Appendix 5
Answers to Examples
Answer to Exercise 1 (Section 2.1.1 (d))
Propagation to fatality is 1:2 times 1:5 = 0.1.
Maximum tolerable failure rate leading to single fatality is 10−5 pa/10−1 = 10−4 pa; however the actual process failure rate is 0.05 pa = 5 × 10−2 pa.
Thus the protection system should have a target probability of failure on demand (PFD) no worse than:
10−4 pa/5 × 10−2 pa = 2 × 10−3.
The target is dimensionless and is thus a PFD. the Low Demand column in Table 1.1 is therefore indicated.
Thus the requirement is SIL 2.
Answer to Exercise 2 (Section 2.1.1 (d))
Answer 2.1
Since there are 10 sources of risk (at the same place) the maximum tolerable fatality rate (per risk) is 10−5/10 = 10−6 pa.
Target toxic spill rate is 10−6 pa/10−1 = 10−5 pa.
However, the actual spill rate is 1/50 pa = 2 × 10−2 pa.
Thus the protection system should have a target PFD no worse than:
10−5 pa/2 × 10−2 pa = 5 × 10−4.
The target is dimensionless and is thus a PFD. The Low Demand column in Table 1.1 is therefore indicated.
Thus the requirement is SIL 3.
Answer 2.2
The additional protection reduces the propagation to fatality to 1:30 so the calculation becomes: target spill rate is 10−6 pa/3.3 × 10−2 pa = 3 × 10−5 pa; however, spill rate is 1/50 pa = 2 × 10−2 pa.
Thus the protection system should have a target PFD no worse than:
3 × 10−5 pa/2 × 10−2 pa = 1.5 × 10−3.
Answer to Exercise 3 (Section 2.1.1 (d))
Target maximum tolerable risk = 10−5 pa.
Propagation of incident to fatality = 1/200 = 5 × 10−3.
Thus target maximum tolerable failure rate = 10−5 pa/5 × 10−3 = 2 × 10−3 pa:
Note: 2 × 10−3 pa = 2.3 × 10−7 per hour.
The requirement is expressed as a rate, thus the High Demand column of Table 1.1 is indicated at SIL 2.
Answer to Exercise 4 (Section 2.2)
For the expense to just meet the cost per life saved criterion then:
Thus an expenditure of £7740 would be justified if the stated risk reduction could be obtained for this outlay. Expenditure in excess of this could be argued to be disproportionate to the benefits.
Answer to Exercises (Chapter 11)
11.2. Protection System
The target Unavailability for this “add-on” safety system is therefore 10−5 pa/2.5 × 10−3 pa = 4 × 10−3, which indicates SIL 2.
11.4. Reliability Block Diagram
11.6. Quantifying the Model
(a) Ball valve SS1 fails open.
Unavailability = λ MDT = 0.8 × 10−6 × 4000
= 3.2 × 10−3
(c) PES output 1 fails to close valve (Undiagnosed Failure).
Unavailability = 10% λ MDT = 0.025 × 10−6 × 4000
= 1 × 10−4
(d) PES output 2 fails to close valve (Undiagnosed Failure).
Unavailability = 10% λ MDT = 0.025 × 10−6 × 4000
= 1 × 10−4
(e) PES output 1 fails to close valve (Diagnosed Failure).
Unavailability = 90% λ MDT = 0.225 × 10−6 × 4
= 9 × 10−7
(f) PES output 2 fails to close valve (Diagnosed Failure).
Unavailability = 90% λ MDT = 0.225 × 10−6 × 4
= 9 × 10−7
(g) Pressure transmitter fails low
Unavailability = λ MDT = 0.5 × 10−6 × 4000
= 2 × 10−3
The predicted Unavailability is obtained from the sum of the unavailabilities in (a) to (g)
= 8.6 × 10−3 (Note: the target was 4 × 10−3.).
This is higher than the unavailability target. The argument as to the fact that this is still within the SIL 2 target was discussed in Chapter 2. We chose to calculate an unavailability target and thus it is NOT met.
74% from items (a) and (b), the valves.
23% from item (g), the pressure transmitter.
Negligible from items (c)–(f), the PES.
11.7. Revised Diagrams
11.9. Quantifying the Revised Model
Changed figures are shown in bold.
(a) Ball valve SS1 fails open.
