34 www.tcetoday.

com june 2013

tce PROCESS SAFETY
Diving deeper
What more can you do if your company displays good
process safety performance? Plenty, says Graeme Ellis
may 2014 www.tcetoday.com 35
CAREERS
tce PROCESS SAFETY
Y
OU are responsible for process
safety on a number of global
sites and have just reviewed the
results of the latest annual process safety
management (PSM) audit. If your PSM
audit summary looks something like
that shown in Figure 1, year-on-year
improvement with no significant issues,
and very few recommendations for
improvement, then its good news isnt it?
Assuming you have a robust audit
programme, then finding no issues during
audits appears good news, but if you want
to improve performance further then what
more can you do? You may also be finding
that leading process safety performance
indicators (see Figure 2) are not consistent
with the audit performance, and the lagging
indicators are showing a worrying trend
with the number of process safety incidents
(PSIs) not improving or they may even be
increasing. If you arent looking at the right
issues on an audit, then it wont improve the
number of PSIs.
limitations of conventional
PSM audits
Many organisations, when they seek
assurance that process safety is being
managed appropriately, base their analysis
on detailedauditing of the PSM system.
However, process safety incidents are usually
caused by failures of multiple barriers. The
potential interactions between barriers are
often not visible at the PSM system level,
which consists of distinct generic elements,
for example mechanical integrity, incident
investigation, management of change, and so
on. Auditing PSM system elements may not
therefore identify the potential for a process
safety incident, which requires assessment of
specific accident scenarios and verification
of specific barriers.
delving deeper
Based on our experience, some major
global companies (who we cant name, for
confidentiality reasons) are adopting a deep
dive audit approach for each of their sites,
which focuses on the barriers associated with
a few major accident scenarios, aiming to
confirm the following:
major accident scenarios have been
identified;
safety basis is robust and ALARP;
barrier design provides the required risk
reduction;
barriers are installed as per design;
barriers are maintained and tested to
ensure effectiveness; and
personnel are competent to operate and
maintain the barriers.
This approach provides rigorous assurance
that a particular scenario has sufficient
Figure 1: PSM audit actions
If your PSM audit shows a year-on-year improvement, should you celebrate the
success of your PSM programme or feel uneasy that performance has reached a
plateau, and maybe a serious accident is just round the corner? This is a dilemma
that many global organisations are starting to face.
Figure 2: API process safety pyramid
35
30
25
20
15
10
5
0
2010 2011 2012 2013
Plant A
Plant B
Plant C
N
u
m
b
e
r

