Lecture 8 - Process Safety Management Flashcards

1
Q

What is process safety?

A

Process Safety is a technical and operational discipline focusing on the identification and mitigation of the hazards associated with the physical and chemical properties of the material being processed.

2
Q

What are process hazards?

A

Process Hazards can expose groups of workers to serious injury or death. They may even expose members of the public. Management systems and safeguards (risk treatment) typically address operational integrity and aim to avoid loss of containment.

3
Q

What is process safety management?

A

Process Safety Management is the application of management systems to the design, operation and maintenance of facilities that handle hazardous materials in a sustainable manner to control the identified process hazards over the facility life cycle.

Effective management of process safety can ensure facilities are appropriately designed, correctly operated and adequately maintained to prevent the catastrophic release of hazardous materials.

4
Q

Why is process safety management important?

A
  • Accidents related to process safety failures continue to happen across multiple industries with major impacts on people (both employees and the community), the environment and assets.
  • Effective process safety management is key to eliminating these types of outcomes.
5
Q

What are the elements of process safety management?

A

Refer to slides (laid out in table)

6
Q

What is the ALARP Principle?

A

As Low As Reasonably Practicable (ALARP): is a principle that risk reduction should be continued until the incremental sacrifice in doing so is grossly disproportionate to the value of the incremental risk reduction achieved (r2p2)
* ALARP represents “criteria where the test for acceptability or tolerability of a risk is whether it is reasonably practicable to do more to reduce risk” (AS ISO 31010)
* Incremental sacrifice is defined in terms of time, effort, cost or other expenditure of resources.
* Recognized and Generally Accepted Good Engineering Practices (RAGAGEP): is a principle that in addition to ALARP all equipment must be documented to demonstrate that good engineering practice has been applied. This includes application of codes and standards
* The ALARP principle allows regulators to avoid setting prescriptive standards, but rather set goals for duty-holders.

7
Q

What is the ALARP Triangle?

A
  • Intolerable level of risk: high risks which are considered unacceptable. Activities causing such risk would be prohibited or would require further risk reduction.
  • Tolerable level of risk: risks tolerated in order to secure certain benefits. Risk reduction may be implemented if not considered ALARP.
  • Broadly acceptable level of risk: risks considered acceptable. If practicable, risks are reduced further to ALARP.
8
Q

How can you tolerate ALARP risks?

A

The zone between the unacceptable and broadly acceptable regions is the tolerable region. Risks in that region are typical of the risks from activities that people are prepared to tolerate in order to secure benefits, in the expectation that:
* the nature and level of the risks are properly assessed and the results used properly to determine control measures.
* the residual risks are not unduly high and kept as low as reasonably practicable (the ALARP principle); and
* the risks are periodically reviewed to ensure that they still meet the ALARP criteria, for example new knowledge about the risk or the availability of new techniques for reducing or eliminating risks.

9
Q

What is the Swiss cheese model?

A

The slices of the “Swiss Cheese” model represent the controls in place that modify risk by preventing an initiating event from becoming an incident. In process safety we typically refer to these controls as “safeguards”, which identifies their role in creating safe outcomes. Safeguards are the hardware and human actions that directly prevent or mitigate an incident or impact.

10
Q

What is the bowtie model?

A

Refer to slides (better visual with text)

11
Q

Why do we do risk assessments?

A
  • To understand risk
  • To identify safeguards currently in place (existing controls)
  • To identify gaps between current risk and tolerable risk
  • To identify new safeguards required to meet tolerable risk levels (recommendations)
  • To know which safeguards are most important and must remain effective (assurance)
  • There are many ways to do this including:
    o HAZID
    o Standard industry checklists
    o What-if?
    o HAZOP
    o HAZOP/LOPA (qualitative)
    o LOPA (quantitative)
12
Q

Why choose layer of protection analysis (LOPA)?

