tce PROCESS SAFETY

Diving deeper

What more can you do if your company displays good process safety performance? Plenty, says Graeme Ellis

May 2014, www.tcetoday.com

You are responsible for process safety on a number of global sites and have just reviewed the results of the latest annual process safety management (PSM) audit. If your PSM audit summary looks something like that shown in Figure 1, with year-on-year improvement, no significant issues, and very few recommendations for improvement, then it's good news, isn't it?

Assuming you have a robust audit programme, finding no issues during audits appears to be good news, but if you want to improve performance further, what more can you do? You may also be finding that leading process safety performance indicators (see Figure 2) are not consistent with the audit performance, and that the lagging indicators are showing a worrying trend, with the number of process safety incidents (PSIs) not improving or even increasing. If you aren't looking at the right issues on an audit, then it won't improve the number of PSIs.

limitations of conventional PSM audits

Many organisations, when they seek assurance that process safety is being managed appropriately, base their analysis on detailed auditing of the PSM system. However, process safety incidents are usually caused by failures of multiple barriers. The potential interactions between barriers are often not visible at the PSM system level, which consists of distinct generic elements, for example mechanical integrity, incident investigation, management of change, and so on. Auditing PSM system elements may therefore not identify the potential for a process safety incident, which requires assessment of specific accident scenarios and verification of specific barriers.
delving deeper

Based on our experience, some major global companies (who we can't name, for confidentiality reasons) are adopting a deep dive audit approach for each of their sites, which focuses on the barriers associated with a few major accident scenarios, aiming to confirm the following:

• major accident scenarios have been identified;
• safety basis is robust and ALARP;
• barrier design provides the required risk reduction;
• barriers are installed as per design;
• barriers are maintained and tested to ensure effectiveness; and
• personnel are competent to operate and maintain the barriers.

This approach provides rigorous assurance that a particular scenario has sufficient barriers and they are working effectively. It does not aim to replace conventional PSM audits, which are still required to provide assurance that the overall systems are being well managed. The two types of audit are therefore complementary, with the deep dive audit providing a snapshot of the process safety vital signs, and the conventional PSM audit ensuring that best practice in management systems is being achieved.

If your PSM audit shows a year-on-year improvement, should you celebrate the success of your PSM programme or feel uneasy that performance has reached a plateau, and maybe a serious accident is just round the corner? This is a dilemma that many global organisations are starting to face.

[Figure 1: PSM audit actions]

[Figure 2: API process safety pyramid. Tier 1: PSIs with serious consequences; Tier 2: PSIs with minor consequences; Tier 3: Demands on safety systems; Tier 4: Management system indicators. Scale: Lagging to Leading]

[Chart: Plant A, Plant B, Plant C; 2010 to 2013; axis label: Number of process safety incidents]

A simple summary of the main differences between the two types of safety audit illustrates how the deep dive identifies the major accident scenarios and places each element under scrutiny.

Factor | Conventional PSM audit | Deep dive audit
Scope | All PSM system elements | Major accident hazard scenarios
Objective | Achieve best practice for individual elements | Ensure specific risk control barriers are working effectively
Focus of audit | Suitability of and adherence to written procedures | Weaknesses in plant, process or people aspects of barriers
Method | Check completeness of documents and test experience with system owner and users | Verify effectiveness of barriers based on plant records, understanding of staff, and field observations

methodology

Initially the potential for major accidents is identified by discussing and reviewing any existing process hazards analysis documents, for example HAZID reports, or safety reports. This stage allows an understanding of major accidents and the required barriers, but more importantly selects a range of high-risk scenarios for the detailed deep dive audit. The selected scenarios should cover a range of event types, allowing different types of prevention, control and mitigation barriers to be assessed.
The next stage considers each scenario and the associated barriers, seeking verification that these are functioning effectively. The focus of the deep dive involves barrier verifications relating to plant (reliability of equipment), process (effectiveness of procedures), and people (competency of staff in key roles).

The audit is best conducted by two specialists: one with a process safety and operations background, and the other with a plant engineering and integrity management background. In addition to the audit team, it's very important to involve process engineers, operating managers and maintenance engineers from the site. This helps site management to understand major accident scenarios, and ensures that the audit team can efficiently locate key information.

The audit report provides details of the assessment for each barrier, with the decision on whether the barrier is working effectively or whether a weakness related to plant, process or people needs to be addressed. The weaknesses can be specific to this scenario and barrier, or systemic, such as a lack of proof testing for safety instrumented systems. In some cases the audit may reveal insufficient barriers, and a recommendation may be raised for further risk assessment or for specific barriers to be implemented.

