Paper 294204

    GCPS 2013

    Management of Safety Critical Elements as a Base for Risk Management of Major Accident Hazards

    Mariana Bahadian Bardy
    Det Norske Veritas
    Rua Sete de Setembro 111/12th
    [email protected]

    Flávio Luiz Barros Diniz
    Det Norske Veritas
    [email protected]

    Paula Silveira
    Det Norske Veritas
    [email protected]

    Prepared for Presentation at
    American Institute of Chemical Engineers
    2013 Spring Meeting
    9th Global Congress on Process Safety
    San Antonio, Texas
    April 28 – May 1, 2013

    UNPUBLISHED

    AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications

    Keywords: safety critical element, barrier, major accident hazard

    Abstract

    Considering the already established relevance of barriers to avoid Major Accidents, the objective of this paper is to present a methodology for management of Safety Critical Elements (SCE), from their identification, through definition of their relevant importance to each activity performed by the installation, to establishing alternatives and contingencies for the failure or absence of the SCE. The proposed methodology, adapted from common use methodologies from Offshore Industry to Process Industries, is developed in 5 steps. Step 1 is the use of a Hazard Identification technique and indication of Major Accident Hazards (MAH). In Step 2, bowtie diagrams are developed for the MAH and SCE are identified. The SOOB (Summary of Operational Boundaries) in Step 3 identifies the activities that may proceed, may not proceed, or may proceed with caution in the case the SCE is defeated, and in Step 4 a Contingency Plan is developed to maintain operation for the cases indicated on the SOOB in which operation may not proceed or may proceed with caution. Finally, in Step 5, prioritization of maintenance and inspection activities shall be defined for each SCE, including preventive maintenance routines, inspection routines and definition of spares, where applicable. This methodology can help in the identification of gaps and management of critical elements, consequently improving the performance of safety systems and increasing their availability.

    1. Introduction and background

    Recent accidents have indicated the importance of safety barriers in the management of major accidents, reducing their likelihood or minimizing their consequences. The accident investigation reports for Buncefield, Texas City and Macondo, to name just a few, state the failure of safety barriers or the non-existence of adequate ones as potential causes of the major accident occurrence.

    This paper presents a methodology for management of Safety Critical Elements (SCE), adapted from common use methodologies from Offshore Industry to Process Industries, from their identification, through definition of their relevant importance to each activity performed by the installation, to establishing alternatives and contingencies for the failure or absence of the SCE.

    Several references define SCE and how they must be managed, such as NORSOK [1], which indicates that Safety Critical Equipment is equipment that shall be in operation to ensure escape, evacuation and/or to prevent escalation.

    According to HSE UK [2], any structure, plant, equipment, system (including computer software) or component part whose failure could cause or contribute substantially to a major accident is safety critical, as is any which is intended to prevent or limit the effect of a major accident.

    For this paper, SCE is defined as indicated by HSE UK, as being the Barriers that can avoid or mitigate Major Accident Hazards.

    2. Description of Methodology

    For the objective of systematic management of Safety Critical Elements, the methodology outlined in Figure 1 is proposed, covering the 5 steps described below.

    Figure 1 – Methodology for SCE Management

    2.1 Step 1 – Hazard Identification

    The first step is to identify the accidental scenarios from the specific process under analysis. For that purpose, it is proposed to perform a Process Hazard Analysis (PHA) for identification of accidental scenarios and classification according to a Risk Matrix, defined by each company according to its risk management process. Figure 2 represents an example of spreadsheet to be applied for the PHA.

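    Process Hazard Analysis (PHA)

    System:                Hazard/Event Group:

    | 1. Hazard | 2. Causes | 3. Effects | 4. Freq | 5. Sev | 6. Risk | 7. Safeguards | 8. Final Freq | 9. Final Sev | 10. Final Risk | 11. Recommendations | 12. # |
    |-----------|-----------|------------|---------|--------|---------|---------------|---------------|--------------|----------------|---------------------|-------|
    |           |           |            |         |        |         |               |               |              |                |                     | 1     |
    |           |           |            |         |        |         |               |               |              |                |                     | 2     |
    |           |           |            |         |        |         |               |               |              |                |                     | 3     |

    Figure 2 – Example of PHA Spreadsheet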

    The spreadsheet has 12 columns and two classifications of the risk for each scenario. Columns 4, 5 and 6 hold the classification without considering existing safety barriers for the scenario. The barriers are listed in Column 7, and Columns 8, 9 and 10 indicate the classification of the risk considering that the barriers exist and are operating or ready to operate when needed.

    For the classification of severity, likelihood/frequency and risk, a risk matrix shall be used, representing the risk tolerability of the company. An example of a risk matrix is shown in Figure 3, extracted from ISO 17776:2000 [3].

    Figure 3 – Example of Risk Matrix

    Note that this matrix has 5 different severity ratings and analyzes four different effects: people, assets, environment and reputation. A common approach to define Major Accident Hazards (MAH) is to consider those with the highest consequence classification, such as the ones classified with Severity Category 5 in the matrix indicated in Figure 3, which represents multiple fatalities as impact on people, extensive damage for environment, massive effect to assets and major international impact on reputation.

    The main advantage of selecting only the MAH to go to Bowtie, as described above, is that the barriers related to those events can be clearly identified and consequently be managed properly and in a focused way. On the other hand, when there is no distinction between MAH and other scenarios with lower damage potential, the number of barriers to be managed increases, reducing the focus on the major impact scenarios (MAH).

    Note that some safety barriers are normally identified in this PHA and shall be reviewed and detailed in the next steps.

    2.2 Step 2 – Development of Bowties

    The following step of this methodology is to develop bowtie diagrams for each of the MAH, or combination of MAH, if applicable, as exemplified in Figure 4. The BowTie methodology is designed to give a picture of the risks, to help people understand the relationship between the risks and organizational events, and to identify where barriers in place can act, on the prevention or on the mitigation, and consequently give a better overview of whether those are enough to mitigate the risks related to the MAH.

    Figure 4 – Example of Bowtie

    With the use of a multidisciplinary team from the company, starting from a Top Event located in the center of the diagram, causes, preventive barriers, consequences and mitigating barriers are identified. Then each barrier, preventive or mitigating, is classified as:

    - Critical: essential barrier to avoid the causes or associated consequences.
    - Non-critical: barrier that reduces likelihood or minimizes consequence, but does not avoid the occurrence of the top event or associated effects.
    - Third Party: barriers, critical or not, that are not under the company responsibility for management.

    A responsible person or function can also be indicated on the bowtie for each barrier. The list of SCE is composed of those barriers classified as critical for each bowtie.

    The Safety Critical Elements (SCE) can be an Equipment, System or Procedure. In the example presented in Figure 4, for the Top Event "Large Release of Flammable Gas" from the Compression System, the following barriers were classified as Safety Critical Equipment or System:

    - Safety interlocks
    - PSVs
    - Filter Pressure Drop Indication
    - Injection of Corrosion Inhibitor
    - Gas and Fire Detection System
    - Fire Fighting System
    - CFTV (closed-circuit television)

    The other critical barriers, such as Mechanical Integrity Program and Emergency Planning, are considered as Safety Critical Procedures.

    All of those critical elements (equipment, systems and procedures) shall be managed, but especially for the equipment and systems, contingency procedures shall apply for when they are operating under degraded conditions or are out of operation. As part of this scope, a Summary of Operations Boundaries (SOOB) analysis is carried out as stated below.

    2.3 Step 3 – Development of SOOB

    Step 3 of this methodology consists in developing the Summary of Operations Boundaries (SOOB) analysis. This is based on a matrix which crosses main operations and activities with the Operational Risk Factors. Operational Risk Factors include controls, identified in the BowTie analysis, under reduced effectiveness, and risk factors such as severe weather/sea conditions. The matrix is completed row by row by reviewing all combinations.

    The main objective is to examine whether operations can be permitted or prohibited when certain controls have been defeated or are running under reduced effectiveness, and to examine whether operations can proceed in the case of occurrence of external factors that can potentially influence the risk of doing these operations, e.g. severe weather conditions.

    This will distinguish when a "stop work" is applied or whether that shall be a "proceed with caution" condition, as indicated by IADC [4]. A traffic light system may be applied, indicating:

    - Red: stop the work or do not proceed;
    - Yellow: evaluate conditions, perform risk analysis or implement additional protection;
    - Green: continuous normal operation.

    Note that the activities will vary depending on the type of installation. Some examples are:

    - loading or unloading of trucks or railcars;
    - operation above normal conditions;
    - increase of capacity;
    - confined space entry;
    - working at height.

    As an example of the analysis, in case of Gas Detection System failure it is allowed to proceed with work at heights and confined space entry; normal operation and loading/unloading may proceed with caution, requiring additional evaluation; and operation above normal conditions, increase of capacity and hot work are not permitted.

    | Operations vs. Operational Risk Factors | Normal Production | Operation Above Normal Conditions | Increase of Capacity | Loading/Unloading Truck | Loading/Unloading Railcar | Confined Space Entry | Hot Work | Working at Heights |
    |-----------------------------------------|-------------------|-----------------------------------|----------------------|-------------------------|---------------------------|----------------------|----------|--------------------|
    | Safety interlocks                       | RA                | X                                 | X                    | RA                      | RA                        | P                    | RA       | RA                 |
    | PSVs                                    | RA                | X                                 | X                    | RA                      | RA                        | P                    | P        | RA                 |
    | Filter Pressure Drop Indication         | RA                | RA                                | RA                   | NA                      | NA                        | NA                   | NA       | NA                 |
    | Injection of Corrosion Inhibitor        | RA                | RA                                | RA                   | NA                      | NA                        | NA                   | NA       | NA                 |
    | Gas and Fire Detection System           | RA                | X                                 | X                    | RA                      | RA                        | P                    | X        | P                  |
    | CFTV                                    | P                 | RA                                | RA                   | RA                      | RA                        | P                    | P        | P                  |

    P – Permitted
    RA – Perform Risk Analysis
    X – Do not Proceed

    Figure 5 – Example of SOOB Matrix

    2.4 Step 4 – Definition of Contingency Plan

    Step 4 of this methodology consists of the definition of a Contingency Plan for each SCE. The immediate response actions that will normally be applied are:

    - to stop or limit operations to within the limits of remaining barriers; or
    - identify and assess any temporary substituted safety system barrier that may be implemented to support continued operation.

    The company shall establish and document contingency procedures and a system of approval and control of SCE to be used when those are under degraded conditions or out of operation.

    The following items shall be considered:

    - Implementation of equivalent alternative controls;
    - Limitation and reduction of production;
    - Isolation and stopping of equipment, systems, installations;
    - Deadline for the temporary procedure to be allowed until corrective measures are taken.

    A specific contingency plan is then developed for each SCE, using, for instance, the example indicated in Figure 6.

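    | SCE                  | Permitted Activities                     | Activities with Restriction          | Prohibited Activities                                                   |
    |----------------------|------------------------------------------|--------------------------------------|-------------------------------------------------------------------------|
    | Gas Detection System | Confined Space Entry; Working at heights | Normal Production; Loading/Unloading | Hot work; Operation above normal conditions; Increase of capacity       |

    | Activity                     | Definition                                                                                       |
    |------------------------------|--------------------------------------------------------------------------------------------------|
    | Permitted Activities:        | No limitation for the development or continuation of activity, even with loss of the SCE         |
    | Activities with Restriction: | No limitation for the development or continuation of activity, even with loss of the SCE         |
    | Prohibited Activities:       | Not allowed to perform the activity and must be interrupted, even with                           |

    | Alternative Procedures for Activities with Restriction                                                              | Deadline  | Responsible       |
    |---------------------------------------------------------------------------------------------------------------------|-----------|-------------------|
    | Normal production to continue with one extra Operation Supervisor per shift, with focus on Control Room supervision | One month | Operation Manager |
    | Perform loading/unloading activities with one extra field operator                                                  | One month | Operation Manager |
    | If SCE not returned to full operation after first deadline, reduce production and safe stop production              | -         | Operation Manager |

    SCE Responsible: Maintenance Manager

    Figure 6 – Example of Contingency Plan for SCE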

    2.5 Step 5 – Definition of Maintenance and Inspection Prioritization

    The final step for implementation of this methodology of Management of SCE is to incorporate into maintenance and inspection routines and procedures prioritizations that consider the findings of the analysis of the SCE. Some important points shall be considered:

    - Guarantee that all SCE are classified as high priority for maintenance routines;
    - Guarantee no delays for inspection routines for the elements associated with MAH and classified as SCE;
    - Evaluate the need of spares of SCE, where applicable.

    3. Conclusion

    As initially indicated, this paper presents a 5-step methodology for management of SCEs, those being defined here as safety barriers that can avoid or mitigate Major Accident Hazards. The objective of each step as well as a practical approach and examples are presented, adapting common use methodologies from Offshore Industry to Process Industries.

    As an extension of this work, considering all aspects presented, some improvements can be implemented. The inclusion of procedures as part of the analysis, after the identification of the critical procedures, with guarantee of correct training or certification of operators, is one of these points. One additional relevant aspect is to incorporate a 6th step into the above methodology of management of SCE, with the audit of the process of management of the critical barriers.

    Finally, it is important to note that this methodology was developed with the intention of giving support for companies to systematically manage Safety Critical Elements and comply with relevant regulation and best practices.

    4. References

    [1] NORSOK S-001, Edition 4, February 2008, item 3.1.11. Norway. 2008.

    [2] Health and Safety Executive, A guide to the Offshore Installations (Safety Case) Regulations 2005, item 83. London. 3rd Edition. 2006.

    [3] ISO 17776:2000, Petroleum and natural gas industries – Offshore production installations – Guidelines on tools and techniques for hazard identification and risk assessment, Table A.1. Geneva. 2006.

    [4] IADC, HSE Case Guidelines for Mobile Offshore Drilling Units, Issue 3.2.1, 2009.