A
  • Identification of most important safeguards (especially when there are lots available)
    o E.g. for a particular scenario there may be multiple alarms, trips based on different process parameters, mechanical protection systems, multiple mitigation systems
  • Identification of required safeguard performance
  • Enable development of a maintenance system which prioritises the most important safeguards
  • Enable the workforce to understand risks and respond appropriately to safeguards
    o E.g. what action do I need to take on alarm initiation? do I need additional safeguards in place if this safeguard is unavailable?
  • Update safeguard information as part of a management of change process
13
Q

What is LOPA?

A
  • Layer of Protection Analysis (LOPA) is a semi-quantitative risk assessment tool for analysing and assessing the risks of the scenarios with higher consequence of concern (e.g. major incident events)
    o Single cause–consequence scenarios are identified and analysed
    o Risk is compared against company’s risk tolerance criteria
    o If risk unacceptable, additional independent protection layers are identified and suggested for implementation
  • Consequences of LOPA scenarios are the same as those on the company’s risk matrix
    o Typically, consequence development does not end at loss of containment, but continues to potential harm to personnel / environment
  • If one layer fails, the remaining layers are expected to continue to provide protection
14
Q

What can LOPA be?

A

A LOPA can be:
* QUALITATIVE – using order of magnitude estimates for risk reduction factors
* QUANTITATIVE – using calculated risk reduction factors e.g. Probability of Failure on Demand (PFD)

15
Q

What are IPLs?

A

Independent Protection Layer (IPL)
* A layer of protection that will independently prevent an unsafe scenario from progressing to its stated consequence regardless of the initiating event or the performance of another layer of protection.

  • Examples include:
    o “Interlocks”
    o Alarms and Operator Intervention
    o Relief Systems
    o Containment Systems
    o Safety Instrumented Systems (SIS)
    o Other Safety Related Protection Systems
    o Basic Process Control System (BPCS)
16
Q

What are layers of protection?

A

Refer to slide (for better visual)

17
Q

How are LOPA results used?

A
  • LOPA will assess the risk reduction effectiveness of the existing safeguards as IPLs
    o Is the safeguard independent and proven to respond quickly enough to prevent the scenario developing?
  • LOPA will identify if there are any gaps that need to be filled to achieve the required risk tolerance criteria
  • If additional safeguards are required, LOPA can help determine the type of safeguard required, e.g. mechanical protection device or if a Safety Instrumented System (SIS) is required and if yes, the required risk reduction factor
18
Q

LOPA vs QRA

A
  • Both LOPA and Quantitative Risk Assessment (QRA) compare risk against tolerable risk criteria
  • Whilst a LOPA looks at each cause–consequence scenario individually and considers how many people could be impacted by the scenario, it does not consider the risk that each type of worker group would be exposed to
    o LOPA does not account for maintenance and operations personnel spending different amounts of time at the same location; it just considers how many people might be there and impacted by the consequence
19
Q

What is the QRA Process?

A

QRA process:
o Considers cumulative effect of toxic releases, leaks and ignition
o Determines the risk at specific locations if a worker were present 24 hours a day / 365 days a year (Location Specific Individual Risk, LSIR)
o Considers the amount of time a worker spends in each location
o Calculates the Individual Risk Per Annum (IRPA) of each worker group
o Can be used to calculate Societal Risk (risks affecting multiple individuals) on and off the facility
o IRPA and Societal Risk have to be at, or below, the tolerable risk criteria for the facility

20
Q

What are the advantages of LOPA?

A

Advantages
* Opportunity to quantify
* Assistance in QRA
* Lack of independence is usually easy to detect
* Clear indication of most cost effective way to close gaps
* Easy to mandate a corporate method to gain consistency
* Compatible with ‘Bow Tie’ analysis

21
Q

What are the disadvantages of LOPA?

