Handbook of Reliability, Availability, Maintainability and Safety in Engineering Design - Part 67 doc


Fig 5.34 High-integrity protection system (HIPS)

Table 5.15 Component functions for HIPS system

Component | Code | Function | Failure modes | λ and mean repair time | Maint. interval
Main PCV | V1 | Stop high-pressure surge passing through system | Valve fails open: PCV-M | 1.14×10⁻⁵, 36.0 | 4,360
Sub-PCV | V2 | Stop high-pressure surge passing through system | Valve fails open: PCV-S | 1.14×10⁻⁵, 36.0 | 4,360
ESD valve | V3 | Stop high-pressure surge passing through system | Valve fails open: V-ESD | 5.44×10⁻⁶, 36.0 | 4,360
HIPS1 | V4 | Stop high-pressure surge passing through system | Valve fails open: VH1 | 5.44×10⁻⁶, 36.0 | 4,360
HIPS2 | V5 | Stop high-pressure surge passing through system | Valve fails open: VH2 | 5.44×10⁻⁶, 36.0 | 4,360
Solenoid | Sol | Supply power to valves | Fails energised: PCVs M, S, and ESD, and SH1, SH2 | 5.00×10⁻⁶, 36.0 | 4,360
Relay contacts | RC | Supply power to solenoids (2 per solenoid) | Fails closed: R1–R10 | 0.23×10⁻⁶, 36.0 | 4,360
Pressure sensors | Pr S | Indicate the level of pressure to the computer | Fails to record actual pressure: P1–P6 | 1.50×10⁻⁶, 36.0 | 4,360
DCS | DCS | Reads information sent from pressure sensors and acts to close valves | Fails to read or act on information | 1.00×10⁻⁵, 36.0 | 4,360

a high-pressure surge originating from process circulation pumps, to protect equipment located downstream of the process.

5.2 Theoretical Overview of Safety and Risk in Engineering Design 645

The first level of protection is the emergency shutdown (ESD) sub-system. This comprises three pressure sensors (P1, P2, P3), for which two out of three must indicate a high pressure to cause a trip. Two pressure control valves (PCVs), a main PCV, a subsidiary PCV, and an emergency shutdown (ESD) valve (V1, V2, V3) activate to trip.

If a high-pressure surge is detected, the ESD sub-system acts to close the main PCV, the sub-PCV and the ESD valve. To provide an additional level of protection, a second sub-system is included, the high-integrity protection sub-system (HIPS). This sub-system also comprises three pressure sensors (P3, P4, P5), for which two out of three cause a trip, and two isolation valves labelled HIPS1 and HIPS2 (V4, V5). The HIPS works in a manner identical to that of the ESD but has independent pressure sensors. These pressure sensors feed information for each sub-system into a common distributed control system (DCS).

The cause-consequence diagram is constructed following the rules given in Sub-section f) above, including component failure event ordering, cause-consequence structure, reduction, and system failure quantification.

g) Event Ordering and Cause-Consequence Diagram Construction

The ordering is based on the action of components that could perform the task required by the system, i.e. main valve, subsidiary valve, ESD valve, HIPS1 valve and HIPS2 valve. The cause-consequence diagram is constructed by considering the functionality of each valve and their effect on the system. Following the removal of all redundant decision boxes, the minimal cause-consequence structure can be developed as indicated in Fig 5.35. The combination fault trees developed for each decision box are illustrated in Fig 5.36.

Fig 5.35 Cause-consequence diagram for HIPS system (Ridley et al 1996)

Fig 5.36 Combination fault trees for cause-consequence diagram

Following the construction of the cause-consequence diagram, each sequence path is inspected and any common independent sub-trees or basic events are identified. The first sequence path inspected in the HIPS system reveals that a common sub-module is present in ft1, ft2 and ft3, namely the failure of the pressure sensors P1, P2 and P3 respectively.

Extraction of this common sub-module, namely the failure of the pressure sensors P1, P2 and P3, results in a modified cause-consequence diagram depicted in Fig 5.37. The cause-consequence diagram is reduced to a minimal form by removing any redundant decision boxes that have been identified. From the new version of the cause-consequence diagram, all sequence paths are investigated and modified accordingly, using the rules outlined previously in Sub-section f). This procedure is repeated until all sequence paths have been inspected and no repeated sub-trees or basic events discovered.

Fig 5.37 Modified cause-consequence diagram for HIPS system (Ridley et al 1996)

The corresponding combination fault trees developed for the modified cause-consequence diagram for the HIPS system in Fig 5.37—specifically, for ‘valve fails open’ (PCVs, M, S and ESD), as well as for ‘sensors fail’ (HIPS V1 and V2)—are given in Fig 5.38.

The final cause-consequence diagram with corresponding combined fault trees can now be constructed as illustrated in Fig 5.39.

The corresponding combined fault trees shown in Fig 5.40 are now in a form where each path contains independent events in the decision boxes and can be easily quantified.

The probability of a high-pressure surge could now be obtained by summing the probabilities of ending in the consequence PS, which was reached via five mutually exclusive paths.

Therefore

$$\text{Probability (High Pressure)} = \sum_{i=1}^{n} P(\text{Path}_i) \qquad (5.83)$$


Fig 5.38 Combination fault trees for modified cause-consequence diagram

Component failures on safety systems are not corrected during scheduled maintenance. Their failure probabilities are given by

where:

$Q_i$ = probability of the $i$th failure

$\lambda_i$ = $i$th failure rate

$\tau$ = mean time to repair

$\theta$ = maintenance interval
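As an added worked example (not code from the handbook or from Ridley et al. 1996), the following Python evaluates Eq. (5.83) for the HIPS with the Table 5.15 rates, τ and θ. It assumes the dormant-failure unavailability model Q = λ(τ + θ/2), an OR-gate fault tree for each ‘valve fails to close’ decision box, and the five mutually exclusive paths that remain once the DCS and the two 2-out-of-3 sensor groups are extracted as common events; with these assumptions the single-component DCS path dominates the total, as the text states.

```python
"""Eq. (5.83) evaluated over the five mutually exclusive HIPS paths to PS.

Added example, not code from the handbook or from Ridley et al. (1996).
Table 5.15 supplies the failure rates (per hour), tau = 36.0 h and
theta = 4,360 h. Assumed here, not given on this page: the dormant-failure
model Q = lambda * (tau + theta/2); a 'valve fails to close' decision box
as the OR of the valve, its solenoid and its two relay contacts; and the
five paths left after the DCS and the two 2-out-of-3 sensor groups are
extracted as common events, as the text describes for Fig 5.39.
"""
TAU, THETA = 36.0, 4360.0
RATES = {"PCV-M": 1.14e-5, "PCV-S": 1.14e-5, "V-ESD": 5.44e-6,
         "VH1": 5.44e-6, "VH2": 5.44e-6, "Sol": 5.00e-6,
         "RC": 0.23e-6, "PrS": 1.50e-6, "DCS": 1.00e-5}

def unavailability(rate, tau=TAU, theta=THETA):
    """Assumed dormant-failure unavailability Q = lambda * (tau + theta/2)."""
    return rate * (tau + theta / 2.0)

Q = {code: unavailability(rate) for code, rate in RATES.items()}

def any_of(*probs):
    """Exact OR of independent events: 1 - prod(1 - p)."""
    survive = 1.0
    for p in probs:
        survive *= 1.0 - p
    return 1.0 - survive

def two_of_three(p):
    """At least 2 of 3 identical independent sensors fail, so the 2oo3 trip is lost."""
    return 3.0 * p * p * (1.0 - p) + p ** 3

def valve_box(valve):
    """Decision box 'valve fails to close' (assumed fault tree, see module docstring)."""
    return any_of(Q[valve], Q["Sol"], Q["RC"], Q["RC"])

def hips_paths():
    """Probabilities of the five mutually exclusive paths ending in consequence PS."""
    dcs, ok = Q["DCS"], 1.0 - Q["DCS"]
    s_esd = two_of_three(Q["PrS"])   # ESD sensor group fails to trip
    s_hips = two_of_three(Q["PrS"])  # HIPS sensor group fails to trip
    v_esd = valve_box("PCV-M") * valve_box("PCV-S") * valve_box("V-ESD")
    v_hips = valve_box("VH1") * valve_box("VH2")
    return [
        dcs,                                                   # 1: DCS fails (order-1 cut set)
        ok * s_esd * s_hips,                                   # 2: both sensor groups fail
        ok * s_esd * (1.0 - s_hips) * v_hips,                  # 3: ESD sensors + HIPS valves
        ok * (1.0 - s_esd) * v_esd * s_hips,                   # 4: ESD valves + HIPS sensors
        ok * (1.0 - s_esd) * v_esd * (1.0 - s_hips) * v_hips,  # 5: all five valves
    ]

def probability_high_pressure():
    """Eq. (5.83): sum of the mutually exclusive path probabilities."""
    return sum(hips_paths())
```

Because the paths are mutually exclusive the sum is exact, whereas a rare-event sum over minimal cut sets would only approximate it; here the order-1 DCS cut set accounts for more than 99.9% of the result.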

The calculated system unavailability is identical to that produced by the FTA method. This result does reflect well on the cause-consequence diagram method, in comparison to the FTA method, as it emphasises the fact that the example system can fail by a single component, namely the DCS. The remaining minimal cut sets are of order 4 or more and, therefore, have little effect on the overall system unavailability. For a system that contains a large number of small order minimal cut sets, it can be seen that the cause-consequence diagram method would yield a more accurate result than that obtained from FTA.

Fig 5.39 Final cause-consequence diagram for HIPS system (Ridley et al 1996)

The developed algorithm will produce the correct cause-consequence diagram and calculate the exact system failure probability for static systems with binary success or failure responses to the trigger event. This is achieved without having to construct the fault tree of the system, and retains the documented failure logic of the system (Ridley et al 1996).

The cause-consequence diagram is reduced to a minimal form by, first, removing any redundant decision boxes and, second, manipulating any common failure events that exist on the same path. The common failure events can be extracted as common sub-modules or individual events. This process is equivalent to constructing the fault tree, and identifying and extracting independent sub-modules. Thus, exact, rather than approximate, calculations are performed.

Fig 5.40 Combination fault trees for the final cause-consequence diagram (Ridley et al 1996)

5.2.4.3 Failure Modes and Safety Effects Evaluation

Failure modes and effects criticality analysis (FMECA) is a design discipline where an engineer examines and records the consequences of any (usually only single point) failure on the operation of a system. The purpose of the analysis is to highlight any significant problems with a design and, if possible, to change the design to avoid those problems (Price 1996). In contrast, failure modes and safety effects (FMSE) evaluation is a detail design discipline that examines and records the safety consequences of a system through safety criticality analysis.

a) Safety Criticality Analysis

In complex engineering designs, the determination of safety criticality is essentially an expansion of risk analysis in which focus is placed upon the importance of safety-critical equipment early in the engineering design stage. Any significant effect on the operational performance of critical equipment as a result of changes in designing for safety will inevitably have an impact on the performance of the total process. In effect, risk-based safety criticality analysis quantifies these impacts on the total process performance, whereby preventive maintenance tasks are scheduled according to required frequencies. Essential preventive maintenance intervals are set by equipment age analysis in which the rate of deterioration and resulting potential failure ages are determined through the statistical method of residual life evaluation. Safety criticality in process engineering is complex, and basically depends upon the reliability of equipment subject to a variety of failure risks. This complexity is due to the interaction between the various risks of failure. These risks are defined as the result of multiplying the consequence of failure by the probability of its occurrence.

Consequence of failure. The main concern for equipment failure, particularly equipment functional failure, is its consequence. Consequences of functional failures may range from the cost of replacement of a failed component, to the consequential damage of equipment, and possibly to a safety hazard through loss of life or limb. The more complex equipment designs are, with regard to constituent components and their configuration, the more ways there are in which various functional failures can possibly occur.

Some typical process engineering consequences of functional failure are abnormal pressures, excessive vibration, overheating, cracking, rupturing, warping, etc.

As many functional failures can be defined as there are different types of component functions. However, a point of interest that becomes evident after scrutinising these consequences of failure is that there are two types of consequences that can be defined, specifically operational consequences of failure and physical consequences of failure.

It is obvious that the consequences of functional failures such as abnormal temperature, abnormal pressure, excessive vibration, overheating, etc. are consequences affecting the operational function or working performance of the equipment or system. Similarly, the consequences of functional failures such as cracking, rupturing, warping, etc. are consequences affecting the physical function or material design of the equipment or system. Thus, at each level of a systems hierarchy, or systems breakdown structure (SBS), an item at a specific level may have functional failures of its operational or physical functions that may have consequences of functional failure affecting the operational or physical functions of a higher level of the systems hierarchy. These consequences of functional failure are then also recognised to be either operational consequences or physical consequences. Thus, the more complex equipment designs become, the more ways there are in which functional failure can occur. As a result, equipment operational and physical consequences of functional failure can be grouped into five significant categories:

• Safety operational and physical consequences.

• Economic operational and physical consequences.

• Environmental operational and physical consequences.

• Systems operational and physical consequences.

• Maintenance operational and physical consequences.

Safety operational and physical consequences. Safety operational and physical consequences of functional failure are alternately termed critical functional failure consequences. In general, if the consequences of functional failure are critical, then the functional failures resulting from the inability to carry out the operational or physical functions are defined as critical failures. Safety consequences of functional failure in certain operational or physical functions are always critical. In evaluating functional failure, the first consideration is safety.

Functional failures that fall into this category are classed as critical. These functional failures affect either the operational or physical functions of equipment that could have a direct effect on safety. The term ‘direct’ implies certain limitations. The impact of the functional failure must be immediate if it is considered to be direct.

Safety of equipment in this context implies certain specific definitions, where:

Safety is defined as “not involving risk”.

Risk is defined as “the chance of disaster or loss”.

It can be interpreted from these definitions that the concept of safety as not involving risk in the form of disaster has to do with personal protection against injury or the loss of ‘life or limb’, and safety not involving risk in the form of loss of property has to do with equipment protection against ‘consequential damage’. Safety can thus be classified into two categories, one relating to personal protection, the other relating to equipment protection. Risk can be quantified as the product of the probability of occurrence (chance), with the level of severity of the risk (disaster or loss). Risk is an indication of the degree of safety. Thus:

Risk = Severity × Probability

The measure of probability can be quantified in the form of statistical probability distributions or measures of statistical likelihood. Severity relates to the disaster or loss incurred. The measure of severity can thus be quantified based on two aspects—accidents and incidents, according to the two categories of safety (i.e. personal protection and equipment protection). In this regard, an accident is an undesired event that results in disastrous physical harm to a person. An incident is an undesired event that could result in a loss. In the context of safety, this loss is in the form of an asset loss, which implies consequential damage to equipment or property. Assessment of severity related to risk, or the severity of risk, would therefore be an estimate of the disaster or loss that can occur, whereas an evaluation of the severity related to risk would be an account of the actual disaster or loss that has occurred.

The estimated severity of risk is a vital tool in the evaluation of designing for safety, and is assessed on the basis of the estimated measure of severity, which is quantified in terms of two aspects, namely accidents and incidents, according to which an estimation of the possible occurrences of accidents or incidents needs to be made. This is known as the estimated degree of safety (accidents or incidents).

The estimated degree of safety—accidents: This is assessed according to the contribution of the estimated physical condition of the equipment to its safety, the estimated disabling injury frequency, as well as the estimated reportable accident frequency, arising from functional failure predictions of the equipment resulting in disastrous safety consequence of failure.

However, not every critical functional failure results in an accident. Some such failures may have occurred with no disastrous safety consequences but, rather, with a loss in the form of an asset loss, which implies consequential damage to equipment or property. The severity of risk in this case is assessed on the basis of the measure of severity quantified in incidents, where an estimation of the possible occurrences of incidents is made. This is known as the estimated degree of safety (incidents).

The estimated degree of safety—incidents: This is assessed according to the contribution of the estimated physical condition of the equipment to its safety, the estimated downtime frequency, as well as the estimated reportable incident frequency, arising from functional failure predictions of the equipment resulting in an asset loss consequence of failure.

Aside from an assessment of severity related to risk, or the severity of risk being an assessment of the disaster or loss that can occur, the issue in designing for safety is not whether the estimated degree of safety is based on accidents or incidents being inevitable but, rather, whether they are probable—hence, the measure of probability in assessing risk.

Safety operational and physical consequences should always be assessed at the most conservative level and, in the absence of proof that a functional failure can affect safety, it is precautionary to nevertheless classify it by default as critical.

In contrast, the actual severity of risk is a vital tool in the verification of designing for safety, where the statistics of safety operational and physical consequences of functional failure, as well as of the causes of critical functional failures, are essential for validating the safety criticality analysis applied during the detail design phase. The actual severity of risk is evaluated on the basis of the actual measure of severity that is quantified in the two aspects of accidents and incidents, according to which an analysis of the actual occurrences of accidents or incidents needs to be made. This is known as the actual degree of safety (accidents or incidents).

The actual degree of safety—accidents: This is evaluated according to the contribution of the actual physical condition of the equipment to its safety, the actual disabling injury frequency, as well as the actual reportable accident frequency, arising from the functional failure history of the equipment resulting in disastrous safety consequence of failure. Similarly, actual severity is evaluated on the basis of the measure of severity quantified in incidents, where a determination of the actual occurrences of incidents needs to be made. This is known as the actual degree of safety (incidents).

Date posted: 02/07/2014, 10:20
