-risk is defined as the mean expected loss with respect to Tp − L for the hazard-free period, with a value equivalent to two standard deviations of the mean throughput capacity Tp.

MEL-risk can therefore be viewed as the hazard-free deviation, either explicit or implicit, from the throughput capacity Tp, and is also equal to the average loss to be expected in a future hazard-free time period, with respect to throughput capacity Tp.
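As an added example (not the handbook's own code), the following Python computes the measures this section defines over a constructed loss series: the mean throughput and the capacity series (5.19), the SD-risk in both the (5.21) and (5.22) forms, the normal-table percentages quoted for the SD-risk and 2-SD-risk, the certain/probable split of the worked example, and the hazard-free level Tp − L for the explicit case (L = smallest loss) and the implicit case (L = 2·SD). The sample losses, the capacity of 400, and the treatment of MEL-risk as the mean deviation of the capacity series relative to Tp − L are this example's assumptions; it also compares the observed tail fraction with the normal-table value, since the text notes the percentages change when losses are not normal.

```python
import math

# Constructed sample (not from the handbook): per-period losses L_k measured against
# a hazard-free capacity T_p = 400, mirroring the section's worked example (least
# loss 70 = certain loss). Values are chosen so that all the arithmetic is exact.
TP_HAZARD_FREE = 400.0
LOSSES = [70.0, 90.0, 100.0, 110.0, 130.0]

def mean_throughput(capacities):
    """Mean (expected) throughput capacity over n periods: (1/n) * sum U_t."""
    return sum(capacities) / len(capacities)

def capacity_series(tp, losses):
    """Eq. (5.19): S_Tp = {Tp - L1, Tp - L2, ..., Tp - Ln}."""
    return [tp - loss for loss in losses]

def average_loss(losses):
    """A_L = (1/n) * sum L_k."""
    return sum(losses) / len(losses)

def sd_risk(losses):
    """Eq. (5.21): SD = sqrt((1/n) * sum (L_k - A_L)^2)."""
    a_l = average_loss(losses)
    return math.sqrt(sum((loss - a_l) ** 2 for loss in losses) / len(losses))

def sd_risk_moments(losses):
    """Eq. (5.22) form: sqrt(average of the squares - square of the average)."""
    n = len(losses)
    return math.sqrt(sum(loss * loss for loss in losses) / n - (sum(losses) / n) ** 2)

def normal_tail(z):
    """P(Z > z) for a standard normal variable, via erf (no SciPy needed)."""
    return 0.5 * (1.0 - math.erf(z / math.sqrt(2.0)))

def sd_risk_probabilities():
    """Chances quoted for an SD-risk s and a 2-SD-risk 2s, assuming normal losses."""
    return {
        "loss": 0.5,                        # 50%: any loss relative to the mean T_p
        "0_to_s": 0.5 - normal_tail(1.0),   # 34.1%
        "gt_s": normal_tail(1.0),           # 15.9%
        "0_to_2s": 0.5 - normal_tail(2.0),  # 47.7%
        "gt_2s": normal_tail(2.0),          # 2.3%
    }

def split_certain_probable(losses):
    """Certain loss = smallest loss ever observed; probable loss = balance above it.
    Only the probable part carries risk; shifting by a constant leaves the SD unchanged."""
    certain = min(losses)
    probable = [loss - certain for loss in losses]
    return certain, average_loss(probable), sd_risk(probable)

def hazard_free_level(tp, losses, explicit):
    """Hazard-free capacity Tp - L. Explicit case: L is the floor below which no loss
    occurs (smallest loss). Implicit case: no floor exists, so L = 2 * SD."""
    loss_l = min(losses) if explicit else 2.0 * sd_risk(losses)
    return tp - loss_l

def mel_risk(tp, losses, explicit):
    """Mean expected loss of the capacity series relative to Tp - L
    (this example's reading of the MEL-risk definition in the text)."""
    level = hazard_free_level(tp, losses, explicit)
    return average_loss([level - cap for cap in capacity_series(tp, losses)])

def empirical_tail_fraction(losses, k):
    """Observed share of losses above A_L + k*SD; the text warns that the quoted
    percentages change when the loss distribution departs from normal."""
    a_l, sd = average_loss(losses), sd_risk(losses)
    return sum(1 for loss in losses if loss > a_l + k * sd) / len(losses)

if __name__ == "__main__":
    print("SD-risk (5.21/5.22):", sd_risk(LOSSES), sd_risk_moments(LOSSES))
    print("certain, probable mean, SD-risk:", split_certain_probable(LOSSES))
    print("MEL-risk explicit/implicit:", mel_risk(TP_HAZARD_FREE, LOSSES, True),
          mel_risk(TP_HAZARD_FREE, LOSSES, False))
    print("P(loss > s) normal vs observed:", sd_risk_probabilities()["gt_s"],
          empirical_tail_fraction(LOSSES, 1))
```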


5.2.2.3 Hazard and Operability Studies for Risk Prediction

Safety issues have to be considered throughout an engineered installation's life cycle, from design, manufacture, installation, assembly and construction, through to start-up and operation. The later the hazardous operating modes are detected in this development process, the more serious and expensive they become to avoid or mitigate in terms of the required plant modifications. Thus, an extensive and systematic examination of safety aspects has to be carried out carefully and at the earliest possible opportunity in the engineering design stage. To meet these essential demands, a thorough safety and hazards analysis is compulsory during the engineering design and development stages, for official approval to commence with construction.

The initial step of such an analysis is process hazard identification (PHI), which aims at identifying potential hazards that may be caused either by the nature of the process or the intended systems configuration. Further steps in this analysis are achieved by a variety of methods such as what-if analyses and safety checklists, usually incorporated in a more formal hazard and operability study (HazOp) conducted as early as possible in the conceptual and/or preliminary design phases. However, investigations in these early design phases identify faults only in the basic plant layout because no detailed specifications of process behaviour, or of the required controller equipment, may yet be available. Therefore, in the later detail engineering phase, further examination of the dynamic behaviour of systems is necessary to determine fail-safe control by programmable logic controllers (PLCs) or distributed control systems (DCSs).

The technique of HazOp has been used and developed over approximately four decades for identifying potential hazards and operability problems caused by deviations from the design intent of both new and existing process plants. Because of the high profile of process plant accidents, emphasis has often been placed upon the identification of hazards but, in so doing, potential operability problems have been neglected. Yet, it is in the latter area that benefits of a HazOp study are usually the greatest. With respect to 'design intent', all industrial processes are designed for a purpose. Process systems are designed and constructed to achieve desired objectives. In order to do so, each item of equipment must consistently function according to specified criteria. These criteria can be classified as the 'design intent' for each particular item.

As an example, in the cooling water system of Fig. 5.5, consider now the cooling water circuit piping in which the pumps are installed. A simplified statement of the design intent of this small section of the reactor cooling system would be 'to continuously circulate cooling water at an initial temperature of X °C and at a rate of Y l per hour'. It is usually at this low level of design intent that a HazOp study is directed. The use of the word 'deviation' now becomes easier to understand. In the case of the cooling water circuit, a deviation or departure from the design intent would be a cessation of circulation, or the water being at an excessively high initial temperature. It is important to note the difference between a deviation and its cause. In this case, failure of the pump would be a cause, not a deviation, and a bent shaft due to insufficient lubrication would be a possible root cause. Essentially, the HazOp


procedure involves taking a full description of a process system and systematically questioning every part of it to establish how deviations from the design intent can arise. Once identified, an assessment is made as to whether such deviations and their consequences can have a negative effect upon the safe and efficient operation of the system. If considered necessary, remedial action is then taken.

An essential feature in this process of questioning and systematic analysis is the use of keywords to focus attention on deviations and their possible causes. In Sect. 5.2.1.5, keywords consisted of guidewords, attributes and process parameters. In the early conceptual phase of engineering design, when many equipment attributes and process parameters have not yet been defined but it is considered expedient to conduct a preliminary HazOp study, these keywords are simplified by grouping into two subsets:

• Primary keywords, which focus attention upon a particular aspect of the design intent or an associated process condition or parameter (e.g. isolate, vent, open, clean, drain, purge, inspect, maintain, start-up and shutdown).

• Secondary keywords, which are combined with a primary keyword to suggest possible deviations (e.g. no, less, more, also, other, early, late, reverse, fluctuation).

The usefulness of a preliminary HazOp study thus revolves around the effective application of these two subsets of keywords, for example (pressure/maintain) and (pressure/less) as primary and secondary keyword combinations.

a) Primary and Secondary Keywords

Primary keywords reflect both the process design intent and operational aspects of the system being studied. Typical process-oriented words are very similar to the process parameters of Sect. 5.2.1.5, as the words employed will generally depend upon the process being studied, whether at systems level or at a more detailed component level. However, the technique is hazard and operability studies; thus, added to the above primary keywords might be relevant operational words such as those given in Table 5.9.

This latter type of primary keyword is sometimes either overlooked or given secondary importance. Improper consideration of the word 'isolate', for example, can result in impromptu and sometimes hazardous means of taking a non-essential item of equipment offline for repairs because no secure means of isolation has been provided. Sufficient consideration of the words 'start-up' and 'shutdown' is particularly important, as most hazardous situations arise during these activities. For example, during commissioning it is found that the plant cannot be brought on-stream because no provision for safe manual override of the safety system trips has been provided, or it may be discovered that it is necessary to shut down an entire system just to re-calibrate or replace a pressure gauge.

Table 5.9 Operational primary keywords

Isolate     Drain
Start-up    Shutdown

Secondary keywords are similar to the HazOp guidewords of Sect. 5.2.1.5 and, when applied in conjunction with a primary keyword, they suggest potential deviations or problems. Although they tend to be a standard set, the following list is taken from Table 5.5 with a review of their meanings in line with industrial processes (Table 5.10).

Table 5.10 Operational secondary keywords (standard HazOp guidewords)

No: The design intent does not occur (e.g. flow/no) or the operational aspect is not achievable (isolate/no).

Less: A quantitative decrease in the design intent occurs (e.g. pressure/less).

More: A quantitative increase in the design intent occurs (e.g. temperature/more).

Reverse: The opposite of the design intent occurs (e.g. flow/reverse).

Also: The design intent is completely fulfilled but, in addition, some other related activity occurs (e.g. flow/also, indicating contamination in a product stream, or level/also meaning material in a tank or vessel that should not be there).

Other: The activity occurs but not in the way intended (e.g. flow/other could indicate a leak or product flowing where it should not, or composition/other might suggest unexpected proportions in a feedstock).

Fluctuation: The design intention is achieved only part of the time (e.g. an airlock in a pipeline might result in flow/fluctuation).

Early: Usually used when studying sequential operations; this would indicate that a step is started at the wrong time or done out of sequence.

Late: Usually used when studying sequential operations; this would indicate that a step is started at the wrong time or done out of sequence.

b) HazOp Study Methodology

In simple terms, the HazOp study process involves systematically applying all relevant keyword combinations to the system in question, in an effort to uncover potential problems. The results are recorded in columnar format under the following headings:

node, attributes/parameters, deviations, causes, consequences, safeguards, action.


Fig 5.21 Example of part of a cooling water system

In considering the information to be recorded in each of these columns, an example of part of the cooling water system depicted in Fig. 3.18 of Sect. 3.2.2.6 dealing with fault-tree analysis is illustrated in the simple schematic below (Fig. 5.21).

HazOp Study for Part of Cooling Water System

Process from–to nodes

X1 → X2

Attributes

Cooling water tank T2 flow, level

Deviation

The keyword combination being applied (e.g. no/flow).

Cause

Potential causes that would result in the deviation occurring (e.g. 'strainer S1 blockage due to impurities in dosing tank T1' might be a cause of flow/no).

Consequence

The consequences that would arise, both from the effect of the deviation (e.g. 'loss of dosing results in incomplete precipitation in T2') and, if appropriate, from the cause itself (e.g. 'cavitation in pump P1, with possible damage if prolonged'). The recording of consequences should be explicit. An important point to note, particularly for hazard and operability modelling (included later in this paragraph), is that when assessing the consequences, credit for protective systems or instruments that are already included in the design should not be considered.


Safeguards

Any existing protective devices that either prevent the cause or safeguard against the adverse consequences must be recorded. For example, the recording 'local pressure gauge in discharge from pump might indicate problem was arising' might be considered. Safeguards need not be restricted to hardware but, where appropriate, credit can be taken for procedural aspects such as the use of a standard work instruction (SWI) and job safety instructions (JSI).

Action

Where a credible cause results in a negative consequence, it must be decided whether some action should be taken. It is at this stage that consequences and associated safeguards are considered. If it is deemed that the protective measures are adequate, then no action need be taken, and words to that effect are recorded in the 'action' column.

Actions fall into two groups:

• Actions that remove the cause.

• Actions that mitigate or eliminate the consequences.

Whereas the former is to be preferred, it is not always possible, especially when dealing with equipment malfunction. However, removing the cause first should always take preference and, only where necessary, the consequences mitigated. For example, to return to the example cause 'strainer S1 blockage due to impurities etc.', the problem might be approached in a number of specific remedial ways:

• Ensure that impurities cannot get into T1, by fitting a strainer in the offloading line. Consider carefully whether a strainer is required in the suction to pump P1. Particulate matter might pass through the pump without causing any damage, and it might be necessary to ensure that no such matter gets into T2. If the strainer can be dispensed with altogether, the cause of the problem might be removed.

• Fit a differential pressure gauge across the strainer, with perhaps a high alarm to give clear indication that a total blockage is imminent.

• Fit a strainer, with a regular schedule of changeover and cleaning of the standby unit.

Having gone through the steps involved in recording a single deviation, the technique can now be inserted in the context of a qualitative hazard and operability computational model. Such a model is quite feasible, as the HazOp study method is an iterative process, applying in a structured and systematic way the relevant keyword (guideword-parameter) combinations in order to identify potential problems. The example serves to highlight several points of caution when formulating actions:

Thus, it is not always advisable to automatically opt for an engineered solution, adding additional instrumentation, alarms, trips, etc. Due regard must be taken of the reliability of such devices, and their potential for spurious operation causing unnecessary downtime. In addition, the increased operational cost in terms of maintenance, regular calibration, etc. should also be considered. It is not unknown for


Posted: 02/07/2014, 10:20