A

Disadvantages
* Demand for reliability data
* Inappropriate for complex event sequences with multiple root causes
o Designed for single cause–consequence scenarios
* Does not easily deal with non-IPL safety measures
* Human factors difficult to incorporate
* Over-reliance on standardized values for probability and frequency estimates that may not always be appropriate
* Time consuming
* Lots of arguments
* Too many easy targets for “experts”?
* Multiple initiators for a single scenario - problems if you have lots and lots!

22
Q

What is the LOPA Process?

A

Identify (and assess) the
* Risk tolerance criteria
* Scenario
* Initiating events
* Enabling events
* Conditional modifiers
* Protection layers
* Overall conclusions

23
Q

What is the risk tolerance criteria?

A

Tolerable LOPA scenario risk:
* A risk level which is assigned to a studied event and which meets managerial, corporate or legal requirements.
* This level is used as the target to be achieved for the hazardous scenario being studied.
* This target can be derived for
o Injury
o Environmental effect
o Financial impact

24
Q

How do you define consequences?

A
  • Usually done as part of the HAZOP scenario using a risk matrix (qualitative / semi quantitative)
25
Q

How do you determine likelihood?

A
  • Likelihood of risk occurring with the identified consequence is determined through consideration of:
    o Initiating Event Frequency
    o Risk reduction factors from:
      ▪ Enabling Conditions
      ▪ Conditional Modifiers
      ▪ Existing Safeguards
  • Risk reduction factors must be directly related to the HAZOP scenario being assessed
26
Q

What is the risk reduction factor?

A
  • The potential reduction in likelihood or consequences provided by the presence of a safeguard or IPL
27
Q

What is a scenario?

A

Describe the ultimate consequence - injury, environmental effect etc. Assuming:
* something can initiate it… and
* no safeguards/layers of protection are in place… and
* full hazard of the scenario occurs…
Remember that a scenario may have several different initiating causes and an initiating cause may lead to more than one scenario.

28
Q

How do you select the initiating events?

A
  • External initiating events, e.g.
    o Ambient temperature – hot or cold
    o Bushfire
  • Equipment related initiating events, e.g.
    o Failure of a control loop
    o Blockage of pipe
    o Leakage in heat exchanger
    o Pump / compressor failure
  • Human failure-related initiating events e.g.
    o Opening / closing valves
    o Instrumentation failure prompting inappropriate operator response
29
Q

What are the basic rules for initiating events?

A
  • HAZOP studies can be used to identify initiating events
  • Initiating events are single events, but may be modified by the probability of an Enabling Event and/or Conditional Modifier occurring.
  • Process control software should not be an initiating event.
  • Failure of a safeguard is not normally an initiating event unless the failure causes an unexpected process condition
    o E.g. PSV lifts in normal operation can be a cause of Misdirected Flow
  • A Basic Process Control System (BPCS) is not treated as a safeguard initially, therefore failure of a BPCS is a credible scenario.
30
Q

What is meant by enabling events?

A
  • When or what needs to occur for the initiating event to progress
  • The purpose of employing the enabling condition is to consider conditions that are necessary for an abnormal situation to proceed to a consequence of concern.
31
Q

What are conditional modifiers?

A

These are conditions that MUST be TRUE for the hazard scenario to fully develop

32
Q

What are the rules for recording safeguards?

A
  • Document safeguards in the order in which they would happen as the scenario develops
  • For example, if spurious closure of a valve on the liquid outlet of a vessel occurs resulting in increasing level in a vessel with potential to over-pressure the vessel resulting in loss of containment, potential ignition with resulting fire and potential harm to personnel, safeguard order is:
    1. Flow control valve on the inlet acts to reduce flow into the vessel
    2. High level alarm in vessel and operator response to troubleshoot issue
    3. High-high level trip of upstream process feeding the vessel
    4. Pressure relief device sized for liquid overfill diverting fluid to a flare designed for liquids
    5. Fire and gas detection systems, associated general alarm and operator response to evacuate area
    6. Fusible bulb or operator triggered deluge system
    7. Passive fire protection to ensure the supporting structure remains viable for the time required for personnel to escape to a safe location
33
Q

Why is not every safeguard an IPL?

