Acceptable Risk Criteria

Risk

Risk is commonly defined as the product of likelihood (the frequency with which an event happens) and the undesired consequence.

In mathematical language:

Risk = Frequency × Undesired consequences

Acceptable risk criteria

People active in the process safety business are familiar with the risk triangle and the borders separating the intolerable region, the tolerable region and the broadly acceptable region (picture below):

Figure 1: Risk triangle/categories

This picture shows our effort to minimize risk and, more importantly, that we can’t eliminate risk completely. Human activities carry risk; what we need is to draw a line (border) marking where the risk becomes acceptable.

One might think that the tolerable risk border should be set no higher than the risk of normal daily life activities.

This means that we would try to design a plant that is as safe as daily activities. It is very difficult, if not impossible, to design a plant with a risk as low as that of daily life activities.

If we set the acceptable risk level very low, it will be difficult to reach it and, moreover, to fulfil the required safety aspects of the design. However, as engineers, it is our moral and legal obligation to design a safe plant that protects people, the environment and assets.

Are you aware of how the values of these borders are defined?

Fatality Rates

A good start for defining the borders is to find out what the risks of day-to-day activities are.

There are a number of sources, such as Frank P. Lees, Loss Prevention in the Process Industries, that provide such a list.

We can divide the activities into two categories: voluntary and involuntary. Examples of voluntary activities are staying at home, traveling by car, bicycle, airplane or train, or a sports activity such as climbing.

Examples of involuntary activities are being struck by lightning or run over by a vehicle.

The tables below give general fatality rates per activity. Of course these numbers might differ slightly from source to source, depending on the geographical area and the data that was gathered. Such a table should be used to get the order of magnitude of fatality rates.

Voluntary activity           Fatality rate (deaths per person per year)
Staying at home              2.63E-04
Electrocution                1.20E-05
Traveling by:
  Car                        2.0E-04
  Bicycle                    8.4E-03
  Air                        2.1E-06
  Motorcycle                 2.0E-02
Canoeing                     8.76E-02
Rock climbing                4.0E-05
Smoking                      5.0E-03
Table 1: Voluntary activity risk

Involuntary activity         Fatality rate (deaths per person per year)
Earthquake, California       2.0E-06
Struck by lightning          1.0E-07
Influenza                    2.0E-04
Cancer                       2.5E-04
Drowning                     1.0E-05
Run over by vehicle          6.0E-05
Natural disasters (general)  2.0E-06
All accidents                5.0E-04
Table 2: Involuntary activity risk

Normally selected acceptable risk level

In general, the lower limit of the intolerable risk per year is taken as 1E-4 for the public and 1E-3 for workers. The lower limit of the tolerable region is taken as 1E-6. These limits are shown in figure 1 above.

A risk equal to or greater than 1E-4 is intolerable (Risk ≥ 1E-4).

A risk higher than 1E-6 and less than 1E-4 is considered tolerable (1E-6 < Risk < 1E-4).

A risk less than 1E-6 falls in the broadly acceptable region. As you can see, the limit of acceptable (broadly acceptable) risk is similar to the fatality rate from natural disasters (general); one might also say that it is 1/100 of the fatality rate of staying at home.

A risk in the tolerable region must be reduced further, provided that the cost is reasonably low compared to the risk reduction achieved (ALARP).

Suggestion for people involved in risk assessment

As someone active in risk assessment, one needs to assess the risk without barriers and compare it to the acceptable risk level. This is done via hazard analysis methods such as LOPA. For information on LOPA see here.

It is then always a good idea to discuss with the client and define the limits for unacceptable and acceptable risk. After that, any kind of risk assessment study can be carried out.

Contact us

For more information, help on identifying applicable standard in your project or even a tailor made training for you or your organization please don’t hesitate to contact us!

Standards and lessons learned from incidents

Standards can be considered the collective experience and knowledge of human beings on how to do a certain work or make a piece of equipment. In fact, the International Organization for Standardization (ISO) defines a standard as:

Think of them as a formula that describes the best way of doing something.

It could be about making a product, managing a process, delivering a service or supplying materials – standards cover a huge range of activities.

Standards are the distilled wisdom of people with expertise in their subject matter and who know the needs of the organizations they represent – people such as manufacturers, sellers, buyers, customers, trade associations, users or regulators. (International Organization for Standardization (ISO))

In my last project, for a relatively young organization, I prepared a list of standards that, based on experience, are relevant to process and process safety. Part of my list was to explain the different levels of standards and which one has priority over the others (standards hierarchy).

Standards hierarchy

The following is a list of the standards and guidelines available to any engineer, in descending order of priority:

  • Local codes (highest level)
    Think of the municipality or county in which your organization is located and which has specific requirements.
  • Regional/provincial codes
    Think of a region or province/state in a country that has its own legislative or enforcement organization and imposes specific requirements.
  • National standards
    Think of each country’s standards organizations, or of a code/instruction that is required by national laws passed by the parliament of that country.
  • Company standards
    Most of the time, operating or engineering companies have standards and guidelines based on their cumulative experience, and these might be even more stringent than the other levels; a good example is Shell’s DEPs.
  • International/industry organizations
    Many non-governmental organizations or associations gather their knowledge into guides. One of the best-known examples is the American Petroleum Institute (API).
  • Best practices (lowest level)
    A best practice is a set of rules, recommendations or techniques that is generally accepted as superior to the alternatives, e.g. the size of a tank’s drain connection (minimum 2 inch).

As a person involved in a project, one has to get familiar with the standards used in her/his field of expertise. Of course, talking to your client or to the authorities that will review and approve your work is helpful.

Lessons learned from incidents

Many standards and guidelines are, naturally, lessons that we as human beings have learned from incidents or from trial and error.

The following is a list of topics (accidents) and the lessons learned from them. Consider them for your operating plant or your design and check whether they have been considered and well thought through:

  1. Safe siting of occupied portable buildings. This is based on the BP Texas City isomerization unit explosion in the USA on March 23, 2005. During this incident, contractors working inside portable buildings located next to the isomerization unit lost their lives.
  2. ESD valves on production platform risers. This is based on the Piper Alpha platform incident in the North Sea, UK, on July 6, 1988. During this incident there was no possibility to shut off the flow of flammables to the platform, which was already on fire.
    For onshore installations, think of means to safely isolate process units from each other in case of an emergency.
  3. Temporary refuges. This is another point based on the Piper Alpha platform incident in the North Sea, UK, on July 6, 1988. Although this incident mainly applies to offshore installations, on an onshore installation the design also needs to be checked for incidents like explosion, fire or gas release in relation to the location of buildings, and specifically of control rooms. With this check, there is assurance that in case of need a process can be safely brought to a stop and a safe state.
  4. Permit to work. The investigations of at least the following incidents concluded that a permit-to-work and permit-to-work verification process was not followed, which led to a hazardous situation and an incident:
    • Piper Alpha Platform, UK, North Sea, July 6, 1988
    • Motiva Enterprises LLC, Delaware, USA, July 17, 2001
    • Shell Port Edouard Herriot Depot, Lyon, France, June 2, 1987
    • BP Grangemouth Flare Line Fire, Scotland, UK, March 13, 1987
  5. Management of change is a direct lesson learned from numerous incidents. To name a few:
    • Flixborough, UK, June 1, 1974.
    • Chernobyl, USSR, April 26, 1986.
    • Bhopal, India, December 3, 1984.

During these incidents, a change was made to the process that either was not reviewed by a team to make sure that the new situation was safe and operable (Flixborough) or was not communicated to other personnel (Bhopal).

Therefore make sure that changes in your project or plant are communicated effectively and are reviewed for hazards with a hazard identification tool such as HAZOP, to make sure that the remaining risk is acceptable.

  6. Avoiding liquid release/relief to atmosphere. This is based on the BP Texas City isomerization unit explosion in the USA on March 23, 2005. During this incident, flammable material was released via a high-point vent, caught fire and exploded.
  7. Avoiding tank overfill that might be followed by a vapor cloud explosion (VCE). This is based on the Buncefield storage terminal explosion, UK, December 11, 2005. For a tankage area, it is not only important to provide means of containing releases of liquid to atmosphere, but also means to avoid them or to mitigate the consequences of a release, for example adequate firefighting means and a drainage system.
  8. Avoiding brittle fracture of metallic materials. This is based on the Esso Longford Gas Plant explosion, Australia, September 25, 1998. This point aims to identify the minimum achievable temperature in a process and make sure that the design temperature covers it.
  9. Alarm management has been identified as a contributing cause in many accidents, even in air crashes. At least the following examples illustrate this point:
    • Three Mile Island Nuclear Reactor Core Meltdown, Pennsylvania, March 28, 1979.
    • Esso Longford Gas Plant Explosion, Australia, September 25, 1998.

Review the alarms in your design and plant and make sure that the operator has an adequate set of warnings for excursions of process parameters beyond the safe limits, and that there is enough process safety time (PST) available. See our previous article on process safety time (PST).

  10. Avoiding toxic material release (e.g. ammonia, H2S). This is based on many incidents, such as:
    • Anhydrous ammonia release at the Millard Refrigerated Services plant in Theodore, Alabama, on August 23, 2010.
    • Chuandongbei gas well blow-out, Gao Qiao, China, December 23, 2003.

This point aims to manage the risk of harm to people and the environment from exposure to hazardous material.

  11. Avoiding reactive material mixing (e.g. water entering a storage tank). This is based on incidents like Bhopal, India, December 3, 1984.

During this incident, 500 kg of water entered the methyl isocyanate (MIC) storage tank, which caused a runaway reaction.

Make sure that the MSDS of materials stored in or produced by your facility are read and understood by everyone, and that there is no risk of reactive material mixing. Make sure that firefighters are aware of the means to put out a fire if an emergency arises. Water is not always a good means of putting out a fire.

Way forward

It is very important to identify and agree with your client which standards are applicable. Try to follow and understand the codes, and if an explanation is required, contact your client or the organization responsible for that code/standard.

It is always a good idea to issue a document in which every discipline in a project indicates which standards will be used during the project, and to agree on it with your client.

Process Safety Time (PST) Part 8 / PST Calculation Reporting

IEC 61511 is the standard that sets the requirements for Safety Instrumented Systems (SIS). As part of this standard, a safety instrumented function (SIF) is required to act within an adequate response time to bring the process or a system to a safe state. This is called the response time of a SIF, and the time available to act before anything dangerous happens is called the process safety time (PST). (See part 1, part 2, part 3, part 4, part 5, part 6 and part 7 for more information.)

PST calculation and definition is a mandatory requirement for all the instrumented functions to which IEC 61511 is applicable.

In the previous parts (see parts 1, 2, 3, 4, 5, 6 and 7), I tried to define PST and the calculation methodology, how to assess and explain the results, and a sample calculation, as well as notes and thoughts on a terms of reference.

PST calculation report contents
This part suggests the contents of a typical PST calculation report.
At this stage, we have gathered lots of information and data and have calculated the PST(s) for the different SIFs in the project. When reporting your findings, try to cover the following subjects as a minimum:

  • Present a summary of the SIFs with the relevant PST you calculated.
  • If possible, indicate in the same table which method you used: qualitative, quantitative simplified or quantitative dynamic analysis (see part 3).
  • A simplified sketch of the system and of the SIF that is protecting it. You need to provide one sketch per SIF.
  • Define your terms and abbreviations for SIF response time, safe design limits, etc.
  • Clearly write down your assumptions and give a reference to the document from which you took the data.
  • Write down in detail how you calculated the PST, including formulas and input data. It is worth noting that using Excel makes this easier if the PST calculation is done by hand and not with a simulation program. For the result of a simulation program, print the report out, highlight the relevant sections and attach it.
  • Capture the SIF response time and SIF PST in a table; this makes it easier for the reader to see at a glance and draw a conclusion.
  • Write a conclusion stating whether, based on the criteria agreed with your client, the calculated PST is acceptable or not.
  • Attach all documents that you used as references to your report and list them. If you are attaching a PDF file, it is a great help to the reader to highlight where the data was taken from.
  • Of course your report might go through several revisions; make sure that you indicate the differences between two consecutive revisions.
  • An important point is to make sure that your report and calculation are checked internally inside your organization or by others before you discuss them with your client.

Process Safety Time (PST) part 7 / PST Terms Of Reference (TOR)

IEC 61511 is the standard that sets the requirements for Safety Instrumented Systems (SIS). As part of this standard, a safety instrumented function (SIF) is required to act within an adequate response time to bring the process or a system to a safe state. This is called the response time of a SIF, and the time available to act before anything dangerous happens is called the process safety time (PST). (See part 1, part 2, part 3, part 4, part 5, part 6 and part 8 for more information.)

PST calculation and definition is a mandatory requirement for all the instrumented functions to which IEC 61511 is applicable.

In the previous parts (see parts 1, 2, 3, 4, 5 and 6), I tried to define PST and the calculation methodology, how to assess and explain the results, and a sample calculation.

PST calculation terms of reference (TOR)

This part suggests the contents of a typical PST calculation terms of reference (TOR), to help set up the way forward for a process safety calculation.

In a typical TOR, one shall define the roles and responsibilities of the PST calculation team members, what is expected as the final result, the calculation method, how to capture recommendations, and possible follow-up actions or extra steps/calculations still to do.

The PST calculation terms of reference is important as it defines and makes clear how a specific PST is calculated, hence minimizing the need for extra meetings and discussions after the work is finished.

Try to cover the following subjects as a minimum:

  • What the scope of work is.
  • Roles and responsibilities.
  • How and where to gather data.
  • PST calculation method for the different SIFs.
  • Criteria for comparing PST and SIF response time (SIFRT).
  • How the calculation will be checked and assessed.
  • Reporting of results, if a separate report is required.
  • How to capture recommendations and the actions list.
  • Deadlines and calculation schedule.

Scope of work
It is very important to identify and agree which SIFs need a PST calculation. Could you use the PST of similar SIFs in another of the client’s assets? Which calculations might you delegate to the vendor?

Roles and responsibilities
Clearly identify who does what and the deadlines. In this way, you make sure that your target date can also be met.
An important point is to make sure that your report or calculation is checked internally inside your organization or by others before you discuss it with your client.

Approval of PST calculation TOR
Before starting your calculation and after the PST TOR is drafted, it is wise to have a meeting with your client and agree on the PST calculation TOR. Then everything is set for starting the real work and calculation!

Process Safety Time (PST) part 6 / A worked out example

IEC 61511 is the standard that sets the requirements for Safety Instrumented Systems (SIS). As part of this standard, a safety instrumented function (SIF) is required to act within an adequate response time to bring the process or a system to a safe state. This is called the response time of a SIF, and the time available to act before anything dangerous happens is called the process safety time (PST). (See part 1, part 2, part 3, part 4, part 5, part 7 and part 8 for more information.)

PST calculation and definition is a mandatory requirement for all the instrumented functions to which IEC 61511 is applicable.

This part contains a sample calculation, showing a simple calculation with its assumptions, available data and calculation procedure.

Definition of the SIF loop
In the previous parts (see parts 1, 2, 3, 4 and 5), I tried to define PST and the calculation methodology and, at the end, how to assess and explain the results.
In this part, I will try to define and explain a sample calculation.

Consider a temperature switch after a gas heater and after a knock-out drum, as shown in the figure below, that is providing gas to the final consumer. This temperature switch protects the piping downstream of heater #2 and stops the flow to the final user (e.g. a compressor seal system).

Figure 1: LTSD downstream of heater #2 protects downstream users from condensation

One of the causes of low temperature is failure of heater #2. In this case the gas may condense in the piping downstream of the heater and may damage the end user (e.g. compressor seals), leading to loss of containment and gas flow to the environment, with risk of fire and explosion.

In other words, the intention of the LTSD after heater #2 is to prevent the temperature from reaching the gas dew point after the knockout vessel/heater #2.

Assumptions and known data

The following assumptions and data are valid for the system described/shown in Figure 1:

  1. The minimum gas temperature before heater #2 is assumed to be 40 °C. The minimum backup gas temperature before the PDCV is 3 °C (trip setting of LTSD-1).
  2. The maximum flow through the PDCV is 417.8 kg/h, equal to 7.286 m3/h, based on the heat and mass balance.
  3. The outlet pressure of the PDCV is 75 barg.
  4. Using simulation software, one can calculate the gas physical properties at 75 barg and 50 °C; the molecular weight of the gas is 18.25 kg/kmole.
  5. Gas molecular weight is 18.25 kg/kmole, gas Cp/Cv = 1.49 and Cp = 2441 J/kg K.
  6. Gas dynamic viscosity is 0.000014 kg/m.s (N.s/m2). Gas density is 57.4 kg/m3. Gas thermal conductivity is 0.042 W/m K.
  7. The temperature sensing element is a thermowell that measures the fluid (gas) temperature.
  8. The pipe wall temperature and thermowell temperature are at equilibrium.
  9. The pipe wall and fluid form an adiabatic system with no heat transfer to the surroundings.
  10. Complete, instantaneous failure of the upstream heater #2 is allowed for.
  11. The gas will lose a negligible amount of energy and will not change temperature in traversing the pipe segment.
  12. Fouling has no effect on heat transfer.
  13. Conduction within the pipe wall is instantaneous; therefore the pipe will be at a uniform temperature.
  14. Calculation of a simplistic process safety time well above the expected system response time is sufficient.
  15. The gas dew point is taken as the design temperature to prevent condensation in the downstream system. The dew point of the gas after heater #2 is assumed to be 40 °C (worst case).
  16. There is also a backup gas to the system. The dew point of the backup gas is assumed to be -10 °C (worst case).
  17. LTSD-2 has a trip set point of +50 °C.
  18. The outlet of heater #2 is traced; however, no credit has been taken for the electrical heat tracing of the line downstream of heater #2.
  19. The downstream pipe is initially at the trip temperature.
  20. The downstream pipe (designated by D in the formulas) is 1″ stainless steel, Schedule 40S, and the piping length between the gas heater and the user is assumed to be 3 m.
  21. Pipe thermal conductivity (Kn) is taken from engineeringtoolbox.com and is 14.4 W/m K.
  22. The initial pipe wall temperature is 50 °C.
  23. Using the gas volumetric flow and pipe diameter, the gas velocity v is 3.63 m/s. This velocity will be used in the Re number calculation.
  24. The cold gas scenario PST is more severe than the cold backup gas PST, as the trip set point has the lowest margin for the cold gas scenario. Only the cold gas scenario after heater #2 is calculated.
  25. The heat transfer coefficient for forced convection of gases is typically in the region of 10 – 1000 W/m².K. Later on we need this range to see whether our calculated h is within it.
  26. Stopping the end user takes 10 seconds (e.g. closing a valve or stopping a motor).
  27. A thermowell/temperature transmitter will detect a temperature within 1 second.
  28. The logic solver (ESD system) is assumed to react within 0.3 seconds.

Calculation
The intention of the calculation is to calculate the heat loss required to reach the gas dew point (40 °C).
For this calculation we can use the simple heat transfer formula: q = m × Cp × dT.

Heat loss required to reach fuel gas dew point (40 °C)
The pipe is 1 inch, schedule 40S and 3 m long. It has a nominal diameter of 0.03 m, with a weight of 2.54 kg/m (pipe data from arvindpipe.com).
Pipe mass is then 3 m × 2.54 kg/m = 7.6 kg.
Cp of stainless steel (data from www.engineeringtoolbox.com) is 0.49 kJ/kg.K.
Starting temperature T1 = 50 °C and trip set point is 40 °C.
The heat loss required to reach 40 °C will then be -37 kJ (= 7.6 kg × 0.49 kJ/kg.K × (50-40) K).

Heat transfer coefficient hci
For this part of the calculation, we must calculate the heat transfer coefficient inside the pipe due to forced convection.
Heat transfer between the gas and the steel body is determined by the Dittus-Boelter equation:

The Dittus-Boelter correlation is valid for turbulent flow where Re > 10,000 and 0.6 < Pr < 160.
The Reynolds number is calculated as follows:

The Prandtl number is calculated as follows:

Where:
ν is the momentum diffusivity
α is the thermal diffusivity
μ is the viscosity
kg is the thermal conductivity
ρ is the gas density at P and T
v is the gas velocity through the pipe
D is the pipe diameter
Cp is the gas specific heat capacity

Using the information in the assumptions section above:
Re = 385,242 and Pr = 0.84. Then the Nu number will be 631.9 and hence hci = 989.1 W/m².K.
This value is within the range of expected convective heat transfer coefficients (assumption 25).

Heat transfer from pipe to gas
Now that the forced convection heat transfer coefficient is calculated, we need to calculate how much heat is taken away by the gas flow.
The initial pipe wall temperature is 50 °C. The gas flows at a temperature of 40 °C.

The overall heat transfer coefficient comprises two parts: forced convection heat transfer (hci) inside the pipe and pipe wall conduction (Sn/Kn).

Using the formula:

U is then 803 W/m2 K.

The heat taken away by the flowing gas can be calculated with the general heat transfer formula:

The pipe diameter is 0.03 m with a length of 3 m, then:
A (heat transfer area) = 3.14 × D × L = (3.14 × 3 × 0.03) = 0.3 m2
From the assumptions section: t1 = 40 °C and t2 = 50 °C
Then the heat carried away by the gas flow equals:
803 W/m2 K × 0.3 m2 × (-10) °C = -2409 W = -2409 J/s = -2.4 kJ/s

Time to cool down the piping

We have calculated the heat that must be taken away from the pipe to reach 40 °C, as well as the heat that the gas takes away while flowing in the 1” pipe.
If we divide these two values, the time it takes to cool down the piping after heater #2 from 50 °C to 40 °C is calculated.

Process Safety Time (PST) = (-37 kJ) / (-2.4 kJ/s) = 18.5 seconds = 0.3 minutes

SIF response time
Using the assumptions for the SIF components, the SIF response time is:
Thermowell response time + logic solver response time + final element response time, equal to:
1 + 0.3 + 10 = 11.4 seconds

Comparison of SIF response time with PST
The SIF response time is 11.4 seconds and the calculated PST is 18.5 seconds. This means the SIF will react fast enough to bring the process to a safe state.
This is (11.4/18.5 = 0.6) or 60% of the available PST, which is another check to see whether the calculated PST is acceptable (refer to part 4).

Conclusion
The response time is less than the PST and hence the SIF can act in time to prevent reaching the lower (dangerous) temperature downstream of heater #2.
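As an added example (not the post’s own spreadsheet), the calculation chain above in Python: Re and Pr from the gas data, the Dittus-Boelter Nu, hci, the overall U, the heat stored in the pipe wall and the rate at which the gas removes it, followed by the part 4 comparison against the SIF response time including the 50 to 70 % good-practice margin. The 3.38 mm wall thickness for 1″ Schedule 40S and the Dittus-Boelter exponent 0.4 (fluid heated by the wall) are assumptions the post does not state; full precision is carried through every step, so compare each intermediate value with the post’s rounded figures stage by stage.

```python
"""Lumped-capacitance PST estimate for the LTSD loop downstream of heater #2,
followed by the SIF response-time checks of part 4.

Added example, not the post's spreadsheet. Inputs are the post's assumptions;
the 1" Schedule 40S wall thickness (3.38 mm) is an assumed value the post does
not list. Full precision is carried through, so compare each intermediate
value against the post's rounded figures stage by stage.
"""
import math
from dataclasses import dataclass


@dataclass
class Gas:
    rho: float       # density, kg/m3
    mu: float        # dynamic viscosity, kg/(m.s)
    cp: float        # specific heat, J/(kg.K)
    k: float         # thermal conductivity, W/(m.K)
    velocity: float  # velocity through the pipe, m/s


@dataclass
class Pipe:
    diameter: float        # diameter used for Re and heat transfer area, m
    length: float          # m
    mass_per_m: float      # kg/m
    cp: float              # wall specific heat, J/(kg.K)
    k_wall: float          # wall thermal conductivity Kn, W/(m.K)
    wall_thickness: float  # Sn, m (assumed: 3.38 mm for 1" Sch 40S)


def reynolds(gas: Gas, pipe: Pipe) -> float:
    return gas.rho * gas.velocity * pipe.diameter / gas.mu


def prandtl(gas: Gas) -> float:
    return gas.mu * gas.cp / gas.k


def dittus_boelter(re: float, pr: float, fluid_heated: bool = True) -> float:
    """Nu = 0.023 Re^0.8 Pr^n; n = 0.4 when the fluid is heated by the wall
    (the cold gas picks up heat from the 50 degC wall here), 0.3 when cooled.
    Refuses to run outside the stated validity range (Re > 10,000, 0.6 < Pr < 160)."""
    if re <= 10_000 or not 0.6 < pr < 160:
        raise ValueError(f"Dittus-Boelter not valid for Re={re:.0f}, Pr={pr:.2f}")
    return 0.023 * re ** 0.8 * pr ** (0.4 if fluid_heated else 0.3)


def overall_u(h_inner: float, pipe: Pipe) -> float:
    # 1/U = 1/hci + Sn/Kn: convection inside the pipe in series with wall conduction
    return 1.0 / (1.0 / h_inner + pipe.wall_thickness / pipe.k_wall)


def process_safety_time(gas: Gas, pipe: Pipe, t_wall: float, t_trip: float) -> dict:
    """Time for the pipe wall to cool from t_wall to t_trip while gas at t_trip
    flows through it: heat stored in the wall / rate at which the gas removes it."""
    re, pr = reynolds(gas, pipe), prandtl(gas)
    nu = dittus_boelter(re, pr)
    hci = nu * gas.k / pipe.diameter
    u = overall_u(hci, pipe)
    area = math.pi * pipe.diameter * pipe.length
    dt = t_wall - t_trip
    q_removed_w = u * area * dt                                   # W taken away by the gas
    heat_stored_j = pipe.mass_per_m * pipe.length * pipe.cp * dt  # J to reach t_trip
    return {"re": re, "pr": pr, "nu": nu, "hci": hci, "u": u,
            "heat_kj": heat_stored_j / 1e3, "q_kw": q_removed_w / 1e3,
            "pst_s": heat_stored_j / q_removed_w}


def sif_check(pst_s: float, component_times_s: list, new_sif: bool = True) -> dict:
    """Part 4 comparison: response time is the sum of sensor, logic solver and
    final element times; new SIFs are held to the 50-70 % of PST good practice."""
    rt = sum(component_times_s)
    ratio = rt / pst_s
    if rt > pst_s:
        verdict = "not acceptable: revisit study, change design or add protection layer"
    elif math.isclose(rt, pst_s):
        verdict = "marginal: agree acceptability with client or certifying body"
    elif new_sif and ratio > 0.7:
        verdict = "acceptable but margin below good practice (50-70 % of PST)"
    else:
        verdict = "acceptable"
    return {"response_time_s": rt, "ratio": ratio, "verdict": verdict}


# Inputs from the post's assumptions (gas at 75 barg / 50 degC, 1" Sch 40S pipe).
FUEL_GAS = Gas(rho=57.4, mu=0.000014, cp=2441.0, k=0.042, velocity=3.63)
PIPE_1IN = Pipe(diameter=0.03, length=3.0, mass_per_m=2.54, cp=490.0,
                k_wall=14.4, wall_thickness=0.00338)
SIF_TIMES_S = [1.0, 0.3, 10.0]  # thermowell/transmitter, logic solver, final element


def run_example() -> dict:
    result = process_safety_time(FUEL_GAS, PIPE_1IN, t_wall=50.0, t_trip=40.0)
    result.update(sif_check(result["pst_s"], SIF_TIMES_S))
    return result


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key:>16}: {value:.3f}" if isinstance(value, float) else f"{key:>16}: {value}")
```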

Process Safety Time (PST) part 5 / calculation methodology

IEC 61511 is the standard that sets the requirements for Safety Instrumented Systems (SIS). As part of this standard, a safety instrumented function (SIF) is required to act within an adequate response time to bring the process or a system to a safe state. This is called the response time of a SIF, and the time available to act before anything dangerous happens is called the process safety time (PST). (See part 1, part 2, part 3, part 4, part 6, part 7 and part 8 for more information.)

PST calculation and definition is a mandatory requirement for all the instrumented functions to which IEC 61511 is applicable.
This part contains notes on gathering data and on the calculation procedure for a PST calculation.

Calculation procedures

In the previous parts (see part 1, part 2, part 3 and part 4), I tried to define PST and the calculation methodology and, at the end, how to assess and explain the results.
In this part, I will try to summarize how to make a calculation procedure for yourself or your company.

It is very important that you make a uniform calculation procedure/calculation sheet for yourself or your company. My advice is to make an Excel calculation sheet for the PST calculations that are straightforward and can be made using simple heat and mass balance equations.

For the other calculations that need dynamic simulation, an agreement with the client or authority that will review and finally approve these calculations is a better option.

When making your calculation in an Excel sheet, one must take care that the following points are taken into account:

1. Set a clear approach on the calculation.
2. Establish and define the safe design limit.
3. Define key variables in a PST scenario calculation.
4. Suggest possible opportunities for refining the PST estimate.

Define key variables

It is very important, before starting any PST calculation, to prepare a heat and mass balance. This heat and mass balance will be used to get physical data like operating conditions, physical properties and flowrates.

If the flowrate or heat flow is estimated, it is very important to write down every basis, assumption and source of data used in the flow or heat flow estimation. This way your PST calculation is clear and easier to check.

A very important point to remember: when a PST calculation is being carried out for an existing plant, the heat and mass balance document shall be checked against actual data from the plant. This is because, through the years, existing plants often come to operate under different conditions.

For instrumentation like control valves, care must be taken to obtain the correct Cv of the control valve. This is needed to specify the fail-open scenario flow rate. In the case of an existing plant, a control valve might have been replaced or its internals might have been changed over the years.

Even contacting the vendor for the latest data seems a good idea if the valve was modified between the start-up of the plant and the PST calculation.

When looking for the operating parameters of a system, after finding the H&MB, a chat with the operating personnel is a great idea. Many times the plant might be operating under different conditions than it was designed for. For example, the normal liquid level in a vessel was designed to be 50% of the total volume, but at the time of the PST calculation the level is maintained at 40% of the total volume. This has a direct impact on your PST calculation.

Process Safety Time (PST) part 4 / calculation methodology

IEC 61511 is the standard that sets the requirements for Safety Instrumented Systems (SIS). As part of this standard, a safety instrumented function (SIF) is required to act within an adequate response time to bring the process or a system to a safe state. This is called the response time of a SIF, and the time available to act before anything dangerous happens is called the process safety time (PST). (See part 1, part 2, part 3, part 5, part 6, part 7 and part 8 for more information.)

PST calculation and definition is a mandatory requirement for all the instrumented functions to which IEC 61511 is applicable.

Review of calculation
After finishing the PST calculation, it is very important that the IPF/SIL classification team reviews the PST calculation in a meeting. This is to ensure that:
1- The PST calculation is quality checked, and the assumptions and inputs are correct.
2- The team agrees on the result and identifies whether the PST calculation is acceptable or another, more rigorous calculation shall be carried out (only for PST calculations that are debatable).
It is also a way to make sure that any issues or problems in the calculation are identified before the IPF/SIF classification is completed.

Evaluation of PST result
At this stage, the SIF loop (sensor, logic solver and final element) are specified and bought. This means that failure rate data and response times are available.
One can calculate, the actual SIF loop response time by summing up all response times of SIF loop’s elements.

Now we will face three possibilities:
1- The SIF response time is higher than the calculated PST.
In this case the review team must decide whether the study needs to be revisited before deciding to change the design or to add an extra layer of protection to the system under review.

2- The SIF response time is the same as the PST.
In this case the team must decide whether this is acceptable, and shall communicate it externally and agree upon it with the client or certifying body. Alternatively, the team may decide on another calculation, or review the calculations again to identify whether something has been missed.

3- The SIF response time is less than the PST.
In this case the design is acceptable. However, you might distinguish between new SIFs and existing SIFs and agree this with your client.

For an existing SIF this is acceptable, as the SIF acts within the PST to bring the system to safety. However, for new SIFs it is a good idea to leave some room/margin between the SIF response time and the PST.
A good practice is to limit the SIF response time to 50 to 70% of the PST.
In any case, it is better to discuss and agree these criteria with your client. In this way you will save time afterwards by not having to redo your calculation.
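The three cases above, plus the 50 to 70% margin for new SIFs, as an added worked example in Python (not code from the original article); the loop element names and response times are constructed values, not vendor data:

```python
import math
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class LoopElement:
    """One element of the SIF loop (sensor, logic solver or final element)."""
    name: str
    response_time_s: float


def loop_response_time(elements: Iterable[LoopElement]) -> float:
    """SIF loop response time: the sum of all element response times."""
    return sum(e.response_time_s for e in elements)


def evaluate_sif(elements: Iterable[LoopElement], pst_s: float,
                 new_sif: bool, margin: float = 0.7) -> Tuple[str, float]:
    """Compare the loop response time with the PST.

    Returns (verdict, loop response time). Verdicts map to the three cases
    in the text; for a new SIF the response time must additionally stay
    within `margin` of the PST (the text recommends 50 to 70%, i.e. 0.5-0.7).
    """
    if pst_s <= 0:
        raise ValueError("PST must be positive")
    if not 0.0 < margin <= 1.0:
        raise ValueError("margin must be a fraction of the PST in (0, 1]")
    t = loop_response_time(elements)
    if math.isclose(t, pst_s):
        # Case 2: agree with client / certifying body, or recheck the calculation.
        return "review", t
    if t > pst_s:
        # Case 1: revisit the study, change the design or add a layer of protection.
        return "not_acceptable", t
    if new_sif and t > margin * pst_s:
        # Case 3 for a new SIF: within the PST, but without the agreed margin.
        return "insufficient_margin", t
    # Case 3: within the PST (and within the margin if it is a new SIF).
    return "acceptable", t


# Constructed example loop; total response time is 10.0 s.
EXAMPLE_LOOP = (
    LoopElement("pressure transmitter", 1.0),
    LoopElement("logic solver scan and output", 0.5),
    LoopElement("shutdown valve stroke", 8.5),
)

if __name__ == "__main__":
    for pst, is_new in ((30.0, True), (12.0, False), (12.0, True), (8.0, True)):
        verdict, t = evaluate_sif(EXAMPLE_LOOP, pst, is_new)
        print(f"PST={pst:5.1f} s  new SIF={is_new!s:5}  loop={t:.1f} s -> {verdict}")
```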




Process Safety Time (PST) part 3 / calculation methodology

IEC 61511 is the standard that sets the requirements for Safety Instrumented Systems (SIS). As part of this standard, a Safety Instrumented Function (SIF) is required to act within an adequate response time to bring the process or a system to a safe state. This is called the response time of a SIF, and the time available to act before anything dangerous happens is called the process safety time. (See part 1, part 2, part 4, part 5, part 6, part 7 and part 8 for more information).
PST calculation and definition are a mandatory requirement for all the instrumented functions to which IEC 61511 is applicable.

An important point to remember, which also follows from the definition of a SIF, is:
In Layer of Protection Analysis (LOPA, see here), there are layers of protection that reduce the chance of the main event happening, and there are layers that try to reduce the effects/severity of a dangerous event that has already happened. The first type of layers, acting before a dangerous event, are prevention barriers, and the layers of protection acting after a hazardous event are mitigation barriers.
See figure below for graphical explanation:

Figure: Process safety time, layers of protection and SIF

Choosing a proper method for PST calculation
As I mentioned in part 2 of this article series, there are three methods to choose from for PST calculation:
• Qualitative Analysis (QA)
• Quantitative – Simplified Analysis (QSA)
• Quantitative – Dynamic analysis (QDA)

At this stage, you might wonder which method shall be used for PST calculation. This is not a simple question to answer. As a process engineer, one needs to look into the list of SIFs and decide which method is suitable. The following table could be consulted for selection.

Table: Process safety time calculation method selection

The table above shows only a guideline for selecting the calculation method. In any case, you need to select a method for the calculation, discuss it with your client and agree upon it. Finally the Notified Body, which will review and certify the safety systems, shall review your calculation and agree upon your selected method and your outcome.

When selecting your calculation method remember following points:

1- SIFs with a high Safety Integrity Level (SIL) need a more accurate calculation. This is because they are providing a higher risk reduction factor (RRF).
2- Some parameters' rate of change is faster or slower than that of other parameters. For example, a level increase is faster to detect than a temperature increase. Therefore, a quantitative dynamic analysis (QDA) with the help of simulation programs might be more accurate for a temperature protection switch than for a level protection switch.
3- The help/advice of an experienced operator or vendor in defining PST is invaluable; after all, he/she has been working with the system or equipment for many years and could help much better than any calculation.
4- If you have the same system inside your company but at a different location, it would be a good idea to look at the other system that is running and see what its PST is or how it was calculated. For example, a dynamic simulation for a high pressure switch at the outlet of a compressor might be time-consuming and very difficult to set up in simulation software like HYSYS. If you can find a similar compressor within your asset that has the same pressure switch, you might use it. Of course, the Notified Body or Authority Having Jurisdiction shall agree with you.
5- You might need to ask for the vendor's help to set up a dynamic analysis when a SIF is acting in start-up or shutdown situations. Imagine a high pump temperature switch that protects the pump during a dry run scenario.



Process Safety Time (PST) part 2 / calculation methodology

IEC 61511 is the standard that sets the requirements for Safety Instrumented Systems (SIS). As part of this standard, a Safety Instrumented Function (SIF) is required to act within an adequate response time to bring the process or a system to a safe state. This is called the response time of a SIF, and the time available to act before anything dangerous happens is called the process safety time. (See part 1, part 3, part 4, part 5, part 6, part 7 and part 8 for more information).

PST calculation and definition are a mandatory requirement for all the instrumented functions to which IEC 61511 is applicable.

Timeframe within a project to do a PST calculation

Of course, like any other activity within a project, the PST calculation shall fit within the planning and shall not jeopardize it.

IEC 61511 also asks for a Safety Requirement Specification (SRS) for a SIF and its associated Safety Integrity Level (SIL). This is done when a decision is made to have a Safety Instrumented Function and a Safety Integrity Level is allocated to it, either by simple decision making in a team or by using a risk assessment method like LOPA. For information on LOPA see here.

At this stage, a safety requirement specification is drafted. As part of its input, a process safety time calculation/decision making is to be carried out.

Figure: Process safety time calculation

Terms of reference

Once a decision is made to proceed with the PST study/calculation, the first step is to develop a PST calculation/study terms of reference. This document will define the scope as well as how the study is to be executed.

One must realize that because PST calculation and definition are a mandatory requirement of IEC 61511, all SIFs identified in a project shall be reviewed for PST calculation, or at least those SIFs that have a SIL level of 1 or higher in relation to Health & Safety (H&S) and Environment (E).

Of course, the project or the owner/business may add and include all or some SIFs with a lower SIL level, or with SIL level 1, because of asset or reputation damage.

Contents of Terms of Reference

A terms of reference should include at least the following information:

– Activity plan and responsibilities between the parties involved
– Start/finish dates
– Data collection and data validation
– Agreement on selecting the calculation method for PST, at least per parameter (SIFs that are protecting against high/low pressure or high/low level)

Calculation method selection

Calculating or estimating a PST is not an easy task. Therefore, it is very important to have an experienced operator in your team whose opinion you can ask when the PST calculation is very difficult, or if the team can't agree on the way it has been calculated.

Based on the amount of information at hand, the design information available, and whether an established method exists to calculate a specific PST, the time required and the quality of the calculation differ from case to case.

In general, PST calculations can be grouped into the following categories:

Qualitative analysis

As mentioned above, for certain PST calculations a numerical calculation is either time consuming, or different methods with some degree of simplification are available for it. This means that discussions about how the calculation shall be done and which parameters or boundary conditions are to be used will be never-ending.

In such situations, the only way forward is qualitative PST estimation:

This means using engineering judgment to estimate the PST and hence verify whether a SIF's response time is adequate. Here the help of a specialist could be used, for example a compressor specialist, a process/equipment/package manufacturer or an experienced operator.

Quantitative Simplified

Some systems are relatively easy to handle with a quantitative-simplified PST calculation approach. The math is easy to do and there is no need for sophisticated simulation programs such as HYSYS. Of course, assumptions and boundary limits shall be gathered and carefully documented.

In this case there is a semi-transient method; an example is the time until an overflow happens in an atmospheric tank if the inlet valve fails open. For this calculation one needs to determine the volume available between the High-High liquid level (high level trip switch) and the overflow outlet height.

By dividing this volume by the volumetric inlet flow to the tank, the time between high level switch activation and overflow (the consequence we intended to prevent), in other words the PST, can be calculated.
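The tank overflow calculation above, as an added worked example in Python (not code from the original article). It assumes a vertical cylindrical tank so that the volume between the High-High trip and the overflow outlet is a simple area times height; the tank dimensions and flows are constructed values. Going slightly beyond the text, the inlet flow should be the fail-open capacity of the valve, and an optional outlet flow credit is exposed for the case where it is agreed that the outlet keeps running (the worst case, and the default, is no credit):

```python
import math


def overflow_volume_m3(diameter_m: float, hh_level_m: float, overflow_m: float) -> float:
    """Volume of a vertical cylindrical tank between the High-High level trip
    height and the overflow outlet height (both measured from the tank bottom)."""
    if diameter_m <= 0:
        raise ValueError("tank diameter must be positive")
    if overflow_m <= hh_level_m:
        # A trip set at or above the overflow height gives no time to act at all.
        raise ValueError("overflow outlet must be above the High-High trip level")
    area_m2 = math.pi * diameter_m ** 2 / 4.0
    return area_m2 * (overflow_m - hh_level_m)


def overflow_pst_s(diameter_m: float, hh_level_m: float, overflow_m: float,
                   inlet_m3_per_h: float, outlet_credit_m3_per_h: float = 0.0) -> float:
    """PST in seconds for the 'inlet valve fails open' scenario.

    inlet_m3_per_h should be the maximum flow the failed-open valve can pass,
    not the normal operating flow. outlet_credit_m3_per_h is 0 (worst case)
    unless the team has agreed to take credit for the outlet continuing.
    """
    if inlet_m3_per_h <= 0:
        raise ValueError("inlet flow must be positive")
    if outlet_credit_m3_per_h < 0:
        raise ValueError("outlet credit cannot be negative")
    net_m3_per_h = inlet_m3_per_h - outlet_credit_m3_per_h
    if net_m3_per_h <= 0:
        raise ValueError("net inflow is not positive: the tank would not overflow")
    volume_m3 = overflow_volume_m3(diameter_m, hh_level_m, overflow_m)
    return volume_m3 / (net_m3_per_h / 3600.0)


if __name__ == "__main__":
    # Constructed example: 4 m diameter tank, HH trip at 5.5 m, overflow at 6.0 m,
    # fail-open inlet capacity 40 m3/h. Volume = 2*pi m3 -> about 565 s (9.4 min).
    pst = overflow_pst_s(4.0, 5.5, 6.0, 40.0)
    print(f"PST without outlet credit: {pst:.0f} s ({pst / 60:.1f} min)")
    pst_credit = overflow_pst_s(4.0, 5.5, 6.0, 40.0, outlet_credit_m3_per_h=10.0)
    print(f"PST with 10 m3/h outlet credit: {pst_credit:.0f} s ({pst_credit / 60:.1f} min)")
```

Document the inputs (valve capacity, trip height, whether outlet credit was taken) alongside the result, as the text requires for assumptions and boundary limits.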

Quantitative Dynamic
This method is for modelling scenarios that are complicated, where the behaviour of the process system needs to be simulated with a simulation package like HYSYS.

The simulation program is used to simulate/analyse the behaviour of a system after initiation of a protection layer (a switch). A good model can predict the system behaviour realistically or close to reality.

Imagine that a pressure switch is protecting the downstream side of a control valve that is letting down a high pressure gas to a different pressure. The temperature drop after the control valve depends on many parameters, such as the flow through the valve, the amount of metal downstream of the control valve, etc.

A good simulation program can predict reasonably accurately when the low temperature occurs and at what distance relative to the control valve.
However, dynamic modelling is a relatively complex exercise that involves multiple variables and requires a lot of data and design information to be collected before a result can be achieved.

In some cases the steady state solution within the simulation program shall be reached before the dynamic model can be set up, run and produce a result.
This is where the help of experts and peer colleagues, or even third party assistance, comes in handy.

See part 1 for PST definition and part 3 for PST calculation methodology.




Layer Of Protection Analysis (LOPA) Building blocks

The aim of every HAZARD analysis is to assess risks and determine if enough safeguards are in place against a specific risk. HAZOP is a common HAZARD analysis study; however, it is a qualitative study. This means that the risk is not calculated but somehow guessed/estimated, and depending on the client, a risk matrix is used to find the severity of the consequences of a particular scenario.

Layer Of Protection Analysis (LOPA)

Layer Of Protection Analysis (LOPA) is one of the methods to determine the risk of severe consequences resulting from a particular scenario/deviation identified by the HAZOP team. The main objective is to quantify rather than qualify the risk, and in this way have a better understanding of the risk's magnitude.

LOPA is considered a semi-quantitative approach of risk assessment.

LOPA provides specific criteria and restrictions for evaluation of protection layers, eliminating subjectivity of qualitative methods at substantially less cost than fully quantitative techniques.

LOPA is used when the consequence identified for a scenario is so severe that the HAZOP team can't make a sound judgment based solely on qualitative information.

LOPA provides consistent basis for judging whether there are sufficient protection layers against hazardous events to achieve required risk reduction target.

LOPA can be used to determine target Safety Integrity Level (SIL) for Safety Instrumented Function (SIF), but that is just one outcome/usage of LOPA. LOPA also evaluates adequacy of a protection layer for a hazard and can determine the performance required/expected for alternate risk reduction measures to Safety Instrumented Systems (SIS).

At the moment LOPA is generally used to determine SIL level of Safety Instrumented Functions (SIF).

Advantages, limitations and suitability of LOPA

LOPA advantages
a. LOPA is effective in resolving disagreements related to risk.
b. LOPA determines whether Safety Instrumented Systems (SIS) or an alternative means of protection are required and its associated SIL if SIS is chosen.
c. LOPA complies with IEC 61511, clauses 8 and 9.
d. LOPA eliminates excess recommendation generation in.
LOPA limitations
a. LOPA may be excessive for simple or low-risk decision making.
b. LOPA is not a tool for identifying hazards.
c. LOPA may be overly simplistic for very complex systems.
d. Risk comparison between scenarios is only valid if the same LOPA method is used throughout the study.
LOPA is usually not sufficient if:
a. Consequences are of high severity (more than 3 fatalities). In this case a quantitative method is recommended for the estimation of event frequency and consequence.
b. It results in the need for a SIF with a specified SIL level of 3 or greater.

(Independent) Protection Layers

When designing a processing unit (e.g. a gas processing plant or even a cookie baking production line), there are layers in our design. Each layer has a specific role and shall act as an independent layer to bring the process unit back to a safe state.

As shown in Figure below, a process unit (or scenario identified in HAZOP) may require one or many types of protection layers, depending on complexity of process and potential severity of consequence.

Level Of Protection Layers LOPA

Independent Protection Layers (IPL)

LOPA uses safeguards (layer of protections) that meet independent protection layer (IPL) criteria.

Below are some criteria to be able to identify if a protection layer is IPL or not:

IPLs are extrinsic safety systems and can be active or passive systems, as long as they meet the following criteria:

a. Specificity: An IPL shall be designed solely to prevent or mitigate the consequences of one potentially hazardous event (e.g., runaway reaction, toxic material release, loss of containment, or fire). Multiple initiating causes may lead to the same hazardous event, and therefore multiple event scenarios may activate the action of one IPL.
b. Independence: IPL shall be independent of all other protection layers associated with identified potentially hazardous event. Independence requires that IPL’s performance shall not be affected by failure of another protection layer or by conditions that caused another protection layer to fail. Protection layer shall also be independent of initiating cause.
c. Dependability: Protection provided by IPL shall reduce identified risk by known and specified amount.
d. Auditability: An IPL shall be designed to enable periodic validation of its protective function. Proof testing and maintenance of the IPL are required to ensure its performance when it is needed.

LOPA Risk-Based Decision Criteria

In HAZOP, a range is used to rank a risk, e.g. damage between 100,000 and 500,000 US$. In LOPA, an explicit probability value, the tolerable Event Frequency Decision Value, commonly known as the Tolerable Event Frequency (TEF), is used.

The TEF is then compared with the likelihood of a certain scenario after suitable protection layers, conditional modifiers and enabling events have been applied, the Mitigated Event Frequency (MEF). This shows the adequacy of the protection layers. If the likelihood measured/calculated is lower than the TEF, then we have adequate protection layers.

Prior to every HAZOP, the risk matrix has to be calibrated and agreed with the asset owner/operator. Similarly, before starting any LOPA study/review, the tolerable event frequency for each specific consequence needs to be developed and agreed upon based on the client/operator standards.

LOPA Building Blocks

Explanation of the table columns as indicated by numbers in green hexagon:

1- Initiating Event: The initial event/cause that can lead to the consequences. This is the same as and identical to the initiating event identified in HAZOP. An initiating event has a frequency per year. This number is taken from the tables accepted by all parties before the LOPA meeting.
2- Frequency (#/Yr): The frequency of the initiating event happening per year. This also needs to be agreed before the LOPA meeting is started.
3- Consequences: The worst credible scenario/consequence that could result from the initiating event. This is normally the same as identified by the HAZOP team; however, the LOPA team might find extra consequences. It has a category ranking and severity. These are the same as identified in the HAZOP meeting.
4- Tolerable Event Frequency (TEF): The maximum allowed frequency for the consequences identified. The TEF is determined based on the severity level identified in the HAZOP meeting for the consequences.
5- Enabling Event Conditions: The events or conditions that need to happen as well in order for the consequences to happen.
6- Unmitigated Event Frequency (UEF): The frequency of the consequences without any Independent Protection Layer (IPL). This is the multiplication result of columns 2 and 5.
7- Independent Protection Layer (IPL): As identified by the LOPA team, a protection layer that is independent from other protection layers and is effective in mitigating the consequences identified.
8- Probability of Failure on Demand of the Independent Protection Layer (IPL PFD): This is the probability that the independent barrier fails at the time it needs to act. For example, a PSV needs to open when its set pressure is reached. However, it can fail 1 out of 100 times.
9- Mitigated Event Frequency (MEF): This is the frequency of the consequences occurring after considering/implementing the IPL. This is the multiplication result of columns 8 and 6.
10- Risk Reduction Factor (RRF) needed or remaining risk: This is the ratio of the Mitigated Event Frequency (MEF) to the Tolerable Event Frequency (TEF). This is the division result of columns 9 and 4.
This ratio shows whether the risk is acceptable or an extra layer of protection is needed to bring the risk/consequences into the acceptable region.

Normally before any LOPA meeting, an agreement shall be made on what RRF is acceptable and what needs to be done.

• Generally an RRF of less than or equal to 1.0 (one) is acceptable, meaning that the IPL considered for the scenario under investigation is effective and able to reduce the risk to an acceptable level.
• An RRF larger than 1 is not acceptable and shows that an improvement of the existing IPL reliability, a reduction of the initiating event frequency, or an extra IPL is needed.
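The LOPA table columns 2 to 10 and the RRF acceptance rule above, as an added worked example in Python (not code from the original article). It goes one step beyond the text by mapping the remaining RRF onto a target SIL using the IEC 61511 low-demand bands (SIL 1: RRF 10 to 100, SIL 2: 100 to 1,000, SIL 3: 1,000 to 10,000, SIL 4: 10,000 to 100,000) and flagging SIL 3 or higher, where the text says LOPA is usually not sufficient. The scenario rows and all frequencies/PFDs are constructed values:

```python
import math
from dataclasses import dataclass, field
from typing import List

# IEC 61511 low-demand SIL bands as the upper RRF of each band (SIL 1 covers
# RRF 10-100, SIL 2 100-1,000, SIL 3 1,000-10,000, SIL 4 10,000-100,000).
SIL_UPPER_RRF = ((1, 100.0), (2, 1_000.0), (3, 10_000.0), (4, 100_000.0))
_TOL = 1.0 + 1e-9  # guards band boundaries against float round-off


@dataclass
class LopaRow:
    """One row of the LOPA table; column numbers refer to the list above."""
    scenario: str
    initiating_event_freq: float        # column 2: initiating events per year
    tef: float                          # column 4: tolerable event frequency per year
    enabling_probability: float = 1.0   # column 5: 1.0 when no enabling condition applies
    ipl_pfds: List[float] = field(default_factory=list)  # column 8: one PFD per IPL

    def __post_init__(self) -> None:
        if self.initiating_event_freq <= 0 or self.tef <= 0:
            raise ValueError("frequencies must be positive")
        if not 0.0 < self.enabling_probability <= 1.0:
            raise ValueError("enabling probability must be in (0, 1]")
        if any(not 0.0 < p <= 1.0 for p in self.ipl_pfds):
            raise ValueError("each IPL PFD must be in (0, 1]")

    def uef(self) -> float:
        """Column 6: unmitigated event frequency = column 2 x column 5."""
        return self.initiating_event_freq * self.enabling_probability

    def mef(self) -> float:
        """Column 9: mitigated event frequency = UEF x product of all IPL PFDs."""
        return self.uef() * math.prod(self.ipl_pfds)

    def rrf_needed(self) -> float:
        """Column 10: MEF / TEF; at most 1.0 means the IPLs are adequate."""
        return self.mef() / self.tef


def target_sil(rrf_needed: float) -> int:
    """Target SIL for a SIF supplying the remaining risk reduction (0 = none needed)."""
    if rrf_needed <= _TOL:
        return 0
    for sil, upper in SIL_UPPER_RRF:
        if rrf_needed <= upper * _TOL:
            return sil
    raise ValueError("required RRF is beyond SIL 4; the design itself must change")


def assess(row: LopaRow) -> dict:
    """Evaluate one row: acceptance per the RRF rule, plus SIL target if a SIF is needed."""
    rrf = row.rrf_needed()
    sil = target_sil(rrf)
    return {"scenario": row.scenario, "uef": row.uef(), "mef": row.mef(),
            "rrf_needed": rrf, "acceptable": sil == 0, "target_sil": sil,
            "lopa_sufficient": sil < 3}  # SIL >= 3: LOPA usually not sufficient


# Constructed rows: vessel overpressure from a failed BPCS pressure loop (0.1/yr),
# TEF 1e-4/yr, PSV with PFD 0.01 as IPL; second row adds an enabling condition
# (0.5) and an alarm-plus-operator IPL with PFD 0.1.
EXAMPLE_ROWS = [
    LopaRow("overpressure, BPCS loop failure, PSV only", 0.1, 1e-4, 1.0, [0.01]),
    LopaRow("overpressure, enabling 0.5, PSV + alarm/operator", 0.1, 1e-4, 0.5, [0.01, 0.1]),
]

if __name__ == "__main__":
    for row in EXAMPLE_ROWS:
        print(assess(row))
```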

