Know thy risks

Sept. 1, 2003
Whether it’s a process plant or discrete manufacturing, when new equipment appears, the potential hazards and the methods for mitigating them had better be determined and documented.

There’s a new process line coming to your plant next month. It includes a boiler and a pressure vessel plus the requisite valves and pumps. One of the chemicals involved in the process is toxic to humans if released to the atmosphere. Do you know all the places where a potential hazard exists? Did the design engineering team identify these to you and show you how risks were mitigated during the design phase? Do you know what operating guidelines must be in place to avoid catastrophe?

Or, perhaps you manage a discrete manufacturing plant and that new piece of equipment is a metal-cutting machine. Then again, either type of plant may have a high-speed packaging line. Can an operator or technician be exposed to hazards to life or limb?

You’d better know, or you’ll look bad on the witness stand.

Standards bodies have developed guidelines for formal risk assessment along with quantitative methods for determining probability of occurrence. A summary of applicable standards can be found in “Standards Bodies Take on Safety,” beginning on page 40 in this issue. Within some of these standards are guidelines for formal risk assessment of processes, machinery or robotics.

“The mother of all safety standards is IEC 61508,” declares Robin McCrea-Steele, business development director of Irvine, Calif.-based Triconex Premier Consulting Services, a division of Invensys. The International Electrotechnical Commission (IEC) is a European standards-setting organization. “This standard defines safety instrumented systems for all industries. A set of sub-standards focus on specific industries. IEC 62061 deals with machinery, while IEC 61511 deals with process industries.”

Consequence plus likelihood

The basis of risk management, according to McCrea-Steele, is that risk is a function of the consequence of an event and the likelihood of an occurrence of that event.

“When you design a process unit,” he says, “part of the design is the determination of the inherent risk of the process. If you don’t do anything, then there is a certain inherent risk. You can mitigate this risk by reducing the consequence or likelihood of the event. In a refinery, for example, you could move the control room away from the area of a potential explosion to reduce the consequence to operators. Then perhaps you could reduce the risk with something like a pressure relief valve to mitigate the likelihood of a vessel exploding.”

All the relevant standards are based on following the lifecycle of a project from design to decommissioning.

McCrea-Steele offers this description of a lifecycle. “The first part is conceptual process design. Your professional engineer (PE) who is designing the process will detail the inherent risk levels in the design. Many risks will be mitigated through the design of pipes, vessels and other components. The next stage is a hazard and operability analysis (HAZOP). This is accomplished by a team from the plant, including operators, process engineers, instrumentation technicians, a senior manager familiar with the process, quality engineers, maintenance personnel and perhaps others.”

If a gap remains between the risk left after this first level of safeguards and the tolerable risk, a safety instrumented system is specified to provide the additional protection. McCrea-Steele continues, “The next step is to develop safety requirement specifications (SRS), which define all safety requirements. This will be the basis of all design, including what level of safety and what sort of redundancy will be required, how the redundancy process will vote, how proof testing will be defined. Then you build and validate that the design meets the SRS.”

Standards are under constant review, and ANSI/ISA S84 is up for review now. John Cusimano, marketing manager for process safety at Siemens Energy & Automation’s Springhouse, Pa., office, reports that the ISA 84 committee will effectively incorporate the latest IEC 61511 into the standard. “The standard does not tell you how to perform risk assessment,” Cusimano continues, “but it does tell you that you must do one.” Part 3 of IEC 61511 describes a number of different methods in use today. One of the more popular ones is layer of protection analysis, known as LOPA. Using this method, the user team performs its HAZOP review, then adds protection layers to mitigate the risk.
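As an added worked example (not from the article, Cusimano or any standards body), the LOPA gap calculation in Python: the mitigated event frequency is the initiating frequency times each existing layer’s probability of failure on demand, and whatever shortfall remains against the tolerable frequency is the risk reduction the safety instrumented system must provide. The scenario, its frequencies and its layer PFDs are constructed values; the SIL bands are the IEC 61508 low-demand ranges.

```python
"""LOPA gap check (added illustration, not from the article).

Mitigated frequency = initiating frequency x product of each independent
protection layer's PFD. The shortfall against the tolerable frequency is the
risk reduction factor (RRF) the SIS must supply. All numbers are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# IEC 61508 low-demand SIL bands as RRF ranges [low, high).
SIL_BANDS = [(10, 100, 1), (100, 1_000, 2), (1_000, 10_000, 3), (10_000, 100_000, 4)]

@dataclass
class Scenario:
    name: str
    initiating_freq: float  # unmitigated events per year
    tolerable_freq: float   # tolerable events per year for this consequence
    layers: dict = field(default_factory=dict)  # IPL name -> probability of failure on demand

def mitigated_freq(s: Scenario) -> float:
    """Event frequency after every existing IPL has had its chance to act."""
    f = s.initiating_freq
    for pfd in s.layers.values():
        f *= pfd
    return f

def required_rrf(s: Scenario) -> float:
    """Risk reduction the SIS must still provide; 1.0 means no gap."""
    return max(1.0, mitigated_freq(s) / s.tolerable_freq)

def sil_for_rrf(rrf: float) -> Optional[int]:
    """SIL implied by the RRF: None if existing layers already suffice,
    0 if a gap exists but falls below the SIL 1 threshold of RRF 10."""
    if rrf <= 1.0:
        return None
    if rrf < 10:
        return 0
    for low, high, sil in SIL_BANDS:
        if low <= rrf < high:
            return sil
    # Beyond SIL 4, instrumentation alone is not credible: reduce inherent risk.
    raise ValueError(f"RRF {rrf:.0f} exceeds the SIL 4 band")

# Constructed scenario: reactor overpressure with two existing IPLs.
REACTOR = Scenario("reactor overpressure", initiating_freq=0.5, tolerable_freq=1e-6,
                   layers={"BPCS pressure loop": 0.1, "relief valve": 0.01})

if __name__ == "__main__":
    rrf = required_rrf(REACTOR)
    print(f"{REACTOR.name}: needs RRF {rrf:.0f} -> SIL {sil_for_rrf(rrf)}")
```

Raising the tolerable frequency (a lower-consequence outcome) or adding an independent layer both shrink the RRF, which is the consequence-or-likelihood trade-off McCrea-Steele describes.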

Robot hazards

Fear of a big robot arm swinging wildly out of control, destroying property and striking people, still exists today, but the Robotic Industries Association (RIA) has taken an aggressive safety approach embodied in the ANSI/RIA 15.06 standard. The standard is applicable to machine guarding as well as robotic workcell guarding. It is also similar to the European ISO 13849-1, which began life as European Norm EN 954-1, Safety Related Parts of Control Systems.

Ray Butler, corporate business manager for safety products at Minneapolis-based Banner Engineering, discusses machinery safety and risk assessment. “One of the big things is to assure that corporations have some sort of a safety plan in effect. This plan must detail how to go from where they are today to where they need to be within a defined future,” he states.

One problem that must be addressed, but that is often overlooked, involves different generations of the same type of machinery. “As technology has evolved, some of the older machines may not be built to what are considered today to be good engineering practices,” Butler points out. “For example, a few years ago it was considered acceptable to put a standard limit switch on a door giving access into the machine. Those limit switches today are not considered reliable enough for this application, so switches built just for that application are available.”

Butler adds that the standards all strongly encourage risk assessment by committee. “I believe that using a strong safety committee for risk assessment demonstrates proper due diligence by the company.”

ISO 13849-1 specifies five safety categories: B, 1, 2, 3 and 4, while ANSI/RIA 15.06 discusses similar categories in section 4.5, “Safety Circuit Performance.” Butler provides thumbnail sketches of the categories, grouped together where similar. This discussion does not replace a reading of the entire safety standard.

ISO 13849-1

B—Safety related parts of the control systems and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence.

1—Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used. Using more reliable components lowers the probability of a failure to less than with Cat. B.

2—Requirements of B and the use of well-tried safety principles shall be used. Safety function shall be checked at suitable intervals by the machine control system.

ANSI/RIA 15.06 Robot and Robot Systems Safety Requirements

4.5.1 Simple—Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

4.5.2 Single Channel—Single channel safety circuits shall be hardware based, include components which should be safety rated, and be used in compliance with manufacturers’ recommendations and proven circuit designs.

ISO 13849-1

3—Requirements of B and the use of well-tried safety principles shall be used. Safety related parts shall be designed, so that a single fault in any of these parts does not lead to the loss of the safety function and whenever reasonably practicable, the single fault is detected.

When the single fault occurs, the safety function is always performed. Some but not all faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.

ANSI/RIA 15.06 Robot and Robot Systems Safety Requirements

4.5.3 Single Channel With Monitoring—Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.

ISO 13849-1

4—Requirements of B and the use of well-tried safety principles shall be used. Safety related parts shall be designed, so that a single fault in any of these parts does not lead to the loss of the safety function and the single fault is detected at or before the next demand upon the safety function.

While these standards currently have the force of law only in Germany (in part), following recommended standards and documenting decisions can go a long way toward protecting personnel, plant equipment and the community.

See sidebar to this article: Grow a (fault) tree