Unavailability = λ MDT = 0.8 × 10−6 × 2000
= 1.6 × 10−3
(b) Ball valve SS2 fails open.
Unavailability = λ MDT = 0.8 × 10−6 × 2000
= 1.6 × 10−3
(c) PES output 1 fails to close valve (Undiagnosed Failure).
Unavailability = 10% λ MDT = 0.025 × 10−6 × 2000
= 5 × 10−5
(d) PES output 2 fails to close valve (Undiagnosed Failure).
Unavailability = 10% λ MDT = 0.025 × 10−6 × 2000
= 5 × 10−5
(e) PES output 1 fails to close valve (Diagnosed Failure).
Unavailability = 90% λ MDT = 0.225 × 10−6 × 4
= 9 × 10−7
(f) PES output 2 fails to close valve (Diagnosed Failure).
Unavailability = 90% λ MDT = 0.225 × 10−6 × 4
= 9 × 10−7
(g) Voted pair of pressure transmitters.
Unavailability = λ2 T2/3 = [0.5 × 10−6]2 × 40002/3
= 1.3 × 10−6
(h) Common cause failure (CCF) of pressure transmitters.
Unavailability = 9% λ MDT = 0.09 × 0.05 × 10−6 × 2000
= 9 × 10−5
The predicted Unavailability is obtained from the sum of the unavailabilities in (a) to (h) = 3.3 × 10−3, which meets the target.
11.10. ALARP
Assume that further improvements, involving CCF and a further reduction in proof test interval, could be achieved for a total cost of £1000. Assume, also, that this results in an improvement in unavailability, of the safety-related system, from 3.3 × 10−3 to the PFD associated with the Broadly Acceptable limit of 4 × 10−4. It is necessary to consider, applying the ALARP principle, whether this improvement should be implemented.
If the target unavailability of 4 × 10−3 represents a maximum tolerable risk of 10−5 pa, then it follows that 3.3 × 10−3 represents a risk of 10−5 × 3.3/4 = 8.3 × 10−6 pa. If 10−6 pa is taken as the boundary of the negligible risk then the proposal remains within the tolerable range and thus subject to ALARP.
Assuming a two-fatality scenario, the cost per life saved over a 40-year life of the equipment (without cost discounting) is calculated as follows:
3.3 × 10−3 represents a risk of 8.3 × 10−6
4 × 10−4 represents a risk of 10−6
Cost per life saved = £1000/(40 × 2 lives × [8.3 − 1] × 10−6)
= £1,700,000
The Gross Disproposition Factor, GDF, (see below) for this example is 8.6 Thus, on this basis, if the cost per life saved criterion were £1,000,000 then, with GDF taken into account, it becomes £8,600,000. The proposed further improvement is justified.
11.11. Architectural Constraints
(a) PES
The safe failure fraction for the PESs is given by 90% diagnosis of 5% of the failures, which cause the failure mode in question, PLUS the 95% which are “fail safe.”
Thus (90% × 5%) + 95% = 99.5%.
Consulting the tables in Chapter 3 then:
If the simplex PES is regarded as Type B then SIL 2 can be considered if this design has >90% safe failure fraction.
(b) Pressure transmitters
The safe failure fraction for the transmitters is given by the 75% which are “fail safe.”
If they are regarded as Type A then SIL 2 can be considered since they are voted and require less than 60% safe failure fraction.
Incidentally, in the original proposal, the simplex pressure transmitter would not have met the architectural constraints.
(c) Ball valves
The safe failure fraction for the valves is given by the 90% which are “fail safe.”
Comments on Example (Chapter 12)
The following are a few of the criticisms which could be made of the Chapter 12 report.
12.2. Integrity Requirements
In Chapter 11 the number of separate risks to an individual was taken into account. As a result the 10−4 pa target was amended to 10−5 pa. This may or may not be the case here but the point should be addressed.
12.4.1. ALARP
It was stated that nothing could be achieved for £672. It may well be possible to achieve significant improvement by reducing proof test intervals for a modest expenditure.
12.5. Failure Rate Data
It is not clear how the common cause failure proportion has been chosen. This should be addressed.
Other items:
(a) There is no mention of the relationship of the person who carried out the assessment to the provider. Independence of the assessment needs to be explained.
(b) Safe failure fraction was not addressed.
(c) Although the life-cycle activities were referred to, the underlying function safety capability of the system provider was not called for.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.