Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mike Schmidt, SIS Consultant

Published byAshlyn Davis Modified over 9 years ago

Similar presentations

Presentation on theme: "Mike Schmidt, SIS Consultant"— Presentation transcript:

1 Mike Schmidt, SIS Consultant
Tolerable Risk— The Missing Link Between Risk Assessment and SIL Assignment Mike Schmidt, SIS Consultant

2 Presenter Mike Schmidt

3 Introduction Understand what SIL ratings are
Understand “tolerable risk” Getting a sense of tolerable risk Establishing a risk matrix for SIL assignment A quick review of SIL rating for those that aren’t familiar with them. An overview of the idea of tolerable risk, then we’ll do an exercise that let’s them get a sense of what the tolerable risk at their plant might be. Finally, an approach that allows us to take that tolerable risk and convert it into a tool we can use for SIL assignment.

4 What are SILs? “SIL” stands for Safety Integrity Level
SILs represent the difference between the process risk without a Safety Instrumented Function (SIF) and the tolerable risk SILs apply to each SIF, not to the SIS as a whole SILs establish the required reliability of an SIF SILs are calculated to demonstrate that a SIF, as designed and operated, has the required reliability to maintain the tolerable risk The letters S-I-L stand for safety integrity level. The idea of a SIL is that safety function has been designed that, by instrumentation, eliminates the risk a particular hazard. If the safety instrumented function, or SIF, worked perfectly all the time, the risk from that hazard would be zero. However, nothing ever works perfectly. How close to perfectly a SIF works is its SIL rating. One of the important ideas of SILs, then, is that they apply to each safety instrumented function, not a whole system. When you assign a SIL, you are saying there is this much risk without the SIF, and with the SIF, you want to reduce to a certain amount. Once a safety instrumented function is designed, reliability calculations can show if the SIF is reliable enough to reduce the risk to a tolerable level.

5 What are SILs? Safety Integrity Levels
Probability of Failure on Demand (PFDAVG) Risk Reduction Factor (RRF) SIL 4 10-4 > PFD > 10-5 10000 < RRF < SIL 3 10-3 > PFD > 10-4 1000 < RRF < 10000 SIL 2 10-2 > PFD > 10-3 100 < RRF < 1000 SIL 1 10-1 > PFD > 10-2 10 < RRF < 100 Safety Integrity Levels, or SILs, are inverse logs of the risk reduction. A SIL 1 means the risk has been reduced by at least a factor of 10, or in other words, it works perfectly when you need it to work at least 9 times out of 10. SIL 2 reduces risk by at least a factor of 100 – 102 – and works perfectly at least 99 times out of a hundred. SIL 3, a factor of 1000, or 103, and works at least 999 times out of thousand. There is a SIL 4 allowed in the standard, but in the process industries, it is generally accepted that any residual risk that requires four orders of magnitude reduction in risk really should not be relying on instrumentation for risk reduction and should go back to the drawing board for re-design. SIFs can also be N/R (not rated) for a SIL

6 Recommended approach: Risk Matrix
The challenge is to define “x”, the serious consequence, and “High”, the high frequency After that, the categories themselves are separated by orders of magnitude A typical approach to SIL assignment, but certainly not the only one, is to use a Risk Matrix. Risk is a product of consequence and likelihood, and the two properties scaled across the bottom and up the side. The consequence categories and likelihood categories, like the SILs themselves, are separated by orders of magnitude. The challenge for each company is to decide what the serious consequence is that the matrix should key to, and at what benchmark frequency.

7 Many companies already have something similar for PHAs
1 5 4 3 2 8 7 6 9 10 Severity (Consequence) Likelihood A lot of companies already have some kind of matrix in use, usually to prioritize recommendations from HazOps or other process hazard analysis. In this matrix, a “1” would mean something had better be done immediately, while a 10 would mean that no action at all is required.

8 Some typical likelihood categories
Frequent Occasional Seldom Remote Unlikely But what do they mean? More often than not, the categories are qualitative. In this example, the company uses “frequent”, “occasional”, “seldom”, “remote”, and “unlikely”, and then leaves it to the individual participants in the PHA to decide for themselves what they mean.

