Management of Safety Critical Elements as a Base for Risk Management of Major Accident Hazards
Mariana Bahadian Bardy, Det Norske Veritas, Rua Sete de Setembro 111/12th floor, mariana.bardy@dnv.com
Flávio Luiz Barros Diniz, Det Norske Veritas, flavio.diniz@dnv.com
Paula Silveira, Det Norske Veritas, paula.silveira@dnv.com
Prepared for Presentation at the American Institute of Chemical Engineers 2013 Spring Meeting, 9th Global Congress on Process Safety, San Antonio, Texas, April 28 - May 1, 2013
AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications. GCPS 2013
Keywords: safety critical element, barrier, major accident hazard
Abstract
Considering the already established relevance of barriers in avoiding Major Accidents, the objective of this paper is to present a methodology for the management of Safety Critical Elements (SCE): their identification, the definition of their relevance to each activity performed by the installation, and the establishment of alternatives and contingencies for the failure or absence of an SCE. The proposed methodology, adapted from methodologies in common use in the Offshore Industry to the Process Industries, is developed in 5 steps. Step 1 applies a Hazard Identification technique and indicates the Major Accident Hazards (MAH). In Step 2, bowtie diagrams are developed for the MAH and the SCE are identified. In Step 3, the SOOB (Summary of Operational Boundaries) identifies the activities that may proceed, may not proceed, or may proceed with caution when an SCE is defeated, and in Step 4 a Contingency Plan is developed to maintain operation for the cases the SOOB indicates as not permitted or permitted with caution. Finally, in Step 5, the prioritization of maintenance and inspection activities is defined for each SCE, including preventive maintenance routines, inspection routines and the definition of spares, where applicable. This methodology can help identify gaps and manage critical elements, consequently improving the performance of safety systems and increasing their availability.
1. Introduction and background
Recent accidents have indicated the importance of safety barriers in the management of major accidents, reducing their likelihood or minimizing their consequences. Buncefield, Texas City and Macondo, to name a few, have stated in their accident investigation reports the failure of safety barriers, or the non-existence of adequate ones, as potential causes of the major accident.
This paper presents a methodology for the management of Safety Critical Elements (SCE), adapted from methodologies in common use in the Offshore Industry to the Process Industries, covering their identification, the definition of their relevance to each activity performed by the installation, and the establishment of alternatives and contingencies for the failure or absence of an SCE.
Several references define SCE and how they must be managed, such as NORSOK [1], which indicates that Safety Critical Equipment is equipment that shall be in operation to ensure escape, evacuation and/or to prevent escalation.
According to HSE UK [2], any structure, plant, equipment, system (including computer software) or component part whose failure could cause or contribute substantially to a major accident is safety critical, as is any which is intended to prevent or limit the effect of a major accident.
For this paper, SCE are defined as indicated by HSE UK, as the barriers that can avoid or mitigate Major Accident Hazards.
2. Description of Methodology
For the systematic management of Safety Critical Elements, the methodology outlined in Figure 1 is proposed, covering the 5 steps described below.
Figure 1 Methodology for SCE Management
2.1 Step 1 Hazard Identification
The first step is to identify the accidental scenarios of the specific process under analysis. For that purpose, it is proposed to perform a Process Hazard Analysis (PHA) for the identification of accidental scenarios and their classification according to a Risk Matrix, defined by each company according to its risk management process. Figure 2 represents an example of a spreadsheet to be applied for the PHA.
Process Hazard Analysis (PHA)
System:    Hazard/Event Group:
Columns: 1. Hazard; 2. Causes; 3. Effects; 4. Freq; 5. Sev; 6. Risk; 7. Safeguards; 8. Final Freq; 9. Final Sev; 10. Final Risk; 11. Recommendations; 12. #
Figure 2 Example of PHA Spreadsheet
The spreadsheet has 12 columns and two classifications of the risk for each scenario. Columns 4, 5 and 6 hold the classification without considering the existing safety barriers for the scenario. The barriers are listed in Column 7, and Columns 8, 9 and 10 hold the classification of the risk considering that the barriers exist and are operating, or ready to operate, when needed.
For the classification of severity, likelihood/frequency and risk, a risk matrix shall be used, representing the risk tolerability of the company. An example of a risk matrix is shown in Figure 3, extracted from ISO 17776:2000 [3].
Figure 3 Example of Risk Matrix
Note that this matrix has 5 different severity ratings and analyzes four different effects: people, assets, environment and reputation. A common approach to defining Major Accident Hazards (MAH) is to consider those with the highest consequence classification, i.e. the ones classified with Severity Category 5 in the matrix of Figure 3, which represents multiple fatalities as the impact on people, extensive damage to the environment, massive effect on assets and major international impact on reputation.
The main advantage of selecting only the MAH to go to the Bowtie, as described above, is that the barriers related to those events can be clearly identified and consequently be managed properly and in a focused way. On the other hand, when there is no distinction between MAH and other scenarios with lower damage potential, the number of barriers to be managed increases, reducing the focus on the major impact scenarios, the MAH.
Note that some safety barriers are normally identified in this PHA and shall be reviewed and detailed in the next steps.
2.2 Step 2 Development of Bowties
The next step of this methodology is to develop bowtie diagrams for each of the MAH, or combination of MAH if applicable, as exemplified in Figure 4. The BowTie methodology is designed to give a picture of the risks, to help people understand the relationship between the risks and organizational events, to identify where the barriers in place can act, on prevention or on mitigation, and consequently to give a better overview of whether those barriers are enough to mitigate the risks related to the MAH.
Figure 4 Example of Bowtie
With a multidisciplinary team from the company, starting from a Top Event located in the center of the diagram, causes, preventive barriers, consequences and mitigating barriers are identified. Then, each barrier, preventive or mitigating, is classified as:
Critical: essential barrier to avoid the causes or associated consequences.
Non-critical: barrier that reduces likelihood or minimizes consequences, but does not avoid the occurrence of the top event or its associated effects.
Third Party: barriers, critical or not, whose management is not under the company's responsibility.
The responsible person or function can also be indicated on the bowtie for each barrier. The list of SCE is composed of the barriers classified as critical in each bowtie.
A Safety Critical Element (SCE) can be an Equipment, a System or a Procedure. In the example presented in Figure 4, for the Top Event Large Release of Flammable Gas from the Compression System, the following barriers were classified as Safety Critical Equipment or Systems: Safety interlocks; PSVs; Filter Pressure Drop Indication; Injection of Corrosion Inhibitor; Gas and Fire Detection System; Fire Fighting System; CFTV. The other critical barriers, such as the Mechanical Integrity Program and Emergency Planning, are considered Safety Critical Procedures. All of these critical elements (equipment, systems and procedures) shall be managed, but especially for the equipment and systems, contingency procedures shall apply when they are operating under degraded conditions or are out of operation. As part of this scope, a Summary of Operations Boundaries (SOOB) analysis is carried out, as described below.
2.3 Step 3 Development of SOOB
Step 3 of this methodology consists of developing the Summary of Operations Boundaries (SOOB) analysis. This is based on a matrix that crosses the main operations and activities with the Operational Risk Factors. Operational Risk Factors include controls identified in the BowTie analysis that are under reduced effectiveness, and risk factors such as severe weather/sea conditions. The matrix is completed row by row by reviewing all combinations.
The main objective is to examine whether operations can be permitted or must be prohibited when certain controls have been defeated or are running under reduced effectiveness, and whether operations can proceed in the case of external factors that can potentially influence the risk of carrying out these operations, e.g. severe weather conditions.
This distinguishes when a stop-work is applied from when a proceed-with-caution condition applies, as indicated by IADC [4]. A traffic light system may be applied, indicating:
Red: stop the work or do not proceed;
Yellow: evaluate conditions, perform risk analysis or implement additional protection;
Green: continue normal operation.
Note that the activities will vary depending on the type of installation. Some examples are: loading or unloading of trucks or railcars; operation above normal conditions; increase of capacity; confined space entry; working at height.
An example of the analysis, for a Gas Detection System failure: work at heights and confined space entry are permitted; normal operation and loading/unloading may proceed with caution, requiring additional evaluation; and operation above normal conditions, increase of capacity and hot work are not permitted.
Operations vs. Operational Risk Factors
Operations (columns): (1) Normal Production Operation; (2) Above Normal Conditions; (3) Increase of Capacity; (4) Loading/Unloading Truck; (5) Loading/Unloading Railcar; (6) Confined Space Entry; (7) Hot Work; (8) Working at Heights.

Operational Risk Factor (SCE defeated)   (1)  (2)  (3)  (4)  (5)  (6)  (7)  (8)
Safety interlocks                        RA   X    X    RA   RA   P    RA   RA
PSVs                                     RA   X    X    RA   RA   P    P    RA
Filter Pressure Drop Indication          RA   RA   RA   NA   NA   NA   NA   NA
Injection of Corrosion Inhibitor         RA   RA   RA   NA   NA   NA   NA   NA
Gas and Fire Detection System            RA   X    X    RA   RA   P    X    P
CFTV                                     P    RA   RA   RA   RA   P    P    P

P - Permitted; RA - Perform Risk Analysis; X - Do not Proceed
Figure 5 Example of SOOB Matrix
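As an added worked example (not code from the paper or from DNV), the Figure 5 SOOB matrix encoded as data with a lookup that returns the traffic-light status of every operation for a given set of defeated SCEs. It reproduces the Gas Detection System case of Step 3 and, as our own extension beyond the paper, combines several simultaneously defeated SCEs by taking the most restrictive status per operation; the "NA" handling (no effect) is also an assumption.

```python
from typing import Dict, Iterable, List

# Operations (the columns of the Figure 5 SOOB matrix), in the paper's order.
OPERATIONS = (
    "Normal Production Operation", "Above Normal Conditions",
    "Increase of Capacity", "Loading/Unloading Truck",
    "Loading/Unloading Railcar", "Confined Space Entry",
    "Hot Work", "Working at Heights",
)

# Rows of Figure 5: status of each operation when that SCE is defeated.
# P = permitted, RA = perform risk analysis, X = do not proceed,
# NA = no entry in the paper's matrix (treated here as "no effect").
SOOB = {
    "Safety interlocks":                "RA X  X  RA RA P  RA RA".split(),
    "PSVs":                             "RA X  X  RA RA P  P  RA".split(),
    "Filter Pressure Drop Indication":  "RA RA RA NA NA NA NA NA".split(),
    "Injection of Corrosion Inhibitor": "RA RA RA NA NA NA NA NA".split(),
    "Gas and Fire Detection System":    "RA X  X  RA RA P  X  P".split(),
    "CFTV":                             "P  RA RA RA RA P  P  P".split(),
}

# Traffic-light ranking. Combining several defeated SCEs by taking the most
# restrictive status is our assumption; the paper rates one SCE at a time.
RANK = {"NA": 0, "P": 1, "RA": 2, "X": 3}


def operation_status(defeated: Iterable[str]) -> Dict[str, str]:
    """Status of every operation, given the SCEs currently defeated."""
    result = {op: "P" for op in OPERATIONS}  # nothing defeated: all permitted
    for sce in defeated:
        if sce not in SOOB:
            raise KeyError(f"{sce!r} is not a row of the SOOB matrix")
        for op, status in zip(OPERATIONS, SOOB[sce]):
            if RANK[status] > RANK[result[op]]:
                result[op] = status
    return result


def by_status(defeated: Iterable[str]) -> Dict[str, List[str]]:
    """Group operations by traffic light, as a contingency plan lists them."""
    groups: Dict[str, List[str]] = {"P": [], "RA": [], "X": []}
    for op, status in operation_status(defeated).items():
        groups[status].append(op)
    return groups


if __name__ == "__main__":
    # Reproduces the paper's Gas Detection System example (section 2.3).
    for status, ops in by_status(["Gas and Fire Detection System"]).items():
        print(f"{status:>2}: {', '.join(ops)}")
```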
2.4 Step 4 Definition of Contingency Plan
Step 4 of this methodology consists of the definition of a Contingency Plan for each SCE. The immediate response actions that will normally be applied are: to stop or limit operations to within the limits of the remaining barriers; or to identify and assess any temporary substitute safety system barrier that may be implemented to support continued operation. The company shall establish and document contingency procedures and a system for the approval and control of SCE to be used when these are under degraded conditions or out of operation. The following items shall be considered:
Implementation of equivalent alternative controls;
Limitation and reduction of production;
Isolation and stopping of equipment, systems or installations;
Deadline for which the temporary procedure is allowed until corrective measures are taken.
A specific contingency plan is then developed for each SCE, using, for instance, the example indicated in Figure 6.
SCE: Gas Detection System (SCE Responsible: Maintenance Manager)
Permitted Activities: Confined Space Entry; Working at heights
Activities with Restriction: Normal Production; Loading/Unloading
Prohibited Activities: Hot work; Operation above normal conditions; Increase of capacity

Permitted Activities: no limitation for the development or continuation of the activity, even with loss of the SCE.
Prohibited Activities: not allowed to perform the activity, which must be interrupted, even with alternative procedures.

Alternative Procedures for Activities with Restriction (Activity; Alternative procedure; Deadline; Responsible):
Normal production; normal production to continue with one extra Operation Supervisor per shift, with focus on Control Room supervision; one month; Operation Manager.
If the SCE is not returned to full operation after the first deadline; reduce production and safe stop production; -; Operation Manager.
Loading/unloading; perform loading/unloading activities with one extra field operator; one month; Operation Manager.
Figure 6 Example of Contingency Plan for SCE
2.5 Step 5 Definition of Maintenance and Inspection Prioritization
The final step in the implementation of this methodology for the Management of SCE is to incorporate into maintenance and inspection routines and procedures the prioritizations that follow from the findings of the SCE analysis. Some important points shall be considered:
Guarantee that all SCE are classified as high priority in maintenance routines;
Guarantee no delays in inspection routines for the elements associated with MAH and classified as SCE;
Evaluate the need for spares of SCE, where applicable.
3. Conclusion
As initially indicated, this paper presents a 5-step methodology for the management of SCE, defined here as the safety barriers that can avoid or mitigate Major Accident Hazards. The objective of each step, as well as a practical approach and examples, are presented, adapting methodologies in common use in the Offshore Industry to the Process Industries.
As an extension of this work, some improvements can be implemented. One is the inclusion of procedures in the analysis, after the identification of the critical procedures, with a guarantee of correct training or certification of operators. Another relevant aspect is to incorporate a 6th step in the above methodology for the management of SCE: the audit of the process of management of the critical barriers.
Finally, it is important to note that this methodology was developed with the intention of supporting companies in managing Safety Critical Elements systematically and complying with relevant regulations and best practices.
References
[2] Health and Safety Executive, A guide to the Offshore Installations (Safety Case) Regulations 2005, item 83, 3rd Edition, London, 2006.
[3] ISO 17776:2000, Petroleum and natural gas industries - Offshore production installations - Guidelines on tools and techniques for hazard identification and risk assessment, Table A.1, Geneva, 2006.
[4] IADC, HSE Case Guidelines for Mobile Offshore Drilling Units, Issue 3.2.1, 2009.