Design of functional safety for process automation by considering the justification of cost-benefit using the ALARP evaluation method

This paper addresses the design of functional safety for process automation in accordance with the IEC 61508/61511 standards. The functional safety design of a tail gas treating unit has been conducted in this study. The average probability of failure on demand was calculated using fault analysis and then used as the criterion for the safety instrumented function design in order to conform to the required safety integrity level (SIL). The results reveal that the architecture of the safety instrumented function, the test interval, and the test method have a significant impact on improving the average probability of failure on demand (PFDavg) of the process. In addition, the cost-benefit evaluation was justified from the asset and production loss consequence using the As Low As Reasonably Practicable (ALARP) method, in order to determine whether the additional investment in the higher SIL is justified by the additional risk reduction gained.


Introduction
In industrial automation processes, risks and hazards are very likely to occur because of the production process and the chemicals used. The consequences may include injury, loss of production and environmental damage. A Safety Instrumented System (SIS) is provided to reduce the risk from a process hazard; in other words, it is used to detect a specific hazard and bring the process to a safe state. For decades, many researchers have focused on the design and development of Safety Instrumented Systems in accordance with the IEC 61508/61511 standards [1,2]. Laihu Fang [3] presented the procedure to evaluate the Safety Integrity Level (SIL), as well as methods and techniques such as Layer of Protection Analysis (LOPA), Fault Tree Analysis (FTA), the risk matrix and the risk graph. T. Thepmanee [4] designed a safety instrumented function for a two-phase gas-liquid separator using the risk graph and calculated the average probability of failure on demand via a simplified equation, focusing on the significant parameters that affect the calculation, such as the test interval, the architecture and the test method. However, the selected process was not complicated, and the cost analysis of the safety instrumented function design was not performed. Later on, a cost-benefit analysis of the safety function for functional testing was studied [5]. G. E. Jolliffe [6] discussed the ALARP (As Low As Reasonably Practicable) assessment of the high cost of safety instrumented function design and installation by considering the relationship between the cost of the investment and the benefits received, including a compilation of case studies related to the introduction of ALARP. This paper addresses the design of safety functions for process automation. After the safety function is evaluated, the highest safety integrity level results from the asset and production loss consequence. The cost of capital relative to the benefits is then considered using ALARP for that SIL, to determine whether the additional investment in the higher SIL of the safety instrumented function is justified by the additional risk reduction gained.

Safety Integrity Level (SIL)
A safety instrumented system is used to prevent or mitigate hazardous situations to tolerable levels. The safety integrity of a safety instrumented system is identified as the Safety Integrity Level (SIL). A higher SIL means better safety performance of the SIS.
The IEC 61508 standard has categorized four overall safety integrity levels for continuous mode systems, referred to the average probability of failure on demand (PFDavg), as shown in Table 1.
Table 1 Safety integrity level.

Probability of a Failure on Demand (PFD)
PFD can be calculated from the failure rate and the test interval. The approximation of the probability of a failure on demand (PFD) is given by the following equation [1][2][3][4].
Where
λD = failure rate (failures per hour)
For PFDavg, it can be derived by integrating PFD(t) from 0 to the test interval Ti and dividing by the test interval. The equation is expressed as:
The average probability of failure on demand of a safety function for the SIS is determined by combining the average probabilities of failure on demand of all the subsystems (sensor, logic solver and final element). This can be expressed by:
PFDavg = PFDavg (SE) + PFDavg (LS) + PFDavg (FE) (4)
Where
PFDavg = the average probability of failure on demand of the safety function (in the test time interval)
PFDavg (SE) = the average probability of failure on demand of the sensor subsystem (in the test time interval)
PFDavg (LS) = the average probability of failure on demand of the logic solver subsystem (in the test time interval)
PFDavg (FE) = the average probability of failure on demand of the final element subsystem (in the test time interval)
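The following is an added example, not code from the paper, that carries the PFD calculation of this section through in Python. It uses the simplified single-channel (1oo1) approximation from the IEC 61508 references cited above, PFD(t) = λD·t and PFDavg = λD·Ti/2, combines the subsystems with Eq. (4), and maps the total onto the IEC 61508 low-demand SIL bands. It goes one step beyond the text by crediting a partial (on-line) test of the final element with a shorter interval for the fraction of λD it can reveal, which is the usual partial-stroke-test approximation. All failure rates, test intervals and the partial-test coverage are constructed sample values, and the element names are hypothetical.

```python
# Added example (not from the paper): PFDavg of a low-demand safety
# instrumented function from dangerous failure rates and test intervals.
# Per element: PFD(t) = lambda_D * t, PFDavg = lambda_D * Ti / 2 (1oo1).
# Subsystems are combined with Eq. (4): PFDavg = SE + LS + FE.
# Sample failure rates, intervals and coverage below are constructed values.

from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    """One 1oo1 element of a subsystem (sensor, logic solver or final element)."""
    tag: str                     # hypothetical tag name
    lambda_d_per_hour: float     # dangerous undetected failure rate, failures/hour
    full_test_years: float       # Ti1: interval of the full (off-line) proof test
    partial_test_years: Optional[float] = None  # Ti2: interval of a partial test
    partial_coverage: float = 0.0  # fraction of lambda_D the partial test reveals


def pfd_avg_1oo1(elem: Element) -> float:
    """PFDavg = lambda_D * Ti / 2 for a single element.

    If a partial test is defined, the covered fraction of lambda_D is credited
    with the shorter partial-test interval and the remainder with the full-test
    interval (constructed assumption: the common partial-stroke-test model).
    """
    if not 0.0 <= elem.partial_coverage <= 1.0:
        raise ValueError(f"{elem.tag}: partial_coverage must be within [0, 1]")
    ti_full_h = elem.full_test_years * HOURS_PER_YEAR
    if elem.partial_test_years is None or elem.partial_coverage == 0.0:
        return elem.lambda_d_per_hour * ti_full_h / 2.0
    ti_part_h = elem.partial_test_years * HOURS_PER_YEAR
    covered = elem.lambda_d_per_hour * elem.partial_coverage
    uncovered = elem.lambda_d_per_hour - covered
    return covered * ti_part_h / 2.0 + uncovered * ti_full_h / 2.0


def pfd_avg_function(sensors, logic_solvers, final_elements) -> dict:
    """Eq. (4): sum the subsystem PFDavg values (elements of a subsystem in series)."""
    se = sum(pfd_avg_1oo1(e) for e in sensors)
    ls = sum(pfd_avg_1oo1(e) for e in logic_solvers)
    fe = sum(pfd_avg_1oo1(e) for e in final_elements)
    return {"SE": se, "LS": ls, "FE": fe, "Total": se + ls + fe}


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand bands: SIL 4 [1e-5,1e-4), 3 [1e-4,1e-3),
    2 [1e-3,1e-2), 1 [1e-2,1e-1); 0 means no SIL is achieved."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def example_designs() -> dict:
    """Two constructed designs of one function: a base case with full tests
    only, and the same hardware with a quarterly partial test of the valve."""
    sensor = Element("PT-001", 5e-7, full_test_years=1.0)
    logic = Element("LS-001", 1e-7, full_test_years=1.0)
    valve_full = Element("XV-001", 2e-6, full_test_years=2.0)
    valve_partial = Element("XV-001", 2e-6, full_test_years=2.0,
                            partial_test_years=0.25, partial_coverage=0.7)
    return {
        "base": pfd_avg_function([sensor], [logic], [valve_full]),
        "partial_test": pfd_avg_function([sensor], [logic], [valve_partial]),
    }


if __name__ == "__main__":
    for name, r in example_designs().items():
        print(f"{name:13s} SE={r['SE']:.2e} LS={r['LS']:.2e} "
              f"FE={r['FE']:.2e} Total={r['Total']:.2e} -> SIL {sil_from_pfd(r['Total'])}")
```

In the constructed case the final element dominates the total, so shortening only its effective test interval moves the function from the SIL 1 band into SIL 2, which is the effect the paper reports for the test interval and test method.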

As Low As Reasonably Practicable (ALARP)
ALARP stands for "as low as reasonably practicable" and is the demonstrable process whereby a risk is reduced so low that any further risk reduction would involve time, trouble, difficulty and cost which are grossly disproportionate to the additional risk reduction achieved [7]. This paper applies the ALARP principle to evaluate the design of the safety instrumented function by using the ROACE equation. The design that meets the justification criteria is therefore ALARP. However, the ALARP evaluation is carried out for economic risk only.
The ALARP evaluation process can be done as follows:
1. Design each of the various alternative designs.
2. Establish the required test intervals for each design.
3. Do the ALARP evaluation by using the ROACE equation for each improvement and confirm the selection.
4. Finally, establish the target integrity level and the selected design.
Following the ALARP evaluation process, the justified alternative should be selected for implementation, and the integrity level of the selected 'ALARP' design becomes the target safety integrity level.
The justification of the higher design alternative (higher SIL) is based on the Return on Average Capital Employed (ROACE) of the additional benefits and costs of this alternative relative to the lower case (lower SIL). The ROACE is calculated as: (5)
Where
Ben = Benefits ($.y-1)
Dep = Depreciation per year ($.y-1)
ATC = Additional test costs ($)
ARC = Additional repair costs ($)
NR = New risk ($)
AI TA = Additional investment of this alternative ($)
The ROACE is expressed as a percentage. Both the numerator and the denominator may be positive or negative values. If the numerator is negative, the ROACE will be negative unless the denominator is also negative. The design is justified if:
Where ROACE target is the specified minimum ROACE to justify an investment (typically taken as 15 % to 20 %).
The parameters in equation (5) can be expressed as follows. Benefits (Ben) are calculated as:
Where
PFD LA = PFD of the lower alternative
PFD TA = PFD of this alternative
IR = Initial risk ($.y-1)
The initial risk (IR) is the risk without any safety function implemented. It is calculated as:
Where

TEC = Total Equivalent Consequences ($)
DI = Demand Interval (year)
The total equivalent monetary consequences (TEC) are the sum of the estimated losses calculated from the downtime and repair costs, the monetary equivalent of the personal safety consequences, and the monetary equivalent of the environmental consequences. The demand interval (DI) is the logarithmic average of the lower and upper limits of the selected demand rate category. For instance, if the demand rate category is 10 to 100 years, the logarithmic average is 31.6 years.
The depreciation per year (Dep) is the additional investment of the alternative divided by the depreciation period specified for the project (10 years). The Dep is calculated as: The additional investment of the alternative (AI TA) is calculated as: The additional investment of the alternative is the difference between the investment cost of the alternative and that of the lower alternative. The investment cost of the alternative (IC TA) is the sum of the investment costs of all components (tags) required to create the alternative design. The investment cost of the lower alternative (IC LA) is the sum of the investment costs of all components (tags) required to create the lower alternative design.
The additional test costs (ATC) are the difference between the test costs of the alternative (TC TA) and the test costs of the lower alternative (TC LA). The ATC is calculated as: The test costs of the alternative are the sum of the test costs of all components (tags) required for the alternative design. The test cost of each tag is calculated as the test cost per tag multiplied by the test frequency. Test costs include the cost of taking the unit down to facilitate a test that cannot be performed on-line. The test costs of the lower alternative are the sum of the test costs of all components (tags) required for the lower alternative design, with the test cost of each tag again calculated as the test cost per tag multiplied by the test frequency.
The additional repair costs (ARC) are the difference between the repair costs of the alternative (RC TA) and the repair costs of the lower alternative (RC LA). The ARC is calculated as: The repair costs of the alternative are the sum of the repair costs of all components (tags) required for the alternative design. The repair costs of the lower alternative are the sum of the repair costs of all components (tags) required for the lower alternative design.
The new risk (NR) is the additional cost due to spurious trips caused by the alternative design. The higher cost could be attributable to the possibly higher spurious trip rate of the alternative compared to the lower alternative design. The new risk is calculated as the difference between the sum of the yearly costs of safe failures of all safe-failure clusters (SFC) in the function of this alternative design and that of the lower alternative design. The NR is calculated as: First, the sum of the yearly costs due to safe failures of all SFCs of the lower alternative design is calculated. Then, the sum for this alternative is similarly calculated. The safe failure cost of this alternative minus the safe failure cost of the lower alternative is the new risk (the value could be negative). In case an SFC is safe fault tolerant, the yearly cost of a safe failure is taken as zero.
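As an added example, not code from the paper or from the Shell standard it cites, the script below builds the ROACE evaluation of a higher-SIL alternative (TA) against its lower alternative (LA) from the parameter definitions given in this section: IR = TEC / DI with DI the logarithmic average of the demand-rate category, Ben from the PFD difference times IR, AI TA, Dep over the 10-year depreciation period, ATC from per-tag test cost times test frequency, ARC, and NR from the safe-failure clusters with tolerant clusters counted as zero. The paper's Eq. (5) itself is not reproduced on this page, so the ROACE form used here, the net annual benefit (Ben − Dep − ATC − ARC − NR) divided by AI TA and expressed as a percentage, is an assumption that should be checked against the standard [7]. All tag names, costs, PFD values and the demand-rate category are constructed sample values.

```python
# Added example (not from the paper): ALARP justification of a higher-SIL
# alternative via ROACE, assembled from the parameter definitions in the text.
# ASSUMPTION: Eq. (5) is not shown on the page; ROACE is taken here as
#   ROACE = (Ben - Dep - ATC - ARC - NR) / AI_TA * 100 %.
# All tags, costs, PFDs and the demand-rate category are constructed values.

import math
from dataclasses import dataclass, field
from typing import Dict, Tuple

DEPRECIATION_YEARS = 10.0   # depreciation period specified for the project
ROACE_TARGET_PCT = 20.0     # minimum ROACE to justify an investment (15-20 %)


@dataclass
class Alternative:
    """One design alternative of a safety instrumented function."""
    name: str
    pfd_avg: float
    investment: Dict[str, float] = field(default_factory=dict)   # tag -> IC ($)
    tests: Dict[str, Tuple[float, float]] = field(default_factory=dict)  # tag -> (cost per test $, tests per year)
    repairs: Dict[str, float] = field(default_factory=dict)      # tag -> repair cost ($/y)
    sfcs: Dict[str, Tuple[float, bool]] = field(default_factory=dict)  # SFC -> (safe-failure cost $/y, safe fault tolerant?)

    def investment_cost(self) -> float:          # IC = sum over all tags
        return sum(self.investment.values())

    def test_costs(self) -> float:               # TC = sum of (cost per test x frequency)
        return sum(cost * freq for cost, freq in self.tests.values())

    def repair_costs(self) -> float:             # RC = sum over all tags
        return sum(self.repairs.values())

    def safe_failure_costs(self) -> float:       # tolerant clusters count as zero
        return sum(0.0 if tolerant else cost for cost, tolerant in self.sfcs.values())


def demand_interval(lower_years: float, upper_years: float) -> float:
    """DI: logarithmic average of the demand-rate category limits (10..100 y -> 31.6 y)."""
    return math.sqrt(lower_years * upper_years)


def initial_risk(tec: float, di: float) -> float:
    """IR = TEC / DI: yearly risk with no safety function installed ($/y)."""
    return tec / di


def roace(ta: Alternative, la: Alternative, tec: float, di: float) -> dict:
    """Evaluate this alternative (ta) against the lower alternative (la)."""
    ir = initial_risk(tec, di)
    ben = (la.pfd_avg - ta.pfd_avg) * ir            # Ben: risk reduction in $/y
    ai_ta = ta.investment_cost() - la.investment_cost()   # AI_TA
    dep = ai_ta / DEPRECIATION_YEARS                 # Dep
    atc = ta.test_costs() - la.test_costs()          # ATC
    arc = ta.repair_costs() - la.repair_costs()      # ARC
    nr = ta.safe_failure_costs() - la.safe_failure_costs()  # NR (may be negative)
    if ai_ta == 0:
        raise ValueError("no additional investment: ROACE is undefined")
    numerator = ben - dep - atc - arc - nr
    pct = numerator / ai_ta * 100.0                  # assumed Eq. (5) form
    return {"IR": ir, "Ben": ben, "AI_TA": ai_ta, "Dep": dep, "ATC": atc,
            "ARC": arc, "NR": nr, "ROACE_pct": pct,
            "justified": pct >= ROACE_TARGET_PCT}


def example_alternatives() -> Tuple[Alternative, Alternative]:
    """Constructed SIL 1 (lower) and SIL 2 (this) alternatives of one function."""
    la = Alternative("SIL1 design", pfd_avg=0.05,
                     investment={"XV-101": 40_000, "PT-101": 8_000},
                     tests={"XV-101": (500, 1), "PT-101": (200, 1)},
                     repairs={"XV-101": 800, "PT-101": 150},
                     sfcs={"valve": (1_500, False)})
    ta = Alternative("SIL2 design", pfd_avg=0.008,
                     investment={"XV-101": 40_000, "XV-102": 40_000, "PT-101": 8_000},
                     tests={"XV-101": (500, 1), "XV-102": (500, 1), "PT-101": (200, 1)},
                     repairs={"XV-101": 800, "XV-102": 800, "PT-101": 150},
                     sfcs={"valve": (3_000, False), "sensor": (500, True)})
    return ta, la


if __name__ == "__main__":
    ta, la = example_alternatives()
    result = roace(ta, la, tec=12_000_000, di=demand_interval(10, 100))
    for k, v in result.items():
        print(f"{k:10s} {v}")
```

With a constructed TEC of $12 M the ROACE comes out just above the 20 % target and the SIL 2 alternative is justified; lowering TEC to $8 M in the same call drops it well below the target, which is the sensitivity a practitioner should test before accepting the higher-SIL design.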

Lifecycle cost analysis (LCC)
Safety instrumented system expenditure is justified by completing a lifecycle cost analysis for the various options being considered. The lifecycle costs reflect the total cost of owning the system. By calculating the lifecycle cost, the various options can be analyzed in a more quantitative and consistent manner.
Table 2 describes the predominant costs incurred during the life of a safety system. The list is divided into initial fixed costs and annual costs [8].
Table 2 Breakdown of safety system costs.

Cost item            Comments
Initial fixed costs  i.e., the cost for design, purchasing, installation, commissioning, and operating the system
Annual cost (M)      i.e., maintenance and other ongoing costs associated with the system

Present value for annual costs(PV)
The present value of the annual costs is based on current interest rates and the predicted life of the system. These costs are added to the initial fixed costs to obtain the present value of all costs.
The PV is calculated by solving the given equation:
Where
M = the annual cost ($)
R = the interest rate (%)
N = the number of years (year)
The total lifecycle cost (LCC) for the life of the system is obtained by summing the initial fixed costs and the present value of the annual costs.
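The following added example (not code from the paper) works the lifecycle cost comparison of this section for two constructed design options. The paper's own PV equation is not reproduced on this page; the code assumes it is the standard uniform-series present value formula PV = M·((1+R)^N − 1) / (R·(1+R)^N), which reduces to M·N when the interest rate is zero, a case the formula itself cannot evaluate. The option names, cost figures, interest rate and system life are constructed sample values.

```python
# Added example (not from the paper): lifecycle cost (LCC) of design options
# from the Table 2 cost split. ASSUMPTION: PV of the annual cost M over N years
# at interest rate R is the uniform-series formula
#   PV = M * ((1+R)^N - 1) / (R * (1+R)^N),  with PV = M * N when R == 0.
# All option names, costs, R and N are constructed sample values.

from typing import Dict, Tuple


def present_value_annual(m: float, r: float, n: int) -> float:
    """Present value of an annual cost m paid for n years at rate r (fraction)."""
    if n < 0 or r < 0:
        raise ValueError("years and interest rate must be non-negative")
    if r == 0.0:
        return m * n          # no discounting: plain sum of the annual costs
    growth = (1.0 + r) ** n
    return m * (growth - 1.0) / (r * growth)


def lifecycle_cost(initial_fixed: float, annual: float, r: float, n: int) -> float:
    """LCC = initial fixed costs + PV of the annual costs (Table 2 split)."""
    return initial_fixed + present_value_annual(annual, r, n)


def compare_options(options: Dict[str, Tuple[float, float]], r: float, n: int) -> dict:
    """options: name -> (initial fixed cost $, annual cost $/y).
    Returns each option's LCC and the name of the cheapest one over the life."""
    lcc = {name: lifecycle_cost(init, annual, r, n) for name, (init, annual) in options.items()}
    cheapest = min(lcc, key=lcc.get)
    return {"lcc": lcc, "cheapest": cheapest}


# Constructed options: a SIL 1 design and a SIL 2 design with a second valve.
EXAMPLE_OPTIONS = {
    "SIL1 design": (48_000.0, 1_650.0),
    "SIL2 design": (88_000.0, 2_950.0),
}


def example_comparison(r: float = 0.08, n: int = 10) -> dict:
    return compare_options(EXAMPLE_OPTIONS, r, n)


if __name__ == "__main__":
    res = example_comparison()
    for name, cost in res["lcc"].items():
        print(f"{name}: LCC = ${cost:,.2f}")
    print("cheapest over the life:", res["cheapest"])
```

The LCC only ranks options by cost of ownership; which option is adequate is decided by the SIL assessment and the ALARP/ROACE evaluation above, so the cheapest design here is not automatically the selected one.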

Tail Gas Treating Process descriptions
Petrochemical and refinery processes produce harmful chemicals such as sulfur (S) and sulfur dioxide (SO2) as by-products, which can have negative effects on the host community and the environment. Although sulfur dioxide is colorless and non-flammable, it can affect the health of people in the host community surrounding the plant. Therefore, more than 95-97% of the sulfur must be recovered before release to the atmosphere in order to meet the requirements. Sulfur can be recovered by installing a sulfur recovery unit to convert gaseous hydrogen sulfide (H2S) into solid sulfur, together with a tail gas treating unit to increase the recovery rate up to 99.9%.
This research used the tail gas treating process shown in Fig. 1 for the study and evaluation of the safety instrumented functions that follow. The tail gas treating process starts from the tail gas derived from the sulfur recovery unit. The tail gas is heated in the tail gas heaters E-8671 and E-8676 before being sent to the reactor R-8671. Reacting with H2, the SO2, S, COS and CS2 in the tail gas are converted to hydrogen sulfide (H2S) via hydrogenation in the reactor. After this exothermic reaction, in which a large amount of energy is released, the high-temperature gaseous H2S is cooled in the reactor effluent cooler E-8672 (heat exchanger) and then in the contact condenser C-8671, which separates the gas phase (sulfur-removed tail gas) from the liquid phase (H2S/amine liquid mixture). The liquid solution is then forwarded to the amine absorber for H2S removal, and the treated gas is sent to the incinerator and released to the atmosphere. The sour water is cooled and sent back to the contact condenser C-8671.

Safety Integrity Level Assessment
Three safety instrumented functions, SIF-A, SIF-B, and SIF-C, for the above tail gas treating unit are evaluated with a target safety integrity level (SIL) as shown in Table 3. The assessment procedure can be found in [4]. The assessment of the risk of the faults that could occur, which would lead to the occurrence of the hazard in each event, was first performed by considering the demand rate (W), asset and production loss (L), personal safety (C), and the environment (E).

Design and PFD calculation
After the safety integrity level is assessed, a new design of the safety instrumented function, SIF2-A, is proposed. Following section 2.2, the PFDavg of the sensor, the logic solver, and the final element of the proposed architecture in various cases are calculated and shown in Tables 4-6. The test intervals Ti1 and Ti2 of the final element represent a full test and a partial test, respectively. The average probability of failure on demand PFDavg of each element in Tables 4-6 is summarized and totalled in Table 7. It can be clearly seen that the PFDavg (Total) of each of SIF2-A1 to SIF2-A4 is greater than 0.01, which does not meet the SIL 2 requirement. Only SIF2-A5 and SIF2-A6 satisfy the SIL 2 range.

Evaluation of the cost -benefit by ALARP
It was found that functional safety for process automation is costly in design, investment, maintenance and safety instrumentation when a high SIL is required. It is also difficult to install because of the limited space for the shutdown valve. To weigh the risk reduction against the cost and difficulty of installation, the safety integrity level assessment of SIF2-A was reviewed, and the highest SIL was found to result from the risk of asset and production loss. Analyzing and evaluating the trade-off between the benefits and the additional cost of safety integrity level 1 (SIL 1) versus level 2 (SIL 2) according to section 2.8.1 of Shell's standard [7], it was found that SIL 2 is appropriate for the current process, with the average probability of failure on demand (PFDavg) in the acceptable range of the ALARP method. SIF2-A3 (SIL 1) is compared with SIF2-A5 (SIL 2) for the assessment, as shown in Table 3; both are appropriate for the process but differ in the elements of the design, SIF2-A5 having more safety valves than SIF2-A3.
Fig. 2 The lifecycle costs and the average probability of failure on demand from the cost-benefit evaluation.
Fig. 2 shows the lifecycle cost (LCC) and PFDavg resulting from the cost-benefit evaluation. Table 8 shows the result calculated by Eq. (5) for the alternative design, based on the ROACE of the additional benefits and costs of the current alternative relative to the lower one. The value of ROACE was found to be 26.69%, greater than the target value ROACE target of 20%. This indicates that the additional cost of moving from SIF2-A3 (SIL 1) to SIF2-A5 (SIL 2) is justified by the additional risk reduction.
This study intentionally demonstrates the technique for completing the lifecycle cost analysis. However, the cost data are highly subjective and do not reflect the actual costs of any particular installation. Thus, data from the individual organization should be used for the assessment in order to obtain an accurate result.

Conclusion
The risk assessment of the proposed tail gas treating process identified the three crucial functions for the safety instrumented system by evaluating the safety integrity level with the risk graph method. Designs for each function were then proposed before analyzing the probability of failure on demand of each function for the safety instrumented function SIF2-A. The results showed that both the device architecture and the test method have an effect on the probability of failure on demand. Also, the cost-benefit assessment by ALARP evaluation with ROACE, comparing the designs SIF2-A3 and SIF2-A5 with safety integrity levels of SIL 1 and SIL 2 respectively, showed that the ROACE obtained from the analysis is 26.69%, greater than the target value of 20%. Thus, the additional cost of moving from SIF2-A3 (SIL 1) to SIF2-A5 (SIL 2) to reduce the risk is justified.

Table 3 Result of SIL assessment.

Table 4 Proposed architecture for sensor.
SIF No.  Architecture  Test Interval (Ti)  PFD avg (SE)

Table 5 Proposed architecture for logic solver.
SIF No.  Architecture  Test Interval (Ti)  PFD avg (LS)

Table 7 Safety instrumented function design SIF2-A.

Table 9 Lifecycle cost calculation.