9 The categories are usually unevenly distributed
Typical definition of Likelihood Categories— Event occurs once a year Event occurs once every 10 years (~1 order of magnitude) Event occurs once every 50 years (~ ½ order of magnitude) Event occurs once every 150 years (~ ½ order of magnitude) Not likely to occur (??? orders of magnitude) Some companies avoid undefined terms, but then define likelihood a frequency intervals that are not uniformly spaced.

10 Consequence categories are worse
Severity (e.g. Consequence) – Loss of life; damage over $1 million Lost time injury; damage over $500k Medical treatment; damage less than $500k Minor injury; near miss; poor quality No injury, impact on process The same holds true for the severity in the consequence categories. If they are defined, the difference between one category and the next doesn’t seem to follow any orderly rule.

11 Converting an existing matrix
Adjust likelihood categories so they are one order of magnitude apart Adjust consequence categories so they are one order of magnitude apart Assign SILs to each box When you are beginning with an existing matrix with the intention of converting it to a SIL assignment matrix, the first step is to adjust the likelihood categories so they are one order of magnitude apart. After that, adjust the consequence categories so they are one order of magnitude apart. Finally, with likelihood and consequence categories in a rational separation, the last task is to assign SILs to each box to so that the whole matrix reflects your plant’s risk profile.

12 Building the Risk Matrix
So, beginning with the HazOp matrix we looked at before, lets take a look at likelihood. A “frequent” event occurs more often than once a year. The next order of magnitude is “occasional”. Unfortunately, the next log cycle spans two categories, and not quite exactly. Something needs to be done.

13 Adjust and consolidate
There are several ways the categories can be adjusted. In this approach, “Seldom” and “Remote” are combined and defined as more often than one event every 150 years. “Occasional” is adjusted so that it means more often than one event every 15 years, and “frequent” means an event more often than every 1.5 years. “Unlikely” remains the category of events that occur less often than once every 150 years. Notice that in this example, it wasn’t necessary to set the intervals at 1, 10, and 100 years. The intervals can be whatever makes sense, as long as they are an order of magnitude apart.

14 Or reconsider entirely
Given, that, it may have made just as much sense to throw out the old categories completely, and start from scratch. Categories separated at 5, 50, and 500 years would have been just as reasonable, and by some standards, even more appropriate.

15 SIS and consequences Personnel consequences – The primary purpose of an SIS Community consequences – Can be another important purpose of an SIS Environmental consequences – Sometimes part of the purpose of an SIS Site and operability – Usually not appropriate to include in an SIS Once the likelihood categories are defined, there is still the task of defining the consequence categories. The universally used scale is of consequences to personnel. This is the scale absolutely required by the SIS standards. Another important consequence scale are community or societal consequences. Occasionally, environmental consequences also show up in one of these matrices. The important thing to keep in mind is that as a SIF for reducing the risk of a specific hazard is evaluated, the consequences of that hazard must be evaluated on each scale. The event will have the same frequency, regardless of the types of consequences considered, and the consequence that results in the highest SIL rules. There is a last type of consequence that some companies consider—one that I do not recommend. This is site and operability consequences of a hazard. One, it puts a dollar scale on the same matrix that has EHS and environmental consequences, and it is not a big leap to equate the EHS consequences to the dollar consequencses. Also, functions that protect against economic loss don’t really belong in an SIS or need to be burdened with the documentation requirements of the SIS. My suggestion is to leave the economically driven functions in the basic process control system, and not to give them SIL ratings.

16 Fatalities Disabilities Injuries First aids Near misses
The Accident Triangle Fatalities Disabilities Injuries First aids Near misses If separating likelihood into categories separated by orders of magnitude was hard, it’s nothing compared to separating consequences into categories. At least frequency is already a number. If you can figure out one, dividing it by 10 or multiplying it by ten is not controversial. Consequence is a completely different case. Safety instrumented functions usually deal with a fatality or a few fatalities as the most extreme case. If one fatality is the worst consequence to consider, then what is a tenth of fatality, or a hundreth of a fatality. Some insight may come from the accident triangle with which we are all familiar.

