Safety Systems
CHAPTER28
28.1 INTRODUCTION
Various safety systems are used to control hazards in processes (CCPS, 1993a).
These include instrumented protection, pressure relief and venting, release detec-
tion, isolation, secondary containment, off-gas treatment, fire and explosion protec-
tion, grounding, inerting, emergency shutdown, physical barriers, etc. Various hu-
man factors issues apply to the selection, design, construction, installation, testing,
use and maintenance of these systems. Sometimes safety systems are taken for
granted, and consequently they may not receive the attention required for their con-
tinued functionality.
Failure Example
Improper design A storage tank dike is designed with inadequate height because the
designer is not aware of the possibility of the liquid shooting out of
an elevated hole and over the top of the dike.
Improper construction The discharge of a relief valve is vented directly to the atmosphere
instead of a scrubber owing to time pressures on the construction
crew to finish the work under tight deadlines.
Improper installation A check valve is installed backwards owing to carelessness by the
mechanic.
Improper positioning Gas detectors are placed at incorrect locations owing to
miscommunication between engineering and maintenance.
Improper maintenance A malfunctioning high temperature sensor is replaced but not
connected by a distracted instrument engineer.
Improper testing One of several oxygen analyzers is not tested by a tired mechanic
and it subsequently fails to function correctly during a confined
space entry.
Improper calibration A pressure detector is calibrated incorrectly by a new employee
who is not properly trained. It fails to register a pressure excursion.
Incorrect specification A rupture disk is installed below a relief valve with an improper
pressure rating owing to a slip by the mechanic.
Improper operation A temporary replacement pump with a higher capacity than normal
is connected to a tank fitted with a pressurehacuum relief valve.
Liquid is pumped out more quickly than air can enter through the
vent and the tank collapses.
Deterioration from The filters on a scrubber are not cleaned or replaced because the
lack of regular maintenance department is overloaded and postpones the work in
maintenance favor of activities deemed more important.
Deterioration from Grounding straps and cables become corroded because they are not
lack of PM included in the plant PM program due to an oversight.
Deterioration from A dike wall loses its integrity over time since the slow
lack of inspection deterioration is not noticed.
Failure to restore A fire protection system for a storage vessel is disabled to prevent
operation after its inadvertent operation while work is being performed. It is not
maintenance returned to service after the work is complete due to lack of
awareness, forgetfulness or inadequate procedures.
Deliberate disablement A procedure calls for a blind to isolate a storage tank being taken
out of service for maintenance. Operators decide to rely on remote-
ly operated valves instead to perform the procedure in less time.
Failure to recognize A tank truck containing a flammable liquid is offloaded using a
the need for a safety non-conductive flexible hose. The driver was not aware of the
measure static electricity accumulation hazard.
Yore: Each type of failure may result from a variety of underlying human factors. The examples are in-
tended to be Illustrative only.
28.3 BYPASSING AND DISABLING SAFETY SYSTEMS 187
Figure 28-1: The impact of disabling an unreliable low level trip on a high pressure separa-
tor-an explosion resulting in a fatality and $100 million of property damage.
188 SAFETY SYSTEMS
Use permits-to-work for bypasses. This helps ensure that system restoration
occurs.
Conduct periodic audits to confirm the correct treatment of bypasses.
Many processes use safety shutdown systems as a last resort in the event that other
control and safety measures do not work. They are often automated but sometimes
they are manual. Important human factors issues can arise when operators are called
upon to make a decision on shutting down a process. Process dynamics and time fac-
tors may require decisions to be made by operators without consulting supervisors or
managers. Shutdown procedures must address the level at which a shutdown decision
can be made.
Shutdown decisions can be influenced by a variety of factors besides the risk of
not shutting down. For example, operators may be disinclined to shut down in order
to avoid production losses, personal inconvenience, loss of their reputation or self
respect, or negative feedback from peers and managers. Peer pressure, concerns
about job security, fear of recrimination, lack of understanding of the consequences,
belief that normal operations can be restored without shutting down, or the desire to
be seen as a hero may also be factors.
Guidelines to address these issues include:
Use automated shutdown systems where possible to take the decision out of
the operators hands.
Establish as clearly as possible criteria for when processes must be shut down
manually. Provide clear management direction to shut down processes in
these circumstances.
