ReportNo33 Safety Critical Measures
Safety Critical Measures
Author
Dirk Roosendans
Review
Richard Gowland
Charles Butcher
© EPSC 2012
The information held in this report is given in good faith and belief in its accuracy, but
does not imply the acceptance of any legal liability or responsibility whatsoever by the
European Process Safety Centre or by the authors, for the consequence of its use or
misuse in any particular circumstances.
Any enquiries about this report, or other EPSC matters, should be addressed to Mr Lee
Allford, Manager – EPSC Operations
Objectives of the European Process Safety Centre
1. Information
To provide advice on how to access safety information and whom to consult, what
process safety databases exist and what information on current acceptable practices is
available.
Benefits of Membership
Contents
1. INTRODUCTION .............................................................................................................................. 6
2. BACKGROUND ................................................................................................................................ 6
3. CONTEXT OF SAFETY CRITICAL MEASURES ..................................................................................... 7
3.1 PROCESS ACCIDENT SCENARIO ............................................................................................................. 7
3.2 SCOPE OF SAFETY CRITICAL MEASURES .................................................................................................. 9
3.3 PROTECTION BARRIERS ..................................................................................................................... 10
3.4 PROTECTION BARRIERS AND SAFETY CRITICAL MEASURES ........................................................................ 11
4 IDENTIFICATION OF SAFETY CRITICAL MEASURES ........................................................................ 13
4.1 DETERMINISTIC METHODS ................................................................................................................. 13
4.2 ANALYTICAL METHODS...................................................................................................................... 13
4.2.1 Identification of Prevention Barriers ................................................................................... 13
4.2.2 Identification of Mitigation and Protection Barriers ........................................................... 14
4.2.3 Assessing the Need for Safety Critical Measures ................................................................ 15
5 SELECTION OF SAFETY CRITICAL MEASURES ................................................................................. 16
5.1 GENERAL SELECTION PRINCIPLES ........................................................................................................ 16
5.1.1 Nature of Safety Critical Measures ..................................................................................... 16
5.1.2 Priority rules for Safety Critical Measures .......................................................................... 16
5.1.3 Independence of Safety Critical Measures .......................................................................... 16
6 DESIGN OF SAFETY CRITICAL MEASURES ...................................................................................... 17
7 MANAGEMENT OF SAFETY CRITICAL MEASURES .......................................................................... 19
7.1 GENERAL PRINCIPLES FOR TESTING, MAINTENANCE AND AVAILABILITY ...................................................... 19
7.1.1 Testing of Safety Critical Measures .................................................................................... 19
7.1.2 Maintenance of Safety Critical Measures ........................................................................... 19
7.1.3 Availability of Safety Critical Measures .............................................................................. 20
7.2 GENERAL PRINCIPLES FOR MANAGING SAFETY CRITICAL MEASURES .......................................................... 20
7.2.1 Knowledge of the Risks at Each Life Cycle Phase ................................................................ 21
7.2.2 Standards ............................................................................................................................ 21
7.2.3 Control of Safety-Production Conflicts ................................................................................ 21
7.2.4 Formal Safety Studies ......................................................................................................... 21
7.2.5 Safe Procedures .................................................................................................................. 21
7.2.6 Competent and Sufficient Personnel ................................................................................... 22
7.2.7 Management of the Human Factor .................................................................................... 22
7.2.8 Supervision and Checking ................................................................................................... 22
7.2.9 Capturing Experience .......................................................................................................... 22
7.3 MANAGEMENT SYSTEMS FOR SAFETY CRITICAL MEASURES ...................................................................... 23
8 PERFORMANCE METRICS ............................................................................................................. 24
8.1 INTRODUCTION ............................................................................................................................... 24
8.2 PERFORMANCE METRICS AND SAFETY CRITICAL MEASURES ..................................................................... 24
8.3 EXAMPLES OF PERFORMANCE INDICATORS FOR SAFETY CRITICAL MEASURES ............................................... 25
9 AUDITING AND SELF ASSESSMENT ............................................................................................... 26
9.1 SELF ASSESSMENT AND PROCESS HAZARD ANALYSIS (PHA) ..................................................................... 26
9.2 AUDIT ........................................................................................................................................... 26
10 EXAMPLES OF SAFETY CRITICAL MEASURES ............................................................................. 28
10.1 GENERAL ....................................................................................................................................... 28
10.1.1 Alarms Associated With Safety Critical Measures With Operator Supervision and Intervention ......... 28
10.1.2 Safety Critical Procedures ................................................................................................... 29
10.1.3 Automatically Acting SIS and Power Supply ....................................................................... 29
10.1.4 Physical Protection ............................................................................................................. 29
10.1.5 Mitigating and Protective Measures .................................................................................. 29
11 APPENDIX I: TERMS OF REFERENCE .......................................................................................... 30
11.1 PURPOSE ....................................................................................................................................... 30
11.2 MEMBERSHIP ................................................................................................................................. 30
11.3 TOPICS FOR DISCUSSION AND SHARING ................................................................................................ 30
11.4 SHARING OF INFORMATION ............................................................................................................... 31
11.5 TIMING.......................................................................................................................................... 31
11.6 DRIVERS ........................................................................................................................................ 31
12 APPENDIX II: EXAMPLES OF ANALYTICAL METHODS ................................................................. 32
12.1 EXAMPLE OF RISK GRAPH .................................................................................................................. 32
12.2 EXAMPLE OF RISK MATRIX................................................................................................................. 33
12.2.1 Matrix ................................................................................................................................. 33
12.2.2 Definitions for Severity Categories...................................................................................... 33
12.2.3 Definitions for Likelihood Categories .................................................................................. 34
DEFINITIONS ........................................................................................................................................ 35
ABBREVIATIONS .................................................................................................................................. 39
REFERENCES ......................................................................................................................................... 40
WORKING GROUP MEMBERS............................................................................................................... 42
1. Introduction
A work group on Safety Critical Measures was created by the European Process Safety
Centre in 2008. This document mirrors the discussions and reflections of this work
group. The terms of reference of the work group can be found in Appendix I: Terms of
Reference.
2. Background
Many major accidents in the process industries could have been avoided if prevention,
mitigation and protection barriers had been properly designed and kept in good order.
These barriers are often required because a full inherently safe process design is
difficult to achieve, for both technical and economic reasons.
In the context of the control of major accidents (including multiple fatalities onsite or
offsite), some of these barriers are called Safety Critical Measures.
Active systems need energy sources – which may be external or internal to the
system – to perform their function. Without these energy sources, the active
system will not function. Examples of external energy sources include electric
power, pneumatic power, hydraulic power, manpower, and system pressure.
3. Context of Safety Critical Measures
3.1 Process Accident Scenario
The focus of this document is on major accident scenarios in processing and storage
facilities. There is little emphasis on occupational accidents, even if many of the
conclusions in this document may be equally relevant for the latter type of accidents.
A popular way to visualise process accident scenarios is the “bow tie” diagram (see
Figure 1). In a bow tie, the initiating events or “causes” of many process accident
scenarios converge to a “Central Hazardous Event” which can propagate to a number
of different unwanted consequences. In this context a consequence is defined as the
occurrence of physical effects resulting in damage to people or environment.
Figure 1: A bow tie diagram shows how a Central Hazardous Event typically has several causes (left) and several consequences (right)
For a given system (process system, utility system, storage system), initiating events
include all possible deviations from a normal mode of operation. Initiating events
include equipment failures, instrument failures and operating errors. For every Central
Hazardous Event there may be several initiating events. Initiating events will propagate
to a hazardous event if they are not stopped by preventive barriers.
To avoid these possible undesired outcomes or render them less serious, safety
barriers are installed to prevent the occurrence of the hazardous event, mitigate its
effects, or protect the vulnerable targets (people, environment or assets).
Other factors which can influence the propagation of the Central Hazardous Event
include conditional modifiers such as meteorological conditions, the presence of
ignition sources and the presence of targets such as people.
Each of the paths in a bow tie, from a specific initiating event (or cause) to the Central
Hazardous Event and from the Central Hazardous Event to a specific outcome,
represents an individual process accident scenario.
[Figure: bow tie paths labelled scenario 1 to scenario 4, each path being an individual process accident scenario]
3.2 Scope of Safety Critical Measures
Some process accidents have the potential to cause very severe consequences. This
potential is usually controlled by applying engineering controls (design, hardware,
instrumentation,…) and operating controls (operating procedures, maintenance,
inspection,…). The need for these controls or safety measures is usually identified
during systematic and structured brainstorming sessions by a multidisciplinary team.
On any industrial site, numerous safety measures can be identified, each of which can
play a decisive role in avoiding loss. From those numerous safety measures, many are
necessary to avoid single-fatality accidents. From those many safety measures, only
some will play a role in preventing major accidents.
Safety Critical Measures: A subset of safety measures that are required to avoid or
control the impact of major accident scenarios
For a given Central Hazardous Event, we must assess all possible consequences before
deciding whether Safety Critical Measures need to be identified. Various tools are
available for consequence assessment, including sophisticated consequence modelling
software.
3.3 Protection Barriers
A process accident scenario – as illustrated in Figure 2 - can be defined as a sequence
of events leading to the uncontrolled release of the hazard contained within a system,
with unwanted consequences to people, the environment, or assets.
Figure 3 shows some protection barriers that are frequently used to stop an initiating
event propagating to unwanted consequences.
[Figure 3 residue: accident propagation from the Central Hazardous Event to a Major Accident through a series of protection barriers; the legible barrier label is "Critical alarms & tasks/procedures with operator supervision and manual intervention"]
The failure (or absence) of all of the above protection barriers means that the initiating
event will be able to propagate to a major accident. Successful operation of one of the
protective barriers will generally stop the accident sequence.
Not all of the above protection barriers are always present for every process
accident scenario. Most scenarios include only some of these barriers.
3.4 Protection Barriers and Safety Critical Measures
Safety Critical Measures in general fall into the following types of protection barriers:
Basic Process Control System (BPCS) trips and process alarms with operator
intervention
Critical alarms or tasks/procedures with operator supervision and manual
intervention
Automatic action by Safety Instrumented Systems (SIS)
Physical protection systems such as pressure relief valves
Mitigating measures (SIS, water curtain, site layout, ignition source
management,…)
Site emergency response
[Figure residue: Central Hazardous Event (release of a flammable or toxic substance, or release of energy: thermal radiation, blast overpressure, kinetic energy of fragments, …) surrounded by protection layers: critical alarms or tasks/procedures with operator supervision and manual intervention; automatic action SIS; physical protection (relief systems, …)]
appropriate methods of response, location of emergency, escalation effects,…) and
which are functions of the local environment and context.
Often, more than one Safety Critical Measure is needed to reduce the likelihood of a
given accident scenario with major potential consequences to an acceptable level. In
this case, special attention should be given to possible common mode failures: we
should verify that Safety Critical Measures are fully independent of other barriers and
of the initiators. If this is not the case, estimates of the risk reduction obtained
through multiple Safety Critical Measures may be too optimistic. Typical common mode
factors include:
Common operator
Common power supply
ESD signals handled by a single PLC without redundancy/diversity
Common ageing
Common maintenance
Common fouling/blockage/dirt
Common calibration of sensors
Common factors at start-up or shut-down
Multiple identical barriers (without diversity)
Systematic failures (e.g. software, design)
More details on common mode failures can be found in the specialised literature (see
references [12] to [16]).
4 Identification of Safety Critical Measures
There are several different approaches to identifying Safety Critical Measures:
Technical standards:
API
ASME
NFPA (e.g. NFPA30,...)
DIN
AD2000
TRBF
Company policy or procedures
The basis of the decision to implement or modify safety systems is usually a high-
quality hazard identification study. Hazard identification techniques include:
These can be used to identify appropriate prevention barriers. The quality of the
identification process will depend mainly on the expertise of the people that conduct
the analysis and less on the selected methodology.
4.2.2 Identification of Mitigation and Protection Barriers
Most major accidents in the chemical and petrochemical industries involve loss of
containment of a flammable or toxic substance. Event trees can be used to analyse
the possible consequences of such a release.
Pool fire
Jet fire
Flash fire
Fireball
Vapour cloud explosion
Dispersion of toxic chemicals
Some of the following factors in the event trees can be used to identify possible
mitigation and protection barriers:
protection may be effective against fires but not against the blast overpressure
of a vapour cloud explosion)
9. Process safety time and reaction time: The process safety time is the period
from the time a fault occurs in the process to the time that the process enters a
dangerous state. Following a demand (process error), the safety system needs
to transfer the process to a safe state within the process safety time. The
reaction time of the safety system, which is the sum of the reaction times of
the sensor, actuator and safety controller, needs to be shorter than the
process safety time.
Other factors that may influence the outcome of the event tree are:
Analytical methods imply the use of criteria to decide the need for Safety Critical
Measures. These decision criteria are usually a combination of the severity and
probability of the potential outcome of the hazardous event under consideration.
Appendix II gives examples of some analytical methods together with their decision
criteria.
5 Selection of Safety Critical Measures
Safety Critical Measures can be part of the preventive, mitigating or protective safety
barriers that are or should be installed to reduce the probability or potential
consequences of the scenario under consideration.
If more than one Safety Critical Measure can be identified for the same accident
scenario, then the choice of the safety measures to be designated as Safety Critical
Measures may be based on the following principles:
For example: two independent barriers each with a PFD of 0.1 may be preferred to a
single barrier with a PFD of 0.01.
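The comparison above, and the warning in Section 3.4 that risk reduction claimed for several Safety Critical Measures is too optimistic when they share a common mode, can be worked through numerically. The Python below is an added example, not part of the EPSC report; it assumes a simplified beta-factor model (the names beta, pfd_a and pfd_b are assumed) in which a share beta of each barrier's dangerous failures is a common-cause failure that defeats both barriers on the same demand.

```python
"""Added example (not from the EPSC report): how much risk reduction two
barriers really give, with and without common-cause failures.

A simplified beta-factor model is assumed here for illustration: a fraction
beta of each barrier's dangerous failures is a common-cause failure that
defeats both barriers at once (shared power supply, shared operator, shared
calibration, identical technology, ...).
"""


def pfd_independent(pfd_a: float, pfd_b: float) -> float:
    """PFD of two fully independent barriers: both must fail on the same demand."""
    return pfd_a * pfd_b


def pfd_with_common_cause(pfd_a: float, pfd_b: float, beta: float) -> float:
    """Simplified beta-factor model (an assumption, not the report's method).

    The independent part uses only the (1 - beta) share of each barrier's PFD;
    the common-cause part is beta times the weaker barrier's PFD, so that one
    shared failure takes out both barriers.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie between 0 and 1")
    independent_part = ((1.0 - beta) * pfd_a) * ((1.0 - beta) * pfd_b)
    common_cause_part = beta * max(pfd_a, pfd_b)
    return independent_part + common_cause_part


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFD: demands per dangerous failure of the barrier set."""
    return 1.0 / pfd


def compare_architectures(pfd_single: float, pfd_each: float, beta: float) -> dict:
    """PFD and RRF of one strong barrier versus two weaker ones.

    'two_claimed' is what an analyst obtains when full independence is assumed;
    'two_actual' includes the common-cause share and shows how optimistic that
    claim is.
    """
    two_claimed = pfd_independent(pfd_each, pfd_each)
    two_actual = pfd_with_common_cause(pfd_each, pfd_each, beta)
    return {
        "single": pfd_single,
        "two_claimed": two_claimed,
        "two_actual": two_actual,
        "rrf_single": risk_reduction_factor(pfd_single),
        "rrf_two_claimed": risk_reduction_factor(two_claimed),
        "rrf_two_actual": risk_reduction_factor(two_actual),
        # the claimed risk reduction is overstated by this factor when beta > 0
        "optimism_factor": two_actual / two_claimed,
    }


if __name__ == "__main__":
    # The report's illustration: two barriers of PFD 0.1 versus one of PFD 0.01.
    for beta in (0.0, 0.02, 0.1):
        result = compare_architectures(0.01, 0.1, beta)
        print(f"beta={beta:.2f}: two barriers claimed PFD {result['two_claimed']:.4f}, "
              f"actual PFD {result['two_actual']:.4f} "
              f"(optimism factor {result['optimism_factor']:.2f})")
```

With beta = 0 the two barriers of PFD 0.1 match the single barrier of PFD 0.01; with beta = 0.1 (a shared power supply, say) the combined PFD is 0.0181, almost twice the claimed value, which is the effect the common mode list in Section 3.4 warns about.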
Safety Critical Measures are systems or procedures that are usually part of one of the
following protection layers:
BPCS trips
Process alarms with operator intervention
Critical alarms or tasks/procedures with operator supervision and manual
intervention
Automatically acting Safety Instrumented Systems (SIS)
Physical protection systems such as relief valves
Mitigating measures (SIS, water curtain, site layout, ignition source
management,…)
Site emergency response
If more than one Preventive Safety Critical Measure can be identified for the same
accident scenario, then priority may be given to the Safety Critical Measure with the
best performance in the following areas: reliability, efficiency, response time,
testability, maintainability, availability, fault tolerance. Avoidance of false trips is part
of this assessment.
Selectivity
Independence
Reliability
Relevance
Efficiency
Response time
Testability
Maintainability
Availability
Fault tolerance
Vulnerability
Diversity (different technologies or measured variables)
As mentioned above, Safety Critical Measures may take the form of equipment,
instrumentation or procedures.
Figure 5 shows the relationship between risk analysis, reliability analysis and
vulnerability analysis. The central part of the diagram shows the general structure of a
risk analysis. During a risk analysis, the need for preventive, mitigating or protective
safety measures is identified. The performance of these safety measures is usually
assessed in a RAM (Reliability, Availability, Maintainability) study. However, the
performance of safety measures may also be affected by accidental loads (heat
radiation, blast overpressure, impact of debris,…). The impact of accidental loads on
the operability of safety measures is assessed in a vulnerability analysis.
Figure 5: Vulnerability Analysis of Safety Critical Measures (Risk Analysis at the centre, with Reliability Analysis and Vulnerability Analysis on either side)
7 Management of Safety Critical Measures
7.1 General Principles for Testing, Maintenance and Availability
7.1.3 Availability of Safety Critical Measures
All Safety Critical Measures need to be available for at least 99% of the time.
The availability of Safety Critical Measures should not be reduced unless
absolutely necessary.
If a Safety Critical Measure is unavailable, equivalent compensating measures
should be put in place.
The status of the availability of Safety Critical Measures should be recorded.
The list of unavailable SCMs shall be clearly displayed in the control room to
ensure that operators know the exact status of each SCM.
Before inhibiting any SCM, a formal risk analysis shall be performed. This must
include the definition of the compensating measures to be applied and the
maximum delay allowed before returning to normal.
When an SCM is inhibited, a return to full serviceability should be expedited
without delay. Audit mechanisms should ensure that the existence and
duration of inhibits on safety critical components are not overlooked.
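The rules above amount to a record and three checks: availability against the 99% target, inhibit duration against the maximum delay approved in the risk analysis, and a live list for the control room. The Python below is an added example, not from the EPSC report or any member company; the SCM tags, dates, risk analysis references and compensating measures are constructed sample values, and the record layout (the Inhibit class) is an assumption.

```python
"""Added example (not from the EPSC report): a record of inhibited Safety
Critical Measures with the checks the section above calls for: the 99%
availability target, the maximum delay approved in the risk analysis, and the
control room list of SCMs that are currently unavailable. All tags, dates and
risk analysis references are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

AVAILABILITY_TARGET = 0.99  # "available for at least 99% of the time"


@dataclass
class Inhibit:
    scm: str                 # SCM tag (constructed)
    start: datetime          # when the SCM was taken out of service
    end: Optional[datetime]  # None while the inhibit is still open
    max_delay: timedelta     # maximum delay approved in the formal risk analysis
    risk_analysis: str       # reference of that risk analysis (constructed)
    compensating: str        # compensating measure agreed in the risk analysis


# Constructed inhibit log for one review year, and the moment the review is run.
REVIEW_START = datetime(2012, 1, 1)
REVIEW_NOW = datetime(2012, 12, 31, 12, 0)
INHIBIT_LOG: List[Inhibit] = [
    Inhibit("PSV-101", datetime(2012, 3, 5, 8, 0), datetime(2012, 3, 5, 20, 0),
            timedelta(hours=24), "RA-2012-012", "temporary relief valve fitted"),
    Inhibit("SIS-HH-LT-200", datetime(2012, 6, 1, 6, 0), datetime(2012, 6, 9, 6, 0),
            timedelta(hours=48), "RA-2012-031", "operator level watch, hourly rounds"),
    Inhibit("ALM-CRIT-7", datetime(2012, 12, 31, 8, 0), None,
            timedelta(hours=8), "RA-2012-044", "manual gas readings every 30 min"),
]


def downtime_hours(log: List[Inhibit], scm: str, window_start: datetime, window_end: datetime) -> float:
    """Hours the SCM was inhibited inside the window; an open inhibit counts up to window_end."""
    total = 0.0
    for inh in log:
        if inh.scm != scm:
            continue
        start = max(inh.start, window_start)
        end = min(inh.end or window_end, window_end)
        if end > start:
            total += (end - start).total_seconds() / 3600.0
    return total


def availability(log: List[Inhibit], scm: str, window_start: datetime, window_end: datetime) -> float:
    """Fraction of the window during which the SCM was in service."""
    window_hours = (window_end - window_start).total_seconds() / 3600.0
    return 1.0 - downtime_hours(log, scm, window_start, window_end) / window_hours


def below_target(log, window_start, window_end, target=AVAILABILITY_TARGET) -> List[str]:
    """SCMs whose availability over the window fell below the target."""
    tags = sorted({inh.scm for inh in log})
    return [t for t in tags if availability(log, t, window_start, window_end) < target]


def overdue_inhibits(log: List[Inhibit], now: datetime) -> List[str]:
    """Inhibits, closed or still open, that ran longer than the approved maximum delay."""
    return [inh.scm for inh in log if ((inh.end or now) - inh.start) > inh.max_delay]


def control_room_display(log: List[Inhibit], now: datetime) -> List[str]:
    """The list of currently unavailable SCMs, with the agreed compensating measure and deadline."""
    lines = []
    for inh in log:
        if inh.start <= now and (inh.end is None or inh.end > now):
            remaining_h = (inh.max_delay - (now - inh.start)).total_seconds() / 3600.0
            deadline = (f"return due in {remaining_h:.1f} h" if remaining_h >= 0
                        else f"OVERDUE by {-remaining_h:.1f} h")
            lines.append(f"{inh.scm}: inhibited since {inh.start:%Y-%m-%d %H:%M} "
                         f"under {inh.risk_analysis}; compensating: {inh.compensating}; {deadline}")
    return lines


def review(log: List[Inhibit], window_start: datetime, now: datetime) -> Dict[str, List[str]]:
    """Findings an auditor would want: availability shortfalls and inhibits that overran."""
    return {
        "below_target": below_target(log, window_start, now),
        "overdue": overdue_inhibits(log, now),
        "currently_inhibited": control_room_display(log, now),
    }


if __name__ == "__main__":
    for key, items in review(INHIBIT_LOG, REVIEW_START, REVIEW_NOW).items():
        print(key, items)
```

On the constructed log, the level trip SIS-HH-LT-200 was out for eight days against an approved 48 hours and so appears both as overdue and as below the 99% availability target over the year; the open inhibit on ALM-CRIT-7 is the only entry the control room list shows, with the time left before its approved delay runs out.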
The life cycle of any plant contains a number of phases that are especially appropriate
to the introduction and operation of Safety Critical Measures. These are typically:
For each life cycle phase involving Safety Critical Measures, key management tasks are:
For every life cycle phase, the responsibilities for each of the above management tasks
need to be clearly and unambiguously defined and communicated throughout the
organisation.
7.2.1 Knowledge of the Risks at Each Life Cycle Phase
7.2.2 Standards
Standards provide systematic ways of preventing and controlling major accidents, such
that they are accepted as representing good or best practice. Examples include
company standards, European standards, industry standards, and others such as:
legal requirements
design codes
standards setting out frequencies for maintenance, testing and inspection
standard operating procedures
special standards for a particular process or hazard
Production and economic pressures often conflict with safety rather than supporting
it. This can lead to short cuts, omissions, inattention to safety matters, and delays in
carrying out safety-related tasks. It is therefore important to manage these conflicts
and to prioritise safety in relation to production and other conflicting goals.
The management system must provide for formal studies which systematically analyse
the dangers, the possible scenarios, their control, and severity of consequences. The
system should form a basis for understanding the major accident risks and enable risk
reduction measures to be targeted. Methods include process safety studies, HAZOP,
QRA, and task analysis.
7.2.6 Competent and Sufficient Personnel
There should be a system to ensure a supply of people competent in the tasks which
relate to the prevention and control of major accidents. This also means there should
be sufficient skills available and sufficient members to manage the workload
associated with those tasks.
Management systems must recognise the potential for human errors, such as
omissions or doing something incorrectly, set out the ways in which these might arise,
and ensure that they are controlled. This includes ergonomic factors such as man-
machine interface and other factors influencing human performance.
It is not enough to have procedures relating to Safety Critical Measures in place. These
procedures must also be implemented effectively. Monitoring is an essential step in
preventing accidents through encouragement and feedback on positive achievement –
but only if it is sufficient, targeted and adequately penetrating. Once implemented, it is
important that Safety Critical Procedures are effectively supervised and checked.
Failure to monitor Safety Critical Procedures can promote a poor safety culture and
place the integrity of Safety Critical Measures at increased risk.
Principally this is the learning from past experience of how to avoid major accidents
and incorporating this into the system. It often involves analyzing past events or
experience including incidents and accidents and lessons learned from accidents in
other companies.
7.3 Management Systems for Safety Critical Measures
The principles highlighted in Sections 7.1 and 7.2 can be embedded in a management
system specific to Safety Critical Measures.
8 Performance Metrics
8.1 Introduction
Studies from the insurance industry show that a workplace accident in which someone
is badly hurt or killed often follows a history of “precursor” incidents with similar
characteristics but only minor consequences. Based on this finding, the idea that
minor safety-related events can be used to predict personal injuries that are less
common, but more serious, has become central to safety management.
It is believed that a similar predictive relationship exists between lower- and higher-
consequence events in process plants. Indicators that are predictive are known as
leading or pro-active indicators and may be used to identify a weakness that can be
corrected before a higher-consequence event occurs.
Indicators that focus instead on relatively serious accidents that have already occurred,
so as to learn from them, are called lagging or reactive indicators.
With respect to process safety, this concept goes hand in hand with the Layer of
Protection concept. Lagging indicators deal with actual loss of containment, while
leading indicators give an indication of our ability to keep the product in the pipe.
Leading indicators therefore answer questions such as:
Monitoring the performance of Safety Critical Measures is important for the following
reasons:
8.3 Examples of Performance Indicators for Safety Critical Measures
The list below gives some possible leading indicators to monitor the performance of
activities in the area of Safety Critical Measures:
9 Auditing and Self Assessment
In principle, auditing of activities in the area of Safety Critical Measures can be based
on the items described in Section 7 and Section 8.
The integrity of Safety Critical Measures or Systems can only be assured if there is a
regular process of ‘Self Assessment’ by the user and Audit by a technically competent
body or person who is independent of the operations where the measures or systems
are required to function. This principle is laid down in the life cycle approach in IEC
61511 and IEC 61508 and is described in the guidance from the Engineering Equipment
and Materials Users Association (EEMUA 222). These sources are aimed at Safety
Instrumented Systems, but the general principles are applicable to all Safety Critical
Measures and Systems.
Self Assessments take the form of the check lists commonly found in Process Hazard
Analysis (PHA) and Self Assessment methodologies. These rely on a check being made of
the actual state of the operation compared with a clearly stated Requirement or Standard.
The process should reveal the degree of conformance and/or non-conformance and provide
a ‘gap analysis’. The evaluation needs to cover the state of conformance with
requirements for:
Hardware
Software
Human intervention and action
Management of Change
This self assessment will normally include the records of the tests carried out on the
Safety Critical Measures and Systems. It is important to note that these tests should
include the Human intervention required within a Safety Critical environment.
9.2 Audit
The audit practices of EPSC member companies are described in the EPSC Member
Report on Auditing. However, the most efficient form of audit takes account of, and
checks, the PHA and self assessment in place at the operating facility.
This check should be about:
the degree of conformance with the PHA and self assessment system
an examination of records of training and tests and inspections
‘deep drill’ on specific selected items (selection based on previous history,
follow up, incidents, new requirements, records found, physical state of the
facility and other relevant drivers)
No self assessment, PHA or Audit can function properly without an effective follow up
system where deficiencies are addressed in a timely manner. Put simply ‘Plan, Do,
Check, Act’.
10 Examples of Safety Critical Measures
10.1 General
This section lists some general categories of Safety Critical Measures. Within each category, some
examples are given. The proposed structure of the Safety Critical Measures follows the Layer Of
Protection philosophy shown in the figure below.
[Figure residue: Layer of Protection structure; the legible layer labels are Mitigating Measures, … systems, …), operator intervention, manual intervention, Site emergency response and Community emergency response]
10.1.1 Alarms Associated With Safety Critical Measures With Operator Supervision
and Intervention
Alarms associated with Safety Critical Measures with operator supervision and
intervention shall be clearly identified as Safety Critical Alarms and not be confused
with other alarms generated by the DCS. Possible alarms include:
To ensure that these critical alarms are clearly identified as Priority 1 alarms they
should be on a separate panel and not within the DCS.
10.1.2 Safety Critical Procedures
1. Dyking
2. Water curtains
3. Sprinkler/deluge systems
4. Foam application systems
5. Restricting flow orifices
6. Excess flow valves
7. Blast/fire resistant structures (blast/fire walls, reinforced control rooms, …)
8. Control of ignition sources
9. Active fire protection
10. Passive fire protection
11. Containment systems (containment inside building)
12. Flange protection
13. Devices influencing the direction of leaks
11 Appendix I: Terms of Reference
11.1 Purpose
The purpose of the work group is to share member companies’ systems of:
11.2 Membership
Members are encouraged to:
Information is in the first instance for dissemination exclusively between EPSC member
company representatives. Contributors may specify that some or all of their
information is restricted to the member representatives and does not pass to other
people in their respective companies.
11.5 Timing
The work group was launched at the Technical Steering Committee in October 2008.
Decisions on the life cycle of the group shall be made by the group’s membership.
11.6 Drivers
12 Appendix II: Examples of Analytical Methods
12.1 Example of Risk Graph
12.2 Example of Risk Matrix
12.2.1 Matrix
Figure: risk matrix. Rows are the likelihood categories Likely, Unlikely, Very unlikely, Extremely unlikely and Remote (defined in 12.2.3). Cells are classed as one of: High priority; Tolerable if ALARP; Acceptable risk.
12.2.3 Definitions for Likelihood Categories

Likelihood          Frequency (1/yr)   Definition
Likely              > 10^-2            Could occur several times during the plant lifetime.
Unlikely            10^-2 to 10^-3     Could occur once in 10 to 20 similar plants during 20 to 30 years of plant lifetime; once per year for at least 1000 plants.
Very unlikely       10^-3 to 10^-4     Once in 100 to 200 similar plants in the world during 20 to 30 years of plant lifetime. Has already occurred in the company, but corrective actions have been taken.
Extremely unlikely  10^-4 to 10^-5     Has already occurred a few times in industry, but corrective actions have been taken.
Remote              < 10^-5            Event physically credible but has never occurred, or only a few times during a period of 20 to 30 years for a large number of units (more than a few thousand, e.g. wagons, process drums, ...).
Definitions

Accident
  Event or chain of events which causes, or could cause, injury, illness, and/or damage (loss) to assets, the environment or third parties (ISO 17776, first edition, 2000-10-15).

Frequency
  A rate which expresses how often a particular event occurs within a stated time period. Frequency is defined as the reciprocal of the average time between events, and thus is often expressed in terms such as 1 per 1000 years (ISO 17776, first edition, 2000-10-15).

Functional Safety Assessment
  As per IEC 61508 and IEC 61511, a functional safety assessment should be performed to ensure that risks inherent in a process and its associated equipment are duly controlled. This assessment should be applied through all the stages of the life cycle described in IEC 61508 and IEC 61511, from initial risk analysis to decommissioning. The assessment can be performed after each stage of the safety life cycle or after concluding a specific number of stages, including the safety life cycle of the SIS and its software.
  IEC 61511 requires that at least one senior, "competent" and independent person takes part in the Functional Safety Assessment. This competent person should be able to review the hazard analysis, design, implementation and testing to ensure that everything has been successfully completed, and must have the authority to prevent the start-up of the process if necessary.

Harm
  Human injury, damage to the environment, damage to property, or a combination of these (ISO 17776, first edition, 2000-10-15).
  Adverse consequences of accidents, such as sickness, injury, death, damage to property, degradation of the environment, or interruption of business ("A Guide to QRA for Offshore Installations", CMPT, 1999).

Hazard
  Potential source of harm (ISO 17776, first edition, 2000-10-15).

Hazard Analysis (or HAZAN)
  Method of identifying possible undesirable events, analysing the mechanisms by which they could occur, and (usually) estimating their consequences. Hazard analysis sometimes includes consideration of the likelihood of key events (A Guide to QRA for Offshore Installations, CMPT, 1999).

Hazardous event
  Incident that occurs when a hazard is realised (ISO 17776, first edition, 2000-10-15). Also sometimes called an "Undesired Event". Examples: release of a substance, release of energy, fire, loss of buoyancy.

Hazard Identification
  Systematic identification of all the hazards that may affect, or arise from, the particular operation under consideration (ISO 17776, first edition, 2000-10-15).

HAZID
  Acronym for Hazard Identification, and especially for a particular form of Hazard Identification commonly applied to upstream installations. HAZID is a systematic (group) review of the possible causes and consequences of hazardous events (A Guide to QRA for Offshore Installations, CMPT, 1999). Sometimes this analysis includes consideration of the likelihood of key events.

HAZOP
  Acronym for Hazard and Operability Study: a systematic critical group review of a process plant design, to evaluate the effects of deviations from normal operating conditions. HAZOP is normally used to generate recommendations to improve the safety and operability of a design, but it can in principle be used to identify hazards as well (A Guide to QRA for Offshore Installations, CMPT, 1999).

Incident
  Relatively minor accident: an unintended departure from normal operating conditions causing little or no harm (A Guide to QRA for Offshore Installations, CMPT, 1999).

Initiating event
  Event directly causing a central Hazardous Event.

Intensity
  Quantified effect of an accident.

Likelihood (or Chance)
  Expressions that indicate, in general terms, the possibility of something happening (ISO 17776, first edition, 2000-10-15). See also Probability and Frequency.

Mitigation
  Attenuation of the effects of a central Hazardous Event, such as by reducing the duration or rate of a release, or by stimulating dilution or dispersal. Mitigation includes the effect of passive elements such as walls located close to the source.

Major accident (Seveso II Directive)
  According to the more general definition of Article 3 of the Seveso II Directive, a "'major accident' shall mean an occurrence such as a major emission, fire, or explosion resulting from uncontrolled developments in the course of the operation of any establishment covered by the Directive, and leading to serious danger to human health and/or the environment, immediate or delayed, inside or outside the establishment, and involving one or more dangerous substances".

Prevention
  Reduction of the occurrence frequency of a central Hazardous Event.

Probability
  The ratio of the number of chances that a particular event may occur to the total number of chances. It is expressed as a number in the range 0 to 1, zero being the certainty that the event will not occur, and 1 the certainty that the event will occur. It is also normal to express probability in percentage terms (ISO 17776, first edition, 2000-10-15).

Protection
  Reduction of the severity of the consequences on a particular target; reduction of the vulnerability of a target.

QRA
  Acronym for Quantitative Risk Analysis (not Quantitative Risk Assessment in the context of this report). QRA is a mathematical means of estimating numerical risk from a particular hazardous activity. It involves making numerical estimates of hazard outcomes in terms of frequencies and consequences, and aggregating them into an overall measure of individual or societal risk.

Reliability
  Ability of a system to perform a required function, under given conditions, within a given period of time. Approximately, the system failure probability P increases with the failure rate λ and the test period T according to the equation P = λ·T (valid while λ·T is small compared with 1).

Risk
  The combination of the likelihood that a hazard will be realised and the consequence of that hazard; the chance of a specific event occurring within a specific period (A Guide to QRA for Offshore Installations, CMPT, 1999).
  When using the more experience-based qualitative approaches, it is normal to express risk as the direct product of the frequency of occurrence and the severity. In some situations, however, it is necessary to define risk in somewhat more precise terms; here the usual approach is to express risk as the probability that a specified hazardous event will occur in a specified time period or as a result of a specified situation (ISO 17776, first edition, 2000-10-15). This approach uses the frequencies of a number of different consequences to give the overall risk picture.

Safety Critical Measures
  A subset of safety measures that are required to avoid or control the impact of major accident scenarios (see also section 3.2 of this document).

Safety Instrumented System (SIS)
  A Safety Instrumented System (SIS) consists of an engineered set of hardware and software controls which are especially used on critical process systems. A critical process system is one which, when an operational problem occurs while it is running, may need to be put into a safe state to avoid adverse consequences.
  An SIS is composed of the same types of control elements (including sensors, logic solvers, actuators and other control equipment) as a Basic Process Control System (BPCS). However, all of the control elements in an SIS are dedicated solely to the proper functioning of the SIS.

Safety Instrumented Function (SIF)
  Refers to the specific control functions performed by an SIS. An SIS is engineered to perform "specific control functions" to fail safe or maintain safe operation of a process when unacceptable or dangerous conditions occur. They are implemented as part of an overall risk reduction strategy which is intended to reduce the likelihood or the consequences of a previously identified hazardous event.

Severity
  The severity of an accident results from the combination of intensity and the vulnerability of the target.

System
  The object of the assessment, which can include many equipment items.

Validation
  The process of proving that a SIS, or by extension any Safety Critical Measure, works in practice. Validation involves a complete test from input to output and can be performed as part of the pre-startup test.

Verification (in the context of Safety Instrumented Systems)
  Demonstration that the output of a Safety Instrumented Function (at each stage of the life cycle) satisfies prescribed requirements. Verification methods include testing, review and analysis.

Vulnerability
  Sensitivity of a target to a particular type of effect. A vulnerability analysis defines a relationship between the intensity of incident effects and the consequent damage.

Process safety time
  The period from the time at which a fault occurs in the process to the time when the process enters a dangerous state. Following a process error, the safety system needs to transfer the process to a safe state within the process safety time.

Reaction time
  Referring to the complete safety system, the sum of the individual reaction times of the sensor, actuator and safety controller. The reaction time needs to be shorter than the process safety time.
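The Reliability entry above (P = λ·T) and the likelihood categories of section 12.2.3 are easiest to see in use in a Layer of Protection calculation. The following Python is an added example, not code from the EPSC report or from any member company: it walks one constructed scenario from initiating event frequency through the existing protection layers, maps the result onto the report's likelihood categories, works out the PFD a Safety Instrumented Function would need to reach a target frequency, and checks a proposed SIF design against it. The scenario numbers, the PFDavg ≈ λ·T/2 low-demand approximation and the IEC 61508 SIL bands are assumptions introduced here, not values taken from the report.

```python
"""
Worked LOPA-style calculation for one constructed scenario.

Added illustration; not code from the EPSC report. Assumptions not taken
from the report: all scenario numbers are constructed; the SIF PFDavg is
taken as lambda_DU * T / 2 (IEC 61508/61511 low-demand, single-channel
approximation; the report's own P = lambda * T is the end-of-interval
value); the SIL bands are the IEC 61508 low-demand PFDavg bands.
"""
import math

# Likelihood categories from the report's section 12.2.3 (events per year).
# A frequency lying exactly on a band edge is put in the more frequent band.
LIKELIHOOD_BANDS = [
    ("Likely", 1e-2, math.inf),
    ("Unlikely", 1e-3, 1e-2),
    ("Very unlikely", 1e-4, 1e-3),
    ("Extremely unlikely", 1e-5, 1e-4),
    ("Remote", 0.0, 1e-5),
]

# IEC 61508 low-demand PFDavg bands: (SIL, lower bound incl., upper bound excl.)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def likelihood_category(freq_per_year):
    """Map a frequency (1/yr) onto the report's likelihood categories."""
    for name, low, high in LIKELIHOOD_BANDS:
        if low <= freq_per_year < high:
            return name
    raise ValueError("frequency must be a non-negative number")


def pfd_end_of_interval(lambda_du, test_interval):
    """The report's approximation P = lambda*T: probability that the SIF is
    in a dangerous undetected failed state at the end of the proof-test
    interval. Only valid while lambda*T is small compared with 1."""
    return lambda_du * test_interval


def pfd_end_of_interval_exact(lambda_du, test_interval):
    """Same quantity without the lambda*T << 1 linearisation."""
    return 1.0 - math.exp(-lambda_du * test_interval)


def pfd_average(lambda_du, test_interval):
    """Low-demand PFDavg ~ lambda*T/2 for a single channel with perfect proof
    testing (assumption; ignores common cause, repair time, test coverage)."""
    return lambda_du * test_interval / 2.0


def sil_for_pfd(pfd_avg):
    """SIL whose PFDavg band contains pfd_avg, or None when the value is
    outside SIL 1..4 (no SIL credit at 0.1 or above; better than SIL 4 below 1e-5)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return None


def mitigated_frequency(initiating_freq, layer_pfds):
    """Hazardous event frequency after the independent protection layers."""
    freq = initiating_freq
    for pfd in layer_pfds:
        freq *= pfd
    return freq


def required_sif_pfd(initiating_freq, layer_pfds, target_freq):
    """PFDavg an added SIF must achieve to bring the scenario to target_freq.
    Returns None when the existing layers already meet the target."""
    freq = mitigated_frequency(initiating_freq, layer_pfds)
    if freq <= target_freq:
        return None
    return target_freq / freq


def assess_scenario(initiating_freq, layer_pfds, target_freq, lambda_du, test_interval):
    """Gap analysis followed by a check of a proposed SIF design."""
    current = mitigated_frequency(initiating_freq, layer_pfds)
    need = required_sif_pfd(initiating_freq, layer_pfds, target_freq)
    proposed = pfd_average(lambda_du, test_interval)
    final_freq = mitigated_frequency(initiating_freq, layer_pfds + [proposed])
    return {
        "unmitigated_category": likelihood_category(current),
        "required_sif_pfd": need,
        "required_sil": None if need is None else sil_for_pfd(need),
        "proposed_sif_pfd": proposed,
        "proposed_sil": sil_for_pfd(proposed),
        "sif_adequate": need is None or proposed <= need,
        "final_category": likelihood_category(final_freq),
    }


if __name__ == "__main__":
    # Constructed scenario (not from the report): BPCS loop failure at 0.2/yr;
    # operator response to a safety critical alarm credited PFD 0.1; relief
    # valve PFD 0.01; target 1e-5/yr; proposed SIF with lambda_DU = 5e-3/yr
    # and a yearly proof test.
    for key, value in assess_scenario(0.2, [0.1, 0.01], 1e-5, 5e-3, 1.0).items():
        print(f"{key}: {value}")
```

With these constructed numbers the two existing layers leave the scenario "Very unlikely" (2e-4/yr); reaching the 1e-5/yr target needs a SIF with PFDavg of 0.05 or better (SIL 1), and the proposed design at PFDavg 2.5e-3 (SIL 2) takes the scenario to "Remote". The difference between pfd_end_of_interval and pfd_average is the point to keep in mind when reading the report's P = λ·T: the figure used for SIL verification is the average over the proof-test interval, not the end-of-interval value.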
Abbreviations

Abbreviation  Term
API           American Petroleum Institute
DCS           Distributed Control System
ESD           Emergency Shut-Down
HAZID         HAZard IDentification
HAZOP         HAZard and OPerability Study
ISO           International Organization for Standardization
PFD           Probability of Failure on Demand or Process Flow Diagram (depending on context)
QRA           Quantitative Risk Analysis (in the context of this document)
SCM           Safety Critical Measure
SIL           Safety Integrity Level
SIS           Safety Instrumented System
UPS           Uninterruptible Power Supply
References
1. TOTAL, Industrial Safety Division SG-SEI (2009). Guidance Note on Safety Critical Measures.
HSE-SRD-016
4. Bellamy, L J (2003). SAVRIM Handbook (dec 2000).
5. Gowland, R (2003). Layer Of Protection Training Course, University of Manchester.
6. De Wilde, B (2004). Design of Safety Instrumented Systems, rev1.
8. Mogford, J (2005). Fatal Accident Investigation Report, Isomerization Unit Explosion, Final Report, Texas City, Texas, USA.
10. International Electrotechnical Commission (IEC). Functional safety of electrical/electronic/programmable electronic safety-related systems, Parts 1 to 7. IEC 61508: 1998 to 2000.
17. Center for Chemical Process Safety (2007). Guidelines for Safe and Reliable Instrumented Protective Systems.
Working Group Members
Guest Speakers