17 H.W. Heinrich’s theory For 300 near misses, 29 first aids
For 29 first aids, 1 serious injury or fatality Basis of the safety pyramid. Something like orders of magnitude Heinrich, H.W., Industrial Accident Prevention: A Scientific Approach, 4th Edition, McGraw-Hill (New York), 1959. In the early twentieth century, H.W.Heinrich proposed the idea that for every fatality, there were a lot more less serious consequences that occurred, and that for the less serious consequences, there were even more near misses. From that simple observations grew the notion that if we could be more alert to near misses and reduce them, we would necessarily reduce the incidence of more severe consequences. The safety pyramid. While premise of the safety pyramid has recently been called into question, there is still Heinrich’s original observation. Near misses, first aids, and fatalities are each separated by about an order of magnitude.

18 Cost of Occupational Injuries
First aid $292 Temporary injury $2782 (9.5x) Permanent partial $15,342 (5.5x) Permanent total $113,372 (7.4x) Fatality $612,150 (5.4x) Leigh, J.Paul, Steven Markowitz, Marianne Fahs, Philip Landrigan, Cost of Occupational Injuries and Illnesses, University of Michigan Press, 2000. Other researchers have looked into, not the value of a life, but the cost of a fatality, along with other types of injuries. Again, beginning with a fatality as the most costly consequence, permanent injuries are about an order of magnitude less, temporary injuries are about another order of magnitude less, and first aids yet another order of magnitude less.

19 Cost of Accidents Reportable without lost work day $7,000
Reportable with lost work day $28,000 (4x) Fatality $910,000 (32.5x) Mine Safety and Health Administration, “Cost of Accidents”, The Mine Safety and Health Administration website, in its efforts to get mine operators to appreciate the value of reducing accidents, has published this information on the cost of accidents on its web site. Again, the data supports the idea that consequences can be categorized, and that the categories fall about an order of magnitude apart.

20 From the literature Fatalities ~$1,000,000 Serious injuries ~$100,000
Injuries (reportables) ~$10,000 First aids (non-reportables) ~$1,000 A general review of the literature supports this idea. The values range, and the methodologies are as different as the number of researchers and the source of their funding. But in general, severity of consequences, when reduced to dollars, seems to be separated by orders of magnitude.

21 Relative cost of consequences
Fatalities 1.0x Serious injuries 0.1x Injuries (reportables) 0.01x First aids (non-reportables) x One does not have to agree that the cost of a fatality is any certain amount. The values themselves are not important. What is important is the idea that for the purposes of developing consequence categories, certain levels of equivalencies can be used.

22 Aligns with some of the consequence categories
Severity (e.g. Consequence) – Loss of life; damage over $1 million  Lost time injury; damage over $500k Medical treatment; damage less than $500k Minor injury; near miss; poor quality  No injury, impact on process  Coincidentally, or perhaps not, some of the consequence categories in our example align with these categories. In fact, implicit in our example company, they’ve chosen a category 1 economic loss that equates a fatality to $1,000,000.

23 The Risk Matrix If we use the equivalences implied in the literature, we can define consequence categories that are separated by orders of magnitude. When a fractional consequence appears, like one tenth of a fatality, that means that a consequence analysis shows that a fatality does not occur every time the event occurs. Something like one fatality per every 10 events.

24 What SIL goes in each box?
So, likelihood categories have been established that are separated by orders of magnitude, and consequence categories have been established that are separated by orders of magnitude. What remains is to assign SILs to each box.

25 This depends on tolerable risk
As an individual, what do you believe the tolerable risk should be for the facility? Take a moment to consider the mean time between fatalities that would be low enough to consider your facility safe. SILs represent the residual risk between what is left after all other layers of protection have been applied to a hazard, and the tolerable risk. What is the tolerable risk? Whether or not your facility has established a tolerable risk criteria for your facility, what do you believe it should be? Imagine that you were explaining the risk of your facility to your spouse, or your pastor. How infrequently would a fatality occur for you to be able to describe your facility as safe? Once a year? Once every 3 years? Once every 5000 years? Once every million years? What would be safe?

