Week 10 DIF NOTES Safety Engineering


Week 10: Lecture Notes / SAFETY ENGINEERING

How can I be sure a system is safe, and how do I know it is safe to operate?

Risks are to be As Low As Reasonably Practicable (ALARP).

Major Hazard Facilities

Major Hazard Facilities (MHF) are facilities that have the potential to cause major
accidents, where the consequences may rival natural disasters in terms of loss of
life, injury, damage to property and disruption of activities affecting people at the
workplace and the surrounding community and environment. All MHFs must be
registered or licensed.
A major accident is defined by the Major Hazard Facility regulations as a sudden
occurrence at the facility causing serious danger or harm to a person at or near the
facility, an at-risk community, or property or the environment near the facility,
whether the danger or harm occurs immediately or at a later time.

Piper Alpha Disaster

Piper Alpha was an oil and gas platform that operated from 1976 to 1988 and used a
pipeline to send oil and gas to shore. An explosion and resulting fire destroyed it on
July 6, 1988, killing 167 men. The total insured loss was about 1.7 billion (US$ 3.4 billion).
In the aftermath there was a royal commission, conducted by Lord Cullen, which
recognised that the standards and policies of the time were inadequate. He called for
operators of a potentially hazardous facility to demonstrate that:
o The facility is fit for its intended purposes,
o The risks associated with its functioning are sufficiently low,
o Sufficient safety and emergency measures have been instituted.
He also called for the introduction of both:
o A Safety Management System that is assessed
o A Safety Case justifying that the facility is safe
As details of the causes of the disaster emerged, the industry changed and every
offshore operator undertook wide-ranging assessments of their installations and
management systems:
o Improvements to Permit-to-Work management systems
o Relocation of some pipeline emergency shutdown valves
o Installation of sub-sea pipeline isolation systems
o Mitigation of smoke hazards
o Improvements to evacuation and escape systems
o Initiation of Formal Safety Assessments
The Piper Alpha disaster created the need for Formal Assessment of the Safety
Management System.

Safety Case and Safety Management Systems

A Safety Management System should be a system that is workable, appropriate to
the MHF, and which meets the essential principles.

A Safety Case consists of three main elements:

o Safety requirements and objectives, which define the goals of the analysis.
o Safety evidence, which defines the evidence on which the analyses rely.
o Safety argument, which describes and argues how the safety evidence is
sufficient to demonstrate the achievement of the safety objectives.

The ALARP Principle

Where there is residual risk you need ALARP. Where there is a risk to safety:
o All efforts should be made to reduce risks to the lowest level possible
until the point is reached where the cost of introducing further safety
measures is grossly disproportionate to the safety benefit that would be
achieved.
o A risk should be tolerated only if it can be demonstrated that there is a
clear benefit in doing so.
The focus of risk management, from a Safety perspective, is that residual risk is
As Low As Reasonably Practicable (ALARP). The basis for the ALARP
judgement is that the risk is to be treated to the point where:
o The cost of further treatment is excessive compared with the resulting
reduction in risk
o No further treatment is possible; or
o The risk is negligible
A number of factors are taken into account to determine what would be
reasonably practicable:
o Nature and severity of the hazard
o Knowledge of severity of the hazard
o Knowledge of solutions
o Availability of solutions
o Common standards of practice
o Cost of solutions
The ALARP principle is used because it defines the effort necessary to reduce risk,
the gross disproportion rule applies, and it is a required standard in safety regulations.

Risk Analysis Tools Part Two


These are deductive methods: we start from an incident and work out from there
what we are going to do once that incident unfolds, and how successful the
controls we implement will be.

Event Tree Analysis

Used to analyse the controls you put in place once you have an event. What
controls could be put in place to contain the incident so it doesn't lead to a
disaster? You are using negative logic.

An event tree analysis (ETA) is a deductive procedure that shows all possible
outcomes resulting from an accidental (initiating) event, taking into account
whether installed safety barriers are functioning or not, and additional events and
factors.
By studying all relevant accidental events (that have been identified by a
preliminary hazard analysis, a HAZOP, or some other technique), the ETA can be
used to identify the outcome of accident scenarios and sequences in a complex
system.
Design and procedural weaknesses can be identified, and probabilities of the
various outcomes from an accidental event can be determined.
Given an undesired event (e.g. a fault), what is the probability that the system
responds successfully (safely)?
The system design is such that the response to the initiating event is a logical
sequence of components that are engaged in response to the event.
Suited to the analysis of fail-safe mechanisms in safety-critical systems.

Event Tree Analysis - Steps

Identify (and define) a relevant accidental (initial) event that may give rise to
unwanted consequences
Identify the barriers that are designed to deal with the accidental event
Construct the event tree
Describe the (potential) resulting accident sequences
Determine the frequency of the accidental event and the (conditional) probabilities
of the branches in the event tree
Calculate the probabilities/frequencies for the identified consequences (outcomes)
Compile and present the results from the analysis
The probability of success given the event is the sum of the probabilities for each
path leading to success.
In the preceding example: (1-PFA) * (1-PFB) + (1-PFA) * PFB * (1-PFC)
Failures are assumed to be statistically independent.
This assumption may be violated if failures share a common cause, such as poor
maintenance or defective parts from the same batch.
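The event tree behind the notes' success formula, as an added worked example (not part of the original notes): three barriers A, B and C act in sequence after an initiating event, and the code enumerates every branch, sums the path probabilities per outcome and multiplies by the initiating-event frequency. The barrier roles, the tree shape and the failure probabilities are constructed assumptions.

```python
# Constructed event tree for an initiating event (gas leak) followed by three
# safety barriers, matching the notes' success formula
# (1-PFA)*(1-PFB) + (1-PFA)*PFB*(1-PFC). Each node is either an outcome label
# or (barrier, subtree if the barrier works, subtree if it fails).
TREE = ("A",                                   # A: gas detection (assumed role)
        ("B",                                  # B: isolation / shutdown (assumed)
         "safe",
         ("C", "safe", "disaster")),           # C: blowdown, the last barrier (assumed)
        "disaster")                            # A fails: no further barrier acts

PF = {"A": 0.05, "B": 0.10, "C": 0.20}         # constructed barrier failure probabilities

def paths(node, pf, prob=1.0, trail=()):
    """Yield (outcome, probability, trail) for every branch of the event tree.
    Failures are assumed statistically independent, so a path's probability is
    the product of the branch probabilities along it."""
    if isinstance(node, str):
        yield node, prob, trail
        return
    barrier, if_works, if_fails = node
    yield from paths(if_works, pf, prob * (1 - pf[barrier]), trail + ((barrier, "works"),))
    yield from paths(if_fails, pf, prob * pf[barrier], trail + ((barrier, "fails"),))

def outcome_probabilities(tree=TREE, pf=PF):
    """Conditional probability of each outcome given the initiating event:
    the sum of the probabilities of all paths that end in that outcome."""
    totals = {}
    for outcome, prob, _ in paths(tree, pf):
        totals[outcome] = totals.get(outcome, 0.0) + prob
    return totals

def outcome_frequencies(initiating_frequency, tree=TREE, pf=PF):
    """Frequency of each outcome = initiating-event frequency x conditional probability."""
    return {o: initiating_frequency * p for o, p in outcome_probabilities(tree, pf).items()}

def success_formula(pfa, pfb, pfc):
    """The notes' closed form for P(success) on this tree, used as a cross-check."""
    return (1 - pfa) * (1 - pfb) + (1 - pfa) * pfb * (1 - pfc)
```

With the constructed values the tree gives P(safe) = 0.931 and P(disaster) = 0.069, and `success_formula(0.05, 0.10, 0.20)` returns the same 0.931.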

Fault Tree Analysis


Fault tree analysis (FTA) is a top-down approach to failure analysis, starting with
a potential undesirable event (accident) called a TOP event, and then determining
all the ways it can happen.
The analysis proceeds by determining how the TOP event can be caused by
individual or combined lower-level failures or events.
The causes of the TOP event are connected through logic gates - typically
AND-gates and OR-gates
FTA is the most commonly used technique for causal analysis in risk and
reliability studies.
A model that logically and graphically represents the various combinations of
possible events, both faulty and normal, occurring in a system that leads to the top
undesired event.
FTA uses a tree to show the cause-and-effect relationships between a single
undesired event (failure) and the various contributing causes.
The tree shows the logical branches from a single failure at the top of the tree to
the root cause(s) at the bottom of the tree.
Standard logic symbols connect the branches of the tree. For example, gates
permit or inhibit the passage of fault logic up the tree through the events.
A fault tree does not necessarily contain all possible failure modes of the
components of the system. It contains only those failure modes whose
existence contributes to the existence of the top event.
Suitable for further analysing undesired events (failures) identified by other tools
such as PHA and FMEA.
FTA starts with a pre-identified event (the Top Event). The system is then drilled down
to find the initiating events and which combinations of events (cut-set elements)
lead to the failure.
Note the difference between AND and OR events in terms of the number of sub-events required to trigger the Top Event.
Redundancy / safety functions use AND gates. The more AND triggers, the safer
the system will be.
Event Trees focus on the system's ability to recover from an event.
Fault Trees enable the causes of undesirable events to be determined. FTA + ETA
becomes a Bow Tie Diagram.

Where to use FTA


Root Cause Analysis - Identify all relevant events & conditions leading to
undesired event
Risk Assessment - Calculate the probability of an undesired event (level of risk)
Design Safety Assessment - Demonstrate compliance with requirements

Steps

Definition of the system, the TOP event (the potential accident), and the boundary
conditions
Construction of the fault tree
Identification of the minimal cut sets
Qualitative analysis of the fault tree
Quantitative analysis of the fault tree
Reporting of results
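An added worked example (not part of the original notes) that carries steps 3 to 5 through on a small constructed fault tree: it derives the minimal cut sets from the AND/OR gate structure, computes the exact TOP event probability for independent basic events, compares it with the rare-event sum over the cut sets, and shows how a redundant interlock under an AND gate lowers the TOP event probability. The gate names, basic events and probabilities are all constructed assumptions.

```python
from itertools import product
from math import prod

# Constructed example fault tree (not from the notes). TOP event: a flammable
# release meets an ignition source. Gates map name -> (gate type, inputs); names
# starting with "E_" are basic events with constructed failure probabilities.
GATES = {
    "TOP": ("AND", ["G_RELEASE", "G_IGNITION"]),
    "G_RELEASE": ("OR", ["E_SEAL_FAIL", "G_VALVE_OPEN"]),
    "G_VALVE_OPEN": ("AND", ["E_VALVE_LEFT_OPEN", "E_INTERLOCK_FAIL"]),
    "G_IGNITION": ("OR", ["E_HOT_WORK", "E_STATIC_DISCHARGE"]),
}
PROB = {"E_SEAL_FAIL": 0.01, "E_VALVE_LEFT_OPEN": 0.05, "E_INTERLOCK_FAIL": 0.10,
        "E_HOT_WORK": 0.02, "E_STATIC_DISCHARGE": 0.005}

def cut_sets(node, gates=GATES):
    """Minimal cut sets of `node`: the smallest sets of basic events whose joint
    occurrence is sufficient to cause it. Returned as a set of frozensets."""
    if node not in gates:                      # basic event: it is its own cut set
        return {frozenset([node])}
    kind, inputs = gates[node]
    children = [cut_sets(i, gates) for i in inputs]
    if kind == "OR":                           # any one input failing suffices
        candidates = set().union(*children)
    else:                                      # AND: one cut set from every input
        candidates = {frozenset().union(*combo) for combo in product(*children)}
    # Absorption: a cut set that contains another cut set is not minimal
    return {c for c in candidates if not any(o < c for o in candidates)}

def probability(node, gates=GATES, prob=PROB):
    """Exact P(node) for independent basic events, none shared between branches."""
    if node not in gates:
        return prob[node]
    kind, inputs = gates[node]
    ps = [probability(i, gates, prob) for i in inputs]
    return prod(ps) if kind == "AND" else 1 - prod(1 - p for p in ps)

def rare_event_bound(node, gates=GATES, prob=PROB):
    """Rare-event approximation: sum over minimal cut sets of their event product
    (an upper bound on the exact value; close to it when probabilities are small)."""
    return sum(prod(prob[e] for e in cs) for cs in cut_sets(node, gates))

def with_second_interlock(gates=GATES, prob=PROB):
    """Redundancy: add an independent second interlock under the AND gate."""
    g = dict(gates, G_VALVE_OPEN=("AND", ["E_VALVE_LEFT_OPEN", "E_INTERLOCK_FAIL",
                                          "E_INTERLOCK2_FAIL"]))
    return g, dict(prob, E_INTERLOCK2_FAIL=0.10)
```

For this tree `cut_sets("TOP")` yields four minimal cut sets (two of size 2, two of size 3), the exact TOP probability is about 3.72e-4 and the rare-event sum is 3.75e-4; `probability("TOP", *with_second_interlock())` is lower than the original.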

Immediate, Necessary and Sufficient Causes

Read the Intermediate Gate event wording.
Identify all Immediate, Necessary and Sufficient events to cause the Intermediate
Gate event.
Structure the Immediate, Necessary and Sufficient causal events with appropriate
logic:
o Immediate: what is the most immediate direct cause
o Necessary: include only what is actually necessary
o Sufficient: include only the minimum necessary

Primary, Secondary and Control Causes

Consider the type of fault path for each Enabling Event and identify each causing
event as one of the following path types:
o Primary Fault: unplanned failure modes
o Secondary Fault: condition-based failure modes
o Command Fault: induced fault, sequential fault

Reliability Equations

Bow Tie Analysis


The Bow Tie analysis was developed for the oil and gas industries as a tool for the
development of safety cases.
It is designed for the management of risk rather than the detailed quantitative
assessment of risk.
It is a diagrammatic representation of the relationship between the management system
and the hazards being managed, linking hazards and their consequences through
event lines illustrating the routes to accidents.
Preventive and Recovery controls show the fundamental components of the safety
management system.