A field visit to verify specific barriers is an essential stage of the audit. The first requirement is a visual check that barriers are installed as designed, and that the equipment is in good condition. Photographs of any deficiencies, such as holes drilled through bund walls, provide high-impact evidence to site management. Figure 3 shows a gas plant isolation valve that was designed to be kept open to prevent potential overpressure of the line. This valve is specified as lock open in the design, but was found during the field visit to have no lock in place. This specific issue can be addressed, but the finding indicates a potential systemic issue with locked valve controls.
Field visits also provide the opportunity to discuss barriers with operators and maintenance technicians. This tests their understanding of the potential for major accidents on the site, and their role in maintaining the barriers. It's common to find operators who don't know the emergency procedures and actions they need to take to prevent incidents from escalating. For example, a loss of eco-toxic material into the drains system may require closure of a manual valve on the site outfall line, but the operator may not know that, nor the location of the valve. These discussions provide a more general insight into the on-site understanding related to major accidents, and may indicate some complacency towards process safety.

[Figure 3: A visual check that barriers are installed as per design can quickly identify issues. For example, this safety-critical valve was found to be missing a lock to keep it open]

reaction hazard scenario

This scenario illustrates the rigour of a deep dive audit. Consider a runaway reaction scenario leading to reactor overpressure and explosion, as illustrated below. There are four barriers in place:

• trip of reagent at high temperature;
• emergency cooling of reactor at high temperature;
• overpressure relief via a bursting disc system; and
• blast walls around the reactor to protect personnel.

In a deep dive audit this scenario would be identified as a high consequence major accident hazard. The design and operation of each barrier would be checked in detail through reviews of design documents and discussions with knowledgeable technical and operations staff.

The design of the safety instrumented system to shut off the reagent flow would be checked, including independence from all potential initiating causes of the reaction runaway. The proof testing procedure would be assessed to confirm suitable reliability, and the test records observed to confirm that the testing is being carried out. The competence of the people carrying out the calibration and testing of the system would also be checked. Maintenance records would be checked to determine if the demand rate was higher than expected, or if the system was regularly found as failed during the proof tests.

The design and operation of the emergency cooling system and pressure relief system would be checked with similar rigour, to ensure that these systems are designed correctly and are proving to be reliable in use. For pressure relief systems the assumed reliability is typically a probability of failure on demand of 1%. Is there evidence this is being compromised by blockages in the inlet line to the relief valve, or corrosion causing the pressure relief valve to seize?

Finally, the calculated blast forces caused by the reactor explosion and the design and construction of the blast wall would be checked.

The operating and emergency procedures would also be tested against assumptions in the risk assessment. The operators would be questioned to understand current operational practices and whether these complied with the key requirements of the operating procedures with respect to the reaction hazard being assessed.

conclusions

As the deep dive audit is in-depth and can take a significant amount of time to assess a single scenario, it requires selection of the high consequence major accident hazards for the site.
Unlike conventional PSM audits, the findings are at a detailed level, and can benefit not only the scenarios being assessed, but many similar scenarios by discovering weaknesses in the generic risk controls. For example, the finding that a relief system has used an out-of-date sizing method may result in an action to look at a number of similar pressure relief systems.

Although the scope of the deep dive audit is limited when compared to a conventional PSM audit, it should be clear that this approach provides a high degree of confidence that barriers are working effectively. When conventional systems-based audits are starting to find very few actions, the extra level of rigour provided by a deep dive is well worth considering. Companies are choosing to carry out deep dive audits across several global sites in order to provide a quick snapshot of performance, and to benchmark sites in order to identify those requiring greater senior management attention.

Graeme Ellis (contact@gb.abb.com) is principal lead consultant at ABB Consulting

Chemical Engineering Matters

The topics discussed in this article refer to the following lines on the vistas of IChemE's technical strategy document Chemical Engineering Matters: Health and wellbeing, Lines 11, 12, 13. Visit www.icheme.org/vistas1 to discover where this article and your own activities fit into the myriad of grand challenges facing chemical engineers.

[Figure: The familiar Swiss-cheese model illustrates how, under certain circumstances, even multiple barriers against runaway reactions could still result in a major accident. Labels: Blast wall; Relief device; Emergency cooling; Stop adding reagent; Runaway reaction; Injury from explosion]