26 ALARP – Levels Set per UK HSE
Intolerable Risk 10-3 / man-year (worker) 10-4 /year (public) ALARP or Tolerable Risk Region The A-L-A-R-P principle was developed by the Health and Safety Executive of the United Kingdom. This principle states that risks should be reduced to a level that is “As Low As Reasonably Practicable.” In practice, the A-L-A-R-P principle first divides risk into the three areas: Intolerable Risk at the high end, Negligible Risk at the low end, and the Tolerable Risk that falls between the two. Risk in this A-L-A-R-P region can be tolerated as long all cost-effective measures to reduce risk have been put into place. Anyone operating a process with risks in the Tolerable Risk Region must demonstrate that they have achieved the lowest risk possible, taking into consideration cost vs. risk-reduction. 10-6 / man-year (worker) 10-6 /year (public) Negligible Risk

27 Government mandates Australia (NSW) - Hong Kong - Netherlands -
10-2 10-3 10-4 10-5 10-6 10-7 10-8 10-9 Australia (NSW) - Hong Kong - Netherlands - United Kingdom - Some countries have mandated upper and lower levels for tolerable risk. Most countries that have set levels use the average level of risk faced by the entire workplace population, regardless of occupation, as the upper limit for tolerable risk. In developed countries, that is one fatality per year per 1000 workers. The lower limits are generally two or three orders of magnitude lower. The Netherlands took a similar approach, but then declared that workplace risk should be 1% of general risk, because it is not voluntary risk. That results in levels that are 100 times lower than the levels set by most countries that set levels. These levels are some times called “bright lines”, especially when discussed in the United States, where there has been no success in setting levels. The issue was described like this: “A strict ‘bright line’ approach to decision making is vulnerable to misapplication since it cannot explicitly reflect uncertainty about risks, population within variation of susceptibility, community preferences and values, or economic considerations—all of which are legitimate components of any credible risk management process.” In other words, in the U.S., tolerable risk remains very much subject to the political process. The United States does not set tolerable risk levels, or offer guidelines.

28 Chemical industry benchmarks
10-2 10-3 10-4 10-5 10-6 10-7 10-8 10-9 Company I - Company II - Company III - Small companies - Almost all major companies in the chemical process industries have guidelines for tolerable risk. They usually don’t publish them, though. In fact, they are generally considered highly confidential. No company is going to announce to the public, “We proudly tolerate up to one fatality per year per thousand workers!” Some companies—especially smaller, local companies—do not have explicit guidelines, secret or otherwise. However, the risk that they tolerate can be inferred from the risk reduction measures they have put in place. Smaller companies without explicit guidelines generally tolerate greater levels of risk than their larger counterparts. This isn’t inappropriate. A small company, struggling to get established or to make payroll, is going to look at the amount of risk it can and must tolerate to get through the next year very differently from a company that is looking out over the next 100 years. A small company with a single plant will look at single event that occurs once every 250 years and may very well decide that once every 250 years might as well be never. A large company, with 50 similar plants around the world would look at that same risk as once every 250 years for each plant, but once every 5 years for the corporation and make a very different decision about whether the risk is tolerable. Every company has levels of risk they will not tolerate, and levels of risk below which they consider risk negligible. Large, multinational chemical companies tend to set levels consistent with international mandates Smaller companies tend to operate in wider ranges and implicitly, at higher levels of risk

29 Voluntary and “natural” risks—a comparison of fatality rates
Smoking a pack a day— 5.0 x 10-3/year or 5000 fatalities per year per million smokers Automobile accident— 1.5 x 10-4/year or 150 fatalities per year per million people Lightning strike— 1.0 x 10-7/year or 1 fatality per 10 years per million people The levels mandated by governments, or self-imposed by companies, can best be understood in terms of some of the risks to which people voluntarily expose themselves. That is not to say that risks like these should ever be compared to process risks in a public meeting. That is likely to just inflame the audience. But, for your own understanding, it is helpful to understand that the upper level for A-L-A-R-P is typically set at 1 x 10-3/year, or five times lower than the risk that smokers expose themselves to. If a chemical process had the same risk as smoking, it would be considered an intolerable risk. On the other hand, the risk of dying from a lightning strike would generally be considered a negligible risk. I’m sure that this consistent with your own personal risk management strategies. I’ll bet you have never even thought about investing in lightning protection at your home, and even in your plant, the lightning protection is for electrical equipment, not personnel. The risk of a fatality in a car accident is within the A-L-A-R-P region. We all recognize that driving has the potential for fatalities, but accept those because the convenience, the benefit is worth it. If it wasn’t there are things we could do as a society immediately, like lower the speed limit to 10 mph and drive tanks.

