Journal of Loss Prevention in the Process Industries 25 (2012) 1000–1009
Using risk tolerance criteria to determine safety integrity levels for safety instrumented functions
Paul Baybutt*, Primatech Inc., Columbus, OH, USA
Article history: Received 23 September 2011; received in revised form 31 May 2012; accepted 31 May 2012.
Abstract
Standards and industry guidelines for Safety Instrumented Systems (SISs) describe the use of hazard and risk analysis to determine the risk reduction required, or Safety Integrity Levels (SILs), of Safety Instrumented Functions (SIFs) with reference to hazardous events and risk tolerance criteria for them. However, significant problems are encountered when putting this approach into practice. There is ambiguity in the meaning of the term hazardous event. Notably, even though it is a key concept in the process-sector-specific SIS standard, IEC 61511/ISA 84, it is not defined in the standard. Consequently, risk tolerance criteria for hazardous events are ill-defined and, therefore, they are not the most appropriate criteria to use. Most current approaches to SIL determination use them and therefore they are flawed fundamentally. An informed decision on the tolerability of risk for a facility cannot be made by determining only the tolerability of risk for individual hazardous events. Rather, the tolerability of the cumulative risk from all hazard scenarios and their hazardous events for a facility must be determined. Such facility risk tolerance criteria are the type used by regulators. This issue applies to all per event risk tolerance criteria. Furthermore, determining the tolerability of risk for a facility based only on the risks of single events, be they hazard scenarios or hazardous events, and comparing them to risk tolerance criteria for the events is not meaningful because there is no consideration of how many such events can actually occur and, therefore, no measure of the total risk. The risks from events should be summed for a facility and compared with overall facility risk tolerance criteria. This paper describes and illustrates SIL determination using a risk model implemented within the framework of Layers of Protection Analysis (LOPA) that overcomes these problems. 
The approach allows the allocation of risk across companies, facilities, processes, process units, process modes, etc. to be managed easily.
© 2012 Elsevier Ltd. All rights reserved.
Keywords: Layers of Protection Analysis (LOPA); Risk tolerance criteria; Safety Instrumented System (SIS); Safety Integrity Level (SIL); Hazardous event; SIL determination
* Tel.: +1 614 841 9800; fax: +1 614 841 9805. E-mail address: [email protected].
0950-4230/$ – see front matter © 2012 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.jlp.2012.05.016
1. Introduction
The industry standard for Safety Instrumented Systems (SISs), IEC 61511/ISA 84 (ANSI/ISA-84.00.01-2004, Parts 1–3 (IEC 61511-1 Mod, IEC 61511-2 Mod, IEC 61511-3 Mod)), requires that Safety Integrity Levels (SILs) be established for Safety Instrumented Functions (SIFs). The standard describes their determination by comparing the risk of hazardous events that SIFs protect against with risk tolerance criteria, sometimes called process safety target levels, to determine if there is a risk gap, i.e. the need to reduce the existing level of risk to meet the risk tolerance criteria. Such risk reduction decisions must be made consistently to avoid disproportionate risk allocation and the inequitable distribution of resources within a process, facility or company. The selection of suitable risk tolerance criteria is vital to ensuring that objective is met. This paper addresses difficulties that are encountered in choosing risk tolerance criteria, particularly for use with IEC 61511/ISA 84. An approach that avoids these difficulties is described and illustrated with an example. The role of risk tolerance criteria in the SIS standard and their relationship to hazardous events are described in Section 2. Some key questions are posed that are vital for the determination of SILs for SIFs and definitions are proposed for key consequence terms needed to define risk tolerance criteria properly. The meaning of a hazardous event is discussed in Section 3. It is an essential aspect of the definition of a SIF in the SIS standard. Conflicting usages are described and a definition is proposed together with definitions of other related terms. The nature of risk tolerance criteria for hazardous events is described in Section 4. After laying the theoretical foundation, practical difficulties associated with their use
are discussed in Section 5 and further issues in using hazardous events are identified in Section 6. Examples are provided to illustrate the difficulties and issues. Recommendations are given in Section 7 on how risk tolerance criteria should be used for SIL determination in a way that avoids the need to use hazardous event risk tolerance criteria and the problems their use entails. An example of using a LOPA risk model with facility risk tolerance criteria to determine SIF SILs is provided and explained in Section 8. Conclusions are provided in Section 9 that summarize how LOPA can be used with overall facility risk tolerance criteria to establish SILs for SIFs.
2. SIS standards and risk tolerance criteria
IEC 61511/ISA 84 states, “The required safety integrity level of a safety instrumented function shall be derived by taking into account the required risk reduction that is to be provided by that function” (Part 1, Clause 9.2.2). Guidance for doing so is provided in Part 3 of the standard, including the use of Layers of Protection Analysis (LOPA), risk matrices and risk graphs. IEC 61511/ISA 84 describes a SIF as a safety function with a specified SIL[1] which is necessary to achieve functional safety and which is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event.[2] Necessary risk reduction is defined in IEC 61511/ISA 84 as the reduction in risk that has to be achieved to meet the tolerable risk for a specific situation. Therefore, tolerable risk needs to be established to determine the required risk reduction. Necessary risk reduction may be achieved by using either one or a combination of SIFs or other safety functions. IEC 61511/ISA 84 also states, “The purpose of determining the tolerable risk for a specific hazardous event is to state what is deemed reasonable with respect to both the frequency of the hazardous event and its specific consequences.
Protection layers are designed to reduce the frequency of the hazardous event and/or the consequences of the hazardous event.” (Part 3, Clause 3.2) (emphasis added). The standard explains that the necessary risk reduction for a hazardous event, leading to a specific consequence, typically would be expressed quantitatively as a maximum frequency of occurrence per year. Moreover, Part 3, Clause 3.4 of the standard states: “The total risk reduction provided by the safety instrumented function(s) together with any other protection layers has to be such to ensure that:
– the failure frequency of the safety functions is sufficiently low to prevent the hazardous event frequency from exceeding that required to meet the tolerable risk; and/or
– the safety functions modify the consequences of failure to the extent required to meet the tolerable risk.”
Clearly, the intention in IEC 61511/ISA 84 is that risk tolerance criteria be established for hazardous events and their consequences in order to determine the required safety integrity for the SIFs that protect against them. Similarly, industry guidelines define instrumented protective functions, instrumented safety functions and
[1] The safety integrity of a SIF is the average probability of the SIF satisfactorily performing its required function. It is expressed as four discrete SILs in IEC 61511/ISA 84 defined by bands of Probability of Failure on Demand (PFD) and Frequency of Dangerous Failure (FDF) values.
[2] There is some debate about what constitutes a SIF. If the requirement that a SIF achieve or maintain a safe state for the process is imposed, it can be argued that the requirement excludes SIFs that mitigate the consequences of a hazardous event.
Safety Instrumented Functions with reference to the risk reduction that must be achieved for an identified hazardous event to meet a risk tolerance criterion (CCPS, 2007). The guidelines define risk tolerance criteria as qualitative or quantitative measures used to determine whether risk posed by an identified hazardous event is tolerable. Therefore, the meaning of hazardous event is vital in applying IEC 61511/ISA 84 and industry SIS guidelines and establishing hazardous event risk tolerance criteria. Unfortunately, ambiguity surrounds its meaning. For example, what hazardous event is protected by a SIF that shuts down flow to a tank of a flammable liquid in the event that it detects a high level? Is it high level, a spill from the tank, a fire, or something else? Is the hazardous event defined in association with this SIF? Is the hazardous event defined in association with this tank? Should similar events for other tanks be assigned the same risk tolerance criteria? What if a SIF protects against the same event in different tanks? Should all hazardous events be assigned the same risk tolerance criterion? Should risk tolerance criteria depend on the nature of the hazardous event? If so, how? The answers to such questions dictate the hazardous event risk tolerance criteria that should be used. They are critically important for determining the required SILs for SIFs. The meaning of the term consequences as it is used in IEC 61511/ISA 84 (see above quotes from the standard) is also important. It is not specifically defined in the standard. However, as used, it means the impact of a hazard scenario on people, the environment, and/or property. The following consequence-related definitions will be used in this paper:
Consequence: The result of a hazard scenario. Generally, undesirable.
Consequence receptor: The specific entity affected by the hazard scenario, i.e. specific people, property, or environments, etc.
Consequence location: The geographic place where the consequence occurs.
Consequence type: The type of receptor affected by the hazard scenario, i.e. people, property, environment, etc.
Consequence impact: The effect on receptors of the hazard scenario. Generally, harm.
Consequence severity: A measure of the consequence impact for a hazard scenario, e.g. the number of fatalities and injuries for people. Qualitative measures are often used in the form of consequence levels for each consequence type.
Risk tolerance criteria are defined according to consequence type and severity, and sometimes according to receptor and location.
3. Meaning of hazardous event
The terms hazardous condition and hazardous event are both used in IEC 61511/ISA 84 but neither is specifically defined, even though the concept of a hazardous event is key in defining a SIF and implementing the standard. The authors of the standard defined over 100 other terms so this is a surprising omission. Perhaps, the meaning was thought to be intuitively obvious. Unfortunately, the concept of a hazardous event is deceptively simple but providing a meaningful definition is problematic. The umbrella standard IEC 61508 (IEC 61508-1:1998, 1998), for which IEC 61511/ISA 84 is the process-sector specific version, does provide a definition of hazardous event as a hazardous situation that results in harm. A hazardous situation is defined as a circumstance in which a person is exposed to hazard(s). However, the term circumstance is not defined. The best that can be made of these definitions is that a hazardous event is an occurrence that results in harm.
Fig. 1. Sequence of events for a hazard scenario. [Figure not reproduced in this text; its boxes are labelled initiating event, process deviation, hazardous condition, hazardous circumstance, hazardous event, physical effect, hazardous situation and consequence, and it carries the annotation “Hazardous events lead to specific consequences” (Part 3, Clause 3.4).]
Clearly, hazardous event is intended to mean an event that occurs as part of a hazard scenario. However, there are multiple events and states[3] that occur during the progression of a hazard scenario which consists of a sequence of events beginning with an initiating event and ending with a consequence. A series of intermediate events connects them including process deviations, hazardous conditions, loss of containment, hazardous events, physical effects and hazardous situations (Fig. 1). Contributing to these events are initiating causes, safeguard failures, and enabling events and conditions. Generally, the initiating event results in a deviation from the allowed range of a process parameter (e.g. level) that, if uncontrolled, can result in a hazardous condition (e.g. high level), the release of a hazardous material or energy from the process containment (e.g. spill of a flammable material) which in turn can cause the realization of a hazard (e.g. fire from a flammable material release), resulting in physical effects (e.g. heat radiation from a fire), a hazardous situation (e.g. exposure of operators to a fire) and impacts on receptors of concern (e.g. an operator fatality, the scenario consequences). However, which of these events are the hazardous event and the hazardous condition as used in IEC 61511/ISA 84? The context of use of the terms hazardous condition and hazardous event in the standard can be examined to help discern their meanings. The following extracts imply that hazardous condition is used to mean the condition that is detected by a SIF that results in the SIF taking the process to a safe state: “In going from a potentially hazardous condition to the final safe state, the process may have to go through a number of intermediate safe-states.” (Part 1, Clause 3.2.66).
(emphasis added) “The system that undertakes the safety function would then comprise the sensor detecting the hazardous condition, the alarm presentation, the human response and the equipment used by the operator to terminate any hazard.” (Part 2, Clause 8.2.1). (emphasis added) Usage of the term hazardous event in the standard suggests, although not definitively, that it means an event that will occur and directly cause undesirable consequences if the SIF does not function: it is implied to be an event such as a fire or gas leak (Part 1, Clause 3.2.42), or other process conditions caused by abnormal events including malfunction of the basic process control system (BPCS) (Part 1, Clause 3.2.54). However, other usage of the term in IEC 61511/ISA 84 could be interpreted to mean any event that precedes the consequences: “The total time to detect the fault and to perform the action shall be less than the time for the hazardous event to occur.” (Part 1, Clause 11.3.3). “Also considerations should be given to the potential increased number of people being in the vicinity of the hazardous event as a result of investigating the symptoms during the build-up to the event.” (Part 2, Clause 8.2.1)
[3] For simplicity, no distinction is made between event and state in this paper.
Consequently, usage of the terms hazardous condition and hazardous event in IEC 61511/ISA 84 does not allow a definitive interpretation of what they are intended to mean. Clarification of their meaning can be sought elsewhere. Industry guidelines (CCPS, 2007) also use the terms hazardous condition and hazardous event but without definition. However, the function of a protection layer is described as avoiding the occurrence of or reducing the effect of a hazardous event, implying that a hazardous event follows the operation of a protection layer, including a SIF. The anatomy of an incident is depicted as a sequence of events from hazard to initiating event to process deviation to hazardous event to impact. Some examples of hazardous events are provided, namely, runaway reaction, release of toxic material, loss of containment, and fire. The guidelines also provide an example of determining SIF SILs using risk tolerance criteria for hazardous events and the SIF SIL is described as the reduction in the hazardous event likelihood that the SIF provides. Other industry guidelines define hazardous event as an event that leads to an undesirable consequence and illustrate a hazardous event occurring as the result of an initiating event that penetrates protection layers (safeguards) resulting in the hazardous event (CCPS, 1993). The guidelines state that protection layers are used to prevent or mitigate hazardous events and they respond to hazardous events, and that an Instrumented Protective System responds to an unacceptable process condition. In order to rationalize the use of these terms, the hazardous condition that activates a SIF and the hazardous event the SIF protects against should be distinguished clearly. Generally, there are multiple events in a hazard scenario and which of those events are considered to be the hazardous condition and hazardous event depends on the nature of the SIF. 
Processes use various types of protection layers to reduce risk including supervisory, preventive, mitigative, barrier, limitation, and emergency response (CCPS, 2007) and SIFs may be used in several of these layers. Consequently, the hazardous condition and hazardous event depend on the type of SIF and where it acts in the chain of events that defines the hazard scenario (Fig. 1). For example, in filling a tank, high level may trigger a prevention SIF to protect against the spillage of a flammable material that may result in a fire causing injury to process operators. High level is certainly the hazardous condition and spillage at the tank during filling can be considered the hazardous event. The presence of flammable material may trigger a mitigation SIF. For this SIF, the presence of flammable material is the hazardous condition and fire at the tank could be considered the hazardous event. SIFs can address several of the different events in a hazard scenario. Thus, the nature of hazardous conditions and hazardous events varies according to the type of SIF. An alternative interpretation of hazardous event is that, regardless of where a SIF acts in a scenario sequence, it is the event in the scenario sequence where an undesirable consequence definitely becomes possible. Typically, for most processes, this would be when loss of containment of hazardous materials or energy occurs. This interpretation is consistent with the definition of hazardous event as generally being synonymous with a loss event (CCPS, 2008): “Point of time in an abnormal situation when an irreversible physical event occurs that has the potential for loss and harm impacts. Examples include release of a hazardous material, ignition of flammable vapors or ignitable dust cloud, and overpressurization rupture of a tank or vessel. An incident might involve more than one loss event, such as flammable liquid spill (first loss event) followed by ignition of a flash fire and pool fire (second loss event) that heats up an adjacent vessel and its contents to the point of rupture (third loss event).” However, this definition implies there are multiple hazardous events of different types that occur after loss of containment. In order to avoid inconsistencies and difficulties that would be posed by a definition of hazardous event that allows them to vary according to the nature of a SIF, an invariant definition is desirable. Hazardous event variants would require different risk tolerance criteria. Since a SIF operates to achieve or maintain a safe state of the process, any safety function that acts after the hazardous event occurs presumably does not meet this requirement and therefore cannot be a SIF. Consequently, it would seem appropriate to define a hazardous event as the first event that occurs after loss of containment that has irreversible effects with the potential for harm. Events that follow the hazardous event (or loss event) are better viewed as hazardous situations and domino effects resulting from the hazardous event. They follow directly from the hazardous event. Other events may follow the occurrence of a hazardous condition but precede the hazardous event. These definitions are suggested:
Hazardous condition: The process condition that triggers operation of a SIF, e.g. high level in a tank.
Hazardous circumstance: The proximate event that a SIF protects against, e.g. spill from a tank. It occurs after the hazardous condition and before the hazardous event. However, for some SIFs, the hazardous circumstance and hazardous event may be the same.
Hazardous event: The event in the sequence of events for a hazard scenario when the potential for harm becomes irreversible.
For processes, typically this is when containment is lost, a hazardous material or energy is released, and a hazard is realized. Multiple hazard scenarios may produce the same hazardous event.
Hazardous situation: An event that follows directly from a hazardous event and leads to a consequence impact.
With these definitions, the nature of hazardous conditions and hazardous circumstances varies according to the point in the scenario sequence at which a SIF is activated but the nature of a hazardous event remains the same for all SIFs.
4. Risk tolerance criteria for hazardous events
Risk tolerance criteria cannot be set directly for hazardous events. They must be viewed from the perspective of overall facility risk which can be established and understood by most people without difficulty. Industry guidelines recognize that total facility risk must be allocated to hazardous events in order to establish risk tolerance criteria for the hazardous events (CCPS, 2009). For example, if the tolerable risk of a single fatality for a facility has been set at 1 × 10⁻³ per year and there are 10 hazardous events for the facility, typically, a risk tolerance criterion of 1 × 10⁻⁴ would be set for each hazardous event, i.e. the overall facility risk is allocated equally across hazardous events by dividing the facility risk tolerance criterion by the total number of hazardous events. However, the total number of hazardous events must be estimated. At best, this is an uncertain number, often little better than a guess. Consequently, a conservative estimate is often used that may impose unnecessary requirements for risk reduction. Given the dependence of people’s lives on the use of these analyses, and the considerable effort required to comply with the extensive SIS lifecycle requirements of IEC 61511/ISA 84, it is unwise to base compliance with the standard on such a fragile basis.
The allocation of tolerable facility risk to individual hazardous events in this way is driven by the approach for SIL determination described in IEC 61511/ISA 84 and the key role played by hazardous events. The approach is undoubtedly simple but, besides the difficulty of estimating the number of hazardous events to allocate risk, it is flawed fundamentally owing to its focus on hazardous events as will be described. Some pertinent questions can be posed. On what basis can facility tolerable risk be allocated equally to hazardous events? Are hazardous events intended to be equivalent in some way that makes equal allocation valid? If an equal allocation is not appropriate, can a proportionate allocation be made so that equivalent hazardous events receive the same allocation? If so, what is meant by equivalent? These are difficult questions to answer in any useful way and, indeed, it is neither necessary nor desirable to do so. It will be shown in the next section that there is no meaningful basis for allocating tolerable risk to hazardous events. Various problems are encountered and examples will be provided.
5. Difficulties in using risk tolerance criteria for hazardous events
5.1. Meaning of hazardous event
An improved definition of hazardous event was provided earlier in this paper but it is still open to interpretation. For example, a fire at vessel A that results in a fatality to an operator meets the definition as does a fire at vessel B that also results in a fatality to an operator. Both can be considered to be different hazardous events. However, the hazardous event could also be defined as a fire in the process area where the vessels are located that kills one person. In this case, the tolerable risk criterion would need to be set at twice the value for either of the individual vessel events in order to produce equivalent risk. Clearly, risk tolerance criteria for these hazardous events should be different.
Although in this simple example the risk tolerance criteria could be adjusted appropriately, in general, an analysis in which risk tolerance criteria depend on the way in which hazardous events are defined would be problematic because of the difficulties in assigning and using different risk tolerance criteria. This example can be generalized to all hazardous events. They can be defined as occurring anywhere within a process, e.g. a runaway reaction, release, or fire in any part of the process; or in a specific part of a process, e.g. runaway reactions in multiple reactors or individual reactors, releases from multiple process areas or individual areas, and fires in multiple locations or individual locations. Furthermore, the parts of the process that share a hazardous event could be defined in different ways that would necessitate different values for the hazardous event risk tolerance criteria.
5.2. SIF configuration
Some practitioners may believe this problem can be overcome by defining hazardous events in exclusive association with their SIFs. Thus, if each vessel in the above example is protected by a separate SIF, it would be argued there are two separate hazardous events, not one. However, the matter is not so simple. The meaning of a hazardous event depends on how SIFs are configured for a process. If there are separate SIFs that protect each vessel in the above example, the two hazardous events could be addressed separately or together. However, a single SIF may protect both vessels and a single hazardous event must be considered to determine its required SIL. If all similar SIFs in a process were configured in the same way, it might be possible to use hazardous
event risk criteria for them consistently but, in general, that will not be the case. Consider a process that has four identical tanks. Two tanks are protected from fire hazardous events that could each result in a single fatality by separate SIFs. The other two tanks are protected against a fire that could result in a single fatality by one SIF. If the same risk tolerance criterion were assigned to all the hazardous events, the tolerable risk from the two tanks that are individually protected would be twice that for the two tanks that are protected by a single SIF, yet the actual risk from each tank is the same.
5.3. Multiple hazard types
A SIF may protect against multiple hazard types. For example, a SIF that protects against a runaway reaction may guard against employee fatalities owing to both the release of energy and the toxic effects of released materials. If these were treated as separate hazardous events, and the tolerability of risk for each one were addressed individually using the same standard risk tolerance criterion for each hazardous event, the required SIL determined for the SIF most likely would be too low and the actual process risk would be higher than intended. The risk would be underestimated because the actual consequence severity is higher than for either one of the two individual hazardous events (it is actually the sum of their consequences) and the risk tolerance criterion used should be lower than that for one of the individual hazardous events. The energy release and toxic effects should be treated as a single hazardous event and a suitable hazardous event risk tolerance criterion defined. If this could be done consistently, the problem of multiple hazard types could be avoided. However, these events may occur individually in other parts of the process, thus requiring individual risk tolerance criteria for them elsewhere and causing confusion and inaccuracies.
In other cases, hazardous events may result in the realization of one of several hazards, for example, a flammable material may burn, mix with air and explode, or simply disperse. Such cases are modeled individually.
5.4. Hazard scenarios without SIFs
Since SIFs are defined as protecting against specific hazardous events, it may seem that hazardous events could be defined with reference to only those contributing hazard scenarios that are protected by the SIF. However, it is certainly possible that a hazardous event may be caused both by scenarios that are protected by a SIF and by some that are not. For example, a high level shutdown SIF for a storage tank containing flammable material may be triggered by various causes of high level to protect against fire at the tank from a flammable spill. If these are the only scenarios that result in the hazardous event, the sum of their frequencies is used to determine the frequency of the hazardous event for comparison with the hazardous event risk criteria.[4] However, there may be other hazard scenarios not protected by this SIF that result in the same hazardous event, for example, corrosion leaks from the tank, or releases owing to dropped objects or vehicle impacts. In such cases their frequencies should be included in the summation of the frequency of the hazardous event. Exclusion of the contribution of these other scenarios from the frequency of the hazardous event would be tantamount to allocating risk only to some of the hazard scenarios for a process, i.e. those protected by SIFs, and ignoring the
[4] The risk of each scenario must be evaluated individually before summation since safety functions and enablers that are part of the scenarios generally will vary by scenario for the same hazardous event.
contribution of those scenarios protected by non-SIF safety functions. This would result in non-conservative values for the required SILs of SIFs as a result of the allocation of the overall tolerable risk to fewer hazard scenarios than actually contribute to the risk. Moreover, IEC 61511/ISA 84 recognizes that non-SIF safety functions that are separate and distinct from SIFs are also used to reduce or mitigate risks, specifically external risk reduction facilities, e.g. a dike (bund), and other-technology safety-related systems, e.g. a relief valve. Logically, such safety functions that protect against the same hazardous events as SIFs should be considered together with the SIFs in assessing tolerable risk. Indeed, IEC 61511/ISA 84 states that other safety systems should be considered so that their contribution can be taken into account when considering SIS performance requirements. Consequently, an approach that includes only hazard scenarios protected by SIFs is incorrect and would result in tolerating higher levels of risk than intended.
5.5. Global hazardous events
IEC 61511/ISA 84 in Part 2, Clause 8.2.1 states that loss of services (for example, air, cooling, water, nitrogen, power, steam, trace heating, etc.) should be included when assessing potential sources of demand on a SIS. Some of these external events, such as loss of utilities, may trigger the simultaneous operation of SIFs in various parts of a process. If these SIFs fail to protect the process, a global hazardous event occurs with greater consequences than any of the hazardous events addressed by the individual SIFs. Consequently, all such SIFs must be addressed as a set when determining their required SILs. Also, risk criteria for global hazardous events would be needed if SIL determination is based on hazardous events.
Hazard scenarios that result in global hazardous events are usually captured in a global node or global system in a PHA and they should not be overlooked when performing SIL determination studies. Global hazardous events may involve the realization of different types of hazards, i.e. not just fires but also toxic material releases, or other events. Setting risk tolerance criteria for global hazardous events is difficult since there is no basis for claiming their equivalence with local hazardous events. IEC 61511/ISA 84 in Part 2, Clause 8.2.1 recognizes that in assessing the frequency of demands for a SIS there may be complex cases where severe consequences result from the simultaneous occurrence of more than one event (for example, where relief headers are not designed for worst case relief from all sources) and that these cases require detailed analysis. However, currently, there is no code of good practice that deals with global hazardous events.

5.6. Comparability of risk for different hazard types

Although the view may be taken that a fatality is a fatality, for example, by regulators, in everyday life people may have a preferred means of casualty and the same is true for people who work in a process facility. Death by toxic exposure may be preferred to death by fire, for example. Usually, such value preferences are not addressed in risk analysis. However, some companies may wish to allocate tolerable facility risk to hazard types to account for such human preferences. For example, if aversion to casualty from fire is strong, less of the facility tolerable risk can be allocated to that hazard type to ensure that more stringent requirements are imposed on hazard scenarios that impact people as a result of fire. This would require the allocation of tolerable risk to fire hazardous events to be less than for toxic release hazardous events, resulting in different risk tolerance criteria.
Note that such risk allocation ultimately still requires that risk be summed over all scenarios resulting in each hazard type of concern, i.e. fire and toxic exposure in this example, for comparison with overall facility risk tolerance criteria.

5.7. Number of hazardous events

The number of hazardous events depends on the level of detail used in the PHA. Hazard scenarios result in incidents where containment of energy or hazardous materials is lost. Each incident may have several possible incident outcomes. For example, a flammable material release may result in a fire or an explosion. Each incident outcome may have various incident outcome cases depending on conditions at the time of the release. IEC 61511/ISA 84 states: “When considering the consequences of a particular failure event, all possible outcomes, and the frequency of the failure event as it contributes to each outcome, should be analysed. No credible outcome should be ignored or discarded from a risk analysis.” (ISA 84 Part 2, Para 8.2.1) A high level PHA may use hazardous events such as a hazardous material release while a more detailed PHA may use a fire resulting from the release or even specify the type of fire, e.g. jet fire, flash fire, pool fire. Thus, the meaning and number of hazardous events is variable for the same process depending on how the PHA is conducted and this directly impacts the allocation of overall facility tolerable risk to hazardous events. Any inconsistencies within a PHA or across PHAs for a facility will produce inequitable allocation of risk.

6. Further issues with the use of hazardous events

6.1. Multiple, sequential SIFs

A process may be protected by more than one SIF and they may be present in different protection layers. Consider a storage tank containing a flammable material that is protected by a SIF (SIF1) that detects high level in the tank and shuts down flow into the tank to avoid a flammable spill that could result in a fire at the vessel and a SIF (SIF2) that detects the release of a flammable material and takes action to prevent a fire at the vessel. Both SIFs share the same hazardous event, i.e. fire at the vessel.
How should the required SILs be determined for each SIF? Generally, there will be multiple hazard scenarios that could trigger the first SIF and even more scenarios that could trigger the second SIF since it will be triggered not only by scenarios that produce high level but also by scenarios that produce a spill from the vessel, e.g. an open valve. It may appear that the required SILs for SIF1 and SIF2 can be determined by individually summing the frequencies of the scenarios each SIF protects against, i.e. the frequencies of scenarios protected by SIF1 (those that result in high level) should be summed to determine the SIL for SIF1, and the frequencies of scenarios protected by SIF2 (those that result in high level, and a spill by other means, plus a fire) should be summed to determine the SIL for SIF2. However, this approach is incorrect because the use of the same hazardous event risk tolerance criterion in each case would imply that the tolerable risk for the scenarios that produce high level in the tank is the same as that for all scenarios that produce fire at the tank, which is illogical and for which there is no valid basis. Although there are two SIFs there is really only one hazardous event, namely, fire at the tank. The frequencies of the two sets of scenarios that produce the hazardous event must be summed to determine its frequency. One set of scenarios is protected by both SIF1 and SIF2 (those that produce high level in the tank and result in a fire), another set of scenarios is protected by only SIF2 (those that produce a spill from the vessel, other than from high level, and result in a fire). The SILs of the two SIFs cannot be determined separately. Consequently, if hazardous event risk criteria are to be used in this example, both sets of hazard scenarios must be considered together and the required SILs for the SIFs that are present must be determined together, making tradeoffs in risk reduction between them, as appropriate. A more complex example is provided by Burner Management Systems that can contain many different SIFs (ISA-TR84.00.05-2009).

6.2. Multiple SIFs protect against the same hazardous event

A single hazardous event may be protected by more than one SIF. Such SIFs may be activated by different hazardous conditions resulting from the same and/or different causes. For example, a fire or explosion may occur in a furnace firebox if there is a flameout and fuel gas flow continues. One SIF may detect low fuel gas pressure and isolate the fuel gas feed. Another SIF may detect flameout and isolate the fuel gas feed. These SIFs may respond to the same initiating events or different ones. For example, low fuel gas pressure may be due to loss of supply while flameout may be due to inert materials in the fuel gas supply. Required SILs for these SIFs must be determined together since they both contribute to the risk of the same hazardous event. Another example illustrates the same point, as well as the danger of considering process deviations in isolation. Consider a tank that may be over-pressured and release toxic material as a result of high level, high temperature or high flow in the tank. The SILs of SIFs that protect against such process deviations must be determined together by considering all the hazard scenarios that cause the process deviations and trigger the SIFs, as in the previous example. The separate consideration of process deviations, such as those addressed in the HAZOP study method, is incorrect in cases where different deviations result in the same hazardous event.
The practice can result in under-protection of processes.

6.3. SIFs in multiple process modes and batch processes

A SIF may protect against the same hazardous event in various process modes, e.g. startup, normal operation, shutdown. All process modes contribute to the overall facility risk and all of them should be addressed when determining the required SIL for the SIF. Consequently, a risk model is required that addresses all process modes. A SIF may provide protection for multiple steps in a batch process. The nature of the hazardous event is the same for each step yet the event is distinct as it occurs under different circumstances. Assigning risk tolerance criteria to such hazardous events is problematic. The solution is not to do so but rather use a risk model that contains hazard scenarios from all steps in the batch process so as to allow the evaluation of risk across all steps. SIF SILs can then be set with reference to overall facility risk tolerance criteria. This treatment is similar to that for multiple process modes in a continuous process, which can be viewed as a batch process with a very long operating cycle.

6.4. Multiple consequence types and levels

Generally, hazardous events will have multiple types of consequences. For example, a fire at a storage tank could result in impacts to operating personnel and equipment damage. IEC 61511/ISA 84 requires that risks to facility personnel, the general public and the environment be addressed. Some companies also include equipment damage, business interruption and other consequence types. Risk tolerance criteria must be established for these different types of consequences. In determining the required SIL for a SIF, the tolerability of risk for each consequence type must be demonstrated. This cannot be done for each consequence type individually since the SIF can impact all of them. Any changes in the required SIF SILs, or failure data for non-SIS safety functions, for one consequence type may affect the risk for other consequence types. Therefore, the tolerable risk of all consequence types should be addressed in the same analysis. Also, the achievement of tolerable risk for different consequence types may be in conflict. For example, actions that reduce the risk of process shutdowns may increase the risk to people. It is only when both risk types are considered at the same time that all risk types can be optimized. SIFs protect hazard scenarios covering a range of possible severity levels for a particular consequence type, for example, multiple fatalities to single fatalities for people impacts. Risk tolerance criteria are needed for each severity type and level. Both individual and societal risk tolerance criteria should be used in determining SIF SILs. A risk model is needed that includes all consequence types and levels within the scope of the study in order to specify required SIF SILs to meet all the applicable risk tolerance criteria.

6.5. Mitigation SIFs

If a mitigation SIF fails, a severe consequence event usually results. However, even if a mitigation SIF operates successfully and lowers the severity, a significant consequence event may still occur. It is possible that the severe consequence event may meet risk tolerance criteria but the lesser consequence event may not. Thus, both consequence events should be considered together when determining SIF SILs.

6.6. Dominant hazard scenarios

Generally, multiple hazard scenarios will lead to a hazardous event and it is certainly possible that one or more of the scenarios may dominate the risk of the hazardous event, even though the hazardous event meets its risk tolerance criterion, resulting in the disproportionate allocation of risk to the scenarios and their receptors. For example, multiple hazard scenarios may contribute to one particular hazardous event that results in an operator fatality. A dominant hazard scenario from this set of scenarios may contribute 90% or more to the frequency of occurrence of the hazardous event and its risk. If this dominant scenario impacts one particular operator, and the other scenarios impact different operators, this one operator will bear a disproportionate amount of the risk and some companies, and certainly the individual operator, may believe this is inappropriate. The use of risk tolerance criteria for individual hazard scenarios helps to avoid this problem.

6.7. Interaction of hazardous events

Problems can arise when considering the tolerability of the risk of hazardous events individually. The risk of one hazardous event may be increased above a tolerable level or a new hazardous event may be introduced by actions taken to decrease the risk of another hazardous event. For example, moving gas cylinders away from the vicinity of a work station and closer to a tank farm may reduce the risk to workers at the station but increase the risk in the tank farm as a result of the potential for a knock-on event if the cylinders were to become projectiles in an incident. Furthermore, while the consideration of individual hazardous events results in the risk of each of them being reduced below their risk tolerance criteria, it is possible that a preferred risk reduction solution may be not to reduce the risk of some hazardous events
below their tolerable risk criteria if that results in an overall risk that is tolerable. For example, consider a process with two hazardous events. Assume one has a risk that is half the hazardous event risk tolerance criterion and the other has a risk that is twice the criterion. Thus, the total risk from the two hazardous events is tolerable. Under these circumstances it could be argued that the company should not invest the resources to reduce the risk of the first hazardous event below its risk tolerance criterion. Of course, in practice, other considerations may influence the decision, such as which receptors are exposed to the risk. Consequently, rather than managing the tolerability of risk for individual hazardous events, it should be managed for all of them in a risk model that calculates overall facility risk.

6.8. Identification of hazardous events

Industry SIS standards and guidelines assume that hazardous events will be defined by analyses outside their scope, particularly PHA. However, currently-used formats for documenting PHAs usually do not explicitly identify hazardous events. For example, PHA studies performed using the Hazard and Operability (HAZOP) study method commonly use worksheet columns for Guide Words, Deviations, Causes, Consequences and Safeguards but not Hazardous Events. To the extent that hazardous events are identified, they are captured in the Consequence column. Some practitioners are beginning to include an Intermediate Events column in the PHA worksheet to capture some of the scenario detail that is needed to support LOPA studies, and the hazardous event for the scenario may be found there. If hazardous events are to be used as the basis for SIL determination, extra work is needed to characterize them for each hazard scenario. This process can produce inappropriate and inconsistent hazardous events unless performed with the assistance of personnel familiar with how hazardous events should be defined.

Fig. 2. Example of completed LOPA worksheet for a hazard scenario.

7. Recommended use of risk tolerance criteria for SIL determination

The difficulties described in the previous sections complicate the allocation of overall facility tolerable risk to individual hazardous events and militate against using hazardous event risk tolerance criteria to determine required SILs for SIFs. If a single hazardous event risk tolerance criterion is used for all hazardous events, there should be some type of equivalency between hazardous events to provide a meaningful allocation of risk to them. Absent an equivalency measure, this approach is not logical. If the nature of hazardous events varies, so should the risk tolerance criteria for them, but there is no logical means for allocating risk to them proportionately. A hazardous event is just an attribute of a scenario and not even an invariant one, i.e. one that always has the same meaning. Indeed, the only attributes of a hazard scenario that are invariant are its consequence type and severity. Not even the initiating event is invariant. For example, a mechanical valve failure could be divided into its underlying causes with each represented by a separate hazard scenario although, usually, if all remaining aspects of the scenario are the same, they would be treated as a single cause and an appropriate frequency assigned to include all the underlying causes. Thus, the only risk tolerance criterion that is invariant for a facility is the sum of the risks of all scenarios for all hazards at a facility. These are the types of criteria used by some regulators, e.g. the United Kingdom Health and Safety Executive (HSE, 2001). IEC 61511/ISA 84 states, “Important factors in assessing tolerable risk include the perception and views of those exposed to the hazardous event.” (Part 3, Clause 3.2). So, for someone exposed to a hazardous event, what risk is tolerable? This question cannot be answered in isolation since the question that really matters is: What is the risk from all hazardous events to which an individual may be exposed? Only when the total risk from the consequences of all hazardous events that are possible for a facility is evaluated can it be partitioned into the risk from the contributing hazardous events. In other words, what matters to an exposed individual is not the risk from individual hazardous events but the total risk to which the individual is exposed in the workplace, and what matters to a company is the risk to all people from all risks in the workplace. If risk criteria are established for hazardous events without reference to the total facility risk, there is no guarantee that the sum of the risks for all the hazardous events will be tolerable, even if each hazardous event meets its risk tolerance criterion, because there is no way of knowing what the total risk is from all hazardous events unless the total risk is evaluated. Thus, the only meaningful way to determine the required SILs for the SIFs in a facility is to evaluate the total risk from all hazardous events that are possible, whether they are addressed by a SIF or not. The same argument can be made for risk tolerance criteria that are established for individual hazard scenarios or, indeed, any other partition of the facility risk. Therefore, a risk model is needed for a facility that allows the calculation of overall facility risk for comparison with an overall facility risk tolerance criterion and provides the ability to optimize facility risk through various risk reduction measures, including the addition of SIFs and/or the modification of their SILs. LOPA provides a ready framework for such a model (CCPS, 2001). For any consequence type and severity, e.g. single fatalities of facility personnel, hazard scenarios with that consequence can be analyzed and the risk summed over all the contributing scenarios. Such a model avoids the difficulties of using hazardous event risk tolerance criteria. IEC 61511/ISA 84 appears to recognize that the tolerability of hazardous event risks should not be judged in isolation: “Once the tolerable risk has been set, and the necessary risk reduction estimated, the safety integrity requirements for the SIS can be allocated. NOTE The allocation may be iterative in order to optimise the design to meet the various requirements.” (Part 3, Clause 3.5) Risk tolerance criteria for hazard scenarios, hazardous events, or other hazard scenario events can still play a useful role with a risk model for a facility because reliance solely on meeting overall facility risk tolerance criteria may result in the inequitable distribution of risk across a facility. While the overall facility risk criterion may be met, there may be processes, areas, units, people, etc. that bear the brunt of the risk resulting from the disproportionate allocation of risk across the facility. If some form of proportionate risk allocation is desired, the most logical approach is to use a risk tolerance criterion for individual hazard scenarios to ensure that none has disproportionate risk compared to other scenarios. Use of individual scenario risk tolerance criteria is easier and more meaningful than for hazardous events owing to the difficulties described earlier. Hazard scenarios are the fundamental building blocks of risk analysis. While their risks can be aggregated into different groups, such as hazardous events, there is no logical basis for allocating a share of overall
facility risk to such groups. The only logical allocation is to the individual hazard scenarios, provided they are defined at the same level of resolution. However, reliance cannot be placed on them alone to ensure tolerable risk for an entire process or facility. Overall risk tolerance criteria are still required. The individual scenario risk tolerance criteria provide a guide to help ensure risk is spread across the facility uniformly. It is also possible to allocate the overall tolerable facility risk to individual processes, process units, process areas, and process modes. Such allocations require that risk scaling be addressed (CCPS, 2009).

Fig. 3. Example of overall risk summations for a process.

Fig. 4. Example of risk summations for a process by process mode, hazard type and hazardous event.
8. Example of determining SIF SILs using LOPA

Primatech’s software tool, LOPAWorks®, was used to perform a LOPA study for a toluene storage and delivery process using hazard scenarios taken from a PHA in order to illustrate how a risk model can be constructed for an entire process and how various risk tolerance criteria can be used to optimize the allocation of risk for the process. For simplicity, hazard scenarios from only one process have been included in the model, although all scenarios from all processes at the facility could have been included. Two operating modes were considered. Part of the overall facility tolerable risk was assigned to the toluene storage and delivery process as the basis for the risk tolerance criteria used. In turn, these were allocated to hazard types, hazardous events, and hazard scenarios. LOPA worksheets were completed for 41 hazard scenarios. An example is shown in Fig. 2 where the risk tolerance criterion for the hazard scenario can be seen and the amount of risk reduction required to meet the criterion is displayed.
The results of risk summations for the entire process for all consequence types and levels addressed are shown in Fig. 3. Other risk summations can be used to examine the allocation of risk within the process. For example, a breakdown by process operating mode, hazard type and hazardous event is shown in Fig. 4. The percentage contributions from individual hazard scenarios to the total risk of these summations can be used to guide adjustments to safety function PFDs and SIF SILs to allow the risk tolerance criteria to be met. All SIFs and applicable non-SIF safety functions are included in the model. Adjustments can be made easily to any of the data and the effect on the risk summations is seen immediately so that risk tolerance criteria can be met and risk allocated within a process or facility in any way that is desired. Use of risk criteria for hazard types, hazardous events, hazard scenarios, etc. is at the discretion of the analysts. Only overall facility risk tolerance criteria must be met. In other cases, it may be permissible to exceed the criteria so long as there is an appropriate allocation of risk across the facility or process.
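The risk summation and joint SIL sizing described in Sections 6.1, 6.7 and 8, as an added example in Python that is not the paper's own code and not LOPAWorks: a small facility-level LOPA risk model over constructed toluene-tank scenarios. Every scenario name, initiating event frequency, IPL PFD, the 1e-4/yr facility criterion for single fatalities and the 1e-5/yr per-scenario limit are assumptions made for the illustration; the representative PFD for each SIL is the upper (least protective) edge of the IEC 61511 band, and SIF1/SIF2 play the roles of the high-level trip and spill-detection SIFs of Section 6.1.

```python
"""Facility-level LOPA risk model (added example; not from the paper or
LOPAWorks). Scenarios, frequencies, PFDs and criteria are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product

# Representative PFDavg per SIL: the upper (least protective) edge of each
# IEC 61511 band, so the claimed risk reduction is conservative. 0 = no SIF.
SIL_PFD = {0: 1.0, 1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


@dataclass(frozen=True)
class Scenario:
    name: str
    mode: str              # process mode: startup, normal, ...
    hazard_type: str       # fire, toxic, ...
    hazardous_event: str   # the event the scenario ends in
    consequence: str       # consequence type and severity
    ief: float             # initiating event frequency, events/yr
    ipl_pfds: tuple        # PFDs of non-SIF IPLs (alarm response, dike, ...)
    sifs: tuple            # names of the SIFs that protect this scenario


def scenario_frequency(s, sil):
    """Mitigated frequency (events/yr) = IEF x prod(IPL PFDs) x prod(SIF PFDs)."""
    f = s.ief
    for pfd in s.ipl_pfds:
        f *= pfd
    for sif in s.sifs:
        f *= SIL_PFD[sil[sif]]
    return f


def summation(scenarios, sil, attr):
    """Sum scenario frequencies by any attribute (consequence, mode,
    hazard_type, hazardous_event): the breakdowns of Figs. 3 and 4."""
    totals = defaultdict(float)
    for s in scenarios:
        totals[getattr(s, attr)] += scenario_frequency(s, sil)
    return dict(totals)


def meets_facility_criteria(scenarios, sil, criteria):
    """criteria: {consequence: tolerable events/yr}. The test is on the SUM
    over all scenarios with that consequence, SIF-protected or not."""
    by_cons = summation(scenarios, sil, "consequence")
    return all(by_cons.get(c, 0.0) <= limit for c, limit in criteria.items())


def lowest_sils(scenarios, sif_names, criteria, scenario_limit=None,
                min_sil=1, max_sil=3):
    """Size all SIFs jointly (they share hazardous events, so they cannot be
    sized one at a time). Cost = total SIL, ties broken by the highest single
    SIL. scenario_limit optionally adds a per-scenario criterion on top of
    the facility criteria."""
    best, best_cost = None, None
    for combo in product(range(min_sil, max_sil + 1), repeat=len(sif_names)):
        sil = dict(zip(sif_names, combo))
        if not meets_facility_criteria(scenarios, sil, criteria):
            continue
        if scenario_limit is not None and any(
                scenario_frequency(s, sil) > scenario_limit for s in scenarios):
            continue
        cost = (sum(combo), max(combo))
        if best_cost is None or cost < best_cost:
            best, best_cost = sil, cost
    return best


# Constructed scenarios. SIF1 = high-level trip that stops inflow, SIF2 = spill
# detection that acts to prevent a fire. Both end in the same hazardous event,
# so SIF2 also sees every scenario SIF1 sees (Section 6.1).
SCENARIOS = (
    Scenario("level control fails", "normal", "fire", "fire at T-101",
             "single fatality", 0.1, (0.1,), ("SIF1", "SIF2")),
    Scenario("drain valve left open", "normal", "fire", "fire at T-101",
             "single fatality", 0.02, (0.1,), ("SIF2",)),
    Scenario("overfill during startup", "startup", "fire", "fire at T-101",
             "single fatality", 0.05, (0.1,), ("SIF1", "SIF2")),
    Scenario("pump seal failure", "normal", "toxic", "toxic release at P-101",
             "single fatality", 0.01, (0.01, 0.05), ()),  # non-SIF IPLs only
)
FACILITY_CRITERIA = {"single fatality": 1e-4}  # events/yr, constructed
SCENARIO_LIMIT = 1e-5  # factor-of-10 split of the facility criterion, constructed


def facility_only():
    return lowest_sils(SCENARIOS, ("SIF1", "SIF2"), FACILITY_CRITERIA)


def with_scenario_limit():
    return lowest_sils(SCENARIOS, ("SIF1", "SIF2"), FACILITY_CRITERIA, SCENARIO_LIMIT)


if __name__ == "__main__":
    sil = facility_only()
    print("facility criterion only:", sil)  # {'SIF1': 1, 'SIF2': 2}
    for attr in ("consequence", "mode", "hazard_type", "hazardous_event"):
        print(attr, summation(SCENARIOS, sil, attr))
    print("plus per-scenario limit:", with_scenario_limit())  # {'SIF1': 1, 'SIF2': 3}
```

Run as a script, the model sizes SIF1 at SIL 1 and SIF2 at SIL 2 against the facility criterion alone (summed single-fatality frequency 4e-5/yr against 1e-4/yr). At those SILs the drain-valve scenario, protected by SIF2 only, sits at 2e-5/yr, above the per-scenario limit, even though the total is well within the facility criterion: the Section 6.7 situation. Adding the per-scenario limit pushes SIF2 to SIL 3, the kind of over-specification the Conclusions describe for the ISA example. Sizing SIF1 and SIF2 independently, each against its own summed scenarios, is not possible here because every SIF1 scenario is also a SIF2 scenario.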
9. Conclusions

Generally, multiple hazard scenarios involving a variety of hazardous events contribute to the risk of a facility. The goal must be to ensure that the sum of their risks is at or below the facility risk tolerance criteria. Industry guidelines and standards for SISs describe the determination of SIF SILs using methods such as LOPA with risk tolerance criteria for hazardous events. Since risk can be calculated for individual hazard scenarios and hazardous events, it may appear logical to assign risk tolerance criteria to them by allocating the overall facility tolerable risk to each scenario or to groups of them, such as those that result in various hazardous events. However, little or no guidance is provided by industry guidelines and standards on defining hazardous events, and an invariant, consistent definition that would allow the same risk tolerance criteria to be assigned meaningfully to all hazardous events is difficult, as is the proportionate allocation of tolerable risk to different types of hazardous events. The focus on hazardous events in determining tolerable risk for a process and the required SILs for SIFs is inappropriate. While the risk of a hazardous event can be calculated, it is not particularly meaningful to assign a risk criterion to it. Fundamentally, the risk from a process is determined by its hazard scenarios and a hazardous event can only be defined uniquely by the set of hazard scenarios that contribute to it. However, hazardous events can be defined in different ways for a process depending on how hazard scenarios are aggregated and, unfortunately, there is no unique way of doing so. Meaningful use of risk tolerance criteria for hazardous events would require a set of rules for their definition and the allocation of overall facility risk to them that does not currently exist. It would be difficult to develop such a set of rules and probably even more difficult to implement them consistently. The solution to this dilemma is to work with a risk model that allows the summation of risk for an entire facility so that overall facility risk tolerance criteria can be used directly. LOPA can be adapted readily to do so. Individual scenario risk criteria do have a role to play. They can be used and set at an appropriate value so as not to expose any one receptor to an inordinate risk. However, this is a different role from using them to manage the total facility risk, which is the risk measure of primary concern. ISA has published a simple example of the implementation of the SIS standard (ISA-TR84.00.04-2005).
It may be revealing that no specific mention is made of hazardous events for SIL determination in the example. Risk criteria are specified for total risk from all hazards. The total risk is allocated to individual hazard scenarios by an essentially arbitrary reduction by a factor of 10 from the overall tolerable risk criteria. The individual hazard scenario risk tolerance criteria are used to determine the required SILs of the SIFs that protect the scenarios. Total risk is calculated by summing the scenario risks, which are then compared with the total risk criteria. The example is too simple to determine if the intention was to follow the approach suggested in this paper of using a risk model for the entire process to determine and optimize SILs, but it is similar. However, in the example, once the scenario risk tolerance criteria and total risk tolerance criteria have both been met no optimization of SIF SILs is performed. This leads to overspecification of one of the SIFs, which can be reduced from SIL 2 to SIL 1 at the expense of exceeding an individual scenario risk tolerance criterion while still meeting the total risk tolerance criterion. Compliance with SIS standards requires extensive effort. Determining SIF SILs is central to that effort. Therefore, it would seem foolish to shortchange the process by using simple approaches that are not commensurate with the overall effort needed for compliance with the standards and which may produce erroneous results. Risk analysis is key to this process and the most comprehensive risk model of a process that is feasible should be constructed and used to make these decisions. The concept of a hazardous event is integral to the use of other methods for SIL determination such as risk matrices and risk graphs. While the difficulties in defining hazardous events described in this paper can be overcome by using LOPA with a detailed risk model, they pose significant challenges for the use of these other methods. LOPAWorks is a registered trademark of Primatech Inc.
References

ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod), Functional safety: Safety instrumented systems for the process industry sector. Part 1: Framework, definitions, system, hardware and software requirements, 2004.
ANSI/ISA-84.00.01-2004 Part 2 (IEC 61511-2 Mod), Functional safety: Safety instrumented systems for the process industry sector. Part 2: Guidelines for the Application of ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod), 2004.
ANSI/ISA 84.00.01-2004 Part 3 (IEC 61511-661513 Mod), Functional Safety: Safety instrumented systems for the process industry sector. Part 3: Guidance for the Determination of the required safety integrity levels (Informative), 2004.
CCPS. (1993). Guidelines for safe automation of chemical processes. Center for Chemical Process Safety/American Institute of Chemical Engineers.
CCPS. (2001). Layer of protection analysis: Simplified process risk assessment. Center for Chemical Process Safety/American Institute of Chemical Engineers.
CCPS. (2007). Guidelines for safe and reliable instrumented protective systems. Center for Chemical Process Safety/American Institute of Chemical Engineers.
CCPS. (2008). Guidelines for hazard evaluation procedures (3rd ed.). Center for Chemical Process Safety/American Institute of Chemical Engineers.
CCPS. (2009). Guidelines for developing quantitative safety risk criteria. Center for Chemical Process Safety/American Institute of Chemical Engineers.
HSE. (2001). Reducing risks, protecting people, HSE’s decision-making process. HSE Books.
IEC 61508-1:1998. (1998). Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 1: General requirements.
ISA-TR84.00.04-2005 Part 2, Example Implementation of ANSI/ISA-84.00.01-2004, 2005.
ISA-TR84.00.05-2009, Guidance on the identification of safety instrumented functions (SIF) in burner management systems (BMS), 2009.