A
  • The qualitative assessment of likelihood made in a HAZOP can consider all safeguards
  • In a LOPA, credit can only be taken for Independent Protection Layers (IPLs)
  • Each safety layer must be independent of other protection layers
  • Failure of one layer must not result in the failure of another layer
  • Layers must have acceptable reliability (i.e. Probability of Failure on Demand, PFD)
  • If a layer is an administrative procedure, it must have written procedures, performance standards and auditability
34
Q

What is the general rule of independence?

A

To be independent, a layer of protection shall prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.

35
Q

What are the rules for selecting IPLs?

A

Refer to slides for image (slide 54)

36
Q

What are the considerations for alarms and operator interventions?

A
  • Must be independent of the BPCS if the BPCS already provides a trip (logic solver may be shared if it has proven reliability and separated channels)
    o Different loops
    o Different power supplies (if a UPS is used for “active switching to safe state”, mention this)
  • Accurate Fail Safe (power, signal etc) condition decided and implemented (look for it on P&ID)
  • Written procedure in which the Operator must be trained
  • Procedure must interrupt chain of events
  • Operator must have time to respond
  • Audited - tested – recorded
  • If an operator error is the initiating event, care is needed if we want to consider the same operator responding to a resulting alarm. This needs to be argued carefully
    o Many practitioners will not allow an alarm as an IPL in this case
  • Single manned control rooms present challenges
37
Q

How is LOPA risk quantification achieved?

A
  • Risk quantification is achieved by multiplying probabilities along the LOPA chain
  • The final probability is the conditional probability of a specified outcome, given that the initiating event has occurred.
  • When a quantitative risk is required, then this conditional probability is multiplied by the primary initiating frequency
38
Q

When do you need an IPL?

A

Refer to slides (better visual)

39
Q

What are the risk reduction options and what needs to be considered?

A
  • If, at the end of a LOPA for a specific initiating event there is a gap between the tolerable risk and the estimated event frequency, then other IPLs, including a Safety Instrumented System (SIS), may be required

We need to consider:
* How much risk reduction is required
* What IPLs are available
* If a SIS is selected, whether a single SIS or a combination of SIS can achieve that risk reduction
* The implications of the required risk reduction on the design, operation and maintenance of the SIS (including determining the optimum testing intervals)

40
Q

What is functional safety?

A

A SIS is 100% functionally safe if all random, common cause and systematic failures do not lead to malfunctioning of the safety system and do not result in harm to personnel, damage to the environment or loss of equipment or production.
* 100% functional safety does not exist, but risk reduction is possible
* The risk reduction required to achieve the tolerable risk level can be specified as the Probability of Failure on Demand (PFD)
* The PFD can be used to determine the required Safety Integrity Levels (SIL)
* Required SIL dictates the rigor required at every stage of the safety life-cycle

41
Q

What is SIL - Low Demand?

A
  • Target failure measures for a safety function operating in low demand mode of operation
  • Low demand mode is when the safety function is only performed on demand and demand frequency is no more than once per year
42
Q

What is SIL - High or Continuous Demand?

A
  • Target failure measures for a safety function operating in high demand mode of operation or continuous mode of operation
    o High demand mode is when the safety function is only performed on demand and demand frequency is greater than once per year
    o Continuous demand mode is where the safety function retains the EUC in a safe state as part of normal operations
43
Q

Why is using generic values when performing LOPA good?

A
  • In performing LOPA, values used are usually drawn from generic sources, company standards and team “best” estimates.
    o The initiating event frequencies are order of magnitude estimates based on risk matrix likelihood scales.
    o Probabilities of failure on demand for the IPLs are typically generic values.
    o Many companies have their own tables for how much risk reduction can be claimed for an existing IPL or assumed for one that is recommended to fill an IPL gap.
    o Multiple IPLs may be needed to close a gap