Ensure that operators understand abnormal process operations and the conse-
quences of deviations from normal operation.
Train operators in emergency shutdown and provide refresher training so that
operators feel comfortable and familiar with the process when emergency
shutdown must actually be performed.
Ensure that management reaction in the event of emergency shutdown by op-
erators provides positive reinforcement of the operators actions.
Establish a strong process safety culture. Ensure that when in doubt, a shut-
down decision is made.
Various human factors enter into the selection of safety systems. Engineers must
fully understand process hazards in order to select appropriate safety systems. For
example, antistatic plastic or paper bags may be needed when handling flammable
dusts. Hazard identification and analysis play a key role in helping ensure process
hazards are understood. Engineers must be informed of the results of these studies.
Engineers must also select the right type of safety system. For example, insulat-
ed dike walls may reduce the volatilization of liquids spilled at temperatures above
their boiling point. There can also be a tendency for engineers to add safety systems
beyond the point of diminishing returns. In particular, this can result from perform-
ing process hazards analysis and indiscriminately adding safeguards. The more
safety systems that are installed, the more complexity there is in the process, the
greater the possibility that new hazards have been introduced and the more can go
wrong. Engineers should not decide on the installation of safety systems in isola-
tion. They should consider possible interactions between safety systems that may
increase risk or introduce new hazards. Engineers should also consider the impact
on process safety of the susceptibility of safety systems to human failures, e.g. man-
ual vs automatic isolation valves.
Pointers to address these issues include:
Common cause failures arise when a single failure results in multiple simultaneous
failures in systems or components that would otherwise be expected to fail indepen-
dently (CCPS, 2000). Safety systems often are designed to provide redundancy
with duplicate safety systems provided. However, the redundancy will be lost if
common cause failures occur. For example, if a mechanic is tasked with calibrating
three identical pressure detectors but systematically mis-calibrates all three detec-
tors in the same way owing to lack of familiarity with the calibration procedure,
then all three detectors will fail to correctly detect pressure excursions. The detec-
tors all fail for a common cause. Such failures are important because they result in
the likelihood of simultaneous multiple failures being significantly higher than
what would be expected if the failures occurred independently of one another.
People are a common cause of common-cause failures and they are involved in
all steps of the life cycle for safety systems-design, specification, construction, in-
stallation, maintenance, testing, etc. Common cause failures can occur in all these
steps. One defense against common cause failures is to provide diversity for the
safety systems protecting a process so the systems are less susceptible to failure
from the same cause. The same principle can be applied to the people involved with
190 SAFETY SYSTEMS
a process to lessen the chance for common-cause failures that may originate with
one individual. This can be accomplished by not assigning the same individual to
carry out activities susceptible to common cause failure or by providing one-over-
one checks for critical actions in design, construction, maintenance, etc. of safety
systems.
Common cause failures should be considered in process hazard analysis. More
detailed studies can also be performed, e.g. using fault tree analysis (CCPS, 2000).
28.7 TOOLS
The starting point to address human factors for safety systems is an understanding
of the types of human failures that are possible. Table 28-1 provides a checklist of
the types of human failures that should be considered for safety systems. Human
factors for the design, construction, installation, maintenance, and operation of
safety systems are similar to those for other process equipment. These human fac-
tors issues should be addressed in process hazard analysis (see Chapter 27) and
process safety audits (CCPS, 1993b) with emphasis on potential common cause
failures.
Various other chapters provide tools that should also be applied to safety sys-
tems. This includes Process Equipment Design (Chapter 4), Environmental Factors
(Chapter 15), Procedures (Chapter 22), Training (Chapter 12), Competence Man-
agement (Chapter 29), Management of Change (Chapter 25), Maintenance (Chapter
23), and Communications (Chapter 13). Issues such as work pressures and conflict-
ing objectives should be addressed by the organizations management system.
Guidelines for addressing safety-system-specific issues have been provided in earli-
er sections of this chapter.
28.8 REFERENCES
CCPS (1993a), Guidelines for Engineering Design for Process Safety (NY: AICHE Center
for Chemical Process Safety).
CCPS (1 993b), Guidelines for Auditing Process Safety Management Systems (NY:
AICHE Center for Chemical Process Safety).
CCPS (2000), Guidelines for Chemical Process Quantitative Risk Analysis (NY: AICHE
Center for Chemical Process Safety).