30 Plant A – 1 fatality/100 years
Assume that 1 fatality per 100 years is “safe” Exposed workforce ~ 250 workers (1 year / 250 man-years) x (1 fatality/100 years) = 1 fatality/25000 man-years = 4 x 10-5 fatalities/man-year = total tolerable risk Let’s get back to SIL assignment. I’m not going to ask anyone to share there personal tolerable risk, but my experience is that it is not at all uncommon for people to pick 100 years. I think it is because one hundred years is longer than anyone person’s career could be, but is short enough to be meaningful in terms of the life of a facility. Let’s further assume that at this facility, the workforce includes 250 workers that would be exposed to process risks. From there, the math is pretty straight-forward: the total tolerable risk is 1 fatality per 25,000 man-years, or 4 x 10-5 fatalities per man-year.

31 ALARP – Levels Set per UK HSE
Intolerable Risk 10-3 / man-year (worker) 10-4 /year (public) ALARP or Tolerable Risk Region 4x10-5 / man-year (worker) On the A-L-A-R-P diagram, 4x10-5 falls right in the middle of the Tolerable Risk Region. This is not an unreasonable place to be. 10-6 / man-year (worker) 10-6 /year (public) Negligible Risk

32 Process safety is only part of risk
Process safety is only part of the total tolerable risk Total tolerable risk = 4 x 10-5 fatalities/man-year Assume process safety risk is half = 2 x 10-5 fatalities/man-year It is important to keep in mind that the tolerable risk established in the prior exercise if for all fatalities in the plant. Not all fatalities result from process safety risks, from process hazards. There are still the slips, trips, and falls, the housekeeping issues, the electrical safety and confined space entry issues that much of a facility’s safety meetings focus on. For our purposes, let assume that only half of the risk comes from process safety risks or process hazards.

33 Tolerable risk per safety function
Process safety risk should not be allocated all to a single hazard Process safety risk = 2 x 10-5 fatalities/man-year Assume workers are each exposed to about 5 potentially fatal hazards N/R ≤ 4 x 10-6 fatalities/man-year SIL 1 ≤ 4 x 10-5 fatalities/man-year SIL 2 ≤ 4 x 10-4 fatalities/man-year SIL 3 ≤ 4 x 10-3 fatalities/man-year SIL 4 or re-design > 4 x 10-3 fatalities/man-year Although we’ve assumed that no more than half of the risk comes from the process hazards, we need to consider all of the process hazards that could lead to a fatality. Unless there is only one potentially fatal hazard, not all of the process safety risk can be allocated to a single hazard. One approach is to consider the number of potentially fatal hazards that an individual may be exposed to, and then distribute the “risk budget” over those five hazards in establishing SIL selection criteria. Other hazards, although not expected to be fatal, can then use the same criteria.

34 Putting a stake in the ground
With the tolerable risk criteria settled, then the next step is to assign a SIL to one of the boxes in the matrix. For this examples, let’s look at box 2-2.

35 The middle of the box 4.7 years is the log mean of the box
0.32 fatalities per event is the log mean of the box (1 event/4.7 year) x (0.32 fatalities per event) x (1 yr/250 man-year) = 2.7 x 10-4 fatalities/man-year SIL rating = SIL 2 We want to consider the risk at the middle of the box. Since the scale is logarithmic, the middle of the box on the likelihood scale is the log mean of 1.5 and 15 years. That is 4.7 years. The log mean of 0.1 fatalities per event and 1 fatality per event is 0.32 fatalities per event. Doing the math, the center of our target box has a risk of 2.7x10-4 fatalities per man year. Going back to our tolerable risk criteria, that is less than 4x10-4, so it translates to SIL 2.

36 The implied Risk Matrix
SIL 1 SIL 2 SIL 3 re-design Once we can assign SIL 2 to that box, completing the rest of the matrix is easy. The box to left is one order of magnitude less risk, so it is SIL 1. Everything to the left of that is not rated. Similarly, the box below is one order of magnitude less risk, so it is also SIL 1. Everything below that box is not rated. Filling in the rest of the matrix follows the same logic. When we’re finished, we have a Risk Matrix that can be used for SIL assignment for all SIFs, whether or not fatal consequences are anticipated. Interestingly enough, when the Risk Matrix is finished, it spells out the criteria for assigning a SIL to a SIF without ever explicitly acknowledging a tolerable risk. The tolerable risk is only implied.

