Probabilistic assessments of Safety Instrumented Function by considering the justification of cost-benefit using ALARP evaluation method

This paper addresses the conceptual design step, in which probabilistic calculations are done to show that a given design meets the performance requirements of the Safety Instrumented Function (SIF), while considering the justification of cost versus benefit. The average Probability of Failure on Demand (PFDavg) of a one-out-of-one (1oo1) sensing device was calculated with a simplified Markov model. The effects of an imperfect proof test and of the proof test interval on the value of PFDavg were then studied. Because a test cost is incurred at every device proof test, frequent testing over the device life cycle increases the cost while decreasing the PFDavg value and the risk of the sensing device. In this work, the relationship between the risk reduction achieved and the investment cost was investigated in detail using the As Low As Reasonably Practicable (ALARP) method. Based on the ALARP analysis, the optimized proof test interval was then evaluated.


Introduction
The SIS is a set of instrumentation hardware and software that controls the safety level of a process automation system in order to avoid undesirable conditions such as explosion, fire and leaks of hazardous chemicals. Following this view, the desired safety condition can be maintained by applying a SIS to the process system. The IEC 61511 standard (1) defines a Safety Instrumented System (SIS) as an "instrumented system used to implement one or more Safety Instrumented Functions (SIF). A SIS is composed of any combination of sensor, logic solver and final element". The SIF is intended to bring the process to a safe state and is designed to protect against damage to the health of people, to property or to the environment.
The level of risk reduction, or Safety Integrity Level (SIL), is obtained from the average Probability of Failure on Demand (PFDavg) of the sensing device, logic solver and final element. The IEC standard recognizes three modes of safety function operation: (a) Low Demand Mode, (b) High Demand Mode and (c) Continuous Mode (2). In Low Demand Mode, the safety function demand rate is no greater than once a year or no greater than twice the proof test frequency; in High Demand Mode, the demand rate is greater than once a year or greater than twice the proof test frequency; in Continuous Mode, the safety function operates as a continuous control function. This paper focuses on the SIL in Low Demand Mode, which is shown in Table 1.

Table 1. Safety Integrity Level (SIL) in Low Demand Mode

SIL    PFDavg
4      ≥ 10^-5 to < 10^-4
3      ≥ 10^-4 to < 10^-3
2      ≥ 10^-3 to < 10^-2
1      ≥ 10^-2 to < 10^-1

For decades, many researchers have focused on a variety of SIL assessment and implementation methods for process safety (3)(4)(5) and have considered the justification of cost-benefit (6). This paper focuses on the proof test of the sensing device, which affects the PFDavg value, by considering the justification of cost-benefit using the ALARP evaluation method. The simplified Markov model is used for calculating the PFDavg. A test cost is incurred at every proof test of the sensing device. If proof tests are frequent over the life cycle of the sensing device, the test cost increases while the risk or PFDavg value decreases. The As Low As Reasonably Practicable (ALARP) method is therefore used to determine the proper proof test interval.

Markov model and Proof Test method
The objective of the proof test is to reveal the dangerous undetected failures that cannot be detected by the online diagnostic test. Once all failures are revealed, the equipment can be repaired and will function as "new" upon restart (3). Such a proof test is called a "Perfect Proof Test". If some dangerous failures remain that cannot be detected during the proof test, the proof test is called an "Imperfect Proof Test". An imperfect proof test affects the PFD value, which then increases every year over the life cycle of the device.
The method for determining failure rates is the Failure Modes, Effects and Diagnostic Analysis (FMEDA), which is performed by manufacturers. The FMEDA is a systematic technique designed to identify problems. It is a "bottom up" method (7) that starts with a detailed list of all components within the system. The result of this analysis is the failure rate, divided into the safe detected failure rate (λSD), safe undetected failure rate (λSU), dangerous detected failure rate (λDD) and dangerous undetected failure rate (λDU).
In this paper, a Markov model is used; it is defined as a "memory-less" system in which the probability of moving from one state to another depends only upon the current state and not on the past history of reaching that state (7). The failure rates used for calculating the PFD with the simplified Markov model are λDD and λDU. The other factors for calculating the PFD are the Proof Test Coverage (PTC) and the Mean Time To Repair (MTTR). The PTC is the ratio of the undetected dangerous failures revealed during the proof test to the total undetected dangerous failures. The MTTR is the mean time to repair a module or element of the SIS. This mean time (in hours) is measured from the moment the failure occurs to the moment the repair is completed and the device is returned to service.
The simplified Markov model shown in Figure 1 consists of the following three states (4).
1) The OK state (state "0", S0) represents the situation where the SIF is operating correctly with no failures present.
2) The FDD state (state "1", S1) represents the situation where the SIF has failed dangerous detected.
3) The FDU state (state "2", S2) represents the situation where the SIF has failed dangerous undetected.

Fig. 1. Simplified Markov model
When a dangerous detected failure occurs, state "0" moves to state "1". When the failure is repaired, state "1" moves back to state "0"; this transition is represented by the restore rate (µo). Similarly, when a dangerous undetected failure occurs, state "0" moves to state "2"; dangerous undetected failures are only revealed and repaired during the proof test.
This paper examines a 1oo1 sensing device from a manufacturer who performs the FMEDA. For this device, λDD equals 1.898E-06 per hour, λDU equals 1.730E-07 per hour and MTTR equals 24 hours; the life cycle (Tl) of the device is taken as 10 years and the proof test interval (Ti) as 1 year (Ti=1).
The Markov model solution technique considered in this paper is a numerical one. The probability of being in any state can be obtained by simple matrix multiplication (7). To solve for the state probabilities, a row matrix holding the starting state probabilities ([1 0 0]) is multiplied by the square transition matrix shown in Equation (1). Each multiplication represents one discrete time increment (1 hour). The multiplication ends at 87600 hours, or 10 years, which is the device life cycle.
From Equation (1), PFD(t) can be calculated by summing S1 and S2 at each discrete time step (each 1 hour), and PFDavg can be calculated as in Equation (2).
PFDavg is the average Probability of Failure on Demand. Using this information, Figure 2 shows the PFDavg and PFD(t) for a perfect proof test (PTC is 100%), but it is quite unrealistic to assume that inspection and testing processes will detect all dangerous undetected failures (7). The proof test suggested by the manufacturer will detect 94% of the possible λDU failures (PTC is 94%). For this imperfect proof test, the PFDavg and PFD(t) are shown in Figure 3.

Fig. 2. PFDavg and PFD(t) from the perfect proof test

Fig. 3. PFDavg and PFD(t) from the imperfect proof test

Figure 3 shows that PFD(t) increases every year over the life cycle of the device. Comparing the PFDavg of the perfect proof test (Figure 2) with that of the imperfect proof test (Figure 3) shows that the PFDavg achieved with an imperfect proof test is higher than with a perfect proof test.

ALARP evaluation method
Because a test cost is incurred at every device proof test, frequent testing over the device life cycle increases the cost while decreasing the PFDavg value or risk of the device.
To evaluate whether the additional test cost is justified by the benefit of the decreased risk or PFDavg, the ALARP method is utilized; ALARP is the demonstrable process whereby "a risk is reduced so low that any further risk reduction would involve time, trouble, difficulty and cost which are grossly disproportionate to the additional risk reduction achieved." (8). This method can be used when the SIL of the SIF is derived from economic risks only.
The ALARP evaluation is done as follows (see also Figure 4):
1) Design each of the various alternative designs. This paper considers only the 1oo1 sensing device.
2) Establish for each design the required test intervals. The proof test method from the manufacturer is considered, and the proof test interval is varied from every 1 year, 2 years, 3 years and so on up to every 10 years over the device life cycle.
3) Do the ALARP evaluation for each improvement step and confirm the selection.

Fig. 4. ALARP evaluation method
To find the ALARP point, the PFDavg and the Life Cycle Cost (LCC) of the device are compared. The LCC of the device is the sum of the investment cost of the device (including purchase, design and installation) and the annual cost (test cost). The annual cost is considered in terms of present value (PV) at a fixed interval using the basic financial approach described by Harry L. Cheddie and Paul Gruhn (9). The PV can be calculated as follows.

where
M is the annual cost (test cost),
R is the interest rate (estimated at 5%),
N is the life cycle of the device (10 years).
In this paper, the case study from (6) is taken into account. It estimates the test cost per event of the device at 150 USD and the investment cost of the device, including purchase, design and installation, at 4,000 USD.
To verify the ALARP point, the Return on Average Capital Employed (ROACE) is used to check whether the benefits are proportionate to the additional investment cost. The ROACE, Equation (4), is expressed as a percentage (%), and the parameters for calculating the ROACE are shown in Table 2.

Note:
Additional OPEX (Operational Expenditure) is the test cost (in case the number of devices differs between the two designs) and the repair cost.

ROACE ≥ ROACE target (5)
where ROACE target is the specified minimum ROACE needed to justify an investment (typically taken as 15% to 20%). Equation (4) applies when the number of devices in the two designs differs. If the two designs are identical, i.e. the number of devices in this alternative design and in the lower alternative design is equal, the term "Additional Investment this alternative" is zero. In this case the ROACE cannot be calculated (8).
This paper considers only one sensing device, and the alternative designs differ by proof test interval. Only the test cost of the sensing device is taken into account, and the terms "additional OPEX" and "new risk" are neglected. Therefore, the "Additional Investment this alternative" in Equation (4) is replaced by "Additional test cost this alternative". The resulting Equation (6) is the one considered in this paper.
is the additional cost due to spurious trips caused by the "this alternative" design (not considered in this paper).
The case study from (6), which determines the SIL of the SIF using the Risk Graph method, is considered. The results of this case study are: the demand rate (interval between demands) is 1 year to 10 years; the economic consequence is 1 million USD, which is in category L3; there is a slight environmental consequence, which is in category E1; and there is no personal injury or health effect, which is in category C0. From Table 2, the total equivalent consequence, which is the sum of the economic, personal health and environmental consequences, equals 319706.27, and the demand rate equals 3.16. From these two parameters the initial risk can be calculated; the initial risk equals 101100.

Experimental Result
To determine the ALARP point, the PFDavg and Life Cycle Cost (LCC) for each proof test interval are calculated, the comparison between these parameters is plotted as a graph, and the ALARP point is then verified with ROACE to check whether the benefits are proportionate to the additional test cost. The ALARP point is determined by the following steps.

PFD avg and Life Cycle Cost (LCC) calculation
The PFD value is calculated from Equations (1) and (2). The LCC is calculated from the investment cost and the test cost using Equation (3). The results of these calculations are shown in Table 3, and Figure 5 is the comparison graph between PFDavg and LCC for each proof test interval. Figure 5 shows that frequent proof testing over the device life cycle increases the LCC while decreasing the risk or PFDavg. The intersection between Ti=3 and Ti=4 is the ALARP point. The risk reduction from Ti=10 to Ti=4 is proportionate to the investment cost, but the risk reduction from Ti=3 to Ti=1 is not, because the risk reduction is minor compared with the high LCC. Therefore, the justified proof test interval is Ti=4.
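As an added worked example (not the paper's code), the following Python reproduces the calculation chain of this section for Ti = 1 to 10 years: PFDavg from the three-state hourly Markov model built from the state transitions described in the Markov section and the paper's failure data, and LCC from the case-study costs. Because the paper's Equations (1) to (3) are not reproduced on this page, the transition matrix follows the state description, the PV uses the standard ordinary-annuity formula, and the annual test cost is prorated as 1/Ti tests per year; all three are assumptions.

```python
# Added example (not the paper's code); failure data and costs as quoted in the paper.
LAMBDA_DD = 1.898e-6   # dangerous detected failure rate, per hour
LAMBDA_DU = 1.730e-7   # dangerous undetected failure rate, per hour
MTTR_H = 24.0          # mean time to repair, hours
LIFE_H = 10 * 8760     # 10-year device life cycle in 1-hour steps (87600)
TEST_COST = 150.0      # USD per proof test event (case study value)
INVEST = 4000.0        # USD purchase, design and installation (case study value)
RATE, N_YEARS = 0.05, 10   # interest rate and life cycle used for the PV

def pfd_avg(ti_years, ptc=0.94):
    """Average PFD over the life cycle for proof test interval ti_years.

    States: s0 = OK, s1 = failed dangerous detected, s2 = failed dangerous
    undetected.  One step = one hour; the row vector [1 0 0] is multiplied by
    the hourly transition matrix at every step (assumed from the state
    description), and at each proof test the PTC fraction of s2 is repaired.
    """
    mu = 1.0 / MTTR_H                  # restore rate from state 1 to state 0
    s0, s1, s2 = 1.0, 0.0, 0.0
    ti_h = int(ti_years * 8760)
    total = 0.0
    for t in range(1, LIFE_H + 1):
        s0, s1, s2 = (s0 * (1 - LAMBDA_DD - LAMBDA_DU) + s1 * mu,
                      s0 * LAMBDA_DD + s1 * (1 - mu),
                      s0 * LAMBDA_DU + s2)   # s2 only cleared by proof test
        if t % ti_h == 0:              # imperfect proof test when PTC < 1
            revealed = ptc * s2
            s2 -= revealed
            s0 += revealed
        total += s1 + s2               # PFD(t) = S1 + S2
    return total / LIFE_H

def present_value(annual_cost, rate=RATE, years=N_YEARS):
    """Assumption: ordinary-annuity PV (the paper's Equation 3 is not shown)."""
    return annual_cost * (1 - (1 + rate) ** -years) / rate

def lcc(ti_years):
    """LCC = investment + PV of test cost; 1/Ti tests per year is assumed."""
    return INVEST + present_value(TEST_COST / ti_years)

def alarp_table(ptc=0.94):
    """PFDavg and LCC for Ti = 1..10 years, the inputs of the ALARP plot."""
    return {ti: (pfd_avg(ti, ptc), lcc(ti)) for ti in range(1, 11)}

if __name__ == "__main__":
    for ti, (p, c) in alarp_table().items():
        print(f"Ti={ti:2d} y  PFDavg={p:.3e}  LCC={c:8.2f} USD")
```

For Ti=4 and PTC 94% this model gives a PFDavg of roughly 3E-03, the same order as the 2.88E-03 reported in the Conclusion; the residual difference comes from details of the paper's Equations (1) to (3) that are not reproduced here.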

ROACE calculation for verifying ALARP
To verify whether the selected proof test interval (Ti=4) reduces the risk or PFDavg to the ALARP point, the ROACE method is utilized. Table 4 shows the proof test interval, the proof test frequency over the device life cycle and the test cost. The ROACE calculation in Table 2 is done as follows.
1) The equivalent consequence and demand interval are calculated from the information in (6).
2) Calculate the initial risk from item 3.
3) Calculate the benefits from item 5.
4) Calculate the additional test cost from item 9 and Table 4.
5) Calculate the depreciation from item 6.
The proof test intervals and the ROACE values calculated from these steps are compared in Table 5. According to Equation (5), the selected proof test interval is justified when ROACE ≥ ROACE target, where the minimum ROACE target is 15%. Therefore, the justified proof test interval is Ti=4 (proof test 2.5 times per device life cycle).

Conclusion
This paper focuses only on a 1oo1 sensing device. The PFDavg of the sensing device is calculated by a simplified Markov model. Different proof test intervals are taken into account in this study, and this factor significantly affects the risk or PFDavg value. The risk or PFDavg can be reduced by proof testing more frequently. In this case, a test cost is incurred whenever the device proof test is performed.
To demonstrate that the increased test cost is proportionate to the risk reduction or decreased PFDavg, the ALARP method is a tool for determining whether the selected proof test interval is justified; this method can only be used when the SIL of the SIF is derived from economic risks.
The optimized proof test interval of the sensing device in this paper is Ti=4, i.e. proof testing 2.5 times per device life cycle; the PFDavg for this proof test interval is 2.88E-03.
Finally, the PFDavg and ALARP calculation method and the proof test interval selection in this paper can also be applied to the final element, which is one of the three parts of a Safety Instrumented System (SIS).

Table 2. The parameters for calculating the ROACE
Risk reduction: the risk reduction offered by the "lower alternative" is the PFDavg of the "lower alternative" proof test interval. The risk reduction of the alternative under study is the PFDavg of the "this alternative" proof test interval.

Table 3. PFDavg and Life Cycle Cost (LCC)

Table 4. PFDavg, proof test frequency and test cost

Table 5. Comparison of proof test interval and ROACE