o
f

p
r
o
c
e
s
s

s
a
f
e
t
y

i
n
c
i
d
e
n
t
s
A simple summary of the main differences between the two types of safety audit illustrates how
the deep dive identifies the major accident scenarios and places each element under scrutiny.
Factor Conventional PSM audit Deep dive audit
Scope All PSM system elements Major accident hazard scenarios
Objective
Achieve best practice for individual
elements
Ensure specific risk control barriers
are working effectively
Focus of audit
Suitability of and adherence to
written procedures
Weaknesses in plant, process or
people aspects of barriers
Method
Check completeness of documents
and test experience with system
owner and users
Verify effectiveness of barriers based
on plant records, understanding of
staff, and field observations
Tier 1: PSIs with serious consequences
Tier 2: PSIs with minor consequences
Tier 3: Demands on safety systems
Tier 4: Management system
indicators
Lagging
Leading
36 www.tcetoday.com may 2014
tce PROCESS SAFETY
barriers and they are working effectively. It
does not aim to replace conventional PSM
audits, which are still required to provide
assurance that the overall systems are being
well managed. The two types of audit are
therefore complementary, with the deep dive
audit providing a snapshot of the process
safety vital signs, and the conventional
PSM audit ensuring that best practice in
management systems is being achieved.
methodology
Initially the potential for major accidents is
identified by discussing and reviewing any
existing process hazards analysis documents,
for example HAZID reports, or safety reports.
This stage allows an understanding of major
accidents and the required barriers, but
more importantly selects a range of high-risk
scenarios for the detailed deep dive audit.
The selected scenarios should cover a range
of event types, allowing different types of
prevention, control and mitigation barriers to
be assessed.
The next stage considers each scenario and
the associated barriers, seeking verification
that these are functioning effectively. The
focus of the deep dive involves barrier
verifications relating to plant (reliability
of equipment), process (effectiveness of
procedures), and people (competency of staff
in key roles).
The audit is best conducted by two
specialists: one with a process safety and
operations background, and the other with
plant engineering and integrity management
background. In addition to the audit team, its
very important to involve process engineers,
operating managers and maintenance
engineers from the site. This helps site
management to understand major accident
scenarios, and ensures that the audit team
can efficiently locate key information.
The audit report provides details of the
assessment for each barrier, with the decision
on whether the barrier is working effectively
or whether a weakness related to plant,
process or people needs to be addressed. The
weaknesses can be specific to this scenario
and barrier, or systemic such as lack of proof
testing for safety instrumented systems. In
some cases the audit may reveal insufficient
barriers and a recommendation may be
raised for further risk assessment or specific
barriers to be implemented.
A field visit to verify specific barriers is
an essential stage of the audit. The first
requirement is a visual check that barriers are
installed as designed, and that the equipment
is in good condition. Photographs of any
deficiencies such as holes drilled through
bund walls provide high-impact evidence
to site management. Figure 3 shows a gas
plant isolation valve that was designed to be
kept open to prevent potential overpressure
of the line. This valve is specified as lock
open in the design, but was found during
the field visit to have no lock in place. This
specific issue can be addressed but the
finding indicates a potential systemic issue
with locked valve controls.
Field visits also provide the opportunity
to discuss barriers with operators and
maintenance technicians. This tests their
understanding of the potential for major
accidents on the site, and their role in
maintaining the barriers. Its common to find
operators who dont know the emergency
procedures and actions they need to take
to prevent incidents from escalating. For
example, a loss of eco-toxic material into
the drains system may require closure of a
manual valve on the site outfall line but the
operator may not know that, nor the location
of the valve. These discussions provide
a more general insight into the on-site
understanding related to major accidents,
Figure 3: A visual check that barriers are installed as per design can quickly identify issues. For
example, this safety-critical valve was found to be missing a lock to keep it open
A field visit to verify specific
barriers is an essential
stage of the audit. The first
requirement is a visual
check that barriers are
installed as designed, and
that the equipment is in good
condition. Photographs of
any deficiencies provide
high-impact evidence to site
management.
reaction
hazard
scenario
This scenario
illustrates the
rigour of a deep
dive audit. Consider
a runaway reaction
scenario leading to reactor
overpressure and explosion, as
illustrated below. There are four
barriers in place: trip of reagent
at high temperature; emergency
cooling of reactor at high temperature; overpressure relief
via a bursting disc system; and blast walls around the reactor to
protect personnel.
In a deep dive audit this scenario would be identified as a high consequence major
accident hazard. The design and operation of each barrier would be checked in detail
through reviews of design documents and discussions with knowledgeable technical
and operations staff.
The design of the safety instrumented system to shut off the reagent flow would be
checked, including independence from all potential initiating causes of the reaction
runaway. The proof testing procedure would be assessed to confirm suitable reliability,
and the test records observed to confirm that the testing is being carried out. The
competence of the people carrying out the calibration and testing of the system would
also be checked. Maintenance records would be checked to determine if the demand
rate was higher than expected, or if the system was regularly found as failed during
the proof tests.
The design and operation of the emergency cooling system and pressure relief
system would be checked with similar rigour, to ensure that these systems are
designed correctly and proving to be reliable in use. For pressure relief systems
the assumed reliability is typically a probability of failure on demand of 1%. Is there
evidence this is being compromised by blockages in the inlet line to the relief valve, or
corrosion causing the pressure relief valve to seize?
Finally the calculated blast forces caused by the reactor explosion and the design
and construction of the blast wall would be checked. The operating and emergency
procedures would also be tested against assumptions in the risk assessment. The
operators would be questioned to understand current operational practices and
whether these complied with the key requirements of the operating procedures with
respect to the reaction hazard being assessed.
may 2014 www.tcetoday.com 37
tce PROCESS SAFETY
and may indicate some complacency
towards process safety.
conclusions
As the deep dive audit is in-depth and can
take a significant amount of time to assess
a single scenario, it requires selection of the
high consequence major accident hazards
for the site. Unlike conventional PSM audits
the findings are at a detailed level, and
can benefit not only the scenarios being
assessed, but many similar scenarios by
discovering weaknesses in the generic risk
controls. For example, the findings that a
relief system has used an out-of-date sizing
method may result in an action to look at a
number of similar pressure relief systems.
Although the scope of the deep dive
audit is limited when compared to a
conventional PSM audit, it should be clear
that this approach provides a high degree
of confidence that barriers are working
effectively. When conventional systems-
based audits are starting to find very few
actions, the extra level of rigour provided by
a deep dive is well worth considering.
Companies are choosing to carry out
deep dive audits across several global sites
in order to provide a quick snapshot of
performance, and to benchmark sites in
order to identify those requiring greater
senior management attention. tce
Graeme Ellis (contact@gb.abb.com)
is principal lead consultant at ABB
Consulting
Chemical Engineering Matters
The topics discussed in this article refer to the
following lines on the vistas of IChemEs technical
strategy document Chemical Engineering Matters:
Health and wellbeing
Lines 11, 12, 13
Visit www.icheme.org/vistas1 to discover where
this article and your own activities t into the myriad
of grand challenges facing chemical engineers
The familiar Swiss-cheese model illustrates how, under certain circumstances, even
multiple barriers against runaway reactions could still result in a major accident
Blast wall
Relief device
Emergency
cooling
Stop adding
reagent
Runaway
reaction
Many organisations, when
they seek assurance that
process safety is being
managed appropriately, base
this on detailed auditing of
the PSM system. However,
process safety incidents are
usually caused by failures of
multiple barriers.
Injury from
explosion