37 Reverting to the PHA matrix
1 = re-design 2 = SIL 3 3 – 4 = SIL 2? 5 – 7 = SIL 1? 8 – 10 = N/R 1 = SIL 3 2 = SIL 2 3 or 4 = SIL 1 5 and up = N/R How about that original PHA priority matrix. An overlay of the two matrices reveals that we’ve concluded that any hazard that was assigned a priority of 1 is so risky that we would recommend a process redesign, rather than rely solely on a safety instrumented function to reduce the risk. Priority 2 hazards translate directly to SIL 3 SIFs. Below that, correspondence is not perfect. We could take the original PHA matrix and say that anything that had a priority of 3 or 4 should have SIL 2 SIF, but we end up with one box that is over-classified. By the same token, we could say that priority 5, 6, or 7 should have a SIL 1 SIFs, but again, some boxes get over-classified. There is no harm in overclassified SIFs except for the costs associated with them. There is some consolation that, in this case, we can say that anything that gets a priority of 8, 9, or 10 does not need a SIL-rated SIF. Another approach is to simply recognize that, although similar, the PHA priority matrix will not convert directly to a SIL assignment matrix, and leave it at that. or, recognize that the PHA priority matrix will not convert directly

38 Plant B – 1 x 10-6 fatality/man-year
Intolerable Risk 10-3 / man-year (worker) 10-4 /year (public) ALARP or Tolerable Risk Region Now let’s consider Plant B. It is very similar to Plant A, with the same number of exposed workers and the same number of potentially fatal hazards. In this case, however, senior management has declared that risk needs to be reduced to the level considered “negligible” on the A-L-A-R-P diagram. That is, less than one fatality per million man-years. 10-6 / man-year (worker) 10-6 /year (public) Negligible Risk

39 Plant B – 1 x 10-6 fatality/man-yr
Total tolerable risk = 1 x 10-6 fatality/man-year Process safety risk = 5 x 10-7 fatality/man-year Workers exposed to 5 potentially fatal hazards N/R ≤ 1 x 10-7 fatalities/man-year SIL 1 ≤ 1 x 10-6 fatalities/man-year SIL 2 ≤ 1 x 10-5 fatalities/man-year SIL 3 ≤ 1 x 10-4 fatalities/man-year SIL 4 or re-design > 1 x 10-4 fatalities/man-year The portion of total risk to an individual attributable to process safety risk would again be half, or 5x10-7 fatalities per man-year. Once again, with each individual worker exposed to about five potentially fatal hazards, the threshold for avoiding a SIL-rated SIF is 1x10-7 fatalities per man-year. Likewise, SIL 1 is less than 10-6, SIL 2 is less than 10-5, and SIL 3 is less than In the process industries, anything larger than 10-4 would first need to be re-designed to reduce the hazard before a safety instrumented function for risk reduction was even considered.

40 The middle of the same box
(1 event/4.7 year) x (0.32 fatalities per event) x (1 yr/250 man-year) = 2.7 x 10-4 fatalities/man-year SIL rating = SIL 4 or re-design Looking at the same box, we end up with still end up with a risk of 2.7x10-4 fatalities per man-year. The plant is the same so the risk is the same. What’s difference is the tolerable risk. In the case of Plant B, the tolerable risk is set at a much lower level, and so in this case, the risk is not quite low enough to meet the SIL 3 rating.

41 The implied Risk Matrix
SIL 2 SIL 3 re-design re-design SIL 1 SIL 2 SIL 3 re-design re-design SIL 1 SIL 2 SIL 3 re-design SIL 1 SIL 2 SIL 3 As in the first example, the rest of the matrix is easily populated. Because of the difference in tolerable risk, the SIL assignments have shifted toward the lower left hand corner.

42 Variations to consider, depending on risk philosophy
Define SIL based on upper right corner, rather than the middle of the box. Most conservative approach, this increases SIL by one. A variation to consider, depending on risk philosophy is what part of a box to benchmark to. In our examples, we took the center of a box. If the upper right corner is used instead, the result will be a SIL assignment that is higher by one level. This is clearly the most conservative approach.

43 Fewer categories A 5x5 matrix is probably the largest workable matrix. A 3x3 matrix is probably smallest workable matrix. Another variation to consider is the number of categories for both likelihood and for consequence. Typically, a 5x5 matrix is the largest workable matrix. Larger than that, and the team doing risk assessment will probably spend more time debating categories than is warranted. By the same token, if the matrix is smaller than 3x3, it is unlikely to have enough detail to be worthwhile. In general, it is a good idea to extend the matrix far enough to the left to get a column of all non-rated SIFs, or else all SIFs, regardless of risk, will end up being SIL rated. By the same token, there is no reason to extend the matrix further to the left than a column that is all “N/R”, or further to the right than is all “re-design”. For that reason, I recommend a 3x4 or 3x5 matrix.

44 Adjust categories While categories should be separated by orders of magnitude, the significant figure can be whatever is consistent with an organization’s philosophy of risk. We talked earlier about setting the likelihood categories at intervals other than 1, 10, and 100 years, as long as they are separated by orders of magnitude. The same holds true for consequences. Some companies don’t want to use a single fatality as their benchmark consequence. Rather they want to consider “fatalities”. That may mean two fatalities, three fatalities, or some higher number. When 3 is used, it has the advantage of having a log mean of 1 to represent the center of the box.

45 Business Results Achieved
A Risk Matrix for SIL assignment never explicitly states the tolerable risk. Likelihood and consequence only need order-of-magnitude estimates, reducing the extent of calculations required or the number of conflicting opinions that must be resolved, resulting in less cost to assign SILs. The Risk Matrix can be broadly applied and results in consistent treatment of hazards and risks, with much less under- or over-specification, resulting in lower total cost of safety instrumented system. When a company establishes a risk matrix for SIL assignment, it is distributed fairly broadly. To the extent that a company is uncomfortable publicizing its tolerable risk criteria, the risk matrix approach to SIL assignment does not require an explicit statement of tolerable risk. Because likelihood and consequence only need be estimated to the nearest order of magnitude, most SIL assignments can be made without using detailed and expensive quantitative risk analysis techniques. It is usually easy to get agreement, based solely on the experience of the risk assessment team, that an event is likely to occur between 10 and 100 years, rather than spend the time determining whether it will be once every 47 years or once every 54 years. Quantitative risk analysis can then be saved for those hazards that are either expected to be very, very rare, or to have very, very large consequences. And even in those cases, the quantitative analysis only need be done if there is question about the SIL assignment of a particular SIF. Finally, Risk Matrix is easy to apply, and will result in hazards and their associated risks being treated similarly from project to project. This will result in much less under-specification with intolerably high risk, and much less over-specification with a resulting misallocation of limited safety resources.

46 Summary SIL assignment is based on orders of magnitude
A familiar risk matrix can be used to assign SILs, preferably with the likelihood and consequence categories are adjusted to orders of magnitude Tolerable risk is specific to an organization, and depends on its size and circumstances, government mandates, and industry standards Identical plants with identical risks will assign different SILs if their tolerable risk differs. There is no “Standard Risk Matrix”. To summarize SILs are based on orders of magnitude. It is not necessary to parse risk any finer than that. The risk matrix that most plants already recognize for assigning priorities in a PHA can be adapted to SIL assignment, as long as some effort is made to adjust the likelihood and consequence categories to orders of magnitude differences. The SIL assignments that go into a risk matrix depend not only on the risk categories of likelihood and consequence, but on the tolerable risk of the organization. Tolerable risk will depend on a whole range of characteristics, and naturally varies from organization to organization. Because tolerable risk can vary from organization to organization, there cannot be a standard risk matrix. Off-the-shelf solution must be adjusted to fit the needs each facility.

47 Questions?

48 Where To Get More Information
Heinrich, H.W., Industrial Accident Prevention: A Scientific Approach, 4th Edition, McGraw-Hill (New York), 1959. Leigh, J.Paul, Steven Markowitz, Marianne Fahs, Philip Landrigan, Cost of Occupational Injuries and Illnesses, University of Michigan Press, 2000. Mine Safety and Health Administration, “Cost of Accidents”, Health & Safety Executive, Reducing risks, protecting people—HSE’s decision-making process, HSE Books, 2001. Jones, David W., chairman, Guidelines for Developing Quantitative Risk Criteria, CCPS Guidelines Books, AIChE, due to be published in 2007. Emerson Process Management, SIS Consulting

Download ppt "Mike Schmidt, SIS Consultant"

Similar presentations

1 OBJECTIVES: TO HAVE A CLEAR IDEA ON HAZARD IDENTIFICATION, RISK ASSESSMENT & RISK CONTROL * TO UNDERSTAND THE METHODOLOGY TO PERFORM GROUP RISK ASSESSMENT.

1 OBJECTIVES: TO HAVE A CLEAR IDEA ON HAZARD IDENTIFICATION, RISK ASSESSMENT & RISK CONTROL * TO UNDERSTAND THE METHODOLOGY TO PERFORM GROUP RISK ASSESSMENT.
Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.

Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.
Accident and Incident Investigation

Accident and Incident Investigation
A Joint Code of Practice Objectives and Summary Presentation

A Joint Code of Practice Objectives and Summary Presentation
Risk Management Introduction Risk Management Fundamentals

Risk Management Introduction Risk Management Fundamentals
IEC – IEC Presentation G.M. International s.r.l

IEC – IEC Presentation G.M. International s.r.l
OSHA’s Voluntary Protection Program (VPP) Job Hazard Analysis Mishap reporting 1 This class is only intended to familiarize you with the programs in place.

OSHA’s Voluntary Protection Program (VPP) Job Hazard Analysis Mishap reporting 1 This class is only intended to familiarize you with the programs in place.
Integrated Risk Management and Risk Communications David DeGagne, Executive Director Centre for Risk Management Tel: 403-803-2367 Fax: 403-203-0706 Web:

Integrated Risk Management and Risk Communications David DeGagne, Executive Director Centre for Risk Management Tel: Fax: Web:
Managing Safety and Health, Overview Ron Hopkins, CFPS, CFEI TRACE Fire Protection and Safety Consultants. Ltd. Richmond, Kentucky.

Managing Safety and Health, Overview Ron Hopkins, CFPS, CFEI TRACE Fire Protection and Safety Consultants. Ltd. Richmond, Kentucky.
Module 3 UNIT I Copyright 2002, Information Spectrum, Inc. All Rights Reserved. INTRODUCTION TO RCM RCM TERMINOLOGY AND CONCEPTS.

Module 3 UNIT I " Copyright 2002, Information Spectrum, Inc. All Rights Reserved." INTRODUCTION TO RCM RCM TERMINOLOGY AND CONCEPTS.
PPRT PREVENTION DES RISQUES ET LUTTE CONTRE LES POLLUTIONS Safe Communities & a Sustainable Hazaedous Industry : Present and Future Discussion.

PPRT PREVENTION DES RISQUES ET LUTTE CONTRE LES POLLUTIONS Safe Communities & a Sustainable Hazaedous Industry : Present and Future Discussion.
Topic 4 - Risk Assessment Textbook pages 72–77. Learning outcomes By the end of the topic learners will have: Greater familiarity with risk assessment.

Topic 4 - Risk Assessment Textbook pages 72–77. Learning outcomes By the end of the topic learners will have: Greater familiarity with risk assessment.
“ Hard work and concern for the society is the key to success ” - O P Jindal On-site and Off-site Emergency Plans Based on Integral Risk Management – Key.

“ Hard work and concern for the society is the key to success ” - O P Jindal On-site and Off-site Emergency Plans Based on Integral Risk Management – Key.
Title slide PIPELINE QRA SEMINAR. PIPELINE RISK ASSESSMENT RISK ACCEPTANCE CRITERION 2.

Title slide PIPELINE QRA SEMINAR. PIPELINE RISK ASSESSMENT RISK ACCEPTANCE CRITERION 2.
Bureau of Workers’ Comp PA Training for Health & Safety (PATHS)

Bureau of Workers’ Comp PA Training for Health & Safety (PATHS)
Chapter 10 Health, Safety, and Preparedness

Chapter 10 Health, Safety, and Preparedness
Safety and Health Programs

Safety and Health Programs
EMPLOY THE RISK MANAGEMENT PROCESS DURING JOB PLANNING and EXECUTION

EMPLOY THE RISK MANAGEMENT PROCESS DURING JOB PLANNING and EXECUTION
Occupational health and safety

Occupational health and safety
Risk Analysis for Engineering Design J. M. McCarthy Fall 2003 Definitions Hazard Analysis Hazard Analysis Report Example for Mini Baja Nationally Recognized.

Risk Analysis for Engineering Design J. M. McCarthy Fall 2003 Definitions Hazard Analysis Hazard Analysis Report Example for Mini Baja Nationally Recognized.

Similar presentations

Ads by Google